--- /dev/null
+From bb81c8f8c9cd5456552d9e6b598b0d3d41200641 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 May 2024 12:13:13 +0200
+Subject: bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD
+
+From: Jose E. Marchesi <jose.marchesi@oracle.com>
+
+[ Upstream commit 009367099eb61a4fc2af44d4eb06b6b4de7de6db ]
+
+[Changes from V1:
+ - Use a default branch in the switch statement to initialize `val'.]
+
+GCC warns that `val' may be used uninitialized in the
+BPF_CRE_READ_BITFIELD macro, defined in bpf_core_read.h as:
+
+ [...]
+ unsigned long long val; \
+ [...] \
+ switch (__CORE_RELO(s, field, BYTE_SIZE)) { \
+ case 1: val = *(const unsigned char *)p; break; \
+ case 2: val = *(const unsigned short *)p; break; \
+ case 4: val = *(const unsigned int *)p; break; \
+ case 8: val = *(const unsigned long long *)p; break; \
+ } \
+ [...]
+ val; \
+ } \
+
+This patch adds a default entry in the switch statement that sets
+`val' to zero in order to avoid the warning, and random values to be
+used in case __builtin_preserve_field_info returns unexpected values
+for BPF_FIELD_BYTE_SIZE.
+
+Tested in bpf-next master.
+No regressions.
+
+Signed-off-by: Jose E. Marchesi <jose.marchesi@oracle.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20240508101313.16662-1-jose.marchesi@oracle.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/bpf_core_read.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/lib/bpf/bpf_core_read.h b/tools/lib/bpf/bpf_core_read.h
+index 1ce738d91685a..670726353aa50 100644
+--- a/tools/lib/bpf/bpf_core_read.h
++++ b/tools/lib/bpf/bpf_core_read.h
+@@ -104,6 +104,7 @@ enum bpf_enum_value_kind {
+ case 2: val = *(const unsigned short *)p; break; \
+ case 4: val = *(const unsigned int *)p; break; \
+ case 8: val = *(const unsigned long long *)p; break; \
++ default: val = 0; break; \
+ } \
+ val <<= __CORE_RELO(s, field, LSHIFT_U64); \
+ if (__CORE_RELO(s, field, SIGNED)) \
+--
+2.43.0
+
--- /dev/null
+From beac3fd75154b3486440aebb0d5dd9f2c0daf81d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Apr 2024 18:28:20 -0700
+Subject: bpf: check bpf_dummy_struct_ops program params for test runs
+
+From: Eduard Zingerman <eddyz87@gmail.com>
+
+[ Upstream commit 980ca8ceeae69ddf362870ea9183f389ae26324a ]
+
+When doing BPF_PROG_TEST_RUN for bpf_dummy_struct_ops programs,
+reject execution when NULL is passed for non-nullable params.
+For programs with non-nullable params verifier assumes that
+such params are never NULL and thus might optimize out NULL checks.
+
+Suggested-by: Kui-Feng Lee <sinquersw@gmail.com>
+Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/20240424012821.595216-5-eddyz87@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bpf/bpf_dummy_struct_ops.c | 51 +++++++++++++++++++++++++++++++++-
+ 1 file changed, 50 insertions(+), 1 deletion(-)
+
+diff --git a/net/bpf/bpf_dummy_struct_ops.c b/net/bpf/bpf_dummy_struct_ops.c
+index fdbe30ad8db2f..7236349cf0598 100644
+--- a/net/bpf/bpf_dummy_struct_ops.c
++++ b/net/bpf/bpf_dummy_struct_ops.c
+@@ -79,6 +79,51 @@ static int dummy_ops_call_op(void *image, struct bpf_dummy_ops_test_args *args)
+ args->args[3], args->args[4]);
+ }
+
++static const struct bpf_ctx_arg_aux *find_ctx_arg_info(struct bpf_prog_aux *aux, int offset)
++{
++ int i;
++
++ for (i = 0; i < aux->ctx_arg_info_size; i++)
++ if (aux->ctx_arg_info[i].offset == offset)
++ return &aux->ctx_arg_info[i];
++
++ return NULL;
++}
++
++/* There is only one check at the moment:
++ * - zero should not be passed for pointer parameters not marked as nullable.
++ */
++static int check_test_run_args(struct bpf_prog *prog, struct bpf_dummy_ops_test_args *args)
++{
++ const struct btf_type *func_proto = prog->aux->attach_func_proto;
++
++ for (u32 arg_no = 0; arg_no < btf_type_vlen(func_proto) ; ++arg_no) {
++ const struct btf_param *param = &btf_params(func_proto)[arg_no];
++ const struct bpf_ctx_arg_aux *info;
++ const struct btf_type *t;
++ int offset;
++
++ if (args->args[arg_no] != 0)
++ continue;
++
++ /* Program is validated already, so there is no need
++ * to check if t is NULL.
++ */
++ t = btf_type_skip_modifiers(bpf_dummy_ops_btf, param->type, NULL);
++ if (!btf_type_is_ptr(t))
++ continue;
++
++ offset = btf_ctx_arg_offset(bpf_dummy_ops_btf, func_proto, arg_no);
++ info = find_ctx_arg_info(prog->aux, offset);
++ if (info && (info->reg_type & PTR_MAYBE_NULL))
++ continue;
++
++ return -EINVAL;
++ }
++
++ return 0;
++}
++
+ extern const struct bpf_link_ops bpf_struct_ops_link_lops;
+
+ int bpf_struct_ops_test_run(struct bpf_prog *prog, const union bpf_attr *kattr,
+@@ -87,7 +132,7 @@ int bpf_struct_ops_test_run(struct bpf_prog *prog, const union bpf_attr *kattr,
+ const struct bpf_struct_ops *st_ops = &bpf_bpf_dummy_ops;
+ const struct btf_type *func_proto;
+ struct bpf_dummy_ops_test_args *args;
+- struct bpf_tramp_links *tlinks;
++ struct bpf_tramp_links *tlinks = NULL;
+ struct bpf_tramp_link *link = NULL;
+ void *image = NULL;
+ unsigned int op_idx;
+@@ -109,6 +154,10 @@ int bpf_struct_ops_test_run(struct bpf_prog *prog, const union bpf_attr *kattr,
+ if (IS_ERR(args))
+ return PTR_ERR(args);
+
++ err = check_test_run_args(prog, args);
++ if (err)
++ goto out;
++
+ tlinks = kcalloc(BPF_TRAMP_MAX, sizeof(*tlinks), GFP_KERNEL);
+ if (!tlinks) {
+ err = -ENOMEM;
+--
+2.43.0
+
--- /dev/null
+From 5f4fbd5007dcca96f10df8d04320f79d4d8458f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Apr 2024 18:28:17 -0700
+Subject: bpf: mark bpf_dummy_struct_ops.test_1 parameter as nullable
+
+From: Eduard Zingerman <eddyz87@gmail.com>
+
+[ Upstream commit 1479eaff1f16983d8fda7c5a08a586c21891087d ]
+
+Test case dummy_st_ops/dummy_init_ret_value passes NULL as the first
+parameter of the test_1() function. Mark this parameter as nullable to
+make verifier aware of such possibility.
+Otherwise, NULL check in the test_1() code:
+
+ SEC("struct_ops/test_1")
+ int BPF_PROG(test_1, struct bpf_dummy_ops_state *state)
+ {
+ if (!state)
+ return ...;
+
+ ... access state ...
+ }
+
+Might be removed by verifier, thus triggering NULL pointer dereference
+under certain conditions.
+
+Reported-by: Jose E. Marchesi <jemarch@gnu.org>
+Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/20240424012821.595216-2-eddyz87@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bpf/bpf_dummy_struct_ops.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/bpf/bpf_dummy_struct_ops.c b/net/bpf/bpf_dummy_struct_ops.c
+index de33dc1b0daad..fdbe30ad8db2f 100644
+--- a/net/bpf/bpf_dummy_struct_ops.c
++++ b/net/bpf/bpf_dummy_struct_ops.c
+@@ -230,7 +230,7 @@ static void bpf_dummy_unreg(void *kdata)
+ {
+ }
+
+-static int bpf_dummy_test_1(struct bpf_dummy_ops_state *cb)
++static int bpf_dummy_ops__test_1(struct bpf_dummy_ops_state *cb__nullable)
+ {
+ return 0;
+ }
+@@ -247,7 +247,7 @@ static int bpf_dummy_test_sleepable(struct bpf_dummy_ops_state *cb)
+ }
+
+ static struct bpf_dummy_ops __bpf_bpf_dummy_ops = {
+- .test_1 = bpf_dummy_test_1,
++ .test_1 = bpf_dummy_ops__test_1,
+ .test_2 = bpf_dummy_test_2,
+ .test_sleepable = bpf_dummy_test_sleepable,
+ };
+--
+2.43.0
+
--- /dev/null
+From 94c893bb89c1af7c8cd76d8da902ed681f43b369 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 May 2024 10:34:17 +0800
+Subject: btrfs: scrub: initialize ret in scrub_simple_mirror() to fix
+ compilation warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lu Yao <yaolu@kylinos.cn>
+
+[ Upstream commit b4e585fffc1cf877112ed231a91f089e85688c2a ]
+
+The following error message is displayed:
+ ../fs/btrfs/scrub.c:2152:9: error: ‘ret’ may be used uninitialized
+ in this function [-Werror=maybe-uninitialized]"
+
+Compiler version: gcc version: (Debian 10.2.1-6) 10.2.1 20210110
+
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: Lu Yao <yaolu@kylinos.cn>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/scrub.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c
+index 4b22cfe9a98cb..afd6932f5e895 100644
+--- a/fs/btrfs/scrub.c
++++ b/fs/btrfs/scrub.c
+@@ -2100,7 +2100,7 @@ static int scrub_simple_mirror(struct scrub_ctx *sctx,
+ struct btrfs_fs_info *fs_info = sctx->fs_info;
+ const u64 logical_end = logical_start + logical_length;
+ u64 cur_logical = logical_start;
+- int ret;
++ int ret = 0;
+
+ /* The range must be inside the bg */
+ ASSERT(logical_start >= bg->start && logical_end <= bg->start + bg->length);
+--
+2.43.0
+
--- /dev/null
+From 4fddd4a334dd763f38c2b09111fc5a65b78ff748 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 May 2024 23:25:20 +0100
+Subject: cdrom: rearrange last_media_change check to avoid unintentional
+ overflow
+
+From: Justin Stitt <justinstitt@google.com>
+
+[ Upstream commit efb905aeb44b0e99c0e6b07865b1885ae0471ebf ]
+
+When running syzkaller with the newly reintroduced signed integer wrap
+sanitizer we encounter this splat:
+
+[ 366.015950] UBSAN: signed-integer-overflow in ../drivers/cdrom/cdrom.c:2361:33
+[ 366.021089] -9223372036854775808 - 346321 cannot be represented in type '__s64' (aka 'long long')
+[ 366.025894] program syz-executor.4 is using a deprecated SCSI ioctl, please convert it to SG_IO
+[ 366.027502] CPU: 5 PID: 28472 Comm: syz-executor.7 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1
+[ 366.027512] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+[ 366.027518] Call Trace:
+[ 366.027523] <TASK>
+[ 366.027533] dump_stack_lvl+0x93/0xd0
+[ 366.027899] handle_overflow+0x171/0x1b0
+[ 366.038787] ata1.00: invalid multi_count 32 ignored
+[ 366.043924] cdrom_ioctl+0x2c3f/0x2d10
+[ 366.063932] ? __pm_runtime_resume+0xe6/0x130
+[ 366.071923] sr_block_ioctl+0x15d/0x1d0
+[ 366.074624] ? __pfx_sr_block_ioctl+0x10/0x10
+[ 366.077642] blkdev_ioctl+0x419/0x500
+[ 366.080231] ? __pfx_blkdev_ioctl+0x10/0x10
+...
+
+Historically, the signed integer overflow sanitizer did not work in the
+kernel due to its interaction with `-fwrapv` but this has since been
+changed [1] in the newest version of Clang. It was re-enabled in the
+kernel with Commit 557f8c582a9ba8ab ("ubsan: Reintroduce signed overflow
+sanitizer").
+
+Let's rearrange the check to not perform any arithmetic, thus not
+tripping the sanitizer.
+
+Link: https://github.com/llvm/llvm-project/pull/82432 [1]
+Closes: https://github.com/KSPP/linux/issues/354
+Cc: linux-hardening@vger.kernel.org
+Signed-off-by: Justin Stitt <justinstitt@google.com>
+Link: https://lore.kernel.org/lkml/20240507-b4-sio-ata1-v1-1-810ffac6080a@google.com
+Reviewed-by: Phillip Potter <phil@philpotter.co.uk>
+Link: https://lore.kernel.org/lkml/ZjqU0fbzHrlnad8D@equinox
+Signed-off-by: Phillip Potter <phil@philpotter.co.uk>
+Link: https://lore.kernel.org/r/20240507222520.1445-2-phil@philpotter.co.uk
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cdrom/cdrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
+index a5e07270e0d41..20c90ebb3a3f6 100644
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -2358,7 +2358,7 @@ static int cdrom_ioctl_timed_media_change(struct cdrom_device_info *cdi,
+ return -EFAULT;
+
+ tmp_info.media_flags = 0;
+- if (tmp_info.last_media_change - cdi->last_media_change_ms < 0)
++ if (cdi->last_media_change_ms > tmp_info.last_media_change)
+ tmp_info.media_flags |= MEDIA_CHANGED_FLAG;
+
+ tmp_info.last_media_change = cdi->last_media_change_ms;
+--
+2.43.0
+
--- /dev/null
+From 472cdd398aae20952a81f50f086ae3b7f2d596bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Apr 2024 22:19:15 +0000
+Subject: crypto: aead,cipher - zeroize key buffer after use
+
+From: Hailey Mothershead <hailmo@amazon.com>
+
+[ Upstream commit 23e4099bdc3c8381992f9eb975c79196d6755210 ]
+
+I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding
+cryptographic information should be zeroized once they are no longer
+needed. Accomplish this by using kfree_sensitive for buffers that
+previously held the private key.
+
+Signed-off-by: Hailey Mothershead <hailmo@amazon.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/aead.c | 3 +--
+ crypto/cipher.c | 3 +--
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/aead.c b/crypto/aead.c
+index 54906633566a2..5f3c1954d8e5d 100644
+--- a/crypto/aead.c
++++ b/crypto/aead.c
+@@ -45,8 +45,7 @@ static int setkey_unaligned(struct crypto_aead *tfm, const u8 *key,
+ alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1);
+ memcpy(alignbuffer, key, keylen);
+ ret = crypto_aead_alg(tfm)->setkey(tfm, alignbuffer, keylen);
+- memset(alignbuffer, 0, keylen);
+- kfree(buffer);
++ kfree_sensitive(buffer);
+ return ret;
+ }
+
+diff --git a/crypto/cipher.c b/crypto/cipher.c
+index 47c77a3e59783..40cae908788ec 100644
+--- a/crypto/cipher.c
++++ b/crypto/cipher.c
+@@ -34,8 +34,7 @@ static int setkey_unaligned(struct crypto_cipher *tfm, const u8 *key,
+ alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1);
+ memcpy(alignbuffer, key, keylen);
+ ret = cia->cia_setkey(crypto_cipher_tfm(tfm), alignbuffer, keylen);
+- memset(alignbuffer, 0, keylen);
+- kfree(buffer);
++ kfree_sensitive(buffer);
+ return ret;
+
+ }
+--
+2.43.0
+
--- /dev/null
+From 957f8dd9bee35149643a587007e8f7bd2da7d56d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 7 Apr 2024 15:59:53 +0800
+Subject: crypto: hisilicon/debugfs - Fix debugfs uninit process issue
+
+From: Chenghai Huang <huangchenghai2@huawei.com>
+
+[ Upstream commit 8be0913389718e8d27c4f1d4537b5e1b99ed7739 ]
+
+During the zip probe process, the debugfs failure does not stop
+the probe. When debugfs initialization fails, jumping to the
+error branch will also release regs, in addition to its own
+rollback operation.
+
+As a result, it may be released repeatedly during the regs
+uninit process. Therefore, the null check needs to be added to
+the regs uninit process.
+
+Signed-off-by: Chenghai Huang <huangchenghai2@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/hisilicon/debugfs.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/crypto/hisilicon/debugfs.c b/drivers/crypto/hisilicon/debugfs.c
+index cd67fa348ca72..6351a452878dd 100644
+--- a/drivers/crypto/hisilicon/debugfs.c
++++ b/drivers/crypto/hisilicon/debugfs.c
+@@ -809,8 +809,14 @@ static void dfx_regs_uninit(struct hisi_qm *qm,
+ {
+ int i;
+
++ if (!dregs)
++ return;
++
+ /* Setting the pointer is NULL to prevent double free */
+ for (i = 0; i < reg_len; i++) {
++ if (!dregs[i].regs)
++ continue;
++
+ kfree(dregs[i].regs);
+ dregs[i].regs = NULL;
+ }
+@@ -860,14 +866,21 @@ static struct dfx_diff_registers *dfx_regs_init(struct hisi_qm *qm,
+ static int qm_diff_regs_init(struct hisi_qm *qm,
+ struct dfx_diff_registers *dregs, u32 reg_len)
+ {
++ int ret;
++
+ qm->debug.qm_diff_regs = dfx_regs_init(qm, qm_diff_regs, ARRAY_SIZE(qm_diff_regs));
+- if (IS_ERR(qm->debug.qm_diff_regs))
+- return PTR_ERR(qm->debug.qm_diff_regs);
++ if (IS_ERR(qm->debug.qm_diff_regs)) {
++ ret = PTR_ERR(qm->debug.qm_diff_regs);
++ qm->debug.qm_diff_regs = NULL;
++ return ret;
++ }
+
+ qm->debug.acc_diff_regs = dfx_regs_init(qm, dregs, reg_len);
+ if (IS_ERR(qm->debug.acc_diff_regs)) {
+ dfx_regs_uninit(qm, qm->debug.qm_diff_regs, ARRAY_SIZE(qm_diff_regs));
+- return PTR_ERR(qm->debug.acc_diff_regs);
++ ret = PTR_ERR(qm->debug.acc_diff_regs);
++ qm->debug.acc_diff_regs = NULL;
++ return ret;
+ }
+
+ return 0;
+@@ -908,7 +921,9 @@ static int qm_last_regs_init(struct hisi_qm *qm)
+ static void qm_diff_regs_uninit(struct hisi_qm *qm, u32 reg_len)
+ {
+ dfx_regs_uninit(qm, qm->debug.acc_diff_regs, reg_len);
++ qm->debug.acc_diff_regs = NULL;
+ dfx_regs_uninit(qm, qm->debug.qm_diff_regs, ARRAY_SIZE(qm_diff_regs));
++ qm->debug.qm_diff_regs = NULL;
+ }
+
+ /**
+--
+2.43.0
+
--- /dev/null
+From 837e0d5987e3dd13e0cd19b7bfdd47e5e58243fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Apr 2024 09:19:22 +0800
+Subject: crypto: hisilicon/sec2 - fix for register offset
+
+From: Wenkai Lin <linwenkai6@hisilicon.com>
+
+[ Upstream commit 6117af86365916e4202b5a709c155f7e6e5df810 ]
+
+The offset of SEC_CORE_ENABLE_BITMAP should be 0 instead of 32,
+it cause a kasan shift-out-bounds warning, fix it.
+
+Signed-off-by: Wenkai Lin <linwenkai6@hisilicon.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/hisilicon/sec2/sec_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/hisilicon/sec2/sec_main.c b/drivers/crypto/hisilicon/sec2/sec_main.c
+index c290d8937b19c..fabea0d650297 100644
+--- a/drivers/crypto/hisilicon/sec2/sec_main.c
++++ b/drivers/crypto/hisilicon/sec2/sec_main.c
+@@ -152,7 +152,7 @@ static const struct hisi_qm_cap_info sec_basic_info[] = {
+ {SEC_CORE_TYPE_NUM_CAP, 0x313c, 16, GENMASK(3, 0), 0x1, 0x1, 0x1},
+ {SEC_CORE_NUM_CAP, 0x313c, 8, GENMASK(7, 0), 0x4, 0x4, 0x4},
+ {SEC_CORES_PER_CLUSTER_NUM_CAP, 0x313c, 0, GENMASK(7, 0), 0x4, 0x4, 0x4},
+- {SEC_CORE_ENABLE_BITMAP, 0x3140, 32, GENMASK(31, 0), 0x17F, 0x17F, 0xF},
++ {SEC_CORE_ENABLE_BITMAP, 0x3140, 0, GENMASK(31, 0), 0x17F, 0x17F, 0xF},
+ {SEC_DRV_ALG_BITMAP_LOW, 0x3144, 0, GENMASK(31, 0), 0x18050CB, 0x18050CB, 0x18670CF},
+ {SEC_DRV_ALG_BITMAP_HIGH, 0x3148, 0, GENMASK(31, 0), 0x395C, 0x395C, 0x395C},
+ {SEC_DEV_ALG_BITMAP_LOW, 0x314c, 0, GENMASK(31, 0), 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF},
+--
+2.43.0
+
--- /dev/null
+From 362772c5975df01a764f570a48efd653be85b41a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Apr 2024 12:27:34 -0400
+Subject: drm/amd/display: Add NULL pointer check for kzalloc
+
+From: Hersen Wu <hersenxs.wu@amd.com>
+
+[ Upstream commit 8e65a1b7118acf6af96449e1e66b7adbc9396912 ]
+
+[Why & How]
+Check return pointer of kzalloc before using it.
+
+Reviewed-by: Alex Hung <alex.hung@amd.com>
+Acked-by: Wayne Lin <wayne.lin@amd.com>
+Signed-off-by: Hersen Wu <hersenxs.wu@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/amd/display/dc/clk_mgr/dcn30/dcn30_clk_mgr.c | 8 ++++++++
+ .../gpu/drm/amd/display/dc/clk_mgr/dcn32/dcn32_clk_mgr.c | 8 ++++++++
+ .../drm/amd/display/dc/resource/dcn30/dcn30_resource.c | 3 +++
+ .../drm/amd/display/dc/resource/dcn31/dcn31_resource.c | 5 +++++
+ .../drm/amd/display/dc/resource/dcn314/dcn314_resource.c | 5 +++++
+ .../drm/amd/display/dc/resource/dcn315/dcn315_resource.c | 2 ++
+ .../drm/amd/display/dc/resource/dcn316/dcn316_resource.c | 2 ++
+ .../drm/amd/display/dc/resource/dcn32/dcn32_resource.c | 5 +++++
+ .../drm/amd/display/dc/resource/dcn321/dcn321_resource.c | 2 ++
+ .../drm/amd/display/dc/resource/dcn35/dcn35_resource.c | 2 ++
+ .../drm/amd/display/dc/resource/dcn351/dcn351_resource.c | 2 ++
+ 11 files changed, 44 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn30/dcn30_clk_mgr.c b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn30/dcn30_clk_mgr.c
+index 3271c8c7905dd..4e036356b6a89 100644
+--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn30/dcn30_clk_mgr.c
++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn30/dcn30_clk_mgr.c
+@@ -560,11 +560,19 @@ void dcn3_clk_mgr_construct(
+ dce_clock_read_ss_info(clk_mgr);
+
+ clk_mgr->base.bw_params = kzalloc(sizeof(*clk_mgr->base.bw_params), GFP_KERNEL);
++ if (!clk_mgr->base.bw_params) {
++ BREAK_TO_DEBUGGER();
++ return;
++ }
+
+ /* need physical address of table to give to PMFW */
+ clk_mgr->wm_range_table = dm_helpers_allocate_gpu_mem(clk_mgr->base.ctx,
+ DC_MEM_ALLOC_TYPE_GART, sizeof(WatermarksExternal_t),
+ &clk_mgr->wm_range_table_addr);
++ if (!clk_mgr->wm_range_table) {
++ BREAK_TO_DEBUGGER();
++ return;
++ }
+ }
+
+ void dcn3_clk_mgr_destroy(struct clk_mgr_internal *clk_mgr)
+diff --git a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn32/dcn32_clk_mgr.c b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn32/dcn32_clk_mgr.c
+index e506e4f969ca9..dda1173be35ea 100644
+--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn32/dcn32_clk_mgr.c
++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn32/dcn32_clk_mgr.c
+@@ -1208,11 +1208,19 @@ void dcn32_clk_mgr_construct(
+ clk_mgr->smu_present = false;
+
+ clk_mgr->base.bw_params = kzalloc(sizeof(*clk_mgr->base.bw_params), GFP_KERNEL);
++ if (!clk_mgr->base.bw_params) {
++ BREAK_TO_DEBUGGER();
++ return;
++ }
+
+ /* need physical address of table to give to PMFW */
+ clk_mgr->wm_range_table = dm_helpers_allocate_gpu_mem(clk_mgr->base.ctx,
+ DC_MEM_ALLOC_TYPE_GART, sizeof(WatermarksExternal_t),
+ &clk_mgr->wm_range_table_addr);
++ if (!clk_mgr->wm_range_table) {
++ BREAK_TO_DEBUGGER();
++ return;
++ }
+ }
+
+ void dcn32_clk_mgr_destroy(struct clk_mgr_internal *clk_mgr)
+diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn30/dcn30_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn30/dcn30_resource.c
+index ecc477ef8e3b7..b427a98066c11 100644
+--- a/drivers/gpu/drm/amd/display/dc/resource/dcn30/dcn30_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/resource/dcn30/dcn30_resource.c
+@@ -2050,6 +2050,9 @@ bool dcn30_validate_bandwidth(struct dc *dc,
+
+ BW_VAL_TRACE_COUNT();
+
++ if (!pipes)
++ goto validate_fail;
++
+ DC_FP_START();
+ out = dcn30_internal_validate_bw(dc, context, pipes, &pipe_cnt, &vlevel, fast_validate, true);
+ DC_FP_END();
+diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn31/dcn31_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn31/dcn31_resource.c
+index 2fb1d00ff9654..f38de5391176f 100644
+--- a/drivers/gpu/drm/amd/display/dc/resource/dcn31/dcn31_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/resource/dcn31/dcn31_resource.c
+@@ -1311,6 +1311,8 @@ static struct hpo_dp_link_encoder *dcn31_hpo_dp_link_encoder_create(
+
+ /* allocate HPO link encoder */
+ hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL);
++ if (!hpo_dp_enc31)
++ return NULL; /* out of memory */
+
+ hpo_dp_link_encoder31_construct(hpo_dp_enc31, ctx, inst,
+ &hpo_dp_link_enc_regs[inst],
+@@ -1767,6 +1769,9 @@ bool dcn31_validate_bandwidth(struct dc *dc,
+
+ BW_VAL_TRACE_COUNT();
+
++ if (!pipes)
++ goto validate_fail;
++
+ DC_FP_START();
+ out = dcn30_internal_validate_bw(dc, context, pipes, &pipe_cnt, &vlevel, fast_validate, true);
+ DC_FP_END();
+diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn314/dcn314_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn314/dcn314_resource.c
+index c97391edb5ff7..2791fc45bb8c7 100644
+--- a/drivers/gpu/drm/amd/display/dc/resource/dcn314/dcn314_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/resource/dcn314/dcn314_resource.c
+@@ -1384,6 +1384,8 @@ static struct hpo_dp_link_encoder *dcn31_hpo_dp_link_encoder_create(
+
+ /* allocate HPO link encoder */
+ hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL);
++ if (!hpo_dp_enc31)
++ return NULL; /* out of memory */
+
+ hpo_dp_link_encoder31_construct(hpo_dp_enc31, ctx, inst,
+ &hpo_dp_link_enc_regs[inst],
+@@ -1744,6 +1746,9 @@ bool dcn314_validate_bandwidth(struct dc *dc,
+
+ BW_VAL_TRACE_COUNT();
+
++ if (!pipes)
++ goto validate_fail;
++
+ if (filter_modes_for_single_channel_workaround(dc, context))
+ goto validate_fail;
+
+diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn315/dcn315_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn315/dcn315_resource.c
+index 515ba435f759c..4ce0f4bf1d9bb 100644
+--- a/drivers/gpu/drm/amd/display/dc/resource/dcn315/dcn315_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/resource/dcn315/dcn315_resource.c
+@@ -1309,6 +1309,8 @@ static struct hpo_dp_link_encoder *dcn31_hpo_dp_link_encoder_create(
+
+ /* allocate HPO link encoder */
+ hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL);
++ if (!hpo_dp_enc31)
++ return NULL; /* out of memory */
+
+ hpo_dp_link_encoder31_construct(hpo_dp_enc31, ctx, inst,
+ &hpo_dp_link_enc_regs[inst],
+diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn316/dcn316_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn316/dcn316_resource.c
+index b9753d4606f89..efa5627b0c50a 100644
+--- a/drivers/gpu/drm/amd/display/dc/resource/dcn316/dcn316_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/resource/dcn316/dcn316_resource.c
+@@ -1306,6 +1306,8 @@ static struct hpo_dp_link_encoder *dcn31_hpo_dp_link_encoder_create(
+
+ /* allocate HPO link encoder */
+ hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL);
++ if (!hpo_dp_enc31)
++ return NULL; /* out of memory */
+
+ hpo_dp_link_encoder31_construct(hpo_dp_enc31, ctx, inst,
+ &hpo_dp_link_enc_regs[inst],
+diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c
+index ce1754cc1f463..1f5a91b764828 100644
+--- a/drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c
+@@ -1304,6 +1304,8 @@ static struct hpo_dp_link_encoder *dcn32_hpo_dp_link_encoder_create(
+
+ /* allocate HPO link encoder */
+ hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL);
++ if (!hpo_dp_enc31)
++ return NULL; /* out of memory */
+
+ #undef REG_STRUCT
+ #define REG_STRUCT hpo_dp_link_enc_regs
+@@ -1751,6 +1753,9 @@ static bool dml1_validate(struct dc *dc, struct dc_state *context, bool fast_val
+
+ BW_VAL_TRACE_COUNT();
+
++ if (!pipes)
++ goto validate_fail;
++
+ DC_FP_START();
+ out = dcn32_internal_validate_bw(dc, context, pipes, &pipe_cnt, &vlevel, fast_validate);
+ DC_FP_END();
+diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn321/dcn321_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn321/dcn321_resource.c
+index 296a0a8e71459..e83d340ed6260 100644
+--- a/drivers/gpu/drm/amd/display/dc/resource/dcn321/dcn321_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/resource/dcn321/dcn321_resource.c
+@@ -1288,6 +1288,8 @@ static struct hpo_dp_link_encoder *dcn321_hpo_dp_link_encoder_create(
+
+ /* allocate HPO link encoder */
+ hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL);
++ if (!hpo_dp_enc31)
++ return NULL; /* out of memory */
+
+ #undef REG_STRUCT
+ #define REG_STRUCT hpo_dp_link_enc_regs
+diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn35/dcn35_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn35/dcn35_resource.c
+index 5d52853cac96a..cf0cb5cf4b5b2 100644
+--- a/drivers/gpu/drm/amd/display/dc/resource/dcn35/dcn35_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/resource/dcn35/dcn35_resource.c
+@@ -1368,6 +1368,8 @@ static struct hpo_dp_link_encoder *dcn31_hpo_dp_link_encoder_create(
+
+ /* allocate HPO link encoder */
+ hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL);
++ if (!hpo_dp_enc31)
++ return NULL; /* out of memory */
+
+ #undef REG_STRUCT
+ #define REG_STRUCT hpo_dp_link_enc_regs
+diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c
+index 909e14261f9b4..116b59123199f 100644
+--- a/drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/resource/dcn351/dcn351_resource.c
+@@ -1348,6 +1348,8 @@ static struct hpo_dp_link_encoder *dcn31_hpo_dp_link_encoder_create(
+
+ /* allocate HPO link encoder */
+ hpo_dp_enc31 = kzalloc(sizeof(struct dcn31_hpo_dp_link_encoder), GFP_KERNEL);
++ if (!hpo_dp_enc31)
++ return NULL; /* out of memory */
+
+ #undef REG_STRUCT
+ #define REG_STRUCT hpo_dp_link_enc_regs
+--
+2.43.0
+
--- /dev/null
+From 7af4784170d8e9653c1a74da4cd6bf6a4859fd37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Apr 2024 12:02:17 -0600
+Subject: drm/amd/display: ASSERT when failing to find index by plane/stream id
+
+From: Alex Hung <alex.hung@amd.com>
+
+[ Upstream commit 01eb50e53c1ce505bf449348d433181310288765 ]
+
+[WHY]
+find_disp_cfg_idx_by_plane_id and find_disp_cfg_idx_by_stream_id returns
+an array index and they return -1 when not found; however, -1 is not a
+valid index number.
