1. 21 Jul, 2023 2 commits
  2. 20 Jul, 2023 1 commit
  3. 19 Jul, 2023 3 commits
  4. 17 Jul, 2023 2 commits
  5. 16 Jul, 2023 10 commits
    • Linus Torvalds's avatar
      Linux 6.5-rc2 · fdf0eaf1
      Linus Torvalds authored
      fdf0eaf1
    • Linus Torvalds's avatar
      Merge tag 'xtensa-20230716' of https://github.com/jcmvbkbc/linux-xtensa · 5b8d6e85
      Linus Torvalds authored
      Pull xtensa fixes from Max Filippov:
      
       - fix interaction between unaligned exception handler and load/store
         exception handler
      
       - fix parsing ISS network interface specification string
      
       - add comment about etherdev freeing to ISS network driver
      
      * tag 'xtensa-20230716' of https://github.com/jcmvbkbc/linux-xtensa:
        xtensa: fix unaligned and load/store configuration interaction
        xtensa: ISS: fix call to split_if_spec
        xtensa: ISS: add comment about etherdev freeing
      5b8d6e85
    • Linus Torvalds's avatar
      Merge tag 'perf_urgent_for_v6.5_rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 1667e630
      Linus Torvalds authored
      Pull perf fix from Borislav Petkov:
      
       - Fix a lockdep warning when the event given is the first one, no event
         group exists yet but the code still goes and iterates over event
         siblings
      
      * tag 'perf_urgent_for_v6.5_rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        perf/x86: Fix lockdep warning in for_each_sibling_event() on SPR
      1667e630
    • Linus Torvalds's avatar
      Merge tag 'objtool_urgent_for_v6.5_rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 8a3e4a64
      Linus Torvalds authored
      Pull objtool fixes from Borislav Petkov:
      
       - Mark copy_iovec_from_user() __noclone in order to prevent gcc from
         doing an inter-procedural optimization and confuse objtool
      
       - Initialize struct elf fully to avoid build failures
      
      * tag 'objtool_urgent_for_v6.5_rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        iov_iter: Mark copy_iovec_from_user() noclone
        objtool: initialize all of struct elf
      8a3e4a64
    • Linus Torvalds's avatar
      Merge tag 'sched_urgent_for_v6.5_rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · f61a89ca
      Linus Torvalds authored
      Pull scheduler fixes from Borislav Petkov:
      
       - Remove a cgroup from under a polling process properly
      
       - Fix the idle sibling selection
      
      * tag 'sched_urgent_for_v6.5_rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        sched/psi: use kernfs polling functions for PSI trigger polling
        sched/fair: Use recent_used_cpu to test p->cpus_ptr
      f61a89ca
    • Linus Torvalds's avatar
      Merge tag 'pinctrl-v6.5-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · ede950b0
      Linus Torvalds authored
      Pull pin control fixes from Linus Walleij:
       "I'm mostly on vacation but what would vacation be without a few
        critical fixes so people can use their gaming laptops when hiding away
        from the sun (or rain)?
      
         - Fix a really annoying interrupt storm in the AMD driver affecting
           Asus TUF gaming notebooks
      
         - Fix device tree parsing in the Renesas driver"
      
      * tag 'pinctrl-v6.5-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        pinctrl: amd: Unify debounce handling into amd_pinconf_set()
        pinctrl: amd: Drop pull up select configuration
        pinctrl: amd: Use amd_pinconf_set() for all config options
        pinctrl: amd: Only use special debounce behavior for GPIO 0
        pinctrl: renesas: rzg2l: Handle non-unique subnode names
        pinctrl: renesas: rzv2m: Handle non-unique subnode names
      ede950b0
    • Linus Torvalds's avatar
      Merge tag '6.5-rc1-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6 · fe756ad0
      Linus Torvalds authored
      Pull smb client fixes from Steve French:
      
       - Two reconnect fixes: important fix to address inFlight count to leak
         (which can leak credits), and fix for better handling a deleted share
      
       - DFS fix
      
       - SMB1 cleanup fix
      
       - deferred close fix
      
      * tag '6.5-rc1-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6:
        cifs: fix mid leak during reconnection after timeout threshold
        cifs: is_network_name_deleted should return a bool
        smb: client: fix missed ses refcounting
        smb: client: Fix -Wstringop-overflow issues
        cifs: if deferred close is disabled then close files immediately
      fe756ad0
    • Linus Torvalds's avatar
      Merge tag 'powerpc-6.5-3' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 20edcec2
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
      
       - Fix Speculation_Store_Bypass reporting in /proc/self/status on
         Power10
      
       - Fix HPT with 4K pages since recent changes by implementing pmd_same()
      
       - Fix 64-bit native_hpte_remove() to be irq-safe
      
      Thanks to Aneesh Kumar K.V, Nageswara R Sastry, and Russell Currey.
      
