1. 13 Mar, 2024 2 commits
    • x86/xen: attempt to inflate the memory balloon on PVH · 38620fc4
      Roger Pau Monne authored
      When running as PVH or HVM Linux will use holes in the memory map as scratch
      space to map grants, foreign domain pages and possibly miscellaneous other
      stuff.  However the usage of such memory map holes for Xen purposes can be
      problematic.  The request of holes by Xen happens quite early in the kernel boot
      process (grant table setup already uses scratch map space), and it's possible
      that by then not all devices have reclaimed their MMIO space.  It's not
      unlikely for chunks of Xen scratch map space to end up using PCI bridge MMIO
      window memory, which (as expected) causes quite a lot of issues in the system.
      
      At least for PVH dom0 we have the possibility of using regions marked as
      UNUSABLE in the e820 memory map.  Either if the region is UNUSABLE in the
      native memory map, or it has been converted into UNUSABLE in order to hide RAM
      regions from dom0, the second stage translation page-tables can populate those
      areas without issues.
      
      PV already has this kind of logic, where the balloon driver is inflated at
      boot.  Re-use the current logic in order to also inflate it when running as
      PVH.  Convert UNUSABLE regions up to the ratio specified in EXTRA_MEM_RATIO to
      RAM, while reserving them using xen_add_extra_mem() (which is also moved so
      it's no longer tied to CONFIG_PV).
      
      [jgross: fixed build for CONFIG_PVH without CONFIG_XEN_PVH]
      Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
      Reviewed-by: Juergen Gross <jgross@suse.com>
      Link: https://lore.kernel.org/r/20240220174341.56131-1-roger.pau@citrix.com
      Signed-off-by: Juergen Gross <jgross@suse.com>
    • xen/grant-dma-iommu: Convert to platform remove callback returning void · cc87253e
      Uwe Kleine-König authored
      The .remove() callback for a platform driver returns an int which makes
      many driver authors wrongly assume it's possible to do error handling by
      returning an error code. However the value returned is ignored (apart
      from emitting a warning) and this typically results in resource leaks.
      
      To improve here there is a quest to make the remove callback return
      void. In the first step of this quest all drivers are converted to
      .remove_new(), which already returns void. Eventually after all drivers
      are converted, .remove_new() will be renamed to .remove().
      
      Trivially convert this driver from always returning zero in the remove
      callback to the void returning variant.
      Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
      Reviewed-by: Juergen Gross <jgross@suse.com>
      Link: https://lore.kernel.org/r/20240307181135.191192-2-u.kleine-koenig@pengutronix.de
      Signed-off-by: Juergen Gross <jgross@suse.com>
  2. 10 Mar, 2024 7 commits
    • Linux 6.8 · e8f897f4
      Linus Torvalds authored
    • Merge tag 'trace-ring-buffer-v6.8-rc7' of... · fa4b851b
      Linus Torvalds authored
      Merge tag 'trace-ring-buffer-v6.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
      
      Pull tracing fixes from Steven Rostedt:
      
       - Do not allow large strings (> 4096) as single write to trace_marker
      
         The size of a string written into trace_marker was determined by the
         size of the sub-buffer in the ring buffer. That size is dependent on
         the PAGE_SIZE of the architecture as it can be mapped into user
         space. But on PowerPC, where PAGE_SIZE is 64K, that made the limit of
         the string of writing into trace_marker 64K.
      
         One of the selftests looks at the size of the ring buffer sub-buffers
         and writes that plus more into the trace_marker. The write will take
         what it can and report back what it consumed so that the user space
         application (like echo) will write the rest of the string. The string
         is stored in the ring buffer and can be read via the "trace" or
         "trace_pipe" files.
      
         The reading of the ring buffer uses vsnprintf(), which uses a
         precision "%.*s" to make sure it only reads what is stored in the
         buffer, as a bug could cause the string to be non terminated.
      
         With the combination of the precision change and the PAGE_SIZE of 64K
         allowing huge strings to be added into the ring buffer, plus the test
         that would actually stress that limit, a bug was reported that the
         precision used was too big for "%.*s" as the string was close to 64K
         in size and the max precision of vsnprintf is 32K.
      
         Linus suggested not to have that precision as it could hide a bug if
         the string was again stored without a nul byte.
      
         Another issue that was brought up is that the trace_seq buffer is
         also based on PAGE_SIZE even though it is not tied to the
         architecture limit like the ring buffer sub-buffer is. Having it be
         64K * 2 is simply just too big and wasting memory on systems with 64K
         page sizes. It is now hardcoded to 8K which is what all other
         architectures with 4K PAGE_SIZE have.
      
         Finally, the write to trace_marker is now limited to 4K as there is
         no reason to write larger strings into trace_marker.
      
       - ring_buffer_wait() should not loop.
      
         The ring_buffer_wait() does not have the full context (yet) on if it
         should loop or not. Just exit the loop as soon as it's woken up and
         let the callers decide to loop or not (they already do, so it's a bit
         redundant).
      
       - Fix shortest_full field to be the smallest amount in the ring buffer
         that a waiter is waiting for. The "shortest_full" field is updated
         when a new waiter comes in and wants to wait for a smaller amount of
         data in the ring buffer than other waiters. But after all waiters are
         woken up, it's not reset, so if another waiter comes in wanting to
         wait for more data, it will be woken up when the ring buffer has a
         smaller amount from what the previous waiters were waiting for.
      
       - The wake up all waiters on close is incorrectly called from
         .release() and not from .flush() so it will never wake up any waiters
         as the .release() will not get called until all .read() calls are
         finished. And the wakeup is for the waiters in those .read() calls.
      
      * tag 'trace-ring-buffer-v6.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
        tracing: Use .flush() call to wake up readers
        ring-buffer: Fix resetting of shortest_full
        ring-buffer: Fix waking up ring buffer readers
        tracing: Limit trace_marker writes to just 4K
        tracing: Limit trace_seq size to just 8K and not depend on architecture PAGE_SIZE
        tracing: Remove precision vsnprintf() check from print event
    • Merge tag 'phy-fixes3-6.8' of git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phy · 210ee636
      Linus Torvalds authored
      Pull phy fixes from Vinod Koul:
      
       - fixes for Qualcomm qmp-combo driver for ordering of drm and type-c
         switch registration due to drivers might not probe defer after having
         registered child devices to avoid triggering a probe deferral loop.
      
