1. 05 May, 2024 5 commits
    • Linus Torvalds's avatar
      Merge tag 'input-for-v6.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · 3f1d0865
      Linus Torvalds authored
      Pull input fixes from Dmitry Torokhov:
      
       - a new ID for ASUS ROG RAIKIRI controllers added to xpad driver
      
       - amimouse driver structure annotated with __refdata to prevent section
         mismatch warnings.
      
      * tag 'input-for-v6.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: amimouse - mark driver struct with __refdata to prevent section mismatch
        Input: xpad - add support for ASUS ROG RAIKIRI
      3f1d0865
    • Linus Torvalds's avatar
      Merge tag 'probes-fixes-v6.9-rc6' of... · 2c17a1cd
      Linus Torvalds authored
      Merge tag 'probes-fixes-v6.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
      
      Pull probes fix from Masami Hiramatsu:
      
       - probe-events: Fix memory leak in parsing probe argument.
      
         There is a memory leak (forget to free an allocated buffer) in a
         memory allocation failure path. Fix it to jump to the correct error
         handling code.
      
      * tag 'probes-fixes-v6.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
        tracing/probes: Fix memory leak in traceprobe_parse_probe_arg_body()
      2c17a1cd
    • Linus Torvalds's avatar
      Merge tag 'trace-v6.9-rc6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace · e92b99ae
      Linus Torvalds authored
      Pull tracing and tracefs fixes from Steven Rostedt:
      
       - Fix RCU callback of freeing an eventfs_inode.
      
         The freeing of the eventfs_inode from the kref going to zero freed
         the contents of the eventfs_inode and then used kfree_rcu() to free
         the inode itself. But the contents should also be protected by RCU.
         Switch to a call_rcu() that calls a function to free all of the
         eventfs_inode after the RCU synchronization.
      
       - The tracing subsystem maps its own descriptor to a file represented
         by eventfs. The freeing of this descriptor needs to know when the
         last reference of an eventfs_inode is released, but currently there
         is no interface for that.
      
         Add a "release" callback to the eventfs_inode entry array that allows
         for freeing of data that can be referenced by the eventfs_inode being
         opened. Then increment the ref counter for this descriptor when the
         eventfs_inode file is created, and decrement/free it when the last
         reference to the eventfs_inode is released and the file is removed.
         This prevents races between freeing the descriptor and the opening of
         the eventfs file.
      
       - Fix the permission processing of eventfs.
      
         The change to make the permissions of eventfs default to the mount
         point but keep track of when changes were made had a side effect that
         could cause security concerns. When the tracefs is remounted with a
         given gid or uid, all the files within it should inherit that gid or
         uid. But if the admin had changed the permission of some file within
         the tracefs file system, it would not get updated by the remount.
      
         This caused the kselftest of file permissions to fail the second time
         it is run. The first time, all changes would look fine, but the
         second time, because the changes were "saved", the remount did not
         reset them.
      
         Create a link list of all existing tracefs inodes, and clear the
         saved flags on them on a remount if the remount changes the
         corresponding gid or uid fields.
      
         This also simplifies the code by removing the distinction between the
         toplevel eventfs and an instance eventfs. They should both act the
         same. They were different because of a misconception due to the
         remount not resetting the flags. Now that remount resets all the
         files and directories to default to the root node if a uid/gid is
         specified, it makes the logic simpler to implement.
      
      * tag 'trace-v6.9-rc6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
        eventfs: Have "events" directory get permissions from its parent
        eventfs: Do not treat events directory different than other directories
        eventfs: Do not differentiate the toplevel events directory
        tracefs: Still use mount point as default permissions for instances
        tracefs: Reset permissions on remount if permissions are options
        eventfs: Free all of the eventfs_inode after RCU
        eventfs/tracing: Add callback for release of an eventfs_inode
      e92b99ae
    • Linus Torvalds's avatar
      Merge tag 'dma-mapping-6.9-2024-05-04' of git://git.infradead.org/users/hch/dma-mapping · 4fbcf585
      Linus Torvalds authored
      Pull dma-mapping fix from Christoph Hellwig:
      
       - fix the combination of restricted pools and dynamic swiotlb
         (Will Deacon)
      
      * tag 'dma-mapping-6.9-2024-05-04' of git://git.infradead.org/users/hch/dma-mapping:
        swiotlb: initialise restricted pool list_head when SWIOTLB_DYNAMIC=y
      4fbcf585
    • Linus Torvalds's avatar
      Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · 61ccc8c3
      Linus Torvalds authored
      Pull clk fixes from Stephen Boyd:
       "A handful of clk driver fixes:
      
         - Avoid a deadlock in the Qualcomm clk driver by making the regulator
           which supplies the GDSC optional
      
         - Restore RPM clks on Qualcomm msm8976 by setting num_clks
      
         - Fix Allwinner H6 CPU rate changing logic to avoid system crashes by
           temporarily reparenting the CPU clk to something that isn't being
           changed
      
         - Set a MIPI PLL min/max rate on Allwinner A64 to fix blank screens
           on some devices
      
         - Revert back to of_match_device() in the Samsung clkout driver to
           get the match data based on the parent device's compatible string"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk: samsung: Revert "clk: Use device_get_match_data()"
        clk: sunxi-ng: a64: Set minimum and maximum rate for PLL-MIPI
        clk: sunxi-ng: common: Support minimum and maximum rate
        clk: sunxi-ng: h6: Reparent CPUX during PLL CPUX rate change
        clk: qcom: smd-rpm: Restore msm8976 num_clk
        clk: qcom: gdsc: treat optional supplies as optional
      61ccc8c3
  2. 04 May, 2024 7 commits
    • Steven Rostedt (Google)'s avatar
      eventfs: Have "events" directory get permissions from its parent · d57cf30c
      Steven Rostedt (Google) authored
      The events directory gets its permissions from the root inode. But this
      can cause an inconsistency if the instances directory changes its
      permissions, as the permissions of the created directories under it should
      inherit the permissions of the instances directory when directories under
      it are created.
      
      Currently the behavior is:
      
       # cd /sys/kernel/tracing
       # chgrp 1002 instances
       # mkdir instances/foo
       # ls -l instances/foo
      [..]
       -r--r-----  1 root lkp  0 May  1 18:55 buffer_total_size_kb
       -rw-r-----  1 root lkp  0 May  1 18:55 current_tracer
       -rw-r-----  1 root lkp  0 May  1 18:55 error_log
       drwxr-xr-x  1 root root 0 May  1 18:55 events
       --w-------  1 root lkp  0 May  1 18:55 free_buffer
       drwxr-x---  2 root lkp  0 May  1 18:55 options
       drwxr-x--- 10 root lkp  0 May  1 18:55 per_cpu
       -rw-r-----  1 root lkp  0 May  1 18:55 set_event
      
      All the files and directories under "foo" has the "lkp" group except the
      "events" directory. That's because its getting its default value from the
      mount point instead of its parent.
      