+
+[HOW]
+When this happens, call ASSERT(), and return a positive number (which is
+fewer than callers' array size) instead.
+
+This fixes 4 OVERRUN and 2 NEGATIVE_RETURNS issues reported by Coverity.
+
+Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
+Acked-by: Wayne Lin <wayne.lin@amd.com>
+Signed-off-by: Alex Hung <alex.hung@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dml2/dml2_dc_resource_mgmt.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dml2/dml2_dc_resource_mgmt.c b/drivers/gpu/drm/amd/display/dc/dml2/dml2_dc_resource_mgmt.c
+index a52c594e1ba4b..e1f1b5dd13203 100644
+--- a/drivers/gpu/drm/amd/display/dc/dml2/dml2_dc_resource_mgmt.c
++++ b/drivers/gpu/drm/amd/display/dc/dml2/dml2_dc_resource_mgmt.c
+@@ -88,7 +88,8 @@ static int find_disp_cfg_idx_by_plane_id(struct dml2_dml_to_dc_pipe_mapping *map
+ return i;
+ }
+
+- return -1;
++ ASSERT(false);
++ return __DML2_WRAPPER_MAX_STREAMS_PLANES__;
+ }
+
+ static int find_disp_cfg_idx_by_stream_id(struct dml2_dml_to_dc_pipe_mapping *mapping, unsigned int stream_id)
+@@ -100,7 +101,8 @@ static int find_disp_cfg_idx_by_stream_id(struct dml2_dml_to_dc_pipe_mapping *ma
+ return i;
+ }
+
+- return -1;
++ ASSERT(false);
++ return __DML2_WRAPPER_MAX_STREAMS_PLANES__;
+ }
+
+ // The master pipe of a stream is defined as the top pipe in odm slice 0
+--
+2.43.0
+
--- /dev/null
+From 0fb3c7af48a7d8d384550f14d52afe4a4413335a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Apr 2024 13:27:43 -0600
+Subject: drm/amd/display: Check index msg_id before read or write
+
+From: Alex Hung <alex.hung@amd.com>
+
+[ Upstream commit 59d99deb330af206a4541db0c4da8f73880fba03 ]
+
+[WHAT]
+msg_id is used as an array index and it cannot be a negative value, and
+therefore cannot be equal to MOD_HDCP_MESSAGE_ID_INVALID (-1).
+
+[HOW]
+Check whether msg_id is valid before reading and setting.
+
+This fixes 4 OVERRUN issues reported by Coverity.
+
+Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
+Acked-by: Wayne Lin <wayne.lin@amd.com>
+Signed-off-by: Alex Hung <alex.hung@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c
+index f7b5583ee609a..8e9caae7c9559 100644
+--- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c
++++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c
+@@ -156,6 +156,10 @@ static enum mod_hdcp_status read(struct mod_hdcp *hdcp,
+ uint32_t cur_size = 0;
+ uint32_t data_offset = 0;
+
++ if (msg_id == MOD_HDCP_MESSAGE_ID_INVALID) {
++ return MOD_HDCP_STATUS_DDC_FAILURE;
++ }
++
+ if (is_dp_hdcp(hdcp)) {
+ while (buf_len > 0) {
+ cur_size = MIN(buf_len, HDCP_MAX_AUX_TRANSACTION_SIZE);
+@@ -215,6 +219,10 @@ static enum mod_hdcp_status write(struct mod_hdcp *hdcp,
+ uint32_t cur_size = 0;
+ uint32_t data_offset = 0;
+
++ if (msg_id == MOD_HDCP_MESSAGE_ID_INVALID) {
++ return MOD_HDCP_STATUS_DDC_FAILURE;
++ }
++
+ if (is_dp_hdcp(hdcp)) {
+ while (buf_len > 0) {
+ cur_size = MIN(buf_len, HDCP_MAX_AUX_TRANSACTION_SIZE);
+--
+2.43.0
+
--- /dev/null
+From 2f6d179fcebdaf5bdf924d2d18daa86226fbd73e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Apr 2024 18:07:17 -0600
+Subject: drm/amd/display: Check pipe offset before setting vblank
+
+From: Alex Hung <alex.hung@amd.com>
+
+[ Upstream commit 5396a70e8cf462ec5ccf2dc8de103c79de9489e6 ]
+
+pipe_ctx has a size of MAX_PIPES so checking its index before accessing
+the array.
+
+This fixes an OVERRUN issue reported by Coverity.
+
+Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
+Acked-by: Wayne Lin <wayne.lin@amd.com>
+Signed-off-by: Alex Hung <alex.hung@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../drm/amd/display/dc/irq/dce110/irq_service_dce110.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/irq/dce110/irq_service_dce110.c b/drivers/gpu/drm/amd/display/dc/irq/dce110/irq_service_dce110.c
+index 1c0d89e675da5..bb576a9c5fdbd 100644
+--- a/drivers/gpu/drm/amd/display/dc/irq/dce110/irq_service_dce110.c
++++ b/drivers/gpu/drm/amd/display/dc/irq/dce110/irq_service_dce110.c
+@@ -211,8 +211,12 @@ bool dce110_vblank_set(struct irq_service *irq_service,
+ info->ext_id);
+ uint8_t pipe_offset = dal_irq_src - IRQ_TYPE_VBLANK;
+
+- struct timing_generator *tg =
+- dc->current_state->res_ctx.pipe_ctx[pipe_offset].stream_res.tg;
++ struct timing_generator *tg;
++
++ if (pipe_offset >= MAX_PIPES)
++ return false;
++
++ tg = dc->current_state->res_ctx.pipe_ctx[pipe_offset].stream_res.tg;
+
+ if (enable) {
+ if (!tg || !tg->funcs->arm_vert_intr(tg, 2)) {
+--
+2.43.0
+
--- /dev/null
+From 15aff16daf6a9576f274a388334cc0452452659c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Apr 2024 13:43:14 -0600
+Subject: drm/amd/display: Do not return negative stream id for array
+
+From: Alex Hung <alex.hung@amd.com>
+
+[ Upstream commit 3ac31c9a707dd1c7c890b95333182f955e9dcb57 ]
+
+[WHY]
+resource_stream_to_stream_idx returns an array index and it return -1
+when not found; however, -1 is not a valid array index number.
+
+[HOW]
+When this happens, call ASSERT(), and return a zero instead.
+
+This fixes an OVERRUN and an NEGATIVE_RETURNS issues reported by Coverity.
+
+Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
+Acked-by: Wayne Lin <wayne.lin@amd.com>
+Signed-off-by: Alex Hung <alex.hung@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
+index d0bdfdf270ac9..ab598e1f088cf 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
+@@ -2216,6 +2216,13 @@ static int resource_stream_to_stream_idx(struct dc_state *state,
+ stream_idx = i;
+ break;
+ }
++
++ /* never return negative array index */
++ if (stream_idx == -1) {
++ ASSERT(0);
++ return 0;
++ }
++
+ return stream_idx;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 87b93fc12d69aaf0938e3a63ccf9c839bcd55057 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Apr 2024 10:57:37 -0400
+Subject: drm/amd/display: Fix overlapping copy within
+ dml_core_mode_programming
+
+From: Hersen Wu <hersenxs.wu@amd.com>
+
+[ Upstream commit f1fd8a0a54e6d23a6d16ee29159f247862460fd1 ]
+
+[WHY]
+&mode_lib->mp.Watermark and &locals->Watermark are
+the same address. memcpy may lead to unexpected behavior.
+
+[HOW]
+memmove should be used.
+
+Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
+Acked-by: Wayne Lin <wayne.lin@amd.com>
+Reviewed-by: Alex Hung <alex.hung@amd.com>
+Signed-off-by: Hersen Wu <hersenxs.wu@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dml2/display_mode_core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dml2/display_mode_core.c b/drivers/gpu/drm/amd/display/dc/dml2/display_mode_core.c
+index 9be5ebf3a8c0b..79cd4c4790439 100644
+--- a/drivers/gpu/drm/amd/display/dc/dml2/display_mode_core.c
++++ b/drivers/gpu/drm/amd/display/dc/dml2/display_mode_core.c
+@@ -9460,8 +9460,10 @@ void dml_core_mode_programming(struct display_mode_lib_st *mode_lib, const struc
+
+ /* Copy the calculated watermarks to mp.Watermark as the getter functions are
+ * implemented by the DML team to copy the calculated values from the mp.Watermark interface.
++ * &mode_lib->mp.Watermark and &locals->Watermark are the same address, memcpy may lead to
++ * unexpected behavior. memmove should be used.
+ */
+- memcpy(&mode_lib->mp.Watermark, CalculateWatermarks_params->Watermark, sizeof(struct Watermarks));
++ memmove(&mode_lib->mp.Watermark, CalculateWatermarks_params->Watermark, sizeof(struct Watermarks));
+
+ for (k = 0; k < mode_lib->ms.num_active_planes; ++k) {
+ if (mode_lib->ms.cache_display_cfg.writeback.WritebackEnable[k] == true) {
+--
+2.43.0
+
--- /dev/null
+From 8b3fa3dfbb02f457422c5a50e7af88b37af04a06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Apr 2024 19:02:56 -0600
+Subject: drm/amd/display: Fix uninitialized variables in DM
+
+From: Alex Hung <alex.hung@amd.com>
+
+[ Upstream commit f95bcb041f213a5da3da5fcaf73269bd13dba945 ]
+
+This fixes 11 UNINIT issues reported by Coverity.
+
+Reviewed-by: Hersen Wu <hersenxs.wu@amd.com>
+Acked-by: Wayne Lin <wayne.lin@amd.com>
+Signed-off-by: Alex Hung <alex.hung@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 8 ++++----
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 4 ++--
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+index f866a02f4f489..2152e40ee1c27 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -274,7 +274,7 @@ static u32 dm_vblank_get_counter(struct amdgpu_device *adev, int crtc)
+ static int dm_crtc_get_scanoutpos(struct amdgpu_device *adev, int crtc,
+ u32 *vbl, u32 *position)
+ {
+- u32 v_blank_start, v_blank_end, h_position, v_position;
++ u32 v_blank_start = 0, v_blank_end = 0, h_position = 0, v_position = 0;
+ struct amdgpu_crtc *acrtc = NULL;
+ struct dc *dc = adev->dm.dc;
+
+@@ -848,7 +848,7 @@ static void dm_handle_hpd_work(struct work_struct *work)
+ */
+ static void dm_dmub_outbox1_low_irq(void *interrupt_params)
+ {
+- struct dmub_notification notify;
++ struct dmub_notification notify = {0};
+ struct common_irq_params *irq_params = interrupt_params;
+ struct amdgpu_device *adev = irq_params->adev;
+ struct amdgpu_display_manager *dm = &adev->dm;
+@@ -7192,7 +7192,7 @@ static int dm_update_mst_vcpi_slots_for_dsc(struct drm_atomic_state *state,
+ struct amdgpu_dm_connector *aconnector;
+ struct dm_connector_state *dm_conn_state;
+ int i, j, ret;
+- int vcpi, pbn_div, pbn, slot_num = 0;
++ int vcpi, pbn_div, pbn = 0, slot_num = 0;
+
+ for_each_new_connector_in_state(state, connector, new_con_state, i) {
+
+@@ -10595,7 +10595,7 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev,
+ struct dm_crtc_state *dm_old_crtc_state, *dm_new_crtc_state;
+ struct drm_dp_mst_topology_mgr *mgr;
+ struct drm_dp_mst_topology_state *mst_state;
+- struct dsc_mst_fairness_vars vars[MAX_PIPES];
++ struct dsc_mst_fairness_vars vars[MAX_PIPES] = {0};
+
+ trace_amdgpu_dm_atomic_check_begin(state);
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+index c7715a17f388b..4d7a5d470b1ea 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+@@ -1249,7 +1249,7 @@ static ssize_t dp_sdp_message_debugfs_write(struct file *f, const char __user *b
+ size_t size, loff_t *pos)
+ {
+ int r;
+- uint8_t data[36];
++ uint8_t data[36] = {0};
+ struct amdgpu_dm_connector *connector = file_inode(f)->i_private;
+ struct dm_crtc_state *acrtc_state;
+ uint32_t write_size = 36;
+@@ -2960,7 +2960,7 @@ static int psr_read_residency(void *data, u64 *val)
+ {
+ struct amdgpu_dm_connector *connector = data;
+ struct dc_link *link = connector->dc_link;
+- u32 residency;
++ u32 residency = 0;
+
+ link->dc->link_srv->edp_get_psr_residency(link, &residency);
+
+--
+2.43.0
+
--- /dev/null
+From a371f506d3c6a95a0b7be24d97b4271f14491896 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Apr 2024 13:52:27 -0600
+Subject: drm/amd/display: Skip finding free audio for unknown engine_id
+
+From: Alex Hung <alex.hung@amd.com>
+
+[ Upstream commit 1357b2165d9ad94faa4c4a20d5e2ce29c2ff29c3 ]
+
+[WHY]
+ENGINE_ID_UNKNOWN = -1 and can not be used as an array index. Plus, it
+also means it is uninitialized and does not need free audio.
+
+[HOW]
+Skip and return NULL.
+
+This fixes 2 OVERRUN issues reported by Coverity.
+
+Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
+Acked-by: Wayne Lin <wayne.lin@amd.com>
+Signed-off-by: Alex Hung <alex.hung@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
+index ec4bf9432bdb1..37a8e530cc951 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
+@@ -3117,6 +3117,9 @@ static struct audio *find_first_free_audio(
+ {
+ int i, available_audio_count;
+
++ if (id == ENGINE_ID_UNKNOWN)
++ return NULL;
++
+ available_audio_count = pool->audio_count;
+
+ for (i = 0; i < available_audio_count; i++) {
+--
+2.43.0
+
--- /dev/null
+From 4ccfc41708b9b944f5a44167a0c37304c1bba388 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Mar 2024 10:06:51 -0400
+Subject: drm/amd/display: update pipe topology log to support subvp
+
+From: Wenjing Liu <wenjing.liu@amd.com>
+
+[ Upstream commit 5db346c256bbacc634ff515a1a9202cd4b61d8c7 ]
+
+[why]
+There is an ambiguity in subvp pipe topology log. The log doesn't show
+subvp relation to main stream and it is not clear that certain stream
+is an internal stream for subvp pipes.
+
+[how]
+Separate subvp pipe topology logging from main pipe topology. Log main
+stream indices instead of the internal stream for subvp pipes.
+The following is a sample log showing 2 streams with subvp enabled on
+both:
+
+ pipe topology update
+ ________________________
+| plane0 slice0 stream0|
+|DPP1----OPP1----OTG1----|
+| plane0 slice0 stream1|
+|DPP0----OPP0----OTG0----|
+| (phantom pipes) |
+| plane0 slice0 stream0|
+|DPP3----OPP3----OTG3----|
+| plane0 slice0 stream1|
+|DPP2----OPP2----OTG2----|
+|________________________|
+
+Reviewed-by: Alvin Lee <alvin.lee2@amd.com>
+Acked-by: Roman Li <roman.li@amd.com>
+Signed-off-by: Wenjing Liu <wenjing.liu@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Stable-dep-of: 3ac31c9a707d ("drm/amd/display: Do not return negative stream id for array")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/amd/display/dc/core/dc_resource.c | 96 +++++++++++++------
+ 1 file changed, 65 insertions(+), 31 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
+index 37a8e530cc951..d0bdfdf270ac9 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
+@@ -2168,50 +2168,84 @@ static void resource_log_pipe(struct dc *dc, struct pipe_ctx *pipe,
+ }
+ }
+
+-void resource_log_pipe_topology_update(struct dc *dc, struct dc_state *state)
++static void resource_log_pipe_for_stream(struct dc *dc, struct dc_state *state,
++ struct pipe_ctx *otg_master, int stream_idx)
+ {
+- struct pipe_ctx *otg_master;
+ struct pipe_ctx *opp_heads[MAX_PIPES];
+ struct pipe_ctx *dpp_pipes[MAX_PIPES];
+
+- int stream_idx, slice_idx, dpp_idx, plane_idx, slice_count, dpp_count;
++ int slice_idx, dpp_idx, plane_idx, slice_count, dpp_count;
+ bool is_primary;
+ DC_LOGGER_INIT(dc->ctx->logger);
+
++ slice_count = resource_get_opp_heads_for_otg_master(otg_master,
++ &state->res_ctx, opp_heads);
++ for (slice_idx = 0; slice_idx < slice_count; slice_idx++) {
++ plane_idx = -1;
++ if (opp_heads[slice_idx]->plane_state) {
++ dpp_count = resource_get_dpp_pipes_for_opp_head(
++ opp_heads[slice_idx],
++ &state->res_ctx,
++ dpp_pipes);
++ for (dpp_idx = 0; dpp_idx < dpp_count; dpp_idx++) {
++ is_primary = !dpp_pipes[dpp_idx]->top_pipe ||
++ dpp_pipes[dpp_idx]->top_pipe->plane_state != dpp_pipes[dpp_idx]->plane_state;
++ if (is_primary)
++ plane_idx++;
++ resource_log_pipe(dc, dpp_pipes[dpp_idx],
++ stream_idx, slice_idx,
++ plane_idx, slice_count,
++ is_primary);
++ }
++ } else {
++ resource_log_pipe(dc, opp_heads[slice_idx],
++ stream_idx, slice_idx, plane_idx,
++ slice_count, true);
++ }
++
++ }
++}
++
++static int resource_stream_to_stream_idx(struct dc_state *state,
++ struct dc_stream_state *stream)
++{
++ int i, stream_idx = -1;
++
++ for (i = 0; i < state->stream_count; i++)
++ if (state->streams[i] == stream) {
++ stream_idx = i;
++ break;
++ }
++ return stream_idx;
++}
++
++void resource_log_pipe_topology_update(struct dc *dc, struct dc_state *state)
++{
++ struct pipe_ctx *otg_master;
++ int stream_idx, phantom_stream_idx;
++ DC_LOGGER_INIT(dc->ctx->logger);
++
+ DC_LOG_DC(" pipe topology update");
+ DC_LOG_DC(" ________________________");
+ for (stream_idx = 0; stream_idx < state->stream_count; stream_idx++) {
++ if (state->streams[stream_idx]->is_phantom)
++ continue;
++
+ otg_master = resource_get_otg_master_for_stream(
+ &state->res_ctx, state->streams[stream_idx]);
+- if (!otg_master || otg_master->stream_res.tg == NULL) {
+- DC_LOG_DC("topology update: otg_master NULL stream_idx %d!\n", stream_idx);
+- return;
+- }
+- slice_count = resource_get_opp_heads_for_otg_master(otg_master,
+- &state->res_ctx, opp_heads);
+- for (slice_idx = 0; slice_idx < slice_count; slice_idx++) {
+- plane_idx = -1;
+- if (opp_heads[slice_idx]->plane_state) {
+- dpp_count = resource_get_dpp_pipes_for_opp_head(
+- opp_heads[slice_idx],
+- &state->res_ctx,
+- dpp_pipes);
+- for (dpp_idx = 0; dpp_idx < dpp_count; dpp_idx++) {
+- is_primary = !dpp_pipes[dpp_idx]->top_pipe ||
+- dpp_pipes[dpp_idx]->top_pipe->plane_state != dpp_pipes[dpp_idx]->plane_state;
+- if (is_primary)
+- plane_idx++;
+- resource_log_pipe(dc, dpp_pipes[dpp_idx],
+- stream_idx, slice_idx,
+- plane_idx, slice_count,
+- is_primary);
+- }
+- } else {
+- resource_log_pipe(dc, opp_heads[slice_idx],
+- stream_idx, slice_idx, plane_idx,
+- slice_count, true);
+- }
++ resource_log_pipe_for_stream(dc, state, otg_master, stream_idx);
++ }
++ if (state->phantom_stream_count > 0) {
++ DC_LOG_DC(" | (phantom pipes) |");
++ for (stream_idx = 0; stream_idx < state->stream_count; stream_idx++) {
++ if (state->stream_status[stream_idx].mall_stream_config.type != SUBVP_MAIN)
++ continue;
+
++ phantom_stream_idx = resource_stream_to_stream_idx(state,
++ state->stream_status[stream_idx].mall_stream_config.paired_stream);
++ otg_master = resource_get_otg_master_for_stream(
++ &state->res_ctx, state->streams[phantom_stream_idx]);
++ resource_log_pipe_for_stream(dc, state, otg_master, stream_idx);
+ }
+ }
+ DC_LOG_DC(" |________________________|\n");
+--
+2.43.0
+
--- /dev/null
+From 7f3c2f3871f844946d81e83c04d652ad8af0e400 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Apr 2024 13:32:39 +0800
+Subject: drm/amdgpu: fix double free err_addr pointer warnings
+
+From: Bob Zhou <bob.zhou@amd.com>
+
+[ Upstream commit 506c245f3f1cd989cb89811a7f06e04ff8813a0d ]
+
+In amdgpu_umc_bad_page_polling_timeout, the amdgpu_umc_handle_bad_pages
+will be run many times so that double free err_addr in some special case.
+So set the err_addr to NULL to avoid the warnings.
+
+Signed-off-by: Bob Zhou <bob.zhou@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_umc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_umc.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_umc.c
+index 20436f81856ad..6f7451e3ee87e 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_umc.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_umc.c
+@@ -170,6 +170,7 @@ static void amdgpu_umc_handle_bad_pages(struct amdgpu_device *adev,
+ }
+
+ kfree(err_data->err_addr);
++ err_data->err_addr = NULL;
+
+ mutex_unlock(&con->page_retirement_lock);
+ }
+--
+2.43.0
+
--- /dev/null
+From e9c2ceca20327ba3dc8fd4a40859ec064cbbc5cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Apr 2024 15:16:40 +0800
+Subject: drm/amdgpu: fix the warning about the expression (int)size - len
+
+From: Jesse Zhang <jesse.zhang@amd.com>
+
+[ Upstream commit ea686fef5489ef7a2450a9fdbcc732b837fb46a8 ]
+
+Converting size from size_t to int may overflow.
+v2: keep reverse xmas tree order (Christian)
+
+Signed-off-by: Jesse Zhang <jesse.zhang@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
+index f5d0fa207a88b..b62ae3c91a9db 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
+@@ -2065,12 +2065,13 @@ static ssize_t amdgpu_reset_dump_register_list_write(struct file *f,
+ struct amdgpu_device *adev = (struct amdgpu_device *)file_inode(f)->i_private;
+ char reg_offset[11];
+ uint32_t *new = NULL, *tmp = NULL;
+- int ret, i = 0, len = 0;
++ unsigned int len = 0;
++ int ret, i = 0;
+
+ do {
+ memset(reg_offset, 0, 11);
+ if (copy_from_user(reg_offset, buf + len,
+- min(10, ((int)size-len)))) {
++ min(10, (size-len)))) {
+ ret = -EFAULT;
+ goto error_free;
+ }
+--
+2.43.0
+
--- /dev/null
+From c4c7f700a5285dc8790f6b415e6922b3981f5b9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Apr 2024 14:06:28 +0800
+Subject: drm/amdgpu: fix uninitialized scalar variable warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tim Huang <Tim.Huang@amd.com>
+
+[ Upstream commit 9a5f15d2a29d06ce5bd50919da7221cda92afb69 ]
+
+Clear warning that uses uninitialized value fw_size.
+
+Signed-off-by: Tim Huang <Tim.Huang@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c
+index 55d5508987ffe..1d955652f3ba6 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c
+@@ -1206,7 +1206,8 @@ void amdgpu_gfx_cp_init_microcode(struct amdgpu_device *adev,
+ fw_size = le32_to_cpu(cp_hdr_v2_0->data_size_bytes);
+ break;
+ default:
+- break;
++ dev_err(adev->dev, "Invalid ucode id %u\n", ucode_id);
++ return;
+ }
+
+ if (adev->firmware.load_type == AMDGPU_FW_LOAD_PSP) {
+--
+2.43.0
+
--- /dev/null
+From 87f263f0d8fba5c5446acf3d7e7491e0754ae79c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Apr 2024 14:47:52 +0800
+Subject: drm/amdgpu: Fix uninitialized variable warnings
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ma Jun <Jun.Ma2@amd.com>
+
+[ Upstream commit 60c448439f3b5db9431e13f7f361b4074d0e8594 ]
+
+return 0 to avoid returning an uninitialized variable r
+
+Signed-off-by: Ma Jun <Jun.Ma2@amd.com>
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/aldebaran.c | 2 +-
+ drivers/gpu/drm/amd/amdgpu/sienna_cichlid.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/aldebaran.c b/drivers/gpu/drm/amd/amdgpu/aldebaran.c
+index 576067d66bb9a..d0a8da67dc2a1 100644
+--- a/drivers/gpu/drm/amd/amdgpu/aldebaran.c
++++ b/drivers/gpu/drm/amd/amdgpu/aldebaran.c
+@@ -97,7 +97,7 @@ static int aldebaran_mode2_suspend_ip(struct amdgpu_device *adev)
+ adev->ip_blocks[i].status.hw = false;
+ }
+
+- return r;
++ return 0;
+ }
+
+ static int
+diff --git a/drivers/gpu/drm/amd/amdgpu/sienna_cichlid.c b/drivers/gpu/drm/amd/amdgpu/sienna_cichlid.c
+index 93f6772d1b241..481217c32d853 100644
+--- a/drivers/gpu/drm/amd/amdgpu/sienna_cichlid.c
++++ b/drivers/gpu/drm/amd/amdgpu/sienna_cichlid.c
+@@ -92,7 +92,7 @@ static int sienna_cichlid_mode2_suspend_ip(struct amdgpu_device *adev)
+ adev->ip_blocks[i].status.hw = false;
+ }
+
+- return r;
++ return 0;
+ }
+
+ static int
+--
+2.43.0
+
--- /dev/null
+From 77ee54fd5060bb61d7a6e469fb075a1fa14d111d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Apr 2024 10:07:51 +0800
+Subject: drm/amdgpu: Initialize timestamp for some legacy SOCs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ma Jun <Jun.Ma2@amd.com>
+
+[ Upstream commit 2e55bcf3d742a4946d862b86e39e75a95cc6f1c0 ]
+
+Initialize the interrupt timestamp for some legacy SOCs
+to fix the coverity issue "Uninitialized scalar variable"
+
+Signed-off-by: Ma Jun <Jun.Ma2@amd.com>
+Suggested-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c
+index 7e6d09730e6d3..665c63f552787 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c
+@@ -445,6 +445,14 @@ void amdgpu_irq_dispatch(struct amdgpu_device *adev,
+
+ entry.ih = ih;
+ entry.iv_entry = (const uint32_t *)&ih->ring[ring_index];
++
++ /*
++ * timestamp is not supported on some legacy SOCs (cik, cz, iceland,
++ * si and tonga), so initialize timestamp and timestamp_src to 0
++ */
++ entry.timestamp = 0;
++ entry.timestamp_src = 0;
++
+ amdgpu_ih_decode_iv(adev, &entry);
+
+ trace_amdgpu_iv(ih - &adev->irq.ih, &entry);
+--
+2.43.0
+
--- /dev/null
+From b801d653104b59e34d3ed6547eec4142dc161bb0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Apr 2024 17:10:46 +0800
+Subject: drm/amdgpu: Using uninitialized value *size when calling
+ amdgpu_vce_cs_reloc
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jesse Zhang <jesse.zhang@amd.com>
+
+[ Upstream commit 88a9a467c548d0b3c7761b4fd54a68e70f9c0944 ]
+
+Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001.
+V2: To really improve the handling we would actually
+ need to have a separate value of 0xffffffff.(Christian)
+
+Signed-off-by: Jesse Zhang <jesse.zhang@amd.com>
+Suggested-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
+index 59acf424a078f..968ca2c84ef7e 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
+@@ -743,7 +743,8 @@ int amdgpu_vce_ring_parse_cs(struct amdgpu_cs_parser *p,
+ uint32_t created = 0;
+ uint32_t allocated = 0;
+ uint32_t tmp, handle = 0;
+- uint32_t *size = &tmp;
++ uint32_t dummy = 0xffffffff;
++ uint32_t *size = &dummy;
+ unsigned int idx;
+ int i, r = 0;
+
+--
+2.43.0
+
--- /dev/null
+From 57b952fa323b63b42116a5e994c9704a99f17a63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Apr 2024 00:43:28 +0200
+Subject: drm/lima: fix shared irq handling on driver remove
+
+From: Erico Nunes <nunes.erico@gmail.com>
+
+[ Upstream commit a6683c690bbfd1f371510cb051e8fa49507f3f5e ]
+
+lima uses a shared interrupt, so the interrupt handlers must be prepared
+to be called at any time. At driver removal time, the clocks are
+disabled early and the interrupts stay registered until the very end of
+the remove process due to the devm usage.
+This is potentially a bug as the interrupts access device registers
+which assumes clocks are enabled. A crash can be triggered by removing
+the driver in a kernel with CONFIG_DEBUG_SHIRQ enabled.
+This patch frees the interrupts at each lima device finishing callback
+so that the handlers are already unregistered by the time we fully
+disable clocks.
+
+Signed-off-by: Erico Nunes <nunes.erico@gmail.com>
+Signed-off-by: Qiang Yu <yuq825@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240401224329.1228468-2-nunes.erico@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/lima/lima_gp.c | 2 ++
+ drivers/gpu/drm/lima/lima_mmu.c | 5 +++++
+ drivers/gpu/drm/lima/lima_pp.c | 4 ++++
+ 3 files changed, 11 insertions(+)
+
+diff --git a/drivers/gpu/drm/lima/lima_gp.c b/drivers/gpu/drm/lima/lima_gp.c
+index e15295071533b..3282997a0358d 100644
+--- a/drivers/gpu/drm/lima/lima_gp.c
++++ b/drivers/gpu/drm/lima/lima_gp.c
+@@ -345,7 +345,9 @@ int lima_gp_init(struct lima_ip *ip)
+
+ void lima_gp_fini(struct lima_ip *ip)
+ {
++ struct lima_device *dev = ip->dev;
+
++ devm_free_irq(dev->dev, ip->irq, ip);
+ }
+
+ int lima_gp_pipe_init(struct lima_device *dev)
+diff --git a/drivers/gpu/drm/lima/lima_mmu.c b/drivers/gpu/drm/lima/lima_mmu.c
+index e18317c5ca8c1..6611e2836bf0d 100644
+--- a/drivers/gpu/drm/lima/lima_mmu.c
++++ b/drivers/gpu/drm/lima/lima_mmu.c
+@@ -118,7 +118,12 @@ int lima_mmu_init(struct lima_ip *ip)
+
+ void lima_mmu_fini(struct lima_ip *ip)
+ {
++ struct lima_device *dev = ip->dev;
++
++ if (ip->id == lima_ip_ppmmu_bcast)
++ return;
+
++ devm_free_irq(dev->dev, ip->irq, ip);
+ }
+
+ void lima_mmu_flush_tlb(struct lima_ip *ip)
+diff --git a/drivers/gpu/drm/lima/lima_pp.c b/drivers/gpu/drm/lima/lima_pp.c
+index a4a2ffe6527c2..eaab4788dff49 100644
+--- a/drivers/gpu/drm/lima/lima_pp.c
++++ b/drivers/gpu/drm/lima/lima_pp.c
+@@ -286,7 +286,9 @@ int lima_pp_init(struct lima_ip *ip)
+
+ void lima_pp_fini(struct lima_ip *ip)
+ {
++ struct lima_device *dev = ip->dev;
+
++ devm_free_irq(dev->dev, ip->irq, ip);
+ }
+
+ int lima_pp_bcast_resume(struct lima_ip *ip)
+@@ -319,7 +321,9 @@ int lima_pp_bcast_init(struct lima_ip *ip)
+
+ void lima_pp_bcast_fini(struct lima_ip *ip)
+ {
++ struct lima_device *dev = ip->dev;
+
++ devm_free_irq(dev->dev, ip->irq, ip);
+ }
+
+ static int lima_pp_task_validate(struct lima_sched_pipe *pipe,
+--
+2.43.0
+
--- /dev/null
+From 9e8db88dae57d179bca6fe67a508efd170a79a15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Apr 2024 16:39:52 -0400
+Subject: drm/xe: Add outer runtime_pm protection to xe_live_ktest@xe_dma_buf
+
+From: Rodrigo Vivi <rodrigo.vivi@intel.com>
+
+[ Upstream commit f9116f658a6217b101e3b4e89f845775b6fb05d9 ]
+
+Any kunit doing any memory access should get their own runtime_pm
+outer references since they don't use the standard driver API
+entries. In special this dma_buf from the same driver.
