Changelog in Linux kernel 6.9.9

 
ALSA: hda/realtek: Enable headset mic of JP-IK LEAP W502 with ALC897 [+ + +]
Author: Jian-Hong Pan <jhp@endlessos.org>
Date:   Mon May 20 13:50:09 2024 +0800

    ALSA: hda/realtek: Enable headset mic of JP-IK LEAP W502 with ALC897
    
    [ Upstream commit 45e37f9ce28d248470bab4376df2687a215d1b22 ]
    
    JP-IK LEAP W502 laptop's headset mic is not enabled until
    ALC897_FIXUP_HEADSET_MIC_PIN3 quirk is applied.
    
    Here is the original pin node values:
    
    0x11 0x40000000
    0x12 0xb7a60130
    0x14 0x90170110
    0x15 0x411111f0
    0x16 0x411111f0
    0x17 0x411111f0
    0x18 0x411111f0
    0x19 0x411111f0
    0x1a 0x411111f0
    0x1b 0x03211020
    0x1c 0x411111f0
    0x1d 0x4026892d
    0x1e 0x411111f0
    0x1f 0x411111f0
    
    Signed-off-by: Jian-Hong Pan <jhp@endlessos.org>
    Link: https://lore.kernel.org/r/20240520055008.7083-2-jhp@endlessos.org
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ALSA: ump: Set default protocol when not given explicitly [+ + +]
Author: Takashi Iwai <tiwai@suse.de>
Date:   Wed May 29 18:47:17 2024 +0200

    ALSA: ump: Set default protocol when not given explicitly
    
    [ Upstream commit bc42ca002d5d211f9c57334b9b4c25ddb0b4ec35 ]
    
    When an inquiry of the current protocol via UMP Stream Configuration
    message fails by some reason, we may leave the current protocol
    undefined, which may lead to unexpected behavior.  Better to assume a
    valid protocol found in the protocol capability bits instead.
    
    For a device that doesn't support the UMP v1.2 feature, it won't reach
    to this code path, and USB MIDI GTB descriptor would be used for
    determining the protocol, instead.
    
    Link: https://lore.kernel.org/r/20240529164723.18309-2-tiwai@suse.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
arm64: dts: rockchip: Fix the DCDC_REG2 minimum voltage on Quartz64 Model B [+ + +]
Author: Dragan Simic <dsimic@manjaro.org>
Date:   Mon May 20 19:20:28 2024 +0200

    arm64: dts: rockchip: Fix the DCDC_REG2 minimum voltage on Quartz64 Model B
    
    commit d201c92bff90f3d3d0b079fc955378c15c0483cc upstream.
    
    Correct the specified regulator-min-microvolt value for the buck DCDC_REG2
    regulator, which is part of the Rockchip RK809 PMIC, in the Pine64 Quartz64
    Model B board dts.  According to the RK809 datasheet, version 1.01, this
    regulator is capable of producing voltages as low as 0.5 V on its output,
    instead of going down to 0.9 V only, which is additionally confirmed by the
    regulator-min-microvolt values found in the board dts files for the other
    supported boards that use the same RK809 PMIC.
    
    This allows the DVFS to clock the GPU on the Quartz64 Model B below 700 MHz,
    all the way down to 200 MHz, which saves some power and reduces the amount of
    generated heat a bit, improving the thermal headroom and possibly improving
    the bursty CPU and GPU performance on this board.
    
    This also eliminates the following warnings in the kernel log:
    
      core: _opp_supported_by_regulators: OPP minuV: 825000 maxuV: 825000, not supported by regulator
      panfrost fde60000.gpu: _opp_add: OPP not supported by regulators (200000000)
      core: _opp_supported_by_regulators: OPP minuV: 825000 maxuV: 825000, not supported by regulator
      panfrost fde60000.gpu: _opp_add: OPP not supported by regulators (300000000)
      core: _opp_supported_by_regulators: OPP minuV: 825000 maxuV: 825000, not supported by regulator
      panfrost fde60000.gpu: _opp_add: OPP not supported by regulators (400000000)
      core: _opp_supported_by_regulators: OPP minuV: 825000 maxuV: 825000, not supported by regulator
      panfrost fde60000.gpu: _opp_add: OPP not supported by regulators (600000000)
    
    Fixes: dcc8c66bef79 ("arm64: dts: rockchip: add Pine64 Quartz64-B device tree")
    Cc: stable@vger.kernel.org
    Reported-By: Diederik de Haas <didi.debian@cknow.org>
    Signed-off-by: Dragan Simic <dsimic@manjaro.org>
    Tested-by: Diederik de Haas <didi.debian@cknow.org>
    Link: https://lore.kernel.org/r/e70742ea2df432bf57b3f7de542d81ca22b0da2f.1716225483.git.dsimic@manjaro.org
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
block: check for max_hw_sectors underflow [+ + +]
Author: Hannes Reinecke <hare@kernel.org>
Date:   Fri May 24 12:46:51 2024 +0200

    block: check for max_hw_sectors underflow
    
    [ Upstream commit e993db2d6e5207f1ae061c2ac554ab1f714c741d ]
    
    The logical block size need to be smaller than the max_hw_sector
    setting, otherwise we can't even transfer a single LBA.
    
    Signed-off-by: Hannes Reinecke <hare@kernel.org>
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Reviewed-by: John Garry <john.g.garry@oracle.com>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
bluetooth/hci: disallow setting handle bigger than HCI_CONN_HANDLE_MAX [+ + +]
Author: Pavel Skripkin <paskripkin@gmail.com>
Date:   Thu Jun 20 22:27:47 2024 +0300

    bluetooth/hci: disallow setting handle bigger than HCI_CONN_HANDLE_MAX
    
    [ Upstream commit 1cc18c2ab2e8c54c355ea7c0423a636e415a0c23 ]
    
    Syzbot hit warning in hci_conn_del() caused by freeing handle that was
    not allocated using ida allocator.
    
    This is caused by handle bigger than HCI_CONN_HANDLE_MAX passed by
    hci_le_big_sync_established_evt(), which makes code think it's unset
    connection.
    
    Add same check for handle upper bound as in hci_conn_set_handle() to
    prevent warning.
    
    Link: https://syzkaller.appspot.com/bug?extid=b2545b087a01a7319474
    Reported-by: syzbot+b2545b087a01a7319474@syzkaller.appspotmail.com
    Fixes: 181a42edddf5 ("Bluetooth: Make handle of hci_conn be unique")
    Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
Bluetooth: Add quirk to ignore reserved PHY bits in LE Extended Adv Report [+ + +]
Author: Sven Peter <sven@svenpeter.dev>
Date:   Wed May 15 18:02:58 2024 +0000

    Bluetooth: Add quirk to ignore reserved PHY bits in LE Extended Adv Report
    
    commit ed2a2ef16a6b9197a0e452308bf6acee6e01f709 upstream.
    
    Some Broadcom controllers found on Apple Silicon machines abuse the
    reserved bits inside the PHY fields of LE Extended Advertising Report
    events for additional flags. Add a quirk to drop these and correctly
    extract the Primary/Secondary_PHY field.
    
    The following excerpt from a btmon trace shows a report received with
    "Reserved" for "Primary PHY" on a 4388 controller:
    
    > HCI Event: LE Meta Event (0x3e) plen 26
          LE Extended Advertising Report (0x0d)
            Num reports: 1
            Entry 0
              Event type: 0x2515
                Props: 0x0015
                  Connectable
                  Directed
                  Use legacy advertising PDUs
                Data status: Complete
                Reserved (0x2500)
             Legacy PDU Type: Reserved (0x2515)
              Address type: Random (0x01)
              Address: 00:00:00:00:00:00 (Static)
              Primary PHY: Reserved
              Secondary PHY: No packets
              SID: no ADI field (0xff)
              TX power: 127 dBm
              RSSI: -60 dBm (0xc4)
              Periodic advertising interval: 0.00 msec (0x0000)
              Direct address type: Public (0x00)
              Direct address: 00:00:00:00:00:00 (Apple, Inc.)
              Data length: 0x00
    
    Cc: stable@vger.kernel.org
    Fixes: 2e7ed5f5e69b ("Bluetooth: hci_sync: Use advertised PHYs on hci_le_ext_create_conn_sync")
    Reported-by: Janne Grunau <j@jannau.net>
    Closes: https://lore.kernel.org/all/Zjz0atzRhFykROM9@robin
    Tested-by: Janne Grunau <j@jannau.net>
    Signed-off-by: Sven Peter <sven@svenpeter.dev>
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bluetooth: hci_bcm4377: Fix msgid release [+ + +]
Author: Hector Martin <marcan@marcan.st>
Date:   Wed May 15 18:15:04 2024 +0000

    Bluetooth: hci_bcm4377: Fix msgid release
    
    commit 897e6120566f1c108b85fefe78d1c1bddfbd5988 upstream.
    
    We are releasing a single msgid, so the order argument to
    bitmap_release_region must be zero.
    
    Fixes: 8a06127602de ("Bluetooth: hci_bcm4377: Add new driver for BCM4377 PCIe boards")
    Cc: stable@vger.kernel.org
    Signed-off-by: Hector Martin <marcan@marcan.st>
    Reviewed-by: Sven Peter <sven@svenpeter.dev>
    Reviewed-by: Neal Gompa <neal@gompa.dev>
    Signed-off-by: Sven Peter <sven@svenpeter.dev>
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bluetooth: hci_event: Fix setting of unicast qos interval [+ + +]
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date:   Thu Jun 6 12:04:30 2024 -0400

    Bluetooth: hci_event: Fix setting of unicast qos interval
    
    [ Upstream commit ac65ecccae802417ce42e857defacad60e4b8329 ]
    
    qos->ucast interval reffers to the SDU interval, and should not
    be set to the interval value reported by the LE CIS Established
    event since the latter reffers to the ISO interval. These two
    interval are not the same thing:
    
    BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 6, Part G
    
    Isochronous interval:
    The time between two consecutive BIS or CIS events (designated
    ISO_Interval in the Link Layer)
    
    SDU interval:
    The nominal time between two consecutive SDUs that are sent or
    received by the upper layer.
    
    So this instead uses the following formula from the spec to calculate
    the resulting SDU interface:
    
    BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 6, Part G
    page 3075:
    
    Transport_Latency_C_To_P = CIG_Sync_Delay + (FT_C_To_P) ×
    ISO_Interval + SDU_Interval_C_To_P
    Transport_Latency_P_To_C = CIG_Sync_Delay + (FT_P_To_C) ×
    ISO_Interval + SDU_Interval_P_To_C
    
    Link: https://github.com/bluez/bluez/issues/823
    Fixes: 2be22f1941d5 ("Bluetooth: hci_event: Fix parsing of CIS Established Event")
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

Bluetooth: Ignore too large handle values in BIG [+ + +]
Author: Edward Adam Davis <eadavis@qq.com>
Date:   Mon Jun 17 19:09:37 2024 +0800

    Bluetooth: Ignore too large handle values in BIG
    
    [ Upstream commit 015d79c96d62cd8a4a359fcf5be40d58088c936b ]
    
    hci_le_big_sync_established_evt is necessary to filter out cases where the
    handle value is belonging to ida id range, otherwise ida will be erroneously
    released in hci_conn_cleanup.
    
    Fixes: 181a42edddf5 ("Bluetooth: Make handle of hci_conn be unique")
    Reported-by: syzbot+b2545b087a01a7319474@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=b2545b087a01a7319474
    Signed-off-by: Edward Adam Davis <eadavis@qq.com>
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

Bluetooth: ISO: Check socket flag instead of hcon [+ + +]
Author: Iulia Tanasescu <iulia.tanasescu@nxp.com>
Date:   Tue Jun 18 13:33:24 2024 +0300

    Bluetooth: ISO: Check socket flag instead of hcon
    
    [ Upstream commit 596b6f081336e77764ca35cfeab66d0fcdbe544e ]
    
    This fixes the following Smatch static checker warning:
    
    net/bluetooth/iso.c:1364 iso_sock_recvmsg()
    error: we previously assumed 'pi->conn->hcon' could be null (line 1359)
    
    net/bluetooth/iso.c
    1347 static int iso_sock_recvmsg(struct socket *sock, struct msghdr *msg,
    1348                             size_t len, int flags)
    1349 {
    1350         struct sock *sk = sock->sk;
    1351         struct iso_pinfo *pi = iso_pi(sk);
    1352
    1353         BT_DBG("sk %p", sk);
    1354
    1355         if (test_and_clear_bit(BT_SK_DEFER_SETUP,
                                          &bt_sk(sk)->flags)) {
    1356                 lock_sock(sk);
    1357                 switch (sk->sk_state) {
    1358                 case BT_CONNECT2:
    1359                         if (pi->conn->hcon &&
                                         ^^^^^^^^^^^^^^ If ->hcon is NULL
    
    1360                             test_bit(HCI_CONN_PA_SYNC,
                                             &pi->conn->hcon->flags)) {
    1361                                 iso_conn_big_sync(sk);
    1362                                 sk->sk_state = BT_LISTEN;
    1363                         } else {
    --> 1364                         iso_conn_defer_accept(pi->conn->hcon);
                                                           ^^^^^^^^^^^^^^
                                                           then we're toast
    
    1365                                 sk->sk_state = BT_CONFIG;
    1366                         }
    1367                         release_sock(sk);
    1368                         return 0;
    1369                 case BT_CONNECTED:
    1370                         if (test_bit(BT_SK_PA_SYNC,
    
    Fixes: fbdc4bc47268 ("Bluetooth: ISO: Use defer setup to separate PA sync and BIG sync")
    Signed-off-by: Iulia Tanasescu <iulia.tanasescu@nxp.com>
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

Bluetooth: qca: Fix BT enable failure again for QCA6390 after warm reboot [+ + +]
Author: Zijun Hu <quic_zijuhu@quicinc.com>
Date:   Thu May 16 21:31:34 2024 +0800

    Bluetooth: qca: Fix BT enable failure again for QCA6390 after warm reboot
    
    commit 88e72239ead9814b886db54fc4ee39ef3c2b8f26 upstream.
    
    Commit 272970be3dab ("Bluetooth: hci_qca: Fix driver shutdown on closed
    serdev") will cause below regression issue:
    
    BT can't be enabled after below steps:
    cold boot -> enable BT -> disable BT -> warm reboot -> BT enable failure
    if property enable-gpios is not configured within DT|ACPI for QCA6390.
    
    The commit is to fix a use-after-free issue within qca_serdev_shutdown()
    by adding condition to avoid the serdev is flushed or wrote after closed
    but also introduces this regression issue regarding above steps since the
    VSC is not sent to reset controller during warm reboot.
    
    Fixed by sending the VSC to reset controller within qca_serdev_shutdown()
    once BT was ever enabled, and the use-after-free issue is also fixed by
    this change since the serdev is still opened before it is flushed or wrote.
    
    Verified by the reported machine Dell XPS 13 9310 laptop over below two
    kernel commits:
    commit e00fc2700a3f ("Bluetooth: btusb: Fix triggering coredump
    implementation for QCA") of bluetooth-next tree.
    commit b23d98d46d28 ("Bluetooth: btusb: Fix triggering coredump
    implementation for QCA") of linus mainline tree.
    
    Fixes: 272970be3dab ("Bluetooth: hci_qca: Fix driver shutdown on closed serdev")
    Cc: stable@vger.kernel.org
    Reported-by: Wren Turkal <wt@penguintechs.org>
    Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218726
    Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
    Tested-by: Wren Turkal <wt@penguintechs.org>
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
bnx2x: Fix multiple UBSAN array-index-out-of-bounds [+ + +]
Author: Ghadi Elie Rahme <ghadi.rahme@canonical.com>
Date:   Thu Jun 27 14:14:05 2024 +0300

    bnx2x: Fix multiple UBSAN array-index-out-of-bounds
    
    commit 134061163ee5ca4759de5c24ca3bd71608891ba7 upstream.
    
    Fix UBSAN warnings that occur when using a system with 32 physical
    cpu cores or more, or when the user defines a number of Ethernet
    queues greater than or equal to FP_SB_MAX_E1x using the num_queues
    module parameter.
    
    Currently there is a read/write out of bounds that occurs on the array
    "struct stats_query_entry query" present inside the "bnx2x_fw_stats_req"
    struct in "drivers/net/ethernet/broadcom/bnx2x/bnx2x.h".
    Looking at the definition of the "struct stats_query_entry query" array:
    
    struct stats_query_entry query[FP_SB_MAX_E1x+
             BNX2X_FIRST_QUEUE_QUERY_IDX];
    
    FP_SB_MAX_E1x is defined as the maximum number of fast path interrupts and
    has a value of 16, while BNX2X_FIRST_QUEUE_QUERY_IDX has a value of 3
    meaning the array has a total size of 19.
    Since accesses to "struct stats_query_entry query" are offset-ted by
    BNX2X_FIRST_QUEUE_QUERY_IDX, that means that the total number of Ethernet
    queues should not exceed FP_SB_MAX_E1x (16). However one of these queues
    is reserved for FCOE and thus the number of Ethernet queues should be set
    to [FP_SB_MAX_E1x -1] (15) if FCOE is enabled or [FP_SB_MAX_E1x] (16) if
    it is not.
    
    This is also described in a comment in the source code in
    drivers/net/ethernet/broadcom/bnx2x/bnx2x.h just above the Macro definition
    of FP_SB_MAX_E1x. Below is the part of this explanation that it important
    for this patch
    
    /*
      * The total number of L2 queues, MSIX vectors and HW contexts (CIDs) is
      * control by the number of fast-path status blocks supported by the
      * device (HW/FW). Each fast-path status block (FP-SB) aka non-default
      * status block represents an independent interrupts context that can
      * serve a regular L2 networking queue. However special L2 queues such
      * as the FCoE queue do not require a FP-SB and other components like
      * the CNIC may consume FP-SB reducing the number of possible L2 queues
      *
      * If the maximum number of FP-SB available is X then:
      * a. If CNIC is supported it consumes 1 FP-SB thus the max number of
      *    regular L2 queues is Y=X-1
      * b. In MF mode the actual number of L2 queues is Y= (X-1/MF_factor)
      * c. If the FCoE L2 queue is supported the actual number of L2 queues
      *    is Y+1
      * d. The number of irqs (MSIX vectors) is either Y+1 (one extra for
      *    slow-path interrupts) or Y+2 if CNIC is supported (one additional
      *    FP interrupt context for the CNIC).
      * e. The number of HW context (CID count) is always X or X+1 if FCoE
      *    L2 queue is supported. The cid for the FCoE L2 queue is always X.
      */
    
    However this driver also supports NICs that use the E2 controller which can
    handle more queues due to having more FP-SB represented by FP_SB_MAX_E2.
    Looking at the commits when the E2 support was added, it was originally
    using the E1x parameters: commit f2e0899f0f27 ("bnx2x: Add 57712 support").
    Back then FP_SB_MAX_E2 was set to 16 the same as E1x. However the driver
    was later updated to take full advantage of the E2 instead of having it be
    limited to the capabilities of the E1x. But as far as we can tell, the
    array "stats_query_entry query" was still limited to using the FP-SB
    available to the E1x cards as part of an oversignt when the driver was
    updated to take full advantage of the E2, and now with the driver being
    aware of the greater queue size supported by E2 NICs, it causes the UBSAN
    warnings seen in the stack traces below.
    
    This patch increases the size of the "stats_query_entry query" array by
    replacing FP_SB_MAX_E1x with FP_SB_MAX_E2 to be large enough to handle
    both types of NICs.
    
    Stack traces:
    
    UBSAN: array-index-out-of-bounds in
           drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1529:11
    index 20 is out of range for type 'stats_query_entry [19]'
    CPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic
                 #202405052133
    Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9,
                   BIOS P89 10/21/2019
    Call Trace:
     <TASK>
     dump_stack_lvl+0x76/0xa0
     dump_stack+0x10/0x20
     __ubsan_handle_out_of_bounds+0xcb/0x110
     bnx2x_prep_fw_stats_req+0x2e1/0x310 [bnx2x]
     bnx2x_stats_init+0x156/0x320 [bnx2x]
     bnx2x_post_irq_nic_init+0x81/0x1a0 [bnx2x]
     bnx2x_nic_load+0x8e8/0x19e0 [bnx2x]
     bnx2x_open+0x16b/0x290 [bnx2x]
     __dev_open+0x10e/0x1d0
    RIP: 0033:0x736223927a0a
    Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca
          64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00
          f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
    RSP: 002b:00007ffc0bb2ada8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
    RAX: ffffffffffffffda RBX: 0000583df50f9c78 RCX: 0000736223927a0a
    RDX: 0000000000000020 RSI: 0000583df50ee510 RDI: 0000000000000003
    RBP: 0000583df50d4940 R08: 00007ffc0bb2adb0 R09: 0000000000000080
    R10: 0000000000000000 R11: 0000000000000246 R12: 0000583df5103ae0
    R13: 000000000000035a R14: 0000583df50f9c30 R15: 0000583ddddddf00
    </TASK>
    ---[ end trace ]---
    ------------[ cut here ]------------
    UBSAN: array-index-out-of-bounds in
           drivers/net/ethernet/broadcom/bnx2x/bnx2x_stats.c:1546:11
    index 28 is out of range for type 'stats_query_entry [19]'
    CPU: 12 PID: 858 Comm: systemd-network Not tainted 6.9.0-060900rc7-generic
                 #202405052133
    Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9,
                   BIOS P89 10/21/2019
    Call Trace:
    <TASK>
    dump_stack_lvl+0x76/0xa0
    dump_stack+0x10/0x20
    __ubsan_handle_out_of_bounds+0xcb/0x110
    bnx2x_prep_fw_stats_req+0x2fd/0x310 [bnx2x]
    bnx2x_stats_init+0x156/0x320 [bnx2x]
    bnx2x_post_irq_nic_init+0x81/0x1a0 [bnx2x]
    bnx2x_nic_load+0x8e8/0x19e0 [bnx2x]
    bnx2x_open+0x16b/0x290 [bnx2x]
    __dev_open+0x10e/0x1d0
    RIP: 0033:0x736223927a0a
    Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca
          64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00
          f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
    RSP: 002b:00007ffc0bb2ada8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
    RAX: ffffffffffffffda RBX: 0000583df50f9c78 RCX: 0000736223927a0a
    RDX: 0000000000000020 RSI: 0000583df50ee510 RDI: 0000000000000003
    RBP: 0000583df50d4940 R08: 00007ffc0bb2adb0 R09: 0000000000000080
    R10: 0000000000000000 R11: 0000000000000246 R12: 0000583df5103ae0
    R13: 000000000000035a R14: 0000583df50f9c30 R15: 0000583ddddddf00
     </TASK>
    ---[ end trace ]---
    ------------[ cut here ]------------
    UBSAN: array-index-out-of-bounds in
           drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:1895:8
    index 29 is out of range for type 'stats_query_entry [19]'
    CPU: 13 PID: 163 Comm: kworker/u96:1 Not tainted 6.9.0-060900rc7-generic
                 #202405052133
    Hardware name: HP ProLiant DL360 Gen9/ProLiant DL360 Gen9,
                   BIOS P89 10/21/2019
    Workqueue: bnx2x bnx2x_sp_task [bnx2x]
    Call Trace:
     <TASK>
     dump_stack_lvl+0x76/0xa0
     dump_stack+0x10/0x20
     __ubsan_handle_out_of_bounds+0xcb/0x110
     bnx2x_iov_adjust_stats_req+0x3c4/0x3d0 [bnx2x]
     bnx2x_storm_stats_post.part.0+0x4a/0x330 [bnx2x]
     ? bnx2x_hw_stats_post+0x231/0x250 [bnx2x]
     bnx2x_stats_start+0x44/0x70 [bnx2x]
     bnx2x_stats_handle+0x149/0x350 [bnx2x]
     bnx2x_attn_int_asserted+0x998/0x9b0 [bnx2x]
     bnx2x_sp_task+0x491/0x5c0 [bnx2x]
     process_one_work+0x18d/0x3f0
     </TASK>
    ---[ end trace ]---
    
    Fixes: 50f0a562f8cc ("bnx2x: add fcoe statistics")
    Signed-off-by: Ghadi Elie Rahme <ghadi.rahme@canonical.com>
    Cc: stable@vger.kernel.org
    Link: https://patch.msgid.link/20240627111405.1037812-1-ghadi.rahme@canonical.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
bnxt_en: Fix the resource check condition for RSS contexts [+ + +]
Author: Pavan Chebbi <pavan.chebbi@broadcom.com>
Date:   Wed Jul 3 11:01:12 2024 -0700

    bnxt_en: Fix the resource check condition for RSS contexts
    
    [ Upstream commit 5d350dc3429b3eb6f2b1b8ccb78ed4ec6c4d4a4f ]
    
    While creating a new RSS context, bnxt_rfs_capable() currently
    makes a strict check to see if the required VNICs are already
    available.  If the current VNICs are not what is required,
    either too many or not enough, it will call the firmware to
    reserve the exact number required.
    
    There is a bug in the firmware when the driver tries to
    relinquish some reserved VNICs and RSS contexts.  It will
    cause the default VNIC to lose its RSS configuration and
    cause receive packets to be placed incorrectly.
    
    Workaround this problem by skipping the resource reduction.
    The driver will not reduce the VNIC and RSS context reservations
    when a context is deleted.  The resources will be available for
    use when new contexts are created later.
    
    Potentially, this workaround can cause us to run out of VNIC
    and RSS contexts if there are a lot of VF functions creating
    and deleting RSS contexts.  In the future, we will conditionally
    disable this workaround when the firmware fix is available.
    
    Fixes: 438ba39b25fe ("bnxt_en: Improve RSS context reservation infrastructure")
    Reported-by: Jakub Kicinski <kuba@kernel.org>
    Link: https://lore.kernel.org/netdev/20240625010210.2002310-1-kuba@kernel.org/
    Reviewed-by: Andy Gospodarek <andrew.gospodarek@broadcom.com>
    Signed-off-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
    Signed-off-by: Michael Chan <michael.chan@broadcom.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Link: https://patch.msgid.link/20240703180112.78590-1-michael.chan@broadcom.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set() [+ + +]
Author: Sam Sun <samsun1006219@gmail.com>
Date:   Tue Jul 2 14:55:55 2024 +0100

    bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()
    
    [ Upstream commit e271ff53807e8f2c628758290f0e499dbe51cb3d ]
    
    In function bond_option_arp_ip_targets_set(), if newval->string is an
    empty string, newval->string+1 will point to the byte after the
    string, causing an out-of-bound read.
    
    BUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418
    Read of size 1 at addr ffff8881119c4781 by task syz-executor665/8107
    CPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
    Call Trace:
     <TASK>
     __dump_stack lib/dump_stack.c:88 [inline]
     dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
     print_address_description mm/kasan/report.c:364 [inline]
     print_report+0xc1/0x5e0 mm/kasan/report.c:475
     kasan_report+0xbe/0xf0 mm/kasan/report.c:588
     strlen+0x7d/0xa0 lib/string.c:418
     __fortify_strlen include/linux/fortify-string.h:210 [inline]
     in4_pton+0xa3/0x3f0 net/core/utils.c:130
     bond_option_arp_ip_targets_set+0xc2/0x910
    drivers/net/bonding/bond_options.c:1201
     __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767
     __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792
     bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817
     bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156
     dev_attr_store+0x54/0x80 drivers/base/core.c:2366
     sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136
     kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334
     call_write_iter include/linux/fs.h:2020 [inline]
     new_sync_write fs/read_write.c:491 [inline]
     vfs_write+0x96a/0xd80 fs/read_write.c:584
     ksys_write+0x122/0x250 fs/read_write.c:637
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x63/0x6b
    ---[ end trace ]---
    
    Fix it by adding a check of string length before using it.
    
    Fixes: f9de11a16594 ("bonding: add ip checks when store ip target")
    Signed-off-by: Yue Sun <samsun1006219@gmail.com>
    Signed-off-by: Simon Horman <horms@kernel.org>
    Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
    Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
    Link: https://patch.msgid.link/20240702-bond-oob-v6-1-2dfdba195c19@kernel.org
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD [+ + +]
Author: Jose E. Marchesi <jose.marchesi@oracle.com>
Date:   Wed May 8 12:13:13 2024 +0200

    bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD
    
    [ Upstream commit 009367099eb61a4fc2af44d4eb06b6b4de7de6db ]
    
    [Changes from V1:
     - Use a default branch in the switch statement to initialize `val'.]
    
    GCC warns that `val' may be used uninitialized in the
    BPF_CRE_READ_BITFIELD macro, defined in bpf_core_read.h as:
    
            [...]
            unsigned long long val;                                               \
            [...]                                                                 \
            switch (__CORE_RELO(s, field, BYTE_SIZE)) {                           \
            case 1: val = *(const unsigned char *)p; break;                       \
            case 2: val = *(const unsigned short *)p; break;                      \
            case 4: val = *(const unsigned int *)p; break;                        \
            case 8: val = *(const unsigned long long *)p; break;                  \
            }                                                                     \
            [...]
            val;                                                                  \
            }                                                                     \
    
    This patch adds a default entry in the switch statement that sets
    `val' to zero in order to avoid the warning, and random values to be
    used in case __builtin_preserve_field_info returns unexpected values
    for BPF_FIELD_BYTE_SIZE.
    
    Tested in bpf-next master.
    No regressions.
    
    Signed-off-by: Jose E. Marchesi <jose.marchesi@oracle.com>
    Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
    Link: https://lore.kernel.org/bpf/20240508101313.16662-1-jose.marchesi@oracle.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

bpf: check bpf_dummy_struct_ops program params for test runs [+ + +]
Author: Eduard Zingerman <eddyz87@gmail.com>
Date:   Tue Apr 23 18:28:20 2024 -0700

    bpf: check bpf_dummy_struct_ops program params for test runs
    
    [ Upstream commit 980ca8ceeae69ddf362870ea9183f389ae26324a ]
    
    When doing BPF_PROG_TEST_RUN for bpf_dummy_struct_ops programs,
    reject execution when NULL is passed for non-nullable params.
    For programs with non-nullable params verifier assumes that
    such params are never NULL and thus might optimize out NULL checks.
    
    Suggested-by: Kui-Feng Lee <sinquersw@gmail.com>
    Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
    Link: https://lore.kernel.org/r/20240424012821.595216-5-eddyz87@gmail.com
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

bpf: mark bpf_dummy_struct_ops.test_1 parameter as nullable [+ + +]
Author: Eduard Zingerman <eddyz87@gmail.com>
Date:   Tue Apr 23 18:28:17 2024 -0700

    bpf: mark bpf_dummy_struct_ops.test_1 parameter as nullable
    
    [ Upstream commit 1479eaff1f16983d8fda7c5a08a586c21891087d ]
    
    Test case dummy_st_ops/dummy_init_ret_value passes NULL as the first
    parameter of the test_1() function. Mark this parameter as nullable to
    make verifier aware of such possibility.
    Otherwise, NULL check in the test_1() code:
    
          SEC("struct_ops/test_1")
          int BPF_PROG(test_1, struct bpf_dummy_ops_state *state)
          {
                if (!state)
                        return ...;
    
                ... access state ...
          }
    
    Might be removed by verifier, thus triggering NULL pointer dereference
    under certain conditions.
    