      * tag 'powerpc-6.5-3' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/mm/book3s64/hash/4k: Add pmd_same callback for 4K page size
        powerpc/64e: Fix obtool warnings in exceptions-64e.S
        powerpc/security: Fix Speculation_Store_Bypass reporting on Power10
        powerpc/64s: Fix native_hpte_remove() to be irq-safe
      20edcec2
    • Linus Torvalds's avatar
      Merge tag 'hardening-v6.5-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux · 6eede068
      Linus Torvalds authored
      Pull hardening fixes from Kees Cook:
      
       - Remove LTO-only suffixes from promoted global function symbols
         (Yonghong Song)
      
       - Remove unused .text..refcount section from vmlinux.lds.h (Petr Pavlu)
      
       - Add missing __always_inline to sparc __arch_xchg() (Arnd Bergmann)
      
       - Claim maintainership of string routines
      
      * tag 'hardening-v6.5-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
        sparc: mark __arch_xchg() as __always_inline
        MAINTAINERS: Foolishly claim maintainership of string routines
        kallsyms: strip LTO-only suffixes from promoted global functions
        vmlinux.lds.h: Remove a reference to no longer used sections .text..refcount
      6eede068
    • Linus Torvalds's avatar
      Merge tag 'probes-fixes-v6.5-rc1-2' of... · 4b4eef57
      Linus Torvalds authored
      Merge tag 'probes-fixes-v6.5-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
      
      Pull probe fixes from Masami Hiramatsu:
      
       - fprobe: Add a comment why fprobe will be skipped if another kprobe is
         running in fprobe_kprobe_handler().
      
       - probe-events: Fix some issues related to fetch-arguments:
      
          - Fix double counting of the string length for user-string and
            symstr. This will require longer buffer in the array case.
      
          - Fix not to count error code (minus value) for the total used
            length in array argument. This makes the total used length
            shorter.
      
          - Fix to update dynamic used data size counter only if fetcharg uses
            the dynamic size data. This may mis-count the used dynamic data
            size and corrupt data.
      
          - Revert "tracing: Add "(fault)" name injection to kernel probes"
            because that did not work correctly with a bug, and we agreed the
            current '(fault)' output (instead of '"(fault)"' like a string)
            explains what happened more clearly.
      
          - Fix to record 0-length (means fault access) data_loc data in fetch
            function itself, instead of store_trace_args(). If we record an
            array of string, this will fix to save fault access data on each
            entry of the array correctly.
      
      * tag 'probes-fixes-v6.5-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
        tracing/probes: Fix to record 0-length data_loc in fetch_store_string*() if fails
        Revert "tracing: Add "(fault)" name injection to kernel probes"
        tracing/probes: Fix to update dynamic data counter if fetcharg uses it
        tracing/probes: Fix not to count error code to total length
        tracing/probes: Fix to avoid double count of the string length on the array
        fprobes: Add a comment why fprobe_kprobe_handler exits if kprobe is running
      4b4eef57
  6. 15 Jul, 2023 8 commits
    • Linus Torvalds's avatar
      Merge tag 'spi-fix-v6.5-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi · 831fe284
      Linus Torvalds authored
      Pull spi fixes from Mark Brown:
       "A couple of fairly minor driver specific fixes here, plus a bunch of
        maintainership and admin updates. Nothing too remarkable"
      
      * tag 'spi-fix-v6.5-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
        mailmap: add entry for Jonas Gorski
        MAINTAINERS: add myself for spi-bcm63xx
        spi: s3c64xx: clear loopback bit after loopback test
        spi: bcm63xx: fix max prepend length
        MAINTAINERS: Add myself as a maintainer for Microchip SPI
      831fe284
    • Linus Torvalds's avatar
      Merge tag 'regmap-fix-v6.5-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap · 393ea781
      Linus Torvalds authored
      Pull regmap fix from Mark Brown:
       "One fix for an out of bounds access in the interupt code here"
      
      * tag 'regmap-fix-v6.5-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap:
        regmap-irq: Fix out-of-bounds access when allocating config buffers
      393ea781
    • Linus Torvalds's avatar
      Merge tag 'iommu-fixes-v6.5-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · 82678ab2
      Linus Torvalds authored
      Pull iommu fixes from Joerg Roedel:
      
       - Fix a regression causing a crash on sysfs access of iommu-group
         specific files
      
       - Fix signedness bug in SVA code
      
      * tag 'iommu-fixes-v6.5-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
        iommu/sva: Fix signedness bug in iommu_sva_alloc_pasid()
        iommu: Fix crash during syfs iommu_groups/N/type
      82678ab2
    • Ville Syrjälä's avatar
      dma-buf/dma-resv: Stop leaking on krealloc() failure · 05abb3be
      Ville Syrjälä authored
      Currently dma_resv_get_fences() will leak the previously
      allocated array if the fence iteration got restarted and
      the krealloc_array() fails.
      
