--- /dev/null
+From e2e49e214145a8f6ece6ecd52fec63ebc2b27ce9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Danis?= <frederic.danis@collabora.com>
+Date: Mon, 14 Apr 2025 11:08:15 +0200
+Subject: Bluetooth: l2cap: Process valid commands in too long frame
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Frédéric Danis <frederic.danis@collabora.com>
+
+commit e2e49e214145a8f6ece6ecd52fec63ebc2b27ce9 upstream.
+
+This is required for passing PTS test cases:
+- L2CAP/COS/CED/BI-14-C
+ Multiple Signaling Command in one PDU, Data Truncated, BR/EDR,
+ Connection Request
+- L2CAP/COS/CED/BI-15-C
+ Multiple Signaling Command in one PDU, Data Truncated, BR/EDR,
+ Disconnection Request
+
+The test procedure defined in L2CAP.TS.p39 for both tests is:
+1. The Lower Tester sends a C-frame to the IUT with PDU Length set
+ to 8 and Channel ID set to the correct signaling channel for the
+ logical link. The Information payload contains one L2CAP_ECHO_REQ
+ packet with Data Length set to 0 with 0 octets of echo data and
+ one command packet and Data Length set as specified in Table 4.6
+ and the correct command data.
+2. The IUT sends an L2CAP_ECHO_RSP PDU to the Lower Tester.
+3. Perform alternative 3A, 3B, 3C, or 3D depending on the IUT’s
+ response.
+ Alternative 3A (IUT terminates the link):
+ 3A.1 The IUT terminates the link.
+ 3A.2 The test ends with a Pass verdict.
+ Alternative 3B (IUT discards the frame):
+ 3B.1 The IUT does not send a reply to the Lower Tester.
+ Alternative 3C (IUT rejects PDU):
+ 3C.1 The IUT sends an L2CAP_COMMAND_REJECT_RSP PDU to the
+ Lower Tester.
+ Alternative 3D (Any other IUT response):
+ 3D.1 The Upper Tester issues a warning and the test ends.
+4. The Lower Tester sends a C-frame to the IUT with PDU Length set
+ to 4 and Channel ID set to the correct signaling channel for the
+ logical link. The Information payload contains Data Length set to
+ 0 with an L2CAP_ECHO_REQ packet with 0 octets of echo data.
+5. The IUT sends an L2CAP_ECHO_RSP PDU to the Lower Tester.
+
+With expected outcome:
+ In Steps 2 and 5, the IUT responds with an L2CAP_ECHO_RSP.
+ In Step 3A.1, the IUT terminates the link.
+ In Step 3B.1, the IUT does not send a reply to the Lower Tester.
+ In Step 3C.1, the IUT rejects the PDU.
+ In Step 3D.1, the IUT sends any valid response.
+
+Currently PTS fails with the following logs:
+ Failed to receive ECHO RESPONSE.
+
+And HCI logs:
+> ACL Data RX: Handle 11 flags 0x02 dlen 20
+ L2CAP: Information Response (0x0b) ident 2 len 12
+ Type: Fixed channels supported (0x0003)
+ Result: Success (0x0000)
+ Channels: 0x000000000000002e
+ L2CAP Signaling (BR/EDR)
+ Connectionless reception
+ AMP Manager Protocol
+ L2CAP Signaling (LE)
+> ACL Data RX: Handle 11 flags 0x02 dlen 13
+ frame too long
+ 08 01 00 00 08 02 01 00 aa .........
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/l2cap_core.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -7504,8 +7504,24 @@ void l2cap_recv_acldata(struct hci_conn
+ if (skb->len > len) {
+ BT_ERR("Frame is too long (len %u, expected len %d)",
+ skb->len, len);
++ /* PTS test cases L2CAP/COS/CED/BI-14-C and BI-15-C
++ * (Multiple Signaling Command in one PDU, Data
++ * Truncated, BR/EDR) send a C-frame to the IUT with
++ * PDU Length set to 8 and Channel ID set to the
++ * correct signaling channel for the logical link.
++ * The Information payload contains one L2CAP_ECHO_REQ
++ * packet with Data Length set to 0 with 0 octets of
++ * echo data and one invalid command packet due to
++ * data truncated in PDU but present in HCI packet.
++ *
++ * Shorter the socket buffer to the PDU length to
++ * allow to process valid commands from the PDU before
++ * setting the socket unreliable.
++ */
++ skb->len = len;
++ l2cap_recv_frame(conn, skb);
+ l2cap_conn_unreliable(conn, ECOMM);
+- goto drop;
++ goto unlock;
+ }
+
+ /* Append fragment into frame (with header) */
--- /dev/null
+From 875db86e1ec75fe633f1e85ed2f92c731cdbf760 Mon Sep 17 00:00:00 2001
+From: Kees Cook <kees@kernel.org>
+Date: Tue, 15 Apr 2025 09:15:19 -0700
+Subject: Bluetooth: vhci: Avoid needless snprintf() calls
+
+From: Kees Cook <kees@kernel.org>
+
+commit 875db86e1ec75fe633f1e85ed2f92c731cdbf760 upstream.
+
+Avoid double-copying of string literals. Use a "const char *" for each
+string instead of copying from .rodata into stack and then into the skb.
+We can go directly from .rodata to the skb.
+
+This also works around a Clang bug (that has since been fixed[1]).
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202401250927.1poZERd6-lkp@intel.com/
+Fixes: ab4e4380d4e1 ("Bluetooth: Add vhci devcoredump support")
+Link: https://github.com/llvm/llvm-project/commit/ea2e66aa8b6e363b89df66dc44275a0d7ecd70ce [1]
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook <kees@kernel.org>
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/hci_vhci.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/bluetooth/hci_vhci.c
++++ b/drivers/bluetooth/hci_vhci.c
+@@ -289,18 +289,18 @@ static void vhci_coredump(struct hci_dev
+
+ static void vhci_coredump_hdr(struct hci_dev *hdev, struct sk_buff *skb)
+ {
+- char buf[80];
++ const char *buf;
+
+- snprintf(buf, sizeof(buf), "Controller Name: vhci_ctrl\n");
++ buf = "Controller Name: vhci_ctrl\n";
+ skb_put_data(skb, buf, strlen(buf));
+
+- snprintf(buf, sizeof(buf), "Firmware Version: vhci_fw\n");
++ buf = "Firmware Version: vhci_fw\n";
+ skb_put_data(skb, buf, strlen(buf));
+
+- snprintf(buf, sizeof(buf), "Driver: vhci_drv\n");
++ buf = "Driver: vhci_drv\n";
+ skb_put_data(skb, buf, strlen(buf));
+
+- snprintf(buf, sizeof(buf), "Vendor: vhci\n");
++ buf = "Vendor: vhci\n";
+ skb_put_data(skb, buf, strlen(buf));
+ }
+
--- /dev/null
+From dc08c58696f8555e4a802f1f23c894a330d80ab7 Mon Sep 17 00:00:00 2001
+From: Johannes Kimmel <kernel@bareminimum.eu>
+Date: Wed, 19 Mar 2025 22:49:00 +0100
+Subject: btrfs: correctly escape subvol in btrfs_show_options()
+
+From: Johannes Kimmel <kernel@bareminimum.eu>
+
+commit dc08c58696f8555e4a802f1f23c894a330d80ab7 upstream.
+
+Currently, displaying the btrfs subvol mount option doesn't escape ','.
+This makes parsing /proc/self/mounts and /proc/self/mountinfo
+ambiguous for subvolume names that contain commas. The text after the
+comma could be mistaken for another option (think "subvol=foo,ro", where
+ro is actually part of the subvolumes name).
+
+Replace the manual escape characters list with a call to
+seq_show_option(). Thanks to Calvin Walton for suggesting this approach.
+
+Fixes: c8d3fe028f64 ("Btrfs: show subvol= and subvolid= in /proc/mounts")
+CC: stable@vger.kernel.org # 5.4+
+Suggested-by: Calvin Walton <calvin.walton@kepstin.ca>
+Signed-off-by: Johannes Kimmel <kernel@bareminimum.eu>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/super.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -1139,8 +1139,7 @@ static int btrfs_show_options(struct seq
+ subvol_name = btrfs_get_subvol_name_from_objectid(info,
+ btrfs_root_id(BTRFS_I(d_inode(dentry))->root));
+ if (!IS_ERR(subvol_name)) {
+- seq_puts(seq, ",subvol=");
+- seq_escape(seq, subvol_name, " \t\n\\");
++ seq_show_option(seq, "subvol", subvol_name);
+ kfree(subvol_name);
+ }
+ return 0;
--- /dev/null
+From 8e587ab43cb92a9e57f99ea8d6c069ee65863707 Mon Sep 17 00:00:00 2001
+From: Sidong Yang <sidong.yang@furiosa.ai>
+Date: Wed, 19 Mar 2025 11:24:01 +0000
+Subject: btrfs: ioctl: don't free iov when btrfs_encoded_read() returns -EAGAIN
+
+From: Sidong Yang <sidong.yang@furiosa.ai>
+
+commit 8e587ab43cb92a9e57f99ea8d6c069ee65863707 upstream.
+
+Fix a bug in encoded read that mistakenly frees the iov in case
+btrfs_encoded_read() returns -EAGAIN assuming the structure will be
+reused. This can happen when when receiving requests concurrently, the
+io_uring subsystem does not reset the data, and the last free will
+happen in btrfs_uring_read_finished().
+
+Handle the -EAGAIN error and skip freeing iov.
+
+CC: stable@vger.kernel.org # 6.13+
+Signed-off-by: Sidong Yang <sidong.yang@furiosa.ai>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/ioctl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -4903,6 +4903,8 @@ static int btrfs_uring_encoded_read(stru
+
+ ret = btrfs_encoded_read(&kiocb, &data->iter, &data->args, &cached_state,
+ &disk_bytenr, &disk_io_size);
++ if (ret == -EAGAIN)
++ goto out_acct;
+ if (ret < 0 && ret != -EIOCBQUEUED)
+ goto out_free;
+
--- /dev/null
+From 7491cdf46b5cbdf123fc84fbe0a07e9e3d7b7620 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Wed, 16 Apr 2025 16:12:37 +0200
+Subject: cpufreq: Avoid using inconsistent policy->min and policy->max
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit 7491cdf46b5cbdf123fc84fbe0a07e9e3d7b7620 upstream.
+
+Since cpufreq_driver_resolve_freq() can run in parallel with
+cpufreq_set_policy() and there is no synchronization between them,
+the former may access policy->min and policy->max while the latter
+is updating them and it may see intermediate values of them due
+to the way the update is carried out. Also the compiler is free
+to apply any optimizations it wants both to the stores in
+cpufreq_set_policy() and to the loads in cpufreq_driver_resolve_freq()
+which may result in additional inconsistencies.
+
+To address this, use WRITE_ONCE() when updating policy->min and
+policy->max in cpufreq_set_policy() and use READ_ONCE() for reading
+them in cpufreq_driver_resolve_freq(). Moreover, rearrange the update
+in cpufreq_set_policy() to avoid storing intermediate values in
+policy->min and policy->max with the help of the observation that
+their new values are expected to be properly ordered upfront.
+
+Also modify cpufreq_driver_resolve_freq() to take the possible reverse
+ordering of policy->min and policy->max, which may happen depending on
+the ordering of operations when this function and cpufreq_set_policy()
+run concurrently, into account by always honoring the max when it
+turns out to be less than the min (in case it comes from thermal
+throttling or similar).
+
+Fixes: 151717690694 ("cpufreq: Make policy min/max hard requirements")
+Cc: 5.16+ <stable@vger.kernel.org> # 5.16+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Christian Loehle <christian.loehle@arm.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Link: https://patch.msgid.link/5907080.DvuYhMxLoT@rjwysocki.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpufreq/cpufreq.c | 32 +++++++++++++++++++++++++-------
+ 1 file changed, 25 insertions(+), 7 deletions(-)
+
+--- a/drivers/cpufreq/cpufreq.c
++++ b/drivers/cpufreq/cpufreq.c
+@@ -539,8 +539,6 @@ static unsigned int __resolve_freq(struc
+ {
+ unsigned int idx;
+
+- target_freq = clamp_val(target_freq, policy->min, policy->max);
+-
+ if (!policy->freq_table)
+ return target_freq;
+
+@@ -564,7 +562,22 @@ static unsigned int __resolve_freq(struc
+ unsigned int cpufreq_driver_resolve_freq(struct cpufreq_policy *policy,
+ unsigned int target_freq)
+ {
+- return __resolve_freq(policy, target_freq, CPUFREQ_RELATION_LE);
++ unsigned int min = READ_ONCE(policy->min);
++ unsigned int max = READ_ONCE(policy->max);
++
++ /*
++ * If this function runs in parallel with cpufreq_set_policy(), it may
++ * read policy->min before the update and policy->max after the update
++ * or the other way around, so there is no ordering guarantee.
++ *
++ * Resolve this by always honoring the max (in case it comes from
++ * thermal throttling or similar).
++ */
++ if (unlikely(min > max))
++ min = max;
++
++ return __resolve_freq(policy, clamp_val(target_freq, min, max),
++ CPUFREQ_RELATION_LE);
+ }
+ EXPORT_SYMBOL_GPL(cpufreq_driver_resolve_freq);
+
+@@ -2337,6 +2350,7 @@ int __cpufreq_driver_target(struct cpufr
+ if (cpufreq_disabled())
+ return -ENODEV;
+
++ target_freq = clamp_val(target_freq, policy->min, policy->max);
+ target_freq = __resolve_freq(policy, target_freq, relation);
+
+ pr_debug("target for CPU %u: %u kHz, relation %u, requested %u kHz\n",
+@@ -2661,11 +2675,15 @@ static int cpufreq_set_policy(struct cpu
+ * Resolve policy min/max to available frequencies. It ensures
+ * no frequency resolution will neither overshoot the requested maximum
+ * nor undershoot the requested minimum.
++ *
++ * Avoid storing intermediate values in policy->max or policy->min and
++ * compiler optimizations around them because they may be accessed
++ * concurrently by cpufreq_driver_resolve_freq() during the update.
+ */
+- policy->min = new_data.min;
+- policy->max = new_data.max;
+- policy->min = __resolve_freq(policy, policy->min, CPUFREQ_RELATION_L);
+- policy->max = __resolve_freq(policy, policy->max, CPUFREQ_RELATION_H);
++ WRITE_ONCE(policy->max, __resolve_freq(policy, new_data.max, CPUFREQ_RELATION_H));
++ new_data.min = __resolve_freq(policy, new_data.min, CPUFREQ_RELATION_L);
++ WRITE_ONCE(policy->min, new_data.min > policy->max ? policy->max : new_data.min);
++
+ trace_cpu_frequency_limits(policy);
+
+ cpufreq_update_pressure(policy);
--- /dev/null
+From 79443a7e9da3c9f68290a8653837e23aba0fa89f Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Tue, 15 Apr 2025 11:59:15 +0200
+Subject: cpufreq/sched: Explicitly synchronize limits_changed flag handling
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit 79443a7e9da3c9f68290a8653837e23aba0fa89f upstream.
+
+The handling of the limits_changed flag in struct sugov_policy needs to
+be explicitly synchronized to ensure that cpufreq policy limits updates
+will not be missed in some cases.
+
+Without that synchronization it is theoretically possible that
+the limits_changed update in sugov_should_update_freq() will be
+reordered with respect to the reads of the policy limits in
+cpufreq_driver_resolve_freq() and in that case, if the limits_changed
+update in sugov_limits() clobbers the one in sugov_should_update_freq(),
+the new policy limits may not take effect for a long time.
+
+Likewise, the limits_changed update in sugov_limits() may theoretically
+get reordered with respect to the updates of the policy limits in
+cpufreq_set_policy() and if sugov_should_update_freq() runs between
+them, the policy limits change may be missed.
+
+To ensure that the above situations will not take place, add memory
+barriers preventing the reordering in question from taking place and
+add READ_ONCE() and WRITE_ONCE() annotations around all of the
+limits_changed flag updates to prevent the compiler from messing up
+with that code.
+
+Fixes: 600f5badb78c ("cpufreq: schedutil: Don't skip freq update when limits change")
+Cc: 5.3+ <stable@vger.kernel.org> # 5.3+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Christian Loehle <christian.loehle@arm.com>
+Link: https://patch.msgid.link/3376719.44csPzL39Z@rjwysocki.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/cpufreq_schedutil.c | 28 ++++++++++++++++++++++++----
+ 1 file changed, 24 insertions(+), 4 deletions(-)
+
+--- a/kernel/sched/cpufreq_schedutil.c
++++ b/kernel/sched/cpufreq_schedutil.c
+@@ -81,9 +81,20 @@ static bool sugov_should_update_freq(str
+ if (!cpufreq_this_cpu_can_update(sg_policy->policy))
+ return false;
+
+- if (unlikely(sg_policy->limits_changed)) {
+- sg_policy->limits_changed = false;
++ if (unlikely(READ_ONCE(sg_policy->limits_changed))) {
++ WRITE_ONCE(sg_policy->limits_changed, false);
+ sg_policy->need_freq_update = true;
++
++ /*
++ * The above limits_changed update must occur before the reads
++ * of policy limits in cpufreq_driver_resolve_freq() or a policy
++ * limits update might be missed, so use a memory barrier to
++ * ensure it.
++ *
++ * This pairs with the write memory barrier in sugov_limits().
++ */
++ smp_mb();
++
+ return true;
+ }
+
+@@ -377,7 +388,7 @@ static inline bool sugov_hold_freq(struc
+ static inline void ignore_dl_rate_limit(struct sugov_cpu *sg_cpu)
+ {
+ if (cpu_bw_dl(cpu_rq(sg_cpu->cpu)) > sg_cpu->bw_min)
+- sg_cpu->sg_policy->limits_changed = true;
++ WRITE_ONCE(sg_cpu->sg_policy->limits_changed, true);
+ }
+
+ static inline bool sugov_update_single_common(struct sugov_cpu *sg_cpu,
+@@ -883,7 +894,16 @@ static void sugov_limits(struct cpufreq_
+ mutex_unlock(&sg_policy->work_lock);
+ }
+
+- sg_policy->limits_changed = true;
++ /*
++ * The limits_changed update below must take place before the updates
++ * of policy limits in cpufreq_set_policy() or a policy limits update
++ * might be missed, so use a memory barrier to ensure it.
++ *
++ * This pairs with the memory barrier in sugov_should_update_freq().
++ */
++ smp_wmb();
++
++ WRITE_ONCE(sg_policy->limits_changed, true);
+ }
+
+ struct cpufreq_governor schedutil_gov = {
--- /dev/null
+From b7b39df7e710b0068356e4c696af07aa10e2cd3d Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Tue, 8 Apr 2025 13:17:20 +0800
+Subject: crypto: caam/qi - Fix drv_ctx refcount bug
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit b7b39df7e710b0068356e4c696af07aa10e2cd3d upstream.
+
+Ensure refcount is raised before request is enqueued since it could
+be dequeued before the call returns.
+
+Reported-by: Sean Anderson <sean.anderson@linux.dev>
+Cc: <stable@vger.kernel.org>
+Fixes: 11144416a755 ("crypto: caam/qi - optimize frame queue cleanup")
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
+Tested-by: Sean Anderson <sean.anderson@linux.dev>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/caam/qi.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/crypto/caam/qi.c
++++ b/drivers/crypto/caam/qi.c
+@@ -122,12 +122,12 @@ int caam_qi_enqueue(struct device *qidev
+ qm_fd_addr_set64(&fd, addr);
+
+ do {
++ refcount_inc(&req->drv_ctx->refcnt);
+ ret = qman_enqueue(req->drv_ctx->req_fq, &fd);
+- if (likely(!ret)) {
+- refcount_inc(&req->drv_ctx->refcnt);
++ if (likely(!ret))
+ return 0;
+- }
+
++ refcount_dec(&req->drv_ctx->refcnt);
+ if (ret != -EBUSY)
+ break;
+ num_retries++;
--- /dev/null
+From bb5e07cb927724e0b47be371fa081141cfb14414 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kovalev <kovalev@altlinux.org>
+Date: Sat, 19 Oct 2024 22:13:03 +0300
+Subject: hfs/hfsplus: fix slab-out-of-bounds in hfs_bnode_read_key
+
+From: Vasiliy Kovalev <kovalev@altlinux.org>
+
+commit bb5e07cb927724e0b47be371fa081141cfb14414 upstream.
