Commit Graph

1310313 Commits

Author SHA1 Message Date
Abel Vesa
85e444a681 drm/bridge: Fix assignment of the of_node of the parent to aux bridge
The assignment of the of_node to the aux bridge needs to mark the
of_node as reused as well, otherwise resource providers like pinctrl will
report a gpio as already requested by a different device when both pinconf
and gpios property are present.
Fix that by using the device_set_of_node_from_dev() helper instead.

Fixes: 6914968a0b ("drm/bridge: properly refcount DT nodes in aux bridge drivers")
Cc: stable@vger.kernel.org      # 6.8
Cc: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://lore.kernel.org/r/20241018-drm-aux-bridge-mark-of-node-reused-v2-1-aeed1b445c7d@linaro.org
Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20241018-drm-aux-bridge-mark-of-node-reused-v2-1-aeed1b445c7d@linaro.org
2024-10-21 14:59:48 +02:00
Shubham Panwar
8fa73ee44d ACPI: button: Add DMI quirk for Samsung Galaxy Book2 to fix initial lid detection issue
Add a DMI quirk for Samsung Galaxy Book2 to fix an initial lid state
detection issue.

The _LID device incorrectly returns the lid status as "closed" during
boot, causing the system to enter a suspend loop right after booting.

The quirk ensures that the correct lid state is reported initially,
preventing the system from immediately suspending after startup.  It
only addresses the initial lid state detection and ensures proper
system behavior upon boot.

Signed-off-by: Shubham Panwar <shubiisp8@gmail.com>
Link: https://patch.msgid.link/20241020095045.6036-2-shubiisp8@gmail.com
[ rjw: Changelog edits ]
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2024-10-21 14:00:59 +02:00
Christian Heusel
53f1a907d3 ACPI: resource: Add LG 16T90SP to irq1_level_low_skip_override[]
The LG Gram Pro 16 2-in-1 (2024) the 16T90SP has its keybopard IRQ (1)
described as ActiveLow in the DSDT, which the kernel overrides to EdgeHigh
which breaks the keyboard.

Add the 16T90SP to the irq1_level_low_skip_override[] quirk table to fix
this.

Reported-by: Dirk Holten <dirk.holten@gmx.de>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219382
Cc: All applicable <stable@vger.kernel.org>
Suggested-by: Dirk Holten <dirk.holten@gmx.de>
Signed-off-by: Christian Heusel <christian@heusel.eu>
Link: https://patch.msgid.link/20241017-lg-gram-pro-keyboard-v2-1-7c8fbf6ff718@heusel.eu
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2024-10-21 13:54:57 +02:00
Jack Yu
038fa6ddf5
ASoC: rt722-sdca: increase clk_stop_timeout to fix clock stop issue
clk_stop_timeout should be increased to 900ms to fix clock stop issue.

Signed-off-by: Jack Yu <jack.yu@realtek.com>
Link: https://patch.msgid.link/cd26275d9fc54374a18dc016755cb72d@realtek.com
Signed-off-by: Mark Brown <broonie@kernel.org>
2024-10-21 12:49:15 +01:00
Koba Ko
088984c8d5 ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and context
PRMT needs to find the correct type of block to translate the PA-VA
mapping for EFI runtime services.

The issue arises because the PRMT is finding a block of type
EFI_CONVENTIONAL_MEMORY, which is not appropriate for runtime services
as described in Section 2.2.2 (Runtime Services) of the UEFI
Specification [1]. Since the PRM handler is a type of runtime service,
this causes an exception when the PRM handler is called.

    [Firmware Bug]: Unable to handle paging request in EFI runtime service
    WARNING: CPU: 22 PID: 4330 at drivers/firmware/efi/runtime-wrappers.c:341
        __efi_queue_work+0x11c/0x170
    Call trace:

Let PRMT find a block with EFI_MEMORY_RUNTIME for PRM handler and PRM
context.

If no suitable block is found, a warning message will be printed, but
the procedure continues to manage the next PRM handler.

However, if the PRM handler is actually called without proper allocation,
it would result in a failure during error handling.

By using the correct memory types for runtime services, ensure that the
PRM handler and the context are properly mapped in the virtual address
space during runtime, preventing the paging request error.

The issue is really that only memory that has been remapped for runtime
by the firmware can be used by the PRM handler, and so the region needs
to have the EFI_MEMORY_RUNTIME attribute.

Link: https://uefi.org/sites/default/files/resources/UEFI_Spec_2_10_Aug29.pdf # [1]
Fixes: cefc7ca462 ("ACPI: PRM: implement OperationRegion handler for the PlatformRtMechanism subtype")
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Koba Ko <kobak@nvidia.com>
Reviewed-by: Matthew R. Ochs <mochs@nvidia.com>
Reviewed-by: Zhang Rui <rui.zhang@intel.com>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Link: https://patch.msgid.link/20241012205010.4165798-1-kobak@nvidia.com
[ rjw: Subject and changelog edits ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2024-10-21 13:46:50 +02:00
Yuan Can
5209d1b654 powercap: dtpm_devfreq: Fix error check against dev_pm_qos_add_request()
The caller of the function dev_pm_qos_add_request() checks again a non
zero value but dev_pm_qos_add_request() can return '1' if the request
already exists. Therefore, the setup function fails while the QoS
request actually did not failed.

Fix that by changing the check against a negative value like all the
other callers of the function.

Fixes: e446556173 ("powercap/drivers/dtpm: Add dtpm devfreq with energy model support")
Signed-off-by: Yuan Can <yuancan@huawei.com>
Reviewed-by: Lukasz Luba <lukasz.luba@arm.com>
Link: https://patch.msgid.link/20241018021205.46460-1-yuancan@huawei.com
[ rjw: Subject edit ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2024-10-21 13:23:06 +02:00
Christian Loehle
29dcbea924 cpufreq: docs: Reflect latency changes in docs
There were two changes related to transition latency recently.
Namely commit e13aa799c2 ("cpufreq: Change default transition delay
to 2ms") and
commit 37c6dccd68 ("cpufreq: Remove LATENCY_MULTIPLIER").

Both changed the defaults / maximums so let the documentation
reflect that.

Signed-off-by: Christian Loehle <christian.loehle@arm.com>
Link: https://patch.msgid.link/46853b6e-bad5-4ace-9b23-ff157f234ae3@arm.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2024-10-21 13:20:03 +02:00
Michael S. Tsirkin
d95d9a31ac virtio_net: fix integer overflow in stats
Static analysis on linux-next has detected the following issue
in function virtnet_stats_ctx_init, in drivers/net/virtio_net.c :

        if (vi->device_stats_cap & VIRTIO_NET_STATS_TYPE_CVQ) {
                queue_type = VIRTNET_Q_TYPE_CQ;
                ctx->bitmap[queue_type]   |= VIRTIO_NET_STATS_TYPE_CVQ;
                ctx->desc_num[queue_type] += ARRAY_SIZE(virtnet_stats_cvq_desc);
                ctx->size[queue_type]     += sizeof(struct virtio_net_stats_cvq);
        }

ctx->bitmap is declared as a u32 however it is being bit-wise or'd with
VIRTIO_NET_STATS_TYPE_CVQ and this is defined as 1 << 32:

include/uapi/linux/virtio_net.h:#define VIRTIO_NET_STATS_TYPE_CVQ (1ULL << 32)

..and hence the bit-wise or operation won't set any bits in ctx->bitmap
because 1ULL < 32 is too wide for a u32.

In fact, the field is read into a u64:

       u64 offset, bitmap;
....
       bitmap = ctx->bitmap[queue_type];

so to fix, it is enough to make bitmap an array of u64.

Fixes: 941168f8b4 ("virtio_net: support device stats")
Reported-by: "Colin King (gmail)" <colin.i.king@gmail.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://patch.msgid.link/53e2bd6728136d5916e384a7840e5dc7eebff832.1729099611.git.mst@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2024-10-21 13:09:00 +02:00
Eric Dumazet
95ecba62e2 net: fix races in netdev_tx_sent_queue()/dev_watchdog()
Some workloads hit the infamous dev_watchdog() message:

"NETDEV WATCHDOG: eth0 (xxxx): transmit queue XX timed out"

It seems possible to hit this even for perfectly normal
BQL enabled drivers:

1) Assume a TX queue was idle for more than dev->watchdog_timeo
   (5 seconds unless changed by the driver)

2) Assume a big packet is sent, exceeding current BQL limit.

3) Driver ndo_start_xmit() puts the packet in TX ring,
   and netdev_tx_sent_queue() is called.

4) QUEUE_STATE_STACK_XOFF could be set from netdev_tx_sent_queue()
   before txq->trans_start has been written.

5) txq->trans_start is written later, from netdev_start_xmit()

    if (rc == NETDEV_TX_OK)
          txq_trans_update(txq)

dev_watchdog() running on another cpu could read the old
txq->trans_start, and then see QUEUE_STATE_STACK_XOFF, because 5)
did not happen yet.

To solve the issue, write txq->trans_start right before one XOFF bit
is set :

- _QUEUE_STATE_DRV_XOFF from netif_tx_stop_queue()
- __QUEUE_STATE_STACK_XOFF from netdev_tx_sent_queue()

From dev_watchdog(), we have to read txq->state before txq->trans_start.