         This fixes internal display on Lenovo ThinkPad X13s
      
      * tag 'phy-fixes3-6.8' of git://git.kernel.org/pub/scm/linux/kernel/git/phy/linux-phy:
        phy: qcom-qmp-combo: fix type-c switch registration
        phy: qcom-qmp-combo: fix drm bridge registration
    • tracing: Use .flush() call to wake up readers · e5d7c191
      Steven Rostedt (Google) authored
      The .release() function does not get called until all readers of a file
      descriptor are finished.
      
      If a thread is blocked on reading a file descriptor in ring_buffer_wait(),
      and another thread closes the file descriptor, it will not wake up the
      other thread as ring_buffer_wake_waiters() is called by .release(), and
      that will not get called until the .read() is finished.
      
      The issue originally showed up in trace-cmd, but the readers are actually
      other processes with their own file descriptors. So calling close() would wake
      up the other tasks because they are blocked on another descriptor than the
      one that was closed(). But there's other wake ups that solve that issue.
      
      When a thread is blocked on a read, it can still hang even when another
      thread closed its descriptor.
      
      This is what the .flush() callback is for. Have the .flush() wake up the
      readers.
      
      Link: https://lore.kernel.org/linux-trace-kernel/20240308202432.107909457@goodmis.org
      
      Cc: stable@vger.kernel.org
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: linke li <lilinke99@qq.com>
      Cc: Rabin Vincent <rabin@rab.in>
      Fixes: f3ddb74a ("tracing: Wake up ring buffer waiters on closing of the file")
      Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
    • ring-buffer: Fix resetting of shortest_full · 68282dd9
      Steven Rostedt (Google) authored
      The "shortest_full" variable is used to keep track of the waiter that is
      waiting for the smallest amount on the ring buffer before being woken up.
      When a task waits on the ring buffer, it passes in a "full" value that is
      a percentage. 0 means wake up on any data. 1-100 means wake up from 1% to
      100% full buffer.
      
      As all waiters are on the same wait queue, the wake up happens for the
      waiter with the smallest percentage.
      
      The problem is that the smallest_full on the cpu_buffer that stores the
      smallest amount doesn't get reset when all the waiters are woken up. It
      does get reset when the ring buffer is reset (echo > /sys/kernel/tracing/trace).
      
      This means that tasks may be woken up more often than when they want to
      be. Instead, have the shortest_full field get reset just before waking up
      all the tasks. If the tasks wait again, they will update the shortest_full
      before sleeping.
      
      Also add locking around setting of shortest_full in the poll logic, and
      change "work" to "rbwork" to match the variable name for rb_irq_work
      structures that are used in other places.
      
      Link: https://lore.kernel.org/linux-trace-kernel/20240308202431.948914369@goodmis.org
      
      Cc: stable@vger.kernel.org
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: linke li <lilinke99@qq.com>
      Cc: Rabin Vincent <rabin@rab.in>
      Fixes: 2c2b0a78 ("ring-buffer: Add percentage of ring buffer full to wake up reader")
      Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 137e0ec0
      Linus Torvalds authored
      Pull kvm fixes from Paolo Bonzini:
       "KVM GUEST_MEMFD fixes for 6.8:
      
         - Make KVM_MEM_GUEST_MEMFD mutually exclusive with KVM_MEM_READONLY
           to avoid creating an inconsistent ABI (KVM_MEM_GUEST_MEMFD is not
           writable from userspace, so there would be no way to write to a
           read-only guest_memfd).
      
         - Update documentation for KVM_SW_PROTECTED_VM to make it abundantly
           clear that such VMs are purely for development and testing.
      
         - Limit KVM_SW_PROTECTED_VM guests to the TDP MMU, as the long term
           plan is to support confidential VMs with deterministic private
           memory (SNP and TDX) only in the TDP MMU.
      
         - Fix a bug in a GUEST_MEMFD dirty logging test that caused false
           passes.
      
        x86 fixes:
      
         - Fix missing marking of a guest page as dirty when emulating an
           atomic access.
      
         - Check for mmu_notifier invalidation events before faulting in the
           pfn, and before acquiring mmu_lock, to avoid unnecessary work and
           lock contention with preemptible kernels (including
           CONFIG_PREEMPT_DYNAMIC in non-preemptible mode).
      
         - Disable AMD DebugSwap by default, it breaks VMSA signing and will
           be re-enabled with a better VM creation API in 6.10.
      
         - Do the cache flush of converted pages in svm_register_enc_region()
           before dropping kvm->lock, to avoid a race with unregistering of
           the same region and the consequent use-after-free issue"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        SEV: disable SEV-ES DebugSwap by default
        KVM: x86/mmu: Retry fault before acquiring mmu_lock if mapping is changing
        KVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region()
        KVM: selftests: Add a testcase to verify GUEST_MEMFD and READONLY are exclusive
        KVM: selftests: Create GUEST_MEMFD for relevant invalid flags testcases
        KVM: x86/mmu: Restrict KVM_SW_PROTECTED_VM to the TDP MMU
        KVM: x86: Update KVM_SW_PROTECTED_VM docs to make it clear they're a WIP
        KVM: Make KVM_MEM_GUEST_MEMFD mutually exclusive with KVM_MEM_READONLY
        KVM: x86: Mark target gfn of emulated atomic instruction as dirty
    • ring-buffer: Fix waking up ring buffer readers · b3594573
      Steven Rostedt (Google) authored
      A task can wait on a ring buffer for when it fills up to a specific
      watermark. The writer will check the minimum watermark that waiters are
      waiting for and if the ring buffer is past that, it will wake up all the
      waiters.
      
      The waiters are in a wait loop, and will first check if a signal is
      pending and then check if the ring buffer is at the desired level where it
      should break out of the loop.
      
      If a file that uses a ring buffer closes, and there's threads waiting on
      the ring buffer, it needs to wake up those threads. To do this, a
      "wait_index" was used.
      
      Before entering the wait loop, the waiter will read the wait_index. On
      wakeup, it will check if the wait_index is different than when it entered
      the loop, and will exit the loop if it is. The waker will only need to
      update the wait_index before waking up the waiters.
      
