commit ffc253263a1375a65fa6c9f62a893e9767fbebfa Author: Linus Torvalds Date: Sun Oct 29 16:31:08 2023 -1000 Linux 6.6 commit 2af9b20dbb39f6ebf9b9b6c090271594627d818e Merge: e663ab6bb56fa bd94d86f490b7 Author: Linus Torvalds Date: Sat Oct 28 08:15:07 2023 -1000 Merge tag 'x86-urgent-2023-10-28' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull misc x86 fixes from Ingo Molnar: - Fix a possible CPU hotplug deadlock bug caused by the new TSC synchronization code - Fix a legacy PIC discovery bug that results in device troubles on affected systems, such as non-working keybards, etc - Add a new Intel CPU model number to * tag 'x86-urgent-2023-10-28' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/tsc: Defer marking TSC unstable to a worker x86/i8259: Skip probing when ACPI/MADT advertises PCAT compatibility x86/cpu: Add model number for Intel Arrow Lake mobile processor commit e663ab6bb56fa8f048cf8725aba577e56f7b2644 Merge: 4714de0332981 f199bf5bf84c1 Author: Linus Torvalds Date: Sat Oct 28 08:12:34 2023 -1000 Merge tag 'irq-urgent-2023-10-28' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull irq fix from Ingo Molnar: "Restore unintentionally lost quirk settings in the GIC irqchip driver, which broke certain devices" * tag 'irq-urgent-2023-10-28' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: irqchip/gic-v3-its: Don't override quirk settings with default values commit 4714de03329810b9ac57762b6bfdb73b123fedd5 Merge: 51a7691038c33 a71ef31485bb5 Author: Linus Torvalds Date: Sat Oct 28 08:10:47 2023 -1000 Merge tag 'perf-urgent-2023-10-28' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull perf event fix from Ingo Molnar: "Fix a potential NULL dereference bug" * tag 'perf-urgent-2023-10-28' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: perf/core: Fix potential NULL deref commit 51a7691038c334db81b736faa6b4cc4778e751fc Merge: bd80d2ef59bb6 926fe783c8a64 Author: Linus Torvalds Date: Sat Oct 28 08:04:56 2023 -1000 Merge tag 'probes-fixes-v6.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull probes fixes from Masami Hiramatsu: - tracing/kprobes: Fix kernel-doc warnings for the variable length arguments - tracing/kprobes: Fix to count the symbols in modules even if the module name is not specified so that user can probe the symbols in the modules without module name * tag 'probes-fixes-v6.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: tracing/kprobes: Fix symbol counting logic by looking at modules as well tracing/kprobes: Fix the description of variable length arguments commit bd80d2ef59bb6436effa6b7f77746b1418cf0a15 Merge: db5cda7fd4688 d5090484b0217 Author: Linus Torvalds Date: Sat Oct 28 08:01:31 2023 -1000 Merge tag 'dma-mapping-6.6-2023-10-28' of git://git.infradead.org/users/hch/dma-mapping Pull dma-mapping fix from Christoph Hellwig: - reduce the initialy dynamic swiotlb size to remove an annoying but harmless warning from the page allocator (Petr Tesarik) * tag 'dma-mapping-6.6-2023-10-28' of git://git.infradead.org/users/hch/dma-mapping: swiotlb: do not try to allocate a TLB bigger than MAX_ORDER pages commit db5cda7fd46881f88eee52f3960b7856ddf051fb Merge: 8907bfd2b11ab 28926daf731f7 Author: Linus Torvalds Date: Sat Oct 28 07:51:27 2023 -1000 Merge tag 'char-misc-6.6-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc Pull char/misc driver fixes from Greg KH: "Here are some very small driver fixes for 6.6-final that have shown up in the past two weeks. Included in here are: - tiny fastrpc bugfixes for reported errors - nvmem register fixes - iio driver fixes for some reported problems - fpga test fix - MAINTAINERS file update for fpga All of these have been in linux-next this week with no reported problems" * tag 'char-misc-6.6-final' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: fpga: Fix memory leak for fpga_region_test_class_find() fpga: m10bmc-sec: Change contact for secure update driver fpga: disable KUnit test suites when module support is enabled iio: afe: rescale: Accept only offset channels nvmem: imx: correct nregs for i.MX6ULL nvmem: imx: correct nregs for i.MX6UL nvmem: imx: correct nregs for i.MX6SLL misc: fastrpc: Unmap only if buffer is unmapped from DSP misc: fastrpc: Clean buffers on remote invocation failures misc: fastrpc: Free DMA handles for RPC calls with no arguments misc: fastrpc: Reset metadata buffer to avoid incorrect free iio: exynos-adc: request second interupt only when touchscreen mode is used iio: adc: xilinx-xadc: Correct temperature offset/scale for UltraScale iio: adc: xilinx-xadc: Don't clobber preset voltage/temperature thresholds dt-bindings: iio: add missing reset-gpios constrain commit 8907bfd2b11ab0d09f2c408f82bff09e55d53a9a Merge: 67d4c87945b2d c896ff2dd8f30 Author: Linus Torvalds Date: Sat Oct 28 07:48:37 2023 -1000 Merge tag 'i2c-for-6.6-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux Pull i2c fixes from Wolfram Sang: "Bugfixes for Axxia when it is a target and for PEC handling of stm32f7. Plus, fix an OF node leak pattern in the mux subsystem" * tag 'i2c-for-6.6-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: i2c: stm32f7: Fix PEC handling in case of SMBUS transfers i2c: muxes: i2c-mux-gpmux: Use of_get_i2c_adapter_by_node() i2c: muxes: i2c-demux-pinctrl: Use of_get_i2c_adapter_by_node() i2c: muxes: i2c-mux-pinctrl: Use of_get_i2c_adapter_by_node() i2c: aspeed: Fix i2c bus hang in slave read commit 67d4c87945b2d9678347eaa4567d62dd56dc9713 Merge: d1b0949f23a34 790437bbe0ef7 Author: Linus Torvalds Date: Fri Oct 27 16:52:51 2023 -1000 Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux Pull clk fixes from Stephen Boyd: "Three fixes, one for the clk framework and two for clk drivers: - Avoid an oops in possible_parent_show() by checking for no parent properly when a DT index based lookup is used - Handle errors returned from divider_ro_round_rate() in clk_stm32_composite_determine_rate() - Fix clk_ops::determine_rate() implementation of socfpga's gateclk_ops that was ruining uart output because the divider was forgotten about" * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux: clk: stm32: Fix a signedness issue in clk_stm32_composite_determine_rate() clk: Sanitize possible_parent_show to Handle Return Value of of_clk_get_parent_name clk: socfpga: gate: Account for the divider in determine_rate commit d1b0949f23a343d3153d5c681fb1866538534227 Merge: 56567a20b22bd dc32464a5fe49 Author: Linus Torvalds Date: Fri Oct 27 16:44:58 2023 -1000 Merge tag 'pull-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull misc filesystem fixes from Al Viro: "Assorted fixes all over the place: literally nothing in common, could have been three separate pull requests. All are simple regression fixes, but not for anything from this cycle" * tag 'pull-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: ceph_wait_on_conflict_unlink(): grab reference before dropping ->d_lock io_uring: kiocb_done() should *not* trust ->ki_pos if ->{read,write}_iter() failed sparc32: fix a braino in fault handling in csum_and_copy_..._user() commit 926fe783c8a64b33997fec405cf1af3e61aed441 Author: Andrii Nakryiko Date: Fri Oct 27 16:31:26 2023 -0700 tracing/kprobes: Fix symbol counting logic by looking at modules as well Recent changes to count number of matching symbols when creating a kprobe event failed to take into account kernel modules. As such, it breaks kprobes on kernel module symbols, by assuming there is no match. Fix this my calling module_kallsyms_on_each_symbol() in addition to kallsyms_on_each_match_symbol() to perform a proper counting. Link: https://lore.kernel.org/all/20231027233126.2073148-1-andrii@kernel.org/ Cc: Francis Laniel Cc: stable@vger.kernel.org Cc: Masami Hiramatsu Cc: Steven Rostedt Fixes: b022f0c7e404 ("tracing/kprobes: Return EADDRNOTAVAIL when func matches several symbols") Signed-off-by: Andrii Nakryiko Acked-by: Song Liu Signed-off-by: Masami Hiramatsu (Google) commit dc32464a5fe4946fe1a4d8f8e29961dc411933c5 Author: Al Viro Date: Thu Sep 14 21:55:29 2023 -0400 ceph_wait_on_conflict_unlink(): grab reference before dropping ->d_lock Use of dget() after we'd dropped ->d_lock is too late - dentry might be gone by that point. Reviewed-by: Jeff Layton Signed-off-by: Al Viro commit 1939316bf988f3e49a07d9c4dd6f660bf4daa53d Author: Al Viro Date: Mon Aug 28 18:47:31 2023 -0400 io_uring: kiocb_done() should *not* trust ->ki_pos if ->{read,write}_iter() failed ->ki_pos value is unreliable in such cases. For an obvious example, consider O_DSYNC write - we feed the data to page cache and start IO, then we make sure it's completed. Update of ->ki_pos is dealt with by the first part; failure in the second ends up with negative value returned _and_ ->ki_pos left advanced as if sync had been successful. In the same situation write(2) does not advance the file position at all. Reviewed-by: Christian Brauner Reviewed-by: Jens Axboe Signed-off-by: Al Viro commit 56567a20b22bdbf85c3e55eee3bf2bd23fa2f108 Merge: 2dc4e0f45593a 838b35bb6a89c Author: Linus Torvalds Date: Fri Oct 27 14:10:32 2023 -1000 Merge tag 'io_uring-6.6-2023-10-27' of git://git.kernel.dk/linux Pull io_uring fixes from Jens Axboe: "Fix for an issue reported where reading fdinfo could find a NULL thread as we didn't properly synchronize, and then a disable for the IOCB_DIO_CALLER_COMP optimization as a recent reported highlighted how that could lead to deadlocks if the task issued async O_DIRECT writes and then proceeded to do sync fallocate() calls" * tag 'io_uring-6.6-2023-10-27' of git://git.kernel.dk/linux: io_uring/rw: disable IOCB_DIO_CALLER_COMP io_uring/fdinfo: lock SQ thread while retrieving thread cpu/pid commit 1f36cd05e0081f2c75769a551d584c4ffb2a5660 Author: Al Viro Date: Sun Oct 22 19:34:28 2023 -0400 sparc32: fix a braino in fault handling in csum_and_copy_..._user() Fault handler used to make non-trivial calls, so it needed to set a stack frame up. Used to be save ... - grab a stack frame, old %o... become %i... .... ret - go back to address originally in %o7, currently %i7 restore - switch to previous stack frame, in delay slot Non-trivial calls had been gone since ab5e8b331244 and that code should have become retl - go back to address in %o7 clr %o0 - have return value set to 0 What it had become instead was ret - go back to address in %i7 - return address of *caller* clr %o0 - have return value set to 0 which is not good, to put it mildly - we forcibly return 0 from csum_and_copy_{from,to}_iter() (which is what the call of that thing had been inlined into) and do that without dropping the stack frame of said csum_and_copy_..._iter(). Confuses the hell out of the caller of csum_and_copy_..._iter(), obviously... Reviewed-by: Sam Ravnborg Fixes: ab5e8b331244 "sparc32: propagate the calling conventions change down to __csum_partial_copy_sparc_generic()" Signed-off-by: Al Viro commit 2dc4e0f45593abc53d58d0073b3b314f864c522b Merge: 832328c9f8aa4 2dd710d476f2f Author: Linus Torvalds Date: Fri Oct 27 14:01:59 2023 -1000 Merge tag 'block-6.6-2023-10-27' of git://git.kernel.dk/linux Pull block fix from Jens Axboe: "Just a single fix for a potential divide-by-zero, introduced in this cycle" * tag 'block-6.6-2023-10-27' of git://git.kernel.dk/linux: blk-throttle: check for overflow in calculate_bytes_allowed commit 832328c9f8aa4b41423f29a53ba7080eb7214976 Merge: a78a67f3019c6 24eca2dce0f8d Author: Linus Torvalds Date: Fri Oct 27 13:38:59 2023 -1000 Merge tag 'ata-6.6-final' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata Pull ATA fix from Damien Le Moal: "A single patch to fix a regression introduced by the recent suspend/resume fixes. The regression is that ATA disks are not stopped on system shutdown, which is not recommended and increases the disks SMART counters for unclean power off events. This patch fixes this by refining the recent rework of the scsi device manage_xxx flags" * tag 'ata-6.6-final' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata: scsi: sd: Introduce manage_shutdown device flag commit a78a67f3019c687d06dee8cebfb7b7cee7bf0216 Merge: 888cf78c29e22 3bde7ec13c971 Author: Linus Torvalds Date: Fri Oct 27 13:32:48 2023 -1000 Merge tag 'platform-drivers-x86-v6.6-6' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86 Pull x86 platform driver fix from Hans de Goede: "A single patch to extend the AMD PMC driver DMI quirk list for laptops which need special handling to avoid NVME s2idle suspend/resume errors" * tag 'platform-drivers-x86-v6.6-6' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86: platform/x86: Add s2idle quirk for more Lenovo laptops commit bd94d86f490b70c58b3fc5739328a53ad4b18d86 Author: Thomas Gleixner Date: Wed Oct 25 23:31:35 2023 +0200 x86/tsc: Defer marking TSC unstable to a worker Tetsuo reported the following lockdep splat when the TSC synchronization fails during CPU hotplug: tsc: Marking TSC unstable due to check_tsc_sync_source failed WARNING: inconsistent lock state inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. ffffffff8cfa1c78 (watchdog_lock){?.-.}-{2:2}, at: clocksource_watchdog+0x23/0x5a0 {IN-HARDIRQ-W} state was registered at: _raw_spin_lock_irqsave+0x3f/0x60 clocksource_mark_unstable+0x1b/0x90 mark_tsc_unstable+0x41/0x50 check_tsc_sync_source+0x14f/0x180 sysvec_call_function_single+0x69/0x90 Possible unsafe locking scenario: lock(watchdog_lock); lock(watchdog_lock); stack backtrace: _raw_spin_lock+0x30/0x40 clocksource_watchdog+0x23/0x5a0 run_timer_softirq+0x2a/0x50 sysvec_apic_timer_interrupt+0x6e/0x90 The reason is the recent conversion of the TSC synchronization function during CPU hotplug on the control CPU to a SMP function call. In case that the synchronization with the upcoming CPU fails, the TSC has to be marked unstable via clocksource_mark_unstable(). clocksource_mark_unstable() acquires 'watchdog_lock', but that lock is taken with interrupts enabled in the watchdog timer callback to minimize interrupt disabled time. That's obviously a possible deadlock scenario, Before that change the synchronization function was invoked in thread context so this could not happen. As it is not crucical whether the unstable marking happens slightly delayed, defer the call to a worker thread which avoids the lock context problem. Fixes: 9d349d47f0e3 ("x86/smpboot: Make TSC synchronization function call based") Reported-by: Tetsuo Handa Signed-off-by: Thomas Gleixner Tested-by: Tetsuo Handa Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/87zg064ceg.ffs@tglx commit 128b0c9781c9f2651bea163cb85e52a6c7be0f9e Author: Thomas Gleixner Date: Wed Oct 25 23:04:15 2023 +0200 x86/i8259: Skip probing when ACPI/MADT advertises PCAT compatibility David and a few others reported that on certain newer systems some legacy interrupts fail to work correctly. Debugging revealed that the BIOS of these systems leaves the legacy PIC in uninitialized state which makes the PIC detection fail and the kernel switches to a dummy implementation. Unfortunately this fallback causes quite some code to fail as it depends on checks for the number of legacy PIC interrupts or the availability of the real PIC. In theory there is no reason to use the PIC on any modern system when IO/APIC is available, but the dependencies on the related checks cannot be resolved trivially and on short notice. This needs lots of analysis and rework. The PIC detection has been added to avoid quirky checks and force selection of the dummy implementation all over the place, especially in VM guest scenarios. So it's not an option to revert the relevant commit as that would break a lot of other scenarios. One solution would be to try to initialize the PIC on detection fail and retry the detection, but that puts the burden on everything which does not have a PIC. Fortunately the ACPI/MADT table header has a flag field, which advertises in bit 0 that the system is PCAT compatible, which means it has a legacy 8259 PIC. Evaluate that bit and if set avoid the detection routine and keep the real PIC installed, which then gets initialized (for nothing) and makes the rest of the code with all the dependencies work again. Fixes: e179f6914152 ("x86, irq, pic: Probe for legacy PIC and set legacy_pic appropriately") Reported-by: David Lazar Signed-off-by: Thomas Gleixner Tested-by: David Lazar Reviewed-by: Hans de Goede Reviewed-by: Mario Limonciello Cc: stable@vger.kernel.org Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218003 Link: https://lore.kernel.org/r/875y2u5s8g.ffs@tglx commit b99d70c0d1380f1368fd4a82271280c4fd28558b Author: Tony Luck Date: Wed Oct 25 13:25:13 2023 -0700 x86/cpu: Add model number for Intel Arrow Lake mobile processor For "reasons" Intel has code-named this CPU with a "_H" suffix. [ dhansen: As usual, apply this and send it upstream quickly to make it easier for anyone who is doing work that consumes this. ] Signed-off-by: Tony Luck Signed-off-by: Dave Hansen Link: https://lore.kernel.org/all/20231025202513.12358-1-tony.luck%40intel.com commit 888cf78c29e223fd808682f477c18cf8f61ad995 Merge: 09a4a03c073ba 6e6c6d6bc6c96 Author: Linus Torvalds Date: Fri Oct 27 05:43:05 2023 -1000 Merge tag 'iommu-fix-v6.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu Pull iommu fix from Joerg Roedel: - Fix boot regression for Sapphire Rapids with Intel VT-d driver * tag 'iommu-fix-v6.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu: iommu: Avoid unnecessary cache invalidations commit 09a4a03c073bab5b375b71769f708d6932b370f7 Merge: 750b95887e567 47b8def9358c5 Author: Linus Torvalds Date: Fri Oct 27 05:40:42 2023 -1000 Merge tag 'powerpc-6.6-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc fixes from Michael Ellerman: - Fix boot crash with FLATMEM since set_ptes() introduction - Avoid calling arch_enter/leave_lazy_mmu() in set_ptes() Thanks to Aneesh Kumar K.V and Erhard Furtner. * tag 'powerpc-6.6-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc/mm: Avoid calling arch_enter/leave_lazy_mmu() in set_ptes powerpc/mm: Fix boot crash with FLATMEM commit 3bde7ec13c971445faade32172cb0b4370b841d9 Author: David Lazar Date: Wed Oct 25 21:30:16 2023 +0200 platform/x86: Add s2idle quirk for more Lenovo laptops When suspending to idle and resuming on some Lenovo laptops using the Mendocino APU, multiple NVME IOMMU page faults occur, showing up in dmesg as repeated errors: nvme 0000:01:00.0: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x000b address=0xb6674000 flags=0x0000] The system is unstable afterwards. Applying the s2idle quirk introduced by commit 455cd867b85b ("platform/x86: thinkpad_acpi: Add a s2idle resume quirk for a number of laptops") allows these systems to work with the IOMMU enabled and s2idle resume to work. Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218024 Suggested-by: Mario Limonciello Suggested-by: Mark Pearson Signed-off-by: David Lazar Reviewed-by: Mario Limonciello Reviewed-by: Mark Pearson Link: https://lore.kernel.org/r/ZTlsyOaFucF2pWrL@localhost Signed-off-by: Hans de Goede commit e0f831836cead677fb07d54bd6bf499df35640c2 Author: Yujie Liu Date: Fri Oct 27 12:13:14 2023 +0800 tracing/kprobes: Fix the description of variable length arguments Fix the following kernel-doc warnings: kernel/trace/trace_kprobe.c:1029: warning: Excess function parameter 'args' description in '__kprobe_event_gen_cmd_start' kernel/trace/trace_kprobe.c:1097: warning: Excess function parameter 'args' description in '__kprobe_event_add_fields' Refer to the usage of variable length arguments elsewhere in the kernel code, "@..." is the proper way to express it in the description. Link: https://lore.kernel.org/all/20231027041315.2613166-1-yujie.liu@intel.com/ Fixes: 2a588dd1d5d6 ("tracing: Add kprobe event command generation functions") Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202310190437.paI6LYJF-lkp@intel.com/ Signed-off-by: Yujie Liu Reviewed-by: Mukesh Ojha Acked-by: Masami Hiramatsu (Google) Signed-off-by: Masami Hiramatsu (Google) commit 6e6c6d6bc6c96c2477ddfea24a121eb5ee12b7a3 Author: Lu Baolu Date: Thu Oct 26 16:49:42 2023 +0800 iommu: Avoid unnecessary cache invalidations The iommu_create_device_direct_mappings() only needs to flush the caches when the mappings are changed in the affected domain. This is not true for non-DMA domains, or for devices attached to the domain that have no reserved regions. To avoid unnecessary cache invalidations, add a check before iommu_flush_iotlb_all(). Fixes: a48ce36e2786 ("iommu: Prevent RESV_DIRECT devices from blocking domains") Signed-off-by: Lu Baolu Tested-by: Henry Willard Link: https://lore.kernel.org/r/20231026084942.17387-1-baolu.lu@linux.intel.com Signed-off-by: Joerg Roedel commit 750b95887e567848ac2c851dae47922cac6db946 Merge: 3a568e3a961ba 44117828ed5c1 Author: Linus Torvalds Date: Thu Oct 26 20:42:02 2023 -1000 Merge tag 'drm-fixes-2023-10-27' of git://anongit.freedesktop.org/drm/drm Pull drm fixes from Dave Airlie: "This is the final set of fixes for 6.6, just misc bits mainly in amdgpu and i915, nothing too noteworthy. amdgpu: - ignore duplicated BOs in CS parser - remove redundant call to amdgpu_ctx_priority_is_valid() - Extend VI APSM quirks to more platforms amdkfd: - reserve fence slot while locking BO dp_mst: - Fix NULL deref in get_mst_branch_device_by_guid_helper() logicvc: - Kconfig: Select REGMAP and REGMAP_MMIO ivpu: - Fix missing VPUIP interrupts i915: - Determine context valid in OA reports - Hold GT forcewake during steering operations - Check if PMU is closed before stopping event" * tag 'drm-fixes-2023-10-27' of git://anongit.freedesktop.org/drm/drm: accel/ivpu/37xx: Fix missing VPUIP interrupts drm/amd: Disable ASPM for VI w/ all Intel systems drm/i915/pmu: Check if pmu is closed before stopping event drm/i915/mcr: Hold GT forcewake during steering operations drm/logicvc: Kconfig: select REGMAP and REGMAP_MMIO drm/i915/perf: Determine context valid in OA reports drm/amdkfd: reserve a fence slot while locking the BO drm/amdgpu: Remove redundant call to priority_is_valid() drm/dp_mst: Fix NULL deref in get_mst_branch_device_by_guid_helper() drm/amdgpu: ignore duplicate BOs again commit 44117828ed5c129a8146585e81262c0025daa50f Merge: 5679dd241bbf3 64ffd2f1d00c6 Author: Dave Airlie Date: Fri Oct 27 12:13:29 2023 +1000 Merge tag 'amd-drm-fixes-6.6-2023-10-25' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes amd-drm-fixes-6.6-2023-10-25: amdgpu: - Extend VI APSM quirks to more platforms Signed-off-by: Dave Airlie From: Alex Deucher Link: https://patchwork.freedesktop.org/patch/msgid/20231026035452.14921-1-alexander.deucher@amd.com commit 5679dd241bbf36492d8fcddb99af48b22a5f99ec Merge: 6366ffa6edd83 4cbed7702eb77 Author: Dave Airlie Date: Fri Oct 27 11:58:28 2023 +1000 Merge tag 'drm-intel-fixes-2023-10-26' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes - Determine context valid in OA reports (Umesh) - Hold GT forcewake during steering operations (Matt Roper) - Check if PMU is closed before stopping event (Umesh) Signed-off-by: Dave Airlie From: Rodrigo Vivi Link: https://patchwork.freedesktop.org/patch/msgid/ZTp8IQ0wxzxVjN7J@intel.com commit 6366ffa6edd832de870aaef184d5949a2e09c0c2 Merge: 05d3ef8bba77c b132ac51d7a50 Author: Dave Airlie Date: Fri Oct 27 11:50:51 2023 +1000 Merge tag 'drm-misc-fixes-2023-10-26' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes Short summary of fixes pull: amdgpu: - ignore duplicated BOs in CS parser - remove redundant call to amdgpu_ctx_priority_is_valid() amdkfd: - reserve fence slot while locking BO dp_mst: - Fix NULL deref in get_mst_branch_device_by_guid_helper() logicvc: - Kconfig: Select REGMAP and REGMAP_MMIO ivpu: - Fix missing VPUIP interrupts Signed-off-by: Dave Airlie From: Thomas Zimmermann Link: https://patchwork.freedesktop.org/patch/msgid/20231026110132.GA10591@linux-uq9g.fritz.box commit 24eca2dce0f8d19db808c972b0281298d0bafe99 Author: Damien Le Moal Date: Wed Oct 25 15:46:12 2023 +0900 scsi: sd: Introduce manage_shutdown device flag Commit aa3998dbeb3a ("ata: libata-scsi: Disable scsi device manage_system_start_stop") change setting the manage_system_start_stop flag to false for libata managed disks to enable libata internal management of disk suspend/resume. However, a side effect of this change is that on system shutdown, disks are no longer being stopped (set to standby mode with the heads unloaded). While this is not a critical issue, this unclean shutdown is not recommended and shows up with increased smart counters (e.g. the unexpected power loss counter "Unexpect_Power_Loss_Ct"). Instead of defining a shutdown driver method for all ATA adapter drivers (not all of them define that operation), this patch resolves this issue by further refining the sd driver start/stop control of disks using the new flag manage_shutdown. If this new flag is set to true by a low level driver, the function sd_shutdown() will issue a START STOP UNIT command with the start argument set to 0 when a disk needs to be powered off (suspended) on system power off, that is, when system_state is equal to SYSTEM_POWER_OFF. Similarly to the other manage_xxx flags, the new manage_shutdown flag is exposed through sysfs as a read-write device attribute. To avoid any confusion between manage_shutdown and manage_system_start_stop, the comments describing these flags in include/scsi/scsi.h are also improved. Fixes: aa3998dbeb3a ("ata: libata-scsi: Disable scsi device manage_system_start_stop") Cc: stable@vger.kernel.org Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218038 Link: https://lore.kernel.org/all/cd397c88-bf53-4768-9ab8-9d107df9e613@gmail.com/ Signed-off-by: Damien Le Moal Reviewed-by: Niklas Cassel Reviewed-by: Hannes Reinecke Reviewed-by: James Bottomley Acked-by: Martin K. Petersen commit 3a568e3a961ba330091cd031647e4c303fa0badb Merge: c17cda15cc86e 736a4aad8a9fd Author: Linus Torvalds Date: Thu Oct 26 08:17:26 2023 -1000 Merge tag 'soc-fixes-6.7-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc Pull ARM SoC fixes from Arnd Bergmann: "A couple of platforms have some last-minute fixes, in particular: - riscv gets some fixes for noncoherent DMA on the renesas and thead platforms and dts fix for SPI on the visionfive 2 board - Qualcomm Snapdragon gets three dts fixes to address board specific regressions on the pmic and gpio nodes - Rockchip platforms get multiple dts fixes to address issues on the recent rk3399 platform as well as the older rk3128 platform that apparently regressed a while ago. - TI OMAP gets some trivial code and dts fixes and a regression fix for the omap1 ams-delta modem - NXP i.MX firmware has one fix for a use-after-free but in its error handling" * tag 'soc-fixes-6.7-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (25 commits) soc: renesas: ARCH_R9A07G043 depends on !RISCV_ISA_ZICBOM riscv: only select DMA_DIRECT_REMAP from RISCV_ISA_ZICBOM and ERRATA_THEAD_PBMT riscv: RISCV_NONSTANDARD_CACHE_OPS shouldn't depend on RISCV_DMA_NONCOHERENT riscv: dts: thead: set dma-noncoherent to soc bus arm64: dts: rockchip: Fix i2s0 pin conflict on ROCK Pi 4 boards arm64: dts: rockchip: Add i2s0-2ch-bus-bclk-off pins to RK3399 clk: ti: Fix missing omap5 mcbsp functional clock and aliases clk: ti: Fix missing omap4 mcbsp functional clock and aliases ARM: OMAP1: ams-delta: Fix MODEM initialization failure soc: renesas: Make ARCH_R9A07G043 depend on required options riscv: dts: starfive: visionfive 2: correct spi's ss pin firmware/imx-dsp: Fix use_after_free in imx_dsp_setup_channels() ARM: OMAP: timer32K: fix all kernel-doc warnings ARM: omap2: fix a debug printk ARM: dts: rockchip: Fix timer clocks for RK3128 ARM: dts: rockchip: Add missing quirk for RK3128's dma engine ARM: dts: rockchip: Add missing arm timer interrupt for RK3128 ARM: dts: rockchip: Fix i2c0 register address for RK3128 arm64: dts: rockchip: set codec system-clock-fixed on px30-ringneck-haikou arm64: dts: rockchip: use codec as clock master on px30-ringneck-haikou ... commit c17cda15cc86e65e9725641daddcd7a63cc9ad01 Merge: 611da07b89fdd 53798666648af Author: Linus Torvalds Date: Thu Oct 26 07:41:27 2023 -1000 Merge tag 'net-6.6-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Paolo Abeni: "Including fixes from WiFi and netfilter. Most regressions addressed here come from quite old versions, with the exceptions of the iavf one and the WiFi fixes. No known outstanding reports or investigation. Fixes to fixes: - eth: iavf: in iavf_down, disable queues when removing the driver Previous releases - regressions: - sched: act_ct: additional checks for outdated flows - tcp: do not leave an empty skb in write queue - tcp: fix wrong RTO timeout when received SACK reneging - wifi: cfg80211: pass correct pointer to rdev_inform_bss() - eth: i40e: sync next_to_clean and next_to_process for programming status desc - eth: iavf: initialize waitqueues before starting watchdog_task Previous releases - always broken: - eth: r8169: fix data-races - eth: igb: fix potential memory leak in igb_add_ethtool_nfc_entry - eth: r8152: avoid writing garbage to the adapter's registers - eth: gtp: fix fragmentation needed check with gso" * tag 'net-6.6-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (43 commits) iavf: in iavf_down, disable queues when removing the driver vsock/virtio: initialize the_virtio_vsock before using VQs net: ipv6: fix typo in comments net: ipv4: fix typo in comments net/sched: act_ct: additional checks for outdated flows netfilter: flowtable: GC pushes back packets to classic path i40e: Fix wrong check for I40E_TXR_FLAGS_WB_ON_ITR gtp: fix fragmentation needed check with gso gtp: uapi: fix GTPA_MAX Fix NULL pointer dereference in cn_filter() sfc: cleanup and reduce netlink error messages net/handshake: fix file ref count in handshake_nl_accept_doit() wifi: mac80211: don't drop all unprotected public action frames wifi: cfg80211: fix assoc response warning on failed links wifi: cfg80211: pass correct pointer to rdev_inform_bss() isdn: mISDN: hfcsusb: Spelling fix in comment tcp: fix wrong RTO timeout when received SACK reneging r8152: Block future register access if register access fails r8152: Rename RTL8152_UNPLUG to RTL8152_INACCESSIBLE r8152: Check for unplug in r8153b_ups_en() / r8153c_ups_en() ... commit 736a4aad8a9fdcf577ffa33b33df240c67557af8 Merge: 291c0d3a98afb 9eab43facdadb Author: Arnd Bergmann Date: Thu Oct 26 17:06:37 2023 +0200 Merge tag 'renesas-fixes-for-v6.6-tag3' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/renesas-devel into arm/fixes Renesas fixes for v6.6 (take three) - Sort out a few Kconfig dependency issues for the rich set of RISC-V non-coherent DMA support. * tag 'renesas-fixes-for-v6.6-tag3' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/renesas-devel: soc: renesas: ARCH_R9A07G043 depends on !RISCV_ISA_ZICBOM riscv: only select DMA_DIRECT_REMAP from RISCV_ISA_ZICBOM and ERRATA_THEAD_PBMT riscv: RISCV_NONSTANDARD_CACHE_OPS shouldn't depend on RISCV_DMA_NONCOHERENT Link: https://lore.kernel.org/r/cover.1698312384.git.geert+renesas@glider.be Signed-off-by: Arnd Bergmann commit 9eab43facdadb7d00456c2657001ae2e5353c814 Author: Christoph Hellwig Date: Wed Oct 18 07:26:54 2023 +0200 soc: renesas: ARCH_R9A07G043 depends on !RISCV_ISA_ZICBOM ARCH_R9A07G043 has its own non-standard global pool based DMA coherent allocator, which conflicts with the remap based RISCV_ISA_ZICBOM version. Add a proper dependency. Signed-off-by: Christoph Hellwig Reviewed-by: Lad Prabhakar Acked-by: Conor Dooley Acked-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/20231018052654.50074-4-hch@lst.de Signed-off-by: Geert Uytterhoeven commit 381cae1698538ad2f90dd6ecd8ed155d194e072f Author: Christoph Hellwig Date: Wed Oct 18 07:26:53 2023 +0200 riscv: only select DMA_DIRECT_REMAP from RISCV_ISA_ZICBOM and ERRATA_THEAD_PBMT RISCV_DMA_NONCOHERENT is also used for whacky non-standard non-coherent ops that use different hooks in dma-direct. Signed-off-by: Christoph Hellwig Reviewed-by: Conor Dooley Reviewed-by: Robin Murphy Reviewed-by: Lad Prabhakar Tested-by: Samuel Holland Link: https://lore.kernel.org/r/20231018052654.50074-3-hch@lst.de Signed-off-by: Geert Uytterhoeven commit fd962781270e6452dd5b30c8aa0b3b0fbee06244 Author: Christoph Hellwig Date: Wed Oct 18 07:26:52 2023 +0200 riscv: RISCV_NONSTANDARD_CACHE_OPS shouldn't depend on RISCV_DMA_NONCOHERENT RISCV_NONSTANDARD_CACHE_OPS is also used for the pmem cache maintenance helpers, which are built into the kernel unconditionally. Signed-off-by: Christoph Hellwig Acked-by: Conor Dooley Link: https://lore.kernel.org/r/20231018052654.50074-2-hch@lst.de Signed-off-by: Geert Uytterhoeven commit b132ac51d7a50c37683be56c96ff64f8c887930f Author: Karol Wachowski Date: Tue Oct 24 18:19:52 2023 +0200 accel/ivpu/37xx: Fix missing VPUIP interrupts Move sequence of masking and unmasking global interrupts from buttress interrupt handler to generic one that handles both VPUIP and BTRS interrupts. Unmasking global interrupts will re-trigger MSI for any pending interrupts. Lack of this sequence will cause the driver to miss any VPUIP interrupt that comes after reading VPU_37XX_HOST_SS_ICB_STATUS_0 and before clearing all active interrupt sources. Fixes: 35b137630f08 ("accel/ivpu: Introduce a new DRM driver for Intel VPU") Cc: stable@vger.kernel.org Signed-off-by: Karol Wachowski Reviewed-by: Stanislaw Gruszka Signed-off-by: Stanislaw Gruszka Link: https://patchwork.freedesktop.org/patch/msgid/20231024161952.759914-1-stanislaw.gruszka@linux.intel.com commit 53798666648af3aa0dd512c2380576627237a800 Author: Michal Schmidt Date: Wed Oct 25 11:32:13 2023 -0700 iavf: in iavf_down, disable queues when removing the driver In iavf_down, we're skipping the scheduling of certain operations if the driver is being removed. However, the IAVF_FLAG_AQ_DISABLE_QUEUES request must not be skipped in this case, because iavf_close waits for the transition to the __IAVF_DOWN state, which happens in iavf_virtchnl_completion after the queues are released. Without this fix, "rmmod iavf" takes half a second per interface that's up and prints the "Device resources not yet released" warning. Fixes: c8de44b577eb ("iavf: do not process adminq tasks when __IAVF_IN_REMOVE_TASK is set") Signed-off-by: Michal Schmidt Reviewed-by: Wojciech Drewek Tested-by: Rafal Romanowski Tested-by: Jacob Keller Signed-off-by: Jacob Keller Link: https://lore.kernel.org/r/20231025183213.874283-1-jacob.e.keller@intel.com Signed-off-by: Jakub Kicinski commit 5e5d8b94a4fa5fc4a4ea5c97393a29aa5bf3e4bb Merge: 53b08c4985158 a63b6622120cd Author: Jakub Kicinski Date: Wed Oct 25 16:02:06 2023 -0700 Merge tag 'nf-23-10-25' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net This patch contains two late Netfilter's flowtable fixes for net: 1) Flowtable GC pushes back packets to classic path in every GC run, ie. every second. This is because NF_FLOW_HW_ESTABLISHED is only used by sched/act_ct (never set) and IPS_SEEN_REPLY might be unset by the time the flow is offloaded (this status bit is only reliable in the sched/act_ct datapath). 