      Free the old array by hand, and make sure we still clear
      the returned *fences so the caller won't end up accessing
      freed memory. Some (but not all) of the callers of
      dma_resv_get_fences() seem to still trawl through the
      array even when dma_resv_get_fences() failed. And let's
      zero out *num_fences as well for good measure.
      
      Cc: Sumit Semwal <sumit.semwal@linaro.org>
      Cc: Christian König <christian.koenig@amd.com>
      Cc: linux-media@vger.kernel.org
      Cc: dri-devel@lists.freedesktop.org
      Cc: linaro-mm-sig@lists.linaro.org
      Fixes: d3c80698 ("dma-buf: use new iterator in dma_resv_get_fences v3")
      Signed-off-by: default avatarVille Syrjälä <ville.syrjala@linux.intel.com>
      Reviewed-by: default avatarChristian König <christian.koenig@amd.com>
      Cc: stable@vger.kernel.org
      Link: https://patchwork.freedesktop.org/patch/msgid/20230713194745.1751-1-ville.syrjala@linux.intel.comSigned-off-by: default avatarChristian König <christian.koenig@amd.com>
      05abb3be
    • Linus Torvalds's avatar
      Merge tag 'x86_urgent_for_6.5_rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · b6e6cc1f
      Linus Torvalds authored
      Pull x86 CFI fixes from Peter Zijlstra:
       "Fix kCFI/FineIBT weaknesses
      
        The primary bug Alyssa noticed was that with FineIBT enabled function
        prologues have a spurious ENDBR instruction:
      
          __cfi_foo:
      	endbr64
      	subl	$hash, %r10d
      	jz	1f
      	ud2
      	nop
          1:
          foo:
      	endbr64 <--- *sadface*
      
        This means that any indirect call that fails to target the __cfi
        symbol and instead targets (the regular old) foo+0, will succeed due
        to that second ENDBR.
      
        Fixing this led to the discovery of a single indirect call that was
        still doing this: ret_from_fork(). Since that's an assembly stub the
        compiler would not generate the proper kCFI indirect call magic and it
        would not get patched.
      
        Brian came up with the most comprehensive fix -- convert the thing to
        C with only a very thin asm wrapper. This ensures the kernel thread
        boostrap is a proper kCFI call.
      
        While discussing all this, Kees noted that kCFI hashes could/should be
        poisoned to seal all functions whose address is never taken, further
        limiting the valid kCFI targets -- much like we already do for IBT.
      
        So what was a 'simple' observation and fix cascaded into a bunch of
        inter-related CFI infrastructure fixes"
      
      * tag 'x86_urgent_for_6.5_rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/cfi: Only define poison_cfi() if CONFIG_X86_KERNEL_IBT=y
        x86/fineibt: Poison ENDBR at +0
        x86: Rewrite ret_from_fork() in C
        x86/32: Remove schedule_tail_wrapper()
        x86/cfi: Extend ENDBR sealing to kCFI
        x86/alternative: Rename apply_ibt_endbr()
        x86/cfi: Extend {JMP,CAKK}_NOSPEC comment
      b6e6cc1f
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · be522ac7
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "This is a bunch of small driver fixes and a larger rework of zone disk
        handling (which reaches into blk and nvme).
      