      This had a couple of bugs. One trivial one and one broken by design.
      
      The trivial bug was that the waiter checked the wait_index after the
      schedule() call. It had to be checked between the prepare_to_wait() and
      the schedule() which it was not.
      
      The main bug is that the first check to set the default wait_index will
      always be outside the prepare_to_wait() and the schedule(). That's because
      the ring_buffer_wait() doesn't have enough context to know if it should
      break out of the loop.
      
      The loop itself is not needed, because all the callers to the
      ring_buffer_wait() also have their own loop, as the callers have a better
      sense of what the context is to decide whether to break out of the loop
      or not.
      
      Just have the ring_buffer_wait() block once, and if it gets woken up, exit
      the function and let the callers decide what to do next.
      
      Link: https://lore.kernel.org/all/CAHk-=whs5MdtNjzFkTyaUy=vHi=qwWgPi0JgTe6OYUYMNSRZfg@mail.gmail.com/
      Link: https://lore.kernel.org/linux-trace-kernel/20240308202431.792933613@goodmis.org
      
      Cc: stable@vger.kernel.org
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: linke li <lilinke99@qq.com>
      Cc: Rabin Vincent <rabin@rab.in>
      Fixes: e30f53aa ("tracing: Do not busy wait in buffer splice")
      Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
  3. 09 Mar, 2024 6 commits
    • Merge tag 'i2c-for-6.8-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · 005f6f34
      Linus Torvalds authored
      Pull i2c fixes from Wolfram Sang:
       "Two patches from Heiner for the i801 are targeting muxes discovered
        while working on some other features. Essentially, there is a
        reordering when adding optional slaves and proper cleanup upon
        registering a mux device.
      
        Christophe fixes the exit path in the wmt driver that was leaving the
        clocks hanging, and the last fix from Tommy avoids false error reports
        in IRQ"
      
      * tag 'i2c-for-6.8-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: aspeed: Fix the dummy irq expected print
        i2c: wmt: Fix an error handling path in wmt_i2c_probe()
        i2c: i801: Avoid potential double call to gpiod_remove_lookup_table
        i2c: i801: Fix using mux_pdev before it's set
    • Merge tag 'firewire-fixes-6.8-final' of... · 66695e7d
      Linus Torvalds authored
      Merge tag 'firewire-fixes-6.8-final' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394
      
      Pull firewire fix from Takashi Sakamoto:
       "A fix to suppress a warning about unreleased IRQ for 1394 OHCI
        hardware when disabling MSI.
      
        In Linux kernel v6.5, a PCI driver for 1394 OHCI hardware was
        optimized into the managed device resources. Edmund Raile points out
        that the change brings the warning about unreleased IRQ at the call of
        pci_disable_msi(), since the API expects that the relevant IRQ has
        already been released in advance.
      
        As long as the API is called in .remove callback of PCI device
        operation, it is prohibited to maintain the IRQ as the part of managed
        device resource. As a workaround, the IRQ is explicitly released at
        .remove callback, before the call of pci_disable_msi().
      
        pci_disable_msi() is legacy API nowadays in PCI MSI implementation. I
        have a plan to replace it with the modern API in the development for
        the future version of Linux kernel. So at present I keep them as is"
      
      * tag 'firewire-fixes-6.8-final' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394:
        firewire: ohci: prevent leak of left-over IRQ on unbind
    • SEV: disable SEV-ES DebugSwap by default · 5abf6dce
      Paolo Bonzini authored
      The DebugSwap feature of SEV-ES provides a way for confidential guests to use
      data breakpoints.  However, because the status of the DebugSwap feature is
      recorded in the VMSA, enabling it by default invalidates the attestation
      signatures.  In 6.10 we will introduce a new API to create SEV VMs that
      will allow enabling DebugSwap based on what the user tells KVM to do.
      Contextually, we will change the legacy KVM_SEV_ES_INIT API to never
      enable DebugSwap.
      
      For compatibility with kernels that pre-date the introduction of DebugSwap,
      as well as with those where KVM_SEV_ES_INIT will never enable it, do not enable
      the feature by default.  If anybody wants to use it, for now they can enable
      the sev_es_debug_swap_enabled module parameter, but this will result in a
      warning.
      
      Fixes: d1f85fbe ("KVM: SEV: Enable data breakpoints in SEV-ES")
      Cc: stable@vger.kernel.org
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • Merge tag 'kvm-x86-guest_memfd_fixes-6.8' of https://github.com/kvm-x86/linux into HEAD · 39fee313
      Paolo Bonzini authored
      KVM GUEST_MEMFD fixes for 6.8:
      
       - Make KVM_MEM_GUEST_MEMFD mutually exclusive with KVM_MEM_READONLY to
         avoid creating ABI that KVM can't sanely support.
      
       - Update documentation for KVM_SW_PROTECTED_VM to make it abundantly
         clear that such VMs are purely a development and testing vehicle, and
         come with zero guarantees.
      
       - Limit KVM_SW_PROTECTED_VM guests to the TDP MMU, as the long term plan
         is to support confidential VMs with deterministic private memory (SNP
         and TDX) only in the TDP MMU.
      
       - Fix a bug in a GUEST_MEMFD negative test that resulted in false passes
         when verifying that KVM_MEM_GUEST_MEMFD memslots can't be dirty logged.
    • Merge tag 'kvm-x86-fixes-6.8-2' of https://github.com/kvm-x86/linux into HEAD · 1b6c146d
      Paolo Bonzini authored
      KVM x86 fixes for 6.8, round 2:
      
       - When emulating an atomic access, mark the gfn as dirty in the memslot
         to fix a bug where KVM could fail to mark the slot as dirty during live
         migration, ultimately resulting in guest data corruption due to a dirty
         page not being re-copied from the source to the target.
      
       - Check for mmu_notifier invalidation events before faulting in the pfn,
         and before acquiring mmu_lock, to avoid unnecessary work and lock
         contention.  Contending mmu_lock is especially problematic on preemptible
         kernels, as KVM may yield mmu_lock in response to the contention, which
         severely degrades overall performance due to vCPUs making it difficult
         for the task that triggered invalidation to make forward progress.
      