    Reported-by: Jose E. Marchesi <jemarch@gnu.org>
    Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
    Link: https://lore.kernel.org/r/20240424012821.595216-2-eddyz87@gmail.com
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
btrfs: always do the basic checks for btrfs_qgroup_inherit structure [+ + +]
Author: Qu Wenruo <wqu@suse.com>
Date:   Mon Jun 24 15:10:53 2024 +0930

    btrfs: always do the basic checks for btrfs_qgroup_inherit structure
    
    [ Upstream commit 724d8042cef84496ddb4492dc120291f997ae26b ]
    
    [BUG]
    Syzbot reports the following regression detected by KASAN:
    
      BUG: KASAN: slab-out-of-bounds in btrfs_qgroup_inherit+0x42e/0x2e20 fs/btrfs/qgroup.c:3277
      Read of size 8 at addr ffff88814628ca50 by task syz-executor318/5171
    
      CPU: 0 PID: 5171 Comm: syz-executor318 Not tainted 6.10.0-rc2-syzkaller-00010-g2ab795141095 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
      Call Trace:
       <TASK>
       __dump_stack lib/dump_stack.c:88 [inline]
       dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
       print_address_description mm/kasan/report.c:377 [inline]
       print_report+0x169/0x550 mm/kasan/report.c:488
       kasan_report+0x143/0x180 mm/kasan/report.c:601
       btrfs_qgroup_inherit+0x42e/0x2e20 fs/btrfs/qgroup.c:3277
       create_pending_snapshot+0x1359/0x29b0 fs/btrfs/transaction.c:1854
       create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1922
       btrfs_commit_transaction+0xf20/0x3740 fs/btrfs/transaction.c:2382
       create_snapshot+0x6a1/0x9e0 fs/btrfs/ioctl.c:875
       btrfs_mksubvol+0x58f/0x710 fs/btrfs/ioctl.c:1029
       btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1075
       __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1340
       btrfs_ioctl_snap_create_v2+0x1f2/0x3a0 fs/btrfs/ioctl.c:1422
       btrfs_ioctl+0x99e/0xc60
       vfs_ioctl fs/ioctl.c:51 [inline]
       __do_sys_ioctl fs/ioctl.c:907 [inline]
       __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f
      RIP: 0033:0x7fcbf1992509
      RSP: 002b:00007fcbf1928218 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
      RAX: ffffffffffffffda RBX: 00007fcbf1a1f618 RCX: 00007fcbf1992509
      RDX: 0000000020000280 RSI: 0000000050009417 RDI: 0000000000000003
      RBP: 00007fcbf1a1f610 R08: 00007ffea1298e97 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007fcbf19eb660
      R13: 00000000200002b8 R14: 00007fcbf19e60c0 R15: 0030656c69662f2e
       </TASK>
    
    And it also pinned it down to commit b5357cb268c4 ("btrfs: qgroup: do not
    check qgroup inherit if qgroup is disabled").
    
    [CAUSE]
    That offending commit skips the whole qgroup inherit check if qgroup is
    not enabled.
    
    But that also skips the very basic checks like
    num_ref_copies/num_excl_copies and the structure size checks.
    
    Meaning if a qgroup enable/disable race is happening at the background,
    and we pass a btrfs_qgroup_inherit structure when the qgroup is
    disabled, the check would be completely skipped.
    
    Then at the time of transaction commitment, qgroup is re-enabled and
    btrfs_qgroup_inherit() is going to use the incorrect structure and
    causing the above KASAN error.
    
    [FIX]
    Make btrfs_qgroup_check_inherit() only skip the source qgroup checks.
    So that even if invalid btrfs_qgroup_inherit structure is passed in, we
    can still reject invalid ones no matter if qgroup is enabled or not.
    
    Furthermore we do already have an extra safety inside
    btrfs_qgroup_inherit(), which would just ignore invalid qgroup sources,
    so even if we only skip the qgroup source check we're still safe.
    
    Reported-by: syzbot+a0d1f7e26910be4dc171@syzkaller.appspotmail.com
    Fixes: b5357cb268c4 ("btrfs: qgroup: do not check qgroup inherit if qgroup is disabled")
    Reviewed-by: Boris Burkov <boris@bur.io>
    Reviewed-by: Jeongjun Park <aha310510@gmail.com>
    Signed-off-by: Qu Wenruo <wqu@suse.com>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

btrfs: fix adding block group to a reclaim list and the unused list during reclaim [+ + +]
Author: Naohiro Aota <naohiro.aota@wdc.com>
Date:   Fri Jun 28 13:32:24 2024 +0900

    btrfs: fix adding block group to a reclaim list and the unused list during reclaim
    
    commit 48f091fd50b2eb33ae5eaea9ed3c4f81603acf38 upstream.
    
    There is a potential parallel list adding for retrying in
    btrfs_reclaim_bgs_work and adding to the unused list. Since the block
    group is removed from the reclaim list and it is on a relocation work,
    it can be added into the unused list in parallel. When that happens,
    adding it to the reclaim list will corrupt the list head and trigger
    list corruption like below.
    
    Fix it by taking fs_info->unused_bgs_lock.
    
      [177.504][T2585409] BTRFS error (device nullb1): error relocating ch= unk 2415919104
      [177.514][T2585409] list_del corruption. next->prev should be ff1100= 0344b119c0, but was ff11000377e87c70. (next=3Dff110002390cd9c0)
      [177.529][T2585409] ------------[ cut here ]------------
      [177.537][T2585409] kernel BUG at lib/list_debug.c:65!
      [177.545][T2585409] Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
      [177.555][T2585409] CPU: 9 PID: 2585409 Comm: kworker/u128:2 Tainted: G        W          6.10.0-rc5-kts #1
      [177.568][T2585409] Hardware name: Supermicro SYS-520P-WTR/X12SPW-TF, BIOS 1.2 02/14/2022
      [177.579][T2585409] Workqueue: events_unbound btrfs_reclaim_bgs_work[btrfs]
      [177.589][T2585409] RIP: 0010:__list_del_entry_valid_or_report.cold+0x70/0x72
      [177.624][T2585409] RSP: 0018:ff11000377e87a70 EFLAGS: 00010286
      [177.633][T2585409] RAX: 000000000000006d RBX: ff11000344b119c0 RCX:0000000000000000
      [177.644][T2585409] RDX: 000000000000006d RSI: 0000000000000008 RDI:ffe21c006efd0f40
      [177.655][T2585409] RBP: ff110002e0509f78 R08: 0000000000000001 R09:ffe21c006efd0f08
      [177.665][T2585409] R10: ff11000377e87847 R11: 0000000000000000 R12:ff110002390cd9c0
      [177.676][T2585409] R13: ff11000344b119c0 R14: ff110002e0508000 R15:dffffc0000000000
      [177.687][T2585409] FS:  0000000000000000(0000) GS:ff11000fec880000(0000) knlGS:0000000000000000
      [177.700][T2585409] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [177.709][T2585409] CR2: 00007f06bc7b1978 CR3: 0000001021e86005 CR4:0000000000771ef0
      [177.720][T2585409] DR0: 0000000000000000 DR1: 0000000000000000 DR2:0000000000000000
      [177.731][T2585409] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:0000000000000400
      [177.742][T2585409] PKRU: 55555554
      [177.748][T2585409] Call Trace:
      [177.753][T2585409]  <TASK>
      [177.759][T2585409]  ? __die_body.cold+0x19/0x27
      [177.766][T2585409]  ? die+0x2e/0x50
      [177.772][T2585409]  ? do_trap+0x1ea/0x2d0
      [177.779][T2585409]  ? __list_del_entry_valid_or_report.cold+0x70/0x72
      [177.788][T2585409]  ? do_error_trap+0xa3/0x160
      [177.795][T2585409]  ? __list_del_entry_valid_or_report.cold+0x70/0x72
      [177.805][T2585409]  ? handle_invalid_op+0x2c/0x40
      [177.812][T2585409]  ? __list_del_entry_valid_or_report.cold+0x70/0x72
      [177.820][T2585409]  ? exc_invalid_op+0x2d/0x40
      [177.827][T2585409]  ? asm_exc_invalid_op+0x1a/0x20
      [177.834][T2585409]  ? __list_del_entry_valid_or_report.cold+0x70/0x72
      [177.843][T2585409]  btrfs_delete_unused_bgs+0x3d9/0x14c0 [btrfs]
    
    There is a similar retry_list code in btrfs_delete_unused_bgs(), but it is
    safe, AFAICS. Since the block group was in the unused list, the used bytes
    should be 0 when it was added to the unused list. Then, it checks
    block_group->{used,reserved,pinned} are still 0 under the
    block_group->lock. So, they should be still eligible for the unused list,
    not the reclaim list.
    
    The reason it is safe there it's because because we're holding
    space_info->groups_sem in write mode.
    
    That means no other task can allocate from the block group, so while we
    are at deleted_unused_bgs() it's not possible for other tasks to
    allocate and deallocate extents from the block group, so it can't be
    added to the unused list or the reclaim list by anyone else.
    
    The bug can be reproduced by btrfs/166 after a few rounds. In practice
    this can be hit when relocation cannot find more chunk space and ends
    with ENOSPC.
    
    Reported-by: Shinichiro Kawasaki <shinichiro.kawasaki@wdc.com>
    Suggested-by: Johannes Thumshirn <Johannes.Thumshirn@wdc.com>
    Fixes: 4eb4e85c4f81 ("btrfs: retry block group reclaim without infinite loop")
    CC: stable@vger.kernel.org # 5.15+
    Reviewed-by: Filipe Manana <fdmanana@suse.com>
    Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
    Reviewed-by: Qu Wenruo <wqu@suse.com>
    Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

btrfs: fix folio refcount in __alloc_dummy_extent_buffer() [+ + +]
Author: Boris Burkov <boris@bur.io>
Date:   Tue Jul 2 07:31:14 2024 -0700

    btrfs: fix folio refcount in __alloc_dummy_extent_buffer()
    
    commit a56c85fa2d59ab0780514741550edf87989a66e9 upstream.
    
    Another improper use of __folio_put() in an error path after freshly
    allocating pages/folios which returns them with the refcount initialized
    to 1. The refactor from __free_pages() -> __folio_put() (instead of
    folio_put) removed a refcount decrement found in __free_pages() and
    folio_put but absent from __folio_put().
    
    Fixes: 13df3775efca ("btrfs: cleanup metadata page pointer usage")
    CC: stable@vger.kernel.org # 6.8+
    Tested-by: Ed Tomlinson <edtoml@gmail.com>
    Reviewed-by: Filipe Manana <fdmanana@suse.com>
    Signed-off-by: Boris Burkov <boris@bur.io>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

btrfs: scrub: initialize ret in scrub_simple_mirror() to fix compilation warning [+ + +]
Author: Lu Yao <yaolu@kylinos.cn>
Date:   Tue May 7 10:34:17 2024 +0800

    btrfs: scrub: initialize ret in scrub_simple_mirror() to fix compilation warning
    
    [ Upstream commit b4e585fffc1cf877112ed231a91f089e85688c2a ]
    
    The following error message is displayed:
      ../fs/btrfs/scrub.c:2152:9: error: ‘ret’ may be used uninitialized
      in this function [-Werror=maybe-uninitialized]"
    
    Compiler version: gcc version: (Debian 10.2.1-6) 10.2.1 20210110
    
    Reviewed-by: Boris Burkov <boris@bur.io>
    Signed-off-by: Lu Yao <yaolu@kylinos.cn>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

btrfs: zoned: fix calc_available_free_space() for zoned mode [+ + +]
Author: Naohiro Aota <naohiro.aota@wdc.com>
Date:   Thu Jun 20 15:05:45 2024 +0900

    btrfs: zoned: fix calc_available_free_space() for zoned mode
    
    commit 64d2c847ba380e07b9072d65a50aa6469d2aa43f upstream.
    
    calc_available_free_space() returns the total size of metadata (or
    system) block groups, which can be allocated from unallocated disk
    space. The logic is wrong on zoned mode in two places.
    
    First, the calculation of data_chunk_size is wrong. We always allocate
    one zone as one chunk, and no partial allocation of a zone. So, we
    should use zone_size (= data_sinfo->chunk_size) as it is.
    
    Second, the result "avail" may not be zone aligned. Since we always
    allocate one zone as one chunk on zoned mode, returning non-zone size
    aligned bytes will result in less pressure on the async metadata reclaim
    process.
    
    This is serious for the nearly full state with a large zone size device.
    Allowing over-commit too much will result in less async reclaim work and
    end up in ENOSPC. We can align down to the zone size to avoid that.
    
    Fixes: cb6cbab79055 ("btrfs: adjust overcommit logic when very close to full")
    CC: stable@vger.kernel.org # 6.9
    Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
    Reviewed-by: Boris Burkov <boris@bur.io>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
can: kvaser_usb: Explicitly initialize family in leafimx driver_info struct [+ + +]
Author: Jimmy Assarsson <extja@kvaser.com>
Date:   Fri Jun 28 21:45:29 2024 +0200

    can: kvaser_usb: Explicitly initialize family in leafimx driver_info struct
    
    commit 19d5b2698c35b2132a355c67b4d429053804f8cc upstream.
    
    Explicitly set the 'family' driver_info struct member for leafimx.
    Previously, the correct operation relied on KVASER_LEAF being the first
    defined value in enum kvaser_usb_leaf_family.
    
    Fixes: e6c80e601053 ("can: kvaser_usb: kvaser_usb_leaf: fix CAN clock frequency regression")
    Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
    Link: https://lore.kernel.org/all/20240628194529.312968-1-extja@kvaser.com
    Cc: stable@vger.kernel.org
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
cdrom: rearrange last_media_change check to avoid unintentional overflow [+ + +]
Author: Justin Stitt <justinstitt@google.com>
Date:   Tue May 7 23:25:20 2024 +0100

    cdrom: rearrange last_media_change check to avoid unintentional overflow
    
    [ Upstream commit efb905aeb44b0e99c0e6b07865b1885ae0471ebf ]
    
    When running syzkaller with the newly reintroduced signed integer wrap
    sanitizer we encounter this splat:
    
    [  366.015950] UBSAN: signed-integer-overflow in ../drivers/cdrom/cdrom.c:2361:33
    [  366.021089] -9223372036854775808 - 346321 cannot be represented in type '__s64' (aka 'long long')
    [  366.025894] program syz-executor.4 is using a deprecated SCSI ioctl, please convert it to SG_IO
    [  366.027502] CPU: 5 PID: 28472 Comm: syz-executor.7 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1
    [  366.027512] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
    [  366.027518] Call Trace:
    [  366.027523]  <TASK>
    [  366.027533]  dump_stack_lvl+0x93/0xd0
    [  366.027899]  handle_overflow+0x171/0x1b0
    [  366.038787] ata1.00: invalid multi_count 32 ignored
    [  366.043924]  cdrom_ioctl+0x2c3f/0x2d10
    [  366.063932]  ? __pm_runtime_resume+0xe6/0x130
    [  366.071923]  sr_block_ioctl+0x15d/0x1d0
    [  366.074624]  ? __pfx_sr_block_ioctl+0x10/0x10
    [  366.077642]  blkdev_ioctl+0x419/0x500
    [  366.080231]  ? __pfx_blkdev_ioctl+0x10/0x10
    ...
    
    Historically, the signed integer overflow sanitizer did not work in the
    kernel due to its interaction with `-fwrapv` but this has since been
    changed [1] in the newest version of Clang. It was re-enabled in the
    kernel with Commit 557f8c582a9ba8ab ("ubsan: Reintroduce signed overflow
    sanitizer").
    
    Let's rearrange the check to not perform any arithmetic, thus not
    tripping the sanitizer.
    
    Link: https://github.com/llvm/llvm-project/pull/82432 [1]
    Closes: https://github.com/KSPP/linux/issues/354
    Cc: linux-hardening@vger.kernel.org
    Signed-off-by: Justin Stitt <justinstitt@google.com>
    Link: https://lore.kernel.org/lkml/20240507-b4-sio-ata1-v1-1-810ffac6080a@google.com
    Reviewed-by: Phillip Potter <phil@philpotter.co.uk>
    Link: https://lore.kernel.org/lkml/ZjqU0fbzHrlnad8D@equinox
    Signed-off-by: Phillip Potter <phil@philpotter.co.uk>
    Link: https://lore.kernel.org/r/20240507222520.1445-2-phil@philpotter.co.uk
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
clk: mediatek: mt8183: Only enable runtime PM on mt8183-mfgcfg [+ + +]
Author: Pin-yen Lin <treapking@chromium.org>
Date:   Thu Jun 13 20:02:28 2024 +0800

    clk: mediatek: mt8183: Only enable runtime PM on mt8183-mfgcfg
    
    [ Upstream commit 878e845d8db04df9ff3bbbaac09d335b24153704 ]
    
    Commit 2f7b1d8b5505 ("clk: mediatek: Do a runtime PM get on controllers
    during probe") enabled runtime PM for all mediatek clock controllers,
    but this introduced an issue on the resume path.
    
    If a device resumes earlier than the clock controller and calls
    clk_prepare() when runtime PM is enabled on the controller, it will end
    up calling clk_pm_runtime_get(). But the subsequent
    pm_runtime_resume_and_get() call will fail because the runtime PM is
    temporarily disabled during suspend.
    
    To workaround this, introduce a need_runtime_pm flag and only enable it
    on mt8183-mfgcfg, which is the driver that observed deadlock previously.
    Hopefully mt8183-cfgcfg won't run into the issue at the resume stage
    because the GPU should have stopped rendering before the system calls
    suspend.
    
    Fixes: 2f7b1d8b5505 ("clk: mediatek: Do a runtime PM get on controllers during probe")
    Signed-off-by: Pin-yen Lin <treapking@chromium.org>
    Link: https://lore.kernel.org/r/20240613120357.1043342-1-treapking@chromium.org
    Signed-off-by: Stephen Boyd <sboyd@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

clk: qcom: clk-alpha-pll: set ALPHA_EN bit for Stromer Plus PLLs [+ + +]
Author: Gabor Juhos <j4g8y7@gmail.com>
Date:   Wed May 8 22:34:14 2024 +0200

    clk: qcom: clk-alpha-pll: set ALPHA_EN bit for Stromer Plus PLLs
    
    [ Upstream commit 5a33a64524e6381c399e5e42571d9363ffc0bed4 ]
    
    The clk_alpha_pll_stromer_plus_set_rate() function does not
    sets the ALPHA_EN bit in the USER_CTL register, so setting
    rates which requires using alpha mode works only if the bit
    gets set already prior calling the function.
    
    Extend the function to set the ALPHA_EN bit in order to allow
    using fractional rates regardless whether the bit gets set
    previously or not.
    
    Fixes: 84da48921a97 ("clk: qcom: clk-alpha-pll: introduce stromer plus ops")
    Signed-off-by: Gabor Juhos <j4g8y7@gmail.com>
    Link: https://lore.kernel.org/r/20240508-stromer-plus-alpha-en-v1-1-6639ce01ca5b@gmail.com
    Signed-off-by: Bjorn Andersson <andersson@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

clk: qcom: gcc-ipq9574: Add BRANCH_HALT_VOTED flag [+ + +]
Author: Md Sadre Alam <quic_mdalam@quicinc.com>
Date:   Thu May 9 16:24:05 2024 +0530

    clk: qcom: gcc-ipq9574: Add BRANCH_HALT_VOTED flag
    
    commit 72ceafb587a56e26c905472418c7dc2033c294d3 upstream.
    
    The crypto_ahb and crypto_axi clks are hardware voteable.
    This means that the halt bit isn't reliable because some
    other voter in the system, e.g. TrustZone, could be keeping
    the clk enabled when the kernel turns it off from clk_disable().
    Make these clks use voting mode by changing the halt check to
    BRANCH_HALT_VOTED and toggle the voting bit in the voting register
    instead of directly controlling the branch by writing to the branch
    register. This fixes stuck clk warnings seen on ipq9574 and saves
    power by actually turning the clk off.
    
    Also changes the CRYPTO_AHB_CLK_ENA & CRYPTO_AXI_CLK_ENA
    offset to 0xb004 from 0x16014.
    
    Cc: stable@vger.kernel.org
    Fixes: f6b2bd9cb29a ("clk: qcom: gcc-ipq9574: Enable crypto clocks")
    Signed-off-by: Md Sadre Alam <quic_mdalam@quicinc.com>
    Link: https://lore.kernel.org/r/20240509105405.1262369-1-quic_mdalam@quicinc.com
    Signed-off-by: Bjorn Andersson <andersson@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

clk: qcom: gcc-sm6350: Fix gpll6* & gpll7 parents [+ + +]
Author: Luca Weiss <luca.weiss@fairphone.com>
Date:   Wed May 8 10:12:53 2024 +0200

    clk: qcom: gcc-sm6350: Fix gpll6* & gpll7 parents
    
    [ Upstream commit 3414f41a13eb41db15c558fbc695466203dca4fa ]
    
    Both gpll6 and gpll7 are parented to CXO at 19.2 MHz and not to GPLL0
    which runs at 600 MHz. Also gpll6_out_even should have the parent gpll6
    and not gpll0.
    
    Adjust the parents of these clocks to make Linux report the correct rate
    and not absurd numbers like gpll7 at ~25 GHz or gpll6 at 24 GHz.
    
    Corrected rates are the following:
    
      gpll7              807999902 Hz
      gpll6              768000000 Hz
         gpll6_out_even  384000000 Hz
      gpll0              600000000 Hz
         gpll0_out_odd   200000000 Hz
         gpll0_out_even  300000000 Hz
    
    And because gpll6 is the parent of gcc_sdcc2_apps_clk_src (at 202 MHz)
    that clock also reports the correct rate now and avoids this warning:
    
      [    5.984062] mmc0: Card appears overclocked; req 202000000 Hz, actual 6312499237 Hz
    
    Fixes: 131abae905df ("clk: qcom: Add SM6350 GCC driver")
    Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
    Link: https://lore.kernel.org/r/20240508-sm6350-gpll-fix-v1-1-e4ea34284a6d@fairphone.com
    Signed-off-by: Bjorn Andersson <andersson@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

clk: sunxi-ng: common: Don't call hw_to_ccu_common on hw without common [+ + +]
Author: Frank Oltmanns <frank@oltmanns.dev>
Date:   Sun Jun 23 10:45:58 2024 +0200

    clk: sunxi-ng: common: Don't call hw_to_ccu_common on hw without common
    
    commit ea977d742507e534d9fe4f4d74256f6b7f589338 upstream.
    
    In order to set the rate range of a hw sunxi_ccu_probe calls
    hw_to_ccu_common() assuming all entries in desc->ccu_clks are contained
    in a ccu_common struct. This assumption is incorrect and, in
    consequence, causes invalid pointer de-references.
    
    Remove the faulty call. Instead, add one more loop that iterates over
    the ccu_clks and sets the rate range, if required.
    
    Fixes: b914ec33b391 ("clk: sunxi-ng: common: Support minimum and maximum rate")
    Reported-by: Robert J. Pafford <pafford.9@buckeyemail.osu.edu>
    Closes: https://lore.kernel.org/lkml/DM6PR01MB58047C810DDD5D0AE397CADFF7C22@DM6PR01MB5804.prod.exchangelabs.com/
    Cc: stable@vger.kernel.org
    Signed-off-by: Frank Oltmanns <frank@oltmanns.dev>
    Tested-by: Robert J. Pafford <pafford.9@buckeyemail.osu.edu>
    Link: https://lore.kernel.org/r/20240623-sunxi-ng_fix_common_probe-v1-1-7c97e32824a1@oltmanns.dev
    Signed-off-by: Chen-Yu Tsai <wens@csie.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
connector: Fix invalid conversion in cn_proc.h [+ + +]
Author: Matt Jan <zoo868e@gmail.com>
Date:   Tue May 14 12:10:46 2024 +0800

    connector: Fix invalid conversion in cn_proc.h
    
    [ Upstream commit 06e785aeb9ea8a43d0a3967c1ba6e69d758e82d4 ]
    
    The implicit conversion from unsigned int to enum
    proc_cn_event is invalid, so explicitly cast it
    for compilation in a C++ compiler.
    /usr/include/linux/cn_proc.h: In function 'proc_cn_event valid_event(proc_cn_event)':
    /usr/include/linux/cn_proc.h:72:17: error: invalid conversion from 'unsigned int' to 'proc_cn_event' [-fpermissive]
       72 |         ev_type &= PROC_EVENT_ALL;
          |                 ^
          |                 |
          |                 unsigned int
    
    Signed-off-by: Matt Jan <zoo868e@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
crypto: aead,cipher - zeroize key buffer after use [+ + +]
Author: Hailey Mothershead <hailmo@amazon.com>
Date:   Mon Apr 15 22:19:15 2024 +0000

    crypto: aead,cipher - zeroize key buffer after use
    
    [ Upstream commit 23e4099bdc3c8381992f9eb975c79196d6755210 ]
    
    I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding
    cryptographic information should be zeroized once they are no longer
    needed. Accomplish this by using kfree_sensitive for buffers that
    previously held the private key.
    
    Signed-off-by: Hailey Mothershead <hailmo@amazon.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

crypto: hisilicon/debugfs - Fix debugfs uninit process issue [+ + +]
Author: Chenghai Huang <huangchenghai2@huawei.com>
Date:   Sun Apr 7 15:59:53 2024 +0800

    crypto: hisilicon/debugfs - Fix debugfs uninit process issue
    
    [ Upstream commit 8be0913389718e8d27c4f1d4537b5e1b99ed7739 ]
    
    During the zip probe process, the debugfs failure does not stop
    the probe. When debugfs initialization fails, jumping to the
    error branch will also release regs, in addition to its own
    rollback operation.
    
    As a result, it may be released repeatedly during the regs
    uninit process. Therefore, the null check needs to be added to
    the regs uninit process.
    
    Signed-off-by: Chenghai Huang <huangchenghai2@huawei.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

crypto: hisilicon/sec2 - fix for register offset [+ + +]
Author: Wenkai Lin <linwenkai6@hisilicon.com>
Date:   Tue Apr 23 09:19:22 2024 +0800

    crypto: hisilicon/sec2 - fix for register offset
    
    [ Upstream commit 6117af86365916e4202b5a709c155f7e6e5df810 ]
    
    The offset of SEC_CORE_ENABLE_BITMAP should be 0 instead of 32,
    it cause a kasan shift-out-bounds warning, fix it.
    
    Signed-off-by: Wenkai Lin <linwenkai6@hisilicon.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
dma-mapping: benchmark: avoid needless copy_to_user if benchmark fails [+ + +]
Author: Fedor Pchelkin <pchelkin@ispras.ru>
Date:   Sat May 4 14:47:02 2024 +0300

    dma-mapping: benchmark: avoid needless copy_to_user if benchmark fails
    
    [ Upstream commit f7c9ccaadffd13066353332c13d7e9bf73b8f92d ]
    
    If do_map_benchmark() has failed, there is nothing useful to copy back
    to userspace.
    
    Suggested-by: Barry Song <21cnbao@gmail.com>
    Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
    Acked-by: Robin Murphy <robin.murphy@arm.com>
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/amd/display: Add NULL pointer check for kzalloc [+ + +]
Author: Hersen Wu <hersenxs.wu@amd.com>
Date:   Mon Apr 22 12:27:34 2024 -0400

    drm/amd/display: Add NULL pointer check for kzalloc
    
    [ Upstream commit 8e65a1b7118acf6af96449e1e66b7adbc9396912 ]
    
    [Why & How]
    Check return pointer of kzalloc before using it.
    
    Reviewed-by: Alex Hung <alex.hung@amd.com>
    Acked-by: Wayne Lin <wayne.lin@amd.com>
    Signed-off-by: Hersen Wu <hersenxs.wu@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/amd/display: ASSERT when failing to find index by plane/stream id [+ + +]
Author: Alex Hung <alex.hung@amd.com>
Date:   Mon Apr 22 12:02:17 2024 -0600

    drm/amd/display: ASSERT when failing to find index by plane/stream id
    
    [ Upstream commit 01eb50e53c1ce505bf449348d433181310288765 ]
    
    [WHY]
    find_disp_cfg_idx_by_plane_id and find_disp_cfg_idx_by_stream_id returns
    an array index and they return -1 when not found; however, -1 is not a
    valid index number.
    
    [HOW]
    When this happens, call ASSERT(), and return a positive number (which is
    fewer than callers' array size) instead.
    
    This fixes 4 OVERRUN and 2 NEGATIVE_RETURNS issues reported by Coverity.
    
    Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
    Acked-by: Wayne Lin <wayne.lin@amd.com>
    Signed-off-by: Alex Hung <alex.hung@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/amd/display: Check index msg_id before read or write [+ + +]
Author: Alex Hung <alex.hung@amd.com>
Date:   Thu Apr 18 13:27:43 2024 -0600

    drm/amd/display: Check index msg_id before read or write
    
    [ Upstream commit 59d99deb330af206a4541db0c4da8f73880fba03 ]
    
    [WHAT]
    msg_id is used as an array index and it cannot be a negative value, and
    therefore cannot be equal to MOD_HDCP_MESSAGE_ID_INVALID (-1).
    
    [HOW]
    Check whether msg_id is valid before reading and setting.
    
    This fixes 4 OVERRUN issues reported by Coverity.
    
    Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
    Acked-by: Wayne Lin <wayne.lin@amd.com>
    Signed-off-by: Alex Hung <alex.hung@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/amd/display: Check pipe offset before setting vblank [+ + +]
Author: Alex Hung <alex.hung@amd.com>
Date:   Mon Apr 22 18:07:17 2024 -0600

    drm/amd/display: Check pipe offset before setting vblank
    
    [ Upstream commit 5396a70e8cf462ec5ccf2dc8de103c79de9489e6 ]
    
    pipe_ctx has a size of MAX_PIPES so checking its index before accessing
    the array.
    
    This fixes an OVERRUN issue reported by Coverity.
    
    Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
    Acked-by: Wayne Lin <wayne.lin@amd.com>
    Signed-off-by: Alex Hung <alex.hung@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/amd/display: Do not return negative stream id for array [+ + +]
Author: Alex Hung <alex.hung@amd.com>
Date:   Mon Apr 22 13:43:14 2024 -0600

    drm/amd/display: Do not return negative stream id for array
    
    [ Upstream commit 3ac31c9a707dd1c7c890b95333182f955e9dcb57 ]
    
    [WHY]
    resource_stream_to_stream_idx returns an array index and it return -1
    when not found; however, -1 is not a valid array index number.
    
    [HOW]
    When this happens, call ASSERT(), and return a zero instead.
    
    This fixes an OVERRUN and an NEGATIVE_RETURNS issues reported by Coverity.
    
    Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
    Acked-by: Wayne Lin <wayne.lin@amd.com>
    Signed-off-by: Alex Hung <alex.hung@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/amd/display: Fix overlapping copy within dml_core_mode_programming [+ + +]
Author: Hersen Wu <hersenxs.wu@amd.com>
Date:   Tue Apr 23 10:57:37 2024 -0400

    drm/amd/display: Fix overlapping copy within dml_core_mode_programming
    
    [ Upstream commit f1fd8a0a54e6d23a6d16ee29159f247862460fd1 ]
    
    [WHY]
    &mode_lib->mp.Watermark and &locals->Watermark are
    the same address. memcpy may lead to unexpected behavior.
    
