Changelog in Linux kernel 6.1.117

 
ALSA: firewire-lib: fix return value on fail in amdtp_tscm_init() [+ + +]
Author: Murad Masimov <m.masimov@maxima.ru>
Date:   Fri Nov 1 21:55:13 2024 +0300

    ALSA: firewire-lib: fix return value on fail in amdtp_tscm_init()
    
    [ Upstream commit 8abbf1f01d6a2ef9f911f793e30f7382154b5a3a ]
    
    If amdtp_stream_init() fails in amdtp_tscm_init(), the latter returns zero,
    though it's supposed to return error code, which is checked inside
    init_stream() in file tascam-stream.c.
    
    Found by Linux Verification Center (linuxtesting.org) with SVACE.
    
    Fixes: 47faeea25ef3 ("ALSA: firewire-tascam: add data block processing layer")
    Signed-off-by: Murad Masimov <m.masimov@maxima.ru>
    Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Link: https://patch.msgid.link/20241101185517.1819-1-m.masimov@maxima.ru
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ALSA: hda/realtek: Fix headset mic on TUXEDO Gemini 17 Gen3 [+ + +]
Author: Christoffer Sandberg <cs@tuxedo.de>
Date:   Tue Oct 29 16:16:52 2024 +0100

    ALSA: hda/realtek: Fix headset mic on TUXEDO Gemini 17 Gen3
    
    commit 0b04fbe886b4274c8e5855011233aaa69fec6e75 upstream.
    
    Quirk is needed to enable headset microphone on missing pin 0x19.
    
    Signed-off-by: Christoffer Sandberg <cs@tuxedo.de>
    Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
    Cc: <stable@vger.kernel.org>
    Link: https://patch.msgid.link/20241029151653.80726-1-wse@tuxedocomputers.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ALSA: usb-audio: Add quirk for HP 320 FHD Webcam [+ + +]
Author: Takashi Iwai <tiwai@suse.de>
Date:   Tue Nov 5 13:02:17 2024 +0100

    ALSA: usb-audio: Add quirk for HP 320 FHD Webcam
    
    commit dabc44c28f118910dea96244d903f0c270225669 upstream.
    
    HP 320 FHD Webcam (03f0:654a) seems to have flaky firmware like other
    webcam devices that don't like the frequency inquiries.  Also, Mic
    Capture Volume has an invalid resolution, hence fix it to be 16 (as a
    blind shot).
    
    Link: https://bugzilla.suse.com/show_bug.cgi?id=1232768
    Cc: <stable@vger.kernel.org>
    Link: https://patch.msgid.link/20241105120220.5740-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
arm64: dts: imx8-ss-vpu: Fix imx8qm VPU IRQs [+ + +]
Author: Alexander Stein <alexander.stein@ew.tq-group.com>
Date:   Wed Sep 4 13:41:03 2024 +0200

    arm64: dts: imx8-ss-vpu: Fix imx8qm VPU IRQs
    
    [ Upstream commit eed2d8e8d0051a6551e4dffba99e16eb88c676ac ]
    
    imx8-ss-vpu only contained imx8qxp IRQ numbers, only mu2_m0 uses the
    correct imx8qm IRQ number, as imx8qxp lacks this MU.
    Fix this by providing imx8qm IRQ numbers in the main imx8-ss-vpu.dtsi
    and override the IRQ numbers in SoC-specific imx8qxp-ss-vpu.dtsi, similar
    to reg property for VPU core devices.
    
    Fixes: 0d9968d98467d ("arm64: dts: freescale: imx8q: add imx vpu codec entries")
    Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
    Signed-off-by: Shawn Guo <shawnguo@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

arm64: dts: imx8mp: correct sdhc ipg clk [+ + +]
Author: Peng Fan <peng.fan@nxp.com>
Date:   Sat Oct 12 10:52:21 2024 +0800

    arm64: dts: imx8mp: correct sdhc ipg clk
    
    [ Upstream commit eab6ba2aa3bbaf598a66e31f709bf84b7bb7dc8a ]
    
    The ipg clk for sdhc sources from IPG_CLK_ROOT per i.MX 8M Plus
    Applications Processor Reference Manual, Table 5-2. System Clocks.
    
    Fixes: 6d9b8d20431f ("arm64: dts: freescale: Add i.MX8MP dtsi support")
    Signed-off-by: Peng Fan <peng.fan@nxp.com>
    Reviewed-by: Fabio Estevam <festevam@gmail.com>
    Signed-off-by: Shawn Guo <shawnguo@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

arm64: dts: imx8qm: Fix VPU core alias name [+ + +]
Author: Alexander Stein <alexander.stein@ew.tq-group.com>
Date:   Fri Jul 21 13:10:37 2023 +0200

    arm64: dts: imx8qm: Fix VPU core alias name
    
    [ Upstream commit f6038de293f28503eccbfcfa84d39faf56d09150 ]
    
    Alias names use dashes instead of underscores, fix this. Silences also
    dtbs_check warning:
    imx8qxp-tqma8xqp-mba8xx.dtb: aliases: 'vpu_core0', 'vpu_core1', 'vpu_core2'
     do not match any of the regexes: '^[a-z][a-z0-9\\-]*$', 'pinctrl-[0-9]+'
    from schema $id: http://devicetree.org/schemas/aliases.yaml#
    
    Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
    Signed-off-by: Shawn Guo <shawnguo@kernel.org>
    Stable-dep-of: eed2d8e8d005 ("arm64: dts: imx8-ss-vpu: Fix imx8qm VPU IRQs")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

arm64: dts: imx8qxp: Add VPU subsystem file [+ + +]
Author: Alexander Stein <alexander.stein@ew.tq-group.com>
Date:   Thu Dec 14 14:20:00 2023 +0100

    arm64: dts: imx8qxp: Add VPU subsystem file
    
    [ Upstream commit 6bcd8b2fa2a9826fb6a849a9bfd7bdef145cabb6 ]
    
    imx8qxp re-uses imx8qm VPU subsystem file, but it has different base
    addresses. Also imx8qxp has only two VPU cores, delete vpu_vore2 and
    mu2_m0 accordingly.
    
    Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
    Reviewed-by: Fabio Estevam <festevam@gmail.com>
    Signed-off-by: Shawn Guo <shawnguo@kernel.org>
    Stable-dep-of: eed2d8e8d005 ("arm64: dts: imx8-ss-vpu: Fix imx8qm VPU IRQs")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

arm64: dts: rockchip: Fix bluetooth properties on Rock960 boards [+ + +]
Author: Heiko Stuebner <heiko@sntech.de>
Date:   Tue Oct 8 22:39:30 2024 +0200

    arm64: dts: rockchip: Fix bluetooth properties on Rock960 boards
    
    [ Upstream commit ea74528aaea5a1dfc8e3de09ef2af37530eca526 ]
    
    The expected clock-name is different, and extclk also is deprecated
    in favor of txco for clocks that are not crystals.
    
    So fix it to match the binding.
    
    Fixes: c72235c288c8 ("arm64: dts: rockchip: Add on-board WiFi/BT support for Rock960 boards")
    Cc: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
    Reviewed-by: Dragan Simic <dsimic@manjaro.org>
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Link: https://lore.kernel.org/r/20241008203940.2573684-5-heiko@sntech.de
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

arm64: dts: rockchip: Fix LED triggers on rk3308-roc-cc [+ + +]
Author: Heiko Stuebner <heiko@sntech.de>
Date:   Tue Oct 8 22:39:33 2024 +0200

    arm64: dts: rockchip: Fix LED triggers on rk3308-roc-cc
    
    [ Upstream commit 3a53a7187f41ec3db12cf4c2cb0db4ba87c2f3a1 ]
    
    There are two LEDs on the board, power and user events.
    Currently both are assigned undocumented IR(-remote)
    triggers that are probably only part of the vendor-kernel.
    
    To make dtbs check happier, assign the power-led to a generic
    default-on trigger and the user led to the documented rc-feedback
    trigger that should mostly match its current usage.
    
    Fixes: 4403e1237be3 ("arm64: dts: rockchip: Add devicetree for board roc-rk3308-cc")
    Cc: Andy Yan <andy.yan@rock-chips.com>
    Reviewed-by: Dragan Simic <dsimic@manjaro.org>
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Link: https://lore.kernel.org/r/20241008203940.2573684-8-heiko@sntech.de
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

arm64: dts: rockchip: Fix rt5651 compatible value on rk3399-eaidk-610 [+ + +]
Author: Geert Uytterhoeven <geert+renesas@glider.be>
Date:   Thu Sep 26 15:48:40 2024 +0200

    arm64: dts: rockchip: Fix rt5651 compatible value on rk3399-eaidk-610
    
    [ Upstream commit 2f39bba3b4f037d6c3c9174eed5befcef1c79abb ]
    
    There are no DT bindings and driver support for a "rockchip,rt5651"
    codec.  Replace "rockchip,rt5651" by "realtek,rt5651", which matches the
    "simple-audio-card,name" property in the "rt5651-sound" node.
    
    Fixes: 904f983256fdd24b ("arm64: dts: rockchip: Add dts for a rk3399 based board EAIDK-610")
    Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Link: https://lore.kernel.org/r/a9877b8b1bd0de279d2ec8294d5be14587203a82.1727358193.git.geert+renesas@glider.be
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
arm64: dts: rockchip: Fix rt5651 compatible value on rk3399-sapphire-excavator [+ + +]
Author: Geert Uytterhoeven <geert+renesas@glider.be>
Date:   Thu Sep 26 15:48:41 2024 +0200

    arm64: dts: rockchip: Fix rt5651 compatible value on rk3399-sapphire-excavator
    
    [ Upstream commit 577b5761679da90e691acc939ebbe7879fff5f31 ]
    
    There are no DT bindings and driver support for a "rockchip,rt5651"
    codec.  Replace "rockchip,rt5651" by "realtek,rt5651", which matches the
    "simple-audio-card,name" property in the "rt5651-sound" node.
    
    Fixes: 0a3c78e251b3a266 ("arm64: dts: rockchip: Add support for rk3399 excavator main board")
    Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Link: https://lore.kernel.org/r/abc6c89811b3911785601d6d590483eacb145102.1727358193.git.geert+renesas@glider.be
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

arm64: dts: rockchip: Fix wakeup prop names on PineNote BT node [+ + +]
Author: Diederik de Haas <didi.debian@cknow.org>
Date:   Tue Oct 8 13:15:38 2024 +0200

    arm64: dts: rockchip: Fix wakeup prop names on PineNote BT node
    
    [ Upstream commit 87299d6ee95a37d2d576dd8077ea6860f77ad8e2 ]
    
    The "brcm,bluetooth.yaml" binding has 'device-wakeup-gpios' and
    'host-wakeup-gpios' property names, not '*-wake-gpios'.
    Fix the incorrect property names.
    
    Note that the "realtek,bluetooth.yaml" binding does use the
    '*-wake-gpios' property names.
    
    Fixes: d449121e5e8a ("arm64: dts: rockchip: Add Pine64 PineNote board")
    Signed-off-by: Diederik de Haas <didi.debian@cknow.org>
    Link: https://lore.kernel.org/r/20241008113344.23957-4-didi.debian@cknow.org
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

arm64: dts: rockchip: Remove #cooling-cells from fan on Theobroma lion [+ + +]
Author: Heiko Stuebner <heiko@sntech.de>
Date:   Tue Oct 8 22:39:32 2024 +0200

    arm64: dts: rockchip: Remove #cooling-cells from fan on Theobroma lion
    
    [ Upstream commit 5ed96580568c4f79a0aff11a67f10b3e9229ba86 ]
    
    All Theobroma boards use a ti,amc6821 as fan controller.
    It normally runs in an automatically controlled way and while it may be
    possible to use it as part of a dt-based thermal management, this is
    not yet specified in the binding, nor implemented in any kernel.
    
    Newer boards already don't contain that #cooling-cells property, but
    older ones do. So remove them for now, they can be re-added if thermal
    integration gets implemented in the future.
    
    There are two further occurences in v6.12-rc in px30-ringneck and
    rk3399-puma, but those already get removed by the i2c-mux conversion
    scheduled for 6.13 . As the undocumented property is in the kernel so
    long, I opted for not causing extra merge conflicts between 6.12 and 6.13
    
    Fixes: d99a02bcfa81 ("arm64: dts: rockchip: add RK3368-uQ7 (Lion) SoM")
    Cc: Quentin Schulz <quentin.schulz@theobroma-systems.com>
    Cc: Klaus Goger <klaus.goger@theobroma-systems.com>
    Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
    Reviewed-by: Dragan Simic <dsimic@manjaro.org>
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Link: https://lore.kernel.org/r/20241008203940.2573684-7-heiko@sntech.de
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

arm64: dts: rockchip: Remove hdmi's 2nd interrupt on rk3328 [+ + +]
Author: Diederik de Haas <didi.debian@cknow.org>
Date:   Tue Oct 8 13:15:37 2024 +0200

    arm64: dts: rockchip: Remove hdmi's 2nd interrupt on rk3328
    
    [ Upstream commit de50a7e3681771c6b990238af82bf1dea9b11b21 ]
    
    The "synopsys,dw-hdmi.yaml" binding specifies that the interrupts
    property of the hdmi node has 'maxItems: 1', so the hdmi node in
    rk3328.dtsi having 2 is incorrect.
    
    Paragraph 1.3 ("System Interrupt connection") of the RK3328 TRM v1.1
    page 16 and 17 define the following hdmi related interrupts:
    -  67 hdmi_intr
    - 103 hdmi_intr_wakeup
    
    The difference of 32 is due to a different base used in the TRM.
    
    The RK3399 (which uses the same binding) has '23: hdmi_irq' and
    '24: hdmi_wakeup_irq' according to its TRM (page 19).
    The RK3568 (also same binding) has '76: hdmi_wakeup' and '77: hdmi'
    according to page 17 of its TRM.
    In both cases the non-wakeup IRQ was used, so use that too for rk3328.
    
    Helped-by: Heiko Stuebner <heiko@sntech.de>
    Fixes: 725e351c265a ("arm64: dts: rockchip: add rk3328 display nodes")
    Signed-off-by: Diederik de Haas <didi.debian@cknow.org>
    Link: https://lore.kernel.org/r/20241008113344.23957-3-didi.debian@cknow.org
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

arm64: Kconfig: Make SME depend on BROKEN for now [+ + +]
Author: Mark Rutland <mark.rutland@arm.com>
Date:   Wed Nov 6 16:42:20 2024 +0000

    arm64: Kconfig: Make SME depend on BROKEN for now
    
    commit 81235ae0c846e1fb46a2c6fe9283fe2b2b24f7dc upstream.
    
    Although support for SME was merged in v5.19, we've since uncovered a
    number of issues with the implementation, including issues which might
    corrupt the FPSIMD/SVE/SME state of arbitrary tasks. While there are
    patches to address some of these issues, ongoing review has highlighted
    additional functional problems, and more time is necessary to analyse
    and fix these.
    
    For now, mark SME as BROKEN in the hope that we can fix things properly
    in the near future. As SME is an OPTIONAL part of ARMv9.2+, and there is
    very little extant hardware, this should not adversely affect the vast
    majority of users.
    
    Signed-off-by: Mark Rutland <mark.rutland@arm.com>
    Cc: Ard Biesheuvel <ardb@kernel.org>
    Cc: Catalin Marinas <catalin.marinas@arm.com>
    Cc: Marc Zyngier <maz@kernel.org>
    Cc: Mark Brown <broonie@kernel.org>
    Cc: Will Deacon <will@kernel.org>
    Cc: stable@vger.kernel.org # 5.19
    Acked-by: Catalin Marinas <catalin.marinas@arm.com>
    Link: https://lore.kernel.org/r/20241106164220.2789279-1-mark.rutland@arm.com
    Signed-off-by: Will Deacon <will@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ARM: dts: rockchip: drop grf reference from rk3036 hdmi [+ + +]
Author: Heiko Stuebner <heiko@sntech.de>
Date:   Tue Oct 8 22:39:38 2024 +0200

    ARM: dts: rockchip: drop grf reference from rk3036 hdmi
    
    [ Upstream commit 1580ccb6ed9dc76b8ff3e2d8912e8215c8b0fa6d ]
    
    Neither the binding nor the driver implementation specify/use the grf
    reference provided in the rk3036. And neither does the newer rk3128
    user of the hdmi controller. So drop the rockchip,grf property.
    
    Fixes: b7217cf19c63 ("ARM: dts: rockchip: add hdmi device node for rk3036")
    Cc: Caesar Wang <wxt@rock-chips.com>
    Reviewed-by: Dragan Simic <dsimic@manjaro.org>
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Link: https://lore.kernel.org/r/20241008203940.2573684-13-heiko@sntech.de
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ARM: dts: rockchip: fix rk3036 acodec node [+ + +]
Author: Heiko Stuebner <heiko@sntech.de>
Date:   Tue Oct 8 22:39:37 2024 +0200

    ARM: dts: rockchip: fix rk3036 acodec node
    
    [ Upstream commit c7206853cd7d31c52575fb1dc7616b4398f3bc8f ]
    
    The acodec node is not conformant to the binding.
    