+
+Found by pre-merge CI on adding WARN calls for unprotected
+inner callers:
+
+<6> [318.639739] # xe_dma_buf_kunit: running xe_test_dmabuf_import_same_driver
+<4> [318.639957] ------------[ cut here ]------------
+<4> [318.639967] xe 0000:4d:00.0: Missing outer runtime PM protection
+<4> [318.640049] WARNING: CPU: 117 PID: 3832 at drivers/gpu/drm/xe/xe_pm.c:533 xe_pm_runtime_get_noresume+0x48/0x60 [xe]
+
+Cc: Matthew Auld <matthew.auld@intel.com>
+Cc: Francois Dugast <francois.dugast@intel.com>
+Reviewed-by: Matthew Brost <matthew.brost@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240417203952.25503-10-rodrigo.vivi@intel.com
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/xe/tests/xe_dma_buf.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/xe/tests/xe_dma_buf.c b/drivers/gpu/drm/xe/tests/xe_dma_buf.c
+index 9f6d571d7fa9c..a3d2dd42adf96 100644
+--- a/drivers/gpu/drm/xe/tests/xe_dma_buf.c
++++ b/drivers/gpu/drm/xe/tests/xe_dma_buf.c
+@@ -12,6 +12,7 @@
+ #include "tests/xe_pci_test.h"
+
+ #include "xe_pci.h"
++#include "xe_pm.h"
+
+ static bool p2p_enabled(struct dma_buf_test_params *params)
+ {
+@@ -259,6 +260,7 @@ static int dma_buf_run_device(struct xe_device *xe)
+ const struct dma_buf_test_params *params;
+ struct kunit *test = xe_cur_kunit();
+
++ xe_pm_runtime_get(xe);
+ for (params = test_params; params->mem_mask; ++params) {
+ struct dma_buf_test_params p = *params;
+
+@@ -266,6 +268,7 @@ static int dma_buf_run_device(struct xe_device *xe)
+ test->priv = &p;
+ xe_test_dmabuf_import_same_driver(xe);
+ }
++ xe_pm_runtime_put(xe);
+
+ /* A non-zero return would halt iteration over driver devices */
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From a64c8e3e5e32644ac515235545e6021c3d226659 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 May 2024 11:38:47 +0800
+Subject: f2fs: check validation of fault attrs in f2fs_build_fault_attr()
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 4ed886b187f47447ad559619c48c086f432d2b77 ]
+
+- It missed to check validation of fault attrs in parse_options(),
+let's fix to add check condition in f2fs_build_fault_attr().
+- Use f2fs_build_fault_attr() in __sbi_store() to clean up code.
+
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/f2fs.h | 12 ++++++++----
+ fs/f2fs/super.c | 27 ++++++++++++++++++++-------
+ fs/f2fs/sysfs.c | 14 ++++++++++----
+ 3 files changed, 38 insertions(+), 15 deletions(-)
+
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
+index 07b3675ea1694..f5adb9942c4c4 100644
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -72,7 +72,7 @@ enum {
+
+ struct f2fs_fault_info {
+ atomic_t inject_ops;
+- unsigned int inject_rate;
++ int inject_rate;
+ unsigned int inject_type;
+ };
+
+@@ -4597,10 +4597,14 @@ static inline bool f2fs_need_verity(const struct inode *inode, pgoff_t idx)
+ }
+
+ #ifdef CONFIG_F2FS_FAULT_INJECTION
+-extern void f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned int rate,
+- unsigned int type);
++extern int f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned long rate,
++ unsigned long type);
+ #else
+-#define f2fs_build_fault_attr(sbi, rate, type) do { } while (0)
++static int f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned long rate,
++ unsigned long type)
++{
++ return 0;
++}
+ #endif
+
+ static inline bool is_journalled_quota(struct f2fs_sb_info *sbi)
+diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
+index 2f75a7dfc311d..0c3ebe4d9026d 100644
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -66,21 +66,31 @@ const char *f2fs_fault_name[FAULT_MAX] = {
+ [FAULT_NO_SEGMENT] = "no free segment",
+ };
+
+-void f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned int rate,
+- unsigned int type)
++int f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned long rate,
++ unsigned long type)
+ {
+ struct f2fs_fault_info *ffi = &F2FS_OPTION(sbi).fault_info;
+
+ if (rate) {
++ if (rate > INT_MAX)
++ return -EINVAL;
+ atomic_set(&ffi->inject_ops, 0);
+- ffi->inject_rate = rate;
++ ffi->inject_rate = (int)rate;
+ }
+
+- if (type)
+- ffi->inject_type = type;
++ if (type) {
++ if (type >= BIT(FAULT_MAX))
++ return -EINVAL;
++ ffi->inject_type = (unsigned int)type;
++ }
+
+ if (!rate && !type)
+ memset(ffi, 0, sizeof(struct f2fs_fault_info));
++ else
++ f2fs_info(sbi,
++ "build fault injection attr: rate: %lu, type: 0x%lx",
++ rate, type);
++ return 0;
+ }
+ #endif
+
+@@ -886,14 +896,17 @@ static int parse_options(struct super_block *sb, char *options, bool is_remount)
+ case Opt_fault_injection:
+ if (args->from && match_int(args, &arg))
+ return -EINVAL;
+- f2fs_build_fault_attr(sbi, arg, F2FS_ALL_FAULT_TYPE);
++ if (f2fs_build_fault_attr(sbi, arg,
++ F2FS_ALL_FAULT_TYPE))
++ return -EINVAL;
+ set_opt(sbi, FAULT_INJECTION);
+ break;
+
+ case Opt_fault_type:
+ if (args->from && match_int(args, &arg))
+ return -EINVAL;
+- f2fs_build_fault_attr(sbi, 0, arg);
++ if (f2fs_build_fault_attr(sbi, 0, arg))
++ return -EINVAL;
+ set_opt(sbi, FAULT_INJECTION);
+ break;
+ #else
+diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c
+index a568ce96cf563..7aa3844e7a808 100644
+--- a/fs/f2fs/sysfs.c
++++ b/fs/f2fs/sysfs.c
+@@ -484,10 +484,16 @@ static ssize_t __sbi_store(struct f2fs_attr *a,
+ if (ret < 0)
+ return ret;
+ #ifdef CONFIG_F2FS_FAULT_INJECTION
+- if (a->struct_type == FAULT_INFO_TYPE && t >= BIT(FAULT_MAX))
+- return -EINVAL;
+- if (a->struct_type == FAULT_INFO_RATE && t >= UINT_MAX)
+- return -EINVAL;
++ if (a->struct_type == FAULT_INFO_TYPE) {
++ if (f2fs_build_fault_attr(sbi, 0, t))
++ return -EINVAL;
++ return count;
++ }
++ if (a->struct_type == FAULT_INFO_RATE) {
++ if (f2fs_build_fault_attr(sbi, t, 0))
++ return -EINVAL;
++ return count;
++ }
+ #endif
+ if (a->struct_type == RESERVED_BLOCKS) {
+ spin_lock(&sbi->stat_lock);
+--
+2.43.0
+
--- /dev/null
+From be6aff8aec0cb01b2dca12ed2646f0a79726b5b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Apr 2024 18:29:32 +0200
+Subject: firmware: dmi: Stop decoding on broken entry
+
+From: Jean Delvare <jdelvare@suse.de>
+
+[ Upstream commit 0ef11f604503b1862a21597436283f158114d77e ]
+
+If a DMI table entry is shorter than 4 bytes, it is invalid. Due to
+how DMI table parsing works, it is impossible to safely recover from
+such an error, so we have to stop decoding the table.
+
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Link: https://lore.kernel.org/linux-kernel/Zh2K3-HLXOesT_vZ@liuwe-devbox-debian-v2/T/
+Reviewed-by: Michael Kelley <mhklinux@outlook.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/dmi_scan.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c
+index 015c95a825d31..ac2a5d2d47463 100644
+--- a/drivers/firmware/dmi_scan.c
++++ b/drivers/firmware/dmi_scan.c
+@@ -101,6 +101,17 @@ static void dmi_decode_table(u8 *buf,
+ (data - buf + sizeof(struct dmi_header)) <= dmi_len) {
+ const struct dmi_header *dm = (const struct dmi_header *)data;
+
++ /*
++ * If a short entry is found (less than 4 bytes), not only it
++ * is invalid, but we cannot reliably locate the next entry.
++ */
++ if (dm->length < sizeof(struct dmi_header)) {
++ pr_warn(FW_BUG
++ "Corrupted DMI table, offset %zd (only %d entries processed)\n",
++ data - buf, i);
++ break;
++ }
++
+ /*
+ * We want to know the total length (formatted area and
+ * strings) before decoding to make sure we won't run off the
+--
+2.43.0
+
--- /dev/null
+From b457150f7655c1348a5ca962ae9283e0983bdd13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 May 2024 23:25:47 +0000
+Subject: gve: Account for stopped queues when reading NIC stats
+
+From: Shailend Chand <shailend@google.com>
+
+[ Upstream commit af9bcf910b1f86244f39e15e701b2dc564b469a6 ]
+
+We now account for the fact that the NIC might send us stats for a
+subset of queues. Without this change, gve_get_ethtool_stats might make
+an invalid access on the priv->stats_report->stats array.
+
+Tested-by: Mina Almasry <almasrymina@google.com>
+Reviewed-by: Praveen Kaligineedi <pkaligineedi@google.com>
+Reviewed-by: Harshitha Ramamurthy <hramamurthy@google.com>
+Signed-off-by: Shailend Chand <shailend@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/google/gve/gve_ethtool.c | 41 ++++++++++++++++---
+ 1 file changed, 35 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/google/gve/gve_ethtool.c b/drivers/net/ethernet/google/gve/gve_ethtool.c
+index 9aebfb843d9d1..ae90c09c56a89 100644
+--- a/drivers/net/ethernet/google/gve/gve_ethtool.c
++++ b/drivers/net/ethernet/google/gve/gve_ethtool.c
+@@ -8,6 +8,7 @@
+ #include "gve.h"
+ #include "gve_adminq.h"
+ #include "gve_dqo.h"
++#include "gve_utils.h"
+
+ static void gve_get_drvinfo(struct net_device *netdev,
+ struct ethtool_drvinfo *info)
+@@ -165,6 +166,8 @@ gve_get_ethtool_stats(struct net_device *netdev,
+ struct stats *report_stats;
+ int *rx_qid_to_stats_idx;
+ int *tx_qid_to_stats_idx;
++ int num_stopped_rxqs = 0;
++ int num_stopped_txqs = 0;
+ struct gve_priv *priv;
+ bool skip_nic_stats;
+ unsigned int start;
+@@ -181,12 +184,23 @@ gve_get_ethtool_stats(struct net_device *netdev,
+ sizeof(int), GFP_KERNEL);
+ if (!rx_qid_to_stats_idx)
+ return;
++ for (ring = 0; ring < priv->rx_cfg.num_queues; ring++) {
++ rx_qid_to_stats_idx[ring] = -1;
++ if (!gve_rx_was_added_to_block(priv, ring))
++ num_stopped_rxqs++;
++ }
+ tx_qid_to_stats_idx = kmalloc_array(num_tx_queues,
+ sizeof(int), GFP_KERNEL);
+ if (!tx_qid_to_stats_idx) {
+ kfree(rx_qid_to_stats_idx);
+ return;
+ }
++ for (ring = 0; ring < num_tx_queues; ring++) {
++ tx_qid_to_stats_idx[ring] = -1;
++ if (!gve_tx_was_added_to_block(priv, ring))
++ num_stopped_txqs++;
++ }
++
+ for (rx_pkts = 0, rx_bytes = 0, rx_hsplit_pkt = 0,
+ rx_skb_alloc_fail = 0, rx_buf_alloc_fail = 0,
+ rx_desc_err_dropped_pkt = 0, rx_hsplit_unsplit_pkt = 0,
+@@ -260,7 +274,13 @@ gve_get_ethtool_stats(struct net_device *netdev,
+ /* For rx cross-reporting stats, start from nic rx stats in report */
+ base_stats_idx = GVE_TX_STATS_REPORT_NUM * num_tx_queues +
+ GVE_RX_STATS_REPORT_NUM * priv->rx_cfg.num_queues;
+- max_stats_idx = NIC_RX_STATS_REPORT_NUM * priv->rx_cfg.num_queues +
++ /* The boundary between driver stats and NIC stats shifts if there are
++ * stopped queues.
++ */
++ base_stats_idx += NIC_RX_STATS_REPORT_NUM * num_stopped_rxqs +
++ NIC_TX_STATS_REPORT_NUM * num_stopped_txqs;
++ max_stats_idx = NIC_RX_STATS_REPORT_NUM *
++ (priv->rx_cfg.num_queues - num_stopped_rxqs) +
+ base_stats_idx;
+ /* Preprocess the stats report for rx, map queue id to start index */
+ skip_nic_stats = false;
+@@ -274,6 +294,10 @@ gve_get_ethtool_stats(struct net_device *netdev,
+ skip_nic_stats = true;
+ break;
+ }
++ if (queue_id < 0 || queue_id >= priv->rx_cfg.num_queues) {
++ net_err_ratelimited("Invalid rxq id in NIC stats\n");
++ continue;
++ }
+ rx_qid_to_stats_idx[queue_id] = stats_idx;
+ }
+ /* walk RX rings */
+@@ -308,11 +332,11 @@ gve_get_ethtool_stats(struct net_device *netdev,
+ data[i++] = rx->rx_copybreak_pkt;
+ data[i++] = rx->rx_copied_pkt;
+ /* stats from NIC */
+- if (skip_nic_stats) {
++ stats_idx = rx_qid_to_stats_idx[ring];
++ if (skip_nic_stats || stats_idx < 0) {
+ /* skip NIC rx stats */
+ i += NIC_RX_STATS_REPORT_NUM;
+ } else {
+- stats_idx = rx_qid_to_stats_idx[ring];
+ for (j = 0; j < NIC_RX_STATS_REPORT_NUM; j++) {
+ u64 value =
+ be64_to_cpu(report_stats[stats_idx + j].value);
+@@ -338,7 +362,8 @@ gve_get_ethtool_stats(struct net_device *netdev,
+
+ /* For tx cross-reporting stats, start from nic tx stats in report */
+ base_stats_idx = max_stats_idx;
+- max_stats_idx = NIC_TX_STATS_REPORT_NUM * num_tx_queues +
++ max_stats_idx = NIC_TX_STATS_REPORT_NUM *
++ (num_tx_queues - num_stopped_txqs) +
+ max_stats_idx;
+ /* Preprocess the stats report for tx, map queue id to start index */
+ skip_nic_stats = false;
+@@ -352,6 +377,10 @@ gve_get_ethtool_stats(struct net_device *netdev,
+ skip_nic_stats = true;
+ break;
+ }
++ if (queue_id < 0 || queue_id >= num_tx_queues) {
++ net_err_ratelimited("Invalid txq id in NIC stats\n");
++ continue;
++ }
+ tx_qid_to_stats_idx[queue_id] = stats_idx;
+ }
+ /* walk TX rings */
+@@ -383,11 +412,11 @@ gve_get_ethtool_stats(struct net_device *netdev,
+ data[i++] = gve_tx_load_event_counter(priv, tx);
+ data[i++] = tx->dma_mapping_error;
+ /* stats from NIC */
+- if (skip_nic_stats) {
++ stats_idx = tx_qid_to_stats_idx[ring];
++ if (skip_nic_stats || stats_idx < 0) {
+ /* skip NIC tx stats */
+ i += NIC_TX_STATS_REPORT_NUM;
+ } else {
+- stats_idx = tx_qid_to_stats_idx[ring];
+ for (j = 0; j < NIC_TX_STATS_REPORT_NUM; j++) {
+ u64 value =
+ be64_to_cpu(report_stats[stats_idx + j].value);
+--
+2.43.0
+
--- /dev/null
+From f97b2084ff27f83d2558b8fdc8f55e3faabcdab3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Apr 2024 12:21:58 +0200
+Subject: i2c: i801: Annotate apanel_addr as __ro_after_init
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit 355b1513b1e97b6cef84b786c6480325dfd3753d ]
+
+Annotate this variable as __ro_after_init to protect it from being
+overwritten later.
+
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-i801.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c
+index 79870dd7a0146..fafd999b4bcb2 100644
+--- a/drivers/i2c/busses/i2c-i801.c
++++ b/drivers/i2c/busses/i2c-i801.c
+@@ -1059,7 +1059,7 @@ static const struct pci_device_id i801_ids[] = {
+ MODULE_DEVICE_TABLE(pci, i801_ids);
+
+ #if defined CONFIG_X86 && defined CONFIG_DMI
+-static unsigned char apanel_addr;
++static unsigned char apanel_addr __ro_after_init;
+
+ /* Scan the system ROM for the signature "FJKEYINF" */
+ static __init const void __iomem *bios_signature(const void __iomem *bios)
+--
+2.43.0
+
--- /dev/null
+From 310dad60ed3d64c8247b8b4ba83a954391d3b67f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Apr 2024 15:01:44 +0300
+Subject: IB/core: Implement a limit on UMAD receive List
+
+From: Michael Guralnik <michaelgur@nvidia.com>
+
+[ Upstream commit ca0b44e20a6f3032224599f02e7c8fb49525c894 ]
+
+The existing behavior of ib_umad, which maintains received MAD
+packets in an unbounded list, poses a risk of uncontrolled growth.
+As user-space applications extract packets from this list, the rate
+of extraction may not match the rate of incoming packets, leading
+to potential list overflow.
+
+To address this, we introduce a limit to the size of the list. After
+considering typical scenarios, such as OpenSM processing, which can
+handle approximately 100k packets per second, and the 1-second retry
+timeout for most packets, we set the list size limit to 200k. Packets
+received beyond this limit are dropped, assuming they are likely timed
+out by the time they are handled by user-space.
+
+Notably, packets queued on the receive list due to reasons like
+timed-out sends are preserved even when the list is full.
+
+Signed-off-by: Michael Guralnik <michaelgur@nvidia.com>
+Reviewed-by: Mark Zhang <markzhang@nvidia.com>
+Link: https://lore.kernel.org/r/7197cb58a7d9e78399008f25036205ceab07fbd5.1713268818.git.leon@kernel.org
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/user_mad.c | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c
+index f5feca7fa9b9c..2ed749f50a29f 100644
+--- a/drivers/infiniband/core/user_mad.c
++++ b/drivers/infiniband/core/user_mad.c
+@@ -63,6 +63,8 @@ MODULE_AUTHOR("Roland Dreier");
+ MODULE_DESCRIPTION("InfiniBand userspace MAD packet access");
+ MODULE_LICENSE("Dual BSD/GPL");
+
++#define MAX_UMAD_RECV_LIST_SIZE 200000
++
+ enum {
+ IB_UMAD_MAX_PORTS = RDMA_MAX_PORTS,
+ IB_UMAD_MAX_AGENTS = 32,
+@@ -113,6 +115,7 @@ struct ib_umad_file {
+ struct mutex mutex;
+ struct ib_umad_port *port;
+ struct list_head recv_list;
++ atomic_t recv_list_size;
+ struct list_head send_list;
+ struct list_head port_list;
+ spinlock_t send_lock;
+@@ -180,24 +183,28 @@ static struct ib_mad_agent *__get_agent(struct ib_umad_file *file, int id)
+ return file->agents_dead ? NULL : file->agent[id];
+ }
+
+-static int queue_packet(struct ib_umad_file *file,
+- struct ib_mad_agent *agent,
+- struct ib_umad_packet *packet)
++static int queue_packet(struct ib_umad_file *file, struct ib_mad_agent *agent,
++ struct ib_umad_packet *packet, bool is_recv_mad)
+ {
+ int ret = 1;
+
+ mutex_lock(&file->mutex);
+
++ if (is_recv_mad &&
++ atomic_read(&file->recv_list_size) > MAX_UMAD_RECV_LIST_SIZE)
++ goto unlock;
++
+ for (packet->mad.hdr.id = 0;
+ packet->mad.hdr.id < IB_UMAD_MAX_AGENTS;
+ packet->mad.hdr.id++)
+ if (agent == __get_agent(file, packet->mad.hdr.id)) {
+ list_add_tail(&packet->list, &file->recv_list);
++ atomic_inc(&file->recv_list_size);
+ wake_up_interruptible(&file->recv_wait);
+ ret = 0;
+ break;
+ }
+-
++unlock:
+ mutex_unlock(&file->mutex);
+
+ return ret;
+@@ -224,7 +231,7 @@ static void send_handler(struct ib_mad_agent *agent,
+ if (send_wc->status == IB_WC_RESP_TIMEOUT_ERR) {
+ packet->length = IB_MGMT_MAD_HDR;
+ packet->mad.hdr.status = ETIMEDOUT;
+- if (!queue_packet(file, agent, packet))
++ if (!queue_packet(file, agent, packet, false))
+ return;
+ }
+ kfree(packet);
+@@ -284,7 +291,7 @@ static void recv_handler(struct ib_mad_agent *agent,
+ rdma_destroy_ah_attr(&ah_attr);
+ }
+
+- if (queue_packet(file, agent, packet))
++ if (queue_packet(file, agent, packet, true))
+ goto err2;
+ return;
+
+@@ -409,6 +416,7 @@ static ssize_t ib_umad_read(struct file *filp, char __user *buf,
+
+ packet = list_entry(file->recv_list.next, struct ib_umad_packet, list);
+ list_del(&packet->list);
++ atomic_dec(&file->recv_list_size);
+
+ mutex_unlock(&file->mutex);
+
+@@ -421,6 +429,7 @@ static ssize_t ib_umad_read(struct file *filp, char __user *buf,
+ /* Requeue packet */
+ mutex_lock(&file->mutex);
+ list_add(&packet->list, &file->recv_list);
++ atomic_inc(&file->recv_list_size);
+ mutex_unlock(&file->mutex);
+ } else {
+ if (packet->recv_wc)
+--
+2.43.0
+
--- /dev/null
+From ee112b3c8929ec718b444134db87e1c585eb7d70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Apr 2024 12:24:54 +0200
+Subject: igc: fix a log entry using uninitialized netdev
+
+From: Corinna Vinschen <vinschen@redhat.com>
+
+[ Upstream commit 86167183a17e03ec77198897975e9fdfbd53cb0b ]
+
+During successful probe, igc logs this:
+
+[ 5.133667] igc 0000:01:00.0 (unnamed net_device) (uninitialized): PHC added
+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+The reason is that igc_ptp_init() is called very early, even before
+register_netdev() has been called. So the netdev_info() call works
+on a partially uninitialized netdev.
+
+Fix this by calling igc_ptp_init() after register_netdev(), right
+after the media autosense check, just as in igb. Add a comment,
+just as in igb.
+
+Now the log message is fine:
+
+[ 5.200987] igc 0000:01:00.0 eth0: PHC added
+
+Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
+Reviewed-by: Hariprasad Kelam <hkelam@marvell.com>
+Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Tested-by: Naama Meir <naamax.meir@linux.intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 58bc96021bb4c..07feb951be749 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -6932,8 +6932,6 @@ static int igc_probe(struct pci_dev *pdev,
+ device_set_wakeup_enable(&adapter->pdev->dev,
+ adapter->flags & IGC_FLAG_WOL_SUPPORTED);
+
+- igc_ptp_init(adapter);
+-
+ igc_tsn_clear_schedule(adapter);
+
+ /* reset the hardware with the new settings */
+@@ -6955,6 +6953,9 @@ static int igc_probe(struct pci_dev *pdev,
+ /* Check if Media Autosense is enabled */
+ adapter->ei = *ei;
+
++ /* do hw tstamp init after resetting */
++ igc_ptp_init(adapter);
++
+ /* print pcie link status and MAC address */
+ pcie_print_link_status(pdev);
+ netdev_info(netdev, "MAC: %pM\n", netdev->dev_addr);
+--
+2.43.0
+
--- /dev/null
+From 75ef36af3b3822e90eb16f3aaae53d4558a22899 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Apr 2024 17:05:56 +0200
+Subject: Input: ff-core - prefer struct_size over open coded arithmetic
+
+From: Erick Archer <erick.archer@outlook.com>
+
+[ Upstream commit a08b8f8557ad88ffdff8905e5da972afe52e3307 ]
+
+This is an effort to get rid of all multiplications from allocation
+functions in order to prevent integer overflows [1][2].
+
+As the "ff" variable is a pointer to "struct ff_device" and this
+structure ends in a flexible array:
+
+struct ff_device {
+ [...]
+ struct file *effect_owners[] __counted_by(max_effects);
+};
+
+the preferred way in the kernel is to use the struct_size() helper to
+do the arithmetic instead of the calculation "size + count * size" in
+the kzalloc() function.
+
+The struct_size() helper returns SIZE_MAX on overflow. So, refactor
+the comparison to take advantage of this.
+
+This way, the code is more readable and safer.
+
+This code was detected with the help of Coccinelle, and audited and
+modified manually.
+
+Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments [1]
+Link: https://github.com/KSPP/linux/issues/160 [2]
+Signed-off-by: Erick Archer <erick.archer@outlook.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/AS8PR02MB72371E646714BAE2E51A6A378B152@AS8PR02MB7237.eurprd02.prod.outlook.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/ff-core.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/input/ff-core.c b/drivers/input/ff-core.c
+index 16231fe080b00..609a5f01761bd 100644
+--- a/drivers/input/ff-core.c
++++ b/drivers/input/ff-core.c
+@@ -9,8 +9,10 @@
+ /* #define DEBUG */
+
+ #include <linux/input.h>
++#include <linux/limits.h>
+ #include <linux/module.h>
+ #include <linux/mutex.h>
++#include <linux/overflow.h>
+ #include <linux/sched.h>
+ #include <linux/slab.h>
+
+@@ -315,9 +317,8 @@ int input_ff_create(struct input_dev *dev, unsigned int max_effects)
+ return -EINVAL;
+ }
+
+- ff_dev_size = sizeof(struct ff_device) +
+- max_effects * sizeof(struct file *);
+- if (ff_dev_size < max_effects) /* overflow */
++ ff_dev_size = struct_size(ff, effect_owners, max_effects);
++ if (ff_dev_size == SIZE_MAX) /* overflow */
+ return -EINVAL;
+
+ ff = kzalloc(ff_dev_size, GFP_KERNEL);
+--
+2.43.0
+
--- /dev/null
+From 26ca8971ba590e3c23b9768e541b9e9205b27e99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Apr 2024 14:10:53 +0800
+Subject: irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc
+
+From: Guanrui Huang <guanrui.huang@linux.alibaba.com>
+
+[ Upstream commit 382d2ffe86efb1e2fa803d2cf17e5bfc34e574f3 ]
+
+This BUG_ON() is useless, because the same effect will be obtained
+by letting the code run its course and vm being dereferenced,
+triggering an exception.
+
+So just remove this check.
+
+Signed-off-by: Guanrui Huang <guanrui.huang@linux.alibaba.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Zenghui Yu <yuzenghui@huawei.com>
+Acked-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20240418061053.96803-3-guanrui.huang@linux.alibaba.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-gic-v3-its.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
+index 6dbac6ec778ee..33fa6b7f41c93 100644
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -4507,8 +4507,6 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq
+ struct page *vprop_page;
+ int base, nr_ids, i, err = 0;
+
+- BUG_ON(!vm);
+-
+ bitmap = its_lpi_alloc(roundup_pow_of_two(nr_irqs), &base, &nr_ids);
+ if (!bitmap)
+ return -ENOMEM;
+--
+2.43.0
+
--- /dev/null
+From 58034d921a9b30f094cd8a1ca7f4bb5e4e116a81 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 May 2024 15:00:46 +0800
+Subject: jffs2: Fix potential illegal address access in jffs2_free_inode
+
+From: Wang Yong <wang.yong12@zte.com.cn>
+
+[ Upstream commit af9a8730ddb6a4b2edd779ccc0aceb994d616830 ]
+
+During the stress testing of the jffs2 file system,the following
+abnormal printouts were found:
+[ 2430.649000] Unable to handle kernel paging request at virtual address 0069696969696948
+[ 2430.649622] Mem abort info:
+[ 2430.649829] ESR = 0x96000004
+[ 2430.650115] EC = 0x25: DABT (current EL), IL = 32 bits
+[ 2430.650564] SET = 0, FnV = 0
+[ 2430.650795] EA = 0, S1PTW = 0
+[ 2430.651032] FSC = 0x04: level 0 translation fault
+[ 2430.651446] Data abort info:
+[ 2430.651683] ISV = 0, ISS = 0x00000004
+[ 2430.652001] CM = 0, WnR = 0
+[ 2430.652558] [0069696969696948] address between user and kernel address ranges
+[ 2430.653265] Internal error: Oops: 96000004 [#1] PREEMPT SMP
+[ 2430.654512] CPU: 2 PID: 20919 Comm: cat Not tainted 5.15.25-g512f31242bf6 #33
+[ 2430.655008] Hardware name: linux,dummy-virt (DT)
+[ 2430.655517] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[ 2430.656142] pc : kfree+0x78/0x348
+[ 2430.656630] lr : jffs2_free_inode+0x24/0x48
+[ 2430.657051] sp : ffff800009eebd10
+[ 2430.657355] x29: ffff800009eebd10 x28: 0000000000000001 x27: 0000000000000000
+[ 2430.658327] x26: ffff000038f09d80 x25: 0080000000000000 x24: ffff800009d38000
+[ 2430.658919] x23: 5a5a5a5a5a5a5a5a x22: ffff000038f09d80 x21: ffff8000084f0d14
+[ 2430.659434] x20: ffff0000bf9a6ac0 x19: 0169696969696940 x18: 0000000000000000
+[ 2430.659969] x17: ffff8000b6506000 x16: ffff800009eec000 x15: 0000000000004000
+[ 2430.660637] x14: 0000000000000000 x13: 00000001000820a1 x12: 00000000000d1b19
+[ 2430.661345] x11: 0004000800000000 x10: 0000000000000001 x9 : ffff8000084f0d14
+[ 2430.662025] x8 : ffff0000bf9a6b40 x7 : ffff0000bf9a6b48 x6 : 0000000003470302
+[ 2430.662695] x5 : ffff00002e41dcc0 x4 : ffff0000bf9aa3b0 x3 : 0000000003470342
+[ 2430.663486] x2 : 0000000000000000 x1 : ffff8000084f0d14 x0 : fffffc0000000000
+[ 2430.664217] Call trace:
+[ 2430.664528] kfree+0x78/0x348
+[ 2430.664855] jffs2_free_inode+0x24/0x48
+[ 2430.665233] i_callback+0x24/0x50
+[ 2430.665528] rcu_do_batch+0x1ac/0x448
+[ 2430.665892] rcu_core+0x28c/0x3c8
+[ 2430.666151] rcu_core_si+0x18/0x28
+[ 2430.666473] __do_softirq+0x138/0x3cc
+[ 2430.666781] irq_exit+0xf0/0x110
+[ 2430.667065] handle_domain_irq+0x6c/0x98
+[ 2430.667447] gic_handle_irq+0xac/0xe8
+[ 2430.667739] call_on_irq_stack+0x28/0x54
+The parameter passed to kfree was 5a5a5a5a, which corresponds to the target field of
+the jffs_inode_info structure. It was found that all variables in the jffs_inode_info
+structure were 5a5a5a5a, except for the first member sem. It is suspected that these
+variables are not initialized because they were set to 5a5a5a5a during memory testing,
+which is meant to detect uninitialized memory.The sem variable is initialized in the
+function jffs2_i_init_once, while other members are initialized in
+the function jffs2_init_inode_info.
+
+The function jffs2_init_inode_info is called after iget_locked,
+but in the iget_locked function, the destroy_inode process is triggered,
+which releases the inode and consequently, the target member of the inode
+is not initialized.In concurrent high pressure scenarios, iget_locked
+may enter the destroy_inode branch as described in the code.
