Fixes for 6.6
authorSasha Levin <sashal@kernel.org>
Sun, 30 Jun 2024 02:22:21 +0000 (22:22 -0400)
committerSasha Levin <sashal@kernel.org>
Sun, 30 Jun 2024 02:22:21 +0000 (22:22 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
29 files changed:
queue-6.6/alsa-emux-improve-patch-ioctl-data-validation.patch [new file with mode: 0644]
queue-6.6/bpf-mark-bpf-prog-stack-with-kmsan_unposion_memory-i.patch [new file with mode: 0644]
queue-6.6/bpf-take-return-from-set_memory_ro-into-account-with.patch [new file with mode: 0644]
queue-6.6/bpf-take-return-from-set_memory_rox-into-account-wit.patch [new file with mode: 0644]
queue-6.6/crypto-ecdh-explicitly-zeroize-private_key.patch [new file with mode: 0644]
queue-6.6/drm-amdgpu-fix-pci-state-save-during-mode-1-reset.patch [new file with mode: 0644]
queue-6.6/drm-panel-ilitek-ili9881c-fix-warning-with-gpio-cont.patch [new file with mode: 0644]
queue-6.6/drm-panel-simple-add-missing-display-timing-flags-fo.patch [new file with mode: 0644]
queue-6.6/drm-radeon-radeon_display-decrease-the-size-of-alloc.patch [new file with mode: 0644]
queue-6.6/gfs2-fix-null-pointer-dereference-in-gfs2_log_flush.patch [new file with mode: 0644]
queue-6.6/gpio-davinci-validate-the-obtained-number-of-irqs.patch [new file with mode: 0644]
queue-6.6/gpiolib-cdev-disallow-reconfiguration-without-direct.patch [new file with mode: 0644]
queue-6.6/irqchip-loongson-select-generic_irq_effective_aff_ma.patch [new file with mode: 0644]
queue-6.6/md-fix-overflow-in-is_mddev_idle.patch [new file with mode: 0644]
queue-6.6/media-dvbdev-initialize-sbuf.patch [new file with mode: 0644]
queue-6.6/mtd-partitions-redboot-added-conversion-of-operands-.patch [new file with mode: 0644]
queue-6.6/net-dpaa2-avoid-explicit-cpumask-var-allocation-on-s.patch [new file with mode: 0644]
queue-6.6/net-iucv-avoid-explicit-cpumask-var-allocation-on-st.patch [new file with mode: 0644]
queue-6.6/nvme-fixup-comment-for-nvme-rdma-provider-type.patch [new file with mode: 0644]
queue-6.6/randomize_kstack-remove-non-functional-per-arch-entr.patch [new file with mode: 0644]
queue-6.6/rdma-restrack-fix-potential-invalid-address-access.patch [new file with mode: 0644]
queue-6.6/risc-v-fix-vector-insn-load-store-width-mask.patch [new file with mode: 0644]
queue-6.6/riscv-stacktrace-convert-arch_stack_walk-to-noinstr.patch [new file with mode: 0644]
queue-6.6/series
queue-6.6/soc-ti-wkup_m3_ipc-send-null-dummy-message-instead-o.patch [new file with mode: 0644]
queue-6.6/vduse-temporarily-fail-if-control-queue-feature-requ.patch [new file with mode: 0644]
queue-6.6/vduse-validate-block-features-only-with-block-device.patch [new file with mode: 0644]
queue-6.6/wifi-ieee80211-check-for-null-in-ieee80211_mle_size_.patch [new file with mode: 0644]
queue-6.6/x86-fpu-fix-amd-x86_bug_fxsave_leak-fixup.patch [new file with mode: 0644]

diff --git a/queue-6.6/alsa-emux-improve-patch-ioctl-data-validation.patch b/queue-6.6/alsa-emux-improve-patch-ioctl-data-validation.patch
new file mode 100644 (file)
index 0000000..bb56f0a
--- /dev/null
@@ -0,0 +1,81 @@
+From 6c70c15d3f392f7271f1eefa4c417e83778ffd65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Apr 2024 08:48:20 +0200
+Subject: ALSA: emux: improve patch ioctl data validation
+
+From: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
+
+[ Upstream commit 89b32ccb12ae67e630c6453d778ec30a592a212f ]
+
+In load_data(), make the validation of and skipping over the main info
+block match that in load_guspatch().
+
+In load_guspatch(), add checking that the specified patch length matches
+the actually supplied data, like load_data() already did.
+
+Signed-off-by: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
+Message-ID: <20240406064830.1029573-8-oswald.buddenhagen@gmx.de>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/synth/emux/soundfont.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/sound/synth/emux/soundfont.c b/sound/synth/emux/soundfont.c
+index 16f00097cb95a..eed47e4830248 100644
+--- a/sound/synth/emux/soundfont.c
++++ b/sound/synth/emux/soundfont.c
+@@ -701,7 +701,6 @@ load_data(struct snd_sf_list *sflist, const void __user *data, long count)
+       struct snd_soundfont *sf;
+       struct soundfont_sample_info sample_info;
+       struct snd_sf_sample *sp;
+-      long off;
+       /* patch must be opened */
+       sf = sflist->currsf;
+@@ -711,12 +710,16 @@ load_data(struct snd_sf_list *sflist, const void __user *data, long count)
+       if (is_special_type(sf->type))
+               return -EINVAL;
++      if (count < (long)sizeof(sample_info)) {
++              return -EINVAL;
++      }
+       if (copy_from_user(&sample_info, data, sizeof(sample_info)))
+               return -EFAULT;
++      data += sizeof(sample_info);
++      count -= sizeof(sample_info);
+-      off = sizeof(sample_info);
+-
+-      if (sample_info.size != (count-off)/2)
++      // SoundFont uses S16LE samples.
++      if (sample_info.size * 2 != count)
+               return -EINVAL;
+       /* Check for dup */
+@@ -744,7 +747,7 @@ load_data(struct snd_sf_list *sflist, const void __user *data, long count)
+               int  rc;
+               rc = sflist->callback.sample_new
+                       (sflist->callback.private_data, sp, sflist->memhdr,
+-                       data + off, count - off);
++                       data, count);
+               if (rc < 0) {
+                       sf_sample_delete(sflist, sf, sp);
+                       return rc;
+@@ -957,10 +960,12 @@ load_guspatch(struct snd_sf_list *sflist, const char __user *data,
+       }
+       if (copy_from_user(&patch, data, sizeof(patch)))
+               return -EFAULT;
+-      
+       count -= sizeof(patch);
+       data += sizeof(patch);
++      if ((patch.len << (patch.mode & WAVE_16_BITS ? 1 : 0)) != count)
++              return -EINVAL;
++
+       sf = newsf(sflist, SNDRV_SFNT_PAT_TYPE_GUS|SNDRV_SFNT_PAT_SHARED, NULL);
+       if (sf == NULL)
+               return -ENOMEM;
+-- 
+2.43.0
+
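Review bot: In load_guspatch's new length check `patch.len` is left-shifted before being compared with `count`; the field's declaration is outside the hunk, and if it is a signed int a negative value makes the shift undefined in strict C and the equality then relies on wrap-around, so a sign guard ahead of it is easier to reason about: `if (patch.len < 0) return -EINVAL;`. The load_data check has the same shape, `sample_info.size * 2` being computed in the field's own type before the comparison with the `long` count; `(long)sample_info.size * 2 != count` widens first. On style, the added `count < (long)sizeof(sample_info)` check braces a single-statement body and the sample-format comment uses `//`, both unlike the surrounding brace-free, `/* */`-commented kernel code in this file. load_data and load_guspatch both begin and end outside their hunks.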
diff --git a/queue-6.6/bpf-mark-bpf-prog-stack-with-kmsan_unposion_memory-i.patch b/queue-6.6/bpf-mark-bpf-prog-stack-with-kmsan_unposion_memory-i.patch
new file mode 100644 (file)
index 0000000..4042dd0
--- /dev/null
@@ -0,0 +1,91 @@
+From 4f5ebd958ac490ac29830678ac1b3c28183b134c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Mar 2024 11:58:01 -0700
+Subject: bpf: Mark bpf prog stack with kmsan_unposion_memory in interpreter
+ mode
+
+From: Martin KaFai Lau <martin.lau@kernel.org>
+
+[ Upstream commit e8742081db7d01f980c6161ae1e8a1dbc1e30979 ]
+
+syzbot reported uninit memory usages during map_{lookup,delete}_elem.
+
+==========
+BUG: KMSAN: uninit-value in __dev_map_lookup_elem kernel/bpf/devmap.c:441 [inline]
+BUG: KMSAN: uninit-value in dev_map_lookup_elem+0xf3/0x170 kernel/bpf/devmap.c:796
+__dev_map_lookup_elem kernel/bpf/devmap.c:441 [inline]
+dev_map_lookup_elem+0xf3/0x170 kernel/bpf/devmap.c:796
+____bpf_map_lookup_elem kernel/bpf/helpers.c:42 [inline]
+bpf_map_lookup_elem+0x5c/0x80 kernel/bpf/helpers.c:38
+___bpf_prog_run+0x13fe/0xe0f0 kernel/bpf/core.c:1997
+__bpf_prog_run256+0xb5/0xe0 kernel/bpf/core.c:2237
+==========
+
+The reproducer should be in the interpreter mode.
+
+The C reproducer is trying to run the following bpf prog:
+
+    0: (18) r0 = 0x0
+    2: (18) r1 = map[id:49]
+    4: (b7) r8 = 16777216
+    5: (7b) *(u64 *)(r10 -8) = r8
+    6: (bf) r2 = r10
+    7: (07) r2 += -229
+            ^^^^^^^^^^
+
+    8: (b7) r3 = 8
+    9: (b7) r4 = 0
+   10: (85) call dev_map_lookup_elem#1543472
+   11: (95) exit
+
+It is due to the "void *key" (r2) passed to the helper. bpf allows uninit
+stack memory access for bpf prog with the right privileges. This patch
+uses kmsan_unpoison_memory() to mark the stack as initialized.
+
+This should address different syzbot reports on the uninit "void *key"
+argument during map_{lookup,delete}_elem.
+
+Reported-by: syzbot+603bcd9b0bf1d94dbb9b@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/bpf/000000000000f9ce6d061494e694@google.com/
+Reported-by: syzbot+eb02dc7f03dce0ef39f3@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/bpf/000000000000a5c69c06147c2238@google.com/
+Reported-by: syzbot+b4e65ca24fd4d0c734c3@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/bpf/000000000000ac56fb06143b6cfa@google.com/
+Reported-by: syzbot+d2b113dc9fea5e1d2848@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/bpf/0000000000000d69b206142d1ff7@google.com/
+Reported-by: syzbot+1a3cf6f08d68868f9db3@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/bpf/0000000000006f876b061478e878@google.com/
+Tested-by: syzbot+1a3cf6f08d68868f9db3@syzkaller.appspotmail.com
+Suggested-by: Yonghong Song <yonghong.song@linux.dev>
+Suggested-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
+Link: https://lore.kernel.org/r/20240328185801.1843078-1-martin.lau@linux.dev
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index bdbce41d1bb4a..77a9b12e00af7 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -2174,6 +2174,7 @@ static unsigned int PROG_NAME(stack_size)(const void *ctx, const struct bpf_insn
+       u64 stack[stack_size / sizeof(u64)]; \
+       u64 regs[MAX_BPF_EXT_REG] = {}; \
+ \
++      kmsan_unpoison_memory(stack, sizeof(stack)); \
+       FP = (u64) (unsigned long) &stack[ARRAY_SIZE(stack)]; \
+       ARG1 = (u64) (unsigned long) ctx; \
+       return ___bpf_prog_run(regs, insn); \
+@@ -2187,6 +2188,7 @@ static u64 PROG_NAME_ARGS(stack_size)(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5, \
+       u64 stack[stack_size / sizeof(u64)]; \
+       u64 regs[MAX_BPF_EXT_REG]; \
+ \
++      kmsan_unpoison_memory(stack, sizeof(stack)); \
+       FP = (u64) (unsigned long) &stack[ARRAY_SIZE(stack)]; \
+       BPF_R1 = r1; \
+       BPF_R2 = r2; \
+-- 
+2.43.0
+
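Review bot: The new `kmsan_unpoison_memory(stack, sizeof(stack))` lines in PROG_NAME and PROG_NAME_ARGS carry no comment, and to a later reader an unconditional unpoison of a whole stack array looks like a report being silenced rather than a property being declared; the rationale from the commit message belongs next to the call, e.g. `/* bpf progs (with the right privileges) may legitimately read uninitialised stack slots; mark the array initialised so KMSAN does not report them from helpers. */`, one comment above the first instance being enough. Separately, the visible context shows `regs` zeroed with `= {}` in PROG_NAME but declared uninitialised in PROG_NAME_ARGS; that is pre-existing rather than part of this change, but it is worth confirming that every register PROG_NAME_ARGS reads is assigned before ___bpf_prog_run, since the unpoison covers only `stack`. Both macro bodies start and end outside the hunks.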
diff --git a/queue-6.6/bpf-take-return-from-set_memory_ro-into-account-with.patch b/queue-6.6/bpf-take-return-from-set_memory_ro-into-account-with.patch
new file mode 100644 (file)
index 0000000..2b28f2e
--- /dev/null
@@ -0,0 +1,88 @@
+From 819292501c3d0dd6032d3cc52490ea8090a6e5c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Mar 2024 06:38:07 +0100
+Subject: bpf: Take return from set_memory_ro() into account with
+ bpf_prog_lock_ro()
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit 7d2cc63eca0c993c99d18893214abf8f85d566d8 ]
+
+set_memory_ro() can fail, leaving memory unprotected.
+
+Check its return and take it into account as an error.
+
+Link: https://github.com/KSPP/linux/issues/7
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Cc: linux-hardening@vger.kernel.org <linux-hardening@vger.kernel.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Message-ID: <286def78955e04382b227cb3e4b6ba272a7442e3.1709850515.git.christophe.leroy@csgroup.eu>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/filter.h | 5 +++--
+ kernel/bpf/core.c      | 4 +++-
+ kernel/bpf/verifier.c  | 8 ++++++--
+ 3 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/include/linux/filter.h b/include/linux/filter.h
+index 5090e940ba3e4..5a2800ec94ea6 100644
+--- a/include/linux/filter.h
++++ b/include/linux/filter.h
+@@ -842,14 +842,15 @@ bpf_ctx_narrow_access_offset(u32 off, u32 size, u32 size_default)
+ #define bpf_classic_proglen(fprog) (fprog->len * sizeof(fprog->filter[0]))
+-static inline void bpf_prog_lock_ro(struct bpf_prog *fp)
++static inline int __must_check bpf_prog_lock_ro(struct bpf_prog *fp)
+ {
+ #ifndef CONFIG_BPF_JIT_ALWAYS_ON
+       if (!fp->jited) {
+               set_vm_flush_reset_perms(fp);
+-              set_memory_ro((unsigned long)fp, fp->pages);
++              return set_memory_ro((unsigned long)fp, fp->pages);
+       }
+ #endif
++      return 0;
+ }
+ static inline void bpf_jit_binary_lock_ro(struct bpf_binary_header *hdr)
+diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
+index 05445a4d55181..bdbce41d1bb4a 100644
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -2373,7 +2373,9 @@ struct bpf_prog *bpf_prog_select_runtime(struct bpf_prog *fp, int *err)
+       }
+ finalize:
+-      bpf_prog_lock_ro(fp);
++      *err = bpf_prog_lock_ro(fp);
++      if (*err)
++              return fp;
+       /* The tail call compatibility check can only be done at
+        * this late stage as we need to determine, if we deal
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 171045b6956d9..aa546355918cb 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -18625,10 +18625,14 @@ static int jit_subprogs(struct bpf_verifier_env *env)
+        * bpf_prog_load will add the kallsyms for the main program.
+        */
+       for (i = 1; i < env->subprog_cnt; i++) {
+-              bpf_prog_lock_ro(func[i]);
+-              bpf_prog_kallsyms_add(func[i]);
++              err = bpf_prog_lock_ro(func[i]);
++              if (err)
++                      goto out_free;
+       }
++      for (i = 1; i < env->subprog_cnt; i++)
++              bpf_prog_kallsyms_add(func[i]);
++
+       /* Last step: make now unused interpreter insns from main
+        * prog consistent for later dump requests, so they can
+        * later look the same as if they were interpreted only.
+-- 
+2.43.0
+
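Review bot: In jit_subprogs the kallsyms registration is split into its own loop after the lock loop, but the comment that introduces the block (`bpf_prog_load will add the kallsyms for the main program.`, visible as context above the first loop) now sits over a loop that has nothing to do with kallsyms; move it down to the new `for` that calls bpf_prog_kallsyms_add, or extend it with a line such as `/* Lock all subprogs read-only first; register symbols only once every lock succeeded. */`. The ordering itself is right, since `out_free` (outside the hunk) then never has to unregister symbols for a partially locked set. In bpf_prog_select_runtime the early `return fp` with `*err` set presumably follows that function's existing error convention, but the caller's handling of a returned fp with non-zero *err is not in view and is assumed to release it. jit_subprogs and bpf_prog_select_runtime both begin and end outside their hunks.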
diff --git a/queue-6.6/bpf-take-return-from-set_memory_rox-into-account-wit.patch b/queue-6.6/bpf-take-return-from-set_memory_rox-into-account-wit.patch
new file mode 100644 (file)
index 0000000..55b8867
--- /dev/null
@@ -0,0 +1,234 @@
+From 73bf54aa365875fc43664e094b56f1d44adec59d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Mar 2024 06:38:08 +0100
+Subject: bpf: Take return from set_memory_rox() into account with
+ bpf_jit_binary_lock_ro()
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit e60adf513275c3a38e5cb67f7fd12387e43a3ff5 ]
+
+set_memory_rox() can fail, leaving memory unprotected.
+
+Check return and bail out when bpf_jit_binary_lock_ro() returns
+an error.
+
+Link: https://github.com/KSPP/linux/issues/7
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Cc: linux-hardening@vger.kernel.org <linux-hardening@vger.kernel.org>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Puranjay Mohan <puranjay12@gmail.com>
+Reviewed-by: Ilya Leoshkevich <iii@linux.ibm.com>  # s390x
+Acked-by: Tiezhu Yang <yangtiezhu@loongson.cn>  # LoongArch
+Reviewed-by: Johan Almbladh <johan.almbladh@anyfinetworks.com> # MIPS Part
+Message-ID: <036b6393f23a2032ce75a1c92220b2afcb798d5d.1709850515.git.christophe.leroy@csgroup.eu>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/net/bpf_jit_32.c        | 25 ++++++++++++-------------
+ arch/loongarch/net/bpf_jit.c     | 22 ++++++++++++++++------
+ arch/mips/net/bpf_jit_comp.c     |  3 ++-
+ arch/parisc/net/bpf_jit_core.c   |  8 +++++++-
+ arch/s390/net/bpf_jit_comp.c     |  6 +++++-
+ arch/sparc/net/bpf_jit_comp_64.c |  6 +++++-
+ arch/x86/net/bpf_jit_comp32.c    |  3 +--
+ include/linux/filter.h           |  5 +++--
+ 8 files changed, 51 insertions(+), 27 deletions(-)
+
+diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c
+index 6a1c9fca5260b..ac8e4d9bf9544 100644
+--- a/arch/arm/net/bpf_jit_32.c
++++ b/arch/arm/net/bpf_jit_32.c
+@@ -1982,28 +1982,21 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
+       /* If building the body of the JITed code fails somehow,
+        * we fall back to the interpretation.
+        */
+-      if (build_body(&ctx) < 0) {
+-              image_ptr = NULL;
+-              bpf_jit_binary_free(header);
+-              prog = orig_prog;
+-              goto out_imms;
+-      }
++      if (build_body(&ctx) < 0)
++              goto out_free;
+       build_epilogue(&ctx);
+       /* 3.) Extra pass to validate JITed Code */
+-      if (validate_code(&ctx)) {
+-              image_ptr = NULL;
+-              bpf_jit_binary_free(header);
+-              prog = orig_prog;
+-              goto out_imms;
+-      }
++      if (validate_code(&ctx))
++              goto out_free;
+       flush_icache_range((u32)header, (u32)(ctx.target + ctx.idx));
+       if (bpf_jit_enable > 1)
+               /* there are 2 passes here */
+               bpf_jit_dump(prog->len, image_size, 2, ctx.target);
+-      bpf_jit_binary_lock_ro(header);
++      if (bpf_jit_binary_lock_ro(header))
++              goto out_free;
+       prog->bpf_func = (void *)ctx.target;
+       prog->jited = 1;
+       prog->jited_len = image_size;
+@@ -2020,5 +2013,11 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
+               bpf_jit_prog_release_other(prog, prog == orig_prog ?
+                                          tmp : orig_prog);
+       return prog;
++
++out_free:
++      image_ptr = NULL;
++      bpf_jit_binary_free(header);
++      prog = orig_prog;
++      goto out_imms;
+ }
+diff --git a/arch/loongarch/net/bpf_jit.c b/arch/loongarch/net/bpf_jit.c
+index 9eb7753d117df..13cd480385ca8 100644
+--- a/arch/loongarch/net/bpf_jit.c
++++ b/arch/loongarch/net/bpf_jit.c
+@@ -1206,16 +1206,19 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
+       flush_icache_range((unsigned long)header, (unsigned long)(ctx.image + ctx.idx));
+       if (!prog->is_func || extra_pass) {
++              int err;
++
+               if (extra_pass && ctx.idx != jit_data->ctx.idx) {
+                       pr_err_once("multi-func JIT bug %d != %d\n",
+                                   ctx.idx, jit_data->ctx.idx);
+-                      bpf_jit_binary_free(header);
+-                      prog->bpf_func = NULL;
+-                      prog->jited = 0;
+-                      prog->jited_len = 0;
+-                      goto out_offset;
++                      goto out_free;
++              }
++              err = bpf_jit_binary_lock_ro(header);
++              if (err) {
++                      pr_err_once("bpf_jit_binary_lock_ro() returned %d\n",
++                                  err);
++                      goto out_free;
+               }
+-              bpf_jit_binary_lock_ro(header);
+       } else {
+               jit_data->ctx = ctx;
+               jit_data->image = image_ptr;
+@@ -1246,6 +1249,13 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
+       out_offset = -1;
+       return prog;
++
++out_free:
++      bpf_jit_binary_free(header);
++      prog->bpf_func = NULL;
++      prog->jited = 0;
++      prog->jited_len = 0;
++      goto out_offset;
+ }
+ /* Indicate the JIT backend supports mixing bpf2bpf and tailcalls. */
+diff --git a/arch/mips/net/bpf_jit_comp.c b/arch/mips/net/bpf_jit_comp.c
+index a40d926b65139..e355dfca44008 100644
+--- a/arch/mips/net/bpf_jit_comp.c
++++ b/arch/mips/net/bpf_jit_comp.c
+@@ -1012,7 +1012,8 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
+       bpf_prog_fill_jited_linfo(prog, &ctx.descriptors[1]);
+       /* Set as read-only exec and flush instruction cache */
+-      bpf_jit_binary_lock_ro(header);
++      if (bpf_jit_binary_lock_ro(header))
++              goto out_err;
+       flush_icache_range((unsigned long)header,
+                          (unsigned long)&ctx.target[ctx.jit_index]);
+diff --git a/arch/parisc/net/bpf_jit_core.c b/arch/parisc/net/bpf_jit_core.c
+index d6ee2fd455503..979f45d4d1fbe 100644
+--- a/arch/parisc/net/bpf_jit_core.c
++++ b/arch/parisc/net/bpf_jit_core.c
+@@ -167,7 +167,13 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
+       bpf_flush_icache(jit_data->header, ctx->insns + ctx->ninsns);
+       if (!prog->is_func || extra_pass) {
+-              bpf_jit_binary_lock_ro(jit_data->header);
++              if (bpf_jit_binary_lock_ro(jit_data->header)) {
++                      bpf_jit_binary_free(jit_data->header);
++                      prog->bpf_func = NULL;
++                      prog->jited = 0;
++                      prog->jited_len = 0;
++                      goto out_offset;
++              }
+               prologue_len = ctx->epilogue_offset - ctx->body_len;
+               for (i = 0; i < prog->len; i++)
+                       ctx->offset[i] += prologue_len;
+diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c
+index 62ee557d4b499..05746e22fe79c 100644
+--- a/arch/s390/net/bpf_jit_comp.c
++++ b/arch/s390/net/bpf_jit_comp.c
+@@ -1973,7 +1973,11 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *fp)
+               print_fn_code(jit.prg_buf, jit.size_prg);
+       }
+       if (!fp->is_func || extra_pass) {
+-              bpf_jit_binary_lock_ro(header);
++              if (bpf_jit_binary_lock_ro(header)) {
++                      bpf_jit_binary_free(header);
++                      fp = orig_fp;
++                      goto free_addrs;
++              }
+       } else {
+               jit_data->header = header;
+               jit_data->ctx = jit;
+diff --git a/arch/sparc/net/bpf_jit_comp_64.c b/arch/sparc/net/bpf_jit_comp_64.c
+index fa0759bfe498e..73bf0aea8baf1 100644
+--- a/arch/sparc/net/bpf_jit_comp_64.c
++++ b/arch/sparc/net/bpf_jit_comp_64.c
+@@ -1602,7 +1602,11 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
+       bpf_flush_icache(header, (u8 *)header + header->size);
+       if (!prog->is_func || extra_pass) {
+-              bpf_jit_binary_lock_ro(header);
++              if (bpf_jit_binary_lock_ro(header)) {
++                      bpf_jit_binary_free(header);
++                      prog = orig_prog;
++                      goto out_off;
++              }
+       } else {
+               jit_data->ctx = ctx;
+               jit_data->image = image_ptr;
+diff --git a/arch/x86/net/bpf_jit_comp32.c b/arch/x86/net/bpf_jit_comp32.c
+index 429a89c5468b5..f2fc8c38629b5 100644
+--- a/arch/x86/net/bpf_jit_comp32.c
++++ b/arch/x86/net/bpf_jit_comp32.c
+@@ -2600,8 +2600,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
+       if (bpf_jit_enable > 1)
+               bpf_jit_dump(prog->len, proglen, pass + 1, image);
+-      if (image) {
+-              bpf_jit_binary_lock_ro(header);
++      if (image && !bpf_jit_binary_lock_ro(header)) {
+               prog->bpf_func = (void *)image;
+               prog->jited = 1;
+               prog->jited_len = proglen;
+diff --git a/include/linux/filter.h b/include/linux/filter.h
+index 5a2800ec94ea6..a74d97114a542 100644
+--- a/include/linux/filter.h
++++ b/include/linux/filter.h
+@@ -853,10 +853,11 @@ static inline int __must_check bpf_prog_lock_ro(struct bpf_prog *fp)
+       return 0;
+ }
+-static inline void bpf_jit_binary_lock_ro(struct bpf_binary_header *hdr)
++static inline int __must_check
++bpf_jit_binary_lock_ro(struct bpf_binary_header *hdr)
+ {
+       set_vm_flush_reset_perms(hdr);
+-      set_memory_rox((unsigned long)hdr, hdr->size >> PAGE_SHIFT);
++      return set_memory_rox((unsigned long)hdr, hdr->size >> PAGE_SHIFT);
+ }
+ int sk_filter_trim_cap(struct sock *sk, struct sk_buff *skb, unsigned int cap);
+-- 
+2.43.0
+
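Review bot: The x86 bpf_jit_comp32 hunk is the one arch here that bails out without releasing the image: `if (image && !bpf_jit_binary_lock_ro(header))` falls through to the else branch on a lock failure, and that branch (outside the hunk) previously only had to handle `image == NULL`, so unless it also frees `header` the allocated JIT buffer leaks, whereas the arm, loongarch, parisc, s390 and sparc hunks all call bpf_jit_binary_free before reverting to the original prog. Freeing the header on failure and clearing `image` lets the existing else branch do the fallback unchanged, as sketched below, assuming that branch only resets prog to orig_prog as its context suggests. The mips hunk jumps to `out_err`, which is likewise outside the hunk; whether that label frees the header should be confirmed. bpf_int_jit_compile begins and ends outside every one of these hunks.
```c
	if (image && bpf_jit_binary_lock_ro(header)) {
		/* lock failed: drop the image and fall back to the interpreter */
		bpf_jit_binary_free(header);
		image = NULL;
	}
	if (image) {
		prog->bpf_func = (void *)image;
		prog->jited = 1;
		prog->jited_len = proglen;
	/* … unchanged: else branch restoring orig_prog … */
```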
diff --git a/queue-6.6/crypto-ecdh-explicitly-zeroize-private_key.patch b/queue-6.6/crypto-ecdh-explicitly-zeroize-private_key.patch
new file mode 100644 (file)
index 0000000..d9c9639
--- /dev/null
@@ -0,0 +1,46 @@
+From df224e48b45d27e39a824837b71b19551a7bdb54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Mar 2024 11:24:30 -0500
+Subject: crypto: ecdh - explicitly zeroize private_key
+
+From: Joachim Vandersmissen <git@jvdsn.com>
+
+[ Upstream commit 73e5984e540a76a2ee1868b91590c922da8c24c9 ]
+
+private_key is overwritten with the key parameter passed in by the
+caller (if present), or alternatively a newly generated private key.
+However, it is possible that the caller provides a key (or the newly
+generated key) which is shorter than the previous key. In that
+scenario, some key material from the previous key would not be
+overwritten. The easiest solution is to explicitly zeroize the entire
+private_key array first.
+
+Note that this patch slightly changes the behavior of this function:
+previously, if the ecc_gen_privkey failed, the old private_key would
+remain. Now, the private_key is always zeroized. This behavior is
+consistent with the case where params.key is set and ecc_is_key_valid
+fails.
+
+Signed-off-by: Joachim Vandersmissen <git@jvdsn.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/ecdh.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/crypto/ecdh.c b/crypto/ecdh.c
+index 80afee3234fbe..3049f147e0117 100644
+--- a/crypto/ecdh.c
++++ b/crypto/ecdh.c
+@@ -33,6 +33,8 @@ static int ecdh_set_secret(struct crypto_kpp *tfm, const void *buf,
+           params.key_size > sizeof(u64) * ctx->ndigits)
+               return -EINVAL;
++      memset(ctx->private_key, 0, sizeof(ctx->private_key));
++
+       if (!params.key || !params.key_size)
+               return ecc_gen_privkey(ctx->curve_id, ctx->ndigits,
+                                      ctx->private_key);
+-- 
+2.43.0
+
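Review bot: The new `memset(ctx->private_key, 0, sizeof(ctx->private_key))` exists to wipe key material, and the kernel idiom for that is `memzero_explicit(ctx->private_key, sizeof(ctx->private_key));`, which the compiler may not drop as a dead store; here the array stays live and is only partially rewritten afterwards, so a plain memset is most likely kept, but memzero_explicit states the intent and survives later refactoring of the code below it. The commit message records that a failing ecc_gen_privkey now leaves a zeroed key rather than the previous one, which is the safer outcome; a one-line comment above the call, e.g. `/* a shorter new key must not leave bytes of the previous one behind */`, would keep that reasoning with the code. ecdh_set_secret begins and ends outside the hunk.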
diff --git a/queue-6.6/drm-amdgpu-fix-pci-state-save-during-mode-1-reset.patch b/queue-6.6/drm-amdgpu-fix-pci-state-save-during-mode-1-reset.patch
new file mode 100644 (file)
index 0000000..756eccd
--- /dev/null
@@ -0,0 +1,47 @@
+From 55e79421c48f0b114a339d6693811e8e018331ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Jun 2024 14:04:38 +0530
+Subject: drm/amdgpu: Fix pci state save during mode-1 reset
+
+From: Lijo Lazar <lijo.lazar@amd.com>
+
+[ Upstream commit 74fa02c4a5ea1ade5156a6ce494d3ea83881c2d8 ]
+
+Cache the PCI state before bus master is disabled. The saved state is
+later used for other cases like restoring config space after mode-2
+reset.
+
+Fixes: 5c03e5843e6b ("drm/amdgpu:add smu mode1/2 support for aldebaran")
+Signed-off-by: Lijo Lazar <lijo.lazar@amd.com>
+Reviewed-by: Feifei Xu <Feifei.Xu@amd.com>
+Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+index 062d78818da16..e1227b7c71b16 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -4685,11 +4685,14 @@ int amdgpu_device_mode1_reset(struct amdgpu_device *adev)
+       dev_info(adev->dev, "GPU mode1 reset\n");
++      /* Cache the state before bus master disable. The saved config space
++       * values are used in other cases like restore after mode-2 reset.
++       */
++      amdgpu_device_cache_pci_state(adev->pdev);
++
+       /* disable BM */
+       pci_clear_master(adev->pdev);
+-      amdgpu_device_cache_pci_state(adev->pdev);
+-
+       if (amdgpu_dpm_is_mode1_reset_supported(adev)) {
+               dev_info(adev->dev, "GPU smu mode1 reset\n");
+               ret = amdgpu_dpm_mode1_reset(adev);
+-- 
+2.43.0
+
diff --git a/queue-6.6/drm-panel-ilitek-ili9881c-fix-warning-with-gpio-cont.patch b/queue-6.6/drm-panel-ilitek-ili9881c-fix-warning-with-gpio-cont.patch
new file mode 100644 (file)
index 0000000..abe9f1a
--- /dev/null
@@ -0,0 +1,54 @@
+From c86b342be839029d3a7be7210fd12ecfde4d52fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 17 Mar 2024 17:48:39 +0200
+Subject: drm/panel: ilitek-ili9881c: Fix warning with GPIO controllers that
+ sleep
+
+From: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+
+[ Upstream commit ee7860cd8b5763017f8dc785c2851fecb7a0c565 ]
+
+The ilitek-ili9881c controls the reset GPIO using the non-sleeping
+gpiod_set_value() function. This complains loudly when the GPIO
+controller needs to sleep. As the caller can sleep, use
+gpiod_set_value_cansleep() to fix the issue.
+
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20240317154839.21260-1-laurent.pinchart@ideasonboard.com
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240317154839.21260-1-laurent.pinchart@ideasonboard.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panel/panel-ilitek-ili9881c.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/panel/panel-ilitek-ili9881c.c b/drivers/gpu/drm/panel/panel-ilitek-ili9881c.c
+index 7838947a1bf3c..bb201f848ae97 100644
+--- a/drivers/gpu/drm/panel/panel-ilitek-ili9881c.c
++++ b/drivers/gpu/drm/panel/panel-ilitek-ili9881c.c
+@@ -883,10 +883,10 @@ static int ili9881c_prepare(struct drm_panel *panel)
+       msleep(5);
+       /* And reset it */
+-      gpiod_set_value(ctx->reset, 1);
++      gpiod_set_value_cansleep(ctx->reset, 1);
+       msleep(20);
+-      gpiod_set_value(ctx->reset, 0);
++      gpiod_set_value_cansleep(ctx->reset, 0);
+       msleep(20);
+       for (i = 0; i < ctx->desc->init_length; i++) {
+@@ -941,7 +941,7 @@ static int ili9881c_unprepare(struct drm_panel *panel)
+       mipi_dsi_dcs_enter_sleep_mode(ctx->dsi);
+       regulator_disable(ctx->power);
+-      gpiod_set_value(ctx->reset, 1);
++      gpiod_set_value_cansleep(ctx->reset, 1);
+       return 0;
+ }
+-- 
+2.43.0
+
diff --git a/queue-6.6/drm-panel-simple-add-missing-display-timing-flags-fo.patch b/queue-6.6/drm-panel-simple-add-missing-display-timing-flags-fo.patch
new file mode 100644 (file)
index 0000000..f6273a0
--- /dev/null
@@ -0,0 +1,40 @@
+From b7be0ac1ed3886e6f74f74efa94140855dc8ac9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Jun 2024 09:56:12 +0800
+Subject: drm/panel: simple: Add missing display timing flags for KOE
+ TX26D202VM0BWA
+
+From: Liu Ying <victor.liu@nxp.com>
+
+[ Upstream commit 37ce99b77762256ec9fda58d58fd613230151456 ]
+
+KOE TX26D202VM0BWA panel spec indicates the DE signal is active high in
+timing chart, so add DISPLAY_FLAGS_DE_HIGH flag in display timing flags.
+This aligns display_timing with panel_desc.
+
+Fixes: 8a07052440c2 ("drm/panel: simple: Add support for KOE TX26D202VM0BWA panel")
+Signed-off-by: Liu Ying <victor.liu@nxp.com>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20240624015612.341983-1-victor.liu@nxp.com
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240624015612.341983-1-victor.liu@nxp.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/panel/panel-simple.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c
+index e8d12ec8dbec1..11ade6bac592f 100644
+--- a/drivers/gpu/drm/panel/panel-simple.c
++++ b/drivers/gpu/drm/panel/panel-simple.c
+@@ -2523,6 +2523,7 @@ static const struct display_timing koe_tx26d202vm0bwa_timing = {
+       .vfront_porch = { 3, 5, 10 },
+       .vback_porch = { 2, 5, 10 },
+       .vsync_len = { 5, 5, 5 },
++      .flags = DISPLAY_FLAGS_DE_HIGH,
+ };
+ static const struct panel_desc koe_tx26d202vm0bwa = {
+-- 
+2.43.0
+
diff --git a/queue-6.6/drm-radeon-radeon_display-decrease-the-size-of-alloc.patch b/queue-6.6/drm-radeon-radeon_display-decrease-the-size-of-alloc.patch
new file mode 100644 (file)
index 0000000..360dfa3
--- /dev/null
@@ -0,0 +1,79 @@
+From 94deb2dd41eaa7798925874b5d1e4b17fa101cc9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 Mar 2024 17:34:47 +0100
+Subject: drm/radeon/radeon_display: Decrease the size of allocated memory
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Erick Archer <erick.archer@outlook.com>
+
+[ Upstream commit ae6a233092747e9652eb793d92f79d0820e01c6a ]
+
+This is an effort to get rid of all multiplications from allocation
+functions in order to prevent integer overflows [1] [2].
+
+In this case, the memory allocated to store RADEONFB_CONN_LIMIT pointers
+to "drm_connector" structures can be avoided. This is because this
+memory area is never accessed.
+
+Also, in the kzalloc function, it is preferred to use sizeof(*pointer)
+instead of sizeof(type) due to the type of the variable can change and
+one needs not change the former (unlike the latter).
+
+At the same time take advantage to remove the "#if 0" block, the code
+where the removed memory area was accessed, and the RADEONFB_CONN_LIMIT
+constant due to now is never used.
+
+Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments [1]
+Link: https://github.com/KSPP/linux/issues/160 [2]
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Erick Archer <erick.archer@outlook.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/radeon.h         | 1 -
+ drivers/gpu/drm/radeon/radeon_display.c | 8 +-------
+ 2 files changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/radeon.h b/drivers/gpu/drm/radeon/radeon.h
+index 3d3d2109dfebc..426a49851e349 100644
+--- a/drivers/gpu/drm/radeon/radeon.h
++++ b/drivers/gpu/drm/radeon/radeon.h
+@@ -132,7 +132,6 @@ extern int radeon_cik_support;
+ /* RADEON_IB_POOL_SIZE must be a power of 2 */
+ #define RADEON_IB_POOL_SIZE                   16
+ #define RADEON_DEBUGFS_MAX_COMPONENTS         32
+-#define RADEONFB_CONN_LIMIT                   4
+ #define RADEON_BIOS_NUM_SCRATCH                       8
+ /* internal ring indices */
+diff --git a/drivers/gpu/drm/radeon/radeon_display.c b/drivers/gpu/drm/radeon/radeon_display.c
+index efd18c8d84c83..5f1d24d3120c4 100644
+--- a/drivers/gpu/drm/radeon/radeon_display.c
++++ b/drivers/gpu/drm/radeon/radeon_display.c
+@@ -683,7 +683,7 @@ static void radeon_crtc_init(struct drm_device *dev, int index)
+       struct radeon_device *rdev = dev->dev_private;
+       struct radeon_crtc *radeon_crtc;
+-      radeon_crtc = kzalloc(sizeof(struct radeon_crtc) + (RADEONFB_CONN_LIMIT * sizeof(struct drm_connector *)), GFP_KERNEL);
++      radeon_crtc = kzalloc(sizeof(*radeon_crtc), GFP_KERNEL);
+       if (radeon_crtc == NULL)
+               return;
+@@ -709,12 +709,6 @@ static void radeon_crtc_init(struct drm_device *dev, int index)
+       dev->mode_config.cursor_width = radeon_crtc->max_cursor_width;
+       dev->mode_config.cursor_height = radeon_crtc->max_cursor_height;
+-#if 0
+-      radeon_crtc->mode_set.crtc = &radeon_crtc->base;
+-      radeon_crtc->mode_set.connectors = (struct drm_connector **)(radeon_crtc + 1);
+-      radeon_crtc->mode_set.num_connectors = 0;
+-#endif
+-
+       if (rdev->is_atom_bios && (ASIC_IS_AVIVO(rdev) || radeon_r4xx_atom))
+               radeon_atombios_init_crtc(dev, radeon_crtc);
+       else
+-- 
+2.43.0
+
diff --git a/queue-6.6/gfs2-fix-null-pointer-dereference-in-gfs2_log_flush.patch b/queue-6.6/gfs2-fix-null-pointer-dereference-in-gfs2_log_flush.patch
new file mode 100644 (file)
index 0000000..2c5b19e
--- /dev/null
@@ -0,0 +1,60 @@
+From 0a0effd37a0554701daeef2083713e1d4f6a7a57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Mar 2024 15:51:59 +0100
+Subject: gfs2: Fix NULL pointer dereference in gfs2_log_flush
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+[ Upstream commit 35264909e9d1973ab9aaa2a1b07cda70f12bb828 ]
+
+In gfs2_jindex_free(), set sdp->sd_jdesc to NULL under the log flush
+lock to provide exclusion against gfs2_log_flush().
+
+In gfs2_log_flush(), check if sdp->sd_jdesc is non-NULL before
+dereferencing it.  Otherwise, we could run into a NULL pointer
+dereference when outstanding glock work races with an unmount
+(glock_work_func -> run_queue -> do_xmote -> inode_go_sync ->
+gfs2_log_flush).
+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/log.c   | 3 ++-
+ fs/gfs2/super.c | 4 ++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/fs/gfs2/log.c b/fs/gfs2/log.c
+index 88bc9b1b22650..767549066066c 100644
+--- a/fs/gfs2/log.c
++++ b/fs/gfs2/log.c
+@@ -1102,7 +1102,8 @@ void gfs2_log_flush(struct gfs2_sbd *sdp, struct gfs2_glock *gl, u32 flags)
+       lops_before_commit(sdp, tr);
+       if (gfs2_withdrawing_or_withdrawn(sdp))
+               goto out_withdraw;
+-      gfs2_log_submit_bio(&sdp->sd_jdesc->jd_log_bio, REQ_OP_WRITE);
++      if (sdp->sd_jdesc)
++              gfs2_log_submit_bio(&sdp->sd_jdesc->jd_log_bio, REQ_OP_WRITE);
+       if (gfs2_withdrawing_or_withdrawn(sdp))
+               goto out_withdraw;
+diff --git a/fs/gfs2/super.c b/fs/gfs2/super.c
+index 2e1d1eca4d14a..8b34c6cf9293f 100644
+--- a/fs/gfs2/super.c
++++ b/fs/gfs2/super.c
+@@ -67,9 +67,13 @@ void gfs2_jindex_free(struct gfs2_sbd *sdp)
+       sdp->sd_journals = 0;
+       spin_unlock(&sdp->sd_jindex_spin);
++      down_write(&sdp->sd_log_flush_lock);
+       sdp->sd_jdesc = NULL;
++      up_write(&sdp->sd_log_flush_lock);
++
+       while (!list_empty(&list)) {
+               jd = list_first_entry(&list, struct gfs2_jdesc, jd_list);
++              BUG_ON(jd->jd_log_bio);
+               gfs2_free_journal_extents(jd);
+               list_del(&jd->jd_list);
+               iput(jd->jd_inode);
+-- 
+2.43.0
+
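Review bot: The new NULL test on sdp->sd_jdesc in gfs2_log_flush is a plain load, so it only excludes the writer in gfs2_jindex_free if gfs2_log_flush itself holds sd_log_flush_lock at that point; the lock acquisition is outside this hunk, so tie the two together on the check line with `/* cleared under sd_log_flush_lock in gfs2_jindex_free(); held here */`. Any other sdp->sd_jdesc dereference later in the same function (not visible here) needs the same guard, otherwise the race is only narrowed. The added `BUG_ON(jd->jd_log_bio)` turns a log bio still pending at unmount into a panic rather than a warning; if that is the intended invariant, a one-line comment saying the flush above must have submitted it would help the next reader. gfs2_log_flush and gfs2_jindex_free both start outside the hunk.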
diff --git a/queue-6.6/gpio-davinci-validate-the-obtained-number-of-irqs.patch b/queue-6.6/gpio-davinci-validate-the-obtained-number-of-irqs.patch
new file mode 100644 (file)
index 0000000..5e3dce9
--- /dev/null
@@ -0,0 +1,47 @@
+From 07de5406c8f65e547f0c924e83fb6432a480b536 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Jun 2024 17:43:44 +0300
+Subject: gpio: davinci: Validate the obtained number of IRQs
+
+From: Aleksandr Mishin <amishin@t-argos.ru>
+
+[ Upstream commit 7aa9b96e9a73e4ec1771492d0527bd5fc5ef9164 ]
+
+Value of pdata->gpio_unbanked is taken from Device Tree. In case of broken
+DT due to any error this value can be any. Without this value validation
+there can be out of chips->irqs array boundaries access in
+davinci_gpio_probe().
+
+Validate the obtained nirq value so that it won't exceed the maximum
+number of IRQs per bank.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: eb3744a2dd01 ("gpio: davinci: Do not assume continuous IRQ numbering")
+Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
+Link: https://lore.kernel.org/r/20240618144344.16943-1-amishin@t-argos.ru
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-davinci.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/gpio/gpio-davinci.c b/drivers/gpio/gpio-davinci.c
+index 8db5717bdabe5..aa3ce8aa99dc8 100644
+--- a/drivers/gpio/gpio-davinci.c
++++ b/drivers/gpio/gpio-davinci.c
+@@ -225,6 +225,11 @@ static int davinci_gpio_probe(struct platform_device *pdev)
+       else
+               nirq = DIV_ROUND_UP(ngpio, 16);
++      if (nirq > MAX_INT_PER_BANK) {
++              dev_err(dev, "Too many IRQs!\n");
++              return -EINVAL;
++      }
++
+       chips = devm_kzalloc(dev, sizeof(*chips), GFP_KERNEL);
+       if (!chips)
+               return -ENOMEM;
+-- 
+2.43.0
+
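Review bot: The error message on the rejected nirq value says only "Too many IRQs!", which leaves the offending device-tree value out of the log; since this bound exists precisely to catch a broken DT, print the number and the limit with the format specifier matching nirq's type, e.g. `dev_err(dev, "Too many IRQs: %u (max %u)\n", nirq, MAX_INT_PER_BANK);`. The check sits after both ways nirq is computed (the pdata->gpio_unbanked branch is just above the hunk) and before chips is allocated, which is the right place for it. If nirq is a signed type (its declaration is not visible here), a negative value would pass this comparison; confirm the type or compare as unsigned. davinci_gpio_probe continues outside the hunk.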
diff --git a/queue-6.6/gpiolib-cdev-disallow-reconfiguration-without-direct.patch b/queue-6.6/gpiolib-cdev-disallow-reconfiguration-without-direct.patch
new file mode 100644 (file)
index 0000000..1e34c99
--- /dev/null
@@ -0,0 +1,88 @@
+From 986a28ee8b0b800a76e50fb85d0ebc41abdff9f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Jun 2024 13:29:22 +0800
+Subject: gpiolib: cdev: Disallow reconfiguration without direction (uAPI v1)
+
+From: Kent Gibson <warthog618@gmail.com>
+
+[ Upstream commit 9919cce62f68e6ab68dc2a975b5dc670f8ca7d40 ]
+
+linehandle_set_config() behaves badly when direction is not set.
+The configuration validation is borrowed from linehandle_create(), where,
+to verify the intent of the user, the direction must be set to in order
+to effect a change to the electrical configuration of a line. But, when
+applied to reconfiguration, that validation does not allow for the unset
+direction case, making it possible to clear flags set previously without
+specifying the line direction.
+
+Adding to the inconsistency, those changes are not immediately applied by
+linehandle_set_config(), but will take effect when the line value is next
+get or set.
+
+For example, by requesting a configuration with no flags set, an output
+line with GPIOHANDLE_REQUEST_ACTIVE_LOW and GPIOHANDLE_REQUEST_OPEN_DRAIN
+requested could have those flags cleared, inverting the sense of the line
+and changing the line drive to push-pull on the next line value set.
+
+Ensure the intent of the user by disallowing configurations which do not
+have direction set, returning an error to userspace to indicate that the
+configuration is invalid.
+
+And, for clarity, use lflags, a local copy of gcnf.flags, throughout when
+dealing with the requested flags, rather than a mixture of both.
+
+Fixes: e588bb1eae31 ("gpio: add new SET_CONFIG ioctl() to gpio chardev")
+Signed-off-by: Kent Gibson <warthog618@gmail.com>
+Link: https://lore.kernel.org/r/20240626052925.174272-2-warthog618@gmail.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpiolib-cdev.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c
+index b4b71e68b90de..d526a4c91e82e 100644
+--- a/drivers/gpio/gpiolib-cdev.c
++++ b/drivers/gpio/gpiolib-cdev.c
+@@ -132,6 +132,10 @@ struct linehandle_state {
+       GPIOHANDLE_REQUEST_OPEN_DRAIN | \
+       GPIOHANDLE_REQUEST_OPEN_SOURCE)
++#define GPIOHANDLE_REQUEST_DIRECTION_FLAGS \
++      (GPIOHANDLE_REQUEST_INPUT | \
++       GPIOHANDLE_REQUEST_OUTPUT)
++
+ static int linehandle_validate_flags(u32 flags)
+ {
+       /* Return an error if an unknown flag is set */
+@@ -212,21 +216,21 @@ static long linehandle_set_config(struct linehandle_state *lh,
+       if (ret)
+               return ret;
++      /* Lines must be reconfigured explicitly as input or output. */
++      if (!(lflags & GPIOHANDLE_REQUEST_DIRECTION_FLAGS))
++              return -EINVAL;
++
+       for (i = 0; i < lh->num_descs; i++) {
+               desc = lh->descs[i];
+-              linehandle_flags_to_desc_flags(gcnf.flags, &desc->flags);
++              linehandle_flags_to_desc_flags(lflags, &desc->flags);
+-              /*
+-               * Lines have to be requested explicitly for input
+-               * or output, else the line will be treated "as is".
+-               */
+               if (lflags & GPIOHANDLE_REQUEST_OUTPUT) {
+                       int val = !!gcnf.default_values[i];
+                       ret = gpiod_direction_output(desc, val);
+                       if (ret)
+                               return ret;
+-              } else if (lflags & GPIOHANDLE_REQUEST_INPUT) {
++              } else {
+                       ret = gpiod_direction_input(desc);
+                       if (ret)
+                               return ret;
+-- 
+2.43.0
+
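Review bot: The `} else {` that replaces `} else if (lflags & GPIOHANDLE_REQUEST_INPUT) {` is only correct because the new guard above the loop guarantees at least one direction flag and because linehandle_validate_flags, called just before the hunk, presumably rejects INPUT and OUTPUT set together; neither fact is visible at the `else`, so add `/* direction guard above: !OUTPUT implies INPUT */` on that line. The guard rejects the whole request before any line is touched, which is the right order, but a failure of gpiod_direction_output() or gpiod_direction_input() on line i still returns with lines 0..i-1 already reconfigured through linehandle_flags_to_desc_flags(); that is pre-existing, and the comment on the guard could say validation is done up front for exactly that reason. linehandle_set_config starts outside the hunk.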
diff --git a/queue-6.6/irqchip-loongson-select-generic_irq_effective_aff_ma.patch b/queue-6.6/irqchip-loongson-select-generic_irq_effective_aff_ma.patch
new file mode 100644 (file)
index 0000000..07ac247
--- /dev/null
@@ -0,0 +1,40 @@
+From e7f8f023fbb3e30b5103de35f4c75f444fcd630f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Mar 2024 20:11:29 +0800
+Subject: irqchip/loongson: Select GENERIC_IRQ_EFFECTIVE_AFF_MASK if SMP for
+ IRQ_LOONGARCH_CPU
+
+From: Tiezhu Yang <yangtiezhu@loongson.cn>
+
+[ Upstream commit 42a7d887664b02a747ef5d479f6fd01081564af8 ]
+
+An interrupt's effective affinity can only be different from its configured
+affinity if there are multiple CPUs. Make it clear that this option is only
+meaningful when SMP is enabled. Otherwise, there exists "WARNING: unmet
+direct dependencies detected for GENERIC_IRQ_EFFECTIVE_AFF_MASK" when make
+menuconfig if CONFIG_SMP is not set on LoongArch.
+
+Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/r/20240326121130.16622-3-yangtiezhu@loongson.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/irqchip/Kconfig b/drivers/irqchip/Kconfig
+index f7149d0f3d45c..e7b736800dd02 100644
+--- a/drivers/irqchip/Kconfig
++++ b/drivers/irqchip/Kconfig
+@@ -557,7 +557,7 @@ config IRQ_LOONGARCH_CPU
+       bool
+       select GENERIC_IRQ_CHIP
+       select IRQ_DOMAIN
+-      select GENERIC_IRQ_EFFECTIVE_AFF_MASK
++      select GENERIC_IRQ_EFFECTIVE_AFF_MASK if SMP
+       select LOONGSON_HTVEC
+       select LOONGSON_LIOINTC
+       select LOONGSON_EIOINTC
+-- 
+2.43.0
+
diff --git a/queue-6.6/md-fix-overflow-in-is_mddev_idle.patch b/queue-6.6/md-fix-overflow-in-is_mddev_idle.patch
new file mode 100644 (file)
index 0000000..e9263ec
--- /dev/null
@@ -0,0 +1,104 @@
+From 45fa2ff14c155c6c41e95f1e7642635dc955b58c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jan 2024 11:19:45 +0800
+Subject: md: Fix overflow in is_mddev_idle
+
+From: Li Nan <linan122@huawei.com>
+
+[ Upstream commit 3f9f231236ce7e48780d8a4f1f8cb9fae2df1e4e ]
+
+UBSAN reports this problem:
+
+  UBSAN: Undefined behaviour in drivers/md/md.c:8175:15
+  signed integer overflow:
+  -2147483291 - 2072033152 cannot be represented in type 'int'
+  Call trace:
+   dump_backtrace+0x0/0x310
+   show_stack+0x28/0x38
+   dump_stack+0xec/0x15c
+   ubsan_epilogue+0x18/0x84
+   handle_overflow+0x14c/0x19c
+   __ubsan_handle_sub_overflow+0x34/0x44
+   is_mddev_idle+0x338/0x3d8
+   md_do_sync+0x1bb8/0x1cf8
+   md_thread+0x220/0x288
+   kthread+0x1d8/0x1e0
+   ret_from_fork+0x10/0x18
+
+'curr_events' will overflow when stat accum or 'sync_io' is greater than
+INT_MAX.
+
+Fix it by changing sync_io, last_events and curr_events to 64bit.
+
+Signed-off-by: Li Nan <linan122@huawei.com>
+Reviewed-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20240117031946.2324519-2-linan666@huaweicloud.com
+Signed-off-by: Song Liu <song@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c        | 7 ++++---
+ drivers/md/md.h        | 4 ++--
+ include/linux/blkdev.h | 2 +-
+ 3 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index e4d3741234d90..f4e0cb66288a1 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -8558,14 +8558,15 @@ static int is_mddev_idle(struct mddev *mddev, int init)
+ {
+       struct md_rdev *rdev;
+       int idle;
+-      int curr_events;
++      long long curr_events;
+       idle = 1;
+       rcu_read_lock();
+       rdev_for_each_rcu(rdev, mddev) {
+               struct gendisk *disk = rdev->bdev->bd_disk;
+-              curr_events = (int)part_stat_read_accum(disk->part0, sectors) -
+-                            atomic_read(&disk->sync_io);
++              curr_events =
++                      (long long)part_stat_read_accum(disk->part0, sectors) -
++                      atomic64_read(&disk->sync_io);
+               /* sync IO will cause sync_io to increase before the disk_stats
+                * as sync_io is counted when a request starts, and
+                * disk_stats is counted when it completes.
+diff --git a/drivers/md/md.h b/drivers/md/md.h
+index 7c9c13abd7cac..57463470c96f4 100644
+--- a/drivers/md/md.h
++++ b/drivers/md/md.h
+@@ -50,7 +50,7 @@ struct md_rdev {
+       sector_t sectors;               /* Device size (in 512bytes sectors) */
+       struct mddev *mddev;            /* RAID array if running */
+-      int last_events;                /* IO event timestamp */
++      long long last_events;          /* IO event timestamp */
+       /*
+        * If meta_bdev is non-NULL, it means that a separate device is
+@@ -605,7 +605,7 @@ extern void mddev_unlock(struct mddev *mddev);
+ static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
+ {
+-      atomic_add(nr_sectors, &bdev->bd_disk->sync_io);
++      atomic64_add(nr_sectors, &bdev->bd_disk->sync_io);
+ }
+ static inline void md_sync_acct_bio(struct bio *bio, unsigned long nr_sectors)
+diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
+index a7b65d4ab616e..d4a6bc6577241 100644
+--- a/include/linux/blkdev.h
++++ b/include/linux/blkdev.h
+@@ -168,7 +168,7 @@ struct gendisk {
+       struct list_head slave_bdevs;
+ #endif
+       struct timer_rand_state *random;
+-      atomic_t sync_io;               /* RAID */
++      atomic64_t sync_io;             /* RAID */
+       struct disk_events *ev;
+ #ifdef CONFIG_BLK_DEV_ZONED
+-- 
+2.43.0
+
diff --git a/queue-6.6/media-dvbdev-initialize-sbuf.patch b/queue-6.6/media-dvbdev-initialize-sbuf.patch
new file mode 100644 (file)
index 0000000..a187890
--- /dev/null
@@ -0,0 +1,42 @@
+From 687c2c553e7241cd8bfdb314dc01d1437a7f08b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Mar 2024 14:50:25 +0000
+Subject: media: dvbdev: Initialize sbuf
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit 17d1316de0d7dc1bdc5d6e3ad4efd30a9bf1a381 ]
+
+Because the size passed to copy_from_user() cannot be known beforehand,
+it needs to be checked during runtime with check_object_size. That makes
+gcc believe that the content of sbuf can be used before init.
+
+Fix:
+./include/linux/thread_info.h:215:17: warning: ‘sbuf’ may be used uninitialized [-Wmaybe-uninitialized]
+
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-core/dvbdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c
+index 733d0bc4b4cc3..b43695bc51e75 100644
+--- a/drivers/media/dvb-core/dvbdev.c
++++ b/drivers/media/dvb-core/dvbdev.c
+@@ -956,7 +956,7 @@ int dvb_usercopy(struct file *file,
+                int (*func)(struct file *file,
+                            unsigned int cmd, void *arg))
+ {
+-      char    sbuf[128];
++      char    sbuf[128] = {};
+       void    *mbuf = NULL;
+       void    *parg = NULL;
+       int     err  = -EINVAL;
+-- 
+2.43.0
+
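Review bot: The empty initializer on sbuf silences -Wmaybe-uninitialized, but its more useful effect goes unmentioned: if parg ends up pointing at sbuf and is later copied back to user space (that path is outside this hunk), a handler that fills the argument only partially would otherwise return stale stack bytes. A comment keeps that intent alive through the next cleanup, e.g. `char    sbuf[128] = {}; /* zeroed so a partially filled arg never returns stack contents */`. The 128-byte clear now runs on every ioctl routed through dvb_usercopy, which is acceptable but worth stating. dvb_usercopy's body continues outside the hunk.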
diff --git a/queue-6.6/mtd-partitions-redboot-added-conversion-of-operands-.patch b/queue-6.6/mtd-partitions-redboot-added-conversion-of-operands-.patch
new file mode 100644 (file)
index 0000000..0b1efdb
--- /dev/null
@@ -0,0 +1,40 @@
+From bdf1607a7443ce0cf9a5e88cddc6755f90f1d9a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Mar 2024 12:37:58 +0300
+Subject: mtd: partitions: redboot: Added conversion of operands to a larger
+ type
+
+From: Denis Arefev <arefev@swemel.ru>
+
+[ Upstream commit 1162bc2f8f5de7da23d18aa4b7fbd4e93c369c50 ]
+
+The value of an arithmetic expression directory * master->erasesize is
+subject to overflow due to a failure to cast operands to a larger data
+type before perfroming arithmetic
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Signed-off-by: Denis Arefev <arefev@swemel.ru>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20240315093758.20790-1-arefev@swemel.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/parsers/redboot.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/parsers/redboot.c b/drivers/mtd/parsers/redboot.c
+index a16b42a885816..3b55b676ca6b9 100644
+--- a/drivers/mtd/parsers/redboot.c
++++ b/drivers/mtd/parsers/redboot.c
+@@ -102,7 +102,7 @@ static int parse_redboot_partitions(struct mtd_info *master,
+                       offset -= master->erasesize;
+               }
+       } else {
+-              offset = directory * master->erasesize;
++              offset = (unsigned long) directory * master->erasesize;
+               while (mtd_block_isbad(master, offset)) {
+                       offset += master->erasesize;
+                       if (offset == master->size)
+-- 
+2.43.0
+
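Review bot: The `(unsigned long)` cast in `offset = (unsigned long) directory * master->erasesize;` only widens the product where unsigned long is 64-bit; on 32-bit targets, common for RedBoot-partitioned flash, both operands stay 32-bit and the multiply can wrap exactly as before. If a 64-bit product is the goal, cast to `u64` (or `loff_t`, the type mtd_block_isbad() takes) and compare the result against master->size before the first mtd_block_isbad() call rather than only inside the loop. The declaration of offset is not visible here; a wider cast is pointless if offset itself is unsigned long, so that type would need to change with it. parse_redboot_partitions starts outside the hunk.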
diff --git a/queue-6.6/net-dpaa2-avoid-explicit-cpumask-var-allocation-on-s.patch b/queue-6.6/net-dpaa2-avoid-explicit-cpumask-var-allocation-on-s.patch
new file mode 100644 (file)
index 0000000..da4e7fc
--- /dev/null
@@ -0,0 +1,72 @@
+From c239a5cf1f2841efc82cd1b33751cba016cf82bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Mar 2024 13:34:41 +0800
+Subject: net/dpaa2: Avoid explicit cpumask var allocation on stack
+
+From: Dawei Li <dawei.li@shingroup.cn>
+
+[ Upstream commit d33fe1714a44ff540629b149d8fab4ac6967585c ]
+
+For CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask
+variable on stack is not recommended since it can cause potential stack
+overflow.
+
+Instead, kernel code should always use *cpumask_var API(s) to allocate
+cpumask var in config-neutral way, leaving allocation strategy to
+CONFIG_CPUMASK_OFFSTACK.
+
+Use *cpumask_var API(s) to address it.
+
+Signed-off-by: Dawei Li <dawei.li@shingroup.cn>
+Link: https://lore.kernel.org/r/20240331053441.1276826-3-dawei.li@shingroup.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
+index 888509cf1f210..40e8818295951 100644
+--- a/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
++++ b/drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c
+@@ -2896,11 +2896,14 @@ static int dpaa2_eth_xdp_xmit(struct net_device *net_dev, int n,
+ static int update_xps(struct dpaa2_eth_priv *priv)
+ {
+       struct net_device *net_dev = priv->net_dev;
+-      struct cpumask xps_mask;
+-      struct dpaa2_eth_fq *fq;
+       int i, num_queues, netdev_queues;
++      struct dpaa2_eth_fq *fq;
++      cpumask_var_t xps_mask;
+       int err = 0;
++      if (!alloc_cpumask_var(&xps_mask, GFP_KERNEL))
++              return -ENOMEM;
++
+       num_queues = dpaa2_eth_queue_count(priv);
+       netdev_queues = (net_dev->num_tc ? : 1) * num_queues;
+@@ -2910,16 +2913,17 @@ static int update_xps(struct dpaa2_eth_priv *priv)
+       for (i = 0; i < netdev_queues; i++) {
+               fq = &priv->fq[i % num_queues];
+-              cpumask_clear(&xps_mask);
+-              cpumask_set_cpu(fq->target_cpu, &xps_mask);
++              cpumask_clear(xps_mask);
++              cpumask_set_cpu(fq->target_cpu, xps_mask);
+-              err = netif_set_xps_queue(net_dev, &xps_mask, i);
++              err = netif_set_xps_queue(net_dev, xps_mask, i);
+               if (err) {
+                       netdev_warn_once(net_dev, "Error setting XPS queue\n");
+                       break;
+               }
+       }
++      free_cpumask_var(xps_mask);
+       return err;
+ }
+-- 
+2.43.0
+
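Review bot: With xps_mask now allocated, every exit from update_xps after the alloc_cpumask_var() call has to reach free_cpumask_var(); the two visible paths (loop completion and the `break` on error) do, but the lines between the two hunks (old lines 2899-2912) are not shown, so confirm no `return` remains there. Moving the `alloc_cpumask_var` call to just before the for loop would shorten the window in which a future early return could leak the mask and keep the allocation next to its use. The ENOMEM path is only reachable with CONFIG_CPUMASK_OFFSTACK=y, so it will not be exercised on most configurations; a short comment on the alloc saying so would help readers unfamiliar with cpumask_var_t.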
diff --git a/queue-6.6/net-iucv-avoid-explicit-cpumask-var-allocation-on-st.patch b/queue-6.6/net-iucv-avoid-explicit-cpumask-var-allocation-on-st.patch
new file mode 100644 (file)
index 0000000..ce18a22
--- /dev/null
@@ -0,0 +1,85 @@
+From 9d1bcca92584aa1b21242833ace246633904e8f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Mar 2024 13:34:40 +0800
+Subject: net/iucv: Avoid explicit cpumask var allocation on stack
+
+From: Dawei Li <dawei.li@shingroup.cn>
+
+[ Upstream commit be4e1304419c99a164b4c0e101c7c2a756b635b9 ]
+
+For CONFIG_CPUMASK_OFFSTACK=y kernel, explicit allocation of cpumask
+variable on stack is not recommended since it can cause potential stack
+overflow.
+
+Instead, kernel code should always use *cpumask_var API(s) to allocate
+cpumask var in config-neutral way, leaving allocation strategy to
+CONFIG_CPUMASK_OFFSTACK.
+
+Use *cpumask_var API(s) to address it.
+
+Signed-off-by: Dawei Li <dawei.li@shingroup.cn>
+Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
+Link: https://lore.kernel.org/r/20240331053441.1276826-2-dawei.li@shingroup.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/iucv/iucv.c | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c
+index f66b5f74cd83a..db41eb2d977f2 100644
+--- a/net/iucv/iucv.c
++++ b/net/iucv/iucv.c
+@@ -519,7 +519,7 @@ static void iucv_setmask_mp(void)
+  */
+ static void iucv_setmask_up(void)
+ {
+-      cpumask_t cpumask;
++      static cpumask_t cpumask;
+       int cpu;
+       /* Disable all cpu but the first in cpu_irq_cpumask. */
+@@ -627,23 +627,33 @@ static int iucv_cpu_online(unsigned int cpu)
+ static int iucv_cpu_down_prep(unsigned int cpu)
+ {
+-      cpumask_t cpumask;
++      cpumask_var_t cpumask;
++      int ret = 0;
+       if (!iucv_path_table)
+               return 0;
+-      cpumask_copy(&cpumask, &iucv_buffer_cpumask);
+-      cpumask_clear_cpu(cpu, &cpumask);
+-      if (cpumask_empty(&cpumask))
++      if (!alloc_cpumask_var(&cpumask, GFP_KERNEL))
++              return -ENOMEM;
++
++      cpumask_copy(cpumask, &iucv_buffer_cpumask);
++      cpumask_clear_cpu(cpu, cpumask);
++      if (cpumask_empty(cpumask)) {
+               /* Can't offline last IUCV enabled cpu. */
+-              return -EINVAL;
++              ret = -EINVAL;
++              goto __free_cpumask;
++      }
+       iucv_retrieve_cpu(NULL);
+       if (!cpumask_empty(&iucv_irq_cpumask))
+-              return 0;
++              goto __free_cpumask;
++
+       smp_call_function_single(cpumask_first(&iucv_buffer_cpumask),
+                                iucv_allow_cpu, NULL, 1);
+-      return 0;
++
++__free_cpumask:
++      free_cpumask_var(cpumask);
++      return ret;
+ }
+ /**
+-- 
+2.43.0
+
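Review bot: The new labels `__free_cpumask` in iucv_cpu_down_prep carry a double-underscore prefix, which C reserves for the implementation and kernel style avoids for labels; rename all three occurrences to `out_free`. In iucv_setmask_up the mask became `static cpumask_t cpumask;`, trading stack footprint for shared mutable state, which is only safe if every caller is serialized (the call sites are outside the hunk, presumably under a mutex or the CPU hotplug lock); a comment naming that lock, e.g. `/* static: callers serialized by <LOCK-NAME> */`, would make the assumption checkable. The -ENOMEM return is new behaviour for the hotplug callback, since an allocation failure now vetoes taking the CPU offline; that is defensible while iucv_path_table is active, but worth a word next to the `return -ENOMEM`.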
diff --git a/queue-6.6/nvme-fixup-comment-for-nvme-rdma-provider-type.patch b/queue-6.6/nvme-fixup-comment-for-nvme-rdma-provider-type.patch
new file mode 100644 (file)
index 0000000..a0dcb25
--- /dev/null
@@ -0,0 +1,38 @@
+From fcc56dbd02714b56d1b3547576c1fa0284653d24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Jun 2024 09:27:27 +0200
+Subject: nvme: fixup comment for nvme RDMA Provider Type
+
+From: Hannes Reinecke <hare@suse.de>
+
+[ Upstream commit f80a55fa90fa76d01e3fffaa5d0413e522ab9a00 ]
+
+PRTYPE is the provider type, not the QP service type.
+
+Fixes: eb793e2c9286 ("nvme.h: add NVMe over Fabrics definitions")
+Signed-off-by: Hannes Reinecke <hare@kernel.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/nvme.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/nvme.h b/include/linux/nvme.h
+index 26dd3f859d9d7..b61038de139e5 100644
+--- a/include/linux/nvme.h
++++ b/include/linux/nvme.h
+@@ -90,8 +90,8 @@ enum {
+       NVMF_RDMA_QPTYPE_DATAGRAM       = 2, /* Reliable Datagram */
+ };
+-/* RDMA QP Service Type codes for Discovery Log Page entry TSAS
+- * RDMA_QPTYPE field
++/* RDMA Provider Type codes for Discovery Log Page entry TSAS
++ * RDMA_PRTYPE field
+  */
+ enum {
+       NVMF_RDMA_PRTYPE_NOT_SPECIFIED  = 1, /* No Provider Specified */
+-- 
+2.43.0
+
diff --git a/queue-6.6/randomize_kstack-remove-non-functional-per-arch-entr.patch b/queue-6.6/randomize_kstack-remove-non-functional-per-arch-entr.patch
new file mode 100644 (file)
index 0000000..bf97a1f
--- /dev/null
@@ -0,0 +1,121 @@
+From cef1771d1c3eb063aa1acfa5ae637b12f8f12609 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Jun 2024 14:47:15 -0700
+Subject: randomize_kstack: Remove non-functional per-arch entropy filtering
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit 6db1208bf95b4c091897b597c415e11edeab2e2d ]
+
+An unintended consequence of commit 9c573cd31343 ("randomize_kstack:
+Improve entropy diffusion") was that the per-architecture entropy size
+filtering reduced how many bits were being added to the mix, rather than
+how many bits were being used during the offsetting. All architectures
+fell back to the existing default of 0x3FF (10 bits), which will consume
+at most 1KiB of stack space. It seems that this is working just fine,
+so let's avoid the confusion and update everything to use the default.
+
+The prior intent of the per-architecture limits were:
+
+  arm64: capped at 0x1FF (9 bits), 5 bits effective
+  powerpc: uncapped (10 bits), 6 or 7 bits effective
+  riscv: uncapped (10 bits), 6 bits effective
+  x86: capped at 0xFF (8 bits), 5 (x86_64) or 6 (ia32) bits effective
+  s390: capped at 0xFF (8 bits), undocumented effective entropy
+
+Current discussion has led to just dropping the original per-architecture
+filters. The additional entropy appears to be safe for arm64, x86,
+and s390. Quoting Arnd, "There is no point pretending that 15.75KB is
+somehow safe to use while 15.00KB is not."
+
+Co-developed-by: Yuntao Liu <liuyuntao12@huawei.com>
+Signed-off-by: Yuntao Liu <liuyuntao12@huawei.com>
+Fixes: 9c573cd31343 ("randomize_kstack: Improve entropy diffusion")
+Link: https://lore.kernel.org/r/20240617133721.377540-1-liuyuntao12@huawei.com
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Acked-by: Heiko Carstens <hca@linux.ibm.com> # s390
+Link: https://lore.kernel.org/r/20240619214711.work.953-kees@kernel.org
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/syscall.c          | 16 +++++++---------
+ arch/s390/include/asm/entry-common.h |  2 +-
+ arch/x86/include/asm/entry-common.h  | 15 ++++++---------
+ 3 files changed, 14 insertions(+), 19 deletions(-)
+
+diff --git a/arch/arm64/kernel/syscall.c b/arch/arm64/kernel/syscall.c
+index 9a70d9746b661..f090e39f69bc4 100644
+--- a/arch/arm64/kernel/syscall.c
++++ b/arch/arm64/kernel/syscall.c
+@@ -56,17 +56,15 @@ static void invoke_syscall(struct pt_regs *regs, unsigned int scno,
+       syscall_set_return_value(current, regs, 0, ret);
+       /*
+-       * Ultimately, this value will get limited by KSTACK_OFFSET_MAX(),
+-       * but not enough for arm64 stack utilization comfort. To keep
+-       * reasonable stack head room, reduce the maximum offset to 9 bits.
++       * This value will get limited by KSTACK_OFFSET_MAX(), which is 10
++       * bits. The actual entropy will be further reduced by the compiler
++       * when applying stack alignment constraints: the AAPCS mandates a
++       * 16-byte aligned SP at function boundaries, which will remove the
++       * 4 low bits from any entropy chosen here.
+        *
+-       * The actual entropy will be further reduced by the compiler when
+-       * applying stack alignment constraints: the AAPCS mandates a
+-       * 16-byte (i.e. 4-bit) aligned SP at function boundaries.
+-       *
+-       * The resulting 5 bits of entropy is seen in SP[8:4].
++       * The resulting 6 bits of entropy is seen in SP[9:4].
+        */
+-      choose_random_kstack_offset(get_random_u16() & 0x1FF);
++      choose_random_kstack_offset(get_random_u16());
+ }
+ static inline bool has_syscall_work(unsigned long flags)
+diff --git a/arch/s390/include/asm/entry-common.h b/arch/s390/include/asm/entry-common.h
+index fdd319a622b06..622cd08e5f50f 100644
+--- a/arch/s390/include/asm/entry-common.h
++++ b/arch/s390/include/asm/entry-common.h
+@@ -55,7 +55,7 @@ static __always_inline void arch_exit_to_user_mode(void)
+ static inline void arch_exit_to_user_mode_prepare(struct pt_regs *regs,
+                                                 unsigned long ti_work)
+ {
+-      choose_random_kstack_offset(get_tod_clock_fast() & 0xff);
++      choose_random_kstack_offset(get_tod_clock_fast());
+ }
+ #define arch_exit_to_user_mode_prepare arch_exit_to_user_mode_prepare
+diff --git a/arch/x86/include/asm/entry-common.h b/arch/x86/include/asm/entry-common.h
+index 7e523bb3d2d31..fb2809b20b0ac 100644
+--- a/arch/x86/include/asm/entry-common.h
++++ b/arch/x86/include/asm/entry-common.h
+@@ -73,19 +73,16 @@ static inline void arch_exit_to_user_mode_prepare(struct pt_regs *regs,
+ #endif
+       /*
+-       * Ultimately, this value will get limited by KSTACK_OFFSET_MAX(),
+-       * but not enough for x86 stack utilization comfort. To keep
+-       * reasonable stack head room, reduce the maximum offset to 8 bits.
+-       *
+-       * The actual entropy will be further reduced by the compiler when
+-       * applying stack alignment constraints (see cc_stack_align4/8 in
++       * This value will get limited by KSTACK_OFFSET_MAX(), which is 10
++       * bits. The actual entropy will be further reduced by the compiler
++       * when applying stack alignment constraints (see cc_stack_align4/8 in
+        * arch/x86/Makefile), which will remove the 3 (x86_64) or 2 (ia32)
+        * low bits from any entropy chosen here.
+        *
+-       * Therefore, final stack offset entropy will be 5 (x86_64) or
+-       * 6 (ia32) bits.
++       * Therefore, final stack offset entropy will be 7 (x86_64) or
++       * 8 (ia32) bits.
+        */
+-      choose_random_kstack_offset(rdtsc() & 0xFF);
++      choose_random_kstack_offset(rdtsc());
+ }
+ #define arch_exit_to_user_mode_prepare arch_exit_to_user_mode_prepare
+-- 
+2.43.0
+
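Review bot: The s390 hunk passes get_tod_clock_fast(), a 64-bit value, straight to choose_random_kstack_offset(), which takes a u32, so the argument is silently truncated to its low 32 bits; that is harmless because only the low bits survive the KSTACK_OFFSET_MAX() mask, but unlike the arm64 and x86 hunks there is no comment explaining the entropy budget, and the commit message itself calls the s390 effective entropy undocumented. Add one in arch_exit_to_user_mode_prepare, e.g. `/* Truncated to u32; limited to 10 bits by KSTACK_OFFSET_MAX(), minus whatever stack alignment removes */`, and state the resulting bit count once confirmed against the s390 stack alignment. The x86 and s390 sources are timer counters rather than CRNG output (arm64 uses get_random_u16()); the updated arm64 and x86 comments could say in one clause that this is the accepted design, so nobody later "fixes" the fast path by calling a slower random source.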
diff --git a/queue-6.6/rdma-restrack-fix-potential-invalid-address-access.patch b/queue-6.6/rdma-restrack-fix-potential-invalid-address-access.patch
new file mode 100644 (file)
index 0000000..5cfeaa7
--- /dev/null
@@ -0,0 +1,104 @@
+From 56ebc17f726f8038b8692df7b1693f1783ab7ed1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Mar 2024 17:23:20 +0800
+Subject: RDMA/restrack: Fix potential invalid address access
+
+From: Wenchao Hao <haowenchao2@huawei.com>
+
+[ Upstream commit ca537a34775c103f7b14d7bbd976403f1d1525d8 ]
+
+struct rdma_restrack_entry's kern_name was set to KBUILD_MODNAME
+in ib_create_cq(), while if the module exited but forgot del this
+rdma_restrack_entry, it would cause a invalid address access in
+rdma_restrack_clean() when print the owner of this rdma_restrack_entry.
+
+These code is used to help find one forgotten PD release in one of the
+ULPs. But it is not needed anymore, so delete them.
+
+Signed-off-by: Wenchao Hao <haowenchao2@huawei.com>
+Link: https://lore.kernel.org/r/20240318092320.1215235-1-haowenchao2@huawei.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/restrack.c | 51 +-----------------------------
+ 1 file changed, 1 insertion(+), 50 deletions(-)
+
+diff --git a/drivers/infiniband/core/restrack.c b/drivers/infiniband/core/restrack.c
+index 01a499a8b88db..438ed35881752 100644
+--- a/drivers/infiniband/core/restrack.c
++++ b/drivers/infiniband/core/restrack.c
+@@ -37,22 +37,6 @@ int rdma_restrack_init(struct ib_device *dev)
+       return 0;
+ }
+-static const char *type2str(enum rdma_restrack_type type)
+-{
+-      static const char * const names[RDMA_RESTRACK_MAX] = {
+-              [RDMA_RESTRACK_PD] = "PD",
+-              [RDMA_RESTRACK_CQ] = "CQ",
+-              [RDMA_RESTRACK_QP] = "QP",
+-              [RDMA_RESTRACK_CM_ID] = "CM_ID",
+-              [RDMA_RESTRACK_MR] = "MR",
+-              [RDMA_RESTRACK_CTX] = "CTX",
+-              [RDMA_RESTRACK_COUNTER] = "COUNTER",
+-              [RDMA_RESTRACK_SRQ] = "SRQ",
+-      };
+-
+-      return names[type];
+-};
+-
+ /**
+  * rdma_restrack_clean() - clean resource tracking
+  * @dev:  IB device
+@@ -60,47 +44,14 @@ static const char *type2str(enum rdma_restrack_type type)
+ void rdma_restrack_clean(struct ib_device *dev)
+ {
+       struct rdma_restrack_root *rt = dev->res;
+-      struct rdma_restrack_entry *e;
+-      char buf[TASK_COMM_LEN];
+-      bool found = false;
+-      const char *owner;
+       int i;
+       for (i = 0 ; i < RDMA_RESTRACK_MAX; i++) {
+               struct xarray *xa = &dev->res[i].xa;
+-              if (!xa_empty(xa)) {
+-                      unsigned long index;
+-
+-                      if (!found) {
+-                              pr_err("restrack: %s", CUT_HERE);
+-                              dev_err(&dev->dev, "BUG: RESTRACK detected leak of resources\n");
+-                      }
+-                      xa_for_each(xa, index, e) {
+-                              if (rdma_is_kernel_res(e)) {
+-                                      owner = e->kern_name;
+-                              } else {
+-                                      /*
+-                                       * There is no need to call get_task_struct here,
+-                                       * because we can be here only if there are more
+-                                       * get_task_struct() call than put_task_struct().
+-                                       */
+-                                      get_task_comm(buf, e->task);
+-                                      owner = buf;
+-                              }
+-
+-                              pr_err("restrack: %s %s object allocated by %s is not freed\n",
+-                                     rdma_is_kernel_res(e) ? "Kernel" :
+-                                                             "User",
+-                                     type2str(e->type), owner);
+-                      }
+-                      found = true;
+-              }
++              WARN_ON(!xa_empty(xa));
+               xa_destroy(xa);
+       }
+-      if (found)
+-              pr_err("restrack: %s", CUT_HERE);
+-
+       kfree(rt);
+ }
+-- 
+2.43.0
+
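Review bot: The replacement `WARN_ON(!xa_empty(xa));` reports that something leaked but no longer says what, while the loop index `i` is the resource type and can be printed without touching any entry: `WARN(!xa_empty(xa), "restrack: type %d resources leaked\n", i);` keeps that one datum. That is the safe subset of what the removed block did; the removed code's problem was reading `e->kern_name` of entries whose owning module may already be gone, not printing the type. Dropping type2str() is consistent with no longer walking the entries. rdma_restrack_clean() is fully inside the hunk.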
diff --git a/queue-6.6/risc-v-fix-vector-insn-load-store-width-mask.patch b/queue-6.6/risc-v-fix-vector-insn-load-store-width-mask.patch
new file mode 100644 (file)
index 0000000..b1bcfe5
--- /dev/null
@@ -0,0 +1,38 @@
+From 68d660616fe77539ad2b07462f207414c57f1c48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Jun 2024 14:28:00 -0400
+Subject: RISC-V: fix vector insn load/store width mask
+
+From: Jesse Taube <jesse@rivosinc.com>
+
+[ Upstream commit 04a2aef59cfe192aa99020601d922359978cc72a ]
+
+RVFDQ_FL_FS_WIDTH_MASK should be 3 bits [14-12], shifted down by 12 bits.
+Replace GENMASK(3, 0) with GENMASK(2, 0).
+
+Fixes: cd054837243b ("riscv: Allocate user's vector context in the first-use trap")
+Signed-off-by: Jesse Taube <jesse@rivosinc.com>
+Reviewed-by: Charlie Jenkins <charlie@rivosinc.com>
+Link: https://lore.kernel.org/r/20240606182800.415831-1-jesse@rivosinc.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/include/asm/insn.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/include/asm/insn.h b/arch/riscv/include/asm/insn.h
+index 06e439eeef9ad..09fde95a5e8f7 100644
+--- a/arch/riscv/include/asm/insn.h
++++ b/arch/riscv/include/asm/insn.h
+@@ -145,7 +145,7 @@
+ /* parts of opcode for RVF, RVD and RVQ */
+ #define RVFDQ_FL_FS_WIDTH_OFF 12
+-#define RVFDQ_FL_FS_WIDTH_MASK        GENMASK(3, 0)
++#define RVFDQ_FL_FS_WIDTH_MASK        GENMASK(2, 0)
+ #define RVFDQ_FL_FS_WIDTH_W   2
+ #define RVFDQ_FL_FS_WIDTH_D   3
+ #define RVFDQ_LS_FS_WIDTH_Q   4
+-- 
+2.43.0
+
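Review bot: The narrowed mask carries no comment saying which instruction bits it covers, and the neighbouring defines (`RVFDQ_FL_FS_WIDTH_OFF 12`, width values 2/3/4) do not make the 3-bit width obvious on their own; a line such as `/* width field is insn bits [14:12]; mask is applied after >> RVFDQ_FL_FS_WIDTH_OFF */` above `RVFDQ_FL_FS_WIDTH_MASK` would tie the value to the description. The width encodings defined here (2, 3, 4) all fit in three bits, so the narrowing drops none of them; if the mask is applied after the shift, as the description says, the old `GENMASK(3, 0)` would have let insn bit 15 leak into the width comparison.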
diff --git a/queue-6.6/riscv-stacktrace-convert-arch_stack_walk-to-noinstr.patch b/queue-6.6/riscv-stacktrace-convert-arch_stack_walk-to-noinstr.patch
new file mode 100644 (file)
index 0000000..67e7824
--- /dev/null
@@ -0,0 +1,44 @@
+From 63affb2cdf545c052631ceee387bb257f10f003c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Jun 2024 15:11:06 +0800
+Subject: riscv: stacktrace: convert arch_stack_walk() to noinstr
+
+From: Andy Chiu <andy.chiu@sifive.com>
+
+[ Upstream commit 23b2188920a25e88d447dd7d819a0b0f62fb4455 ]
+
+arch_stack_walk() is called intensively in function_graph when the
+kernel is compiled with CONFIG_TRACE_IRQFLAGS. As a result, the kernel
+logs a lot of arch_stack_walk and its sub-functions into the ftrace
+buffer. However, these functions should not appear on the trace log
+because they are part of the ftrace itself. This patch references what
+arm64 does for the smae function. So it further prevent the re-enter
+kprobe issue, which is also possible on riscv.
+
+Related-to: commit 0fbcd8abf337 ("arm64: Prohibit instrumentation on arch_stack_walk()")
+Fixes: 680341382da5 ("riscv: add CALLER_ADDRx support")
+Signed-off-by: Andy Chiu <andy.chiu@sifive.com>
+Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Link: https://lore.kernel.org/r/20240613-dev-andyc-dyn-ftrace-v4-v1-1-1a538e12c01e@sifive.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kernel/stacktrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/kernel/stacktrace.c b/arch/riscv/kernel/stacktrace.c
+index 528ec7cc9a622..0d3f00eb0baee 100644
+--- a/arch/riscv/kernel/stacktrace.c
++++ b/arch/riscv/kernel/stacktrace.c
+@@ -156,7 +156,7 @@ unsigned long __get_wchan(struct task_struct *task)
+       return pc;
+ }
+-noinline void arch_stack_walk(stack_trace_consume_fn consume_entry, void *cookie,
++noinline noinstr void arch_stack_walk(stack_trace_consume_fn consume_entry, void *cookie,
+                    struct task_struct *task, struct pt_regs *regs)
+ {
+       walk_stackframe(task, regs, consume_entry, cookie);
+-- 
+2.43.0
+
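Review bot: `noinstr` on arch_stack_walk() covers only this function's own body; its single call, `walk_stackframe(task, regs, consume_entry, cookie);`, is outside the hunk and must also be `noinstr` (or at least `notrace`) for the effect the description wants, since the description says the sub-functions show up in the trace buffer as well. If walk_stackframe() already carries that attribute in 6.6, a sentence in the backport note saying so would save the next reader the check. arch_stack_walk() continues past the end of the hunk.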
index 9baddab0893b9393b85d77988f7433e4542fb7b9..098f6eb086acf883dfe183bed159d219ee066aad 100644 (file)
@@ -48,3 +48,31 @@ alsa-seq-fix-missing-msb-in-midi2-spp-conversion.patch
 netfilter-nf_tables-fully-validate-nft_data_value-on.patch
 tracing-net_sched-null-pointer-dereference-in-perf_t.patch
 net-mana-fix-possible-double-free-in-error-handling-.patch
+bpf-take-return-from-set_memory_ro-into-account-with.patch
+bpf-take-return-from-set_memory_rox-into-account-wit.patch
+drm-panel-ilitek-ili9881c-fix-warning-with-gpio-cont.patch
+vduse-validate-block-features-only-with-block-device.patch
+vduse-temporarily-fail-if-control-queue-feature-requ.patch
+x86-fpu-fix-amd-x86_bug_fxsave_leak-fixup.patch
+mtd-partitions-redboot-added-conversion-of-operands-.patch
+wifi-ieee80211-check-for-null-in-ieee80211_mle_size_.patch
+bpf-mark-bpf-prog-stack-with-kmsan_unposion_memory-i.patch
+rdma-restrack-fix-potential-invalid-address-access.patch
+net-iucv-avoid-explicit-cpumask-var-allocation-on-st.patch
+net-dpaa2-avoid-explicit-cpumask-var-allocation-on-s.patch
+crypto-ecdh-explicitly-zeroize-private_key.patch
+alsa-emux-improve-patch-ioctl-data-validation.patch
+media-dvbdev-initialize-sbuf.patch
+md-fix-overflow-in-is_mddev_idle.patch
+irqchip-loongson-select-generic_irq_effective_aff_ma.patch
+soc-ti-wkup_m3_ipc-send-null-dummy-message-instead-o.patch
+gfs2-fix-null-pointer-dereference-in-gfs2_log_flush.patch
+drm-radeon-radeon_display-decrease-the-size-of-alloc.patch
+nvme-fixup-comment-for-nvme-rdma-provider-type.patch
+drm-panel-simple-add-missing-display-timing-flags-fo.patch
+gpio-davinci-validate-the-obtained-number-of-irqs.patch
+risc-v-fix-vector-insn-load-store-width-mask.patch
+drm-amdgpu-fix-pci-state-save-during-mode-1-reset.patch
+riscv-stacktrace-convert-arch_stack_walk-to-noinstr.patch
+gpiolib-cdev-disallow-reconfiguration-without-direct.patch
+randomize_kstack-remove-non-functional-per-arch-entr.patch
diff --git a/queue-6.6/soc-ti-wkup_m3_ipc-send-null-dummy-message-instead-o.patch b/queue-6.6/soc-ti-wkup_m3_ipc-send-null-dummy-message-instead-o.patch
new file mode 100644 (file)
index 0000000..0b6559b
--- /dev/null
@@ -0,0 +1,71 @@
+From 2263d6a771aab3703520bbce7e2f2ce3727305ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Mar 2024 11:55:07 -0500
+Subject: soc: ti: wkup_m3_ipc: Send NULL dummy message instead of pointer
+ message
+
+From: Andrew Davis <afd@ti.com>
+
+[ Upstream commit ddbf3204f600a4d1f153498f618369fca352ae00 ]
+
+mbox_send_message() sends a u32 bit message, not a pointer to a message.
+We only convert to a pointer type as a generic type. If we want to send
+a dummy message of 0, then simply send 0 (NULL).
+
+Signed-off-by: Andrew Davis <afd@ti.com>
+Link: https://lore.kernel.org/r/20240325165507.30323-1-afd@ti.com
+Signed-off-by: Nishanth Menon <nm@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/ti/wkup_m3_ipc.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/soc/ti/wkup_m3_ipc.c b/drivers/soc/ti/wkup_m3_ipc.c
+index 3aff106fc11a0..9a22932984232 100644
+--- a/drivers/soc/ti/wkup_m3_ipc.c
++++ b/drivers/soc/ti/wkup_m3_ipc.c
+@@ -16,7 +16,6 @@
+ #include <linux/irq.h>
+ #include <linux/module.h>
+ #include <linux/of.h>
+-#include <linux/omap-mailbox.h>
+ #include <linux/platform_device.h>
+ #include <linux/remoteproc.h>
+ #include <linux/suspend.h>
+@@ -314,7 +313,6 @@ static irqreturn_t wkup_m3_txev_handler(int irq, void *ipc_data)
+ static int wkup_m3_ping(struct wkup_m3_ipc *m3_ipc)
+ {
+       struct device *dev = m3_ipc->dev;
+-      mbox_msg_t dummy_msg = 0;
+       int ret;
+       if (!m3_ipc->mbox) {
+@@ -330,7 +328,7 @@ static int wkup_m3_ping(struct wkup_m3_ipc *m3_ipc)
+        * the RX callback to avoid multiple interrupts being received
+        * by the CM3.
+        */
+-      ret = mbox_send_message(m3_ipc->mbox, &dummy_msg);
++      ret = mbox_send_message(m3_ipc->mbox, NULL);
+       if (ret < 0) {
+               dev_err(dev, "%s: mbox_send_message() failed: %d\n",
+                       __func__, ret);
+@@ -352,7 +350,6 @@ static int wkup_m3_ping(struct wkup_m3_ipc *m3_ipc)
+ static int wkup_m3_ping_noirq(struct wkup_m3_ipc *m3_ipc)
+ {
+       struct device *dev = m3_ipc->dev;
+-      mbox_msg_t dummy_msg = 0;
+       int ret;
+       if (!m3_ipc->mbox) {
+@@ -361,7 +358,7 @@ static int wkup_m3_ping_noirq(struct wkup_m3_ipc *m3_ipc)
+               return -EIO;
+       }
+-      ret = mbox_send_message(m3_ipc->mbox, &dummy_msg);
++      ret = mbox_send_message(m3_ipc->mbox, NULL);
+       if (ret < 0) {
+               dev_err(dev, "%s: mbox_send_message() failed: %d\n",
+                       __func__, ret);
+-- 
+2.43.0
+
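Review bot: Removing `#include <linux/omap-mailbox.h>` is only safe if the two `mbox_msg_t dummy_msg = 0;` declarations deleted here were the file's last references to that header; the hunks show nothing else of the file, so confirm that no other function (an rx callback, for instance) still uses `mbox_msg_t` or another symbol from it. The description could also state the consequence of the old code plainly: if the controller forwards the pointer value as the u32 payload, as its first sentence says, the previous calls handed the address of a kernel stack variable to the M3 firmware instead of a zero message, which makes this more than a cosmetic cleanup for backport triage. Both wkup_m3_ping() and wkup_m3_ping_noirq() continue outside their hunks.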
diff --git a/queue-6.6/vduse-temporarily-fail-if-control-queue-feature-requ.patch b/queue-6.6/vduse-temporarily-fail-if-control-queue-feature-requ.patch
new file mode 100644 (file)
index 0000000..666c394
--- /dev/null
@@ -0,0 +1,66 @@
+From 36b3092a0a36bfd562cf412967297e6080ac0f3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Jan 2024 12:10:24 +0100
+Subject: vduse: Temporarily fail if control queue feature requested
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maxime Coquelin <maxime.coquelin@redhat.com>
+
+[ Upstream commit 56e71885b0349241c07631a7b979b61e81afab6a ]
+
+Virtio-net driver control queue implementation is not safe
+when used with VDUSE. If the VDUSE application does not
+reply to control queue messages, it currently ends up
+hanging the kernel thread sending this command.
+
+Some work is on-going to make the control queue
+implementation robust with VDUSE. Until it is completed,
+let's fail features check if control-queue feature is
+requested.
+
+Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
+Message-Id: <20240109111025.1320976-3-maxime.coquelin@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Eugenio Pérez <eperezma@redhat.com>
+Reviewed-by: Xie Yongji <xieyongji@bytedance.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vdpa/vdpa_user/vduse_dev.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c
+index d91fe7e0733b6..d7bda179ef79f 100644
+--- a/drivers/vdpa/vdpa_user/vduse_dev.c
++++ b/drivers/vdpa/vdpa_user/vduse_dev.c
+@@ -8,6 +8,7 @@
+  *
+  */
++#include "linux/virtio_net.h"
+ #include <linux/init.h>
+ #include <linux/module.h>
+ #include <linux/cdev.h>
+@@ -28,6 +29,7 @@
+ #include <uapi/linux/virtio_config.h>
+ #include <uapi/linux/virtio_ids.h>
+ #include <uapi/linux/virtio_blk.h>
++#include <uapi/linux/virtio_ring.h>
+ #include <linux/mod_devicetable.h>
+ #include "iova_domain.h"
+@@ -1671,6 +1673,9 @@ static bool features_is_valid(struct vduse_dev_config *config)
+       if ((config->device_id == VIRTIO_ID_BLOCK) &&
+                       (config->features & BIT_ULL(VIRTIO_BLK_F_CONFIG_WCE)))
+               return false;
++      else if ((config->device_id == VIRTIO_ID_NET) &&
++                      (config->features & BIT_ULL(VIRTIO_NET_F_CTRL_VQ)))
++              return false;
+       return true;
+ }
+-- 
+2.43.0
+
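Review bot: The new `#include "linux/virtio_net.h"` uses quotes and sits ahead of `<linux/init.h>`, unlike every other kernel header in the block; it should be `#include <linux/virtio_net.h>` grouped with the other `<linux/...>` includes so its lookup order matches theirs. In features_is_valid(), the `else` in `else if ((config->device_id == VIRTIO_ID_NET) &&` is redundant after an unconditional `return false;` and can be a plain `if`, mirroring the block check above it. A short comment on that branch, e.g. `/* control queue is not yet safe with VDUSE: an unresponsive userspace would hang the sending kernel thread */`, keeps the reason from the description at the point of rejection. features_is_valid() starts before the hunk.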
diff --git a/queue-6.6/vduse-validate-block-features-only-with-block-device.patch b/queue-6.6/vduse-validate-block-features-only-with-block-device.patch
new file mode 100644 (file)
index 0000000..e9d41d6
--- /dev/null
@@ -0,0 +1,64 @@
+From 29a65587414a31321fe680c157cef53668383432 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Jan 2024 12:10:23 +0100
+Subject: vduse: validate block features only with block devices
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maxime Coquelin <maxime.coquelin@redhat.com>
+
+[ Upstream commit a115b5716fc9a64652aa9cb332070087178ffafa ]
+
+This patch is preliminary work to enable network device
+type support to VDUSE.
+
+As VIRTIO_BLK_F_CONFIG_WCE shares the same value as
+VIRTIO_NET_F_HOST_TSO4, we need to restrict its check
+to Virtio-blk device type.
+
+Acked-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Xie Yongji <xieyongji@bytedance.com>
+Reviewed-by: Eugenio Pérez <eperezma@redhat.com>
+Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
+Message-Id: <20240109111025.1320976-2-maxime.coquelin@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vdpa/vdpa_user/vduse_dev.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c
+index df7869537ef14..d91fe7e0733b6 100644
+--- a/drivers/vdpa/vdpa_user/vduse_dev.c
++++ b/drivers/vdpa/vdpa_user/vduse_dev.c
+@@ -1662,13 +1662,14 @@ static bool device_is_allowed(u32 device_id)
+       return false;
+ }
+-static bool features_is_valid(u64 features)
++static bool features_is_valid(struct vduse_dev_config *config)
+ {
+-      if (!(features & (1ULL << VIRTIO_F_ACCESS_PLATFORM)))
++      if (!(config->features & BIT_ULL(VIRTIO_F_ACCESS_PLATFORM)))
+               return false;
+       /* Now we only support read-only configuration space */
+-      if (features & (1ULL << VIRTIO_BLK_F_CONFIG_WCE))
++      if ((config->device_id == VIRTIO_ID_BLOCK) &&
++                      (config->features & BIT_ULL(VIRTIO_BLK_F_CONFIG_WCE)))
+               return false;
+       return true;
+@@ -1695,7 +1696,7 @@ static bool vduse_validate_config(struct vduse_dev_config *config)
+       if (!device_is_allowed(config->device_id))
+               return false;
+-      if (!features_is_valid(config->features))
++      if (!features_is_valid(config))
+               return false;
+       return true;
+-- 
+2.43.0
+
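Review bot: features_is_valid() only reads through `config`, so the new signature would be clearer as `static bool features_is_valid(const struct vduse_dev_config *config)`, which the single call site in vduse_validate_config() already satisfies. The comment `/* Now we only support read-only configuration space */` now describes only the block-device branch below it; rewording it to `/* Block devices: writable config space (VIRTIO_BLK_F_CONFIG_WCE) is not supported */` keeps it accurate once other device types are admitted. Keying the check on `device_id` is sound here because vduse_validate_config() rejects unknown ids via `device_is_allowed(config->device_id)` before calling this, as the second hunk shows. features_is_valid() ends inside the hunk; vduse_validate_config() does not.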
diff --git a/queue-6.6/wifi-ieee80211-check-for-null-in-ieee80211_mle_size_.patch b/queue-6.6/wifi-ieee80211-check-for-null-in-ieee80211_mle_size_.patch
new file mode 100644 (file)
index 0000000..6fd14af
--- /dev/null
@@ -0,0 +1,38 @@
+From b4e17079e28047e6e6523ee09abaf1ab4036e95d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Mar 2024 18:53:17 +0200
+Subject: wifi: ieee80211: check for NULL in ieee80211_mle_size_ok()
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit b7793a1a2f370c28b17d9554b58e9dc51afcfcbd ]
+
+For simplicity, we may want to pass a NULL element, and
+while we should then pass also a zero length, just be a
+bit more careful here.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://msgid.link/20240318184907.4d983653cb8d.Ic3ea99b60c61ac2f7d38cb9fd202a03c97a05601@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/ieee80211.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
+index 5fbc08930941c..5f1e5a16d7b2c 100644
+--- a/include/linux/ieee80211.h
++++ b/include/linux/ieee80211.h
+@@ -4952,7 +4952,7 @@ static inline bool ieee80211_mle_size_ok(const u8 *data, size_t len)
+       bool check_common_len = false;
+       u16 control;
+-      if (len < fixed)
++      if (!data || len < fixed)
+               return false;
+       control = le16_to_cpu(mle->control);
+-- 
+2.43.0
+
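Review bot: The guard `if (!data || len < fixed)` now sits ahead of the first dereference visible here, `mle->control` on the following context line, but `mle` is derived from `data` above the hunk; if anything between that assignment and this check reads through `mle` (a `sizeof`-based `fixed` would not), the NULL case still faults, so that stretch is worth a glance. A brief comment, `/* NULL data is accepted as an empty element; callers should pass len == 0 with it */`, would record the convention the description gives. ieee80211_mle_size_ok() starts and ends outside the hunk.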
diff --git a/queue-6.6/x86-fpu-fix-amd-x86_bug_fxsave_leak-fixup.patch b/queue-6.6/x86-fpu-fix-amd-x86_bug_fxsave_leak-fixup.patch
new file mode 100644 (file)
index 0000000..c4ea7de
--- /dev/null
@@ -0,0 +1,61 @@
+From 8e8d2025575b7d78c5a538534593254c27b57c0e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Mar 2024 09:18:23 +0100
+Subject: x86/fpu: Fix AMD X86_BUG_FXSAVE_LEAK fixup
+
+From: Uros Bizjak <ubizjak@gmail.com>
+
+[ Upstream commit 5d31174f3c8c465d9dbe88f6b9d1fe5716f44981 ]
+
+The assembly snippet in restore_fpregs_from_fpstate() that implements
+X86_BUG_FXSAVE_LEAK fixup loads the value from a random variable,
+preferably the one that is already in the L1 cache.
+
+However, the access to fpinit_state via *fpstate pointer is not
+implemented correctly. The "m" asm constraint requires dereferenced
+pointer variable, otherwise the compiler just reloads the value
+via temporary stack slot. The current asm code reflects this:
+
+     mov    %rdi,(%rsp)
+     ...
+     fildl  (%rsp)
+
+With dereferenced pointer variable, the code does what the
+comment above the asm snippet says:
+
+     fildl  (%rdi)
+
+Also, remove the pointless %P operand modifier. The modifier is
+ineffective on non-symbolic references - it was used to prevent
+%rip-relative addresses in .altinstr sections, but FILDL in the
+.text section can use %rip-relative addresses without problems.
+
+Signed-off-by: Uros Bizjak <ubizjak@gmail.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/20240315081849.5187-1-ubizjak@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/fpu/core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c
+index a21a4d0ecc345..4b414b0ab0692 100644
+--- a/arch/x86/kernel/fpu/core.c
++++ b/arch/x86/kernel/fpu/core.c
+@@ -145,8 +145,8 @@ void restore_fpregs_from_fpstate(struct fpstate *fpstate, u64 mask)
+               asm volatile(
+                       "fnclex\n\t"
+                       "emms\n\t"
+-                      "fildl %P[addr]"        /* set F?P to defined value */
+-                      : : [addr] "m" (fpstate));
++                      "fildl %[addr]" /* set F?P to defined value */
++                      : : [addr] "m" (*fpstate));
+       }
+       if (use_xsave()) {
+-- 
+2.43.0
+
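Review bot: The comment on the asm line still only says `set F?P to defined value`; since the substance of the fix is that the memory operand must be the dereferenced object, a note beside the operand list such as `/* "m" (*fpstate): the load must hit the struct itself, not a stack copy of the pointer */` would stop a later cleanup from reverting it to `fpstate`. With `*fpstate` the compiler sees the whole struct as read, which is what the 4-byte `fildl` from its first bytes needs; with the plain pointer it was free to spill the pointer and load from that slot, as the description's disassembly shows. restore_fpregs_from_fpstate() starts and ends outside the hunk.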