--- /dev/null
+From 35243fc777566ccb3370e175cf591fea0f81f68c Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 2 Jan 2025 12:49:36 +0100
+Subject: drm/nouveau/disp: Fix missing backlight control on Macbook 5,1
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 35243fc777566ccb3370e175cf591fea0f81f68c upstream.
+
+Macbook 5,1 with MCP79 lost its backlight control since the recent
+change for supporting GSP-RM; it rewrote the whole nv50 backlight
+control code and each display engine is supposed to have an entry for
+IOR bl callback, but it didn't cover mcp77.
+
+This patch adds the missing bl entry initialization for mcp77 display
+engine to recover the backlight control.
+
+Fixes: 2274ce7e3681 ("drm/nouveau/disp: add output backlight control methods")
+Cc: stable@vger.kernel.org
+Link: https://bugzilla.suse.com/show_bug.cgi?id=1223838
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Danilo Krummrich <dakr@kernel.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20250102114944.11499-1-tiwai@suse.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/nouveau/nvkm/engine/disp/mcp77.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/mcp77.c
++++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/mcp77.c
+@@ -31,6 +31,7 @@ mcp77_sor = {
+ .state = g94_sor_state,
+ .power = nv50_sor_power,
+ .clock = nv50_sor_clock,
++ .bl = &nv50_sor_bl,
+ .hdmi = &g84_sor_hdmi,
+ .dp = &g94_sor_dp,
+ };
--- /dev/null
+From f505e6c91e7a22d10316665a86d79f84d9f0ba76 Mon Sep 17 00:00:00 2001
+From: Marco Nelissen <marco.nelissen@gmail.com>
+Date: Thu, 2 Jan 2025 11:04:11 -0800
+Subject: filemap: avoid truncating 64-bit offset to 32 bits
+
+From: Marco Nelissen <marco.nelissen@gmail.com>
+
+commit f505e6c91e7a22d10316665a86d79f84d9f0ba76 upstream.
+
+On 32-bit kernels, folio_seek_hole_data() was inadvertently truncating a
+64-bit value to 32 bits, leading to a possible infinite loop when writing
+to an xfs filesystem.
+
+Link: https://lkml.kernel.org/r/20250102190540.1356838-1-marco.nelissen@gmail.com
+Fixes: 54fa39ac2e00 ("iomap: use mapping_seek_hole_data")
+Signed-off-by: Marco Nelissen <marco.nelissen@gmail.com>
+Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/filemap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/filemap.c
++++ b/mm/filemap.c
+@@ -3004,7 +3004,7 @@ static inline loff_t folio_seek_hole_dat
+ if (ops->is_partially_uptodate(folio, offset, bsz) ==
+ seek_data)
+ break;
+- start = (start + bsz) & ~(bsz - 1);
++ start = (start + bsz) & ~((u64)bsz - 1);
+ offset += bsz;
+ } while (offset < folio_size(folio));
+ unlock:
--- /dev/null
+From cbc5dde0a461240046e8a41c43d7c3b76d5db952 Mon Sep 17 00:00:00 2001
+From: Rik van Riel <riel@surriel.com>
+Date: Fri, 10 Jan 2025 10:28:21 -0500
+Subject: fs/proc: fix softlockup in __read_vmcore (part 2)
+
+From: Rik van Riel <riel@surriel.com>
+
+commit cbc5dde0a461240046e8a41c43d7c3b76d5db952 upstream.
+
+Since commit 5cbcb62dddf5 ("fs/proc: fix softlockup in __read_vmcore") the
+number of softlockups in __read_vmcore at kdump time have gone down, but
+they still happen sometimes.
+
+In a memory constrained environment like the kdump image, a softlockup is
+not just a harmless message, but it can interfere with things like RCU
+freeing memory, causing the crashdump to get stuck.
+
+The second loop in __read_vmcore has a lot more opportunities for natural
+sleep points, like scheduling out while waiting for a data write to
+happen, but apparently that is not always enough.
+
+Add a cond_resched() to the second loop in __read_vmcore to (hopefully)
+get rid of the softlockups.