2) sched/act_ct logic to push back packets to classic path to reevaluate if UDP flow is unidirectional only applies if IPS_HW_OFFLOAD_BIT is set on and no hardware offload request is pending to be handled. From Vlad Buslov. These two patches fixes two problems that were introduced in the previous 6.5 development cycle. * tag 'nf-23-10-25' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: net/sched: act_ct: additional checks for outdated flows netfilter: flowtable: GC pushes back packets to classic path ==================== Link: https://lore.kernel.org/r/20231025100819.2664-1-pablo@netfilter.org Signed-off-by: Jakub Kicinski commit 53b08c4985158430fd6d035fb49443bada535210 Author: Alexandru Matei Date: Tue Oct 24 22:17:42 2023 +0300 vsock/virtio: initialize the_virtio_vsock before using VQs Once VQs are filled with empty buffers and we kick the host, it can send connection requests. If the_virtio_vsock is not initialized before, replies are silently dropped and do not reach the host. virtio_transport_send_pkt() can queue packets once the_virtio_vsock is set, but they won't be processed until vsock->tx_run is set to true. We queue vsock->send_pkt_work when initialization finishes to send those packets queued earlier. Fixes: 0deab087b16a ("vsock/virtio: use RCU to avoid use-after-free on the_virtio_vsock") Signed-off-by: Alexandru Matei Reviewed-by: Stefano Garzarella Link: https://lore.kernel.org/r/20231024191742.14259-1-alexandru.matei@uipath.com Signed-off-by: Jakub Kicinski commit f199bf5bf84c19a4f488a39d7d694ab10787de35 Author: Marc Zyngier Date: Tue Oct 24 15:34:31 2023 +0100 irqchip/gic-v3-its: Don't override quirk settings with default values When splitting the allocation of the ITS node from its configuration, some of the default settings were kept in the latter instead of being moved to the former. This has the side effect of negating some of the quirk detections that have happened in between, amongst which the dreaded Synquacer hack (that also affect Dominic's TI platform). Move the initialisation of these fields early, so that they can again be overriden by the Synquacer quirk. Fixes: 9585a495ac93 ("irqchip/gic-v3-its: Split allocation from initialisation of its_node") Reported by: Dominic Rath Signed-off-by: Marc Zyngier Signed-off-by: Thomas Gleixner Tested-by: Dominic Rath Link: https://lore.kernel.org/r/20231024084831.GA3788@JADEVM-DRA Link: https://lore.kernel.org/r/20231024143431.2144579-1-maz@kernel.org commit 611da07b89fdd53f140d7b33013f255bf0ed8f34 Merge: 4f82870119a46 9b311b7313d6c Author: Linus Torvalds Date: Wed Oct 25 07:51:56 2023 -1000 Merge tag 'acpi-6.6-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull ACPI fix from Rafael Wysocki: "Unbreak the ACPI NFIT driver after a recent change that inadvertently altered its behavior (Xiang Chen)" * tag 'acpi-6.6-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: ACPI: NFIT: Install Notify() handler before getting NFIT table commit d5090484b021794271280ab64d20253883b7f6fd Author: Petr Tesarik Date: Wed Oct 25 10:44:25 2023 +0200 swiotlb: do not try to allocate a TLB bigger than MAX_ORDER pages When allocating a new pool at runtime, reduce the number of slabs so that the allocation order is at most MAX_ORDER. This avoids a kernel warning in __alloc_pages(). The warning is relatively benign, because the pool size is subsequently reduced when allocation fails, but it is silly to start with a request that is known to fail, especially since this is the default behavior if the kernel is built with CONFIG_SWIOTLB_DYNAMIC=y and booted without any swiotlb= parameter. Reported-by: Ben Greear Closes: https://lore.kernel.org/netdev/4f173dd2-324a-0240-ff8d-abf5c191be18@candelatech.com/ Fixes: 1aaa736815eb ("swiotlb: allocate a new memory pool when existing pools are full") Signed-off-by: Petr Tesarik Signed-off-by: Christoph Hellwig commit 838b35bb6a89c36da07ca39520ec071d9250334d Author: Jens Axboe Date: Tue Oct 24 14:39:06 2023 -0600 io_uring/rw: disable IOCB_DIO_CALLER_COMP If an application does O_DIRECT writes with io_uring and the file system supports IOCB_DIO_CALLER_COMP, then completions of the dio write side is done from the task_work that will post the completion event for said write as well. Whenever a dio write is done against a file, the inode i_dio_count is elevated. This enables other callers to use inode_dio_wait() to wait for previous writes to complete. If we defer the full dio completion to task_work, we are dependent on that task_work being run before the inode i_dio_count can be decremented. If the same task that issues io_uring dio writes with IOCB_DIO_CALLER_COMP performs a synchronous system call that calls inode_dio_wait(), then we can deadlock as we're blocked sleeping on the event to become true, but not processing the completions that will result in the inode i_dio_count being decremented. Until we can guarantee that this is the case, then disable the deferred caller completions. Fixes: 099ada2c8726 ("io_uring/rw: add write support for IOCB_DIO_CALLER_COMP") Reported-by: Andres Freund Signed-off-by: Jens Axboe commit 64ffd2f1d00c6235dabe9704bbb0d9ce3e28147f Author: Mario Limonciello Date: Fri Oct 20 10:26:29 2023 -0500 drm/amd: Disable ASPM for VI w/ all Intel systems Originally we were quirking ASPM disabled specifically for VI when used with Alder Lake, but it appears to have problems with Rocket Lake as well. Like we've done in the case of dpm for newer platforms, disable ASPM for all Intel systems. Cc: stable@vger.kernel.org # 5.15+ Fixes: 0064b0ce85bb ("drm/amd/pm: enable ASPM by default") Reported-and-tested-by: Paolo Gentili Closes: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2036742 Signed-off-by: Mario Limonciello Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher commit 7644b1a1c9a7ae8ab99175989bfc8676055edb46 Author: Jens Axboe Date: Sat Oct 21 12:30:29 2023 -0600 io_uring/fdinfo: lock SQ thread while retrieving thread cpu/pid We could race with SQ thread exit, and if we do, we'll hit a NULL pointer dereference when the thread is cleared. Grab the SQPOLL data lock before attempting to get the task cpu and pid for fdinfo, this ensures we have a stable view of it. Cc: stable@vger.kernel.org Link: https://bugzilla.kernel.org/show_bug.cgi?id=218032 Reviewed-by: Gabriel Krisman Bertazi Signed-off-by: Jens Axboe commit 4cbed7702eb775cca22fff6827a549092cb59f61 Author: Umesh Nerlige Ramappa Date: Fri Oct 20 08:24:41 2023 -0700 drm/i915/pmu: Check if pmu is closed before stopping event When the driver unbinds, pmu is unregistered and i915->uabi_engines is set to RB_ROOT. Due to this, when i915 PMU tries to stop the engine events, it issues a warn_on because engine lookup fails. All perf hooks are taking care of this using a pmu->closed flag that is set when PMU unregisters. The stop event seems to have been left out. Check for pmu->closed in pmu_event_stop as well. Based on discussion here - https://patchwork.freedesktop.org/patch/492079/?series=105790&rev=2 v2: s/is/if/ in commit title v3: Add fixes tag and cc stable Cc: # v5.11+ Fixes: b00bccb3f0bb ("drm/i915/pmu: Handle PCI unbind") Signed-off-by: Umesh Nerlige Ramappa Reviewed-by: Tvrtko Ursulin Reviewed-by: Andi Shyti Signed-off-by: Andi Shyti Link: https://patchwork.freedesktop.org/patch/msgid/20231020152441.3764850-1-umesh.nerlige.ramappa@intel.com (cherry picked from commit 31f6a06f0c543b43a38fab10f39e5fc45ad62aa2) Signed-off-by: Rodrigo Vivi commit 78cc55e0b64c820673a796635daf82c7eadfe152 Author: Matt Roper Date: Thu Oct 19 10:02:42 2023 -0700 drm/i915/mcr: Hold GT forcewake during steering operations The steering control and semaphore registers are inside an "always on" power domain with respect to RC6. However there are some issues if higher-level platform sleep states are entering/exiting at the same time these registers are accessed. Grabbing GT forcewake and holding it over the entire lock/steer/unlock cycle ensures that those sleep states have been fully exited before we access these registers. This is expected to become a formally documented/numbered workaround soon. Note that this patch alone isn't expected to have an immediately noticeable impact on MCR (mis)behavior; an upcoming pcode firmware update will also be necessary to provide the other half of this workaround. v2: - Move the forcewake inside the Xe_LPG-specific IP version check. This should only be necessary on platforms that have a steering semaphore. Fixes: 3100240bf846 ("drm/i915/mtl: Add hardware-level lock for steering") Cc: Radhakrishna Sripada Cc: Jonathan Cavitt Signed-off-by: Matt Roper Reviewed-by: Radhakrishna Sripada Reviewed-by: Jonathan Cavitt Reviewed-by: Andi Shyti Link: https://patchwork.freedesktop.org/patch/msgid/20231019170241.2102037-2-matthew.d.roper@intel.com (cherry picked from commit 8fa1c7cd1fe9cdfc426a603e1f1eecd3f463c487) Signed-off-by: Rodrigo Vivi commit 4e6c38c38723a954b85aa9ee62603bb4a37acbb4 Author: Sui Jingfeng Date: Thu Jun 8 10:42:07 2023 +0800 drm/logicvc: Kconfig: select REGMAP and REGMAP_MMIO drm/logicvc driver is depend on REGMAP and REGMAP_MMIO, should select this two kconfig option, otherwise the driver failed to compile on platform without REGMAP_MMIO selected: ERROR: modpost: "__devm_regmap_init_mmio_clk" [drivers/gpu/drm/logicvc/logicvc-drm.ko] undefined! make[1]: *** [scripts/Makefile.modpost:136: Module.symvers] Error 1 make: *** [Makefile:1978: modpost] Error 2 Signed-off-by: Sui Jingfeng Acked-by: Paul Kocialkowski Fixes: efeeaefe9be5 ("drm: Add support for the LogiCVC display controller") Link: https://patchwork.freedesktop.org/patch/msgid/20230608024207.581401-1-suijingfeng@loongson.cn Signed-off-by: Paul Kocialkowski commit 1711435e3e67e079d6a2bce54d96d1af21c7ef2c Author: Deming Wang Date: Wed Oct 25 02:16:56 2023 -0400 net: ipv6: fix typo in comments The word "advertize" should be replaced by "advertise". Signed-off-by: Deming Wang Signed-off-by: David S. Miller commit 197f9fba9663e765f8f3ae3b2375c6cc32b2e2b3 Author: Deming Wang Date: Wed Oct 25 02:14:34 2023 -0400 net: ipv4: fix typo in comments The word "advertize" should be replaced by "advertise". Signed-off-by: Deming Wang Signed-off-by: David S. Miller commit a63b6622120cd03a304796dbccb80655b3a21798 Author: Vlad Buslov Date: Tue Oct 24 21:58:57 2023 +0200 net/sched: act_ct: additional checks for outdated flows Current nf_flow_is_outdated() implementation considers any flow table flow which state diverged from its underlying CT connection status for teardown which can be problematic in the following cases: - Flow has never been offloaded to hardware in the first place either because flow table has hardware offload disabled (flag NF_FLOWTABLE_HW_OFFLOAD is not set) or because it is still pending on 'add' workqueue to be offloaded for the first time. The former is incorrect, the later generates excessive deletions and additions of flows. - Flow is already pending to be updated on the workqueue. Tearing down such flows will also generate excessive removals from the flow table, especially on highly loaded system where the latency to re-offload a flow via 'add' workqueue can be quite high. When considering a flow for teardown as outdated verify that it is both offloaded to hardware and doesn't have any pending updates. Fixes: 41f2c7c342d3 ("net/sched: act_ct: Fix promotion of offloaded unreplied tuple") Reviewed-by: Paul Blakey Signed-off-by: Vlad Buslov Signed-off-by: Pablo Neira Ayuso commit 735795f68b37e9bb49f642407a0d49b1631ea1c7 Author: Pablo Neira Ayuso Date: Tue Oct 24 21:09:47 2023 +0200 netfilter: flowtable: GC pushes back packets to classic path Since 41f2c7c342d3 ("net/sched: act_ct: Fix promotion of offloaded unreplied tuple"), flowtable GC pushes back flows with IPS_SEEN_REPLY back to classic path in every run, ie. every second. This is because of a new check for NF_FLOW_HW_ESTABLISHED which is specific of sched/act_ct. In Netfilter's flowtable case, NF_FLOW_HW_ESTABLISHED never gets set on and IPS_SEEN_REPLY is unreliable since users decide when to offload the flow before, such bit might be set on at a later stage. Fix it by adding a custom .gc handler that sched/act_ct can use to deal with its NF_FLOW_HW_ESTABLISHED bit. Fixes: 41f2c7c342d3 ("net/sched: act_ct: Fix promotion of offloaded unreplied tuple") Reported-by: Vladimir Smelhaus Reviewed-by: Paul Blakey Signed-off-by: Pablo Neira Ayuso commit 47b8def9358c5eb888e78b24b7e5b7f2e2e97b8e Author: Aneesh Kumar K.V Date: Tue Oct 24 20:06:04 2023 +0530 powerpc/mm: Avoid calling arch_enter/leave_lazy_mmu() in set_ptes With commit 9fee28baa601 ("powerpc: implement the new page table range API") we added set_ptes to powerpc architecture. The implementation included calling arch_enter/leave_lazy_mmu() calls. The patch removes the usage of arch_enter/leave_lazy_mmu() because set_pte is not supposed to be used when updating a pte entry. Powerpc architecture uses this rule to skip the expensive tlb invalidate which is not needed when you are setting up the pte for the first time. See commit 56eecdb912b5 ("mm: Use ptep/pmdp_set_numa() for updating _PAGE_NUMA bit") for more details The patch also makes sure we are not using the interface to update a valid/present pte entry by adding VM_WARN_ON check all the ptes we are setting up. Furthermore, we add a comment to set_pte_filter to clarify it can only update folio-related flags and cannot filter pfn specific details in pte filtering. Removal of arch_enter/leave_lazy_mmu() also will avoid nesting of these functions that are not supported. For ex: remap_pte_range() -> arch_enter_lazy_mmu() -> set_ptes() -> arch_enter_lazy_mmu() -> arch_leave_lazy_mmu() -> arch_leave_lazy_mmu() Fixes: 9fee28baa601 ("powerpc: implement the new page table range API") Signed-off-by: "Aneesh Kumar K.V" Signed-off-by: Michael Ellerman Link: https://msgid.link/20231024143604.16749-1-aneesh.kumar@linux.ibm.com commit 77a8c982ff0d4c3a14022c6fe9e3dbfb327552ec Author: Ivan Vecera Date: Mon Oct 23 14:27:14 2023 -0700 i40e: Fix wrong check for I40E_TXR_FLAGS_WB_ON_ITR The I40E_TXR_FLAGS_WB_ON_ITR is i40e_ring flag and not i40e_pf one. Fixes: 8e0764b4d6be42 ("i40e/i40evf: Add support for writeback on ITR feature for X722") Signed-off-by: Ivan Vecera Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) Signed-off-by: Jacob Keller Link: https://lore.kernel.org/r/20231023212714.178032-1-jacob.e.keller@intel.com Signed-off-by: Jakub Kicinski commit 00d67093e4f1874f713e5869dbcf34a00665dbb7 Merge: cd8892c07876d 91535613b6090 Author: Jakub Kicinski Date: Tue Oct 24 13:10:53 2023 -0700 Merge tag 'wireless-2023-10-24' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless Johannes Berg says: ==================== Three more fixes: - don't drop all unprotected public action frames since some don't have a protected dual - fix pointer confusion in scanning code - fix warning in some connections with multiple links * tag 'wireless-2023-10-24' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless: wifi: mac80211: don't drop all unprotected public action frames wifi: cfg80211: fix assoc response warning on failed links wifi: cfg80211: pass correct pointer to rdev_inform_bss() ==================== Link: https://lore.kernel.org/r/20231024103540.19198-2-johannes@sipsolutions.net Signed-off-by: Jakub Kicinski commit 4f82870119a46b0d04d91ef4697ac4977a255a9d Merge: d88520ad73b79 099d7439ce03d Author: Linus Torvalds Date: Tue Oct 24 09:52:16 2023 -1000 Merge tag 'mm-hotfixes-stable-2023-10-24-09-40' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Pull misc fixes from Andrew Morton: "20 hotfixes. 12 are cc:stable and the remainder address post-6.5 issues or aren't considered necessary for earlier kernel versions" * tag 'mm-hotfixes-stable-2023-10-24-09-40' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm: maple_tree: add GFP_KERNEL to allocations in mas_expected_entries() selftests/mm: include mman header to access MREMAP_DONTUNMAP identifier mailmap: correct email aliasing for Oleksij Rempel mailmap: map Bartosz's old address to the current one mm/damon/sysfs: check DAMOS regions update progress from before_terminate() MAINTAINERS: Ondrej has moved kasan: disable kasan_non_canonical_hook() for HW tags kasan: print the original fault addr when access invalid shadow hugetlbfs: close race between MADV_DONTNEED and page fault hugetlbfs: extend hugetlb_vma_lock to private VMAs hugetlbfs: clear resv_map pointer if mmap fails mm: zswap: fix pool refcount bug around shrink_worker() mm/migrate: fix do_pages_move for compat pointers riscv: fix set_huge_pte_at() for NAPOT mappings when a swap entry is set riscv: handle VM_FAULT_[HWPOISON|HWPOISON_LARGE] faults instead of panicking mmap: fix error paths with dup_anon_vma() mmap: fix vma_iterator in error path of vma_merge() mm: fix vm_brk_flags() to not bail out while holding lock mm/mempolicy: fix set_mempolicy_home_node() previous VMA pointer mm/page_alloc: correct start page when guard page debug is enabled commit 28926daf731f72d0537767fdbab2a3e06e31190a Author: Jinjie Ruan Date: Mon Oct 23 11:28:57 2023 +0800 fpga: Fix memory leak for fpga_region_test_class_find() fpga_region_class_find() in fpga_region_test_class_find() will call get_device() if the data is matched, which will increment refcount for dev->kobj, so it should call put_device() to decrement refcount for dev->kobj to free the region, because fpga_region_unregister() will call fpga_region_dev_release() only when the refcount for dev->kobj is zero but fpga_region_test_init() call device_register() in fpga_region_register_full(), which also increment refcount. So call put_device() after calling fpga_region_class_find() in fpga_region_test_class_find(). After applying this patch, the following memory leak is never detected. unreferenced object 0xffff88810c8ef000 (size 1024): comm "kunit_try_catch", pid 1875, jiffies 4294715298 (age 836.836s) hex dump (first 32 bytes): b8 d1 fb 05 81 88 ff ff 08 f0 8e 0c 81 88 ff ff ................ 08 f0 8e 0c 81 88 ff ff 00 00 00 00 00 00 00 00 ................ backtrace: [] kmalloc_trace+0x27/0xa0 [] fpga_region_register_full+0x51/0x430 [fpga_region] [] 0xffffffffa0228e47 [] kunit_try_run_case+0xdd/0x250 [] kunit_generic_run_threadfn_adapter+0x4a/0x90 [] kthread+0x2b5/0x380 [] ret_from_fork+0x2d/0x70 [] ret_from_fork_asm+0x11/0x20 unreferenced object 0xffff888105fbd1b8 (size 8): comm "kunit_try_catch", pid 1875, jiffies 4294715298 (age 836.836s) hex dump (first 8 bytes): 72 65 67 69 6f 6e 30 00 region0. backtrace: [] __kmalloc_node_track_caller+0x53/0x150 [] kvasprintf+0xb0/0x130 [] kobject_set_name_vargs+0x41/0x110 [] dev_set_name+0xab/0xe0 [] fpga_region_register_full+0x312/0x430 [fpga_region] [] 0xffffffffa0228e47 [] kunit_try_run_case+0xdd/0x250 [] kunit_generic_run_threadfn_adapter+0x4a/0x90 [] kthread+0x2b5/0x380 [] ret_from_fork+0x2d/0x70 [] ret_from_fork_asm+0x11/0x20 unreferenced object 0xffff88810b3b8a00 (size 256): comm "kunit_try_catch", pid 1875, jiffies 4294715298 (age 836.836s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 08 8a 3b 0b 81 88 ff ff ..........;..... 08 8a 3b 0b 81 88 ff ff e0 ac 04 83 ff ff ff ff ..;............. backtrace: [] kmalloc_trace+0x27/0xa0 [] device_add+0xa2a/0x15e0 [] fpga_region_register_full+0x321/0x430 [fpga_region] [] 0xffffffffa0228e47 [] kunit_try_run_case+0xdd/0x250 [] kunit_generic_run_threadfn_adapter+0x4a/0x90 [] kthread+0x2b5/0x380 [] ret_from_fork+0x2d/0x70 [] ret_from_fork_asm+0x11/0x20 Fixes: 64a5f972c93d ("fpga: add an initial KUnit suite for the FPGA Region") Signed-off-by: Jinjie Ruan Reviewed-by: Marco Pagani Acked-by: Xu Yilun Link: https://lore.kernel.org/r/20231007094321.3447084-1-ruanjinjie@huawei.com [yilun.xu@intel.com: slightly changes the commit message] Signed-off-by: Xu Yilun Link: https://lore.kernel.org/r/20231023032857.902699-3-yilun.xu@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 1e55c5200dc7efeb84d4582a82d289329255fd82 Author: Russ Weight Date: Mon Oct 23 11:28:56 2023 +0800 fpga: m10bmc-sec: Change contact for secure update driver Change the maintainer for the Intel MAX10 BMC Secure Update driver from Russ Weight to Peter Colberg. Update the ABI documentation contact information as well. Signed-off-by: Russ Weight Acked-by: Peter Colberg Link: https://lore.kernel.org/r/20230928164753.278684-1-russell.h.weight@intel.com Signed-off-by: Xu Yilun Link: https://lore.kernel.org/r/20231023032857.902699-2-yilun.xu@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit cba94bbcff08d209710dd7bdc139caad675a6f8d Author: Umesh Nerlige Ramappa Date: Wed Aug 2 13:28:54 2023 -0700 drm/i915/perf: Determine context valid in OA reports When supporting OA for TGL, it was seen that the context valid bit in the report ID was not defined, however revisiting the spec seems to have this bit defined. The bit is used to determine if a context is valid on a context switch and is essential to determine active and idle periods for a context. Re-enable the context valid bit for gen12 platforms. BSpec: 52196 (description of report_id) v2: Include BSpec reference (Ashutosh) Fixes: 00a7f0d7155c ("drm/i915/tgl: Add perf support on TGL") Signed-off-by: Umesh Nerlige Ramappa Reviewed-by: Ashutosh Dixit Link: https://patchwork.freedesktop.org/patch/msgid/20230802202854.1224547-1-umesh.nerlige.ramappa@intel.com (cherry picked from commit 7eeaedf79989a8f131939782832e21e9218ed2a0) Signed-off-by: Rodrigo Vivi commit a71ef31485bb51b846e8db8b3a35e432cc15afb5 Author: Peter Zijlstra Date: Tue Oct 24 11:42:21 2023 +0200 perf/core: Fix potential NULL deref Smatch is awesome. Fixes: 32671e3799ca ("perf: Disallow mis-matched inherited group reads") Reported-by: Dan Carpenter Signed-off-by: Peter Zijlstra (Intel) Signed-off-by: Ingo Molnar commit cd8892c07876da0c4b50e020048a32a28596a074 Merge: 9644bc4970572 4530e5b8e2dad Author: Paolo Abeni Date: Tue Oct 24 12:02:03 2023 +0200 Merge branch 'gtp-tunnel-driver-fixes' Pablo Neira Ayuso says: ==================== GTP tunnel driver fixes The following patchset contains two fixes for the GTP tunnel driver: 1) Incorrect GTPA_MAX definition in UAPI headers. This is updating an existing UAPI definition but for a good reason, this is certainly broken. Similar fixes for incorrect _MAX definition in netlink headers were applied in the past too. 2) Fix GTP driver PMTU with GRO packets, add missing call to skb_gso_validate_network_len() to handle GRO packets. ==================== Link: https://lore.kernel.org/r/20231022202519.659526-1-pablo@netfilter.org Signed-off-by: Paolo Abeni commit 4530e5b8e2dad63dcad2206232dd86e4b1489b6c Author: Pablo Neira Ayuso Date: Sun Oct 22 22:25:18 2023 +0200 gtp: fix fragmentation needed check with gso Call skb_gso_validate_network_len() to check if packet is over PMTU. Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Paolo Abeni commit adc8df12d91a2b8350b0cd4c7fec3e8546c9d1f8 Author: Pablo Neira Ayuso Date: Sun Oct 22 22:25:17 2023 +0200 gtp: uapi: fix GTPA_MAX Subtract one to __GTPA_MAX, otherwise GTPA_MAX is off by 2. Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Paolo Abeni commit 9644bc49705723bf7c69aa9bf542bb5161b91dba Author: Anjali Kulkarni Date: Fri Oct 20 16:40:58 2023 -0700 Fix NULL pointer dereference in cn_filter() Check that sk_user_data is not NULL, else return from cn_filter(). Could not reproduce this issue, but Oliver Sang verified it has fixed the "Closes" problem below. Fixes: 2aa1f7a1f47c ("connector/cn_proc: Add filtering to fix some bugs") Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-lkp/202309201456.84c19e27-oliver.sang@intel.com/ Signed-off-by: Anjali Kulkarni Link: https://lore.kernel.org/r/20231020234058.2232347-1-anjali.k.kulkarni@oracle.com Signed-off-by: Paolo Abeni commit d88520ad73b79e71e3ddf08de335b8520ae41c5c Merge: 84186fcb834ec 1aee9158bc978 Author: Linus Torvalds Date: Mon Oct 23 20:40:04 2023 -1000 Merge tag 'pull-nfsd-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull nfsd fix from Al Viro: "Catch from lock_rename() audit; nfsd_rename() checked that both directories belonged to the same filesystem, but only after having done lock_rename(). Trivial fix, tested and acked by nfs folks" * tag 'pull-nfsd-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: nfsd: lock_rename() needs both directories to live on the same fs commit 84186fcb834ecc55604efaf383e17e6b5e9baa50 Merge: e017769f4ce20 921992229b1f0 Author: Linus Torvalds Date: Mon Oct 23 14:19:11 2023 -1000 Merge tag 'urgent/nolibc.2023.10.16a' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu Pull nolibc fixes from Paul McKenney: - tools/nolibc: i386: Fix a stack misalign bug on _start - MAINTAINERS: nolibc: update tree location - tools/nolibc: mark start_c as weak to avoid linker errors * tag 'urgent/nolibc.2023.10.16a' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu: tools/nolibc: mark start_c as weak MAINTAINERS: nolibc: update tree location tools/nolibc: i386: Fix a stack misalign bug on _start commit d788c9338342a3146d115281922901c1e3e1cbff Author: Pieter Jansen van Vuuren Date: Fri Oct 20 15:01:49 2023 +0100 sfc: cleanup and reduce netlink error messages Reduce the length of netlink error messages as they are likely to be truncated anyway. Additionally, reword netlink error messages so they are more consistent with previous messages. Fixes: 9dbc8d2b9a02 ("sfc: add decrement ipv6 hop limit by offloading set hop limit actions") Fixes: 3c9561c0a5b9 ("sfc: support TC decap rules matching on enc_ip_tos") Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202310202136.4u7bv0hp-lkp@intel.com/ Signed-off-by: Pieter Jansen van Vuuren Reviewed-by: Edward Cree Link: https://lore.kernel.org/r/20231020140149.30490-1-pieter.jansen-van-vuuren@amd.com Signed-off-by: Jakub Kicinski commit 291c0d3a98afb7b863485215c241a851be9e3435 Merge: eaf16b92b18ce 1122a9c2ebe02 Author: Arnd Bergmann Date: Mon Oct 23 21:01:45 2023 +0200 Merge tag 'mvebu-fixes-6.6-1' of git://git.kernel.org/pub/scm/linux/kernel/git/gclement/mvebu into arm/fixes mvebu fixes for 6.6 (part 1) Update MAINTAINERS for eDPU board * tag 'mvebu-fixes-6.6-1' of git://git.kernel.org/pub/scm/linux/kernel/git/gclement/mvebu: MAINTAINERS: uDPU: add remaining Methode boards MAINTAINERS: uDPU: make myself maintainer of it Link: https://lore.kernel.org/r/875y32abqe.fsf@BL-laptop Signed-off-by: Arnd Bergmann commit e017769f4ce20dc0d3fa3220d4d359dcc4431274 Merge: 7c14564010fc1 eb96e221937af Author: Linus Torvalds Date: Mon Oct 23 07:59:13 2023 -1000 Merge tag 'for-6.6-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux Pull btrfs fix from David Sterba: "One more fix for a problem with snapshot of a newly created subvolume that can lead to inconsistent data under some circumstances. Kernel 6.5 added a performance optimization to skip transaction commit for subvolume creation but this could end up with newer data on disk but not linked to other structures. The fix itself is an added condition, the rest of the patch is a parameter added to several functions" * tag 'for-6.6-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux: btrfs: fix unwritten extent buffer after snapshotting a new subvolume commit 7c14564010fc1d0f16ca7d39b0ff948b43344209 Merge: 05d3ef8bba77c 061b39fdfe7fd Author: Linus Torvalds Date: Mon Oct 23 07:42:48 2023 -1000 Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost Pull virtio fixes from Michael Tsirkin: "A collection of small fixes that look like worth having in this release" * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost: virtio_pci: fix the common cfg map size virtio-crypto: handle config changed by work queue vhost: Allow null msg.size on VHOST_IOTLB_INVALIDATE vdpa/mlx5: Fix firmware error on creation of 1k VQs virtio_balloon: Fix endless deflation and inflation on arm64 vdpa/mlx5: Fix double release of debugfs entry virtio-mmio: fix memory leak of vm_dev vdpa_sim_blk: Fix the potential leak of mgmt_dev tools/virtio: Add dma sync api for virtio test commit 7798b59409c345d4a6034a4326bceb9f7e2e8b58 Author: Moritz Wanzenböck Date: Thu Oct 19 14:58:47 2023 +0200 net/handshake: fix file ref count in handshake_nl_accept_doit() If req->hr_proto->hp_accept() fail, we call fput() twice: Once in the error path, but also a second time because sock->file is at that point already associated with the file descriptor. Once the task exits, as it would probably do after receiving an error reading from netlink, the fd is closed, calling fput() a second time. To fix, we move installing the file after the error path for the hp_accept() call. In the case of errors we simply put the unused fd. In case of success we can use fd_install() to link the sock->file to the reserved fd. Fixes: 7ea9c1ec66bc ("net/handshake: Fix handshake_dup() ref counting") Signed-off-by: Moritz Wanzenböck Reviewed-by: Chuck Lever Link: https://lore.kernel.org/r/20231019125847.276443-1-moritz.wanzenboeck@linbit.com Signed-off-by: Jakub Kicinski commit eb96e221937af3c7bb8a63208dbab813ca5d3d7e Author: Filipe Manana Date: Thu Oct 19 13:19:28 2023 +0100 btrfs: fix unwritten extent buffer after snapshotting a new subvolume When creating a snapshot of a subvolume that was created in the current transaction, we can end up not persisting a dirty extent buffer that is referenced by the snapshot, resulting in IO errors due to checksum failures when trying to read the extent buffer later from disk. A sequence of steps that leads to this is the following: 1) At ioctl.c:create_subvol() we allocate an extent buffer, with logical address 36007936, for the leaf/root of a new subvolume that has an ID of 291. We mark the extent buffer as dirty, and at this point the subvolume tree has a single node/leaf which is also its root (level 0); 2) We no longer commit the transaction used to create the subvolume at create_subvol(). We used to, but that was recently removed in commit 1b53e51a4a8f ("btrfs: don't commit transaction for every subvol create"); 3) The transaction used to create the subvolume has an ID of 33, so the extent buffer 36007936 has a generation of 33; 4) Several updates happen to subvolume 291 during transaction 33, several files created and its tree height changes from 0 to 1, so we end up with a new root at level 1 and the extent buffer 36007936 is now a leaf of that new root node, which is extent buffer 36048896. The commit root remains as 36007936, since we are still at transaction 33; 5) Creation of a snapshot of subvolume 291, with an ID of 292, starts at ioctl.c:create_snapshot(). This triggers a commit of transaction 33 and we end up at transaction.c:create_pending_snapshot(), in the critical section of a transaction commit. There we COW the root of subvolume 291, which is extent buffer 36048896. The COW operation returns extent buffer 36048896, since there's no need to COW because the extent buffer was created in this transaction and it was not written yet. The we call btrfs_copy_root() against the root node 36048896. During this operation we allocate a new extent buffer to turn into the root node of the snapshot, copy the contents of the root node 36048896 into this snapshot root extent buffer, set the owner to 292 (the ID of the snapshot), etc, and then we call btrfs_inc_ref(). This will create a delayed reference for each leaf pointed by the root node with a reference root of 292 - this includes a reference for the leaf 36007936. After that we set the bit BTRFS_ROOT_FORCE_COW in the root's state. Then we call btrfs_insert_dir_item(), to create the directory entry in in the tree of subvolume 291 that points to the snapshot. This ends up needing to modify leaf 36007936 to insert the respective directory items. Because the bit BTRFS_ROOT_FORCE_COW is set for the root's state, we need to COW the leaf. We end up at btrfs_force_cow_block() and then at update_ref_for_cow(). At update_ref_for_cow() we call btrfs_block_can_be_shared() which returns false, despite the fact the leaf 36007936 is shared - the subvolume's root and the snapshot's root point to that leaf. The reason that it incorrectly returns false is because the commit root of the subvolume is extent buffer 36007936 - it was the initial root of the subvolume when we created it. So btrfs_block_can_be_shared() which has the following logic: int btrfs_block_can_be_shared(struct btrfs_root *root, struct extent_buffer *buf) { if (test_bit(BTRFS_ROOT_SHAREABLE, &root->state) && buf != root->node && buf != root->commit_root && (btrfs_header_generation(buf) <= btrfs_root_last_snapshot(&root->root_item) || btrfs_header_flag(buf, BTRFS_HEADER_FLAG_RELOC))) return 1; return 0; } Returns false (0) since 'buf' (extent buffer 36007936) matches the root's commit root. As a result, at update_ref_for_cow(), we don't check for the number of references for extent buffer 36007936, we just assume it's not shared and therefore that it has only 1 reference, so we set the local variable 'refs' to 1. Later on, in the final if-else statement at update_ref_for_cow(): static noinline int update_ref_for_cow(struct btrfs_trans_handle *trans, struct btrfs_root *root, struct extent_buffer *buf, struct extent_buffer *cow, int *last_ref) { (...) if (refs > 1) { (...) } else { (...) btrfs_clear_buffer_dirty(trans, buf); *last_ref = 1; } } So we mark the extent buffer 36007936 as not dirty, and as a result we don't write it to disk later in the transaction commit, despite the fact that the snapshot's root points to it. Attempting to access the leaf or dumping the tree for example shows that the extent buffer was not written: $ btrfs inspect-internal dump-tree -t 292 /dev/sdb btrfs-progs v6.2.2 file tree key (292 ROOT_ITEM 33) node 36110336 level 1 items 2 free space 119 generation 33 owner 292 node 36110336 flags 0x1(WRITTEN) backref revision 1 checksum stored a8103e3e checksum calced a8103e3e fs uuid 90c9a46f-ae9f-4626-9aff-0cbf3e2e3a79 chunk uuid e8c9c885-78f4-4d31-85fe-89e5f5fd4a07 key (256 INODE_ITEM 0) block 36007936 gen 33 key (257 EXTENT_DATA 0) block 36052992 gen 33 checksum verify failed on 36007936 wanted 0x00000000 found 0x86005f29 checksum verify failed on 36007936 wanted 0x00000000 found 0x86005f29 total bytes 107374182400 bytes used 38572032 uuid 90c9a46f-ae9f-4626-9aff-0cbf3e2e3a79 The respective on disk region is full of zeroes as the device was trimmed at mkfs time. Obviously 'btrfs check' also detects and complains about this: $ btrfs check /dev/sdb Opening filesystem to check... Checking filesystem on /dev/sdb UUID: 90c9a46f-ae9f-4626-9aff-0cbf3e2e3a79 generation: 33 (33) [1/7] checking root items [2/7] checking extents checksum verify failed on 36007936 wanted 0x00000000 found 0x86005f29 checksum verify failed on 36007936 wanted 0x00000000 found 0x86005f29 checksum verify failed on 36007936 wanted 0x00000000 found 0x86005f29 bad tree block 36007936, bytenr mismatch, want=36007936, have=0 owner ref check failed [36007936 4096] ERROR: errors found in extent allocation tree or chunk allocation [3/7] checking free space tree [4/7] checking fs roots checksum verify failed on 36007936 wanted 0x00000000 found 0x86005f29 checksum verify failed on 36007936 wanted 0x00000000 found 0x86005f29 checksum verify failed on 36007936 wanted 0x00000000 found 0x86005f29 bad tree block 36007936, bytenr mismatch, want=36007936, have=0 The following tree block(s) is corrupted in tree 292: tree block bytenr: 36110336, level: 1, node key: (256, 1, 0) root 292 root dir 256 not found ERROR: errors found in fs roots found 38572032 bytes used, error(s) found total csum bytes: 16048 total tree bytes: 1265664 total fs tree bytes: 1118208 total extent tree bytes: 65536 btree space waste bytes: 562598 file data blocks allocated: 65978368 referenced 36569088 Fix this by updating btrfs_block_can_be_shared() to consider that an extent buffer may be shared if it matches the commit root and if its generation matches the current transaction's generation. This can be reproduced with the following script: $ cat test.sh #!