    Set the correct nodename, use the correct compatible, add the needed
    #sound-dai-cells and sort the rockchip,grf below clocks properties
    as expected.
    
    Fixes: faea098e1808 ("ARM: dts: rockchip: add core rk3036 dtsi")
    Reviewed-by: Dragan Simic <dsimic@manjaro.org>
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Link: https://lore.kernel.org/r/20241008203940.2573684-12-heiko@sntech.de
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ARM: dts: rockchip: Fix the realtek audio codec on rk3036-kylin [+ + +]
Author: Heiko Stuebner <heiko@sntech.de>
Date:   Tue Oct 8 22:39:40 2024 +0200

    ARM: dts: rockchip: Fix the realtek audio codec on rk3036-kylin
    
    [ Upstream commit 77a9a7f2d3b94d29d13d71b851114d593a2147cf ]
    
    Both the node name as well as the compatible were not named
    according to the binding expectations, fix that.
    
    Fixes: 47bf3a5c9e2a ("ARM: dts: rockchip: add the sound setup for rk3036-kylin board")
    Cc: Caesar Wang <wxt@rock-chips.com>
    Reviewed-by: Dragan Simic <dsimic@manjaro.org>
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Link: https://lore.kernel.org/r/20241008203940.2573684-15-heiko@sntech.de
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ARM: dts: rockchip: Fix the spi controller on rk3036 [+ + +]
Author: Heiko Stuebner <heiko@sntech.de>
Date:   Tue Oct 8 22:39:39 2024 +0200

    ARM: dts: rockchip: Fix the spi controller on rk3036
    
    [ Upstream commit 8bade1ad1f0821aef31f6a8fb1027ae292566d85 ]
    
    Compatible and clock names did not match the existing binding.
    So set the correct values and re-order+rename the clocks.
    
    It looks like no rk3036 board did use the spi controller so far,
    so this was never detected on a running device yet.
    
    Fixes: f629fcfab2cd ("ARM: dts: rockchip: support the spi for rk3036")
    Cc: Caesar Wang <wxt@rock-chips.com>
    Reviewed-by: Dragan Simic <dsimic@manjaro.org>
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Link: https://lore.kernel.org/r/20241008203940.2573684-14-heiko@sntech.de
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ASoC: amd: yc: fix internal mic on Xiaomi Book Pro 14 2022 [+ + +]
Author: Mingcong Bai <jeffbai@aosc.io>
Date:   Wed Nov 6 10:40:50 2024 +0800

    ASoC: amd: yc: fix internal mic on Xiaomi Book Pro 14 2022
    
    commit de156f3cf70e17dc6ff4c3c364bb97a6db961ffd upstream.
    
    Xiaomi Book Pro 14 2022 (MIA2210-AD) requires a quirk entry for its
    internal microphone to be enabled.
    
    This is likely due to similar reasons as seen previously on Redmi Book
    14/15 Pro 2022 models (since they likely came with similar firmware):
    
    - commit dcff8b7ca92d ("ASoC: amd: yc: Add Xiaomi Redmi Book Pro 15 2022
      into DMI table")
    - commit c1dd6bf61997 ("ASoC: amd: yc: Add Xiaomi Redmi Book Pro 14 2022
      into DMI table")
    
    A quirk would likely be needed for Xiaomi Book Pro 15 2022 models, too.
    However, I do not have such device on hand so I will leave it for now.
    
    Signed-off-by: Mingcong Bai <jeffbai@aosc.io>
    Link: https://patch.msgid.link/20241106024052.15748-1-jeffbai@aosc.io
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: WangYuli <wangyuli@uniontech.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ASoC: stm32: spdifrx: fix dma channel release in stm32_spdifrx_remove [+ + +]
Author: Amelie Delaunay <amelie.delaunay@foss.st.com>
Date:   Tue Nov 5 15:02:42 2024 +0100

    ASoC: stm32: spdifrx: fix dma channel release in stm32_spdifrx_remove
    
    [ Upstream commit 9bb4af400c386374ab1047df44c508512c08c31f ]
    
    In case of error when requesting ctrl_chan DMA channel, ctrl_chan is not
    null. So the release of the dma channel leads to the following issue:
    [    4.879000] st,stm32-spdifrx 500d0000.audio-controller:
    dma_request_slave_channel error -19
    [    4.888975] Unable to handle kernel NULL pointer dereference
    at virtual address 000000000000003d
    [...]
    [    5.096577] Call trace:
    [    5.099099]  dma_release_channel+0x24/0x100
    [    5.103235]  stm32_spdifrx_remove+0x24/0x60 [snd_soc_stm32_spdifrx]
    [    5.109494]  stm32_spdifrx_probe+0x320/0x4c4 [snd_soc_stm32_spdifrx]
    
    To avoid this issue, release channel only if the pointer is valid.
    
    Fixes: 794df9448edb ("ASoC: stm32: spdifrx: manage rebind issue")
    Signed-off-by: Amelie Delaunay <amelie.delaunay@foss.st.com>
    Signed-off-by: Olivier Moysan <olivier.moysan@foss.st.com>
    Link: https://patch.msgid.link/20241105140242.527279-1-olivier.moysan@foss.st.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq [+ + +]
Author: Michal Schmidt <mschmidt@redhat.com>
Date:   Tue May 7 12:39:28 2024 +0200

    bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq
    
    commit 78cfd17142ef70599d6409cbd709d94b3da58659 upstream.
    
    Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is called
    with hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.
    In that case, "roundup_pow_of_two(hwq_attr->aux_stride)" gets called.
    roundup_pow_of_two is documented as undefined for 0.
    
    Fix it in the one caller that had this combination.
    
    The undefined behavior was detected by UBSAN:
      UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13
      shift exponent 64 is too large for 64-bit type 'long unsigned int'
      CPU: 24 PID: 1075 Comm: (udev-worker) Not tainted 6.9.0-rc6+ #4
      Hardware name: Abacus electric, s.r.o. - servis@abacus.cz Super Server/H12SSW-iN, BIOS 2.7 10/25/2023
      Call Trace:
       <TASK>
       dump_stack_lvl+0x5d/0x80
       ubsan_epilogue+0x5/0x30
       __ubsan_handle_shift_out_of_bounds.cold+0x61/0xec
       __roundup_pow_of_two+0x25/0x35 [bnxt_re]
       bnxt_qplib_alloc_init_hwq+0xa1/0x470 [bnxt_re]
       bnxt_qplib_create_qp+0x19e/0x840 [bnxt_re]
       bnxt_re_create_qp+0x9b1/0xcd0 [bnxt_re]
       ? srso_alias_return_thunk+0x5/0xfbef5
       ? srso_alias_return_thunk+0x5/0xfbef5
       ? __kmalloc+0x1b6/0x4f0
       ? create_qp.part.0+0x128/0x1c0 [ib_core]
       ? __pfx_bnxt_re_create_qp+0x10/0x10 [bnxt_re]
       create_qp.part.0+0x128/0x1c0 [ib_core]
       ib_create_qp_kernel+0x50/0xd0 [ib_core]
       create_mad_qp+0x8e/0xe0 [ib_core]
       ? __pfx_qp_event_handler+0x10/0x10 [ib_core]
       ib_mad_init_device+0x2be/0x680 [ib_core]
       add_client_context+0x10d/0x1a0 [ib_core]
       enable_device_and_get+0xe0/0x1d0 [ib_core]
       ib_register_device+0x53c/0x630 [ib_core]
       ? srso_alias_return_thunk+0x5/0xfbef5
       bnxt_re_probe+0xbd8/0xe50 [bnxt_re]
       ? __pfx_bnxt_re_probe+0x10/0x10 [bnxt_re]
       auxiliary_bus_probe+0x49/0x80
       ? driver_sysfs_add+0x57/0xc0
       really_probe+0xde/0x340
       ? pm_runtime_barrier+0x54/0x90
       ? __pfx___driver_attach+0x10/0x10
       __driver_probe_device+0x78/0x110
       driver_probe_device+0x1f/0xa0
       __driver_attach+0xba/0x1c0
       bus_for_each_dev+0x8f/0xe0
       bus_add_driver+0x146/0x220
       driver_register+0x72/0xd0
       __auxiliary_driver_register+0x6e/0xd0
       ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
       bnxt_re_mod_init+0x3e/0xff0 [bnxt_re]
       ? __pfx_bnxt_re_mod_init+0x10/0x10 [bnxt_re]
       do_one_initcall+0x5b/0x310
       do_init_module+0x90/0x250
       init_module_from_file+0x86/0xc0
       idempotent_init_module+0x121/0x2b0
       __x64_sys_finit_module+0x5e/0xb0
       do_syscall_64+0x82/0x160
       ? srso_alias_return_thunk+0x5/0xfbef5
       ? syscall_exit_to_user_mode_prepare+0x149/0x170
       ? srso_alias_return_thunk+0x5/0xfbef5
       ? syscall_exit_to_user_mode+0x75/0x230
       ? srso_alias_return_thunk+0x5/0xfbef5
       ? do_syscall_64+0x8e/0x160
       ? srso_alias_return_thunk+0x5/0xfbef5
       ? __count_memcg_events+0x69/0x100
       ? srso_alias_return_thunk+0x5/0xfbef5
       ? count_memcg_events.constprop.0+0x1a/0x30
       ? srso_alias_return_thunk+0x5/0xfbef5
       ? handle_mm_fault+0x1f0/0x300
       ? srso_alias_return_thunk+0x5/0xfbef5
       ? do_user_addr_fault+0x34e/0x640
       ? srso_alias_return_thunk+0x5/0xfbef5
       ? srso_alias_return_thunk+0x5/0xfbef5
       entry_SYSCALL_64_after_hwframe+0x76/0x7e
      RIP: 0033:0x7f4e5132821d
      Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d e3 db 0c 00 f7 d8 64 89 01 48
      RSP: 002b:00007ffca9c906a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
      RAX: ffffffffffffffda RBX: 0000563ec8a8f130 RCX: 00007f4e5132821d
      RDX: 0000000000000000 RSI: 00007f4e518fa07d RDI: 000000000000003b
      RBP: 00007ffca9c90760 R08: 00007f4e513f6b20 R09: 00007ffca9c906f0
      R10: 0000563ec8a8faa0 R11: 0000000000000246 R12: 00007f4e518fa07d
      R13: 0000000000020000 R14: 0000563ec8409e90 R15: 0000563ec8a8fa60
       </TASK>
      ---[ end trace ]---
    
    Fixes: 0c4dcd602817 ("RDMA/bnxt_re: Refactor hardware queue memory allocation")
    Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
    Link: https://lore.kernel.org/r/20240507103929.30003-1-mschmidt@redhat.com
    Acked-by: Selvin Xavier <selvin.xavier@broadcom.com>
    Signed-off-by: Leon Romanovsky <leon@kernel.org>
    Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
btrfs: reinitialize delayed ref list after deleting it from the list [+ + +]
Author: Filipe Manana <fdmanana@suse.com>
Date:   Mon Nov 4 12:11:15 2024 +0000

    btrfs: reinitialize delayed ref list after deleting it from the list
    
    commit c9a75ec45f1111ef530ab186c2a7684d0a0c9245 upstream.
    
    At insert_delayed_ref() if we need to update the action of an existing
    ref to BTRFS_DROP_DELAYED_REF, we delete the ref from its ref head's
    ref_add_list using list_del(), which leaves the ref's add_list member
    not reinitialized, as list_del() sets the next and prev members of the
    list to LIST_POISON1 and LIST_POISON2, respectively.
    
    If later we end up calling drop_delayed_ref() against the ref, which can
    happen during merging or when destroying delayed refs due to a transaction
    abort, we can trigger a crash since at drop_delayed_ref() we call
    list_empty() against the ref's add_list, which returns false since
    the list was not reinitialized after the list_del() and as a consequence
    we call list_del() again at drop_delayed_ref(). This results in an
    invalid list access since the next and prev members are set to poison
    pointers, resulting in a splat if CONFIG_LIST_HARDENED and
    CONFIG_DEBUG_LIST are set or invalid poison pointer dereferences
    otherwise.
    
    So fix this by deleting from the list with list_del_init() instead.
    
    Fixes: 1d57ee941692 ("btrfs: improve delayed refs iterations")
    CC: stable@vger.kernel.org # 4.19+
    Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
    Signed-off-by: Filipe Manana <fdmanana@suse.com>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
can: c_can: fix {rx,tx}_errors statistics [+ + +]
Author: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Date:   Mon Oct 14 15:53:13 2024 +0200

    can: c_can: fix {rx,tx}_errors statistics
    
    [ Upstream commit 4d6d26537940f3b3e17138987ed9e4a334780bf7 ]
    
    The c_can_handle_bus_err() function was incorrectly incrementing only the
    receive error counter, even in cases of bit or acknowledgment errors that
    occur during transmission. The patch fixes the issue by incrementing the
    appropriate counter based on the type of error.
    
    Fixes: 881ff67ad450 ("can: c_can: Added support for Bosch C_CAN controller")
    Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
    Link: https://patch.msgid.link/20241014135319.2009782-1-dario.binacchi@amarulasolutions.com
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

can: mcp251xfd: mcp251xfd_get_tef_len(): fix length calculation [+ + +]
Author: Marc Kleine-Budde <mkl@pengutronix.de>
Date:   Tue Oct 1 16:56:22 2024 +0200

    can: mcp251xfd: mcp251xfd_get_tef_len(): fix length calculation
    
    commit 3c1c18551e6ac1b988d0a05c5650e3f6c95a1b8a upstream.
    
    Commit b8e0ddd36ce9 ("can: mcp251xfd: tef: prepare to workaround
    broken TEF FIFO tail index erratum") introduced
    mcp251xfd_get_tef_len() to get the number of unhandled transmit events
    from the Transmit Event FIFO (TEF).
    
    As the TEF has no head pointer, the driver uses the TX FIFO's tail
    pointer instead, assuming that send frames are completed. However the
    check for the TEF being full was not correct. This leads to the driver
    stop working if the TEF is full.
    
    Fix the TEF full check by assuming that if, from the driver's point of
    view, there are no free TX buffers in the chip and the TX FIFO is
    empty, all messages must have been sent and the TEF must therefore be
    full.
    
    Reported-by: Sven Schuchmann <schuchmann@schleissheimer.de>
    Closes: https://patch.msgid.link/FR3P281MB155216711EFF900AD9791B7ED9692@FR3P281MB1552.DEUP281.PROD.OUTLOOK.COM
    Fixes: b8e0ddd36ce9 ("can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index erratum")
    Tested-by: Sven Schuchmann <schuchmann@schleissheimer.de>
    Cc: stable@vger.kernel.org
    Link: https://patch.msgid.link/20241104-mcp251xfd-fix-length-calculation-v3-1-608b6e7e2197@pengutronix.de
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

can: mcp251xfd: mcp251xfd_ring_alloc(): fix coalescing configuration when switching CAN modes [+ + +]
Author: Marc Kleine-Budde <mkl@pengutronix.de>
Date:   Fri Oct 25 14:34:40 2024 +0200

    can: mcp251xfd: mcp251xfd_ring_alloc(): fix coalescing configuration when switching CAN modes
    
    commit eb9a839b3d8a989be5970035a5cf29bcd6ffd24d upstream.
    
    Since commit 50ea5449c563 ("can: mcp251xfd: fix ring configuration
    when switching from CAN-CC to CAN-FD mode"), the current ring and
    coalescing configuration is passed to can_ram_get_layout(). That fixed
    the issue when switching between CAN-CC and CAN-FD mode with
    configured ring (rx, tx) and/or coalescing parameters (rx-frames-irq,
    tx-frames-irq).
    
    However 50ea5449c563 ("can: mcp251xfd: fix ring configuration when
    switching from CAN-CC to CAN-FD mode"), introduced a regression when
    switching CAN modes with disabled coalescing configuration: Even if
    the previous CAN mode has no coalescing configured, the new mode is
    configured with active coalescing. This leads to delayed receiving of
    CAN-FD frames.
    
    This comes from the fact, that ethtool uses usecs = 0 and max_frames =
    1 to disable coalescing, however the driver uses internally
    priv->{rx,tx}_obj_num_coalesce_irq = 0 to indicate disabled
    coalescing.
    
    Fix the regression by assigning struct ethtool_coalesce
    ec->{rx,tx}_max_coalesced_frames_irq = 1 if coalescing is disabled in
    the driver as can_ram_get_layout() expects this.
    
