Changelog in Linux kernel 5.4.288

 
ACPI: resource: Fix memory resource type union access [+ + +]
Author: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Date:   Mon Dec 2 12:06:13 2024 +0200

    ACPI: resource: Fix memory resource type union access
    
    [ Upstream commit 7899ca9f3bd2b008e9a7c41f2a9f1986052d7e96 ]
    
    In acpi_decode_space() addr->info.mem.caching is checked on main level
    for any resource type but addr->info.mem is part of union and thus
    valid only if the resource type is memory range.
    
    Move the check inside the preceeding switch/case to only execute it
    when the union is of correct type.
    
    Fixes: fcb29bbcd540 ("ACPI: Add prefetch decoding to the address space parser")
    Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
    Link: https://patch.msgid.link/20241202100614.20731-1-ilpo.jarvinen@linux.intel.com
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ACPICA: events/evxfregn: don't release the ContextMutex that was never acquired [+ + +]
Author: Daniil Tatianin <d-tatianin@yandex-team.ru>
Date:   Fri Nov 22 11:29:54 2024 +0300

    ACPICA: events/evxfregn: don't release the ContextMutex that was never acquired
    
    [ Upstream commit c53d96a4481f42a1635b96d2c1acbb0a126bfd54 ]
    
    This bug was first introduced in c27f3d011b08, where the author of the
    patch probably meant to do DeleteMutex instead of ReleaseMutex. The
    mutex leak was noticed later on and fixed in e4dfe108371, but the bogus
    MutexRelease line was never removed, so do it now.
    
    Link: https://github.com/acpica/acpica/pull/982
    Fixes: c27f3d011b08 ("ACPICA: Fix race in generic_serial_bus (I2C) and GPIO op_region parameter handling")
    Signed-off-by: Daniil Tatianin <d-tatianin@yandex-team.ru>
    Link: https://patch.msgid.link/20241122082954.658356-1-d-tatianin@yandex-team.ru
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ALSA: usb-audio: Fix a DMA to stack memory bug [+ + +]
Author: Dan Carpenter <dan.carpenter@linaro.org>
Date:   Mon Dec 2 15:57:54 2024 +0300

    ALSA: usb-audio: Fix a DMA to stack memory bug
    
    commit f7d306b47a24367302bd4fe846854e07752ffcd9 upstream.
    
    The usb_get_descriptor() function does DMA so we're not allowed
    to use a stack buffer for that.  Doing DMA to the stack is not portable
    all architectures.  Move the "new_device_descriptor" from being stored
    on the stack and allocate it with kmalloc() instead.
    
    Fixes: b909df18ce2a ("ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices")
    Cc: stable@kernel.org
    Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
    Link: https://patch.msgid.link/60e3aa09-039d-46d2-934c-6f123026c2eb@stanley.mountain
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Benoît Sevens <bsevens@google.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ata: sata_highbank: fix OF node reference leak in highbank_initialize_phys() [+ + +]
Author: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
Date:   Thu Dec 5 19:30:14 2024 +0900

    ata: sata_highbank: fix OF node reference leak in highbank_initialize_phys()
    
    commit 676fe1f6f74db988191dab5df3bf256908177072 upstream.
    
    The OF node reference obtained by of_parse_phandle_with_args() is not
    released on early return. Add a of_node_put() call before returning.
    
    Fixes: 8996b89d6bc9 ("ata: add platform driver for Calxeda AHCI controller")
    Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
    Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
batman-adv: Do not let TT changes list grows indefinitely [+ + +]
Author: Remi Pommarel <repk@triplefau.lt>
Date:   Fri Nov 22 16:52:50 2024 +0100

    batman-adv: Do not let TT changes list grows indefinitely
    
    [ Upstream commit fff8f17c1a6fc802ca23bbd3a276abfde8cc58e6 ]
    
    When TT changes list is too big to fit in packet due to MTU size, an
    empty OGM is sent expected other node to send TT request to get the
    changes. The issue is that tt.last_changeset was not built thus the
    originator was responding with previous changes to those TT requests
    (see batadv_send_my_tt_response). Also the changes list was never
    cleaned up effectively never ending growing from this point onwards,
    repeatedly sending the same TT response changes over and over, and
    creating a new empty OGM every OGM interval expecting for the local
    changes to be purged.
    
    When there is more TT changes that can fit in packet, drop all changes,
    send empty OGM and wait for TT request so we can respond with a full
    table instead.
    
    Fixes: e1bf0c14096f ("batman-adv: tvlv - convert tt data sent within OGMs")
    Signed-off-by: Remi Pommarel <repk@triplefau.lt>
    Acked-by: Antonio Quartulli <Antonio@mandelbit.com>
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

batman-adv: Do not send uninitialized TT changes [+ + +]
Author: Remi Pommarel <repk@triplefau.lt>
Date:   Fri Nov 22 16:52:48 2024 +0100

    batman-adv: Do not send uninitialized TT changes
    
    [ Upstream commit f2f7358c3890e7366cbcb7512b4bc8b4394b2d61 ]
    
    The number of TT changes can be less than initially expected in
    batadv_tt_tvlv_container_update() (changes can be removed by
    batadv_tt_local_event() in ADD+DEL sequence between reading
    tt_diff_entries_num and actually iterating the change list under lock).
    