        The aacraid array-bounds fix is now critical since the security people
        turned on -Werror for some build tests, which now fail without it"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: storvsc: Handle SRB status value 0x30
        scsi: block: Improve checks in blk_revalidate_disk_zones()
        scsi: block: virtio_blk: Set zone limits before revalidating zones
        scsi: block: nullblk: Set zone limits before revalidating zones
        scsi: nvme: zns: Set zone limits before revalidating zones
        scsi: sd_zbc: Set zone limits before revalidating zones
        scsi: ufs: core: Add support for qTimestamp attribute
        scsi: aacraid: Avoid -Warray-bounds warning
        scsi: ufs: ufs-mediatek: Add dependency for RESET_CONTROLLER
        scsi: ufs: core: Update contact email for monitor sysfs nodes
        scsi: scsi_debug: Remove dead code
        scsi: qla2xxx: Use vmalloc_array() and vcalloc()
        scsi: fnic: Use vmalloc_array() and vcalloc()
        scsi: qla2xxx: Fix error code in qla2x00_start_sp()
        scsi: qla2xxx: Silence a static checker warning
        scsi: lpfc: Fix a possible data race in lpfc_unregister_fcf_rescan()
      be522ac7
    • Linus Torvalds's avatar
      Merge tag 'block-6.5-2023-07-14' of git://git.kernel.dk/linux · b3bd86a0
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
      
       - NVMe pull request via Keith:
            - Don't require quirk to use duplicate namespace identifiers
              (Christoph, Sagi)
            - One more BOGUS_NID quirk (Pankaj)
            - IO timeout and error hanlding fixes for PCI (Keith)
            - Enhanced metadata format mask fix (Ankit)
            - Association race condition fix for fibre channel (Michael)
            - Correct debugfs error checks (Minjie)
            - Use PAGE_SECTORS_SHIFT where needed (Damien)
            - Reduce kernel logs for legacy nguid attribute (Keith)
            - Use correct dma direction when unmapping metadata (Ming)
      
       - Fix for a flush handling regression in this release (Christoph)
      
       - Fix for batched request time stamping (Chengming)
      
       - Fix for a regression in the mq-deadline position calculation (Bart)
      
       - Lockdep fix for blk-crypto (Eric)
      
       - Fix for a regression in the Amiga partition handling changes
         (Michael)
      
      * tag 'block-6.5-2023-07-14' of git://git.kernel.dk/linux:
        block: queue data commands from the flush state machine at the head
        blk-mq: fix start_time_ns and alloc_time_ns for pre-allocated rq
        nvme-pci: fix DMA direction of unmapping integrity data
        nvme: don't reject probe due to duplicate IDs for single-ported PCIe devices
        block/mq-deadline: Fix a bug in deadline_from_pos()
        nvme: ensure disabling pairs with unquiesce
        nvme-fc: fix race between error recovery and creating association
        nvme-fc: return non-zero status code when fails to create association
        nvme: fix parameter check in nvme_fault_inject_init()
        nvme: warn only once for legacy uuid attribute
        block: remove dead struc request->completion_data field
        nvme: fix the NVME_ID_NS_NVM_STS_MASK definition
        nvmet: use PAGE_SECTORS_SHIFT
        nvme: add BOGUS_NID quirk for Samsung SM953
        blk-crypto: use dynamic lock class for blk_crypto_profile::lock
        block/partition: fix signedness issue for Amiga partitions
      b3bd86a0
    • Linus Torvalds's avatar
      Merge tag 'io_uring-6.5-2023-07-14' of git://git.kernel.dk/linux · ec17f164
      Linus Torvalds authored
      Pull io_uring fix from Jens Axboe:
       "Just a single tweak for the wait logic in io_uring"
      
      * tag 'io_uring-6.5-2023-07-14' of git://git.kernel.dk/linux:
        io_uring: Use io_schedule* in cqring wait
      ec17f164
  7. 14 Jul, 2023 14 commits
    • Linus Torvalds's avatar
      Merge tag 'riscv-for-linus-6.5-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux · 2772d7df
      Linus Torvalds authored
      Pull RISC-V fixes from Palmer Dabbelt:
      
       - fix a formatting error in the hwprobe documentation
      
       - fix a spurious warning in the RISC-V PMU driver
      
       - fix memory detection on rv32 (problem does not manifest on any known
         system)
      
       - avoid parsing legacy parsing of I in ACPI ISA strings
      
      * tag 'riscv-for-linus-6.5-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
        RISC-V: Don't include Zicsr or Zifencei in I from ACPI
        riscv: mm: fix truncation warning on RV32
        perf: RISC-V: Remove PERF_HES_STOPPED flag checking in riscv_pmu_start()
        Documentation: RISC-V: hwprobe: Fix a formatting error
      2772d7df
    • Linus Torvalds's avatar
      Merge tag 'pm-6.5-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · bde7f150
      Linus Torvalds authored
      Pull power management fixes from Rafael Wysocki:
       "These fix hibernation (after recent changes), frequency QoS and the
        sparc cpufreq driver.
      
        Specifics:
      
         - Unbreak the /sys/power/resume interface after recent changes (Azat
           Khuzhin).
      