      Have the "events" directory make its default value based on its parent's
      permissions. That now gives:
      
       # ls -l instances/foo
      [..]
       -rw-r-----  1 root lkp 0 May  1 21:16 buffer_subbuf_size_kb
       -r--r-----  1 root lkp 0 May  1 21:16 buffer_total_size_kb
       -rw-r-----  1 root lkp 0 May  1 21:16 current_tracer
       -rw-r-----  1 root lkp 0 May  1 21:16 error_log
       drwxr-xr-x  1 root lkp 0 May  1 21:16 events
       --w-------  1 root lkp 0 May  1 21:16 free_buffer
       drwxr-x---  2 root lkp 0 May  1 21:16 options
       drwxr-x--- 10 root lkp 0 May  1 21:16 per_cpu
       -rw-r-----  1 root lkp 0 May  1 21:16 set_event
      
      Link: https://lore.kernel.org/linux-trace-kernel/20240502200906.161887248@goodmis.org
      
      Cc: stable@vger.kernel.org
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Fixes: 8186fff7 ("tracefs/eventfs: Use root and instance inodes as default ownership")
      Signed-off-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      d57cf30c
    • Steven Rostedt (Google)'s avatar
      eventfs: Do not treat events directory different than other directories · 22e61e15
      Steven Rostedt (Google) authored
      Treat the events directory the same as other directories when it comes to
      permissions. The events directory was considered different because it's
      dentry is persistent, whereas the other directory dentries are created
      when accessed. But the way tracefs now does its ownership by using the
      root dentry's permissions as the default permissions, the events directory
      can get out of sync when a remount is performed setting the group and user
      permissions.
      
      Remove the special case for the events directory on setting the
      attributes. This allows the updates caused by remount to work properly as
      well as simplifies the code.
      
      Link: https://lore.kernel.org/linux-trace-kernel/20240502200906.002923579@goodmis.org
      
      Cc: stable@vger.kernel.org
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Fixes: 8186fff7 ("tracefs/eventfs: Use root and instance inodes as default ownership")
      Signed-off-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      22e61e15
    • Steven Rostedt (Google)'s avatar
      eventfs: Do not differentiate the toplevel events directory · d53891d3
      Steven Rostedt (Google) authored
      The toplevel events directory is really no different than the events
      directory of instances. Having the two be different caused
      inconsistencies and made it harder to fix the permissions bugs.
      
      Make all events directories act the same.
      
      Link: https://lore.kernel.org/linux-trace-kernel/20240502200905.846448710@goodmis.org
      
      Cc: stable@vger.kernel.org
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Fixes: 8186fff7 ("tracefs/eventfs: Use root and instance inodes as default ownership")
      Signed-off-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      d53891d3
    • Steven Rostedt (Google)'s avatar
      tracefs: Still use mount point as default permissions for instances · 6599bd55
      Steven Rostedt (Google) authored
      If the instances directory's permissions were never change, then have it
      and its children use the mount point permissions as the default.
      
      Currently, the permissions of instance directories are determined by the
      instance directory's permissions itself. But if the tracefs file system is
      remounted and changes the permissions, the instance directory and its
      children should use the new permission.
      
      But because both the instance directory and its children use the instance
      directory's inode for permissions, it misses the update.
      
      To demonstrate this:
      
        # cd /sys/kernel/tracing/
        # mkdir instances/foo
        # ls -ld instances/foo
       drwxr-x--- 5 root root 0 May  1 19:07 instances/foo
        # ls -ld instances
       drwxr-x--- 3 root root 0 May  1 18:57 instances
        # ls -ld current_tracer
       -rw-r----- 1 root root 0 May  1 18:57 current_tracer
      
        # mount -o remount,gid=1002 .
        # ls -ld instances
       drwxr-x--- 3 root root 0 May  1 18:57 instances
        # ls -ld instances/foo/
       drwxr-x--- 5 root root 0 May  1 19:07 instances/foo/
        # ls -ld current_tracer
       -rw-r----- 1 root lkp 0 May  1 18:57 current_tracer
      
      Notice that changing the group id to that of "lkp" did not affect the
      instances directory nor its children. It should have been:
      
        # ls -ld current_tracer
       -rw-r----- 1 root root 0 May  1 19:19 current_tracer
        # ls -ld instances/foo/
       drwxr-x--- 5 root root 0 May  1 19:25 instances/foo/
        # ls -ld instances
       drwxr-x--- 3 root root 0 May  1 19:19 instances
      
        # mount -o remount,gid=1002 .
        # ls -ld current_tracer
       -rw-r----- 1 root lkp 0 May  1 19:19 current_tracer
        # ls -ld instances
       drwxr-x--- 3 root lkp 0 May  1 19:19 instances
        # ls -ld instances/foo/
       drwxr-x--- 5 root lkp 0 May  1 19:25 instances/foo/
      
      Where all files were updated by the remount gid update.
      
      Link: https://lore.kernel.org/linux-trace-kernel/20240502200905.686838327@goodmis.org
      
      Cc: stable@vger.kernel.org
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Fixes: 8186fff7 ("tracefs/eventfs: Use root and instance inodes as default ownership")
      Signed-off-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      6599bd55
    • Steven Rostedt (Google)'s avatar
      tracefs: Reset permissions on remount if permissions are options · baa23a8d
      Steven Rostedt (Google) authored
      There's an inconsistency with the way permissions are handled in tracefs.
      Because the permissions are generated when accessed, they default to the
      root inode's permission if they were never set by the user. If the user
      sets the permissions, then a flag is set and the permissions are saved via
      the inode (for tracefs files) or an internal attribute field (for
      eventfs).
      
      But if a remount happens that specify the permissions, all the files that
      were not changed by the user gets updated, but the ones that were are not.
      If the user were to remount the file system with a given permission, then
      all files and directories within that file system should be updated.
      
      This can cause security issues if a file's permission was updated but the
      admin forgot about it. They could incorrectly think that remounting with
      permissions set would update all files, but miss some.
      
      For example:
      
       # cd /sys/kernel/tracing
       # chgrp 1002 current_tracer
       # ls -l
      [..]
       -rw-r-----  1 root root 0 May  1 21:25 buffer_size_kb
       -rw-r-----  1 root root 0 May  1 21:25 buffer_subbuf_size_kb
       -r--r-----  1 root root 0 May  1 21:25 buffer_total_size_kb
       -rw-r-----  1 root lkp  0 May  1 21:25 current_tracer
       -rw-r-----  1 root root 0 May  1 21:25 dynamic_events
       -r--r-----  1 root root 0 May  1 21:25 dyn_ftrace_total_info
       -r--r-----  1 root root 0 May  1 21:25 enabled_functions
      
      Where current_tracer now has group "lkp".
      