+
+Link: https://lkml.kernel.org/r/20250110102821.2a37581b@fangorn
+Fixes: 5cbcb62dddf5 ("fs/proc: fix softlockup in __read_vmcore")
+Signed-off-by: Rik van Riel <riel@surriel.com>
+Reported-by: Breno Leitao <leitao@debian.org>
+Cc: Baoquan He <bhe@redhat.com>
+Cc: Dave Young <dyoung@redhat.com>
+Cc: Vivek Goyal <vgoyal@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/vmcore.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/proc/vmcore.c
++++ b/fs/proc/vmcore.c
+@@ -404,6 +404,8 @@ static ssize_t __read_vmcore(struct iov_
+ if (!iov_iter_count(iter))
+ return acc;
+ }
++
++ cond_resched();
+ }
+
+ return acc;
--- /dev/null
+From 9860370c2172704b6b4f0075a0c2a29fd84af96a Mon Sep 17 00:00:00 2001
+From: Sean Anderson <sean.anderson@linux.dev>
+Date: Fri, 10 Jan 2025 11:33:54 -0500
+Subject: gpio: xilinx: Convert gpio_lock to raw spinlock
+
+From: Sean Anderson <sean.anderson@linux.dev>
+
+commit 9860370c2172704b6b4f0075a0c2a29fd84af96a upstream.
+
+irq_chip functions may be called in raw spinlock context. Therefore, we
+must also use a raw spinlock for our own internal locking.
+
+This fixes the following lockdep splat:
+
+[ 5.349336] =============================
+[ 5.353349] [ BUG: Invalid wait context ]
+[ 5.357361] 6.13.0-rc5+ #69 Tainted: G W
+[ 5.363031] -----------------------------
+[ 5.367045] kworker/u17:1/44 is trying to lock:
+[ 5.371587] ffffff88018b02c0 (&chip->gpio_lock){....}-{3:3}, at: xgpio_irq_unmask (drivers/gpio/gpio-xilinx.c:433 (discriminator 8))
+[ 5.380079] other info that might help us debug this:
+[ 5.385138] context-{5:5}
+[ 5.387762] 5 locks held by kworker/u17:1/44:
+[ 5.392123] #0: ffffff8800014958 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work (kernel/workqueue.c:3204)
+[ 5.402260] #1: ffffffc082fcbdd8 (deferred_probe_work){+.+.}-{0:0}, at: process_one_work (kernel/workqueue.c:3205)
+[ 5.411528] #2: ffffff880172c900 (&dev->mutex){....}-{4:4}, at: __device_attach (drivers/base/dd.c:1006)
+[ 5.419929] #3: ffffff88039c8268 (request_class#2){+.+.}-{4:4}, at: __setup_irq (kernel/irq/internals.h:156 kernel/irq/manage.c:1596)
+[ 5.428331] #4: ffffff88039c80c8 (lock_class#2){....}-{2:2}, at: __setup_irq (kernel/irq/manage.c:1614)
+[ 5.436472] stack backtrace:
+[ 5.439359] CPU: 2 UID: 0 PID: 44 Comm: kworker/u17:1 Tainted: G W 6.13.0-rc5+ #69
+[ 5.448690] Tainted: [W]=WARN
+[ 5.451656] Hardware name: xlnx,zynqmp (DT)
+[ 5.455845] Workqueue: events_unbound deferred_probe_work_func
+[ 5.461699] Call trace:
+[ 5.464147] show_stack+0x18/0x24 C
+[ 5.467821] dump_stack_lvl (lib/dump_stack.c:123)
+[ 5.471501] dump_stack (lib/dump_stack.c:130)
+[ 5.474824] __lock_acquire (kernel/locking/lockdep.c:4828 kernel/locking/lockdep.c:4898 kernel/locking/lockdep.c:5176)
+[ 5.478758] lock_acquire (arch/arm64/include/asm/percpu.h:40 kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5851 kernel/locking/lockdep.c:5814)
+[ 5.482429] _raw_spin_lock_irqsave (include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
+[ 5.486797] xgpio_irq_unmask (drivers/gpio/gpio-xilinx.c:433 (discriminator 8))
+[ 5.490737] irq_enable (kernel/irq/internals.h:236 kernel/irq/chip.c:170 kernel/irq/chip.c:439 kernel/irq/chip.c:432 kernel/irq/chip.c:345)
+[ 5.494060] __irq_startup (kernel/irq/internals.h:241 kernel/irq/chip.c:180 kernel/irq/chip.c:250)
+[ 5.497645] irq_startup (kernel/irq/chip.c:270)
+[ 5.501143] __setup_irq (kernel/irq/manage.c:1807)