         - Allow PM_QOS_DEFAULT_VALUE to be used with frequency QoS (Chungkai
           Yang).
      
         - Remove __init from cpufreq callbacks in the sparc driver, because
           they may be called after initialization too (Viresh Kumar)"
      
      * tag 'pm-6.5-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        cpufreq: sparc: Don't mark cpufreq callbacks with __init
        PM: QoS: Restore support for default value on frequency QoS
        PM: hibernate: Fix writing maj:min to /sys/power/resume
      bde7f150
    • Rafael J. Wysocki's avatar
      Merge branches 'pm-sleep' and 'pm-qos' · d121758d
      Rafael J. Wysocki authored
      Merge a PM QoS fix and a hibernation fix for 6.5-rc2.
      
       - Unbreak the /sys/power/resume interface after recent changes (Azat
         Khuzhin).
      
       - Allow PM_QOS_DEFAULT_VALUE to be used with frequency QoS (Chungkai
         Yang).
      
      * pm-sleep:
        PM: hibernate: Fix writing maj:min to /sys/power/resume
      
      * pm-qos:
        PM: QoS: Restore support for default value on frequency QoS
      d121758d
    • Shyam Prasad N's avatar
      cifs: fix mid leak during reconnection after timeout threshold · 69cba9d3
      Shyam Prasad N authored
      When the number of responses with status of STATUS_IO_TIMEOUT
      exceeds a specified threshold (NUM_STATUS_IO_TIMEOUT), we reconnect
      the connection. But we do not return the mid, or the credits
      returned for the mid, or reduce the number of in-flight requests.
      
      This bug could result in the server->in_flight count to go bad,
      and also cause a leak in the mids.
      
      This change moves the check to a few lines below where the
      response is decrypted, even of the response is read from the
      transform header. This way, the code for returning the mids
      can be reused.
      
      Also, the cifs_reconnect was reconnecting just the transport
      connection before. In case of multi-channel, this may not be
      what we want to do after several timeouts. Changed that to
      reconnect the session and the tree too.
      
      Also renamed NUM_STATUS_IO_TIMEOUT to a more appropriate name
      MAX_STATUS_IO_TIMEOUT.
      
      Fixes: 8e670f77 ("Handle STATUS_IO_TIMEOUT gracefully")
      Signed-off-by: default avatarShyam Prasad N <sprasad@microsoft.com>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      69cba9d3
    • Shyam Prasad N's avatar
      cifs: is_network_name_deleted should return a bool · c071b34f
      Shyam Prasad N authored
      Currently, is_network_name_deleted and it's implementations
      do not return anything if the network name did get deleted.
      So the function doesn't fully achieve what it advertizes.
      
      Changed the function to return a bool instead. It will now
      return true if the error returned is STATUS_NETWORK_NAME_DELETED
      and the share (tree id) was found to be connected. It returns
      false otherwise.
      Signed-off-by: default avatarShyam Prasad N <sprasad@microsoft.com>
      Acked-by: default avatarPaulo Alcantara (SUSE) <pc@manguebit.com>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      c071b34f
    • Dan Carpenter's avatar
      accel/qaic: Fix a leak in map_user_pages() · 73274c33
      Dan Carpenter authored
      If get_user_pages_fast() allocates some pages but not as many as we
      wanted, then the current code leaks those pages.  Call put_page() on
      the pages before returning.
      
      Fixes: 129776ac ("accel/qaic: Add control path")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
      Reviewed-by: default avatarPranjal Ramajor Asha Kanojiya <quic_pkanojiy@quicinc.com>
      Reviewed-by: default avatarJeffrey Hugo <quic_jhugo@quicinc.com>
      Reviewed-by: default avatarDafna Hirschfeld <dhirschfeld@habana.ai>
      Cc: stable@vger.kernel.org # 6.4.x
      Signed-off-by: default avatarJeffrey Hugo <quic_jhugo@quicinc.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/ZK0Q+ZuONTsBG+1T@moroto
      73274c33
    • Dan Carpenter's avatar
      accel/qaic: Add consistent integer overflow checks · 47d87f71
      Dan Carpenter authored
      The encode_dma() function has integer overflow checks.  The
      encode_passthrough(), encode_activate() and encode_status() functions
      did not.  I added integer overflow checking everywhere.  I also
      updated the integer overflow checking in encode_dma() to use size_add()
      so everything is consistent.
      
