--- /dev/null
+From 9e8fa520a1db22ccf3fe76cdf5b536f713107ee9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 16:58:48 +0100
+Subject: arm64: probes: Fix uprobes for big-endian kernels
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+[ Upstream commit 13f8f1e05f1dc36dbba6cba0ae03354c0dafcde7 ]
+
+The arm64 uprobes code is broken for big-endian kernels as it doesn't
+convert the in-memory instruction encoding (which is always
+little-endian) into the kernel's native endianness before analyzing and
+simulating instructions. This may result in a few distinct problems:
+
+* The kernel may may erroneously reject probing an instruction which can
+ safely be probed.
+
+* The kernel may erroneously erroneously permit stepping an
+ instruction out-of-line when that instruction cannot be stepped
+ out-of-line safely.
+
+* The kernel may erroneously simulate instruction incorrectly dur to
+ interpretting the byte-swapped encoding.
+
+The endianness mismatch isn't caught by the compiler or sparse because:
+
+* The arch_uprobe::{insn,ixol} fields are encoded as arrays of u8, so
+ the compiler and sparse have no idea these contain a little-endian
+ 32-bit value. The core uprobes code populates these with a memcpy()
+ which similarly does not handle endianness.
+
+* While the uprobe_opcode_t type is an alias for __le32, both
+ arch_uprobe_analyze_insn() and arch_uprobe_skip_sstep() cast from u8[]
+ to the similarly-named probe_opcode_t, which is an alias for u32.
+ Hence there is no endianness conversion warning.
+
+Fix this by changing the arch_uprobe::{insn,ixol} fields to __le32 and
+adding the appropriate __le32_to_cpu() conversions prior to consuming
+the instruction encoding. The core uprobes copies these fields as opaque
+ranges of bytes, and so is unaffected by this change.
+
+At the same time, remove MAX_UINSN_BYTES and consistently use
+AARCH64_INSN_SIZE for clarity.
+
+Tested with the following:
+
+| #include <stdio.h>
+| #include <stdbool.h>
+|
+| #define noinline __attribute__((noinline))
+|
+| static noinline void *adrp_self(void)
+| {
+| void *addr;
+|
+| asm volatile(
+| " adrp %x0, adrp_self\n"
+| " add %x0, %x0, :lo12:adrp_self\n"
+| : "=r" (addr));
+| }
+|
+|
+| int main(int argc, char *argv)
+| {
+| void *ptr = adrp_self();
+| bool equal = (ptr == adrp_self);
+|
+| printf("adrp_self => %p\n"
+| "adrp_self() => %p\n"
+| "%s\n",
+| adrp_self, ptr, equal ? "EQUAL" : "NOT EQUAL");
+|
+| return 0;
+| }
+
+.... where the adrp_self() function was compiled to:
+
+| 00000000004007e0 <adrp_self>:
+| 4007e0: 90000000 adrp x0, 400000 <__ehdr_start>
+| 4007e4: 911f8000 add x0, x0, #0x7e0
+| 4007e8: d65f03c0 ret
+
+Before this patch, the ADRP is not recognized, and is assumed to be
+steppable, resulting in corruption of the result:
+
+| # ./adrp-self
+| adrp_self => 0x4007e0
+| adrp_self() => 0x4007e0
+| EQUAL
+| # echo 'p /root/adrp-self:0x007e0' > /sys/kernel/tracing/uprobe_events
+| # echo 1 > /sys/kernel/tracing/events/uprobes/enable
+| # ./adrp-self
+| adrp_self => 0x4007e0
+| adrp_self() => 0xffffffffff7e0
+| NOT EQUAL
+
+After this patch, the ADRP is correctly recognized and simulated:
+
+| # ./adrp-self
+| adrp_self => 0x4007e0
+| adrp_self() => 0x4007e0
+| EQUAL
+| #
+| # echo 'p /root/adrp-self:0x007e0' > /sys/kernel/tracing/uprobe_events
+| # echo 1 > /sys/kernel/tracing/events/uprobes/enable
+| # ./adrp-self
+| adrp_self => 0x4007e0
+| adrp_self() => 0x4007e0
+| EQUAL
+
+Fixes: 9842ceae9fa8 ("arm64: Add uprobe support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20241008155851.801546-4-mark.rutland@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/uprobes.h | 8 +++-----
+ arch/arm64/kernel/probes/uprobes.c | 4 ++--
+ 2 files changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/arch/arm64/include/asm/uprobes.h b/arch/arm64/include/asm/uprobes.h
+index 189755d332601..bf3ba528fb6cb 100644
+--- a/arch/arm64/include/asm/uprobes.h
++++ b/arch/arm64/include/asm/uprobes.h
+@@ -13,11 +13,9 @@
+ #include <asm/insn.h>
+ #include <asm/probes.h>
+
+-#define MAX_UINSN_BYTES AARCH64_INSN_SIZE
+-
+ #define UPROBE_SWBP_INSN cpu_to_le32(BRK64_OPCODE_UPROBES)
+ #define UPROBE_SWBP_INSN_SIZE AARCH64_INSN_SIZE
+-#define UPROBE_XOL_SLOT_BYTES MAX_UINSN_BYTES
++#define UPROBE_XOL_SLOT_BYTES AARCH64_INSN_SIZE
+
+ typedef u32 uprobe_opcode_t;
+
+@@ -26,8 +24,8 @@ struct arch_uprobe_task {
+
+ struct arch_uprobe {
+ union {
+- u8 insn[MAX_UINSN_BYTES];
+- u8 ixol[MAX_UINSN_BYTES];
++ __le32 insn;
++ __le32 ixol;
+ };
+ struct arch_probe_insn api;
+ bool simulate;
+diff --git a/arch/arm64/kernel/probes/uprobes.c b/arch/arm64/kernel/probes/uprobes.c
+index 6aeb11aa7e283..851689216007c 100644
+--- a/arch/arm64/kernel/probes/uprobes.c
++++ b/arch/arm64/kernel/probes/uprobes.c
+@@ -45,7 +45,7 @@ int arch_uprobe_analyze_insn(struct arch_uprobe *auprobe, struct mm_struct *mm,
+ else if (!IS_ALIGNED(addr, AARCH64_INSN_SIZE))
+ return -EINVAL;
+
+- insn = *(probe_opcode_t *)(&auprobe->insn[0]);
++ insn = le32_to_cpu(auprobe->insn);
+
+ switch (arm_probe_decode_insn(insn, &auprobe->api)) {
+ case INSN_REJECTED:
+@@ -111,7 +111,7 @@ bool arch_uprobe_skip_sstep(struct arch_uprobe *auprobe, struct pt_regs *regs)
+ if (!auprobe->simulate)
+ return false;
+
+- insn = *(probe_opcode_t *)(&auprobe->insn[0]);
++ insn = le32_to_cpu(auprobe->insn);
+ addr = instruction_pointer(regs);
+
+ if (auprobe->api.handler)
+--
+2.43.0
+
--- /dev/null
+From a0a13fd3f344a2bd64216e0feb1b6c8bd3ce74ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 15:11:10 +0800
+Subject: arm64:uprobe fix the uprobe SWBP_INSN in big-endian
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: junhua huang <huang.junhua@zte.com.cn>
+
+[ Upstream commit 60f07e22a73d318cddaafa5ef41a10476807cc07 ]
+
+We use uprobe in aarch64_be, which we found the tracee task would exit
+due to SIGILL when we enable the uprobe trace.
+We can see the replace inst from uprobe is not correct in aarch big-endian.