/bin/bash MNT=/mnt/sdi DEV=/dev/sdi # Use a filesystem with a 64K node size so that we have the same node # size on every machine regardless of its page size (on x86_64 default # node size is 16K due to the 4K page size, while on PPC it's 64K by # default). This way we can make sure we are able to create a btree for # the subvolume with a height of 2. mkfs.btrfs -f -n 64K $DEV mount $DEV $MNT btrfs subvolume create $MNT/subvol # Create a few empty files on the subvolume, this bumps its btree # height to 2 (root node at level 1 and 2 leaves). for ((i = 1; i <= 300; i++)); do echo -n > $MNT/subvol/file_$i done btrfs subvolume snapshot -r $MNT/subvol $MNT/subvol/snap umount $DEV btrfs check $DEV Running it on a 6.5 kernel (or any 6.6-rc kernel at the moment): $ ./test.sh Create subvolume '/mnt/sdi/subvol' Create a readonly snapshot of '/mnt/sdi/subvol' in '/mnt/sdi/subvol/snap' Opening filesystem to check... Checking filesystem on /dev/sdi UUID: bbdde2ff-7d02-45ca-8a73-3c36f23755a1 [1/7] checking root items [2/7] checking extents parent transid verify failed on 30539776 wanted 7 found 5 parent transid verify failed on 30539776 wanted 7 found 5 parent transid verify failed on 30539776 wanted 7 found 5 Ignoring transid failure owner ref check failed [30539776 65536] ERROR: errors found in extent allocation tree or chunk allocation [3/7] checking free space tree [4/7] checking fs roots parent transid verify failed on 30539776 wanted 7 found 5 Ignoring transid failure Wrong key of child node/leaf, wanted: (256, 1, 0), have: (2, 132, 0) Wrong generation of child node/leaf, wanted: 5, have: 7 root 257 root dir 256 not found ERROR: errors found in fs roots found 917504 bytes used, error(s) found total csum bytes: 0 total tree bytes: 851968 total fs tree bytes: 393216 total extent tree bytes: 65536 btree space waste bytes: 736550 file data blocks allocated: 0 referenced 0 A test case for fstests will follow soon. Fixes: 1b53e51a4a8f ("btrfs: don't commit transaction for every subvol create") CC: stable@vger.kernel.org # 6.5+ Reviewed-by: Josef Bacik Signed-off-by: Filipe Manana Signed-off-by: David Sterba commit 4984fc578a911f3146965f4086d0a219a9806002 Author: Christian König Date: Fri Oct 20 14:28:56 2023 +0200 drm/amdkfd: reserve a fence slot while locking the BO Looks like the KFD still needs this. Signed-off-by: Christian König Fixes: 8abc1eb2987a ("drm/amdkfd: switch over to using drm_exec v3") Acked-by: Alex Deucher Acked-by: Felix Kuehling Link: https://patchwork.freedesktop.org/patch/msgid/20231020123306.43978-1-christian.koenig@amd.com commit daa9ada2093ed23d52b4c1fe6e13cf78f55cc85f Author: Michael Ellerman Date: Mon Oct 23 22:25:00 2023 +1100 powerpc/mm: Fix boot crash with FLATMEM Erhard reported that his G5 was crashing with v6.6-rc kernels: mpic: Setting up HT PICs workarounds for U3/U4 BUG: Unable to handle kernel data access at 0xfeffbb62ffec65fe Faulting instruction address: 0xc00000000005dc40 Oops: Kernel access of bad area, sig: 11 [#1] BE PAGE_SIZE=4K MMU=Hash SMP NR_CPUS=2 PowerMac Modules linked in: CPU: 0 PID: 0 Comm: swapper/0 Tainted: G T 6.6.0-rc3-PMacGS #1 Hardware name: PowerMac11,2 PPC970MP 0x440101 PowerMac NIP: c00000000005dc40 LR: c000000000066660 CTR: c000000000007730 REGS: c0000000022bf510 TRAP: 0380 Tainted: G T (6.6.0-rc3-PMacGS) MSR: 9000000000001032 CR: 44004242 XER: 00000000 IRQMASK: 3 GPR00: 0000000000000000 c0000000022bf7b0 c0000000010c0b00 00000000000001ac GPR04: 0000000003c80000 0000000000000300 c0000000f20001ae 0000000000000300 GPR08: 0000000000000006 feffbb62ffec65ff 0000000000000001 0000000000000000 GPR12: 9000000000001032 c000000002362000 c000000000f76b80 000000000349ecd8 GPR16: 0000000002367ba8 0000000002367f08 0000000000000006 0000000000000000 GPR20: 00000000000001ac c000000000f6f920 c0000000022cd985 000000000000000c GPR24: 0000000000000300 00000003b0a3691d c0003e008030000e 0000000000000000 GPR28: c00000000000000c c0000000f20001ee feffbb62ffec65fe 00000000000001ac NIP hash_page_do_lazy_icache+0x50/0x100 LR __hash_page_4K+0x420/0x590 Call Trace: hash_page_mm+0x364/0x6f0 do_hash_fault+0x114/0x2b0 data_access_common_virt+0x198/0x1f0 --- interrupt: 300 at mpic_init+0x4bc/0x10c4 NIP: c000000002020a5c LR: c000000002020a04 CTR: 0000000000000000 REGS: c0000000022bf9f0 TRAP: 0300 Tainted: G T (6.6.0-rc3-PMacGS) MSR: 9000000000001032 CR: 24004248 XER: 00000000 DAR: c0003e008030000e DSISR: 40000000 IRQMASK: 1 ... NIP mpic_init+0x4bc/0x10c4 LR mpic_init+0x464/0x10c4 --- interrupt: 300 pmac_setup_one_mpic+0x258/0x2dc pmac_pic_init+0x28c/0x3d8 init_IRQ+0x90/0x140 start_kernel+0x57c/0x78c start_here_common+0x1c/0x20 A bisect pointed to the breakage beginning with commit 9fee28baa601 ("powerpc: implement the new page table range API"). Analysis of the oops pointed to a struct page with a corrupted compound_head being loaded via page_folio() -> _compound_head() in hash_page_do_lazy_icache(). The access by the mpic code is to an MMIO address, so the expectation is that the struct page for that address would be initialised by init_unavailable_range(), as pointed out by Aneesh. Instrumentation showed that was not the case, which eventually lead to the realisation that pfn_valid() was returning false for that address, causing the struct page to not be initialised. Because the system is using FLATMEM, the version of pfn_valid() in memory_model.h is used: static inline int pfn_valid(unsigned long pfn) { ... return pfn >= pfn_offset && (pfn - pfn_offset) < max_mapnr; } Which relies on max_mapnr being initialised. Early in boot max_mapnr is zero meaning no PFNs are valid. max_mapnr is initialised in mem_init() called via: start_kernel() mm_core_init() # init/main.c:928 mem_init() But that is too late for the usage in init_unavailable_range() called via: start_kernel() setup_arch() # init/main.c:893 paging_init() free_area_init() init_unavailable_range() Although max_mapnr is currently set in mem_init(), the value is actually already available much earlier, as soon as mem_topology_setup() has completed, which is also before paging_init() is called. So move the initialisation there, which causes paging_init() to correctly initialise the struct page and fixes the bug. This bug seems to have been lurking for years, but went unnoticed because the pre-folio code was inspecting the uninitialised page->flags but not dereferencing it. Thanks to Erhard and Aneesh for help debugging. Reported-by: Erhard Furtner Closes: https://lore.kernel.org/all/20230929132750.3cd98452@yea/ Signed-off-by: Michael Ellerman Link: https://msgid.link/20231023112500.1550208-1-mpe@ellerman.id.au commit 91535613b6090fc968c601d11d4e2f16b333713c Author: Avraham Stern Date: Mon Oct 16 14:52:48 2023 +0300 wifi: mac80211: don't drop all unprotected public action frames Not all public action frames have a protected variant. When MFP is enabled drop only public action frames that have a dual protected variant. Fixes: 76a3059cf124 ("wifi: mac80211: drop some unprotected action frames") Signed-off-by: Avraham Stern Signed-off-by: Gregory Greenman Link: https://lore.kernel.org/r/20231016145213.2973e3c8d3bb.I6198b8d3b04cf4a97b06660d346caec3032f232a@changeid Signed-off-by: Johannes Berg commit c434b2be2d80d236bb090fdb493d4bd5ed589238 Author: Johannes Berg Date: Wed Oct 18 11:42:51 2023 +0200 wifi: cfg80211: fix assoc response warning on failed links The warning here shouldn't be done before we even set the bss field (or should've used the input data). Move the assignment before the warning to fix it. We noticed this now because of Wen's bugfix, where the bug fixed there had previously hidden this other bug. Fixes: 53ad07e9823b ("wifi: cfg80211: support reporting failed links") Signed-off-by: Johannes Berg commit 3e3929ef889e650dd585dc0f4f7f18240688811a Author: Ben Greear Date: Sat Oct 21 08:48:27 2023 -0700 wifi: cfg80211: pass correct pointer to rdev_inform_bss() Confusing struct member names here resulted in passing the wrong pointer, causing crashes. Pass the correct one. Fixes: eb142608e2c4 ("wifi: cfg80211: use a struct for inform_single_bss data") Signed-off-by: Ben Greear Link: https://lore.kernel.org/r/20231021154827.1142734-1-greearb@candelatech.com [rewrite commit message, add fixes] Signed-off-by: Johannes Berg commit 13454e6e0df2ff37853596d546438ac84ca6a413 Author: Kunwu Chan Date: Mon Oct 23 14:37:58 2023 +0800 isdn: mISDN: hfcsusb: Spelling fix in comment protocoll -> protocol Signed-off-by: Kunwu Chan Signed-off-by: David S. Miller commit 05d3ef8bba77c1b5f98d941d8b2d4aeab8118ef1 Author: Linus Torvalds Date: Sun Oct 22 12:11:21 2023 -1000 Linux 6.6-rc7 commit fe3cfe869d5e0453754cf2b4c75110276b5e8527 Merge: 70e65afc23b76 089667aaaa6aa Author: Linus Torvalds Date: Sun Oct 22 07:11:10 2023 -1000 Merge tag 'phy-fixes-6.6' of git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phy Pull phy fixes from Vinod Koul: - mapphone-mdm6600 runtime pm & pinctrl handling fixes - Qualcomm qmp usb pcs register fixes, qmp pcie register size warning fix, m31 fixes for wrong pointer in PTR_ERR and dropping wrong vreg check, qmp combo fix for 8550 power config register - realtek usb fix for debugfs_create_dir() and kconfig dependency * tag 'phy-fixes-6.6' of git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phy: phy: realtek: Realtek PHYs should depend on ARCH_REALTEK phy: qualcomm: Fix typos in comments phy: qcom-qmp-combo: initialize PCS_USB registers phy: qcom-qmp-combo: Square out 8550 POWER_STATE_CONFIG1 phy: qcom: m31: Remove unwanted qphy->vreg is NULL check phy: realtek: usb: Drop unnecessary error check for debugfs_create_dir() phy: qcom: phy-qcom-m31: change m31_ipq5332_regs to static phy: qcom: phy-qcom-m31: fix wrong pointer pass to PTR_ERR() dt-bindings: phy: qcom,ipq8074-qmp-pcie: fix warning regarding reg size phy: qcom-qmp-usb: split PCS_USB init table for sc8280xp and sa8775p phy: qcom-qmp-usb: initialize PCS_USB registers phy: mapphone-mdm6600: Fix pinctrl_pm handling for sleep pins phy: mapphone-mdm6600: Fix runtime PM for remove phy: mapphone-mdm6600: Fix runtime disable on probe commit 70e65afc23b7670b775f0f086b9acd59b7fc4343 Merge: 1acfd2bd3f0d9 c03d21f05e76b Author: Linus Torvalds Date: Sun Oct 22 07:05:28 2023 -1000 Merge tag 'efi-fixes-for-v6.6-3' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi Pull EFI fixes from Ard Biesheuvel: "The boot_params pointer fix uses a somewhat ugly extern struct declaration but this will be cleaned up the next cycle. - don't try to print warnings to the console when it is no longer available - fix theoretical memory leak in SSDT override handling - make sure that the boot_params global variable is set before the KASLR code attempts to hash it for 'randomness' - avoid soft lockups in the memory acceptance code" * tag 'efi-fixes-for-v6.6-3' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi: efi/unaccepted: Fix soft lockups caused by parallel memory acceptance x86/boot: efistub: Assign global boot_params variable efi: fix memory leak in krealloc failure handling x86/efistub: Don't try to print after ExitBootService() commit d2a0fc372aca561556e765d0a9ec365c7c12f0ad Author: Fred Chen Date: Sat Oct 21 08:19:47 2023 +0800 tcp: fix wrong RTO timeout when received SACK reneging This commit fix wrong RTO timeout when received SACK reneging. When an ACK arrived pointing to a SACK reneging, tcp_check_sack_reneging() will rearm the RTO timer for min(1/2*srtt, 10ms) into to the future. But since the commit 62d9f1a6945b ("tcp: fix TLP timer not set when CA_STATE changes from DISORDER to OPEN") merged, the tcp_set_xmit_timer() is moved after tcp_fastretrans_alert()(which do the SACK reneging check), so the RTO timeout will be overwrited by tcp_set_xmit_timer() with icsk_rto instead of 1/2*srtt. Here is a packetdrill script to check this bug: 0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 +0 bind(3, ..., ...) = 0 +0 listen(3, 1) = 0 // simulate srtt to 100ms +0 < S 0:0(0) win 32792 +0 > S. 0:0(0) ack 1 +.1 < . 1:1(0) ack 1 win 1024 +0 accept(3, ..., ...) = 4 +0 write(4, ..., 10000) = 10000 +0 > P. 1:10001(10000) ack 1 // inject sack +.1 < . 1:1(0) ack 1 win 257 +0 > . 1:1001(1000) ack 1 // inject sack reneging +.1 < . 1:1(0) ack 1001 win 257 // we expect rto fired in 1/2*srtt (50ms) +.05 > . 1001:2001(1000) ack 1 This fix remove the FLAG_SET_XMIT_TIMER from ack_flag when tcp_check_sack_reneging() set RTO timer with 1/2*srtt to avoid being overwrited later. Fixes: 62d9f1a6945b ("tcp: fix TLP timer not set when CA_STATE changes from DISORDER to OPEN") Signed-off-by: Fred Chen Reviewed-by: Neal Cardwell Tested-by: Neal Cardwell Signed-off-by: David S. Miller commit 9b311b7313d6c104dd4a2d43ab54536dce07f960 Author: Xiang Chen Date: Thu Oct 19 21:01:21 2023 +0800 ACPI: NFIT: Install Notify() handler before getting NFIT table If there is no NFIT at startup, it will return 0 immediately in function acpi_nfit_add() and will not install Notify() handler. If hotplugging a nvdimm device later, it will not be identified as there is no Notify() handler. Install the handler before getting NFI table in function acpi_nfit_add() to avoid above issue. Fixes: dcca12ab62a2 ("ACPI: NFIT: Install Notify() handler directly") Signed-off-by: Xiang Chen [ rjw: Subject and changelog edits ] Signed-off-by: Rafael J. Wysocki commit a40614fe885a46758105bfcc6761594af2c9155e Merge: 51a32e828109b d9962b0d42029 Author: David S. Miller Date: Sun Oct 22 11:46:18 2023 +0100 Merge branch 'r8152-reg-garbage' Douglas Anderson says: ==================== r8152: Avoid writing garbage to the adapter's registers This series is the result of a cooperative debug effort between Realtek and the ChromeOS team. On ChromeOS, we've noticed that Realtek Ethernet adapters can sometimes get so wedged that even a reboot of the host can't get them to enumerate again, assuming that the adapter was on a powered hub and din't lose power when the host rebooted. This is sometimes seen in the ChromeOS automated testing lab. The only way to recover adapters in this state is to manually power cycle them. I managed to reproduce one instance of this wedging (unknown if this is truly related to what the test lab sees) by doing this: 1. Start a flood ping from a host to the device. 2. Drop the device into kdb. 3. Wait 90 seconds. 4. Resume from kdb (the "g" command). 5. Wait another 45 seconds. Upon analysis, Realtek realized this was happening: 1. The Linux driver was getting a "Tx timeout" after resuming from kdb and then trying to reset itself. 2. As part of the reset, the Linux driver was attempting to do a read-modify-write of the adapter's registers. 3. The read would fail (due to a timeout) and the driver pretended that the register contained all 0xFFs. See commit f53a7ad18959 ("r8152: Set memory to all 0xFFs on failed reg reads") 4. The driver would take this value of all 0xFFs, modify it, and attempt to write it back to the adapter. 5. By this time the USB channel seemed to recover and thus we'd successfully write a value that was mostly 0xFFs to the adpater. 6. The adapter didn't like this and would wedge itself. Another Engineer also managed to reproduce wedging of the Realtek Ethernet adpater during a reboot test on an AMD Chromebook. In that case he was sometimes seeing -EPIPE returned from the control transfers. This patch series fixes both issues. Changes in v5: - ("Run the unload routine if we have errors during probe") new for v5. - ("Cancel hw_phy_work if we have an error in probe") new for v5. - ("Release firmware if we have an error in probe") new for v5. - Removed extra mutex_unlock() left over in v4. - Fixed minor typos. - Don't do queue an unbind/bind reset if probe fails; just retry probe. Changes in v4: - Took out some unnecessary locks/unlocks of the control mutex. - Added comment about reading version causing probe fail if 3 fails. - Added text to commit msg about the potential unbind/bind loop. Changes in v3: - Fixed v2 changelog ending up in the commit message. - farmework -> framework in comments. Changes in v2: - ("Check for unplug in rtl_phy_patch_request()") new for v2. - ("Check for unplug in r8153b_ups_en() / r8153c_ups_en()") new for v2. - ("Rename RTL8152_UNPLUG to RTL8152_INACCESSIBLE") new for v2. - Reset patch no longer based on retry patch, since that was dropped. - Reset patch should be robust even if failures happen in probe. - Switched booleans to bits in the "flags" variable. - Check for -ENODEV instead of "udev->state == USB_STATE_NOTATTACHED" ==================== Signed-off-by: David S. Miller commit d9962b0d42029bcb40fe3c38bce06d1870fa4df4 Author: Douglas Anderson Date: Fri Oct 20 14:06:59 2023 -0700 r8152: Block future register access if register access fails Even though the functions to read/write registers can fail, most of the places in the r8152 driver that read/write register values don't check error codes. The lack of error code checking is problematic in at least two ways. The first problem is that the r8152 driver often uses code patterns similar to this: x = read_register() x = x | SOME_BIT; write_register(x); ...with the above pattern, if the read_register() fails and returns garbage then we'll end up trying to write modified garbage back to the Realtek adapter. If the write_register() succeeds that's bad. Note that as of commit f53a7ad18959 ("r8152: Set memory to all 0xFFs on failed reg reads") the "garbage" returned by read_register() will at least be consistent garbage, but it is still garbage. It turns out that this problem is very serious. Writing garbage to some of the hardware registers on the Ethernet adapter can put the adapter in such a bad state that it needs to be power cycled (fully unplugged and plugged in again) before it can enumerate again. The second problem is that the r8152 driver generally has functions that are long sequences of register writes. Assuming everything will be OK if a random register write fails in the middle isn't a great assumption. One might wonder if the above two problems are real. You could ask if we would really have a successful write after a failed read. It turns out that the answer appears to be "yes, this can happen". In fact, we've seen at least two distinct failure modes where this happens. On a sc7180-trogdor Chromebook if you drop into kdb for a while and then resume, you can see: 1. We get a "Tx timeout" 2. The "Tx timeout" queues up a USB reset. 3. In rtl8152_pre_reset() we try to reinit the hardware. 4. The first several (2-9) register accesses fail with a timeout, then things recover. The above test case was actually fixed by the patch ("r8152: Increase USB control msg timeout to 5000ms as per spec") but at least shows that we really can see successful calls after failed ones. On a different (AMD) based Chromebook with a particular adapter, we found that during reboot tests we'd also sometimes get a transitory failure. In this case we saw -EPIPE being returned sometimes. Retrying worked, but retrying is not always safe for all register accesses since reading/writing some registers might have side effects (like registers that clear on read). Let's fully lock out all register access if a register access fails. When we do this, we'll try to queue up a USB reset and try to unlock register access after the reset. This is slightly tricker than it sounds since the r8152 driver has an optimized reset sequence that only works reliably after probe happens. In order to handle this, we avoid the optimized reset if probe didn't finish. Instead, we simply retry the probe routine in this case. When locking out access, we'll use the existing infrastructure that the driver was using when it detected we were unplugged. This keeps us from getting stuck in delay loops in some parts of the driver. Signed-off-by: Douglas Anderson Reviewed-by: Grant Grundler Signed-off-by: David S. Miller commit 715f67f33af45ce2cc3a5b1ef133cc8c8e7787b0 Author: Douglas Anderson Date: Fri Oct 20 14:06:58 2023 -0700 r8152: Rename RTL8152_UNPLUG to RTL8152_INACCESSIBLE Whenever the RTL8152_UNPLUG is set that just tells the driver that all accesses will fail and we should just immediately bail. A future patch will use this same concept at a time when the driver hasn't actually been unplugged but is about to be reset. Rename the flag in preparation for the future patch. This is a no-op change and just a search and replace. Signed-off-by: Douglas Anderson Reviewed-by: Grant Grundler Signed-off-by: David S. Miller commit bc65cc42af737a5a35f83842408ef2c6c79ba025 Author: Douglas Anderson Date: Fri Oct 20 14:06:57 2023 -0700 r8152: Check for unplug in r8153b_ups_en() / r8153c_ups_en() If the adapter is unplugged while we're looping in r8153b_ups_en() / r8153c_ups_en() we could end up looping for 10 seconds (20 ms * 500 loops). Add code similar to what's done in other places in the driver to check for unplug and bail. Signed-off-by: Douglas Anderson Reviewed-by: Grant Grundler Signed-off-by: David S. Miller commit dc90ba37a8c37042407fa6970b9830890cfe6047 Author: Douglas Anderson Date: Fri Oct 20 14:06:56 2023 -0700 r8152: Check for unplug in rtl_phy_patch_request() If the adapter is unplugged while we're looping in rtl_phy_patch_request() we could end up looping for 10 seconds (2 ms * 5000 loops). Add code similar to what's done in other places in the driver to check for unplug and bail. Signed-off-by: Douglas Anderson Reviewed-by: Grant Grundler Signed-off-by: David S. Miller commit b8d35024d4059ca550cba11ac9ab23a6c238d929 Author: Douglas Anderson Date: Fri Oct 20 14:06:55 2023 -0700 r8152: Release firmware if we have an error in probe The error handling in rtl8152_probe() is missing a call to release firmware. Add it in to match what's in the cleanup code in rtl8152_disconnect(). Fixes: 9370f2d05a2a ("r8152: support request_firmware for RTL8153") Signed-off-by: Douglas Anderson Reviewed-by: Grant Grundler Signed-off-by: David S. Miller commit bb8adff9123e492598162ac1baad01a53891aef6 Author: Douglas Anderson Date: Fri Oct 20 14:06:54 2023 -0700 r8152: Cancel hw_phy_work if we have an error in probe The error handling in rtl8152_probe() is missing a call to cancel the hw_phy_work. Add it in to match what's in the cleanup code in rtl8152_disconnect(). Fixes: a028a9e003f2 ("r8152: move the settings of PHY to a work queue") Signed-off-by: Douglas Anderson Reviewed-by: Grant Grundler Signed-off-by: David S. Miller commit 5dd17689526971c5ae12bc8398f34bd68cd0499e Author: Douglas Anderson Date: Fri Oct 20 14:06:53 2023 -0700 r8152: Run the unload routine if we have errors during probe The rtl8152_probe() function lacks a call to the chip-specific unload() routine when it sees an error in probe. Add it in to match the cleanup code in rtl8152_disconnect(). Fixes: ac718b69301c ("net/usb: new driver for RTL8152") Signed-off-by: Douglas Anderson Reviewed-by: Grant Grundler Signed-off-by: David S. Miller commit a5feba71ec9c14a54c3babdc732c5b6866d8ee43 Author: Douglas Anderson Date: Fri Oct 20 14:06:52 2023 -0700 r8152: Increase USB control msg timeout to 5000ms as per spec According to the comment next to USB_CTRL_GET_TIMEOUT and USB_CTRL_SET_TIMEOUT, although sending/receiving control messages is usually quite fast, the spec allows them to take up to 5 seconds. Let's increase the timeout in the Realtek driver from 500ms to 5000ms (using the #defines) to account for this. This is not just a theoretical change. The need for the longer timeout was seen in testing. Specifically, if you drop a sc7180-trogdor based Chromebook into the kdb debugger and then "go" again after sitting in the debugger for a while, the next USB control message takes a long time. Out of ~40 tests the slowest USB control message was 4.5 seconds. While dropping into kdb is not exactly an end-user scenario, the above is similar to what could happen due to an temporary interrupt storm, what could happen if there was a host controller (HW or SW) issue, or what could happen if the Realtek device got into a confused state and needed time to recover. This change is fairly critical since the r8152 driver in Linux doesn't expect register reads/writes (which are backed by USB control messages) to fail. Fixes: ac718b69301c ("net/usb: new driver for RTL8152") Suggested-by: Hayes Wang Signed-off-by: Douglas Anderson Reviewed-by: Grant Grundler Signed-off-by: David S. Miller commit 51a32e828109b4a209efde44505baa356b37a4ce Author: Shigeru Yoshida Date: Sat Oct 21 02:03:44 2023 +0900 net: usb: smsc95xx: Fix uninit-value access in smsc95xx_read_reg syzbot reported the following uninit-value access issue [1]: smsc95xx 1-1:0.0 (unnamed net_device) (uninitialized): Failed to read reg index 0x00000030: -32 smsc95xx 1-1:0.0 (unnamed net_device) (uninitialized): Error reading E2P_CMD ===================================================== BUG: KMSAN: uninit-value in smsc95xx_reset+0x409/0x25f0 drivers/net/usb/smsc95xx.c:896 smsc95xx_reset+0x409/0x25f0 drivers/net/usb/smsc95xx.c:896 smsc95xx_bind+0x9bc/0x22e0 drivers/net/usb/smsc95xx.c:1131 usbnet_probe+0x100b/0x4060 drivers/net/usb/usbnet.c:1750 usb_probe_interface+0xc75/0x1210 drivers/usb/core/driver.c:396 really_probe+0x506/0xf40 drivers/base/dd.c:658 __driver_probe_device+0x2a7/0x5d0 drivers/base/dd.c:800 driver_probe_device+0x72/0x7b0 drivers/base/dd.c:830 __device_attach_driver+0x55a/0x8f0 drivers/base/dd.c:958 bus_for_each_drv+0x3ff/0x620 drivers/base/bus.c:457 __device_attach+0x3bd/0x640 drivers/base/dd.c:1030 device_initial_probe+0x32/0x40 drivers/base/dd.c:1079 bus_probe_device+0x3d8/0x5a0 drivers/base/bus.c:532 device_add+0x16ae/0x1f20 drivers/base/core.c:3622 usb_set_configuration+0x31c9/0x38c0 drivers/usb/core/message.c:2207 usb_generic_driver_probe+0x109/0x2a0 drivers/usb/core/generic.c:238 usb_probe_device+0x290/0x4a0 drivers/usb/core/driver.c:293 really_probe+0x506/0xf40 drivers/base/dd.c:658 __driver_probe_device+0x2a7/0x5d0 drivers/base/dd.c:800 driver_probe_device+0x72/0x7b0 drivers/base/dd.c:830 __device_attach_driver+0x55a/0x8f0 drivers/base/dd.c:958 bus_for_each_drv+0x3ff/0x620 drivers/base/bus.c:457 __device_attach+0x3bd/0x640 drivers/base/dd.c:1030 device_initial_probe+0x32/0x40 drivers/base/dd.c:1079 bus_probe_device+0x3d8/0x5a0 drivers/base/bus.c:532 device_add+0x16ae/0x1f20 drivers/base/core.c:3622 usb_new_device+0x15f6/0x22f0 drivers/usb/core/hub.c:2589 hub_port_connect drivers/usb/core/hub.c:5440 [inline] hub_port_connect_change drivers/usb/core/hub.c:5580 [inline] port_event drivers/usb/core/hub.c:5740 [inline] hub_event+0x53bc/0x7290 drivers/usb/core/hub.c:5822 process_one_work kernel/workqueue.c:2630 [inline] process_scheduled_works+0x104e/0x1e70 kernel/workqueue.c:2703 worker_thread+0xf45/0x1490 kernel/workqueue.c:2784 kthread+0x3e8/0x540 kernel/kthread.c:388 ret_from_fork+0x66/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 Local variable buf.i225 created at: smsc95xx_read_reg drivers/net/usb/smsc95xx.c:90 [inline] smsc95xx_reset+0x203/0x25f0 drivers/net/usb/smsc95xx.c:892 smsc95xx_bind+0x9bc/0x22e0 drivers/net/usb/smsc95xx.c:1131 CPU: 1 PID: 773 Comm: kworker/1:2 Not tainted 6.6.0-rc1-syzkaller-00125-ge42bebf6db29 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023 Workqueue: usb_hub_wq hub_event ===================================================== Similar to e9c65989920f ("net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg"), this issue is caused because usbnet_read_cmd() reads less bytes than requested (zero byte in the reproducer). In this case, 'buf' is not properly filled. This patch fixes the issue by returning -ENODATA if usbnet_read_cmd() reads less bytes than requested. sysbot reported similar uninit-value access issue [2]. The root cause is the same as mentioned above, and this patch addresses it as well. Fixes: 2f7ca802bdae ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver") Reported-and-tested-by: syzbot+c74c24b43c9ae534f0e0@syzkaller.appspotmail.com Reported-and-tested-by: syzbot+2c97a98a5ba9ea9c23bd@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=c74c24b43c9ae534f0e0 [1] Closes: https://syzkaller.appspot.com/bug?extid=2c97a98a5ba9ea9c23bd [2] Signed-off-by: Shigeru Yoshida Signed-off-by: David S. Miller commit 9f771493da935299c6393ad3563b581255d01a37 Author: Su Hui Date: Fri Oct 20 17:27:59 2023 +0800 net: chelsio: cxgb4: add an error code check in t4_load_phy_fw t4_set_params_timeout() can return -EINVAL if failed, add check for this. Signed-off-by: Su Hui Signed-off-by: David S. Miller commit ca082f019d8fbb983f03080487946da714154bae Author: Christophe JAILLET Date: Sat Oct 21 20:03:53 2023 +0200 net: ieee802154: adf7242: Fix some potential buffer overflow in adf7242_stats_show() strncat() usage in adf7242_debugfs_init() is wrong. The size given to strncat() is the maximum number of bytes that can be written, excluding the trailing NULL. Here, the size that is passed, DNAME_INLINE_LEN, does not take into account the size of "adf7242-" that is already in the array. In order to fix it, use snprintf() instead. Fixes: 7302b9d90117 ("ieee802154/adf7242: Driver for ADF7242 MAC IEEE802154") Signed-off-by: Christophe JAILLET Signed-off-by: David S. Miller commit 1acfd2bd3f0d9dc34ea1871a445c554220945d9f Merge: d537ae43f8a10 f9bc9bbe8afdf Author: Linus Torvalds Date: Sat Oct 21 18:46:47 2023 -0700 Merge tag 'powerpc-6.6-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc fixes from Michael Ellerman: - Fix stale propagated yield_cpu in qspinlocks leading to lockups - Fix broken hugepages on some configs due to ARCH_FORCE_MAX_ORDER - Fix a spurious warning when copros are in use at exit time Thanks to Nicholas Piggin, Christophe Leroy, Nysal Jan K.A Sachin Sant, and Shrikanth Hegde. * tag 'powerpc-6.6-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc/qspinlock: Fix stale propagated yield_cpu powerpc/64s/radix: Don't warn on copros in radix__tlb_flush() powerpc/mm: Allow ARCH_FORCE_MAX_ORDER up to 12 commit d3df66fd98557c25856860b7d9c3b8b93d449f0a Author: Luben Tuikov Date: Tue Oct 17 20:56:57 2023 -0400 drm/amdgpu: Remove redundant call to priority_is_valid() Remove a redundant call to amdgpu_ctx_priority_is_valid() from amdgpu_ctx_priority_permit(), which is called from amdgpu_ctx_init() which is called from amdgpu_ctx_alloc() which is called from amdgpu_ctx_ioctl(), where we've called amdgpu_ctx_priority_is_valid() already first thing in the function. Cc: Alex Deucher Cc: Christian König Signed-off-by: Luben Tuikov Acked-by: Christian König Link: https://lore.kernel.org/r/20231018010359.30393-1-luben.tuikov@amd.com commit d537ae43f8a107761fb5a85c3f0cfce5ca79bcb1 Merge: 03027aa3a5c69 479ac419206b5 Author: Linus Torvalds Date: Sat Oct 21 12:59:18 2023 -0700 Merge tag 'gpio-fixes-for-v6.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux Pull gpio fixes from Bartosz Golaszewski: - fix interrupt handling in suspend and wakeup in gpio-vf610 - fix a bug on setting direction to output in gpio-vf610 - add a missing memset() in gpio ACPI code * tag 'gpio-fixes-for-v6.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux: gpiolib: acpi: Add missing memset(0) to acpi_get_gpiod_from_data() gpio: vf610: set value before the direction to avoid a glitch gpio: vf610: mask the gpio irq in system suspend and support wakeup commit 03027aa3a5c698b8fe1a0254284198cb1423481e Merge: 45d3291c5201f cfd96726e6113 Author: Linus Torvalds Date: Sat Oct 21 12:54:58 2023 -0700 Merge tag 'rust-fixes-6.6' of https://github.com/Rust-for-Linux/linux Pull rust fixes from Miguel Ojeda: - GCC build: fix bindgen build error with '-fstrict-flex-arrays' - Error module: fix the description for 'ECHILD' and fix Markdown style nit - Code docs: fix logo replacement - Docs: update docs output path - Kbuild: remove old docs output path in 'cleandocs' target * tag 'rust-fixes-6.6' of https://github.com/Rust-for-Linux/linux: rust: docs: fix logo replacement kbuild: remove old Rust docs output path docs: rust: update Rust docs output path rust: fix bindgen build error with fstrict-flex-arrays rust: error: Markdown style nit rust: error: fix the description for `ECHILD` commit c896ff2dd8f30a6b0a922c83a96f6d43f05f0e92 Author: Alain Volmat Date: Tue Oct 10 10:44:54 2023 +0200 i2c: stm32f7: Fix PEC handling in case of SMBUS transfers In case of SMBUS byte read with PEC enabled, the whole transfer is split into two commands. A first write command, followed by a read command. The write command does not have any PEC byte and a PEC byte is appended at the end of the read command. (cf Read byte protocol with PEC in SMBUS specification) Within the STM32 I2C controller, handling (either sending or receiving) of the PEC byte is done via the PECBYTE bit in register CR2. Currently, the PECBYTE is set at the beginning of a transfer, which lead to sending a PEC byte at the end of the write command (hence losing the real last byte), and also does not check the PEC byte received during the read command. This patch corrects the function stm32f7_i2c_smbus_xfer_msg in order to only set the PECBYTE during the read command. Fixes: 9e48155f6bfe ("i2c: i2c-stm32f7: Add initial SMBus protocols support") Signed-off-by: Alain Volmat Reviewed-by: Pierre-Yves MORDRET Acked-by: Andi Shyti Signed-off-by: Wolfram Sang commit 45d3291c5201fced351e62d714e2912400cc7f4d Merge: 94be133fb2b8a d2929762cc3f8 Author: Linus Torvalds Date: Sat Oct 21 11:19:07 2023 -0700 Merge tag 'sched-urgent-2023-10-21' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull scheduler fix from Ingo Molnar: "Fix a recently introduced use-after-free bug" * tag 'sched-urgent-2023-10-21' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: sched/eevdf: Fix heap corruption more commit 94be133fb2b8a36d79b362b3bafbdfd054a4da89 Merge: 023cc83605353 32671e3799ca2 Author: Linus Torvalds Date: Sat Oct 21 11:09:29 2023 -0700 Merge tag 'perf-urgent-2023-10-21' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull perf events fix from Ingo Molnar: "Fix group event semantics" * tag 'perf-urgent-2023-10-21' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: perf: Disallow mis-matched inherited group reads commit 023cc836053539148ffd015d3938887ef19af1cd Merge: 4d7b04c0cda36 03b80ff8023ad Author: Linus Torvalds Date: Sat Oct 21 11:00:36 2023 -0700 Merge tag 'probes-fixes-v6.6-rc6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull probes fixes from Masami Hiramatsu: - kprobe-events: Fix kprobe events to reject if the attached symbol is not unique name because it may not the function which the user want to attach to. (User can attach a probe to such symbol using the nearest unique symbol + offset.) - selftest: Add a testcase to ensure the kprobe event rejects non unique symbol correctly. * tag 'probes-fixes-v6.6-rc6.2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: selftests/ftrace: Add new test case which checks non unique symbol tracing/kprobes: Return EADDRNOTAVAIL when func matches several symbols commit 3dc0ec46f6e7511fc4fdf6b6cda439382bc957f1 Author: Herve Codina Date: Fri Oct 20 17:30:13 2023 +0200 i2c: muxes: i2c-mux-gpmux: Use of_get_i2c_adapter_by_node() i2c-mux-gpmux uses the pair of_find_i2c_adapter_by_node() / i2c_put_adapter(). These pair alone is not correct to properly lock the I2C parent adapter. Indeed, i2c_put_adapter() decrements the module refcount while of_find_i2c_adapter_by_node() does not increment it. This leads to an underflow of the parent module refcount. Use the dedicated function, of_get_i2c_adapter_by_node(), to handle correctly the module refcount. Fixes: ac8498f0ce53 ("i2c: i2c-mux-gpmux: new driver") Signed-off-by: Herve Codina Cc: stable@vger.kernel.org Acked-by: Peter Rosin Reviewed-by: Jonathan Cameron Signed-off-by: Wolfram Sang commit 0fb118de5003028ad092a4e66fc6d07b86c3bc94 Author: Herve Codina Date: Fri Oct 20 17:30:12 2023 +0200 i2c: muxes: i2c-demux-pinctrl: Use of_get_i2c_adapter_by_node() i2c-demux-pinctrl uses the pair of_find_i2c_adapter_by_node() / i2c_put_adapter(). These pair alone is not correct to properly lock the I2C parent adapter. Indeed, i2c_put_adapter() decrements the module refcount while of_find_i2c_adapter_by_node() does not increment it. This leads to an underflow of the parent module refcount. Use the dedicated function, of_get_i2c_adapter_by_node(), to handle correctly the module refcount. Fixes: 50a5ba876908 ("i2c: mux: demux-pinctrl: add driver") Signed-off-by: Herve Codina Cc: stable@vger.kernel.org Acked-by: Peter Rosin Reviewed-by: Jonathan Cameron Signed-off-by: Wolfram Sang commit 3171d37b58a76e1febbf3f4af2d06234a98cf88b Author: Herve Codina Date: Fri Oct 20 17:30:11 2023 +0200 i2c: muxes: i2c-mux-pinctrl: Use of_get_i2c_adapter_by_node() i2c-mux-pinctrl uses the pair of_find_i2c_adapter_by_node() / i2c_put_adapter(). These pair alone is not correct to properly lock the I2C parent adapter. Indeed, i2c_put_adapter() decrements the module refcount while of_find_i2c_adapter_by_node() does not increment it. This leads to an underflow of the parent module refcount. Use the dedicated function, of_get_i2c_adapter_by_node(), to handle correctly the module refcount. Fixes: c4aee3e1b0de ("i2c: mux: pinctrl: remove platform_data") Signed-off-by: Herve Codina Cc: stable@vger.kernel.org Acked-by: Peter Rosin Reviewed-by: Jonathan Cameron Signed-off-by: Wolfram Sang commit 4d7b04c0cda365f190c4a8f7fddc535b93aae9f9 Merge: f51de61ce7cf2 c1ae1c59c8c6e Author: Linus Torvalds Date: Sat Oct 21 10:11:11 2023 -0700 Merge tag 's390-6.6-4' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux Pull s390 fixes from Vasily Gorbik: - Fix IOMMU bitmap allocation in s390 PCI to avoid out of bounds access when IOMMU pages aren't a multiple of 64 - Fix kasan crashes when accessing DCSS mapping in memory holes by adding corresponding kasan zero shadow mappings - Fix a memory leak in css_alloc_subchannel in case dma_set_coherent_mask fails * tag 's390-6.6-4' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux: s390/pci: fix iommu bitmap allocation s390/kasan: handle DCSS mapping in memory holes s390/cio: fix a memleak in css_alloc_subchannel commit f51de61ce7cf27202fe1357b6c35a39a98ecd9cf Merge: bfd4704c82d90 99c09c985e597 Author: Linus Torvalds Date: Sat Oct 21 10:02:46 2023 -0700 Merge tag 'platform-drivers-x86-v6.6-5' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86 Pull x86 platform driver fixes from Hans de Goede: - Fix spurious brightness down presses on newer Asus laptop models - Fix backlight control not working on T2 Mac Pro all-in-ones - Add Armin Wolf as new maintainer for the WMI bus driver and change its status from orphaned to maintained - A few other small fixes * tag 'platform-drivers-x86-v6.6-5' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86: platform/mellanox: mlxbf-tmfifo: Fix a warning message apple-gmux: Hard Code max brightness for MMIO gmux platform/surface: platform_profile: Propagate error if profile registration fails platform/x86: asus-wmi: Map 0x2a code, Ignore 0x2b and 0x2c events platform/x86: asus-wmi: Only map brightness codes when using asus-wmi backlight control platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from 0x20 to 0x2e platform/x86: wmi: Update MAINTAINERS entry platform/x86: msi-ec: Fix the 3rd config platform/x86: intel-uncore-freq: Conditionally create attribute for read frequency platform: mellanox: Fix a resource leak in an error handling path in probing flow commit bfd4704c82d9041cdd611d5c577f1e57ebf91537 Merge: f1de9aced809f 21a68b69f7c16 Author: Linus Torvalds Date: Sat Oct 21 09:57:34 2023 -0700 Merge tag 'usb-6.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB / Thunderbolt fixes and ids from Greg KH: "Here are four small patches for USB and Thunderbolt for 6.6-rc7 that do the following: - new usb-serial device ids - thunderbolt driver fix for reported issue All of these have been in linux-next with no reported problems" * tag 'usb-6.