+
+Since the destroy_inode functionality of jffs2 only releases the target,
+the fix method is to set target to NULL in jffs2_i_init_once.
+
+Signed-off-by: Wang Yong <wang.yong12@zte.com.cn>
+Reviewed-by: Lu Zhongjun <lu.zhongjun@zte.com.cn>
+Reviewed-by: Yang Tao <yang.tao172@zte.com.cn>
+Cc: Xu Xin <xu.xin16@zte.com.cn>
+Cc: Yang Yang <yang.yang29@zte.com.cn>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jffs2/super.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c
+index aede1be4dc0cd..4545f885c41ef 100644
+--- a/fs/jffs2/super.c
++++ b/fs/jffs2/super.c
+@@ -58,6 +58,7 @@ static void jffs2_i_init_once(void *foo)
+ struct jffs2_inode_info *f = foo;
+
+ mutex_init(&f->sem);
++ f->target = NULL;
+ inode_init_once(&f->vfs_inode);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 7e2de150c0d0d3e4f05d30b7eacab3eb9220a0bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Apr 2024 09:46:21 +0200
+Subject: kunit: Fix timeout message
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mickaël Salaün <mic@digikod.net>
+
+[ Upstream commit 53026ff63bb07c04a0e962a74723eb10ff6f9dc7 ]
+
+The exit code is always checked, so let's properly handle the -ETIMEDOUT
+error code.
+
+Cc: Brendan Higgins <brendanhiggins@google.com>
+Cc: Shuah Khan <skhan@linuxfoundation.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: David Gow <davidgow@google.com>
+Reviewed-by: Rae Moar <rmoar@google.com>
+Signed-off-by: Mickaël Salaün <mic@digikod.net>
+Link: https://lore.kernel.org/r/20240408074625.65017-4-mic@digikod.net
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Stable-dep-of: 3a35c13007de ("kunit: Handle test faults")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/kunit/try-catch.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/kunit/try-catch.c b/lib/kunit/try-catch.c
+index d9d1df28cc52e..9c9e4dcf06d96 100644
+--- a/lib/kunit/try-catch.c
++++ b/lib/kunit/try-catch.c
+@@ -78,7 +78,6 @@ void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context)
+ time_remaining = wait_for_completion_timeout(&try_completion,
+ kunit_test_timeout());
+ if (time_remaining == 0) {
+- kunit_err(test, "try timed out\n");
+ try_catch->try_result = -ETIMEDOUT;
+ kthread_stop(task_struct);
+ }
+@@ -93,6 +92,8 @@ void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context)
+ try_catch->try_result = 0;
+ else if (exit_code == -EINTR)
+ kunit_err(test, "wake_up_process() was never called\n");
++ else if (exit_code == -ETIMEDOUT)
++ kunit_err(test, "try timed out\n");
+ else if (exit_code)
+ kunit_err(test, "Unknown error: %d\n", exit_code);
+
+--
+2.43.0
+
--- /dev/null
+From d14901a956833589de7f5b08669451ad105944c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Apr 2024 12:43:40 -0700
+Subject: kunit/fortify: Do not spam logs with fortify WARNs
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 091f79e8de44736a1e677701d67334bba5b749e3 ]
+
+When running KUnit fortify tests, we're already doing precise tracking
+of which warnings are getting hit. Don't fill the logs with WARNs unless
+we've been explicitly built with DEBUG enabled.
+
+Link: https://lore.kernel.org/r/20240429194342.2421639-2-keescook@chromium.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/fortify_kunit.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/lib/fortify_kunit.c b/lib/fortify_kunit.c
+index fdba0eaf19a59..ad29721b956bc 100644
+--- a/lib/fortify_kunit.c
++++ b/lib/fortify_kunit.c
+@@ -15,10 +15,17 @@
+ */
+ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
++/* We don't need to fill dmesg with the fortify WARNs during testing. */
++#ifdef DEBUG
++# define FORTIFY_REPORT_KUNIT(x...) __fortify_report(x)
++#else
++# define FORTIFY_REPORT_KUNIT(x...) do { } while (0)
++#endif
++
+ /* Redefine fortify_panic() to track failures. */
+ void fortify_add_kunit_error(int write);
+ #define fortify_panic(func, write, avail, size, retfail) do { \
+- __fortify_report(FORTIFY_REASON(func, write), avail, size); \
++ FORTIFY_REPORT_KUNIT(FORTIFY_REASON(func, write), avail, size); \
+ fortify_add_kunit_error(write); \
+ return (retfail); \
+ } while (0)
+--
+2.43.0
+
--- /dev/null
+From 2d873e7b1358877e1f41c1631a2ac1c7d70d0b5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Apr 2024 09:46:22 +0200
+Subject: kunit: Handle test faults
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mickaël Salaün <mic@digikod.net>
+
+[ Upstream commit 3a35c13007dea132a65f07de05c26b87837fadc2 ]
+
+Previously, when a kernel test thread crashed (e.g. NULL pointer
+dereference, general protection fault), the KUnit test hanged for 30
+seconds and exited with a timeout error.
+
+Fix this issue by waiting on task_struct->vfork_done instead of the
+custom kunit_try_catch.try_completion, and track the execution state by
+initially setting try_result with -EINTR and only setting it to 0 if
+the test passed.
+
+Fix kunit_generic_run_threadfn_adapter() signature by returning 0
+instead of calling kthread_complete_and_exit(). Because thread's exit
+code is never checked, always set it to 0 to make it clear. To make
+this explicit, export kthread_exit() for KUnit tests built as module.
+
+Fix the -EINTR error message, which couldn't be reached until now.
+
+This is tested with a following patch.
+
+Cc: Brendan Higgins <brendanhiggins@google.com>
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Cc: Shuah Khan <skhan@linuxfoundation.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: David Gow <davidgow@google.com>
+Tested-by: Rae Moar <rmoar@google.com>
+Signed-off-by: Mickaël Salaün <mic@digikod.net>
+Link: https://lore.kernel.org/r/20240408074625.65017-5-mic@digikod.net
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/kunit/try-catch.h | 3 ---
+ kernel/kthread.c | 1 +
+ lib/kunit/try-catch.c | 19 ++++++++++++-------
+ 3 files changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/include/kunit/try-catch.h b/include/kunit/try-catch.h
+index c507dd43119d5..7c966a1adbd30 100644
+--- a/include/kunit/try-catch.h
++++ b/include/kunit/try-catch.h
+@@ -14,13 +14,11 @@
+
+ typedef void (*kunit_try_catch_func_t)(void *);
+
+-struct completion;
+ struct kunit;
+
+ /**
+ * struct kunit_try_catch - provides a generic way to run code which might fail.
+ * @test: The test case that is currently being executed.
+- * @try_completion: Completion that the control thread waits on while test runs.
+ * @try_result: Contains any errno obtained while running test case.
+ * @try: The function, the test case, to attempt to run.
+ * @catch: The function called if @try bails out.
+@@ -46,7 +44,6 @@ struct kunit;
+ struct kunit_try_catch {
+ /* private: internal use only. */
+ struct kunit *test;
+- struct completion *try_completion;
+ int try_result;
+ kunit_try_catch_func_t try;
+ kunit_try_catch_func_t catch;
+diff --git a/kernel/kthread.c b/kernel/kthread.c
+index c5e40830c1f2d..f7be976ff88af 100644
+--- a/kernel/kthread.c
++++ b/kernel/kthread.c
+@@ -315,6 +315,7 @@ void __noreturn kthread_exit(long result)
+ kthread->result = result;
+ do_exit(0);
+ }
++EXPORT_SYMBOL(kthread_exit);
+
+ /**
+ * kthread_complete_and_exit - Exit the current kthread.
+diff --git a/lib/kunit/try-catch.c b/lib/kunit/try-catch.c
+index 9c9e4dcf06d96..34d30a6f23054 100644
+--- a/lib/kunit/try-catch.c
++++ b/lib/kunit/try-catch.c
+@@ -18,7 +18,7 @@
+ void __noreturn kunit_try_catch_throw(struct kunit_try_catch *try_catch)
+ {
+ try_catch->try_result = -EFAULT;
+- kthread_complete_and_exit(try_catch->try_completion, -EFAULT);
++ kthread_exit(0);
+ }
+ EXPORT_SYMBOL_GPL(kunit_try_catch_throw);
+
+@@ -26,9 +26,12 @@ static int kunit_generic_run_threadfn_adapter(void *data)
+ {
+ struct kunit_try_catch *try_catch = data;
+
++ try_catch->try_result = -EINTR;
+ try_catch->try(try_catch->context);
++ if (try_catch->try_result == -EINTR)
++ try_catch->try_result = 0;
+
+- kthread_complete_and_exit(try_catch->try_completion, 0);
++ return 0;
+ }
+
+ static unsigned long kunit_test_timeout(void)
+@@ -58,13 +61,11 @@ static unsigned long kunit_test_timeout(void)
+
+ void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context)
+ {
+- DECLARE_COMPLETION_ONSTACK(try_completion);
+ struct kunit *test = try_catch->test;
+ struct task_struct *task_struct;
+ int exit_code, time_remaining;
+
+ try_catch->context = context;
+- try_catch->try_completion = &try_completion;
+ try_catch->try_result = 0;
+ task_struct = kthread_create(kunit_generic_run_threadfn_adapter,
+ try_catch, "kunit_try_catch_thread");
+@@ -74,8 +75,12 @@ void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context)
+ }
+ get_task_struct(task_struct);
+ wake_up_process(task_struct);
+-
+- time_remaining = wait_for_completion_timeout(&try_completion,
++ /*
++ * As for a vfork(2), task_struct->vfork_done (pointing to the
++ * underlying kthread->exited) can be used to wait for the end of a
++ * kernel thread.
++ */
++ time_remaining = wait_for_completion_timeout(task_struct->vfork_done,
+ kunit_test_timeout());
+ if (time_remaining == 0) {
+ try_catch->try_result = -ETIMEDOUT;
+@@ -91,7 +96,7 @@ void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context)
+ if (exit_code == -EFAULT)
+ try_catch->try_result = 0;
+ else if (exit_code == -EINTR)
+- kunit_err(test, "wake_up_process() was never called\n");
++ kunit_err(test, "try faulted\n");
+ else if (exit_code == -ETIMEDOUT)
+ kunit_err(test, "try timed out\n");
+ else if (exit_code)
+--
+2.43.0
+
--- /dev/null
+From de7d6677d6f2a268dd8c42428315070a32bf0fc2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Apr 2024 19:10:32 +0300
+Subject: leds: an30259a: Use devm_mutex_init() for mutex initialization
+
+From: George Stark <gnstark@salutedevices.com>
+
+[ Upstream commit c382e2e3eccb6b7ca8c7aff5092c1668428e7de6 ]
+
+In this driver LEDs are registered using devm_led_classdev_register()
+so they are automatically unregistered after module's remove() is done.
+led_classdev_unregister() calls module's led_set_brightness() to turn off
+the LEDs and that callback uses mutex which was destroyed already
+in module's remove() so use devm API instead.
+
+Signed-off-by: George Stark <gnstark@salutedevices.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20240411161032.609544-9-gnstark@salutedevices.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/leds-an30259a.c | 14 ++++----------
+ 1 file changed, 4 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/leds/leds-an30259a.c b/drivers/leds/leds-an30259a.c
+index 0216afed3b6e7..decfca447d8a7 100644
+--- a/drivers/leds/leds-an30259a.c
++++ b/drivers/leds/leds-an30259a.c
+@@ -283,7 +283,10 @@ static int an30259a_probe(struct i2c_client *client)
+ if (err < 0)
+ return err;
+
+- mutex_init(&chip->mutex);
++ err = devm_mutex_init(&client->dev, &chip->mutex);
++ if (err)
++ return err;
++
+ chip->client = client;
+ i2c_set_clientdata(client, chip);
+
+@@ -317,17 +320,9 @@ static int an30259a_probe(struct i2c_client *client)
+ return 0;
+
+ exit:
+- mutex_destroy(&chip->mutex);
+ return err;
+ }
+
+-static void an30259a_remove(struct i2c_client *client)
+-{
+- struct an30259a *chip = i2c_get_clientdata(client);
+-
+- mutex_destroy(&chip->mutex);
+-}
+-
+ static const struct of_device_id an30259a_match_table[] = {
+ { .compatible = "panasonic,an30259a", },
+ { /* sentinel */ },
+@@ -347,7 +342,6 @@ static struct i2c_driver an30259a_driver = {
+ .of_match_table = an30259a_match_table,
+ },
+ .probe = an30259a_probe,
+- .remove = an30259a_remove,
+ .id_table = an30259a_id,
+ };
+
+--
+2.43.0
+
--- /dev/null
+From 896e10aad28baa03d4974a2bce51e42522872231 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Apr 2024 19:10:31 +0300
+Subject: leds: mlxreg: Use devm_mutex_init() for mutex initialization
+
+From: George Stark <gnstark@salutedevices.com>
+
+[ Upstream commit efc347b9efee1c2b081f5281d33be4559fa50a16 ]
+
+In this driver LEDs are registered using devm_led_classdev_register()
+so they are automatically unregistered after module's remove() is done.
+led_classdev_unregister() calls module's led_set_brightness() to turn off
+the LEDs and that callback uses mutex which was destroyed already
+in module's remove() so use devm API instead.
+
+Signed-off-by: George Stark <gnstark@salutedevices.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20240411161032.609544-8-gnstark@salutedevices.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/leds-mlxreg.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/leds/leds-mlxreg.c b/drivers/leds/leds-mlxreg.c
+index 5595788d98d20..1b70de72376cc 100644
+--- a/drivers/leds/leds-mlxreg.c
++++ b/drivers/leds/leds-mlxreg.c
+@@ -256,6 +256,7 @@ static int mlxreg_led_probe(struct platform_device *pdev)
+ {
+ struct mlxreg_core_platform_data *led_pdata;
+ struct mlxreg_led_priv_data *priv;
++ int err;
+
+ led_pdata = dev_get_platdata(&pdev->dev);
+ if (!led_pdata) {
+@@ -267,26 +268,21 @@ static int mlxreg_led_probe(struct platform_device *pdev)
+ if (!priv)
+ return -ENOMEM;
+
+- mutex_init(&priv->access_lock);
++ err = devm_mutex_init(&pdev->dev, &priv->access_lock);
++ if (err)
++ return err;
++
+ priv->pdev = pdev;
+ priv->pdata = led_pdata;
+
+ return mlxreg_led_config(priv);
+ }
+
+-static void mlxreg_led_remove(struct platform_device *pdev)
+-{
+- struct mlxreg_led_priv_data *priv = dev_get_drvdata(&pdev->dev);
+-
+- mutex_destroy(&priv->access_lock);
+-}
+-
+ static struct platform_driver mlxreg_led_driver = {
+ .driver = {
+ .name = "leds-mlxreg",
+ },
+ .probe = mlxreg_led_probe,
+- .remove_new = mlxreg_led_remove,
+ };
+
+ module_platform_driver(mlxreg_led_driver);
+--
+2.43.0
+
--- /dev/null
+From 5cafcf9acd1f83e360182f161b965eb345be12be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Apr 2024 19:10:25 +0300
+Subject: locking/mutex: Introduce devm_mutex_init()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: George Stark <gnstark@salutedevices.com>
+
+[ Upstream commit 4cd47222e435dec8e3787614924174f53fcfb5ae ]
+
+Using of devm API leads to a certain order of releasing resources.
+So all dependent resources which are not devm-wrapped should be deleted
+with respect to devm-release order. Mutex is one of such objects that
+often is bound to other resources and has no own devm wrapping.
+Since mutex_destroy() actually does nothing in non-debug builds
+frequently calling mutex_destroy() is just ignored which is safe for now
+but wrong formally and can lead to a problem if mutex_destroy() will be
+extended so introduce devm_mutex_init().
+
+Suggested-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: George Stark <gnstark@salutedevices.com>
+Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Reviewed-by: Marek Behún <kabel@kernel.org>
+Acked-by: Waiman Long <longman@redhat.com>
+Link: https://lore.kernel.org/r/20240411161032.609544-2-gnstark@salutedevices.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Stable-dep-of: efc347b9efee ("leds: mlxreg: Use devm_mutex_init() for mutex initialization")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/mutex.h | 27 +++++++++++++++++++++++++++
+ kernel/locking/mutex-debug.c | 12 ++++++++++++
+ 2 files changed, 39 insertions(+)
+
+diff --git a/include/linux/mutex.h b/include/linux/mutex.h
+index 67edc4ca2beeb..a561c629d89f0 100644
+--- a/include/linux/mutex.h
++++ b/include/linux/mutex.h
+@@ -22,6 +22,8 @@
+ #include <linux/cleanup.h>
+ #include <linux/mutex_types.h>
+
++struct device;
++
+ #ifdef CONFIG_DEBUG_LOCK_ALLOC
+ # define __DEP_MAP_MUTEX_INITIALIZER(lockname) \
+ , .dep_map = { \
+@@ -117,6 +119,31 @@ do { \
+ } while (0)
+ #endif /* CONFIG_PREEMPT_RT */
+
++#ifdef CONFIG_DEBUG_MUTEXES
++
++int __devm_mutex_init(struct device *dev, struct mutex *lock);
++
++#else
++
++static inline int __devm_mutex_init(struct device *dev, struct mutex *lock)
++{
++ /*
++ * When CONFIG_DEBUG_MUTEXES is off mutex_destroy() is just a nop so
++ * no really need to register it in the devm subsystem.
++ */
++ return 0;
++}
++
++#endif
++
++#define devm_mutex_init(dev, mutex) \
++({ \
++ typeof(mutex) mutex_ = (mutex); \
++ \
++ mutex_init(mutex_); \
++ __devm_mutex_init(dev, mutex_); \
++})
++
+ /*
+ * See kernel/locking/mutex.c for detailed documentation of these APIs.
+ * Also see Documentation/locking/mutex-design.rst.
+diff --git a/kernel/locking/mutex-debug.c b/kernel/locking/mutex-debug.c
+index bc8abb8549d20..6e6f6071cfa27 100644
+--- a/kernel/locking/mutex-debug.c
++++ b/kernel/locking/mutex-debug.c
+@@ -12,6 +12,7 @@
+ */
+ #include <linux/mutex.h>
+ #include <linux/delay.h>
++#include <linux/device.h>
+ #include <linux/export.h>
+ #include <linux/poison.h>
+ #include <linux/sched.h>
+@@ -89,6 +90,17 @@ void debug_mutex_init(struct mutex *lock, const char *name,
+ lock->magic = lock;
+ }
+
++static void devm_mutex_release(void *res)
++{
++ mutex_destroy(res);
++}
++
++int __devm_mutex_init(struct device *dev, struct mutex *lock)
++{
++ return devm_add_action_or_reset(dev, devm_mutex_release, lock);
++}
++EXPORT_SYMBOL_GPL(__devm_mutex_init);
++
+ /***
+ * mutex_destroy - mark a mutex unusable
+ * @lock: the mutex to be destroyed
+--
+2.43.0
+
--- /dev/null
+From 1ec233cc664eb0b133656144b8268dffa1fc6f61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Apr 2024 12:24:37 +0000
+Subject: media: dvb: as102-fe: Fix as10x_register_addr packing
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit 309422d280748c74f57f471559980268ac27732a ]
+
+This structure is embedded in multiple other structures that are packed,
+which conflicts with it being aligned.
+
+drivers/media/usb/as102/as10x_cmd.h:379:30: warning: field reg_addr within 'struct as10x_dump_memory::(unnamed at drivers/media/usb/as102/as10x_cmd.h:373:2)' is less aligned than 'struct as10x_register_addr' and is usually due to 'struct as10x_dump_memory::(unnamed at drivers/media/usb/as102/as10x_cmd.h:373:2)' being packed, which can lead to unaligned accesses [-Wunaligned-access]
+
+Mark it as being packed.
+
+Marking the inner struct as 'packed' does not change the layout, since the
+whole struct is already packed, it just silences the clang warning. See
+also this llvm discussion:
+
+https://github.com/llvm/llvm-project/issues/55520
+
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/as102_fe_types.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/dvb-frontends/as102_fe_types.h b/drivers/media/dvb-frontends/as102_fe_types.h
+index 297f9520ebf9d..8a4e392c88965 100644
+--- a/drivers/media/dvb-frontends/as102_fe_types.h
++++ b/drivers/media/dvb-frontends/as102_fe_types.h
+@@ -174,6 +174,6 @@ struct as10x_register_addr {
+ uint32_t addr;
+ /* register mode access */
+ uint8_t mode;
+-};
++} __packed;
+
+ #endif
+--
+2.43.0
+
--- /dev/null
+From b3cf1766acf55c599f12b57b13acd0e1a1e7b90f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Apr 2024 16:05:04 +0100
+Subject: media: dvb-frontends: tda10048: Fix integer overflow
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit 1aa1329a67cc214c3b7bd2a14d1301a795760b07 ]
+
+state->xtal_hz can be up to 16M, so it can overflow a 32 bit integer
+when multiplied by pll_mfactor.
+
+Create a new 64 bit variable to hold the calculations.
+
+Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-25-3c4865f5a4b0@chromium.org
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/tda10048.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/dvb-frontends/tda10048.c b/drivers/media/dvb-frontends/tda10048.c
+index 5d5e4e9e4422e..3e725cdcc66bd 100644
+--- a/drivers/media/dvb-frontends/tda10048.c
++++ b/drivers/media/dvb-frontends/tda10048.c
+@@ -410,6 +410,7 @@ static int tda10048_set_if(struct dvb_frontend *fe, u32 bw)
+ struct tda10048_config *config = &state->config;
+ int i;
+ u32 if_freq_khz;
++ u64 sample_freq;
+
+ dprintk(1, "%s(bw = %d)\n", __func__, bw);
+
+@@ -451,9 +452,11 @@ static int tda10048_set_if(struct dvb_frontend *fe, u32 bw)
+ dprintk(1, "- pll_pfactor = %d\n", state->pll_pfactor);
+
+ /* Calculate the sample frequency */
+- state->sample_freq = state->xtal_hz * (state->pll_mfactor + 45);
+- state->sample_freq /= (state->pll_nfactor + 1);
+- state->sample_freq /= (state->pll_pfactor + 4);
++ sample_freq = state->xtal_hz;
++ sample_freq *= state->pll_mfactor + 45;
++ do_div(sample_freq, state->pll_nfactor + 1);
++ do_div(sample_freq, state->pll_pfactor + 4);
++ state->sample_freq = sample_freq;
+ dprintk(1, "- sample_freq = %d\n", state->sample_freq);
+
+ /* Update the I/F */
+--
+2.43.0
+
--- /dev/null
+From fcffea15147f638f17df215540327bc50d7172c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Apr 2024 16:04:47 +0100
+Subject: media: dvb-frontends: tda18271c2dd: Remove casting during div
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit e9a844632630e18ed0671a7e3467431bd719952e ]
+
+do_div() divides 64 bits by 32. We were adding a casting to the divider
+to 64 bits, for a number that fits perfectly in 32 bits. Remove it.
+
+Found by cocci:
+drivers/media/dvb-frontends/tda18271c2dd.c:355:1-7: WARNING: do_div() does a 64-by-32 division, please consider using div64_u64 instead.
+drivers/media/dvb-frontends/tda18271c2dd.c:331:1-7: WARNING: do_div() does a 64-by-32 division, please consider using div64_u64 instead.
+
+Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-8-3c4865f5a4b0@chromium.org
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/tda18271c2dd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/dvb-frontends/tda18271c2dd.c b/drivers/media/dvb-frontends/tda18271c2dd.c
+index a348344879433..fd928787207ed 100644
+--- a/drivers/media/dvb-frontends/tda18271c2dd.c
++++ b/drivers/media/dvb-frontends/tda18271c2dd.c
+@@ -328,7 +328,7 @@ static int CalcMainPLL(struct tda_state *state, u32 freq)
+
+ OscFreq = (u64) freq * (u64) Div;
+ OscFreq *= (u64) 16384;
+- do_div(OscFreq, (u64)16000000);
++ do_div(OscFreq, 16000000);
+ MainDiv = OscFreq;
+
+ state->m_Regs[MPD] = PostDiv & 0x77;
+@@ -352,7 +352,7 @@ static int CalcCalPLL(struct tda_state *state, u32 freq)
+ OscFreq = (u64)freq * (u64)Div;
+ /* CalDiv = u32( OscFreq * 16384 / 16000000 ); */
+ OscFreq *= (u64)16384;
+- do_div(OscFreq, (u64)16000000);
++ do_div(OscFreq, 16000000);
+ CalDiv = OscFreq;
+
+ state->m_Regs[CPD] = PostDiv;
+--
+2.43.0
+
--- /dev/null
+From 5eb380aea028cb5b41851e0bcd0b043af3fac0e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Apr 2024 21:17:56 +0000
+Subject: media: dvb-usb: dib0700_devices: Add missing release_firmware()
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit 4b267c23ee064bd24c6933df0588ad1b6e111145 ]
+
+Add missing release_firmware on the error paths.
+
+drivers/media/usb/dvb-usb/dib0700_devices.c:2415 stk9090m_frontend_attach() warn: 'state->frontend_firmware' from request_firmware() not released on lines: 2415.
+drivers/media/usb/dvb-usb/dib0700_devices.c:2497 nim9090md_frontend_attach() warn: 'state->frontend_firmware' from request_firmware() not released on lines: 2489,2497.
+
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/dib0700_devices.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb/dib0700_devices.c b/drivers/media/usb/dvb-usb/dib0700_devices.c
+index 3af594134a6de..6ddc205133939 100644
+--- a/drivers/media/usb/dvb-usb/dib0700_devices.c
++++ b/drivers/media/usb/dvb-usb/dib0700_devices.c
+@@ -2412,7 +2412,12 @@ static int stk9090m_frontend_attach(struct dvb_usb_adapter *adap)
+
+ adap->fe_adap[0].fe = dvb_attach(dib9000_attach, &adap->dev->i2c_adap, 0x80, &stk9090m_config);
+
+- return adap->fe_adap[0].fe == NULL ? -ENODEV : 0;
++ if (!adap->fe_adap[0].fe) {
++ release_firmware(state->frontend_firmware);
++ return -ENODEV;
++ }
++
++ return 0;
+ }
+
+ static int dib9090_tuner_attach(struct dvb_usb_adapter *adap)
+@@ -2485,8 +2490,10 @@ static int nim9090md_frontend_attach(struct dvb_usb_adapter *adap)
+ dib9000_i2c_enumeration(&adap->dev->i2c_adap, 1, 0x20, 0x80);
+ adap->fe_adap[0].fe = dvb_attach(dib9000_attach, &adap->dev->i2c_adap, 0x80, &nim9090md_config[0]);
+
+- if (adap->fe_adap[0].fe == NULL)
++ if (!adap->fe_adap[0].fe) {
++ release_firmware(state->frontend_firmware);
+ return -ENODEV;
++ }
+
+ i2c = dib9000_get_i2c_master(adap->fe_adap[0].fe, DIBX000_I2C_INTERFACE_GPIO_3_4, 0);
+ dib9000_i2c_enumeration(i2c, 1, 0x12, 0x82);
+@@ -2494,7 +2501,12 @@ static int nim9090md_frontend_attach(struct dvb_usb_adapter *adap)
+ fe_slave = dvb_attach(dib9000_attach, i2c, 0x82, &nim9090md_config[1]);
+ dib9000_set_slave_frontend(adap->fe_adap[0].fe, fe_slave);
+
+- return fe_slave == NULL ? -ENODEV : 0;
++ if (!fe_slave) {
++ release_firmware(state->frontend_firmware);
++ return -ENODEV;
++ }
++
++ return 0;
+ }
+
+ static int nim9090md_tuner_attach(struct dvb_usb_adapter *adap)
+--
+2.43.0
+
--- /dev/null
+From 5da0aad5a8b9b6388dfcc2496e6991018ef7a837 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 16 Jan 2022 11:22:36 +0000
+Subject: media: dw2102: Don't translate i2c read into write
+
+From: Michael Bunk <micha@freedict.org>
+
+[ Upstream commit 0e148a522b8453115038193e19ec7bea71403e4a ]
+
+The code ignored the I2C_M_RD flag on I2C messages. Instead it assumed
+an i2c transaction with a single message must be a write operation and a
+transaction with two messages would be a read operation.
+
+Though this works for the driver code, it leads to problems once the i2c
+device is exposed to code not knowing this convention. For example,
+I did "insmod i2c-dev" and issued read requests from userspace, which
+were translated into write requests and destroyed the EEPROM of my
+device.
+
+So, just check and respect the I2C_M_READ flag, which indicates a read
+when set on a message. If it is absent, it is a write message.
+
+Incidentally, changing from the case statement to a while loop allows
+the code to lift the limitation to two i2c messages per transaction.
+
+There are 4 more *_i2c_transfer functions affected by the same behaviour
+and limitation that should be fixed in the same way.
+
+Link: https://lore.kernel.org/linux-media/20220116112238.74171-2-micha@freedict.org
+Signed-off-by: Michael Bunk <micha@freedict.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/dw2102.c | 120 ++++++++++++++++++-----------
+ 1 file changed, 73 insertions(+), 47 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c
+index b3bb1805829ad..10351308b0d02 100644
+--- a/drivers/media/usb/dvb-usb/dw2102.c
++++ b/drivers/media/usb/dvb-usb/dw2102.c
+@@ -716,6 +716,7 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[],
+ {
+ struct dvb_usb_device *d = i2c_get_adapdata(adap);
+ struct dw2102_state *state;
++ int j;
+
+ if (!d)
+ return -ENODEV;
+@@ -729,11 +730,11 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[],
+ return -EAGAIN;
+ }
+
+- switch (num) {
+- case 1:
+- switch (msg[0].addr) {
++ j = 0;
++ while (j < num) {
++ switch (msg[j].addr) {
+ case SU3000_STREAM_CTRL:
+- state->data[0] = msg[0].buf[0] + 0x36;
++ state->data[0] = msg[j].buf[0] + 0x36;
+ state->data[1] = 3;
+ state->data[2] = 0;
+ if (dvb_usb_generic_rw(d, state->data, 3,
+@@ -745,61 +746,86 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[],
+ if (dvb_usb_generic_rw(d, state->data, 1,
+ state->data, 2, 0) < 0)
+ err("i2c transfer failed.");
+- msg[0].buf[1] = state->data[0];
+- msg[0].buf[0] = state->data[1];
++ msg[j].buf[1] = state->data[0];
++ msg[j].buf[0] = state->data[1];
+ break;
+ default:
+- if (3 + msg[0].len > sizeof(state->data)) {
+- warn("i2c wr: len=%d is too big!\n",
+- msg[0].len);
++ /* if the current write msg is followed by a another
++ * read msg to/from the same address
++ */
++ if ((j+1 < num) && (msg[j+1].flags & I2C_M_RD) &&
++ (msg[j].addr == msg[j+1].addr)) {
++ /* join both i2c msgs to one usb read command */
++ if (4 + msg[j].len > sizeof(state->data)) {
++ warn("i2c combined wr/rd: write len=%d is too big!\n",
++ msg[j].len);
++ num = -EOPNOTSUPP;
++ break;
++ }
++ if (1 + msg[j+1].len > sizeof(state->data)) {
++ warn("i2c combined wr/rd: read len=%d is too big!\n",
++ msg[j+1].len);
++ num = -EOPNOTSUPP;
++ break;
++ }
++
++ state->data[0] = 0x09;
++ state->data[1] = msg[j].len;
++ state->data[2] = msg[j+1].len;
++ state->data[3] = msg[j].addr;
++ memcpy(&state->data[4], msg[j].buf, msg[j].len);
++
++ if (dvb_usb_generic_rw(d, state->data, msg[j].len + 4,
++ state->data, msg[j+1].len + 1, 0) < 0)
++ err("i2c transfer failed.");
++
++ memcpy(msg[j+1].buf, &state->data[1], msg[j+1].len);
++ j++;
++ break;
++ }
++
++ if (msg[j].flags & I2C_M_RD) {
++ /* single read */
++ if (1 + msg[j].len > sizeof(state->data)) {
++ warn("i2c rd: len=%d is too big!\n", msg[j].len);
++ num = -EOPNOTSUPP;
++ break;
++ }
++
++ state->data[0] = 0x09;
++ state->data[1] = 0;
++ state->data[2] = msg[j].len;
++ state->data[3] = msg[j].addr;
++ memcpy(&state->data[4], msg[j].buf, msg[j].len);
++
++ if (dvb_usb_generic_rw(d, state->data, 4,
++ state->data, msg[j].len + 1, 0) < 0)
++ err("i2c transfer failed.");
++
++ memcpy(msg[j].buf, &state->data[1], msg[j].len);
++ break;
++ }
++
++ /* single write */
++ if (3 + msg[j].len > sizeof(state->data)) {
++ warn("i2c wr: len=%d is too big!\n", msg[j].len);
+ num = -EOPNOTSUPP;
+ break;
+ }
+
+- /* always i2c write*/
+ state->data[0] = 0x08;
+- state->data[1] = msg[0].addr;
+- state->data[2] = msg[0].len;
++ state->data[1] = msg[j].addr;
++ state->data[2] = msg[j].len;
+
+- memcpy(&state->data[3], msg[0].buf, msg[0].len);
++ memcpy(&state->data[3], msg[j].buf, msg[j].len);
+
+- if (dvb_usb_generic_rw(d, state->data, msg[0].len + 3,
++ if (dvb_usb_generic_rw(d, state->data, msg[j].len + 3,
+ state->data, 1, 0) < 0)
+ err("i2c transfer failed.");
++ } // switch
++ j++;
+
+- }
+- break;
+- case 2:
+- /* always i2c read */
+- if (4 + msg[0].len > sizeof(state->data)) {
+- warn("i2c rd: len=%d is too big!\n",
+- msg[0].len);
+- num = -EOPNOTSUPP;
+- break;
+- }
+- if (1 + msg[1].len > sizeof(state->data)) {
+- warn("i2c rd: len=%d is too big!\n",
+- msg[1].len);
+- num = -EOPNOTSUPP;
+- break;
+- }
+-
+- state->data[0] = 0x09;
+- state->data[1] = msg[0].len;
+- state->data[2] = msg[1].len;
+- state->data[3] = msg[0].addr;
+- memcpy(&state->data[4], msg[0].buf, msg[0].len);
+-
+- if (dvb_usb_generic_rw(d, state->data, msg[0].len + 4,
+- state->data, msg[1].len + 1, 0) < 0)
+- err("i2c transfer failed.");
+-
+- memcpy(msg[1].buf, &state->data[1], msg[1].len);
+- break;
+- default:
+- warn("more than 2 i2c messages at a time is not handled yet.");
+- break;
+- }
++ } // while
+ mutex_unlock(&d->data_mutex);
+ mutex_unlock(&d->i2c_mutex);
+ return num;
+--
+2.43.0
+
--- /dev/null
+From 2eb41b8b2c1a96d38030f9a36647ea2703247ec8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Apr 2024 15:15:05 +0100
+Subject: media: dw2102: fix a potential buffer overflow
+
+From: Mauro Carvalho Chehab <mchehab@kernel.org>
+
+[ Upstream commit 1c73d0b29d04bf4082e7beb6a508895e118ee30d ]
+
+As pointed by smatch:
+ drivers/media/usb/dvb-usb/dw2102.c:802 su3000_i2c_transfer() error: __builtin_memcpy() '&state->data[4]' too small (64 vs 67)
+
+That seemss to be due to a wrong copy-and-paste.