    Reported-by: https://github.com/vdh-robothania
    Closes: https://github.com/raspberrypi/linux/issues/6407
    Fixes: 50ea5449c563 ("can: mcp251xfd: fix ring configuration when switching from CAN-CC to CAN-FD mode")
    Cc: stable@vger.kernel.org
    Reviewed-by: Simon Horman <horms@kernel.org>
    Link: https://patch.msgid.link/20241025-mcp251xfd-fix-coalesing-v1-1-9d11416de1df@pengutronix.de
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
dm cache: correct the number of origin blocks to match the target length [+ + +]
Author: Ming-Hung Tsai <mtsai@redhat.com>
Date:   Tue Oct 22 15:12:22 2024 +0800

    dm cache: correct the number of origin blocks to match the target length
    
    commit 235d2e739fcbe964c9ce179b4c991025662dcdb6 upstream.
    
    When creating a cache device, the actual size of the cache origin might
    be greater than the specified cache target length. In such case, the
    number of origin blocks should match the cache target length, not the
    full size of the origin device, since access beyond the cache target is
    not possible. This issue occurs when reducing the origin device size
    using lvm, as lvreduce preloads the new cache table before resuming the
    cache origin, which can result in incorrect sizes for the discard bitset
    and smq hotspot blocks.
    
    Reproduce steps:
    
    1. create a cache device consists of 4096 origin blocks
    
    dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
    dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
    dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
    dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
    dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \
    /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
    
    2. reduce the cache origin to 2048 oblocks, in lvreduce's approach
    
    dmsetup reload corig --table "0 262144 linear /dev/sdc 262144"
    dmsetup reload cache --table "0 262144 cache /dev/mapper/cmeta \
    /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
    dmsetup suspend cache
    dmsetup suspend corig
    dmsetup suspend cdata
    dmsetup suspend cmeta
    dmsetup resume corig
    dmsetup resume cdata
    dmsetup resume cmeta
    dmsetup resume cache
    
    3. shutdown the cache, and check the number of discard blocks in
       superblock. The value is expected to be 2048, but actually is 4096.
    
    dmsetup remove cache corig cdata cmeta
    dd if=/dev/sdc bs=1c count=8 skip=224 2>/dev/null | hexdump -e '1/8 "%u\n"'
    
    Fix by correcting the origin_blocks initialization in cache_create and
    removing the unused origin_sectors from struct cache_args accordingly.
    
    Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
    Fixes: c6b4fcbad044 ("dm: add cache target")
    Cc: stable@vger.kernel.org
    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Acked-by: Joe Thornber <thornber@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

dm cache: fix flushing uninitialized delayed_work on cache_ctr error [+ + +]
Author: Ming-Hung Tsai <mtsai@redhat.com>
Date:   Tue Oct 22 15:12:49 2024 +0800

    dm cache: fix flushing uninitialized delayed_work on cache_ctr error
    
    commit 135496c208ba26fd68cdef10b64ed7a91ac9a7ff upstream.
    
    An unexpected WARN_ON from flush_work() may occur when cache creation
    fails, caused by destroying the uninitialized delayed_work waker in the
    error path of cache_create(). For example, the warning appears on the
    superblock checksum error.
    
    Reproduce steps:
    
    dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
    dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
    dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
    dd if=/dev/urandom of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
    dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \
    /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
    
    Kernel logs:
    
    (snip)
    WARNING: CPU: 0 PID: 84 at kernel/workqueue.c:4178 __flush_work+0x5d4/0x890
    
    Fix by pulling out the cancel_delayed_work_sync() from the constructor's
    error path. This patch doesn't affect the use-after-free fix for
    concurrent dm_resume and dm_destroy (commit 6a459d8edbdb ("dm cache: Fix
    UAF in destroy()")) as cache_dtr is not changed.
    
    Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
    Fixes: 6a459d8edbdb ("dm cache: Fix UAF in destroy()")
    Cc: stable@vger.kernel.org
    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Acked-by: Joe Thornber <thornber@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

dm cache: fix out-of-bounds access to the dirty bitset when resizing [+ + +]
Author: Ming-Hung Tsai <mtsai@redhat.com>
Date:   Tue Oct 22 15:13:16 2024 +0800

    dm cache: fix out-of-bounds access to the dirty bitset when resizing
    
    commit 792227719725497ce10a8039803bec13f89f8910 upstream.
    
    dm-cache checks the dirty bits of the cache blocks to be dropped when
    shrinking the fast device, but an index bug in bitset iteration causes
    out-of-bounds access.
    
    Reproduce steps:
    
    1. create a cache device of 1024 cache blocks (128 bytes dirty bitset)
    
    dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
    dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
    dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
    dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
    dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \
    /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
    
    2. shrink the fast device to 512 cache blocks, triggering out-of-bounds
       access to the dirty bitset (offset 0x80)
    
    dmsetup suspend cache
    dmsetup reload cdata --table "0 65536 linear /dev/sdc 8192"
    dmsetup resume cdata
    dmsetup resume cache
    
    KASAN reports:
    
      BUG: KASAN: vmalloc-out-of-bounds in cache_preresume+0x269/0x7b0
      Read of size 8 at addr ffffc900000f3080 by task dmsetup/131
    
      (...snip...)
      The buggy address belongs to the virtual mapping at
       [ffffc900000f3000, ffffc900000f5000) created by:
       cache_ctr+0x176a/0x35f0
    
      (...snip...)
      Memory state around the buggy address:
       ffffc900000f2f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
       ffffc900000f3000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      >ffffc900000f3080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                         ^
       ffffc900000f3100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
       ffffc900000f3180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
    
    Fix by making the index post-incremented.
    
    Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
    Fixes: f494a9c6b1b6 ("dm cache: cache shrinking support")
    Cc: stable@vger.kernel.org
    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Acked-by: Joe Thornber <thornber@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

dm cache: fix potential out-of-bounds access on the first resume [+ + +]
Author: Ming-Hung Tsai <mtsai@redhat.com>
Date:   Tue Oct 22 15:13:54 2024 +0800

    dm cache: fix potential out-of-bounds access on the first resume
    
    commit c0ade5d98979585d4f5a93e4514c2e9a65afa08d upstream.
    
    Out-of-bounds access occurs if the fast device is expanded unexpectedly
    before the first-time resume of the cache table. This happens because
    expanding the fast device requires reloading the cache table for
    cache_create to allocate new in-core data structures that fit the new
    size, and the check in cache_preresume is not performed during the
    first resume, leading to the issue.
    
    Reproduce steps:
    
    1. prepare component devices:
    
    dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
    dmsetup create cdata --table "0 65536 linear /dev/sdc 8192"
    dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
    dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
    
    2. load a cache table of 512 cache blocks, and deliberately expand the
       fast device before resuming the cache, making the in-core data
       structures inadequate.
    
    dmsetup create cache --notable
    dmsetup reload cache --table "0 524288 cache /dev/mapper/cmeta \
    /dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"
    dmsetup reload cdata --table "0 131072 linear /dev/sdc 8192"
    dmsetup resume cdata
    dmsetup resume cache
    
    3. suspend the cache to write out the in-core dirty bitset and hint
       array, leading to out-of-bounds access to the dirty bitset at offset
       0x40:
    
    dmsetup suspend cache
    
    KASAN reports:
    
      BUG: KASAN: vmalloc-out-of-bounds in is_dirty_callback+0x2b/0x80
      Read of size 8 at addr ffffc90000085040 by task dmsetup/90
    
      (...snip...)
      The buggy address belongs to the virtual mapping at
       [ffffc90000085000, ffffc90000087000) created by:
       cache_ctr+0x176a/0x35f0
    
      (...snip...)
      Memory state around the buggy address:
       ffffc90000084f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
       ffffc90000084f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
      >ffffc90000085000: 00 00 00 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8
                                                 ^
       ffffc90000085080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
       ffffc90000085100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
    
    Fix by checking the size change on the first resume.
    
    Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
    Fixes: f494a9c6b1b6 ("dm cache: cache shrinking support")
    Cc: stable@vger.kernel.org
    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Acked-by: Joe Thornber <thornber@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

dm cache: optimize dirty bit checking with find_next_bit when resizing [+ + +]
Author: Ming-Hung Tsai <mtsai@redhat.com>
Date:   Tue Oct 22 15:13:39 2024 +0800

    dm cache: optimize dirty bit checking with find_next_bit when resizing
    
    commit f484697e619a83ecc370443a34746379ad99d204 upstream.
    
    When shrinking the fast device, dm-cache iteratively searches for a
    dirty bit among the cache blocks to be dropped, which is less efficient.
    Use find_next_bit instead, as it is twice as fast as the iterative
    approach with test_bit.
    
    Signed-off-by: Ming-Hung Tsai <mtsai@redhat.com>
    Fixes: f494a9c6b1b6 ("dm cache: cache shrinking support")
    Cc: stable@vger.kernel.org
    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Acked-by: Joe Thornber <thornber@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
dm-unstriped: cast an operand to sector_t to prevent potential uint32_t overflow [+ + +]
Author: Zichen Xie <zichenxie0106@gmail.com>
Date:   Mon Oct 21 14:54:45 2024 -0500

    dm-unstriped: cast an operand to sector_t to prevent potential uint32_t overflow
    
    commit 5a4510c762fc04c74cff264cd4d9e9f5bf364bae upstream.
    
    This was found by a static analyzer.
    There may be a potential integer overflow issue in
    unstripe_ctr(). uc->unstripe_offset and uc->unstripe_width are
    defined as "sector_t"(uint64_t), while uc->unstripe,
    uc->chunk_size and uc->stripes are all defined as "uint32_t".
    The result of the calculation will be limited to "uint32_t"
    without correct casting.
    So, we recommend adding an extra cast to prevent potential
    integer overflow.
    
    Fixes: 18a5bf270532 ("dm: add unstriped target")
    Signed-off-by: Zichen Xie <zichenxie0106@gmail.com>
    Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read() [+ + +]
Author: Alex Deucher <alexander.deucher@amd.com>
Date:   Wed Oct 23 16:52:08 2024 -0400

    drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read()
    
    commit 4d75b9468021c73108b4439794d69e892b1d24e3 upstream.
    
    Avoid a possible buffer overflow if size is larger than 4K.
    
    Reviewed-by: Yang Wang <kevinyang.wang@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    (cherry picked from commit f5d873f5825b40d886d03bd2aede91d4cf002434)
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drm/amdgpu: Adjust debugfs eviction and IB access permissions [+ + +]
Author: Alex Deucher <alexander.deucher@amd.com>
Date:   Wed Oct 23 16:39:36 2024 -0400

    drm/amdgpu: Adjust debugfs eviction and IB access permissions
    
    commit f790a2c494c4ef587eeeb9fca20124de76a1646f upstream.
    
    Users should not be able to run these.
    
    Reviewed-by: Yang Wang <kevinyang.wang@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    (cherry picked from commit 7ba9395430f611cfc101b1c2687732baafa239d5)
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drm/amdgpu: prevent NULL pointer dereference if ATIF is not supported [+ + +]
Author: Antonio Quartulli <antonio@mandelbit.com>
Date:   Thu Oct 31 16:28:48 2024 +0100

    drm/amdgpu: prevent NULL pointer dereference if ATIF is not supported
    
    commit a6dd15981c03f2cdc9a351a278f09b5479d53d2e upstream.
    
    acpi_evaluate_object() may return AE_NOT_FOUND (failure), which
    would result in dereferencing buffer.pointer (obj) while being NULL.
    
    Although this case may be unrealistic for the current code, it is
    still better to protect against possible bugs.
    
    Bail out also when status is AE_NOT_FOUND.
    
    This fixes 1 FORWARD_NULL issue reported by Coverity
    Report: CID 1600951:  Null pointer dereferences  (FORWARD_NULL)
    
    Signed-off-by: Antonio Quartulli <antonio@mandelbit.com>
    Fixes: c9b7c809b89f ("drm/amd: Guard against bad data for ATIF ACPI method")
    Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
    Link: https://lore.kernel.org/r/20241031152848.4716-1-antonio@mandelbit.com
    Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    (cherry picked from commit 91c9e221fe2553edf2db71627d8453f083de87a1)
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
filemap: Fix bounds checking in filemap_read() [+ + +]
Author: Trond Myklebust <trond.myklebust@hammerspace.com>
Date:   Fri Sep 13 13:57:04 2024 -0400

    filemap: Fix bounds checking in filemap_read()
    
    commit ace149e0830c380ddfce7e466fe860ca502fe4ee upstream.
    
    If the caller supplies an iocb->ki_pos value that is close to the
    filesystem upper limit, and an iterator with a count that causes us to
    overflow that limit, then filemap_read() enters an infinite loop.
    
    This behaviour was discovered when testing xfstests generic/525 with the
    "localio" optimisation for loopback NFS mounts.
    
    Reported-by: Mike Snitzer <snitzer@kernel.org>
    Fixes: c2a9737f45e2 ("vfs,mm: fix a dead loop in truncate_inode_pages_range()")
    Tested-by: Mike Snitzer <snitzer@kernel.org>
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
fs/proc: fix compile warning about variable 'vmcore_mmap_ops' [+ + +]
Author: Qi Xi <xiqi2@huawei.com>
Date:   Fri Nov 1 11:48:03 2024 +0800

    fs/proc: fix compile warning about variable 'vmcore_mmap_ops'
    
    commit b8ee299855f08539e04d6c1a6acb3dc9e5423c00 upstream.
    
    When build with !CONFIG_MMU, the variable 'vmcore_mmap_ops'
    is defined but not used:
    
    >> fs/proc/vmcore.c:458:42: warning: unused variable 'vmcore_mmap_ops'
         458 | static const struct vm_operations_struct vmcore_mmap_ops = {
    
    Fix this by only defining it when CONFIG_MMU is enabled.
    
    Link: https://lkml.kernel.org/r/20241101034803.9298-1-xiqi2@huawei.com
    Fixes: 9cb218131de1 ("vmcore: introduce remap_oldmem_pfn_range()")
    Signed-off-by: Qi Xi <xiqi2@huawei.com>
    Reported-by: kernel test robot <lkp@intel.com>
    Closes: https://lore.kernel.org/lkml/202410301936.GcE8yUos-lkp@intel.com/
    Cc: Baoquan He <bhe@redhat.com>
    Cc: Dave Young <dyoung@redhat.com>
    Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
    Cc: Vivek Goyal <vgoyal@redhat.com>
    Cc: Wang ShaoBo <bobo.shaobowang@huawei.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
HID: core: zero-initialize the report buffer [+ + +]
Author: Jiri Kosina <jikos@kernel.org>
Date:   Tue Oct 29 15:44:35 2024 +0100

    HID: core: zero-initialize the report buffer
    
    [ Upstream commit 177f25d1292c7e16e1199b39c85480f7f8815552 ]
    
    Since the report buffer is used by all kinds of drivers in various ways, let's
    zero-initialize it during allocation to make sure that it can't be ever used
    to leak kernel memory via specially-crafted report.
    
    Fixes: 27ce405039bf ("HID: fix data access in implement()")
    Reported-by: Benoît Sevens <bsevens@google.com>
    Acked-by: Benjamin Tissoires <bentiss@kernel.org>
    Signed-off-by: Jiri Kosina <jkosina@suse.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer [+ + +]
Author: Hyunwoo Kim <v4bel@theori.io>
Date:   Wed Nov 6 04:36:04 2024 -0500

    hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer
    
    commit e629295bd60abf4da1db85b82819ca6a4f6c1e79 upstream.
    
    When hvs is released, there is a possibility that vsk->trans may not
    be initialized to NULL, which could lead to a dangling pointer.
    This issue is resolved by initializing vsk->trans to NULL.
    
    Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
    Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
    Acked-by: Michael S. Tsirkin <mst@redhat.com>
    Link: https://patch.msgid.link/Zys4hCj61V+mQfX2@v4bel-B760M-AORUS-ELITE-AX
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
i40e: fix race condition by adding filter's intermediate sync state [+ + +]
Author: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Date:   Wed Oct 16 11:30:11 2024 +0200

    i40e: fix race condition by adding filter's intermediate sync state
    
    [ Upstream commit f30490e9695ef7da3d0899c6a0293cc7cd373567 ]
    
    Fix a race condition in the i40e driver that leads to MAC/VLAN filters
    becoming corrupted and leaking. Address the issue that occurs under
    heavy load when multiple threads are concurrently modifying MAC/VLAN
    filters by setting mac and port VLAN.
    
    1. Thread T0 allocates a filter in i40e_add_filter() within
            i40e_ndo_set_vf_port_vlan().
    2. Thread T1 concurrently frees the filter in __i40e_del_filter() within
            i40e_ndo_set_vf_mac().
    3. Subsequently, i40e_service_task() calls i40e_sync_vsi_filters(), which
            refers to the already freed filter memory, causing corruption.
    
    Reproduction steps:
    1. Spawn multiple VFs.
    2. Apply a concurrent heavy load by running parallel operations to change
            MAC addresses on the VFs and change port VLANs on the host.
    3. Observe errors in dmesg:
    "Error I40E_AQ_RC_ENOSPC adding RX filters on VF XX,
            please set promiscuous on manually for VF XX".
    
    Exact code for stable reproduction Intel can't open-source now.
    
    The fix involves implementing a new intermediate filter state,
    I40E_FILTER_NEW_SYNC, for the time when a filter is on a tmp_add_list.
    These filters cannot be deleted from the hash list directly but
    must be removed using the full process.
    