Add memory barriers to enforce correct ordering.

In the future, we could avoid writing over txq->trans_start for normal
operations, and rename this field to txq->xoff_start_time.

Fixes: bec251bc8b ("net: no longer stop all TX queues in dev_watchdog()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
Link: https://patch.msgid.link/20241015194118.3951657-1-edumazet@google.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2024-10-21 12:54:25 +02:00
Lin Ma
47dd5447ca net: wwan: fix global oob in wwan_rtnl_policy
The variable wwan_rtnl_link_ops assign a *bigger* maxtype which leads to
a global out-of-bounds read when parsing the netlink attributes. Exactly
same bug cause as the oob fixed in commit b33fb5b801 ("net: qualcomm:
rmnet: fix global oob in rmnet_policy").

==================================================================
BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:388 [inline]
BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x19d7/0x29a0 lib/nlattr.c:603
Read of size 1 at addr ffffffff8b09cb60 by task syz.1.66276/323862

CPU: 0 PID: 323862 Comm: syz.1.66276 Not tainted 6.1.70 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x177/0x231 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x14f/0x750 mm/kasan/report.c:395
 kasan_report+0x139/0x170 mm/kasan/report.c:495
 validate_nla lib/nlattr.c:388 [inline]
 __nla_validate_parse+0x19d7/0x29a0 lib/nlattr.c:603
 __nla_parse+0x3c/0x50 lib/nlattr.c:700
 nla_parse_nested_deprecated include/net/netlink.h:1269 [inline]
 __rtnl_newlink net/core/rtnetlink.c:3514 [inline]
 rtnl_newlink+0x7bc/0x1fd0 net/core/rtnetlink.c:3623
 rtnetlink_rcv_msg+0x794/0xef0 net/core/rtnetlink.c:6122
 netlink_rcv_skb+0x1de/0x420 net/netlink/af_netlink.c:2508
 netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline]
 netlink_unicast+0x74b/0x8c0 net/netlink/af_netlink.c:1352
 netlink_sendmsg+0x882/0xb90 net/netlink/af_netlink.c:1874
 sock_sendmsg_nosec net/socket.c:716 [inline]
 __sock_sendmsg net/socket.c:728 [inline]
 ____sys_sendmsg+0x5cc/0x8f0 net/socket.c:2499
 ___sys_sendmsg+0x21c/0x290 net/socket.c:2553
 __sys_sendmsg net/socket.c:2582 [inline]
 __do_sys_sendmsg net/socket.c:2591 [inline]
 __se_sys_sendmsg+0x19e/0x270 net/socket.c:2589
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x45/0x90 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f67b19a24ad
RSP: 002b:00007f67b17febb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f67b1b45f80 RCX: 00007f67b19a24ad
RDX: 0000000000000000 RSI: 0000000020005e40 RDI: 0000000000000004
RBP: 00007f67b1a1e01d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd2513764f R14: 00007ffd251376e0 R15: 00007f67b17fed40
 </TASK>

The buggy address belongs to the variable:
 wwan_rtnl_policy+0x20/0x40

The buggy address belongs to the physical page:
page:ffffea00002c2700 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xb09c
flags: 0xfff00000001000(reserved|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000001000 ffffea00002c2708 ffffea00002c2708 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffffffff8b09ca00: 05 f9 f9 f9 05 f9 f9 f9 00 01 f9 f9 00 01 f9 f9
 ffffffff8b09ca80: 00 00 00 05 f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9
>ffffffff8b09cb00: 00 00 00 00 05 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
                                                       ^
 ffffffff8b09cb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

According to the comment of `nla_parse_nested_deprecated`, use correct size
`IFLA_WWAN_MAX` here to fix this issue.

Fixes: 88b710532e ("wwan: add interface creation support")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Reviewed-by: Loic Poulain <loic.poulain@linaro.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20241015131621.47503-1-linma@zju.edu.cn
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2024-10-21 11:38:44 +02:00
Pablo Neira Ayuso
306ed1728e netfilter: xtables: fix typo causing some targets not to load on IPv6
- There is no NFPROTO_IPV6 family for mark and NFLOG.
- TRACE is also missing module autoload with NFPROTO_IPV6.

This results in ip6tables failing to restore a ruleset. This issue has been
reported by several users providing incomplete patches.

Very similar to Ilya Katsnelson's patch including a missing chunk in the
TRACE extension.

Fixes: 0bfcb7b71e ("netfilter: xtables: avoid NFPROTO_UNSPEC where needed")
Reported-by: Ignat Korchagin <ignat@cloudflare.com>
Reported-by: Ilya Katsnelson <me@0upti.me>
Reported-by: Krzysztof Olędzki <ole@ans.pl>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2024-10-21 11:31:26 +02:00
Arnd Bergmann
51521d2e2c fbdev: wm8505fb: select CONFIG_FB_IOMEM_FOPS
The fb_io_mmap() function is used in the file operations but
not enabled in all configurations unless FB_IOMEM_FOPS gets
selected:

ld.lld-20: error: undefined symbol: fb_io_mmap
   referenced by wm8505fb.c
   drivers/video/fbdev/wm8505fb.o:(wm8505fb_ops) in archive vmlinux.a

Fixes: 11754a5046 ("fbdev/wm8505fb: Initialize fb_ops to fbdev I/O-memory helpers")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: Helge Deller <deller@gmx.de>
2024-10-21 11:16:51 +02:00
Paolo Abeni
374d4106cb Merge branch 'fsl-fman-fix-refcount-handling-of-fman-related-devices'
Aleksandr Mishin says:

====================
fsl/fman: Fix refcount handling of fman-related devices

The series is intended to fix refcount handling for fman-related "struct
device" objects - the devices are not released upon driver removal or in
the error paths during probe. This leads to device reference leaks.

The device pointers are now saved to struct mac_device and properly handled
in the driver's probe and removal functions.

Originally reported by Simon Horman <horms@kernel.org>
(https://lore.kernel.org/all/20240702133651.GK598357@kernel.org/)

Compile tested only.
====================

Link: https://patch.msgid.link/20241015060122.25709-1-amishin@t-argos.ru
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2024-10-21 10:50:18 +02:00
Aleksandr Mishin
1dec67e0d9 fsl/fman: Fix refcount handling of fman-related devices
In mac_probe() there are multiple calls to of_find_device_by_node(),
fman_bind() and fman_port_bind() which takes references to of_dev->dev.
Not all references taken by these calls are released later on error path
in mac_probe() and in mac_remove() which lead to reference leaks.

Add references release.

Fixes: 3933961682 ("fsl/fman: Add FMan MAC driver")
Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2024-10-21 10:50:16 +02:00
Aleksandr Mishin
efeddd552e fsl/fman: Save device references taken in mac_probe()
In mac_probe() there are calls to of_find_device_by_node() which takes
references to of_dev->dev. These references are not saved and not released
later on error path in mac_probe() and in mac_remove().

Add new fields into mac_device structure to save references taken for
future use in mac_probe() and mac_remove().

This is a preparation for further reference leaks fix.

Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2024-10-21 10:50:16 +02:00
Miklos Szeredi
184429a17f Revert "fuse: move initialization of fuse_file to fuse_writepages() instead of in callback"
This reverts commit 672c3b7457.

fuse_writepages() might be called with no dirty pages after all writable
opens were closed.  In this case __fuse_write_file_get() will return NULL
which will trigger the WARNING.

The exact conditions under which this is triggered is unclear and syzbot
didn't find a reproducer yet.

Reported-by: syzbot+217a976dc26ef2fa8711@syzkaller.appspotmail.com
Link: https://lore.kernel.org/all/CAJnrk1aQwfvb51wQ5rUSf9N8j1hArTFeSkHqC_3T-mU6_BCD=A@mail.gmail.com/
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2024-10-21 10:02:51 +02:00
Peter Collingbourne
a552e2ef5f bpf, arm64: Fix address emission with tag-based KASAN enabled
When BPF_TRAMP_F_CALL_ORIG is enabled, the address of a bpf_tramp_image
struct on the stack is passed during the size calculation pass and
an address on the heap is passed during code generation. This may
cause a heap buffer overflow if the heap address is tagged because
emit_a64_mov_i64() will emit longer code than it did during the size
calculation pass. The same problem could occur without tag-based
KASAN if one of the 16-bit words of the stack address happened to
be all-ones during the size calculation pass. Fix the problem by
assuming the worst case (4 instructions) when calculating the size
of the bpf_tramp_image address emission.

Fixes: 19d3c179a3 ("bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG")
Signed-off-by: Peter Collingbourne <pcc@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Xu Kuohai <xukuohai@huawei.com>
Link: https://linux-review.googlesource.com/id/I1496f2bc24fba7a1d492e16e2b94cf43714f2d3c
Link: https://lore.kernel.org/bpf/20241018221644.3240898-1-pcc@google.com
2024-10-21 09:45:19 +02:00
Eric Biggers
86c96e7289 ALSA: hda/tas2781: select CRC32 instead of CRC32_SARWATE
Fix the kconfig option for the tas2781 HDA driver to select CRC32 rather
than CRC32_SARWATE.  CRC32_SARWATE is an option from the kconfig
'choice' that selects the specific CRC32 implementation.  Selecting a
'choice' option seems to have no effect, but even if it did work, it
would be incorrect for a random driver to override the user's choice.
CRC32 is the correct option to select for crc32() to be available.