+
+Fixes: 0e148a522b84 ("media: dw2102: Don't translate i2c read into write")
+
+Reported-by: Hans Verkuil <hverkuil@xs4all.nl>
+Reviewed-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb/dw2102.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c
+index 10351308b0d02..f31d3835430e7 100644
+--- a/drivers/media/usb/dvb-usb/dw2102.c
++++ b/drivers/media/usb/dvb-usb/dw2102.c
+@@ -786,7 +786,7 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[],
+
+ if (msg[j].flags & I2C_M_RD) {
+ /* single read */
+- if (1 + msg[j].len > sizeof(state->data)) {
++ if (4 + msg[j].len > sizeof(state->data)) {
+ warn("i2c rd: len=%d is too big!\n", msg[j].len);
+ num = -EOPNOTSUPP;
+ break;
+--
+2.43.0
+
--- /dev/null
+From 27333bd88b33d3e1b5e664c2c4bb1115e4784b29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Apr 2024 16:05:00 +0100
+Subject: media: i2c: st-mipid02: Use the correct div function
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit 22dccf029e4a67ad5aa62537c47ece9f24c8f970 ]
+
+link_freq does not fit in 32 bits.
+
+Found by cocci:
+drivers/media/i2c/st-mipid02.c:329:1-7: WARNING: do_div() does a 64-by-32 division, please consider using div64_s64 instead.
+
+Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-21-3c4865f5a4b0@chromium.org
+Reviewed-by: Benjamin Mugnier <benjamin.mugnier@foss.st.com>
+Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/st-mipid02.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/i2c/st-mipid02.c b/drivers/media/i2c/st-mipid02.c
+index f250640729ca4..b947a55281f0e 100644
+--- a/drivers/media/i2c/st-mipid02.c
++++ b/drivers/media/i2c/st-mipid02.c
+@@ -326,7 +326,7 @@ static int mipid02_configure_from_rx_speed(struct mipid02_dev *bridge,
+ }
+
+ dev_dbg(&client->dev, "detect link_freq = %lld Hz", link_freq);
+- do_div(ui_4, link_freq);
++ ui_4 = div64_u64(ui_4, link_freq);
+ bridge->r.clk_lane_reg1 |= ui_4 << 2;
+
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From 9a7646ca19f74a51e8de8e178103e710d978ca67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Dec 2023 09:17:46 +0000
+Subject: media: mediatek: vcodec: Only free buffer VA that is not NULL
+
+From: Fei Shao <fshao@chromium.org>
+
+[ Upstream commit eb005c801ec70ff4307727bd3bd6e8280169ef32 ]
+
+In the MediaTek vcodec driver, while mtk_vcodec_mem_free() is mostly
+called only when the buffer to free exists, there are some instances
+that didn't do the check and triggered warnings in practice.
+
+We believe those checks were forgotten unintentionally. Add the checks
+back to fix the warnings.
+
+Signed-off-by: Fei Shao <fshao@chromium.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@collabora.com>
+Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../vcodec/decoder/vdec/vdec_av1_req_lat_if.c | 22 +++++++++++++------
+ .../vcodec/encoder/venc/venc_h264_if.c | 5 +++--
+ 2 files changed, 18 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_av1_req_lat_if.c b/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_av1_req_lat_if.c
+index 2b6a5adbc4199..b0e2e59f61b5d 100644
+--- a/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_av1_req_lat_if.c
++++ b/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_av1_req_lat_if.c
+@@ -1023,18 +1023,26 @@ static void vdec_av1_slice_free_working_buffer(struct vdec_av1_slice_instance *i
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(instance->mv); i++)
+- mtk_vcodec_mem_free(ctx, &instance->mv[i]);
++ if (instance->mv[i].va)
++ mtk_vcodec_mem_free(ctx, &instance->mv[i]);
+
+ for (i = 0; i < ARRAY_SIZE(instance->seg); i++)
+- mtk_vcodec_mem_free(ctx, &instance->seg[i]);
++ if (instance->seg[i].va)
++ mtk_vcodec_mem_free(ctx, &instance->seg[i]);
+
+ for (i = 0; i < ARRAY_SIZE(instance->cdf); i++)
+- mtk_vcodec_mem_free(ctx, &instance->cdf[i]);
++ if (instance->cdf[i].va)
++ mtk_vcodec_mem_free(ctx, &instance->cdf[i]);
++
+
+- mtk_vcodec_mem_free(ctx, &instance->tile);
+- mtk_vcodec_mem_free(ctx, &instance->cdf_temp);
+- mtk_vcodec_mem_free(ctx, &instance->cdf_table);
+- mtk_vcodec_mem_free(ctx, &instance->iq_table);
++ if (instance->tile.va)
++ mtk_vcodec_mem_free(ctx, &instance->tile);
++ if (instance->cdf_temp.va)
++ mtk_vcodec_mem_free(ctx, &instance->cdf_temp);
++ if (instance->cdf_table.va)
++ mtk_vcodec_mem_free(ctx, &instance->cdf_table);
++ if (instance->iq_table.va)
++ mtk_vcodec_mem_free(ctx, &instance->iq_table);
+
+ instance->level = AV1_RES_NONE;
+ }
+diff --git a/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c b/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c
+index a68dac72c4e42..f8145998fcaf7 100644
+--- a/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c
++++ b/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c
+@@ -301,11 +301,12 @@ static void h264_enc_free_work_buf(struct venc_h264_inst *inst)
+ * other buffers need to be freed by AP.
+ */
+ for (i = 0; i < VENC_H264_VPU_WORK_BUF_MAX; i++) {
+- if (i != VENC_H264_VPU_WORK_BUF_SKIP_FRAME)
++ if (i != VENC_H264_VPU_WORK_BUF_SKIP_FRAME && inst->work_bufs[i].va)
+ mtk_vcodec_mem_free(inst->ctx, &inst->work_bufs[i]);
+ }
+
+- mtk_vcodec_mem_free(inst->ctx, &inst->pps_buf);
++ if (inst->pps_buf.va)
++ mtk_vcodec_mem_free(inst->ctx, &inst->pps_buf);
+ }
+
+ static int h264_enc_alloc_work_buf(struct venc_h264_inst *inst, bool is_34bit)
+--
+2.43.0
+
--- /dev/null
+From 16ef6c19c1cc107d29df11a38a0191267e6faba4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Apr 2024 16:04:50 +0100
+Subject: media: s2255: Use refcount_t instead of atomic_t for num_channels
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit 6cff72f6bcee89228a662435b7c47e21a391c8d0 ]
+
+Use an API that resembles more the actual use of num_channels.
+
+Found by cocci:
+drivers/media/usb/s2255/s2255drv.c:2362:5-24: WARNING: atomic_dec_and_test variation before object free at line 2363.
+drivers/media/usb/s2255/s2255drv.c:1557:5-24: WARNING: atomic_dec_and_test variation before object free at line 1558.
+
+Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-11-3c4865f5a4b0@chromium.org
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/s2255/s2255drv.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/media/usb/s2255/s2255drv.c b/drivers/media/usb/s2255/s2255drv.c
+index 8e1de1e8bd127..a6e450181fd01 100644
+--- a/drivers/media/usb/s2255/s2255drv.c
++++ b/drivers/media/usb/s2255/s2255drv.c
+@@ -247,7 +247,7 @@ struct s2255_vc {
+ struct s2255_dev {
+ struct s2255_vc vc[MAX_CHANNELS];
+ struct v4l2_device v4l2_dev;
+- atomic_t num_channels;
++ refcount_t num_channels;
+ int frames;
+ struct mutex lock; /* channels[].vdev.lock */
+ struct mutex cmdlock; /* protects cmdbuf */
+@@ -1550,11 +1550,11 @@ static void s2255_video_device_release(struct video_device *vdev)
+ container_of(vdev, struct s2255_vc, vdev);
+
+ dprintk(dev, 4, "%s, chnls: %d\n", __func__,
+- atomic_read(&dev->num_channels));
++ refcount_read(&dev->num_channels));
+
+ v4l2_ctrl_handler_free(&vc->hdl);
+
+- if (atomic_dec_and_test(&dev->num_channels))
++ if (refcount_dec_and_test(&dev->num_channels))
+ s2255_destroy(dev);
+ return;
+ }
+@@ -1659,7 +1659,7 @@ static int s2255_probe_v4l(struct s2255_dev *dev)
+ "failed to register video device!\n");
+ break;
+ }
+- atomic_inc(&dev->num_channels);
++ refcount_inc(&dev->num_channels);
+ v4l2_info(&dev->v4l2_dev, "V4L2 device registered as %s\n",
+ video_device_node_name(&vc->vdev));
+
+@@ -1667,11 +1667,11 @@ static int s2255_probe_v4l(struct s2255_dev *dev)
+ pr_info("Sensoray 2255 V4L driver Revision: %s\n",
+ S2255_VERSION);
+ /* if no channels registered, return error and probe will fail*/
+- if (atomic_read(&dev->num_channels) == 0) {
++ if (refcount_read(&dev->num_channels) == 0) {
+ v4l2_device_unregister(&dev->v4l2_dev);
+ return ret;
+ }
+- if (atomic_read(&dev->num_channels) != MAX_CHANNELS)
++ if (refcount_read(&dev->num_channels) != MAX_CHANNELS)
+ pr_warn("s2255: Not all channels available.\n");
+ return 0;
+ }
+@@ -2221,7 +2221,7 @@ static int s2255_probe(struct usb_interface *interface,
+ goto errorFWDATA1;
+ }
+
+- atomic_set(&dev->num_channels, 0);
++ refcount_set(&dev->num_channels, 0);
+ dev->pid = id->idProduct;
+ dev->fw_data = kzalloc(sizeof(struct s2255_fw), GFP_KERNEL);
+ if (!dev->fw_data)
+@@ -2341,12 +2341,12 @@ static void s2255_disconnect(struct usb_interface *interface)
+ {
+ struct s2255_dev *dev = to_s2255_dev(usb_get_intfdata(interface));
+ int i;
+- int channels = atomic_read(&dev->num_channels);
++ int channels = refcount_read(&dev->num_channels);
+ mutex_lock(&dev->lock);
+ v4l2_device_disconnect(&dev->v4l2_dev);
+ mutex_unlock(&dev->lock);
+ /*see comments in the uvc_driver.c usb disconnect function */
+- atomic_inc(&dev->num_channels);
++ refcount_inc(&dev->num_channels);
+ /* unregister each video device. */
+ for (i = 0; i < channels; i++)
+ video_unregister_device(&dev->vc[i].vdev);
+@@ -2359,7 +2359,7 @@ static void s2255_disconnect(struct usb_interface *interface)
+ dev->vc[i].vidstatus_ready = 1;
+ wake_up(&dev->vc[i].wait_vidstatus);
+ }
+- if (atomic_dec_and_test(&dev->num_channels))
++ if (refcount_dec_and_test(&dev->num_channels))
+ s2255_destroy(dev);
+ dev_info(&interface->dev, "%s\n", __func__);
+ }
+--
+2.43.0
+
--- /dev/null
+From 1e8cac6b8ed33ae7a358b0f1c9fdf71c1c50d30c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Apr 2024 16:05:01 +0100
+Subject: media: tc358746: Use the correct div_ function
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit d77731382f57b9c18664a13c7e197285060ebf93 ]
+
+fin does not fit in 32 bits in some arches.
+
+Found by cocci:
+drivers/media/i2c/tc358746.c:847:2-8: WARNING: do_div() does a 64-by-32 division, please consider using div64_ul instead.
+
+Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-22-3c4865f5a4b0@chromium.org
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/tc358746.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/media/i2c/tc358746.c b/drivers/media/i2c/tc358746.c
+index d676adc4401bb..edf79107adc51 100644
+--- a/drivers/media/i2c/tc358746.c
++++ b/drivers/media/i2c/tc358746.c
+@@ -844,8 +844,7 @@ static unsigned long tc358746_find_pll_settings(struct tc358746 *tc358746,
+ continue;
+
+ tmp = fout * postdiv;
+- do_div(tmp, fin);
+- mul = tmp;
++ mul = div64_ul(tmp, fin);
+ if (mul > 511)
+ continue;
+
+--
+2.43.0
+
--- /dev/null
+From 97608e6156ec689642b1b200f2e7646216837ed6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Apr 2024 12:22:29 -0700
+Subject: net: dql: Avoid calling BUG() when WARN() is enough
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit 4854b463c4b27c94a7de86d16ad84f235f4c1a72 ]
+
+If the dql_queued() function receives an invalid argument, WARN about it
+and continue, instead of crashing the kernel.
+
+This was raised by checkpatch, when I am refactoring this code (see
+following patch/commit)
+
+ WARNING: Do not crash the kernel unless it is absolutely unavoidable--use WARN_ON_ONCE() plus recovery code (if feasible) instead of BUG() or variants
+
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Link: https://lore.kernel.org/r/20240411192241.2498631-2-leitao@debian.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/dynamic_queue_limits.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/dynamic_queue_limits.h b/include/linux/dynamic_queue_limits.h
+index 5693a4be0d9a9..ff9c65841ae8d 100644
+--- a/include/linux/dynamic_queue_limits.h
++++ b/include/linux/dynamic_queue_limits.h
+@@ -91,7 +91,8 @@ static inline void dql_queued(struct dql *dql, unsigned int count)
+ {
+ unsigned long map, now, now_hi, i;
+
+- BUG_ON(count > DQL_MAX_OBJECT);
++ if (WARN_ON_ONCE(count > DQL_MAX_OBJECT))
++ return;
+
+ dql->last_obj_cnt = count;
+
+--
+2.43.0
+
--- /dev/null
+From 9a8af2f5b0a464bc64d149585a26c6ee98f8c1fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Apr 2024 18:46:45 +0100
+Subject: net: dsa: mv88e6xxx: Correct check for empty list
+
+From: Simon Horman <horms@kernel.org>
+
+[ Upstream commit 4c7f3950a9fd53a62b156c0fe7c3a2c43b0ba19b ]
+
+Since commit a3c53be55c95 ("net: dsa: mv88e6xxx: Support multiple MDIO
+busses") mv88e6xxx_default_mdio_bus() has checked that the
+return value of list_first_entry() is non-NULL.
+
+This appears to be intended to guard against the list chip->mdios being
+empty. However, it is not the correct check as the implementation of
+list_first_entry is not designed to return NULL for empty lists.
+
+Instead, use list_first_entry_or_null() which does return NULL if the
+list is empty.
+
+Flagged by Smatch.
+Compile tested only.
+
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20240430-mv88e6xx-list_empty-v3-1-c35c69d88d2e@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
+index 5a202edfec371..80741e506f422 100644
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -131,8 +131,8 @@ struct mii_bus *mv88e6xxx_default_mdio_bus(struct mv88e6xxx_chip *chip)
+ {
+ struct mv88e6xxx_mdio_bus *mdio_bus;
+
+- mdio_bus = list_first_entry(&chip->mdios, struct mv88e6xxx_mdio_bus,
+- list);
++ mdio_bus = list_first_entry_or_null(&chip->mdios,
++ struct mv88e6xxx_mdio_bus, list);
+ if (!mdio_bus)
+ return NULL;
+
+--
+2.43.0
+
--- /dev/null
+From 90b244ce6f7f430c59f382c1ee7941a1952e9d87 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 May 2024 16:20:36 -0400
+Subject: orangefs: fix out-of-bounds fsid access
+
+From: Mike Marshall <hubcap@omnibond.com>
+
+[ Upstream commit 53e4efa470d5fc6a96662d2d3322cfc925818517 ]
+
+Arnd Bergmann sent a patch to fsdevel, he says:
+
+"orangefs_statfs() copies two consecutive fields of the superblock into
+the statfs structure, which triggers a warning from the string fortification
+helpers"
+
+Jan Kara suggested an alternate way to do the patch to make it more readable.
+
+I ran both ideas through xfstests and both seem fine. This patch
+is based on Jan Kara's suggestion.
+
+Signed-off-by: Mike Marshall <hubcap@omnibond.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/orangefs/super.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/orangefs/super.c b/fs/orangefs/super.c
+index 34849b4a3243c..907765673765c 100644
+--- a/fs/orangefs/super.c
++++ b/fs/orangefs/super.c
+@@ -201,7 +201,8 @@ static int orangefs_statfs(struct dentry *dentry, struct kstatfs *buf)
+ (long)new_op->downcall.resp.statfs.files_avail);
+
+ buf->f_type = sb->s_magic;
+- memcpy(&buf->f_fsid, &ORANGEFS_SB(sb)->fs_id, sizeof(buf->f_fsid));
++ buf->f_fsid.val[0] = ORANGEFS_SB(sb)->fs_id;
++ buf->f_fsid.val[1] = ORANGEFS_SB(sb)->id;
+ buf->f_bsize = new_op->downcall.resp.statfs.block_size;
+ buf->f_namelen = ORANGEFS_NAME_MAX;
+
+--
+2.43.0
+
--- /dev/null
+From 68a2ae4788076eddd4bca95129e51c532620dc55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 May 2024 17:56:19 +1000
+Subject: powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for
+ CONFIG_PCI=n
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit be140f1732b523947425aaafbe2e37b41b622d96 ]
+
+There is code that builds with calls to IO accessors even when
+CONFIG_PCI=n, but the actual calls are guarded by runtime checks.
+
+If not those calls would be faulting, because the page at virtual
+address zero is (usually) not mapped into the kernel. As Arnd pointed
+out, it is possible a large port value could cause the address to be
+above mmap_min_addr which would then access userspace, which would be
+a bug.
+
+To avoid any such issues, set _IO_BASE to POISON_POINTER_DELTA. That
+is a value chosen to point into unmapped space between the kernel and
+userspace, so any access will always fault.
+
+Note that on 32-bit POISON_POINTER_DELTA is 0, so the patch only has an
+effect on 64-bit.
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20240503075619.394467-2-mpe@ellerman.id.au
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/io.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/include/asm/io.h b/arch/powerpc/include/asm/io.h
+index ba2e13bb879dc..048e3705af20b 100644
+--- a/arch/powerpc/include/asm/io.h
++++ b/arch/powerpc/include/asm/io.h
+@@ -37,7 +37,7 @@ extern struct pci_dev *isa_bridge_pcidev;
+ * define properly based on the platform
+ */
+ #ifndef CONFIG_PCI
+-#define _IO_BASE 0
++#define _IO_BASE POISON_POINTER_DELTA
+ #define _ISA_MEM_BASE 0
+ #define PCI_DRAM_OFFSET 0
+ #elif defined(CONFIG_PPC32)
+--
+2.43.0
+
--- /dev/null
+From 8836d0e335422aff019e5f9590d553fb56979614 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Apr 2024 10:00:06 +0530
+Subject: powerpc: Avoid nmi_enter/nmi_exit in real mode interrupt.
+
+From: Mahesh Salgaonkar <mahesh@linux.ibm.com>
+
+[ Upstream commit 0db880fc865ffb522141ced4bfa66c12ab1fbb70 ]
+
+nmi_enter()/nmi_exit() touches per cpu variables which can lead to kernel
+crash when invoked during real mode interrupt handling (e.g. early HMI/MCE
+interrupt handler) if percpu allocation comes from vmalloc area.
+
+Early HMI/MCE handlers are called through DEFINE_INTERRUPT_HANDLER_NMI()
+wrapper which invokes nmi_enter/nmi_exit calls. We don't see any issue when
+percpu allocation is from the embedded first chunk. However with
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK enabled there are chances where percpu
+allocation can come from the vmalloc area.
+
+With kernel command line "percpu_alloc=page" we can force percpu allocation
+to come from vmalloc area and can see kernel crash in machine_check_early:
+
+[ 1.215714] NIP [c000000000e49eb4] rcu_nmi_enter+0x24/0x110
+[ 1.215717] LR [c0000000000461a0] machine_check_early+0xf0/0x2c0
+[ 1.215719] --- interrupt: 200
+[ 1.215720] [c000000fffd73180] [0000000000000000] 0x0 (unreliable)
+[ 1.215722] [c000000fffd731b0] [0000000000000000] 0x0
+[ 1.215724] [c000000fffd73210] [c000000000008364] machine_check_early_common+0x134/0x1f8
+
+Fix this by avoiding use of nmi_enter()/nmi_exit() in real mode if percpu
+first chunk is not embedded.
+
+Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Tested-by: Shirisha Ganta <shirisha@linux.ibm.com>
+Signed-off-by: Mahesh Salgaonkar <mahesh@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20240410043006.81577-1-mahesh@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/interrupt.h | 10 ++++++++++
+ arch/powerpc/include/asm/percpu.h | 10 ++++++++++
+ arch/powerpc/kernel/setup_64.c | 2 ++
+ 3 files changed, 22 insertions(+)
+
+diff --git a/arch/powerpc/include/asm/interrupt.h b/arch/powerpc/include/asm/interrupt.h
+index 7b610864b3645..2d6c886b40f44 100644
+--- a/arch/powerpc/include/asm/interrupt.h
++++ b/arch/powerpc/include/asm/interrupt.h
+@@ -336,6 +336,14 @@ static inline void interrupt_nmi_enter_prepare(struct pt_regs *regs, struct inte
+ if (IS_ENABLED(CONFIG_KASAN))
+ return;
+
++ /*
++ * Likewise, do not use it in real mode if percpu first chunk is not
++ * embedded. With CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK enabled there
++ * are chances where percpu allocation can come from vmalloc area.
++ */
++ if (percpu_first_chunk_is_paged)
++ return;
++
+ /* Otherwise, it should be safe to call it */
+ nmi_enter();
+ }
+@@ -351,6 +359,8 @@ static inline void interrupt_nmi_exit_prepare(struct pt_regs *regs, struct inter
+ // no nmi_exit for a pseries hash guest taking a real mode exception
+ } else if (IS_ENABLED(CONFIG_KASAN)) {
+ // no nmi_exit for KASAN in real mode
++ } else if (percpu_first_chunk_is_paged) {
++ // no nmi_exit if percpu first chunk is not embedded
+ } else {
+ nmi_exit();
+ }
+diff --git a/arch/powerpc/include/asm/percpu.h b/arch/powerpc/include/asm/percpu.h
+index 8e5b7d0b851c6..634970ce13c6b 100644
+--- a/arch/powerpc/include/asm/percpu.h
++++ b/arch/powerpc/include/asm/percpu.h
+@@ -15,6 +15,16 @@
+ #endif /* CONFIG_SMP */
+ #endif /* __powerpc64__ */
+
++#if defined(CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK) && defined(CONFIG_SMP)
++#include <linux/jump_label.h>
++DECLARE_STATIC_KEY_FALSE(__percpu_first_chunk_is_paged);
++
++#define percpu_first_chunk_is_paged \
++ (static_key_enabled(&__percpu_first_chunk_is_paged.key))
++#else
++#define percpu_first_chunk_is_paged false
++#endif /* CONFIG_PPC64 && CONFIG_SMP */
++
+ #include <asm-generic/percpu.h>
+
+ #include <asm/paca.h>
+diff --git a/arch/powerpc/kernel/setup_64.c b/arch/powerpc/kernel/setup_64.c
+index 2f19d5e944852..ae36a129789ff 100644
+--- a/arch/powerpc/kernel/setup_64.c
++++ b/arch/powerpc/kernel/setup_64.c
+@@ -834,6 +834,7 @@ static __init int pcpu_cpu_to_node(int cpu)
+
+ unsigned long __per_cpu_offset[NR_CPUS] __read_mostly;
+ EXPORT_SYMBOL(__per_cpu_offset);
++DEFINE_STATIC_KEY_FALSE(__percpu_first_chunk_is_paged);
+
+ void __init setup_per_cpu_areas(void)
+ {
+@@ -876,6 +877,7 @@ void __init setup_per_cpu_areas(void)
+ if (rc < 0)
+ panic("cannot initialize percpu area (err=%d)", rc);
+
++ static_key_enable(&__percpu_first_chunk_is_paged.key);
+ delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
+ for_each_possible_cpu(cpu) {
+ __per_cpu_offset[cpu] = delta + pcpu_unit_offsets[cpu];
+--
+2.43.0
+
--- /dev/null
+From 0e94b82304e7a726b27dd46394fe22b6c1ebcd60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Apr 2024 21:23:18 +1000
+Subject: powerpc/dexcr: Track the DEXCR per-process
+
+From: Benjamin Gray <bgray@linux.ibm.com>
+
+[ Upstream commit 75171f06c4507c3b6b5a69d793879fb20d108bb1 ]
+
+Add capability to make the DEXCR act as a per-process SPR.
+
+We do not yet have an interface for changing the values per task. We
+also expect the kernel to use a single DEXCR value across all tasks
+while in privileged state, so there is no need to synchronize after
+changing it (the userspace aspects will synchronize upon returning to
+userspace).
+
+Signed-off-by: Benjamin Gray <bgray@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20240417112325.728010-3-bgray@linux.ibm.com
+Stable-dep-of: bbd99922d0f4 ("powerpc/dexcr: Reset DEXCR value across exec")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/processor.h | 1 +
+ arch/powerpc/kernel/process.c | 10 ++++++++++
+ arch/powerpc/kernel/ptrace/ptrace-view.c | 7 +------
+ 3 files changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/processor.h b/arch/powerpc/include/asm/processor.h
+index b2c51d337e60c..882e31296ea6b 100644
+--- a/arch/powerpc/include/asm/processor.h
++++ b/arch/powerpc/include/asm/processor.h
+@@ -260,6 +260,7 @@ struct thread_struct {
+ unsigned long sier2;
+ unsigned long sier3;
+ unsigned long hashkeyr;
++ unsigned long dexcr;
+
+ #endif
+ };
+diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
+index 9452a54d356c9..d482c3fd81d7a 100644
+--- a/arch/powerpc/kernel/process.c
++++ b/arch/powerpc/kernel/process.c
+@@ -1185,6 +1185,9 @@ static inline void save_sprs(struct thread_struct *t)
+
+ if (cpu_has_feature(CPU_FTR_DEXCR_NPHIE))
+ t->hashkeyr = mfspr(SPRN_HASHKEYR);
++
++ if (cpu_has_feature(CPU_FTR_ARCH_31))
++ t->dexcr = mfspr(SPRN_DEXCR);
+ #endif
+ }
+
+@@ -1267,6 +1270,10 @@ static inline void restore_sprs(struct thread_struct *old_thread,
+ if (cpu_has_feature(CPU_FTR_DEXCR_NPHIE) &&
+ old_thread->hashkeyr != new_thread->hashkeyr)
+ mtspr(SPRN_HASHKEYR, new_thread->hashkeyr);
++
++ if (cpu_has_feature(CPU_FTR_ARCH_31) &&
++ old_thread->dexcr != new_thread->dexcr)
++ mtspr(SPRN_DEXCR, new_thread->dexcr);
+ #endif
+
+ }
+@@ -1878,6 +1885,9 @@ int copy_thread(struct task_struct *p, const struct kernel_clone_args *args)
+ #ifdef CONFIG_PPC_BOOK3S_64
+ if (cpu_has_feature(CPU_FTR_DEXCR_NPHIE))
+ p->thread.hashkeyr = current->thread.hashkeyr;
++
++ if (cpu_has_feature(CPU_FTR_ARCH_31))
++ p->thread.dexcr = mfspr(SPRN_DEXCR);
+ #endif
+ return 0;
+ }
+diff --git a/arch/powerpc/kernel/ptrace/ptrace-view.c b/arch/powerpc/kernel/ptrace/ptrace-view.c
+index 584cf5c3df509..c1819e0a66842 100644
+--- a/arch/powerpc/kernel/ptrace/ptrace-view.c
++++ b/arch/powerpc/kernel/ptrace/ptrace-view.c
+@@ -469,12 +469,7 @@ static int dexcr_get(struct task_struct *target, const struct user_regset *regse
+ if (!cpu_has_feature(CPU_FTR_ARCH_31))
+ return -ENODEV;
+
+- /*
+- * The DEXCR is currently static across all CPUs, so we don't
+- * store the target's value anywhere, but the static value
+- * will also be correct.
+- */
+- membuf_store(&to, (u64)lower_32_bits(DEXCR_INIT));
++ membuf_store(&to, (u64)lower_32_bits(target->thread.dexcr));
+
+ /*
+ * Technically the HDEXCR is per-cpu, but a hypervisor can't reasonably
+--
+2.43.0
+
--- /dev/null
+From 301ecb6b33f1516fcd4198afea3531be4090fe76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Mar 2021 19:11:10 +0100
+Subject: powerpc/xmon: Check cpu id in commands "c#", "dp#" and "dx#"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Greg Kurz <groug@kaod.org>
+
+[ Upstream commit 8873aab8646194a4446117bb617cc71bddda2dee ]
+
+All these commands end up peeking into the PACA using the user
+originated cpu id as an index. Check the cpu id is valid in order
+to prevent xmon to crash. Instead of printing an error, this follows
+the same behavior as the "lp s #" command : ignore the buggy cpu id
+parameter and fall back to the #-less version of the command.