+[ 5.504728] request_threaded_irq (kernel/irq/manage.c:2208)
+
+Fixes: a32c7caea292 ("gpio: gpio-xilinx: Add interrupt support")
+Signed-off-by: Sean Anderson <sean.anderson@linux.dev>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250110163354.2012654-1-sean.anderson@linux.dev
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-xilinx.c | 32 ++++++++++++++++----------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+--- a/drivers/gpio/gpio-xilinx.c
++++ b/drivers/gpio/gpio-xilinx.c
+@@ -65,7 +65,7 @@ struct xgpio_instance {
+ DECLARE_BITMAP(state, 64);
+ DECLARE_BITMAP(last_irq_read, 64);
+ DECLARE_BITMAP(dir, 64);
+- spinlock_t gpio_lock; /* For serializing operations */
++ raw_spinlock_t gpio_lock; /* For serializing operations */
+ int irq;
+ DECLARE_BITMAP(enable, 64);
+ DECLARE_BITMAP(rising_edge, 64);
+@@ -179,14 +179,14 @@ static void xgpio_set(struct gpio_chip *
+ struct xgpio_instance *chip = gpiochip_get_data(gc);
+ int bit = xgpio_to_bit(chip, gpio);
+
+- spin_lock_irqsave(&chip->gpio_lock, flags);
++ raw_spin_lock_irqsave(&chip->gpio_lock, flags);
+
+ /* Write to GPIO signal and set its direction to output */
+ __assign_bit(bit, chip->state, val);
+
+ xgpio_write_ch(chip, XGPIO_DATA_OFFSET, bit, chip->state);
+
+- spin_unlock_irqrestore(&chip->gpio_lock, flags);
++ raw_spin_unlock_irqrestore(&chip->gpio_lock, flags);
+ }
+
+ /**
+@@ -210,7 +210,7 @@ static void xgpio_set_multiple(struct gp
+ bitmap_remap(hw_mask, mask, chip->sw_map, chip->hw_map, 64);
+ bitmap_remap(hw_bits, bits, chip->sw_map, chip->hw_map, 64);
+
+- spin_lock_irqsave(&chip->gpio_lock, flags);
++ raw_spin_lock_irqsave(&chip->gpio_lock, flags);
+
+ bitmap_replace(state, chip->state, hw_bits, hw_mask, 64);
+
+@@ -218,7 +218,7 @@ static void xgpio_set_multiple(struct gp
+
+ bitmap_copy(chip->state, state, 64);
+
+- spin_unlock_irqrestore(&chip->gpio_lock, flags);
++ raw_spin_unlock_irqrestore(&chip->gpio_lock, flags);
+ }
+
+ /**
+@@ -236,13 +236,13 @@ static int xgpio_dir_in(struct gpio_chip
+ struct xgpio_instance *chip = gpiochip_get_data(gc);
+ int bit = xgpio_to_bit(chip, gpio);
+
+- spin_lock_irqsave(&chip->gpio_lock, flags);
++ raw_spin_lock_irqsave(&chip->gpio_lock, flags);
+
+ /* Set the GPIO bit in shadow register and set direction as input */
+ __set_bit(bit, chip->dir);
+ xgpio_write_ch(chip, XGPIO_TRI_OFFSET, bit, chip->dir);
+
+- spin_unlock_irqrestore(&chip->gpio_lock, flags);
++ raw_spin_unlock_irqrestore(&chip->gpio_lock, flags);
+
+ return 0;
+ }
+@@ -265,7 +265,7 @@ static int xgpio_dir_out(struct gpio_chi
+ struct xgpio_instance *chip = gpiochip_get_data(gc);
+ int bit = xgpio_to_bit(chip, gpio);
+
+- spin_lock_irqsave(&chip->gpio_lock, flags);
++ raw_spin_lock_irqsave(&chip->gpio_lock, flags);
+
+ /* Write state of GPIO signal */
+ __assign_bit(bit, chip->state, val);
+@@ -275,7 +275,7 @@ static int xgpio_dir_out(struct gpio_chi
+ __clear_bit(bit, chip->dir);
+ xgpio_write_ch(chip, XGPIO_TRI_OFFSET, bit, chip->dir);
+
+- spin_unlock_irqrestore(&chip->gpio_lock, flags);
++ raw_spin_unlock_irqrestore(&chip->gpio_lock, flags);
+
+ return 0;
+ }
+@@ -398,7 +398,7 @@ static void xgpio_irq_mask(struct irq_da
+ int bit = xgpio_to_bit(chip, irq_offset);
+ u32 mask = BIT(bit / 32), temp;
+
+- spin_lock_irqsave(&chip->gpio_lock, flags);
++ raw_spin_lock_irqsave(&chip->gpio_lock, flags);
+
+ __clear_bit(bit, chip->enable);
+
+@@ -408,7 +408,7 @@ static void xgpio_irq_mask(struct irq_da
+ temp &= ~mask;