+As in Armv8-A, instruction fetches are always treated as little-endian,
+we should treat the UPROBE_SWBP_INSN as little-endian。
+
+The test case is as following。
+bash-4.4# ./mqueue_test_aarchbe 1 1 2 1 10 > /dev/null &
+bash-4.4# cd /sys/kernel/debug/tracing/
+bash-4.4# echo 'p:test /mqueue_test_aarchbe:0xc30 %x0 %x1' > uprobe_events
+bash-4.4# echo 1 > events/uprobes/enable
+bash-4.4#
+bash-4.4# ps
+ PID TTY TIME CMD
+ 140 ? 00:00:01 bash
+ 237 ? 00:00:00 ps
+[1]+ Illegal instruction ./mqueue_test_aarchbe 1 1 2 1 100 > /dev/null
+
+which we debug use gdb as following:
+
+bash-4.4# gdb attach 155
+(gdb) disassemble send
+Dump of assembler code for function send:
+ 0x0000000000400c30 <+0>: .inst 0xa00020d4 ; undefined
+ 0x0000000000400c34 <+4>: mov x29, sp
+ 0x0000000000400c38 <+8>: str w0, [sp, #28]
+ 0x0000000000400c3c <+12>: strb w1, [sp, #27]
+ 0x0000000000400c40 <+16>: str xzr, [sp, #40]
+ 0x0000000000400c44 <+20>: str xzr, [sp, #48]
+ 0x0000000000400c48 <+24>: add x0, sp, #0x1b
+ 0x0000000000400c4c <+28>: mov w3, #0x0 // #0
+ 0x0000000000400c50 <+32>: mov x2, #0x1 // #1
+ 0x0000000000400c54 <+36>: mov x1, x0
+ 0x0000000000400c58 <+40>: ldr w0, [sp, #28]
+ 0x0000000000400c5c <+44>: bl 0x405e10 <mq_send>
+ 0x0000000000400c60 <+48>: str w0, [sp, #60]
+ 0x0000000000400c64 <+52>: ldr w0, [sp, #60]
+ 0x0000000000400c68 <+56>: ldp x29, x30, [sp], #64
+ 0x0000000000400c6c <+60>: ret
+End of assembler dump.
+(gdb) info b
+No breakpoints or watchpoints.
+(gdb) c
+Continuing.
+
+Program received signal SIGILL, Illegal instruction.
+0x0000000000400c30 in send ()
+(gdb) x/10x 0x400c30
+0x400c30 <send>: 0xd42000a0 0xfd030091 0xe01f00b9 0xe16f0039
+0x400c40 <send+16>: 0xff1700f9 0xff1b00f9 0xe06f0091 0x03008052
+0x400c50 <send+32>: 0x220080d2 0xe10300aa
+(gdb) disassemble 0x400c30
+Dump of assembler code for function send:
+=> 0x0000000000400c30 <+0>: .inst 0xa00020d4 ; undefined
+ 0x0000000000400c34 <+4>: mov x29, sp
+ 0x0000000000400c38 <+8>: str w0, [sp, #28]
+ 0x0000000000400c3c <+12>: strb w1, [sp, #27]
+ 0x0000000000400c40 <+16>: str xzr, [sp, #40]
+
+Signed-off-by: junhua huang <huang.junhua@zte.com.cn>
+Link: https://lore.kernel.org/r/202212021511106844809@zte.com.cn
+Signed-off-by: Will Deacon <will@kernel.org>
+Stable-dep-of: 13f8f1e05f1d ("arm64: probes: Fix uprobes for big-endian kernels")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/include/asm/uprobes.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/include/asm/uprobes.h b/arch/arm64/include/asm/uprobes.h
+index 8d004073d0e8e..189755d332601 100644
+--- a/arch/arm64/include/asm/uprobes.h
++++ b/arch/arm64/include/asm/uprobes.h
+@@ -15,7 +15,7 @@
+
+ #define MAX_UINSN_BYTES AARCH64_INSN_SIZE
+
+-#define UPROBE_SWBP_INSN BRK64_OPCODE_UPROBES
++#define UPROBE_SWBP_INSN cpu_to_le32(BRK64_OPCODE_UPROBES)
+ #define UPROBE_SWBP_INSN_SIZE AARCH64_INSN_SIZE
+ #define UPROBE_XOL_SLOT_BYTES MAX_UINSN_BYTES
+
+--
+2.43.0
+
--- /dev/null
+From 79730a13626b7729de666575215fc3c8b32b13ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 17:07:08 +0800
+Subject: Bluetooth: bnep: fix wild-memory-access in proto_unregister
+
+From: Ye Bin <yebin10@huawei.com>
+
+[ Upstream commit 64a90991ba8d4e32e3173ddd83d0b24167a5668c ]
+
+There's issue as follows:
+ KASAN: maybe wild-memory-access in range [0xdead...108-0xdead...10f]
+ CPU: 3 UID: 0 PID: 2805 Comm: rmmod Tainted: G W
+ RIP: 0010:proto_unregister+0xee/0x400
+ Call Trace:
+ <TASK>
+ __do_sys_delete_module+0x318/0x580
+ do_syscall_64+0xc1/0x1d0
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+As bnep_init() ignore bnep_sock_init()'s return value, and bnep_sock_init()
+will cleanup all resource. Then when remove bnep module will call
+bnep_sock_cleanup() to cleanup sock's resource.
+To solve above issue just return bnep_sock_init()'s return value in
+bnep_exit().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Ye Bin <yebin10@huawei.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/bnep/core.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
+index a16d584a6c0d0..e1cfd110d281e 100644
+--- a/net/bluetooth/bnep/core.c
++++ b/net/bluetooth/bnep/core.c
+@@ -744,8 +744,7 @@ static int __init bnep_init(void)
+ if (flt[0])
+ BT_INFO("BNEP filters: %s", flt);
+
+- bnep_sock_init();
+- return 0;
++ return bnep_sock_init();
+ }
+
+ static void __exit bnep_exit(void)
+--
+2.43.0
+
--- /dev/null
+From 0fdadb90faa7999d3e2b1bb09a7f264924d7dba0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2024 01:01:49 -0400
+Subject: drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate
+ calculation
+
+From: Jonathan Marek <jonathan@marek.ca>
+
+[ Upstream commit 358b762400bd94db2a14a72dfcef74c7da6bd845 ]
+
+When (mode->clock * 1000) is larger than (1<<31), int to unsigned long
+conversion will sign extend the int to 64 bits and the pclk_rate value
+will be incorrect.
+
+Fix this by making the result of the multiplication unsigned.
+
+Note that above (1<<32) would still be broken and require more changes, but
+its unlikely anyone will need that anytime soon.
+
+Fixes: c4d8cfe516dc ("drm/msm/dsi: add implementation for helper functions")
+Signed-off-by: Jonathan Marek <jonathan@marek.ca>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/618434/
+Link: https://lore.kernel.org/r/20241007050157.26855-2-jonathan@marek.ca
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/dsi/dsi_host.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c
+index 5f4dd3659bf96..137c0ec1b5772 100644
+--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
+@@ -671,7 +671,7 @@ static u32 dsi_get_pclk_rate(struct msm_dsi_host *msm_host, bool is_dual_dsi)
+ struct drm_display_mode *mode = msm_host->mode;
+ u32 pclk_rate;
+
+- pclk_rate = mode->clock * 1000;
++ pclk_rate = mode->clock * 1000u;
+
+ /*
+ * For dual DSI mode, the current DRM mode has the complete width of the
+--
+2.43.0
+
--- /dev/null
+From 5112523435254e70330f1b100e349b70196e12c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Sep 2024 17:18:33 +0200
+Subject: KVM: s390: gaccess: Check if guest address is in memslot
+
+From: Nico Boehr <nrb@linux.ibm.com>
+
+[ Upstream commit e8061f06185be0a06a73760d6526b8b0feadfe52 ]
+
+Previously, access_guest_page() did not check whether the given guest
+address is inside of a memslot. This is not a problem, since
+kvm_write_guest_page/kvm_read_guest_page return -EFAULT in this case.