+
+Signed-off-by: Greg Kurz <groug@kaod.org>
+Reviewed-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/161531347060.252863.10490063933688958044.stgit@bahia.lan
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/xmon/xmon.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c
+index d79d6633f3336..bd4813bad317e 100644
+--- a/arch/powerpc/xmon/xmon.c
++++ b/arch/powerpc/xmon/xmon.c
+@@ -1350,7 +1350,7 @@ static int cpu_cmd(void)
+ }
+ termch = cpu;
+
+- if (!scanhex(&cpu)) {
++ if (!scanhex(&cpu) || cpu >= num_possible_cpus()) {
+ /* print cpus waiting or in xmon */
+ printf("cpus stopped:");
+ last_cpu = first_cpu = NR_CPUS;
+@@ -2772,7 +2772,7 @@ static void dump_pacas(void)
+
+ termch = c; /* Put c back, it wasn't 'a' */
+
+- if (scanhex(&num))
++ if (scanhex(&num) && num < num_possible_cpus())
+ dump_one_paca(num);
+ else
+ dump_one_paca(xmon_owner);
+@@ -2845,7 +2845,7 @@ static void dump_xives(void)
+
+ termch = c; /* Put c back, it wasn't 'a' */
+
+- if (scanhex(&num))
++ if (scanhex(&num) && num < num_possible_cpus())
+ dump_one_xive(num);
+ else
+ dump_one_xive(xmon_owner);
+--
+2.43.0
+
--- /dev/null
+From 9361ebd01bd5d9cf88c0acaf1b9cd36f4bb7c77e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Apr 2024 08:17:26 -0700
+Subject: RISC-V: KVM: Fix the initial sample period value
+
+From: Atish Patra <atishp@rivosinc.com>
+
+[ Upstream commit 57990ab90ce31aadac0d5a6293f5582e24ff7521 ]
+
+The initial sample period value when counter value is not assigned
+should be set to maximum value supported by the counter width.
+Otherwise, it may result in spurious interrupts.
+
+Reviewed-by: Andrew Jones <ajones@ventanamicro.com>
+Signed-off-by: Atish Patra <atishp@rivosinc.com>
+Reviewed-by: Anup Patel <anup@brainfault.org>
+Link: https://lore.kernel.org/r/20240420151741.962500-11-atishp@rivosinc.com
+Signed-off-by: Anup Patel <anup@brainfault.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kvm/vcpu_pmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/kvm/vcpu_pmu.c b/arch/riscv/kvm/vcpu_pmu.c
+index 86391a5061dda..cee1b9ca4ec48 100644
+--- a/arch/riscv/kvm/vcpu_pmu.c
++++ b/arch/riscv/kvm/vcpu_pmu.c
+@@ -39,7 +39,7 @@ static u64 kvm_pmu_get_sample_period(struct kvm_pmc *pmc)
+ u64 sample_period;
+
+ if (!pmc->counter_val)
+- sample_period = counter_val_mask + 1;
++ sample_period = counter_val_mask;
+ else
+ sample_period = (-pmc->counter_val) & counter_val_mask;
+
+--
+2.43.0
+
--- /dev/null
+From b794d1421e29a31517e45318f087a0e59b5b23cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Mar 2024 21:49:48 -0700
+Subject: riscv: Apply SiFive CIP-1200 workaround to single-ASID sfence.vma
+
+From: Samuel Holland <samuel.holland@sifive.com>
+
+[ Upstream commit 20e03d702e00a3e0269a1d6f9549c2e370492054 ]
+
+commit 3f1e782998cd ("riscv: add ASID-based tlbflushing methods") added
+calls to the sfence.vma instruction with rs2 != x0. These single-ASID
+instruction variants are also affected by SiFive errata CIP-1200.
+
+Until now, the errata workaround was not needed for the single-ASID
+sfence.vma variants, because they were only used when the ASID allocator
+was enabled, and the affected SiFive platforms do not support multiple
+ASIDs. However, we are going to start using those sfence.vma variants
+regardless of ASID support, so now we need alternatives covering them.
+
+Signed-off-by: Samuel Holland <samuel.holland@sifive.com>
+Link: https://lore.kernel.org/r/20240327045035.368512-8-samuel.holland@sifive.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/include/asm/errata_list.h | 12 +++++++++++-
+ arch/riscv/include/asm/tlbflush.h | 19 ++++++++++++++++++-
+ arch/riscv/mm/tlbflush.c | 23 -----------------------
+ 3 files changed, 29 insertions(+), 25 deletions(-)
+
+diff --git a/arch/riscv/include/asm/errata_list.h b/arch/riscv/include/asm/errata_list.h
+index efd851e1b4832..7c8a71a526a30 100644
+--- a/arch/riscv/include/asm/errata_list.h
++++ b/arch/riscv/include/asm/errata_list.h
+@@ -43,11 +43,21 @@ ALTERNATIVE(__stringify(RISCV_PTR do_page_fault), \
+ CONFIG_ERRATA_SIFIVE_CIP_453)
+ #else /* !__ASSEMBLY__ */
+
+-#define ALT_FLUSH_TLB_PAGE(x) \
++#define ALT_SFENCE_VMA_ASID(asid) \
++asm(ALTERNATIVE("sfence.vma x0, %0", "sfence.vma", SIFIVE_VENDOR_ID, \
++ ERRATA_SIFIVE_CIP_1200, CONFIG_ERRATA_SIFIVE_CIP_1200) \
++ : : "r" (asid) : "memory")
++
++#define ALT_SFENCE_VMA_ADDR(addr) \
+ asm(ALTERNATIVE("sfence.vma %0", "sfence.vma", SIFIVE_VENDOR_ID, \
+ ERRATA_SIFIVE_CIP_1200, CONFIG_ERRATA_SIFIVE_CIP_1200) \
+ : : "r" (addr) : "memory")
+
++#define ALT_SFENCE_VMA_ADDR_ASID(addr, asid) \
++asm(ALTERNATIVE("sfence.vma %0, %1", "sfence.vma", SIFIVE_VENDOR_ID, \
++ ERRATA_SIFIVE_CIP_1200, CONFIG_ERRATA_SIFIVE_CIP_1200) \
++ : : "r" (addr), "r" (asid) : "memory")
++
+ /*
+ * _val is marked as "will be overwritten", so need to set it to 0
+ * in the default case.
+diff --git a/arch/riscv/include/asm/tlbflush.h b/arch/riscv/include/asm/tlbflush.h
+index 4112cc8d1d69f..79dada53d7eb5 100644
+--- a/arch/riscv/include/asm/tlbflush.h
++++ b/arch/riscv/include/asm/tlbflush.h
+@@ -22,10 +22,27 @@ static inline void local_flush_tlb_all(void)
+ __asm__ __volatile__ ("sfence.vma" : : : "memory");
+ }
+
++static inline void local_flush_tlb_all_asid(unsigned long asid)
++{
++ if (asid != FLUSH_TLB_NO_ASID)
++ ALT_SFENCE_VMA_ASID(asid);
++ else
++ local_flush_tlb_all();
++}
++
+ /* Flush one page from local TLB */
+ static inline void local_flush_tlb_page(unsigned long addr)
+ {
+- ALT_FLUSH_TLB_PAGE(__asm__ __volatile__ ("sfence.vma %0" : : "r" (addr) : "memory"));
++ ALT_SFENCE_VMA_ADDR(addr);
++}
++
++static inline void local_flush_tlb_page_asid(unsigned long addr,
++ unsigned long asid)
++{
++ if (asid != FLUSH_TLB_NO_ASID)
++ ALT_SFENCE_VMA_ADDR_ASID(addr, asid);
++ else
++ local_flush_tlb_page(addr);
+ }
+ #else /* CONFIG_MMU */
+ #define local_flush_tlb_all() do { } while (0)
+diff --git a/arch/riscv/mm/tlbflush.c b/arch/riscv/mm/tlbflush.c
+index 07d743f87b3f6..a6f788774856b 100644
+--- a/arch/riscv/mm/tlbflush.c
++++ b/arch/riscv/mm/tlbflush.c
+@@ -7,29 +7,6 @@
+ #include <asm/sbi.h>
+ #include <asm/mmu_context.h>
+
+-static inline void local_flush_tlb_all_asid(unsigned long asid)
+-{
+- if (asid != FLUSH_TLB_NO_ASID)
+- __asm__ __volatile__ ("sfence.vma x0, %0"
+- :
+- : "r" (asid)
+- : "memory");
+- else
+- local_flush_tlb_all();
+-}
+-
+-static inline void local_flush_tlb_page_asid(unsigned long addr,
+- unsigned long asid)
+-{
+- if (asid != FLUSH_TLB_NO_ASID)
+- __asm__ __volatile__ ("sfence.vma %0, %1"
+- :
+- : "r" (addr), "r" (asid)
+- : "memory");
+- else
+- local_flush_tlb_page(addr);
+-}
+-
+ /*
+ * Flush entire TLB if number of entries to be flushed is greater
+ * than the threshold below.
+--
+2.43.0
+
--- /dev/null
+From 597a794ab323d327b10c5a20162d0af2f36e933e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Apr 2024 16:30:01 +0200
+Subject: s390: Mark psw in __load_psw_mask() as __unitialized
+
+From: Sven Schnelle <svens@linux.ibm.com>
+
+[ Upstream commit 7278a8fb8d032dfdc03d9b5d17e0bc451cdc1492 ]
+
+Without __unitialized, the following code is generated when
+INIT_STACK_ALL_ZERO is enabled:
+
+86: d7 0f f0 a0 f0 a0 xc 160(16,%r15), 160(%r15)
+8c: e3 40 f0 a0 00 24 stg %r4, 160(%r15)
+92: c0 10 00 00 00 08 larl %r1, 0xa2
+98: e3 10 f0 a8 00 24 stg %r1, 168(%r15)
+9e: b2 b2 f0 a0 lpswe 160(%r15)
+
+The xc is not adding any security because psw is fully initialized
+with the following instructions. Add __unitialized to the psw
+definitiation to avoid the superfluous clearing of psw.
+
+Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sven Schnelle <svens@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/include/asm/processor.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/s390/include/asm/processor.h b/arch/s390/include/asm/processor.h
+index bbbdc5abe2b2c..a589547ee0200 100644
+--- a/arch/s390/include/asm/processor.h
++++ b/arch/s390/include/asm/processor.h
+@@ -305,8 +305,8 @@ static inline void __load_psw(psw_t psw)
+ */
+ static __always_inline void __load_psw_mask(unsigned long mask)
+ {
++ psw_t psw __uninitialized;
+ unsigned long addr;
+- psw_t psw;
+
+ psw.mask = mask;
+
+--
+2.43.0
+
--- /dev/null
+From f09d319ccefead053cb21910f700be7f5698fe7f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 May 2024 22:13:52 +0100
+Subject: s390/pkey: Use kfree_sensitive() to fix Coccinelle warnings
+
+From: Jules Irenge <jbi.octave@gmail.com>
+
+[ Upstream commit 22e6824622e8a8889df0f8fc4ed5aea0e702a694 ]
+
+Replace memzero_explicit() and kfree() with kfree_sensitive() to fix
+warnings reported by Coccinelle:
+
+WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1506)
+WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1643)
+WARNING opportunity for kfree_sensitive/kvfree_sensitive (line 1770)
+
+Signed-off-by: Jules Irenge <jbi.octave@gmail.com>
+Reviewed-by: Holger Dengler <dengler@linux.ibm.com>
+Link: https://lore.kernel.org/r/ZjqZkNi_JUJu73Rg@octinomon.home
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/crypto/pkey_api.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
+index dccf664a3d957..933894065623e 100644
+--- a/drivers/s390/crypto/pkey_api.c
++++ b/drivers/s390/crypto/pkey_api.c
+@@ -1503,8 +1503,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
+ rc = pkey_keyblob2pkey(kkey, ktp.keylen, ktp.protkey.protkey,
+ &ktp.protkey.len, &ktp.protkey.type);
+ pr_debug("%s pkey_keyblob2pkey()=%d\n", __func__, rc);
+- memzero_explicit(kkey, ktp.keylen);
+- kfree(kkey);
++ kfree_sensitive(kkey);
+ if (rc)
+ break;
+ if (copy_to_user(utp, &ktp, sizeof(ktp)))
+@@ -1640,8 +1639,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
+ &ktp.protkey.type);
+ pr_debug("%s pkey_keyblob2pkey2()=%d\n", __func__, rc);
+ kfree(apqns);
+- memzero_explicit(kkey, ktp.keylen);
+- kfree(kkey);
++ kfree_sensitive(kkey);
+ if (rc)
+ break;
+ if (copy_to_user(utp, &ktp, sizeof(ktp)))
+@@ -1767,8 +1765,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
+ protkey, &protkeylen, &ktp.pkeytype);
+ pr_debug("%s pkey_keyblob2pkey3()=%d\n", __func__, rc);
+ kfree(apqns);
+- memzero_explicit(kkey, ktp.keylen);
+- kfree(kkey);
++ kfree_sensitive(kkey);
+ if (rc) {
+ kfree(protkey);
+ break;
+--
+2.43.0
+
--- /dev/null
+From f3254a415c468699eb945a33aadc8320a81a0c4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 May 2024 17:03:19 +0200
+Subject: s390/pkey: Wipe copies of clear-key structures on failure
+
+From: Holger Dengler <dengler@linux.ibm.com>
+
+[ Upstream commit d65d76a44ffe74c73298ada25b0f578680576073 ]
+
+Wipe all sensitive data from stack for all IOCTLs, which convert a
+clear-key into a protected- or secure-key.
+
+Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
+Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com>
+Acked-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/crypto/pkey_api.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
+index 179287157c2fe..1aa78a74fbade 100644
+--- a/drivers/s390/crypto/pkey_api.c
++++ b/drivers/s390/crypto/pkey_api.c
+@@ -1374,9 +1374,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
+ rc = cca_clr2seckey(kcs.cardnr, kcs.domain, kcs.keytype,
+ kcs.clrkey.clrkey, kcs.seckey.seckey);
+ pr_debug("%s cca_clr2seckey()=%d\n", __func__, rc);
+- if (rc)
+- break;
+- if (copy_to_user(ucs, &kcs, sizeof(kcs)))
++ if (!rc && copy_to_user(ucs, &kcs, sizeof(kcs)))
+ rc = -EFAULT;
+ memzero_explicit(&kcs, sizeof(kcs));
+ break;
+@@ -1409,9 +1407,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
+ kcp.protkey.protkey,
+ &kcp.protkey.len, &kcp.protkey.type);
+ pr_debug("%s pkey_clr2protkey()=%d\n", __func__, rc);
+- if (rc)
+- break;
+- if (copy_to_user(ucp, &kcp, sizeof(kcp)))
++ if (!rc && copy_to_user(ucp, &kcp, sizeof(kcp)))
+ rc = -EFAULT;
+ memzero_explicit(&kcp, sizeof(kcp));
+ break;
+@@ -1562,11 +1558,14 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
+ if (copy_from_user(&kcs, ucs, sizeof(kcs)))
+ return -EFAULT;
+ apqns = _copy_apqns_from_user(kcs.apqns, kcs.apqn_entries);
+- if (IS_ERR(apqns))
++ if (IS_ERR(apqns)) {
++ memzero_explicit(&kcs, sizeof(kcs));
+ return PTR_ERR(apqns);
++ }
+ kkey = kzalloc(klen, GFP_KERNEL);
+ if (!kkey) {
+ kfree(apqns);
++ memzero_explicit(&kcs, sizeof(kcs));
+ return -ENOMEM;
+ }
+ rc = pkey_clr2seckey2(apqns, kcs.apqn_entries,
+@@ -1576,15 +1575,18 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
+ kfree(apqns);
+ if (rc) {
+ kfree(kkey);
++ memzero_explicit(&kcs, sizeof(kcs));
+ break;
+ }
+ if (kcs.key) {
+ if (kcs.keylen < klen) {
+ kfree(kkey);
++ memzero_explicit(&kcs, sizeof(kcs));
+ return -EINVAL;
+ }
+ if (copy_to_user(kcs.key, kkey, klen)) {
+ kfree(kkey);
++ memzero_explicit(&kcs, sizeof(kcs));
+ return -EFAULT;
+ }
+ }
+--
+2.43.0
+
--- /dev/null
+From fde2e2ffdf0e2af69be34e6423f9b3b463c42fce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 May 2024 17:03:20 +0200
+Subject: s390/pkey: Wipe copies of protected- and secure-keys
+
+From: Holger Dengler <dengler@linux.ibm.com>
+
+[ Upstream commit f2ebdadd85af4f4d0cae1e5d009c70eccc78c207 ]
+
+Although the clear-key of neither protected- nor secure-keys is
+accessible, this key material should only be visible to the calling
+process. So wipe all copies of protected- or secure-keys from stack,
+even in case of an error.
+
+Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
+Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com>
+Acked-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/crypto/pkey_api.c | 80 ++++++++++++++++------------------
+ 1 file changed, 37 insertions(+), 43 deletions(-)
+
+diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
+index 1aa78a74fbade..ffc0b5db55c29 100644
+--- a/drivers/s390/crypto/pkey_api.c
++++ b/drivers/s390/crypto/pkey_api.c
+@@ -1359,10 +1359,9 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
+ rc = cca_genseckey(kgs.cardnr, kgs.domain,
+ kgs.keytype, kgs.seckey.seckey);
+ pr_debug("%s cca_genseckey()=%d\n", __func__, rc);
+- if (rc)
+- break;
+- if (copy_to_user(ugs, &kgs, sizeof(kgs)))
+- return -EFAULT;
++ if (!rc && copy_to_user(ugs, &kgs, sizeof(kgs)))
++ rc = -EFAULT;
++ memzero_explicit(&kgs, sizeof(kgs));
+ break;
+ }
+ case PKEY_CLR2SECK: {
+@@ -1390,10 +1389,9 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
+ ksp.seckey.seckey, ksp.protkey.protkey,
+ &ksp.protkey.len, &ksp.protkey.type);
+ pr_debug("%s cca_sec2protkey()=%d\n", __func__, rc);
+- if (rc)
+- break;
+- if (copy_to_user(usp, &ksp, sizeof(ksp)))
+- return -EFAULT;
++ if (!rc && copy_to_user(usp, &ksp, sizeof(ksp)))
++ rc = -EFAULT;
++ memzero_explicit(&ksp, sizeof(ksp));
+ break;
+ }
+ case PKEY_CLR2PROTK: {
+@@ -1437,10 +1435,9 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
+ rc = pkey_skey2pkey(ksp.seckey.seckey, ksp.protkey.protkey,
+ &ksp.protkey.len, &ksp.protkey.type);
+ pr_debug("%s pkey_skey2pkey()=%d\n", __func__, rc);
+- if (rc)
+- break;
+- if (copy_to_user(usp, &ksp, sizeof(ksp)))
+- return -EFAULT;
++ if (!rc && copy_to_user(usp, &ksp, sizeof(ksp)))
++ rc = -EFAULT;
++ memzero_explicit(&ksp, sizeof(ksp));
+ break;
+ }
+ case PKEY_VERIFYKEY: {
+@@ -1452,10 +1449,9 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
+ rc = pkey_verifykey(&kvk.seckey, &kvk.cardnr, &kvk.domain,
+ &kvk.keysize, &kvk.attributes);
+ pr_debug("%s pkey_verifykey()=%d\n", __func__, rc);
+- if (rc)
+- break;
+- if (copy_to_user(uvk, &kvk, sizeof(kvk)))
+- return -EFAULT;
++ if (!rc && copy_to_user(uvk, &kvk, sizeof(kvk)))
++ rc = -EFAULT;
++ memzero_explicit(&kvk, sizeof(kvk));
+ break;
+ }
+ case PKEY_GENPROTK: {
+@@ -1468,10 +1464,9 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
+ rc = pkey_genprotkey(kgp.keytype, kgp.protkey.protkey,
+ &kgp.protkey.len, &kgp.protkey.type);
+ pr_debug("%s pkey_genprotkey()=%d\n", __func__, rc);
+- if (rc)
+- break;
+- if (copy_to_user(ugp, &kgp, sizeof(kgp)))
+- return -EFAULT;
++ if (!rc && copy_to_user(ugp, &kgp, sizeof(kgp)))
++ rc = -EFAULT;
++ memzero_explicit(&kgp, sizeof(kgp));
+ break;
+ }
+ case PKEY_VERIFYPROTK: {
+@@ -1483,6 +1478,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
+ rc = pkey_verifyprotkey(kvp.protkey.protkey,
+ kvp.protkey.len, kvp.protkey.type);
+ pr_debug("%s pkey_verifyprotkey()=%d\n", __func__, rc);
++ memzero_explicit(&kvp, sizeof(kvp));
+ break;
+ }
+ case PKEY_KBLOB2PROTK: {
+@@ -1500,10 +1496,9 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
+ &ktp.protkey.len, &ktp.protkey.type);
+ pr_debug("%s pkey_keyblob2pkey()=%d\n", __func__, rc);
+ kfree_sensitive(kkey);
+- if (rc)
+- break;
+- if (copy_to_user(utp, &ktp, sizeof(ktp)))
+- return -EFAULT;
++ if (!rc && copy_to_user(utp, &ktp, sizeof(ktp)))
++ rc = -EFAULT;
++ memzero_explicit(&ktp, sizeof(ktp));
+ break;
+ }
+ case PKEY_GENSECK2: {
+@@ -1529,23 +1524,23 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
+ pr_debug("%s pkey_genseckey2()=%d\n", __func__, rc);
+ kfree(apqns);
+ if (rc) {
+- kfree(kkey);
++ kfree_sensitive(kkey);
+ break;
+ }
+ if (kgs.key) {
+ if (kgs.keylen < klen) {
+- kfree(kkey);
++ kfree_sensitive(kkey);
+ return -EINVAL;
+ }
+ if (copy_to_user(kgs.key, kkey, klen)) {
+- kfree(kkey);
++ kfree_sensitive(kkey);
+ return -EFAULT;
+ }
+ }
+ kgs.keylen = klen;
+ if (copy_to_user(ugs, &kgs, sizeof(kgs)))
+ rc = -EFAULT;
+- kfree(kkey);
++ kfree_sensitive(kkey);
+ break;
+ }
+ case PKEY_CLR2SECK2: {
+@@ -1574,18 +1569,18 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
+ pr_debug("%s pkey_clr2seckey2()=%d\n", __func__, rc);
+ kfree(apqns);
+ if (rc) {
+- kfree(kkey);
++ kfree_sensitive(kkey);
+ memzero_explicit(&kcs, sizeof(kcs));
+ break;
+ }
+ if (kcs.key) {
+ if (kcs.keylen < klen) {
+- kfree(kkey);
++ kfree_sensitive(kkey);
+ memzero_explicit(&kcs, sizeof(kcs));
+ return -EINVAL;
+ }
+ if (copy_to_user(kcs.key, kkey, klen)) {
+- kfree(kkey);
++ kfree_sensitive(kkey);
+ memzero_explicit(&kcs, sizeof(kcs));
+ return -EFAULT;
+ }
+@@ -1594,7 +1589,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
+ if (copy_to_user(ucs, &kcs, sizeof(kcs)))
+ rc = -EFAULT;
+ memzero_explicit(&kcs, sizeof(kcs));
+- kfree(kkey);
++ kfree_sensitive(kkey);
+ break;
+ }
+ case PKEY_VERIFYKEY2: {
+@@ -1611,7 +1606,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
+ &kvk.cardnr, &kvk.domain,
+ &kvk.type, &kvk.size, &kvk.flags);
+ pr_debug("%s pkey_verifykey2()=%d\n", __func__, rc);
+- kfree(kkey);
++ kfree_sensitive(kkey);
+ if (rc)
+ break;
+ if (copy_to_user(uvk, &kvk, sizeof(kvk)))
+@@ -1642,10 +1637,9 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
+ pr_debug("%s pkey_keyblob2pkey2()=%d\n", __func__, rc);
+ kfree(apqns);
+ kfree_sensitive(kkey);
+- if (rc)
+- break;
+- if (copy_to_user(utp, &ktp, sizeof(ktp)))
+- return -EFAULT;
++ if (!rc && copy_to_user(utp, &ktp, sizeof(ktp)))
++ rc = -EFAULT;
++ memzero_explicit(&ktp, sizeof(ktp));
+ break;
+ }
+ case PKEY_APQNS4K: {
+@@ -1673,7 +1667,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
+ rc = pkey_apqns4key(kkey, kak.keylen, kak.flags,
+ apqns, &nr_apqns);
+ pr_debug("%s pkey_apqns4key()=%d\n", __func__, rc);
+- kfree(kkey);
++ kfree_sensitive(kkey);
+ if (rc && rc != -ENOSPC) {
+ kfree(apqns);
+ break;
+@@ -1759,7 +1753,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
+ protkey = kmalloc(protkeylen, GFP_KERNEL);
+ if (!protkey) {
+ kfree(apqns);
+- kfree(kkey);
++ kfree_sensitive(kkey);
+ return -ENOMEM;
+ }
+ rc = pkey_keyblob2pkey3(apqns, ktp.apqn_entries,
+@@ -1769,20 +1763,20 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
+ kfree(apqns);
+ kfree_sensitive(kkey);
+ if (rc) {
+- kfree(protkey);
++ kfree_sensitive(protkey);
+ break;
+ }
+ if (ktp.pkey && ktp.pkeylen) {
+ if (protkeylen > ktp.pkeylen) {
+- kfree(protkey);
++ kfree_sensitive(protkey);
+ return -EINVAL;
+ }
+ if (copy_to_user(ktp.pkey, protkey, protkeylen)) {
+- kfree(protkey);
++ kfree_sensitive(protkey);
+ return -EFAULT;
+ }
+ }
+- kfree(protkey);
++ kfree_sensitive(protkey);
+ ktp.pkeylen = protkeylen;
+ if (copy_to_user(utp, &ktp, sizeof(ktp)))
+ return -EFAULT;
+--
+2.43.0
+
--- /dev/null
+From 9f5678ae0c681d5bc57195a62483e17e36ace968 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 May 2024 17:03:18 +0200
+Subject: s390/pkey: Wipe sensitive data on failure
+
+From: Holger Dengler <dengler@linux.ibm.com>
+
+[ Upstream commit 1d8c270de5eb74245d72325d285894a577a945d9 ]
+
+Wipe sensitive data from stack also if the copy_to_user() fails.
+
+Suggested-by: Heiko Carstens <hca@linux.ibm.com>
+Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
+Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com>
+Acked-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/s390/crypto/pkey_api.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
+index 933894065623e..179287157c2fe 100644
+--- a/drivers/s390/crypto/pkey_api.c
++++ b/drivers/s390/crypto/pkey_api.c
+@@ -1377,7 +1377,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
+ if (rc)
+ break;
+ if (copy_to_user(ucs, &kcs, sizeof(kcs)))
+- return -EFAULT;
++ rc = -EFAULT;
+ memzero_explicit(&kcs, sizeof(kcs));
+ break;
+ }
+@@ -1412,7 +1412,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
+ if (rc)
+ break;
+ if (copy_to_user(ucp, &kcp, sizeof(kcp)))
+- return -EFAULT;
++ rc = -EFAULT;
+ memzero_explicit(&kcp, sizeof(kcp));
+ break;
+ }
+--
+2.43.0
+
--- /dev/null
+From 8cd2c4d93b62b15e829f522f548976a6c0861993 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Feb 2024 16:10:13 +0100
+Subject: scsi: mpi3mr: Sanitise num_phys
+
+From: Tomas Henzl <thenzl@redhat.com>
+
+[ Upstream commit 3668651def2c1622904e58b0280ee93121f2b10b ]
+
+Information is stored in mr_sas_port->phy_mask, values larger then size of
+this field shouldn't be allowed.
+
+Signed-off-by: Tomas Henzl <thenzl@redhat.com>
+Link: https://lore.kernel.org/r/20240226151013.8653-1-thenzl@redhat.com
+Acked-by: Sathya Prakash Veerichetty <sathya.prakash@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/mpi3mr/mpi3mr_transport.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/scsi/mpi3mr/mpi3mr_transport.c b/drivers/scsi/mpi3mr/mpi3mr_transport.c
+index d32ad46318cb0..7ca9a7c2709cf 100644
+--- a/drivers/scsi/mpi3mr/mpi3mr_transport.c
++++ b/drivers/scsi/mpi3mr/mpi3mr_transport.c
+@@ -1355,11 +1355,21 @@ static struct mpi3mr_sas_port *mpi3mr_sas_port_add(struct mpi3mr_ioc *mrioc,
+ mpi3mr_sas_port_sanity_check(mrioc, mr_sas_node,
+ mr_sas_port->remote_identify.sas_address, hba_port);
+
++ if (mr_sas_node->num_phys > sizeof(mr_sas_port->phy_mask) * 8)
++ ioc_info(mrioc, "max port count %u could be too high\n",
++ mr_sas_node->num_phys);
++
+ for (i = 0; i < mr_sas_node->num_phys; i++) {
+ if ((mr_sas_node->phy[i].remote_identify.sas_address !=
+ mr_sas_port->remote_identify.sas_address) ||
+ (mr_sas_node->phy[i].hba_port != hba_port))
+ continue;
++
++ if (i > sizeof(mr_sas_port->phy_mask) * 8) {
++ ioc_warn(mrioc, "skipping port %u, max allowed value is %lu\n",
++ i, sizeof(mr_sas_port->phy_mask) * 8);
++ goto out_fail;
++ }
+ list_add_tail(&mr_sas_node->phy[i].port_siblings,
+ &mr_sas_port->phy_list);
+ mr_sas_port->num_phys++;
+--
+2.43.0
+
--- /dev/null
+From b6a92e0739b3f8adc738f3e0008637a69c830756 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Apr 2024 11:01:55 -0400
+Subject: scsi: qedf: Make qedf_execute_tmf() non-preemptible
+
+From: John Meneghini <jmeneghi@redhat.com>
+
+[ Upstream commit 0d8b637c9c5eeaa1a4e3dfb336f3ff918eb64fec ]
+
+Stop calling smp_processor_id() from preemptible code in
+qedf_execute_tmf90. This results in BUG_ON() when running an RT kernel.
+
+[ 659.343280] BUG: using smp_processor_id() in preemptible [00000000] code: sg_reset/3646
+[ 659.343282] caller is qedf_execute_tmf+0x8b/0x360 [qedf]
+
+Tested-by: Guangwu Zhang <guazhang@redhat.com>
+Cc: Saurav Kashyap <skashyap@marvell.com>
+Cc: Nilesh Javali <njavali@marvell.com>
+Signed-off-by: John Meneghini <jmeneghi@redhat.com>
+Link: https://lore.kernel.org/r/20240403150155.412954-1-jmeneghi@redhat.com
+Acked-by: Saurav Kashyap <skashyap@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qedf/qedf_io.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/scsi/qedf/qedf_io.c b/drivers/scsi/qedf/qedf_io.c
+index bf921caaf6aea..054a51713d556 100644
+--- a/drivers/scsi/qedf/qedf_io.c
++++ b/drivers/scsi/qedf/qedf_io.c
+@@ -2324,9 +2324,6 @@ static int qedf_execute_tmf(struct qedf_rport *fcport, u64 tm_lun,
+ io_req->fcport = fcport;
+ io_req->cmd_type = QEDF_TASK_MGMT_CMD;
+
+- /* Record which cpu this request is associated with */
+- io_req->cpu = smp_processor_id();
+-
+ /* Set TM flags */
+ io_req->io_req_flags = QEDF_READ;
+ io_req->data_xfer_len = 0;
+@@ -2349,6 +2346,9 @@ static int qedf_execute_tmf(struct qedf_rport *fcport, u64 tm_lun,
+
+ spin_lock_irqsave(&fcport->rport_lock, flags);
+
++ /* Record which cpu this request is associated with */
++ io_req->cpu = smp_processor_id();
++
+ sqe_idx = qedf_get_sqe_idx(fcport);
+ sqe = &fcport->sq[sqe_idx];
+ memset(sqe, 0, sizeof(struct fcoe_wqe));
+--
+2.43.0
+
--- /dev/null
+From 25ea190510466c43f636ce54d8f680d8029e6cc3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Apr 2024 19:23:36 +0200
+Subject: sctp: prefer struct_size over open coded arithmetic
+
+From: Erick Archer <erick.archer@outlook.com>
+
+[ Upstream commit e5c5f3596de224422561d48eba6ece5210d967b3 ]
+
+This is an effort to get rid of all multiplications from allocation
+functions in order to prevent integer overflows [1][2].