      Fixes: 129776ac ("accel/qaic: Add control path")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
      Reviewed-by: default avatarPranjal Ramajor Asha Kanojiya <quic_pkanojiy@quicinc.com>
      Reviewed-by: default avatarJeffrey Hugo <quic_jhugo@quicinc.com>
      Cc: stable@vger.kernel.org # 6.4.x
      [jhugo: tweak if in encode_dma() to match existing style]
      Signed-off-by: default avatarJeffrey Hugo <quic_jhugo@quicinc.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/ZK0Q7IsPkj6WSCcL@moroto
      47d87f71
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2023-07-14-1' of git://anongit.freedesktop.org/drm/drm · 3a97a299
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "There were a bunch of fixes lined up for 2 weeks, so we have quite a
        few scattered fixes, mostly amdgpu and i915, but ttm has a bunch and
        nouveau makes an appearance.
      
        So a bit busier than usual for rc2, but nothing seems out of the
        ordinary.
      
        fbdev:
         - dma: Fix documented default preferred_bpp value
      
        ttm:
         - fix warning that we shouldn't mix && and ||
         - never consider pinned BOs for eviction&swap
         - Don't leak a resource on eviction error
         - Don't leak a resource on swapout move error
         - fix bulk_move corruption when adding a entry
      
        client:
         - Send hotplug event after registering a client
      
        dma-buf:
         - keep the signaling time of merged fences v3
         - fix an error pointer vs NULL bug
      
        sched:
         - wait for all deps in kill jobs
         - call set fence parent from scheduled
      
        i915:
         - Don't preserve dpll_hw_state for slave crtc in Bigjoiner
         - Consider OA buffer boundary when zeroing out reports
         - Remove dead code from gen8_pte_encode
         - Fix one wrong caching mode enum usage
      
        amdgpu:
         - SMU i2c locking fix
         - Fix a possible deadlock in process restoration for ROCm apps
         - Disable PCIe lane/speed switching on Intel platforms (the platforms
           don't support it)
      
        nouveau:
         - disp: fix HDMI on gt215+
         - disp/g94: enable HDMI
         - acr: Abort loading ACR if no firmware was found
         - bring back blit subchannel for pre nv50 GPUs
         - Fix drm_dp_remove_payload() invocation
      
        ivpu:
         - Fix VPU register access in irq disable
         - Clear specific interrupt status bits on C0
      
        bridge:
         - dw_hdmi: fix connector access for scdc
         - ti-sn65dsi86: Fix auxiliary bus lifetime
      
        panel:
         - simple: Add connector_type for innolux_at043tn24
         - simple: Add Powertip PH800480T013 drm_display_mode flags"
      
      * tag 'drm-fixes-2023-07-14-1' of git://anongit.freedesktop.org/drm/drm: (32 commits)
        drm/nouveau: bring back blit subchannel for pre nv50 GPUs
        drm/nouveau/acr: Abort loading ACR if no firmware was found
        drm/amd: Align SMU11 SMU_MSG_OverridePcieParameters implementation with SMU13
        drm/amd: Move helper for dynamic speed switch check out of smu13
        drm/amd/pm: conditionally disable pcie lane/speed switching for SMU13
        drm/amd/pm: share the code around SMU13 pcie parameters update
        drm/amdgpu: avoid restore process run into dead loop.
        drm/amd/pm: fix smu i2c data read risk
        drm/nouveau/disp/g94: enable HDMI
        drm/nouveau/disp: fix HDMI on gt215+
        drm/client: Send hotplug event after registering a client
        drm/i915: Fix one wrong caching mode enum usage
        drm/i915: Remove dead code from gen8_pte_encode
        drm/i915/perf: Consider OA buffer boundary when zeroing out reports
        drm/i915: Don't preserve dpll_hw_state for slave crtc in Bigjoiner
        drm/ttm: never consider pinned BOs for eviction&swap
        drm/fbdev-dma: Fix documented default preferred_bpp value
        dma-buf: fix an error pointer vs NULL bug
        accel/ivpu: Clear specific interrupt status bits on C0
        accel/ivpu: Fix VPU register access in irq disable
        ...
      3a97a299
    • Linus Torvalds's avatar
      Merge tag 'ceph-for-6.5-rc2' of https://github.com/ceph/ceph-client · ddbd9161
      Linus Torvalds authored
      Pull ceph fix from Ilya Dryomov:
       "A fix to prevent a potential buffer overrun in the messenger, marked
        for stable"
      
      * tag 'ceph-for-6.5-rc2' of https://github.com/ceph/ceph-client:
        libceph: harden msgr2.1 frame segment length checks
      ddbd9161
    • Dan Carpenter's avatar
      accel/qaic: tighten bounds checking in decode_message() · 51b56382
      Dan Carpenter authored
      Copy the bounds checking from encode_message() to decode_message().
      