+
+Syzbot reported an issue in hfs subsystem:
+
+BUG: KASAN: slab-out-of-bounds in memcpy_from_page include/linux/highmem.h:423 [inline]
+BUG: KASAN: slab-out-of-bounds in hfs_bnode_read fs/hfs/bnode.c:35 [inline]
+BUG: KASAN: slab-out-of-bounds in hfs_bnode_read_key+0x314/0x450 fs/hfs/bnode.c:70
+Write of size 94 at addr ffff8880123cd100 by task syz-executor237/5102
+
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:377 [inline]
+ print_report+0x169/0x550 mm/kasan/report.c:488
+ kasan_report+0x143/0x180 mm/kasan/report.c:601
+ kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
+ __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
+ memcpy_from_page include/linux/highmem.h:423 [inline]
+ hfs_bnode_read fs/hfs/bnode.c:35 [inline]
+ hfs_bnode_read_key+0x314/0x450 fs/hfs/bnode.c:70
+ hfs_brec_insert+0x7f3/0xbd0 fs/hfs/brec.c:159
+ hfs_cat_create+0x41d/0xa50 fs/hfs/catalog.c:118
+ hfs_mkdir+0x6c/0xe0 fs/hfs/dir.c:232
+ vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257
+ do_mkdirat+0x264/0x3a0 fs/namei.c:4280
+ __do_sys_mkdir fs/namei.c:4300 [inline]
+ __se_sys_mkdir fs/namei.c:4298 [inline]
+ __x64_sys_mkdir+0x6c/0x80 fs/namei.c:4298
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7fbdd6057a99
+
+Add a check for key length in hfs_bnode_read_key to prevent
+out-of-bounds memory access. If the key length is invalid, the
+key buffer is cleared, improving stability and reliability.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+5f3a973ed3dfb85a6683@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=5f3a973ed3dfb85a6683
+Cc: stable@vger.kernel.org
+Signed-off-by: Vasiliy Kovalev <kovalev@altlinux.org>
+Link: https://lore.kernel.org/20241019191303.24048-1-kovalev@altlinux.org
+Reviewed-by: Cengiz Can <cengiz.can@canonical.com>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/hfs/bnode.c | 6 ++++++
+ fs/hfsplus/bnode.c | 6 ++++++
+ 2 files changed, 12 insertions(+)
+
+--- a/fs/hfs/bnode.c
++++ b/fs/hfs/bnode.c
+@@ -67,6 +67,12 @@ void hfs_bnode_read_key(struct hfs_bnode
+ else
+ key_len = tree->max_key_len + 1;
+
++ if (key_len > sizeof(hfs_btree_key) || key_len < 1) {
++ memset(key, 0, sizeof(hfs_btree_key));
++ pr_err("hfs: Invalid key length: %d\n", key_len);
++ return;
++ }
++
+ hfs_bnode_read(node, key, off, key_len);
+ }
+
+--- a/fs/hfsplus/bnode.c
++++ b/fs/hfsplus/bnode.c
+@@ -67,6 +67,12 @@ void hfs_bnode_read_key(struct hfs_bnode
+ else
+ key_len = tree->max_key_len + 2;
+
++ if (key_len > sizeof(hfsplus_btree_key) || key_len < 1) {
++ memset(key, 0, sizeof(hfsplus_btree_key));
++ pr_err("hfsplus: Invalid key length: %d\n", key_len);
++ return;
++ }
++
+ hfs_bnode_read(node, key, off, key_len);
+ }
+
--- /dev/null
+From 424eafe65647a8d6c690284536e711977153195a Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Date: Mon, 7 Apr 2025 17:33:34 -0300
+Subject: i2c: cros-ec-tunnel: defer probe if parent EC is not present
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+commit 424eafe65647a8d6c690284536e711977153195a upstream.
+
+When i2c-cros-ec-tunnel and the EC driver are built-in, the EC parent
+device will not be found, leading to NULL pointer dereference.
+
+That can also be reproduced by unbinding the controller driver and then
+loading i2c-cros-ec-tunnel module (or binding the device).
+
+[ 271.991245] BUG: kernel NULL pointer dereference, address: 0000000000000058
+[ 271.998215] #PF: supervisor read access in kernel mode
+[ 272.003351] #PF: error_code(0x0000) - not-present page
+[ 272.008485] PGD 0 P4D 0
+[ 272.011022] Oops: Oops: 0000 [#1] SMP NOPTI
+[ 272.015207] CPU: 0 UID: 0 PID: 3859 Comm: insmod Tainted: G S 6.15.0-rc1-00004-g44722359ed83 #30 PREEMPT(full) 3c7fb39a552e7d949de2ad921a7d6588d3a4fdc5
+[ 272.030312] Tainted: [S]=CPU_OUT_OF_SPEC
+[ 272.034233] Hardware name: HP Berknip/Berknip, BIOS Google_Berknip.13434.356.0 05/17/2021
+[ 272.042400] RIP: 0010:ec_i2c_probe+0x2b/0x1c0 [i2c_cros_ec_tunnel]
+[ 272.048577] Code: 1f 44 00 00 41 57 41 56 41 55 41 54 53 48 83 ec 10 65 48 8b 05 06 a0 6c e7 48 89 44 24 08 4c 8d 7f 10 48 8b 47 50 4c 8b 60 78 <49> 83 7c 24 58 00 0f 84 2f 01 00 00 48 89 fb be 30 06 00 00 4c 9
+[ 272.067317] RSP: 0018:ffffa32082a03940 EFLAGS: 00010282
+[ 272.072541] RAX: ffff969580b6a810 RBX: ffff969580b68c10 RCX: 0000000000000000
+[ 272.079672] RDX: 0000000000000000 RSI: 0000000000000282 RDI: ffff969580b68c00
+[ 272.086804] RBP: 00000000fffffdfb R08: 0000000000000000 R09: 0000000000000000
+[ 272.093936] R10: 0000000000000000 R11: ffffffffc0600000 R12: 0000000000000000
+[ 272.101067] R13: ffffffffa666fbb8 R14: ffffffffc05b5528 R15: ffff969580b68c10
+[ 272.108198] FS: 00007b930906fc40(0000) GS:ffff969603149000(0000) knlGS:0000000000000000
+[ 272.116282] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 272.122024] CR2: 0000000000000058 CR3: 000000012631c000 CR4: 00000000003506f0
+[ 272.129155] Call Trace:
+[ 272.131606] <TASK>
+[ 272.133709] ? acpi_dev_pm_attach+0xdd/0x110
+[ 272.137985] platform_probe+0x69/0xa0
+[ 272.141652] really_probe+0x152/0x310
+[ 272.145318] __driver_probe_device+0x77/0x110
+[ 272.149678] driver_probe_device+0x1e/0x190
+[ 272.153864] __driver_attach+0x10b/0x1e0
+[ 272.157790] ? driver_attach+0x20/0x20
+[ 272.161542] bus_for_each_dev+0x107/0x150
+[ 272.165553] bus_add_driver+0x15d/0x270
+[ 272.169392] driver_register+0x65/0x110
+[ 272.173232] ? cleanup_module+0xa80/0xa80 [i2c_cros_ec_tunnel 3a00532f3f4af4a9eade753f86b0f8dd4e4e5698]
+[ 272.182617] do_one_initcall+0x110/0x350
+[ 272.186543] ? security_kernfs_init_security+0x49/0xd0
+[ 272.191682] ? __kernfs_new_node+0x1b9/0x240
+[ 272.195954] ? security_kernfs_init_security+0x49/0xd0
+[ 272.201093] ? __kernfs_new_node+0x1b9/0x240
+[ 272.205365] ? kernfs_link_sibling+0x105/0x130
+[ 272.209810] ? kernfs_next_descendant_post+0x1c/0xa0
+[ 272.214773] ? kernfs_activate+0x57/0x70
+[ 272.218699] ? kernfs_add_one+0x118/0x160
+[ 272.222710] ? __kernfs_create_file+0x71/0xa0
+[ 272.227069] ? sysfs_add_bin_file_mode_ns+0xd6/0x110
+[ 272.232033] ? internal_create_group+0x453/0x4a0
+[ 272.236651] ? __vunmap_range_noflush+0x214/0x2d0
+[ 272.241355] ? __free_frozen_pages+0x1dc/0x420
+[ 272.245799] ? free_vmap_area_noflush+0x10a/0x1c0
+[ 272.250505] ? load_module+0x1509/0x16f0
+[ 272.254431] do_init_module+0x60/0x230
+[ 272.258181] __se_sys_finit_module+0x27a/0x370
+[ 272.262627] do_syscall_64+0x6a/0xf0
+[ 272.266206] ? do_syscall_64+0x76/0xf0
+[ 272.269956] ? irqentry_exit_to_user_mode+0x79/0x90
+[ 272.274836] entry_SYSCALL_64_after_hwframe+0x55/0x5d
+[ 272.279887] RIP: 0033:0x7b9309168d39
+[ 272.283466] Code: 5b 41 5c 5d c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d af 40 0c 00 f7 d8 64 89 01 8
+[ 272.302210] RSP: 002b:00007fff50f1a288 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+[ 272.309774] RAX: ffffffffffffffda RBX: 000058bf9b50f6d0 RCX: 00007b9309168d39
+[ 272.316905] RDX: 0000000000000000 RSI: 000058bf6c103a77 RDI: 0000000000000003
+[ 272.324036] RBP: 00007fff50f1a2e0 R08: 00007fff50f19218 R09: 0000000021ec4150
+[ 272.331166] R10: 000058bf9b50f7f0 R11: 0000000000000246 R12: 0000000000000000
+[ 272.338296] R13: 00000000fffffffe R14: 0000000000000000 R15: 000058bf6c103a77
+[ 272.345428] </TASK>
+[ 272.347617] Modules linked in: i2c_cros_ec_tunnel(+)
+[ 272.364585] gsmi: Log Shutdown Reason 0x03
+
+Returning -EPROBE_DEFER will allow the device to be bound once the
+controller is bound, in the case of built-in drivers.
+
+Fixes: 9d230c9e4f4e ("i2c: ChromeOS EC tunnel driver")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Cc: <stable@vger.kernel.org> # v3.16+
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/20250407-null-ec-parent-v1-1-f7dda62d3110@igalia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-cros-ec-tunnel.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/i2c/busses/i2c-cros-ec-tunnel.c
++++ b/drivers/i2c/busses/i2c-cros-ec-tunnel.c
+@@ -247,6 +247,9 @@ static int ec_i2c_probe(struct platform_
+ u32 remote_bus;
+ int err;
+
++ if (!ec)
++ return dev_err_probe(dev, -EPROBE_DEFER, "couldn't find parent EC device\n");
++
+ if (!ec->cmd_xfer) {
+ dev_err(dev, "Missing sendrecv\n");
+ return -EINVAL;
--- /dev/null
+From 0405d4b63d082861f4eaff9d39c78ee9dc34f845 Mon Sep 17 00:00:00 2001
+From: Edward Adam Davis <eadavis@qq.com>
+Date: Fri, 4 Apr 2025 13:31:29 +0800
+Subject: isofs: Prevent the use of too small fid
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+commit 0405d4b63d082861f4eaff9d39c78ee9dc34f845 upstream.
+
+syzbot reported a slab-out-of-bounds Read in isofs_fh_to_parent. [1]
+
+The handle_bytes value passed in by the reproducing program is equal to 12.
+In handle_to_path(), only 12 bytes of memory are allocated for the structure
+file_handle->f_handle member, which causes an out-of-bounds access when
+accessing the member parent_block of the structure isofs_fid in isofs,
+because accessing parent_block requires at least 16 bytes of f_handle.
+Here, fh_len is used to indirectly confirm that the value of handle_bytes
+is greater than 3 before accessing parent_block.
+
+[1]
+BUG: KASAN: slab-out-of-bounds in isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183
+Read of size 4 at addr ffff0000cc030d94 by task syz-executor215/6466
+CPU: 1 UID: 0 PID: 6466 Comm: syz-executor215 Not tainted 6.14.0-rc7-syzkaller-ga2392f333575 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
+Call trace:
+ show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:408 [inline]
+ print_report+0x198/0x550 mm/kasan/report.c:521
+ kasan_report+0xd8/0x138 mm/kasan/report.c:634
+ __asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380
+ isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183
+ exportfs_decode_fh_raw+0x2dc/0x608 fs/exportfs/expfs.c:523
+ do_handle_to_path+0xa0/0x198 fs/fhandle.c:257
+ handle_to_path fs/fhandle.c:385 [inline]
+ do_handle_open+0x8cc/0xb8c fs/fhandle.c:403
+ __do_sys_open_by_handle_at fs/fhandle.c:443 [inline]
+ __se_sys_open_by_handle_at fs/fhandle.c:434 [inline]
+ __arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434
+ __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
+ invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
+ el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
+ do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
+ el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
+ el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
+ el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
+
+Allocated by task 6466:
+ kasan_save_stack mm/kasan/common.c:47 [inline]
+ kasan_save_track+0x40/0x78 mm/kasan/common.c:68
+ kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:562
+ poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
+ __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:394
+ kasan_kmalloc include/linux/kasan.h:260 [inline]
+ __do_kmalloc_node mm/slub.c:4294 [inline]
+ __kmalloc_noprof+0x32c/0x54c mm/slub.c:4306
+ kmalloc_noprof include/linux/slab.h:905 [inline]
+ handle_to_path fs/fhandle.c:357 [inline]
+ do_handle_open+0x5a4/0xb8c fs/fhandle.c:403
+ __do_sys_open_by_handle_at fs/fhandle.c:443 [inline]
+ __se_sys_open_by_handle_at fs/fhandle.c:434 [inline]
+ __arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434
+ __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
+ invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
+ el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
+ do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
+ el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
+ el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
+ el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
+
+Reported-by: syzbot+4d7cd7dd0ce1aa8d5c65@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=4d7cd7dd0ce1aa8d5c65
+Tested-by: syzbot+4d7cd7dd0ce1aa8d5c65@syzkaller.appspotmail.com
+CC: stable@vger.kernel.org
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://patch.msgid.link/tencent_9C8CB8A7E7C6C512C7065DC98B6EDF6EC606@qq.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/isofs/export.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/isofs/export.c
++++ b/fs/isofs/export.c
+@@ -180,7 +180,7 @@ static struct dentry *isofs_fh_to_parent
+ return NULL;
+
+ return isofs_export_iget(sb,
+- fh_len > 2 ? ifid->parent_block : 0,
++ fh_len > 3 ? ifid->parent_block : 0,
+ ifid->parent_offset,
+ fh_len > 4 ? ifid->parent_generation : 0);
+ }
--- /dev/null
+From 1e440d5b25b7efccb3defe542a73c51005799a5f Mon Sep 17 00:00:00 2001
+From: Sean Heelan <seanheelan@gmail.com>
+Date: Mon, 7 Apr 2025 11:26:50 +0000
+Subject: ksmbd: Fix dangling pointer in krb_authenticate
+
+From: Sean Heelan <seanheelan@gmail.com>
+
+commit 1e440d5b25b7efccb3defe542a73c51005799a5f upstream.
+
+krb_authenticate frees sess->user and does not set the pointer
+to NULL. It calls ksmbd_krb5_authenticate to reinitialise
+sess->user but that function may return without doing so. If
+that happens then smb2_sess_setup, which calls krb_authenticate,
+will be accessing free'd memory when it later uses sess->user.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Heelan <seanheelan@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -1602,8 +1602,10 @@ static int krb5_authenticate(struct ksmb
+ if (prev_sess_id && prev_sess_id != sess->id)
+ destroy_previous_session(conn, sess->user, prev_sess_id);
+
+- if (sess->state == SMB2_SESSION_VALID)
++ if (sess->state == SMB2_SESSION_VALID) {
+ ksmbd_free_user(sess->user);
++ sess->user = NULL;
++ }
+
+ retval = ksmbd_krb5_authenticate(sess, in_blob, in_len,
+ out_blob, &out_len);
--- /dev/null
+From b37f2f332b40ad1c27f18682a495850f2f04db0a Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Tue, 15 Apr 2025 09:31:08 +0900
+Subject: ksmbd: fix the warning from __kernel_write_iter
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit b37f2f332b40ad1c27f18682a495850f2f04db0a upstream.
+
+[ 2110.972290] ------------[ cut here ]------------
+[ 2110.972301] WARNING: CPU: 3 PID: 735 at fs/read_write.c:599 __kernel_write_iter+0x21b/0x280
+
+This patch doesn't allow writing to directory.
+
+Cc: stable@vger.kernel.org
+Reported-by: Norbert Szetei <norbert@doyensec.com>
+Tested-by: Norbert Szetei <norbert@doyensec.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/vfs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/server/vfs.c
++++ b/fs/smb/server/vfs.c
+@@ -496,7 +496,8 @@ int ksmbd_vfs_write(struct ksmbd_work *w
+ int err = 0;
+
+ if (work->conn->connection_type) {
+- if (!(fp->daccess & (FILE_WRITE_DATA_LE | FILE_APPEND_DATA_LE))) {
++ if (!(fp->daccess & (FILE_WRITE_DATA_LE | FILE_APPEND_DATA_LE)) ||
++ S_ISDIR(file_inode(fp->filp)->i_mode)) {
+ pr_err("no right to write(%pD)\n", fp->filp);
+ err = -EACCES;
+ goto out;
--- /dev/null
+From 21a4e47578d44c6b37c4fc4aba8ed7cc8dbb13de Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Fri, 11 Apr 2025 15:19:46 +0900
+Subject: ksmbd: fix use-after-free in __smb2_lease_break_noti()
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 21a4e47578d44c6b37c4fc4aba8ed7cc8dbb13de upstream.
+
+Move tcp_transport free to ksmbd_conn_free. If ksmbd connection is
+referenced when ksmbd server thread terminates, It will not be freed,
+but conn->tcp_transport is freed. __smb2_lease_break_noti can be performed
+asynchronously when the connection is disconnected. __smb2_lease_break_noti
+calls ksmbd_conn_write, which can cause use-after-free
+when conn->ksmbd_transport is already freed.
+
+Cc: stable@vger.kernel.org
+Reported-by: Norbert Szetei <norbert@doyensec.com>
+Tested-by: Norbert Szetei <norbert@doyensec.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/connection.c | 4 +++-
+ fs/smb/server/transport_tcp.c | 14 +++++++++-----
+ fs/smb/server/transport_tcp.h | 1 +
+ 3 files changed, 13 insertions(+), 6 deletions(-)
+
+--- a/fs/smb/server/connection.c
++++ b/fs/smb/server/connection.c
+@@ -39,8 +39,10 @@ void ksmbd_conn_free(struct ksmbd_conn *
+ xa_destroy(&conn->sessions);
+ kvfree(conn->request_buf);
+ kfree(conn->preauth_info);
+- if (atomic_dec_and_test(&conn->refcnt))
++ if (atomic_dec_and_test(&conn->refcnt)) {
++ ksmbd_free_transport(conn->transport);
+ kfree(conn);
++ }
+ }
+
+ /**
+--- a/fs/smb/server/transport_tcp.c
++++ b/fs/smb/server/transport_tcp.c
+@@ -93,17 +93,21 @@ static struct tcp_transport *alloc_trans
+ return t;
+ }
+
+-static void free_transport(struct tcp_transport *t)
++void ksmbd_free_transport(struct ksmbd_transport *kt)
+ {
+- kernel_sock_shutdown(t->sock, SHUT_RDWR);
+- sock_release(t->sock);
+- t->sock = NULL;
++ struct tcp_transport *t = TCP_TRANS(kt);
+
+- ksmbd_conn_free(KSMBD_TRANS(t)->conn);
++ sock_release(t->sock);
+ kfree(t->iov);
+ kfree(t);
+ }
+
++static void free_transport(struct tcp_transport *t)
++{
++ kernel_sock_shutdown(t->sock, SHUT_RDWR);
++ ksmbd_conn_free(KSMBD_TRANS(t)->conn);
++}
++
+ /**
+ * kvec_array_init() - initialize a IO vector segment
+ * @new: IO vector to be initialized
+--- a/fs/smb/server/transport_tcp.h
++++ b/fs/smb/server/transport_tcp.h
+@@ -8,6 +8,7 @@
+
+ int ksmbd_tcp_set_interfaces(char *ifc_list, int ifc_list_sz);
+ struct interface *ksmbd_find_netdev_name_iface_list(char *netdev_name);
++void ksmbd_free_transport(struct ksmbd_transport *kt);
+ int ksmbd_tcp_init(void);
+ void ksmbd_tcp_destroy(void);
+
--- /dev/null
+From 18b4fac5ef17f77fed9417d22210ceafd6525fc7 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Tue, 15 Apr 2025 09:30:21 +0900
+Subject: ksmbd: fix use-after-free in smb_break_all_levII_oplock()
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 18b4fac5ef17f77fed9417d22210ceafd6525fc7 upstream.
+
+There is a room in smb_break_all_levII_oplock that can cause racy issues
+when unlocking in the middle of the loop. This patch use read lock
+to protect whole loop.