    [HOW]
    memmove should be used.
    
    Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
    Acked-by: Wayne Lin <wayne.lin@amd.com>
    Reviewed-by: Alex Hung <alex.hung@amd.com>
    Signed-off-by: Hersen Wu <hersenxs.wu@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/amd/display: Fix uninitialized variables in DM [+ + +]
Author: Alex Hung <alex.hung@amd.com>
Date:   Mon Apr 15 19:02:56 2024 -0600

    drm/amd/display: Fix uninitialized variables in DM
    
    [ Upstream commit f95bcb041f213a5da3da5fcaf73269bd13dba945 ]
    
    This fixes 11 UNINIT issues reported by Coverity.
    
    Reviewed-by: Hersen Wu <hersenxs.wu@amd.com>
    Acked-by: Wayne Lin <wayne.lin@amd.com>
    Signed-off-by: Alex Hung <alex.hung@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/amd/display: Skip finding free audio for unknown engine_id [+ + +]
Author: Alex Hung <alex.hung@amd.com>
Date:   Mon Apr 22 13:52:27 2024 -0600

    drm/amd/display: Skip finding free audio for unknown engine_id
    
    [ Upstream commit 1357b2165d9ad94faa4c4a20d5e2ce29c2ff29c3 ]
    
    [WHY]
    ENGINE_ID_UNKNOWN = -1 and can not be used as an array index. Plus, it
    also means it is uninitialized and does not need free audio.
    
    [HOW]
    Skip and return NULL.
    
    This fixes 2 OVERRUN issues reported by Coverity.
    
    Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
    Acked-by: Wayne Lin <wayne.lin@amd.com>
    Signed-off-by: Alex Hung <alex.hung@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/amd/display: update pipe topology log to support subvp [+ + +]
Author: Wenjing Liu <wenjing.liu@amd.com>
Date:   Tue Mar 19 10:06:51 2024 -0400

    drm/amd/display: update pipe topology log to support subvp
    
    [ Upstream commit 5db346c256bbacc634ff515a1a9202cd4b61d8c7 ]
    
    [why]
    There is an ambiguity in subvp pipe topology log. The log doesn't show
    subvp relation to main stream and it is not clear that certain stream
    is an internal stream for subvp pipes.
    
    [how]
    Separate subvp pipe topology logging from main pipe topology. Log main
    stream indices instead of the internal stream for subvp pipes.
    The following is a sample log showing 2 streams with subvp enabled on
    both:
    
       pipe topology update
     ________________________
    | plane0  slice0  stream0|
    |DPP1----OPP1----OTG1----|
    | plane0  slice0  stream1|
    |DPP0----OPP0----OTG0----|
    |    (phantom pipes)     |
    | plane0  slice0  stream0|
    |DPP3----OPP3----OTG3----|
    | plane0  slice0  stream1|
    |DPP2----OPP2----OTG2----|
    |________________________|
    
    Reviewed-by: Alvin Lee <alvin.lee2@amd.com>
    Acked-by: Roman Li <roman.li@amd.com>
    Signed-off-by: Wenjing Liu <wenjing.liu@amd.com>
    Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Stable-dep-of: 3ac31c9a707d ("drm/amd/display: Do not return negative stream id for array")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/amdgpu/atomfirmware: silence UBSAN warning [+ + +]
Author: Alex Deucher <alexander.deucher@amd.com>
Date:   Mon Jul 1 12:50:10 2024 -0400

    drm/amdgpu/atomfirmware: silence UBSAN warning
    
    commit d0417264437a8fa05f894cabba5a26715b32d78e upstream.
    
    This is a variable sized array.
    
    Link: https://lists.freedesktop.org/archives/amd-gfx/2024-June/110420.html
    Tested-by: Jeff Layton <jlayton@kernel.org>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
drm/amdgpu: correct hbm field in boot status [+ + +]
Author: Hawking Zhang <Hawking.Zhang@amd.com>
Date:   Tue May 21 15:03:02 2024 +0800

    drm/amdgpu: correct hbm field in boot status
    
    [ Upstream commit ec58991054e899c9d86f7e3c8a96cb602d4b5938 ]
    
    hbm filed takes bit 13 and bit 14 in boot status.
    
    Signed-off-by: Hawking Zhang <Hawking.Zhang@amd.com>
    Reviewed-by: Tao Zhou <tao.zhou1@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/amdgpu: fix double free err_addr pointer warnings [+ + +]
Author: Bob Zhou <bob.zhou@amd.com>
Date:   Tue Apr 23 13:32:39 2024 +0800

    drm/amdgpu: fix double free err_addr pointer warnings
    
    [ Upstream commit 506c245f3f1cd989cb89811a7f06e04ff8813a0d ]
    
    In amdgpu_umc_bad_page_polling_timeout, the amdgpu_umc_handle_bad_pages
    will be run many times so that double free err_addr in some special case.
    So set the err_addr to NULL to avoid the warnings.
    
    Signed-off-by: Bob Zhou <bob.zhou@amd.com>
    Acked-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/amdgpu: fix the warning about the expression (int)size - len [+ + +]
Author: Jesse Zhang <jesse.zhang@amd.com>
Date:   Thu Apr 25 15:16:40 2024 +0800

    drm/amdgpu: fix the warning about the expression (int)size - len
    
    [ Upstream commit ea686fef5489ef7a2450a9fdbcc732b837fb46a8 ]
    
    Converting size from size_t to int may overflow.
    v2: keep reverse xmas tree order (Christian)
    
    Signed-off-by: Jesse Zhang <jesse.zhang@amd.com>
    Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/amdgpu: fix uninitialized scalar variable warning [+ + +]
Author: Tim Huang <Tim.Huang@amd.com>
Date:   Tue Apr 23 14:06:28 2024 +0800

    drm/amdgpu: fix uninitialized scalar variable warning
    
    [ Upstream commit 9a5f15d2a29d06ce5bd50919da7221cda92afb69 ]
    
    Clear warning that uses uninitialized value fw_size.
    
    Signed-off-by: Tim Huang <Tim.Huang@amd.com>
    Reviewed-by: Christian König <christian.koenig@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/amdgpu: Fix uninitialized variable warnings [+ + +]
Author: Ma Jun <Jun.Ma2@amd.com>
Date:   Mon Apr 22 14:47:52 2024 +0800

    drm/amdgpu: Fix uninitialized variable warnings
    
    [ Upstream commit 60c448439f3b5db9431e13f7f361b4074d0e8594 ]
    
    return 0 to avoid returning an uninitialized variable r
    
    Signed-off-by: Ma Jun <Jun.Ma2@amd.com>
    Acked-by: Christian König <christian.koenig@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/amdgpu: Initialize timestamp for some legacy SOCs [+ + +]
Author: Ma Jun <Jun.Ma2@amd.com>
Date:   Mon Apr 22 10:07:51 2024 +0800

    drm/amdgpu: Initialize timestamp for some legacy SOCs
    
    [ Upstream commit 2e55bcf3d742a4946d862b86e39e75a95cc6f1c0 ]
    
    Initialize the interrupt timestamp for some legacy SOCs
    to fix the coverity issue "Uninitialized scalar variable"
    
    Signed-off-by: Ma Jun <Jun.Ma2@amd.com>
    Suggested-by: Christian König <christian.koenig@amd.com>
    Reviewed-by: Christian König <christian.koenig@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/amdgpu: silence UBSAN warning [+ + +]
Author: Alex Deucher <alexander.deucher@amd.com>
Date:   Thu May 16 09:51:26 2024 -0400

    drm/amdgpu: silence UBSAN warning
    
    [ Upstream commit 05d9e24ddb15160164ba6e917a88c00907dc2434 ]
    
    Convert a variable sized array from [1] to [].
    
    Reviewed-by: Christian König <christian.koenig@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc [+ + +]
Author: Jesse Zhang <jesse.zhang@amd.com>
Date:   Wed Apr 24 17:10:46 2024 +0800

    drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc
    
    [ Upstream commit 88a9a467c548d0b3c7761b4fd54a68e70f9c0944 ]
    
    Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001.
    V2: To really improve the handling we would actually
       need to have a separate value of 0xffffffff.(Christian)
    
    Signed-off-by: Jesse Zhang <jesse.zhang@amd.com>
    Suggested-by: Christian König <christian.koenig@amd.com>
    Reviewed-by: Christian König <christian.koenig@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/amdkfd: Let VRAM allocations go to GTT domain on small APUs [+ + +]
Author: Lang Yu <Lang.Yu@amd.com>
Date:   Fri Apr 26 14:56:35 2024 +0800

    drm/amdkfd: Let VRAM allocations go to GTT domain on small APUs
    
    [ Upstream commit eb853413d02c8d9b27942429b261a9eef228f005 ]
    
    Small APUs(i.e., consumer, embedded products) usually have a small
    carveout device memory which can't satisfy most compute workloads
    memory allocation requirements.
    
    We can't even run a Basic MNIST Example with a default 512MB carveout.
    https://github.com/pytorch/examples/tree/main/mnist. Error Log:
    
    "torch.cuda.OutOfMemoryError: HIP out of memory. Tried to allocate
    84.00 MiB. GPU 0 has a total capacity of 512.00 MiB of which 0 bytes
    is free. Of the allocated memory 103.83 MiB is allocated by PyTorch,
    and 22.17 MiB is reserved by PyTorch but unallocated"
    
    Though we can change BIOS settings to enlarge carveout size,
    which is inflexible and may bring complaint. On the other hand,
    the memory resource can't be effectively used between host and device.
    
    The solution is MI300A approach, i.e., let VRAM allocations go to GTT.
    Then device and host can flexibly and effectively share memory resource.
    
    v2: Report local_mem_size_private as 0. (Felix)
    
    Signed-off-by: Lang Yu <Lang.Yu@amd.com>
    Reviewed-by: Felix Kuehling <felix.kuehling@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/fbdev-generic: Fix framebuffer on big endian devices [+ + +]
Author: Thomas Huth <thuth@redhat.com>
Date:   Thu Jun 27 19:35:30 2024 +0200

    drm/fbdev-generic: Fix framebuffer on big endian devices
    
    [ Upstream commit 740b8dad05bee39e1e3b926f05bb4a8274b8ba49 ]
    
    Starting with kernel 6.7, the framebuffer text console is not working
    anymore with the virtio-gpu device on s390x hosts. Such big endian fb
    devices are usinga different pixel ordering than little endian devices,
    e.g. DRM_FORMAT_BGRX8888 instead of DRM_FORMAT_XRGB8888.
    
    This used to work fine as long as drm_client_buffer_addfb() was still
    calling drm_mode_addfb() which called drm_driver_legacy_fb_format()
    internally to get the right format. But drm_client_buffer_addfb() has
    recently been reworked to call drm_mode_addfb2() instead with the
    format value that has been passed to it as a parameter (see commit
    6ae2ff23aa43 ("drm/client: Convert drm_client_buffer_addfb() to drm_mode_addfb2()").
    
    That format parameter is determined in drm_fbdev_generic_helper_fb_probe()
    via the drm_mode_legacy_fb_format() function - which only generates
    formats suitable for little endian devices. So to fix this issue
    switch to drm_driver_legacy_fb_format() here instead to take the
    device endianness into consideration.
    
    Fixes: 6ae2ff23aa43 ("drm/client: Convert drm_client_buffer_addfb() to drm_mode_addfb2()")
    Closes: https://issues.redhat.com/browse/RHEL-45158
    Signed-off-by: Thomas Huth <thuth@redhat.com>
    Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
    Acked-by: Thomas Zimmermann <tzimmermann@suse.de>
    Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
    Tested-by: Geert Uytterhoeven <geert@linux-m68k.org>
    Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240627173530.460615-1-thuth@redhat.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/lima: fix shared irq handling on driver remove [+ + +]
Author: Erico Nunes <nunes.erico@gmail.com>
Date:   Tue Apr 2 00:43:28 2024 +0200

    drm/lima: fix shared irq handling on driver remove
    
    [ Upstream commit a6683c690bbfd1f371510cb051e8fa49507f3f5e ]
    
    lima uses a shared interrupt, so the interrupt handlers must be prepared
    to be called at any time. At driver removal time, the clocks are
    disabled early and the interrupts stay registered until the very end of
    the remove process due to the devm usage.
    This is potentially a bug as the interrupts access device registers
    which assumes clocks are enabled. A crash can be triggered by removing
    the driver in a kernel with CONFIG_DEBUG_SHIRQ enabled.
    This patch frees the interrupts at each lima device finishing callback
    so that the handlers are already unregistered by the time we fully
    disable clocks.
    
    Signed-off-by: Erico Nunes <nunes.erico@gmail.com>
    Signed-off-by: Qiang Yu <yuq825@gmail.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240401224329.1228468-2-nunes.erico@gmail.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes [+ + +]
Author: Ma Ke <make24@iscas.ac.cn>
Date:   Thu Jun 27 15:42:04 2024 +0800

    drm/nouveau: fix null pointer dereference in nouveau_connector_get_modes
    
    commit 80bec6825b19d95ccdfd3393cf8ec15ff2a749b4 upstream.
    
    In nouveau_connector_get_modes(), the return value of drm_mode_duplicate()
    is assigned to mode, which will lead to a possible NULL pointer
    dereference on failure of drm_mode_duplicate(). Add a check to avoid npd.
    
    Cc: stable@vger.kernel.org
    Fixes: 6ee738610f41 ("drm/nouveau: Add DRM driver for NVIDIA GPUs")
    Signed-off-by: Ma Ke <make24@iscas.ac.cn>
    Signed-off-by: Lyude Paul <lyude@redhat.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240627074204.3023776-1-make24@iscas.ac.cn
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
drm/ttm: Always take the bo delayed cleanup path for imported bos [+ + +]
Author: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Date:   Fri Jun 28 17:38:48 2024 +0200

    drm/ttm: Always take the bo delayed cleanup path for imported bos
    
    commit d99fbd9aab624fc030934e21655389ab1765dc94 upstream.
    
    Bos can be put with multiple unrelated dma-resv locks held. But
    imported bos attempt to grab the bo dma-resv during dma-buf detach
    that typically happens during cleanup. That leads to lockde splats
    similar to the below and a potential ABBA deadlock.
    
    Fix this by always taking the delayed workqueue cleanup path for
    imported bos.
    
    Requesting stable fixes from when the Xe driver was introduced,
    since its usage of drm_exec and wide vm dma_resvs appear to be
    the first reliable trigger of this.
    
    [22982.116427] ============================================
    [22982.116428] WARNING: possible recursive locking detected
    [22982.116429] 6.10.0-rc2+ #10 Tainted: G     U  W
    [22982.116430] --------------------------------------------
    [22982.116430] glxgears:sh0/5785 is trying to acquire lock:
    [22982.116431] ffff8c2bafa539a8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: dma_buf_detach+0x3b/0xf0
    [22982.116438]
                   but task is already holding lock:
    [22982.116438] ffff8c2d9aba6da8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: drm_exec_lock_obj+0x49/0x2b0 [drm_exec]
    [22982.116442]
                   other info that might help us debug this:
    [22982.116442]  Possible unsafe locking scenario:
    
    [22982.116443]        CPU0
    [22982.116444]        ----
    [22982.116444]   lock(reservation_ww_class_mutex);
    [22982.116445]   lock(reservation_ww_class_mutex);
    [22982.116447]
                    *** DEADLOCK ***
    
    [22982.116447]  May be due to missing lock nesting notation
    
    [22982.116448] 5 locks held by glxgears:sh0/5785:
    [22982.116449]  #0: ffff8c2d9aba58c8 (&xef->vm.lock){+.+.}-{3:3}, at: xe_file_close+0xde/0x1c0 [xe]
    [22982.116507]  #1: ffff8c2e28cc8480 (&vm->lock){++++}-{3:3}, at: xe_vm_close_and_put+0x161/0x9b0 [xe]
    [22982.116578]  #2: ffff8c2e31982970 (&val->lock){.+.+}-{3:3}, at: xe_validation_ctx_init+0x6d/0x70 [xe]
    [22982.116647]  #3: ffffacdc469478a8 (reservation_ww_class_acquire){+.+.}-{0:0}, at: xe_vma_destroy_unlocked+0x7f/0xe0 [xe]
    [22982.116716]  #4: ffff8c2d9aba6da8 (reservation_ww_class_mutex){+.+.}-{3:3}, at: drm_exec_lock_obj+0x49/0x2b0 [drm_exec]
    [22982.116719]
                   stack backtrace:
    [22982.116720] CPU: 8 PID: 5785 Comm: glxgears:sh0 Tainted: G     U  W          6.10.0-rc2+ #10
    [22982.116721] Hardware name: ASUS System Product Name/PRIME B560M-A AC, BIOS 2001 02/01/2023
    [22982.116723] Call Trace:
    [22982.116724]  <TASK>
    [22982.116725]  dump_stack_lvl+0x77/0xb0
    [22982.116727]  __lock_acquire+0x1232/0x2160
    [22982.116730]  lock_acquire+0xcb/0x2d0
    [22982.116732]  ? dma_buf_detach+0x3b/0xf0
    [22982.116734]  ? __lock_acquire+0x417/0x2160
    [22982.116736]  __ww_mutex_lock.constprop.0+0xd0/0x13b0
    [22982.116738]  ? dma_buf_detach+0x3b/0xf0
    [22982.116741]  ? dma_buf_detach+0x3b/0xf0
    [22982.116743]  ? ww_mutex_lock+0x2b/0x90
    [22982.116745]  ww_mutex_lock+0x2b/0x90
    [22982.116747]  dma_buf_detach+0x3b/0xf0
    [22982.116749]  drm_prime_gem_destroy+0x2f/0x40 [drm]
    [22982.116775]  xe_ttm_bo_destroy+0x32/0x220 [xe]
    [22982.116818]  ? __mutex_unlock_slowpath+0x3a/0x290
    [22982.116821]  drm_exec_unlock_all+0xa1/0xd0 [drm_exec]
    [22982.116823]  drm_exec_fini+0x12/0xb0 [drm_exec]
    [22982.116824]  xe_validation_ctx_fini+0x15/0x40 [xe]
    [22982.116892]  xe_vma_destroy_unlocked+0xb1/0xe0 [xe]
    [22982.116959]  xe_vm_close_and_put+0x41a/0x9b0 [xe]
    [22982.117025]  ? xa_find+0xe3/0x1e0
    [22982.117028]  xe_file_close+0x10a/0x1c0 [xe]
    [22982.117074]  drm_file_free+0x22a/0x280 [drm]
    [22982.117099]  drm_release_noglobal+0x22/0x70 [drm]
    [22982.117119]  __fput+0xf1/0x2d0
    [22982.117122]  task_work_run+0x59/0x90
    [22982.117125]  do_exit+0x330/0xb40
    [22982.117127]  do_group_exit+0x36/0xa0
    [22982.117129]  get_signal+0xbd2/0xbe0
    [22982.117131]  arch_do_signal_or_restart+0x3e/0x240
    [22982.117134]  syscall_exit_to_user_mode+0x1e7/0x290
    [22982.117137]  do_syscall_64+0xa1/0x180
    [22982.117139]  ? lock_acquire+0xcb/0x2d0
    [22982.117140]  ? __set_task_comm+0x28/0x1e0
    [22982.117141]  ? find_held_lock+0x2b/0x80
    [22982.117144]  ? __set_task_comm+0xe1/0x1e0
    [22982.117145]  ? lock_release+0xca/0x290
    [22982.117147]  ? __do_sys_prctl+0x245/0xab0
    [22982.117149]  ? lockdep_hardirqs_on_prepare+0xde/0x190
    [22982.117150]  ? syscall_exit_to_user_mode+0xb0/0x290
    [22982.117152]  ? do_syscall_64+0xa1/0x180
    [22982.117154]  ? __lock_acquire+0x417/0x2160
    [22982.117155]  ? reacquire_held_locks+0xd1/0x1f0
    [22982.117156]  ? do_user_addr_fault+0x30c/0x790
    [22982.117158]  ? lock_acquire+0xcb/0x2d0
    [22982.117160]  ? find_held_lock+0x2b/0x80
    [22982.117162]  ? do_user_addr_fault+0x357/0x790
    [22982.117163]  ? lock_release+0xca/0x290
    [22982.117164]  ? do_user_addr_fault+0x361/0x790
    [22982.117166]  ? trace_hardirqs_off+0x4b/0xc0
    [22982.117168]  ? clear_bhb_loop+0x45/0xa0
    [22982.117170]  ? clear_bhb_loop+0x45/0xa0
    [22982.117172]  ? clear_bhb_loop+0x45/0xa0
    [22982.117174]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
    [22982.117176] RIP: 0033:0x7f943d267169
    [22982.117192] Code: Unable to access opcode bytes at 0x7f943d26713f.
    [22982.117193] RSP: 002b:00007f9430bffc80 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
    [22982.117195] RAX: fffffffffffffe00 RBX: 0000000000000000 RCX: 00007f943d267169
    [22982.117196] RDX: 0000000000000000 RSI: 0000000000000189 RDI: 00005622f89579d0
    [22982.117197] RBP: 00007f9430bffcb0 R08: 0000000000000000 R09: 00000000ffffffff
    [22982.117198] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
    [22982.117199] R13: 0000000000000000 R14: 0000000000000000 R15: 00005622f89579d0
    [22982.117202]  </TASK>
    
    Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
    Cc: Christian König <christian.koenig@amd.com>
    Cc: Daniel Vetter <daniel@ffwll.ch>
    Cc: dri-devel@lists.freedesktop.org
    Cc: intel-xe@lists.freedesktop.org
    Cc: <stable@vger.kernel.org> # v6.8+
    Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
    Reviewed-by: Matthew Brost <matthew.brost@intel.com>
    Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
    Reviewed-by: Christian König <christian.koenig@amd.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240628153848.4989-1-thomas.hellstrom@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
drm/xe/mcr: Avoid clobbering DSS steering [+ + +]
Author: Matt Roper <matthew.d.roper@intel.com>
Date:   Wed Jun 26 14:05:37 2024 -0700

    drm/xe/mcr: Avoid clobbering DSS steering
    
    [ Upstream commit 1f006470284598060ca1307355352934400b37ca ]
    
    A couple copy/paste mistakes in the code that selects steering targets
    for OADDRM and INSTANCE0 unintentionally clobbered the steering target
    for DSS ranges in some cases.
    
    The OADDRM/INSTANCE0 values were also not assigned as intended, although
    that mistake wound up being harmless since the desired values for those
    specific ranges were '0' which the kzalloc of the GT structure should
    have already taken care of implicitly.
    
    Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
    Signed-off-by: Matt Roper <matthew.d.roper@intel.com>
    Reviewed-by: Lucas De Marchi <lucas.demarchi@intel.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240626210536.1620176-2-matthew.d.roper@intel.com
    (cherry picked from commit 4f82ac6102788112e599a6074d2c1f2afce923df)
    Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/xe: Add outer runtime_pm protection to xe_live_ktest@xe_dma_buf [+ + +]
Author: Rodrigo Vivi <rodrigo.vivi@intel.com>
Date:   Wed Apr 17 16:39:52 2024 -0400

    drm/xe: Add outer runtime_pm protection to xe_live_ktest@xe_dma_buf
    
    [ Upstream commit f9116f658a6217b101e3b4e89f845775b6fb05d9 ]
    
    Any kunit doing any memory access should get their own runtime_pm
    outer references since they don't use the standard driver API
    entries. In special this dma_buf from the same driver.
    
    Found by pre-merge CI on adding WARN calls for unprotected
    inner callers:
    
    <6> [318.639739]     # xe_dma_buf_kunit: running xe_test_dmabuf_import_same_driver
    <4> [318.639957] ------------[ cut here ]------------
    <4> [318.639967] xe 0000:4d:00.0: Missing outer runtime PM protection
    <4> [318.640049] WARNING: CPU: 117 PID: 3832 at drivers/gpu/drm/xe/xe_pm.c:533 xe_pm_runtime_get_noresume+0x48/0x60 [xe]
    
    Cc: Matthew Auld <matthew.auld@intel.com>
    Cc: Francois Dugast <francois.dugast@intel.com>
    Reviewed-by: Matthew Brost <matthew.brost@intel.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240417203952.25503-10-rodrigo.vivi@intel.com
    Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/xe: fix error handling in xe_migrate_update_pgtables [+ + +]
Author: Matthew Auld <matthew.auld@intel.com>
Date:   Thu Jun 20 11:20:26 2024 +0100

    drm/xe: fix error handling in xe_migrate_update_pgtables
    
    commit fc932f51926698488f874ddf7d8f18483ca10271 upstream.
    
    Don't call drm_suballoc_free with sa_bo pointing to PTR_ERR.
    
    References: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2120
    Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
    Signed-off-by: Matthew Auld <matthew.auld@intel.com>
    Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
    Cc: Matthew Brost <matthew.brost@intel.com>
    Cc: <stable@vger.kernel.org> # v6.8+
    Reviewed-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240620102025.127699-2-matthew.auld@intel.com
    (cherry picked from commit ce6b63336f79ec5f3996de65f452330e395f99ae)
    Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
drm: panel-orientation-quirks: Add quirk for Valve Galileo [+ + +]
Author: John Schoenick <johns@valvesoftware.com>
Date:   Fri Jun 28 13:58:21 2024 -0700

    drm: panel-orientation-quirks: Add quirk for Valve Galileo
    
    commit 26746ed40bb0e4ebe2b2bd61c04eaaa54e263c14 upstream.
    
    Valve's Steam Deck Galileo revision has a 800x1280 OLED panel
    
    Cc: stable@vger.kernel.org # 6.1+
    Signed-off-by: John Schoenick <johns@valvesoftware.com>
    Signed-off-by: Matthew Schwartz <mattschwartz@gwu.edu>
    Signed-off-by: Hamza Mahfooz <hamza.mahfooz@amd.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240628205822.348402-2-mattschwartz@gwu.edu
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
e1000e: Fix S0ix residency on corporate systems [+ + +]
Author: Dima Ruinskiy <dima.ruinskiy@intel.com>
Date:   Fri Jun 28 13:17:53 2024 -0700

    e1000e: Fix S0ix residency on corporate systems
    
    [ Upstream commit c93a6f62cb1bd097aef2e4588648a420d175eee2 ]
    
    On vPro systems, the configuration of the I219-LM to achieve power
    gating and S0ix residency is split between the driver and the CSME FW.
    It was discovered that in some scenarios, where the network cable is
    connected and then disconnected, S0ix residency is not always reached.
    This was root-caused to a subset of I219-LM register writes that are not
    performed by the CSME FW. Therefore, the driver should perform these
    register writes on corporate setups, regardless of the CSME FW state.
    
    This was discovered on Meteor Lake systems; however it is likely to
    appear on other platforms as well.
    
    Fixes: cc23f4f0b6b9 ("e1000e: Add support for Meteor Lake")
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=218589
    Signed-off-by: Dima Ruinskiy <dima.ruinskiy@intel.com>
    Signed-off-by: Vitaly Lifshits <vitaly.lifshits@intel.com>
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Link: https://patch.msgid.link/20240628201754.2744221-1-anthony.l.nguyen@intel.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
f2fs: Add inline to f2fs_build_fault_attr() stub [+ + +]
Author: Nathan Chancellor <nathan@kernel.org>
Date:   Mon May 13 08:40:27 2024 -0700

    f2fs: Add inline to f2fs_build_fault_attr() stub
    
    commit 0d8968287a1cf7b03d07387dc871de3861b9f6b9 upstream.
    
    When building without CONFIG_F2FS_FAULT_INJECTION, there is a warning
    from each file that includes f2fs.h because the stub for
    f2fs_build_fault_attr() is missing inline:
    
      In file included from fs/f2fs/segment.c:21:
      fs/f2fs/f2fs.h:4605:12: warning: 'f2fs_build_fault_attr' defined but not used [-Wunused-function]
       4605 | static int f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned long rate,
            |            ^~~~~~~~~~~~~~~~~~~~~
    
    Add the missing inline to resolve all of the warnings for this
    configuration.
    
    Fixes: 4ed886b187f4 ("f2fs: check validation of fault attrs in f2fs_build_fault_attr()")
    Signed-off-by: Nathan Chancellor <nathan@kernel.org>
    Reviewed-by: Chao Yu <chao@kernel.org>
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

f2fs: check validation of fault attrs in f2fs_build_fault_attr() [+ + +]
Author: Chao Yu <chao@kernel.org>
Date:   Tue May 7 11:38:47 2024 +0800

    f2fs: check validation of fault attrs in f2fs_build_fault_attr()
    
    [ Upstream commit 4ed886b187f47447ad559619c48c086f432d2b77 ]
    
    - It missed to check validation of fault attrs in parse_options(),
    let's fix to add check condition in f2fs_build_fault_attr().
    - Use f2fs_build_fault_attr() in __sbi_store() to clean up code.
    
    Signed-off-by: Chao Yu <chao@kernel.org>
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
filelock: Remove locks reliably when fcntl/close race is detected [+ + +]
Author: Jann Horn <jannh@google.com>
Date:   Tue Jul 2 18:26:52 2024 +0200

    filelock: Remove locks reliably when fcntl/close race is detected
    
    commit 3cad1bc010416c6dd780643476bc59ed742436b9 upstream.
    
    When fcntl_setlk() races with close(), it removes the created lock with
    do_lock_file_wait().
    However, LSMs can allow the first do_lock_file_wait() that created the lock
    while denying the second do_lock_file_wait() that tries to remove the lock.
    In theory (but AFAIK not in practice), posix_lock_file() could also fail to
    remove a lock due to GFP_KERNEL allocation failure (when splitting a range
    in the middle).
    
    After the bug has been triggered, use-after-free reads will occur in
    lock_get_status() when userspace reads /proc/locks. This can likely be used
    to read arbitrary kernel memory, but can't corrupt kernel memory.
    This only affects systems with SELinux / Smack / AppArmor / BPF-LSM in
    enforcing mode and only works from some security contexts.
    
    Fix it by calling locks_remove_posix() instead, which is designed to
    reliably get rid of POSIX locks associated with the given file and
    files_struct and is also used by filp_flush().
    
    Fixes: c293621bbf67 ("[PATCH] stale POSIX lock handling")
    Cc: stable@kernel.org
    Link: https://bugs.chromium.org/p/project-zero/issues/detail?id=2563
    Signed-off-by: Jann Horn <jannh@google.com>
    Link: https://lore.kernel.org/r/20240702-fs-lock-recover-2-v1-1-edd456f63789@google.com
    Reviewed-by: Jeff Layton <jlayton@kernel.org>
    Signed-off-by: Christian Brauner <brauner@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
firmware: dmi: Stop decoding on broken entry [+ + +]
Author: Jean Delvare <jdelvare@suse.de>
Date:   Tue Apr 30 18:29:32 2024 +0200

    firmware: dmi: Stop decoding on broken entry
    
    [ Upstream commit 0ef11f604503b1862a21597436283f158114d77e ]
    
    If a DMI table entry is shorter than 4 bytes, it is invalid. Due to
    how DMI table parsing works, it is impossible to safely recover from
    such an error, so we have to stop decoding the table.
    