       # mount -o remount,gid=1001 .
       # ls -l
       -rw-r-----  1 root tracing 0 May  1 21:25 buffer_size_kb
       -rw-r-----  1 root tracing 0 May  1 21:25 buffer_subbuf_size_kb
       -r--r-----  1 root tracing 0 May  1 21:25 buffer_total_size_kb
       -rw-r-----  1 root lkp     0 May  1 21:25 current_tracer
       -rw-r-----  1 root tracing 0 May  1 21:25 dynamic_events
       -r--r-----  1 root tracing 0 May  1 21:25 dyn_ftrace_total_info
       -r--r-----  1 root tracing 0 May  1 21:25 enabled_functions
      
      Everything changed but the "current_tracer".
      
      Add a new link list that keeps track of all the tracefs_inodes which has
      the permission flags that tell if the file/dir should use the root inode's
      permission or not. Then on remount, clear all the flags so that the
      default behavior of using the root inode's permission is done for all
      files and directories.
      
      Link: https://lore.kernel.org/linux-trace-kernel/20240502200905.529542160@goodmis.org
      
      Cc: stable@vger.kernel.org
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Fixes: 8186fff7 ("tracefs/eventfs: Use root and instance inodes as default ownership")
      Signed-off-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      baa23a8d
    • Steven Rostedt (Google)'s avatar
      eventfs: Free all of the eventfs_inode after RCU · ee4e0379
      Steven Rostedt (Google) authored
      The freeing of eventfs_inode via a kfree_rcu() callback. But the content
      of the eventfs_inode was being freed after the last kref. This is
      dangerous, as changes are being made that can access the content of an
      eventfs_inode from an RCU loop.
      
      Instead of using kfree_rcu() use call_rcu() that calls a function to do
      all the freeing of the eventfs_inode after a RCU grace period has expired.
      
      Link: https://lore.kernel.org/linux-trace-kernel/20240502200905.370261163@goodmis.org
      
      Cc: stable@vger.kernel.org
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Fixes: 43aa6f97 ("eventfs: Get rid of dentry pointers without refcounts")
      Signed-off-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      ee4e0379
    • Steven Rostedt (Google)'s avatar
      eventfs/tracing: Add callback for release of an eventfs_inode · b63db58e
      Steven Rostedt (Google) authored
      Synthetic events create and destroy tracefs files when they are created
      and removed. The tracing subsystem has its own file descriptor
      representing the state of the events attached to the tracefs files.
      There's a race between the eventfs files and this file descriptor of the
      tracing system where the following can cause an issue:
      
      With two scripts 'A' and 'B' doing:
      
        Script 'A':
          echo "hello int aaa" > /sys/kernel/tracing/synthetic_events
          while :
          do
            echo 0 > /sys/kernel/tracing/events/synthetic/hello/enable
          done
      
        Script 'B':
          echo > /sys/kernel/tracing/synthetic_events
      
      Script 'A' creates a synthetic event "hello" and then just writes zero
      into its enable file.
      
      Script 'B' removes all synthetic events (including the newly created
      "hello" event).
      
      What happens is that the opening of the "enable" file has:
      
       {
      	struct trace_event_file *file = inode->i_private;
      	int ret;
      
      	ret = tracing_check_open_get_tr(file->tr);
       [..]
      
      But deleting the events frees the "file" descriptor, and a "use after
      free" happens with the dereference at "file->tr".
      
      The file descriptor does have a reference counter, but there needs to be a
      way to decrement it from the eventfs when the eventfs_inode is removed
      that represents this file descriptor.
      
      Add an optional "release" callback to the eventfs_entry array structure,
      that gets called when the eventfs file is about to be removed. This allows
      for the creating on the eventfs file to increment the tracing file
      descriptor ref counter. When the eventfs file is deleted, it can call the
      release function that will call the put function for the tracing file
      descriptor.
      
      This will protect the tracing file from being freed while a eventfs file
      that references it is being opened.
      
      Link: https://lore.kernel.org/linux-trace-kernel/20240426073410.17154-1-Tze-nan.Wu@mediatek.com/
      Link: https://lore.kernel.org/linux-trace-kernel/20240502090315.448cba46@gandalf.local.home
      
      Cc: stable@vger.kernel.org
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Fixes: 5790b1fb ("eventfs: Remove eventfs_file and just use eventfs_inode")
      Reported-by: default avatarTze-nan wu <Tze-nan.Wu@mediatek.com>
      Tested-by: default avatarTze-nan Wu (吳澤南) <Tze-nan.Wu@mediatek.com>
      Signed-off-by: default avatarSteven Rostedt (Google) <rostedt@goodmis.org>
      b63db58e
  3. 03 May, 2024 10 commits
    • Linus Torvalds's avatar
      Merge tag 'cxl-fixes-6.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl · 7367539a
      Linus Torvalds authored
      Pull cxl fix from Dave Jiang:
       "Add missing RCH support for endpoint access_coordinate calculation.
      
        A late bug was reported by Robert Richter that the Restricted CXL Host
        (RCH) support was missing in the CXL endpoint access_coordinate
        calculation.
      
        The missing support causes the topology iterator to stumble over a
        NULL pointer and triggers a kernel OOPS on a platform with CXL 1.1
        support.
      
        The fix bypasses RCH topology as the access_coordinate calculation is
        not necessary since RCH does not support hotplug and the memory region
        exported should be covered by the HMAT table already.
      
        A unit test is also added to cxl_test to check against future
        regressions on the topology iterator"
      
      * tag 'cxl-fixes-6.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl:
        cxl: Fix cxl_endpoint_get_perf_coordinate() support for RCH
      7367539a
    • Linus Torvalds's avatar
      Merge tag 'for-linus-6.9a-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · ddb4c3f2
      Linus Torvalds authored
      Pull xen fixes from Juergen Gross:
       "Two fixes when running as Xen PV guests for issues introduced in the
        6.9 merge window, both related to apic id handling"
      
      * tag 'for-linus-6.9a-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        x86/xen: return a sane initial apic id when running as PV guest
        x86/xen/smp_pv: Register the boot CPU APIC properly
      ddb4c3f2
    • Linus Torvalds's avatar
      Merge tag 'efi-urgent-for-v6.9-1' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi · f094ee78
      Linus Torvalds authored
      Pull EFI fix from Ard Biesheuvel:
       "This works around a shortcoming in the memory acceptation API, which
        may apparently hog the CPU for long enough to trigger the softlockup
        watchdog.
      
