Color #69

Open: wants to merge 10,000 commits into base: main
This pull request is big! We’re only showing the most recent 250 commits.

Commits on Oct 25, 2023

  1. nvme-rdma: do not try to stop unallocated queues

    commit 3820c4fdc247b6f0a4162733bdb8ddf8f2e8a1e4 upstream.
    
    Trying to stop a queue which hasn't been allocated will result
    in a warning due to calling mutex_lock() against an uninitialized mutex.
    
     DEBUG_LOCKS_WARN_ON(lock->magic != lock)
     WARNING: CPU: 4 PID: 104150 at kernel/locking/mutex.c:579
    
     Call trace:
      RIP: 0010:__mutex_lock+0x1173/0x14a0
      nvme_rdma_stop_queue+0x1b/0xa0 [nvme_rdma]
      nvme_rdma_teardown_io_queues.part.0+0xb0/0x1d0 [nvme_rdma]
      nvme_rdma_delete_ctrl+0x50/0x100 [nvme_rdma]
      nvme_do_delete_ctrl+0x149/0x158 [nvme_core]
    
    Signed-off-by: Maurizio Lombardi <[email protected]>
    Reviewed-by: Sagi Grimberg <[email protected]>
    Tested-by: Yi Zhang <[email protected]>
    Signed-off-by: Keith Busch <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    maurizio-lombardi authored and gregkh committed Oct 25, 2023
    Commit e750fb7
  2. USB: serial: option: add Telit LE910C4-WWX 0x1035 composition

    commit 6a7be48e9bd18d309ba25c223a27790ad1bf0fa3 upstream.
    
    Add support for the following Telit LE910C4-WWX composition:
    
    0x1035: TTY, TTY, ECM
    
    T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  5 Spd=480 MxCh= 0
    D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
    P:  Vendor=1bc7 ProdID=1035 Rev=00.00
    S:  Manufacturer=Telit
    S:  Product=LE910C4-WWX
    S:  SerialNumber=e1b117c7
    C:  #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA
    I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=81(I) Atr=03(Int.) MxPS=  64 Ivl=2ms
    E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=fe Prot=ff Driver=option
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=83(I) Atr=03(Int.) MxPS=  64 Ivl=2ms
    E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:  If#= 2 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
    E:  Ad=85(I) Atr=03(Int.) MxPS=  64 Ivl=2ms
    I:  If#= 3 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
    E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    Signed-off-by: Fabio Porcedda <[email protected]>
    Cc: [email protected]
    Reviewed-by: Daniele Palmas <[email protected]>
    Signed-off-by: Johan Hovold <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    fabio-porcedda authored and gregkh committed Oct 25, 2023
    Commit 4832212
  3. USB: serial: option: add entry for Sierra EM9191 with new firmware

    commit 064f6e2ba9eb59b2c87b866e1e968e79ccedf9dd upstream.
    
    Following a firmware update of the modem, the interface for the AT
    command port changed, so add it back.
    
    T:  Bus=08 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#=  2 Spd=5000 MxCh= 0
    D:  Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs=  1
    P:  Vendor=1199 ProdID=90d3 Rev=00.06
    S:  Manufacturer=Sierra Wireless, Incorporated
    S:  Product=Sierra Wireless EM9191
    S:  SerialNumber=xxxxxxxxxxxxxxxx
    C:  #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=896mA
    I:  If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
    I:  If#=0x1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
    I:  If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=(none)
    I:  If#=0x4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
    
    Signed-off-by: Benoît Monin <[email protected]>
    Cc: [email protected]
    Signed-off-by: Johan Hovold <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Benoît Monin authored and gregkh committed Oct 25, 2023
    Commit 8c376d8
  4. USB: serial: option: add Fibocom to DELL custom modem FM101R-GL

    commit 52480e1f1a259c93d749ba3961af0bffedfe7a7a upstream.
    
    Update the USB serial option driver support for the Fibocom
    FM101R-GL LTE modules as there are actually several different variants.
    
    - VID:PID 413C:8213, FM101R-GL are laptop M.2 cards (with
      MBIM interfaces for Linux)
    
    - VID:PID 413C:8215, FM101R-GL ESIM are laptop M.2 cards (with
      MBIM interface for Linux)
    
    0x8213: mbim, tty
    0x8215: mbim, tty
    
    T:  Bus=04 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#=  2 Spd=5000 MxCh= 0
    D:  Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs=  1
    P:  Vendor=413c ProdID=8213 Rev= 5.04
    S:  Manufacturer=Fibocom Wireless Inc.
    S:  Product=Fibocom FM101-GL Module
    S:  SerialNumber=a3b7cbf0
    C:* #Ifs= 3 Cfg#= 1 Atr=a0 MxPwr=896mA
    A:  FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
    I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
    E:  Ad=81(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
    I:  If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
    I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
    E:  Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E:  Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=(none)
    E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E:  Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    
    T:  Bus=04 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#=  3 Spd=5000 MxCh= 0
    D:  Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs=  1
    P:  Vendor=413c ProdID=8215 Rev= 5.04
    S:  Manufacturer=Fibocom Wireless Inc.
    S:  Product=Fibocom FM101-GL Module
    S:  SerialNumber=a3b7cbf0
    C:* #Ifs= 3 Cfg#= 1 Atr=a0 MxPwr=896mA
    A:  FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
    I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
    E:  Ad=81(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
    I:  If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
    I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
    E:  Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E:  Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=(none)
    E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E:  Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    
    Signed-off-by: Puliang Lu <[email protected]>
    Cc: [email protected]
    Signed-off-by: Johan Hovold <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    LuPuliang authored and gregkh committed Oct 25, 2023
    Commit 5aa89a1
  5. perf: Disallow mis-matched inherited group reads

    commit 32671e3799ca2e4590773fd0e63aaa4229e50c06 upstream.
    
    Because group consistency is non-atomic between parent (filedesc) and children
    (inherited) events, it is possible for PERF_FORMAT_GROUP read() to try and sum
    non-matching counter groups -- with nonsensical results.
    
    Add group_generation to distinguish the case where a parent group removes and
    adds an event and thus has the same number, but a different configuration of
    events as inherited groups.
    
    This became a problem when commit fa8c269 ("perf/core: Invert
    perf_read_group() loops") flipped the order of child_list and sibling_list.
    Previously it would iterate the group (sibling_list) first, and for each
    sibling traverse the child_list. In this order, only the group composition of
    the parent is relevant. By flipping the order the group composition of the
    child (inherited) events becomes an issue and the mis-match in group
    composition becomes evident.
    
    That said; even prior to this commit, while reading of a group that is not
    equally inherited was not broken, it still made no sense.
    
    (Ab)use ECHILD as error return to indicate issues with child process group
    composition.
    
    Fixes: fa8c269 ("perf/core: Invert perf_read_group() loops")
    Reported-by: Budimir Markovic <[email protected]>
    Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
    Link: https://lkml.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Peter Zijlstra authored and gregkh committed Oct 25, 2023
    Commit 71d224a
  6. s390/pci: fix iommu bitmap allocation

    commit c1ae1c59c8c6e0b66a718308c623e0cb394dab6b upstream.
    
    Since the fixed commits both zdev->iommu_bitmap and zdev->lazy_bitmap
    are allocated as vzalloc(zdev->iommu_pages / 8). The problem is that
    zdev->iommu_bitmap is a pointer to unsigned long but the above only
    yields an allocation that is a multiple of sizeof(unsigned long) which
    is 8 on s390x if the number of IOMMU pages is a multiple of 64.
    This in turn is the case only if the effective IOMMU aperture is
    a multiple of 64 * 4K = 256K. This is usually the case and so didn't
    cause visible issues since both the virt_to_phys(high_memory) reduced
    limit and hardware limits use nice numbers.
    
    Under KVM, and in particular with QEMU limiting the IOMMU aperture to
    the vfio DMA limit (default 65535), it is possible for the reported
    aperture not to be a multiple of 256K however. In this case we end up
    with an iommu_bitmap whose allocation is not a multiple of
    8 causing bitmap operations to access it out of bounds.
    
    Sadly we can't just fix this in the obvious way and use bitmap_zalloc()
    because for large RAM systems (tested on 8 TiB) the zdev->iommu_bitmap
    grows too large for kmalloc(). So add our own bitmap_vzalloc() wrapper.
    This might be a candidate for common code, but this area of code will
    be replaced by the upcoming conversion to use the common code DMA API on
    s390 so just add a local routine.
    
    Fixes: 2245932 ("s390/pci: use virtual memory for iommu bitmap")
    Fixes: 13954fd ("s390/pci_dma: improve lazy flush for unmap")
    Cc: [email protected]
    Reviewed-by: Matthew Rosato <[email protected]>
    Signed-off-by: Niklas Schnelle <[email protected]>
    Signed-off-by: Vasily Gorbik <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    niklas88 authored and gregkh committed Oct 25, 2023
    Commit 3ad81e6
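The sizing problem described in the s390/pci commit message above, as an added example (not code from the kernel or from this pull request): a userspace sketch where `word_t` models the 8-byte `unsigned long` on s390x, `calloc()` stands in for `vzalloc()`, and the page counts and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint64_t word_t;                  /* models unsigned long on s390x */
#define BITS_PER_WORD (8 * sizeof(word_t))

/* Allocation size the commit message identifies as the bug: pages / 8,
 * truncated, so not necessarily a whole number of words. */
static size_t bytes_div8(size_t pages)
{
    return pages / 8;
}

/* Allocation size word-wise bitmap operations need: whole words, rounded up. */
static size_t bytes_whole_words(size_t pages)
{
    return ((pages + BITS_PER_WORD - 1) / BITS_PER_WORD) * sizeof(word_t);
}

/* Number of bytes beyond an alloc_bytes-sized buffer that a word-wise
 * access to `bit` would touch (0 means the access stays in bounds). */
static size_t overrun_bytes(size_t bit, size_t alloc_bytes)
{
    size_t word_end = (bit / BITS_PER_WORD + 1) * sizeof(word_t);
    return word_end > alloc_bytes ? word_end - alloc_bytes : 0;
}

/* Hypothetical userspace analogue of a zeroed, word-rounded bitmap allocator. */
static word_t *bitmap_zalloc_words(size_t bits)
{
    return calloc((bits + BITS_PER_WORD - 1) / BITS_PER_WORD, sizeof(word_t));
}

static void set_bit_w(word_t *map, size_t bit)
{
    map[bit / BITS_PER_WORD] |= (word_t)1 << (bit % BITS_PER_WORD);
}

static int test_bit_w(const word_t *map, size_t bit)
{
    return (int)((map[bit / BITS_PER_WORD] >> (bit % BITS_PER_WORD)) & 1);
}

/* Sets and reads back the bit of the last page inside a word-rounded
 * allocation; returns 1 on success. */
static int last_bit_roundtrip(size_t pages)
{
    word_t *map = bitmap_zalloc_words(pages);
    int ok;

    if (!map)
        return 0;
    set_bit_w(map, pages - 1);
    ok = test_bit_w(map, pages - 1);
    free(map);
    return ok;
}

int main(void)
{
    /* Constructed page counts: one a multiple of 64, two that are not. */
    size_t samples[] = { 65536, 65535, 100 };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        size_t pages = samples[i];
        printf("pages=%zu pages/8=%zu whole-words=%zu overrun=%zu\n",
               pages, bytes_div8(pages), bytes_whole_words(pages),
               overrun_bytes(pages - 1, bytes_div8(pages)));
    }
    return last_bit_roundtrip(65535) ? 0 : 1;
}
```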
  7. selftests/ftrace: Add new test case which checks non unique symbol

    commit 03b80ff8023adae6780e491f66e932df8165e3a0 upstream.
    
    If name_show() is non unique, this test will try to install a kprobe on this
    function which should fail returning EADDRNOTAVAIL.
    On kernel where name_show() is not unique, this test is skipped.
    
    Link: https://lore.kernel.org/all/[email protected]/
    
    Cc: [email protected]
    Signed-off-by: Francis Laniel <[email protected]>
    Acked-by: Masami Hiramatsu (Google) <[email protected]>
    Signed-off-by: Masami Hiramatsu (Google) <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    eiffel-fl authored and gregkh committed Oct 25, 2023
    Commit c8b6c2d
  8. s390/cio: fix a memleak in css_alloc_subchannel

    commit 63e8b94ad1840f02462633abdb363397f56bc642 upstream.
    
    When dma_set_coherent_mask() fails, sch->lock has not been
    freed, which is allocated in css_sch_create_locks(), leading
    to a memleak.
    
    Fixes: 4520a91 ("s390/cio: use dma helpers for setting masks")
    Signed-off-by: Dinghao Liu <[email protected]>
    Message-Id: <[email protected]>
    Link: https://lore.kernel.org/linux-s390/[email protected]/
    Reviewed-by: Halil Pasic <[email protected]>
    Reviewed-by: Peter Oberparleiter <[email protected]>
    Signed-off-by: Vasily Gorbik <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    dinghaoliu authored and gregkh committed Oct 25, 2023
    Commit a73c8d7
  9. platform/surface: platform_profile: Propagate error if profile registration fails
    
    commit fe0e04cf66a12ffe6d1b43725ddaabd5599d024f upstream.
    
    If platform_profile_register() fails, the driver does not propagate
    the error, but instead probes successfully. This means when the driver
    unbinds, a warning might be issued by platform_profile_remove().
    
    Fix this by propagating the error back to the caller of
    surface_platform_profile_probe().
    
    Compile-tested only.
    
    Fixes: b78b498 ("platform/surface: Add platform profile driver")
    Signed-off-by: Armin Wolf <[email protected]>
    Reviewed-by: Maximilian Luz <[email protected]>
    Tested-by: Maximilian Luz <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Hans de Goede <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Wer-Wolf authored and gregkh committed Oct 25, 2023
    Commit c6bbe51
  10. platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from 0x20 to 0x2e

    commit f37cc2fc277b371fc491890afb7d8a26e36bb3a1 upstream.
    
    Older Asus laptops change the backlight level themselves and then send
    WMI events with different codes for different backlight levels.
    
    The asus-wmi.c code maps the entire range of codes reported on
    brightness down keypresses to an internal ASUS_WMI_BRN_DOWN code:
    
    #define NOTIFY_BRNUP_MIN                0x11
    #define NOTIFY_BRNUP_MAX                0x1f
    #define NOTIFY_BRNDOWN_MIN              0x20
    #define NOTIFY_BRNDOWN_MAX              0x2e
    
            if (code >= NOTIFY_BRNUP_MIN && code <= NOTIFY_BRNUP_MAX)
                    code = ASUS_WMI_BRN_UP;
            else if (code >= NOTIFY_BRNDOWN_MIN && code <= NOTIFY_BRNDOWN_MAX)
                    code = ASUS_WMI_BRN_DOWN;
    
    Before this commit all the NOTIFY_BRNDOWN_MIN - NOTIFY_BRNDOWN_MAX
    aka 0x20 - 0x2e events were mapped to 0x20.
    
    This mapping is causing issues on new laptop models which actually
    send 0x2b events for printscreen presses and 0x2c events for
    capslock presses, which get translated into spurious brightness-down
    presses.
    
    The plan is to disable the 0x11-0x2e special mapping on laptops
    where asus-wmi does not register a backlight-device to avoid
    the spurious brightness-down keypresses. New laptops always send
    0x2e for brightness-down presses, change the special internal
    ASUS_WMI_BRN_DOWN value from 0x20 to 0x2e to match this in
    preparation for fixing the spurious brightness-down presses.
    
    This change does not have any functional impact since all
    of 0x20 - 0x2e is mapped to ASUS_WMI_BRN_DOWN first and only
    then checked against the keymap code and the new 0x2e
    value is still in the 0x20 - 0x2e range.
    
    Reported-by: James John <[email protected]>
    Closes: https://lore.kernel.org/platform-driver-x86/[email protected]/
    Closes: https://bbs.archlinux.org/viewtopic.php?pid=2123716
    Signed-off-by: Hans de Goede <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    jwrdegoede authored and gregkh committed Oct 25, 2023
    Commit e1a058c
  11. platform/x86: asus-wmi: Map 0x2a code, Ignore 0x2b and 0x2c events

    commit 235985d1763f7aba92c1c64e5f5aaec26c2c9b18 upstream.
    
    Newer Asus laptops send the following new WMI event codes when some
    of the F1 - F12 "media" hotkeys are pressed:
    
    0x2a Screen Capture
    0x2b PrintScreen
    0x2c CapsLock
    
    Map 0x2a to KEY_SELECTIVE_SCREENSHOT mirroring how similar hotkeys
    are mapped on other laptops.
    
    PrintScreen and CapsLock are also reported as normal PS/2 keyboard events,
    map these event codes to KE_IGNORE to avoid "Unknown key code 0x%x\n" log
    messages.
    
    Reported-by: James John <[email protected]>
    Closes: https://lore.kernel.org/platform-driver-x86/[email protected]/
    Closes: https://bbs.archlinux.org/viewtopic.php?pid=2123716
    Signed-off-by: Hans de Goede <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    jwrdegoede authored and gregkh committed Oct 25, 2023
    Commit 4b129e3
  12. gpio: vf610: set value before the direction to avoid a glitch

    commit fc363413ef8ea842ae7a99e3caf5465dafdd3a49 upstream.
    
    We found a glitch when configuring the pad as output high. To avoid this
    glitch, move the data value setting before direction config in the
    function vf610_gpio_direction_output().
    
    Fixes: 659d8a6 ("gpio: vf610: add imx7ulp support")
    Signed-off-by: Haibo Chen <[email protected]>
    [Bartosz: tweak the commit message]
    Signed-off-by: Bartosz Golaszewski <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Haibo Chen authored and gregkh committed Oct 25, 2023
    Commit 76d04c3
  13. ASoC: pxa: fix a memory leak in probe()

    [ Upstream commit aa6464edbd51af4a2f8db43df866a7642b244b5f ]
    
    Free the "priv" pointer before returning the error code.
    
    Fixes: 90eb6b5 ("ASoC: pxa-ssp: add support for an external clock in devicetree")
    Signed-off-by: Dan Carpenter <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    Dan Carpenter authored and gregkh committed Oct 25, 2023
    Commit 67f29cd
  14. serial: 8250: omap: Move uart_write() inside PM section

    commit c53aab20762255ee03e65dd66b3cba3887ad39d1 upstream.
    
    If CONFIG_PM is not set (e.g. m68k/allmodconfig):
    
        drivers/tty/serial/8250/8250_omap.c:169:13: error: ‘uart_write’ defined but not used [-Werror=unused-function]
          169 | static void uart_write(struct omap8250_priv *priv, u32 reg, u32 val)
              |             ^~~~~~~~~~
    
    Fix this by moving uart_write() inside the existing section protected
    by #ifdef CONFIG_PM.
    
    Reported-by: [email protected]
    Link: http://kisskb.ellerman.id.au/kisskb/buildresult/14925095/
    Fixes: 398cecc24846e867 ("serial: 8250: omap: Fix imprecise external abort for omap_8250_pm()")
    Signed-off-by: Geert Uytterhoeven <[email protected]>
    Reviewed-by: Tony Lindgren <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    geertu authored and gregkh committed Oct 25, 2023
    Commit b618062
  15. phy: mapphone-mdm6600: Fix runtime disable on probe

    [ Upstream commit 719606154c7033c068a5d4c1dc5f9163b814b3c8 ]
    
    Commit d644e0d79829 ("phy: mapphone-mdm6600: Fix PM error handling in
    phy_mdm6600_probe") caused a regression where we now unconditionally
    disable runtime PM at the end of the probe while it is only needed on
    errors.
    
    Cc: Ivaylo Dimitrov <[email protected]>
    Cc: Merlijn Wajer <[email protected]>
    Cc: Miaoqian Lin <[email protected]>
    Cc: Pavel Machek <[email protected]>
    Reviewed-by: Sebastian Reichel <[email protected]>
    Fixes: d644e0d79829 ("phy: mapphone-mdm6600: Fix PM error handling in phy_mdm6600_probe")
    Signed-off-by: Tony Lindgren <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Vinod Koul <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    tmlind authored and gregkh committed Oct 25, 2023
    Commit 59f1095
  16. phy: mapphone-mdm6600: Fix runtime PM for remove

    [ Upstream commit b99e0ba9633af51638e5ee1668da2e33620c134f ]
    
    Otherwise we will get an underflow on remove.
    
    Cc: Ivaylo Dimitrov <[email protected]>
    Cc: Merlijn Wajer <[email protected]>
    Cc: Pavel Machek <[email protected]>
    Cc: Sebastian Reichel <[email protected]>
    Fixes: f7f50b2 ("phy: mapphone-mdm6600: Add runtime PM support for n_gsm on USB suspend")
    Signed-off-by: Tony Lindgren <[email protected]>
    Reviewed-by: Sebastian Reichel <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Vinod Koul <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    tmlind authored and gregkh committed Oct 25, 2023
    Commit e1b030b
  17. phy: mapphone-mdm6600: Fix pinctrl_pm handling for sleep pins

    [ Upstream commit 3b384cc74b00b5ac21d18e4c1efc3c1da5300971 ]
    
    Looks like the driver sleep pins configuration is unusable. Adding the
    sleep pins causes the usb phy to not respond. We need to use the default
    pins in probe, and only set sleep pins at phy_mdm6600_device_power_off().
    
    As the modem can also be booted to a serial port mode for firmware
    flashing, let's make the pin changes limited to probe and remove. For
    probe, we get the default pins automatically. We only need to set the
    sleep pins in phy_mdm6600_device_power_off() to prevent the modem from
    waking up because the gpio line glitches.
    
    If it turns out that we need a separate state for phy_mdm6600_power_on()
    and phy_mdm6600_power_off(), we can use the pinctrl idle state.
    
    Cc: Ivaylo Dimitrov <[email protected]>
    Cc: Merlijn Wajer <[email protected]>
    Cc: Pavel Machek <[email protected]>
    Cc: Sebastian Reichel <[email protected]>
    Fixes: 2ad2af0 ("phy: mapphone-mdm6600: Improve phy related runtime PM calls")
    Signed-off-by: Tony Lindgren <[email protected]>
    Reviewed-by: Sebastian Reichel <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Vinod Koul <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    tmlind authored and gregkh committed Oct 25, 2023
    Commit c08d609
  18. Bluetooth: hci_sock: fix slab oob read in create_monitor_event

    commit 18f547f3fc074500ab5d419cf482240324e73a7e upstream.
    
    When accessing hdev->name, the actual string length should prevail
    
    Reported-by: [email protected]
    Fixes: dcda165706b9 ("Bluetooth: hci_core: Fix build warnings")
    Signed-off-by: Edward AD <[email protected]>
    Signed-off-by: Luiz Augusto von Dentz <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Edward AD authored and gregkh committed Oct 25, 2023
    Commit a6df96e
  19. Bluetooth: hci_sock: Correctly bounds check and pad HCI_MON_NEW_INDEX name
    
    commit cb3871b1cd135a6662b732fbc6b3db4afcdb4a64 upstream.
    
    The code pattern of memcpy(dst, src, strlen(src)) is almost always
    wrong. In this case it is wrong because it leaves memory uninitialized
    if it is less than sizeof(ni->name), and overflows ni->name when longer.
    
    Normally strtomem_pad() could be used here, but since ni->name is a
    trailing array in struct hci_mon_new_index, compilers that don't support
    -fstrict-flex-arrays=3 can't tell how large this array is via
    __builtin_object_size(). Instead, open-code the helper and use sizeof()
    since it will work correctly.
    
    Additionally mark ni->name as __nonstring since it appears to not be a
    %NUL terminated C string.
    
    Cc: Luiz Augusto von Dentz <[email protected]>
    Cc: Edward AD <[email protected]>
    Cc: Marcel Holtmann <[email protected]>
    Cc: Johan Hedberg <[email protected]>
    Cc: "David S. Miller" <[email protected]>
    Cc: Eric Dumazet <[email protected]>
    Cc: Jakub Kicinski <[email protected]>
    Cc: Paolo Abeni <[email protected]>
    Cc: [email protected]
    Cc: [email protected]
    Fixes: 18f547f3fc07 ("Bluetooth: hci_sock: fix slab oob read in create_monitor_event")
    Link: https://lore.kernel.org/lkml/202310110908.F2639D3276@keescook/
    Signed-off-by: Kees Cook <[email protected]>
    Signed-off-by: Luiz Augusto von Dentz <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    kees authored and gregkh committed Oct 25, 2023
    Commit 5a9d05a
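The `memcpy(dst, src, strlen(src))` pattern from the commit message above, next to a bounded and padded copy sized by the destination, as an added example (not code from the kernel or from this pull request). `NAME_FIELD`, the scratch buffer and every function name are assumptions; a 0xAA fill stands in for uninitialized memory so both failure modes can be observed without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_FIELD 8     /* assumed width, stands in for sizeof(ni->name) */
#define SCRATCH    32    /* name field followed by constructed adjacent memory */
#define STALE      0xAA  /* marks bytes the copy never wrote */

/* Length of src, never reading more than max bytes. */
static size_t bounded_len(const char *src, size_t max)
{
    size_t n = 0;

    while (n < max && src[n] != '\0')
        n++;
    return n;
}

/* The pattern the commit message calls almost always wrong: the length
 * comes from the source, so the destination size is never consulted. */
static void copy_name_strlen(unsigned char *field, const char *src)
{
    memcpy(field, src, strlen(src));
}

/* Bounded and padded copy: at most field_size bytes are written and the
 * remainder of the field is zeroed. The field is not NUL-terminated when
 * the source fills it completely. */
static void copy_name_padded(unsigned char *field, size_t field_size,
                             const char *src)
{
    size_t n = bounded_len(src, field_size);

    memcpy(field, src, n);
    memset(field + n, 0, field_size - n);
}

struct copy_result {
    size_t stale_in_field;   /* bytes inside the field left unwritten */
    size_t clobbered_after;  /* bytes past the field that were overwritten */
};

/* Runs one copy into a pre-filled scratch buffer and measures the damage.
 * src must be shorter than SCRATCH so the demo itself stays in bounds. */
static struct copy_result run_copy(const char *src, int padded)
{
    unsigned char scratch[SCRATCH];
    struct copy_result r = {0, 0};
    size_t i;

    memset(scratch, STALE, sizeof(scratch));
    if (padded)
        copy_name_padded(scratch, NAME_FIELD, src);
    else
        copy_name_strlen(scratch, src);

    for (i = 0; i < NAME_FIELD; i++)
        if (scratch[i] == STALE)
            r.stale_in_field++;
    for (i = NAME_FIELD; i < SCRATCH; i++)
        if (scratch[i] != STALE)
            r.clobbered_after++;
    return r;
}

int main(void)
{
    /* Constructed device names: one shorter and one longer than the field. */
    const char *names[] = { "hci0", "hci-long-name" };
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        struct copy_result bad = run_copy(names[i], 0);
        struct copy_result good = run_copy(names[i], 1);

        printf("%-14s strlen copy: stale=%zu overflow=%zu | "
               "padded copy: stale=%zu overflow=%zu\n", names[i],
               bad.stale_in_field, bad.clobbered_after,
               good.stale_in_field, good.clobbered_after);
    }
    return 0;
}
```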
  20. xfrm6: fix inet6_dev refcount underflow problem

    [ Upstream commit cc9b364bb1d58d3dae270c7a931a8cc717dc2b3b ]
    
    There are race conditions that may lead to inet6_dev refcount underflow
    in xfrm6_dst_destroy() and rt6_uncached_list_flush_dev().
    
    One of the refcount underflow bugs is shown below:
            (cpu 1)                 |       (cpu 2)
    xfrm6_dst_destroy()             |
      ...                           |
      in6_dev_put()                 |
                                    |  rt6_uncached_list_flush_dev()
      ...                           |    ...
                                    |    in6_dev_put()
      rt6_uncached_list_del()       |    ...
      ...                           |
    
    xfrm6_dst_destroy() calls rt6_uncached_list_del() after in6_dev_put(),
    so rt6_uncached_list_flush_dev() has a chance to call in6_dev_put()
    again for the same inet6_dev.
    
    Fix it by moving in6_dev_put() after rt6_uncached_list_del() in
    xfrm6_dst_destroy().
    
    Fixes: 510c321 ("xfrm: reuse uncached_list to track xdsts")
    Signed-off-by: Zhang Changzhong <[email protected]>
    Reviewed-by: Xin Long <[email protected]>
    Signed-off-by: Steffen Klassert <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Zhang Changzhong authored and gregkh committed Oct 25, 2023
    Commit dff3388
  21. Linux 5.15.137

    Link: https://lore.kernel.org/r/[email protected]
    Tested-by: SeongJae Park <[email protected]>
    Tested-by: Ricardo B. Marliere <[email protected]>
    Tested-by: Allen Pais <[email protected]>
    Tested-by: Florian Fainelli <[email protected]>
    Tested-by: Sudip Mukherjee <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Tested-by: Florian Fainelli <[email protected]>
    Tested-by: Slade Watkins <[email protected]>
    Tested-by: Allen Pais <[email protected]>
    Tested-by: SeongJae Park <[email protected]>
    Tested-by: Linux Kernel Functional Testing <[email protected]>
    Tested-by: Harshit Mogalapalli <[email protected]>
    Tested-by: Ron Economos <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    gregkh committed Oct 25, 2023
    Commit 12952a2
  22. Merge 5.15.135 into android13-5.15-lts

    Changes in 5.15.135
    	spi: zynqmp-gqspi: Convert to platform remove callback returning void
    	spi: zynqmp-gqspi: fix clock imbalance on probe failure
    	ASoC: soc-utils: Export snd_soc_dai_is_dummy() symbol
    	ASoC: tegra: Fix redundant PLLA and PLLA_OUT0 updates
    	NFS: Cleanup unused rpc_clnt variable
    	NFS: rename nfs_client_kset to nfs_kset
    	NFSv4: Fix a state manager thread deadlock regression
    	ring-buffer: remove obsolete comment for free_buffer_page()
    	ring-buffer: Fix bytes info in per_cpu buffer stats
    	arm64: Avoid repeated AA64MMFR1_EL1 register read on pagefault path
    	iommu/arm-smmu-v3: Set TTL invalidation hint better
    	iommu/arm-smmu-v3: Avoid constructing invalid range commands
    	rbd: move rbd_dev_refresh() definition
    	rbd: decouple header read-in from updating rbd_dev->header
    	rbd: decouple parent info read-in from updating rbd_dev
    	rbd: take header_rwsem in rbd_dev_refresh() only when updating
    	block: fix use-after-free of q->q_usage_counter
    	Revert "clk: imx: pll14xx: dynamically configure PLL for 393216000/361267200Hz"
    	scsi: zfcp: Fix a double put in zfcp_port_enqueue()
    	vringh: don't use vringh_kiov_advance() in vringh_iov_xfer()
    	qed/red_ll2: Fix undefined behavior bug in struct qed_ll2_info
    	wifi: mwifiex: Fix tlv_buf_left calculation
    	net: replace calls to sock->ops->connect() with kernel_connect()
    	net: prevent rewrite of msg_name in sock_sendmsg()
    	drm/amd: Fix detection of _PR3 on the PCIe root port
    	arm64: Add Cortex-A520 CPU part definition
    	HID: sony: Fix a potential memory leak in sony_probe()
    	ubi: Refuse attaching if mtd's erasesize is 0
    	wifi: iwlwifi: dbg_ini: fix structure packing
    	iwlwifi: avoid void pointer arithmetic
    	wifi: iwlwifi: mvm: Fix a memory corruption issue
    	wifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet
    	bpf: Fix tr dereferencing
    	drivers/net: process the result of hdlc_open() and add call of hdlc_close() in uhdlc_close()
    	wifi: mt76: mt76x02: fix MT76x0 external LNA gain handling
    	regmap: rbtree: Fix wrong register marked as in-cache when creating new node
    	ima: Finish deprecation of IMA_TRUSTED_KEYRING Kconfig
    	scsi: target: core: Fix deadlock due to recursive locking
    	ima: rework CONFIG_IMA dependency block
    	NFSv4: Fix a nfs4_state_manager() race
    	bpf, sockmap: Reject sk_msg egress redirects to non-TCP sockets
    	modpost: add missing else to the "of" check
    	net: fix possible store tearing in neigh_periodic_work()
    	ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()
    	ptp: ocp: Fix error handling in ptp_ocp_device_init
    	net: dsa: mv88e6xxx: Avoid EEPROM timeout when EEPROM is absent
    	net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg
    	net: nfc: llcp: Add lock when modifying device list
    	net: ethernet: ti: am65-cpsw: Fix error code in am65_cpsw_nuss_init_tx_chns()
    	ibmveth: Remove condition to recompute TCP header checksum.
    	netfilter: handle the connecting collision properly in nf_conntrack_proto_sctp
    	netfilter: nf_tables: nft_set_rbtree: fix spurious insertion failure
    	ipv4: Set offload_failed flag in fibmatch results
    	net: stmmac: dwmac-stm32: fix resume on STM32 MCU
    	tipc: fix a potential deadlock on &tx->lock
    	tcp: fix quick-ack counting to count actual ACKs of new data
    	tcp: fix delayed ACKs for MSS boundary condition
    	sctp: update transport state when processing a dupcook packet
    	sctp: update hb timer immediately after users change hb_interval
    	HID: sony: remove duplicate NULL check before calling usb_free_urb()
    	HID: intel-ish-hid: ipc: Disable and reenable ACPI GPE bit
    	dm zoned: free dmz->ddev array in dmz_put_zoned_devices
    	RDMA/core: Require admin capabilities to set system parameters
    	of: dynamic: Fix potential memory leak in of_changeset_action()
    	IB/mlx4: Fix the size of a buffer in add_port_entries()
    	gpio: aspeed: fix the GPIO number passed to pinctrl_gpio_set_config()
    	gpio: pxa: disable pinctrl calls for MMP_GPIO
    	RDMA/cma: Initialize ib_sa_multicast structure to 0 when join
    	RDMA/cma: Fix truncation compilation warning in make_cma_ports
    	RDMA/uverbs: Fix typo of sizeof argument
    	RDMA/siw: Fix connection failure handling
    	RDMA/mlx5: Fix NULL string error
    	ksmbd: fix uaf in smb20_oplock_break_ack
    	parisc: Restore __ldcw_align for PA-RISC 2.0 processors
    	xen/events: replace evtchn_rwlock with RCU
    	Linux 5.15.135
    
    Change-Id: I568f0a1c698f90e58e8bef6e05e785526e46dcf4
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    gregkh committed Oct 25, 2023
    39de8e2
  23. ANDROID: mm: allow hooks into __alloc_pages()

    Allow drivers to register mm_page_alloc hooks when alloc pages.
    This helps to get page info when alloc pages exit.
    
    Bug: 307485594
    Change-Id: I6bdec48bf04a19718e49a51e52ac8d4ae64a7f86
    Signed-off-by: Qinglin Li <[email protected]>
    qinglin.li authored and surenbaghdasaryan committed Oct 25, 2023
    d7644c8
  24. ANDROID: GKI: Update symbol list for Amlogic

    1 function symbol(s) added
      'int __traceiter_mm_page_alloc(void*, struct page*, unsigned int, gfp_t, int)'
    
    1 variable symbol(s) added
      'struct tracepoint __tracepoint_mm_page_alloc'
    
    Bug: 307485594
    Change-Id: I1393146b905a27875e52ff925da1a94e2d6d2e45
    Signed-off-by: Qinglin Li <[email protected]>
    qinglin.li authored and surenbaghdasaryan committed Oct 25, 2023
    d0a5b5f

Commits on Oct 26, 2023

  1. Revert "netfilter: handle the connecting collision properly in nf_conntrack_proto_sctp"

    This reverts commit 88497f7 which is
    commit 8e56b063c86569e51eed1c5681ce6361fa97fc7a upstream.
    
    It breaks the Android ABI so revert it for now, if it is needed in the
    future, it can be brought back in an ABI-safe way.
    
    Bug: 161946584
    Change-Id: Ia03ea49365e6ce063194738b22f77d2a403ea3a4
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    gregkh committed Oct 26, 2023
    1ce1d97
  2. Revert "spi: zynqmp-gqspi: Convert to platform remove callback returning void"

    This reverts commit e514f89 which is
    commit 3ffefa1d9c9eba60c7f8b4a9ce2df3e4c7f4a88e upstream.
    
    It breaks the build due to the 'remove_new' callback not being present.
    Revert it in order to fix the build in the android13-5.15 tree.
    
    Change-Id: I22d25ef61b65ccf0f14a71f4e2a76c3f78486286
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    gregkh committed Oct 26, 2023
    317c6c3
  3. Merge 5.15.136 into android13-5.15-lts

    Changes in 5.15.136
    	iommu/vt-d: Avoid memory allocation in iommu_suspend()
    	scsi: core: Use a structure member to track the SCSI command submitter
    	scsi: core: Rename scsi_mq_done() into scsi_done() and export it
    	scsi: ib_srp: Call scsi_done() directly
    	RDMA/srp: Do not call scsi_done() from srp_abort()
    	RDMA/cxgb4: Check skb value for failure to allocate
    	perf/arm-cmn: Fix the unhandled overflow status of counter 4 to 7
    	of: overlay: Reorder struct fragment fields kerneldoc
    	platform/x86: think-lmi: Fix reference leak
    	platform/x86: hp-wmi:: Mark driver struct with __refdata to prevent section mismatch warning
    	lib/test_meminit: fix off-by-one error in test_pages()
    	HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect
    	quota: Fix slow quotaoff
    	net: prevent address rewrite in kernel_bind()
    	ALSA: usb-audio: Fix microphone sound on Opencomm2 Headset
    	KEYS: trusted: allow use of kernel RNG for key material
    	KEYS: trusted: Remove redundant static calls usage
    	drm/msm/dp: do not reinitialize phy unless retry during link training
    	drm/msm/dsi: skip the wait for video mode done if not applicable
    	drm/msm/dsi: fix irq_of_parse_and_map() error checking
    	drm/msm/dpu: change _dpu_plane_calc_bw() to use u64 to avoid overflow
    	ravb: Fix up dma_free_coherent() call in ravb_remove()
    	ravb: Fix use-after-free issue in ravb_tx_timeout_work()
    	ieee802154: ca8210: Fix a potential UAF in ca8210_probe
    	mlxsw: fix mlxsw_sp2_nve_vxlan_learning_set() return type
    	eth: remove copies of the NAPI_POLL_WEIGHT define
    	xen-netback: use default TX queue size for vifs
    	riscv, bpf: Factor out emit_call for kernel and bpf context
    	riscv, bpf: Sign-extend return values
    	drm/vmwgfx: fix typo of sizeof argument
    	bpf: Fix verifier log for async callback return values
    	net: macsec: indicate next pn update when offloading
    	net: phy: mscc: macsec: reject PN update requests
    	ixgbe: fix crash with empty VF macvlan list
    	net/mlx5e: Again mutually exclude RX-FCS and RX-port-timestamp
    	net: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn()
    	net/smc: Fix pos miscalculation in statistics
    	pinctrl: renesas: rzn1: Enable missing PINMUX
    	nfc: nci: assert requested protocol is valid
    	workqueue: Override implicit ordered attribute in workqueue_apply_unbound_cpumask()
    	net: add sysctl accept_ra_min_rtr_lft
    	net: change accept_ra_min_rtr_lft to affect all RA lifetimes
    	net: release reference to inet6_dev pointer
    	media: mtk-jpeg: Fix use after free bug due to uncanceled work
    	dmaengine: stm32-mdma: abort resume if no ongoing transfer
    	xhci: Keep interrupt disabled in initialization until host is running.
    	usb: xhci: xhci-ring: Use sysdev for mapping bounce buffer
    	net: usb: dm9601: fix uninitialized variable use in dm9601_mdio_read
    	usb: dwc3: Soft reset phy on probe for host
    	usb: cdns3: Modify the return value of cdns_set_active () to void when CONFIG_PM_SLEEP is disabled
    	usb: musb: Get the musb_qh poniter after musb_giveback
    	usb: musb: Modify the "HWVers" register address
    	iio: pressure: bmp280: Fix NULL pointer exception
    	iio: pressure: dps310: Adjust Timeout Settings
    	iio: pressure: ms5611: ms5611_prom_is_valid false negative bug
    	drm/amdgpu: add missing NULL check
    	drm/amd/display: Don't set dpms_off for seamless boot
    	ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CBA
    	x86/cpu: Fix AMD erratum #1485 on Zen4-based CPUs
    	mcb: remove is_added flag from mcb_device struct
    	thunderbolt: Workaround an IOMMU fault on certain systems with Intel Maple Ridge
    	thunderbolt: Check that lane 1 is in CL0 before enabling lane bonding
    	libceph: use kernel_connect()
    	ceph: fix incorrect revoked caps assert in ceph_fill_file_size()
    	ceph: fix type promotion bug on 32bit systems
    	Input: powermate - fix use-after-free in powermate_config_complete
    	Input: psmouse - fix fast_reconnect function for PS/2 mode
    	Input: xpad - add PXN V900 support
    	Input: i8042 - add Fujitsu Lifebook E5411 to i8042 quirk table
    	Input: goodix - ensure int GPIO is in input for gpio_count == 1 && gpio_int_idx == 0 case
    	tee: amdtee: fix use-after-free vulnerability in amdtee_close_session
    	cgroup: Remove duplicates in cgroup v1 tasks file
    	pinctrl: avoid unsafe code pattern in find_pinctrl()
    	counter: microchip-tcb-capture: Fix the use of internal GCLK logic
    	usb: gadget: udc-xilinx: replace memcpy with memcpy_toio
    	usb: gadget: ncm: Handle decoding of multiple NTB's in unwrap call
    	usb: cdnsp: Fixes issue with dequeuing not queued requests
    	x86/alternatives: Disable KASAN in apply_alternatives()
    	dmaengine: idxd: use spin_lock_irqsave before wait_event_lock_irq
    	dmaengine: mediatek: Fix deadlock caused by synchronize_irq()
    	powerpc/8xx: Fix pte_access_permitted() for PAGE_NONE
    	powerpc/64e: Fix wrong test in __ptep_test_and_clear_young()
    	arm64: report EL1 UNDEFs better
    	arm64: die(): pass 'err' as long
    	arm64: consistently pass ESR_ELx to die()
    	arm64: rework FPAC exception handling
    	arm64: rework BTI exception handling
    	arm64: allow kprobes on EL0 handlers
    	arm64: split EL0/EL1 UNDEF handlers
    	arm64: factor out EL1 SSBS emulation hook
    	arm64: factor insn read out of call_undef_hook()
    	arm64: rework EL0 MRS emulation
    	arm64: armv8_deprecated: fold ops into insn_emulation
    	arm64: armv8_deprecated move emulation functions
    	arm64: armv8_deprecated: move aarch32 helper earlier
    	arm64: armv8_deprecated: rework deprected instruction handling
    	arm64: armv8_deprecated: fix unused-function error
    	Revert "kernel/sched: Modify initial boot task idle setup"
    	usb: hub: Guard against accesses to uninitialized BOS descriptors
    	eth: remove remaining copies of the NAPI_POLL_WEIGHT define
    	Linux 5.15.136
    
    Change-Id: I22c3d347cc5437f0607d0ab0c4ba392a75652d37
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    gregkh committed Oct 26, 2023
    e472d47
  4. Revert "net: phy: mscc: macsec: reject PN update requests"

    This reverts commit 935a153 which is
    commit e0a8c918daa58700609ebd45e3fcd49965be8bbc upstream.
    
    It breaks the Android KABI and is not needed at this time for any
    Android-relevant systems.
    
    Bug: 161946584
    Change-Id: Icc2bb21cc8f1432d765a4fbf279fdcd5ffffd281
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    gregkh committed Oct 26, 2023
    33c153d
  5. Revert "net: macsec: indicate next pn update when offloading"

    This reverts commit 667fe91 which is
    commit 0412cc846a1ef38697c3f321f9b174da91ecd3b5 upstream.
    
    It breaks the Android KABI and is not needed at this time for any
    Android-relevant systems.
    
    Bug: 161946584
    Change-Id: Ie12bd23d4099bec4dfebb062947ef7d1ea299d9b
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    gregkh committed Oct 26, 2023
    90ec783
  6. Revert "RDMA/srp: Do not call scsi_done() from srp_abort()"

    This reverts commit b9bdffb which is
    commit e193b7955dfad68035b983a0011f4ef3590c85eb upstream.
    
    It breaks the Android KABI and is not needed at this time for any
    Android-relevant systems.
    
    Bug: 161946584
    Change-Id: I90b5ec90e1ff0f4285cff3d1e195f0af4e0cda02
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    gregkh committed Oct 26, 2023
    53a5492
  7. Revert "scsi: ib_srp: Call scsi_done() directly"

    This reverts commit 7d49995 which is
    commit 5f9ae9eecb15ef00d89a5884add1117a8e634e7f upstream.
    
    It breaks the Android KABI and is not needed at this time for any
    Android-relevant systems.
    
    Bug: 161946584
    Change-Id: I4fc8f2c46f9c0ab0da91134905ab549e39faf378
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    gregkh committed Oct 26, 2023
    aa17a5f
  8. Revert "scsi: core: Rename scsi_mq_done() into scsi_done() and export it"

    This reverts commit d2746cd which is
    commit a710eacb9d13cb5d9eb5341ebc6fc8f7b96f8c6f upstream.
    
    It breaks the Android KABI and is not needed at this time for any
    Android-relevant systems.
    
    Bug: 161946584
    Change-Id: I7657431a5d17cb9f4155b223eeec57ec0e440e7a
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    gregkh committed Oct 26, 2023
    5448f20
  9. Revert "scsi: core: Use a structure member to track the SCSI command submitter"

    This reverts commit 8f2350e which is
    commit bf23e619039d360d503b7282d030daf2277a5d47 upstream.
    
    It breaks the Android KABI and is not needed at this time for any
    Android-relevant systems.
    
    Bug: 161946584
    Change-Id: I156b994dbccedface36e892e24fc439406b6c34b
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    gregkh committed Oct 26, 2023
    987f2b7
  10. Revert "net: release reference to inet6_dev pointer"

    This reverts commit 5e13e69 which is
    commit 5cb249686e67dbef3ffe53887fa725eefc5a7144 upstream.
    
    It breaks the Android ABI, and is already merged in the non-LTS branch
    in an abi-safe way.
    
    Bug: 161946584
    Change-Id: I563f7eb7ffb01d9681f6a1dbb0252ca32b94f856
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    gregkh committed Oct 26, 2023
    88545de
  11. Revert "net: change accept_ra_min_rtr_lft to affect all RA lifetimes"

    This reverts commit aade10d which is
    commit 5027d54a9c30bc7ec808360378e2b4753f053f25 upstream.
    
    It breaks the Android ABI, and is already merged in the non-LTS branch
    in an abi-safe way.
    
    Bug: 161946584
    Change-Id: I9f0f611a3ecbae0ae154ae465ff7472d8e98a1d8
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    gregkh committed Oct 26, 2023
    042c8b7
  12. Revert "net: add sysctl accept_ra_min_rtr_lft"

    This reverts commit 8f12d2d which is
    commit 1671bcfd76fdc0b9e65153cf759153083755fe4c upstream.
    
    It breaks the Android ABI, and is already merged in the non-LTS branch
    in an abi-safe way.
    
    Bug: 161946584
    Change-Id: Ie689c535c1f7c1c4a1e6af6805f400da625104c7
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    gregkh committed Oct 26, 2023
    558a246
  13. Merge 5.15.137 into android13-5.15-lts

    Changes in 5.15.137
    	lib/Kconfig.debug: do not enable DEBUG_PREEMPT by default
    	Documentation: sysctl: align cells in second content column
    	xfs: don't expose internal symlink metadata buffers to the vfs
    	Bluetooth: hci_event: Ignore NULL link key
    	Bluetooth: Reject connection with the device which has same BD_ADDR
    	Bluetooth: Fix a refcnt underflow problem for hci_conn
    	Bluetooth: vhci: Fix race when opening vhci device
    	Bluetooth: hci_event: Fix coding style
    	Bluetooth: avoid memcmp() out of bounds warning
    	ice: fix over-shifted variable
    	ice: reset first in crash dump kernels
    	nfc: nci: fix possible NULL pointer dereference in send_acknowledge()
    	regmap: fix NULL deref on lookup
    	KVM: x86: Mask LVTPC when handling a PMI
    	x86/sev: Disable MMIO emulation from user mode
    	x86/sev: Check IOBM for IOIO exceptions from user-space
    	x86/sev: Check for user-space IOIO pointing to kernel space
    	tcp: check mptcp-level constraints for backlog coalescing
    	fs/ntfs3: Fix possible null-pointer dereference in hdr_find_e()
    	fs/ntfs3: fix panic about slab-out-of-bounds caused by ntfs_list_ea()
    	fs/ntfs3: fix deadlock in mark_as_free_ex
    	netfilter: nft_payload: fix wrong mac header matching
    	nvmet-tcp: Fix a possible UAF in queue intialization setup
    	drm/i915: Retry gtt fault when out of fence registers
    	ASoC: codecs: wcd938x-sdw: fix use after free on driver unbind
    	ASoC: codecs: wcd938x-sdw: fix runtime PM imbalance on probe errors
    	ASoC: codecs: wcd938x: drop bogus bind error handling
    	ASoC: codecs: wcd938x: fix unbind tear down order
    	qed: fix LL2 RX buffer allocation
    	xfrm: fix a data-race in xfrm_gen_index()
    	xfrm: interface: use DEV_STATS_INC()
    	net: ipv4: fix return value check in esp_remove_trailer
    	net: ipv6: fix return value check in esp_remove_trailer
    	net: rfkill: gpio: prevent value glitch during probe
    	tcp: fix excessive TLP and RACK timeouts from HZ rounding
    	tcp: tsq: relax tcp_small_queue_check() when rtx queue contains a single skb
    	tun: prevent negative ifindex
    	ipv4: fib: annotate races around nh->nh_saddr_genid and nh->nh_saddr
    	net: usb: smsc95xx: Fix an error code in smsc95xx_reset()
    	i40e: prevent crash on probe if hw registers have invalid values
    	net: dsa: bcm_sf2: Fix possible memory leak in bcm_sf2_mdio_register()
    	bonding: Return pointer to data after pull on skb
    	net/sched: sch_hfsc: upgrade 'rt' to 'sc' when it becomes a inner curve
    	neighbor: tracing: Move pin6 inside CONFIG_IPV6=y section
    	netfilter: nft_set_rbtree: .deactivate fails if element has expired
    	netfilter: nf_tables: do not remove elements if set backend implements .abort
    	netfilter: nf_tables: revert do not remove elements if set backend implements .abort
    	net: pktgen: Fix interface flags printing
    	selftests/mm: fix awk usage in charge_reserved_hugetlb.sh and hugetlb_reparenting_test.sh that may cause error
    	serial: 8250: omap: Fix imprecise external abort for omap_8250_pm()
    	serial: 8250_omap: Fix errors with no_console_suspend
    	iio: Un-inline iio_buffer_enabled()
    	iio: core: Hide read accesses to iio_dev->currentmode
    	iio: core: introduce iio_device_{claim|release}_buffer_mode() APIs
    	iio: cros_ec: fix an use-after-free in cros_ec_sensors_push_data()
    	iio: adc: ad7192: Correct reference voltage
    	perf: Add irq and exception return branch types
    	perf/x86: Move branch classifier
    	perf/x86/lbr: Filter vsyscall addresses
    	drm/atomic-helper: relax unregistered connector check
    	powerpc/32s: Remove capability to disable KUEP at boottime
    	powerpc/32s: Do kuep_lock() and kuep_unlock() in assembly
    	powerpc/47x: Fix 47x syscall return crash
    	mctp: Allow local delivery to the null EID
    	mctp: perform route lookups under a RCU read-side lock
    	nfp: flower: avoid rmmod nfp crash issues
    	ksmbd: not allow to open file if delelete on close bit is set
    	ARM: dts: ti: omap: Fix noisy serial with overrun-throttle-ms for mapphone
    	fs-writeback: do not requeue a clean inode having skipped pages
    	btrfs: return -EUCLEAN for delayed tree ref with a ref count not equals to 1
    	btrfs: initialize start_slot in btrfs_log_prealloc_extents
    	i2c: mux: Avoid potential false error message in i2c_mux_add_adapter
    	overlayfs: set ctime when setting mtime and atime
    	gpio: timberdale: Fix potential deadlock on &tgpio->lock
    	ata: libata-core: Fix compilation warning in ata_dev_config_ncq()
    	ata: libata-eh: Fix compilation warning in ata_eh_link_report()
    	tracing: relax trace_event_eval_update() execution with cond_resched()
    	wifi: mwifiex: Sanity check tlv_len and tlv_bitmap_len
    	wifi: iwlwifi: Ensure ack flag is properly cleared.
    	HID: holtek: fix slab-out-of-bounds Write in holtek_kbd_input_event
    	Bluetooth: btusb: add shutdown function for QCA6174
    	Bluetooth: Avoid redundant authentication
    	Bluetooth: hci_core: Fix build warnings
    	wifi: cfg80211: Fix 6GHz scan configuration
    	wifi: mac80211: allow transmitting EAPOL frames with tainted key
    	wifi: cfg80211: avoid leaking stack data into trace
    	regulator/core: Revert "fix kobject release warning and memory leak in regulator_register()"
    	sky2: Make sure there is at least one frag_addr available
    	ipv4/fib: send notify when delete source address routes
    	drm: panel-orientation-quirks: Add quirk for One Mix 2S
    	btrfs: fix some -Wmaybe-uninitialized warnings in ioctl.c
    	btrfs: error out when COWing block using a stale transaction
    	btrfs: error when COWing block from a root that is being deleted
    	btrfs: error out when reallocating block for defrag using a stale transaction
    	HID: multitouch: Add required quirk for Synaptics 0xcd7e device
    	platform/x86: touchscreen_dmi: Add info for the Positivo C4128B
    	net/mlx5: Handle fw tracer change ownership event based on MTRC
    	Bluetooth: hci_event: Fix using memcmp when comparing keys
    	net: introduce a function to check if a netdev name is in use
    	net: move from strlcpy with unused retval to strscpy
    	net: fix ifname in netlink ntf during netns move
    	mtd: rawnand: qcom: Unmap the right resource upon probe failure
    	mtd: rawnand: pl353: Ensure program page operations are successful
    	mtd: rawnand: marvell: Ensure program page operations are successful
    	mtd: rawnand: arasan: Ensure program page operations are successful
    	mtd: spinand: micron: correct bitmask for ecc status
    	mtd: physmap-core: Restore map_rom fallback
    	mmc: mtk-sd: Use readl_poll_timeout_atomic in msdc_reset_hw
    	mmc: core: sdio: hold retuning if sdio in 1-bit mode
    	mmc: core: Capture correct oemid-bits for eMMC cards
    	Revert "pinctrl: avoid unsafe code pattern in find_pinctrl()"
    	pNFS: Fix a hang in nfs4_evict_inode()
    	NFSv4.1: fixup use EXCHGID4_FLAG_USE_PNFS_DS for DS server
    	ACPI: irq: Fix incorrect return value in acpi_register_gsi()
    	nvme-pci: add BOGUS_NID for Intel 0a54 device
    	nvme-rdma: do not try to stop unallocated queues
    	USB: serial: option: add Telit LE910C4-WWX 0x1035 composition
    	USB: serial: option: add entry for Sierra EM9191 with new firmware
    	USB: serial: option: add Fibocom to DELL custom modem FM101R-GL
    	perf: Disallow mis-matched inherited group reads
    	s390/pci: fix iommu bitmap allocation
    	selftests/ftrace: Add new test case which checks non unique symbol
    	s390/cio: fix a memleak in css_alloc_subchannel
    	platform/surface: platform_profile: Propagate error if profile registration fails
    	platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from 0x20 to 0x2e
    	platform/x86: asus-wmi: Map 0x2a code, Ignore 0x2b and 0x2c events
    	gpio: vf610: set value before the direction to avoid a glitch
    	ASoC: pxa: fix a memory leak in probe()
    	serial: 8250: omap: Move uart_write() inside PM section
    	phy: mapphone-mdm6600: Fix runtime disable on probe
    	phy: mapphone-mdm6600: Fix runtime PM for remove
    	phy: mapphone-mdm6600: Fix pinctrl_pm handling for sleep pins
    	Bluetooth: hci_sock: fix slab oob read in create_monitor_event
    	Bluetooth: hci_sock: Correctly bounds check and pad HCI_MON_NEW_INDEX name
    	xfrm6: fix inet6_dev refcount underflow problem
    	Linux 5.15.137
    
    Change-Id: If6dcdd53e1db2e35a053ce57df3fcd16b956563a
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    gregkh committed Oct 26, 2023
    a7c5fe8
  14. ANDROID: GKI: arm64: drop CONFIG_DEBUG_PREEMPT forced disable

    In commit 1815844 ("lib/Kconfig.debug: do not enable DEBUG_PREEMPT
    by default"), DEBUG_PREEMPT is not enabled by default, so our explicit
    turning it off is no longer needed.  This fixes the arm64 gki builds.
    
    Fixes: 1815844 ("lib/Kconfig.debug: do not enable DEBUG_PREEMPT by default")
    Change-Id: I4491bceb3735d966731717f13b1e2395c9b7206a
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    gregkh committed Oct 26, 2023
    ea135f6
  15. Revert "xfrm: interface: use DEV_STATS_INC()"

    This reverts commit 26a3c73 which is
    commit f7c4e3e5d4f6609b4725a97451948ca2e425379a upstream.
    
    It breaks the build as it relies on a commit that was earlier reverted
    due to breaking the Android abi.  If this is needed in the future, it
    can be brought back in an abi-safe way.
    
    Change-Id: Icdda6ca3ef3d208043dcac2bcb0b227307d70da3
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    gregkh committed Oct 26, 2023
    ca21a66
  16. Revert "Bluetooth: hci_core: Fix build warnings"

    This reverts commit bbec172 which is
    commit dcda165706b9fbfd685898d46a6749d7d397e0c0 upstream.
    
    It breaks the android ABI and if this is needed in the future, can be
    brought back in an abi-safe way.
    
    Bug: 161946584
    Change-Id: I4a64dca20bcdfe9cbe33fc23c7d3d1b252f4b873
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    gregkh committed Oct 26, 2023
    1706e8a
  17. Revert "xfrm: fix a data-race in xfrm_gen_index()"

    This reverts commit f8bc4b7 which is
    commit 3e4bc23926b83c3c67e5f61ae8571602754131a6 upstream.
    
    It breaks the android ABI and if this is needed in the future, can be
    brought back in an abi-safe way.
    
    Bug: 161946584
    Change-Id: I6af8ce540570c756ea9f16526c36f8815971e216
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    gregkh committed Oct 26, 2023
    0e202e5
  18. Revert "perf: Disallow mis-matched inherited group reads"

    This reverts commit 71d224a which is
    commit 32671e3799ca2e4590773fd0e63aaa4229e50c06 upstream.
    
    It breaks the android ABI and if this is needed in the future, can be
    brought back in an abi-safe way.
    
    Bug: 161946584
    Change-Id: Ia00890aeeef6153c7f3462a2a2189149734ac28a
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    gregkh committed Oct 26, 2023
    96e78d1
  19. ANDROID: GKI: Update symbol list for Tuxera

    4 function symbol(s) added
      'int block_read_full_page(struct page *, get_block_t *)'
      'void inode_add_bytes(struct inode *, loff_t)'
      'int try_to_free_buffers(struct page *)'
      'int utf32_to_utf8(unicode_t, u8 *, int)'
    
    1 variable symbol(s) added
      'unsigned int dirty_writeback_interval'
    
    Bug: 307761441
    Change-Id: I32c48bc74937b3d82abd0534f3afd731fe36db34
    Signed-off-by: Aaro Mäkinen <[email protected]>
    Aaro Mäkinen authored and Treehugger Robot committed Oct 26, 2023
    1027701

Commits on Oct 27, 2023

  1. Revert "ipv4/fib: send notify when delete source address routes"

    This reverts commit d5ba30e which is
    commit 4b2b606075e50cdae62ab2356b0a1e206947c354 upstream.
    
    It breaks the android ABI and if this is needed in the future, can be
    brought back in an abi-safe way.
    
    Bug: 161946584
    Change-Id: I445b109db38243faa7154021212e3f7ca0ad820f
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    gregkh committed Oct 27, 2023
    61cfd26

Commits on Oct 30, 2023

  1. UPSTREAM: ravb: Fix up dma_free_coherent() call in ravb_remove()

    [ Upstream commit e6864af61493113558c502b5cd0d754c19b93277 ]
    
    In ravb_remove(), dma_free_coherent() should be called after
    unregister_netdev(). Otherwise, this controller is possible to use
    the freed buffer.
    
    Bug: 289003868
    Fixes: c156633 ("Renesas Ethernet AVB driver proper")
    Signed-off-by: Yoshihiro Shimoda <[email protected]>
    Reviewed-by: Sergey Shtylyov <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    (cherry picked from commit 3f9295ad7f9478e65debcef496da4e4eb83db5ea)
    Signed-off-by: Lee Jones <[email protected]>
    Change-Id: I8e7da5816f715307c7d8bcd881a2a5ecb52439bb
    shimoday authored and lag-google committed Oct 30, 2023
    a82ccd7
  2. UPSTREAM: ravb: Fix use-after-free issue in ravb_tx_timeout_work()

    [ Upstream commit 3971442870713de527684398416970cf025b4f89 ]
    
    The ravb_stop() should call cancel_work_sync(). Otherwise,
    ravb_tx_timeout_work() is possible to use the freed priv after
    ravb_remove() was called like below:
    
    CPU0			CPU1
    			ravb_tx_timeout()
    ravb_remove()
    unregister_netdev()
    free_netdev(ndev)
    // free priv
    			ravb_tx_timeout_work()
    			// use priv
    
    unregister_netdev() will call .ndo_stop() so that ravb_stop() is
    called. And, after phy_stop() is called, netif_carrier_off()
    is also called. So that .ndo_tx_timeout() will not be called
    after phy_stop().
    
    Bug: 289003868
    Fixes: c156633 ("Renesas Ethernet AVB driver proper")
    Reported-by: Zheng Wang <[email protected]>
    Closes: https://lore.kernel.org/netdev/[email protected]/
    Signed-off-by: Yoshihiro Shimoda <[email protected]>
    Reviewed-by: Sergey Shtylyov <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    (cherry picked from commit 6f6fa8061f756aedb93af12a8a5d3cf659127965)
    Signed-off-by: Lee Jones <[email protected]>
    Change-Id: I36fcd769d93817adaa04162cae0b54b1addbb9bf
    shimoday authored and lag-google committed Oct 30, 2023
    ff64284
  3. UPSTREAM: usb: gadget: uvc: clean up comments and styling in video_pump

    This patch elaborates on some of the edge cases handled by
    video_pump around setting no_interrupt flag, and brings the
    code style in line with rest of the file.
    
    Link: https://lore.kernel.org/[email protected]/
    Signed-off-by: Avichal Rakesh <[email protected]>
    Reviewed-by: Laurent Pinchart <[email protected]>
    Message-ID: <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    
    Bug: 301887900
    Change-Id: Ie5f28e8d8f55158e32e0ff03b79f0f18cce7d6af
    (cherry picked from commit 5ae8a35459e77fd9ddb1844baa8c736fc0223847
     https://kernel.googlesource.com/pub/scm/linux/kernel/git/gregkh/usb usb-next)
    Signed-off-by: Avichal Rakesh <[email protected]>
    Avichal Rakesh committed Oct 30, 2023
    0f24a9e
  4. UPSTREAM: usb: gadget: function: Remove unused declarations

    These declarations are not implemented anymore, remove them.
    
    Signed-off-by: Yue Haibing <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    
    Bug: 301887900
    Change-Id: Ib1ac4d7ecada70d467cd9b2d688f13ba3797a05c
    (cherry picked from commit ae257611573cde279d31be3961a59e255f567fb0
     https://kernel.googlesource.com/pub/scm/linux/kernel/git/gregkh/usb usb-next)
    Signed-off-by: Avichal Rakesh <[email protected]>
    Yue Haibing authored and Avichal Rakesh committed Oct 30, 2023
    b153f0c
  5. UPSTREAM: usb: gadget: f_uvc: change endpoint allocation in uvc_function_bind()
    
    when call uvc_function_bind(), gadget still have no connection speed,
    just follow other gadget function, use fs endpoint descriptor to allocate
    a video endpoint, remove gadget_is_{super|dual}speed() API call.
    
    Signed-off-by: Linyu Yuan <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    
    Bug: 301887900
    Change-Id: I076e51716e4bab7a70a43ad3e080b4c4e110c9db
    (cherry picked from commit 3c5b006f3ee800b4bd9ed37b3a8f271b8560126e
     https://kernel.googlesource.com/pub/scm/linux/kernel/git/gregkh/usb usb-next)
    Signed-off-by: Avichal Rakesh <[email protected]>
    Linyu Yuan authored and Avichal Rakesh committed Oct 30, 2023
    85156cf
  6. BACKPORT: usb: gadget: unconditionally allocate hs/ss descriptor in bind operation
    
    Take f_midi_bind() for example,  when composite layer call it, it will
    allocate hs descriptor by calling gadget_is_dualspeed() API to check
    gadget max support speed capability, but most other gadget function didn't
    do like this.
    
    To follow other function drivers, it is safe to remove the check which
    mean support all possible link speed by default in function driver.
    
    Similar change apply to midi2 and uvc.
    
    Also in midi and midi2, as there is no descriptor difference between
    super speed and super speed plus, follow other gadget function drivers,
    do not allocate descriptor for super speed plus, composite layer will
    handle it properly.
    
    Signed-off-by: Linyu Yuan <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    
    Bug: 301887900
    Change-Id: I8b287266b3973c66e559bd3eea9adbe95e051be7
    (cherry picked from commit 46decc82ffd54212cc2c600031daec6e835a6503
     https://kernel.googlesource.com/pub/scm/linux/kernel/git/gregkh/usb usb-next)
    [arakesh: f_midi2.c doesn't exist, so dropped those changes]
    Signed-off-by: Avichal Rakesh <[email protected]>
    Linyu Yuan authored and Avichal Rakesh committed Oct 30, 2023
    df15bb1
  7. BACKPORT: usb: gadget: uvc: Add missing initialization of ssp config descriptor
    
    In case the uvc gadget is super speed plus, the corresponding config
    descriptor wasn't initialized. As a result, the host will not recognize
    the devices when using super speed plus connection.
    
    This patch initializes them to super speed descriptors.
    
    Reviewed-by: Laurent Pinchart <[email protected]>
    Signed-off-by: Shuzhen Wang <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    
    Bug: 301887900
    Change-Id: I79c699bafaf959990da3a8101c8bfe0f8dabf72f
    (cherry picked from commit c70793fb7632a153862ee9060e6d48131469a29c
     https://kernel.googlesource.com/pub/scm/linux/kernel/git/gregkh/usb usb-next)
    [arakesh: Resolved minor merge conflicts in f_uvc.c]
    Signed-off-by: Avichal Rakesh <[email protected]>
    shuzhenwang authored and Avichal Rakesh committed Oct 30, 2023
    373d867

Commits on Oct 31, 2023

  1. UPSTREAM: netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c
    
    commit 050d91c03b28ca479df13dfb02bcd2c60dd6a878 upstream.
    
    The missing IP_SET_HASH_WITH_NET0 macro in ip_set_hash_netportnet can
    lead to the use of wrong `CIDR_POS(c)` for calculating array offsets,
    which can lead to integer underflow. As a result, it leads to slab
    out-of-bound access.
    This patch adds back the IP_SET_HASH_WITH_NET0 macro to
    ip_set_hash_netportnet to address the issue.
    
    Bug: 302199939
    Fixes: 886503f ("netfilter: ipset: actually allow allowable CIDR 0 in hash:net,port,net")
    Suggested-by: Jozsef Kadlecsik <[email protected]>
    Signed-off-by: Kyle Zeng <[email protected]>
    Acked-by: Jozsef Kadlecsik <[email protected]>
    Signed-off-by: Florian Westphal <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    (cherry picked from commit a9e6142)
    Signed-off-by: Lee Jones <[email protected]>
    Change-Id: I11cc1650e7df9d54041164b6bdb01f3a0de46de4
    Kyle-Kyle authored and Treehugger Robot committed Oct 31, 2023
    c85178c

Commits on Nov 3, 2023

  1. ANDROID: ABI: Update symbols to unisoc whitelist

    Update whitelist for the symbols used by the unisoc in abi_gki_aarch64_unisoc.
    Also changes happened to the abi_gki_aarch64.xml file.
    
    1 symbol(s) added
      'u16 vlan_dev_vlan_id(const struct net_device *dev)'
    
    2 symbol(s) added
      'struct net_device *vlan_dev_real_dev(const struct net_device *dev)'
    
    Bug: 308822565
    
    Change-Id: Ia27c300c5716608a3732333e0a5dce64dfd93461
    Signed-off-by: cathy.cai <[email protected]>
    cathy.cai authored and metti committed Nov 3, 2023
    85ccc4a

Commits on Nov 6, 2023

  1. ANDROID: abi_gki_aarch64_qcom: Update QCOM symbol list

    Only update QCOM abi-list with usb-net related APIs
    They are already in abi_gki_aarch64.xml.
    
    27 function symbol(s) added
      dev_get_tstats64
      eth_platform_mac_address
      generic_mii_ioctl
      mii_check_media
      mii_ethtool_gset
      usb_autopm_get_interface_async
      usb_autopm_put_interface_async
      usbnet_disconnect
      usbnet_get_endpoints
      usbnet_get_msglevel
      usbnet_link_change
      usbnet_nway_reset
      usbnet_open
      usbnet_probe
      usbnet_read_cmd
      usbnet_read_cmd_nopm
      usbnet_resume
      usbnet_set_msglevel
      usbnet_skb_return
      usbnet_start_xmit
      usbnet_stop
      usbnet_suspend
      usbnet_tx_timeout
      usbnet_update_max_qlen
      usbnet_write_cmd
      usbnet_write_cmd_async
      usbnet_write_cmd_nopm
    
    Bug: 309359608
    Change-Id: I062391bafa884cec6b7be5794077c3398e598c05
    Signed-off-by: Zhezhe Song <[email protected]>
    Zhezhe Song committed Nov 6, 2023
    f0033a7
  2. FROMGIT: ufs: core: wlun send SSU timeout recovery

    When runtime pm send SSU times out, the SCSI core invokes
    eh_host_reset_handler, which hooks function ufshcd_eh_host_reset_handler
    schedule eh_work and stuck at wait flush_work(&hba->eh_work).
    However, ufshcd_err_handler hangs in wait rpm resume.
    Do link recovery only in this case.
    Below is IO hang stack dump in kernel-6.1
    
    kworker/4:0     D
    <ffffffd7d31f6fb4> __switch_to+0x180/0x344
    <ffffffd7d31f779c> __schedule+0x5ec/0xa14
    <ffffffd7d31f7c3c> schedule+0x78/0xe0
    <ffffffd7d31fefbc> schedule_timeout+0xb0/0x15c
    <ffffffd7d31f8120> io_schedule_timeout+0x48/0x70
    <ffffffd7d31f8e40> do_wait_for_common+0x108/0x19c
    <ffffffd7d31f837c> wait_for_completion_io_timeout+0x50/0x78
    <ffffffd7d2876bc0> blk_execute_rq+0x1b8/0x218
    <ffffffd7d2b4297c> scsi_execute_cmd+0x148/0x238
    <ffffffd7d2da7358> ufshcd_set_dev_pwr_mode+0xe8/0x244
    <ffffffd7d2da7e40> __ufshcd_wl_resume+0x1e0/0x45c
    <ffffffd7d2da7b28> ufshcd_wl_runtime_resume+0x3c/0x174
    <ffffffd7d2b4f290> scsi_runtime_resume+0x7c/0xc8
    <ffffffd7d2ae1d48> __rpm_callback+0xa0/0x410
    <ffffffd7d2ae0128> rpm_resume+0x43c/0x67c
    <ffffffd7d2ae1e98> __rpm_callback+0x1f0/0x410
    <ffffffd7d2ae014c> rpm_resume+0x460/0x67c
    <ffffffd7d2ae1450> pm_runtime_work+0xa4/0xac
    <ffffffd7d22e39ac> process_one_work+0x208/0x598
    <ffffffd7d22e3fc0> worker_thread+0x228/0x438
    <ffffffd7d22eb038> kthread+0x104/0x1d4
    <ffffffd7d22171a0> ret_from_fork+0x10/0x20
    
    scsi_eh_0       D
    <ffffffd7d31f6fb4> __switch_to+0x180/0x344
    <ffffffd7d31f779c> __schedule+0x5ec/0xa14
    <ffffffd7d31f7c3c> schedule+0x78/0xe0
    <ffffffd7d31fef50> schedule_timeout+0x44/0x15c
    <ffffffd7d31f8e40> do_wait_for_common+0x108/0x19c
    <ffffffd7d31f8234> wait_for_completion+0x48/0x64
    <ffffffd7d22deb88> __flush_work+0x260/0x2d0
    <ffffffd7d22de918> flush_work+0x10/0x20
    <ffffffd7d2da4728> ufshcd_eh_host_reset_handler+0x88/0xcc
    <ffffffd7d2b41da4> scsi_try_host_reset+0x48/0xe0
    <ffffffd7d2b410fc> scsi_eh_ready_devs+0x934/0xa40
    <ffffffd7d2b41618> scsi_error_handler+0x168/0x374
    <ffffffd7d22eb038> kthread+0x104/0x1d4
    <ffffffd7d22171a0> ret_from_fork+0x10/0x20
    
    kworker/u16:5   D
    <ffffffd7d31f6fb4> __switch_to+0x180/0x344
    <ffffffd7d31f779c> __schedule+0x5ec/0xa14
    <ffffffd7d31f7c3c> schedule+0x78/0xe0
    <ffffffd7d2adfe00> rpm_resume+0x114/0x67c
    <ffffffd7d2adfca8> __pm_runtime_resume+0x70/0xb4
    <ffffffd7d2d9cf48> ufshcd_err_handler+0x1a0/0xe68
    <ffffffd7d22e39ac> process_one_work+0x208/0x598
    <ffffffd7d22e3fc0> worker_thread+0x228/0x438
    <ffffffd7d22eb038> kthread+0x104/0x1d4
    <ffffffd7d22171a0> ret_from_fork+0x10/0x20
    
    (cherry picked from commit 971237b900c38f50e7865289a2aecb77dc7f09f3
    https://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git for-next)
    Link: https://lore.kernel.org/all/[email protected]/
    Change-Id: I51d4ddec2be7ef71fd333ca7658539f38eeb8c31
    Signed-off-by: Peter Wang <[email protected]>
    Reviewed-by: Bart Van Assche <[email protected]>
    Reviewed-by: Stanley Chu <[email protected]>
    Signed-off-by: Peng Zhou <[email protected]>
    ptr324 authored and metti committed Nov 6, 2023
    e4cb5ea
  3. UPSTREAM: vringh: don't use vringh_kiov_advance() in vringh_iov_xfer()

    commit 7aed44babc7f97e82b38e9a68515e699692cc100 upstream.
    
    In the while loop of vringh_iov_xfer(), `partlen` could be 0 if one of
    the `iov` has 0 length.
    In this case, we should skip the iov and go to the next one.
    But calling vringh_kiov_advance() with 0 length does not cause the
    advancement, since it returns immediately if asked to advance by 0 bytes.
    
    Let's restore the code that was there before commit b8c06ad
    ("vringh: implement vringh_kiov_advance()"), avoiding using
    vringh_kiov_advance().
    
    Bug: 302200656
    Fixes: b8c06ad ("vringh: implement vringh_kiov_advance()")
    Cc: [email protected]
    Reported-by: Jason Wang <[email protected]>
    Signed-off-by: Stefano Garzarella <[email protected]>
    Acked-by: Jason Wang <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    (cherry picked from commit 3a72decd6b49ff11a894aabd4d9b3025f046fe61)
    Signed-off-by: Lee Jones <[email protected]>
    Change-Id: I5ed14650aca07e0f8d52023cf148bd63e87d04c9
    stefano-garzarella authored and Treehugger Robot committed Nov 6, 2023
    46b8053
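
The stall described in the commit above, as an added example that is not part of the commit or the kernel source: a simplified userspace model in which `struct seg_iter`, `iter_advance()`, `xfer_with_helper()` and `xfer_inline()` are hypothetical stand-ins for the vringh iterator, its advance helper and the two loop variants. The helper variant reports a stall at the point where the real loop would stop advancing; the inline variant steps past the empty segment.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of a segment iterator (not struct vringh_kiov). */
struct seg { char *base; size_t len; };

struct seg_iter {
    struct seg *seg;   /* array of segments */
    size_t used;       /* number of segments in the array */
    size_t i;          /* index of the current segment */
    size_t consumed;   /* bytes already consumed from seg[i] */
};

/* Advance helper with the property the commit message describes:
 * asked to advance by 0 bytes, it returns without touching the iterator. */
static void iter_advance(struct seg_iter *it, size_t len)
{
    while (len && it->i < it->used) {
        size_t part = it->seg[it->i].len - it->consumed;
        if (part > len)
            part = len;
        it->consumed += part;
        len -= part;
        if (it->consumed == it->seg[it->i].len) {
            it->consumed = 0;
            it->i++;
        }
    }
}

/* Loop that delegates advancement to the helper. Returns bytes copied,
 * or -1 when an iteration makes no progress (the real loop would spin here). */
static long xfer_with_helper(struct seg_iter *it, char *dst, size_t len)
{
    size_t done = 0;

    while (len && it->i < it->used) {
        size_t part = it->seg[it->i].len - it->consumed;
        size_t old_i = it->i, old_consumed = it->consumed;

        if (part > len)
            part = len;
        if (part)
            memcpy(dst + done, it->seg[it->i].base + it->consumed, part);
        done += part;
        len -= part;

        iter_advance(it, part);          /* part == 0: nothing happens */
        if (it->i == old_i && it->consumed == old_consumed)
            return -1;                   /* stuck on a zero-length segment */
    }
    return (long)done;
}

/* Loop that advances inline, so a zero-length segment is skipped:
 * consumed == len holds trivially for it and the index moves on. */
static long xfer_inline(struct seg_iter *it, char *dst, size_t len)
{
    size_t done = 0;

    while (len && it->i < it->used) {
        size_t part = it->seg[it->i].len - it->consumed;

        if (part > len)
            part = len;
        if (part)
            memcpy(dst + done, it->seg[it->i].base + it->consumed, part);
        done += part;
        len -= part;

        it->consumed += part;
        if (it->consumed == it->seg[it->i].len) {
            it->consumed = 0;
            it->i++;
        }
    }
    return (long)done;
}

/* Constructed input: three segments, the middle one empty. */
static long run_demo(int use_helper, char *out)
{
    static char a[] = "abc", b[] = "", c[] = "def";
    struct seg segs[] = { { a, 3 }, { b, 0 }, { c, 3 } };
    struct seg_iter it = { segs, 3, 0, 0 };

    return use_helper ? xfer_with_helper(&it, out, 6)
                      : xfer_inline(&it, out, 6);
}

int main(void)
{
    char out[8] = { 0 };

    printf("helper variant: %ld\n", run_demo(1, out));
    memset(out, 0, sizeof(out));
    printf("inline variant: %ld (%s)\n", run_demo(0, out), out);
    return 0;
}
```
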
  4. BACKPORT: serial: 8250_pci: add support for ASIX AX99100

    Each of the 4 PCI functions on ASIX AX99100 PCIe to Multi I/O
    Controller can be configured as a single-port serial port controller.
    The subvendor id is 0x1000 when configured as serial port and MSI
    interrupts are supported.
    
    Signed-off-by: Jiaqing Zhao <[email protected]>
    Reviewed-by: Andy Shevchenko <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    
    (cherry picked from commit 0b32216557ce3b2a468d1282d99b428bf72ff532)
    [qiang: Add AX99100 definitions in include/linux/pci_ids.h ]
    Tracked-On: OAM-112839
    Signed-off-by: Qiang Zhang <[email protected]>
    jiaqingz-intel authored and JeevakaPrabu committed Nov 6, 2023
    30e0cb0
  5. BACKPORT: x86/mm: Do not shuffle CPU entry areas without KASLR

    The commit 97e3d26b5e5f ("x86/mm: Randomize per-cpu entry area") fixed
    an omission of KASLR on CPU entry areas. It doesn't take into account
    KASLR switches though, which may result in unintended non-determinism
    when a user wants to avoid it (e.g. debugging, benchmarking).
    
    Generate only a single combination of CPU entry areas offsets -- the
    linear array that existed prior randomization when KASLR is turned off.
    
    Since we have 3f148f331814 ("x86/kasan: Map shadow for percpu pages on
    demand") and followups, we can use the more relaxed guard
    kaslr_enabled() (in contrast to kaslr_memory_enabled()).
    
    Cc: [email protected]
    Link: https://lore.kernel.org/all/20230306193144.24605-1-mkoutny%40suse.com
    Fixes: 97e3d26b5e5f ("x86/mm: Randomize per-cpu entry area")
    Signed-off-by: Michal Koutný <[email protected]>
    Signed-off-by: Dave Hansen <[email protected]>
    Tracked-On: OAM-112556
    Werkov authored and JeevakaPrabu committed Nov 6, 2023
    0a4c109
  6. FROMLIST: ALSA: virtio: add support for audio controls

    Implementation of support for audio controls in accordance with the
    extension of the virtio sound device specification [1] planned for
    virtio-v1.3-cs01.
    
    The device can announce the VIRTIO_SND_F_CTLS feature. If the feature is
    negotiated, then an additional field appears in the configuration space:
    
      struct virtio_snd_config {
        ...
        /* number of available control elements */
        __le32 controls;
      };
    
    The driver can send the following requests to manage audio controls:
    
      enum {
        ...
        /* control element request types */
        VIRTIO_SND_R_CTL_INFO = 0x0300,
        VIRTIO_SND_R_CTL_ENUM_ITEMS,
        VIRTIO_SND_R_CTL_READ,
        VIRTIO_SND_R_CTL_WRITE,
        VIRTIO_SND_R_CTL_TLV_READ,
        VIRTIO_SND_R_CTL_TLV_WRITE,
        VIRTIO_SND_R_CTL_TLV_COMMAND,
        ...
      };
    
    And the device can send the following audio control event notification:
    
      enum {
        ...
        /* control element event types */
        VIRTIO_SND_EVT_CTL_NOTIFY = 0x1200,
        ...
      };
    
    See additional details in [1].
    [1] https://lists.oasis-open.org/archives/virtio-comment/202104/msg00013.html
    Signed-off-by: Anton Yakovlev <[email protected]>
    Signed-off-by: Aiswarya Cyriac <[email protected]>
    
    Tracked-On: OAM-111318
    Signed-off-by: Wan, Xinxin <[email protected]>
    Signed-off-by: Chen, Haochuan <[email protected]>
    xinxin-wan authored and JeevakaPrabu committed Nov 6, 2023
    fb24bcd
  7. Add i2s_boards in avs driver for RPL

    Tests Done:
    - RPL system with RT5640 audio board bootup and playback works
    
    Tracked-On: OAM-112961
    Signed-off-by: Chen, Haochuan <[email protected]>
    haochuan1982 authored and JeevakaPrabu committed Nov 6, 2023
    75f4c36
  8. BACKPORT:ACPI: fan: Fix error reporting to user space

    When user get/set cur_state fails, it should be some negative error
    value instead of whatever returned by acpi_evaluate_object() or from
    acpi_execute_simple_method(). The return value from these apis is
    some positive values greater than 0. For example if AE_NOT_FOUND
    is returned it will be "5".
    
    In other ACPI drivers, -ENODEV is returned when ACPI_FAILURE(status)
    is true. Do the same thing here for thermal sysfs callbacks for
    get and set for failures.
    
    Signed-off-by: Srinivas Pandruvada <[email protected]>
    Signed-off-by: Rafael J. Wysocki <[email protected]>
    
    [Cherry picked from commit 9ddb00a2a136cc6ebbf6ee32fcf527d0d66044a2
    Backport Kernel patches from 5.18 for reporting fan speed in sysfs]
    Tracked-On: OAM-112713
    Signed-off-by: vraghavulu <[email protected]>
    spandruvada authored and JeevakaPrabu committed Nov 6, 2023
    ade97d8
  9. BACKPORT:ACPI: fan: Separate file for attributes creation

    Move the functionality of creation of sysfs attributes under acpi device
    to a new file fan_attr.c. This cleans up the core fan code, which just
    use thermal sysfs interface. The original fan.c is renamed to
    fan_core.c.
    
    No functional changes are expected.
    
    Signed-off-by: Srinivas Pandruvada <[email protected]>
    Signed-off-by: Rafael J. Wysocki <[email protected]>
    
    [cherry picked from commit 00ae053a0533155d830da27070a931e6fa747327
    Backport Kernel patches from 5.18 for reporting fan speed in sysfs]
    Tracked-On: OAM-112713
    Signed-off-by: vraghavulu <[email protected]>
    spandruvada authored and JeevakaPrabu committed Nov 6, 2023
    2beec6e
  10. BACKPORT: ACPI: fan: Optimize struct acpi_fan_fif

    We don't need u64 to store the information about _FIF. There are two
    booleans (fine_grain_ctrl and low_speed_notification) and one field
    step_size which can take value from 1-9. There are no internal users
    of revision field. So convert all fields to u8, by not directly
    extracting the _FIF info the struct. Use an intermediate buffer to
    extract and assign.
    
    This will help to do u32 math using these fields. No functional
    changes are expected.
    
    Signed-off-by: Srinivas Pandruvada <[email protected]>
    Signed-off-by: Rafael J. Wysocki <[email protected]>
    
    [cherry picked from commit d445571fa369cf08148dcd9bce563d5fae14fcd7
    Backport Kernel patches from 5.18 for reporting fan speed in sysfs]
    Tracked-On: OAM-112713
    Signed-off-by: vraghavulu <[email protected]>
    spandruvada authored and JeevakaPrabu committed Nov 6, 2023
    1e55b89
  11. BACKPORT: ACPI: fan: Properly handle fine grain control

    When _FIF object specifies support for fine grain control, then fan speed
    can be set from 0 to 100% with the recommended minimum "step size" via
    _FSL object. Here the control value doesn't need to match any value from
    _FPS object.
    
    Currently we have a simple solution implemented which just pick maximum
    control value from _FPS to display the actual state, but this is not
    optimal when there is a big window between two control values in
    _FPS. Also there is no way to set to any speed which doesn't match
    control values in _FPS. The system firmware can start the fan at speed
    which doesn't match any control value.
    
    To support fine grain control (when supported) via thermal sysfs:
    - cooling device max state is not _FPS state count but it will be
    100 / _FIF.step_size
    Step size can be from 1 to 9.
    - cooling device current state is _FST.control / _FIF.step_size
    - cooling device set state will set the control value
    cdev.curr_state * _FIF.step_size plus any adjustment for 100%.
    By the spec, when control value do not sum to 100% because of
    _FIF.step_size, OSPM may select an appropriate ending Level increment
    to reach 100%.
    
    There is no rounding during calculation. For example if step size
    is 6:
    thermal sysfs cooling device max_state = 100/6 = 16
    So user can set any value from 0-16.
    
    If the system boots with a _FST.control which is not multiples
    of step_size, the thermal sysfs cur_state will be based on the
    range. For example for step size = 6:
    _FST.control	thermal sysfs cur_state
    ------------------------------------------------
    0-5		0
    6-11		1
    ..
    ..
    90-95		15
    96-100		16
    
    While setting the _FST.control, the compensation will be at
    the last step for cur_state = 16, which will set the _FST.control
    to 100.
    
    Signed-off-by: Srinivas Pandruvada <[email protected]>
    Signed-off-by: Rafael J. Wysocki <[email protected]>
    
    [cherry picked from commit bea2d9868ef553e376480de3cd84a7a06fb03e41
    Backport Kernel patches from 5.18 for reporting fan speed in sysfs]
    Tracked-On: OAM-112713
    Signed-off-by: vraghavulu <[email protected]>
    spandruvada authored and JeevakaPrabu committed Nov 6, 2023
    6daface
  12. BACKPORT: ACPI: fan: Add additional attributes for fine grain control

    Add additional attributes, which helps in implementing algorithm in
    the user space to optimize fan control. These attributes are presented
    in the same directory as the existing performance state attributes.
    
    Additional attributes:
    
    1. Support of fine grain control
    Publish support of presence of fine grain control so that fan speed
    can be tuned correctly. This attribute is called "fine_grain_control".
    
    2. fan speed
    Publish the actual fan rpm in sysfs. Knowing fan rpm is helpful to
    reduce noise level and use passive control instead. Also fan performance
    may not be same over time, so the same control value may not be enough
    to run the fan at a speed. So a feedback value of speed is helpful. This
    sysfs attribute is called "fan_speed_rpm".
    
    Signed-off-by: Srinivas Pandruvada <[email protected]>
    Signed-off-by: Rafael J. Wysocki <[email protected]>
    
    [cherry picked from commit f1197343f07749035d74c08cf8b546c4f95614ab
    Backport Kernel patches from 5.18 for reporting fan speed in sysfs]
    Tracked-On: OAM-112713
    Signed-off-by: vraghavulu <[email protected]>
    spandruvada authored and JeevakaPrabu committed Nov 6, 2023
    dc6a754
  13. ALSA: hda: Allow for 16 channels configuration

    As per HDAudio specification, up to 16 channels are supported. Reflect
    that in the code.
    
    Signed-off-by: Cezary Rojewski <[email protected]>
    crojewsk-intel authored and JeevakaPrabu committed Nov 6, 2023
    4323712
  14. ASoC: Intel: avs: Allow for 16 channels configuration

    AudioDSP firmware and HDAudio controller support and facilitate
    streaming with up to 16 channels. Reflect that in the code.
    
    Signed-off-by: Cezary Rojewski <[email protected]>
    crojewsk-intel authored and JeevakaPrabu committed Nov 6, 2023
    e195dff
  15. Disabling USB2 LPM mode

    USB2 LPM mode resume functionality is not working as expected so
    disabling it.
    
    Tracked-On: OAM-112470
    Signed-off-by: Balaji M <[email protected]>
    Signed-off-by: Vilas R K <[email protected]>
    vilasrk authored and JeevakaPrabu committed Nov 6, 2023
    717d21e
  16. BACKPORT: USB: core: Unite old scheme and new scheme descriptor reads

    In preparation for reworking the usb_get_device_descriptor() routine,
    it is desirable to unite the two different code paths responsible for
    initially determining endpoint 0's maximum packet size in a newly
    discovered USB device.  Making this determination presents a
    chicken-and-egg sort of problem, in that the only way to learn the
    maxpacket value is to get it from the device descriptor retrieved from
    the device, but communicating with the device to retrieve a descriptor
    requires us to know beforehand the ep0 maxpacket size.
    
    In practice this problem is solved in two different ways, referred to
    in hub.c as the "old scheme" and the "new scheme".  The old scheme
    (which is the approach recommended by the USB-2 spec) involves asking
    the device to send just the first eight bytes of its device
    descriptor.  Such a transfer uses packets containing no more than
    eight bytes each, and every USB device must have an ep0 maxpacket size
    >= 8, so this should succeed.  Since the bMaxPacketSize0 field of the
    device descriptor lies within the first eight bytes, this is all we
    need.
    
    The new scheme is an imitation of the technique used in an early
    Windows USB implementation, giving it the happy advantage of working
    with a wide variety of devices (some of them at the time would not
    work with the old scheme, although that's probably less true now).  It
    involves making an initial guess of the ep0 maxpacket size, asking the
    device to send up to 64 bytes worth of its device descriptor (which is
    only 18 bytes long), and then resetting the device to clear any error
    condition that might have resulted from the guess being wrong.  The
    initial guess is determined by the connection speed; it should be
    correct in all cases other than full speed, for which the allowed
    values are 8, 16, 32, and 64 (in this case the initial guess is 64).
    
    The reason for this patch is that the old- and new-scheme parts of
    hub_port_init() use different code paths, one involving
    usb_get_device_descriptor() and one not, for their initial reads of
    the device descriptor.  Since these reads have essentially the same
    purpose and are made under essentially the same circumstances, this is
    illogical.  It makes more sense to have both of them use a common
    subroutine.
    
    This subroutine does basically what the new scheme's code did, because
    that approach is more general than the one used by the old scheme.  It
    only needs to know how many bytes to transfer and whether or not it is
    being called for the first iteration of a retry loop (in case of
    certain time-out errors).  There are two main differences from the
    former code:
    
    	We initialize the bDescriptorType field of the transfer buffer
    	to 0 before performing the transfer, to avoid possibly
    	accessing an uninitialized value afterward.
    
    	We read the device descriptor into a temporary buffer rather
    	than storing it directly into udev->descriptor, which the old
    	scheme implementation used to do.
    
    Since the whole point of this first read of the device descriptor is
    to determine the bMaxPacketSize0 value, that is what the new routine
    returns (or an error code).  The value is stored in a local variable
    rather than in udev->descriptor.  As a side effect, this necessitates
    moving a section of code that checks the bcdUSB field for SuperSpeed
    devices until after the full device descriptor has been retrieved.
    
    Signed-off-by: Alan Stern <[email protected]>
    Cc: Oliver Neukum <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Tracked-On: OAM-112801
    AlanStern authored and JeevakaPrabu committed Nov 6, 2023
    7d7fb5d
  17. BACKPORT: USB: core: Change usb_get_device_descriptor() API

    The usb_get_device_descriptor() routine reads the device descriptor
    from the udev device and stores it directly in udev->descriptor.  This
    interface is error prone, because the USB subsystem expects in-memory
    copies of a device's descriptors to be immutable once the device has
    been initialized.
    
    The interface is changed so that the device descriptor is left in a
    kmalloc-ed buffer, not copied into the usb_device structure.  A
    pointer to the buffer is returned to the caller, who is then
    responsible for kfree-ing it.  The corresponding changes needed in the
    various callers are fairly small.
    
    Signed-off-by: Alan Stern <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Tracked-On: OAM-112801
    AlanStern authored and JeevakaPrabu committed Nov 6, 2023
    da0894e
  18. BACKPORT: USB: core: Fix race by not overwriting udev->descriptor in hub_port_init()
    
    Syzbot reported an out-of-bounds read in sysfs.c:read_descriptors():
    
    BUG: KASAN: slab-out-of-bounds in read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883
    Read of size 8 at addr ffff88801e78b8c8 by task udevd/5011
    
    CPU: 0 PID: 5011 Comm: udevd Not tainted 6.4.0-rc6-syzkaller-00195-g40f71e7cd3c6 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
    Call Trace:
     <TASK>
     __dump_stack lib/dump_stack.c:88 [inline]
     dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
     print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351
     print_report mm/kasan/report.c:462 [inline]
     kasan_report+0x11c/0x130 mm/kasan/report.c:572
     read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883
    ...
    Allocated by task 758:
    ...
     __do_kmalloc_node mm/slab_common.c:966 [inline]
     __kmalloc+0x5e/0x190 mm/slab_common.c:979
     kmalloc include/linux/slab.h:563 [inline]
     kzalloc include/linux/slab.h:680 [inline]
     usb_get_configuration+0x1f7/0x5170 drivers/usb/core/config.c:887
     usb_enumerate_device drivers/usb/core/hub.c:2407 [inline]
     usb_new_device+0x12b0/0x19d0 drivers/usb/core/hub.c:2545
    
    As analyzed by Khazhy Kumykov, the cause of this bug is a race between
    read_descriptors() and hub_port_init(): The first routine uses a field
    in udev->descriptor, not expecting it to change, while the second
    overwrites it.
    
    Prior to commit 45bf39f8df7f ("USB: core: Don't hold device lock while
    reading the "descriptors" sysfs file") this race couldn't occur,
    because the routines were mutually exclusive thanks to the device
    locking.  Removing that locking from read_descriptors() exposed it to
    the race.
    
    The best way to fix the bug is to keep hub_port_init() from changing
    udev->descriptor once udev has been initialized and registered.
    Drivers expect the descriptors stored in the kernel to be immutable;
    we should not undermine this expectation.  In fact, this change should
    have been made long ago.
    
    So now hub_port_init() will take an additional argument, specifying a
    buffer in which to store the device descriptor it reads.  (If udev has
    not yet been initialized, the buffer pointer will be NULL and then
    hub_port_init() will store the device descriptor in udev as before.)
    This eliminates the data race responsible for the out-of-bounds read.
    
    The changes to hub_port_init() appear more extensive than they really
    are, because of indentation changes resulting from an attempt to avoid
    writing to other parts of the usb_device structure after it has been
    initialized.  Similar changes should be made to the code that reads
    the BOS descriptor, but that can be handled in a separate patch later
    on.  This patch is sufficient to fix the bug found by syzbot.
    
    Reported-and-tested-by: [email protected]
    Closes: https://lore.kernel.org/linux-usb/[email protected]/#r
    Signed-off-by: Alan Stern <[email protected]>
    Cc: Khazhy Kumykov <[email protected]>
    Fixes: 45bf39f8df7f ("USB: core: Don't hold device lock while reading the "descriptors" sysfs file")
    Cc: [email protected]
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Tracked-On: OAM-112801
    AlanStern authored and JeevakaPrabu committed Nov 6, 2023
    2d870d0
  19. BACKPORT: USB: Remove remnants of Wireless USB and UWB

    Wireless USB has long been defunct, and kernel support for it was
    removed in 2020 by commit caa6772 ("Staging: remove wusbcore and
    UWB from the kernel tree.").
    
    Nevertheless, some vestiges of the old implementation still clutter up
    the USB subsystem and one or two other places.  Let's get rid of them
    once and for all.
    
    The only parts still left are the user-facing APIs in
    include/uapi/linux/usb/ch9.h.  (There are also a couple of misleading
    instances, such as the Sierra Wireless USB modem, which is a USB modem
    made by Sierra Wireless.)
    
    Signed-off-by: Alan Stern <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Tracked-On: OAM-112801
    AlanStern authored and JeevakaPrabu committed Nov 6, 2023
    31bc1ce
  20. BACKPORT: USB: core: Fix oversight in SuperSpeed initialization

    Commit 85d07c556216 ("USB: core: Unite old scheme and new scheme
    descriptor reads") altered the way USB devices are enumerated
    following detection, and in the process it messed up the
    initialization of SuperSpeed (or faster) devices:
    
    [   31.650759] usb 2-1: new SuperSpeed Plus Gen 2x1 USB device number 2 using xhci_hcd
    [   31.663107] usb 2-1: device descriptor read/8, error -71
    [   31.952697] usb 2-1: new SuperSpeed Plus Gen 2x1 USB device number 3 using xhci_hcd
    [   31.965122] usb 2-1: device descriptor read/8, error -71
    [   32.080991] usb usb2-port1: attempt power cycle
    ...
    
    The problem was caused by the commit forgetting that in SuperSpeed or
    faster devices, the device descriptor uses a logarithmic encoding of
    the bMaxPacketSize0 value.  (For some reason I thought the 255 case in
    the switch statement was meant for these devices, but it isn't -- it
    was meant for Wireless USB and is no longer needed.)
    
    We can fix the oversight by testing for buf->bMaxPacketSize0 = 9
    (meaning 512, the actual maxpacket size for ep0 on all SuperSpeed
    devices) and straightening out the logic that checks and adjusts our
    initial guesses of the maxpacket value.
    
    Reported-and-tested-by: Thinh Nguyen <[email protected]>
    Closes: https://lore.kernel.org/linux-usb/[email protected]/
    Signed-off-by: Alan Stern <[email protected]>
    Fixes: 85d07c556216 ("USB: core: Unite old scheme and new scheme descriptor reads")
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Tracked-On: OAM-112801
    AlanStern authored and JeevakaPrabu committed Nov 6, 2023
    66eade7
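
The encoding rule described in commit 20 above, as an added C example (not code from the kernel or from this pull request): bMaxPacketSize0 sits at offset 7 of the device descriptor, and for SuperSpeed or faster devices it is an exponent, so 9 means 512. The enum, function names and sample bytes are constructed for illustration; the values accepted for low, full and high speed are taken from the USB 2.0 specification, not from this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical speed classes for this model (not the kernel's enum). */
enum usb_speed_model { SPEED_LOW, SPEED_FULL, SPEED_HIGH, SPEED_SUPER };

#define DT_DEVICE            0x01 /* bDescriptorType of a device descriptor */
#define DEV_DESC_LEN         18   /* bLength of a full device descriptor */
#define DESC_HDR_LEN         8    /* the initial "read/8" seen in the log */
#define OFF_BMAXPACKETSIZE0  7

/* Constructed sample headers: first 8 bytes of a device descriptor. */
static const uint8_t SS_HDR[DESC_HDR_LEN] = {
    0x12, 0x01, 0x20, 0x03, 0x00, 0x00, 0x00, 0x09 /* bMaxPacketSize0 = 9 */
};
static const uint8_t HS_HDR[DESC_HDR_LEN] = {
    0x12, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x40 /* bMaxPacketSize0 = 64 */
};

/*
 * Decode the raw bMaxPacketSize0 byte into the ep0 maxpacket size in bytes.
 * Returns -1 when the byte is not valid for the given speed.
 */
int ep0_maxpacket(enum usb_speed_model speed, uint8_t raw)
{
    switch (speed) {
    case SPEED_SUPER:
        /* Logarithmic encoding: only 9 (2^9 = 512) is valid. */
        return raw == 9 ? 1 << raw : -1;
    case SPEED_HIGH:
        return raw == 64 ? 64 : -1;
    case SPEED_FULL:
        return (raw == 8 || raw == 16 || raw == 32 || raw == 64) ? raw : -1;
    case SPEED_LOW:
        return raw == 8 ? 8 : -1;
    }
    return -1;
}

/*
 * Validate an 8-byte descriptor header before trusting the field.
 * Returns the decoded size, -1 for a bad value, -2 for a short buffer,
 * -3 for a header that is not a device descriptor.
 */
int ep0_from_header(enum usb_speed_model speed, const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < DESC_HDR_LEN)
        return -2;
    if (buf[0] < DEV_DESC_LEN || buf[1] != DT_DEVICE)
        return -3;
    return ep0_maxpacket(speed, buf[OFF_BMAXPACKETSIZE0]);
}

int main(void)
{
    /* Correct interpretation: the byte 9 is an exponent. */
    printf("SuperSpeed header  -> %d\n",
           ep0_from_header(SPEED_SUPER, SS_HDR, sizeof(SS_HDR)));
    /* The same byte read with the literal (non-SuperSpeed) rules is invalid. */
    printf("same bytes as high -> %d\n",
           ep0_from_header(SPEED_HIGH, SS_HDR, sizeof(SS_HDR)));
    printf("high-speed header  -> %d\n",
           ep0_from_header(SPEED_HIGH, HS_HDR, sizeof(HS_HDR)));
    return 0;
}
```
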
  21. BACKPORT: af_unix: Fix null-ptr-deref in unix_stream_sendpage().

    Bing-Jhong Billy Jheng reported null-ptr-deref in unix_stream_sendpage()
    with detailed analysis and a nice repro.
    
    unix_stream_sendpage() tries to add data to the last skb in the peer's
    recv queue without locking the queue.
    
    If the peer's FD is passed to another socket and the socket's FD is
    passed to the peer, there is a loop between them.  If we close both
    sockets without receiving FD, the sockets will be cleaned up by garbage
    collection.
    
    The garbage collection iterates such sockets and unlinks skb with
    FD from the socket's receive queue under the queue's lock.
    
    So, there is a race where unix_stream_sendpage() could access an skb
    locklessly that is being released by garbage collection, resulting in
    use-after-free.
    
    To avoid the issue, unix_stream_sendpage() must lock the peer's recv
    queue.
    
    Note the issue does not exist in 6.5+ thanks to the recent sendpage()
    refactoring.
    
    This patch is originally written by Linus Torvalds.
    
    BUG: unable to handle page fault for address: ffff988004dd6870
    PF: supervisor read access in kernel mode
    PF: error_code(0x0000) - not-present page
    PGD 0 P4D 0
    PREEMPT SMP PTI
    CPU: 4 PID: 297 Comm: garbage_uaf Not tainted 6.1.46 #1
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
    RIP: 0010:kmem_cache_alloc_node+0xa2/0x1e0
    Code: c0 0f 84 32 01 00 00 41 83 fd ff 74 10 48 8b 00 48 c1 e8 3a 41 39 c5 0f 85 1c 01 00 00 41 8b 44 24 28 49 8b 3c 24 48 8d 4a 40 <49> 8b 1c 06 4c 89 f0 65 48 0f c7 0f 0f 94 c0 84 c0 74 a1 41 8b 44
    RSP: 0018:ffffc9000079fac0 EFLAGS: 00000246
    RAX: 0000000000000070 RBX: 0000000000000005 RCX: 000000000001a284
    RDX: 000000000001a244 RSI: 0000000000400cc0 RDI: 000000000002eee0
    RBP: 0000000000400cc0 R08: 0000000000400cc0 R09: 0000000000000003
    R10: 0000000000000001 R11: 0000000000000000 R12: ffff888003970f00
    R13: 00000000ffffffff R14: ffff988004dd6800 R15: 00000000000000e8
    FS:  00007f174d6f3600(0000) GS:ffff88807db00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: ffff988004dd6870 CR3: 00000000092be000 CR4: 00000000007506e0
    PKRU: 55555554
    Call Trace:
     <TASK>
     ? __die_body.cold+0x1a/0x1f
     ? page_fault_oops+0xa9/0x1e0
     ? fixup_exception+0x1d/0x310
     ? exc_page_fault+0xa8/0x150
     ? asm_exc_page_fault+0x22/0x30
     ? kmem_cache_alloc_node+0xa2/0x1e0
     ? __alloc_skb+0x16c/0x1e0
     __alloc_skb+0x16c/0x1e0
     alloc_skb_with_frags+0x48/0x1e0
     sock_alloc_send_pskb+0x234/0x270
     unix_stream_sendmsg+0x1f5/0x690
     sock_sendmsg+0x5d/0x60
     ____sys_sendmsg+0x210/0x260
     ___sys_sendmsg+0x83/0xd0
     ? kmem_cache_alloc+0xc6/0x1c0
     ? avc_disable+0x20/0x20
     ? percpu_counter_add_batch+0x53/0xc0
     ? alloc_empty_file+0x5d/0xb0
     ? alloc_file+0x91/0x170
     ? alloc_file_pseudo+0x94/0x100
     ? __fget_light+0x9f/0x120
     __sys_sendmsg+0x54/0xa0
     do_syscall_64+0x3b/0x90
     entry_SYSCALL_64_after_hwframe+0x69/0xd3
    RIP: 0033:0x7f174d639a7d
    Code: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 8a c1 f4 ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 33 44 89 c7 48 89 44 24 08 e8 de c1 f4 ff 48
    RSP: 002b:00007ffcb563ea50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e
    RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f174d639a7d
    RDX: 0000000000000000 RSI: 00007ffcb563eab0 RDI: 0000000000000007
    RBP: 00007ffcb563eb10 R08: 0000000000000000 R09: 00000000ffffffff
    R10: 00000000004040a0 R11: 0000000000000293 R12: 00007ffcb563ec28
    R13: 0000000000401398 R14: 0000000000403e00 R15: 00007f174d72c000
     </TASK>
    
    Fixes: 869e7c6 ("net: af_unix: implement stream sendpage support")
    Reported-by: Bing-Jhong Billy Jheng <[email protected]>
    Reviewed-by: Bing-Jhong Billy Jheng <[email protected]>
    Co-developed-by: Linus Torvalds <[email protected]>
    Signed-off-by: Linus Torvalds <[email protected]>
    Signed-off-by: Kuniyuki Iwashima <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Tracked-On: OAM-112801
    q2ven authored and JeevakaPrabu committed Nov 6, 2023
    50832b5
  22. BACKPORT: net/sched: cls_u32: No longer copy tcf_result on update to avoid use-after-free

    [ Upstream commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81 ]
    
    When u32_change() is called on an existing filter, the whole
    tcf_result struct is always copied into the new instance of the filter.
    
    This causes a problem when updating a filter bound to a class,
    as tcf_unbind_filter() is always called on the old instance in the
    success path, decreasing filter_cnt of the still referenced class
    and allowing it to be deleted, leading to a use-after-free.
    
    Fix this by no longer copying the tcf_result struct from the old filter.
    
    Fixes: de5df63 ("net: sched: cls_u32 changes to knode must appear atomic to readers")
    Reported-by: valis <[email protected]>
    Reported-by: M A Ramdhan <[email protected]>
    Signed-off-by: valis <[email protected]>
    Signed-off-by: Jamal Hadi Salim <[email protected]>
    Reviewed-by: Victor Nogueira <[email protected]>
    Reviewed-by: Pedro Tammela <[email protected]>
    Reviewed-by: M A Ramdhan <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    Tracked-On: OAM-112801
    valis authored and JeevakaPrabu committed Nov 6, 2023
    632b0d1
  23. BACKPORT: net: tun_chr_open(): set sk_uid from current_fsuid()

    commit 9bc3047374d5bec163e83e743709e23753376f0c upstream.
    
    Commit a096ccca6e50 initializes the "sk_uid" field in the protocol socket
    (struct sock) from the "/dev/net/tun" device node's owner UID. Per
    original commit 86741ec ("net: core: Add a UID field to struct
    sock.", 2016-11-04), that's wrong: the idea is to cache the UID of the
    userspace process that creates the socket. Commit 86741ec mentions
    socket() and accept(); with "tun", the action that creates the socket is
    open("/dev/net/tun").
    
    Therefore the device node's owner UID is irrelevant. In most cases,
    "/dev/net/tun" will be owned by root, so in practice, commit a096ccca6e50
    has no observable effect:
    
    - before, "sk_uid" would be zero, due to undefined behavior
      (CVE-2023-1076),
    
    - after, "sk_uid" would be zero, due to "/dev/net/tun" being owned by root.
    
    What matters is the (fs)UID of the process performing the open(), so cache
    that in "sk_uid".
    
    Cc: Eric Dumazet <[email protected]>
    Cc: Lorenzo Colitti <[email protected]>
    Cc: Paolo Abeni <[email protected]>
    Cc: Pietro Borrello <[email protected]>
    Cc: [email protected]
    Cc: [email protected]
    Fixes: a096ccca6e50 ("tun: tun_chr_open(): correctly initialize socket uid")
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2173435
    Signed-off-by: Laszlo Ersek <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Tracked-On: OAM-112801
    lersek authored and JeevakaPrabu committed Nov 6, 2023
    13c25e8
  24. BACKPORT: net: tap_open(): set sk_uid from current_fsuid()

    commit 5c9241f3ceab3257abe2923a59950db0dc8bb737 upstream.
    
    Commit 66b2c338adce initializes the "sk_uid" field in the protocol socket
    (struct sock) from the "/dev/tapX" device node's owner UID. Per original
    commit 86741ec ("net: core: Add a UID field to struct sock.",
    2016-11-04), that's wrong: the idea is to cache the UID of the userspace
    process that creates the socket. Commit 86741ec mentions socket() and
    accept(); with "tap", the action that creates the socket is
    open("/dev/tapX").
    
    Therefore the device node's owner UID is irrelevant. In most cases,
    "/dev/tapX" will be owned by root, so in practice, commit 66b2c338adce has
    no observable effect:
    
    - before, "sk_uid" would be zero, due to undefined behavior
      (CVE-2023-1076),
    
    - after, "sk_uid" would be zero, due to "/dev/tapX" being owned by root.
    
    What matters is the (fs)UID of the process performing the open(), so cache
    that in "sk_uid".
    
    Cc: Eric Dumazet <[email protected]>
    Cc: Lorenzo Colitti <[email protected]>
    Cc: Paolo Abeni <[email protected]>
    Cc: Pietro Borrello <[email protected]>
    Cc: [email protected]
    Cc: [email protected]
    Fixes: 66b2c338adce ("tap: tap_open(): correctly initialize socket uid")
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2173435
    Signed-off-by: Laszlo Ersek <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Tracked-On: OAM-112801
    lersek authored and JeevakaPrabu committed Nov 6, 2023
    20090f4

Commits on Nov 7, 2023

  1. UPSTREAM: firmware_loader: Refactor kill_pending_fw_fallback_reqs()

    Rename 'only_kill_custom' and refactor logic related to it
    to be more meaningful.
    
    Bug: 309378049
    Change-Id: I119d2f8c29b9b624e6c1d8546c1533d76a2cc51d
    Signed-off-by: Mukesh Ojha <[email protected]>
    Acked-by: Luis Chamberlain <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    (cherry picked from commit 87ffa98eeee8d62a56afdad80ea697e7a6e5c354)
    Signed-off-by: Srinivasarao Pathipati <[email protected]>
    Mukesh Ojha authored and Srinivasarao Pathipati committed Nov 7, 2023
    29ee427
  2. BACKPORT: firmware_loader: Abort all upcoming firmware load request once reboot triggered

    There could be following scenario where there is an ongoing reboot
    is going from processA which tries to call all the reboot notifier
    callback and one of them is firmware reboot call which tries to
    abort all the ongoing firmware userspace request under fw_lock but
    there could be another processB which tries to do request firmware,
    which came just after abort done from ProcessA and ask for userspace
    to load the firmware and this can stop the ongoing reboot ProcessA
    to stall for next 60s(default timeout) which may not be expected
    behaviour everyone like to see, instead we should abort any firmware
    load request which came once firmware knows about the reboot through
    notification.
    
          ProcessA                             ProcessB
    
    kernel_restart_prepare
      blocking_notifier_call_chain
       fw_shutdown_notify
         kill_pending_fw_fallback_reqs
          __fw_load_abort
           fw_state_aborted                request_firmware
             __fw_state_set                 firmware_fallback_sysfs
    ...                                       fw_load_from_user_helper
    ..                                         ...
    .                                          ..
                                                usermodehelper_read_trylock
                                                 fw_load_sysfs_fallback
                                                  fw_sysfs_wait_timeout
    usermodehelper_disable
     __usermodehelper_disable
      down_write()
    
    Bug: 309378049
    Change-Id: I61eb91f21a01460f340f890b25c60de7597a87ff
    Signed-off-by: Mukesh Ojha <[email protected]>
    Acked-by: Luis Chamberlain <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    (cherry picked from commit effd7c70eaa0440688b60b9d419243695ede3c45)
    Signed-off-by: Srinivasarao Pathipati <[email protected]>
    Mukesh Ojha authored and Srinivasarao Pathipati committed Nov 7, 2023
    e3eb2bb

Commits on Nov 8, 2023

  1. UPSTREAM: kthread: dynamically allocate memory to store kthread's full name

    When I was implementing a new per-cpu kthread cfs_migration, I found the
    comm of it "cfs_migration/%u" is truncated due to the limitation of
    TASK_COMM_LEN.  For example, the comm of the percpu thread on CPU10~19
    all have the same name "cfs_migration/1", which will confuse the user.
    This issue is not critical, because we can get the corresponding CPU
    from the task's Cpus_allowed.  But for kthreads corresponding to other
    hardware devices, it is not easy to get the detailed device info from
    task comm, for example,
    
        jbd2/nvme0n1p2-
        xfs-reclaim/sdf
    
    Currently there are so many truncated kthreads:
    
        rcu_tasks_kthre
        rcu_tasks_rude_
        rcu_tasks_trace
        poll_mpt3sas0_s
        ext4-rsv-conver
        xfs-reclaim/sd{a, b, c, ...}
        xfs-blockgc/sd{a, b, c, ...}
        xfs-inodegc/sd{a, b, c, ...}
        audit_send_repl
        ecryptfs-kthrea
        vfio-irqfd-clea
        jbd2/nvme0n1p2-
        ...
    
    We can shorten these names to work around this problem, but it may be
    not applied to all of the truncated kthreads.  Take 'jbd2/nvme0n1p2-'
    for example, it is a nice name, and it is not a good idea to shorten it.
    
    One possible way to fix this issue is extending the task comm size, but
    as task->comm is used in lots of places, that may cause some potential
    buffer overflows.  Another more conservative approach is introducing a
    new pointer to store kthread's full name if it is truncated, which won't
    introduce too much overhead as it is in the non-critical path.  Finally
    we make a decision to use the second approach.  See also the discussions
    in this thread:
    https://lore.kernel.org/lkml/[email protected]/
    
    After this change, the full name of these truncated kthreads will be
    displayed via /proc/[pid]/comm:
    
        rcu_tasks_kthread
        rcu_tasks_rude_kthread
        rcu_tasks_trace_kthread
        poll_mpt3sas0_statu
        ext4-rsv-conversion
        xfs-reclaim/sdf1
        xfs-blockgc/sdf1
        xfs-inodegc/sdf1
        audit_send_reply
        ecryptfs-kthread
        vfio-irqfd-cleanup
        jbd2/nvme0n1p2-8
    
    Bug: 309706715
    Change-Id: Ib3f176d2738ad547dbd8beb83c89ebdb5a9e476d
    (cherry picked from commit d6986ce24fc00b0638bd29efe8fb7ba7619ed2aa)
    Link: https://lkml.kernel.org/r/[email protected]
    Signed-off-by: Yafang Shao <[email protected]>
    Reviewed-by: David Hildenbrand <[email protected]>
    Reviewed-by: Petr Mladek <[email protected]>
    Suggested-by: Petr Mladek <[email protected]>
    Suggested-by: Steven Rostedt <[email protected]>
    Cc: Mathieu Desnoyers <[email protected]>
    Cc: Arnaldo Carvalho de Melo <[email protected]>
    Cc: Alexei Starovoitov <[email protected]>
    Cc: Andrii Nakryiko <[email protected]>
    Cc: Michal Miroslaw <[email protected]>
    Cc: Peter Zijlstra <[email protected]>
    Cc: Steven Rostedt <[email protected]>
    Cc: Matthew Wilcox <[email protected]>
    Cc: Al Viro <[email protected]>
    Cc: Kees Cook <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Linus Torvalds <[email protected]>
    Signed-off-by: Zhiguo Niu <[email protected]>
    laoar authored and metti committed Nov 8, 2023
    6dcfedc
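
A userspace model of the truncation and the separate full-name pointer described in the kthread commit above, as an added C example (not the kernel's code). The struct and function names are hypothetical, and TASK_COMM_LEN is assumed to be 16, which matches the truncated names listed in the commit message.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TASK_COMM_LEN 16 /* assumed: 15 visible characters plus the NUL */

/* Hypothetical model of a kernel thread's naming state. */
struct kthread_model {
    char comm[TASK_COMM_LEN]; /* fixed buffer, silently truncated */
    char *full_name;          /* allocated only when comm was truncated */
};

/*
 * Format the name into comm; if it does not fit, keep the complete name in
 * a separately allocated buffer. Returns the untruncated length, or -1.
 */
int kthread_model_set_name(struct kthread_model *k, const char *fmt, ...)
{
    va_list ap, ap2;
    int len;

    va_start(ap, fmt);
    va_copy(ap2, ap);
    len = vsnprintf(k->comm, sizeof(k->comm), fmt, ap);
    va_end(ap);

    k->full_name = NULL;
    if (len >= (int)sizeof(k->comm)) {
        k->full_name = malloc((size_t)len + 1);
        if (k->full_name != NULL)
            vsnprintf(k->full_name, (size_t)len + 1, fmt, ap2);
        else
            len = -1;
    }
    va_end(ap2);
    return len;
}

/* The name a reader should see: the full name when one was stored. */
const char *kthread_model_name(const struct kthread_model *k)
{
    return k->full_name ? k->full_name : k->comm;
}

/*
 * Count how many per-CPU threads out of ncpus share a name with the thread
 * of CPU `target`, comparing either the truncated comm or the full name.
 */
unsigned count_same_name(unsigned ncpus, unsigned target, int use_full)
{
    struct kthread_model t, k;
    unsigned cpu, n = 0;

    if (kthread_model_set_name(&t, "cfs_migration/%u", target) < 0)
        return 0;
    for (cpu = 0; cpu < ncpus; cpu++) {
        if (kthread_model_set_name(&k, "cfs_migration/%u", cpu) < 0)
            continue;
        if (strcmp(use_full ? kthread_model_name(&k) : k.comm,
                   use_full ? kthread_model_name(&t) : t.comm) == 0)
            n++;
        free(k.full_name);
    }
    free(t.full_name);
    return n;
}

int main(void)
{
    struct kthread_model k;

    kthread_model_set_name(&k, "jbd2/%s-%d", "nvme0n1p2", 8);
    printf("comm=%s full=%s\n", k.comm, kthread_model_name(&k));
    free(k.full_name);

    /* On a 32-CPU system, matching by comm cannot tell these threads apart. */
    printf("threads sharing comm with CPU 10: %u\n", count_same_name(32, 10, 0));
    printf("threads sharing full name with CPU 10: %u\n", count_same_name(32, 10, 1));
    return 0;
}
```

Tooling that keys on the 15-character comm alone groups CPU 1 and CPUs 10 to 19 under one name; comparing the full name separates them.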
  2. ASoC: codecs: wcd938x: fix resource leaks on bind errors

    commit da29b94ed3547cee9d510d02eca4009f2de476cf upstream.
    
    Add the missing code to release resources on bind errors, including the
    references taken by wcd938x_sdw_device_get() which also need to be
    dropped on unbind().
    
    Fixes: 1657252 ("ASoC: codecs: wcd938x-sdw: add SoundWire driver")
    Cc: [email protected]      # 5.14
    Cc: Srinivas Kandagatla <[email protected]>
    Signed-off-by: Johan Hovold <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    jhovold authored and gregkh committed Nov 8, 2023
    cb34f4e
  3. ASoC: codecs: wcd938x: fix runtime PM imbalance on remove

    [ Upstream commit 3ebebb2c1eca92a15107b2d7aeff34196fd9e217 ]
    
    Make sure to balance the runtime PM operations, including the disable
    count, on driver unbind.
    
    Fixes: 1657252 ("ASoC: codecs: wcd938x-sdw: add SoundWire driver")
    Cc: [email protected]      # 5.14
    Cc: Srinivas Kandagatla <[email protected]>
    Signed-off-by: Johan Hovold <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    jhovold authored and gregkh committed Nov 8, 2023
    51b054f
  4. pinctrl: qcom: lpass-lpi: fix concurrent register updates

    [ Upstream commit c8befdc411e5fd1bf95a13e8744c8ca79b412bee ]
    
    The Qualcomm LPASS LPI pin controller driver uses one lock for guarding
    Read-Modify-Write code for slew rate registers.  However the pin
    configuration and muxing registers have exactly the same RMW code but
    are not protected.
    
    Pin controller framework does not provide locking here, thus it is
    possible to trigger simultaneous change of pin configuration registers
    resulting in non-atomic changes.
    
    Protect from concurrent access by re-using the same lock used to cover
    the slew rate register.  Using the same lock instead of adding second
    one will make more sense, once we add support for newer Qualcomm SoC,
    where slew rate is configured in the same register as pin
    configuration/muxing.
    
    Fixes: 6e261d1 ("pinctrl: qcom: Add sm8250 lpass lpi pinctrl driver")
    Cc: [email protected]
    Reviewed-by: Linus Walleij <[email protected]>
    Signed-off-by: Krzysztof Kozlowski <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Linus Walleij <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    krzk authored and gregkh committed Nov 8, 2023
    0f482ad
  5. tcp: remove dead code from tcp_sendmsg_locked()

    [ Upstream commit 3ded97bc41a1e76e1e72eeb192331c01ceacc4bc ]
    
    TCP sendmsg() no longer puts payload in skb head, we can remove
    dead code.
    
    Signed-off-by: Eric Dumazet <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Stable-dep-of: 72377ab2d671 ("mptcp: more conservative check for zero probes")
    Signed-off-by: Sasha Levin <[email protected]>
    Eric Dumazet authored and gregkh committed Nov 8, 2023
    6834275
  6. tcp: cleanup tcp_remove_empty_skb() use

    [ Upstream commit 27728ba80f1eb279b209bbd5922fdeebe52d9e30 ]
    
    All tcp_remove_empty_skb() callers now use tcp_write_queue_tail()
    for the skb argument, we can therefore factorize code.
    
    Signed-off-by: Eric Dumazet <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Stable-dep-of: 72377ab2d671 ("mptcp: more conservative check for zero probes")
    Signed-off-by: Sasha Levin <[email protected]>
    Eric Dumazet authored and gregkh committed Nov 8, 2023
    fd2b2da
  7. mptcp: more conservative check for zero probes

    [ Upstream commit 72377ab2d671befd6390a1d5677f5cca61235b65 ]
    
    Christoph reported that the MPTCP protocol can find the subflow-level
    write queue unexpectedly not empty while crafting a zero-window probe,
    hitting a warning:
    
    ------------[ cut here ]------------
    WARNING: CPU: 0 PID: 188 at net/mptcp/protocol.c:1312 mptcp_sendmsg_frag+0xc06/0xe70
    Modules linked in:
    CPU: 0 PID: 188 Comm: kworker/0:2 Not tainted 6.6.0-rc2-g1176aa719d7a #47
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
    Workqueue: events mptcp_worker
    RIP: 0010:mptcp_sendmsg_frag+0xc06/0xe70 net/mptcp/protocol.c:1312
    RAX: 47d0530de347ff6a RBX: 47d0530de347ff6b RCX: ffff8881015d3c00
    RDX: ffff8881015d3c00 RSI: 47d0530de347ff6b RDI: 47d0530de347ff6b
    RBP: 47d0530de347ff6b R08: ffffffff8243c6a8 R09: ffffffff82042d9c
    R10: 0000000000000002 R11: ffffffff82056850 R12: ffff88812a13d580
    R13: 0000000000000001 R14: ffff88812b375e50 R15: ffff88812bbf3200
    FS:  0000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000695118 CR3: 0000000115dfc001 CR4: 0000000000170ef0
    Call Trace:
     <TASK>
     __subflow_push_pending+0xa4/0x420 net/mptcp/protocol.c:1545
     __mptcp_push_pending+0x128/0x3b0 net/mptcp/protocol.c:1614
     mptcp_release_cb+0x218/0x5b0 net/mptcp/protocol.c:3391
     release_sock+0xf6/0x100 net/core/sock.c:3521
     mptcp_worker+0x6e8/0x8f0 net/mptcp/protocol.c:2746
     process_scheduled_works+0x341/0x690 kernel/workqueue.c:2630
     worker_thread+0x3a7/0x610 kernel/workqueue.c:2784
     kthread+0x143/0x180 kernel/kthread.c:388
     ret_from_fork+0x4d/0x60 arch/x86/kernel/process.c:147
     ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:304
     </TASK>
    
    The root cause of the issue is that expectations are wrong: e.g. due
    to MPTCP-level re-injection we can hit the critical condition.
    
    Explicitly avoid the zero-window probe when the subflow write queue
    is not empty and drop the related warnings.
    
    Reported-by: Christoph Paasch <[email protected]>
    Closes: multipath-tcp/mptcp_net-next#444
    Fixes: f70cad1085d1 ("mptcp: stop relying on tcp_tx_skb_cache")
    Cc: [email protected]
    Reviewed-by: Mat Martineau <[email protected]>
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Mat Martineau <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    Paolo Abeni authored and gregkh committed Nov 8, 2023
    90918ef
  8. mcb: Return actual parsed size when reading chameleon table

    [ Upstream commit a889c276d33d333ae96697510f33533f6e9d9591 ]
    
    The function chameleon_parse_cells() returns the number of cells
    parsed which has an undetermined size. This return value is only
    used for error checking but the number of cells is never used.
    
    Change return value to be number of bytes parsed to allow for
    memory management improvements.
    
    Co-developed-by: Jorge Sanjuan Garcia <[email protected]>
    Signed-off-by: Jorge Sanjuan Garcia <[email protected]>
    Signed-off-by: Javier Rodriguez <[email protected]>
    Signed-off-by: Johannes Thumshirn <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    mad-jrodriguez authored and gregkh committed Nov 8, 2023
    f2ac8b2
  9. mcb-lpc: Reallocate memory region to avoid memory overlapping

    [ Upstream commit 2025b2ca8004c04861903d076c67a73a0ec6dfca ]
    
    mcb-lpc requests a fixed-size memory region to parse the chameleon
    table, however, if the chameleon table is smaller than the allocated
    region, it could overlap with the IP Cores' memory regions.
    
    After parsing the chameleon table, drop/reallocate the memory region
    with the actual chameleon table size.
    
    Co-developed-by: Jorge Sanjuan Garcia <[email protected]>
    Signed-off-by: Jorge Sanjuan Garcia <[email protected]>
    Signed-off-by: Javier Rodriguez <[email protected]>
    Signed-off-by: Johannes Thumshirn <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    mad-jrodriguez authored and gregkh committed Nov 8, 2023
    41bb770
  10. virtio_balloon: Fix endless deflation and inflation on arm64

    commit 07622bd415639e9709579f400afd19e7e9866e5e upstream.
    
    The deflation request to the target, which isn't unaligned to the
    guest page size causes endless deflation and inflation actions. For
    example, we receive the flooding QMP events for the changes on memory
    balloon's size after a deflation request to the unaligned target is
    sent for the ARM64 guest, where we have 64KB base page size.
    
      /home/gavin/sandbox/qemu.main/build/qemu-system-aarch64      \
      -accel kvm -machine virt,gic-version=host -cpu host          \
      -smp maxcpus=8,cpus=8,sockets=2,clusters=2,cores=2,threads=1 \
      -m 1024M,slots=16,maxmem=64G                                 \
      -object memory-backend-ram,id=mem0,size=512M                 \
      -object memory-backend-ram,id=mem1,size=512M                 \
      -numa node,nodeid=0,memdev=mem0,cpus=0-3                     \
      -numa node,nodeid=1,memdev=mem1,cpus=4-7                     \
        :                                                          \
      -device virtio-balloon-pci,id=balloon0,bus=pcie.10
    
      { "execute" : "balloon", "arguments": { "value" : 1073672192 } }
      {"return": {}}
      {"timestamp": {"seconds": 1693272173, "microseconds": 88667},   \
       "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
      {"timestamp": {"seconds": 1693272174, "microseconds": 89704},   \
       "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
      {"timestamp": {"seconds": 1693272175, "microseconds": 90819},   \
       "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
      {"timestamp": {"seconds": 1693272176, "microseconds": 91961},   \
       "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
      {"timestamp": {"seconds": 1693272177, "microseconds": 93040},   \
       "event": "BALLOON_CHANGE", "data": {"actual": 1073676288}}
      {"timestamp": {"seconds": 1693272178, "microseconds": 94117},   \
       "event": "BALLOON_CHANGE", "data": {"actual": 1073676288}}
      {"timestamp": {"seconds": 1693272179, "microseconds": 95337},   \
       "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
      {"timestamp": {"seconds": 1693272180, "microseconds": 96615},   \
       "event": "BALLOON_CHANGE", "data": {"actual": 1073676288}}
      {"timestamp": {"seconds": 1693272181, "microseconds": 97626},   \
       "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
      {"timestamp": {"seconds": 1693272182, "microseconds": 98693},   \
       "event": "BALLOON_CHANGE", "data": {"actual": 1073676288}}
      {"timestamp": {"seconds": 1693272183, "microseconds": 99698},   \
       "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
      {"timestamp": {"seconds": 1693272184, "microseconds": 100727},  \
       "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
      {"timestamp": {"seconds": 1693272185, "microseconds": 90430},   \
       "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
      {"timestamp": {"seconds": 1693272186, "microseconds": 102999},  \
       "event": "BALLOON_CHANGE", "data": {"actual": 1073676288}}
         :
      <The similar QMP events repeat>
    
    Fix it by aligning the target up to the guest page size, 64KB in this
    specific case. With this applied, no flooding QMP events are observed
    and the memory balloon's size can be stabilized to 0x3ffe0000 soon
    after the deflation request is sent.
    
      { "execute" : "balloon", "arguments": { "value" : 1073672192 } }
      {"return": {}}
      {"timestamp": {"seconds": 1693273328, "microseconds": 793075},  \
       "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
      { "execute" : "query-balloon" }
      {"return": {"actual": 1073610752}}
    
    Cc: [email protected]
    Signed-off-by: Gavin Shan <[email protected]>
    Tested-by: Zhenyu Zhang <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    Reviewed-by: David Hildenbrand <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Gavin Shan authored and gregkh committed Nov 8, 2023
    862a356
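The oscillation in the commit message above can be reproduced with a small model, added here as an illustration; it is not code from the driver or from this commit. It assumes the balloon is counted in 4KB units, that each inflate or deflate action moves whole guest pages, and that the QMP `value` is the memory the guest should keep; the numbers are the ones in the message.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define BALLOON_UNIT    4096u            /* balloon size is counted in 4KB units */
#define GUEST_RAM_BYTES (1024ull << 20)  /* -m 1024M, from the commit message */

struct balloon_run {
    int settled;           /* 1 if the balloon reached its target */
    int steps;             /* inflate/deflate actions performed */
    uint64_t actual;       /* "actual" as in the latest BALLOON_CHANGE event */
    uint64_t prev_actual;  /* the value reported one action earlier */
};

/* Simplified model (an assumption, not the driver's code): each action moves
 * enough whole guest pages to cover the gap between balloon size and target. */
static struct balloon_run simulate(uint64_t value, uint32_t guest_page_size,
                                   int align_target, int max_steps)
{
    uint64_t per_page = guest_page_size / BALLOON_UNIT;
    uint64_t target = (GUEST_RAM_BYTES - value) / BALLOON_UNIT;
    uint64_t num_pages = 0;  /* current balloon size in 4KB units */
    struct balloon_run r = { 0, 0, GUEST_RAM_BYTES, GUEST_RAM_BYTES };

    /* The fix described above: align the target up to the guest page size. */
    if (align_target)
        target = (target + per_page - 1) / per_page * per_page;

    while (num_pages != target && r.steps < max_steps) {
        uint64_t gap, delta;

        if (target > num_pages) {            /* inflate */
            gap = target - num_pages;
            delta = (gap + per_page - 1) / per_page * per_page;
            num_pages += delta;
        } else {                             /* deflate */
            gap = num_pages - target;
            delta = (gap + per_page - 1) / per_page * per_page;
            if (delta > num_pages)
                delta = num_pages;
            num_pages -= delta;
        }
        r.prev_actual = r.actual;
        r.actual = GUEST_RAM_BYTES - num_pages * BALLOON_UNIT;
        r.steps++;
    }
    r.settled = (num_pages == target);
    return r;
}

int main(void)
{
    const uint64_t value = 1073672192ull;    /* QMP "balloon" argument above */
    struct balloon_run before = simulate(value, 65536, 0, 10);
    struct balloon_run after = simulate(value, 65536, 1, 10);

    printf("unaligned target: settled=%d after %d actions, last two actual=%" PRIu64 ", %" PRIu64 "\n",
           before.settled, before.steps, before.prev_actual, before.actual);
    printf("aligned target:   settled=%d after %d actions, actual=0x%" PRIx64 "\n",
           after.settled, after.steps, after.actual);
    return 0;
}
```

With 64KB guest pages the unaligned target of 17 units can never be met, so the model alternates between the same two `actual` values seen in the QMP log; with 4KB guest pages the same request settles immediately.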
  11. virtio-mmio: fix memory leak of vm_dev

    commit fab7f259227b8f70aa6d54e1de1a1f5f4729041c upstream.
    
    With the recent removal of vm_dev from devres its memory is only freed
    via the callback virtio_mmio_release_dev. However, this only takes
    effect after device_add is called by register_virtio_device. Until then
    it's an unmanaged resource and must be explicitly freed on error exit.
    
    This bug was discovered and resolved using Coverity Static Analysis
    Security Testing (SAST) by Synopsys, Inc.
    
    Cc: [email protected]
    Fixes: 55c91fedd03d ("virtio-mmio: don't break lifecycle of vm_dev")
    Signed-off-by: Maximilian Heyne <[email protected]>
    Reviewed-by: Catalin Marinas <[email protected]>
    Tested-by: Catalin Marinas <[email protected]>
    Reviewed-by: Xuan Zhuo <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    
    Message-Id: <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    Reviewed-by: Wolfram Sang <[email protected]>
    heynemax authored and gregkh committed Nov 8, 2023
    fbc9a87
  12. vhost: Allow null msg.size on VHOST_IOTLB_INVALIDATE

    commit ca50ec377c2e94b0a9f8735de2856cd0f13beab4 upstream.
    
    Commit e2ae38cf3d91 ("vhost: fix hung thread due to erroneous iotlb
    entries") forbade vhost iotlb msg with null size to prevent entries
    with size = start = 0 and last = ULONG_MAX to end up in the iotlb.
    
    Then commit 95932ab2ea07 ("vhost: allow batching hint without size")
    only applied the check for VHOST_IOTLB_UPDATE and VHOST_IOTLB_INVALIDATE
    message types to fix a regression observed with batching hint.
    
    Still, the introduction of that check introduced a regression for
    some users attempting to invalidate the whole ULONG_MAX range by
    setting the size to 0. This is the case with qemu/smmuv3/vhost
    integration which does not work anymore. It looks safe to partially
    revert the original commit and allow VHOST_IOTLB_INVALIDATE messages
    with null size. vhost_iotlb_del_range() will compute a correct end
    iova. Same for vhost_vdpa_iotlb_unmap().
    
    Signed-off-by: Eric Auger <[email protected]>
    Fixes: e2ae38cf3d91 ("vhost: fix hung thread due to erroneous iotlb entries")
    Cc: [email protected] # v5.17+
    Acked-by: Jason Wang <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    eauger authored and gregkh committed Nov 8, 2023
    3a6cee2
  13. mm/page_alloc: correct start page when guard page debug is enabled

    commit 61e21cf2d2c3cc5e60e8d0a62a77e250fccda62c upstream.
    
    When guard page debug is enabled and set_page_guard returns success, we
    miss to forward page to point to start of next split range and we will do
    split unexpectedly in page range without target page.  Move start page
    update before set_page_guard to fix this.
    
    As we split to wrong target page, then split pages are not able to merge
    back to original order when target page is put back and split pages
    except target page is not usable.  To be specific:
    
    Consider target page is the third page in buddy page with order 2.
    | buddy-2 | Page | Target | Page |
    
    After break down to target page, we will only set first page to Guard
    because of bug.
    | Guard   | Page | Target | Page |
    
    When we try put_page_back_buddy with target page, the buddy page of target
    is neither guard nor buddy, then it's not able to construct original page
    with order 2
    | Guard | Page | buddy-0 | Page |
    
    All pages except target page is not in free list and is not usable.
    
    Link: https://lkml.kernel.org/r/[email protected]
    Fixes: 06be6ff ("mm,hwpoison: rework soft offline for free pages")
    Signed-off-by: Kemeng Shi <[email protected]>
    Acked-by: Naoya Horiguchi <[email protected]>
    Cc: Matthew Wilcox (Oracle) <[email protected]>
    Cc: Oscar Salvador <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Kemeng Shi authored and gregkh committed Nov 8, 2023
    c4071c6
  14. mm/migrate: fix do_pages_move for compat pointers

    commit 229e2253766c7cdfe024f1fe280020cc4711087c upstream.
    
    do_pages_move does not handle compat pointers for the page list
    correctly.  Add in_compat_syscall check and appropriate get_user fetch
    when iterating the page list.
    
    It makes the syscall in compat mode (32-bit userspace, 64-bit kernel)
    work the same way as the native 32-bit syscall again, restoring the
    behavior before my broken commit 5b1b561 ("mm: simplify
    compat_sys_move_pages").
    
    More specifically, my patch moved the parsing of the 'pages' array from
    the main entry point into do_pages_stat(), which left the syscall
    working correctly for the 'stat' operation (nodes = NULL), while the
    'move' operation (nodes != NULL) is now missing the conversion and
    interprets 'pages' as an array of 64-bit pointers instead of the
    intended 32-bit userspace pointers.
    
    It is possible that nobody noticed this bug because the few
    applications that actually call move_pages are unlikely to run in
    compat mode because of their large memory requirements, but this
    clearly fixes a user-visible regression and should have been caught by
    ltp.
    
    Link: https://lkml.kernel.org/r/[email protected]
    Fixes: 5b1b561 ("mm: simplify compat_sys_move_pages")
    Signed-off-by: Gregory Price <[email protected]>
    Reported-by: Arnd Bergmann <[email protected]>
    Co-developed-by: Arnd Bergmann <[email protected]>
    Cc: Jonathan Cameron <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Gregory Price authored and gregkh committed Nov 8, 2023
    556b68d
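The misinterpretation described in the commit message above, shown as an added userspace illustration; it is not code from the kernel or from this commit. The array contents, `fetch_entry()` and the other helper names are constructed for the example, and the bounds check stands in for reading past the caller's array.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPAGES 4

/* Constructed sample: the 'pages' array exactly as a 32-bit process lays it
 * out, four 4-byte user pointers back to back (16 bytes in total). */
static const uint32_t user_pages[NPAGES] = {
    0x08001000u, 0x08002000u, 0x08003000u, 0x08004000u
};

/* Hypothetical stand-in for the per-entry fetch. With compat == 0 element i
 * is read as a native 64-bit pointer (the regression); with compat == 1 it is
 * read as a 32-bit value and zero-extended (the behaviour the fix restores).
 * Returns -1 when element i lies outside the caller's array. */
static int fetch_entry(const void *buf, size_t len, size_t i, int compat,
                       uint64_t *addr)
{
    size_t width = compat ? sizeof(uint32_t) : sizeof(uint64_t);
    const unsigned char *p = (const unsigned char *)buf + i * width;

    if ((i + 1) * width > len)
        return -1;
    if (compat) {
        uint32_t v32;
        memcpy(&v32, p, sizeof(v32));
        *addr = v32;                      /* zero-extend to 64 bits */
    } else {
        memcpy(addr, p, sizeof(*addr));   /* fuses two 32-bit pointers */
    }
    return 0;
}

/* Number of entries that resolve to the address the caller intended. */
static int count_intended(int compat)
{
    int ok = 0;

    for (size_t i = 0; i < NPAGES; i++) {
        uint64_t addr;

        if (fetch_entry(user_pages, sizeof(user_pages), i, compat, &addr) == 0 &&
            addr == user_pages[i])
            ok++;
    }
    return ok;
}

/* Address obtained for entry 0 under the chosen interpretation. */
static uint64_t first_entry(int compat)
{
    uint64_t addr = 0;

    fetch_entry(user_pages, sizeof(user_pages), 0, compat, &addr);
    return addr;
}

int main(void)
{
    printf("native 64-bit walk: entry 0 = 0x%016llx, %d of %d entries intended\n",
           (unsigned long long)first_entry(0), count_intended(0), NPAGES);
    printf("compat 32-bit walk: entry 0 = 0x%016llx, %d of %d entries intended\n",
           (unsigned long long)first_entry(1), count_intended(1), NPAGES);
    return 0;
}
```

Under the 64-bit walk every entry is either two neighbouring 32-bit pointers fused into one address or lies beyond the 16 bytes the caller supplied, so none of the four pages named by the caller is the one acted on.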
  15. nfsd: lock_rename() needs both directories to live on the same fs

    commit 1aee9158bc978f91701c5992e395efbc6da2de3c upstream.
    
    ... checking that after lock_rename() is too late.  Incidentally,
    NFSv2 had no nfserr_xdev...
    
    Fixes: aa387d6 "nfsd: fix EXDEV checking in rename"
    Cc: [email protected] # v3.9+
    Reviewed-by: Jeff Layton <[email protected]>
    Acked-by: Chuck Lever <[email protected]>
    Tested-by: Jeff Layton <[email protected]>
    Signed-off-by: Al Viro <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Al Viro authored and gregkh committed Nov 8, 2023
    43bd431
  16. drm/i915/pmu: Check if pmu is closed before stopping event

    commit 4cbed7702eb775cca22fff6827a549092cb59f61 upstream.
    
    When the driver unbinds, pmu is unregistered and i915->uabi_engines is
    set to RB_ROOT. Due to this, when i915 PMU tries to stop the engine
    events, it issues a warn_on because engine lookup fails.
    
    All perf hooks are taking care of this using a pmu->closed flag that is
    set when PMU unregisters. The stop event seems to have been left out.
    
    Check for pmu->closed in pmu_event_stop as well.
    
    Based on discussion here -
    https://patchwork.freedesktop.org/patch/492079/?series=105790&rev=2
    
    v2: s/is/if/ in commit title
    v3: Add fixes tag and cc stable
    
    Cc: <[email protected]> # v5.11+
    Fixes: b00bccb ("drm/i915/pmu: Handle PCI unbind")
    Signed-off-by: Umesh Nerlige Ramappa <[email protected]>
    Reviewed-by: Tvrtko Ursulin <[email protected]>
    Reviewed-by: Andi Shyti <[email protected]>
    Signed-off-by: Andi Shyti <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    (cherry picked from commit 31f6a06f0c543b43a38fab10f39e5fc45ad62aa2)
    Signed-off-by: Rodrigo Vivi <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    unerlige authored and gregkh committed Nov 8, 2023
    15a8cac
  17. vsock/virtio: factor our the code to initialize and delete VQs

    [ Upstream commit a103209886264a3289f7e53e7ed389d0391fb23f ]
    
    Add virtio_vsock_vqs_init() and virtio_vsock_vqs_del() with the code
    that was in virtio_vsock_probe() and virtio_vsock_remove to initialize
    and delete VQs.
    
    These new functions will be used in the next commit to support device
    suspend/resume
    
    Signed-off-by: Stefano Garzarella <[email protected]>
    Acked-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Jakub Kicinski <[email protected]>
    Stable-dep-of: 53b08c498515 ("vsock/virtio: initialize the_virtio_vsock before using VQs")
    Signed-off-by: Sasha Levin <[email protected]>
    stefano-garzarella authored and gregkh committed Nov 8, 2023
    1e02df6
  18. vsock/virtio: add support for device suspend/resume

    [ Upstream commit bd50c5dc182b0a52599f87b429f9a5a9cbfc9b1c ]
    
    Implement .freeze and .restore callbacks of struct virtio_driver
    to support device suspend/resume.
    
    During suspension all connected sockets are reset and VQs deleted.
    During resume the VQs are re-initialized.
    
    Reported by: Vilas R K <[email protected]>
    Signed-off-by: Stefano Garzarella <[email protected]>
    Acked-by: Michael S. Tsirkin <[email protected]>
    Signed-off-by: Jakub Kicinski <[email protected]>
    Stable-dep-of: 53b08c498515 ("vsock/virtio: initialize the_virtio_vsock before using VQs")
    Signed-off-by: Sasha Levin <[email protected]>
    stefano-garzarella authored and gregkh committed Nov 8, 2023
    762c251
  19. vsock/virtio: initialize the_virtio_vsock before using VQs

    [ Upstream commit 53b08c4985158430fd6d035fb49443bada535210 ]
    
    Once VQs are filled with empty buffers and we kick the host, it can send
    connection requests. If the_virtio_vsock is not initialized before,
    replies are silently dropped and do not reach the host.
    
    virtio_transport_send_pkt() can queue packets once the_virtio_vsock is
    set, but they won't be processed until vsock->tx_run is set to true. We
    queue vsock->send_pkt_work when initialization finishes to send those
    packets queued earlier.
    
    Fixes: 0deab08 ("vsock/virtio: use RCU to avoid use-after-free on the_virtio_vsock")
    Signed-off-by: Alexandru Matei <[email protected]>
    Reviewed-by: Stefano Garzarella <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    alex-matei authored and gregkh committed Nov 8, 2023
    8860f01
  20. drm/dp_mst: Fix NULL deref in get_mst_branch_device_by_guid_helper()

    [ Upstream commit 3d887d512494d678b17c57b835c32f4e48d34f26 ]
    
    As drm_dp_get_mst_branch_device_by_guid() is called from
    drm_dp_get_mst_branch_device_by_guid(), mstb parameter has to be checked,
    otherwise NULL dereference may occur in the call to
    the memcpy() and cause following:
    
    [12579.365869] BUG: kernel NULL pointer dereference, address: 0000000000000049
    [12579.365878] #PF: supervisor read access in kernel mode
    [12579.365880] #PF: error_code(0x0000) - not-present page
    [12579.365882] PGD 0 P4D 0
    [12579.365887] Oops: 0000 [#1] PREEMPT SMP NOPTI
    ...
    [12579.365895] Workqueue: events_long drm_dp_mst_up_req_work
    [12579.365899] RIP: 0010:memcmp+0xb/0x29
    [12579.365921] Call Trace:
    [12579.365927] get_mst_branch_device_by_guid_helper+0x22/0x64
    [12579.365930] drm_dp_mst_up_req_work+0x137/0x416
    [12579.365933] process_one_work+0x1d0/0x419
    [12579.365935] worker_thread+0x11a/0x289
    [12579.365938] kthread+0x13e/0x14f
    [12579.365941] ? process_one_work+0x419/0x419
    [12579.365943] ? kthread_blkcg+0x31/0x31
    [12579.365946] ret_from_fork+0x1f/0x30
    
    As get_mst_branch_device_by_guid_helper() is recursive, moving the condition
    to the first line allows removing a similar one for stepping over NULL elements
    inside a loop.
    
    Fixes: 5e93b82 ("drm/dp/mst: move GUID storage from mgr, port to only mst branch")
    Cc: <[email protected]> # 4.14+
    Signed-off-by: Lukasz Majczak <[email protected]>
    Reviewed-by: Radoslaw Biernacki <[email protected]>
    Signed-off-by: Manasi Navare <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>
    semihalf-majczak-lukasz authored and gregkh committed Nov 8, 2023
    0d587b8
  21. firmware/imx-dsp: Fix use_after_free in imx_dsp_setup_channels()

    [ Upstream commit 1558b1a8dd388f5fcc3abc1e24de854a295044c3 ]
    
    dsp_chan->name and chan_name point to the same block of memory.
    Because dev_err still needs to use it, we need to free
    its memory after use to avoid use_after_free.
    
    Fixes: e527adfb9b7d ("firmware: imx-dsp: Fix an error handling path in imx_dsp_setup_channels()")
    Signed-off-by: Hao Ge <[email protected]>
    Reviewed-by: Daniel Baluta <[email protected]>
    Signed-off-by: Shawn Guo <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    GeHao01994 authored and gregkh committed Nov 8, 2023
    04dbfa4
  22. r8169: fix the KCSAN reported data-race in rtl_tx() while reading tp->cur_tx
    
    [ Upstream commit c1c0ce31b2420d5c173228a2132a492ede03d81f ]
    
    KCSAN reported the following data-race:
    
    ==================================================================
    BUG: KCSAN: data-race in rtl8169_poll [r8169] / rtl8169_start_xmit [r8169]
    
    write (marked) to 0xffff888102474b74 of 4 bytes by task 5358 on cpu 29:
    rtl8169_start_xmit (drivers/net/ethernet/realtek/r8169_main.c:4254) r8169
    dev_hard_start_xmit (./include/linux/netdevice.h:4889 ./include/linux/netdevice.h:4903 net/core/dev.c:3544 net/core/dev.c:3560)
    sch_direct_xmit (net/sched/sch_generic.c:342)
    __dev_queue_xmit (net/core/dev.c:3817 net/core/dev.c:4306)
    ip_finish_output2 (./include/linux/netdevice.h:3082 ./include/net/neighbour.h:526 ./include/net/neighbour.h:540 net/ipv4/ip_output.c:233)
    __ip_finish_output (net/ipv4/ip_output.c:311 net/ipv4/ip_output.c:293)
    ip_finish_output (net/ipv4/ip_output.c:328)
    ip_output (net/ipv4/ip_output.c:435)
    ip_send_skb (./include/net/dst.h:458 net/ipv4/ip_output.c:127 net/ipv4/ip_output.c:1486)
    udp_send_skb (net/ipv4/udp.c:963)
    udp_sendmsg (net/ipv4/udp.c:1246)
    inet_sendmsg (net/ipv4/af_inet.c:840 (discriminator 4))
    sock_sendmsg (net/socket.c:730 net/socket.c:753)
    __sys_sendto (net/socket.c:2177)
    __x64_sys_sendto (net/socket.c:2185)
    do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
    entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
    
    read to 0xffff888102474b74 of 4 bytes by interrupt on cpu 21:
    rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4397 drivers/net/ethernet/realtek/r8169_main.c:4581) r8169
    __napi_poll (net/core/dev.c:6527)
    net_rx_action (net/core/dev.c:6596 net/core/dev.c:6727)
    __do_softirq (kernel/softirq.c:553)
    __irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632)
    irq_exit_rcu (kernel/softirq.c:647)
    common_interrupt (arch/x86/kernel/irq.c:247 (discriminator 14))
    asm_common_interrupt (./arch/x86/include/asm/idtentry.h:636)
    cpuidle_enter_state (drivers/cpuidle/cpuidle.c:291)
    cpuidle_enter (drivers/cpuidle/cpuidle.c:390)
    call_cpuidle (kernel/sched/idle.c:135)
    do_idle (kernel/sched/idle.c:219 kernel/sched/idle.c:282)
    cpu_startup_entry (kernel/sched/idle.c:378 (discriminator 1))
    start_secondary (arch/x86/kernel/smpboot.c:210 arch/x86/kernel/smpboot.c:294)
    secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:433)
    
    value changed: 0x002f4815 -> 0x002f4816
    
    Reported by Kernel Concurrency Sanitizer on:
    CPU: 21 PID: 0 Comm: swapper/21 Tainted: G             L     6.6.0-rc2-kcsan-00143-gb5cbe7c00aa0 #41
    Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023
    ==================================================================
    
    The write side of drivers/net/ethernet/realtek/r8169_main.c is:
    ==================
       4251         /* rtl_tx needs to see descriptor changes before updated tp->cur_tx */
       4252         smp_wmb();
       4253
     → 4254         WRITE_ONCE(tp->cur_tx, tp->cur_tx + frags + 1);
       4255
       4256         stop_queue = !netif_subqueue_maybe_stop(dev, 0, rtl_tx_slots_avail(tp),
       4257                                                 R8169_TX_STOP_THRS,
       4258                                                 R8169_TX_START_THRS);
    
    The read side is the function rtl_tx():
    
       4355 static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp,
       4356                    int budget)
       4357 {
       4358         unsigned int dirty_tx, bytes_compl = 0, pkts_compl = 0;
       4359         struct sk_buff *skb;
       4360
       4361         dirty_tx = tp->dirty_tx;
       4362
       4363         while (READ_ONCE(tp->cur_tx) != dirty_tx) {
       4364                 unsigned int entry = dirty_tx % NUM_TX_DESC;
       4365                 u32 status;
       4366
       4367                 status = le32_to_cpu(tp->TxDescArray[entry].opts1);
       4368                 if (status & DescOwn)
       4369                         break;
       4370
       4371                 skb = tp->tx_skb[entry].skb;
       4372                 rtl8169_unmap_tx_skb(tp, entry);
       4373
       4374                 if (skb) {
       4375                         pkts_compl++;
       4376                         bytes_compl += skb->len;
       4377                         napi_consume_skb(skb, budget);
       4378                 }
       4379                 dirty_tx++;
       4380         }
       4381
       4382         if (tp->dirty_tx != dirty_tx) {
       4383                 dev_sw_netstats_tx_add(dev, pkts_compl, bytes_compl);
       4384                 WRITE_ONCE(tp->dirty_tx, dirty_tx);
       4385
       4386                 netif_subqueue_completed_wake(dev, 0, pkts_compl, bytes_compl,
       4387                                               rtl_tx_slots_avail(tp),
       4388                                               R8169_TX_START_THRS);
       4389                 /*
       4390                  * 8168 hack: TxPoll requests are lost when the Tx packets are
       4391                  * too close. Let's kick an extra TxPoll request when a burst
       4392                  * of start_xmit activity is detected (if it is not detected,
       4393                  * it is slow enough). -- FR
       4394                  * If skb is NULL then we come here again once a tx irq is
       4395                  * triggered after the last fragment is marked transmitted.
       4396                  */
     → 4397                 if (tp->cur_tx != dirty_tx && skb)
       4398                         rtl8169_doorbell(tp);
       4399         }
       4400 }
    
    Obviously from the code, an earlier detected data-race for tp->cur_tx was fixed in the
    line 4363:
    
       4363         while (READ_ONCE(tp->cur_tx) != dirty_tx) {
    
    but the same solution is required for protecting the other access to tp->cur_tx:
    
     → 4397                 if (READ_ONCE(tp->cur_tx) != dirty_tx && skb)
       4398                         rtl8169_doorbell(tp);
    
    The write in the line 4254 is protected with WRITE_ONCE(), but the read in the line 4397
    might have suffered read tearing under some compiler optimisations.
    
    The fix eliminated the KCSAN data-race report for this bug.
    
    It is yet to be evaluated what happens if tp->cur_tx changes between the test in line 4363
    and line 4397. This test should certainly not be cached by the compiler in some register
    for such a long time, while asynchronous writes to tp->cur_tx might have occurred in line
    4254 in the meantime.
    
    Fixes: 94d8a98 ("r8169: reduce number of workaround doorbell rings")
    Cc: Heiner Kallweit <[email protected]>
    Cc: [email protected]
    Cc: "David S. Miller" <[email protected]>
    Cc: Eric Dumazet <[email protected]>
    Cc: Jakub Kicinski <[email protected]>
    Cc: Paolo Abeni <[email protected]>
    Cc: Marco Elver <[email protected]>
    Cc: [email protected]
    Link: https://lore.kernel.org/lkml/[email protected]/
    Signed-off-by: Mirsad Goran Todorovac <[email protected]>
    Acked-by: Marco Elver <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    Mirsad Goran Todorovac authored and gregkh committed Nov 8, 2023
    9d7b383
  23. r8169: fix the KCSAN reported data-race in rtl_tx while reading TxDescArray[entry].opts1
    
    [ Upstream commit dcf75a0f6bc136de94e88178ae5f51b7f879abc9 ]
    
    KCSAN reported the following data-race:
    
    ==================================================================
    BUG: KCSAN: data-race in rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4368 drivers/net/ethernet/realtek/r8169_main.c:4581) r8169
    
    race at unknown origin, with read to 0xffff888140d37570 of 4 bytes by interrupt on cpu 21:
    rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4368 drivers/net/ethernet/realtek/r8169_main.c:4581) r8169
    __napi_poll (net/core/dev.c:6527)
    net_rx_action (net/core/dev.c:6596 net/core/dev.c:6727)
    __do_softirq (kernel/softirq.c:553)
    __irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632)
    irq_exit_rcu (kernel/softirq.c:647)
    sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1074 (discriminator 14))
    asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:645)
    cpuidle_enter_state (drivers/cpuidle/cpuidle.c:291)
    cpuidle_enter (drivers/cpuidle/cpuidle.c:390)
    call_cpuidle (kernel/sched/idle.c:135)
    do_idle (kernel/sched/idle.c:219 kernel/sched/idle.c:282)
    cpu_startup_entry (kernel/sched/idle.c:378 (discriminator 1))
    start_secondary (arch/x86/kernel/smpboot.c:210 arch/x86/kernel/smpboot.c:294)
    secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:433)
    
    value changed: 0xb0000042 -> 0x00000000
    
    Reported by Kernel Concurrency Sanitizer on:
    CPU: 21 PID: 0 Comm: swapper/21 Tainted: G             L     6.6.0-rc2-kcsan-00143-gb5cbe7c00aa0 #41
    Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023
    ==================================================================
    
    The read side is in
    
    drivers/net/ethernet/realtek/r8169_main.c
    =========================================
       4355 static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp,
       4356                    int budget)
       4357 {
       4358         unsigned int dirty_tx, bytes_compl = 0, pkts_compl = 0;
       4359         struct sk_buff *skb;
       4360
       4361         dirty_tx = tp->dirty_tx;
       4362
       4363         while (READ_ONCE(tp->cur_tx) != dirty_tx) {
       4364                 unsigned int entry = dirty_tx % NUM_TX_DESC;
       4365                 u32 status;
       4366
     → 4367                 status = le32_to_cpu(tp->TxDescArray[entry].opts1);
       4368                 if (status & DescOwn)
       4369                         break;
       4370
       4371                 skb = tp->tx_skb[entry].skb;
       4372                 rtl8169_unmap_tx_skb(tp, entry);
       4373
       4374                 if (skb) {
       4375                         pkts_compl++;
       4376                         bytes_compl += skb->len;
       4377                         napi_consume_skb(skb, budget);
       4378                 }
       4379                 dirty_tx++;
       4380         }
       4381
       4382         if (tp->dirty_tx != dirty_tx) {
       4383                 dev_sw_netstats_tx_add(dev, pkts_compl, bytes_compl);
       4384                 WRITE_ONCE(tp->dirty_tx, dirty_tx);
       4385
       4386                 netif_subqueue_completed_wake(dev, 0, pkts_compl, bytes_compl,
       4387                                               rtl_tx_slots_avail(tp),
       4388                                               R8169_TX_START_THRS);
       4389                 /*
       4390                  * 8168 hack: TxPoll requests are lost when the Tx packets are
       4391                  * too close. Let's kick an extra TxPoll request when a burst
       4392                  * of start_xmit activity is detected (if it is not detected,
       4393                  * it is slow enough). -- FR
       4394                  * If skb is NULL then we come here again once a tx irq is
       4395                  * triggered after the last fragment is marked transmitted.
       4396                  */
       4397                 if (READ_ONCE(tp->cur_tx) != dirty_tx && skb)
       4398                         rtl8169_doorbell(tp);
       4399         }
       4400 }
    
    tp->TxDescArray[entry].opts1 is reported to have a data-race and READ_ONCE() fixes
    this KCSAN warning.
    
       4366
     → 4367                 status = le32_to_cpu(READ_ONCE(tp->TxDescArray[entry].opts1));
       4368                 if (status & DescOwn)
       4369                         break;
       4370
    
    Cc: Heiner Kallweit <[email protected]>
    Cc: [email protected]
    Cc: "David S. Miller" <[email protected]>
    Cc: Eric Dumazet <[email protected]>
    Cc: Jakub Kicinski <[email protected]>
    Cc: Paolo Abeni <[email protected]>
    Cc: Marco Elver <[email protected]>
    Cc: [email protected]
    Link: https://lore.kernel.org/lkml/[email protected]/
    Signed-off-by: Mirsad Goran Todorovac <[email protected]>
    Acked-by: Marco Elver <[email protected]>
    Fixes: 1da177e ("Linux-2.6.12-rc2")
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    Mirsad Goran Todorovac authored and gregkh committed Nov 8, 2023
    6afb294
  24. r8169: fix the KCSAN reported data race in rtl_rx while reading desc->opts1
    
    [ Upstream commit f97eee484e71890131f9c563c5cc6d5a69e4308d ]
    
    KCSAN reported the following data-race bug:
    
    ==================================================================
    BUG: KCSAN: data-race in rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4430 drivers/net/ethernet/realtek/r8169_main.c:4583) r8169
    
    race at unknown origin, with read to 0xffff888117e43510 of 4 bytes by interrupt on cpu 21:
    rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4430 drivers/net/ethernet/realtek/r8169_main.c:4583) r8169
    __napi_poll (net/core/dev.c:6527)
    net_rx_action (net/core/dev.c:6596 net/core/dev.c:6727)
    __do_softirq (kernel/softirq.c:553)
    __irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632)
    irq_exit_rcu (kernel/softirq.c:647)
    sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1074 (discriminator 14))
    asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:645)
    cpuidle_enter_state (drivers/cpuidle/cpuidle.c:291)
    cpuidle_enter (drivers/cpuidle/cpuidle.c:390)
    call_cpuidle (kernel/sched/idle.c:135)
    do_idle (kernel/sched/idle.c:219 kernel/sched/idle.c:282)
    cpu_startup_entry (kernel/sched/idle.c:378 (discriminator 1))
    start_secondary (arch/x86/kernel/smpboot.c:210 arch/x86/kernel/smpboot.c:294)
    secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:433)
    
    value changed: 0x80003fff -> 0x3402805f
    
    Reported by Kernel Concurrency Sanitizer on:
    CPU: 21 PID: 0 Comm: swapper/21 Tainted: G             L     6.6.0-rc2-kcsan-00143-gb5cbe7c00aa0 #41
    Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023
    ==================================================================
    
    drivers/net/ethernet/realtek/r8169_main.c:
    ==========================================
       4429
     → 4430                 status = le32_to_cpu(desc->opts1);
       4431                 if (status & DescOwn)
       4432                         break;
       4433
       4434                 /* This barrier is needed to keep us from reading
       4435                  * any other fields out of the Rx descriptor until
       4436                  * we know the status of DescOwn
       4437                  */
       4438                 dma_rmb();
       4439
       4440                 if (unlikely(status & RxRES)) {
       4441                         if (net_ratelimit())
       4442                                 netdev_warn(dev, "Rx ERROR. status = %08x\n",
    
    Marco Elver explained that dma_rmb() doesn't prevent the compiler from tearing up the access to
    desc->opts1 which can be written to concurrently. READ_ONCE() should prevent that from
    happening:
    
       4429
     → 4430                 status = le32_to_cpu(READ_ONCE(desc->opts1));
       4431                 if (status & DescOwn)
       4432                         break;
       4433
    
    As a consequence of this fix, this KCSAN warning was eliminated.
    
    Fixes: 6202806 ("r8169: drop member opts1_mask from struct rtl8169_private")
    Suggested-by: Marco Elver <[email protected]>
    Cc: Heiner Kallweit <[email protected]>
    Cc: [email protected]
    Cc: "David S. Miller" <[email protected]>
    Cc: Eric Dumazet <[email protected]>
    Cc: Jakub Kicinski <[email protected]>
    Cc: Paolo Abeni <[email protected]>
    Cc: [email protected]
    Link: https://lore.kernel.org/lkml/[email protected]/
    Signed-off-by: Mirsad Goran Todorovac <[email protected]>
    Acked-by: Marco Elver <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    Mirsad Goran Todorovac authored and gregkh committed Nov 8, 2023
    c532c5d
  25. i40e: Fix I40E_FLAG_VF_VLAN_PRUNING value

    [ Upstream commit 665e7d83c5386f9abdc67b2e4b6e6d9579aadfcb ]
    
    Commit c87c938f62d8f1 ("i40e: Add VF VLAN pruning") added new
    PF flag I40E_FLAG_VF_VLAN_PRUNING but its value collides with
    existing I40E_FLAG_TOTAL_PORT_SHUTDOWN_ENABLED flag.
    
    Move the affected flag to the end of the flags and fix its value.
    
    Reproducer:
    [root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 link-down-on-close on
    [root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 vf-vlan-pruning on
    [root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 link-down-on-close off
    [ 6323.142585] i40e 0000:02:00.0: Setting link-down-on-close not supported on this port (because total-port-shutdown is enabled)
    netlink error: Operation not supported
    [root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 vf-vlan-pruning off
    [root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 link-down-on-close off
    
    The link-down-on-close flag cannot be modified after setting vf-vlan-pruning
    because vf-vlan-pruning shares the same bit with total-port-shutdown flag
    that prevents any modification of link-down-on-close flag.
    
    Fixes: c87c938f62d8 ("i40e: Add VF VLAN pruning")
    Cc: Mateusz Palczewski <[email protected]>
    Cc: Simon Horman <[email protected]>
    Signed-off-by: Ivan Vecera <[email protected]>
    Reviewed-by: Jacob Keller <[email protected]>
    Tested-by: Pucha Himasekhar Reddy <[email protected]> (A Contingent worker at Intel)
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    Ivan Vecera authored and gregkh committed Nov 8, 2023
    bc0c4bc
  26. treewide: Spelling fix in comment

    [ Upstream commit fb71ba0ed8be9534493c80ba00142a64d9972a72 ]
    
    reques -> request
    
    Fixes: 09dde54 ("PS3: gelic: Add wireless support for PS3")
    Signed-off-by: Kunwu Chan <[email protected]>
    Reviewed-by: Geert Uytterhoeven <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    KunWuChan authored and gregkh committed Nov 8, 2023
    2634219
  27. igb: Fix potential memory leak in igb_add_ethtool_nfc_entry

    [ Upstream commit 8c0b48e01daba5ca58f939a8425855d3f4f2ed14 ]
    
    Add check for return of igb_update_ethtool_nfc_entry so that in case
    of any potential errors the memory allocated for input will be freed.
    
    Fixes: 0e71def ("igb: add support of RX network flow classification")
    Reviewed-by: Wojciech Drewek <[email protected]>
    Signed-off-by: Mateusz Palczewski <[email protected]>
    Tested-by: Arpana Arland <[email protected]> (A Contingent worker at Intel)
    Signed-off-by: Jacob Keller <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    mpalczew96 authored and gregkh committed Nov 8, 2023
    6675549
  28. neighbour: fix various data-races

    [ Upstream commit a9beb7e81bcb876615e1fbb3c07f3f9dba69831f ]
    
    1) tbl->gc_thresh1, tbl->gc_thresh2, tbl->gc_thresh3 and tbl->gc_interval
       can be written from sysfs.
    
    2) tbl->last_flush is read locklessly from neigh_alloc()
    
    3) tbl->proxy_queue.qlen is read locklessly from neightbl_fill_info()
    
    4) neightbl_fill_info() reads cpu stats that can be changed concurrently.
    
    Fixes: c7fb64d ("[NETLINK]: Neighbour table configuration and statistics via rtnetlink")
    Signed-off-by: Eric Dumazet <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    Eric Dumazet authored and gregkh committed Nov 8, 2023
    4952941
  29. igc: Fix ambiguity in the ethtool advertising

    [ Upstream commit e7684d29efdf37304c62bb337ea55b3428ca118e ]
    
    The 'ethtool_convert_link_mode_to_legacy_u32' method does not allow us to
    advertise 2500M speed support and TP (twisted pair) properly. Convert to
    'ethtool_link_ksettings_test_link_mode' to advertise supported speed and
    eliminate ambiguity.
    
    Fixes: 8c5ad0d ("igc: Add ethtool support")
    Suggested-by: Dima Ruinskiy <[email protected]>
    Suggested-by: Vitaly Lifshits <[email protected]>
    Signed-off-by: Sasha Neftin <[email protected]>
    Tested-by: Naama Meir <[email protected]>
    Signed-off-by: Jacob Keller <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    aneftin authored and gregkh committed Nov 8, 2023
    46cd35e
  30. net: ieee802154: adf7242: Fix some potential buffer overflow in adf7242_stats_show()
    
    [ Upstream commit ca082f019d8fbb983f03080487946da714154bae ]
    
    strncat() usage in adf7242_debugfs_init() is wrong.
    The size given to strncat() is the maximum number of bytes that can be
    written, excluding the trailing NULL.
    
    Here, the size that is passed, DNAME_INLINE_LEN, does not take into account
    the size of "adf7242-" that is already in the array.
    
    In order to fix it, use snprintf() instead.
    
    Fixes: 7302b9d ("ieee802154/adf7242: Driver for ADF7242 MAC IEEE802154")
    Signed-off-by: Christophe JAILLET <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    tititiou36 authored and gregkh committed Nov 8, 2023
    6afd112
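The strncat() sizing mistake described in the commit message above, worked through in userspace C as an added example (not the adf7242 driver's code). The value 32 for `DNAME_INLINE_LEN`, the 31-byte device name and the helper names are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed for this example only; the kernel's DNAME_INLINE_LEN depends on the build. */
#define DNAME_INLINE_LEN 32
#define PREFIX "adf7242-"
/* Constructed 31-byte device name (hypothetical input). */
#define LONG_DEVNAME "0123456789012345678901234567890"

/*
 * Bytes of the destination that strncat(dst, src, n) touches: the text
 * already in dst, the appended bytes (at most n), and the terminating
 * byte that strncat() always writes after them.
 */
static size_t strncat_bytes_needed(const char *dst_now, const char *src, size_t n)
{
    size_t copy = strlen(src);

    if (copy > n)
        copy = n;
    return strlen(dst_now) + copy + 1;
}

/* The largest n that keeps strncat() inside a dst_size-byte buffer. */
static size_t strncat_safe_bound(const char *dst_now, size_t dst_size)
{
    size_t used = strlen(dst_now) + 1;  /* existing text plus terminator */

    return used >= dst_size ? 0 : dst_size - used;
}

/*
 * Hardened form using snprintf(), the replacement the commit message names.
 * Returns 0 if the name fit, 1 if it was truncated, -1 on a format error.
 * The output is always terminated when out_size > 0.
 */
static int build_name(char *out, size_t out_size, const char *devname)
{
    int n = snprintf(out, out_size, "%s%s", PREFIX, devname);

    if (n < 0)
        return -1;
    return (size_t)n >= out_size;
}

int main(void)
{
    char name[DNAME_INLINE_LEN];
    int truncated;

    /* Passing the full buffer size as n ignores the prefix already stored. */
    printf("buffer: %d bytes, strncat worst case: %zu bytes\n",
           DNAME_INLINE_LEN,
           strncat_bytes_needed(PREFIX, LONG_DEVNAME, DNAME_INLINE_LEN));
    printf("bound strncat would need instead: %zu\n",
           strncat_safe_bound(PREFIX, DNAME_INLINE_LEN));

    truncated = build_name(name, sizeof(name), LONG_DEVNAME);
    printf("snprintf result: \"%s\" (truncated=%d)\n", name, truncated);
    return 0;
}
```

The helpers compute the write extent instead of performing the out-of-bounds strncat(), so the program stays well-defined while still showing the 8-byte overrun.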
  31. net: usb: smsc95xx: Fix uninit-value access in smsc95xx_read_reg

    [ Upstream commit 51a32e828109b4a209efde44505baa356b37a4ce ]
    
    syzbot reported the following uninit-value access issue [1]:
    
    smsc95xx 1-1:0.0 (unnamed net_device) (uninitialized): Failed to read reg index 0x00000030: -32
    smsc95xx 1-1:0.0 (unnamed net_device) (uninitialized): Error reading E2P_CMD
    =====================================================
    BUG: KMSAN: uninit-value in smsc95xx_reset+0x409/0x25f0 drivers/net/usb/smsc95xx.c:896
     smsc95xx_reset+0x409/0x25f0 drivers/net/usb/smsc95xx.c:896
     smsc95xx_bind+0x9bc/0x22e0 drivers/net/usb/smsc95xx.c:1131
     usbnet_probe+0x100b/0x4060 drivers/net/usb/usbnet.c:1750
     usb_probe_interface+0xc75/0x1210 drivers/usb/core/driver.c:396
     really_probe+0x506/0xf40 drivers/base/dd.c:658
     __driver_probe_device+0x2a7/0x5d0 drivers/base/dd.c:800
     driver_probe_device+0x72/0x7b0 drivers/base/dd.c:830
     __device_attach_driver+0x55a/0x8f0 drivers/base/dd.c:958
     bus_for_each_drv+0x3ff/0x620 drivers/base/bus.c:457
     __device_attach+0x3bd/0x640 drivers/base/dd.c:1030
     device_initial_probe+0x32/0x40 drivers/base/dd.c:1079
     bus_probe_device+0x3d8/0x5a0 drivers/base/bus.c:532
     device_add+0x16ae/0x1f20 drivers/base/core.c:3622
     usb_set_configuration+0x31c9/0x38c0 drivers/usb/core/message.c:2207
     usb_generic_driver_probe+0x109/0x2a0 drivers/usb/core/generic.c:238
     usb_probe_device+0x290/0x4a0 drivers/usb/core/driver.c:293
     really_probe+0x506/0xf40 drivers/base/dd.c:658
     __driver_probe_device+0x2a7/0x5d0 drivers/base/dd.c:800
     driver_probe_device+0x72/0x7b0 drivers/base/dd.c:830
     __device_attach_driver+0x55a/0x8f0 drivers/base/dd.c:958
     bus_for_each_drv+0x3ff/0x620 drivers/base/bus.c:457
     __device_attach+0x3bd/0x640 drivers/base/dd.c:1030
     device_initial_probe+0x32/0x40 drivers/base/dd.c:1079
     bus_probe_device+0x3d8/0x5a0 drivers/base/bus.c:532
     device_add+0x16ae/0x1f20 drivers/base/core.c:3622
     usb_new_device+0x15f6/0x22f0 drivers/usb/core/hub.c:2589
     hub_port_connect drivers/usb/core/hub.c:5440 [inline]
     hub_port_connect_change drivers/usb/core/hub.c:5580 [inline]
     port_event drivers/usb/core/hub.c:5740 [inline]
     hub_event+0x53bc/0x7290 drivers/usb/core/hub.c:5822
     process_one_work kernel/workqueue.c:2630 [inline]
     process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2703
     worker_thread+0xf45/0x1490 kernel/workqueue.c:2784
     kthread+0x3e8/0x540 kernel/kthread.c:388
     ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147
     ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
    
    Local variable buf.i225 created at:
     smsc95xx_read_reg drivers/net/usb/smsc95xx.c:90 [inline]
     smsc95xx_reset+0x203/0x25f0 drivers/net/usb/smsc95xx.c:892
     smsc95xx_bind+0x9bc/0x22e0 drivers/net/usb/smsc95xx.c:1131
    
    CPU: 1 PID: 773 Comm: kworker/1:2 Not tainted 6.6.0-rc1-syzkaller-00125-ge42bebf6db29 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
    Workqueue: usb_hub_wq hub_event
    =====================================================
    
    Similar to e9c65989920f ("net: usb: smsc75xx: Fix uninit-value access in
    __smsc75xx_read_reg"), this issue is caused because usbnet_read_cmd() reads
    less bytes than requested (zero byte in the reproducer). In this case,
    'buf' is not properly filled.
    
    This patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads
    less bytes than requested.
    
    syzbot reported a similar uninit-value access issue [2]. The root cause is
    the same as mentioned above, and this patch addresses it as well.
    
    Fixes: 2f7ca80 ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver")
    Reported-and-tested-by: [email protected]
    Reported-and-tested-by: [email protected]
    Closes: https://syzkaller.appspot.com/bug?extid=c74c24b43c9ae534f0e0 [1]
    Closes: https://syzkaller.appspot.com/bug?extid=2c97a98a5ba9ea9c23bd [2]
    Signed-off-by: Shigeru Yoshida <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    Shigeru Yoshida authored and gregkh committed Nov 8, 2023
    76873f2
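The short-read case from the commit message above, modelled in userspace C as an added example (not the smsc95xx driver's code). `fake_dev`, `fake_read_cmd()` and the poison byte are hypothetical stand-ins for the USB transport and for stale stack contents.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON 0xA5  /* constructed value modelling stale stack contents */

/* Hypothetical stand-in for a USB control read; not the kernel's usbnet_read_cmd(). */
struct fake_dev {
    const uint8_t *data;  /* bytes the device would return */
    int avail;            /* how many of them it actually returns */
    int err;              /* negative errno to fail with, or 0 */
};

/* Constructed register contents: 0x12345678 in little-endian order. */
static const uint8_t REG_BYTES[4] = { 0x78, 0x56, 0x34, 0x12 };

/* Returns a negative errno, or the number of bytes copied (may be < size). */
static int fake_read_cmd(const struct fake_dev *d, void *buf, int size)
{
    int n;

    if (d->err)
        return d->err;
    n = d->avail < size ? d->avail : size;
    memcpy(buf, d->data, (size_t)n);
    return n;
}

static uint32_t le32_decode(const uint8_t *b)
{
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 |
           (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/*
 * Before: only a negative return counts as failure, so a short read
 * succeeds and the caller receives whatever was in the buffer already.
 */
static int read_reg_unchecked(const struct fake_dev *d, uint32_t *val)
{
    uint8_t buf[4];
    int ret;

    memset(buf, POISON, sizeof(buf));
    ret = fake_read_cmd(d, buf, sizeof(buf));
    if (ret < 0)
        return ret;
    *val = le32_decode(buf);
    return 0;
}

/* After: a short read is reported as -ENODATA and *val is left untouched. */
static int read_reg_checked(const struct fake_dev *d, uint32_t *val)
{
    uint8_t buf[4];
    int ret;

    memset(buf, POISON, sizeof(buf));
    ret = fake_read_cmd(d, buf, sizeof(buf));
    if (ret < 0)
        return ret;
    if (ret < (int)sizeof(buf))
        return -ENODATA;
    *val = le32_decode(buf);
    return 0;
}

int main(void)
{
    struct fake_dev empty = { REG_BYTES, 0, 0 };  /* zero-byte reply */
    uint32_t v = 0;
    int ret;

    ret = read_reg_unchecked(&empty, &v);
    printf("unchecked: ret=%d val=0x%08x\n", ret, (unsigned)v);

    v = 0;
    ret = read_reg_checked(&empty, &v);
    printf("checked:   ret=%d val=0x%08x\n", ret, (unsigned)v);
    return 0;
}
```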
  32. r8152: Increase USB control msg timeout to 5000ms as per spec

    [ Upstream commit a5feba71ec9c14a54c3babdc732c5b6866d8ee43 ]
    
    According to the comment next to USB_CTRL_GET_TIMEOUT and
    USB_CTRL_SET_TIMEOUT, although sending/receiving control messages is
    usually quite fast, the spec allows them to take up to 5 seconds.
    Let's increase the timeout in the Realtek driver from 500ms to 5000ms
    (using the #defines) to account for this.
    
    This is not just a theoretical change. The need for the longer timeout
    was seen in testing. Specifically, if you drop a sc7180-trogdor based
    Chromebook into the kdb debugger and then "go" again after sitting in
    the debugger for a while, the next USB control message takes a long
    time. Out of ~40 tests the slowest USB control message was 4.5
    seconds.
    
    While dropping into kdb is not exactly an end-user scenario, the above
    is similar to what could happen due to a temporary interrupt storm,
    what could happen if there was a host controller (HW or SW) issue, or
    what could happen if the Realtek device got into a confused state and
    needed time to recover.
    
    This change is fairly critical since the r8152 driver in Linux doesn't
    expect register reads/writes (which are backed by USB control
    messages) to fail.
    
    Fixes: ac718b6 ("net/usb: new driver for RTL8152")
    Suggested-by: Hayes Wang <[email protected]>
    Signed-off-by: Douglas Anderson <[email protected]>
    Reviewed-by: Grant Grundler <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    dianders authored and gregkh committed Nov 8, 2023
    6fa3b9f
  33. r8152: Run the unload routine if we have errors during probe

    [ Upstream commit 5dd17689526971c5ae12bc8398f34bd68cd0499e ]
    
    The rtl8152_probe() function lacks a call to the chip-specific
    unload() routine when it sees an error in probe. Add it in to match
    the cleanup code in rtl8152_disconnect().
    
    Fixes: ac718b6 ("net/usb: new driver for RTL8152")
    Signed-off-by: Douglas Anderson <[email protected]>
    Reviewed-by: Grant Grundler <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    dianders authored and gregkh committed Nov 8, 2023
    ff42b0a
  34. r8152: Cancel hw_phy_work if we have an error in probe

    [ Upstream commit bb8adff9123e492598162ac1baad01a53891aef6 ]
    
    The error handling in rtl8152_probe() is missing a call to cancel the
    hw_phy_work. Add it in to match what's in the cleanup code in
    rtl8152_disconnect().
    
    Fixes: a028a9e ("r8152: move the settings of PHY to a work queue")
    Signed-off-by: Douglas Anderson <[email protected]>
    Reviewed-by: Grant Grundler <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    dianders authored and gregkh committed Nov 8, 2023
    e0f9231
  35. r8152: Release firmware if we have an error in probe

    [ Upstream commit b8d35024d4059ca550cba11ac9ab23a6c238d929 ]
    
    The error handling in rtl8152_probe() is missing a call to release
    firmware. Add it in to match what's in the cleanup code in
    rtl8152_disconnect().
    
    Fixes: 9370f2d ("r8152: support request_firmware for RTL8153")
    Signed-off-by: Douglas Anderson <[email protected]>
    Reviewed-by: Grant Grundler <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    dianders authored and gregkh committed Nov 8, 2023
    83cfa3b
  36. tcp: fix wrong RTO timeout when received SACK reneging

    [ Upstream commit d2a0fc372aca561556e765d0a9ec365c7c12f0ad ]
    
    This commit fixes the wrong RTO timeout when SACK reneging is received.
    
    When an ACK arrived pointing to a SACK reneging, tcp_check_sack_reneging()
    will rearm the RTO timer for min(1/2*srtt, 10ms) into the future.
    
    But since the commit 62d9f1a ("tcp: fix TLP timer not set when
    CA_STATE changes from DISORDER to OPEN") was merged, tcp_set_xmit_timer()
    is moved after tcp_fastretrans_alert() (which does the SACK reneging check),
    so the RTO timeout will be overwritten by tcp_set_xmit_timer() with
    icsk_rto instead of 1/2*srtt.
    
    Here is a packetdrill script to check this bug:
    0     socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
    +0    bind(3, ..., ...) = 0
    +0    listen(3, 1) = 0
    
    // simulate srtt to 100ms
    +0    < S 0:0(0) win 32792 <mss 1000, sackOK,nop,nop,nop,wscale 7>
    +0    > S. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK,nop,wscale 7>
    +.1    < . 1:1(0) ack 1 win 1024
    
    +0    accept(3, ..., ...) = 4
    
    +0    write(4, ..., 10000) = 10000
    +0    > P. 1:10001(10000) ack 1
    
    // inject sack
    +.1    < . 1:1(0) ack 1 win 257 <sack 1001:10001,nop,nop>
    +0    > . 1:1001(1000) ack 1
    
    // inject sack reneging
    +.1    < . 1:1(0) ack 1001 win 257 <sack 9001:10001,nop,nop>
    
    // we expect rto fired in 1/2*srtt (50ms)
    +.05    > . 1001:2001(1000) ack 1
    
    This fix removes the FLAG_SET_XMIT_TIMER from ack_flag when
    tcp_check_sack_reneging() sets the RTO timer with 1/2*srtt to avoid
    it being overwritten later.
    
    Fixes: 62d9f1a ("tcp: fix TLP timer not set when CA_STATE changes from DISORDER to OPEN")
    Signed-off-by: Fred Chen <[email protected]>
    Reviewed-by: Neal Cardwell <[email protected]>
    Tested-by: Neal Cardwell <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    Fred Chen authored and gregkh committed Nov 8, 2023
    852fb4c
  37. gtp: uapi: fix GTPA_MAX

    [ Upstream commit adc8df12d91a2b8350b0cd4c7fec3e8546c9d1f8 ]
    
    Subtract one from __GTPA_MAX, otherwise GTPA_MAX is off by 2.
    
    Fixes: 459aa66 ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
    Signed-off-by: Pablo Neira Ayuso <[email protected]>
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    ummakynes authored and gregkh committed Nov 8, 2023
    c0dad0c
  38. gtp: fix fragmentation needed check with gso

    [ Upstream commit 4530e5b8e2dad63dcad2206232dd86e4b1489b6c ]
    
    Call skb_gso_validate_network_len() to check if packet is over PMTU.
    
    Fixes: 459aa66 ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
    Signed-off-by: Pablo Neira Ayuso <[email protected]>
    Signed-off-by: Paolo Abeni <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    ummakynes authored and gregkh committed Nov 8, 2023
    d5c175f
  39. i40e: Fix wrong check for I40E_TXR_FLAGS_WB_ON_ITR

    [ Upstream commit 77a8c982ff0d4c3a14022c6fe9e3dbfb327552ec ]
    
    The I40E_TXR_FLAGS_WB_ON_ITR is an i40e_ring flag and not an i40e_pf one.
    
    Fixes: 8e0764b ("i40e/i40evf: Add support for writeback on ITR feature for X722")
    Signed-off-by: Ivan Vecera <[email protected]>
    Tested-by: Pucha Himasekhar Reddy <[email protected]> (A Contingent worker at Intel)
    Signed-off-by: Jacob Keller <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    Ivan Vecera authored and gregkh committed Nov 8, 2023
    bdfa4fa
  40. kasan: print the original fault addr when access invalid shadow

    commit babddbfb7d7d70ae7f10fedd75a45d8ad75fdddf upstream.
    
    When the checked address is illegal, the corresponding shadow address from
    kasan_mem_to_shadow may have no mapping in the MMU table.  Accessing such a shadow
    address causes a kernel oops.  Here is a sample oops on arm64 (VA
    39bit) with KASAN_SW_TAGS and KASAN_OUTLINE on:
    
    [ffffffb80aaaaaaa] pgd=000000005d3ce003, p4d=000000005d3ce003,
        pud=000000005d3ce003, pmd=0000000000000000
    Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
    Modules linked in:
    CPU: 3 PID: 100 Comm: sh Not tainted 6.6.0-rc1-dirty #43
    Hardware name: linux,dummy-virt (DT)
    pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
    pc : __hwasan_load8_noabort+0x5c/0x90
    lr : do_ib_ob+0xf4/0x110
    ffffffb80aaaaaaa is the shadow address for efffff80aaaaaaaa.
    The problem is reading invalid shadow in kasan_check_range.
    
    The generic kasan also has similar oops.
    
    It only reports the shadow address which causes oops but not
    the original address.
    
    Commit 2f004ee ("x86/kasan: Print original address on #GP")
    introduced kasan_non_canonical_hook but limited it to KASAN_INLINE.
    
    This patch extends it to KASAN_OUTLINE mode.
    
    Link: https://lkml.kernel.org/r/[email protected]
    Fixes: 2f004ee ("x86/kasan: Print original address on #GP")
    Signed-off-by: Haibo Li <[email protected]>
    Reviewed-by: Andrey Konovalov <[email protected]>
    Cc: Alexander Potapenko <[email protected]>
    Cc: Andrey Ryabinin <[email protected]>
    Cc: AngeloGioacchino Del Regno <[email protected]>
    Cc: Dmitry Vyukov <[email protected]>
    Cc: Haibo Li <[email protected]>
    Cc: Matthias Brugger <[email protected]>
    Cc: Vincenzo Frascino <[email protected]>
    Cc: Arnd Bergmann <[email protected]>
    Cc: Kees Cook <[email protected]>
    Signed-off-by: Andrew Morton <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Haibo Li authored and gregkh committed Nov 8, 2023
    4e14f2d
  41. iio: exynos-adc: request second interrupt only when touchscreen mode is used
    
    commit 865b080e3229102f160889328ce2e8e97aa65ea0 upstream.
    
    Second interrupt is needed only when touchscreen mode is used, so don't
    request it unconditionally. This removes the following annoying warning
    during boot:
    
    exynos-adc 14d10000.adc: error -ENXIO: IRQ index 1 not found
    
    Fixes: 2bb8ad9 ("iio: exynos-adc: add experimental touchscreen support")
    Signed-off-by: Marek Szyprowski <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Cc: <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    mszyprow authored and gregkh committed Nov 8, 2023
    3c1312b
  42. iio: adc: xilinx-xadc: Don't clobber preset voltage/temperature thresholds
    
    commit 8d6b3ea4d9eaca80982442b68a292ce50ce0a135 upstream.
    
    In the probe function, the driver was reading out the thresholds already
    set in the core, which can be configured by the user in the Vivado tools
    when the FPGA image is built. However, it later clobbered those values
    with zero or maximum values. In particular, the overtemperature shutdown
    threshold register was overwritten with the max value, which effectively
    prevents the FPGA from shutting down when the desired threshold was
    reached, potentially risking hardware damage in that case.
    
    Remove this code to leave the preconfigured default threshold values
    intact.
    
    The code was also disabling all alarms regardless of what enable state
    they were left in by the FPGA image, including the overtemperature
    shutdown feature. Leave these bits in their original state so they are
    not unconditionally disabled.
    
    Fixes: bdc8cda ("iio:adc: Add Xilinx XADC driver")
    Signed-off-by: Robert Hancock <[email protected]>
    Acked-by: O'Griofa, Conall <[email protected]>
    Tested-by: O'Griofa, Conall <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Cc: <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    robhancocksed authored and gregkh committed Nov 8, 2023
    70322a4
  43. iio: adc: xilinx-xadc: Correct temperature offset/scale for UltraScale

    commit e2bd8c28b9bd835077eb65715d416d667694a80d upstream.
    
    The driver was previously using offset and scale values for the
    temperature sensor readings which were only valid for 7-series devices.
    Add per-device-type values for offset and scale and set them appropriately
    for each device type.
    
    Note that the values used for the UltraScale family are for UltraScale+
    (i.e. the SYSMONE4 primitive) using the internal reference, as that seems
    to be the most common configuration and the device tree values Xilinx's
    device tree generator produces don't seem to give us anything to tell us
    which configuration is used. However, the differences within the UltraScale
    family seem fairly minor and it's closer than using the 7-series values
    instead in any case.
    
    Fixes: c2b7720 ("iio: xilinx-xadc: Add basic support for Ultrascale System Monitor")
    Signed-off-by: Robert Hancock <[email protected]>
    Acked-by: O'Griofa, Conall <[email protected]>
    Tested-by: O'Griofa, Conall <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Cc: <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    robhancocksed authored and gregkh committed Nov 8, 2023
    eace761
  44. i2c: muxes: i2c-mux-pinctrl: Use of_get_i2c_adapter_by_node()

    commit 3171d37b58a76e1febbf3f4af2d06234a98cf88b upstream.
    
    i2c-mux-pinctrl uses the pair of_find_i2c_adapter_by_node() /
    i2c_put_adapter(). This pair alone is not correct to properly lock the
    I2C parent adapter.
    
    Indeed, i2c_put_adapter() decrements the module refcount while
    of_find_i2c_adapter_by_node() does not increment it. This leads to an
    underflow of the parent module refcount.
    
    Use the dedicated function, of_get_i2c_adapter_by_node(), to handle
    correctly the module refcount.
    
    Fixes: c4aee3e ("i2c: mux: pinctrl: remove platform_data")
    Signed-off-by: Herve Codina <[email protected]>
    Cc: [email protected]
    Acked-by: Peter Rosin <[email protected]>
    Reviewed-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Wolfram Sang <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    hcodina authored and gregkh committed Nov 8, 2023
    cb65e69
  45. i2c: muxes: i2c-mux-gpmux: Use of_get_i2c_adapter_by_node()

    commit 3dc0ec46f6e7511fc4fdf6b6cda439382bc957f1 upstream.
    
    i2c-mux-gpmux uses the pair of_find_i2c_adapter_by_node() /
    i2c_put_adapter(). This pair alone is not correct to properly lock the
    I2C parent adapter.
    
    Indeed, i2c_put_adapter() decrements the module refcount while
    of_find_i2c_adapter_by_node() does not increment it. This leads to an
    underflow of the parent module refcount.
    
    Use the dedicated function, of_get_i2c_adapter_by_node(), to handle
    correctly the module refcount.
    
    Fixes: ac8498f ("i2c: i2c-mux-gpmux: new driver")
    Signed-off-by: Herve Codina <[email protected]>
    Cc: [email protected]
    Acked-by: Peter Rosin <[email protected]>
    Reviewed-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Wolfram Sang <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    hcodina authored and gregkh committed Nov 8, 2023
    48b58f7
  46. i2c: muxes: i2c-demux-pinctrl: Use of_get_i2c_adapter_by_node()

    commit 0fb118de5003028ad092a4e66fc6d07b86c3bc94 upstream.
    
    i2c-demux-pinctrl uses the pair of_find_i2c_adapter_by_node() /
    i2c_put_adapter(). This pair alone is not correct to properly lock the
    I2C parent adapter.
    
    Indeed, i2c_put_adapter() decrements the module refcount while
    of_find_i2c_adapter_by_node() does not increment it. This leads to an
    underflow of the parent module refcount.
    
    Use the dedicated function, of_get_i2c_adapter_by_node(), to handle
    correctly the module refcount.
    
    Fixes: 50a5ba8 ("i2c: mux: demux-pinctrl: add driver")
    Signed-off-by: Herve Codina <[email protected]>
    Cc: [email protected]
    Acked-by: Peter Rosin <[email protected]>
    Reviewed-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Wolfram Sang <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    hcodina authored and gregkh committed Nov 8, 2023
    2766a87
  47. i2c: stm32f7: Fix PEC handling in case of SMBUS transfers

    commit c896ff2dd8f30a6b0a922c83a96f6d43f05f0e92 upstream.
    
    In case of SMBUS byte read with PEC enabled, the whole transfer
    is split into two commands.  A first write command, followed by
    a read command.  The write command does not have any PEC byte
    and a PEC byte is appended at the end of the read command.
    (cf Read byte protocol with PEC in SMBUS specification)
    
    Within the STM32 I2C controller, handling (either sending
    or receiving) of the PEC byte is done via the PECBYTE bit in
    register CR2.
    
    Currently, the PECBYTE is set at the beginning of a transfer,
    which leads to sending a PEC byte at the end of the write command
    (hence losing the real last byte), and also does not check the
    PEC byte received during the read command.
    
    This patch corrects the function stm32f7_i2c_smbus_xfer_msg
    in order to only set the PECBYTE during the read command.
    
    Fixes: 9e48155 ("i2c: i2c-stm32f7: Add initial SMBus protocols support")
    Signed-off-by: Alain Volmat <[email protected]>
    Reviewed-by: Pierre-Yves MORDRET <[email protected]>
    Acked-by: Andi Shyti <[email protected]>
    Signed-off-by: Wolfram Sang <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Alain Volmat authored and gregkh committed Nov 8, 2023
    e97d374
  48. i2c: aspeed: Fix i2c bus hang in slave read

    commit 54f1840ddee9bbdc8dd89fbbfdfa632401244146 upstream.
    
    When the `CONFIG_I2C_SLAVE` option is enabled and the device operates
    as a slave, a situation arises where the master sends a START signal
    without the accompanying STOP signal. This action results in a
    persistent I2C bus timeout. The core issue stems from the fact that
    the i2c controller remains in a slave read state without a timeout
    mechanism. As a consequence, the bus perpetually experiences timeouts.
    
    In this case, the i2c bus will be reset, but the slave_state reset is
    missing.
    
    Fixes: fee465150b45 ("i2c: aspeed: Reset the i2c controller when timeout occurs")
    Signed-off-by: Jian Zhang <[email protected]>
    Acked-by: Andi Shyti <[email protected]>
    Tested-by: Andrew Jeffery <[email protected]>
    Reviewed-by: Andrew Jeffery <[email protected]>
    Signed-off-by: Wolfram Sang <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    zhangjian3032 authored and gregkh committed Nov 8, 2023
    cdc5709
  49. tracing/kprobes: Fix the description of variable length arguments

    commit e0f831836cead677fb07d54bd6bf499df35640c2 upstream.
    
    Fix the following kernel-doc warnings:
    
    kernel/trace/trace_kprobe.c:1029: warning: Excess function parameter 'args' description in '__kprobe_event_gen_cmd_start'
    kernel/trace/trace_kprobe.c:1097: warning: Excess function parameter 'args' description in '__kprobe_event_add_fields'
    
    Refer to the usage of variable length arguments elsewhere in the kernel
    code, "@..." is the proper way to express it in the description.
    
    Link: https://lore.kernel.org/all/[email protected]/
    
    Fixes: 2a588dd ("tracing: Add kprobe event command generation functions")
    Reported-by: kernel test robot <[email protected]>
    Closes: https://lore.kernel.org/oe-kbuild-all/[email protected]/
    Signed-off-by: Yujie Liu <[email protected]>
    Reviewed-by: Mukesh Ojha <[email protected]>
    Acked-by: Masami Hiramatsu (Google) <[email protected]>
    Signed-off-by: Masami Hiramatsu (Google) <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Yujie-Liu authored and gregkh committed Nov 8, 2023
    c4957f0
  50. misc: fastrpc: Clean buffers on remote invocation failures

    commit 1c8093591d1e372d700fe65423e7315a8ecf721b upstream.
    
    With current design, buffers and dma handles are not freed in case
    of remote invocation failures returned from DSP. This could result
    in buffer leakings and dma handle pointing to wrong memory in the
    fastrpc kernel. Adding changes to clean buffers and dma handles
    even when remote invocation to DSP returns failures.
    
    Fixes: c68cfb7 ("misc: fastrpc: Add support for context Invoke method")
    Cc: stable <[email protected]>
    Signed-off-by: Ekansh Gupta <[email protected]>
    Signed-off-by: Srinivas Kandagatla <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    quic-ekangupt authored and gregkh committed Nov 8, 2023
    e0f95b8
  51. nvmem: imx: correct nregs for i.MX6ULL

    commit 2382c1b044231fd49eaf9aa82bc7113fc55487b8 upstream.
    
    The nregs for i.MX6ULL should be 80 per fuse map, correct it.
    
    Fixes: ffbc34b ("nvmem: imx-ocotp: Implement i.MX6ULL/ULZ support")
    Cc: [email protected]
    Signed-off-by: Peng Fan <[email protected]>
    Signed-off-by: Srinivas Kandagatla <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    MrVan authored and gregkh committed Nov 8, 2023
    6e22bf6
  52. nvmem: imx: correct nregs for i.MX6SLL

    commit 414a98abbefd82d591f4e2d1efd2917bcd3b6f6d upstream.
    
    The nregs for i.MX6SLL should be 80 per fuse map, correct it.
    
    Fixes: 6da2782 ("nvmem: imx-ocotp: add support for imx6sll")
    Cc: [email protected]
    Signed-off-by: Peng Fan <[email protected]>
    Signed-off-by: Srinivas Kandagatla <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    MrVan authored and gregkh committed Nov 8, 2023
    0c29481
  53. nvmem: imx: correct nregs for i.MX6UL

    commit 7d6e10f5d254681983b53d979422c8de3fadbefb upstream.
    
    The nregs for i.MX6UL should be 144 per fuse map, correct it.
    
    Fixes: 4aa2b48 ("nvmem: octop: Add support for imx6ul")
    Cc: [email protected]
    Signed-off-by: Peng Fan <[email protected]>
    Signed-off-by: Srinivas Kandagatla <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    MrVan authored and gregkh committed Nov 8, 2023
    6efd498
  54. perf/core: Fix potential NULL deref

    commit a71ef31485bb51b846e8db8b3a35e432cc15afb5 upstream.
    
    Smatch is awesome.
    
    Fixes: 32671e3799ca ("perf: Disallow mis-matched inherited group reads")
    Reported-by: Dan Carpenter <[email protected]>
    Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
    Signed-off-by: Ingo Molnar <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Peter Zijlstra authored and gregkh committed Nov 8, 2023
    21b07a2
  55. sparc32: fix a braino in fault handling in csum_and_copy_..._user()

    commit 1f36cd05e0081f2c75769a551d584c4ffb2a5660 upstream.
    
    Fault handler used to make non-trivial calls, so it needed
    to set a stack frame up.  Used to be
    	save ... - grab a stack frame, old %o... become %i...
    	....
    	ret	- go back to address originally in %o7, currently %i7
    	 restore - switch to previous stack frame, in delay slot
    Non-trivial calls had been gone since ab5e8b3 and that code should
    have become
    	retl	- go back to address in %o7
    	 clr %o0 - have return value set to 0
    What it had become instead was
    	ret	- go back to address in %i7 - return address of *caller*
    	 clr %o0 - have return value set to 0
    which is not good, to put it mildly - we forcibly return 0 from
    csum_and_copy_{from,to}_iter() (which is what the call of that
    thing had been inlined into) and do that without dropping the
    stack frame of said csum_and_copy_..._iter().  Confuses the
    hell out of the caller of csum_and_copy_..._iter(), obviously...
    
    Reviewed-by: Sam Ravnborg <[email protected]>
    Fixes: ab5e8b3 "sparc32: propagate the calling conventions change down to __csum_partial_copy_sparc_generic()"
    Signed-off-by: Al Viro <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Al Viro authored and gregkh committed Nov 8, 2023
    c27ca4a
  56. clk: Sanitize possible_parent_show to Handle Return Value of of_clk_get_parent_name

    commit ceb87a361d0b079ecbc7d2831618c19087f304a9 upstream.
    
    In the possible_parent_show function, ensure proper handling of the return
    value from of_clk_get_parent_name to prevent potential issues arising from
    a NULL return.
    The current implementation invokes seq_puts directly on the result of
    of_clk_get_parent_name without verifying the return value, which can lead
    to kernel panic if the function returns NULL.
    
    This patch addresses the concern by introducing a check on the return
    value of of_clk_get_parent_name. If the return value is not NULL, the
    function proceeds to call seq_puts, providing the returned value as
    argument.
    However, if of_clk_get_parent_name returns NULL, the function provides a
    static string as argument, avoiding the panic.
    
    Fixes: 1ccc0dd ("clk: Use seq_puts() in possible_parent_show()")
    Reported-by: Philip Daly <[email protected]>
    Signed-off-by: Alessandro Carminati (Red Hat) <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Stephen Boyd <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    alessandrocarminati authored and gregkh committed Nov 8, 2023
    27dd09f
  57. iio: afe: rescale: reorder includes

    [ Upstream commit cd717ac6f69db4953ca701c6220c7cb58e17f35a ]
    
    Includes should be ordered alphabetically which is already the case,
    but follow what is done in other drivers by separating IIO specific
    headers with a blank line.
    
    Signed-off-by: Liam Beguin <[email protected]>
    Reviewed-by: Andy Shevchenko <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jonathan Cameron <[email protected]>
    Stable-dep-of: bee448390e51 ("iio: afe: rescale: Accept only offset channels")
    Signed-off-by: Sasha Levin <[email protected]>
    liambeguin authored and gregkh committed Nov 8, 2023
    c606715
  58. iio: afe: rescale: expose scale processing function

    [ Upstream commit bc437f7515f5e14aec9f2801412d9ea48116a97d ]
    
    In preparation for the addition of kunit tests, expose the logic
    responsible for combining channel scales.
    
    Signed-off-by: Liam Beguin <[email protected]>
    Reviewed-by: Peter Rosin <[email protected]>
    Reviewed-by: Andy Shevchenko <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jonathan Cameron <[email protected]>
    Stable-dep-of: bee448390e51 ("iio: afe: rescale: Accept only offset channels")
    Signed-off-by: Sasha Levin <[email protected]>
    liambeguin authored and gregkh committed Nov 8, 2023
    7c76b7d
  59. iio: afe: rescale: add offset support

    [ Upstream commit a29c3283653b80b916c5ca5292c5d36415e38e92 ]
    
    This is a preparatory change required for the addition of temperature
    sensing front ends.
    
    Signed-off-by: Liam Beguin <[email protected]>
    Reviewed-by: Peter Rosin <[email protected]>
    Reviewed-by: Andy Shevchenko <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jonathan Cameron <[email protected]>
    Stable-dep-of: bee448390e51 ("iio: afe: rescale: Accept only offset channels")
    Signed-off-by: Sasha Levin <[email protected]>
    liambeguin authored and gregkh committed Nov 8, 2023
    c1eeb49
  60. iio: afe: rescale: Accept only offset channels

    [ Upstream commit bee448390e5166d019e9e037194d487ee94399d9 ]
    
    As noted by Jonathan Cameron: it is perfectly legal for a channel
    to have an offset but no scale in addition to the raw interface.
    The conversion will imply that scale is 1:1.
    
    Make rescale_configure_channel() accept just scale, or just offset
    to process a channel.
    
    When a user asks for IIO_CHAN_INFO_OFFSET in rescale_read_raw()
    we now have to deal with the fact that OFFSET could be present
    but SCALE missing. Add code to simply scale 1:1 in this case.
    
    Link: https://lore.kernel.org/linux-iio/CACRpkdZXBjHU4t-GVOCFxRO-AHGxKnxMeHD2s4Y4PuC29gBq6g@mail.gmail.com/
    Fixes: 53ebee9 ("iio: afe: iio-rescale: Support processed channels")
    Fixes: 9decacd8b3a4 ("iio: afe: rescale: Fix boolean logic bug")
    Reported-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Linus Walleij <[email protected]>
    Reviewed-by: Peter Rosin <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Cc: <[email protected]>
    Signed-off-by: Jonathan Cameron <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    linusw authored and gregkh committed Nov 8, 2023
    8b424bd
  61. gve: Fix GFP flags when allocing pages

    [ Upstream commit a92f7a6feeb3884c69c1c7c1f13bccecb2228ad0 ]
    
    Use GFP_ATOMIC when allocating pages out of the hotpath,
    continue to use GFP_KERNEL when allocating pages during setup.
    
    GFP_KERNEL will allow blocking which allows it to succeed
    more often in a low memory environment but in the hotpath we do
    not want to allow the allocation to block.
    
    Fixes: f5cedc8 ("gve: Add transmit and receive support")
    Signed-off-by: Catherine Sullivan <[email protected]>
    Signed-off-by: David Awogbemila <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jakub Kicinski <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    shailend-g authored and gregkh committed Nov 8, 2023
    77db87c
  62. x86/i8259: Skip probing when ACPI/MADT advertises PCAT compatibility

    commit 128b0c9781c9f2651bea163cb85e52a6c7be0f9e upstream.
    
    David and a few others reported that on certain newer systems some legacy
    interrupts fail to work correctly.
    
    Debugging revealed that the BIOS of these systems leaves the legacy PIC in
    uninitialized state which makes the PIC detection fail and the kernel
    switches to a dummy implementation.
    
    Unfortunately this fallback causes quite some code to fail as it depends on
    checks for the number of legacy PIC interrupts or the availability of the
    real PIC.
    
    In theory there is no reason to use the PIC on any modern system when
    IO/APIC is available, but the dependencies on the related checks cannot be
    resolved trivially and on short notice. This needs lots of analysis and
    rework.
    
    The PIC detection has been added to avoid quirky checks and force selection
    of the dummy implementation all over the place, especially in VM guest
    scenarios. So it's not an option to revert the relevant commit as that
    would break a lot of other scenarios.
    
    One solution would be to try to initialize the PIC on detection fail and
    retry the detection, but that puts the burden on everything which does not
    have a PIC.
    
    Fortunately the ACPI/MADT table header has a flag field, which advertises
    in bit 0 that the system is PCAT compatible, which means it has a legacy
    8259 PIC.
    
    Evaluate that bit and if set avoid the detection routine and keep the real
    PIC installed, which then gets initialized (for nothing) and makes the rest
    of the code with all the dependencies work again.
    
    Fixes: e179f69 ("x86, irq, pic: Probe for legacy PIC and set legacy_pic appropriately")
    Reported-by: David Lazar <[email protected]>
    Signed-off-by: Thomas Gleixner <[email protected]>
    Tested-by: David Lazar <[email protected]>
    Reviewed-by: Hans de Goede <[email protected]>
    Reviewed-by: Mario Limonciello <[email protected]>
    Cc: [email protected]
    Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218003
    Link: https://lore.kernel.org/r/875y2u5s8g.ffs@tglx
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    KAGA-KOKO authored and gregkh committed Nov 8, 2023
    897b56a
  63. x86/mm: Simplify RESERVE_BRK()

    commit a1e2c031ec3949b8c039b739c0b5bf9c30007b00 upstream.
    
    RESERVE_BRK() reserves data in the .brk_reservation section.  The data
    is initialized to zero, like BSS, so the macro specifies 'nobits' to
    prevent the data from taking up space in the vmlinux binary.  The only
    way to get the compiler to do that (without putting the variable in .bss
    proper) is to use inline asm.
    
    The macro also has a hack which encloses the inline asm in a discarded
    function, which allows the size to be passed (global inline asm doesn't
    allow inputs).
    
    Remove the need for the discarded function hack by just stringifying the
    size rather than supplying it as an input to the inline asm.
    
    Signed-off-by: Josh Poimboeuf <[email protected]>
    Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
    Signed-off-by: Borislav Petkov <[email protected]>
    Reviewed-by: Borislav Petkov <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    [nathan: Resolve conflict due to lack of 2b6ff7dea670]
    Signed-off-by: Nathan Chancellor <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    jpoimboe authored and gregkh committed Nov 8, 2023
    d3201c7
  64. x86/mm: Fix RESERVE_BRK() for older binutils

    commit e32683c6f7d22ba624e0bfc58b02cf3348bdca63 upstream.
    
    With binutils 2.26, RESERVE_BRK() causes a build failure:
    
      /tmp/ccnGOKZ5.s: Assembler messages:
      /tmp/ccnGOKZ5.s:98: Error: missing ')'
      /tmp/ccnGOKZ5.s:98: Error: missing ')'
      /tmp/ccnGOKZ5.s:98: Error: missing ')'
      /tmp/ccnGOKZ5.s:98: Error: junk at end of line, first unrecognized
      character is `U'
    
    The problem is this line:
    
      RESERVE_BRK(early_pgt_alloc, INIT_PGT_BUF_SIZE)
    
    Specifically, the INIT_PGT_BUF_SIZE macro which (via PAGE_SIZE's use of
    _AC()) has a "1UL", which makes older versions of the assembler unhappy.
    Unfortunately the _AC() macro doesn't work for inline asm.
    
    Inline asm was only needed here to convince the toolchain to add the
    STT_NOBITS flag.  However, if a C variable is placed in a section whose
    name is prefixed with ".bss", GCC and Clang automatically set
    STT_NOBITS.  In fact, ".bss..page_aligned" already relies on this trick.
    
    So fix the build failure (and simplify the macro) by allocating the
    variable in C.
    
    Also, add NOLOAD to the ".brk" output section clause in the linker
    script.  This is a failsafe in case the ".bss" prefix magic trick ever
    stops working somehow.  If there's a section type mismatch, the GNU
    linker will force the ".brk" output section to be STT_NOBITS.  The LLVM
    linker will fail with a "section type mismatch" error.
    
    Note this also changes the name of the variable from .brk.##name to
    __brk_##name.  The variable names aren't actually used anywhere, so it's
    harmless.
    
    Fixes: a1e2c031ec39 ("x86/mm: Simplify RESERVE_BRK()")
    Reported-by: Joe Damato <[email protected]>
    Reported-by: Byungchul Park <[email protected]>
    Signed-off-by: Josh Poimboeuf <[email protected]>
    Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
    Tested-by: Joe Damato <[email protected]>
    Link: https://lore.kernel.org/r/22d07a44c80d8e8e1e82b9a806ddc8c6bbb2606e.1654759036.git.jpoimboe@kernel.org
    Signed-off-by: Nathan Chancellor <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    jpoimboe authored and gregkh committed Nov 8, 2023
    9e78e77
  65. ext4: add two helper functions extent_logical_end() and pa_logical_end()

    commit 43bbddc067883d94de7a43d5756a295439fbe37d upstream.
    
    When we use lstart + len to calculate the end of free extent or prealloc
    space, it may exceed the maximum value of 4294967295(0xffffffff) supported
    by ext4_lblk_t and cause overflow, which may lead to various problems.
    
    Therefore, we add two helper functions, extent_logical_end() and
    pa_logical_end(), to limit the type of end to loff_t, and also convert
    lstart to loff_t for calculation to avoid overflow.
    
    Signed-off-by: Baokun Li <[email protected]>
    Reviewed-by: Ritesh Harjani (IBM) <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Theodore Ts'o <[email protected]>
    Signed-off-by: Baokun Li <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    LiBaokun96 authored and gregkh committed Nov 8, 2023
    7a99272
  66. ext4: fix BUG in ext4_mb_new_inode_pa() due to overflow

    commit bc056e7163ac7db945366de219745cf94f32a3e6 upstream.
    
    When we calculate the end position of ext4_free_extent, this position may
    be exactly where ext4_lblk_t (i.e. uint) overflows. For example, if
    ac_g_ex.fe_logical is 4294965248 and ac_orig_goal_len is 2048, then the
    computed end is 0x100000000, which is 0. If ac->ac_o_ex.fe_logical is not
    the first case of adjusting the best extent, that is, new_bex_end > 0, the
    following BUG_ON will be triggered:
    
    =========================================================
    kernel BUG at fs/ext4/mballoc.c:5116!
    invalid opcode: 0000 [#1] PREEMPT SMP PTI
    CPU: 3 PID: 673 Comm: xfs_io Tainted: G E 6.5.0-rc1+ #279
    RIP: 0010:ext4_mb_new_inode_pa+0xc5/0x430
    Call Trace:
     <TASK>
     ext4_mb_use_best_found+0x203/0x2f0
     ext4_mb_try_best_found+0x163/0x240
     ext4_mb_regular_allocator+0x158/0x1550
     ext4_mb_new_blocks+0x86a/0xe10
     ext4_ext_map_blocks+0xb0c/0x13a0
     ext4_map_blocks+0x2cd/0x8f0
     ext4_iomap_begin+0x27b/0x400
     iomap_iter+0x222/0x3d0
     __iomap_dio_rw+0x243/0xcb0
     iomap_dio_rw+0x16/0x80
    =========================================================
    
    A simple reproducer demonstrating the problem:
    
    	mkfs.ext4 -F /dev/sda -b 4096 100M
    	mount /dev/sda /tmp/test
    	fallocate -l1M /tmp/test/tmp
    	fallocate -l10M /tmp/test/file
    	fallocate -i -o 1M -l16777203M /tmp/test/file
    	fsstress -d /tmp/test -l 0 -n 100000 -p 8 &
    	sleep 10 && killall -9 fsstress
    	rm -f /tmp/test/tmp
    	xfs_io -c "open -ad /tmp/test/file" -c "pwrite -S 0xff 0 8192"
    
    We simply refactor the logic for adjusting the best extent by adding
    a temporary ext4_free_extent ex and use extent_logical_end() to avoid
    overflow, which also simplifies the code.
    
    Cc: [email protected] # 6.4
    Fixes: 93cdf49f6eca ("ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa()")
    Signed-off-by: Baokun Li <[email protected]>
    Reviewed-by: Ritesh Harjani (IBM) <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Theodore Ts'o <[email protected]>
    Signed-off-by: Baokun Li <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    LiBaokun96 authored and gregkh committed Nov 8, 2023
    f2c3a3a
  67. ext4: avoid overlapping preallocations due to overflow

    commit bedc5d34632c21b5adb8ca7143d4c1f794507e4c upstream.
    
    Let's say we want to allocate 2 blocks starting from 4294966386, after
    predicting the file size, start is aligned to 4294965248, len is changed
    to 2048, then end = start + size = 0x100000000. Since end is of
    type ext4_lblk_t, i.e. uint, end is truncated to 0.
    
    This causes (pa->pa_lstart >= end) to always hold when checking if the
    current extent to be allocated crosses already preallocated blocks, so the
    resulting ac_g_ex may cross already preallocated blocks. Hence we convert
    the end type to loff_t and use pa_logical_end() to avoid overflow.
    
    Signed-off-by: Baokun Li <[email protected]>
    Reviewed-by: Ritesh Harjani (IBM) <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Theodore Ts'o <[email protected]>
    Signed-off-by: Baokun Li <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    LiBaokun96 authored and gregkh committed Nov 8, 2023
    f031e15
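
The 32-bit wrap-around described in the two ext4 commits above, reproduced as an added userspace example (not code from the kernel or from these commits). The types `lblk_t` and `wide_t`, the `struct extent` layout, the function names and the `prealloc` sample are assumptions of this example; the `goal` values are the numbers quoted in the commit messages.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Userspace stand-ins (assumptions of this example, not kernel definitions):
 * lblk_t models ext4_lblk_t, a 32-bit unsigned logical block number;
 * wide_t models loff_t, a signed 64-bit offset.
 */
typedef uint32_t lblk_t;
typedef int64_t wide_t;

/* Simplified extent: first logical block and length in blocks. */
struct extent {
    lblk_t start;
    uint32_t len;
};

/* Values quoted in the commit messages: start 4294965248, len 2048. */
static const struct extent goal = { 4294965248u, 2048u };
/* Constructed sample: an existing preallocation inside the goal range. */
static const struct extent prealloc = { 4294966000u, 100u };
/* Constructed sample: a pair far away from the 32-bit limit. */
static const struct extent low_goal = { 100u, 50u };
static const struct extent low_prealloc = { 120u, 10u };

/* End computed in the 32-bit type: wraps modulo 2^32. */
static lblk_t end_narrow(const struct extent *e)
{
    return (lblk_t)(e->start + e->len);
}

/* End computed after widening the start, as the helper commits describe. */
static wide_t end_wide(const struct extent *e)
{
    return (wide_t)e->start + e->len;
}

/* Overlap test using the wrapped end: "pa->start >= end" holds whenever end is 0. */
static int overlaps_narrow(const struct extent *g, const struct extent *pa)
{
    lblk_t g_end = end_narrow(g);
    lblk_t pa_end = end_narrow(pa);

    if (pa->start >= g_end || pa_end <= g->start)
        return 0;
    return 1;
}

/* Same test with 64-bit ends: the comparison sees the real end of the range. */
static int overlaps_wide(const struct extent *g, const struct extent *pa)
{
    wide_t g_end = end_wide(g);
    wide_t pa_end = end_wide(pa);

    if ((wide_t)pa->start >= g_end || pa_end <= (wide_t)g->start)
        return 0;
    return 1;
}

int main(void)
{
    printf("narrow end: %lu\n", (unsigned long)end_narrow(&goal));
    printf("wide end:   %lld\n", (long long)end_wide(&goal));
    printf("overlap seen with narrow end: %d\n", overlaps_narrow(&goal, &prealloc));
    printf("overlap seen with wide end:   %d\n", overlaps_wide(&goal, &prealloc));
    return 0;
}
```

Away from the 32-bit limit both checks agree, which is why the defect only shows up for extents ending at or beyond block 2^32.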
  68. objtool/x86: add missing embedded_insn check

    When dbf460087755 ("objtool/x86: Fixup frame-pointer vs rethunk")
    was backported to some stable branches, the check for dest->embedded_insn
    in is_special_call() was missed.  The result is that the warning it
    was intended to suppress still appears.  For example on 6.1 (on kernels
    before 6.1, the '-s' argument would instead be 'check'):
    
    $ tools/objtool/objtool -s arch/x86/lib/retpoline.o
    arch/x86/lib/retpoline.o: warning: objtool: srso_untrain_ret+0xd:
        call without frame pointer save/setup
    
    With this patch, the warning is correctly suppressed, and the
    kernel still passes the normal Google kernel developer tests.
    
    Signed-off-by: John Sperbeck <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    John Sperbeck authored and gregkh committed Nov 8, 2023
    37ffa42
  69. driver: platform: Add helper for safer setting of driver_override

    commit 6c2f421174273de8f83cde4286d1c076d43a2d35 upstream.
    
    Several core drivers and buses expect that driver_override is a
    dynamically allocated memory thus later they can kfree() it.
    
    However such assumption is not documented, there were in the past and
    there are already users setting it to a string literal. This leads to
    kfree() of static memory during device release (e.g. in error paths or
    during unbind):
    
        kernel BUG at ../mm/slub.c:3960!
        Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM
        ...
        (kfree) from [<c058da50>] (platform_device_release+0x88/0xb4)
        (platform_device_release) from [<c0585be0>] (device_release+0x2c/0x90)
        (device_release) from [<c0a69050>] (kobject_put+0xec/0x20c)
        (kobject_put) from [<c0f2f120>] (exynos5_clk_probe+0x154/0x18c)
        (exynos5_clk_probe) from [<c058de70>] (platform_drv_probe+0x6c/0xa4)
        (platform_drv_probe) from [<c058b7ac>] (really_probe+0x280/0x414)
        (really_probe) from [<c058baf4>] (driver_probe_device+0x78/0x1c4)
        (driver_probe_device) from [<c0589854>] (bus_for_each_drv+0x74/0xb8)
        (bus_for_each_drv) from [<c058b48c>] (__device_attach+0xd4/0x16c)
        (__device_attach) from [<c058a638>] (bus_probe_device+0x88/0x90)
        (bus_probe_device) from [<c05871fc>] (device_add+0x3dc/0x62c)
        (device_add) from [<c075ff10>] (of_platform_device_create_pdata+0x94/0xbc)
        (of_platform_device_create_pdata) from [<c07600ec>] (of_platform_bus_create+0x1a8/0x4fc)
        (of_platform_bus_create) from [<c0760150>] (of_platform_bus_create+0x20c/0x4fc)
        (of_platform_bus_create) from [<c07605f0>] (of_platform_populate+0x84/0x118)
        (of_platform_populate) from [<c0f3c964>] (of_platform_default_populate_init+0xa0/0xb8)
        (of_platform_default_populate_init) from [<c01031f8>] (do_one_initcall+0x8c/0x404)
    
    Provide a helper which clearly documents the usage of driver_override.
    This will allow later to reuse the helper and reduce the amount of
    duplicated code.
    
    Convert the platform driver to use a new helper and make the
    driver_override field const char (it is not modified by the core).
    
    Reviewed-by: Rafael J. Wysocki <[email protected]>
    Acked-by: Rafael J. Wysocki <[email protected]>
    Signed-off-by: Krzysztof Kozlowski <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Signed-off-by: Lee Jones <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    krzk authored and gregkh committed Nov 8, 2023
    389190b
  70. rpmsg: Constify local variable in field store macro

    commit e5f89131a06142e91073b6959d91cea73861d40e upstream.
    
    Memory pointed by variable 'old' in field store macro is not modified,
    so it can be made a pointer to const.
    
    Signed-off-by: Krzysztof Kozlowski <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Signed-off-by: Lee Jones <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    krzk authored and gregkh committed Nov 8, 2023
    5c0da71
  71. rpmsg: Fix kfree() of static memory on setting driver_override

    commit 42cd402b8fd4672b692400fe5f9eecd55d2794ac upstream.
    
    The driver_override field from platform driver should not be initialized
    from static memory (string literal) because the core later kfree() it,
    for example when driver_override is set via sysfs.
    
    Use dedicated helper to set driver_override properly.
    
    Fixes: 950a738 ("rpmsg: Turn name service into a stand alone driver")
    Fixes: c0cdc19 ("rpmsg: Driver for user space endpoint interface")
    Reviewed-by: Bjorn Andersson <[email protected]>
    Signed-off-by: Krzysztof Kozlowski <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Signed-off-by: Lee Jones <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    krzk authored and gregkh committed Nov 8, 2023
    2e76b4f
  72. rpmsg: Fix calling device_lock() on non-initialized device

    commit bb17d110cbf270d5247a6e261c5ad50e362d1675 upstream.
    
    driver_set_override() helper uses device_lock() so it should not be
    called before rpmsg_register_device() (which calls device_register()).
    Effect can be seen with CONFIG_DEBUG_MUTEXES:
    
      DEBUG_LOCKS_WARN_ON(lock->magic != lock)
      WARNING: CPU: 3 PID: 57 at kernel/locking/mutex.c:582 __mutex_lock+0x1ec/0x430
      ...
      Call trace:
       __mutex_lock+0x1ec/0x430
       mutex_lock_nested+0x44/0x50
       driver_set_override+0x124/0x150
       qcom_glink_native_probe+0x30c/0x3b0
       glink_rpm_probe+0x274/0x350
       platform_probe+0x6c/0xe0
       really_probe+0x17c/0x3d0
       __driver_probe_device+0x114/0x190
       driver_probe_device+0x3c/0xf0
       ...
    
    Refactor the rpmsg_register_device() function to use two-step device
    registering (initialization + add) and call driver_set_override() at
    the proper moment.
    
    This moves the code around, so while at it also NULL-ify the
    rpdev->driver_override in the error path to be sure it won't be
    kfree()'d a second time.
    
    Fixes: 42cd402b8fd4 ("rpmsg: Fix kfree() of static memory on setting driver_override")
    Reported-by: Marek Szyprowski <[email protected]>
    Signed-off-by: Krzysztof Kozlowski <[email protected]>
    Tested-by: Marek Szyprowski <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Signed-off-by: Lee Jones <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    krzk authored and gregkh committed Nov 8, 2023
    bfd4a66
  73. rpmsg: glink: Release driver_override

    commit fb80ef67e8ff6a00d3faad4cb348dafdb8eccfd8 upstream.
    
    Upon termination of the rpmsg_device, driver_override needs to be freed
    to avoid leaking the potentially assigned string.
    
    Fixes: 42cd402b8fd4 ("rpmsg: Fix kfree() of static memory on setting driver_override")
    Fixes: 39e4776 ("rpmsg: Add driver_override device attribute for rpmsg_device")
    Reviewed-by: Chris Lew <[email protected]>
    Signed-off-by: Bjorn Andersson <[email protected]>
    Signed-off-by: Bjorn Andersson <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Lee Jones <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    quic-bjorande authored and gregkh committed Nov 8, 2023
    a82e0fd
  74. rpmsg: Fix possible refcount leak in rpmsg_register_device_override()

    commit d7bd416d35121c95fe47330e09a5c04adbc5f928 upstream.
    
    rpmsg_register_device_override needs to call put_device to free vch when
    driver_set_override fails.
    
    Fix this by adding a put_device() to the error path.
    
    Fixes: bb17d110cbf2 ("rpmsg: Fix calling device_lock() on non-initialized device")
    Reviewed-by: Krzysztof Kozlowski <[email protected]>
    Signed-off-by: Hangyu Hua <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Mathieu Poirier <[email protected]>
    Signed-off-by: Lee Jones <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    HBh25Y authored and gregkh committed Nov 8, 2023
    d4c8bf5
  75. x86: Fix .brk attribute in linker script

    commit 7e09ac27f43b382f5fe9bb7c7f4c465ece1f8a23 upstream.
    
    Commit in Fixes added the "NOLOAD" attribute to the .brk section as a
    "failsafe" measure.
    
    Unfortunately, this leads to the linker no longer covering the .brk
    section in a program header, resulting in the kernel loader not knowing
    that the memory for the .brk section must be reserved.
    
    This has led to crashes when loading the kernel as PV dom0 under Xen,
    but other scenarios could be hit by the same problem (e.g. in case an
    uncompressed kernel is used and the initrd is placed directly behind
    it).
    
    So drop the "NOLOAD" attribute. This has been verified to correctly
    cover the .brk section by a program header of the resulting ELF file.
    
    Fixes: e32683c6f7d2 ("x86/mm: Fix RESERVE_BRK() for older binutils")
    Signed-off-by: Juergen Gross <[email protected]>
    Signed-off-by: Borislav Petkov <[email protected]>
    Reviewed-by: Josh Poimboeuf <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    jgross1 authored and gregkh committed Nov 8, 2023
    65fd21a
  76. ASoC: simple-card: fixup asoc_simple_probe() error handling

    [ Upstream commit 41bae58df411f9accf01ea660730649b2fab1dab ]
    
    asoc_simple_probe() is used for both "DT probe" (A) and "platform probe"
    (B). It uses "goto err" in the error case, but that is not needed for
    the "platform probe" case (B). Thus it uses "return" directly there.
    
    	static int asoc_simple_probe(...)
    	{
     ^		if (...) {
     |			...
    (A)			if (ret < 0)
     |				goto err;
     v		} else {
     ^			...
     |			if (ret < 0)
    (B)				return -Exxx;
     v		}
    
    		...
     ^		if (ret < 0)
    (C)			goto err;
     v		...
    
    	err:
    (D)		simple_util_clean_reference(card);
    
    		return ret;
    	}
    
    Both cases use the (C) part, and it calls (D) in the error case.
    But (D) will do nothing for the (B) case.
    Because of this behavior, the current code itself is not wrong,
    but it is confusing, and moreover, static analysis tools will warn on
    the (B) part (should use goto err).
    
    To avoid the static analysis tool warning, this patch uses "goto err"
    on the (B) part.
    
    Reported-by: kernel test robot <[email protected]>
    Reported-by: Dan Carpenter <[email protected]>
    Signed-off-by: Kuninori Morimoto <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    morimoto authored and gregkh committed Nov 8, 2023
    5e78ebe
  77. net: sched: cls_u32: Fix allocation size in u32_init()

    [ Upstream commit c4d49196ceec80e30e8d981410d73331b49b7850 ]
    
    commit d61491a ("net/sched: cls_u32: Replace one-element array
    with flexible-array member") incorrectly replaced an instance of
    `sizeof(*tp_c)` with `struct_size(tp_c, hlist->ht, 1)`. This results
    in an over-allocation of 8 bytes.
    
    This change is wrong because `hlist` in `struct tc_u_common` is a
    pointer:
    
    net/sched/cls_u32.c:
    struct tc_u_common {
            struct tc_u_hnode __rcu *hlist;
            void                    *ptr;
            int                     refcnt;
            struct idr              handle_idr;
            struct hlist_node       hnode;
            long                    knodes;
    };
    
    So, the use of `struct_size()` makes no sense: we don't need to allocate
    any extra space for a flexible-array member. `sizeof(*tp_c)` is just fine.
    
    So, `struct_size(tp_c, hlist->ht, 1)` translates to:
    
    sizeof(*tp_c) + sizeof(tp_c->hlist->ht) ==
    sizeof(struct tc_u_common) + sizeof(struct tc_u_knode *) ==
    						144 + 8  == 0x98 (bytes)
    						     ^^^
    						      |
    						unnecessary extra
    						allocation size
    
    $ pahole -C tc_u_common net/sched/cls_u32.o
    struct tc_u_common {
    	struct tc_u_hnode *        hlist;                /*     0     8 */
    	void *                     ptr;                  /*     8     8 */
    	int                        refcnt;               /*    16     4 */
    
    	/* XXX 4 bytes hole, try to pack */
    
    	struct idr                 handle_idr;           /*    24    96 */
    	/* --- cacheline 1 boundary (64 bytes) was 56 bytes ago --- */
    	struct hlist_node          hnode;                /*   120    16 */
    	/* --- cacheline 2 boundary (128 bytes) was 8 bytes ago --- */
    	long int                   knodes;               /*   136     8 */
    
    	/* size: 144, cachelines: 3, members: 6 */
    	/* sum members: 140, holes: 1, sum holes: 4 */
    	/* last cacheline: 16 bytes */
    };
    
    And with `sizeof(*tp_c)`, we have:
    
    	sizeof(*tp_c) == sizeof(struct tc_u_common) == 144 == 0x90 (bytes)
    
    which is the correct and original allocation size.
    
    Fix this issue by replacing `struct_size(tp_c, hlist->ht, 1)` with
    `sizeof(*tp_c)`, and avoid allocating 8 too many bytes.
    
    The following difference in binary output is expected and reflects the
    desired change:
    
    | net/sched/cls_u32.o
    | @@ -6148,7 +6148,7 @@
    | include/linux/slab.h:599
    |     2cf5:      mov    0x0(%rip),%rdi        # 2cfc <u32_init+0xfc>
    |                        2cf8: R_X86_64_PC32     kmalloc_caches+0xc
    |-    2cfc:      mov    $0x98,%edx
    |+    2cfc:      mov    $0x90,%edx
    
    Reported-by: Alejandro Colomar <[email protected]>
    Closes: https://lore.kernel.org/lkml/[email protected]/
    Signed-off-by: Gustavo A. R. Silva <[email protected]>
    Acked-by: Jamal Hadi Salim <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    GustavoARSilva authored and gregkh committed Nov 8, 2023
    eb99b6e
  78. irqchip/riscv-intc: Mark all INTC nodes as initialized

    [ Upstream commit e13cd66bd821be417c498a34928652db4ac6b436 ]
    
    The RISC-V INTC local interrupts are per-HART (or per-CPU) so we
    create INTC IRQ domain only for the INTC node belonging to the boot
    HART. This means only the boot HART INTC node will be marked as
    initialized and other INTC nodes won't be marked, which results in
    downstream interrupt controllers (such as PLIC, IMSIC and APLIC
    direct-mode) not being probed due to missing device suppliers.
    
    To address this issue, we mark all INTC nodes for which we don't
    create an IRQ domain as initialized.
    
    Reported-by: Dmitry Dunaev <[email protected]>
    Signed-off-by: Anup Patel <[email protected]>
    Signed-off-by: Marc Zyngier <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>
    avpatel authored and gregkh committed Nov 8, 2023
    c57aef9
  79. irqchip/stm32-exti: add missing DT IRQ flag translation

    [ Upstream commit 8554cba1d6dbd3c74e0549e28ddbaccbb1d6b30a ]
    
    The STM32F4/7 EXTI driver was missing the xlate callback, so IRQ trigger
    flags specified in the device tree were being ignored. This was
    preventing the RTC alarm interrupt from working, because it must be set
    to trigger on the rising edge to function correctly.
    
    Signed-off-by: Ben Wolsieffer <[email protected]>
    Signed-off-by: Marc Zyngier <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>
    lopsided98 authored and gregkh committed Nov 8, 2023
    39d2c10
  80. dmaengine: ste_dma40: Fix PM disable depth imbalance in d40_probe

    [ Upstream commit 0618c077a8c20e8c81e367988f70f7e32bb5a717 ]
    
    The pm_runtime_enable will increase power disable depth. Thus
    a pairing decrement is needed on the error handling path to
    keep it balanced according to context.
    We fix it by calling pm_runtime_disable when an error is returned.
    
    Signed-off-by: Zhang Shurong <[email protected]>
    Reviewed-by: Linus Walleij <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Vinod Koul <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    ZhangShurong authored and gregkh committed Nov 8, 2023
    4bdde4d
  81. powerpc/85xx: Fix math emulation exception

    [ Upstream commit 8e8a12ecbc86700b5e1a3596ce2b3c43dafad336 ]
    
    Booting mpc85xx_defconfig kernel on QEMU leads to:
    
    Bad trap at PC: fe9bab0, SR: 2d000, vector=800
    awk[82]: unhandled trap (5) at 0 nip fe9bab0 lr fe9e01c code 5 in libc-2.27.so[fe5a000+17a000]
    awk[82]: code: 3aa00000 3a800010 4bffe03c 9421fff0 7ca62b78 38a00000 93c10008 83c10008
    awk[82]: code: 38210010 4bffdec8 9421ffc0 7c0802a6 <fc00048e> d8010008 4815190d 93810030
    Trace/breakpoint trap
    WARNING: no useful console
    
    This is because although CONFIG_MATH_EMULATION is selected,
    Exception 800 calls unknown_exception().
    
    Call emulation_assist_interrupt() instead.
    
    Signed-off-by: Christophe Leroy <[email protected]>
    Signed-off-by: Michael Ellerman <[email protected]>
    Link: https://msgid.link/066caa6d9480365da9b8ed83692d7101e10ac5f8.1695657339.git.christophe.leroy@csgroup.eu
    Signed-off-by: Sasha Levin <[email protected]>
    chleroy authored and gregkh committed Nov 8, 2023
    abc62fc
  82. Input: synaptics-rmi4 - handle reset delay when using SMBus trsnsport

    [ Upstream commit 5030b2fe6aab37fe42d14f31842ea38be7c55c57 ]
    
    Touch controllers need some time after receiving reset command for the
    firmware to finish re-initializing and be ready to respond to commands
    from the host. The driver already had handling for the post-reset delay
    for I2C and SPI transports, this change adds the handling to
    SMBus-connected devices.
    
    SMBus devices are peculiar because they implement legacy PS/2
    compatibility mode, so reset is actually issued by psmouse driver on the
    associated serio port, after which the control is passed to the RMI4
    driver with SMBus companion device.
    
    Note that originally the delay was added to psmouse driver in
    92e24e0e57f7 ("Input: psmouse - add delay when deactivating for SMBus
    mode"), but that resulted in an unwanted delay in "fast" reconnect
    handler for the serio port, so it was decided to revert the patch and
    have the delay being handled in the RMI4 driver, similar to the other
    transports.
    
    Tested-by: Jeffery Miller <[email protected]>
    Link: https://lore.kernel.org/r/ZR1yUFJ8a9Zt606N@penguin
    Signed-off-by: Dmitry Torokhov <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    dtor authored and gregkh committed Nov 8, 2023
    afef8af
  83. fbdev: atyfb: only use ioremap_uc() on i386 and ia64

    [ Upstream commit c1a8d1d0edb71dec15c9649cb56866c71c1ecd9e ]
    
    ioremap_uc() is only meaningful on old x86-32 systems with the PAT
    extension, and on ia64 with its slightly unconventional ioremap()
    behavior, everywhere else this is the same as ioremap() anyway.
    
    Change the only driver that still references ioremap_uc() to only do so
    on x86-32/ia64 in order to allow removing that interface at some
    point in the future for the other architectures.
    
    On some architectures, ioremap_uc() just returns NULL, changing
    the driver to call ioremap() means that they now have a chance
    of working correctly.
    
    Signed-off-by: Arnd Bergmann <[email protected]>
    Signed-off-by: Baoquan He <[email protected]>
    Reviewed-by: Luis Chamberlain <[email protected]>
    Cc: Helge Deller <[email protected]>
    Cc: Thomas Zimmermann <[email protected]>
    Cc: Christophe Leroy <[email protected]>
    Cc: [email protected]
    Cc: [email protected]
    Signed-off-by: Helge Deller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    arndb authored and gregkh committed Nov 8, 2023
    738a3ad
  84. fs/ntfs3: Add ckeck in ni_update_parent()

    [ Upstream commit 87d1888aa40f25773fa0b948bcb2545f97e2cb15 ]
    
    Check simple case when parent inode equals current inode.
    
    Signed-off-by: Konstantin Komarov <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    aalexandrovich authored and gregkh committed Nov 8, 2023
    59e629f
  85. fs/ntfs3: Write immediately updated ntfs state

    [ Upstream commit 06ccfb00645990a9fcc14249e6d1c25921ecb836 ]
    
    Signed-off-by: Konstantin Komarov <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    aalexandrovich authored and gregkh committed Nov 8, 2023
    393966e
  86. fs/ntfs3: Use kvmalloc instead of kmalloc(... __GFP_NOWARN)

    [ Upstream commit fc471e39e38fea6677017cbdd6d928088a59fc67 ]
    
    Signed-off-by: Konstantin Komarov <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    aalexandrovich authored and gregkh committed Nov 8, 2023
    962a3d3
  87. fs/ntfs3: Fix possible NULL-ptr-deref in ni_readpage_cmpr()

    [ Upstream commit 32e9212256b88f35466642f9c939bb40cfb2c2de ]
    
    Signed-off-by: Konstantin Komarov <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    aalexandrovich authored and gregkh committed Nov 8, 2023
    2de3283
  88. fs/ntfs3: Fix NULL pointer dereference on error in attr_allocate_frame()

    [ Upstream commit 9c689c8dc86f8ca99bf91c05f24c8bab38fe7d5f ]
    
    Signed-off-by: Konstantin Komarov <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    aalexandrovich authored and gregkh committed Nov 8, 2023
    9452498
  89. fs/ntfs3: Fix directory element type detection

    [ Upstream commit 85a4780dc96ed9dd643bbadf236552b3320fae26 ]
    
    Calling stat() from userspace correctly identified junctions in an NTFS
    partition as symlinks, but using readdir() and iterating through the
    directory containing the same junction did not identify the junction
    as a symlink.
    
    When emitting directory contents, check FILE_ATTRIBUTE_REPARSE_POINT
    attribute to detect junctions and report them as links.
    
    Signed-off-by: Gabriel Marcano <[email protected]>
    Signed-off-by: Konstantin Komarov <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    gemarcano authored and gregkh committed Nov 8, 2023
    27a0bed
  90. fs/ntfs3: Avoid possible memory leak

    [ Upstream commit e4494770a5cad3c9d1d2a65ed15d07656c0d9b82 ]
    
    smatch warn:
    fs/ntfs3/fslog.c:2172 last_log_lsn() warn: possible memory leak of 'page_bufs'
    Jump to label 'out' to free 'page_bufs', which is also more consistent
    with other code.
    
    Signed-off-by: Su Hui <[email protected]>
    Signed-off-by: Konstantin Komarov <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    Su Hui authored and gregkh committed Nov 8, 2023
    64ae128
  91. spi: npcm-fiu: Fix UMA reads when dummy.nbytes == 0

    [ Upstream commit 2ec8b010979036c2fe79a64adb6ecc0bd11e91d1 ]
    
    We don't want to use the value of ilog2(0) as dummy.buswidth is 0 when
    dummy.nbytes is 0. Since we have no dummy bytes, we don't need to
    configure the dummy byte bits per clock register value anyway.
    
    Signed-off-by: "William A. Kennington III" <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    wkennington authored and gregkh committed Nov 8, 2023
    dfcbb98
  92. netfilter: nfnetlink_log: silence bogus compiler warning

    [ Upstream commit 2e1d175410972285333193837a4250a74cd472e6 ]
    
    net/netfilter/nfnetlink_log.c:800:18: warning: variable 'ctinfo' is uninitialized
    
    The warning is bogus, the variable is only used if ct is non-NULL and
    always initialised in that case.  Init to 0 too to silence this.
    
    Reported-by: kernel test robot <[email protected]>
    Closes: https://lore.kernel.org/oe-kbuild-all/[email protected]/
    Signed-off-by: Florian Westphal <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    Florian Westphal authored and gregkh committed Nov 8, 2023
    fa32e21
  93. ASoC: rt5650: fix the wrong result of key button

    [ Upstream commit f88dfbf333b3661faff996bb03af2024d907b76a ]
    
    The RT5650 should enable a power setting for button detection to avoid the wrong result.
    
    Signed-off-by: Shuming Fan <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    shumingfan authored and gregkh committed Nov 8, 2023
    aade33d
  94. drm/ttm: Reorder sys manager cleanup step

    [ Upstream commit 3b401e30c249849d803de6c332dad2a595a58658 ]
    
    With the current cleanup flow, we could trigger a NULL pointer
    dereference if there is a delayed destruction of a BO with a
    system resource that gets executed on drain_workqueue() call,
    as we attempt to free a resource using an already released
    resource manager.
    
    Remove the device from the device list and drain its workqueue
    before releasing the system domain manager in ttm_device_fini().
    
    Signed-off-by: Karolina Stolarek <[email protected]>
    Reviewed-by: Christian König <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    Signed-off-by: Christian König <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    drobnik authored and gregkh committed Nov 8, 2023
    e39440c
  95. fbdev: uvesafb: Call cn_del_callback() at the end of uvesafb_exit()

    [ Upstream commit 1022e7e2f40574c74ed32c3811b03d26b0b81daf ]
    
    Delete the v86d netlink only after all the VBE tasks have been
    completed.
    
    Fixes initial state restore on module unload:
    uvesafb: VBE state restore call failed (eax=0x4f04, err=-19)
    
    Signed-off-by: Jorge Maidana <[email protected]>
    Signed-off-by: Helge Deller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    jorgem-dev authored and gregkh committed Nov 8, 2023
    d48b2e8
  96. scsi: mpt3sas: Fix in error path

    [ Upstream commit e40c04ade0e2f3916b78211d747317843b11ce10 ]
    
    The driver should be deregistered as misc driver after PCI registration
    failure.
    
    Signed-off-by: Tomas Henzl <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Martin K. Petersen <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    thenzl authored and gregkh committed Nov 8, 2023
    db4416e
  97. platform/mellanox: mlxbf-tmfifo: Fix a warning message

    [ Upstream commit 99c09c985e5973c8f0ad976ebae069548dd86f12 ]
    
    This commit fixes the smatch static checker warning in function
    mlxbf_tmfifo_rxtx_word() which complains that data is not initialized
    at line 634 when IS_VRING_DROP() is TRUE.
    
    Signed-off-by: Liming Sun <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Reviewed-by: Hans de Goede <[email protected]>
    Signed-off-by: Hans de Goede <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    lsun100 authored and gregkh committed Nov 8, 2023
    bbc9261
  98. net: chelsio: cxgb4: add an error code check in t4_load_phy_fw

    [ Upstream commit 9f771493da935299c6393ad3563b581255d01a37 ]
    
    t4_set_params_timeout() can return -EINVAL if it fails; add a check
    for this.
    
    Signed-off-by: Su Hui <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    Su Hui authored and gregkh committed Nov 8, 2023
    51cc28c
  99. r8152: Check for unplug in rtl_phy_patch_request()

    [ Upstream commit dc90ba37a8c37042407fa6970b9830890cfe6047 ]
    
    If the adapter is unplugged while we're looping in
    rtl_phy_patch_request() we could end up looping for 10 seconds (2 ms *
    5000 loops). Add code similar to what's done in other places in the
    driver to check for unplug and bail.
    
    Signed-off-by: Douglas Anderson <[email protected]>
    Reviewed-by: Grant Grundler <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    dianders authored and gregkh committed Nov 8, 2023
    78c939a
  100. r8152: Check for unplug in r8153b_ups_en() / r8153c_ups_en()

    [ Upstream commit bc65cc42af737a5a35f83842408ef2c6c79ba025 ]
    
    If the adapter is unplugged while we're looping in r8153b_ups_en() /
    r8153c_ups_en() we could end up looping for 10 seconds (20 ms * 500
    loops). Add code similar to what's done in other places in the driver
    to check for unplug and bail.
    
    Signed-off-by: Douglas Anderson <[email protected]>
    Reviewed-by: Grant Grundler <[email protected]>
    Signed-off-by: David S. Miller <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    dianders authored and gregkh committed Nov 8, 2023
    f0f9986
  101. powerpc/mm: Fix boot crash with FLATMEM

    [ Upstream commit daa9ada2093ed23d52b4c1fe6e13cf78f55cc85f ]
    
    Erhard reported that his G5 was crashing with v6.6-rc kernels:
    
      mpic: Setting up HT PICs workarounds for U3/U4
      BUG: Unable to handle kernel data access at 0xfeffbb62ffec65fe
      Faulting instruction address: 0xc00000000005dc40
      Oops: Kernel access of bad area, sig: 11 [#1]
      BE PAGE_SIZE=4K MMU=Hash SMP NR_CPUS=2 PowerMac
      Modules linked in:
      CPU: 0 PID: 0 Comm: swapper/0 Tainted: G                T  6.6.0-rc3-PMacGS #1
      Hardware name: PowerMac11,2 PPC970MP 0x440101 PowerMac
      NIP:  c00000000005dc40 LR: c000000000066660 CTR: c000000000007730
      REGS: c0000000022bf510 TRAP: 0380   Tainted: G                T (6.6.0-rc3-PMacGS)
      MSR:  9000000000001032 <SF,HV,ME,IR,DR,RI>  CR: 44004242  XER: 00000000
      IRQMASK: 3
      GPR00: 0000000000000000 c0000000022bf7b0 c0000000010c0b00 00000000000001ac
      GPR04: 0000000003c80000 0000000000000300 c0000000f20001ae 0000000000000300
      GPR08: 0000000000000006 feffbb62ffec65ff 0000000000000001 0000000000000000
      GPR12: 9000000000001032 c000000002362000 c000000000f76b80 000000000349ecd8
      GPR16: 0000000002367ba8 0000000002367f08 0000000000000006 0000000000000000
      GPR20: 00000000000001ac c000000000f6f920 c0000000022cd985 000000000000000c
      GPR24: 0000000000000300 00000003b0a3691d c0003e008030000e 0000000000000000
      GPR28: c00000000000000c c0000000f20001ee feffbb62ffec65fe 00000000000001ac
      NIP hash_page_do_lazy_icache+0x50/0x100
      LR  __hash_page_4K+0x420/0x590
      Call Trace:
        hash_page_mm+0x364/0x6f0
        do_hash_fault+0x114/0x2b0
        data_access_common_virt+0x198/0x1f0
      --- interrupt: 300 at mpic_init+0x4bc/0x10c4
      NIP:  c000000002020a5c LR: c000000002020a04 CTR: 0000000000000000
      REGS: c0000000022bf9f0 TRAP: 0300   Tainted: G                T (6.6.0-rc3-PMacGS)
      MSR:  9000000000001032 <SF,HV,ME,IR,DR,RI>  CR: 24004248  XER: 00000000
      DAR: c0003e008030000e DSISR: 40000000 IRQMASK: 1
      ...
      NIP mpic_init+0x4bc/0x10c4
      LR  mpic_init+0x464/0x10c4
      --- interrupt: 300
        pmac_setup_one_mpic+0x258/0x2dc
        pmac_pic_init+0x28c/0x3d8
        init_IRQ+0x90/0x140
        start_kernel+0x57c/0x78c
        start_here_common+0x1c/0x20
    
    A bisect pointed to the breakage beginning with commit 9fee28baa601 ("powerpc:
    implement the new page table range API").
    
    Analysis of the oops pointed to a struct page with a corrupted
    compound_head being loaded via page_folio() -> _compound_head() in
    hash_page_do_lazy_icache().
    
    The access by the mpic code is to an MMIO address, so the expectation
    is that the struct page for that address would be initialised by
    init_unavailable_range(), as pointed out by Aneesh.
    
    Instrumentation showed that was not the case, which eventually led to
    the realisation that pfn_valid() was returning false for that address,
    causing the struct page to not be initialised.
    
    Because the system is using FLATMEM, the version of pfn_valid() in
    memory_model.h is used:
    
    static inline int pfn_valid(unsigned long pfn)
    {
    	...
    	return pfn >= pfn_offset && (pfn - pfn_offset) < max_mapnr;
    }
    
    Which relies on max_mapnr being initialised. Early in boot max_mapnr is
    zero meaning no PFNs are valid.
    
    max_mapnr is initialised in mem_init() called via:
    
      start_kernel()
        mm_core_init()  # init/main.c:928
          mem_init()
    
    But that is too late for the usage in init_unavailable_range() called via:
    
      start_kernel()
        setup_arch()    # init/main.c:893
          paging_init()
            free_area_init()
              init_unavailable_range()
    
    Although max_mapnr is currently set in mem_init(), the value is actually
    already available much earlier, as soon as mem_topology_setup() has
    completed, which is also before paging_init() is called. So move the
    initialisation there, which causes paging_init() to correctly initialise
    the struct page and fixes the bug.
    
    This bug seems to have been lurking for years, but went unnoticed
    because the pre-folio code was inspecting the uninitialised page->flags
    but not dereferencing it.
    
    Thanks to Erhard and Aneesh for help debugging.
    
    Reported-by: Erhard Furtner <[email protected]>
    Closes: https://lore.kernel.org/all/20230929132750.3cd98452@yea/
    Signed-off-by: Michael Ellerman <[email protected]>
    Link: https://msgid.link/[email protected]
    Signed-off-by: Sasha Levin <[email protected]>
    mpe authored and gregkh committed Nov 8, 2023
    6627b96
  102. can: isotp: set max PDU size to 64 kByte

    commit 9c0c191d82a1de964ac953a1df8b5744ec670b07 upstream
    
    The reason to extend the max PDU size from 4095 Byte (12 bit length value)
    to a 32 bit value (up to 4 GByte) was to be able to flash 64 kByte
    bootloaders with a single ISO-TP PDU. The max PDU size in the Linux kernel
    implementation was set to 8200 Bytes to be able to test the length
    information escape sequence.
    
    It turns out that the demand for 64 kByte PDUs is real so the value for
    MAX_MSG_LENGTH is set to 66000 to be able to potentially add some checksums
    to the 65.536 Byte block.
    
    Link: linux-can/can-utils#347 (comment)
    Link: https://lore.kernel.org/all/[email protected]
    Signed-off-by: Oliver Hartkopp <[email protected]>
    Signed-off-by: Marc Kleine-Budde <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    hartkopp authored and gregkh committed Nov 8, 2023
    615c4dd
  103. can: isotp: isotp_bind(): return -EINVAL on incorrect CAN ID formatting

    commit 2aa39889c463195a0dfe2aff9fad413139c32a4f upstream
    
    Commit 3ea566422cbd ("can: isotp: sanitize CAN ID checks in
    isotp_bind()") checks the given CAN ID address information by
    sanitizing the input values.
    
    This check (silently) removes obsolete bits by masking the given CAN
    IDs.
    
    Derek Will suggested to give a feedback to the application programmer
    when the 'sanitizing' was actually needed which means the programmer
    provided CAN ID content in a wrong format (e.g. SFF CAN IDs with a CAN
    ID > 0x7FF).
    
    Link: https://lore.kernel.org/all/[email protected]
    Suggested-by: Derek Will <[email protected]>
    Signed-off-by: Oliver Hartkopp <[email protected]>
    Signed-off-by: Marc Kleine-Budde <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    hartkopp authored and gregkh committed Nov 8, 2023
    f8c3bd2
  104. can: isotp: check CAN address family in isotp_bind()

    commit c6adf659a8ba85913e16a571d5a9bcd17d3d1234 upstream
    
    Add missing check to block non-AF_CAN binds.
    
    Syzbot created some code which matched the right sockaddr struct size
    but used AF_XDP (0x2C) instead of AF_CAN (0x1D) in the address family
    field:
    
    bind$xdp(r2, &(0x7f0000000540)={0x2c, 0x0, r4, 0x0, r2}, 0x10)
                                    ^^^^
    This has no functional impact but the userspace should be notified about
    the wrong address family field content.
    
    Link: https://syzkaller.appspot.com/text?tag=CrashLog&x=11ff9d8c480000
    Reported-by: [email protected]
    Signed-off-by: Oliver Hartkopp <[email protected]>
    Link: https://lore.kernel.org/all/[email protected]
    Signed-off-by: Marc Kleine-Budde <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    hartkopp authored and gregkh committed Nov 8, 2023
    2fc6f33
  105. can: isotp: handle wait_event_interruptible() return values

    commit 823b2e42720f96f277940c37ea438b7c5ead51a4 upstream
    
    When wait_event_interruptible() has been interrupted by a signal the
    tx.state value might not be ISOTP_IDLE. Force the state machines
    into idle state to inhibit the timer handlers to continue working.
    
    Fixes: 866337865f37 ("can: isotp: fix tx state handling for echo tx processing")
    Cc: [email protected]
    Signed-off-by: Oliver Hartkopp <[email protected]>
    Link: https://lore.kernel.org/all/[email protected]
    Signed-off-by: Marc Kleine-Budde <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    hartkopp authored and gregkh committed Nov 8, 2023
    b4e78ea
  106. can: isotp: add local echo tx processing and tx without FC

    commit 4b7fe92c06901f4563af0e36d25223a5ab343782 upstream
    commit 9f39d36530e5678d092d53c5c2c60d82b4dcc169 upstream
    commit 051737439eaee5bdd03d3c2ef5510d54a478fd05 upstream
    
    Due to the existing patch order applied to isotp.c in the stable kernel the
    original order of depending patches the three original patches
    4b7fe92c0690 ("can: isotp: add local echo tx processing for consecutive frames")
    9f39d36530e5 ("can: isotp: add support for transmission without flow control")
    051737439eae ("can: isotp: fix race between isotp_sendsmg() and isotp_release()")
    can not be split into different patches that can be applied in working steps
    to the stable tree.
    
    Signed-off-by: Oliver Hartkopp <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    hartkopp authored and gregkh committed Nov 8, 2023
    e163ad6
  107. can: isotp: isotp_bind(): do not validate unused address information

    commit b76b163f46b661499921a0049982764a6659bfe7 upstream
    
    With commit 2aa39889c463 ("can: isotp: isotp_bind(): return -EINVAL on
    incorrect CAN ID formatting") the bind() syscall returns -EINVAL when
    the given CAN ID needed to be sanitized. But in the case of an unconfirmed
    broadcast mode the rx CAN ID is not needed and may be uninitialized from
    the caller - which is ok.
    
    This patch makes sure the result of an improper CAN ID format is only
    provided when the address information is needed.
    
    Link: https://lore.kernel.org/all/[email protected]
    Signed-off-by: Oliver Hartkopp <[email protected]>
    Signed-off-by: Marc Kleine-Budde <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    hartkopp authored and gregkh committed Nov 8, 2023
    d72ff64
  108. can: isotp: isotp_sendmsg(): fix TX state detection and wait behavior

    From: Lukas Magel <[email protected]>
    
    [ Upstream commit d9c2ba65e651467de739324d978b04ed8729f483 ]
    
    With patch [1], isotp_poll was updated to also queue the poller in the
    so->wait queue, which is used for send state changes. Since the queue
    now also contains polling tasks that are not interested in sending, the
    queue fill state can no longer be used as an indication of send
    readiness. As a consequence, nonblocking writes can lead to a race and
    lock-up of the socket if there is a second task polling the socket in
    parallel.
    
    With this patch, isotp_sendmsg does not consult wq_has_sleepers but
    instead tries to atomically set so->tx.state and waits on so->wait if it
    is unable to do so. This behavior is in alignment with isotp_poll, which
    also checks so->tx.state to determine send readiness.
    
    V2:
    - Revert direct exit to goto err_event_drop
    
    [1] https://lore.kernel.org/all/[email protected]
    
    Reported-by: Maxime Jayat <[email protected]>
    Closes: https://lore.kernel.org/linux-can/[email protected]/
    Signed-off-by: Lukas Magel <[email protected]>
    Reviewed-by: Oliver Hartkopp <[email protected]>
    Fixes: 79e19fa79cb5 ("can: isotp: isotp_ops: fix poll() to not report false EPOLLOUT events")
    Link: pylessard/python-udsoncan#178 (comment)
    Link: https://lore.kernel.org/all/[email protected]
    Signed-off-by: Marc Kleine-Budde <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    hartkopp authored and gregkh committed Nov 8, 2023
    9015169
  109. drm/amd: Move helper for dynamic speed switch check out of smu13

    commit 188623076d0f1a500583d392b6187056bf7cc71a upstream.
    
    This helper is used for checking if the connected host supports
    the feature, it can be moved into generic code to be used by other
    smu implementations as well.
    
    Signed-off-by: Mario Limonciello <[email protected]>
    Reviewed-by: Evan Quan <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    Cc: [email protected] # 6.1.x
    Signed-off-by: Mario Limonciello <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    superm1 authored and gregkh committed Nov 8, 2023
    b6c3c77
  110. drm/amd: Disable ASPM for VI w/ all Intel systems

    commit 64ffd2f1d00c6235dabe9704bbb0d9ce3e28147f upstream.
    
    Originally we were quirking ASPM disabled specifically for VI when
    used with Alder Lake, but it appears to have problems with Rocket
    Lake as well.
    
    Like we've done in the case of dpm for newer platforms, disable
    ASPM for all Intel systems.
    
    Cc: [email protected] # 5.15+
    Fixes: 0064b0c ("drm/amd/pm: enable ASPM by default")
    Reported-and-tested-by: Paolo Gentili <[email protected]>
    Closes: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2036742
    Signed-off-by: Mario Limonciello <[email protected]>
    Reviewed-by: Alex Deucher <[email protected]>
    Signed-off-by: Alex Deucher <[email protected]>
    Signed-off-by: Mario Limonciello <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    superm1 authored and gregkh committed Nov 8, 2023
    6628c36
  111. PCI: Prevent xHCI driver from claiming AMD VanGogh USB3 DRD device

    commit 7e6f3b6d2c352b5fde37ce3fed83bdf6172eebd4 upstream.
    
    The AMD VanGogh SoC contains a DesignWare USB3 Dual-Role Device that can be
    operated as either a USB Host or a USB Device, similar to on the AMD Nolan
    platform.
    
    be6646b ("PCI: Prevent xHCI driver from claiming AMD Nolan USB3 DRD
    device") added a quirk to let the dwc3 driver claim the Nolan device since
    it provides more specific support.
    
    Extend that quirk to include the VanGogh SoC USB3 device.
    
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Vicki Pfau <[email protected]>
    [bhelgaas: include be6646b reference, add stable tag]
    Signed-off-by: Bjorn Helgaas <[email protected]>
    Cc: [email protected]	# v3.19+
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    endrift authored and gregkh committed Nov 8, 2023
    c48aae5
  112. usb: storage: set 1.50 as the lower bcdDevice for older "Super Top" compatibility
    
    commit 0e3139e6543b241b3e65956a55c712333bef48ac upstream.
    
    Change lower bcdDevice value for "Super Top USB 2.0  SATA BRIDGE" to match
    1.50. I have such an older device with bcdDevice=1.50 and it will not work
    otherwise.
    
    Cc: [email protected]
    Signed-off-by: Liha Sikanen <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    LihaSika authored and gregkh committed Nov 8, 2023
    7c4855b
  113. usb: typec: tcpm: Fix NULL pointer dereference in tcpm_pd_svdm()

    commit 4987daf86c152ff882d51572d154ad12e4ff3a4b upstream.
    
    It is possible that typec_register_partner() returns ERR_PTR on failure.
    When port->partner is an error, a NULL pointer dereference may occur as
    shown below.
    
    [91222.095236][  T319] typec port0: failed to register partner (-17)
    ...
    [91225.061491][  T319] Unable to handle kernel NULL pointer dereference
    at virtual address 000000000000039f
    [91225.274642][  T319] pc : tcpm_pd_data_request+0x310/0x13fc
    [91225.274646][  T319] lr : tcpm_pd_data_request+0x298/0x13fc
    [91225.308067][  T319] Call trace:
    [91225.308070][  T319]  tcpm_pd_data_request+0x310/0x13fc
    [91225.308073][  T319]  tcpm_pd_rx_handler+0x100/0x9e8
    [91225.355900][  T319]  kthread_worker_fn+0x178/0x58c
    [91225.355902][  T319]  kthread+0x150/0x200
    [91225.355905][  T319]  ret_from_fork+0x10/0x30
    
    Add a check for port->partner to avoid dereferencing a NULL pointer.
    
    Fixes: 5e1d4c4 ("usb: typec: tcpm: Determine common SVDM Version")
    Cc: [email protected]
    Signed-off-by: Jimmy Hu <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Jimmy Hu authored and gregkh committed Nov 8, 2023
    e5f53a6
  114. usb: raw-gadget: properly handle interrupted requests

    commit e8033bde451eddfb9b1bbd6e2d848c1b5c277222 upstream.
    
    Currently, if a USB request that was queued by Raw Gadget is interrupted
    (via a signal), wait_for_completion_interruptible returns -ERESTARTSYS.
    Raw Gadget then attempts to propagate this value to userspace as a return
    value from its ioctls. However, when -ERESTARTSYS is returned by a syscall
    handler, the kernel internally restarts the syscall.
    
    This doesn't allow userspace applications to interrupt requests queued by
    Raw Gadget (which is required when the emulated device is asked to switch
    altsettings). It also violates the implied interface of Raw Gadget that a
    single ioctl must only queue a single USB request.
    
    Instead, make Raw Gadget do what GadgetFS does: check whether the request
    was interrupted (dequeued with status == -ECONNRESET) and report -EINTR to
    userspace.
    
    Fixes: f2c2e71 ("usb: gadget: add raw-gadget interface")
    Cc: stable <[email protected]>
    Signed-off-by: Andrey Konovalov <[email protected]>
    Link: https://lore.kernel.org/r/0db45b1d7cc466e3d4d1ab353f61d63c977fbbc5.1698350424.git.andreyknvl@gmail.com
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    xairy authored and gregkh committed Nov 8, 2023
    e251977
  115. tty: n_gsm: fix race condition in status line change on dead connections

    commit 3a75b205de43365f80a33b98ec9289785da56243 upstream.
    
    gsm_cleanup_mux() cleans up the gsm by closing all DLCIs, stopping all
    timers, removing the virtual tty devices and clearing the data queues.
    This procedure, however, may cause subsequent changes of the virtual modem
    status lines of a DLCI. More data is being added to the outgoing data queue
    and the deleted kick timer is restarted to handle this. At this point many
    resources have already been removed by the cleanup procedure. Thus, a
    kernel panic occurs.
    
    Fix this by proving in gsm_modem_update() that the cleanup procedure has
    not been started and the mux is still alive.
    
    Note that writing to a virtual tty is already protected by checks against
    the DLCI specific connection state.
    
    Fixes: c568f7086c6e ("tty: n_gsm: fix missing timer to handle stalled links")
    Cc: stable <[email protected]>
    Signed-off-by: Daniel Starke <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    dstarke-siemens authored and gregkh committed Nov 8, 2023
    81a4dd5
  116. tty: 8250: Remove UC-257 and UC-431

    commit 33092fb3af51deb80849e90a17bada44bbcde6b3 upstream.
    
    The UC-257 is a serial + LPT card, so remove it from this driver.
    A patch has been submitted to add it to parport_serial instead.
    
    Additionally, the UC-431 does not use this card ID, only the UC-420
    does. The 431 is a 3-port card and there is no generic 3-port configuration
    available, so remove reference to it from this driver.
    
    Fixes: 152d1afa834c ("tty: Add support for Brainboxes UC cards.")
    Cc: [email protected]
    Signed-off-by: Cameron Williams <[email protected]>
    Link: https://lore.kernel.org/r/DU0PR02MB78995ADF7394C74AD4CF3357C4DBA@DU0PR02MB7899.eurprd02.prod.outlook.com
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Cameron Williams authored and gregkh committed Nov 8, 2023
    ff6059c
  117. tty: 8250: Add support for additional Brainboxes UC cards

    commit c563db486db7d245c0e2f319443417ae8e692f7f upstream.
    
    Add device IDs for some more Brainboxes UC cards, namely
    UC-235/UC-246, UC-253/UC-734, UC-302, UC-313, UC-346, UC-357,
    UC-607 and UC-836.
    
    Cc: [email protected]
    Signed-off-by: Cameron Williams <[email protected]>
    Link: https://lore.kernel.org/r/DU0PR02MB789969998A6C3FAFCD95C85DC4DBA@DU0PR02MB7899.eurprd02.prod.outlook.com
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Cameron Williams authored and gregkh committed Nov 8, 2023
    738fe41
  118. tty: 8250: Add support for Brainboxes UP cards

    commit 2c6fec1e1532f15350be7e14ba6b88a39d289fe4 upstream.
    
    Add support for the Brainboxes UP (powered PCI) range of
    cards, namely UP-189, UP-200, UP-869 and UP-880.
    
    Cc: [email protected]
    Signed-off-by: Cameron Williams <[email protected]>
    Link: https://lore.kernel.org/r/DU0PR02MB7899B5B59FF3D8587E88C117C4DBA@DU0PR02MB7899.eurprd02.prod.outlook.com
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Cameron Williams authored and gregkh committed Nov 8, 2023
    a5b6390
  119. tty: 8250: Add support for Intashield IS-100

    commit 4d994e3cf1b541ff32dfb03fbbc60eea68f9645b upstream.
    
    Add support for the Intashield IS-100 1 port serial card.
    
    Cc: [email protected]
    Signed-off-by: Cameron Williams <[email protected]>
    Link: https://lore.kernel.org/r/DU0PR02MB7899A0E0CDAA505AF5A874CDC4DBA@DU0PR02MB7899.eurprd02.prod.outlook.com
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Cameron Williams authored and gregkh committed Nov 8, 2023
    3fe3cc6
  120. tty: 8250: Fix port count of PX-257

    commit d0ff5b24c2f112f29dea4c38b3bac9597b1be9ba upstream.
    
    The port count of the PX-257 Rev3 is actually 2, not 4.
    
    Fixes: ef5a03a26c87 ("tty: 8250: Add support for Brainboxes PX cards.")
    Cc: [email protected]
    Signed-off-by: Cameron Williams <[email protected]>
    Link: https://lore.kernel.org/r/DU0PR02MB7899C804D9F04E727B5A0E8FC4DBA@DU0PR02MB7899.eurprd02.prod.outlook.com
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Cameron Williams authored and gregkh committed Nov 8, 2023
    1f5649a
  121. tty: 8250: Fix up PX-803/PX-857

    commit ee61337b934c99c2611e0a945d592019b2e00c82 upstream.
    
    The PX-803/PX-857 are variants of each other, add a note.
    Additionally fix up the port counts for the card (2, not 1).
    
    Fixes: ef5a03a26c87 ("tty: 8250: Add support for Brainboxes PX cards.")
    Cc: [email protected]
    Signed-off-by: Cameron Williams <[email protected]>
    Link: https://lore.kernel.org/r/DU0PR02MB789978C8ED872FB4B014E132C4DBA@DU0PR02MB7899.eurprd02.prod.outlook.com
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Cameron Williams authored and gregkh committed Nov 8, 2023
    60debc0
  122. tty: 8250: Add support for additional Brainboxes PX cards

    commit 9604884e592cd04ead024c9737c67a77f175cab9 upstream.
    
    Add support for some more of the Brainboxes PX (PCIe) range
    of serial cards, namely
    PX-275/PX-279, PX-475 (serial port, not LPT), PX-820,
    PX-803/PX-857 (additional ID).
    
    Cc: [email protected]
    Signed-off-by: Cameron Williams <[email protected]>
    Link: https://lore.kernel.org/r/DU0PR02MB78996BEC353FB346FC35444BC4DBA@DU0PR02MB7899.eurprd02.prod.outlook.com
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Cameron Williams authored and gregkh committed Nov 8, 2023
    d541ccb
  123. tty: 8250: Add support for Intashield IX cards

    commit 62d2ec2ded278c7512d91ca7bf8eb9bac46baf90 upstream.
    
    Add support for the IX-100, IX-200 and IX-400 serial cards.
    
    Cc: [email protected]
    Signed-off-by: Cameron Williams <[email protected]>
    Link: https://lore.kernel.org/r/DU0PR02MB7899614E5837E82A03272A4BC4DBA@DU0PR02MB7899.eurprd02.prod.outlook.com
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Cameron Williams authored and gregkh committed Nov 8, 2023
    44c4dfa
  124. tty: 8250: Add Brainboxes Oxford Semiconductor-based quirks

    commit e4876dacaca46a1b09f9b417480924ab12019a5b upstream.
    
    Some of the later revisions of the Brainboxes PX cards are based
    on the Oxford Semiconductor chipset. Due to the chip's unique setup
    these cards need to be initialised.
    Previously these were tested against a reference card with the same broken
    baudrate on another PC, cancelling out the effect. With this patch they
    work and can transfer/receive fine against an FTDI-based device.
    
    Add all of the cards which require this setup to the quirks table.
    Thanks to Maciej W. Rozycki for clarification on this chip.
    
    Fixes: ef5a03a26c87 ("tty: 8250: Add support for Brainboxes PX cards.")
    Cc: [email protected]
    Signed-off-by: Cameron Williams <[email protected]>
    Link: https://lore.kernel.org/r/DU0PR02MB7899D222A4AB2A4E8C57108FC4DBA@DU0PR02MB7899.eurprd02.prod.outlook.com
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Cameron Williams authored and gregkh committed Nov 8, 2023
    28b8ad8
  125. misc: pci_endpoint_test: Add deviceID for J721S2 PCIe EP device support

    commit 8293703a492ae97c86af27c75b76e6239ec86483 upstream.
    
    Add DEVICE_ID for J721S2 and enable support for endpoints configured
    with this DEVICE_ID in the pci_endpoint_test driver.
    
    Signed-off-by: Siddharth Vadapalli <[email protected]>
    Cc: stable <[email protected]>
    Reviewed-by: Manivannan Sadhasivam <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Siddharth-Vadapalli-at-TI authored and gregkh committed Nov 8, 2023
    f049c0c
  126. ALSA: hda: intel-dsp-config: Fix JSL Chromebook quirk detection

    commit 7c05b44e1a50d9cbfc4f731dddc436a24ddc129a upstream.
    
    Some Jasperlake Chromebooks overwrite the system vendor DMI value to the
    name of the OEM that manufactured the device. This breaks Chromebook
    quirk detection as it expects the system vendor to be "Google".
    
    Add another quirk detection entry that looks for "Google" in the BIOS
    version.
    
    Cc: [email protected]
    Signed-off-by: Mark Hasemeyer <[email protected]>
    Reviewed-by: Pierre-Louis Bossart <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Takashi Iwai <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Mark Hasemeyer authored and gregkh committed Nov 8, 2023
    3d8344a
  127. Linux 5.15.138

    Link: https://lore.kernel.org/r/[email protected]
    Tested-by: SeongJae Park <[email protected]>
    Tested-by: Ron Economos <[email protected]>
    Tested-by: Jon Hunter <[email protected]>
    Tested-by: Harshit Mogalapalli <[email protected]>
    Tested-by: Shuah Khan <[email protected]>
    Tested-by: Ricardo B. Marliere <[email protected]>
    Tested-by: Linux Kernel Functional Testing <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Tested-by: Florian Fainelli <[email protected]>
    Tested-by: Allen Pais <[email protected]>
    Tested-by: Jon Hunter <[email protected]>
    Tested-by: Linux Kernel Functional Testing <[email protected]>
    Tested-by: Pavel Machek (CIP) <[email protected]>
    Tested-by: Guenter Roeck <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    gregkh committed Nov 8, 2023
    80529b4

Commits on Nov 9, 2023

  1. ANDROID: mm: add vendor hook in isolate_freepages()

    By this vh, so that we can skip if this page needs to be
    treated specially, like as cma.
    
    In the Android kernel, the use of cma is restricted, and filecache
    cannot use cma. But during the memory compaction process, filecache
    may be migrated to cma pool, so a judgment needs to be added here
    to restrict filecache from entering cma.
    
    Bug: 309371168
    Change-Id: I3ec29bdf5f7b6ac4c7af0a317aa41ad77b71444d
    Signed-off-by: Qinglin Li <[email protected]>
    qinglin.li authored and Treehugger Robot committed Nov 9, 2023
    cd7989c
  2. ANDROID: GKI: Update symbol list for Amlogic

    1 function symbol(s) added
      'int __traceiter_android_vh_isolate_freepages(void*, struct compact_control*, struct page*, bool*)'
    
    1 variable symbol(s) added
      'struct tracepoint __tracepoint_android_vh_isolate_freepages'
    
    Bug: 309371168
    Change-Id: I441742a55ab6e5192b2ce512ae41dd9099112cfa
    Signed-off-by: Qinglin Li <[email protected]>
    qinglin.li authored and Treehugger Robot committed Nov 9, 2023
    690e148
  3. ANDROID: GKI: Add symbol list for Transsion

    Add symbol list for Transsion
    
    1 variable symbol(s) added
      'unsigned long avenrun[3]'
    
    Bug: 309886726
    
    Change-Id: Ic15627b2d6f2cf379b00bac36ec148ba56eeac63
    Signed-off-by: Dongyun Liu <[email protected]>
    Dongyun Liu authored and metti committed Nov 9, 2023
    d815634

Commits on Nov 10, 2023

  1. ANDROID: KVM: arm64: Fix error path in pkvm_mem_abort()

    On one error path, pin_user_pages has succeeded and should be
    undone.
    
    Bug: 310131277
    Change-Id: I92fe0c54bb5b8005f848491f5e9be1090b61fbd1
    Signed-off-by: Keir Fraser <[email protected]>
    Keir Fraser committed Nov 10, 2023
    0468dbf

Commits on Nov 15, 2023

  1. BACKPORT: blk-ioprio: Convert from rqos policy to direct call

    Convert blk-ioprio handling from a rqos policy to a direct call from
    blk_mq_submit_bio(). Firstly, blk-ioprio is not much of a rqos policy
    anyway, it just needs a hook in bio submission path to set the bio's IO
    priority. Secondly, the rqos .track hook gets actually called too late
    for blk-ioprio purposes and introducing a special rqos hook just for
    blk-ioprio looks even weirder.
    
    Bug: 307161346
    Reviewed-by: Damien Le Moal <[email protected]>
    Tested-by: Damien Le Moal <[email protected]>
    Change-Id: I0fdc6ab21f34a5fa2c919d8dc21f3e1fb1bc4be3
    Signed-off-by: Jan Kara <[email protected]>
    Reviewed-by: Christoph Hellwig <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jens Axboe <[email protected]>
    (cherry picked from commit 82b74cac28493fb40ea74fb2fe648b5fc7ea0c1c)
    [xiuhong: Resolved minor conflict in block/blk-ioprio.c]
    Signed-off-by: Xiuhong Wang <[email protected]>
    jankara authored and wangxiuhong134 committed Nov 15, 2023
    b029b53
  2. BACKPORT: block: Initialize bio priority earlier

    Bio's IO priority needs to be initialized before we try to merge the bio
    with other bios. Otherwise we could merge bios which would otherwise
    receive different IO priorities leading to possible QoS issues.
    
    Reviewed-by: Damien Le Moal <[email protected]>
    Tested-by: Damien Le Moal <[email protected]>
    Change-Id: I6a28ae88242c4ebe69569ebe898f2cbe1042c5e6
    Signed-off-by: Jan Kara <[email protected]>
    Reviewed-by: Christoph Hellwig <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jens Axboe <[email protected]>
    (cherry picked from commit 9c6227e04355a430aa59709bbf869d9126112d0d)
    [xiuhong: Resolved minor conflict in block/blk-mq.c]
    Signed-off-by: Xiuhong Wang <[email protected]>
    jankara authored and wangxiuhong134 committed Nov 15, 2023
    739e44e
  3. BACKPORT: block: Always initialize bio IO priority on submit

    Currently, IO priority set in task's IO context is not reflected in the
    bio->bi_ioprio for most IO (only io_uring and direct IO set it). This
    results in odd results where a process is submitting some bios with one
    priority and other bios with a different (unset) priority and due to
    differing priorities bios cannot be merged. Make sure bio->bi_ioprio is
    always set on bio submission.
    
    Bug: 307161346
    Reviewed-by: Damien Le Moal <[email protected]>
    Tested-by: Damien Le Moal <[email protected]>
    Change-Id: I7be765392f9072564ea49fb32b7814e10c4b5d74
    Signed-off-by: Jan Kara <[email protected]>
    Reviewed-by: Christoph Hellwig <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jens Axboe <[email protected]>
    (cherry picked from commit a78418e6a04c93b9ffd3f0f601c5cb10612acb7f)
    Signed-off-by: Xiuhong Wang <[email protected]>
    jankara authored and wangxiuhong134 committed Nov 15, 2023
    a0c7043
  4. BACKPORT: blk-ioprio: Introduce promote-to-rt policy

    Since commit a78418e6a04c ("block: Always initialize bio IO priority on
    submit"), bio->bi_ioprio will never be IOPRIO_CLASS_NONE when calling
    blkcg_set_ioprio(), so there will be no way to promote the io-priority
    of one cgroup to IOPRIO_CLASS_RT, because bi_ioprio will always be
    greater than or equal to IOPRIO_CLASS_RT.
    
    It seems possible to call blkcg_set_ioprio() first then try to
    initialize bi_ioprio later in bio_set_ioprio(), but this doesn't work
    for bio in which bi_ioprio is already initialized (e.g., direct-io), so
    introduce a new promote-to-rt policy to promote the iopriority of bio to
    IOPRIO_CLASS_RT if the ioprio is not already RT.
    
    For the none-to-rt policy, although it doesn't work now, considering
    that its purpose was also to override the io-priority to RT and allowing
    for a smoother transition, just keep it and treat it as an alias of
    the promote-to-rt policy.
    
    Bug: 307161346
    Acked-by: Tejun Heo <[email protected]>
    Reviewed-by: Bart Van Assche <[email protected]>
    Reviewed-by: Chaitanya Kulkarni <[email protected]>
    Reviewed-by: Jan Kara <[email protected]>
    Change-Id: I15df75ca52ec6985a474dbe30aa2107d8092444a
    Signed-off-by: Hou Tao <[email protected]>
    Reviewed-by: Bagas Sanjaya <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Jens Axboe <[email protected]>
    (cherry picked from commit ddf63516d8d37528dc6834c7f19b55084e956068)
    Signed-off-by: Xiuhong Wang <[email protected]>
    Hou Tao authored and wangxiuhong134 committed Nov 15, 2023
    a2a56bf
  5. UPSTREAM: dma-buf: add dma_fence_chain_contained helper

    It's a reoccurring pattern that we need to extract the fence
    from a dma_fence_chain object. Add a helper for this.
    
    Bug: 286102048
    Change-Id: Ib94b7f26893ca39ee3c3a58c335d30a7787facc2
    Signed-off-by: Christian König <[email protected]>
    Reviewed-by: Thomas Hellström <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    (cherry picked from commit 18f5fad275efef015226ee4f90eae34d8f44aa5e)
    Signed-off-by: Richard Fung <[email protected]>
    ChristianKoenigAMD authored and toddkjos committed Nov 15, 2023
    20b2d56
  6. UPSTREAM: dma-buf: Add dma_fence_array_for_each (v2)

    Add a helper to iterate over all fences in a dma_fence_array object.
    
    v2 (Jason Ekstrand)
     - Return NULL from dma_fence_array_first if head == NULL.  This matches
       the iterator behavior of dma_fence_chain_for_each in that it iterates
       zero times if head == NULL.
     - Return NULL from dma_fence_array_next if index > array->num_fences.
    
    Bug: 310208240
    Change-Id: Ic142d9066c8ed14fd1ca7163f8ac5eaf15c6d972
    Signed-off-by: Jason Ekstrand <[email protected]>
    Reviewed-by: Jason Ekstrand <[email protected]>
    Reviewed-by: Christian König <[email protected]>
    Cc: Daniel Vetter <[email protected]>
    Cc: Maarten Lankhorst <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    Signed-off-by: Christian König <[email protected]>
    (cherry picked from commit caaf2ae712b7cc3c7717898fe267dbf882a502ef)
    Signed-off-by: Richard Fung <[email protected]>
    Christian König authored and toddkjos committed Nov 15, 2023
    67e5ffd
  7. BACKPORT: dma-buf: add dma_fence_unwrap v2

    Add a general purpose helper to deep dive into dma_fence_chain/dma_fence_array
    structures and iterate over all the fences in them.
    
    This is useful when we need to flatten out all fences in those structures.
    
    v2: some selftests cleanup, improved function naming and documentation
    
    Bug: 310208240
    Change-Id: I4d4bd21fd9444523917cc884107f5af13fa5a08f
    Signed-off-by: Christian König <[email protected]>
    Reviewed-by: Daniel Vetter <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    (cherry picked from commit 64a8f92fd783e750cdb81af75942dcd53bbf61bd)
    [richardfung: modified patch to remove build rules for st-dma-resv which
    was introduced in a separate patch]
    Signed-off-by: Richard Fung <[email protected]>
    ChristianKoenigAMD authored and toddkjos committed Nov 15, 2023
    1696301

Commits on Nov 21, 2023

  1. ANDROID: vendor_hooks: Add hooks for binder

    Add hooks to support oem's binder feature of improving binder_thread->task sched priority
    
    1) Check if it is a specific task in trace_android_vh_binder_alloc_oem_struct() and store the flag to t->android_vendor_data1
    2) If it is a specific binder task and binder_thread selected, raise the sched priority of binder_thread->task in runqueue.
    3) If it is a specific binder task but no binder_thread selected (e.g. pending_async or no free threads), insert t->work to the appropriate position in the list.
    4) Reset the sched priority when BR_TRANSACTION or BC_FREE_BUFFER.
    Some high-priority async binder tasks reset the sched priority when BC_FREE_BUFFER in trace_android_vh_binder_free_buf().
    Some middle-priority async binder tasks reset the sched priority when driver return server "BR_TRANSACTION" in trace_android_vh_binder_transaction_received().
    
    Bug: 299328919
    
    Change-Id: Iab4939fe4a4881b31961aaa2fef500b51c944743
    Signed-off-by: lfc <[email protected]>
    lfc2012 authored and toddkjos committed Nov 21, 2023
    0eb66ec
  2. ANDROID: ABI: Update oplus symbol list

    INFO: 5 function symbol(s) added
      'int __traceiter_android_vh_alloc_oem_binder_struct(void*, struct binder_transaction_data*, struct binder_transaction*, struct binder_proc*)'
      'int __traceiter_android_vh_binder_free_buf(void*, struct binder_proc*, struct binder_thread*, struct binder_buffer*)'
      'int __traceiter_android_vh_binder_special_task(void*, struct binder_transaction*, struct binder_proc*, struct binder_thread*, struct binder_work*, struct list_head*, bool, bool*)'
      'int __traceiter_android_vh_binder_transaction_received(void*, struct binder_transaction*, struct binder_proc*, struct binder_thread*, uint32_t)'
      'int __traceiter_android_vh_free_oem_binder_struct(void*, struct binder_transaction*)'
    
    5 variable symbol(s) added
      'struct tracepoint __tracepoint_android_vh_alloc_oem_binder_struct'
      'struct tracepoint __tracepoint_android_vh_binder_free_buf'
      'struct tracepoint __tracepoint_android_vh_binder_special_task'
      'struct tracepoint __tracepoint_android_vh_binder_transaction_received'
      'struct tracepoint __tracepoint_android_vh_free_oem_binder_struct'
    
    Bug: 299328919
    Change-Id: Id264691f9e1403d37eec560d2769efb5cb9cd8b9
    Signed-off-by: lfc <[email protected]>
    lfc2012 authored and toddkjos committed Nov 21, 2023
    e039fca

Commits on Nov 24, 2023

  1. FROMGIT: Input: uinput - allow injecting event times

    Currently, uinput doesn't use the input_set_timestamp API, so any
    event injected using uinput is not accurately timestamped in terms of
    measuring when the actual event happened. Hence, call the
    input_set_timestamp API from uinput in order to provide a more
    accurate sense of time for the event. Propagate only the timestamps
    which are a) positive, b) within a pre-defined offset (10 secs) from
    the current time, and c) not in the future.
    
    Bug: 271946580
    Bug: 277040837
    Change-Id: I928be61d0114b78e2098995ee49eeb0376bef2a3
    (cherry picked from commit 3a2df60200a03f78173f1fd831aa54c08464dcde
    https://git.kernel.org/pub/scm/linux/kernel/git/dtor/input.git master)
    Signed-off-by: Biswarup Pal <[email protected]>
    Reviewed-by: Peter Hutterer <[email protected]>
    Reviewed-by: Siarhei Vishniakou <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Dmitry Torokhov <[email protected]>
    (cherry picked from commit ee1f5fc55cc7bf1bca78edbb8a1f9d989d4ea03e)
    Biswarup Pal committed Nov 24, 2023
    18865db

Commits on Nov 26, 2023

  1. Merge 5.15.138 into android13-5.15-lts

    Changes in 5.15.138
    	ASoC: codecs: wcd938x: fix resource leaks on bind errors
    	ASoC: codecs: wcd938x: fix runtime PM imbalance on remove
    	pinctrl: qcom: lpass-lpi: fix concurrent register updates
    	tcp: remove dead code from tcp_sendmsg_locked()
    	tcp: cleanup tcp_remove_empty_skb() use
    	mptcp: more conservative check for zero probes
    	mcb: Return actual parsed size when reading chameleon table
    	mcb-lpc: Reallocate memory region to avoid memory overlapping
    	virtio_balloon: Fix endless deflation and inflation on arm64
    	virtio-mmio: fix memory leak of vm_dev
    	vhost: Allow null msg.size on VHOST_IOTLB_INVALIDATE
    	mm/page_alloc: correct start page when guard page debug is enabled
    	mm/migrate: fix do_pages_move for compat pointers
    	nfsd: lock_rename() needs both directories to live on the same fs
    	drm/i915/pmu: Check if pmu is closed before stopping event
    	vsock/virtio: factor our the code to initialize and delete VQs
    	vsock/virtio: add support for device suspend/resume
    	vsock/virtio: initialize the_virtio_vsock before using VQs
    	drm/dp_mst: Fix NULL deref in get_mst_branch_device_by_guid_helper()
    	firmware/imx-dsp: Fix use_after_free in imx_dsp_setup_channels()
    	r8169: fix the KCSAN reported data-race in rtl_tx() while reading tp->cur_tx
    	r8169: fix the KCSAN reported data-race in rtl_tx while reading TxDescArray[entry].opts1
    	r8169: fix the KCSAN reported data race in rtl_rx while reading desc->opts1
    	i40e: Fix I40E_FLAG_VF_VLAN_PRUNING value
    	treewide: Spelling fix in comment
    	igb: Fix potential memory leak in igb_add_ethtool_nfc_entry
    	neighbour: fix various data-races
    	igc: Fix ambiguity in the ethtool advertising
    	net: ieee802154: adf7242: Fix some potential buffer overflow in adf7242_stats_show()
    	net: usb: smsc95xx: Fix uninit-value access in smsc95xx_read_reg
    	r8152: Increase USB control msg timeout to 5000ms as per spec
    	r8152: Run the unload routine if we have errors during probe
    	r8152: Cancel hw_phy_work if we have an error in probe
    	r8152: Release firmware if we have an error in probe
    	tcp: fix wrong RTO timeout when received SACK reneging
    	gtp: uapi: fix GTPA_MAX
    	gtp: fix fragmentation needed check with gso
    	i40e: Fix wrong check for I40E_TXR_FLAGS_WB_ON_ITR
    	kasan: print the original fault addr when access invalid shadow
    	iio: exynos-adc: request second interupt only when touchscreen mode is used
    	iio: adc: xilinx-xadc: Don't clobber preset voltage/temperature thresholds
    	iio: adc: xilinx-xadc: Correct temperature offset/scale for UltraScale
    	i2c: muxes: i2c-mux-pinctrl: Use of_get_i2c_adapter_by_node()
    	i2c: muxes: i2c-mux-gpmux: Use of_get_i2c_adapter_by_node()
    	i2c: muxes: i2c-demux-pinctrl: Use of_get_i2c_adapter_by_node()
    	i2c: stm32f7: Fix PEC handling in case of SMBUS transfers
    	i2c: aspeed: Fix i2c bus hang in slave read
    	tracing/kprobes: Fix the description of variable length arguments
    	misc: fastrpc: Clean buffers on remote invocation failures
    	nvmem: imx: correct nregs for i.MX6ULL
    	nvmem: imx: correct nregs for i.MX6SLL
    	nvmem: imx: correct nregs for i.MX6UL
    	perf/core: Fix potential NULL deref
    	sparc32: fix a braino in fault handling in csum_and_copy_..._user()
    	clk: Sanitize possible_parent_show to Handle Return Value of of_clk_get_parent_name
    	iio: afe: rescale: reorder includes
    	iio: afe: rescale: expose scale processing function
    	iio: afe: rescale: add offset support
    	iio: afe: rescale: Accept only offset channels
    	gve: Fix GFP flags when allocing pages
    	x86/i8259: Skip probing when ACPI/MADT advertises PCAT compatibility
    	x86/mm: Simplify RESERVE_BRK()
    	x86/mm: Fix RESERVE_BRK() for older binutils
    	ext4: add two helper functions extent_logical_end() and pa_logical_end()
    	ext4: fix BUG in ext4_mb_new_inode_pa() due to overflow
    	ext4: avoid overlapping preallocations due to overflow
    	objtool/x86: add missing embedded_insn check
    	driver: platform: Add helper for safer setting of driver_override
    	rpmsg: Constify local variable in field store macro
    	rpmsg: Fix kfree() of static memory on setting driver_override
    	rpmsg: Fix calling device_lock() on non-initialized device
    	rpmsg: glink: Release driver_override
    	rpmsg: Fix possible refcount leak in rpmsg_register_device_override()
    	x86: Fix .brk attribute in linker script
    	ASoC: simple-card: fixup asoc_simple_probe() error handling
    	net: sched: cls_u32: Fix allocation size in u32_init()
    	irqchip/riscv-intc: Mark all INTC nodes as initialized
    	irqchip/stm32-exti: add missing DT IRQ flag translation
    	dmaengine: ste_dma40: Fix PM disable depth imbalance in d40_probe
    	powerpc/85xx: Fix math emulation exception
    	Input: synaptics-rmi4 - handle reset delay when using SMBus trsnsport
    	fbdev: atyfb: only use ioremap_uc() on i386 and ia64
    	fs/ntfs3: Add ckeck in ni_update_parent()
    	fs/ntfs3: Write immediately updated ntfs state
    	fs/ntfs3: Use kvmalloc instead of kmalloc(... __GFP_NOWARN)
    	fs/ntfs3: Fix possible NULL-ptr-deref in ni_readpage_cmpr()
    	fs/ntfs3: Fix NULL pointer dereference on error in attr_allocate_frame()
    	fs/ntfs3: Fix directory element type detection
    	fs/ntfs3: Avoid possible memory leak
    	spi: npcm-fiu: Fix UMA reads when dummy.nbytes == 0
    	netfilter: nfnetlink_log: silence bogus compiler warning
    	ASoC: rt5650: fix the wrong result of key button
    	drm/ttm: Reorder sys manager cleanup step
    	fbdev: uvesafb: Call cn_del_callback() at the end of uvesafb_exit()
    	scsi: mpt3sas: Fix in error path
    	platform/mellanox: mlxbf-tmfifo: Fix a warning message
    	net: chelsio: cxgb4: add an error code check in t4_load_phy_fw
    	r8152: Check for unplug in rtl_phy_patch_request()
    	r8152: Check for unplug in r8153b_ups_en() / r8153c_ups_en()
    	powerpc/mm: Fix boot crash with FLATMEM
    	can: isotp: set max PDU size to 64 kByte
    	can: isotp: isotp_bind(): return -EINVAL on incorrect CAN ID formatting
    	can: isotp: check CAN address family in isotp_bind()
    	can: isotp: handle wait_event_interruptible() return values
    	can: isotp: add local echo tx processing and tx without FC
    	can: isotp: isotp_bind(): do not validate unused address information
    	can: isotp: isotp_sendmsg(): fix TX state detection and wait behavior
    	drm/amd: Move helper for dynamic speed switch check out of smu13
    	drm/amd: Disable ASPM for VI w/ all Intel systems
    	PCI: Prevent xHCI driver from claiming AMD VanGogh USB3 DRD device
    	usb: storage: set 1.50 as the lower bcdDevice for older "Super Top" compatibility
    	usb: typec: tcpm: Fix NULL pointer dereference in tcpm_pd_svdm()
    	usb: raw-gadget: properly handle interrupted requests
    	tty: n_gsm: fix race condition in status line change on dead connections
    	tty: 8250: Remove UC-257 and UC-431
    	tty: 8250: Add support for additional Brainboxes UC cards
    	tty: 8250: Add support for Brainboxes UP cards
    	tty: 8250: Add support for Intashield IS-100
    	tty: 8250: Fix port count of PX-257
    	tty: 8250: Fix up PX-803/PX-857
    	tty: 8250: Add support for additional Brainboxes PX cards
    	tty: 8250: Add support for Intashield IX cards
    	tty: 8250: Add Brainboxes Oxford Semiconductor-based quirks
    	misc: pci_endpoint_test: Add deviceID for J721S2 PCIe EP device support
    	ALSA: hda: intel-dsp-config: Fix JSL Chromebook quirk detection
    	Linux 5.15.138
    
    Change-Id: I08a4759878588e92f843652069831acb85e34495
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    gregkh committed Nov 26, 2023
    60f7a6c

Commits on Nov 27, 2023

  1. Revert "kasan: print the original fault addr when access invalid shadow"

    This reverts commit 4e14f2d which is
    commit babddbfb7d7d70ae7f10fedd75a45d8ad75fdddf upstream.
    
    It just flat out breaks the build for KASAN builds, so revert it.  Odd.
    
    Fixes: 1684909df3f4 ("kasan: print the original fault addr when access invalid shadow")
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Change-Id: Ida71f61b6ea32f2682091407144032928891c83e
    gregkh committed Nov 27, 2023
    4ba2bb2
  2. ANDROID: fix up platform_device ABI break

    In commit 389190b ("driver: platform: Add helper for safer setting
    of driver_override"), a pointer was changed to const, which messes with
    the CRC and ABI checks.  As the code is fine if this is left as
    not-const, just put it back to preserve the abi.
    
    Bug: 161946584
    Fixes: 389190b ("driver: platform: Add helper for safer setting of driver_override")
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Change-Id: Ieb4a730a6a5767d31fbec2f1ba683617f5cda7a9
    gregkh committed Nov 27, 2023
    858ee7d
  3. ANDROID: fix up rpmsg_device ABI break

    In commit 2e76b4f ("rpmsg: Fix kfree() of static memory on setting
    driver_override") a pointer was changed to const, which messes with the
    CRC and ABI checks.  As the code is fine if this is left as not-const,
    just put it back to preserve the abi.
    
    Bug: 161946584
    Fixes: 2e76b4f ("rpmsg: Fix kfree() of static memory on setting driver_override")
    Change-Id: I9a87b9cf412191d9872b48f1f876a81df6701de0
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    gregkh committed Nov 27, 2023
    30b8daf
  4. ANDROID: fuse-bpf: Add NULL pointer check in fuse_release_in

    If an open request is sent to classic fuse, backing_file is null.
    In fuse_release_initialize, fput will trigger a crash.
    
    Bug: 297831741
    Signed-off-by: liujing40 <[email protected]>
    (cherry picked from https://android-review.googlesource.com/q/commit:4d2ff573981f06ba09e1ddda8726bb73ff6a2c3f)
    Merged-In: I2d54d99d62b54c39a6dc9064f8f62488433aff6f
    Change-Id: I2d54d99d62b54c39a6dc9064f8f62488433aff6f
    liujing40 authored and Treehugger Robot committed Nov 27, 2023
    b2017f5
  5. FROMGIT: usb: gadget: uvc: prevent use of disabled endpoint

    Currently the set_alt callback immediately disables the endpoint and queues
    the v4l2 streamoff event. However, as the streamoff event is processed
    asynchronously, it is possible that the video_pump thread attempts to queue
    requests to an already disabled endpoint.
    
    This change moves disabling usb endpoint to the end of streamoff event
    callback. As the endpoint's state can no longer be used, video_pump is
    now guarded by uvc->state as well. To be consistent with the actual
    streaming state, uvc->state is now toggled between CONNECTED and STREAMING
    from the v4l2 event callback only.
    
    Link: https://lore.kernel.org/[email protected]/
    Link: https://lore.kernel.org/[email protected]/
    Reviewed-by: Daniel Scally <[email protected]>
    Reviewed-by: Michael Grzeschik <[email protected]>
    Tested-by: Michael Grzeschik <[email protected]>
    Signed-off-by: Avichal Rakesh <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    
    Bug: 296925310
    (cherry picked from commit 991544dc579b636e69defa3eec486fd6f6191e59
     https://kernel.googlesource.com/pub/scm/linux/kernel/git/gregkh/usb usb-next)
    Change-Id: Ic5631a526e72cbcf299dcb8167bb3d34468d37e9
    Signed-off-by: Avichal Rakesh <[email protected]>
    Avichal Rakesh committed Nov 27, 2023
    e7ed9e4
  6. FROMGIT: usb: gadget: uvc: Allocate uvc_requests one at a time

    Currently, the uvc gadget driver allocates all uvc_requests as one array
    and deallocates them all when the video stream stops. This includes
    de-allocating all the usb_requests associated with those uvc_requests.
    This can lead to use-after-free issues if any of those de-allocated
    usb_requests were still owned by the usb controller.
    
    This patch is 1 of 2 patches addressing the use-after-free issue.
    Instead of bulk allocating all uvc_requests as an array, this patch
    allocates uvc_requests one at a time, which should allow for similar
    granularity when deallocating the uvc_requests. This patch has no
    functional changes other than allocating each uvc_request separately,
    and similarly freeing each of them separately.
    
    Link: https://lore.kernel.org/[email protected]
    Reviewed-by: Daniel Scally <[email protected]>
    Reviewed-by: Michael Grzeschik <[email protected]>
    Suggested-by: Michael Grzeschik <[email protected]>
    Tested-by: Michael Grzeschik <[email protected]>
    Signed-off-by: Avichal Rakesh <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    
    Bug: 296925310
    (cherry picked from commit aeb686a98a9e9743c4c0338957e59643a2708146
     https://kernel.googlesource.com/pub/scm/linux/kernel/git/gregkh/usb usb-next)
    Change-Id: I33400ac6b28e72c6c10805e167e8bab7e2520a28
    Signed-off-by: Avichal Rakesh <[email protected]>
    Avichal Rakesh committed Nov 27, 2023
    17f7b06
  7. FROMGIT: usb: gadget: uvc: move video disable logic to its own function

    This patch refactors the video disable logic in uvcg_video_enable
    into its own separate function 'uvcg_video_disable'. This function
    is now used anywhere uvcg_video_enable(video, 0) was used.
    
    Reviewed-by: Daniel Scally <[email protected]>
    Suggested-by: Michael Grzeschik <[email protected]>
    Signed-off-by: Avichal Rakesh <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    
    Bug: 296925310
    (cherry picked from commit 2079b60bda3257146a4e8ed7525513865f7e6b3e
     https://kernel.googlesource.com/pub/scm/linux/kernel/git/gregkh/usb usb-next)
    Change-Id: Ie8934e6fe1577373b01e3c66626e4239cf9f8c83
    Signed-off-by: Avichal Rakesh <[email protected]>
    Avichal Rakesh committed Nov 27, 2023
    d102805
  8. FROMGIT: usb: gadget: uvc: Fix use-after-free for inflight usb_requests

    Currently, the uvc gadget driver allocates all uvc_requests as one array
    and deallocates them all when the video stream stops. This includes
    de-allocating all the usb_requests associated with those uvc_requests.
    This can lead to use-after-free issues if any of those de-allocated
    usb_requests were still owned by the usb controller.
    
    This is patch 2 of 2 in fixing the use-after-free issue. It adds a new
    flag to uvc_video to track when frames and requests should be flowing.
    When disabling the video stream, the flag is tripped and, instead
    of de-allocating all uvc_requests and usb_requests, the gadget
    driver only de-allocates those usb_requests that are currently
    owned by it (as present in req_free). Other usb_requests are left
    untouched until their completion handler is called which takes care
    of freeing the usb_request and its corresponding uvc_request.
    
    Now that uvc_video does not depend on uvc->state, this patch removes
    unnecessary updates to uvc->state that were made to accommodate uvc_video
    logic. This should ensure that uvc gadget driver never accidentally
    de-allocates a usb_request that it doesn't own.
    
    Link: https://lore.kernel.org/[email protected]
    Reviewed-by: Daniel Scally <[email protected]>
    Reviewed-by: Michael Grzeschik <[email protected]>
    Suggested-by: Michael Grzeschik <[email protected]>
    Tested-by: Michael Grzeschik <[email protected]>
    Signed-off-by: Avichal Rakesh <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    
    Bug: 296925310
    (cherry picked from commit da324ffce34c521b239f319d4051260444a3eb4a
     https://kernel.googlesource.com/pub/scm/linux/kernel/git/gregkh/usb usb-next)
    Change-Id: Ib0378394dc20e894507f60c70f71c579d046cd7a
    Signed-off-by: Avichal Rakesh <[email protected]>
    Avichal Rakesh committed Nov 27, 2023
    19914a1
  9. FROMGIT: usb:gadget:uvc Do not use worker thread to pump isoc usb requests

    When we use an async work queue to perform the function of pumping
    usb requests to the usb controller, it is possible that amongst other
    factors, thread scheduling affects at what cadence we're able to pump
    requests. This could mean isoc usb requests miss their uframes - resulting
    in video stream flickers on the host device.
    
    To avoid this, we make the async_wq thread only produce isoc usb_requests
    with uvc buffers encoded into them. The process of queueing to the
    endpoint is done by the uvc_video_complete() handler. In case no
    usb_requests are ready with encoded information, we just queue a zero
    length request to the endpoint from the complete handler.
    
    For bulk endpoints the async_wq thread still queues usb requests to the
    endpoint.
    
    Signed-off-by: Michael Grzeschik <[email protected]>
    Signed-off-by: Jayant Chowdhary <[email protected]>
    Suggested-by: Avichal Rakesh <[email protected]>
    Suggested-by: Alan Stern <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    
    Bug: 301915972
    (cherry picked from commit 6acba0345b68772830582ca1ca369a2f45631275
     https://kernel.googlesource.com/pub/scm/linux/kernel/git/gregkh/usb usb-next)
    Change-Id: I5597cc29e9caec69e4f3575938d7d640857aaa28
    Signed-off-by: Avichal Rakesh <[email protected]>
    Jayant Chowdhary authored and Avichal Rakesh committed Nov 27, 2023
    d6f794b

Commits on Nov 28, 2023

  1. UPSTREAM: drm/qxl: fix UAF on handle creation

    commit c611589b4259ed63b9b77be6872b1ce07ec0ac16 upstream.
    
    qxl_mode_dumb_create() dereferences the qobj returned by
    qxl_gem_object_create_with_handle(), but the handle is the only one
    holding a reference to it.
    
    A potential attacker could guess the returned handle value and close it
    between the return of qxl_gem_object_create_with_handle() and the qobj
    usage, triggering a use-after-free scenario.
    
    Reproducer:
    
    int dri_fd =-1;
    struct drm_mode_create_dumb arg = {0};
    
    void gem_close(int handle);
    
    void* trigger(void* ptr)
    {
    	int ret;
    	arg.width = arg.height = 0x20;
    	arg.bpp = 32;
    	ret = ioctl(dri_fd, DRM_IOCTL_MODE_CREATE_DUMB, &arg);
    	if(ret)
    	{
    		perror("[*] DRM_IOCTL_MODE_CREATE_DUMB Failed");
    		exit(-1);
    	}
    	gem_close(arg.handle);
    	while(1) {
    		struct drm_mode_create_dumb args = {0};
    		args.width = args.height = 0x20;
    		args.bpp = 32;
    		ret = ioctl(dri_fd, DRM_IOCTL_MODE_CREATE_DUMB, &args);
    		if (ret) {
    			perror("[*] DRM_IOCTL_MODE_CREATE_DUMB Failed");
    			exit(-1);
    		}
    
    		printf("[*] DRM_IOCTL_MODE_CREATE_DUMB created, %d\n", args.handle);
    		gem_close(args.handle);
    	}
    	return NULL;
    }
    
    void gem_close(int handle)
    {
    	struct drm_gem_close args;
    	args.handle = handle;
    	int ret = ioctl(dri_fd, DRM_IOCTL_GEM_CLOSE, &args); // gem close handle
    	if (!ret)
    		printf("gem close handle %d\n", args.handle);
    }
    
    int main(void)
    {
    	dri_fd= open("/dev/dri/card0", O_RDWR);
    	printf("fd:%d\n", dri_fd);
    
    	if(dri_fd == -1)
    		return -1;
    
    	pthread_t tid1;
    
    	if(pthread_create(&tid1,NULL,trigger,NULL)){
    		perror("[*] thread_create tid1\n");
    		return -1;
    	}
    	while (1)
    	{
    		gem_close(arg.handle);
    	}
    	return 0;
    }
    
    This is a KASAN report:
    
    ==================================================================
    BUG: KASAN: slab-use-after-free in qxl_mode_dumb_create+0x3c2/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:69
    Write of size 1 at addr ffff88801136c240 by task poc/515
    
    CPU: 1 PID: 515 Comm: poc Not tainted 6.3.0 projectceladon#3
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
    Call Trace:
    <TASK>
    __dump_stack linux/lib/dump_stack.c:88
    dump_stack_lvl+0x48/0x70 linux/lib/dump_stack.c:106
    print_address_description linux/mm/kasan/report.c:319
    print_report+0xd2/0x660 linux/mm/kasan/report.c:430
    kasan_report+0xd2/0x110 linux/mm/kasan/report.c:536
    __asan_report_store1_noabort+0x17/0x30 linux/mm/kasan/report_generic.c:383
    qxl_mode_dumb_create+0x3c2/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:69
    drm_mode_create_dumb linux/drivers/gpu/drm/drm_dumb_buffers.c:96
    drm_mode_create_dumb_ioctl+0x1f5/0x2d0 linux/drivers/gpu/drm/drm_dumb_buffers.c:102
    drm_ioctl_kernel+0x21d/0x430 linux/drivers/gpu/drm/drm_ioctl.c:788
    drm_ioctl+0x56f/0xcc0 linux/drivers/gpu/drm/drm_ioctl.c:891
    vfs_ioctl linux/fs/ioctl.c:51
    __do_sys_ioctl linux/fs/ioctl.c:870
    __se_sys_ioctl linux/fs/ioctl.c:856
    __x64_sys_ioctl+0x13d/0x1c0 linux/fs/ioctl.c:856
    do_syscall_x64 linux/arch/x86/entry/common.c:50
    do_syscall_64+0x5b/0x90 linux/arch/x86/entry/common.c:80
    entry_SYSCALL_64_after_hwframe+0x72/0xdc linux/arch/x86/entry/entry_64.S:120
    RIP: 0033:0x7ff5004ff5f7
    Code: 00 00 00 48 8b 05 99 c8 0d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 69 c8 0d 00 f7 d8 64 89 01 48
    
    RSP: 002b:00007ff500408ea8 EFLAGS: 00000286 ORIG_RAX: 0000000000000010
    RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff5004ff5f7
    RDX: 00007ff500408ec0 RSI: 00000000c02064b2 RDI: 0000000000000003
    RBP: 00007ff500408ef0 R08: 0000000000000000 R09: 000000000000002a
    R10: 0000000000000000 R11: 0000000000000286 R12: 00007fff1c6cdafe
    R13: 00007fff1c6cdaff R14: 00007ff500408fc0 R15: 0000000000802000
    </TASK>
    
    Allocated by task 515:
    kasan_save_stack+0x38/0x70 linux/mm/kasan/common.c:45
    kasan_set_track+0x25/0x40 linux/mm/kasan/common.c:52
    kasan_save_alloc_info+0x1e/0x40 linux/mm/kasan/generic.c:510
    ____kasan_kmalloc linux/mm/kasan/common.c:374
    __kasan_kmalloc+0xc3/0xd0 linux/mm/kasan/common.c:383
    kasan_kmalloc linux/./include/linux/kasan.h:196
    kmalloc_trace+0x48/0xc0 linux/mm/slab_common.c:1066
    kmalloc linux/./include/linux/slab.h:580
    kzalloc linux/./include/linux/slab.h:720
    qxl_bo_create+0x11a/0x610 linux/drivers/gpu/drm/qxl/qxl_object.c:124
    qxl_gem_object_create+0xd9/0x360 linux/drivers/gpu/drm/qxl/qxl_gem.c:58
    qxl_gem_object_create_with_handle+0xa1/0x180 linux/drivers/gpu/drm/qxl/qxl_gem.c:89
    qxl_mode_dumb_create+0x1cd/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:63
    drm_mode_create_dumb linux/drivers/gpu/drm/drm_dumb_buffers.c:96
    drm_mode_create_dumb_ioctl+0x1f5/0x2d0 linux/drivers/gpu/drm/drm_dumb_buffers.c:102
    drm_ioctl_kernel+0x21d/0x430 linux/drivers/gpu/drm/drm_ioctl.c:788
    drm_ioctl+0x56f/0xcc0 linux/drivers/gpu/drm/drm_ioctl.c:891
    vfs_ioctl linux/fs/ioctl.c:51
    __do_sys_ioctl linux/fs/ioctl.c:870
    __se_sys_ioctl linux/fs/ioctl.c:856
    __x64_sys_ioctl+0x13d/0x1c0 linux/fs/ioctl.c:856
    do_syscall_x64 linux/arch/x86/entry/common.c:50
    do_syscall_64+0x5b/0x90 linux/arch/x86/entry/common.c:80
    entry_SYSCALL_64_after_hwframe+0x72/0xdc linux/arch/x86/entry/entry_64.S:120
    
    Freed by task 515:
    kasan_save_stack+0x38/0x70 linux/mm/kasan/common.c:45
    kasan_set_track+0x25/0x40 linux/mm/kasan/common.c:52
    kasan_save_free_info+0x2e/0x60 linux/mm/kasan/generic.c:521
    ____kasan_slab_free linux/mm/kasan/common.c:236
    ____kasan_slab_free+0x180/0x1f0 linux/mm/kasan/common.c:200
    __kasan_slab_free+0x12/0x30 linux/mm/kasan/common.c:244
    kasan_slab_free linux/./include/linux/kasan.h:162
    slab_free_hook linux/mm/slub.c:1781
    slab_free_freelist_hook+0xd2/0x1a0 linux/mm/slub.c:1807
    slab_free linux/mm/slub.c:3787
    __kmem_cache_free+0x196/0x2d0 linux/mm/slub.c:3800
    kfree+0x78/0x120 linux/mm/slab_common.c:1019
    qxl_ttm_bo_destroy+0x140/0x1a0 linux/drivers/gpu/drm/qxl/qxl_object.c:49
    ttm_bo_release+0x678/0xa30 linux/drivers/gpu/drm/ttm/ttm_bo.c:381
    kref_put linux/./include/linux/kref.h:65
    ttm_bo_put+0x50/0x80 linux/drivers/gpu/drm/ttm/ttm_bo.c:393
    qxl_gem_object_free+0x3e/0x60 linux/drivers/gpu/drm/qxl/qxl_gem.c:42
    drm_gem_object_free+0x5c/0x90 linux/drivers/gpu/drm/drm_gem.c:974
    kref_put linux/./include/linux/kref.h:65
    __drm_gem_object_put linux/./include/drm/drm_gem.h:431
    drm_gem_object_put linux/./include/drm/drm_gem.h:444
    qxl_gem_object_create_with_handle+0x151/0x180 linux/drivers/gpu/drm/qxl/qxl_gem.c:100
    qxl_mode_dumb_create+0x1cd/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:63
    drm_mode_create_dumb linux/drivers/gpu/drm/drm_dumb_buffers.c:96
    drm_mode_create_dumb_ioctl+0x1f5/0x2d0 linux/drivers/gpu/drm/drm_dumb_buffers.c:102
    drm_ioctl_kernel+0x21d/0x430 linux/drivers/gpu/drm/drm_ioctl.c:788
    drm_ioctl+0x56f/0xcc0 linux/drivers/gpu/drm/drm_ioctl.c:891
    vfs_ioctl linux/fs/ioctl.c:51
    __do_sys_ioctl linux/fs/ioctl.c:870
    __se_sys_ioctl linux/fs/ioctl.c:856
    __x64_sys_ioctl+0x13d/0x1c0 linux/fs/ioctl.c:856
    do_syscall_x64 linux/arch/x86/entry/common.c:50
    do_syscall_64+0x5b/0x90 linux/arch/x86/entry/common.c:80
    entry_SYSCALL_64_after_hwframe+0x72/0xdc linux/arch/x86/entry/entry_64.S:120
    
    The buggy address belongs to the object at ffff88801136c000
    which belongs to the cache kmalloc-1k of size 1024
    The buggy address is located 576 bytes inside of
    freed 1024-byte region [ffff88801136c000, ffff88801136c400)
    
    The buggy address belongs to the physical page:
    page:0000000089fc329b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11368
    head:0000000089fc329b order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
    flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
    raw: 000fffffc0010200 ffff888007841dc0 dead000000000122 0000000000000000
    raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
    page dumped because: kasan: bad access detected
    
    Memory state around the buggy address:
    ffff88801136c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    ffff88801136c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    >ffff88801136c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    ^
    ffff88801136c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    ffff88801136c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    ==================================================================
    Disabling lock debugging due to kernel taint
    
    Instead of returning a weak reference to the qxl_bo object, return the
    created drm_gem_object and let the caller decrement the reference count
    when it no longer needs it. As a convenience, if the caller is not
    interested in the gobj object, it can pass NULL to the parameter and the
    reference counting is decremented internally.
    
    The bug and the reproducer were originally found by the Zero Day Initiative project (ZDI-CAN-20940).
    
    Bug: 311571057
    Link: https://www.zerodayinitiative.com/
    Signed-off-by: Wander Lairson Costa <[email protected]>
    Cc: [email protected]
    Reviewed-by: Dave Airlie <[email protected]>
    Signed-off-by: Dave Airlie <[email protected]>
    Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    (cherry picked from commit d578c91)
    Signed-off-by: Lee Jones <[email protected]>
    Change-Id: If0e6ae00dd7e90f938beff9c6992ea37ba7bc4fa
    walac authored and lag-google committed Nov 28, 2023
    2550d09
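
The ownership rule this fix adopts, as an added user-space C model that is not the driver's code. All names are hypothetical, the racing GEM_CLOSE is replayed deterministically, and released objects stay in a static pool so the stale access can be observed safely.

```c
#include <stddef.h>
#include <stdio.h>

#define SLOTS 4

struct gem_obj { int refcount; };          /* refcount 0 == released */

static struct gem_obj pool[SLOTS];         /* released objects stay inspectable */
static struct gem_obj *handle_tbl[SLOTS];  /* handle h lives in handle_tbl[h - 1] */

static void model_reset(void)
{
	for (int i = 0; i < SLOTS; i++) {
		pool[i].refcount = 0;
		handle_tbl[i] = NULL;
	}
}

static void obj_put(struct gem_obj *o) { if (o->refcount > 0) o->refcount--; }
static int obj_alive(const struct gem_obj *o) { return o->refcount > 0; }

static struct gem_obj *obj_alloc(void)
{
	for (int i = 0; i < SLOTS; i++)
		if (pool[i].refcount == 0) {
			pool[i].refcount = 1;  /* creation reference */
			return &pool[i];
		}
	return NULL;
}

/* The handle table takes its own reference. Returns a handle >= 1, or -1. */
static int handle_create(struct gem_obj *o)
{
	for (int i = 0; i < SLOTS; i++)
		if (!handle_tbl[i]) {
			handle_tbl[i] = o;
			o->refcount++;
			return i + 1;
		}
	return -1;
}

/* Models GEM_CLOSE issued by another thread on a guessed handle number. */
static int handle_close(int h)
{
	if (h < 1 || h > SLOTS || !handle_tbl[h - 1])
		return -1;
	obj_put(handle_tbl[h - 1]);
	handle_tbl[h - 1] = NULL;
	return 0;
}

/* Before: the creation reference is dropped and a weak pointer is returned. */
static struct gem_obj *create_with_handle_weak(int *handle)
{
	struct gem_obj *o = obj_alloc();

	if (!o)
		return NULL;
	*handle = handle_create(o);
	obj_put(o);                    /* only the handle keeps o alive now */
	return *handle < 0 ? NULL : o;
}

/* After: the caller receives a counted reference, or passes NULL to decline it. */
static int create_with_handle(struct gem_obj **gobj, int *handle)
{
	struct gem_obj *o = obj_alloc();

	if (!o)
		return -1;
	*handle = handle_create(o);
	if (*handle < 0) {
		obj_put(o);
		return -1;
	}
	if (gobj)
		*gobj = o;             /* caller must obj_put() when done */
	else
		obj_put(o);            /* dropped internally for the caller */
	return 0;
}

/* Each scenario returns 1 if the object was still valid when the creator
 * touched it after handle creation, 0 if it was stale, -1 on error. */
static int dumb_create_weak(int racing_close)
{
	int h;
	struct gem_obj *o;

	model_reset();
	o = create_with_handle_weak(&h);
	if (!o)
		return -1;
	if (racing_close)
		handle_close(h);
	return obj_alive(o);           /* the driver wrote through the pointer here */
}

static int dumb_create_fixed(int racing_close)
{
	int h, alive;
	struct gem_obj *o;

	model_reset();
	if (create_with_handle(&o, &h))
		return -1;
	if (racing_close)
		handle_close(h);
	alive = obj_alive(o);
	obj_put(o);                    /* creator is finished with the object */
	return alive;
}

static int live_objects(void)
{
	int n = 0;

	for (int i = 0; i < SLOTS; i++)
		n += obj_alive(&pool[i]);
	return n;
}

int main(void)
{
	printf("weak,  racing close: valid=%d\n", dumb_create_weak(1));
	printf("fixed, racing close: valid=%d live=%d\n",
	       dumb_create_fixed(1), live_objects());
	return 0;
}
```
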
  2. UPSTREAM: USB: core: Unite old scheme and new scheme descriptor reads

    commit 85d07c55621676d47d873d2749b88f783cd4d5a1 upstream.
    
    In preparation for reworking the usb_get_device_descriptor() routine,
    it is desirable to unite the two different code paths responsible for
    initially determining endpoint 0's maximum packet size in a newly
    discovered USB device.  Making this determination presents a
    chicken-and-egg sort of problem, in that the only way to learn the
    maxpacket value is to get it from the device descriptor retrieved from
    the device, but communicating with the device to retrieve a descriptor
    requires us to know beforehand the ep0 maxpacket size.
    
    In practice this problem is solved in two different ways, referred to
    in hub.c as the "old scheme" and the "new scheme".  The old scheme
    (which is the approach recommended by the USB-2 spec) involves asking
    the device to send just the first eight bytes of its device
    descriptor.  Such a transfer uses packets containing no more than
    eight bytes each, and every USB device must have an ep0 maxpacket size
    >= 8, so this should succeed.  Since the bMaxPacketSize0 field of the
    device descriptor lies within the first eight bytes, this is all we
    need.
    
    The new scheme is an imitation of the technique used in an early
    Windows USB implementation, giving it the happy advantage of working
    with a wide variety of devices (some of them at the time would not
    work with the old scheme, although that's probably less true now).  It
    involves making an initial guess of the ep0 maxpacket size, asking the
    device to send up to 64 bytes worth of its device descriptor (which is
    only 18 bytes long), and then resetting the device to clear any error
    condition that might have resulted from the guess being wrong.  The
    initial guess is determined by the connection speed; it should be
    correct in all cases other than full speed, for which the allowed
    values are 8, 16, 32, and 64 (in this case the initial guess is 64).
    
    The reason for this patch is that the old- and new-scheme parts of
    hub_port_init() use different code paths, one involving
    usb_get_device_descriptor() and one not, for their initial reads of
    the device descriptor.  Since these reads have essentially the same
    purpose and are made under essentially the same circumstances, this is
    illogical.  It makes more sense to have both of them use a common
    subroutine.
    
    This subroutine does basically what the new scheme's code did, because
    that approach is more general than the one used by the old scheme.  It
    only needs to know how many bytes to transfer and whether or not it is
    being called for the first iteration of a retry loop (in case of
    certain time-out errors).  There are two main differences from the
    former code:
    
    	We initialize the bDescriptorType field of the transfer buffer
    	to 0 before performing the transfer, to avoid possibly
    	accessing an uninitialized value afterward.
    
    	We read the device descriptor into a temporary buffer rather
    	than storing it directly into udev->descriptor, which the old
    	scheme implementation used to do.
    
    Since the whole point of this first read of the device descriptor is
    to determine the bMaxPacketSize0 value, that is what the new routine
    returns (or an error code).  The value is stored in a local variable
    rather than in udev->descriptor.  As a side effect, this necessitates
    moving a section of code that checks the bcdUSB field for SuperSpeed
    devices until after the full device descriptor has been retrieved.
    
    Bug: 290990909
    Signed-off-by: Alan Stern <[email protected]>
    Cc: Oliver Neukum <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    (cherry picked from commit 56c49a3)
    Signed-off-by: Lee Jones <[email protected]>
    Change-Id: I2ffdb9ee11219fca6aeb2cda7867ea53fd6ca61c
    AlanStern authored and Treehugger Robot committed Nov 28, 2023
    a0f42ba
  3. UPSTREAM: USB: core: Change usb_get_device_descriptor() API

    commit de28e469da75359a2bb8cd8778b78aa64b1be1f4 upstream.
    
    The usb_get_device_descriptor() routine reads the device descriptor
    from the udev device and stores it directly in udev->descriptor.  This
    interface is error prone, because the USB subsystem expects in-memory
    copies of a device's descriptors to be immutable once the device has
    been initialized.
    
    The interface is changed so that the device descriptor is left in a
    kmalloc-ed buffer, not copied into the usb_device structure.  A
    pointer to the buffer is returned to the caller, who is then
    responsible for kfree-ing it.  The corresponding changes needed in the
    various callers are fairly small.
    
    Bug: 290990909
    Signed-off-by: Alan Stern <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    (cherry picked from commit eda9a29)
    Signed-off-by: Lee Jones <[email protected]>
    Change-Id: I7c4be5b5dd06f7d5ba8aacad33ecf78f4a3b49e6
    AlanStern authored and Treehugger Robot committed Nov 28, 2023
    f4fd913
  4. UPSTREAM: USB: core: Fix race by not overwriting udev->descriptor in hub_port_init()
    
    commit ff33299ec8bb80cdcc073ad9c506bd79bb2ed20b upstream.
    
    Syzbot reported an out-of-bounds read in sysfs.c:read_descriptors():
    
    BUG: KASAN: slab-out-of-bounds in read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883
    Read of size 8 at addr ffff88801e78b8c8 by task udevd/5011
    
    CPU: 0 PID: 5011 Comm: udevd Not tainted 6.4.0-rc6-syzkaller-00195-g40f71e7cd3c6 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
    Call Trace:
     <TASK>
     __dump_stack lib/dump_stack.c:88 [inline]
     dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
     print_address_description.constprop.0+0x2c/0x3c0 mm/kasan/report.c:351
     print_report mm/kasan/report.c:462 [inline]
     kasan_report+0x11c/0x130 mm/kasan/report.c:572
     read_descriptors+0x263/0x280 drivers/usb/core/sysfs.c:883
    ...
    Allocated by task 758:
    ...
     __do_kmalloc_node mm/slab_common.c:966 [inline]
     __kmalloc+0x5e/0x190 mm/slab_common.c:979
     kmalloc include/linux/slab.h:563 [inline]
     kzalloc include/linux/slab.h:680 [inline]
     usb_get_configuration+0x1f7/0x5170 drivers/usb/core/config.c:887
     usb_enumerate_device drivers/usb/core/hub.c:2407 [inline]
     usb_new_device+0x12b0/0x19d0 drivers/usb/core/hub.c:2545
    
    As analyzed by Khazhy Kumykov, the cause of this bug is a race between
    read_descriptors() and hub_port_init(): The first routine uses a field
    in udev->descriptor, not expecting it to change, while the second
    overwrites it.
    
    Prior to commit 45bf39f8df7f ("USB: core: Don't hold device lock while
    reading the "descriptors" sysfs file") this race couldn't occur,
    because the routines were mutually exclusive thanks to the device
    locking.  Removing that locking from read_descriptors() exposed it to
    the race.
    
    The best way to fix the bug is to keep hub_port_init() from changing
    udev->descriptor once udev has been initialized and registered.
    Drivers expect the descriptors stored in the kernel to be immutable;
    we should not undermine this expectation.  In fact, this change should
    have been made long ago.
    
    So now hub_port_init() will take an additional argument, specifying a
    buffer in which to store the device descriptor it reads.  (If udev has
    not yet been initialized, the buffer pointer will be NULL and then
    hub_port_init() will store the device descriptor in udev as before.)
    This eliminates the data race responsible for the out-of-bounds read.
    
    The changes to hub_port_init() appear more extensive than they really
    are, because of indentation changes resulting from an attempt to avoid
    writing to other parts of the usb_device structure after it has been
    initialized.  Similar changes should be made to the code that reads
    the BOS descriptor, but that can be handled in a separate patch later
    on.  This patch is sufficient to fix the bug found by syzbot.
    
    Bug: 290990909
    Reported-and-tested-by: [email protected]
    Closes: https://lore.kernel.org/linux-usb/[email protected]/#r
    Signed-off-by: Alan Stern <[email protected]>
    Cc: Khazhy Kumykov <[email protected]>
    Fixes: 45bf39f8df7f ("USB: core: Don't hold device lock while reading the "descriptors" sysfs file")
    Cc: [email protected]
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    (cherry picked from commit 7fe9d87)
    Signed-off-by: Lee Jones <[email protected]>
    Change-Id: Ia5e4a65cd5d895bf0d85a5aa5efa1c4d1368d069
    AlanStern authored and Treehugger Robot committed Nov 28, 2023
    d2d389f
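
The first-read routine and the extra buffer argument described in the three USB commit messages above, as an added user-space C model that is not the kernel's code. `xfer_fn`, `scratch`, `port_init()` and the sample descriptors are hypothetical names and constructed data, and bNumConfigurations is picked here only as an example of a field a concurrent reader depends on.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USB_DT_DEVICE      1    /* bDescriptorType value for a device descriptor */
#define USB_DT_DEVICE_SIZE 18
#define OFF_TYPE           1    /* bDescriptorType */
#define OFF_MAXPACKET0     7    /* bMaxPacketSize0, inside the first eight bytes */
#define OFF_NUMCONFIG      17   /* bNumConfigurations */

/* Hypothetical stand-in for a control transfer: bytes written, or -errno. */
typedef int (*xfer_fn)(uint8_t *buf, int len);

/* Constructed descriptors: the same device before and after it changes. */
static const uint8_t DESC_A[USB_DT_DEVICE_SIZE] = {
	18, USB_DT_DEVICE, 0x00, 0x02, 0, 0, 0, 64,
	0x34, 0x12, 0x78, 0x56, 0x00, 0x01, 1, 2, 3, 1 };
static const uint8_t DESC_B[USB_DT_DEVICE_SIZE] = {
	18, USB_DT_DEVICE, 0x00, 0x02, 0, 0, 0, 64,
	0x34, 0x12, 0x78, 0x56, 0x00, 0x01, 1, 2, 3, 4 };

static int copy_desc(const uint8_t *d, uint8_t *buf, int len)
{
	int n = len < USB_DT_DEVICE_SIZE ? len : USB_DT_DEVICE_SIZE;

	memcpy(buf, d, (size_t)n);
	return n;
}
static int dev_a(uint8_t *buf, int len) { return copy_desc(DESC_A, buf, len); }
static int dev_b(uint8_t *buf, int len) { return copy_desc(DESC_B, buf, len); }
static int dev_silent(uint8_t *buf, int len) { (void)buf; (void)len; return 0; }

/* Reused across calls, like a recycled heap buffer holding stale bytes. */
static uint8_t scratch[64];

/* First read: size is 8 (old scheme) or 64 (new scheme). */
static int get_max_packet_size0(xfer_fn xfer, int size)
{
	int r;

	if (size < 8 || size > (int)sizeof(scratch))
		return -EINVAL;
	/* Clear the field validated below so stale bytes cannot pass as a reply. */
	scratch[OFF_TYPE] = 0;
	r = xfer(scratch, size);
	if (r < 0)
		return r;
	if (scratch[OFF_TYPE] != USB_DT_DEVICE)
		return -EPROTO;
	switch (scratch[OFF_MAXPACKET0]) {
	case 8: case 16: case 32: case 64:
		return scratch[OFF_MAXPACKET0];
	default:
		return -EPROTO;
	}
}

struct usb_dev { uint8_t descriptor[USB_DT_DEVICE_SIZE]; };

/* dev_descr == NULL: device not yet initialised, store into udev as before.
 * dev_descr != NULL: device already registered, leave udev->descriptor alone. */
static int port_init(struct usb_dev *udev, xfer_fn xfer, uint8_t *dev_descr)
{
	uint8_t tmp[USB_DT_DEVICE_SIZE];
	int r = get_max_packet_size0(xfer, 64);

	if (r < 0)
		return r;
	r = xfer(tmp, USB_DT_DEVICE_SIZE);
	if (r < USB_DT_DEVICE_SIZE)
		return r < 0 ? r : -ENOMSG;
	memcpy(dev_descr ? dev_descr : udev->descriptor, tmp, sizeof(tmp));
	return 0;
}

/* Enumerate as DESC_A, then re-initialise while the device answers DESC_B.
 * which == 0: bNumConfigurations a concurrent reader of udev would see;
 * which == 1: bNumConfigurations handed to the caller for comparison. */
static int numconfig_after_reset(int which)
{
	struct usb_dev udev;
	uint8_t fresh[USB_DT_DEVICE_SIZE];

	if (port_init(&udev, dev_a, NULL) || port_init(&udev, dev_b, fresh))
		return -1;
	return which ? fresh[OFF_NUMCONFIG] : udev.descriptor[OFF_NUMCONFIG];
}

int main(void)
{
	printf("old scheme (8 bytes):  %d\n", get_max_packet_size0(dev_a, 8));
	printf("new scheme (64 bytes): %d\n", get_max_packet_size0(dev_a, 64));
	printf("silent device:         %d\n", get_max_packet_size0(dev_silent, 64));
	printf("reader sees %d configs, caller sees %d\n",
	       numconfig_after_reset(0), numconfig_after_reset(1));
	return 0;
}
```
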

Commits on Nov 29, 2023

  1. Merge tag 'android13-5.15.137_r00' into android13-5.15

    This merges up to the 5.15.137 LTS release into android13-5.15.
    
    It includes the following commits:
    
    * 61cfd264993d Revert "ipv4/fib: send notify when delete source address routes"
    * 96e78d17ff32 Revert "perf: Disallow mis-matched inherited group reads"
    * 0e202e52c706 Revert "xfrm: fix a data-race in xfrm_gen_index()"
    * 1706e8a9deb3 Revert "Bluetooth: hci_core: Fix build warnings"
    * ca21a66652be Revert "xfrm: interface: use DEV_STATS_INC()"
    * ea135f6ae66a ANDROID: GKI: arm64: drop CONFIG_DEBUG_PREEMPT forced disable
    *   a7c5fe8e7b29 Merge 5.15.137 into android13-5.15-lts
    |\
    | * 12952a23a5da Linux 5.15.137
    | * dff33880d40a xfrm6: fix inet6_dev refcount underflow problem
    | * 5a9d05a4f1c3 Bluetooth: hci_sock: Correctly bounds check and pad HCI_MON_NEW_INDEX name
    | * a6df96ee0b45 Bluetooth: hci_sock: fix slab oob read in create_monitor_event
    | * c08d609fb2b6 phy: mapphone-mdm6600: Fix pinctrl_pm handling for sleep pins
    | * e1b030b101f6 phy: mapphone-mdm6600: Fix runtime PM for remove
    | * 59f1095ab58e phy: mapphone-mdm6600: Fix runtime disable on probe
    | * b618062c0b13 serial: 8250: omap: Move uart_write() inside PM section
    | * 67f29cd2f851 ASoC: pxa: fix a memory leak in probe()
    | * 76d04c339508 gpio: vf610: set value before the direction to avoid a glitch
    | * 4b129e3964b3 platform/x86: asus-wmi: Map 0x2a code, Ignore 0x2b and 0x2c events
    | * e1a058cc2467 platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from 0x20 to 0x2e
    | * c6bbe51dcdf3 platform/surface: platform_profile: Propagate error if profile registration fails
    | * a73c8d716938 s390/cio: fix a memleak in css_alloc_subchannel
    | * c8b6c2df1e7d selftests/ftrace: Add new test case which checks non unique symbol
    | * 3ad81e6affcb s390/pci: fix iommu bitmap allocation
    | * 71d224acc4d1 perf: Disallow mis-matched inherited group reads
    | * 5aa89a11a2a6 USB: serial: option: add Fibocom to DELL custom modem FM101R-GL
    | * 8c376d863618 USB: serial: option: add entry for Sierra EM9191 with new firmware
    | * 483221216176 USB: serial: option: add Telit LE910C4-WWX 0x1035 composition
    | * e750fb71dc6a nvme-rdma: do not try to stop unallocated queues
    | * a9fd6d44abbc nvme-pci: add BOGUS_NID for Intel 0a54 device
    | * 071382bda1da ACPI: irq: Fix incorrect return value in acpi_register_gsi()
    | * 431a5010bce2 NFSv4.1: fixup use EXCHGID4_FLAG_USE_PNFS_DS for DS server
    | * 5762e72ef1b0 pNFS: Fix a hang in nfs4_evict_inode()
    | * 5a3abee2eee9 Revert "pinctrl: avoid unsafe code pattern in find_pinctrl()"
    | * 24959825377f mmc: core: Capture correct oemid-bits for eMMC cards
    | * 8041e7b7e7e9 mmc: core: sdio: hold retuning if sdio in 1-bit mode
    | * 262029c0c58c mmc: mtk-sd: Use readl_poll_timeout_atomic in msdc_reset_hw
    | * 3e363db1c13a mtd: physmap-core: Restore map_rom fallback
    | * 71823463b1b2 mtd: spinand: micron: correct bitmask for ecc status
    | * a50d2f17d562 mtd: rawnand: arasan: Ensure program page operations are successful
    | * ae53c92e928c mtd: rawnand: marvell: Ensure program page operations are successful
    | * c0ca2ab23098 mtd: rawnand: pl353: Ensure program page operations are successful
    | * a7070628043e mtd: rawnand: qcom: Unmap the right resource upon probe failure
    | * 3f928d1362f7 net: fix ifname in netlink ntf during netns move
    | * ac43ec299a6f net: move from strlcpy with unused retval to strscpy
    | * 30e2db403032 net: introduce a function to check if a netdev name is in use
    | * 38ba5479355b Bluetooth: hci_event: Fix using memcmp when comparing keys
    | * 3b2da6d62b42 net/mlx5: Handle fw tracer change ownership event based on MTRC
    | * f6e263824539 platform/x86: touchscreen_dmi: Add info for the Positivo C4128B
    | * ca56d8afe648 HID: multitouch: Add required quirk for Synaptics 0xcd7e device
    | * ca5bec7ecf26 btrfs: error out when reallocating block for defrag using a stale transaction
    | * 2692fd37aaf4 btrfs: error when COWing block from a root that is being deleted
    | * ef491d9560d9 btrfs: error out when COWing block using a stale transaction
    | * f89ed0a09673 btrfs: fix some -Wmaybe-uninitialized warnings in ioctl.c
    | * df486b75feca drm: panel-orientation-quirks: Add quirk for One Mix 2S
    | * d5ba30ee4f6d ipv4/fib: send notify when delete source address routes
    | * 9d07b7abd277 sky2: Make sure there is at least one frag_addr available
    | * f652eb4adf27 regulator/core: Revert "fix kobject release warning and memory leak in regulator_register()"
    | * aa77b187b1f0 wifi: cfg80211: avoid leaking stack data into trace
    | * 30a2285a2e18 wifi: mac80211: allow transmitting EAPOL frames with tainted key
    | * b64eb31a1b53 wifi: cfg80211: Fix 6GHz scan configuration
    | * bbec1724519e Bluetooth: hci_core: Fix build warnings
    | * 02b0e6991838 Bluetooth: Avoid redundant authentication
    | * 38681af225b6 Bluetooth: btusb: add shutdown function for QCA6174
    | * e6e9a32c3e60 HID: holtek: fix slab-out-of-bounds Write in holtek_kbd_input_event
    | * 06aabf7715da wifi: iwlwifi: Ensure ack flag is properly cleared.
    | * 6063f6f64fa4 wifi: mwifiex: Sanity check tlv_len and tlv_bitmap_len
    | * 59ebfeb7b319 tracing: relax trace_event_eval_update() execution with cond_resched()
    | * 3d85fb391fa7 ata: libata-eh: Fix compilation warning in ata_eh_link_report()
    | * 89e3cc1b0703 ata: libata-core: Fix compilation warning in ata_dev_config_ncq()
    | * 137c658ea3ce gpio: timberdale: Fix potential deadlock on &tgpio->lock
    | * 68f106c2b2ab overlayfs: set ctime when setting mtime and atime
    | * ef3c62e2f0f1 i2c: mux: Avoid potential false error message in i2c_mux_add_adapter
    | * e2f64f3eebaa btrfs: initialize start_slot in btrfs_log_prealloc_extents
    | * 266dab0ce42d btrfs: return -EUCLEAN for delayed tree ref with a ref count not equals to 1
    | * bc424f18fbdc fs-writeback: do not requeue a clean inode having skipped pages
    | * 92609823592c ARM: dts: ti: omap: Fix noisy serial with overrun-throttle-ms for mapphone
    | * 3898d8d685ab ksmbd: not allow to open file if delelete on close bit is set
    | * d3dc26c4fdc2 nfp: flower: avoid rmmod nfp crash issues
    | * 6c52b1215904 mctp: perform route lookups under a RCU read-side lock
    | * db3f17e571e8 mctp: Allow local delivery to the null EID
    | * 29017ab1a539 powerpc/47x: Fix 47x syscall return crash
    | * 558ee0fafd40 powerpc/32s: Do kuep_lock() and kuep_unlock() in assembly
    | * d00f4ae3accf powerpc/32s: Remove capability to disable KUEP at boottime
    | * fcb3f09e8173 drm/atomic-helper: relax unregistered connector check
    | * 403d201d1fd1 perf/x86/lbr: Filter vsyscall addresses
    | * 419ac18d8808 perf/x86: Move branch classifier
    | * 030099bc9115 perf: Add irq and exception return branch types
    | * ae80d5290c14 iio: adc: ad7192: Correct reference voltage
    | * 569a126f244b iio: cros_ec: fix an use-after-free in cros_ec_sensors_push_data()
    | * a9c471892d75 iio: core: introduce iio_device_{claim|release}_buffer_mode() APIs
    | * eafbb1966152 iio: core: Hide read accesses to iio_dev->currentmode
    | * 919721348c04 iio: Un-inline iio_buffer_enabled()
    | * 7f74bc91eb00 serial: 8250_omap: Fix errors with no_console_suspend
    | * d67d831e1dbc serial: 8250: omap: Fix imprecise external abort for omap_8250_pm()
    | * aff3019b553e selftests/mm: fix awk usage in charge_reserved_hugetlb.sh and hugetlb_reparenting_test.sh that may cause error
    | * 4f1d3d1ca500 net: pktgen: Fix interface flags printing
    | * 8bdf95e29f86 netfilter: nf_tables: revert do not remove elements if set backend implements .abort
    | * cc19daa037f5 netfilter: nf_tables: do not remove elements if set backend implements .abort
    | * db33720697c8 netfilter: nft_set_rbtree: .deactivate fails if element has expired
    | * 44768cad012c neighbor: tracing: Move pin6 inside CONFIG_IPV6=y section
    | * b33179dbf3f2 net/sched: sch_hfsc: upgrade 'rt' to 'sc' when it becomes a inner curve
    | * 0426d7bc17b8 bonding: Return pointer to data after pull on skb
    | * 66982023d741 net: dsa: bcm_sf2: Fix possible memory leak in bcm_sf2_mdio_register()
    | * 0ea476863ef7 i40e: prevent crash on probe if hw registers have invalid values
    | * f9202217a6ea net: usb: smsc95xx: Fix an error code in smsc95xx_reset()
    | * a2ceb30cc1fc ipv4: fib: annotate races around nh->nh_saddr_genid and nh->nh_saddr
    | * a270aa7a47db tun: prevent negative ifindex
    | * 9d55719f983d tcp: tsq: relax tcp_small_queue_check() when rtx queue contains a single skb
    | * 8ae344291e38 tcp: fix excessive TLP and RACK timeouts from HZ rounding
    | * 8b6b4ca42a94 net: rfkill: gpio: prevent value glitch during probe
    | * 4df9ba0d7a82 net: ipv6: fix return value check in esp_remove_trailer
    | * a9651e66d0bd net: ipv4: fix return value check in esp_remove_trailer
    | * 26a3c734cb8a xfrm: interface: use DEV_STATS_INC()
    | * f8bc4b708b11 xfrm: fix a data-race in xfrm_gen_index()
    | * b660e58ef72d qed: fix LL2 RX buffer allocation
    | * d35f398b88a1 ASoC: codecs: wcd938x: fix unbind tear down order
    | * d182d8ed7b7e ASoC: codecs: wcd938x: drop bogus bind error handling
    | * 8d32a6b67e77 ASoC: codecs: wcd938x-sdw: fix runtime PM imbalance on probe errors
    | * 6df571a6c153 ASoC: codecs: wcd938x-sdw: fix use after free on driver unbind
    | * 36eabe87031f drm/i915: Retry gtt fault when out of fence registers
    | * 34f62612be2a nvmet-tcp: Fix a possible UAF in queue intialization setup
    | * 04e0eef74b8f netfilter: nft_payload: fix wrong mac header matching
    | * efe43d1bcbcb fs/ntfs3: fix deadlock in mark_as_free_ex
    | * ab40c7ab7a93 fs/ntfs3: fix panic about slab-out-of-bounds caused by ntfs_list_ea()
    | * 24badb9dd8b8 fs/ntfs3: Fix possible null-pointer dereference in hdr_find_e()
    | * ff38d2a705e1 tcp: check mptcp-level constraints for backlog coalescing
    | * 582f7993353c x86/sev: Check for user-space IOIO pointing to kernel space
    | * 5c2c01be809d x86/sev: Check IOBM for IOIO exceptions from user-space
    | * 6797c6d09e50 x86/sev: Disable MMIO emulation from user mode
    | * 0b4e772a6a89 KVM: x86: Mask LVTPC when handling a PMI
    | * f61c43be1eb9 regmap: fix NULL deref on lookup
    | * ffdc881f6807 nfc: nci: fix possible NULL pointer dereference in send_acknowledge()
    | * d42aeae14fc4 ice: reset first in crash dump kernels
    | * e42cecb513af ice: fix over-shifted variable
    | * f6c093b97761 Bluetooth: avoid memcmp() out of bounds warning
    | * e5f8b43c9c90 Bluetooth: hci_event: Fix coding style
    | * 1597c1ed0e7d Bluetooth: vhci: Fix race when opening vhci device
    | * 1ef071526848 Bluetooth: Fix a refcnt underflow problem for hci_conn
    | * dd6b62fdd245 Bluetooth: Reject connection with the device which has same BD_ADDR
    | * 848a05c4423f Bluetooth: hci_event: Ignore NULL link key
    | * e7a2aa7770d3 xfs: don't expose internal symlink metadata buffers to the vfs
    | * fe5c6fbc5e4a Documentation: sysctl: align cells in second content column
    | * 1815844652cc lib/Kconfig.debug: do not enable DEBUG_PREEMPT by default
    * | 558a2461986e Revert "net: add sysctl accept_ra_min_rtr_lft"
    * | 042c8b7ec81e Revert "net: change accept_ra_min_rtr_lft to affect all RA lifetimes"
    * | 88545dee8c65 Revert "net: release reference to inet6_dev pointer"
    * | 987f2b76b345 Revert "scsi: core: Use a structure member to track the SCSI command submitter"
    * | 5448f20ac207 Revert "scsi: core: Rename scsi_mq_done() into scsi_done() and export it"
    * | aa17a5f040ac Revert "scsi: ib_srp: Call scsi_done() directly"
    * | 53a549207220 Revert "RDMA/srp: Do not call scsi_done() from srp_abort()"
    * | 90ec7834c858 Revert "net: macsec: indicate next pn update when offloading"
    * | 33c153dc1e9e Revert "net: phy: mscc: macsec: reject PN update requests"
    * | e472d47b2d7d Merge 5.15.136 into android13-5.15-lts
    |\|
    | * 00c03985402e Linux 5.15.136
    | * 5266b5b6e975 eth: remove remaining copies of the NAPI_POLL_WEIGHT define
    | * 528f0ba9f7a4 usb: hub: Guard against accesses to uninitialized BOS descriptors
    | * 542a3f1a3cc1 Revert "kernel/sched: Modify initial boot task idle setup"
    | * 737ce5518a9c arm64: armv8_deprecated: fix unused-function error
    | * 2e10931e2d77 arm64: armv8_deprecated: rework deprected instruction handling
    | * abd4aa081905 arm64: armv8_deprecated: move aarch32 helper earlier
    | * f10abdb04c3d arm64: armv8_deprecated move emulation functions
    | * 0b4eec015fa5 arm64: armv8_deprecated: fold ops into insn_emulation
    | * a8d2910be6f8 arm64: rework EL0 MRS emulation
    | * 057f9123b1a8 arm64: factor insn read out of call_undef_hook()
    | * 3f82927cabaf arm64: factor out EL1 SSBS emulation hook
    | * 474385adcd84 arm64: split EL0/EL1 UNDEF handlers
    | * de0358635401 arm64: allow kprobes on EL0 handlers
    | * 7154e2db8890 arm64: rework BTI exception handling
    | * cd5ceadc2b37 arm64: rework FPAC exception handling
    | * b6358002fd0c arm64: consistently pass ESR_ELx to die()
    | * 7ddb1ef2bb42 arm64: die(): pass 'err' as long
    | * 9a3e177ef570 arm64: report EL1 UNDEFs better
    | * d6808be3ff94 powerpc/64e: Fix wrong test in __ptep_test_and_clear_young()
    | * 9c0dc3e2c996 powerpc/8xx: Fix pte_access_permitted() for PAGE_NONE
    | * 4da05eba66e6 dmaengine: mediatek: Fix deadlock caused by synchronize_irq()
    | * 82f61b2d5187 dmaengine: idxd: use spin_lock_irqsave before wait_event_lock_irq
    | * ecba5afe86f3 x86/alternatives: Disable KASAN in apply_alternatives()
    | * cbd2aac00498 usb: cdnsp: Fixes issue with dequeuing not queued requests
    | * 7014807fb7ef usb: gadget: ncm: Handle decoding of multiple NTB's in unwrap call
    | * 50259cf71a1b usb: gadget: udc-xilinx: replace memcpy with memcpy_toio
    | * 308f19249641 counter: microchip-tcb-capture: Fix the use of internal GCLK logic
    | * 5a6ce81d7c16 pinctrl: avoid unsafe code pattern in find_pinctrl()
    | * 1c790191cab4 cgroup: Remove duplicates in cgroup v1 tasks file
    | * 1680c82929bc tee: amdtee: fix use-after-free vulnerability in amdtee_close_session
    | * b8ec40a90acd Input: goodix - ensure int GPIO is in input for gpio_count == 1 && gpio_int_idx == 0 case
    | * d092630e8a20 Input: i8042 - add Fujitsu Lifebook E5411 to i8042 quirk table
    | * 7cea6fa2d73f Input: xpad - add PXN V900 support
    | * 6ff4e50e2d2a Input: psmouse - fix fast_reconnect function for PS/2 mode
    | * 6a4a39638640 Input: powermate - fix use-after-free in powermate_config_complete
    | * 6ad7f52d8c58 ceph: fix type promotion bug on 32bit systems
    | * c0c4acd53a98 ceph: fix incorrect revoked caps assert in ceph_fill_file_size()
    | * 58f0e6324ec7 libceph: use kernel_connect()
    | * d727b97f8f2e thunderbolt: Check that lane 1 is in CL0 before enabling lane bonding
    | * 04c38bedd07c thunderbolt: Workaround an IOMMU fault on certain systems with Intel Maple Ridge
    | * a586742a3780 mcb: remove is_added flag from mcb_device struct
    | * 4382d1a996e5 x86/cpu: Fix AMD erratum #1485 on Zen4-based CPUs
    | * 763167003a80 ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CBA
    | * 510d4a01d84c drm/amd/display: Don't set dpms_off for seamless boot
    | * 9cb61ab9f4ca drm/amdgpu: add missing NULL check
    | * f9a1af37b801 iio: pressure: ms5611: ms5611_prom_is_valid false negative bug
    | * 09b8ed9547f1 iio: pressure: dps310: Adjust Timeout Settings
    | * 4c80ecef859d iio: pressure: bmp280: Fix NULL pointer exception
    | * a625de7e5464 usb: musb: Modify the "HWVers" register address
    | * eb28694f6da8 usb: musb: Get the musb_qh poniter after musb_giveback
    | * ee88141873a8 usb: cdns3: Modify the return value of cdns_set_active () to void when CONFIG_PM_SLEEP is disabled
    | * 3b2dbc4f3302 usb: dwc3: Soft reset phy on probe for host
    | * 42c56e015653 net: usb: dm9601: fix uninitialized variable use in dm9601_mdio_read
    | * 524f45361789 usb: xhci: xhci-ring: Use sysdev for mapping bounce buffer
    | * 1d8e7fe85528 xhci: Keep interrupt disabled in initialization until host is running.
    | * cb34e3b25c37 dmaengine: stm32-mdma: abort resume if no ongoing transfer
    | * d56dbfe750a8 media: mtk-jpeg: Fix use after free bug due to uncanceled work
    | * 5e13e69ddf0d net: release reference to inet6_dev pointer
    | * aade10d51ddc net: change accept_ra_min_rtr_lft to affect all RA lifetimes
    | * 8f12d2d66cba net: add sysctl accept_ra_min_rtr_lft
    | * bc9f6cbeb999 workqueue: Override implicit ordered attribute in workqueue_apply_unbound_cpumask()
    | * 25dd54b95abf nfc: nci: assert requested protocol is valid
    | * b2bb3b43b94a pinctrl: renesas: rzn1: Enable missing PINMUX
    | * c4140dd77c3b net/smc: Fix pos miscalculation in statistics
    | * d888d3f70b0d net: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn()
    | * 249a1fdb95d5 net/mlx5e: Again mutually exclude RX-FCS and RX-port-timestamp
    | * 2112cacb38aa ixgbe: fix crash with empty VF macvlan list
    | * 935a15334d77 net: phy: mscc: macsec: reject PN update requests
    | * 667fe9101a3a net: macsec: indicate next pn update when offloading
    | * 2dcb31e65d26 bpf: Fix verifier log for async callback return values
    | * 6a217af2c67f drm/vmwgfx: fix typo of sizeof argument
    | * 72ef70886556 riscv, bpf: Sign-extend return values
    | * 7795592e0818 riscv, bpf: Factor out emit_call for kernel and bpf context
    | * 58941cc742ca xen-netback: use default TX queue size for vifs
    | * cffdced18af8 eth: remove copies of the NAPI_POLL_WEIGHT define
    | * 5c360eec5332 mlxsw: fix mlxsw_sp2_nve_vxlan_learning_set() return type
    | * 84c6aa0ae5c4 ieee802154: ca8210: Fix a potential UAF in ca8210_probe
    | * 616761cf9df9 ravb: Fix use-after-free issue in ravb_tx_timeout_work()
    | * 30ebd4177593 ravb: Fix up dma_free_coherent() call in ravb_remove()
    | * 3f39de2bd1d2 drm/msm/dpu: change _dpu_plane_calc_bw() to use u64 to avoid overflow
    | * 85ae07d4dcc6 drm/msm/dsi: fix irq_of_parse_and_map() error checking
    | * 9a890c7d4d0f drm/msm/dsi: skip the wait for video mode done if not applicable
    | * b9de60b6830c drm/msm/dp: do not reinitialize phy unless retry during link training
    | * afe5f596b588 KEYS: trusted: Remove redundant static calls usage
    | * 20e73ece06b3 KEYS: trusted: allow use of kernel RNG for key material
    | * a01d68b6c666 ALSA: usb-audio: Fix microphone sound on Opencomm2 Headset
    | * 5b5e58299eac net: prevent address rewrite in kernel_bind()
    | * 56e96b38d2f7 quota: Fix slow quotaoff
    | * 28ddc1e0b898 HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect
    | * b930f0f7bbc2 lib/test_meminit: fix off-by-one error in test_pages()
    | * 982bd86fd659 platform/x86: hp-wmi:: Mark driver struct with __refdata to prevent section mismatch warning
    | * 124cf0ea4b82 platform/x86: think-lmi: Fix reference leak
    | * 3d2a16f878f0 of: overlay: Reorder struct fragment fields kerneldoc
    | * 10f4a0b6657e perf/arm-cmn: Fix the unhandled overflow status of counter 4 to 7
    | * b7966e2191d0 RDMA/cxgb4: Check skb value for failure to allocate
    | * b9bdffb3f9aa RDMA/srp: Do not call scsi_done() from srp_abort()
    | * 7d4999589ebc scsi: ib_srp: Call scsi_done() directly
    | * d2746cdfd5e5 scsi: core: Rename scsi_mq_done() into scsi_done() and export it
    | * 8f2350e204da scsi: core: Use a structure member to track the SCSI command submitter
    | * 29298c85a81a iommu/vt-d: Avoid memory allocation in iommu_suspend()
    * | 317c6c346ab2 Revert "spi: zynqmp-gqspi: Convert to platform remove callback returning void"
    * | 1ce1d976647e Revert "netfilter: handle the connecting collision properly in nf_conntrack_proto_sctp"
    * | 39de8e2114ec Merge 5.15.135 into android13-5.15-lts
    |\|
    | * 02e21884dcf2 Linux 5.15.135
    | * c8af81a9d36e xen/events: replace evtchn_rwlock with RCU
    | * c346494ec7f1 parisc: Restore __ldcw_align for PA-RISC 2.0 processors
    | * 694e13732e83 ksmbd: fix uaf in smb20_oplock_break_ack
    | * e914c3a47e45 RDMA/mlx5: Fix NULL string error
    | * 81b7bf367eea RDMA/siw: Fix connection failure handling
    | * 5d8bd138204f RDMA/uverbs: Fix typo of sizeof argument
    | * 60c9ed88526d RDMA/cma: Fix truncation compilation warning in make_cma_ports
    | * 7f6136ced1b8 RDMA/cma: Initialize ib_sa_multicast structure to 0 when join
    | * 1dd6095fc727 gpio: pxa: disable pinctrl calls for MMP_GPIO
    | * 844fcf4c697c gpio: aspeed: fix the GPIO number passed to pinctrl_gpio_set_config()
    | * 1878d6666c32 IB/mlx4: Fix the size of a buffer in add_port_entries()
    | * 718d9b44afca of: dynamic: Fix potential memory leak in of_changeset_action()
    | * e0878f38b661 RDMA/core: Require admin capabilities to set system parameters
    | * 18a839064fc6 dm zoned: free dmz->ddev array in dmz_put_zoned_devices
    | * 8781fe259dd5 HID: intel-ish-hid: ipc: Disable and reenable ACPI GPE bit
    | * 949ccc91c35b HID: sony: remove duplicate NULL check before calling usb_free_urb()
    | * a02c02adc2bd sctp: update hb timer immediately after users change hb_interval
    | * 7783b471bfce sctp: update transport state when processing a dupcook packet
    | * 1abac613c0d5 tcp: fix delayed ACKs for MSS boundary condition
    | * 821b3b00bc0f tcp: fix quick-ack counting to count actual ACKs of new data
    | * 24fb22bddb71 tipc: fix a potential deadlock on &tx->lock
    | * 2e53585e233c net: stmmac: dwmac-stm32: fix resume on STM32 MCU
    | * 74e569324050 ipv4: Set offload_failed flag in fibmatch results
    | * a4b9bbd1d12f netfilter: nf_tables: nft_set_rbtree: fix spurious insertion failure
    | * 88497f74d684 netfilter: handle the connecting collision properly in nf_conntrack_proto_sctp
    | * 0c9cf5e8807f ibmveth: Remove condition to recompute TCP header checksum.
    | * 5a899e2ce848 net: ethernet: ti: am65-cpsw: Fix error code in am65_cpsw_nuss_init_tx_chns()
    | * 4837a192f6d0 net: nfc: llcp: Add lock when modifying device list
    | * cda10784a176 net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg
    | * 2801a1ddb26d net: dsa: mv88e6xxx: Avoid EEPROM timeout when EEPROM is absent
    | * cb145e6c2070 ptp: ocp: Fix error handling in ptp_ocp_device_init
    | * cd1189956393 ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()
    | * 147d89ee4143 net: fix possible store tearing in neigh_periodic_work()
    | * bdb4fcf18e16 modpost: add missing else to the "of" check
    | * bc8b89b69638 bpf, sockmap: Reject sk_msg egress redirects to non-TCP sockets
    | * 9fb4dfb8e212 NFSv4: Fix a nfs4_state_manager() race
    | * fcdd79fda38a ima: rework CONFIG_IMA dependency block
    | * b67adca1e1be scsi: target: core: Fix deadlock due to recursive locking
    | * 9a103e0b100c ima: Finish deprecation of IMA_TRUSTED_KEYRING Kconfig
    | * bb6aee0696c6 regmap: rbtree: Fix wrong register marked as in-cache when creating new node
    | * 0cee8c1b3af3 wifi: mt76: mt76x02: fix MT76x0 external LNA gain handling
    | * 3f6fbbccba2d drivers/net: process the result of hdlc_open() and add call of hdlc_close() in uhdlc_close()
    | * ebad2e4c4847 bpf: Fix tr dereferencing
    | * 5afb996349cb wifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet
    | * 7c8faa310803 wifi: iwlwifi: mvm: Fix a memory corruption issue
    | * 5db7af530ebd iwlwifi: avoid void pointer arithmetic
    | * 6ff75f524dae wifi: iwlwifi: dbg_ini: fix structure packing
    | * 0ea2a6349733 ubi: Refuse attaching if mtd's erasesize is 0
    | * bb0707fde749 HID: sony: Fix a potential memory leak in sony_probe()
    | * 8afbacf61919 arm64: Add Cortex-A520 CPU part definition
    | * 0da6d21ba235 drm/amd: Fix detection of _PR3 on the PCIe root port
    | * 1ad7ccd45a65 net: prevent rewrite of msg_name in sock_sendmsg()
    | * 0fb3df94274b net: replace calls to sock->ops->connect() with kernel_connect()
    | * 37b54e8acea5 wifi: mwifiex: Fix tlv_buf_left calculation
    | * e80f55d6d2a9 qed/red_ll2: Fix undefined behavior bug in struct qed_ll2_info
    | * 1e69422efcc6 vringh: don't use vringh_kiov_advance() in vringh_iov_xfer()
    | * 4e2f83952b1d scsi: zfcp: Fix a double put in zfcp_port_enqueue()
    | * 310bca649b30 Revert "clk: imx: pll14xx: dynamically configure PLL for 393216000/361267200Hz"
    | * 3f59e63568ad block: fix use-after-free of q->q_usage_counter
    | * b75b017b3f37 rbd: take header_rwsem in rbd_dev_refresh() only when updating
    | * 33229d783466 rbd: decouple parent info read-in from updating rbd_dev
    | * ab73e7ed79d3 rbd: decouple header read-in from updating rbd_dev->header
    | * b4ddad3fb0ea rbd: move rbd_dev_refresh() definition
    | * bb1fae816c90 iommu/arm-smmu-v3: Avoid constructing invalid range commands
    | * c4edc7b5c836 iommu/arm-smmu-v3: Set TTL invalidation hint better
    | * a98ad3adf60d arm64: Avoid repeated AA64MMFR1_EL1 register read on pagefault path
    | * aad6ba1715ec ring-buffer: Fix bytes info in per_cpu buffer stats
    | * 8012d0b05158 ring-buffer: remove obsolete comment for free_buffer_page()
    | * 65a218ca516e NFSv4: Fix a state manager thread deadlock regression
    | * 8454a2f5e930 NFS: rename nfs_client_kset to nfs_kset
    | * f8b0b6a8e196 NFS: Cleanup unused rpc_clnt variable
    | * 686746be7bfb ASoC: tegra: Fix redundant PLLA and PLLA_OUT0 updates
    | * 0a210e63844b ASoC: soc-utils: Export snd_soc_dai_is_dummy() symbol
    | * b4f7f1556813 spi: zynqmp-gqspi: fix clock imbalance on probe failure
    | * e514f897ad66 spi: zynqmp-gqspi: Convert to platform remove callback returning void
    * | 65fc22a29c6e Revert "net: bridge: use DEV_STATS_INC()"
    * | 2bcfc32534ed Merge 5.15.134 into android13-5.15-lts
    |\|
    | * 1edcec18cfb7 Linux 5.15.134
    | * 09a683023785 netfilter: nf_tables: fix kdoc warnings after gc rework
    | * 66cb6d74f5a1 drm/meson: fix memory leak on ->hpd_notify callback
    | * 91f1f025b6d9 fs: binfmt_elf_efpic: fix personality for ELF-FDPIC
    | * 1cae7473a6dd ata: libata-sata: increase PMP SRST timeout to 10s
    | * e74adc589922 ata: libata-core: Do not register PM operations for SAS ports
    | * 4cbd55a81965 ata: libata-core: Fix port and device removal
    | * ddc525fffb44 ata: libata-core: Fix ata_port_request_pm() locking
    | * 2990a195edb5 net: thunderbolt: Fix TCPv6 GSO checksum calculation
    | * 132a5ae4136b bpf: Fix BTF_ID symbol generation collision in tools/
    | * 58d560e98da5 bpf: Fix BTF_ID symbol generation collision
    | * f8673f651bc1 btrfs: properly report 0 avail for very full file systems
    | * b5d00cd7db66 ring-buffer: Update "shortest_full" in polling
    | * 00d2cb8066cb proc: nommu: /proc/<pid>/maps: release mmap read lock
    | * 40527ebb3e45 Revert "SUNRPC dont update timeout value on connection reset"
    | * a2b1d486fb70 io_uring/fs: remove sqe->rw_flags checking from LINKAT
    | * 111fe77cb13f sched/rt: Fix live lock between select_fallback_rq() and RT push
    | * 3569ad59664f kernel/sched: Modify initial boot task idle setup
    | * 07f78e97676c i2c: i801: unregister tco_pdev in i801_probe() error path
    | * 70df8b9c59bc ata: libata-scsi: ignore reserved bits for REPORT SUPPORTED OPERATION CODES
    | * a7e0c10a8c33 ALSA: hda: Disable power save for solving pop issue on Lenovo ThinkCentre M70q
    | * 0c5fd85fb01f netfilter: nf_tables: disallow rule removal from chain binding
    | * 3936e8714907 nilfs2: fix potential use after free in nilfs_gccache_submit_read_data()
    | * 2b837f13a818 serial: 8250_port: Check IRQ data before use
    | * a48d2bcd23f2 Revert "tty: n_gsm: fix UAF in gsm_cleanup_mux"
    | * 78e70c6238d2 misc: rtsx: Fix some platforms can not boot and move the l1ss judgment to probe
    | * f090a8b4d2e3 x86/srso: Add SRSO mitigation for Hygon processors
    | * f5a604757aa8 iommu/arm-smmu-v3: Fix soft lockup triggered by arm_smmu_mm_invalidate_range
    | * efce75bd2dbc Smack:- Use overlay inode label in smack_inode_copy_up()
    | * 0e3450487f99 smack: Retrieve transmuting information in smack_inode_getsecurity()
    | * 3586b3feed1b smack: Record transmuting in smk_transmuted
    | * 9690ad557d94 nvme-pci: always return an ERR_PTR from nvme_pci_alloc_dev
    | * 3c29c6e8cd7c scsi: qla2xxx: Fix NULL pointer dereference in target mode
    | * 6e5e4223c897 i40e: fix potential NULL pointer dereferencing of pf->vf i40e_sync_vsi_filters()
    | * aff3994d4bdd watchdog: iTCO_wdt: Set NO_REBOOT if the watchdog is not already running
    | * 83a30e945571 watchdog: iTCO_wdt: No need to stop the timer in probe
    | * 1e8c573f50a7 nvme-pci: do not set the NUMA node of device if it has none
    | * 182d13dadb03 nvme-pci: factor out a nvme_pci_alloc_dev helper
    | * af58072e867c nvme-pci: factor the iod mempool creation into a helper
    | * c8bc44936f2c cgroup: Fix suspicious rcu_dereference_check() usage warning
    | * ce6b88a5853d sched/cpuacct: Optimize away RCU read lock
    | * b1deb155524e perf build: Define YYNOMEM as YYNOABORT for bison < 3.81
    | * 86e65ffc4d0f fbdev/sh7760fb: Depend on FB=y
    | * 4bf0044fe43f ncsi: Propagate carrier gain/loss events to the NCSI controller
    | * 288990ec3580 powerpc/watchpoints: Annotate atomic context in more places
    | * 47a94e87f00c powerpc/watchpoint: Disable pagefaults when getting user instruction
    | * 7eb09f70d9c2 powerpc/watchpoints: Disable preemption in thread_change_pc()
    | * 134b01a39077 media: vb2: frame_vector.c: replace WARN_ONCE with a comment
    | * baf7cf0fdb83 ASoC: imx-rpmsg: Set ignore_pmdown_time for dai_link
    | * 9da93c74490c bpf: Clarify error expectations from bpf_clone_redirect
    | * e1a8b79ad768 ASoC: fsl: imx-pcm-rpmsg: Add SNDRV_PCM_INFO_BATCH flag
    | * 45e028accbdf spi: stm32: add a delay before SPI disable
    | * 25850bf83dcd spi: nxp-fspi: reset the FLSHxCR1 registers
    | * 50662d21e414 ata: libata-eh: do not clear ATA_PFLAG_EH_PENDING in ata_eh_reset()
    | * 8e3cdab909db smb3: correct places where ENOTSUPP is used instead of preferred EOPNOTSUPP
    | * d540a4370aba scsi: pm80xx: Avoid leaking tags when processing OPC_INB_SET_CONTROLLER_CONFIG command
    | * fde57d7ba9b3 scsi: pm80xx: Use phy-specific SAS address when sending PHY_START command
    | * a1589abd7c4a drm/amdgpu: Handle null atom context in VBIOS info ioctl
    | * fd334cfd8412 drm/amd/display: Don't check registers, if using AUX BL control
    | * a8bc0f6357af platform/mellanox: mlxbf-bootctl: add NET dependency into Kconfig
    | * 344f2f3e61a9 ring-buffer: Do not attempt to read past "commit"
    | * 3db9b420709b selftests: fix dependency checker script
    | * 4aa90e624c30 btrfs: improve error message after failure to add delayed dir index item
    | * 53e7c559b7bf ring-buffer: Avoid softlockup in ring_buffer_resize()
    | * b4874f72cf57 selftests/ftrace: Correctly enable event in instance-event.tc
    | * 8c5c9ecbfa8d scsi: ufs: core: Move __ufshcd_send_uic_cmd() outside host_lock
    | * e08e61d50a30 scsi: qedf: Add synchronization between I/O completions and abort
    | * ada7fcba2d6a parisc: irq: Make irq_stack_union static to avoid sparse warning
    | * b7e376a26b0c parisc: drivers: Fix sparse warning
    | * d8c6fad00282 parisc: iosapic.c: Fix sparse warnings
    | * 1ecdcfec4e4a parisc: sba: Fix compile warning wrt list of SBA devices
    | * bd1ec7f9983b spi: sun6i: fix race between DMA RX transfer completion and RX FIFO drain
    | * ff05ed4ae214 spi: sun6i: reduce DMA RX transfer width to single byte
    | * ac0d06809934 dma-debug: don't call __dma_entry_alloc_check_leak() under free_entries_lock
    | * d938c3d278d5 i2c: npcm7xx: Fix callback completion ordering
    | * 0c615323a745 gpio: pmic-eic-sprd: Add can_sleep flag for PMIC EIC chip
    | * 2a47ee15a6ab soc: imx8m: Enable OCOTP clock for imx8mm before reading registers
    | * 7c59b882b9b3 xtensa: boot/lib: fix function prototypes
    | * 70460e81e2d1 xtensa: boot: don't add include-dirs
    | * bc51434b6612 xtensa: iss/network: make functions static
    | * 8e0f78a84f64 xtensa: add default definition for XCHAL_HAVE_DIV32
    | * be57fc50dc3c firmware: imx-dsp: Fix an error handling path in imx_dsp_setup_channels()
    | * 1df81ea9e4db power: supply: ucs1002: fix error code in ucs1002_get_property()
    | * 6937e44ffb91 bus: ti-sysc: Fix SYSC_QUIRK_SWSUP_SIDLE_ACT handling for uart wake-up
    | * 0e75aa86a7d0 ARM: dts: ti: omap: motorola-mapphone: Fix abe_clkctrl warning on boot
    | * 1b39eae11752 ARM: dts: ti: omap: Fix bandgap thermal cells addressing for omap3/4
    | * fcbf770c66ef ARM: dts: omap: correct indentation
    | * f5e12de36ab3 treewide: Replace GPLv2 boilerplate/reference with SPDX - gpl-2.0_56.RULE (part 1)
    | * 6829bc7978e0 clk: tegra: fix error return case for recalc_rate
    | * 78277b096d4c bus: ti-sysc: Fix missing AM35xx SoC matching
    | * 5435a49b3b66 bus: ti-sysc: Use fsleep() instead of usleep_range() in sysc_reset()
    | * c39df101d8ca drm/bridge: ti-sn65dsi83: Do not generate HFP/HBP/HSA and EOT packet
    | * 4bf10fd51ca5 MIPS: Alchemy: only build mmc support helpers if au1xmmc is enabled
    | * d2640d86876e btrfs: reset destination buffer when read_extent_buffer() gets invalid range
    | * 1a541999f31f scsi: qla2xxx: Use raw_smp_processor_id() instead of smp_processor_id()
    | * 532a23960566 scsi: qla2xxx: Select qpair depending on which CPU post_cmd() gets called
    | * 6642b4eb083b ata: ahci: Add Elkhart Lake AHCI controller
    | * 072611960741 ata: ahci: Rename board_ahci_mobile
    | * 8274154712a0 ata: ahci: Add support for AMD A85 FCH (Hudson D4)
    | * bd69c74dca70 ata: libata: Rename link flag ATA_LFLAG_NO_DB_DELAY
    | * f5ba6d9d6bec netfilter: nft_exthdr: Fix non-linear header modification
    | * 7ca3a1b0f474 netfilter: exthdr: add support for tcp option removal
    | * fb6f65780c9c Input: i8042 - add quirk for TUXEDO Gemini 17 Gen1/Clevo PD70PN
    | * 191fc23cfa9a Input: i8042 - rename i8042-x86ia64io.h to i8042-acpipnpio.h
    | * 5d2b57c0bc40 xfs: fix xfs_inodegc_stop racing with mod_delayed_work
    | * 657f842859c4 xfs: disable reaping in fscounters scrub
    | * 8444467eadb2 xfs: check that per-cpu inodegc workers actually run on that cpu
    | * 67db9ecb84d5 xfs: explicitly specify cpu when forcing inodegc delayed work to run immediately
    | * 99e65f075e6c xfs: introduce xfs_inodegc_push()
    | * 2df381963240 xfs: bound maximum wait time for inodegc work
    | * 08dc21596751 i2c: mux: gpio: Add missing fwnode_handle_put()
    | * f912d9d87421 i2c: mux: gpio: Replace custom acpi_get_local_address()
    | * 1aa39eee57f6 i2c: mux: demux-pinctrl: check the return value of devm_kstrdup()
    | * 9910b1411e7e gpio: tb10x: Fix an error handling path in tb10x_gpio_probe()
    | * d7acb7031758 Fix up backport of 136191703038 ("interconnect: Teach lockdep about icc_bw_lock order")
    | * d645206e9be2 igc: Expose tx-usecs coalesce setting to user
    | * d7a2bf6faa82 bnxt_en: Flush XDP for bnxt_poll_nitroa0()'s NAPI
    | * 56d2418a079a net: ena: Flush XDP packets on error.
    | * 07b569051f6e locking/seqlock: Do the lockdep annotation before locking in do_write_seqcount_begin_nested()
    | * a70dbdede0c7 netfilter: ipset: Fix race between IPSET_CMD_CREATE and IPSET_CMD_SWAP
    | * 0dcc9b4097d8 netfilter: nf_tables: disable toggling dormant table state more than once
    | * ea82139e6e35 net: rds: Fix possible NULL-pointer dereference
    | * cd05eec2ee0c team: fix null-ptr-deref when team device type is changed
    | * 8bc97117b51d net: bridge: use DEV_STATS_INC()
    | * 0d3939cccb20 net: hns3: add 5ms delay before clear firmware reset irq source
    | * d6d182d856d0 net: hns3: fix fail to delete tc flower rules during reset issue
    | * 7c47b238f4ec net: hns3: only enable unicast promisc when mac table full
    | * 96af9a55b782 net: hns3: fix GRE checksum offload issue
    | * 13ea4b92e875 x86/srso: Fix SBPB enablement for spec_rstack_overflow=off
    | * e2c34afe8362 x86/srso: Fix srso_show_state() side effect
    | * 21efa88e777f platform/x86: intel_scu_ipc: Fail IPC send if still busy
    | * 0a5d236b52cf platform/x86: intel_scu_ipc: Don't override scu in intel_scu_ipc_dev_simple_command()
    | * ab78000c38b4 platform/x86: intel_scu_ipc: Check status upon timeout in ipc_wait_for_interrupt()
    | * 47329633b3f0 platform/x86: intel_scu_ipc: Check status after timeout in busy_loop()
    | * 26df9ab5de30 dccp: fix dccp_v4_err()/dccp_v6_err() again
    | * 3b14e8431855 powerpc/perf/hv-24x7: Update domain value check
    | * 8860d354f653 ipv4: fix null-deref in ipv4_link_failure
    | * c196ecd3f893 igc: Fix infinite initialization loop with early XDP redirect
    | * a2d69dcb6ccb ionic: fix 16bit math issue when PAGE_SIZE >= 64KB
    | * 3796e449a03e i40e: Fix VF VLAN offloading when port VLAN is configured
    | * a628f3b5cd8d i40e: Add VF VLAN pruning
    | * 7a9eee3b5d4d iavf: do not process adminq tasks when __IAVF_IN_REMOVE_TASK is set
    | * f3c6a17900e8 ASoC: imx-audmix: Fix return error with devm_clk_get()
    | * f90a7b9586d7 net/core: Fix ETH_P_1588 flow dissector
    | * 55629e616452 selftests: tls: swap the TX and RX sockets in some tests
    | * acabf5df49aa bpf: Avoid deadlock when using queue and stack maps from NMI
    | * c6e44f4c31c5 netfilter: nf_tables: disallow element removal on anonymous sets
    | * 6a8de7775329 ASoC: meson: spdifin: start hw on dai probe
    | * ef99506eaf1d netfilter: nf_tables: fix memleak when more than 255 elements expired
    | * 8d7a00b904da netfilter: nft_set_hash: try later when GC hits EAGAIN on iteration
    | * 83d3a4607c58 netfilter: nft_set_pipapo: stop GC iteration if GC transaction allocation fails
    | * 949369f9f0d9 netfilter: nft_set_pipapo: call nft_trans_gc_queue_sync() in catchall GC
    | * 2e6846b613fa netfilter: nft_set_rbtree: use read spinlock to avoid datapath contention
    | * 9af7dfb3c9d7 netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction
    | * 9366966caf1a netfilter: nf_tables: defer gc run if previous batch is still pending
    | * 082791b42123 netfilter: nf_tables: use correct lock to protect gc_list
    | * b44a459c6561 netfilter: nf_tables: GC transaction race with abort path
    | * 24707fa1e1f9 netfilter: nf_tables: GC transaction race with netns dismantle
    | * 6796800f0d8e netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path
    | * af78b0489e88 netfilter: nf_tables: don't fail inserts if duplicate has expired
    | * 8f24fe69e3ca netfilter: nf_tables: remove busy mark and gc batch API
    | * b290795bd26f netfilter: nft_set_hash: mark set element as dead when deleting from packet path
    | * 479a2cf52593 netfilter: nf_tables: adapt set backend to use GC transaction API
    | * d19e8bf3ea41 netfilter: nf_tables: GC transaction API to avoid race with control plane
    | * 7c7e658a36f8 netfilter: nf_tables: don't skip expired elements during walk
    | * a2d1125ee04e tracing: Have event inject files inc the trace array ref count
    | * 6b6c088c38f7 ext4: do not let fstrim block system suspend
    | * a9d3bb58da95 ext4: move setting of trimmed bit into ext4_try_to_trim_range()
    | * d91abea15c61 ext4: replace the traditional ternary conditional operator with with max()/min()
    | * 656f0495e4ac ext4: change s_last_trim_minblks type to unsigned long
    | * be57857fb3c3 ext4: scope ret locally in ext4_try_to_trim_range()
    | * e832b55881a1 ata: libahci: clear pending interrupt status
    | * f6189f373151 ata: ahci: Drop pointless VPRINTK() calls and convert the remaining ones
    | * fa6d449e4d02 tracing: Increase trace array ref count on enable and filter files
    | * 7a688f191a17 tracing: Make trace_marker{,_raw} stream-like
    | * 68fc0e75c793 NFSv4.1: fix pnfs MDS=DS session trunking
    | * 0ff78c455494 NFSv4.1: use EXCHGID4_FLAG_USE_PNFS_DS for DS server
    | * d381bfe13895 SUNRPC: Mark the cred for revalidation if the server rejects it
    | * f1c434ddafe6 NFS/pNFS: Report EINVAL errors from connect() to the server
    | * 0c0a7e1f2a6a NFS: More fixes for nfs_direct_write_reschedule_io()
    | * a354b4a367f5 NFS: Use the correct commit info in nfs_join_page_group()
    * | 51c330012b68 Revert "usb: ehci: add workaround for chipidea PORTSC.PEC bug"
    * | c70292cc4ffd Merge 5.15.133 into android13-5.15-lts
    |\|
    | * b911329317b4 Linux 5.15.133
    | * e3a29b80e9e6 interconnect: Teach lockdep about icc_bw_lock order
    | * c6244cd00c97 drm/amd/display: enable cursor degamma for DCN3+ DRM legacy gamma
    | * 08569c92f7f3 net/sched: Retire rsvp classifier
    | * 6b080fa8aae1 drm/amdgpu: fix amdgpu_cs_p1_user_fence
    | * 6386a2d4dc01 drm/amd/display: fix the white screen issue when >= 64GB DRAM
    | * e04b7073bdce ext4: fix rec_len verify error
    | * 93763d58705a scsi: pm8001: Setup IRQs on resume
    | * 72a22696cf19 scsi: megaraid_sas: Fix deadlock on firmware crashdump
    | * 54603e8a88bc ata: libata: disallow dev-initiated LPM transitions to unsupported states
    | * 01c7c38a90bc i2c: aspeed: Reset the i2c controller when timeout occurs
    | * 763d39f4e8fb tracefs: Add missing lockdown check to tracefs_create_dir()
    | * bf195968e362 nfsd: fix change_info in NFSv4 RENAME replies
    | * bf38c1d29f8b tracing: Have option files inc the trace array ref count
    | * 85ad4688b7a7 tracing: Have current_trace inc the trace array ref count
    | * 962e6723239b tracing: Have tracing_max_latency inc the trace array ref count
    | * 380bbd46d61c btrfs: release path before inode lookup during the ino lookup ioctl
    | * 779c3cf2749c btrfs: fix lockdep splat and potential deadlock after failure running delayed items
    | * f9c78afcee46 ovl: fix incorrect fdput() on aio completion
    | * 05a7289a5d4b ovl: fix failed copyup of fileattr on a symlink
    | * 8bcb80293be7 attr: block mode changes of symlinks
    | * d30af15e460f md/raid1: fix error: ISO C90 forbids mixed declarations
    | * abdfde037712 samples/hw_breakpoint: fix building without module unloading
    | * 58787ff3d023 x86/purgatory: Remove LTO flags
    | * 8abf1ec895d5 x86/boot/compressed: Reserve more memory for page tables
    | * e1a27664fcf5 scsi: lpfc: Fix the NULL vs IS_ERR() bug for debugfs_create_file()
    | * f0fd24f1fae0 selftests: tracing: Fix to unmount tracefs for recovering environment
    | * dded6b81ad68 scsi: qla2xxx: Fix NULL vs IS_ERR() bug for debugfs_create_dir()
    | * 1d5caeac9655 drm: gm12u320: Fix the timeout usage for usb_bulk_msg()
    | * b9f0572b38c1 btrfs: compare the correct fsid/metadata_uuid in btrfs_validate_super
    | * cba491ee38e2 btrfs: add a helper to read the superblock metadata_uuid
    | * cb3671a2eeac btrfs: move btrfs_pinned_by_swapfile prototype into volumes.h
    | * f16fe29368fd perf test shell stat_bpf_counters: Fix test on Intel
    | * ad73216e006f perf test: Remove bash construct from stat_bpf_counters.sh test
    | * d8f81baeb9eb MIPS: Use "grep -E" instead of "egrep"
    | * dfe961b1e476 mtd: rawnand: brcmnand: Fix ECC level field setting for v7.2 controller
    | * 56cf9f446b33 mtd: rawnand: brcmnand: Allow SoC to provide I/O operations
    | * 34fcb59437a7 jbd2: correct the end of the journal recovery scan range
    | * a4605449cc9f jbd2: rename jbd_debug() to jbd2_debug()
    | * db6c90f2671c jbd2: kill t_handle_lock transaction spinlock
    | * e9270898222a jbd2: fix use-after-free of transaction_t race
    | * b0412dd1c24b jbd2: refactor wait logic for transaction updates into a common function
    | * f980bf1586ef printk: Consolidate console deferred printing
    | * 9be2957f014d interconnect: Fix locking for runpm vs reclaim
    | * f3f6bf22a4f5 kobject: Add sanity check for kset->kobj.ktype in kset_register()
    | * 81bbe6667024 media: pci: ipu3-cio2: Initialise timing struct to avoid a compiler warning
    | * d4ef3c9c7947 usb: ehci: add workaround for chipidea PORTSC.PEC bug
    | * c829d25e26fb serial: cpm_uart: Avoid suspicious locking
    | * 5353df78c226 scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show()
    | * b97aaf9faf89 tools: iio: iio_generic_buffer: Fix some integer type and calculation
    | * 60a71fd1910e usb: gadget: fsl_qe_udc: validate endpoint index for ch9 udc
    | * c861a61be6d3 usb: cdns3: Put the cdns set active part outside the spin lock
    | * 930c60e13947 media: pci: cx23885: replace BUG with error return
    | * 48bb6a9fa5cb media: tuners: qt1010: replace BUG_ON with a regular error
    | * 2a33fc57133d media: dvb-usb-v2: gl861: Fix null-ptr-deref in gl861_i2c_master_xfer
    | * 5b1ea100ad36 media: az6007: Fix null-ptr-deref in az6007_i2c_xfer()
    | * 3dd5846a8739 media: anysee: fix null-ptr-deref in anysee_master_xfer
    | * 033b0c0780ad media: af9005: Fix null-ptr-deref in af9005_i2c_xfer
    | * 903566208ae6 media: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer()
    | * d9ef84a7c222 media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer
    | * ca49cef3acaa PCI: fu740: Set the number of MSI vectors
    | * d35e7ae10eb8 powerpc/pseries: fix possible memory leak in ibmebus_bus_init()
    | * 46870eea5496 ARM: 9317/1: kexec: Make smp stop calls asynchronous
    | * ef7311101ca4 jfs: fix invalid free of JFS_IP(ipimap)->i_imap in diUnmount
    | * aa5b019a3e0f fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount()
    | * 7ac65c29b6c2 ext2: fix datatype of block number in ext2_xattr_set2()
    | * 4f96c0665f9f md: raid1: fix potential OOB in raid1_remove_disk()
    | * f3e9fc7b02b9 bus: ti-sysc: Configure uart quirks for k3 SoC
    | * 3157aa794c75 drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()
    | * 78bc9d25997a drm/amd/display: Blocking invalid 420 modes on HDMI TMDS for DCN31
    | * 5eca70c14b31 ALSA: hda: intel-dsp-cfg: add LunarLake support
    | * e8ba418d4926 samples/hw_breakpoint: Fix kernel BUG 'invalid opcode: 0000'
    | * 961df5a3f5cc arm64: dts: qcom: sm8250-edo: correct ramoops pmsg-size
    | * 49cd54900078 arm64: dts: qcom: sm8150-kumano: correct ramoops pmsg-size
    | * 1e0a38bb840a arm64: dts: qcom: sm6125-pdx201: correct ramoops pmsg-size
    | * 201071956ec6 drm/bridge: tc358762: Instruct DSI host to generate HSE packets
    | * c64ee9dd3358 wifi: mac80211_hwsim: drop short frames
    | * 66594a1e6ddd netfilter: ebtables: fix fortify warnings in size_entry_mwt()
    | * fedd9377dd9c wifi: mac80211: check S1G action frame size
    | * e08333e2abae alx: fix OOB-read compiler warning
    | * 2b0a093cdf59 mmc: sdhci-esdhc-imx: improve ESDHC_FLAG_ERR010450
    | * 0a1f87f0ca76 tpm_tis: Resend command to recover from data transfer errors
    | * 67589d247909 crypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui()
    | * 389106425dee wifi: wil6210: fix fortify warnings
    | * ddb8f358b5e0 wifi: mwifiex: fix fortify warning
    | * a7ebe459c72e wifi: ath9k: fix printk specifier
    | * 3de6b6ab69e2 wifi: ath9k: fix fortify warnings
    | * 6b0adfafb073 crypto: lrw,xts - Replace strlcpy with strscpy
    | * dc100292e503 devlink: remove reload failed checks in params get/set callbacks
    | * 7b7964cd9db3 ACPI: x86: s2idle: Catch multiple ACPI_TYPE_PACKAGE objects
    | * eda268b5b7ad hw_breakpoint: fix single-stepping when using bpf_overflow_handler
    | * 6e743b7261ef perf/imx_ddr: speed up overflow frequency of cycle
    | * f9a2c79c2970 perf/smmuv3: Enable HiSilicon Erratum 162001900 quirk for HIP08/09
    | * ed1afb597280 ACPI: video: Add backlight=native DMI quirk for Lenovo Ideapad Z470
    | * f685311dbe05 scftorture: Forgive memory-allocation failure if KASAN
    | * 4f03fba096bf rcuscale: Move rcu_scale_writer() schedule_timeout_uninterruptible() to _idle()
    | * f1ceff37ac6b kernel/fork: beware of __put_task_struct() calling context
    | * 430787056dd3 ACPICA: Add AML_NO_OPERAND_RESOLVE flag to Timer
    | * 766e56faddbe locks: fix KASAN: use-after-free in trace_event_raw_event_filelock_lock
    | * 6994f806c6d1 btrfs: output extra debug info if we failed to find an inline backref
    | * 71eeddcad734 autofs: fix memory leak of waitqueues in autofs_catatonic_mode
    * | 754f8cc9b7de Revert "pwm: atmel-tcb: Convert to platform remove callback returning void"
    * | 12cff4ffca32 FROMLIST: lib/test_meminit: fix off-by-one error in test_pages()
    * | 317df336a929 Revert "usb: typec: bus: verify partner exists in typec_altmode_attention"
    * | 27839edcfe7a Revert "scsi: core: Use 32-bit hostnum in scsi_host_lookup()"
    * | e296a90d28c0 Revert "fs/nls: make load_nls() take a const parameter"
    * | 8ed010e1a8c0 Revert "tracing: Introduce pipe_cpumask to avoid race on trace_pipes"
    * | 11e906694dc2 Revert "tracing: Zero the pipe cpumask on alloc to avoid spurious -EBUSY"
    * | 07952c0be063 Revert "crypto: api - Use work queue in crypto_destroy_instance"
    * | d0c27f008f19 Revert "ip_tunnels: use DEV_STATS_INC()"
    * | f983580f42c9 Merge 5.15.132 into android13-5.15-lts
    |\|
    | * 35ecaa3632bf Linux 5.15.132
    | * 0c0d79f3366a pcd: fix error codes in pcd_init_unit()
    | * 893978f1b4d1 drm/amd/display: Fix a bug when searching for insert_above_mpcc
    | * 0b8e09b39ef3 MIPS: Only fiddle with CHECKFLAGS if `need-compiler'
    | * 55d2e7c1ab8e kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().
    | * e80228b27487 ixgbe: fix timestamp configuration code
    | * 5b55dac919ec ipv6: fix ip6_sock_set_addr_preferences() typo
    | * 481bd6dcc5fe net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict()
    | * 3600c0dc0deb platform/mellanox: mlxbf-pmc: Fix reading of unprogrammed events
    | * 07c0abc80604 platform/mellanox: mlxbf-pmc: Fix potential buffer overflows
    | * 7c34ea34516d platform/mellanox: mlxbf-tmfifo: Drop jumbo frames
    | * 694035201aac platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more descriptors
    | * 97275339c34c kcm: Fix memory leak in error path of kcm_sendmsg()
    | * 864da4a5d5eb r8152: check budget for r8152_poll()
    | * fbdc4e9908b2 net: dsa: sja1105: hide all multicast addresses from "bridge fdb show"
    | * 6a4480c5e6eb hsr: Fix uninit-value access in fill_frame_info()
    | * 072324cfab9b net: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in mtk_hwlro_get_fdir_all()
    | * 5bb09dddc724 net: ethernet: mvpp2_main: fix possible OOB write in mvpp2_ethtool_get_rxnfc()
    | * 06b4934ab2b5 net/smc: use smc_lgr_list.lock to protect smc_lgr_list.list iterate in smcr_port_add
    | * aea3801c234d kselftest/runner.sh: Propagate SIGTERM to runner child
    | * 2f1e86014d0c net: ipv4: fix one memleak in __inet_del_ifa()
    | * f086e859ddc2 ARM: dts: BCM5301X: Extend RAM to full 256MB for Linksys EA6500 V2
    | * 8173d9027031 ARM: dts: samsung: exynos4210-i9100: Fix LCD screen's physical size
    | * 072cd213c64f block: don't add or resize partition on the disk with GENHD_FL_NO_PART
    | * c6ce1c5dd327 block: rename GENHD_FL_NO_PART_SCAN to GENHD_FL_NO_PART
    | * 6c06a7f6b41c block: move GENHD_FL_BLOCK_EVENTS_ON_EXCL_WRITE to disk->event_flags
    | * 8247ff0d5036 block: move GENHD_FL_NATIVE_CAPACITY to disk->state
    | * 5ad42b999a42 pcd: cleanup initialization
    | * 7607bc7fe6cc pcd: move the identify buffer into pcd_identify
    | * 242bbe218814 perf hists browser: Fix the number of entries for 'e' key
    | * 4d7a8a44e030 perf tools: Handle old data in PERF_RECORD_ATTR
    | * a8f91f480c62 perf hists browser: Fix hierarchy mode header
    | * 4ee1cf2a5bcc MIPS: Fix CONFIG_CPU_DADDI_WORKAROUNDS `modules_install' regression
    | * df4d8d5ab647 drm/amd/display: prevent potential division by zero errors
    | * 3b51d016bbbf mtd: rawnand: brcmnand: Fix potential false time out warning
    | * 2353b7bb61e4 mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write
    | * b59ff750bf80 mtd: rawnand: brcmnand: Fix crash during the panic_write
    | * ca5218aef9e5 btrfs: use the correct superblock to compare fsid in btrfs_validate_super
    | * f3260733894a btrfs: don't start transaction when joining with TRANS_JOIN_NOSTART
    | * 7ef0e8b812e0 btrfs: free qgroup rsv on io failure
    | * 5fd6f40d17e8 fuse: nlookup missing decrement in fuse_direntplus_link
    | * 65b6890c3d01 ata: pata_ftide010: Add missing MODULE_DESCRIPTION
    | * 0b62825dc6c3 ata: sata_gemini: Add missing MODULE_DESCRIPTION
    | * 81dd61cb1caa ata: pata_falcon: fix IO base selection for Q40
    | * 20bc2c470369 lib: test_scanf: Add explicit type cast to result initialization in test_number_prefix()
    | * 4315b4a95ecf ext4: add correct group descriptors and reserved GDT blocks to system zone
    | * ef5fea70e591 jbd2: check 'jh->b_transaction' before removing it from checkpoint
    | * 6778a3857266 jbd2: fix checkpoint cleanup performance regression
    | * 6b195e07a2cf dmaengine: sh: rz-dmac: Fix destination and source data size setting
    | * 0476f2016ddc ARC: atomics: Add compiler barrier to atomic operations...
    | * 3375186d5e3f net/mlx5: Free IRQ rmap and notifier on kernel shutdown
    | * 2348a375ee16 sh: boards: Fix CEU buffer size passed to dma_declare_coherent_memory()
    | * f5160dc17e81 net: hns3: remove GSO partial feature bit
    | * 6d548b7cb216 net: hns3: fix the port information display when sfp is absent
    | * cc3c67e08169 net: hns3: fix invalid mutex between tc qdisc and dcb ets command issue
    | * 2c9643fa6360 net: hns3: fix debugfs concurrency issue between kfree buffer and read
    | * 8bfa87cf4a86 net: hns3: fix byte order conversion issue in hclge_dbg_fd_tcam_read()
    | * 19280e8dfb52 netfilter: nfnetlink_osf: avoid OOB read
    | * 1ad7b189cc14 netfilter: nftables: exthdr: fix 4-byte stack OOB write
    | * 347f765176db net: dsa: sja1105: complete tc-cbs offload support on SJA1110
    | * cb4494cfe4b7 net: dsa: sja1105: fix -ENOSPC when replacing the same tc-cbs too many times
    | * 77b850b84d21 net: dsa: sja1105: fix bandwidth discrepancy between tc-cbs software and offload
    | * d11109c03d6e ip_tunnels: use DEV_STATS_INC()
    | * fcfb5842ef9c idr: fix param name in idr_alloc_cyclic() doc
    | * 131cd74a8e38 s390/zcrypt: don't leak memory if dev_set_name() fails
    | * 12de76fdddb5 igb: Change IGB_MIN to allow set rx/tx value between 64 and 80
    | * 7c2f90b1c213 igbvf: Change IGBVF_MIN to allow set rx/tx value between 64 and 80
    | * f4c5640d6d38 igc: Change IGC_MIN to allow set rx/tx value between 64 and 80
    | * 9210b3dd74ac octeontx2-af: Fix truncation of smq in CN10K NIX AQ enqueue mbox handler
    | * 1840f08c2a1b kcm: Destroy mutex in kcm_exit_net()
    | * 6ea277b2c626 net: sched: sch_qfq: Fix UAF in qfq_dequeue()
    | * 3868de7c5361 af_unix: Fix data race around sk->sk_err.
    | * d95456660fae af_unix: Fix data-races around sk->sk_shutdown.
    | * e5edc6e44a88 af_unix: Fix data-race around unix_tot_inflight.
    | * 9151ed4b0061 af_unix: Fix data-races around user->unix_inflight.
    | * 907fbed65cec net: phy: micrel: Correct bit assignments for phy_device flags
    | * 5d2d3f2300c3 net: ipv6/addrconf: avoid integer underflow in ipv6_create_tempaddr
    | * 77dd55f5ec6a veth: Fixing transmit return status for dropped packets
    | * 56603b2c82e3 igb: disable virtualization features on 82580
    | * 149bc7834d6f ipv4: ignore dst hint for multipath routes
    | * e18b49495a52 drm/i915/gvt: Drop unused helper intel_vgpu_reset_gtt()
    | * 5979985f2d6b xsk: Fix xsk_diag use-after-free error during socket cleanup
    | * 49acc5c5b280 net: fib: avoid warn splat in flow dissector
    | * ed4e0adfa407 net: read sk->sk_family once in sk_mc_loop()
    | * e0b483a0584f ipv4: annotate data-races around fi->fib_dead
    | * 74df0319e4e2 sctp: annotate data-races around sk->sk_wmem_queued
    | * 973a4c302d7f net/sched: fq_pie: avoid stalls in fq_pie_timer()
    | * 5e22217c1142 pwm: lpc32xx: Remove handling of PWM channels
    | * 676152264dec watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load
    | * d6aa2be1379d perf top: Don't pass an ERR_PTR() directly to perf_session__delete()
    | * 79bd17c99ec9 perf vendor events: Drop some of the JSON/events for power10 platform
    | * 1356eaceef34 perf vendor events: Update the JSON/events descriptions for power10 platform
    | * 24481d5c7413 x86/virt: Drop unnecessary check on extended CPUID level in cpu_has_svm()
    | * 6e9863165674 perf annotate bpf: Don't enclose non-debug code with an assert()
    | * 184be0d59242 Input: tca6416-keypad - fix interrupt enable disbalance
    | * 0b79f5a19cfb Input: tca6416-keypad - always expect proper IRQ number in i2c client
    | * 1e3167aa4ba2 backlight: gpio_backlight: Drop output GPIO direction check for initial power state
    | * 6fc8bdc3cf4c pwm: atmel-tcb: Fix resource freeing in error path and remove
    | * 6b2bb1a1a63c pwm: atmel-tcb: Harmonize resource allocation order
    | * d4734ef765eb pwm: atmel-tcb: Convert to platform remove callback returning void
    | * c3bc668581e7 perf trace: Really free the evsel->priv area
    | * 8e96f741b328 perf trace: Use zfree() to reduce chances of use after free
    | * 414cf7a2cc87 kconfig: fix possible buffer overflow
    | * be9ce0dbde4f gfs2: low-memory forced flush fixes
    | * 751facd3634c gfs2: Switch to wait_event in gfs2_logd
    | * d0245b066971 kbuild: do not run depmod for 'make modules_sign'
    | * 05333a6a21e3 bus: mhi: host: Skip MHI reset if device is in RDDM
    | * e2964c98ec31 NFSv4/pnfs: minor fix for cleanup path in nfs4_get_device_info
    | * da302f1d476a NFS: Fix a potential data corruption
    | * 0db19df21be5 clk: qcom: mss-sc7180: fix missing resume during probe
    | * f64f682be7c8 clk: qcom: q6sstop-qcs404: fix missing resume during probe
    | * b2f39b813d1e soc: qcom: qmi_encdec: Restrict string length in decode
    | * e61db8922631 clk: qcom: gcc-mdm9615: use proper parent for pll0_vote clock
    | * a8474506c912 clk: imx: pll14xx: dynamically configure PLL for 393216000/361267200Hz
    | * a69b951c8398 dt-bindings: clock: xlnx,versal-clk: drop select:false
    | * ead2436cf05e pinctrl: cherryview: fix address_space_handler() argument
    | * 8859f58c1790 parisc: led: Reduce CPU overhead for disk & lan LED computation
    | * 2655e1d970cf parisc: led: Fix LAN receive and transmit LEDs
    | * 7ad44409cd3b lib/test_meminit: allocate pages up to order MAX_ORDER
    | * 2d8138cea71d clk: qcom: turingcc-qcs404: fix missing resume during probe
    | * 9f5db4ab19f8 drm/ast: Fix DRAM init on AST2200
    | * cfc47807a482 clk: qcom: camcc-sc7180: fix async resume during probe
    | * 309c27162afe fbdev/ep93xx-fb: Do not assign to struct fb_info.dev
    | * 4316e951f164 scsi: qla2xxx: Fix firmware resource tracking
    | * 7b89c3727bff scsi: qla2xxx: Error code did not return to upper layer
    | * 15a71bb25beb scsi: qla2xxx: Fix smatch warn for qla_init_iocb_limit()
    | * 106392156273 scsi: qla2xxx: Flush mailbox commands on chip reset
    | * def49a05aef4 scsi: qla2xxx: Remove unsupported ql2xenabledif option
    | * be12c9f4c60c scsi: qla2xxx: Fix TMF leak through
    | * 4322f3de9f21 scsi: qla2xxx: Fix session hang in gnl
    | * a4708402c458 scsi: qla2xxx: Turn off noisy message log
    | * b0453b0cf506 scsi: qla2xxx: Fix erroneous link up failure
    | * 5934b2125f5b scsi: qla2xxx: Fix command flush during TMF
    | * 4a16a46c8481 scsi: qla2xxx: fix inconsistent TMF timeout
    | * f1ea164be545 scsi: qla2xxx: Fix deletion race condition
    | * 683945b17724 scsi: qla2xxx: Limit TMF to 8 per function
    | * fde268c234d1 scsi: qla2xxx: Adjust IOCB resource on qpair create
    | * c29848249f78 io_uring: break iopolling on signal
    | * 0def123f1254 io_uring: break out of iowq iopoll on teardown
    | * 1a0aba2bf293 io_uring: always lock in io_apoll_task_func
    | * 2920cc4c64a1 net/ipv6: SKB symmetric hash should incorporate transport ports
    | * 529bcc70c49c udf: initialize newblock to 0
    | * fae2d591f3cb Revert "drm/amdgpu: install stub fence into potential unused fence pointers"
    | * f01e21d6c7ed md/md-bitmap: remove unnecessary local variable in backlog_store()
    | * 99a8d14d7965 tracing: Zero the pipe cpumask on alloc to avoid spurious -EBUSY
    | * 05c581ad3e7b perf/x86/uncore: Correct the number of CHAs on EMR
    | * 861cfdc51f22 x86/sgx: Break up long non-preemptible delays in sgx_vepc_release()
    | * 7e3ddbea87a9 USB: core: Fix oversight in SuperSpeed initialization
    | * 7fe9d8799606 USB: core: Fix race by not overwriting udev->descriptor in hub_port_init()
    | * eda9a2966582 USB: core: Change usb_get_device_descriptor() API
    | * 56c49a3328e9 USB: core: Unite old scheme and new scheme descriptor reads
    | * 0ad6bad31da6 usb: typec: bus: verify partner exists in typec_altmode_attention
    | * 31220bd89c22 usb: typec: tcpm: set initial svdm version based on pd revision
    | * 3acc6b9f266f cpufreq: brcmstb-avs-cpufreq: Fix -Warray-bounds bug
    | * cb65ad51f1bd crypto: stm32 - fix loop iterating through scatterlist for DMA
    | * 9ab2c149c2e7 s390/ipl: add missing secure/has_secure file to ipl type 'unknown'
    | * 6aff2732577c arm64: sdei: abort running SDEI handlers during crash
    | * fedecaeef888 pstore/ram: Check start of empty przs during init
    | * 8d68582b93e6 mmc: renesas_sdhi: register irqs before registering controller
    | * 5294144b6ad2 fsverity: skip PKCS#7 parser when keyring is empty
    | * 86608e1b0c6f net: handle ARPHRD_PPP in dev_is_mac_header_xmit()
    | * 51ffed9ca1a4 X.509: if signature is unsupported skip validation
    | * 6ecf09699eb1 dccp: Fix out of bounds access in DCCP error handler
    | * 7a2978e8d3c0 dlm: fix plock lookup when using multiple lockspaces
    | * 703cf47d47ba parisc: Fix /proc/cpuinfo output for lscpu
    | * 49a49d442075 procfs: block chmod on /proc/thread-self/comm
    | * 44f6ec589353 Revert "PCI: Mark NVIDIA T4 GPUs to avoid bus reset"
    | * d73d3787c9d1 ntb: Fix calculation ntb_transport_tx_free_entry()
    | * da0c7293f4db ntb: Clean up tx tail index on link down
    | * bfa051f650a7 ntb: Drop packets when qp link is down
    | * 8f4edcd65534 scsi: mpt3sas: Perform additional retries if doorbell read returns 0
    | * 58388f2958f6 Revert "scsi: qla2xxx: Fix buffer overrun"
    | * bd188d1e3855 media: venus: hfi_venus: Write to VIDC_CTRL_INIT after unmasking interrupts
    | * 6e9632a01e6d media: dvb: symbol fixup for dvb_attach()
    | * 9a43563cfd6b arm64: csum: Fix OoB access in IP checksum code for negative lengths
    | * a0a49da2a79a i3c: master: svc: fix probe failure when no i3c device exist
    | * a905ac21b2ab xtensa: PMU: fix base address for the newer hardware
    | * 8742dbf9c25d backlight/lv5207lp: Compare against struct fb_info.device
    | * 568132f74cb1 backlight/bd6107: Compare against struct fb_info.device
    | * 4e7b4ddc900c backlight/gpio_backlight: Compare against struct fb_info.device
    | * 3b018c3d1016 ARM: OMAP2+: Fix -Warray-bounds warning in _pwrdm_state_switch()
    | * cbb7d8a4b4be ipmi_si: fix a memleak in try_smi_init()
    | * 6043dd31f771 PCI: rockchip: Use 64-bit mask on MSI 64-bit PCI address
    | * aba1bf197467 media: i2c: ccs: Check rules is non-NULL
    | * df64819dd6a0 mm/vmalloc: add a safer version of find_vm_area() for debug
    | * 20b7d0a62ad1 scsi: core: Fix the scsi_set_resid() documentation
    | * 20990d6a8543 printk: ringbuffer: Fix truncating buffer size min_t cast
    | * 0a22f9c17b1a rcu: dump vmalloc memory info safely
    | * d479c841b18d ALSA: pcm: Fix missing fixup call in compat hw_refine ioctl
    | * 111bafa210ae PM / devfreq: Fix leak in devfreq_dev_release()
    | * be7353af5b35 igb: set max size RX buffer when store bad packet is enabled
    | * d5790386595d skbuff: skb_segment, Call zero copy functions before using skbuff frags
    | * 267a29f8bfdb netfilter: xt_sctp: validate the flag_info count
    | * b3d07714ad24 netfilter: xt_u32: validate user space input
    | * a9e6142e5f8f netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c
    | * 3e48f741e98a igmp: limit igmpv3_newpack() packet size to IP_MAX_MTU
    | * de16cb7986f2 virtio_ring: fix avail_wrap_counter in virtqueue_add_packed
    | * d6f80ddb9eda cpufreq: Fix the race condition while updating the transition_task of policy
    | * 42d8c7fa0bf6 dmaengine: ste_dma40: Add missing IRQ check in d40_probe
    | * 329d0f168c8f um: Fix hostaudio build errors
    | * 58d17e766093 mtd: rawnand: fsmc: handle clk prepare error in fsmc_nand_resume()
    | * 679a71b31179 mtd: spi-nor: Check bus width while setting QE bit
    | * 8869fd166f23 leds: trigger: tty: Do not use LED_ON/OFF constants, use led_blink_set_oneshot instead
    | * 0f715ea7d36e leds: multicolor: Use rounded division when calculating color components
    | * 1a68bef23726 leds: pwm: Fix error code in led_pwm_create_fwnode()
    | * abd740db896b rpmsg: glink: Add check for kstrdup
    | * b45cf29f97a2 phy/rockchip: inno-hdmi: do not power on rk3328 post pll on reg write
    | * 40d637359f3f phy/rockchip: inno-hdmi: round fractal pixclock in rk3328 recalc_rate
    | * 52942a47d034 phy/rockchip: inno-hdmi: use correct vco_div_5 macro on rk3328
    | * 31d7e6c7689b mtd: rawnand: brcmnand: Fix mtd oobsize
    | * 6182318ac046 tracing: Fix race issue between cpu buffer write and swap
    | * 548f48ec1915 tracing: Remove extra space at the end of hwlat_detector/mode
    | * 2ba8bb00720a x86/speculation: Mark all Skylake CPUs as vulnerable to GDS
    | * dde88ab4e45b HID: multitouch: Correct devm device reference for hidinput input_dev name
    | * 4fb28379b3c7 HID: logitech-dj: Fix error handling in logi_dj_recv_switch_to_dj_mode()
    | * 1bb42aca7a96 Revert "IB/isert: Fix incorrect release of isert connection"
    | * 4f1807fddd9b amba: bus: fix refcount leak
    | * 1c3701373463 serial: tegra: handle clk prepare error in tegra_uart_hw_init()
    | * 076fb40cf27a scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock
    | * c4772759abe1 scsi: core: Use 32-bit hostnum in scsi_host_lookup()
    | * 6248f4305378 cgroup:namespace: Remove unused cgroup_namespaces_init()
    | * 04824d50e6b5 media: i2c: rdacm21: Fix uninitialized value
    | * f3572eef8551 media: ov2680: Fix regulators being left enabled on ov2680_power_on() errors
    | * 205f71744176 media: ov2680: Fix ov2680_set_fmt() which == V4L2_SUBDEV_FORMAT_TRY not working
    | * 89ecb4b40094 media: ov2680: Add ov2680_fill_format() helper function
    | * 784d1b83ae2c media: ov2680: Don't take the lock for try_fmt calls
    | * dbb717b4ee68 media: ov2680: Remove VIDEO_V4L2_SUBDEV_API ifdef-s
    | * 4c1a5c2885d4 media: ov2680: Fix vflip / hflip set functions
    | * 958905ed42b8 media: ov2680: Fix ov2680_bayer_order()
    | * cdd5fca7200d media: ov2680: Remove auto-gain and auto-exposure controls
    | * 322a805ffdff media: i2c: ov2680: Set V4L2_CTRL_FLAG_MODIFY_LAYOUT on flips
    | * abba34017e16 media: ov5640: Enable MIPI interface in ov5640_set_power_mipi()
    | * 1717f67be875 USB: gadget: f_mass_storage: Fix unused variable warning
    | * 121b8d30f42c media: venus: hfi_venus: Only consider sys_idle_indicator on V1
    | * f6b483ead6dc media: go7007: Remove redundant if statement
    | * d079a3e1ccdd platform/x86: dell-sysman: Fix reference leak
    | * 426bd7418701 iommu/vt-d: Fix to flush cache of PASID directory table
    | * 9dc6f660815a iommu/qcom: Disable and reset context bank before programming
    | * 3274e32fc969 fsi: aspeed: Reset master errors after CFAM reset
    | * 7a17deca33e1 IB/uverbs: Fix an potential error pointer dereference
    | * 42d111304dd7 RDMA/hns: Fix CQ and QP cache affinity
    | * b051c3bf3bdf RDMA/hns: Fix incorrect post-send with direct wqe of wr-list
    | * 154822356e4d RDMA/hns: Fix port active speed
    | * de4aca5b284e iommu/sprd: Add missing force_aperture
    | * 46b76f13f1ad driver core: test_async: fix an error code
    | * a6992ecefe5d dma-buf/sync_file: Fix docs syntax
    | * d3256d80406c coresight: tmc: Explicit type conversions to prevent integer overflow
    | * 93a5b461a4e1 RDMA/irdma: Replace one-element array with flexible-array member
    | * 97097ea2f37e scsi: qedf: Do not touch __user pointer in qedf_dbg_fp_int_cmd_read() directly
    | * 1c996be7f233 scsi: qedf: Do not touch __user pointer in qedf_dbg_debug_cmd_read() directly
    | * cb6d20a8b5d7 scsi: qedf: Do not touch __user pointer in qedf_dbg_stop_io_on_error_cmd_read() directly
    | * 2f0d202d82b9 x86/APM: drop the duplicate APM_MINOR_DEV macro
    | * f34508d934c4 serial: sprd: Fix DMA buffer leak issue
    | * c54c66d904fa serial: sprd: Assign sprd_port after initialized to avoid wrong access
    | * f61fc650c478 scsi: qla4xxx: Add length check when parsing nlattrs
    | * 46ad449efde1 scsi: be2iscsi: Add length check when parsing nlattrs
    | * 4bd57d889099 scsi: iscsi: Add strlen() check in iscsi_if_set{_host}_p…
    gregkh committed Nov 29, 2023
    c43b797
  2. ANDROID: ABI: Update pixel symbol list

    We need to add this new symbol as it was un-inlined in the upstream
    commit 9197213 ("iio: Un-inline iio_buffer_enabled()").
    
    1 function symbol(s) added
      'bool iio_buffer_enabled(struct iio_dev *)'
    
    Bug: 308652253
    Change-Id: I558a9b5144050690437bca79aa620132b6b5b560
    Signed-off-by: Will McVicker <[email protected]>
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Will McVicker authored and gregkh committed Nov 29, 2023
    eff6178
  3. Merge branch 'android13-5.15' into branch 'android13-5.15-lts'

    This catches the android13-5.15-lts branch up with a lot of recent
    changes that have gone into the android13-5.15 branch, including new
    symbols that need to be tracked properly.
    
    Included in here are the following changes:
    
    * eff6178 ANDROID: ABI: Update pixel symbol list
    * c43b797 Merge tag 'android13-5.15.137_r00' into android13-5.15
    * d2d389f UPSTREAM: USB: core: Fix race by not overwriting udev->descriptor in hub_port_init()
    * f4fd913 UPSTREAM: USB: core: Change usb_get_device_descriptor() API
    * a0f42ba UPSTREAM: USB: core: Unite old scheme and new scheme descriptor reads
    * 2550d09 UPSTREAM: drm/qxl: fix UAF on handle creation
    * d6f794b FROMGIT: usb:gadget:uvc Do not use worker thread to pump isoc usb requests
    * 19914a1 FROMGIT: usb: gadget: uvc: Fix use-after-free for inflight usb_requests
    * d102805 FROMGIT: usb: gadget: uvc: move video disable logic to its own function
    * 17f7b06 FROMGIT: usb: gadget: uvc: Allocate uvc_requests one at a time
    * e7ed9e4 FROMGIT: usb: gadget: uvc: prevent use of disabled endpoint
    * b2017f5 ANDROID: fuse-bpf: Add NULL pointer check in fuse_release_in
    * 18865db FROMGIT: Input: uinput - allow injecting event times
    * e039fca ANDROID: ABI: Update oplus symbol list
    * 0eb66ec ANDROID: vendor_hooks: Add hooks for binder
    * 1696301 BACKPORT: dma-buf: add dma_fence_unwrap v2
    * 67e5ffd UPSTREAM: dma-buf: Add dma_fence_array_for_each (v2)
    * 20b2d56 UPSTREAM: dma-buf: add dma_fence_chain_contained helper
    * a2a56bf BACKPORT: blk-ioprio: Introduce promote-to-rt policy
    * a0c7043 BACKPORT: block: Always initialize bio IO priority on submit
    * 739e44e BACKPORT: block: Initialize bio priority earlier
    * b029b53 BACKPORT: blk-ioprio: Convert from rqos policy to direct call
    * 0468dbf ANDROID: KVM: arm64: Fix error path in pkvm_mem_abort()
    * d815634 ANDROID: GKI: Add symbol list for Transsion
    * 690e148 ANDROID: GKI: Update symbol list for Amlogic
    * cd7989c ANDROID: mm: add vendor hook in isolate_freepages()
    * 6dcfedc UPSTREAM: kthread: dynamically allocate memory to store kthread's full name
    * e3eb2bb BACKPORT: firmware_loader: Abort all upcoming firmware load request once reboot triggered
    * 29ee427 UPSTREAM: firmware_loader: Refactor kill_pending_fw_fallback_reqs()
    * 46b8053 UPSTREAM: vringh: don't use vringh_kiov_advance() in vringh_iov_xfer()
    * e4cb5ea FROMGIT: ufs: core: wlun send SSU timeout recovery
    * f0033a7 ANDROID: abi_gki_aarch64_qcom: Update QCOM symbol list
    * 85ccc4a ANDROID: ABI: Update symbols to unisoc whitelist
    * c85178c UPSTREAM: netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c
    * 373d867 BACKPORT: usb: gadget: uvc: Add missing initialization of ssp config descriptor
    * df15bb1 BACKPORT: usb: gadget: unconditionally allocate hs/ss descriptor in bind operation
    * 85156cf UPSTREAM: usb: gadget: f_uvc: change endpoint allocation in uvc_function_bind()
    * b153f0c UPSTREAM: usb: gadget: function: Remove unused declarations
    * 0f24a9e UPSTREAM: usb: gadget: uvc: clean up comments and styling in video_pump
    * ff64284 UPSTREAM: ravb: Fix use-after-free issue in ravb_tx_timeout_work()
    * a82ccd7 UPSTREAM: ravb: Fix up dma_free_coherent() call in ravb_remove()
    * 1027701 ANDROID: GKI: Update symbol list for Tuxera
    * d0a5b5f ANDROID: GKI: Update symbol list for Amlogic
    * d7644c8 ANDROID: mm: allow hooks into __alloc_pages()
    * 50b7fed UPSTREAM: netfilter: ipset: Fix race between IPSET_CMD_CREATE and IPSET_CMD_SWAP
    * e89b126 ANDROID: fuse-bpf: Add NULL pointer check in fuse_entry_revalidate
    * f637dd4 UPSTREAM: net: xfrm: Fix xfrm_address_filter OOB read
    * 72d0bfc UPSTREAM: igb: set max size RX buffer when store bad packet is enabled
    * 4d065e6 ANDROID: abi_gki_aarch64_qcom: Add wait_for_device_probe symbol
    * ac17898 ANDROID: GKI: Update symbol list for Amlogic
    * 488dcc0 BACKPORT: take care to handle NULL ->proc_lseek()
    * d4c2ea3 ANDROID: GKI: Update symbol list for Amlogic
    * dc8e07a ANDROID: vendor_hooks: add vendor hook in __alloc_pages()
    * be34ad9 UPSTREAM: netfilter: xt_sctp: validate the flag_info count
    * c7d73c9 BACKPORT: xhci: Keep interrupt disabled in initialization until host is running.
    * 9ab4afc BACKPORT: f2fs: allocate node blocks for atomic write block replacement
    * 48c18bb BACKPORT: f2fs: use cow inode data when updating atomic write
    * 3137629 BACKPORT: f2fs: fix to check return value of inc_valid_block_count()
    * 2dfe664 BACKPORT: f2fs: fix to check return value of f2fs_do_truncate_blocks()
    * f3f08c6 BACKPORT: f2fs: fix null pointer panic in tracepoint in __replace_atomic_write_block
    * 1625f1a BACKPORT: f2fs: synchronize atomic write aborts
    * 4f59336 BACKPORT: f2fs: fix to handle F2FS_IOC_START_ATOMIC_REPLACE in f2fs_compat_ioctl()
    * 7ce5c70 BACKPORT: f2fs: fix to abort atomic write only during do_exist()
    * 709e51b BACKPORT: f2fs: clear atomic_write_task in f2fs_abort_atomic_write()
    * 11cc01e BACKPORT: f2fs: introduce trace_f2fs_replace_atomic_write_block
    * c148d63 BACKPORT: f2fs: introduce F2FS_IOC_START_ATOMIC_REPLACE
    * a9fafdc BACKPORT: f2fs: correct i_size change for atomic writes
    * c964e0f BACKPORT: f2fs: change to use atomic_t type form sbi.atomic_files
    * 8074e8d BACKPORT: f2fs: clean up f2fs_abort_atomic_write()
    * 407a7bf BACKPORT: f2fs: fix null-ptr-deref in f2fs_get_dnode_of_data
    * 5000638 BACKPORT: f2fs: revive F2FS_IOC_ABORT_VOLATILE_WRITE
    * 9745174 BACKPORT: f2fs: introduce sysfs atomic write statistics
    * 255af4c BACKPORT: f2fs: add a sysfs entry to show zone capacity
    * e092319 BACKPORT: f2fs: replace F2FS_I(inode) and sbi by the local variable
    * 6f1a8b7 BACKPORT: f2fs: avoid unneeded error handling for revoke_entry_slab allocation
    * a7ad891 BACKPORT: f2fs: kill volatile write support
    * 76ca4a0 BACKPORT: f2fs: change the current atomic write way
    * 048853c UPSTREAM: netfilter: xt_u32: validate user space input
    * 5625502 UPSTREAM: netfilter: nfnetlink_osf: avoid OOB read
    * 5ccdde7 UPSTREAM: net/sched: Retire rsvp classifier
    * e01c180 UPSTREAM: ipv4: fix null-deref in ipv4_link_failure
    * bab1133 UPSTREAM: netfilter: nf_tables: disallow rule removal from chain binding
    * 8a0ac15 FROMGIT: usb: typec: ucsi: Clear EVENT_PENDING bit if ucsi_send_command fails
    * 05167f0 UPSTREAM: f2fs: fix deadlock in i_xattr_sem and inode page lock
    * 082a5bf UPSTREAM: mmc:block:fix in_flight[issue_type] value error
    * 87478bd Merge tag 'android13-5.15.123_r00' into android13-5.15
    * 4655b13 UPSTREAM: net: sched: sch_qfq: Fix UAF in qfq_dequeue()
    * 3844902 UPSTREAM: net/sched: sch_hfsc: Ensure inner classes have fsc curve
    * d34029c UPSTREAM: tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux
    * 35fa353 BACKPORT: mm: page_alloc: fix CMA and HIGHATOMIC landing on the wrong buddy list
    * 3ac536f UPSTREAM: ARM: ptrace: Restore syscall skipping for tracers
    * 3c5af9e UPSTREAM: ARM: ptrace: Restore syscall restart tracing
    * c8443a2 ANDROID: ABI: Update oplus symbol list
    * 09f3b24 ANDROID: vendor_hooks: Add hooks for oem percpu-rwsem optimaton
    * 0007dae ANDROID: Update abi_gki_aarch64_qcom for usb typec orientation
    * 5d6584e ANDROID: GKI: Update symbol list for Amlogic
    * 46fbfc1 ANDROID: vendor_hooks: add vendor hook in xhci_urb_suitable_for_idt()
    * ee2fd66 ANDROID: GKI: Update symbol list for mtk
    * 60f97c6 ANDROID: tools/resolve_btfids: Pass CFLAGS to libsubcmd build via EXTRA_CFLAGS
    * 8f75dab ANDROID: libsubcmd: Hoist iterator variable declarations in parse_options_subcommand()
    * 9a8c25b ANDROID: enable CONFIG_USB_XHCI_PCI_RENESAS in gki_defconfig
    * 74e3fb4 ANDROID: GKI: Update oplus symbol list
    * d6c24c3 ANDROID: vendor_hooks: Add hooks for adjusting alloc_flags
    * c1fa53f ANDROID: uid_sys_stat: instead update_io_stats_uid_locked to update_io_stats_uid
    * c949fbd ANDROID: uid_sys_stat: split the global lock uid_lock to the fine-grained locks for each hlist in hash_table.
    * f9a1230 ANDROID: GKI: Update symbol list for Amlogic
    * 965abef BACKPORT: FROMLIST: ovl: get_acl: Fix null pointer dereference at realinode in rcu-walk mode
    * 676f9ba BACKPORT: FROMLIST: ovl: ovl_permission: Fix null pointer dereference at realinode in rcu-walk mode
    * 66c03b8 BACKPORT: FROMLIST: ovl: Let helper ovl_i_path_real() return the realinode
    * c9f0540 UPSTREAM: netfilter: nf_tables: prevent OOB access in nft_byteorder_eval
    * 9798dc0 ANDROID: vendor_hooks: add missing forward declare for struct cma
    * 734916f ANDROID: GKI: Add thermal genl vendor hook
    * b4d3113 ANDROID: thermal: Add vendor thermal genl check
    * c575790 BACKPORT: printk: ringbuffer: Fix truncating buffer size min_t cast
    * 154a18b ANDROID: ABI: Update symbols to unisoc whitelist
    * dac9a9b UPSTREAM: block/mq-deadline: Set the fifo_time member also if inserting at head
    * fcc3046 UPSTREAM: block/mq-deadline: Prioritize high-priority requests
    * 8ecb51c UPSTREAM: block/mq-deadline: Stop using per-CPU counters
    * 2a8fbb9 UPSTREAM: block/mq-deadline: Add an invariant check
    * b7deb97 UPSTREAM: block/mq-deadline: Improve request accounting further
    * 92babd4 BACKPORT: mm/filemap.c: fix update prev_pos after one read request done
    * 4097bc8 UPSTREAM: af_unix: Fix null-ptr-deref in unix_stream_sendpage().
    * cc960d6 ANDROID: GKI: Update symbol list for Amlogic
    * d105129 ANDROID: vendor_hooks: add vendor hook in cma_alloc()
    * 73528dc ANDROID: GKI: Update symbol list for sunxi
    * 1ee5e96 ANDROID: abi_gki_aarch64_qcom: Add blk_ksm_reprogram_all_keys symbol
    * d4f95b5 BACKPORT: block/mq-deadline: use correct way to throttle write requests
    * e71ded6 BACKPORT: mm: avoid unnecessary flush on change_huge_pmd()
    * 49745e7 BACKPORT: mm/mprotect: do not flush when not required architecturally
    * 8923a83 BACKPORT: mm/mprotect: use mmu_gather
    * d73fc26 ANDROID: uid_sys_stats: Use llist for deferred work
    * f37ba43 ANDROID: uid_sys_stats: Use a single work for deferred updates
    * 622c141 ANDROID: fuse-bpf: Align data structs for 32-bit kernels
    * a1f654e ANDROID: fuse-bpf: Get correct inode in mkdir
    * 1594563 ANDROID: GKI: prevent removal of monitored symbols
    * 31c3f0e BACKPORT: net: nfc: Fix use-after-free caused by nfc_llcp_find_local
    * 6b6ab2b UPSTREAM: netfilter: nf_tables: deactivate catchall elements in next generation
    * 17f6f4f ANDROID: Fix unaligned memory access
    * c4a8b3a ANDROID: GKI: Update symbol list for Amlogic
    * f60d8b8 ANDROID: GKI: Introduce new ABI symbol list
    * 462a6aa ANDROID: GKI: Update abi_gki_aarch64_qcom for page_owner symbols
    * d403c30 ANDROID: mm: Export page_owner_inited and __set_page_owner
    * 0324851 FROMGIT: pstore/ram: Check start of empty przs during init
    * 4b2aade UPSTREAM: exfat: check if filename entries exceeds max filename length
    * 55bd8a9 ANDROID: GKI: Update symbol list for Amlogic
    * 6d71772 ANDROID: ABI: Update oplus symbol list
    * 0e5b290 ANDROID: vendor_hooks: Add hooks for waking up and exiting control
    * ae0fb8d ANDROID: Hack to support ABI stable accept_ra_min_lft
    * 7bd837e BACKPORT: FROMGIT: netfilter: nfnetlink_log: always add a timestamp
    
    Change-Id: I267c60244b56c3445e38267d3fd2eba53a6b05fe
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    gregkh committed Nov 29, 2023
    eb99a64

Commits on Dec 5, 2023

  1. Merge commit 'eb99a642b7e6b94282662389ff05737cb8285db9' into dev

    Merged 5.15.138 android13-5.15-lts
    
    Signed-off-by: Jeevaka Prabu Badrappan <[email protected]>
    JeevakaPrabu committed Dec 5, 2023
    a30f5de
  2. Fix build error due to dma_buf not imported in tee module

    Signed-off-by: Jeevaka Prabu Badrappan <[email protected]>
    JeevakaPrabu committed Dec 5, 2023
    e42d1bd
  3. Revert "i915/pmu: Wire GuC backend to per-client busyness"

    VM3 reboot issue observed when playing 3A game (conqueror's blade)
    inside LIC. Call stack as below:
    
    [  183.173756] BUG: unable to handle page fault for address: ffff998d47760500
    [  183.176248] #PF: supervisor read access in kernel mode
    [  183.177960] #PF: error_code(0x0000) - not-present page
    [  183.179596] PGD 100400067 P4D 100400067 PUD 10075d067 PMD 16d6fe067 PTE 0
    [  183.184764] Oops: 0000 [#1] PREEMPT SMP NOPTI
    [  183.186120] CPU: 1 PID: 119 Comm: kworker/1:1H Tainted: G     U            5.15.119+ #1
    [  183.188706] Workqueue: events_highpri guc_timestamp_ping
    [  183.190365] RIP: 0010:__guc_context_update_clks+0x40/0x1c0
    [  183.268473] RSP: 0018:ffff998d411e7d98 EFLAGS: 00010086
    [  183.269978] RAX: ffff998d47761000 RBX: ffff96008dd66880 RCX: 0000000000000001
    [  183.271849] RDX: 000000000000000b RSI: ffffffff919e4dd1 RDI: ffff960082b73468
    [  183.273763] RBP: ffff998d411e7df0 R08: 00000003fffffffc R09: 00000000005b52ff
    [  183.275721] R10: 0000000000000010 R11: ffffffff910a7e10 R12: 000000000000051e
    [  183.318417] R13: ffff960082b72c80 R14: ffff960082b72c80 R15: ffff998d411e7e28
    [  183.320929] FS:  0000000000000000(0000) GS:ffff960959a40000(0000) knlGS:0000000000000000
    [  183.323387] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [  183.325373] CR2: ffff998d47760500 CR3: 00000001b5cc2000 CR4: 0000000000750ee0
    [  183.327740] PKRU: 55555554
    [  183.328554] Call Trace:
    [  183.329470]  <TASK>
    [  183.330181]  ? __die_body+0x6b/0xb0
    [  183.331486]  ? __die+0x9d/0xb0
    [  183.332680]  ? page_fault_oops+0x383/0x3f0
    [  183.333996]  ? search_bpf_extables+0xce/0xe0
    [  183.335358]  ? __guc_context_update_clks+0x40/0x1c0
    [  183.336706]  ? search_exception_tables+0x62/0x70
    
    This reverts commit c01c587 to fix the
    VM3 reboot issue.
    
    Tests done:
    - VM3 boot check
    - VM3: Play 3A game (conqueror's blade) inside LIC without hang observed.
    
    Tracked-On: OAM-113373, OAM-113702
    Signed-off-by: Zhang, Xiaolin <[email protected]>
    JeevakaPrabu committed Dec 5, 2023
    bbae401
  4. extend uio driver to support msix

     This patch extends the UIO PCI generic driver to
     support MSI-X interrupts.
    
    Tracked-On: projectacrn/acrn-hypervisor#5407
    
    Signed-off-by: Yonghua Huang <[email protected]>
    Signed-off-by: Yuan Liu <[email protected]>
    yonghuah authored and JeevakaPrabu committed Dec 5, 2023
    6e10c3c
  5. extend function prototype in uio_info structure

     The function prototypes below are extended to pass
     user info to the uio_pci_generic driver:
      - ioctl
      - release
    
    Signed-off-by: Yonghua Huang <[email protected]>
    yonghuah authored and JeevakaPrabu committed Dec 5, 2023
    d700cea
  6. enable per-application notification with ivshmem

     This patch enables per-application notification support
     when enabling the ivshmem doorbell feature.
    
    Signed-off-by: Yonghua Huang <[email protected]>
    yonghuah authored and JeevakaPrabu committed Dec 5, 2023
    236a132

Commits on Dec 8, 2023

  1. FROMLIST: ALSA: pcm: fix wait_time calculations

    ... in wait_for_avail() and snd_pcm_drain().
    
    t was calculated in seconds, so it would be pretty much always zero, to
    be subsequently de-facto ignored due to being max(t, 10)'d. And then it
    (i.e., 10) would be treated as secs, which doesn't seem right.
    
    However, fixing it to properly calculate msecs would potentially cause
    timeouts when using twice the period size for the default timeout (which
    seems reasonable to me), so instead use the buffer size plus 10 percent
    to be on the safe side ... but that still seems insufficient, presumably
    because the hardware typically needs a moment to fire up. To compensate
    for this, we up the minimal timeout to 100ms, which is still two orders
    of magnitude less than the bogus minimum.
    
    substream->wait_time was also misinterpreted as jiffies, despite being
    documented as being in msecs. Only the soc/sof driver sets it - to 500,
    which looks very much like msecs were intended.
    
    Speaking of which, shouldn't snd_pcm_drain() also use substream->
    wait_time?
    
    As a drive-by, make the debug messages on timeout less confusing.
    
    Tracked-On: OAM-113000
    Signed-off-by: Oswald Buddenhagen <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Takashi Iwai <[email protected]>
    ossilator authored and sysopenci committed Dec 8, 2023
    8f5f88c

Commits on Dec 18, 2023

  1. ASoC: Intel: avs: Fix module lookup

    When changing the value of a kcontrol, the FW module to which data should
    be sent needs to be found. Currently it is done in an improper way, fix it.
    Change function name to indicate that it looks only for volume module.
    
    This allows changing the volume during runtime, instead of only changing
    init value.
    
    Tracked-On: OAM-114230
    Fixes: be2b81b519d7 ("ASoC: Intel: avs: Parse control tuples")
    Reviewed-by: Cezary Rojewski <[email protected]>
    Signed-off-by: Amadeusz Sławiński <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Amadeusz Sławiński authored and sysopenci committed Dec 18, 2023
    7902cc0
  2. ASoC: Intel: avs: Support volume control with GAIN module

    FW GAIN module has same payload as PEAKVOL and can be used to change
    stream volume, code should check if either GAIN or PEAKVOL are present
    in path.
    
    Tracked-On: OAM-114230
    Signed-off-by: Amadeusz Sławiński <[email protected]>
    Amadeusz Sławiński authored and sysopenci committed Dec 18, 2023
    ba4fb03

Commits on Dec 20, 2023

  1. Initialize optee SMC arguments memory as zero

    Fix possible wrong communication between REE and TEE.
    
    Test done:
    1. Fastboot flash OK
    2. adb reboot OK
    
    Tracked-On: OAM-114239
    Signed-off-by: Jingdong Lu <[email protected]>
    jingdlu authored and sysopenci committed Dec 20, 2023
    b0f94b1

Commits on Jan 10, 2024

  1. Fix OOM issue for request not freed

    The following commit added code for
    	if (prev)
    		i915_request_put(prev);
    
    commit 930f3f1 (a1)
    Author: Janusz Krzysztofik <[email protected]>
    Date:   Thu Jul 20 11:35:44 2023 +0200
    
        drm/i915: Fix premature release of request's reusable memory
    
    but these two lines of code were removed by mistake in commit
    
    commit a30f5de (b1_5)
    Merge: 20090f4 eb99a64
    Author: Jeevaka Prabu Badrappan <[email protected]>
    Date:   Tue Dec 5 15:57:17 2023 +0530
    
        Merge commit 'eb99a642b7e6b94282662389ff05737cb8285db9' into dev
    
        Merged 5.15.138 android13-5.15-lts
    
    It causes the request not to be freed, and leads to a kernel memory leak.
    Fix it by adding back the request free routine.
    
    Test Done:
    1. Fast boot flash OK
    2. adb reboot OK
    3. 24-hours monkey test OK
    
    Tracked-On: OAM-114492
    Signed-off-by: Xie, Chao <[email protected]>
    xiechao79 authored and sysopenci committed Jan 10, 2024
    e23e64d

Commits on Jan 29, 2024

  1. Fix function prototype mismatch with uio_info release function

    Addition of user information to the release function of the uio_info
    structure is not taken care of in all drivers, resulting in a build error.
    
    Fix the issue by updating the release function with user information
    argument.
    
    Tests done:
    Host and Guest kernel builds without any error in UIO drivers.
    
    Tracked-On: OAM-115388
    Signed-off-by: Jeevaka Prabu Badrappan <[email protected]>
    JeevakaPrabu authored and sysopenci committed Jan 29, 2024
    61185da

Commits on Mar 4, 2024

  1. drm/i915 Add ctm_post_offset

    Add ctm_post_offset property drm ioctl
    interface and color post offset setting
    for color adjustment
    
    Signed-off-by: Lin Jia <[email protected]>
    ljia5 committed Mar 4, 2024
    851f718