    Signed-off-by: Jean Delvare <jdelvare@suse.de>
    Link: https://lore.kernel.org/linux-kernel/Zh2K3-HLXOesT_vZ@liuwe-devbox-debian-v2/T/
    Reviewed-by: Michael Kelley <mhklinux@outlook.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

firmware: sysfb: Fix reference count of sysfb parent device [+ + +]
Author: Thomas Zimmermann <tzimmermann@suse.de>
Date:   Tue Jun 25 10:17:43 2024 +0200

    firmware: sysfb: Fix reference count of sysfb parent device
    
    commit 3285d8f0a2ede604c368155c9c0921e16d41f70a upstream.
    
    Retrieving the system framebuffer's parent device in sysfb_init()
    increments the parent device's reference count. Hence release the
    reference before leaving the init function.
    
    Adding the sysfb platform device acquires and additional reference
    for the parent. This keeps the parent device around while the system
    framebuffer is in use.
    
    Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
    Fixes: 9eac534db001 ("firmware/sysfb: Set firmware-framebuffer parent device")
    Cc: Thomas Zimmermann <tzimmermann@suse.de>
    Cc: Javier Martinez Canillas <javierm@redhat.com>
    Cc: Helge Deller <deller@gmx.de>
    Cc: Jani Nikula <jani.nikula@intel.com>
    Cc: Dan Carpenter <dan.carpenter@linaro.org>
    Cc: Arnd Bergmann <arnd@arndb.de>
    Cc: Sui Jingfeng <suijingfeng@loongson.cn>
    Cc: <stable@vger.kernel.org> # v6.9+
    Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240625081818.15696-1-tzimmermann@suse.de
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
fs/ntfs3: Mark volume as dirty if xattr is broken [+ + +]
Author: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Date:   Mon Apr 22 17:18:51 2024 +0300

    fs/ntfs3: Mark volume as dirty if xattr is broken
    
    [ Upstream commit 24f6f5020b0b2c89c2cba5ec224547be95f753ee ]
    
    Mark a volume as corrupted if the name length exceeds the space
    occupied by ea.
    
    Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
fs: don't misleadingly warn during thaw operations [+ + +]
Author: Christian Brauner <brauner@kernel.org>
Date:   Thu Jun 13 11:38:14 2024 +0200

    fs: don't misleadingly warn during thaw operations
    
    commit 2ae4db5647d807efb6a87c09efaa6d1db9c905d7 upstream.
    
    The block device may have been frozen before it was claimed by a
    filesystem. Concurrently another process might try to mount that
    frozen block device and has temporarily claimed the block device for
    that purpose causing a concurrent fs_bdev_thaw() to end up here. The
    mounter is already about to abort mounting because they still saw an
    elevanted bdev->bd_fsfreeze_count so get_bdev_super() will return
    NULL in that case.
    
    For example, P1 calls dm_suspend() which calls into bdev_freeze() before
    the block device has been claimed by the filesystem. This brings
    bdev->bd_fsfreeze_count to 1 and no call into fs_bdev_freeze() is
    required.
    
    Now P2 tries to mount that frozen block device. It claims it and checks
    bdev->bd_fsfreeze_count. As it's elevated it aborts mounting.
    
    In the meantime P3 called dm_resume(). P3 sees that the block device is
    already claimed by a filesystem and calls into fs_bdev_thaw().
    
    P3 takes a passive reference and realizes that the filesystem isn't
    ready yet. P3 puts itself to sleep to wait for the filesystem to become
    ready.
    
    P2 now puts the last active reference to the filesystem and marks it as
    dying. P3 gets woken, sees that the filesystem is dying and
    get_bdev_super() fails.
    
    Fixes: 49ef8832fb1a ("bdev: implement freeze and thaw holder operations")
    Cc: <stable@vger.kernel.org>
    Reported-by: Theodore Ts'o <tytso@mit.edu>
    Link: https://lore.kernel.org/r/20240611085210.GA1838544@mit.edu
    Link: https://lore.kernel.org/r/20240613-lackmantel-einsehen-90f0d727358d@brauner
    Reviewed-by: Darrick J. Wong <djwong@kernel.org>
    Signed-off-by: Christian Brauner <brauner@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
fsnotify: Do not generate events for O_PATH file descriptors [+ + +]
Author: Jan Kara <jack@suse.cz>
Date:   Mon Jun 17 18:23:00 2024 +0200

    fsnotify: Do not generate events for O_PATH file descriptors
    
    commit 702eb71fd6501b3566283f8c96d7ccc6ddd662e9 upstream.
    
    Currently we will not generate FS_OPEN events for O_PATH file
    descriptors but we will generate FS_CLOSE events for them. This is
    asymmetry is confusing. Arguably no fsnotify events should be generated
    for O_PATH file descriptors as they cannot be used to access or modify
    file content, they are just convenient handles to file objects like
    paths. So fix the asymmetry by stopping to generate FS_CLOSE for O_PATH
    file descriptors.
    
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Link: https://lore.kernel.org/r/20240617162303.1596-1-jack@suse.cz
    Reviewed-by: Amir Goldstein <amir73il@gmail.com>
    Signed-off-by: Christian Brauner <brauner@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
gpio: mmio: do not calculate bgpio_bits via "ngpios" [+ + +]
Author: Shiji Yang <yangshiji66@outlook.com>
Date:   Tue Jun 25 09:19:49 2024 +0800

    gpio: mmio: do not calculate bgpio_bits via "ngpios"
    
    [ Upstream commit f07798d7bb9c46d17d80103fb772fd2c75d47919 ]
    
    bgpio_bits must be aligned with the data bus width. For example, on a
    32 bit big endian system and we only have 16 GPIOs. If we only assume
    bgpio_bits=16 we can never control the GPIO because the base address
    is the lowest address.
    
    low address                          high address
    -------------------------------------------------
    |   byte3   |   byte2   |   byte1   |   byte0   |
    -------------------------------------------------
    |    NaN    |    NaN    |  gpio8-15 |  gpio0-7  |
    -------------------------------------------------
    
    Fixes: 55b2395e4e92 ("gpio: mmio: handle "ngpios" properly in bgpio_init()")
    Fixes: https://github.com/openwrt/openwrt/issues/15739
    Reported-by: Mark Mentovai <mark@mentovai.com>
    Signed-off-by: Shiji Yang <yangshiji66@outlook.com>
    Suggested-By: Mark Mentovai <mark@mentovai.com>
    Reviewed-by: Jonas Gorski <jonas.gorski@gmail.com>
    Tested-by: Lóránd Horváth <lorand.horvath82@gmail.com>
    Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
    Link: https://lore.kernel.org/r/TYCP286MB089577B47D70F0AB25ABA6F5BCD52@TYCP286MB0895.JPNP286.PROD.OUTLOOK.COM
    Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
gpiolib: of: add polarity quirk for TSC2005 [+ + +]
Author: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Date:   Wed Jul 3 11:26:09 2024 -0700

    gpiolib: of: add polarity quirk for TSC2005
    
    [ Upstream commit f8d76c2c313c56d5cb894a243dff4550f048278d ]
    
    DTS for Nokia N900 incorrectly specifies "active high" polarity for
    the reset line, while the chip documentation actually specifies it as
    "active low".  In the past the driver fudged gpiod API and inverted
    the logic internally, but it was changed in d0d89493bff8.
    
    Fixes: d0d89493bff8 ("Input: tsc2004/5 - switch to using generic device properties")
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Acked-by: Linus Walleij <linus.walleij@linaro.org>
    Link: https://lore.kernel.org/r/ZoWXwYtwgJIxi-hD@google.com
    Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

gpiolib: of: fix lookup quirk for MIPS Lantiq [+ + +]
Author: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Date:   Mon Jul 1 10:38:50 2024 -0700

    gpiolib: of: fix lookup quirk for MIPS Lantiq
    
    [ Upstream commit 3645ffaf2b334abaf5f53e5ca0f47465d91e69d2 ]
    
    As it turns out, there is a large number of out-of-tree DTSes (in
    OpenWrt project) that used to specify incorrect (active high) polarity
    for the Lantiq reset GPIO, so to keep compatibility while they are
    being updated a quirk for force the polarity low is needed. Luckily
    these old DTSes used nonstandard name for the property ("gpio-reset" vs
    "reset-gpios") so the quirk will not hurt if there are any new devices
    that need inverted polarity as they can specify the right polarity in
    their DTS when using the standard "reset-gpios" property.
    
    Additionally the condition to enable the transition from standard to
    non-standard reset GPIO property name was inverted and the replacement
    name for the property was not correct. Fix this as well.
    
    Fixes: fbbbcd177a27 ("gpiolib: of: add quirk for locating reset lines with legacy bindings")
    Fixes: 90c2d2eb7ab5 ("MIPS: pci: lantiq: switch to using gpiod API")
    Reported-by: Martin Schiller <ms@dev.tdt.de>
    Acked-by: Martin Schiller <ms@dev.tdt.de>
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Link: https://lore.kernel.org/r/ZoLpqv1PN08xHioh@google.com
    Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
gve: Account for stopped queues when reading NIC stats [+ + +]
Author: Shailend Chand <shailend@google.com>
Date:   Wed May 1 23:25:47 2024 +0000

    gve: Account for stopped queues when reading NIC stats
    
    [ Upstream commit af9bcf910b1f86244f39e15e701b2dc564b469a6 ]
    
    We now account for the fact that the NIC might send us stats for a
    subset of queues. Without this change, gve_get_ethtool_stats might make
    an invalid access on the priv->stats_report->stats array.
    
    Tested-by: Mina Almasry <almasrymina@google.com>
    Reviewed-by: Praveen Kaligineedi <pkaligineedi@google.com>
    Reviewed-by: Harshitha Ramamurthy <hramamurthy@google.com>
    Signed-off-by: Shailend Chand <shailend@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
hwmon: (dell-smm) Add Dell G15 5511 to fan control whitelist [+ + +]
Author: Armin Wolf <W_Armin@gmx.de>
Date:   Wed May 22 23:08:09 2024 +0200

    hwmon: (dell-smm) Add Dell G15 5511 to fan control whitelist
    
    [ Upstream commit fa0bc8f297b29126b5ae983406e9bc76d48a9a8e ]
    
    A user reported that he needs to disable BIOS fan control on his
    Dell G15 5511 in order to be able to control the fans.
    
    Closes: https://github.com/Wer-Wolf/i8kutils/issues/5
    Signed-off-by: Armin Wolf <W_Armin@gmx.de>
    Acked-by: Pali Rohár <pali@kernel.org>
    Link: https://lore.kernel.org/r/20240522210809.294488-1-W_Armin@gmx.de
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
i2c: i801: Annotate apanel_addr as __ro_after_init [+ + +]
Author: Heiner Kallweit <hkallweit1@gmail.com>
Date:   Fri Apr 12 12:21:58 2024 +0200

    i2c: i801: Annotate apanel_addr as __ro_after_init
    
    [ Upstream commit 355b1513b1e97b6cef84b786c6480325dfd3753d ]
    
    Annotate this variable as __ro_after_init to protect it from being
    overwritten later.
    
    Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
    Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr [+ + +]
Author: Piotr Wojtaszczyk <piotr.wojtaszczyk@timesys.com>
Date:   Fri Jun 28 17:25:42 2024 +0200

    i2c: pnx: Fix potential deadlock warning from del_timer_sync() call in isr
    
    [ Upstream commit f63b94be6942ba82c55343e196bd09b53227618e ]
    
    When del_timer_sync() is called in an interrupt context it throws a warning
    because of potential deadlock. The timer is used only to exit from
    wait_for_completion() after a timeout so replacing the call with
    wait_for_completion_timeout() allows to remove the problematic timer and
    its related functions altogether.
    
    Fixes: 41561f28e76a ("i2c: New Philips PNX bus driver")
    Signed-off-by: Piotr Wojtaszczyk <piotr.wojtaszczyk@timesys.com>
    Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
IB/core: Implement a limit on UMAD receive List [+ + +]
Author: Michael Guralnik <michaelgur@nvidia.com>
Date:   Tue Apr 16 15:01:44 2024 +0300

    IB/core: Implement a limit on UMAD receive List
    
    [ Upstream commit ca0b44e20a6f3032224599f02e7c8fb49525c894 ]
    
    The existing behavior of ib_umad, which maintains received MAD
    packets in an unbounded list, poses a risk of uncontrolled growth.
    As user-space applications extract packets from this list, the rate
    of extraction may not match the rate of incoming packets, leading
    to potential list overflow.
    
    To address this, we introduce a limit to the size of the list. After
    considering typical scenarios, such as OpenSM processing, which can
    handle approximately 100k packets per second, and the 1-second retry
    timeout for most packets, we set the list size limit to 200k. Packets
    received beyond this limit are dropped, assuming they are likely timed
    out by the time they are handled by user-space.
    
    Notably, packets queued on the receive list due to reasons like
    timed-out sends are preserved even when the list is full.
    
    Signed-off-by: Michael Guralnik <michaelgur@nvidia.com>
    Reviewed-by: Mark Zhang <markzhang@nvidia.com>
    Link: https://lore.kernel.org/r/7197cb58a7d9e78399008f25036205ceab07fbd5.1713268818.git.leon@kernel.org
    Signed-off-by: Leon Romanovsky <leon@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ice: Don't process extts if PTP is disabled [+ + +]
Author: Jacob Keller <jacob.e.keller@intel.com>
Date:   Tue Jul 2 10:14:55 2024 -0700

    ice: Don't process extts if PTP is disabled
    
    [ Upstream commit 996422e3230e41468f652d754fefd1bdbcd4604e ]
    
    The ice_ptp_extts_event() function can race with ice_ptp_release() and
    result in a NULL pointer dereference which leads to a kernel panic.
    
    Panic occurs because the ice_ptp_extts_event() function calls
    ptp_clock_event() with a NULL pointer. The ice driver has already
    released the PTP clock by the time the interrupt for the next external
    timestamp event occurs.
    
    To fix this, modify the ice_ptp_extts_event() function to check the
    PTP state and bail early if PTP is not ready.
    
    Fixes: 172db5f91d5f ("ice: add support for auxiliary input/output pins")
    Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
    Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
    Signed-off-by: Karol Kolacinski <karol.kolacinski@intel.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Link: https://patch.msgid.link/20240702171459.2606611-3-anthony.l.nguyen@intel.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ice: Fix improper extts handling [+ + +]
Author: Milena Olech <milena.olech@intel.com>
Date:   Tue Jul 2 10:14:54 2024 -0700

    ice: Fix improper extts handling
    
    [ Upstream commit 00d3b4f54582d4e4a02cda5886bb336eeab268cc ]
    
    Extts events are disabled and enabled by the application ts2phc.
    However, in case where the driver is removed when the application is
    running, a specific extts event remains enabled and can cause a kernel
    crash.
    As a side effect, when the driver is reloaded and application is started
    again, remaining extts event for the channel from a previous run will
    keep firing and the message "extts on unexpected channel" might be
    printed to the user.
    
    To avoid that, extts events shall be disabled when PTP is released.
    
    Fixes: 172db5f91d5f ("ice: add support for auxiliary input/output pins")
    Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
    Co-developed-by: Jacob Keller <jacob.e.keller@intel.com>
    Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
    Signed-off-by: Milena Olech <milena.olech@intel.com>
    Signed-off-by: Karol Kolacinski <karol.kolacinski@intel.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Link: https://patch.msgid.link/20240702171459.2606611-2-anthony.l.nguyen@intel.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ice: Reject pin requests with unsupported flags [+ + +]
Author: Jacob Keller <jacob.e.keller@intel.com>
Date:   Tue Jul 2 10:14:56 2024 -0700

    ice: Reject pin requests with unsupported flags
    
    [ Upstream commit be2a9d12e6dad894b27361c06ea3752d67a45b49 ]
    
    The driver receives requests for configuring pins via the .enable
    callback of the PTP clock object. These requests come into the driver
    with flags which modify the requested behavior from userspace. Current
    implementation in ice does not reject flags that it doesn't support.
    This causes the driver to incorrectly apply requests with such flags as
    PTP_PEROUT_DUTY_CYCLE, or any future flags added by the kernel which it
    is not yet aware of.
    
    Fix this by properly validating flags in both ice_ptp_cfg_perout and
    ice_ptp_cfg_extts. Ensure that we check by bit-wise negating supported
    flags rather than just checking and rejecting known un-supported flags.
    This is preferable, as it ensures better compatibility with future
    kernels.
    
    Fixes: 172db5f91d5f ("ice: add support for auxiliary input/output pins")
    Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
    Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
    Signed-off-by: Karol Kolacinski <karol.kolacinski@intel.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Link: https://patch.msgid.link/20240702171459.2606611-4-anthony.l.nguyen@intel.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ice: use proper macro for testing bit [+ + +]
Author: Petr Oros <poros@redhat.com>
Date:   Tue Jul 2 10:14:57 2024 -0700

    ice: use proper macro for testing bit
    
    [ Upstream commit 7829ee78490ddb29993cc7893384a04b8cc7436c ]
    
    Do not use _test_bit() macro for testing bit. The proper macro for this
    is one without underline.
    
    _test_bit() is what test_bit() was prior to const-optimization. It
    directly calls arch_test_bit(), i.e. the arch-specific implementation
    (or the generic one). It's strictly _internal_ and shouldn't be used
    anywhere outside the actual test_bit() macro.
    
    test_bit() is a wrapper which checks whether the bitmap and the bit
    number are compile-time constants and if so, it calls the optimized
    function which evaluates this call to a compile-time constant as well.
    If either of them is not a compile-time constant, it just calls _test_bit().
    test_bit() is the actual function to use anywhere in the kernel.
    
    IOW, calling _test_bit() avoids potential compile-time optimizations.
    
    The sensors is not a compile-time constant, thus most probably there
    are no object code changes before and after the patch.
    But anyway, we shouldn't call internal wrappers instead of
    the actual API.
    
    Fixes: 4da71a77fc3b ("ice: read internal temperature sensor")
    Acked-by: Ivan Vecera <ivecera@redhat.com>
    Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
    Signed-off-by: Petr Oros <poros@redhat.com>
    Reviewed-by: Jiri Pirko <jiri@nvidia.com>
    Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Link: https://patch.msgid.link/20240702171459.2606611-5-anthony.l.nguyen@intel.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
igc: fix a log entry using uninitialized netdev [+ + +]
Author: Corinna Vinschen <vinschen@redhat.com>
Date:   Tue Apr 23 12:24:54 2024 +0200

    igc: fix a log entry using uninitialized netdev
    
    [ Upstream commit 86167183a17e03ec77198897975e9fdfbd53cb0b ]
    
    During successful probe, igc logs this:
    
    [    5.133667] igc 0000:01:00.0 (unnamed net_device) (uninitialized): PHC added
                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    The reason is that igc_ptp_init() is called very early, even before
    register_netdev() has been called. So the netdev_info() call works
    on a partially uninitialized netdev.
    
    Fix this by calling igc_ptp_init() after register_netdev(), right
    after the media autosense check, just as in igb.  Add a comment,
    just as in igb.
    
    Now the log message is fine:
    
    [    5.200987] igc 0000:01:00.0 eth0: PHC added
    
    Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
    Reviewed-by: Hariprasad Kelam <hkelam@marvell.com>
    Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
    Tested-by: Naama Meir <naamax.meir@linux.intel.com>
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
inet_diag: Initialize pad field in struct inet_diag_req_v2 [+ + +]
Author: Shigeru Yoshida <syoshida@redhat.com>
Date:   Wed Jul 3 18:16:49 2024 +0900

    inet_diag: Initialize pad field in struct inet_diag_req_v2
    
    [ Upstream commit 61cf1c739f08190a4cbf047b9fbb192a94d87e3f ]
    
    KMSAN reported uninit-value access in raw_lookup() [1]. Diag for raw
    sockets uses the pad field in struct inet_diag_req_v2 for the
    underlying protocol. This field corresponds to the sdiag_raw_protocol
    field in struct inet_diag_req_raw.
    
    inet_diag_get_exact_compat() converts inet_diag_req to
    inet_diag_req_v2, but leaves the pad field uninitialized. So the issue
    occurs when raw_lookup() accesses the sdiag_raw_protocol field.
    
    Fix this by initializing the pad field in
    inet_diag_get_exact_compat(). Also, do the same fix in
    inet_diag_dump_compat() to avoid the similar issue in the future.
    
    [1]
    BUG: KMSAN: uninit-value in raw_lookup net/ipv4/raw_diag.c:49 [inline]
    BUG: KMSAN: uninit-value in raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71
     raw_lookup net/ipv4/raw_diag.c:49 [inline]
     raw_sock_get+0x657/0x800 net/ipv4/raw_diag.c:71
     raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99
     inet_diag_cmd_exact+0x7d9/0x980
     inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]
     inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426
     sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282
     netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564
     sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297
     netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
     netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361
     netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905
     sock_sendmsg_nosec net/socket.c:730 [inline]
     __sock_sendmsg+0x332/0x3d0 net/socket.c:745
     ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585
     ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639
     __sys_sendmsg net/socket.c:2668 [inline]
     __do_sys_sendmsg net/socket.c:2677 [inline]
     __se_sys_sendmsg net/socket.c:2675 [inline]
     __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675
     x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    
    Uninit was stored to memory at:
     raw_sock_get+0x650/0x800 net/ipv4/raw_diag.c:71
     raw_diag_dump_one+0xa1/0x660 net/ipv4/raw_diag.c:99
     inet_diag_cmd_exact+0x7d9/0x980
     inet_diag_get_exact_compat net/ipv4/inet_diag.c:1404 [inline]
     inet_diag_rcv_msg_compat+0x469/0x530 net/ipv4/inet_diag.c:1426
     sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282
     netlink_rcv_skb+0x537/0x670 net/netlink/af_netlink.c:2564
     sock_diag_rcv+0x35/0x40 net/core/sock_diag.c:297
     netlink_unicast_kernel net/netlink/af_netlink.c:1335 [inline]
     netlink_unicast+0xe74/0x1240 net/netlink/af_netlink.c:1361
     netlink_sendmsg+0x10c6/0x1260 net/netlink/af_netlink.c:1905
     sock_sendmsg_nosec net/socket.c:730 [inline]
     __sock_sendmsg+0x332/0x3d0 net/socket.c:745
     ____sys_sendmsg+0x7f0/0xb70 net/socket.c:2585
     ___sys_sendmsg+0x271/0x3b0 net/socket.c:2639
     __sys_sendmsg net/socket.c:2668 [inline]
     __do_sys_sendmsg net/socket.c:2677 [inline]
     __se_sys_sendmsg net/socket.c:2675 [inline]
     __x64_sys_sendmsg+0x27e/0x4a0 net/socket.c:2675
     x64_sys_call+0x135e/0x3ce0 arch/x86/include/generated/asm/syscalls_64.h:47
     do_syscall_x64 arch/x86/entry/common.c:52 [inline]
     do_syscall_64+0xd9/0x1e0 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    
    Local variable req.i created at:
     inet_diag_get_exact_compat net/ipv4/inet_diag.c:1396 [inline]
     inet_diag_rcv_msg_compat+0x2a6/0x530 net/ipv4/inet_diag.c:1426
     sock_diag_rcv_msg+0x23d/0x740 net/core/sock_diag.c:282
    
    CPU: 1 PID: 8888 Comm: syz-executor.6 Not tainted 6.10.0-rc4-00217-g35bb670d65fc #32
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014
    
    Fixes: 432490f9d455 ("net: ip, diag -- Add diag interface for raw sockets")
    Reported-by: syzkaller <syzkaller@googlegroups.com>
    Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Link: https://patch.msgid.link/20240703091649.111773-1-syoshida@redhat.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
Input: ff-core - prefer struct_size over open coded arithmetic [+ + +]
Author: Erick Archer <erick.archer@outlook.com>
Date:   Sat Apr 27 17:05:56 2024 +0200

    Input: ff-core - prefer struct_size over open coded arithmetic
    
    [ Upstream commit a08b8f8557ad88ffdff8905e5da972afe52e3307 ]
    
    This is an effort to get rid of all multiplications from allocation
    functions in order to prevent integer overflows [1][2].
    
    As the "ff" variable is a pointer to "struct ff_device" and this
    structure ends in a flexible array:
    
    struct ff_device {
            [...]
            struct file *effect_owners[] __counted_by(max_effects);
    };
    
    the preferred way in the kernel is to use the struct_size() helper to
    do the arithmetic instead of the calculation "size + count * size" in
    the kzalloc() function.
    
    The struct_size() helper returns SIZE_MAX on overflow. So, refactor
    the comparison to take advantage of this.
    
    This way, the code is more readable and safer.
    
    This code was detected with the help of Coccinelle, and audited and
    modified manually.
    
    Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments [1]
    Link: https://github.com/KSPP/linux/issues/160 [2]
    Signed-off-by: Erick Archer <erick.archer@outlook.com>
    Reviewed-by: Kees Cook <keescook@chromium.org>
    Link: https://lore.kernel.org/r/AS8PR02MB72371E646714BAE2E51A6A378B152@AS8PR02MB7237.eurprd02.prod.outlook.com
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
jffs2: Fix potential illegal address access in jffs2_free_inode [+ + +]
Author: Wang Yong <wang.yong12@zte.com.cn>
Date:   Tue May 7 15:00:46 2024 +0800

    jffs2: Fix potential illegal address access in jffs2_free_inode
    
    [ Upstream commit af9a8730ddb6a4b2edd779ccc0aceb994d616830 ]
    
    During the stress testing of the jffs2 file system,the following
    abnormal printouts were found:
    [ 2430.649000] Unable to handle kernel paging request at virtual address 0069696969696948
    [ 2430.649622] Mem abort info:
    [ 2430.649829]   ESR = 0x96000004
    [ 2430.650115]   EC = 0x25: DABT (current EL), IL = 32 bits
    [ 2430.650564]   SET = 0, FnV = 0
    [ 2430.650795]   EA = 0, S1PTW = 0
    [ 2430.651032]   FSC = 0x04: level 0 translation fault
    [ 2430.651446] Data abort info:
    [ 2430.651683]   ISV = 0, ISS = 0x00000004
    [ 2430.652001]   CM = 0, WnR = 0
    [ 2430.652558] [0069696969696948] address between user and kernel address ranges
    [ 2430.653265] Internal error: Oops: 96000004 [#1] PREEMPT SMP
    [ 2430.654512] CPU: 2 PID: 20919 Comm: cat Not tainted 5.15.25-g512f31242bf6 #33
    [ 2430.655008] Hardware name: linux,dummy-virt (DT)
    [ 2430.655517] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
    [ 2430.656142] pc : kfree+0x78/0x348
    [ 2430.656630] lr : jffs2_free_inode+0x24/0x48
    [ 2430.657051] sp : ffff800009eebd10
    [ 2430.657355] x29: ffff800009eebd10 x28: 0000000000000001 x27: 0000000000000000
    [ 2430.658327] x26: ffff000038f09d80 x25: 0080000000000000 x24: ffff800009d38000
    [ 2430.658919] x23: 5a5a5a5a5a5a5a5a x22: ffff000038f09d80 x21: ffff8000084f0d14
    [ 2430.659434] x20: ffff0000bf9a6ac0 x19: 0169696969696940 x18: 0000000000000000
    [ 2430.659969] x17: ffff8000b6506000 x16: ffff800009eec000 x15: 0000000000004000
    [ 2430.660637] x14: 0000000000000000 x13: 00000001000820a1 x12: 00000000000d1b19
    [ 2430.661345] x11: 0004000800000000 x10: 0000000000000001 x9 : ffff8000084f0d14
    [ 2430.662025] x8 : ffff0000bf9a6b40 x7 : ffff0000bf9a6b48 x6 : 0000000003470302
    [ 2430.662695] x5 : ffff00002e41dcc0 x4 : ffff0000bf9aa3b0 x3 : 0000000003470342
    [ 2430.663486] x2 : 0000000000000000 x1 : ffff8000084f0d14 x0 : fffffc0000000000
    [ 2430.664217] Call trace:
    [ 2430.664528]  kfree+0x78/0x348
    [ 2430.664855]  jffs2_free_inode+0x24/0x48
    [ 2430.665233]  i_callback+0x24/0x50
    [ 2430.665528]  rcu_do_batch+0x1ac/0x448
    [ 2430.665892]  rcu_core+0x28c/0x3c8
    [ 2430.666151]  rcu_core_si+0x18/0x28
    [ 2430.666473]  __do_softirq+0x138/0x3cc
    [ 2430.666781]  irq_exit+0xf0/0x110
    [ 2430.667065]  handle_domain_irq+0x6c/0x98
    [ 2430.667447]  gic_handle_irq+0xac/0xe8
    [ 2430.667739]  call_on_irq_stack+0x28/0x54
    The parameter passed to kfree was 5a5a5a5a, which corresponds to the target field of
    the jffs_inode_info structure. It was found that all variables in the jffs_inode_info
    structure were 5a5a5a5a, except for the first member sem. It is suspected that these
    variables are not initialized because they were set to 5a5a5a5a during memory testing,
    which is meant to detect uninitialized memory.The sem variable is initialized in the
    function jffs2_i_init_once, while other members are initialized in
    the function jffs2_init_inode_info.
    
    The function jffs2_init_inode_info is called after iget_locked,
    but in the iget_locked function, the destroy_inode process is triggered,
    which releases the inode and consequently, the target member of the inode
    is not initialized.In concurrent high pressure scenarios, iget_locked
    may enter the destroy_inode branch as described in the code.
    
    Since the destroy_inode functionality of jffs2 only releases the target,
    the fix method is to set target to NULL in jffs2_i_init_once.
    
    Signed-off-by: Wang Yong <wang.yong12@zte.com.cn>
    Reviewed-by: Lu Zhongjun <lu.zhongjun@zte.com.cn>
    Reviewed-by: Yang Tao <yang.tao172@zte.com.cn>
    Cc: Xu Xin <xu.xin16@zte.com.cn>
    Cc: Yang Yang <yang.yang29@zte.com.cn>
    Signed-off-by: Richard Weinberger <richard@nod.at>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
kbuild: fix short log for AS in link-vmlinux.sh [+ + +]
Author: Masahiro Yamada <masahiroy@kernel.org>
Date:   Mon May 20 21:42:11 2024 +0900

    kbuild: fix short log for AS in link-vmlinux.sh
    
    [ Upstream commit 3430f65d6130ccbc86f0ff45642eeb9e2032a600 ]
    
    In convention, short logs print the output file, not the input file.
    
    Let's change the suffix for 'AS' since it assembles *.S into *.o.
    
    [Before]
    
      LD      .tmp_vmlinux.kallsyms1
      NM      .tmp_vmlinux.kallsyms1.syms
      KSYMS   .tmp_vmlinux.kallsyms1.S
      AS      .tmp_vmlinux.kallsyms1.S
      LD      .tmp_vmlinux.kallsyms2
      NM      .tmp_vmlinux.kallsyms2.syms
      KSYMS   .tmp_vmlinux.kallsyms2.S
      AS      .tmp_vmlinux.kallsyms2.S
      LD      vmlinux
    
    [After]
    
      LD      .tmp_vmlinux.kallsyms1
      NM      .tmp_vmlinux.kallsyms1.syms
      KSYMS   .tmp_vmlinux.kallsyms1.S
      AS      .tmp_vmlinux.kallsyms1.o
      LD      .tmp_vmlinux.kallsyms2
      NM      .tmp_vmlinux.kallsyms2.syms
      KSYMS   .tmp_vmlinux.kallsyms2.S
      AS      .tmp_vmlinux.kallsyms2.o
      LD      vmlinux
    
    Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
kunit/fortify: Do not spam logs with fortify WARNs [+ + +]
Author: Kees Cook <kees@kernel.org>
Date:   Mon Apr 29 12:43:40 2024 -0700

    kunit/fortify: Do not spam logs with fortify WARNs
    
    [ Upstream commit 091f79e8de44736a1e677701d67334bba5b749e3 ]
    
    When running KUnit fortify tests, we're already doing precise tracking
    of which warnings are getting hit. Don't fill the logs with WARNs unless
    we've been explicitly built with DEBUG enabled.
    