        Note that this only affects confidential VMs running under the Intel
        TDX hypervisor, which is why I accepted this for now, but this should
        obviously be fixed properly in the future"
      
      * tag 'efi-urgent-for-v6.9-1' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi:
        efi/unaccepted: touch soft lockup during memory accept
      f094ee78
    • Linus Torvalds's avatar
      Merge tag 'block-6.9-20240503' of git://git.kernel.dk/linux · 3d25a941
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "Nothing major in here - an nvme pull request with mostly auth/tcp
        fixes, and a single fix for ublk not setting segment count and size
        limits"
      
      * tag 'block-6.9-20240503' of git://git.kernel.dk/linux:
        nvme-tcp: strict pdu pacing to avoid send stalls on TLS
        nvmet: fix nvme status code when namespace is disabled
        nvmet-tcp: fix possible memory leak when tearing down a controller
        nvme: cancel pending I/O if nvme controller is in terminal state
        nvmet-auth: replace pr_debug() with pr_err() to report an error.
        nvmet-auth: return the error code to the nvmet_auth_host_hash() callers
        nvme: find numa distance only if controller has valid numa id
        ublk: remove segment count and size limits
        nvme: fix warn output about shared namespaces without CONFIG_NVME_MULTIPATH
      3d25a941
    • Linus Torvalds's avatar
      Merge tag 'sound-6.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 7dc78c7b
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "As usual in a late stage, we received a fair amount of fixes for ASoC,
        and it became bigger than wished. But all fixes are rather device-
        specific, and they look pretty safe to apply.
      
        A major par of changes are series of fixes for ASoC meson and SOF
        drivers as well as for Realtek and Cirrus codecs. In addition, recent
        emu10k1 regression fixes and usual HD-audio quirks are included"
      
      * tag 'sound-6.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (46 commits)
        ALSA: hda/realtek: Fix build error without CONFIG_PM
        ALSA: hda/realtek: Fix conflicting PCI SSID 17aa:386f for Lenovo Legion models
        ALSA: hda/realtek - Set GPIO3 to default at S4 state for Thinkpad with ALC1318
        ALSA: hda: intel-sdw-acpi: fix usage of device_get_named_child_node()
        ALSA: hda: intel-dsp-config: harden I2C/I2S codec detection
        ASoC: cs35l56: fix usages of device_get_named_child_node()
        ASoC: da7219-aad: fix usage of device_get_named_child_node()
        ASoC: meson: cards: select SND_DYNAMIC_MINORS
        ASoC: meson: axg-tdm: add continuous clock support
        ASoC: meson: axg-tdm-interface: manage formatters in trigger
        ASoC: meson: axg-card: make links nonatomic
        ASoC: meson: axg-fifo: use threaded irq to check periods
        ALSA: hda/realtek: Fix mute led of HP Laptop 15-da3001TU
        ALSA: emu10k1: make E-MU FPGA writes potentially more reliable
        ALSA: emu10k1: fix E-MU dock initialization
        ALSA: emu10k1: use mutex for E-MU FPGA access locking
        ALSA: emu10k1: move the whole GPIO event handling to the workqueue
        ALSA: emu10k1: factor out snd_emu1010_load_dock_firmware()
        ALSA: emu10k1: fix E-MU card dock presence monitoring
        ASoC: rt715-sdca: volume step modification
        ...
      7dc78c7b
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2024-05-03' of https://gitlab.freedesktop.org/drm/kernel · b5a66609
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Weekly fixes, mostly made up from amdgpu and some panel changes.
      
        Otherwise xe, nouveau, vmwgfx and a couple of others, all seems pretty
        on track.
      
        amdgpu:
         - Fix VRAM memory accounting
         - DCN 3.1 fixes
         - DCN 2.0 fix
         - DCN 3.1.5 fix
         - DCN 3.5 fix
         - DCN 3.2.1 fix
         - DP fixes
         - Seamless boot fix
         - Fix call order in amdgpu_ttm_move()
         - Fix doorbell regression
         - Disable panel replay temporarily
      
        amdkfd:
         - Flush wq before creating kfd process
      
        xe:
         - Fix UAF on rebind worker
         - Fix ADL-N display integration
      
        imagination:
         - fix page-count macro
      
        nouveau:
         - avoid page-table allocation failures
         - fix firmware memory allocation
      
        panel:
         - ili9341: avoid OF for device properties; respect deferred probe;
           fix usage of errno codes
      
        ttm:
         - fix status output
      
        vmwgfx:
         - fix legacy display unit
         - fix read length in fence signalling"
      
      * tag 'drm-fixes-2024-05-03' of https://gitlab.freedesktop.org/drm/kernel: (25 commits)
        drm/xe/display: Fix ADL-N detection
        drm/panel: ili9341: Use predefined error codes
        drm/panel: ili9341: Respect deferred probe
        drm/panel: ili9341: Correct use of device property APIs
        drm/xe/vm: prevent UAF in rebind_work_func()
        drm/amd/display: Disable panel replay by default for now
        drm/amdgpu: fix doorbell regression
        drm/amdkfd: Flush the process wq before creating a kfd_process
        drm/amd/display: Disable seamless boot on 128b/132b encoding
        drm/amd/display: Fix DC mode screen flickering on DCN321
        drm/amd/display: Add VCO speed parameter for DCN31 FPU
        drm/amdgpu: once more fix the call oder in amdgpu_ttm_move() v2
        drm/amd/display: Allocate zero bw after bw alloc enable
        drm/amd/display: Fix incorrect DSC instance for MST
        drm/amd/display: Atom Integrated System Info v2_2 for DCN35
        drm/amd/display: Add dtbclk access to dcn315
        drm/amd/display: Ensure that dmcub support flag is set for DCN20
        drm/amd/display: Handle Y carry-over in VCP X.Y calculation
        drm/amdgpu: Fix VRAM memory accounting
        drm/vmwgfx: Fix invalid reads in fence signaled events
        ...
      b5a66609
    • Linus Torvalds's avatar
      Merge tag 'spi-fix-v6.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi · 9fbc8bdf
      Linus Torvalds authored
      Pull spi fixes from Mark Brown:
       "A few small fixes for v6.9,
      
        The core fix is for issues with reuse of a spi_message in the case
        where we've got queued messages (a relatively rare occurrence with
        modern code so it wasn't noticed in testing).
      