+
+As the "ids" variable is a pointer to "struct sctp_assoc_ids" and this
+structure ends in a flexible array:
+
+struct sctp_assoc_ids {
+ [...]
+ sctp_assoc_t gaids_assoc_id[];
+};
+
+the preferred way in the kernel is to use the struct_size() helper to
+do the arithmetic instead of the calculation "size + size * count" in
+the kmalloc() function.
+
+Also, refactor the code adding the "ids_size" variable to avoid sizing
+twice.
+
+This way, the code is more readable and safer.
+
+This code was detected with the help of Coccinelle, and audited and
+modified manually.
+
+Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments [1]
+Link: https://github.com/KSPP/linux/issues/160 [2]
+Signed-off-by: Erick Archer <erick.archer@outlook.com>
+Acked-by: Xin Long <lucien.xin@gmail.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/PAXPR02MB724871DB78375AB06B5171C88B152@PAXPR02MB7248.eurprd02.prod.outlook.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/socket.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index c67679a41044f..13b3998c6177f 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -7119,6 +7119,7 @@ static int sctp_getsockopt_assoc_ids(struct sock *sk, int len,
+ struct sctp_sock *sp = sctp_sk(sk);
+ struct sctp_association *asoc;
+ struct sctp_assoc_ids *ids;
++ size_t ids_size;
+ u32 num = 0;
+
+ if (sctp_style(sk, TCP))
+@@ -7131,11 +7132,11 @@ static int sctp_getsockopt_assoc_ids(struct sock *sk, int len,
+ num++;
+ }
+
+- if (len < sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num)
++ ids_size = struct_size(ids, gaids_assoc_id, num);
++ if (len < ids_size)
+ return -EINVAL;
+
+- len = sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num;
+-
++ len = ids_size;
+ ids = kmalloc(len, GFP_USER | __GFP_NOWARN);
+ if (unlikely(!ids))
+ return -ENOMEM;
+--
+2.43.0
+
--- /dev/null
+From 4397ba6d6290c0fd181732199520cd309b0b2694 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Apr 2024 18:28:18 -0700
+Subject: selftests/bpf: adjust dummy_st_ops_success to detect additional error
+
+From: Eduard Zingerman <eddyz87@gmail.com>
+
+[ Upstream commit 3b3b84aacb4420226576c9732e7b539ca7b79633 ]
+
+As reported by Jose E. Marchesi in off-list discussion, GCC and LLVM
+generate slightly different code for dummy_st_ops_success/test_1():
+
+ SEC("struct_ops/test_1")
+ int BPF_PROG(test_1, struct bpf_dummy_ops_state *state)
+ {
+ int ret;
+
+ if (!state)
+ return 0xf2f3f4f5;
+
+ ret = state->val;
+ state->val = 0x5a;
+ return ret;
+ }
+
+ GCC-generated LLVM-generated
+ ---------------------------- ---------------------------
+ 0: r1 = *(u64 *)(r1 + 0x0) 0: w0 = -0xd0c0b0b
+ 1: if r1 == 0x0 goto 5f 1: r1 = *(u64 *)(r1 + 0x0)
+ 2: r0 = *(s32 *)(r1 + 0x0) 2: if r1 == 0x0 goto 6f
+ 3: *(u32 *)(r1 + 0x0) = 0x5a 3: r0 = *(u32 *)(r1 + 0x0)
+ 4: exit 4: w2 = 0x5a
+ 5: r0 = -0xd0c0b0b 5: *(u32 *)(r1 + 0x0) = r2
+ 6: exit 6: exit
+
+If the 'state' argument is not marked as nullable in
+net/bpf/bpf_dummy_struct_ops.c, the verifier would assume that
+'r1 == 0x0' is never true:
+- for the GCC version, this means that instructions #5-6 would be
+ marked as dead and removed;
+- for the LLVM version, all instructions would be marked as live.
+
+The test dummy_st_ops/dummy_init_ret_value actually sets the 'state'
+parameter to NULL.
+
+Therefore, when the 'state' argument is not marked as nullable,
+the GCC-generated version of the code would trigger a NULL pointer
+dereference at instruction #3.
+
+This patch updates the test_1() test case to always follow a shape
+similar to the GCC-generated version above, in order to verify whether
+the 'state' nullability is marked correctly.
+
+Reported-by: Jose E. Marchesi <jemarch@gnu.org>
+Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/20240424012821.595216-3-eddyz87@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/bpf/progs/dummy_st_ops_success.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c b/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c
+index 1efa746c25dc7..cc7b69b001aae 100644
+--- a/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c
++++ b/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c
+@@ -11,8 +11,17 @@ int BPF_PROG(test_1, struct bpf_dummy_ops_state *state)
+ {
+ int ret;
+
+- if (!state)
+- return 0xf2f3f4f5;
++ /* Check that 'state' nullable status is detected correctly.
++ * If 'state' argument would be assumed non-null by verifier
++ * the code below would be deleted as dead (which it shouldn't).
++ * Hide it from the compiler behind 'asm' block to avoid
++ * unnecessary optimizations.
++ */
++ asm volatile (
++ "if %[state] != 0 goto +2;"
++ "r0 = 0xf2f3f4f5;"
++ "exit;"
++ ::[state]"p"(state));
+
+ ret = state->val;
+ state->val = 0x5a;
+--
+2.43.0
+
--- /dev/null
+From 515464a6cd8ff6c331eb54b6dd447b767fd2a9fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Apr 2024 18:28:19 -0700
+Subject: selftests/bpf: do not pass NULL for non-nullable params in
+ dummy_st_ops
+
+From: Eduard Zingerman <eddyz87@gmail.com>
+
+[ Upstream commit f612210d456a0b969a0adca91e68dbea0e0ea301 ]
+
+dummy_st_ops.test_2 and dummy_st_ops.test_sleepable do not have their
+'state' parameter marked as nullable. Update dummy_st_ops.c to avoid
+passing NULL for such parameters, as the next patch would allow kernel
+to enforce this restriction.
+
+Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/20240424012821.595216-4-eddyz87@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c | 7 +++++--
+ tools/testing/selftests/bpf/progs/dummy_st_ops_success.c | 2 +-
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c b/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c
+index f43fcb13d2c46..dd926c00f4146 100644
+--- a/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c
++++ b/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c
+@@ -98,7 +98,8 @@ static void test_dummy_init_ptr_arg(void)
+
+ static void test_dummy_multiple_args(void)
+ {
+- __u64 args[5] = {0, -100, 0x8a5f, 'c', 0x1234567887654321ULL};
++ struct bpf_dummy_ops_state st = { 7 };
++ __u64 args[5] = {(__u64)&st, -100, 0x8a5f, 'c', 0x1234567887654321ULL};
+ LIBBPF_OPTS(bpf_test_run_opts, attr,
+ .ctx_in = args,
+ .ctx_size_in = sizeof(args),
+@@ -115,6 +116,7 @@ static void test_dummy_multiple_args(void)
+ fd = bpf_program__fd(skel->progs.test_2);
+ err = bpf_prog_test_run_opts(fd, &attr);
+ ASSERT_OK(err, "test_run");
++ args[0] = 7;
+ for (i = 0; i < ARRAY_SIZE(args); i++) {
+ snprintf(name, sizeof(name), "arg %zu", i);
+ ASSERT_EQ(skel->bss->test_2_args[i], args[i], name);
+@@ -125,7 +127,8 @@ static void test_dummy_multiple_args(void)
+
+ static void test_dummy_sleepable(void)
+ {
+- __u64 args[1] = {0};
++ struct bpf_dummy_ops_state st;
++ __u64 args[1] = {(__u64)&st};
+ LIBBPF_OPTS(bpf_test_run_opts, attr,
+ .ctx_in = args,
+ .ctx_size_in = sizeof(args),
+diff --git a/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c b/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c
+index cc7b69b001aae..ec0c595d47af8 100644
+--- a/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c
++++ b/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c
+@@ -34,7 +34,7 @@ SEC("struct_ops/test_2")
+ int BPF_PROG(test_2, struct bpf_dummy_ops_state *state, int a1, unsigned short a2,
+ char a3, unsigned long a4)
+ {
+- test_2_args[0] = (unsigned long)state;
++ test_2_args[0] = state->val;
+ test_2_args[1] = a1;
+ test_2_args[2] = a2;
+ test_2_args[3] = a3;
+--
+2.43.0
+
--- /dev/null
+From 8c70aacc3978ceb7cd5c841e63d9cabfabb5a8f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Apr 2024 18:28:21 -0700
+Subject: selftests/bpf: dummy_st_ops should reject 0 for non-nullable params
+
+From: Eduard Zingerman <eddyz87@gmail.com>
+
+[ Upstream commit 6a2d30d3c5bf9f088dcfd5f3746b04d84f2fab83 ]
+
+Check if BPF_PROG_TEST_RUN for bpf_dummy_struct_ops programs
+rejects execution if NULL is passed for non-nullable parameter.
+
+Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
+Link: https://lore.kernel.org/r/20240424012821.595216-6-eddyz87@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../selftests/bpf/prog_tests/dummy_st_ops.c | 27 +++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c b/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c
+index dd926c00f4146..d3d94596ab79c 100644
+--- a/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c
++++ b/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c
+@@ -147,6 +147,31 @@ static void test_dummy_sleepable(void)
+ dummy_st_ops_success__destroy(skel);
+ }
+
++/* dummy_st_ops.test_sleepable() parameter is not marked as nullable,
++ * thus bpf_prog_test_run_opts() below should be rejected as it tries
++ * to pass NULL for this parameter.
++ */
++static void test_dummy_sleepable_reject_null(void)
++{
++ __u64 args[1] = {0};
++ LIBBPF_OPTS(bpf_test_run_opts, attr,
++ .ctx_in = args,
++ .ctx_size_in = sizeof(args),
++ );
++ struct dummy_st_ops_success *skel;
++ int fd, err;
++
++ skel = dummy_st_ops_success__open_and_load();
++ if (!ASSERT_OK_PTR(skel, "dummy_st_ops_load"))
++ return;
++
++ fd = bpf_program__fd(skel->progs.test_sleepable);
++ err = bpf_prog_test_run_opts(fd, &attr);
++ ASSERT_EQ(err, -EINVAL, "test_run");
++
++ dummy_st_ops_success__destroy(skel);
++}
++
+ void test_dummy_st_ops(void)
+ {
+ if (test__start_subtest("dummy_st_ops_attach"))
+@@ -159,6 +184,8 @@ void test_dummy_st_ops(void)
+ test_dummy_multiple_args();
+ if (test__start_subtest("dummy_sleepable"))
+ test_dummy_sleepable();
++ if (test__start_subtest("dummy_sleepable_reject_null"))
++ test_dummy_sleepable_reject_null();
+
+ RUN_TESTS(dummy_st_ops_fail);
+ }
+--
+2.43.0
+
--- /dev/null
+From 22a4b9d733a0f899b8d24a8291085c65512e8979 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 May 2024 12:02:04 -0700
+Subject: selftests/net: fix uninitialized variables
+
+From: John Hubbard <jhubbard@nvidia.com>
+
+[ Upstream commit eb709b5f6536636dfb87b85ded0b2af9bb6cd9e6 ]
+
+When building with clang, via:
+
+ make LLVM=1 -C tools/testing/selftest
+
+...clang warns about three variables that are not initialized in all
+cases:
+
+1) The opt_ipproto_off variable is used uninitialized if "testname" is
+not "ip". Willem de Bruijn pointed out that this is an actual bug, and
+suggested the fix that I'm using here (thanks!).
+
+2) The addr_len is used uninitialized, but only in the assert case,
+ which bails out, so this is harmless.
+
+3) The family variable in add_listener() is only used uninitialized in
+ the error case (neither IPv4 nor IPv6 is specified), so it's also
+ harmless.
+
+Fix by initializing each variable.
+
+Signed-off-by: John Hubbard <jhubbard@nvidia.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Acked-by: Mat Martineau <martineau@kernel.org>
+Link: https://lore.kernel.org/r/20240506190204.28497-1-jhubbard@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/gro.c | 3 +++
+ tools/testing/selftests/net/ip_local_port_range.c | 2 +-
+ tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 2 +-
+ 3 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tools/testing/selftests/net/gro.c b/tools/testing/selftests/net/gro.c
+index 353e1e867fbb2..6038b96ecee88 100644
+--- a/tools/testing/selftests/net/gro.c
++++ b/tools/testing/selftests/net/gro.c
+@@ -119,6 +119,9 @@ static void setup_sock_filter(int fd)
+ next_off = offsetof(struct ipv6hdr, nexthdr);
+ ipproto_off = ETH_HLEN + next_off;
+
++ /* Overridden later if exthdrs are used: */
++ opt_ipproto_off = ipproto_off;
++
+ if (strcmp(testname, "ip") == 0) {
+ if (proto == PF_INET)
+ optlen = sizeof(struct ip_timestamp);
+diff --git a/tools/testing/selftests/net/ip_local_port_range.c b/tools/testing/selftests/net/ip_local_port_range.c
+index 193b82745fd87..29451d2244b75 100644
+--- a/tools/testing/selftests/net/ip_local_port_range.c
++++ b/tools/testing/selftests/net/ip_local_port_range.c
+@@ -359,7 +359,7 @@ TEST_F(ip_local_port_range, late_bind)
+ struct sockaddr_in v4;
+ struct sockaddr_in6 v6;
+ } addr;
+- socklen_t addr_len;
++ socklen_t addr_len = 0;
+ const int one = 1;
+ int fd, err;
+ __u32 range;
+diff --git a/tools/testing/selftests/net/mptcp/pm_nl_ctl.c b/tools/testing/selftests/net/mptcp/pm_nl_ctl.c
+index 7426a2cbd4a03..7ad5a59adff2b 100644
+--- a/tools/testing/selftests/net/mptcp/pm_nl_ctl.c
++++ b/tools/testing/selftests/net/mptcp/pm_nl_ctl.c
+@@ -1276,7 +1276,7 @@ int add_listener(int argc, char *argv[])
+ struct sockaddr_storage addr;
+ struct sockaddr_in6 *a6;
+ struct sockaddr_in *a4;
+- u_int16_t family;
++ u_int16_t family = AF_UNSPEC;
+ int enable = 1;
+ int sock;
+ int err;
+--
+2.43.0
+
--- /dev/null
+From 52d1d4fa34e30d4ec27a5ae145858f1dab380300 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Jun 2024 17:18:30 -0500
+Subject: selftests/resctrl: Fix non-contiguous CBM for AMD
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Babu Moger <babu.moger@amd.com>
+
+[ Upstream commit 48236960c06d32370bfa6f2cc408e786873262c8 ]
+
+The non-contiguous CBM test fails on AMD with:
+Starting L3_NONCONT_CAT test ...
+Mounting resctrl to "/sys/fs/resctrl"
+CPUID output doesn't match 'sparse_masks' file content!
+not ok 5 L3_NONCONT_CAT: test
+
+AMD always supports non-contiguous CBM but does not report it via CPUID.
+
+Fix the non-contiguous CBM test to use CPUID to discover non-contiguous
+CBM support only on Intel.
+
+Fixes: ae638551ab64 ("selftests/resctrl: Add non-contiguous CBMs CAT test")
+Signed-off-by: Babu Moger <babu.moger@amd.com>
+Reviewed-by: Reinette Chatre <reinette.chatre@intel.com>
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/resctrl/cat_test.c | 32 +++++++++++++++-------
+ 1 file changed, 22 insertions(+), 10 deletions(-)
+
+diff --git a/tools/testing/selftests/resctrl/cat_test.c b/tools/testing/selftests/resctrl/cat_test.c
+index 4cb991be8e31b..178a41d4bb1be 100644
+--- a/tools/testing/selftests/resctrl/cat_test.c
++++ b/tools/testing/selftests/resctrl/cat_test.c
+@@ -294,11 +294,30 @@ static int cat_run_test(const struct resctrl_test *test, const struct user_param
+ return ret;
+ }
+
++static bool arch_supports_noncont_cat(const struct resctrl_test *test)
++{
++ unsigned int eax, ebx, ecx, edx;
++
++ /* AMD always supports non-contiguous CBM. */
++ if (get_vendor() == ARCH_AMD)
++ return true;
++
++ /* Intel support for non-contiguous CBM needs to be discovered. */
++ if (!strcmp(test->resource, "L3"))
++ __cpuid_count(0x10, 1, eax, ebx, ecx, edx);
++ else if (!strcmp(test->resource, "L2"))
++ __cpuid_count(0x10, 2, eax, ebx, ecx, edx);
++ else
++ return false;
++
++ return ((ecx >> 3) & 1);
++}
++
+ static int noncont_cat_run_test(const struct resctrl_test *test,
+ const struct user_params *uparams)
+ {
+ unsigned long full_cache_mask, cont_mask, noncont_mask;
+- unsigned int eax, ebx, ecx, edx, sparse_masks;
++ unsigned int sparse_masks;
+ int bit_center, ret;
+ char schemata[64];
+
+@@ -307,15 +326,8 @@ static int noncont_cat_run_test(const struct resctrl_test *test,
+ if (ret)
+ return ret;
+
+- if (!strcmp(test->resource, "L3"))
+- __cpuid_count(0x10, 1, eax, ebx, ecx, edx);
+- else if (!strcmp(test->resource, "L2"))
+- __cpuid_count(0x10, 2, eax, ebx, ecx, edx);
+- else
+- return -EINVAL;
+-
+- if (sparse_masks != ((ecx >> 3) & 1)) {
+- ksft_print_msg("CPUID output doesn't match 'sparse_masks' file content!\n");
++ if (arch_supports_noncont_cat(test) != sparse_masks) {
++ ksft_print_msg("Hardware and kernel differ on non-contiguous CBM support!\n");
+ return 1;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From eee6f2a31e01261222838715d0545bc62f432f1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 May 2024 15:37:44 +0200
+Subject: serial: imx: Raise TX trigger level to 8
+
+From: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
+
+[ Upstream commit a3d8728ab079951741efa11360df43dbfacba7ab ]
+
+At the default TX trigger level of 2 in non-DMA mode (meaning that an
+interrupt is generated when less than 2 characters are left in the
+FIFO), we have observed frequent buffer underruns at 115200 Baud on an
+i.MX8M Nano. This can cause communication issues if the receiving side
+expects a continuous transfer.
+
+Increasing the level to 8 makes the UART trigger an interrupt earlier,
+giving the kernel enough time to refill the FIFO, at the cost of
+triggering one interrupt per ~24 instead of ~30 bytes of transmitted
+data (as the i.MX UART has a 32 byte FIFO).
+
+Signed-off-by: Michael Krummsdorf <michael.krummsdorf@tq-group.com>
+Signed-off-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
+Link: https://lore.kernel.org/r/20240508133744.35858-1-matthias.schiffer@ew.tq-group.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/imx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c
+index 9552228d21614..f63cdd6794419 100644
+--- a/drivers/tty/serial/imx.c
++++ b/drivers/tty/serial/imx.c
+@@ -1314,7 +1314,7 @@ static void imx_uart_clear_rx_errors(struct imx_port *sport)
+
+ }
+
+-#define TXTL_DEFAULT 2 /* reset default */
++#define TXTL_DEFAULT 8
+ #define RXTL_DEFAULT 8 /* 8 characters or aging timer */
+ #define TXTL_DMA 8 /* DMA burst setting */
+ #define RXTL_DMA 9 /* DMA burst setting */
+--
+2.43.0
+
--- /dev/null
+selftests-resctrl-fix-non-contiguous-cbm-for-amd.patch
+locking-mutex-introduce-devm_mutex_init.patch
+leds-mlxreg-use-devm_mutex_init-for-mutex-initializa.patch
+leds-an30259a-use-devm_mutex_init-for-mutex-initiali.patch
+crypto-hisilicon-debugfs-fix-debugfs-uninit-process-.patch
+drm-lima-fix-shared-irq-handling-on-driver-remove.patch
+powerpc-avoid-nmi_enter-nmi_exit-in-real-mode-interr.patch
+media-dvb-as102-fe-fix-as10x_register_addr-packing.patch
+media-dvb-usb-dib0700_devices-add-missing-release_fi.patch
+net-dql-avoid-calling-bug-when-warn-is-enough.patch
+wifi-rtw89-fw-scan-offload-prohibit-all-6-ghz-channe.patch
+drm-xe-add-outer-runtime_pm-protection-to-xe_live_kt.patch
+ib-core-implement-a-limit-on-umad-receive-list.patch
+scsi-qedf-make-qedf_execute_tmf-non-preemptible.patch
+irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch
+bpf-mark-bpf_dummy_struct_ops.test_1-parameter-as-nu.patch
+selftests-bpf-adjust-dummy_st_ops_success-to-detect-.patch
+selftests-bpf-do-not-pass-null-for-non-nullable-para.patch
+bpf-check-bpf_dummy_struct_ops-program-params-for-te.patch
+selftests-bpf-dummy_st_ops-should-reject-0-for-non-n.patch
+risc-v-kvm-fix-the-initial-sample-period-value.patch
+crypto-aead-cipher-zeroize-key-buffer-after-use.patch
+media-mediatek-vcodec-only-free-buffer-va-that-is-no.patch
+drm-amdgpu-fix-uninitialized-variable-warnings.patch
+drm-amdgpu-using-uninitialized-value-size-when-calli.patch
+drm-amdgpu-initialize-timestamp-for-some-legacy-socs.patch
+drm-amdgpu-fix-double-free-err_addr-pointer-warnings.patch
+drm-amd-display-add-null-pointer-check-for-kzalloc.patch
+drm-amd-display-check-index-msg_id-before-read-or-wr.patch
+drm-amd-display-check-pipe-offset-before-setting-vbl.patch
+drm-amd-display-skip-finding-free-audio-for-unknown-.patch
+drm-amd-display-fix-overlapping-copy-within-dml_core.patch
+drm-amd-display-update-pipe-topology-log-to-support-.patch
+drm-amd-display-do-not-return-negative-stream-id-for.patch
+drm-amd-display-assert-when-failing-to-find-index-by.patch
+drm-amd-display-fix-uninitialized-variables-in-dm.patch
+drm-amdgpu-fix-uninitialized-scalar-variable-warning.patch
+drm-amdgpu-fix-the-warning-about-the-expression-int-.patch
+media-dw2102-don-t-translate-i2c-read-into-write.patch
+riscv-apply-sifive-cip-1200-workaround-to-single-asi.patch
+media-dw2102-fix-a-potential-buffer-overflow.patch
+sctp-prefer-struct_size-over-open-coded-arithmetic.patch
+firmware-dmi-stop-decoding-on-broken-entry.patch
+kunit-fortify-do-not-spam-logs-with-fortify-warns.patch
+input-ff-core-prefer-struct_size-over-open-coded-ari.patch
+usb-xhci-prevent-potential-failure-in-handle_tx_even.patch
+wifi-mt76-replace-skb_put-with-skb_put_zero.patch
+wifi-mt76-mt7996-add-sanity-checks-for-background-ra.patch
+thermal-drivers-mediatek-lvts_thermal-check-null-ptr.patch
+net-dsa-mv88e6xxx-correct-check-for-empty-list.patch
+media-dvb-frontends-tda18271c2dd-remove-casting-duri.patch
+media-s2255-use-refcount_t-instead-of-atomic_t-for-n.patch
+media-i2c-st-mipid02-use-the-correct-div-function.patch
+media-tc358746-use-the-correct-div_-function.patch
+media-dvb-frontends-tda10048-fix-integer-overflow.patch
+crypto-hisilicon-sec2-fix-for-register-offset.patch
+powerpc-dexcr-track-the-dexcr-per-process.patch
+gve-account-for-stopped-queues-when-reading-nic-stat.patch
+i2c-i801-annotate-apanel_addr-as-__ro_after_init.patch
+powerpc-64-set-_io_base-to-poison_pointer_delta-not-.patch
+orangefs-fix-out-of-bounds-fsid-access.patch
+kunit-fix-timeout-message.patch
+kunit-handle-test-faults.patch
+powerpc-xmon-check-cpu-id-in-commands-c-dp-and-dx.patch
+selftests-net-fix-uninitialized-variables.patch
+igc-fix-a-log-entry-using-uninitialized-netdev.patch
+bpf-avoid-uninitialized-value-in-bpf_core_read_bitfi.patch
+f2fs-check-validation-of-fault-attrs-in-f2fs_build_f.patch
+scsi-mpi3mr-sanitise-num_phys.patch
+serial-imx-raise-tx-trigger-level-to-8.patch
+jffs2-fix-potential-illegal-address-access-in-jffs2_.patch
+s390-mark-psw-in-__load_psw_mask-as-__unitialized.patch
+s390-pkey-use-kfree_sensitive-to-fix-coccinelle-warn.patch
+s390-pkey-wipe-sensitive-data-on-failure.patch
+s390-pkey-wipe-copies-of-clear-key-structures-on-fai.patch
+s390-pkey-wipe-copies-of-protected-and-secure-keys.patch
+btrfs-scrub-initialize-ret-in-scrub_simple_mirror-to.patch
+cdrom-rearrange-last_media_change-check-to-avoid-uni.patch
+tools-power-turbostat-remember-global-max_die_id.patch
+tools-power-turbostat-avoid-possible-memory-corrupti.patch
+vhost-use-virtqueue-mutex-for-swapping-worker.patch
+vhost-release-worker-mutex-during-flushes.patch
+vhost_task-handle-sigkill-by-flushing-work-and-exiti.patch
+virtio-pci-check-if-is_avq-is-null.patch
--- /dev/null
+From 08e202ab3a10c07e7362745aaaab491894076cb3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 May 2024 15:46:03 +0200
+Subject: thermal/drivers/mediatek/lvts_thermal: Check NULL ptr on lvts_data
+
+From: Julien Panis <jpanis@baylibre.com>
+
+[ Upstream commit a1191a77351e25ddf091bb1a231cae12ee598b5d ]
+
+Verify that lvts_data is not NULL before using it.
+
+Signed-off-by: Julien Panis <jpanis@baylibre.com>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lore.kernel.org/r/20240502-mtk-thermal-lvts-data-v1-1-65f1b0bfad37@baylibre.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/thermal/mediatek/lvts_thermal.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/thermal/mediatek/lvts_thermal.c b/drivers/thermal/mediatek/lvts_thermal.c
+index 6b9422bd8795d..25f836c00e226 100644
+--- a/drivers/thermal/mediatek/lvts_thermal.c
++++ b/drivers/thermal/mediatek/lvts_thermal.c
+@@ -1250,6 +1250,8 @@ static int lvts_probe(struct platform_device *pdev)
+ return -ENOMEM;
+
+ lvts_data = of_device_get_match_data(dev);
++ if (!lvts_data)
++ return -ENODEV;
+
+ lvts_td->clk = devm_clk_get_enabled(dev, NULL);
+ if (IS_ERR(lvts_td->clk))
+--
+2.43.0
+
--- /dev/null
+From d6233fac32c4d8479cecfa2bb922bcacf17ab950 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 May 2024 15:39:08 +0200
+Subject: tools/power turbostat: Avoid possible memory corruption due to sparse
+ topology IDs
+
+From: Patryk Wlazlyn <patryk.wlazlyn@linux.intel.com>
+
+[ Upstream commit 3559ea813ad3a9627934325c68ad05b18008a077 ]
+
+Save the highest core and package id when parsing topology to
+allocate enough memory when get_rapl_counters() is called with a core or
+a package id as a domain.
+
+Note that RAPL domains are per-package on Intel, but per-core on AMD.
+Thus, the RAPL code effectively runs in different modes on those two
+product lines.
+
+Signed-off-by: Patryk Wlazlyn <patryk.wlazlyn@linux.intel.com>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/x86/turbostat/turbostat.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c
+index 25417c3a47ab6..5d80d193e5bee 100644
+--- a/tools/power/x86/turbostat/turbostat.c
++++ b/tools/power/x86/turbostat/turbostat.c
+@@ -1022,6 +1022,7 @@ struct rapl_counter_info_t {
+
+ /* struct rapl_counter_info_t for each RAPL domain */
+ struct rapl_counter_info_t *rapl_counter_info_perdomain;
++unsigned int rapl_counter_info_perdomain_size;
+
+ #define RAPL_COUNTER_FLAG_USE_MSR_SUM (1u << 1)
+
+@@ -1415,6 +1416,8 @@ struct topo_params {
+ int allowed_cpus;
+ int allowed_cores;
+ int max_cpu_num;
++ int max_core_id;
++ int max_package_id;
+ int max_die_id;
+ int max_node_num;
+ int nodes_per_pkg;
+@@ -3369,15 +3372,18 @@ void write_rapl_counter(struct rapl_counter *rc, struct rapl_counter_info_t *rci
+ rc->scale = rci->scale[idx];
+ }
+
+-int get_rapl_counters(int cpu, int domain, struct core_data *c, struct pkg_data *p)
++int get_rapl_counters(int cpu, unsigned int domain, struct core_data *c, struct pkg_data *p)
+ {
+ unsigned long long perf_data[NUM_RAPL_COUNTERS + 1];
+- struct rapl_counter_info_t *rci = &rapl_counter_info_perdomain[domain];
++ struct rapl_counter_info_t *rci;
+
+ if (debug)
+ fprintf(stderr, "%s: cpu%d domain%d\n", __func__, cpu, domain);
+
+ assert(rapl_counter_info_perdomain);
++ assert(domain < rapl_counter_info_perdomain_size);
++
++ rci = &rapl_counter_info_perdomain[domain];
+
+ /*
+ * If we have any perf counters to read, read them all now, in bulk
+@@ -4181,7 +4187,7 @@ void free_fd_rapl_percpu(void)
+ if (!rapl_counter_info_perdomain)
+ return;
+
+- const int num_domains = platform->has_per_core_rapl ? topo.num_cores : topo.num_packages;
++ const int num_domains = rapl_counter_info_perdomain_size;
+
+ for (int domain_id = 0; domain_id < num_domains; ++domain_id) {
+ if (rapl_counter_info_perdomain[domain_id].fd_perf != -1)
+@@ -4189,6 +4195,8 @@ void free_fd_rapl_percpu(void)
+ }
+
+ free(rapl_counter_info_perdomain);
++ rapl_counter_info_perdomain = NULL;
++ rapl_counter_info_perdomain_size = 0;
+ }
+
+ void free_all_buffers(void)
+@@ -6479,17 +6487,18 @@ void linux_perf_init(void)
+
+ void rapl_perf_init(void)
+ {
+- const int num_domains = platform->has_per_core_rapl ? topo.num_cores : topo.num_packages;
++ const unsigned int num_domains = (platform->has_per_core_rapl ? topo.max_core_id : topo.max_package_id) + 1;
+ bool *domain_visited = calloc(num_domains, sizeof(bool));
+
+ rapl_counter_info_perdomain = calloc(num_domains, sizeof(*rapl_counter_info_perdomain));
+ if (rapl_counter_info_perdomain == NULL)
+ err(-1, "calloc rapl_counter_info_percpu");
++ rapl_counter_info_perdomain_size = num_domains;
+
+ /*
+ * Initialize rapl_counter_info_percpu
+ */
+- for (int domain_id = 0; domain_id < num_domains; ++domain_id) {
++ for (unsigned int domain_id = 0; domain_id < num_domains; ++domain_id) {
+ struct rapl_counter_info_t *rci = &rapl_counter_info_perdomain[domain_id];
+
+ rci->fd_perf = -1;
+@@ -6509,7 +6518,7 @@ void rapl_perf_init(void)
+ bool has_counter = 0;
+ double scale;
+ enum rapl_unit unit;
+- int next_domain;
++ unsigned int next_domain;
+
+ memset(domain_visited, 0, num_domains * sizeof(*domain_visited));
+
+@@ -6522,6 +6531,8 @@ void rapl_perf_init(void)
+ next_domain =
+ platform->has_per_core_rapl ? cpus[cpu].physical_core_id : cpus[cpu].physical_package_id;
+
++ assert(next_domain < num_domains);
++
+ if (domain_visited[next_domain])
+ continue;
+
+@@ -7104,6 +7115,8 @@ void topology_probe(bool startup)
+ if (cpus[i].thread_id == 0)
+ topo.num_cores++;
+ }
++ topo.max_core_id = max_core_id;
++ topo.max_package_id = max_package_id;
+
+ topo.cores_per_node = max_core_id + 1;
+ if (debug > 1)
+--
+2.43.0
+
--- /dev/null
+From bd9faa4e50dff75e836f229ed4fc3057331104e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Apr 2024 11:56:48 -0400
+Subject: tools/power turbostat: Remember global max_die_id
+
+From: Len Brown <len.brown@intel.com>
+
+[ Upstream commit cda203388687aa075db6f8996c3c4549fa518ea8 ]
+
+This is necessary to gracefully handle sparse die_id's.