+ xgpio_writereg(chip->regs + XGPIO_IPIER_OFFSET, temp);
+ }
+- spin_unlock_irqrestore(&chip->gpio_lock, flags);
++ raw_spin_unlock_irqrestore(&chip->gpio_lock, flags);
+
+ gpiochip_disable_irq(&chip->gc, irq_offset);
+ }
+@@ -428,7 +428,7 @@ static void xgpio_irq_unmask(struct irq_
+
+ gpiochip_enable_irq(&chip->gc, irq_offset);
+
+- spin_lock_irqsave(&chip->gpio_lock, flags);
++ raw_spin_lock_irqsave(&chip->gpio_lock, flags);
+
+ __set_bit(bit, chip->enable);
+
+@@ -447,7 +447,7 @@ static void xgpio_irq_unmask(struct irq_
+ xgpio_writereg(chip->regs + XGPIO_IPIER_OFFSET, val);
+ }
+
+- spin_unlock_irqrestore(&chip->gpio_lock, flags);
++ raw_spin_unlock_irqrestore(&chip->gpio_lock, flags);
+ }
+
+ /**
+@@ -512,7 +512,7 @@ static void xgpio_irqhandler(struct irq_
+
+ chained_irq_enter(irqchip, desc);
+
+- spin_lock(&chip->gpio_lock);
++ raw_spin_lock(&chip->gpio_lock);
+
+ xgpio_read_ch_all(chip, XGPIO_DATA_OFFSET, all);
+
+@@ -529,7 +529,7 @@ static void xgpio_irqhandler(struct irq_
+ bitmap_copy(chip->last_irq_read, all, 64);
+ bitmap_or(all, rising, falling, 64);
+
+- spin_unlock(&chip->gpio_lock);
++ raw_spin_unlock(&chip->gpio_lock);
+
+ dev_dbg(gc->parent, "IRQ rising %*pb falling %*pb\n", 64, rising, 64, falling);
+
+@@ -620,7 +620,7 @@ static int xgpio_probe(struct platform_d
+ bitmap_set(chip->hw_map, 0, width[0]);
+ bitmap_set(chip->hw_map, 32, width[1]);
+
+- spin_lock_init(&chip->gpio_lock);
++ raw_spin_lock_init(&chip->gpio_lock);
+
+ chip->gc.base = -1;
+ chip->gc.ngpio = bitmap_weight(chip->hw_map, 64);
--- /dev/null
+From cefc479cbb50399dec0c8e996f3539c48a1ee9dd Mon Sep 17 00:00:00 2001
+From: Tomi Valkeinen <tomi.valkeinen+renesas@ideasonboard.com>
+Date: Fri, 22 Nov 2024 14:26:18 +0200
+Subject: i2c: atr: Fix client detach
+
+From: Tomi Valkeinen <tomi.valkeinen+renesas@ideasonboard.com>
+
+commit cefc479cbb50399dec0c8e996f3539c48a1ee9dd upstream.
+
+i2c-atr catches the BUS_NOTIFY_DEL_DEVICE event on the bus and removes
+the translation by calling i2c_atr_detach_client().
+
+However, BUS_NOTIFY_DEL_DEVICE happens when the device is about to be
+removed from this bus, i.e. before removal, and thus before calling
+.remove() on the driver. If the driver happens to do any i2c
+transactions in its remove(), they will fail.
+
+Fix this by catching BUS_NOTIFY_REMOVED_DEVICE instead, thus removing
+the translation only after the device is actually removed.
+
+Fixes: a076a860acae ("media: i2c: add I2C Address Translator (ATR) support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen+renesas@ideasonboard.com>
+Reviewed-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
+Reviewed-by: Romain Gantois <romain.gantois@bootlin.com>
+Tested-by: Romain Gantois <romain.gantois@bootlin.com>
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/i2c-atr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/i2c-atr.c
++++ b/drivers/i2c/i2c-atr.c
+@@ -412,7 +412,7 @@ static int i2c_atr_bus_notifier_call(str
+ dev_name(dev), ret);
+ break;
+
+- case BUS_NOTIFY_DEL_DEVICE:
++ case BUS_NOTIFY_REMOVED_DEVICE:
+ i2c_atr_detach_client(client->adapter, client);
+ break;
+
--- /dev/null
+From 2ca06a2f65310aeef30bb69b7405437a14766e4d Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Mon, 13 Jan 2025 16:44:56 +0100
+Subject: mptcp: be sure to send ack when mptcp-level window re-opens
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit 2ca06a2f65310aeef30bb69b7405437a14766e4d upstream.