    Fixes: 278e7d0b9d68 ("i40e: store MAC/VLAN filters in a hash with the MAC Address as key")
    Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
    Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
    Reviewed-by: Michal Schmidt <mschmidt@redhat.com>
    Tested-by: Michal Schmidt <mschmidt@redhat.com>
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ice: change q_index variable type to s16 to store -1 value [+ + +]
Author: Mateusz Polchlopek <mateusz.polchlopek@intel.com>
Date:   Mon Oct 28 12:59:22 2024 -0400

    ice: change q_index variable type to s16 to store -1 value
    
    [ Upstream commit 64502dac974a5d9951d16015fa2e16a14e5f2bb2 ]
    
    Fix Flow Director not allowing to re-map traffic to 0th queue when action
    is configured to drop (and vice versa).
    
    The current implementation of ethtool callback in the ice driver forbids
    change Flow Director action from 0 to -1 and from -1 to 0 with an error,
    e.g:
    
     # ethtool -U eth2 flow-type tcp4 src-ip 1.1.1.1 loc 1 action 0
     # ethtool -U eth2 flow-type tcp4 src-ip 1.1.1.1 loc 1 action -1
     rmgr: Cannot insert RX class rule: Invalid argument
    
    We set the value of `u16 q_index = 0` at the beginning of the function
    ice_set_fdir_input_set(). In case of "drop traffic" action (which is
    equal to -1 in ethtool) we store the 0 value. Later, when want to change
    traffic rule to redirect to queue with index 0 it returns an error
    caused by duplicate found.
    
    Fix this behaviour by change of the type of field `q_index` from u16 to s16
    in `struct ice_fdir_fltr`. This allows to store -1 in the field in case
    of "drop traffic" action. What is more, change the variable type in the
    function ice_set_fdir_input_set() and assign at the beginning the new
    `#define ICE_FDIR_NO_QUEUE_IDX` which is -1. Later, if the action is set
    to another value (point specific queue index) the variable value is
    overwritten in the function.
    
    Fixes: cac2a27cd9ab ("ice: Support IPv4 Flow Director filters")
    Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
    Signed-off-by: Mateusz Polchlopek <mateusz.polchlopek@intel.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
irqchip/gic-v3: Force propagation of the active state with a read-back [+ + +]
Author: Marc Zyngier <maz@kernel.org>
Date:   Wed Nov 6 08:44:18 2024 +0000

    irqchip/gic-v3: Force propagation of the active state with a read-back
    
    commit 464cb98f1c07298c4c10e714ae0c36338d18d316 upstream.
    
    Christoffer reports that on some implementations, writing to
    GICR_ISACTIVER0 (and similar GICD registers) can race badly with a guest
    issuing a deactivation of that interrupt via the system register interface.
    
    There are multiple reasons to this:
    
     - this uses an early write-acknoledgement memory type (nGnRE), meaning
       that the write may only have made it as far as some interconnect
       by the time the store is considered "done"
    
     - the GIC itself is allowed to buffer the write until it decides to
       take it into account (as long as it is in finite time)
    
    The effects are that the activation may not have taken effect by the time
    the kernel enters the guest, forcing an immediate exit, or that a guest
    deactivation occurs before the interrupt is active, doing nothing.
    
    In order to guarantee that the write to the ISACTIVER register has taken
    effect, read back from it, forcing the interconnect to propagate the write,
    and the GIC to process the write before returning the read.
    
    Reported-by: Christoffer Dall <christoffer.dall@arm.com>
    Signed-off-by: Marc Zyngier <maz@kernel.org>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Acked-by: Christoffer Dall <christoffer.dall@arm.com>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/all/20241106084418.3794612-1-maz@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
kselftest/arm64: Initialise current at build time in signal tests [+ + +]
Author: Mark Brown <broonie@kernel.org>
Date:   Thu Jan 12 19:51:50 2023 +0000

    kselftest/arm64: Initialise current at build time in signal tests
    
    commit 6e4b4f0eca88e47def703f90a403fef5b96730d5 upstream.
    
    When building with clang the toolchain refuses to link the signals
    testcases since the assembly code has a reference to current which has
    no initialiser so is placed in the BSS:
    
      /tmp/signals-af2042.o: in function `fake_sigreturn':
      <unknown>:51:(.text+0x40): relocation truncated to fit: R_AARCH64_LD_PREL_LO19 against symbol `current' defined in .bss section in /tmp/test_signals-ec1160.o
    
    Since the first statement in main() initialises current we may as well
    fix this by moving the initialisation to build time so the variable
    doesn't end up in the BSS.
    
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
    Link: https://lore.kernel.org/r/20230111-arm64-kselftest-clang-v1-4-89c69d377727@kernel.org
    Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
    Signed-off-by: Mahmoud Adam <mngyadam@amazon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ksmbd: fix slab-use-after-free in ksmbd_smb2_session_create [+ + +]
Author: Namjae Jeon <linkinjeon@kernel.org>
Date:   Sat Nov 2 18:46:38 2024 +0900

    ksmbd: fix slab-use-after-free in ksmbd_smb2_session_create
    
    commit 0a77715db22611df50b178374c51e2ba0d58866e upstream.
    
    There is a race condition between ksmbd_smb2_session_create and
    ksmbd_expire_session. This patch add missing sessions_table_lock
    while adding/deleting session from global session table.
    
    Cc: stable@vger.kernel.org # v5.15+
    Reported-by: Norbert Szetei <norbert@doyensec.com>
    Tested-by: Norbert Szetei <norbert@doyensec.com>
    Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
    Signed-off-by: Steve French <stfrench@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ksmbd: fix slab-use-after-free in smb3_preauth_hash_rsp [+ + +]
Author: Namjae Jeon <linkinjeon@kernel.org>
Date:   Mon Nov 4 13:40:41 2024 +0900

    ksmbd: fix slab-use-after-free in smb3_preauth_hash_rsp
    
    commit b8fc56fbca7482c1e5c0e3351c6ae78982e25ada upstream.
    
    ksmbd_user_session_put should be called under smb3_preauth_hash_rsp().
    It will avoid freeing session before calling smb3_preauth_hash_rsp().
    
    Cc: stable@vger.kernel.org # v5.15+
    Reported-by: Norbert Szetei <norbert@doyensec.com>
    Tested-by: Norbert Szetei <norbert@doyensec.com>
    Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
    Signed-off-by: Steve French <stfrench@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ksmbd: Fix the missing xa_store error check [+ + +]
Author: Jinjie Ruan <ruanjinjie@huawei.com>
Date:   Mon Oct 28 08:28:30 2024 +0900

    ksmbd: Fix the missing xa_store error check
    
    commit 3abab905b14f4ba756d413f37f1fb02b708eee93 upstream.
    
    xa_store() can fail, it return xa_err(-EINVAL) if the entry cannot
    be stored in an XArray, or xa_err(-ENOMEM) if memory allocation failed,
    so check error for xa_store() to fix it.
    
    Cc: stable@vger.kernel.org
    Fixes: b685757c7b08 ("ksmbd: Implements sess->rpc_handle_list as xarray")
    Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
    Acked-by: Namjae Jeon <linkinjeon@kernel.org>
    Signed-off-by: Steve French <stfrench@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
Linux: Linux 6.1.117 [+ + +]
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Thu Nov 14 13:15:20 2024 +0100

    Linux 6.1.117
    
    Link: https://lore.kernel.org/r/20241112101844.263449965@linuxfoundation.org
    Tested-by: Pavel Machek (CIP) <pavel@denx.de>
    Tested-by: Shuah Khan <skhan@linuxfoundation.org>
    Tested-by: Salvatore Bonaccorso <carnil@debian.org>
    Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
    Tested-by: Ron Economos <re@w6rz.net>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Tested-by: Mark Brown <broonie@kernel.org>
    Tested-by: Peter Schneider <pschneider1968@googlemail.com>
    Tested-by: Jon Hunter <jonathanh@nvidia.com>
    Tested-by: Hardik Garg <hargar@linux.microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
media: adv7604: prevent underflow condition when reporting colorspace [+ + +]
Author: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Date:   Tue Oct 15 12:25:09 2024 +0200

    media: adv7604: prevent underflow condition when reporting colorspace
    
    [ Upstream commit 50b9fa751d1aef5d262bde871c70a7f44262f0bc ]
    
    Currently, adv76xx_log_status() reads some date using
    io_read() which may return negative values. The current logic
    doesn't check such errors, causing colorspace to be reported
    on a wrong way at adv76xx_log_status(), as reported by Coverity.
    
    If I/O error happens there, print a different message, instead
    of reporting bogus messages to userspace.
    
    Fixes: 54450f591c99 ("[media] adv7604: driver for the Analog Devices ADV7604 video decoder")
    Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    Reviewed-by: Hans Verkuil <hverkuil@xs4all.nl>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

media: amphion: Fix VPU core alias name [+ + +]
Author: Alexander Stein <alexander.stein@ew.tq-group.com>
Date:   Tue Nov 7 08:15:21 2023 +0100

    media: amphion: Fix VPU core alias name
    
    commit f033c87fda47e272bb4f75dc7b03677261d91158 upstream.
    
    Starting with commit f6038de293f2 ("arm64: dts: imx8qm: Fix VPU core
    alias name") the alias for VPU cores uses dashes instead of underscores.
    Adjust the alias stem accordingly. Fixes the errors:
    amphion-vpu-core 2d040000.vpu-core: can't get vpu core id
    amphion-vpu-core 2d050000.vpu-core: can't get vpu core id
    
    Fixes: f6038de293f2 ("arm64: dts: imx8qm: Fix VPU core alias name")
    Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
    Reviewed-by: Ming Qian <ming.qian@nxp.com>
    Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

media: ar0521: don't overflow when checking PLL values [+ + +]
Author: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Date:   Tue Oct 15 11:38:10 2024 +0200

    media: ar0521: don't overflow when checking PLL values
    
    commit 438d3085ba5b8b5bfa5290faa594e577f6ac9aa7 upstream.
    
    The PLL checks are comparing 64 bit integers with 32 bit
    ones, as reported by Coverity. Depending on the values of
    the variables, this may underflow.
    
    Fix it ensuring that both sides of the expression are u64.
    
    Fixes: 852b50aeed15 ("media: On Semi AR0521 sensor driver")
    Cc: stable@vger.kernel.org
    Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

media: cx24116: prevent overflows on SNR calculus [+ + +]
Author: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Date:   Tue Oct 15 12:14:11 2024 +0200

    media: cx24116: prevent overflows on SNR calculus
    
    commit 576a307a7650bd544fbb24df801b9b7863b85e2f upstream.
    
    as reported by Coverity, if reading SNR registers fail, a negative
    number will be returned, causing an underflow when reading SNR
    registers.
    
    Prevent that.
    
    Fixes: 8953db793d5b ("V4L/DVB (9178): cx24116: Add module parameter to return SNR as ESNO.")
    Cc: stable@vger.kernel.org
    Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

media: dvb_frontend: don't play tricks with underflow values [+ + +]
Author: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Date:   Tue Oct 15 16:05:16 2024 +0200

    media: dvb_frontend: don't play tricks with underflow values
    
    [ Upstream commit 9883a4d41aba7612644e9bb807b971247cea9b9d ]
    
    fepriv->auto_sub_step is unsigned. Setting it to -1 is just a
    trick to avoid calling continue, as reported by Coverity.
    
    It relies to have this code just afterwards:
    
            if (!ready) fepriv->auto_sub_step++;
    
    Simplify the code by simply setting it to zero and use
    continue to return to the while loop.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

media: dvbdev: prevent the risk of out of memory access [+ + +]
Author: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Date:   Tue Oct 15 15:23:01 2024 +0200

    media: dvbdev: prevent the risk of out of memory access
    
    [ Upstream commit 972e63e895abbe8aa1ccbdbb4e6362abda7cd457 ]
    
    The dvbdev contains a static variable used to store dvb minors.
    
    The behavior of it depends if CONFIG_DVB_DYNAMIC_MINORS is set
    or not. When not set, dvb_register_device() won't check for
    boundaries, as it will rely that a previous call to
    dvb_register_adapter() would already be enforcing it.
    
    On a similar way, dvb_device_open() uses the assumption
    that the register functions already did the needed checks.
    
    This can be fragile if some device ends using different
    calls. This also generate warnings on static check analysers
    like Coverity.
    
    So, add explicit guards to prevent potential risk of OOM issues.
    
    Fixes: 5dd3f3071070 ("V4L/DVB (9361): Dynamic DVB minor allocation")
    Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

media: pulse8-cec: fix data timestamp at pulse8_setup() [+ + +]
Author: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Date:   Wed Oct 16 11:24:15 2024 +0200

    media: pulse8-cec: fix data timestamp at pulse8_setup()
    
    commit ba9cf6b430433e57bfc8072364e944b7c0eca2a4 upstream.
    
    As pointed by Coverity, there is a hidden overflow condition there.
    As date is signed and u8 is unsigned, doing:
    
            date = (data[0] << 24)
    
    With a value bigger than 07f will make all upper bits of date
    0xffffffff. This can be demonstrated with this small code:
    
    <code>
    typedef int64_t time64_t;
    typedef uint8_t u8;
    
    int main(void)
    {
            u8 data[] = { 0xde ,0xad , 0xbe, 0xef };
            time64_t date;
    
            date = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3];
            printf("Invalid data = 0x%08lx\n", date);
    
            date = ((unsigned)data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3];
            printf("Expected data = 0x%08lx\n", date);
    
            return 0;
    }
    </code>
    
    Fix it by converting the upper bit calculation to unsigned.
    
    Fixes: cea28e7a55e7 ("media: pulse8-cec: reorganize function order")
    Cc: stable@vger.kernel.org
    Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

media: s5p-jpeg: prevent buffer overflows [+ + +]
Author: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Date:   Tue Oct 15 11:10:31 2024 +0200

    media: s5p-jpeg: prevent buffer overflows
    
    commit 14a22762c3daeac59a5a534e124acbb4d7a79b3a upstream.
    
    The current logic allows word to be less than 2. If this happens,
    there will be buffer overflows, as reported by smatch. Add extra
    checks to prevent it.
    
    While here, remove an unused word = 0 assignment.
    
    Fixes: 6c96dbbc2aa9 ("[media] s5p-jpeg: add support for 5433")
    Cc: stable@vger.kernel.org
    Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    Reviewed-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

media: stb0899_algo: initialize cfr before using it [+ + +]
Author: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Date:   Tue Oct 15 13:29:43 2024 +0200

    media: stb0899_algo: initialize cfr before using it
    
    commit 2d861977e7314f00bf27d0db17c11ff5e85e609a upstream.
    
    The loop at stb0899_search_carrier() starts with a random
    value for cfr, as reported by Coverity.
    
    Initialize it to zero, just like stb0899_dvbs_algo() to ensure
    that carrier search won't bail out.
    
    Fixes: 8bd135bab91f ("V4L/DVB (9375): Add STB0899 support")
    Cc: stable@vger.kernel.org
    Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format [+ + +]
Author: Benoit Sevens <bsevens@google.com>
Date:   Thu Nov 7 14:22:02 2024 +0000

    media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format
    
    commit ecf2b43018da9579842c774b7f35dbe11b5c38dd upstream.
    
    This can lead to out of bounds writes since frames of this type were not
    taken into account when calculating the size of the frames buffer in
    uvc_parse_streaming.
    
    Fixes: c0efd232929c ("V4L/DVB (8145a): USB Video Class driver")
    Signed-off-by: Benoit Sevens <bsevens@google.com>
    Cc: stable@vger.kernel.org
    Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
    Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

media: v4l2-ctrls-api: fix error handling for v4l2_g_ctrl() [+ + +]
Author: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Date:   Tue Oct 15 14:23:38 2024 +0200

    media: v4l2-ctrls-api: fix error handling for v4l2_g_ctrl()
    
    commit 4c76f331a9a173ac8fe1297a9231c2a38f88e368 upstream.
    
    As detected by Coverity, the error check logic at get_ctrl() is
    broken: if ptr_to_user() fails to fill a control due to an error,
    no errors are returned and v4l2_g_ctrl() returns success on a
    failed operation, which may cause applications to fail.
    
    Add an error check at get_ctrl() and ensure that it will
    be returned to userspace without filling the control value if
    get_ctrl() fails.
    
    Fixes: 71c689dc2e73 ("media: v4l2-ctrls: split up into four source files")
    Cc: stable@vger.kernel.org
    Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

media: v4l2-tpg: prevent the risk of a division by zero [+ + +]
Author: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Date:   Wed Oct 16 11:53:15 2024 +0200

    media: v4l2-tpg: prevent the risk of a division by zero
    
    commit e6a3ea83fbe15d4818d01804e904cbb0e64e543b upstream.
    
    As reported by Coverity, the logic at tpg_precalculate_line()
    blindly rescales the buffer even when scaled_witdh is equal to
    zero. If this ever happens, this will cause a division by zero.
    