+
+Cc: stable@vger.kernel.org
+Reported-by: Norbert Szetei <norbert@doyensec.com>
+Tested-by: Norbert Szetei <norbert@doyensec.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/oplock.c | 29 +++++++++--------------------
+ fs/smb/server/oplock.h | 1 -
+ 2 files changed, 9 insertions(+), 21 deletions(-)
+
+--- a/fs/smb/server/oplock.c
++++ b/fs/smb/server/oplock.c
+@@ -129,14 +129,6 @@ static void free_opinfo(struct oplock_in
+ kfree(opinfo);
+ }
+
+-static inline void opinfo_free_rcu(struct rcu_head *rcu_head)
+-{
+- struct oplock_info *opinfo;
+-
+- opinfo = container_of(rcu_head, struct oplock_info, rcu_head);
+- free_opinfo(opinfo);
+-}
+-
+ struct oplock_info *opinfo_get(struct ksmbd_file *fp)
+ {
+ struct oplock_info *opinfo;
+@@ -157,8 +149,8 @@ static struct oplock_info *opinfo_get_li
+ if (list_empty(&ci->m_op_list))
+ return NULL;
+
+- rcu_read_lock();
+- opinfo = list_first_or_null_rcu(&ci->m_op_list, struct oplock_info,
++ down_read(&ci->m_lock);
++ opinfo = list_first_entry(&ci->m_op_list, struct oplock_info,
+ op_entry);
+ if (opinfo) {
+ if (opinfo->conn == NULL ||
+@@ -171,8 +163,7 @@ static struct oplock_info *opinfo_get_li
+ }
+ }
+ }
+-
+- rcu_read_unlock();
++ up_read(&ci->m_lock);
+
+ return opinfo;
+ }
+@@ -185,7 +176,7 @@ void opinfo_put(struct oplock_info *opin
+ if (!atomic_dec_and_test(&opinfo->refcount))
+ return;
+
+- call_rcu(&opinfo->rcu_head, opinfo_free_rcu);
++ free_opinfo(opinfo);
+ }
+
+ static void opinfo_add(struct oplock_info *opinfo)
+@@ -193,7 +184,7 @@ static void opinfo_add(struct oplock_inf
+ struct ksmbd_inode *ci = opinfo->o_fp->f_ci;
+
+ down_write(&ci->m_lock);
+- list_add_rcu(&opinfo->op_entry, &ci->m_op_list);
++ list_add(&opinfo->op_entry, &ci->m_op_list);
+ up_write(&ci->m_lock);
+ }
+
+@@ -207,7 +198,7 @@ static void opinfo_del(struct oplock_inf
+ write_unlock(&lease_list_lock);
+ }
+ down_write(&ci->m_lock);
+- list_del_rcu(&opinfo->op_entry);
++ list_del(&opinfo->op_entry);
+ up_write(&ci->m_lock);
+ }
+
+@@ -1347,8 +1338,8 @@ void smb_break_all_levII_oplock(struct k
+ ci = fp->f_ci;
+ op = opinfo_get(fp);
+
+- rcu_read_lock();
+- list_for_each_entry_rcu(brk_op, &ci->m_op_list, op_entry) {
++ down_read(&ci->m_lock);
++ list_for_each_entry(brk_op, &ci->m_op_list, op_entry) {
+ if (brk_op->conn == NULL)
+ continue;
+
+@@ -1358,7 +1349,6 @@ void smb_break_all_levII_oplock(struct k
+ if (ksmbd_conn_releasing(brk_op->conn))
+ continue;
+
+- rcu_read_unlock();
+ if (brk_op->is_lease && (brk_op->o_lease->state &
+ (~(SMB2_LEASE_READ_CACHING_LE |
+ SMB2_LEASE_HANDLE_CACHING_LE)))) {
+@@ -1388,9 +1378,8 @@ void smb_break_all_levII_oplock(struct k
+ oplock_break(brk_op, SMB2_OPLOCK_LEVEL_NONE, NULL);
+ next:
+ opinfo_put(brk_op);
+- rcu_read_lock();
+ }
+- rcu_read_unlock();
++ up_read(&ci->m_lock);
+
+ if (op)
+ opinfo_put(op);
+--- a/fs/smb/server/oplock.h
++++ b/fs/smb/server/oplock.h
+@@ -71,7 +71,6 @@ struct oplock_info {
+ struct list_head lease_entry;
+ wait_queue_head_t oplock_q; /* Other server threads */
+ wait_queue_head_t oplock_brk; /* oplock breaking wait */
+- struct rcu_head rcu_head;
+ };
+
+ struct lease_break_info {
--- /dev/null
+From a93ff742820f75bf8bb3fcf21d9f25ca6eb3d4c6 Mon Sep 17 00:00:00 2001
+From: Denis Arefev <arefev@swemel.ru>
+Date: Wed, 9 Apr 2025 12:04:49 +0300
+Subject: ksmbd: Prevent integer overflow in calculation of deadtime
+
+From: Denis Arefev <arefev@swemel.ru>
+
+commit a93ff742820f75bf8bb3fcf21d9f25ca6eb3d4c6 upstream.
+
+The user can set any value for 'deadtime'. This affects the arithmetic
+expression 'req->deadtime * SMB_ECHO_INTERVAL', which is subject to
+overflow. The added check makes the server behavior more predictable.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
+Cc: stable@vger.kernel.org
+Signed-off-by: Denis Arefev <arefev@swemel.ru>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/transport_ipc.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/server/transport_ipc.c
++++ b/fs/smb/server/transport_ipc.c
+@@ -310,7 +310,11 @@ static int ipc_server_config_on_startup(
+ server_conf.signing = req->signing;
+ server_conf.tcp_port = req->tcp_port;
+ server_conf.ipc_timeout = req->ipc_timeout * HZ;
+- server_conf.deadtime = req->deadtime * SMB_ECHO_INTERVAL;
++ if (check_mul_overflow(req->deadtime, SMB_ECHO_INTERVAL,
++ &server_conf.deadtime)) {
++ ret = -EINVAL;
++ goto out;
++ }
+ server_conf.share_fake_fscaps = req->share_fake_fscaps;
+ ksmbd_init_domain(req->sub_auth);
+
+@@ -337,6 +341,7 @@ static int ipc_server_config_on_startup(
+ server_conf.bind_interfaces_only = req->bind_interfaces_only;
+ ret |= ksmbd_tcp_set_interfaces(KSMBD_STARTUP_CONFIG_INTERFACES(req),
+ req->ifc_list_sz);
++out:
+ if (ret) {
+ pr_err("Server configuration error: %s %s %s\n",
+ req->netbios_name, req->server_string,
--- /dev/null
+From 770c8d55c42868239c748a3ebc57c9e37755f842 Mon Sep 17 00:00:00 2001
+From: Sheng Yong <shengyong1@xiaomi.com>
+Date: Tue, 1 Apr 2025 22:47:12 +0800
+Subject: lib/iov_iter: fix to increase non slab folio refcount
+
+From: Sheng Yong <shengyong1@xiaomi.com>
+
+commit 770c8d55c42868239c748a3ebc57c9e37755f842 upstream.
+
+When testing EROFS file-backed mount over v9fs on qemu, I encountered a
+folio UAF issue. The page sanity check reports the following call trace.
+The root cause is that pages in bvec are coalesced across a folio bounary.
+The refcount of all non-slab folios should be increased to ensure
+p9_releas_pages can put them correctly.
+
+BUG: Bad page state in process md5sum pfn:18300
+page: refcount:0 mapcount:0 mapping:00000000d5ad8e4e index:0x60 pfn:0x18300
+head: order:0 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+aops:z_erofs_aops ino:30b0f dentry name(?):"GoogleExtServicesCn.apk"
+flags: 0x100000000000041(locked|head|node=0|zone=1)
+raw: 0100000000000041 dead000000000100 dead000000000122 ffff888014b13bd0
+raw: 0000000000000060 0000000000000020 00000000ffffffff 0000000000000000
+head: 0100000000000041 dead000000000100 dead000000000122 ffff888014b13bd0
+head: 0000000000000060 0000000000000020 00000000ffffffff 0000000000000000
+head: 0100000000000000 0000000000000000 ffffffffffffffff 0000000000000000
+head: 0000000000000010 0000000000000000 00000000ffffffff 0000000000000000
+page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
+Call Trace:
+ dump_stack_lvl+0x53/0x70
+ bad_page+0xd4/0x220
+ __free_pages_ok+0x76d/0xf30
+ __folio_put+0x230/0x320
+ p9_release_pages+0x179/0x1f0
+ p9_virtio_zc_request+0xa2a/0x1230
+ p9_client_zc_rpc.constprop.0+0x247/0x700
+ p9_client_read_once+0x34d/0x810
+ p9_client_read+0xf3/0x150
+ v9fs_issue_read+0x111/0x360
+ netfs_unbuffered_read_iter_locked+0x927/0x1390
+ netfs_unbuffered_read_iter+0xa2/0xe0
+ vfs_iocb_iter_read+0x2c7/0x460
+ erofs_fileio_rq_submit+0x46b/0x5b0
+ z_erofs_runqueue+0x1203/0x21e0
+ z_erofs_readahead+0x579/0x8b0
+ read_pages+0x19f/0xa70
+ page_cache_ra_order+0x4ad/0xb80
+ filemap_readahead.isra.0+0xe7/0x150
+ filemap_get_pages+0x7aa/0x1890
+ filemap_read+0x320/0xc80
+ vfs_read+0x6c6/0xa30
+ ksys_read+0xf9/0x1c0
+ do_syscall_64+0x9e/0x1a0
+ entry_SYSCALL_64_after_hwframe+0x71/0x79
+
+Link: https://lkml.kernel.org/r/20250401144712.1377719-1-shengyong1@xiaomi.com
+Fixes: b9c0e49abfca ("mm: decline to manipulate the refcount on a slab page")
+Signed-off-by: Sheng Yong <shengyong1@xiaomi.com>
+Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/iov_iter.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/iov_iter.c b/lib/iov_iter.c
+index 8c7fdb7d8c8f..bc9391e55d57 100644
+--- a/lib/iov_iter.c
++++ b/lib/iov_iter.c
+@@ -1191,7 +1191,7 @@ static ssize_t __iov_iter_get_pages_alloc(struct iov_iter *i,
+ return -ENOMEM;
+ p = *pages;
+ for (int k = 0; k < n; k++) {
+- struct folio *folio = page_folio(page);
++ struct folio *folio = page_folio(page + k);
+ p[k] = page + k;
+ if (!folio_test_slab(folio))
+ folio_get(folio);
+--
+2.49.0
+
--- /dev/null
+From 0dba7a05b9e47d8b546399117b0ddf2426dc6042 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= <thomas.weissschuh@linutronix.de>
+Date: Tue, 15 Apr 2025 16:55:06 +0200
+Subject: loop: LOOP_SET_FD: send uevents for partitions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+
+commit 0dba7a05b9e47d8b546399117b0ddf2426dc6042 upstream.
+
+Remove the suppression of the uevents before scanning for partitions.
+The partitions inherit their suppression settings from their parent device,
+which lead to the uevents being dropped.
+
+This is similar to the same changes for LOOP_CONFIGURE done in
+commit bb430b694226 ("loop: LOOP_CONFIGURE: send uevents for partitions").
+
+Fixes: 498ef5c777d9 ("loop: suppress uevents while reconfiguring the device")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20250415-loop-uevent-changed-v3-1-60ff69ac6088@linutronix.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/loop.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -572,12 +572,12 @@ static int loop_change_fd(struct loop_de
+ * dependency.
+ */
+ fput(old_file);
++ dev_set_uevent_suppress(disk_to_dev(lo->lo_disk), 0);
+ if (partscan)
+ loop_reread_partitions(lo);
+
+ error = 0;
+ done:
+- dev_set_uevent_suppress(disk_to_dev(lo->lo_disk), 0);
+ kobject_uevent(&disk_to_dev(lo->lo_disk)->kobj, KOBJ_CHANGE);
+ return error;
+
+@@ -585,6 +585,7 @@ out_err:
+ loop_global_unlock(lo, is_loop);
+ out_putf:
+ fput(file);
++ dev_set_uevent_suppress(disk_to_dev(lo->lo_disk), 0);
+ goto done;
+ }
+
--- /dev/null
+From e7bc0010ceb403d025100698586c8e760921d471 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= <thomas.weissschuh@linutronix.de>
+Date: Tue, 15 Apr 2025 10:51:47 +0200
+Subject: loop: properly send KOBJ_CHANGED uevent for disk device
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+
+commit e7bc0010ceb403d025100698586c8e760921d471 upstream.
+
+The original commit message and the wording "uncork" in the code comment
+indicate that it is expected that the suppressed event instances are
+automatically sent after unsuppressing.
+This is not the case, instead they are discarded.
+In effect this means that no "changed" events are emitted on the device
+itself by default.
+While each discovered partition does trigger a changed event on the
+device, devices without partitions don't have any event emitted.
+
+This makes udev miss the device creation and prompted workarounds in
+userspace. See the linked util-linux/losetup bug.
+
+Explicitly emit the events and drop the confusingly worded comments.
+
+Link: https://github.com/util-linux/util-linux/issues/2434
+Fixes: 498ef5c777d9 ("loop: suppress uevents while reconfiguring the device")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
+Link: https://lore.kernel.org/r/20250415-loop-uevent-changed-v2-1-0c4e6a923b2a@linutronix.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/loop.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -577,8 +577,8 @@ static int loop_change_fd(struct loop_de
+
+ error = 0;
+ done:
+- /* enable and uncork uevent now that we are done */
+ dev_set_uevent_suppress(disk_to_dev(lo->lo_disk), 0);
++ kobject_uevent(&disk_to_dev(lo->lo_disk)->kobj, KOBJ_CHANGE);
+ return error;
+
+ out_err:
+@@ -1038,8 +1038,8 @@ static int loop_configure(struct loop_de
+ if (partscan)
+ clear_bit(GD_SUPPRESS_PART_SCAN, &lo->lo_disk->state);
+
+- /* enable and uncork uevent now that we are done */
+ dev_set_uevent_suppress(disk_to_dev(lo->lo_disk), 0);
++ kobject_uevent(&disk_to_dev(lo->lo_disk)->kobj, KOBJ_CHANGE);
+
+ loop_global_unlock(lo, is_loop);
+ if (partscan)
--- /dev/null
+From a84edd52f0a0fa193f0f685769939cf84510755b Mon Sep 17 00:00:00 2001
+From: "Vishal Moola (Oracle)" <vishal.moola@gmail.com>
+Date: Mon, 31 Mar 2025 19:10:24 -0700
+Subject: mm/compaction: fix bug in hugetlb handling pathway
+
+From: Vishal Moola (Oracle) <vishal.moola@gmail.com>
+
+commit a84edd52f0a0fa193f0f685769939cf84510755b upstream.
+
+The compaction code doesn't take references on pages until we're certain
+we should attempt to handle it.
+
+In the hugetlb case, isolate_or_dissolve_huge_page() may return -EBUSY
+without taking a reference to the folio associated with our pfn. If our
+folio's refcount drops to 0, compound_nr() becomes unpredictable, making
+low_pfn and nr_scanned unreliable. The user-visible effect is minimal -
+this should rarely happen (if ever).
+
+Fix this by storing the folio statistics earlier on the stack (just like
+the THP and Buddy cases).
+
+Also revert commit 66fe1cf7f581 ("mm: compaction: use helper compound_nr
+in isolate_migratepages_block") to make backporting easier.
+
+Link: https://lkml.kernel.org/r/20250401021025.637333-1-vishal.moola@gmail.com
+Fixes: 369fa227c219 ("mm: make alloc_contig_range handle free hugetlb pages")
+Signed-off-by: Vishal Moola (Oracle) <vishal.moola@gmail.com>
+Acked-by: Oscar Salvador <osalvador@suse.de>
+Reviewed-by: Zi Yan <ziy@nvidia.com>
+Cc: Miaohe Lin <linmiaohe@huawei.com>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/compaction.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/mm/compaction.c
++++ b/mm/compaction.c
+@@ -981,13 +981,13 @@ isolate_migratepages_block(struct compac
+ }
+
+ if (PageHuge(page)) {
++ const unsigned int order = compound_order(page);
+ /*
+ * skip hugetlbfs if we are not compacting for pages
+ * bigger than its order. THPs and other compound pages
+ * are handled below.
+ */
+ if (!cc->alloc_contig) {
+- const unsigned int order = compound_order(page);
+
+ if (order <= MAX_PAGE_ORDER) {
+ low_pfn += (1UL << order) - 1;
+@@ -1011,8 +1011,8 @@ isolate_migratepages_block(struct compac
+ /* Do not report -EBUSY down the chain */
+ if (ret == -EBUSY)
+ ret = 0;
+- low_pfn += compound_nr(page) - 1;
+- nr_scanned += compound_nr(page) - 1;
++ low_pfn += (1UL << order) - 1;
++ nr_scanned += (1UL << order) - 1;
+ goto isolate_fail;
+ }
+
--- /dev/null
+From a995199384347261bb3f21b2e171fa7f988bd2f8 Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Date: Wed, 9 Apr 2025 12:40:43 +0300
+Subject: mm: fix apply_to_existing_page_range()
+
+From: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+
+commit a995199384347261bb3f21b2e171fa7f988bd2f8 upstream.
+
+In the case of apply_to_existing_page_range(), apply_to_pte_range() is
+reached with 'create' set to false. When !create, the loop over the PTE
+page table is broken.
+
+apply_to_pte_range() will only move to the next PTE entry if 'create' is
+true or if the current entry is not pte_none().
+
+This means that the user of apply_to_existing_page_range() will not have
+'fn' called for any entries after the first pte_none() in the PTE page
+table.
+
+Fix the loop logic in apply_to_pte_range().
+
+There are no known runtime issues from this, but the fix is trivial enough
+for stable@ even without a known buggy user.
+
+Link: https://lkml.kernel.org/r/20250409094043.1629234-1-kirill.shutemov@linux.intel.com
+Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Fixes: be1db4753ee6 ("mm/memory.c: add apply_to_existing_page_range() helper")
+Cc: Daniel Axtens <dja@axtens.net>
+Cc: David Hildenbrand <david@redhat.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/memory.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -2904,11 +2904,11 @@ static int apply_to_pte_range(struct mm_
+ if (fn) {
+ do {
+ if (create || !pte_none(ptep_get(pte))) {
+- err = fn(pte++, addr, data);
++ err = fn(pte, addr, data);
+ if (err)
+ break;
+ }
+- } while (addr += PAGE_SIZE, addr != end);
++ } while (pte++, addr += PAGE_SIZE, addr != end);
+ }
+ *mask |= PGTBL_PTE_MODIFIED;
+
--- /dev/null
+From 8ab1b16023961dc640023b10436d282f905835ad Mon Sep 17 00:00:00 2001
+From: "Vishal Moola (Oracle)" <vishal.moola@gmail.com>
+Date: Thu, 3 Apr 2025 16:54:17 -0700
+Subject: mm: fix filemap_get_folios_contig returning batches of identical folios
+
+From: Vishal Moola (Oracle) <vishal.moola@gmail.com>
+
+commit 8ab1b16023961dc640023b10436d282f905835ad upstream.
+
+filemap_get_folios_contig() is supposed to return distinct folios found
+within [start, end]. Large folios in the Xarray become multi-index
+entries. xas_next() can iterate through the sub-indexes before finding a
+sibling entry and breaking out of the loop.
+
+This can result in a returned folio_batch containing an indeterminate
+number of duplicate folios, which forces the callers to skeptically handle
+the returned batch. This is inefficient and incurs a large maintenance
+overhead.
+
+We can fix this by calling xas_advance() after we have successfully adding
+a folio to the batch to ensure our Xarray is positioned such that it will
+correctly find the next folio - similar to filemap_get_read_batch().
+
+Link: https://lkml.kernel.org/r/Z-8s1-kiIDkzgRbc@fedora
+Fixes: 35b471467f88 ("filemap: add filemap_get_folios_contig()")
+Signed-off-by: Vishal Moola (Oracle) <vishal.moola@gmail.com>
+Reported-by: Qu Wenruo <quwenruo.btrfs@gmx.com>
+Closes: https://lkml.kernel.org/r/b714e4de-2583-4035-b829-72cfb5eb6fc6@gmx.com
+Tested-by: Qu Wenruo <quwenruo.btrfs@gmx.com>
+Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: Vivek Kasireddy <vivek.kasireddy@intel.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/filemap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/mm/filemap.c
++++ b/mm/filemap.c
+@@ -2244,6 +2244,7 @@ unsigned filemap_get_folios_contig(struc
+ *start = folio->index + nr;
+ goto out;
+ }
++ xas_advance(&xas, folio_next_index(folio) - 1);
+ continue;
+ put_folio:
+ folio_put(folio);
--- /dev/null
+From 8c03ebd7cdc06bd0d2fecb4d1a609ef1dbb7d0aa Mon Sep 17 00:00:00 2001
+From: Baoquan He <bhe@redhat.com>
+Date: Thu, 10 Apr 2025 11:57:14 +0800
+Subject: mm/gup: fix wrongly calculated returned value in fault_in_safe_writeable()
+
+From: Baoquan He <bhe@redhat.com>
+
+commit 8c03ebd7cdc06bd0d2fecb4d1a609ef1dbb7d0aa upstream.
+
+Not like fault_in_readable() or fault_in_writeable(), in
+fault_in_safe_writeable() local variable 'start' is increased page by page
+to loop till the whole address range is handled. However, it mistakenly
+calculates the size of the handled range with 'uaddr - start'.
+
+Fix it here.
+
+Andreas said:
+
+: In gfs2, fault_in_iov_iter_writeable() is used in
+: gfs2_file_direct_read() and gfs2_file_read_iter(), so this potentially
+: affects buffered as well as direct reads. This bug could cause those
+: gfs2 functions to spin in a loop.
+
+Link: https://lkml.kernel.org/r/20250410035717.473207-1-bhe@redhat.com
+Link: https://lkml.kernel.org/r/20250410035717.473207-2-bhe@redhat.com
+Signed-off-by: Baoquan He <bhe@redhat.com>
+Fixes: fe673d3f5bf1 ("mm: gup: make fault_in_safe_writeable() use fixup_user_fault()")
+Reviewed-by: Oscar Salvador <osalvador@suse.de>
+Acked-by: David Hildenbrand <david@redhat.com>
+Cc: Andreas Gruenbacher <agruenba@redhat.com>
+Cc: Yanjun.Zhu <yanjun.zhu@linux.dev>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/gup.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/mm/gup.c
++++ b/mm/gup.c
+@@ -2210,8 +2210,8 @@ size_t fault_in_safe_writeable(const cha
+ } while (start != end);
+ mmap_read_unlock(mm);
+
+- if (size > (unsigned long)uaddr - start)
+- return size - ((unsigned long)uaddr - start);
++ if (size > start - (unsigned long)uaddr)
++ return size - (start - (unsigned long)uaddr);
+ return 0;
+ }
+ EXPORT_SYMBOL(fault_in_safe_writeable);
--- /dev/null
+From eb3a04a8516ee9b5174379306f94279fc90424c4 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Mon, 10 Feb 2025 15:11:22 +0100
+Subject: ovl: don't allow datadir only
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit eb3a04a8516ee9b5174379306f94279fc90424c4 upstream.
+
+In theory overlayfs could support upper layer directly referring to a data
+layer, but there's no current use case for this.
+
+Originally, when data-only layers were introduced, this wasn't allowed,
+only introduced by the "datadir+" feature, but without actually handling
+this case, resulting in an Oops.
+
+Fix by disallowing datadir without lowerdir.
+
+Reported-by: Giuseppe Scrivano <gscrivan@redhat.com>
+Fixes: 24e16e385f22 ("ovl: add support for appending lowerdirs one by one")
+Cc: <stable@vger.kernel.org> # v6.7
+Reviewed-by: Amir Goldstein <amir73il@gmail.com>
+Reviewed-by: Alexander Larsson <alexl@redhat.com>
+Reviewed-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/overlayfs/super.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -1137,6 +1137,11 @@ static struct ovl_entry *ovl_get_lowerst
+ return ERR_PTR(-EINVAL);
+ }
+
++ if (ctx->nr == ctx->nr_data) {
++ pr_err("at least one non-data lowerdir is required\n");
++ return ERR_PTR(-EINVAL);
++ }
++
+ err = -EINVAL;
+ for (i = 0; i < ctx->nr; i++) {
+ l = &ctx->lower[i];
--- /dev/null
+From 71dcc11c2cd9e434c34a63154ecadca21c135ddd Mon Sep 17 00:00:00 2001
+From: Dapeng Mi <dapeng1.mi@linux.intel.com>
+Date: Tue, 15 Apr 2025 10:41:35 +0000
+Subject: perf/x86/intel: Allow to update user space GPRs from PEBS records
+
+From: Dapeng Mi <dapeng1.mi@linux.intel.com>
+
+commit 71dcc11c2cd9e434c34a63154ecadca21c135ddd upstream.
+
+Currently when a user samples user space GPRs (--user-regs option) with
+PEBS, the user space GPRs actually always come from software PMI
+instead of from PEBS hardware. This leads to the sampled GPRs to
+possibly be inaccurate for single PEBS record case because of the
+skid between counter overflow and GPRs sampling on PMI.
+
+For the large PEBS case, it is even worse. If user sets the
+exclude_kernel attribute, large PEBS would be used to sample user space
+GPRs, but since PEBS GPRs group is not really enabled, it leads to all
+samples in the large PEBS record to share the same piece of user space
+GPRs, like this reproducer shows:
+
+ $ perf record -e branches:pu --user-regs=ip,ax -c 100000 ./foo
+ $ perf report -D | grep "AX"
+
+ .... AX 0x000000003a0d4ead
+ .... AX 0x000000003a0d4ead
+ .... AX 0x000000003a0d4ead
+ .... AX 0x000000003a0d4ead
+ .... AX 0x000000003a0d4ead
+ .... AX 0x000000003a0d4ead
+ .... AX 0x000000003a0d4ead
+ .... AX 0x000000003a0d4ead
+ .... AX 0x000000003a0d4ead
+ .... AX 0x000000003a0d4ead
+ .... AX 0x000000003a0d4ead
+
+So enable GPRs group for user space GPRs sampling and prioritize reading
+GPRs from PEBS. If the PEBS sampled GPRs is not user space GPRs (single
+PEBS record case), perf_sample_regs_user() modifies them to user space
+GPRs.
+
+[ mingo: Clarified the changelog. ]
+
+Fixes: c22497f5838c ("perf/x86/intel: Support adaptive PEBS v4")
+Signed-off-by: Dapeng Mi <dapeng1.mi@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250415104135.318169-2-dapeng1.mi@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/intel/ds.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/events/intel/ds.c
++++ b/arch/x86/events/intel/ds.c
+@@ -1338,8 +1338,10 @@ static u64 pebs_update_adaptive_cfg(stru
+ * + precise_ip < 2 for the non event IP
+ * + For RTM TSX weight we need GPRs for the abort code.
+ */
+- gprs = (sample_type & PERF_SAMPLE_REGS_INTR) &&
+- (attr->sample_regs_intr & PEBS_GP_REGS);
++ gprs = ((sample_type & PERF_SAMPLE_REGS_INTR) &&
++ (attr->sample_regs_intr & PEBS_GP_REGS)) ||
++ ((sample_type & PERF_SAMPLE_REGS_USER) &&
++ (attr->sample_regs_user & PEBS_GP_REGS));
+
+ tsx_weight = (sample_type & PERF_SAMPLE_WEIGHT_TYPE) &&
+ ((attr->config & INTEL_ARCH_EVENT_MASK) ==
+@@ -1985,7 +1987,7 @@ static void setup_pebs_adaptive_sample_d
+ regs->flags &= ~PERF_EFLAGS_EXACT;
+ }
+
+- if (sample_type & PERF_SAMPLE_REGS_INTR)
++ if (sample_type & (PERF_SAMPLE_REGS_INTR | PERF_SAMPLE_REGS_USER))
+ adaptive_pebs_save_regs(regs, gprs);
+ }
+
--- /dev/null
+From 32c7f1150225694d95a51110a93be25db03bb5db Mon Sep 17 00:00:00 2001
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Wed, 16 Apr 2025 07:24:25 -0700
+Subject: perf/x86/intel/uncore: Fix the scale of IIO free running counters on ICX
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+commit 32c7f1150225694d95a51110a93be25db03bb5db upstream.
+
+There was a mistake in the ICX uncore spec too. The counter increments
+for every 32 bytes rather than 4 bytes.
+
+The same as SNR, there are 1 ioclk and 8 IIO bandwidth in free running
+counters. Reuse the snr_uncore_iio_freerunning_events().
+
+Fixes: 2b3b76b5ec67 ("perf/x86/intel/uncore: Add Ice Lake server uncore support")
+Reported-by: Tang Jun <dukang.tj@alibaba-inc.com>
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250416142426.3933977-2-kan.liang@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/intel/uncore_snbep.c | 33 +--------------------------------
+ 1 file changed, 1 insertion(+), 32 deletions(-)
+
+--- a/arch/x86/events/intel/uncore_snbep.c
++++ b/arch/x86/events/intel/uncore_snbep.c
+@@ -5485,37 +5485,6 @@ static struct freerunning_counters icx_i
+ [ICX_IIO_MSR_BW_IN] = { 0xaa0, 0x1, 0x10, 8, 48, icx_iio_bw_freerunning_box_offsets },
+ };
+
+-static struct uncore_event_desc icx_uncore_iio_freerunning_events[] = {
+- /* Free-Running IIO CLOCKS Counter */
+- INTEL_UNCORE_EVENT_DESC(ioclk, "event=0xff,umask=0x10"),
+- /* Free-Running IIO BANDWIDTH IN Counters */
+- INTEL_UNCORE_EVENT_DESC(bw_in_port0, "event=0xff,umask=0x20"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port0.scale, "3.814697266e-6"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port0.unit, "MiB"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port1, "event=0xff,umask=0x21"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port1.scale, "3.814697266e-6"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port1.unit, "MiB"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port2, "event=0xff,umask=0x22"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port2.scale, "3.814697266e-6"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port2.unit, "MiB"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port3, "event=0xff,umask=0x23"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port3.scale, "3.814697266e-6"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port3.unit, "MiB"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port4, "event=0xff,umask=0x24"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port4.scale, "3.814697266e-6"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port4.unit, "MiB"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port5, "event=0xff,umask=0x25"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port5.scale, "3.814697266e-6"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port5.unit, "MiB"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port6, "event=0xff,umask=0x26"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port6.scale, "3.814697266e-6"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port6.unit, "MiB"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port7, "event=0xff,umask=0x27"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port7.scale, "3.814697266e-6"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port7.unit, "MiB"),
+- { /* end: all zeroes */ },
+-};
+-
+ static struct intel_uncore_type icx_uncore_iio_free_running = {
+ .name = "iio_free_running",
+ .num_counters = 9,
+@@ -5523,7 +5492,7 @@ static struct intel_uncore_type icx_unco
+ .num_freerunning_types = ICX_IIO_FREERUNNING_TYPE_MAX,
+ .freerunning = icx_iio_freerunning,
+ .ops = &skx_uncore_iio_freerunning_ops,
+- .event_descs = icx_uncore_iio_freerunning_events,
++ .event_descs = snr_uncore_iio_freerunning_events,
+ .format_group = &skx_uncore_iio_freerunning_format_group,
+ };
+
--- /dev/null
+From 96a720db59ab330c8562b2437153faa45dac705f Mon Sep 17 00:00:00 2001
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Wed, 16 Apr 2025 07:24:24 -0700
+Subject: perf/x86/intel/uncore: Fix the scale of IIO free running counters on SNR
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+commit 96a720db59ab330c8562b2437153faa45dac705f upstream.
+
+There was a mistake in the SNR uncore spec. The counter increments for
+every 32 bytes of data sent from the IO agent to the SOC, not 4 bytes
+which was documented in the spec.
+
+The event list has been updated:
+
+ "EventName": "UNC_IIO_BANDWIDTH_IN.PART0_FREERUN",
+ "BriefDescription": "Free running counter that increments for every 32
+ bytes of data sent from the IO agent to the SOC",
+
+Update the scale of the IIO bandwidth in free running counters as well.
+
+Fixes: 210cc5f9db7a ("perf/x86/intel/uncore: Add uncore support for Snow Ridge server")
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250416142426.3933977-1-kan.liang@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/intel/uncore_snbep.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/arch/x86/events/intel/uncore_snbep.c
++++ b/arch/x86/events/intel/uncore_snbep.c
+@@ -4891,28 +4891,28 @@ static struct uncore_event_desc snr_unco
+ INTEL_UNCORE_EVENT_DESC(ioclk, "event=0xff,umask=0x10"),
+ /* Free-Running IIO BANDWIDTH IN Counters */
+ INTEL_UNCORE_EVENT_DESC(bw_in_port0, "event=0xff,umask=0x20"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port0.scale, "3.814697266e-6"),
++ INTEL_UNCORE_EVENT_DESC(bw_in_port0.scale, "3.0517578125e-5"),
+ INTEL_UNCORE_EVENT_DESC(bw_in_port0.unit, "MiB"),
+ INTEL_UNCORE_EVENT_DESC(bw_in_port1, "event=0xff,umask=0x21"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port1.scale, "3.814697266e-6"),
++ INTEL_UNCORE_EVENT_DESC(bw_in_port1.scale, "3.0517578125e-5"),
+ INTEL_UNCORE_EVENT_DESC(bw_in_port1.unit, "MiB"),
+ INTEL_UNCORE_EVENT_DESC(bw_in_port2, "event=0xff,umask=0x22"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port2.scale, "3.814697266e-6"),
++ INTEL_UNCORE_EVENT_DESC(bw_in_port2.scale, "3.0517578125e-5"),
+ INTEL_UNCORE_EVENT_DESC(bw_in_port2.unit, "MiB"),
+ INTEL_UNCORE_EVENT_DESC(bw_in_port3, "event=0xff,umask=0x23"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port3.scale, "3.814697266e-6"),
++ INTEL_UNCORE_EVENT_DESC(bw_in_port3.scale, "3.0517578125e-5"),
+ INTEL_UNCORE_EVENT_DESC(bw_in_port3.unit, "MiB"),
+ INTEL_UNCORE_EVENT_DESC(bw_in_port4, "event=0xff,umask=0x24"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port4.scale, "3.814697266e-6"),
++ INTEL_UNCORE_EVENT_DESC(bw_in_port4.scale, "3.0517578125e-5"),
+ INTEL_UNCORE_EVENT_DESC(bw_in_port4.unit, "MiB"),
+ INTEL_UNCORE_EVENT_DESC(bw_in_port5, "event=0xff,umask=0x25"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port5.scale, "3.814697266e-6"),
++ INTEL_UNCORE_EVENT_DESC(bw_in_port5.scale, "3.0517578125e-5"),
+ INTEL_UNCORE_EVENT_DESC(bw_in_port5.unit, "MiB"),
+ INTEL_UNCORE_EVENT_DESC(bw_in_port6, "event=0xff,umask=0x26"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port6.scale, "3.814697266e-6"),
++ INTEL_UNCORE_EVENT_DESC(bw_in_port6.scale, "3.0517578125e-5"),
+ INTEL_UNCORE_EVENT_DESC(bw_in_port6.unit, "MiB"),
+ INTEL_UNCORE_EVENT_DESC(bw_in_port7, "event=0xff,umask=0x27"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port7.scale, "3.814697266e-6"),
++ INTEL_UNCORE_EVENT_DESC(bw_in_port7.scale, "3.0517578125e-5"),
+ INTEL_UNCORE_EVENT_DESC(bw_in_port7.unit, "MiB"),
+ { /* end: all zeroes */ },
+ };
--- /dev/null
+From 506f981ab40f0b03a11a640cfd77f48b09aff330 Mon Sep 17 00:00:00 2001
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Wed, 16 Apr 2025 07:24:26 -0700
+Subject: perf/x86/intel/uncore: Fix the scale of IIO free running counters on SPR
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+commit 506f981ab40f0b03a11a640cfd77f48b09aff330 upstream.
+
+The scale of IIO bandwidth in free running counters is inherited from
+the ICX. The counter increments for every 32 bytes rather than 4 bytes.
+
+The IIO bandwidth out free running counters don't increment with a
+consistent size. The increment depends on the requested size. It's
+impossible to find a fixed increment. Remove it from the event_descs.
+
+Fixes: 0378c93a92e2 ("perf/x86/intel/uncore: Support IIO free-running counters on Sapphire Rapids server")
+Reported-by: Tang Jun <dukang.tj@alibaba-inc.com>
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250416142426.3933977-3-kan.liang@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/intel/uncore_snbep.c | 58 -----------------------------------
+ 1 file changed, 1 insertion(+), 57 deletions(-)
+
+--- a/arch/x86/events/intel/uncore_snbep.c
++++ b/arch/x86/events/intel/uncore_snbep.c
+@@ -6289,69 +6289,13 @@ static struct freerunning_counters spr_i
+ [SPR_IIO_MSR_BW_OUT] = { 0x3808, 0x1, 0x10, 8, 48 },
+ };
+
+-static struct uncore_event_desc spr_uncore_iio_freerunning_events[] = {
+- /* Free-Running IIO CLOCKS Counter */
+- INTEL_UNCORE_EVENT_DESC(ioclk, "event=0xff,umask=0x10"),
+- /* Free-Running IIO BANDWIDTH IN Counters */
+- INTEL_UNCORE_EVENT_DESC(bw_in_port0, "event=0xff,umask=0x20"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port0.scale, "3.814697266e-6"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port0.unit, "MiB"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port1, "event=0xff,umask=0x21"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port1.scale, "3.814697266e-6"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port1.unit, "MiB"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port2, "event=0xff,umask=0x22"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port2.scale, "3.814697266e-6"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port2.unit, "MiB"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port3, "event=0xff,umask=0x23"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port3.scale, "3.814697266e-6"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port3.unit, "MiB"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port4, "event=0xff,umask=0x24"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port4.scale, "3.814697266e-6"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port4.unit, "MiB"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port5, "event=0xff,umask=0x25"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port5.scale, "3.814697266e-6"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port5.unit, "MiB"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port6, "event=0xff,umask=0x26"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port6.scale, "3.814697266e-6"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port6.unit, "MiB"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port7, "event=0xff,umask=0x27"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port7.scale, "3.814697266e-6"),
+- INTEL_UNCORE_EVENT_DESC(bw_in_port7.unit, "MiB"),
+- /* Free-Running IIO BANDWIDTH OUT Counters */
+- INTEL_UNCORE_EVENT_DESC(bw_out_port0, "event=0xff,umask=0x30"),
+- INTEL_UNCORE_EVENT_DESC(bw_out_port0.scale, "3.814697266e-6"),
+- INTEL_UNCORE_EVENT_DESC(bw_out_port0.unit, "MiB"),
+- INTEL_UNCORE_EVENT_DESC(bw_out_port1, "event=0xff,umask=0x31"),
+- INTEL_UNCORE_EVENT_DESC(bw_out_port1.scale, "3.814697266e-6"),
+- INTEL_UNCORE_EVENT_DESC(bw_out_port1.unit, "MiB"),
+- INTEL_UNCORE_EVENT_DESC(bw_out_port2, "event=0xff,umask=0x32"),
+- INTEL_UNCORE_EVENT_DESC(bw_out_port2.scale, "3.814697266e-6"),
+- INTEL_UNCORE_EVENT_DESC(bw_out_port2.unit, "MiB"),
+- INTEL_UNCORE_EVENT_DESC(bw_out_port3, "event=0xff,umask=0x33"),
+- INTEL_UNCORE_EVENT_DESC(bw_out_port3.scale, "3.814697266e-6"),
+- INTEL_UNCORE_EVENT_DESC(bw_out_port3.unit, "MiB"),
+- INTEL_UNCORE_EVENT_DESC(bw_out_port4, "event=0xff,umask=0x34"),
+- INTEL_UNCORE_EVENT_DESC(bw_out_port4.scale, "3.814697266e-6"),
+- INTEL_UNCORE_EVENT_DESC(bw_out_port4.unit, "MiB"),
+- INTEL_UNCORE_EVENT_DESC(bw_out_port5, "event=0xff,umask=0x35"),
+- INTEL_UNCORE_EVENT_DESC(bw_out_port5.scale, "3.814697266e-6"),
+- INTEL_UNCORE_EVENT_DESC(bw_out_port5.unit, "MiB"),
+- INTEL_UNCORE_EVENT_DESC(bw_out_port6, "event=0xff,umask=0x36"),
+- INTEL_UNCORE_EVENT_DESC(bw_out_port6.scale, "3.814697266e-6"),
+- INTEL_UNCORE_EVENT_DESC(bw_out_port6.unit, "MiB"),
+- INTEL_UNCORE_EVENT_DESC(bw_out_port7, "event=0xff,umask=0x37"),
+- INTEL_UNCORE_EVENT_DESC(bw_out_port7.scale, "3.814697266e-6"),
+- INTEL_UNCORE_EVENT_DESC(bw_out_port7.unit, "MiB"),
+- { /* end: all zeroes */ },
+-};
+-
+ static struct intel_uncore_type spr_uncore_iio_free_running = {
+ .name = "iio_free_running",
+ .num_counters = 17,
+ .num_freerunning_types = SPR_IIO_FREERUNNING_TYPE_MAX,
+ .freerunning = spr_iio_freerunning,
+ .ops = &skx_uncore_iio_freerunning_ops,
+- .event_descs = spr_uncore_iio_freerunning_events,
++ .event_descs = snr_uncore_iio_freerunning_events,
+ .format_group = &skx_uncore_iio_freerunning_format_group,
+ };
+
--- /dev/null
+From fcf27a6a926fd9eeba39e9c3fde43c9298fe284e Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Mon, 7 Apr 2025 13:18:21 -0500
+Subject: platform/x86: amd: pmf: Fix STT limits
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit fcf27a6a926fd9eeba39e9c3fde43c9298fe284e upstream.
+
+On some platforms it has been observed that STT limits are not being
+applied properly causing poor performance as power limits are set too low.
+
+STT limits that are sent to the platform are supposed to be in Q8.8
+format. Convert them before sending.
+
+Reported-by: Yijun Shen <Yijun.Shen@dell.com>
+Fixes: 7c45534afa443 ("platform/x86/amd/pmf: Add support for PMF Policy Binary")
+Cc: stable@vger.kernel.org
+Tested-by: Yijun Shen <Yijun_Shen@Dell.com>
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Acked-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Link: https://lore.kernel.org/r/20250407181915.1482450-1-superm1@kernel.org
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/amd/pmf/auto-mode.c | 4 ++--
+ drivers/platform/x86/amd/pmf/cnqf.c | 8 ++++----
+ drivers/platform/x86/amd/pmf/core.c | 14 ++++++++++++++
+ drivers/platform/x86/amd/pmf/pmf.h | 1 +
+ drivers/platform/x86/amd/pmf/sps.c | 12 ++++++++----
+ drivers/platform/x86/amd/pmf/tee-if.c | 6 ++++--
+ 6 files changed, 33 insertions(+), 12 deletions(-)
+
+--- a/drivers/platform/x86/amd/pmf/auto-mode.c
++++ b/drivers/platform/x86/amd/pmf/auto-mode.c
+@@ -120,9 +120,9 @@ static void amd_pmf_set_automode(struct
+ amd_pmf_send_cmd(dev, SET_SPPT_APU_ONLY, false, pwr_ctrl->sppt_apu_only, NULL);
+ amd_pmf_send_cmd(dev, SET_STT_MIN_LIMIT, false, pwr_ctrl->stt_min, NULL);
+ amd_pmf_send_cmd(dev, SET_STT_LIMIT_APU, false,
+- pwr_ctrl->stt_skin_temp[STT_TEMP_APU], NULL);
++ fixp_q88_fromint(pwr_ctrl->stt_skin_temp[STT_TEMP_APU]), NULL);
+ amd_pmf_send_cmd(dev, SET_STT_LIMIT_HS2, false,
+- pwr_ctrl->stt_skin_temp[STT_TEMP_HS2], NULL);
++ fixp_q88_fromint(pwr_ctrl->stt_skin_temp[STT_TEMP_HS2]), NULL);
+
+ if (is_apmf_func_supported(dev, APMF_FUNC_SET_FAN_IDX))
+ apmf_update_fan_idx(dev, config_store.mode_set[idx].fan_control.manual,
+--- a/drivers/platform/x86/amd/pmf/cnqf.c
++++ b/drivers/platform/x86/amd/pmf/cnqf.c
+@@ -81,10 +81,10 @@ static int amd_pmf_set_cnqf(struct amd_p
+ amd_pmf_send_cmd(dev, SET_SPPT, false, pc->sppt, NULL);
+ amd_pmf_send_cmd(dev, SET_SPPT_APU_ONLY, false, pc->sppt_apu_only, NULL);
+ amd_pmf_send_cmd(dev, SET_STT_MIN_LIMIT, false, pc->stt_min, NULL);
+- amd_pmf_send_cmd(dev, SET_STT_LIMIT_APU, false, pc->stt_skin_temp[STT_TEMP_APU],
+- NULL);
+- amd_pmf_send_cmd(dev, SET_STT_LIMIT_HS2, false, pc->stt_skin_temp[STT_TEMP_HS2],
+- NULL);
++ amd_pmf_send_cmd(dev, SET_STT_LIMIT_APU, false,
++ fixp_q88_fromint(pc->stt_skin_temp[STT_TEMP_APU]), NULL);
++ amd_pmf_send_cmd(dev, SET_STT_LIMIT_HS2, false,
++ fixp_q88_fromint(pc->stt_skin_temp[STT_TEMP_HS2]), NULL);
+
+ if (is_apmf_func_supported(dev, APMF_FUNC_SET_FAN_IDX))
+ apmf_update_fan_idx(dev,
+--- a/drivers/platform/x86/amd/pmf/core.c
++++ b/drivers/platform/x86/amd/pmf/core.c
+@@ -176,6 +176,20 @@ static void __maybe_unused amd_pmf_dump_
+ dev_dbg(dev->dev, "AMD_PMF_REGISTER_MESSAGE:%x\n", value);
+ }
+
++/**
++ * fixp_q88_fromint: Convert integer to Q8.8
++ * @val: input value
++ *
++ * Converts an integer into binary fixed point format where 8 bits
++ * are used for integer and 8 bits are used for the decimal.
++ *
++ * Return: unsigned integer converted to Q8.8 format
++ */
++u32 fixp_q88_fromint(u32 val)
++{
++ return val << 8;
++}
++
+ int amd_pmf_send_cmd(struct amd_pmf_dev *dev, u8 message, bool get, u32 arg, u32 *data)
+ {
+ int rc;
+--- a/drivers/platform/x86/amd/pmf/pmf.h
++++ b/drivers/platform/x86/amd/pmf/pmf.h
+@@ -777,6 +777,7 @@ int apmf_install_handler(struct amd_pmf_
+ int apmf_os_power_slider_update(struct amd_pmf_dev *dev, u8 flag);
+ int amd_pmf_set_dram_addr(struct amd_pmf_dev *dev, bool alloc_buffer);
+ int amd_pmf_notify_sbios_heartbeat_event_v2(struct amd_pmf_dev *dev, u8 flag);
++u32 fixp_q88_fromint(u32 val);
+
+ /* SPS Layer */
+ int amd_pmf_get_pprof_modes(struct amd_pmf_dev *pmf);
+--- a/drivers/platform/x86/amd/pmf/sps.c
++++ b/drivers/platform/x86/amd/pmf/sps.c
+@@ -198,9 +198,11 @@ static void amd_pmf_update_slider_v2(str
+ amd_pmf_send_cmd(dev, SET_STT_MIN_LIMIT, false,
+ apts_config_store.val[idx].stt_min_limit, NULL);
+ amd_pmf_send_cmd(dev, SET_STT_LIMIT_APU, false,
+- apts_config_store.val[idx].stt_skin_temp_limit_apu, NULL);
++ fixp_q88_fromint(apts_config_store.val[idx].stt_skin_temp_limit_apu),
++ NULL);
+ amd_pmf_send_cmd(dev, SET_STT_LIMIT_HS2, false,
+- apts_config_store.val[idx].stt_skin_temp_limit_hs2, NULL);
++ fixp_q88_fromint(apts_config_store.val[idx].stt_skin_temp_limit_hs2),
++ NULL);
+ }
+
+ void amd_pmf_update_slider(struct amd_pmf_dev *dev, bool op, int idx,
+@@ -217,9 +219,11 @@ void amd_pmf_update_slider(struct amd_pm
+ amd_pmf_send_cmd(dev, SET_STT_MIN_LIMIT, false,
+ config_store.prop[src][idx].stt_min, NULL);
+ amd_pmf_send_cmd(dev, SET_STT_LIMIT_APU, false,
+- config_store.prop[src][idx].stt_skin_temp[STT_TEMP_APU], NULL);
++ fixp_q88_fromint(config_store.prop[src][idx].stt_skin_temp[STT_TEMP_APU]),
++ NULL);
+ amd_pmf_send_cmd(dev, SET_STT_LIMIT_HS2, false,
+- config_store.prop[src][idx].stt_skin_temp[STT_TEMP_HS2], NULL);
++ fixp_q88_fromint(config_store.prop[src][idx].stt_skin_temp[STT_TEMP_HS2]),
++ NULL);
+ } else if (op == SLIDER_OP_GET) {
+ amd_pmf_send_cmd(dev, GET_SPL, true, ARG_NONE, &table->prop[src][idx].spl);
+ amd_pmf_send_cmd(dev, GET_FPPT, true, ARG_NONE, &table->prop[src][idx].fppt);
+--- a/drivers/platform/x86/amd/pmf/tee-if.c
++++ b/drivers/platform/x86/amd/pmf/tee-if.c
+@@ -123,7 +123,8 @@ static void amd_pmf_apply_policies(struc
+
+ case PMF_POLICY_STT_SKINTEMP_APU:
+ if (dev->prev_data->stt_skintemp_apu != val) {
+- amd_pmf_send_cmd(dev, SET_STT_LIMIT_APU, false, val, NULL);
++ amd_pmf_send_cmd(dev, SET_STT_LIMIT_APU, false,
++ fixp_q88_fromint(val), NULL);
+ dev_dbg(dev->dev, "update STT_SKINTEMP_APU: %u\n", val);
+ dev->prev_data->stt_skintemp_apu = val;
+ }
+@@ -131,7 +132,8 @@ static void amd_pmf_apply_policies(struc
+
+ case PMF_POLICY_STT_SKINTEMP_HS2:
+ if (dev->prev_data->stt_skintemp_hs2 != val) {
+- amd_pmf_send_cmd(dev, SET_STT_LIMIT_HS2, false, val, NULL);
++ amd_pmf_send_cmd(dev, SET_STT_LIMIT_HS2, false,
++ fixp_q88_fromint(val), NULL);
+ dev_dbg(dev->dev, "update STT_SKINTEMP_HS2: %u\n", val);
+ dev->prev_data->stt_skintemp_hs2 = val;
+ }
--- /dev/null
+From 6c44e5354d4d16d9d891a419ca3f57abfe18ce7a Mon Sep 17 00:00:00 2001
+From: Yazen Ghannam <yazen.ghannam@amd.com>
+Date: Tue, 1 Apr 2025 20:49:00 +0000
+Subject: RAS/AMD/ATL: Include row[13] bit in row retirement
+
+From: Yazen Ghannam <yazen.ghannam@amd.com>
+
+commit 6c44e5354d4d16d9d891a419ca3f57abfe18ce7a upstream.
+
+Based on feedback from hardware folks, row[13] is part of the variable
+bits within a physical row (along with all column bits).
+
+Only half the physical addresses affected by a row are calculated if
+this bit is not included.
+
+Add the row[13] bit to the row retirement flow.
+
+Fixes: 3b566b30b414 ("RAS/AMD/ATL: Add MI300 row retirement support")
+Signed-off-by: Yazen Ghannam <yazen.ghannam@amd.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250401-fix-fmpm-extra-records-v1-1-840bcf7a8ac5@amd.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ras/amd/atl/umc.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+--- a/drivers/ras/amd/atl/umc.c
++++ b/drivers/ras/amd/atl/umc.c
+@@ -320,7 +320,7 @@ static unsigned long convert_dram_to_nor
+ * See amd_atl::convert_dram_to_norm_addr_mi300() for MI300 address formats.
+ */
+ #define MI300_NUM_COL BIT(HWEIGHT(MI300_UMC_MCA_COL))
+-static void retire_row_mi300(struct atl_err *a_err)
++static void _retire_row_mi300(struct atl_err *a_err)
+ {
+ unsigned long addr;
+ struct page *p;
+@@ -351,6 +351,23 @@ static void retire_row_mi300(struct atl_
+ }
+ }
+
++/*
++ * In addition to the column bits, the row[13] bit should also be included when
++ * calculating addresses affected by a physical row.
++ *
++ * Instead of running through another loop over a single bit, just run through
++ * the column bits twice and flip the row[13] bit in-between.
++ *
++ * See MI300_UMC_MCA_ROW for the row bits in MCA_ADDR_UMC value.
++ */
++#define MI300_UMC_MCA_ROW13 BIT(23)
++static void retire_row_mi300(struct atl_err *a_err)
++{
++ _retire_row_mi300(a_err);
++ a_err->addr ^= MI300_UMC_MCA_ROW13;
++ _retire_row_mi300(a_err);
++}
++
+ void amd_retire_dram_row(struct atl_err *a_err)
+ {
+ if (df_cfg.rev == DF4p5 && df_cfg.flags.heterogeneous)
--- /dev/null
+From 58029c39cdc54ac4f4dc40b4a9c05eed9f9b808a Mon Sep 17 00:00:00 2001
+From: Yazen Ghannam <yazen.ghannam@amd.com>
+Date: Thu, 27 Feb 2025 19:31:32 +0000
+Subject: RAS/AMD/FMPM: Get masked address
+
+From: Yazen Ghannam <yazen.ghannam@amd.com>
+
+commit 58029c39cdc54ac4f4dc40b4a9c05eed9f9b808a upstream.
+
+Some operations require checking, or ignoring, specific bits in an address
+value. For example, this can be comparing address values to identify unique
+structures.
+
+Currently, the full address value is compared when filtering for duplicates.
+This results in over counting and creation of extra records. This gives the
+impression that more unique events occurred than did in reality.
+
+Mask the address for physical rows on MI300.
+
+ [ bp: Simplify. ]
+
+Fixes: 6f15e617cc99 ("RAS: Introduce a FRU memory poison manager")
+Signed-off-by: Yazen Ghannam <yazen.ghannam@amd.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ras/amd/atl/internal.h | 3 +++
+ drivers/ras/amd/atl/umc.c | 2 --
+ drivers/ras/amd/fmpm.c | 9 ++++++++-
+ 3 files changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/ras/amd/atl/internal.h
++++ b/drivers/ras/amd/atl/internal.h
+@@ -362,4 +362,7 @@ static inline void atl_debug_on_bad_intl
+ atl_debug(ctx, "Unrecognized interleave mode: %u", ctx->map.intlv_mode);
+ }
+
++#define MI300_UMC_MCA_COL GENMASK(5, 1)
++#define MI300_UMC_MCA_ROW13 BIT(23)
++
+ #endif /* __AMD_ATL_INTERNAL_H__ */
+--- a/drivers/ras/amd/atl/umc.c
++++ b/drivers/ras/amd/atl/umc.c
+@@ -229,7 +229,6 @@ int get_umc_info_mi300(void)
+ * Additionally, the PC and Bank bits may be hashed. This must be accounted for before
+ * reconstructing the normalized address.
+ */
+-#define MI300_UMC_MCA_COL GENMASK(5, 1)
+ #define MI300_UMC_MCA_BANK GENMASK(9, 6)
+ #define MI300_UMC_MCA_ROW GENMASK(24, 10)
+ #define MI300_UMC_MCA_PC BIT(25)
+@@ -360,7 +359,6 @@ static void _retire_row_mi300(struct atl
+ *
+ * See MI300_UMC_MCA_ROW for the row bits in MCA_ADDR_UMC value.
+ */
+-#define MI300_UMC_MCA_ROW13 BIT(23)
+ static void retire_row_mi300(struct atl_err *a_err)
+ {
+ _retire_row_mi300(a_err);
+--- a/drivers/ras/amd/fmpm.c
++++ b/drivers/ras/amd/fmpm.c
+@@ -250,6 +250,13 @@ static bool rec_has_valid_entries(struct
+ return true;
+ }
+
++/*
++ * Row retirement is done on MI300 systems, and some bits are 'don't
++ * care' for comparing addresses with unique physical rows. This
++ * includes all column bits and the row[13] bit.
++ */
++#define MASK_ADDR(addr) ((addr) & ~(MI300_UMC_MCA_ROW13 | MI300_UMC_MCA_COL))
++
+ static bool fpds_equal(struct cper_fru_poison_desc *old, struct cper_fru_poison_desc *new)
+ {
+ /*
+@@ -258,7 +265,7 @@ static bool fpds_equal(struct cper_fru_p
+ *
+ * Also, order the checks from most->least likely to fail to shortcut the code.
+ */
+- if (old->addr != new->addr)
++ if (MASK_ADDR(old->addr) != MASK_ADDR(new->addr))
+ return false;
+
+ if (old->hw_id != new->hw_id)
--- /dev/null
+From 45f5dcdd049719fb999393b30679605f16ebce14 Mon Sep 17 00:00:00 2001
+From: Sharath Srinivasan <sharath.srinivasan@oracle.com>
+Date: Wed, 26 Mar 2025 14:05:32 -0700
+Subject: RDMA/cma: Fix workqueue crash in cma_netevent_work_handler
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sharath Srinivasan <sharath.srinivasan@oracle.com>
+
+commit 45f5dcdd049719fb999393b30679605f16ebce14 upstream.
+
+struct rdma_cm_id has member "struct work_struct net_work"
+that is reused for enqueuing cma_netevent_work_handler()s
+onto cma_wq.
+
+Below crash[1] can occur if more than one call to
+cma_netevent_callback() occurs in quick succession,
+which further enqueues cma_netevent_work_handler()s for the
+same rdma_cm_id, overwriting any previously queued work-item(s)
+that was just scheduled to run i.e. there is no guarantee
+the queued work item may run between two successive calls
+to cma_netevent_callback() and the 2nd INIT_WORK would overwrite
+the 1st work item (for the same rdma_cm_id), despite grabbing
+id_table_lock during enqueue.
+
+Also drgn analysis [2] indicates the work item was likely overwritten.
+
+Fix this by moving the INIT_WORK() to __rdma_create_id(),
+so that it doesn't race with any existing queue_work() or
+its worker thread.
+
+[1] Trimmed crash stack:
+=============================================
+BUG: kernel NULL pointer dereference, address: 0000000000000008
+kworker/u256:6 ... 6.12.0-0...
+Workqueue: cma_netevent_work_handler [rdma_cm] (rdma_cm)
+RIP: 0010:process_one_work+0xba/0x31a
+Call Trace:
+ worker_thread+0x266/0x3a0
+ kthread+0xcf/0x100
+ ret_from_fork+0x31/0x50
+ ret_from_fork_asm+0x1a/0x30
+=============================================
+
+[2] drgn crash analysis:
+
+>>> trace = prog.crashed_thread().stack_trace()
+>>> trace
+(0) crash_setup_regs (./arch/x86/include/asm/kexec.h:111:15)
+(1) __crash_kexec (kernel/crash_core.c:122:4)
+(2) panic (kernel/panic.c:399:3)
+(3) oops_end (arch/x86/kernel/dumpstack.c:382:3)
+...
+(8) process_one_work (kernel/workqueue.c:3168:2)
+(9) process_scheduled_works (kernel/workqueue.c:3310:3)
+(10) worker_thread (kernel/workqueue.c:3391:4)
+(11) kthread (kernel/kthread.c:389:9)
+
+Line workqueue.c:3168 for this kernel version is in process_one_work():
+3168 strscpy(worker->desc, pwq->wq->name, WORKER_DESC_LEN);
+
+>>> trace[8]["work"]
+*(struct work_struct *)0xffff92577d0a21d8 = {
+ .data = (atomic_long_t){
+ .counter = (s64)536870912, <=== Note
+ },
+ .entry = (struct list_head){
+ .next = (struct list_head *)0xffff924d075924c0,
+ .prev = (struct list_head *)0xffff924d075924c0,
+ },
+ .func = (work_func_t)cma_netevent_work_handler+0x0 = 0xffffffffc2cec280,
+}
+
+Suspicion is that pwq is NULL:
+>>> trace[8]["pwq"]
+(struct pool_workqueue *)<absent>
+
+In process_one_work(), pwq is assigned from:
+struct pool_workqueue *pwq = get_work_pwq(work);
+
+and get_work_pwq() is:
+static struct pool_workqueue *get_work_pwq(struct work_struct *work)
+{
+ unsigned long data = atomic_long_read(&work->data);
+
+ if (data & WORK_STRUCT_PWQ)
+ return work_struct_pwq(data);
+ else
+ return NULL;
+}
+
+WORK_STRUCT_PWQ is 0x4:
+>>> print(repr(prog['WORK_STRUCT_PWQ']))
+Object(prog, 'enum work_flags', value=4)
+
+But work->data is 536870912 which is 0x20000000.
+So, get_work_pwq() returns NULL and we crash in process_one_work():
+3168 strscpy(worker->desc, pwq->wq->name, WORKER_DESC_LEN);
+=============================================
+
+Fixes: 925d046e7e52 ("RDMA/core: Add a netevent notifier to cma")
+Cc: stable@vger.kernel.org
+Co-developed-by: Håkon Bugge <haakon.bugge@oracle.com>
+Signed-off-by: Håkon Bugge <haakon.bugge@oracle.com>
+Signed-off-by: Sharath Srinivasan <sharath.srinivasan@oracle.com>
+Reviewed-by: Patrisious Haddad <phaddad@nvidia.com>
+Link: https://patch.msgid.link/bf0082f9-5b25-4593-92c6-d130aa8ba439@oracle.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/cma.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -72,6 +72,8 @@ static const char * const cma_events[] =
+ static void cma_iboe_set_mgid(struct sockaddr *addr, union ib_gid *mgid,
+ enum ib_gid_type gid_type);
+
++static void cma_netevent_work_handler(struct work_struct *_work);
++
+ const char *__attribute_const__ rdma_event_msg(enum rdma_cm_event_type event)
+ {
+ size_t index = event;
+@@ -1033,6 +1035,7 @@ __rdma_create_id(struct net *net, rdma_c
+ get_random_bytes(&id_priv->seq_num, sizeof id_priv->seq_num);
+ id_priv->id.route.addr.dev_addr.net = get_net(net);
+ id_priv->seq_num &= 0x00ffffff;
++ INIT_WORK(&id_priv->id.net_work, cma_netevent_work_handler);
+
+ rdma_restrack_new(&id_priv->res, RDMA_RESTRACK_CM_ID);
+ if (parent)
+@@ -5227,7 +5230,6 @@ static int cma_netevent_callback(struct
+ if (!memcmp(current_id->id.route.addr.dev_addr.dst_dev_addr,
+ neigh->ha, ETH_ALEN))
+ continue;
+- INIT_WORK(¤t_id->id.net_work, cma_netevent_work_handler);
+ cma_id_get(current_id);
+ queue_work(cma_wq, ¤t_id->id.net_work);
+ }
--- /dev/null
+From c707193a17128fae2802d10cbad7239cc57f0c95 Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+Date: Wed, 2 Apr 2025 13:26:47 -0700
+Subject: Revert "smb: client: Fix netns refcount imbalance causing leaks and use-after-free"
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+commit c707193a17128fae2802d10cbad7239cc57f0c95 upstream.
+
+This reverts commit 4e7f1644f2ac6d01dc584f6301c3b1d5aac4eaef.
+
+The commit e9f2517a3e18 ("smb: client: fix TCP timers deadlock after
+rmmod") is not only a bogus fix for LOCKDEP null-ptr-deref but also
+introduces a real issue, TCP sockets leak, which will be explained in
+detail in the next revert.
+
+Also, CNA assigned CVE-2024-54680 to it but is rejecting it. [0]
+
+Thus, we are reverting the commit and its follow-up commit 4e7f1644f2ac
+("smb: client: Fix netns refcount imbalance causing leaks and
+use-after-free").
+
+Link: https://lore.kernel.org/all/2025040248-tummy-smilingly-4240@gregkh/ #[0]
+Fixes: 4e7f1644f2ac ("smb: client: Fix netns refcount imbalance causing leaks and use-after-free")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/connect.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/fs/smb/client/connect.c
++++ b/fs/smb/client/connect.c
+@@ -300,7 +300,6 @@ cifs_abort_connection(struct TCP_Server_
+ server->ssocket->flags);
+ sock_release(server->ssocket);
+ server->ssocket = NULL;
+- put_net(cifs_net_ns(server));
+ }
+ server->sequence_number = 0;
+ server->session_estab = false;
+@@ -3127,12 +3126,8 @@ generic_ip_connect(struct TCP_Server_Inf
+ /*
+ * Grab netns reference for the socket.
+ *
+- * This reference will be released in several situations:
+- * - In the failure path before the cifsd thread is started.
+- * - In the all place where server->socket is released, it is
+- * also set to NULL.
+- * - Ultimately in clean_demultiplex_info(), during the final
+- * teardown.
++ * It'll be released here, on error, or in clean_demultiplex_info() upon server
++ * teardown.
+ */
+ get_net(net);
+
+@@ -3148,8 +3143,10 @@ generic_ip_connect(struct TCP_Server_Inf
+ }
+
+ rc = bind_socket(server);
+- if (rc < 0)
++ if (rc < 0) {
++ put_net(cifs_net_ns(server));
+ return rc;
++ }
+
+ /*
+ * Eventually check for other socket options to change from
+@@ -3195,6 +3192,9 @@ generic_ip_connect(struct TCP_Server_Inf
+ if (sport == htons(RFC1001_PORT))
+ rc = ip_rfc1001_connect(server);
+
++ if (rc < 0)
++ put_net(cifs_net_ns(server));
++
+ return rc;
+ }
+
--- /dev/null
+From 95d2b9f693ff2a1180a23d7d59acc0c4e72f4c41 Mon Sep 17 00:00:00 2001
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+Date: Wed, 2 Apr 2025 13:26:48 -0700
+Subject: Revert "smb: client: fix TCP timers deadlock after rmmod"
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+commit 95d2b9f693ff2a1180a23d7d59acc0c4e72f4c41 upstream.
+
+This reverts commit e9f2517a3e18a54a3943c098d2226b245d488801.
+
+Commit e9f2517a3e18 ("smb: client: fix TCP timers deadlock after
+rmmod") is intended to fix a null-ptr-deref in LOCKDEP, which is
+mentioned as CVE-2024-54680, but is actually did not fix anything;
+The issue can be reproduced on top of it. [0]
+
+Also, it reverted the change by commit ef7134c7fc48 ("smb: client:
+Fix use-after-free of network namespace.") and introduced a real
+issue by reviving the kernel TCP socket.
+
+When a reconnect happens for a CIFS connection, the socket state
+transitions to FIN_WAIT_1. Then, inet_csk_clear_xmit_timers_sync()
+in tcp_close() stops all timers for the socket.
+
+If an incoming FIN packet is lost, the socket will stay at FIN_WAIT_1
+forever, and such sockets could be leaked up to net.ipv4.tcp_max_orphans.
+
+Usually, FIN can be retransmitted by the peer, but if the peer aborts
+the connection, the issue comes into reality.
+
+I warned about this privately by pointing out the exact report [1],
+but the bogus fix was finally merged.
+
+So, we should not stop the timers to finally kill the connection on
+our side in that case, meaning we must not use a kernel socket for
+TCP whose sk->sk_net_refcnt is 0.
+
+The kernel socket does not have a reference to its netns to make it
+possible to tear down netns without cleaning up every resource in it.
+
+For example, tunnel devices use a UDP socket internally, but we can
+destroy netns without removing such devices and let it complete
+during exit. Otherwise, netns would be leaked when the last application
+died.
+
+However, this is problematic for TCP sockets because TCP has timers to
+close the connection gracefully even after the socket is close()d. The
+lifetime of the socket and its netns is different from the lifetime of
+the underlying connection.
+
+If the socket user does not maintain the netns lifetime, the timer could
+be fired after the socket is close()d and its netns is freed up, resulting
+in use-after-free.
+
+Actually, we have seen so many similar issues and converted such sockets
+to have a reference to netns.
+
+That's why I converted the CIFS client socket to have a reference to
+netns (sk->sk_net_refcnt == 1), which is somehow mentioned as out-of-scope
+of CIFS and technically wrong in e9f2517a3e18, but **is in-scope and right
+fix**.
+
+Regarding the LOCKDEP issue, we can prevent the module unload by
+bumping the module refcount when switching the LOCKDDEP key in
+sock_lock_init_class_and_name(). [2]
+
+For a while, let's revert the bogus fix.
+
+Note that now we can use sk_net_refcnt_upgrade() for the socket
+conversion, but I'll do so later separately to make backport easy.
+
+Link: https://lore.kernel.org/all/20250402020807.28583-1-kuniyu@amazon.com/ #[0]
+Link: https://lore.kernel.org/netdev/c08bd5378da647a2a4c16698125d180a@huawei.com/ #[1]
+Link: https://lore.kernel.org/lkml/20250402005841.19846-1-kuniyu@amazon.com/ #[2]
+Fixes: e9f2517a3e18 ("smb: client: fix TCP timers deadlock after rmmod")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/connect.c | 36 ++++++++++--------------------------
+ 1 file changed, 10 insertions(+), 26 deletions(-)
+
+--- a/fs/smb/client/connect.c
++++ b/fs/smb/client/connect.c
+@@ -972,13 +972,9 @@ clean_demultiplex_info(struct TCP_Server
+ msleep(125);
+ if (cifs_rdma_enabled(server))
+ smbd_destroy(server);
+-
+ if (server->ssocket) {
+ sock_release(server->ssocket);
+ server->ssocket = NULL;
+-
+- /* Release netns reference for the socket. */
+- put_net(cifs_net_ns(server));
+ }
+
+ if (!list_empty(&server->pending_mid_q)) {
+@@ -1026,7 +1022,6 @@ clean_demultiplex_info(struct TCP_Server
+ */
+ }
+
+- /* Release netns reference for this server. */
+ put_net(cifs_net_ns(server));
+ kfree(server->leaf_fullpath);
+ kfree(server->hostname);
+@@ -1672,8 +1667,6 @@ cifs_get_tcp_session(struct smb3_fs_cont
+
+ tcp_ses->ops = ctx->ops;
+ tcp_ses->vals = ctx->vals;
+-
+- /* Grab netns reference for this server. */
+ cifs_set_net_ns(tcp_ses, get_net(current->nsproxy->net_ns));
+
+ tcp_ses->sign = ctx->sign;
+@@ -1803,7 +1796,6 @@ smbd_connected:
+ out_err_crypto_release:
+ cifs_crypto_secmech_release(tcp_ses);
+
+- /* Release netns reference for this server. */
+ put_net(cifs_net_ns(tcp_ses));
+
+ out_err:
+@@ -1812,10 +1804,8 @@ out_err:
+ cifs_put_tcp_session(tcp_ses->primary_server, false);
+ kfree(tcp_ses->hostname);
+ kfree(tcp_ses->leaf_fullpath);
+- if (tcp_ses->ssocket) {
++ if (tcp_ses->ssocket)
+ sock_release(tcp_ses->ssocket);
+- put_net(cifs_net_ns(tcp_ses));
+- }
+ kfree(tcp_ses);
+ }
+ return ERR_PTR(rc);
+@@ -3116,20 +3106,20 @@ generic_ip_connect(struct TCP_Server_Inf
+ socket = server->ssocket;
+ } else {
+ struct net *net = cifs_net_ns(server);
++ struct sock *sk;
+
+- rc = sock_create_kern(net, sfamily, SOCK_STREAM, IPPROTO_TCP, &server->ssocket);
++ rc = __sock_create(net, sfamily, SOCK_STREAM,
++ IPPROTO_TCP, &server->ssocket, 1);
+ if (rc < 0) {
+ cifs_server_dbg(VFS, "Error %d creating socket\n", rc);
+ return rc;
+ }
+
+- /*
+- * Grab netns reference for the socket.
+- *
+- * It'll be released here, on error, or in clean_demultiplex_info() upon server
+- * teardown.
+- */
+- get_net(net);
++ sk = server->ssocket->sk;
++ __netns_tracker_free(net, &sk->ns_tracker, false);
++ sk->sk_net_refcnt = 1;
++ get_net_track(net, &sk->ns_tracker, GFP_KERNEL);
++ sock_inuse_add(net, 1);
+
+ /* BB other socket options to set KEEPALIVE, NODELAY? */
+ cifs_dbg(FYI, "Socket created\n");
+@@ -3143,10 +3133,8 @@ generic_ip_connect(struct TCP_Server_Inf
+ }
+
+ rc = bind_socket(server);
+- if (rc < 0) {
+- put_net(cifs_net_ns(server));
++ if (rc < 0)
+ return rc;
+- }
+
+ /*
+ * Eventually check for other socket options to change from
+@@ -3183,7 +3171,6 @@ generic_ip_connect(struct TCP_Server_Inf
+ if (rc < 0) {
+ cifs_dbg(FYI, "Error %d connecting to server\n", rc);
+ trace_smb3_connect_err(server->hostname, server->conn_id, &server->dstaddr, rc);
+- put_net(cifs_net_ns(server));
+ sock_release(socket);
+ server->ssocket = NULL;
+ return rc;
+@@ -3192,9 +3179,6 @@ generic_ip_connect(struct TCP_Server_Inf
+ if (sport == htons(RFC1001_PORT))
+ rc = ip_rfc1001_connect(server);
+
+- if (rc < 0)
+- put_net(cifs_net_ns(server));
+-
+ return rc;
+ }
+
--- /dev/null
+From adf53771a3123df99ca26e38818760fbcf5c05d0 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Wed, 9 Apr 2025 14:24:46 -0700
+Subject: riscv: Avoid fortify warning in syscall_get_arguments()
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit adf53771a3123df99ca26e38818760fbcf5c05d0 upstream.
+
+When building with CONFIG_FORTIFY_SOURCE=y and W=1, there is a warning
+because of the memcpy() in syscall_get_arguments():
+
+ In file included from include/linux/string.h:392,
+ from include/linux/bitmap.h:13,
+ from include/linux/cpumask.h:12,
+ from arch/riscv/include/asm/processor.h:55,
+ from include/linux/sched.h:13,
+ from kernel/ptrace.c:13:
+ In function 'fortify_memcpy_chk',
+ inlined from 'syscall_get_arguments.isra' at arch/riscv/include/asm/syscall.h:66:2:
+ include/linux/fortify-string.h:580:25: error: call to '__read_overflow2_field' declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Werror=attribute-warning]
+ 580 | __read_overflow2_field(q_size_field, size);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ cc1: all warnings being treated as errors
+
+The fortified memcpy() routine enforces that the source is not overread
+and the destination is not overwritten if the size of either field and
+the size of the copy are known at compile time. The memcpy() in
+syscall_get_arguments() intentionally overreads from a1 to a5 in
+'struct pt_regs' but this is bigger than the size of a1.
+
+Normally, this could be solved by wrapping a1 through a5 with
+struct_group() but there was already a struct_group() applied to these
+members in commit bba547810c66 ("riscv: tracing: Fix
+__write_overflow_field in ftrace_partial_regs()").
+
+Just avoid memcpy() altogether and write the copying of args from regs
+manually, which clears up the warning at the expense of three extra
+lines of code.
+
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Dmitry V. Levin <ldv@strace.io>
+Fixes: e2c0cdfba7f6 ("RISC-V: User-facing API")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250409-riscv-avoid-fortify-warning-syscall_get_arguments-v1-1-7853436d4755@kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/include/asm/syscall.h | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/arch/riscv/include/asm/syscall.h
++++ b/arch/riscv/include/asm/syscall.h
+@@ -62,8 +62,11 @@ static inline void syscall_get_arguments
+ unsigned long *args)
+ {
+ args[0] = regs->orig_a0;
+- args++;
+- memcpy(args, ®s->a1, 5 * sizeof(args[0]));
++ args[1] = regs->a1;
++ args[2] = regs->a2;
++ args[3] = regs->a3;
++ args[4] = regs->a4;
++ args[5] = regs->a5;
+ }
+
+ static inline int syscall_get_arch(struct task_struct *task)
--- /dev/null
+From aad9945623ab4029ae7789609fb6166c97976c62 Mon Sep 17 00:00:00 2001
+From: Chandrakanth Patil <chandrakanth.patil@broadcom.com>
+Date: Thu, 3 Apr 2025 01:07:34 +0530
+Subject: scsi: megaraid_sas: Block zero-length ATA VPD inquiry
+
+From: Chandrakanth Patil <chandrakanth.patil@broadcom.com>
+
+commit aad9945623ab4029ae7789609fb6166c97976c62 upstream.
+
+A firmware bug was observed where ATA VPD inquiry commands with a
+zero-length data payload were not handled and failed with a non-standard
+status code of 0xf0.
+
+Avoid sending ATA VPD inquiry commands without data payload by setting
+the device no_vpd_size flag to 1. In addition, if the firmware returns a
+status code of 0xf0, set scsi_cmnd->result to CHECK_CONDITION to
+facilitate proper error handling.
+
+Suggested-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Chandrakanth Patil <chandrakanth.patil@broadcom.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250402193735.5098-1-chandrakanth.patil@broadcom.com
+Tested-by: Ryan Lahfa <ryan@lahfa.xyz>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/megaraid/megaraid_sas_base.c | 9 +++++++--
+ drivers/scsi/megaraid/megaraid_sas_fusion.c | 5 ++++-
+ 2 files changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/megaraid/megaraid_sas_base.c
++++ b/drivers/scsi/megaraid/megaraid_sas_base.c
+@@ -2103,6 +2103,9 @@ static int megasas_sdev_configure(struct
+ /* This sdev property may change post OCR */
+ megasas_set_dynamic_target_properties(sdev, lim, is_target_prop);
+
++ if (!MEGASAS_IS_LOGICAL(sdev))
++ sdev->no_vpd_size = 1;
++
+ mutex_unlock(&instance->reset_mutex);
+
+ return 0;
+@@ -3662,8 +3665,10 @@ megasas_complete_cmd(struct megasas_inst
+
+ case MFI_STAT_SCSI_IO_FAILED:
+ case MFI_STAT_LD_INIT_IN_PROGRESS:
+- cmd->scmd->result =
+- (DID_ERROR << 16) | hdr->scsi_status;
++ if (hdr->scsi_status == 0xf0)
++ cmd->scmd->result = (DID_ERROR << 16) | SAM_STAT_CHECK_CONDITION;
++ else
++ cmd->scmd->result = (DID_ERROR << 16) | hdr->scsi_status;
+ break;
+
+ case MFI_STAT_SCSI_DONE_WITH_ERROR:
+--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
++++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
+@@ -2043,7 +2043,10 @@ map_cmd_status(struct fusion_context *fu
+
+ case MFI_STAT_SCSI_IO_FAILED:
+ case MFI_STAT_LD_INIT_IN_PROGRESS:
+- scmd->result = (DID_ERROR << 16) | ext_status;
++ if (ext_status == 0xf0)
++ scmd->result = (DID_ERROR << 16) | SAM_STAT_CHECK_CONDITION;
++ else
++ scmd->result = (DID_ERROR << 16) | ext_status;
+ break;
+
+ case MFI_STAT_SCSI_DONE_WITH_ERROR:
--- /dev/null
+From f92bb7436802f8eb7ee72dc911a33c8897fde366 Mon Sep 17 00:00:00 2001
+From: Peter Griffin <peter.griffin@linaro.org>
+Date: Wed, 19 Mar 2025 15:30:20 +0000
+Subject: scsi: ufs: exynos: Disable iocc if dma-coherent property isn't set
+
+From: Peter Griffin <peter.griffin@linaro.org>
+
+commit f92bb7436802f8eb7ee72dc911a33c8897fde366 upstream.
+
+If dma-coherent property isn't set then descriptors are non-cacheable
+and the iocc shareability bits should be disabled. Without this UFS can
+end up in an incompatible configuration and suffer from random cache
+related stability issues.
+
+Suggested-by: Bart Van Assche <bvanassche@acm.org>
+Fixes: cc52e15397cc ("scsi: ufs: ufs-exynos: Support ExynosAuto v9 UFS")
+Signed-off-by: Peter Griffin <peter.griffin@linaro.org>
+Link: https://lore.kernel.org/r/20250319-exynos-ufs-stability-fixes-v2-3-96722cc2ba1b@linaro.org
+Cc: Chanho Park <chanho61.park@samsung.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ufs/host/ufs-exynos.c | 17 +++++++++++++----
+ drivers/ufs/host/ufs-exynos.h | 3 ++-
+ 2 files changed, 15 insertions(+), 5 deletions(-)
+
+--- a/drivers/ufs/host/ufs-exynos.c
++++ b/drivers/ufs/host/ufs-exynos.c
+@@ -214,8 +214,8 @@ static int exynos_ufs_shareability(struc
+ /* IO Coherency setting */
+ if (ufs->sysreg) {
+ return regmap_update_bits(ufs->sysreg,
+- ufs->shareability_reg_offset,
+- ufs->iocc_mask, ufs->iocc_mask);
++ ufs->iocc_offset,
++ ufs->iocc_mask, ufs->iocc_val);
+ }
+
+ return 0;
+@@ -1173,13 +1173,22 @@ static int exynos_ufs_parse_dt(struct de
+ ufs->sysreg = NULL;
+ else {
+ if (of_property_read_u32_index(np, "samsung,sysreg", 1,
+- &ufs->shareability_reg_offset)) {
++ &ufs->iocc_offset)) {
+ dev_warn(dev, "can't get an offset from sysreg. Set to default value\n");
+- ufs->shareability_reg_offset = UFS_SHAREABILITY_OFFSET;
++ ufs->iocc_offset = UFS_SHAREABILITY_OFFSET;
+ }
+ }
+
+ ufs->iocc_mask = ufs->drv_data->iocc_mask;
++ /*
++ * no 'dma-coherent' property means the descriptors are
++ * non-cacheable so iocc shareability should be disabled.
++ */
++ if (of_dma_is_coherent(dev->of_node))
++ ufs->iocc_val = ufs->iocc_mask;
++ else
++ ufs->iocc_val = 0;
++
+ ufs->pclk_avail_min = PCLK_AVAIL_MIN;
+ ufs->pclk_avail_max = PCLK_AVAIL_MAX;
+
+--- a/drivers/ufs/host/ufs-exynos.h
++++ b/drivers/ufs/host/ufs-exynos.h
+@@ -231,8 +231,9 @@ struct exynos_ufs {
+ ktime_t entry_hibern8_t;
+ const struct exynos_ufs_drv_data *drv_data;
+ struct regmap *sysreg;
+- u32 shareability_reg_offset;
++ u32 iocc_offset;
+ u32 iocc_mask;
++ u32 iocc_val;
+
+ u32 opts;
+ #define EXYNOS_UFS_OPT_HAS_APB_CLK_CTRL BIT(0)
--- /dev/null
+From 7f05fd9a3b6fb3a9abc5a748307d11831c03175f Mon Sep 17 00:00:00 2001
+From: Peter Griffin <peter.griffin@linaro.org>
+Date: Wed, 19 Mar 2025 15:30:21 +0000
+Subject: scsi: ufs: exynos: Ensure consistent phy reference counts
+
+From: Peter Griffin <peter.griffin@linaro.org>
+
+commit 7f05fd9a3b6fb3a9abc5a748307d11831c03175f upstream.
+
+ufshcd_link_startup() can call ufshcd_vops_link_startup_notify()
+multiple times when retrying. This causes the phy reference count to
+keep increasing and the phy to not properly re-initialize.
+
+If the phy has already been previously powered on, first issue a
+phy_power_off() and phy_exit(), before re-initializing and powering on
+again.
+
+Signed-off-by: Peter Griffin <peter.griffin@linaro.org>
+Link: https://lore.kernel.org/r/20250319-exynos-ufs-stability-fixes-v2-4-96722cc2ba1b@linaro.org
+Fixes: 3d73b200f989 ("scsi: ufs: ufs-exynos: Change ufs phy control sequence")
+Cc: stable@vger.kernel.org
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ufs/host/ufs-exynos.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/ufs/host/ufs-exynos.c
++++ b/drivers/ufs/host/ufs-exynos.c
+@@ -962,6 +962,12 @@ static int exynos_ufs_phy_init(struct ex
+ }
+
+ phy_set_bus_width(generic_phy, ufs->avail_ln_rx);
++
++ if (generic_phy->power_count) {
++ phy_power_off(generic_phy);
++ phy_exit(generic_phy);
++ }
++
+ ret = phy_init(generic_phy);
+ if (ret) {
+ dev_err(hba->dev, "%s: phy init failed, ret = %d\n",
--- /dev/null
+From 68f5ef7eebf0f41df4d38ea55a54c2462af1e3d6 Mon Sep 17 00:00:00 2001
+From: Peter Griffin <peter.griffin@linaro.org>
+Date: Wed, 19 Mar 2025 15:30:19 +0000
+Subject: scsi: ufs: exynos: Move UFS shareability value to drvdata
+
+From: Peter Griffin <peter.griffin@linaro.org>
+
+commit 68f5ef7eebf0f41df4d38ea55a54c2462af1e3d6 upstream.
+
+gs101 I/O coherency shareability bits differ from exynosauto SoC. To
+support both SoCs move this info the SoC drvdata.
+
+Currently both the value and mask are the same for both gs101 and
+exynosauto, thus we use the same value.
+
+Signed-off-by: Peter Griffin <peter.griffin@linaro.org>
+Link: https://lore.kernel.org/r/20250319-exynos-ufs-stability-fixes-v2-2-96722cc2ba1b@linaro.org
+Fixes: d11e0a318df8 ("scsi: ufs: exynos: Add support for Tensor gs101 SoC")
+Cc: stable@vger.kernel.org
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ufs/host/ufs-exynos.c | 20 ++++++++++++++------
+ drivers/ufs/host/ufs-exynos.h | 2 ++
+ 2 files changed, 16 insertions(+), 6 deletions(-)
+
+--- a/drivers/ufs/host/ufs-exynos.c
++++ b/drivers/ufs/host/ufs-exynos.c
+@@ -92,11 +92,16 @@
+ UIC_TRANSPORT_NO_CONNECTION_RX |\
+ UIC_TRANSPORT_BAD_TC)
+
+-/* FSYS UFS Shareability */
+-#define UFS_WR_SHARABLE BIT(2)
+-#define UFS_RD_SHARABLE BIT(1)
+-#define UFS_SHARABLE (UFS_WR_SHARABLE | UFS_RD_SHARABLE)
+-#define UFS_SHAREABILITY_OFFSET 0x710
++/* UFS Shareability */
++#define UFS_EXYNOSAUTO_WR_SHARABLE BIT(2)
++#define UFS_EXYNOSAUTO_RD_SHARABLE BIT(1)
++#define UFS_EXYNOSAUTO_SHARABLE (UFS_EXYNOSAUTO_WR_SHARABLE | \
++ UFS_EXYNOSAUTO_RD_SHARABLE)
++#define UFS_GS101_WR_SHARABLE BIT(1)
++#define UFS_GS101_RD_SHARABLE BIT(0)
++#define UFS_GS101_SHARABLE (UFS_GS101_WR_SHARABLE | \
++ UFS_GS101_RD_SHARABLE)
++#define UFS_SHAREABILITY_OFFSET 0x710
+
+ /* Multi-host registers */
+ #define MHCTRL 0xC4
+@@ -210,7 +215,7 @@ static int exynos_ufs_shareability(struc
+ if (ufs->sysreg) {
+ return regmap_update_bits(ufs->sysreg,
+ ufs->shareability_reg_offset,
+- UFS_SHARABLE, UFS_SHARABLE);
++ ufs->iocc_mask, ufs->iocc_mask);
+ }
+
+ return 0;
+@@ -1174,6 +1179,7 @@ static int exynos_ufs_parse_dt(struct de
+ }
+ }
+
++ ufs->iocc_mask = ufs->drv_data->iocc_mask;
+ ufs->pclk_avail_min = PCLK_AVAIL_MIN;
+ ufs->pclk_avail_max = PCLK_AVAIL_MAX;
+
+@@ -2034,6 +2040,7 @@ static const struct exynos_ufs_drv_data
+ .opts = EXYNOS_UFS_OPT_BROKEN_AUTO_CLK_CTRL |
+ EXYNOS_UFS_OPT_SKIP_CONFIG_PHY_ATTR |
+ EXYNOS_UFS_OPT_BROKEN_RX_SEL_IDX,
++ .iocc_mask = UFS_EXYNOSAUTO_SHARABLE,
+ .drv_init = exynosauto_ufs_drv_init,
+ .post_hce_enable = exynosauto_ufs_post_hce_enable,
+ .pre_link = exynosauto_ufs_pre_link,
+@@ -2135,6 +2142,7 @@ static const struct exynos_ufs_drv_data
+ .opts = EXYNOS_UFS_OPT_SKIP_CONFIG_PHY_ATTR |
+ EXYNOS_UFS_OPT_UFSPR_SECURE |
+ EXYNOS_UFS_OPT_TIMER_TICK_SELECT,
++ .iocc_mask = UFS_GS101_SHARABLE,
+ .drv_init = gs101_ufs_drv_init,
+ .pre_link = gs101_ufs_pre_link,
+ .post_link = gs101_ufs_post_link,
+--- a/drivers/ufs/host/ufs-exynos.h
++++ b/drivers/ufs/host/ufs-exynos.h
+@@ -181,6 +181,7 @@ struct exynos_ufs_drv_data {
+ struct exynos_ufs_uic_attr *uic_attr;
+ unsigned int quirks;
+ unsigned int opts;
++ u32 iocc_mask;
+ /* SoC's specific operations */
+ int (*drv_init)(struct exynos_ufs *ufs);
+ int (*pre_link)(struct exynos_ufs *ufs);
+@@ -231,6 +232,7 @@ struct exynos_ufs {
+ const struct exynos_ufs_drv_data *drv_data;
+ struct regmap *sysreg;
+ u32 shareability_reg_offset;
++ u32 iocc_mask;
+
+ u32 opts;
+ #define EXYNOS_UFS_OPT_HAS_APB_CLK_CTRL BIT(0)
--- /dev/null
+From 9c02223e2d9df5cb37c51aedb78f3960294e09b5 Mon Sep 17 00:00:00 2001
+From: Mark Brown <broonie@kernel.org>
+Date: Fri, 4 Apr 2025 17:42:32 +0100
+Subject: selftests/mm: generate a temporary mountpoint for cgroup filesystem
+
+From: Mark Brown <broonie@kernel.org>
+
+commit 9c02223e2d9df5cb37c51aedb78f3960294e09b5 upstream.
+
+Currently if the filesystem for the cgroups version it wants to use is not
+mounted charge_reserved_hugetlb.sh and hugetlb_reparenting_test.sh tests
+will attempt to mount it on the hard coded path /dev/cgroup/memory,
+deleting that directory when the test finishes. This will fail if there
+is not a preexisting directory at that path, and since the directory is
+deleted subsequent runs of the test will fail. Instead of relying on this
+hard coded directory name use mktemp to generate a temporary directory to
+use as a mountpoint, fixing both the assumption and the disruption caused
+by deleting a preexisting directory.
+
+This means that if the relevant cgroup filesystem is not already mounted
+then we rely on having coreutils (which provides mktemp) installed. I
+suspect that many current users are relying on having things automounted
+by default, and given that the script relies on bash it's probably not an
+unreasonable requirement.
+
+Link: https://lkml.kernel.org/r/20250404-kselftest-mm-cgroup2-detection-v1-1-3dba6d32ba8c@kernel.org
+Fixes: 209376ed2a84 ("selftests/vm: make charge_reserved_hugetlb.sh work with existing cgroup setting")
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: Aishwarya TCV <aishwarya.tcv@arm.com>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Mina Almasry <almasrymina@google.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Waiman Long <longman@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/mm/charge_reserved_hugetlb.sh | 4 ++--
+ tools/testing/selftests/mm/hugetlb_reparenting_test.sh | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/tools/testing/selftests/mm/charge_reserved_hugetlb.sh
++++ b/tools/testing/selftests/mm/charge_reserved_hugetlb.sh
+@@ -29,7 +29,7 @@ fi
+ if [[ $cgroup2 ]]; then
+ cgroup_path=$(mount -t cgroup2 | head -1 | awk '{print $3}')
+ if [[ -z "$cgroup_path" ]]; then
+- cgroup_path=/dev/cgroup/memory
++ cgroup_path=$(mktemp -d)
+ mount -t cgroup2 none $cgroup_path
+ do_umount=1
+ fi
+@@ -37,7 +37,7 @@ if [[ $cgroup2 ]]; then
+ else
+ cgroup_path=$(mount -t cgroup | grep ",hugetlb" | awk '{print $3}')
+ if [[ -z "$cgroup_path" ]]; then
+- cgroup_path=/dev/cgroup/memory
++ cgroup_path=$(mktemp -d)
+ mount -t cgroup memory,hugetlb $cgroup_path
+ do_umount=1
+ fi
+--- a/tools/testing/selftests/mm/hugetlb_reparenting_test.sh
++++ b/tools/testing/selftests/mm/hugetlb_reparenting_test.sh
+@@ -23,7 +23,7 @@ fi
+ if [[ $cgroup2 ]]; then
+ CGROUP_ROOT=$(mount -t cgroup2 | head -1 | awk '{print $3}')
+ if [[ -z "$CGROUP_ROOT" ]]; then
+- CGROUP_ROOT=/dev/cgroup/memory
++ CGROUP_ROOT=$(mktemp -d)
+ mount -t cgroup2 none $CGROUP_ROOT
+ do_umount=1
+ fi
fs-move-the-bdex_statx-call-to-vfs_getattr_nosec.patch
ftrace-fix-incorrect-hash-size-in-register_ftrace_di.patch
drm-msm-a6xx-don-t-let-ib_size-overflow.patch
+bluetooth-l2cap-process-valid-commands-in-too-long-frame.patch
+bluetooth-vhci-avoid-needless-snprintf-calls.patch
+btrfs-ioctl-don-t-free-iov-when-btrfs_encoded_read-returns-eagain.patch
+btrfs-correctly-escape-subvol-in-btrfs_show_options.patch
+cpufreq-sched-explicitly-synchronize-limits_changed-flag-handling.patch
+cpufreq-avoid-using-inconsistent-policy-min-and-policy-max.patch
+crypto-caam-qi-fix-drv_ctx-refcount-bug.patch
+hfs-hfsplus-fix-slab-out-of-bounds-in-hfs_bnode_read_key.patch
+i2c-cros-ec-tunnel-defer-probe-if-parent-ec-is-not-present.patch
+isofs-prevent-the-use-of-too-small-fid.patch
+lib-iov_iter-fix-to-increase-non-slab-folio-refcount.patch
+loop-properly-send-kobj_changed-uevent-for-disk-device.patch
+loop-loop_set_fd-send-uevents-for-partitions.patch
+mm-compaction-fix-bug-in-hugetlb-handling-pathway.patch
+mm-gup-fix-wrongly-calculated-returned-value-in-fault_in_safe_writeable.patch
+mm-fix-filemap_get_folios_contig-returning-batches-of-identical-folios.patch
+mm-fix-apply_to_existing_page_range.patch
+ovl-don-t-allow-datadir-only.patch
+ksmbd-fix-dangling-pointer-in-krb_authenticate.patch
+ksmbd-fix-use-after-free-in-__smb2_lease_break_noti.patch
+ksmbd-fix-use-after-free-in-smb_break_all_levii_oplock.patch
+ksmbd-prevent-integer-overflow-in-calculation-of-deadtime.patch
+ksmbd-fix-the-warning-from-__kernel_write_iter.patch
+revert-smb-client-fix-netns-refcount-imbalance-causing-leaks-and-use-after-free.patch
+revert-smb-client-fix-tcp-timers-deadlock-after-rmmod.patch
+riscv-avoid-fortify-warning-in-syscall_get_arguments.patch
+selftests-mm-generate-a-temporary-mountpoint-for-cgroup-filesystem.patch
+slab-ensure-slab-obj_exts-is-clear-in-a-newly-allocated-slab-page.patch
+smb3-client-fix-open-hardlink-on-deferred-close-file-error.patch
+string-add-load_unaligned_zeropad-code-path-to-sized_strscpy.patch
+tracing-fix-filter-string-testing.patch
+virtiofs-add-filesystem-context-source-name-check.patch
+x86-microcode-amd-extend-the-sha-check-to-zen5-block-loading-of-any-unreleased-standalone-zen5-microcode-patches.patch
+x86-cpu-amd-fix-workaround-for-erratum-1054.patch
+x86-boot-sev-avoid-shared-ghcb-page-for-early-memory-acceptance.patch
+scsi-megaraid_sas-block-zero-length-ata-vpd-inquiry.patch
+scsi-ufs-exynos-move-ufs-shareability-value-to-drvdata.patch
+scsi-ufs-exynos-disable-iocc-if-dma-coherent-property-isn-t-set.patch
+scsi-ufs-exynos-ensure-consistent-phy-reference-counts.patch
+rdma-cma-fix-workqueue-crash-in-cma_netevent_work_handler.patch
+ras-amd-atl-include-row-bit-in-row-retirement.patch
+ras-amd-fmpm-get-masked-address.patch
+platform-x86-amd-pmf-fix-stt-limits.patch
+perf-x86-intel-allow-to-update-user-space-gprs-from-pebs-records.patch
+perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-snr.patch
+perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-icx.patch
+perf-x86-intel-uncore-fix-the-scale-of-iio-free-running-counters-on-spr.patch
--- /dev/null
+From d2f5819b6ed357c0c350c0616b6b9f38be59adf6 Mon Sep 17 00:00:00 2001
+From: Suren Baghdasaryan <surenb@google.com>
+Date: Fri, 11 Apr 2025 08:57:37 -0700
+Subject: slab: ensure slab->obj_exts is clear in a newly allocated slab page
+
+From: Suren Baghdasaryan <surenb@google.com>
+
+commit d2f5819b6ed357c0c350c0616b6b9f38be59adf6 upstream.
+
+ktest recently reported crashes while running several buffered io tests
+with __alloc_tagging_slab_alloc_hook() at the top of the crash call stack.
+The signature indicates an invalid address dereference with low bits of
+slab->obj_exts being set. The bits were outside of the range used by
+page_memcg_data_flags and objext_flags and hence were not masked out
+by slab_obj_exts() when obtaining the pointer stored in slab->obj_exts.
+The typical crash log looks like this:
+
+00510 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
+00510 Mem abort info:
+00510 ESR = 0x0000000096000045
+00510 EC = 0x25: DABT (current EL), IL = 32 bits
+00510 SET = 0, FnV = 0
+00510 EA = 0, S1PTW = 0
+00510 FSC = 0x05: level 1 translation fault
+00510 Data abort info:
+00510 ISV = 0, ISS = 0x00000045, ISS2 = 0x00000000
+00510 CM = 0, WnR = 1, TnD = 0, TagAccess = 0
+00510 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+00510 user pgtable: 4k pages, 39-bit VAs, pgdp=0000000104175000
+00510 [0000000000000010] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
+00510 Internal error: Oops: 0000000096000045 [#1] SMP
+00510 Modules linked in:
+00510 CPU: 10 UID: 0 PID: 7692 Comm: cat Not tainted 6.15.0-rc1-ktest-g189e17946605 #19327 NONE
+00510 Hardware name: linux,dummy-virt (DT)
+00510 pstate: 20001005 (nzCv daif -PAN -UAO -TCO -DIT +SSBS BTYPE=--)
+00510 pc : __alloc_tagging_slab_alloc_hook+0xe0/0x190
+00510 lr : __kmalloc_noprof+0x150/0x310
+00510 sp : ffffff80c87df6c0
+00510 x29: ffffff80c87df6c0 x28: 000000000013d1ff x27: 000000000013d200
+00510 x26: ffffff80c87df9e0 x25: 0000000000000000 x24: 0000000000000001
+00510 x23: ffffffc08041953c x22: 000000000000004c x21: ffffff80c0002180
+00510 x20: fffffffec3120840 x19: ffffff80c4821000 x18: 0000000000000000
+00510 x17: fffffffec3d02f00 x16: fffffffec3d02e00 x15: fffffffec3d00700
+00510 x14: fffffffec3d00600 x13: 0000000000000200 x12: 0000000000000006
+00510 x11: ffffffc080bb86c0 x10: 0000000000000000 x9 : ffffffc080201e58
+00510 x8 : ffffff80c4821060 x7 : 0000000000000000 x6 : 0000000055555556
+00510 x5 : 0000000000000001 x4 : 0000000000000010 x3 : 0000000000000060
+00510 x2 : 0000000000000000 x1 : ffffffc080f50cf8 x0 : ffffff80d801d000
+00510 Call trace:
+00510 __alloc_tagging_slab_alloc_hook+0xe0/0x190 (P)
+00510 __kmalloc_noprof+0x150/0x310
+00510 __bch2_folio_create+0x5c/0xf8
+00510 bch2_folio_create+0x2c/0x40
+00510 bch2_readahead+0xc0/0x460
+00510 read_pages+0x7c/0x230
+00510 page_cache_ra_order+0x244/0x3a8
+00510 page_cache_async_ra+0x124/0x170
+00510 filemap_readahead.isra.0+0x58/0xa0
+00510 filemap_get_pages+0x454/0x7b0
+00510 filemap_read+0xdc/0x418
+00510 bch2_read_iter+0x100/0x1b0
+00510 vfs_read+0x214/0x300
+00510 ksys_read+0x6c/0x108
+00510 __arm64_sys_read+0x20/0x30
+00510 invoke_syscall.constprop.0+0x54/0xe8
+00510 do_el0_svc+0x44/0xc8
+00510 el0_svc+0x18/0x58
+00510 el0t_64_sync_handler+0x104/0x130
+00510 el0t_64_sync+0x154/0x158
+00510 Code: d5384100 f9401c01 b9401aa3 b40002e1 (f8227881)
+00510 ---[ end trace 0000000000000000 ]---
+00510 Kernel panic - not syncing: Oops: Fatal exception
+00510 SMP: stopping secondary CPUs
+00510 Kernel Offset: disabled
+00510 CPU features: 0x0000,000000e0,00000410,8240500b
+00510 Memory Limit: none
+
+Investigation indicates that these bits are already set when we allocate
+slab page and are not zeroed out after allocation. We are not yet sure
+why these crashes start happening only recently but regardless of the
+reason, not initializing a field that gets used later is wrong. Fix it
+by initializing slab->obj_exts during slab page allocation.
+
+Fixes: 21c690a349ba ("mm: introduce slabobj_ext to support slab object extensions")
+Reported-by: Kent Overstreet <kent.overstreet@linux.dev>
+Tested-by: Kent Overstreet <kent.overstreet@linux.dev>
+Signed-off-by: Suren Baghdasaryan <surenb@google.com>
+Acked-by: Kent Overstreet <kent.overstreet@linux.dev>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250411155737.1360746-1-surenb@google.com
+Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/slub.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -1950,6 +1950,11 @@ static inline void handle_failed_objexts
+ #define OBJCGS_CLEAR_MASK (__GFP_DMA | __GFP_RECLAIMABLE | \
+ __GFP_ACCOUNT | __GFP_NOFAIL)
+
++static inline void init_slab_obj_exts(struct slab *slab)
++{
++ slab->obj_exts = 0;
++}
++
+ int alloc_slab_obj_exts(struct slab *slab, struct kmem_cache *s,
+ gfp_t gfp, bool new_slab)
+ {
+@@ -2034,6 +2039,10 @@ static inline bool need_slab_obj_ext(voi
+
+ #else /* CONFIG_SLAB_OBJ_EXT */
+
++static inline void init_slab_obj_exts(struct slab *slab)
++{
++}
++
+ static int alloc_slab_obj_exts(struct slab *slab, struct kmem_cache *s,
+ gfp_t gfp, bool new_slab)
+ {
+@@ -2601,6 +2610,7 @@ static struct slab *allocate_slab(struct
+ slab->objects = oo_objects(oo);
+ slab->inuse = 0;
+ slab->frozen = 0;
++ init_slab_obj_exts(slab);
+
+ account_slab(slab, oo_order(oo), s, flags);
+
--- /dev/null
+From 262b73ef442e68e53220b9d6fc5a0d08b557fa42 Mon Sep 17 00:00:00 2001
+From: Chunjie Zhu <chunjie.zhu@cloud.com>
+Date: Sat, 12 Apr 2025 21:15:55 -0500
+Subject: smb3 client: fix open hardlink on deferred close file error
+
+From: Chunjie Zhu <chunjie.zhu@cloud.com>
+
+commit 262b73ef442e68e53220b9d6fc5a0d08b557fa42 upstream.
+
+The following Python script results in unexpected behaviour when run on
+a CIFS filesystem against a Windows Server:
+
+ # Create file
+ fd = os.open('test', os.O_WRONLY|os.O_CREAT)
+ os.write(fd, b'foo')
+ os.close(fd)
+
+ # Open and close the file to leave a pending deferred close
+ fd = os.open('test', os.O_RDONLY|os.O_DIRECT)
+ os.close(fd)
+
+ # Try to open the file via a hard link
+ os.link('test', 'new')
+ newfd = os.open('new', os.O_RDONLY|os.O_DIRECT)
+
+The final open returns EINVAL due to the server returning
+STATUS_INVALID_PARAMETER. The root cause of this is that the client
+caches lease keys per inode, but the spec requires them to be related to
+the filename which causes problems when hard links are involved:
+
+From MS-SMB2 section 3.3.5.9.11:
+
+"The server MUST attempt to locate a Lease by performing a lookup in the
+LeaseTable.LeaseList using the LeaseKey in the
+SMB2_CREATE_REQUEST_LEASE_V2 as the lookup key. If a lease is found,
+Lease.FileDeleteOnClose is FALSE, and Lease.Filename does not match the
+file name for the incoming request, the request MUST be failed with
+STATUS_INVALID_PARAMETER"
+
+On client side, we first check the context of file open, if it hits above
+conditions, we first close all opening files which are belong to the same
+inode, then we do open the hard link file.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Chunjie Zhu <chunjie.zhu@cloud.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/cifsproto.h | 2 ++
+ fs/smb/client/file.c | 28 ++++++++++++++++++++++++++++
+ 2 files changed, 30 insertions(+)
+
+--- a/fs/smb/client/cifsproto.h
++++ b/fs/smb/client/cifsproto.h
+@@ -160,6 +160,8 @@ extern int cifs_get_writable_path(struct
+ extern struct cifsFileInfo *find_readable_file(struct cifsInodeInfo *, bool);
+ extern int cifs_get_readable_path(struct cifs_tcon *tcon, const char *name,
+ struct cifsFileInfo **ret_file);
++extern int cifs_get_hardlink_path(struct cifs_tcon *tcon, struct inode *inode,
++ struct file *file);
+ extern unsigned int smbCalcSize(void *buf);
+ extern int decode_negTokenInit(unsigned char *security_blob, int length,
+ struct TCP_Server_Info *server);
+--- a/fs/smb/client/file.c
++++ b/fs/smb/client/file.c
+@@ -1007,6 +1007,11 @@ int cifs_open(struct inode *inode, struc
+ } else {
+ _cifsFileInfo_put(cfile, true, false);
+ }
++ } else {
++ /* hard link on the defeered close file */
++ rc = cifs_get_hardlink_path(tcon, inode, file);
++ if (rc)
++ cifs_close_deferred_file(CIFS_I(inode));
+ }
+
+ if (server->oplocks)
+@@ -2071,6 +2076,29 @@ cifs_move_llist(struct list_head *source
+ list_move(li, dest);
+ }
+
++int
++cifs_get_hardlink_path(struct cifs_tcon *tcon, struct inode *inode,
++ struct file *file)
++{
++ struct cifsFileInfo *open_file = NULL;
++ struct cifsInodeInfo *cinode = CIFS_I(inode);
++ int rc = 0;
++
++ spin_lock(&tcon->open_file_lock);
++ spin_lock(&cinode->open_file_lock);
++
++ list_for_each_entry(open_file, &cinode->openFileList, flist) {
++ if (file->f_flags == open_file->f_flags) {
++ rc = -EINVAL;
++ break;
++ }
++ }
++
++ spin_unlock(&cinode->open_file_lock);
++ spin_unlock(&tcon->open_file_lock);
++ return rc;
++}
++
+ void
+ cifs_free_llist(struct list_head *llist)
+ {
--- /dev/null
+From d94c12bd97d567de342fd32599e7cd9e50bfa140 Mon Sep 17 00:00:00 2001
+From: Peter Collingbourne <pcc@google.com>
+Date: Wed, 2 Apr 2025 17:06:59 -0700
+Subject: string: Add load_unaligned_zeropad() code path to sized_strscpy()
+
+From: Peter Collingbourne <pcc@google.com>
+
+commit d94c12bd97d567de342fd32599e7cd9e50bfa140 upstream.
+
+The call to read_word_at_a_time() in sized_strscpy() is problematic
+with MTE because it may trigger a tag check fault when reading
+across a tag granule (16 bytes) boundary. To make this code
+MTE compatible, let's start using load_unaligned_zeropad()
+on architectures where it is available (i.e. architectures that
+define CONFIG_DCACHE_WORD_ACCESS). Because load_unaligned_zeropad()
+takes care of page boundaries as well as tag granule boundaries,
+also disable the code preventing crossing page boundaries when using
+load_unaligned_zeropad().
+
+Signed-off-by: Peter Collingbourne <pcc@google.com>
+Link: https://linux-review.googlesource.com/id/If4b22e43b5a4ca49726b4bf98ada827fdf755548
+Fixes: 94ab5b61ee16 ("kasan, arm64: enable CONFIG_KASAN_HW_TAGS")
+Cc: stable@vger.kernel.org
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Link: https://lore.kernel.org/r/20250403000703.2584581-2-pcc@google.com
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/string.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/lib/string.c
++++ b/lib/string.c
+@@ -119,6 +119,7 @@ ssize_t sized_strscpy(char *dest, const
+ if (count == 0 || WARN_ON_ONCE(count > INT_MAX))
+ return -E2BIG;
+
++#ifndef CONFIG_DCACHE_WORD_ACCESS
+ #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
+ /*
+ * If src is unaligned, don't cross a page boundary,
+@@ -134,11 +135,13 @@ ssize_t sized_strscpy(char *dest, const
+ if (((long) dest | (long) src) & (sizeof(long) - 1))
+ max = 0;
+ #endif
++#endif
+
+ /*
+- * read_word_at_a_time() below may read uninitialized bytes after the
+- * trailing zero and use them in comparisons. Disable this optimization
+- * under KMSAN to prevent false positive reports.
++ * load_unaligned_zeropad() or read_word_at_a_time() below may read
++ * uninitialized bytes after the trailing zero and use them in
++ * comparisons. Disable this optimization under KMSAN to prevent
++ * false positive reports.
+ */
+ if (IS_ENABLED(CONFIG_KMSAN))
+ max = 0;
+@@ -146,7 +149,11 @@ ssize_t sized_strscpy(char *dest, const
+ while (max >= sizeof(unsigned long)) {
+ unsigned long c, data;
+
++#ifdef CONFIG_DCACHE_WORD_ACCESS
++ c = load_unaligned_zeropad(src+res);
++#else
+ c = read_word_at_a_time(src+res);
++#endif
+ if (has_zero(c, &data, &constants)) {
+ data = prep_zero_mask(c, data, &constants);
+ data = create_zero_mask(data);
--- /dev/null
+From a8c5b0ed89a3f2c81c6ae0b041394e6eea0e7024 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Thu, 17 Apr 2025 18:30:03 -0400
+Subject: tracing: Fix filter string testing
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+commit a8c5b0ed89a3f2c81c6ae0b041394e6eea0e7024 upstream.
+
+The filter string testing uses strncpy_from_kernel/user_nofault() to
+retrieve the string to test the filter against. The if() statement was
+incorrect as it considered 0 as a fault, when it is only negative that it
+faulted.
+
+Running the following commands:
+
+ # cd /sys/kernel/tracing
+ # echo "filename.ustring ~ \"/proc*\"" > events/syscalls/sys_enter_openat/filter
+ # echo 1 > events/syscalls/sys_enter_openat/enable
+ # ls /proc/$$/maps
+ # cat trace
+
+Would produce nothing, but with the fix it will produce something like:
+
+ ls-1192 [007] ..... 8169.828333: sys_openat(dfd: ffffffffffffff9c, filename: 7efc18359904, flags: 80000, mode: 0)
+
+Link: https://lore.kernel.org/all/CAEf4BzbVPQ=BjWztmEwBPRKHUwNfKBkS3kce-Rzka6zvbQeVpg@mail.gmail.com/
+
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Link: https://lore.kernel.org/20250417183003.505835fb@gandalf.local.home
+Fixes: 77360f9bbc7e5 ("tracing: Add test for user space strings when filtering on string pointers")
+Reported-by: Andrii Nakryiko <andrii.nakryiko@gmail.com>
+Reported-by: Mykyta Yatsenko <mykyta.yatsenko5@gmail.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_events_filter.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/trace_events_filter.c
++++ b/kernel/trace/trace_events_filter.c
+@@ -808,7 +808,7 @@ static __always_inline char *test_string
+ kstr = ubuf->buffer;
+
+ /* For safety, do not trust the string pointer */
+- if (!strncpy_from_kernel_nofault(kstr, str, USTRING_BUF_SIZE))
++ if (strncpy_from_kernel_nofault(kstr, str, USTRING_BUF_SIZE) < 0)
+ return NULL;
+ return kstr;
+ }
+@@ -827,7 +827,7 @@ static __always_inline char *test_ustrin
+
+ /* user space address? */
+ ustr = (char __user *)str;
+- if (!strncpy_from_user_nofault(kstr, ustr, USTRING_BUF_SIZE))
++ if (strncpy_from_user_nofault(kstr, ustr, USTRING_BUF_SIZE) < 0)
+ return NULL;
+
+ return kstr;
--- /dev/null
+From a94fd938df2b1628da66b498aa0eeb89593bc7a2 Mon Sep 17 00:00:00 2001
+From: Xiangsheng Hou <xiangsheng.hou@mediatek.com>
+Date: Mon, 7 Apr 2025 19:50:49 +0800
+Subject: virtiofs: add filesystem context source name check
+
+From: Xiangsheng Hou <xiangsheng.hou@mediatek.com>
+
+commit a94fd938df2b1628da66b498aa0eeb89593bc7a2 upstream.
+
+In certain scenarios, for example, during fuzz testing, the source
+name may be NULL, which could lead to a kernel panic. Therefore, an
+extra check for the source name should be added.
+
+Fixes: a62a8ef9d97d ("virtio-fs: add virtiofs filesystem")
+Cc: <stable@vger.kernel.org> # all LTS kernels
+Signed-off-by: Xiangsheng Hou <xiangsheng.hou@mediatek.com>
+Link: https://lore.kernel.org/20250407115111.25535-1-xiangsheng.hou@mediatek.com
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fuse/virtio_fs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/fuse/virtio_fs.c
++++ b/fs/fuse/virtio_fs.c
+@@ -1670,6 +1670,9 @@ static int virtio_fs_get_tree(struct fs_
+ unsigned int virtqueue_size;
+ int err = -EIO;
+
++ if (!fsc->source)
++ return invalf(fsc, "No source specified");
++
+ /* This gets a reference on virtio_fs object. This ptr gets installed
+ * in fc->iq->priv. Once fuse_conn is going away, it calls ->put()
+ * to drop the reference to this object.
--- /dev/null
+From d54d610243a4508183978871e5faff5502786cd4 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ardb@kernel.org>
+Date: Thu, 17 Apr 2025 22:21:21 +0200
+Subject: x86/boot/sev: Avoid shared GHCB page for early memory acceptance
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+commit d54d610243a4508183978871e5faff5502786cd4 upstream.
+
+Communicating with the hypervisor using the shared GHCB page requires
+clearing the C bit in the mapping of that page. When executing in the
+context of the EFI boot services, the page tables are owned by the
+firmware, and this manipulation is not possible.
+
+So switch to a different API for accepting memory in SEV-SNP guests, one
+which is actually supported at the point during boot where the EFI stub
+may need to accept memory, but the SEV-SNP init code has not executed
+yet.
+
+For simplicity, also switch the memory acceptance carried out by the
+decompressor when not booting via EFI - this only involves the
+allocation for the decompressed kernel, and is generally only called
+after kexec, as normal boot will jump straight into the kernel from the
+EFI stub.
+
+Fixes: 6c3211796326 ("x86/sev: Add SNP-specific unaccepted memory support")
+Tested-by: Tom Lendacky <thomas.lendacky@amd.com>
+Co-developed-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: <stable@vger.kernel.org>
+Cc: Dionna Amalie Glaze <dionnaglaze@google.com>
+Cc: Kevin Loughlin <kevinloughlin@google.com>
+Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: linux-efi@vger.kernel.org
+Link: https://lore.kernel.org/r/20250404082921.2767593-8-ardb+git@google.com # discussion thread #1
+Link: https://lore.kernel.org/r/20250410132850.3708703-2-ardb+git@google.com # discussion thread #2
+Link: https://lore.kernel.org/r/20250417202120.1002102-2-ardb+git@google.com # final submission
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/boot/compressed/mem.c | 5 ++-
+ arch/x86/boot/compressed/sev.c | 67 +++++++++--------------------------------
+ arch/x86/boot/compressed/sev.h | 2 +
+ 3 files changed, 21 insertions(+), 53 deletions(-)
+
+--- a/arch/x86/boot/compressed/mem.c
++++ b/arch/x86/boot/compressed/mem.c
+@@ -34,11 +34,14 @@ static bool early_is_tdx_guest(void)
+
+ void arch_accept_memory(phys_addr_t start, phys_addr_t end)
+ {
++ static bool sevsnp;
++
+ /* Platform-specific memory-acceptance call goes here */
+ if (early_is_tdx_guest()) {
+ if (!tdx_accept_memory(start, end))
+ panic("TDX: Failed to accept memory\n");
+- } else if (sev_snp_enabled()) {
++ } else if (sevsnp || (sev_get_status() & MSR_AMD64_SEV_SNP_ENABLED)) {
++ sevsnp = true;
+ snp_accept_memory(start, end);
+ } else {
+ error("Cannot accept memory: unknown platform\n");
+--- a/arch/x86/boot/compressed/sev.c
++++ b/arch/x86/boot/compressed/sev.c
+@@ -164,10 +164,7 @@ bool sev_snp_enabled(void)
+
+ static void __page_state_change(unsigned long paddr, enum psc_op op)
+ {
+- u64 val;
+-
+- if (!sev_snp_enabled())
+- return;
++ u64 val, msr;
+
+ /*
+ * If private -> shared then invalidate the page before requesting the
+@@ -176,6 +173,9 @@ static void __page_state_change(unsigned
+ if (op == SNP_PAGE_STATE_SHARED)
+ pvalidate_4k_page(paddr, paddr, false);
+
++ /* Save the current GHCB MSR value */
++ msr = sev_es_rd_ghcb_msr();
++
+ /* Issue VMGEXIT to change the page state in RMP table. */
+ sev_es_wr_ghcb_msr(GHCB_MSR_PSC_REQ_GFN(paddr >> PAGE_SHIFT, op));
+ VMGEXIT();
+@@ -185,6 +185,9 @@ static void __page_state_change(unsigned
+ if ((GHCB_RESP_CODE(val) != GHCB_MSR_PSC_RESP) || GHCB_MSR_PSC_RESP_VAL(val))
+ sev_es_terminate(SEV_TERM_SET_LINUX, GHCB_TERM_PSC);
+
++ /* Restore the GHCB MSR value */
++ sev_es_wr_ghcb_msr(msr);
++
+ /*
+ * Now that page state is changed in the RMP table, validate it so that it is
+ * consistent with the RMP entry.
+@@ -195,11 +198,17 @@ static void __page_state_change(unsigned
+
+ void snp_set_page_private(unsigned long paddr)
+ {
++ if (!sev_snp_enabled())
++ return;
++
+ __page_state_change(paddr, SNP_PAGE_STATE_PRIVATE);
+ }
+
+ void snp_set_page_shared(unsigned long paddr)
+ {
++ if (!sev_snp_enabled())
++ return;
++
+ __page_state_change(paddr, SNP_PAGE_STATE_SHARED);
+ }
+
+@@ -223,56 +232,10 @@ static bool early_setup_ghcb(void)
+ return true;
+ }
+
+-static phys_addr_t __snp_accept_memory(struct snp_psc_desc *desc,
+- phys_addr_t pa, phys_addr_t pa_end)
+-{
+- struct psc_hdr *hdr;
+- struct psc_entry *e;
+- unsigned int i;
+-
+- hdr = &desc->hdr;
+- memset(hdr, 0, sizeof(*hdr));
+-
+- e = desc->entries;
+-
+- i = 0;
+- while (pa < pa_end && i < VMGEXIT_PSC_MAX_ENTRY) {
+- hdr->end_entry = i;
+-
+- e->gfn = pa >> PAGE_SHIFT;
+- e->operation = SNP_PAGE_STATE_PRIVATE;
+- if (IS_ALIGNED(pa, PMD_SIZE) && (pa_end - pa) >= PMD_SIZE) {
+- e->pagesize = RMP_PG_SIZE_2M;
+- pa += PMD_SIZE;
+- } else {
+- e->pagesize = RMP_PG_SIZE_4K;
+- pa += PAGE_SIZE;
+- }
+-
+- e++;
+- i++;
+- }
+-
+- if (vmgexit_psc(boot_ghcb, desc))
+- sev_es_terminate(SEV_TERM_SET_LINUX, GHCB_TERM_PSC);
+-
+- pvalidate_pages(desc);
+-
+- return pa;
+-}
+-
+ void snp_accept_memory(phys_addr_t start, phys_addr_t end)
+ {
+- struct snp_psc_desc desc = {};
+- unsigned int i;
+- phys_addr_t pa;
+-
+- if (!boot_ghcb && !early_setup_ghcb())
+- sev_es_terminate(SEV_TERM_SET_LINUX, GHCB_TERM_PSC);
+-
+- pa = start;
+- while (pa < end)
+- pa = __snp_accept_memory(&desc, pa, end);
++ for (phys_addr_t pa = start; pa < end; pa += PAGE_SIZE)
++ __page_state_change(pa, SNP_PAGE_STATE_PRIVATE);
+ }
+
+ void sev_es_shutdown_ghcb(void)
+--- a/arch/x86/boot/compressed/sev.h
++++ b/arch/x86/boot/compressed/sev.h
+@@ -12,11 +12,13 @@
+
+ bool sev_snp_enabled(void);
+ void snp_accept_memory(phys_addr_t start, phys_addr_t end);
++u64 sev_get_status(void);
+
+ #else
+
+ static inline bool sev_snp_enabled(void) { return false; }
+ static inline void snp_accept_memory(phys_addr_t start, phys_addr_t end) { }
++static inline u64 sev_get_status(void) { return 0; }
+
+ #endif
+
--- /dev/null
+From 263e55949d8902a6a09bdb92a1ab6a3f67231abe Mon Sep 17 00:00:00 2001
+From: Sandipan Das <sandipan.das@amd.com>
+Date: Fri, 18 Apr 2025 11:49:40 +0530
+Subject: x86/cpu/amd: Fix workaround for erratum 1054
+
+From: Sandipan Das <sandipan.das@amd.com>
+
+commit 263e55949d8902a6a09bdb92a1ab6a3f67231abe upstream.
+
+Erratum 1054 affects AMD Zen processors that are a part of Family 17h
+Models 00-2Fh and the workaround is to not set HWCR[IRPerfEn]. However,
+when X86_FEATURE_ZEN1 was introduced, the condition to detect unaffected
+processors was incorrectly changed in a way that the IRPerfEn bit gets
+set only for unaffected Zen 1 processors.
+
+Ensure that HWCR[IRPerfEn] is set for all unaffected processors. This
+includes a subset of Zen 1 (Family 17h Models 30h and above) and all
+later processors. Also clear X86_FEATURE_IRPERF on affected processors
+so that the IRPerfCount register is not used by other entities like the
+MSR PMU driver.
+
+Fixes: 232afb557835 ("x86/CPU/AMD: Add X86_FEATURE_ZEN1")
+Signed-off-by: Sandipan Das <sandipan.das@amd.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Acked-by: Borislav Petkov <bp@alien8.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/caa057a9d6f8ad579e2f1abaa71efbd5bd4eaf6d.1744956467.git.sandipan.das@amd.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/amd.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -867,6 +867,16 @@ static void init_amd_zen1(struct cpuinfo
+
+ pr_notice_once("AMD Zen1 DIV0 bug detected. Disable SMT for full protection.\n");
+ setup_force_cpu_bug(X86_BUG_DIV0);
++
++ /*
++ * Turn off the Instructions Retired free counter on machines that are
++ * susceptible to erratum #1054 "Instructions Retired Performance
++ * Counter May Be Inaccurate".
++ */
++ if (c->x86_model < 0x30) {
++ msr_clear_bit(MSR_K7_HWCR, MSR_K7_HWCR_IRPERF_EN_BIT);
++ clear_cpu_cap(c, X86_FEATURE_IRPERF);
++ }
+ }
+
+ static bool cpu_has_zenbleed_microcode(void)
+@@ -1050,13 +1060,8 @@ static void init_amd(struct cpuinfo_x86
+ if (!cpu_feature_enabled(X86_FEATURE_XENPV))
+ set_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS);
+
+- /*
+- * Turn on the Instructions Retired free counter on machines not
+- * susceptible to erratum #1054 "Instructions Retired Performance
+- * Counter May Be Inaccurate".
+- */
+- if (cpu_has(c, X86_FEATURE_IRPERF) &&
+- (boot_cpu_has(X86_FEATURE_ZEN1) && c->x86_model > 0x2f))
++ /* Enable the Instructions Retired free counter */
++ if (cpu_has(c, X86_FEATURE_IRPERF))
+ msr_set_bit(MSR_K7_HWCR, MSR_K7_HWCR_IRPERF_EN_BIT);
+
+ check_null_seg_clears_base(c);
--- /dev/null
+From 805b743fc163f1abef7ce1bea8eca8dfab5b685b Mon Sep 17 00:00:00 2001
+From: "Borislav Petkov (AMD)" <bp@alien8.de>
+Date: Thu, 10 Apr 2025 13:42:22 +0200
+Subject: x86/microcode/AMD: Extend the SHA check to Zen5, block loading of any unreleased standalone Zen5 microcode patches
+
+From: Borislav Petkov (AMD) <bp@alien8.de>
+
+commit 805b743fc163f1abef7ce1bea8eca8dfab5b685b upstream.
+
+All Zen5 machines out there should get BIOS updates which update to the
+correct microcode patches addressing the microcode signature issue.
+However, silly people carve out random microcode blobs from BIOS
+packages and think are doing other people a service this way...
+
+Block loading of any unreleased standalone Zen5 microcode patches.
+
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: <stable@kernel.org>
+Cc: Andrew Cooper <andrew.cooper3@citrix.com>
+Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
+Cc: Nikolay Borisov <nik.borisov@suse.com>
+Cc: Tom Lendacky <thomas.lendacky@amd.com>
+Link: https://lore.kernel.org/r/20250410114222.32523-1-bp@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/microcode/amd.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/cpu/microcode/amd.c
++++ b/arch/x86/kernel/cpu/microcode/amd.c
+@@ -199,6 +199,12 @@ static bool need_sha_check(u32 cur_rev)
+ case 0xa70c0: return cur_rev <= 0xa70C009; break;
+ case 0xaa001: return cur_rev <= 0xaa00116; break;
+ case 0xaa002: return cur_rev <= 0xaa00218; break;
++ case 0xb0021: return cur_rev <= 0xb002146; break;
++ case 0xb1010: return cur_rev <= 0xb101046; break;
++ case 0xb2040: return cur_rev <= 0xb204031; break;
++ case 0xb4040: return cur_rev <= 0xb404031; break;
++ case 0xb6000: return cur_rev <= 0xb600031; break;
++ case 0xb7000: return cur_rev <= 0xb700031; break;
+ default: break;
+ }
+
+@@ -214,8 +220,7 @@ static bool verify_sha256_digest(u32 pat
+ struct sha256_state s;
+ int i;
+
+- if (x86_family(bsp_cpuid_1_eax) < 0x17 ||
+- x86_family(bsp_cpuid_1_eax) > 0x19)
++ if (x86_family(bsp_cpuid_1_eax) < 0x17)
+ return true;
+
+ if (!need_sha_check(cur_rev))
projects / thirdparty / kernel / stable-queue.git / commitdiff
