Fixes for 5.4
authorSasha Levin <sashal@kernel.org>
Mon, 3 Jun 2024 11:42:15 +0000 (07:42 -0400)
committerSasha Levin <sashal@kernel.org>
Mon, 3 Jun 2024 11:42:15 +0000 (07:42 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
26 files changed:
queue-5.4/arm64-asm-bug-add-.align-2-to-the-end-of-__bug_entry.patch [new file with mode: 0644]
queue-5.4/drm-msm-dpu-always-flush-the-slave-intf-on-the-ctl.patch [new file with mode: 0644]
queue-5.4/input-ims-pcu-fix-printf-string-overflow.patch [new file with mode: 0644]
queue-5.4/input-pm8xxx-vibrator-correct-vib_max_levels-calcula.patch [new file with mode: 0644]
queue-5.4/ipv6-sr-fix-memleak-in-seg6_hmac_init_algo.patch [new file with mode: 0644]
queue-5.4/media-cec-cec-adap-always-cancel-work-in-cec_transmi.patch [new file with mode: 0644]
queue-5.4/media-cec-cec-api-add-locking-in-cec_release.patch [new file with mode: 0644]
queue-5.4/media-stk1160-fix-bounds-checking-in-stk1160_copy_vi.patch [new file with mode: 0644]
queue-5.4/net-fec-avoid-lock-evasion-when-reading-pps_enable.patch [new file with mode: 0644]
queue-5.4/nfc-nci-fix-handling-of-zero-length-payload-packets-.patch [new file with mode: 0644]
queue-5.4/nfc-nci-fix-kcov-check-in-nci_rx_work.patch [new file with mode: 0644]
queue-5.4/nfc-nci-fix-uninit-value-in-nci_rx_work.patch [new file with mode: 0644]
queue-5.4/null_blk-fix-the-warning-modpost-missing-module_desc.patch [new file with mode: 0644]
queue-5.4/openvswitch-set-the-skbuff-pkt_type-for-proper-pmtud.patch [new file with mode: 0644]
queue-5.4/params-lift-param_set_uint_minmax-to-common-code.patch [new file with mode: 0644]
queue-5.4/powerpc-pseries-add-failure-related-checks-for-h_get.patch [new file with mode: 0644]
queue-5.4/scsi-qla2xxx-replace-all-non-returning-strlcpy-with-.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/sunrpc-fix-nfsacl-rpc-retry-on-soft-mount.patch [new file with mode: 0644]
queue-5.4/tcp-fix-shift-out-of-bounds-in-dctcp_update_alpha.patch [new file with mode: 0644]
queue-5.4/tcp-remove-64-kbyte-limit-for-initial-tp-rcv_wnd-val.patch [new file with mode: 0644]
queue-5.4/um-add-winch-to-winch_handlers-before-registering-wi.patch [new file with mode: 0644]
queue-5.4/um-fix-return-value-in-ubd_init.patch [new file with mode: 0644]
queue-5.4/um-fix-the-wmissing-prototypes-warning-for-__switch_.patch [new file with mode: 0644]
queue-5.4/virtio-delete-vq-in-vp_find_vqs_msix-when-request_ir.patch [new file with mode: 0644]
queue-5.4/x86-kconfig-select-arch_want_frame_pointers-again-wh.patch [new file with mode: 0644]

diff --git a/queue-5.4/arm64-asm-bug-add-.align-2-to-the-end-of-__bug_entry.patch b/queue-5.4/arm64-asm-bug-add-.align-2-to-the-end-of-__bug_entry.patch
new file mode 100644 (file)
index 0000000..ca505f3
--- /dev/null
@@ -0,0 +1,160 @@
+From 9fc3049e99a34f1d2e8a15e62ddbda3ebc64cb24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 May 2024 21:34:37 +0800
+Subject: arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY
+
+From: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
+
+[ Upstream commit ffbf4fb9b5c12ff878a10ea17997147ea4ebea6f ]
+
+When CONFIG_DEBUG_BUGVERBOSE=n, we fail to add necessary padding bytes
+to bug_table entries, and as a result the last entry in a bug table will
+be ignored, potentially leading to an unexpected panic(). All prior
+entries in the table will be handled correctly.
+
+The arm64 ABI requires that struct fields of up to 8 bytes are
+naturally-aligned, with padding added within a struct such that struct
+are suitably aligned within arrays.
+
+When CONFIG_DEBUG_BUGVERPOSE=y, the layout of a bug_entry is:
+
+       struct bug_entry {
+               signed int      bug_addr_disp;  // 4 bytes
+               signed int      file_disp;      // 4 bytes
+               unsigned short  line;           // 2 bytes
+               unsigned short  flags;          // 2 bytes
+       }
+
+... with 12 bytes total, requiring 4-byte alignment.
+
+When CONFIG_DEBUG_BUGVERBOSE=n, the layout of a bug_entry is:
+
+       struct bug_entry {
+               signed int      bug_addr_disp;  // 4 bytes
+               unsigned short  flags;          // 2 bytes
+               < implicit padding >            // 2 bytes
+       }
+
+... with 8 bytes total, with 6 bytes of data and 2 bytes of trailing
+padding, requiring 4-byte alginment.
+
+When we create a bug_entry in assembly, we align the start of the entry
+to 4 bytes, which implicitly handles padding for any prior entries.
+However, we do not align the end of the entry, and so when
+CONFIG_DEBUG_BUGVERBOSE=n, the final entry lacks the trailing padding
+bytes.
+
+For the main kernel image this is not a problem as find_bug() doesn't
+depend on the trailing padding bytes when searching for entries:
+
+       for (bug = __start___bug_table; bug < __stop___bug_table; ++bug)
+               if (bugaddr == bug_addr(bug))
+                       return bug;
+
+However for modules, module_bug_finalize() depends on the trailing
+bytes when calculating the number of entries:
+
+       mod->num_bugs = sechdrs[i].sh_size / sizeof(struct bug_entry);
+
+... and as the last bug_entry lacks the necessary padding bytes, this entry
+will not be counted, e.g. in the case of a single entry:
+
+       sechdrs[i].sh_size == 6
+       sizeof(struct bug_entry) == 8;
+
+       sechdrs[i].sh_size / sizeof(struct bug_entry) == 0;
+
+Consequently module_find_bug() will miss the last bug_entry when it does:
+
+       for (i = 0; i < mod->num_bugs; ++i, ++bug)
+               if (bugaddr == bug_addr(bug))
+                       goto out;
+
+... which can lead to a kenrel panic due to an unhandled bug.
+
+This can be demonstrated with the following module:
+
+       static int __init buginit(void)
+       {
+               WARN(1, "hello\n");
+               return 0;
+       }
+
+       static void __exit bugexit(void)
+       {
+       }
+
+       module_init(buginit);
+       module_exit(bugexit);
+       MODULE_LICENSE("GPL");
+
+... which will trigger a kernel panic when loaded:
+
+       ------------[ cut here ]------------
+       hello
+       Unexpected kernel BRK exception at EL1
+       Internal error: BRK handler: 00000000f2000800 [#1] PREEMPT SMP
+       Modules linked in: hello(O+)
+       CPU: 0 PID: 50 Comm: insmod Tainted: G           O       6.9.1 #8
+       Hardware name: linux,dummy-virt (DT)
+       pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+       pc : buginit+0x18/0x1000 [hello]
+       lr : buginit+0x18/0x1000 [hello]
+       sp : ffff800080533ae0
+       x29: ffff800080533ae0 x28: 0000000000000000 x27: 0000000000000000
+       x26: ffffaba8c4e70510 x25: ffff800080533c30 x24: ffffaba8c4a28a58
+       x23: 0000000000000000 x22: 0000000000000000 x21: ffff3947c0eab3c0
+       x20: ffffaba8c4e3f000 x19: ffffaba846464000 x18: 0000000000000006
+       x17: 0000000000000000 x16: ffffaba8c2492834 x15: 0720072007200720
+       x14: 0720072007200720 x13: ffffaba8c49b27c8 x12: 0000000000000312
+       x11: 0000000000000106 x10: ffffaba8c4a0a7c8 x9 : ffffaba8c49b27c8
+       x8 : 00000000ffffefff x7 : ffffaba8c4a0a7c8 x6 : 80000000fffff000
+       x5 : 0000000000000107 x4 : 0000000000000000 x3 : 0000000000000000
+       x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff3947c0eab3c0
+       Call trace:
+        buginit+0x18/0x1000 [hello]
+        do_one_initcall+0x80/0x1c8
+        do_init_module+0x60/0x218
+        load_module+0x1ba4/0x1d70
+        __do_sys_init_module+0x198/0x1d0
+        __arm64_sys_init_module+0x1c/0x28
+        invoke_syscall+0x48/0x114
+        el0_svc_common.constprop.0+0x40/0xe0
+        do_el0_svc+0x1c/0x28
+        el0_svc+0x34/0xd8
+        el0t_64_sync_handler+0x120/0x12c
+        el0t_64_sync+0x190/0x194
+       Code: d0ffffe0 910003fd 91000000 9400000b (d4210000)
+       ---[ end trace 0000000000000000 ]---
+       Kernel panic - not syncing: BRK handler: Fatal exception
+
+Fix this by always aligning the end of a bug_entry to 4 bytes, which is
+correct regardless of CONFIG_DEBUG_BUGVERBOSE.
+
+Fixes: 9fb7410f955f ("arm64/BUG: Use BRK instruction for generic BUG traps")
+
+Signed-off-by: Yuanbin Xie <xieyuanbin1@huawei.com>
+Signed-off-by: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
+Reviewed-by: Mark Rutland <mark.rutland@arm.com>
+Link: https://lore.kernel.org/r/1716212077-43826-1-git-send-email-xiaojiangfeng@huawei.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/asm-bug.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/include/asm/asm-bug.h b/arch/arm64/include/asm/asm-bug.h
+index 03f52f84a4f3f..bc2dcc8a00009 100644
+--- a/arch/arm64/include/asm/asm-bug.h
++++ b/arch/arm64/include/asm/asm-bug.h
+@@ -28,6 +28,7 @@
+       14470:  .long 14471f - 14470b;                  \
+ _BUGVERBOSE_LOCATION(__FILE__, __LINE__)              \
+               .short flags;                           \
++              .align 2;                               \
+               .popsection;                            \
+       14471:
+ #else
+-- 
+2.43.0
+
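Review bot: The added `.align 2;` in the asm-bug.h hunk carries no comment, and the operand is easy to misread as a 2-byte alignment when the commit message says the entry end is aligned to 4 bytes. A short comment above the macro would record the intent, for example `/* .align 2 == 4-byte alignment: pads the last bug_entry so the section size is a whole number of entries */`. The macro starts and ends outside the hunk, so the exact placement is a suggestion.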
diff --git a/queue-5.4/drm-msm-dpu-always-flush-the-slave-intf-on-the-ctl.patch b/queue-5.4/drm-msm-dpu-always-flush-the-slave-intf-on-the-ctl.patch
new file mode 100644 (file)
index 0000000..7c05bb0
--- /dev/null
@@ -0,0 +1,49 @@
+From 93c431f9979466cb5e5d3600470fb026ac8e6fac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Apr 2024 01:57:43 +0200
+Subject: drm/msm/dpu: Always flush the slave INTF on the CTL
+
+From: Marijn Suijten <marijn.suijten@somainline.org>
+
+[ Upstream commit 2b938c3ab0a69ec6ea587bbf6fc2aec3db4a8736 ]
+
+As we can clearly see in a downstream kernel [1], flushing the slave INTF
+is skipped /only if/ the PPSPLIT topology is active.
+
+However, when DPU was originally submitted to mainline PPSPLIT was no
+longer part of it (seems to have been ripped out before submission), but
+this clause was incorrectly ported from the original SDE driver.  Given
+that there is no support for PPSPLIT (currently), flushing the slave
+INTF should /never/ be skipped (as the `if (ppsplit && !master) goto
+skip;` clause downstream never becomes true).
+
+[1]: https://git.codelinaro.org/clo/la/platform/vendor/opensource/display-drivers/-/blob/display-kernel.lnx.5.4.r1-rel/msm/sde/sde_encoder_phys_cmd.c?ref_type=heads#L1131-1139
+
+Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support")
+Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/589901/
+Link: https://lore.kernel.org/r/20240417-drm-msm-initial-dualpipe-dsc-fixes-v1-3-78ae3ee9a697@somainline.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c
+index 2923b63d95fec..34b39a475e3e6 100644
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder_phys_cmd.c
+@@ -479,9 +479,6 @@ static void dpu_encoder_phys_cmd_enable_helper(
+       _dpu_encoder_phys_cmd_pingpong_config(phys_enc);
+-      if (!dpu_encoder_phys_cmd_is_master(phys_enc))
+-              return;
+-
+       ctl = phys_enc->hw_ctl;
+       ctl->ops.get_bitmask_intf(ctl, &flush_mask, phys_enc->intf_idx);
+       ctl->ops.update_pending_flush(ctl, flush_mask);
+-- 
+2.43.0
+
diff --git a/queue-5.4/input-ims-pcu-fix-printf-string-overflow.patch b/queue-5.4/input-ims-pcu-fix-printf-string-overflow.patch
new file mode 100644 (file)
index 0000000..92a1151
--- /dev/null
@@ -0,0 +1,43 @@
+From de5f6a2687d5c86fc4ce0d1ae2e4412efde80bf7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Mar 2024 13:28:56 -0700
+Subject: Input: ims-pcu - fix printf string overflow
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit bf32bceedd0453c70d9d022e2e29f98e446d7161 ]
+
+clang warns about a string overflow in this driver
+
+drivers/input/misc/ims-pcu.c:1802:2: error: 'snprintf' will always be truncated; specified size is 10, but format string expands to at least 12 [-Werror,-Wformat-truncation]
+drivers/input/misc/ims-pcu.c:1814:2: error: 'snprintf' will always be truncated; specified size is 10, but format string expands to at least 12 [-Werror,-Wformat-truncation]
+
+Make the buffer a little longer to ensure it always fits.
+
+Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20240326223825.4084412-7-arnd@kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/misc/ims-pcu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
+index d8dbfc030d0fa..4dfed127952d3 100644
+--- a/drivers/input/misc/ims-pcu.c
++++ b/drivers/input/misc/ims-pcu.c
+@@ -42,8 +42,8 @@ struct ims_pcu_backlight {
+ #define IMS_PCU_PART_NUMBER_LEN               15
+ #define IMS_PCU_SERIAL_NUMBER_LEN     8
+ #define IMS_PCU_DOM_LEN                       8
+-#define IMS_PCU_FW_VERSION_LEN                (9 + 1)
+-#define IMS_PCU_BL_VERSION_LEN                (9 + 1)
++#define IMS_PCU_FW_VERSION_LEN                16
++#define IMS_PCU_BL_VERSION_LEN                16
+ #define IMS_PCU_BL_RESET_REASON_LEN   (2 + 1)
+ #define IMS_PCU_PCU_B_DEVICE_ID               5
+-- 
+2.43.0
+
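Review bot: The new value `16` for `IMS_PCU_FW_VERSION_LEN` and `IMS_PCU_BL_VERSION_LEN` drops the derivation that the old `(9 + 1)` spelled out, so a reader cannot tell how much headroom it leaves over the 12 bytes clang reports. A comment such as `/* clang: format expands to at least 12 bytes; 16 leaves headroom */` would record that. The users of both macros are outside the hunk; if either macro also sizes a field that is filled from device data, that length changes with it and is worth checking.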
diff --git a/queue-5.4/input-pm8xxx-vibrator-correct-vib_max_levels-calcula.patch b/queue-5.4/input-pm8xxx-vibrator-correct-vib_max_levels-calcula.patch
new file mode 100644 (file)
index 0000000..2fe0073
--- /dev/null
@@ -0,0 +1,55 @@
+From cf278b83d10bcffead4010a05ca2d207a4ab7df7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Apr 2024 16:03:40 -0700
+Subject: Input: pm8xxx-vibrator - correct VIB_MAX_LEVELS calculation
+
+From: Fenglin Wu <quic_fenglinw@quicinc.com>
+
+[ Upstream commit 48c0687a322d54ac7e7a685c0b6db78d78f593af ]
+
+The output voltage is inclusive hence the max level calculation is
+off-by-one-step. Correct it.
+
+iWhile we are at it also add a define for the step size instead of
+using the magic value.
+
+Fixes: 11205bb63e5c ("Input: add support for pm8xxx based vibrator driver")
+Signed-off-by: Fenglin Wu <quic_fenglinw@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20240412-pm8xxx-vibrator-new-design-v10-1-0ec0ad133866@quicinc.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/misc/pm8xxx-vibrator.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/input/misc/pm8xxx-vibrator.c b/drivers/input/misc/pm8xxx-vibrator.c
+index 53ad25eaf1a28..8bfe5c7b1244c 100644
+--- a/drivers/input/misc/pm8xxx-vibrator.c
++++ b/drivers/input/misc/pm8xxx-vibrator.c
+@@ -14,7 +14,8 @@
+ #define VIB_MAX_LEVEL_mV      (3100)
+ #define VIB_MIN_LEVEL_mV      (1200)
+-#define VIB_MAX_LEVELS                (VIB_MAX_LEVEL_mV - VIB_MIN_LEVEL_mV)
++#define VIB_PER_STEP_mV               (100)
++#define VIB_MAX_LEVELS                (VIB_MAX_LEVEL_mV - VIB_MIN_LEVEL_mV + VIB_PER_STEP_mV)
+ #define MAX_FF_SPEED          0xff
+@@ -118,10 +119,10 @@ static void pm8xxx_work_handler(struct work_struct *work)
+               vib->active = true;
+               vib->level = ((VIB_MAX_LEVELS * vib->speed) / MAX_FF_SPEED) +
+                                               VIB_MIN_LEVEL_mV;
+-              vib->level /= 100;
++              vib->level /= VIB_PER_STEP_mV;
+       } else {
+               vib->active = false;
+-              vib->level = VIB_MIN_LEVEL_mV / 100;
++              vib->level = VIB_MIN_LEVEL_mV / VIB_PER_STEP_mV;
+       }
+       pm8xxx_vib_set(vib, vib->active);
+-- 
+2.43.0
+
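Review bot: With the new `VIB_MAX_LEVELS` of 2000, the expression in `pm8xxx_work_handler()` evaluates to 2000 + 1200 = 3200 mV when `vib->speed` equals `MAX_FF_SPEED`, which becomes level 32 after the division, one step above `VIB_MAX_LEVEL_mV / VIB_PER_STEP_mV` (31). Whether speed can reach 0xff and how wide the register field written by `pm8xxx_vib_set()` is are both outside the hunk, so this needs confirming. An explicit clamp would pin the upper bound: `if (vib->level > VIB_MAX_LEVEL_mV / VIB_PER_STEP_mV) vib->level = VIB_MAX_LEVEL_mV / VIB_PER_STEP_mV;`.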
diff --git a/queue-5.4/ipv6-sr-fix-memleak-in-seg6_hmac_init_algo.patch b/queue-5.4/ipv6-sr-fix-memleak-in-seg6_hmac_init_algo.patch
new file mode 100644 (file)
index 0000000..6263ae5
--- /dev/null
@@ -0,0 +1,125 @@
+From 2eabb6159947223f344401391dd70ed0e5b25281 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 May 2024 08:54:35 +0800
+Subject: ipv6: sr: fix memleak in seg6_hmac_init_algo
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit efb9f4f19f8e37fde43dfecebc80292d179f56c6 ]
+
+seg6_hmac_init_algo returns without cleaning up the previous allocations
+if one fails, so it's going to leak all that memory and the crypto tfms.
+
+Update seg6_hmac_exit to only free the memory when allocated, so we can
+reuse the code directly.
+
+Fixes: bf355b8d2c30 ("ipv6: sr: add core files for SR HMAC support")
+Reported-by: Sabrina Dubroca <sd@queasysnail.net>
+Closes: https://lore.kernel.org/netdev/Zj3bh-gE7eT6V6aH@hog/
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
+Link: https://lore.kernel.org/r/20240517005435.2600277-1-liuhangbin@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/seg6_hmac.c | 42 ++++++++++++++++++++++++++++--------------
+ 1 file changed, 28 insertions(+), 14 deletions(-)
+
+diff --git a/net/ipv6/seg6_hmac.c b/net/ipv6/seg6_hmac.c
+index 65394abf4736b..b3b2aa92e60d4 100644
+--- a/net/ipv6/seg6_hmac.c
++++ b/net/ipv6/seg6_hmac.c
+@@ -356,6 +356,7 @@ static int seg6_hmac_init_algo(void)
+       struct crypto_shash *tfm;
+       struct shash_desc *shash;
+       int i, alg_count, cpu;
++      int ret = -ENOMEM;
+       alg_count = ARRAY_SIZE(hmac_algos);
+@@ -366,12 +367,14 @@ static int seg6_hmac_init_algo(void)
+               algo = &hmac_algos[i];
+               algo->tfms = alloc_percpu(struct crypto_shash *);
+               if (!algo->tfms)
+-                      return -ENOMEM;
++                      goto error_out;
+               for_each_possible_cpu(cpu) {
+                       tfm = crypto_alloc_shash(algo->name, 0, 0);
+-                      if (IS_ERR(tfm))
+-                              return PTR_ERR(tfm);
++                      if (IS_ERR(tfm)) {
++                              ret = PTR_ERR(tfm);
++                              goto error_out;
++                      }
+                       p_tfm = per_cpu_ptr(algo->tfms, cpu);
+                       *p_tfm = tfm;
+               }
+@@ -383,18 +386,22 @@ static int seg6_hmac_init_algo(void)
+               algo->shashs = alloc_percpu(struct shash_desc *);
+               if (!algo->shashs)
+-                      return -ENOMEM;
++                      goto error_out;
+               for_each_possible_cpu(cpu) {
+                       shash = kzalloc_node(shsize, GFP_KERNEL,
+                                            cpu_to_node(cpu));
+                       if (!shash)
+-                              return -ENOMEM;
++                              goto error_out;
+                       *per_cpu_ptr(algo->shashs, cpu) = shash;
+               }
+       }
+       return 0;
++
++error_out:
++      seg6_hmac_exit();
++      return ret;
+ }
+ int __init seg6_hmac_init(void)
+@@ -414,22 +421,29 @@ int __net_init seg6_hmac_net_init(struct net *net)
+ void seg6_hmac_exit(void)
+ {
+       struct seg6_hmac_algo *algo = NULL;
++      struct crypto_shash *tfm;
++      struct shash_desc *shash;
+       int i, alg_count, cpu;
+       alg_count = ARRAY_SIZE(hmac_algos);
+       for (i = 0; i < alg_count; i++) {
+               algo = &hmac_algos[i];
+-              for_each_possible_cpu(cpu) {
+-                      struct crypto_shash *tfm;
+-                      struct shash_desc *shash;
+-                      shash = *per_cpu_ptr(algo->shashs, cpu);
+-                      kfree(shash);
+-                      tfm = *per_cpu_ptr(algo->tfms, cpu);
+-                      crypto_free_shash(tfm);
++              if (algo->shashs) {
++                      for_each_possible_cpu(cpu) {
++                              shash = *per_cpu_ptr(algo->shashs, cpu);
++                              kfree(shash);
++                      }
++                      free_percpu(algo->shashs);
++              }
++
++              if (algo->tfms) {
++                      for_each_possible_cpu(cpu) {
++                              tfm = *per_cpu_ptr(algo->tfms, cpu);
++                              crypto_free_shash(tfm);
++                      }
++                      free_percpu(algo->tfms);
+               }
+-              free_percpu(algo->tfms);
+-              free_percpu(algo->shashs);
+       }
+ }
+ EXPORT_SYMBOL(seg6_hmac_exit);
+-- 
+2.43.0
+
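Review bot: `seg6_hmac_exit()` now also runs from the `error_out` path of `seg6_hmac_init_algo()`, but it leaves `algo->shashs` and `algo->tfms` pointing at freed per-CPU memory after `free_percpu()`, so the new `if (algo->...)` guards only cover the never-allocated case. If any caller runs `seg6_hmac_exit()` again after a failed init (the callers are outside the hunk), the second pass would free the same allocations. Resetting the pointers makes the function safe to call twice: add `algo->shashs = NULL;` after `free_percpu(algo->shashs);` and `algo->tfms = NULL;` after `free_percpu(algo->tfms);`.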
diff --git a/queue-5.4/media-cec-cec-adap-always-cancel-work-in-cec_transmi.patch b/queue-5.4/media-cec-cec-adap-always-cancel-work-in-cec_transmi.patch
new file mode 100644 (file)
index 0000000..dae4532
--- /dev/null
@@ -0,0 +1,39 @@
+From ca7964ec30988a24ea9ed0330684ae9e275cfad9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Feb 2024 12:24:38 +0000
+Subject: media: cec: cec-adap: always cancel work in cec_transmit_msg_fh
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 9fe2816816a3c765dff3b88af5b5c3d9bbb911ce ]
+
+Do not check for !data->completed, just always call
+cancel_delayed_work_sync(). This fixes a small race condition.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reported-by: Yang, Chenyuan <cy54@illinois.edu>
+Closes: https://lore.kernel.org/linux-media/PH7PR11MB57688E64ADE4FE82E658D86DA09EA@PH7PR11MB5768.namprd11.prod.outlook.com/
+Fixes: 490d84f6d73c ("media: cec: forgot to cancel delayed work")
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/cec/cec-adap.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/media/cec/cec-adap.c b/drivers/media/cec/cec-adap.c
+index 4c1770b8128cb..94ddaca496c94 100644
+--- a/drivers/media/cec/cec-adap.c
++++ b/drivers/media/cec/cec-adap.c
+@@ -908,8 +908,7 @@ int cec_transmit_msg_fh(struct cec_adapter *adap, struct cec_msg *msg,
+        */
+       mutex_unlock(&adap->lock);
+       wait_for_completion_killable(&data->c);
+-      if (!data->completed)
+-              cancel_delayed_work_sync(&data->work);
++      cancel_delayed_work_sync(&data->work);
+       mutex_lock(&adap->lock);
+       /* Cancel the transmit if it was interrupted */
+-- 
+2.43.0
+
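Review bot: The now-unconditional `cancel_delayed_work_sync(&data->work);` in `cec_transmit_msg_fh()` has no comment explaining why the `data->completed` test must not come back. The removed check read `data->completed` between `mutex_unlock(&adap->lock)` and `mutex_lock(&adap->lock)`, that is without the adapter lock, which is presumably the race the commit message refers to. A one-line comment such as `/* always cancel: data->completed is not stable while adap->lock is dropped */` would keep a later cleanup from reintroducing it. The function body continues outside the hunk.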
diff --git a/queue-5.4/media-cec-cec-api-add-locking-in-cec_release.patch b/queue-5.4/media-cec-cec-api-add-locking-in-cec_release.patch
new file mode 100644 (file)
index 0000000..8cb21b1
--- /dev/null
@@ -0,0 +1,46 @@
+From 067f3cf836a912899497f300cf6547b62d702e22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Feb 2024 12:25:55 +0000
+Subject: media: cec: cec-api: add locking in cec_release()
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 42bcaacae924bf18ae387c3f78c202df0b739292 ]
+
+When cec_release() uses fh->msgs it has to take fh->lock,
+otherwise the list can get corrupted.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reported-by: Yang, Chenyuan <cy54@illinois.edu>
+Closes: https://lore.kernel.org/linux-media/PH7PR11MB57688E64ADE4FE82E658D86DA09EA@PH7PR11MB5768.namprd11.prod.outlook.com/
+Fixes: ca684386e6e2 ("[media] cec: add HDMI CEC framework (api)")
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/cec/cec-api.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/cec/cec-api.c b/drivers/media/cec/cec-api.c
+index ed75636a6fb34..90e90234f5bd8 100644
+--- a/drivers/media/cec/cec-api.c
++++ b/drivers/media/cec/cec-api.c
+@@ -652,6 +652,8 @@ static int cec_release(struct inode *inode, struct file *filp)
+               list_del(&data->xfer_list);
+       }
+       mutex_unlock(&adap->lock);
++
++      mutex_lock(&fh->lock);
+       while (!list_empty(&fh->msgs)) {
+               struct cec_msg_entry *entry =
+                       list_first_entry(&fh->msgs, struct cec_msg_entry, list);
+@@ -669,6 +671,7 @@ static int cec_release(struct inode *inode, struct file *filp)
+                       kfree(entry);
+               }
+       }
++      mutex_unlock(&fh->lock);
+       kfree(fh);
+       cec_put_device(devnode);
+-- 
+2.43.0
+
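Review bot: In `cec_release()` the new `mutex_unlock(&fh->lock);` is followed directly by `kfree(fh);`, so the lock protects the list walk but not the lifetime of `fh`: a thread that was blocked on `fh->lock` would wake up holding a mutex that lives in freed memory. This is safe only if every other user of `fh->msgs` has been detached before this point, which happens outside the hunk. Stating that invariant where the lock is taken would help, for example `/* fh is no longer reachable by the adapter here; fh->lock only fences in-flight queueing */`, after confirming it against the earlier part of the function.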
diff --git a/queue-5.4/media-stk1160-fix-bounds-checking-in-stk1160_copy_vi.patch b/queue-5.4/media-stk1160-fix-bounds-checking-in-stk1160_copy_vi.patch
new file mode 100644 (file)
index 0000000..ff2f501
--- /dev/null
@@ -0,0 +1,84 @@
+From cea3f7e37430b8f0965b6560823226808d1cfb1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Apr 2024 12:32:44 +0300
+Subject: media: stk1160: fix bounds checking in stk1160_copy_video()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit faa4364bef2ec0060de381ff028d1d836600a381 ]
+
+The subtract in this condition is reversed.  The ->length is the length
+of the buffer.  The ->bytesused is how many bytes we have copied thus
+far.  When the condition is reversed that means the result of the
+subtraction is always negative but since it's unsigned then the result
+is a very high positive value.  That means the overflow check is never
+true.
+
+Additionally, the ->bytesused doesn't actually work for this purpose
+because we're not writing to "buf->mem + buf->bytesused".  Instead, the
+math to calculate the destination where we are writing is a bit
+involved.  You calculate the number of full lines already written,
+multiply by two, skip a line if necessary so that we start on an odd
+numbered line, and add the offset into the line.
+
+To fix this buffer overflow, just take the actual destination where we
+are writing, if the offset is already out of bounds print an error and
+return.  Otherwise, write up to buf->length bytes.
+
+Fixes: 9cb2173e6ea8 ("[media] media: Add stk1160 new driver (easycap replacement)")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/stk1160/stk1160-video.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/media/usb/stk1160/stk1160-video.c b/drivers/media/usb/stk1160/stk1160-video.c
+index 4cf540d1b2501..2a5a90311e0cc 100644
+--- a/drivers/media/usb/stk1160/stk1160-video.c
++++ b/drivers/media/usb/stk1160/stk1160-video.c
+@@ -99,7 +99,7 @@ void stk1160_buffer_done(struct stk1160 *dev)
+ static inline
+ void stk1160_copy_video(struct stk1160 *dev, u8 *src, int len)
+ {
+-      int linesdone, lineoff, lencopy;
++      int linesdone, lineoff, lencopy, offset;
+       int bytesperline = dev->width * 2;
+       struct stk1160_buffer *buf = dev->isoc_ctl.buf;
+       u8 *dst = buf->mem;
+@@ -139,8 +139,13 @@ void stk1160_copy_video(struct stk1160 *dev, u8 *src, int len)
+        * Check if we have enough space left in the buffer.
+        * In that case, we force loop exit after copy.
+        */
+-      if (lencopy > buf->bytesused - buf->length) {
+-              lencopy = buf->bytesused - buf->length;
++      offset = dst - (u8 *)buf->mem;
++      if (offset > buf->length) {
++              dev_warn_ratelimited(dev->dev, "out of bounds offset\n");
++              return;
++      }
++      if (lencopy > buf->length - offset) {
++              lencopy = buf->length - offset;
+               remain = lencopy;
+       }
+@@ -182,8 +187,13 @@ void stk1160_copy_video(struct stk1160 *dev, u8 *src, int len)
+                * Check if we have enough space left in the buffer.
+                * In that case, we force loop exit after copy.
+                */
+-              if (lencopy > buf->bytesused - buf->length) {
+-                      lencopy = buf->bytesused - buf->length;
++              offset = dst - (u8 *)buf->mem;
++              if (offset > buf->length) {
++                      dev_warn_ratelimited(dev->dev, "offset out of bounds\n");
++                      return;
++              }
++              if (lencopy > buf->length - offset) {
++                      lencopy = buf->length - offset;
+                       remain = lencopy;
+               }
+-- 
+2.43.0
+
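Review bot: `offset` is declared `int` in `stk1160_copy_video()` but is compared against `buf->length`, which the commit message describes as unsigned, so `offset > buf->length` and `lencopy > buf->length - offset` are both evaluated after implicit conversion to unsigned. Declaring it `unsigned int offset` would make the arithmetic explicit and avoid a sign-compare warning. The check is also duplicated with two different messages, "out of bounds offset" and "offset out of bounds"; one string, or a small helper shared by both sites, keeps the log greppable. The early `return` at the second site leaves the function mid-loop, and whatever accounting follows the loop is outside the hunk, so confirm nothing there still needs to run.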
diff --git a/queue-5.4/net-fec-avoid-lock-evasion-when-reading-pps_enable.patch b/queue-5.4/net-fec-avoid-lock-evasion-when-reading-pps_enable.patch
new file mode 100644 (file)
index 0000000..d0253a8
--- /dev/null
@@ -0,0 +1,62 @@
+From 21b1d9b8845ae28ad121619a940156deff81105d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 May 2024 10:38:00 +0800
+Subject: net: fec: avoid lock evasion when reading pps_enable
+
+From: Wei Fang <wei.fang@nxp.com>
+
+[ Upstream commit 3b1c92f8e5371700fada307cc8fd2c51fa7bc8c1 ]
+
+The assignment of pps_enable is protected by tmreg_lock, but the read
+operation of pps_enable is not. So the Coverity tool reports a lock
+evasion warning which may cause data race to occur when running in a
+multithread environment. Although this issue is almost impossible to
+occur, we'd better fix it, at least it seems more logically reasonable,
+and it also prevents Coverity from continuing to issue warnings.
+
+Fixes: 278d24047891 ("net: fec: ptp: Enable PPS output based on ptp clock")
+Signed-off-by: Wei Fang <wei.fang@nxp.com>
+Link: https://lore.kernel.org/r/20240521023800.17102-1-wei.fang@nxp.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fec_ptp.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_ptp.c b/drivers/net/ethernet/freescale/fec_ptp.c
+index 6fd0c73b327e2..37b8ad29b5b30 100644
+--- a/drivers/net/ethernet/freescale/fec_ptp.c
++++ b/drivers/net/ethernet/freescale/fec_ptp.c
+@@ -108,14 +108,13 @@ static int fec_ptp_enable_pps(struct fec_enet_private *fep, uint enable)
+               return -EINVAL;
+       }
+-      if (fep->pps_enable == enable)
+-              return 0;
+-
+-      fep->pps_channel = DEFAULT_PPS_CHANNEL;
+-      fep->reload_period = PPS_OUPUT_RELOAD_PERIOD;
+-
+       spin_lock_irqsave(&fep->tmreg_lock, flags);
++      if (fep->pps_enable == enable) {
++              spin_unlock_irqrestore(&fep->tmreg_lock, flags);
++              return 0;
++      }
++
+       if (enable) {
+               /* clear capture or output compare interrupt status if have.
+                */
+@@ -446,6 +445,9 @@ static int fec_ptp_enable(struct ptp_clock_info *ptp,
+       int ret = 0;
+       if (rq->type == PTP_CLK_REQ_PPS) {
++              fep->pps_channel = DEFAULT_PPS_CHANNEL;
++              fep->reload_period = PPS_OUPUT_RELOAD_PERIOD;
++
+               ret = fec_ptp_enable_pps(fep, on);
+               return ret;
+-- 
+2.43.0
+
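Review bot: The writes to `fep->pps_channel` and `fep->reload_period` that moved into `fec_ptp_enable()` are still made without `tmreg_lock`, and they now also run when `fec_ptp_enable_pps()` returns early because the state is unchanged. If those fields are read under `tmreg_lock` elsewhere (not visible in the hunk), this is the same unlocked-access pattern the change removes for `pps_enable`. Keeping `fep->pps_channel = DEFAULT_PPS_CHANNEL;` and `fep->reload_period = PPS_OUPUT_RELOAD_PERIOD;` in `fec_ptp_enable_pps()`, after the new equality check and inside the locked region, would cover both. Both function bodies continue outside the hunk.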
diff --git a/queue-5.4/nfc-nci-fix-handling-of-zero-length-payload-packets-.patch b/queue-5.4/nfc-nci-fix-handling-of-zero-length-payload-packets-.patch
new file mode 100644 (file)
index 0000000..9b43437
--- /dev/null
@@ -0,0 +1,42 @@
+From 479a9c4172f38764f0c7338a7f7635a50b123008 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 May 2024 00:34:42 +0900
+Subject: nfc: nci: Fix handling of zero-length payload packets in
+ nci_rx_work()
+
+From: Ryosuke Yasuoka <ryasuoka@redhat.com>
+
+[ Upstream commit 6671e352497ca4bb07a96c48e03907065ff77d8a ]
+
+When nci_rx_work() receives a zero-length payload packet, it should not
+discard the packet and exit the loop. Instead, it should continue
+processing subsequent packets.
+
+Fixes: d24b03535e5e ("nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet")
+Signed-off-by: Ryosuke Yasuoka <ryasuoka@redhat.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20240521153444.535399-1-ryasuoka@redhat.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/nci/core.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
+index ebf1b511d8e3b..58ac4c80495ef 100644
+--- a/net/nfc/nci/core.c
++++ b/net/nfc/nci/core.c
+@@ -1514,8 +1514,7 @@ static void nci_rx_work(struct work_struct *work)
+               if (!nci_valid_size(skb)) {
+                       kfree_skb(skb);
+-                      kcov_remote_stop();
+-                      break;
++                      continue;
+               }
+               /* Process frame */
+-- 
+2.43.0
+
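Review bot: A frame with a zero-length payload is still freed on this path, because `nci_valid_size()`, as added by nfc-nci-fix-uninit-value-in-nci_rx_work.patch in this same queue, returns false when `nci_plen(skb->data)` is 0; only the loop exit changes from `break` to `continue`. The subject line reads as if such frames were now handled, so a comment above the check, `/* drop malformed or empty frames, keep draining rx_q */`, would stop a reader from assuming they reach the packet handlers. The `continue` also drops the explicit `kcov_remote_stop()` and relies on the loop header to make that call; the loop header in nci_rx_work is outside the hunk, so this should be confirmed for this tree.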
diff --git a/queue-5.4/nfc-nci-fix-kcov-check-in-nci_rx_work.patch b/queue-5.4/nfc-nci-fix-kcov-check-in-nci_rx_work.patch
new file mode 100644 (file)
index 0000000..94538be
--- /dev/null
@@ -0,0 +1,45 @@
+From a52538596b0b5b9aba344e2465cc28a5d495c84b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 5 May 2024 19:36:49 +0900
+Subject: nfc: nci: Fix kcov check in nci_rx_work()
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit 19e35f24750ddf860c51e51c68cf07ea181b4881 ]
+
+Commit 7e8cdc97148c ("nfc: Add KCOV annotations") added
+kcov_remote_start_common()/kcov_remote_stop() pair into nci_rx_work(),
+with an assumption that kcov_remote_stop() is called upon continue of
+the for loop. But commit d24b03535e5e ("nfc: nci: Fix uninit-value in
+nci_dev_up and nci_ntf_packet") forgot to call kcov_remote_stop() before
+break of the for loop.
+
+Reported-by: syzbot <syzbot+0438378d6f157baae1a2@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=0438378d6f157baae1a2
+Fixes: d24b03535e5e ("nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet")
+Suggested-by: Andrey Konovalov <andreyknvl@gmail.com>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/6d10f829-5a0c-405a-b39a-d7266f3a1a0b@I-love.SAKURA.ne.jp
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 6671e352497c ("nfc: nci: Fix handling of zero-length payload packets in nci_rx_work()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/nci/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
+index 61b12281ec47c..ebf1b511d8e3b 100644
+--- a/net/nfc/nci/core.c
++++ b/net/nfc/nci/core.c
+@@ -1514,6 +1514,7 @@ static void nci_rx_work(struct work_struct *work)
+               if (!nci_valid_size(skb)) {
+                       kfree_skb(skb);
++                      kcov_remote_stop();
+                       break;
+               }
+-- 
+2.43.0
+
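Review bot: The added `kcov_remote_stop()` has no visible counterpart in this hunk, and the commit text attributes the kcov_remote_start_common()/kcov_remote_stop() pair to 7e8cdc97148c while the only Fixes: tag names d24b03535e5e. For the 5.4 queue it should be confirmed that 7e8cdc97148c and the remote-KCOV helpers exist in the tree, since otherwise the call is unbalanced or fails to build. The rest of the loop in nci_rx_work lies outside the hunk.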
diff --git a/queue-5.4/nfc-nci-fix-uninit-value-in-nci_rx_work.patch b/queue-5.4/nfc-nci-fix-uninit-value-in-nci_rx_work.patch
new file mode 100644 (file)
index 0000000..9264a41
--- /dev/null
@@ -0,0 +1,63 @@
+From 8346101962fd5877a55950d4cc0b3769e16cc1b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 May 2024 18:43:03 +0900
+Subject: nfc: nci: Fix uninit-value in nci_rx_work
+
+From: Ryosuke Yasuoka <ryasuoka@redhat.com>
+
+[ Upstream commit e4a87abf588536d1cdfb128595e6e680af5cf3ed ]
+
+syzbot reported the following uninit-value access issue [1]
+
+nci_rx_work() parses received packet from ndev->rx_q. It should be
+validated header size, payload size and total packet size before
+processing the packet. If an invalid packet is detected, it should be
+silently discarded.
+
+Fixes: d24b03535e5e ("nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet")
+Reported-and-tested-by: syzbot+d7b4dc6cd50410152534@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=d7b4dc6cd50410152534 [1]
+Signed-off-by: Ryosuke Yasuoka <ryasuoka@redhat.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/nfc/nci/core.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
+index 701c3752bda09..61b12281ec47c 100644
+--- a/net/nfc/nci/core.c
++++ b/net/nfc/nci/core.c
+@@ -1449,6 +1449,19 @@ int nci_core_ntf_packet(struct nci_dev *ndev, __u16 opcode,
+                                ndev->ops->n_core_ops);
+ }
++static bool nci_valid_size(struct sk_buff *skb)
++{
++      BUILD_BUG_ON(NCI_CTRL_HDR_SIZE != NCI_DATA_HDR_SIZE);
++      unsigned int hdr_size = NCI_CTRL_HDR_SIZE;
++
++      if (skb->len < hdr_size ||
++          !nci_plen(skb->data) ||
++          skb->len < hdr_size + nci_plen(skb->data)) {
++              return false;
++      }
++      return true;
++}
++
+ /* ---- NCI TX Data worker thread ---- */
+ static void nci_tx_work(struct work_struct *work)
+@@ -1499,7 +1512,7 @@ static void nci_rx_work(struct work_struct *work)
+               nfc_send_to_raw_sock(ndev->nfc_dev, skb,
+                                    RAW_PAYLOAD_NCI, NFC_DIRECTION_RX);
+-              if (!nci_plen(skb->data)) {
++              if (!nci_valid_size(skb)) {
+                       kfree_skb(skb);
+                       break;
+               }
+-- 
+2.43.0
+
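Review bot: In `nci_valid_size()` the `BUILD_BUG_ON()` statement precedes the declaration of `hdr_size`, which a tree built with -Wdeclaration-after-statement (as kernels of this age usually are) reports as a warning. Declaring first avoids it: `unsigned int hdr_size = NCI_CTRL_HDR_SIZE;` followed by `BUILD_BUG_ON(NCI_CTRL_HDR_SIZE != NCI_DATA_HDR_SIZE);`. The order of the three tests matters, since `skb->len < hdr_size` must be evaluated before `nci_plen(skb->data)` reads the header, and a one-line comment saying so (`/* length check first: nci_plen() reads the header bytes */`) would protect it from reordering. The helper does not modify the buffer, so the parameter could be `const struct sk_buff *skb`.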
diff --git a/queue-5.4/null_blk-fix-the-warning-modpost-missing-module_desc.patch b/queue-5.4/null_blk-fix-the-warning-modpost-missing-module_desc.patch
new file mode 100644 (file)
index 0000000..76232d9
--- /dev/null
@@ -0,0 +1,34 @@
+From 3c5f6ee6b81bd34304abb6403464cdce5ab7f6c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 May 2024 09:55:38 +0200
+Subject: null_blk: Fix the WARNING: modpost: missing MODULE_DESCRIPTION()
+
+From: Zhu Yanjun <yanjun.zhu@linux.dev>
+
+[ Upstream commit 9e6727f824edcdb8fdd3e6e8a0862eb49546e1cd ]
+
+No functional changes intended.
+
+Fixes: f2298c0403b0 ("null_blk: multi queue aware block test driver")
+Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Link: https://lore.kernel.org/r/20240506075538.6064-1-yanjun.zhu@linux.dev
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/null_blk_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/block/null_blk_main.c b/drivers/block/null_blk_main.c
+index b6210bf0724d5..218658df77ae5 100644
+--- a/drivers/block/null_blk_main.c
++++ b/drivers/block/null_blk_main.c
+@@ -1876,4 +1876,5 @@ module_init(null_init);
+ module_exit(null_exit);
+ MODULE_AUTHOR("Jens Axboe <axboe@kernel.dk>");
++MODULE_DESCRIPTION("multi queue aware block test driver");
+ MODULE_LICENSE("GPL");
+-- 
+2.43.0
+
diff --git a/queue-5.4/openvswitch-set-the-skbuff-pkt_type-for-proper-pmtud.patch b/queue-5.4/openvswitch-set-the-skbuff-pkt_type-for-proper-pmtud.patch
new file mode 100644 (file)
index 0000000..995cd3b
--- /dev/null
@@ -0,0 +1,101 @@
+From 9624528578e70ebc4a73d128565e7e88cc8718eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 May 2024 16:09:41 -0400
+Subject: openvswitch: Set the skbuff pkt_type for proper pmtud support.
+
+From: Aaron Conole <aconole@redhat.com>
+
+[ Upstream commit 30a92c9e3d6b073932762bef2ac66f4ee784c657 ]
+
+Open vSwitch is originally intended to switch at layer 2, only dealing with
+Ethernet frames.  With the introduction of l3 tunnels support, it crossed
+into the realm of needing to care a bit about some routing details when
+making forwarding decisions.  If an oversized packet would need to be
+fragmented during this forwarding decision, there is a chance for pmtu
+to get involved and generate a routing exception.  This is gated by the
+skbuff->pkt_type field.
+
+When a flow is already loaded into the openvswitch module this field is
+set up and transitioned properly as a packet moves from one port to
+another.  In the case that a packet execute is invoked after a flow is
+newly installed this field is not properly initialized.  This causes the
+pmtud mechanism to omit sending the required exception messages across
+the tunnel boundary and a second attempt needs to be made to make sure
+that the routing exception is properly setup.  To fix this, we set the
+outgoing packet's pkt_type to PACKET_OUTGOING, since it can only get
+to the openvswitch module via a port device or packet command.
+
+Even for bridge ports as users, the pkt_type needs to be reset when
+doing the transmit as the packet is truly outgoing and routing needs
+to get involved post packet transformations, in the case of
+VXLAN/GENEVE/udp-tunnel packets.  In general, the pkt_type on output
+gets ignored, since we go straight to the driver, but in the case of
+tunnel ports they go through IP routing layer.
+
+This issue is periodically encountered in complex setups, such as large
+openshift deployments, where multiple sets of tunnel traversal occurs.
+A way to recreate this is with the ovn-heater project that can setup
+a networking environment which mimics such large deployments.  We need
+larger environments for this because we need to ensure that flow
+misses occur.  In these environment, without this patch, we can see:
+
+  ./ovn_cluster.sh start
+  podman exec ovn-chassis-1 ip r a 170.168.0.5/32 dev eth1 mtu 1200
+  podman exec ovn-chassis-1 ip netns exec sw01p1 ip r flush cache
+  podman exec ovn-chassis-1 ip netns exec sw01p1 \
+         ping 21.0.0.3 -M do -s 1300 -c2
+  PING 21.0.0.3 (21.0.0.3) 1300(1328) bytes of data.
+  From 21.0.0.3 icmp_seq=2 Frag needed and DF set (mtu = 1142)
+
+  --- 21.0.0.3 ping statistics ---
+  ...
+
+Using tcpdump, we can also see the expected ICMP FRAG_NEEDED message is not
+sent into the server.
+
+With this patch, setting the pkt_type, we see the following:
+
+  podman exec ovn-chassis-1 ip netns exec sw01p1 \
+         ping 21.0.0.3 -M do -s 1300 -c2
+  PING 21.0.0.3 (21.0.0.3) 1300(1328) bytes of data.
+  From 21.0.0.3 icmp_seq=1 Frag needed and DF set (mtu = 1222)
+  ping: local error: message too long, mtu=1222
+
+  --- 21.0.0.3 ping statistics ---
+  ...
+
+In this case, the first ping request receives the FRAG_NEEDED message and
+a local routing exception is created.
+
+Tested-by: Jaime Caamano <jcaamano@redhat.com>
+Reported-at: https://issues.redhat.com/browse/FDP-164
+Fixes: 58264848a5a7 ("openvswitch: Add vxlan tunneling support.")
+Signed-off-by: Aaron Conole <aconole@redhat.com>
+Acked-by: Eelco Chaudron <echaudro@redhat.com>
+Link: https://lore.kernel.org/r/20240516200941.16152-1-aconole@redhat.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/actions.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
+index 9e8a5c4862d04..7cef078304c3d 100644
+--- a/net/openvswitch/actions.c
++++ b/net/openvswitch/actions.c
+@@ -931,6 +931,12 @@ static void do_output(struct datapath *dp, struct sk_buff *skb, int out_port,
+                               pskb_trim(skb, ovs_mac_header_len(key));
+               }
++              /* Need to set the pkt_type to involve the routing layer.  The
++               * packet movement through the OVS datapath doesn't generally
++               * use routing, but this is needed for tunnel cases.
++               */
++              skb->pkt_type = PACKET_OUTGOING;
++
+               if (likely(!mru ||
+                          (skb->len <= mru + vport->dev->hard_header_len))) {
+                       ovs_vport_send(vport, skb, ovs_key_mac_proto(key));
+-- 
+2.43.0
+
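Review bot: The new comment in do_output() justifies `skb->pkt_type = PACKET_OUTGOING;` only for tunnel ports, yet the assignment runs for every vport and overwrites whatever type the packet arrived with. The commit message gives the missing half of the reasoning (non-tunnel output goes straight to the driver, where the field is ignored), and that belongs in the code comment, for example `* Set unconditionally: non-tunnel vports hand the skb to the driver, which ignores pkt_type.` If any consumer after ovs_vport_send() does read the original pkt_type, this overwrite would change what it sees, so that is worth a check. do_output() starts and ends outside the hunk.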
diff --git a/queue-5.4/params-lift-param_set_uint_minmax-to-common-code.patch b/queue-5.4/params-lift-param_set_uint_minmax-to-common-code.patch
new file mode 100644 (file)
index 0000000..7c9e37f
--- /dev/null
@@ -0,0 +1,99 @@
+From 96f29f134760042c04d07e3ed92a6b9d4dc6aaf6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Jun 2021 14:19:33 -0700
+Subject: params: lift param_set_uint_minmax to common code
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+[ Upstream commit 2a14c9ae15a38148484a128b84bff7e9ffd90d68 ]
+
+It is a useful helper hence move it to common code so others can enjoy
+it.
+
+Suggested-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Stable-dep-of: 3ebc46ca8675 ("tcp: Fix shift-out-of-bounds in dctcp_update_alpha().")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/moduleparam.h |  2 ++
+ kernel/params.c             | 18 ++++++++++++++++++
+ net/sunrpc/xprtsock.c       | 18 ------------------
+ 3 files changed, 20 insertions(+), 18 deletions(-)
+
+diff --git a/include/linux/moduleparam.h b/include/linux/moduleparam.h
+index 5ba250d9172ac..4d5a851cafe8b 100644
+--- a/include/linux/moduleparam.h
++++ b/include/linux/moduleparam.h
+@@ -359,6 +359,8 @@ extern int param_get_int(char *buffer, const struct kernel_param *kp);
+ extern const struct kernel_param_ops param_ops_uint;
+ extern int param_set_uint(const char *val, const struct kernel_param *kp);
+ extern int param_get_uint(char *buffer, const struct kernel_param *kp);
++int param_set_uint_minmax(const char *val, const struct kernel_param *kp,
++              unsigned int min, unsigned int max);
+ #define param_check_uint(name, p) __param_check(name, p, unsigned int)
+ extern const struct kernel_param_ops param_ops_long;
+diff --git a/kernel/params.c b/kernel/params.c
+index 8e56f8b12d8f7..b638476d12de1 100644
+--- a/kernel/params.c
++++ b/kernel/params.c
+@@ -242,6 +242,24 @@ STANDARD_PARAM_DEF(long,  long,                   "%li",  kstrtol);
+ STANDARD_PARAM_DEF(ulong,     unsigned long,          "%lu",  kstrtoul);
+ STANDARD_PARAM_DEF(ullong,    unsigned long long,     "%llu", kstrtoull);
++int param_set_uint_minmax(const char *val, const struct kernel_param *kp,
++              unsigned int min, unsigned int max)
++{
++      unsigned int num;
++      int ret;
++
++      if (!val)
++              return -EINVAL;
++      ret = kstrtouint(val, 0, &num);
++      if (ret)
++              return ret;
++      if (num < min || num > max)
++              return -EINVAL;
++      *((unsigned int *)kp->arg) = num;
++      return 0;
++}
++EXPORT_SYMBOL_GPL(param_set_uint_minmax);
++
+ int param_set_charp(const char *val, const struct kernel_param *kp)
+ {
+       if (strlen(val) > 1024) {
+diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
+index 3095442b03822..39d0a3c434829 100644
+--- a/net/sunrpc/xprtsock.c
++++ b/net/sunrpc/xprtsock.c
+@@ -3302,24 +3302,6 @@ void cleanup_socket_xprt(void)
+       xprt_unregister_transport(&xs_bc_tcp_transport);
+ }
+-static int param_set_uint_minmax(const char *val,
+-              const struct kernel_param *kp,
+-              unsigned int min, unsigned int max)
+-{
+-      unsigned int num;
+-      int ret;
+-
+-      if (!val)
+-              return -EINVAL;
+-      ret = kstrtouint(val, 0, &num);
+-      if (ret)
+-              return ret;
+-      if (num < min || num > max)
+-              return -EINVAL;
+-      *((unsigned int *)kp->arg) = num;
+-      return 0;
+-}
+-
+ static int param_set_portnr(const char *val, const struct kernel_param *kp)
+ {
+       return param_set_uint_minmax(val, kp,
+-- 
+2.43.0
+
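Review bot: `param_set_uint_minmax()` becomes an exported helper in the kernel/params.c hunk without any kernel-doc, and its contract is not obvious from the prototype. A `/** ... */` block should state that `val` is parsed by `kstrtouint()` with base 0 (so `0x` and leading-zero octal forms are accepted), that `min` and `max` are inclusive, that `-EINVAL` is returned for NULL or out-of-range input, and that `*kp->arg` is left untouched on failure. The new prototype in moduleparam.h also omits the `extern` its neighbours carry; `extern int param_set_uint_minmax(...)` would match the surrounding declarations.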
diff --git a/queue-5.4/powerpc-pseries-add-failure-related-checks-for-h_get.patch b/queue-5.4/powerpc-pseries-add-failure-related-checks-for-h_get.patch
new file mode 100644 (file)
index 0000000..7ceb74b
--- /dev/null
@@ -0,0 +1,86 @@
+From 0489a0ad073cdd9949a16571919d07dae1df4802 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Apr 2024 14:50:47 +0530
+Subject: powerpc/pseries: Add failure related checks for h_get_mpp and
+ h_get_ppp
+
+From: Shrikanth Hegde <sshegde@linux.ibm.com>
+
+[ Upstream commit 6d4341638516bf97b9a34947e0bd95035a8230a5 ]
+
+Couple of Minor fixes:
+
+- hcall return values are long. Fix that for h_get_mpp, h_get_ppp and
+parse_ppp_data
+
+- If hcall fails, values set should be at-least zero. It shouldn't be
+uninitialized values. Fix that for h_get_mpp and h_get_ppp
+
+Signed-off-by: Shrikanth Hegde <sshegde@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20240412092047.455483-3-sshegde@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/hvcall.h        | 2 +-
+ arch/powerpc/platforms/pseries/lpar.c    | 6 +++---
+ arch/powerpc/platforms/pseries/lparcfg.c | 6 +++---
+ 3 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/hvcall.h b/arch/powerpc/include/asm/hvcall.h
+index 11112023e327d..0826c4ed83770 100644
+--- a/arch/powerpc/include/asm/hvcall.h
++++ b/arch/powerpc/include/asm/hvcall.h
+@@ -444,7 +444,7 @@ struct hvcall_mpp_data {
+       unsigned long backing_mem;
+ };
+-int h_get_mpp(struct hvcall_mpp_data *);
++long h_get_mpp(struct hvcall_mpp_data *mpp_data);
+ struct hvcall_mpp_x_data {
+       unsigned long coalesced_bytes;
+diff --git a/arch/powerpc/platforms/pseries/lpar.c b/arch/powerpc/platforms/pseries/lpar.c
+index 52e466d4a33ca..d5700ef27e36c 100644
+--- a/arch/powerpc/platforms/pseries/lpar.c
++++ b/arch/powerpc/platforms/pseries/lpar.c
+@@ -1871,10 +1871,10 @@ void __trace_hcall_exit(long opcode, long retval, unsigned long *retbuf)
+  * h_get_mpp
+  * H_GET_MPP hcall returns info in 7 parms
+  */
+-int h_get_mpp(struct hvcall_mpp_data *mpp_data)
++long h_get_mpp(struct hvcall_mpp_data *mpp_data)
+ {
+-      int rc;
+-      unsigned long retbuf[PLPAR_HCALL9_BUFSIZE];
++      unsigned long retbuf[PLPAR_HCALL9_BUFSIZE] = {0};
++      long rc;
+       rc = plpar_hcall9(H_GET_MPP, retbuf);
+diff --git a/arch/powerpc/platforms/pseries/lparcfg.c b/arch/powerpc/platforms/pseries/lparcfg.c
+index e12cf62357f29..676a60927dad9 100644
+--- a/arch/powerpc/platforms/pseries/lparcfg.c
++++ b/arch/powerpc/platforms/pseries/lparcfg.c
+@@ -112,8 +112,8 @@ struct hvcall_ppp_data {
+  */
+ static unsigned int h_get_ppp(struct hvcall_ppp_data *ppp_data)
+ {
+-      unsigned long rc;
+-      unsigned long retbuf[PLPAR_HCALL9_BUFSIZE];
++      unsigned long retbuf[PLPAR_HCALL9_BUFSIZE] = {0};
++      long rc;
+       rc = plpar_hcall9(H_GET_PPP, retbuf);
+@@ -159,7 +159,7 @@ static void parse_ppp_data(struct seq_file *m)
+       struct hvcall_ppp_data ppp_data;
+       struct device_node *root;
+       const __be32 *perf_level;
+-      int rc;
++      long rc;
+       rc = h_get_ppp(&ppp_data);
+       if (rc)
+-- 
+2.43.0
+
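Review bot: `h_get_ppp()` in lparcfg.c still returns `unsigned int` although `rc` inside it and in `parse_ppp_data()` is now `long`, so a negative hcall status would be truncated and reach the caller as a large positive value (assuming the function returns `rc`, which the hunk does not show). `if (rc)` still detects the failure, but any later sign test or printed error code would be wrong. Changing the signature to `static long h_get_ppp(struct hvcall_ppp_data *ppp_data)` finishes what the commit message describes. Both function bodies continue outside their hunks.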
diff --git a/queue-5.4/scsi-qla2xxx-replace-all-non-returning-strlcpy-with-.patch b/queue-5.4/scsi-qla2xxx-replace-all-non-returning-strlcpy-with-.patch
new file mode 100644 (file)
index 0000000..2fc2b3f
--- /dev/null
@@ -0,0 +1,117 @@
+From 436205c00c978a7e65afebbf78503bd74f87df26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 May 2023 02:54:04 +0000
+Subject: scsi: qla2xxx: Replace all non-returning strlcpy() with strscpy()
+
+From: Azeem Shaikh <azeemshaikh38@gmail.com>
+
+[ Upstream commit 37f1663c91934f664fb850306708094a324c227c ]
+
+strlcpy() reads the entire source buffer first.  This read may exceed the
+destination size limit.  This is both inefficient and can lead to linear
+read overflows if a source string is not NUL-terminated [1].  In an effort
+to remove strlcpy() completely [2], replace strlcpy() here with strscpy().
+No return values were used, so direct replacement is safe.
+
+[1] https://www.kernel.org/doc/html/latest/process/deprecated.html#strlcpy
+[2] https://github.com/KSPP/linux/issues/89
+
+Signed-off-by: Azeem Shaikh <azeemshaikh38@gmail.com>
+Link: https://lore.kernel.org/r/20230516025404.2843867-1-azeemshaikh38@gmail.com
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Stable-dep-of: c3408c4ae041 ("scsi: qla2xxx: Avoid possible run-time warning with long model_num")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_init.c |  8 ++++----
+ drivers/scsi/qla2xxx/qla_mr.c   | 20 ++++++++++----------
+ 2 files changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
+index 8a0ac87f70a9d..11ee2c7487b2a 100644
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -4479,7 +4479,7 @@ qla2x00_set_model_info(scsi_qla_host_t *vha, uint8_t *model, size_t len,
+               if (use_tbl &&
+                   ha->pdev->subsystem_vendor == PCI_VENDOR_ID_QLOGIC &&
+                   index < QLA_MODEL_NAMES)
+-                      strlcpy(ha->model_desc,
++                      strscpy(ha->model_desc,
+                           qla2x00_model_name[index * 2 + 1],
+                           sizeof(ha->model_desc));
+       } else {
+@@ -4487,14 +4487,14 @@ qla2x00_set_model_info(scsi_qla_host_t *vha, uint8_t *model, size_t len,
+               if (use_tbl &&
+                   ha->pdev->subsystem_vendor == PCI_VENDOR_ID_QLOGIC &&
+                   index < QLA_MODEL_NAMES) {
+-                      strlcpy(ha->model_number,
++                      strscpy(ha->model_number,
+                               qla2x00_model_name[index * 2],
+                               sizeof(ha->model_number));
+-                      strlcpy(ha->model_desc,
++                      strscpy(ha->model_desc,
+                           qla2x00_model_name[index * 2 + 1],
+                           sizeof(ha->model_desc));
+               } else {
+-                      strlcpy(ha->model_number, def,
++                      strscpy(ha->model_number, def,
+                               sizeof(ha->model_number));
+               }
+       }
+diff --git a/drivers/scsi/qla2xxx/qla_mr.c b/drivers/scsi/qla2xxx/qla_mr.c
+index badd09c5dd429..6b44be4ce5bd4 100644
+--- a/drivers/scsi/qla2xxx/qla_mr.c
++++ b/drivers/scsi/qla2xxx/qla_mr.c
+@@ -693,7 +693,7 @@ qlafx00_pci_info_str(struct scsi_qla_host *vha, char *str, size_t str_len)
+       struct qla_hw_data *ha = vha->hw;
+       if (pci_is_pcie(ha->pdev))
+-              strlcpy(str, "PCIe iSA", str_len);
++              strscpy(str, "PCIe iSA", str_len);
+       return str;
+ }
+@@ -1854,21 +1854,21 @@ qlafx00_fx_disc(scsi_qla_host_t *vha, fc_port_t *fcport, uint16_t fx_type)
+                       phost_info = &preg_hsi->hsi;
+                       memset(preg_hsi, 0, sizeof(struct register_host_info));
+                       phost_info->os_type = OS_TYPE_LINUX;
+-                      strlcpy(phost_info->sysname, p_sysid->sysname,
++                      strscpy(phost_info->sysname, p_sysid->sysname,
+                               sizeof(phost_info->sysname));
+-                      strlcpy(phost_info->nodename, p_sysid->nodename,
++                      strscpy(phost_info->nodename, p_sysid->nodename,
+                               sizeof(phost_info->nodename));
+                       if (!strcmp(phost_info->nodename, "(none)"))
+                               ha->mr.host_info_resend = true;
+-                      strlcpy(phost_info->release, p_sysid->release,
++                      strscpy(phost_info->release, p_sysid->release,
+                               sizeof(phost_info->release));
+-                      strlcpy(phost_info->version, p_sysid->version,
++                      strscpy(phost_info->version, p_sysid->version,
+                               sizeof(phost_info->version));
+-                      strlcpy(phost_info->machine, p_sysid->machine,
++                      strscpy(phost_info->machine, p_sysid->machine,
+                               sizeof(phost_info->machine));
+-                      strlcpy(phost_info->domainname, p_sysid->domainname,
++                      strscpy(phost_info->domainname, p_sysid->domainname,
+                               sizeof(phost_info->domainname));
+-                      strlcpy(phost_info->hostdriver, QLA2XXX_VERSION,
++                      strscpy(phost_info->hostdriver, QLA2XXX_VERSION,
+                               sizeof(phost_info->hostdriver));
+                       preg_hsi->utc = (uint64_t)ktime_get_real_seconds();
+                       ql_dbg(ql_dbg_init, vha, 0x0149,
+@@ -1914,9 +1914,9 @@ qlafx00_fx_disc(scsi_qla_host_t *vha, fc_port_t *fcport, uint16_t fx_type)
+       if (fx_type == FXDISC_GET_CONFIG_INFO) {
+               struct config_info_data *pinfo =
+                   (struct config_info_data *) fdisc->u.fxiocb.rsp_addr;
+-              strlcpy(vha->hw->model_number, pinfo->model_num,
++              strscpy(vha->hw->model_number, pinfo->model_num,
+                       ARRAY_SIZE(vha->hw->model_number));
+-              strlcpy(vha->hw->model_desc, pinfo->model_description,
++              strscpy(vha->hw->model_desc, pinfo->model_description,
+                       ARRAY_SIZE(vha->hw->model_desc));
+               memcpy(&vha->hw->mr.symbolic_name, pinfo->symbolic_name,
+                   sizeof(vha->hw->mr.symbolic_name));
+-- 
+2.43.0
+
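Review bot: In the last hunk of qla_mr.c the two `strscpy()` calls copy from `pinfo->model_num` and `pinfo->model_description`, which point into the firmware response (`fdisc->u.fxiocb.rsp_addr`), but the bound is the destination's `ARRAY_SIZE`. strscpy() stops reading only at a NUL or at that bound, so if a source field is shorter than the destination and arrives without a terminator, the read runs on into the neighbouring bytes of the response. The field sizes are not visible here, so this needs checking against `struct config_info_data`. The Stable-dep-of trailer names c3408c4ae041 for the long model_num case, and it should be confirmed that that patch lands in the same release as this one. A comment above the two calls, `/* src is a fixed-size firmware field and may be unterminated */`, would record the constraint.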
index dedfec5bb5da7461a3c9bc62c65bbe45f516c696..d612a56d04c3fc8e2a21c3bcd3d15bf2fe6af33f 100644 (file)
@@ -122,3 +122,28 @@ f2fs-fix-to-release-node-block-count-in-error-path-o.patch
 serial-sh-sci-protect-invalidating-rxdma-on-shutdown.patch
 libsubcmd-fix-parse-options-memory-leak.patch
 perf-stat-don-t-display-metric-header-for-non-leader.patch
+input-ims-pcu-fix-printf-string-overflow.patch
+input-pm8xxx-vibrator-correct-vib_max_levels-calcula.patch
+drm-msm-dpu-always-flush-the-slave-intf-on-the-ctl.patch
+um-fix-return-value-in-ubd_init.patch
+um-add-winch-to-winch_handlers-before-registering-wi.patch
+media-stk1160-fix-bounds-checking-in-stk1160_copy_vi.patch
+scsi-qla2xxx-replace-all-non-returning-strlcpy-with-.patch
+powerpc-pseries-add-failure-related-checks-for-h_get.patch
+um-fix-the-wmissing-prototypes-warning-for-__switch_.patch
+media-cec-cec-adap-always-cancel-work-in-cec_transmi.patch
+media-cec-cec-api-add-locking-in-cec_release.patch
+null_blk-fix-the-warning-modpost-missing-module_desc.patch
+x86-kconfig-select-arch_want_frame_pointers-again-wh.patch
+nfc-nci-fix-uninit-value-in-nci_rx_work.patch
+sunrpc-fix-nfsacl-rpc-retry-on-soft-mount.patch
+ipv6-sr-fix-memleak-in-seg6_hmac_init_algo.patch
+params-lift-param_set_uint_minmax-to-common-code.patch
+tcp-fix-shift-out-of-bounds-in-dctcp_update_alpha.patch
+openvswitch-set-the-skbuff-pkt_type-for-proper-pmtud.patch
+arm64-asm-bug-add-.align-2-to-the-end-of-__bug_entry.patch
+virtio-delete-vq-in-vp_find_vqs_msix-when-request_ir.patch
+net-fec-avoid-lock-evasion-when-reading-pps_enable.patch
+tcp-remove-64-kbyte-limit-for-initial-tp-rcv_wnd-val.patch
+nfc-nci-fix-kcov-check-in-nci_rx_work.patch
+nfc-nci-fix-handling-of-zero-length-payload-packets-.patch
diff --git a/queue-5.4/sunrpc-fix-nfsacl-rpc-retry-on-soft-mount.patch b/queue-5.4/sunrpc-fix-nfsacl-rpc-retry-on-soft-mount.patch
new file mode 100644 (file)
index 0000000..ee8c1fb
--- /dev/null
@@ -0,0 +1,55 @@
+From 9e42b8b18d3303498abce01fcd9b4e29c46dc105 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 25 Apr 2024 13:49:38 +0300
+Subject: sunrpc: fix NFSACL RPC retry on soft mount
+
+From: Dan Aloni <dan.aloni@vastdata.com>
+
+[ Upstream commit 0dc9f430027b8bd9073fdafdfcdeb1a073ab5594 ]
+
+It used to be quite awhile ago since 1b63a75180c6 ('SUNRPC: Refactor
+rpc_clone_client()'), in 2012, that `cl_timeout` was copied in so that
+all mount parameters propagate to NFSACL clients. However since that
+change, if mount options as follows are given:
+
+    soft,timeo=50,retrans=16,vers=3
+
+The resultant NFSACL client receives:
+
+    cl_softrtry: 1
+    cl_timeout: to_initval=60000, to_maxval=60000, to_increment=0, to_retries=2, to_exponential=0
+
+These values lead to NFSACL operations not being retried under the
+condition of transient network outages with soft mount. Instead, getacl
+call fails after 60 seconds with EIO.
+
+The simple fix is to pass the existing client's `cl_timeout` as the new
+client timeout.
+
+Cc: Chuck Lever <chuck.lever@oracle.com>
+Cc: Benjamin Coddington <bcodding@redhat.com>
+Link: https://lore.kernel.org/all/20231105154857.ryakhmgaptq3hb6b@gmail.com/T/
+Fixes: 1b63a75180c6 ('SUNRPC: Refactor rpc_clone_client()')
+Signed-off-by: Dan Aloni <dan.aloni@vastdata.com>
+Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sunrpc/clnt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
+index c6fe108845e8b..dc3226edf22fb 100644
+--- a/net/sunrpc/clnt.c
++++ b/net/sunrpc/clnt.c
+@@ -964,6 +964,7 @@ struct rpc_clnt *rpc_bind_new_program(struct rpc_clnt *old,
+               .authflavor     = old->cl_auth->au_flavor,
+               .cred           = old->cl_cred,
+               .stats          = old->cl_stats,
++              .timeout        = old->cl_timeout,
+       };
+       struct rpc_clnt *clnt;
+       int err;
+-- 
+2.43.0
+
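Review bot: The new `.timeout = old->cl_timeout,` initializer in rpc_bind_new_program() carries no hint of why this one field is inherited; the reason is given only in the commit message. A trailing comment such as `/* inherit timeo/retrans so soft-mount retries apply to the new program */` would keep it from being dropped in a later cleanup. The value is a pointer taken from `old`, so it is also worth confirming that the client-creation path copies the timeout rather than keeping the pointer; that code is outside the hunk.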
diff --git a/queue-5.4/tcp-fix-shift-out-of-bounds-in-dctcp_update_alpha.patch b/queue-5.4/tcp-fix-shift-out-of-bounds-in-dctcp_update_alpha.patch
new file mode 100644 (file)
index 0000000..75bd589
--- /dev/null
@@ -0,0 +1,125 @@
+From 531ebbaf180be8a57647c0be0e9977491c972210 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 May 2024 18:16:26 +0900
+Subject: tcp: Fix shift-out-of-bounds in dctcp_update_alpha().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 3ebc46ca8675de6378e3f8f40768e180bb8afa66 ]
+
+In dctcp_update_alpha(), we use a module parameter dctcp_shift_g
+as follows:
+
+  alpha -= min_not_zero(alpha, alpha >> dctcp_shift_g);
+  ...
+  delivered_ce <<= (10 - dctcp_shift_g);
+
+It seems syzkaller started fuzzing module parameters and triggered
+shift-out-of-bounds [0] by setting 100 to dctcp_shift_g:
+
+  memcpy((void*)0x20000080,
+         "/sys/module/tcp_dctcp/parameters/dctcp_shift_g\000", 47);
+  res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x20000080ul,
+                /*flags=*/2ul, /*mode=*/0ul);
+  memcpy((void*)0x20000000, "100\000", 4);
+  syscall(__NR_write, /*fd=*/r[0], /*val=*/0x20000000ul, /*len=*/4ul);
+
+Let's limit the max value of dctcp_shift_g by param_set_uint_minmax().
+
+With this patch:
+
+  # echo 10 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g
+  # cat /sys/module/tcp_dctcp/parameters/dctcp_shift_g
+  10
+  # echo 11 > /sys/module/tcp_dctcp/parameters/dctcp_shift_g
+  -bash: echo: write error: Invalid argument
+
+[0]:
+UBSAN: shift-out-of-bounds in net/ipv4/tcp_dctcp.c:143:12
+shift exponent 100 is too large for 32-bit type 'u32' (aka 'unsigned int')
+CPU: 0 PID: 8083 Comm: syz-executor345 Not tainted 6.9.0-05151-g1b294a1f3561 #2
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+1.13.0-1ubuntu1.1 04/01/2014
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x201/0x300 lib/dump_stack.c:114
+ ubsan_epilogue lib/ubsan.c:231 [inline]
+ __ubsan_handle_shift_out_of_bounds+0x346/0x3a0 lib/ubsan.c:468
+ dctcp_update_alpha+0x540/0x570 net/ipv4/tcp_dctcp.c:143
+ tcp_in_ack_event net/ipv4/tcp_input.c:3802 [inline]
+ tcp_ack+0x17b1/0x3bc0 net/ipv4/tcp_input.c:3948
+ tcp_rcv_state_process+0x57a/0x2290 net/ipv4/tcp_input.c:6711
+ tcp_v4_do_rcv+0x764/0xc40 net/ipv4/tcp_ipv4.c:1937
+ sk_backlog_rcv include/net/sock.h:1106 [inline]
+ __release_sock+0x20f/0x350 net/core/sock.c:2983
+ release_sock+0x61/0x1f0 net/core/sock.c:3549
+ mptcp_subflow_shutdown+0x3d0/0x620 net/mptcp/protocol.c:2907
+ mptcp_check_send_data_fin+0x225/0x410 net/mptcp/protocol.c:2976
+ __mptcp_close+0x238/0xad0 net/mptcp/protocol.c:3072
+ mptcp_close+0x2a/0x1a0 net/mptcp/protocol.c:3127
+ inet_release+0x190/0x1f0 net/ipv4/af_inet.c:437
+ __sock_release net/socket.c:659 [inline]
+ sock_close+0xc0/0x240 net/socket.c:1421
+ __fput+0x41b/0x890 fs/file_table.c:422
+ task_work_run+0x23b/0x300 kernel/task_work.c:180
+ exit_task_work include/linux/task_work.h:38 [inline]
+ do_exit+0x9c8/0x2540 kernel/exit.c:878
+ do_group_exit+0x201/0x2b0 kernel/exit.c:1027
+ __do_sys_exit_group kernel/exit.c:1038 [inline]
+ __se_sys_exit_group kernel/exit.c:1036 [inline]
+ __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1036
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xe4/0x240 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x67/0x6f
+RIP: 0033:0x7f6c2b5005b6
+Code: Unable to access opcode bytes at 0x7f6c2b50058c.
+RSP: 002b:00007ffe883eb948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
+RAX: ffffffffffffffda RBX: 00007f6c2b5862f0 RCX: 00007f6c2b5005b6
+RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
+RBP: 0000000000000001 R08: 00000000000000e7 R09: ffffffffffffffc0
+R10: 0000000000000006 R11: 0000000000000246 R12: 00007f6c2b5862f0
+R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
+ </TASK>
+
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Reported-by: Yue Sun <samsun1006219@gmail.com>
+Reported-by: xingwei lee <xrivendell7@gmail.com>
+Closes: https://lore.kernel.org/netdev/CAEkJfYNJM=cw-8x7_Vmj1J6uYVCWMbbvD=EFmDPVBGpTsqOxEA@mail.gmail.com/
+Fixes: e3118e8359bb ("net: tcp: add DCTCP congestion control algorithm")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20240517091626.32772-1-kuniyu@amazon.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_dctcp.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_dctcp.c b/net/ipv4/tcp_dctcp.c
+index 79f705450c162..be2c97e907ae2 100644
+--- a/net/ipv4/tcp_dctcp.c
++++ b/net/ipv4/tcp_dctcp.c
+@@ -55,7 +55,18 @@ struct dctcp {
+ };
+ static unsigned int dctcp_shift_g __read_mostly = 4; /* g = 1/2^4 */
+-module_param(dctcp_shift_g, uint, 0644);
++
++static int dctcp_shift_g_set(const char *val, const struct kernel_param *kp)
++{
++      return param_set_uint_minmax(val, kp, 0, 10);
++}
++
++static const struct kernel_param_ops dctcp_shift_g_ops = {
++      .set = dctcp_shift_g_set,
++      .get = param_get_uint,
++};
++
++module_param_cb(dctcp_shift_g, &dctcp_shift_g_ops, &dctcp_shift_g, 0644);
+ MODULE_PARM_DESC(dctcp_shift_g, "parameter g for updating dctcp_alpha");
+ static unsigned int dctcp_alpha_on_init __read_mostly = DCTCP_MAX_ALPHA;
+-- 
+2.43.0
+
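Review bot: The upper bound `10` passed to `param_set_uint_minmax()` in `dctcp_shift_g_set()` is a bare literal whose meaning is recorded only in the commit message. It is the largest value for which `10 - dctcp_shift_g` in `dctcp_update_alpha()` remains a valid shift count. I would note that next to the call, e.g. `/* max 10: dctcp_update_alpha() shifts by (10 - dctcp_shift_g) */`, so a later change to either side does not reopen the out-of-range shift. For the 5.4 queue this patch also needs `param_set_uint_minmax()` in common code. The queue carries a patch for that, but its position before this one in `series` is not visible here and should be confirmed.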
diff --git a/queue-5.4/tcp-remove-64-kbyte-limit-for-initial-tp-rcv_wnd-val.patch b/queue-5.4/tcp-remove-64-kbyte-limit-for-initial-tp-rcv_wnd-val.patch
new file mode 100644 (file)
index 0000000..c9056ef
--- /dev/null
@@ -0,0 +1,76 @@
+From 762d05acb3aca8988bd532e1b002382d28d6d6c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 May 2024 21:42:20 +0800
+Subject: tcp: remove 64 KByte limit for initial tp->rcv_wnd value
+
+From: Jason Xing <kernelxing@tencent.com>
+
+[ Upstream commit 378979e94e953c2070acb4f0e0c98d29260bd09d ]
+
+Recently, we had some servers upgraded to the latest kernel and noticed
+the indicator from the user side showed worse results than before. It is
+caused by the limitation of tp->rcv_wnd.
+
+In 2018 commit a337531b942b ("tcp: up initial rmem to 128KB and SYN rwin
+to around 64KB") limited the initial value of tp->rcv_wnd to 65535, most
+CDN teams would not benefit from this change because they cannot have a
+large window to receive a big packet, which will be slowed down especially
+in long RTT. Small rcv_wnd means slow transfer speed, to some extent. It's
+the side effect for the latency/time-sensitive users.
+
+To avoid future confusion, current change doesn't affect the initial
+receive window on the wire in a SYN or SYN+ACK packet which are set within
+65535 bytes according to RFC 7323 also due to the limit in
+__tcp_transmit_skb():
+
+    th->window      = htons(min(tp->rcv_wnd, 65535U));
+
+In one word, __tcp_transmit_skb() already ensures that constraint is
+respected, no matter how large tp->rcv_wnd is. The change doesn't violate
+RFC.
+
+Let me provide one example if with or without the patch:
+Before:
+client   --- SYN: rwindow=65535 ---> server
+client   <--- SYN+ACK: rwindow=65535 ----  server
+client   --- ACK: rwindow=65536 ---> server
+Note: for the last ACK, the calculation is 512 << 7.
+
+After:
+client   --- SYN: rwindow=65535 ---> server
+client   <--- SYN+ACK: rwindow=65535 ----  server
+client   --- ACK: rwindow=175232 ---> server
+Note: I use the following command to make it work:
+ip route change default via [ip] dev eth0 metric 100 initrwnd 120
+For the last ACK, the calculation is 1369 << 7.
+
+When we apply such a patch, having a large rcv_wnd if the user tweak this
+knob can help transfer data more rapidly and save some rtts.
+
+Fixes: a337531b942b ("tcp: up initial rmem to 128KB and SYN rwin to around 64KB")
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Link: https://lore.kernel.org/r/20240521134220.12510-1-kerneljasonxing@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_output.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 4f203cbbc99b5..7884b0619762f 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -231,7 +231,7 @@ void tcp_select_initial_window(const struct sock *sk, int __space, __u32 mss,
+       if (sock_net(sk)->ipv4.sysctl_tcp_workaround_signed_windows)
+               (*rcv_wnd) = min(space, MAX_TCP_WINDOW);
+       else
+-              (*rcv_wnd) = min_t(u32, space, U16_MAX);
++              (*rcv_wnd) = space;
+       if (init_rcv_wnd)
+               *rcv_wnd = min(*rcv_wnd, init_rcv_wnd * mss);
+-- 
+2.43.0
+
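Review bot: After the change to `(*rcv_wnd) = space;` nothing in this branch keeps `*rcv_wnd` within 16 bits, and the code has no comment saying where that limit is now enforced. The commit message relies on `__tcp_transmit_skb()` applying `min(tp->rcv_wnd, 65535U)` for SYN and SYN+ACK. A short comment here, such as `/* not clamped to U16_MAX: __tcp_transmit_skb() caps the on-wire window */`, would keep that dependency visible. tcp_select_initial_window() continues outside the hunk, so how the larger value interacts with the code that follows cannot be checked from these lines and should be verified against the 5.4 tree.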
diff --git a/queue-5.4/um-add-winch-to-winch_handlers-before-registering-wi.patch b/queue-5.4/um-add-winch-to-winch_handlers-before-registering-wi.patch
new file mode 100644 (file)
index 0000000..8a89682
--- /dev/null
@@ -0,0 +1,68 @@
+From 7050e92cd7871c4782ff025200263263ff2ed9b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Mar 2024 11:49:26 +0100
+Subject: um: Add winch to winch_handlers before registering winch IRQ
+
+From: Roberto Sassu <roberto.sassu@huawei.com>
+
+[ Upstream commit a0fbbd36c156b9f7b2276871d499c9943dfe5101 ]
+
+Registering a winch IRQ is racy, an interrupt may occur before the winch is
+added to the winch_handlers list.
+
+If that happens, register_winch_irq() adds to that list a winch that is
+scheduled to be (or has already been) freed, causing a panic later in
+winch_cleanup().
+
+Avoid the race by adding the winch to the winch_handlers list before
+registering the IRQ, and rolling back if um_request_irq() fails.
+
+Fixes: 42a359e31a0e ("uml: SIGIO support cleanup")
+Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
+Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/drivers/line.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/arch/um/drivers/line.c b/arch/um/drivers/line.c
+index 4f2a4ac8a82bb..d6a78c3548a55 100644
+--- a/arch/um/drivers/line.c
++++ b/arch/um/drivers/line.c
+@@ -673,24 +673,26 @@ void register_winch_irq(int fd, int tty_fd, int pid, struct tty_port *port,
+               goto cleanup;
+       }
+-      *winch = ((struct winch) { .list        = LIST_HEAD_INIT(winch->list),
+-                                 .fd          = fd,
++      *winch = ((struct winch) { .fd          = fd,
+                                  .tty_fd      = tty_fd,
+                                  .pid         = pid,
+                                  .port        = port,
+                                  .stack       = stack });
++      spin_lock(&winch_handler_lock);
++      list_add(&winch->list, &winch_handlers);
++      spin_unlock(&winch_handler_lock);
++
+       if (um_request_irq(WINCH_IRQ, fd, IRQ_READ, winch_interrupt,
+                          IRQF_SHARED, "winch", winch) < 0) {
+               printk(KERN_ERR "register_winch_irq - failed to register "
+                      "IRQ\n");
++              spin_lock(&winch_handler_lock);
++              list_del(&winch->list);
++              spin_unlock(&winch_handler_lock);
+               goto out_free;
+       }
+-      spin_lock(&winch_handler_lock);
+-      list_add(&winch->list, &winch_handlers);
+-      spin_unlock(&winch_handler_lock);
+-
+       return;
+  out_free:
+-- 
+2.43.0
+
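Review bot: The new ordering in register_winch_irq(), with `list_add()` under `winch_handler_lock` before `um_request_irq()`, is the whole fix, yet nothing in the code says the order matters. A comment above the added `spin_lock()`, such as `/* must be on winch_handlers before the IRQ is requested: winch_interrupt() can run immediately */`, would stop a later cleanup from moving the block back. On the failure path the entry stays on the list until `list_del()` runs, so any other walker of `winch_handlers` must tolerate a winch whose IRQ was never registered. Those walkers and the body of the `out_free` label are outside this hunk, so that should be confirmed.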
diff --git a/queue-5.4/um-fix-return-value-in-ubd_init.patch b/queue-5.4/um-fix-return-value-in-ubd_init.patch
new file mode 100644 (file)
index 0000000..6b4f166
--- /dev/null
@@ -0,0 +1,46 @@
+From e41835942e5f5fceae48f91f978bbe6e3348b007 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Mar 2024 17:12:59 +0800
+Subject: um: Fix return value in ubd_init()
+
+From: Duoming Zhou <duoming@zju.edu.cn>
+
+[ Upstream commit 31a5990ed253a66712d7ddc29c92d297a991fdf2 ]
+
+When kmalloc_array() fails to allocate memory, the ubd_init()
+should return -ENOMEM instead of -1. So, fix it.
+
+Fixes: f88f0bdfc32f ("um: UBD Improvements")
+Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
+Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/drivers/ubd_kern.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/um/drivers/ubd_kern.c b/arch/um/drivers/ubd_kern.c
+index 4e59ab817d3e7..a4e531f0e3b96 100644
+--- a/arch/um/drivers/ubd_kern.c
++++ b/arch/um/drivers/ubd_kern.c
+@@ -1157,7 +1157,7 @@ static int __init ubd_init(void)
+       if (irq_req_buffer == NULL) {
+               printk(KERN_ERR "Failed to initialize ubd buffering\n");
+-              return -1;
++              return -ENOMEM;
+       }
+       io_req_buffer = kmalloc_array(UBD_REQ_BUFFER_SIZE,
+                                     sizeof(struct io_thread_req *),
+@@ -1168,7 +1168,7 @@ static int __init ubd_init(void)
+       if (io_req_buffer == NULL) {
+               printk(KERN_ERR "Failed to initialize ubd buffering\n");
+-              return -1;
++              return -ENOMEM;
+       }
+       platform_driver_register(&ubd_driver);
+       mutex_lock(&ubd_lock);
+-- 
+2.43.0
+
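Review bot: The second failure path (`io_req_buffer == NULL`) returns `-ENOMEM` without releasing `irq_req_buffer`, which the preceding NULL check implies was allocated successfully by then. Adding `kfree(irq_req_buffer);` and `irq_req_buffer = NULL;` before that `return -ENOMEM;` would release it. The return value of `platform_driver_register(&ubd_driver)` on the following context line is also ignored. ubd_init() starts and ends outside the hunk, so the allocation itself and any earlier registration that would need unwinding cannot be seen from here.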
diff --git a/queue-5.4/um-fix-the-wmissing-prototypes-warning-for-__switch_.patch b/queue-5.4/um-fix-the-wmissing-prototypes-warning-for-__switch_.patch
new file mode 100644 (file)
index 0000000..0c56ed0
--- /dev/null
@@ -0,0 +1,48 @@
+From 7a3a858ac56317ae827c74c0b7cd137715556a1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Apr 2024 20:58:53 +0800
+Subject: um: Fix the -Wmissing-prototypes warning for __switch_mm
+
+From: Tiwei Bie <tiwei.btw@antgroup.com>
+
+[ Upstream commit 2cbade17b18c0f0fd9963f26c9fc9b057eb1cb3a ]
+
+The __switch_mm function is defined in the user code, and is called
+by the kernel code. It should be declared in a shared header.
+
+Fixes: 4dc706c2f292 ("um: take um_mmu.h to asm/mmu.h, clean asm/mmu_context.h a bit")
+Signed-off-by: Tiwei Bie <tiwei.btw@antgroup.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/include/asm/mmu.h           | 2 --
+ arch/um/include/shared/skas/mm_id.h | 2 ++
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/um/include/asm/mmu.h b/arch/um/include/asm/mmu.h
+index 5b072aba5b658..a7cb380c0b5c0 100644
+--- a/arch/um/include/asm/mmu.h
++++ b/arch/um/include/asm/mmu.h
+@@ -15,8 +15,6 @@ typedef struct mm_context {
+       struct page *stub_pages[2];
+ } mm_context_t;
+-extern void __switch_mm(struct mm_id * mm_idp);
+-
+ /* Avoid tangled inclusion with asm/ldt.h */
+ extern long init_new_ldt(struct mm_context *to_mm, struct mm_context *from_mm);
+ extern void free_ldt(struct mm_context *mm);
+diff --git a/arch/um/include/shared/skas/mm_id.h b/arch/um/include/shared/skas/mm_id.h
+index 4337b4ced0954..9bd159649705a 100644
+--- a/arch/um/include/shared/skas/mm_id.h
++++ b/arch/um/include/shared/skas/mm_id.h
+@@ -14,4 +14,6 @@ struct mm_id {
+       unsigned long stack;
+ };
++void __switch_mm(struct mm_id *mm_idp);
++
+ #endif
+-- 
+2.43.0
+
diff --git a/queue-5.4/virtio-delete-vq-in-vp_find_vqs_msix-when-request_ir.patch b/queue-5.4/virtio-delete-vq-in-vp_find_vqs_msix-when-request_ir.patch
new file mode 100644 (file)
index 0000000..b7dcca9
--- /dev/null
@@ -0,0 +1,94 @@
+From 5307bcb9c3c75f2f342e0858cef0bd43b95a6b3b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Apr 2024 17:08:45 +0200
+Subject: virtio: delete vq in vp_find_vqs_msix() when request_irq() fails
+
+From: Jiri Pirko <jiri@nvidia.com>
+
+[ Upstream commit 89875151fccdd024d571aa884ea97a0128b968b6 ]
+
+When request_irq() fails, error path calls vp_del_vqs(). There, as vq is
+present in the list, free_irq() is called for the same vector. That
+causes following splat:
+
+[    0.414355] Trying to free already-free IRQ 27
+[    0.414403] WARNING: CPU: 1 PID: 1 at kernel/irq/manage.c:1899 free_irq+0x1a1/0x2d0
+[    0.414510] Modules linked in:
+[    0.414540] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 6.9.0-rc4+ #27
+[    0.414540] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014
+[    0.414540] RIP: 0010:free_irq+0x1a1/0x2d0
+[    0.414540] Code: 1e 00 48 83 c4 08 48 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 90 8b 74 24 04 48 c7 c7 98 80 6c b1 e8 00 c9 f7 ff 90 <0f> 0b 90 90 48 89 ee 4c 89 ef e8 e0 20 b8 00 49 8b 47 40 48 8b 40
+[    0.414540] RSP: 0000:ffffb71480013ae0 EFLAGS: 00010086
+[    0.414540] RAX: 0000000000000000 RBX: ffffa099c2722000 RCX: 0000000000000000
+[    0.414540] RDX: 0000000000000000 RSI: ffffb71480013998 RDI: 0000000000000001
+[    0.414540] RBP: 0000000000000246 R08: 00000000ffffdfff R09: 0000000000000001
+[    0.414540] R10: 00000000ffffdfff R11: ffffffffb18729c0 R12: ffffa099c1c91760
+[    0.414540] R13: ffffa099c1c916a4 R14: ffffa099c1d2f200 R15: ffffa099c1c91600
+[    0.414540] FS:  0000000000000000(0000) GS:ffffa099fec40000(0000) knlGS:0000000000000000
+[    0.414540] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[    0.414540] CR2: 0000000000000000 CR3: 0000000008e3e001 CR4: 0000000000370ef0
+[    0.414540] Call Trace:
+[    0.414540]  <TASK>
+[    0.414540]  ? __warn+0x80/0x120
+[    0.414540]  ? free_irq+0x1a1/0x2d0
+[    0.414540]  ? report_bug+0x164/0x190
+[    0.414540]  ? handle_bug+0x3b/0x70
+[    0.414540]  ? exc_invalid_op+0x17/0x70
+[    0.414540]  ? asm_exc_invalid_op+0x1a/0x20
+[    0.414540]  ? free_irq+0x1a1/0x2d0
+[    0.414540]  vp_del_vqs+0xc1/0x220
+[    0.414540]  vp_find_vqs_msix+0x305/0x470
+[    0.414540]  vp_find_vqs+0x3e/0x1a0
+[    0.414540]  vp_modern_find_vqs+0x1b/0x70
+[    0.414540]  init_vqs+0x387/0x600
+[    0.414540]  virtnet_probe+0x50a/0xc80
+[    0.414540]  virtio_dev_probe+0x1e0/0x2b0
+[    0.414540]  really_probe+0xc0/0x2c0
+[    0.414540]  ? __pfx___driver_attach+0x10/0x10
+[    0.414540]  __driver_probe_device+0x73/0x120
+[    0.414540]  driver_probe_device+0x1f/0xe0
+[    0.414540]  __driver_attach+0x88/0x180
+[    0.414540]  bus_for_each_dev+0x85/0xd0
+[    0.414540]  bus_add_driver+0xec/0x1f0
+[    0.414540]  driver_register+0x59/0x100
+[    0.414540]  ? __pfx_virtio_net_driver_init+0x10/0x10
+[    0.414540]  virtio_net_driver_init+0x90/0xb0
+[    0.414540]  do_one_initcall+0x58/0x230
+[    0.414540]  kernel_init_freeable+0x1a3/0x2d0
+[    0.414540]  ? __pfx_kernel_init+0x10/0x10
+[    0.414540]  kernel_init+0x1a/0x1c0
+[    0.414540]  ret_from_fork+0x31/0x50
+[    0.414540]  ? __pfx_kernel_init+0x10/0x10
+[    0.414540]  ret_from_fork_asm+0x1a/0x30
+[    0.414540]  </TASK>
+
+Fix this by calling deleting the current vq when request_irq() fails.
+
+Fixes: 0b0f9dc52ed0 ("Revert "virtio_pci: use shared interrupts for virtqueues"")
+Signed-off-by: Jiri Pirko <jiri@nvidia.com>
+Message-Id: <20240426150845.3999481-1-jiri@resnulli.us>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/virtio/virtio_pci_common.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/virtio/virtio_pci_common.c b/drivers/virtio/virtio_pci_common.c
+index 1e890ef176873..a6f375417fd54 100644
+--- a/drivers/virtio/virtio_pci_common.c
++++ b/drivers/virtio/virtio_pci_common.c
+@@ -339,8 +339,10 @@ static int vp_find_vqs_msix(struct virtio_device *vdev, unsigned nvqs,
+                                 vring_interrupt, 0,
+                                 vp_dev->msix_names[msix_vec],
+                                 vqs[i]);
+-              if (err)
++              if (err) {
++                      vp_del_vq(vqs[i]);
+                       goto error_find;
++              }
+       }
+       return 0;
+-- 
+2.43.0
+
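Review bot: The added `vp_del_vq(vqs[i]);` leaves `vqs[i]` pointing at the deleted queue, and the code does not record why the delete happens here rather than in the common error path. A comment such as `/* no IRQ was attached to this vq: delete it now so vp_del_vqs() does not free_irq() its vector */` would capture what the commit message explains. Whether any caller reads the `vqs[]` array after a failed return is not visible in this hunk. If one can, `vqs[i] = NULL;` after the delete would avoid handing back a stale pointer. vp_find_vqs_msix() starts and ends outside the hunk.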
diff --git a/queue-5.4/x86-kconfig-select-arch_want_frame_pointers-again-wh.patch b/queue-5.4/x86-kconfig-select-arch_want_frame_pointers-again-wh.patch
new file mode 100644 (file)
index 0000000..f156376
--- /dev/null
@@ -0,0 +1,63 @@
+From 9dd82e734c40e582c4be1b8f40a5a7389de9aeb9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Feb 2024 21:20:03 +0900
+Subject: x86/kconfig: Select ARCH_WANT_FRAME_POINTERS again when
+ UNWINDER_FRAME_POINTER=y
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit 66ee3636eddcc82ab82b539d08b85fb5ac1dff9b ]
+
+It took me some time to understand the purpose of the tricky code at
+the end of arch/x86/Kconfig.debug.
+
+Without it, the following would be shown:
+
+  WARNING: unmet direct dependencies detected for FRAME_POINTER
+
+because
+
+  81d387190039 ("x86/kconfig: Consolidate unwinders into multiple choice selection")
+
+removed 'select ARCH_WANT_FRAME_POINTERS'.
+
+The correct and more straightforward approach should have been to move
+it where 'select FRAME_POINTER' is located.
+
+Several architectures properly handle the conditional selection of
+ARCH_WANT_FRAME_POINTERS. For example, 'config UNWINDER_FRAME_POINTER'
+in arch/arm/Kconfig.debug.
+
+Fixes: 81d387190039 ("x86/kconfig: Consolidate unwinders into multiple choice selection")
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Link: https://lore.kernel.org/r/20240204122003.53795-1-masahiroy@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/Kconfig.debug | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug
+index bf9cd83de7773..3abac9327b643 100644
+--- a/arch/x86/Kconfig.debug
++++ b/arch/x86/Kconfig.debug
+@@ -307,6 +307,7 @@ config UNWINDER_ORC
+ config UNWINDER_FRAME_POINTER
+       bool "Frame pointer unwinder"
++      select ARCH_WANT_FRAME_POINTERS
+       select FRAME_POINTER
+       ---help---
+         This option enables the frame pointer unwinder for unwinding kernel
+@@ -334,7 +335,3 @@ config UNWINDER_GUESS
+         overhead.
+ endchoice
+-
+-config FRAME_POINTER
+-      depends on !UNWINDER_ORC && !UNWINDER_GUESS
+-      bool
+-- 
+2.43.0
+