    Instead, add a WARN_ON_ONCE() to trigger such cases and return
    without doing any precalculation.
    
    Fixes: 63881df94d3e ("[media] vivid: add the Test Pattern Generator")
    Cc: stable@vger.kernel.org
    Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
mptcp: use sock_kfree_s instead of kfree [+ + +]
Author: Geliang Tang <geliang@kernel.org>
Date:   Mon Nov 4 13:31:42 2024 +0100

    mptcp: use sock_kfree_s instead of kfree
    
    commit 99635c91fb8b860a6404b9bc8b769df7bdaa2ae3 upstream.
    
    The local address entries on userspace_pm_local_addr_list are allocated
    by sock_kmalloc().
    
    It's then required to use sock_kfree_s() instead of kfree() to free
    these entries in order to adjust the allocated size on the sk side.
    
    Fixes: 24430f8bf516 ("mptcp: add address into userspace pm list")
    Cc: stable@vger.kernel.org
    Signed-off-by: Geliang Tang <tanggeliang@kylinos.cn>
    Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
    Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
    Link: https://patch.msgid.link/20241104-net-mptcp-misc-6-12-v1-2-c13f2ff1656f@kernel.org
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
net: arc: fix the device for dma_map_single/dma_unmap_single [+ + +]
Author: Johan Jonker <jbx6244@gmail.com>
Date:   Mon Nov 4 21:01:38 2024 +0800

    net: arc: fix the device for dma_map_single/dma_unmap_single
    
    [ Upstream commit 71803c1dfa29e0d13b99e48fda11107cc8caebc7 ]
    
    The ndev->dev and pdev->dev aren't the same device, use ndev->dev.parent
    which has dma_mask, ndev->dev.parent is just pdev->dev.
    Or it would cause the following issue:
    
    [   39.933526] ------------[ cut here ]------------
    [   39.938414] WARNING: CPU: 1 PID: 501 at kernel/dma/mapping.c:149 dma_map_page_attrs+0x90/0x1f8
    
    Fixes: f959dcd6ddfd ("dma-direct: Fix potential NULL pointer dereference")
    Signed-off-by: David Wu <david.wu@rock-chips.com>
    Signed-off-by: Johan Jonker <jbx6244@gmail.com>
    Signed-off-by: Andy Yan <andy.yan@rock-chips.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: arc: rockchip: fix emac mdio node support [+ + +]
Author: Johan Jonker <jbx6244@gmail.com>
Date:   Mon Nov 4 21:01:39 2024 +0800

    net: arc: rockchip: fix emac mdio node support
    
    [ Upstream commit 0a1c7a7b0adbf595ce7f218609db53749e966573 ]
    
    The binding emac_rockchip.txt is converted to YAML.
    Changed against the original binding is an added MDIO subnode.
    This make the driver failed to find the PHY, and given the 'mdio
    has invalid PHY address' it is probably looking in the wrong node.
    Fix emac_mdio.c so that it can handle both old and new
    device trees.
    
    Fixes: 1dabb74971b3 ("ARM: dts: rockchip: restyle emac nodes")
    Signed-off-by: Johan Jonker <jbx6244@gmail.com>
    Tested-by: Andy Yan <andyshrk@163.com>
    Link: https://lore.kernel.org/r/20220603163539.537-3-jbx6244@gmail.com
    Signed-off-by: Andy Yan <andy.yan@rock-chips.com>
    Reviewed-by: Andrew Lunn <andrew@lunn.ch>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: do not delay dst_entries_add() in dst_release() [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Oct 8 14:31:10 2024 +0000

    net: do not delay dst_entries_add() in dst_release()
    
    commit ac888d58869bb99753e7652be19a151df9ecb35d upstream.
    
    dst_entries_add() uses per-cpu data that might be freed at netns
    dismantle from ip6_route_net_exit() calling dst_entries_destroy()
    
    Before ip6_route_net_exit() can be called, we release all
    the dsts associated with this netns, via calls to dst_release(),
    which waits an rcu grace period before calling dst_destroy()
    
    dst_entries_add() use in dst_destroy() is racy, because
    dst_entries_destroy() could have been called already.
    
    Decrementing the number of dsts must happen sooner.
    
    Notes:
    
    1) in CONFIG_XFRM case, dst_destroy() can call
       dst_release_immediate(child), this might also cause UAF
       if the child does not have DST_NOCOUNT set.
       IPSEC maintainers might take a look and see how to address this.
    
    2) There is also discussion about removing this count of dst,
       which might happen in future kernels.
    
    Fixes: f88649721268 ("ipv4: fix dst race in sk_dst_get()")
    Closes: https://lore.kernel.org/lkml/CANn89iLCCGsP7SFn9HKpvnKu96Td4KD08xf7aGtiYgZnkjaL=w@mail.gmail.com/T/
    Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Tested-by: Naresh Kamboju <naresh.kamboju@linaro.org>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Xin Long <lucien.xin@gmail.com>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Reviewed-by: Xin Long <lucien.xin@gmail.com>
    Link: https://patch.msgid.link/20241008143110.1064899-1-edumazet@google.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    [ resolved conflict due to bc9d3a9f2afc ("net: dst: Switch to rcuref_t
      reference counting") is not in the tree ]
    Signed-off-by: Abdelkareem Abdelsaamad <kareemem@amazon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

net: enetc: set MAC address to the VF net_device [+ + +]
Author: Wei Fang <wei.fang@nxp.com>
Date:   Tue Oct 29 17:04:06 2024 +0800

    net: enetc: set MAC address to the VF net_device
    
    [ Upstream commit badccd49b93bb945bf4e5cc8707db67cdc5e27e5 ]
    
    The MAC address of VF can be configured through the mailbox mechanism of
    ENETC, but the previous implementation forgot to set the MAC address in
    net_device, resulting in the SMAC of the sent frames still being the old
    MAC address. Since the MAC address in the hardware has been changed, Rx
    cannot receive frames with the DMAC address as the new MAC address. The
    most obvious phenomenon is that after changing the MAC address, we can
    see that the MAC address of eno0vf0 has not changed through the "ifconfig
    eno0vf0" command and the IP address cannot be obtained .
    
    root@ls1028ardb:~# ifconfig eno0vf0 down
    root@ls1028ardb:~# ifconfig eno0vf0 hw ether 00:04:9f:3a:4d:56 up
    root@ls1028ardb:~# ifconfig eno0vf0
    eno0vf0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            ether 66:36:2c:3b:87:76  txqueuelen 1000  (Ethernet)
            RX packets 794  bytes 69239 (69.2 KB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 11  bytes 2226 (2.2 KB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    Fixes: beb74ac878c8 ("enetc: Add vf to pf messaging support")
    Signed-off-by: Wei Fang <wei.fang@nxp.com>
    Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
    Reviewed-by: Claudiu Manoil <claudiu.manoil@nxp.com>
    Link: https://patch.msgid.link/20241029090406.841836-1-wei.fang@nxp.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: hns3: fix kernel crash when uninstalling driver [+ + +]
Author: Peiyang Wang <wangpeiyang1@huawei.com>
Date:   Fri Nov 1 17:15:07 2024 +0800

    net: hns3: fix kernel crash when uninstalling driver
    
    [ Upstream commit df3dff8ab6d79edc942464999d06fbaedf8cdd18 ]
    
    When the driver is uninstalled and the VF is disabled concurrently, a
    kernel crash occurs. The reason is that the two actions call function
    pci_disable_sriov(). The num_VFs is checked to determine whether to
    release the corresponding resources. During the second calling, num_VFs
    is not 0 and the resource release function is called. However, the
    corresponding resource has been released during the first invoking.
    Therefore, the problem occurs:
    
    [15277.839633][T50670] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
    ...
    [15278.131557][T50670] Call trace:
    [15278.134686][T50670]  klist_put+0x28/0x12c
    [15278.138682][T50670]  klist_del+0x14/0x20
    [15278.142592][T50670]  device_del+0xbc/0x3c0
    [15278.146676][T50670]  pci_remove_bus_device+0x84/0x120
    [15278.151714][T50670]  pci_stop_and_remove_bus_device+0x6c/0x80
    [15278.157447][T50670]  pci_iov_remove_virtfn+0xb4/0x12c
    [15278.162485][T50670]  sriov_disable+0x50/0x11c
    [15278.166829][T50670]  pci_disable_sriov+0x24/0x30
    [15278.171433][T50670]  hnae3_unregister_ae_algo_prepare+0x60/0x90 [hnae3]
    [15278.178039][T50670]  hclge_exit+0x28/0xd0 [hclge]
    [15278.182730][T50670]  __se_sys_delete_module.isra.0+0x164/0x230
    [15278.188550][T50670]  __arm64_sys_delete_module+0x1c/0x30
    [15278.193848][T50670]  invoke_syscall+0x50/0x11c
    [15278.198278][T50670]  el0_svc_common.constprop.0+0x158/0x164
    [15278.203837][T50670]  do_el0_svc+0x34/0xcc
    [15278.207834][T50670]  el0_svc+0x20/0x30
    
    For details, see the following figure.
    
         rmmod hclge              disable VFs
    ----------------------------------------------------
    hclge_exit()            sriov_numvfs_store()
      ...                     device_lock()
      pci_disable_sriov()     hns3_pci_sriov_configure()
                                pci_disable_sriov()
                                  sriov_disable()
        sriov_disable()             if !num_VFs :
          if !num_VFs :               return;
            return;                 sriov_del_vfs()
          sriov_del_vfs()             ...
            ...                       klist_put()
            klist_put()               ...
            ...                     num_VFs = 0;
          num_VFs = 0;        device_unlock();
    
    In this patch, when driver is removing, we get the device_lock()
    to protect num_VFs, just like sriov_numvfs_store().
    
    Fixes: 0dd8a25f355b ("net: hns3: disable sriov before unload hclge layer")
    Signed-off-by: Peiyang Wang <wangpeiyang1@huawei.com>
    Signed-off-by: Jijie Shao <shaojijie@huawei.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Link: https://patch.msgid.link/20241101091507.3644584-1-shaojijie@huawei.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: phy: ti: add PHY_RST_AFTER_CLK_EN flag [+ + +]
Author: Diogo Silva <diogompaissilva@gmail.com>
Date:   Sat Nov 2 16:15:05 2024 +0100

    net: phy: ti: add PHY_RST_AFTER_CLK_EN flag
    
    [ Upstream commit 256748d5480bb3c4b731236c6d6fc86a8e2815d8 ]
    
    DP83848 datasheet (section 4.7.2) indicates that the reset pin should be
    toggled after the clocks are running. Add the PHY_RST_AFTER_CLK_EN to
    make sure that this indication is respected.
    
    In my experience not having this flag enabled would lead to, on some
    boots, the wrong MII mode being selected if the PHY was initialized on
    the bootloader and was receiving data during Linux boot.
    
    Signed-off-by: Diogo Silva <diogompaissilva@gmail.com>
    Reviewed-by: Andrew Lunn <andrew@lunn.ch>
    Fixes: 34e45ad9378c ("net: phy: dp83848: Add TI DP83848 Ethernet PHY")
    Link: https://patch.msgid.link/20241102151504.811306-1-paissilva@ld-100007.ds1.internal
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: sched: use RCU read-side critical section in taprio_dump() [+ + +]
Author: Dmitry Antipov <dmantipov@yandex.ru>
Date:   Fri Oct 18 08:13:39 2024 +0300

    net: sched: use RCU read-side critical section in taprio_dump()
    
    commit b22db8b8befe90b61c98626ca1a2fbb0505e9fe3 upstream.
    
    Fix possible use-after-free in 'taprio_dump()' by adding RCU
    read-side critical section there. Never seen on x86 but
    found on a KASAN-enabled arm64 system when investigating
    https://syzkaller.appspot.com/bug?extid=b65e0af58423fc8a73aa:
    
    [T15862] BUG: KASAN: slab-use-after-free in taprio_dump+0xa0c/0xbb0
    [T15862] Read of size 4 at addr ffff0000d4bb88f8 by task repro/15862
    [T15862]
    [T15862] CPU: 0 UID: 0 PID: 15862 Comm: repro Not tainted 6.11.0-rc1-00293-gdefaf1a2113a-dirty #2
    [T15862] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-20240524-5.fc40 05/24/2024
    [T15862] Call trace:
    [T15862]  dump_backtrace+0x20c/0x220
    [T15862]  show_stack+0x2c/0x40
    [T15862]  dump_stack_lvl+0xf8/0x174
    [T15862]  print_report+0x170/0x4d8
    [T15862]  kasan_report+0xb8/0x1d4
    [T15862]  __asan_report_load4_noabort+0x20/0x2c
    [T15862]  taprio_dump+0xa0c/0xbb0
    [T15862]  tc_fill_qdisc+0x540/0x1020
    [T15862]  qdisc_notify.isra.0+0x330/0x3a0
    [T15862]  tc_modify_qdisc+0x7b8/0x1838
    [T15862]  rtnetlink_rcv_msg+0x3c8/0xc20
    [T15862]  netlink_rcv_skb+0x1f8/0x3d4
    [T15862]  rtnetlink_rcv+0x28/0x40
    [T15862]  netlink_unicast+0x51c/0x790
    [T15862]  netlink_sendmsg+0x79c/0xc20
    [T15862]  __sock_sendmsg+0xe0/0x1a0
    [T15862]  ____sys_sendmsg+0x6c0/0x840
    [T15862]  ___sys_sendmsg+0x1ac/0x1f0
    [T15862]  __sys_sendmsg+0x110/0x1d0
    [T15862]  __arm64_sys_sendmsg+0x74/0xb0
    [T15862]  invoke_syscall+0x88/0x2e0
    [T15862]  el0_svc_common.constprop.0+0xe4/0x2a0
    [T15862]  do_el0_svc+0x44/0x60
    [T15862]  el0_svc+0x50/0x184
    [T15862]  el0t_64_sync_handler+0x120/0x12c
    [T15862]  el0t_64_sync+0x190/0x194
    [T15862]
    [T15862] Allocated by task 15857:
    [T15862]  kasan_save_stack+0x3c/0x70
    [T15862]  kasan_save_track+0x20/0x3c
    [T15862]  kasan_save_alloc_info+0x40/0x60
    [T15862]  __kasan_kmalloc+0xd4/0xe0
    [T15862]  __kmalloc_cache_noprof+0x194/0x334
    [T15862]  taprio_change+0x45c/0x2fe0
    [T15862]  tc_modify_qdisc+0x6a8/0x1838
    [T15862]  rtnetlink_rcv_msg+0x3c8/0xc20
    [T15862]  netlink_rcv_skb+0x1f8/0x3d4
    [T15862]  rtnetlink_rcv+0x28/0x40
    [T15862]  netlink_unicast+0x51c/0x790
    [T15862]  netlink_sendmsg+0x79c/0xc20
    [T15862]  __sock_sendmsg+0xe0/0x1a0
    [T15862]  ____sys_sendmsg+0x6c0/0x840
    [T15862]  ___sys_sendmsg+0x1ac/0x1f0
    [T15862]  __sys_sendmsg+0x110/0x1d0
    [T15862]  __arm64_sys_sendmsg+0x74/0xb0
    [T15862]  invoke_syscall+0x88/0x2e0
    [T15862]  el0_svc_common.constprop.0+0xe4/0x2a0
    [T15862]  do_el0_svc+0x44/0x60
    [T15862]  el0_svc+0x50/0x184
    [T15862]  el0t_64_sync_handler+0x120/0x12c
    [T15862]  el0t_64_sync+0x190/0x194
    [T15862]
    [T15862] Freed by task 6192:
    [T15862]  kasan_save_stack+0x3c/0x70
    [T15862]  kasan_save_track+0x20/0x3c
    [T15862]  kasan_save_free_info+0x4c/0x80
    [T15862]  poison_slab_object+0x110/0x160
    [T15862]  __kasan_slab_free+0x3c/0x74
    [T15862]  kfree+0x134/0x3c0
    [T15862]  taprio_free_sched_cb+0x18c/0x220
    [T15862]  rcu_core+0x920/0x1b7c
    [T15862]  rcu_core_si+0x10/0x1c
    [T15862]  handle_softirqs+0x2e8/0xd64
    [T15862]  __do_softirq+0x14/0x20
    
    Fixes: 18cdd2f0998a ("net/sched: taprio: taprio_dump and taprio_change are protected by rtnl_mutex")
    Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
    Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
    Link: https://patch.msgid.link/20241018051339.418890-2-dmantipov@yandex.ru
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    [Lee: Backported from linux-6.6.y to linux-6.1.y and fixed conflicts]
    Signed-off-by: Lee Jones <lee@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

net: stmmac: Fix unbalanced IRQ wake disable warning on single irq case [+ + +]
Author: Nícolas F. R. A. Prado <nfraprado@collabora.com>
Date:   Fri Nov 1 17:17:29 2024 -0400

    net: stmmac: Fix unbalanced IRQ wake disable warning on single irq case
    
    [ Upstream commit 25d70702142ac2115e75e01a0a985c6ea1d78033 ]
    
    Commit a23aa0404218 ("net: stmmac: ethtool: Fixed calltrace caused by
    unbalanced disable_irq_wake calls") introduced checks to prevent
    unbalanced enable and disable IRQ wake calls. However it only
    initialized the auxiliary variable on one of the paths,
    stmmac_request_irq_multi_msi(), missing the other,
    stmmac_request_irq_single().
    