+
+However, -EFAULT is also returned when copy_to/from_user fails.
+
+When emulating a guest instruction, the address being outside a memslot
+usually means that an addressing exception should be injected into the
+guest.
+
+Failure in copy_to/from_user however indicates that something is wrong
+in userspace and hence should be handled there.
+
+To be able to distinguish these two cases, return PGM_ADDRESSING in
+access_guest_page() when the guest address is outside guest memory. In
+access_guest_real(), populate vcpu->arch.pgm.code such that
+kvm_s390_inject_prog_cond() can be used in the caller for injecting into
+the guest (if applicable).
+
+Since this adds a new return value to access_guest_page(), we need to make
+sure that other callers are not confused by the new positive return value.
+
+There are the following users of access_guest_page():
+- access_guest_with_key() does the checking itself (in
+ guest_range_to_gpas()), so this case should never happen. Even if, the
+ handling is set up properly.
+- access_guest_real() just passes the return code to its callers, which
+ are:
+ - read_guest_real() - see below
+ - write_guest_real() - see below
+
+There are the following users of read_guest_real():
+- ar_translation() in gaccess.c which already returns PGM_*
+- setup_apcb10(), setup_apcb00(), setup_apcb11() in vsie.c which always
+ return -EFAULT on read_guest_read() nonzero return - no change
+- shadow_crycb(), handle_stfle() always present this as validity, this
+ could be handled better but doesn't change current behaviour - no change
+
+There are the following users of write_guest_real():
+- kvm_s390_store_status_unloaded() always returns -EFAULT on
+ write_guest_real() failure.
+
+Fixes: 2293897805c2 ("KVM: s390: add architecture compliant guest access functions")
+Cc: stable@vger.kernel.org
+Signed-off-by: Nico Boehr <nrb@linux.ibm.com>
+Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
+Link: https://lore.kernel.org/r/20240917151904.74314-2-nrb@linux.ibm.com
+Acked-by: Janosch Frank <frankja@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kvm/gaccess.c | 4 ++++
+ arch/s390/kvm/gaccess.h | 14 ++++++++------
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/arch/s390/kvm/gaccess.c b/arch/s390/kvm/gaccess.c
+index 6ba82fe0776f8..11ddac5e3e923 100644
+--- a/arch/s390/kvm/gaccess.c
++++ b/arch/s390/kvm/gaccess.c
+@@ -873,6 +873,8 @@ static int access_guest_page(struct kvm *kvm, enum gacc_mode mode, gpa_t gpa,
+ const gfn_t gfn = gpa_to_gfn(gpa);
+ int rc;
+
++ if (!gfn_to_memslot(kvm, gfn))
++ return PGM_ADDRESSING;
+ if (mode == GACC_STORE)
+ rc = kvm_write_guest_page(kvm, gfn, data, offset, len);
+ else
+@@ -936,6 +938,8 @@ int access_guest_real(struct kvm_vcpu *vcpu, unsigned long gra,
+ gra += fragment_len;
+ data += fragment_len;
+ }
++ if (rc > 0)
++ vcpu->arch.pgm.code = rc;
+ return rc;
+ }
+
+diff --git a/arch/s390/kvm/gaccess.h b/arch/s390/kvm/gaccess.h
+index 4c56de5429608..6c97cde8623a4 100644
+--- a/arch/s390/kvm/gaccess.h
++++ b/arch/s390/kvm/gaccess.h
+@@ -344,11 +344,12 @@ int read_guest_abs(struct kvm_vcpu *vcpu, unsigned long gpa, void *data,
+ * @len: number of bytes to copy
+ *
+ * Copy @len bytes from @data (kernel space) to @gra (guest real address).
+- * It is up to the caller to ensure that the entire guest memory range is
+- * valid memory before calling this function.
+ * Guest low address and key protection are not checked.
+ *
+- * Returns zero on success or -EFAULT on error.
++ * Returns zero on success, -EFAULT when copying from @data failed, or
++ * PGM_ADRESSING in case @gra is outside a memslot. In this case, pgm check info
++ * is also stored to allow injecting into the guest (if applicable) using
++ * kvm_s390_inject_prog_cond().
+ *
+ * If an error occurs data may have been copied partially to guest memory.
+ */
+@@ -367,11 +368,12 @@ int write_guest_real(struct kvm_vcpu *vcpu, unsigned long gra, void *data,
+ * @len: number of bytes to copy
+ *
+ * Copy @len bytes from @gra (guest real address) to @data (kernel space).
+- * It is up to the caller to ensure that the entire guest memory range is
+- * valid memory before calling this function.
+ * Guest key protection is not checked.
+ *
+- * Returns zero on success or -EFAULT on error.
++ * Returns zero on success, -EFAULT when copying to @data failed, or
++ * PGM_ADRESSING in case @gra is outside a memslot. In this case, pgm check info
++ * is also stored to allow injecting into the guest (if applicable) using
++ * kvm_s390_inject_prog_cond().
+ *
+ * If an error occurs data may have been copied partially to kernel space.
+ */
+--
+2.43.0
+
--- /dev/null
+From 97606368a1835744cfafc3eb3c875ff1afda1e1c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Nov 2021 17:45:49 +0100
+Subject: KVM: s390: gaccess: Cleanup access to guest pages
+
+From: Janis Schoetterl-Glausch <scgl@linux.ibm.com>
+
+[ Upstream commit bad13799e0305deb258372b7298a86be4c78aaba ]
+
+Introduce a helper function for guest frame access.