Fixes: 5be27f1e3e ("ALSA: hda/tas2781: Add tas2781 HDA driver")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Link: https://patch.msgid.link/20241020175624.7095-1-ebiggers@kernel.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2024-10-21 09:21:08 +02:00
José Relvas
35fdc6e1c1 ALSA: hda/realtek: Add subwoofer quirk for Acer Predator G9-593
The Acer Predator G9-593 has a 2+1 speaker system which isn't probed
correctly.
This patch adds a quirk with the proper pin connections.

Note that I do not own this laptop, so I cannot guarantee that this
fixes the issue.
Testing was done by other users here:
https://discussion.fedoraproject.org/t/-/118482

This model appears to have two different dev IDs...

- 0x1177 (as seen on the forum link above)
- 0x1178 (as seen on https://linux-hardware.org/?probe=127df9999f)

I don't think the audio system was changed between model revisions, so
the patch applies for both IDs.

Signed-off-by: José Relvas <josemonsantorelvas@gmail.com>
Link: https://patch.msgid.link/20241020102756.225258-1-josemonsantorelvas@gmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2024-10-21 09:20:04 +02:00
Andrey Shumilin
72cafe63b3 ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size()
The step variable is initialized to zero. It is changed in the loop,
but if it's not changed it will remain zero. Add a variable check
before the division.

The observed behavior was introduced by commit 826b5de90c
("ALSA: firewire-lib: fix insufficient PCM rule for period/buffer size"),
and it is difficult to show that any of the interval parameters will
satisfy the snd_interval_test() condition with data from the
amdtp_rate_table[] table.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 826b5de90c ("ALSA: firewire-lib: fix insufficient PCM rule for period/buffer size")
Signed-off-by: Andrey Shumilin <shum.sdl@nppct.ru>
Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Link: https://patch.msgid.link/20241018060018.1189537-1-shum.sdl@nppct.ru
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2024-10-21 09:09:21 +02:00
Arnd Bergmann
338b655a11 i915: fix DRM_I915_GVT_KVMGT dependencies
Depending on x86 and KVM is not enough, as the kvm helper functions
that get called here are controlled by CONFIG_KVM_X86, which is
disabled if both KVM_INTEL and KVM_AMD are turned off.

ERROR: modpost: "kvm_write_track_remove_gfn" [drivers/gpu/drm/i915/kvmgt.ko] undefined!
ERROR: modpost: "kvm_page_track_register_notifier" [drivers/gpu/drm/i915/kvmgt.ko] undefined!
ERROR: modpost: "kvm_page_track_unregister_notifier" [drivers/gpu/drm/i915/kvmgt.ko] undefined!
ERROR: modpost: "kvm_write_track_add_gfn" [drivers/gpu/drm/i915/kvmgt.ko] undefined!

Change the dependency to CONFIG_KVM_X86 instead.

Fixes: ea4290d77b ("KVM: x86: leave kvm.ko out of the build if no vendor module is requested")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20241015152157.2955229-1-arnd@kernel.org
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
(cherry picked from commit 341e402303)
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
2024-10-21 09:51:05 +03:00
Qiao Ma
373b9338c9 uprobe: avoid out-of-bounds memory access of fetching args
Uprobe needs to fetch args into a percpu buffer, and then copy to ring
buffer to avoid non-atomic context problem.

Sometimes user-space strings, arrays can be very large, but the size of
percpu buffer is only page size. And store_trace_args() won't check
whether these data exceeds a single page or not, caused out-of-bounds
memory access.

It could be reproduced by following steps:
1. build kernel with CONFIG_KASAN enabled
2. save follow program as test.c

```
\#include <stdio.h>
\#include <stdlib.h>
\#include <string.h>

// If string length large than MAX_STRING_SIZE, the fetch_store_strlen()
// will return 0, cause __get_data_size() return shorter size, and
// store_trace_args() will not trigger out-of-bounds access.
// So make string length less than 4096.
\#define STRLEN 4093

void generate_string(char *str, int n)
{
    int i;
    for (i = 0; i < n; ++i)
    {
        char c = i % 26 + 'a';
        str[i] = c;
    }
    str[n-1] = '\0';
}

void print_string(char *str)
{
    printf("%s\n", str);
}

int main()
{
    char tmp[STRLEN];

    generate_string(tmp, STRLEN);
    print_string(tmp);

    return 0;
}
```
3. compile program
`gcc -o test test.c`

4. get the offset of `print_string()`
```
objdump -t test | grep -w print_string
0000000000401199 g     F .text  000000000000001b              print_string
```

5. configure uprobe with offset 0x1199
```
off=0x1199

cd /sys/kernel/debug/tracing/
echo "p /root/test:${off} arg1=+0(%di):ustring arg2=\$comm arg3=+0(%di):ustring"
 > uprobe_events
echo 1 > events/uprobes/enable
echo 1 > tracing_on
```

6. run `test`, and kasan will report error.
==================================================================
BUG: KASAN: use-after-free in strncpy_from_user+0x1d6/0x1f0
Write of size 8 at addr ffff88812311c004 by task test/499CPU: 0 UID: 0 PID: 499 Comm: test Not tainted 6.12.0-rc3+ #18
Hardware name: Red Hat KVM, BIOS 1.16.0-4.al8 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x55/0x70
 print_address_description.constprop.0+0x27/0x310
 kasan_report+0x10f/0x120
 ? strncpy_from_user+0x1d6/0x1f0
 strncpy_from_user+0x1d6/0x1f0
 ? rmqueue.constprop.0+0x70d/0x2ad0
 process_fetch_insn+0xb26/0x1470
 ? __pfx_process_fetch_insn+0x10/0x10
 ? _raw_spin_lock+0x85/0xe0
 ? __pfx__raw_spin_lock+0x10/0x10
 ? __pte_offset_map+0x1f/0x2d0
 ? unwind_next_frame+0xc5f/0x1f80
 ? arch_stack_walk+0x68/0xf0
 ? is_bpf_text_address+0x23/0x30
 ? kernel_text_address.part.0+0xbb/0xd0
 ? __kernel_text_address+0x66/0xb0
 ? unwind_get_return_address+0x5e/0xa0
 ? __pfx_stack_trace_consume_entry+0x10/0x10
 ? arch_stack_walk+0xa2/0xf0
 ? _raw_spin_lock_irqsave+0x8b/0xf0
 ? __pfx__raw_spin_lock_irqsave+0x10/0x10
 ? depot_alloc_stack+0x4c/0x1f0
 ? _raw_spin_unlock_irqrestore+0xe/0x30
 ? stack_depot_save_flags+0x35d/0x4f0
 ? kasan_save_stack+0x34/0x50
 ? kasan_save_stack+0x24/0x50
 ? mutex_lock+0x91/0xe0
 ? __pfx_mutex_lock+0x10/0x10
 prepare_uprobe_buffer.part.0+0x2cd/0x500
 uprobe_dispatcher+0x2c3/0x6a0
 ? __pfx_uprobe_dispatcher+0x10/0x10
 ? __kasan_slab_alloc+0x4d/0x90
 handler_chain+0xdd/0x3e0
 handle_swbp+0x26e/0x3d0
 ? __pfx_handle_swbp+0x10/0x10
 ? uprobe_pre_sstep_notifier+0x151/0x1b0
 irqentry_exit_to_user_mode+0xe2/0x1b0
 asm_exc_int3+0x39/0x40
RIP: 0033:0x401199
Code: 01 c2 0f b6 45 fb 88 02 83 45 fc 01 8b 45 fc 3b 45 e4 7c b7 8b 45 e4 48 98 48 8d 50 ff 48 8b 45 e8 48 01 d0 ce
RSP: 002b:00007ffdf00576a8 EFLAGS: 00000206
RAX: 00007ffdf00576b0 RBX: 0000000000000000 RCX: 0000000000000ff2
RDX: 0000000000000ffc RSI: 0000000000000ffd RDI: 00007ffdf00576b0
RBP: 00007ffdf00586b0 R08: 00007feb2f9c0d20 R09: 00007feb2f9c0d20
R10: 0000000000000001 R11: 0000000000000202 R12: 0000000000401040
R13: 00007ffdf0058780 R14: 0000000000000000 R15: 0000000000000000
 </TASK>

This commit enforces the buffer's maxlen less than a page-size to avoid
store_trace_args() out-of-memory access.

Link: https://lore.kernel.org/all/20241015060148.1108331-1-mqaio@linux.alibaba.com/

Fixes: dcad1a204f ("tracing/uprobes: Fetch args before reserving a ring buffer")
Signed-off-by: Qiao Ma <mqaio@linux.alibaba.com>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
2024-10-21 13:15:28 +09:00
Linus Torvalds
42f7652d3e Linux 6.12-rc4 2024-10-20 15:19:38 -07:00
Kent Overstreet
a069f01479 bcachefs: Set bch_inode_unpacked.bi_snapshot in old inode path
This fixes a fsck bug on a very old filesystem (pre mainline merge).