    Add the same initialization on stmmac_request_irq_single() to prevent
    "Unbalanced IRQ <x> wake disable" warnings from being printed the first
    time disable_irq_wake() is called on platforms that run on that code
    path.
    
    Fixes: a23aa0404218 ("net: stmmac: ethtool: Fixed calltrace caused by unbalanced disable_irq_wake calls")
    Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Link: https://patch.msgid.link/20241101-stmmac-unbalanced-wake-single-fix-v1-1-5952524c97f0@collabora.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: vertexcom: mse102x: Fix possible double free of TX skb [+ + +]
Author: Stefan Wahren <wahrenst@gmx.net>
Date:   Tue Nov 5 17:31:01 2024 +0100

    net: vertexcom: mse102x: Fix possible double free of TX skb
    
    commit 1f26339b2ed63d1e8e18a18674fb73a392f3660e upstream.
    
    The scope of the TX skb is wider than just mse102x_tx_frame_spi(),
    so in case the TX skb room needs to be expanded, we should free the
    the temporary skb instead of the original skb. Otherwise the original
    TX skb pointer would be freed again in mse102x_tx_work(), which leads
    to crashes:
    
      Internal error: Oops: 0000000096000004 [#2] PREEMPT SMP
      CPU: 0 PID: 712 Comm: kworker/0:1 Tainted: G      D            6.6.23
      Hardware name: chargebyte Charge SOM DC-ONE (DT)
      Workqueue: events mse102x_tx_work [mse102x]
      pstate: 20400009 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
      pc : skb_release_data+0xb8/0x1d8
      lr : skb_release_data+0x1ac/0x1d8
      sp : ffff8000819a3cc0
      x29: ffff8000819a3cc0 x28: ffff0000046daa60 x27: ffff0000057f2dc0
      x26: ffff000005386c00 x25: 0000000000000002 x24: 00000000ffffffff
      x23: 0000000000000000 x22: 0000000000000001 x21: ffff0000057f2e50
      x20: 0000000000000006 x19: 0000000000000000 x18: ffff00003fdacfcc
      x17: e69ad452d0c49def x16: 84a005feff870102 x15: 0000000000000000
      x14: 000000000000024a x13: 0000000000000002 x12: 0000000000000000
      x11: 0000000000000400 x10: 0000000000000930 x9 : ffff00003fd913e8
      x8 : fffffc00001bc008
      x7 : 0000000000000000 x6 : 0000000000000008
      x5 : ffff00003fd91340 x4 : 0000000000000000 x3 : 0000000000000009
      x2 : 00000000fffffffe x1 : 0000000000000000 x0 : 0000000000000000
      Call trace:
       skb_release_data+0xb8/0x1d8
       kfree_skb_reason+0x48/0xb0
       mse102x_tx_work+0x164/0x35c [mse102x]
       process_one_work+0x138/0x260
       worker_thread+0x32c/0x438
       kthread+0x118/0x11c
       ret_from_fork+0x10/0x20
      Code: aa1303e0 97fffab6 72001c1f 54000141 (f9400660)
    
    Cc: stable@vger.kernel.org
    Fixes: 2f207cbf0dd4 ("net: vertexcom: Add MSE102x SPI support")
    Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
    Link: https://patch.msgid.link/20241105163101.33216-1-wahrenst@gmx.net
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

net: wwan: t7xx: Fix off-by-one error in t7xx_dpmaif_rx_buf_alloc() [+ + +]
Author: Jinjie Ruan <ruanjinjie@huawei.com>
Date:   Fri Nov 1 10:53:16 2024 +0800

    net: wwan: t7xx: Fix off-by-one error in t7xx_dpmaif_rx_buf_alloc()
    
    commit 3b557be89fc688dbd9ccf704a70f7600a094f13a upstream.
    
    The error path in t7xx_dpmaif_rx_buf_alloc(), free and unmap the already
    allocated and mapped skb in a loop, but the loop condition terminates when
    the index reaches zero, which fails to free the first allocated skb at
    index zero.
    
    Check with i-- so that skb at index 0 is freed as well.
    
    Cc: stable@vger.kernel.org
    Fixes: d642b012df70 ("net: wwan: t7xx: Add data path interface")
    Acked-by: Sergey Ryazanov <ryazanov.s.a@gmail.com>
    Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
    Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
    Link: https://patch.msgid.link/20241101025316.3234023-1-ruanjinjie@huawei.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
nfs: avoid i_lock contention in nfs_clear_invalid_mapping [+ + +]
Author: Mike Snitzer <snitzer@kernel.org>
Date:   Fri Oct 18 17:15:41 2024 -0400

    nfs: avoid i_lock contention in nfs_clear_invalid_mapping
    
    [ Upstream commit 867da60d463bb2a3e28c9235c487e56e96cffa00 ]
    
    Multi-threaded buffered reads to the same file exposed significant
    inode spinlock contention in nfs_clear_invalid_mapping().
    
    Eliminate this spinlock contention by checking flags without locking,
    instead using smp_rmb and smp_load_acquire accordingly, but then take
    spinlock and double-check these inode flags.
    
    Also refactor nfs_set_cache_invalid() slightly to use
    smp_store_release() to pair with nfs_clear_invalid_mapping()'s
    smp_load_acquire().
    
    While this fix is beneficial for all multi-threaded buffered reads
    issued by an NFS client, this issue was identified in the context of
    surprisingly low LOCALIO performance with 4K multi-threaded buffered
    read IO.  This fix dramatically speeds up LOCALIO performance:
    
    before: read: IOPS=1583k, BW=6182MiB/s (6482MB/s)(121GiB/20002msec)
    after:  read: IOPS=3046k, BW=11.6GiB/s (12.5GB/s)(232GiB/20001msec)
    
    Fixes: 17dfeb911339 ("NFS: Fix races in nfs_revalidate_mapping")
    Signed-off-by: Mike Snitzer <snitzer@kernel.org>
    Reviewed-by: Jeff Layton <jlayton@kernel.org>
    Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

nfs: Fix KMSAN warning in decode_getfattr_attrs() [+ + +]
Author: Roberto Sassu <roberto.sassu@huawei.com>
Date:   Fri Oct 25 16:03:27 2024 +0200

    nfs: Fix KMSAN warning in decode_getfattr_attrs()
    
    commit dc270d7159699ad6d11decadfce9633f0f71c1db upstream.
    
    Fix the following KMSAN warning:
    
    CPU: 1 UID: 0 PID: 7651 Comm: cp Tainted: G    B
    Tainted: [B]=BAD_PAGE
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)
    =====================================================
    =====================================================
    BUG: KMSAN: uninit-value in decode_getfattr_attrs+0x2d6d/0x2f90
     decode_getfattr_attrs+0x2d6d/0x2f90
     decode_getfattr_generic+0x806/0xb00
     nfs4_xdr_dec_getattr+0x1de/0x240
     rpcauth_unwrap_resp_decode+0xab/0x100
     rpcauth_unwrap_resp+0x95/0xc0
     call_decode+0x4ff/0xb50
     __rpc_execute+0x57b/0x19d0
     rpc_execute+0x368/0x5e0
     rpc_run_task+0xcfe/0xee0
     nfs4_proc_getattr+0x5b5/0x990
     __nfs_revalidate_inode+0x477/0xd00
     nfs_access_get_cached+0x1021/0x1cc0
     nfs_do_access+0x9f/0xae0
     nfs_permission+0x1e4/0x8c0
     inode_permission+0x356/0x6c0
     link_path_walk+0x958/0x1330
     path_lookupat+0xce/0x6b0
     filename_lookup+0x23e/0x770
     vfs_statx+0xe7/0x970
     vfs_fstatat+0x1f2/0x2c0
     __se_sys_newfstatat+0x67/0x880
     __x64_sys_newfstatat+0xbd/0x120
     x64_sys_call+0x1826/0x3cf0
     do_syscall_64+0xd0/0x1b0
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    
    The KMSAN warning is triggered in decode_getfattr_attrs(), when calling
    decode_attr_mdsthreshold(). It appears that fattr->mdsthreshold is not
    initialized.
    
    Fix the issue by initializing fattr->mdsthreshold to NULL in
    nfs_fattr_init().
    
    Cc: stable@vger.kernel.org # v3.5.x
    Fixes: 88034c3d88c2 ("NFSv4.1 mdsthreshold attribute xdr")
    Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
    Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
NFSv3: handle out-of-order write replies. [+ + +]
Author: NeilBrown <neilb@suse.de>
Date:   Wed Mar 22 09:27:04 2023 +1100

    NFSv3: handle out-of-order write replies.
    
    [ Upstream commit 3db63daabe210af32a09533fe7d8d47c711a103c ]
    
    NFSv3 includes pre/post wcc attributes which allow the client to
    determine if all changes to the file have been made by the client
    itself, or if any might have been made by some other client.
    
    If there are gaps in the pre/post ctime sequence it must be assumed that
    some other client changed the file in that gap and the local cache must
    be suspect.  The next time the file is opened the cache should be
    invalidated.
    
    Since Commit 1c341b777501 ("NFS: Add deferred cache invalidation for
    close-to-open consistency violations") in linux 5.3 the Linux client has
    been triggering this invalidation.  The chunk in nfs_update_inode() in
    particularly triggers.
    
    Unfortunately Linux NFS assumes that all replies will be processed in
    the order sent, and will arrive in the order processed.  This is not
    true in general.  Consequently Linux NFS might ignore the wcc info in a
    WRITE reply because the reply is in response to a WRITE that was sent
    before some other request for which a reply has already been seen.  This
    is detected by Linux using the gencount tests in nfs_inode_attr_cmp().
    
    Also, when the gencount tests pass it is still possible that the request
    were processed on the server in a different order, and a gap seen in
    the ctime sequence might be filled in by a subsequent reply, so gaps
    should not immediately trigger delayed invalidation.
    
    The net result is that writing to a server and then reading the file
    back can result in going to the server for the read rather than serving
    it from cache - all because a couple of replies arrived out-of-order.
    This is a performance regression over kernels before 5.3, though the
    change in 5.3 is a correctness improvement.
    
    This has been seen with Linux writing to a Netapp server which
    occasionally re-orders requests.  In testing the majority of requests
    were in-order, but a few (maybe 2 or three at a time) could be
    re-ordered.
    
    This patch addresses the problem by recording any gaps seen in the
    pre/post ctime sequence and not triggering invalidation until either
    there are too many gaps to fit in the table, or until there are no more
    active writes and the remaining gaps cannot be resolved.
    
    We allocate a table of 16 gaps on demand.  If the allocation fails we
    revert to current behaviour which is of little cost as we are unlikely
    to be able to cache the writes anyway.
    
    In the table we store "start->end" pair when iversion is updated and
    "end<-start" pairs pre/post pairs reported by the server.  Usually these
    exactly cancel out and so nothing is stored.  When there are
    out-of-order replies we do store gaps and these will eventually be
    cancelled against later replies when this client is the only writer.
    
    If the final write is out-of-order there may be one gap remaining when
    the file is closed.  This will be noticed and if there is precisely on
    gap and if the iversion can be advanced to match it, then we do so.
    
    This patch makes no attempt to handle directories correctly.  The same
    problem potentially exists in the out-of-order replies to create/unlink
    requests can cause future lookup requires to be sent to the server
    unnecessarily.  A similar scheme using the same primitives could be used
    to notice and handle out-of-order replies.
    
    Signed-off-by: NeilBrown <neilb@suse.de>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Stable-dep-of: 867da60d463b ("nfs: avoid i_lock contention in nfs_clear_invalid_mapping")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

NFSv3: only use NFS timeout for MOUNT when protocols are compatible [+ + +]
Author: NeilBrown <neilb@suse.de>
Date:   Fri Oct 4 11:07:23 2024 +1000

    NFSv3: only use NFS timeout for MOUNT when protocols are compatible
    
    [ Upstream commit 6e2a10343ecb71c4457bc16be05758f9c7aae7d9 ]
    
    If a timeout is specified in the mount options, it currently applies to
    both the NFS protocol and (with v3) the MOUNT protocol.  This is
    sensible when they both use the same underlying protocol, or those
    protocols are compatible w.r.t timeouts as RDMA and TCP are.
    
    However if, for example, NFS is using TCP and MOUNT is using UDP then
    using the same timeout doesn't make much sense.
    
    If you
       mount -o vers=3,proto=tcp,mountproto=udp,timeo=600,retrans=5 \
          server:/path /mountpoint
    
    then the timeo=600 which was intended for the NFS/TCP request will
    apply to the MOUNT/UDP requests with the result that there will only be
    one request sent (because UDP has a maximum timeout of 60 seconds).
    This is not what a reasonable person might expect.
    
    This patch disables the sharing of timeout information in cases where
    the underlying protocols are not compatible.
    
    Fixes: c9301cb35b59 ("nfs: hornor timeo and retrans option when mounting NFSv3")
    Signed-off-by: NeilBrown <neilb@suse.de>
    Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove() [+ + +]
Author: Andrew Kanner <andrew.kanner@gmail.com>
Date:   Sun Nov 3 20:38:45 2024 +0100

    ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove()
    
    commit 0b63c0e01fba40e3992bc627272ec7b618ccaef7 upstream.
    
    Syzkaller is able to provoke null-ptr-dereference in ocfs2_xa_remove():
    
    [   57.319872] (a.out,1161,7):ocfs2_xa_remove:2028 ERROR: status = -12
    [   57.320420] (a.out,1161,7):ocfs2_xa_cleanup_value_truncate:1999 ERROR: Partial truncate while removing xattr overlay.upper.  Leaking 1 clusters and removing the entry
    [   57.321727] BUG: kernel NULL pointer dereference, address: 0000000000000004
    [...]
    [   57.325727] RIP: 0010:ocfs2_xa_block_wipe_namevalue+0x2a/0xc0
    [...]
    [   57.331328] Call Trace:
    [   57.331477]  <TASK>
    [...]
    [   57.333511]  ? do_user_addr_fault+0x3e5/0x740
    [   57.333778]  ? exc_page_fault+0x70/0x170
    [   57.334016]  ? asm_exc_page_fault+0x2b/0x30
    [   57.334263]  ? __pfx_ocfs2_xa_block_wipe_namevalue+0x10/0x10
    [   57.334596]  ? ocfs2_xa_block_wipe_namevalue+0x2a/0xc0
    [   57.334913]  ocfs2_xa_remove_entry+0x23/0xc0
    [   57.335164]  ocfs2_xa_set+0x704/0xcf0
    [   57.335381]  ? _raw_spin_unlock+0x1a/0x40
    [   57.335620]  ? ocfs2_inode_cache_unlock+0x16/0x20
    [   57.335915]  ? trace_preempt_on+0x1e/0x70
    [   57.336153]  ? start_this_handle+0x16c/0x500
    [   57.336410]  ? preempt_count_sub+0x50/0x80
    [   57.336656]  ? _raw_read_unlock+0x20/0x40
    [   57.336906]  ? start_this_handle+0x16c/0x500
    [   57.337162]  ocfs2_xattr_block_set+0xa6/0x1e0
    [   57.337424]  __ocfs2_xattr_set_handle+0x1fd/0x5d0
    [   57.337706]  ? ocfs2_start_trans+0x13d/0x290
    [   57.337971]  ocfs2_xattr_set+0xb13/0xfb0
    [   57.338207]  ? dput+0x46/0x1c0
    [   57.338393]  ocfs2_xattr_trusted_set+0x28/0x30
    [   57.338665]  ? ocfs2_xattr_trusted_set+0x28/0x30
    [   57.338948]  __vfs_removexattr+0x92/0xc0
    [   57.339182]  __vfs_removexattr_locked+0xd5/0x190
    [   57.339456]  ? preempt_count_sub+0x50/0x80
    [   57.339705]  vfs_removexattr+0x5f/0x100
    [...]
    
    Reproducer uses faultinject facility to fail ocfs2_xa_remove() ->
    ocfs2_xa_value_truncate() with -ENOMEM.
    
    In this case the comment mentions that we can return 0 if
    ocfs2_xa_cleanup_value_truncate() is going to wipe the entry
    anyway. But the following 'rc' check is wrong and execution flow do
    'ocfs2_xa_remove_entry(loc);' twice:
    * 1st: in ocfs2_xa_cleanup_value_truncate();
    * 2nd: returning back to ocfs2_xa_remove() instead of going to 'out'.
    
    Fix this by skipping the 2nd removal of the same entry and making
    syzkaller repro happy.
    