+
+Signed-off-by: Janis Schoetterl-Glausch <scgl@linux.ibm.com>
+Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Message-Id: <20211126164549.7046-4-scgl@linux.ibm.com>
+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
+Stable-dep-of: e8061f06185b ("KVM: s390: gaccess: Check if guest address is in memslot")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kvm/gaccess.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/arch/s390/kvm/gaccess.c b/arch/s390/kvm/gaccess.c
+index d4fe5db5984dd..6ba82fe0776f8 100644
+--- a/arch/s390/kvm/gaccess.c
++++ b/arch/s390/kvm/gaccess.c
+@@ -866,6 +866,20 @@ static int guest_range_to_gpas(struct kvm_vcpu *vcpu, unsigned long ga, u8 ar,
+ return 0;
+ }
+
++static int access_guest_page(struct kvm *kvm, enum gacc_mode mode, gpa_t gpa,
++ void *data, unsigned int len)
++{
++ const unsigned int offset = offset_in_page(gpa);
++ const gfn_t gfn = gpa_to_gfn(gpa);
++ int rc;
++
++ if (mode == GACC_STORE)
++ rc = kvm_write_guest_page(kvm, gfn, data, offset, len);
++ else
++ rc = kvm_read_guest_page(kvm, gfn, data, offset, len);
++ return rc;
++}
++
+ int access_guest(struct kvm_vcpu *vcpu, unsigned long ga, u8 ar, void *data,
+ unsigned long len, enum gacc_mode mode)
+ {
+@@ -896,10 +910,7 @@ int access_guest(struct kvm_vcpu *vcpu, unsigned long ga, u8 ar, void *data,
+ rc = guest_range_to_gpas(vcpu, ga, ar, gpas, len, asce, mode);
+ for (idx = 0; idx < nr_pages && !rc; idx++) {
+ fragment_len = min(PAGE_SIZE - offset_in_page(gpas[idx]), len);
+- if (mode == GACC_STORE)
+- rc = kvm_write_guest(vcpu->kvm, gpas[idx], data, fragment_len);
+- else
+- rc = kvm_read_guest(vcpu->kvm, gpas[idx], data, fragment_len);
++ rc = access_guest_page(vcpu->kvm, mode, gpas[idx], data, fragment_len);
+ len -= fragment_len;
+ data += fragment_len;
+ }
+@@ -920,10 +931,7 @@ int access_guest_real(struct kvm_vcpu *vcpu, unsigned long gra,
+ while (len && !rc) {
+ gpa = kvm_s390_real_to_abs(vcpu, gra);
+ fragment_len = min(PAGE_SIZE - offset_in_page(gpa), len);
+- if (mode)
+- rc = write_guest_abs(vcpu, gpa, data, fragment_len);
+- else
+- rc = read_guest_abs(vcpu, gpa, data, fragment_len);
++ rc = access_guest_page(vcpu->kvm, mode, gpa, data, fragment_len);
+ len -= fragment_len;
+ gra += fragment_len;
+ data += fragment_len;
+--
+2.43.0
+
--- /dev/null
+From c545b603860357987257453a5d968e8d3c80ea71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Nov 2021 17:45:48 +0100
+Subject: KVM: s390: gaccess: Refactor access address range check
+
+From: Janis Schoetterl-Glausch <scgl@linux.ibm.com>
+
+[ Upstream commit 7faa543df19bf62d4583a64d3902705747f2ad29 ]
+
+Do not round down the first address to the page boundary, just translate
+it normally, which gives the value we care about in the first place.
+Given this, translating a single address is just the special case of
+translating a range spanning a single page.
+
+Make the output optional, so the function can be used to just check a
+range.
+
+Signed-off-by: Janis Schoetterl-Glausch <scgl@linux.ibm.com>
+Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
+Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Message-Id: <20211126164549.7046-3-scgl@linux.ibm.com>
+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
+Stable-dep-of: e8061f06185b ("KVM: s390: gaccess: Check if guest address is in memslot")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kvm/gaccess.c | 122 +++++++++++++++++++++++-----------------
+ 1 file changed, 69 insertions(+), 53 deletions(-)
+
+diff --git a/arch/s390/kvm/gaccess.c b/arch/s390/kvm/gaccess.c
+index b184749ffc5ae..d4fe5db5984dd 100644
+--- a/arch/s390/kvm/gaccess.c
++++ b/arch/s390/kvm/gaccess.c
+@@ -794,35 +794,74 @@ static int low_address_protection_enabled(struct kvm_vcpu *vcpu,
+ return 1;
+ }
+
+-static int guest_page_range(struct kvm_vcpu *vcpu, unsigned long ga, u8 ar,
+- unsigned long *pages, unsigned long nr_pages,
+- const union asce asce, enum gacc_mode mode)
++/**
++ * guest_range_to_gpas() - Calculate guest physical addresses of page fragments
++ * covering a logical range
++ * @vcpu: virtual cpu
++ * @ga: guest address, start of range
++ * @ar: access register
++ * @gpas: output argument, may be NULL
++ * @len: length of range in bytes
++ * @asce: address-space-control element to use for translation
++ * @mode: access mode
++ *
++ * Translate a logical range to a series of guest absolute addresses,
++ * such that the concatenation of page fragments starting at each gpa make up
++ * the whole range.
++ * The translation is performed as if done by the cpu for the given @asce, @ar,
++ * @mode and state of the @vcpu.
++ * If the translation causes an exception, its program interruption code is
++ * returned and the &struct kvm_s390_pgm_info pgm member of @vcpu is modified
++ * such that a subsequent call to kvm_s390_inject_prog_vcpu() will inject
++ * a correct exception into the guest.
++ * The resulting gpas are stored into @gpas, unless it is NULL.
++ *
++ * Note: All fragments except the first one start at the beginning of a page.
++ * When deriving the boundaries of a fragment from a gpa, all but the last
++ * fragment end at the end of the page.
++ *
++ * Return:
++ * * 0 - success
++ * * <0 - translation could not be performed, for example if guest
++ * memory could not be accessed
++ * * >0 - an access exception occurred. In this case the returned value
++ * is the program interruption code and the contents of pgm may
++ * be used to inject an exception into the guest.
++ */
++static int guest_range_to_gpas(struct kvm_vcpu *vcpu, unsigned long ga, u8 ar,
++ unsigned long *gpas, unsigned long len,
++ const union asce asce, enum gacc_mode mode)
+ {
+ psw_t *psw = &vcpu->arch.sie_block->gpsw;
++ unsigned int offset = offset_in_page(ga);
++ unsigned int fragment_len;
+ int lap_enabled, rc = 0;
+ enum prot_type prot;
++ unsigned long gpa;
+
+ lap_enabled = low_address_protection_enabled(vcpu, asce);
+- while (nr_pages) {
++ while (min(PAGE_SIZE - offset, len) > 0) {
++ fragment_len = min(PAGE_SIZE - offset, len);
+ ga = kvm_s390_logical_to_effective(vcpu, ga);
+ if (mode == GACC_STORE && lap_enabled && is_low_address(ga))
+ return trans_exc(vcpu, PGM_PROTECTION, ga, ar, mode,
+ PROT_TYPE_LA);
+- ga &= PAGE_MASK;
+ if (psw_bits(*psw).dat) {
+- rc = guest_translate(vcpu, ga, pages, asce, mode, &prot);
++ rc = guest_translate(vcpu, ga, &gpa, asce, mode, &prot);
+ if (rc < 0)
+ return rc;
+ } else {
+- *pages = kvm_s390_real_to_abs(vcpu, ga);
+- if (kvm_is_error_gpa(vcpu->kvm, *pages))
++ gpa = kvm_s390_real_to_abs(vcpu, ga);
++ if (kvm_is_error_gpa(vcpu->kvm, gpa))
+ rc = PGM_ADDRESSING;
+ }
+ if (rc)
+ return trans_exc(vcpu, rc, ga, ar, mode, prot);
+- ga += PAGE_SIZE;
+- pages++;
+- nr_pages--;
++ if (gpas)
++ *gpas++ = gpa;
++ offset = 0;
++ ga += fragment_len;
++ len -= fragment_len;
+ }
+ return 0;
+ }
+@@ -831,10 +870,10 @@ int access_guest(struct kvm_vcpu *vcpu, unsigned long ga, u8 ar, void *data,
+ unsigned long len, enum gacc_mode mode)
+ {
+ psw_t *psw = &vcpu->arch.sie_block->gpsw;
+- unsigned long nr_pages, gpa, idx;
+- unsigned long pages_array[2];
++ unsigned long nr_pages, idx;
++ unsigned long gpa_array[2];
+ unsigned int fragment_len;
+- unsigned long *pages;
++ unsigned long *gpas;