Fixes: 72350ee0ea ("bcachefs: Kill snapshot arg to fsck_write_inode()")
Reported-by: Marcin Mirosław <marcin@mejor.pl>
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
2024-10-20 18:09:09 -04:00
Kent Overstreet
e04ee86089 bcachefs: Mark more errors as AUTOFIX
Reported-by: Marcin Mirosław <marcin@mejor.pl>
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
2024-10-20 18:08:53 -04:00
Linus Torvalds
d7f513ae7b bluetooth pull request for net:
- ISO: Fix multiple init when debugfs is disabled
  - Call iso_exit() on module unload
  - Remove debugfs directory on module init failure
  - btusb: Fix not being able to reconnect after suspend
  - btusb: Fix regression with fake CSR controllers 0a12:0001
  - bnep: fix wild-memory-access in proto_unregister
 -----BEGIN PGP SIGNATURE-----
 
 iQJNBAABCAA3FiEE7E6oRXp8w05ovYr/9JCA4xAyCykFAmcQJGUZHGx1aXoudm9u
 LmRlbnR6QGludGVsLmNvbQAKCRD0kIDjEDILKeWiD/9WIrQRp7K10hc7Q9vjyex+
 DA+yv3EaFbqk//BIXOAg3En+HjhrDeaIkrt0L3m5D+/Y5K/oGQeO0ffOu4aF3So2
 D4Q8ZDQHXJ7pxG2hVMHbBBUikiKbt8HATMdQDutJnDtIpxxtB8ugTMm/pRG57Nq8
 QjWdy5h2aYm5NwPuu/ErY26UpCljMoOrKAMiWQ539AkxQJGVN4hp4l6mVrZdnjc5
 MmL1+S1r/S3PBxP5Mw3VX58c7J1Ki28d80BF+1C4qDGjKXdLoqYpCy2CRyiqlFSo
 9yU37Uh1AeobbWGC8/7dIKN3PoXe1UQRhF56EdWAeTbz+yr0c8sRYsOs9SGEyWlj
 +PWFkpXF8Dpxs96BHf0iLy4XxtByJsdmGaUSSmdktUK1WWEOa8I51xtR0xVswOqr
 BXZ9ATNDZjed5DFItwyj3YYoh0L7Bid594ZuAbxHRUCOnaFNR3DZbNVe2+uZfo5l
 Lc2L/Vfa4mwuQtH0psMvXAvvywuGNGv9cjK5PwVyRwqsppcco5oV9LckmGMMnWoO
 xsU+/IMljHORL0HPvL+RaSBDprj7GgA7nDEuv7zyYMC/uWHv5olUvLNEdN/LtCaB
 S9mVlBpkB2yxUT8FvZg71UEK0FVix2IaFcSF8FZcJqHw+ureRH0mhwe7BUytMvH1
 7IbfeYSu7h6fr6wnGrW8dQ==
 =k8sF
 -----END PGP SIGNATURE-----

Merge tag 'for-net-2024-10-16' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth

Pull bluetooth fixes from Luiz Augusto Von Dentz:

 - ISO: Fix multiple init when debugfs is disabled

 - Call iso_exit() on module unload

 - Remove debugfs directory on module init failure

 - btusb: Fix not being able to reconnect after suspend

 - btusb: Fix regression with fake CSR controllers 0a12:0001

 - bnep: fix wild-memory-access in proto_unregister

Note: normally the bluetooth fixes go through the networking tree, but
this missed the weekly merge, and two of the commits fix regressions
that have caused a fair amount of noise and have now hit stable too:

  https://lore.kernel.org/all/4e1977ca-6166-4891-965e-34a6f319035f@leemhuis.info/

So I'm pulling it directly just to expedite things and not miss yet
another -rc release. This is not meant to become a new pattern.

* tag 'for-net-2024-10-16' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
  Bluetooth: btusb: Fix regression with fake CSR controllers 0a12:0001
  Bluetooth: bnep: fix wild-memory-access in proto_unregister
  Bluetooth: btusb: Fix not being able to reconnect after suspend
  Bluetooth: Remove debugfs directory on module init failure
  Bluetooth: Call iso_exit() on module unload
  Bluetooth: ISO: Fix multiple init when debugfs is disabled
2024-10-20 14:08:17 -07:00
Linus Torvalds
dd4f50373e Pin control fixes for the v6.12 kernel series:
- Fix two error paths and a missing semicolon in the
   Intel driver.
 
 - Add a missing ACPI ID for the Intel Panther Lake.
 
 - Check return value of devm_kasprintf() in the Apple
   and STM32 drivers.
 
 - Add a missing mutex_destroy() in the aw9523 driver.
 
 - Fix a double free in cv1800_pctrl_dt_node_to_map()
   in the Sophgo driver.
 
 - Fix a double free in ma35_pinctrl_dt_node_to_map_func()
   in the Nuvoton driver.
 
 - Fix a bug in the Ocelot interrupt handler making the
   system hang.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEElDRnuGcz/wPCXQWMQRCzN7AZXXMFAmcVPtQACgkQQRCzN7AZ
 XXM67hAAyOKNn3YlRPd/B3hGviWEwV/f2EW2i+g96feM7szPmobvPXcCnPhbXu31
 FbpuhodTXw9sz69jDBeBahl4VU/C3+T4/2Fr7xSI8Tu14+nm04OZHvULcch0qpjW
 X+y2BPNfM6A4pN8Bxovk9wt31KpkVM11M9jMaQCzNAiWp/vv3qPrdTD51r84yZ5C
 GOpKBDyiQF4F5uQsXXPkhmmaQHbiIRDTTPlAGv6R1xlfLtX4RLZUyey3TZnzo3M0
 iDfimhqBZmnpE8SPvf6A+cSDCeA1bl3/oKDmh1kaV/hoD9nt7fqfvYW7orBiFykf
 1YIvujXu7OOizcRS/hru7aNRSWU3E9E10wR1W1RPfZyY5aRuhNyU3X3cvgEORzLE
 QlC2cRXcWOzUJ1pk6IevbOu+3tcPQNvFAo9grSXW/J/LD7pfZjmX9KevKG3esvvJ
 p3r4ta8qGP0PCfOU1dHZWWrjzxgotbGp2U1Z9ZxayT/33oEz1FDAnZePb+w7EwwO
 0K4PTO4UrN1CLqZYQhyP4ILMnvCuGfBHPdEjmFIySVbJfu/Bqm8IJ45a5AeS0TiE
 5S6bkyqS3cGh1k5WKM2kkuCp0gxoL1WFbznR9pmEiZxJ3dyZ7L4BRuk7eIVSN9La
 DpDDZqYImeckAG1BNMQolh79mfN0RIBnQr7g/oomCuVe8k/XA+g=
 =uwk3
 -----END PGP SIGNATURE-----

Merge tag 'pinctrl-v6.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl

Pull pin control fixes from Linus Walleij:
 "Mostly error path fixes, but one pretty serious interrupt problem in
  the Ocelot driver as well:

   - Fix two error paths and a missing semicolon in the Intel driver

   - Add a missing ACPI ID for the Intel Panther Lake

   - Check return value of devm_kasprintf() in the Apple and STM32
     drivers

   - Add a missing mutex_destroy() in the aw9523 driver

   - Fix a double free in cv1800_pctrl_dt_node_to_map() in the Sophgo
     driver

   - Fix a double free in ma35_pinctrl_dt_node_to_map_func() in the
     Nuvoton driver

   - Fix a bug in the Ocelot interrupt handler making the system hang"

* tag 'pinctrl-v6.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
  pinctrl: ocelot: fix system hang on level based interrupts
  pinctrl: nuvoton: fix a double free in ma35_pinctrl_dt_node_to_map_func()
  pinctrl: sophgo: fix double free in cv1800_pctrl_dt_node_to_map()
  pinctrl: intel: platform: Add Panther Lake to the list of supported
  pinctrl: aw9523: add missing mutex_destroy
  pinctrl: stm32: check devm_kasprintf() returned value
  pinctrl: apple: check devm_kasprintf() returned value
  pinctrl: intel: platform: use semicolon instead of comma in ncommunities assignment
  pinctrl: intel: platform: fix error path in device_for_each_child_node()
2024-10-20 13:55:46 -07:00
Kent Overstreet
f0d3302073 bcachefs: Workaround for kvmalloc() not supporting > INT_MAX allocations
kvmalloc() doesn't support allocations > INT_MAX, but vmalloc() does -
the limit should be lifted, but we can work around this for now.

A user with a 75 TB filesystem reported the following journal replay
error:
https://github.com/koverstreet/bcachefs/issues/769

In journal replay we have to sort and dedup all the keys from the
journal, which means we need a large contiguous allocation. Given that
the user has 128GB of ram, the 2GB limit on allocation size has become
far too small.

Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
2024-10-20 16:50:14 -04:00
Kent Overstreet
3956ff8bc2 bcachefs: Don't use wait_event_interruptible() in recovery
Fix a bug where mount was failing with -ERESTARTSYS:
https://github.com/koverstreet/bcachefs/issues/741

We only want the interruptible wait when called from fsync.

Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
2024-10-20 16:50:14 -04:00
Kent Overstreet
eb5db64c45 bcachefs: Fix __bch2_fsck_err() warning
We only warn about having a btree_trans that wasn't passed in if we'll
be prompting.

Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
2024-10-20 16:50:14 -04:00
Linus Torvalds
c55228220d Char/Misc/IIO fixes for 6.12-rc4
Here are a number of small char/misc/iio driver fixes for 6.12-rc4.
 Included in here are the following:
   - loads of small iio driver fixes for reported problems
   - parport driver out-of-bounds fix
   - Kconfig description and MAINTAINERS file updates
 
 All of these, except for the Kconfig and MAINTAINERS file updates have
 been in linux-next all week.  Those other two are just documentation
 changes and will have no runtime issues and were merged on Friday.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 
 iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCZxUGYg8cZ3JlZ0Brcm9h
 aC5jb20ACgkQMUfUDdst+ynTCQCggBy+iX/11utliIaNKD2PHkB5BjQAn1igXYZI
 hgWphEoTvBtVgGfOzNwt
 =0mak
 -----END PGP SIGNATURE-----

Merge tag 'char-misc-6.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc

Pull misc driver fixes from Greg KH:
 "Here are a number of small char/misc/iio driver fixes for 6.12-rc4:

   - loads of small iio driver fixes for reported problems

   - parport driver out-of-bounds fix

   - Kconfig description and MAINTAINERS file updates

  All of these, except for the Kconfig and MAINTAINERS file updates have
  been in linux-next all week. Those other two are just documentation
  changes and will have no runtime issues and were merged on Friday"

* tag 'char-misc-6.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: (39 commits)
  misc: rtsx: list supported models in Kconfig help
  MAINTAINERS: Remove some entries due to various compliance requirements.
  misc: microchip: pci1xxxx: add support for NVMEM_DEVID_AUTO for OTP device
  misc: microchip: pci1xxxx: add support for NVMEM_DEVID_AUTO for EEPROM device
  parport: Proper fix for array out-of-bounds access
  iio: frequency: admv4420: fix missing select REMAP_SPI in Kconfig
  iio: frequency: {admv4420,adrf6780}: format Kconfig entries
  iio: adc: ad4695: Add missing Kconfig select
  iio: adc: ti-ads8688: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig
  iio: hid-sensors: Fix an error handling path in _hid_sensor_set_report_latency()
  iioc: dac: ltc2664: Fix span variable usage in ltc2664_channel_config()
  iio: dac: stm32-dac-core: add missing select REGMAP_MMIO in Kconfig
  iio: dac: ltc1660: add missing select REGMAP_SPI in Kconfig
  iio: dac: ad5770r: add missing select REGMAP_SPI in Kconfig
  iio: amplifiers: ada4250: add missing select REGMAP_SPI in Kconfig
  iio: frequency: adf4377: add missing select REMAP_SPI in Kconfig
  iio: resolver: ad2s1210: add missing select (TRIGGERED_)BUFFER in Kconfig
  iio: resolver: ad2s1210 add missing select REGMAP in Kconfig
  iio: proximity: mb1232: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig
  iio: pressure: bm1390: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig
  ...
2024-10-20 13:10:44 -07:00
Linus Torvalds
c01ac4b944 TTY/Serial driver fixes for 6.12-rc4
Here are some small tty and serial driver fixes for 6.12-rc4.  Included
 in here are:
   - qcom-geni serial driver fixes, wow what a mess of a UART chip that
     thing is...
   - vt infoleak fix for odd font sizes
   - imx serial driver bugfix
   - yet-another n_gsm ldisc bugfix, slowly chipping down the issues in
     that piece of code.
 
 All of these have been in linux-next for over a week with no reported
 issues.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 
 iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCZxUGDQ8cZ3JlZ0Brcm9h
 aC5jb20ACgkQMUfUDdst+ymS+ACfQaKXHHy0WZ/kB22Eif7KgKsx+D0AnjxH+H5l
 knORLhrVW+V41wyk9QM/
 =qbdY
 -----END PGP SIGNATURE-----

Merge tag 'tty-6.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty

Pull tty/serial driver fixes from Greg KH:
 "Here are some small tty and serial driver fixes for 6.12-rc4:

   - qcom-geni serial driver fixes, wow what a mess of a UART chip that
     thing is...

   - vt infoleak fix for odd font sizes

   - imx serial driver bugfix

   - yet-another n_gsm ldisc bugfix, slowly chipping down the issues in
     that piece of code

  All of these have been in linux-next for over a week with no reported
  issues"

* tag 'tty-6.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
  serial: qcom-geni: rename suspend functions
  serial: qcom-geni: drop unused receive parameter
  serial: qcom-geni: drop flip buffer WARN()
  serial: qcom-geni: fix rx cancel dma status bit
  serial: qcom-geni: fix receiver enable
  serial: qcom-geni: fix dma rx cancellation
  serial: qcom-geni: fix shutdown race
  serial: qcom-geni: revert broken hibernation support
  serial: qcom-geni: fix polled console initialisation
  serial: imx: Update mctrl old_status on RTSD interrupt
  tty: n_gsm: Fix use-after-free in gsm_cleanup_mux
  vt: prevent kernel-infoleak in con_font_get()
2024-10-20 13:03:30 -07:00
Linus Torvalds
b68c189570 USB driver fixes for 6.12-rc4
Here are some small USB driver fixes and new device ids for 6.12-rc4.
 Included in here are:
   - xhci driver fixes for a number of reported issues
   - new usb-serial driver ids
   - dwc3 driver fixes for reported problems.
   - usb gadget driver fixes for reported problems
   - typec driver fixes
   - MAINTAINER file updates
 
 All of these have been in linux-next this week with no reported issues.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 
 iG0EABECAC0WIQT0tgzFv3jCIUoxPcsxR9QN2y37KQUCZxUHDg8cZ3JlZ0Brcm9h
 aC5jb20ACgkQMUfUDdst+ykYGACgvHkvAFkhaCeJKubX4cso1BAM+60AoMrkdNyB
 aNAH0Zn2IoZOfRjHWit6
 =sHyY
 -----END PGP SIGNATURE-----

Merge tag 'usb-6.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb

Pull USB driver fixes from Greg KH:
 "Here are some small USB driver fixes and new device ids for 6.12-rc4:

   - xhci driver fixes for a number of reported issues

   - new usb-serial driver ids

   - dwc3 driver fixes for reported problems.

   - usb gadget driver fixes for reported problems

   - typec driver fixes

   - MAINTAINER file updates

  All of these have been in linux-next this week with no reported issues"

* tag 'usb-6.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
  USB: serial: option: add Telit FN920C04 MBIM compositions
  USB: serial: option: add support for Quectel EG916Q-GL
  xhci: dbc: honor usb transfer size boundaries.
  usb: xhci: Fix handling errors mid TD followed by other errors
  xhci: Mitigate failed set dequeue pointer commands
  xhci: Fix incorrect stream context type macro
  USB: gadget: dummy-hcd: Fix "task hung" problem
  usb: gadget: f_uac2: fix return value for UAC2_ATTRIBUTE_STRING store
  usb: dwc3: core: Fix system suspend on TI AM62 platforms
  xhci: tegra: fix checked USB2 port number
  usb: dwc3: Wait for EndXfer completion before restoring GUSB2PHYCFG
  usb: typec: qcom-pmic-typec: fix sink status being overwritten with RP_DEF
  usb: typec: altmode should keep reference to parent
  MAINTAINERS: usb: raw-gadget: add bug tracker link
  MAINTAINERS: Add an entry for the LJCA drivers
2024-10-20 12:57:53 -07:00
Linus Torvalds
db87114dcf - Explicitly disable the TSC deadline timer when going idle to address
some CPU errata in that area
 
 - Do not apply the Zenbleed fix on anything else except AMD Zen2 on the
   late microcode loading path
 
 - Clear CPU buffers later in the NMI exit path on 32-bit to avoid
   register clearing while they still contain sensitive data, for the
   RDFS mitigation
 
 - Do not clobber EFLAGS.ZF with VERW on the opportunistic SYSRET exit
   path on 32-bit
 
 - Fix parsing issues of memory bandwidth specification in sysfs for
   resctrl's memory bandwidth allocation feature
 
 - Other small cleanups and improvements
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEzv7L6UO9uDPlPSfHEsHwGGHeVUoFAmcU6aMACgkQEsHwGGHe
 VUqXPxAAjG0m9J11jBNlNsorPKe0dlhkgV6RpEOtCWov0mvxSAPQazT9PE0FTCvx
 Hm/IdEmj5vkkJOC/R7pga8Yz5fRwGtYwIHyS5618Wh+KAfdsXDgTFvCKaBQt0ltB
 9U5+mwmyzzL6rS6jcv/y28qwi0STd4dHKg6K9sWAtga1bQSPCyJMZjeh9op5CxNh
 QOppCJR23jrp9I9c1zFd1LJPM4GY+KTYXTa7076sfcoD2taHbxAwsC/wiMooh5A2
 k0EItyzy2UWWSUxAW8QhZJyuAWav631tHjcz9iETgNZmjgpR0sTGFGkRaYB74qkf
 vS2yyGpTSoKhxXVcBe7Z6cMf5DhUUjMa7itXZnY7kWCenvwfa3/nuSUKtIeqTPyg
 a6BXypPFyYaqRWHtCiN6KjwXaS+fbc385Fh6m8Q/NDrHnXG84oLQ3DK0WKj4Z37V
 YRflsWJ4ZRIwLALGsKJX+qbe9Oh3VDE3Q8MH9pCiJi227YB2OzyImJmCUBRY9bIC
 7Amw4aUBUxX/VUpUOC4CJnx8SOG7cIeM06E6jM7J6LgWHpee++ccbFpZNqFh3VW/
 j67AifRJFljG+JcyPLZxZ4M/bzpsGkpZ7iiW8wI8k0CPoG7lcvbkZ3pQ4eizAHIJ
 0a+WQ9jHj1/64g4bT7Ml8lZRbzfBG/ksLkRwq8Gakt+h7GQbsd4=
 =n0wZ
 -----END PGP SIGNATURE-----

