commit e515b9902f5fa362ca66db9b01e7b2161c324c06 Author: Greg Kroah-Hartman Date: Mon Feb 6 07:59:02 2023 +0100 Linux 5.15.92 Link: https://lore.kernel.org/r/20230203101007.985835823@linuxfoundation.org Tested-by: Florian Fainelli Tested-by: Shuah Khan Tested-by: Guenter Roeck Tested-by: Bagas Sanjaya Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Signed-off-by: Greg Kroah-Hartman commit c7caf669b89d05bc86238cc6bc4add41311b16e8 Author: Jeremy Kerr Date: Thu Jan 26 14:45:51 2023 +0800 net: mctp: purge receive queues on sk destruction commit 60bd1d9008a50cc78c4033a16a6f5d78210d481c upstream. We may have pending skbs in the receive queue when the sk is being destroyed; add a destructor to purge the queue. MCTP doesn't use the error queue, so only the receive_queue is purged. Fixes: 833ef3b91de6 ("mctp: Populate socket implementation") Signed-off-by: Jeremy Kerr Reviewed-by: Pavan Chebbi Link: https://lore.kernel.org/r/20230126064551.464468-1-jk@codeconstruct.com.au Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 046de74f9af92ae9ffce75fa22a1795223f4fb54 Author: Yan Zhai Date: Mon Jan 30 12:51:48 2023 -0800 net: fix NULL pointer in skb_segment_list commit 876e8ca8366735a604bac86ff7e2732fc9d85d2d upstream. Commit 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.") introduced UDP listifyed GRO. The segmentation relies on frag_list being untouched when passing through the network stack. This assumption can be broken sometimes, where frag_list itself gets pulled into linear area, leaving frag_list being NULL. When this happens it can trigger following NULL pointer dereference, and panic the kernel. Reverse the test condition should fix it. [19185.577801][ C1] BUG: kernel NULL pointer dereference, address: ... [19185.663775][ C1] RIP: 0010:skb_segment_list+0x1cc/0x390 ... [19185.834644][ C1] Call Trace: [19185.841730][ C1] [19185.848563][ C1] __udp_gso_segment+0x33e/0x510 [19185.857370][ C1] inet_gso_segment+0x15b/0x3e0 [19185.866059][ C1] skb_mac_gso_segment+0x97/0x110 [19185.874939][ C1] __skb_gso_segment+0xb2/0x160 [19185.883646][ C1] udp_queue_rcv_skb+0xc3/0x1d0 [19185.892319][ C1] udp_unicast_rcv_skb+0x75/0x90 [19185.900979][ C1] ip_protocol_deliver_rcu+0xd2/0x200 [19185.910003][ C1] ip_local_deliver_finish+0x44/0x60 [19185.918757][ C1] __netif_receive_skb_one_core+0x8b/0xa0 [19185.927834][ C1] process_backlog+0x88/0x130 [19185.935840][ C1] __napi_poll+0x27/0x150 [19185.943447][ C1] net_rx_action+0x27e/0x5f0 [19185.951331][ C1] ? mlx5_cq_tasklet_cb+0x70/0x160 [mlx5_core] [19185.960848][ C1] __do_softirq+0xbc/0x25d [19185.968607][ C1] irq_exit_rcu+0x83/0xb0 [19185.976247][ C1] common_interrupt+0x43/0xa0 [19185.984235][ C1] asm_common_interrupt+0x22/0x40 ... [19186.094106][ C1] Fixes: 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.") Suggested-by: Daniel Borkmann Reviewed-by: Willem de Bruijn Signed-off-by: Yan Zhai Acked-by: Daniel Borkmann Link: https://lore.kernel.org/r/Y9gt5EUizK1UImEP@debian Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 7ab3376703ce2210d331c0c5456b33e0398c21a5 Author: Reinette Chatre Date: Mon Apr 25 14:01:11 2022 -0700 selftests: Provide local define of __cpuid_count() commit a23039c7306f53416ba35d230201398ea34f4640 upstream. Some selftests depend on information provided by the CPUID instruction. To support this dependency the selftests implement private wrappers for CPUID. Duplication of the CPUID wrappers should be avoided. Both gcc and clang/LLVM provide __cpuid_count() macros but neither the macro nor its header file are available in all the compiler versions