+ int need_ipte_lock;
+ union asce asce;
+ int rc;
+@@ -846,30 +885,28 @@ int access_guest(struct kvm_vcpu *vcpu, unsigned long ga, u8 ar, void *data,
+ if (rc)
+ return rc;
+ nr_pages = (((ga & ~PAGE_MASK) + len - 1) >> PAGE_SHIFT) + 1;
+- pages = pages_array;
+- if (nr_pages > ARRAY_SIZE(pages_array))
+- pages = vmalloc(array_size(nr_pages, sizeof(unsigned long)));
+- if (!pages)
++ gpas = gpa_array;
++ if (nr_pages > ARRAY_SIZE(gpa_array))
++ gpas = vmalloc(array_size(nr_pages, sizeof(unsigned long)));
++ if (!gpas)
+ return -ENOMEM;
+ need_ipte_lock = psw_bits(*psw).dat && !asce.r;
+ if (need_ipte_lock)
+ ipte_lock(vcpu);
+- rc = guest_page_range(vcpu, ga, ar, pages, nr_pages, asce, mode);
++ rc = guest_range_to_gpas(vcpu, ga, ar, gpas, len, asce, mode);
+ for (idx = 0; idx < nr_pages && !rc; idx++) {
+- gpa = pages[idx] + offset_in_page(ga);
+- fragment_len = min(PAGE_SIZE - offset_in_page(gpa), len);
++ fragment_len = min(PAGE_SIZE - offset_in_page(gpas[idx]), len);
+ if (mode == GACC_STORE)
+- rc = kvm_write_guest(vcpu->kvm, gpa, data, fragment_len);
++ rc = kvm_write_guest(vcpu->kvm, gpas[idx], data, fragment_len);
+ else
+- rc = kvm_read_guest(vcpu->kvm, gpa, data, fragment_len);
++ rc = kvm_read_guest(vcpu->kvm, gpas[idx], data, fragment_len);
+ len -= fragment_len;
+- ga += fragment_len;
+ data += fragment_len;
+ }
+ if (need_ipte_lock)
+ ipte_unlock(vcpu);
+- if (nr_pages > ARRAY_SIZE(pages_array))
+- vfree(pages);
++ if (nr_pages > ARRAY_SIZE(gpa_array))
++ vfree(gpas);
+ return rc;
+ }
+
+@@ -906,8 +943,6 @@ int access_guest_real(struct kvm_vcpu *vcpu, unsigned long gra,
+ int guest_translate_address(struct kvm_vcpu *vcpu, unsigned long gva, u8 ar,
+ unsigned long *gpa, enum gacc_mode mode)
+ {
+- psw_t *psw = &vcpu->arch.sie_block->gpsw;
+- enum prot_type prot;
+ union asce asce;
+ int rc;
+
+@@ -915,23 +950,7 @@ int guest_translate_address(struct kvm_vcpu *vcpu, unsigned long gva, u8 ar,
+ rc = get_vcpu_asce(vcpu, &asce, gva, ar, mode);
+ if (rc)
+ return rc;
+- if (is_low_address(gva) && low_address_protection_enabled(vcpu, asce)) {
+- if (mode == GACC_STORE)
+- return trans_exc(vcpu, PGM_PROTECTION, gva, 0,
+- mode, PROT_TYPE_LA);
+- }
+-
+- if (psw_bits(*psw).dat && !asce.r) { /* Use DAT? */
+- rc = guest_translate(vcpu, gva, gpa, asce, mode, &prot);
+- if (rc > 0)
+- return trans_exc(vcpu, rc, gva, 0, mode, prot);
+- } else {
+- *gpa = kvm_s390_real_to_abs(vcpu, gva);
+- if (kvm_is_error_gpa(vcpu->kvm, *gpa))
+- return trans_exc(vcpu, rc, gva, PGM_ADDRESSING, mode, 0);
+- }
+-
+- return rc;
++ return guest_range_to_gpas(vcpu, gva, ar, gpa, 1, asce, mode);
+ }
+
+ /**
+@@ -940,17 +959,14 @@ int guest_translate_address(struct kvm_vcpu *vcpu, unsigned long gva, u8 ar,
+ int check_gva_range(struct kvm_vcpu *vcpu, unsigned long gva, u8 ar,
+ unsigned long length, enum gacc_mode mode)
+ {
+- unsigned long gpa;
+- unsigned long currlen;
++ union asce asce;
+ int rc = 0;
+
++ rc = get_vcpu_asce(vcpu, &asce, gva, ar, mode);
++ if (rc)
++ return rc;
+ ipte_lock(vcpu);
+- while (length > 0 && !rc) {
+- currlen = min(length, PAGE_SIZE - (gva % PAGE_SIZE));
+- rc = guest_translate_address(vcpu, gva, ar, &gpa, mode);
+- gva += currlen;
+- length -= currlen;
+- }
++ rc = guest_range_to_gpas(vcpu, gva, ar, NULL, length, asce, mode);
+ ipte_unlock(vcpu);
+
+ return rc;
+--
+2.43.0
+
--- /dev/null
+From 24b1db701bb6ba362e4a708d0f1c3cd494961ab5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Nov 2021 17:45:47 +0100
+Subject: KVM: s390: gaccess: Refactor gpa and length calculation
+
+From: Janis Schoetterl-Glausch <scgl@linux.ibm.com>
+
+[ Upstream commit 416e7f0c9d613bf84e182eba9547ae8f9f5bfa4c ]
+
+Improve readability by renaming the length variable and
+not calculating the offset manually.
+
+Signed-off-by: Janis Schoetterl-Glausch <scgl@linux.ibm.com>
+Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Message-Id: <20211126164549.7046-2-scgl@linux.ibm.com>
+Signed-off-by: Janosch Frank <frankja@linux.ibm.com>
+Stable-dep-of: e8061f06185b ("KVM: s390: gaccess: Check if guest address is in memslot")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kvm/gaccess.c | 32 +++++++++++++++++---------------
+ 1 file changed, 17 insertions(+), 15 deletions(-)
+
+diff --git a/arch/s390/kvm/gaccess.c b/arch/s390/kvm/gaccess.c
+index 07d30ffcfa412..b184749ffc5ae 100644
+--- a/arch/s390/kvm/gaccess.c
++++ b/arch/s390/kvm/gaccess.c
+@@ -831,8 +831,9 @@ int access_guest(struct kvm_vcpu *vcpu, unsigned long ga, u8 ar, void *data,
+ unsigned long len, enum gacc_mode mode)
+ {
+ psw_t *psw = &vcpu->arch.sie_block->gpsw;
+- unsigned long _len, nr_pages, gpa, idx;
++ unsigned long nr_pages, gpa, idx;
+ unsigned long pages_array[2];
++ unsigned int fragment_len;
+ unsigned long *pages;
+ int need_ipte_lock;
+ union asce asce;
+@@ -855,15 +856,15 @@ int access_guest(struct kvm_vcpu *vcpu, unsigned long ga, u8 ar, void *data,
+ ipte_lock(vcpu);
+ rc = guest_page_range(vcpu, ga, ar, pages, nr_pages, asce, mode);
+ for (idx = 0; idx < nr_pages && !rc; idx++) {
+- gpa = *(pages + idx) + (ga & ~PAGE_MASK);
+- _len = min(PAGE_SIZE - (gpa & ~PAGE_MASK), len);
++ gpa = pages[idx] + offset_in_page(ga);
++ fragment_len = min(PAGE_SIZE - offset_in_page(gpa), len);
+ if (mode == GACC_STORE)
+- rc = kvm_write_guest(vcpu->kvm, gpa, data, _len);
++ rc = kvm_write_guest(vcpu->kvm, gpa, data, fragment_len);
+ else
+- rc = kvm_read_guest(vcpu->kvm, gpa, data, _len);
+- len -= _len;
+- ga += _len;
+- data += _len;
++ rc = kvm_read_guest(vcpu->kvm, gpa, data, fragment_len);
++ len -= fragment_len;
++ ga += fragment_len;
++ data += fragment_len;
+ }
+ if (need_ipte_lock)
+ ipte_unlock(vcpu);
+@@ -875,19 +876,20 @@ int access_guest(struct kvm_vcpu *vcpu, unsigned long ga, u8 ar, void *data,
+ int access_guest_real(struct kvm_vcpu *vcpu, unsigned long gra,
+ void *data, unsigned long len, enum gacc_mode mode)
+ {
+- unsigned long _len, gpa;
++ unsigned int fragment_len;
++ unsigned long gpa;
+ int rc = 0;
+
+ while (len && !rc) {
+ gpa = kvm_s390_real_to_abs(vcpu, gra);
+- _len = min(PAGE_SIZE - (gpa & ~PAGE_MASK), len);
++ fragment_len = min(PAGE_SIZE - offset_in_page(gpa), len);
+ if (mode)
+- rc = write_guest_abs(vcpu, gpa, data, _len);
++ rc = write_guest_abs(vcpu, gpa, data, fragment_len);
+ else
+- rc = read_guest_abs(vcpu, gpa, data, _len);
+- len -= _len;
+- gra += _len;
+- data += _len;
++ rc = read_guest_abs(vcpu, gpa, data, fragment_len);
++ len -= fragment_len;
++ gra += fragment_len;
++ data += fragment_len;
+ }
+ return rc;
+ }
+--
+2.43.0
+
--- /dev/null
+From d264d0d952a1eb3e34bf2c7c216d5f541006daf9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Oct 2024 17:16:37 +0200
+Subject: macsec: don't increment counters for an unrelated SA
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+[ Upstream commit cf58aefb1332db322060cad4a330d5f9292b0f41 ]
+
+On RX, we shouldn't be incrementing the stats for an arbitrary SA in
+case the actual SA hasn't been set up. Those counters are intended to
+track packets for their respective AN when the SA isn't currently
+configured. Due to the way MACsec is implemented, we don't keep
+counters unless the SA is configured, so we can't track those packets,
+and those counters will remain at 0.