+
+mptcp_cleanup_rbuf() is responsible to send acks when the user-space
+reads enough data to update the receive windows significantly.
+
+It tries hard to avoid acquiring the subflow sockets locks by checking
+conditions similar to the ones implemented at the TCP level.
+
+To avoid too much code duplication - the MPTCP protocol can't reuse the
+TCP helpers as part of the relevant status is maintained into the msk
+socket - and multiple costly window size computation, mptcp_cleanup_rbuf
+uses a rough estimate for the most recently advertised window size:
+the MPTCP receive free space, as recorded as at last-ack time.
+
+Unfortunately the above does not allow mptcp_cleanup_rbuf() to detect
+a zero to non-zero win change in some corner cases, skipping the
+tcp_cleanup_rbuf call and leaving the peer stuck.
+
+After commit ea66758c1795 ("tcp: allow MPTCP to update the announced
+window"), MPTCP has actually cheap access to the announced window value.
+Use it in mptcp_cleanup_rbuf() for a more accurate ack generation.
+
+Fixes: e3859603ba13 ("mptcp: better msk receive window updates")
+Cc: stable@vger.kernel.org
+Reported-by: Jakub Kicinski <kuba@kernel.org>
+Closes: https://lore.kernel.org/20250107131845.5e5de3c5@kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20250113-net-mptcp-connect-st-flakes-v1-1-0d986ee7b1b6@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/options.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/mptcp/options.c
++++ b/net/mptcp/options.c
+@@ -607,7 +607,6 @@ static bool mptcp_established_options_ds
+ }
+ opts->ext_copy.use_ack = 1;
+ opts->suboptions = OPTION_MPTCP_DSS;
+- WRITE_ONCE(msk->old_wspace, __mptcp_space((struct sock *)msk));
+
+ /* Add kind/length/subtype/flag overhead if mapping is not populated */
+ if (dss_size == 0)
+@@ -1288,7 +1287,7 @@ static void mptcp_set_rwin(struct tcp_so
+ }
+ MPTCP_INC_STATS(sock_net(ssk), MPTCP_MIB_RCVWNDCONFLICT);
+ }
+- return;
++ goto update_wspace;
+ }
+
+ if (rcv_wnd_new != rcv_wnd_old) {
+@@ -1313,6 +1312,9 @@ raise_win:
+ th->window = htons(new_win);
+ MPTCP_INC_STATS(sock_net(ssk), MPTCP_MIB_RCVWNDSHARED);
+ }
++
++update_wspace:
++ WRITE_ONCE(msk->old_wspace, tp->rcv_wnd);
+ }
+
+ __sum16 __mptcp_make_csum(u64 data_seq, u32 subflow_seq, u16 data_len, __wsum sum)
--- /dev/null
+From e226d9259dc4f5d2c19e6682ad1356fa97cf38f4 Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Mon, 13 Jan 2025 16:44:57 +0100
+Subject: mptcp: fix spurious wake-up on under memory pressure
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit e226d9259dc4f5d2c19e6682ad1356fa97cf38f4 upstream.
+
+The wake-up condition currently implemented by mptcp_epollin_ready()
+is wrong, as it could mark the MPTCP socket as readable even when
+no data are present and the system is under memory pressure.
+
+Explicitly check for some data being available in the receive queue.
+
+Fixes: 5684ab1a0eff ("mptcp: give rcvlowat some love")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20250113-net-mptcp-connect-st-flakes-v1-2-0d986ee7b1b6@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.h | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/mptcp/protocol.h
++++ b/net/mptcp/protocol.h
+@@ -760,10 +760,15 @@ static inline u64 mptcp_data_avail(const
+
+ static inline bool mptcp_epollin_ready(const struct sock *sk)
+ {
++ u64 data_avail = mptcp_data_avail(mptcp_sk(sk));
++
++ if (!data_avail)
++ return false;
++
+ /* mptcp doesn't have to deal with small skbs in the receive queue,
+- * at it can always coalesce them
++ * as it can always coalesce them
+ */
+- return (mptcp_data_avail(mptcp_sk(sk)) >= sk->sk_rcvlowat) ||
++ return (data_avail >= sk->sk_rcvlowat) ||
+ (mem_cgroup_sockets_enabled && sk->sk_memcg &&
+ mem_cgroup_under_socket_pressure(sk->sk_memcg)) ||
+ READ_ONCE(tcp_memory_pressure);
--- /dev/null
+From 6be7aca91009865d8c2b73589270224a6b6e67ab Mon Sep 17 00:00:00 2001
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Sun, 12 Jan 2025 22:59:59 +0100
+Subject: net: ethernet: xgbe: re-add aneg to supported features in PHY quirks
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+commit 6be7aca91009865d8c2b73589270224a6b6e67ab upstream.