that need to be supported by the selftests. __cpuid_count() as provided by gcc is available starting with gcc v4.4, so it is not available if the latest tests need to be run in all the environments required to support kernels v4.9 and v4.14 that have the minimal required gcc v3.2. Duplicate gcc's __cpuid_count() macro to provide a centrally defined macro for __cpuid_count() to help eliminate the duplicate CPUID wrappers while continuing to compile in older environments. Suggested-by: Shuah Khan Signed-off-by: Reinette Chatre Signed-off-by: Shuah Khan Cc: Kyle Huey Signed-off-by: Greg Kroah-Hartman commit e92e311ced6feaa272b25a3980fddede9afab900 Author: Shuah Khan Date: Thu Dec 9 16:35:02 2021 -0700 selftests/vm: remove ARRAY_SIZE define from individual tests commit e89908201e2509354c40158b517945bf3d645812 upstream. ARRAY_SIZE is defined in several selftests. Remove definitions from individual test files and include header file for the define instead. ARRAY_SIZE define is added in a separate patch to prepare for this change. Remove ARRAY_SIZE from vm tests and pickup the one defined in kselftest.h. Signed-off-by: Shuah Khan Cc: Kyle Huey Signed-off-by: Greg Kroah-Hartman commit c9e52db90031b7a89bf667057df5ca9c25cd68ff Author: Shuah Khan Date: Wed Dec 8 10:47:42 2021 -0700 tools: fix ARRAY_SIZE defines in tools and selftests hdrs commit 066b34aa5461f6072dbbecb690f4fe446b736ebf upstream. tools/include/linux/kernel.h and kselftest_harness.h are missing ifndef guard around ARRAY_SIZE define. Fix them to avoid duplicate define errors during compile when another file defines it. This problem was found when compiling selftests that include a header with ARRAY_SIZE define. ARRAY_SIZE is defined in several selftests. There are about 25+ duplicate defines in various selftests source and header files. Add ARRAY_SIZE to kselftest.h in preparation for removing duplicate ARRAY_SIZE defines from individual test files. Signed-off-by: Shuah Khan Cc: Kyle Huey Signed-off-by: Greg Kroah-Hartman commit c1aa0dd52db4ce888be0bd820c3fa918d350ca0b Author: Soenke Huster Date: Fri Jan 14 17:44:02 2022 +0100 Bluetooth: fix null ptr deref on hci_sync_conn_complete_evt commit 3afee2118132e93e5f6fa636dfde86201a860ab3 upstream. This event is just specified for SCO and eSCO link types. On the reception of a HCI_Synchronous_Connection_Complete for a BDADDR of an existing LE connection, LE link type and a status that triggers the second case of the packet processing a NULL pointer dereference happens, as conn->link is NULL. Signed-off-by: Soenke Huster Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Ovidiu Panait Signed-off-by: Greg Kroah-Hartman commit 02e61196c578390caf19b340825ea58f874f948c Author: Dave Hansen Date: Thu Sep 22 11:47:45 2022 -0700 ACPI: processor idle: Practically limit "Dummy wait" workaround to old Intel systems commit e400ad8b7e6a1b9102123c6240289a811501f7d9 upstream. Old, circa 2002 chipsets have a bug: they don't go idle when they are supposed to. So, a workaround was added to slow the CPU down and ensure that the CPU waits a bit for the chipset to actually go idle. This workaround is ancient and has been in place in some form since the original kernel ACPI implementation. But, this workaround is very painful on modern systems. The "inl()" can take thousands of cycles (see Link: for some more detailed numbers and some fun kernel archaeology). First and foremost, modern systems should not be using this code. Typical Intel systems have not used it in over a decade because it is horribly inferior to MWAIT-based