    Link: https://lore.kernel.org/r/20240429194342.2421639-2-keescook@chromium.org
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
kunit: Fix timeout message [+ + +]
Author: Mickaël Salaün <mic@digikod.net>
Date:   Mon Apr 8 09:46:21 2024 +0200

    kunit: Fix timeout message
    
    [ Upstream commit 53026ff63bb07c04a0e962a74723eb10ff6f9dc7 ]
    
    The exit code is always checked, so let's properly handle the -ETIMEDOUT
    error code.
    
    Cc: Brendan Higgins <brendanhiggins@google.com>
    Cc: Shuah Khan <skhan@linuxfoundation.org>
    Reviewed-by: Kees Cook <keescook@chromium.org>
    Reviewed-by: David Gow <davidgow@google.com>
    Reviewed-by: Rae Moar <rmoar@google.com>
    Signed-off-by: Mickaël Salaün <mic@digikod.net>
    Link: https://lore.kernel.org/r/20240408074625.65017-4-mic@digikod.net
    Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
    Stable-dep-of: 3a35c13007de ("kunit: Handle test faults")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
KVM: s390: fix LPSWEY handling [+ + +]
Author: Christian Borntraeger <borntraeger@linux.ibm.com>
Date:   Fri Jun 28 18:35:47 2024 +0200

    KVM: s390: fix LPSWEY handling
    
    [ Upstream commit 4c6abb7f7b349f00c0f7ed5045bf67759c012892 ]
    
    in rare cases, e.g. for injecting a machine check we do intercept all
    load PSW instructions via ICTL_LPSW. With facility 193 a new variant
    LPSWEY was added. KVM needs to handle that as well.
    
    Fixes: a3efa8429266 ("KVM: s390: gen_facilities: allow facilities 165, 193, 194 and 196")
    Reported-by: Marc Hartmayer <mhartmay@linux.ibm.com>
    Reviewed-by: Sven Schnelle <svens@linux.ibm.com>
    Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
    Signed-off-by: Christian Borntraeger <borntraeger@linux.ibm.com>
    Message-ID: <20240628163547.2314-1-borntraeger@linux.ibm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
leds: an30259a: Use devm_mutex_init() for mutex initialization [+ + +]
Author: George Stark <gnstark@salutedevices.com>
Date:   Thu Apr 11 19:10:32 2024 +0300

    leds: an30259a: Use devm_mutex_init() for mutex initialization
    
    [ Upstream commit c382e2e3eccb6b7ca8c7aff5092c1668428e7de6 ]
    
    In this driver LEDs are registered using devm_led_classdev_register()
    so they are automatically unregistered after module's remove() is done.
    led_classdev_unregister() calls module's led_set_brightness() to turn off
    the LEDs and that callback uses mutex which was destroyed already
    in module's remove() so use devm API instead.
    
    Signed-off-by: George Stark <gnstark@salutedevices.com>
    Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
    Link: https://lore.kernel.org/r/20240411161032.609544-9-gnstark@salutedevices.com
    Signed-off-by: Lee Jones <lee@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

leds: mlxreg: Use devm_mutex_init() for mutex initialization [+ + +]
Author: George Stark <gnstark@salutedevices.com>
Date:   Thu Apr 11 19:10:31 2024 +0300

    leds: mlxreg: Use devm_mutex_init() for mutex initialization
    
    [ Upstream commit efc347b9efee1c2b081f5281d33be4559fa50a16 ]
    
    In this driver LEDs are registered using devm_led_classdev_register()
    so they are automatically unregistered after module's remove() is done.
    led_classdev_unregister() calls module's led_set_brightness() to turn off
    the LEDs and that callback uses mutex which was destroyed already
    in module's remove() so use devm API instead.
    
    Signed-off-by: George Stark <gnstark@salutedevices.com>
    Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
    Link: https://lore.kernel.org/r/20240411161032.609544-8-gnstark@salutedevices.com
    Signed-off-by: Lee Jones <lee@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
libbpf: detect broken PID filtering logic for multi-uprobe [+ + +]
Author: Andrii Nakryiko <andrii@kernel.org>
Date:   Tue May 21 09:33:59 2024 -0700

    libbpf: detect broken PID filtering logic for multi-uprobe
    
    [ Upstream commit 04d939a2ab229a3821f04fc81f7c027842f501f1 ]
    
    Libbpf is automatically (and transparently to user) detecting
    multi-uprobe support in the kernel, and, if supported, uses
    multi-uprobes to improve USDT attachment speed.
    
    USDTs can be attached system-wide or for the specific process by PID. In
    the latter case, we rely on correct kernel logic of not triggering USDT
    for unrelated processes.
    
    As such, on older kernels that do support multi-uprobes, but still have
    broken PID filtering logic, we need to fall back to singular uprobes.
    
    Unfortunately, whether user is using PID filtering or not is known at
    the attachment time, which happens after relevant BPF programs were
    loaded into the kernel. Also unfortunately, we need to make a call
    whether to use multi-uprobes or singular uprobe for SEC("usdt") programs
    during BPF object load time, at which point we have no information about
    possible PID filtering.
    
    The distinction between single and multi-uprobes is small, but important
    for the kernel. Multi-uprobes get BPF_TRACE_UPROBE_MULTI attach type,
    and kernel internally substitiute different implementation of some of
    BPF helpers (e.g., bpf_get_attach_cookie()) depending on whether uprobe
    is multi or singular. So, multi-uprobes and singular uprobes cannot be
    intermixed.
    
    All the above implies that we have to make an early and conservative
    call about the use of multi-uprobes. And so this patch modifies libbpf's
    existing feature detector for multi-uprobe support to also check correct
    PID filtering. If PID filtering is not yet fixed, we fall back to
    singular uprobes for USDTs.
    
    This extension to feature detection is simple thanks to kernel's -EINVAL
    addition for pid < 0.
    
    Acked-by: Jiri Olsa <jolsa@kernel.org>
    Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
    Link: https://lore.kernel.org/r/20240521163401.3005045-4-andrii@kernel.org
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

libbpf: don't close(-1) in multi-uprobe feature detector [+ + +]
Author: Andrii Nakryiko <andrii@kernel.org>
Date:   Wed May 29 16:12:12 2024 -0700

    libbpf: don't close(-1) in multi-uprobe feature detector
    
    commit 7d0b3953f6d832daec10a0d76e2d4db405768a8b upstream.
    
    Guard close(link_fd) with extra link_fd >= 0 check to prevent close(-1).
    
    Detected by Coverity static analysis.
    
    Fixes: 04d939a2ab22 ("libbpf: detect broken PID filtering logic for multi-uprobe")
    Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
    Acked-by: Jiri Olsa <jolsa@kernel.org>
    Link: https://lore.kernel.org/r/20240529231212.768828-1-andrii@kernel.org
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
Linux: Linux 6.9.9 [+ + +]
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Thu Jul 11 12:51:24 2024 +0200

    Linux 6.9.9
    
    Link: https://lore.kernel.org/r/20240709110708.903245467@linuxfoundation.org
    Tested-by: Ronald Warsow <rwarsow@gmx.de>
    Tested-by: SeongJae Park <sj@kernel.org>
    Tested-by: Markus Reichelt <lkt+2023@mareichelt.com>
    Tested-by: Pavel Machek (CIP) <pavel@denx.de>
    Tested-by: Kelsey Steele <kelseysteele@linux.microsoft.com>
    Tested-by: Shuah Khan <skhan@linuxfoundation.org>
    Tested-by: Peter Schneider <pschneider1968@googlemail.com>
    Tested-by: Bagas Sanjaya <bagasdotme@gmail.com>
    Tested-by: Salvatore Bonaccorso <carnil@debian.org>
    Tested-by: Jon Hunter <jonathanh@nvidia.com>
    Tested-by: Christian Heusel <christian@heusel.eu>
    Tested-by: Pascal Ernster <git@hardfalcon.net>
    Tested-by: Ron Economos <re@w6rz.net>
    Link: https://lore.kernel.org/r/2024071118-iguana-pureblood-03be@gregkh
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
locking/mutex: Introduce devm_mutex_init() [+ + +]
Author: George Stark <gnstark@salutedevices.com>
Date:   Thu Apr 11 19:10:25 2024 +0300

    locking/mutex: Introduce devm_mutex_init()
    
    [ Upstream commit 4cd47222e435dec8e3787614924174f53fcfb5ae ]
    
    Using of devm API leads to a certain order of releasing resources.
    So all dependent resources which are not devm-wrapped should be deleted
    with respect to devm-release order. Mutex is one of such objects that
    often is bound to other resources and has no own devm wrapping.
    Since mutex_destroy() actually does nothing in non-debug builds
    frequently calling mutex_destroy() is just ignored which is safe for now
    but wrong formally and can lead to a problem if mutex_destroy() will be
    extended so introduce devm_mutex_init().
    
    Suggested-by: Christophe Leroy <christophe.leroy@csgroup.eu>
    Signed-off-by: George Stark <gnstark@salutedevices.com>
    Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
    Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
    Reviewed-by: Marek Behún <kabel@kernel.org>
    Acked-by: Waiman Long <longman@redhat.com>
    Link: https://lore.kernel.org/r/20240411161032.609544-2-gnstark@salutedevices.com
    Signed-off-by: Lee Jones <lee@kernel.org>
    Stable-dep-of: efc347b9efee ("leds: mlxreg: Use devm_mutex_init() for mutex initialization")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
mac802154: fix time calculation in ieee802154_configure_durations() [+ + +]
Author: Dmitry Antipov <dmantipov@yandex.ru>
Date:   Wed May 8 14:40:10 2024 +0300

    mac802154: fix time calculation in ieee802154_configure_durations()
    
    [ Upstream commit 07aa33988ad92fef79056f5ec30b9a0e4364b616 ]
    
    Since 'symbol_duration' of 'struct wpan_phy' is in nanoseconds but
    'lifs_period' and 'sifs_period' are both in microseconds, fix time
    calculation in 'ieee802154_configure_durations()' and use convenient
    'NSEC_PER_USEC' in 'ieee802154_setup_wpan_phy_pib()' as well.
    Compile tested only.
    
    Found by Linux Verification Center (linuxtesting.org) with SVACE.
    
    Fixes: 781830c800dd ("net: mac802154: Set durations automatically")
    Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
    Acked-by: Miquel Raynal <miquel.raynal@bootlin.com>
    Message-ID: <20240508114010.219527-1-dmantipov@yandex.ru>
    Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
media: dvb-frontends: tda10048: Fix integer overflow [+ + +]
Author: Ricardo Ribalda <ribalda@chromium.org>
Date:   Mon Apr 29 16:05:04 2024 +0100

    media: dvb-frontends: tda10048: Fix integer overflow
    
    [ Upstream commit 1aa1329a67cc214c3b7bd2a14d1301a795760b07 ]
    
    state->xtal_hz can be up to 16M, so it can overflow a 32 bit integer
    when multiplied by pll_mfactor.
    
    Create a new 64 bit variable to hold the calculations.
    
    Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-25-3c4865f5a4b0@chromium.org
    Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
    Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

media: dvb-frontends: tda18271c2dd: Remove casting during div [+ + +]
Author: Ricardo Ribalda <ribalda@chromium.org>
Date:   Mon Apr 29 16:04:47 2024 +0100

    media: dvb-frontends: tda18271c2dd: Remove casting during div
    
    [ Upstream commit e9a844632630e18ed0671a7e3467431bd719952e ]
    
    do_div() divides 64 bits by 32. We were adding a casting to the divider
    to 64 bits, for a number that fits perfectly in 32 bits. Remove it.
    
    Found by cocci:
    drivers/media/dvb-frontends/tda18271c2dd.c:355:1-7: WARNING: do_div() does a 64-by-32 division, please consider using div64_u64 instead.
    drivers/media/dvb-frontends/tda18271c2dd.c:331:1-7: WARNING: do_div() does a 64-by-32 division, please consider using div64_u64 instead.
    
    Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-8-3c4865f5a4b0@chromium.org
    Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

media: dvb-usb: dib0700_devices: Add missing release_firmware() [+ + +]
Author: Ricardo Ribalda <ribalda@chromium.org>
Date:   Thu Apr 11 21:17:56 2024 +0000

    media: dvb-usb: dib0700_devices: Add missing release_firmware()
    
    [ Upstream commit 4b267c23ee064bd24c6933df0588ad1b6e111145 ]
    
    Add missing release_firmware on the error paths.
    
    drivers/media/usb/dvb-usb/dib0700_devices.c:2415 stk9090m_frontend_attach() warn: 'state->frontend_firmware' from request_firmware() not released on lines: 2415.
    drivers/media/usb/dvb-usb/dib0700_devices.c:2497 nim9090md_frontend_attach() warn: 'state->frontend_firmware' from request_firmware() not released on lines: 2489,2497.
    
    Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

media: dvb: as102-fe: Fix as10x_register_addr packing [+ + +]
Author: Ricardo Ribalda <ribalda@chromium.org>
Date:   Wed Apr 10 12:24:37 2024 +0000

    media: dvb: as102-fe: Fix as10x_register_addr packing
    
    [ Upstream commit 309422d280748c74f57f471559980268ac27732a ]
    
    This structure is embedded in multiple other structures that are packed,
    which conflicts with it being aligned.
    
    drivers/media/usb/as102/as10x_cmd.h:379:30: warning: field reg_addr within 'struct as10x_dump_memory::(unnamed at drivers/media/usb/as102/as10x_cmd.h:373:2)' is less aligned than 'struct as10x_register_addr' and is usually due to 'struct as10x_dump_memory::(unnamed at drivers/media/usb/as102/as10x_cmd.h:373:2)' being packed, which can lead to unaligned accesses [-Wunaligned-access]
    
    Mark it as being packed.
    
    Marking the inner struct as 'packed' does not change the layout, since the
    whole struct is already packed, it just silences the clang warning. See
    also this llvm discussion:
    
    https://github.com/llvm/llvm-project/issues/55520
    
    Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

media: dw2102: Don't translate i2c read into write [+ + +]
Author: Michael Bunk <micha@freedict.org>
Date:   Sun Jan 16 11:22:36 2022 +0000

    media: dw2102: Don't translate i2c read into write
    
    [ Upstream commit 0e148a522b8453115038193e19ec7bea71403e4a ]
    
    The code ignored the I2C_M_RD flag on I2C messages.  Instead it assumed
    an i2c transaction with a single message must be a write operation and a
    transaction with two messages would be a read operation.
    
    Though this works for the driver code, it leads to problems once the i2c
    device is exposed to code not knowing this convention.  For example,
    I did "insmod i2c-dev" and issued read requests from userspace, which
    were translated into write requests and destroyed the EEPROM of my
    device.
    
    So, just check and respect the I2C_M_READ flag, which indicates a read
    when set on a message.  If it is absent, it is a write message.
    
    Incidentally, changing from the case statement to a while loop allows
    the code to lift the limitation to two i2c messages per transaction.
    
    There are 4 more *_i2c_transfer functions affected by the same behaviour
    and limitation that should be fixed in the same way.
    
    Link: https://lore.kernel.org/linux-media/20220116112238.74171-2-micha@freedict.org
    Signed-off-by: Michael Bunk <micha@freedict.org>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

media: dw2102: fix a potential buffer overflow [+ + +]
Author: Mauro Carvalho Chehab <mchehab@kernel.org>
Date:   Mon Apr 29 15:15:05 2024 +0100

    media: dw2102: fix a potential buffer overflow
    
    [ Upstream commit 1c73d0b29d04bf4082e7beb6a508895e118ee30d ]
    
    As pointed by smatch:
             drivers/media/usb/dvb-usb/dw2102.c:802 su3000_i2c_transfer() error: __builtin_memcpy() '&state->data[4]' too small (64 vs 67)
    
    That seemss to be due to a wrong copy-and-paste.
    
    Fixes: 0e148a522b84 ("media: dw2102: Don't translate i2c read into write")
    
    Reported-by: Hans Verkuil <hverkuil@xs4all.nl>
    Reviewed-by: Hans Verkuil <hverkuil@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

media: i2c: st-mipid02: Use the correct div function [+ + +]
Author: Ricardo Ribalda <ribalda@chromium.org>
Date:   Mon Apr 29 16:05:00 2024 +0100

    media: i2c: st-mipid02: Use the correct div function
    
    [ Upstream commit 22dccf029e4a67ad5aa62537c47ece9f24c8f970 ]
    
    link_freq does not fit in 32 bits.
    
    Found by cocci:
    drivers/media/i2c/st-mipid02.c:329:1-7: WARNING: do_div() does a 64-by-32 division, please consider using div64_s64 instead.
    
    Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-21-3c4865f5a4b0@chromium.org
    Reviewed-by: Benjamin Mugnier <benjamin.mugnier@foss.st.com>
    Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
    Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

media: mediatek: vcodec: Only free buffer VA that is not NULL [+ + +]
Author: Fei Shao <fshao@chromium.org>
Date:   Thu Dec 21 09:17:46 2023 +0000

    media: mediatek: vcodec: Only free buffer VA that is not NULL
    
    [ Upstream commit eb005c801ec70ff4307727bd3bd6e8280169ef32 ]
    
    In the MediaTek vcodec driver, while mtk_vcodec_mem_free() is mostly
    called only when the buffer to free exists, there are some instances
    that didn't do the check and triggered warnings in practice.
    
    We believe those checks were forgotten unintentionally. Add the checks
    back to fix the warnings.
    
    Signed-off-by: Fei Shao <fshao@chromium.org>
    Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
    Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@collabora.com>
    Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

media: s2255: Use refcount_t instead of atomic_t for num_channels [+ + +]
Author: Ricardo Ribalda <ribalda@chromium.org>
Date:   Mon Apr 29 16:04:50 2024 +0100

    media: s2255: Use refcount_t instead of atomic_t for num_channels
    
    [ Upstream commit 6cff72f6bcee89228a662435b7c47e21a391c8d0 ]
    
    Use an API that resembles more the actual use of num_channels.
    
    Found by cocci:
    drivers/media/usb/s2255/s2255drv.c:2362:5-24: WARNING: atomic_dec_and_test variation before object free at line 2363.
    drivers/media/usb/s2255/s2255drv.c:1557:5-24: WARNING: atomic_dec_and_test variation before object free at line 1558.
    
    Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-11-3c4865f5a4b0@chromium.org
    Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

media: tc358746: Use the correct div_ function [+ + +]
Author: Ricardo Ribalda <ribalda@chromium.org>
Date:   Mon Apr 29 16:05:01 2024 +0100

    media: tc358746: Use the correct div_ function
    
    [ Upstream commit d77731382f57b9c18664a13c7e197285060ebf93 ]
    
    fin does not fit in 32 bits in some arches.
    
    Found by cocci:
    drivers/media/i2c/tc358746.c:847:2-8: WARNING: do_div() does a 64-by-32 division, please consider using div64_ul instead.
    
    Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-22-3c4865f5a4b0@chromium.org
    Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
mlxsw: core_linecards: Fix double memory deallocation in case of invalid INI file [+ + +]
Author: Aleksandr Mishin <amishin@t-argos.ru>
Date:   Wed Jul 3 23:32:51 2024 +0300

    mlxsw: core_linecards: Fix double memory deallocation in case of invalid INI file
    
    [ Upstream commit 8ce34dccbe8fa7d2ef86f2d8e7db2a9b67cabfc3 ]
    
    In case of invalid INI file mlxsw_linecard_types_init() deallocates memory
    but doesn't reset pointer to NULL and returns 0. In case of any error
    occurred after mlxsw_linecard_types_init() call, mlxsw_linecards_init()
    calls mlxsw_linecard_types_fini() which performs memory deallocation again.
    
    Add pointer reset to NULL.
    
    Found by Linux Verification Center (linuxtesting.org) with SVACE.
    
    Fixes: b217127e5e4e ("mlxsw: core_linecards: Add line card objects and implement provisioning")
    Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
    Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
    Reviewed-by: Ido Schimmel <idosch@nvidia.com>
    Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
    Link: https://patch.msgid.link/20240703203251.8871-1-amishin@t-argos.ru
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
mm: avoid overflows in dirty throttling logic [+ + +]
Author: Jan Kara <jack@suse.cz>
Date:   Fri Jun 21 16:42:38 2024 +0200

    mm: avoid overflows in dirty throttling logic
    
    commit 385d838df280eba6c8680f9777bfa0d0bfe7e8b2 upstream.
    
    The dirty throttling logic is interspersed with assumptions that dirty
    limits in PAGE_SIZE units fit into 32-bit (so that various multiplications
    fit into 64-bits).  If limits end up being larger, we will hit overflows,
    possible divisions by 0 etc.  Fix these problems by never allowing so
    large dirty limits as they have dubious practical value anyway.  For
    dirty_bytes / dirty_background_bytes interfaces we can just refuse to set
    so large limits.  For dirty_ratio / dirty_background_ratio it isn't so
    simple as the dirty limit is computed from the amount of available memory
    which can change due to memory hotplug etc.  So when converting dirty
    limits from ratios to numbers of pages, we just don't allow the result to
    exceed UINT_MAX.
    
    This is root-only triggerable problem which occurs when the operator
    sets dirty limits to >16 TB.
    
    Link: https://lkml.kernel.org/r/20240621144246.11148-2-jack@suse.cz
    Signed-off-by: Jan Kara <jack@suse.cz>
    Reported-by: Zach O'Keefe <zokeefe@google.com>
    Reviewed-By: Zach O'Keefe <zokeefe@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

mm: optimize the redundant loop of mm_update_owner_next() [+ + +]
Author: Jinliang Zheng <alexjlzheng@tencent.com>
Date:   Thu Jun 20 20:21:24 2024 +0800

    mm: optimize the redundant loop of mm_update_owner_next()
    
    commit cf3f9a593dab87a032d2b6a6fb205e7f3de4f0a1 upstream.
    
    When mm_update_owner_next() is racing with swapoff (try_to_unuse()) or
    /proc or ptrace or page migration (get_task_mm()), it is impossible to
    find an appropriate task_struct in the loop whose mm_struct is the same as
    the target mm_struct.
    
    If the above race condition is combined with the stress-ng-zombie and
    stress-ng-dup tests, such a long loop can easily cause a Hard Lockup in
    write_lock_irq() for tasklist_lock.
    
    Recognize this situation in advance and exit early.
    
    Link: https://lkml.kernel.org/r/20240620122123.3877432-1-alexjlzheng@tencent.com
    Signed-off-by: Jinliang Zheng <alexjlzheng@tencent.com>
    Acked-by: Michal Hocko <mhocko@suse.com>
    Cc: Christian Brauner <brauner@kernel.org>
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: Mateusz Guzik <mjguzik@gmail.com>
    Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Cc: Tycho Andersen <tandersen@netflix.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
mtd: rawnand: Bypass a couple of sanity checks during NAND identification [+ + +]
Author: Miquel Raynal <miquel.raynal@bootlin.com>
Date:   Thu May 16 15:13:20 2024 +0200

    mtd: rawnand: Bypass a couple of sanity checks during NAND identification
    
    commit 8754d9835683e8fab9a8305acdb38a3aeb9d20bd upstream.
    
    Early during NAND identification, mtd_info fields have not yet been
    initialized (namely, writesize and oobsize) and thus cannot be used for
    sanity checks yet. Of course if there is a misuse of
    nand_change_read_column_op() so early we won't be warned, but there is
    anyway no actual check to perform at this stage as we do not yet know
    the NAND geometry.
    
    So, if the fields are empty, especially mtd->writesize which is *always*
    set quite rapidly after identification, let's skip the sanity checks.
    
    nand_change_read_column_op() is subject to be used early for ONFI/JEDEC
    identification in the very unlikely case of:
    - bitflips appearing in the parameter page,
    - the controller driver not supporting simple DATA_IN cycles.
    
    As nand_change_read_column_op() uses nand_fill_column_cycles() the logic
    explaind above also applies in this secondary helper.
    
    Fixes: c27842e7e11f ("mtd: rawnand: onfi: Adapt the parameter page read to constraint controllers")
    Fixes: daca31765e8b ("mtd: rawnand: jedec: Adapt the parameter page read to constraint controllers")
    Cc: stable@vger.kernel.org
    Reported-by: Alexander Dahl <ada@thorsis.com>
    Closes: https://lore.kernel.org/linux-mtd/20240306-shaky-bunion-d28b65ea97d7@thorsis.com/
    Reported-by: Steven Seeger <steven.seeger@flightsystems.net>
    Closes: https://lore.kernel.org/linux-mtd/DM6PR05MB4506554457CF95191A670BDEF7062@DM6PR05MB4506.namprd05.prod.outlook.com/
    Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
    Tested-by: Sascha Hauer <s.hauer@pengutronix.de>
    Link: https://lore.kernel.org/linux-mtd/20240516131320.579822-3-miquel.raynal@bootlin.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

mtd: rawnand: Ensure ECC configuration is propagated to upper layers [+ + +]
Author: Miquel Raynal <miquel.raynal@bootlin.com>
Date:   Tue May 7 10:58:42 2024 +0200

    mtd: rawnand: Ensure ECC configuration is propagated to upper layers
    
    commit 3a1b777eb9fb75d09c45ae5dd1d007eddcbebf1f upstream.
    
    Until recently the "upper layer" was MTD. But following incremental
    reworks to bring spi-nand support and more recently generic ECC support,
    there is now an intermediate "generic NAND" layer that also needs to get
    access to some values. When using "converted" ECC engines, like the
    software ones, these values are already propagated correctly. But
    otherwise when using good old raw NAND controller drivers, we need to
    manually set these values ourselves at the end of the "scan" operation,
    once these values have been negotiated.
    
    Without this propagation, later (generic) checks like the one warning
    users that the ECC strength is not high enough might simply no longer
    work.
    
    Fixes: 8c126720fe10 ("mtd: rawnand: Use the ECC framework nand_ecc_is_strong_enough() helper")
    Cc: stable@vger.kernel.org
    Reported-by: Sascha Hauer <s.hauer@pengutronix.de>
    Closes: https://lore.kernel.org/all/Zhe2JtvvN1M4Ompw@pengutronix.de/
    Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
    Tested-by: Sascha Hauer <s.hauer@pengutronix.de>
    Link: https://lore.kernel.org/linux-mtd/20240507085842.108844-1-miquel.raynal@bootlin.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

mtd: rawnand: Fix the nand_read_data_op() early check [+ + +]
Author: Miquel Raynal <miquel.raynal@bootlin.com>
Date:   Thu May 16 15:13:19 2024 +0200

    mtd: rawnand: Fix the nand_read_data_op() early check
    
    commit 5da39530d19946f6241de84d1db69da2f5c61da7 upstream.
    
    The nand_read_data_op() operation, which only consists in DATA_IN
    cycles, is sadly not supported by all controllers despite being very
    basic. The core, for some time, supposed all drivers would support
    it. An improvement to this situation for supporting more constrained
    controller added a check to verify if the operation was supported before
    attempting it by running the function with the check_only boolean set
    first, and then possibly falling back to another (possibly slightly less
    optimized) alternative.
    
    An even newer addition moved that check very early and probe time, in
    order to perform the check only once. The content of the operation was
    not so important, as long as the controller driver would tell whether
    such operation on the NAND bus would be possible or not. In practice, no
    buffer was provided (no fake buffer or whatever) as it is anyway not
    relevant for the "check_only" condition. Unfortunately, early in the
    function, there is an if statement verifying that the input parameters
    are right for normal use, making the early check always unsuccessful.
    
    Fixes: 9f820fc0651c ("mtd: rawnand: Check the data only read pattern only once")
    Cc: stable@vger.kernel.org
    Reported-by: Alexander Dahl <ada@thorsis.com>
    Closes: https://lore.kernel.org/linux-mtd/20240306-shaky-bunion-d28b65ea97d7@thorsis.com/
    Reported-by: Steven Seeger <steven.seeger@flightsystems.net>
    Closes: https://lore.kernel.org/linux-mtd/DM6PR05MB4506554457CF95191A670BDEF7062@DM6PR05MB4506.namprd05.prod.outlook.com/
    Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
    Reviewed-by: Alexander Dahl <ada@thorsis.com>
    Link: https://lore.kernel.org/linux-mtd/20240516131320.579822-2-miquel.raynal@bootlin.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

mtd: rawnand: rockchip: ensure NVDDR timings are rejected [+ + +]
Author: Val Packett <val@packett.cool>
Date:   Sun May 19 00:13:39 2024 -0300

    mtd: rawnand: rockchip: ensure NVDDR timings are rejected
    
    commit b27d8946b5edd9827ee3c2f9ea1dd30022fb1ebe upstream.
    
    .setup_interface first gets called with a "target" value of
    NAND_DATA_IFACE_CHECK_ONLY, in which case an error is expected
    if the controller driver does not support the timing mode (NVDDR).
    
    Fixes: a9ecc8c814e9 ("mtd: rawnand: Choose the best timings, NV-DDR included")
    Signed-off-by: Val Packett <val@packett.cool>
    Cc: stable@vger.kernel.org
    Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
    Link: https://lore.kernel.org/linux-mtd/20240519031409.26464-1-val@packett.cool
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
net/mlx5: E-switch, Create ingress ACL when needed [+ + +]
Author: Chris Mi <cmi@nvidia.com>
Date:   Thu Jun 27 21:02:37 2024 +0300

    net/mlx5: E-switch, Create ingress ACL when needed
    
    [ Upstream commit b20c2fb45470d0c7a603613c9cfa5d45720e17f2 ]
    
    Currently, ingress acl is used for three features. It is created only
    when vport metadata match and prio tag are enabled. But active-backup
    lag mode also uses it. It is independent of vport metadata match and
    prio tag. And vport metadata match can be disabled using the
    following devlink command:
    
     # devlink dev param set pci/0000:08:00.0 name esw_port_metadata \
            value false cmode runtime
    
    If ingress acl is not created, will hit panic when creating drop rule
    for active-backup lag mode. If always create it, there will be about
    5% performance degradation.
    
    Fix it by creating ingress acl when needed. If esw_port_metadata is
    true, ingress acl exists, then create drop rule using existing
    ingress acl. If esw_port_metadata is false, create ingress acl and
    then create drop rule.
    
    Fixes: 1749c4c51c16 ("net/mlx5: E-switch, add drop rule support to ingress ACL")
    Signed-off-by: Chris Mi <cmi@nvidia.com>
    Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
net/mlx5e: Add mqprio_rl cleanup and free in mlx5e_priv_cleanup() [+ + +]
Author: Jianbo Liu <jianbol@nvidia.com>
Date:   Thu Jun 27 21:02:38 2024 +0300

    net/mlx5e: Add mqprio_rl cleanup and free in mlx5e_priv_cleanup()
    
    [ Upstream commit 1da839eab6dbc26b95bfcd1ed1a4d1aaa5c144a3 ]
    
    In the cited commit, mqprio_rl cleanup and free are mistakenly removed
    in mlx5e_priv_cleanup(), and it causes the leakage of host memory and
    firmware SCHEDULING_ELEMENT objects while changing eswitch mode. So,
    add them back.
    
