--- /dev/null
+From c000a704924aa2235f9a4f69aa94758d7dfdfcbd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Mar 2024 18:01:31 -0700
+Subject: ASoC: ops: Fix wraparound for mask in snd_soc_get_volsw
+
+From: Stephen Lee <slee08177@gmail.com>
+
+[ Upstream commit fc563aa900659a850e2ada4af26b9d7a3de6c591 ]
+
+In snd_soc_info_volsw(), mask is generated by figuring out the index of
+the most significant bit set in max and converting the index to a
+bitmask through bit shift 1. Unintended wraparound occurs when max is an
+integer value with msb bit set. Since the bit shift value 1 is treated
+as an integer type, the left shift operation will wraparound and set
+mask to 0 instead of all 1's. In order to fix this, we type cast 1 as
+`1ULL` to prevent the wraparound.
+
+Fixes: 7077148fb50a ("ASoC: core: Split ops out of soc-core.c")
+Signed-off-by: Stephen Lee <slee08177@gmail.com>
+Link: https://msgid.link/r/20240326010131.6211-1-slee08177@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-ops.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/soc-ops.c b/sound/soc/soc-ops.c
+index c56379fac9272..57caa91a4376e 100644
+--- a/sound/soc/soc-ops.c
++++ b/sound/soc/soc-ops.c
+@@ -246,7 +246,7 @@ int snd_soc_get_volsw(struct snd_kcontrol *kcontrol,
+ int max = mc->max;
+ int min = mc->min;
+ int sign_bit = mc->sign_bit;
+- unsigned int mask = (1 << fls(max)) - 1;
++ unsigned int mask = (1ULL << fls(max)) - 1;
+ unsigned int invert = mc->invert;
+ int val;
+ int ret;
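Review bot: The new initializer `(1ULL << fls(max)) - 1` only produces the intended mask because the 64-bit result is silently truncated back to `unsigned int`, and nothing on the line says so. A short comment would keep a later cleanup from "simplifying" it back, e.g. `/* 1ULL: fls(max) is 32 when max has its top bit set; the result truncates to 0xffffffff */`. The commit message names snd_soc_info_volsw() while the hunk is in snd_soc_get_volsw(), so any other handler in soc-ops.c that derives a mask from `max` with a plain `1 <<` should be checked for the same wraparound. The function body continues outside the hunk.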
+--
+2.43.0
+
--- /dev/null
+From ac25a7a03ad5b893d4b45df962330374699c6e84 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Mar 2024 17:18:12 -0500
+Subject: ASoC: rt5682-sdw: fix locking sequence
+
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+
+[ Upstream commit 310a5caa4e861616a27a83c3e8bda17d65026fa8 ]
+
+The disable_irq_lock protects the 'disable_irq' value, we need to lock
+before testing it.
+
+Fixes: 02fb23d72720 ("ASoC: rt5682-sdw: fix for JD event handling in ClockStop Mode0")
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Reviewed-by: Chao Song <chao.song@linux.intel.com>
+Link: https://msgid.link/r/20240325221817.206465-2-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/rt5682-sdw.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/rt5682-sdw.c b/sound/soc/codecs/rt5682-sdw.c
+index 9fdd9afe00da4..f452245b210f6 100644
+--- a/sound/soc/codecs/rt5682-sdw.c
++++ b/sound/soc/codecs/rt5682-sdw.c
+@@ -787,12 +787,12 @@ static int __maybe_unused rt5682_dev_resume(struct device *dev)
+ return 0;
+
+ if (!slave->unattach_request) {
++ mutex_lock(&rt5682->disable_irq_lock);
+ if (rt5682->disable_irq == true) {
+- mutex_lock(&rt5682->disable_irq_lock);
+ sdw_write_no_pm(slave, SDW_SCP_INTMASK1, SDW_SCP_INT1_IMPL_DEF);
+ rt5682->disable_irq = false;
+- mutex_unlock(&rt5682->disable_irq_lock);
+ }
++ mutex_unlock(&rt5682->disable_irq_lock);
+ goto regmap_sync;
+ }
+
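Review bot: The return value of `sdw_write_no_pm()` is still ignored inside the now correctly locked section, so `rt5682->disable_irq = false;` runs even if the write that restores the interrupt mask failed. That would leave the driver believing interrupts are re-enabled when the register was never updated; checking the result and at least logging it before clearing the flag would make the failure visible. As a style point, `if (rt5682->disable_irq == true)` reads more simply as `if (rt5682->disable_irq)`. The same two remarks apply to the rt711_sdca_dev_resume() and rt711_dev_resume() hunks later in this series. The function starts and ends outside the hunk.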
+--
+2.43.0
+
--- /dev/null
+From 09fcb51aab39c1f2dc9c370105cf546fa7b9e46e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Mar 2024 17:18:13 -0500
+Subject: ASoC: rt711-sdca: fix locking sequence
+
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+
+[ Upstream commit ee287771644394d071e6a331951ee8079b64f9a7 ]
+
+The disable_irq_lock protects the 'disable_irq' value, we need to lock
+before testing it.
+
+Fixes: 23adeb7056ac ("ASoC: rt711-sdca: fix for JD event handling in ClockStop Mode0")
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Reviewed-by: Chao Song <chao.song@linux.intel.com>
+Link: https://msgid.link/r/20240325221817.206465-3-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/rt711-sdca-sdw.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/rt711-sdca-sdw.c b/sound/soc/codecs/rt711-sdca-sdw.c
+index 4faf6b8544ddd..25e8b9906f316 100644
+--- a/sound/soc/codecs/rt711-sdca-sdw.c
++++ b/sound/soc/codecs/rt711-sdca-sdw.c
+@@ -443,13 +443,13 @@ static int __maybe_unused rt711_sdca_dev_resume(struct device *dev)
+ return 0;
+
+ if (!slave->unattach_request) {
++ mutex_lock(&rt711->disable_irq_lock);
+ if (rt711->disable_irq == true) {
+- mutex_lock(&rt711->disable_irq_lock);
+ sdw_write_no_pm(slave, SDW_SCP_SDCA_INTMASK1, SDW_SCP_SDCA_INTMASK_SDCA_0);
+ sdw_write_no_pm(slave, SDW_SCP_SDCA_INTMASK2, SDW_SCP_SDCA_INTMASK_SDCA_8);
+ rt711->disable_irq = false;
+- mutex_unlock(&rt711->disable_irq_lock);
+ }
++ mutex_unlock(&rt711->disable_irq_lock);
+ goto regmap_sync;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 9ef4a6433bdbbe097997b469518005f2d89662e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Mar 2024 17:18:14 -0500
+Subject: ASoC: rt711-sdw: fix locking sequence
+
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+
+[ Upstream commit aae86cfd8790bcc7693a5a0894df58de5cb5128c ]
+
+The disable_irq_lock protects the 'disable_irq' value, we need to lock
+before testing it.
+
+Fixes: b69de265bd0e ("ASoC: rt711: fix for JD event handling in ClockStop Mode0")
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Reviewed-by: Chao Song <chao.song@linux.intel.com>
+Link: https://msgid.link/r/20240325221817.206465-4-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/rt711-sdw.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/rt711-sdw.c b/sound/soc/codecs/rt711-sdw.c
+index 9545b8a7eb192..af7a0ab5669f4 100644
+--- a/sound/soc/codecs/rt711-sdw.c
++++ b/sound/soc/codecs/rt711-sdw.c
+@@ -542,12 +542,12 @@ static int __maybe_unused rt711_dev_resume(struct device *dev)
+ return 0;
+
+ if (!slave->unattach_request) {
++ mutex_lock(&rt711->disable_irq_lock);
+ if (rt711->disable_irq == true) {
+- mutex_lock(&rt711->disable_irq_lock);
+ sdw_write_no_pm(slave, SDW_SCP_INTMASK1, SDW_SCP_INT1_IMPL_DEF);
+ rt711->disable_irq = false;
+- mutex_unlock(&rt711->disable_irq_lock);
+ }
++ mutex_unlock(&rt711->disable_irq_lock);
+ goto regmap_sync;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 827e47e8afd46d3bf158577026fbc56eb2af6367 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Apr 2024 10:06:48 +0200
+Subject: ata: sata_mv: Fix PCI device ID table declaration compilation warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 3137b83a90646917c90951d66489db466b4ae106 ]
+
+Building with W=1 shows a warning for an unused variable when CONFIG_PCI
+is diabled:
+
+drivers/ata/sata_mv.c:790:35: error: unused variable 'mv_pci_tbl' [-Werror,-Wunused-const-variable]
+static const struct pci_device_id mv_pci_tbl[] = {
+
+Move the table into the same block that containsn the pci_driver
+definition.
+
+Fixes: 7bb3c5290ca0 ("sata_mv: Remove PCI dependency")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/sata_mv.c | 63 +++++++++++++++++++++----------------------
+ 1 file changed, 31 insertions(+), 32 deletions(-)
+
+diff --git a/drivers/ata/sata_mv.c b/drivers/ata/sata_mv.c
+index c53633d47bfb3..1c9dde51d456c 100644
+--- a/drivers/ata/sata_mv.c
++++ b/drivers/ata/sata_mv.c
+@@ -787,37 +787,6 @@ static const struct ata_port_info mv_port_info[] = {
+ },
+ };
+
+-static const struct pci_device_id mv_pci_tbl[] = {
+- { PCI_VDEVICE(MARVELL, 0x5040), chip_504x },
+- { PCI_VDEVICE(MARVELL, 0x5041), chip_504x },
+- { PCI_VDEVICE(MARVELL, 0x5080), chip_5080 },
+- { PCI_VDEVICE(MARVELL, 0x5081), chip_508x },
+- /* RocketRAID 1720/174x have different identifiers */
+- { PCI_VDEVICE(TTI, 0x1720), chip_6042 },
+- { PCI_VDEVICE(TTI, 0x1740), chip_6042 },
+- { PCI_VDEVICE(TTI, 0x1742), chip_6042 },
+-
+- { PCI_VDEVICE(MARVELL, 0x6040), chip_604x },
+- { PCI_VDEVICE(MARVELL, 0x6041), chip_604x },
+- { PCI_VDEVICE(MARVELL, 0x6042), chip_6042 },
+- { PCI_VDEVICE(MARVELL, 0x6080), chip_608x },
+- { PCI_VDEVICE(MARVELL, 0x6081), chip_608x },
+-
+- { PCI_VDEVICE(ADAPTEC2, 0x0241), chip_604x },
+-
+- /* Adaptec 1430SA */
+- { PCI_VDEVICE(ADAPTEC2, 0x0243), chip_7042 },
+-
+- /* Marvell 7042 support */
+- { PCI_VDEVICE(MARVELL, 0x7042), chip_7042 },
+-
+- /* Highpoint RocketRAID PCIe series */
+- { PCI_VDEVICE(TTI, 0x2300), chip_7042 },
+- { PCI_VDEVICE(TTI, 0x2310), chip_7042 },
+-
+- { } /* terminate list */
+-};
+-
+ static const struct mv_hw_ops mv5xxx_ops = {
+ .phy_errata = mv5_phy_errata,
+ .enable_leds = mv5_enable_leds,
+@@ -4311,6 +4280,36 @@ static int mv_pci_init_one(struct pci_dev *pdev,
+ static int mv_pci_device_resume(struct pci_dev *pdev);
+ #endif
+
++static const struct pci_device_id mv_pci_tbl[] = {
++ { PCI_VDEVICE(MARVELL, 0x5040), chip_504x },
++ { PCI_VDEVICE(MARVELL, 0x5041), chip_504x },
++ { PCI_VDEVICE(MARVELL, 0x5080), chip_5080 },
++ { PCI_VDEVICE(MARVELL, 0x5081), chip_508x },
++ /* RocketRAID 1720/174x have different identifiers */
++ { PCI_VDEVICE(TTI, 0x1720), chip_6042 },
++ { PCI_VDEVICE(TTI, 0x1740), chip_6042 },
++ { PCI_VDEVICE(TTI, 0x1742), chip_6042 },
++
++ { PCI_VDEVICE(MARVELL, 0x6040), chip_604x },
++ { PCI_VDEVICE(MARVELL, 0x6041), chip_604x },
++ { PCI_VDEVICE(MARVELL, 0x6042), chip_6042 },
++ { PCI_VDEVICE(MARVELL, 0x6080), chip_608x },
++ { PCI_VDEVICE(MARVELL, 0x6081), chip_608x },
++
++ { PCI_VDEVICE(ADAPTEC2, 0x0241), chip_604x },
++
++ /* Adaptec 1430SA */
++ { PCI_VDEVICE(ADAPTEC2, 0x0243), chip_7042 },
++
++ /* Marvell 7042 support */
++ { PCI_VDEVICE(MARVELL, 0x7042), chip_7042 },
++
++ /* Highpoint RocketRAID PCIe series */
++ { PCI_VDEVICE(TTI, 0x2300), chip_7042 },
++ { PCI_VDEVICE(TTI, 0x2310), chip_7042 },
++
++ { } /* terminate list */
++};
+
+ static struct pci_driver mv_pci_driver = {
+ .name = DRV_NAME,
+@@ -4323,6 +4322,7 @@ static struct pci_driver mv_pci_driver = {
+ #endif
+
+ };
++MODULE_DEVICE_TABLE(pci, mv_pci_tbl);
+
+ /**
+ * mv_print_info - Dump key info to kernel log for perusal.
+@@ -4495,7 +4495,6 @@ static void __exit mv_exit(void)
+ MODULE_AUTHOR("Brett Russ");
+ MODULE_DESCRIPTION("SCSI low-level driver for Marvell SATA controllers");
+ MODULE_LICENSE("GPL v2");
+-MODULE_DEVICE_TABLE(pci, mv_pci_tbl);
+ MODULE_VERSION(DRV_VERSION);
+ MODULE_ALIAS("platform:" DRV_NAME);
+
+--
+2.43.0
+
--- /dev/null
+From 18d590f9a71fa92d8c9d4139bbc06e8f9c3bad69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Mar 2024 15:53:37 +0100
+Subject: ata: sata_sx4: fix pdc20621_get_from_dimm() on 64-bit
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 52f80bb181a9a1530ade30bc18991900bbb9697f ]
+
+gcc warns about a memcpy() with overlapping pointers because of an
+incorrect size calculation:
+
+In file included from include/linux/string.h:369,
+ from drivers/ata/sata_sx4.c:66:
+In function 'memcpy_fromio',
+ inlined from 'pdc20621_get_from_dimm.constprop' at drivers/ata/sata_sx4.c:962:2:
+include/linux/fortify-string.h:97:33: error: '__builtin_memcpy' accessing 4294934464 bytes at offsets 0 and [16, 16400] overlaps 6442385281 bytes at offset -2147450817 [-Werror=restrict]
+ 97 | #define __underlying_memcpy __builtin_memcpy
+ | ^
+include/linux/fortify-string.h:620:9: note: in expansion of macro '__underlying_memcpy'
+ 620 | __underlying_##op(p, q, __fortify_size); \
+ | ^~~~~~~~~~~~~
+include/linux/fortify-string.h:665:26: note: in expansion of macro '__fortify_memcpy_chk'
+ 665 | #define memcpy(p, q, s) __fortify_memcpy_chk(p, q, s, \
+ | ^~~~~~~~~~~~~~~~~~~~
+include/asm-generic/io.h:1184:9: note: in expansion of macro 'memcpy'
+ 1184 | memcpy(buffer, __io_virt(addr), size);
+ | ^~~~~~
+
+The problem here is the overflow of an unsigned 32-bit number to a
+negative that gets converted into a signed 'long', keeping a large
+positive number.
+
+Replace the complex calculation with a more readable min() variant
+that avoids the warning.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/sata_sx4.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/ata/sata_sx4.c b/drivers/ata/sata_sx4.c
+index 4c01190a5e370..c95685f693a68 100644
+--- a/drivers/ata/sata_sx4.c
++++ b/drivers/ata/sata_sx4.c
+@@ -1004,8 +1004,7 @@ static void pdc20621_get_from_dimm(struct ata_host *host, void *psource,
+
+ offset -= (idx * window_size);
+ idx++;
+- dist = ((long) (window_size - (offset + size))) >= 0 ? size :
+- (long) (window_size - offset);
++ dist = min(size, window_size - offset);
+ memcpy_fromio(psource, dimm_mmio + offset / 4, dist);
+
+ psource += dist;
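Review bot: `min(size, window_size - offset)` is a valid bound only while `offset` is below `window_size` after `offset -= (idx * window_size);`. If these are unsigned, as the commit message's mention of an unsigned 32-bit number suggests, a larger offset would wrap the subtraction to a huge value and `min()` would return `size` unchecked. How `idx` is derived is outside the hunk, so the invariant cannot be confirmed from here. It deserves a comment on the line, e.g. `/* offset < window_size here: room left in the current window */`. The same applies to the matching line in the pdc20621_put_to_dimm() hunk.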
+@@ -1053,8 +1052,7 @@ static void pdc20621_put_to_dimm(struct ata_host *host, void *psource,
+ readl(mmio + PDC_DIMM_WINDOW_CTLR);
+ offset -= (idx * window_size);
+ idx++;
+- dist = ((long)(s32)(window_size - (offset + size))) >= 0 ? size :
+- (long) (window_size - offset);
++ dist = min(size, window_size - offset);
+ memcpy_toio(dimm_mmio + offset / 4, psource, dist);
+ writel(0x01, mmio + PDC_GENERAL_CTLR);
+ readl(mmio + PDC_GENERAL_CTLR);
+--
+2.43.0
+
--- /dev/null
+From be7cd770fe928dd49c14b3afbbe4c298d8a6e27a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Nov 2023 16:08:22 +0100
+Subject: fs/pipe: Fix lockdep false-positive in watchqueue pipe_write()
+
+From: Jann Horn <jannh@google.com>
+
+[ Upstream commit 055ca83559912f2cfd91c9441427bac4caf3c74e ]
+
+When you try to splice between a normal pipe and a notification pipe,
+get_pipe_info(..., true) fails, so splice() falls back to treating the
+notification pipe like a normal pipe - so we end up in
+iter_file_splice_write(), which first locks the input pipe, then calls
+vfs_iter_write(), which locks the output pipe.
+
+Lockdep complains about that, because we're taking a pipe lock while
+already holding another pipe lock.
+
+I think this probably (?) can't actually lead to deadlocks, since you'd
+need another way to nest locking a normal pipe into locking a
+watch_queue pipe, but the lockdep annotations don't make that clear.
+
+Bail out earlier in pipe_write() for notification pipes, before taking
+the pipe lock.
+
+Reported-and-tested-by: <syzbot+011e4ea1da6692cf881c@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=011e4ea1da6692cf881c
+Fixes: c73be61cede5 ("pipe: Add general notification queue support")
+Signed-off-by: Jann Horn <jannh@google.com>
+Link: https://lore.kernel.org/r/20231124150822.2121798-1-jannh@google.com
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/pipe.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/fs/pipe.c b/fs/pipe.c
+index a8b8ef2dae7b7..0a8095070b70e 100644
+--- a/fs/pipe.c
++++ b/fs/pipe.c
+@@ -423,6 +423,18 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from)
+ bool was_empty = false;
+ bool wake_next_writer = false;
+
++ /*
++ * Reject writing to watch queue pipes before the point where we lock
++ * the pipe.
++ * Otherwise, lockdep would be unhappy if the caller already has another
++ * pipe locked.
++ * If we had to support locking a normal pipe and a notification pipe at
++ * the same time, we could set up lockdep annotations for that, but
++ * since we don't actually need that, it's simpler to just bail here.
++ */
++ if (pipe_has_watch_queue(pipe))
++ return -EXDEV;
++
+ /* Null write succeeds. */
+ if (unlikely(total_len == 0))
+ return 0;
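Review bot: Placing the watch-queue check above the `total_len == 0` test changes the result of a zero-length write to a notification pipe, which previously reached `return 0` and now gets `-EXDEV`. If that is intended, the new comment should say so, for instance by adding `This also rejects zero-length writes.`; if not, the null-write test can stay first, since it does not take the lock either. The check also now runs without the pipe lock, and the comment does not say why an unlocked read is safe. Presumably the watch queue is attached at pipe creation and never changes afterwards; that should be confirmed and stated. The function body continues outside the hunk.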
+@@ -435,11 +447,6 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from)
+ goto out;
+ }
+
+- if (pipe_has_watch_queue(pipe)) {
+- ret = -EXDEV;
+- goto out;
+- }
+-
+ /*
+ * If it wasn't empty we try to merge new data into
+ * the last buffer.
+--
+2.43.0
+
--- /dev/null
+From 652f2e382be89b8af0c340397dcd2e03609843ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Jan 2022 14:33:31 +0100
+Subject: HID: uhid: Use READ_ONCE()/WRITE_ONCE() for ->running
+
+From: Jann Horn <jannh@google.com>
+
+[ Upstream commit c8e7ff41f819b0c31c66c5196933c26c18f7681f ]
+
+The flag uhid->running can be set to false by uhid_device_add_worker()
+without holding the uhid->devlock. Mark all reads/writes of the flag
+that might race with READ_ONCE()/WRITE_ONCE() for clarity and
+correctness.
+
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/uhid.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/hid/uhid.c b/drivers/hid/uhid.c
+index ba0ca652b9dab..09da654d2b05c 100644
+--- a/drivers/hid/uhid.c
++++ b/drivers/hid/uhid.c
+@@ -84,7 +84,7 @@ static void uhid_device_add_worker(struct work_struct *work)
+ * However, we do have to clear the ->running flag and do a
+ * wakeup to make sure userspace knows that the device is gone.
+ */
+- uhid->running = false;
++ WRITE_ONCE(uhid->running, false);
+ wake_up_interruptible(&uhid->report_wait);
+ }
+ }
+@@ -194,9 +194,9 @@ static int __uhid_report_queue_and_wait(struct uhid_device *uhid,
+ spin_unlock_irqrestore(&uhid->qlock, flags);
+
+ ret = wait_event_interruptible_timeout(uhid->report_wait,
+- !uhid->report_running || !uhid->running,
++ !uhid->report_running || !READ_ONCE(uhid->running),
+ 5 * HZ);
+- if (!ret || !uhid->running || uhid->report_running)
++ if (!ret || !READ_ONCE(uhid->running) || uhid->report_running)
+ ret = -EIO;
+ else if (ret < 0)
+ ret = -ERESTARTSYS;
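Review bot: `uhid->report_running` is still read with a plain access in the same wait condition and in the `if` that follows, both after `spin_unlock_irqrestore(&uhid->qlock, flags)`, so the expression now mixes an annotated and an unannotated lockless read. Its writers are not visible in this hunk; if it can change concurrently it wants `READ_ONCE()` here as well, or a comment explaining why the plain read is acceptable. Note also that `READ_ONCE()` only gives a tear-free snapshot. The `if (!READ_ONCE(uhid->running))` guards in the later hunks do not stop the flag from being cleared right after the test, so the code behind them must tolerate a device that has just stopped.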
+@@ -237,7 +237,7 @@ static int uhid_hid_get_report(struct hid_device *hid, unsigned char rnum,
+ struct uhid_event *ev;
+ int ret;
+
+- if (!uhid->running)
++ if (!READ_ONCE(uhid->running))
+ return -EIO;
+
+ ev = kzalloc(sizeof(*ev), GFP_KERNEL);
+@@ -279,7 +279,7 @@ static int uhid_hid_set_report(struct hid_device *hid, unsigned char rnum,
+ struct uhid_event *ev;
+ int ret;
+
+- if (!uhid->running || count > UHID_DATA_MAX)
++ if (!READ_ONCE(uhid->running) || count > UHID_DATA_MAX)
+ return -EIO;
+
+ ev = kzalloc(sizeof(*ev), GFP_KERNEL);
+@@ -580,7 +580,7 @@ static int uhid_dev_destroy(struct uhid_device *uhid)
+ if (!uhid->hid)
+ return -EINVAL;
+
+- uhid->running = false;
++ WRITE_ONCE(uhid->running, false);
+ wake_up_interruptible(&uhid->report_wait);
+
+ cancel_work_sync(&uhid->worker);
+@@ -594,7 +594,7 @@ static int uhid_dev_destroy(struct uhid_device *uhid)
+
+ static int uhid_dev_input(struct uhid_device *uhid, struct uhid_event *ev)
+ {
+- if (!uhid->running)
++ if (!READ_ONCE(uhid->running))
+ return -EINVAL;
+
+ hid_input_report(uhid->hid, HID_INPUT_REPORT, ev->u.input.data,
+@@ -605,7 +605,7 @@ static int uhid_dev_input(struct uhid_device *uhid, struct uhid_event *ev)
+
+ static int uhid_dev_input2(struct uhid_device *uhid, struct uhid_event *ev)
+ {
+- if (!uhid->running)
++ if (!READ_ONCE(uhid->running))
+ return -EINVAL;
+
+ hid_input_report(uhid->hid, HID_INPUT_REPORT, ev->u.input2.data,
+@@ -617,7 +617,7 @@ static int uhid_dev_input2(struct uhid_device *uhid, struct uhid_event *ev)
+ static int uhid_dev_get_report_reply(struct uhid_device *uhid,
+ struct uhid_event *ev)
+ {
+- if (!uhid->running)
++ if (!READ_ONCE(uhid->running))
+ return -EINVAL;
+
+ uhid_report_wake_up(uhid, ev->u.get_report_reply.id, ev);
+@@ -627,7 +627,7 @@ static int uhid_dev_get_report_reply(struct uhid_device *uhid,
+ static int uhid_dev_set_report_reply(struct uhid_device *uhid,
+ struct uhid_event *ev)
+ {
+- if (!uhid->running)
++ if (!READ_ONCE(uhid->running))
+ return -EINVAL;
+
+ uhid_report_wake_up(uhid, ev->u.set_report_reply.id, ev);
+--
+2.43.0
+
--- /dev/null
+From 07729bac319307a1e1fb725be28959f1c3c41886 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Apr 2024 13:56:18 -0400
+Subject: nfsd: hold a lighter-weight client reference over CB_RECALL_ANY
+
+From: Jeff Layton <jlayton@kernel.org>
+
+[ Upstream commit 10396f4df8b75ff6ab0aa2cd74296565466f2c8d ]
+
+Currently the CB_RECALL_ANY job takes a cl_rpc_users reference to the
+client. While a callback job is technically an RPC that counter is
+really more for client-driven RPCs, and this has the effect of
+preventing the client from being unhashed until the callback completes.
+
+If nfsd decides to send a CB_RECALL_ANY just as the client reboots, we
+can end up in a situation where the callback can't complete on the (now
+dead) callback channel, but the new client can't connect because the old
+client can't be unhashed. This usually manifests as a NFS4ERR_DELAY
+return on the CREATE_SESSION operation.
+
+The job is only holding a reference to the client so it can clear a flag
+after the RPC completes. Fix this by having CB_RECALL_ANY instead hold a
+reference to the cl_nfsdfs.cl_ref. Typically we only take that sort of
+reference when dealing with the nfsdfs info files, but it should work
+appropriately here to ensure that the nfs4_client doesn't disappear.
+
+Fixes: 44df6f439a17 ("NFSD: add delegation reaper to react to low memory condition")
+Reported-by: Vladimir Benes <vbenes@redhat.com>
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4state.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
+index ccc235a8bc1b4..40b5b226e504d 100644
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -2889,12 +2889,9 @@ static void
+ nfsd4_cb_recall_any_release(struct nfsd4_callback *cb)
+ {
+ struct nfs4_client *clp = cb->cb_clp;
+- struct nfsd_net *nn = net_generic(clp->net, nfsd_net_id);
+
+- spin_lock(&nn->client_lock);
+ clear_bit(NFSD4_CLIENT_CB_RECALL_ANY, &clp->cl_flags);
+- put_client_renew_locked(clp);
+- spin_unlock(&nn->client_lock);
++ drop_client(clp);
+ }
+
+ static const struct nfsd4_callback_ops nfsd4_cb_recall_any_ops = {
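Review bot: With the spinlock gone, nothing in nfsd4_cb_recall_any_release() shows that `clear_bit()` must stay ahead of `drop_client(clp)`. Assuming drop_client() is the put side of cl_nfsdfs.cl_ref as the commit message describes, it may release the last reference, and any later access to `clp` would be a use-after-free. A comment on the call would protect against a future reorder, e.g. `/* drops the cl_nfsdfs.cl_ref taken in deleg_reaper(); clp may be freed after this */`.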
+@@ -6234,7 +6231,7 @@ deleg_reaper(struct nfsd_net *nn)
+ list_add(&clp->cl_ra_cblist, &cblist);
+
+ /* release in nfsd4_cb_recall_any_release */
+- atomic_inc(&clp->cl_rpc_users);
++ kref_get(&clp->cl_nfsdfs.cl_ref);
+ set_bit(NFSD4_CLIENT_CB_RECALL_ANY, &clp->cl_flags);
+ clp->cl_ra_time = ktime_get_boottime_seconds();
+ }
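Review bot: `kref_get(&clp->cl_nfsdfs.cl_ref)` requires the count to be non-zero already, so this line depends on every client reached by the loop still holding its nfsdfs reference. The list walk and the locking that would guarantee this are outside the hunk. If a client past its final put can still be found here, `kref_get_unless_zero()` with a skip would be needed; otherwise the existing comment could state the invariant, e.g. `/* client is still hashed here, so cl_ref is held; released in nfsd4_cb_recall_any_release */`.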
+--
+2.43.0
+
--- /dev/null
+From 89e6f0e2c56eb4a9460a921e5f3e9a0b3c506427 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Oct 2022 20:33:01 +0200
+Subject: openrisc: Fix pagewalk usage in arch_dma_{clear, set}_uncached
+
+From: Jann Horn <jannh@google.com>
+
+[ Upstream commit 28148a17c988b614534f457da86893f83664ad43 ]
+
+Since commit 8782fb61cc848 ("mm: pagewalk: Fix race between unmap and page
+walker"), walk_page_range() on kernel ranges won't work anymore,
+walk_page_range_novma() must be used instead.
+
+Note: I don't have an openrisc development setup, so this is completely
+untested.
+
+Fixes: 8782fb61cc848 ("mm: pagewalk: Fix race between unmap and page walker")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Stafford Horne <shorne@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/openrisc/kernel/dma.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/arch/openrisc/kernel/dma.c b/arch/openrisc/kernel/dma.c
+index a82b2caaa560d..b3edbb33b621d 100644
+--- a/arch/openrisc/kernel/dma.c
++++ b/arch/openrisc/kernel/dma.c
+@@ -74,10 +74,10 @@ void *arch_dma_set_uncached(void *cpu_addr, size_t size)
+ * We need to iterate through the pages, clearing the dcache for
+ * them and setting the cache-inhibit bit.
+ */
+- mmap_read_lock(&init_mm);
+- error = walk_page_range(&init_mm, va, va + size, &set_nocache_walk_ops,
+- NULL);
+- mmap_read_unlock(&init_mm);
++ mmap_write_lock(&init_mm);
++ error = walk_page_range_novma(&init_mm, va, va + size,
++ &set_nocache_walk_ops, NULL, NULL);
++ mmap_write_unlock(&init_mm);
+
+ if (error)
+ return ERR_PTR(error);
+@@ -88,11 +88,11 @@ void arch_dma_clear_uncached(void *cpu_addr, size_t size)
+ {
+ unsigned long va = (unsigned long)cpu_addr;
+
+- mmap_read_lock(&init_mm);
++ mmap_write_lock(&init_mm);
+ /* walk_page_range shouldn't be able to fail here */
+- WARN_ON(walk_page_range(&init_mm, va, va + size,
+- &clear_nocache_walk_ops, NULL));
+- mmap_read_unlock(&init_mm);
++ WARN_ON(walk_page_range_novma(&init_mm, va, va + size,
++ &clear_nocache_walk_ops, NULL, NULL));
++ mmap_write_unlock(&init_mm);
+ }
+
+ void arch_sync_dma_for_device(phys_addr_t addr, size_t size,
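Review bot: The context comment `/* walk_page_range shouldn't be able to fail here */` in arch_dma_clear_uncached() is now stale, since the call below it is `walk_page_range_novma()`; it should read `/* walk_page_range_novma shouldn't be able to fail here */`. Both hunks also switch from `mmap_read_lock()` to `mmap_write_lock()` on init_mm without saying why. A one-line comment stating the locking the novma walker expects for kernel ranges would help, particularly as the commit message notes the change is untested.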
+--
+2.43.0
+
--- /dev/null
+From 1505d5f373c12e9065b0cb228362ed4d16ee4737 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Mar 2024 23:38:06 +0100
+Subject: scsi: mylex: Fix sysfs buffer lengths
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 1197c5b2099f716b3de327437fb50900a0b936c9 ]
+
+The myrb and myrs drivers use an odd way of implementing their sysfs files,
+calling snprintf() with a fixed length of 32 bytes to print into a page
+sized buffer. One of the strings is actually longer than 32 bytes, which
+clang can warn about:
+
+drivers/scsi/myrb.c:1906:10: error: 'snprintf' will always be truncated; specified size is 32, but format string expands to at least 34 [-Werror,-Wformat-truncation]
+drivers/scsi/myrs.c:1089:10: error: 'snprintf' will always be truncated; specified size is 32, but format string expands to at least 34 [-Werror,-Wformat-truncation]
+
+These could all be plain sprintf() without a length as the buffer is always
+long enough. On the other hand, sysfs files should not be overly long
+either, so just double the length to make sure the longest strings don't
+get truncated here.
+
+Fixes: 77266186397c ("scsi: myrs: Add Mylex RAID controller (SCSI interface)")
+Fixes: 081ff398c56c ("scsi: myrb: Add Mylex RAID controller (block interface)")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20240326223825.4084412-8-arnd@kernel.org
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/myrb.c | 20 ++++++++++----------
+ drivers/scsi/myrs.c | 24 ++++++++++++------------
+ 2 files changed, 22 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/scsi/myrb.c b/drivers/scsi/myrb.c
+index 386256369dfc3..2a61cb7268839 100644
+--- a/drivers/scsi/myrb.c
++++ b/drivers/scsi/myrb.c
+@@ -1775,9 +1775,9 @@ static ssize_t raid_state_show(struct device *dev,
+
+ name = myrb_devstate_name(ldev_info->state);
+ if (name)
+- ret = snprintf(buf, 32, "%s\n", name);
++ ret = snprintf(buf, 64, "%s\n", name);
+ else
+- ret = snprintf(buf, 32, "Invalid (%02X)\n",
++ ret = snprintf(buf, 64, "Invalid (%02X)\n",
+ ldev_info->state);
+ } else {
+ struct myrb_pdev_state *pdev_info = sdev->hostdata;
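Review bot: Raising the literal from 32 to 64 keeps a magic size that has no relation to the buffer, which the commit message itself describes as page sized. `snprintf()` returns the length the string would have had, so if a name ever exceeds the limit the show routine reports more bytes than it stored. `ret = sysfs_emit(buf, "%s\n", name);` bounds the write to the page and returns what was actually written; whether this stable branch carries sysfs_emit() needs checking. The same applies to every `snprintf(buf, 64, ...)` in the remaining myrb.c and myrs.c hunks.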
+@@ -1796,9 +1796,9 @@ static ssize_t raid_state_show(struct device *dev,
+ else
+ name = myrb_devstate_name(pdev_info->state);
+ if (name)
+- ret = snprintf(buf, 32, "%s\n", name);
++ ret = snprintf(buf, 64, "%s\n", name);
+ else
+- ret = snprintf(buf, 32, "Invalid (%02X)\n",
++ ret = snprintf(buf, 64, "Invalid (%02X)\n",
+ pdev_info->state);
+ }
+ return ret;
+@@ -1886,11 +1886,11 @@ static ssize_t raid_level_show(struct device *dev,
+
+ name = myrb_raidlevel_name(ldev_info->raid_level);
+ if (!name)
+- return snprintf(buf, 32, "Invalid (%02X)\n",
++ return snprintf(buf, 64, "Invalid (%02X)\n",
+ ldev_info->state);
+- return snprintf(buf, 32, "%s\n", name);
++ return snprintf(buf, 64, "%s\n", name);
+ }
+- return snprintf(buf, 32, "Physical Drive\n");
++ return snprintf(buf, 64, "Physical Drive\n");
+ }
+ static DEVICE_ATTR_RO(raid_level);
+
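Review bot: The "Invalid" branch of raid_level_show() prints `ldev_info->state` although the lookup that failed was on `ldev_info->raid_level`, so the hex value shown does not identify the unknown RAID level. This looks like a copy from raid_state_show() and the size change leaves it in place; the argument should be `ldev_info->raid_level`. The myrs.c raid_level_show() hunk has the same pattern with `ldev_info->dev_state`.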
+@@ -1903,15 +1903,15 @@ static ssize_t rebuild_show(struct device *dev,
+ unsigned char status;
+
+ if (sdev->channel < myrb_logical_channel(sdev->host))
+- return snprintf(buf, 32, "physical device - not rebuilding\n");
++ return snprintf(buf, 64, "physical device - not rebuilding\n");
+
+ status = myrb_get_rbld_progress(cb, &rbld_buf);
+
+ if (rbld_buf.ldev_num != sdev->id ||
+ status != MYRB_STATUS_SUCCESS)
+- return snprintf(buf, 32, "not rebuilding\n");
++ return snprintf(buf, 64, "not rebuilding\n");
+
+- return snprintf(buf, 32, "rebuilding block %u of %u\n",
++ return snprintf(buf, 64, "rebuilding block %u of %u\n",
+ rbld_buf.ldev_size - rbld_buf.blocks_left,
+ rbld_buf.ldev_size);
+ }
+diff --git a/drivers/scsi/myrs.c b/drivers/scsi/myrs.c
+index a4d244ee4548c..3f05f13fb107a 100644
+--- a/drivers/scsi/myrs.c
++++ b/drivers/scsi/myrs.c
+@@ -949,9 +949,9 @@ static ssize_t raid_state_show(struct device *dev,
+
+ name = myrs_devstate_name(ldev_info->dev_state);
+ if (name)
+- ret = snprintf(buf, 32, "%s\n", name);
++ ret = snprintf(buf, 64, "%s\n", name);
+ else
+- ret = snprintf(buf, 32, "Invalid (%02X)\n",
++ ret = snprintf(buf, 64, "Invalid (%02X)\n",
+ ldev_info->dev_state);
+ } else {
+ struct myrs_pdev_info *pdev_info;
+@@ -960,9 +960,9 @@ static ssize_t raid_state_show(struct device *dev,
+ pdev_info = sdev->hostdata;
+ name = myrs_devstate_name(pdev_info->dev_state);
+ if (name)
+- ret = snprintf(buf, 32, "%s\n", name);
++ ret = snprintf(buf, 64, "%s\n", name);
+ else
+- ret = snprintf(buf, 32, "Invalid (%02X)\n",
++ ret = snprintf(buf, 64, "Invalid (%02X)\n",
+ pdev_info->dev_state);
+ }
+ return ret;
+@@ -1068,13 +1068,13 @@ static ssize_t raid_level_show(struct device *dev,
+ ldev_info = sdev->hostdata;
+ name = myrs_raid_level_name(ldev_info->raid_level);
+ if (!name)
+- return snprintf(buf, 32, "Invalid (%02X)\n",
++ return snprintf(buf, 64, "Invalid (%02X)\n",
+ ldev_info->dev_state);
+
+ } else
+ name = myrs_raid_level_name(MYRS_RAID_PHYSICAL);
+
+- return snprintf(buf, 32, "%s\n", name);
++ return snprintf(buf, 64, "%s\n", name);
+ }
+ static DEVICE_ATTR_RO(raid_level);
+
+@@ -1088,7 +1088,7 @@ static ssize_t rebuild_show(struct device *dev,
+ unsigned char status;
+
+ if (sdev->channel < cs->ctlr_info->physchan_present)
+- return snprintf(buf, 32, "physical device - not rebuilding\n");
++ return snprintf(buf, 64, "physical device - not rebuilding\n");
+
+ ldev_info = sdev->hostdata;
+ ldev_num = ldev_info->ldev_num;
+@@ -1100,11 +1100,11 @@ static ssize_t rebuild_show(struct device *dev,
+ return -EIO;
+ }
+ if (ldev_info->rbld_active) {
+- return snprintf(buf, 32, "rebuilding block %zu of %zu\n",
++ return snprintf(buf, 64, "rebuilding block %zu of %zu\n",
+ (size_t)ldev_info->rbld_lba,
+ (size_t)ldev_info->cfg_devsize);
+ } else
+- return snprintf(buf, 32, "not rebuilding\n");
++ return snprintf(buf, 64, "not rebuilding\n");
+ }
+
+ static ssize_t rebuild_store(struct device *dev,
+@@ -1192,7 +1192,7 @@ static ssize_t consistency_check_show(struct device *dev,
+ unsigned short ldev_num;
+
+ if (sdev->channel < cs->ctlr_info->physchan_present)
+- return snprintf(buf, 32, "physical device - not checking\n");
++ return snprintf(buf, 64, "physical device - not checking\n");
+
+ ldev_info = sdev->hostdata;
+ if (!ldev_info)
+@@ -1200,11 +1200,11 @@ static ssize_t consistency_check_show(struct device *dev,
+ ldev_num = ldev_info->ldev_num;
+ myrs_get_ldev_info(cs, ldev_num, ldev_info);
+ if (ldev_info->cc_active)
+- return snprintf(buf, 32, "checking block %zu of %zu\n",
++ return snprintf(buf, 64, "checking block %zu of %zu\n",
+ (size_t)ldev_info->cc_lba,
+ (size_t)ldev_info->cfg_devsize);
+ else
+- return snprintf(buf, 32, "not checking\n");
++ return snprintf(buf, 64, "not checking\n");
+ }
+
+ static ssize_t consistency_check_store(struct device *dev,
+--
+2.43.0
+
drivers-net-convert-to-boolean-for-the-mac_managed_p.patch
net-fec-set-mac_managed_pm-during-probe.patch
net-ravb-always-process-tx-descriptor-ring.patch
+asoc-rt5682-sdw-fix-locking-sequence.patch
+asoc-rt711-sdca-fix-locking-sequence.patch
+asoc-rt711-sdw-fix-locking-sequence.patch
+asoc-ops-fix-wraparound-for-mask-in-snd_soc_get_vols.patch
+ata-sata_sx4-fix-pdc20621_get_from_dimm-on-64-bit.patch
+scsi-mylex-fix-sysfs-buffer-lengths.patch
+ata-sata_mv-fix-pci-device-id-table-declaration-comp.patch
+nfsd-hold-a-lighter-weight-client-reference-over-cb_.patch
+hid-uhid-use-read_once-write_once-for-running.patch
+openrisc-fix-pagewalk-usage-in-arch_dma_-clear-set-_.patch
+fs-pipe-fix-lockdep-false-positive-in-watchqueue-pip.patch