idle. Despite this, people do seem to be tripping over this workaround on AMD system today. Limit the "dummy wait" workaround to Intel systems. Keep Modern AMD systems from tripping over the workaround. Remotely modern Intel systems use intel_idle instead of this code and will, in practice, remain unaffected by the dummy wait. Reported-by: K Prateek Nayak Suggested-by: Rafael J. Wysocki Signed-off-by: Dave Hansen Reviewed-by: Mario Limonciello Tested-by: K Prateek Nayak Link: https://lore.kernel.org/all/20220921063638.2489-1-kprateek.nayak@amd.com/ Link: https://lkml.kernel.org/r/20220922184745.3252932-1-dave.hansen@intel.com Signed-off-by: Guilherme G. Piccoli Signed-off-by: Greg Kroah-Hartman commit 79dd676b445feb92ba35f662cc99589d5614350d Author: Rong Chen Date: Tue Sep 6 12:04:29 2022 +0800 extcon: usbc-tusb320: fix kernel-doc warning commit 08099ecd9216219f51cc82637f06797cf81890b6 upstream. Fix the warning: drivers/extcon/extcon-usbc-tusb320.c:19: warning: expecting prototype for drivers/extcon/extcon-tusb320.c(). Prototype was for TUSB320_REG8() instead Reported-by: kernel test robot Signed-off-by: Rong Chen Signed-off-by: Chanwoo Choi Cc: Marek Vasut Signed-off-by: Greg Kroah-Hartman commit c2bd60ef20de177d48969143dadf8a9492bd5e75 Author: Baokun Li Date: Mon Jan 30 23:52:12 2023 +0000 ext4: fix bad checksum after online resize commit a408f33e895e455f16cf964cb5cd4979b658db7b upstream. When online resizing is performed twice consecutively, the error message "Superblock checksum does not match superblock" is displayed for the second time. Here's the reproducer: mkfs.ext4 -F /dev/sdb 100M mount /dev/sdb /tmp/test resize2fs /dev/sdb 5G resize2fs /dev/sdb 6G To solve this issue, we moved the update of the checksum after the es->s_overhead_clusters is updated. Fixes: 026d0d27c488 ("ext4: reduce computation of overhead during resize") Fixes: de394a86658f ("ext4: update s_overhead_clusters in the superblock during an on-line resize") Signed-off-by: Baokun Li Reviewed-by: Darrick J. Wong Reviewed-by: Jan Kara Cc: stable@kernel.org Link: https://lore.kernel.org/r/20221117040341.1380702-2-libaokun1@huawei.com Signed-off-by: Theodore Ts'o Signed-off-by: Oleksandr Tymoshenko Signed-off-by: Sasha Levin commit 4cd1e18bc04a335f87be8714722bcfb983410a12 Author: Paulo Alcantara Date: Wed Jan 18 13:36:31 2023 -0300 cifs: fix return of uninitialized rc in dfs_cache_update_tgthint() [ Upstream commit d6a49e8c4ca4d399ed65ac219585187fc8c2e2b1 ] Fix this by initializing rc to 0 as cache_refresh_path() would not set it in case of success. Reported-by: kernel test robot Link: https://lore.kernel.org/all/202301190004.bEHvbKG6-lkp@intel.com/ Signed-off-by: Paulo Alcantara (SUSE) Signed-off-by: Steve French Signed-off-by: Sasha Levin commit 43acd767bd90c5d4172ce7fee5d9007a9a08dea9 Author: Hui Wang Date: Wed Nov 30 17:08:00 2022 +0800 dmaengine: imx-sdma: Fix a possible memory leak in sdma_transfer_init [ Upstream commit 1417f59ac0b02130ee56c0c50794b9b257be3d17 ] If the function sdma_load_context() fails, the sdma_desc will be freed, but the allocated desc->bd is forgot to be freed. We already met the sdma_load_context() failure case and the log as below: [ 450.699064] imx-sdma 30bd0000.dma-controller: Timeout waiting for CH0 ready ... In this case, the desc->bd will not be freed without this change. Signed-off-by: Hui Wang Reviewed-by: Sascha Hauer Link: https://lore.kernel.org/r/20221130090800.102035-1-hui.wang@canonical.