    Link: https://lkml.kernel.org/r/20241103193845.2940988-1-andrew.kanner@gmail.com
    Fixes: 399ff3a748cf ("ocfs2: Handle errors while setting external xattr values.")
    Signed-off-by: Andrew Kanner <andrew.kanner@gmail.com>
    Reported-by: syzbot+386ce9e60fa1b18aac5b@syzkaller.appspotmail.com
    Closes: https://lore.kernel.org/all/671e13ab.050a0220.2b8c0f.01d0.GAE@google.com/T/
    Tested-by: syzbot+386ce9e60fa1b18aac5b@syzkaller.appspotmail.com
    Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
    Cc: Mark Fasheh <mark@fasheh.com>
    Cc: Joel Becker <jlbec@evilplan.org>
    Cc: Junxiao Bi <junxiao.bi@oracle.com>
    Cc: Changwei Ge <gechangwei@live.cn>
    Cc: Jun Piao <piaojun@huawei.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
platform/x86/amd/pmc: Detect when STB is not available [+ + +]
Author: Corey Hickey <bugfood-c@fatooh.org>
Date:   Mon Oct 28 11:02:41 2024 -0700

    platform/x86/amd/pmc: Detect when STB is not available
    
    [ Upstream commit bceec87a73804bb4c33b9a6c96e2d27cd893a801 ]
    
    Loading the amd_pmc module as:
    
        amd_pmc enable_stb=1
    
    ...can result in the following messages in the kernel ring buffer:
    
        amd_pmc AMDI0009:00: SMU cmd failed. err: 0xff
        ioremap on RAM at 0x0000000000000000 - 0x0000000000ffffff
        WARNING: CPU: 10 PID: 2151 at arch/x86/mm/ioremap.c:217 __ioremap_caller+0x2cd/0x340
    
    Further debugging reveals that this occurs when the requests for
    S2D_PHYS_ADDR_LOW and S2D_PHYS_ADDR_HIGH return a value of 0,
    indicating that the STB is inaccessible. To prevent the ioremap
    warning and provide clarity to the user, handle the invalid address
    and display an error message.
    
    Link: https://lore.kernel.org/platform-driver-x86/c588ff5d-3e04-4549-9a86-284b9b4419ba@amd.com
    Fixes: 3d7d407dfb05 ("platform/x86: amd-pmc: Add support for AMD Spill to DRAM STB feature")
    Acked-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
    Signed-off-by: Corey Hickey <bugfood-c@fatooh.org>
    Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
    Link: https://lore.kernel.org/r/20241028180241.1341624-1-bugfood-ml@fatooh.org
    Reviewed-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
posix-cpu-timers: Clear TICK_DEP_BIT_POSIX_TIMER on clone [+ + +]
Author: Benjamin Segall <bsegall@google.com>
Date:   Fri Oct 25 18:35:35 2024 -0700

    posix-cpu-timers: Clear TICK_DEP_BIT_POSIX_TIMER on clone
    
    [ Upstream commit b5413156bad91dc2995a5c4eab1b05e56914638a ]
    
    When cloning a new thread, its posix_cputimers are not inherited, and
    are cleared by posix_cputimers_init(). However, this does not clear the
    tick dependency it creates in tsk->tick_dep_mask, and the handler does
    not reach the code to clear the dependency if there were no timers to
    begin with.
    
    Thus if a thread has a cputimer running before clone/fork, all
    descendants will prevent nohz_full unless they create a cputimer of
    their own.
    
    Fix this by entirely clearing the tick_dep_mask in copy_process().
    (There is currently no inherited state that needs a tick dependency)
    
    Process-wide timers do not have this problem because fork does not copy
    signal_struct as a baseline, it creates one from scratch.
    
    Fixes: b78783000d5c ("posix-cpu-timers: Migrate to use new tick dependency mask model")
    Signed-off-by: Ben Segall <bsegall@google.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Frederic Weisbecker <frederic@kernel.org>
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/all/xm26o737bq8o.fsf@google.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
pwm: imx-tpm: Use correct MODULO value for EPWM mode [+ + +]
Author: Erik Schumacher <erik.schumacher@iris-sensing.com>
Date:   Fri Oct 25 08:37:00 2024 +0000

    pwm: imx-tpm: Use correct MODULO value for EPWM mode
    
    commit cc6a931d1f3b412263d515fd93b21fc0ca5147fe upstream.
    
    The modulo register defines the period of the edge-aligned PWM mode
    (which is the only mode implemented). The reference manual states:
    "The EPWM period is determined by (MOD + 0001h) ..." So the value that
    is written to the MOD register must therefore be one less than the
    calculated period length. Return -EINVAL if the calculated length is
    already zero.
    A correct MODULO value is particularly relevant if the PWM has to output
    a high frequency due to a low period value.
    
    Fixes: 738a1cfec2ed ("pwm: Add i.MX TPM PWM driver support")
    Cc: stable@vger.kernel.org
    Signed-off-by: Erik Schumacher <erik.schumacher@iris-sensing.com>
    Link: https://lore.kernel.org/r/1a3890966d68b9f800d457cbf095746627495e18.camel@iris-sensing.com
    Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
Revert "ALSA: hda/conexant: Mute speakers at suspend / shutdown" [+ + +]
Author: Jarosław Janik <jaroslaw.janik@gmail.com>
Date:   Wed Oct 30 18:18:12 2024 +0100

    Revert "ALSA: hda/conexant: Mute speakers at suspend / shutdown"
    
    commit c9363bbb0f68dd1ddb8be7bbfe958cdfcd38d851 upstream.
    
    Commit 4f61c8fe3520 ("ALSA: hda/conexant: Mute speakers at suspend /
    shutdown") mutes speakers on system shutdown or whenever HDA controller
    is suspended by PM; this however interacts badly with Thinkpad's ACPI
    firmware behavior which uses beeps to signal various events (enter/leave
    suspend or hibernation, AC power connect/disconnect, low battery, etc.);
    now those beeps are either muted altogether (for suspend/hibernate/
    shutdown related events) or work more or less randomly (eg. AC
    plug/unplug is only audible when you are playing music at the moment,
    because HDA device is likely in suspend mode otherwise).
    
    Since the original bug report mentioned in 4f61c8fe3520 complained about
    Lenovo's Thinkpad laptop - revert this commit altogether.
    
    Fixes: 4f61c8fe3520 ("ALSA: hda/conexant: Mute speakers at suspend / shutdown")
    Signed-off-by: Jarosław Janik <jaroslaw.janik@gmail.com>
    Link: https://patch.msgid.link/20241030171813.18941-2-jaroslaw.janik@gmail.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
Revert "wifi: mac80211: fix RCU list iterations" [+ + +]
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Sun Nov 10 06:02:40 2024 +0100

    Revert "wifi: mac80211: fix RCU list iterations"
    
    This reverts commit b0b2dc1eaa7ec509e07a78c9974097168ae565b7 which is
    commit ac35180032fbc5d80b29af00ba4881815ceefcb6 upstream.
    
    It should not have been backported here due to lack of other rcu
    changes in the stable branches.
    
    Cc: Johannes Berg <johannes@sipsolutions.net>
    Cc: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
riscv/purgatory: align riscv_kernel_entry [+ + +]
Author: Daniel Maslowski <cyrevolt@googlemail.com>
Date:   Fri Jul 19 19:04:37 2024 +0200

    riscv/purgatory: align riscv_kernel_entry
    
    commit fb197c5d2fd24b9af3d4697d0cf778645846d6d5 upstream.
    
    When alignment handling is delegated to the kernel, everything must be
    word-aligned in purgatory, since the trap handler is then set to the
    kexec one. Without the alignment, hitting the exception would
    ultimately crash. On other occasions, the kernel's handler would take
    care of exceptions.
    This has been tested on a JH7110 SoC with oreboot and its SBI delegating
    unaligned access exceptions and the kernel configured to handle them.
    
    Fixes: 736e30af583fb ("RISC-V: Add purgatory")
    Signed-off-by: Daniel Maslowski <cyrevolt@gmail.com>
    Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
    Link: https://lore.kernel.org/r/20240719170437.247457-1-cyrevolt@gmail.com
    Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
    Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
scsi: sd_zbc: Use kvzalloc() to allocate REPORT ZONES buffer [+ + +]
Author: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Date:   Wed Oct 30 12:02:53 2024 +0100

    scsi: sd_zbc: Use kvzalloc() to allocate REPORT ZONES buffer
    
    [ Upstream commit 7ce3e6107103214d354a16729a472f588be60572 ]
    
    We have two reports of failed memory allocation in btrfs' code which is
    calling into report zones.
    
    Both of these reports have the following signature coming from
    __vmalloc_area_node():
    
     kworker/u17:5: vmalloc error: size 0, failed to allocate pages, mode:0x10dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NORETRY|__GFP_ZERO), nodemask=(null),cpuset=/,mems_allowed=0
    
    Further debugging showed these where allocations of one sector (512
    bytes) and at least one of the reporter's systems where low on memory,
    so going through the overhead of allocating a vm area failed.
    
    Switching the allocation from __vmalloc() to kvzalloc() avoids the
    overhead of vmalloc() on small allocations and succeeds.
    
    Note: the buffer is already freed using kvfree() so there's no need to
    adjust the free path.
    
    Cc: Qu Wenru <wqu@suse.com>
    Cc: Naohiro Aota <naohiro.aota@wdc.com>
    Link: https://github.com/kdave/btrfs-progs/issues/779
    Link: https://github.com/kdave/btrfs-progs/issues/915
    Fixes: 23a50861adda ("scsi: sd_zbc: Cleanup sd_zbc_alloc_report_buffer()")
    Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
    Link: https://lore.kernel.org/r/20241030110253.11718-1-jth@kernel.org
    Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
sctp: properly validate chunk size in sctp_sf_ootb() [+ + +]
Author: Xin Long <lucien.xin@gmail.com>
Date:   Tue Oct 29 13:46:21 2024 -0400

    sctp: properly validate chunk size in sctp_sf_ootb()
    
    [ Upstream commit 0ead60804b64f5bd6999eec88e503c6a1a242d41 ]
    
    A size validation fix similar to that in Commit 50619dbf8db7 ("sctp: add
    size validation when walking chunks") is also required in sctp_sf_ootb()
    to address a crash reported by syzbot:
    
      BUG: KMSAN: uninit-value in sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
      sctp_sf_ootb+0x7f5/0xce0 net/sctp/sm_statefuns.c:3712
      sctp_do_sm+0x181/0x93d0 net/sctp/sm_sideeffect.c:1166
      sctp_endpoint_bh_rcv+0xc38/0xf90 net/sctp/endpointola.c:407
      sctp_inq_push+0x2ef/0x380 net/sctp/inqueue.c:88
      sctp_rcv+0x3831/0x3b20 net/sctp/input.c:243
      sctp4_rcv+0x42/0x50 net/sctp/protocol.c:1159
      ip_protocol_deliver_rcu+0xb51/0x13d0 net/ipv4/ip_input.c:205
      ip_local_deliver_finish+0x336/0x500 net/ipv4/ip_input.c:233
    
    Reported-by: syzbot+f0cbb34d39392f2746ca@syzkaller.appspotmail.com
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Xin Long <lucien.xin@gmail.com>
    Link: https://patch.msgid.link/a29ebb6d8b9f8affd0f9abb296faafafe10c17d8.1730223981.git.lucien.xin@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
security/keys: fix slab-out-of-bounds in key_task_permission [+ + +]
Author: Chen Ridong <chenridong@huawei.com>
Date:   Tue Oct 8 12:46:39 2024 +0000

    security/keys: fix slab-out-of-bounds in key_task_permission
    
    [ Upstream commit 4a74da044ec9ec8679e6beccc4306b936b62873f ]
    
    KASAN reports an out of bounds read:
    BUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36
    BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline]
    BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410
    security/keys/permission.c:54
    Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362
    
    CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15
    Call Trace:
     __dump_stack lib/dump_stack.c:82 [inline]
     dump_stack+0x107/0x167 lib/dump_stack.c:123
     print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400
     __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560
     kasan_report+0x3a/0x50 mm/kasan/report.c:585
     __kuid_val include/linux/uidgid.h:36 [inline]
     uid_eq include/linux/uidgid.h:63 [inline]
     key_task_permission+0x394/0x410 security/keys/permission.c:54
     search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793
    
    This issue was also reported by syzbot.
    
    It can be reproduced by following these steps(more details [1]):
    1. Obtain more than 32 inputs that have similar hashes, which ends with the
       pattern '0xxxxxxxe6'.
    2. Reboot and add the keys obtained in step 1.
    
    The reproducer demonstrates how this issue happened:
    1. In the search_nested_keyrings function, when it iterates through the
       slots in a node(below tag ascend_to_node), if the slot pointer is meta
       and node->back_pointer != NULL(it means a root), it will proceed to
       descend_to_node. However, there is an exception. If node is the root,
       and one of the slots points to a shortcut, it will be treated as a
       keyring.
    2. Whether the ptr is keyring decided by keyring_ptr_is_keyring function.
       However, KEYRING_PTR_SUBTYPE is 0x2UL, the same as
       ASSOC_ARRAY_PTR_SUBTYPE_MASK.
    3. When 32 keys with the similar hashes are added to the tree, the ROOT
       has keys with hashes that are not similar (e.g. slot 0) and it splits
       NODE A without using a shortcut. When NODE A is filled with keys that
       all hashes are xxe6, the keys are similar, NODE A will split with a
       shortcut. Finally, it forms the tree as shown below, where slot 6 points
       to a shortcut.
    
                          NODE A
                  +------>+---+
          ROOT    |       | 0 | xxe6
          +---+   |       +---+
     xxxx | 0 | shortcut  :   : xxe6
          +---+   |       +---+
     xxe6 :   :   |       |   | xxe6
          +---+   |       +---+
          | 6 |---+       :   : xxe6
          +---+           +---+
     xxe6 :   :           | f | xxe6
          +---+           +---+
     xxe6 | f |
          +---+
    
    4. As mentioned above, If a slot(slot 6) of the root points to a shortcut,
       it may be mistakenly transferred to a key*, leading to a read
       out-of-bounds read.
    
    To fix this issue, one should jump to descend_to_node if the ptr is a
    shortcut, regardless of whether the node is root or not.
    
    [1] https://lore.kernel.org/linux-kernel/1cfa878e-8c7b-4570-8606-21daf5e13ce7@huaweicloud.com/
    
    [jarkko: tweaked the commit message a bit to have an appropriate closes
     tag.]
    Fixes: b2a4df200d57 ("KEYS: Expand the capacity of a keyring")
    Reported-by: syzbot+5b415c07907a2990d1a3@syzkaller.appspotmail.com
    Closes: https://lore.kernel.org/all/000000000000cbb7860611f61147@google.com/T/
    Signed-off-by: Chen Ridong <chenridong@huawei.com>
    Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
    Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
signal: restore the override_rlimit logic [+ + +]
Author: Roman Gushchin <roman.gushchin@linux.dev>
Date:   Mon Nov 4 19:54:19 2024 +0000

    signal: restore the override_rlimit logic
    
    commit 9e05e5c7ee8758141d2db7e8fea2cab34500c6ed upstream.
    
    Prior to commit d64696905554 ("Reimplement RLIMIT_SIGPENDING on top of
    ucounts") UCOUNT_RLIMIT_SIGPENDING rlimit was not enforced for a class of
    signals.  However now it's enforced unconditionally, even if
    override_rlimit is set.  This behavior change caused production issues.
    
    For example, if the limit is reached and a process receives a SIGSEGV
    signal, sigqueue_alloc fails to allocate the necessary resources for the
    signal delivery, preventing the signal from being delivered with siginfo.
    This prevents the process from correctly identifying the fault address and
    handling the error.  From the user-space perspective, applications are
    unaware that the limit has been reached and that the siginfo is
    effectively 'corrupted'.  This can lead to unpredictable behavior and
    crashes, as we observed with java applications.
    
    Fix this by passing override_rlimit into inc_rlimit_get_ucounts() and skip
    the comparison to max there if override_rlimit is set.  This effectively
    restores the old behavior.
    
    Link: https://lkml.kernel.org/r/20241104195419.3962584-1-roman.gushchin@linux.dev
    Fixes: d64696905554 ("Reimplement RLIMIT_SIGPENDING on top of ucounts")
    Signed-off-by: Roman Gushchin <roman.gushchin@linux.dev>
    Co-developed-by: Andrei Vagin <avagin@google.com>
    Signed-off-by: Andrei Vagin <avagin@google.com>
    Acked-by: Oleg Nesterov <oleg@redhat.com>
    Acked-by: Alexey Gladkov <legion@kernel.org>
    Cc: Kees Cook <kees@kernel.org>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
sunrpc: handle -ENOTCONN in xs_tcp_setup_socket() [+ + +]
Author: NeilBrown <neilb@suse.de>
Date:   Wed Oct 9 16:28:06 2024 +1100

    sunrpc: handle -ENOTCONN in xs_tcp_setup_socket()
    
    [ Upstream commit 10f0740234f0b157b41bdc7e9c3555a9b86c1599 ]
    
    xs_tcp_finish_connecting() can return -ENOTCONN but the switch statement
    in xs_tcp_setup_socket() treats that as an unhandled error.
    