         Note, due to another kernel bug, this fix isn't limited to preemptible
         kernels, as any kernel built with CONFIG_PREEMPT_DYNAMIC=y will yield
         contended rwlocks and spinlocks.
      
         https://lore.kernel.org/all/20240110214723.695930-1-seanjc@google.com
    • Merge tag 'ceph-for-6.8-rc8' of https://github.com/ceph/ceph-client · 09e5c48f
      Linus Torvalds authored
      Pull ceph fix from Ilya Dryomov:
       "A follow-up for sparse read fixes that went into -rc4 -- msgr2 case
        was missed and is corrected here"
      
      * tag 'ceph-for-6.8-rc8' of https://github.com/ceph/ceph-client:
        libceph: init the cursor when preparing sparse read in msgr2
  4. 08 Mar, 2024 19 commits
    • Merge tag 'char-misc-6.8-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · 10d48d70
      Linus Torvalds authored
      Pull char/misc driver fixes from Greg KH:
       "Here are a few small char/misc and other driver subsystem fixes for
        reported issues that have been in my tree.
      
        Included in here are fixes for:
      
         - iio driver fixes for reported problems
      
         - much reported bugfix for a lis3lv02d_i2c regression
      
         - comedi driver bugfix
      
         - mei new device ids
      
         - mei driver fixes
      
         - counter core fix
      
        All of these have been in linux-next with no reported issues, some for
        many weeks"
      
      * tag 'char-misc-6.8-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        mei: gsc_proxy: match component when GSC is on different bus
        misc: fastrpc: Pass proper arguments to scm call
        comedi: comedi_test: Prevent timers rescheduling during deletion
        comedi: comedi_8255: Correct error in subdevice initialization
        misc: lis3lv02d_i2c: Fix regulators getting en-/dis-abled twice on suspend/resume
        iio: accel: adxl367: fix I2C FIFO data register
        iio: accel: adxl367: fix DEVID read after reset
        iio: pressure: dlhl60d: Initialize empty DLH bytes
        iio: imu: inv_mpu6050: fix frequency setting when chip is off
        iio: pressure: Fixes BMP38x and BMP390 SPI support
        iio: imu: inv_mpu6050: fix FIFO parsing when empty
        mei: Add Meteor Lake support for IVSC device
        mei: me: add arrow lake point H DID
        mei: me: add arrow lake point S DID
        counter: fix privdata alignment
    • Merge tag 'tty-6.8-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · 563c5b02
      Linus Torvalds authored
      Pull tty / serial fixes from Greg KH:
       "Here are some small remaining tty/serial driver fixes. Included in
        here are fixes for:
      
         - vt unicode buffer corruption fix
      
         - imx serial driver fixes, again
      
         - port suspend fix
      
         - 8250_dw driver fix
      
         - fsl_lpuart driver fix
      
         - revert for the qcom_geni_serial driver to fix a reported regression
      
        All of these have been in linux-next with no reported issues"
      
      * tag 'tty-6.8-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        Revert "tty: serial: simplify qcom_geni_serial_send_chunk_fifo()"
        tty: serial: fsl_lpuart: avoid idle preamble pending if CTS is enabled
        vt: fix unicode buffer corruption when deleting characters
        serial: port: Don't suspend if the port is still busy
        serial: 8250_dw: Do not reclock if already at correct rate
        tty: serial: imx: Fix broken RS485
    • Merge tag 'usb-6.8-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · e536e0d4
      Linus Torvalds authored
      Pull USB / Thunderbolt fixes from Greg KH:
       "Here are some small remaining fixes for USB and Thunderbolt drivers.
        Included in here are fixes for:
      
         - thunderbolt NULL dereference fix
      
         - typec driver fixes
      
         - xhci driver regression fix
      
         - usb-storage divide-by-0 fix
      
         - ncm gadget driver fix
      
        All of these have been in linux-next with no reported issues"
      
      * tag 'usb-6.8-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        xhci: Fix failure to detect ring expansion need.
        usb: port: Don't try to peer unused USB ports based on location
        usb: gadget: ncm: Fix handling of zero block length packets
        usb: typec: altmodes/displayport: create sysfs nodes as driver's default device attribute group
        usb: typec: tpcm: Fix PORT_RESET behavior for self powered devices
        usb: typec: ucsi: fix UCSI on SM8550 & SM8650 Qualcomm devices
        USB: usb-storage: Prevent divide-by-0 error in isd200_ata_command
        thunderbolt: Fix NULL pointer dereference in tb_port_update_credits()
    • Merge tag 'pinctrl-v6.8-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · 49deb280
      Linus Torvalds authored
      Pull pin control fixes from Linus Walleij:
      
       - Fix the PM suspend callback in the STM32 ST32MP257 driver to properly
         support suspend
      
       - Drop an extraneous reference put in the debugfs code, this was
         confusing the reference counts and causing unsolicited calls to
         __free()
      
      * tag 'pinctrl-v6.8-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        pinctrl: don't put the reference to GPIO device in pinctrl_pins_show()
        pinctrl: stm32: fix PM support for stm32mp257
    • Merge tag 'input-for-v6.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · 7a4f31c7
      Linus Torvalds authored
      Pull input updates from Dmitry Torokhov:
      
       - a revert of endpoint checks in bcm5974 - the driver is being naughty
         and pokes at unclaimed USB interface, so the check fails. We need to
         fix the driver to claim both interfaces, and then re-implement the
         endpoints check
      
       - a fix to Synaptics RMI driver to avoid UAF on driver unload or device
         unbinding
      
       - a few new VID/PIDs added to xpad game controller driver
      
       - a change to gpio_keys_polled driver to quiet it when GPIO causes
         probe deferral.
      