+
+In 4.19, before the switch to linkmode bitmaps, PHY_GBIT_FEATURES
+included feature bits for aneg and TP/MII ports.
+
+ SUPPORTED_TP | \
+ SUPPORTED_MII)
+
+ SUPPORTED_10baseT_Full)
+
+ SUPPORTED_100baseT_Full)
+
+ SUPPORTED_1000baseT_Full)
+
+ PHY_100BT_FEATURES | \
+ PHY_DEFAULT_FEATURES)
+
+ PHY_1000BT_FEATURES)
+
+Referenced commit expanded PHY_GBIT_FEATURES, silently removing
+PHY_DEFAULT_FEATURES. The removed part can be re-added by using
+the new PHY_GBIT_FEATURES definition.
+Not clear to me is why nobody seems to have noticed this issue.
+
+I stumbled across this when checking what it takes to make
+phy_10_100_features_array et al private to phylib.
+
+Fixes: d0939c26c53a ("net: ethernet: xgbe: expand PHY_GBIT_FEAUTRES")
+Cc: stable@vger.kernel.org
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Link: https://patch.msgid.link/46521973-7738-4157-9f5e-0bb6f694acba@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c | 19 ++-----------------
+ 1 file changed, 2 insertions(+), 17 deletions(-)
+
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-phy-v2.c
+@@ -923,7 +923,6 @@ static void xgbe_phy_free_phy_device(str
+
+ static bool xgbe_phy_finisar_phy_quirks(struct xgbe_prv_data *pdata)
+ {
+- __ETHTOOL_DECLARE_LINK_MODE_MASK(supported) = { 0, };
+ struct xgbe_phy_data *phy_data = pdata->phy_data;
+ unsigned int phy_id = phy_data->phydev->phy_id;
+
+@@ -945,14 +944,7 @@ static bool xgbe_phy_finisar_phy_quirks(
+ phy_write(phy_data->phydev, 0x04, 0x0d01);
+ phy_write(phy_data->phydev, 0x00, 0x9140);
+
+- linkmode_set_bit_array(phy_10_100_features_array,
+- ARRAY_SIZE(phy_10_100_features_array),
+- supported);
+- linkmode_set_bit_array(phy_gbit_features_array,
+- ARRAY_SIZE(phy_gbit_features_array),
+- supported);
+-
+- linkmode_copy(phy_data->phydev->supported, supported);
++ linkmode_copy(phy_data->phydev->supported, PHY_GBIT_FEATURES);
+
+ phy_support_asym_pause(phy_data->phydev);
+
+@@ -964,7 +956,6 @@ static bool xgbe_phy_finisar_phy_quirks(
+
+ static bool xgbe_phy_belfuse_phy_quirks(struct xgbe_prv_data *pdata)
+ {
+- __ETHTOOL_DECLARE_LINK_MODE_MASK(supported) = { 0, };
+ struct xgbe_phy_data *phy_data = pdata->phy_data;
+ struct xgbe_sfp_eeprom *sfp_eeprom = &phy_data->sfp_eeprom;
+ unsigned int phy_id = phy_data->phydev->phy_id;
+@@ -1028,13 +1019,7 @@ static bool xgbe_phy_belfuse_phy_quirks(
+ reg = phy_read(phy_data->phydev, 0x00);
+ phy_write(phy_data->phydev, 0x00, reg & ~0x00800);
+
+- linkmode_set_bit_array(phy_10_100_features_array,
+- ARRAY_SIZE(phy_10_100_features_array),
+- supported);
+- linkmode_set_bit_array(phy_gbit_features_array,
+- ARRAY_SIZE(phy_gbit_features_array),
+- supported);
+- linkmode_copy(phy_data->phydev->supported, supported);
++ linkmode_copy(phy_data->phydev->supported, PHY_GBIT_FEATURES);
+ phy_support_asym_pause(phy_data->phydev);
+
+ netif_dbg(pdata, drv, pdata->netdev,
--- /dev/null
+From 9e2bbab94b88295dcc57c7580393c9ee08d7314d Mon Sep 17 00:00:00 2001
+From: Paul Fertser <fercerpav@gmail.com>
+Date: Thu, 9 Jan 2025 17:50:54 +0300
+Subject: net/ncsi: fix locking in Get MAC Address handling
+
+From: Paul Fertser <fercerpav@gmail.com>
+
+commit 9e2bbab94b88295dcc57c7580393c9ee08d7314d upstream.