+
+The RXSC's stats keeps track of those packets without telling us which
+AN they belonged to. We could add counters for non-existent SAs, and
+then find a way to integrate them in the dump to userspace, but I
+don't think it's worth the effort.
+
+Fixes: 91ec9bd57f35 ("macsec: Fix traffic counters/statistics")
+Reported-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Link: https://patch.msgid.link/f5ac92aaa5b89343232615f4c03f9f95042c6aa0.1728657709.git.sd@queasysnail.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macsec.c | 18 ------------------
+ 1 file changed, 18 deletions(-)
+
+diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
+index 54b19977fb675..d870a168caba0 100644
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -322,19 +322,6 @@ static struct macsec_rx_sa *macsec_rxsa_get(struct macsec_rx_sa __rcu *ptr)
+ return sa;
+ }
+
+-static struct macsec_rx_sa *macsec_active_rxsa_get(struct macsec_rx_sc *rx_sc)
+-{
+- struct macsec_rx_sa *sa = NULL;
+- int an;
+-
+- for (an = 0; an < MACSEC_NUM_AN; an++) {
+- sa = macsec_rxsa_get(rx_sc->sa[an]);
+- if (sa)
+- break;
+- }
+- return sa;
+-}
+-
+ static void free_rx_sc_rcu(struct rcu_head *head)
+ {
+ struct macsec_rx_sc *rx_sc = container_of(head, struct macsec_rx_sc, rcu_head);
+@@ -1206,15 +1193,12 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
+ /* If validateFrames is Strict or the C bit in the
+ * SecTAG is set, discard
+ */
+- struct macsec_rx_sa *active_rx_sa = macsec_active_rxsa_get(rx_sc);
+ if (hdr->tci_an & MACSEC_TCI_C ||
+ secy->validate_frames == MACSEC_VALIDATE_STRICT) {
+ u64_stats_update_begin(&rxsc_stats->syncp);
+ rxsc_stats->stats.InPktsNotUsingSA++;
+ u64_stats_update_end(&rxsc_stats->syncp);
+ DEV_STATS_INC(secy->netdev, rx_errors);
+- if (active_rx_sa)
+- this_cpu_inc(active_rx_sa->stats->InPktsNotUsingSA);
+ goto drop_nosa;
+ }
+
+@@ -1224,8 +1208,6 @@ static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
+ u64_stats_update_begin(&rxsc_stats->syncp);
+ rxsc_stats->stats.InPktsUnusedSA++;
+ u64_stats_update_end(&rxsc_stats->syncp);
+- if (active_rx_sa)
+- this_cpu_inc(active_rx_sa->stats->InPktsUnusedSA);
+ goto deliver;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 12af0d9810d8dd9193ef6b0c658acebdff4ddbbf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Oct 2024 19:04:34 +0800
+Subject: net: ethernet: aeroflex: fix potential memory leak in
+ greth_start_xmit_gbit()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit cf57b5d7a2aad456719152ecd12007fe031628a3 ]
+
+The greth_start_xmit_gbit() returns NETDEV_TX_OK without freeing skb
+in case of skb->len being too long, add dev_kfree_skb() to fix it.
+
+Fixes: d4c41139df6e ("net: Add Aeroflex Gaisler 10/100/1G Ethernet MAC driver")
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Reviewed-by: Gerhard Engleder <gerhard@engleder-embedded.com>
+Link: https://patch.msgid.link/20241012110434.49265-1-wanghai38@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/aeroflex/greth.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/aeroflex/greth.c b/drivers/net/ethernet/aeroflex/greth.c
+index 4df8da8f5e7e3..59690330d81ca 100644
+--- a/drivers/net/ethernet/aeroflex/greth.c
++++ b/drivers/net/ethernet/aeroflex/greth.c
+@@ -488,7 +488,7 @@ greth_start_xmit_gbit(struct sk_buff *skb, struct net_device *dev)
+
+ if (unlikely(skb->len > MAX_FRAME_SIZE)) {
+ dev->stats.tx_errors++;
+- goto out;
++ goto len_error;
+ }
+
+ /* Save skb pointer. */
+@@ -579,6 +579,7 @@ greth_start_xmit_gbit(struct sk_buff *skb, struct net_device *dev)
+ map_error:
+ if (net_ratelimit())
+ dev_warn(greth->dev, "Could not create TX DMA mapping\n");
++len_error:
+ dev_kfree_skb(skb);
+ out:
+ return err;
+--
+2.43.0
+
--- /dev/null
+From b287b6053e312fa2435b7321163a20b5bf8b7766 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 22:51:15 +0800
+Subject: net: systemport: fix potential memory leak in bcm_sysport_xmit()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit c401ed1c709948e57945485088413e1bb5e94bd1 ]
+
+The bcm_sysport_xmit() returns NETDEV_TX_OK without freeing skb
+in case of dma_map_single() fails, add dev_kfree_skb() to fix it.