    If we treat it as a known error it would propagate back to
    call_connect_status() which does handle that error code.  This appears
    to be the intention of the commit (given below) which added -ENOTCONN as
    a return status for xs_tcp_finish_connecting().
    
    So add -ENOTCONN to the switch statement as an error to pass through to
    the caller.
    
    Link: https://bugzilla.suse.com/show_bug.cgi?id=1231050
    Link: https://access.redhat.com/discussions/3434091
    Fixes: 01d37c428ae0 ("SUNRPC: xprt_connect() don't abort the task if the transport isn't bound")
    Signed-off-by: NeilBrown <neilb@suse.de>
    Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
    Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
thermal/drivers/qcom/lmh: Remove false lockdep backtrace [+ + +]
Author: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Date:   Fri Oct 11 08:48:39 2024 +0300

    thermal/drivers/qcom/lmh: Remove false lockdep backtrace
    
    commit f16beaaee248eaa37ad40b5905924fcf70ae02e3 upstream.
    
    Annotate LMH IRQs with lockdep classes so that the lockdep doesn't
    report possible recursive locking issue between LMH and GIC interrupts.
    
    For the reference:
    
           CPU0
           ----
      lock(&irq_desc_lock_class);
      lock(&irq_desc_lock_class);
    
     *** DEADLOCK ***
    
    Call trace:
     dump_backtrace+0x98/0xf0
     show_stack+0x18/0x24
     dump_stack_lvl+0x90/0xd0
     dump_stack+0x18/0x24
     print_deadlock_bug+0x258/0x348
     __lock_acquire+0x1078/0x1f44
     lock_acquire+0x1fc/0x32c
     _raw_spin_lock_irqsave+0x60/0x88
     __irq_get_desc_lock+0x58/0x98
     enable_irq+0x38/0xa0
     lmh_enable_interrupt+0x2c/0x38
     irq_enable+0x40/0x8c
     __irq_startup+0x78/0xa4
     irq_startup+0x78/0x168
     __enable_irq+0x70/0x7c
     enable_irq+0x4c/0xa0
     qcom_cpufreq_ready+0x20/0x2c
     cpufreq_online+0x2a8/0x988
     cpufreq_add_dev+0x80/0x98
     subsys_interface_register+0x104/0x134
     cpufreq_register_driver+0x150/0x234
     qcom_cpufreq_hw_driver_probe+0x2a8/0x388
     platform_probe+0x68/0xc0
     really_probe+0xbc/0x298
     __driver_probe_device+0x78/0x12c
     driver_probe_device+0x3c/0x160
     __device_attach_driver+0xb8/0x138
     bus_for_each_drv+0x84/0xe0
     __device_attach+0x9c/0x188
     device_initial_probe+0x14/0x20
     bus_probe_device+0xac/0xb0
     deferred_probe_work_func+0x8c/0xc8
     process_one_work+0x20c/0x62c
     worker_thread+0x1bc/0x36c
     kthread+0x120/0x124
     ret_from_fork+0x10/0x20
    
    Fixes: 53bca371cdf7 ("thermal/drivers/qcom: Add support for LMh driver")
    Cc: stable@vger.kernel.org
    Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    Link: https://lore.kernel.org/r/20241011-lmh-lockdep-v1-1-495cbbe6fef1@linaro.org
    Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
thermal/of: support thermal zones w/o trips subnode [+ + +]
Author: Icenowy Zheng <uwu@icenowy.me>
Date:   Fri Oct 18 15:31:36 2024 +0800

    thermal/of: support thermal zones w/o trips subnode
    
    [ Upstream commit 725f31f300e300a9d94976bd8f1db6e746f95f63 ]
    
    Although the current device tree binding of thermal zones require the
    trips subnode, the binding in kernel v5.15 does not require it, and many
    device trees shipped with the kernel, for example,
    allwinner/sun50i-a64.dtsi and mediatek/mt8183-kukui.dtsi in ARM64, still
    comply to the old binding and contain no trips subnode.
    
    Allow the code to successfully register thermal zones w/o trips subnode
    for DT binding compatibility now.
    
    Furtherly, the inconsistency between DTs and bindings should be resolved
    by either adding empty trips subnode or dropping the trips subnode
    requirement.
    
    Fixes: d0c75fa2c17f ("thermal/of: Initialize trip points separately")
    Signed-off-by: Icenowy Zheng <uwu@icenowy.me>
    [wenst@chromium.org: Reworked logic and kernel log messages]
    Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
    Reviewed-by: Rafael J. Wysocki <rafael@kernel.org>
    Link: https://lore.kernel.org/r/20241018073139.1268995-1-wenst@chromium.org
    Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
tools/lib/thermal: Fix sampling handler context ptr [+ + +]
Author: Emil Dahl Juhl <emdj@bang-olufsen.dk>
Date:   Tue Oct 15 19:18:26 2024 +0200

    tools/lib/thermal: Fix sampling handler context ptr
    
    [ Upstream commit fcd54cf480c87b96313a97dbf898c644b7bb3a2e ]
    
    The sampling handler, provided by the user alongside a void* context,
    was invoked with an internal structure instead of the user context.
    
    Correct the invocation of the sampling handler to pass the user context
    pointer instead.
    
    Note that the approach taken is similar to that in events.c, and will
    reduce the chances of this mistake happening if additional sampling
    callbacks are added.
    
    Fixes: 47c4b0de080a ("tools/lib/thermal: Add a thermal library")
    Signed-off-by: Emil Dahl Juhl <emdj@bang-olufsen.dk>
    Link: https://lore.kernel.org/r/20241015171826.170154-1-emdj@bang-olufsen.dk
    Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ucounts: fix counter leak in inc_rlimit_get_ucounts() [+ + +]
Author: Andrei Vagin <avagin@google.com>
Date:   Fri Nov 1 19:19:40 2024 +0000

    ucounts: fix counter leak in inc_rlimit_get_ucounts()
    
    commit 432dc0654c612457285a5dcf9bb13968ac6f0804 upstream.
    
    The inc_rlimit_get_ucounts() increments the specified rlimit counter and
    then checks its limit.  If the value exceeds the limit, the function
    returns an error without decrementing the counter.
    
    Link: https://lkml.kernel.org/r/20241101191940.3211128-1-roman.gushchin@linux.dev
    Fixes: 15bc01effefe ("ucounts: Fix signal ucount refcounting")
    Signed-off-by: Andrei Vagin <avagin@google.com>
    Co-developed-by: Roman Gushchin <roman.gushchin@linux.dev>
    Signed-off-by: Roman Gushchin <roman.gushchin@linux.dev>
    Tested-by: Roman Gushchin <roman.gushchin@linux.dev>
    Acked-by: Alexey Gladkov <legion@kernel.org>
    Cc: Kees Cook <kees@kernel.org>
    Cc: Andrei Vagin <avagin@google.com>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: Alexey Gladkov <legion@kernel.org>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
usb: dwc3: fix fault at system suspend if device was already runtime suspended [+ + +]
Author: Roger Quadros <rogerq@kernel.org>
Date:   Mon Nov 4 16:00:11 2024 +0200

    usb: dwc3: fix fault at system suspend if device was already runtime suspended
    
    commit 9cfb31e4c89d200d8ab7cb1e0bb9e6e8d621ca0b upstream.
    
    If the device was already runtime suspended then during system suspend
    we cannot access the device registers else it will crash.
    
    Also we cannot access any registers after dwc3_core_exit() on some
    platforms so move the dwc3_enable_susphy() call to the top.
    
    Cc: stable@vger.kernel.org # v5.15+
    Reported-by: William McVicker <willmcvicker@google.com>
    Closes: https://lore.kernel.org/all/ZyVfcUuPq56R2m1Y@google.com
    Fixes: 705e3ce37bcc ("usb: dwc3: core: Fix system suspend on TI AM62 platforms")
    Signed-off-by: Roger Quadros <rogerq@kernel.org>
    Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
    Tested-by: Will McVicker <willmcvicker@google.com>
    Link: https://lore.kernel.org/r/20241104-am62-lpm-usb-fix-v1-1-e93df73a4f0d@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

usb: musb: sunxi: Fix accessing an released usb phy [+ + +]
Author: Zijun Hu <quic_zijuhu@quicinc.com>
Date:   Tue Oct 29 23:13:38 2024 +0800

    usb: musb: sunxi: Fix accessing an released usb phy
    
    commit 498dbd9aea205db9da674994b74c7bf8e18448bd upstream.
    
    Commit 6ed05c68cbca ("usb: musb: sunxi: Explicitly release USB PHY on
    exit") will cause that usb phy @glue->xceiv is accessed after released.
    
    1) register platform driver @sunxi_musb_driver
    // get the usb phy @glue->xceiv
    sunxi_musb_probe() -> devm_usb_get_phy().
    
    2) register and unregister platform driver @musb_driver
    musb_probe() -> sunxi_musb_init()
    use the phy here
    //the phy is released here
    musb_remove() -> sunxi_musb_exit() -> devm_usb_put_phy()
    
    3) register @musb_driver again
    musb_probe() -> sunxi_musb_init()
    use the phy here but the phy has been released at 2).
    ...
    
    Fixed by reverting the commit, namely, removing devm_usb_put_phy()
    from sunxi_musb_exit().
    
    Fixes: 6ed05c68cbca ("usb: musb: sunxi: Explicitly release USB PHY on exit")
    Cc: stable@vger.kernel.org
    Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
    Link: https://lore.kernel.org/r/20241029-sunxi_fix-v1-1-9431ed2ab826@quicinc.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
USB: serial: io_edgeport: fix use after free in debug printk [+ + +]
Author: Dan Carpenter <dan.carpenter@linaro.org>
Date:   Thu Oct 31 12:48:30 2024 +0300

    USB: serial: io_edgeport: fix use after free in debug printk
    
    commit 37bb5628379295c1254c113a407cab03a0f4d0b4 upstream.
    
    The "dev_dbg(&urb->dev->dev, ..." which happens after usb_free_urb(urb)
    is a use after free of the "urb" pointer.  Store the "dev" pointer at the
    start of the function to avoid this issue.
    
    Fixes: 984f68683298 ("USB: serial: io_edgeport.c: remove dbg() usage")
    Cc: stable@vger.kernel.org
    Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

USB: serial: option: add Fibocom FG132 0x0112 composition [+ + +]
Author: Reinhard Speyerer <rspmn@arcor.de>
Date:   Fri Oct 18 23:07:06 2024 +0200

    USB: serial: option: add Fibocom FG132 0x0112 composition
    
    commit 393c74ccbd847bacf18865a01b422586fc7341cf upstream.
    
    Add Fibocom FG132 0x0112 composition:
    
    T:  Bus=03 Lev=02 Prnt=06 Port=01 Cnt=02 Dev#= 10 Spd=12   MxCh= 0
    D:  Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
    P:  Vendor=2cb7 ProdID=0112 Rev= 5.15
    S:  Manufacturer=Fibocom Wireless Inc.
    S:  Product=Fibocom Module
    S:  SerialNumber=xxxxxxxx
    C:* #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=500mA
    I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
    E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
    E:  Ad=81(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
    E:  Ad=01(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
    I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
    E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
    E:  Ad=83(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
    I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
    E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=84(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
    E:  Ad=03(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
    I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=86(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
    E:  Ad=04(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
    
    Signed-off-by: Reinhard Speyerer <rspmn@arcor.de>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

USB: serial: option: add Quectel RG650V [+ + +]
Author: Benoît Monin <benoit.monin@gmx.fr>
Date:   Thu Oct 24 17:09:19 2024 +0200

    USB: serial: option: add Quectel RG650V
    
    commit 3b05949ba39f305b585452d0e177470607842165 upstream.
    
    Add support for Quectel RG650V which is based on Qualcomm SDX65 chip.
    The composition is DIAG / NMEA / AT / AT / QMI.
    
    T:  Bus=02 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#=  4 Spd=5000 MxCh= 0
    D:  Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs=  1
    P:  Vendor=2c7c ProdID=0122 Rev=05.15
    S:  Manufacturer=Quectel
    S:  Product=RG650V-EU
    S:  SerialNumber=xxxxxxx
    C:  #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=896mA
    I:  If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
    E:  Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E:  Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    I:  If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E:  Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E:  Ad=83(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=9ms
    I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
    E:  Ad=04(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E:  Ad=85(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=9ms
    I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
    E:  Ad=05(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E:  Ad=87(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
    E:  Ad=88(I) Atr=03(Int.) MxPS=   8 Ivl=9ms
    
    Signed-off-by: Benoît Monin <benoit.monin@gmx.fr>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

USB: serial: qcserial: add support for Sierra Wireless EM86xx [+ + +]
Author: Jack Wu <wojackbb@gmail.com>
Date:   Wed Nov 6 18:50:29 2024 +0800

    USB: serial: qcserial: add support for Sierra Wireless EM86xx
    
    commit 25eb47eed52979c2f5eee3f37e6c67714e02c49c upstream.
    
    Add support for Sierra Wireless EM86xx with USB-id 0x1199:0x90e5 and
    0x1199:0x90e4.
    
    0x1199:0x90e5
    T:  Bus=03 Lev=01 Prnt=01 Port=05 Cnt=01 Dev#= 14 Spd=480  MxCh= 0
    D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
    P:  Vendor=1199 ProdID=90e5 Rev= 5.15
    S:  Manufacturer=Sierra Wireless, Incorporated
    S:  Product=Semtech EM8695 Mobile Broadband Adapter
    S:  SerialNumber=004403161882339
    C:* #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
    A:  FirstIf#=12 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
    I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=qcserial
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs
    E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=qcserial
    E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
    E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    I:* If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
    E:  Ad=85(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
    I:* If#=12 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
    E:  Ad=87(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
    I:  If#=13 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
    I:* If#=13 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
    E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    0x1199:0x90e4
    T:  Bus=03 Lev=01 Prnt=01 Port=05 Cnt=01 Dev#= 16 Spd=480  MxCh= 0
    D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
    P:  Vendor=1199 ProdID=90e4 Rev= 0.00
    S:  Manufacturer=Sierra Wireless, Incorporated
    S:  SerialNumber=004403161882339
    C:* #Ifs= 1 Cfg#= 1 Atr=a0 MxPwr=  2mA
    I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=10 Driver=qcserial
    E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
    
    Signed-off-by: Jack Wu <wojackbb@gmail.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
usb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd() [+ + +]
Author: Dan Carpenter <dan.carpenter@linaro.org>
Date:   Mon Nov 4 20:16:42 2024 +0300

    usb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd()
    
    commit 7dd08a0b4193087976db6b3ee7807de7e8316f96 upstream.
    
    The "*cmd" variable can be controlled by the user via debugfs.  That means
    "new_cam" can be as high as 255 while the size of the uc->updated[] array
    is UCSI_MAX_ALTMODES (30).
    
    The call tree is:
    ucsi_cmd() // val comes from simple_attr_write_xsigned()
    -> ucsi_send_command()
       -> ucsi_send_command_common()
          -> ucsi_run_command() // calls ucsi->ops->sync_control()
             -> ucsi_ccg_sync_control()
    
    Fixes: 170a6726d0e2 ("usb: typec: ucsi: add support for separate DP altmode devices")
    Cc: stable <stable@kernel.org>
    Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
    Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
    Link: https://lore.kernel.org/r/325102b3-eaa8-4918-a947-22aca1146586@stanley.mountain
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
virtio_net: Add hash_key_length check [+ + +]
Author: Philo Lu <lulie@linux.alibaba.com>
Date:   Mon Nov 4 16:57:04 2024 +0800

    virtio_net: Add hash_key_length check
    
    [ Upstream commit 3f7d9c1964fcd16d02a8a9d4fd6f6cb60c4cc530 ]
    
    Add hash_key_length check in virtnet_probe() to avoid possible out of
    bound errors when setting/reading the hash key.
    
    Fixes: c7114b1249fa ("drivers/net/virtio_net: Added basic RSS support.")
    Signed-off-by: Philo Lu <lulie@linux.alibaba.com>
    Signed-off-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
    Acked-by: Joe Damato <jdamato@fastly.com>
    Acked-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans [+ + +]
Author: Hyunwoo Kim <v4bel@theori.io>
Date:   Tue Oct 22 09:32:56 2024 +0200

    vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans
    
    commit 6ca575374dd9a507cdd16dfa0e78c2e9e20bd05f upstream.
    
    During loopback communication, a dangling pointer can be created in
    vsk->trans, potentially leading to a Use-After-Free condition.  This
    issue is resolved by initializing vsk->trans to NULL.
    
    Cc: stable <stable@kernel.org>
    Fixes: 06a8fc78367d ("VSOCK: Introduce virtio_vsock_common.ko")
    Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
    Signed-off-by: Wongi Lee <qwerty@theori.io>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Message-Id: <2024102245-strive-crib-c8d3@gregkh>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>