      This patch addresses the following concerns.  Ensure that there is
      enough space for at least one header so that we don't have a negative
      size later.
      
      	if (msg_hdr_len < sizeof(*trans_hdr))
      
      Ensure that we have enough space to read the next header from the
      msg->data.
      
      	if (msg_len > msg_hdr_len - sizeof(*trans_hdr))
      		return -EINVAL;
      
      Check that the trans_hdr->len is not below the minimum size:
      
      	if (hdr_len < sizeof(*trans_hdr))
      
      This minimum check ensures that we don't corrupt memory in
      decode_passthrough() when we do.
      
      	memcpy(out_trans->data, in_trans->data, len - sizeof(in_trans->hdr));
      
      And finally, use size_add() to prevent an integer overflow:
      
      	if (size_add(msg_len, hdr_len) > msg_hdr_len)
      
      Fixes: 129776ac ("accel/qaic: Add control path")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
      Reviewed-by: default avatarPranjal Ramajor Asha Kanojiya <quic_pkanojiy@quicinc.com>
      Reviewed-by: default avatarJeffrey Hugo <quic_jhugo@quicinc.com>
      Cc: stable@vger.kernel.org # 6.4.x
      Signed-off-by: default avatarJeffrey Hugo <quic_jhugo@quicinc.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/ZK0Q5nbLyDO7kJa+@moroto
      51b56382
    • Dan Carpenter's avatar
      accel/qaic: tighten bounds checking in encode_message() · ea33cb6f
      Dan Carpenter authored
      There are several issues in this code.  The check at the start of the
      loop:
      
      	if (user_len >= user_msg->len) {
      
      This check does not ensure that we have enough space for the trans_hdr
      (8 bytes).  Instead the check needs to be:
      
      	if (user_len > user_msg->len - sizeof(*trans_hdr)) {
      
      That subtraction is done as an unsigned long we want to avoid
      negatives.  Add a lower bound to the start of the function.
      
      	if (user_msg->len < sizeof(*trans_hdr))
      
      There is a second integer underflow which can happen if
      trans_hdr->len is zero inside the encode_passthrough() function.
      
      	memcpy(out_trans->data, in_trans->data, in_trans->hdr.len - sizeof(in_trans->hdr));
      
      Instead of adding a check to encode_passthrough() it's better to check
      in this central place.  Add that check:
      
      	if (trans_hdr->len < sizeof(trans_hdr)
      
      The final concern is that the "user_len + trans_hdr->len" might have an
      integer overflow bug.  Use size_add() to prevent that.
      
      -	if (user_len + trans_hdr->len > user_msg->len) {
      +	if (size_add(user_len, trans_hdr->len) > user_msg->len) {
      
      Fixes: 129776ac ("accel/qaic: Add control path")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
      Reviewed-by: default avatarPranjal Ramajor Asha Kanojiya <quic_pkanojiy@quicinc.com>
      Reviewed-by: default avatarJeffrey Hugo <quic_jhugo@quicinc.com>
      Cc: stable@vger.kernel.org # 6.4.x
      Signed-off-by: default avatarJeffrey Hugo <quic_jhugo@quicinc.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/9a0cb0c1-a974-4f10-bc8d-94437983639a@moroto.mountain
      ea33cb6f
    • Christoph Hellwig's avatar
      block: queue data commands from the flush state machine at the head · 9f87fc4d
      Christoph Hellwig authored
      We used to insert the data commands following a pre-flush to the head
      of the queue until commit 1e82fadf ("blk-mq: do not do head insertions
      post-pre-flush commands").  Not doing this seems to cause hangs of
      such commands on NFS workloads when exported from file systems with
      SATA SSDs.  I have no idea why this would starve these workloads,
      but doing a semantic revert of this patch (which looks quite different
      due to various other changes) fixes the hangs.
      
      Fixes: 1e82fadf ("blk-mq: do not do head insertions post-pre-flush commands")
      Reported-by: default avatarChuck Lever <chuck.lever@oracle.com>
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Tested-by: default avatarChuck Lever <chuck.lever@oracle.com>
      Link: https://lore.kernel.org/r/20230714143014.11879-1-hch@lst.deSigned-off-by: default avatarJens Axboe <axboe@kernel.dk>
      9f87fc4d
    • Dan Carpenter's avatar
      iommu/sva: Fix signedness bug in iommu_sva_alloc_pasid() · c20ecf7b
      Dan Carpenter authored
      The ida_alloc_range() function returns negative error codes on error.
      On success it returns values in the min to max range (inclusive).  It
      never returns more then INT_MAX even if "max" is higher.  It never
      returns values in the 0 to (min - 1) range.
      