        We also avoid an issue with the Kunpeng driver by simply removing the
        debug interface that could trigger it, and address issues with
        confusing and corrupted output when printing the IP version of the AXI
        SPI engine"
      
      * tag 'spi-fix-v6.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
        spi: fix null pointer dereference within spi_sync
        spi: hisi-kunpeng: Delete the dump interface of data registers in debugfs
        spi: axi-spi-engine: fix version format string
      9fbc8bdf
    • Dave Airlie's avatar
      Merge tag 'drm-misc-fixes-2024-05-02' of... · 09e10499
      Dave Airlie authored
      Merge tag 'drm-misc-fixes-2024-05-02' of https://gitlab.freedesktop.org/drm/misc/kernel into drm-fixes
      
      Short summary of fixes pull:
      
      imagination:
      - fix page-count macro
      
      nouveau:
      - avoid page-table allocation failures
      - fix firmware memory allocation
      
      panel:
      - ili9341: avoid OF for device properties; respect deferred probe; fix
      usage of errno codes
      
      ttm:
      - fix status output
      
      vmwgfx:
      - fix legacy display unit
      - fix read length in fence signalling
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Thomas Zimmermann <tzimmermann@suse.de>
      Link: https://patchwork.freedesktop.org/patch/msgid/20240502192117.GA12158@linux.fritz.box
      09e10499
    • Dave Airlie's avatar
      Merge tag 'drm-xe-fixes-2024-05-02' of https://gitlab.freedesktop.org/drm/xe/kernel into drm-fixes · 5c75d681
      Dave Airlie authored
      - Fix UAF on rebind worker
      - Fix ADL-N display integration
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Lucas De Marchi <lucas.demarchi@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/6bontwst3mbxozs6u3ad5n3g5zmaucrngbfwv4hkfhpscnwlym@wlwjgjx6pwue
      5c75d681
    • Dave Airlie's avatar
      Merge tag 'amd-drm-fixes-6.9-2024-05-01' of... · 306eca05
      Dave Airlie authored
      Merge tag 'amd-drm-fixes-6.9-2024-05-01' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes
      
      amd-drm-fixes-6.9-2024-05-01:
      
      amdgpu:
      - Fix VRAM memory accounting
      - DCN 3.1 fixes
      - DCN 2.0 fix
      - DCN 3.1.5 fix
      - DCN 3.5 fix
      - DCN 3.2.1 fix
      - DP fixes
      - Seamless boot fix
      - Fix call order in amdgpu_ttm_move()
      - Fix doorbell regression
      - Disable panel replay temporarily
      
      amdkfd:
      - Flush wq before creating kfd process
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Alex Deucher <alexander.deucher@amd.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20240501135054.1919108-1-alexander.deucher@amd.com
      306eca05
  4. 02 May, 2024 18 commits
    • Linus Torvalds's avatar
      Merge tag 'for-6.9-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · f03359bc
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
      
       - set correct ram_bytes when splitting ordered extent. This can be
         inconsistent on-disk but harmless as it's not used for calculations
         and it's only advisory for compression
      
       - fix lockdep splat when taking cleaner mutex in qgroups disable ioctl
      
       - fix missing mutex unlock on error path when looking up sys chunk for
         relocation
      
      * tag 'for-6.9-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: set correct ram_bytes when splitting ordered extent
        btrfs: take the cleaner_mutex earlier in qgroup disable
        btrfs: add missing mutex_unlock in btrfs_relocate_sys_chunks()
      f03359bc
    • Linus Torvalds's avatar
      Merge tag 's390-6.9-6' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · da87c77e
      Linus Torvalds authored
      Pull s390 fixes from Alexander Gordeev:
      
       - The function __storage_key_init_range() expects the end address to be
         the first byte outside the range to be initialized. Fix the callers
         that provide the last byte within the range instead.
      
       - 3270 Channel Command Word (CCW) may contain zero data address in case
         there is no data in the request. Add data availability check to avoid
         erroneous non-zero value as result of virt_to_dma32(NULL) application
         in cases there is no data
      
       - Add missing CFI directives for an unwinder to restore the return
         address in the vDSO assembler code
      
       - NUL-terminate kernel buffer when duplicating user space memory region
         on Channel IO (CIO) debugfs write inject
      
       - Fix wrong format string in zcrypt debug output
      
       - Return -EBUSY code when a CCA card is temporarily unavailabile
      
       - Restore a loop that retries derivation of a protected key from a
         secure key in cases the low level reports temporarily unavailability
         with -EBUSY code
      
      * tag 's390-6.9-6' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390/paes: Reestablish retry loop in paes
        s390/zcrypt: Use EBUSY to indicate temp unavailability
        s390/zcrypt: Handle ep11 cprb return code
        s390/zcrypt: Fix wrong format string in debug feature printout
        s390/cio: Ensure the copied buf is NUL terminated
        s390/vdso: Add CFI for RA register to asm macro vdso_func
        s390/3270: Fix buffer assignment
        s390/mm: Fix clearing storage keys for huge pages
        s390/mm: Fix storage key clearing for guest huge pages
      da87c77e
    • Linus Torvalds's avatar
      Merge tag 'xtensa-20240502' of https://github.com/jcmvbkbc/linux-xtensa · 09bf0f19
      Linus Torvalds authored
      Pull xtensa fixes from Max Filippov:
      
       - fix unused variable warning caused by empty flush_dcache_page()
         definition
      
       - fix stack unwinding on windowed noMMU XIP configurations
      
       - fix Coccinelle warning 'opportunity for min()' in xtensa ISS platform
         code
      
      * tag 'xtensa-20240502' of https://github.com/jcmvbkbc/linux-xtensa:
        xtensa: remove redundant flush_dcache_page and ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE macros
        tty: xtensa/iss: Use min() to fix Coccinelle warning
        xtensa: fix MAKE_PC_FROM_RA second argument
      09bf0f19
    • Juergen Gross's avatar
      x86/xen: return a sane initial apic id when running as PV guest · 802600eb
      Juergen Gross authored
      With recent sanity checks for topology information added, there are now
      warnings issued for APs when running as a Xen PV guest:
      
        [Firmware Bug]: CPU   1: APIC ID mismatch. CPUID: 0x0000 APIC: 0x0001
      
      This is due to the initial APIC ID obtained via CPUID for PV guests is
      always 0.
      
      Avoid the warnings by synthesizing the CPUID data to contain the same
      initial APIC ID as xen_pv_smp_config() is using for registering the
      APIC IDs of all CPUs.
      
      Fixes: 52128a7a ("86/cpu/topology: Make the APIC mismatch warnings complete")
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      802600eb
    • Lucas De Marchi's avatar
      drm/xe/display: Fix ADL-N detection · df04b152
      Lucas De Marchi authored
      Contrary to i915, in xe ADL-N is kept as a different platform, not a
      subplatform of ADL-P. Since the display side doesn't need to
      differentiate between P and N, i.e. IS_ALDERLAKE_P_N() is never called,
      just fixup the compat header to check for both P and N.
      
      Moving ADL-N to be a subplatform would be more complex as the firmware
      loading in xe only handles platforms, not subplatforms, as going forward
      the direction is to check on IP version rather than
      platforms/subplatforms.
      