+
+Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver")
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Link: https://patch.msgid.link/20241014145115.44977-1-wanghai38@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bcmsysport.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c
+index b3fc8745b5807..55b869f5c8255 100644
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -1319,6 +1319,7 @@ static netdev_tx_t bcm_sysport_xmit(struct sk_buff *skb,
+ netif_err(priv, tx_err, dev, "DMA map failed at %p (len=%d)\n",
+ skb->data, skb_len);
+ ret = NETDEV_TX_OK;
++ dev_kfree_skb_any(skb);
+ goto out;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 78f2f4ff9d472090cdb0fd733c2695ca1a88e4db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Sep 2024 20:05:57 -0700
+Subject: RDMA/bnxt_re: Fix incorrect AVID type in WQE structure
+
+From: Saravanan Vajravel <saravanan.vajravel@broadcom.com>
+
+[ Upstream commit 9ab20f76ae9fad55ebaf36bdff04aea1c2552374 ]
+
+Driver uses internal data structure to construct WQE frame.
+It used avid type as u16 which can accommodate up to 64K AVs.
+When outstanding AVID crosses 64K, driver truncates AVID and
+hence it uses incorrect AVID to WR. This leads to WR failure
+due to invalid AV ID and QP is moved to error state with reason
+set to 19 (INVALID AVID). When RDMA CM path is used, this issue
+hits QP1 and it is moved to error state
+
+Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver")
+Link: https://patch.msgid.link/r/1726715161-18941-3-git-send-email-selvin.xavier@broadcom.com
+Reviewed-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Reviewed-by: Chandramohan Akula <chandramohan.akula@broadcom.com>
+Signed-off-by: Saravanan Vajravel <saravanan.vajravel@broadcom.com>
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_fp.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_fp.h b/drivers/infiniband/hw/bnxt_re/qplib_fp.h
+index d0b24e961511a..aed0c53d84be2 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.h
++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.h
+@@ -150,7 +150,7 @@ struct bnxt_qplib_swqe {
+ };
+ u32 q_key;
+ u32 dst_qp;
+- u16 avid;
++ u32 avid;
+ } send;
+
+ /* Send Raw Ethernet and QP1 */
+--
+2.43.0
+
--- /dev/null
+From 4e4db8e7150108100bd974d94ffa577674fa0f66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Oct 2024 00:41:36 -0700
+Subject: RDMA/bnxt_re: Return more meaningful error
+
+From: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+
+[ Upstream commit 98647df0178df215b8239c5c365537283b2852a6 ]
+
+When the HWRM command fails, driver currently returns -EFAULT(Bad
+address). This does not look correct.
+
+Modified to return -EIO(I/O error).
+
+Fixes: cc1ec769b87c ("RDMA/bnxt_re: Fixing the Control path command and response handling")
+Fixes: 65288a22ddd8 ("RDMA/bnxt_re: use shadow qd while posting non blocking rcfw command")
+Link: https://patch.msgid.link/r/1728373302-19530-5-git-send-email-selvin.xavier@broadcom.com
+Signed-off-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Selvin Xavier <selvin.xavier@broadcom.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+index 8b3b5fdc19bbb..092cc11428f56 100644
+--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c
+@@ -234,7 +234,7 @@ int bnxt_qplib_rcfw_send_message(struct bnxt_qplib_rcfw *rcfw,
+ /* failed with status */
+ dev_err(&rcfw->pdev->dev, "QPLIB: cmdq[%#x]=%#x status %#x",
+ cookie, opcode, evnt->status);
+- rc = -EFAULT;
++ rc = -EIO;
+ }
+
+ return rc;
+--
+2.43.0
+
--- /dev/null
+From 60e6c8c7ee7d1f42ea911d38936a91252b6ee32a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2024 18:53:11 +0530
+Subject: RDMA/cxgb4: Fix RDMA_CM_EVENT_UNREACHABLE error for iWARP
+
+From: Anumula Murali Mohan Reddy <anumula@chelsio.com>
+
+[ Upstream commit c659b405b82ead335bee6eb33f9691bf718e21e8 ]
+
+ip_dev_find() always returns real net_device address, whether traffic is
+running on a vlan or real device, if traffic is over vlan, filling
+endpoint struture with real ndev and an attempt to send a connect request
+will results in RDMA_CM_EVENT_UNREACHABLE error. This patch fixes the
+issue by using vlan_dev_real_dev().
+
+Fixes: 830662f6f032 ("RDMA/cxgb4: Add support for active and passive open connection with IPv6 address")
+Link: https://patch.msgid.link/r/20241007132311.70593-1-anumula@chelsio.com
+Signed-off-by: Anumula Murali Mohan Reddy <anumula@chelsio.com>
+Signed-off-by: Potnuri Bharat Teja <bharat@chelsio.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/cxgb4/cm.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
+index f9ea863a80885..81b5b009a0dde 100644
+--- a/drivers/infiniband/hw/cxgb4/cm.c
++++ b/drivers/infiniband/hw/cxgb4/cm.c
+@@ -2043,7 +2043,7 @@ static int import_ep(struct c4iw_ep *ep, int iptype, __u8 *peer_ip,
+ err = -ENOMEM;
+ if (n->dev->flags & IFF_LOOPBACK) {
+ if (iptype == 4)
+- pdev = ip_dev_find(&init_net, *(__be32 *)peer_ip);
++ pdev = __ip_dev_find(&init_net, *(__be32 *)peer_ip, false);
+ else if (IS_ENABLED(CONFIG_IPV6))
+ for_each_netdev(&init_net, pdev) {
+ if (ipv6_chk_addr(&init_net,
+@@ -2058,12 +2058,12 @@ static int import_ep(struct c4iw_ep *ep, int iptype, __u8 *peer_ip,
+ err = -ENODEV;
+ goto out;
+ }
++ if (is_vlan_dev(pdev))
++ pdev = vlan_dev_real_dev(pdev);
+ ep->l2t = cxgb4_l2t_get(cdev->rdev.lldi.l2t,
+ n, pdev, rt_tos2priority(tos));
+- if (!ep->l2t) {
+- dev_put(pdev);
++ if (!ep->l2t)
+ goto out;
+- }
+ ep->mtu = pdev->mtu;
+ ep->tx_chan = cxgb4_port_chan(pdev);
+ ep->smac_idx = cxgb4_tp_smt_idx(adapter_type,
+@@ -2077,7 +2077,6 @@ static int import_ep(struct c4iw_ep *ep, int iptype, __u8 *peer_ip,
+ ep->rss_qid = cdev->rdev.lldi.rxq_ids[
+ cxgb4_port_idx(pdev) * step];
+ set_tcp_window(ep, (struct port_info *)netdev_priv(pdev));
+- dev_put(pdev);
+ } else {
+ pdev = get_real_dev(n->dev);
+ ep->l2t = cxgb4_l2t_get(cdev->rdev.lldi.l2t,
+--
+2.43.0
+
nilfs2-propagate-directory-read-errors-from-nilfs_find_entry.patch
clk-fix-pointer-casting-to-prevent-oops-in-devm_clk_release.patch
clk-fix-slab-out-of-bounds-error-in-devm_clk_release.patch
+rdma-bnxt_re-fix-incorrect-avid-type-in-wqe-structur.patch
+rdma-cxgb4-fix-rdma_cm_event_unreachable-error-for-i.patch
+rdma-bnxt_re-return-more-meaningful-error.patch
+drm-msm-dsi-fix-32-bit-signed-integer-extension-in-p.patch
+macsec-don-t-increment-counters-for-an-unrelated-sa.patch
+net-ethernet-aeroflex-fix-potential-memory-leak-in-g.patch
+net-systemport-fix-potential-memory-leak-in-bcm_sysp.patch
+usb-typec-altmode-should-keep-reference-to-parent.patch
+bluetooth-bnep-fix-wild-memory-access-in-proto_unreg.patch
+arm64-uprobe-fix-the-uprobe-swbp_insn-in-big-endian.patch
+arm64-probes-fix-uprobes-for-big-endian-kernels.patch
+kvm-s390-gaccess-refactor-gpa-and-length-calculation.patch
+kvm-s390-gaccess-refactor-access-address-range-check.patch
+kvm-s390-gaccess-cleanup-access-to-guest-pages.patch
+kvm-s390-gaccess-check-if-guest-address-is-in-memslo.patch
--- /dev/null
+From 1a96b93458404dd2d54e6d685b1859e0ccb104ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Oct 2024 09:37:38 -0300
+Subject: usb: typec: altmode should keep reference to parent
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+[ Upstream commit befab3a278c59db0cc88c8799638064f6d3fd6f8 ]
+
+The altmode device release refers to its parent device, but without keeping
+a reference to it.