    Thus tt_diff_len could be bigger than the actual changes size that need
    to be sent. Because batadv_send_my_tt_response sends the whole
    packet, uninitialized data can be interpreted as TT changes on other
    nodes leading to weird TT global entries on those nodes such as:
    
     * 00:00:00:00:00:00   -1 [....] (  0) 88:12:4e:ad:7e:ba (179) (0x45845380)
     * 00:00:00:00:78:79 4092 [.W..] (  0) 88:12:4e:ad:7e:3c (145) (0x8ebadb8b)
    
    All of the above also applies to OGM tvlv container buffer's tvlv_len.
    
    Remove the extra allocated space to avoid sending uninitialized TT
    changes in batadv_send_my_tt_response() and batadv_v_ogm_send_softif().
    
    Fixes: e1bf0c14096f ("batman-adv: tvlv - convert tt data sent within OGMs")
    Signed-off-by: Remi Pommarel <repk@triplefau.lt>
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

batman-adv: Remove uninitialized data in full table TT response [+ + +]
Author: Remi Pommarel <repk@triplefau.lt>
Date:   Fri Nov 22 16:52:49 2024 +0100

    batman-adv: Remove uninitialized data in full table TT response
    
    [ Upstream commit 8038806db64da15721775d6b834990cacbfcf0b2 ]
    
    The number of entries filled by batadv_tt_tvlv_generate() can be less
    than initially expected in batadv_tt_prepare_tvlv_{global,local}_data()
    (changes can be removed by batadv_tt_local_event() in ADD+DEL sequence
    in the meantime as the lock held during the whole tvlv global/local data
    generation).
    
    Thus tvlv_len could be bigger than the actual TT entry size that need
    to be sent so full table TT_RESPONSE could hold invalid TT entries such
    as below.
    
     * 00:00:00:00:00:00   -1 [....] (  0) 88:12:4e:ad:7e:ba (179) (0x45845380)
     * 00:00:00:00:78:79 4092 [.W..] (  0) 88:12:4e:ad:7e:3c (145) (0x8ebadb8b)
    
    Remove the extra allocated space to avoid sending uninitialized entries
    for full table TT_RESPONSE in both batadv_send_other_tt_response() and
    batadv_send_my_tt_response().
    
    Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific")
    Signed-off-by: Remi Pommarel <repk@triplefau.lt>
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
blk-iocost: Avoid using clamp() on inuse in __propagate_weights() [+ + +]
Author: Nathan Chancellor <nathan@kernel.org>
Date:   Thu Dec 12 10:13:29 2024 -0700

    blk-iocost: Avoid using clamp() on inuse in __propagate_weights()
    
    [ Upstream commit 57e420c84f9ab55ba4c5e2ae9c5f6c8e1ea834d2 ]
    
    After a recent change to clamp() and its variants [1] that increases the
    coverage of the check that high is greater than low because it can be
    done through inlining, certain build configurations (such as s390
    defconfig) fail to build with clang with:
    
      block/blk-iocost.c:1101:11: error: call to '__compiletime_assert_557' declared with 'error' attribute: clamp() low limit 1 greater than high limit active
       1101 |                 inuse = clamp_t(u32, inuse, 1, active);
            |                         ^
      include/linux/minmax.h:218:36: note: expanded from macro 'clamp_t'
        218 | #define clamp_t(type, val, lo, hi) __careful_clamp(type, val, lo, hi)
            |                                    ^
      include/linux/minmax.h:195:2: note: expanded from macro '__careful_clamp'
        195 |         __clamp_once(type, val, lo, hi, __UNIQUE_ID(v_), __UNIQUE_ID(l_), __UNIQUE_ID(h_))
            |         ^
      include/linux/minmax.h:188:2: note: expanded from macro '__clamp_once'
        188 |         BUILD_BUG_ON_MSG(statically_true(ulo > uhi),                            \
            |         ^
    
    __propagate_weights() is called with an active value of zero in
    ioc_check_iocgs(), which results in the high value being less than the
    low value, which is undefined because the value returned depends on the
    order of the comparisons.
    
    The purpose of this expression is to ensure inuse is not more than
    active and at least 1. This could be written more simply with a ternary
    expression that uses min(inuse, active) as the condition so that the
    value of that condition can be used if it is not zero and one if it is.
    Do this conversion to resolve the error and add a comment to deter
    people from turning this back into clamp().
    