+
+Obtaining RTNL lock in a response handler is not allowed since it runs
+in an atomic softirq context. Postpone setting the MAC address by adding
+a dedicated step to the configuration FSM.
+
+Fixes: 790071347a0a ("net/ncsi: change from ndo_set_mac_address to dev_set_mac_address")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/20241129-potin-revert-ncsi-set-mac-addr-v1-1-94ea2cb596af@gmail.com
+Signed-off-by: Paul Fertser <fercerpav@gmail.com>
+Tested-by: Potin Lai <potin.lai.pt@gmail.com>
+Link: https://patch.msgid.link/20250109145054.30925-1-fercerpav@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ncsi/internal.h | 2 ++
+ net/ncsi/ncsi-manage.c | 16 ++++++++++++++--
+ net/ncsi/ncsi-rsp.c | 19 ++++++-------------
+ 3 files changed, 22 insertions(+), 15 deletions(-)
+
+--- a/net/ncsi/internal.h
++++ b/net/ncsi/internal.h
+@@ -289,6 +289,7 @@ enum {
+ ncsi_dev_state_config_sp = 0x0301,
+ ncsi_dev_state_config_cis,
+ ncsi_dev_state_config_oem_gma,
++ ncsi_dev_state_config_apply_mac,
+ ncsi_dev_state_config_clear_vids,
+ ncsi_dev_state_config_svf,
+ ncsi_dev_state_config_ev,
+@@ -322,6 +323,7 @@ struct ncsi_dev_priv {
+ #define NCSI_DEV_RESHUFFLE 4
+ #define NCSI_DEV_RESET 8 /* Reset state of NC */
+ unsigned int gma_flag; /* OEM GMA flag */
++ struct sockaddr pending_mac; /* MAC address received from GMA */
+ spinlock_t lock; /* Protect the NCSI device */
+ unsigned int package_probe_id;/* Current ID during probe */
+ unsigned int package_num; /* Number of packages */
+--- a/net/ncsi/ncsi-manage.c
++++ b/net/ncsi/ncsi-manage.c
+@@ -1038,7 +1038,7 @@ static void ncsi_configure_channel(struc
+ : ncsi_dev_state_config_clear_vids;
+ break;
+ case ncsi_dev_state_config_oem_gma:
+- nd->state = ncsi_dev_state_config_clear_vids;
++ nd->state = ncsi_dev_state_config_apply_mac;
+
+ nca.package = np->id;
+ nca.channel = nc->id;
+@@ -1050,10 +1050,22 @@ static void ncsi_configure_channel(struc
+ nca.type = NCSI_PKT_CMD_OEM;
+ ret = ncsi_gma_handler(&nca, nc->version.mf_id);
+ }
+- if (ret < 0)
++ if (ret < 0) {
++ nd->state = ncsi_dev_state_config_clear_vids;
+ schedule_work(&ndp->work);
++ }
+
+ break;
++ case ncsi_dev_state_config_apply_mac:
++ rtnl_lock();
++ ret = dev_set_mac_address(dev, &ndp->pending_mac, NULL);
++ rtnl_unlock();
++ if (ret < 0)
++ netdev_warn(dev, "NCSI: 'Writing MAC address to device failed\n");
++
++ nd->state = ncsi_dev_state_config_clear_vids;
++
++ fallthrough;
+ case ncsi_dev_state_config_clear_vids:
+ case ncsi_dev_state_config_svf:
+ case ncsi_dev_state_config_ev:
+--- a/net/ncsi/ncsi-rsp.c
++++ b/net/ncsi/ncsi-rsp.c
+@@ -628,16 +628,14 @@ static int ncsi_rsp_handler_snfc(struct
+ static int ncsi_rsp_handler_oem_gma(struct ncsi_request *nr, int mfr_id)
+ {
+ struct ncsi_dev_priv *ndp = nr->ndp;
++ struct sockaddr *saddr = &ndp->pending_mac;
+ struct net_device *ndev = ndp->ndev.dev;
+ struct ncsi_rsp_oem_pkt *rsp;
+- struct sockaddr saddr;
+ u32 mac_addr_off = 0;
+- int ret = 0;
+
+ /* Get the response header */
+ rsp = (struct ncsi_rsp_oem_pkt *)skb_network_header(nr->rsp);
+
+- saddr.sa_family = ndev->type;
+ ndev->priv_flags |= IFF_LIVE_ADDR_CHANGE;
