1. 03 Apr, 2023 2 commits
    • ksmbd: fix slab-out-of-bounds in init_smb2_rsp_hdr · dc8289f9
      Namjae Jeon authored
      When smb1 mount fails, KASAN detects slab-out-of-bounds in
      init_smb2_rsp_hdr like the following one.
      For smb1 negotiate (56 bytes), init_smb2_rsp_hdr() for smb2 is called.
      The issue occurs while handling smb1 negotiate as smb2 server operations.
      Add smb server operations for smb1 (get_cmd_val, init_rsp_hdr,
      allocate_rsp_buf, check_user_session) to handle smb1 negotiate so that
      smb2 server operation does not handle it.
      
      [  411.400423] CIFS: VFS: Use of the less secure dialect vers=1.0 is
      not recommended unless required for access to very old servers
      [  411.400452] CIFS: Attempting to mount \\192.168.45.139\homes
      [  411.479312] ksmbd: init_smb2_rsp_hdr : 492
      [  411.479323] ==================================================================
      [  411.479327] BUG: KASAN: slab-out-of-bounds in
      init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd]
      [  411.479369] Read of size 16 at addr ffff888488ed0734 by task kworker/14:1/199
      
      [  411.479379] CPU: 14 PID: 199 Comm: kworker/14:1 Tainted: G
       OE      6.1.21 #3
      [  411.479386] Hardware name: ASUSTeK COMPUTER INC. Z10PA-D8
      Series/Z10PA-D8 Series, BIOS 3801 08/23/2019
      [  411.479390] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
      [  411.479425] Call Trace:
      [  411.479428]  <TASK>
      [  411.479432]  dump_stack_lvl+0x49/0x63
      [  411.479444]  print_report+0x171/0x4a8
      [  411.479452]  ? kasan_complete_mode_report_info+0x3c/0x200
      [  411.479463]  ? init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd]
      [  411.479497]  kasan_report+0xb4/0x130
      [  411.479503]  ? init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd]
      [  411.479537]  kasan_check_range+0x149/0x1e0
      [  411.479543]  memcpy+0x24/0x70
      [  411.479550]  init_smb2_rsp_hdr+0x1e2/0x1f4 [ksmbd]
      [  411.479585]  handle_ksmbd_work+0x109/0x760 [ksmbd]
      [  411.479616]  ? _raw_spin_unlock_irqrestore+0x50/0x50
      [  411.479624]  ? smb3_encrypt_resp+0x340/0x340 [ksmbd]
      [  411.479656]  process_one_work+0x49c/0x790
      [  411.479667]  worker_thread+0x2b1/0x6e0
      [  411.479674]  ? process_one_work+0x790/0x790
      [  411.479680]  kthread+0x177/0x1b0
      [  411.479686]  ? kthread_complete_and_exit+0x30/0x30
      [  411.479692]  ret_from_fork+0x22/0x30
      [  411.479702]  </TASK>
      
      Fixes: 39b291b8 ("ksmbd: return unsupported error on smb1 mount")
      Cc: stable@vger.kernel.org
      Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
      Signed-off-by: Steve French <stfrench@microsoft.com>
    • ksmbd: delete asynchronous work from list · 3a9b557f
      Namjae Jeon authored
      When smb2_lock request is canceled by smb2_cancel or smb2_close(),
      ksmbd is missing deleting async_request_entry async_requests list.
      Because calling init_smb2_rsp_hdr() in smb2_lock() marks ->synchronous
      as true, it will not be deleted in
      ksmbd_conn_try_dequeue_request(). This patch adds release_async_work() to
      release the ones allocated for async work.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
      Signed-off-by: Steve French <stfrench@microsoft.com>
  2. 25 Mar, 2023 3 commits
  3. 24 Mar, 2023 29 commits
    • Merge tag 'arm-fixes-6.3-2' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc · e76db6e5
      Linus Torvalds authored
      Pull ARM SoC fixes from Arnd Bergmann:
       "As usual, most of the bug fixes address issues in the devicetree
        files, and out of these, most are for the Qualcomm and NXP platforms,
        including:
      
         - A missing 'reserved-memory' property on LG G Watch R that is needed
           to prevent clashing with firmware
      
         - Annotations for cache coherency on multiple machines
      
         - Corrections for pinctrl, regulator, clock, iommu and power domain
           properties for i.MX and Qualcomm to correctly reflect the hardware
           settings
      
         - Firmware file names on multiple machines SA8540P Ride board
      
         - An incompatible change to the qcom vadc driver requires adding
           individual labels
      
         - Fix EQoS PHY reset GPIO by dropping the deprecated/wrong property
           and switch to the new bindings.
      
         - A fix for PCI bus address translation Tegra194 and Tegra234.
      
        There are also a couple of device driver fixes, addressing:
      
         - A race condition in the amdtee driver
      
         - A performance regression in the Qualcomm 'llcc' driver
      
         - An uninitialized variable use NXP i.MX 'weim' driver
      
         - Error handling issues in Qualcomm 'rmtfs', and 'scm' drivers and
           the Arm scmi firmware driver"
      
      * tag 'arm-fixes-6.3-2' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (48 commits)
        arm64: dts: qcom: sc8280xp-x13s: mark bob regulator as always-on
        arm64: dts: qcom: sc8280xp-x13s: mark s12b regulator as always-on
        arm64: dts: qcom: sc8280xp-x13s: mark s10b regulator as always-on
        arm64: dts: qcom: sc8280xp-x13s: mark s11b regulator as always-on
        arm64: dts: imx93: add missing #address-cells and #size-cells to i2c nodes
        bus: imx-weim: fix branch condition evaluates to a garbage value
        arm64: dts: imx8mn: specify #sound-dai-cells for SAI nodes
        ARM: dts: imx6sl: tolino-shine2hd: fix usbotg1 pinctrl
        ARM: dts: imx6sll: e60k02: fix usbotg1 pinctrl
        ARM: dts: imx6sll: e70k02: fix usbotg1 pinctrl
        arm64: dts: imx93: Fix eqos properties
        arm64: dts: imx8mp: Fix LCDIF2 node clock order
        arm64: dts: imx8mm-nitrogen-r2: fix WM8960 clock name
        arm64: dts: imx8dxl-evk: Fix eqos phy reset gpio
        firmware: qcom: scm: fix bogus irq error at probe
        arm64: dts: qcom: sm8550: Mark UFS controller as cache coherent
        arm64: dts: qcom: sa8540p-ride: correct name of remoteproc_nsp0 firmware
        arm64: dts: qcom: sm8450: Mark UFS controller as cache coherent
        arm64: dts: qcom: sm8350: Mark UFS controller as cache coherent
        arm64: dts: qcom: sm8550: fix LPASS pinctrl slew base address
        ...
    • Merge tag 'for-v6.3-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply · d7b5c942
      Linus Torvalds authored
      Pull power supply fixes from Sebastian Reichel:
      
       - rk817: Fix compiler warning
      
       - cros_usbpd-charger: Fix excessive error printing
      
       - axp288_fuel_gauge: handle platform_get_irq error
      
       - bq24190 and da9150: Fix race condition in remove path
      
      * tag 'for-v6.3-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply:
        power: supply: da9150: Fix use after free bug in da9150_charger_remove due to race condition
        power: supply: bq24190: Fix use after free bug in bq24190_remove due to race condition
        power: supply: axp288_fuel_gauge: Added check for negative values
        power: supply: cros_usbpd: reclassify "default case!" as debug
        power: supply: rk817: Fix unsigned comparison with less than zero
    • Merge tag 'drm-fixes-2023-03-24' of git://anongit.freedesktop.org/drm/drm · 37154c19
      Linus Torvalds authored
      Pull drm fixes from Daniel Vetter:
      
       - usual pile of fixes for amdgpu & i915
      
       - probe error handling fixes for meson, lt8912b bridge
      
       - the host1x patch from Arnd
      
       - panel-orientation fix for Lenovo Book X90F
      
      * tag 'drm-fixes-2023-03-24' of git://anongit.freedesktop.org/drm/drm: (23 commits)
        gpu: host1x: fix uninitialized variable use
        drm/amd/display: Set dcn32 caps.seamless_odm
        drm/amd/display: fix wrong index used in dccg32_set_dpstreamclk
        drm/amdgpu/nv: Apply ASPM quirk on Intel ADL + AMD Navi
        drm/amd/display: remove outdated 8bpc comments
        drm/amdgpu/gfx: set cg flags to enter/exit safe mode
        drm/amdgpu: Force signal hw_fences that are embedded in non-sched jobs
        drm/amdgpu: add mes resume when do gfx post soft reset
        drm/amdgpu: skip ASIC reset for APUs when go to S4
        drm/amdgpu: reposition the gpu reset checking for reuse
        drm/bridge: lt8912b: return EPROBE_DEFER if bridge is not found
        drm/meson: fix missing component unbind on bind errors
        drm: panel-orientation-quirks: Add quirk for Lenovo Yoga Book X90F
        Revert "drm/i915/hwmon: Enable PL1 power limit"
        drm/i915: Update vblank timestamping stuff on seamless M/N change
        drm/i915: Fix format for perf_limit_reasons
        drm/i915/gt: perform uc late init after probe error injection
        drm/i915/active: Fix missing debug object activation
        drm/i915/guc: Fix missing ecodes
        drm/i915/mtl: Disable MC6 for MTL A step
        ...
    • Merge tag 'for-6.3/dm-fixes' of... · 5ad4fe96
      Linus Torvalds authored
      Merge tag 'for-6.3/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
      
      Pull device mapper fixes from Mike Snitzer:
      
       - Fix DM thin to work as a swap device by using 'limit_swap_bios' DM
         target flag (initially added to allow swap to dm-crypt) to throttle
         the amount of outstanding swap bios.
      
       - Fix DM crypt soft lockup warnings by calling cond_resched() from the
         cpu intensive loop in dmcrypt_write().
      
       - Fix DM crypt to not access an uninitialized tasklet. This fix allows
         for consistent handling of IO completion, by _not_ needlessly punting
         to a workqueue when tasklets are not needed.
      
       - Fix DM core's alloc_dev() initialization for DM stats to check for
         and propagate alloc_percpu() failure.
      
      * tag 'for-6.3/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
        dm stats: check for and propagate alloc_percpu failure
        dm crypt: avoid accessing uninitialized tasklet
        dm crypt: add cond_resched() to dmcrypt_write()
        dm thin: fix deadlock when swapping to thin device
    • Merge tag 'block-6.3-2023-03-24' of git://git.kernel.dk/linux · 83511470
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
      
       - NVMe pull request via Christoph:
           - Send Identify with CNS 06h only to I/O controllers (Martin
             George)
           - Fix nvme_tcp_term_pdu to match spec (Caleb Sander)
      
       - Pass in issue_flags for uring_cmd, so the end_io handlers don't need
         to assume what the right context is (me)
      
       - Fix for ublk, marking it as LIVE before adding it to avoid races on
         the initial IO (Ming)
      
      * tag 'block-6.3-2023-03-24' of git://git.kernel.dk/linux:
        nvme-tcp: fix nvme_tcp_term_pdu to match spec
        nvme: send Identify with CNS 06h only to I/O controllers
        block/io_uring: pass in issue_flags for uring_cmd task_work handling
        block: ublk_drv: mark device as LIVE before adding disk
    • Merge tag 'io_uring-6.3-2023-03-24' of git://git.kernel.dk/linux · e344eb7b
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
      
       - Fix an issue with repeated -ECONNREFUSED on a socket (me)
      
       - Fix a NULL pointer dereference due to a stale lookup cache for
         allocating direct descriptors (Savino)
      
      * tag 'io_uring-6.3-2023-03-24' of git://git.kernel.dk/linux:
        io_uring/rsrc: fix null-ptr-deref in io_file_bitmap_get()
        io_uring/net: avoid sending -ECONNABORTED on repeated connection requests
    • Merge tag 'thermal-6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · fd3d06ff
      Linus Torvalds authored
      Pull thermal control fixes from Rafael Wysocki:
       "These address two recent regressions related to thermal control.
      
        Specifics:
      
         - Restore the thermal core behavior regarding zero-temperature trip
           points to avoid a driver regression (Ido Schimmel)
      
         - Fix a recent regression in the ACPI processor driver preventing it
           from changing the number of CPU cooling device states exposed via
           sysfs after the given CPU cooling device has been registered
           (Rafael Wysocki)"
      
      * tag 'thermal-6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        thermal: core: Restore behavior regarding invalid trip points
        ACPI: processor: thermal: Update CPU cooling devices on cpufreq policy changes
        thermal: core: Introduce thermal_cooling_device_update()
        thermal: core: Introduce thermal_cooling_device_present()
        ACPI: processor: Reorder acpi_processor_driver_init()
    • Merge tag 'acpi-6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 1868d192
      Linus Torvalds authored
      Pull ACPI fixes from Rafael Wysocki:
       "These add new ACPI IRQ override and backlight detection quirks.
      
        Specifics:
      
         - Add backlight=native DMI quirk for Acer Aspire 3830TG to the ACPI
           backlight driver (Hans de Goede)
      
         - Add an ACPI IRQ override quirk for Medion S17413 (Aymeric Wibo)"
      
      * tag 'acpi-6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPI: resource: Add Medion S17413 to IRQ override quirk
        ACPI: video: Add backlight=native DMI quirk for Acer Aspire 3830TG
    • Merge tag 'slab-fix-for-6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/vbabka/slab · cb7f5b41
      Linus Torvalds authored
      Pull slab fix from Vlastimil Babka:
       "A single build fix for a corner case configuration that is apparently
        possible to achieve on some arches, from Geert"
      
      * tag 'slab-fix-for-6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/vbabka/slab:
        mm/slab: Fix undefined init_cache_node_node() for NUMA and !SMP
    • Merge tag 'efi-fixes-for-v6.3-1' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi · 877c20b1
      Linus Torvalds authored
      Pull EFI fixes from Ard Biesheuvel:
      
       - Set the NX compat flag for arm64 and zboot, to ensure compatibility
         with EFI firmware that complies with tightening requirements imposed
         across the ecosystem.
      
       - Improve identification of Ampere Altra systems based on SMBIOS data.
      
       - Fix some issues related to the EFI framebuffer that were introduced
         as a result from some refactoring related to zboot and the merge with
         sysfb.
      
       - Makefile tweak to avoid rebuilding vmlinuz unnecessarily.
      
       - Fix efi_random_alloc() return value on out of memory condition.
      
      * tag 'efi-fixes-for-v6.3-1' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi:
        efi/libstub: randomalloc: Return EFI_OUT_OF_RESOURCES on failure
        efi/libstub: Use relocated version of kernel's struct screen_info
        efi/libstub: zboot: Add compressed image to make targets
        efi: sysfb_efi: Add quirk for Lenovo Yoga Book X91F/L
        efi: sysfb_efi: Fix DMI quirks not working for simpledrm
        efi/libstub: smbios: Drop unused 'recsize' parameter
        arm64: efi: Use SMBIOS processor version to key off Ampere quirk
        efi/libstub: smbios: Use length member instead of record struct size
        efi: earlycon: Reprobe after parsing config tables
        arm64: efi: Set NX compat flag in PE/COFF header
        efi/libstub: arm64: Remap relocated image with strict permissions
        efi/libstub: zboot: Mark zboot EFI application as NX compatible
    • Merge tag 'qcom-driver-fixes-for-6.3' of... · ec7d8bd7
      Arnd Bergmann authored
      Merge tag 'qcom-driver-fixes-for-6.3' of https://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux into soc/fixes
      
      Qualcomm driver fixes for v6.3
      
      Support for the secure world interrupting the SCM driver drive the wait
      queue mechanism was recently introduced, but most platforms don't have
      this mechanism and an error should not be printed in the log.
      
      The rmtfs_mem driver recently gained support for assigning the region to
      multiple VMIDs, but accidentally removed the support for running without
      assignment. A couple of changes are introduced to correct this.
      
      The SC8280XP LLCC slice configuration is wrong, resulting in incorrect
      configuration of the hardware. The table is corrected, based on the
      datasheet.
      
      * tag 'qcom-driver-fixes-for-6.3' of https://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux:
        firmware: qcom: scm: fix bogus irq error at probe
        soc: qcom: rmtfs: handle optional qcom,vmid correctly
        soc: qcom: rmtfs: fix error handling reading qcom,vmid
        soc: qcom: llcc: Fix slice configuration values for SC8280XP
      
      Link: https://lore.kernel.org/r/20230323142505.1086072-1-andersson@kernel.org
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    • Merge tag 'qcom-dts-fixes-for-6.3' of... · 7158e61c
      Arnd Bergmann authored
      Merge tag 'qcom-dts-fixes-for-6.3' of https://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux into soc/fixes
      
      Qualcomm ARM32 Devicetree fixes for v6.3
      
      This introduces missing reserved-memory ranges on LG G Watch R,
      resolving stability issues caused by Linux reusing memory used by
      firmware.
      
      * tag 'qcom-dts-fixes-for-6.3' of https://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux:
        ARM: dts: qcom: apq8026-lg-lenok: add missing reserved memory
      
      Link: https://lore.kernel.org/r/20230323141922.1085875-1-andersson@kernel.org
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    • Merge tag 'qcom-arm64-fixes-for-6.3' of... · f42ee7c4
      Arnd Bergmann authored
      Merge tag 'qcom-arm64-fixes-for-6.3' of https://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux into soc/fixes
      
      Qualcomm ARM64 Devicetree fixes for v6.3
      
      This corrects SIM card selection on the two newly introduced
      MSM8916-based USB modems.
      
      The firmware-name for the first CDSP is corrected on the SA8540P Ride
      board.
      
      The PCIe controller in SC7280 is marked cache-coherent, which resolves
      seen data corruption issues.
      
      Labels are added to the vadc channel nodes on SC8280XP, as the Linux
      driver was updated to not include the unit address when generating
      device names and collisions thereby prevented registration of the
      channels. Audio clocks and routing are corrected and a few regulators are
      marked always-on for the Lenovo Thinkpad X13s, as their clients are not
      fully described at this point.
      
      SPI5 was accidentally enabled by default on SM6115, and is disabled
      again.
      
      CDSP on SM6375 is provided its power-domains, to appropriately vote for
      during power up for the DSP.
      
      The iommu mask for the PCIe controllers in SM8150 is updated, to match
      what the hypervisor expects.
      
      The Venus firmware path is corrected on Xiaomi Mi Pad 5 Pro.
      
      The UFS controller is marked cache coherent on SM8350 and SM8450.
      
      The clocks for the second WSA macro on SM8450 are corrected, and given
      its own clocks.
      
      The bias-pull-up value for I2C pins are corrected on SM8550, to trigger
      the selection of the strong pull. CPU compatibles and the base address
      of the LPASS TLMM block are corrected.
      
      * tag 'qcom-arm64-fixes-for-6.3' of https://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux: (23 commits)
        arm64: dts: qcom: sc8280xp-x13s: mark bob regulator as always-on
        arm64: dts: qcom: sc8280xp-x13s: mark s12b regulator as always-on
        arm64: dts: qcom: sc8280xp-x13s: mark s10b regulator as always-on
        arm64: dts: qcom: sc8280xp-x13s: mark s11b regulator as always-on
        arm64: dts: qcom: sm8550: Mark UFS controller as cache coherent
        arm64: dts: qcom: sa8540p-ride: correct name of remoteproc_nsp0 firmware
        arm64: dts: qcom: sm8450: Mark UFS controller as cache coherent
        arm64: dts: qcom: sm8350: Mark UFS controller as cache coherent
        arm64: dts: qcom: sm8550: fix LPASS pinctrl slew base address
        arm64: dts: qcom: sc8280xp-x13s: fix va dmic dai links and routing
        arm64: dts: qcom: sc8280xp-x13s: fix dmic sample rate
        arm64: dts: qcom: sc8280xp: fix lpass tx macro clocks
        arm64: dts: qcom: sc8280xp: fix rx frame shapping info
        arm64: dts: qcom: sm8450: correct WSA2 assigned clocks
        arm64: dts: qcom: sc7280: Mark PCIe controller as cache coherent
        arm64: dts: qcom: msm8916-ufi: Fix sim card selection pinctrl
        arm64: dts: qcom: sm8250-xiaomi-elish: Correct venus firmware path
        arm64: dts: qcom: sm8550: Use correct CPU compatibles
        arm64: dts: qcom: sm8550: Add bias pull up value to tlmm i2c data clk states
        arm64: dts: qcom: sm6375: Add missing power-domain-named to CDSP
        ...
      
      Link: https://lore.kernel.org/r/20230323141642.1085684-1-andersson@kernel.org
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    • Merge tag 'riscv-for-linus-6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux · 19a6b66c
      Linus Torvalds authored
      Pull RISC-V fixes from Palmer Dabbelt:
      
       - A fix to match the CSR ASID masking rules when passing ASIDs to
         firmware
      
       - Force GCC to use ISA 2.2, to avoid a host of compatibility issues
         between toolchains
      
      * tag 'riscv-for-linus-6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
        riscv: Handle zicsr/zifencei issues between clang and binutils
        riscv: mm: Fix incorrect ASID argument when flushing TLB
    • Merge tag 'for-linus-6.3-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · 24956974
      Linus Torvalds authored
      Pull xen fixes from Juergen Gross:
      
       - fix build warning
      
       - avoid concurrent accesses to the Xen PV console ring page
      
      * tag 'for-linus-6.3-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        x86/PVH: avoid 32-bit build warning when obtaining VGA console info
        hvc/xen: prevent concurrent accesses to the shared ring
    • Merge branch 'thermal-acpi' · 6babf38d
      Rafael J. Wysocki authored
      Merge a fix for a recent thermal-related regression in the ACPI
      processor driver.
      
      * thermal-acpi:
        ACPI: processor: thermal: Update CPU cooling devices on cpufreq policy changes
        thermal: core: Introduce thermal_cooling_device_update()
        thermal: core: Introduce thermal_cooling_device_present()
        ACPI: processor: Reorder acpi_processor_driver_init()
    • Merge branch 'acpi-video' · 8dbfa057
      Rafael J. Wysocki authored
      Merge an ACPI backlight quirk for Acer Aspire 3830TG (Hans de Goede).
      
      * acpi-video:
        ACPI: video: Add backlight=native DMI quirk for Acer Aspire 3830TG
    • ACPI: resource: Add Medion S17413 to IRQ override quirk · 2d0ab146
      Aymeric Wibo authored
      Add DMI info of the Medion S17413 (board M1xA) to the IRQ override
      quirk table. This fixes the keyboard not working on these laptops.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=213031
      Signed-off-by: Aymeric Wibo <obiwac@gmail.com>
      [ rjw: Fixed up white space ]
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    • Merge tag 'tag-chrome-platform-fixes-for-v6.3-rc4' of... · 4bae0ad1
      Linus Torvalds authored
      Merge tag 'tag-chrome-platform-fixes-for-v6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux
      
      Pull chrome platform fix from Tzung-Bi Shih:
       "Fix a kernel data leak vulnerability"
      
      * tag 'tag-chrome-platform-fixes-for-v6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux:
        platform/chrome: cros_ec_chardev: fix kernel data leak from ioctl
    • Merge tag 'i2c-for-6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · ed1407e7
      Linus Torvalds authored
      Pull i2c fixes from Wolfram Sang:
       "A set of regular driver fixes"
      
      * tag 'i2c-for-6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer()
        i2c: hisi: Only use the completion interrupt to finish the transfer
        i2c: hisi: Avoid redundant interrupts
        i2c: mxs: ensure that DMA buffers are safe for DMA
        i2c: imx-lpi2c: check only for enabled interrupt flags
        i2c: imx-lpi2c: clean rx/tx buffers upon new message
    • Merge tag 'net-6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 608f1b13
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from bpf, wifi and bluetooth.
      
        Current release - regressions:
      
         - wifi: mt76: mt7915: add back 160MHz channel width support for
           MT7915
      
         - libbpf: revert poisoning of strlcpy, it broke uClibc-ng
      
        Current release - new code bugs:
      
         - bpf: improve the coverage of the "allow reads from uninit stack"
           feature to fix verification complexity problems
      
         - eth: am65-cpts: reset PPS genf adj settings on enable
      
        Previous releases - regressions:
      
         - wifi: mac80211: serialize ieee80211_handle_wake_tx_queue()
      
         - wifi: mt76: do not run mt76_unregister_device() on unregistered hw,
           fix null-deref
      
         - Bluetooth: btqcomsmd: fix command timeout after setting BD address
      
         - eth: igb: revert rtnl_lock() that causes a deadlock
      
         - dsa: mscc: ocelot: fix device specific statistics
      
        Previous releases - always broken:
      
         - xsk: add missing overflow check in xdp_umem_reg()
      
         - wifi: mac80211:
            - fix QoS on mesh interfaces
            - fix mesh path discovery based on unicast packets
      
         - Bluetooth:
            - ISO: fix timestamped HCI ISO data packet parsing
            - remove "Power-on" check from Mesh feature
      
         - usbnet: more fixes to drivers trusting packet length
      
         - wifi: iwlwifi: mvm: fix mvmtxq->stopped handling
      
         - Bluetooth: btintel: iterate only bluetooth device ACPI entries
      
         - eth: iavf: fix inverted Rx hash condition leading to disabled hash
      
         - eth: igc: fix the validation logic for taprio's gate list
      
         - dsa: tag_brcm: legacy: fix daisy-chained switches
      
        Misc:
      
         - bpf: adjust insufficient default bpf_jit_limit to account for
           growth of BPF use over the last 5 years
      
         - xdp: bpf_xdp_metadata() use EOPNOTSUPP as unique errno indicating
           no driver support"
      
      * tag 'net-6.3-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (84 commits)
        Bluetooth: HCI: Fix global-out-of-bounds
        Bluetooth: mgmt: Fix MGMT add advmon with RSSI command
        Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work
        Bluetooth: L2CAP: Fix responding with wrong PDU type
        Bluetooth: btqcomsmd: Fix command timeout after setting BD address
        Bluetooth: btinel: Check ACPI handle for NULL before accessing
        net: mdio: thunder: Add missing fwnode_handle_put()
        net: dsa: mt7530: move setting ssc_delta to PHY_INTERFACE_MODE_TRGMII case
        net: dsa: mt7530: move lowering TRGMII driving to mt7530_setup()
        net: dsa: mt7530: move enabling disabling core clock to mt7530_pll_setup()
        net: asix: fix modprobe "sysfs: cannot create duplicate filename"
        gve: Cache link_speed value from device
        tools: ynl: Fix genlmsg header encoding formats
        net: enetc: fix aggregate RMON counters not showing the ranges
        Bluetooth: Remove "Power-on" check from Mesh feature
        Bluetooth: Fix race condition in hci_cmd_sync_clear
        Bluetooth: btintel: Iterate only bluetooth device ACPI entries
        Bluetooth: ISO: fix timestamped HCI ISO data packet parsing
        Bluetooth: btusb: Remove detection of ISO packets over bulk
        Bluetooth: hci_core: Detect if an ACL packet is in fact an ISO packet
        ...
    • Merge tag 'for-6.3-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 28506304
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
       "A few more fixes, the zoned accounting fix is spread across a few
        patches, preparatory and the actual fixes:
      
         - zoned mode:
            - fix accounting of unusable zone space
            - fix zone activation condition for DUP profile
            - preparatory patches
      
         - improved error handling of missing chunks
      
         - fix compiler warning"
      
      * tag 'for-6.3-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: zoned: drop space_info->active_total_bytes
        btrfs: zoned: count fresh BG region as zone unusable
        btrfs: use temporary variable for space_info in btrfs_update_block_group
        btrfs: rename BTRFS_FS_NO_OVERCOMMIT to BTRFS_FS_ACTIVE_ZONE_TRACKING
        btrfs: zoned: fix btrfs_can_activate_zone() to support DUP profile
        btrfs: fix compiler warning on SPARC/PA-RISC handling fscrypt_setup_filename
        btrfs: handle missing chunk mapping more gracefully
    • Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 6dd74c51
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "Four small fixes, three in drivers.
      
        The core fix adds a UFS device to an existing quirk to avoid a huge
        delay on boot"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: scsi_dh_alua: Fix memleak for 'qdata' in alua_activate()
        scsi: qla2xxx: Synchronize the IOCB count to be in order
        scsi: qla2xxx: Perform lockless command completion in abort path
        scsi: core: Add BLIST_SKIP_VPD_PAGES for SKhynix H28U74301AMR
    • gpu: host1x: fix uninitialized variable use · 08570b7c
      Arnd Bergmann authored
      The error handling for platform_get_irq() failing no longer
      works after a recent change, clang now points this out with
      a warning:
      
      drivers/gpu/host1x/dev.c:520:6: error: variable 'syncpt_irq' is uninitialized when used here [-Werror,-Wuninitialized]
              if (syncpt_irq < 0)
                  ^~~~~~~~~~
      
      Fix this by removing the variable and checking the correct
      error status.
      
      Fixes: 625d4ffb ("gpu: host1x: Rewrite syncpoint interrupt handling")
      Reviewed-by: Nathan Chancellor <nathan@kernel.org>
      Reviewed-by: Mikko Perttunen <mperttunen@nvidia.com>
      Reported-by: "kernelci.org bot" <bot@kernelci.org>
      Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
      Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
      Link: https://patchwork.freedesktop.org/patch/msgid/20230127221418.2522612-1-arnd@kernel.org
    • Merge tag 'amd-drm-fixes-6.3-2023-03-23' of... · 2e4e9de1
      Daniel Vetter authored
      Merge tag 'amd-drm-fixes-6.3-2023-03-23' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes
      
      amd-drm-fixes-6.3-2023-03-23:
      
      amdgpu:
      - S4 fix
      - Soft reset fixes
      - SR-IOV fix
      - Remove an out of date comment in the DC code
      - ASPM fix
      - DCN 3.2 fixes
      Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
      From: Alex Deucher <alexander.deucher@amd.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20230323161939.7751-1-alexander.deucher@amd.com
    • Merge tag 'drm-intel-fixes-2023-03-23' of... · e37fef79
      Daniel Vetter authored
      Merge tag 'drm-intel-fixes-2023-03-23' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
      
      drm/i915 fixes for v6.3-rc4:
      - Fix an MTL workaround
      - Fix fbdev obj locking before vma pin
      - Fix state inheritance tracking in initial commit
      - Fix missing GuC error capture codes
      - Fix missing debug object activation
      - Fix uc init late order relative to probe error injection
      - Fix perf limit reasons formatting
      - Fix vblank timestamp update on seamless M/N changes
      Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
      From: Jani Nikula <jani.nikula@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/878rfn7njw.fsf@intel.com
    • Merge tag 'drm-misc-fixes-2023-03-23' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes · 9b5dbf6b
      Daniel Vetter authored
      Short summary of fixes pull:
      
       * fixes for bind and probing error handling for meson, lt8912b bridge
       * panel-orientation fixes for Lenovo Book X90F
      Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
      From: Thomas Zimmermann <tzimmermann@suse.de>
      Link: https://patchwork.freedesktop.org/patch/msgid/20230323082401.GA8371@linux-uq9g
    • ksmbd: return unsupported error on smb1 mount · 39b291b8
      Namjae Jeon authored
      ksmbd disconnects the connection when mounting with vers=smb1.
      ksmbd should send an smb1 negotiate response to the client for a correct
      unsupported error return. This patch adds the needed SMB1 macros and fills
      the NegProt part of the response for the smb1 negotiate response.
      
      Cc: stable@vger.kernel.org
      Reported-by: Steve French <stfrench@microsoft.com>
      Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
      Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
      Signed-off-by: Steve French <stfrench@microsoft.com>
    • platform/chrome: cros_ec_chardev: fix kernel data leak from ioctl · b20cf3f8
      Tzung-Bi Shih authored
      It is possible to peek at kernel page data by providing a larger `insize`
      in struct cros_ec_command[1] when invoking EC host commands.
      
      Fix it by using zeroed memory.
      
      [1]: https://elixir.bootlin.com/linux/v6.2/source/include/linux/platform_data/cros_ec_proto.h#L74
      
      Fixes: eda2e30c ("mfd / platform: cros_ec: Miscellaneous character device to talk with the EC")
      Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
      Reviewed-by: Guenter Roeck <groeck@chromium.org>
      Link: https://lore.kernel.org/r/20230324010658.1082361-1-tzungbi@kernel.org
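A user-space model of the leak described in the cros_ec_chardev commit message above, added here as an example (it is not the driver's code and not part of the commit). It assumes the handler sizes its buffer from the caller's `insize` and copies `insize` bytes back even when the device wrote fewer; `demo_cmd`, `alloc_stale`, `device_reply` and `handle_request` are hypothetical names, and the 0xAA marker is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STALE 0xAA  /* constructed marker standing in for leftover heap contents */

/* Hypothetical request header; only `insize` mirrors a field named in the commit message. */
struct demo_cmd {
    uint32_t outsize;   /* bytes the caller sends */
    uint32_t insize;    /* bytes the caller asks to get back */
    uint8_t  data[];
};

/* Stand-in allocator: returns memory that still holds a previous owner's bytes. */
static void *alloc_stale(size_t n)
{
    void *p = malloc(n);
    if (p) memset(p, STALE, n);
    return p;
}

/* Stand-in for the device: it answers with at most 4 bytes, whatever insize says. */
static size_t device_reply(struct demo_cmd *c)
{
    static const uint8_t reply[4] = { 1, 2, 3, 4 };
    size_t n = c->insize < sizeof(reply) ? c->insize : sizeof(reply);
    memcpy(c->data, reply, n);
    return n;
}

/* Handles one request; returns how many stale bytes end up in the caller's buffer. */
static size_t handle_request(uint32_t insize, int zeroed, uint8_t *user_buf)
{
    size_t total = sizeof(struct demo_cmd) + insize;
    struct demo_cmd *c = zeroed ? calloc(1, total) : alloc_stale(total);
    size_t leaked = 0;
    if (!c) return (size_t)-1;
    c->outsize = 0;
    c->insize = insize;
    size_t n = device_reply(c);
    memcpy(user_buf, c->data, insize);   /* all of insize goes back to the caller */
    for (size_t i = n; i < insize; i++)
        leaked += (user_buf[i] == STALE);
    free(c);
    return leaked;
}

int main(void)
{
    uint8_t buf[64];
    printf("unzeroed: %zu stale bytes\n", handle_request(sizeof(buf), 0, buf));
    printf("zeroed:   %zu stale bytes\n", handle_request(sizeof(buf), 1, buf));
    return 0;
}
```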
  4. 23 Mar, 2023 6 commits
    • Merge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 1b4ae19e
      Jakub Kicinski authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2023-03-23
      
      We've added 8 non-merge commits during the last 13 day(s) which contain
      a total of 21 files changed, 238 insertions(+), 161 deletions(-).
      
      The main changes are:
      
      1) Fix verification issues in some BPF programs due to their stack usage
         patterns, from Eduard Zingerman.
      
      2) Fix to add missing overflow checks in xdp_umem_reg and return an error
         in such case, from Kal Conley.
      
      3) Fix and undo poisoning of strlcpy in libbpf given it broke builds for
         libcs which provided the former like uClibc-ng, from Jesus Sanchez-Palencia.
      
      4) Fix insufficient bpf_jit_limit default to avoid users running into hard
         to debug seccomp BPF errors, from Daniel Borkmann.
      
      5) Fix driver return code when they don't support a bpf_xdp_metadata kfunc
         to make it unambiguous from other errors, from Jesper Dangaard Brouer.
      
      6) Two BPF selftest fixes to address compilation errors from recent changes
         in kernel structures, from Alexei Starovoitov.
      
      * tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
        xdp: bpf_xdp_metadata use EOPNOTSUPP for no driver support
        bpf: Adjust insufficient default bpf_jit_limit
        xsk: Add missing overflow check in xdp_umem_reg
        selftests/bpf: Fix progs/test_deny_namespace.c issues.
        selftests/bpf: Fix progs/find_vma_fail1.c build error.
        libbpf: Revert poisoning of strlcpy
        selftests/bpf: Tests for uninitialized stack reads
        bpf: Allow reads from uninit stack
      ====================
      
      Link: https://lore.kernel.org/r/20230323225221.6082-1-daniel@iogearbox.net
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge tag 'for-net-2023-03-23' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth · 2e63a2df
      Jakub Kicinski authored
      Luiz Augusto von Dentz says:
      
      ====================
      bluetooth pull request for net:
      
       - Fix MGMT add advmon with RSSI command
       - L2CAP: Fix responding with wrong PDU type
       - Fix race condition in hci_cmd_sync_clear
       - ISO: Fix timestamped HCI ISO data packet parsing
       - HCI: Fix global-out-of-bounds
       - hci_sync: Resume adv with no RPA when active scan
      
      * tag 'for-net-2023-03-23' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
        Bluetooth: HCI: Fix global-out-of-bounds
        Bluetooth: mgmt: Fix MGMT add advmon with RSSI command
        Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work
        Bluetooth: L2CAP: Fix responding with wrong PDU type
        Bluetooth: btqcomsmd: Fix command timeout after setting BD address
        Bluetooth: btinel: Check ACPI handle for NULL before accessing
        Bluetooth: Remove "Power-on" check from Mesh feature
        Bluetooth: Fix race condition in hci_cmd_sync_clear
        Bluetooth: btintel: Iterate only bluetooth device ACPI entries
        Bluetooth: ISO: fix timestamped HCI ISO data packet parsing
        Bluetooth: btusb: Remove detection of ISO packets over bulk
        Bluetooth: hci_core: Detect if an ACL packet is in fact an ISO packet
        Bluetooth: hci_sync: Resume adv with no RPA when active scan
      ====================
      
      Link: https://lore.kernel.org/r/20230323202335.3380841-1-luiz.dentz@gmail.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge tag 'wireless-2023-03-23' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless · 4f44d326
      Jakub Kicinski authored
      Kalle Valo says:
      
      ====================
      wireless fixes for v6.3
      
      Third set of fixes for v6.3. mt76 has two kernel crash fixes and
      adding back 160 MHz channel support for mt7915. mac80211 has fixes for
      a race in transmit path and two mesh related fixes. iwlwifi also has
      fixes for races.
      
      * tag 'wireless-2023-03-23' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless:
        wifi: mac80211: fix mesh path discovery based on unicast packets
        wifi: mac80211: fix qos on mesh interfaces
        wifi: iwlwifi: mvm: protect TXQ list manipulation
        wifi: iwlwifi: mvm: fix mvmtxq->stopped handling
        wifi: mac80211: Serialize ieee80211_handle_wake_tx_queue()
        wifi: mwifiex: mark OF related data as maybe unused
        wifi: mt76: connac: do not check WED status for non-mmio devices
        wifi: mt76: mt7915: add back 160MHz channel width support for MT7915
        wifi: mt76: do not run mt76_unregister_device() on unregistered hw
      ====================
      
      Link: https://lore.kernel.org/r/20230323110332.C4FE4C433D2@smtp.kernel.org
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • Merge tag 'gfs2-v6.3-rc3-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2 · 1e760fa3
      Linus Torvalds authored
      Pull gfs2 fix from Andreas Gruenbacher:
      
       - Reinstate commit 970343cd ("GFS2: free disk inode which is
         deleted by remote node -V2") as reverting that commit could cause
         gfs2_put_super() to hang.
      
      * tag 'gfs2-v6.3-rc3-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2:
        Reinstate "GFS2: free disk inode which is deleted by remote node -V2"
    • Bluetooth: HCI: Fix global-out-of-bounds · bce56405
      Sungwoo Kim authored
      To loop a variable-length array, hci_init_stage_sync(stage) considers
      that stage[i] is valid as long as stage[i-1].func is valid.
      Thus, the last element of stage[].func should be intentionally invalid
      as hci_init0[], le_init2[], and others did.
      However, amp_init1[] and amp_init2[] have no invalid element, letting
      hci_init_stage_sync() keep accessing amp_init1[] over its valid range.
      This patch fixes this by adding {} in the last of amp_init1[] and
      amp_init2[].
      
      ==================================================================
      BUG: KASAN: global-out-of-bounds in hci_dev_open_sync (
      /v6.2-bzimage/net/bluetooth/hci_sync.c:3154
      /v6.2-bzimage/net/bluetooth/hci_sync.c:3343
      /v6.2-bzimage/net/bluetooth/hci_sync.c:4418
      /v6.2-bzimage/net/bluetooth/hci_sync.c:4609
      /v6.2-bzimage/net/bluetooth/hci_sync.c:4689)
      Read of size 8 at addr ffffffffaed1ab70 by task kworker/u5:0/1032
      CPU: 0 PID: 1032 Comm: kworker/u5:0 Not tainted 6.2.0 #3
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04
      Workqueue: hci1 hci_power_on
      Call Trace:
       <TASK>
      dump_stack_lvl (/v6.2-bzimage/lib/dump_stack.c:107 (discriminator 1))
      print_report (/v6.2-bzimage/mm/kasan/report.c:307
        /v6.2-bzimage/mm/kasan/report.c:417)
      ? hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:3154
        /v6.2-bzimage/net/bluetooth/hci_sync.c:3343
        /v6.2-bzimage/net/bluetooth/hci_sync.c:4418
        /v6.2-bzimage/net/bluetooth/hci_sync.c:4609
        /v6.2-bzimage/net/bluetooth/hci_sync.c:4689)
      kasan_report (/v6.2-bzimage/mm/kasan/report.c:184
        /v6.2-bzimage/mm/kasan/report.c:519)
      ? hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:3154
        /v6.2-bzimage/net/bluetooth/hci_sync.c:3343
        /v6.2-bzimage/net/bluetooth/hci_sync.c:4418
        /v6.2-bzimage/net/bluetooth/hci_sync.c:4609
        /v6.2-bzimage/net/bluetooth/hci_sync.c:4689)
      hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:3154
        /v6.2-bzimage/net/bluetooth/hci_sync.c:3343
        /v6.2-bzimage/net/bluetooth/hci_sync.c:4418
        /v6.2-bzimage/net/bluetooth/hci_sync.c:4609
        /v6.2-bzimage/net/bluetooth/hci_sync.c:4689)
      ? __pfx_hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:4635)
      ? mutex_lock (/v6.2-bzimage/./arch/x86/include/asm/atomic64_64.h:190
        /v6.2-bzimage/./include/linux/atomic/atomic-long.h:443
        /v6.2-bzimage/./include/linux/atomic/atomic-instrumented.h:1781
        /v6.2-bzimage/kernel/locking/mutex.c:171
        /v6.2-bzimage/kernel/locking/mutex.c:285)
      ? __pfx_mutex_lock (/v6.2-bzimage/kernel/locking/mutex.c:282)
      hci_power_on (/v6.2-bzimage/net/bluetooth/hci_core.c:485
        /v6.2-bzimage/net/bluetooth/hci_core.c:984)
      ? __pfx_hci_power_on (/v6.2-bzimage/net/bluetooth/hci_core.c:969)
      ? read_word_at_a_time (/v6.2-bzimage/./include/asm-generic/rwonce.h:85)
      ? strscpy (/v6.2-bzimage/./arch/x86/include/asm/word-at-a-time.h:62
        /v6.2-bzimage/lib/string.c:161)
      process_one_work (/v6.2-bzimage/kernel/workqueue.c:2294)
      worker_thread (/v6.2-bzimage/./include/linux/list.h:292
        /v6.2-bzimage/kernel/workqueue.c:2437)
      ? __pfx_worker_thread (/v6.2-bzimage/kernel/workqueue.c:2379)
      kthread (/v6.2-bzimage/kernel/kthread.c:376)
      ? __pfx_kthread (/v6.2-bzimage/kernel/kthread.c:331)
      ret_from_fork (/v6.2-bzimage/arch/x86/entry/entry_64.S:314)
       </TASK>
      The buggy address belongs to the variable:
      amp_init1+0x30/0x60
      The buggy address belongs to the physical page:
      page:000000003a157ec6 refcount:1 mapcount:0 mapping:0000000000000000 ia
      flags: 0x200000000001000(reserved|node=0|zone=2)
      raw: 0200000000001000 ffffea0005054688 ffffea0005054688 000000000000000
      raw: 0000000000000000 0000000000000000 00000001ffffffff 000000000000000
      page dumped because: kasan: bad access detected
      Memory state around the buggy address:
       ffffffffaed1aa00: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 00
       ffffffffaed1aa80: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
      >ffffffffaed1ab00: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 f9 f9
                                                                   ^
       ffffffffaed1ab80: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 f9
       ffffffffaed1ac00: f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9 00 00 02 f9
      
      This bug is found by FuzzBT, a modified version of Syzkaller.
      Other contributors for this bug are Ruoyu Wu and Peng Hui.
      
      Fixes: d0b13706 ("Bluetooth: hci_sync: Rework init stages")
      Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
      Reviewed-by: Simon Horman <simon.horman@corigine.com>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
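The sentinel-terminated table walk described in the Bluetooth HCI commit message above, as an added C example (it is not the kernel's code and not part of the commit). `struct stage`, the step functions and both tables are hypothetical stand-ins; the bounded walk goes beyond the patch, which only adds the terminating element.

```c
#include <stddef.h>
#include <stdio.h>
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical stand-in for one init-stage entry; a NULL func ends the table. */
struct stage {
    int (*func)(int *state);
};

static int step_reset(int *state) { *state = 0;  return 0; }
static int step_read(int *state)  { *state += 1; return 0; }

/* Shape before the fix: no terminating element after the last real entry. */
static const struct stage table_unterminated[] = {
    { step_reset },
    { step_read },
};

/* Shape after the fix: a trailing empty element gives the walk a NULL to stop on. */
static const struct stage table_terminated[] = {
    { step_reset },
    { step_read },
    { NULL },
};

/* Sentinel walk: only safe on a terminated table. Returns steps run or an error. */
static int run_stages(const struct stage *stage, int *state)
{
    int ran = 0;
    for (size_t i = 0; stage[i].func; i++, ran++) {
        int err = stage[i].func(state);
        if (err) return err;
    }
    return ran;
}

/* Bounded walk: never reads past nelems; -1 means no terminator was found. */
static int run_stages_bounded(const struct stage *stage, size_t nelems, int *state)
{
    size_t i;
    for (i = 0; i < nelems && stage[i].func; i++) {
        int err = stage[i].func(state);
        if (err) return err;
    }
    return i == nelems ? -1 : (int)i;
}

int main(void)
{
    int s = 7, a = run_stages(table_terminated, &s);
    int b = run_stages_bounded(table_unterminated, ARRAY_SIZE(table_unterminated), &s);
    printf("terminated: %d, unterminated (bounded): %d\n", a, b);
    return 0;
}
```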
    • Bluetooth: mgmt: Fix MGMT add advmon with RSSI command · 1a0291f8
      Howard Chung authored
      The MGMT command MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI uses a
      variable-length argument. This leaves the host unable to register advmon with rssi.
      
      This patch has been locally tested by adding monitor with rssi via
      btmgmt on a kernel 6.1 machine.
      Reviewed-by: Archie Pusaka <apusaka@chromium.org>
      Fixes: b338d917 ("Bluetooth: Implement support for Mesh")
      Signed-off-by: Howard Chung <howardchung@google.com>
      Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>