      Fix warning when initializing display:
      
      	xe 0000:00:02.0: [drm:intel_pch_type [xe]] Found Alder Lake PCH
      	------------[ cut here ]------------
      	xe 0000:00:02.0: drm_WARN_ON(!((dev_priv)->info.platform == XE_ALDERLAKE_S) && !((dev_priv)->info.platform == XE_ALDERLAKE_P))
      
      And wrong paths being taken on the display side.
      Reviewed-by: default avatarMatt Roper <matthew.d.roper@intel.com>
      Acked-by: default avatarJani Nikula <jani.nikula@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20240425181610.2704633-1-lucas.demarchi@intel.comSigned-off-by: default avatarLucas De Marchi <lucas.demarchi@intel.com>
      (cherry picked from commit 6a2a90cb)
      Fixes: 44e69495 ("drm/xe/display: Implement display support")
      Signed-off-by: default avatarLucas De Marchi <lucas.demarchi@intel.com>
      df04b152
    • Linus Torvalds's avatar
      Merge tag 'firewire-fixes-6.9-rc6' of... · 49a73b16
      Linus Torvalds authored
      Merge tag 'firewire-fixes-6.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394
      
      Pull firewire fixes from Takashi Sakamoto:
       "Two driver fixes:
      
         - The firewire-ohci driver for 1394 OHCI hardware does not fill time
           stamp for response packet when handling asynchronous transaction to
           local destination. This brings an inconvenience that the response
           packet is not equivalent between the transaction to local and
           remote. It is fixed by fulfilling the time stamp with hardware
           time. The fix should be applied to Linux kernel v6.5 or later as
           well.
      
         - The nosy driver for Texas Instruments TSB12LV21A (PCILynx) has
           long-standing issue about the behaviour when user space application
           passes less size of buffer than expected. It is fixed by returning
           zero according to the convention of UNIX-like systems"
      
      * tag 'firewire-fixes-6.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394:
        firewire: ohci: fulfill timestamp for some local asynchronous transaction
        firewire: nosy: ensure user_length is taken into account when fetching packet contents
      49a73b16
    • Thomas Gleixner's avatar
      x86/xen/smp_pv: Register the boot CPU APIC properly · 8a95db3b
      Thomas Gleixner authored
      The topology core expects the boot APIC to be registered from earhy APIC
      detection first and then again when the firmware tables are evaluated. This
      is used for detecting the real BSP CPU on a kexec kernel.
      
      The recent conversion of XEN/PV to register fake APIC IDs failed to
      register the boot CPU APIC correctly as it only registers it once. This
      causes the BSP detection mechanism to trigger wrongly:
      
         CPU topo: Boot CPU APIC ID not the first enumerated APIC ID: 0 > 1
      
      Additionally this results in one CPU being ignored.
      
      Register the boot CPU APIC twice so that the XEN/PV fake enumeration
      behaves like real firmware.
      Reported-by: default avatarJuergen Gross <jgross@suse.com>
      Fixes: e7530702 ("x86/xen/smp_pv: Register fake APICs")
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Tested-by: default avatarJuergen Gross <jgross@suse.com>
      Reviewed-by: default avatarJuergen Gross <jgross@suse.com>
      Link: https://lore.kernel.org/r/87a5l8s2fg.ffs@tglxSigned-off-by: default avatarJuergen Gross <jgross@suse.com>
      8a95db3b
    • Linus Torvalds's avatar
      Merge tag 'thermal-6.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 6aed7b97
      Linus Torvalds authored
      Pull thermal control fixes from Rafael Wysocki:
       "Fix a memory leak and a few locking issues (that may cause the kernel
        to crash in principle if all goes wrong) in the thermal debug code
        introduced during the 6.8 development cycle"
      
      * tag 'thermal-6.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        thermal/debugfs: Prevent use-after-free from occurring after cdev removal
        thermal/debugfs: Fix two locking issues with thermal zone debug
        thermal/debugfs: Free all thermal zone debug memory on zone removal
      6aed7b97
    • Linus Torvalds's avatar
      Merge tag 'net-6.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 545c4944
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from bpf.
      
        Relatively calm week, likely due to public holiday in most places. No
        known outstanding regressions.
      
        Current release - regressions:
      
         - rxrpc: fix wrong alignmask in __page_frag_alloc_align()
      
         - eth: e1000e: change usleep_range to udelay in PHY mdic access
      
        Previous releases - regressions:
      
         - gro: fix udp bad offset in socket lookup
      
         - bpf: fix incorrect runtime stat for arm64
      
         - tipc: fix UAF in error path
      
         - netfs: fix a potential infinite loop in extract_user_to_sg()
      
         - eth: ice: ensure the copied buf is NUL terminated
      
         - eth: qeth: fix kernel panic after setting hsuid
      
        Previous releases - always broken:
      
         - bpf:
             - verifier: prevent userspace memory access
             - xdp: use flags field to disambiguate broadcast redirect
      
         - bridge: fix multicast-to-unicast with fraglist GSO
      
         - mptcp: ensure snd_nxt is properly initialized on connect
      
         - nsh: fix outer header access in nsh_gso_segment().
      
         - eth: bcmgenet: fix racing registers access
      
         - eth: vxlan: fix stats counters.
      
        Misc:
      
         - a bunch of MAINTAINERS file updates"
      
      * tag 'net-6.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (45 commits)
        MAINTAINERS: mark MYRICOM MYRI-10G as Orphan
        MAINTAINERS: remove Ariel Elior
        net: gro: add flush check in udp_gro_receive_segment
        net: gro: fix udp bad offset in socket lookup by adding {inner_}network_offset to napi_gro_cb
        ipv4: Fix uninit-value access in __ip_make_skb()
        s390/qeth: Fix kernel panic after setting hsuid
        vxlan: Pull inner IP header in vxlan_rcv().
        tipc: fix a possible memleak in tipc_buf_append
        tipc: fix UAF in error path
        rxrpc: Clients must accept conn from any address
        net: core: reject skb_copy(_expand) for fraglist GSO skbs
        net: bridge: fix multicast-to-unicast with fraglist GSO
        mptcp: ensure snd_nxt is properly initialized on connect
        e1000e: change usleep_range to udelay in PHY mdic access
        net: dsa: mv88e6xxx: Fix number of databases for 88E6141 / 88E6341
        cxgb4: Properly lock TX queue for the selftest.
        rxrpc: Fix using alignmask being zero for __page_frag_alloc_align()
        vxlan: Add missing VNI filter counter update in arp_reduce().
        vxlan: Fix racy device stats updates.
        net: qede: use return from qede_parse_actions()
        ...
      545c4944
    • Jens Axboe's avatar
      Merge commit '50abcc17' of... · fb15ffd0
      Jens Axboe authored
      Merge commit '50abcc17' of git://git.infradead.org/nvme into block-6.9
      
      Pull NVMe fixes from Keith.
      