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: USB: serial: option: add Fibocom to DELL custom modem FM101R-GL USB: serial: option: add entry for Sierra EM9191 with new firmware USB: serial: option: add Telit LE910C4-WWX 0x1035 composition thunderbolt: Call tb_switch_put() once DisplayPort bandwidth request is finished commit f1de9aced809f1751bc97703bdf678c75da3fed3 Merge: 5722119f674d8 b11950356c4b4 Author: Linus Torvalds Date: Sat Oct 21 09:49:13 2023 -0700 Merge tag 'v6.6-p5' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto fix from Herbert Xu: "Fix a 6.5 regression in crypto/asymmetric_keys" * tag 'v6.6-p5' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: KEYS: asymmetric: Fix sign/verify on pkcs1pad without a hash commit 5722119f674d81eb88d51463ece8096855d94cc0 Merge: 9c5d00cb7b6bb 3ac974796e5d9 Author: Linus Torvalds Date: Sat Oct 21 09:43:09 2023 -0700 Merge tag 'iomap-6.6-fixes-5' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux Pull iomap fix from Darrick Wong: - Fix a bug where a writev consisting of a bunch of sub-fsblock writes where the last buffer address is invalid could lead to an infinite loop * tag 'iomap-6.6-fixes-5' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux: iomap: fix short copy in iomap_write_iter() commit 3e4a7afde492c51c86da243ae41b22c002e1a5c9 Merge: a3fad2e92c765 bee448390e516 Author: Greg Kroah-Hartman Date: Sat Oct 21 17:35:49 2023 +0200 Merge tag 'iio-fixes-for-6.6b' of https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into char-misc-linus Jonathan writes: 2nd set of IIO fixes for the 6.6 cycle. Note, given timing my expectation is these will be queued for the 6.7 merge window but they could go quicker if the 6.6 cycle ends up being extended. afe: * Allow for channels with offset but no scale. In this case the scale can be assumed to be 1. adi,ad74115: * Add missing dt-binding constraint on number of reset-gpios. samsung,exynos: * Don't request touchscreen interrupt if it is not going to be used, getting rid of an incorrect resulting warning message. xilinx,xadc: * Avoid changing preset voltage and themperature thresholds as they are typicaly set as part of FPGA image building so should be left alone. * Fix wrong temperature offset and scale for some devices. * tag 'iio-fixes-for-6.6b' of https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio: iio: afe: rescale: Accept only offset channels iio: exynos-adc: request second interupt only when touchscreen mode is used iio: adc: xilinx-xadc: Correct temperature offset/scale for UltraScale iio: adc: xilinx-xadc: Don't clobber preset voltage/temperature thresholds dt-bindings: iio: add missing reset-gpios constrain commit 965f9b8c0c1b37fa2a0e3ef56e40d5666d4cbb5c Author: Dell Jin Date: Fri Oct 20 09:20:53 2023 +0300 net: ethernet: adi: adin1110: Fix uninitialized variable The spi_transfer struct has to have all it's fields initialized to 0 in this case, since not all of them are set before starting the transfer. Otherwise, spi_sync_transfer() will sometimes return an error. Fixes: a526a3cc9c8d ("net: ethernet: adi: adin1110: Fix SPI transfers") Signed-off-by: Dell Jin Signed-off-by: Ciprian Regus Signed-off-by: David S. Miller commit 95201f36f395df34321fcddbce12103e8bbe4970 Author: Michael Sit Wei Hong Date: Fri Oct 20 11:25:35 2023 +0800 net: stmmac: update MAC capabilities when tx queues are updated Upon boot up, the driver will configure the MAC capabilities based on the maximum number of tx and rx queues. When the user changes the tx queues to single queue, the MAC should be capable of supporting Half Duplex, but the driver does not update the MAC capabilities when it is configured so. Using the stmmac_reinit_queues() to check the number of tx queues and set the MAC capabilities accordingly. Fixes: 0366f7e06a6b ("net: stmmac: add ethtool support for get/set channels") Cc: # 5.17+ Signed-off-by: Michael Sit Wei Hong Signed-off-by: Gan, Yi Fang Signed-off-by: David S. Miller commit d2ca43f30611ac41bccfa8352c53f5432f0ecbb0 Author: Rob Herring Date: Thu Oct 19 13:23:37 2023 -0500 net: xgene: Fix unused xgene_enet_of_match warning for !CONFIG_OF Commit b0377116decd ("net: ethernet: Use device_get_match_data()") dropped the unconditional use of xgene_enet_of_match resulting in this warning: drivers/net/ethernet/apm/xgene/xgene_enet_main.c:2004:34: warning: unused variable 'xgene_enet_of_match' [-Wunused-const-variable] The fix is to drop of_match_ptr() which is not necessary because DT is always used for this driver (well, it could in theory support ACPI only, but CONFIG_OF is always enabled for arm64). Fixes: b0377116decd ("net: ethernet: Use device_get_match_data()") Reported-by: kernel test robot Closes: https://lore.kernel.org/oe-kbuild-all/202310170627.2Kvf6ZHY-lkp@intel.com/ Signed-off-by: Rob Herring Signed-off-by: David S. Miller commit a3fad2e92c76587fe262a1a4a122045b29885354 Author: Marco Pagani Date: Wed Oct 18 18:38:13 2023 +0200 fpga: disable KUnit test suites when module support is enabled The fpga core currently assumes that all manager, bridge, and region devices have a parent device associated with a driver that can be used to take the module's refcount. This behavior causes the fpga test suites to crash with a null-ptr-deref since parent fake devices do not have a driver. This patch disables all fpga KUnit test suites when loadable module support is enabled until the fpga core is fixed. Test suites can still be run using the KUnit default UML kernel. Signed-off-by: Marco Pagani Acked-by: Xu Yilun Fixes: ccbc1c302115 ("fpga: add an initial KUnit suite for the FPGA Manager") Link: https://lore.kernel.org/r/20231018163814.100803-1-marpagan@redhat.com Signed-off-by: Greg Kroah-Hartman commit 068d8b75c1aee153193522211ace6c13c21cd16b Author: Tirthendu Sarkar Date: Thu Oct 19 13:38:52 2023 -0700 i40e: sync next_to_clean and next_to_process for programming status desc When a programming status desc is encountered on the rx_ring, next_to_process is bumped along with cleaned_count but next_to_clean is not. This causes I40E_DESC_UNUSED() macro to misbehave resulting in overwriting whole ring with new buffers. Update next_to_clean to point to next_to_process on seeing a programming status desc if not in the middle of handling a multi-frag packet. Also, bump cleaned_count only for such case as otherwise next_to_clean buffer may be returned to hardware on reaching clean_threshold. Fixes: e9031f2da1ae ("i40e: introduce next_to_process to i40e_ring") Suggested-by: Maciej Fijalkowski Reported-by: hq.dev+kernel@msdfc.xyz Reported by: Solomon Peachy Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217678 Tested-by: hq.dev+kernel@msdfc.xyz Tested by: Indrek Järve Signed-off-by: Tirthendu Sarkar Tested-by: Arpana Arland (A Contingent worker at Intel) Signed-off-by: Jacob Keller Acked-by: Maciej Fijalkowski Link: https://lore.kernel.org/r/20231019203852.3663665-1-jacob.e.keller@intel.com Signed-off-by: Jakub Kicinski commit e7684d29efdf37304c62bb337ea55b3428ca118e Author: Sasha Neftin Date: Thu Oct 19 13:36:41 2023 -0700 igc: Fix ambiguity in the ethtool advertising The 'ethtool_convert_link_mode_to_legacy_u32' method does not allow us to advertise 2500M speed support and TP (twisted pair) properly. Convert to 'ethtool_link_ksettings_test_link_mode' to advertise supported speed and eliminate ambiguity. Fixes: 8c5ad0dae93c ("igc: Add ethtool support") Suggested-by: Dima Ruinskiy Suggested-by: Vitaly Lifshits Signed-off-by: Sasha Neftin Tested-by: Naama Meir Signed-off-by: Jacob Keller Link: https://lore.kernel.org/r/20231019203641.3661960-1-jacob.e.keller@intel.com Signed-off-by: Jakub Kicinski commit a9beb7e81bcb876615e1fbb3c07f3f9dba69831f Author: Eric Dumazet Date: Thu Oct 19 12:21:04 2023 +0000 neighbour: fix various data-races 1) tbl->gc_thresh1, tbl->gc_thresh2, tbl->gc_thresh3 and tbl->gc_interval can be written from sysfs. 2) tbl->last_flush is read locklessly from neigh_alloc() 3) tbl->proxy_queue.qlen is read locklessly from neightbl_fill_info() 4) neightbl_fill_info() reads cpu stats that can be changed concurrently. Fixes: c7fb64db001f ("[NETLINK]: Neighbour table configuration and statistics via rtnetlink") Signed-off-by: Eric Dumazet Link: https://lore.kernel.org/r/20231019122104.1448310-1-edumazet@google.com Signed-off-by: Jakub Kicinski commit 72bf4f1767f0386970dc04726dc5bc2e3991dc19 Author: Eric Dumazet Date: Thu Oct 19 11:24:57 2023 +0000 net: do not leave an empty skb in write queue Under memory stress conditions, tcp_sendmsg_locked() might call sk_stream_wait_memory(), thus releasing the socket lock. If a fresh skb has been allocated prior to this, we should not leave it in the write queue otherwise tcp_write_xmit() could panic. This apparently does not happen often, but a future change in __sk_mem_raise_allocated() that Shakeel and others are considering would increase chances of being hurt. Under discussion is to remove this controversial part: /* Fail only if socket is _under_ its sndbuf. * In this case we cannot block, so that we have to fail. */ if (sk->sk_wmem_queued + size >= sk->sk_sndbuf) { /* Force charge with __GFP_NOFAIL */ if (memcg_charge && !charged) { mem_cgroup_charge_skmem(sk->sk_memcg, amt, gfp_memcg_charge() | __GFP_NOFAIL); } return 1; } Fixes: fdfc5c8594c2 ("tcp: remove empty skb from write queue in error cases") Signed-off-by: Eric Dumazet Reviewed-by: Shakeel Butt Link: https://lore.kernel.org/r/20231019112457.1190114-1-edumazet@google.com Signed-off-by: Jakub Kicinski commit 2dd710d476f2f1f6eaca884f625f69ef4389ed40 Author: Khazhismel Kumykov Date: Fri Oct 20 15:36:17 2023 -0700 blk-throttle: check for overflow in calculate_bytes_allowed Inexact, we may reject some not-overflowing values incorrectly, but they'll be on the order of exabytes allowed anyways. This fixes divide error crash on x86 if bps_limit is not configured or is set too high in the rare case that jiffy_elapsed is greater than HZ. Fixes: e8368b57c006 ("blk-throttle: use calculate_io/bytes_allowed() for throtl_trim_slice()") Fixes: 8d6bbaada2e0 ("blk-throttle: prevent overflow while calculating wait time") Signed-off-by: Khazhismel Kumykov Acked-by: Tejun Heo Link: https://lore.kernel.org/r/20231020223617.2739774-1-khazhy@google.com Signed-off-by: Jens Axboe commit 9c5d00cb7b6bbc5a7965d9ab7d223b5402d1f02c Merge: 444ccf1b11a0d 4fa008a2db484 Author: Linus Torvalds Date: Fri Oct 20 14:49:24 2023 -0700 Merge tag 'perf-tools-fixes-for-v6.6-2-2023-10-20' of git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools Pull perf tools fixes from Arnaldo Carvalho de Melo: - Fix regression in reading scale and unit files from sysfs for PMU events, so that we can use that info to pretty print instead of printing raw numbers: # perf stat -e power/energy-ram/,power/energy-gpu/ sleep 2 Performance counter stats for 'system wide': 1.64 Joules power/energy-ram/ 0.20 Joules power/energy-gpu/ 2.001228914 seconds time elapsed # # grep -m1 "model name" /proc/cpuinfo model name : Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz # - The small llvm.cpp file used to check if the llvm devel files are present was incorrectly deleted when removing the BPF event in 'perf trace', put it back as it is also used by tools/bpf/bpftool, that uses llvm routines to do disassembly of BPF object files. - Fix use of addr_location__exit() in dlfilter__object_code(), making sure that it is only used to pair a previous addr_location__init() call. * tag 'perf-tools-fixes-for-v6.6-2-2023-10-20' of git://git.kernel.org/pub/scm/linux/kernel/git/perf/perf-tools: tools build: Fix llvm feature detection, still used by bpftool perf dlfilter: Add a test for object_code() perf dlfilter: Fix use of addr_location__exit() in dlfilter__object_code() perf pmu: Fix perf stat output with correct scale and unit commit 444ccf1b11a0dbc54e789d6d2634c2649dc27498 Merge: f74e3ea3ba9cd cf5a103c98a6f Author: Linus Torvalds Date: Fri Oct 20 14:45:41 2023 -0700 Merge tag 'linux_kselftest_active-fixes-6.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest Pull Kselftest fix from Shuah Khan: "One single fix to assert check in user_events abi_test to properly check bit value on Big Endian architectures. The code treated the bit values as Little Endian and the check failed on Big Endian" * tag 'linux_kselftest_active-fixes-6.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest: selftests/user_events: Fix abi_test for BE archs commit f74e3ea3ba9cdef948999c29c1c9793ea26787b4 Merge: 0e97fd29104fd 379e4adfddd6a Author: Linus Torvalds Date: Fri Oct 20 14:04:53 2023 -0700 Merge tag 'nfs-for-6.6-4' of git://git.linux-nfs.org/projects/anna/linux-nfs Pull NFS client fixes from Anna Schumaker: "Stable Fix: - Fix a pNFS hang in nfs4_evict_inode() Fixes: - Force update of suid/sgid bits after an NFS v4.2 ALLOCATE op - Fix a potential oops in nfs_inode_remove_request() - Check the validity of the layout pointer in ff_layout_mirror_prepare_stats() - Fix incorrectly marking the pNFS MDS with USE_PNFS_DS in some cases" * tag 'nfs-for-6.6-4' of git://git.linux-nfs.org/projects/anna/linux-nfs: NFSv4.1: fixup use EXCHGID4_FLAG_USE_PNFS_DS for DS server pNFS/flexfiles: Check the layout validity in ff_layout_mirror_prepare_stats pNFS: Fix a hang in nfs4_evict_inode() NFS: Fix potential oops in nfs_inode_remove_request() nfs42: client needs to strip file mode's suid/sgid bit after ALLOCATE op commit 0e97fd29104fd9c6595788b670d04cc3c0e38b19 Merge: f20f29cbcb438 97ac489775f26 Author: Linus Torvalds Date: Fri Oct 20 14:00:05 2023 -0700 Merge tag 'fsnotify_for_v6.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs Pull fanotify fix from Jan Kara: "Disable superblock / mount marks for filesystems that can encode file handles but not open them (currently only overlayfs). It is not clear the functionality is useful in any way so let's better disable it before someone comes up with some creative misuse" * tag 'fsnotify_for_v6.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs: fanotify: limit reporting of event with non-decodeable file handles commit f20f29cbcb438ca37962d22735f74a143cbeb28c Merge: 75e167c2f63c4 9caa3a2de9552 Author: Linus Torvalds Date: Fri Oct 20 13:47:05 2023 -0700 Merge tag 'acpi-6.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull ACPI fixes from Rafael Wysocki: "These fix the ACPI initialization ordering on ARM and ACPI IRQ management in the cases when irq_create_fwspec_mapping() fails. Specifics: - Fix ACPI initialization ordering on ARM that was changed incorrectly during the 6.5 development cycle (Hanjun Guo) - Make acpi_register_gsi() return an error code as appropriate when irq_create_fwspec_mapping() returns 0 on failure (Sunil V L)" * tag 'acpi-6.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: ACPI: bus: Move acpi_arm_init() to the place of after acpi_ghes_init() ACPI: irq: Fix incorrect return value in acpi_register_gsi() commit 75e167c2f63c45317f18170c1dee1df2167098c2 Merge: 659eaa0015dbc 097c06394c835 Author: Linus Torvalds Date: Fri Oct 20 13:24:50 2023 -0700 Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fixes from James Bottomley: "Two small fixes, both in drivers. The mptsas one is really fixing an error path issue where it can leave the misc driver loaded even though the sas driver fails to initialize" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: qla2xxx: Fix double free of dsd_list during driver load scsi: mpt3sas: Fix in error path commit 659eaa0015dbc640293e8d80b8cf772b1c60c09a Merge: f6176471542d9 62140a1e4dec4 Author: Linus Torvalds Date: Fri Oct 20 13:21:46 2023 -0700 Merge tag 'pinctrl-v6.6-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl Pull pin control fixes from Linus Walleij: - Concurrent register updates in the Qualcomm LPASS pin controller gets a proper lock. - revert a mutex fix that was causing problems: contention on the mutex or something of the sort lead to probe reordering and MMC block devices start to register in a different order, which unsuspecting userspace is not ready to handle * tag 'pinctrl-v6.6-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl: Revert "pinctrl: avoid unsafe code pattern in find_pinctrl()" pinctrl: qcom: lpass-lpi: fix concurrent register updates commit f6176471542d991137543af2ef1c18dae3286079 Merge: 7da6c042ca0da f6ca3fb6978f9 Author: Linus Torvalds Date: Fri Oct 20 13:12:34 2023 -0700 Merge tag 'mtd/fixes-for-6.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux Pull MTD fixes from Miquel Raynal: "In the raw NAND subsystem, the major fix prevents using cached reads with devices not supporting it. There was two bug reports about this. Apart from that, three drivers (pl353, arasan and marvell) could sometimes hide page program failures due to their their own program page helper not being fully compliant with the specification (many drivers use the default helpers shared by the core). Adding a missing check prevents these situation. Finally, the Qualcomm driver had a broken error path. In the SPI-NAND subsystem one Micron device used a wrong bitmak reporting possibly corrupted ECC status. Finally, the physmap-core got stripped from its map_rom fallback by mistake, this feature is added back" * tag 'mtd/fixes-for-6.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux: mtd: rawnand: Ensure the nand chip supports cached reads mtd: rawnand: qcom: Unmap the right resource upon probe failure mtd: rawnand: pl353: Ensure program page operations are successful mtd: rawnand: arasan: Ensure program page operations are successful mtd: spinand: micron: correct bitmask for ecc status mtd: physmap-core: Restore map_rom fallback mtd: rawnand: marvell: Ensure program page operations are successful commit 7da6c042ca0da545682713f3452eecaa18221af4 Merge: c3200081020d6 84ee19bffc930 Author: Linus Torvalds Date: Fri Oct 20 13:09:19 2023 -0700 Merge tag 'mmc-v6.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc Pull MMC fixes from Ulf Hansson: "MMC core: - Capture correct oemid-bits for eMMC cards - Fix error propagation for some ioctl commands - Hold retuning if SDIO is in 1-bit mode MMC host: - mtk-sd: Use readl_poll_timeout_atomic to not "schedule while atomic" - sdhci-msm: Correct minimum number of clocks - sdhci-pci-gli: Fix LPM negotiation so x86/S0ix SoCs can suspend - sdhci-sprd: Fix error code in sdhci_sprd_tuning()" * tag 'mmc-v6.6-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc: mmc: core: Capture correct oemid-bits for eMMC cards mmc: mtk-sd: Use readl_poll_timeout_atomic in msdc_reset_hw mmc: core: Fix error propagation for some ioctl commands mmc: sdhci-sprd: Fix error code in sdhci_sprd_tuning() mmc: sdhci-pci-gli: fix LPM negotiation so x86/S0ix SoCs can suspend mmc: core: sdio: hold retuning if sdio in 1-bit mode dt-bindings: mmc: sdhci-msm: correct minimum number of clocks commit c3200081020d63f6c6bfd8a6db2ae8a5b99b348a Merge: 747b7628ca66d c3414550cb0d4 Author: Linus Torvalds Date: Fri Oct 20 10:31:06 2023 -0700 Merge tag 'block-6.6-2023-10-20' of git://git.kernel.dk/linux Pull block fixes from Jens Axboe: "A fix for a regression with sed-opal and saved keys, and outside of that an NVMe pull request fixing a few minor issues on that front" * tag 'block-6.6-2023-10-20' of git://git.kernel.dk/linux: nvme-pci: add BOGUS_NID for Intel 0a54 device nvmet-auth: complete a request only after freeing the dhchap pointers nvme: sanitize metadata bounce buffer for reads block: Fix regression in sed-opal for a saved key. nvme-auth: use chap->s2 to indicate bidirectional authentication nvmet-tcp: Fix a possible UAF in queue intialization setup nvme-rdma: do not try to stop unallocated queues commit 747b7628ca66de3806e6988d3a6e0c9c48d33694 Merge: 14f6863328164 8b51a3956d44e Author: Linus Torvalds Date: Fri Oct 20 10:28:46 2023 -0700 Merge tag 'io_uring-6.6-2023-10-20' of git://git.kernel.dk/linux Pull io_uring fix from Jens Axboe: "Just a single fix for a bug report that came in, fixing a case where failure to init a ring with IORING_SETUP_NO_MMAP can trigger a NULL pointer dereference" * tag 'io_uring-6.6-2023-10-20' of git://git.kernel.dk/linux: io_uring: fix crash with IORING_SETUP_NO_MMAP and invalid SQ ring address commit 14f6863328164a9e66024bce5f2fa27de7dc00f0 Merge: c8045b4a33a51 8e13caa2150b5 Author: Linus Torvalds Date: Fri Oct 20 10:05:10 2023 -0700 Merge tag 'sound-6.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "Still higher volume than wished, but all are driver-specific small fixes and look safe for this late RC. The majority of changes are for ASoC, especially for wcd938x driver and Cirrus codec drivers, while there are other random fixes including usual HD-audio quirks" * tag 'sound-6.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (22 commits) ASoC: da7219: Correct the process of setting up Gnd switch in AAD ALSA: hda/realtek - Fixed ASUS platform headset Mic issue ALSA: hda/realtek: Add quirk for ASUS ROG GU603ZV ALSA: hda/relatek: Enable Mute LED on HP Laptop 15s-fq5xxx ASoC: dwc: Fix non-DT instantiation ASoC: codecs: tas2780: Fix log of failed reset via I2C. ASoC: rt5650: fix the wrong result of key button ASoC: cs42l42: Fix missing include of gpio/consumer.h ASoC: cs42l43: Update values for bias sense ASoC: dt-bindings: cirrus,cs42l43: Update values for bias sense ASoC: cs35l56: ASP1 DOUT must default to Hi-Z when not transmitting ASoC: pxa: fix a memory leak in probe() ASoC: cs35l56: Fix illegal use of init_completion() ASoC: codecs: wcd938x-sdw: fix runtime PM imbalance on probe errors ASoC: codecs: wcd938x-sdw: fix use after free on driver unbind ASoC: codecs: wcd938x: fix runtime PM imbalance on remove ASoC: codecs: wcd938x: fix regulator leaks on probe errors ASoC: codecs: wcd938x: fix resource leaks on bind errors ASoC: codecs: wcd938x: fix unbind tear down order ASoC: codecs: wcd938x: drop bogus bind error handling ... commit c8045b4a33a511ff1feaeb806e819572b90b6625 Merge: 0df072ab65ef0 8b35ce3f7a969 Author: Linus Torvalds Date: Fri Oct 20 09:55:31 2023 -0700 Merge tag 'drm-fixes-2023-10-20' of git://anongit.freedesktop.org/drm/drm Pull drm fixes from Dave Airlie: "Regular fixes for the week, amdgpu, i915, nouveau, with some other scattered around, nothing major. amdgpu: - Fix possible NULL pointer dereference - Avoid possible BUG_ON in GPUVM updates - Disable AMD_CTX_PRIORITY_UNSET i915: - Fix display issue that was blocking S0ix - Retry gtt fault when out of fence registers bridge: - ti-sn65dsi86: Fix device lifetime edid: - Add quirk for BenQ GW2765 ivpu: - Extend address range for MMU mmap nouveau: - DP-connector fixes - Documentation fixes panel: - Move AUX B116XW03 into panel-simple scheduler: - Eliminate DRM_SCHED_PRIORITY_UNSET ttm: - Fix possible NULL-ptr deref in cleanup mediatek: - Correctly free sg_table in gem prime vmap" * tag 'drm-fixes-2023-10-20' of git://anongit.freedesktop.org/drm/drm: drm/amdgpu: Reserve fences for VM update drm/amdgpu: Fix possible null pointer dereference accel/ivpu: Extend address range for MMU mmap Revert "accel/ivpu: Use cached buffers for FW loading" accel/ivpu: Don't enter d0i3 during FLR drm/i915: Retry gtt fault when out of fence registers drm/i915/cx0: Only clear/set the Pipe Reset bit of the PHY Lanes Owned gpu/drm: Eliminate DRM_SCHED_PRIORITY_UNSET drm/amdgpu: Unset context priority is now invalid drm/mediatek: Correctly free sg_table in gem prime vmap drm/edid: add 8 bpc quirk to the BenQ GW2765 drm/ttm: Reorder sys manager cleanup step drm/nouveau/disp: fix DP capable DSM connectors drm/nouveau: exec: fix ioctl kernel-doc warning drm/panel: Move AUX B116XW03 out of panel-edp back to panel-simple drm/bridge: ti-sn65dsi86: Associate DSI device lifetime with auxiliary device commit c03d21f05e76b25f907684bdf874308dcefab385 Merge: 8dbe33956d96c 50e782a86c980 Author: Ard Biesheuvel Date: Fri Oct 20 18:11:06 2023 +0200 Merge 3rd batch of EFI fixes into efi/urgent commit 50e782a86c980d4f8292ef82ed8139282ca07a98 Author: Kirill A. Shutemov Date: Mon Oct 16 19:31:22 2023 +0300 efi/unaccepted: Fix soft lockups caused by parallel memory acceptance Michael reported soft lockups on a system that has unaccepted memory. This occurs when a user attempts to allocate and accept memory on multiple CPUs simultaneously. The root cause of the issue is that memory acceptance is serialized with a spinlock, allowing only one CPU to accept memory at a time. The other CPUs spin and wait for their turn, leading to starvation and soft lockup reports. To address this, the code has been modified to release the spinlock while accepting memory. This allows for parallel memory acceptance on multiple CPUs. A newly introduced "accepting_list" keeps track of which memory is currently being accepted. This is necessary to prevent parallel acceptance of the same memory block. If a collision occurs, the lock is released and the process is retried. Such collisions should rarely occur. The main path for memory acceptance is the page allocator, which accepts memory in MAX_ORDER chunks. As long as MAX_ORDER is equal to or larger than the unit_size, collisions will never occur because the caller fully owns the memory block being accepted. Aside from the page allocator, only memblock and deferered_free_range() accept memory, but this only happens during boot. The code has been tested with unit_size == 128MiB to trigger collisions and validate the retry codepath. Fixes: 2053bc57f367 ("efi: Add unaccepted memory support") Signed-off-by: Kirill A. Shutemov Reported-by: Michael Roth Reviewed-by: Vlastimil Babka Tested-by: Michael Roth [ardb: drop unnecessary cpu_relax() call] Signed-off-by: Ard Biesheuvel commit 9caa3a2de955238df742572812178568fed173f7 Merge: d5921c460e543 0c21a18d5d6c6 Author: Rafael J. Wysocki Date: Fri Oct 20 17:31:15 2023 +0200 Merge branch 'acpi-irq' Merge ACPI IRQ management fix for 6.6-rc7 (Sunil V L). * acpi-irq: ACPI: irq: Fix incorrect return value in acpi_register_gsi() commit 03b80ff8023adae6780e491f66e932df8165e3a0 Author: Francis Laniel Date: Fri Oct 20 13:42:50 2023 +0300 selftests/ftrace: Add new test case which checks non unique symbol If name_show() is non unique, this test will try to install a kprobe on this function which should fail returning EADDRNOTAVAIL. On kernel where name_show() is not unique, this test is skipped. Link: https://lore.kernel.org/all/20231020104250.9537-3-flaniel@linux.microsoft.com/ Cc: stable@vger.kernel.org Signed-off-by: Francis Laniel Acked-by: Masami Hiramatsu (Google) Signed-off-by: Masami Hiramatsu (Google) commit b022f0c7e404887a7c5229788fc99eff9f9a80d5 Author: Francis Laniel Date: Fri Oct 20 13:42:49 2023 +0300 tracing/kprobes: Return EADDRNOTAVAIL when func matches several symbols When a kprobe is attached to a function that's name is not unique (is static and shares the name with other functions in the kernel), the kprobe is attached to the first function it finds. This is a bug as the function that it is attaching to is not necessarily the one that the user wants to attach to. Instead of blindly picking a function to attach to what is ambiguous, error with EADDRNOTAVAIL to let the user know that this function is not unique, and that the user must use another unique function with an address offset to get to the function they want to attach to. Link: https://lore.kernel.org/all/20231020104250.9537-2-flaniel@linux.microsoft.com/ Cc: stable@vger.kernel.org Fixes: 413d37d1eb69 ("tracing: Add kprobe-based event tracer") Suggested-by: Masami Hiramatsu Signed-off-by: Francis Laniel Link: https://lore.kernel.org/lkml/20230819101105.b0c104ae4494a7d1f2eea742@kernel.org/ Acked-by: Masami Hiramatsu (Google) Signed-off-by: Masami Hiramatsu (Google) commit 8c0b48e01daba5ca58f939a8425855d3f4f2ed14 Author: Mateusz Palczewski Date: Thu Oct 19 13:40:35 2023 -0700 igb: Fix potential memory leak in igb_add_ethtool_nfc_entry Add check for return of igb_update_ethtool_nfc_entry so that in case of any potential errors the memory alocated for input will be freed. Fixes: 0e71def25281 ("igb: add support of RX network flow classification") Reviewed-by: Wojciech Drewek Signed-off-by: Mateusz Palczewski Tested-by: Arpana Arland (A Contingent worker at Intel) Signed-off-by: Jacob Keller Signed-off-by: David S. Miller commit fb71ba0ed8be9534493c80ba00142a64d9972a72 Author: Kunwu Chan Date: Fri Oct 20 17:31:56 2023 +0800 treewide: Spelling fix in comment reques -> request Fixes: 09dde54c6a69 ("PS3: gelic: Add wireless support for PS3") Signed-off-by: Kunwu Chan Reviewed-by: Geert Uytterhoeven Signed-off-by: David S. Miller commit 665e7d83c5386f9abdc67b2e4b6e6d9579aadfcb Author: Ivan Vecera Date: Thu Oct 19 18:37:20 2023 +0200 i40e: Fix I40E_FLAG_VF_VLAN_PRUNING value Commit c87c938f62d8f1 ("i40e: Add VF VLAN pruning") added new PF flag I40E_FLAG_VF_VLAN_PRUNING but its value collides with existing I40E_FLAG_TOTAL_PORT_SHUTDOWN_ENABLED flag. Move the affected flag at the end of the flags and fix its value. Reproducer: [root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 link-down-on-close on [root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 vf-vlan-pruning on [root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 link-down-on-close off [ 6323.142585] i40e 0000:02:00.0: Setting link-down-on-close not supported on this port (because total-port-shutdown is enabled) netlink error: Operation not supported [root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 vf-vlan-pruning off [root@cnb-03 ~]# ethtool --set-priv-flags enp2s0f0np0 link-down-on-close off The link-down-on-close flag cannot be modified after setting vf-vlan-pruning because vf-vlan-pruning shares the same bit with total-port-shutdown flag that prevents any modification of link-down-on-close flag. Fixes: c87c938f62d8 ("i40e: Add VF VLAN pruning") Cc: Mateusz Palczewski Cc: Simon Horman Signed-off-by: Ivan Vecera Reviewed-by: Jacob Keller Tested-by: Pucha Himasekhar Reddy (A Contingent worker at Intel) Signed-off-by: David S. Miller commit 7db3111043885c146e795c199d39c3f9042d97c0 Author: Michal Schmidt Date: Thu Oct 19 09:13:46 2023 +0200 iavf: initialize waitqueues before starting watchdog_task It is not safe to initialize the waitqueues after queueing the watchdog_task. It will be using them. The chance of this causing a real problem is very small, because there will be some sleeping before any of the waitqueues get used. I got a crash only after inserting an artificial sleep in iavf_probe. Queue the watchdog_task as the last step in iavf_probe. Add a comment to prevent repeating the mistake. Fixes: fe2647ab0c99 ("i40evf: prevent VF close returning before state transitions to DOWN") Signed-off-by: Michal Schmidt Reviewed-by: Paul Menzel Reviewed-by: Przemek Kitszel Signed-off-by: David S. Miller commit f97eee484e71890131f9c563c5cc6d5a69e4308d Author: Mirsad Goran Todorovac Date: Wed Oct 18 21:34:38 2023 +0200 r8169: fix the KCSAN reported data race in rtl_rx while reading desc->opts1 KCSAN reported the following data-race bug: ================================================================== BUG: KCSAN: data-race in rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4430 drivers/net/ethernet/realtek/r8169_main.c:4583) r8169 race at unknown origin, with read to 0xffff888117e43510 of 4 bytes by interrupt on cpu 21: rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4430 drivers/net/ethernet/realtek/r8169_main.c:4583) r8169 __napi_poll (net/core/dev.c:6527) net_rx_action (net/core/dev.c:6596 net/core/dev.c:6727) __do_softirq (kernel/softirq.c:553) __irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632) irq_exit_rcu (kernel/softirq.c:647) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1074 (discriminator 14)) asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:645) cpuidle_enter_state (drivers/cpuidle/cpuidle.c:291) cpuidle_enter (drivers/cpuidle/cpuidle.c:390) call_cpuidle (kernel/sched/idle.c:135) do_idle (kernel/sched/idle.c:219 kernel/sched/idle.c:282) cpu_startup_entry (kernel/sched/idle.c:378 (discriminator 1)) start_secondary (arch/x86/kernel/smpboot.c:210 arch/x86/kernel/smpboot.c:294) secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:433) value changed: 0x80003fff -> 0x3402805f Reported by Kernel Concurrency Sanitizer on: CPU: 21 PID: 0 Comm: swapper/21 Tainted: G L 6.6.0-rc2-kcsan-00143-gb5cbe7c00aa0 #41 Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023 ================================================================== drivers/net/ethernet/realtek/r8169_main.c: ========================================== 4429 → 4430 status = le32_to_cpu(desc->opts1); 4431 if (status & DescOwn) 4432 break; 4433 4434 /* This barrier is needed to keep us from reading 4435 * any other fields out of the Rx descriptor until 4436 * we know the status of DescOwn 4437 */ 4438 dma_rmb(); 4439 4440 if (unlikely(status & RxRES)) { 4441 if (net_ratelimit()) 4442 netdev_warn(dev, "Rx ERROR. status = %08x\n", Marco Elver explained that dma_rmb() doesn't prevent the compiler to tear up the access to desc->opts1 which can be written to concurrently. READ_ONCE() should prevent that from happening: 4429 → 4430 status = le32_to_cpu(READ_ONCE(desc->opts1)); 4431 if (status & DescOwn) 4432 break; 4433 As the consequence of this fix, this KCSAN warning was eliminated. Fixes: 6202806e7c03a ("r8169: drop member opts1_mask from struct rtl8169_private") Suggested-by: Marco Elver Cc: Heiner Kallweit Cc: nic_swsd@realtek.com Cc: "David S. Miller" Cc: Eric Dumazet Cc: Jakub Kicinski Cc: Paolo Abeni Cc: netdev@vger.kernel.org Link: https://lore.kernel.org/lkml/dc7fc8fa-4ea4-e9a9-30a6-7c83e6b53188@alu.unizg.hr/ Signed-off-by: Mirsad Goran Todorovac Acked-by: Marco Elver Signed-off-by: David S. Miller commit dcf75a0f6bc136de94e88178ae5f51b7f879abc9 Author: Mirsad Goran Todorovac Date: Wed Oct 18 21:34:36 2023 +0200 r8169: fix the KCSAN reported data-race in rtl_tx while reading TxDescArray[entry].opts1 KCSAN reported the following data-race: ================================================================== BUG: KCSAN: data-race in rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4368 drivers/net/ethernet/realtek/r8169_main.c:4581) r8169 race at unknown origin, with read to 0xffff888140d37570 of 4 bytes by interrupt on cpu 21: rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4368 drivers/net/ethernet/realtek/r8169_main.c:4581) r8169 __napi_poll (net/core/dev.c:6527) net_rx_action (net/core/dev.c:6596 net/core/dev.c:6727) __do_softirq (kernel/softirq.c:553) __irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632) irq_exit_rcu (kernel/softirq.c:647) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1074 (discriminator 14)) asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:645) cpuidle_enter_state (drivers/cpuidle/cpuidle.c:291) cpuidle_enter (drivers/cpuidle/cpuidle.c:390) call_cpuidle (kernel/sched/idle.c:135) do_idle (kernel/sched/idle.c:219 kernel/sched/idle.c:282) cpu_startup_entry (kernel/sched/idle.c:378 (discriminator 1)) start_secondary (arch/x86/kernel/smpboot.c:210 arch/x86/kernel/smpboot.c:294) secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:433) value changed: 0xb0000042 -> 0x00000000 Reported by Kernel Concurrency Sanitizer on: CPU: 21 PID: 0 Comm: swapper/21 Tainted: G L 6.6.0-rc2-kcsan-00143-gb5cbe7c00aa0 #41 Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023 ================================================================== The read side is in drivers/net/ethernet/realtek/r8169_main.c ========================================= 4355 static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp, 4356 int budget) 4357 { 4358 unsigned int dirty_tx, bytes_compl = 0, pkts_compl = 0; 4359 struct sk_buff *skb; 4360 4361 dirty_tx = tp->dirty_tx; 4362 4363 while (READ_ONCE(tp->cur_tx) != dirty_tx) { 4364 unsigned int entry = dirty_tx % NUM_TX_DESC; 4365 u32 status; 4366 → 4367 status = le32_to_cpu(tp->TxDescArray[entry].opts1); 4368 if (status & DescOwn) 4369 break; 4370 4371 skb = tp->tx_skb[entry].skb; 4372 rtl8169_unmap_tx_skb(tp, entry); 4373 4374 if (skb) { 4375 pkts_compl++; 4376 bytes_compl += skb->len; 4377 napi_consume_skb(skb, budget); 4378 } 4379 dirty_tx++; 4380 } 4381 4382 if (tp->dirty_tx != dirty_tx) { 4383 dev_sw_netstats_tx_add(dev, pkts_compl, bytes_compl); 4384 WRITE_ONCE(tp->dirty_tx, dirty_tx); 4385 4386 netif_subqueue_completed_wake(dev, 0, pkts_compl, bytes_compl, 4387 rtl_tx_slots_avail(tp), 4388 R8169_TX_START_THRS); 4389 /* 4390 * 8168 hack: TxPoll requests are lost when the Tx packets are 4391 * too close. Let's kick an extra TxPoll request when a burst 4392 * of start_xmit activity is detected (if it is not detected, 4393 * it is slow enough). -- FR 4394 * If skb is NULL then we come here again once a tx irq is 4395 * triggered after the last fragment is marked transmitted. 4396 */ 4397 if (READ_ONCE(tp->cur_tx) != dirty_tx && skb) 4398 rtl8169_doorbell(tp); 4399 } 4400 } tp->TxDescArray[entry].opts1 is reported to have a data-race and READ_ONCE() fixes this KCSAN warning. 4366 → 4367 status = le32_to_cpu(READ_ONCE(tp->TxDescArray[entry].opts1)); 4368 if (status & DescOwn) 4369 break; 4370 Cc: Heiner Kallweit Cc: nic_swsd@realtek.com Cc: "David S. Miller" Cc: Eric Dumazet Cc: Jakub Kicinski Cc: Paolo Abeni Cc: Marco Elver Cc: netdev@vger.kernel.org Link: https://lore.kernel.org/lkml/dc7fc8fa-4ea4-e9a9-30a6-7c83e6b53188@alu.unizg.hr/ Signed-off-by: Mirsad Goran Todorovac Acked-by: Marco Elver Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: David S. Miller commit c1c0ce31b2420d5c173228a2132a492ede03d81f Author: Mirsad Goran Todorovac Date: Wed Oct 18 21:34:34 2023 +0200 r8169: fix the KCSAN reported data-race in rtl_tx() while reading tp->cur_tx KCSAN reported the following data-race: ================================================================== BUG: KCSAN: data-race in rtl8169_poll [r8169] / rtl8169_start_xmit [r8169] write (marked) to 0xffff888102474b74 of 4 bytes by task 5358 on cpu 29: rtl8169_start_xmit (drivers/net/ethernet/realtek/r8169_main.c:4254) r8169 dev_hard_start_xmit (./include/linux/netdevice.h:4889 ./include/linux/netdevice.h:4903 net/core/dev.c:3544 net/core/dev.c:3560) sch_direct_xmit (net/sched/sch_generic.c:342) __dev_queue_xmit (net/core/dev.c:3817 net/core/dev.c:4306) ip_finish_output2 (./include/linux/netdevice.h:3082 ./include/net/neighbour.h:526 ./include/net/neighbour.h:540 net/ipv4/ip_output.c:233) __ip_finish_output (net/ipv4/ip_output.c:311 net/ipv4/ip_output.c:293) ip_finish_output (net/ipv4/ip_output.c:328) ip_output (net/ipv4/ip_output.c:435) ip_send_skb (./include/net/dst.h:458 net/ipv4/ip_output.c:127 net/ipv4/ip_output.c:1486) udp_send_skb (net/ipv4/udp.c:963) udp_sendmsg (net/ipv4/udp.c:1246) inet_sendmsg (net/ipv4/af_inet.c:840 (discriminator 4)) sock_sendmsg (net/socket.c:730 net/socket.c:753) __sys_sendto (net/socket.c:2177) __x64_sys_sendto (net/socket.c:2185) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) read to 0xffff888102474b74 of 4 bytes by interrupt on cpu 21: rtl8169_poll (drivers/net/ethernet/realtek/r8169_main.c:4397 drivers/net/ethernet/realtek/r8169_main.c:4581) r8169 __napi_poll (net/core/dev.c:6527) net_rx_action (net/core/dev.c:6596 net/core/dev.c:6727) __do_softirq (kernel/softirq.c:553) __irq_exit_rcu (kernel/softirq.c:427 kernel/softirq.c:632) irq_exit_rcu (kernel/softirq.c:647) common_interrupt (arch/x86/kernel/irq.c:247 (discriminator 14)) asm_common_interrupt (./arch/x86/include/asm/idtentry.h:636) cpuidle_enter_state (drivers/cpuidle/cpuidle.c:291) cpuidle_enter (drivers/cpuidle/cpuidle.c:390) call_cpuidle (kernel/sched/idle.c:135) do_idle (kernel/sched/idle.c:219 kernel/sched/idle.c:282) cpu_startup_entry (kernel/sched/idle.c:378 (discriminator 1)) start_secondary (arch/x86/kernel/smpboot.c:210 arch/x86/kernel/smpboot.c:294) secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:433) value changed: 0x002f4815 -> 0x002f4816 Reported by Kernel Concurrency Sanitizer on: CPU: 21 PID: 0 Comm: swapper/21 Tainted: G L 6.6.0-rc2-kcsan-00143-gb5cbe7c00aa0 #41 Hardware name: ASRock X670E PG Lightning/X670E PG Lightning, BIOS 1.21 04/26/2023 ================================================================== The write side of drivers/net/ethernet/realtek/r8169_main.c is: ================== 4251 /* rtl_tx needs to see descriptor changes before updated tp->cur_tx */ 4252 smp_wmb(); 4253 → 4254 WRITE_ONCE(tp->cur_tx, tp->cur_tx + frags + 1); 4255 4256 stop_queue = !netif_subqueue_maybe_stop(dev, 0, rtl_tx_slots_avail(tp), 4257 R8169_TX_STOP_THRS, 4258 R8169_TX_START_THRS); The read side is the function rtl_tx(): 4355 static void rtl_tx(struct net_device *dev, struct rtl8169_private *tp, 4356 int budget) 4357 { 4358 unsigned int dirty_tx, bytes_compl = 0, pkts_compl = 0; 4359 struct sk_buff *skb; 4360 4361 dirty_tx = tp->dirty_tx; 4362 4363 while (READ_ONCE(tp->cur_tx) != dirty_tx) { 4364 unsigned int entry = dirty_tx % NUM_TX_DESC; 4365 u32 status; 4366 4367 status = le32_to_cpu(tp->TxDescArray[entry].opts1); 4368 if (status & DescOwn) 4369 break; 4370 4371 skb = tp->tx_skb[entry].skb; 4372 rtl8169_unmap_tx_skb(tp, entry); 4373 4374 if (skb) { 4375 pkts_compl++; 4376 bytes_compl += skb->len; 4377 napi_consume_skb(skb, budget); 4378 } 4379 dirty_tx++; 4380 } 4381 4382 if (tp->dirty_tx != dirty_tx) { 4383 dev_sw_netstats_tx_add(dev, pkts_compl, bytes_compl); 4384 WRITE_ONCE(tp->dirty_tx, dirty_tx); 4385 4386 netif_subqueue_completed_wake(dev, 0, pkts_compl, bytes_compl, 4387 rtl_tx_slots_avail(tp), 4388 R8169_TX_START_THRS); 4389 /* 4390 * 8168 hack: TxPoll requests are lost when the Tx packets are 4391 * too close. Let's kick an extra TxPoll request when a burst 4392 * of start_xmit activity is detected (if it is not detected, 4393 * it is slow enough). -- FR 4394 * If skb is NULL then we come here again once a tx irq is 4395 * triggered after the last fragment is marked transmitted. 