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit a54c5ad007ea6e19be1a88b6c3022a0cf12682eb Author: Roderick Colenbrander Date: Thu Jan 5 17:59:08 2023 -0800 HID: playstation: sanity check DualSense calibration data. [ Upstream commit ccf1e1626d37745d0a697db67407beec9ae9d4b8 ] Make sure calibration values are defined to prevent potential kernel crashes. This fixes a hypothetical issue for virtual or clone devices inspired by a similar fix for DS4. Signed-off-by: Roderick Colenbrander Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 6d7686cc11b76019db57f9b2dc555f4023d097a1 Author: Yu Kuai Date: Tue Jan 3 19:28:33 2023 +0800 blk-cgroup: fix missing pd_online_fn() while activating policy [ Upstream commit e3ff8887e7db757360f97634e0d6f4b8e27a8c46 ] If the policy defines pd_online_fn(), it should be called after pd_init_fn(), like blkg_create(). Signed-off-by: Yu Kuai Acked-by: Tejun Heo Link: https://lore.kernel.org/r/20230103112833.2013432-1-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 2144859229c1e74f52d3ea067338d314a83a8afb Author: Siddh Raman Pant Date: Fri Dec 9 15:51:51 2022 +0530 erofs/zmap.c: Fix incorrect offset calculation [ Upstream commit 6acd87d50998ef0afafc441613aeaf5a8f5c9eff ] Effective offset to add to length was being incorrectly calculated, which resulted in iomap->length being set to 0, triggering a WARN_ON in iomap_iter_done(). Fix that, and describe it in comments. This was reported as a crash by syzbot under an issue about a warning encountered in iomap_iter_done(), but unrelated to erofs. C reproducer: https://syzkaller.appspot.com/text?tag=ReproC&x=1037a6b2880000 Kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=e2021a61197ebe02 Dashboard link: https://syzkaller.appspot.com/bug?extid=a8e049cd3abd342936b6 Reported-by: syzbot+a8e049cd3abd342936b6@syzkaller.appspotmail.com Suggested-by: Gao Xiang Signed-off-by: Siddh Raman Pant Reviewed-by: Gao Xiang Reviewed-by: Chao Yu Link: https://lore.kernel.org/r/20221209102151.311049-1-code@siddh.me Signed-off-by: Gao Xiang Signed-off-by: Sasha Levin commit 0dfef503133565fa0bcf3268d8eeb5b181191a65 Author: Hao Sun Date: Fri Jan 6 16:48:38 2023 +0800 bpf: Skip task with pid=1 in send_signal_common() [ Upstream commit a3d81bc1eaef48e34dd0b9b48eefed9e02a06451 ] The following kernel panic can be triggered when a task with pid=1 attaches a prog that attempts to send killing signal to itself, also see [1] for more details: Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b CPU: 3 PID: 1 Comm: systemd Not tainted 6.1.0-09652-g59fe41b5255f #148 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x100/0x178 lib/dump_stack.c:106 panic+0x2c4/0x60f kernel/panic.c:275 do_exit.cold+0x63/0xe4 kernel/exit.c:789 do_group_exit+0xd4/0x2a0 kernel/exit.c:950 get_signal+0x2460/0x2600 kernel/signal.c:2858 arch_do_signal_or_restart+0x78/0x5d0 arch/x86/kernel/signal.c:306 exit_to_user_mode_loop kernel/entry/common.c:168 [inline] exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296 do_syscall_64+0x44/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd So skip task with pid=1 in bpf_send_signal_common() to avoid the panic. [1] https://lore.kernel.org/bpf/20221222043507.33037-1-sunhao.th@gmail.com Signed-off-by: Hao Sun Signed-off-by: Daniel Borkmann Acked-by: Stanislav Fomichev Link: https://lore.kernel.org/bpf/20230106084838.12690-1-sunhao.th@gmail.com Signed-off-by: Sasha Levin commit e8bb772f745e02c04c19103b1f343752784a3c17 Author: Cristian Marussi Date: Thu Dec 22 18:38:19 2022 +0000 firmware: arm_scmi: Clear stale xfer->hdr.status [ Upstream commit f6ca5059dc0d6608dc46070f48e396d611f240d6 ] Stale error status reported from a previous