+
+When registering the altmode, get a reference to the parent and put it in
+the release function.
+
+Before this fix, when using CONFIG_DEBUG_KOBJECT_RELEASE, we see issues
+like this:
+
+[ 43.572860] kobject: 'port0.0' (ffff8880057ba008): kobject_release, parent 0000000000000000 (delayed 3000)
+[ 43.573532] kobject: 'port0.1' (ffff8880057bd008): kobject_release, parent 0000000000000000 (delayed 1000)
+[ 43.574407] kobject: 'port0' (ffff8880057b9008): kobject_release, parent 0000000000000000 (delayed 3000)
+[ 43.575059] kobject: 'port1.0' (ffff8880057ca008): kobject_release, parent 0000000000000000 (delayed 4000)
+[ 43.575908] kobject: 'port1.1' (ffff8880057c9008): kobject_release, parent 0000000000000000 (delayed 4000)
+[ 43.576908] kobject: 'typec' (ffff8880062dbc00): kobject_release, parent 0000000000000000 (delayed 4000)
+[ 43.577769] kobject: 'port1' (ffff8880057bf008): kobject_release, parent 0000000000000000 (delayed 3000)
+[ 46.612867] ==================================================================
+[ 46.613402] BUG: KASAN: slab-use-after-free in typec_altmode_release+0x38/0x129
+[ 46.614003] Read of size 8 at addr ffff8880057b9118 by task kworker/2:1/48
+[ 46.614538]
+[ 46.614668] CPU: 2 UID: 0 PID: 48 Comm: kworker/2:1 Not tainted 6.12.0-rc1-00138-gedbae730ad31 #535
+[ 46.615391] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
+[ 46.616042] Workqueue: events kobject_delayed_cleanup
+[ 46.616446] Call Trace:
+[ 46.616648] <TASK>
+[ 46.616820] dump_stack_lvl+0x5b/0x7c
+[ 46.617112] ? typec_altmode_release+0x38/0x129
+[ 46.617470] print_report+0x14c/0x49e
+[ 46.617769] ? rcu_read_unlock_sched+0x56/0x69
+[ 46.618117] ? __virt_addr_valid+0x19a/0x1ab
+[ 46.618456] ? kmem_cache_debug_flags+0xc/0x1d
+[ 46.618807] ? typec_altmode_release+0x38/0x129
+[ 46.619161] kasan_report+0x8d/0xb4
+[ 46.619447] ? typec_altmode_release+0x38/0x129
+[ 46.619809] ? process_scheduled_works+0x3cb/0x85f
+[ 46.620185] typec_altmode_release+0x38/0x129
+[ 46.620537] ? process_scheduled_works+0x3cb/0x85f
+[ 46.620907] device_release+0xaf/0xf2
+[ 46.621206] kobject_delayed_cleanup+0x13b/0x17a
+[ 46.621584] process_scheduled_works+0x4f6/0x85f
+[ 46.621955] ? __pfx_process_scheduled_works+0x10/0x10
+[ 46.622353] ? hlock_class+0x31/0x9a
+[ 46.622647] ? lock_acquired+0x361/0x3c3
+[ 46.622956] ? move_linked_works+0x46/0x7d
+[ 46.623277] worker_thread+0x1ce/0x291
+[ 46.623582] ? __kthread_parkme+0xc8/0xdf
+[ 46.623900] ? __pfx_worker_thread+0x10/0x10
+[ 46.624236] kthread+0x17e/0x190
+[ 46.624501] ? kthread+0xfb/0x190
+[ 46.624756] ? __pfx_kthread+0x10/0x10
+[ 46.625015] ret_from_fork+0x20/0x40
+[ 46.625268] ? __pfx_kthread+0x10/0x10
+[ 46.625532] ret_from_fork_asm+0x1a/0x30
+[ 46.625805] </TASK>
+[ 46.625953]
+[ 46.626056] Allocated by task 678:
+[ 46.626287] kasan_save_stack+0x24/0x44
+[ 46.626555] kasan_save_track+0x14/0x2d
+[ 46.626811] __kasan_kmalloc+0x3f/0x4d
+[ 46.627049] __kmalloc_noprof+0x1bf/0x1f0
+[ 46.627362] typec_register_port+0x23/0x491
+[ 46.627698] cros_typec_probe+0x634/0xbb6
+[ 46.628026] platform_probe+0x47/0x8c
+[ 46.628311] really_probe+0x20a/0x47d
+[ 46.628605] device_driver_attach+0x39/0x72
+[ 46.628940] bind_store+0x87/0xd7
+[ 46.629213] kernfs_fop_write_iter+0x1aa/0x218
+[ 46.629574] vfs_write+0x1d6/0x29b
+[ 46.629856] ksys_write+0xcd/0x13b
+[ 46.630128] do_syscall_64+0xd4/0x139
+[ 46.630420] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+[ 46.630820]
+[ 46.630946] Freed by task 48:
+[ 46.631182] kasan_save_stack+0x24/0x44
+[ 46.631493] kasan_save_track+0x14/0x2d
+[ 46.631799] kasan_save_free_info+0x3f/0x4d
+[ 46.632144] __kasan_slab_free+0x37/0x45
+[ 46.632474] kfree+0x1d4/0x252
+[ 46.632725] device_release+0xaf/0xf2
+[ 46.633017] kobject_delayed_cleanup+0x13b/0x17a
+[ 46.633388] process_scheduled_works+0x4f6/0x85f
+[ 46.633764] worker_thread+0x1ce/0x291
+[ 46.634065] kthread+0x17e/0x190
+[ 46.634324] ret_from_fork+0x20/0x40
+[ 46.634621] ret_from_fork_asm+0x1a/0x30
+
+Fixes: 8a37d87d72f0 ("usb: typec: Bus type for alternate modes")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20241004123738.2964524-1-cascardo@igalia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/typec/class.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/usb/typec/class.c b/drivers/usb/typec/class.c
+index d396836244ff2..ae6835a792392 100644
+--- a/drivers/usb/typec/class.c
++++ b/drivers/usb/typec/class.c
+@@ -465,6 +465,7 @@ static void typec_altmode_release(struct device *dev)
+ typec_altmode_put_partner(alt);
+
+ altmode_id_remove(alt->adev.dev.parent, alt->id);
++ put_device(alt->adev.dev.parent);
+ kfree(alt);
+ }
+
+@@ -514,6 +515,8 @@ typec_register_altmode(struct device *parent,
+ alt->adev.dev.type = &typec_altmode_dev_type;
+ dev_set_name(&alt->adev.dev, "%s.%u", dev_name(parent), id);
+
++ get_device(alt->adev.dev.parent);
++
+ /* Link partners and plugs with the ports */
+ if (is_port)
+ BLOCKING_INIT_NOTIFIER_HEAD(&alt->nh);
+--
+2.43.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
