Update 5.15.x+fslc up to v5.15.47 #580

Merged
merged 253 commits into from
Jun 14, 2022

@zandrey zandrey commented Jun 14, 2022

Automatic merge performed, no conflicts reported.

Kernel has been built for aarch64 (defconfig).

-- andrey

JiangJias and others added 30 commits June 14, 2022 18:36
[ Upstream commit 4a9800c ]

Because kmalloc() can fail, not_checked and checked
could be NULL pointers.
Therefore, it is better to check them in order to avoid the
dereference of the NULL pointer.
Also, we need to kfree the 'not_checked' and 'checked' to avoid
the memory leak if it fails.
And since it is just a test, it may directly return without error
number.

Fixes: ae2e1aa ("drivers/misc/lkdtm/bugs.c: add arithmetic overflow and array bounds checks")
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Acked-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220120092936.1874264-1-jiasheng@iscas.ac.cn
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 8bfdbdd ]

When you don't select CONFIG_UBSAN_TRAP, you get:

  # echo ARRAY_BOUNDS > /sys/kernel/debug/provoke-crash/DIRECT
[  102.265827] ================================================================================
[  102.278433] UBSAN: array-index-out-of-bounds in drivers/misc/lkdtm/bugs.c:342:16
[  102.287207] index 8 is out of range for type 'char [8]'
[  102.298722] ================================================================================
[  102.313712] lkdtm: FAIL: survived array bounds overflow!
[  102.318770] lkdtm: Unexpected! This kernel (5.16.0-rc1-s3k-dev-01884-g720dcf79314a ppc) was built with CONFIG_UBSAN_BOUNDS=y

It is not correct because when CONFIG_UBSAN_TRAP is not selected
you can't expect array bounds overflow to kill the thread.

Modify the logic so that when the kernel is built with
CONFIG_UBSAN_BOUNDS but without CONFIG_UBSAN_TRAP, you get a warning
about CONFIG_UBSAN_TRAP not being selected instead.

This also requires a fix of pr_expected_config(), otherwise the
following error is encountered.

  CC      drivers/misc/lkdtm/bugs.o
drivers/misc/lkdtm/bugs.c: In function 'lkdtm_ARRAY_BOUNDS':
drivers/misc/lkdtm/bugs.c:351:2: error: 'else' without a previous 'if'
  351 |  else
      |  ^~~~

Fixes: c75be56 ("lkdtm/bugs: Add ARRAY_BOUNDS to selftests")
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/363b58690e907c677252467a94fe49444c80ea76.1649704381.git.christophe.leroy@csgroup.eu
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 507b050 ]

In goldfish_tty_probe(), the port initialized through tty_port_init()
should be destroyed in error paths. In goldfish_tty_remove(), qtty->port
also should be destroyed or else might leak resources.

Fix the above by calling tty_port_destroy().

Fixes: 666b779 ("goldfish: tty driver")
Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
Signed-off-by: Wang Weiyang <wangweiyang2@huawei.com>
Link: https://lore.kernel.org/r/20220328115844.86032-1-wangweiyang2@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit bcea0f5 ]

Fix the missing clk_disable_unprepare() before return
from owl_uart_probe() in the error handling case.

Fixes: abf42d2 ("tty: serial: owl: add "much needed" clk_prepare_enable()")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Link: https://lore.kernel.org/r/20220307105135.11698-1-linmq006@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 65a8b28 ]

TTYs in ICANON mode have a special case that allows "pushing" a line
without a regular EOL character (like newline), by using EOF (the EOT
character - ASCII 0x4) as a pseudo-EOL. It is silently discarded, so
the reader of the PTS will receive the line *without* EOF or any other
terminating character.

This special case has an edge case: What happens if the reader's buffer
is the same size as the line (without EOF)? Will they be able to tell
if the whole line is received, i.e. if the next read() will return more
of the same line or the next line?

There are two possibilities, that both have (dis)advantages:

1. The next read() returns 0. FreeBSD (13.0) and OSX (10.11) do this.
   Advantage: The reader can interpret this as "the line is over".
   Disadvantage: read() returning 0 means EOF, the reader could also
   interpret it as "there's no more data" and stop reading or even
   close the PT.

2. The next read() returns the next line, the EOF is silently discarded.
   Solaris (or at least OpenIndiana 2021.10) does this, Linux has done
   this since commit 40d5e09 ("n_tty: Fix EOF push handling");
   this behavior was recently broken by commit 3593030 ("tty:
   n_tty: do not look ahead for EOL character past the end of the buffer").
   Advantage: read() won't return 0 (EOF), reader less likely to be
   confused (and things like `while(read(..)>0)` don't break)
   Disadvantage: The reader can't really know if the read() continues
   the last line (that filled the whole read buffer) or starts a
   new line.

As both options are defensible (and are used by other Unix-likes), it's
best to stick to the "old" behavior since "n_tty: Fix EOF push handling"
of 2013, i.e. silently discard that EOF.

This patch - that I actually got from Linus for testing and only
modified slightly - restores that behavior by skipping an EOF
character if it's the next character after reading is done.

Based on a patch from Linus Torvalds.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=215611
Fixes: 3593030 ("tty: n_tty: do not look ahead for EOL character past the end of the buffer")
Cc: Peter Hurley <peter@hurleysoftware.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jiri Slaby <jirislaby@kernel.org>
Reviewed-and-tested-by: Daniel Gibson <daniel@gibson.sh>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Daniel Gibson <daniel@gibson.sh>
Link: https://lore.kernel.org/r/20220329235810.452513-2-daniel@gibson.sh
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
…uart_probe

[ Upstream commit 0e0fd55 ]

platform_get_resource() may fail and return NULL, so we should
better check its return value to avoid a NULL pointer dereference.

Fixes: 54da3e3 ("serial: 8250_aspeed_vuart: use UPF_IOREMAP to set up register mapping")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Link: https://lore.kernel.org/r/20220404143842.16960-1-linmq006@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
…et_id and ida_simple_get

[ Upstream commit f398e0a ]

Now fsl_lpuart driver uses both of_alias_get_id() and ida_simple_get() in
.probe(), which has a potential bug. For example, when removing the
lpuart7 alias in dts, of_alias_get_id() will return an error, then call
ida_simple_get() to allocate the id 0 for lpuart7, this may conflict
with the lpuart4 which has alias 0.

    aliases {
	...
        serial0 = &lpuart4;
        serial1 = &lpuart5;
        serial2 = &lpuart6;
        serial3 = &lpuart7;
    }

So remove the ida_simple_get() in .probe(), return an error directly
when calling of_alias_get_id() fails, which is consistent with other
uart drivers behavior.

Fixes: 3bc3206 ("serial: fsl_lpuart: Remove the alias node dependence")
Signed-off-by: Sherry Sun <sherry.sun@nxp.com>
Link: https://lore.kernel.org/r/20220321112211.8895-1-sherry.sun@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 58b7c85 ]

Resource table is used by Linux to get information published by
remote processor. It should not be used for memory allocation, so
do not create rproc mem entry.

Fixes: b29b424 ("remoteproc: imx_rproc: add i.MX specific parse fw hook")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Link: https://lore.kernel.org/r/20220415025737.1561976-1-peng.fan@oss.nxp.com
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 9ec4cbf ]

usb_get_dev() is called in stub_device_alloc(). When stub_probe() fails
after that, usb_put_dev() needs to be called to release the reference.

Fix this by moving usb_put_dev() to sdev_free error path handling.

Found this by code review.

Fixes: 3ff6744 ("usbip: fix error handling in stub_probe()")
Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Link: https://lore.kernel.org/r/20220412020257.9767-1-hbh25y@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit d088fab ]

The function documentation of usb_set_configuration says that its
callers should hold the device lock. This lock is held for all
callsites except tweak_set_configuration_cmd. The code path can be
executed for example when attaching a remote USB device.
The solution is to surround the call by the device lock.

This bug was found using my experimental own-developed static analysis
tool, which reported the missing lock on v5.17.2. I manually verified
this bug report by doing code review as well. I runtime checked that
the required lock is not held. I compiled and runtime tested this on
x86_64 with a USB mouse. After applying this patch, my analyser no
longer reports this potential bug.

Fixes: 2c8c981 ("staging: usbip: let client choose device configuration")
Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Niels Dossche <dossche.niels@gmail.com>
Link: https://lore.kernel.org/r/20220412165055.257113-1-dossche.niels@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit b92ffb1 ]

The function rio_karma_init() should return -ENOMEM instead of
value 0 (USB_STOR_TRANSPORT_GOOD) when allocation fails.

Similarly, it should return -EIO when rio_karma_send_command() fails.

Fixes: dfe0d3b ("USB Storage: add rio karma eject support")
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Link: https://lore.kernel.org/r/20220412144359.28447-1-linma@zju.edu.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 424bef5 ]

The device_node pointer is returned by of_parse_phandle() with refcount
incremented. We should use of_node_put() on it when done.

Fixes: 8934d3e ("usb: musb: omap2430: Don't use omap_get_control_dev()")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Link: https://lore.kernel.org/r/20220309111033.24487-1-linmq006@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
…_probe()

[ Upstream commit 7079b34 ]

If device_register() fails, device_unregister() should not be called
because it will free some resources that are not allocated.
put_device() should be used instead.

Fixes: 308ee87 ("staging: fieldbus: anybus-s: support HMS Anybus-S bus")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Link: https://lore.kernel.org/r/5401a519608d6e1a4e7435c20f4f20b0c5c36c23.1650610082.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 5e3b07c ]

The hardware only supports periods <= 1.6 ms and if a bigger period is
requested it is clamped to 1.6 ms. In this case duty_cycle might be bigger
than 1.6 ms and then the duty cycle register is written with a value
bigger than LP3943_MAX_DUTY. So clamp duty_cycle accordingly.

Fixes: af66b3c ("pwm: Add LP3943 PWM driver")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 09f688f ]

The reg member of struct raspberrypi_pwm_prop is a little endian 32 bit
quantity. Explicitly convert the (native endian) value to little endian
on assignment as is already done in raspberrypi_pwm_set_property().

This fixes the following sparse warning:

	drivers/pwm/pwm-raspberrypi-poe.c:69:24: warning: incorrect type in initializer (different base types)
	drivers/pwm/pwm-raspberrypi-poe.c:69:24:    expected restricted __le32 [usertype] reg
	drivers/pwm/pwm-raspberrypi-poe.c:69:24:    got unsigned int [usertype] reg

Fixes: 79caa36 ("pwm: Add Raspberry Pi Firmware based PWM bus")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 1a358d3 ]

The irq_of_parse_and_map() returns 0 on failure, not a negative ERRNO.

Fixes: 53e2822 ("rpmsg: Introduce Qualcomm SMD backend")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Link: https://lore.kernel.org/r/20220422105326.78713-1-krzysztof.kozlowski@linaro.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit bf594d1 ]

The list_for_each_entry_safe() macro saves the current item (n) and
the item after (n+1), so that n can be safely removed without
corrupting the list.  However, when traversing the list and removing
items using gadget giveback, the DWC3 lock is briefly released,
allowing other routines to execute.  There is a situation where, while
items are being removed from the cancelled_list using
dwc3_gadget_ep_cleanup_cancelled_requests(), the pullup disable
routine is running in parallel (due to UDC unbind).  As the cleanup
routine removes n, and the pullup disable removes n+1, once the
cleanup retakes the DWC3 lock, it references a request which was already
removed/handled.  With list debug enabled, this leads to a panic.
Ensure all instances of the macro are replaced where gadget giveback
is used.

Example call stack:

Thread#1:
__dwc3_gadget_ep_set_halt() - CLEAR HALT
  -> dwc3_gadget_ep_cleanup_cancelled_requests()
    ->list_for_each_entry_safe()
    ->dwc3_gadget_giveback(n)
      ->dwc3_gadget_del_and_unmap_request()- n deleted[cancelled_list]
      ->spin_unlock
      ->Thread#2 executes
      ...
    ->dwc3_gadget_giveback(n+1)
      ->Already removed!

Thread#2:
dwc3_gadget_pullup()
  ->waiting for dwc3 spin_lock
  ...
  ->Thread#1 released lock
  ->dwc3_stop_active_transfers()
    ->dwc3_remove_requests()
      ->fetches n+1 item from cancelled_list (n removed by Thread#1)
      ->dwc3_gadget_giveback()
        ->dwc3_gadget_del_and_unmap_request()- n+1 deleted[cancelled_list]
        ->spin_unlock

Fixes: d4f1afe ("usb: dwc3: gadget: move requests to cancelled_list")
Signed-off-by: Wesley Cheng <quic_wcheng@quicinc.com>
Link: https://lore.kernel.org/r/20220414183521.23451-1-quic_wcheng@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit a03e2dd ]

If the device is already in a runtime PM enabled state
pm_runtime_get_sync() will return 1, so a test for negative
value should be used to check for errors.

Fixes: 8eed00b ("usb: dwc3: pci: Runtime resume child device from wq")
Signed-off-by: Zheng Yongjun <zhengyongjun3@huawei.com>
Link: https://lore.kernel.org/r/20220422062652.10575-1-zhengyongjun3@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 5ac11fe ]

The bug is here:
	if (!buf) {

The list iterator value 'buf' will *always* be set and non-NULL
by list_for_each_entry(), so it is incorrect to assume that the
iterator value will be NULL if the list is empty (in this case, the
check 'if (!buf) {' will always be false and never exit as expected).

To fix the bug, use a new variable 'iter' as the list iterator,
while using the original variable 'buf' as a dedicated pointer to
point to the found element.

Fixes: 2419e55 ("misc: fastrpc: add mmap/unmap support")
Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
Link: https://lore.kernel.org/r/20220327062202.5720-1-xiam0nd.tong@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 5a0793a ]

The bug is here:
	pmem->vaddr = NULL;

The list iterator 'pmem' will point to a bogus position containing
HEAD if the list is empty or no element is found. This case must
be checked before any use of the iterator, otherwise it will
lead to an invalid memory access.

To fix this bug, just gen_pool_free/set NULL/list_del() and return
when found, otherwise list_del HEAD and return;

Fixes: 7ca5ce8 ("firmware: add Intel Stratix10 service layer driver")
Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
Link: https://lore.kernel.org/r/20220414035609.2239-1-xiam0nd.tong@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
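
Added example (not code from either commit or from the kernel tree): a user-space C model of the iterator bug described in the two commit messages above (5ac11fe and 5a0793a), showing that the list_for_each_entry() cursor is never NULL after the loop and instead points at memory around the list head. The list helpers are minimal re-implementations, and `struct user`, `struct buf`, `find_buggy()`, `find_fixed()` and `probe()` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal user-space stand-ins for the kernel's circular list helpers. */
struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_for_each_entry(pos, head, member)                           \
	for (pos = container_of((head)->next, __typeof__(*pos), member);  \
	     &pos->member != (head);                                      \
	     pos = container_of(pos->member.next, __typeof__(*pos), member))

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->prev = h->prev;
	n->next = h;
	h->prev->next = n;
	h->prev = n;
}

struct buf {                 /* hypothetical list element */
	unsigned long raddr;
	struct list_head node;
};

struct user {                /* hypothetical owner that embeds the list head */
	char name[32];
	struct list_head mmaps;
};

/* Pre-fix pattern: the loop cursor doubles as the lookup result. */
struct buf *find_buggy(struct user *u, unsigned long raddr)
{
	struct buf *buf;

	list_for_each_entry(buf, &u->mmaps, node)
		if (buf->raddr == raddr)
			break;
	return buf;   /* on a miss this is container_of(head), never NULL */
}

/* Post-fix pattern: 'iter' walks the list, 'buf' is set only on a match. */
struct buf *find_fixed(struct user *u, unsigned long raddr)
{
	struct buf *buf = NULL, *iter;

	list_for_each_entry(iter, &u->mmaps, node) {
		if (iter->raddr == raddr) {
			buf = iter;
			break;
		}
	}
	return buf;
}

enum result { RES_NULL, RES_ENTRY, RES_BOGUS };
typedef struct buf *(*find_fn)(struct user *, unsigned long);

/* Builds a constructed list of nbufs entries (raddr 0x1000, 0x2000, ...)
 * and classifies what the lookup returned, without dereferencing it. */
enum result probe(find_fn find, int nbufs, unsigned long raddr)
{
	struct user u = { .name = "constructed" };
	struct buf bufs[4];
	struct buf *hit;
	int i;

	list_init(&u.mmaps);
	for (i = 0; i < nbufs && i < 4; i++) {
		bufs[i].raddr = 0x1000UL * (unsigned long)(i + 1);
		list_add_tail(&bufs[i].node, &u.mmaps);
	}
	hit = find(&u, raddr);
	if (!hit)
		return RES_NULL;
	/* A "result" inside the owner struct is the list head misread as a buf. */
	if ((uintptr_t)hit >= (uintptr_t)&u && (uintptr_t)hit < (uintptr_t)(&u + 1))
		return RES_BOGUS;
	return RES_ENTRY;
}

int main(void)
{
	static const char *names[] = { "NULL", "real entry", "bogus (aliases owner)" };

	printf("empty list, buggy: %s\n", names[probe(find_buggy, 0, 0x1000UL)]);
	printf("empty list, fixed: %s\n", names[probe(find_fixed, 0, 0x1000UL)]);
	printf("miss,       buggy: %s\n", names[probe(find_buggy, 3, 0x9999UL)]);
	printf("miss,       fixed: %s\n", names[probe(find_fixed, 3, 0x9999UL)]);
	printf("hit,        fixed: %s\n", names[probe(find_fixed, 3, 0x2000UL)]);
	return 0;
}
```
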
[ Upstream commit b9fa029 ]

It's possible that dev_set_name() returns -ENOMEM, catch and handle this.

Fixes: 3370db3 ("usb: typec: Registering real device entries for the muxes")
Reported-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Link: https://lore.kernel.org/r/20220422222351.1297276-4-bjorn.andersson@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit c2eecef ]

vch will be freed in virtio_rpmsg_release_device() when
rpmsg_ns_register_device() fails. There is no need to call kfree() again.

Fix this by changing error path from free_vch to free_ctrldev.

Fixes: c486682 ("rpmsg: virtio: Register the rpmsg_char device")
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Tested-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>
Link: https://lore.kernel.org/r/20220426060536.15594-2-hbh25y@gmail.com
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 1680939 ]

vch will be freed in virtio_rpmsg_release_device() when
rpmsg_ctrldev_register_device() fails. There is no need to call
kfree() again.

Fixes: c486682 ("rpmsg: virtio: Register the rpmsg_char device")
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Tested-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>
Link: https://lore.kernel.org/r/20220426060536.15594-3-hbh25y@gmail.com
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit df19179 ]

Unregister the rpmsg_ctrl device instead of just freeing the
virtio_rpmsg_channel structure.
This will properly unregister the device and call
virtio_rpmsg_release_device() that frees the structure.

Fixes: c486682 ("rpmsg: virtio: Register the rpmsg_char device")
Signed-off-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>
Reviewed-by: Hangyu Hua <hbh25y@gmail.com>
Link: https://lore.kernel.org/r/20220426060536.15594-4-hbh25y@gmail.com
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit d345b23 ]

wait_for_completion_timeout() returns unsigned long not long.
It returns 0 if timed out, and positive if completed.
The check for <= 0 is ambiguous and should be == 0 here
indicating timeout which is the only error case.

Fixes: e813dde ("iio: stmpe-adc: Use wait_for_completion_timeout")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Reviewed-by: Philippe Schenker <philippe.schenker@toradex.com>
Link: https://lore.kernel.org/r/20220412065150.14486-1-linmq006@gmail.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
…n_timeout

[ Upstream commit 50f2959 ]

wait_for_completion_timeout() returns unsigned long not int.
It returns 0 if timed out, and positive if completed.
The check for <= 0 is ambiguous and should be == 0 here
indicating timeout which is the only error case.

Fixes: 3cef2e3 ("iio: proximity: vl53l0x: Add IRQ support")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Link: https://lore.kernel.org/r/20220412064210.10734-1-linmq006@gmail.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit ad930a7 ]

Fix wrong configuration value of SC27XX_ADC_SCALE_MASK and
SC27XX_ADC_SCALE_SHIFT by spec documentation.

Fixes: 5df362a (iio: adc: Add Spreadtrum SC27XX PMICs ADC support)
Signed-off-by: Cixi Geng <cixi.geng1@unisoc.com>
Reviewed-by: Baolin Wang <baolin.wang7@gmail.com>
Link: https://lore.kernel.org/r/20220419142458.884933-3-gengcixi@gmail.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 5a7a184 ]

Small adjustment to the scale calibration value for the sc2731,
use new name sc2731_[big|small]_scale_graph_calib, and remove
the original [big|small]_scale_graph_calib struct as unused.

Fixes: 8ba0dbf (iio: adc: sc27xx: Add ADC scale calibration)
Signed-off-by: Cixi Geng <cixi.geng1@unisoc.com>
Link: https://lore.kernel.org/r/20220419142458.884933-4-gengcixi@gmail.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 59d6f72 ]

irq_of_parse_and_map() returns 0 on failure, so this should not be
passed further as error return code.

Fixes: 1a358d3 ("rpmsg: qcom_smd: Fix irq_of_parse_and_map() return value")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Link: https://lore.kernel.org/r/20220423093932.32136-1-krzysztof.kozlowski@linaro.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit cc5b392 ]

Fix a few spelling typos in the comments.

Reviewed-by: Mihai Carabas <mihai.carabas@oracle.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/20210829124354.81653-2-andriy.shevchenko@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
mfaltesek and others added 25 commits June 14, 2022 18:36
commit f2e19b3 upstream.

The transaction buffer is allocated by using the size of the packet buf,
and subtracting two which seem intended to remove the two tags which are
not present in the target structure. This calculation leads to under
counting memory because of differences between the packet contents and the
target structure. The aid_len field is a u8 in the packet, but a u32 in
the structure, resulting in at least 3 bytes always being under counted.
Further, the aid data is a variable length field in the packet, but fixed
in the structure, so if this field is less than the max, the difference is
added to the under counting.

The last validation check for transaction->params_len is also incorrect
since it employs the same accounting error.

To fix, perform validation checks progressively to safely reach the
next field, to determine the size of both buffers and verify both tags.
Once all validation checks pass, allocate the buffer and copy the data.
This eliminates freeing memory on the error path, as those checks are
moved ahead of memory allocation.

Fixes: 26fc6c7 ("NFC: st21nfca: Add HCI transaction event support")
Fixes: 4fbcc1a ("nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION")
Cc: stable@vger.kernel.org
Signed-off-by: Martin Faltesek <mfaltesek@google.com>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
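
Added example (not the driver's code): a user-space C sketch of the progressive validation that commit f2e19b3 describes, where each field is checked before the next one is read and the buffer is allocated only after every check has passed. The tag values 0x81/0x82, the 16-byte AID capacity, the struct layout and all function and packet names are assumptions made for illustration; the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed values: the page names the fields but not these constants. */
#define AID_TAG     0x81
#define PARAMS_TAG  0x82
#define MAX_AID_LEN 16

/* Target structure as the commit message describes it: 32-bit length and a
 * fixed-size AID array, while the packet has a u8 length and variable AID. */
struct evt_transaction {
	uint32_t aid_len;
	uint8_t aid[MAX_AID_LEN];
	uint8_t params_len;
	uint8_t params[];
};

/* Pre-fix sizing as described: packet length minus the two tag bytes. */
size_t old_alloc_size(size_t pkt_len)
{
	return pkt_len - 2;
}

/* Bytes the structure really needs for a given parameter length. */
size_t needed_size(size_t params_len)
{
	return sizeof(struct evt_transaction) + params_len;
}

/*
 * Packet: aid_tag | aid_len | aid[aid_len] | params_tag | params_len | params[]
 * Each check only reads bytes that an earlier check proved to be present.
 * Returns 0 and a heap object in *out (caller frees), or -1 if malformed.
 */
int parse_evt_transaction(const uint8_t *pkt, size_t len,
			  struct evt_transaction **out)
{
	size_t aid_len, params_len;
	struct evt_transaction *t;

	*out = NULL;
	if (len < 2 || pkt[0] != AID_TAG)       /* AID tag and length byte */
		return -1;
	aid_len = pkt[1];
	if (aid_len > MAX_AID_LEN || len < aid_len + 4) /* AID fits, header follows */
		return -1;
	if (pkt[aid_len + 2] != PARAMS_TAG)
		return -1;
	params_len = pkt[aid_len + 3];
	if (len < aid_len + 4 + params_len)     /* parameters fully present */
		return -1;

	/* All checks passed: allocate once, so no error path has to free. */
	t = calloc(1, needed_size(params_len));
	if (!t)
		return -1;
	t->aid_len = (uint32_t)aid_len;
	memcpy(t->aid, &pkt[2], aid_len);
	t->params_len = (uint8_t)params_len;
	memcpy(t->params, &pkt[aid_len + 4], params_len);
	*out = t;
	return 0;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t PKT_OK[] =
	{ 0x81, 5, 0xA0, 0x00, 0x00, 0x00, 0x01, 0x82, 3, 0x11, 0x22, 0x33 };
static const uint8_t PKT_SHORT_PARAMS[] =   /* claims 200 bytes, carries 1 */
	{ 0x81, 5, 0xA0, 0x00, 0x00, 0x00, 0x01, 0x82, 200, 0x11 };
static const uint8_t PKT_LONG_AID[] =       /* aid_len exceeds the fixed array */
	{ 0x81, 200, 0xA0, 0x82, 0 };
static const uint8_t PKT_NO_PARAMS_HDR[] =  /* ends right after the AID */
	{ 0x81, 5, 0xA0, 0x00, 0x00, 0x00, 0x01 };

/* Parses and frees; returns aid_len + params_len copied, or -1 if rejected. */
int try_parse(const uint8_t *pkt, size_t len)
{
	struct evt_transaction *t;
	int copied;

	if (parse_evt_transaction(pkt, len, &t) != 0)
		return -1;
	copied = (int)(t->aid_len + t->params_len);
	free(t);
	return copied;
}

int main(void)
{
	printf("ok=%d short_params=%d long_aid=%d no_params_hdr=%d\n",
	       try_parse(PKT_OK, sizeof(PKT_OK)),
	       try_parse(PKT_SHORT_PARAMS, sizeof(PKT_SHORT_PARAMS)),
	       try_parse(PKT_LONG_AID, sizeof(PKT_LONG_AID)),
	       try_parse(PKT_NO_PARAMS_HDR, sizeof(PKT_NO_PARAMS_HDR)));
	printf("old sizing: %zu bytes, needed: %zu bytes\n",
	       old_alloc_size(sizeof(PKT_OK)), needed_size(3));
	return 0;
}
```
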
commit 803e989 upstream.

After a VF requested to remove the promiscuous flag on an interface, the
broadcast packets are not received anymore. This breaks some protocols
like ARP.

In ixgbe_update_vf_xcast_mode(), we should keep the IXGBE_VMOLR_BAM
bit (Broadcast Accept) on promiscuous removal.

This flag is already set by default in ixgbe_set_vmolr() on VF reset.

Fixes: 8443c1a ("ixgbe, ixgbevf: Add new mbox API xcast mode")
Cc: stable@vger.kernel.org
Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 7bb0fb7 upstream.

When the promiscuous mode is enabled on a VF, the IXGBE_VMOLR_VPE
bit (VLAN Promiscuous Enable) is set. This means that the VF will
receive packets whose VLAN is not the same as the VLAN of the VF.

For instance, in this situation:

┌────────┐    ┌────────┐    ┌────────┐
│        │    │        │    │        │
│        │    │        │    │        │
│     VF0├────┤VF1  VF2├────┤VF3     │
│        │    │        │    │        │
└────────┘    └────────┘    └────────┘
   VM1           VM2           VM3

vf 0:  vlan 1000
vf 1:  vlan 1000
vf 2:  vlan 1001
vf 3:  vlan 1001

If we tcpdump on VF3, we see all the packets, even those transmitted
on vlan 1000.

This behavior prevents bridging VF1 and VF2 in VM2, because it will
create a loop: packets transmitted on VF1 will be received by VF2 and
vice-versa, and bridged again through the software bridge.

This patch removes the activation of VLAN Promiscuous when a VF enables
the promiscuous mode. However, the IXGBE_VMOLR_UPE bit (Unicast
Promiscuous) is kept, so that a VF receives all packets that have the
same VLAN, whatever the destination MAC address.

Fixes: 8443c1a ("ixgbe, ixgbevf: Add new mbox API xcast mode")
Cc: stable@vger.kernel.org
Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c42e656 upstream.

The bcm5974 driver does the allocation and dma mapping of the usb urb
data buffer, but driver does not set the URB_NO_TRANSFER_DMA_MAP flag
to let usb core know the buffer is already mapped.

usb core tries to map the already mapped buffer, causing a warning:
"xhci_hcd 0000:00:14.0: rejecting DMA map of vmalloc memory"

Fix this by setting the URB_NO_TRANSFER_DMA_MAP, letting usb core
know buffer is already mapped by bcm5974 driver

Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Cc: stable@vger.kernel.org
Link: https://bugzilla.kernel.org/show_bug.cgi?id=215890
Link: https://lore.kernel.org/r/20220606113636.588955-1-mathias.nyman@linux.intel.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b27ee76 upstream.

The control device has no drvdata. So we will get a
NULL pointer dereference when accessing control
device's msg_timeout attribute via sysfs:

[ 132.841881][ T3644] BUG: kernel NULL pointer dereference, address: 00000000000000f8
[ 132.850619][ T3644] RIP: 0010:msg_timeout_show (drivers/vdpa/vdpa_user/vduse_dev.c:1271)
[ 132.869447][ T3644] dev_attr_show (drivers/base/core.c:2094)
[ 132.870215][ T3644] sysfs_kf_seq_show (fs/sysfs/file.c:59)
[ 132.871164][ T3644] ? device_remove_bin_file (drivers/base/core.c:2088)
[ 132.872082][ T3644] kernfs_seq_show (fs/kernfs/file.c:164)
[ 132.872838][ T3644] seq_read_iter (fs/seq_file.c:230)
[ 132.873578][ T3644] ? __vmalloc_area_node (mm/vmalloc.c:3041)
[ 132.874532][ T3644] kernfs_fop_read_iter (fs/kernfs/file.c:238)
[ 132.875513][ T3644] __kernel_read (fs/read_write.c:440 (discriminator 1))
[ 132.876319][ T3644] kernel_read (fs/read_write.c:459)
[ 132.877129][ T3644] kernel_read_file (fs/kernel_read_file.c:94)
[ 132.877978][ T3644] kernel_read_file_from_fd (include/linux/file.h:45 fs/kernel_read_file.c:186)
[ 132.879019][ T3644] __do_sys_finit_module (kernel/module.c:4207)
[ 132.879930][ T3644] __ia32_sys_finit_module (kernel/module.c:4189)
[ 132.880930][ T3644] do_int80_syscall_32 (arch/x86/entry/common.c:112 arch/x86/entry/common.c:132)
[ 132.881847][ T3644] entry_INT80_compat (arch/x86/entry/entry_64_compat.S:419)

To fix it, don't create the unneeded attribute for
control device anymore.

Fixes: c8a6153 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
Reported-by: kernel test robot <oliver.sang@intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Xie Yongji <xieyongji@bytedance.com>
Message-Id: <20220426073656.229-1-xieyongji@bytedance.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 1346d00 upstream.

The HAVE_IRQ_EXIT_ON_IRQ_STACK option tells generic code that irq_exit()
is called while still running on the hard irq stack (hardirq_ctx[] in
the powerpc code).

Selecting the option means the generic code will *not* switch to the
softirq stack before running softirqs, because the code is already
running on the (mostly empty) hard irq stack.

But since commit 1b1b6a6 ("powerpc: handle irq_enter/irq_exit in
interrupt handler wrappers"), irq_exit() is now called on the regular task
stack, not the hard irq stack.

That's because previously irq_exit() was called in __do_irq() which is
run on the hard irq stack, but now it is called in
interrupt_async_exit_prepare() which is called from do_irq() constructed
by the wrapper macro, which is after the switch back to the task stack.

So drop HAVE_IRQ_EXIT_ON_IRQ_STACK from the Kconfig. This will mean an
extra stack switch when processing some interrupts, but should
significantly reduce the likelihood of stack overflow.

It also means the softirq stack will be used for running softirqs from
other interrupts that don't use the hard irq stack, eg. timer interrupts.

Fixes: 1b1b6a6 ("powerpc: handle irq_enter/irq_exit in interrupt handler wrappers")
Cc: stable@vger.kernel.org # v5.12+
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20220525032639.1947280-1-mpe@ellerman.id.au
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ca87165 upstream.

Most eDP panel functions only work correctly when the panel is not in
self-refresh. In particular, analogix_dp_bridge_disable() tends to hit
AUX channel errors if the panel is in self-refresh.

Given the above, it appears that so far, this driver assumes that we are
never in self-refresh when it comes time to fully disable the bridge.
Prior to commit 846c7df ("drm/atomic: Try to preserve the crtc
enabled state in drm_atomic_remove_fb, v2."), this tended to be true,
because we would automatically disable the pipe when framebuffers were
removed, and so we'd typically disable the bridge shortly after the last
display activity.

However, that is not guaranteed: an idle (self-refresh) display pipe may
be disabled, e.g., when switching CRTCs. We need to exit PSR first.

Stable notes: this is definitely a bugfix, and the bug has likely
existed in some form for quite a while. It may predate the "PSR helpers"
refactor, but the code looked very different before that, and it's
probably not worth rewriting the fix.

Cc: <stable@vger.kernel.org>
Fixes: 6c836d9 ("drm/rockchip: Use the helpers for PSR")
Signed-off-by: Brian Norris <briannorris@chromium.org>
Reviewed-by: Sean Paul <seanpaul@chromium.org>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20220228122522.v2.1.I161904be17ba14526f78536ccd78b85818449b51@changeid
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit e54a442 upstream.

It's possible to change which CRTC is in use for a given
connector/encoder/bridge while we're in self-refresh without fully
disabling the connector/encoder/bridge along the way. This can confuse
the bridge encoder/bridge, because
(a) it needs to track the SR state (trying to perform "active"
    operations while the panel is still in SR can be Bad(TM)); and
(b) it tracks the SR state via the CRTC state (and after the switch, the
    previous SR state is lost).

Thus, we need to either somehow carry the self-refresh state over to the
new CRTC, or else force an encoder/bridge self-refresh transition during
such a switch.

I choose the latter, so we disable the encoder (and exit PSR) before
attaching it to the new CRTC (where we can continue to assume a clean
(non-self-refresh) state).

This fixes PSR issues seen on Rockchip RK3399 systems with
drivers/gpu/drm/bridge/analogix/analogix_dp_core.c.

Change in v2:

- Drop "->enable" condition; this could possibly be "->active" to
  reflect the intended hardware state, but it also is a little
  over-specific. We want to make a transition through "disabled" any
  time we're exiting PSR at the same time as a CRTC switch.
  (Thanks Liu Ying)

Cc: Liu Ying <victor.liu@oss.nxp.com>
Cc: <stable@vger.kernel.org>
Fixes: 1452c25 ("drm: Add helpers to kick off self refresh mode in drivers")
Signed-off-by: Brian Norris <briannorris@chromium.org>
Reviewed-by: Sean Paul <seanpaul@chromium.org>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20220228122522.v2.2.Ic15a2ef69c540aee8732703103e2cff51fb9c399@changeid
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 97e5030 upstream.

Supports AV1.  Mesa already has support for this and
doesn't rely on the kernel caps for yellow carp, so
this was already working from an application perspective.

Fixes: 5543981 ("amdgpu/nv.c - Added video codec support for Yellow Carp")
Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/2002
Reviewed-by: Leo Liu <leo.liu@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8e12784 upstream.

The ptrace PEEKUSR/POKEUSR (aka PEEKUSER/POKEUSER) API allows a process
to read/write registers of another process.

To get/set a register, the API takes an index into an imaginary address
space called the "USER area", where the registers of the process are
laid out in some fashion.

The kernel then maps that index to a particular register in its own data
structures and gets/sets the value.

The API only allows a single machine-word to be read/written at a time.
So 4 bytes on 32-bit kernels and 8 bytes on 64-bit kernels.

The way floating point registers (FPRs) are addressed is somewhat
complicated, because double precision float values are 64-bit even on
32-bit CPUs. That means on 32-bit kernels each FPR occupies two
word-sized locations in the USER area. On 64-bit kernels each FPR
occupies one word-sized location in the USER area.

Internally the kernel stores the FPRs in an array of u64s, or if VSX is
enabled, an array of pairs of u64s where one half of each pair stores
the FPR. Which half of the pair stores the FPR depends on the kernel's
endianness.

To handle the different layouts of the FPRs depending on VSX/no-VSX and
big/little endian, the TS_FPR() macro was introduced.

Unfortunately the TS_FPR() macro does not take into account the fact
that the addressing of each FPR differs between 32-bit and 64-bit
kernels. It just takes the index into the "USER area" passed from
userspace and indexes into the fp_state.fpr array.

On 32-bit there are 64 indexes that address FPRs, but only 32 entries in
the fp_state.fpr array, meaning the user can read/write 256 bytes past
the end of the array. Because the fp_state sits in the middle of the
thread_struct there are various fields that can be overwritten,
including some pointers. As such it may be exploitable.

It has also been observed to cause systems to hang or otherwise
misbehave when using gdbserver, and is probably the root cause of this
report which could not be easily reproduced:
  https://lore.kernel.org/linuxppc-dev/dc38afe9-6b78-f3f5-666b-986939e40fc6@keymile.com/

Rather than trying to make the TS_FPR() macro even more complicated to
fix the bug, or add more macros, instead add a special-case for 32-bit
kernels. This is more obvious and hopefully avoids a similar bug
happening again in future.

Note that because 32-bit kernels never have VSX enabled the code doesn't
need to consider TS_FPRWIDTH/OFFSET at all. Add a BUILD_BUG_ON() to
ensure that 32-bit && VSX is never enabled.

Fixes: 87fec05 ("powerpc: PTRACE_PEEKUSR/PTRACE_POKEUSER of FPR registers in little endian builds")
Cc: stable@vger.kernel.org # v3.13+
Reported-by: Ariel Miculas <ariel.miculas@belden.com>
Tested-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20220609133245.573565-1-mpe@ellerman.id.au
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
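The index arithmetic described in the commit message above, as an added user-space model in C (not kernel code and not the upstream patch). `struct model_thread`, its `after[]` field and all function names are assumptions made for the illustration; it shows where the pre-fix mapping leaves the array and how a 32-bit word view with a bounds check stays inside it.

```c
/* Added illustration: a user-space model, not kernel code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NUM_FPRS      32                         /* entries in fp_state.fpr (no VSX) */
#define WORDS_PER_FPR 2                          /* 32-bit kernel: 64-bit FPR = 2 words */
#define NUM_FPR_SLOTS (NUM_FPRS * WORDS_PER_FPR) /* 64 USER-area indexes address FPRs */
#define FPR_BYTES     (NUM_FPRS * sizeof(uint64_t))

/* Constructed stand-in for fp_state and the fields that follow it. */
struct model_thread {
    uint64_t fpr[NUM_FPRS];
    uint64_t after[40];   /* hypothetical neighbouring fields, pointers included */
};

/* Same spirit as the BUILD_BUG_ON() in the commit: a layout assumption is
 * checked at build time. Here: the 32-bit word view covers fpr[] exactly. */
_Static_assert(FPR_BYTES == NUM_FPR_SLOTS * sizeof(uint32_t),
               "word view must cover fpr[] exactly");

/* Pre-fix mapping: the word index is used directly as a u64 array index.
 * Returns the byte offset one past the element it would address; nothing
 * is dereferenced here. */
size_t prefix_element_end(unsigned int fpidx)
{
    return ((size_t)fpidx + 1) * sizeof(uint64_t);
}

/* Lowest USER-area FPR index whose element lies beyond fpr[]; -1 if none. */
int prefix_first_oob_index(void)
{
    for (unsigned int i = 0; i < NUM_FPR_SLOTS; i++)
        if (prefix_element_end(i) > FPR_BYTES)
            return (int)i;
    return -1;
}

/* How far past fpr[] the pre-fix mapping reaches for the highest index. */
size_t prefix_overreach_bytes(void)
{
    size_t end = prefix_element_end(NUM_FPR_SLOTS - 1);
    return end > FPR_BYTES ? end - FPR_BYTES : 0;
}

/* Special-cased 32-bit mapping: treat fpr[] as an array of 32-bit words and
 * index that. memcpy keeps the access well-defined in portable C. */
int peek_fpr_word32(const struct model_thread *t, unsigned int fpidx,
                    uint32_t *out)
{
    if (fpidx >= NUM_FPR_SLOTS)
        return -1;
    memcpy(out, (const unsigned char *)t->fpr + (size_t)fpidx * sizeof(uint32_t),
           sizeof(*out));
    return 0;
}

int poke_fpr_word32(struct model_thread *t, unsigned int fpidx, uint32_t val)
{
    if (fpidx >= NUM_FPR_SLOTS)
        return -1;
    memcpy((unsigned char *)t->fpr + (size_t)fpidx * sizeof(uint32_t),
           &val, sizeof(val));
    return 0;
}

int main(void)
{
    printf("pre-fix mapping: first index outside fpr[] = %d\n",
           prefix_first_oob_index());
    printf("pre-fix mapping: reach past fpr[] = %zu bytes\n",
           prefix_overreach_bytes());
    return 0;
}
```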
commit d51f86c upstream.

The dssall ("Data Stream Stop All") instruction is obsolete altogether
with other Data Cache Instructions since ISA 2.03 (year 2006).

LLVM IAS does not support it but PPC970 seems to be using it.
This switches dssall to .long as there is not much point in fixing LLVM.

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20211221055904.555763-6-aik@ozlabs.ru
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit bcc7741 upstream.

The threshold value is used for AST2600 only.

Signed-off-by: KuoHsiang Chou <kuohsiang_chou@aspeedtech.com>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20220117083643.41493-1-kuohsiang_chou@aspeedtech.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 9b29b6b upstream.

The current flow expands to:

    if (crng_ready())
        ...
    else if (...)
        if (!crng_ready())
            ...

The second crng_ready() call is redundant, but can't so easily be
optimized out by the compiler.

This commit simplifies that to:

    if (crng_ready())
        ...
    else if (...)
        ...

Fixes: 560181c ("random: move initialization functions out of hot pages")
Cc: stable@vger.kernel.org
Cc: Dominik Brodowski <linux@dominikbrodowski.net>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 39e0f99 upstream.

add_bootloader_randomness() and the variables it touches are only used
during __init and not after, so mark these as __init. At the same time,
unexport this, since it's only called by other __init code that's
built-in.

Cc: stable@vger.kernel.org
Fixes: 428826f ("fdt: add support for rng-seed")
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 77fc95f upstream.

Rather than accounting in bytes and multiplying (shifting), we can just
account in bits and avoid the shift. The main motivation for this is
there are other patches in flux that expand this code a bit, and
avoiding the duplication of "* 8" everywhere makes things a bit clearer.

Cc: stable@vger.kernel.org
Fixes: 12e45a2 ("random: credit architectural init the exact amount")
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ea23994 upstream.

The RAID0 layout is irrelevant if all members have the same size so the
array has only one zone. It is *also* irrelevant if the array has two
zones and the second zone has only one device, for example if the array
has two members of different sizes.

So in that case it makes sense to allow assembly even when the layout is
undefined, like what is done when the array has only one zone.

Reviewed-by: NeilBrown <neilb@suse.de>
Signed-off-by: Pascal Hambourg <pascal@plouf.fr.eu.org>
Signed-off-by: Song Liu <song@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 4ddc844 upstream.

In current Linux, MTU policing does not take into account that packets at
the TC ingress have the L2 header pulled. Thus, the same TC police action
(with the same value of tcfp_mtu) behaves differently for ingress/egress.
In addition, the full GSO size is compared to tcfp_mtu: as a consequence,
the policer drops GSO packets even when individual segments have the L2 +
L3 + L4 + payload length below the configured value of tcfp_mtu.

Improve the accuracy of MTU policing as follows:
 - account for mac_len for non-GSO packets at TC ingress.
 - compare MTU threshold with the segmented size for GSO packets.
Also, add a kselftest that verifies the correct behavior.

Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit fdf6a2f upstream.

Fix a clock imbalance introduced by ed8cc3b ("PCI: qcom: Add support
for SDM845 PCIe controller"), which enables the pipe clock both in init()
and in post_init() but only disables in post_deinit().

Note that the pipe clock was also never disabled in the init() error
paths and that enabling the clock before powering up the PHY looks
questionable.

Link: https://lore.kernel.org/r/20220401133351.10113-1-johan+linaro@kernel.org
Fixes: ed8cc3b ("PCI: qcom: Add support for SDM845 PCIe controller")
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Cc: stable@vger.kernel.org      # 5.6
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit a2a513b upstream.

Ignoring the explicit_open mount option on mount for devices that do not
have a limit on the number of open zones must be done after the mount
options are parsed and set in s_mount_opts. Move the check to ignore
the explicit_open option after the call to zonefs_parse_options() in
zonefs_fill_super().

Fixes: b5c00e9 ("zonefs: open/close zone on file open/close")
Cc: <stable@vger.kernel.org>
Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 1c27f1f upstream.

Commit 6c77676 ("iov_iter: Fix iter_xarray_get_pages{,_alloc}()")
introduced a problem on some 32-bit architectures (at least arm, xtensa,
csky, sparc and mips), that have a 'size_t' that is 'unsigned int'.

The reason is that we now do

    min(nr * PAGE_SIZE - offset, maxsize);

where 'nr' and 'offset' are both 'unsigned int', and PAGE_SIZE is
'unsigned long'.  As a result, the normal C type rules mean that the
first argument to 'min()' ends up being 'unsigned long'.

In contrast, 'maxsize' is of type 'size_t'.

Now, 'size_t' and 'unsigned long' are always the same physical type in
the kernel, so you'd think this doesn't matter, and from an actual
arithmetic standpoint it doesn't.

But on 32-bit architectures 'size_t' is commonly 'unsigned int', even if
it could also be 'unsigned long'.  In that situation, both are unsigned
32-bit types, but they are not the *same* type.

And as a result 'min()' will complain about the distinct types (ignore
the "pointer types" part of the error message: that's an artifact of the
way we have made 'min()' check types for being the same):

  lib/iov_iter.c: In function 'iter_xarray_get_pages':
  include/linux/minmax.h:20:35: error: comparison of distinct pointer types lacks a cast [-Werror]
     20 |         (!!(sizeof((typeof(x) *)1 == (typeof(y) *)1)))
        |                                   ^~
  lib/iov_iter.c:1464:16: note: in expansion of macro 'min'
   1464 |         return min(nr * PAGE_SIZE - offset, maxsize);
        |                ^~~

This was not visible on 64-bit architectures (where we always define
'size_t' to be 'unsigned long').

Force these cases to use 'min_t(size_t, x, y)' to make the type explicit
and avoid the issue.

[ Nit-picky note: technically 'size_t' doesn't have to match 'unsigned
  long' arithmetically. We've certainly historically seen environments
  with 16-bit address spaces and 32-bit 'unsigned long'.

  Similarly, even in 64-bit modern environments, 'size_t' could be its
  own type distinct from 'unsigned long', even if it were arithmetically
  identical.

  So the above type commentary is only really descriptive of the kernel
  environment, not some kind of universal truth for the kinds of wild
  and crazy situations that are allowed by the C standard ]

Reported-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Link: https://lore.kernel.org/all/YqRyL2sIqQNDfky2@debian/
Cc: Jeff Layton <jlayton@kernel.org>
Cc: David Howells <dhowells@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2112b8f upstream.

When setting DMA_INTERRUPT capability, a callback function
dma->device_prep_dma_interrupt() is needed to support this capability.
Without setting the callback, dma_async_device_register() will fail dma
capability check.

Fixes: 4e5a4eb ("dmaengine: idxd: set DMA_INTERRUPT cap bit")
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Link: https://lore.kernel.org/r/165101232637.3951447.15765792791591763119.stgit@djiang5-desk3.ch.intel.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 1182576 upstream.

syzbot got a new report [1] finally pointing to a very old bug,
added in initial support for MTU probing.

tcp_mtu_probe() has checks about starting an MTU probe if
tcp_snd_cwnd(tp) >= 11.

But nothing prevents tcp_snd_cwnd(tp) from being reduced later
and before the MTU probe succeeds.

This bug would lead to potential zero-divides.

Debugging added in commit 4057037 ("tcp: add accessors
to read/set tp->snd_cwnd") has paid off :)

While we are at it, address potential overflows in this code.

[1]
WARNING: CPU: 1 PID: 14132 at include/net/tcp.h:1219 tcp_mtup_probe_success+0x366/0x570 net/ipv4/tcp_input.c:2712
Modules linked in:
CPU: 1 PID: 14132 Comm: syz-executor.2 Not tainted 5.18.0-syzkaller-07857-gbabf0bb978e3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:tcp_snd_cwnd_set include/net/tcp.h:1219 [inline]
RIP: 0010:tcp_mtup_probe_success+0x366/0x570 net/ipv4/tcp_input.c:2712
Call Trace:
 <TASK>
 tcp_clean_rtx_queue+0x223a/0x2da0 net/ipv4/tcp_input.c:3356
 tcp_ack+0x1962/0x3c90 net/ipv4/tcp_input.c:3861
 tcp_rcv_established+0x7c8/0x1ac0 net/ipv4/tcp_input.c:5973
 tcp_v6_do_rcv+0x57b/0x1210 net/ipv6/tcp_ipv6.c:1476
 sk_backlog_rcv include/net/sock.h:1061 [inline]
 __release_sock+0x1d8/0x4c0 net/core/sock.c:2849
 release_sock+0x5d/0x1c0 net/core/sock.c:3404
 sk_stream_wait_memory+0x700/0xdc0 net/core/stream.c:145
 tcp_sendmsg_locked+0x111d/0x3fc0 net/ipv4/tcp.c:1410
 tcp_sendmsg+0x2c/0x40 net/ipv4/tcp.c:1448
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg net/socket.c:734 [inline]
 __sys_sendto+0x439/0x5c0 net/socket.c:2119
 __do_sys_sendto net/socket.c:2131 [inline]
 __se_sys_sendto net/socket.c:2127 [inline]
 __x64_sys_sendto+0xda/0xf0 net/socket.c:2127
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Fixes: 5d424d5 ("[TCP]: MTU probing")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ba3beec upstream.

Fix a crash that happens if an Rx only socket is created first, then a
second socket is created that is Tx only and bound to the same umem as
the first socket and also the same netdev and queue_id together with the
XDP_SHARED_UMEM flag. In this specific case, the tx_descs array page
pool was not created by the first socket as it was an Rx only socket.
When the second socket is bound it needs this tx_descs array of this
shared page pool as it has a Tx component, but unfortunately it was
never allocated, leading to a crash. Note that this array is only used
for zero-copy drivers using the batched Tx APIs, currently only ice and
i40e.

[ 5511.150360] BUG: kernel NULL pointer dereference, address: 0000000000000008
[ 5511.158419] #PF: supervisor write access in kernel mode
[ 5511.164472] #PF: error_code(0x0002) - not-present page
[ 5511.170416] PGD 0 P4D 0
[ 5511.173347] Oops: 0002 [#1] PREEMPT SMP PTI
[ 5511.178186] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G            E     5.18.0-rc1+ #97
[ 5511.187245] Hardware name: Intel Corp. GRANTLEY/GRANTLEY, BIOS GRRFCRB1.86B.0276.D07.1605190235 05/19/2016
[ 5511.198418] RIP: 0010:xsk_tx_peek_release_desc_batch+0x198/0x310
[ 5511.315142] Call Trace:
[ 5511.317972]  <IRQ>
[ 5511.320301]  ice_xmit_zc+0x68/0x2f0 [ice]
[ 5511.324977]  ? ktime_get+0x38/0xa0
[ 5511.328913]  ice_napi_poll+0x7a/0x6a0 [ice]
[ 5511.333784]  __napi_poll+0x2c/0x160
[ 5511.337821]  net_rx_action+0xdd/0x200
[ 5511.342058]  __do_softirq+0xe6/0x2dd
[ 5511.346198]  irq_exit_rcu+0xb5/0x100
[ 5511.350339]  common_interrupt+0xa4/0xc0
[ 5511.354777]  </IRQ>
[ 5511.357201]  <TASK>
[ 5511.359625]  asm_common_interrupt+0x1e/0x40
[ 5511.364466] RIP: 0010:cpuidle_enter_state+0xd2/0x360
[ 5511.480300]  cpuidle_enter+0x29/0x40
[ 5511.494329]  do_idle+0x1c7/0x250
[ 5511.507610]  cpu_startup_entry+0x19/0x20
[ 5511.521394]  start_kernel+0x649/0x66e
[ 5511.534626]  secondary_startup_64_no_verify+0xc3/0xcb
[ 5511.549230]  </TASK>

Detect such case during bind() and allocate this memory region via newly
introduced xp_alloc_tx_descs(). Also, use kvcalloc instead of kcalloc as
for other buffer pool allocations, so that it matches the kvfree() from
xp_destroy().

Fixes: d1bc532 ("i40e: xsk: Move tmp desc array from driver to pool")
Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Magnus Karlsson <magnus.karlsson@intel.com>
Link: https://lore.kernel.org/bpf/20220425153745.481322-1-maciej.fijalkowski@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://lore.kernel.org/r/20220613094922.843438024@linuxfoundation.org
Tested-by: Fox Chen <foxhlchen@gmail.com>
Tested-by: Bagas Sanjaya <bagasdotme@gmail.com>
Link: https://lore.kernel.org/r/20220613181847.216528857@linuxfoundation.org
Tested-by: Florian Fainelli <f.fainelli@gmail.com>
Tested-by: Shuah Khan <skhan@linuxfoundation.org>
Tested-by: Fox Chen <foxhlchen@gmail.com>
Tested-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk>
Tested-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This is the 5.15.47 stable release

Signed-off-by: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
@otavio merged commit f06e086 into Freescale:5.15.x+fslc on Jun 14, 2022
zandrey added a commit to zandrey/meta-freescale that referenced this pull request Jun 15, 2022
Kernel repository has been upgraded up to v5.15.47 from stable korg.

Following upstream commits are included in this version:
----
3a0f70149324 Linux 5.15.47
f7019562f142 xsk: Fix possible crash when multiple sockets are created
90385f2b65d0 tcp: fix tcp_mtup_probe_success vs wrong snd_cwnd
cfe3dd8bd526 dmaengine: idxd: add missing callback function to support DMA_INTERRUPT
fb5e51c0aa97 iov_iter: fix build issue due to possible type mis-match
7f36e2e13e29 zonefs: fix handling of explicit_open option on mount
9e4810b4e1ab PCI: qcom: Fix pipe clock imbalance
42c0160d27f6 net/sched: act_police: more accurate MTU policing
4c106eb89534 md/raid0: Ignore RAID0 layout if the second zone has only one device
51e557272482 random: account for arch randomness in bits
e59a120f2d43 random: mark bootloader randomness code as __init
ce49b94ddb70 random: avoid checking crng_ready() twice in random_init()
32ca45300fd9 drm/ast: Create threshold values for AST2600
82a2059a11b4 powerpc/mm: Switch obsolete dssall to .long
2a0165d27897 powerpc/32: Fix overread/overwrite of thread_struct via ptrace
2b7d9fd0f372 drm/amdgpu: update VCN codec support for Yellow Carp
cab7cd86f9e8 drm/atomic: Force bridge self-refresh-exit on CRTC switch
142bebf827b3 drm/bridge: analogix_dp: Support PSR-exit to disable transition
84280ab2245c powerpc: Don't select HAVE_IRQ_EXIT_ON_IRQ_STACK
3a7a81f4835d vduse: Fix NULL pointer dereference on sysfs access
614ad9d24f9c Input: bcm5974 - set missing URB_NO_TRANSFER_DMA_MAP urb flag
3eb91b7bc252 ixgbe: fix unexpected VLAN Rx in promisc mode on VF
dc2673462e3d ixgbe: fix bcast packets Rx on VF after promisc removal
a5989ae3c53b nfc: st21nfca: fix incorrect sizing calculations in EVT_TRANSACTION
f444ecd3f57f nfc: st21nfca: fix memory leaks in EVT_TRANSACTION handling
73b28763050f nfc: st21nfca: fix incorrect validating logic in EVT_TRANSACTION
bafbc134f5b0 writeback: Fix inode->i_io_list not be protected by inode->i_lock error
cba7c76ea1e1 net: openvswitch: fix misuse of the cached connection on tuple changes
50ca4e7f91ff net: phy: dp83867: retrigger SGMII AN when link change
0efa89742fd8 mmc: block: Fix CQE recovery reset success
63af49e0881c ata: libata-transport: fix {dma|pio|xfer}_mode sysfs files
0dcc35c1c23a KEYS: trusted: tpm2: Fix migratable logic
0cd4a1766759 cifs: fix reconnect on smb3 mount types
7aa4b31291f1 cifs: return errors during session setup during reconnects
700484081ea7 ALSA: hda/realtek: Add quirk for HP Dev One
0179650a13f9 ALSA: hda/realtek: Fix for quirk to enable speaker output on the Lenovo Yoga DuetITL 2021
7fea196ccb4e ALSA: hda/conexant - Fix loopback issue with CX20632
04f79360c69a ALSA: usb-audio: Set up (implicit) sync for Saffire 6
2ee0b454fda7 ALSA: usb-audio: Skip generic sync EP parse for secondary EP
8fe1ee581846 scripts/gdb: change kernel config dumping method
d3e38fdf9e10 vringh: Fix loop descriptors check in the indirect cases
f293dfc18404 nodemask: Fix return values to be unsigned
b2d359f09588 drm/amd/pm: use bitmap_{from,to}_arr32 where appropriate
dc105d20122d cifs: version operations for smb20 unneeded when legacy support disabled
12eb4e7db22a s390/gmap: voluntarily schedule during key setting
c4ba982bd508 nbd: fix io hung while disconnecting device
71c142f910da nbd: fix race between nbd_alloc_config() and module removal
cbeafa7a79d0 nbd: call genl_unregister_family() first in nbd_cleanup()
38d432f4b391 jump_label,noinstr: Avoid instrumentation for JUMP_LABEL=n builds
0853f905e48b x86/cpu: Elide KCSAN for cpu_has() and friends
4adc7d7ee640 modpost: fix undefined behavior of is_arm_mapping_symbol()
5877390da911 um: line: Use separate IRQs per line
e0199ce728fb drm/amd/pm: Fix missing thermal throttler status
7b7fba107b2c drm/radeon: fix a possible null pointer dereference
10ef82d6e0af drm/amd/display: Check if modulo is 0 before dividing.
1daf72982efe ceph: flush the mdlog for filesystem sync
cc983cf9ee39 ceph: allow ceph.dir.rctime xattr to be updatable
729fea8aaf2c Revert "net: af_key: add check for pfkey_broadcast in function pfkey_process"
2cd1adcb8c08 scsi: myrb: Fix up null pointer access on myrb_cleanup()
b5a0f17b03df md: protect md_unregister_thread from reentrancy
0b4a66eb96de watchdog: wdat_wdt: Stop watchdog when rebooting the system
e369420e1234 kernfs: Separate kernfs_pr_cont_buf and rename_lock.
d21ffa548737 serial: msm_serial: disable interrupts in __msm_console_write()
f36e754a1f0b staging: rtl8712: fix uninit-value in r871xu_drv_init()
95b0f54f8a89 staging: rtl8712: fix uninit-value in usb_read8() and friends
55bfe858d019 clocksource/drivers/sp804: Avoid error on multiple instances
368e68ad6da4 extcon: Modify extcon device to be created after driver data is set
4785574f0caf extcon: Fix extcon_get_extcon_dev() error handling
e7686d80fc3c misc: rtsx: set NULL intfdata when probe fails
89401b5e9cf3 soundwire: qcom: adjust autoenumeration timeout
547ebdc200b8 usb: dwc2: gadget: don't reset gadget's driver->bus
98cf0cd959ef sysrq: do not omit current cpu when showing backtrace of all active CPUs
bc8fceda3b89 char: xillybus: fix a refcount leak in cleanup_dev()
feb0fb39695b USB: hcd-pci: Fully suspend across freeze/thaw cycle
d88875387219 drivers: usb: host: Fix deadlock in oxu_bus_suspend()
2cbfc38df580 drivers: tty: serial: Fix deadlock in sa1100_set_termios()
3592cfd8b848 USB: host: isp116x: check return value after calling platform_get_resource()
fef451f0fbbe drivers: staging: rtl8192e: Fix deadlock in rtllib_beacons_stop()
042915c1bfed drivers: staging: rtl8192u: Fix deadlock in ieee80211_beacons_stop()
04a8e39c8c9b thunderbolt: Use different lane for second DisplayPort tunnel
5f9b2e4ca88c tty: Fix a possible resource leak in icom_probe
8a95696bdc0e tty: synclink_gt: Fix null-pointer-dereference in slgt_clean()
ae60744d5fad drivers: staging: rtl8192bs: Fix deadlock in rtw_joinbss_event_prehandle()
f89f6c3ebf69 drivers: staging: rtl8723bs: Fix deadlock in rtw_surveydone_event_callback()
b10e1171341c lkdtm/usercopy: Expand size of "out of frame" object
3692f17e7036 iio: st_sensors: Add a local lock for protecting odr
8eb42d6d10f8 staging: rtl8712: fix a potential memory leak in r871xu_drv_init()
9f9ed31de4dd iio: dummy: iio_simple_dummy: check the return value of kstrdup()
bd08704b8a4d iov_iter: Fix iter_xarray_get_pages{,_alloc}()
614d81bba75d nfp: flower: restructure flow-key for gre+vlan combination
f1fec5ccbe70 drm: imx: fix compiler warning with gcc-12
9c1fb2e93844 tcp: use alloc_large_system_hash() to allocate table_perturb
9b18f01a5120 net: dsa: mv88e6xxx: use BMSR_ANEGCOMPLETE bit for filling an_complete
e31d9ba16986 net: altera: Fix refcount leak in altera_tse_mdio_create
e6b6f98fc760 ip_gre: test csum_start instead of transport header
356f3d808e77 net/mlx5: fs, fail conflicting actions
0e92af67f051 net/mlx5: Rearm the FW tracer after each tracer event
d2ebc436aab9 net/mlx5: Fix mlx5_get_next_dev() peer device matching
65a5ea7cb9c7 net/mlx5: Lag, filter non compatible devices
1084716f76c8 net: ipv6: unexport __init-annotated seg6_hmac_init()
85a055c03691 net: xfrm: unexport __init-annotated xfrm4_protocol_init()
59fa94cddf9e net: mdio: unexport __init-annotated mdio_bus_init()
6dda4426fa77 SUNRPC: Fix the calculation of xdr->end in xdr_get_next_encode_buffer()
71afd0ceb5b0 xsk: Fix handling of invalid descriptors in XSK TX batching API
761b4fa75205 i40e: xsk: Move tmp desc array from driver to pool
403659df77b6 net/mlx4_en: Fix wrong return value on ioctl EEPROM query failure
54d6802c4d83 net: dsa: lantiq_gswip: Fix refcount leak in gswip_gphy_fw_list
3f4d5e727aea bpf, arm64: Clear prog->jited_len along prog->jited
c926ae58f24f af_unix: Fix a data-race in unix_dgram_peer_wake_me().
39475043ffbc stmmac: intel: Fix an error handling path in intel_eth_pci_probe()
40e6078fcf18 xen: unexport __init-annotated xen_xlate_map_ballooned_pages()
23cb1fef93d2 netfilter: nf_tables: bail out early if hardware offload is not supported
e33d9bd563e7 netfilter: nf_tables: memleak flow rule from commit path
fb2962f9a1b4 netfilter: nf_tables: release new hooks on unsupported flowtable flags
888312dc297a ata: pata_octeon_cf: Fix refcount leak in octeon_cf_probe
77b68c59f6c9 netfilter: nf_tables: always initialize flowtable hook list in transaction
ea26bf5eca14 SUNRPC: Trap RDMA segment overflows
7a60594efdd5 powerpc/kasan: Force thread size increase with KASAN
f275989ad041 netfilter: nf_tables: delete flowtable hooks via transaction list
73629859a997 netfilter: nf_tables: use kfree_rcu(ptr, rcu) to release hooks in clean_net path
bf65364cd74c netfilter: nat: really support inet nat without l3 address
291efcb6ff49 drm/bridge: ti-sn65dsi83: Handle dsi_lanes == 0 as invalid
fde5ff6ab6c7 drm/bridge: sn65dsi83: Fix an error handling path in sn65dsi83_probe()
a3fc8051ee06 xprtrdma: treat all calls not a bcall when bc_serv is NULL
21c6ee673401 f2fs: fix to tag gcing flag on page during file defragment
b382115016c8 m68knommu: fix undefined reference to `mach_get_rtc_pll'
4211742f0f9e RISC-V: use memcpy for kexec_file mode
ca02b9675532 video: fbdev: pxa3xx-gcu: release the resources correctly in pxa3xx_gcu_probe/remove()
e4cf9982ff3e video: fbdev: hyperv_fb: Allow resolutions with size > 64 MB for Gen1
d4c2a041ed3b NFSv4: Don't hold the layoutget locks across multiple RPC calls
7b5488f4721f dmaengine: zynqmp_dma: In struct zynqmp_dma_chan fix desc_size data type
ed9b34f616f9 m68knommu: fix undefined reference to `_init_sp'
40426b4f08bc m68knommu: set ZERO_PAGE() to the allocated zeroed page
015e9831547e i2c: cadence: Increase timeout per message if necessary
99c09b298e47 f2fs: remove WARN_ON in f2fs_is_valid_blkaddr
fb0f1c5eb8d6 iommu/arm-smmu-v3: check return value after calling platform_get_resource()
98dd53a92825 iommu/arm-smmu: fix possible null-ptr-deref in arm_smmu_device_probe()
6eb85cbd9ef8 tracing: Avoid adding tracer option before update_tracer_options
9b534640a2c6 tracing: Fix sleeping function called from invalid context on RT kernel
c1c62c5fa9a3 tracing: Make tp_printk work on syscall tracepoints
e8864a3c9da9 bootconfig: Make the bootconfig.o as a normal object file
1699ec1bfb59 mips: cpc: Fix refcount leak in mips_cpc_default_phys_base
0a0539c524fa dmaengine: idxd: set DMA_INTERRUPT cap bit
340cf8272540 perf c2c: Fix sorting in percent_rmt_hitm_cmp()
29357883a891 driver core: Fix wait_for_device_probe() & deferred_probe_timeout interaction
92a930fcf425 tipc: check attribute length for bearer name
0fcb0b131cc9 scsi: sd: Fix potential NULL pointer dereference
73647a1f92d1 afs: Fix infinite loop found by xfstest generic/676
0c6cd71caa7c gpio: pca953x: use the correct register address to do regcache sync
cedca5b2f08b regulator: mt6315-regulator: fix invalid allowed mode
66e2bf4b2cef s390/mcck: isolate SIE instruction when setting CIF_MCCK_GUEST flag
a96cae49dcbb octeontx2-af: fix error code in is_valid_offset()
9983f49a994e vdpa: ifcvf: set pci driver data in probe
88cd23214620 tcp: tcp_rtx_synack() can be called from process context
f7ca1989fd21 net: sched: add barrier to fix packet stuck problem for lockless qdisc
4ddcfb7870cf net/mlx5e: Update netdev features after changing XDP state
a6d0af6d329d net/mlx5: correct ECE offset in query qp output
e5a1557906da net/mlx5: CT: Fix header-rewrite re-use for tupels
4a333ec73dee net/mlx5e: TC NIC mode, fix tc chains miss table
29e0872acbd1 net/mlx5: Don't use already freed action pointer
e3b9204c08a7 virtio: pci: Fix an error handling path in vp_modern_probe()
655aafaa80ca vdpa: Fix error logic in vdpa_nl_cmd_dev_get_doit
4a45a7dcc55e block: make bioset_exit() fully resilient against being called twice
06cb7e134f8f sfc: fix wrong tx channel offset with efx_separate_tx_channels
5567d69b95b9 sfc: fix considering that all channels have TX queues
7768d102b143 nfp: only report pause frame configuration for physical device
3308676ec525 tcp: add accessors to read/set tp->snd_cwnd
4d481469137d net/smc: fixes for converting from "struct smc_cdc_tx_pend **" to "struct smc_wr_tx_pend_priv *"
6005d36fbc82 riscv: read-only pages should not be writable
33a5c6009ab8 block: take destination bvec offsets into account in bio_copy_data_iter
f95e24bf19e2 bpf: Fix probe read error in ___bpf_prog_run()
d03edc02a752 selftests/bpf: fix stacktrace_build_id with missing kprobe/urandom_read
8969c3b1051e selftests/bpf: fix selftest after random: Urandom_read tracepoint removal
5ff2514e4fb5 ubi: ubi_create_volume: Fix use-after-free when volume creation failed
f61b9c8760af ubi: fastmap: Fix high cpu usage of ubi_bgt by making sure wl_pool not empty
ecc53e585965 jffs2: fix memory leak in jffs2_do_fill_super
a53131a69515 modpost: fix removing numeric suffixes
c1df9cb756e5 net: dsa: mv88e6xxx: Fix refcount leak in mv88e6xxx_mdios_register
a4b7ef3b1598 net: ethernet: ti: am65-cpsw-nuss: Fix some refcount leaks
b24ca1cf8462 net: ethernet: mtk_eth_soc: out of bounds read in mtk_hwlro_get_fdir_entry()
1e853f235a01 net: sched: fixed barrier to prevent skbuff sticking in qdisc backlog
a67b46468ae9 s390/crypto: fix scatterwalk_unmap() callers in AES-GCM
8a04477f3be9 clocksource/drivers/oxnas-rps: Fix irq_of_parse_and_map() return value
f3274083975b ASoC: fsl_sai: Fix FSL_SAI_xDR/xFR definition
460aa288c5cd blk-mq: don't touch ->tagset in blk_mq_get_sq_hctx
7a4afd8a003d watchdog: ts4800_wdt: Fix refcount leak in ts4800_wdt_probe
5487a135c903 watchdog: rti-wdt: Fix pm_runtime_get_sync() error checking
df6de52b80aa driver core: fix deadlock in __device_attach
cdf1a683a015 driver: base: fix UAF when driver_attach failed
40960520a940 bus: ti-sysc: Fix warnings for unbind for serial
fdffa4ad8f6b firmware: dmi-sysfs: Fix memory leak in dmi_sysfs_register_handle
002949a3aedb serial: stm32-usart: Correct CSIZE, bits, and parity
8137c0e48bca serial: st-asc: Sanitize CSIZE and correct PARENB for CS7
c11c1cdd4f0e serial: sifive: Sanitize CSIZE and c_iflag
b1ca16ac17ad serial: sh-sci: Don't allow CS5-6
da689ae549c5 serial: txx9: Don't allow CS5-6
954a7194b164 serial: rda-uart: Don't allow CS5-6
899c5aabd0a9 serial: digicolor-usart: Don't allow CS5-6
899938f18093 serial: cpm_uart: Fix build error without CONFIG_SERIAL_CPM_CONSOLE
8303f34e733f serial: 8250_fintek: Check SER_RS485_RTS_* only with RS485
4c96e6aeacf5 serial: meson: acquire port->lock in startup()
9a63ef418a4e tty: n_gsm: Fix packet data hex dump output
80dfe1798aa0 tty: n_gsm: Don't ignore write return value in gsmld_output()
029983ea88e5 staging: r8188eu: add check for kzalloc
e1928887219b rtc: ftrtc010: Fix error handling in ftrtc010_rtc_probe
49f698e22052 rtc: ftrtc010: Use platform_get_irq() to get the interrupt
865051de2d9e rtc: mt6397: check return value after calling platform_get_resource()
fb60291c0fde ARM: dts: aspeed: ast2600-evb: Enable RX delay for MAC0/MAC1
604e35f70475 clocksource/drivers/riscv: Events are stopped during CPU suspend
aab25b669cb9 soc: rockchip: Fix refcount leak in rockchip_grf_init
a6061695bb2b extcon: ptn5150: Add queue work sync before driver release
cf824b95c12a ksmbd: fix reference count leak in smb_check_perm_dacl()
fffde6d1c679 coresight: cpu-debug: Replace mutex with mutex_trylock on panic notifier
fd18fb38d6a4 soundwire: intel: prevent pm_runtime resume prior to system suspend
b3983b1042e4 export: fix string handling of namespace in EXPORT_SYMBOL_NS
cbf9172eb657 serial: sifive: Report actual baud base rather than fixed 115200
5157979d8c79 power: supply: axp288_fuel_gauge: Drop BIOS version check from "T3 MRD" DMI quirk
90e2993c8d88 phy: qcom-qmp: fix pipe-clock imbalance on power-on failure
ede251293753 misc/pvpanic: Convert regular spinlock into trylock on panic path
ee94d7468679 pvpanic: Fix typos in the comments
d2ba56d55cea rpmsg: qcom_smd: Fix returning 0 if irq_of_parse_and_map() fails
276f7c6165bf iio: adc: sc27xx: Fine tune the scale calibration values
31f3f2a598f6 iio: adc: sc27xx: fix read big scale voltage not right
7c7bc8b82fff iio: proximity: vl53l0x: Fix return value check of wait_for_completion_timeout
79f83f388ba3 iio: adc: stmpe-adc: Fix wait_for_completion_timeout return value check
4ff1449e8fd9 rpmsg: virtio: Fix the unregistration of the device rpmsg_ctrl
b94d40c792de rpmsg: virtio: Fix possible double free in rpmsg_virtio_add_ctrl_dev()
eaf37bb6b4f7 rpmsg: virtio: Fix possible double free in rpmsg_probe()
12452c776090 usb: typec: mux: Check dev_set_name() return value
3b687b407179 firmware: stratix10-svc: fix a missing check on list iterator
c25feda42f14 misc: fastrpc: fix an incorrect NULL check on list iterator
c8eb1ea6e839 usb: dwc3: pci: Fix pm_runtime_get_sync() error checking
1c6e5dc3b639 usb: dwc3: gadget: Replace list_for_each_entry_safe() if using giveback
603efacb71e3 rpmsg: qcom_smd: Fix irq_of_parse_and_map() return value
c49c6a1bf02d pwm: raspberrypi-poe: Fix endianness in firmware struct
2c0079979df6 pwm: lp3943: Fix duty calculation in case period was clamped
52e848568aa3 staging: fieldbus: Fix the error handling path in anybuss_host_common_probe()
10243224fd45 usb: musb: Fix missing of_node_put() in omap2430_probe
09ad026dac0e USB: storage: karma: fix rio_karma_init return
90ab34df6654 usb: usbip: add missing device lock on tweak configuration cmd
51422046be50 usb: usbip: fix a refcount leak in stub_probe()
433a689cadea remoteproc: imx_rproc: Ignore create mem entry for resource table
b62bbf8a4753 tty: serial: fsl_lpuart: fix potential bug when using both of_alias_get_id and ida_simple_get
923d34ce069e serial: 8250_aspeed_vuart: Fix potential NULL dereference in aspeed_vuart_probe
c84fa729f8db tty: n_tty: Restore EOF push handling behavior
f307bdb67018 tty: serial: owl: Fix missing clk_disable_unprepare() in owl_uart_probe
da64f419d7f7 tty: goldfish: Use tty_port_destroy() to destroy port
20e75f3c6e09 lkdtm/bugs: Don't expect thread termination without CONFIG_UBSAN_TRAP
1aeeca2b8397 lkdtm/bugs: Check for the NULL pointer after calling kmalloc
1deb5f87053e iio: adc: ad7124: Remove shift from scan_type
b34163bf9967 staging: greybus: codecs: fix type confusion of list iterator variable
9d919665a089 pcmcia: db1xxx_ss: restrict to MIPS_DB1XXX boards
----

Link: https://lore.kernel.org/r/20220613094922.843438024@linuxfoundation.org # v5.15.47
Link: https://lore.kernel.org/r/20220613181847.216528857@linuxfoundation.org # v5.15.47
Link: Freescale/linux-fslc#580
Signed-off-by: Andrey Zhizhikin <andrey.z@gmail.com>
zandrey added a commit to zandrey/meta-freescale that referenced this pull request Jun 16, 2022
otavio pushed a commit to Freescale/meta-freescale that referenced this pull request Jun 16, 2022
Kernel repository has been upgraded up to v5.15.47 from stable korg.

Following upstream commits are included in this version:
----
3a0f70149324 Linux 5.15.47
f7019562f142 xsk: Fix possible crash when multiple sockets are created
90385f2b65d0 tcp: fix tcp_mtup_probe_success vs wrong snd_cwnd
cfe3dd8bd526 dmaengine: idxd: add missing callback function to support DMA_INTERRUPT
fb5e51c0aa97 iov_iter: fix build issue due to possible type mis-match
7f36e2e13e29 zonefs: fix handling of explicit_open option on mount
9e4810b4e1ab PCI: qcom: Fix pipe clock imbalance
42c0160d27f6 net/sched: act_police: more accurate MTU policing
4c106eb89534 md/raid0: Ignore RAID0 layout if the second zone has only one device
51e557272482 random: account for arch randomness in bits
e59a120f2d43 random: mark bootloader randomness code as __init
ce49b94ddb70 random: avoid checking crng_ready() twice in random_init()
32ca45300fd9 drm/ast: Create threshold values for AST2600
82a2059a11b4 powerpc/mm: Switch obsolete dssall to .long
2a0165d27897 powerpc/32: Fix overread/overwrite of thread_struct via ptrace
2b7d9fd0f372 drm/amdgpu: update VCN codec support for Yellow Carp
cab7cd86f9e8 drm/atomic: Force bridge self-refresh-exit on CRTC switch
142bebf827b3 drm/bridge: analogix_dp: Support PSR-exit to disable transition
84280ab2245c powerpc: Don't select HAVE_IRQ_EXIT_ON_IRQ_STACK
3a7a81f4835d vduse: Fix NULL pointer dereference on sysfs access
614ad9d24f9c Input: bcm5974 - set missing URB_NO_TRANSFER_DMA_MAP urb flag
3eb91b7bc252 ixgbe: fix unexpected VLAN Rx in promisc mode on VF
dc2673462e3d ixgbe: fix bcast packets Rx on VF after promisc removal
a5989ae3c53b nfc: st21nfca: fix incorrect sizing calculations in EVT_TRANSACTION
f444ecd3f57f nfc: st21nfca: fix memory leaks in EVT_TRANSACTION handling
73b28763050f nfc: st21nfca: fix incorrect validating logic in EVT_TRANSACTION
bafbc134f5b0 writeback: Fix inode->i_io_list not be protected by inode->i_lock error
cba7c76ea1e1 net: openvswitch: fix misuse of the cached connection on tuple changes
50ca4e7f91ff net: phy: dp83867: retrigger SGMII AN when link change
0efa89742fd8 mmc: block: Fix CQE recovery reset success
63af49e0881c ata: libata-transport: fix {dma|pio|xfer}_mode sysfs files
0dcc35c1c23a KEYS: trusted: tpm2: Fix migratable logic
0cd4a1766759 cifs: fix reconnect on smb3 mount types
7aa4b31291f1 cifs: return errors during session setup during reconnects
700484081ea7 ALSA: hda/realtek: Add quirk for HP Dev One
0179650a13f9 ALSA: hda/realtek: Fix for quirk to enable speaker output on the Lenovo Yoga DuetITL 2021
7fea196ccb4e ALSA: hda/conexant - Fix loopback issue with CX20632
04f79360c69a ALSA: usb-audio: Set up (implicit) sync for Saffire 6
2ee0b454fda7 ALSA: usb-audio: Skip generic sync EP parse for secondary EP
8fe1ee581846 scripts/gdb: change kernel config dumping method
d3e38fdf9e10 vringh: Fix loop descriptors check in the indirect cases
f293dfc18404 nodemask: Fix return values to be unsigned
b2d359f09588 drm/amd/pm: use bitmap_{from,to}_arr32 where appropriate
dc105d20122d cifs: version operations for smb20 unneeded when legacy support disabled
12eb4e7db22a s390/gmap: voluntarily schedule during key setting
c4ba982bd508 nbd: fix io hung while disconnecting device
71c142f910da nbd: fix race between nbd_alloc_config() and module removal
cbeafa7a79d0 nbd: call genl_unregister_family() first in nbd_cleanup()
38d432f4b391 jump_label,noinstr: Avoid instrumentation for JUMP_LABEL=n builds
0853f905e48b x86/cpu: Elide KCSAN for cpu_has() and friends
4adc7d7ee640 modpost: fix undefined behavior of is_arm_mapping_symbol()
5877390da911 um: line: Use separate IRQs per line
e0199ce728fb drm/amd/pm: Fix missing thermal throttler status
7b7fba107b2c drm/radeon: fix a possible null pointer dereference
10ef82d6e0af drm/amd/display: Check if modulo is 0 before dividing.
1daf72982efe ceph: flush the mdlog for filesystem sync
cc983cf9ee39 ceph: allow ceph.dir.rctime xattr to be updatable
729fea8aaf2c Revert "net: af_key: add check for pfkey_broadcast in function pfkey_process"
2cd1adcb8c08 scsi: myrb: Fix up null pointer access on myrb_cleanup()
b5a0f17b03df md: protect md_unregister_thread from reentrancy
0b4a66eb96de watchdog: wdat_wdt: Stop watchdog when rebooting the system
e369420e1234 kernfs: Separate kernfs_pr_cont_buf and rename_lock.
d21ffa548737 serial: msm_serial: disable interrupts in __msm_console_write()
f36e754a1f0b staging: rtl8712: fix uninit-value in r871xu_drv_init()
95b0f54f8a89 staging: rtl8712: fix uninit-value in usb_read8() and friends
55bfe858d019 clocksource/drivers/sp804: Avoid error on multiple instances
368e68ad6da4 extcon: Modify extcon device to be created after driver data is set
4785574f0caf extcon: Fix extcon_get_extcon_dev() error handling
e7686d80fc3c misc: rtsx: set NULL intfdata when probe fails
89401b5e9cf3 soundwire: qcom: adjust autoenumeration timeout
547ebdc200b8 usb: dwc2: gadget: don't reset gadget's driver->bus
98cf0cd959ef sysrq: do not omit current cpu when showing backtrace of all active CPUs
bc8fceda3b89 char: xillybus: fix a refcount leak in cleanup_dev()
feb0fb39695b USB: hcd-pci: Fully suspend across freeze/thaw cycle
d88875387219 drivers: usb: host: Fix deadlock in oxu_bus_suspend()
2cbfc38df580 drivers: tty: serial: Fix deadlock in sa1100_set_termios()
3592cfd8b848 USB: host: isp116x: check return value after calling platform_get_resource()
fef451f0fbbe drivers: staging: rtl8192e: Fix deadlock in rtllib_beacons_stop()
042915c1bfed drivers: staging: rtl8192u: Fix deadlock in ieee80211_beacons_stop()
04a8e39c8c9b thunderbolt: Use different lane for second DisplayPort tunnel
5f9b2e4ca88c tty: Fix a possible resource leak in icom_probe
8a95696bdc0e tty: synclink_gt: Fix null-pointer-dereference in slgt_clean()
ae60744d5fad drivers: staging: rtl8192bs: Fix deadlock in rtw_joinbss_event_prehandle()
f89f6c3ebf69 drivers: staging: rtl8723bs: Fix deadlock in rtw_surveydone_event_callback()
b10e1171341c lkdtm/usercopy: Expand size of "out of frame" object
3692f17e7036 iio: st_sensors: Add a local lock for protecting odr
8eb42d6d10f8 staging: rtl8712: fix a potential memory leak in r871xu_drv_init()
9f9ed31de4dd iio: dummy: iio_simple_dummy: check the return value of kstrdup()
bd08704b8a4d iov_iter: Fix iter_xarray_get_pages{,_alloc}()
614d81bba75d nfp: flower: restructure flow-key for gre+vlan combination
f1fec5ccbe70 drm: imx: fix compiler warning with gcc-12
9c1fb2e93844 tcp: use alloc_large_system_hash() to allocate table_perturb
9b18f01a5120 net: dsa: mv88e6xxx: use BMSR_ANEGCOMPLETE bit for filling an_complete
e31d9ba16986 net: altera: Fix refcount leak in altera_tse_mdio_create
e6b6f98fc760 ip_gre: test csum_start instead of transport header
356f3d808e77 net/mlx5: fs, fail conflicting actions
0e92af67f051 net/mlx5: Rearm the FW tracer after each tracer event
d2ebc436aab9 net/mlx5: Fix mlx5_get_next_dev() peer device matching
65a5ea7cb9c7 net/mlx5: Lag, filter non compatible devices
1084716f76c8 net: ipv6: unexport __init-annotated seg6_hmac_init()
85a055c03691 net: xfrm: unexport __init-annotated xfrm4_protocol_init()
59fa94cddf9e net: mdio: unexport __init-annotated mdio_bus_init()
6dda4426fa77 SUNRPC: Fix the calculation of xdr->end in xdr_get_next_encode_buffer()
71afd0ceb5b0 xsk: Fix handling of invalid descriptors in XSK TX batching API
761b4fa75205 i40e: xsk: Move tmp desc array from driver to pool
403659df77b6 net/mlx4_en: Fix wrong return value on ioctl EEPROM query failure
54d6802c4d83 net: dsa: lantiq_gswip: Fix refcount leak in gswip_gphy_fw_list
3f4d5e727aea bpf, arm64: Clear prog->jited_len along prog->jited
c926ae58f24f af_unix: Fix a data-race in unix_dgram_peer_wake_me().
39475043ffbc stmmac: intel: Fix an error handling path in intel_eth_pci_probe()
40e6078fcf18 xen: unexport __init-annotated xen_xlate_map_ballooned_pages()
23cb1fef93d2 netfilter: nf_tables: bail out early if hardware offload is not supported
e33d9bd563e7 netfilter: nf_tables: memleak flow rule from commit path
fb2962f9a1b4 netfilter: nf_tables: release new hooks on unsupported flowtable flags
888312dc297a ata: pata_octeon_cf: Fix refcount leak in octeon_cf_probe
77b68c59f6c9 netfilter: nf_tables: always initialize flowtable hook list in transaction
ea26bf5eca14 SUNRPC: Trap RDMA segment overflows
7a60594efdd5 powerpc/kasan: Force thread size increase with KASAN
f275989ad041 netfilter: nf_tables: delete flowtable hooks via transaction list
73629859a997 netfilter: nf_tables: use kfree_rcu(ptr, rcu) to release hooks in clean_net path
bf65364cd74c netfilter: nat: really support inet nat without l3 address
291efcb6ff49 drm/bridge: ti-sn65dsi83: Handle dsi_lanes == 0 as invalid
fde5ff6ab6c7 drm/bridge: sn65dsi83: Fix an error handling path in sn65dsi83_probe()
a3fc8051ee06 xprtrdma: treat all calls not a bcall when bc_serv is NULL
21c6ee673401 f2fs: fix to tag gcing flag on page during file defragment
b382115016c8 m68knommu: fix undefined reference to `mach_get_rtc_pll'
4211742f0f9e RISC-V: use memcpy for kexec_file mode
ca02b9675532 video: fbdev: pxa3xx-gcu: release the resources correctly in pxa3xx_gcu_probe/remove()
e4cf9982ff3e video: fbdev: hyperv_fb: Allow resolutions with size > 64 MB for Gen1
d4c2a041ed3b NFSv4: Don't hold the layoutget locks across multiple RPC calls
7b5488f4721f dmaengine: zynqmp_dma: In struct zynqmp_dma_chan fix desc_size data type
ed9b34f616f9 m68knommu: fix undefined reference to `_init_sp'
40426b4f08bc m68knommu: set ZERO_PAGE() to the allocated zeroed page
015e9831547e i2c: cadence: Increase timeout per message if necessary
99c09b298e47 f2fs: remove WARN_ON in f2fs_is_valid_blkaddr
fb0f1c5eb8d6 iommu/arm-smmu-v3: check return value after calling platform_get_resource()
98dd53a92825 iommu/arm-smmu: fix possible null-ptr-deref in arm_smmu_device_probe()
6eb85cbd9ef8 tracing: Avoid adding tracer option before update_tracer_options
9b534640a2c6 tracing: Fix sleeping function called from invalid context on RT kernel
c1c62c5fa9a3 tracing: Make tp_printk work on syscall tracepoints
e8864a3c9da9 bootconfig: Make the bootconfig.o as a normal object file
1699ec1bfb59 mips: cpc: Fix refcount leak in mips_cpc_default_phys_base
0a0539c524fa dmaengine: idxd: set DMA_INTERRUPT cap bit
340cf8272540 perf c2c: Fix sorting in percent_rmt_hitm_cmp()
29357883a891 driver core: Fix wait_for_device_probe() & deferred_probe_timeout interaction
92a930fcf425 tipc: check attribute length for bearer name
0fcb0b131cc9 scsi: sd: Fix potential NULL pointer dereference
73647a1f92d1 afs: Fix infinite loop found by xfstest generic/676
0c6cd71caa7c gpio: pca953x: use the correct register address to do regcache sync
cedca5b2f08b regulator: mt6315-regulator: fix invalid allowed mode
66e2bf4b2cef s390/mcck: isolate SIE instruction when setting CIF_MCCK_GUEST flag
a96cae49dcbb octeontx2-af: fix error code in is_valid_offset()
9983f49a994e vdpa: ifcvf: set pci driver data in probe
88cd23214620 tcp: tcp_rtx_synack() can be called from process context
f7ca1989fd21 net: sched: add barrier to fix packet stuck problem for lockless qdisc
4ddcfb7870cf net/mlx5e: Update netdev features after changing XDP state
a6d0af6d329d net/mlx5: correct ECE offset in query qp output
e5a1557906da net/mlx5: CT: Fix header-rewrite re-use for tupels
4a333ec73dee net/mlx5e: TC NIC mode, fix tc chains miss table
29e0872acbd1 net/mlx5: Don't use already freed action pointer
e3b9204c08a7 virtio: pci: Fix an error handling path in vp_modern_probe()
655aafaa80ca vdpa: Fix error logic in vdpa_nl_cmd_dev_get_doit
4a45a7dcc55e block: make bioset_exit() fully resilient against being called twice
06cb7e134f8f sfc: fix wrong tx channel offset with efx_separate_tx_channels
5567d69b95b9 sfc: fix considering that all channels have TX queues
7768d102b143 nfp: only report pause frame configuration for physical device
3308676ec525 tcp: add accessors to read/set tp->snd_cwnd
4d481469137d net/smc: fixes for converting from "struct smc_cdc_tx_pend **" to "struct smc_wr_tx_pend_priv *"
6005d36fbc82 riscv: read-only pages should not be writable
33a5c6009ab8 block: take destination bvec offsets into account in bio_copy_data_iter
f95e24bf19e2 bpf: Fix probe read error in ___bpf_prog_run()
d03edc02a752 selftests/bpf: fix stacktrace_build_id with missing kprobe/urandom_read
8969c3b1051e selftests/bpf: fix selftest after random: Urandom_read tracepoint removal
5ff2514e4fb5 ubi: ubi_create_volume: Fix use-after-free when volume creation failed
f61b9c8760af ubi: fastmap: Fix high cpu usage of ubi_bgt by making sure wl_pool not empty
ecc53e585965 jffs2: fix memory leak in jffs2_do_fill_super
a53131a69515 modpost: fix removing numeric suffixes
c1df9cb756e5 net: dsa: mv88e6xxx: Fix refcount leak in mv88e6xxx_mdios_register
a4b7ef3b1598 net: ethernet: ti: am65-cpsw-nuss: Fix some refcount leaks
b24ca1cf8462 net: ethernet: mtk_eth_soc: out of bounds read in mtk_hwlro_get_fdir_entry()
1e853f235a01 net: sched: fixed barrier to prevent skbuff sticking in qdisc backlog
a67b46468ae9 s390/crypto: fix scatterwalk_unmap() callers in AES-GCM
8a04477f3be9 clocksource/drivers/oxnas-rps: Fix irq_of_parse_and_map() return value
f3274083975b ASoC: fsl_sai: Fix FSL_SAI_xDR/xFR definition
460aa288c5cd blk-mq: don't touch ->tagset in blk_mq_get_sq_hctx
7a4afd8a003d watchdog: ts4800_wdt: Fix refcount leak in ts4800_wdt_probe
5487a135c903 watchdog: rti-wdt: Fix pm_runtime_get_sync() error checking
df6de52b80aa driver core: fix deadlock in __device_attach
cdf1a683a015 driver: base: fix UAF when driver_attach failed
40960520a940 bus: ti-sysc: Fix warnings for unbind for serial
fdffa4ad8f6b firmware: dmi-sysfs: Fix memory leak in dmi_sysfs_register_handle
002949a3aedb serial: stm32-usart: Correct CSIZE, bits, and parity
8137c0e48bca serial: st-asc: Sanitize CSIZE and correct PARENB for CS7
c11c1cdd4f0e serial: sifive: Sanitize CSIZE and c_iflag
b1ca16ac17ad serial: sh-sci: Don't allow CS5-6
da689ae549c5 serial: txx9: Don't allow CS5-6
954a7194b164 serial: rda-uart: Don't allow CS5-6
899c5aabd0a9 serial: digicolor-usart: Don't allow CS5-6
899938f18093 serial: cpm_uart: Fix build error without CONFIG_SERIAL_CPM_CONSOLE
8303f34e733f serial: 8250_fintek: Check SER_RS485_RTS_* only with RS485
4c96e6aeacf5 serial: meson: acquire port->lock in startup()
9a63ef418a4e tty: n_gsm: Fix packet data hex dump output
80dfe1798aa0 tty: n_gsm: Don't ignore write return value in gsmld_output()
029983ea88e5 staging: r8188eu: add check for kzalloc
e1928887219b rtc: ftrtc010: Fix error handling in ftrtc010_rtc_probe
49f698e22052 rtc: ftrtc010: Use platform_get_irq() to get the interrupt
865051de2d9e rtc: mt6397: check return value after calling platform_get_resource()
fb60291c0fde ARM: dts: aspeed: ast2600-evb: Enable RX delay for MAC0/MAC1
604e35f70475 clocksource/drivers/riscv: Events are stopped during CPU suspend
aab25b669cb9 soc: rockchip: Fix refcount leak in rockchip_grf_init
a6061695bb2b extcon: ptn5150: Add queue work sync before driver release
cf824b95c12a ksmbd: fix reference count leak in smb_check_perm_dacl()
fffde6d1c679 coresight: cpu-debug: Replace mutex with mutex_trylock on panic notifier
fd18fb38d6a4 soundwire: intel: prevent pm_runtime resume prior to system suspend
b3983b1042e4 export: fix string handling of namespace in EXPORT_SYMBOL_NS
cbf9172eb657 serial: sifive: Report actual baud base rather than fixed 115200
5157979d8c79 power: supply: axp288_fuel_gauge: Drop BIOS version check from "T3 MRD" DMI quirk
90e2993c8d88 phy: qcom-qmp: fix pipe-clock imbalance on power-on failure
ede251293753 misc/pvpanic: Convert regular spinlock into trylock on panic path
ee94d7468679 pvpanic: Fix typos in the comments
d2ba56d55cea rpmsg: qcom_smd: Fix returning 0 if irq_of_parse_and_map() fails
276f7c6165bf iio: adc: sc27xx: Fine tune the scale calibration values
31f3f2a598f6 iio: adc: sc27xx: fix read big scale voltage not right
7c7bc8b82fff iio: proximity: vl53l0x: Fix return value check of wait_for_completion_timeout
79f83f388ba3 iio: adc: stmpe-adc: Fix wait_for_completion_timeout return value check
4ff1449e8fd9 rpmsg: virtio: Fix the unregistration of the device rpmsg_ctrl
b94d40c792de rpmsg: virtio: Fix possible double free in rpmsg_virtio_add_ctrl_dev()
eaf37bb6b4f7 rpmsg: virtio: Fix possible double free in rpmsg_probe()
12452c776090 usb: typec: mux: Check dev_set_name() return value
3b687b407179 firmware: stratix10-svc: fix a missing check on list iterator
c25feda42f14 misc: fastrpc: fix an incorrect NULL check on list iterator
c8eb1ea6e839 usb: dwc3: pci: Fix pm_runtime_get_sync() error checking
1c6e5dc3b639 usb: dwc3: gadget: Replace list_for_each_entry_safe() if using giveback
603efacb71e3 rpmsg: qcom_smd: Fix irq_of_parse_and_map() return value
c49c6a1bf02d pwm: raspberrypi-poe: Fix endianness in firmware struct
2c0079979df6 pwm: lp3943: Fix duty calculation in case period was clamped
52e848568aa3 staging: fieldbus: Fix the error handling path in anybuss_host_common_probe()
10243224fd45 usb: musb: Fix missing of_node_put() in omap2430_probe
09ad026dac0e USB: storage: karma: fix rio_karma_init return
90ab34df6654 usb: usbip: add missing device lock on tweak configuration cmd
51422046be50 usb: usbip: fix a refcount leak in stub_probe()
433a689cadea remoteproc: imx_rproc: Ignore create mem entry for resource table
b62bbf8a4753 tty: serial: fsl_lpuart: fix potential bug when using both of_alias_get_id and ida_simple_get
923d34ce069e serial: 8250_aspeed_vuart: Fix potential NULL dereference in aspeed_vuart_probe
c84fa729f8db tty: n_tty: Restore EOF push handling behavior
f307bdb67018 tty: serial: owl: Fix missing clk_disable_unprepare() in owl_uart_probe
da64f419d7f7 tty: goldfish: Use tty_port_destroy() to destroy port
20e75f3c6e09 lkdtm/bugs: Don't expect thread termination without CONFIG_UBSAN_TRAP
1aeeca2b8397 lkdtm/bugs: Check for the NULL pointer after calling kmalloc
1deb5f87053e iio: adc: ad7124: Remove shift from scan_type
b34163bf9967 staging: greybus: codecs: fix type confusion of list iterator variable
9d919665a089 pcmcia: db1xxx_ss: restrict to MIPS_DB1XXX boards
----

Link: https://lore.kernel.org/r/20220613094922.843438024@linuxfoundation.org # v5.15.47
Link: https://lore.kernel.org/r/20220613181847.216528857@linuxfoundation.org # v5.15.47
Link: Freescale/linux-fslc#580
Signed-off-by: Andrey Zhizhikin <andrey.z@gmail.com>
(cherry picked from commit 86ad339)
zandrey pushed a commit to zandrey/linux-fslc that referenced this pull request Jan 9, 2023
[ Upstream commit b4cafb3 ]

Netdevsim triggers a splat on reload, when it destroys regions
with snapshots pending:

  WARNING: CPU: 1 PID: 787 at net/core/devlink.c:6291 devlink_region_snapshot_del+0x12e/0x140
  CPU: 1 PID: 787 Comm: devlink Not tainted 6.1.0-07460-g7ae9888d6e1c Freescale#580
  RIP: 0010:devlink_region_snapshot_del+0x12e/0x140
  Call Trace:
   <TASK>
   devl_region_destroy+0x70/0x140
   nsim_dev_reload_down+0x2f/0x60 [netdevsim]
   devlink_reload+0x1f7/0x360
   devlink_nl_cmd_reload+0x6ce/0x860
   genl_family_rcv_msg_doit.isra.0+0x145/0x1c0

This is the locking assert in devlink_region_snapshot_del(),
we're supposed to be holding the region->snapshot_lock here.

Fixes: 2dec18a ("net: devlink: remove region snapshots list dependency on devlink->lock")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>