      * git://git.infradead.org/nvme:
        nvme-tcp: strict pdu pacing to avoid send stalls on TLS
        nvmet: fix nvme status code when namespace is disabled
        nvmet-tcp: fix possible memory leak when tearing down a controller
        nvme: cancel pending I/O if nvme controller is in terminal state
        nvmet-auth: replace pr_debug() with pr_err() to report an error.
        nvmet-auth: return the error code to the nvmet_auth_host_hash() callers
        nvme: find numa distance only if controller has valid numa id
        nvme: fix warn output about shared namespaces without CONFIG_NVME_MULTIPATH
      fb15ffd0
    • Will Deacon's avatar
      swiotlb: initialise restricted pool list_head when SWIOTLB_DYNAMIC=y · 75961ffb
      Will Deacon authored
      Using restricted DMA pools (CONFIG_DMA_RESTRICTED_POOL=y) in conjunction
      with dynamic SWIOTLB (CONFIG_SWIOTLB_DYNAMIC=y) leads to the following
      crash when initialising the restricted pools at boot-time:
      
        | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
        | Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
        | pc : rmem_swiotlb_device_init+0xfc/0x1ec
        | lr : rmem_swiotlb_device_init+0xf0/0x1ec
        | Call trace:
        |  rmem_swiotlb_device_init+0xfc/0x1ec
        |  of_reserved_mem_device_init_by_idx+0x18c/0x238
        |  of_dma_configure_id+0x31c/0x33c
        |  platform_dma_configure+0x34/0x80
      
      faddr2line reveals that the crash is in the list validation code:
      
        include/linux/list.h:83
        include/linux/rculist.h:79
        include/linux/rculist.h:106
        kernel/dma/swiotlb.c:306
        kernel/dma/swiotlb.c:1695
      
      because add_mem_pool() is trying to list_add_rcu() to a NULL
      'mem->pools'.
      
      Fix the crash by initialising the 'mem->pools' list_head in
      rmem_swiotlb_device_init() before calling add_mem_pool().
      Reported-by: default avatarNikita Ioffe <ioffe@google.com>
      Tested-by: default avatarNikita Ioffe <ioffe@google.com>
      Fixes: 1aaa7368 ("swiotlb: allocate a new memory pool when existing pools are full")
      Signed-off-by: default avatarWill Deacon <will@kernel.org>
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      75961ffb
    • Jakub Kicinski's avatar
      MAINTAINERS: mark MYRICOM MYRI-10G as Orphan · 78cfe547
      Jakub Kicinski authored
      Chris's email address bounces and lore hasn't seen an email
      from anyone with his name for almost a decade.
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/20240430233532.1356982-1-kuba@kernel.orgSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      78cfe547
    • Jakub Kicinski's avatar
      MAINTAINERS: remove Ariel Elior · c9ccbcd9
      Jakub Kicinski authored
      aelior@marvell.com bounces, we haven't seen Ariel on lore
      since March 2022.
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Link: https://lore.kernel.org/r/20240430233305.1356105-1-kuba@kernel.orgSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      c9ccbcd9
    • Paolo Abeni's avatar
      Merge branch 'net-gro-add-flush-flush_id-checks-and-fix-wrong-offset-in-udp' · a257f093
      Paolo Abeni authored
      Richard Gobert says:
      
      ====================
      net: gro: add flush/flush_id checks and fix wrong offset in udp
      
      This series fixes a bug in the complete phase of UDP in GRO, in which
      socket lookup fails due to using network_header when parsing encapsulated
      packets. The fix is to add network_offset and inner_network_offset to
      napi_gro_cb and use these offsets for socket lookup.
      
      In addition p->flush/flush_id should be checked in all UDP flows. The
      same logic from tcp_gro_receive is applied for all flows in
      udp_gro_receive_segment. This prevents packets with mismatching network
      headers (flush/flush_id turned on) from merging in UDP GRO.
      
      The original series includes a change to vxlan test which adds the local
      parameter to prevent similar future bugs. I plan to submit it separately to
      net-next.
      
      This series is part of a previously submitted series to net-next:
      https://lore.kernel.org/all/20240408141720.98832-1-richardbgobert@gmail.com/
      
      v3 -> v4:
       - Store network offsets, and use them only in udp_gro_complete flows
       - Correct commit hash used in Fixes tag
       - v3:
       https://lore.kernel.org/netdev/20240424163045.123528-1-richardbgobert@gmail.com/
      
      v2 -> v3:
       - Add network_offsets and fix udp bug in a single commit to make backporting easier
       - Write to inner_network_offset in {inet,ipv6}_gro_receive
       - Use network_offsets union in tcp[46]_gro_complete as well
       - v2:
       https://lore.kernel.org/netdev/20240419153542.121087-1-richardbgobert@gmail.com/
      
      v1 -> v2:
       - Use network_offsets instead of p_poff param as suggested by Willem
       - Check flush before postpull, and for all UDP GRO flows
       - v1:
       https://lore.kernel.org/netdev/20240412152120.115067-1-richardbgobert@gmail.com/
      ====================
      
      Link: https://lore.kernel.org/r/20240430143555.126083-1-richardbgobert@gmail.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      a257f093
    • Richard Gobert's avatar
      net: gro: add flush check in udp_gro_receive_segment · 5babae77
      Richard Gobert authored
      GRO-GSO path is supposed to be transparent and as such L3 flush checks are
      relevant to all UDP flows merging in GRO. This patch uses the same logic
      and code from tcp_gro_receive, terminating merge if flush is non zero.
      
      Fixes: e20cf8d3 ("udp: implement GRO for plain UDP sockets.")
      Signed-off-by: default avatarRichard Gobert <richardbgobert@gmail.com>
      Reviewed-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      5babae77
    • Richard Gobert's avatar
      net: gro: fix udp bad offset in socket lookup by adding {inner_}network_offset to napi_gro_cb · 5ef31ea5
      Richard Gobert authored
      Commits a6024562 ("udp: Add GRO functions to UDP socket") and 57c67ff4 ("udp:
      additional GRO support") introduce incorrect usage of {ip,ipv6}_hdr in the
      complete phase of gro. The functions always return skb->network_header,
      which in the case of encapsulated packets at the gro complete phase, is
      always set to the innermost L3 of the packet. That means that calling
      {ip,ipv6}_hdr for skbs which completed the GRO receive phase (both in
      gro_list and *_gro_complete) when parsing an encapsulated packet's _outer_
      L3/L4 may return an unexpected value.
      