    Fixes: 7caa47151ab2 ("blkcg: implement blk-iocost")
    Link: https://lore.kernel.org/r/34d53778977747f19cce2abb287bb3e6@AcuMS.aculab.com/ [1]
    Suggested-by: David Laight <david.laight@aculab.com>
    Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Closes: https://lore.kernel.org/llvm/CA+G9fYsD7mw13wredcZn0L-KBA3yeoVSTuxnss-AEWMN3ha0cA@mail.gmail.com/
    Reported-by: kernel test robot <lkp@intel.com>
    Closes: https://lore.kernel.org/oe-kbuild-all/202412120322.3GfVe3vF-lkp@intel.com/
    Signed-off-by: Nathan Chancellor <nathan@kernel.org>
    Acked-by: Tejun Heo <tj@kernel.org>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

blk-iocost: clamp inuse and skip noops in __propagate_weights() [+ + +]
Author: Tejun Heo <tj@kernel.org>
Date:   Tue Sep 1 14:52:35 2020 -0400

    blk-iocost: clamp inuse and skip noops in __propagate_weights()
    
    [ Upstream commit db84a72af6be422abf2089a5896293590dda5066 ]
    
    __propagate_weights() currently expects the callers to clamp inuse within
    [1, active], which is needlessly fragile. The inuse adjustment logic is
    going to be revamped, in preparation, let's make __propagate_weights() clamp
    inuse on entry.
    
    Also, make it avoid weight updates altogether if neither active or inuse is
    changed.
    
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Stable-dep-of: 57e420c84f9a ("blk-iocost: Avoid using clamp() on inuse in __propagate_weights()")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

blk-iocost: fix weight updates of inner active iocgs [+ + +]
Author: Tejun Heo <tj@kernel.org>
Date:   Tue May 11 21:38:36 2021 -0400

    blk-iocost: fix weight updates of inner active iocgs
    
    [ Upstream commit e9f4eee9a0023ba22db9560d4cc6ee63f933dae8 ]
    
    When the weight of an active iocg is updated, weight_updated() is called
    which in turn calls __propagate_weights() to update the active and inuse
    weights so that the effective hierarchical weights are update accordingly.
    
    The current implementation is incorrect for inner active nodes. For an
    active leaf iocg, inuse can be any value between 1 and active and the
    difference represents how much the iocg is donating. When weight is updated,
    as long as inuse is clamped between 1 and the new weight, we're alright and
    this is what __propagate_weights() currently implements.
    
    However, that's not how an active inner node's inuse is set. An inner node's
    inuse is solely determined by the ratio between the sums of inuse's and
    active's of its children - ie. they're results of propagating the leaves'
    active and inuse weights upwards. __propagate_weights() incorrectly applies
    the same clamping as for a leaf when an active inner node's weight is
    updated. Consider a hierarchy which looks like the following with saturating
    workloads in AA and BB.
    
         R
       /   \
      A     B
      |     |
     AA     BB
    
    1. For both A and B, active=100, inuse=100, hwa=0.5, hwi=0.5.
    
    2. echo 200 > A/io.weight
    
    3. __propagate_weights() update A's active to 200 and leave inuse at 100 as
       it's already between 1 and the new active, making A:active=200,
       A:inuse=100. As R's active_sum is updated along with A's active,
       A:hwa=2/3, B:hwa=1/3. However, because the inuses didn't change, the
       hwi's remain unchanged at 0.5.
    
    4. The weight of A is now twice that of B but AA and BB still have the same
       hwi of 0.5 and thus are doing the same amount of IOs.
    
    Fix it by making __propgate_weights() always calculate the inuse of an
    active inner iocg based on the ratio of child_inuse_sum to child_active_sum.
    
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Reported-by: Dan Schatzberg <dschatzberg@fb.com>
    Fixes: 7caa47151ab2 ("blkcg: implement blk-iocost")
    Cc: stable@vger.kernel.org # v5.4+
    Link: https://lore.kernel.org/r/YJsxnLZV1MnBcqjj@slm.duckdns.org
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Stable-dep-of: 57e420c84f9a ("blk-iocost: Avoid using clamp() on inuse in __propagate_weights()")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
bpf, sockmap: Fix update element with same [+ + +]
Author: Michal Luczaj <mhal@rbox.co>
Date:   Mon Dec 2 12:29:23 2024 +0100

    bpf, sockmap: Fix update element with same
    
    commit 75e072a390da9a22e7ae4a4e8434dfca5da499fb upstream.
    
    Consider a sockmap entry being updated with the same socket:
    
            osk = stab->sks[idx];
            sock_map_add_link(psock, link, map, &stab->sks[idx]);
            stab->sks[idx] = sk;
            if (osk)
                    sock_map_unref(osk, &stab->sks[idx]);
    
    Due to sock_map_unref(), which invokes sock_map_del_link(), all the
    psock's links for stab->sks[idx] are torn:
    
            list_for_each_entry_safe(link, tmp, &psock->link, list) {
                    if (link->link_raw == link_raw) {
                            ...
                            list_del(&link->list);
                            sk_psock_free_link(link);
                    }
            }
    
    And that includes the new link sock_map_add_link() added just before
    the unref.
    
