Changelog in Linux kernel 6.1.100

 
ACPI: processor_idle: Fix invalid comparison with insertion sort for latency [+ + +]
Author: Kuan-Wei Chiu <visitorckw@gmail.com>
Date:   Tue Jul 2 04:56:39 2024 +0800

    ACPI: processor_idle: Fix invalid comparison with insertion sort for latency
    
    commit 233323f9b9f828cd7cd5145ad811c1990b692542 upstream.
    
    The acpi_cst_latency_cmp() comparison function currently used for
    sorting C-state latencies does not satisfy transitivity, causing
    incorrect sorting results.
    
    Specifically, if there are two valid acpi_processor_cx elements A and B
    and one invalid element C, it may occur that A < B, A = C, and B = C.
    Sorting algorithms assume that if A < B and A = C, then C < B, leading
    to incorrect ordering.
    
    Given the small size of the array (<=8), we replace the library sort
    function with a simple insertion sort that properly ignores invalid
    elements and sorts valid ones based on latency. This change ensures
    correct ordering of the C-state latencies.
    
    Fixes: 65ea8f2c6e23 ("ACPI: processor idle: Fix up C-state latency if not ordered")
    Reported-by: Julian Sikorski <belegdol@gmail.com>
    Closes: https://lore.kernel.org/lkml/70674dc7-5586-4183-8953-8095567e73df@gmail.com
    Signed-off-by: Kuan-Wei Chiu <visitorckw@gmail.com>
    Tested-by: Julian Sikorski <belegdol@gmail.com>
    Cc: All applicable <stable@vger.kernel.org>
    Link: https://patch.msgid.link/20240701205639.117194-1-visitorckw@gmail.com
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ALSA: hda/realtek: add quirk for Clevo V5[46]0TU [+ + +]
Author: Michał Kopeć <michal.kopec@3mdeb.com>
Date:   Mon Jul 1 13:10:09 2024 +0200

    ALSA: hda/realtek: add quirk for Clevo V5[46]0TU
    
    commit e1c6db864599be341cd3bcc041540383215ce05e upstream.
    
    Apply quirk to fix combo jack detection on a new Clevo model: V5[46]0TU
    
    Signed-off-by: Michał Kopeć <michal.kopec@3mdeb.com>
    Cc: <stable@vger.kernel.org>
    Link: https://patch.msgid.link/20240701111010.1496569-1-michal.kopec@3mdeb.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ALSA: hda/realtek: Enable Mute LED on HP 250 G7 [+ + +]
Author: Nazar Bilinskyi <nbilinskyi@gmail.com>
Date:   Tue Jul 9 11:05:46 2024 +0300

    ALSA: hda/realtek: Enable Mute LED on HP 250 G7
    
    commit b46953029c52bd3a3306ff79f631418b75384656 upstream.
    
    HP 250 G7 has a mute LED that can be made to work using quirk
    ALC269_FIXUP_HP_LINE1_MIC1_LED. Enable already existing quirk.
    
    Signed-off-by: Nazar Bilinskyi <nbilinskyi@gmail.com>
    Cc: <stable@vger.kernel.org>
    Link: https://patch.msgid.link/20240709080546.18344-1-nbilinskyi@gmail.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ALSA: hda/realtek: Limit mic boost on VAIO PRO PX [+ + +]
Author: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
Date:   Fri Jul 5 11:10:12 2024 -0300

    ALSA: hda/realtek: Limit mic boost on VAIO PRO PX
    
    commit 6db03b1929e207d2c6e84e75a9cd78124b3d6c6d upstream.
    
    The internal mic boost on the VAIO models VJFE-CL and VJFE-IL is too high.
    Fix this by applying the ALC269_FIXUP_LIMIT_INT_MIC_BOOST fixup to the machine
    to limit the gain.
    
    Signed-off-by: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
    Cc: <stable@vger.kernel.org>
    Link: https://patch.msgid.link/20240705141012.5368-1-edson.drosdeck@gmail.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ARM: davinci: Convert comma to semicolon [+ + +]
Author: Chen Ni <nichen@iscas.ac.cn>
Date:   Wed Jul 10 16:16:48 2024 +0800

    ARM: davinci: Convert comma to semicolon
    
    [ Upstream commit acc3815db1a02d654fbc19726ceaadca0d7dd81c ]
    
    Replace a comma between expression statements by a semicolon.
    
    Fixes: efc1bb8a6fd5 ("davinci: add power management support")
    Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
    Acked-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
bpf: Allow reads from uninit stack [+ + +]
Author: Eduard Zingerman <eddyz87@gmail.com>
Date:   Sun Feb 19 22:04:26 2023 +0200

    bpf: Allow reads from uninit stack
    
    commit 6715df8d5d24655b9fd368e904028112b54c7de1 upstream.
    
    This commits updates the following functions to allow reads from
    uninitialized stack locations when env->allow_uninit_stack option is
    enabled:
    - check_stack_read_fixed_off()
    - check_stack_range_initialized(), called from:
      - check_stack_read_var_off()
      - check_helper_mem_access()
    
    Such change allows to relax logic in stacksafe() to treat STACK_MISC
    and STACK_INVALID in a same way and make the following stack slot
    configurations equivalent:
    
      |  Cached state    |  Current state   |
      |   stack slot     |   stack slot     |
      |------------------+------------------|
      | STACK_INVALID or | STACK_INVALID or |
      | STACK_MISC       | STACK_SPILL   or |
      |                  | STACK_MISC    or |
      |                  | STACK_ZERO    or |
      |                  | STACK_DYNPTR     |
    
    This leads to significant verification speed gains (see below).
    
    The idea was suggested by Andrii Nakryiko [1] and initial patch was
    created by Alexei Starovoitov [2].
    
    Currently the env->allow_uninit_stack is allowed for programs loaded
    by users with CAP_PERFMON or CAP_SYS_ADMIN capabilities.
    
    A number of test cases from verifier/*.c were expecting uninitialized
    stack access to be an error. These test cases were updated to execute
    in unprivileged mode (thus preserving the tests).
    
    The test progs/test_global_func10.c expected "invalid indirect read
    from stack" error message because of the access to uninitialized
    memory region. This error is no longer possible in privileged mode.
    The test is updated to provoke an error "invalid indirect access to
    stack" because of access to invalid stack address (such error is not
    verified by progs/test_global_func*.c series of tests).
    
    The following tests had to be removed because these can't be made
    unprivileged:
    - verifier/sock.c:
      - "sk_storage_get(map, skb->sk, &stack_value, 1): partially init
      stack_value"
      BPF_PROG_TYPE_SCHED_CLS programs are not executed in unprivileged mode.
    - verifier/var_off.c:
      - "indirect variable-offset stack access, max_off+size > max_initialized"
      - "indirect variable-offset stack access, uninitialized"
      These tests verify that access to uninitialized stack values is
      detected when stack offset is not a constant. However, variable
      stack access is prohibited in unprivileged mode, thus these tests
      are no longer valid.
    
     * * *
    
    Here is veristat log comparing this patch with current master on a
    set of selftest binaries listed in tools/testing/selftests/bpf/veristat.cfg
    and cilium BPF binaries (see [3]):
    
    $ ./veristat -e file,prog,states -C -f 'states_pct<-30' master.log current.log
    File                        Program                     States (A)  States (B)  States    (DIFF)
    --------------------------  --------------------------  ----------  ----------  ----------------
    bpf_host.o                  tail_handle_ipv6_from_host         349         244    -105 (-30.09%)
    bpf_host.o                  tail_handle_nat_fwd_ipv4          1320         895    -425 (-32.20%)
    bpf_lxc.o                   tail_handle_nat_fwd_ipv4          1320         895    -425 (-32.20%)
    bpf_sock.o                  cil_sock4_connect                   70          48     -22 (-31.43%)
    bpf_sock.o                  cil_sock4_sendmsg                   68          46     -22 (-32.35%)
    bpf_xdp.o                   tail_handle_nat_fwd_ipv4          1554         803    -751 (-48.33%)
    bpf_xdp.o                   tail_lb_ipv4                      6457        2473   -3984 (-61.70%)
    bpf_xdp.o                   tail_lb_ipv6                      7249        3908   -3341 (-46.09%)
    pyperf600_bpf_loop.bpf.o    on_event                           287         145    -142 (-49.48%)
    strobemeta.bpf.o            on_event                         15915        4772  -11143 (-70.02%)
    strobemeta_nounroll2.bpf.o  on_event                         17087        3820  -13267 (-77.64%)
    xdp_synproxy_kern.bpf.o     syncookie_tc                     21271        6635  -14636 (-68.81%)
    xdp_synproxy_kern.bpf.o     syncookie_xdp                    23122        6024  -17098 (-73.95%)
    --------------------------  --------------------------  ----------  ----------  ----------------
    
    Note: I limited selection by states_pct<-30%.
    
    Inspection of differences in pyperf600_bpf_loop behavior shows that
    the following patch for the test removes almost all differences:
    
        - a/tools/testing/selftests/bpf/progs/pyperf.h
        + b/tools/testing/selftests/bpf/progs/pyperf.h
        @ -266,8 +266,8 @ int __on_event(struct bpf_raw_tracepoint_args *ctx)
                }
    
                if (event->pthread_match || !pidData->use_tls) {
        -               void* frame_ptr;
        -               FrameData frame;
        +               void* frame_ptr = 0;
        +               FrameData frame = {};
                        Symbol sym = {};
                        int cur_cpu = bpf_get_smp_processor_id();
    
    W/o this patch the difference comes from the following pattern
    (for different variables):
    
        static bool get_frame_data(... FrameData *frame ...)
        {
            ...
            bpf_probe_read_user(&frame->f_code, ...);
            if (!frame->f_code)
                return false;
            ...
            bpf_probe_read_user(&frame->co_name, ...);
            if (frame->co_name)
                ...;
        }
    
        int __on_event(struct bpf_raw_tracepoint_args *ctx)
        {
            FrameData frame;
            ...
            get_frame_data(... &frame ...) // indirectly via a bpf_loop & callback
            ...
        }
    
        SEC("raw_tracepoint/kfree_skb")
        int on_event(struct bpf_raw_tracepoint_args* ctx)
        {
            ...
            ret |= __on_event(ctx);
            ret |= __on_event(ctx);
            ...
        }
    
    With regards to value `frame->co_name` the following is important:
    - Because of the conditional `if (!frame->f_code)` each call to
      __on_event() produces two states, one with `frame->co_name` marked
      as STACK_MISC, another with it as is (and marked STACK_INVALID on a
      first call).
    - The call to bpf_probe_read_user() does not mark stack slots
      corresponding to `&frame->co_name` as REG_LIVE_WRITTEN but it marks
      these slots as BPF_MISC, this happens because of the following loop
      in the check_helper_call():
    
            for (i = 0; i < meta.access_size; i++) {
                    err = check_mem_access(env, insn_idx, meta.regno, i, BPF_B,
                                           BPF_WRITE, -1, false);
                    if (err)
                            return err;
            }
    
      Note the size of the write, it is a one byte write for each byte
      touched by a helper. The BPF_B write does not lead to write marks
      for the target stack slot.
    - Which means that w/o this patch when second __on_event() call is
      verified `if (frame->co_name)` will propagate read marks first to a
      stack slot with STACK_MISC marks and second to a stack slot with
      STACK_INVALID marks and these states would be considered different.
    
    [1] https://lore.kernel.org/bpf/CAEf4BzY3e+ZuC6HUa8dCiUovQRg2SzEk7M-dSkqNZyn=xEmnPA@mail.gmail.com/
    [2] https://lore.kernel.org/bpf/CAADnVQKs2i1iuZ5SUGuJtxWVfGYR9kDgYKhq3rNV+kBLQCu7rA@mail.gmail.com/
    [3] git@github.com:anakryiko/cilium.git
    
    Suggested-by: Andrii Nakryiko <andrii@kernel.org>
    Co-developed-by: Alexei Starovoitov <ast@kernel.org>
    Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
    Acked-by: Andrii Nakryiko <andrii@kernel.org>
    Link: https://lore.kernel.org/r/20230219200427.606541-2-eddyz87@gmail.com
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    Signed-off-by: Maxim Mikityanskiy <maxim@isovalent.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

bpf: fix order of args in call to bpf_map_kvcalloc [+ + +]
Author: Mohammad Shehar Yaar Tausif <sheharyaar48@gmail.com>
Date:   Wed Jul 10 12:05:22 2024 +0200

    bpf: fix order of args in call to bpf_map_kvcalloc
    
    [ Upstream commit af253aef183a31ce62d2e39fc520b0ebfb562bb9 ]
    
    The original function call passed size of smap->bucket before the number of
    buckets which raises the error 'calloc-transposed-args' on compilation.
    
    Vlastimil Babka added:
    
    The order of parameters can be traced back all the way to 6ac99e8f23d4
    ("bpf: Introduce bpf sk local storage") accross several refactorings,
    and that's why the commit is used as a Fixes: tag.
    
    In v6.10-rc1, a different commit 2c321f3f70bc ("mm: change inlined
    allocation helpers to account at the call site") however exposed the
    order of args in a way that gcc-14 has enough visibility to start
    warning about it, because (in !CONFIG_MEMCG case) bpf_map_kvcalloc is
    then a macro alias for kvcalloc instead of a static inline wrapper.
    
    To sum up the warning happens when the following conditions are all met:
    
    - gcc-14 is used (didn't see it with gcc-13)
    - commit 2c321f3f70bc is present
    - CONFIG_MEMCG is not enabled in .config
    - CONFIG_WERROR turns this from a compiler warning to error
    
    Fixes: 6ac99e8f23d4 ("bpf: Introduce bpf sk local storage")
    Reviewed-by: Andrii Nakryiko <andrii@kernel.org>
    Tested-by: Christian Kujau <lists@nerdbynature.de>
    Signed-off-by: Mohammad Shehar Yaar Tausif <sheharyaar48@gmail.com>
    Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
    Link: https://lore.kernel.org/r/20240710100521.15061-2-vbabka@suse.cz
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

bpf: Reduce smap->elem_size [+ + +]
Author: Martin KaFai Lau <martin.lau@kernel.org>
Date:   Tue Dec 20 17:30:36 2022 -0800

    bpf: Reduce smap->elem_size
    
    [ Upstream commit 552d42a356ebf78df9d2f4b73e077d2459966fac ]
    
    'struct bpf_local_storage_elem' has an unused 56 byte padding at the
    end due to struct's cache-line alignment requirement. This padding
    space is overlapped by storage value contents, so if we use sizeof()
    to calculate the total size, we overinflate it by 56 bytes. Use
    offsetof() instead to calculate more exact memory use.
    
    Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Acked-by: Yonghong Song <yhs@fb.com>
    Acked-by: Andrii Nakryiko <andrii@kernel.org>
    Link: https://lore.kernel.org/bpf/20221221013036.3427431-1-martin.lau@linux.dev
    Stable-dep-of: af253aef183a ("bpf: fix order of args in call to bpf_map_kvcalloc")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

bpf: Refactor some inode/task/sk storage functions for reuse [+ + +]
Author: Yonghong Song <yhs@fb.com>
Date:   Tue Oct 25 21:28:45 2022 -0700

    bpf: Refactor some inode/task/sk storage functions for reuse
    
    [ Upstream commit c83597fa5dc6b322e9bdf929e5f4136a3f4aa4db ]
    
    Refactor codes so that inode/task/sk storage implementation
    can maximally share the same code. I also added some comments
    in new function bpf_local_storage_unlink_nolock() to make
    codes easy to understand. There is no functionality change.
    
    Acked-by: David Vernet <void@manifault.com>
    Signed-off-by: Yonghong Song <yhs@fb.com>
    Link: https://lore.kernel.org/r/20221026042845.672944-1-yhs@fb.com
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    Stable-dep-of: af253aef183a ("bpf: fix order of args in call to bpf_map_kvcalloc")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

bpf: Remove __bpf_local_storage_map_alloc [+ + +]
Author: Martin KaFai Lau <martin.lau@kernel.org>
Date:   Tue Mar 7 22:59:22 2023 -0800

    bpf: Remove __bpf_local_storage_map_alloc
    
    [ Upstream commit 62827d612ae525695799b3635a087cb49c55e977 ]
    
    bpf_local_storage_map_alloc() is the only caller of
    __bpf_local_storage_map_alloc().  The remaining logic in
    bpf_local_storage_map_alloc() is only a one liner setting
    the smap->cache_idx.
    
    Remove __bpf_local_storage_map_alloc() to simplify code.
    
    Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
    Link: https://lore.kernel.org/r/20230308065936.1550103-4-martin.lau@linux.dev
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    Stable-dep-of: af253aef183a ("bpf: fix order of args in call to bpf_map_kvcalloc")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

bpf: use bpf_map_kvcalloc in bpf_local_storage [+ + +]
Author: Yafang Shao <laoar.shao@gmail.com>
Date:   Fri Feb 10 15:47:32 2023 +0000

    bpf: use bpf_map_kvcalloc in bpf_local_storage
    
    [ Upstream commit ddef81b5fd1da4d7c3cc8785d2043b73b72f38ef ]
    
    Introduce new helper bpf_map_kvcalloc() for the memory allocation in
    bpf_local_storage(). Then the allocation will charge the memory from the
    map instead of from current, though currently they are the same thing as
    it is only used in map creation path now. By charging map's memory into
    the memcg from the map, it will be more clear.
    
    Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
    Acked-by: Johannes Weiner <hannes@cmpxchg.org>
    Acked-by: Roman Gushchin <roman.gushchin@linux.dev>
    Link: https://lore.kernel.org/r/20230210154734.4416-3-laoar.shao@gmail.com
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    Stable-dep-of: af253aef183a ("bpf: fix order of args in call to bpf_map_kvcalloc")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
cachefiles: add missing lock protection when polling [+ + +]
Author: Jingbo Xu <jefflexu@linux.alibaba.com>
Date:   Fri Jun 28 14:29:30 2024 +0800

    cachefiles: add missing lock protection when polling
    
    [ Upstream commit cf5bb09e742a9cf6349127e868329a8f69b7a014 ]
    
    Add missing lock protection in poll routine when iterating xarray,
    otherwise:
    
    Even with RCU read lock held, only the slot of the radix tree is
    ensured to be pinned there, while the data structure (e.g. struct
    cachefiles_req) stored in the slot has no such guarantee.  The poll
    routine will iterate the radix tree and dereference cachefiles_req
    accordingly.  Thus RCU read lock is not adequate in this case and
    spinlock is needed here.
    