+
+no functional change
+
+Signed-off-by: Len Brown <len.brown@intel.com>
+Stable-dep-of: 3559ea813ad3 ("tools/power turbostat: Avoid possible memory corruption due to sparse topology IDs")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/x86/turbostat/turbostat.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c
+index 8071a3ef2a2e8..25417c3a47ab6 100644
+--- a/tools/power/x86/turbostat/turbostat.c
++++ b/tools/power/x86/turbostat/turbostat.c
+@@ -1415,6 +1415,7 @@ struct topo_params {
+ int allowed_cpus;
+ int allowed_cores;
+ int max_cpu_num;
++ int max_die_id;
+ int max_node_num;
+ int nodes_per_pkg;
+ int cores_per_node;
+@@ -6967,7 +6968,6 @@ void topology_probe(bool startup)
+ int i;
+ int max_core_id = 0;
+ int max_package_id = 0;
+- int max_die_id = 0;
+ int max_siblings = 0;
+
+ /* Initialize num_cpus, max_cpu_num */
+@@ -7084,8 +7084,8 @@ void topology_probe(bool startup)
+
+ /* get die information */
+ cpus[i].die_id = get_die_id(i);
+- if (cpus[i].die_id > max_die_id)
+- max_die_id = cpus[i].die_id;
++ if (cpus[i].die_id > topo.max_die_id)
++ topo.max_die_id = cpus[i].die_id;
+
+ /* get numa node information */
+ cpus[i].physical_node_id = get_physical_node_id(&cpus[i]);
+@@ -7111,9 +7111,9 @@ void topology_probe(bool startup)
+ if (!summary_only && topo.cores_per_node > 1)
+ BIC_PRESENT(BIC_Core);
+
+- topo.num_die = max_die_id + 1;
++ topo.num_die = topo.max_die_id + 1;
+ if (debug > 1)
+- fprintf(outf, "max_die_id %d, sizing for %d die\n", max_die_id, topo.num_die);
++ fprintf(outf, "max_die_id %d, sizing for %d die\n", topo.max_die_id, topo.num_die);
+ if (!summary_only && topo.num_die > 1)
+ BIC_PRESENT(BIC_Die);
+
+--
+2.43.0
+
--- /dev/null
+From 598e3484df0788e2ed517d51308da519b861d296 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Apr 2024 17:02:37 +0300
+Subject: usb: xhci: prevent potential failure in handle_tx_event() for
+ Transfer events without TRB
+
+From: Niklas Neronin <niklas.neronin@linux.intel.com>
+
+[ Upstream commit 66cb618bf0bb82859875b00eeffaf223557cb416 ]
+
+Some transfer events don't always point to a TRB, and consequently don't
+have a endpoint ring. In these cases, function handle_tx_event() should
+not proceed, because if 'ep->skip' is set, the pointer to the endpoint
+ring is used.
+
+To prevent a potential failure and make the code logical, return after
+checking the completion code for a Transfer event without TRBs.
+
+Signed-off-by: Niklas Neronin <niklas.neronin@linux.intel.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20240429140245.3955523-11-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/host/xhci-ring.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
+index 48d745e9f9730..48028bab57e34 100644
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -2658,16 +2658,17 @@ static int handle_tx_event(struct xhci_hcd *xhci,
+ else
+ xhci_handle_halted_endpoint(xhci, ep, NULL,
+ EP_SOFT_RESET);
+- goto cleanup;
++ break;
+ case COMP_RING_UNDERRUN:
+ case COMP_RING_OVERRUN:
+ case COMP_STOPPED_LENGTH_INVALID:
+- goto cleanup;
++ break;
+ default:
+ xhci_err(xhci, "ERROR Transfer event for unknown stream ring slot %u ep %u\n",
+ slot_id, ep_index);
+ goto err_out;
+ }
++ return 0;
+ }
+
+ /* Count current td numbers if ep->skip is set */
+--
+2.43.0
+
--- /dev/null
+From ccda39b73c3d8e72f74bd93a5152e2773eeb4896 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Mar 2024 19:47:05 -0500
+Subject: vhost: Release worker mutex during flushes
+
+From: Mike Christie <michael.christie@oracle.com>
+
+[ Upstream commit ba704ff4e142fd3cfaf3379dd3b3b946754e06e3 ]
+
+In the next patches where the worker can be killed while in use, we
+need to be able to take the worker mutex and kill queued works for
+new IO and flushes, and set some new flags to prevent new
+__vhost_vq_attach_worker calls from swapping in/out killed workers.
+
+If we are holding the worker mutex during a flush and the flush's work
+is still in the queue, the worker code that will handle the SIGKILL
+cleanup won't be able to take the mutex and perform it's cleanup. So
+this patch has us drop the worker mutex while waiting for the flush
+to complete.
+
+Signed-off-by: Mike Christie <michael.christie@oracle.com>
+Message-Id: <20240316004707.45557-8-michael.christie@oracle.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Stable-dep-of: db5247d9bf5c ("vhost_task: Handle SIGKILL by flushing work and exiting")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vhost/vhost.c | 44 +++++++++++++++++++++++++++++--------------
+ 1 file changed, 30 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
+index 113b6a42719b7..5580b24934015 100644
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -276,21 +276,36 @@ void vhost_vq_flush(struct vhost_virtqueue *vq)
+ EXPORT_SYMBOL_GPL(vhost_vq_flush);
+
+ /**
+- * vhost_worker_flush - flush a worker
++ * __vhost_worker_flush - flush a worker
+ * @worker: worker to flush
+ *
+- * This does not use RCU to protect the worker, so the device or worker
+- * mutex must be held.
++ * The worker's flush_mutex must be held.
+ */
+-static void vhost_worker_flush(struct vhost_worker *worker)
++static void __vhost_worker_flush(struct vhost_worker *worker)
+ {
+ struct vhost_flush_struct flush;
+
++ if (!worker->attachment_cnt)
++ return;
++
+ init_completion(&flush.wait_event);
+ vhost_work_init(&flush.work, vhost_flush_work);
+
+ vhost_worker_queue(worker, &flush.work);
++ /*
++ * Drop mutex in case our worker is killed and it needs to take the
++ * mutex to force cleanup.
++ */
++ mutex_unlock(&worker->mutex);
+ wait_for_completion(&flush.wait_event);
++ mutex_lock(&worker->mutex);
++}
++
++static void vhost_worker_flush(struct vhost_worker *worker)
++{
++ mutex_lock(&worker->mutex);
++ __vhost_worker_flush(worker);
++ mutex_unlock(&worker->mutex);
+ }
+
+ void vhost_dev_flush(struct vhost_dev *dev)
+@@ -298,15 +313,8 @@ void vhost_dev_flush(struct vhost_dev *dev)
+ struct vhost_worker *worker;
+ unsigned long i;
+
+- xa_for_each(&dev->worker_xa, i, worker) {
+- mutex_lock(&worker->mutex);
+- if (!worker->attachment_cnt) {
+- mutex_unlock(&worker->mutex);
+- continue;
+- }
++ xa_for_each(&dev->worker_xa, i, worker)
+ vhost_worker_flush(worker);
+- mutex_unlock(&worker->mutex);
+- }
+ }
+ EXPORT_SYMBOL_GPL(vhost_dev_flush);
+
+@@ -685,7 +693,6 @@ static void __vhost_vq_attach_worker(struct vhost_virtqueue *vq,
+ * device wide flushes which doesn't use RCU for execution.
+ */
+ mutex_lock(&old_worker->mutex);
+- old_worker->attachment_cnt--;
+ /*
+ * We don't want to call synchronize_rcu for every vq during setup
+ * because it will slow down VM startup. If we haven't done
+@@ -696,6 +703,8 @@ static void __vhost_vq_attach_worker(struct vhost_virtqueue *vq,
+ mutex_lock(&vq->mutex);
+ if (!vhost_vq_get_backend(vq) && !vq->kick) {
+ mutex_unlock(&vq->mutex);
++
++ old_worker->attachment_cnt--;
+ mutex_unlock(&old_worker->mutex);
+ /*
+ * vsock can queue anytime after VHOST_VSOCK_SET_GUEST_CID.
+@@ -711,7 +720,8 @@ static void __vhost_vq_attach_worker(struct vhost_virtqueue *vq,
+ /* Make sure new vq queue/flush/poll calls see the new worker */
+ synchronize_rcu();
+ /* Make sure whatever was queued gets run */
+- vhost_worker_flush(old_worker);
++ __vhost_worker_flush(old_worker);
++ old_worker->attachment_cnt--;
+ mutex_unlock(&old_worker->mutex);
+ }
+
+@@ -764,6 +774,12 @@ static int vhost_free_worker(struct vhost_dev *dev,
+ mutex_unlock(&worker->mutex);
+ return -EBUSY;
+ }
++ /*
++ * A flush might have raced and snuck in before attachment_cnt was set
++ * to zero. Make sure flushes are flushed from the queue before
++ * freeing.
++ */
++ __vhost_worker_flush(worker);
+ mutex_unlock(&worker->mutex);
+
+ vhost_worker_destroy(dev, worker);
+--
+2.43.0
+
--- /dev/null
+From 0fe495244d220b436e85ffbce013d6074ffde15b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Mar 2024 19:47:04 -0500
+Subject: vhost: Use virtqueue mutex for swapping worker
+
+From: Mike Christie <michael.christie@oracle.com>
+
+[ Upstream commit 34cf9ba5f00a222dddd9fc71de7c68fdaac7fb97 ]
+
+__vhost_vq_attach_worker uses the vhost_dev mutex to serialize the
+swapping of a virtqueue's worker. This was done for simplicity because
+we are already holding that mutex.
+
+In the next patches where the worker can be killed while in use, we need
+finer grained locking because some drivers will hold the vhost_dev mutex
+while flushing. However in the SIGKILL handler in the next patches, we
+will need to be able to swap workers (set current one to NULL), kill
+queued works and stop new flushes while flushes are in progress.
+
+To prepare us, this has us use the virtqueue mutex for swapping workers
+instead of the vhost_dev one.
+
+Signed-off-by: Mike Christie <michael.christie@oracle.com>
+Message-Id: <20240316004707.45557-7-michael.christie@oracle.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Stable-dep-of: db5247d9bf5c ("vhost_task: Handle SIGKILL by flushing work and exiting")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vhost/vhost.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
+index 8995730ce0bfc..113b6a42719b7 100644
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -664,16 +664,22 @@ static void __vhost_vq_attach_worker(struct vhost_virtqueue *vq,
+ {
+ struct vhost_worker *old_worker;
+
+- old_worker = rcu_dereference_check(vq->worker,
+- lockdep_is_held(&vq->dev->mutex));
+-
+ mutex_lock(&worker->mutex);
+- worker->attachment_cnt++;
+- mutex_unlock(&worker->mutex);
++ mutex_lock(&vq->mutex);
++
++ old_worker = rcu_dereference_check(vq->worker,
++ lockdep_is_held(&vq->mutex));
+ rcu_assign_pointer(vq->worker, worker);
++ worker->attachment_cnt++;
+
+- if (!old_worker)
++ if (!old_worker) {
++ mutex_unlock(&vq->mutex);
++ mutex_unlock(&worker->mutex);
+ return;
++ }
++ mutex_unlock(&vq->mutex);
++ mutex_unlock(&worker->mutex);
++
+ /*
+ * Take the worker mutex to make sure we see the work queued from
+ * device wide flushes which doesn't use RCU for execution.
+--
+2.43.0
+
--- /dev/null
+From 49d623c3c5aab07a8e24f88ccd1f714fde715ee4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Mar 2024 19:47:06 -0500
+Subject: vhost_task: Handle SIGKILL by flushing work and exiting
+
+From: Mike Christie <michael.christie@oracle.com>
+
+[ Upstream commit db5247d9bf5c6ade9fd70b4e4897441e0269b233 ]
+
+Instead of lingering until the device is closed, this has us handle
+SIGKILL by:
+
+1. marking the worker as killed so we no longer try to use it with
+ new virtqueues and new flush operations.
+2. setting the virtqueue to worker mapping so no new works are queued.
+3. running all the exiting works.
+
+Suggested-by: Edward Adam Davis <eadavis@qq.com>
+Reported-and-tested-by: syzbot+98edc2df894917b3431f@syzkaller.appspotmail.com
+Message-Id: <tencent_546DA49414E876EEBECF2C78D26D242EE50A@qq.com>
+Signed-off-by: Mike Christie <michael.christie@oracle.com>
+Message-Id: <20240316004707.45557-9-michael.christie@oracle.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vhost/vhost.c | 54 +++++++++++++++++++++++++++++---
+ drivers/vhost/vhost.h | 2 ++
+ include/linux/sched/vhost_task.h | 3 +-
+ kernel/vhost_task.c | 53 ++++++++++++++++++++-----------
+ 4 files changed, 88 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
+index 5580b24934015..1740a5f1f35e7 100644
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -285,7 +285,7 @@ static void __vhost_worker_flush(struct vhost_worker *worker)
+ {
+ struct vhost_flush_struct flush;
+
+- if (!worker->attachment_cnt)
++ if (!worker->attachment_cnt || worker->killed)
+ return;
+
+ init_completion(&flush.wait_event);
+@@ -400,7 +400,7 @@ static void vhost_vq_reset(struct vhost_dev *dev,
+ __vhost_vq_meta_reset(vq);
+ }
+
+-static bool vhost_worker(void *data)
++static bool vhost_run_work_list(void *data)
+ {
+ struct vhost_worker *worker = data;
+ struct vhost_work *work, *work_next;
+@@ -425,6 +425,40 @@ static bool vhost_worker(void *data)
+ return !!node;
+ }
+
++static void vhost_worker_killed(void *data)
++{
++ struct vhost_worker *worker = data;
++ struct vhost_dev *dev = worker->dev;
++ struct vhost_virtqueue *vq;
++ int i, attach_cnt = 0;
++
++ mutex_lock(&worker->mutex);
++ worker->killed = true;
++
++ for (i = 0; i < dev->nvqs; i++) {
++ vq = dev->vqs[i];
++
++ mutex_lock(&vq->mutex);
++ if (worker ==
++ rcu_dereference_check(vq->worker,
++ lockdep_is_held(&vq->mutex))) {
++ rcu_assign_pointer(vq->worker, NULL);
++ attach_cnt++;
++ }
++ mutex_unlock(&vq->mutex);
++ }
++
++ worker->attachment_cnt -= attach_cnt;
++ if (attach_cnt)
++ synchronize_rcu();
++ /*
++ * Finish vhost_worker_flush calls and any other works that snuck in
++ * before the synchronize_rcu.
++ */
++ vhost_run_work_list(worker);
++ mutex_unlock(&worker->mutex);
++}
++
+ static void vhost_vq_free_iovecs(struct vhost_virtqueue *vq)
+ {
+ kfree(vq->indirect);
+@@ -639,9 +673,11 @@ static struct vhost_worker *vhost_worker_create(struct vhost_dev *dev)
+ if (!worker)
+ return NULL;
+
++ worker->dev = dev;
+ snprintf(name, sizeof(name), "vhost-%d", current->pid);
+
+- vtsk = vhost_task_create(vhost_worker, worker, name);
++ vtsk = vhost_task_create(vhost_run_work_list, vhost_worker_killed,
++ worker, name);
+ if (!vtsk)
+ goto free_worker;
+
+@@ -673,6 +709,11 @@ static void __vhost_vq_attach_worker(struct vhost_virtqueue *vq,
+ struct vhost_worker *old_worker;
+
+ mutex_lock(&worker->mutex);
++ if (worker->killed) {
++ mutex_unlock(&worker->mutex);
++ return;
++ }
++
+ mutex_lock(&vq->mutex);
+
+ old_worker = rcu_dereference_check(vq->worker,
+@@ -693,6 +734,11 @@ static void __vhost_vq_attach_worker(struct vhost_virtqueue *vq,
+ * device wide flushes which doesn't use RCU for execution.
+ */
+ mutex_lock(&old_worker->mutex);
++ if (old_worker->killed) {
++ mutex_unlock(&old_worker->mutex);
++ return;
++ }
++
+ /*
+ * We don't want to call synchronize_rcu for every vq during setup
+ * because it will slow down VM startup. If we haven't done
+@@ -770,7 +816,7 @@ static int vhost_free_worker(struct vhost_dev *dev,
+ return -ENODEV;
+
+ mutex_lock(&worker->mutex);
+- if (worker->attachment_cnt) {
++ if (worker->attachment_cnt || worker->killed) {
+ mutex_unlock(&worker->mutex);
+ return -EBUSY;
+ }
+diff --git a/drivers/vhost/vhost.h b/drivers/vhost/vhost.h
+index 9e942fcda5c3f..dc94e6a7d3c22 100644
+--- a/drivers/vhost/vhost.h
++++ b/drivers/vhost/vhost.h
+@@ -28,12 +28,14 @@ struct vhost_work {
+
+ struct vhost_worker {
+ struct vhost_task *vtsk;
++ struct vhost_dev *dev;
+ /* Used to serialize device wide flushing with worker swapping. */
+ struct mutex mutex;
+ struct llist_head work_list;
+ u64 kcov_handle;
+ u32 id;
+ int attachment_cnt;
++ bool killed;
+ };
+
+ /* Poll a file (eventfd or socket) */
+diff --git a/include/linux/sched/vhost_task.h b/include/linux/sched/vhost_task.h
+index bc60243d43b36..25446c5d35081 100644
+--- a/include/linux/sched/vhost_task.h
++++ b/include/linux/sched/vhost_task.h
+@@ -4,7 +4,8 @@
+
+ struct vhost_task;
+
+-struct vhost_task *vhost_task_create(bool (*fn)(void *), void *arg,
++struct vhost_task *vhost_task_create(bool (*fn)(void *),
++ void (*handle_kill)(void *), void *arg,
+ const char *name);
+ void vhost_task_start(struct vhost_task *vtsk);
+ void vhost_task_stop(struct vhost_task *vtsk);
+diff --git a/kernel/vhost_task.c b/kernel/vhost_task.c
+index da35e5b7f0473..8800f5acc0071 100644
+--- a/kernel/vhost_task.c
++++ b/kernel/vhost_task.c
+@@ -10,38 +10,32 @@
+
+ enum vhost_task_flags {
+ VHOST_TASK_FLAGS_STOP,
++ VHOST_TASK_FLAGS_KILLED,
+ };
+
+ struct vhost_task {
+ bool (*fn)(void *data);
++ void (*handle_sigkill)(void *data);
+ void *data;
+ struct completion exited;
+ unsigned long flags;
+ struct task_struct *task;
++ /* serialize SIGKILL and vhost_task_stop calls */
++ struct mutex exit_mutex;
+ };
+
+ static int vhost_task_fn(void *data)
+ {
+ struct vhost_task *vtsk = data;
+- bool dead = false;
+
+ for (;;) {
+ bool did_work;
+
+- if (!dead && signal_pending(current)) {
++ if (signal_pending(current)) {
+ struct ksignal ksig;
+- /*
+- * Calling get_signal will block in SIGSTOP,
+- * or clear fatal_signal_pending, but remember
+- * what was set.
+- *
+- * This thread won't actually exit until all
+- * of the file descriptors are closed, and
+- * the release function is called.
+- */
+- dead = get_signal(&ksig);
+- if (dead)
+- clear_thread_flag(TIF_SIGPENDING);
++
++ if (get_signal(&ksig))
++ break;
+ }
+
+ /* mb paired w/ vhost_task_stop */
+@@ -57,7 +51,19 @@ static int vhost_task_fn(void *data)
+ schedule();
+ }
+
++ mutex_lock(&vtsk->exit_mutex);
++ /*
++ * If a vhost_task_stop and SIGKILL race, we can ignore the SIGKILL.
++ * When the vhost layer has called vhost_task_stop it's already stopped
++ * new work and flushed.
++ */
++ if (!test_bit(VHOST_TASK_FLAGS_STOP, &vtsk->flags)) {
++ set_bit(VHOST_TASK_FLAGS_KILLED, &vtsk->flags);
++ vtsk->handle_sigkill(vtsk->data);
++ }
++ mutex_unlock(&vtsk->exit_mutex);
+ complete(&vtsk->exited);
++
+ do_exit(0);
+ }
+
+@@ -78,12 +84,17 @@ EXPORT_SYMBOL_GPL(vhost_task_wake);
+ * @vtsk: vhost_task to stop
+ *
+ * vhost_task_fn ensures the worker thread exits after
+- * VHOST_TASK_FLAGS_SOP becomes true.
++ * VHOST_TASK_FLAGS_STOP becomes true.
+ */
+ void vhost_task_stop(struct vhost_task *vtsk)
+ {
+- set_bit(VHOST_TASK_FLAGS_STOP, &vtsk->flags);
+- vhost_task_wake(vtsk);
++ mutex_lock(&vtsk->exit_mutex);
++ if (!test_bit(VHOST_TASK_FLAGS_KILLED, &vtsk->flags)) {
++ set_bit(VHOST_TASK_FLAGS_STOP, &vtsk->flags);
++ vhost_task_wake(vtsk);
++ }
++ mutex_unlock(&vtsk->exit_mutex);
++
+ /*
+ * Make sure vhost_task_fn is no longer accessing the vhost_task before
+ * freeing it below.
+@@ -96,14 +107,16 @@ EXPORT_SYMBOL_GPL(vhost_task_stop);
+ /**
+ * vhost_task_create - create a copy of a task to be used by the kernel
+ * @fn: vhost worker function
+- * @arg: data to be passed to fn
++ * @handle_sigkill: vhost function to handle when we are killed
++ * @arg: data to be passed to fn and handled_kill
+ * @name: the thread's name
+ *
+ * This returns a specialized task for use by the vhost layer or NULL on
+ * failure. The returned task is inactive, and the caller must fire it up
+ * through vhost_task_start().
+ */
+-struct vhost_task *vhost_task_create(bool (*fn)(void *), void *arg,
++struct vhost_task *vhost_task_create(bool (*fn)(void *),
++ void (*handle_sigkill)(void *), void *arg,
+ const char *name)
+ {
+ struct kernel_clone_args args = {
+@@ -122,8 +135,10 @@ struct vhost_task *vhost_task_create(bool (*fn)(void *), void *arg,
+ if (!vtsk)
+ return NULL;
+ init_completion(&vtsk->exited);
++ mutex_init(&vtsk->exit_mutex);
+ vtsk->data = arg;
+ vtsk->fn = fn;
++ vtsk->handle_sigkill = handle_sigkill;
+
+ args.fn_arg = vtsk;
+
+--
+2.43.0
+
--- /dev/null
+From 53968c1d5cd1a9dfd10212f016527f2b49e7fcdd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 16 Mar 2024 13:25:54 +0800
+Subject: virtio-pci: Check if is_avq is NULL
+
+From: Li Zhang <zhanglikernel@gmail.com>
+
+[ Upstream commit c8fae27d141a32a1624d0d0d5419d94252824498 ]
+
+[bug]
+In the virtio_pci_common.c function vp_del_vqs, vp_dev->is_avq is involved
+to determine whether it is admin virtqueue, but this function vp_dev->is_avq
+ may be empty. For installations, virtio_pci_legacy does not assign a value
+ to vp_dev->is_avq.
+
+[fix]
+Check whether it is vp_dev->is_avq before use.
+
+[test]
+Test with virsh Attach device
+Before this patch, the following command would crash the guest system
+
+After applying the patch, everything seems to be working fine.
+
+Signed-off-by: Li Zhang <zhanglikernel@gmail.com>
+Message-Id: <1710566754-3532-1-git-send-email-zhanglikernel@gmail.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/virtio/virtio_pci_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/virtio/virtio_pci_common.c b/drivers/virtio/virtio_pci_common.c
+index 584af7816532b..f6b0b00e4599f 100644
+--- a/drivers/virtio/virtio_pci_common.c
++++ b/drivers/virtio/virtio_pci_common.c
+@@ -236,7 +236,7 @@ void vp_del_vqs(struct virtio_device *vdev)
+ int i;
+
+ list_for_each_entry_safe(vq, n, &vdev->vqs, list) {
+- if (vp_dev->is_avq(vdev, vq->index))
++ if (vp_dev->is_avq && vp_dev->is_avq(vdev, vq->index))
+ continue;
+
+ if (vp_dev->per_vq_vectors) {
+--
+2.43.0
+
--- /dev/null
+From 47e4d0037e17e7653b2c72b236ed5091635ef38b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Mar 2024 19:09:16 +0800
+Subject: wifi: mt76: mt7996: add sanity checks for background radar trigger
+
+From: StanleyYP Wang <StanleyYP.Wang@mediatek.com>
+
+[ Upstream commit ec55d8e7dfea92daff87f5c01689633f8c4e6a62 ]
+
+Check if background radar is enabled or not before manually triggering it,
+and also add more checks in radar detected event.
+
+Signed-off-by: StanleyYP Wang <StanleyYP.Wang@mediatek.com>
+Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7996/debugfs.c | 5 +++++
+ drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 5 ++++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/debugfs.c b/drivers/net/wireless/mediatek/mt76/mt7996/debugfs.c
+index 9bd953586b041..62c03d088925c 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/debugfs.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/debugfs.c
+@@ -225,6 +225,11 @@ mt7996_radar_trigger(void *data, u64 val)
+ if (val > MT_RX_SEL2)
+ return -EINVAL;
+
++ if (val == MT_RX_SEL2 && !dev->rdd2_phy) {
++ dev_err(dev->mt76.dev, "Background radar is not enabled\n");
++ return -EINVAL;
++ }
++
+ return mt7996_mcu_rdd_cmd(dev, RDD_RADAR_EMULATE,
+ val, 0, 0);
+ }
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+index e86c05d0eecc9..bc3b2babb094d 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+@@ -355,7 +355,10 @@ mt7996_mcu_rx_radar_detected(struct mt7996_dev *dev, struct sk_buff *skb)
+ if (r->band_idx >= ARRAY_SIZE(dev->mt76.phys))
+ return;
+
+- if (dev->rdd2_phy && r->band_idx == MT_RX_SEL2)
++ if (r->band_idx == MT_RX_SEL2 && !dev->rdd2_phy)
++ return;
++
++ if (r->band_idx == MT_RX_SEL2)
+ mphy = dev->rdd2_phy->mt76;
+ else
+ mphy = dev->mt76.phys[r->band_idx];
+--
+2.43.0
+
--- /dev/null
+From ca674c202b57031b974bb10aafa1d04019b85fb3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Mar 2024 17:02:52 +0100
+Subject: wifi: mt76: replace skb_put with skb_put_zero
+
+From: Felix Fietkau <nbd@nbd.name>
+
+[ Upstream commit 7f819a2f4fbc510e088b49c79addcf1734503578 ]
+
+Avoid potentially reusing uninitialized data
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 10 +++++-----
+ drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 2 +-
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
+index fb8bd50eb7de8..5521c0ea5b261 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
+@@ -257,7 +257,7 @@ mt76_connac_mcu_add_nested_tlv(struct sk_buff *skb, int tag, int len,
+ };
+ u16 ntlv;
+
+- ptlv = skb_put(skb, len);
++ ptlv = skb_put_zero(skb, len);
+ memcpy(ptlv, &tlv, sizeof(tlv));
+
+ ntlv = le16_to_cpu(ntlv_hdr->tlv_num);
+@@ -1670,7 +1670,7 @@ int mt76_connac_mcu_hw_scan(struct mt76_phy *phy, struct ieee80211_vif *vif,
+ set_bit(MT76_HW_SCANNING, &phy->state);
+ mvif->scan_seq_num = (mvif->scan_seq_num + 1) & 0x7f;
+
+- req = (struct mt76_connac_hw_scan_req *)skb_put(skb, sizeof(*req));
++ req = (struct mt76_connac_hw_scan_req *)skb_put_zero(skb, sizeof(*req));
+
+ req->seq_num = mvif->scan_seq_num | mvif->band_idx << 7;
+ req->bss_idx = mvif->idx;
+@@ -1798,7 +1798,7 @@ int mt76_connac_mcu_sched_scan_req(struct mt76_phy *phy,
+
+ mvif->scan_seq_num = (mvif->scan_seq_num + 1) & 0x7f;
+
+- req = (struct mt76_connac_sched_scan_req *)skb_put(skb, sizeof(*req));
++ req = (struct mt76_connac_sched_scan_req *)skb_put_zero(skb, sizeof(*req));
+ req->version = 1;
+ req->seq_num = mvif->scan_seq_num | mvif->band_idx << 7;
+
+@@ -2321,7 +2321,7 @@ int mt76_connac_mcu_update_gtk_rekey(struct ieee80211_hw *hw,
+ return -ENOMEM;
+
+ skb_put_data(skb, &hdr, sizeof(hdr));
+- gtk_tlv = (struct mt76_connac_gtk_rekey_tlv *)skb_put(skb,
++ gtk_tlv = (struct mt76_connac_gtk_rekey_tlv *)skb_put_zero(skb,
+ sizeof(*gtk_tlv));
+ gtk_tlv->tag = cpu_to_le16(UNI_OFFLOAD_OFFLOAD_GTK_REKEY);
+ gtk_tlv->len = cpu_to_le16(sizeof(*gtk_tlv));
+@@ -2446,7 +2446,7 @@ mt76_connac_mcu_set_wow_pattern(struct mt76_dev *dev,
+ return -ENOMEM;
+
+ skb_put_data(skb, &hdr, sizeof(hdr));
+- ptlv = (struct mt76_connac_wow_pattern_tlv *)skb_put(skb, sizeof(*ptlv));
++ ptlv = (struct mt76_connac_wow_pattern_tlv *)skb_put_zero(skb, sizeof(*ptlv));
+ ptlv->tag = cpu_to_le16(UNI_SUSPEND_WOW_PATTERN);
+ ptlv->len = cpu_to_le16(sizeof(*ptlv));
+ ptlv->data_len = pattern->pattern_len;
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
+index d90f98c500399..b7157bdb3103f 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
+@@ -424,7 +424,7 @@ mt7915_mcu_add_nested_subtlv(struct sk_buff *skb, int sub_tag, int sub_len,
+ .len = cpu_to_le16(sub_len),
+ };
+
+- ptlv = skb_put(skb, sub_len);
++ ptlv = skb_put_zero(skb, sub_len);
+ memcpy(ptlv, &tlv, sizeof(tlv));
+
+ le16_add_cpu(sub_ntlv, 1);
+--
+2.43.0
+
--- /dev/null
+From 0f7e9c9428e1a7a3865fd89b7531284940283d36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Apr 2024 19:57:23 +0800
+Subject: wifi: rtw89: fw: scan offload prohibit all 6 GHz channel if no 6 GHz
+ sband
+
+From: Zong-Zhe Yang <kevin_yang@realtek.com>
+
+[ Upstream commit bb38626f3f97e16e6d368a9ff6daf320f3fe31d9 ]
+
+We have some policy via BIOS to block uses of 6 GHz. In this case, 6 GHz
+sband will be NULL even if it is WiFi 7 chip. So, add NULL handling here
+to avoid crash.
+
+Signed-off-by: Zong-Zhe Yang <kevin_yang@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://msgid.link/20240412115729.8316-3-pkshih@realtek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtw89/fw.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/wireless/realtek/rtw89/fw.c b/drivers/net/wireless/realtek/rtw89/fw.c
+index 6c75ebbb21caa..ef86389545ffb 100644
+--- a/drivers/net/wireless/realtek/rtw89/fw.c
++++ b/drivers/net/wireless/realtek/rtw89/fw.c
+@@ -4646,6 +4646,10 @@ static void rtw89_scan_get_6g_disabled_chan(struct rtw89_dev *rtwdev,
+ u8 i, idx;
+
+ sband = rtwdev->hw->wiphy->bands[NL80211_BAND_6GHZ];
++ if (!sband) {
++ option->prohib_chan = U64_MAX;
++ return;
++ }
+
+ for (i = 0; i < sband->n_channels; i++) {
+ chan = &sband->channels[i];
+--
+2.43.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