      * tag 'input-for-v6.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal
        Input: gpio_keys_polled - suppress deferred probe error for gpio
        Revert "Input: bcm5974 - check endpoint type before starting traffic"
        Input: xpad - add additional HyperX Controller Identifiers
    • Merge tag 'sound-6.8' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 6dfeb04c
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "A collection of small fixes. Half of them are HD-audio quirks while
        the rest are various device-specific ASoC fixes"
      
      * tag 'sound-6.8' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ASoC: wm8962: Fix up incorrect error message in wm8962_set_fll
        ASoC: wm8962: Enable both SPKOUTR_ENA and SPKOUTL_ENA in mono mode
        ASoC: wm8962: Enable oscillator if selecting WM8962_FLL_OSC
        ASoC: dt-bindings: nvidia: Fix 'lge' vendor prefix
        ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook
        ASoC: amd: yc: Add HP Pavilion Aero Laptop 13-be2xxx(8BD6) into DMI quirk table
        ASoC: rcar: adg: correct TIMSEL setting for SSI9
        ALSA: hda: cs35l41: Overwrite CS35L41 configuration for ASUS UM5302LA
        ALSA: hda/realtek: Add quirks for Lenovo Thinkbook 16P laptops
        ALSA: hda: cs35l41: Support Lenovo Thinkbook 16P
        ALSA: hda/realtek - Add Headset Mic supported Acer NB platform
        ALSA: hda: optimize the probe codec process
        ALSA: hda/realtek - Fix headset Mic no show at resume back for Lenovo ALC897 platform
        ASoC: Intel: bytcr_rt5640: Add an extra entry for the Chuwi Vi8 tablet
        ASoC: madera: Fix typo in madera_set_fll_clks shift value
    • Merge tag 'drm-fixes-2024-03-08' of https://gitlab.freedesktop.org/drm/kernel · e6fac3c1
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Regular fixes (two weeks for i915), scattered across drivers, amdgpu
        and i915 being the main ones, with nouveau having a couple of fixes.
        One patch got applied for udl, but reverted soon after as the
        maintainer has missed some crucial prior discussion.
      
        Seems quiet and normal enough for this stage.
      
        MAINTAINERS
         - update email address
      
        core:
         - fix polling in certain configurations
      
        buddy:
         - fix kunit test warning
      
        panel:
         - boe-tv101wum-nl6: timing tuning fixes
      
        i915:
         - Fix to extract HDCP information from primary connector
         - Check for NULL mmu_interval_notifier before removing
         - Fix for #10184: Kernel crash on UHD Graphics 730 (Cc stable)
         - Fix for #10284: Boot delay regression with PSR
         - Fix DP connector DSC HW state readout
         - Selftest fix to convert msecs to jiffies
      
        xe:
         - error path fix
      
        amdgpu:
         - SMU14 fix
         - Fix possible NULL pointer
         - VRR fix
         - pwm fix
      
        nouveau:
         - fix deadlock in new ioctls fail path
         - fix missing locking around object rbtree
      
        udl:
         - apply and revert format change"
      
      * tag 'drm-fixes-2024-03-08' of https://gitlab.freedesktop.org/drm/kernel: (21 commits)
        nouveau: lock the client object tree.
        drm/tests/buddy: fix print format
        drm/xe: Return immediately on tile_init failure
        drm/amdgpu/pm: Fix the error of pwm1_enable setting
        drm/amd/display: handle range offsets in VRR ranges
        drm/amd/display: check dc_link before dereferencing
        drm/amd/swsmu: modify the gfx activity scaling
        Revert "drm/udl: Add ARGB8888 as a format"
        drm/i915/panelreplay: Move out psr_init_dpcd() from init_connector()
        drm/i915/dp: Fix connector DSC HW state readout
        drm/i915/selftests: Fix dependency of some timeouts on HZ
        drm/udl: Add ARGB8888 as a format
        drm/nouveau: fix stale locked mutex in nouveau_gem_ioctl_pushbuf
        drm/i915: Don't explode when the dig port we don't have an AUX CH
        MAINTAINERS: Update email address for Tvrtko Ursulin
        drm/panel: boe-tv101wum-nl6: Fine tune Himax83102-j02 panel HFP and HBP (again)
        drm: Fix output poll work for drm_kms_helper_poll=n
        drm/i915: Check before removing mm notifier
        drm/i915/hdcp: Extract hdcp structure from correct connector
        drm/i915/hdcp: Remove additional timing for reading mst hdcp message
        ...
      e6fac3c1
    • Tommy Huang's avatar
      i2c: aspeed: Fix the dummy irq expected print · ac168d67
      Tommy Huang authored
      When the i2c error condition occurred and master state was not
      idle, the master irq function will goto complete state without any
      other interrupt handling. It would cause dummy irq expected print.
      Under this condition, assign the irq_status into irq_handle.
      
      For example, when the abnormal start / stop occurred (bit 5) with
      normal stop status (bit 4) at same time. Then the normal stop status
      would not be handled and it would cause irq expected print in
      the aspeed_i2c_bus_irq.
      
      ...
      aspeed-i2c-bus x. i2c-bus: irq handled != irq.
      Expected 0x00000030, but was 0x00000020
      ...
      
      Fixes: 3e9efc32 ("i2c: aspeed: Handle master/slave combined irq events properly")
      Cc: Jae Hyun Yoo <jae.hyun.yoo@linux.intel.com>
      Signed-off-by: Tommy Huang <tommy_huang@aspeedtech.com>
      Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
      ac168d67
    • Christophe JAILLET's avatar
      i2c: wmt: Fix an error handling path in wmt_i2c_probe() · 97fd62e3
      Christophe JAILLET authored
      wmt_i2c_reset_hardware() calls clk_prepare_enable(). So, should an error
      occur after it, it should be undone by a corresponding
      clk_disable_unprepare() call, as already done in the remove function.
      
      Fixes: 560746eb ("i2c: vt8500: Add support for I2C bus on Wondermedia SoCs")
      Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
      Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
      97fd62e3
    • Heiner Kallweit's avatar
      i2c: i801: Avoid potential double call to gpiod_remove_lookup_table · ceb013b2
      Heiner Kallweit authored
      If registering the platform device fails, the lookup table is
      removed in the error path. On module removal we would try to
      remove the lookup table again. Fix this by setting priv->lookup
      only if registering the platform device was successful.
      In addition free the memory allocated for the lookup table in
      the error path.
      
