hiccups in sound when using snd_usb_audio devices #91

Closed
Farbman opened this issue Aug 22, 2012 · 4 comments

Farbman commented Aug 22, 2012

I know you are already aware of this issue. I just want to have this as an open issue here.

For me everything got worse when I performed an rpi-update some days ago (in Raspbian). The kernel that was shipped with my first Raspbian installation had issues, but not this many. After reading that some USB issues were resolved I did the update, and after this USB audio is almost unlistenable.

Every time the problem occurs (when I play a sound) I get lots of entries like the following in kern.log:
[42641.766854] delay: estimated 0, actual 133
[42641.774864] delay: estimated 0, actual 133
[42641.782877] delay: estimated 0, actual 132
[42641.790866] delay: estimated 0, actual 132
[42641.811869] delay: estimated 0, actual 132
[42641.819878] delay: estimated 0, actual 132
[42641.827874] delay: estimated 0, actual 133
[42641.835876] delay: estimated 0, actual 133

The soundcard (USB DAC) I am trying with is a Cambridge Audio DacMagic Plus and it works just perfectly on x86 Linux.

@popcornmix
Collaborator

It's not something I can test. It would be useful if you could identify the commit that made it worse.
The older firmware versions are available on GitHub.

@Farbman
Author

Farbman commented Aug 23, 2012

Problem got worse in:
commit 0ef3d91e613a3d8db5debbd7eb8105071bfcb9be
Author: Dom Cobley dc4@broadcom.com
Date: Sat Aug 18 15:30:25 2012 +0100

Rebase to kernel 3.2.27

@popcornmix
Collaborator

That's unfortunate. I was hoping the offending commit would be something easily identifiable.
That commit changed tens of thousands of lines of code...

@Farbman
Author

Farbman commented Aug 23, 2012

Searching for info I found this:
http://alsa.opensrc.org/Usb-audio#Tuning_USB_devices_for_minimal_latencies

modprobe snd-usb-audio nrpacks=1 removes the delay messages that I experienced above and sound is much better.

Closing this issue.
(I have not been able to verify if sound works 100% with snd-usb-audio, but it is at least back to kernel 3.1 levels)

Farbman closed this as completed Aug 23, 2012
popcornmix pushed a commit that referenced this issue Mar 13, 2018
Previously, if a ppp session was closed, we called inet_shutdown to mark
the socket as unconnected such that userspace would get errors and
then close the socket. This could race with userspace closing the
socket. Instead, leave userspace to close the socket in its own time
(our session will be detached anyway).

BUG: KASAN: use-after-free in inet_shutdown+0x5d/0x1c0
Read of size 4 at addr ffff880010ea3ac0 by task syzbot_347bd5ac/8296

CPU: 3 PID: 8296 Comm: syzbot_347bd5ac Not tainted 4.16.0-rc1+ #91
Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
Call Trace:
 dump_stack+0x101/0x157
 ? inet_shutdown+0x5d/0x1c0
 print_address_description+0x78/0x260
 ? inet_shutdown+0x5d/0x1c0
 kasan_report+0x240/0x360
 __asan_load4+0x78/0x80
 inet_shutdown+0x5d/0x1c0
 ? pppol2tp_show+0x80/0x80
 pppol2tp_session_close+0x68/0xb0
 l2tp_tunnel_closeall+0x199/0x210
 ? udp_v6_flush_pending_frames+0x90/0x90
 l2tp_udp_encap_destroy+0x6b/0xc0
 ? l2tp_tunnel_del_work+0x2e0/0x2e0
 udpv6_destroy_sock+0x8c/0x90
 sk_common_release+0x47/0x190
 udp_lib_close+0x15/0x20
 inet_release+0x85/0xd0
 inet6_release+0x43/0x60
 sock_release+0x53/0x100
 ? sock_alloc_file+0x260/0x260
 sock_close+0x1b/0x20
 __fput+0x19f/0x380
 ____fput+0x1a/0x20
 task_work_run+0xd2/0x110
 exit_to_usermode_loop+0x18d/0x190
 do_syscall_64+0x389/0x3b0
 entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: 0033:0x7fe240a45259
RSP: 002b:00007fe241132df8 EFLAGS: 00000297 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007fe240a45259
RDX: 00007fe240a45259 RSI: 0000000000000000 RDI: 00000000000000a5
RBP: 00007fe241132e20 R08: 00007fe241133700 R09: 0000000000000000
R10: 00007fe241133700 R11: 0000000000000297 R12: 0000000000000000
R13: 00007ffc49aff84f R14: 0000000000000000 R15: 00007fe241141040

Allocated by task 8331:
 save_stack+0x43/0xd0
 kasan_kmalloc+0xad/0xe0
 kasan_slab_alloc+0x12/0x20
 kmem_cache_alloc+0x144/0x3e0
 sock_alloc_inode+0x22/0x130
 alloc_inode+0x3d/0xf0
 new_inode_pseudo+0x1c/0x90
 sock_alloc+0x30/0x110
 __sock_create+0xaa/0x4c0
 SyS_socket+0xbe/0x130
 do_syscall_64+0x128/0x3b0
 entry_SYSCALL_64_after_hwframe+0x26/0x9b

Freed by task 8314:
 save_stack+0x43/0xd0
 __kasan_slab_free+0x11a/0x170
 kasan_slab_free+0xe/0x10
 kmem_cache_free+0x88/0x2b0
 sock_destroy_inode+0x49/0x50
 destroy_inode+0x77/0xb0
 evict+0x285/0x340
 iput+0x429/0x530
 dentry_unlink_inode+0x28c/0x2c0
 __dentry_kill+0x1e3/0x2f0
 dput.part.21+0x500/0x560
 dput+0x24/0x30
 __fput+0x2aa/0x380
 ____fput+0x1a/0x20
 task_work_run+0xd2/0x110
 exit_to_usermode_loop+0x18d/0x190
 do_syscall_64+0x389/0x3b0
 entry_SYSCALL_64_after_hwframe+0x26/0x9b

Fixes: fd558d1 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
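
What the three stacks in this KASAN report say, extracted programmatically. This is an added example, not part of the commit or the kernel tree; the function names (`parse_kasan`, `triage`) and the list of instrumentation prefixes are assumptions made for illustration, and the sample is abridged from the report above.

```python
import re

# Abridged from the KASAN report quoted in the commit message above; only the
# frames the triage logic needs are kept.
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in inet_shutdown+0x5d/0x1c0
Read of size 4 at addr ffff880010ea3ac0 by task syzbot_347bd5ac/8296

Call Trace:
 dump_stack+0x101/0x157
 ? inet_shutdown+0x5d/0x1c0
 kasan_report+0x240/0x360
 __asan_load4+0x78/0x80
 inet_shutdown+0x5d/0x1c0
 ? pppol2tp_show+0x80/0x80
 pppol2tp_session_close+0x68/0xb0
 l2tp_tunnel_closeall+0x199/0x210
 sock_close+0x1b/0x20
 __fput+0x19f/0x380
RIP: 0033:0x7fe240a45259

Allocated by task 8331:
 save_stack+0x43/0xd0
 kasan_kmalloc+0xad/0xe0
 kmem_cache_alloc+0x144/0x3e0
 sock_alloc_inode+0x22/0x130
 SyS_socket+0xbe/0x130

Freed by task 8314:
 save_stack+0x43/0xd0
 __kasan_slab_free+0x11a/0x170
 kmem_cache_free+0x88/0x2b0
 sock_destroy_inode+0x49/0x50
 __fput+0x2aa/0x380
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # optional dmesg timestamp prefix
HEADER = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>[\w.]+)\+")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                    r"(?P<addr>[0-9a-f]+) by task (?P<comm>\S+)/(?P<pid>\d+)")
SECTION = re.compile(r"^(?:(Call Trace)|Allocated by task (\d+)|Freed by task (\d+)):")
FRAME = re.compile(r"^(\? )?(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Frames that belong to the sanitizer or the allocator, not to the bug
# (assumed prefix list, chosen for this report).
INSTRUMENTATION = ("dump_stack", "print_address_description", "kasan_",
                   "__kasan_", "__asan_", "save_stack", "kmem_cache_")


def parse_kasan(text):
    """Split a KASAN report into its access line and its three stacks."""
    report = {"stacks": {"access": [], "alloc": [], "free": []}}
    current = None
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if (m := HEADER.search(line)):
            report.update(bug=m["bug"], func=m["func"])
        elif (m := ACCESS.search(line)):
            report.update(op=m["op"], size=int(m["size"]),
                          addr=int(m["addr"], 16),
                          comm=m["comm"], pid=int(m["pid"]))
        elif (m := SECTION.match(line)):
            if m.group(1):
                current = "access"
            elif m.group(2):
                current, report["alloc_pid"] = "alloc", int(m.group(2))
            else:
                current, report["free_pid"] = "free", int(m.group(3))
        elif current and (m := FRAME.match(line)):
            if not line.startswith("?"):  # '?' frames are unreliable guesses
                report["stacks"][current].append(m["func"])
        else:
            current = None  # blank line or register dump ends a stack
    return report


def first_real(stack):
    """First frame that is not sanitizer/allocator plumbing."""
    return next((f for f in stack if not f.startswith(INSTRUMENTATION)), None)


def triage(report):
    access = [f for f in report["stacks"]["access"]
              if not f.startswith(INSTRUMENTATION)]
    return {
        "bug": report.get("bug"),
        "faulting_function": access[0] if access else None,
        "caller": access[1] if len(access) > 1 else None,
        "allocated_in": first_real(report["stacks"]["alloc"]),
        "freed_in": first_real(report["stacks"]["free"]),
        # A free performed by a different task than the one that later
        # touches the object points at a lifetime race, not a local bug.
        "freed_by_other_task":
            report.get("free_pid") not in (None, report.get("pid")),
    }


if __name__ == "__main__":
    for key, value in triage(parse_kasan(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

On this report the object is freed through `__fput` in task 8314 while task 8296 reaches `inet_shutdown` from `pppol2tp_session_close`, which matches the race with userspace closing the socket that the commit message describes.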
popcornmix pushed a commit that referenced this issue Mar 14, 2018
[ Upstream commit 225eb26 ]

Previously, if a ppp session was closed, we called inet_shutdown to mark
the socket as unconnected such that userspace would get errors and
then close the socket. This could race with userspace closing the
socket. Instead, leave userspace to close the socket in its own time
(our session will be detached anyway).

Fixes: fd558d1 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
popcornmix pushed a commit that referenced this issue Apr 3, 2018
Add missing check that device is connected prior to accessing it.

[   55.358652] BUG: KASAN: null-ptr-deref in rdma_init_qp_attr+0x4a/0x2c0
[   55.359389] Read of size 8 at addr 00000000000000b0 by task qp/618
[   55.360255]
[   55.360432] CPU: 1 PID: 618 Comm: qp Not tainted 4.16.0-rc1-00071-gcaf61b1b8b88 #91
[   55.361693] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
[   55.363264] Call Trace:
[   55.363833]  dump_stack+0x5c/0x77
[   55.364215]  kasan_report+0x163/0x380
[   55.364610]  ? rdma_init_qp_attr+0x4a/0x2c0
[   55.365238]  rdma_init_qp_attr+0x4a/0x2c0
[   55.366410]  ucma_init_qp_attr+0x111/0x200
[   55.366846]  ? ucma_notify+0xf0/0xf0
[   55.367405]  ? _get_random_bytes+0xea/0x1b0
[   55.367846]  ? urandom_read+0x2f0/0x2f0
[   55.368436]  ? kmem_cache_alloc_trace+0xd2/0x1e0
[   55.369104]  ? refcount_inc_not_zero+0x9/0x60
[   55.369583]  ? refcount_inc+0x5/0x30
[   55.370155]  ? rdma_create_id+0x215/0x240
[   55.370937]  ? _copy_to_user+0x4f/0x60
[   55.371620]  ? mem_cgroup_commit_charge+0x1f5/0x290
[   55.372127]  ? _copy_from_user+0x5e/0x90
[   55.372720]  ucma_write+0x174/0x1f0
[   55.373090]  ? ucma_close_id+0x40/0x40
[   55.373805]  ? __lru_cache_add+0xa8/0xd0
[   55.374403]  __vfs_write+0xc4/0x350
[   55.374774]  ? kernel_read+0xa0/0xa0
[   55.375173]  ? fsnotify+0x899/0x8f0
[   55.375544]  ? fsnotify_unmount_inodes+0x170/0x170
[   55.376689]  ? __fsnotify_update_child_dentry_flags+0x30/0x30
[   55.377522]  ? handle_mm_fault+0x174/0x320
[   55.378169]  vfs_write+0xf7/0x280
[   55.378864]  SyS_write+0xa1/0x120
[   55.379270]  ? SyS_read+0x120/0x120
[   55.379643]  ? mm_fault_error+0x180/0x180
[   55.380071]  ? task_work_run+0x7d/0xd0
[   55.380910]  ? __task_pid_nr_ns+0x120/0x140
[   55.381366]  ? SyS_read+0x120/0x120
[   55.381739]  do_syscall_64+0xeb/0x250
[   55.382143]  entry_SYSCALL_64_after_hwframe+0x21/0x86
[   55.382841] RIP: 0033:0x7fc2ef803e99
[   55.383227] RSP: 002b:00007fffcc5f3be8 EFLAGS: 00000217 ORIG_RAX: 0000000000000001
[   55.384173] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc2ef803e99
[   55.386145] RDX: 0000000000000057 RSI: 0000000020000080 RDI: 0000000000000003
[   55.388418] RBP: 00007fffcc5f3c00 R08: 0000000000000000 R09: 0000000000000000
[   55.390542] R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000400480
[   55.392916] R13: 00007fffcc5f3cf0 R14: 0000000000000000 R15: 0000000000000000
[   55.521088] Code: e5 4d 1e ff 48 89 df 44 0f b6 b3 b8 01 00 00 e8 65 50 1e ff 4c 8b 2b 49
8d bd b0 00 00 00 e8 56 50 1e ff 41 0f b6 c6 48 c1 e0 04 <49> 03 85 b0 00 00 00 48 8d 78 08
48 89 04 24 e8 3a 4f 1e ff 48
[   55.525980] RIP: rdma_init_qp_attr+0x52/0x2c0 RSP: ffff8801e2c2f9d8
[   55.532648] CR2: 00000000000000b0
[   55.534396] ---[ end trace 70cee64090251c0b ]---

Fixes: 7521663 ("RDMA/cma: Export rdma cm interface to userspace")
Fixes: d541e45 ("IB/core: Convert ah_attr from OPA to IB when copying to user")
Reported-by: <syzbot+7b62c837c2516f8f38c8@syzkaller.appspotmail.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
nathanchance pushed a commit to nathanchance/pi-kernel that referenced this issue Apr 8, 2018
commit 4b658d1 upstream.

Add missing check that device is connected prior to accessing it.

Fixes: 7521663 ("RDMA/cma: Export rdma cm interface to userspace")
Fixes: d541e45 ("IB/core: Convert ah_attr from OPA to IB when copying to user")
Reported-by: <syzbot+7b62c837c2516f8f38c8@syzkaller.appspotmail.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
popcornmix pushed a commit that referenced this issue Apr 9, 2018
commit 4b658d1 upstream.

Add missing check that device is connected prior to accessing it.

Fixes: 7521663 ("RDMA/cma: Export rdma cm interface to userspace")
Fixes: d541e45 ("IB/core: Convert ah_attr from OPA to IB when copying to user")
Reported-by: <syzbot+7b62c837c2516f8f38c8@syzkaller.appspotmail.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
popcornmix pushed a commit that referenced this issue Jul 9, 2018
smb{2,3}_create_lease_buf() store a lease key in the lease
context for later usage on a lease break.

In most paths, the key is currently sourced from data that
happens to be on the stack near local variables for oplock in
SMB2_open() callers, e.g. from open_shroot(), whereas
smb2_open_file() properly allocates space on its stack for it.

The address of those local variables holding the oplock is then
passed to create_lease_buf handlers via SMB2_open(), and 16
bytes near oplock are used. This causes a stack out-of-bounds
access as reported by KASAN on SMB2.1 and SMB3 mounts (first
out-of-bounds access is shown here):

[  111.528823] BUG: KASAN: stack-out-of-bounds in smb3_create_lease_buf+0x399/0x3b0 [cifs]
[  111.530815] Read of size 8 at addr ffff88010829f249 by task mount.cifs/985
[  111.532838] CPU: 3 PID: 985 Comm: mount.cifs Not tainted 4.18.0-rc3+ #91
[  111.534656] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[  111.536838] Call Trace:
[  111.537528]  dump_stack+0xc2/0x16b
[  111.540890]  print_address_description+0x6a/0x270
[  111.542185]  kasan_report+0x258/0x380
[  111.544701]  smb3_create_lease_buf+0x399/0x3b0 [cifs]
[  111.546134]  SMB2_open+0x1ef8/0x4b70 [cifs]
[  111.575883]  open_shroot+0x339/0x550 [cifs]
[  111.591969]  smb3_qfs_tcon+0x32c/0x1e60 [cifs]
[  111.617405]  cifs_mount+0x4f3/0x2fc0 [cifs]
[  111.674332]  cifs_smb3_do_mount+0x263/0xf10 [cifs]
[  111.677915]  mount_fs+0x55/0x2b0
[  111.679504]  vfs_kern_mount.part.22+0xaa/0x430
[  111.684511]  do_mount+0xc40/0x2660
[  111.698301]  ksys_mount+0x80/0xd0
[  111.701541]  do_syscall_64+0x14e/0x4b0
[  111.711807]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  111.713665] RIP: 0033:0x7f372385b5fa
[  111.715311] Code: 48 8b 0d 99 78 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 66 78 2c 00 f7 d8 64 89 01 48
[  111.720330] RSP: 002b:00007ffff27049d8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5
[  111.722601] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f372385b5fa
[  111.724842] RDX: 000055c2ecdc73b2 RSI: 000055c2ecdc73f9 RDI: 00007ffff270580f
[  111.727083] RBP: 00007ffff2705804 R08: 000055c2ee976060 R09: 0000000000001000
[  111.729319] R10: 0000000000000000 R11: 0000000000000206 R12: 00007f3723f4d000
[  111.731615] R13: 000055c2ee976060 R14: 00007f3723f4f90f R15: 0000000000000000

[  111.735448] The buggy address belongs to the page:
[  111.737420] page:ffffea000420a7c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[  111.739890] flags: 0x17ffffc0000000()
[  111.741750] raw: 0017ffffc0000000 0000000000000000 dead000000000200 0000000000000000
[  111.744216] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[  111.746679] page dumped because: kasan: bad access detected

[  111.750482] Memory state around the buggy address:
[  111.752562]  ffff88010829f100: 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00
[  111.754991]  ffff88010829f180: 00 00 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
[  111.757401] >ffff88010829f200: 00 00 00 00 00 f1 f1 f1 f1 01 f2 f2 f2 f2 f2 f2
[  111.759801]                                               ^
[  111.762034]  ffff88010829f280: f2 02 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00
[  111.764486]  ffff88010829f300: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  111.766913] ==================================================================

Lease keys are however already generated and stored in fid data
on open and create paths: pass them down to the lease context
creation handlers and use them.

Suggested-by: Aurélien Aptel <aaptel@suse.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Fixes: b8c32db ("CIFS: Request SMB2.1 leases")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
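
Reading the "Memory state around the buggy address" dump in the report above, as an added example (not part of the commit or the kernel tree). It assumes generic KASAN's 8-byte granule and the poison values from mm/kasan/kasan.h of 4.x kernels; the function names are illustrative.

```python
import re

GRANULE = 8  # generic KASAN: one shadow byte describes 8 bytes of memory

# Poison values from mm/kasan/kasan.h in 4.x kernels (generic KASAN).
POISON = {0xF1: "stack left redzone", 0xF2: "stack mid redzone",
          0xF3: "stack right redzone", 0xFB: "freed slab object",
          0xFC: "slab redzone", 0xFF: "free page"}

# Lines copied from the report quoted above: the access line and shadow rows.
SAMPLE = """\
[  111.530815] Read of size 8 at addr ffff88010829f249 by task mount.cifs/985
[  111.750482] Memory state around the buggy address:
[  111.752562]  ffff88010829f100: 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00
[  111.754991]  ffff88010829f180: 00 00 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
[  111.757401] >ffff88010829f200: 00 00 00 00 00 f1 f1 f1 f1 01 f2 f2 f2 f2 f2 f2
[  111.759801]                                               ^
[  111.762034]  ffff88010829f280: f2 02 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00
[  111.764486]  ffff88010829f300: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]")  # optional dmesg timestamp prefix
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)")
ROW = re.compile(r"^>?\s*([0-9a-f]{16}):((?: [0-9a-f]{2})+)$")


def parse(text):
    """Return (access_addr, access_size, {granule_addr: shadow_byte})."""
    addr = size = None
    shadow = {}
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if (m := ACCESS.search(line)):
            size, addr = int(m[2]), int(m[3], 16)
        elif (m := ROW.match(line)):
            # Each row label is a memory address; byte i of the row is the
            # shadow for the 8 bytes starting at label + 8 * i.
            base = int(m[1], 16)
            for i, byte in enumerate(m[2].split()):
                shadow[base + i * GRANULE] = int(byte, 16)
    return addr, size, shadow


def valid(shadow_byte, offset):
    """Is the byte at `offset` inside its granule addressable?"""
    return shadow_byte == 0 or (shadow_byte < GRANULE and offset < shadow_byte)


def describe(shadow_byte):
    if shadow_byte == 0:
        return "addressable"
    if shadow_byte < GRANULE:
        return f"first {shadow_byte} byte(s) addressable"
    return POISON.get(shadow_byte, f"poisoned (0x{shadow_byte:02x})")


def explain(text):
    """Map the reported access onto the shadow dump (rows must cover it)."""
    addr, size, shadow = parse(text)
    touched = range(addr, addr + size)
    bad = [a for a in touched
           if not valid(shadow[a & ~(GRANULE - 1)], a % GRANULE)]
    granules = sorted({a & ~(GRANULE - 1) for a in touched})
    # Object that ends in the first touched granule: its valid bytes plus
    # any fully addressable granules directly before it.
    first, obj = granules[0], None
    if shadow[first] < GRANULE:
        start, length = first, shadow[first] or GRANULE
        while shadow.get(start - GRANULE) == 0:
            start, length = start - GRANULE, length + GRANULE
        obj = (start, length)
    return {"first_bad": bad[0] if bad else None,
            "bad_bytes": len(bad),
            "granules": [(g, describe(shadow[g])) for g in granules],
            "object": obj}


if __name__ == "__main__":
    result = explain(SAMPLE)
    print(f"first bad byte: {result['first_bad']:#x}, "
          f"{result['bad_bytes']} of the accessed bytes are poisoned")
    for granule, meaning in result["granules"]:
        print(f"  {granule:#x}: {meaning}")
    print("object (start, size):", result["object"])
```

The read starts one byte into a granule whose shadow byte is 01, that is, a 1-byte stack object bracketed by redzones, which is consistent with the commit message's account of bytes being taken from next to the oplock variable.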
popcornmix pushed a commit that referenced this issue May 28, 2019
commit 46ca3f7 upstream.

The bug manifests as an attempt to access deallocated memory:

    BUG: unable to handle kernel paging request at ffff9c8735448000
    #PF error: [PROT] [WRITE]
    PGD 288a05067 P4D 288a05067 PUD 288a07067 PMD 7f60c2063 PTE 80000007f5448161
    Oops: 0003 [#1] PREEMPT SMP
    CPU: 6 PID: 388 Comm: loadkeys Tainted: G         C        5.0.0-rc6-00153-g5ded5871030e #91
    Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./H77M-D3H, BIOS F12 11/14/2013
    RIP: 0010:__memmove+0x81/0x1a0
    Code: 4c 89 4f 10 4c 89 47 18 48 8d 7f 20 73 d4 48 83 c2 20 e9 a2 00 00 00 66 90 48 89 d1 4c 8b 5c 16 f8 4c 8d 54 17 f8 48 c1 e9 03 <f3> 48 a5 4d 89 1a e9 0c 01 00 00 0f 1f 40 00 48 89 d1 4c 8b 1e 49
    RSP: 0018:ffffa1b9002d7d08 EFLAGS: 00010203
    RAX: ffff9c873541af43 RBX: ffff9c873541af43 RCX: 00000c6f105cd6bf
    RDX: 0000637882e986b6 RSI: ffff9c8735447ffb RDI: ffff9c8735447ffb
    RBP: ffff9c8739cd3800 R08: ffff9c873b802f00 R09: 00000000fffff73b
    R10: ffffffffb82b35f1 R11: 00505b1b004d5b1b R12: 0000000000000000
    R13: ffff9c873541af3d R14: 000000000000000b R15: 000000000000000c
    FS:  00007f450c390580(0000) GS:ffff9c873f180000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: ffff9c8735448000 CR3: 00000007e213c002 CR4: 00000000000606e0
    Call Trace:
     vt_do_kdgkb_ioctl+0x34d/0x440
     vt_ioctl+0xba3/0x1190
     ? __bpf_prog_run32+0x39/0x60
     ? mem_cgroup_commit_charge+0x7b/0x4e0
     tty_ioctl+0x23f/0x920
     ? preempt_count_sub+0x98/0xe0
     ? __seccomp_filter+0x67/0x600
     do_vfs_ioctl+0xa2/0x6a0
     ? syscall_trace_enter+0x192/0x2d0
     ksys_ioctl+0x3a/0x70
     __x64_sys_ioctl+0x16/0x20
     do_syscall_64+0x54/0xe0
     entry_SYSCALL_64_after_hwframe+0x49/0xbe

The bug manifests on systemd systems with multiple vtcon devices:
  # cat /sys/devices/virtual/vtconsole/vtcon0/name
  (S) dummy device
  # cat /sys/devices/virtual/vtconsole/vtcon1/name
  (M) frame buffer device

There systemd runs the 'loadkeys' tool in parallel for each vtcon
instance. This causes two parallel ioctl(KDSKBSENT) calls to
race into adding the same entry into the 'func_table' array at:

    drivers/tty/vt/keyboard.c:vt_do_kdgkb_ioctl()

The function has no locking around writes to 'func_table'.

The simplest reproducer is to have an initramfs with the following
init on an 8-CPU x86_64 machine:

    #!/bin/sh

    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &

    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &
    wait

The change adds a lock on the write path only. Reads are still racy.

CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
CC: Jiri Slaby <jslaby@suse.com>
Link: https://lkml.org/lkml/2019/2/17/256
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
popcornmix pushed a commit that referenced this issue May 28, 2019
commit 46ca3f7 upstream.

The bug manifests as an attempt to access deallocated memory:

The bug manifests on systemd systems with multiple vtcon devices:
  # cat /sys/devices/virtual/vtconsole/vtcon0/name
  (S) dummy device
  # cat /sys/devices/virtual/vtconsole/vtcon1/name
  (M) frame buffer device

There systemd runs the 'loadkeys' tool in parallel for each vtcon
instance. This causes two parallel ioctl(KDSKBSENT) calls to
race into adding the same entry into the 'func_table' array at:

    drivers/tty/vt/keyboard.c:vt_do_kdgkb_ioctl()

The function has no locking around writes to 'func_table'.

The simplest reproducer is to have an initramfs with the following
init on an 8-CPU x86_64 machine:

    #!/bin/sh

    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &

    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &
    wait

The change adds a lock on the write path only. Reads are still racy.

CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
CC: Jiri Slaby <jslaby@suse.com>
Link: https://lkml.org/lkml/2019/2/17/256
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
popcornmix pushed a commit that referenced this issue Jun 4, 2019
commit 46ca3f7 upstream.

The bug manifests as an attempt to access deallocated memory:

The bug manifests on systemd systems with multiple vtcon devices:
  # cat /sys/devices/virtual/vtconsole/vtcon0/name
  (S) dummy device
  # cat /sys/devices/virtual/vtconsole/vtcon1/name
  (M) frame buffer device

There systemd runs the 'loadkeys' tool in parallel for each vtcon
instance. This causes two parallel ioctl(KDSKBSENT) calls to
race into adding the same entry into the 'func_table' array at:

    drivers/tty/vt/keyboard.c:vt_do_kdgkb_ioctl()

The function has no locking around writes to 'func_table'.

The simplest reproducer is to have an initramfs with the following
init on an 8-CPU x86_64 machine:

    #!/bin/sh

    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &

    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &
    wait

The change adds a lock on the write path only. Reads are still racy.

CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
CC: Jiri Slaby <jslaby@suse.com>
Link: https://lkml.org/lkml/2019/2/17/256
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
artynet pushed a commit to artynet/rpi-linux that referenced this issue Jul 15, 2019
commit 46ca3f7 upstream.

The bug manifests as an attempt to access deallocated memory:

    BUG: unable to handle kernel paging request at ffff9c8735448000
    #PF error: [PROT] [WRITE]
    PGD 288a05067 P4D 288a05067 PUD 288a07067 PMD 7f60c2063 PTE 80000007f5448161
    Oops: 0003 [#1] PREEMPT SMP
    CPU: 6 PID: 388 Comm: loadkeys Tainted: G         C        5.0.0-rc6-00153-g5ded5871030e #91
    Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./H77M-D3H, BIOS F12 11/14/2013
    RIP: 0010:__memmove+0x81/0x1a0
    Code: 4c 89 4f 10 4c 89 47 18 48 8d 7f 20 73 d4 48 83 c2 20 e9 a2 00 00 00 66 90 48 89 d1 4c 8b 5c 16 f8 4c 8d 54 17 f8 48 c1 e9 03 <f3> 48 a5 4d 89 1a e9 0c 01 00 00 0f 1f 40 00 48 89 d1 4c 8b 1e 49
    RSP: 0018:ffffa1b9002d7d08 EFLAGS: 00010203
    RAX: ffff9c873541af43 RBX: ffff9c873541af43 RCX: 00000c6f105cd6bf
    RDX: 0000637882e986b6 RSI: ffff9c8735447ffb RDI: ffff9c8735447ffb
    RBP: ffff9c8739cd3800 R08: ffff9c873b802f00 R09: 00000000fffff73b
    R10: ffffffffb82b35f1 R11: 00505b1b004d5b1b R12: 0000000000000000
    R13: ffff9c873541af3d R14: 000000000000000b R15: 000000000000000c
    FS:  00007f450c390580(0000) GS:ffff9c873f180000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: ffff9c8735448000 CR3: 00000007e213c002 CR4: 00000000000606e0
    Call Trace:
     vt_do_kdgkb_ioctl+0x34d/0x440
     vt_ioctl+0xba3/0x1190
     ? __bpf_prog_run32+0x39/0x60
     ? mem_cgroup_commit_charge+0x7b/0x4e0
     tty_ioctl+0x23f/0x920
     ? preempt_count_sub+0x98/0xe0
     ? __seccomp_filter+0x67/0x600
     do_vfs_ioctl+0xa2/0x6a0
     ? syscall_trace_enter+0x192/0x2d0
     ksys_ioctl+0x3a/0x70
     __x64_sys_ioctl+0x16/0x20
     do_syscall_64+0x54/0xe0
     entry_SYSCALL_64_after_hwframe+0x49/0xbe

The bug manifests on systemd systems with multiple vtcon devices:
  # cat /sys/devices/virtual/vtconsole/vtcon0/name
  (S) dummy device
  # cat /sys/devices/virtual/vtconsole/vtcon1/name
  (M) frame buffer device

There systemd runs 'loadkeys' tool in parallel for each vtcon
instance. This causes two parallel ioctl(KDSKBSENT) calls to
race into adding the same entry into 'func_table' array at:

    drivers/tty/vt/keyboard.c:vt_do_kdgkb_ioctl()

The function has no locking around writes to 'func_table'.

The simplest reproducer is to have initramfs with the following
init on an 8-CPU x86_64 machine:

    #!/bin/sh

    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &

    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &
    wait

The change adds a lock on the write path only. Reads are still racy.

CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
CC: Jiri Slaby <jslaby@suse.com>
Link: https://lkml.org/lkml/2019/2/17/256
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
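
The unlocked-write race this commit message describes, replayed deterministically in a simplified user-space model. This is an added example, not the kernel's code: `struct ftable`, `plan_write`, `commit_write`, `set_entry_locked` and the sample strings are assumptions made for illustration. Two writers that both read the table before either one updates it leave a later entry pointing at the wrong bytes, while holding one lock across the read and the update keeps the table consistent.

```c
#include <pthread.h>
#include <stdio.h>
#include <string.h>

#define NR_FUNC  4
#define BUF_SIZE 64

/* Simplified model: entry[i] points at a NUL-terminated string packed in buf. */
struct ftable {
    char   buf[BUF_SIZE];
    char  *entry[NR_FUNC];
    size_t used;               /* bytes of buf in use, terminators included */
};

/* Everything a writer reads from the table before it modifies anything. */
struct plan {
    int   idx, next_idx;       /* target entry; next entry that is set */
    char *old, *next;          /* entry[idx] (NULL if unset); start of the tail */
    char *first_free;          /* end of the used area */
    long  delta;               /* how far the tail has to shift */
};

static pthread_mutex_t write_lock = PTHREAD_MUTEX_INITIALIZER;
static const char *const WANT[NR_FUNC] = { "F1", "XYZ", "F3", NULL };

/* Read phase: snapshot pointers and sizes. */
static struct plan plan_write(struct ftable *t, int idx, const char *str)
{
    struct plan p = { .idx = idx, .next_idx = idx + 1, .old = t->entry[idx] };

    while (p.next_idx < NR_FUNC && !t->entry[p.next_idx])
        p.next_idx++;
    p.first_free = t->buf + t->used;
    p.next = p.next_idx < NR_FUNC ? t->entry[p.next_idx] : p.first_free;
    p.delta = (p.old ? -(long)strlen(p.old) : 1) + (long)strlen(str);
    return p;
}

/* Write phase: shift the tail, fix up later pointers, store the string. */
static int commit_write(struct ftable *t, const struct plan *p, const char *str)
{
    if (p->delta > (long)(BUF_SIZE - t->used))
        return -1;
    if (p->next_idx < NR_FUNC) {
        memmove(p->next + p->delta, p->next, (size_t)(p->first_free - p->next));
        for (int k = p->next_idx; k < NR_FUNC; k++)
            if (t->entry[k])
                t->entry[k] += p->delta;
    }
    if (!p->old)
        t->entry[p->idx] = p->next;
    t->used += (size_t)p->delta;
    strcpy(t->entry[p->idx], str);
    return 0;
}

/* Fixed write path: both phases run as one critical section. */
static int set_entry_locked(struct ftable *t, int idx, const char *str)
{
    pthread_mutex_lock(&write_lock);
    struct plan p = plan_write(t, idx, str);
    int ret = commit_write(t, &p, str);
    pthread_mutex_unlock(&write_lock);
    return ret;
}

/* 1 if every entry holds the wanted string and the byte accounting adds up. */
static int table_consistent(const struct ftable *t)
{
    size_t total = 0;
    for (int i = 0; i < NR_FUNC; i++) {
        if (!WANT[i] != !t->entry[i] || (WANT[i] && strcmp(t->entry[i], WANT[i])))
            return 0;
        total += WANT[i] ? strlen(WANT[i]) + 1 : 0;
    }
    return total == t->used;
}

/* Two writers add entry 1. Unlocked, both plan before either one commits. */
int replay(int locked)
{
    struct ftable t = { .buf = "F1\0F3", .used = 6 };  /* constructed sample */
    t.entry[0] = t.buf;
    t.entry[2] = t.buf + 3;
    if (locked) {
        set_entry_locked(&t, 1, "XYZ");
        set_entry_locked(&t, 1, "XYZ");
    } else {
        struct plan a = plan_write(&t, 1, "XYZ"), b = plan_write(&t, 1, "XYZ");
        commit_write(&t, &b, "XYZ");
        commit_write(&t, &a, "XYZ");  /* stale plan: shifts the tail again */
    }
    return table_consistent(&t);
}

int main(void)
{
    printf("unlocked: %d, locked: %d\n", replay(0), replay(1));
    return 0;
}
```

The model serializes writers only, matching the commit's note that reads stay racy: a reader that follows `entry[i]` while a writer is between `memmove` and the pointer fix-up can still see a torn table.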
popcornmix pushed a commit that referenced this issue Mar 4, 2021
commit 35f1c89 upstream.

The recent rework of probe_kernel_address() and its conversion to
get_kernel_nofault() inadvertently broke is_prefetch(). Before this
change, probe_kernel_address() was used as a sloppy "read user or
kernel memory" helper, but it doesn't do that any more. The new
get_kernel_nofault() reads *kernel* memory only, which completely broke
is_prefetch() for user access.

Adjust the code to the correct accessor based on access mode. The
manual address bounds check is no longer necessary, since the accessor
helpers (get_user() / get_kernel_nofault()) do the right thing all by
themselves. As a bonus, by using the correct accessor, the open-coded
address bounds check is not needed anymore.

 [ bp: Massage commit message. ]

Fixes: eab0c60 ("maccess: unify the probe kernel arch hooks")
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/b91f7f92f3367d2d3a88eec3b09c6aab1b2dc8ef.1612924255.git.luto@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
popcornmix pushed a commit that referenced this issue Mar 16, 2021
commit 35f1c89 upstream.

popcornmix pushed a commit that referenced this issue Aug 31, 2022
storvsc_error_wq workqueue should not be marked as WQ_MEM_RECLAIM as it
doesn't need to make forward progress under memory pressure.  Marking this
workqueue as WQ_MEM_RECLAIM may cause deadlock while flushing a
non-WQ_MEM_RECLAIM workqueue.  In the current state it causes the following
warning:

[   14.506347] ------------[ cut here ]------------
[   14.506354] workqueue: WQ_MEM_RECLAIM storvsc_error_wq_0:storvsc_remove_lun is flushing !WQ_MEM_RECLAIM events_freezable_power_:disk_events_workfn
[   14.506360] WARNING: CPU: 0 PID: 8 at <-snip->kernel/workqueue.c:2623 check_flush_dependency+0xb5/0x130
[   14.506390] CPU: 0 PID: 8 Comm: kworker/u4:0 Not tainted 5.4.0-1086-azure #91~18.04.1-Ubuntu
[   14.506391] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 05/09/2022
[   14.506393] Workqueue: storvsc_error_wq_0 storvsc_remove_lun
[   14.506395] RIP: 0010:check_flush_dependency+0xb5/0x130
		<-snip->
[   14.506408] Call Trace:
[   14.506412]  __flush_work+0xf1/0x1c0
[   14.506414]  __cancel_work_timer+0x12f/0x1b0
[   14.506417]  ? kernfs_put+0xf0/0x190
[   14.506418]  cancel_delayed_work_sync+0x13/0x20
[   14.506420]  disk_block_events+0x78/0x80
[   14.506421]  del_gendisk+0x3d/0x2f0
[   14.506423]  sr_remove+0x28/0x70
[   14.506427]  device_release_driver_internal+0xef/0x1c0
[   14.506428]  device_release_driver+0x12/0x20
[   14.506429]  bus_remove_device+0xe1/0x150
[   14.506431]  device_del+0x167/0x380
[   14.506432]  __scsi_remove_device+0x11d/0x150
[   14.506433]  scsi_remove_device+0x26/0x40
[   14.506434]  storvsc_remove_lun+0x40/0x60
[   14.506436]  process_one_work+0x209/0x400
[   14.506437]  worker_thread+0x34/0x400
[   14.506439]  kthread+0x121/0x140
[   14.506440]  ? process_one_work+0x400/0x400
[   14.506441]  ? kthread_park+0x90/0x90
[   14.506443]  ret_from_fork+0x35/0x40
[   14.506445] ---[ end trace 2d9633159fdc6ee7 ]---

Link: https://lore.kernel.org/r/1659628534-17539-1-git-send-email-ssengar@linux.microsoft.com
Fixes: 436ad94 ("scsi: storvsc: Allow only one remove lun work item to be issued per lun")
Reviewed-by: Michael Kelley <mikelley@microsoft.com>
Signed-off-by: Saurabh Sengar <ssengar@linux.microsoft.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Pzqqt pushed a commit to Pzqqt/kernel_raspberrypi_4b that referenced this issue Sep 2, 2022
commit d957e7f upstream.

storvsc_error_wq workqueue should not be marked as WQ_MEM_RECLAIM as it
doesn't need to make forward progress under memory pressure.  Marking this
workqueue as WQ_MEM_RECLAIM may cause deadlock while flushing a
non-WQ_MEM_RECLAIM workqueue.  In the current state it causes the following
warning:

[   14.506347] ------------[ cut here ]------------
[   14.506354] workqueue: WQ_MEM_RECLAIM storvsc_error_wq_0:storvsc_remove_lun is flushing !WQ_MEM_RECLAIM events_freezable_power_:disk_events_workfn
[   14.506360] WARNING: CPU: 0 PID: 8 at <-snip->kernel/workqueue.c:2623 check_flush_dependency+0xb5/0x130
[   14.506390] CPU: 0 PID: 8 Comm: kworker/u4:0 Not tainted 5.4.0-1086-azure #91~18.04.1-Ubuntu
[   14.506391] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 05/09/2022
[   14.506393] Workqueue: storvsc_error_wq_0 storvsc_remove_lun
[   14.506395] RIP: 0010:check_flush_dependency+0xb5/0x130
		<-snip->
[   14.506408] Call Trace:
[   14.506412]  __flush_work+0xf1/0x1c0
[   14.506414]  __cancel_work_timer+0x12f/0x1b0
[   14.506417]  ? kernfs_put+0xf0/0x190
[   14.506418]  cancel_delayed_work_sync+0x13/0x20
[   14.506420]  disk_block_events+0x78/0x80
[   14.506421]  del_gendisk+0x3d/0x2f0
[   14.506423]  sr_remove+0x28/0x70
[   14.506427]  device_release_driver_internal+0xef/0x1c0
[   14.506428]  device_release_driver+0x12/0x20
[   14.506429]  bus_remove_device+0xe1/0x150
[   14.506431]  device_del+0x167/0x380
[   14.506432]  __scsi_remove_device+0x11d/0x150
[   14.506433]  scsi_remove_device+0x26/0x40
[   14.506434]  storvsc_remove_lun+0x40/0x60
[   14.506436]  process_one_work+0x209/0x400
[   14.506437]  worker_thread+0x34/0x400
[   14.506439]  kthread+0x121/0x140
[   14.506440]  ? process_one_work+0x400/0x400
[   14.506441]  ? kthread_park+0x90/0x90
[   14.506443]  ret_from_fork+0x35/0x40
[   14.506445] ---[ end trace 2d9633159fdc6ee7 ]---

Link: https://lore.kernel.org/r/1659628534-17539-1-git-send-email-ssengar@linux.microsoft.com
Fixes: 436ad94 ("scsi: storvsc: Allow only one remove lun work item to be issued per lun")
Reviewed-by: Michael Kelley <mikelley@microsoft.com>
Signed-off-by: Saurabh Sengar <ssengar@linux.microsoft.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
popcornmix pushed a commit that referenced this issue Sep 5, 2022
commit d957e7f upstream.

PalinuroSec pushed a commit to ParrotSec/linux-rpi that referenced this issue Apr 25, 2023
linux (5.10.24-5parrot1) rolling; urgency=medium
.
  * Import new Debian release.
  * Import Parrot patches.
.
linux (5.10.24-1) unstable; urgency=medium
.
  * New upstream stable update:
    https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.20
    - vmlinux.lds.h: add DWARF v5 sections
    - debugfs: be more robust at handling improper input in debugfs_lookup()
    - debugfs: do not attempt to create a new file before the filesystem is
      initalized
    - scsi: libsas: docs: Remove notify_ha_event()
    - scsi: qla2xxx: Fix mailbox Ch erroneous error
    - kdb: Make memory allocations more robust
    - w1: w1_therm: Fix conversion result for negative temperatures
    - [arm64] PCI: qcom: Use PHY_REFCLK_USE_PAD only for ipq8064
    - PCI: Decline to resize resources if boot config must be preserved
    - [x86] virt: vbox: Do not use wait_event_interruptible when called from
      kernel context
    - bfq: Avoid false bfq queue merging
    - ALSA: usb-audio: Fix PCM buffer allocation in non-vmalloc mode
    - [mips*] vmlinux.lds.S: add missing PAGE_ALIGNED_DATA() section
    - random: fix the RNDRESEEDCRNG ioctl
    - ALSA: pcm: Call sync_stop at disconnection
    - ALSA: pcm: Assure sync with the pending stop operation at suspend
    - ALSA: pcm: Don't call sync_stop if it hasn't been stopped
    - [arm64] Bluetooth: btqcomsmd: Fix a resource leak in error handling
      paths in the probe function
    - Bluetooth: hci_uart: Fix a race for write_work scheduling
    - Bluetooth: Fix initializing response id after clearing struct
    - [armhf] dts: exynos: correct PMIC interrupt trigger level on Spring
    - [armhf] dts: exynos: correct PMIC interrupt trigger level on Arndale
      Octa
    - Bluetooth: hci_qca: Fix memleak in qca_controller_memdump
    - [arm*] staging: vchiq: Fix bulk userdata handling
    - [arm*] staging: vchiq: Fix bulk transfers on 64-bit builds
    - [arm64,armhf] net: stmmac: dwmac-meson8b: fix enabling the
      timing-adjustment clock
    - bpf: Add bpf_patch_call_args prototype to include/linux/bpf.h
    - bpf: Avoid warning when re-casting __bpf_call_base into
      __bpf_call_base_args
    - [arm64] dts: allwinner: A64: properly connect USB PHY to port 0
    - [arm64] dts: allwinner: A64: Limit MMC2 bus frequency to 150 MHz
    - ACPICA: Fix exception code class checks
    - usb: gadget: u_audio: Free requests only after callback
    - Bluetooth: drop HCI device reference before return
    - Bluetooth: Put HCI device if inquiry procedure interrupts
    - [arm*] usb: dwc2: Do not update data length if it is 0 on inbound
      transfers
    - [arm*] usb: dwc2: Abort transaction after errors with unknown reason
    - [arm*] usb: dwc2: Make "trimming xfer length" a debug message
    - staging: rtl8723bs: wifi_regd.c: Fix incorrect number of regulatory
      rules
    - [x86] MSR: Filter MSR writes through X86_IOC_WRMSR_REGS ioctl too
    - [armhf] dts: armada388-helios4: assign pinctrl to LEDs
    - [armhf] dts: armada388-helios4: assign pinctrl to each fan
    - opp: Correct debug message in _opp_add_static_v2()
    - Bluetooth: btusb: Fix memory leak in btusb_mtk_wmt_recv
    - iwlwifi: mvm: set enabled in the PPAG command properly
    - [arm64] optee: simplify i2c access
    - ath10k: Fix suspicious RCU usage warning in
      ath10k_wmi_tlv_parse_peer_stats_info()
    - ath10k: Fix lockdep assertion warning in ath10k_sta_statistics
    - iwlwifi: mvm: fix the type we use in the PPAG table validity checks
    - iwlwifi: mvm: store PPAG enabled/disabled flag properly
    - iwlwifi: mvm: send stored PPAG command instead of local
    - iwlwifi: mvm: assign SAR table revision to the command later
    - iwlwifi: mvm: don't check if CSA event is running before removing
    - bpf_lru_list: Read double-checked variable once without lock
    - iwlwifi: pnvm: set the PNVM again if it was already loaded
    - iwlwifi: pnvm: increment the pointer before checking the TLV
    - bnxt_en: reverse order of TX disable and carrier off
    - bnxt_en: Fix devlink info's stored fw.psid version format.
    - xen/netback: fix spurious event detection for common event case
    - net: phy: consider that suspend2ram may cut off PHY power
    - net/mlx5e: Don't change interrupt moderation params when DIM is enabled
    - net/mlx5e: Change interrupt moderation channel params also when channels
      are closed
    - net/mlx5: Fix health error state handling
    - net/mlx5e: Replace synchronize_rcu with synchronize_net
    - net/mlx5e: kTLS, Use refcounts to free kTLS RX priv context
    - net/mlx5: Disable devlink reload for multi port slave device
    - net/mlx5: Disallow RoCE on multi port slave device
    - net/mlx5: Disallow RoCE on lag device
    - net/mlx5: Disable devlink reload for lag devices
    - net/mlx5e: CT: manage the lifetime of the ct entry object
    - net/mlx5e: Check tunnel offload is required before setting SWP
    - mac80211: fix potential overflow when multiplying to u32 integers
    - libbpf: Ignore non function pointer member in struct_ops
    - bpf: Fix an unitialized value in bpf_iter
    - bpf, devmap: Use GFP_KERNEL for xdp bulk queue allocation
    - bpf: Fix bpf_fib_lookup helper MTU check for SKB ctx
    - tcp: fix SO_RCVLOWAT related hangs under mem pressure
    - cxgb4/chtls/cxgbit: Keeping the max ofld immediate data size same in
      cxgb4 and ulds
    - b43: N-PHY: Fix the update of coef for the PHY revision >= 3case
    - bpf: Clear subreg_def for global function return values
    - [amd64,arm64] net: amd-xgbe: Reset the PHY rx data path when mailbox
      command timeout
    - [amd64,arm64] net: amd-xgbe: Fix NETDEV WATCHDOG transmit queue timeout
      warning
    - [amd64,arm64] net: amd-xgbe: Reset link when the link never comes back
    - [amd64,arm64] net: amd-xgbe: Fix network fluctuations when using 1G
      BELFUSE SFP
    - [arm64,armhf] net: mvneta: Remove per-cpu queue mapping for Armada 3700
    - tty: convert tty_ldisc_ops 'read()' function to take a kernel pointer
    - tty: implement read_iter
    - [x86] drm/gma500: Fix error return code in psb_driver_load()
    - [x86] gma500: clean up error handling in init
    - drm/fb-helper: Add missed unlocks in setcmap_legacy()
    - [arm*] drm/vc4: hdmi: Take into account the clock doubling flag in
      atomic_check
    - [arm64] crypto: arm64/aes-ce - really hide slower algos when faster ones
      are enabled
    - [mips*] c-r4k: Fix section mismatch for loongson2_sc_init
    - drm/virtio: make sure context is created in gem open
    - media: em28xx: Fix use-after-free in em28xx_alloc_urbs
    - media: media/pci: Fix memleak in empress_init
    - [x86] media: tm6000: Fix memleak in tm6000_start_stream
    - sched/fair: Avoid stale CPU util_est value for schedutil in task dequeue
    - [arm64,armhf] drm/sun4i: tcon: fix inverted DCLK polarity
    - [mips*] properly stop .eh_frame generation
    - [arm64,armhf] drm/tegra: Fix reference leak when pm_runtime_get_sync()
      fails
    - bsg: free the request before return error code
    - media: lmedm04: Fix misuse of comma
    - media: qm1d1c0042: fix error return code in qm1d1c0042_init()
    - media: uvcvideo: Accept invalid bFormatIndex and bFrameIndex values
    - sched/eas: Don't update misfit status if the task is pinned
    - f2fs: compress: fix potential deadlock
    - [arm64] ASoC: qcom: lpass-cpu: Remove bit clock state check
    - perf/arm-cmn: Fix PMU instance naming
    - perf/arm-cmn: Move IRQs when migrating context
    - mm: proc: Invalidate TLB after clearing soft-dirty page state
    - f2fs: fix to avoid inconsistent quota data
    - f2fs: fix a wrong condition in __submit_bio
    - [arm64] ASoC: qcom: Fix typo error in HDMI regmap config callbacks
    - [x86] KVM: nSVM: Don't strip host's C-bit from guest's CR3 when reading
      PDPTRs
    - [x86] Drivers: hv: vmbus: Avoid use-after-free in
      vmbus_onoffer_rescind()
    - [x86] ASoC: Intel: sof_sdw: add missing TGL_HDMI quirk for Dell SKU 0A5E
    - [x86] ASoC: Intel: sof_sdw: add missing TGL_HDMI quirk for Dell SKU 0A3E
    - locking/lockdep: Avoid unmatched unlock
    - [arm64] ASoC: qcom: lpass: Fix i2s ctl register bit map
    - btrfs: clarify error returns values in __load_free_space_cache
    - btrfs: fix double accounting of ordered extent for subpage case in
      btrfs_invalidapge
    - [x86] KVM: Restore all 64 bits of DR6 and DR7 during RSM on x86-64
    - [s390x] zcrypt: return EIO when msg retry limit reached
    - [arm*] drm/vc4: hdmi: Move hdmi reset to bind
    - [arm*] drm/vc4: hdmi: Fix register offset with longer CEC messages
    - [arm*] drm/vc4: hdmi: Fix up CEC registers
    - [arm*] drm/vc4: hdmi: Restore cec physical address on reconnect
    - [arm*] drm/vc4: hdmi: Compute the CEC clock divider from the clock rate
    - [arm*] drm/vc4: hdmi: Update the CEC clock divider on HSM rate change
    - drm/dp_mst: Don't cache EDIDs for physical ports
    - crypto: ecdh_helper - Ensure 'len >= secret.len' in decode_key()
    - io_uring: fix possible deadlock in io_uring_poll
    - nvme-multipath: set nr_zones for zoned namespaces
    - nvmet: remove extra variable in identify ns
    - nvmet: set status to 0 in case for invalid nsid
    - [armel,armhf] ASoC: simple-card-utils: Fix device module clock
    - fs/jfs: fix potential integer overflow on shift of a int
    - jffs2: fix use after free in jffs2_sum_write_data()
    - smp: Process pending softirqs in flush_smp_call_function_from_idle()
    - capabilities: Don't allow writing ambiguous v3 file capabilities
    - [armhf] HSI: Fix PM usage counter unbalance in ssi_hw_init
    - [arm64,armhf] clk: meson: clk-pll: fix initializing the old rate
      (fallback) for a PLL
    - [arm64,armhf] clk: meson: clk-pll: make "ret" a signed integer
    - [arm64,armhf] clk: meson: clk-pll: propagate the error from
      meson_clk_pll_set_rate()
    - quota: Fix memory leak when handling corrupted quota file
    - [arm64] clk: sunxi-ng: h6: Fix CEC clock
    - HID: core: detect and skip invalid inputs to snto32()
    - fdt: Properly handle "no-map" field in the memory region
    - of/fdt: Make sure no-map does not remove already reserved regions
    - [armhf] spi: imx: Don't print error on -EPROBEDEFER
    - RDMA/mlx5: Use the correct obj_id upon DEVX TIR creation
    - IB/mlx5: Add mutex destroy call to cap_mask_mutex mutex
    - [arm64] clk: sunxi-ng: h6: Fix clock divider range on some clocks
    - [arm64,armhf] platform/chrome: cros_ec_proto: Use EC_HOST_EVENT_MASK not
      BIT
    - [arm64,armhf] platform/chrome: cros_ec_proto: Add LID and BATTERY to
      default mask
    - [arm64,armhf] regulator: axp20x: Fix reference cout leak
    - watch_queue: Drop references to /dev/watch_queue
    - certs: Fix blacklist flag type confusion
    - [armhf] regulator: s5m8767: Fix reference count leak
    - [armhf] regulator: s5m8767: Drop regulators OF node reference
    - [arm64,armhf] power: supply: axp20x_usb_power: Init work before enabling
      IRQs
    - regulator: core: Avoid debugfs: Directory ... already present! error
    - isofs: release buffer head before return
    - objtool: Fix error handling for STD/CLD warnings
    - objtool: Fix retpoline detection in asm code
    - objtool: Fix ".cold" section suffix check for newer versions of GCC
    - scsi: lpfc: Fix ancient double free
    - iommu: Switch gather->end to the inclusive end
    - IB/umad: Return EIO in case of when device disassociated
    - IB/umad: Return EPOLLERR in case of when device disassociated
    - [ppc64el] KVM: Make the VMX instruction emulation routines static
    - [powerpc*] time: Enable sched clock for irqtime
    - [armel,armhf] 9046/1: decompressor: Do not clear SCTLR.nTLSMD for ARMv7+
      cores
    - [arm*] amba: Fix resource leak for drivers without .remove
    - iommu: Move iotlb_sync_map out from __iommu_map
    - iommu: Properly pass gfp_t in _iommu_map() to avoid atomic sleeping
    - IB/mlx5: Return appropriate error code instead of ENOMEM
    - IB/cm: Avoid a loop when device has 255 ports
    - tracepoint: Do not fail unregistering a probe due to memory failure
    - perf tools: Fix DSO filtering when not finding a map for a sampled
      address
    - perf vendor events arm64: Fix Ampere eMag event typo
    - RDMA/rxe: Fix coding error in rxe_recv.c
    - RDMA/rxe: Fix coding error in rxe_rcv_mcast_pkt
    - RDMA/rxe: Correct skb on loopback path
    - [powerpc*] pseries/dlpar: handle ibm, configure-connector delay status
    - [arm64] RDMA/hns: Fixed wrong judgments in the goto branch
    - [arm64] RDMA/hns: Fix type of sq_signal_bits
    - [arm64] RDMA/hns: Disable RQ inline by default
    - clk: divider: fix initialization with parent_hw
    - [amd64] spi: pxa2xx: Fix the controller numbering for Wildcat Point
    - [powerpc*] uaccess: Avoid might_fault() when user access is enabled
    - [powerpc*] kuap: Restore AMR after replaying soft interrupts
    - perf symbols: Use (long) for iterator for bfd symbols
    - spi: Skip zero-length transfers in spi_transfer_one_message()
    - printk: avoid prb_first_valid_seq() where possible
    - perf symbols: Fix return value when loading PE DSO
    - nfsd: register pernet ops last, unregister first
    - svcrdma: Hold private mutex while invoking rdma_accept()
    - ceph: fix flush_snap logic after putting caps
    - [arm64] RDMA/hns: Fixes missing error code of CMDQ
    - RDMA/ucma: Fix use-after-free bug in ucma_create_uevent
    - Input: sur40 - fix an error code in sur40_probe()
    - perf record: Fix continue profiling after draining the buffer
    - perf intel-pt: Fix missing CYC processing in PSB
    - perf intel-pt: Fix premature IPC
    - perf intel-pt: Fix IPC with CYC threshold
    - perf test: Fix unaligned access in sample parsing test
    - Input: elo - fix an error code in elo_connect()
    - [arm64,armhf] phy: rockchip-emmc: emmc_phy_init() always return 0
    - [arm64,armhf] pwm: rockchip: Enable APB clock during register access
      while probing
    - [arm64,armhf] pwm: rockchip: rockchip_pwm_probe(): Remove superfluous
      clk_unprepare()
    - [arm64,armhf] pwm: rockchip: Eliminate potential race condition when
      probing
    - [x86] VMCI: Use set_page_dirty_lock() when unregistering guest memory
    - PCI: Align checking of syscall user config accessors
    - [x86] mei: hbm: call mei_set_devstate() on hbm stop response
    - [arm64] drm/msm: Fix MSM_INFO_GET_IOVA with carveout
    - [arm64] drm/msm/dsi: Correct io_start for MSM8994 (20nm PHY)
    - [arm64] drm/msm/mdp5: Fix wait-for-commit for cmd panels
    - [arm64] drm/msm: Fix race of GPU init vs timestamp power management.
    - [arm64] drm/msm: Fix races managing the OOB state for timestamp vs
      timestamps.
    - [arm64] drm/msm/dp: trigger unplug event in msm_dp_display_disable
    - [amd64,arm64] vfio/iommu_type1: Populate full dirty when detach
      non-pinned group
    - [amd64,arm64] vfio/iommu_type1: Fix some sanity checks in detach group
    - ext4: fix potential htree index checksum corruption
    - nvmem: core: Fix a resource leak on error in nvmem_add_cells_from_of()
    - nvmem: core: skip child nodes not matching binding
    - soundwire: bus: use sdw_update_no_pm when initializing a device
    - soundwire: bus: use sdw_write_no_pm when setting the bus scale registers
    - soundwire: export sdw_write/read_no_pm functions
    - soundwire: bus: fix confusion on device used by pm_runtime
    - ext: EXT4_KUNIT_TESTS should depend on EXT4_FS instead of selecting it
    - PCI: pci-bridge-emul: Fix array overruns, improve safety
    - i40e: Fix flow for IPv6 next header (extension header)
    - i40e: Add zero-initialization of AQ command structures
    - i40e: Fix overwriting flow control settings during driver loading
    - i40e: Fix addition of RX filters after enabling FW LLDP agent
    - i40e: Fix VFs not created
    - Take mmap lock in cacheflush syscall
    - i40e: Fix add TC filter for IPv6
    - [amd64,arm64] vfio/type1: Use follow_pte()
    - ice: report correct max number of TCs
    - ice: Account for port VLAN in VF max packet size calculation
    - ice: Fix state bits on LLDP mode switch
    - ice: update the number of available RSS queues
    - [arm64,armhf] net: stmmac: fix CBS idleslope and sendslope calculation
    - net/mlx4_core: Add missed mlx4_free_cmd_mailbox()
    - [arm64] PCI: rockchip: Make 'ep-gpios' DT property optional
    - vxlan: move debug check after netdev unregister
    - wireguard: device: do not generate ICMP for non-IP packets
    - wireguard: kconfig: use arm chacha even with no neon
    - ocfs2: fix a use after free on error
    - mm: memcontrol: fix NR_ANON_THPS accounting in charge moving
    - mm: memcontrol: fix slub memory accounting
    - mm/memory.c: fix potential pte_unmap_unlock pte error
    - mm/hugetlb: fix potential double free in hugetlb_register_node() error
      path
    - mm/hugetlb: suppress wrong warning info when alloc gigantic page
    - mm/compaction: fix misbehaviors of fast_find_migrateblock()
    - NFSv4: Fixes for nfs4_bitmask_adjust()
    - [x86] KVM: SVM: Intercept INVPCID when it's disabled to inject #UD
    - [x86] KVM: x86/mmu: Expand collapsible SPTE zap for TDP MMU to
      ZONE_DEVICE and HugeTLB pages
    - [arm64] Add missing ISB after invalidating TLB in __primary_switch
    - [armhf] i2c: exynos5: Preserve high speed master code
    - mm,thp,shmem: make khugepaged obey tmpfs mount flags
    - mm: fix memory_failure() handling of dax-namespace metadata
    - mm/rmap: fix potential pte_unmap on an not mapped pte
    - proc: use kvzalloc for our kernel buffer
    - scsi: sd: sd_zbc: Don't pass GFP_NOIO to kvcalloc
    - block: reopen the device in blkdev_reread_part
    - scsi: sd: Fix Opal support
    - blk-settings: align max_sectors on "logical_block_size" boundary
    - ACPI: property: Fix fwnode string properties matching
    - ACPI: configfs: add missing check after
      configfs_register_default_group()
    - cpufreq: ACPI: Set cpuinfo.max_freq directly if max boost is known
    - HID: logitech-dj: add support for keyboard events in eQUAD step 4 Gaming
    - HID: wacom: Ignore attempts to overwrite the touch_max value from HID
    - Input: xpad - add support for PowerA Enhanced Wired Controller for Xbox
      Series X|S
    - Input: joydev - prevent potential read overflow in ioctl
    - Input: i8042 - add ASUS Zenbook Flip to noselftest list
    - media: mceusb: Fix potential out-of-bounds shift
    - USB: serial: option: update interface mapping for ZTE P685M
    - [arm64,armhf] usb: musb: Fix runtime PM race in musb_queue_resume_work
    - [arm64,armhf] usb: dwc3: gadget: Fix setting of DEPCFG.bInterval_m1
    - [arm64,armhf] usb: dwc3: gadget: Fix dep->interval for fullspeed
      interrupt
    - USB: serial: ftdi_sio: fix FTX sub-integer prescaler
    - USB: serial: pl2303: fix line-speed handling on newer chips
    - USB: serial: mos7840: fix error code in mos7840_write()
    - USB: serial: mos7720: fix error code in mos7720_write()
    - ALSA: hda: Add another CometLake-H PCI ID
    - ALSA: hda/hdmi: Drop bogus check at closing a stream
    - ALSA: hda/realtek: modify EAPD in the ALC886
    - ALSA: hda/realtek: Quirk for HP Spectre x360 14 amp setup
    - [mips*] Ingenic: Disable HPTLB for D0 XBurst CPUs too
    - [mips*] Revert "MIPS: Octeon: Remove special handling of
      CONFIG_MIPS_ELF_APPENDED_DTB=y"
    - Revert "bcache: Kill btree_io_wq"
    - bcache: Give btree_io_wq correct semantics again
    - bcache: Move journal work to new flush wq
    - drm/amdgpu: Set reference clock to 100Mhz on Renoir (v2)
    - drm/nouveau/kms: handle mDP connectors
    - drm/modes: Switch to 64bit maths to avoid integer overflow
    - drm/sched: Cancel and flush all outstanding jobs before finish.
    - selinux: fix inconsistency between inode_getxattr and inode_listsecurity
    - tpm_tis: Fix check_locality for correct locality acquisition
    - tpm_tis: Clean up locality release
    - KEYS: trusted: Fix incorrect handling of tpm_get_random()
    - KEYS: trusted: Fix migratable=1 failing
    - KEYS: trusted: Reserve TPM for seal and unseal operations
    - btrfs: do not cleanup upper nodes in btrfs_backref_cleanup_node
    - btrfs: do not warn if we can't find the reloc root when looking up
      backref
    - btrfs: add asserts for deleting backref cache nodes
    - btrfs: abort the transaction if we fail to inc ref in btrfs_copy_root
    - btrfs: fix reloc root leak with 0 ref reloc roots on recovery
    - btrfs: splice remaining dirty_bg's onto the transaction dirty bg list
    - btrfs: handle space_info::total_bytes_pinned inside the delayed ref
      itself
    - btrfs: account for new extents being deleted in total_bytes_pinned
    - btrfs: fix extent buffer leak on failure to copy root
    - [arm64] crypto: arm64/sha - add missing module aliases
    - [x86] crypto: aesni - prevent misaligned buffers on the stack
    - crypto: michael_mic - fix broken misalignment handling
    - seccomp: Add missing return in non-void function
    - [arm64] ptrace: Fix seccomp of traced syscall -1 (NO_SYSCALL)
    - misc: rtsx: init of rts522a add OCP power off when no card is present
    - [x86] drivers/misc/vmw_vmci: restrict too big queue size in
      qp_host_alloc_queue
    - pstore: Fix typo in compression option name
    - staging: rtl8188eu: Add Edimax EW-7811UN V2 to device table
    - floppy: reintroduce O_NDELAY fix
    - media: marvell-ccic: power up the device on mclk enable
    - media: smipcie: fix interrupt handling and IR timeout
    - [x86] virt: Eat faults on VMXOFF in reboot flows
    - [x86] reboot: Force all cpus to exit VMX root if VMX is supported
    - [x86] fault: Fix AMD erratum #91 errata fixup for user code
    - [x86] entry: Fix instrumentation annotation
    - [powerpc*] prom: Fix "ibm,arch-vec-5-platform-support" scan
    - rcu: Pull deferred rcuog wake up to rcu_eqs_enter() callers
    - rcu/nocb: Perform deferred wake up before last idle's need_resched()
      check
    - kprobes: Fix to delay the kprobes jump optimization
    - [arm64] Extend workaround for erratum 1024718 to all versions of
      Cortex-A55
    - [arm64] uprobe: Return EOPNOTSUPP for AARCH32 instruction probing
    - [arm64] module: set plt* section addresses to 0x0
    - [arm64] spectre: Prevent lockdep splat on v4 mitigation enable path
    - [arm64] watchdog: qcom: Remove incorrect usage of QCOM_WDT_ENABLE_IRQ
    - [x86] watchdog: mei_wdt: request stop on unregister
    - fs/affs: release old buffer head on error path
    - seq_file: document how per-entry resources are managed.
    - [x86] fix seq_file iteration for pat/memtype.c
    - mm: memcontrol: fix swap undercounting in cgroup2
    - mm: memcontrol: fix get_active_memcg return value
    - hugetlb: fix update_and_free_page contig page struct assumption
    - hugetlb: fix copy_huge_page_from_user contig page struct assumption
    - mm/vmscan: restore zone_reclaim_mode ABI
    - mm, compaction: make fast_isolate_freepages() stay within zone
    - [x86] KVM: nSVM: fix running nested guests when npt=0
    - nvmem: qcom-spmi-sdam: Fix uninitialized pdev pointer
    - module: Ignore _GLOBAL_OFFSET_TABLE_ when warning for undefined symbols
    - [armhf] mmc: sdhci-esdhc-imx: fix kernel panic when remove module
    - mmc: sdhci-pci-o2micro: Bug fix for SDR104 HW tuning failure
    - [arm64] spmi: spmi-pmic-arb: Fix hw_irq overflow
    - [x86] mei: fix transfer over dma with extended header
    - [x86] mei: me: emmitsburg workstation DID
    - [x86] mei: me: add adler lake point S DID
    - [x86] mei: me: add adler lake point LP DID
    - [armhf] gpio: pcf857x: Fix missing first interrupt
    - printk: fix deadlock when kernel panic
    - exfat: fix shift-out-of-bounds in exfat_fill_super()
    - zonefs: Fix file size of zones in full condition
    - [x86] cpufreq: intel_pstate: Change intel_pstate_get_hwp_max() argument
    - [x86] cpufreq: intel_pstate: Get per-CPU max freq via
      MSR_HWP_CAPABILITIES if available
    - proc: don't allow async path resolution of /proc/thread-self components
    - [s390x] vtime: fix inline assembly clobber list
    - [s390x] virtio/s390: implement virtio-ccw revision 2 correctly
    - f2fs: fix out-of-repair __setattr_copy()
    - f2fs: enforce the immutable flag on open files
    - f2fs: flush data when enabling checkpoint back
    - gfs2: fix glock confusion in function signal_our_withdraw
    - gfs2: Don't skip dlm unlock if glock has an lvb
    - gfs2: Lock imbalance on error path in gfs2_recover_one
    - gfs2: Recursive gfs2_quota_hold in gfs2_iomap_end
    - dm: fix deadlock when swapping to encrypted device
    - dm table: fix iterate_devices based device capability checks
    - dm table: fix DAX iterate_devices based device capability checks
    - dm table: fix zoned iterate_devices based device capability checks
    - dm writecache: fix performance degradation in ssd mode
    - dm writecache: return the exact table values that were set
    - dm writecache: fix writing beyond end of underlying device when
      shrinking
    - dm era: Recover committed writeset after crash
    - dm era: Update in-core bitset after committing the metadata
    - dm era: Verify the data block size hasn't changed
    - dm era: Fix bitset memory leaks
    - dm era: Use correct value size in equality function of writeset tree
    - dm era: Reinitialize bitset cache before digesting a new writeset
    - dm era: only resize metadata in preresume
    - kgdb: fix to kill breakpoints on initmem after boot
    - ipv6: silence compilation warning for non-IPV6 builds
    - net: icmp: pass zeroed opts from icmp{,v6}_ndo_send before sending
    - wireguard: queueing: get rid of per-peer ring buffers
    - net: sched: fix police ext initialization
    - net_sched: fix RTNL deadlock again caused by request_module()
    https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.21
    - net: usb: qmi_wwan: support ZTE P685M modem
    - Input: elantech - fix protocol errors for some trackpoints in SMBus mode
    - Input: elan_i2c - add new trackpoint report type 0x5F
    - drm/virtio: use kvmalloc for large allocations
    - [x86] build: Treat R_386_PLT32 relocation as R_386_PC32
    - JFS: more checks for invalid superblock
    - sched/core: Allow try_invoke_on_locked_down_task() with irqs disabled
    - udlfb: Fix memory leak in dlfb_usb_probe
    - media: mceusb: sanity check for prescaler value
    - erofs: fix shift-out-of-bounds of blkszbits
    - media: v4l2-ctrls.c: fix shift-out-of-bounds in std_validate
    - xfs: Fix assert failure in xfs_setattr_size()
    - [s390x] net/af_iucv: remove WARN_ONCE on malformed RX packets
    - tomoyo: ignore data race while checking quota
    - net: fix up truesize of cloned skb in skb_prepare_for_shift()
    - [riscv64] Get rid of MAX_EARLY_MAPPING_SIZE
    - nbd: handle device refs for DESTROY_ON_DISCONNECT properly
    - mm/hugetlb.c: fix unnecessary address expansion of pmd sharing
    - tcp: fix tcp_rmem documentation
    - net: bridge: use switchdev for port flags set through sysfs too
    - net/sched: cls_flower: Reject invalid ct_state flags rules
    - net: psample: Fix netlink skb length with tunnel info
    - net: fix dev_ifsioc_locked() race condition
    - dt-bindings: ethernet-controller: fix fixed-link specification
    - dt-bindings: net: btusb: DT fix s/interrupt-name/interrupt-names/
    - [arm64] ASoC: qcom: Remove useless debug print
    - rsi: Fix TX EAPOL packet handling against iwlwifi AP
    - rsi: Move card interrupt handling to RX thread
    - [x86] EDAC/amd64: Do not load on family 0x15, model 0x13
    - [x86] reboot: Add Zotac ZBOX CI327 nano PCI reboot quirk
    - vt/consolemap: do font sum unsigned
    - [arm64,armhf] wlcore: Fix command execute failure 19 for wl12xx
    - Bluetooth: hci_h5: Set HCI_QUIRK_SIMULTANEOUS_DISCOVERY for btrtl
    - Bluetooth: btusb: fix memory leak on suspend and resume
    - pktgen: fix misuse of BUG_ON() in pktgen_thread_worker()
    - ath10k: fix wmi mgmt tx queue full due to race condition
    - net: sfp: add mode quirk for GPON module Ubiquiti U-Fiber Instant
    - Bluetooth: Add new HCI_QUIRK_NO_SUSPEND_NOTIFIER quirk
    - Bluetooth: Fix null pointer dereference in amp_read_loc_assoc_final_data
    - [arm*] staging: bcm2835-audio: Replace unsafe strcpy() with strscpy()
    - brcmfmac: Add DMI nvram filename quirk for Predia Basic tablet
    - brcmfmac: Add DMI nvram filename quirk for Voyo winpad A15 tablet
    - [arm64] drm/hisilicon: Fix use-after-free
    - crypto: tcrypt - avoid signed overflow in byte count
    - fs: make unlazy_walk() error handling consistent
    - drm/amdgpu: Add check to prevent IH overflow
    - PCI: Add a REBAR size quirk for Sapphire RX 5600 XT Pulse
    - [x86] ASoC: Intel: bytcr_rt5640: Add new BYT_RT5640_NO_SPEAKERS
      quirk-flag
    - media: uvcvideo: Allow entities with no pads
    - f2fs: handle unallocated section and zone on pinned/atgc
    - f2fs: fix to set/clear I_LINKABLE under i_lock
    - nvme-core: add cancel tagset helpers
    - nvme-rdma: add clean action for failed reconnection
    - nvme-tcp: add clean action for failed reconnection
    - ASoC: Intel: Add DMI quirk table to soc_intel_is_byt_cr()
    - btrfs: fix error handling in commit_fs_roots
    - [x86] perf/x86/kvm: Add Cascade Lake Xeon steppings to
      isolation_ucodes[]
    - [x86] ASoC: Intel: sof-sdw: indent and add quirks consistently
    - [x86] ASoC: Intel: sof_sdw: detect DMIC number based on mach params
    - sched/features: Fix hrtick reprogramming
    - [x86] ASoC: Intel: bytcr_rt5640: Add quirk for the Estar Beauty HD MID
      7316R tablet
    - [x86] ASoC: Intel: bytcr_rt5640: Add quirk for the Voyo Winpad A15
      tablet
    - [x86] ASoC: Intel: bytcr_rt5651: Add quirk for the Jumper EZpad 7 tablet
    - [x86] ASoC: Intel: bytcr_rt5640: Add quirk for the Acer One S1002 tablet
    - scsi: iscsi: Restrict sessions and handles to admin capabilities
      (CVE-2021-27363, CVE-2021-27364)
    - scsi: iscsi: Ensure sysfs attributes are limited to PAGE_SIZE
      (CVE-2021-27365)
    - scsi: iscsi: Verify lengths on passthrough PDUs (CVE-2021-27365)
    - Xen/gnttab: handle p2m update errors on a per-slot basis
      (CVE-2021-28038)
    - xen-netback: respect gnttab_map_refs()'s return value (CVE-2021-28038)
    - xen: fix p2m size in dom0 for disabled memory hotplug case
      (CVE-2021-28039)
    - zsmalloc: account the number of compacted pages correctly
    - swap: fix swapfile read/write offset
    - [powerpc*] sstep: Check instruction validity against ISA version before
      emulation
    - [powerpc*] sstep: Fix incorrect return from analyze_instr()
    - tty: fix up iterate_tty_read() EOVERFLOW handling
    - tty: fix up hung_up_tty_read() conversion
    - tty: clean up legacy leftovers from n_tty line discipline
    - tty: teach n_tty line discipline about the new "cookie continuations"
    - tty: teach the n_tty ICANON case about the new "cookie continuations"
      too
    - media: v4l: ioctl: Fix memory leak in video_usercopy
    - ALSA: hda/realtek: Add quirk for Clevo NH55RZQ
    - ALSA: hda/realtek: Add quirk for Intel NUC 10
    - ALSA: hda/realtek: Apply dual codec quirks for MSI Godlike X570 board
    - net: sfp: VSOL V2801F / CarlitoxxPro CPGOS03-0490 v2.0 workaround
    - net: sfp: add workaround for Realtek RTL8672 and RTL9601C chips
    https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.22
    - ALSA: hda/realtek: Enable headset mic of Acer SWIFT with ALC256
    - ALSA: usb-audio: Drop bogus dB range in too low level
    - tpm, tpm_tis: Decorate tpm_tis_gen_interrupt() with request_locality()
    - tpm, tpm_tis: Decorate tpm_get_timeouts() with request_locality()
    - btrfs: avoid double put of block group when emptying cluster
    - btrfs: fix raid6 qstripe kmap
    - btrfs: fix race between writes to swap files and scrub
    - btrfs: fix race between swap file activation and snapshot creation
    - btrfs: fix stale data exposure after cloning a hole with NO_HOLES
      enabled
    - btrfs: fix race between extent freeing/allocation when using bitmaps
    - btrfs: validate qgroup inherit for SNAP_CREATE_V2 ioctl
    - btrfs: free correct amount of space in
      btrfs_delayed_inode_reserve_metadata
    - btrfs: unlock extents in btrfs_zero_range in case of quota reservation
      errors
    - btrfs: fix warning when creating a directory with smack enabled
    - PM: runtime: Update device status before letting suppliers suspend
    - ring-buffer: Force before_stamp and write_stamp to be different on
      discard
    - io_uring: ignore double poll add on the same waitqueue head
    - dm bufio: subtract the number of initial sectors in
      dm_bufio_get_device_size
    - drm/amdgpu:disable VCN for Navi12 SKU
    - drm/amdgpu: fix parameter error of RREG32_PCIE() in amdgpu_regs_pcie
    - [arm64] mm: Move reserve_crashkernel() into mem_init()
    - [arm64] mm: Move zone_dma_bits initialization into zone_sizes_init()
    - of/address: Introduce of_dma_get_max_cpu_address()
    - [arm64] mm: Set ZONE_DMA size based on devicetree's dma-ranges
    - [arm64] mm: Set ZONE_DMA size based on early IORT scan
    - ALSA: ctxfi: cthw20k2: fix mask on conf to allow 4 bits
    - RDMA/cm: Fix IRQ restore in ib_send_cm_sidr_rep
    - IB/mlx5: Add missing error code
    - ALSA: hda: intel-nhlt: verify config type
    - ftrace: Have recordmcount use w8 to read relp->r_info in
      arm64_is_fake_mcount
    - rsxx: Return -EFAULT if copy_to_user() fails
    - [amd64] iommu/vt-d: Fix status code for Allocate/Free PASID command
    - tomoyo: recognize kernel threads correctly
    - r8169: fix resuming from suspend on RTL8105e if machine runs on battery
    https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.23
    - ACPICA: Fix race in generic_serial_bus (I2C) and GPIO op_region
      parameter handling
    - nvme-pci: mark Kingston SKC2000 as not supporting the deepest power
      state
    - btrfs: export and rename qgroup_reserve_meta
    - btrfs: don't flush from btrfs_delayed_inode_reserve_metadata
    - [amd64] iommu/amd: Fix sleeping in atomic in increase_address_space()
    - Bluetooth: btqca: Add valid le states quirk
    - mwifiex: pcie: skip cancel_work_sync() on reset failure path
    - [x86] ASoC: Intel: sof_sdw: add quirk for new TigerLake-SDCA device
    - [armhf] bus: ti-sysc: Implement GPMC debug quirk to drop platform data
    - [x86] platform/x86: acer-wmi: Cleanup ACER_CAP_FOO defines
    - [x86] platform/x86: acer-wmi: Cleanup accelerometer device handling
    - [x86] platform/x86: acer-wmi: Add new force_caps module parameter
    - [x86] platform/x86: acer-wmi: Add ACER_CAP_SET_FUNCTION_MODE capability
      flag
    - [x86] platform/x86: acer-wmi: Add support for SW_TABLET_MODE on Switch
      devices
    - [x86] platform/x86: acer-wmi: Add ACER_CAP_KBD_DOCK quirk for the Aspire
      Switch 10E SW3-016
    - HID: mf: add support for 0079:1846 Mayflash/Dragonrise USB Gamecube
      Adapter
    - media: cx23885: add more quirks for reset DMA on some AMD IOMMU
    - [x86] ACPI: video: Add DMI quirk for GIGABYTE GB-BXBT-2807
    - [x86] ASoC: Intel: bytcr_rt5640: Add quirk for ARCHOS Cesium 140
    - PCI: Add function 1 DMA alias quirk for Marvell 9215 SATA controller
    - [x86] KVM: x86: Supplement __cr4_reserved_bits() with X86_FEATURE_PCID
      check
    - [x86] ASoC: Intel: sof_sdw: add missing TGL_HDMI quirk for Dell SKU 0A32
    - scsi: ufs: Add a quirk to permit overriding UniPro defaults
    - misc: eeprom_93xx46: Add quirk to support Microchip 93LC46B eeprom
    - scsi: ufs: Introduce a quirk to allow only page-aligned sg entries
    - [arm64] drm/msm/a5xx: Remove overwriting A5XX_PC_DBG_ECO_CNTL register
    - HID: i2c-hid: Add I2C_HID_QUIRK_NO_IRQ_AFTER_RESET for ITE8568 EC on
      Voyo Winpad A15
    - ALSA: usb-audio: Add DJM750 to Pioneer mixer quirk
    - ALSA: usb-audio: add mixer quirks for Pioneer DJM-900NXS2
    - [x86] ASoC: Intel: sof_sdw: reorganize quirks by generation
    - [x86] ASoC: Intel: sof_sdw: add quirk for HP Spectre x360 convertible
    - [x86] KVM: SVM: Clear the CR4 register on reset
    - nvme-pci: mark Seagate Nytro XM1440 as QUIRK_NO_NS_DESC_LIST.
    - nvme-pci: add quirks for Lexar 256GB SSD
    https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.24
    - uapi: nfnetlink_cthelper.h: fix userspace compilation error
    - [powerpc*] perf: Fix handling of privilege level checks in perf interrupt
      context
    - [powerpc*] pseries: Don't enforce MSI affinity with kdump
    - ethernet: alx: fix order of calls on resume (Closes: #983595)
    - [mips*] crypto: mips/poly1305 - enable for all MIPS processors
    - ath9k: fix transmitting to stations in dynamic SMPS mode
    - net: Fix gro aggregation for udp encaps with zero csum
    - net: check if protocol extracted by virtio_net_hdr_set_proto is correct
    - net: avoid infinite loop in mpls_gso_segment when mpls_hlen == 0
    - net: l2tp: reduce log level of messages in receive path, add counter
      instead
    - can: skb: can_skb_set_owner(): fix ref counting if socket was closed
      before setting skb ownership
    - [armhf] can: flexcan: assert FRZ bit in flexcan_chip_freeze()
    - [armhf] can: flexcan: enable RX FIFO after FRZ/HALT valid
    - [armhf] can: flexcan: invoke flexcan_chip_freeze() to enter freeze mode
    - tcp: Fix sign comparison bug in getsockopt(TCP_ZEROCOPY_RECEIVE)
    - tcp: add sanity tests to TCP_QUEUE_SEQ
    - netfilter: nf_nat: undo erroneous tcp edemux lookup
    - netfilter: x_tables: gpf inside xt_find_revision()
    - net: always use icmp{,v6}_ndo_send from ndo_start_xmit
    - net: phy: fix save wrong speed and duplex problem if autoneg is on
    - mt76: dma: do not report truncated frames to mac80211
    - [powerpc*] 603: Fix protection of user pages mapped with PROT_NONE
    - mount: fix mounting of detached mounts onto targets that reside on shared
      mounts
    - cifs: return proper error code in statfs(2)
    - Revert "mm, slub: consider rest of partial list if acquire_slab() fails"
    - docs: networking: drop special stable handling
    - [arm64] net: enetc: don't overwrite the RSS indirection table when
      initializing
    - [arm64] net: enetc: take the MDIO lock only once per NAPI poll cycle
    - [arm64] net: enetc: fix incorrect TPID when receiving 802.1ad tagged
      packets
    - [arm64] net: enetc: don't disable VLAN filtering in IFF_PROMISC mode
    - [arm64] net: enetc: force the RGMII speed and duplex instead of operating
      in inband mode
    - [arm64] net: enetc: remove bogus write to SIRXIDR from enetc_setup_rxbdr
    - [arm64] net: enetc: keep RX ring consumer index in sync with hardware
    - net/mlx4_en: update moderation when config reset
    - net: stmmac: fix incorrect DMA channel intr enable setting of EQoS v4.10
    - nexthop: Do not flush blackhole nexthops when loopback goes down
    - net: sched: avoid duplicates in classes dump
    - [arm64] net: mscc: ocelot: properly reject destination IP keys in VCAP IS1
    - net: usb: qmi_wwan: allow qmimux add/del with master up
    - cipso,calipso: resolve a number of problems with the DOI refcounts
    - net: stmmac: Fix VLAN filter delete timeout issue in Intel mGBE SGMII
    - [x86] stmmac: intel: Fixes clock registration error seen for multiple
      interfaces
    - [arm64] net: enetc: allow hardware timestamping on TX queues with tc-etf
      enabled
    - net: qrtr: fix error return code of qrtr_sendmsg()
    - [s390x] qeth: fix memory leak after failed TX Buffer allocation
    - r8169: fix r8168fp_adjust_ocp_cmd function
    - ixgbe: fail to create xfrm offload of IPsec tunnel mode SA
    - net: stmmac: stop each tx channel independently
    - net: stmmac: fix watchdog timeout during suspend/resume stress test
    - net: stmmac: fix wrongly set buffer2 valid when sph unsupport
    - ethtool: fix the check logic of at least one channel for RX/TX
    - net: phy: make mdio_bus_phy_suspend/resume as __maybe_unused
    - perf traceevent: Ensure read cmdlines are null terminated.
    - perf report: Fix -F for branch & mem modes
    - [arm64] net: hns3: fix query vlan mask value error for flow director
    - [arm64] net: hns3: fix bug when calculating the TCAM table info
    - bnxt_en: reliably allocate IRQ table on reset to avoid crash
    - gpiolib: acpi: Add ACPI_GPIO_QUIRK_ABSOLUTE_NUMBER quirk
    - gpiolib: acpi: Allow to find GpioInt() resource by name and index
    - [arm64,armhf] gpio: pca953x: Set IRQ type when handle Intel Galileo Gen 2
    - gpio: fix gpio-device list corruption
    - drm/compat: Clear bounce structures
    - drm/amd/display: Add a backlight module option
    - drm/amd/display: Fix nested FPU context in dcn21_validate_bandwidth()
    - drm/shmem-helper: Check for purged buffers in fault handler
    - drm/shmem-helper: Don't remove the offset in vm_area_struct pgoff
    - drm: Use USB controller's DMA mask when importing dmabufs
    - [arm64] drm: meson_drv add shutdown function
    - drm/shmem-helpers: vunmap: Don't put pages for dma-buf
    - [x86] drm/i915: Wedge the GPU if command parser setup fails
    - qxl: Fix uninitialised struct field head.surface_id
    - media: usbtv: Fix deadlock on suspend
    - media: rc: compile rc-cec.c into rc-core
    - cifs: fix credit accounting for extra channel
    - [arm64] net: hns3: fix error mask definition of flow director
    - [s390x] qeth: don't replace a fully completed async TX buffer
    - [s390x] qeth: remove QETH_QDIO_BUF_HANDLED_DELAYED state
    - [s390x] qeth: improve completion of pending TX buffers
    - [s390x] qeth: fix notification for pending buffers during teardown
    - [arm64,armhf] net: dsa: implement a central TX reallocation procedure
    - [arm64,armhf] net: dsa: trailer: don't allocate additional memory for
      padding/tagging
    - [arm64] net: dsa: tag_ocelot: let DSA core deal with TX reallocation
    - [arm64,armhf] net: dsa: tag_edsa: let DSA core deal with TX reallocation
    - [armhf] net: dsa: tag_brcm: let DSA core deal with TX reallocation
    - [arm64,armhf] net: dsa: tag_dsa: let DSA core deal with TX reallocation
    - [arm64] enetc: Fix unused var build warning for CONFIG_OF
    - [arm64] net: enetc: initialize RFS/RSS memories for unused ports too
    - ath11k: peer delete synchronization with firmware
    - ath11k: start vdev if a bss peer is already created
    - ath11k: fix AP mode for QCA6390
    - scsi: ufs: WB is only available on LUN #0 to #7
    - udf: fix silent AED tagLocation corruption
    - [amd64] iommu/vt-d: Clear PRQ overflow only when PRQ is empty
    - [arm*] mmc: sdhci-iproc: Add ACPI bindings for the RPi
    - Platform: OLPC: Fix probe error handling
    - [powerpc*] pci: Add ppc_md.discover_phbs()
    - [armhf] spi: stm32: make spurious and overrun interrupts visible
    - [powerpc] improve handling of unrecoverable system reset
    - [powerpc] perf: Record counter overflow always if SAMPLE_IP is unset
    - HID: logitech-dj: add support for the new lightspeed connection iteration
    - [powerpc*] 64: Fix stack trace not displaying final frame
    - [amd64] iommu/amd: Fix performance counter initialization
    - [arm64] clk: qcom: gdsc: Implement NO_RET_PERIPH flag
    - [x86] Input: applespi - don't wait for responses to commands indefinitely.
    - [arm64] PCI: xgene-msi: Fix race in installing chained irq handler
    - ext4: don't try to processed freed blocks until mballoc is initialized
    - kbuild: clamp SUBLEVEL to 255
    - PCI: Fix pci_register_io_range() memory leak
    - i40e: Fix memory leak in i40e_probe
    - [s390x] smp: __smp_rescan_cpus() - move cpumask away from stack
    - drivers/base/memory: don't store phys_device in memory blocks
    - sysctl.c: fix underflow value setting risk in vm_table
    - scsi: libiscsi: Fix iscsi_prep_scsi_cmd_pdu() error handling
    - scsi: target: core: Add cmd length set before cmd complete
    - scsi: target: core: Prevent underflow for service actions
    - mmc: sdhci: Update firmware interface API
    - [arm*] assembler: introduce adr_l, ldr_l and str_l macros
    - [arm*] efistub: replace adrl pseudo-op with adr_l macro invocation
    - ALSA: usb: Add Plantronics C320-M USB ctrl msg delay quirk
    - ALSA: hda/hdmi: Cancel pending works before suspend
    - ALSA: hda/conexant: Add quirk for mute LED control on HP ZBook G5
    - ALSA: hda/ca0132: Add Sound BlasterX AE-5 Plus support
    - ALSA: hda: Drop the BATCH workaround for AMD controllers
    - ALSA: hda: Flush pending unsolicited events before suspend
    - ALSA: hda: Avoid spurious unsol event handling during S3/S4
    - ALSA: usb-audio: Fix "cannot get freq eq" errors on Dell AE515 sound bar
    - ALSA: usb-audio: Apply the control quirk to Plantronics headsets
    - ALSA: usb-audio: Disable USB autosuspend properly in
      setup_disable_autosuspend()
    - ALSA: usb-audio: fix NULL ptr dereference in usb_audio_probe
    - ALSA: usb-audio: fix use after free in usb_audio_disconnect
    - Revert 95ebabde382c ("capabilities: Don't allow writing ambiguous v3 file
      capabilities")
    - block: Discard page cache of zone reset target range
    - block: Try to handle busy underlying device on discard
    - [arm64] mte: Map hotplugged memory as Normal Tagged
    - [arm64] perf: Fix 64-bit event counter read truncation
    - [s390x] dasd: fix hanging DASD driver unbind
    - [s390x] dasd: fix hanging IO request during DASD driver unbind
    - software node: Fix node registration
    - xen/events: reset affinity of 2-level event when tearing it down
    - [arm64,armhf] mmc: mmci: Add MMC_CAP_NEED_RSP_BUSY for the stm32 variants
    - mmc: core: Fix partition switch time for eMMC
    - mmc: cqhci: Fix random crash when remove mmc module/card
    - cifs: do not send close in compound create+close requests
    - Goodix Fingerprint device is not a modem
    - usb: gadget: f_uac2: always increase endpoint max_packet_size by one audio
      slot
    - usb: gadget: f_uac1: stop playback on function disable
    - [arm64] usb: dwc3: qcom: Add missing DWC3 OF node refcount decrement
    - [arm64] usb: dwc3: qcom: add URS Host support for sdm845 ACPI boot
    - [arm64] usb: dwc3: qcom: add ACPI device id for sc8180x
    - [arm64] usb: dwc3: qcom: Honor wakeup enabled/disabled state
    - USB: usblp: fix a hang in poll() if disconnected
    - usb: xhci: do not perform Soft Retry for some xHCI hosts
    - xhci: Improve detection of device initiated wake signal.
    - usb: xhci: Fix ASMedia ASM1042A and ASM3242 DMA addressing
    - xhci: Fix repeated xhci wake after suspend due to uncleared internal wake
      state
    - USB: serial: io_edgeport: fix memory leak in edge_startup
    - USB: serial: ch341: add new Product ID
    - USB: serial: cp210x: add ID for Acuity Brands nLight Air Adapter
    - USB: serial: cp210x: add some more GE USB IDs
    - usbip: fix stub_dev to check for stream socket
    - usbip: fix vhci_hcd to check for stream socket
    - usbip: fix vudc to check for stream socket
    - usbip: fix stub_dev usbip_sockfd_store() races leading to gpf
    - usbip: fix vhci_hcd attach_store() races leading to gpf
    - usbip: fix vudc usbip_sockfd_store races leading to gpf
    - [x86] misc/pvpanic: Export module FDT device table
    - misc: fastrpc: restrict user apps from sending kernel RPC messages
      (CVE-2021-28375)
    - [x86] staging: rtl8192u: fix ->ssid overflow in r8192_wx_set_scan()
    - staging: rtl8188eu: prevent ->ssid overflow in rtw_wx_set_scan()
      (CVE-2021-28660)
    - staging: rtl8712: unterminated string leads to read overflow
    - staging: rtl8188eu: fix potential memory corruption in
      rtw_check_beacon_data()
    - staging: rtl8712: Fix possible buffer overflow in r8712_sitesurvey_cmd
    - [x86] staging: rtl8192e: Fix possible buffer overflow in
      _rtl92e_wx_set_scan
    - [x86] staging: comedi: addi_apci_1032: Fix endian problem for COS sample
    - [x86] staging: comedi: addi_apci_1500: Fix endian problem for command
      sample
    - [x86] staging: comedi: adv_pci1710: Fix endian problem for AI command data
    - [i386] staging: comedi: das6402: Fix endian problem for AI command data
    - [i386] staging: comedi: das800: Fix endian problem for AI command data
    - [i386] staging: comedi: dmm32at: Fix endian problem for AI command data
    - [x86] staging: comedi: me4000: Fix endian problem for AI command data
    - [i386] staging: comedi: pcl711: Fix endian problem for AI command data
    - [i386] staging: comedi: pcl818: Fix endian problem for AI command data
    - [arm64] mm: Fix pfn_valid() for ZONE_DEVICE based memory
    - SUNRPC: Set memalloc_nofs_save() for sync tasks
    - NFS: Don't revalidate the directory permissions on a lookup failure
    - NFS: Don't gratuitously clear the inode cache when lookup failed
    - NFSv4.2: fix return value of _nfs4_get_security_label()
    - block: rsxx: fix error return code of rsxx_pci_probe()
    - nvme-fc: fix racing controller reset and create association
    - configfs: fix a use-after-free in __configfs_open_file
    - [arm64] mm: use a 48-bit ID map when possible on 52-bit VA builds
    - perf/core: Flush PMU internal buffers for per-CPU events
    - [x86] perf/x86/intel: Set PERF_ATTACH_SCHED_CB for large PEBS and LBR
    - hrtimer: Update softirq_expires_next correctly after
      __hrtimer_get_next_event()
    - seqlock,lockdep: Fix seqcount_latch_init()
    - stop_machine: mark helpers __always_inline
    - include/linux/sched/mm.h: use rcu_dereference in in_vfork()
    - zram: fix return value on writeback_store
    - sched/membarrier: fix missing local execution of ipi_sync_rq_state()
    - efi: stub: omit SetVirtualAddressMap() if marked unsupported in RT_PROP
      table
    - [powerpc*] 64s: Fix instruction encoding for lis in ppc_function_entry()
    - [powerpc*] Fix inverted SET_FULL_REGS bitop
    - [powerpc*] Fix missing declaration of [en/dis]able_kernel_vsx()
    - binfmt_misc: fix possible deadlock in bm_register_write
    - [amd64] x86/unwind/orc: Disable KASAN checking in the ORC unwinder, part 2
    - [x86] entry: Move nmi entry/exit into common code
    - [x86] entry: Fix entry/exit mismatch on failed fast 32-bit syscalls
    - [x86] KVM: Ensure deadline timer has truly expired before posting its IRQ
    - [x86] KVM: kvmclock: Fix vCPUs > 64 can't be online/hotpluged
    - [arm64] KVM: Fix range alignment when walking page tables
    - [arm64] KVM: Avoid corrupting vCPU context register in guest exit
    - [arm64] KVM: nvhe: Save the SPE context early
    - [arm64] KVM: Reject VM creation when the default IPA size is unsupported
    - [arm64] KVM: Fix exclusive limit for IPA size
    - mm/userfaultfd: fix memory corruption due to writeprotect
    - mm/madvise: replace ptrace attach requirement for process_madvise
    - [arm64] KVM: Ensure I-cache isolation between vcpus of a same VM
    - mm/page_alloc.c: refactor initialization of struct page for holes in
      memory layout
    - xen/events: don't unmask an event channel when an eoi is pending
    - xen/events: avoid handling the same event on two cpus at the same time
    - [arm64] KVM: Fix nVHE hyp panic host context restore
    - RDMA/umem: Use ib_dma_max_seg_size instead of dma_get_max_seg_size
.
  [ Salvatore Bonaccorso ]
  * Bump ABI to 5
  * [rt] Refresh "printk: remove logbuf_lock"
  * [rt] Refresh "printk: remove safe buffers"
  * [rt] Refresh "printk: remove deferred printing"
  * [rt] Refresh "mm/memcontrol: Replace local_irq_disable with local locks"
  * [rt] Update to 5.10.21-rt34
  * Refresh "Include package version along with kernel release in stack
    traces"
  * bpf: Prohibit alu ops for pointer types not defining ptr_limit
    (CVE-2020-27170)
  * bpf: Fix off-by-one for area size in creating mask to left
    (CVE-2020-27171)
  * bpf: Simplify alu_limit masking for pointer arithmetic
  * bpf: Add sanity check for upper ptr_limit
  * bpf, selftests: Fix up some test_verifier cases for unprivileged
  * [x86] crypto: aesni - Use TEST %reg,%reg instead of CMP $0,%reg
  * [x86] crypto: x86/aes-ni-xts - use direct calls to and 4-way stride
  * RDMA/srp: Fix support for unpopulated and unbalanced NUMA nodes
  * fuse: fix live lock in fuse_iget()
  * Revert "nfsd4: remove check_conflicting_opens warning"
  * Revert "nfsd4: a client's own opens needn't prevent delegations"
  * ALSA: usb-audio: Don't avoid stopping the stream at disconnection
  * [armhf] net: dsa: b53: Support setting learning on port
.
  [ Wookey ]
  * [arm64] drivers/perf: Enable ARM_CMN as module (Closes: #981186)
.
  [ Vincent Blut ]
  * [arm64] drivers/perf: Enable ARM_SMMU_V3_PMU as module
.
linux (5.10.19-1) unstable; urgency=medium
.
  * New upstream stable update:
    https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.14
    - [armhf] net: fec: put child node on error path
    - [x86] stmmac: intel: Configure EHL PSE0 GbE and PSE1 GbE to 32 bits DMA
      addressing
    - [armhf] net: dsa: bcm_sf2: put device node before return
    - net: switchdev: don't set port_obj_info->handled true when -EOPNOTSUPP
    - [arm64,armhf] iommu/io-pgtable-arm: Support coherency for Mali LPAE
    - [arm64,armhf] drm/panfrost: Support cache-coherent integrations
    - [arm64] Fix kernel address detection of __is_lm_address()
    - [arm64] Do not pass tagged addresses to __is_lm_address()
    - Revert "x86/setup: don't remove E820_TYPE_RAM for pfn 0"
    - [amd64] iommu/vt-d: Do not use flush-queue when caching-mode is on
    - [x86] platform/x86: touchscreen_dmi: Add swap-x-y quirk for Goodix
      touchscreen on Estar Beauty HD tablet
    - [x86] platform/x86: intel-vbtn: Support for tablet mode on Dell Inspiron
      7352
    - [x86] __always_inline __{rd,wr}msr()
    - scsi: scsi_transport_srp: Don't block target in failfast state
    - scsi: libfc: Avoid invoking response handler twice if ep is already
      completed
    - [x86] scsi: fnic: Fix memleak in vnic_dev_init_devcmd2
    - [x86] ASoC: SOF: Intel: hda: Resume codec to do jack detection
    - ALSA: hda: Add AlderLake-P PCI ID and HDMI codec vid
    - mac80211: fix fast-rx encryption check
    - mac80211: fix encryption key selection for 802.3 xmit
    - [powerpc*] scsi: ibmvfc: Set default timeout to avoid crash during
      migration
    - ALSA: hda: Add Cometlake-R PCI ID
    - [arm64,armhf] i2c: tegra: Create i2c_writesl_vi() to use with VI I2C for
      filling TX FIFO
    - udf: fix the problem that the disc content is not displayed
    - nvme: check the PRINFO bit before deciding the host buffer length
    - nvme-rdma: avoid request double completion for concurrent
      nvme_rdma_timeout
    - nvme-tcp: avoid request double completion for concurrent
      nvme_tcp_timeout
    - nvme-pci: allow use of cmb on v1.4 controllers
    - nvmet: set right status on error in id-ns handler
    - [x86] platform/x86: thinkpad_acpi: Add P53/73 firmware to
      fan_quirk_table for dual fan control
    - objtool: Don't fail the kernel build on fatal errors
    - [x86] cpu: Add another Alder Lake CPU to the Intel family
    - kthread: Extract KTHREAD_IS_PER_CPU
    - workqueue: Restrict affinity change to rescuer
    https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.15
    - USB: serial: cp210x: add pid/vid for WSDA-200-USB
    - USB: serial: cp210x: add new VID/PID for supporting Teraoka AD2000
    - USB: serial: option: Adding support for Cinterion MV31
    - [arm64,armhf] usb: host: xhci: mvebu: make USB 3.0 PHY optional for
      Armada 3720
    - USB: gadget: legacy: fix an error code in eth_bind()
    - [armhf] usb: gadget: aspeed: add missing of_node_put
    - USB: usblp: don't call usb_set_interface if there's a single alt
    - [arm*] usb: dwc2: Fix endpoint direction check in ep_from_windex
    - [arm64,armhf] usb: dwc3: fix clock issue during resume in OTG mode
    - [arm64] dts: qcom: c630: keep both touchpad devices enabled
    - Input: i8042 - unbreak Pegatron C15B
    - [arm64] dts: rockchip: Use only supported PCIe link speed on Pinebook
      Pro
    - bpf, cgroup: Fix optlen WARN_ON_ONCE toctou (CVE-2021-20194)
    - bpf, cgroup: Fix problematic bounds check (CVE-2021-20194)
    - bpf, inode_storage: Put file handler if no storage was found
    - bpf, preload: Fix build when $(O) points to a relative path
    - [arm64] dts: meson: switch TFLASH_VDD_EN pin to open drain on Odroid-C4
    - r8169: work around RTL8125 UDP hw bug
    - rxrpc: Fix deadlock around release of dst cached on udp tunnel
    - SUNRPC: Fix NFS READs that start at non-page-aligned offsets
    - igc: set the default return value to -IGC_ERR_NVM in igc_write_nvm_srwr
    - igc: check return value of ret_val in igc_config_fc_after_link_up
    - i40e: Revert "i40e: don't report link up for a VF who hasn't enabled
      queues"
    - net/mlx5: Fix function calculation for page trees
    - net/mlx5: Fix leak upon failure of rule creation
    - net/mlx5e: Update max_opened_tc also when channels are closed
    - net/mlx5e: Release skb in case of failure in tc update skb
    - net: lapb: Copy the skb before sending a packet
    - [arm64,armhf] net: mvpp2: TCAM entry enable should be written after SRAM
      data
    - [armhf] dts: sun7i: a20: bananapro: Fix ethernet phy-mode
    - nvmet-tcp: fix out-of-bounds access when receiving multiple h2cdata PDUs
    - memblock: do not start bottom-up allocations with kernel_end
    - [x86] thunderbolt: Fix possible NULL pointer dereference in
      tb_acpi_add_link()
    - ovl: fix dentry leak in ovl_get_redirect
    - ovl: avoid deadlock on directory ioctl
    - ovl: implement volatile-specific fsync error behaviour
    - mac80211: fix station rate table updates on assoc
    - gpiolib: free device name on error path to fix kmemleak
    - fgraph: Initialize tracing_graph_pause at task creation
    - tracing/kprobe: Fix to support kretprobe events on unloaded modules
    - kretprobe: Avoid re-registration of the same kretprobe earlier
    - tracing: Use pause-on-trace with the latency tracers
    - tracepoint: Fix race between tracing and removing tracepoint
    - [arm64,x86] libnvdimm/namespace: Fix visibility of namespace resource
      attribute
    - [arm64,x86] libnvdimm/dimm: Avoid race between probe and
      available_slots_show()
    - genirq: Prevent [devm_]irq_alloc_desc from returning irq 0
    - genirq/msi: Activate Multi-MSI early when MSI_FLAG_ACTIVATE_EARLY is set
    - scripts: use pkg-config to locate libcrypto
    - xhci: fix bounce buffer usage for non-sg list case
    - cifs: report error instead of invalid when revalidating a dentry fails
    - iommu: Check dev->iommu in dev_iommu_priv_get() before dereferencing it
    - smb3: Fix out-of-bounds bug in SMB2_negotiate()
    - smb3: fix crediting for compounding when only one request in flight
    - mmc: core: Limit retries when analyse of SDIO tuples fails
    - [x86] Fix unsynchronized access to sev members through
      svm_register_enc_region
    - drm/dp/mst: Export drm_dp_get_vc_payload_bw()
    - [x86] drm/i915: Fix the MST PBN divider calculation
    - [x86] drm/i915/gem: Drop lru bumping on display unpinning
    - [x86] drm/i915/gt: Close race between enable_breadcrumbs and
      cancel_breadcrumbs
    - [x86] drm/i915/display: Prevent double YUV range correction on HDR
      planes
    - [x86] drm/i915: Extract intel_ddi_power_up_lanes()
    - [x86] drm/i915: Power up combo PHY lanes for for HDMI as well
    - drm/amd/display: Revert "Fix EDID parsing after resume from suspend"
    - io_uring: don't modify identity's files uncess identity is cowed
    - nvme-pci: avoid the deepest sleep state on Kingston A2000 SSDs
    - [x86] KVM: SVM: Treat SVM as unsupported when running as an SEV guest
    - [x86] KVM: x86/mmu: Fix TDP MMU zap collapsible SPTEs
    - [x86] KVM: x86: Allow guests to see MSR_IA32_TSX_CTRL even if tsx=off
    - [x86] KVM: x86: fix CPUID entries returned by KVM_GET_CPUID2 ioctl
    - [x86] KVM: x86: Update emulator context mode if SYSENTER xfers to 64-bit
      mode
    - [x86] KVM: x86: Set so called 'reserved CR3 bits in LM mask' at vCPU
      reset
    - mm: hugetlbfs: fix cannot migrate the fallocated HugeTLB page
    - mm: hugetlb: fix a race between freeing and dissolving the page
    - mm: hugetlb: fix a race between isolating and freeing page
    - mm: hugetlb: remove VM_BUG_ON_PAGE from page_huge_active
    - mm, compaction: move high_pfn to the for loop scope
    - mm/vmalloc: separate put pages and flush VM flags
    - mm: thp: fix MADV_REMOVE deadlock on shmem THP
    - mm/filemap: add missing mem_cgroup_uncharge() to
      __add_to_page_cache_locked()
    - [x86] build: Disable CET instrumentation in the kernel
    - [x86] debug: Fix DR6 handling
    - [x86] debug: Prevent data breakpoints on __per_cpu_offset
    - [x86] debug: Prevent data breakpoints on cpu_dr7
    - [x86] apic: Add extra serialization for non-serializing MSRs
    - Input: goodix - add support for Goodix GT9286 chip
    - Input: xpad - sync supported devices with fork on GitHub
    - md: Set prev_flush_start and flush_bio in an atomic way
    - igc: Report speed and duplex as unknown when device is runtime suspended
    - neighbour: Prevent a dead entry from updating gc_list
    - net: ip_tunnel: fix mtu calculation
    - udp: ipv4: manipulate network header of NATed UDP GRO fraglist
    - [arm64,armhf] net: dsa: mv88e6xxx: override existent unicast portvec in
      port_fdb_add
    - net: sched: replaced invalid qdisc tree flush helper in qdisc_replace
    https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.16
    - io_uring: simplify io_task_match()
    - io_uring: add a {task,files} pair matching helper
    - io_uring: don't iterate io_uring_cancel_files()
    - io_uring: pass files into kill timeouts/poll
    - io_uring: always batch cancel in *cancel_files()
    - io_uring: fix files cancellation
    - io_uring: account io_uring internal files as REQ_F_INFLIGHT
    - io_uring: if we see flush on exit, cancel related tasks
    - io_uring: fix __io_uring_files_cancel() with TASK_UNINTERRUPTIBLE
    - io_uring: replace inflight_wait with tctx->wait
    - io_uring: fix cancellation taking mutex while TASK_UNINTERRUPTIBLE
    - io_uring: fix flush cqring overflow list while TASK_INTERRUPTIBLE
    - io_uring: fix list corruption for splice file_get
    - io_uring: fix sqo ownership false positive warning
    - io_uring: reinforce cancel on flush during exit
    - io_uring: drop mm/files between task_work_submit
    - gpiolib: cdev: clear debounce period if line set to output
    - [powerpc*] 64/signal: Fix regression in __kernel_sigtramp_rt64()
      semantics
    - af_key: relax availability checks for skb size calculation
    - regulator: core: avoid regulator_resolve_supply() race condition
    - drm/nouveau/nvif: fix method count when pushing an array
    - mac80211: 160MHz with extended NSS BW in CSA
    - [x86] ASoC: Intel: Skylake: Zero snd_ctl_elem_value
    - pNFS/NFSv4: Try to return invalid layout in pnfs_layout_process()
    - pNFS/NFSv4: Improve rejection of out-of-order layouts
    - ALSA: hda: intel-dsp-config: add PCI id for TGL-H
    - [x86] ASoC: Intel: sof_sdw: set proper flags for Dell TGL-H SKU 0A5E
    - iwlwifi: mvm: skip power command when unbinding vif during CSA
    - iwlwifi: pcie: add a NULL check in iwl_pcie_txq_unmap
    - iwlwifi: pcie: fix context info memory leak
    - iwlwifi: mvm: invalidate IDs of internal stations at mvm start
    - iwlwifi: pcie: add rules to match Qu with Hr2
    - iwlwifi: mvm: guard against device removal in reprobe
    - iwlwifi: queue: bail out on invalid freeing
    - SUNRPC: Move simple_get_bytes and simple_get_netobj into private header
    - SUNRPC: Handle 0 length opaque XDR object data properly
    - blk-cgroup: Use cond_resched() when destroy blkgs
    - regulator: Fix lockdep warning resolving supplies
    - bpf: Fix verifier jmp32 pruning decision logic
    - bpf: Fix 32 bit src register truncation on div/mod
    - bpf: Fix verifier jsgt branch analysis on max bound
    - [x86] drm/i915: Fix ICL MG PHY vswing handling
    - [x86] drm/i915: Skip vswing programming for TBT
    - nilfs2: make splice write available again
    - Revert "mm: memcontrol: avoid workload stalls when lowering memory.high"
    - squashfs: avoid out of bounds writes in decompressors
    - squashfs: add more sanity checks in id lookup
    - squashfs: add more sanity checks in inode lookup
    - squashfs: add more sanity checks in xattr id lookup
    https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.17
    - objtool: Fix seg fault with Clang non-section symbols
    - Revert "dts: phy: add GPIO number and active state used for phy reset"
    - tracing: Do not count ftrace events in top level enable output
    - tracing: Check length before giving out the filter buffer
    - [x86] drm/i915: Fix overlay frontbuffer tracking
    - arm/xen: Don't probe xenbus as part of an early initcall
    - cgroup: fix psi monitor for root cgroup
    - [x86] drm/i915/tgl+: Make sure TypeC FIA is powered up when initializing
      it
    - drm/dp_mst: Don't report ports connected if nothing is attached to them
   …
0lxb pushed a commit to 0lxb/rpi_linux that referenced this issue Jan 30, 2024