    Fixes: 0bb7228f7096 ("net/mlx5e: Fix mqprio_rl handling on devlink reload")
    Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
    Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
    Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net/mlx5e: Approximate IPsec per-SA payload data bytes count [+ + +]
Author: Leon Romanovsky <leon@kernel.org>
Date:   Thu Jun 27 21:02:40 2024 +0300

    net/mlx5e: Approximate IPsec per-SA payload data bytes count
    
    [ Upstream commit e562f2d46d27576dd4108c1c4a67d501a5936e31 ]
    
    ConnectX devices lack ability to count payload data byte size which is
    needed for SA to return to libreswan for rekeying.
    
    As a solution let's approximate that by decreasing headers size from
    total size counted by flow steering. The calculation doesn't take into
    account any other headers which can be in the packet (e.g. IP extensions).
    
    Fixes: 5a6cddb89b51 ("net/mlx5e: Update IPsec per SA packets/bytes count")
    Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
    Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net/mlx5e: Present succeeded IPsec SA bytes and packet [+ + +]
Author: Leon Romanovsky <leon@kernel.org>
Date:   Thu Jun 27 21:02:39 2024 +0300

    net/mlx5e: Present succeeded IPsec SA bytes and packet
    
    [ Upstream commit 2d9dac5559f8cc4318e6b0d3c5b71984f462620b ]
    
    IPsec SA statistics presents successfully decrypted and encrypted
    packet and bytes, and not total handled by this SA. So update the
    calculation logic to take into account failures.
    
    Fixes: 6fb7f9408779 ("net/mlx5e: Connect mlx5 IPsec statistics with XFRM core")
    Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
    Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
net: allow skb_datagram_iter to be called from any context [+ + +]
Author: Sagi Grimberg <sagi@grimberg.me>
Date:   Wed Jun 26 13:00:08 2024 +0300

    net: allow skb_datagram_iter to be called from any context
    
    [ Upstream commit d2d30a376d9cc94c6fb730c58b3e5b7426ecb6de ]
    
    We only use the mapping in a single context, so kmap_local is sufficient
    and cheaper. Make sure to use skb_frag_foreach_page as skb frags may
    contain compound pages and we need to map page by page.
    
    Reported-by: kernel test robot <oliver.sang@intel.com>
    Closes: https://lore.kernel.org/oe-lkp/202406161539.b5ff7b20-oliver.sang@intel.com
    Fixes: 950fcaecd5cc ("datagram: consolidate datagram copy to iter helpers")
    Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
    Link: https://patch.msgid.link/20240626100008.831849-1-sagi@grimberg.me
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: dql: Avoid calling BUG() when WARN() is enough [+ + +]
Author: Breno Leitao <leitao@debian.org>
Date:   Thu Apr 11 12:22:29 2024 -0700

    net: dql: Avoid calling BUG() when WARN() is enough
    
    [ Upstream commit 4854b463c4b27c94a7de86d16ad84f235f4c1a72 ]
    
    If the dql_queued() function receives an invalid argument, WARN about it
    and continue, instead of crashing the kernel.
    
    This was raised by checkpatch, when I am refactoring this code (see
    following patch/commit)
    
            WARNING: Do not crash the kernel unless it is absolutely unavoidable--use WARN_ON_ONCE() plus recovery code (if feasible) instead of BUG() or variants
    
    Signed-off-by: Breno Leitao <leitao@debian.org>
    Link: https://lore.kernel.org/r/20240411192241.2498631-2-leitao@debian.org
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: dsa: mv88e6xxx: Correct check for empty list [+ + +]
Author: Simon Horman <horms@kernel.org>
Date:   Tue Apr 30 18:46:45 2024 +0100

    net: dsa: mv88e6xxx: Correct check for empty list
    
    [ Upstream commit 4c7f3950a9fd53a62b156c0fe7c3a2c43b0ba19b ]
    
    Since commit a3c53be55c95 ("net: dsa: mv88e6xxx: Support multiple MDIO
    busses") mv88e6xxx_default_mdio_bus() has checked that the
    return value of list_first_entry() is non-NULL.
    
    This appears to be intended to guard against the list chip->mdios being
    empty.  However, it is not the correct check as the implementation of
    list_first_entry is not designed to return NULL for empty lists.
    
    Instead, use list_first_entry_or_null() which does return NULL if the
    list is empty.
    
    Flagged by Smatch.
    Compile tested only.
    
    Reviewed-by: Andrew Lunn <andrew@lunn.ch>
    Signed-off-by: Simon Horman <horms@kernel.org>
    Link: https://lore.kernel.org/r/20240430-mv88e6xx-list_empty-v3-1-c35c69d88d2e@kernel.org
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: ntb_netdev: Move ntb_netdev_rx_handler() to call netif_rx() from __netif_rx() [+ + +]
Author: Dave Jiang <dave.jiang@intel.com>
Date:   Mon Jul 1 11:15:38 2024 -0700

    net: ntb_netdev: Move ntb_netdev_rx_handler() to call netif_rx() from __netif_rx()
    
    [ Upstream commit e15a5d821e5192a3769d846079bc9aa380139baf ]
    
    The following is emitted when using idxd (DSA) dmanegine as the data
    mover for ntb_transport that ntb_netdev uses.
    
    [74412.546922] BUG: using smp_processor_id() in preemptible [00000000] code: irq/52-idxd-por/14526
    [74412.556784] caller is netif_rx_internal+0x42/0x130
    [74412.562282] CPU: 6 PID: 14526 Comm: irq/52-idxd-por Not tainted 6.9.5 #5
    [74412.569870] Hardware name: Intel Corporation ArcherCity/ArcherCity, BIOS EGSDCRB1.E9I.1752.P05.2402080856 02/08/2024
    [74412.581699] Call Trace:
    [74412.584514]  <TASK>
    [74412.586933]  dump_stack_lvl+0x55/0x70
    [74412.591129]  check_preemption_disabled+0xc8/0xf0
    [74412.596374]  netif_rx_internal+0x42/0x130
    [74412.600957]  __netif_rx+0x20/0xd0
    [74412.604743]  ntb_netdev_rx_handler+0x66/0x150 [ntb_netdev]
    [74412.610985]  ntb_complete_rxc+0xed/0x140 [ntb_transport]
    [74412.617010]  ntb_rx_copy_callback+0x53/0x80 [ntb_transport]
    [74412.623332]  idxd_dma_complete_txd+0xe3/0x160 [idxd]
    [74412.628963]  idxd_wq_thread+0x1a6/0x2b0 [idxd]
    [74412.634046]  irq_thread_fn+0x21/0x60
    [74412.638134]  ? irq_thread+0xa8/0x290
    [74412.642218]  irq_thread+0x1a0/0x290
    [74412.646212]  ? __pfx_irq_thread_fn+0x10/0x10
    [74412.651071]  ? __pfx_irq_thread_dtor+0x10/0x10
    [74412.656117]  ? __pfx_irq_thread+0x10/0x10
    [74412.660686]  kthread+0x100/0x130
    [74412.664384]  ? __pfx_kthread+0x10/0x10
    [74412.668639]  ret_from_fork+0x31/0x50
    [74412.672716]  ? __pfx_kthread+0x10/0x10
    [74412.676978]  ret_from_fork_asm+0x1a/0x30
    [74412.681457]  </TASK>
    
    The cause is due to the idxd driver interrupt completion handler uses
    threaded interrupt and the threaded handler is not hard or soft interrupt
    context. However __netif_rx() can only be called from interrupt context.
    Change the call to netif_rx() in order to allow completion via normal
    context for dmaengine drivers that utilize threaded irq handling.
    
    While the following commit changed from netif_rx() to __netif_rx(),
    baebdf48c360 ("net: dev: Makes sure netif_rx() can be invoked in any context."),
    the change should've been a noop instead. However, the code precedes this
    fix should've been using netif_rx_ni() or netif_rx_any_context().
    
    Fixes: 548c237c0a99 ("net: Add support for NTB virtual ethernet device")
    Reported-by: Jerry Dai <jerry.dai@intel.com>
    Tested-by: Jerry Dai <jerry.dai@intel.com>
    Signed-off-by: Dave Jiang <dave.jiang@intel.com>
    Link: https://patch.msgid.link/20240701181538.3799546-1-dave.jiang@intel.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: phy: aquantia: add missing include guards [+ + +]
Author: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Date:   Mon Jul 1 10:03:22 2024 +0200

    net: phy: aquantia: add missing include guards
    
    [ Upstream commit 219343755eae6536d1fcb9184e6253ade4906aac ]
    
    The header is missing the include guards so add them.
    
    Reviewed-by: Andrew Lunn <andrew@lunn.ch>
    Fixes: fb470f70fea7 ("net: phy: aquantia: add hwmon support")
    Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
    Link: https://patch.msgid.link/20240701080322.9569-1-brgl@bgdev.pl
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: phy: phy_device: Fix PHY LED blinking code comment [+ + +]
Author: Marek Vasut <marex@denx.de>
Date:   Wed Jun 26 05:06:17 2024 +0200

    net: phy: phy_device: Fix PHY LED blinking code comment
    
    [ Upstream commit d3dcb084c70727be4a2f61bd94796e66147cfa35 ]
    
    Fix copy-paste error in the code comment. The code refers to
    LED blinking configuration, not brightness configuration. It
    was likely copied from comment above this one which does
    refer to brightness configuration.
    
    Fixes: 4e901018432e ("net: phy: phy_device: Call into the PHY driver to set LED blinking")
    Signed-off-by: Marek Vasut <marex@denx.de>
    Reviewed-by: Andrew Lunn <andrew@lunn.ch>
    Link: https://patch.msgid.link/20240626030638.512069-1-marex@denx.de
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: rswitch: Avoid use-after-free in rswitch_poll() [+ + +]
Author: Radu Rendec <rrendec@redhat.com>
Date:   Tue Jul 2 17:08:37 2024 -0400

    net: rswitch: Avoid use-after-free in rswitch_poll()
    
    [ Upstream commit 9a0c28efeec6383ef22e97437616b920e7320b67 ]
    
    The use-after-free is actually in rswitch_tx_free(), which is inlined in
    rswitch_poll(). Since `skb` and `gq->skbs[gq->dirty]` are in fact the
    same pointer, the skb is first freed using dev_kfree_skb_any(), then the
    value in skb->len is used to update the interface statistics.
    
    Let's move around the instructions to use skb->len before the skb is
    freed.
    
    This bug is trivial to reproduce using KFENCE. It will trigger a splat
    every few packets. A simple ARP request or ICMP echo request is enough.
    
    Fixes: 271e015b9153 ("net: rswitch: Add unmap_addrs instead of dma address in each desc")
    Signed-off-by: Radu Rendec <rrendec@redhat.com>
    Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
    Reviewed-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
    Link: https://patch.msgid.link/20240702210838.2703228-1-rrendec@redhat.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: stmmac: dwmac-qcom-ethqos: fix error array size [+ + +]
Author: Yijie Yang <quic_yijiyang@quicinc.com>
Date:   Mon Jul 1 09:47:20 2024 +0800

    net: stmmac: dwmac-qcom-ethqos: fix error array size
    
    commit b698ab56837bc9e666b7e7e12e9c28fe1d6a763c upstream.
    
    Correct member @num_por with size of right array @emac_v4_0_0_por for
    struct ethqos_emac_driver_data @emac_v4_0_0_data.
    
    Cc: stable@vger.kernel.org
    Fixes: 8c4d92e82d50 ("net: stmmac: dwmac-qcom-ethqos: add support for emac4 on sa8775p platforms")
    Signed-off-by: Yijie Yang <quic_yijiyang@quicinc.com>
    Reviewed-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
    Link: https://patch.msgid.link/20240701014720.2547856-1-quic_yijiyang@quicinc.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

net: stmmac: enable HW-accelerated VLAN stripping for gmac4 only [+ + +]
Author: Furong Xu <0x1207@gmail.com>
Date:   Mon Jul 1 16:19:36 2024 +0800

    net: stmmac: enable HW-accelerated VLAN stripping for gmac4 only
    
    [ Upstream commit 8eb301bd7b0f45d36e663ecbe59b7c80b9863950 ]
    
    Commit 750011e239a5 ("net: stmmac: Add support for HW-accelerated VLAN
    stripping") enables MAC level VLAN tag stripping for all MAC cores, but
    leaves set_hw_vlan_mode() and rx_hw_vlan() un-implemented for both gmac
    and xgmac.
    
    On gmac and xgmac, ethtool reports rx-vlan-offload is on, both MAC and
    driver do nothing about VLAN packets actually, although VLAN works well.
    
    Driver level stripping should be used on gmac and xgmac for now.
    
    Fixes: 750011e239a5 ("net: stmmac: Add support for HW-accelerated VLAN stripping")
    Signed-off-by: Furong Xu <0x1207@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: txgbe: add extra handle for MSI/INTx into thread irq handle [+ + +]
Author: Jiawen Wu <jiawenwu@trustnetic.com>
Date:   Mon Jul 1 15:14:15 2024 +0800

    net: txgbe: add extra handle for MSI/INTx into thread irq handle
    
    [ Upstream commit 1e1fa1723eb3a293d7d0b1c1a9ad8774c1ef0aa0 ]
    
    Rename original txgbe_misc_irq_handle() to txgbe_misc_irq_thread_fn()
    since it is the handle thread to wake up. And add the primary handler
    to deal the case of MSI/INTx, because there is a schedule NAPI poll.
    
    Fixes: aefd013624a1 ("net: txgbe: use irq_domain for interrupt controller")
    Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: txgbe: free isb resources at the right time [+ + +]
Author: Jiawen Wu <jiawenwu@trustnetic.com>
Date:   Mon Jul 1 15:14:16 2024 +0800

    net: txgbe: free isb resources at the right time
    
    [ Upstream commit 935124dd5883b5de68dc5a94f582480a10643dc9 ]
    
    When using MSI/INTx interrupt, the shared interrupts are still being
    handled in the device remove routine, before free IRQs. So isb memory
    is still read after it is freed. Thus move wx_free_isb_resources()
    from txgbe_close() to txgbe_remove(). And fix the improper isb free
    action in txgbe_open() error handling path.
    
    Fixes: aefd013624a1 ("net: txgbe: use irq_domain for interrupt controller")
    Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: txgbe: initialize num_q_vectors for MSI/INTx interrupts [+ + +]
Author: Jiawen Wu <jiawenwu@trustnetic.com>
Date:   Mon Jul 1 15:14:13 2024 +0800

    net: txgbe: initialize num_q_vectors for MSI/INTx interrupts
    
    [ Upstream commit 7c36711a2cd8059c2d24f5e5c1d76e8ea2d5613c ]
    
    When using MSI/INTx interrupts, wx->num_q_vectors is uninitialized.
    Thus there will be kernel panic in wx_alloc_q_vectors() to allocate
    queue vectors.
    
    Fixes: 3f703186113f ("net: libwx: Add irq flow functions")
    Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: txgbe: remove separate irq request for MSI and INTx [+ + +]
Author: Jiawen Wu <jiawenwu@trustnetic.com>
Date:   Mon Jul 1 15:14:14 2024 +0800

    net: txgbe: remove separate irq request for MSI and INTx
    
    [ Upstream commit bd07a98178462e7a02ed2bf7dec90a00944c1da5 ]
    
    When using MSI or INTx interrupts, request_irq() for pdev->irq will
    conflict with request_threaded_irq() for txgbe->misc.irq, to cause
    system crash. So remove txgbe_request_irq() for MSI/INTx case, and
    rename txgbe_request_msix_irqs() since it only request for queue irqs.
    
    Add wx->misc_irq_domain to determine whether the driver creates an IRQ
    domain and threaded request the IRQs.
    
    Fixes: aefd013624a1 ("net: txgbe: use irq_domain for interrupt controller")
    Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
netfilter: nf_tables: unconditionally flush pending work before notifier [+ + +]
Author: Florian Westphal <fw@strlen.de>
Date:   Tue Jul 2 16:08:14 2024 +0200

    netfilter: nf_tables: unconditionally flush pending work before notifier
    
    [ Upstream commit 9f6958ba2e902f9820c594869bd710ba74b7c4c0 ]
    
    syzbot reports:
    
    KASAN: slab-uaf in nft_ctx_update include/net/netfilter/nf_tables.h:1831
    KASAN: slab-uaf in nft_commit_release net/netfilter/nf_tables_api.c:9530
    KASAN: slab-uaf int nf_tables_trans_destroy_work+0x152b/0x1750 net/netfilter/nf_tables_api.c:9597
    Read of size 2 at addr ffff88802b0051c4 by task kworker/1:1/45
    [..]
    Workqueue: events nf_tables_trans_destroy_work
    Call Trace:
     nft_ctx_update include/net/netfilter/nf_tables.h:1831 [inline]
     nft_commit_release net/netfilter/nf_tables_api.c:9530 [inline]
     nf_tables_trans_destroy_work+0x152b/0x1750 net/netfilter/nf_tables_api.c:9597
    
    Problem is that the notifier does a conditional flush, but its possible
    that the table-to-be-removed is still referenced by transactions being
    processed by the worker, so we need to flush unconditionally.
    
    We could make the flush_work depend on whether we found a table to delete
    in nf-next to avoid the flush for most cases.
    
    AFAICS this problem is only exposed in nf-next, with
    commit e169285f8c56 ("netfilter: nf_tables: do not store nft_ctx in transaction objects"),
    with this commit applied there is an unconditional fetch of
    table->family which is whats triggering the above splat.
    
    Fixes: 2c9f0293280e ("netfilter: nf_tables: flush pending destroy work before netlink notifier")
    Reported-and-tested-by: syzbot+4fd66a69358fc15ae2ad@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=4fd66a69358fc15ae2ad
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
nfc/nci: Add the inconsistency check between the input data length and count [+ + +]
Author: Edward Adam Davis <eadavis@qq.com>
Date:   Tue May 28 11:12:31 2024 +0800

    nfc/nci: Add the inconsistency check between the input data length and count
    
    [ Upstream commit 068648aab72c9ba7b0597354ef4d81ffaac7b979 ]
    
    write$nci(r0, &(0x7f0000000740)=ANY=[@ANYBLOB="610501"], 0xf)
    
    Syzbot constructed a write() call with a data length of 3 bytes but a count value
    of 15, which passed too little data to meet the basic requirements of the function
    nci_rf_intf_activated_ntf_packet().
    
    Therefore, increasing the comparison between data length and count value to avoid
    problems caused by inconsistent data length and count.
    
    Reported-and-tested-by: syzbot+71bfed2b2bcea46c98f2@syzkaller.appspotmail.com
    Signed-off-by: Edward Adam Davis <eadavis@qq.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
nilfs2: add missing check for inode numbers on directory entries [+ + +]
Author: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Date:   Sun Jun 23 14:11:34 2024 +0900

    nilfs2: add missing check for inode numbers on directory entries
    
    commit bb76c6c274683c8570ad788f79d4b875bde0e458 upstream.
    
    Syzbot reported that mounting and unmounting a specific pattern of
    corrupted nilfs2 filesystem images causes a use-after-free of metadata
    file inodes, which triggers a kernel bug in lru_add_fn().
    
    As Jan Kara pointed out, this is because the link count of a metadata file
    gets corrupted to 0, and nilfs_evict_inode(), which is called from iput(),
    tries to delete that inode (ifile inode in this case).
    
    The inconsistency occurs because directories containing the inode numbers
    of these metadata files that should not be visible in the namespace are
    read without checking.
    
    Fix this issue by treating the inode numbers of these internal files as
    errors in the sanity check helper when reading directory folios/pages.
    
    Also thanks to Hillf Danton and Matthew Wilcox for their initial mm-layer
    analysis.
    
    Link: https://lkml.kernel.org/r/20240623051135.4180-3-konishi.ryusuke@gmail.com
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
    Reported-by: syzbot+d79afb004be235636ee8@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=d79afb004be235636ee8
    Reported-by: Jan Kara <jack@suse.cz>
    Closes: https://lkml.kernel.org/r/20240617075758.wewhukbrjod5fp5o@quack3
    Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
    Cc: Hillf Danton <hdanton@sina.com>
    Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

nilfs2: fix incorrect inode allocation from reserved inodes [+ + +]
Author: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Date:   Sun Jun 23 14:11:35 2024 +0900

    nilfs2: fix incorrect inode allocation from reserved inodes
    
    commit 93aef9eda1cea9e84ab2453fcceb8addad0e46f1 upstream.
    
    If the bitmap block that manages the inode allocation status is corrupted,
    nilfs_ifile_create_inode() may allocate a new inode from the reserved
    inode area where it should not be allocated.
    
    Previous fix commit d325dc6eb763 ("nilfs2: fix use-after-free bug of
    struct nilfs_root"), fixed the problem that reserved inodes with inode
    numbers less than NILFS_USER_INO (=11) were incorrectly reallocated due to
    bitmap corruption, but since the start number of non-reserved inodes is
    read from the super block and may change, in which case inode allocation
    may occur from the extended reserved inode area.
    
    If that happens, access to that inode will cause an IO error, causing the
    file system to degrade to an error state.
    
    Fix this potential issue by adding a wraparound option to the common
    metadata object allocation routine and by modifying
    nilfs_ifile_create_inode() to disable the option so that it only allocates
    inodes with inode numbers greater than or equal to the inode number read
    in "nilfs->ns_first_ino", regardless of the bitmap status of reserved
    inodes.
    
    Link: https://lkml.kernel.org/r/20240623051135.4180-4-konishi.ryusuke@gmail.com
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
    Cc: Hillf Danton <hdanton@sina.com>
    Cc: Jan Kara <jack@suse.cz>
    Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

nilfs2: fix inode number range checks [+ + +]
Author: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Date:   Sun Jun 23 14:11:33 2024 +0900

    nilfs2: fix inode number range checks
    
    commit e2fec219a36e0993642844be0f345513507031f4 upstream.
    
    Patch series "nilfs2: fix potential issues related to reserved inodes".
    
    This series fixes one use-after-free issue reported by syzbot, caused by
    nilfs2's internal inode being exposed in the namespace on a corrupted
    filesystem, and a couple of flaws that cause problems if the starting
    number of non-reserved inodes written in the on-disk super block is
    intentionally (or corruptly) changed from its default value.
    
    
    This patch (of 3):
    
    In the current implementation of nilfs2, "nilfs->ns_first_ino", which
    gives the first non-reserved inode number, is read from the superblock,
    but its lower limit is not checked.
    
    As a result, if a number that overlaps with the inode number range of
    reserved inodes such as the root directory or metadata files is set in the
    super block parameter, the inode number test macros (NILFS_MDT_INODE and
    NILFS_VALID_INODE) will not function properly.
    
    In addition, these test macros use left bit-shift calculations using with
    the inode number as the shift count via the BIT macro, but the result of a
    shift calculation that exceeds the bit width of an integer is undefined in
    the C specification, so if "ns_first_ino" is set to a large value other
    than the default value NILFS_USER_INO (=11), the macros may potentially
    malfunction depending on the environment.
    
    Fix these issues by checking the lower bound of "nilfs->ns_first_ino" and
    by preventing bit shifts equal to or greater than the NILFS_USER_INO
    constant in the inode number test macros.
    
    Also, change the type of "ns_first_ino" from signed integer to unsigned
    integer to avoid the need for type casting in comparisons such as the
    lower bound check introduced this time.
    
    Link: https://lkml.kernel.org/r/20240623051135.4180-1-konishi.ryusuke@gmail.com
    Link: https://lkml.kernel.org/r/20240623051135.4180-2-konishi.ryusuke@gmail.com
    Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
    Cc: Hillf Danton <hdanton@sina.com>
    Cc: Jan Kara <jack@suse.cz>
    Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
null_blk: Do not allow runt zone with zone capacity smaller then zone size [+ + +]
Author: Damien Le Moal <dlemoal@kernel.org>
Date:   Thu May 30 14:40:32 2024 +0900

    null_blk: Do not allow runt zone with zone capacity smaller then zone size
    
    [ Upstream commit b164316808ec5de391c3e7b0148ec937d32d280d ]
    
    A zoned device with a smaller last zone together with a zone capacity
    smaller than the zone size does make any sense as that does not
    correspond to any possible setup for a real device:
    1) For ZNS and zoned UFS devices, all zones are always the same size.
    2) For SMR HDDs, all zones always have the same capacity.
    In other words, if we have a smaller last runt zone, then this zone
    capacity should always be equal to the zone size.
    
    Add a check in null_init_zoned_dev() to prevent a configuration to have
    both a smaller zone size and a zone capacity smaller than the zone size.
    
    Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
    Reviewed-by: Niklas Cassel <cassel@kernel.org>
    Reviewed-by: Bart Van Assche <bvanassche@acm.org>
    Link: https://lore.kernel.org/r/20240530054035.491497-2-dlemoal@kernel.org
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
nvme-multipath: find NUMA path only for online numa-node [+ + +]
Author: Nilay Shroff <nilay@linux.ibm.com>
Date:   Thu May 16 17:43:51 2024 +0530

    nvme-multipath: find NUMA path only for online numa-node
    
    [ Upstream commit d3a043733f25d743f3aa617c7f82dbcb5ee2211a ]
    
    In current native multipath design when a shared namespace is created,
    we loop through each possible numa-node, calculate the NUMA distance of
    that node from each nvme controller and then cache the optimal IO path
    for future reference while sending IO. The issue with this design is that
    we may refer to the NUMA distance table for an offline node which may not
    be populated at the time and so we may inadvertently end up finding and
    caching a non-optimal path for IO. Then latter when the corresponding
    numa-node becomes online and hence the NUMA distance table entry for that
    node is created, ideally we should re-calculate the multipath node distance
    for the newly added node however that doesn't happen unless we rescan/reset
    the controller. So essentially, we may keep using non-optimal IO path for a
    node which is made online after namespace is created.
    This patch helps fix this issue ensuring that when a shared namespace is
    created, we calculate the multipath node distance for each online numa-node
    instead of each possible numa-node. Then latter when a node becomes online
    and we receive any IO on that newly added node, we would calculate the
    multipath node distance for newly added node but this time NUMA distance
    table would have been already populated for newly added node. Hence we
    would be able to correctly calculate the multipath node distance and choose
    the optimal path for the IO.
    
    Signed-off-by: Nilay Shroff <nilay@linux.ibm.com>
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Keith Busch <kbusch@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
nvme: adjust multiples of NVME_CTRL_PAGE_SIZE in offset [+ + +]
Author: Kundan Kumar <kundan.kumar@samsung.com>
Date:   Thu May 23 17:01:49 2024 +0530

    nvme: adjust multiples of NVME_CTRL_PAGE_SIZE in offset
    
    [ Upstream commit 1bd293fcf3af84674e82ed022c049491f3768840 ]
    
    bio_vec start offset may be relatively large particularly when large
    folio gets added to the bio. A bigger offset will result in avoiding the
    single-segment mapping optimization and end up using expensive
    mempool_alloc further.
    
    Rather than using absolute value, adjust bv_offset by
    NVME_CTRL_PAGE_SIZE while checking if segment can be fitted into one/two
    PRP entries.
    
    Suggested-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Kundan Kumar <kundan.kumar@samsung.com>
    Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Keith Busch <kbusch@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
nvmet: fix a possible leak when destroy a ctrl during qp establishment [+ + +]
Author: Sagi Grimberg <sagi@grimberg.me>
Date:   Mon May 27 22:38:52 2024 +0300

    nvmet: fix a possible leak when destroy a ctrl during qp establishment
    
    [ Upstream commit c758b77d4a0a0ed3a1292b3fd7a2aeccd1a169a4 ]
    
    In nvmet_sq_destroy we capture sq->ctrl early and if it is non-NULL we
    know that a ctrl was allocated (in the admin connect request handler)
    and we need to release pending AERs, clear ctrl->sqs and sq->ctrl
    (for nvme-loop primarily), and drop the final reference on the ctrl.
    
    However, a small window is possible where nvmet_sq_destroy starts (as
    a result of the client giving up and disconnecting) concurrently with
    the nvme admin connect cmd (which may be in an early stage). But *before*
    kill_and_confirm of sq->ref (i.e. the admin connect managed to get an sq
    live reference). In this case, sq->ctrl was allocated however after it was
    captured in a local variable in nvmet_sq_destroy.
    This prevented the final reference drop on the ctrl.
    
    Solve this by re-capturing the sq->ctrl after all inflight request has
    completed, where for sure sq->ctrl reference is final, and move forward
    based on that.
    
    This issue was observed in an environment with many hosts connecting
    multiple ctrls simoutanuosly, creating a delay in allocating a ctrl
    leading up to this race window.
    
    Reported-by: Alex Turin <alex@vastdata.com>
    Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Keith Busch <kbusch@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
orangefs: fix out-of-bounds fsid access [+ + +]
Author: Mike Marshall <hubcap@omnibond.com>
Date:   Wed May 1 16:20:36 2024 -0400

    orangefs: fix out-of-bounds fsid access
    
    [ Upstream commit 53e4efa470d5fc6a96662d2d3322cfc925818517 ]
    
    Arnd Bergmann sent a patch to fsdevel, he says:
    
    "orangefs_statfs() copies two consecutive fields of the superblock into
    the statfs structure, which triggers a warning from the string fortification
    helpers"
    
    Jan Kara suggested an alternate way to do the patch to make it more readable.
    
    I ran both ideas through xfstests and both seem fine. This patch
    is based on Jan Kara's suggestion.
    
    Signed-off-by: Mike Marshall <hubcap@omnibond.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
platform/x86: toshiba_acpi: Fix quickstart quirk handling [+ + +]
Author: Armin Wolf <W_Armin@gmx.de>
Date:   Mon Jul 1 21:45:39 2024 +0200

    platform/x86: toshiba_acpi: Fix quickstart quirk handling
    
    commit e527a6127223b644e0a27b44f4b16e16eb6c7f0a upstream.
    
    The global hci_hotkey_quickstart quirk flag is tested in
    toshiba_acpi_enable_hotkeys() before the quirk flag is properly
    initialized based on SMBIOS data. This causes the quirk to be
    applied to all models, some of which behave erratically as a
    result.
    
    Fix this by initializing the global quirk flags during module
    initialization before registering the ACPI driver. This also
    allows us to mark toshiba_dmi_quirks[] as __initconst.
    
    Fixes: 23f1d8b47d12 ("platform/x86: toshiba_acpi: Add quirk for buttons on Z830")
    Reported-by: kemal <kmal@cock.li>
    Closes: https://lore.kernel.org/platform-driver-x86/R4CYFS.TWB8QUU2SHWI1@cock.li/
    Tested-by: kemal <kmal@cock.li>
    Cc: stable@vger.kernel.org
    Signed-off-by: Armin Wolf <W_Armin@gmx.de>
    Link: https://lore.kernel.org/r/20240701194539.348937-1-W_Armin@gmx.de
    Reviewed-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

platform/x86: touchscreen_dmi: Add info for GlobalSpace SolT IVW 11.6" tablet [+ + +]
Author: hmtheboy154 <buingoc67@gmail.com>
Date:   Mon May 27 11:14:46 2024 +0200

    platform/x86: touchscreen_dmi: Add info for GlobalSpace SolT IVW 11.6" tablet
    
    [ Upstream commit 7c8639aa41343fd7b3dbe09baf6b0791fcc407a1 ]
    
    This is a tablet created by GlobalSpace Technologies Limited
    which uses an Intel Atom x5-Z8300, 4GB of RAM & 64GB of storage.
    