message transaction must be cleared before starting a new transaction to avoid being confusingly reported in the following SCMI message dump traces. Signed-off-by: Cristian Marussi Link: https://lore.kernel.org/r/20221222183823.518856-2-cristian.marussi@arm.com Signed-off-by: Sudeep Holla Signed-off-by: Sasha Levin commit 80cb9f1a76aadcde068535eae98565be131f6955 Author: Krzysztof Kozlowski Date: Sun Dec 4 10:44:17 2022 +0100 arm64: dts: imx8mq-thor96: fix no-mmc property for SDHCI [ Upstream commit ef10d57936ead5e817ef7cea6a87531085e77773 ] There is no "no-emmc" property, so intention for SD/SDIO only nodes was to use "no-mmc". Signed-off-by: Krzysztof Kozlowski Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 162fad24d2e1533b47c4d6428bb3a790dd5df1ce Author: Geert Uytterhoeven Date: Fri Dec 2 17:49:22 2022 +0100 arm64: dts: freescale: Fix pca954x i2c-mux node names [ Upstream commit b025b4f5c288e29bbea421613a5b4eacf9261fbb ] "make dtbs_check": arch/arm64/boot/dts/freescale/fsl-ls1012a-qds.dtb: pca9547@77: $nodename:0: 'pca9547@77' does not match '^(i2c-?)?mux' From schema: Documentation/devicetree/bindings/i2c/i2c-mux-pca954x.yaml arch/arm64/boot/dts/freescale/fsl-ls1012a-qds.dtb: pca9547@77: Unevaluated properties are not allowed ('#address-cells', '#size-cells', 'i2c@4' were unexpected) From schema: Documentation/devicetree/bindings/i2c/i2c-mux-pca954x.yaml ... Fix this by renaming PCA954x nodes to "i2c-mux", to match the I2C bus multiplexer/switch DT bindings and the Generic Names Recommendation in the Devicetree Specification. Signed-off-by: Geert Uytterhoeven Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 82ad105e1a55d4f10d62c4069650a32f68c6587e Author: Geert Uytterhoeven Date: Fri Dec 2 17:49:21 2022 +0100 ARM: dts: vf610: Fix pca9548 i2c-mux node names [ Upstream commit 42825d1f269355d63554ab3c3762611e4d8053e9 ] "make dtbs_check": arch/arm/boot/dts/vf610-zii-dev-rev-b.dtb: tca9548@70: $nodename:0: 'tca9548@70' does not match '^(i2c-?)?mux' From schema: Documentation/devicetree/bindings/i2c/i2c-mux-pca954x.yaml arch/arm/boot/dts/vf610-zii-dev-rev-b.dtb: tca9548@70: Unevaluated properties are not allowed ('#address-cells', '#size-cells', 'i2c@0', 'i2c@1', 'i2c@2', 'i2c@3', 'i2c@4' were unexpected) From schema: /scratch/geert/linux/linux-renesas/Documentation/devicetree/bindings/i2c/i2c-mux-pca954x.yaml ... Fix this by renaming PCA9548 nodes to "i2c-mux", to match the I2C bus multiplexer/switch DT bindings and the Generic Names Recommendation in the Devicetree Specification. Signed-off-by: Geert Uytterhoeven Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 5aee5f33e03af2ecb88fbe8e554c6d019c5cfd88 Author: Geert Uytterhoeven Date: Fri Dec 2 17:49:18 2022 +0100 ARM: dts: imx: Fix pca9547 i2c-mux node name [ Upstream commit f78985f9f58380eec37f82c8a2c765aa7670fc29 ] "make dtbs_check": arch/arm/boot/dts/imx53-ppd.dtb: i2c-switch@70: $nodename:0: 'i2c-switch@70' does not match '^(i2c-?)?mux' From schema: Documentation/devicetree/bindings/i2c/i2c-mux-pca954x.yaml arch/arm/boot/dts/imx53-ppd.dtb: i2c-switch@70: Unevaluated properties are not allowed ('#address-cells', '#size-cells', 'i2c@0', 'i2c@1', 'i2c@2', 'i2c@3', 'i2c@4', 'i2c@5', 'i2c@6', 'i2c@7' were unexpected) From schema: Documentation/devicetree/bindings/i2c/i2c-mux-pca954x.yaml Fix this by renaming the PCA9547 node to "i2c-mux", to match the I2C bus multiplexer/switch DT bindings and the Generic Names Recommendation in the Devicetree Specification. Signed-off-by: Geert Uytterhoeven Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin