5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 17 Jun 2023 08:32:24 +0000 (10:32 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 17 Jun 2023 08:32:24 +0000 (10:32 +0200)
added patches:
alsa-hda-realtek-add-a-quirk-for-compaq-n14jp6.patch
alsa-usb-audio-add-quirk-flag-for-hem-devices-to-enable-native-dsd-playback.patch
dm-thin-metadata-check-fail_io-before-using-data_sm.patch
drm-amd-display-edp-do-not-add-non-edid-timings.patch
drm-amdgpu-add-missing-radeon-secondary-pci-id.patch
epoll-ep_autoremove_wake_function-should-use-list_del_init_careful.patch
io_uring-hold-uring-mutex-around-poll-removal.patch
kexec-support-purgatories-with-.text.hot-sections.patch
net-usb-qmi_wwan-add-support-for-compal-rxm-g1.patch
nilfs2-fix-incomplete-buffer-cleanup-in-nilfs_btnode_abort_change_key.patch
nilfs2-fix-possible-out-of-bounds-segment-allocation-in-resize-ioctl.patch
nios2-dts-fix-tse_mac-max-frame-size-property.patch
nouveau-fix-client-work-fence-deletion-race.patch
ocfs2-check-new-file-size-on-fallocate-call.patch
ocfs2-fix-use-after-free-when-unmounting-read-only-filesystem.patch
powerpc-purgatory-remove-pgo-flags.patch
rdma-uverbs-restrict-usage-of-privileged-qkeys.patch
wifi-cfg80211-fix-double-lock-bug-in-reg_wdev_chan_valid.patch
wifi-cfg80211-fix-locking-in-regulatory-disconnect.patch
x86-purgatory-remove-pgo-flags.patch

21 files changed:
queue-5.15/alsa-hda-realtek-add-a-quirk-for-compaq-n14jp6.patch [new file with mode: 0644]
queue-5.15/alsa-usb-audio-add-quirk-flag-for-hem-devices-to-enable-native-dsd-playback.patch [new file with mode: 0644]
queue-5.15/dm-thin-metadata-check-fail_io-before-using-data_sm.patch [new file with mode: 0644]
queue-5.15/drm-amd-display-edp-do-not-add-non-edid-timings.patch [new file with mode: 0644]
queue-5.15/drm-amdgpu-add-missing-radeon-secondary-pci-id.patch [new file with mode: 0644]
queue-5.15/epoll-ep_autoremove_wake_function-should-use-list_del_init_careful.patch [new file with mode: 0644]
queue-5.15/io_uring-hold-uring-mutex-around-poll-removal.patch [new file with mode: 0644]
queue-5.15/kexec-support-purgatories-with-.text.hot-sections.patch [new file with mode: 0644]
queue-5.15/net-usb-qmi_wwan-add-support-for-compal-rxm-g1.patch [new file with mode: 0644]
queue-5.15/nilfs2-fix-incomplete-buffer-cleanup-in-nilfs_btnode_abort_change_key.patch [new file with mode: 0644]
queue-5.15/nilfs2-fix-possible-out-of-bounds-segment-allocation-in-resize-ioctl.patch [new file with mode: 0644]
queue-5.15/nios2-dts-fix-tse_mac-max-frame-size-property.patch [new file with mode: 0644]
queue-5.15/nouveau-fix-client-work-fence-deletion-race.patch [new file with mode: 0644]
queue-5.15/ocfs2-check-new-file-size-on-fallocate-call.patch [new file with mode: 0644]
queue-5.15/ocfs2-fix-use-after-free-when-unmounting-read-only-filesystem.patch [new file with mode: 0644]
queue-5.15/powerpc-purgatory-remove-pgo-flags.patch [new file with mode: 0644]
queue-5.15/rdma-uverbs-restrict-usage-of-privileged-qkeys.patch [new file with mode: 0644]
queue-5.15/series
queue-5.15/wifi-cfg80211-fix-double-lock-bug-in-reg_wdev_chan_valid.patch [new file with mode: 0644]
queue-5.15/wifi-cfg80211-fix-locking-in-regulatory-disconnect.patch [new file with mode: 0644]
queue-5.15/x86-purgatory-remove-pgo-flags.patch [new file with mode: 0644]

diff --git a/queue-5.15/alsa-hda-realtek-add-a-quirk-for-compaq-n14jp6.patch b/queue-5.15/alsa-hda-realtek-add-a-quirk-for-compaq-n14jp6.patch
new file mode 100644 (file)
index 0000000..82ce8fc
--- /dev/null
@@ -0,0 +1,30 @@
+From a2a871483161014f1bcc4e9a04354b01aa77cedb Mon Sep 17 00:00:00 2001
+From: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
+Date: Fri, 9 Jun 2023 17:10:58 -0300
+Subject: ALSA: hda/realtek: Add a quirk for Compaq N14JP6
+
+From: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
+
+commit a2a871483161014f1bcc4e9a04354b01aa77cedb upstream.
+
+Add a quirk for Compaq N14JP6 to fixup ALC897 headset MIC no sound.
+
+Signed-off-by: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230609201058.523499-1-edson.drosdeck@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -11287,6 +11287,7 @@ static const struct snd_pci_quirk alc662
+       SND_PCI_QUIRK(0x1b0a, 0x01b8, "ACER Veriton", ALC662_FIXUP_ACER_VERITON),
+       SND_PCI_QUIRK(0x1b35, 0x1234, "CZC ET26", ALC662_FIXUP_CZC_ET26),
+       SND_PCI_QUIRK(0x1b35, 0x2206, "CZC P10T", ALC662_FIXUP_CZC_P10T),
++      SND_PCI_QUIRK(0x1c6c, 0x1239, "Compaq N14JP6-V2", ALC897_FIXUP_HP_HSMIC_VERB),
+ #if 0
+       /* Below is a quirk table taken from the old code.
diff --git a/queue-5.15/alsa-usb-audio-add-quirk-flag-for-hem-devices-to-enable-native-dsd-playback.patch b/queue-5.15/alsa-usb-audio-add-quirk-flag-for-hem-devices-to-enable-native-dsd-playback.patch
new file mode 100644 (file)
index 0000000..7dfd233
--- /dev/null
@@ -0,0 +1,39 @@
+From 122e2cb7e1a30438cc0e8bf70d4279db245d7d5b Mon Sep 17 00:00:00 2001
+From: Lukasz Tyl <ltyl@hem-e.com>
+Date: Wed, 14 Jun 2023 14:25:24 +0200
+Subject: ALSA: usb-audio: Add quirk flag for HEM devices to enable native DSD playback
+
+From: Lukasz Tyl <ltyl@hem-e.com>
+
+commit 122e2cb7e1a30438cc0e8bf70d4279db245d7d5b upstream.
+
+This commit adds new DEVICE_FLG with QUIRK_FLAG_DSD_RAW and Vendor Id for
+HEM devices which supports native DSD. Prior to this change Linux kernel
+was not enabling native DSD playback for HEM devices, and as a result,
+DSD audio was being converted to PCM "on the fly". HEM devices,
+when connected to the system, would only play audio in PCM format,
+even if the source material was in DSD format. With the addition of new
+VENDOR_FLG in the quircks.c file, the devices are now correctly
+recognized, and raw DSD data is transmitted to the device,
+allowing for native DSD playback.
+
+Signed-off-by: Lukasz Tyl <ltyl@hem-e.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230614122524.30271-1-ltyl@hem-e.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/quirks.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1921,6 +1921,8 @@ static const struct usb_audio_quirk_flag
+                  QUIRK_FLAG_DSD_RAW),
+       VENDOR_FLG(0x2ab6, /* T+A devices */
+                  QUIRK_FLAG_DSD_RAW),
++      VENDOR_FLG(0x3336, /* HEM devices */
++                 QUIRK_FLAG_DSD_RAW),
+       VENDOR_FLG(0x3353, /* Khadas devices */
+                  QUIRK_FLAG_DSD_RAW),
+       VENDOR_FLG(0x3842, /* EVGA */
diff --git a/queue-5.15/dm-thin-metadata-check-fail_io-before-using-data_sm.patch b/queue-5.15/dm-thin-metadata-check-fail_io-before-using-data_sm.patch
new file mode 100644 (file)
index 0000000..b5e9098
--- /dev/null
@@ -0,0 +1,101 @@
+From cb65b282c9640c27d3129e2e04b711ce1b352838 Mon Sep 17 00:00:00 2001
+From: Li Lingfeng <lilingfeng3@huawei.com>
+Date: Tue, 6 Jun 2023 20:20:24 +0800
+Subject: dm thin metadata: check fail_io before using data_sm
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Li Lingfeng <lilingfeng3@huawei.com>
+
+commit cb65b282c9640c27d3129e2e04b711ce1b352838 upstream.
+
+Must check pmd->fail_io before using pmd->data_sm since
+pmd->data_sm may be destroyed by other processes.
+
+       P1(kworker)                             P2(message)
+do_worker
+ process_prepared
+  process_prepared_discard_passdown_pt2
+   dm_pool_dec_data_range
+                                    pool_message
+                                     commit
+                                      dm_pool_commit_metadata
+                                        ↓
+                                       // commit failed
+                                      metadata_operation_failed
+                                       abort_transaction
+                                        dm_pool_abort_metadata
+                                         __open_or_format_metadata
+                                           ↓
+                                          dm_sm_disk_open
+                                            ↓
+                                           // open failed
+                                           // pmd->data_sm is NULL
+    dm_sm_dec_blocks
+      ↓
+     // try to access pmd->data_sm --> UAF
+
+As shown above, if dm_pool_commit_metadata() and
+dm_pool_abort_metadata() fail in pool_message process, kworker may
+trigger UAF.
+
+Fixes: be500ed721a6 ("dm space maps: improve performance with inc/dec on ranges of blocks")
+Cc: stable@vger.kernel.org
+Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-thin-metadata.c |   20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/drivers/md/dm-thin-metadata.c
++++ b/drivers/md/dm-thin-metadata.c
+@@ -1778,13 +1778,15 @@ int dm_thin_remove_range(struct dm_thin_
+ int dm_pool_block_is_shared(struct dm_pool_metadata *pmd, dm_block_t b, bool *result)
+ {
+-      int r;
++      int r = -EINVAL;
+       uint32_t ref_count;
+       down_read(&pmd->root_lock);
+-      r = dm_sm_get_count(pmd->data_sm, b, &ref_count);
+-      if (!r)
+-              *result = (ref_count > 1);
++      if (!pmd->fail_io) {
++              r = dm_sm_get_count(pmd->data_sm, b, &ref_count);
++              if (!r)
++                      *result = (ref_count > 1);
++      }
+       up_read(&pmd->root_lock);
+       return r;
+@@ -1792,10 +1794,11 @@ int dm_pool_block_is_shared(struct dm_po
+ int dm_pool_inc_data_range(struct dm_pool_metadata *pmd, dm_block_t b, dm_block_t e)
+ {
+-      int r = 0;
++      int r = -EINVAL;
+       pmd_write_lock(pmd);
+-      r = dm_sm_inc_blocks(pmd->data_sm, b, e);
++      if (!pmd->fail_io)
++              r = dm_sm_inc_blocks(pmd->data_sm, b, e);
+       pmd_write_unlock(pmd);
+       return r;
+@@ -1803,10 +1806,11 @@ int dm_pool_inc_data_range(struct dm_poo
+ int dm_pool_dec_data_range(struct dm_pool_metadata *pmd, dm_block_t b, dm_block_t e)
+ {
+-      int r = 0;
++      int r = -EINVAL;
+       pmd_write_lock(pmd);
+-      r = dm_sm_dec_blocks(pmd->data_sm, b, e);
++      if (!pmd->fail_io)
++              r = dm_sm_dec_blocks(pmd->data_sm, b, e);
+       pmd_write_unlock(pmd);
+       return r;
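Review bot: The three new `if (!pmd->fail_io)` guards in dm_pool_block_is_shared, dm_pool_inc_data_range and dm_pool_dec_data_range are only safe because they are evaluated inside the locked region (down_read of root_lock in the first, pmd_write_lock in the other two, presumably the write side of the same lock), which is what keeps the check from racing the abort path described in the changelog, yet nothing in the code says so. A one-line comment above the first guard would stop someone hoisting it out of the locked region later, e.g. `/* data_sm may have been torn down by a failed abort; only trust it while !fail_io and root_lock is held */`. In dm_pool_block_is_shared, `*result` is now also left untouched on the -EINVAL path, so callers must not consume it without checking the return, which matches the pre-existing behaviour when dm_sm_get_count fails. The closing braces of all three functions lie outside the hunks.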
diff --git a/queue-5.15/drm-amd-display-edp-do-not-add-non-edid-timings.patch b/queue-5.15/drm-amd-display-edp-do-not-add-non-edid-timings.patch
new file mode 100644 (file)
index 0000000..2b4058e
--- /dev/null
@@ -0,0 +1,45 @@
+From e749dd10e5f292061ad63d2b030194bf7d7d452c Mon Sep 17 00:00:00 2001
+From: Hersen Wu <hersenxs.wu@amd.com>
+Date: Thu, 25 May 2023 08:37:40 -0400
+Subject: drm/amd/display: edp do not add non-edid timings
+
+From: Hersen Wu <hersenxs.wu@amd.com>
+
+commit e749dd10e5f292061ad63d2b030194bf7d7d452c upstream.
+
+[Why] most edp support only timings from edid. applying
+non-edid timings, especially those timings out of edp
+bandwidth, may damage edp.
+
+[How] do not add non-edid timings for edp.
+
+Cc: Mario Limonciello <mario.limonciello@amd.com>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Acked-by: Stylon Wang <stylon.wang@amd.com>
+Signed-off-by: Hersen Wu <hersenxs.wu@amd.com>
+Reviewed-by: Roman Li <roman.li@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -8177,7 +8177,13 @@ static int amdgpu_dm_connector_get_modes
+                               drm_add_modes_noedid(connector, 640, 480);
+       } else {
+               amdgpu_dm_connector_ddc_get_modes(connector, edid);
+-              amdgpu_dm_connector_add_common_modes(encoder, connector);
++              /* most eDP supports only timings from its edid,
++               * usually only detailed timings are available
++               * from eDP edid. timings which are not from edid
++               * may damage eDP
++               */
++              if (connector->connector_type != DRM_MODE_CONNECTOR_eDP)
++                      amdgpu_dm_connector_add_common_modes(encoder, connector);
+               amdgpu_dm_connector_add_freesync_modes(connector, edid);
+       }
+       amdgpu_dm_fbc_init(connector);
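Review bot: The new guard `if (connector->connector_type != DRM_MODE_CONNECTOR_eDP)` only protects the EDID-present branch; the `drm_add_modes_noedid(connector, 640, 480)` call at the top of the hunk sits in the other branch, which from the `else` looks like the no-EDID case, so eDP connectors without an EDID would still receive non-EDID timings. If that is intended, a short comment there saying why 640x480 is considered safe for eDP would help; otherwise it needs the same check. The added comment also departs from the usual kernel multi-line comment layout, where the opening `/*` is on its own line followed by ` * most eDP supports only timings from its EDID, ...`. amdgpu_dm_connector_get_modes starts outside the hunk.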
diff --git a/queue-5.15/drm-amdgpu-add-missing-radeon-secondary-pci-id.patch b/queue-5.15/drm-amdgpu-add-missing-radeon-secondary-pci-id.patch
new file mode 100644 (file)
index 0000000..b1cba2b
--- /dev/null
@@ -0,0 +1,35 @@
+From e61f67749b351c19455ce3085af2ae9af80023bc Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Tue, 6 Jun 2023 11:14:04 -0400
+Subject: drm/amdgpu: add missing radeon secondary PCI ID
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit e61f67749b351c19455ce3085af2ae9af80023bc upstream.
+
+0x5b70 is a missing RV370 secondary id.  Add it so
+we don't try and probe it with amdgpu.
+
+Cc: michel@daenzer.net
+Reviewed-by: Michel Dänzer <mdaenzer@redhat.com>
+Tested-by: Michel Dänzer <mdaenzer@redhat.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+@@ -1557,6 +1557,7 @@ static const u16 amdgpu_unsupported_pcii
+       0x5874,
+       0x5940,
+       0x5941,
++      0x5b70,
+       0x5b72,
+       0x5b73,
+       0x5b74,
diff --git a/queue-5.15/epoll-ep_autoremove_wake_function-should-use-list_del_init_careful.patch b/queue-5.15/epoll-ep_autoremove_wake_function-should-use-list_del_init_careful.patch
new file mode 100644 (file)
index 0000000..14fc56e
--- /dev/null
@@ -0,0 +1,42 @@
+From 2192bba03d80f829233bfa34506b428f71e531e7 Mon Sep 17 00:00:00 2001
+From: Benjamin Segall <bsegall@google.com>
+Date: Tue, 30 May 2023 11:32:28 -0700
+Subject: epoll: ep_autoremove_wake_function should use list_del_init_careful
+
+From: Benjamin Segall <bsegall@google.com>
+
+commit 2192bba03d80f829233bfa34506b428f71e531e7 upstream.
+
+autoremove_wake_function uses list_del_init_careful, so should epoll's
+more aggressive variant.  It only doesn't because it was copied from an
+older wait.c rather than the most recent.
+
+[bsegall@google.com: add comment]
+  Link: https://lkml.kernel.org/r/xm26bki0ulsr.fsf_-_@google.com
+Link: https://lkml.kernel.org/r/xm26pm6hvfer.fsf@google.com
+Fixes: a16ceb139610 ("epoll: autoremove wakers even more aggressively")
+Signed-off-by: Ben Segall <bsegall@google.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/eventpoll.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -1753,7 +1753,11 @@ static int ep_autoremove_wake_function(s
+ {
+       int ret = default_wake_function(wq_entry, mode, sync, key);
+-      list_del_init(&wq_entry->entry);
++      /*
++       * Pairs with list_empty_careful in ep_poll, and ensures future loop
++       * iterations see the cause of this wakeup.
++       */
++      list_del_init_careful(&wq_entry->entry);
+       return ret;
+ }
diff --git a/queue-5.15/io_uring-hold-uring-mutex-around-poll-removal.patch b/queue-5.15/io_uring-hold-uring-mutex-around-poll-removal.patch
new file mode 100644 (file)
index 0000000..68455ce
--- /dev/null
@@ -0,0 +1,42 @@
+From 3f1f052a5f8e2f9c568c4e0a34057b9049e948d9 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Fri, 16 Jun 2023 21:12:06 -0600
+Subject: io_uring: hold uring mutex around poll removal
+
+From: Jens Axboe <axboe@kernel.dk>
+
+Snipped from commit 9ca9fb24d5febccea354089c41f96a8ad0d853f8 upstream.
+
+While reworking the poll hashing in the v6.0 kernel, we ended up
+grabbing the ctx->uring_lock in poll update/removal. This also fixed
+a bug with linked timeouts racing with timeout expiry and poll
+removal.
+
+Bring back just the locking fix for that.
+
+Reported-and-tested-by: Querijn Voet <querijnqyn@gmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/io_uring.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -6111,6 +6111,8 @@ static int io_poll_update(struct io_kioc
+       struct io_kiocb *preq;
+       int ret2, ret = 0;
++      io_ring_submit_lock(ctx, !(issue_flags & IO_URING_F_NONBLOCK));
++
+       spin_lock(&ctx->completion_lock);
+       preq = io_poll_find(ctx, req->poll_update.old_user_data, true);
+       if (!preq || !io_poll_disarm(preq)) {
+@@ -6142,6 +6144,7 @@ out:
+               req_set_fail(req);
+       /* complete update request, we're done with it */
+       io_req_complete(req, ret);
++      io_ring_submit_unlock(ctx, !(issue_flags & IO_URING_F_NONBLOCK));
+       return 0;
+ }
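Review bot: The new `io_ring_submit_lock(ctx, !(issue_flags & IO_URING_F_NONBLOCK));` at the top of io_poll_update is balanced only by the `io_ring_submit_unlock` placed after the `out:` label in the second hunk, so the fix holds only if every exit between the two hunks reaches `out:`; that stretch of the body is outside the hunk and should be checked for a direct `return` or any path that bypasses the label. The lock is also skipped when IO_URING_F_NONBLOCK is set, which I read as the submission path already holding ctx->uring_lock; that invariant deserves a short comment, e.g. `/* uring_lock is already held by the submitter when NONBLOCK is set */`. io_poll_update starts outside the hunk.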
diff --git a/queue-5.15/kexec-support-purgatories-with-.text.hot-sections.patch b/queue-5.15/kexec-support-purgatories-with-.text.hot-sections.patch
new file mode 100644 (file)
index 0000000..31ba4d0
--- /dev/null
@@ -0,0 +1,102 @@
+From 8652d44f466ad5772e7d1756e9457046189b0dfc Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda <ribalda@chromium.org>
+Date: Fri, 19 May 2023 16:47:36 +0200
+Subject: kexec: support purgatories with .text.hot sections
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+commit 8652d44f466ad5772e7d1756e9457046189b0dfc upstream.
+
+Patch series "kexec: Fix kexec_file_load for llvm16 with PGO", v7.
+
+When upreving llvm I realised that kexec stopped working on my test
+platform.
+
+The reason seems to be that due to PGO there are multiple .text sections
+on the purgatory, and kexec does not supports that.
+
+
+This patch (of 4):
+
+Clang16 links the purgatory text in two sections when PGO is in use:
+
+  [ 1] .text             PROGBITS         0000000000000000  00000040
+       00000000000011a1  0000000000000000  AX       0     0     16
+  [ 2] .rela.text        RELA             0000000000000000  00003498
+       0000000000000648  0000000000000018   I      24     1     8
+  ...
+  [17] .text.hot.        PROGBITS         0000000000000000  00003220
+       000000000000020b  0000000000000000  AX       0     0     1
+  [18] .rela.text.hot.   RELA             0000000000000000  00004428
+       0000000000000078  0000000000000018   I      24    17     8
+
+And both of them have their range [sh_addr ... sh_addr+sh_size] on the
+area pointed by `e_entry`.
+
+This causes that image->start is calculated twice, once for .text and
+another time for .text.hot. The second calculation leaves image->start
+in a random location.
+
+Because of this, the system crashes immediately after:
+
+kexec_core: Starting new kernel
+
+Link: https://lkml.kernel.org/r/20230321-kexec_clang16-v7-0-b05c520b7296@chromium.org
+Link: https://lkml.kernel.org/r/20230321-kexec_clang16-v7-1-b05c520b7296@chromium.org
+Fixes: 930457057abe ("kernel/kexec_file.c: split up __kexec_load_puragory")
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Reviewed-by: Ross Zwisler <zwisler@google.com>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Reviewed-by: Philipp Rudo <prudo@redhat.com>
+Cc: Albert Ou <aou@eecs.berkeley.edu>
+Cc: Baoquan He <bhe@redhat.com>
+Cc: Borislav Petkov (AMD) <bp@alien8.de>
+Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Dave Young <dyoung@redhat.com>
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Nathan Chancellor <nathan@kernel.org>
+Cc: Nicholas Piggin <npiggin@gmail.com>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: Palmer Dabbelt <palmer@dabbelt.com>
+Cc: Palmer Dabbelt <palmer@rivosinc.com>
+Cc: Paul Walmsley <paul.walmsley@sifive.com>
+Cc: Simon Horman <horms@kernel.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tom Rix <trix@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/kexec_file.c |   14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/kernel/kexec_file.c
++++ b/kernel/kexec_file.c
+@@ -910,10 +910,22 @@ static int kexec_purgatory_setup_sechdrs
+               }
+               offset = ALIGN(offset, align);
++
++              /*
++               * Check if the segment contains the entry point, if so,
++               * calculate the value of image->start based on it.
++               * If the compiler has produced more than one .text section
++               * (Eg: .text.hot), they are generally after the main .text
++               * section, and they shall not be used to calculate
++               * image->start. So do not re-calculate image->start if it
++               * is not set to the initial value, and warn the user so they
++               * have a chance to fix their purgatory's linker script.
++               */
+               if (sechdrs[i].sh_flags & SHF_EXECINSTR &&
+                   pi->ehdr->e_entry >= sechdrs[i].sh_addr &&
+                   pi->ehdr->e_entry < (sechdrs[i].sh_addr
+-                                       + sechdrs[i].sh_size)) {
++                                       + sechdrs[i].sh_size) &&
++                  !WARN_ON(kbuf->image->start != pi->ehdr->e_entry)) {
+                       kbuf->image->start -= sechdrs[i].sh_addr;
+                       kbuf->image->start += kbuf->mem + offset;
+               }
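Review bot: The new `!WARN_ON(kbuf->image->start != pi->ehdr->e_entry)` term only works if image->start was seeded with e_entry before this loop, and that initialisation is outside the hunk; the long comment explains the intent but not this precondition, so a line such as `/* image->start still equals e_entry until the first matching section relocates it */` next to the comparison would make the dependency explicit. WARN_ON prints as a side effect, and evaluating it inside a compound condition is legal but easy to misread; moving it into its own `if (WARN_ON(...))` inside the section match, which skips the two adjustments, would read more clearly. With several extra executable sections covering e_entry the warning appears to fire once per extra section on each load, which seems to be the intent but is worth confirming. kexec_purgatory_setup_sechdrs starts and ends outside the hunk.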
diff --git a/queue-5.15/net-usb-qmi_wwan-add-support-for-compal-rxm-g1.patch b/queue-5.15/net-usb-qmi_wwan-add-support-for-compal-rxm-g1.patch
new file mode 100644 (file)
index 0000000..c0f86a7
--- /dev/null
@@ -0,0 +1,88 @@
+From 863199199713908afaa47ba09332b87621c12496 Mon Sep 17 00:00:00 2001
+From: Wes Huang <wes.huang@moxa.com>
+Date: Thu, 8 Jun 2023 11:01:42 +0800
+Subject: net: usb: qmi_wwan: add support for Compal RXM-G1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wes Huang <wes.huang@moxa.com>
+
+commit 863199199713908afaa47ba09332b87621c12496 upstream.
+
+Add support for Compal RXM-G1 which is based on Qualcomm SDX55 chip.
+This patch adds support for two compositions:
+
+0x9091: DIAG + MODEM + QMI_RMNET + ADB
+0x90db: DIAG + DUN + RMNET + DPL + QDSS(Trace) + ADB
+
+T:  Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=5000 MxCh= 0
+D:  Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs=  1
+P:  Vendor=05c6 ProdID=9091 Rev= 4.14
+S:  Manufacturer=QCOM
+S:  Product=SDXPRAIRIE-MTP _SN:719AB680
+S:  SerialNumber=719ab680
+C:* #Ifs= 4 Cfg#= 1 Atr=80 MxPwr=896mA
+I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=(none)
+E:  Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
+E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+E:  Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+E:  Ad=84(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
+E:  Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
+E:  Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=85(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+
+T:  Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=5000 MxCh= 0
+D:  Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs=  1
+P:  Vendor=05c6 ProdID=90db Rev= 4.14
+S:  Manufacturer=QCOM
+S:  Product=SDXPRAIRIE-MTP _SN:719AB680
+S:  SerialNumber=719ab680
+C:* #Ifs= 6 Cfg#= 1 Atr=80 MxPwr=896mA
+I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=(none)
+E:  Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
+E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+E:  Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+E:  Ad=84(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
+E:  Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:* If#= 3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
+E:  Ad=8f(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:* If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
+E:  Ad=85(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:* If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
+E:  Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=86(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Wes Huang <wes.huang@moxa.com>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Link: https://lore.kernel.org/r/20230608030141.3546-1-wes.huang@moxa.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/qmi_wwan.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1217,7 +1217,9 @@ static const struct usb_device_id produc
+       {QMI_FIXED_INTF(0x05c6, 0x9080, 8)},
+       {QMI_FIXED_INTF(0x05c6, 0x9083, 3)},
+       {QMI_FIXED_INTF(0x05c6, 0x9084, 4)},
++      {QMI_QUIRK_SET_DTR(0x05c6, 0x9091, 2)}, /* Compal RXM-G1 */
+       {QMI_FIXED_INTF(0x05c6, 0x90b2, 3)},    /* ublox R410M */
++      {QMI_QUIRK_SET_DTR(0x05c6, 0x90db, 2)}, /* Compal RXM-G1 */
+       {QMI_FIXED_INTF(0x05c6, 0x920d, 0)},
+       {QMI_FIXED_INTF(0x05c6, 0x920d, 5)},
+       {QMI_QUIRK_SET_DTR(0x05c6, 0x9625, 4)}, /* YUGA CLM920-NC5 */
diff --git a/queue-5.15/nilfs2-fix-incomplete-buffer-cleanup-in-nilfs_btnode_abort_change_key.patch b/queue-5.15/nilfs2-fix-incomplete-buffer-cleanup-in-nilfs_btnode_abort_change_key.patch
new file mode 100644 (file)
index 0000000..5db83e9
--- /dev/null
@@ -0,0 +1,53 @@
+From 2f012f2baca140c488e43d27a374029c1e59098d Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Date: Sat, 13 May 2023 19:24:28 +0900
+Subject: nilfs2: fix incomplete buffer cleanup in nilfs_btnode_abort_change_key()
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+commit 2f012f2baca140c488e43d27a374029c1e59098d upstream.
+
+A syzbot fault injection test reported that nilfs_btnode_create_block, a
+helper function that allocates a new node block for b-trees, causes a
+kernel BUG for disk images where the file system block size is smaller
+than the page size.
+
+This was due to unexpected flags on the newly allocated buffer head, and
+it turned out to be because the buffer flags were not cleared by
+nilfs_btnode_abort_change_key() after an error occurred during a b-tree
+update operation and the buffer was later reused in that state.
+
+Fix this issue by using nilfs_btnode_delete() to abandon the unused
+preallocated buffer in nilfs_btnode_abort_change_key().
+
+Link: https://lkml.kernel.org/r/20230513102428.10223-1-konishi.ryusuke@gmail.com
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Reported-by: syzbot+b0a35a5c1f7e846d3b09@syzkaller.appspotmail.com
+Closes: https://lkml.kernel.org/r/000000000000d1d6c205ebc4d512@google.com
+Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nilfs2/btnode.c |   12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/fs/nilfs2/btnode.c
++++ b/fs/nilfs2/btnode.c
+@@ -285,6 +285,14 @@ void nilfs_btnode_abort_change_key(struc
+       if (nbh == NULL) {      /* blocksize == pagesize */
+               xa_erase_irq(&btnc->i_pages, newkey);
+               unlock_page(ctxt->bh->b_page);
+-      } else
+-              brelse(nbh);
++      } else {
++              /*
++               * When canceling a buffer that a prepare operation has
++               * allocated to copy a node block to another location, use
++               * nilfs_btnode_delete() to initialize and release the buffer
++               * so that the buffer flags will not be in an inconsistent
++               * state when it is reallocated.
++               */
++              nilfs_btnode_delete(nbh);
++      }
+ }
diff --git a/queue-5.15/nilfs2-fix-possible-out-of-bounds-segment-allocation-in-resize-ioctl.patch b/queue-5.15/nilfs2-fix-possible-out-of-bounds-segment-allocation-in-resize-ioctl.patch
new file mode 100644 (file)
index 0000000..b26aee7
--- /dev/null
@@ -0,0 +1,62 @@
+From fee5eaecca86afa544355569b831c1f90f334b85 Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Date: Wed, 24 May 2023 18:43:48 +0900
+Subject: nilfs2: fix possible out-of-bounds segment allocation in resize ioctl
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+commit fee5eaecca86afa544355569b831c1f90f334b85 upstream.
+
+Syzbot reports that in its stress test for resize ioctl, the log writing
+function nilfs_segctor_do_construct hits a WARN_ON in
+nilfs_segctor_truncate_segments().
+
+It turned out that there is a problem with the current implementation of
+the resize ioctl, which changes the writable range on the device (the
+range of allocatable segments) at the end of the resize process.
+
+This order is necessary for file system expansion to avoid corrupting the
+superblock at trailing edge.  However, in the case of a file system
+shrink, if log writes occur after truncating out-of-bounds trailing
+segments and before the resize is complete, segments may be allocated from
+the truncated space.
+
+The userspace resize tool was fine as it limits the range of allocatable
+segments before performing the resize, but it can run into this issue if
+the resize ioctl is called alone.
+
+Fix this issue by changing nilfs_sufile_resize() to update the range of
+allocatable segments immediately after successful truncation of segment
+space in case of file system shrink.
+
+Link: https://lkml.kernel.org/r/20230524094348.3784-1-konishi.ryusuke@gmail.com
+Fixes: 4e33f9eab07e ("nilfs2: implement resize ioctl")
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Reported-by: syzbot+33494cd0df2ec2931851@syzkaller.appspotmail.com
+Closes: https://lkml.kernel.org/r/0000000000005434c405fbbafdc5@google.com
+Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nilfs2/sufile.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/fs/nilfs2/sufile.c
++++ b/fs/nilfs2/sufile.c
+@@ -779,6 +779,15 @@ int nilfs_sufile_resize(struct inode *su
+                       goto out_header;
+               sui->ncleansegs -= nsegs - newnsegs;
++
++              /*
++               * If the sufile is successfully truncated, immediately adjust
++               * the segment allocation space while locking the semaphore
++               * "mi_sem" so that nilfs_sufile_alloc() never allocates
++               * segments in the truncated space.
++               */
++              sui->allocmax = newnsegs - 1;
++              sui->allocmin = 0;
+       }
+       kaddr = kmap_atomic(header_bh->b_page);
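Review bot: `sui->allocmax = newnsegs - 1;` wraps if newnsegs can ever be 0, and the hunk does not show where newnsegs is validated; if the caller does not already reject shrinking to zero segments, a guard or at least a comment recording that precondition belongs here. The new comment explains the mi_sem requirement but not that `sui->allocmin = 0;` unconditionally overwrites whatever lower bound the sufile held before the resize; saying so explicitly (`/* also resets any narrower lower bound held before the resize */`) keeps a future reader from treating it as accidental. nilfs_sufile_resize starts and ends outside the hunk.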
diff --git a/queue-5.15/nios2-dts-fix-tse_mac-max-frame-size-property.patch b/queue-5.15/nios2-dts-fix-tse_mac-max-frame-size-property.patch
new file mode 100644 (file)
index 0000000..53a13d2
--- /dev/null
@@ -0,0 +1,46 @@
+From 85041e12418fd0c08ff972b7729f7971afb361f8 Mon Sep 17 00:00:00 2001
+From: Janne Grunau <j@jannau.net>
+Date: Sun, 12 Feb 2023 13:16:32 +0100
+Subject: nios2: dts: Fix tse_mac "max-frame-size" property
+
+From: Janne Grunau <j@jannau.net>
+
+commit 85041e12418fd0c08ff972b7729f7971afb361f8 upstream.
+
+The given value of 1518 seems to refer to the layer 2 ethernet frame
+size without 802.1Q tag. Actual use of the "max-frame-size" including in
+the consumer of the "altr,tse-1.0" compatible is the MTU.
+
+Fixes: 95acd4c7b69c ("nios2: Device tree support")
+Fixes: 61c610ec61bb ("nios2: Add Max10 device tree")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Janne Grunau <j@jannau.net>
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/nios2/boot/dts/10m50_devboard.dts |    2 +-
+ arch/nios2/boot/dts/3c120_devboard.dts |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/nios2/boot/dts/10m50_devboard.dts
++++ b/arch/nios2/boot/dts/10m50_devboard.dts
+@@ -97,7 +97,7 @@
+                       rx-fifo-depth = <8192>;
+                       tx-fifo-depth = <8192>;
+                       address-bits = <48>;
+-                      max-frame-size = <1518>;
++                      max-frame-size = <1500>;
+                       local-mac-address = [00 00 00 00 00 00];
+                       altr,has-supplementary-unicast;
+                       altr,enable-sup-addr = <1>;
+--- a/arch/nios2/boot/dts/3c120_devboard.dts
++++ b/arch/nios2/boot/dts/3c120_devboard.dts
+@@ -106,7 +106,7 @@
+                               interrupt-names = "rx_irq", "tx_irq";
+                               rx-fifo-depth = <8192>;
+                               tx-fifo-depth = <8192>;
+-                              max-frame-size = <1518>;
++                              max-frame-size = <1500>;
+                               local-mac-address = [ 00 00 00 00 00 00 ];
+                               phy-mode = "rgmii-id";
+                               phy-handle = <&phy0>;
diff --git a/queue-5.15/nouveau-fix-client-work-fence-deletion-race.patch b/queue-5.15/nouveau-fix-client-work-fence-deletion-race.patch
new file mode 100644 (file)
index 0000000..be9e3cf
--- /dev/null
@@ -0,0 +1,60 @@
+From c8a5d5ea3ba6a18958f8d76430e4cd68eea33943 Mon Sep 17 00:00:00 2001
+From: Dave Airlie <airlied@redhat.com>
+Date: Thu, 15 Jun 2023 12:22:11 +1000
+Subject: nouveau: fix client work fence deletion race
+
+From: Dave Airlie <airlied@redhat.com>
+
+commit c8a5d5ea3ba6a18958f8d76430e4cd68eea33943 upstream.
+
+This seems to have existed for ever but is now more apparant after
+commit 9bff18d13473 ("drm/ttm: use per BO cleanup workers")
+
+My analysis: two threads are running, one in the irq signalling the
+fence, in dma_fence_signal_timestamp_locked, it has done the
+DMA_FENCE_FLAG_SIGNALLED_BIT setting, but hasn't yet reached the
+callbacks.
+
+The second thread in nouveau_cli_work_ready, where it sees the fence is
+signalled, so then puts the fence, cleanups the object and frees the
+work item, which contains the callback.
+
+Thread one goes again and tries to call the callback and causes the
+use-after-free.
+
+Proposed fix: lock the fence signalled check in nouveau_cli_work_ready,
+so either the callbacks are done or the memory is freed.
+
+Reviewed-by: Karol Herbst <kherbst@redhat.com>
+Fixes: 11e451e74050 ("drm/nouveau: remove fence wait code from deferred client work handler")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Link: https://lore.kernel.org/dri-devel/20230615024008.1600281-1-airlied@gmail.com/
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_drm.c |   14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/nouveau/nouveau_drm.c
++++ b/drivers/gpu/drm/nouveau/nouveau_drm.c
+@@ -126,10 +126,16 @@ nouveau_name(struct drm_device *dev)
+ static inline bool
+ nouveau_cli_work_ready(struct dma_fence *fence)
+ {
+-      if (!dma_fence_is_signaled(fence))
+-              return false;
+-      dma_fence_put(fence);
+-      return true;
++      bool ret = true;
++
++      spin_lock_irq(fence->lock);
++      if (!dma_fence_is_signaled_locked(fence))
++              ret = false;
++      spin_unlock_irq(fence->lock);
++
++      if (ret == true)
++              dma_fence_put(fence);
++      return ret;
+ }
+ static void
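Review bot: `if (ret == true)` at the end of nouveau_cli_work_ready() compares a bool against `true`, which kernel style avoids, and the locked section can shrink to a single assignment: `spin_lock_irq(fence->lock); ret = dma_fence_is_signaled_locked(fence); spin_unlock_irq(fence->lock);` followed by `if (ret) dma_fence_put(fence);`. The reason the lock is needed at all — the race described in the commit message, where a signaller has set the signalled bit but not yet run the callbacks that live in the work item our caller frees — is not visible in the code; a comment above `spin_lock_irq()` saying that holding fence->lock guarantees the concurrent signaller has either finished the callbacks or not started them would keep that knowledge with the function. `spin_lock_irq()` also assumes the caller never runs with interrupts already disabled; that holds for a workqueue caller, but the callers are outside the hunk, so confirm.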
diff --git a/queue-5.15/ocfs2-check-new-file-size-on-fallocate-call.patch b/queue-5.15/ocfs2-check-new-file-size-on-fallocate-call.patch
new file mode 100644 (file)
index 0000000..840c13e
--- /dev/null
@@ -0,0 +1,57 @@
+From 26a6ffff7de5dd369cdb12e38ba11db682f1dec0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Lu=C3=ADs=20Henriques?= <ocfs2-devel@oss.oracle.com>
+Date: Mon, 29 May 2023 16:26:45 +0100
+Subject: ocfs2: check new file size on fallocate call
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Luís Henriques <ocfs2-devel@oss.oracle.com>
+
+commit 26a6ffff7de5dd369cdb12e38ba11db682f1dec0 upstream.
+
+When changing a file size with fallocate() the new size isn't being
+checked.  In particular, the FSIZE ulimit isn't being checked, which makes
+fstest generic/228 fail.  Simply adding a call to inode_newsize_ok() fixes
+this issue.
+
+Link: https://lkml.kernel.org/r/20230529152645.32680-1-lhenriques@suse.de
+Signed-off-by: Luís Henriques <lhenriques@suse.de>
+Reviewed-by: Mark Fasheh <mark@fasheh.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/file.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -2103,14 +2103,20 @@ static long ocfs2_fallocate(struct file
+       struct ocfs2_space_resv sr;
+       int change_size = 1;
+       int cmd = OCFS2_IOC_RESVSP64;
++      int ret = 0;
+       if (mode & ~(FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE))
+               return -EOPNOTSUPP;
+       if (!ocfs2_writes_unwritten_extents(osb))
+               return -EOPNOTSUPP;
+-      if (mode & FALLOC_FL_KEEP_SIZE)
++      if (mode & FALLOC_FL_KEEP_SIZE) {
+               change_size = 0;
++      } else {
++              ret = inode_newsize_ok(inode, offset + len);
++              if (ret)
++                      return ret;
++      }
+       if (mode & FALLOC_FL_PUNCH_HOLE)
+               cmd = OCFS2_IOC_UNRESVSP64;
diff --git a/queue-5.15/ocfs2-fix-use-after-free-when-unmounting-read-only-filesystem.patch b/queue-5.15/ocfs2-fix-use-after-free-when-unmounting-read-only-filesystem.patch
new file mode 100644 (file)
index 0000000..99f1fce
--- /dev/null
@@ -0,0 +1,100 @@
+From 50d927880e0f90d5cb25e897e9d03e5edacc79a8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Lu=C3=ADs=20Henriques?= <ocfs2-devel@oss.oracle.com>
+Date: Mon, 22 May 2023 11:21:12 +0100
+Subject: ocfs2: fix use-after-free when unmounting read-only filesystem
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Luís Henriques <ocfs2-devel@oss.oracle.com>
+
+commit 50d927880e0f90d5cb25e897e9d03e5edacc79a8 upstream.
+
+It's trivial to trigger a use-after-free bug in the ocfs2 quotas code using
+fstest generic/452.  After a read-only remount, quotas are suspended and
+ocfs2_mem_dqinfo is freed through ->ocfs2_local_free_info().  When unmounting
+the filesystem, an UAF access to the oinfo will eventually cause a crash.
+
+BUG: KASAN: slab-use-after-free in timer_delete+0x54/0xc0
+Read of size 8 at addr ffff8880389a8208 by task umount/669
+...
+Call Trace:
+ <TASK>
+ ...
+ timer_delete+0x54/0xc0
+ try_to_grab_pending+0x31/0x230
+ __cancel_work_timer+0x6c/0x270
+ ocfs2_disable_quotas.isra.0+0x3e/0xf0 [ocfs2]
+ ocfs2_dismount_volume+0xdd/0x450 [ocfs2]
+ generic_shutdown_super+0xaa/0x280
+ kill_block_super+0x46/0x70
+ deactivate_locked_super+0x4d/0xb0
+ cleanup_mnt+0x135/0x1f0
+ ...
+ </TASK>
+
+Allocated by task 632:
+ kasan_save_stack+0x1c/0x40
+ kasan_set_track+0x21/0x30
+ __kasan_kmalloc+0x8b/0x90
+ ocfs2_local_read_info+0xe3/0x9a0 [ocfs2]
+ dquot_load_quota_sb+0x34b/0x680
+ dquot_load_quota_inode+0xfe/0x1a0
+ ocfs2_enable_quotas+0x190/0x2f0 [ocfs2]
+ ocfs2_fill_super+0x14ef/0x2120 [ocfs2]
+ mount_bdev+0x1be/0x200
+ legacy_get_tree+0x6c/0xb0
+ vfs_get_tree+0x3e/0x110
+ path_mount+0xa90/0xe10
+ __x64_sys_mount+0x16f/0x1a0
+ do_syscall_64+0x43/0x90
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+Freed by task 650:
+ kasan_save_stack+0x1c/0x40
+ kasan_set_track+0x21/0x30
+ kasan_save_free_info+0x2a/0x50
+ __kasan_slab_free+0xf9/0x150
+ __kmem_cache_free+0x89/0x180
+ ocfs2_local_free_info+0x2ba/0x3f0 [ocfs2]
+ dquot_disable+0x35f/0xa70
+ ocfs2_susp_quotas.isra.0+0x159/0x1a0 [ocfs2]
+ ocfs2_remount+0x150/0x580 [ocfs2]
+ reconfigure_super+0x1a5/0x3a0
+ path_mount+0xc8a/0xe10
+ __x64_sys_mount+0x16f/0x1a0
+ do_syscall_64+0x43/0x90
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+Link: https://lkml.kernel.org/r/20230522102112.9031-1-lhenriques@suse.de
+Signed-off-by: Luís Henriques <lhenriques@suse.de>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Tested-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/super.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/ocfs2/super.c
++++ b/fs/ocfs2/super.c
+@@ -953,8 +953,10 @@ static void ocfs2_disable_quotas(struct
+       for (type = 0; type < OCFS2_MAXQUOTAS; type++) {
+               if (!sb_has_quota_loaded(sb, type))
+                       continue;
+-              oinfo = sb_dqinfo(sb, type)->dqi_priv;
+-              cancel_delayed_work_sync(&oinfo->dqi_sync_work);
++              if (!sb_has_quota_suspended(sb, type)) {
++                      oinfo = sb_dqinfo(sb, type)->dqi_priv;
++                      cancel_delayed_work_sync(&oinfo->dqi_sync_work);
++              }
+               inode = igrab(sb->s_dquot.files[type]);
+               /* Turn off quotas. This will remove all dquot structures from
+                * memory and so they will be automatically synced to global
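Review bot: The new `if (!sb_has_quota_suspended(sb, type))` guard carries no explanation in the code; the reason — after a read-only remount ocfs2_susp_quotas() frees the ocfs2_mem_dqinfo behind `dqi_priv` via ocfs2_local_free_info(), so touching `oinfo->dqi_sync_work` here is a use-after-free — lives only in the commit message and should be a comment above the guard. The skip also relies on the delayed work having already been cancelled when the quota was suspended; that is not visible from this hunk, so confirm against ocfs2_local_free_info() and record it in the same comment, since an in-flight dqi_sync_work would otherwise outlive the dismount. ocfs2_disable_quotas() begins outside the hunk.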
diff --git a/queue-5.15/powerpc-purgatory-remove-pgo-flags.patch b/queue-5.15/powerpc-purgatory-remove-pgo-flags.patch
new file mode 100644 (file)
index 0000000..3f93031
--- /dev/null
@@ -0,0 +1,59 @@
+From 20188baceb7a1463dc0bcb0c8678b69c2f447df6 Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda <ribalda@chromium.org>
+Date: Fri, 19 May 2023 16:47:38 +0200
+Subject: powerpc/purgatory: remove PGO flags
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+commit 20188baceb7a1463dc0bcb0c8678b69c2f447df6 upstream.
+
+If profile-guided optimization is enabled, the purgatory ends up with
+multiple .text sections.  This is not supported by kexec and crashes the
+system.
+
+Link: https://lkml.kernel.org/r/20230321-kexec_clang16-v7-3-b05c520b7296@chromium.org
+Fixes: 930457057abe ("kernel/kexec_file.c: split up __kexec_load_puragory")
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Nicholas Piggin <npiggin@gmail.com>
+Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
+Cc: <stable@vger.kernel.org>
+Cc: Albert Ou <aou@eecs.berkeley.edu>
+Cc: Baoquan He <bhe@redhat.com>
+Cc: Borislav Petkov (AMD) <bp@alien8.de>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Dave Young <dyoung@redhat.com>
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Nathan Chancellor <nathan@kernel.org>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: Palmer Dabbelt <palmer@dabbelt.com>
+Cc: Palmer Dabbelt <palmer@rivosinc.com>
+Cc: Paul Walmsley <paul.walmsley@sifive.com>
+Cc: Philipp Rudo <prudo@redhat.com>
+Cc: Ross Zwisler <zwisler@google.com>
+Cc: Simon Horman <horms@kernel.org>
+Cc: Steven Rostedt (Google) <rostedt@goodmis.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tom Rix <trix@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/purgatory/Makefile |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/powerpc/purgatory/Makefile
++++ b/arch/powerpc/purgatory/Makefile
+@@ -4,6 +4,11 @@ KASAN_SANITIZE := n
+ targets += trampoline_$(BITS).o purgatory.ro kexec-purgatory.c
++# When profile-guided optimization is enabled, llvm emits two different
++# overlapping text sections, which is not supported by kexec. Remove profile
++# optimization flags.
++KBUILD_CFLAGS := $(filter-out -fprofile-sample-use=% -fprofile-use=%,$(KBUILD_CFLAGS))
++
+ LDFLAGS_purgatory.ro := -e purgatory_start -r --no-undefined
+ $(obj)/purgatory.ro: $(obj)/trampoline_$(BITS).o FORCE
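Review bot: The `filter-out` on the new `KBUILD_CFLAGS :=` line strips only the profile-use flags (`-fprofile-sample-use=%`, `-fprofile-use=%`); if a tree ever builds with instrumentation flags such as `-fprofile-generate` or `-fprofile-instr-generate`, those would still reach the purgatory and add instrumentation sections plus runtime references that a standalone purgatory cannot satisfy. Whether kbuild ever passes those is not visible here, so either widen the pattern to cover them or extend the comment to say why only the use-side flags matter. The same line is added for x86 in x86-purgatory-remove-pgo-flags.patch, so whichever is chosen should be applied to both.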
diff --git a/queue-5.15/rdma-uverbs-restrict-usage-of-privileged-qkeys.patch b/queue-5.15/rdma-uverbs-restrict-usage-of-privileged-qkeys.patch
new file mode 100644 (file)
index 0000000..0490a96
--- /dev/null
@@ -0,0 +1,43 @@
+From 0cadb4db79e1d9eea66711c4031e435c2191907e Mon Sep 17 00:00:00 2001
+From: Edward Srouji <edwards@nvidia.com>
+Date: Mon, 5 Jun 2023 13:33:24 +0300
+Subject: RDMA/uverbs: Restrict usage of privileged QKEYs
+
+From: Edward Srouji <edwards@nvidia.com>
+
+commit 0cadb4db79e1d9eea66711c4031e435c2191907e upstream.
+
+According to the IB specification rel-1.6, section 3.5.3:
+"QKEYs with the most significant bit set are considered controlled
+QKEYs, and a HCA does not allow a consumer to arbitrarily specify a
+controlled QKEY."
+
+Thus, block non-privileged users from setting such a QKEY.
+
+Cc: stable@vger.kernel.org
+Fixes: bc38a6abdd5a ("[PATCH] IB uverbs: core implementation")
+Signed-off-by: Edward Srouji <edwards@nvidia.com>
+Link: https://lore.kernel.org/r/c00c809ddafaaf87d6f6cb827978670989a511b3.1685960567.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/core/uverbs_cmd.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -1851,8 +1851,13 @@ static int modify_qp(struct uverbs_attr_
+               attr->path_mtu = cmd->base.path_mtu;
+       if (cmd->base.attr_mask & IB_QP_PATH_MIG_STATE)
+               attr->path_mig_state = cmd->base.path_mig_state;
+-      if (cmd->base.attr_mask & IB_QP_QKEY)
++      if (cmd->base.attr_mask & IB_QP_QKEY) {
++              if (cmd->base.qkey & IB_QP_SET_QKEY && !capable(CAP_NET_RAW)) {
++                      ret = -EPERM;
++                      goto release_qp;
++              }
+               attr->qkey = cmd->base.qkey;
++      }
+       if (cmd->base.attr_mask & IB_QP_RQ_PSN)
+               attr->rq_psn = cmd->base.rq_psn;
+       if (cmd->base.attr_mask & IB_QP_SQ_PSN)
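Review bot: The new condition `cmd->base.qkey & IB_QP_SET_QKEY && !capable(CAP_NET_RAW)` mixes bitwise `&` and logical `&&` without parentheses; it parses as intended because `&` binds tighter, but `if ((cmd->base.qkey & IB_QP_SET_QKEY) && !capable(CAP_NET_RAW))` reads unambiguously and is what a checkpatch-style review usually asks for. The rule being enforced (IB spec 1.6 section 3.5.3: QKEYs with the most significant bit set are controlled and may not be chosen by an unprivileged consumer) appears only in the commit message; a comment above the check, `/* Controlled QKEYs (MSB set) require privilege, IB spec 3.5.3 */`, would keep it with the code. `capable()` is evaluated at modify time only, so a controlled QKEY installed earlier by a privileged caller is retained, which looks intended. The `release_qp` label and the rest of modify_qp() are outside the hunk.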
index 23956cf932670cbef7f2494003c94f1095f83c35..906a5202e7175b429850eea6496749b101a0fc90 100644 (file)
@@ -30,3 +30,23 @@ xen-blkfront-only-check-req_fua-for-writes.patch
 drm-amd-amdgpu-fix-missing-buffer-object-unlock-in-f.patch
 nvme-add-maxio-1602-to-bogus-nid-list.patch
 irqchip-gic-correctly-validate-of-quirk-descriptors.patch
+io_uring-hold-uring-mutex-around-poll-removal.patch
+wifi-cfg80211-fix-locking-in-regulatory-disconnect.patch
+wifi-cfg80211-fix-double-lock-bug-in-reg_wdev_chan_valid.patch
+epoll-ep_autoremove_wake_function-should-use-list_del_init_careful.patch
+ocfs2-fix-use-after-free-when-unmounting-read-only-filesystem.patch
+ocfs2-check-new-file-size-on-fallocate-call.patch
+nios2-dts-fix-tse_mac-max-frame-size-property.patch
+nilfs2-fix-incomplete-buffer-cleanup-in-nilfs_btnode_abort_change_key.patch
+nilfs2-fix-possible-out-of-bounds-segment-allocation-in-resize-ioctl.patch
+kexec-support-purgatories-with-.text.hot-sections.patch
+x86-purgatory-remove-pgo-flags.patch
+powerpc-purgatory-remove-pgo-flags.patch
+alsa-usb-audio-add-quirk-flag-for-hem-devices-to-enable-native-dsd-playback.patch
+dm-thin-metadata-check-fail_io-before-using-data_sm.patch
+nouveau-fix-client-work-fence-deletion-race.patch
+rdma-uverbs-restrict-usage-of-privileged-qkeys.patch
+net-usb-qmi_wwan-add-support-for-compal-rxm-g1.patch
+drm-amd-display-edp-do-not-add-non-edid-timings.patch
+drm-amdgpu-add-missing-radeon-secondary-pci-id.patch
+alsa-hda-realtek-add-a-quirk-for-compaq-n14jp6.patch
diff --git a/queue-5.15/wifi-cfg80211-fix-double-lock-bug-in-reg_wdev_chan_valid.patch b/queue-5.15/wifi-cfg80211-fix-double-lock-bug-in-reg_wdev_chan_valid.patch
new file mode 100644 (file)
index 0000000..35124f5
--- /dev/null
@@ -0,0 +1,34 @@
+From 996c3117dae4c02b38a3cb68e5c2aec9d907ec15 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Fri, 9 Jun 2023 13:48:44 +0300
+Subject: wifi: cfg80211: fix double lock bug in reg_wdev_chan_valid()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit 996c3117dae4c02b38a3cb68e5c2aec9d907ec15 upstream.
+
+The locking was changed recently so now the caller holds the wiphy_lock()
+lock.  Taking the lock inside the reg_wdev_chan_valid() function will
+lead to a deadlock.
+
+Fixes: f7e60032c661 ("wifi: cfg80211: fix locking in regulatory disconnect")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/40c4114a-6cb4-4abf-b013-300b598aba65@moroto.mountain
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/reg.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -2398,9 +2398,7 @@ static bool reg_wdev_chan_valid(struct w
+       case NL80211_IFTYPE_AP:
+       case NL80211_IFTYPE_P2P_GO:
+       case NL80211_IFTYPE_ADHOC:
+-              wiphy_lock(wiphy);
+               ret = cfg80211_reg_can_beacon_relax(wiphy, &chandef, iftype);
+-              wiphy_unlock(wiphy);
+               return ret;
+       case NL80211_IFTYPE_STATION:
diff --git a/queue-5.15/wifi-cfg80211-fix-locking-in-regulatory-disconnect.patch b/queue-5.15/wifi-cfg80211-fix-locking-in-regulatory-disconnect.patch
new file mode 100644 (file)
index 0000000..8c8d2d5
--- /dev/null
@@ -0,0 +1,36 @@
+From f7e60032c6618dfd643c7210d5cba2789e2de2e2 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 6 Jun 2023 14:34:48 +0200
+Subject: wifi: cfg80211: fix locking in regulatory disconnect
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit f7e60032c6618dfd643c7210d5cba2789e2de2e2 upstream.
+
+This should use wiphy_lock() now instead of requiring the
+RTNL, since __cfg80211_leave() via cfg80211_leave() is now
+requiring that lock to be held.
+
+Fixes: a05829a7222e ("cfg80211: avoid holding the RTNL when calling the driver")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/reg.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -2423,11 +2423,11 @@ static void reg_leave_invalid_chans(stru
+       struct wireless_dev *wdev;
+       struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
+-      ASSERT_RTNL();
+-
++      wiphy_lock(wiphy);
+       list_for_each_entry(wdev, &rdev->wiphy.wdev_list, list)
+               if (!reg_wdev_chan_valid(wiphy, wdev))
+                       cfg80211_leave(rdev, wdev);
++      wiphy_unlock(wiphy);
+ }
+ static void reg_check_chans_work(struct work_struct *work)
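Review bot: reg_leave_invalid_chans() now takes `wiphy_lock(wiphy)` around the loop, so reg_wdev_chan_valid() called inside it must not take that lock itself — the companion wifi-cfg80211-fix-double-lock-bug-in-reg_wdev_chan_valid.patch on this page removes exactly that inner lock, and the two must land together (the series file orders them correctly). To catch a regression at lockdep time rather than as a deadlock, reg_wdev_chan_valid() could assert the lock it now depends on, e.g. `lockdep_assert_held(&wiphy->mtx);`, and a one-line comment on reg_leave_invalid_chans() stating that it acquires the wiphy lock would document the new contract. Whether the caller still holds the RTNL, which the dropped `ASSERT_RTNL()` used to check, is not visible from this hunk; the function's signature is also outside the hunk.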
diff --git a/queue-5.15/x86-purgatory-remove-pgo-flags.patch b/queue-5.15/x86-purgatory-remove-pgo-flags.patch
new file mode 100644 (file)
index 0000000..450ccc0
--- /dev/null
@@ -0,0 +1,59 @@
+From 97b6b9cbba40a21c1d9a344d5c1991f8cfbf136e Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda <ribalda@chromium.org>
+Date: Fri, 19 May 2023 16:47:37 +0200
+Subject: x86/purgatory: remove PGO flags
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+commit 97b6b9cbba40a21c1d9a344d5c1991f8cfbf136e upstream.
+
+If profile-guided optimization is enabled, the purgatory ends up with
+multiple .text sections.  This is not supported by kexec and crashes the
+system.
+
+Link: https://lkml.kernel.org/r/20230321-kexec_clang16-v7-2-b05c520b7296@chromium.org
+Fixes: 930457057abe ("kernel/kexec_file.c: split up __kexec_load_puragory")
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Cc: <stable@vger.kernel.org>
+Cc: Albert Ou <aou@eecs.berkeley.edu>
+Cc: Baoquan He <bhe@redhat.com>
+Cc: Borislav Petkov (AMD) <bp@alien8.de>
+Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Dave Young <dyoung@redhat.com>
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Nathan Chancellor <nathan@kernel.org>
+Cc: Nicholas Piggin <npiggin@gmail.com>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: Palmer Dabbelt <palmer@dabbelt.com>
+Cc: Palmer Dabbelt <palmer@rivosinc.com>
+Cc: Paul Walmsley <paul.walmsley@sifive.com>
+Cc: Philipp Rudo <prudo@redhat.com>
+Cc: Ross Zwisler <zwisler@google.com>
+Cc: Simon Horman <horms@kernel.org>
+Cc: Steven Rostedt (Google) <rostedt@goodmis.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Tom Rix <trix@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/purgatory/Makefile |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/x86/purgatory/Makefile
++++ b/arch/x86/purgatory/Makefile
+@@ -14,6 +14,11 @@ $(obj)/sha256.o: $(srctree)/lib/crypto/s
+ CFLAGS_sha256.o := -D__DISABLE_EXPORTS
++# When profile-guided optimization is enabled, llvm emits two different
++# overlapping text sections, which is not supported by kexec. Remove profile
++# optimization flags.
++KBUILD_CFLAGS := $(filter-out -fprofile-sample-use=% -fprofile-use=%,$(KBUILD_CFLAGS))
++
+ # When linking purgatory.ro with -r unresolved symbols are not checked,
+ # also link a purgatory.chk binary without -r to check for unresolved symbols.
+ PURGATORY_LDFLAGS := -e purgatory_start -nostdlib -z nodefaultlib