Linux Kernel (branches are rebased on master from time to time) https://sre.ring0.de/linux/atom?h=v5.17-rc6 2022-02-27T21:07:40Z 2022-02-27T21:07:40Z Linus Torvalds torvalds@linux-foundation.org 2022-02-27T21:07:40Z urn:sha1:52a02554673122486ecb36c36387d91cf9544986 Pull irq fix from Thomas Gleixner: "A single fix for a regression caused by the recent PCI/MSI rework which resulted in a recursive locking problem in the VMD driver. The cure is to cache the relevant information upfront instead of retrieving it at runtime" * tag 'irq-urgent-2022-02-27' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: PCI: vmd: Prevent recursive locking on interrupt allocation 2022-02-27T20:30:54Z Linus Torvalds torvalds@linux-foundation.org 2022-02-27T20:30:54Z urn:sha1:6676ba2a6df6864a6b7b11f20166026e2201b627 Pull pin control fixes from Linus Walleij: - Fix some drive strength and pull-up code in the K210 driver. - Add the Alder Lake-M ACPI ID so it starts to work properly. - Use a static name for the StarFive GPIO irq_chip, forestalling an upcoming fixes series from Marc Zyngier. - Fix an ages old bug in the Tegra 186 driver where we were indexing at random into struct and being lucky getting the right member. * tag 'pinctrl-v5-17-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl: gpio: tegra186: Fix chip_data type confusion pinctrl: starfive: Use a static name for the GPIO irq_chip pinctrl: tigerlake: Revert "Add Alder Lake-M ACPI ID" pinctrl: k210: Fix bias-pull-up pinctrl: fix loop in k210_pinconf_get_drive() 2022-02-25T21:34:30Z Linus Torvalds torvalds@linux-foundation.org 2022-02-25T21:34:30Z urn:sha1:ca7457236d47d8748bdb6b423d148726220ec3d8 Pull rdma fixes from Jason Gunthorpe: - Older "does not even boot" regression in qib from July - Bug fixes for error unwind in rtrs - Avoid a deadlock syzkaller found in srp - Fix another UAF syzkaller found in cma * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma: RDMA/cma: Do not change route.addr.src_addr outside state checks RDMA/ib_srp: Fix a deadlock RDMA/rtrs-clt: Move free_permit from free_clt to rtrs_clt_close RDMA/rtrs-clt: Fix possible double free in error case IB/qib: Fix duplicate sysfs directory name 2022-02-25T20:56:11Z Linus Torvalds torvalds@linux-foundation.org 2022-02-25T20:56:11Z urn:sha1:115ccd2278ccaa882000a20cb81a3649ef7dfe8b Pull gpio fixes from Bartosz Golaszewski: - fix an bug generating spurious interrupts in gpio-rockchip - fix a race condition in gpiod_to_irq() called by GPIO consumers * tag 'gpio-fixes-for-v5.17-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux: gpio: Return EPROBE_DEFER if gc->to_irq is NULL gpio: rockchip: Reset int_bothedge when changing trigger 2022-02-25T20:46:51Z Jason Gunthorpe jgg@nvidia.com 2022-02-23T15:23:57Z urn:sha1:22e9f71072fa605cbf033158db58e0790101928d If the state is not idle then resolve_prepare_src() should immediately fail and no change to global state should happen. However, it unconditionally overwrites the src_addr trying to build a temporary any address. For instance if the state is already RDMA_CM_LISTEN then this will corrupt the src_addr and would cause the test in cma_cancel_operation(): if (cma_any_addr(cma_src_addr(id_priv)) && !id_priv->cma_dev) Which would manifest as this trace from syzkaller: BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0 lib/list_debug.c:26 Read of size 8 at addr ffff8881546491e0 by task syz-executor.1/32204 CPU: 1 PID: 32204 Comm: syz-executor.1 Not tainted 5.12.0-rc8-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x141/0x1d7 lib/dump_stack.c:120 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:232 __kasan_report mm/kasan/report.c:399 [inline] kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416 __list_add_valid+0x93/0xa0 lib/list_debug.c:26 __list_add include/linux/list.h:67 [inline] list_add_tail include/linux/list.h:100 [inline] cma_listen_on_all drivers/infiniband/core/cma.c:2557 [inline] rdma_listen+0x787/0xe00 drivers/infiniband/core/cma.c:3751 ucma_listen+0x16a/0x210 drivers/infiniband/core/ucma.c:1102 ucma_write+0x259/0x350 drivers/infiniband/core/ucma.c:1732 vfs_write+0x28e/0xa30 fs/read_write.c:603 ksys_write+0x1ee/0x250 fs/read_write.c:658 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae This is indicating that an rdma_id_private was destroyed without doing cma_cancel_listens(). Instead of trying to re-use the src_addr memory to indirectly create an any address derived from the dst build one explicitly on the stack and bind to that as any other normal flow would do. rdma_bind_addr() will copy it over the src_addr once it knows the state is valid. This is similar to commit bc0bdc5afaa7 ("RDMA/cma: Do not change route.addr.src_addr.ss_family") Link: https://lore.kernel.org/r/0-v2-e975c8fd9ef2+11e-syz_cma_srcaddr_jgg@nvidia.com Cc: stable@vger.kernel.org Fixes: 732d41c545bb ("RDMA/cma: Make the locking for automatic state transition more clear") Reported-by: syzbot+c94a3675a626f6333d74@syzkaller.appspotmail.com Reviewed-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com> 2022-02-25T20:37:41Z Linus Torvalds torvalds@linux-foundation.org 2022-02-25T20:37:41Z urn:sha1:4b23c6ecefcc9c15ae3d2f09d529151ab214b97f Pull spi fixes from Mark Brown: "A few small driver specific fixes" * tag 'spi-fix-v5.17-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi: spi: rockchip: terminate dma transmission when slave abort spi: rockchip: Fix error in getting num-cs property spi: spi-zynq-qspi: Fix a NULL pointer dereference in zynq_qspi_exec_mem_op() 2022-02-25T20:33:51Z Linus Torvalds torvalds@linux-foundation.org 2022-02-25T20:33:51Z urn:sha1:64b5132b897caeb4188fcbafd46fd73dc96be4a8 Pull regulator fixes from Mark Brown: "A series of fixes for the da9121 driver" * tag 'regulator-fix-v5.17-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator: regulator: da9121: Remove surplus DA9141 parameters regulator: da9121: Fix DA914x voltage value regulator: da9121: Fix DA914x current values 2022-02-25T20:30:01Z Linus Torvalds torvalds@linux-foundation.org 2022-02-25T20:30:01Z urn:sha1:0e9894e6aac2c591da00dae91c448c02d1ca6373 Pull regmap fix from Mark Brown: "A fix for interrupt controllers which require the explicit acknowledgement of interrupts using a different register to the one where interrupts are reported. Urgent for the few devices this affects" * tag 'regmap-fix-v5.17-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap: regmap-irq: Update interrupt clear register for proper reset 2022-02-25T20:25:44Z Linus Torvalds torvalds@linux-foundation.org 2022-02-25T20:25:44Z urn:sha1:e48cb5c2c65db87cf1269ca004e111764da6cc74 Pull thermal control fix from Rafael Wysocki: "Fix a memory leak in the int340x thermal driver's ACPI notify handler (Chuansheng Liu)" * tag 'thermal-5.17-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: thermal: int340x: fix memory leak in int3400_notify() 2022-02-25T20:17:20Z Linus Torvalds torvalds@linux-foundation.org 2022-02-25T20:17:20Z urn:sha1:2800b6d0fc390d7c3f22109a408d5ed72746588c Pull power management fixes from Rafael Wysocki: "Fix the throttle IRQ handling during cpufreq initialization on Qualcomm platforms (Bjorn Andersson)" * tag 'pm-5.17-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: cpufreq: qcom-hw: Delay enabling throttle_irq cpufreq: Reintroduce ready() callback