Merge tag 'x86_urgent_for_v6.12_rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull x86 fixes from Borislav Petkov:

 - Explicitly disable the TSC deadline timer when going idle to address
   some CPU errata in that area

 - Do not apply the Zenbleed fix on anything else except AMD Zen2 on the
   late microcode loading path

 - Clear CPU buffers later in the NMI exit path on 32-bit to avoid
   register clearing while they still contain sensitive data, for the
   RDFS mitigation

 - Do not clobber EFLAGS.ZF with VERW on the opportunistic SYSRET exit
   path on 32-bit

 - Fix parsing issues of memory bandwidth specification in sysfs for
   resctrl's memory bandwidth allocation feature

 - Other small cleanups and improvements

* tag 'x86_urgent_for_v6.12_rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/apic: Always explicitly disarm TSC-deadline timer
  x86/CPU/AMD: Only apply Zenbleed fix for Zen2 during late microcode load
  x86/bugs: Use code segment selector for VERW operand
  x86/entry_32: Clear CPU buffers after register restore in NMI return
  x86/entry_32: Do not clobber user EFLAGS.ZF
  x86/resctrl: Annotate get_mem_config() functions as __init
  x86/resctrl: Avoid overflow in MB settings in bw_validate()
  x86/amd_nb: Add new PCI ID for AMD family 1Ah model 20h
2024-10-20 12:04:32 -07:00
Linus Torvalds
949c9ef59b - Fix a case for sifive-plic where an interrupt gets disabled *and* masked and
remains masked when it gets reenabled later
 
 - Plug a small race in GIC-v4 where userspace can force an affinity change of
   a virtual CPU (vPE) in its unmapping path
 
 - Do not mix the two sets of ocelot irqchip's registers in the mask
   calculation of the main interrupt sticky register
 
 - Other smaller fixlets and cleanups
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEzv7L6UO9uDPlPSfHEsHwGGHeVUoFAmcU5d0ACgkQEsHwGGHe
 VUrNARAAtS7zkD4zQcJx2r0sr/jkLoWszP3+6Xgz/DKiT6+MUn7An+GmwvCPwZYd
 rVqQBBpt6Fzfn8tYY53lLC9C5zvp04aXfKv7/qNsvxI3XmDozwkjQ3pu83TYhXsn
 4dWZyUlk3BtyY9Au4aoK0c1X7zaxoGaHs+kQa5PJvPr7bW+fL1RqkpdyOzb3G3+A
 rj/KdKz42B54cKCSfQ0321tz/9Ts24ewr8vIhIoVDuHbhZ+gQc9GueZuK75Lm2iT
 YZZuBXYUueIESwkRnK2PtpTJn9Q2hF/z52SqPr33D2jCcMFk1WuscBG2kMie/ifL
 HZyVE1ynhg8RRJRMxJ2H14aWNZbYa+PnFoK9B2oAquUDRJ/ef7laTpjXQjyYgH/X
 xjNdW/lm/yklxc1vmVvPmfGtP0joc17cYix8rGLxymH7oOvvcOxhJRwWmUCLuC78
 y1LRwPZxgbC4iK1Rar9IfIzsVMgWQUoGDY3NgoA95xiBcYrfrXjHFgIasKTn5tJd
 sQKA4DOlVNotCplWf+Vo801CvXQSr7vra+5apcEYJOTTUEfnPT6LcNXh9S5obpsq
 aB0pMgT1xWimIWCwLvwEVYwkKEeYW+TskuM3x1Movzk4BSW1yNZUseoBl1jXPclg
 xxSuCNnc5gCn5CbYBt4qrVR+vNga+TYbvvD3KfnDUkWSZKqsjbg=
 =LwSw
 -----END PGP SIGNATURE-----

Merge tag 'irq_urgent_for_v6.12_rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull irq fixes from Borislav Petkov:

 - Fix a case for sifive-plic where an interrupt gets disabled *and*
   masked and remains masked when it gets reenabled later

 - Plug a small race in GIC-v4 where userspace can force an affinity
   change of a virtual CPU (vPE) in its unmapping path

 - Do not mix the two sets of ocelot irqchip's registers in the mask
   calculation of the main interrupt sticky register

- Other smaller fixlets and cleanups

* tag 'irq_urgent_for_v6.12_rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  irqchip/renesas-rzg2l: Fix missing put_device
  irqchip/riscv-intc: Fix SMP=n boot with ACPI
  irqchip/sifive-plic: Unmask interrupt in plic_irq_enable()
  irqchip/gic-v4: Don't allow a VMOVP on a dying VPE
  irqchip/sifive-plic: Return error code on failure
  irqchip/riscv-imsic: Fix output text of base address
  irqchip/ocelot: Comment sticky register clearing code
  irqchip/ocelot: Fix trigger register address
  irqchip: Remove obsolete config ARM_GIC_V3_ITS_PCI
2024-10-20 11:44:07 -07:00
Linus Torvalds
2b4d25010d - Add PREEMPT_RT maintainers
- Fix another aspect of delayed dequeued tasks wrt determining their state,
   i.e., whether they're runnable or blocked
 
 - Handle delayed dequeued tasks and their migration wrt PSI properly
 
 - Fix the situation where a delayed dequeue task gets enqueued into a new
   class, which should not happen
 
 - Fix a case where memory allocation would happen while the runqueue lock is
   held, which is a no-no
 
 - Do not over-schedule when tasks with shorter slices preempt the currently
   running task
 
 - Make sure delayed to deque entities are properly handled before unthrottling
 
 - Other smaller cleanups and improvements
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEzv7L6UO9uDPlPSfHEsHwGGHeVUoFAmcU3tMACgkQEsHwGGHe
 VUqpuhAAqqyi2NNgrIOlEWh/Ej4NQZL7KleF84cSpKCIBK2somYX5ksgMcUgn82i
 bIuDVErQu/a4lhNAf5zn7TO3yuPA1Q5xd/453qBlWM9ApkH0S69Mp9f0yocVu8F0
 t3XsgXm+/R8A4TYbiv8cB+r1Xt8E5NUP6RkNIKCHbPLAG94gqYF8UZEJ9sAl9ZXw
 qEWc9afpnp+4LQ9PlzePuaM976LWUPB49OoFZMnFmY1VkvFuVjkjXSVzJX6l4qB7
 Omo/+TXOOBSHXVVflNx/68Q16irFHAnqwPPrLCBQWBLIPz3iRiZjV9ptD9tUZkRM
 M+klL7w0jRG+8wa9fTwuqybmBNIBt4Az1/WUw9Lc3ryEWRsCKzkGT8au3lv5FpQY
 CTwIIBSMmUcqQSG40R0HHS3nDR4UBFFD0PAww+8cJQZc0IPd2rT9/hfqYdt3sq2Z
 vV9rmTFOcDlApeDdCGcfC7zJhdgVuBgDVjdTsE5SNRUduBUsBYOeLDnT+0Qi0ArJ
 txVINGxQDm6jz512f4CAB/xzUcYpU4o639Z1Jkd6a8QbO1NBZGX1ioOcvPEMhmFF
 f/qFyM8ctR5Kj6LJCZiDcstqtAZviW1d2uMp48gk2QeSvkCyIUQqrWshItd02iBG
 TZdSYRvSYtYSIz7WYtE/CABUDmrJGjuLtb+jOrR93//TsWwwVdE=
 =1D7H
 -----END PGP SIGNATURE-----

Merge tag 'sched_urgent_for_v6.12_rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull scheduling fixes from Borislav Petkov:

 - Add PREEMPT_RT maintainers

 - Fix another aspect of delayed dequeued tasks wrt determining their
   state, i.e., whether they're runnable or blocked

 - Handle delayed dequeued tasks and their migration wrt PSI properly

 - Fix the situation where a delayed dequeue task gets enqueued into a
   new class, which should not happen

 - Fix a case where memory allocation would happen while the runqueue
   lock is held, which is a no-no

 - Do not over-schedule when tasks with shorter slices preempt the
   currently running task

 - Make sure delayed to deque entities are properly handled before
   unthrottling