    This results in a sockmap holding a socket, but without the respective
    link. This in turn means that close(sock) won't trigger the cleanup,
    i.e. a closed socket will not be automatically removed from the sockmap.
    
    Stop tearing the links when a matching link_raw is found.
    
    Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface")
    Signed-off-by: Michal Luczaj <mhal@rbox.co>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Reviewed-by: John Fastabend <john.fastabend@gmail.com>
    Link: https://lore.kernel.org/bpf/20241202-sockmap-replace-v1-1-1e88579e7bd5@rbox.co
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
KVM: arm64: Ignore PMCNTENSET_EL0 while checking for overflow status [+ + +]
Author: Raghavendra Rao Ananta <rananta@google.com>
Date:   Tue Nov 19 16:52:29 2024 -0800

    KVM: arm64: Ignore PMCNTENSET_EL0 while checking for overflow status
    
    commit 54bbee190d42166209185d89070c58a343bf514b upstream.
    
    DDI0487K.a D13.3.1 describes the PMU overflow condition, which evaluates
    to true if any counter's global enable (PMCR_EL0.E), overflow flag
    (PMOVSSET_EL0[n]), and interrupt enable (PMINTENSET_EL1[n]) are all 1.
    Of note, this does not require a counter to be enabled
    (i.e. PMCNTENSET_EL0[n] = 1) to generate an overflow.
    
    Align kvm_pmu_overflow_status() with the reality of the architecture
    and stop using PMCNTENSET_EL0 as part of the overflow condition. The
    bug was discovered while running an SBSA PMU test [*], which only sets
    PMCR.E, PMOVSSET<0>, PMINTENSET<0>, and expects an overflow interrupt.
    
    Cc: stable@vger.kernel.org
    Fixes: 76d883c4e640 ("arm64: KVM: Add access handler for PMOVSSET and PMOVSCLR register")
    Link: https://github.com/ARM-software/sbsa-acs/blob/master/test_pool/pmu/operating_system/test_pmu001.c
    Signed-off-by: Raghavendra Rao Ananta <rananta@google.com>
    [ oliver: massaged changelog ]
    Reviewed-by: Marc Zyngier <maz@kernel.org>
    Link: https://lore.kernel.org/r/20241120005230.2335682-2-oliver.upton@linux.dev
    Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
Linux: Linux 5.4.288 [+ + +]
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Thu Dec 19 18:05:05 2024 +0100

    Linux 5.4.288
    
    Link: https://lore.kernel.org/r/20241217170519.006786596@linuxfoundation.org
    Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
    Tested-by: Shuah Khan <skhan@linuxfoundation.org>
    Tested-by: Mark Brown <broonie@kernel.org>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Tested-by: Jon Hunter <jonathanh@nvidia.com>
    Tested-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
net/sched: netem: account for backlog updates from child qdisc [+ + +]
Author: Martin Ottens <martin.ottens@fau.de>
Date:   Tue Dec 10 14:14:11 2024 +0100

    net/sched: netem: account for backlog updates from child qdisc
    
    [ Upstream commit f8d4bc455047cf3903cd6f85f49978987dbb3027 ]
    
    In general, 'qlen' of any classful qdisc should keep track of the
    number of packets that the qdisc itself and all of its children holds.
    In case of netem, 'qlen' only accounts for the packets in its internal
    tfifo. When netem is used with a child qdisc, the child qdisc can use
    'qdisc_tree_reduce_backlog' to inform its parent, netem, about created
    or dropped SKBs. This function updates 'qlen' and the backlog statistics
    of netem, but netem does not account for changes made by a child qdisc.
    'qlen' then indicates the wrong number of packets in the tfifo.
    If a child qdisc creates new SKBs during enqueue and informs its parent
    about this, netem's 'qlen' value is increased. When netem dequeues the
    newly created SKBs from the child, the 'qlen' in netem is not updated.
    If 'qlen' reaches the configured sch->limit, the enqueue function stops
    working, even though the tfifo is not full.
    
    Reproduce the bug:
    Ensure that the sender machine has GSO enabled. Configure netem as root
    qdisc and tbf as its child on the outgoing interface of the machine
    as follows:
    $ tc qdisc add dev <oif> root handle 1: netem delay 100ms limit 100
    $ tc qdisc add dev <oif> parent 1:0 tbf rate 50Mbit burst 1542 latency 50ms
    
    Send bulk TCP traffic out via this interface, e.g., by running an iPerf3
    client on the machine. Check the qdisc statistics:
    $ tc -s qdisc show dev <oif>
    
    Statistics after 10s of iPerf3 TCP test before the fix (note that
    netem's backlog > limit, netem stopped accepting packets):
    qdisc netem 1: root refcnt 2 limit 1000 delay 100ms
     Sent 2767766 bytes 1848 pkt (dropped 652, overlimits 0 requeues 0)
     backlog 4294528236b 1155p requeues 0
    qdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms
     Sent 2767766 bytes 1848 pkt (dropped 327, overlimits 7601 requeues 0)
     backlog 0b 0p requeues 0
    
    Statistics after the fix:
    qdisc netem 1: root refcnt 2 limit 1000 delay 100ms
     Sent 37766372 bytes 24974 pkt (dropped 9, overlimits 0 requeues 0)
     backlog 0b 0p requeues 0
    qdisc tbf 10: parent 1:1 rate 50Mbit burst 1537b lat 50ms
     Sent 37766372 bytes 24974 pkt (dropped 327, overlimits 96017 requeues 0)
     backlog 0b 0p requeues 0
    
    tbf segments the GSO SKBs (tbf_segment) and updates the netem's 'qlen'.
    The interface fully stops transferring packets and "locks". In this case,
    the child qdisc and tfifo are empty, but 'qlen' indicates the tfifo is at
    its limit and no more packets are accepted.
    
    This patch adds a counter for the entries in the tfifo. Netem's 'qlen' is
    only decreased when a packet is returned by its dequeue function, and not
    during enqueuing into the child qdisc. External updates to 'qlen' are thus
    accounted for and only the behavior of the backlog statistics changes. As
    in other qdiscs, 'qlen' then keeps track of  how many packets are held in
    netem and all of its children. As before, sch->limit remains as the
    maximum number of packets in the tfifo. The same applies to netem's
    backlog statistics.
    
    Fixes: 50612537e9ab ("netem: fix classful handling")
    Signed-off-by: Martin Ottens <martin.ottens@fau.de>
    Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
    Link: https://patch.msgid.link/20241210131412.1837202-1-martin.ottens@fau.de
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
net: lapb: increase LAPB_HEADER_LEN [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Dec 4 14:10:31 2024 +0000

    net: lapb: increase LAPB_HEADER_LEN
    
    [ Upstream commit a6d75ecee2bf828ac6a1b52724aba0a977e4eaf4 ]
    
    It is unclear if net/lapb code is supposed to be ready for 8021q.
    
    We can at least avoid crashes like the following :
    
    skbuff: skb_under_panic: text:ffffffff8aabe1f6 len:24 put:20 head:ffff88802824a400 data:ffff88802824a3fe tail:0x16 end:0x140 dev:nr0.2
    ------------[ cut here ]------------
     kernel BUG at net/core/skbuff.c:206 !
    Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
    CPU: 1 UID: 0 PID: 5508 Comm: dhcpcd Not tainted 6.12.0-rc7-syzkaller-00144-g66418447d27b #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
     RIP: 0010:skb_panic net/core/skbuff.c:206 [inline]
     RIP: 0010:skb_under_panic+0x14b/0x150 net/core/skbuff.c:216
    Code: 0d 8d 48 c7 c6 2e 9e 29 8e 48 8b 54 24 08 8b 0c 24 44 8b 44 24 04 4d 89 e9 50 41 54 41 57 41 56 e8 1a 6f 37 02 48 83 c4 20 90 <0f> 0b 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3
    RSP: 0018:ffffc90002ddf638 EFLAGS: 00010282
    RAX: 0000000000000086 RBX: dffffc0000000000 RCX: 7a24750e538ff600
    RDX: 0000000000000000 RSI: 0000000000000201 RDI: 0000000000000000
    RBP: ffff888034a86650 R08: ffffffff8174b13c R09: 1ffff920005bbe60
    R10: dffffc0000000000 R11: fffff520005bbe61 R12: 0000000000000140
    R13: ffff88802824a400 R14: ffff88802824a3fe R15: 0000000000000016
    FS:  00007f2a5990d740(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 000000110c2631fd CR3: 0000000029504000 CR4: 00000000003526f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
     <TASK>
      skb_push+0xe5/0x100 net/core/skbuff.c:2636
      nr_header+0x36/0x320 net/netrom/nr_dev.c:69
      dev_hard_header include/linux/netdevice.h:3148 [inline]
      vlan_dev_hard_header+0x359/0x480 net/8021q/vlan_dev.c:83
      dev_hard_header include/linux/netdevice.h:3148 [inline]
      lapbeth_data_transmit+0x1f6/0x2a0 drivers/net/wan/lapbether.c:257
      lapb_data_transmit+0x91/0xb0 net/lapb/lapb_iface.c:447
      lapb_transmit_buffer+0x168/0x1f0 net/lapb/lapb_out.c:149
     lapb_establish_data_link+0x84/0xd0
     lapb_device_event+0x4e0/0x670
      notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93
     __dev_notify_flags+0x207/0x400
      dev_change_flags+0xf0/0x1a0 net/core/dev.c:8922
      devinet_ioctl+0xa4e/0x1aa0 net/ipv4/devinet.c:1188
      inet_ioctl+0x3d7/0x4f0 net/ipv4/af_inet.c:1003
      sock_do_ioctl+0x158/0x460 net/socket.c:1227
      sock_ioctl+0x626/0x8e0 net/socket.c:1346
      vfs_ioctl fs/ioctl.c:51 [inline]
      __do_sys_ioctl fs/ioctl.c:907 [inline]
      __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
      do_syscall_x64 arch/x86/entry/common.c:52 [inline]
      do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reported-by: syzbot+fb99d1b0c0f81d94a5e2@syzkaller.appspotmail.com
    Closes: https://lore.kernel.org/netdev/67506220.050a0220.17bd51.006c.GAE@google.com/T/#u
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Link: https://patch.msgid.link/20241204141031.4030267-1-edumazet@google.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
qca_spi: Fix clock speed for multiple QCA7000 [+ + +]
Author: Stefan Wahren <wahrenst@gmx.net>
Date:   Fri Dec 6 19:46:42 2024 +0100

    qca_spi: Fix clock speed for multiple QCA7000
    
    [ Upstream commit 4dba406fac06b009873fe7a28231b9b7e4288b09 ]
    
    Storing the maximum clock speed in module parameter qcaspi_clkspeed
    has the unintended side effect that the first probed instance
    defines the value for all other instances. Fix this issue by storing
    it in max_speed_hz of the relevant SPI device.
    
    This fix keeps the priority of the speed parameter (module parameter,
    device tree property, driver default). Btw this uses the opportunity
    to get the rid of the unused member clkspeed.
    
    Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000")
    Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
    Link: https://patch.msgid.link/20241206184643.123399-2-wahrenst@gmx.net
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

qca_spi: Make driver probing reliable [+ + +]
Author: Stefan Wahren <wahrenst@gmx.net>
Date:   Fri Dec 6 19:46:43 2024 +0100

    qca_spi: Make driver probing reliable
    
    [ Upstream commit becc6399ce3b724cffe9ccb7ef0bff440bb1b62b ]
    
    The module parameter qcaspi_pluggable controls if QCA7000 signature
    should be checked at driver probe (current default) or not. Unfortunately
    this could fail in case the chip is temporary in reset, which isn't under
    total control by the Linux host. So disable this check per default
    in order to avoid unexpected probe failures.
    
    Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000")
    Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
    Link: https://patch.msgid.link/20241206184643.123399-3-wahrenst@gmx.net
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
tipc: fix NULL deref in cleanup_bearer() [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Dec 4 17:05:48 2024 +0000

    tipc: fix NULL deref in cleanup_bearer()
    
    [ Upstream commit b04d86fff66b15c07505d226431f808c15b1703c ]
    
    syzbot found [1] that after blamed commit, ub->ubsock->sk
    was NULL when attempting the atomic_dec() :
    
    atomic_dec(&tipc_net(sock_net(ub->ubsock->sk))->wq_count);
    
    Fix this by caching the tipc_net pointer.
    
    [1]
    
    Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN PTI
    KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
    CPU: 0 UID: 0 PID: 5896 Comm: kworker/0:3 Not tainted 6.13.0-rc1-next-20241203-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
    Workqueue: events cleanup_bearer
     RIP: 0010:read_pnet include/net/net_namespace.h:387 [inline]
     RIP: 0010:sock_net include/net/sock.h:655 [inline]
     RIP: 0010:cleanup_bearer+0x1f7/0x280 net/tipc/udp_media.c:820
    Code: 18 48 89 d8 48 c1 e8 03 42 80 3c 28 00 74 08 48 89 df e8 3c f7 99 f6 48 8b 1b 48 83 c3 30 e8 f0 e4 60 00 48 89 d8 48 c1 e8 03 <42> 80 3c 28 00 74 08 48 89 df e8 1a f7 99 f6 49 83 c7 e8 48 8b 1b
    RSP: 0018:ffffc9000410fb70 EFLAGS: 00010206
    RAX: 0000000000000006 RBX: 0000000000000030 RCX: ffff88802fe45a00
    RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffc9000410f900
    RBP: ffff88807e1f0908 R08: ffffc9000410f907 R09: 1ffff92000821f20
    R10: dffffc0000000000 R11: fffff52000821f21 R12: ffff888031d19980
    R13: dffffc0000000000 R14: dffffc0000000000 R15: ffff88807e1f0918
    FS:  0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000556ca050b000 CR3: 0000000031c0c000 CR4: 00000000003526f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    
    Fixes: 6a2fa13312e5 ("tipc: Fix use-after-free of kernel socket in cleanup_bearer().")
    Reported-by: syzbot+46aa5474f179dacd1a3b@syzkaller.appspotmail.com
    Closes: https://lore.kernel.org/netdev/67508b5f.050a0220.17bd51.0070.GAE@google.com/T/#u
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Link: https://patch.msgid.link/20241204170548.4152658-1-edumazet@google.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
tracing/kprobes: Skip symbol counting logic for module symbols in create_local_trace_kprobe() [+ + +]
Author: Nikolay Kuratov <kniv@yandex-team.ru>
Date:   Mon Dec 16 14:19:23 2024 +0300

    tracing/kprobes: Skip symbol counting logic for module symbols in create_local_trace_kprobe()
    
    commit b022f0c7e404 ("tracing/kprobes: Return EADDRNOTAVAIL when func matches several symbols")
    avoids checking number_of_same_symbols() for module symbol in
    __trace_kprobe_create(), but create_local_trace_kprobe() should avoid this
    check too. Doing this check leads to ENOENT for module_name:symbol_name
    constructions passed over perf_event_open.
    
    No bug in newer kernels as it was fixed more generally by
    commit 9d8616034f16 ("tracing/kprobes: Add symbol counting check when module loads")
    
    Link: https://lore.kernel.org/linux-trace-kernel/20240705161030.b3ddb33a8167013b9b1da202@kernel.org
    Fixes: b022f0c7e404 ("tracing/kprobes: Return EADDRNOTAVAIL when func matches several symbols")
    Signed-off-by: Nikolay Kuratov <kniv@yandex-team.ru>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
usb: dwc2: hcd: Fix GetPortStatus & SetPortFeature [+ + +]
Author: Stefan Wahren <wahrenst@gmx.net>
Date:   Mon Dec 2 01:16:30 2024 +0100

    usb: dwc2: hcd: Fix GetPortStatus & SetPortFeature
    
    commit a8d3e4a734599c7d0f6735f8db8a812e503395dd upstream.
    
    On Rasperry Pis without onboard USB hub the power cycle during
    power connect init only disable the port but never enabled it again:
    
      usb usb1-port1: attempt power cycle
    
    The port relevant part in dwc2_hcd_hub_control() is skipped in case
    port_connect_status = 0 under the assumption the core is or will be soon
    in device mode. But this assumption is wrong, because after ClearPortFeature
    USB_PORT_FEAT_POWER the port_connect_status will also be 0 and
    SetPortFeature (incl. USB_PORT_FEAT_POWER) will be a no-op.
    
    Fix the behavior of dwc2_hcd_hub_control() by replacing the
    port_connect_status check with dwc2_is_device_mode().
    
    Link: https://github.com/raspberrypi/linux/issues/6247
    Fixes: 7359d482eb4d ("staging: HCD files for the DWC2 driver")
    Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
    Link: https://lore.kernel.org/r/20241202001631.75473-3-wahrenst@gmx.net
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

usb: ehci-hcd: fix call balance of clocks handling routines [+ + +]
Author: Vitalii Mordan <mordan@ispras.ru>
Date:   Thu Nov 21 14:47:00 2024 +0300

    usb: ehci-hcd: fix call balance of clocks handling routines
    
    commit 97264eaaba0122a5b7e8ddd7bf4ff3ac57c2b170 upstream.
    
    If the clocks priv->iclk and priv->fclk were not enabled in ehci_hcd_sh_probe,
    they should not be disabled in any path.
    
    Conversely, if they was enabled in ehci_hcd_sh_probe, they must be disabled
    in all error paths to ensure proper cleanup.
    
    Found by Linux Verification Center (linuxtesting.org) with Klever.
    
    Fixes: 63c845522263 ("usb: ehci-hcd: Add support for SuperH EHCI.")
    Cc: stable@vger.kernel.org # ff30bd6a6618: sh: clk: Fix clk_enable() to return 0 on NULL clk
    Signed-off-by: Vitalii Mordan <mordan@ispras.ru>
    Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
    Link: https://lore.kernel.org/r/20241121114700.2100520-1-mordan@ispras.ru
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

usb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer [+ + +]
Author: Lianqin Hu <hulianqin@vivo.com>
Date:   Tue Dec 3 12:14:16 2024 +0000

    usb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer
    
    commit 4cfbca86f6a8b801f3254e0e3c8f2b1d2d64be2b upstream.
    
    Considering that in some extreme cases,
    when u_serial driver is accessed by multiple threads,
    Thread A is executing the open operation and calling the gs_open,
    Thread B is executing the disconnect operation and calling the
    gserial_disconnect function,The port->port_usb pointer will be set to NULL.
    
    E.g.
        Thread A                                 Thread B
        gs_open()                                gadget_unbind_driver()
        gs_start_io()                            composite_disconnect()
        gs_start_rx()                            gserial_disconnect()
        ...                                      ...
        spin_unlock(&port->port_lock)
        status = usb_ep_queue()                  spin_lock(&port->port_lock)
        spin_lock(&port->port_lock)              port->port_usb = NULL
        gs_free_requests(port->port_usb->in)     spin_unlock(&port->port_lock)
        Crash
    
    This causes thread A to access a null pointer (port->port_usb is null)
    when calling the gs_free_requests function, causing a crash.
    
    If port_usb is NULL, the release request will be skipped as it
    will be done by gserial_disconnect.
    
    So add a null pointer check to gs_start_io before attempting
    to access the value of the pointer port->port_usb.
    
    Call trace:
     gs_start_io+0x164/0x25c
     gs_open+0x108/0x13c
     tty_open+0x314/0x638
     chrdev_open+0x1b8/0x258
     do_dentry_open+0x2c4/0x700
     vfs_open+0x2c/0x3c
     path_openat+0xa64/0xc60
     do_filp_open+0xb8/0x164
     do_sys_openat2+0x84/0xf0
     __arm64_sys_openat+0x70/0x9c
     invoke_syscall+0x58/0x114
     el0_svc_common+0x80/0xe0
     do_el0_svc+0x1c/0x28
     el0_svc+0x38/0x68
    
    Fixes: c1dca562be8a ("usb gadget: split out serial core")
    Cc: stable@vger.kernel.org
    Suggested-by: Prashanth K <quic_prashk@quicinc.com>
    Signed-off-by: Lianqin Hu <hulianqin@vivo.com>
    Acked-by: Prashanth K <quic_prashk@quicinc.com>
    Link: https://lore.kernel.org/r/TYUPR06MB62178DC3473F9E1A537DCD02D2362@TYUPR06MB6217.apcprd06.prod.outlook.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

usb: host: max3421-hcd: Correctly abort a USB request. [+ + +]
Author: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
Date:   Mon Nov 25 11:14:30 2024 +1300

    usb: host: max3421-hcd: Correctly abort a USB request.
    
    commit 0d2ada05227881f3d0722ca2364e3f7a860a301f upstream.
    
    If the current USB request was aborted, the spi thread would not respond
    to any further requests. This is because the "curr_urb" pointer would
    not become NULL, so no further requests would be taken off the queue.
    The solution here is to set the "urb_done" flag, as this will cause the
    correct handling of the URB. Also clear interrupts that should only be
    expected if an URB is in progress.
    
    Fixes: 2d53139f3162 ("Add support for using a MAX3421E chip as a host driver.")
    Cc: stable <stable@kernel.org>
    Signed-off-by: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
    Link: https://lore.kernel.org/r/20241124221430.1106080-1-mark.tomlinson@alliedtelesis.co.nz
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 
xen/netfront: fix crash when removing device [+ + +]
Author: Juergen Gross <jgross@suse.com>
Date:   Thu Nov 7 16:17:00 2024 +0100

    xen/netfront: fix crash when removing device
    
    commit f9244fb55f37356f75c739c57323d9422d7aa0f8 upstream.
    
    When removing a netfront device directly after a suspend/resume cycle
    it might happen that the queues have not been setup again, causing a
    crash during the attempt to stop the queues another time.
    
    Fix that by checking the queues are existing before trying to stop
    them.
    
    This is XSA-465 / CVE-2024-53240.
    
    Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
    Fixes: d50b7914fae0 ("xen-netfront: Fix NULL sring after live migration")
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
xfs: don't drop errno values when we fail to ficlone the entire range [+ + +]
Author: Darrick J. Wong <djwong@kernel.org>
Date:   Mon Dec 2 10:57:27 2024 -0800

    xfs: don't drop errno values when we fail to ficlone the entire range
    
    commit 7ce31f20a0771d71779c3b0ec9cdf474cc3c8e9a upstream.
    
    Way back when we first implemented FICLONE for XFS, life was simple --
    either the the entire remapping completed, or something happened and we
    had to return an errno explaining what happened.  Neither of those
    ioctls support returning partial results, so it's all or nothing.
    
    Then things got complicated when copy_file_range came along, because it
    actually can return the number of bytes copied, so commit 3f68c1f562f1e4
    tried to make it so that we could return a partial result if the
    REMAP_FILE_CAN_SHORTEN flag is set.  This is also how FIDEDUPERANGE can
    indicate that the kernel performed a partial deduplication.
    
    Unfortunately, the logic is wrong if an error stops the remapping and
    CAN_SHORTEN is not set.  Because those callers cannot return partial
    results, it is an error for ->remap_file_range to return a positive
    quantity that is less than the @len passed in.  Implementations really
    should be returning a negative errno in this case, because that's what
    btrfs (which introduced FICLONE{,RANGE}) did.
    
    Therefore, ->remap_range implementations cannot silently drop an errno
    that they might have when the number of bytes remapped is less than the
    number of bytes requested and CAN_SHORTEN is not set.
    
    Found by running generic/562 on a 64k fsblock filesystem and wondering
    why it reported corrupt files.
    
    Cc: <stable@vger.kernel.org> # v4.20
    Fixes: 3fc9f5e409319e ("xfs: remove xfs_reflink_remap_range")
    Really-Fixes: 3f68c1f562f1e4 ("xfs: support returning partial reflink results")
    Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
    Reviewed-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>