4396 */ → 4397 if (tp->cur_tx != dirty_tx && skb) 4398 rtl8169_doorbell(tp); 4399 } 4400 } Obviously from the code, an earlier detected data-race for tp->cur_tx was fixed in the line 4363: 4363 while (READ_ONCE(tp->cur_tx) != dirty_tx) { but the same solution is required for protecting the other access to tp->cur_tx: → 4397 if (READ_ONCE(tp->cur_tx) != dirty_tx && skb) 4398 rtl8169_doorbell(tp); The write in the line 4254 is protected with WRITE_ONCE(), but the read in the line 4397 might have suffered read tearing under some compiler optimisations. The fix eliminated the KCSAN data-race report for this bug. It is yet to be evaluated what happens if tp->cur_tx changes between the test in line 4363 and line 4397. This test should certainly not be cached by the compiler in some register for such a long time, while asynchronous writes to tp->cur_tx might have occurred in line 4254 in the meantime. Fixes: 94d8a98e6235c ("r8169: reduce number of workaround doorbell rings") Cc: Heiner Kallweit Cc: nic_swsd@realtek.com Cc: "David S. Miller" Cc: Eric Dumazet Cc: Jakub Kicinski Cc: Paolo Abeni Cc: Marco Elver Cc: netdev@vger.kernel.org Link: https://lore.kernel.org/lkml/dc7fc8fa-4ea4-e9a9-30a6-7c83e6b53188@alu.unizg.hr/ Signed-off-by: Mirsad Goran Todorovac Acked-by: Marco Elver Signed-off-by: David S. Miller commit 479ac419206b5fe4ce4e40de61ac3210a36711aa Author: Andy Shevchenko Date: Thu Oct 19 20:34:55 2023 +0300 gpiolib: acpi: Add missing memset(0) to acpi_get_gpiod_from_data() When refactoring the acpi_get_gpiod_from_data() the change missed cleaning up the variable on stack. Add missing memset(). Reported-by: Ferry Toth Fixes: 16ba046e86e9 ("gpiolib: acpi: teach acpi_find_gpio() to handle data-only nodes") Signed-off-by: Andy Shevchenko Reviewed-by: Dmitry Torokhov Signed-off-by: Bartosz Golaszewski commit 21a68b69f7c16f026bd2e51884520aaf594977cb Merge: 8b695369a6f2d 52480e1f1a259 Author: Greg Kroah-Hartman Date: Fri Oct 20 07:52:44 2023 +0200 Merge tag 'usb-serial-6.6-rc7' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-linus Johan writes: USB-serial device ids for 6.6-rc7 Here are some new modem device ids, including an entry needed for Sierra EM9191 which stopped working with recent firmware. All have been in linux-next with no reported issues. * tag 'usb-serial-6.6-rc7' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial: USB: serial: option: add Fibocom to DELL custom modem FM101R-GL USB: serial: option: add entry for Sierra EM9191 with new firmware USB: serial: option: add Telit LE910C4-WWX 0x1035 composition commit 8b35ce3f7a9699e7580527fe4510d77f2a35f02d Merge: 280bd84f0743f dcc583c225e65 Author: Dave Airlie Date: Fri Oct 20 14:23:25 2023 +1000 Merge tag 'mediatek-drm-fixes-20231017' of https://git.kernel.org/pub/scm/linux/kernel/git/chunkuang.hu/linux into drm-fixes Mediatek DRM Fixes - 20231017 1. Correctly free sg_table in gem prime vmap Signed-off-by: Dave Airlie From: Chun-Kuang Hu Link: https://patchwork.freedesktop.org/patch/msgid/20231016233659.3639-1-chunkuang.hu@kernel.org commit 280bd84f0743f95849dbaadb12e9c0e532398d8d Merge: d43c76c8208c1 e339c6d628fe6 Author: Dave Airlie Date: Fri Oct 20 14:21:16 2023 +1000 Merge tag 'drm-intel-fixes-2023-10-19' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes - Fix display issue that was blocking S0ix (Khaled) - Retry gtt fault when out of fence registers (Ville) Signed-off-by: Dave Airlie From: Rodrigo Vivi Link: https://patchwork.freedesktop.org/patch/msgid/ZTFXbo6M5bWp/hTU@intel.com commit d43c76c8208c1c5e83bcf79c3f08974b231188f3 Merge: d844fd038fff5 8f5ad367e8b88 Author: Dave Airlie Date: Fri Oct 20 14:07:41 2023 +1000 Merge tag 'drm-misc-fixes-2023-10-19' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes Short summary of fixes pull: amdgpu: - Disable AMD_CTX_PRIORITY_UNSET bridge: - ti-sn65dsi86: Fix device lifetime edid: - Add quirk for BenQ GW2765 ivpu: - Extend address range for MMU mmap nouveau: - DP-connector fixes - Documentation fixes panel: - Move AUX B116XW03 into panel-simple scheduler: - Eliminate DRM_SCHED_PRIORITY_UNSET ttm: - Fix possible NULL-ptr deref in cleanup Signed-off-by: Dave Airlie From: Thomas Zimmermann Link: https://patchwork.freedesktop.org/patch/msgid/20231019114605.GA22540@linux-uq9g commit d844fd038fff524f1793ffc9edcc8f4709497e65 Merge: 58720809f5277 316baf09d355a Author: Dave Airlie Date: Fri Oct 20 13:42:01 2023 +1000 Merge tag 'amd-drm-fixes-6.6-2023-10-19' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes amd-drm-fixes-6.6-2023-10-19: amdgpu: - Fix possible NULL pointer dereference - Avoid possible BUG_ON in GPUVM updates Signed-off-by: Dave Airlie From: Alex Deucher Link: https://patchwork.freedesktop.org/patch/msgid/20231020012417.4876-1-alexander.deucher@amd.com commit 4fa008a2db484024a5cb52676a1b1534dc82330c Author: Arnaldo Carvalho de Melo Date: Thu Oct 19 18:09:33 2023 -0300 tools build: Fix llvm feature detection, still used by bpftool When removing the BPF event for perf a feature test that checks if the llvm devel files are availabe was removed but that is also used by bpftool. bpftool uses it to decide what kind of disassembly it will use: llvm or binutils based. Removing the tools/build/feature/test-llvm.cpp file made bpftool to always fallback to binutils disassembly, even with the llvm devel files installed, fix it by restoring just that small test-llvm.cpp test file. Fixes: 56b11a2126bf2f42 ("perf bpf: Remove support for embedding clang for compiling BPF events (-e foo.c)") Reported-by: Manu Bretelle Reviewed-by: Ian Rogers Reviewed-by: Manu Bretelle Acked-by: Quentin Monnet Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Andi Kleen Cc: Andrii Nakryiko Cc: Anshuman Khandual Cc: Carsten Haitzler Cc: Eduard Zingerman Cc: Fangrui Song Cc: He Kuang Cc: Ingo Molnar Cc: James Clark Cc: Jiri Olsa Cc: Kan Liang Cc: Leo Yan Cc: Madhavan Srinivasan Cc: Mark Rutland Cc: Namhyung Kim Cc: Nathan Chancellor Cc: Naveen N. Rao Cc: Nick Desaulniers Cc: Peter Zijlstra Cc: Ravi Bangoria Cc: Rob Herring Cc: Tiezhu Yang Cc: Tom Rix Cc: Wang Nan Cc: Wang ShaoBo Cc: Yang Jihong Cc: Yonghong Song Cc: YueHaibing Link: https://lore.kernel.org/lkml/ZTGa0Ukt7QyxWcVy@kernel.org Signed-off-by: Arnaldo Carvalho de Melo commit 0df072ab65ef020091dc69c37c797f2650498472 Merge: ce55c22ec8b22 63e44bc52047f Author: Linus Torvalds Date: Thu Oct 19 18:12:08 2023 -0700 Merge tag 'sev_fixes_for_v6.6' of //git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fixes from Borislav Petkov: "Take care of a race between when the #VC exception is raised and when the guest kernel gets to emulate certain instructions in SEV-{ES,SNP} guests by: - disabling emulation of MMIO instructions when coming from user mode - checking the IO permission bitmap before emulating IO instructions and verifying the memory operands of INS/OUTS insns" * tag 'sev_fixes_for_v6.6' of //git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/sev: Check for user-space IOIO pointing to kernel space x86/sev: Check IOBM for IOIO exceptions from user-space x86/sev: Disable MMIO emulation from user mode commit 913eda2b08cc49d31f382579e2be34c2709eb789 Author: Maciej Fijalkowski Date: Wed Oct 18 18:39:08 2023 +0200 i40e: xsk: remove count_mask Cited commit introduced a neat way of updating next_to_clean that does not require boundary checks on each increment. This was done by masking the new value with (ring length - 1) mask. Problem is that this is applicable only for power of 2 ring sizes, for every other size this assumption can not be made. In turn, it leads to cleaning descriptors out of order as well as splats: [ 1388.411915] Workqueue: events xp_release_deferred [ 1388.411919] RIP: 0010:xp_free+0x1a/0x50 [ 1388.411921] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 55 48 8b 57 70 48 8d 47 70 48 89 e5 48 39 d0 74 06 <5d> c3 cc cc cc cc 48 8b 57 60 83 82 b8 00 00 00 01 48 8b 57 60 48 [ 1388.411922] RSP: 0018:ffa0000000a83cb0 EFLAGS: 00000206 [ 1388.411923] RAX: ff11000119aa5030 RBX: 000000000000001d RCX: ff110001129b6e50 [ 1388.411924] RDX: ff11000119aa4fa0 RSI: 0000000055555554 RDI: ff11000119aa4fc0 [ 1388.411925] RBP: ffa0000000a83cb0 R08: 0000000000000000 R09: 0000000000000000 [ 1388.411926] R10: 0000000000000001 R11: 0000000000000000 R12: ff11000115829b80 [ 1388.411927] R13: 000000000000005f R14: 0000000000000000 R15: ff11000119aa4fc0 [ 1388.411928] FS: 0000000000000000(0000) GS:ff11000277e00000(0000) knlGS:0000000000000000 [ 1388.411929] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1388.411930] CR2: 00007f1f564e6c14 CR3: 000000000783c005 CR4: 0000000000771ef0 [ 1388.411931] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 1388.411931] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 1388.411932] PKRU: 55555554 [ 1388.411933] Call Trace: [ 1388.411934] [ 1388.411935] ? show_regs+0x6e/0x80 [ 1388.411937] ? watchdog_timer_fn+0x1d2/0x240 [ 1388.411939] ? __pfx_watchdog_timer_fn+0x10/0x10 [ 1388.411941] ? __hrtimer_run_queues+0x10e/0x290 [ 1388.411945] ? clockevents_program_event+0xae/0x130 [ 1388.411947] ? hrtimer_interrupt+0x105/0x240 [ 1388.411949] ? __sysvec_apic_timer_interrupt+0x54/0x150 [ 1388.411952] ? sysvec_apic_timer_interrupt+0x7f/0x90 [ 1388.411955] [ 1388.411955] [ 1388.411956] ? asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 1388.411958] ? xp_free+0x1a/0x50 [ 1388.411960] i40e_xsk_clean_rx_ring+0x5d/0x100 [i40e] [ 1388.411968] i40e_clean_rx_ring+0x14c/0x170 [i40e] [ 1388.411977] i40e_queue_pair_disable+0xda/0x260 [i40e] [ 1388.411986] i40e_xsk_pool_setup+0x192/0x1d0 [i40e] [ 1388.411993] i40e_reconfig_rss_queues+0x1f0/0x1450 [i40e] [ 1388.412002] xp_disable_drv_zc+0x73/0xf0 [ 1388.412004] ? mutex_lock+0x17/0x50 [ 1388.412007] xp_release_deferred+0x2b/0xc0 [ 1388.412010] process_one_work+0x178/0x350 [ 1388.412011] ? __pfx_worker_thread+0x10/0x10 [ 1388.412012] worker_thread+0x2f7/0x420 [ 1388.412014] ? __pfx_worker_thread+0x10/0x10 [ 1388.412015] kthread+0xf8/0x130 [ 1388.412017] ? __pfx_kthread+0x10/0x10 [ 1388.412019] ret_from_fork+0x3d/0x60 [ 1388.412021] ? __pfx_kthread+0x10/0x10 [ 1388.412023] ret_from_fork_asm+0x1b/0x30 [ 1388.412026] It comes from picking wrong ring entries when cleaning xsk buffers during pool detach. Remove the count_mask logic and use they boundary check when updating next_to_process (which used to be a next_to_clean). Fixes: c8a8ca3408dc ("i40e: remove unnecessary memory writes of the next to clean pointer") Reported-by: Tushar Vyavahare Tested-by: Tushar Vyavahare Signed-off-by: Maciej Fijalkowski Reviewed-by: Jacob Keller Link: https://lore.kernel.org/r/20231018163908.40841-1-maciej.fijalkowski@intel.com Signed-off-by: Jakub Kicinski commit 316baf09d355aec1179981b6dfe28eba50c5ee5b Author: Felix Kuehling Date: Mon Jul 17 15:28:52 2023 -0400 drm/amdgpu: Reserve fences for VM update In amdgpu_dma_buf_move_notify reserve fences for the page table updates in amdgpu_vm_clear_freed and amdgpu_vm_handle_moved. This fixes a BUG_ON in dma_resv_add_fence when using SDMA for page table updates. Signed-off-by: Felix Kuehling Reviewed-by: Christian König Signed-off-by: Alex Deucher commit 51b79f33817544e3b4df838d86e8e8e4388ff684 Author: Felix Kuehling Date: Tue Oct 17 16:51:03 2023 -0400 drm/amdgpu: Fix possible null pointer dereference abo->tbo.resource may be NULL in amdgpu_vm_bo_update. Fixes: 180253782038 ("drm/ttm: stop allocating dummy resources during BO creation") Signed-off-by: Felix Kuehling Reviewed-by: Christian König Signed-off-by: Alex Deucher commit 3d887d512494d678b17c57b835c32f4e48d34f26 Author: Lukasz Majczak Date: Fri Sep 22 08:34:10 2023 +0200 drm/dp_mst: Fix NULL deref in get_mst_branch_device_by_guid_helper() As drm_dp_get_mst_branch_device_by_guid() is called from drm_dp_get_mst_branch_device_by_guid(), mstb parameter has to be checked, otherwise NULL dereference may occur in the call to the memcpy() and cause following: [12579.365869] BUG: kernel NULL pointer dereference, address: 0000000000000049 [12579.365878] #PF: supervisor read access in kernel mode [12579.365880] #PF: error_code(0x0000) - not-present page [12579.365882] PGD 0 P4D 0 [12579.365887] Oops: 0000 [#1] PREEMPT SMP NOPTI ... [12579.365895] Workqueue: events_long drm_dp_mst_up_req_work [12579.365899] RIP: 0010:memcmp+0xb/0x29 [12579.365921] Call Trace: [12579.365927] get_mst_branch_device_by_guid_helper+0x22/0x64 [12579.365930] drm_dp_mst_up_req_work+0x137/0x416 [12579.365933] process_one_work+0x1d0/0x419 [12579.365935] worker_thread+0x11a/0x289 [12579.365938] kthread+0x13e/0x14f [12579.365941] ? process_one_work+0x419/0x419 [12579.365943] ? kthread_blkcg+0x31/0x31 [12579.365946] ret_from_fork+0x1f/0x30 As get_mst_branch_device_by_guid_helper() is recursive, moving condition to the first line allow to remove a similar one for step over of NULL elements inside a loop. Fixes: 5e93b8208d3c ("drm/dp/mst: move GUID storage from mgr, port to only mst branch") Cc: # 4.14+ Signed-off-by: Lukasz Majczak Reviewed-by: Radoslaw Biernacki Signed-off-by: Manasi Navare Link: https://patchwork.freedesktop.org/patch/msgid/20230922063410.23626-1-lma@semihalf.com commit ce55c22ec8b223a90ff3e084d842f73cfba35588 Merge: 74e9347ebc5be 524515020f255 Author: Linus Torvalds Date: Thu Oct 19 12:08:18 2023 -0700 Merge tag 'net-6.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Jakub Kicinski: "Including fixes from bluetooth, netfilter, WiFi. Feels like an up-tick in regression fixes, mostly for older releases. The hfsc fix, tcp_disconnect() and Intel WWAN fixes stand out as fairly clear-cut user reported regressions. The mlx5 DMA bug was causing strife for 390x folks. The fixes themselves are not particularly scary, tho. No open investigations / outstanding reports at the time of writing. Current release - regressions: - eth: mlx5: perform DMA operations in the right locations, make devices usable on s390x, again - sched: sch_hfsc: upgrade 'rt' to 'sc' when it becomes a inner curve, previous fix of rejecting invalid config broke some scripts - rfkill: reduce data->mtx scope in rfkill_fop_open, avoid deadlock - revert "ethtool: Fix mod state of verbose no_mask bitset", needs more work Current release - new code bugs: - tcp: fix listen() warning with v4-mapped-v6 address Previous releases - regressions: - tcp: allow tcp_disconnect() again when threads are waiting, it was denied to plug a constant source of bugs but turns out .NET depends on it - eth: mlx5: fix double-free if buffer refill fails under OOM - revert "net: wwan: iosm: enable runtime pm support for 7560", it's causing regressions and the WWAN team at Intel disappeared - tcp: tsq: relax tcp_small_queue_check() when rtx queue contains a single skb, fix single-stream perf regression on some devices Previous releases - always broken: - Bluetooth: - fix issues in legacy BR/EDR PIN code pairing - correctly bounds check and pad HCI_MON_NEW_INDEX name - netfilter: - more fixes / follow ups for the large "commit protocol" rework, which went in as a fix to 6.5 - fix null-derefs on netlink attrs which user may not pass in - tcp: fix excessive TLP and RACK timeouts from HZ rounding (bless Debian for keeping HZ=250 alive) - net: more strict VIRTIO_NET_HDR_GSO_UDP_L4 validation, prevent letting frankenstein UDP super-frames from getting into the stack - net: fix interface altnames when ifc moves to a new namespace - eth: qed: fix the size of the RX buffers - mptcp: avoid sending RST when closing the initial subflow" * tag 'net-6.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (94 commits) Revert "ethtool: Fix mod state of verbose no_mask bitset" selftests: mptcp: join: no RST when rm subflow/addr mptcp: avoid sending RST when closing the initial subflow mptcp: more conservative check for zero probes tcp: check mptcp-level constraints for backlog coalescing selftests: mptcp: join: correctly check for no RST net: ti: icssg-prueth: Fix r30 CMDs bitmasks selftests: net: add very basic test for netdev names and namespaces net: move altnames together with the netdevice net: avoid UAF on deleted altname net: check for altname conflicts when changing netdev's netns net: fix ifname in netlink ntf during netns move net: ethernet: ti: Fix mixed module-builtin object net: phy: bcm7xxx: Add missing 16nm EPHY statistics ipv4: fib: annotate races around nh->nh_saddr_genid and nh->nh_saddr tcp_bpf: properly release resources on error paths net/sched: sch_hfsc: upgrade 'rt' to 'sc' when it becomes a inner curve net: mdio-mux: fix C45 access returning -EIO after API change tcp: tsq: relax tcp_small_queue_check() when rtx queue contains a single skb octeon_ep: update BQL sent bytes before ringing doorbell ... commit 74e9347ebc5be452935fe4f3eddb150aa5a6f4fe Merge: 54fb58aec47a4 278be83601dd1 Author: Linus Torvalds Date: Thu Oct 19 11:02:28 2023 -0700 Merge tag 'loongarch-fixes-6.6-3' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson Pull LoongArch fixes from Huacai ChenL "Fix 4-level pagetable building, disable WUC for pgprot_writecombine() like ioremap_wc(), use correct annotation for exception handlers, and a trivial cleanup" * tag 'loongarch-fixes-6.6-3' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson: LoongArch: Disable WUC for pgprot_writecombine() like ioremap_wc() LoongArch: Replace kmap_atomic() with kmap_local_page() in copy_user_highpage() LoongArch: Export symbol invalid_pud_table for modules building LoongArch: Use SYM_CODE_* to annotate exception handlers commit 54fb58aec47a49a80534d2ccabd319334d6b0ef8 Merge: 189b756271e69 c15cdea517414 Author: Linus Torvalds Date: Thu Oct 19 10:53:31 2023 -0700 Merge tag 'slab-fixes-for-6.6-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/vbabka/slab Pull slab fix from Vlastimil Babka: - stable fix to prevent kernel warnings with KASAN_HW_TAGS on arm64 due to improperly resolved kmalloc alignment restrictions (Catalin Marinas) * tag 'slab-fixes-for-6.6-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/vbabka/slab: mm: slab: Do not create kmalloc caches smaller than arch_slab_minalign() commit 189b756271e69bb6b9dfe4703b7f74855ab201b4 Merge: ea1cc20cd4ce5 31c65705a8cfa Author: Linus Torvalds Date: Thu Oct 19 10:10:14 2023 -0700 Merge tag 'seccomp-v6.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull seccomp fix from Kees Cook: - Fix seccomp_unotify perf benchmark for 32-bit (Jiri Slaby) * tag 'seccomp-v6.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: perf/benchmark: fix seccomp_unotify benchmark for 32-bit commit 3ac974796e5d94509b85a403449132ea660127c2 Author: Jan Stancek Date: Thu Oct 19 09:41:36 2023 -0700 iomap: fix short copy in iomap_write_iter() Starting with commit 5d8edfb900d5 ("iomap: Copy larger chunks from userspace"), iomap_write_iter() can get into endless loop. This can be reproduced with LTP writev07 which uses partially valid iovecs: struct iovec wr_iovec[] = { { buffer, 64 }, { bad_addr, 64 }, { buffer + 64, 64 }, { buffer + 64 * 2, 64 }, }; commit bc1bb416bbb9 ("generic_perform_write()/iomap_write_actor(): saner logics for short copy") previously introduced the logic, which made short copy retry in next iteration with amount of "bytes" it managed to copy: if (unlikely(status == 0)) { /* * A short copy made iomap_write_end() reject the * thing entirely. Might be memory poisoning * halfway through, might be a race with munmap, * might be severe memory pressure. */ if (copied) bytes = copied; However, since 5d8edfb900d5 "bytes" is no longer carried into next iteration, because it is now always initialized at the beginning of the loop. And for iov_iter_count < PAGE_SIZE, "bytes" ends up with same value as previous iteration, making the loop retry same copy over and over, which leads to writev07 testcase hanging. Make next iteration retry with amount of bytes we managed to copy. Fixes: 5d8edfb900d5 ("iomap: Copy larger chunks from userspace") Signed-off-by: Jan Stancek Reviewed-by: Darrick J. Wong Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig commit ea1cc20cd4ce55dd920a87a317c43da03ccea192 Merge: f69d00d12fcee 03adc61edad49 Author: Linus Torvalds Date: Thu Oct 19 09:37:41 2023 -0700 Merge tag 'v6.6-rc7.vfs.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs Pull vfs fix from Christian Brauner: "An openat() call from io_uring triggering an audit call can apparently cause the refcount of struct filename to be incremented from multiple threads concurrently during async execution, triggering a refcount underflow and hitting a BUG_ON(). That bug has been lurking around since at least v5.16 apparently. Switch to an atomic counter to fix that. The underflow check is downgraded from a BUG_ON() to a WARN_ON_ONCE() but we could easily remove that check altogether tbh" * tag 'v6.6-rc7.vfs.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs: audit,io_uring: io_uring openat triggers audit reference count underflow commit 524515020f2552759a7ef1c9d03e7dac9b1ff3c2 Author: Kory Maincent Date: Thu Oct 19 15:16:41 2023 +0200 Revert "ethtool: Fix mod state of verbose no_mask bitset" This reverts commit 108a36d07c01edbc5942d27c92494d1c6e4d45a0. It was reported that this fix breaks the possibility to remove existing WoL flags. For example: ~$ ethtool lan2 ... Supports Wake-on: pg Wake-on: d ... ~$ ethtool -s lan2 wol gp ~$ ethtool lan2 ... Wake-on: pg ... ~$ ethtool -s lan2 wol d ~$ ethtool lan2 ... Wake-on: pg ... This worked correctly before this commit because we were always updating a zero bitmap (since commit 6699170376ab ("ethtool: fix application of verbose no_mask bitset"), that is) so that the rest was left zero naturally. But now the 1->0 change (old_val is true, bit not present in netlink nest) no longer works. Reported-by: Oleksij Rempel Reported-by: Michal Kubecek Closes: https://lore.kernel.org/netdev/20231019095140.l6fffnszraeb6iiw@lion.mk-sys.cz/ Cc: stable@vger.kernel.org Fixes: 108a36d07c01 ("ethtool: Fix mod state of verbose no_mask bitset") Signed-off-by: Kory Maincent Reviewed-by: Michal Kubecek Link: https://lore.kernel.org/r/20231019-feature_ptp_bitset_fix-v1-1-70f3c429a221@bootlin.com Signed-off-by: Jakub Kicinski commit f69d00d12fcee9ce4b4f24bf609ad7398d10a576 Merge: 7cf4bea77ab60 e4494770a5cad Author: Linus Torvalds Date: Thu Oct 19 09:10:18 2023 -0700 Merge tag 'ntfs3_for_6.6' of https://github.com/Paragon-Software-Group/linux-ntfs3 Pull ntfs3 fixes from Konstantin Komarov: - memory leak - some logic errors, NULL dereferences - some code was refactored - more sanity checks * tag 'ntfs3_for_6.6' of https://github.com/Paragon-Software-Group/linux-ntfs3: fs/ntfs3: Avoid possible memory leak fs/ntfs3: Fix directory element type detection fs/ntfs3: Fix possible null-pointer dereference in hdr_find_e() fs/ntfs3: Fix OOB read in ntfs_init_from_boot fs/ntfs3: fix panic about slab-out-of-bounds caused by ntfs_list_ea() fs/ntfs3: Fix NULL pointer dereference on error in attr_allocate_frame() fs/ntfs3: Fix possible NULL-ptr-deref in ni_readpage_cmpr() fs/ntfs3: Do not allow to change label if volume is read-only fs/ntfs3: Add more info into /proc/fs/ntfs3//volinfo fs/ntfs3: Refactoring and comments fs/ntfs3: Fix alternative boot searching fs/ntfs3: Allow repeated call to ntfs3_put_sbi fs/ntfs3: Use inode_set_ctime_to_ts instead of inode_set_ctime fs/ntfs3: Fix shift-out-of-bounds in ntfs_fill_super fs/ntfs3: fix deadlock in mark_as_free_ex fs/ntfs3: Add more attributes checks in mi_enum_attr() fs/ntfs3: Use kvmalloc instead of kmalloc(... __GFP_NOWARN) fs/ntfs3: Write immediately updated ntfs state fs/ntfs3: Add ckeck in ni_update_parent() commit 1c1f14f92beca73555f9a23c3f37bae50d9ed323 Merge: 389db4fd673e5 2cfaa8b3b7aec Author: Jakub Kicinski Date: Thu Oct 19 09:10:02 2023 -0700 Merge branch 'mptcp-fixes-for-v6-6' Mat Martineau says: ==================== mptcp: Fixes for v6.6 Patch 1 corrects the logic for MP_JOIN tests where 0 RSTs are expected. Patch 2 ensures MPTCP packets are not incorrectly coalesced in the TCP backlog queue. Patch 3 avoids a zero-window probe and associated WARN_ON_ONCE() in an expected MPTCP reinjection scenario. Patches 4 & 5 allow an initial MPTCP subflow to be closed cleanly instead of always sending RST. Associated selftest is updated. ==================== Link: https://lore.kernel.org/r/20231018-send-net-20231018-v1-0-17ecb002e41d@kernel.org Signed-off-by: Jakub Kicinski commit 2cfaa8b3b7aece3c7b13dd10db20dcea65875692 Author: Matthieu Baerts Date: Wed Oct 18 11:23:56 2023 -0700 selftests: mptcp: join: no RST when rm subflow/addr Recently, we noticed that some RST were wrongly generated when removing the initial subflow. This patch makes sure RST are not sent when removing any subflows or any addresses. Fixes: c2b2ae3925b6 ("mptcp: handle correctly disconnect() failures") Cc: stable@vger.kernel.org Acked-by: Paolo Abeni Signed-off-by: Matthieu Baerts Signed-off-by: Mat Martineau Link: https://lore.kernel.org/r/20231018-send-net-20231018-v1-5-17ecb002e41d@kernel.org Signed-off-by: Jakub Kicinski commit 14c56686a64c65ba716ff48f1f4b19c85f4cb2a9 Author: Geliang Tang Date: Wed Oct 18 11:23:55 2023 -0700 mptcp: avoid sending RST when closing the initial subflow When closing the first subflow, the MPTCP protocol unconditionally calls tcp_disconnect(), which in turn generates a reset if the subflow is established. That is unexpected and different from what MPTCP does with MPJ subflows, where resets are generated only on FASTCLOSE and other edge scenarios. We can't reuse for the first subflow the same code in place for MPJ subflows, as MPTCP clean them up completely via a tcp_close() call, while must keep the first subflow socket alive for later re-usage, due to implementation constraints. This patch adds a new helper __mptcp_subflow_disconnect() that encapsulates, a logic similar to tcp_close, issuing a reset only when the MPTCP_CF_FASTCLOSE flag is set, and performing a clean shutdown otherwise. Fixes: c2b2ae3925b6 ("mptcp: handle correctly disconnect() failures") Cc: stable@vger.kernel.org Reviewed-by: Matthieu Baerts Co-developed-by: Paolo Abeni Signed-off-by: Paolo Abeni Signed-off-by: Geliang Tang Signed-off-by: Mat Martineau Link: https://lore.kernel.org/r/20231018-send-net-20231018-v1-4-17ecb002e41d@kernel.org Signed-off-by: Jakub Kicinski commit 72377ab2d671befd6390a1d5677f5cca61235b65 Author: Paolo Abeni Date: Wed Oct 18 11:23:54 2023 -0700 mptcp: more conservative check for zero probes Christoph reported that the MPTCP protocol can find the subflow-level write queue unexpectedly not empty while crafting a zero-window probe, hitting a warning: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 188 at net/mptcp/protocol.c:1312 mptcp_sendmsg_frag+0xc06/0xe70 Modules linked in: CPU: 0 PID: 188 Comm: kworker/0:2 Not tainted 6.6.0-rc2-g1176aa719d7a #47 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 Workqueue: events mptcp_worker RIP: 0010:mptcp_sendmsg_frag+0xc06/0xe70 net/mptcp/protocol.c:1312 RAX: 47d0530de347ff6a RBX: 47d0530de347ff6b RCX: ffff8881015d3c00 RDX: ffff8881015d3c00 RSI: 47d0530de347ff6b RDI: 47d0530de347ff6b RBP: 47d0530de347ff6b R08: ffffffff8243c6a8 R09: ffffffff82042d9c R10: 0000000000000002 R11: ffffffff82056850 R12: ffff88812a13d580 R13: 0000000000000001 R14: ffff88812b375e50 R15: ffff88812bbf3200 FS: 0000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000695118 CR3: 0000000115dfc001 CR4: 0000000000170ef0 Call Trace: __subflow_push_pending+0xa4/0x420 net/mptcp/protocol.c:1545 __mptcp_push_pending+0x128/0x3b0 net/mptcp/protocol.c:1614 mptcp_release_cb+0x218/0x5b0 net/mptcp/protocol.c:3391 release_sock+0xf6/0x100 net/core/sock.c:3521 mptcp_worker+0x6e8/0x8f0 net/mptcp/protocol.c:2746 process_scheduled_works+0x341/0x690 kernel/workqueue.c:2630 worker_thread+0x3a7/0x610 kernel/workqueue.c:2784 kthread+0x143/0x180 kernel/kthread.c:388 ret_from_fork+0x4d/0x60 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:304 The root cause of the issue is that expectations are wrong: e.g. due to MPTCP-level re-injection we can hit the critical condition. Explicitly avoid the zero-window probe when the subflow write queue is not empty and drop the related warnings. Reported-by: Christoph Paasch Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/444 Fixes: f70cad1085d1 ("mptcp: stop relying on tcp_tx_skb_cache") Cc: stable@vger.kernel.org Reviewed-by: Mat Martineau Signed-off-by: Paolo Abeni Signed-off-by: Mat Martineau Link: https://lore.kernel.org/r/20231018-send-net-20231018-v1-3-17ecb002e41d@kernel.org Signed-off-by: Jakub Kicinski commit 6db8a37dfc541e059851652cfd4f0bb13b8ff6af Author: Paolo Abeni Date: Wed Oct 18 11:23:53 2023 -0700 tcp: check mptcp-level constraints for backlog coalescing The MPTCP protocol can acquire the subflow-level socket lock and cause the tcp backlog usage. When inserting new skbs into the backlog, the stack will try to coalesce them. Currently, we have no check in place to ensure that such coalescing will respect the MPTCP-level DSS, and that may cause data stream corruption, as reported by Christoph. Address the issue by adding the relevant admission check for coalescing in tcp_add_backlog(). Note the issue is not easy to reproduce, as the MPTCP protocol tries hard to avoid acquiring the subflow-level socket lock. Fixes: 648ef4b88673 ("mptcp: Implement MPTCP receive path") Cc: stable@vger.kernel.org Reported-by: Christoph Paasch Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/420 Reviewed-by: Mat Martineau Signed-off-by: Paolo Abeni Signed-off-by: Mat Martineau Link: https://lore.kernel.org/r/20231018-send-net-20231018-v1-2-17ecb002e41d@kernel.org Signed-off-by: Jakub Kicinski commit b134a5805455d1886662a6516c965cdb9df9fbcc Author: Matthieu Baerts Date: Wed Oct 18 11:23:52 2023 -0700 selftests: mptcp: join: correctly check for no RST The commit mentioned below was more tolerant with the number of RST seen during a test because in some uncontrollable situations, multiple RST can be generated. But it was not taking into account the case where no RST are expected: this validation was then no longer reporting issues for the 0 RST case because it is not possible to have less than 0 RST in the counter. This patch fixes the issue by adding a specific condition. Fixes: 6bf41020b72b ("selftests: mptcp: update and extend fastclose test-cases") Cc: stable@vger.kernel.org Reviewed-by: Mat Martineau Signed-off-by: Matthieu Baerts Signed-off-by: Mat Martineau Link: https://lore.kernel.org/r/20231018-send-net-20231018-v1-1-17ecb002e41d@kernel.org Signed-off-by: Jakub Kicinski commit 389db4fd673e5b122393a69b2973dd294a125573 Author: MD Danish Anwar Date: Wed Oct 18 20:37:15 2023 +0530 net: ti: icssg-prueth: Fix r30 CMDs bitmasks The bitmasks for EMAC_PORT_DISABLE and EMAC_PORT_FORWARD r30 commands are wrong in the driver. Update the bitmasks of these commands to the correct ones as used by the ICSSG firmware. These bitmasks are backwards compatible and work with any ICSSG firmware version. Fixes: e9b4ece7d74b ("net: ti: icssg-prueth: Add Firmware config and classification APIs.") Signed-off-by: MD Danish Anwar Reviewed-by: Andrew Lunn Link: https://lore.kernel.org/r/20231018150715.3085380-1-danishanwar@ti.com Signed-off-by: Jakub Kicinski commit 7cf4bea77ab60742c128c2ceb4b1b8078887b823 Merge: dd72f9c7e512d 8a540e990d7da Author: Linus Torvalds Date: Thu Oct 19 08:56:01 2023 -0700 Merge tag 'for-6.6-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux Pull btrfs fix from David Sterba: "Fix a bug in chunk size decision that could lead to suboptimal placement and filling patterns" * tag 'for-6.6-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux: btrfs: fix stripe length calculation for non-zoned data chunk allocation commit cfd96726e61136e68a168813cedc4084f626208b Author: Miguel Ojeda Date: Wed Oct 18 17:55:27 2023 +0200 rust: docs: fix logo replacement The static files placement by `rustdoc` changed in Rust 1.67.0 [1], but the custom code we have to replace the logo in the generated HTML files did not get updated. Thus update it to have the Linux logo again in the output. Hopefully `rustdoc` will eventually support a custom logo from a local file [2], so that we do not need to maintain this hack on our side. Link: https://github.com/rust-lang/rust/pull/101702 [1] Link: https://github.com/rust-lang/rfcs/pull/3226 [2] Fixes: 3ed03f4da06e ("rust: upgrade to Rust 1.68.2") Cc: stable@vger.kernel.org Tested-by: Benno Lossin Reviewed-by: Andreas Hindborg Link: https://lore.kernel.org/r/20231018155527.1015059-1-ojeda@kernel.org Signed-off-by: Miguel Ojeda commit 1db773da58df20772dcc037a47163ce472d39c4d Author: Miguel Ojeda Date: Wed Oct 18 18:01:45 2023 +0200 kbuild: remove old Rust docs output path The Rust code documentation output path moved from `rust/doc` to `Documentation/output/rust/rustdoc`. The `make cleandocs` target takes care of cleaning it now since it is integrated with the rest of the documentation. Thus remove the old reference. Fixes: 48fadf440075 ("docs: Move rustdoc output, cross-reference it") Reviewed-by: Benno Lossin Reviewed-by: Alice Ryhl Reviewed-by: Andreas Hindborg Link: https://lore.kernel.org/r/20231018160145.1017340-2-ojeda@kernel.org Signed-off-by: Miguel Ojeda commit bd9e54a42ce26026d67963c21b3fdfe8c7e68430 Author: Miguel Ojeda Date: Wed Oct 18 18:01:44 2023 +0200 docs: rust: update Rust docs output path The Rust code documentation output path moved from `rust/doc` to `Documentation/output/rust/rustdoc`, thus update the old reference. Fixes: 48fadf440075 ("docs: Move rustdoc output, cross-reference it") Reviewed-by: Benno Lossin Reviewed-by: Alice Ryhl Reviewed-by: Andreas Hindborg Link: https://lore.kernel.org/r/20231018160145.1017340-1-ojeda@kernel.org Signed-off-by: Miguel Ojeda commit c1ae1c59c8c6e0b66a718308c623e0cb394dab6b Author: Niklas Schnelle Date: Tue Oct 17 15:37:29 2023 +0200 s390/pci: fix iommu bitmap allocation Since the fixed commits both zdev->iommu_bitmap and zdev->lazy_bitmap are allocated as vzalloc(zdev->iommu_pages / 8). The problem is that zdev->iommu_bitmap is a pointer to unsigned long but the above only yields an allocation that is a multiple of sizeof(unsigned long) which is 8 on s390x if the number of IOMMU pages is a multiple of 64. This in turn is the case only if the effective IOMMU aperture is a multiple of 64 * 4K = 256K. This is usually the case and so didn't cause visible issues since both the virt_to_phys(high_memory) reduced limit and hardware limits use nice numbers. Under KVM, and in particular with QEMU limiting the IOMMU aperture to the vfio DMA limit (default 65535), it is possible for the reported aperture not to be a multiple of 256K however. In this case we end up with an iommu_bitmap whose allocation is not a multiple of 8 causing bitmap operations to access it out of bounds. Sadly we can't just fix this in the obvious way and use bitmap_zalloc() because for large RAM systems (tested on 8 TiB) the zdev->iommu_bitmap grows too large for kmalloc(). So add our own bitmap_vzalloc() wrapper. This might be a candidate for common code, but this area of code will be replaced by the upcoming conversion to use the common code DMA API on s390 so just add a local routine. Fixes: 224593215525 ("s390/pci: use virtual memory for iommu bitmap") Fixes: 13954fd6913a ("s390/pci_dma: improve lazy flush for unmap") Cc: stable@vger.kernel.org Reviewed-by: Matthew Rosato Signed-off-by: Niklas Schnelle Signed-off-by: Vasily Gorbik commit 97ac489775f26acfd46a8a60c2f84ce7cc79fa4b Author: Amir Goldstein Date: Wed Oct 18 12:59:56 2023 +0300 fanotify: limit reporting of event with non-decodeable file handles Commit a95aef69a740 ("fanotify: support reporting non-decodeable file handles") merged in v6.5-rc1, added the ability to use an fanotify group with FAN_REPORT_FID mode to watch filesystems that do not support nfs export, but do know how to encode non-decodeable file handles, with the newly introduced AT_HANDLE_FID flag. At the time that this commit was merged, there were no filesystems in-tree with those traits. Commit 16aac5ad1fa9 ("ovl: support encoding non-decodable file handles"), merged in v6.6-rc1, added this trait to overlayfs, thus allowing fanotify watching of overlayfs with FAN_REPORT_FID mode. In retrospect, allowing an fanotify filesystem/mount mark on such filesystem in FAN_REPORT_FID mode will result in getting events with file handles, without the ability to resolve the filesystem objects from those file handles (i.e. no open_by_handle_at() support). For v6.6, the safer option would be to allow this mode for inode marks only, where the caller has the opportunity to use name_to_handle_at() at the time of setting the mark. In the future we can revise this decision. Fixes: a95aef69a740 ("fanotify: support reporting non-decodeable file handles") Signed-off-by: Amir Goldstein Signed-off-by: Jan Kara Message-Id: <20231018100000.2453965-2-amir73il@gmail.com> commit f7d86df41f963985261bc7a252b44dacf833d3f1 Merge: a602ee3176a81 3920431d98a9f Author: Paolo Abeni Date: Thu Oct 19 15:51:18 2023 +0200 Merge branch 'net-fix-bugs-in-device-netns-move-and-rename' Jakub Kicinski says: ==================== net: fix bugs in device netns-move and rename Daniel reported issues with the uevents generated during netdev namespace move, if the netdev is getting renamed at the same time. While the issue that he actually cares about is not fixed here, there is a bunch of seemingly obvious other bugs in this code. Fix the purely networking bugs while the discussion around the uevent fix is still ongoing. ==================== Link: https://lore.kernel.org/r/20231018013817.2391509-1-kuba@kernel.org Signed-off-by: Paolo Abeni commit 3920431d98a9ff26002b16802c153d3df5f55926 Author: Jakub Kicinski Date: Tue Oct 17 18:38:17 2023 -0700 selftests: net: add very basic test for netdev names and namespaces Add selftest for fixes around naming netdevs and namespaces. Signed-off-by: Jakub Kicinski Reviewed-by: Przemek Kitszel Signed-off-by: Paolo Abeni commit 8e15aee621618a3ee3abecaf1fd8c1428098b7ef Author: Jakub Kicinski Date: Tue Oct 17 18:38:16 2023 -0700 net: move altnames together with the netdevice The altname nodes are currently not moved to the new netns when netdevice itself moves: [ ~]# ip netns add test [ ~]# ip -netns test link add name eth0 type dummy [ ~]# ip -netns test link property add dev eth0 altname some-name [ ~]# ip -netns test link show dev some-name 2: eth0: mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 link/ether 1e:67:ed:19:3d:24 brd ff:ff:ff:ff:ff:ff altname some-name [ ~]# ip -netns test link set dev eth0 netns 1 [ ~]# ip link ... 