 - Other smaller cleanups and improvements

* tag 'sched_urgent_for_v6.12_rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  MAINTAINERS: Add an entry for PREEMPT_RT.
  sched/fair: Fix external p->on_rq users
  sched/psi: Fix mistaken CPU pressure indication after corrupted task state bug
  sched/core: Dequeue PSI signals for blocked tasks that are delayed
  sched: Fix delayed_dequeue vs switched_from_fair()
  sched/core: Disable page allocation in task_tick_mm_cid()
  sched/deadline: Use hrtick_enabled_dl() before start_hrtick_dl()
  sched/eevdf: Fix wakeup-preempt by checking cfs_rq->nr_running
  sched: Fix sched_delayed vs cfs_bandwidth
2024-10-20 11:30:56 -07:00
Linus Torvalds
a5ee44c829 xen: branch for v6.12-rc4
-----BEGIN PGP SIGNATURE-----
 
 iHUEABYKAB0WIQRTLbB6QfY48x44uB6AXGG7T9hjvgUCZxTVfAAKCRCAXGG7T9hj
 vixMAQDQPRqtmbpAr9l7tIrVMRqGktuV6nVTeLGXUDpqC7wM0gEA9c/h/Z0QVKth
 0XKyYWMsUIQ2Y5lKP8ywr0KxRQuUmQ0=
 =U3e3
 -----END PGP SIGNATURE-----

Merge tag 'for-linus-6.12a-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip

Pull xen fix from Juergen Gross:
 "A single fix for a build failure introduced this merge window"

* tag 'for-linus-6.12a-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
  xen: Remove dependency between pciback and privcmd
2024-10-20 11:25:58 -07:00
Linus Torvalds
10e93e1900 dma-mapping fix for Linux 6.12
Just another small tracing fix from Sean.
 -----BEGIN PGP SIGNATURE-----
 
 iQI/BAABCgApFiEEgdbnc3r/njty3Iq9D55TZVIEUYMFAmcUhhoLHGhjaEBsc3Qu
 ZGUACgkQD55TZVIEUYPzww//XpnJtQ2glWj9MZAbrPAHsBooazaIae1wfxPXCb9u
 EzaookDsTZhVtS0buSH9+EcNC5fWsr7Q7wyazx4cmGl6wOdHZ6mq+YbpxGQmhgWe
 MHDXu/X+rCRsa4cU5X8LUCjWVpKsu0kQE2B3E7M6cYfCWH9r1r9jaW0uXxdTQRWf
 Yi6W43cL/G946aT76wTspFrCfBqLgxypuTPGgehHpbF99sC/eJ6YHzGkOxc+mZ/5
 AatMB/npW8Y0G38yScp6gJZ4XaetJ6hflXoFN1pR7ehDggmZAjM/WfPwFlqZgjbk
 sVL0GjLuE4kbLnXIWX7GzzY/sXlUbebIKkAiYw3uqeo3KchU8/pA2Cqb9qWzdQmf
 FkMJQO7rgj7BvlJnxccDVAZYedkoywdj4Jw/B8hnm5jF355g4tZDmXm+4A88KtHZ
 qnz7pBNdfFumyMEJFwUzOAMWyN2ZDdirb3lrDsCXlIV56h4NH60I6D+cAsX9a+94
 Qao0xLr72jlk4NNDQShYJgHybCVTMMep3Wjkejg/EEZCxdkkyMpSOZXJeBLlxn80
 O2fdRynM5EhG+e28pjFYvU+/zLT0poSRaE+jBfWJLtG9xCFMybWRKtASH7VcaRLQ
 /kDPR51ZttfNYQscVWi7S+R37VWksPLEbFQHSFDvOcwGKgcnFpllDuwv+o62TuUc
 eKk=
 =MnDt
 -----END PGP SIGNATURE-----

Merge tag 'dma-mapping-6.12-2024-10-20' of git://git.infradead.org/users/hch/dma-mapping

Pull dma-mapping fix from Christoph Hellwig:
 "Just another small tracing fix from Sean"

* tag 'dma-mapping-6.12-2024-10-20' of git://git.infradead.org/users/hch/dma-mapping:
  dma-mapping: fix tracing dma_alloc/free with vmalloc'd memory
2024-10-20 10:56:42 -07:00
Paolo Bonzini
e9001a382f KVM/arm64 fixes for 6.12, take #3
- Stop wasting space in the HYP idmap, as we are dangerously close
   to the 4kB limit, and this has already exploded in -next
 
 - Fix another race in vgic_init()
 
 - Fix a UBSAN error when faking the cache topology with MTE
   enabled
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEn9UcU+C1Yxj9lZw9I9DQutE9ekMFAmcQ0ioACgkQI9DQutE9
 ekP71Q/9FJOSfvZU0aPTeMLkrkJFkVO1Xvecq2YSrYSdBBtaVO3WAybV/tbSLKGb
 rgy64JOoRYys9I8kbvztGul7vT6QgrTZMGjbNVHGmKVXsnEYRY2jKWwtRh20nnhx
 hwIiAItkp76MGEurOJShFffDju4Psuj0lMPDYDv3j24YHSX+fiWIWcwHoqM9baVt
 IRIx2bkJf5isbXJ0i2dtV6PvxBn7ShdDU2VoMr+69LtSgiQypRQ2OXyBvOHt1Pg4
 7r5MY3YueMLSRdyuFFyr1esPDzZLRdhHZts/BbFmiBafGUPBrzSXjeBXM+GO0day
 8eEqhe1HSDsg9ctC6EJZbTfKC0T6UpSwUT7zlujgLhdaBae8mSuJVC0rywGRmWi8
 AHFWZQSu4mTdDaJ5A/dyZeXv3ir+lQIUMLTm6EJ+3+PSACTKt1TCDqUKM0z2tFvB
 F96cH3/m9vAlxoeLmxeZqX6RGU44ttDFkyqDcS8hezV5meTNLJ580r0iyqnBhIu0
 szNhOxhHziTUOrps0EM8Cx7WElYUK3MJ30t8pZRwZaYQOjlm2NeqTwI0I/c4dHNX
 IUvdFXCVSWLFyGULpKf/tPqeq/nZKQ900gzoGJNSPnZ2gEw0QnVhGyIFaPbj42Eb
 TTs2nvCJU5bE96nvz3mAkxWF5Uuu0yw1CRII6XPbkMCpaTocrPs=
 =2Cfq
 -----END PGP SIGNATURE-----

Merge tag 'kvmarm-fixes-6.12-3' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into HEAD

KVM/arm64 fixes for 6.12, take #3

- Stop wasting space in the HYP idmap, as we are dangerously close
  to the 4kB limit, and this has already exploded in -next

- Fix another race in vgic_init()

- Fix a UBSAN error when faking the cache topology with MTE
  enabled
2024-10-20 12:10:59 -04:00
Paolo Bonzini
ddd5c58201 KVM/arm64 fixes for 6.12, take #2
- Fix the guest view of the ID registers, making the relevant fields
   writable from userspace (affecting ID_AA64DFR0_EL1 and ID_AA64PFR1_EL1)
 
 - Correcly expose S1PIE to guests, fixing a regression introduced
   in 6.12-rc1 with the S1POE support
 
 - Fix the recycling of stage-2 shadow MMUs by tracking the context
   (are we allowed to block or not) as well as the recycling state
 
 - Address a couple of issues with the vgic when userspace misconfigures
   the emulation, resulting in various splats. Headaches courtesy
   of our Syzkaller friends
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEn9UcU+C1Yxj9lZw9I9DQutE9ekMFAmcJJfcACgkQI9DQutE9
 ekPD+A//QPpX99cWV5ryj0Ado9JeewfNBPba4PR1gmR1+HZLrpawo1BjUKFVa4jl
 iempDeUmhX68M7JyfpdgzW7HMKkemqavioWcL/bRY7ZZ4ss3g4w0BNKkwTkA+IEj
 qkxNw/LYRjDtjXWAmV4YB17M3AXYtj0Xnwgu8XKTlgp9EAqNxYAGDW/OX/vrkyKk
 0Zbe1xg0pq5NxAZhC9TC2b0aHCXPVN9qsHvqJW7mu9qy0/Z4ix+CAXcnmlG9lpZg
 OsAIBu1fWt4YC2Q6+J8Bhu/RcvQtw0doPOllI/wEhx/Za3mzkBMBdvitMD7s5Ldy
 KQ9uSWbDCcdVUPjLVsnVm4zZ+Dp/DixXPmlQaMfO/sIu0A4LLj8DvGc7CaJGF6Fu
 jumXgT6A9IiJEBWAFbB9P2HD83ROW+3deCyOHDzGmJtfPQ0jHC9PCMjMVGQlcvcy
 4aWrzxFjSsMvR7ILUBL2y53pTDXDZH02GGAn/zRjfAwr8Qqy3iLTDVvmfXnuIIZE
 HR4gXrvp9g7+nhwEkbB1a7MmAW/xPNFHJ0floAp7I4EqXfOcvPewG/Da3fDjDIV3
 HFNEVnrjWvct6aiPx1rRbQDJcC5ROn4Cl52sKcMmxYpZ2EK9YzsYNYoJiNFmhmU3
 8EW+lMraGNQXxyzhZHsoAmmqkwy8YyjG37uH/EEHdHtDGJAJHls=
 =OM+r
 -----END PGP SIGNATURE-----

Merge tag 'kvmarm-fixes-6.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into HEAD

KVM/arm64 fixes for 6.12, take #2

- Fix the guest view of the ID registers, making the relevant fields
  writable from userspace (affecting ID_AA64DFR0_EL1 and ID_AA64PFR1_EL1)

- Correcly expose S1PIE to guests, fixing a regression introduced
  in 6.12-rc1 with the S1POE support

- Fix the recycling of stage-2 shadow MMUs by tracking the context
  (are we allowed to block or not) as well as the recycling state

- Address a couple of issues with the vgic when userspace misconfigures
  the emulation, resulting in various splats. Headaches courtesy
  of our Syzkaller friends
2024-10-20 12:10:56 -04:00
Cyan Yang
3ec4350d4e RISCV: KVM: use raw_spinlock for critical section in imsic
For the external interrupt updating procedure in imsic, there was a
spinlock to protect it already. But since it should not be preempted in
any cases, we should turn to use raw_spinlock to prevent any preemption
in case PREEMPT_RT was enabled.