      The bug is that "min" is an unsigned int so negative error codes will
      be promoted to high positive values errors treated as success.
      
      Fixes: 1a14bf0f ("iommu/sva: Use GFP_KERNEL for pasid allocation")
      Signed-off-by: default avatarDan Carpenter <error27@gmail.com>
      Reviewed-by: default avatarLu Baolu <baolu.lu@linux.intel.com>
      Link: https://lore.kernel.org/r/6b32095d-7491-4ebb-a850-12e96209eaaf@kili.mountainSigned-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      c20ecf7b
    • Jason Gunthorpe's avatar
      iommu: Fix crash during syfs iommu_groups/N/type · 911476ef
      Jason Gunthorpe authored
      The err_restore_domain flow was accidently inserted into the success path
      in commit 1000dccd ("iommu: Allow IOMMU_RESV_DIRECT to work on
      ARM"). It should only happen if iommu_create_device_direct_mappings()
      fails. This caused the domains the be wrongly changed and freed whenever
      the sysfs is used, resulting in an oops:
      
        BUG: kernel NULL pointer dereference, address: 0000000000000000
        #PF: supervisor read access in kernel mode
        #PF: error_code(0x0000) - not-present page
        PGD 0 P4D 0
        Oops: 0000 [#1] PREEMPT SMP NOPTI
        CPU: 1 PID: 3417 Comm: avocado Not tainted 6.4.0-rc4-next-20230602 #3
        Hardware name: Dell Inc. PowerEdge R6515/07PXPY, BIOS 2.3.6 07/06/2021
        RIP: 0010:__iommu_attach_device+0xc/0xa0
        Code: c0 c3 cc cc cc cc 48 89 f0 c3 cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 41 54 55 48 8b 47 08 <48> 8b 00 48 85 c0 74 74 48 89 f5 e8 64 12 49 00 41 89 c4 85 c0 74
        RSP: 0018:ffffabae0220bd48 EFLAGS: 00010246
        RAX: 0000000000000000 RBX: ffff9ac04f70e410 RCX: 0000000000000001
        RDX: ffff9ac044db20c0 RSI: ffff9ac044fa50d0 RDI: ffff9ac04f70e410
        RBP: ffff9ac044fa50d0 R08: 1000000100209001 R09: 00000000000002dc
        R10: 0000000000000000 R11: 0000000000000000 R12: ffff9ac043d54700
        R13: ffff9ac043d54700 R14: 0000000000000001 R15: 0000000000000001
        FS:  00007f02e30ae000(0000) GS:ffff9afeb2440000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 0000000000000000 CR3: 000000012afca006 CR4: 0000000000770ee0
        PKRU: 55555554
        Call Trace:
         <TASK>
         ? __die+0x24/0x70
         ? page_fault_oops+0x82/0x150
         ? __iommu_queue_command_sync+0x80/0xc0
         ? exc_page_fault+0x69/0x150
         ? asm_exc_page_fault+0x26/0x30
         ? __iommu_attach_device+0xc/0xa0
         ? __iommu_attach_device+0x1c/0xa0
         __iommu_device_set_domain+0x42/0x80
         __iommu_group_set_domain_internal+0x5d/0x160
         iommu_setup_default_domain+0x318/0x400
         iommu_group_store_type+0xb1/0x200
         kernfs_fop_write_iter+0x12f/0x1c0
         vfs_write+0x2a2/0x3b0
         ksys_write+0x63/0xe0
         do_syscall_64+0x3f/0x90
         entry_SYSCALL_64_after_hwframe+0x6e/0xd8
        RIP: 0033:0x7f02e2f14a6f
      
      Reorganize the error flow so that the success branch and error branches
      are clearer.
      
      Fixes: 1000dccd ("iommu: Allow IOMMU_RESV_DIRECT to work on ARM")
      Reported-by: default avatarDheeraj Kumar Srivastava <dheerajkumar.srivastava@amd.com>
      Tested-by: default avatarVasant Hegde <vasant.hegde@amd.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@nvidia.com>
      Reviewed-by: default avatarLu Baolu <baolu.lu@linux.intel.com>
      Reviewed-by: default avatarKevin Tian <kevin.tian@intel.com>
      Link: https://lore.kernel.org/r/0-v1-5bd8cc969d9e+1f1-iommu_set_def_fix_jgg@nvidia.comSigned-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      911476ef