    Link: https://web.archive.org/web/20171102141952/http://globalspace.in/11.6-device.html
    Signed-off-by: hmtheboy154 <buingoc67@gmail.com>
    Reviewed-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Link: https://lore.kernel.org/r/20240527091447.248849-2-hdegoede@redhat.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

platform/x86: touchscreen_dmi: Add info for the EZpad 6s Pro [+ + +]
Author: hmtheboy154 <buingoc67@gmail.com>
Date:   Mon May 27 11:14:47 2024 +0200

    platform/x86: touchscreen_dmi: Add info for the EZpad 6s Pro
    
    [ Upstream commit 3050052613790e75b5e4a8536930426b0a8b0774 ]
    
    The "EZpad 6s Pro" uses the same touchscreen as the "EZpad 6 Pro B",
    unlike the "Ezpad 6 Pro" which has its own touchscreen.
    
    Signed-off-by: hmtheboy154 <buingoc67@gmail.com>
    Reviewed-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Link: https://lore.kernel.org/r/20240527091447.248849-3-hdegoede@redhat.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n [+ + +]
Author: Michael Ellerman <mpe@ellerman.id.au>
Date:   Fri May 3 17:56:19 2024 +1000

    powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for CONFIG_PCI=n
    
    [ Upstream commit be140f1732b523947425aaafbe2e37b41b622d96 ]
    
    There is code that builds with calls to IO accessors even when
    CONFIG_PCI=n, but the actual calls are guarded by runtime checks.
    
    If not those calls would be faulting, because the page at virtual
    address zero is (usually) not mapped into the kernel. As Arnd pointed
    out, it is possible a large port value could cause the address to be
    above mmap_min_addr which would then access userspace, which would be
    a bug.
    
    To avoid any such issues, set _IO_BASE to POISON_POINTER_DELTA. That
    is a value chosen to point into unmapped space between the kernel and
    userspace, so any access will always fault.
    
    Note that on 32-bit POISON_POINTER_DELTA is 0, so the patch only has an
    effect on 64-bit.
    
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://msgid.link/20240503075619.394467-2-mpe@ellerman.id.au
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
powerpc/64s: Fix unnecessary copy to 0 when kernel is booted at address 0 [+ + +]
Author: Jinglin Wen <jinglin.wen@shingroup.cn>
Date:   Thu Jun 20 10:41:50 2024 +0800

    powerpc/64s: Fix unnecessary copy to 0 when kernel is booted at address 0
    
    commit 13fc6c175924eaa953cf597ce28ffa4edc4554a6 upstream.
    
    According to the code logic, when the kernel is loaded at address 0, no
    copying operation should be performed, but it is currently being done.
    
    This patch fixes the issue where the kernel code was incorrectly
    duplicated to address 0 when booting from address 0.
    
    Fixes: b270bebd34e3 ("powerpc/64s: Run at the kernel virtual address earlier in boot")
    Cc: stable@vger.kernel.org # v6.4+
    Signed-off-by: Jinglin Wen <jinglin.wen@shingroup.cn>
    Suggested-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://msgid.link/20240620024150.14857-1-jinglin.wen@shingroup.cn
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
powerpc/pseries: Fix scv instruction crash with kexec [+ + +]
Author: Nicholas Piggin <npiggin@gmail.com>
Date:   Tue Jun 25 23:40:47 2024 +1000

    powerpc/pseries: Fix scv instruction crash with kexec
    
    commit 21a741eb75f80397e5f7d3739e24d7d75e619011 upstream.
    
    kexec on pseries disables AIL (reloc_on_exc), required for scv
    instruction support, before other CPUs have been shut down. This means
    they can execute scv instructions after AIL is disabled, which causes an
    interrupt at an unexpected entry location that crashes the kernel.
    
    Change the kexec sequence to disable AIL after other CPUs have been
    brought down.
    
    As a refresher, the real-mode scv interrupt vector is 0x17000, and the
    fixed-location head code probably couldn't easily deal with implementing
    such high addresses so it was just decided not to support that interrupt
    at all.
    
    Fixes: 7fa95f9adaee ("powerpc/64s: system call support for scv/rfscv instructions")
    Cc: stable@vger.kernel.org # v5.9+
    Reported-by: Sourabh Jain <sourabhjain@linux.ibm.com>
    Closes: https://lore.kernel.org/3b4b2943-49ad-4619-b195-bc416f1d1409@linux.ibm.com
    Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
    Tested-by: Gautam Menghani <gautam@linux.ibm.com>
    Tested-by: Sourabh Jain <sourabhjain@linux.ibm.com>
    Link: https://msgid.link/20240625134047.298759-1-npiggin@gmail.com
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
powerpc/xmon: Check cpu id in commands "c#", "dp#" and "dx#" [+ + +]
Author: Greg Kurz <groug@kaod.org>
Date:   Tue Mar 9 19:11:10 2021 +0100

    powerpc/xmon: Check cpu id in commands "c#", "dp#" and "dx#"
    
    [ Upstream commit 8873aab8646194a4446117bb617cc71bddda2dee ]
    
    All these commands end up peeking into the PACA using the user
    originated cpu id as an index. Check the cpu id is valid in order
    to prevent xmon to crash. Instead of printing an error, this follows
    the same behavior as the "lp s #" command : ignore the buggy cpu id
    parameter and fall back to the #-less version of the command.
    
    Signed-off-by: Greg Kurz <groug@kaod.org>
    Reviewed-by: Cédric Le Goater <clg@kaod.org>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://msgid.link/161531347060.252863.10490063933688958044.stgit@bahia.lan
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
powerpc: Avoid nmi_enter/nmi_exit in real mode interrupt. [+ + +]
Author: Mahesh Salgaonkar <mahesh@linux.ibm.com>
Date:   Wed Apr 10 10:00:06 2024 +0530

    powerpc: Avoid nmi_enter/nmi_exit in real mode interrupt.
    
    [ Upstream commit 0db880fc865ffb522141ced4bfa66c12ab1fbb70 ]
    
    nmi_enter()/nmi_exit() touches per cpu variables which can lead to kernel
    crash when invoked during real mode interrupt handling (e.g. early HMI/MCE
    interrupt handler) if percpu allocation comes from vmalloc area.
    
    Early HMI/MCE handlers are called through DEFINE_INTERRUPT_HANDLER_NMI()
    wrapper which invokes nmi_enter/nmi_exit calls. We don't see any issue when
    percpu allocation is from the embedded first chunk. However with
    CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK enabled there are chances where percpu
    allocation can come from the vmalloc area.
    
    With kernel command line "percpu_alloc=page" we can force percpu allocation
    to come from vmalloc area and can see kernel crash in machine_check_early:
    
    [    1.215714] NIP [c000000000e49eb4] rcu_nmi_enter+0x24/0x110
    [    1.215717] LR [c0000000000461a0] machine_check_early+0xf0/0x2c0
    [    1.215719] --- interrupt: 200
    [    1.215720] [c000000fffd73180] [0000000000000000] 0x0 (unreliable)
    [    1.215722] [c000000fffd731b0] [0000000000000000] 0x0
    [    1.215724] [c000000fffd73210] [c000000000008364] machine_check_early_common+0x134/0x1f8
    
    Fix this by avoiding use of nmi_enter()/nmi_exit() in real mode if percpu
    first chunk is not embedded.
    
    Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
    Tested-by: Shirisha Ganta <shirisha@linux.ibm.com>
    Signed-off-by: Mahesh Salgaonkar <mahesh@linux.ibm.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Link: https://msgid.link/20240410043006.81577-1-mahesh@linux.ibm.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
regmap-i2c: Subtract reg size from max_write [+ + +]
Author: Jim Wylder <jwylder@google.com>
Date:   Thu May 23 16:14:36 2024 -0500

    regmap-i2c: Subtract reg size from max_write
    
    [ Upstream commit 611b7eb19d0a305d4de00280e4a71a1b15c507fc ]
    
    Currently, when an adapter defines a max_write_len quirk,
    the data will be chunked into data sizes equal to the
    max_write_len quirk value.  But the payload will be increased by
    the size of the register address before transmission.  The
    resulting value always ends up larger than the limit set
    by the quirk.
    
    Avoid this error by setting regmap's max_write to the quirk's
    max_write_len minus the number of bytes for the register and
    padding.  This allows the chunking to work correctly for this
    limited case without impacting other use-cases.
    
    Signed-off-by: Jim Wylder <jwylder@google.com>
    Link: https://msgid.link/r/20240523211437.2839942-1-jwylder@google.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
Revert "igc: fix a log entry using uninitialized netdev" [+ + +]
Author: Sasha Neftin <sasha.neftin@intel.com>
Date:   Tue Jun 11 09:24:55 2024 -0700

    Revert "igc: fix a log entry using uninitialized netdev"
    
    commit 8eef5c3cea65f248c99cd9dcb3f84c6509b78162 upstream.
    
    This reverts commit 86167183a17e03ec77198897975e9fdfbd53cb0b.
    
    igc_ptp_init() needs to be called before igc_reset(), otherwise kernel
    crash could be observed. Following the corresponding discussion [1] and
    [2] revert this commit.
    
    Link: https://lore.kernel.org/all/8fb634f8-7330-4cf4-a8ce-485af9c0a61a@intel.com/ [1]
    Link: https://lore.kernel.org/all/87o78rmkhu.fsf@intel.com/ [2]
    Fixes: 86167183a17e ("igc: fix a log entry using uninitialized netdev")
    Signed-off-by: Sasha Neftin <sasha.neftin@intel.com>
    Tested-by: Naama Meir <naamax.meir@linux.intel.com>
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Link: https://lore.kernel.org/r/20240611162456.961631-1-anthony.l.nguyen@intel.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
Revert "mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again" [+ + +]
Author: Jan Kara <jack@suse.cz>
Date:   Fri Jun 21 16:42:37 2024 +0200

    Revert "mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again"
    
    commit 30139c702048f1097342a31302cbd3d478f50c63 upstream.
    
    Patch series "mm: Avoid possible overflows in dirty throttling".
    
    Dirty throttling logic assumes dirty limits in page units fit into
    32-bits.  This patch series makes sure this is true (see patch 2/2 for
    more details).
    
    
    This patch (of 2):
    
    This reverts commit 9319b647902cbd5cc884ac08a8a6d54ce111fc78.
    
    The commit is broken in several ways.  Firstly, the removed (u64) cast
    from the multiplication will introduce a multiplication overflow on 32-bit
    archs if wb_thresh * bg_thresh >= 1<<32 (which is actually common - the
    default settings with 4GB of RAM will trigger this).  Secondly, the
    div64_u64() is unnecessarily expensive on 32-bit archs.  We have
    div64_ul() in case we want to be safe & cheap.  Thirdly, if dirty
    thresholds are larger than 1<<32 pages, then dirty balancing is going to
    blow up in many other spectacular ways anyway so trying to fix one
    possible overflow is just moot.
    
    Link: https://lkml.kernel.org/r/20240621144017.30993-1-jack@suse.cz
    Link: https://lkml.kernel.org/r/20240621144246.11148-1-jack@suse.cz
    Fixes: 9319b647902c ("mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again")
    Signed-off-by: Jan Kara <jack@suse.cz>
    Reviewed-By: Zach O'Keefe <zokeefe@google.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
RISC-V: KVM: Fix the initial sample period value [+ + +]
Author: Atish Patra <atishp@rivosinc.com>
Date:   Sat Apr 20 08:17:26 2024 -0700

    RISC-V: KVM: Fix the initial sample period value
    
    [ Upstream commit 57990ab90ce31aadac0d5a6293f5582e24ff7521 ]
    
    The initial sample period value when counter value is not assigned
    should be set to maximum value supported by the counter width.
    Otherwise, it may result in spurious interrupts.
    
    Reviewed-by: Andrew Jones <ajones@ventanamicro.com>
    Signed-off-by: Atish Patra <atishp@rivosinc.com>
    Reviewed-by: Anup Patel <anup@brainfault.org>
    Link: https://lore.kernel.org/r/20240420151741.962500-11-atishp@rivosinc.com
    Signed-off-by: Anup Patel <anup@brainfault.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
riscv: Apply SiFive CIP-1200 workaround to single-ASID sfence.vma [+ + +]
Author: Samuel Holland <samuel.holland@sifive.com>
Date:   Tue Mar 26 21:49:48 2024 -0700

    riscv: Apply SiFive CIP-1200 workaround to single-ASID sfence.vma
    
    [ Upstream commit 20e03d702e00a3e0269a1d6f9549c2e370492054 ]
    
    commit 3f1e782998cd ("riscv: add ASID-based tlbflushing methods") added
    calls to the sfence.vma instruction with rs2 != x0. These single-ASID
    instruction variants are also affected by SiFive errata CIP-1200.
    
    Until now, the errata workaround was not needed for the single-ASID
    sfence.vma variants, because they were only used when the ASID allocator
    was enabled, and the affected SiFive platforms do not support multiple
    ASIDs. However, we are going to start using those sfence.vma variants
    regardless of ASID support, so now we need alternatives covering them.
    
    Signed-off-by: Samuel Holland <samuel.holland@sifive.com>
    Link: https://lore.kernel.org/r/20240327045035.368512-8-samuel.holland@sifive.com
    Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

riscv: kexec: Avoid deadlock in kexec crash path [+ + +]
Author: Song Shuai <songshuaishuai@tinylab.org>
Date:   Wed Jun 26 10:33:16 2024 +0800

    riscv: kexec: Avoid deadlock in kexec crash path
    
    [ Upstream commit c562ba719df570c986caf0941fea2449150bcbc4 ]
    
    If the kexec crash code is called in the interrupt context, the
    machine_kexec_mask_interrupts() function will trigger a deadlock while
    trying to acquire the irqdesc spinlock and then deactivate irqchip in
    irq_set_irqchip_state() function.
    
    Unlike arm64, riscv only requires irq_eoi handler to complete EOI and
    keeping irq_set_irqchip_state() will only leave this possible deadlock
    without any use. So we simply remove it.
    
    Link: https://lore.kernel.org/linux-riscv/20231208111015.173237-1-songshuaishuai@tinylab.org/
    Fixes: b17d19a5314a ("riscv: kexec: Fixup irq controller broken in kexec crash path")
    Signed-off-by: Song Shuai <songshuaishuai@tinylab.org>
    Reviewed-by: Ryo Takakura <takakura@valinux.co.jp>
    Link: https://lore.kernel.org/r/20240626023316.539971-1-songshuaishuai@tinylab.org
    Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
s390/dasd: Fix invalid dereferencing of indirect CCW data pointer [+ + +]
Author: Stefan Haberland <sth@linux.ibm.com>
Date:   Wed Jul 3 11:23:12 2024 +0200

    s390/dasd: Fix invalid dereferencing of indirect CCW data pointer
    
    commit b3a58f3b90f564f42a5c35778d8c5107b2c2150b upstream.
    
    Fix invalid dereferencing of indirect CCW data pointer in
    dasd_eckd_dump_sense() that leads to a kernel panic in error cases.
    
    When using indirect addressing for DASD CCWs (IDAW) the CCW CDA pointer
    does not contain the data address itself but a pointer to the IDAL.
    This needs to be translated from physical to virtual as well before
    using it.
    
    This dereferencing is also used for dasd_page_cache and also fixed
    although it is very unlikely that this code path ever gets used.
    
    Fixes: c0bd39601c13 ("s390/dasd: use new address translation helpers")
    Cc: stable@vger.kernel.org
    Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
    Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
s390/pkey: Use kfree_sensitive() to fix Coccinelle warnings [+ + +]
Author: Jules Irenge <jbi.octave@gmail.com>
Date:   Tue May 7 22:13:52 2024 +0100

    s390/pkey: Use kfree_sensitive() to fix Coccinelle warnings
    
    [ Upstream commit 22e6824622e8a8889df0f8fc4ed5aea0e702a694 ]
    
    Replace memzero_explicit() and kfree() with kfree_sensitive() to fix
    warnings reported by Coccinelle:
    
    WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1506)
    WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1643)
    WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1770)
    
    Signed-off-by: Jules Irenge <jbi.octave@gmail.com>
    Reviewed-by: Holger Dengler <dengler@linux.ibm.com>
    Link: https://lore.kernel.org/r/ZjqZkNi_JUJu73Rg@octinomon.home
    Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

s390/pkey: Wipe copies of clear-key structures on failure [+ + +]
Author: Holger Dengler <dengler@linux.ibm.com>
Date:   Tue May 7 17:03:19 2024 +0200

    s390/pkey: Wipe copies of clear-key structures on failure
    
    [ Upstream commit d65d76a44ffe74c73298ada25b0f578680576073 ]
    
    Wipe all sensitive data from stack for all IOCTLs, which convert a
    clear-key into a protected- or secure-key.
    
    Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
    Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com>
    Acked-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
    Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

s390/pkey: Wipe copies of protected- and secure-keys [+ + +]
Author: Holger Dengler <dengler@linux.ibm.com>
Date:   Tue May 7 17:03:20 2024 +0200

    s390/pkey: Wipe copies of protected- and secure-keys
    
    [ Upstream commit f2ebdadd85af4f4d0cae1e5d009c70eccc78c207 ]
    
    Although the clear-key of neither protected- nor secure-keys is
    accessible, this key material should only be visible to the calling
    process. So wipe all copies of protected- or secure-keys from stack,
    even in case of an error.
    
    Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
    Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com>
    Acked-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
    Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

s390/pkey: Wipe sensitive data on failure [+ + +]
Author: Holger Dengler <dengler@linux.ibm.com>
Date:   Tue May 7 17:03:18 2024 +0200

    s390/pkey: Wipe sensitive data on failure
    
    [ Upstream commit 1d8c270de5eb74245d72325d285894a577a945d9 ]
    
    Wipe sensitive data from stack also if the copy_to_user() fails.
    
    Suggested-by: Heiko Carstens <hca@linux.ibm.com>
    Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
    Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com>
    Acked-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
    Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
s390/vfio_ccw: Fix target addresses of TIC CCWs [+ + +]
Author: Eric Farman <farman@linux.ibm.com>
Date:   Fri Jun 28 18:37:38 2024 +0200

    s390/vfio_ccw: Fix target addresses of TIC CCWs
    
    [ Upstream commit 2ae157ec497d93c639a60e730e21ec9c66fa9a6e ]
    
    The processing of a Transfer-In-Channel (TIC) CCW requires locating
    the target of the CCW in the channel program, and updating the
    address to reflect what will actually be sent to hardware.
    
    An error exists where the 64-bit virtual address is truncated to
    32-bits (variable "cda") when performing this math. Since s390
    addresses of that size are 31-bits, this leaves that additional
    bit enabled such that the resulting I/O triggers a channel
    program check. This shows up occasionally when booting a KVM
    guest from a passthrough DASD device:
    
      ..snip...
      Interrupt Response Block Data:
      : 0x0000000000003990
          Function Ctrl : [Start]
          Activity Ctrl :
          Status Ctrl : [Alert] [Primary] [Secondary] [Status-Pending]
          Device Status :
          Channel Status : [Program-Check]
          cpa=: 0x00000000008d0018
          prev_ccw=: 0x0000000000000000
          this_ccw=: 0x0000000000000000
      ...snip...
      dasd-ipl: Failed to run IPL1 channel program
    
    The channel program address of "0x008d0018" in the IRB doesn't
    look wrong, but tracing the CCWs shows the offending bit enabled:
    
      ccw=0x0000012e808d0000 cda=00a0b030
      ccw=0x0000012e808d0008 cda=00a0b038
      ccw=0x0000012e808d0010 cda=808d0008
      ccw=0x0000012e808d0018 cda=00a0b040
    
    Fix the calculation of the TIC CCW's data address such that it points
    to a valid 31-bit address regardless of the input address.
    
    Fixes: bd36cfbbb9e1 ("s390/vfio_ccw_cp: use new address translation helpers")
    Signed-off-by: Eric Farman <farman@linux.ibm.com>
    Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
    Link: https://lore.kernel.org/r/20240628163738.3643513-1-farman@linux.ibm.com
    Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
    Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
s390: Mark psw in __load_psw_mask() as __unitialized [+ + +]
Author: Sven Schnelle <svens@linux.ibm.com>
Date:   Tue Apr 30 16:30:01 2024 +0200

    s390: Mark psw in __load_psw_mask() as __unitialized
    
    [ Upstream commit 7278a8fb8d032dfdc03d9b5d17e0bc451cdc1492 ]
    
    Without __unitialized, the following code is generated when
    INIT_STACK_ALL_ZERO is enabled:
    
    86: d7 0f f0 a0 f0 a0     xc      160(16,%r15), 160(%r15)
    8c: e3 40 f0 a0 00 24     stg     %r4, 160(%r15)
    92: c0 10 00 00 00 08     larl    %r1, 0xa2
    98: e3 10 f0 a8 00 24     stg     %r1, 168(%r15)
    9e: b2 b2 f0 a0           lpswe   160(%r15)
    
    The xc is not adding any security because psw is fully initialized
    with the following instructions. Add __unitialized to the psw
    definitiation to avoid the superfluous clearing of psw.
    
    Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Sven Schnelle <svens@linux.ibm.com>
    Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
scsi: mpi3mr: Sanitise num_phys [+ + +]
Author: Tomas Henzl <thenzl@redhat.com>
Date:   Mon Feb 26 16:10:13 2024 +0100

    scsi: mpi3mr: Sanitise num_phys
    
    [ Upstream commit 3668651def2c1622904e58b0280ee93121f2b10b ]
    
    Information is stored in mr_sas_port->phy_mask, values larger then size of
    this field shouldn't be allowed.
    
    Signed-off-by: Tomas Henzl <thenzl@redhat.com>
    Link: https://lore.kernel.org/r/20240226151013.8653-1-thenzl@redhat.com
    Acked-by: Sathya Prakash Veerichetty <sathya.prakash@broadcom.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

scsi: mpi3mr: Use proper format specifier in mpi3mr_sas_port_add() [+ + +]
Author: Nathan Chancellor <nathan@kernel.org>
Date:   Tue May 14 13:47:23 2024 -0700

    scsi: mpi3mr: Use proper format specifier in mpi3mr_sas_port_add()
    
    commit 9f365cb8bbd0162963d6852651d7c9e30adcb7b5 upstream.
    
    When building for a 32-bit platform such as ARM or i386, for which size_t
    is unsigned int, there is a warning due to using an unsigned long format
    specifier:
    
      drivers/scsi/mpi3mr/mpi3mr_transport.c:1370:11: error: format specifies type 'unsigned long' but the argument has type 'unsigned int' [-Werror,-Wformat]
       1369 |                         ioc_warn(mrioc, "skipping port %u, max allowed value is %lu\n",
            |                                                                                 ~~~
            |                                                                                 %u
       1370 |                             i, sizeof(mr_sas_port->phy_mask) * 8);
            |                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    Use the proper format specifier for size_t, %zu, to resolve the warning for
    all platforms.
    
    Fixes: 3668651def2c ("scsi: mpi3mr: Sanitise num_phys")
    Signed-off-by: Nathan Chancellor <nathan@kernel.org>
    Link: https://lore.kernel.org/r/20240514-mpi3mr-fix-wformat-v1-1-f1ad49217e5e@kernel.org
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

scsi: qedf: Make qedf_execute_tmf() non-preemptible [+ + +]
Author: John Meneghini <jmeneghi@redhat.com>
Date:   Wed Apr 3 11:01:55 2024 -0400

    scsi: qedf: Make qedf_execute_tmf() non-preemptible
    
    [ Upstream commit 0d8b637c9c5eeaa1a4e3dfb336f3ff918eb64fec ]
    
    Stop calling smp_processor_id() from preemptible code in
    qedf_execute_tmf90.  This results in BUG_ON() when running an RT kernel.
    
    [ 659.343280] BUG: using smp_processor_id() in preemptible [00000000] code: sg_reset/3646
    [ 659.343282] caller is qedf_execute_tmf+0x8b/0x360 [qedf]
    
    Tested-by: Guangwu Zhang <guazhang@redhat.com>
    Cc: Saurav Kashyap <skashyap@marvell.com>
    Cc: Nilesh Javali <njavali@marvell.com>
    Signed-off-by: John Meneghini <jmeneghi@redhat.com>
    Link: https://lore.kernel.org/r/20240403150155.412954-1-jmeneghi@redhat.com
    Acked-by: Saurav Kashyap <skashyap@marvell.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
sctp: prefer struct_size over open coded arithmetic [+ + +]
Author: Erick Archer <erick.archer@outlook.com>
Date:   Sat Apr 27 19:23:36 2024 +0200

    sctp: prefer struct_size over open coded arithmetic
    
    [ Upstream commit e5c5f3596de224422561d48eba6ece5210d967b3 ]
    
    This is an effort to get rid of all multiplications from allocation
    functions in order to prevent integer overflows [1][2].
    
    As the "ids" variable is a pointer to "struct sctp_assoc_ids" and this
    structure ends in a flexible array:
    
    struct sctp_assoc_ids {
            [...]
            sctp_assoc_t    gaids_assoc_id[];
    };
    
    the preferred way in the kernel is to use the struct_size() helper to
    do the arithmetic instead of the calculation "size + size * count" in
    the kmalloc() function.
    
    Also, refactor the code adding the "ids_size" variable to avoid sizing
    twice.
    
    This way, the code is more readable and safer.
    
    This code was detected with the help of Coccinelle, and audited and
    modified manually.
    
    Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments [1]
    Link: https://github.com/KSPP/linux/issues/160 [2]
    Signed-off-by: Erick Archer <erick.archer@outlook.com>
    Acked-by: Xin Long <lucien.xin@gmail.com>
    Reviewed-by: Kees Cook <keescook@chromium.org>
    Link: https://lore.kernel.org/r/PAXPR02MB724871DB78375AB06B5171C88B152@PAXPR02MB7248.eurprd02.prod.outlook.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
selftests/bpf: adjust dummy_st_ops_success to detect additional error [+ + +]
Author: Eduard Zingerman <eddyz87@gmail.com>
Date:   Tue Apr 23 18:28:18 2024 -0700

    selftests/bpf: adjust dummy_st_ops_success to detect additional error
    
    [ Upstream commit 3b3b84aacb4420226576c9732e7b539ca7b79633 ]
    
    As reported by Jose E. Marchesi in off-list discussion, GCC and LLVM
    generate slightly different code for dummy_st_ops_success/test_1():
    
      SEC("struct_ops/test_1")
      int BPF_PROG(test_1, struct bpf_dummy_ops_state *state)
      {
            int ret;
    
            if (!state)
                    return 0xf2f3f4f5;
    
            ret = state->val;
            state->val = 0x5a;
            return ret;
      }
    
      GCC-generated                  LLVM-generated
      ----------------------------   ---------------------------
      0: r1 = *(u64 *)(r1 + 0x0)     0: w0 = -0xd0c0b0b
      1: if r1 == 0x0 goto 5f        1: r1 = *(u64 *)(r1 + 0x0)
      2: r0 = *(s32 *)(r1 + 0x0)     2: if r1 == 0x0 goto 6f
      3: *(u32 *)(r1 + 0x0) = 0x5a   3: r0 = *(u32 *)(r1 + 0x0)
      4: exit                        4: w2 = 0x5a
      5: r0 = -0xd0c0b0b             5: *(u32 *)(r1 + 0x0) = r2
      6: exit                        6: exit
    
    If the 'state' argument is not marked as nullable in
    net/bpf/bpf_dummy_struct_ops.c, the verifier would assume that
    'r1 == 0x0' is never true:
    - for the GCC version, this means that instructions #5-6 would be
      marked as dead and removed;
    - for the LLVM version, all instructions would be marked as live.
    
    The test dummy_st_ops/dummy_init_ret_value actually sets the 'state'
    parameter to NULL.
    
    Therefore, when the 'state' argument is not marked as nullable,
    the GCC-generated version of the code would trigger a NULL pointer
    dereference at instruction #3.
    
    This patch updates the test_1() test case to always follow a shape
    similar to the GCC-generated version above, in order to verify whether
    the 'state' nullability is marked correctly.
    
    Reported-by: Jose E. Marchesi <jemarch@gnu.org>
    Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
    Link: https://lore.kernel.org/r/20240424012821.595216-3-eddyz87@gmail.com
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

selftests/bpf: do not pass NULL for non-nullable params in dummy_st_ops [+ + +]
Author: Eduard Zingerman <eddyz87@gmail.com>
Date:   Tue Apr 23 18:28:19 2024 -0700

    selftests/bpf: do not pass NULL for non-nullable params in dummy_st_ops
    
    [ Upstream commit f612210d456a0b969a0adca91e68dbea0e0ea301 ]
    
    dummy_st_ops.test_2 and dummy_st_ops.test_sleepable do not have their
    'state' parameter marked as nullable. Update dummy_st_ops.c to avoid
    passing NULL for such parameters, as the next patch would allow kernel
    to enforce this restriction.
    
    Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
    Link: https://lore.kernel.org/r/20240424012821.595216-4-eddyz87@gmail.com
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

selftests/bpf: dummy_st_ops should reject 0 for non-nullable params [+ + +]
Author: Eduard Zingerman <eddyz87@gmail.com>
Date:   Tue Apr 23 18:28:21 2024 -0700

    selftests/bpf: dummy_st_ops should reject 0 for non-nullable params
    
    [ Upstream commit 6a2d30d3c5bf9f088dcfd5f3746b04d84f2fab83 ]
    
    Check if BPF_PROG_TEST_RUN for bpf_dummy_struct_ops programs
    rejects execution if NULL is passed for non-nullable parameter.
    
    Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
    Link: https://lore.kernel.org/r/20240424012821.595216-6-eddyz87@gmail.com
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
selftests/harness: Fix tests timeout and race condition [+ + +]
Author: Mickaël Salaün <mic@digikod.net>
Date:   Fri Jun 21 20:06:05 2024 +0200

    selftests/harness: Fix tests timeout and race condition
    
    commit 130e42806773013e9cf32d211922c935ae2df86c upstream.
    
    We cannot use CLONE_VFORK because we also need to wait for the timeout
    signal.
    
    Restore tests timeout by using the original fork() call in __run_test()
    but also in __TEST_F_IMPL().  Also fix a race condition when waiting for
    the test child process.
    
    Because test metadata are shared between test processes, only the
    parent process must set the test PID (child).  Otherwise, t->pid may be
    set to zero, leading to inconsistent error cases:
    
      #  RUN           layout1.rule_on_mountpoint ...
      # rule_on_mountpoint: Test ended in some other way [127]
      #            OK  layout1.rule_on_mountpoint
      ok 20 layout1.rule_on_mountpoint
    
    As safeguards, initialize the "status" variable with a valid exit code,
    and handle unknown test exits as errors.
    
    The use of fork() introduces a new race condition in landlock/fs_test.c
    which seems to be specific to hostfs bind mounts, but I haven't found
    the root cause and it's difficult to trigger.  I'll try to fix it with
    another patch.
    