3: eth0: mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 link/ether 02:40:88:62:ec:b8 brd ff:ff:ff:ff:ff:ff altname some-name [ ~]# ip li show dev some-name Device "some-name" does not exist. Remove them from the hash table when device is unlisted and add back when listed again. Fixes: 36fbf1e52bd3 ("net: rtnetlink: add linkprop commands to add and delete alternative ifnames") Reviewed-by: Jiri Pirko Signed-off-by: Jakub Kicinski Signed-off-by: Paolo Abeni commit 1a83f4a7c156fa6bbd6b530e89fa3270bf3d9d1b Author: Jakub Kicinski Date: Tue Oct 17 18:38:15 2023 -0700 net: avoid UAF on deleted altname Altnames are accessed under RCU (dev_get_by_name_rcu()) but freed by kfree() with no synchronization point. Each node has one or two allocations (node and a variable-size name, sometimes the name is netdev->name). Adding rcu_heads here is a bit tedious. Besides most code which unlists the names already has rcu barriers - so take the simpler approach of adding synchronize_rcu(). Note that the one on the unregistration path (which matters more) is removed by the next fix. Fixes: ff92741270bf ("net: introduce name_node struct to be used in hashlist") Reviewed-by: Jiri Pirko Signed-off-by: Jakub Kicinski Signed-off-by: Paolo Abeni commit 7663d522099ecc464512164e660bc771b2ff7b64 Author: Jakub Kicinski Date: Tue Oct 17 18:38:14 2023 -0700 net: check for altname conflicts when changing netdev's netns It's currently possible to create an altname conflicting with an altname or real name of another device by creating it in another netns and moving it over: [ ~]$ ip link add dev eth0 type dummy [ ~]$ ip netns add test [ ~]$ ip -netns test link add dev ethX netns test type dummy [ ~]$ ip -netns test link property add dev ethX altname eth0 [ ~]$ ip -netns test link set dev ethX netns 1 [ ~]$ ip link ... 3: eth0: mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 link/ether 02:40:88:62:ec:b8 brd ff:ff:ff:ff:ff:ff ... 5: ethX: mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 link/ether 26:b7:28:78:38:0f brd ff:ff:ff:ff:ff:ff altname eth0 Create a macro for walking the altnames, this hopefully makes it clearer that the list we walk contains only altnames. Which is otherwise not entirely intuitive. Fixes: 36fbf1e52bd3 ("net: rtnetlink: add linkprop commands to add and delete alternative ifnames") Reviewed-by: Jiri Pirko Signed-off-by: Jakub Kicinski Signed-off-by: Paolo Abeni commit 311cca40661f428b7aa114fb5af578cfdbe3e8b6 Author: Jakub Kicinski Date: Tue Oct 17 18:38:13 2023 -0700 net: fix ifname in netlink ntf during netns move dev_get_valid_name() overwrites the netdev's name on success. This makes it hard to use in prepare-commit-like fashion, where we do validation first, and "commit" to the change later. Factor out a helper which lets us save the new name to a buffer. Use it to fix the problem of notification on netns move having incorrect name: 5: eth0: mtu 1500 qdisc noop state DOWN group default link/ether be:4d:58:f9:d5:40 brd ff:ff:ff:ff:ff:ff 6: eth1: mtu 1500 qdisc noop state DOWN group default link/ether 1e:4a:34:36:e3:cd brd ff:ff:ff:ff:ff:ff [ ~]# ip link set dev eth0 netns 1 name eth1 ip monitor inside netns: Deleted inet eth0 Deleted inet6 eth0 Deleted 5: eth1: mtu 1500 qdisc noop state DOWN group default link/ether be:4d:58:f9:d5:40 brd ff:ff:ff:ff:ff:ff new-netnsid 0 new-ifindex 7 Name is reported as eth1 in old netns for ifindex 5, already renamed. Fixes: d90310243fd7 ("net: device name allocation cleanups") Signed-off-by: Jakub Kicinski Reviewed-by: Jiri Pirko Signed-off-by: Paolo Abeni commit 6b18ef481f31d0df9d1b20a40c8174956bd947fa Author: Christian König Date: Mon Oct 16 17:29:34 2023 +0200 drm/amdgpu: ignore duplicate BOs again Looks like RADV is actually hitting this. Signed-off-by: Christian König Fixes: ca6c1e210aa7 ("drm/amdgpu: use the new drm_exec object for CS v3") Acked-by: Alex Deucher Link: https://patchwork.freedesktop.org/patch/msgid/20231017121015.1336786-1-christian.koenig@amd.com commit a602ee3176a81280b829c9f0cf259450f7982168 Author: MD Danish Anwar Date: Wed Oct 18 12:19:36 2023 +0530 net: ethernet: ti: Fix mixed module-builtin object With CONFIG_TI_K3_AM65_CPSW_NUSS=y and CONFIG_TI_ICSSG_PRUETH=m, k3-cppi-desc-pool.o is linked to a module and also to vmlinux even though the expected CFLAGS are different between builtins and modules. The build system is complaining about the following: k3-cppi-desc-pool.o is added to multiple modules: icssg-prueth ti-am65-cpsw-nuss Introduce the new module, k3-cppi-desc-pool, to provide the common functions to ti-am65-cpsw-nuss and icssg-prueth. Fixes: 128d5874c082 ("net: ti: icssg-prueth: Add ICSSG ethernet driver") Signed-off-by: MD Danish Anwar Link: https://lore.kernel.org/r/20231018064936.3146846-1-danishanwar@ti.com Signed-off-by: Paolo Abeni commit 62140a1e4dec4594d5d1e1d353747bf2ef434e8b Author: Andy Shevchenko Date: Tue Oct 17 17:18:06 2023 +0300 Revert "pinctrl: avoid unsafe code pattern in find_pinctrl()" The commit breaks MMC enumeration on the Intel Merrifield plaform. Before: [ 36.439057] mmc0: SDHCI controller on PCI [0000:00:01.0] using ADMA [ 36.450924] mmc2: SDHCI controller on PCI [0000:00:01.3] using ADMA [ 36.459355] mmc1: SDHCI controller on PCI [0000:00:01.2] using ADMA [ 36.706399] mmc0: new DDR MMC card at address 0001 [ 37.058972] mmc2: new ultra high speed DDR50 SDIO card at address 0001 [ 37.278977] mmcblk0: mmc0:0001 H4G1d 3.64 GiB [ 37.297300] mmcblk0: p1 p2 p3 p4 p5 p6 p7 p8 p9 p10 After: [ 36.436704] mmc2: SDHCI controller on PCI [0000:00:01.3] using ADMA [ 36.436720] mmc1: SDHCI controller on PCI [0000:00:01.0] using ADMA [ 36.463685] mmc0: SDHCI controller on PCI [0000:00:01.2] using ADMA [ 36.720627] mmc1: new DDR MMC card at address 0001 [ 37.068181] mmc2: new ultra high speed DDR50 SDIO card at address 0001 [ 37.279998] mmcblk1: mmc1:0001 H4G1d 3.64 GiB [ 37.302670] mmcblk1: p1 p2 p3 p4 p5 p6 p7 p8 p9 p10 This reverts commit c153a4edff6ab01370fcac8e46f9c89cca1060c2. Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/r/20231017141806.535191-1-andriy.shevchenko@linux.intel.com Signed-off-by: Linus Walleij commit 32671e3799ca2e4590773fd0e63aaa4229e50c06 Author: Peter Zijlstra Date: Wed Oct 18 13:56:54 2023 +0200 perf: Disallow mis-matched inherited group reads Because group consistency is non-atomic between parent (filedesc) and children (inherited) events, it is possible for PERF_FORMAT_GROUP read() to try and sum non-matching counter groups -- with non-sensical results. Add group_generation to distinguish the case where a parent group removes and adds an event and thus has the same number, but a different configuration of events as inherited groups. This became a problem when commit fa8c269353d5 ("perf/core: Invert perf_read_group() loops") flipped the order of child_list and sibling_list. Previously it would iterate the group (sibling_list) first, and for each sibling traverse the child_list. In this order, only the group composition of the parent is relevant. By flipping the order the group composition of the child (inherited) events becomes an issue and the mis-match in group composition becomes evident. That said; even prior to this commit, while reading of a group that is not equally inherited was not broken, it still made no sense. (Ab)use ECHILD as error return to indicate issues with child process group composition. Fixes: fa8c269353d5 ("perf/core: Invert perf_read_group() loops") Reported-by: Budimir Markovic Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20231018115654.GK33217@noisy.programming.kicks-ass.net commit 8f5ad367e8b884772945c6c9fb622ac94b7d3e32 Author: Wludzik, Jozef Date: Wed Oct 18 13:01:13 2023 +0200 accel/ivpu: Extend address range for MMU mmap Allow to use whole address range in MMU context mmap which is up to 48 bits. Return invalid argument from MMU context mmap in case address is not aligned to MMU page size, address is below MMU page size or address is greater then 47 bits. This fixes problem disallowing to run large models on VPU4 Signed-off-by: Wludzik, Jozef Reviewed-by: Stanislaw Gruszka Signed-off-by: Stanislaw Gruszka Link: https://patchwork.freedesktop.org/patch/msgid/20231018110113.547208-1-stanislaw.gruszka@linux.intel.com commit 610b5d219d1ccac8064556310cc0e62e3c202389 Author: Stanislaw Gruszka Date: Tue Oct 17 14:13:53 2023 +0200 Revert "accel/ivpu: Use cached buffers for FW loading" This reverts commit 645d694559cab36fe6a57c717efcfa27d9321396. The commit cause issues with memory access from the device side. Switch back to write-combined memory mappings until the issues will be properly addressed. Add extra wmb() needed when boot_params->save_restore_ret_address() is modified. Reviewed-by: Karol Wachowski Signed-off-by: Stanislaw Gruszka Link: https://patchwork.freedesktop.org/patch/msgid/20231017121353.532466-1-stanislaw.gruszka@linux.intel.com commit 828d63042aeca132a93938b98dc7f1a6c97bbc51 Author: Jacek Lawrynowicz Date: Tue Oct 3 08:42:13 2023 +0200 accel/ivpu: Don't enter d0i3 during FLR Avoid HW bug on some platforms where we enter D0i3 state and CPU is in low power states (C8 or above). Fixes: 852be13f3bd3 ("accel/ivpu: Add PM support") Cc: stable@vger.kernel.org Signed-off-by: Jacek Lawrynowicz Reviewed-by: Stanislaw Gruszka Signed-off-by: Stanislaw Gruszka Link: https://patchwork.freedesktop.org/patch/msgid/20231003064213.1527327-1-stanislaw.gruszka@linux.intel.com commit 9b9ac46c6cb52a2f3f779732d6837ecab1ca78dc Merge: 88343fbe5a137 f86fb94011aeb Author: Jakub Kicinski Date: Wed Oct 18 18:17:50 2023 -0700 Merge tag 'nf-23-10-18' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf Florian Westphal says: ==================== netfilter: updates for net First patch, from Phil Sutter, reduces number of audit notifications when userspace requests to re-set stateful objects. This change also comes with a selftest update. Second patch, also from Phil, moves the nftables audit selftest to its own netns to avoid interference with the init netns. Third patch, from Pablo Neira, fixes an inconsistency with the "rbtree" set backend: When set element X has expired, a request to delete element X should fail (like with all other backends). Finally, patch four, also from Pablo, reverts a recent attempt to speed up abort of a large pending update with the "pipapo" set backend. It could cause stray references to remain in the set, which then results in a double-free. * tag 'nf-23-10-18' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf: netfilter: nf_tables: revert do not remove elements if set backend implements .abort netfilter: nft_set_rbtree: .deactivate fails if element has expired selftests: netfilter: Run nft_audit.sh in its own netns netfilter: nf_tables: audit log object reset once per table ==================== Link: https://lore.kernel.org/r/20231018125605.27299-1-fw@strlen.de Signed-off-by: Jakub Kicinski commit 88343fbe5a137e2ad19cf35887d2733b9cc5cb02 Merge: 6200e00e112ce f2ac54ebf8561 Author: Jakub Kicinski Date: Wed Oct 18 18:14:25 2023 -0700 Merge tag 'wireless-2023-10-18' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless Johannes Berg says: ==================== A few more fixes: * prevent value bounce/glitch in rfkill GPIO probe * fix lockdep report in rfkill * fix error path leak in mac80211 key handling * use system_unbound_wq for wiphy work since it can take longer * tag 'wireless-2023-10-18' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless: net: rfkill: reduce data->mtx scope in rfkill_fop_open net: rfkill: gpio: prevent value glitch during probe wifi: mac80211: fix error path key leak wifi: cfg80211: use system_unbound_wq for wiphy work ==================== Link: https://lore.kernel.org/r/20231018071041.8175-2-johannes@sipsolutions.net Signed-off-by: Jakub Kicinski commit 6200e00e112ce2d17b066a20dd2476d9aecbefa6 Author: Florian Fainelli Date: Tue Oct 17 13:51:19 2023 -0700 net: phy: bcm7xxx: Add missing 16nm EPHY statistics The .probe() function would allocate the necessary space and ensure that the library call sizes the number of statistics but the callbacks necessary to fetch the name and values were not wired up. Reported-by: Justin Chen Fixes: f68d08c437f9 ("net: phy: bcm7xxx: Add EPHY entry for 72165") Reviewed-by: Andrew Lunn Signed-off-by: Florian Fainelli Reviewed-by: Simon Horman Link: https://lore.kernel.org/r/20231017205119.416392-1-florian.fainelli@broadcom.com Signed-off-by: Jakub Kicinski commit 195374d893681da43a39796e53b30ac4f20400c4 Author: Eric Dumazet Date: Tue Oct 17 19:23:04 2023 +0000 ipv4: fib: annotate races around nh->nh_saddr_genid and nh->nh_saddr syzbot reported a data-race while accessing nh->nh_saddr_genid [1] Add annotations, but leave the code lazy as intended. [1] BUG: KCSAN: data-race in fib_select_path / fib_select_path write to 0xffff8881387166f0 of 4 bytes by task 6778 on cpu 1: fib_info_update_nhc_saddr net/ipv4/fib_semantics.c:1334 [inline] fib_result_prefsrc net/ipv4/fib_semantics.c:1354 [inline] fib_select_path+0x292/0x330 net/ipv4/fib_semantics.c:2269 ip_route_output_key_hash_rcu+0x659/0x12c0 net/ipv4/route.c:2810 ip_route_output_key_hash net/ipv4/route.c:2644 [inline] __ip_route_output_key include/net/route.h:134 [inline] ip_route_output_flow+0xa6/0x150 net/ipv4/route.c:2872 send4+0x1f5/0x520 drivers/net/wireguard/socket.c:61 wg_socket_send_skb_to_peer+0x94/0x130 drivers/net/wireguard/socket.c:175 wg_socket_send_buffer_to_peer+0xd6/0x100 drivers/net/wireguard/socket.c:200 wg_packet_send_handshake_initiation drivers/net/wireguard/send.c:40 [inline] wg_packet_handshake_send_worker+0x10c/0x150 drivers/net/wireguard/send.c:51 process_one_work kernel/workqueue.c:2630 [inline] process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703 worker_thread+0x525/0x730 kernel/workqueue.c:2784 kthread+0x1d7/0x210 kernel/kthread.c:388 ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 read to 0xffff8881387166f0 of 4 bytes by task 6759 on cpu 0: fib_result_prefsrc net/ipv4/fib_semantics.c:1350 [inline] fib_select_path+0x1cb/0x330 net/ipv4/fib_semantics.c:2269 ip_route_output_key_hash_rcu+0x659/0x12c0 net/ipv4/route.c:2810 ip_route_output_key_hash net/ipv4/route.c:2644 [inline] __ip_route_output_key include/net/route.h:134 [inline] ip_route_output_flow+0xa6/0x150 net/ipv4/route.c:2872 send4+0x1f5/0x520 drivers/net/wireguard/socket.c:61 wg_socket_send_skb_to_peer+0x94/0x130 drivers/net/wireguard/socket.c:175 wg_socket_send_buffer_to_peer+0xd6/0x100 drivers/net/wireguard/socket.c:200 wg_packet_send_handshake_initiation drivers/net/wireguard/send.c:40 [inline] wg_packet_handshake_send_worker+0x10c/0x150 drivers/net/wireguard/send.c:51 process_one_work kernel/workqueue.c:2630 [inline] process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703 worker_thread+0x525/0x730 kernel/workqueue.c:2784 kthread+0x1d7/0x210 kernel/kthread.c:388 ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304 value changed: 0x959d3217 -> 0x959d3218 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 6759 Comm: kworker/u4:15 Not tainted 6.6.0-rc4-syzkaller-00029-gcbf3a2cb156a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023 Workqueue: wg-kex-wg1 wg_packet_handshake_send_worker Fixes: 436c3b66ec98 ("ipv4: Invalidate nexthop cache nh_saddr more correctly.") Reported-by: syzbot Signed-off-by: Eric Dumazet Reviewed-by: Simon Horman Reviewed-by: David Ahern Link: https://lore.kernel.org/r/20231017192304.82626-1-edumazet@google.com Signed-off-by: Jakub Kicinski commit 68b54aeff804acceb02f228ea2e28419272c1fb9 Author: Paolo Abeni Date: Tue Oct 17 17:49:51 2023 +0200 tcp_bpf: properly release resources on error paths In the blamed commit below, I completely forgot to release the acquired resources before erroring out in the TCP BPF code, as reported by Dan. Address the issues by replacing the bogus return with a jump to the relevant cleanup code. Fixes: 419ce133ab92 ("tcp: allow again tcp_disconnect() when threads are waiting") Reported-by: Dan Carpenter Signed-off-by: Paolo Abeni Acked-by: Jakub Sitnicki Reviewed-by: Eric Dumazet Reviewed-by: John Fastabend Link: https://lore.kernel.org/r/8f99194c698bcef12666f0a9a999c58f8b1cb52c.1697557782.git.pabeni@redhat.com Signed-off-by: Jakub Kicinski commit a13b67c9a015c4e21601ef9aa4ec9c5d972df1b4 Author: Pedro Tammela Date: Tue Oct 17 11:36:02 2023 -0300 net/sched: sch_hfsc: upgrade 'rt' to 'sc' when it becomes a inner curve Christian Theune says: I upgraded from 6.1.38 to 6.1.55 this morning and it broke my traffic shaping script, leaving me with a non-functional uplink on a remote router. A 'rt' curve cannot be used as a inner curve (parent class), but we were allowing such configurations since the qdisc was introduced. Such configurations would trigger a UAF as Budimir explains: The parent will have vttree_insert() called on it in init_vf(), but will not have vttree_remove() called on it in update_vf() because it does not have the HFSC_FSC flag set. The qdisc always assumes that inner classes have the HFSC_FSC flag set. This is by design as it doesn't make sense 'qdisc wise' for an 'rt' curve to be an inner curve. Budimir's original patch disallows users to add classes with a 'rt' parent, but this is too strict as it breaks users that have been using 'rt' as a inner class. Another approach, taken by this patch, is to upgrade the inner 'rt' into a 'sc', warning the user in the process. It avoids the UAF reported by Budimir while also being more permissive to bad scripts/users/code using 'rt' as a inner class. Users checking the `tc class ls [...]` or `tc class get [...]` dumps would observe the curve change and are potentially breaking with this change. v1->v2: https://lore.kernel.org/all/20231013151057.2611860-1-pctammela@mojatatu.com/ - Correct 'Fixes' tag and merge with revert (Jakub) Cc: Christian Theune Cc: Budimir Markovic Fixes: b3d26c5702c7 ("net/sched: sch_hfsc: Ensure inner classes have fsc curve") Signed-off-by: Pedro Tammela Acked-by: Jamal Hadi Salim Link: https://lore.kernel.org/r/20231017143602.3191556-1-pctammela@mojatatu.com Signed-off-by: Jakub Kicinski commit 1f9f2143f24e224a8582a5d54918c43b9121eccc Author: Vladimir Oltean Date: Tue Oct 17 17:31:44 2023 +0300 net: mdio-mux: fix C45 access returning -EIO after API change The mii_bus API conversion to read_c45() and write_c45() did not cover the mdio-mux driver before read() and write() were made C22-only. This broke arch/arm64/boot/dts/freescale/fsl-ls1028a-qds-13bb.dtso. The -EOPNOTSUPP from mdiobus_c45_read() is transformed by get_phy_c45_devs_in_pkg() into -EIO, is further propagated to of_mdiobus_register() and this makes the mdio-mux driver fail to probe the entire child buses, not just the PHYs that cause access errors. Fix the regression by introducing special c45 read and write accessors to mdio-mux which forward the operation to the parent MDIO bus. Fixes: db1a63aed89c ("net: phy: Remove fallback to old C45 method") Signed-off-by: Vladimir Oltean Reviewed-by: Florian Fainelli Reviewed-by: Andrew Lunn Reviewed-by: Russell King (Oracle) Link: https://lore.kernel.org/r/20231017143144.3212657-1-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski commit f921a4a5bffa8a0005b190fb9421a7fc1fd716b6 Author: Eric Dumazet Date: Tue Oct 17 12:45:26 2023 +0000 tcp: tsq: relax tcp_small_queue_check() when rtx queue contains a single skb In commit 75eefc6c59fd ("tcp: tsq: add a shortcut in tcp_small_queue_check()") we allowed to send an skb regardless of TSQ limits being hit if rtx queue was empty or had a single skb, in order to better fill the pipe when/if TX completions were slow. Then later, commit 75c119afe14f ("tcp: implement rb-tree based retransmit queue") accidentally removed the special case for one skb in rtx queue. Stefan Wahren reported a regression in single TCP flow throughput using a 100Mbit fec link, starting from commit 65466904b015 ("tcp: adjust TSO packet sizes based on min_rtt"). This last commit only made the regression more visible, because it locked the TCP flow on a particular behavior where TSQ prevented two skbs being pushed downstream, adding silences on the wire between each TSO packet. Many thanks to Stefan for his invaluable help ! Fixes: 75c119afe14f ("tcp: implement rb-tree based retransmit queue") Link: https://lore.kernel.org/netdev/7f31ddc8-9971-495e-a1f6-819df542e0af@gmx.net/ Reported-by: Stefan Wahren Tested-by: Stefan Wahren Signed-off-by: Eric Dumazet Acked-by: Neal Cardwell Link: https://lore.kernel.org/r/20231017124526.4060202-1-edumazet@google.com Signed-off-by: Jakub Kicinski commit a0ca6b9dfef0b3cc83aa8bb485ed61a018f84982 Author: Shinas Rasheed Date: Tue Oct 17 03:50:30 2023 -0700 octeon_ep: update BQL sent bytes before ringing doorbell Sometimes Tx is completed immediately after doorbell is updated, which causes Tx completion routing to update completion bytes before the same packet bytes are updated in sent bytes in transmit function, hence hitting BUG_ON() in dql_completed(). To avoid this, update BQL sent bytes before ringing doorbell. Fixes: 37d79d059606 ("octeon_ep: add Tx/Rx processing and interrupt support") Signed-off-by: Shinas Rasheed Link: https://lore.kernel.org/r/20231017105030.2310966-1-srasheed@marvell.com Signed-off-by: Jakub Kicinski commit 31c65705a8cfa5f80d3824c686ab74b0409ee76d Author: Jiri Slaby (SUSE) Date: Tue Oct 17 10:30:19 2023 +0200 perf/benchmark: fix seccomp_unotify benchmark for 32-bit Commit 7d5cb68af638 (perf/benchmark: add a new benchmark for seccom_unotify) added a reference to __NR_seccomp into perf. This is fine as it added also a definition of __NR_seccomp for 64-bit. But it failed to do so for 32-bit as instead of ifndef, ifdef was used. Fix this typo (so fix the build of perf on 32-bit). Fixes: 7d5cb68af638 (perf/benchmark: add a new benchmark for seccom_unotify) Cc: Andrei Vagin Cc: "Peter Zijlstra (Intel)" Cc: Kees Cook Signed-off-by: "Jiri Slaby (SUSE)" Link: https://lore.kernel.org/r/20231017083019.31733-1-jirislaby@kernel.org Signed-off-by: Kees Cook commit c3414550cb0d4dfad1816ee14ff1f44819d270db Merge: 4eaf0932c69bd 5c3f4066462a5 Author: Jens Axboe Date: Wed Oct 18 15:32:51 2023 -0600 Merge tag 'nvme-6.6-2023-10-18' of git://git.infradead.org/nvme into block-6.6 Pull NVMe fixes from Keith: "nvme fixes for Linux 6.6 - nvme-rdma queue fix (Maurizio) - nvmet-auth double free fix (Maurizio) - nvme-tcp use-after-free fix (Sagi) - nvme-auth data direction fix (Martin) - nvme passthrough metadata sanitization (Keith) - nvme bogus identifiers for multi-controller ssd (Keith)" * tag 'nvme-6.6-2023-10-18' of git://git.infradead.org/nvme: nvme-pci: add BOGUS_NID for Intel 0a54 device nvmet-auth: complete a request only after freeing the dhchap pointers nvme: sanitize metadata bounce buffer for reads nvme-auth: use chap->s2 to indicate bidirectional authentication nvmet-tcp: Fix a possible UAF in queue intialization setup nvme-rdma: do not try to stop unallocated queues commit 5c3f4066462a5f6cac04d3dd81c9f551fabbc6c7 Author: Keith Busch Date: Thu Oct 12 11:13:51 2023 -0700 nvme-pci: add BOGUS_NID for Intel 0a54 device These ones claim cmic and nmic capable, so need special consideration to ignore their duplicate identifiers. Link: https://bugzilla.kernel.org/show_bug.cgi?id=217981 Reported-by: welsh@cassens.com Signed-off-by: Keith Busch commit f965b281fd872b2e18bd82dd97730db9834d0750 Author: Maurizio Lombardi Date: Tue Oct 17 10:28:45 2023 +0200 nvmet-auth: complete a request only after freeing the dhchap pointers It may happen that the work to destroy a queue (for example nvmet_tcp_release_queue_work()) is started while an auth-send or auth-receive command is still completing. nvmet_sq_destroy() will block, waiting for all the references to the sq to be dropped, the last reference is then dropped when nvmet_req_complete() is called. When this happens, both nvmet_sq_destroy() and nvmet_execute_auth_send()/_receive() will free the dhchap pointers by calling nvmet_auth_sq_free(). Since there isn't any lock, the two threads may race against each other, causing double frees and memory corruptions, as reported by KASAN. Reproduced by stress blktests nvme/041 nvme/042 nvme/043 nvme nvme2: qid 0: authenticated with hash hmac(sha512) dhgroup ffdhe4096 ================================================================== BUG: KASAN: double-free in kfree+0xec/0x4b0 Call Trace: kfree+0xec/0x4b0 nvmet_auth_sq_free+0xe1/0x160 [nvmet] nvmet_execute_auth_send+0x482/0x16d0 [nvmet] process_one_work+0x8e5/0x1510 Allocated by task 191846: __kasan_kmalloc+0x81/0xa0 nvmet_auth_ctrl_sesskey+0xf6/0x380 [nvmet] nvmet_auth_reply+0x119/0x990 [nvmet] Freed by task 143270: kfree+0xec/0x4b0 nvmet_auth_sq_free+0xe1/0x160 [nvmet] process_one_work+0x8e5/0x1510 Fix this bug by calling nvmet_req_complete() only after freeing the pointers, so we will prevent the race by holding the sq reference. V2: remove redundant code Fixes: db1312dd9548 ("nvmet: implement basic In-Band Authentication") Signed-off-by: Maurizio Lombardi Reviewed-by: Christoph Hellwig Signed-off-by: Keith Busch commit 2b32c76e2b0154b98b9322ae7546b8156cd703e6 Author: Keith Busch Date: Mon Oct 16 13:12:47 2023 -0700 nvme: sanitize metadata bounce buffer for reads User can request more metadata bytes than the device will write. Ensure kernel buffer is initialized so we're not leaking unsanitized memory on the copy-out. Fixes: 0b7f1f26f95a51a ("nvme: use the block layer for userspace passthrough metadata") Reviewed-by: Jens Axboe Reviewed-by: Christoph Hellwig Reviewed-by: Kanchan Joshi Reviewed-by: Chaitanya Kulkarni Signed-off-by: Keith Busch commit 379e4adfddd6a2f95a4f2029b8ddcbacf92b21f9 Author: Olga Kornievskaia Date: Mon Oct 9 10:59:01 2023 -0400 NFSv4.1: fixup use EXCHGID4_FLAG_USE_PNFS_DS for DS server This patches fixes commit 51d674a5e488 "NFSv4.1: use EXCHGID4_FLAG_USE_PNFS_DS for DS server", purpose of that commit was to mark EXCHANGE_ID to the DS with the appropriate flag. However, connection to MDS can return both EXCHGID4_FLAG_USE_PNFS_DS and EXCHGID4_FLAG_USE_PNFS_MDS set but previous patch would only remember the USE_PNFS_DS and for the 2nd EXCHANGE_ID send that to the MDS. Instead, just mark the pnfs path exclusively. Fixes: 51d674a5e488 ("NFSv4.1: use EXCHGID4_FLAG_USE_PNFS_DS for DS server") Signed-off-by: Olga Kornievskaia Signed-off-by: Anna Schumaker commit 099d7439ce03d0e7bc8f0c3d7878b562f3a48d3d Author: Liam R. Howlett Date: Thu Oct 12 11:52:33 2023 -0400 maple_tree: add GFP_KERNEL to allocations in mas_expected_entries() Users complained about OOM errors during fork without triggering compaction. This can be fixed by modifying the flags used in mas_expected_entries() so that the compaction will be triggered in low memory situations. Since mas_expected_entries() is only used during fork, the extra argument does not need to be passed through. Additionally, the two test_maple_tree test cases and one benchmark test were altered to use the correct locking type so that allocations would not trigger sleeping and thus fail. Testing was completed with lockdep atomic sleep detection. The additional locking change requires rwsem support additions to the tools/ directory through the use of pthreads pthread_rwlock_t. With this change test_maple_tree works in userspace, as a module, and in-kernel. Users may notice that the system gave up early on attempting to start new processes instead of attempting to reclaim memory. Link: https://lkml.kernel.org/r/20230915093243epcms1p46fa00bbac1ab7b7dca94acb66c44c456@epcms1p4 Link: https://lkml.kernel.org/r/20231012155233.2272446-1-Liam.Howlett@oracle.com Fixes: 54a611b60590 ("Maple Tree: add new data structure") Signed-off-by: Liam R. Howlett Reviewed-by: Peng Zhang Cc: Cc: Signed-off-by: Andrew Morton commit e2de156b0d918b5ebe975577d25f9ef92379a756 Author: Samasth Norway Ananda Date: Thu Oct 12 08:52:57 2023 -0700 selftests/mm: include mman header to access MREMAP_DONTUNMAP identifier Definition for MREMAP_DONTUNMAP is not present in glibc older than 2.32 thus throwing an undeclared error when running make on mm. Including linux/mman.h solves the build error for people having older glibc. Link: https://lkml.kernel.org/r/20231012155257.891776-1-samasth.norway.ananda@oracle.com Fixes: 0183d777c29a ("selftests: mm: remove duplicate unneeded defines") Signed-off-by: Samasth Norway Ananda Reported-by: Linux Kernel Functional Testing Closes: https://lore.kernel.org/linux-mm/CA+G9fYvV-71XqpCr_jhdDfEtN701fBdG3q+=bafaZiGwUXy_aA@mail.gmail.com/ Tested-by: Muhammad Usama Anjum Cc: Shuah Khan Cc: Signed-off-by: Andrew Morton commit d2313c77592661e5ba259cdae3a120fb391054ff Author: Oleksij Rempel Date: Wed Oct 11 13:25:19 2023 +0200 mailmap: correct email aliasing for Oleksij Rempel Ensure the current work email addresses for Oleksij Rempel are preserved and not overridden by private address. Alias the alternate work email to the primary work email address. Link: https://lkml.kernel.org/r/20231011112519.1427077-1-o.rempel@pengutronix.de Signed-off-by: Oleksij Rempel Cc: Jakub Kicinski Cc: Konrad Dybcio # qcom Cc: Mark Brown Cc: Qais Yousef Signed-off-by: Andrew Morton commit 002e39e9ece5589140236558a23c63ca4da45b68 Author: Bartosz Golaszewski Date: Wed Oct 11 17:01:04 2023 +0200 mailmap: map Bartosz's old address to the current one I no longer work for BayLibre but many DT bindings have my BL address in the maintainers entries. Map it to the email address I use for kernel development. Link: https://lkml.kernel.org/r/20231011150104.73863-1-brgl@bgdev.pl Signed-off-by: Bartosz Golaszewski Suggested-by: Conor Dooley Cc: Bartosz Golaszewski Cc: Bjorn Andersson Cc: Heiko Stuebner Cc: Jakub Kicinski Cc: Jens Axboe Cc: Konrad Dybcio # qcom Cc: Qais Yousef Cc: Stephen Hemminger Signed-off-by: Andrew Morton commit 76b7069bcc89dec33f03eb08abee165d0306b754 Author: SeongJae Park Date: Sat Oct 7 20:04:32 2023 +0000 mm/damon/sysfs: check DAMOS regions update progress from before_terminate() DAMON_SYSFS can receive DAMOS tried regions update request while kdamond is already out of the main loop and before_terminate callback (damon_sysfs_before_terminate() in this case) is not yet called. And damon_sysfs_handle_cmd() can further be finished before the callback is invoked. Then, damon_sysfs_before_terminate() unlocks damon_sysfs_lock, which is not locked by anyone. This happens because the callback function assumes damon_sysfs_cmd_request_callback() should be called before it. Check if the assumption was true before doing the unlock, to avoid this problem. Link: https://lkml.kernel.org/r/20231007200432.3110-1-sj@kernel.org Fixes: f1d13cacabe1 ("mm/damon/sysfs: implement DAMOS tried regions update command") Signed-off-by: SeongJae Park Cc: [6.2.x] Signed-off-by: Andrew Morton commit c5155d4ef4b2ac03cb5838b4060ab2ceb7dbda09 Author: Ondrej Jirman Date: Sun Oct 8 12:58:07 2023 +0200 MAINTAINERS: Ondrej has moved Update my email-address in MAINTAINERS to . Also add .mailmap entries to map my old, now blocked, email address. Link: https://lkml.kernel.org/r/20231008105812.1084226-1-megi@xff.cz Signed-off-by: Ondrej Jirman Cc: Bjorn Andersson Cc: Heiko Stuebner Cc: Jakub Kicinski Cc: Jens Axboe Cc: Konrad Dybcio # qcom Cc: Mark Brown Cc: Qais Yousef Cc: Stephen Hemminger Signed-off-by: Andrew Morton commit 17c17567fe510857b18fe01b7a88027600e76ac6 Author: Arnd Bergmann Date: Mon Oct 16 22:08:38 2023 +0200 kasan: disable kasan_non_canonical_hook() for HW tags On arm64, building with CONFIG_KASAN_HW_TAGS now causes a compile-time error: mm/kasan/report.c: In function 'kasan_non_canonical_hook': mm/kasan/report.c:637:20: error: 'KASAN_SHADOW_OFFSET' undeclared (first use in this function) 637 | if (addr < KASAN_SHADOW_OFFSET) | ^~~~~~~~~~~~~~~~~~~ mm/kasan/report.c:637:20: note: each undeclared identifier is reported only once for each function it appears in mm/kasan/report.c:640:77: error: expected expression before ';' token 640 | orig_addr = (addr - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT; This was caused by removing the dependency on CONFIG_KASAN_INLINE that used to prevent this from happening. Use the more specific dependency on KASAN_SW_TAGS || KASAN_GENERIC to only ignore the function for hwasan mode. Link: https://lkml.kernel.org/r/20231016200925.984439-1-arnd@kernel.org Fixes: 12ec6a919b0f ("kasan: print the original fault addr when access invalid shadow") Signed-off-by: Arnd Bergmann Cc: Alexander Potapenko Cc: Andrey Konovalov Cc: Andrey Ryabinin Cc: Dmitry Vyukov Cc: Haibo Li Cc: Kees Cook Cc: Vincenzo Frascino Cc: AngeloGioacchino Del Regno Cc: Matthias Brugger Signed-off-by: Andrew Morton commit babddbfb7d7d70ae7f10fedd75a45d8ad75fdddf Author: Haibo Li Date: Mon Oct 9 15:37:48 2023 +0800 kasan: print the original fault addr when access invalid shadow when the checked address is illegal,the corresponding shadow address from kasan_mem_to_shadow may have no mapping in mmu table. Access such shadow address causes kernel oops. Here is a sample about oops on arm64(VA 39bit) with KASAN_SW_TAGS and KASAN_OUTLINE on: [ffffffb80aaaaaaa] pgd=000000005d3ce003, p4d=000000005d3ce003, pud=000000005d3ce003, pmd=0000000000000000 Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP Modules linked in: CPU: 3 PID: 100 Comm: sh Not tainted 6.6.0-rc1-dirty #43 Hardware name: linux,dummy-virt (DT) pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __hwasan_load8_noabort+0x5c/0x90 lr : do_ib_ob+0xf4/0x110 ffffffb80aaaaaaa is the shadow address for efffff80aaaaaaaa. The problem is reading invalid shadow in kasan_check_range. The generic kasan also has similar oops. It only reports the shadow address which causes oops but not the original address. Commit 2f004eea0fc8("x86/kasan: Print original address on #GP") introduce to kasan_non_canonical_hook but limit it to KASAN_INLINE. This patch extends it to KASAN_OUTLINE mode. Link: https://lkml.kernel.org/r/20231009073748.159228-1-haibo.li@mediatek.com Fixes: 2f004eea0fc8("x86/kasan: Print original address on #GP") Signed-off-by: Haibo Li Reviewed-by: Andrey Konovalov Cc: Alexander Potapenko Cc: Andrey Ryabinin Cc: AngeloGioacchino Del Regno Cc: Dmitry Vyukov Cc: Haibo Li Cc: Matthias Brugger Cc: Vincenzo Frascino Cc: Arnd Bergmann Cc: Kees Cook Signed-off-by: Andrew Morton commit 2820b0f09be99f6406784b03a22dfc83e858449d Author: Rik van Riel Date: Thu Oct 5 23:59:08 2023 -0400 hugetlbfs: close race between MADV_DONTNEED and page fault Malloc libraries, like jemalloc and tcalloc, take decisions on when to call madvise independently from the code in the main application. This sometimes results in the application page faulting on an address, right after the malloc library has shot down the backing memory with MADV_DONTNEED. Usually this is harmless, because we always have some 4kB pages sitting around to satisfy a page fault. However, with hugetlbfs systems often allocate only the exact number of huge pages that the application wants. Due to TLB batching, hugetlbfs MADV_DONTNEED will free pages outside of any lock taken on the page fault path, which can open up the following race condition: CPU 1 CPU 2 MADV_DONTNEED unmap page shoot down TLB entry page fault fail to allocate a huge page killed with SIGBUS free page Fix that race by pulling the locking from __unmap_hugepage_final_range into helper functions called from zap_page_range_single. This ensures page faults stay locked out of the MADV_DONTNEED VMA until the huge pages have actually been freed. Link: https://lkml.kernel.org/r/20231006040020.3677377-4-riel@surriel.com Fixes: 04ada095dcfc ("hugetlb: don't