    Fixes: b817e22b2e91 ("cachefiles: narrow the scope of triggering EPOLLIN events in ondemand mode")
    Signed-off-by: Jingbo Xu <jefflexu@linux.alibaba.com>
    Signed-off-by: Baokun Li <libaokun1@huawei.com>
    Link: https://lore.kernel.org/r/20240628062930.2467993-10-libaokun@huaweicloud.com
    Acked-by: Jeff Layton <jlayton@kernel.org>
    Reviewed-by: Jia Zhu <zhujia.zj@bytedance.com>
    Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
    Signed-off-by: Christian Brauner <brauner@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

cachefiles: cancel all requests for the object that is being dropped [+ + +]
Author: Baokun Li <libaokun1@huawei.com>
Date:   Fri Jun 28 14:29:27 2024 +0800

    cachefiles: cancel all requests for the object that is being dropped
    
    [ Upstream commit 751f524635a4f076117d714705eeddadaf6748ee ]
    
    Because after an object is dropped, requests for that object are useless,
    cancel them to avoid causing other problems.
    
    This prepares for the later addition of cancel_work_sync(). After the
    reopen requests is generated, cancel it to avoid cancel_work_sync()
    blocking by waiting for daemon to complete the reopen requests.
    
    Signed-off-by: Baokun Li <libaokun1@huawei.com>
    Link: https://lore.kernel.org/r/20240628062930.2467993-7-libaokun@huaweicloud.com
    Acked-by: Jeff Layton <jlayton@kernel.org>
    Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
    Reviewed-by: Jia Zhu <zhujia.zj@bytedance.com>
    Signed-off-by: Christian Brauner <brauner@kernel.org>
    Stable-dep-of: 12e009d60852 ("cachefiles: wait for ondemand_object_worker to finish when dropping object")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

cachefiles: cyclic allocation of msg_id to avoid reuse [+ + +]
Author: Baokun Li <libaokun1@huawei.com>
Date:   Fri Jun 28 14:29:29 2024 +0800

    cachefiles: cyclic allocation of msg_id to avoid reuse
    
    [ Upstream commit 19f4f399091478c95947f6bd7ad61622300c30d9 ]
    
    Reusing the msg_id after a maliciously completed reopen request may cause
    a read request to remain unprocessed and result in a hung, as shown below:
    
           t1       |      t2       |      t3
    -------------------------------------------------
    cachefiles_ondemand_select_req
     cachefiles_ondemand_object_is_close(A)
     cachefiles_ondemand_set_object_reopening(A)
     queue_work(fscache_object_wq, &info->work)
                    ondemand_object_worker
                     cachefiles_ondemand_init_object(A)
                      cachefiles_ondemand_send_req(OPEN)
                        // get msg_id 6
                        wait_for_completion(&req_A->done)
    cachefiles_ondemand_daemon_read
     // read msg_id 6 req_A
     cachefiles_ondemand_get_fd
     copy_to_user
                                    // Malicious completion msg_id 6
                                    copen 6,-1
                                    cachefiles_ondemand_copen
                                     complete(&req_A->done)
                                     // will not set the object to close
                                     // because ondemand_id && fd is valid.
    
                    // ondemand_object_worker() is done
                    // but the object is still reopening.
    
                                    // new open req_B
                                    cachefiles_ondemand_init_object(B)
                                     cachefiles_ondemand_send_req(OPEN)
                                     // reuse msg_id 6
    process_open_req
     copen 6,A.size
     // The expected failed copen was executed successfully
    
    Expect copen to fail, and when it does, it closes fd, which sets the
    object to close, and then close triggers reopen again. However, due to
    msg_id reuse resulting in a successful copen, the anonymous fd is not
    closed until the daemon exits. Therefore read requests waiting for reopen
    to complete may trigger hung task.
    
    To avoid this issue, allocate the msg_id cyclically to avoid reusing the
    msg_id for a very short duration of time.
    
    Fixes: c8383054506c ("cachefiles: notify the user daemon when looking up cookie")
    Signed-off-by: Baokun Li <libaokun1@huawei.com>
    Link: https://lore.kernel.org/r/20240628062930.2467993-9-libaokun@huaweicloud.com
    Acked-by: Jeff Layton <jlayton@kernel.org>
    Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
    Reviewed-by: Jia Zhu <zhujia.zj@bytedance.com>
    Signed-off-by: Christian Brauner <brauner@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

cachefiles: narrow the scope of triggering EPOLLIN events in ondemand mode [+ + +]
Author: Jia Zhu <zhujia.zj@bytedance.com>
Date:   Mon Nov 20 12:14:21 2023 +0800

    cachefiles: narrow the scope of triggering EPOLLIN events in ondemand mode
    
    [ Upstream commit b817e22b2e91257ace32a6768c3c003faeaa1c5c ]
    
    Don't trigger EPOLLIN when there are only reopening read requests in
    xarray.
    
    Suggested-by: Xin Yin <yinxin.x@bytedance.com>
    Signed-off-by: Jia Zhu <zhujia.zj@bytedance.com>
    Link: https://lore.kernel.org/r/20231120041422.75170-5-zhujia.zj@bytedance.com
    Reviewed-by: Jingbo Xu <jefflexu@linux.alibaba.com>
    Reviewed-by: David Howells <dhowells@redhat.com>
    Signed-off-by: Christian Brauner <brauner@kernel.org>
    Stable-dep-of: 12e009d60852 ("cachefiles: wait for ondemand_object_worker to finish when dropping object")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

cachefiles: propagate errors from vfs_getxattr() to avoid infinite loop [+ + +]
Author: Baokun Li <libaokun1@huawei.com>
Date:   Fri Jun 28 14:29:25 2024 +0800

    cachefiles: propagate errors from vfs_getxattr() to avoid infinite loop
    
    [ Upstream commit 0ece614a52bc9d219b839a6a29282b30d10e0c48 ]
    
    In cachefiles_check_volume_xattr(), the error returned by vfs_getxattr()
    is not passed to ret, so it ends up returning -ESTALE, which leads to an
    endless loop as follows:
    
    cachefiles_acquire_volume
    retry:
      ret = cachefiles_check_volume_xattr
        ret = -ESTALE
        xlen = vfs_getxattr // return -EIO
        // The ret is not updated when xlen < 0, so -ESTALE is returned.
        return ret
      // Supposed to jump out of the loop at this judgement.
      if (ret != -ESTALE)
          goto error_dir;
      cachefiles_bury_object
        //  EIO causes rename failure
      goto retry;
    
    Hence propagate the error returned by vfs_getxattr() to avoid the above
    issue. Do the same in cachefiles_check_auxdata().
    
    Fixes: 32e150037dce ("fscache, cachefiles: Store the volume coherency data")
    Fixes: 72b957856b0c ("cachefiles: Implement metadata/coherency data storage in xattrs")
    Signed-off-by: Baokun Li <libaokun1@huawei.com>
    Link: https://lore.kernel.org/r/20240628062930.2467993-5-libaokun@huaweicloud.com
    Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
    Signed-off-by: Christian Brauner <brauner@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

cachefiles: stop sending new request when dropping object [+ + +]
Author: Baokun Li <libaokun1@huawei.com>
Date:   Fri Jun 28 14:29:26 2024 +0800

    cachefiles: stop sending new request when dropping object
    
    [ Upstream commit b2415d1f4566b6939acacc69637eaa57815829c1 ]
    
    Added CACHEFILES_ONDEMAND_OBJSTATE_DROPPING indicates that the cachefiles
    object is being dropped, and is set after the close request for the dropped
    object completes, and no new requests are allowed to be sent after this
    state.
    
    This prepares for the later addition of cancel_work_sync(). It prevents
    leftover reopen requests from being sent, to avoid processing unnecessary
    requests and to avoid cancel_work_sync() blocking by waiting for daemon to
    complete the reopen requests.
    
    Signed-off-by: Baokun Li <libaokun1@huawei.com>
    Link: https://lore.kernel.org/r/20240628062930.2467993-6-libaokun@huaweicloud.com
    Acked-by: Jeff Layton <jlayton@kernel.org>
    Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
    Reviewed-by: Jia Zhu <zhujia.zj@bytedance.com>
    Signed-off-by: Christian Brauner <brauner@kernel.org>
    Stable-dep-of: 12e009d60852 ("cachefiles: wait for ondemand_object_worker to finish when dropping object")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

cachefiles: wait for ondemand_object_worker to finish when dropping object [+ + +]
Author: Hou Tao <houtao1@huawei.com>
Date:   Fri Jun 28 14:29:28 2024 +0800

    cachefiles: wait for ondemand_object_worker to finish when dropping object
    
    [ Upstream commit 12e009d60852f7bce0afc373ca0b320f14150418 ]
    
    When queuing ondemand_object_worker() to re-open the object,
    cachefiles_object is not pinned. The cachefiles_object may be freed when
    the pending read request is completed intentionally and the related
    erofs is umounted. If ondemand_object_worker() runs after the object is
    freed, it will incur use-after-free problem as shown below.
    
    process A  processs B  process C  process D
    
    cachefiles_ondemand_send_req()
    // send a read req X
    // wait for its completion
    
               // close ondemand fd
               cachefiles_ondemand_fd_release()
               // set object as CLOSE
    
                           cachefiles_ondemand_daemon_read()
                           // set object as REOPENING
                           queue_work(fscache_wq, &info->ondemand_work)
    
                                    // close /dev/cachefiles
                                    cachefiles_daemon_release
                                    cachefiles_flush_reqs
                                    complete(&req->done)
    
    // read req X is completed
    // umount the erofs fs
    cachefiles_put_object()
    // object will be freed
    cachefiles_ondemand_deinit_obj_info()
    kmem_cache_free(object)
                           // both info and object are freed
                           ondemand_object_worker()
    
    When dropping an object, it is no longer necessary to reopen the object,
    so use cancel_work_sync() to cancel or wait for ondemand_object_worker()
    to finish.
    
    Fixes: 0a7e54c1959c ("cachefiles: resend an open request if the read request's object is closed")
    Signed-off-by: Hou Tao <houtao1@huawei.com>
    Signed-off-by: Baokun Li <libaokun1@huawei.com>
    Link: https://lore.kernel.org/r/20240628062930.2467993-8-libaokun@huaweicloud.com
    Acked-by: Jeff Layton <jlayton@kernel.org>
    Reviewed-by: Jia Zhu <zhujia.zj@bytedance.com>
    Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
    Signed-off-by: Christian Brauner <brauner@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
cifs: fix setting SecurityFlags to true [+ + +]
Author: Steve French <stfrench@microsoft.com>
Date:   Tue Jul 9 18:07:35 2024 -0500

    cifs: fix setting SecurityFlags to true
    
    commit d2346e2836318a227057ed41061114cbebee5d2a upstream.
    
    If you try to set /proc/fs/cifs/SecurityFlags to 1 it
    will set them to CIFSSEC_MUST_NTLMV2 which no longer is
    relevant (the less secure ones like lanman have been removed
    from cifs.ko) and is also missing some flags (like for
    signing and encryption) and can even cause mount to fail,
    so change this to set it to Kerberos in this case.
    
    Also change the description of the SecurityFlags to remove mention
    of flags which are no longer supported.
    
    Cc: stable@vger.kernel.org
    Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
    Signed-off-by: Steve French <stfrench@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
Compiler Attributes: Add __uninitialized macro [+ + +]
Author: Heiko Carstens <hca@linux.ibm.com>
Date:   Mon Feb 5 16:48:43 2024 +0100

    Compiler Attributes: Add __uninitialized macro
    
    commit fd7eea27a3aed79b63b1726c00bde0d50cf207e2 upstream.
    
    With INIT_STACK_ALL_PATTERN or INIT_STACK_ALL_ZERO enabled the kernel will
    be compiled with -ftrivial-auto-var-init=<...> which causes initialization
    of stack variables at function entry time.
    
    In order to avoid the performance impact that comes with this users can use
    the "uninitialized" attribute to prevent such initialization.
    
    Therefore provide the __uninitialized macro which can be used for cases
    where INIT_STACK_ALL_PATTERN or INIT_STACK_ALL_ZERO is enabled, but only
    selected variables should not be initialized.
    
    Acked-by: Kees Cook <keescook@chromium.org>
    Reviewed-by: Nathan Chancellor <nathan@kernel.org>
    Link: https://lore.kernel.org/r/20240205154844.3757121-2-hca@linux.ibm.com
    Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 
ethtool: netlink: do not return SQI value if link is down [+ + +]
Author: Oleksij Rempel <o.rempel@pengutronix.de>
Date:   Tue Jul 9 08:19:43 2024 +0200

    ethtool: netlink: do not return SQI value if link is down
    
    [ Upstream commit c184cf94e73b04ff7048d045f5413899bc664788 ]
    
    Do not attach SQI value if link is down. "SQI values are only valid if
    link-up condition is present" per OpenAlliance specification of
    100Base-T1 Interoperability Test suite [1]. The same rule would apply
    for other link types.
    
    [1] https://opensig.org/automotive-ethernet-specifications/#
    
    Fixes: 806602191592 ("ethtool: provide UAPI for PHY Signal Quality Index (SQI)")
    Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
    Reviewed-by: Andrew Lunn <andrew@lunn.ch>
    Reviewed-by: Woojung Huh <woojung.huh@microchip.com>
    Link: https://patch.msgid.link/20240709061943.729381-1-o.rempel@pengutronix.de
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
filelock: fix potential use-after-free in posix_lock_inode [+ + +]
Author: Jeff Layton <jlayton@kernel.org>
Date:   Tue Jul 2 18:44:48 2024 -0400

    filelock: fix potential use-after-free in posix_lock_inode
    
    [ Upstream commit 1b3ec4f7c03d4b07bad70697d7e2f4088d2cfe92 ]
    
    Light Hsieh reported a KASAN UAF warning in trace_posix_lock_inode().
    The request pointer had been changed earlier to point to a lock entry
    that was added to the inode's list. However, before the tracepoint could
    fire, another task raced in and freed that lock.
    
    Fix this by moving the tracepoint inside the spinlock, which should
    ensure that this doesn't happen.
    
    Fixes: 74f6f5912693 ("locks: fix KASAN: use-after-free in trace_event_raw_event_filelock_lock")
    Link: https://lore.kernel.org/linux-fsdevel/724ffb0a2962e912ea62bb0515deadf39c325112.camel@kernel.org/
    Reported-by: Light Hsieh (謝明燈) <Light.Hsieh@mediatek.com>
    Signed-off-by: Jeff Layton <jlayton@kernel.org>
    Link: https://lore.kernel.org/r/20240702-filelock-6-10-v1-1-96e766aadc98@kernel.org
    Reviewed-by: Alexander Aring <aahringo@redhat.com>
    Signed-off-by: Christian Brauner <brauner@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
firmware: cs_dsp: Fix overflow checking of wmfw header [+ + +]
Author: Richard Fitzgerald <rf@opensource.cirrus.com>
Date:   Thu Jun 27 15:14:29 2024 +0100

    firmware: cs_dsp: Fix overflow checking of wmfw header
    
    [ Upstream commit 3019b86bce16fbb5bc1964f3544d0ce7d0137278 ]
    
    Fix the checking that firmware file buffer is large enough for the
    wmfw header, to prevent overrunning the buffer.
    
    The original code tested that the firmware data buffer contained
    enough bytes for the sums of the size of the structs
    
            wmfw_header + wmfw_adsp1_sizes + wmfw_footer
    
    But wmfw_adsp1_sizes is only used on ADSP1 firmware. For ADSP2 and
    Halo Core the equivalent struct is wmfw_adsp2_sizes, which is
    4 bytes longer. So the length check didn't guarantee that there
    are enough bytes in the firmware buffer for a header with
    wmfw_adsp2_sizes.
    
    This patch splits the length check into three separate parts. Each
    of the wmfw_header, wmfw_adsp?_sizes and wmfw_footer are checked
    separately before they are used.
    
    Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
    Fixes: f6bc909e7673 ("firmware: cs_dsp: add driver to support firmware loading on Cirrus Logic DSPs")
    Link: https://patch.msgid.link/20240627141432.93056-2-rf@opensource.cirrus.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

firmware: cs_dsp: Prevent buffer overrun when processing V2 alg headers [+ + +]
Author: Richard Fitzgerald <rf@opensource.cirrus.com>
Date:   Thu Jun 27 15:14:32 2024 +0100

    firmware: cs_dsp: Prevent buffer overrun when processing V2 alg headers
    
    [ Upstream commit 2163aff6bebbb752edf73f79700f5e2095f3559e ]
    
    Check that all fields of a V2 algorithm header fit into the available
    firmware data buffer.
    
    The wmfw V2 format introduced variable-length strings in the algorithm
    block header. This means the overall header length is variable, and the
    position of most fields varies depending on the length of the string
    fields. Each field must be checked to ensure that it does not overflow
    the firmware data buffer.
    
    As this ia bugfix patch, the fixes avoid making any significant change to
    the existing code. This makes it easier to review and less likely to
    introduce new bugs.
    
    Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
    Fixes: f6bc909e7673 ("firmware: cs_dsp: add driver to support firmware loading on Cirrus Logic DSPs")
    Link: https://patch.msgid.link/20240627141432.93056-5-rf@opensource.cirrus.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

firmware: cs_dsp: Return error if block header overflows file [+ + +]
Author: Richard Fitzgerald <rf@opensource.cirrus.com>
Date:   Thu Jun 27 15:14:30 2024 +0100

    firmware: cs_dsp: Return error if block header overflows file
    
    [ Upstream commit 959fe01e85b7241e3ec305d657febbe82da16a02 ]
    
    Return an error from cs_dsp_power_up() if a block header is longer
    than the amount of data left in the file.
    
    The previous code in cs_dsp_load() and cs_dsp_load_coeff() would loop
    while there was enough data left in the file for a valid region. This
    protected against overrunning the end of the file data, but it didn't
    abort the file processing with an error.
    
    Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
    Fixes: f6bc909e7673 ("firmware: cs_dsp: add driver to support firmware loading on Cirrus Logic DSPs")
    Link: https://patch.msgid.link/20240627141432.93056-3-rf@opensource.cirrus.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

firmware: cs_dsp: Use strnlen() on name fields in V1 wmfw files [+ + +]
Author: Richard Fitzgerald <rf@opensource.cirrus.com>
Date:   Mon Jul 8 15:48:55 2024 +0100

    firmware: cs_dsp: Use strnlen() on name fields in V1 wmfw files
    
    [ Upstream commit 680e126ec0400f6daecf0510c5bb97a55779ff03 ]
    
    Use strnlen() instead of strlen() on the algorithm and coefficient name
    string arrays in V1 wmfw files.
    
    In V1 wmfw files the name is a NUL-terminated string in a fixed-size
    array. cs_dsp should protect against overrunning the array if the NUL
    terminator is missing.
    
    Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
    Fixes: f6bc909e7673 ("firmware: cs_dsp: add driver to support firmware loading on Cirrus Logic DSPs")
    Link: https://patch.msgid.link/20240708144855.385332-1-rf@opensource.cirrus.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

firmware: cs_dsp: Validate payload length before processing block [+ + +]
Author: Richard Fitzgerald <rf@opensource.cirrus.com>
Date:   Thu Jun 27 15:14:31 2024 +0100

    firmware: cs_dsp: Validate payload length before processing block
    
    [ Upstream commit 6598afa9320b6ab13041616950ca5f8f938c0cf1 ]
    
    Move the payload length check in cs_dsp_load() and cs_dsp_coeff_load()
    to be done before the block is processed.
    
    The check that the length of a block payload does not exceed the number
    of remaining bytes in the firwmware file buffer was being done near the
    end of the loop iteration. However, some code before that check used the
    length field without validating it.
    
    Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
    Fixes: f6bc909e7673 ("firmware: cs_dsp: add driver to support firmware loading on Cirrus Logic DSPs")
    Link: https://patch.msgid.link/20240627141432.93056-4-rf@opensource.cirrus.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
Linux: Fix userfaultfd_api to return EINVAL as expected [+ + +]
Author: Audra Mitchell <audra@redhat.com>
Date:   Wed Jun 26 09:05:11 2024 -0400

    Fix userfaultfd_api to return EINVAL as expected
    
    commit 1723f04caacb32cadc4e063725d836a0c4450694 upstream.
    
    Currently if we request a feature that is not set in the Kernel config we
    fail silently and return all the available features.  However, the man
    page indicates we should return an EINVAL.
    
    We need to fix this issue since we can end up with a Kernel warning should
    a program request the feature UFFD_FEATURE_WP_UNPOPULATED on a kernel with
    the config not set with this feature.
    
     [  200.812896] WARNING: CPU: 91 PID: 13634 at mm/memory.c:1660 zap_pte_range+0x43d/0x660
     [  200.820738] Modules linked in:
     [  200.869387] CPU: 91 PID: 13634 Comm: userfaultfd Kdump: loaded Not tainted 6.9.0-rc5+ #8
     [  200.877477] Hardware name: Dell Inc. PowerEdge R6525/0N7YGH, BIOS 2.7.3 03/30/2022
     [  200.885052] RIP: 0010:zap_pte_range+0x43d/0x660
    
    Link: https://lkml.kernel.org/r/20240626130513.120193-1-audra@redhat.com
    Fixes: e06f1e1dd499 ("userfaultfd: wp: enabled write protection in userfaultfd API")
    Signed-off-by: Audra Mitchell <audra@redhat.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Andrea Arcangeli <aarcange@redhat.com>
    Cc: Christian Brauner <brauner@kernel.org>
    Cc: Jan Kara <jack@suse.cz>
    Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
    Cc: Peter Xu <peterx@redhat.com>
    Cc: Rafael Aquini <raquini@redhat.com>
    Cc: Shaohua Li <shli@fb.com>
    Cc: Shuah Khan <shuah@kernel.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
fs/dcache: Re-use value stored to dentry->d_flags instead of re-reading [+ + +]
Author: linke li <lilinke99@qq.com>
Date:   Wed Apr 3 10:10:08 2024 +0800

    fs/dcache: Re-use value stored to dentry->d_flags instead of re-reading
    
    [ Upstream commit 8bfb40be31ddea0cb4664b352e1797cfe6c91976 ]
    
    Currently, the __d_clear_type_and_inode() writes the value flags to
    dentry->d_flags, then immediately re-reads it in order to use it in a if
    statement. This re-read is useless because no other update to
    dentry->d_flags can occur at this point.
    
    This commit therefore re-use flags in the if statement instead of
    re-reading dentry->d_flags.
    
    Signed-off-by: linke li <lilinke99@qq.com>
    Link: https://lore.kernel.org/r/tencent_5E187BD0A61BA28605E85405F15228254D0A@qq.com
    Reviewed-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Christian Brauner <brauner@kernel.org>
    Stable-dep-of: aabfe57ebaa7 ("vfs: don't mod negative dentry count when on shrinker list")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
hpet: Support 32-bit userspace [+ + +]
Author: He Zhe <zhe.he@windriver.com>
Date:   Thu Jun 6 20:39:08 2024 +0800

    hpet: Support 32-bit userspace
    
    commit 4e60131d0d36af65ab9c9144f4f163fe97ae36e8 upstream.
    
    hpet_compat_ioctl and read file operations failed to handle parameters from
    32-bit userspace and thus samples/timers/hpet_example.c fails as below.
    
    root@intel-x86-64:~# ./hpet_example-32.out poll /dev/hpet 1 2
    -hpet: executing poll
    hpet_poll: HPET_IRQFREQ failed
    
    This patch fixes cmd and arg handling in hpet_compat_ioctl and adds compat
    handling for 32-bit userspace in hpet_read.
    
    hpet_example now shows that it works for both 64-bit and 32-bit.
    
    root@intel-x86-64:~# ./hpet_example-32.out poll /dev/hpet 1 2
    -hpet: executing poll
    hpet_poll: info.hi_flags 0x0
    hpet_poll: expired time = 0xf4298
    hpet_poll: revents = 0x1
    hpet_poll: data 0x1
    hpet_poll: expired time = 0xf4235
    hpet_poll: revents = 0x1
    hpet_poll: data 0x1
    root@intel-x86-64:~# ./hpet_example-64.out poll /dev/hpet 1 2
    -hpet: executing poll
    hpet_poll: info.hi_flags 0x0
    hpet_poll: expired time = 0xf42a1
    hpet_poll: revents = 0x1
    hpet_poll: data 0x1
    hpet_poll: expired time = 0xf4232
    hpet_poll: revents = 0x1
    hpet_poll: data 0x1
    
    Cc: stable@vger.kernel.org
    Signed-off-by: He Zhe <zhe.he@windriver.com>
    Fixes: 54066a57c584 ("hpet: kill BKL, add compat_ioctl")
    Reviewed-by: Arnd Bergmann <arnd@arndb.de>
    Link: https://lore.kernel.org/r/20240606123908.738733-1-zhe.he@windriver.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
i2c: mark HostNotify target address as used [+ + +]
Author: Wolfram Sang <wsa+renesas@sang-engineering.com>
Date:   Wed Jul 10 10:55:07 2024 +0200

    i2c: mark HostNotify target address as used
    
    [ Upstream commit bd9f5348089b65612e5ca976e2ae22f005340331 ]
    
    I2C core handles the local target for receiving HostNotify alerts. There
    is no separate driver bound to that address. That means userspace can
    access it if desired, leading to further complications if controllers
    are not capable of reading their own local target. Bind the local target
    to the dummy driver so it will be marked as "handled by the kernel" if
    the HostNotify feature is used. That protects aginst userspace access
    and prevents other drivers binding to it.
    
    Fixes: 2a71593da34d ("i2c: smbus: add core function handling SMBus host-notify")
    Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

i2c: rcar: bring hardware to known state when probing [+ + +]
Author: Wolfram Sang <wsa+renesas@sang-engineering.com>
Date:   Sun Jul 7 10:28:46 2024 +0200

    i2c: rcar: bring hardware to known state when probing
    
    [ Upstream commit 4e36c0f20cb1c74c7bd7ea31ba432c1c4a989031 ]
    
    When probing, the hardware is not brought into a known state. This may
    be a problem when a hypervisor restarts Linux without resetting the
    hardware, leaving an old state running. Make sure the hardware gets
    initialized, especially interrupts should be cleared and disabled.
    
    Reported-by: Dirk Behme <dirk.behme@de.bosch.com>
    Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Closes: https://lore.kernel.org/r/20240702045535.2000393-1-dirk.behme@de.bosch.com
    Fixes: 6ccbe607132b ("i2c: add Renesas R-Car I2C driver")
    Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
    Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

i2c: rcar: clear NO_RXDMA flag after resetting [+ + +]
Author: Wolfram Sang <wsa+renesas@sang-engineering.com>
Date:   Wed Jul 10 13:03:00 2024 +0200

    i2c: rcar: clear NO_RXDMA flag after resetting
    
    [ Upstream commit fea6b5ebb71a2830b042e42de7ae255017ac3ce8 ]
    
    We should allow RXDMA only if the reset was really successful, so clear
    the flag after the reset call.
    
    Fixes: 0e864b552b23 ("i2c: rcar: reset controller is mandatory for Gen3+")
    Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
    Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

i2c: rcar: ensure Gen3+ reset does not disturb local targets [+ + +]
Author: Wolfram Sang <wsa+renesas@sang-engineering.com>
Date:   Thu Jul 11 10:30:44 2024 +0200

    i2c: rcar: ensure Gen3+ reset does not disturb local targets
    
    [ Upstream commit ea5ea84c9d3570dc06e8fc5ee2273eaa584aa3ac ]
    
    R-Car Gen3+ needs a reset before every controller transfer. That erases
    configuration of a potentially in parallel running local target
    instance. To avoid this disruption, avoid controller transfers if a
    local target is running. Also, disable SMBusHostNotify because it
    requires being a controller and local target at the same time.
    
    Fixes: 3b770017b03a ("i2c: rcar: handle RXDMA HW behaviour on Gen3")
    Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
    Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

i2c: rcar: fix error code in probe() [+ + +]
Author: Dan Carpenter <dan.carpenter@linaro.org>
Date:   Wed Sep 27 15:38:36 2023 +0300

    i2c: rcar: fix error code in probe()
    
    commit 37a672be3ae357a0f87fbc00897fa7fcb3d7d782 upstream.
    
    Return an error code if devm_reset_control_get_exclusive() fails.
    The current code returns success.
    
    Fixes: 0e864b552b23 ("i2c: rcar: reset controller is mandatory for Gen3+")
    Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
    Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Signed-off-by: Wolfram Sang <wsa@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

i2c: rcar: introduce Gen4 devices [+ + +]
Author: Wolfram Sang <wsa+renesas@sang-engineering.com>
Date:   Thu Dec 14 08:43:57 2023 +0100

    i2c: rcar: introduce Gen4 devices
    
    [ Upstream commit 2b523c46e81ebd621515ab47117f95de197dfcbf ]
    
    So far, we treated Gen4 as Gen3. But we are soon adding FM+ as a Gen4
    specific feature, so prepare the code for the new devtype.
    
    Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
    Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Reviewed-by: Andi Shyti <andi.shyti@kernel.org>
    Signed-off-by: Wolfram Sang <wsa@kernel.org>
    Stable-dep-of: ea5ea84c9d35 ("i2c: rcar: ensure Gen3+ reset does not disturb local targets")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

i2c: rcar: reset controller is mandatory for Gen3+ [+ + +]
Author: Wolfram Sang <wsa+renesas@sang-engineering.com>
Date:   Thu Sep 21 14:53:49 2023 +0200

    i2c: rcar: reset controller is mandatory for Gen3+
    
    [ Upstream commit 0e864b552b2302e40b2277629ebac79544a5c433 ]
    
    Initially, we only needed a reset controller to make sure RXDMA works at
    least once per transfer. Meanwhile, documentation has been updated. It
    now says that a reset has to be performed prior every transaction, even
    if it is non-DMA. So, make the reset controller a requirement instead of
    being optional. And bail out if resetting fails.
    
    Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
    Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Signed-off-by: Wolfram Sang <wsa@kernel.org>
    Stable-dep-of: ea5ea84c9d35 ("i2c: rcar: ensure Gen3+ reset does not disturb local targets")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

i2c: testunit: avoid re-issued work after read message [+ + +]
Author: Wolfram Sang <wsa+renesas@sang-engineering.com>
Date:   Thu Jul 11 14:08:19 2024 +0200

    i2c: testunit: avoid re-issued work after read message
    
    [ Upstream commit 119736c7af442ab398dbb806865988c98ef60d46 ]
    
    The to-be-fixed commit rightfully prevented that the registers will be
    cleared. However, the index must be cleared. Otherwise a read message
    will re-issue the last work. Fix it and add a comment describing the
    situation.
    
    Fixes: c422b6a63024 ("i2c: testunit: don't erase registers after STOP")
    Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
    Reviewed-by: Andi Shyti <andi.shyti@kernel.org>
    Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
i40e: Fix XDP program unloading while removing the driver [+ + +]
Author: Michal Kubiak <michal.kubiak@intel.com>
Date:   Mon Jul 8 16:07:49 2024 -0700

    i40e: Fix XDP program unloading while removing the driver
    
    [ Upstream commit 01fc5142ae6b06b61ed51a624f2732d6525d8ea3 ]
    
    The commit 6533e558c650 ("i40e: Fix reset path while removing
    the driver") introduced a new PF state "__I40E_IN_REMOVE" to block
    modifying the XDP program while the driver is being removed.
    Unfortunately, such a change is useful only if the ".ndo_bpf()"
    callback was called out of the rmmod context because unloading the
    existing XDP program is also a part of driver removing procedure.
    In other words, from the rmmod context the driver is expected to
    unload the XDP program without reporting any errors. Otherwise,
    the kernel warning with callstack is printed out to dmesg.
    
    Example failing scenario:
     1. Load the i40e driver.
     2. Load the XDP program.
     3. Unload the i40e driver (using "rmmod" command).
    
    The example kernel warning log:
    
    [  +0.004646] WARNING: CPU: 94 PID: 10395 at net/core/dev.c:9290 unregister_netdevice_many_notify+0x7a9/0x870
    [...]
    [  +0.010959] RIP: 0010:unregister_netdevice_many_notify+0x7a9/0x870
    [...]
    [  +0.002726] Call Trace:
    [  +0.002457]  <TASK>
    [  +0.002119]  ? __warn+0x80/0x120
    [  +0.003245]  ? unregister_netdevice_many_notify+0x7a9/0x870
    [  +0.005586]  ? report_bug+0x164/0x190
    [  +0.003678]  ? handle_bug+0x3c/0x80
    [  +0.003503]  ? exc_invalid_op+0x17/0x70
    [  +0.003846]  ? asm_exc_invalid_op+0x1a/0x20
    [  +0.004200]  ? unregister_netdevice_many_notify+0x7a9/0x870
    [  +0.005579]  ? unregister_netdevice_many_notify+0x3cc/0x870
    [  +0.005586]  unregister_netdevice_queue+0xf7/0x140
    [  +0.004806]  unregister_netdev+0x1c/0x30
    [  +0.003933]  i40e_vsi_release+0x87/0x2f0 [i40e]
    [  +0.004604]  i40e_remove+0x1a1/0x420 [i40e]
    [  +0.004220]  pci_device_remove+0x3f/0xb0
    [  +0.003943]  device_release_driver_internal+0x19f/0x200
    [  +0.005243]  driver_detach+0x48/0x90
    [  +0.003586]  bus_remove_driver+0x6d/0xf0
    [  +0.003939]  pci_unregister_driver+0x2e/0xb0
    [  +0.004278]  i40e_exit_module+0x10/0x5f0 [i40e]
    [  +0.004570]  __do_sys_delete_module.isra.0+0x197/0x310
    [  +0.005153]  do_syscall_64+0x85/0x170
    [  +0.003684]  ? syscall_exit_to_user_mode+0x69/0x220
    [  +0.004886]  ? do_syscall_64+0x95/0x170
    [  +0.003851]  ? exc_page_fault+0x7e/0x180
    [  +0.003932]  entry_SYSCALL_64_after_hwframe+0x71/0x79
    [  +0.005064] RIP: 0033:0x7f59dc9347cb
    [  +0.003648] Code: 73 01 c3 48 8b 0d 65 16 0c 00 f7 d8 64 89 01 48 83
    c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00 00 0f
    05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 35 16 0c 00 f7 d8 64 89 01 48
    [  +0.018753] RSP: 002b:00007ffffac99048 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
    [  +0.007577] RAX: ffffffffffffffda RBX: 0000559b9bb2f6e0 RCX: 00007f59dc9347cb
    [  +0.007140] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 0000559b9bb2f748
    [  +0.007146] RBP: 00007ffffac99070 R08: 1999999999999999 R09: 0000000000000000
    [  +0.007133] R10: 00007f59dc9a5ac0 R11: 0000000000000206 R12: 0000000000000000
    [  +0.007141] R13: 00007ffffac992d8 R14: 0000559b9bb2f6e0 R15: 0000000000000000
    [  +0.007151]  </TASK>
    [  +0.002204] ---[ end trace 0000000000000000 ]---
    
    Fix this by checking if the XDP program is being loaded or unloaded.
    Then, block only loading a new program while "__I40E_IN_REMOVE" is set.
    Also, move testing "__I40E_IN_REMOVE" flag to the beginning of XDP_SETUP
    callback to avoid unnecessary operations and checks.
    
    Fixes: 6533e558c650 ("i40e: Fix reset path while removing the driver")
    Signed-off-by: Michal Kubiak <michal.kubiak@intel.com>
    Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
    Tested-by: Chandan Kumar Rout <chandanx.rout@intel.com> (A Contingent Worker at Intel)
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Link: https://patch.msgid.link/20240708230750.625986-1-anthony.l.nguyen@intel.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
kbuild: Make ld-version.sh more robust against version string changes [+ + +]
Author: Nathan Chancellor <nathan@kernel.org>
Date:   Sun Jul 7 22:06:47 2024 -0700

    kbuild: Make ld-version.sh more robust against version string changes
    
    [ Upstream commit 9852f47ac7c993990317570ff125e30ad901e213 ]
    
    After [1] in upstream LLVM, ld.lld's version output became slightly
    different when the cmake configuration option LLVM_APPEND_VC_REV is
    disabled.
    