      Fixes: d308dfbf ("i2c: mux/i801: Switch to use descriptor passing")
      Cc: stable@vger.kernel.org
      Reviewed-by: Andi Shyti <andi.shyti@kernel.org>
      Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
      Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
      Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
      ceb013b2
    • Heiner Kallweit's avatar
      i2c: i801: Fix using mux_pdev before it's set · 09f02902
      Heiner Kallweit authored
      i801_probe_optional_slaves() is called before i801_add_mux().
      This results in mux_pdev being checked before it's set by
      i801_add_mux(). Fix this by changing the order of the calls.
      I consider this safe as I see no dependencies.
      
      Fixes: 80e56b86 ("i2c: i801: Simplify class-based client device instantiation")
      Cc: stable@vger.kernel.org
      Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
      Reviewed-by: Andi Shyti <andi.shyti@kernel.org>
      Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
      09f02902
    • Takashi Iwai's avatar
      Merge tag 'asoc-fix-v6.8-rc7' of... · 21e59fe2
      Takashi Iwai authored
      Merge tag 'asoc-fix-v6.8-rc7' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
      
      ASoC: Fixes for v6.8
      
      Some more driver specific fixes for v6.8, plus one new x86 platform
      quirk.  All good fixes to have if you have systems that use the relevant
      hardware.
      21e59fe2
    • Dave Airlie's avatar
      nouveau: lock the client object tree. · b7cc4ff7
      Dave Airlie authored
      It appears the client object tree has no locking unless I've missed
      something else. Fix races around adding/removing client objects,
      mostly vram bar mappings.
      
      [ 4562.099306] general protection fault, probably for non-canonical address 0x6677ed422bceb80c: 0000 [#1] PREEMPT SMP PTI
      [ 4562.099314] CPU: 2 PID: 23171 Comm: deqp-vk Not tainted 6.8.0-rc6+ #27
      [ 4562.099324] Hardware name: Gigabyte Technology Co., Ltd. Z390 I AORUS PRO WIFI/Z390 I AORUS PRO WIFI-CF, BIOS F8 11/05/2021
      [ 4562.099330] RIP: 0010:nvkm_object_search+0x1d/0x70 [nouveau]
      [ 4562.099503] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 48 89 f8 48 85 f6 74 39 48 8b 87 a0 00 00 00 48 85 c0 74 12 <48> 8b 48 f8 48 39 ce 73 15 48 8b 40 10 48 85 c0 75 ee 48 c7 c0 fe
      [ 4562.099506] RSP: 0000:ffffa94cc420bbf8 EFLAGS: 00010206
      [ 4562.099512] RAX: 6677ed422bceb814 RBX: ffff98108791f400 RCX: ffff9810f26b8f58
      [ 4562.099517] RDX: 0000000000000000 RSI: ffff9810f26b9158 RDI: ffff98108791f400
      [ 4562.099519] RBP: ffff9810f26b9158 R08: 0000000000000000 R09: 0000000000000000
      [ 4562.099521] R10: ffffa94cc420bc48 R11: 0000000000000001 R12: ffff9810f02a7cc0
      [ 4562.099526] R13: 0000000000000000 R14: 00000000000000ff R15: 0000000000000007
      [ 4562.099528] FS:  00007f629c5017c0(0000) GS:ffff98142c700000(0000) knlGS:0000000000000000
      [ 4562.099534] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 4562.099536] CR2: 00007f629a882000 CR3: 000000017019e004 CR4: 00000000003706f0
      [ 4562.099541] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [ 4562.099542] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [ 4562.099544] Call Trace:
      [ 4562.099555]  <TASK>
      [ 4562.099573]  ? die_addr+0x36/0x90
      [ 4562.099583]  ? exc_general_protection+0x246/0x4a0
      [ 4562.099593]  ? asm_exc_general_protection+0x26/0x30
      [ 4562.099600]  ? nvkm_object_search+0x1d/0x70 [nouveau]
      [ 4562.099730]  nvkm_ioctl+0xa1/0x250 [nouveau]
      [ 4562.099861]  nvif_object_map_handle+0xc8/0x180 [nouveau]
      [ 4562.099986]  nouveau_ttm_io_mem_reserve+0x122/0x270 [nouveau]
      [ 4562.100156]  ? dma_resv_test_signaled+0x26/0xb0
      [ 4562.100163]  ttm_bo_vm_fault_reserved+0x97/0x3c0 [ttm]
      [ 4562.100182]  ? __mutex_unlock_slowpath+0x2a/0x270
      [ 4562.100189]  nouveau_ttm_fault+0x69/0xb0 [nouveau]
      [ 4562.100356]  __do_fault+0x32/0x150
      [ 4562.100362]  do_fault+0x7c/0x560
      [ 4562.100369]  __handle_mm_fault+0x800/0xc10
      [ 4562.100382]  handle_mm_fault+0x17c/0x3e0
      [ 4562.100388]  do_user_addr_fault+0x208/0x860
      [ 4562.100395]  exc_page_fault+0x7f/0x200
      [ 4562.100402]  asm_exc_page_fault+0x26/0x30
      [ 4562.100412] RIP: 0033:0x9b9870
      [ 4562.100419] Code: 85 a8 f7 ff ff 8b 8d 80 f7 ff ff 89 08 e9 18 f2 ff ff 0f 1f 84 00 00 00 00 00 44 89 32 e9 90 fa ff ff 0f 1f 84 00 00 00 00 00 <44> 89 32 e9 f8 f1 ff ff 0f 1f 84 00 00 00 00 00 66 44 89 32 e9 e7
      [ 4562.100422] RSP: 002b:00007fff9ba2dc70 EFLAGS: 00010246
      [ 4562.100426] RAX: 0000000000000004 RBX: 000000000dd65e10 RCX: 000000fff0000000
      [ 4562.100428] RDX: 00007f629a882000 RSI: 00007f629a882000 RDI: 0000000000000066
      [ 4562.100432] RBP: 00007fff9ba2e570 R08: 0000000000000000 R09: 0000000123ddf000
      [ 4562.100434] R10: 0000000000000001 R11: 0000000000000246 R12: 000000007fffffff
      [ 4562.100436] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
      [ 4562.100446]  </TASK>
      [ 4562.100448] Modules linked in: nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables libcrc32c nfnetlink cmac bnep sunrpc iwlmvm intel_rapl_msr intel_rapl_common snd_sof_pci_intel_cnl x86_pkg_temp_thermal intel_powerclamp snd_sof_intel_hda_common mac80211 coretemp snd_soc_acpi_intel_match kvm_intel snd_soc_acpi snd_soc_hdac_hda snd_sof_pci snd_sof_xtensa_dsp snd_sof_intel_hda_mlink snd_sof_intel_hda snd_sof kvm snd_sof_utils snd_soc_core snd_hda_codec_realtek libarc4 snd_hda_codec_generic snd_compress snd_hda_ext_core vfat fat snd_hda_intel snd_intel_dspcfg irqbypass iwlwifi snd_hda_codec snd_hwdep snd_hda_core btusb btrtl mei_hdcp iTCO_wdt rapl mei_pxp btintel snd_seq iTCO_vendor_support btbcm snd_seq_device intel_cstate bluetooth snd_pcm cfg80211 intel_wmi_thunderbolt wmi_bmof intel_uncore snd_timer mei_me snd ecdh_generic i2c_i801
      [ 4562.100541]  ecc mei i2c_smbus soundcore rfkill intel_pch_thermal acpi_pad zram nouveau drm_ttm_helper ttm gpu_sched i2c_algo_bit drm_gpuvm drm_exec mxm_wmi drm_display_helper drm_kms_helper drm crct10dif_pclmul crc32_pclmul nvme e1000e crc32c_intel nvme_core ghash_clmulni_intel video wmi pinctrl_cannonlake ip6_tables ip_tables fuse
      [ 4562.100616] ---[ end trace 0000000000000000 ]---
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      Cc: stable@vger.kernel.org
      b7cc4ff7
    • Dave Airlie's avatar
      Merge tag 'drm-misc-fixes-2024-03-07' of... · 83c34dcb
      Dave Airlie authored
      Merge tag 'drm-misc-fixes-2024-03-07' of https://anongit.freedesktop.org/git/drm/drm-misc into drm-fixes
      