delete vma_lock in hugetlb MADV_DONTNEED processing") Signed-off-by: Rik van Riel Reviewed-by: Mike Kravetz Cc: Matthew Wilcox (Oracle) Cc: Muchun Song Cc: Signed-off-by: Andrew Morton commit bf4916922c60f43efaa329744b3eef539aa6a2b2 Author: Rik van Riel Date: Thu Oct 5 23:59:07 2023 -0400 hugetlbfs: extend hugetlb_vma_lock to private VMAs Extend the locking scheme used to protect shared hugetlb mappings from truncate vs page fault races, in order to protect private hugetlb mappings (with resv_map) against MADV_DONTNEED. Add a read-write semaphore to the resv_map data structure, and use that from the hugetlb_vma_(un)lock_* functions, in preparation for closing the race between MADV_DONTNEED and page faults. Link: https://lkml.kernel.org/r/20231006040020.3677377-3-riel@surriel.com Fixes: 04ada095dcfc ("hugetlb: don't delete vma_lock in hugetlb MADV_DONTNEED processing") Signed-off-by: Rik van Riel Reviewed-by: Mike Kravetz Cc: Matthew Wilcox (Oracle) Cc: Muchun Song Cc: Signed-off-by: Andrew Morton commit 92fe9dcbe4e109a7ce6bab3e452210a35b0ab493 Author: Rik van Riel Date: Thu Oct 5 23:59:06 2023 -0400 hugetlbfs: clear resv_map pointer if mmap fails Patch series "hugetlbfs: close race between MADV_DONTNEED and page fault", v7. Malloc libraries, like jemalloc and tcalloc, take decisions on when to call madvise independently from the code in the main application. This sometimes results in the application page faulting on an address, right after the malloc library has shot down the backing memory with MADV_DONTNEED. Usually this is harmless, because we always have some 4kB pages sitting around to satisfy a page fault. However, with hugetlbfs systems often allocate only the exact number of huge pages that the application wants. Due to TLB batching, hugetlbfs MADV_DONTNEED will free pages outside of any lock taken on the page fault path, which can open up the following race condition: CPU 1 CPU 2 MADV_DONTNEED unmap page shoot down TLB entry page fault fail to allocate a huge page killed with SIGBUS free page Fix that race by extending the hugetlb_vma_lock locking scheme to also cover private hugetlb mappings (with resv_map), and pulling the locking from __unmap_hugepage_final_range into helper functions called from zap_page_range_single. This ensures page faults stay locked out of the MADV_DONTNEED VMA until the huge pages have actually been freed. This patch (of 3): Hugetlbfs leaves a dangling pointer in the VMA if mmap fails. This has not been a problem so far, but other code in this patch series tries to follow that pointer. Link: https://lkml.kernel.org/r/20231006040020.3677377-1-riel@surriel.com Link: https://lkml.kernel.org/r/20231006040020.3677377-2-riel@surriel.com Fixes: 04ada095dcfc ("hugetlb: don't delete vma_lock in hugetlb MADV_DONTNEED processing") Signed-off-by: Mike Kravetz Signed-off-by: Rik van Riel Cc: Matthew Wilcox (Oracle) Cc: Muchun Song Cc: Signed-off-by: Andrew Morton commit 969d63e1af3b3abe35a49b08218f3125131ac32f Author: Johannes Weiner Date: Fri Oct 6 12:00:24 2023 -0400 mm: zswap: fix pool refcount bug around shrink_worker() When a zswap store fails due to the limit, it acquires a pool reference and queues the shrinker. When the shrinker runs, it drops the reference. However, there can be multiple store attempts before the shrinker wakes up and runs once. This results in reference leaks and eventual saturation warnings for the pool refcount. Fix this by dropping the reference again when the shrinker is already queued. This ensures one reference per shrinker run. Link: https://lkml.kernel.org/r/20231006160024.170748-1-hannes@cmpxchg.org Fixes: 45190f01dd40 ("mm/zswap.c: add allocation hysteresis if pool limit is hit") Signed-off-by: Johannes Weiner Reported-by: Chris Mason Acked-by: Nhat Pham Cc: Vitaly Wool Cc: Domenico Cerasuolo Cc: [5.6+] Signed-off-by: Andrew Morton commit e1c6cfbb3bd1377e2ddcbe06cf8fb1ec323ea7d3 Author: Trond Myklebust Date: Sun Oct 8 14:28:46 2023 -0400 pNFS/flexfiles: Check the layout validity in ff_layout_mirror_prepare_stats Ensure that we check the layout pointer and validity after dereferencing it in ff_layout_mirror_prepare_stats. Fixes: 08e2e5bc6c9a ("pNFS/flexfiles: Clean up layoutstats") Signed-off-by: Trond Myklebust Signed-off-by: Anna Schumaker commit f63955721a8020e979b99cc417dcb6da3106aa24 Author: Trond Myklebust Date: Sun Oct 8 14:20:19 2023 -0400 pNFS: Fix a hang in nfs4_evict_inode() We are not allowed to call pnfs_mark_matching_lsegs_return() without also holding a reference to the layout header, since doing so could lead to the reference count going to zero when we call pnfs_layout_remove_lseg(). This again can lead to a hang when we get to nfs4_evict_inode() and are unable to clear the layout pointer. pnfs_layout_return_unused_byserver() is guilty of this behaviour, and has been seen to trigger the refcount warning prior to a hang. Fixes: b6d49ecd1081 ("NFSv4: Fix a pNFS layout related use-after-free race when freeing the inode") Cc: stable@vger.kernel.org Signed-off-by: Trond Myklebust Signed-off-by: Anna Schumaker commit 8e13caa2150b5a1287a1900952d3d7e04363f921 Merge: c8c0a03ec1be6 e8ecffd9962fe Author: Takashi Iwai Date: Wed Oct 18 20:02:46 2023 +0200 Merge tag 'asoc-fix-v6.6-rc6' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus ASoC: Fixes for v6.6 A fairly large set of fixes here but all driver specific, the biggest block is Johan's work shaking out issues with device setup and teardown for the wcd938x driver which is a relatively large but clearly broken down set of changes. There is one core helper function added as part of a fix for wsa-macro. commit dd72f9c7e512da377074d47d990564959b772643 Merge: e1e80380f1c25 2ec8b01097903 Author: Linus Torvalds Date: Wed Oct 18 09:37:36 2023 -0700 Merge tag 'spi-fix-v6-6-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi Pull spi fix from Mark Brown: "A fix for the npcm-fiu driver in cases where there are no dummy bytes during reads" * tag 'spi-fix-v6-6-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi: spi: npcm-fiu: Fix UMA reads when dummy.nbytes == 0 commit e1e80380f1c25aec736ce1a2e46fac9f9631b71a Merge: 06dc10eae55b5 c6df843348d6b Author: Linus Torvalds Date: Wed Oct 18 09:30:03 2023 -0700 Merge tag 'regmap-fix-v6.6-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap Pull regmap fix from Mark Brown: "A straightforward fix from Johan for a long standing bug in cases where we both have regmaps without devices and something is using dev_get_regmap()" * tag 'regmap-fix-v6.6-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap: regmap: fix NULL deref on lookup commit 061b39fdfe7fd98946e67637213bcbb10a318cca Author: Xuan Zhuo Date: Tue Oct 10 11:11:18 2023 +0800 virtio_pci: fix the common cfg map size The function vp_modern_map_capability() takes the size parameter, which corresponds to the size of virtio_pci_common_cfg. As a result, this indicates the size of memory area to map. Now the size is the size of virtio_pci_common_cfg, but some feature(such as the _F_RING_RESET) needs the virtio_pci_modern_common_cfg, so this commit changes the size to the size of virtio_pci_modern_common_cfg. Cc: stable@vger.kernel.org Fixes: 0b50cece0b78 ("virtio_pci: introduce helper to get/set queue reset") Signed-off-by: Xuan Zhuo Message-Id: <20231010031120.81272-3-xuanzhuo@linux.alibaba.com> Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang commit fa2e6947aa8844f25f5bad0d8cd1a541d9bc83eb Author: zhenwei pi Date: Sat Oct 7 14:43:09 2023 +0800 virtio-crypto: handle config changed by work queue MST pointed out: config change callback is also handled incorrectly in this driver, it takes a mutex from interrupt context. Handle config changed by work queue instead. Cc: stable@vger.kernel.org Cc: Gonglei (Arei) Cc: Halil Pasic Cc: Michael S. Tsirkin Signed-off-by: zhenwei pi Message-Id: <20231007064309.844889-1-pizhenwei@bytedance.com> Signed-off-by: Michael S. Tsirkin commit ca50ec377c2e94b0a9f8735de2856cd0f13beab4 Author: Eric Auger Date: Wed Sep 27 16:05:44 2023 +0200 vhost: Allow null msg.size on VHOST_IOTLB_INVALIDATE Commit e2ae38cf3d91 ("vhost: fix hung thread due to erroneous iotlb entries") Forbade vhost iotlb msg with null size to prevent entries with size = start = 0 and last = ULONG_MAX to end up in the iotlb. Then commit 95932ab2ea07 ("vhost: allow batching hint without size") only applied the check for VHOST_IOTLB_UPDATE and VHOST_IOTLB_INVALIDATE message types to fix a regression observed with batching hit. Still, the introduction of that check introduced a regression for some users attempting to invalidate the whole ULONG_MAX range by setting the size to 0. This is the case with qemu/smmuv3/vhost integration which does not work anymore. It Looks safe to partially revert the original commit and allow VHOST_IOTLB_INVALIDATE messages with null size. vhost_iotlb_del_range() will compute a correct end iova. Same for vhost_vdpa_iotlb_unmap(). Signed-off-by: Eric Auger Fixes: e2ae38cf3d91 ("vhost: fix hung thread due to erroneous iotlb entries") Cc: stable@vger.kernel.org # v5.17+ Acked-by: Jason Wang Message-Id: <20230927140544.205088-1-eric.auger@redhat.com> Signed-off-by: Michael S. Tsirkin commit abb0dcf9938c93f765abf8cb45567cadef0af6b2 Author: Dragos Tatulea Date: Thu Aug 31 18:50:56 2023 +0300 vdpa/mlx5: Fix firmware error on creation of 1k VQs A firmware error is triggered when configuring a 9k MTU on the PF after switching to switchdev mode and then using a vdpa device with larger (1k) rings: mlx5_cmd_out_err: CREATE_GENERAL_OBJECT(0xa00) op_mod(0xd) failed, status bad resource(0x5), syndrome (0xf6db90), err(-22) This is due to the fact that the hw VQ size parameters are computed based on the umem_1/2/3_buffer_param_a/b capabilities and all device capabilities are read only when the driver is moved to switchdev mode. The problematic configuration flow looks like this: 1) Create VF 2) Unbind VF 3) Switch PF to switchdev mode. 4) Bind VF 5) Set PF MTU to 9k 6) create vDPA device 7) Start VM with vDPA device and 1K queue size Note that setting the MTU before step 3) doesn't trigger this issue. This patch reads the forementioned umem parameters at the latest point possible before the VQs of the device are created. v2: - Allocate output with kmalloc to reduce stack frame size. - Removed stable from cc. Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices") Signed-off-by: Dragos Tatulea Message-Id: <20230831155702.1080754-1-dtatulea@nvidia.com> Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang commit 07622bd415639e9709579f400afd19e7e9866e5e Author: Gavin Shan Date: Thu Aug 31 11:10:07 2023 +1000 virtio_balloon: Fix endless deflation and inflation on arm64 The deflation request to the target, which isn't unaligned to the guest page size causes endless deflation and inflation actions. For example, we receive the flooding QMP events for the changes on memory balloon's size after a deflation request to the unaligned target is sent for the ARM64 guest, where we have 64KB base page size. /home/gavin/sandbox/qemu.main/build/qemu-system-aarch64 \ -accel kvm -machine virt,gic-version=host -cpu host \ -smp maxcpus=8,cpus=8,sockets=2,clusters=2,cores=2,threads=1 \ -m 1024M,slots=16,maxmem=64G \ -object memory-backend-ram,id=mem0,size=512M \ -object memory-backend-ram,id=mem1,size=512M \ -numa node,nodeid=0,memdev=mem0,cpus=0-3 \ -numa node,nodeid=1,memdev=mem1,cpus=4-7 \ : \ -device virtio-balloon-pci,id=balloon0,bus=pcie.10 { "execute" : "balloon", "arguments": { "value" : 1073672192 } } {"return": {}} {"timestamp": {"seconds": 1693272173, "microseconds": 88667}, \ "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}} {"timestamp": {"seconds": 1693272174, "microseconds": 89704}, \ "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}} {"timestamp": {"seconds": 1693272175, "microseconds": 90819}, \ "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}} {"timestamp": {"seconds": 1693272176, "microseconds": 91961}, \ "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}} {"timestamp": {"seconds": 1693272177, "microseconds": 93040}, \ "event": "BALLOON_CHANGE", "data": {"actual": 1073676288}} {"timestamp": {"seconds": 1693272178, "microseconds": 94117}, \ "event": "BALLOON_CHANGE", "data": {"actual": 1073676288}} {"timestamp": {"seconds": 1693272179, "microseconds": 95337}, \ "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}} {"timestamp": {"seconds": 1693272180, "microseconds": 96615}, \ "event": "BALLOON_CHANGE", "data": {"actual": 1073676288}} {"timestamp": {"seconds": 1693272181, "microseconds": 97626}, \ "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}} {"timestamp": {"seconds": 1693272182, "microseconds": 98693}, \ "event": "BALLOON_CHANGE", "data": {"actual": 1073676288}} {"timestamp": {"seconds": 1693272183, "microseconds": 99698}, \ "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}} {"timestamp": {"seconds": 1693272184, "microseconds": 100727}, \ "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}} {"timestamp": {"seconds": 1693272185, "microseconds": 90430}, \ "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}} {"timestamp": {"seconds": 1693272186, "microseconds": 102999}, \ "event": "BALLOON_CHANGE", "data": {"actual": 1073676288}} : Fix it by aligning the target up to the guest page size, 64KB in this specific case. With this applied, no flooding QMP events are observed and the memory balloon's size can be stablizied to 0x3ffe0000 soon after the deflation request is sent. { "execute" : "balloon", "arguments": { "value" : 1073672192 } } {"return": {}} {"timestamp": {"seconds": 1693273328, "microseconds": 793075}, \ "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}} { "execute" : "query-balloon" } {"return": {"actual": 1073610752}} Cc: stable@vger.kernel.org Signed-off-by: Gavin Shan Tested-by: Zhenyu Zhang Message-Id: <20230831011007.1032822-1-gshan@redhat.com> Signed-off-by: Michael S. Tsirkin Reviewed-by: David Hildenbrand commit f8a3db47d944a33eac1f37358db560e5aabbfbca Author: Dragos Tatulea Date: Tue Aug 29 20:40:09 2023 +0300 vdpa/mlx5: Fix double release of debugfs entry The error path in setup_driver deletes the debugfs entry but doesn't clear the pointer. During .dev_del the invalid pointer will be released again causing a crash. This patch fixes the issue by always clearing the debugfs entry in mlx5_vdpa_remove_debugfs. Also, stop removing the debugfs entry in .dev_del op: the debugfs entry is already handled within the setup_driver/teardown_driver scope. Cc: stable@vger.kernel.org Fixes: f0417e72add5 ("vdpa/mlx5: Add and remove debugfs in setup/teardown driver") Signed-off-by: Dragos Tatulea Reviewed-by: Gal Pressman Message-Id: <20230829174014.928189-2-dtatulea@nvidia.com> Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang commit fab7f259227b8f70aa6d54e1de1a1f5f4729041c Author: Maximilian Heyne Date: Mon Sep 11 09:03:29 2023 +0000 virtio-mmio: fix memory leak of vm_dev With the recent removal of vm_dev from devres its memory is only freed via the callback virtio_mmio_release_dev. However, this only takes effect after device_add is called by register_virtio_device. Until then it's an unmanaged resource and must be explicitly freed on error exit. This bug was discovered and resolved using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc. Cc: stable@vger.kernel.org Fixes: 55c91fedd03d ("virtio-mmio: don't break lifecycle of vm_dev") Signed-off-by: Maximilian Heyne Reviewed-by: Catalin Marinas Tested-by: Catalin Marinas Reviewed-by: Xuan Zhuo Message-Id: <20230911090328.40538-1-mheyne@amazon.de> Signed-off-by: Michael S. Tsirkin Reviewed-by: Wolfram Sang commit d121df789b159e9a8ee770666f210975a81e8111 Author: Shawn.Shao Date: Mon Aug 21 14:03:33 2023 +0800 vdpa_sim_blk: Fix the potential leak of mgmt_dev If the shared_buffer allocation fails, need to unregister mgmt_dev first. Cc: stable@vger.kernel.org Fixes: abebb16254b36 ("vdpa_sim_blk: support shared backend") Signed-off-by: Shawn.Shao Acked-by: Jason Wang Message-Id: <20230821060333.1155-1-shawn.shao@jaguarmicro.com> Signed-off-by: Michael S. Tsirkin commit 8b51a3956d44ea6ade962874ade14de9a7d16556 Author: Jens Axboe Date: Wed Oct 18 08:09:27 2023 -0600 io_uring: fix crash with IORING_SETUP_NO_MMAP and invalid SQ ring address If we specify a valid CQ ring address but an invalid SQ ring address, we'll correctly spot this and free the allocated pages and clear them to NULL. However, we don't clear the ring page count, and hence will attempt to free the pages again. We've already cleared the address of the page array when freeing them, but we don't check for that. This causes the following crash: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Oops [#1] Modules linked in: CPU: 0 PID: 20 Comm: kworker/u2:1 Not tainted 6.6.0-rc5-dirty #56 Hardware name: ucbbar,riscvemu-bare (DT) Workqueue: events_unbound io_ring_exit_work epc : io_pages_free+0x2a/0x58 ra : io_rings_free+0x3a/0x50 epc : ffffffff808811a2 ra : ffffffff80881406 sp : ffff8f80000c3cd0 status: 0000000200000121 badaddr: 0000000000000000 cause: 000000000000000d [] io_pages_free+0x2a/0x58 [] io_rings_free+0x3a/0x50 [] io_ring_exit_work+0x37e/0x424 [] process_one_work+0x10c/0x1f4 [] worker_thread+0x252/0x31c [] kthread+0xc4/0xe0 [] ret_from_fork+0xa/0x1c Check for a NULL array in io_pages_free(), but also clear the page counts when we free them to be on the safer side. Reported-by: rtm@csail.mit.edu Fixes: 03d89a2de25b ("io_uring: support for user allocated memory for rings/sqes") Cc: stable@vger.kernel.org Reviewed-by: Jeff Moyer Signed-off-by: Jens Axboe commit 99c09c985e5973c8f0ad976ebae069548dd86f12 Author: Liming Sun Date: Thu Oct 12 19:02:35 2023 -0400 platform/mellanox: mlxbf-tmfifo: Fix a warning message This commit fixes the smatch static checker warning in function mlxbf_tmfifo_rxtx_word() which complains data not initialized at line 634 when IS_VRING_DROP() is TRUE. Signed-off-by: Liming Sun Link: https://lore.kernel.org/r/20231012230235.219861-1-limings@nvidia.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede commit 0e51cb42438b8754d8f4cee4c802a8c5bb2cd5e0 Author: Orlando Chamberlain Date: Tue Oct 17 22:14:45 2023 +1100 apple-gmux: Hard Code max brightness for MMIO gmux The data in the max brightness port for iMacs with MMIO gmux incorrectly reports 0x03ff, but it should be 0xffff. As all other MMIO gmux models have 0xffff, hard code this for all MMIO gmux's so they all have the proper brightness range accessible. Fixes: 0c18184de990 ("platform/x86: apple-gmux: support MMIO gmux on T2 Macs") Reported-by: Karsten Leipold Signed-off-by: Orlando Chamberlain Link: https://lore.kernel.org/r/20231017111444.19304-2-orlandoch.dev@gmail.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede commit fe0e04cf66a12ffe6d1b43725ddaabd5599d024f Author: Armin Wolf Date: Sun Oct 15 01:54:49 2023 +0200 platform/surface: platform_profile: Propagate error if profile registration fails If platform_profile_register() fails, the driver does not propagate the error, but instead probes successfully. This means when the driver unbinds, the a warning might be issued by platform_profile_remove(). Fix this by propagating the error back to the caller of surface_platform_profile_probe(). Compile-tested only. Fixes: b78b4982d763 ("platform/surface: Add platform profile driver") Signed-off-by: Armin Wolf Reviewed-by: Maximilian Luz Tested-by: Maximilian Luz Link: https://lore.kernel.org/r/20231014235449.288702-1-W_Armin@gmx.de Signed-off-by: Hans de Goede commit eaf16b92b18cec5584392172ee4c89f5cf471397 Merge: 5e8a5e895a20c 0b9a4a67c60d3 Author: Arnd Bergmann Date: Wed Oct 18 15:29:05 2023 +0200 Merge tag 'omap-fixes-audio-clock-and-modem-signed' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap into arm/fixes Few minor fixes for omaps Regression fixes for mcbsp audio clock, and for ams-delta modem. And two warning fixes. These all can be merged whenever and are not urgent by any means. Feel free to defer to the merge window unless other fixes are still pending. * tag 'omap-fixes-audio-clock-and-modem-signed' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap: clk: ti: Fix missing omap5 mcbsp functional clock and aliases clk: ti: Fix missing omap4 mcbsp functional clock and aliases ARM: OMAP1: ams-delta: Fix MODEM initialization failure ARM: OMAP: timer32K: fix all kernel-doc warnings ARM: omap2: fix a debug printk Link: https://lore.kernel.org/r/pull-1697606314-911862@atomide.com Signed-off-by: Arnd Bergmann commit f86fb94011aeb3b26337fc22204ca726aeb8bc24 Author: Pablo Neira Ayuso Date: Wed Oct 18 13:18:39 2023 +0200 netfilter: nf_tables: revert do not remove elements if set backend implements .abort nf_tables_abort_release() path calls nft_set_elem_destroy() for NFT_MSG_NEWSETELEM which releases the element, however, a reference to the element still remains in the working copy. Fixes: ebd032fa8818 ("netfilter: nf_tables: do not remove elements if set backend implements .abort") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Florian Westphal commit d111692a59c1470ae530cbb39bcf0346c950ecc7 Author: Pablo Neira Ayuso Date: Tue Oct 17 12:28:27 2023 +0200 netfilter: nft_set_rbtree: .deactivate fails if element has expired This allows to remove an expired element which is not possible in other existing set backends, this is more noticeable if gc-interval is high so expired elements remain in the tree. On-demand gc also does not help in this case, because this is delete element path. Return NULL if element has expired. Fixes: 8d8540c4f5e0 ("netfilter: nft_set_rbtree: add timeout support") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Florian Westphal commit 2e2d9c7d4d37d74873583d7b0c94eac8b6869486 Author: Phil Sutter Date: Fri Oct 13 22:02:24 2023 +0200 selftests: netfilter: Run nft_audit.sh in its own netns Don't mess with the host's firewall ruleset. Since audit logging is not per-netns, add an initial delay of a second so other selftests' netns cleanups have a chance to finish. Fixes: e8dbde59ca3f ("selftests: netfilter: Test nf_tables audit logging") Signed-off-by: Phil Sutter Signed-off-by: Florian Westphal commit 1baf0152f7707c6c7e4ea815dcc1f431c0e603f9 Author: Phil Sutter Date: Wed Oct 11 17:06:59 2023 +0200 netfilter: nf_tables: audit log object reset once per table When resetting multiple objects at once (via dump request), emit a log message per table (or filled skb) and resurrect the 'entries' parameter to contain the number of objects being logged for. To test the skb exhaustion path, perform some bulk counter and quota adds in the kselftest. Signed-off-by: Phil Sutter Reviewed-by: Richard Guy Briggs Acked-by: Paul Moore (Audit) Signed-off-by: Florian Westphal commit d5921c460e543228d100daf67dac7a03dfaaa40a Author: Hanjun Guo Date: Tue Oct 10 16:21:23 2023 +0800 ACPI: bus: Move acpi_arm_init() to the place of after acpi_ghes_init() acpi_agdi_init() in acpi_arm_init() will register a SDEI event, so it needs the SDEI subsystem to be initialized (which is done in acpi_ghes_init()) before the AGDI driver probing. In commit fcea0ccf4fd7 ("ACPI: bus: Consolidate all arm specific initialisation into acpi_arm_init()"), the acpi_agdi_init() was called before acpi_ghes_init() and it causes following failure: | [ 0.515864] sdei: Failed to create event 1073741825: -5 | [ 0.515866] agdi agdi.0: Failed to register for SDEI event 1073741825 | [ 0.515867] agdi: probe of agdi.0 failed with error -5 | ... | [ 0.516022] sdei: SDEIv1.0 (0x0) detected in firmware. Fix it by moving acpi_arm_init() to the place of after acpi_ghes_init(). Fixes: fcea0ccf4fd7 ("ACPI: bus: Consolidate all arm specific initialisation into acpi_arm_init()") Reported-by: D Scott Phillips Signed-off-by: Hanjun Guo Reviewed-by: Sudeep Holla Tested-by: D Scott Phillips Cc: 6.5+ # 6.5+ Signed-off-by: Rafael J. Wysocki commit 0c21a18d5d6c6a73d098fb9b4701572370942df9 Author: Sunil V L Date: Mon Oct 16 22:39:39 2023 +0530 ACPI: irq: Fix incorrect return value in acpi_register_gsi() acpi_register_gsi() should return a negative value in case of failure. Currently, it returns the return value from irq_create_fwspec_mapping(). However, irq_create_fwspec_mapping() returns 0 for failure. Fix the issue by returning -EINVAL if irq_create_fwspec_mapping() returns zero. Fixes: d44fa3d46079 ("ACPI: Add support for ResourceSource/IRQ domain mapping") Cc: 4.11+ # 4.11+ Signed-off-by: Sunil V L [ rjw: Rename a new local variable ] Signed-off-by: Rafael J. Wysocki commit 2915240eddba96b37de4c7e9a3d0ac6f9548454b Author: Geert Uytterhoeven Date: Mon Oct 16 14:49:04 2023 +0200 neighbor: tracing: Move pin6 inside CONFIG_IPV6=y section When CONFIG_IPV6=n, and building with W=1: In file included from include/trace/define_trace.h:102, from include/trace/events/neigh.h:255, from net/core/net-traces.c:51: include/trace/events/neigh.h: In function ‘trace_event_raw_event_neigh_create’: include/trace/events/neigh.h:42:34: error: variable ‘pin6’ set but not used [-Werror=unused-but-set-variable] 42 | struct in6_addr *pin6; | ^~~~ include/trace/trace_events.h:402:11: note: in definition of macro ‘DECLARE_EVENT_CLASS’ 402 | { assign; } \ | ^~~~~~ include/trace/trace_events.h:44:30: note: in expansion of macro ‘PARAMS’ 44 | PARAMS(assign), \ | ^~~~~~ include/trace/events/neigh.h:23:1: note: in expansion of macro ‘TRACE_EVENT’ 23 | TRACE_EVENT(neigh_create, | ^~~~~~~~~~~ include/trace/events/neigh.h:41:9: note: in expansion of macro ‘TP_fast_assign’ 41 | TP_fast_assign( | ^~~~~~~~~~~~~~ In file included from include/trace/define_trace.h:103, from include/trace/events/neigh.h:255, from net/core/net-traces.c:51: include/trace/events/neigh.h: In function ‘perf_trace_neigh_create’: include/trace/events/neigh.h:42:34: error: variable ‘pin6’ set but not used [-Werror=unused-but-set-variable] 42 | struct in6_addr *pin6; | ^~~~ include/trace/perf.h:51:11: note: in definition of macro ‘DECLARE_EVENT_CLASS’ 51 | { assign; } \ | ^~~~~~ include/trace/trace_events.h:44:30: note: in expansion of macro ‘PARAMS’ 44 | PARAMS(assign), \ | ^~~~~~ include/trace/events/neigh.h:23:1: note: in expansion of macro ‘TRACE_EVENT’ 23 | TRACE_EVENT(neigh_create, | ^~~~~~~~~~~ include/trace/events/neigh.h:41:9: note: in expansion of macro ‘TP_fast_assign’ 41 | TP_fast_assign( | ^~~~~~~~~~~~~~ Indeed, the variable pin6 is declared and initialized unconditionally, while it is only used and needlessly re-initialized when support for IPv6 is enabled. Fix this by dropping the unused variable initialization, and moving the variable declaration inside the existing section protected by a check for CONFIG_IPV6. Fixes: fc651001d2c5ca4f ("neighbor: Add tracepoint to __neigh_create") Signed-off-by: Geert Uytterhoeven Reviewed-by: Simon Horman Tested-by: Simon Horman # build-tested Reviewed-by: David Ahern Signed-off-by: David S. Miller commit 1db34aa58d80988f5ee99d2fd9d8f7489c3b0681 Author: Bagas Sanjaya Date: Tue Oct 17 15:08:12 2023 +0700 Revert "net: wwan: iosm: enable runtime pm support for 7560" Runtime power management support breaks Intel LTE modem where dmesg dump showes timeout errors: ``` [ 72.027442] iosm 0000:01:00.0: msg timeout [ 72.531638] iosm 0000:01:00.0: msg timeout [ 73.035414] iosm 0000:01:00.0: msg timeout [ 73.540359] iosm 0000:01:00.0: msg timeout ``` Furthermore, when shutting down with `poweroff` and modem attached, the system rebooted instead of powering down as expected. The modem works again only after power cycling. Revert runtime power management support for IOSM driver as introduced by commit e4f5073d53be6c ("net: wwan: iosm: enable runtime pm support for 7560"). Fixes: e4f5073d53be ("net: wwan: iosm: enable runtime pm support for 7560") Reported-by: Martin Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217996 Link: https://lore.kernel.org/r/267abf02-4b60-4a2e-92cd-709e3da6f7d3@gmail.com/ Signed-off-by: Bagas Sanjaya Reviewed-by: Loic Poulain Signed-off-by: David S. Miller commit f9bc9bbe8afdf83412728f0b464979a72a3b9ec2 Author: Nicholas Piggin Date: Mon Oct 16 22:43:00 2023 +1000 powerpc/qspinlock: Fix stale propagated yield_cpu yield_cpu is a sample of a preempted lock holder that gets propagated back through the queue. Queued waiters use this to yield to the preempted lock holder without continually sampling the lock word (which would defeat the purpose of MCS queueing by bouncing the cache line). The problem is that yield_cpu can become stale. It can take some time to be passed down the chain, and if any queued waiter gets preempted then it will cease to propagate the yield_cpu to later waiters. This can result in yielding to a CPU that no longer holds the lock, which is bad, but particularly if it is currently in H_CEDE (idle), then it appears to be preempted and some hypervisors (PowerVM) can cause very long H_CONFER latencies waiting for H_CEDE wakeup. This results in latency spikes and hard lockups on oversubscribed partitions with lock contention. This is a minimal fix. Before yielding to yield_cpu, sample the lock word to confirm yield_cpu is still the owner, and bail out of it is not. Thanks to a bunch of people who reported this and tracked down the exact problem using tracepoints and dispatch trace logs. Fixes: 28db61e207ea ("powerpc/qspinlock: allow propagation of yield CPU down the queue") Cc: stable@vger.kernel.org # v6.2+ Reported-by: Srikar Dronamraju Reported-by: Laurent Dufour Reported-by: Shrikanth Hegde Debugged-by: "Nysal Jan K.A" Signed-off-by: Nicholas Piggin Tested-by: Shrikanth Hegde Signed-off-by: Michael Ellerman Link: https://msgid.link/20231016124305.139923-2-npiggin@gmail.com commit 235985d1763f7aba92c1c64e5f5aaec26c2c9b18 Author: Hans de Goede Date: Tue Oct 17 11:07:25 2023 +0200 platform/x86: asus-wmi: Map 0x2a code, Ignore 0x2b and 0x2c events Newer Asus laptops send the following new WMI event codes when some of the F1 - F12 "media" hotkeys are pressed: 0x2a Screen Capture 0x2b PrintScreen 0x2c CapsLock Map 0x2a to KEY_SELECTIVE_SCREENSHOT mirroring how similar hotkeys are mapped on other laptops. PrintScreem and CapsLock are also reported as normal PS/2 keyboard events, map these event codes to KE_IGNORE to avoid "Unknown key code 0x%x\n" log messages. Reported-by: James John Closes: https://lore.kernel.org/platform-driver-x86/a2c441fe-457e-44cf-a146-0ecd86b037cf@donjajo.com/ Closes: https://bbs.archlinux.org/viewtopic.php?pid=2123716 Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20231017090725.38163-4-hdegoede@redhat.com commit a5b92be2482e5f9ef30be4e4cda12ed484381493 Author: Hans de Goede Date: Tue Oct 17 11:07:24 2023 +0200 platform/x86: asus-wmi: Only map brightness codes when using asus-wmi backlight control Older Asus laptops change the backlight level themselves and then send WMI events with different codes for different backlight levels. The asus-wmi.c code maps the entire range of codes reported on brightness down keypresses to an internal ASUS_WMI_BRN_DOWN code: define NOTIFY_BRNUP_MIN 0x11 define NOTIFY_BRNUP_MAX 0x1f define NOTIFY_BRNDOWN_MIN 0x20 define NOTIFY_BRNDOWN_MAX 0x2e if (code >= NOTIFY_BRNUP_MIN && code <= NOTIFY_BRNUP_MAX) code = ASUS_WMI_BRN_UP; else if (code >= NOTIFY_BRNDOWN_MIN && code <= NOTIFY_BRNDOWN_MAX) code = ASUS_WMI_BRN_DOWN; This mapping is causing issues on new laptop models which actually send 0x2b events for printscreen presses and 0x2c events for capslock presses, which get translated into spurious brightness-down presses. This mapping is really only necessary when asus-wmi has registered a backlight-device for backlight control. In this case the mapping was used to decide to filter out the keypresss since in this case the firmware has already modified the brightness itself and instead of reporting a keypress asus-wmi will just report the new brightness value to userspace. OTOH when the firmware does not adjust the brightness itself then it seems to always report 0x2e for brightness-down presses and 0x2f for brightness up presses independent of the actual brightness level. So in this case the mapping of the code is not necessary and this translation actually leads to spurious brightness-down presses being send to userspace when pressing printscreen or capslock. Modify asus_wmi_handle_event_code() to only do the mapping when using asus-wmi backlight control to fix the spurious brightness-down presses. Reported-by: James John Closes: https://lore.kernel.org/platform-driver-x86/a2c441fe-457e-44cf-a146-0ecd86b037cf@donjajo.com/ Closes: https://bbs.archlinux.org/viewtopic.php?pid=2123716 Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20231017090725.38163-3-hdegoede@redhat.com commit f37cc2fc277b371fc491890afb7d8a26e36bb3a1 Author: Hans de Goede Date: Tue Oct 17 11:07:23 2023 +0200 platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from 0x20 to 0x2e Older Asus laptops change the backlight level themselves and then send WMI events with different codes for different backlight levels. The asus-wmi.c code maps the entire range of codes reported on brightness down keypresses to an internal ASUS_WMI_BRN_DOWN code: define NOTIFY_BRNUP_MIN 0x11 define NOTIFY_BRNUP_MAX 0x1f define NOTIFY_BRNDOWN_MIN 0x20 define NOTIFY_BRNDOWN_MAX 0x2e if (code >= NOTIFY_BRNUP_MIN && code <= NOTIFY_BRNUP_MAX) code = ASUS_WMI_BRN_UP; else if (code >= NOTIFY_BRNDOWN_MIN && code <= NOTIFY_BRNDOWN_MAX) code = ASUS_WMI_BRN_DOWN; Before this commit all the NOTIFY_BRNDOWN_MIN - NOTIFY_BRNDOWN_MAX aka 0x20 - 0x2e events were mapped to 0x20. This mapping is causing issues on new laptop models which actually send 0x2b events for printscreen presses and 0x2c events for capslock presses, which get translated into spurious brightness-down presses. The plan is disable the 0x11-0x2e special mapping on laptops where asus-wmi does not register a backlight-device to avoid the spurious brightness-down keypresses. New laptops always send 0x2e for brightness-down presses, change the special internal ASUS_WMI_BRN_DOWN value from 0x20 to 0x2e to match this in preparation for fixing the spurious brightness-down presses. This change does not have any functional impact since all of 0x20 - 0x2e is mapped to ASUS_WMI_BRN_DOWN first and only then checked against the keymap code and the new 0x2e value is still in the 0x20 - 0x2e range. Reported-by: James John Closes: https://lore.kernel.org/platform-driver-x86/a2c441fe-457e-44cf-a146-0ecd86b037cf@donjajo.com/ Closes: https://bbs.archlinux.org/viewtopic.php?pid=2123716 Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20231017090725.38163-2-hdegoede@redhat.com commit 1d30162f35c7a73fc2f8cdcdcdbd690bedb99d1a Author: Gavrilov Ilia Date: Mon Oct 16 14:08:59 2023 +0000 net: pktgen: Fix interface flags printing Device flags are displayed incorrectly: 1) The comparison (i == F_FLOW_SEQ) is always false, because F_FLOW_SEQ is equal to (1 << FLOW_SEQ_SHIFT) == 2048, and the maximum value of the 'i' variable is (NR_PKT_FLAG - 1) == 17. It should be compared with FLOW_SEQ_SHIFT. 2) Similarly to the F_IPSEC flag. 3) Also add spaces to the print end of the string literal "spi:%u" to prevent the output from merging with the flag that follows. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 99c6d3d20d62 ("pktgen: Remove brute-force printing of flags") Signed-off-by: Gavrilov Ilia Signed-off-by: David S. Miller commit fc363413ef8ea842ae7a99e3caf5465dafdd3a49 Author: Haibo Chen Date: Wed Oct 18 11:00:17 2023 +0200 gpio: vf610: set value before the direction to avoid a glitch We found a glitch when configuring the pad as output high. To avoid this glitch, move the data value setting before direction config in the function vf610_gpio_direction_output(). Fixes: 659d8a62311f ("gpio: vf610: add imx7ulp support") Signed-off-by: Haibo Chen [Bartosz: tweak the commit message] Signed-off-by: Bartosz Golaszewski commit 430232619791e7de95191f2cd8ebaa4c380d17d0 Author: Haibo Chen Date: Tue Oct 17 18:42:36 2023 +0800 gpio: vf610: mask the gpio irq in system suspend and support wakeup Add flag IRQCHIP_MASK_ON_SUSPEND to make sure gpio irq is masked on suspend, if lack this flag, current irq arctitecture will not mask the irq, and these unmasked gpio irq will wrongly wakeup the system even they are not config as wakeup source. Also add flag IRQCHIP_ENABLE_WAKEUP_ON_SUSPEND to make sure the gpio irq which is configed as wakeup source can work as expect. Fixes: 7f2691a19627 ("gpio: vf610: add gpiolib/IRQ chip driver for Vybrid") Signed-off-by: Haibo Chen Signed-off-by: Bartosz Golaszewski commit d2929762cc3f85528b0ca12f6f63c2a714f24778 Author: Peter Zijlstra Date: Tue Oct 17 16:59:47 2023 +0200 sched/eevdf: Fix heap corruption more Because someone is a flaming idiot... and forgot we have current as se->on_rq but not actually in the tree itself, and walking rb_parent() on an entry not in the tree is 'funky' and KASAN complains. Fixes: 8dafa9d0eb1a ("sched/eevdf: Fix min_deadline heap integrity") Reported-by: 0599jiangyc@gmail.com Reported-by: Dmitry Safonov <0x7f454c46@gmail.com> Signed-off-by: Peter Zijlstra (Intel) Tested-by: Dmitry Safonov <0x7f454c46@gmail.com> Link: https://bugzilla.kernel.org/show_bug.cgi?id=218020 Link: https://lkml.kernel.org/r/CAJwJo6ZGXO07%3DQvW4fgQfbsDzQPs9xj5sAQ1zp%3DmAyPMNbHYww%40mail.gmail.com commit b11950356c4b416d2e87941f3aa7a8bf089db72b Author: Herbert Xu Date: Mon Oct 16 16:35:36 2023 +0800 KEYS: asymmetric: Fix sign/verify on pkcs1pad without a hash The new sign/verify code broke the case of pkcs1pad without a hash algorithm. Fix it by setting issig correctly for this case. Fixes: 63ba4d67594a ("KEYS: asymmetric: Use new crypto interface without scatterlists") Cc: stable@vger.kernel.org # v6.5 Reported-by: Denis Kenzior Signed-off-by: Herbert Xu Tested-by: Denis Kenzior Signed-off-by: Herbert Xu commit e339c6d628fe66c9b64bf31040a55770952aec57 Author: Ville Syrjälä Date: Thu Oct 12 16:28:01 2023 +0300 drm/i915: Retry gtt fault when out of fence registers If we can't find a free fence register to handle a fault in the GMADR range just return VM_FAULT_NOPAGE without populating the PTE so that userspace will retry the access and trigger another fault. Eventually we should find a free fence and the fault will get properly handled. A further improvement idea might be to reserve a fence (or one per CPU?) for the express purpose of handling faults without having to retry. But that would require some additional work. Looks like this may have gotten broken originally by commit 39965b376601 ("drm/i915: don't trash the gtt when running out of fences") as that changed the errno to -EDEADLK which wasn't handle by the gtt fault code either. But later in commit 2feeb52859fc ("drm/i915/gt: Fix -EDEADLK handling regression") I changed it again to -ENOBUFS as -EDEADLK was now getting used for the ww mutex dance. So this fix only makes sense after that last commit. Cc: stable@vger.kernel.org Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/9479 Fixes: 2feeb52859fc ("drm/i915/gt: Fix -EDEADLK handling regression") Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20231012132801.16292-1-ville.syrjala@linux.intel.com Reviewed-by: Andi Shyti (cherry picked from commit 7f403caabe811b88ab0de3811ff3f4782c415761) Signed-off-by: Rodrigo Vivi commit 5e4c16fe08c8b894b258f4110349dc9b642669f9 Author: Khaled Almahallawy Date: Wed Oct 4 17:13:10 2023 -0700 drm/i915/cx0: Only clear/set the Pipe Reset bit of the PHY Lanes Owned Currently, with MFD/pin assignment D, the driver clears the pipe reset bit of lane 1 which is not owned by display. This causes the display to block S0iX. By not clearing this bit for lane 1 and keeping whatever default, S0ix started to work. This is already what the driver does at the end of the phy lane reset sequence (Step#8) Bspec: 65451 Fixes: 619a06dba6fa ("drm/i915/mtl: Reset only one lane in case of MFD") Cc: Mika Kahola Cc: Gustavo Sousa Signed-off-by: Khaled Almahallawy Reviewed-by: Gustavo Sousa Signed-off-by: Radhakrishna Sripada Link: https://patchwork.freedesktop.org/patch/msgid/20231005001310.154396-1-khaled.almahallawy@intel.com (cherry picked from commit 4a07f063d20c46524f00976f4537de72d9f31c4e) Signed-off-by: Rodrigo Vivi commit f6c7b42243565a4ed8bc9d6f681b6d0cae026abc Merge: c53647a5df9e6 de5724ca38fd5 Author: Jakub Kicinski Date: Tue Oct 17 18:21:12 2023 -0700 Merge tag 'ipsec-2023-10-17' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec Steffen Klassert says: ==================== pull request (net): ipsec 2023-10-17 1) Fix a slab-use-after-free in xfrm_policy_inexact_list_reinsert. From Dong Chenchen. 2) Fix data-races in the xfrm interfaces dev->stats fields. From Eric Dumazet. 3) Fix a data-race in xfrm_gen_index. From Eric Dumazet. 4) Fix an inet6_dev refcount underflow. From Zhang Changzhong. 5) Check the return value of pskb_trim in esp_remove_trailer for esp4 and esp6. From Ma Ke. 6) Fix a data-race in xfrm_lookup_with_ifid. From Eric Dumazet. * tag 'ipsec-2023-10-17' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec: xfrm: fix a data-race in xfrm_lookup_with_ifid() net: ipv4: fix return value check in esp_remove_trailer net: ipv6: fix return value check in esp_remove_trailer xfrm6: fix inet6_dev refcount underflow problem xfrm: fix a data-race in xfrm_gen_index() xfrm: interface: use DEV_STATS_INC() net: xfrm: skip policies marked as dead while reinserting policies ==================== Link: https://lore.kernel.org/r/20231017083723.1364940-1-steffen.klassert@secunet.com Signed-off-by: Jakub Kicinski commit c53647a5df9e66dd9fedf240198e1fe50d88c286 Author: Dan Carpenter Date: Mon Oct 16 20:28:10 2023 +0300 net: usb: smsc95xx: Fix an error code in smsc95xx_reset() Return a negative error code instead of success. Fixes: 2f7ca802bdae ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver") Signed-off-by: Dan Carpenter Reviewed-by: Andrew Lunn Link: https://lore.kernel.org/r/147927f0-9ada-45cc-81ff-75a19dd30b76@moroto.mountain Signed-off-by: Jakub Kicinski commit cbfbfe3aee718dc4c3c837f5d2463170ee59d78c Author: Eric Dumazet Date: Mon Oct 16 18:08:51 2023 +0000 tun: prevent negative ifindex After commit 956db0a13b47 ("net: warn about attempts to register negative ifindex") syzbot is able to trigger the following splat. Negative ifindex are not supported. WARNING: CPU: 1 PID: 6003 at net/core/dev.c:9596 dev_index_reserve+0x104/0x210 Modules linked in: CPU: 1 PID: 6003 Comm: syz-executor926 Not tainted 6.6.0-rc4-syzkaller-g19af4a4ed414 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : dev_index_reserve+0x104/0x210 lr : dev_index_reserve+0x100/0x210 sp : ffff800096a878e0 x29: ffff800096a87930 x28: ffff0000d04380d0 x27: ffff0000d04380f8 x26: ffff0000d04380f0 x25: 1ffff00012d50f20 x24: 1ffff00012d50f1c x23: dfff800000000000 x22: ffff8000929c21c0 x21: 00000000ffffffea x20: ffff0000d04380e0 x19: ffff800096a87900 x18: ffff800096a874c0 x17: ffff800084df5008 x16: ffff80008051f9c4 x15: 0000000000000001 x14: 1fffe0001a087198 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 x8 : ffff0000d41c9bc0 x7 : 0000000000000000 x6 : 0000000000000000 x5 : ffff800091763d88 x4 : 0000000000000000 x3 : ffff800084e04748 x2 : 0000000000000001 x1 : 00000000fead71c7 x0 : 0000000000000000 Call trace: dev_index_reserve+0x104/0x210 register_netdevice+0x598/0x1074 net/core/dev.c:10084 tun_set_iff+0x630/0xb0c drivers/net/tun.c:2850 __tun_chr_ioctl+0x788/0x2af8 drivers/net/tun.c:3118 tun_chr_ioctl+0x38/0x4c drivers/net/tun.c:3403 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:871 [inline] __se_sys_ioctl fs/ioctl.c:857 [inline] __arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:857 __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155 el0_svc+0x58/0x16c arch/arm64/kernel/entry-common.c:678 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595 irq event stamp: 11348 hardirqs last enabled at (11347): [] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline] hardirqs last enabled at (11347): [] _raw_spin_unlock_irqrestore+0x38/0x98 kernel/locking/spinlock.c:194 hardirqs last disabled at (11348): [] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:436 softirqs last enabled at (11138): [] spin_unlock_bh include/linux/spinlock.h:396 [inline] softirqs last enabled at (11138): [] release_sock+0x15c/0x1b0 net/core/sock.c:3531 softirqs last disabled at (11136): [] spin_lock_bh include/linux/spinlock.h:356 [inline] softirqs last disabled at (11136): [] release_sock+0x3c/0x1b0 net/core/sock.c:3518 Fixes: fb7589a16216 ("tun: Add ability to create tun device with given index") Reported-by: syzbot Signed-off-by: Eric Dumazet Reviewed-by: Willem de Bruijn Acked-by: Jason Wang Link: https://lore.kernel.org/r/20231016180851.3560092-1-edumazet@google.com Signed-off-by: Jakub Kicinski commit 278be83601dd1725d4732241f066d528e160a39d Author: Icenowy Zheng Date: Wed Oct 18 08:42:52 2023 +0800 LoongArch: Disable WUC for pgprot_writecombine() like ioremap_wc() Currently the code disables WUC only disables it for ioremap_wc(), which is only used when mapping writecombine pages like ioremap() (mapped to the kernel space). But for VRAM mapped in TTM/GEM, it is mapped with a crafted pgprot by the pgprot_writecombine() function, in which case WUC isn't disabled now. Disable WUC for pgprot_writecombine() (fallback to SUC) if needed, like ioremap_wc(). This improves the AMDGPU driver's stability (solves some misrendering) on Loongson-3A5000/3A6000 machines. Signed-off-by: Icenowy Zheng Signed-off-by: Huacai Chen commit 477a0ebec101359f49d92796e3b609857d564b52 Author: Huacai Chen Date: Wed Oct 18 08:42:52 2023 +0800 LoongArch: Replace kmap_atomic() with kmap_local_page() in copy_user_highpage() Replace kmap_atomic()/kunmap_atomic() calls with kmap_local_page()/ kunmap_local() in copy_user_highpage() which can be invoked from both preemptible and atomic context [1]. [1] https://lore.kernel.org/all/20201029222652.302358281@linutronix.de/ Suggested-by: Deepak R Varma Signed-off-by: Huacai Chen commit 449c2756c2323c9e32b2a2fa9c8b59ce91b5819d Author: Huacai Chen Date: Wed Oct 18 08:42:52 2023 +0800 LoongArch: Export symbol invalid_pud_table for modules building Export symbol invalid_pud_table for modules building (such as the KVM module) if 4-level page tables enabled. Otherwise we get: ERROR: modpost: "invalid_pud_table" [arch/loongarch/kvm/kvm.ko] undefined! Reported-by: Randy Dunlap Acked-by: Randy Dunlap Tested-by: Randy Dunlap Signed-off-by: Tianrui Zhao Signed-off-by: Huacai Chen commit 00c2ca84c680f64b79b5e10a482ca435fd7d98ce Author: Tiezhu Yang Date: Wed Oct 18 08:42:52 2023 +0800 LoongArch: Use SYM_CODE_* to annotate exception handlers As described in include/linux/linkage.h, FUNC -- C-like functions (proper stack frame etc.) CODE -- non-C code (e.g. irq handlers with different, special stack etc.) SYM_FUNC_{START, END} -- use for global functions SYM_CODE_{START, END} -- use for non-C (special) functions So use SYM_CODE_* to annotate exception handlers. Signed-off-by: Tiezhu Yang Signed-off-by: Huacai Chen commit fa8391ad68c16716e2c06ada397e99ceed2fb647 Author: Luben Tuikov Date: Mon Oct 16 22:48:56 2023 -0400 gpu/drm: Eliminate DRM_SCHED_PRIORITY_UNSET Eliminate DRM_SCHED_PRIORITY_UNSET, value of -2, whose only user was amdgpu. Furthermore, eliminate an index bug, in that when amdgpu boots, it calls drm_sched_entity_init() with DRM_SCHED_PRIORITY_UNSET, which uses it to index sched->sched_rq[]. Cc: Alex Deucher Cc: Christian König Signed-off-by: Luben Tuikov Acked-by: Alex Deucher Link: https://lore.kernel.org/r/20231017035656.8211-2-luben.tuikov@amd.com commit eab0261967aeab528db4d0a51806df8209aec179 Author: Luben Tuikov Date: Mon Oct 16 22:24:39 2023 -0400 drm/amdgpu: Unset context priority is now invalid A context priority value of AMD_CTX_PRIORITY_UNSET is now invalid--instead of carrying it around and passing it to the Direct Rendering Manager--and it becomes AMD_CTX_PRIORITY_NORMAL in amdgpu_ctx_ioctl(), the gateway to context creation. Cc: Alex Deucher Cc: Christian König Signed-off-by: Luben Tuikov Acked-by: Alex Deucher Link: https://lore.kernel.org/r/20231017035656.8211-1-luben.tuikov@amd.com commit 1c2709cfff1dedbb9591e989e2f001484208d914 Author: Neal Cardwell Date: Sun Oct 15 13:47:00 2023 -0400 tcp: fix excessive TLP and RACK timeouts from HZ rounding We discovered from packet traces of slow loss recovery on kernels with the default HZ=250 setting (and min_rtt < 1ms) that after reordering, when receiving a SACKed sequence range, the RACK reordering timer was firing after about 16ms rather than the desired value of roughly min_rtt/4 + 2ms. The problem is largely due to the RACK reorder timer calculation adding in TCP_TIMEOUT_MIN, which is 2 jiffies. On kernels with HZ=250, this is 2*4ms = 8ms. The TLP timer calculation has the exact same issue. This commit fixes the TLP transmit timer and RACK reordering timer floor calculation to more closely match the intended 2ms floor even on kernels with HZ=250. It does this by adding in a new TCP_TIMEOUT_MIN_US floor of 2000 us and then converting to jiffies, instead of the current approach of converting to jiffies and then adding th TCP_TIMEOUT_MIN value of 2 jiffies. Our testing has verified that on kernels with HZ=1000, as expected, this does not produce significant changes in behavior, but on kernels with the default HZ=250 the latency improvement can be large. For example, our tests show that for HZ=250 kernels at low RTTs this fix roughly halves the latency for the RACK reorder timer: instead of mostly firing at 16ms it mostly fires at 8ms. Suggested-by: Eric Dumazet Signed-off-by: Neal Cardwell Signed-off-by: Yuchung Cheng Fixes: bb4d991a28cc ("tcp: adjust tail loss probe timeout") Reviewed-by: Eric Dumazet Link: https://lore.kernel.org/r/20231015174700.2206872-1-ncardwell.sw@gmail.com Signed-off-by: Jakub Kicinski commit 06dc10eae55b5ceabfef287a7e5f16ceea204aa0 Merge: 213f891525c22 e8e4a470b6775 Author: Linus Torvalds Date: Tue Oct 17 17:14:22 2023 -0700 Merge tag 'fbdev-for-6.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev Pull fbdev fixes and cleanups from Helge Deller: "Various minor fixes, cleanups and annotations for atyfb, sa1100fb, omapfb, uvesafb and mmp" * tag 'fbdev-for-6.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev: fbdev: core: syscopyarea: fix sloppy typing fbdev: core: cfbcopyarea: fix sloppy typing fbdev: uvesafb: Call cn_del_callback() at the end of uvesafb_exit() fbdev: uvesafb: Remove uvesafb_exec() prototype from include/video/uvesafb.h fbdev: sa1100fb: mark sa1100fb_init() static fbdev: omapfb: fix some error codes fbdev: atyfb: only use ioremap_uc() on i386 and ia64 fbdev: mmp: Annotate struct mmp_path with __counted_by fbdev: mmp: Annotate struct mmphw_ctrl with __counted_by commit 20045f0155ab79f8beb840022ea86bff46167f79 Author: Michael Ellerman Date: Tue Oct 17 23:15:27 2023 +1100 powerpc/64s/radix: Don't warn on copros in radix__tlb_flush() Sachin reported a warning when running the inject-ra-err selftest: # selftests: powerpc/mce: inject-ra-err Disabling lock debugging due to kernel taint MCE: CPU19: machine check (Severe) Real address Load/Store (foreign/control memory) [Not recovered] MCE: CPU19: PID: 5254 Comm: inject-ra-err NIP: [0000000010000e48] MCE: CPU19: Initiator CPU MCE: CPU19: Unknown ------------[ cut here ]------------ WARNING: CPU: 19 PID: 5254 at arch/powerpc/mm/book3s64/radix_tlb.c:1221 radix__tlb_flush+0x160/0x180 CPU: 19 PID: 5254 Comm: inject-ra-err Kdump: loaded Tainted: G M E 6.6.0-rc3-00055-g9ed22ae6be81 #4 Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1030.20 (NH1030_058) hv:phyp pSeries ... NIP radix__tlb_flush+0x160/0x180 LR radix__tlb_flush+0x104/0x180 Call Trace: radix__tlb_flush+0xf4/0x180 (unreliable) tlb_finish_mmu+0x15c/0x1e0 exit_mmap+0x1a0/0x510 __mmput+0x60/0x1e0 exit_mm+0xdc/0x170 do_exit+0x2bc/0x5a0 do_group_exit+0x4c/0xc0 sys_exit_group+0x28/0x30 system_call_exception+0x138/0x330 system_call_vectored_common+0x15c/0x2ec And bisected it to commit e43c0a0c3c28 ("powerpc/64s/radix: combine final TLB flush and lazy tlb mm shootdown IPIs"), which added a warning in radix__tlb_flush() if mm->context.copros is still elevated. However it's possible for the copros count to be elevated if a process exits without first closing file descriptors that are associated with a copro, eg. VAS. If the process exits with a VAS file still open, the release callback is queued up for exit_task_work() via: exit_files() put_files_struct() close_files() filp_close() fput() And called via: exit_task_work() ____fput() __fput() file->f_op->release(inode, file) coproc_release() vas_user_win_ops->close_win() vas_deallocate_window() mm_context_remove_vas_window() mm_context_remove_copro() But that is after exit_mm() has been called from do_exit() and triggered the warning. Fix it by dropping the warning, and always calling __flush_all_mm(). In the normal case of no copros, that will result in a call to _tlbiel_pid(mm->context.id, RIC_FLUSH_ALL) just as the current code does. If the copros count is elevated then it will cause a global flush, which should flush translations from any copros. Note that the process table entry was cleared in arch_exit_mmap(), so copros should not be able to fetch any new translations. Fixes: e43c0a0c3c28 ("powerpc/64s/radix: combine final TLB flush and lazy tlb mm shootdown IPIs") Reported-by: Sachin Sant Closes: https://lore.kernel.org/all/A8E52547-4BF1-47CE-8AEA-BC5A9D7E3567@linux.ibm.com/ Signed-off-by: Nicholas Piggin Signed-off-by: Michael Ellerman Tested-by: Sachin Sant Link: https://msgid.link/20231017121527.1574104-1-mpe@ellerman.id.au commit cf5a103c98a6fb9ee3164334cb5502df6360749b Author: Beau Belgrave Date: Thu Oct 5 21:57:12 2023 +0000 selftests/user_events: Fix abi_test for BE archs The abi_test currently uses a long sized test value for enablement checks. On LE this works fine, however, on BE this results in inaccurate assert checks due to a bit being used and assuming it's value is the same on both LE and BE. Use int type for 32-bit values and long type for 64-bit values to ensure appropriate behavior on both LE and BE. Fixes: 60b1af8de8c1 ("tracing/user_events: Add ABI self-test") Signed-off-by: Beau Belgrave Acked-by: Steven Rostedt (Google) Signed-off-by: Shuah Khan commit 5e8a5e895a20c08acc49736c3ce0898be4c77c91 Merge: 759426c758c70 8cd79b729e746 Author: Arnd Bergmann Date: Tue Oct 17 22:53:13 2023 +0200 Merge tag 'v6.6-rockchip-dtsfixes1' of git://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip into arm/fixes I2S pinctrl fixes, someone resurrected the rk3128 arm32 and found some needed fixes and finally some sound fixes for the px30 ringneck som. * tag 'v6.6-rockchip-dtsfixes1' of git://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip: arm64: dts: rockchip: Fix i2s0 pin conflict on ROCK Pi 4 boards arm64: dts: rockchip: Add i2s0-2ch-bus-bclk-off pins to RK3399 ARM: dts: rockchip: Fix timer clocks for RK3128 ARM: dts: rockchip: Add missing quirk for RK3128's dma engine ARM: dts: rockchip: Add missing arm timer interrupt for RK3128 ARM: dts: rockchip: Fix i2c0 register address for RK3128 arm64: dts: rockchip: set codec system-clock-fixed on px30-ringneck-haikou arm64: dts: rockchip: use codec as clock master on px30-ringneck-haikou Link: https://lore.kernel.org/r/1965242.usQuhbGJ8B@phil Signed-off-by: Arnd Bergmann commit bee448390e5166d019e9e037194d487ee94399d9 Author: Linus Walleij Date: Sat Sep 2 21:46:20 2023 +0200 iio: afe: rescale: Accept only offset channels As noted by Jonathan Cameron: it is perfectly legal for a channel to have an offset but no scale in addition to the raw interface. The conversion will imply that scale is 1:1. Make rescale_configure_channel() accept just scale, or just offset to process a channel. When a user asks for IIO_CHAN_INFO_OFFSET in rescale_read_raw() we now have to deal with the fact that OFFSET could be present but SCALE missing. Add code to simply scale 1:1 in this case. Link: https://lore.kernel.org/linux-iio/CACRpkdZXBjHU4t-GVOCFxRO-AHGxKnxMeHD2s4Y4PuC29gBq6g@mail.gmail.com/ Fixes: 53ebee949980 ("iio: afe: iio-rescale: Support processed channels") Fixes: 9decacd8b3a4 ("iio: afe: rescale: Fix boolean logic bug") Reported-by: Jonathan Cameron Signed-off-by: Linus Walleij Reviewed-by: Peter Rosin Link: https://lore.kernel.org/r/20230902-iio-rescale-only-offset-v2-1-988b807754c8@linaro.org Cc: Signed-off-by: Jonathan Cameron commit 759426c758c7053a941a4c06c7571461439fcff6 Author: Jisheng Zhang Date: Tue Sep 12 15:22:32 2023 +0800 riscv: dts: thead: set dma-noncoherent to soc bus riscv select ARCH_DMA_DEFAULT_COHERENT by default, and th1520 isn't dma coherent, so set dma-noncoherent to reflect this fact. Signed-off-by: Jisheng Zhang Tested-by: Drew Fustini Reviewed-by: Guo Ren Signed-off-by: Arnd Bergmann commit 8b695369a6f2d00f62cd28f927b6d4a0a2163191 Merge: 58720809f5277 ec4405ed92036 Author: Greg Kroah-Hartman Date: Tue Oct 17 19:25:42 2023 +0200 Merge tag 'thunderbolt-for-v6.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/westeri/thunderbolt into usb-linus Mika writes: thunderbolt: Fix for v6.6-rc7 This includes a single commit that fixes a memory leak when DisplayPort bandwidth allocation request is being handled by the driver. This has been in linux-next with no reported issues. * tag 'thunderbolt-for-v6.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/westeri/thunderbolt: thunderbolt: Call tb_switch_put() once DisplayPort bandwidth request is finished commit e8ecffd9962fe051d53a0761921b26d653b3df6b Author: David Rau Date: Tue Oct 17 10:12:58 2023 +0800 ASoC: da7219: Correct the process of setting up Gnd switch in AAD Enable Gnd switch to improve stability when Jack insert event occurs, and then disable Gnd switch after Jack type detection is finished. Signed-off-by: David Rau Link: https://lore.kernel.org/r/20231017021258.5929-1-David.Rau.opensource@dm.renesas.com Signed-off-by: Mark Brown commit 95535e37e8959f50e7aee365a5bdc9e5ed720443 Author: Shailend Chand Date: Sat Oct 14 01:41:21 2023 +0000 gve: Do not fully free QPL pages on prefill errors The prefill function should have only removed the page count bias it added. Fully freeing the page will cause gve_free_queue_page_list to free a page the driver no longer owns. Fixes: 82fd151d38d9 ("gve: Reduce alloc and copy costs in the GQ rx path") Signed-off-by: Shailend Chand Link: https://lore.kernel.org/r/20231014014121.2843922-1-shailend@google.com Signed-off-by: Paolo Abeni commit 63e44bc52047f182601e7817da969a105aa1f721 Author: Joerg Roedel Date: Mon Oct 16 14:42:50 2023 +0200 x86/sev: Check for user-space IOIO pointing to kernel space Check the memory operand of INS/OUTS before emulating the instruction. The #VC exception can get raised from user-space, but the memory operand can be manipulated to access kernel memory before the emulation actually begins and after the exception handler has run. [ bp: Massage commit message. ] Fixes: 597cfe48212a ("x86/boot/compressed/64: Setup a GHCB-based VC Exception handler") Reported-by: Tom Dohrmann Signed-off-by: Joerg Roedel Signed-off-by: Borislav Petkov (AMD) Cc: commit c8c0a03ec1be6b3f3ec1ce91685351235212db19 Author: Kailang Yang Date: Tue Oct 17 15:30:24 2023 +0800 ALSA: hda/realtek - Fixed ASUS platform headset Mic issue ASUS platform Headset Mic was disable by default. Assigned verb table for Mic pin will enable it. Signed-off-by: Kailang Yang Cc: Link: https://lore.kernel.org/r/1155d914c20c40569f56d36c79254879@realtek.com Signed-off-by: Takashi Iwai commit 5dedc9f53eef7ec07b23686381100d03fb259f50 Author: Artem Borisov Date: Sat Oct 14 10:50:42 2023 +0300 ALSA: hda/realtek: Add quirk for ASUS ROG GU603ZV Enables the SPI-connected Cirrus amp and the required pins for headset mic detection. As of BIOS version 313 it is still necessary to modify the ACPI table to add the related _DSD properties: https://gist.github.com/Flex1911/1bce378645fc95a5743671bd5deabfc8 Signed-off-by: Artem Borisov Cc: Link: https://lore.kernel.org/r/20231014075044.17474-1-dedsa2002@gmail.com Signed-off-by: Takashi Iwai commit 56e85993896b914032d11e32ecbf8415e7b2f621 Author: Luka Guzenko Date: Tue Oct 17 00:13:28 2023 +0200 ALSA: hda/relatek: Enable Mute LED on HP Laptop 15s-fq5xxx This HP Laptop uses ALC236 codec with COEF 0x07 controlling the mute LED. Enable existing quirk for this device. Signed-off-by: Luka Guzenko Cc: Link: https://lore.kernel.org/r/20231016221328.1521674-1-l.guzenko@web.de Signed-off-by: Takashi Iwai commit db7724134c26fdf16886a560646d02292563f5a4 Author: Ard Biesheuvel Date: Mon Oct 16 17:24:31 2023 +0200 x86/boot: efistub: Assign global boot_params variable Now that the x86 EFI stub calls into some APIs exposed by the decompressor (e.g., kaslr_get_random_long()), it is necessary to ensure that the global boot_params variable is set correctly before doing so. Note that the decompressor and the kernel proper carry conflicting declarations for the global variable 'boot_params' so refer to it via an alias to work around this. Signed-off-by: Ard Biesheuvel commit 1aee9158bc978f91701c5992e395efbc6da2de3c Author: Al Viro Date: Sat Oct 14 21:34:40 2023 -0400 nfsd: lock_rename() needs both directories to live on the same fs ... checking that after lock_rename() is too late. Incidentally, NFSv2 had no nfserr_xdev... Fixes: aa387d6ce153 "nfsd: fix EXDEV checking in rename" Cc: stable@vger.kernel.org # v3.9+ Reviewed-by: Jeff Layton Acked-by: Chuck Lever Tested-by: Jeff Layton Signed-off-by: Al Viro commit 213f891525c222e8ed145ce1ce7ae1f47921cb9c Merge: 86d6a628a281a 700b2b439766e Author: Linus Torvalds Date: Mon Oct 16 18:50:48 2023 -0700 Merge tag 'probes-fixes-v6.6-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace Pull probes fixes from Masami Hiramatsu: - Fix fprobe document to add a new ret_ip parameter for callback functions. This has been introduced in v6.5 but the document was not updated. - Fix fprobe to check the number of active retprobes is not zero. This number is passed from parameter or calculated by the parameter and it can be zero which is not acceptable. But current code only check it is not minus. * tag 'probes-fixes-v6.6-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace: fprobe: Fix to ensure the number of active retprobes is not zero Documentation: probes: Add a new ret_ip callback parameter commit 86d6a628a281a17b8341ece99997c1251bb41a41 Merge: 58720809f5277 2b3f2325e71f0 Author: Linus Torvalds Date: Mon Oct 16 18:34:17 2023 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull kvm fixes from Paolo Bonzini: "ARM: - Fix the handling of the phycal timer offset when FEAT_ECV and CNTPOFF_EL2 are implemented - Restore the functionnality of Permission Indirection that was broken by the Fine Grained Trapping rework - Cleanup some PMU event sharing code MIPS: - Fix W=1 build s390: - One small fix for gisa to avoid stalls x86: - Truncate writes to PMU counters to the counter's width to avoid spurious overflows when emulating counter events in software - Set the LVTPC entry mask bit when handling a PMI (to match Intel-defined architectural behavior) - Treat KVM_REQ_PMI as a wake event instead of queueing host IRQ work to kick the guest out of emulated halt - Fix for loading XSAVE state from an old kernel into a new one - Fixes for AMD AVIC selftests: - Play nice with %llx when formatting guest printf and assert statements - Clean up stale test metadata - Zero-initialize structures in memslot perf test to workaround a suspected 'may be used uninitialized' false positives from GCC" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (21 commits) KVM: arm64: timers: Correctly handle TGE flip with CNTPOFF_EL2 KVM: arm64: POR{E0}_EL1 do not need trap handlers KVM: arm64: Add nPIR{E0}_EL1 to HFG traps KVM: MIPS: fix -Wunused-but-set-variable warning KVM: arm64: pmu: Drop redundant check for non-NULL kvm_pmu_events KVM: SVM: Fix build error when using -Werror=unused-but-set-variable x86: KVM: SVM: refresh AVIC inhibition in svm_leave_nested() x86: KVM: SVM: add support for Invalid IPI Vector interception x86: KVM: SVM: always update the x2avic msr interception KVM: selftests: Force load all supported XSAVE state in state test KVM: selftests: Load XSAVE state into untouched vCPU during state test KVM: selftests: Touch relevant XSAVE state in guest for state test KVM: x86: Constrain guest-supported xfeatures only at KVM_GET_XSAVE{2} x86/fpu: Allow caller to constrain xfeatures when copying to uabi buffer KVM: selftests: Zero-initialize entire test_result in memslot perf test KVM: selftests: Remove obsolete and incorrect test case metadata KVM: selftests: Treat %llx like %lx when formatting guest printf KVM: x86/pmu: Synthesize at most one PMI per VM-exit KVM: x86: Mask LVTPC when handling a PMI KVM: x86/pmu: Truncate counter value to allowed width on write ... commit 700b2b439766e8aab8a7174991198497345bd411 Author: Masami Hiramatsu (Google) Date: Tue Oct 17 08:49:45 2023 +0900 fprobe: Fix to ensure the number of active retprobes is not zero The number of active retprobes can be zero but it is not acceptable, so return EINVAL error if detected. Link: https://lore.kernel.org/all/169750018550.186853.11198884812017796410.stgit@devnote2/ Reported-by: wuqiang.matt Closes: https://lore.kernel.org/all/20231016222103.cb9f426edc60220eabd8aa6a@kernel.org/ Fixes: 5b0ab78998e3 ("fprobe: Add exit_handler support") Signed-off-by: Masami Hiramatsu (Google) commit 2a86ac30a6687e47436e547deadae3bf0fc28697 Author: Masami Hiramatsu (Google) Date: Sun Sep 24 22:36:11 2023 +0900 Documentation: probes: Add a new ret_ip callback parameter Add a new ret_ip callback parameter description. Link: https://lore.kernel.org/all/169556257133.146934.13560704846459957726.stgit@devnote2/ Fixes: cb16330d1274 ("fprobe: Pass return address to the handlers") Signed-off-by: Masami Hiramatsu (Google) Acked-by: Florent Revest commit 097c06394c835be0cf21e23f9bd13ff771601b63 Author: Quinn Tran Date: Mon Oct 16 15:47:49 2023 +0530 scsi: qla2xxx: Fix double free of dsd_list during driver load On driver load, scsi_add_host() can fail. This triggers the free path to call qla2x00_mem_free() multiple times. This causes NULL pointer access of ha->base_qpair. Add check before access. BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 IP: [] qla2x00_mem_free+0x51c/0xcb0 [qla2xxx] PGD 8000001fcfe4a067 PUD 1fc8f0a067 PMD 0 Oops: 0000 [#1] SMP RIP: 0010:[] [] qla2x00_mem_free+0x51c/0xcb0 [qla2xxx] RSP: 0018:ffff8ace97a93a30 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff8ace8efd0000 RCX: 000000000000488f RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffff8ace97a93a60 R08: 000000000001f040 R09: ffffffff8678209b R10: ffff8acf7d6df040 R11: ffffc591c0fcc980 R12: ffffffff87034800 R13: ffff8acf0e3cc740 R14: ffff8ace8efd0000 R15: 00000000fffffff4 FS: 00007f4cf5449740(0000) GS:ffff8acf7d6c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000030 CR3: 0000001fc2f6c000 CR4: 00000000007607e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: [] ? kobject_put+0x28/0x60 [] qla2x00_probe_one+0x19fc/0x3040 [qla2xxx] Fixes: efeda3bf912f ("scsi: qla2xxx: Move resource to allow code reuse") Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Link: https://lore.kernel.org/r/20231016101749.5059-1-njavali@marvell.com Signed-off-by: Martin K. Petersen commit e40c04ade0e2f3916b78211d747317843b11ce10 Author: Tomas Henzl Date: Sun Oct 15 13:45:29 2023 +0200 scsi: mpt3sas: Fix in error path The driver should be deregistered as misc driver after PCI registration failure. Signed-off-by: Tomas Henzl Link: https://lore.kernel.org/r/20231015114529.10725-1-thenzl@redhat.com Signed-off-by: Martin K. Petersen commit 2b10740ce74abaea31c2cad4ff8e180549c4544b Merge: 7937609cd3872 cb3871b1cd135 Author: Jakub Kicinski Date: Mon Oct 16 18:02:19 2023 -0700 Merge tag 'for-net-2023-10-13' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth Luiz Augusto von Dentz says: ==================== bluetooth pull request for net: - Fix race when opening vhci device - Avoid memcmp() out of bounds warning - Correctly bounds check and pad HCI_MON_NEW_INDEX name - Fix using memcmp when comparing keys - Ignore error return for hci_devcd_register() in btrtl - Always check if connection is alive before deleting - Fix a refcnt underflow problem for hci_conn * tag 'for-net-2023-10-13' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth: Bluetooth: hci_sock: Correctly bounds check and pad HCI_MON_NEW_INDEX name Bluetooth: avoid memcmp() out of bounds warning Bluetooth: hci_sock: fix slab oob read in create_monitor_event Bluetooth: btrtl: Ignore error return for hci_devcd_register() Bluetooth: hci_event: Fix coding style Bluetooth: hci_event: Fix using memcmp when comparing keys Bluetooth: Fix a refcnt underflow problem for hci_conn Bluetooth: hci_sync: always check if connection is alive before deleting Bluetooth: Reject connection with the device which has same BD_ADDR Bluetooth: hci_event: Ignore NULL link key Bluetooth: ISO: Fix invalid context error Bluetooth: vhci: Fix race when opening vhci device ==================== Link: https://lore.kernel.org/r/20231014031336.1664558-1-luiz.dentz@gmail.com Signed-off-by: Jakub Kicinski commit 7937609cd387246aed994e81aa4fa951358fba41 Author: Krzysztof Kozlowski Date: Fri Oct 13 20:41:29 2023 +0200 nfc: nci: fix possible NULL pointer dereference in send_acknowledge() Handle memory allocation failure from nci_skb_alloc() (calling alloc_skb()) to avoid possible NULL pointer dereference. Reported-by: 黄思聪 Fixes: 391d8a2da787 ("NFC: Add NCI over SPI receive") Cc: Signed-off-by: Krzysztof Kozlowski Reviewed-by: Simon Horman Link: https://lore.kernel.org/r/20231013184129.18738-1-krzysztof.kozlowski@linaro.org Signed-off-by: Jakub Kicinski commit 503930f8e113edc86f92b767efb4ea57bdffffb2 Author: Christoph Paasch Date: Thu Oct 12 21:14:48 2023 -0700 netlink: Correct offload_xstats size rtnl_offload_xstats_get_size_hw_s_info_one() conditionalizes the size-computation for IFLA_OFFLOAD_XSTATS_HW_S_INFO_USED based on whether or not the device has offload_xstats enabled. However, rtnl_offload_xstats_fill_hw_s_info_one() is adding the u8 for that field uncondtionally. syzkaller triggered a WARNING in rtnl_stats_get due to this: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 754 at net/core/rtnetlink.c:5982 rtnl_stats_get+0x2f4/0x300 Modules linked in: CPU: 0 PID: 754 Comm: syz-executor148 Not tainted 6.6.0-rc2-g331b78eb12af #45 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 RIP: 0010:rtnl_stats_get+0x2f4/0x300 net/core/rtnetlink.c:5982 Code: ff ff 89 ee e8 7d 72 50 ff 83 fd a6 74 17 e8 33 6e 50 ff 4c 89 ef be 02 00 00 00 e8 86 00 fa ff e9 7b fe ff ff e8 1c 6e 50 ff <0f> 0b eb e5 e8 73 79 7b 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffc900006837c0 EFLAGS: 00010293 RAX: ffffffff81cf7f24 RBX: ffff8881015d9000 RCX: ffff888101815a00 RDX: 0000000000000000 RSI: 00000000ffffffa6 RDI: 00000000ffffffa6 RBP: 00000000ffffffa6 R08: ffffffff81cf7f03 R09: 0000000000000001 R10: ffff888101ba47b9 R11: ffff888101815a00 R12: ffff8881017dae00 R13: ffff8881017dad00 R14: ffffc90000683ab8 R15: ffffffff83c1f740 FS: 00007fbc22dbc740(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000046 CR3: 000000010264e003 CR4: 0000000000170ef0 Call Trace: rtnetlink_rcv_msg+0x677/0x710 net/core/rtnetlink.c:6480 netlink_rcv_skb+0xea/0x1c0 net/netlink/af_netlink.c:2545 netlink_unicast+0x430/0x500 net/netlink/af_netlink.c:1342 netlink_sendmsg+0x4fc/0x620 net/netlink/af_netlink.c:1910 sock_sendmsg+0xa8/0xd0 net/socket.c:730 ____sys_sendmsg+0x22a/0x320 net/socket.c:2541 ___sys_sendmsg+0x143/0x190 net/socket.c:2595 __x64_sys_sendmsg+0xd8/0x150 net/socket.c:2624 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x47/0xa0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 RIP: 0033:0x7fbc22e8d6a9 Code: 5c c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 4f 37 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007ffc4320e778 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00000000004007d0 RCX: 00007fbc22e8d6a9 RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003 RBP: 0000000000000001 R08: 0000000000000000 R09: 00000000004007d0 R10: 0000000000000008 R11: 0000000000000246 R12: 00007ffc4320e898 R13: 00007ffc4320e8a8 R14: 00000000004004a0 R15: 00007fbc22fa5a80 ---[ end trace 0000000000000000 ]--- Which didn't happen prior to commit bf9f1baa279f ("net: add dedicated kmem_cache for typical/small skb->head") as the skb always was large enough. Fixes: 0e7788fd7622 ("net: rtnetlink: Add UAPI for obtaining L3 offload xstats") Signed-off-by: Christoph Paasch Reviewed-by: Petr Machata Link: https://lore.kernel.org/r/20231013041448.8229-1-cpaasch@apple.com Signed-off-by: Jakub Kicinski commit 4abbd2e3c1db671fa1286390f1310aec78386f1d Author: Dust Li Date: Thu Oct 12 20:37:29 2023 +0800 net/smc: return the right falback reason when prefix checks fail In the smc_listen_work(), if smc_listen_prfx_check() failed, the real reason: SMC_CLC_DECL_DIFFPREFIX was dropped, and SMC_CLC_DECL_NOSMCDEV was returned. Althrough this is also kind of SMC_CLC_DECL_NOSMCDEV, but return the real reason is much friendly for debugging. Fixes: e49300a6bf62 ("net/smc: add listen processing for SMC-Rv2") Signed-off-by: Dust Li Reviewed-by: Alexandra Winter Reviewed-by: Wenjia Zhang Link: https://lore.kernel.org/r/20231012123729.29307-1-dust.li@linux.alibaba.com Signed-off-by: Jakub Kicinski commit e8e4a470b677511f9d1ad4f3cef32adc1d9a60ca Author: Sergey Shtylyov Date: Fri Oct 13 23:50:24 2023 +0300 fbdev: core: syscopyarea: fix sloppy typing In sys_copyarea(), the local variable bits_per_line is needlessly typed as *unsigned long* -- which is a 32-bit type on the 32-bit arches and a 64-bit type on the 64-bit arches; that variable's value is derived from the __u32 typed fb_fix_screeninfo::line_length field (multiplied by 8u) and a 32-bit *unsigned int* type should still be enough to store the # of bits per line. Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool. Signed-off-by: Sergey Shtylyov Signed-off-by: Helge Deller commit 7f33df94cf0156f64eee9509bd9b4a178990f613 Author: Sergey Shtylyov Date: Fri Oct 13 23:50:23 2023 +0300 fbdev: core: cfbcopyarea: fix sloppy typing In cfb_copyarea(), the local variable bits_per_line is needlessly typed as *unsigned long* -- which is a 32-bit type on the 32-bit arches and a 64-bit type on the 64-bit arches; that variable's value is derived from the __u32 typed fb_fix_screeninfo::line_length field (multiplied by 8u) and a 32-bit *unsigned int* type should still be enough to store the # of bits per line. Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool. Signed-off-by: Sergey Shtylyov Signed-off-by: Helge Deller commit 1022e7e2f40574c74ed32c3811b03d26b0b81daf Author: Jorge Maidana Date: Fri Oct 6 17:43:47 2023 -0300 fbdev: uvesafb: Call cn_del_callback() at the end of uvesafb_exit() Delete the v86d netlink only after all the VBE tasks have been completed. Fixes initial state restore on module unload: uvesafb: VBE state restore call failed (eax=0x4f04, err=-19) Signed-off-by: Jorge Maidana Signed-off-by: Helge Deller commit 0c37bffaaebe1733433b480d612282169632a31a Author: Jorge Maidana Date: Fri Oct 6 17:43:46 2023 -0300 fbdev: uvesafb: Remove uvesafb_exec() prototype from include/video/uvesafb.h uvesafb_exec() is a static function defined and called only in drivers/video/fbdev/uvesafb.c, remove the prototype from include/video/uvesafb.h. Fixes the warning: ./include/video/uvesafb.h:112:12: warning: 'uvesafb_exec' declared 'static' but never defined [-Wunused-function] when including '