    Cc: Christian Brauner <brauner@kernel.org>
    Cc: Günther Noack <gnoack@google.com>
    Cc: Jakub Kicinski <kuba@kernel.org>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: Shuah Khan <shuah@kernel.org>
    Cc: Will Drewry <wad@chromium.org>
    Cc: stable@vger.kernel.org
    Closes: https://lore.kernel.org/r/9341d4db-5e21-418c-bf9e-9ae2da7877e1@sirena.org.uk
    Fixes: a86f18903db9 ("selftests/harness: Fix interleaved scheduling leading to race conditions")
    Fixes: 24cf65a62266 ("selftests/harness: Share _metadata between forked processes")
    Link: https://lore.kernel.org/r/20240621180605.834676-1-mic@digikod.net
    Tested-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Mickaël Salaün <mic@digikod.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
selftests/net: fix uninitialized variables [+ + +]
Author: John Hubbard <jhubbard@nvidia.com>
Date:   Mon May 6 12:02:04 2024 -0700

    selftests/net: fix uninitialized variables
    
    [ Upstream commit eb709b5f6536636dfb87b85ded0b2af9bb6cd9e6 ]
    
    When building with clang, via:
    
        make LLVM=1 -C tools/testing/selftest
    
    ...clang warns about three variables that are not initialized in all
    cases:
    
    1) The opt_ipproto_off variable is used uninitialized if "testname" is
    not "ip". Willem de Bruijn pointed out that this is an actual bug, and
    suggested the fix that I'm using here (thanks!).
    
    2) The addr_len is used uninitialized, but only in the assert case,
       which bails out, so this is harmless.
    
    3) The family variable in add_listener() is only used uninitialized in
       the error case (neither IPv4 nor IPv6 is specified), so it's also
       harmless.
    
    Fix by initializing each variable.
    
    Signed-off-by: John Hubbard <jhubbard@nvidia.com>
    Reviewed-by: Willem de Bruijn <willemb@google.com>
    Acked-by: Mat Martineau <martineau@kernel.org>
    Link: https://lore.kernel.org/r/20240506190204.28497-1-jhubbard@nvidia.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
selftests/resctrl: Fix non-contiguous CBM for AMD [+ + +]
Author: Babu Moger <babu.moger@amd.com>
Date:   Tue Jun 11 17:18:30 2024 -0500

    selftests/resctrl: Fix non-contiguous CBM for AMD
    
    [ Upstream commit 48236960c06d32370bfa6f2cc408e786873262c8 ]
    
    The non-contiguous CBM test fails on AMD with:
    Starting L3_NONCONT_CAT test ...
    Mounting resctrl to "/sys/fs/resctrl"
    CPUID output doesn't match 'sparse_masks' file content!
    not ok 5 L3_NONCONT_CAT: test
    
    AMD always supports non-contiguous CBM but does not report it via CPUID.
    
    Fix the non-contiguous CBM test to use CPUID to discover non-contiguous
    CBM support only on Intel.
    
    Fixes: ae638551ab64 ("selftests/resctrl: Add non-contiguous CBMs CAT test")
    Signed-off-by: Babu Moger <babu.moger@amd.com>
    Reviewed-by: Reinette Chatre <reinette.chatre@intel.com>
    Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
    Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
 
selftests: fix OOM in msg_zerocopy selftest [+ + +]
Author: Zijian Zhang <zijianzhang@bytedance.com>
Date:   Mon Jul 1 22:53:48 2024 +0000

    selftests: fix OOM in msg_zerocopy selftest
    
    [ Upstream commit af2b7e5b741aaae9ffbba2c660def434e07aa241 ]
    
    In selftests/net/msg_zerocopy.c, it has a while loop keeps calling sendmsg
    on a socket with MSG_ZEROCOPY flag, and it will recv the notifications
    until the socket is not writable. Typically, it will start the receiving
    process after around 30+ sendmsgs. However, as the introduction of commit
    dfa2f0483360 ("tcp: get rid of sysctl_tcp_adv_win_scale"), the sender is
    always writable and does not get any chance to run recv notifications.
    The selftest always exits with OUT_OF_MEMORY because the memory used by
    opt_skb exceeds the net.core.optmem_max. Meanwhile, it could be set to a
    different value to trigger OOM on older kernels too.
    
    Thus, we introduce "cfg_notification_limit" to force sender to receive
    notifications after some number of sendmsgs.
    
    Fixes: 07b65c5b31ce ("test: add msg_zerocopy test")
    Signed-off-by: Zijian Zhang <zijianzhang@bytedance.com>
    Signed-off-by: Xiaochun Lu <xiaochun.lu@bytedance.com>
    Reviewed-by: Willem de Bruijn <willemb@google.com>
    Link: https://patch.msgid.link/20240701225349.3395580-2-zijianzhang@bytedance.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

selftests: make order checking verbose in msg_zerocopy selftest [+ + +]
Author: Zijian Zhang <zijianzhang@bytedance.com>
Date:   Mon Jul 1 22:53:49 2024 +0000

    selftests: make order checking verbose in msg_zerocopy selftest
    
    [ Upstream commit 7d6d8f0c8b700c9493f2839abccb6d29028b4219 ]
    
    We find that when lock debugging is on, notifications may not come in
    order. Thus, we have order checking outputs managed by cfg_verbose, to
    avoid too many outputs in this case.
    
    Fixes: 07b65c5b31ce ("test: add msg_zerocopy test")
    Signed-off-by: Zijian Zhang <zijianzhang@bytedance.com>
    Signed-off-by: Xiaochun Lu <xiaochun.lu@bytedance.com>
    Reviewed-by: Willem de Bruijn <willemb@google.com>
    Link: https://patch.msgid.link/20240701225349.3395580-3-zijianzhang@bytedance.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
serial: imx: Raise TX trigger level to 8 [+ + +]
Author: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
Date:   Wed May 8 15:37:44 2024 +0200

    serial: imx: Raise TX trigger level to 8
    
    [ Upstream commit a3d8728ab079951741efa11360df43dbfacba7ab ]
    
    At the default TX trigger level of 2 in non-DMA mode (meaning that an
    interrupt is generated when less than 2 characters are left in the
    FIFO), we have observed frequent buffer underruns at 115200 Baud on an
    i.MX8M Nano. This can cause communication issues if the receiving side
    expects a continuous transfer.
    
    Increasing the level to 8 makes the UART trigger an interrupt earlier,
    giving the kernel enough time to refill the FIFO, at the cost of
    triggering one interrupt per ~24 instead of ~30 bytes of transmitted
    data (as the i.MX UART has a 32 byte FIFO).
    
    Signed-off-by: Michael Krummsdorf <michael.krummsdorf@tq-group.com>
    Signed-off-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
    Link: https://lore.kernel.org/r/20240508133744.35858-1-matthias.schiffer@ew.tq-group.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
spi: cadence: Ensure data lines set to low during dummy-cycle period [+ + +]
Author: Witold Sadowski <wsadowski@marvell.com>
Date:   Wed May 29 00:40:32 2024 -0700

    spi: cadence: Ensure data lines set to low during dummy-cycle period
    
    [ Upstream commit 4a69c1264ff41bc5bf7c03101ada0454fbf08868 ]
    
    During dummy-cycles xSPI will switch GPIO into Hi-Z mode. In that dummy
    period voltage on data lines will slowly drop, what can cause
    unintentional modebyte transmission. Value send to SPI memory chip will
    depend on last address, and clock frequency.
    To prevent unforeseen consequences of that behaviour, force send
    single modebyte(0x00).
    Modebyte will be send only if number of dummy-cycles is not equal
    to 0. Code must also reduce dummycycle byte count by one - as one byte
    is send as modebyte.
    
    Signed-off-by: Witold Sadowski <wsadowski@marvell.com>
    Link: https://msgid.link/r/20240529074037.1345882-2-wsadowski@marvell.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
swap: yield device immediately [+ + +]
Author: Christian Brauner <brauner@kernel.org>
Date:   Tue May 21 21:00:44 2024 +0200

    swap: yield device immediately
    
    [ Upstream commit 712182b67e831912f90259102ae334089e7bccd1 ]
    
    Otherwise we can cause spurious EBUSY issues when trying to mount the
    rootfs later on.
    
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=218845
    Reported-by: Petri Kaukasoina <petri.kaukasoina@tuni.fi>
    Signed-off-by: Christian Brauner <brauner@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
tcp: Don't flag tcp_sk(sk)->rx_opt.saw_unknown for TCP AO. [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Tue Jul 2 20:35:08 2024 -0700

    tcp: Don't flag tcp_sk(sk)->rx_opt.saw_unknown for TCP AO.
    
    [ Upstream commit 4b74726c01b7a0b5e1029e1e9247fd81590da726 ]
    
    When we process segments with TCP AO, we don't check it in
    tcp_parse_options().  Thus, opt_rx->saw_unknown is set to 1,
    which unconditionally triggers the BPF TCP option parser.
    
    Let's avoid the unnecessary BPF invocation.
    
    Fixes: 0a3a809089eb ("net/tcp: Verify inbound TCP-AO signed segments")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Dmitry Safonov <0x7f454c46@gmail.com>
    Link: https://patch.msgid.link/20240703033508.6321-1-kuniyu@amazon.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
tcp_metrics: validate source addr length [+ + +]
Author: Jakub Kicinski <kuba@kernel.org>
Date:   Thu Jun 27 14:25:00 2024 -0700

    tcp_metrics: validate source addr length
    
    [ Upstream commit 66be40e622e177316ae81717aa30057ba9e61dff ]
    
    I don't see anything checking that TCP_METRICS_ATTR_SADDR_IPV4
    is at least 4 bytes long, and the policy doesn't have an entry
    for this attribute at all (neither does it for IPv6 but v6 is
    manually validated).
    
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Fixes: 3e7013ddf55a ("tcp: metrics: Allow selective get/del of tcp-metrics based on src IP")
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
thermal/drivers/mediatek/lvts_thermal: Check NULL ptr on lvts_data [+ + +]
Author: Julien Panis <jpanis@baylibre.com>
Date:   Thu May 2 15:46:03 2024 +0200

    thermal/drivers/mediatek/lvts_thermal: Check NULL ptr on lvts_data
    
    [ Upstream commit a1191a77351e25ddf091bb1a231cae12ee598b5d ]
    
    Verify that lvts_data is not NULL before using it.
    
    Signed-off-by: Julien Panis <jpanis@baylibre.com>
    Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
    Link: https://lore.kernel.org/r/20240502-mtk-thermal-lvts-data-v1-1-65f1b0bfad37@baylibre.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
tools/power turbostat: Avoid possible memory corruption due to sparse topology IDs [+ + +]
Author: Patryk Wlazlyn <patryk.wlazlyn@linux.intel.com>
Date:   Mon May 6 15:39:08 2024 +0200

    tools/power turbostat: Avoid possible memory corruption due to sparse topology IDs
    
    [ Upstream commit 3559ea813ad3a9627934325c68ad05b18008a077 ]
    
    Save the highest core and package id when parsing topology to
    allocate enough memory when get_rapl_counters() is called with a core or
    a package id as a domain.
    
    Note that RAPL domains are per-package on Intel, but per-core on AMD.
    Thus, the RAPL code effectively runs in different modes on those two
    product lines.
    
    Signed-off-by: Patryk Wlazlyn <patryk.wlazlyn@linux.intel.com>
    Signed-off-by: Len Brown <len.brown@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

tools/power turbostat: Remember global max_die_id [+ + +]
Author: Len Brown <len.brown@intel.com>
Date:   Sun Apr 21 11:56:48 2024 -0400

    tools/power turbostat: Remember global max_die_id
    
    [ Upstream commit cda203388687aa075db6f8996c3c4549fa518ea8 ]
    
    This is necessary to gracefully handle sparse die_id's.
    
    no functional change
    
    Signed-off-by: Len Brown <len.brown@intel.com>
    Stable-dep-of: 3559ea813ad3 ("tools/power turbostat: Avoid possible memory corruption due to sparse topology IDs")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open() [+ + +]
Author: Neal Cardwell <ncardwell@google.com>
Date:   Wed Jun 26 22:42:27 2024 -0400

    UPSTREAM: tcp: fix DSACK undo in fast recovery to call tcp_try_to_open()
    
    [ Upstream commit a6458ab7fd4f427d4f6f54380453ad255b7fde83 ]
    
    In some production workloads we noticed that connections could
    sometimes close extremely prematurely with ETIMEDOUT after
    transmitting only 1 TLP and RTO retransmission (when we would normally
    expect roughly tcp_retries2 = TCP_RETR2 = 15 RTOs before a connection
    closes with ETIMEDOUT).
    
    From tracing we determined that these workloads can suffer from a
    scenario where in fast recovery, after some retransmits, a DSACK undo
    can happen at a point where the scoreboard is totally clear (we have
    retrans_out == sacked_out == lost_out == 0). In such cases, calling
    tcp_try_keep_open() means that we do not execute any code path that
    clears tp->retrans_stamp to 0. That means that tp->retrans_stamp can
    remain erroneously set to the start time of the undone fast recovery,
    even after the fast recovery is undone. If minutes or hours elapse,
    and then a TLP/RTO/RTO sequence occurs, then the start_ts value in
    retransmits_timed_out() (which is from tp->retrans_stamp) will be
    erroneously ancient (left over from the fast recovery undone via
    DSACKs). Thus this ancient tp->retrans_stamp value can cause the
    connection to die very prematurely with ETIMEDOUT via
    tcp_write_err().
    
    The fix: we change DSACK undo in fast recovery (TCP_CA_Recovery) to
    call tcp_try_to_open() instead of tcp_try_keep_open(). This ensures
    that if no retransmits are in flight at the time of DSACK undo in fast
    recovery then we properly zero retrans_stamp. Note that calling
    tcp_try_to_open() is more consistent with other loss recovery
    behavior, since normal fast recovery (CA_Recovery) and RTO recovery
    (CA_Loss) both normally end when tp->snd_una meets or exceeds
    tp->high_seq and then in tcp_fastretrans_alert() the "default" switch
    case executes tcp_try_to_open(). Also note that by inspection this
    change to call tcp_try_to_open() implies at least one other nice bug
    fix, where now an ECE-marked DSACK that causes an undo will properly
    invoke tcp_enter_cwr() rather than ignoring the ECE mark.
    
    Fixes: c7d9d6a185a7 ("tcp: undo on DSACK during recovery")
    Signed-off-by: Neal Cardwell <ncardwell@google.com>
    Signed-off-by: Yuchung Cheng <ycheng@google.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
usb: xhci: prevent potential failure in handle_tx_event() for Transfer events without TRB [+ + +]
Author: Niklas Neronin <niklas.neronin@linux.intel.com>
Date:   Mon Apr 29 17:02:37 2024 +0300

    usb: xhci: prevent potential failure in handle_tx_event() for Transfer events without TRB
    
    [ Upstream commit 66cb618bf0bb82859875b00eeffaf223557cb416 ]
    
    Some transfer events don't always point to a TRB, and consequently don't
    have a endpoint ring. In these cases, function handle_tx_event() should
    not proceed, because if 'ep->skip' is set, the pointer to the endpoint
    ring is used.
    
    To prevent a potential failure and make the code logical, return after
    checking the completion code for a Transfer event without TRBs.
    
    Signed-off-by: Niklas Neronin <niklas.neronin@linux.intel.com>
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Link: https://lore.kernel.org/r/20240429140245.3955523-11-mathias.nyman@linux.intel.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
vhost-scsi: Handle vhost_vq_work_queue failures for events [+ + +]
Author: Mike Christie <michael.christie@oracle.com>
Date:   Fri Mar 15 19:46:59 2024 -0500

    vhost-scsi: Handle vhost_vq_work_queue failures for events
    
    [ Upstream commit b1b2ce58ed23c5d56e0ab299a5271ac01f95b75c ]
    
    Currently, we can try to queue an event's work before the vhost_task is
    created. When this happens we just drop it in vhost_scsi_do_plug before
    even calling vhost_vq_work_queue. During a device shutdown we do the
    same thing after vhost_scsi_clear_endpoint has cleared the backends.
    
    In the next patches we will be able to kill the vhost_task before we
    have cleared the endpoint. In that case, vhost_vq_work_queue can fail
    and we will leak the event's memory. This has handle the failure by
    just freeing the event. This is safe to do, because
    vhost_vq_work_queue will only return failure for us when the vhost_task
    is killed and so userspace will not be able to handle events if we
    sent them.
    
    Signed-off-by: Mike Christie <michael.christie@oracle.com>
    Message-Id: <20240316004707.45557-2-michael.christie@oracle.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
vhost: Release worker mutex during flushes [+ + +]
Author: Mike Christie <michael.christie@oracle.com>
Date:   Fri Mar 15 19:47:05 2024 -0500

    vhost: Release worker mutex during flushes
    
    [ Upstream commit ba704ff4e142fd3cfaf3379dd3b3b946754e06e3 ]
    
    In the next patches where the worker can be killed while in use, we
    need to be able to take the worker mutex and kill queued works for
    new IO and flushes, and set some new flags to prevent new
    __vhost_vq_attach_worker calls from swapping in/out killed workers.
    
    If we are holding the worker mutex during a flush and the flush's work
    is still in the queue, the worker code that will handle the SIGKILL
    cleanup won't be able to take the mutex and perform it's cleanup. So
    this patch has us drop the worker mutex while waiting for the flush
    to complete.
    
    Signed-off-by: Mike Christie <michael.christie@oracle.com>
    Message-Id: <20240316004707.45557-8-michael.christie@oracle.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Stable-dep-of: db5247d9bf5c ("vhost_task: Handle SIGKILL by flushing work and exiting")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

vhost: Use virtqueue mutex for swapping worker [+ + +]
Author: Mike Christie <michael.christie@oracle.com>
Date:   Fri Mar 15 19:47:04 2024 -0500

    vhost: Use virtqueue mutex for swapping worker
    
    [ Upstream commit 34cf9ba5f00a222dddd9fc71de7c68fdaac7fb97 ]
    
    __vhost_vq_attach_worker uses the vhost_dev mutex to serialize the
    swapping of a virtqueue's worker. This was done for simplicity because
    we are already holding that mutex.
    
    In the next patches where the worker can be killed while in use, we need
    finer grained locking because some drivers will hold the vhost_dev mutex
    while flushing. However in the SIGKILL handler in the next patches, we
    will need to be able to swap workers (set current one to NULL), kill
    queued works and stop new flushes while flushes are in progress.
    
    To prepare us, this has us use the virtqueue mutex for swapping workers
    instead of the vhost_dev one.
    
    Signed-off-by: Mike Christie <michael.christie@oracle.com>
    Message-Id: <20240316004707.45557-7-michael.christie@oracle.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Stable-dep-of: db5247d9bf5c ("vhost_task: Handle SIGKILL by flushing work and exiting")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
vhost_task: Handle SIGKILL by flushing work and exiting [+ + +]
Author: Mike Christie <michael.christie@oracle.com>
Date:   Fri Mar 15 19:47:06 2024 -0500

    vhost_task: Handle SIGKILL by flushing work and exiting
    
    [ Upstream commit db5247d9bf5c6ade9fd70b4e4897441e0269b233 ]
    
    Instead of lingering until the device is closed, this has us handle
    SIGKILL by:
    
    1. marking the worker as killed so we no longer try to use it with
       new virtqueues and new flush operations.
    2. setting the virtqueue to worker mapping so no new works are queued.
    3. running all the exiting works.
    
    Suggested-by: Edward Adam Davis <eadavis@qq.com>
    Reported-and-tested-by: syzbot+98edc2df894917b3431f@syzkaller.appspotmail.com
    Message-Id: <tencent_546DA49414E876EEBECF2C78D26D242EE50A@qq.com>
    Signed-off-by: Mike Christie <michael.christie@oracle.com>
    Message-Id: <20240316004707.45557-9-michael.christie@oracle.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
virtio-pci: Check if is_avq is NULL [+ + +]
Author: Li Zhang <zhanglikernel@gmail.com>
Date:   Sat Mar 16 13:25:54 2024 +0800

    virtio-pci: Check if is_avq is NULL
    
    [ Upstream commit c8fae27d141a32a1624d0d0d5419d94252824498 ]
    
    [bug]
    In the virtio_pci_common.c function vp_del_vqs, vp_dev->is_avq is involved
    to determine whether it is admin virtqueue, but this function vp_dev->is_avq
     may be empty. For installations, virtio_pci_legacy does not assign a value
     to vp_dev->is_avq.
    
    [fix]
    Check whether it is vp_dev->is_avq before use.
    
    [test]
    Test with virsh Attach device
    Before this patch, the following command would crash the guest system
    
    After applying the patch, everything seems to be working fine.
    
    Signed-off-by: Li Zhang <zhanglikernel@gmail.com>
    Message-Id: <1710566754-3532-1-git-send-email-zhanglikernel@gmail.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Sat Jun 15 16:08:00 2024 +0000

    wifi: cfg80211: restrict NL80211_ATTR_TXQ_QUANTUM values
    
    [ Upstream commit d1cba2ea8121e7fdbe1328cea782876b1dd80993 ]
    
    syzbot is able to trigger softlockups, setting NL80211_ATTR_TXQ_QUANTUM
    to 2^31.
    
    We had a similar issue in sch_fq, fixed with commit
    d9e15a273306 ("pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM")
    
    watchdog: BUG: soft lockup - CPU#1 stuck for 26s! [kworker/1:0:24]
    Modules linked in:
    irq event stamp: 131135
     hardirqs last  enabled at (131134): [<ffff80008ae8778c>] __exit_to_kernel_mode arch/arm64/kernel/entry-common.c:85 [inline]
     hardirqs last  enabled at (131134): [<ffff80008ae8778c>] exit_to_kernel_mode+0xdc/0x10c arch/arm64/kernel/entry-common.c:95
     hardirqs last disabled at (131135): [<ffff80008ae85378>] __el1_irq arch/arm64/kernel/entry-common.c:533 [inline]
     hardirqs last disabled at (131135): [<ffff80008ae85378>] el1_interrupt+0x24/0x68 arch/arm64/kernel/entry-common.c:551
     softirqs last  enabled at (125892): [<ffff80008907e82c>] neigh_hh_init net/core/neighbour.c:1538 [inline]
     softirqs last  enabled at (125892): [<ffff80008907e82c>] neigh_resolve_output+0x268/0x658 net/core/neighbour.c:1553
     softirqs last disabled at (125896): [<ffff80008904166c>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
    CPU: 1 PID: 24 Comm: kworker/1:0 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
    Workqueue: mld mld_ifc_work
    pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
     pc : __list_del include/linux/list.h:195 [inline]
     pc : __list_del_entry include/linux/list.h:218 [inline]
     pc : list_move_tail include/linux/list.h:310 [inline]
     pc : fq_tin_dequeue include/net/fq_impl.h:112 [inline]
     pc : ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854
     lr : __list_del_entry include/linux/list.h:218 [inline]
     lr : list_move_tail include/linux/list.h:310 [inline]
     lr : fq_tin_dequeue include/net/fq_impl.h:112 [inline]
     lr : ieee80211_tx_dequeue+0x67c/0x3b4c net/mac80211/tx.c:3854
    sp : ffff800093d36700
    x29: ffff800093d36a60 x28: ffff800093d36960 x27: dfff800000000000
    x26: ffff0000d800ad50 x25: ffff0000d800abe0 x24: ffff0000d800abf0
    x23: ffff0000e0032468 x22: ffff0000e00324d4 x21: ffff0000d800abf0
    x20: ffff0000d800abf8 x19: ffff0000d800abf0 x18: ffff800093d363c0
    x17: 000000000000d476 x16: ffff8000805519dc x15: ffff7000127a6cc8
    x14: 1ffff000127a6cc8 x13: 0000000000000004 x12: ffffffffffffffff
    x11: ffff7000127a6cc8 x10: 0000000000ff0100 x9 : 0000000000000000
    x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000
    x5 : ffff80009287aa08 x4 : 0000000000000008 x3 : ffff80008034c7fc
    x2 : ffff0000e0032468 x1 : 00000000da0e46b8 x0 : ffff0000e0032470
    Call trace:
      __list_del include/linux/list.h:195 [inline]
      __list_del_entry include/linux/list.h:218 [inline]
      list_move_tail include/linux/list.h:310 [inline]
      fq_tin_dequeue include/net/fq_impl.h:112 [inline]
      ieee80211_tx_dequeue+0x6b8/0x3b4c net/mac80211/tx.c:3854
      wake_tx_push_queue net/mac80211/util.c:294 [inline]
      ieee80211_handle_wake_tx_queue+0x118/0x274 net/mac80211/util.c:315
      drv_wake_tx_queue net/mac80211/driver-ops.h:1350 [inline]
      schedule_and_wake_txq net/mac80211/driver-ops.h:1357 [inline]
      ieee80211_queue_skb+0x18e8/0x2244 net/mac80211/tx.c:1664
      ieee80211_tx+0x260/0x400 net/mac80211/tx.c:1966
      ieee80211_xmit+0x278/0x354 net/mac80211/tx.c:2062
      __ieee80211_subif_start_xmit+0xab8/0x122c net/mac80211/tx.c:4338
      ieee80211_subif_start_xmit+0xe0/0x438 net/mac80211/tx.c:4532
      __netdev_start_xmit include/linux/netdevice.h:4903 [inline]
      netdev_start_xmit include/linux/netdevice.h:4917 [inline]
      xmit_one net/core/dev.c:3531 [inline]
      dev_hard_start_xmit+0x27c/0x938 net/core/dev.c:3547
      __dev_queue_xmit+0x1678/0x33fc net/core/dev.c:4341
      dev_queue_xmit include/linux/netdevice.h:3091 [inline]
      neigh_resolve_output+0x558/0x658 net/core/neighbour.c:1563
      neigh_output include/net/neighbour.h:542 [inline]
      ip6_finish_output2+0x104c/0x1ee8 net/ipv6/ip6_output.c:137
      ip6_finish_output+0x428/0x7a0 net/ipv6/ip6_output.c:222
      NF_HOOK_COND include/linux/netfilter.h:303 [inline]
      ip6_output+0x270/0x594 net/ipv6/ip6_output.c:243
      dst_output include/net/dst.h:450 [inline]
      NF_HOOK+0x160/0x4f0 include/linux/netfilter.h:314
      mld_sendpack+0x7b4/0x10f4 net/ipv6/mcast.c:1818
      mld_send_cr net/ipv6/mcast.c:2119 [inline]
      mld_ifc_work+0x840/0xd0c net/ipv6/mcast.c:2650
      process_one_work+0x7b8/0x15d4 kernel/workqueue.c:3267
      process_scheduled_works kernel/workqueue.c:3348 [inline]
      worker_thread+0x938/0xef4 kernel/workqueue.c:3429
      kthread+0x288/0x310 kernel/kthread.c:388
      ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
    
    Fixes: 52539ca89f36 ("cfg80211: Expose TXQ stats and parameters to userspace")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Link: https://patch.msgid.link/20240615160800.250667-1-edumazet@google.com
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: mac80211: fix BSS_CHANGED_UNSOL_BCAST_PROBE_RESP [+ + +]
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Thu Jun 27 10:42:56 2024 +0200

    wifi: mac80211: fix BSS_CHANGED_UNSOL_BCAST_PROBE_RESP
    
    [ Upstream commit 816c6bec09ed5b90a58a1e12d5a606c5b6e23f47 ]
    
    Fix the definition of BSS_CHANGED_UNSOL_BCAST_PROBE_RESP so that
    not all higher bits get set, 1<<31 is a signed variable, so when
    we do
    
      u64 changed = BSS_CHANGED_UNSOL_BCAST_PROBE_RESP;
    
    we get sign expansion, so the value is 0xffff'ffff'8000'0000 and
    that's clearly not desired. Use BIT_ULL() to make it unsigned as
    well as the right type for the change flags.
    
    Fixes: 178e9d6adc43 ("wifi: mac80211: fix unsolicited broadcast probe config")
    Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com>
    Link: https://patch.msgid.link/20240627104257.06174d291db2.Iba0d642916eb78a61f8ab2cc5ca9280783d9c1db@changeid
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: mt76: mt7996: add sanity checks for background radar trigger [+ + +]
Author: StanleyYP Wang <StanleyYP.Wang@mediatek.com>
Date:   Wed Mar 20 19:09:16 2024 +0800

    wifi: mt76: mt7996: add sanity checks for background radar trigger
    
    [ Upstream commit ec55d8e7dfea92daff87f5c01689633f8c4e6a62 ]
    
    Check if background radar is enabled or not before manually triggering it,
    and also add more checks in radar detected event.
    
    Signed-off-by: StanleyYP Wang <StanleyYP.Wang@mediatek.com>
    Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: mt76: replace skb_put with skb_put_zero [+ + +]
Author: Felix Fietkau <nbd@nbd.name>
Date:   Thu Mar 14 17:02:52 2024 +0100

    wifi: mt76: replace skb_put with skb_put_zero
    
    [ Upstream commit 7f819a2f4fbc510e088b49c79addcf1734503578 ]
    
    Avoid potentially reusing uninitialized data
    
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: rtw89: fw: scan offload prohibit all 6 GHz channel if no 6 GHz sband [+ + +]
Author: Zong-Zhe Yang <kevin_yang@realtek.com>
Date:   Fri Apr 12 19:57:23 2024 +0800

    wifi: rtw89: fw: scan offload prohibit all 6 GHz channel if no 6 GHz sband
    
    [ Upstream commit bb38626f3f97e16e6d368a9ff6daf320f3fe31d9 ]
    
    We have some policy via BIOS to block uses of 6 GHz. In this case, 6 GHz
    sband will be NULL even if it is WiFi 7 chip. So, add NULL handling here
    to avoid crash.
    
    Signed-off-by: Zong-Zhe Yang <kevin_yang@realtek.com>
    Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
    Link: https://msgid.link/20240412115729.8316-3-pkshih@realtek.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: wilc1000: fix ies_len type in connect path [+ + +]
Author: Jozef Hopko <jozef.hopko@altana.com>
Date:   Mon Jul 1 18:23:20 2024 +0200

    wifi: wilc1000: fix ies_len type in connect path
    
    [ Upstream commit 39ab8fff623053a50951b659e5f6b72343d7d78c ]
    
    Commit 205c50306acf ("wifi: wilc1000: fix RCU usage in connect path")
    made sure that the IEs data was manipulated under the relevant RCU section.
    Unfortunately, while doing so, the commit brought a faulty implicit cast
    from int to u8 on the ies_len variable, making the parsing fail to be
    performed correctly if the IEs block is larger than 255 bytes. This failure
    can be observed with Access Points appending a lot of IEs TLVs in their
    beacon frames (reproduced with a Pixel phone acting as an Access Point,
    which brough 273 bytes of IE data in my testing environment).
    
    Fix IEs parsing by removing this undesired implicit cast.
    
    Fixes: 205c50306acf ("wifi: wilc1000: fix RCU usage in connect path")
    Signed-off-by: Jozef Hopko <jozef.hopko@altana.com>
    Signed-off-by: Alexis Lothoré <alexis.lothore@bootlin.com>
    Acked-by: Ajay Singh <ajay.kathat@microchip.com>
    Signed-off-by: Kalle Valo <kvalo@kernel.org>
    Link: https://patch.msgid.link/20240701-wilc_fix_ies_data-v1-1-7486cbacf98a@bootlin.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>