      A connector status polling fix, a timings fix for the Himax83102-j02
      panel, a deadlock fix for nouveau, a controversial format fix for udl
      that got reverted to allow further discussion, and a build fix for the
      drm/buddy kunit tests.
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      
      From: Maxime Ripard <mripard@redhat.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20240307-quizzical-auburn-starling-0ade8f@houat
      83c34dcb
    • Dave Airlie's avatar
      Merge tag 'amd-drm-fixes-6.8-2024-03-07' of... · b3cdb192
      Dave Airlie authored
      Merge tag 'amd-drm-fixes-6.8-2024-03-07' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes
      
      amd-drm-fixes-6.8-2024-03-07:
      
      amdgpu:
      - SMU14 fix
      - Fix possible NULL pointer
      - VRR fix
      - pwm fix
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      
      From: Alex Deucher <alexander.deucher@amd.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20240307143318.2869884-1-alexander.deucher@amd.com
      b3cdb192
    • Dave Airlie's avatar
      Merge tag 'drm-xe-fixes-2024-03-07' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-fixes · 3a397b13
      Dave Airlie authored
      Driver Changes:
      - An error path fix.
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      
      From: Thomas Hellstrom <thomas.hellstrom@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/Zema9lLEdtMISljc@fedora
      3a397b13
    • Dave Airlie's avatar
      Merge tag 'drm-intel-fixes-2024-03-07' of... · 698236f5
      Dave Airlie authored
      Merge tag 'drm-intel-fixes-2024-03-07' of https://anongit.freedesktop.org/git/drm/drm-intel into drm-fixes
      
      - Fix for #10184: Kernel crash on UHD Graphics 730 (Cc stable)
      - Fix for #10284: Boot delay regression with PSR
      - Fix DP connector DSC HW state readout
      - Selftest fix to convert msecs to jiffies
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/Zel4jMpJ2Fay5VeJ@jlahtine-mobl.ger.corp.intel.com
      698236f5
    • Linus Torvalds's avatar
      Merge tag 'mm-hotfixes-stable-2024-03-07-16-17' of... · 3aaa8ce7
      Linus Torvalds authored
      Merge tag 'mm-hotfixes-stable-2024-03-07-16-17' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
      
      Pull misc fixes from Andrew Morton:
       "6 hotfixes. 4 are cc:stable and the remainder pertain to post-6.7
        issues or aren't considered to be needed in earlier kernel versions"
      
      * tag 'mm-hotfixes-stable-2024-03-07-16-17' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm:
        scripts/gdb/symbols: fix invalid escape sequence warning
        mailmap: fix Kishon's email
        init/Kconfig: lower GCC version check for -Warray-bounds
        mm, mmap: fix vma_merge() case 7 with vma_ops->close
        mm: userfaultfd: fix unexpected change to src_folio when UFFDIO_MOVE fails
        mm, vmscan: prevent infinite loop for costly GFP_NOIO | __GFP_RETRY_MAYFAIL allocations
      3aaa8ce7
    • Andrew Ballance's avatar
      scripts/gdb/symbols: fix invalid escape sequence warning · ded79af4
      Andrew Ballance authored
      With python 3.12, '\.' results in this warning
          SyntaxWarning: invalid escape sequence '\.'
      
      Link: https://lkml.kernel.org/r/20240304012507.240380-1-andrewjballance@gmail.com
      Signed-off-by: Andrew Ballance <andrewjballance@gmail.com>
      Cc: Jan Kiszka <jan.kiszka@siemens.com>
      Cc: Kieran Bingham <kbingham@kernel.org>
      Cc: Koudai Iwahori <koudai@google.com>
      Cc: Kuan-Ying Lee <Kuan-Ying.Lee@mediatek.com>
      Cc: Luis Chamberlain <mcgrof@kernel.org>
      Cc: Pankaj Raghav <p.raghav@samsung.com>
      Cc: Shuah Khan <skhan@linuxfoundation.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      ded79af4
  5. 07 Mar, 2024 6 commits
    • Mathias Krause's avatar
      Input: synaptics-rmi4 - fix UAF of IRQ domain on driver removal · fbf8d717
      Mathias Krause authored
      Calling irq_domain_remove() will lead to freeing the IRQ domain
      prematurely. The domain is still referenced and will be attempted to get
      used via rmi_free_function_list() -> rmi_unregister_function() ->
      irq_dispose_mapping() -> irq_get_irq_data()'s ->domain pointer.
      
      With PaX's MEMORY_SANITIZE this will lead to an access fault when
      attempting to dereference embedded pointers, as in Torsten's report that
      was faulting on the 'domain->ops->unmap' test.
      
      Fix this by releasing the IRQ domain only after all related IRQs have
      been deactivated.
      
      Fixes: 24d28e4f ("Input: synaptics-rmi4 - convert irq distribution to irq_domain")
      Reported-by: Torsten Hilbrich <torsten.hilbrich@secunet.com>
      Signed-off-by: Mathias Krause <minipli@grsecurity.net>
      Link: https://lore.kernel.org/r/20240222142654.856566-1-minipli@grsecurity.net
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      fbf8d717
    • Linus Torvalds's avatar
      Merge tag 'spi-fix-v6.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi · c381c89d
      Linus Torvalds authored
      Pull spi fix from Mark Brown:
       "One small fix for the newly added cs42l43 driver which would have
        caused it problems working in some system configurations by needlessly
        restricting chip select configurations"
      
      * tag 'spi-fix-v6.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
        spi: cs42l43: Don't limit native CS to the first chip select
      c381c89d
    • Linus Torvalds's avatar
      Merge tag 'regulator-fix-v6.8-rc7' of... · d5c6c9f1
      Linus Torvalds authored
      Merge tag 'regulator-fix-v6.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator
      
      Pull regulator fixes from Mark Brown:
       "A couple of small fixes for the rk808 driver, the regulator voltage
        configurations were incorrectly described.
      
        The changes are not expected to have practical impact but given that
        we're dealing with power it's generally better to follow the hardware
        specification as closely as we can to avoid unexpected stresses"
      
      * tag 'regulator-fix-v6.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
        regulator: rk808: fix LDO range on RK806
        regulator: rk808: fix buck range on RK806
      d5c6c9f1
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 135288b7
      Linus Torvalds authored
      Pull arm64 fix from Will Deacon:
       "A lonely arm64 fix addressing a kprobes regression that we introduced
        during the merge window:
      
         - Fix recursive kprobes regression when probing the stack unwinder"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: prohibit probing on arch_kunwind_consume_entry()
      135288b7
    • Linus Torvalds's avatar
      Merge tag 'erofs-for-6.8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs · d0e88885
      Linus Torvalds authored
      Pull erofs fixes from Gao Xiang:
       "The main one is a KMSAN fix which addresses an issue introduced in
        this cycle so it'd be much better to fix before releasing, and the
        remaining one fixes VMA alignment for THP.
      
        Summary:
      
         - Fix a KMSAN uninit-value issue triggered by a crafted image
      
         - Fix VMA alignment for memory mapped files on THP"
      
      * tag 'erofs-for-6.8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs:
        erofs: apply proper VMA alignment for memory mapped files on THP
        erofs: fix uninitialized page cache reported by KMSAN
      d0e88885
    • Linus Torvalds's avatar
      Merge tag 'net-6.8-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · df479350
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from bpf, ipsec and netfilter.
      
        No solution yet for the stmmac issue mentioned in the last PR, but it
        proved to be a lockdep false positive, not a blocker.
      
        Current release - regressions:
      
         - dpll: move all dpll<>netdev helpers to dpll code, fix build
           regression with old compilers
      
        Current release - new code bugs:
      
         - page_pool: fix netlink dump stop/resume
      
        Previous releases - regressions:
      
         - bpf: fix verifier to check bpf_func_state->callback_depth when
           pruning states as otherwise unsafe programs could get accepted
      
         - ipv6: avoid possible UAF in ip6_route_mpath_notify()
      
         - ice: reconfig host after changing MSI-X on VF
      
         - mlx5:
             - e-switch, change flow rule destination checking
             - add a memory barrier to prevent a possible null-ptr-deref
             - switch to using _bh variant of spinlock where needed
      
        Previous releases - always broken:
      
         - netfilter: nf_conntrack_h323: add protection for bmp length out of
           range
      
         - bpf: fix to zero-initialise xdp_rxq_info struct before running XDP
           program in CPU map which led to random xdp_md fields
      
         - xfrm: fix UDP encapsulation in TX packet offload
      
         - netrom: fix data-races around sysctls
      
         - ice:
             - fix potential NULL pointer dereference in ice_bridge_setlink()
             - fix uninitialized dplls mutex usage
      
         - igc: avoid returning frame twice in XDP_REDIRECT
      
         - i40e: disable NAPI right after disabling irqs when handling
           xsk_pool
      
         - geneve: make sure to pull inner header in geneve_rx()
      
         - sparx5: fix use after free inside sparx5_del_mact_entry
      
         - dsa: microchip: fix register write order in ksz8_ind_write8()
      
        Misc:
      
         - selftests: mptcp: fixes for diag.sh"
      
      * tag 'net-6.8-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (63 commits)
        net: pds_core: Fix possible double free in error handling path
        netrom: Fix data-races around sysctl_net_busy_read
        netrom: Fix a data-race around sysctl_netrom_link_fails_count
        netrom: Fix a data-race around sysctl_netrom_routing_control
        netrom: Fix a data-race around sysctl_netrom_transport_no_activity_timeout
        netrom: Fix a data-race around sysctl_netrom_transport_requested_window_size
        netrom: Fix a data-race around sysctl_netrom_transport_busy_delay
        netrom: Fix a data-race around sysctl_netrom_transport_acknowledge_delay
        netrom: Fix a data-race around sysctl_netrom_transport_maximum_tries
        netrom: Fix a data-race around sysctl_netrom_transport_timeout
        netrom: Fix data-races around sysctl_netrom_network_ttl_initialiser
        netrom: Fix a data-race around sysctl_netrom_obsolescence_count_initialiser
        netrom: Fix a data-race around sysctl_netrom_default_path_quality
        netfilter: nf_conntrack_h323: Add protection for bmp length out of range
        netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout
        netfilter: nft_ct: fix l3num expectations with inet pseudo family
        netfilter: nf_tables: reject constant set with timeout
        netfilter: nf_tables: disallow anonymous set with timeout flag
        net/rds: fix WARNING in rds_conn_connect_if_down
        net: dsa: microchip: fix register write order in ksz8_ind_write8()
        ...
      df479350