      This incorrect usage leads to a bug in GRO's UDP socket lookup.
      udp{4,6}_lib_lookup_skb functions use ip_hdr/ipv6_hdr respectively. These
      *_hdr functions return network_header which will point to the innermost L3,
      resulting in the wrong offset being used in __udp{4,6}_lib_lookup with
      encapsulated packets.
      
      This patch adds network_offset and inner_network_offset to napi_gro_cb, and
      makes sure both are set correctly.
      
      To fix the issue, network_offsets union is used inside napi_gro_cb, in
      which both the outer and the inner network offsets are saved.
      
      Reproduction example:
      
      Endpoint configuration example (fou + local address bind)
      
          # ip fou add port 6666 ipproto 4
          # ip link add name tun1 type ipip remote 2.2.2.1 local 2.2.2.2 encap fou encap-dport 5555 encap-sport 6666 mode ipip
          # ip link set tun1 up
          # ip a add 1.1.1.2/24 dev tun1
      
      Netperf TCP_STREAM result on net-next before patch is applied:
      
      net-next main, GRO enabled:
          $ netperf -H 1.1.1.2 -t TCP_STREAM -l 5
          Recv   Send    Send
          Socket Socket  Message  Elapsed
          Size   Size    Size     Time     Throughput
          bytes  bytes   bytes    secs.    10^6bits/sec
      
          131072  16384  16384    5.28        2.37
      
      net-next main, GRO disabled:
          $ netperf -H 1.1.1.2 -t TCP_STREAM -l 5
          Recv   Send    Send
          Socket Socket  Message  Elapsed
          Size   Size    Size     Time     Throughput
          bytes  bytes   bytes    secs.    10^6bits/sec
      
          131072  16384  16384    5.01     2745.06
      
      patch applied, GRO enabled:
          $ netperf -H 1.1.1.2 -t TCP_STREAM -l 5
          Recv   Send    Send
          Socket Socket  Message  Elapsed
          Size   Size    Size     Time     Throughput
          bytes  bytes   bytes    secs.    10^6bits/sec
      
          131072  16384  16384    5.01     2877.38
      
      Fixes: a6024562 ("udp: Add GRO functions to UDP socket")
      Signed-off-by: default avatarRichard Gobert <richardbgobert@gmail.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      5ef31ea5
    • Shigeru Yoshida's avatar
      ipv4: Fix uninit-value access in __ip_make_skb() · fc1092f5
      Shigeru Yoshida authored
      KMSAN reported uninit-value access in __ip_make_skb() [1].  __ip_make_skb()
      tests HDRINCL to know if the skb has icmphdr. However, HDRINCL can cause a
      race condition. If calling setsockopt(2) with IP_HDRINCL changes HDRINCL
      while __ip_make_skb() is running, the function will access icmphdr in the
      skb even if it is not included. This causes the issue reported by KMSAN.
      
      Check FLOWI_FLAG_KNOWN_NH on fl4->flowi4_flags instead of testing HDRINCL
      on the socket.
      
      Also, fl4->fl4_icmp_type and fl4->fl4_icmp_code are not initialized. These
      are union in struct flowi4 and are implicitly initialized by
      flowi4_init_output(), but we should not rely on specific union layout.
      
      Initialize these explicitly in raw_sendmsg().
      
      [1]
      BUG: KMSAN: uninit-value in __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481
       __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481
       ip_finish_skb include/net/ip.h:243 [inline]
       ip_push_pending_frames+0x4c/0x5c0 net/ipv4/ip_output.c:1508
       raw_sendmsg+0x2381/0x2690 net/ipv4/raw.c:654
       inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851
       sock_sendmsg_nosec net/socket.c:730 [inline]
       __sock_sendmsg+0x274/0x3c0 net/socket.c:745
       __sys_sendto+0x62c/0x7b0 net/socket.c:2191
       __do_sys_sendto net/socket.c:2203 [inline]
       __se_sys_sendto net/socket.c:2199 [inline]
       __x64_sys_sendto+0x130/0x200 net/socket.c:2199
       do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x6d/0x75
      
      Uninit was created at:
       slab_post_alloc_hook mm/slub.c:3804 [inline]
       slab_alloc_node mm/slub.c:3845 [inline]
       kmem_cache_alloc_node+0x5f6/0xc50 mm/slub.c:3888
       kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:577
       __alloc_skb+0x35a/0x7c0 net/core/skbuff.c:668
       alloc_skb include/linux/skbuff.h:1318 [inline]
       __ip_append_data+0x49ab/0x68c0 net/ipv4/ip_output.c:1128
       ip_append_data+0x1e7/0x260 net/ipv4/ip_output.c:1365
       raw_sendmsg+0x22b1/0x2690 net/ipv4/raw.c:648
       inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851
       sock_sendmsg_nosec net/socket.c:730 [inline]
       __sock_sendmsg+0x274/0x3c0 net/socket.c:745
       __sys_sendto+0x62c/0x7b0 net/socket.c:2191
       __do_sys_sendto net/socket.c:2203 [inline]
       __se_sys_sendto net/socket.c:2199 [inline]
       __x64_sys_sendto+0x130/0x200 net/socket.c:2199
       do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x6d/0x75
      
      CPU: 1 PID: 15709 Comm: syz-executor.7 Not tainted 6.8.0-11567-gb3603fcb #25
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014
      
      Fixes: 99e5acae ("ipv4: Fix potential uninit variable access bug in __ip_make_skb()")
      Reported-by: default avatarsyzkaller <syzkaller@googlegroups.com>
      Signed-off-by: default avatarShigeru Yoshida <syoshida@redhat.com>
      Link: https://lore.kernel.org/r/20240430123945.2057348-1-syoshida@redhat.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      fc1092f5
    • Andy Shevchenko's avatar
      drm/panel: ili9341: Use predefined error codes · da85f0aa
      Andy Shevchenko authored
      In one case the -1 is returned which is quite confusing code for
      the wrong device ID, in another the ret is returning instead of
      plain 0 that also confusing as readed may ask the possible meaning
      of positive codes, which are never the case there. Convert both
      to use explicit predefined error codes to make it clear what's going
      on there.
      
      Fixes: 5a042273 ("drm/panel: Add ilitek ili9341 panel driver")
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Reviewed-by: default avatarNeil Armstrong <neil.armstrong@linaro.org>
      Reviewed-by: default avatarSui Jingfeng <sui.jingfeng@linux.dev>
      Link: https://lore.kernel.org/r/20240425142706.2440113-4-andriy.shevchenko@linux.intel.comSigned-off-by: default avatarNeil Armstrong <neil.armstrong@linaro.org>
      Link: https://patchwork.freedesktop.org/patch/msgid/20240425142706.2440113-4-andriy.shevchenko@linux.intel.com
      da85f0aa