Signed-off-by: Cyan Yang <cyan.yang@sifive.com>
Reviewed-by: Yong-Xuan Wang <yongxuan.wang@sifive.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
Message-ID: <20240919160126.44487-1-cyan.yang@sifive.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2024-10-20 12:10:44 -04:00
Sean Christopherson
773cca1834 KVM: selftests: Fix out-of-bounds reads in CPUID test's array lookups
When looking for a "mangled", i.e. dynamic, CPUID entry, terminate the
walk based on the number of array _entries_, not the size in bytes of
the array.  Iterating based on the total size of the array can result in
false passes, e.g. if the random data beyond the array happens to match
a CPUID entry's function and index.

Fixes: fb18d053b7 ("selftest: kvm: x86: test KVM_GET_CPUID2 and guest visible CPUIDs against KVM_GET_SUPPORTED_CPUID")
Signed-off-by: Sean Christopherson <seanjc@google.com>
Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Message-ID: <20241003234337.273364-2-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2024-10-20 12:10:44 -04:00
Vitaly Kuznetsov
9a400068a1 KVM: selftests: x86: Avoid using SSE/AVX instructions
Some distros switched gcc to '-march=x86-64-v3' by default and while it's
hard to find a CPU which doesn't support it today, many KVM selftests fail
with

  ==== Test Assertion Failure ====
    lib/x86_64/processor.c:570: Unhandled exception in guest
    pid=72747 tid=72747 errno=4 - Interrupted system call
    Unhandled exception '0x6' at guest RIP '0x4104f7'

The failure is easy to reproduce elsewhere with

   $ make clean && CFLAGS='-march=x86-64-v3' make -j && ./x86_64/kvm_pv_test

The root cause of the problem seems to be that with '-march=x86-64-v3' GCC
uses AVX* instructions (VMOVQ in the example above) and without prior
XSETBV() in the guest this results in #UD. It is certainly possible to add
it there, e.g. the following saves the day as well:

Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Message-ID: <20240920154422.2890096-1-vkuznets@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2024-10-20 12:10:27 -04:00
Hangbin Liu
3b05b9c36d MAINTAINERS: add samples/pktgen to NETWORKING [GENERAL]
samples/pktgen is missing in the MAINTAINERS file.

Suggested-by: Antoine Tenart <atenart@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Message-ID: <20241018005301.10052-1-liuhangbin@gmail.com>
Signed-off-by: Andrew Lunn <andrew@lunn.ch>
2024-10-20 09:41:10 -05:00
Jesper Dangaard Brouer
3e14d8ebaa mailmap: update entry for Jesper Dangaard Brouer
Mapping all my previously used emails to my kernel.org email.

Signed-off-by: Jesper Dangaard Brouer <hawk@kernel.org>
Message-ID: <172909057364.2452383.8019986488234344607.stgit@firesoul>
Signed-off-by: Andrew Lunn <andrew@lunn.ch>
2024-10-20 09:41:10 -05:00
Peter Rashleigh
12bc14949c net: dsa: mv88e6xxx: Fix error when setting port policy on mv88e6393x
mv88e6393x_port_set_policy doesn't correctly shift the ptr value when
converting the policy format between the old and new styles, so the
target register ends up with the ptr being written over the data bits.

Shift the pointer to align with the format expected by
mv88e6393x_port_policy_write().

Fixes: 6584b26020 ("net: dsa: mv88e6xxx: implement .port_set_policy for Amethyst")
Signed-off-by: Peter Rashleigh <peter@rashleigh.ca>
Reviewed-by: Simon Horman <horms@kernel.org>
Message-ID: <20241016040822.3917-1-peter@rashleigh.ca>
Signed-off-by: Andrew Lunn <andrew@lunn.ch>
2024-10-20 09:41:10 -05:00
Sean Christopherson
f559b2e9c5 KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory
Ignore nCR3[4:0] when loading PDPTEs from memory for nested SVM, as bits
4:0 of CR3 are ignored when PAE paging is used, and thus VMRUN doesn't
enforce 32-byte alignment of nCR3.

In the absolute worst case scenario, failure to ignore bits 4:0 can result
in an out-of-bounds read, e.g. if the target page is at the end of a
memslot, and the VMM isn't using guard pages.

Per the APM:

  The CR3 register points to the base address of the page-directory-pointer
  table. The page-directory-pointer table is aligned on a 32-byte boundary,
  with the low 5 address bits 4:0 assumed to be 0.

And the SDM's much more explicit:

  4:0    Ignored

Note, KVM gets this right when loading PDPTRs, it's only the nSVM flow
that is broken.

Fixes: e4e517b4be ("KVM: MMU: Do not unconditionally read PDPTE from guest memory")
Reported-by: Kirk Swidowski <swidowski@google.com>
Cc: Andy Nguyen <theflow@google.com>
Cc: 3pvd <3pvd@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20241009140838.1036226-1-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2024-10-20 07:31:06 -04:00
Maxim Levitsky
731285fbb6 KVM: VMX: reset the segment cache after segment init in vmx_vcpu_reset()
Reset the segment cache after segment initialization in vmx_vcpu_reset()
to harden KVM against caching stale/uninitialized data.  Without the
recent fix to bypass the cache in kvm_arch_vcpu_put(), the following
scenario is possible:

 - vCPU is just created, and the vCPU thread is preempted before
   SS.AR_BYTES is written in vmx_vcpu_reset().

 - When scheduling out the vCPU task, kvm_arch_vcpu_in_kernel() =>
   vmx_get_cpl() reads and caches '0' for SS.AR_BYTES.

 - vmx_vcpu_reset() => seg_setup() configures SS.AR_BYTES, but doesn't
   invoke vmx_segment_cache_clear() to invalidate the cache.

As a result, KVM retains a stale value in the cache, which can be read,
e.g. via KVM_GET_SREGS.  Usually this is not a problem because the VMX
segment cache is reset on each VM-Exit, but if the userspace VMM (e.g KVM
selftests) reads and writes system registers just after the vCPU was
created, _without_ modifying SS.AR_BYTES, userspace will write back the
stale '0' value and ultimately will trigger a VM-Entry failure due to
incorrect SS segment type.

Invalidating the cache after writing the VMCS doesn't address the general
issue of cache accesses from IRQ context being unsafe, but it does prevent
KVM from clobbering the VMCS, i.e. mitigates the harm done _if_ KVM has a
bug that results in an unsafe cache access.

Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Fixes: 2fb92db1ec ("KVM: VMX: Cache vmcs segment fields")
[sean: rework changelog to account for previous patch]
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20241009175002.1118178-3-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2024-10-20 07:31:06 -04:00
Sean Christopherson
5a27984244 KVM: x86: Clean up documentation for KVM_X86_QUIRK_SLOT_ZAP_ALL
Massage the documentation for KVM_X86_QUIRK_SLOT_ZAP_ALL to call out that
it applies to moved memslots as well as deleted memslots, to avoid KVM's
"fast zap" terminology (which has no meaning for userspace), and to reword
the documented targeted zap behavior to specifically say that KVM _may_
zap a subset of all SPTEs.  As evidenced by the fix to zap non-leafs SPTEs
with gPTEs, formally documenting KVM's exact internal behavior is risky
and unnecessary.

Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20241009192345.1148353-4-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2024-10-20 07:31:05 -04:00
Sean Christopherson
28cf497881 KVM: x86/mmu: Add lockdep assert to enforce safe usage of kvm_unmap_gfn_range()
Add a lockdep assertion in kvm_unmap_gfn_range() to ensure that either
mmu_invalidate_in_progress is elevated, or that the range is being zapped
due to memslot removal (loosely detected by slots_lock being held).
Zapping SPTEs without mmu_invalidate_{in_progress,seq} protection is unsafe
as KVM's page fault path snapshots state before acquiring mmu_lock, and
thus can create SPTEs with stale information if vCPUs aren't forced to
retry faults (due to seeing an in-progress or past MMU invalidation).

Memslot removal is a special case, as the memslot is retrieved outside of
mmu_invalidate_seq, i.e. doesn't use the "standard" protections, and
instead relies on SRCU synchronization to ensure any in-flight page faults
are fully resolved before zapping SPTEs.

Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-ID: <20241009192345.1148353-3-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2024-10-20 07:31:05 -04:00