    Before:
    
      Debian LLD 19.0.0 (compatible with GNU linkers)
    
    After:
    
      Debian LLD 19.0.0, compatible with GNU linkers
    
    This results in ld-version.sh failing with
    
      scripts/ld-version.sh: 18: arithmetic expression: expecting EOF: "10000 * 19 + 100 * 0 + 0,"
    
    because the trailing comma is included in the patch level part of the
    expression. While [1] has been partially reverted in [2] to avoid this
    breakage (as it impacts the configuration stage and it is present in all
    LTS branches), it would be good to make ld-version.sh more robust
    against such miniscule changes like this one.
    
    Use POSIX shell parameter expansion [3] to remove the largest suffix
    after just numbers and periods, replacing of the current removal of
    everything after a hyphen. ld-version.sh continues to work for a number
    of distributions (Arch Linux, Debian, and Fedora) and the kernel.org
    toolchains and no longer errors on a version of ld.lld with [1].
    
    Fixes: 02aff8592204 ("kbuild: check the minimum linker version in Kconfig")
    Link: https://github.com/llvm/llvm-project/commit/0f9fbbb63cfcd2069441aa2ebef622c9716f8dbb [1]
    Link: https://github.com/llvm/llvm-project/commit/649cdfc4b6781a350dfc87d9b2a4b5a4c3395909 [2]
    Link: https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html [3]
    Suggested-by: Fangrui Song <maskray@google.com>
    Reviewed-by: Fangrui Song <maskray@google.com>
    Signed-off-by: Nathan Chancellor <nathan@kernel.org>
    Reviewed-by: Nicolas Schier <nicolas@fjasle.eu>
    Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ksmbd: discard write access to the directory open [+ + +]
Author: Hobin Woo <hobin.woo@samsung.com>
Date:   Fri Jul 5 12:27:25 2024 +0900

    ksmbd: discard write access to the directory open
    
    commit e2e33caa5dc2eae7bddf88b22ce11ec3d760e5cd upstream.
    
    may_open() does not allow a directory to be opened with the write access.
    However, some writing flags set by client result in adding write access
    on server, making ksmbd incompatible with FUSE file system. Simply, let's
    discard the write access when opening a directory.
    
    list_add corruption. next is NULL.
    ------------[ cut here ]------------
    kernel BUG at lib/list_debug.c:26!
    pc : __list_add_valid+0x88/0xbc
    lr : __list_add_valid+0x88/0xbc
    Call trace:
    __list_add_valid+0x88/0xbc
    fuse_finish_open+0x11c/0x170
    fuse_open_common+0x284/0x5e8
    fuse_dir_open+0x14/0x24
    do_dentry_open+0x2a4/0x4e0
    dentry_open+0x50/0x80
    smb2_open+0xbe4/0x15a4
    handle_ksmbd_work+0x478/0x5ec
    process_one_work+0x1b4/0x448
    worker_thread+0x25c/0x430
    kthread+0x104/0x1d4
    ret_from_fork+0x10/0x20
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Yoonho Shin <yoonho.shin@samsung.com>
    Signed-off-by: Hobin Woo <hobin.woo@samsung.com>
    Acked-by: Namjae Jeon <linkinjeon@kernel.org>
    Signed-off-by: Steve French <stfrench@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
libceph: fix race between delayed_work() and ceph_monc_stop() [+ + +]
Author: Ilya Dryomov <idryomov@gmail.com>
Date:   Mon Jul 8 22:37:29 2024 +0200

    libceph: fix race between delayed_work() and ceph_monc_stop()
    
    commit 69c7b2fe4c9cc1d3b1186d1c5606627ecf0de883 upstream.
    
    The way the delayed work is handled in ceph_monc_stop() is prone to
    races with mon_fault() and possibly also finish_hunting().  Both of
    these can requeue the delayed work which wouldn't be canceled by any of
    the following code in case that happens after cancel_delayed_work_sync()
    runs -- __close_session() doesn't mess with the delayed work in order
    to avoid interfering with the hunting interval logic.  This part was
    missed in commit b5d91704f53e ("libceph: behave in mon_fault() if
    cur_mon < 0") and use-after-free can still ensue on monc and objects
    that hang off of it, with monc->auth and monc->monmap being
    particularly susceptible to quickly being reused.
    
    To fix this:
    
    - clear monc->cur_mon and monc->hunting as part of closing the session
      in ceph_monc_stop()
    - bail from delayed_work() if monc->cur_mon is cleared, similar to how
      it's done in mon_fault() and finish_hunting() (based on monc->hunting)
    - call cancel_delayed_work_sync() after the session is closed
    
    Cc: stable@vger.kernel.org
    Link: https://tracker.ceph.com/issues/66857
    Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
    Reviewed-by: Xiubo Li <xiubli@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
Linux: Linux 6.1.100 [+ + +]
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Thu Jul 18 13:18:44 2024 +0200

    Linux 6.1.100
    
    Link: https://lore.kernel.org/r/20240716152746.516194097@linuxfoundation.org
    Tested-by: SeongJae Park <sj@kernel.org>
    Tested-by: Shuah Khan <skhan@linuxfoundation.org>
    Tested-by: Allen Pais <apais@linux.microsoft.com>
    Link: https://lore.kernel.org/r/20240717063758.086668888@linuxfoundation.org
    Tested-by: Salvatore Bonaccorso <carnil@debian.org>
    Tested-by: Pavel Machek (CIP) <pavel@denx.de>
    Tested-by: Peter Schneider <pschneider1968@googlemail.com>
    Tested-by: Ron Economos <re@w6rz.net>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Tested-by: Kelsey Steele <kelseysteele@linux.microsoft.com>
    Tested-by: Mark Brown <broonie@kernel.org>
    Tested-by: Yann Sionneau <ysionneau@kalrayinc.com>
    Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
    Tested-by: Jon Hunter <jonathanh@nvidia.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
misc: fastrpc: Avoid updating PD type for capability request [+ + +]
Author: Ekansh Gupta <quic_ekangupt@quicinc.com>
Date:   Fri Jun 28 12:44:58 2024 +0100

    misc: fastrpc: Avoid updating PD type for capability request
    
    commit bfb6b07d2a30ffe98864d8cfc31fc00470063025 upstream.
    
    When user is requesting for DSP capability, the process pd type is
    getting updated to USER_PD which is incorrect as DSP will assume the
    process which is making the request is a user PD and this will never
    get updated back to the original value. The actual PD type should not
    be updated for capability request and it should be serviced by the
    respective PD on DSP side. Don't change process's PD type for DSP
    capability request.
    
    Fixes: 6c16fd8bdd40 ("misc: fastrpc: Add support to get DSP capabilities")
    Cc: stable <stable@kernel.org>
    Signed-off-by: Ekansh Gupta <quic_ekangupt@quicinc.com>
    Reviewed-by: Caleb Connolly <caleb.connolly@linaro.org>
    Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Link: https://lore.kernel.org/r/20240628114501.14310-4-srinivas.kandagatla@linaro.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

misc: fastrpc: Copy the complete capability structure to user [+ + +]
Author: Ekansh Gupta <quic_ekangupt@quicinc.com>
Date:   Fri Jun 28 12:44:57 2024 +0100

    misc: fastrpc: Copy the complete capability structure to user
    
    commit e7f0be3f09c6e955dc8009129862b562d8b64513 upstream.
    
    User is passing capability ioctl structure(argp) to get DSP
    capabilities. This argp is copied to a local structure to get domain
    and attribute_id information. After getting the capability, only
    capability value is getting copied to user argp which will not be
    useful if the use is trying to get the capability by checking the
    capability member of fastrpc_ioctl_capability structure. Copy the
    complete capability structure so that user can get the capability
    value from the expected member of the structure.
    
    Fixes: 6c16fd8bdd40 ("misc: fastrpc: Add support to get DSP capabilities")
    Cc: stable <stable@kernel.org>
    Signed-off-by: Ekansh Gupta <quic_ekangupt@quicinc.com>
    Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Reviewed-by: Caleb Connolly <caleb.connolly@linaro.org>
    Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    Link: https://lore.kernel.org/r/20240628114501.14310-3-srinivas.kandagatla@linaro.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

misc: fastrpc: Fix DSP capabilities request [+ + +]
Author: Ekansh Gupta <quic_ekangupt@quicinc.com>
Date:   Fri Jun 28 12:44:56 2024 +0100

    misc: fastrpc: Fix DSP capabilities request
    
    commit 4cb7915f0a35e2fcc4be60b912c4be35cd830957 upstream.
    
    The DSP capability request call expects 2 arguments. First is the
    information about the total number of attributes to be copied from
    DSP and second is the information about the buffer where the DSP
    needs to copy the information. The current design is passing the
    information about the size to be copied from DSP which would be
    considered as a bad argument to the call by DSP causing a failure
    suggesting the same. The second argument carries the information
    about the buffer where the DSP needs to copy the capability
    information and the size to be copied. As the first entry of
    capability attribute is getting skipped, same should also be
    considered while sending the information to DSP. Add changes to
    pass proper arguments to DSP.
    
    Fixes: 6c16fd8bdd40 ("misc: fastrpc: Add support to get DSP capabilities")
    Cc: stable <stable@kernel.org>
    Signed-off-by: Ekansh Gupta <quic_ekangupt@quicinc.com>
    Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Reviewed-by: Caleb Connolly <caleb.connolly@linaro.org>
    Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    Link: https://lore.kernel.org/r/20240628114501.14310-2-srinivas.kandagatla@linaro.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
mm: prevent derefencing NULL ptr in pfn_section_valid() [+ + +]
Author: Waiman Long <longman@redhat.com>
Date:   Tue Jun 25 20:16:39 2024 -0400

    mm: prevent derefencing NULL ptr in pfn_section_valid()
    
    [ Upstream commit 82f0b6f041fad768c28b4ad05a683065412c226e ]
    
    Commit 5ec8e8ea8b77 ("mm/sparsemem: fix race in accessing
    memory_section->usage") changed pfn_section_valid() to add a READ_ONCE()
    call around "ms->usage" to fix a race with section_deactivate() where
    ms->usage can be cleared.  The READ_ONCE() call, by itself, is not enough
    to prevent NULL pointer dereference.  We need to check its value before
    dereferencing it.
    
    Link: https://lkml.kernel.org/r/20240626001639.1350646-1-longman@redhat.com
    Fixes: 5ec8e8ea8b77 ("mm/sparsemem: fix race in accessing memory_section->usage")
    Signed-off-by: Waiman Long <longman@redhat.com>
    Cc: Charan Teja Kalla <quic_charante@quicinc.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket [+ + +]
Author: Daniel Borkmann <daniel@iogearbox.net>
Date:   Thu Jul 4 08:41:57 2024 +0200

    net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket
    
    [ Upstream commit 626dfed5fa3bfb41e0dffd796032b555b69f9cde ]
    
    When using a BPF program on kernel_connect(), the call can return -EPERM. This
    causes xs_tcp_setup_socket() to loop forever, filling up the syslog and causing
    the kernel to potentially freeze up.
    
    Neil suggested:
    
      This will propagate -EPERM up into other layers which might not be ready
      to handle it. It might be safer to map EPERM to an error we would be more
      likely to expect from the network system - such as ECONNREFUSED or ENETDOWN.
    
    ECONNREFUSED as error seems reasonable. For programs setting a different error
    can be out of reach (see handling in 4fbac77d2d09) in particular on kernels
    which do not have f10d05966196 ("bpf: Make BPF_PROG_RUN_ARRAY return -err
    instead of allow boolean"), thus given that it is better to simply remap for
    consistent behavior. UDP does handle EPERM in xs_udp_send_request().
    
    Fixes: d74bad4e74ee ("bpf: Hooks for sys_connect")
    Fixes: 4fbac77d2d09 ("bpf: Hooks for sys_bind")
    Co-developed-by: Lex Siegel <usiegl00@gmail.com>
    Signed-off-by: Lex Siegel <usiegl00@gmail.com>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Cc: Neil Brown <neilb@suse.de>
    Cc: Trond Myklebust <trondmy@kernel.org>
    Cc: Anna Schumaker <anna@kernel.org>
    Link: https://github.com/cilium/cilium/issues/33395
    Link: https://lore.kernel.org/bpf/171374175513.12877.8993642908082014881@noble.neil.brown.name
    Link: https://patch.msgid.link/9069ec1d59e4b2129fc23433349fd5580ad43921.1720075070.git.daniel@iogearbox.net
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
net/sched: Fix UAF when resolving a clash [+ + +]
Author: Chengen Du <chengen.du@canonical.com>
Date:   Wed Jul 10 13:37:47 2024 +0800

    net/sched: Fix UAF when resolving a clash
    
    [ Upstream commit 26488172b0292bed837b95a006a3f3431d1898c3 ]
    
    KASAN reports the following UAF:
    
     BUG: KASAN: slab-use-after-free in tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]
     Read of size 1 at addr ffff888c07603600 by task handler130/6469
    
     Call Trace:
      <IRQ>
      dump_stack_lvl+0x48/0x70
      print_address_description.constprop.0+0x33/0x3d0
      print_report+0xc0/0x2b0
      kasan_report+0xd0/0x120
      __asan_load1+0x6c/0x80
      tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]
      tcf_ct_act+0x886/0x1350 [act_ct]
      tcf_action_exec+0xf8/0x1f0
      fl_classify+0x355/0x360 [cls_flower]
      __tcf_classify+0x1fd/0x330
      tcf_classify+0x21c/0x3c0
      sch_handle_ingress.constprop.0+0x2c5/0x500
      __netif_receive_skb_core.constprop.0+0xb25/0x1510
      __netif_receive_skb_list_core+0x220/0x4c0
      netif_receive_skb_list_internal+0x446/0x620
      napi_complete_done+0x157/0x3d0
      gro_cell_poll+0xcf/0x100
      __napi_poll+0x65/0x310
      net_rx_action+0x30c/0x5c0
      __do_softirq+0x14f/0x491
      __irq_exit_rcu+0x82/0xc0
      irq_exit_rcu+0xe/0x20
      common_interrupt+0xa1/0xb0
      </IRQ>
      <TASK>
      asm_common_interrupt+0x27/0x40
    
     Allocated by task 6469:
      kasan_save_stack+0x38/0x70
      kasan_set_track+0x25/0x40
      kasan_save_alloc_info+0x1e/0x40
      __kasan_krealloc+0x133/0x190
      krealloc+0xaa/0x130
      nf_ct_ext_add+0xed/0x230 [nf_conntrack]
      tcf_ct_act+0x1095/0x1350 [act_ct]
      tcf_action_exec+0xf8/0x1f0
      fl_classify+0x355/0x360 [cls_flower]
      __tcf_classify+0x1fd/0x330
      tcf_classify+0x21c/0x3c0
      sch_handle_ingress.constprop.0+0x2c5/0x500
      __netif_receive_skb_core.constprop.0+0xb25/0x1510
      __netif_receive_skb_list_core+0x220/0x4c0
      netif_receive_skb_list_internal+0x446/0x620
      napi_complete_done+0x157/0x3d0
      gro_cell_poll+0xcf/0x100
      __napi_poll+0x65/0x310
      net_rx_action+0x30c/0x5c0
      __do_softirq+0x14f/0x491
    
     Freed by task 6469:
      kasan_save_stack+0x38/0x70
      kasan_set_track+0x25/0x40
      kasan_save_free_info+0x2b/0x60
      ____kasan_slab_free+0x180/0x1f0
      __kasan_slab_free+0x12/0x30
      slab_free_freelist_hook+0xd2/0x1a0
      __kmem_cache_free+0x1a2/0x2f0
      kfree+0x78/0x120
      nf_conntrack_free+0x74/0x130 [nf_conntrack]
      nf_ct_destroy+0xb2/0x140 [nf_conntrack]
      __nf_ct_resolve_clash+0x529/0x5d0 [nf_conntrack]
      nf_ct_resolve_clash+0xf6/0x490 [nf_conntrack]
      __nf_conntrack_confirm+0x2c6/0x770 [nf_conntrack]
      tcf_ct_act+0x12ad/0x1350 [act_ct]
      tcf_action_exec+0xf8/0x1f0
      fl_classify+0x355/0x360 [cls_flower]
      __tcf_classify+0x1fd/0x330
      tcf_classify+0x21c/0x3c0
      sch_handle_ingress.constprop.0+0x2c5/0x500
      __netif_receive_skb_core.constprop.0+0xb25/0x1510
      __netif_receive_skb_list_core+0x220/0x4c0
      netif_receive_skb_list_internal+0x446/0x620
      napi_complete_done+0x157/0x3d0
      gro_cell_poll+0xcf/0x100
      __napi_poll+0x65/0x310
      net_rx_action+0x30c/0x5c0
      __do_softirq+0x14f/0x491
    
    The ct may be dropped if a clash has been resolved but is still passed to
    the tcf_ct_flow_table_process_conn function for further usage. This issue
    can be fixed by retrieving ct from skb again after confirming conntrack.
    
    Fixes: 0cc254e5aa37 ("net/sched: act_ct: Offload connections with commit action")
    Co-developed-by: Gerald Yang <gerald.yang@canonical.com>
    Signed-off-by: Gerald Yang <gerald.yang@canonical.com>
    Signed-off-by: Chengen Du <chengen.du@canonical.com>
    Link: https://patch.msgid.link/20240710053747.13223-1-chengen.du@canonical.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
net: ethernet: lantiq_etop: fix double free in detach [+ + +]
Author: Aleksander Jan Bajkowski <olek2@wp.pl>
Date:   Mon Jul 8 22:58:26 2024 +0200

    net: ethernet: lantiq_etop: fix double free in detach
    
    [ Upstream commit e1533b6319ab9c3a97dad314dd88b3783bc41b69 ]
    
    The number of the currently released descriptor is never incremented
    which results in the same skb being released multiple times.
    
    Fixes: 504d4721ee8e ("MIPS: Lantiq: Add ethernet driver")
    Reported-by: Joe Perches <joe@perches.com>
    Closes: https://lore.kernel.org/all/fc1bf93d92bb5b2f99c6c62745507cc22f3a7b2d.camel@perches.com/
    Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
    Reviewed-by: Andrew Lunn <andrew@lunn.ch>
    Link: https://patch.msgid.link/20240708205826.5176-1-olek2@wp.pl
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: ethernet: mtk-star-emac: set mac_managed_pm when probing [+ + +]
Author: Jian Hui Lee <jianhui.lee@canonical.com>
Date:   Mon Jul 8 14:52:09 2024 +0800

    net: ethernet: mtk-star-emac: set mac_managed_pm when probing
    
    [ Upstream commit 8c6790b5c25dfac11b589cc37346bcf9e23ad468 ]
    
    The below commit introduced a warning message when phy state is not in
    the states: PHY_HALTED, PHY_READY, and PHY_UP.
    commit 744d23c71af3 ("net: phy: Warn about incorrect mdio_bus_phy_resume() state")
    
    mtk-star-emac doesn't need mdiobus suspend/resume. To fix the warning
    message during resume, indicate the phy resume/suspend is managed by the
    mac when probing.
    
    Fixes: 744d23c71af3 ("net: phy: Warn about incorrect mdio_bus_phy_resume() state")
    Signed-off-by: Jian Hui Lee <jianhui.lee@canonical.com>
    Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
    Link: https://patch.msgid.link/20240708065210.4178980-1-jianhui.lee@canonical.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: fix rc7's __skb_datagram_iter() [+ + +]
Author: Hugh Dickins <hughd@google.com>
Date:   Mon Jul 8 07:46:00 2024 -0700

    net: fix rc7's __skb_datagram_iter()
    
    [ Upstream commit f153831097b4435f963e385304cc0f1acba1c657 ]
    
    X would not start in my old 32-bit partition (and the "n"-handling looks
    just as wrong on 64-bit, but for whatever reason did not show up there):
    "n" must be accumulated over all pages before it's added to "offset" and
    compared with "copy", immediately after the skb_frag_foreach_page() loop.
    
    Fixes: d2d30a376d9c ("net: allow skb_datagram_iter to be called from any context")
    Signed-off-by: Hugh Dickins <hughd@google.com>
    Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
    Link: https://patch.msgid.link/fef352e8-b89a-da51-f8ce-04bc39ee6481@google.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: ks8851: Fix deadlock with the SPI chip variant [+ + +]
Author: Ronald Wahl <ronald.wahl@raritan.com>
Date:   Sat Jul 6 12:13:37 2024 +0200

    net: ks8851: Fix deadlock with the SPI chip variant
    
    commit 0913ec336a6c0c4a2b296bd9f74f8e41c4c83c8c upstream.
    
    When SMP is enabled and spinlocks are actually functional then there is
    a deadlock with the 'statelock' spinlock between ks8851_start_xmit_spi
    and ks8851_irq:
    
        watchdog: BUG: soft lockup - CPU#0 stuck for 27s!
        call trace:
          queued_spin_lock_slowpath+0x100/0x284
          do_raw_spin_lock+0x34/0x44
          ks8851_start_xmit_spi+0x30/0xb8
          ks8851_start_xmit+0x14/0x20
          netdev_start_xmit+0x40/0x6c
          dev_hard_start_xmit+0x6c/0xbc
          sch_direct_xmit+0xa4/0x22c
          __qdisc_run+0x138/0x3fc
          qdisc_run+0x24/0x3c
          net_tx_action+0xf8/0x130
          handle_softirqs+0x1ac/0x1f0
          __do_softirq+0x14/0x20
          ____do_softirq+0x10/0x1c
          call_on_irq_stack+0x3c/0x58
          do_softirq_own_stack+0x1c/0x28
          __irq_exit_rcu+0x54/0x9c
          irq_exit_rcu+0x10/0x1c
          el1_interrupt+0x38/0x50
          el1h_64_irq_handler+0x18/0x24
          el1h_64_irq+0x64/0x68
          __netif_schedule+0x6c/0x80
          netif_tx_wake_queue+0x38/0x48
          ks8851_irq+0xb8/0x2c8
          irq_thread_fn+0x2c/0x74
          irq_thread+0x10c/0x1b0
          kthread+0xc8/0xd8
          ret_from_fork+0x10/0x20
    
    This issue has not been identified earlier because tests were done on
    a device with SMP disabled and so spinlocks were actually NOPs.
    
    Now use spin_(un)lock_bh for TX queue related locking to avoid execution
    of softirq work synchronously that would lead to a deadlock.
    
    Fixes: 3dc5d4454545 ("net: ks8851: Fix TX stall caused by TX buffer overrun")
    Cc: "David S. Miller" <davem@davemloft.net>
    Cc: Eric Dumazet <edumazet@google.com>
    Cc: Jakub Kicinski <kuba@kernel.org>
    Cc: Paolo Abeni <pabeni@redhat.com>
    Cc: Simon Horman <horms@kernel.org>
    Cc: netdev@vger.kernel.org
    Cc: stable@vger.kernel.org # 5.10+
    Signed-off-by: Ronald Wahl <ronald.wahl@raritan.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Link: https://patch.msgid.link/20240706101337.854474-1-rwahl@gmx.de
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

net: ks8851: Fix potential TX stall after interface reopen [+ + +]
Author: Ronald Wahl <ronald.wahl@raritan.com>
Date:   Tue Jul 9 21:58:45 2024 +0200

    net: ks8851: Fix potential TX stall after interface reopen
    
    commit 7a99afef17af66c276c1d6e6f4dbcac223eaf6ac upstream.
    
    The amount of TX space in the hardware buffer is tracked in the tx_space
    variable. The initial value is currently only set during driver probing.
    
    After closing the interface and reopening it the tx_space variable has
    the last value it had before close. If it is smaller than the size of
    the first send packet after reopeing the interface the queue will be
    stopped. The queue is woken up after receiving a TX interrupt but this
    will never happen since we did not send anything.
    
    This commit moves the initialization of the tx_space variable to the
    ks8851_net_open function right before starting the TX queue. Also query
    the value from the hardware instead of using a hard coded value.
    
    Only the SPI chip variant is affected by this issue because only this
    driver variant actually depends on the tx_space variable in the xmit
    function.
    
    Fixes: 3dc5d4454545 ("net: ks8851: Fix TX stall caused by TX buffer overrun")
    Cc: "David S. Miller" <davem@davemloft.net>
    Cc: Eric Dumazet <edumazet@google.com>
    Cc: Jakub Kicinski <kuba@kernel.org>
    Cc: Paolo Abeni <pabeni@redhat.com>
    Cc: Simon Horman <horms@kernel.org>
    Cc: netdev@vger.kernel.org
    Cc: stable@vger.kernel.org # 5.10+
    Signed-off-by: Ronald Wahl <ronald.wahl@raritan.com>
    Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
    Link: https://patch.msgid.link/20240709195845.9089-1-rwahl@gmx.de
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

net: phy: microchip: lan87xx: reinit PHY after cable test [+ + +]
Author: Oleksij Rempel <o.rempel@pengutronix.de>
Date:   Fri Jul 5 10:49:54 2024 +0200

    net: phy: microchip: lan87xx: reinit PHY after cable test
    
    [ Upstream commit 30f747b8d53bc73555f268d0f48f56174fa5bf10 ]
    
    Reinit PHY after cable test, otherwise link can't be established on
    tested port. This issue is reproducible on LAN9372 switches with
    integrated 100BaseT1 PHYs.
    
    Fixes: 788050256c411 ("net: phy: microchip_t1: add cable test support for lan87xx phy")
    Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
    Reviewed-by: Andrew Lunn <andrew@lunn.ch>
    Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
    Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
    Link: https://patch.msgid.link/20240705084954.83048-1-o.rempel@pengutronix.de
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
nilfs2: fix kernel bug on rename operation of broken directory [+ + +]
Author: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Date:   Sat Jun 29 01:51:07 2024 +0900

    nilfs2: fix kernel bug on rename operation of broken directory
    
    commit a9e1ddc09ca55746079cc479aa3eb6411f0d99d4 upstream.
    
    Syzbot reported that in rename directory operation on broken directory on
    nilfs2, __block_write_begin_int() called to prepare block write may fail
    BUG_ON check for access exceeding the folio/page size.
    
    This is because nilfs_dotdot(), which gets parent directory reference
    entry ("..") of the directory to be moved or renamed, does not check
    consistency enough, and may return location exceeding folio/page size for
    broken directories.
    
    Fix this issue by checking required directory entries ("." and "..") in
    the first chunk of the directory in nilfs_dotdot().
    
    Link: https://lkml.kernel.org/r/20240628165107.9006-1-konishi.ryusuke@gmail.com
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
    Reported-by: syzbot+d3abed1ad3d367fa2627@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=d3abed1ad3d367fa2627
    Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations")
    Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
nvmem: core: only change name to fram for current attribute [+ + +]
Author: Thomas Weißschuh <linux@weissschuh.net>
Date:   Fri Jun 28 12:37:03 2024 +0100

    nvmem: core: only change name to fram for current attribute
    
    commit 0ba424c934fd43dccf0d597e1ae8851f07cb2edf upstream.
    
    bin_attr_nvmem_eeprom_compat is the template from which all future
    compat attributes are created.
    Changing it means to change all subsquent compat attributes, too.
    
    Instead only use the "fram" name for the currently registered attribute.
    
    Fixes: fd307a4ad332 ("nvmem: prepare basics for FRAM support")
    Cc: stable@vger.kernel.org
    Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
    Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    Link: https://lore.kernel.org/r/20240628113704.13742-4-srinivas.kandagatla@linaro.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

nvmem: meson-efuse: Fix return value of nvmem callbacks [+ + +]
Author: Joy Chakraborty <joychakr@google.com>
Date:   Fri Jun 28 12:37:02 2024 +0100

    nvmem: meson-efuse: Fix return value of nvmem callbacks
    
    commit 7a0a6d0a7c805f9380381f4deedffdf87b93f408 upstream.
    
    Read/write callbacks registered with nvmem core expect 0 to be returned
    on success and a negative value to be returned on failure.
    
    meson_efuse_read() and meson_efuse_write() call into
    meson_sm_call_read() and meson_sm_call_write() respectively which return
    the number of bytes read or written on success as per their api
    description.
    
    Fix to return error if meson_sm_call_read()/meson_sm_call_write()
    returns an error else return 0.
    
    Fixes: a29a63bdaf6f ("nvmem: meson-efuse: simplify read callback")
    Cc: stable@vger.kernel.org
    Signed-off-by: Joy Chakraborty <joychakr@google.com>
    Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
    Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
    Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    Link: https://lore.kernel.org/r/20240628113704.13742-3-srinivas.kandagatla@linaro.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

nvmem: rmem: Fix return value of rmem_read() [+ + +]
Author: Joy Chakraborty <joychakr@google.com>
Date:   Fri Jun 28 12:37:01 2024 +0100

    nvmem: rmem: Fix return value of rmem_read()
    
    commit 28b008751aa295612318a0fbb2f22dd4f6a83139 upstream.
    
    reg_read() callback registered with nvmem core expects 0 on success and
    a negative value on error but rmem_read() returns the number of bytes
    read which is treated as an error at the nvmem core.
    
    This does not break when rmem is accessed using sysfs via
    bin_attr_nvmem_read()/write() but causes an error when accessed from
    places like nvmem_access_with_keepouts(), etc.
    
    Change to return 0 on success and error in case
    memory_read_from_buffer() returns an error or -EIO if bytes read do not
    match what was requested.
    
    Fixes: 5a3fa75a4d9c ("nvmem: Add driver to expose reserved memory as nvmem")
    Cc: stable@vger.kernel.org
    Signed-off-by: Joy Chakraborty <joychakr@google.com>
    Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
    Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    Link: https://lore.kernel.org/r/20240628113704.13742-2-srinivas.kandagatla@linaro.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
octeontx2-af: extend RSS supported offload types [+ + +]
Author: Kiran Kumar K <kirankumark@marvell.com>
Date:   Mon Jun 12 11:34:20 2023 +0530

    octeontx2-af: extend RSS supported offload types
    
    [ Upstream commit 79bc788c038c9c87224d41ba6bbab20b6bf1a141 ]
    
    Add support to select L3 SRC or DST only, L4 SRC or DST only for RSS
    calculation.
    
    AF consumer may have requirement as we can select only SRC or DST data for
    RSS calculation in L3, L4 layers. With this requirement there will be
    following combinations, IPV[4,6]_SRC_ONLY, IPV[4,6]_DST_ONLY,
    [TCP,UDP,SCTP]_SRC_ONLY, [TCP,UDP,SCTP]_DST_ONLY. So, instead of creating
    a bit for each combination, we are using upper 4 bits (31:28) in the
    flow_key_cfg to represent the SRC, DST selection. 31 => L3_SRC,
    30 => L3_DST, 29 => L4_SRC, 28 => L4_DST. These won't be part of flow_cfg,
    so that we don't need to change the existing ABI.
    
    Signed-off-by: Kiran Kumar K <kirankumark@marvell.com>
    Signed-off-by: Geetha sowjanya <gakula@marvell.com>
    Signed-off-by: Naveen Mamindlapalli <naveenm@marvell.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Stable-dep-of: e23ac1095b9e ("octeontx2-af: fix issue with IPv6 ext match for RSS")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

octeontx2-af: fix a issue with cpt_lf_alloc mailbox [+ + +]
Author: Srujana Challa <schalla@marvell.com>
Date:   Wed Jul 10 13:21:24 2024 +0530

    octeontx2-af: fix a issue with cpt_lf_alloc mailbox
    
    [ Upstream commit 845fe19139ab5a1ee303a3bee327e3191c3938af ]
    
    This patch fixes CPT_LF_ALLOC mailbox error due to
    incompatible mailbox message format. Specifically, it
    corrects the `blkaddr` field type from `int` to `u8`.
    
    Fixes: de2854c87c64 ("octeontx2-af: Mailbox changes for 98xx CPT block")
    Signed-off-by: Srujana Challa <schalla@marvell.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

octeontx2-af: fix detection of IP layer [+ + +]
Author: Michal Mazur <mmazur2@marvell.com>
Date:   Wed Jul 10 13:21:25 2024 +0530

    octeontx2-af: fix detection of IP layer
    
    [ Upstream commit 404dc0fd6fb0bb942b18008c6f8c0320b80aca20 ]
    
    Checksum and length checks are not enabled for IPv4 header with
    options and IPv6 with extension headers.
    To fix this a change in enum npc_kpu_lc_ltype is required which will
    allow adjustment of LTYPE_MASK to detect all types of IP headers.
    
    Fixes: 21e6699e5cd6 ("octeontx2-af: Add NPC KPU profile")
    Signed-off-by: Michal Mazur <mmazur2@marvell.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

octeontx2-af: Fix incorrect value output on error path in rvu_check_rsrc_availability() [+ + +]
Author: Aleksandr Mishin <amishin@t-argos.ru>
Date:   Fri Jul 5 12:53:17 2024 +0300

    octeontx2-af: Fix incorrect value output on error path in rvu_check_rsrc_availability()
    
    [ Upstream commit 442e26af9aa8115c96541026cbfeaaa76c85d178 ]
    
    In rvu_check_rsrc_availability() in case of invalid SSOW req, an incorrect
    data is printed to error log. 'req->sso' value is printed instead of
    'req->ssow'. Looks like "copy-paste" mistake.
    
    Fix this mistake by replacing 'req->sso' with 'req->ssow'.
    
    Found by Linux Verification Center (linuxtesting.org) with SVACE.
    
    Fixes: 746ea74241fa ("octeontx2-af: Add RVU block LF provisioning support")
    Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Link: https://patch.msgid.link/20240705095317.12640-1-amishin@t-argos.ru
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

octeontx2-af: fix issue with IPv4 match for RSS [+ + +]
Author: Satheesh Paul <psatheesh@marvell.com>
Date:   Wed Jul 10 13:21:27 2024 +0530

    octeontx2-af: fix issue with IPv4 match for RSS
    
    [ Upstream commit 60795bbf047654c9f8ae88d34483233a56033578 ]
    
    While performing RSS based on IPv4, packets with
    IPv4 options are not being considered. Adding changes
    to match both plain IPv4 and IPv4 with option header.
    
    Fixes: 41a7aa7b800d ("octeontx2-af: NIX Rx flowkey configuration for RSS")
    Signed-off-by: Satheesh Paul <psatheesh@marvell.com>
    Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

octeontx2-af: fix issue with IPv6 ext match for RSS [+ + +]
Author: Kiran Kumar K <kirankumark@marvell.com>
Date:   Wed Jul 10 13:21:26 2024 +0530

    octeontx2-af: fix issue with IPv6 ext match for RSS
    
    [ Upstream commit e23ac1095b9eb8ac48f98c398d81d6ba062c9b5d ]
    
    While performing RSS based on IPv6, extension ltype
    is not being considered. This will be problem for
    fragmented packets or packets with extension header.
    Adding changes to match IPv6 ext header along with IPv6
    ltype.
    
    Fixes: 41a7aa7b800d ("octeontx2-af: NIX Rx flowkey configuration for RSS")
    Signed-off-by: Kiran Kumar K <kirankumark@marvell.com>
    Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

octeontx2-af: replace cpt slot with lf id on reg write [+ + +]
Author: Nithin Dabilpuram <ndabilpuram@marvell.com>
Date:   Wed Jul 10 13:21:23 2024 +0530

    octeontx2-af: replace cpt slot with lf id on reg write
    
    [ Upstream commit bc35e28af7890085dcbe5cc32373647dfb4d9af9 ]
    
    Replace slot id with global CPT lf id on reg read/write as
    CPTPF/VF driver would send slot number instead of global
    lf id in the reg offset. And also update the mailbox response
    with the global lf's register offset.
    
    Fixes: ae454086e3c2 ("octeontx2-af: add mailbox interface for CPT")
    Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

octeontx2-af: update cpt lf alloc mailbox [+ + +]
Author: Srujana Challa <schalla@marvell.com>
Date:   Wed Jan 18 17:33:53 2023 +0530

    octeontx2-af: update cpt lf alloc mailbox
    
    [ Upstream commit c0688ec002a451d04a51d43b849765c5ce6cb36f ]
    
    The CN10K CPT coprocessor contains a context processor
    to accelerate updates to the IPsec security association
    contexts. The context processor contains a context cache.
    This patch updates CPT LF ALLOC mailbox to config ctx_ilen
    requested by VFs. CPT_LF_ALLOC:ctx_ilen is the size of
    initial context fetch.
    
    Signed-off-by: Srujana Challa <schalla@marvell.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Stable-dep-of: 845fe19139ab ("octeontx2-af: fix a issue with cpt_lf_alloc mailbox")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
platform/x86: toshiba_acpi: Fix array out-of-bounds access [+ + +]
Author: Armin Wolf <W_Armin@gmx.de>
Date:   Tue Jul 9 16:38:51 2024 +0200

    platform/x86: toshiba_acpi: Fix array out-of-bounds access
    
    commit b6e02c6b0377d4339986e07aeb696c632cd392aa upstream.
    
    In order to use toshiba_dmi_quirks[] together with the standard DMI
    matching functions, it must be terminated by a empty entry.
    
    Since this entry is missing, an array out-of-bounds access occurs
    every time the quirk list is processed.
    
    Fix this by adding the terminating empty entry.
    
    Reported-by: kernel test robot <oliver.sang@intel.com>
    Closes: https://lore.kernel.org/oe-lkp/202407091536.8b116b3d-lkp@intel.com
    Fixes: 3cb1f40dfdc3 ("drivers/platform: toshiba_acpi: Call HCI_PANEL_POWER_ON on resume on some models")
    Cc: stable@vger.kernel.org
    Signed-off-by: Armin Wolf <W_Armin@gmx.de>
    Link: https://lore.kernel.org/r/20240709143851.10097-1-W_Armin@gmx.de
    Reviewed-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ppp: reject claimed-as-LCP but actually malformed packets [+ + +]
Author: Dmitry Antipov <dmantipov@yandex.ru>
Date:   Mon Jul 8 14:56:15 2024 +0300

    ppp: reject claimed-as-LCP but actually malformed packets
    
    [ Upstream commit f2aeb7306a898e1cbd03963d376f4b6656ca2b55 ]
    
    Since 'ppp_async_encode()' assumes valid LCP packets (with code
    from 1 to 7 inclusive), add 'ppp_check_packet()' to ensure that
    LCP packet has an actual body beyond PPP_LCP header bytes, and
    reject claimed-as-LCP but actually malformed data otherwise.
    
    Reported-by: syzbot+ec0723ba9605678b14bf@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=ec0723ba9605678b14bf
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
Revert "sched/fair: Make sure to try to detach at least one movable task" [+ + +]
Author: Josh Don <joshdon@google.com>
Date:   Thu Jun 20 14:44:50 2024 -0700

    Revert "sched/fair: Make sure to try to detach at least one movable task"
    
    commit 2feab2492deb2f14f9675dd6388e9e2bf669c27a upstream.
    
    This reverts commit b0defa7ae03ecf91b8bfd10ede430cff12fcbd06.
    
    b0defa7ae03ec changed the load balancing logic to ignore env.max_loop if
    all tasks examined to that point were pinned. The goal of the patch was
    to make it more likely to be able to detach a task buried in a long list
    of pinned tasks. However, this has the unfortunate side effect of
    creating an O(n) iteration in detach_tasks(), as we now must fully
    iterate every task on a cpu if all or most are pinned. Since this load
    balance code is done with rq lock held, and often in softirq context, it
    is very easy to trigger hard lockups. We observed such hard lockups with
    a user who affined O(10k) threads to a single cpu.
    
    When I discussed this with Vincent he initially suggested that we keep
    the limit on the number of tasks to detach, but increase the number of
    tasks we can search. However, after some back and forth on the mailing
    list, he recommended we instead revert the original patch, as it seems
    likely no one was actually getting hit by the original issue.
    
    Fixes: b0defa7ae03e ("sched/fair: Make sure to try to detach at least one movable task")
    Signed-off-by: Josh Don <joshdon@google.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Reviewed-by: Vincent Guittot <vincent.guittot@linaro.org>
    Link: https://lore.kernel.org/r/20240620214450.316280-1-joshdon@google.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
s390: Mark psw in __load_psw_mask() as __unitialized [+ + +]
Author: Sven Schnelle <svens@linux.ibm.com>
Date:   Tue Apr 30 16:30:01 2024 +0200

    s390: Mark psw in __load_psw_mask() as __unitialized
    
    [ Upstream commit 7278a8fb8d032dfdc03d9b5d17e0bc451cdc1492 ]
    
    Without __unitialized, the following code is generated when
    INIT_STACK_ALL_ZERO is enabled:
    
    86: d7 0f f0 a0 f0 a0     xc      160(16,%r15), 160(%r15)
    8c: e3 40 f0 a0 00 24     stg     %r4, 160(%r15)
    92: c0 10 00 00 00 08     larl    %r1, 0xa2
    98: e3 10 f0 a8 00 24     stg     %r1, 168(%r15)
    9e: b2 b2 f0 a0           lpswe   160(%r15)
    
    The xc is not adding any security because psw is fully initialized
    with the following instructions. Add __unitialized to the psw
    definitiation to avoid the superfluous clearing of psw.
    
    Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Sven Schnelle <svens@linux.ibm.com>
    Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
sched: Move psi_account_irqtime() out of update_rq_clock_task() hotpath [+ + +]
Author: John Stultz <jstultz@google.com>
Date:   Tue Jun 18 14:58:55 2024 -0700

    sched: Move psi_account_irqtime() out of update_rq_clock_task() hotpath
    
    commit ddae0ca2a8fe12d0e24ab10ba759c3fbd755ada8 upstream.
    
    It was reported that in moving to 6.1, a larger then 10%
    regression was seen in the performance of
    clock_gettime(CLOCK_THREAD_CPUTIME_ID,...).
    
    Using a simple reproducer, I found:
    5.10:
    100000000 calls in 24345994193 ns => 243.460 ns per call
    100000000 calls in 24288172050 ns => 242.882 ns per call
    100000000 calls in 24289135225 ns => 242.891 ns per call
    
    6.1:
    100000000 calls in 28248646742 ns => 282.486 ns per call
    100000000 calls in 28227055067 ns => 282.271 ns per call
    100000000 calls in 28177471287 ns => 281.775 ns per call
    
    The cause of this was finally narrowed down to the addition of
    psi_account_irqtime() in update_rq_clock_task(), in commit
    52b1364ba0b1 ("sched/psi: Add PSI_IRQ to track IRQ/SOFTIRQ
    pressure").
    
    In my initial attempt to resolve this, I leaned towards moving
    all accounting work out of the clock_gettime() call path, but it
    wasn't very pretty, so it will have to wait for a later deeper
    rework. Instead, Peter shared this approach:
    
    Rework psi_account_irqtime() to use its own psi_irq_time base
    for accounting, and move it out of the hotpath, calling it
    instead from sched_tick() and __schedule().
    
    In testing this, we found the importance of ensuring
    psi_account_irqtime() is run under the rq_lock, which Johannes
    Weiner helpfully explained, so also add some lockdep annotations
    to make that requirement clear.
    
    With this change the performance is back in-line with 5.10:
    6.1+fix:
    100000000 calls in 24297324597 ns => 242.973 ns per call
    100000000 calls in 24318869234 ns => 243.189 ns per call
    100000000 calls in 24291564588 ns => 242.916 ns per call
    
    Reported-by: Jimmy Shiu <jimmyshiu@google.com>
    Originally-by: Peter Zijlstra <peterz@infradead.org>
    Signed-off-by: John Stultz <jstultz@google.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Reviewed-by: Chengming Zhou <chengming.zhou@linux.dev>
    Reviewed-by: Qais Yousef <qyousef@layalina.io>
    Link: https://lore.kernel.org/r/20240618215909.4099720-1-jstultz@google.com
    Fixes: 52b1364ba0b1 ("sched/psi: Add PSI_IRQ to track IRQ/SOFTIRQ pressure")
    [jstultz: Fixed up minor collisions w/ 6.1-stable]
    Signed-off-by: John Stultz <jstultz@google.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
skmsg: Skip zero length skb in sk_msg_recvmsg [+ + +]
Author: Geliang Tang <geliang@kernel.org>
Date:   Wed Jul 3 16:39:31 2024 +0800

    skmsg: Skip zero length skb in sk_msg_recvmsg
    
    [ Upstream commit f0c18025693707ec344a70b6887f7450bf4c826b ]
    
    When running BPF selftests (./test_progs -t sockmap_basic) on a Loongarch
    platform, the following kernel panic occurs:
    
      [...]
      Oops[#1]:
      CPU: 22 PID: 2824 Comm: test_progs Tainted: G           OE  6.10.0-rc2+ #18
      Hardware name: LOONGSON Dabieshan/Loongson-TC542F0, BIOS Loongson-UDK2018
         ... ...
         ra: 90000000048bf6c0 sk_msg_recvmsg+0x120/0x560
        ERA: 9000000004162774 copy_page_to_iter+0x74/0x1c0
       CRMD: 000000b0 (PLV0 -IE -DA +PG DACF=CC DACM=CC -WE)
       PRMD: 0000000c (PPLV0 +PIE +PWE)
       EUEN: 00000007 (+FPE +SXE +ASXE -BTE)
       ECFG: 00071c1d (LIE=0,2-4,10-12 VS=7)
      ESTAT: 00010000 [PIL] (IS= ECode=1 EsubCode=0)
       BADV: 0000000000000040
       PRID: 0014c011 (Loongson-64bit, Loongson-3C5000)
      Modules linked in: bpf_testmod(OE) xt_CHECKSUM xt_MASQUERADE xt_conntrack
      Process test_progs (pid: 2824, threadinfo=0000000000863a31, task=...)
      Stack : ...
      Call Trace:
      [<9000000004162774>] copy_page_to_iter+0x74/0x1c0
      [<90000000048bf6c0>] sk_msg_recvmsg+0x120/0x560
      [<90000000049f2b90>] tcp_bpf_recvmsg_parser+0x170/0x4e0
      [<90000000049aae34>] inet_recvmsg+0x54/0x100
      [<900000000481ad5c>] sock_recvmsg+0x7c/0xe0
      [<900000000481e1a8>] __sys_recvfrom+0x108/0x1c0
      [<900000000481e27c>] sys_recvfrom+0x1c/0x40
      [<9000000004c076ec>] do_syscall+0x8c/0xc0
      [<9000000003731da4>] handle_syscall+0xc4/0x160
      Code: ...
      ---[ end trace 0000000000000000 ]---
      Kernel panic - not syncing: Fatal exception
      Kernel relocated by 0x3510000
       .text @ 0x9000000003710000
       .data @ 0x9000000004d70000
       .bss  @ 0x9000000006469400
      ---[ end Kernel panic - not syncing: Fatal exception ]---
      [...]
    
    This crash happens every time when running sockmap_skb_verdict_shutdown
    subtest in sockmap_basic.
    
    This crash is because a NULL pointer is passed to page_address() in the
    sk_msg_recvmsg(). Due to the different implementations depending on the
    architecture, page_address(NULL) will trigger a panic on Loongarch
    platform but not on x86 platform. So this bug was hidden on x86 platform
    for a while, but now it is exposed on Loongarch platform. The root cause
    is that a zero length skb (skb->len == 0) was put on the queue.
    
    This zero length skb is a TCP FIN packet, which was sent by shutdown(),
    invoked in test_sockmap_skb_verdict_shutdown():
    
            shutdown(p1, SHUT_WR);
    
    In this case, in sk_psock_skb_ingress_enqueue(), num_sge is zero, and no
    page is put to this sge (see sg_set_page in sg_set_page), but this empty
    sge is queued into ingress_msg list.
    
    And in sk_msg_recvmsg(), this empty sge is used, and a NULL page is got by
    sg_page(sge). Pass this NULL page to copy_page_to_iter(), which passes it
    to kmap_local_page() and to page_address(), then kernel panics.
    
    To solve this, we should skip this zero length skb. So in sk_msg_recvmsg(),
    if copy is zero, that means it's a zero length skb, skip invoking
    copy_page_to_iter(). We are using the EFAULT return triggered by
    copy_page_to_iter to check for is_fin in tcp_bpf.c.
    
    Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface")
    Suggested-by: John Fastabend <john.fastabend@gmail.com>
    Signed-off-by: Geliang Tang <tanggeliang@kylinos.cn>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Reviewed-by: John Fastabend <john.fastabend@gmail.com>
    Link: https://lore.kernel.org/bpf/e3a16eacdc6740658ee02a33489b1b9d4912f378.1719992715.git.tanggeliang@kylinos.cn
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
tcp: avoid too many retransmit packets [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Jul 10 00:14:01 2024 +0000

    tcp: avoid too many retransmit packets
    
    commit 97a9063518f198ec0adb2ecb89789de342bb8283 upstream.
    
    If a TCP socket is using TCP_USER_TIMEOUT, and the other peer
    retracted its window to zero, tcp_retransmit_timer() can
    retransmit a packet every two jiffies (2 ms for HZ=1000),
    for about 4 minutes after TCP_USER_TIMEOUT has 'expired'.
    
    The fix is to make sure tcp_rtx_probe0_timed_out() takes
    icsk->icsk_user_timeout into account.
    
    Before blamed commit, the socket would not timeout after
    icsk->icsk_user_timeout, but would use standard exponential
    backoff for the retransmits.
    
    Also worth noting that before commit e89688e3e978 ("net: tcp:
    fix unexcepted socket die when snd_wnd is 0"), the issue
    would last 2 minutes instead of 4.
    
    Fixes: b701a99e431d ("tcp: Add tcp_clamp_rto_to_user_timeout() helper to improve accuracy")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Neal Cardwell <ncardwell@google.com>
    Reviewed-by: Jason Xing <kerneljasonxing@gmail.com>
    Reviewed-by: Jon Maxwell <jmaxwell37@gmail.com>
    Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Link: https://patch.msgid.link/20240710001402.2758273-1-edumazet@google.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

tcp: fix incorrect undo caused by DSACK of TLP retransmit [+ + +]
Author: Neal Cardwell <ncardwell@google.com>
Date:   Wed Jul 3 13:12:46 2024 -0400

    tcp: fix incorrect undo caused by DSACK of TLP retransmit
    
    [ Upstream commit 0ec986ed7bab6801faed1440e8839dcc710331ff ]
    
    Loss recovery undo_retrans bookkeeping had a long-standing bug where a
    DSACK from a spurious TLP retransmit packet could cause an erroneous
    undo of a fast recovery or RTO recovery that repaired a single
    really-lost packet (in a sequence range outside that of the TLP
    retransmit). Basically, because the loss recovery state machine didn't
    account for the fact that it sent a TLP retransmit, the DSACK for the
    TLP retransmit could erroneously be implicitly be interpreted as
    corresponding to the normal fast recovery or RTO recovery retransmit
    that plugged a real hole, thus resulting in an improper undo.
    
    For example, consider the following buggy scenario where there is a
    real packet loss but the congestion control response is improperly
    undone because of this bug:
    
    + send packets P1, P2, P3, P4
    + P1 is really lost
    + send TLP retransmit of P4
    + receive SACK for original P2, P3, P4
    + enter fast recovery, fast-retransmit P1, increment undo_retrans to 1
    + receive DSACK for TLP P4, decrement undo_retrans to 0, undo (bug!)
    + receive cumulative ACK for P1-P4 (fast retransmit plugged real hole)
    
    The fix: when we initialize undo machinery in tcp_init_undo(), if
    there is a TLP retransmit in flight, then increment tp->undo_retrans
    so that we make sure that we receive a DSACK corresponding to the TLP
    retransmit, as well as DSACKs for all later normal retransmits, before
    triggering a loss recovery undo. Note that we also have to move the
    line that clears tp->tlp_high_seq for RTO recovery, so that upon RTO
    we remember the tp->tlp_high_seq value until tcp_init_undo() and clear
    it only afterward.
    
    Also note that the bug dates back to the original 2013 TLP
    implementation, commit 6ba8a3b19e76 ("tcp: Tail loss probe (TLP)").
    
    However, this patch will only compile and work correctly with kernels
    that have tp->tlp_retrans, which was added only in v5.8 in 2020 in
    commit 76be93fc0702 ("tcp: allow at most one TLP probe per flight").
    So we associate this fix with that later commit.
    
    Fixes: 76be93fc0702 ("tcp: allow at most one TLP probe per flight")
    Signed-off-by: Neal Cardwell <ncardwell@google.com>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Cc: Yuchung Cheng <ycheng@google.com>
    Cc: Kevin Yang <yyd@google.com>
    Link: https://patch.msgid.link/20240703171246.1739561-1-ncardwell.sw@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

tcp: use signed arithmetic in tcp_rtx_probe0_timed_out() [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Fri Jun 7 12:56:52 2024 +0000

    tcp: use signed arithmetic in tcp_rtx_probe0_timed_out()
    
    commit 36534d3c54537bf098224a32dc31397793d4594d upstream.
    
    Due to timer wheel implementation, a timer will usually fire
    after its schedule.
    
    For instance, for HZ=1000, a timeout between 512ms and 4s
    has a granularity of 64ms.
    For this range of values, the extra delay could be up to 63ms.
    
    For TCP, this means that tp->rcv_tstamp may be after
    inet_csk(sk)->icsk_timeout whenever the timer interrupt
    finally triggers, if one packet came during the extra delay.
    
    We need to make sure tcp_rtx_probe0_timed_out() handles this case.
    
    Fixes: e89688e3e978 ("net: tcp: fix unexcepted socket die when snd_wnd is 0")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Menglong Dong <imagedong@tencent.com>
    Acked-by: Neal Cardwell <ncardwell@google.com>
    Reviewed-by: Jason Xing <kerneljasonxing@gmail.com>
    Link: https://lore.kernel.org/r/20240607125652.1472540-1-edumazet@google.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port(). [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Tue Jul 9 12:13:56 2024 -0700

    udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().
    
    [ Upstream commit 5c0b485a8c6116516f33925b9ce5b6104a6eadfd ]
    
    syzkaller triggered the warning [0] in udp_v4_early_demux().
    
    In udp_v[46]_early_demux() and sk_lookup(), we do not touch the refcount
    of the looked-up sk and use sock_pfree() as skb->destructor, so we check
    SOCK_RCU_FREE to ensure that the sk is safe to access during the RCU grace
    period.
    
    Currently, SOCK_RCU_FREE is flagged for a bound socket after being put
    into the hash table.  Moreover, the SOCK_RCU_FREE check is done too early
    in udp_v[46]_early_demux() and sk_lookup(), so there could be a small race
    window:
    
      CPU1                                 CPU2
      ----                                 ----
      udp_v4_early_demux()                 udp_lib_get_port()
      |                                    |- hlist_add_head_rcu()
      |- sk = __udp4_lib_demux_lookup()    |
      |- DEBUG_NET_WARN_ON_ONCE(sk_is_refcounted(sk));
                                           `- sock_set_flag(sk, SOCK_RCU_FREE)
    
    We had the same bug in TCP and fixed it in commit 871019b22d1b ("net:
    set SOCK_RCU_FREE before inserting socket into hashtable").
    
    Let's apply the same fix for UDP.
    
    [0]:
    WARNING: CPU: 0 PID: 11198 at net/ipv4/udp.c:2599 udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599
    Modules linked in:
    CPU: 0 PID: 11198 Comm: syz-executor.1 Not tainted 6.9.0-g93bda33046e7 #13
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
    RIP: 0010:udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599
    Code: c5 7a 15 fe bb 01 00 00 00 44 89 e9 31 ff d3 e3 81 e3 bf ef ff ff 89 de e8 2c 74 15 fe 85 db 0f 85 02 06 00 00 e8 9f 7a 15 fe <0f> 0b e8 98 7a 15 fe 49 8d 7e 60 e8 4f 39 2f fe 49 c7 46 60 20 52
    RSP: 0018:ffffc9000ce3fa58 EFLAGS: 00010293
    RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8318c92c
    RDX: ffff888036ccde00 RSI: ffffffff8318c2f1 RDI: 0000000000000001
    RBP: ffff88805a2dd6e0 R08: 0000000000000001 R09: 0000000000000000
    R10: 0000000000000000 R11: 0001ffffffffffff R12: ffff88805a2dd680
    R13: 0000000000000007 R14: ffff88800923f900 R15: ffff88805456004e
    FS:  00007fc449127640(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007fc449126e38 CR3: 000000003de4b002 CR4: 0000000000770ef0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
    PKRU: 55555554
    Call Trace:
     <TASK>
     ip_rcv_finish_core.constprop.0+0xbdd/0xd20 net/ipv4/ip_input.c:349
     ip_rcv_finish+0xda/0x150 net/ipv4/ip_input.c:447
     NF_HOOK include/linux/netfilter.h:314 [inline]
     NF_HOOK include/linux/netfilter.h:308 [inline]
     ip_rcv+0x16c/0x180 net/ipv4/ip_input.c:569
     __netif_receive_skb_one_core+0xb3/0xe0 net/core/dev.c:5624
     __netif_receive_skb+0x21/0xd0 net/core/dev.c:5738
     netif_receive_skb_internal net/core/dev.c:5824 [inline]
     netif_receive_skb+0x271/0x300 net/core/dev.c:5884
     tun_rx_batched drivers/net/tun.c:1549 [inline]
     tun_get_user+0x24db/0x2c50 drivers/net/tun.c:2002
     tun_chr_write_iter+0x107/0x1a0 drivers/net/tun.c:2048
     new_sync_write fs/read_write.c:497 [inline]
     vfs_write+0x76f/0x8d0 fs/read_write.c:590
     ksys_write+0xbf/0x190 fs/read_write.c:643
     __do_sys_write fs/read_write.c:655 [inline]
     __se_sys_write fs/read_write.c:652 [inline]
     __x64_sys_write+0x41/0x50 fs/read_write.c:652
     x64_sys_call+0xe66/0x1990 arch/x86/include/generated/asm/syscalls_64.h:2
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0x4b/0x110 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x4b/0x53
    RIP: 0033:0x7fc44a68bc1f
    Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 e9 cf f5 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 3c d0 f5 ff 48
    RSP: 002b:00007fc449126c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
    RAX: ffffffffffffffda RBX: 00000000004bc050 RCX: 00007fc44a68bc1f
    RDX: 0000000000000032 RSI: 00000000200000c0 RDI: 00000000000000c8
    RBP: 00000000004bc050 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000032 R11: 0000000000000293 R12: 0000000000000000
    R13: 000000000000000b R14: 00007fc44a5ec530 R15: 0000000000000000
     </TASK>
    
    Fixes: 6acc9b432e67 ("bpf: Add helper to retrieve socket in BPF")
    Reported-by: syzkaller <syzkaller@googlegroups.com>
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Link: https://patch.msgid.link/20240709191356.24010-1-kuniyu@amazon.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k [+ + +]
Author: WangYuli <wangyuli@uniontech.com>
Date:   Tue Jul 2 23:44:08 2024 +0800

    USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k
    
    commit 3859e85de30815a20bce7db712ce3d94d40a682d upstream.
    
    START BP-850K is a dot matrix printer that crashes when
    it receives a Set-Interface request and needs USB_QUIRK_NO_SET_INTF
    to work properly.
    
    Cc: stable <stable@kernel.org>
    Signed-off-by: jinxiaobo <jinxiaobo@uniontech.com>
    Signed-off-by: WangYuli <wangyuli@uniontech.com>
    Link: https://lore.kernel.org/r/202E4B2BD0F0FEA4+20240702154408.631201-1-wangyuli@uniontech.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor [+ + +]
Author: Alan Stern <stern@rowland.harvard.edu>
Date:   Thu Jun 27 15:56:18 2024 -0400

    USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor
    
    commit a368ecde8a5055b627749b09c6218ef793043e47 upstream.
    
    Syzbot has identified a bug in usbcore (see the Closes: tag below)
    caused by our assumption that the reserved bits in an endpoint
    descriptor's bEndpointAddress field will always be 0.  As a result of
    the bug, the endpoint_is_duplicate() routine in config.c (and possibly
    other routines as well) may believe that two descriptors are for
    distinct endpoints, even though they have the same direction and
    endpoint number.  This can lead to confusion, including the bug
    identified by syzbot (two descriptors with matching endpoint numbers
    and directions, where one was interrupt and the other was bulk).
    
    To fix the bug, we will clear the reserved bits in bEndpointAddress
    when we parse the descriptor.  (Note that both the USB-2.0 and USB-3.1
    specs say these bits are "Reserved, reset to zero".)  This requires us
    to make a copy of the descriptor earlier in usb_parse_endpoint() and
    use the copy instead of the original when checking for duplicates.
    
    Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
    Reported-and-tested-by: syzbot+8693a0bb9c10b554272a@syzkaller.appspotmail.com
    Closes: https://lore.kernel.org/linux-usb/0000000000003d868e061bc0f554@google.com/
    Fixes: 0a8fd1346254 ("USB: fix problems with duplicate endpoint addresses")
    CC: Oliver Neukum <oneukum@suse.com>
    CC: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/205a5edc-7fef-4159-b64a-80374b6b101a@rowland.harvard.edu
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
usb: gadget: configfs: Prevent OOB read/write in usb_string_copy() [+ + +]
Author: Lee Jones <lee@kernel.org>
Date:   Fri Jul 5 08:43:39 2024 +0100

    usb: gadget: configfs: Prevent OOB read/write in usb_string_copy()
    
    commit 6d3c721e686ea6c59e18289b400cc95c76e927e0 upstream.
    
    Userspace provided string 's' could trivially have the length zero. Left
    unchecked this will firstly result in an OOB read in the form
    `if (str[0 - 1] == '\n') followed closely by an OOB write in the form
    `str[0 - 1] = '\0'`.
    
    There is already a validating check to catch strings that are too long.
    Let's supply an additional check for invalid strings that are too short.
    
    Signed-off-by: Lee Jones <lee@kernel.org>
    Cc: stable <stable@kernel.org>
    Link: https://lore.kernel.org/r/20240705074339.633717-1-lee@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
USB: serial: mos7840: fix crash on resume [+ + +]
Author: Dmitry Smirnov <d.smirnov@inbox.lv>
Date:   Sat Jun 15 01:45:56 2024 +0300

    USB: serial: mos7840: fix crash on resume
    
    commit c15a688e49987385baa8804bf65d570e362f8576 upstream.
    
    Since commit c49cfa917025 ("USB: serial: use generic method if no
    alternative is provided in usb serial layer"), USB serial core calls the
    generic resume implementation when the driver has not provided one.
    
    This can trigger a crash on resume with mos7840 since support for
    multiple read URBs was added back in 2011. Specifically, both port read
    URBs are now submitted on resume for open ports, but the context pointer
    of the second URB is left set to the core rather than mos7840 port
    structure.
    
    Fix this by implementing dedicated suspend and resume functions for
    mos7840.
    
    Tested with Delock 87414 USB 2.0 to 4x serial adapter.
    
    Signed-off-by: Dmitry Smirnov <d.smirnov@inbox.lv>
    [ johan: analyse crash and rewrite commit message; set busy flag on
             resume; drop bulk-in check; drop unnecessary usb_kill_urb() ]
    Fixes: d83b405383c9 ("USB: serial: add support for multiple read urbs")
    Cc: stable@vger.kernel.org      # 3.3
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

USB: serial: option: add Fibocom FM350-GL [+ + +]
Author: Bjørn Mork <bjorn@mork.no>
Date:   Wed Jun 26 15:32:23 2024 +0200

    USB: serial: option: add Fibocom FM350-GL
    
    commit 2604e08ff251dba330e16b65e80074c9c540aad7 upstream.
    
    FM350-GL is 5G Sub-6 WWAN module which uses M.2 form factor interface.
    It is based on Mediatek's MTK T700 CPU. The module supports PCIe Gen3
    x1 and USB 2.0 and 3.0 interfaces.
    
    The manufacturer states that USB is "for debug" but it has been
    confirmed to be fully functional, except for modem-control requests on
    some of the interfaces.
    
    USB device composition is controlled by AT+GTUSBMODE=<mode> command.
    Two values are currently supported for the <mode>:
    
    40: RNDIS+AT+AP(GNSS)+META+DEBUG+NPT+ADB
    41: RNDIS+AT+AP(GNSS)+META+DEBUG+NPT+ADB+AP(LOG)+AP(META) (default value)
    
    [ Note that the functions above are not ordered by interface number. ]
    
    Mode 40 corresponds to:
    
    T:  Bus=03 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 22 Spd=480  MxCh= 0
    D:  Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
    P:  Vendor=0e8d ProdID=7126 Rev= 0.01
    S:  Manufacturer=Fibocom Wireless Inc.
    S:  Product=FM350-GL
    C:* #Ifs= 8 Cfg#= 1 Atr=a0 MxPwr=500mA
    A:  FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=03
    I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=02 Prot=ff Driver=rndis_host
    E:  Ad=82(I) Atr=03(Int.) MxPS=  64 Ivl=125us
    I:* If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
    E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 7 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    Mode 41 corresponds to:
    
    T:  Bus=03 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#=  7 Spd=480  MxCh= 0
    D:  Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
    P:  Vendor=0e8d ProdID=7127 Rev= 0.01
    S:  Manufacturer=Fibocom Wireless Inc.
    S:  Product=FM350-GL
    C:* #Ifs=10 Cfg#= 1 Atr=a0 MxPwr=500mA
    A:  FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=03
    I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=02 Prot=ff Driver=rndis_host
    E:  Ad=82(I) Atr=03(Int.) MxPS=  64 Ivl=125us
    I:* If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
    E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 7 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 8 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=08(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 9 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=8a(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=09(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Bjørn Mork <bjorn@mork.no>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

USB: serial: option: add Netprisma LCUK54 series modules [+ + +]
Author: Mank Wang <mank.wang@netprisma.us>
Date:   Sat Jun 29 01:54:45 2024 +0000

    USB: serial: option: add Netprisma LCUK54 series modules
    
    commit dc6dbe3ed28795b01c712ad8f567728f9c14b01d upstream.
    
    Add support for Netprisma LCUK54 series modules.
    
    LCUK54-WRD-LWW(0x3731/0x0100): NetPrisma LCUK54-WWD for Global
    LCUK54-WRD-LWW(0x3731/0x0101): NetPrisma LCUK54-WRD for Global SKU
    LCUK54-WRD-LCN(0x3731/0x0106): NetPrisma LCUK54-WRD for China SKU
    LCUK54-WRD-LWW(0x3731/0x0111): NetPrisma LCUK54-WWD for SA
    LCUK54-WRD-LWW(0x3731/0x0112): NetPrisma LCUK54-WWD for EU
    LCUK54-WRD-LWW(0x3731/0x0113): NetPrisma LCUK54-WWD for NA
    LCUK54-WWD-LCN(0x3731/0x0115): NetPrisma LCUK54-WWD for China EDU
    LCUK54-WWD-LWW(0x3731/0x0116): NetPrisma LCUK54-WWD for Golbal EDU
    
    Above products use the exact same interface layout and option
    driver:
    MBIM + GNSS + DIAG + NMEA + AT + QDSS + DPL
    
    T:  Bus=03 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#=  5 Spd=480  MxCh= 0
    D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
    P:  Vendor=3731 ProdID=0101 Rev= 5.04
    S:  Manufacturer=NetPrisma
    S:  Product=LCUK54-WRD
    S:  SerialNumber=b6250c36
    C:* #Ifs= 8 Cfg#= 1 Atr=a0 MxPwr=500mA
    A:  FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
    I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
    E:  Ad=81(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
    I:  If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
    I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
    E:  Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 2 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
    E:  Ad=82(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
    I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option
    E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
    E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 6 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=70 Driver=(none)
    E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 7 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
    E:  Ad=8f(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    Signed-off-by: Mank Wang <mank.wang@netprisma.us>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

USB: serial: option: add Rolling RW350-GL variants [+ + +]
Author: Vanillan Wang <vanillanwang@163.com>
Date:   Fri May 31 10:40:12 2024 +0800

    USB: serial: option: add Rolling RW350-GL variants
    
    commit ae420771551bd9f04347c59744dd062332bdec3e upstream.
    
    Update the USB serial option driver support for the Rolling
    RW350-GL
    - VID:PID 33f8:0802, RW350-GL are laptop M.2 cards (with
    MBIM interfaces for /Linux/Chrome OS)
    
    Here are the outputs of usb-devices:
    
    usbmode=63: mbim, pipe
    
    T:  Bus=02 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#=  2 Spd=5000 MxCh= 0
    D:  Ver= 3.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS= 9 #Cfgs=  1
    P:  Vendor=33f8 ProdID=0802 Rev=00.01
    S:  Manufacturer=Rolling Wireless S.a.r.l.
    S:  Product=USB DATA CARD
    C:  #Ifs= 3 Cfg#= 1 Atr=a0 MxPwr=896mA
    I:  If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
    E:  Ad=82(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
    I:  If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
    E:  Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E:  Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    I:  If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E:  Ad=83(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    
    usbmode=64: mbim, others at (If#= 5 adb)
    
    MBIM(MI0) + GNSS(MI2) + AP log(MI3) + AP META(MI4) + ADB(MI5) +
    MD AT(MI6) + MD META(MI7) + NPT(MI8) + Debug(MI9)
    
    T:  Bus=02 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#=  5 Spd=5000 MxCh= 0
    D:  Ver= 3.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS= 9 #Cfgs=  1
    P:  Vendor=33f8 ProdID=0802 Rev=00.01
    S:  Manufacturer=Rolling Wireless S.a.r.l.
    S:  Product=USB DATA CARD
    C:  #Ifs=10 Cfg#= 1 Atr=a0 MxPwr=896mA
    I:  If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
    E:  Ad=82(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
    I:  If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
    E:  Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E:  Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    I:  If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E:  Ad=83(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    I:  If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E:  Ad=84(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    I:  If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=04(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E:  Ad=85(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    I:  If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs
    E:  Ad=05(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E:  Ad=86(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    I:  If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=06(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E:  Ad=87(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    I:  If#= 7 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=07(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E:  Ad=88(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    I:  If#= 8 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=08(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E:  Ad=89(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    I:  If#= 9 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=09(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E:  Ad=8a(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    
    Signed-off-by: Vanillan Wang <vanillanwang@163.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

USB: serial: option: add support for Foxconn T99W651 [+ + +]
Author: Slark Xiao <slark_xiao@163.com>
Date:   Fri Jul 5 16:17:09 2024 +0800

    USB: serial: option: add support for Foxconn T99W651
    
    commit 3c841d54b63e4446383de3238399a3910e47d8e2 upstream.
    
    T99W651 is a RNDIS based modem device. There are 3 serial ports
    need to be enumerated: Diag, NMEA and AT.
    
    Test evidence as below:
    T:  Bus=01 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#=  6 Spd=480 MxCh= 0
    D:  Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
    P:  Vendor=0489 ProdID=e145 Rev=05.15
    S:  Manufacturer=QCOM
    S:  Product=SDXPINN-IDP _SN:93B562B2
    S:  SerialNumber=82e6fe26
    C:  #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA
    I:  If#=0x0 Alt= 0 #EPs= 1 Cls=ef(misc ) Sub=04 Prot=01 Driver=rndis_host
    I:  If#=0x1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
    I:  If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
    I:  If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
    I:  If#=0x4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
    I:  If#=0x5 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=70 Driver=(none)
    I:  If#=0x6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
    
    0&1: RNDIS, 2:AT, 3:NMEA, 4:DIAG, 5:QDSS, 6:ADB
    QDSS is not a serial port.
    
    Signed-off-by: Slark Xiao <slark_xiao@163.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

USB: serial: option: add Telit FN912 rmnet compositions [+ + +]
Author: Daniele Palmas <dnlplm@gmail.com>
Date:   Tue Jun 25 12:27:16 2024 +0200

    USB: serial: option: add Telit FN912 rmnet compositions
    
    commit 9a590ff283421b71560deded2110dbdcbe1f7d1d upstream.
    
    Add the following Telit FN912 compositions:
    
    0x3000: rmnet + tty (AT/NMEA) + tty (AT) + tty (diag)
    T:  Bus=03 Lev=01 Prnt=03 Port=07 Cnt=01 Dev#=  8 Spd=480  MxCh= 0
    D:  Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
    P:  Vendor=1bc7 ProdID=3000 Rev=05.15
    S:  Manufacturer=Telit Cinterion
    S:  Product=FN912
    S:  SerialNumber=92c4c4d8
    C:  #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA
    I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
    I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
    E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    I:  If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
    E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    0x3001: rmnet + tty (AT) + tty (diag) + DPL (data packet logging) + adb
    T:  Bus=03 Lev=01 Prnt=03 Port=07 Cnt=01 Dev#=  7 Spd=480  MxCh= 0
    D:  Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
    P:  Vendor=1bc7 ProdID=3001 Rev=05.15
    S:  Manufacturer=Telit Cinterion
    S:  Product=FN912
    S:  SerialNumber=92c4c4d8
    C:  #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
    I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
    I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    I:  If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
    E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:  If#= 3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=80 Driver=(none)
    E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:  If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs
    E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

USB: serial: option: add Telit generic core-dump composition [+ + +]
Author: Daniele Palmas <dnlplm@gmail.com>
Date:   Thu May 30 10:00:53 2024 +0200

    USB: serial: option: add Telit generic core-dump composition
    
    commit 4298e400dbdbf259549d69c349e060652ad53611 upstream.
    
    Add the following core-dump composition, used in different Telit modems:
    
    0x9000: tty (sahara)
    T:  Bus=03 Lev=01 Prnt=03 Port=07 Cnt=01 Dev#= 41 Spd=480  MxCh= 0
    D:  Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
    P:  Vendor=1bc7 ProdID=9000 Rev=00.00
    S:  Manufacturer=Telit Cinterion
    S:  Product=FN990-dump
    S:  SerialNumber=e815bdde
    C:  #Ifs= 1 Cfg#= 1 Atr=a0 MxPwr=2mA
    I:  If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=10 Driver=option
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
vfs: don't mod negative dentry count when on shrinker list [+ + +]
Author: Brian Foster <bfoster@redhat.com>
Date:   Wed Jul 3 08:13:01 2024 -0400

    vfs: don't mod negative dentry count when on shrinker list
    
    [ Upstream commit aabfe57ebaa75841db47ea59091ec3c5a06d2f52 ]
    
    The nr_dentry_negative counter is intended to only account negative
    dentries that are present on the superblock LRU. Therefore, the LRU
    add, remove and isolate helpers modify the counter based on whether
    the dentry is negative, but the shrinker list related helpers do not
    modify the counter, and the paths that change a dentry between
    positive and negative only do so if DCACHE_LRU_LIST is set.
    
    The problem with this is that a dentry on a shrinker list still has
    DCACHE_LRU_LIST set to indicate ->d_lru is in use. The additional
    DCACHE_SHRINK_LIST flag denotes whether the dentry is on LRU or a
    shrink related list. Therefore if a relevant operation (i.e. unlink)
    occurs while a dentry is present on a shrinker list, and the
    associated codepath only checks for DCACHE_LRU_LIST, then it is
    technically possible to modify the negative dentry count for a
    dentry that is off the LRU. Since the shrinker list related helpers
    do not modify the negative dentry count (because non-LRU dentries
    should not be included in the count) when the dentry is ultimately
    removed from the shrinker list, this can cause the negative dentry
    count to become permanently inaccurate.
    
    This problem can be reproduced via a heavy file create/unlink vs.
    drop_caches workload. On an 80xcpu system, I start 80 tasks each
    running a 1k file create/delete loop, and one task spinning on
    drop_caches. After 10 minutes or so of runtime, the idle/clean cache
    negative dentry count increases from somewhere in the range of 5-10
    entries to several hundred (and increasingly grows beyond
    nr_dentry_unused).
    
    Tweak the logic in the paths that turn a dentry negative or positive
    to filter out the case where the dentry is present on a shrink
    related list. This allows the above workload to maintain an accurate
    negative dentry count.
    
    Fixes: af0c9af1b3f6 ("fs/dcache: Track & report number of negative dentries")
    Signed-off-by: Brian Foster <bfoster@redhat.com>
    Link: https://lore.kernel.org/r/20240703121301.247680-1-bfoster@redhat.com
    Acked-by: Ian Kent <ikent@redhat.com>
    Reviewed-by: Josef Bacik <josef@toxicpanda.com>
    Reviewed-by: Waiman Long <longman@redhat.com>
    Signed-off-by: Christian Brauner <brauner@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
wireguard: allowedips: avoid unaligned 64-bit memory accesses [+ + +]
Author: Helge Deller <deller@kernel.org>
Date:   Thu Jul 4 17:45:15 2024 +0200

    wireguard: allowedips: avoid unaligned 64-bit memory accesses
    
    commit 948f991c62a4018fb81d85804eeab3029c6209f8 upstream.
    
    On the parisc platform, the kernel issues kernel warnings because
    swap_endian() tries to load a 128-bit IPv6 address from an unaligned
    memory location:
    
     Kernel: unaligned access to 0x55f4688c in wg_allowedips_insert_v6+0x2c/0x80 [wireguard] (iir 0xf3010df)
     Kernel: unaligned access to 0x55f46884 in wg_allowedips_insert_v6+0x38/0x80 [wireguard] (iir 0xf2010dc)
    
    Avoid such unaligned memory accesses by instead using the
    get_unaligned_be64() helper macro.
    
    Signed-off-by: Helge Deller <deller@gmx.de>
    [Jason: replace src[8] in original patch with src+8]
    Cc: stable@vger.kernel.org
    Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    Link: https://patch.msgid.link/20240704154517.1572127-3-Jason@zx2c4.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

wireguard: queueing: annotate intentional data race in cpu round robin [+ + +]
Author: Jason A. Donenfeld <Jason@zx2c4.com>
Date:   Thu Jul 4 17:45:16 2024 +0200

    wireguard: queueing: annotate intentional data race in cpu round robin
    
    commit 2fe3d6d2053c57f2eae5e85ca1656d185ebbe4e8 upstream.
    
    KCSAN reports a race in the CPU round robin function, which, as the
    comment points out, is intentional:
    
        BUG: KCSAN: data-race in wg_packet_send_staged_packets / wg_packet_send_staged_packets
    
        read to 0xffff88811254eb28 of 4 bytes by task 3160 on cpu 1:
         wg_cpumask_next_online drivers/net/wireguard/queueing.h:127 [inline]
         wg_queue_enqueue_per_device_and_peer drivers/net/wireguard/queueing.h:173 [inline]
         wg_packet_create_data drivers/net/wireguard/send.c:320 [inline]
         wg_packet_send_staged_packets+0x60e/0xac0 drivers/net/wireguard/send.c:388
         wg_packet_send_keepalive+0xe2/0x100 drivers/net/wireguard/send.c:239
         wg_receive_handshake_packet drivers/net/wireguard/receive.c:186 [inline]
         wg_packet_handshake_receive_worker+0x449/0x5f0 drivers/net/wireguard/receive.c:213
         process_one_work kernel/workqueue.c:3248 [inline]
         process_scheduled_works+0x483/0x9a0 kernel/workqueue.c:3329
         worker_thread+0x526/0x720 kernel/workqueue.c:3409
         kthread+0x1d1/0x210 kernel/kthread.c:389
         ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:147
         ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
    
        write to 0xffff88811254eb28 of 4 bytes by task 3158 on cpu 0:
         wg_cpumask_next_online drivers/net/wireguard/queueing.h:130 [inline]
         wg_queue_enqueue_per_device_and_peer drivers/net/wireguard/queueing.h:173 [inline]
         wg_packet_create_data drivers/net/wireguard/send.c:320 [inline]
         wg_packet_send_staged_packets+0x6e5/0xac0 drivers/net/wireguard/send.c:388
         wg_packet_send_keepalive+0xe2/0x100 drivers/net/wireguard/send.c:239
         wg_receive_handshake_packet drivers/net/wireguard/receive.c:186 [inline]
         wg_packet_handshake_receive_worker+0x449/0x5f0 drivers/net/wireguard/receive.c:213
         process_one_work kernel/workqueue.c:3248 [inline]
         process_scheduled_works+0x483/0x9a0 kernel/workqueue.c:3329
         worker_thread+0x526/0x720 kernel/workqueue.c:3409
         kthread+0x1d1/0x210 kernel/kthread.c:389
         ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:147
         ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
    
        value changed: 0xffffffff -> 0x00000000
    
    Mark this race as intentional by using READ/WRITE_ONCE().
    
    Cc: stable@vger.kernel.org
    Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    Link: https://patch.msgid.link/20240704154517.1572127-4-Jason@zx2c4.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

wireguard: selftests: use acpi=off instead of -no-acpi for recent QEMU [+ + +]
Author: Jason A. Donenfeld <Jason@zx2c4.com>
Date:   Thu Jul 4 17:45:14 2024 +0200

    wireguard: selftests: use acpi=off instead of -no-acpi for recent QEMU
    
    commit 2cb489eb8dfc291060516df313ff31f4f9f3d794 upstream.
    
    QEMU 9.0 removed -no-acpi, in favor of machine properties, so update the
    Makefile to use the correct QEMU invocation.
    
    Cc: stable@vger.kernel.org
    Fixes: b83fdcd9fb8a ("wireguard: selftests: use microvm on x86")
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    Link: https://patch.msgid.link/20240704154517.1572127-2-Jason@zx2c4.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

wireguard: send: annotate intentional data race in checking empty queue [+ + +]
Author: Jason A. Donenfeld <Jason@zx2c4.com>
Date:   Thu Jul 4 17:45:17 2024 +0200

    wireguard: send: annotate intentional data race in checking empty queue
    
    commit 381a7d453fa2ac5f854a154d3c9b1bbb90c4f94f upstream.
    
    KCSAN reports a race in wg_packet_send_keepalive, which is intentional:
    
        BUG: KCSAN: data-race in wg_packet_send_keepalive / wg_packet_send_staged_packets
    
        write to 0xffff88814cd91280 of 8 bytes by task 3194 on cpu 0:
         __skb_queue_head_init include/linux/skbuff.h:2162 [inline]
         skb_queue_splice_init include/linux/skbuff.h:2248 [inline]
         wg_packet_send_staged_packets+0xe5/0xad0 drivers/net/wireguard/send.c:351
         wg_xmit+0x5b8/0x660 drivers/net/wireguard/device.c:218
         __netdev_start_xmit include/linux/netdevice.h:4940 [inline]
         netdev_start_xmit include/linux/netdevice.h:4954 [inline]
         xmit_one net/core/dev.c:3548 [inline]
         dev_hard_start_xmit+0x11b/0x3f0 net/core/dev.c:3564
         __dev_queue_xmit+0xeff/0x1d80 net/core/dev.c:4349
         dev_queue_xmit include/linux/netdevice.h:3134 [inline]
         neigh_connected_output+0x231/0x2a0 net/core/neighbour.c:1592
         neigh_output include/net/neighbour.h:542 [inline]
         ip6_finish_output2+0xa66/0xce0 net/ipv6/ip6_output.c:137
         ip6_finish_output+0x1a5/0x490 net/ipv6/ip6_output.c:222
         NF_HOOK_COND include/linux/netfilter.h:303 [inline]
         ip6_output+0xeb/0x220 net/ipv6/ip6_output.c:243
         dst_output include/net/dst.h:451 [inline]
         NF_HOOK include/linux/netfilter.h:314 [inline]
         ndisc_send_skb+0x4a2/0x670 net/ipv6/ndisc.c:509
         ndisc_send_rs+0x3ab/0x3e0 net/ipv6/ndisc.c:719
         addrconf_dad_completed+0x640/0x8e0 net/ipv6/addrconf.c:4295
         addrconf_dad_work+0x891/0xbc0
         process_one_work kernel/workqueue.c:2633 [inline]
         process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2706
         worker_thread+0x525/0x730 kernel/workqueue.c:2787
         kthread+0x1d7/0x210 kernel/kthread.c:388
         ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
         ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
    
        read to 0xffff88814cd91280 of 8 bytes by task 3202 on cpu 1:
         skb_queue_empty include/linux/skbuff.h:1798 [inline]
         wg_packet_send_keepalive+0x20/0x100 drivers/net/wireguard/send.c:225
         wg_receive_handshake_packet drivers/net/wireguard/receive.c:186 [inline]
         wg_packet_handshake_receive_worker+0x445/0x5e0 drivers/net/wireguard/receive.c:213
         process_one_work kernel/workqueue.c:2633 [inline]
         process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2706
         worker_thread+0x525/0x730 kernel/workqueue.c:2787
         kthread+0x1d7/0x210 kernel/kthread.c:388
         ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
         ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
    
        value changed: 0xffff888148fef200 -> 0xffff88814cd91280
    
    Mark this race as intentional by using the skb_queue_empty_lockless()
    function rather than skb_queue_empty(), which uses READ_ONCE()
    internally to annotate the race.
    
    Cc: stable@vger.kernel.org
    Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    Link: https://patch.msgid.link/20240704154517.1572127-5-Jason@zx2c4.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
x86/bhi: Avoid warning in #DB handler due to BHI mitigation [+ + +]
Author: Alexandre Chartre <alexandre.chartre@oracle.com>
Date:   Fri May 24 09:04:59 2024 +0200

    x86/bhi: Avoid warning in #DB handler due to BHI mitigation
    
    [ Upstream commit ac8b270b61d48fcc61f052097777e3b5e11591e0 ]
    
    When BHI mitigation is enabled, if SYSENTER is invoked with the TF flag set
    then entry_SYSENTER_compat() uses CLEAR_BRANCH_HISTORY and calls the
    clear_bhb_loop() before the TF flag is cleared. This causes the #DB handler
    (exc_debug_kernel()) to issue a warning because single-step is used outside the
    entry_SYSENTER_compat() function.
    
    To address this issue, entry_SYSENTER_compat() should use CLEAR_BRANCH_HISTORY
    after making sure the TF flag is cleared.
    
    The problem can be reproduced with the following sequence:
    
      $ cat sysenter_step.c
      int main()
      { asm("pushf; pop %ax; bts $8,%ax; push %ax; popf; sysenter"); }
    
      $ gcc -o sysenter_step sysenter_step.c
    
      $ ./sysenter_step
      Segmentation fault (core dumped)
    
    The program is expected to crash, and the #DB handler will issue a warning.
    
    Kernel log:
    
      WARNING: CPU: 27 PID: 7000 at arch/x86/kernel/traps.c:1009 exc_debug_kernel+0xd2/0x160
      ...
      RIP: 0010:exc_debug_kernel+0xd2/0x160
      ...
      Call Trace:
      <#DB>
       ? show_regs+0x68/0x80
       ? __warn+0x8c/0x140
       ? exc_debug_kernel+0xd2/0x160
       ? report_bug+0x175/0x1a0
       ? handle_bug+0x44/0x90
       ? exc_invalid_op+0x1c/0x70
       ? asm_exc_invalid_op+0x1f/0x30
       ? exc_debug_kernel+0xd2/0x160
       exc_debug+0x43/0x50
       asm_exc_debug+0x1e/0x40
      RIP: 0010:clear_bhb_loop+0x0/0xb0
      ...
      </#DB>
      <TASK>
       ? entry_SYSENTER_compat_after_hwframe+0x6e/0x8d
      </TASK>
    
      [ bp: Massage commit message. ]
    
    Fixes: 7390db8aea0d ("x86/bhi: Add support for clearing branch history at syscall entry")
    Reported-by: Suman Maity <suman.m.maity@oracle.com>
    Signed-off-by: Alexandre Chartre <alexandre.chartre@oracle.com>
    Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
    Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
    Reviewed-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
    Reviewed-by: Josh Poimboeuf <jpoimboe@kernel.org>
    Link: https://lore.kernel.org/r/20240524070459.3674025-1-alexandre.chartre@oracle.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
x86/entry/64: Remove obsolete comment on tracing vs. SYSRET [+ + +]
Author: Brian Gerst <brgerst@gmail.com>
Date:   Fri Jul 21 12:10:12 2023 -0400

    x86/entry/64: Remove obsolete comment on tracing vs. SYSRET
    
    [ Upstream commit eb43c9b1517b48e2ff0d3a584aca197338987d7b ]
    
    This comment comes from a time when the kernel attempted to use SYSRET
    on all returns to userspace, including interrupts and exceptions.  Ever
    since commit fffbb5dc ("Move opportunistic sysret code to syscall code
    path"), SYSRET is only used for returning from system calls. The
    specific tracing issue listed in this comment is not possible anymore.
    
    Signed-off-by: Brian Gerst <brgerst@gmail.com>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Cc: Andy Lutomirski <luto@kernel.org>
    Cc: Brian Gerst <brgerst@gmail.com>
    Cc: Denys Vlasenko <dvlasenk@redhat.com>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Josh Poimboeuf <jpoimboe@redhat.com>
    Link: https://lore.kernel.org/r/20230721161018.50214-2-brgerst@gmail.com
    Stable-dep-of: ac8b270b61d4 ("x86/bhi: Avoid warning in #DB handler due to BHI mitigation")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
x86/retpoline: Move a NOENDBR annotation to the SRSO dummy return thunk [+ + +]
Author: Jim Mattson <jmattson@google.com>
Date:   Tue Jul 9 16:12:38 2024 +0200

    x86/retpoline: Move a NOENDBR annotation to the SRSO dummy return thunk
    
    The linux-6.1-y backport of commit b377c66ae350 ("x86/retpoline: Add
    NOENDBR annotation to the SRSO dummy return thunk") misplaced the new
    NOENDBR annotation, repeating the annotation on __x86_return_thunk,
    rather than adding the annotation to the !CONFIG_CPU_SRSO version of
    srso_alias_untrain_ret, as intended.
    
    Move the annotation to the right place.
    
    Fixes: b377c66ae350 ("x86/retpoline: Add NOENDBR annotation to the SRSO dummy return thunk")
    Reported-by: Greg Thelen <gthelen@google.com>
    Signed-off-by: Jim Mattson <jmattson@google.com>
    Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
    Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
xhci: always resume roothubs if xHC was reset during resume [+ + +]
Author: Mathias Nyman <mathias.nyman@linux.intel.com>
Date:   Thu Jun 27 17:55:23 2024 +0300

    xhci: always resume roothubs if xHC was reset during resume
    
    commit 79989bd4ab86404743953fa382af0a22900050cf upstream.
    
    Usb device connect may not be detected after runtime resume if
    xHC is reset during resume.
    
    In runtime resume cases xhci_resume() will only resume roothubs if there
    are pending port events. If the xHC host is reset during runtime resume
    due to a Save/Restore Error (SRE) then these pending port events won't be
    detected as PORTSC change bits are not immediately set by host after reset.
    
    Unconditionally resume roothubs if xHC is reset during resume to ensure
    device connections are detected.
    
    Also return early with error code if starting xHC fails after reset.
    
    Issue was debugged and a similar solution suggested by Remi Pommarel.
    Using this instead as it simplifies future refactoring.
    
    Reported-by: Remi Pommarel <repk@triplefau.lt>
    Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218987
    Suggested-by: Remi Pommarel <repk@triplefau.lt>
    Tested-by: Remi Pommarel <repk@triplefau.lt>
    Cc: stable@vger.kernel.org
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Link: https://lore.kernel.org/r/20240627145523.1453155-2-mathias.nyman@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>