+ if (mfr_id == NCSI_OEM_MFR_BCM_ID)
+ mac_addr_off = BCM_MAC_ADDR_OFFSET;
+@@ -646,22 +644,17 @@ static int ncsi_rsp_handler_oem_gma(stru
+ else if (mfr_id == NCSI_OEM_MFR_INTEL_ID)
+ mac_addr_off = INTEL_MAC_ADDR_OFFSET;
+
+- memcpy(saddr.sa_data, &rsp->data[mac_addr_off], ETH_ALEN);
++ saddr->sa_family = ndev->type;
++ memcpy(saddr->sa_data, &rsp->data[mac_addr_off], ETH_ALEN);
+ if (mfr_id == NCSI_OEM_MFR_BCM_ID || mfr_id == NCSI_OEM_MFR_INTEL_ID)
+- eth_addr_inc((u8 *)saddr.sa_data);
+- if (!is_valid_ether_addr((const u8 *)saddr.sa_data))
++ eth_addr_inc((u8 *)saddr->sa_data);
++ if (!is_valid_ether_addr((const u8 *)saddr->sa_data))
+ return -ENXIO;
+
+ /* Set the flag for GMA command which should only be called once */
+ ndp->gma_flag = 1;
+
+- rtnl_lock();
+- ret = dev_set_mac_address(ndev, &saddr, NULL);
+- rtnl_unlock();
+- if (ret < 0)
+- netdev_warn(ndev, "NCSI: 'Writing mac address to device failed\n");
+-
+- return ret;
++ return 0;
+ }
+
+ /* Response handler for Mellanox card */
--- /dev/null
+From 1f9910b41c857a892b83801feebdc7bdf38c5985 Mon Sep 17 00:00:00 2001
+From: Dave Airlie <airlied@redhat.com>
+Date: Thu, 9 Jan 2025 10:55:53 +1000
+Subject: nouveau/fence: handle cross device fences properly
+
+From: Dave Airlie <airlied@redhat.com>
+
+commit 1f9910b41c857a892b83801feebdc7bdf38c5985 upstream.
+
+The fence sync logic doesn't handle a fence sync across devices
+as it tries to write to a channel offset from one device into
+the fence bo from a different device, which won't work so well.
+
+This patch fixes that to avoid using the sync path in the case
+where the fences come from different nouveau drm devices.
+
+This works fine on a single device as the fence bo is shared
+across the devices, and mapped into each channels vma space,
+the channel offsets are therefore okay to pass between sides,
+so one channel can sync on the seqnos from the other by using
+the offset into it's vma.
+
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Ben Skeggs <bskeggs@nvidia.com>
+[ Fix compilation issue; remove version log from commit messsage.
+ - Danilo ]
+Signed-off-by: Danilo Krummrich <dakr@kernel.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20250109005553.623947-1-airlied@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_fence.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/nouveau/nouveau_fence.c
++++ b/drivers/gpu/drm/nouveau/nouveau_fence.c
+@@ -387,11 +387,13 @@ nouveau_fence_sync(struct nouveau_bo *nv
+ if (f) {
+ struct nouveau_channel *prev;
+ bool must_wait = true;
++ bool local;
+
+ rcu_read_lock();
+ prev = rcu_dereference(f->channel);
+- if (prev && (prev == chan ||
+- fctx->sync(f, prev, chan) == 0))
++ local = prev && prev->cli->drm == chan->cli->drm;
++ if (local && (prev == chan ||
++ fctx->sync(f, prev, chan) == 0))
+ must_wait = false;
+ rcu_read_unlock();
+ if (!must_wait)
--- /dev/null
+From 218cc166321fb3cc8786677ffe0d09a78778a910 Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Mon, 13 Jan 2025 16:44:58 +0100
+Subject: selftests: mptcp: avoid spurious errors on disconnect
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit 218cc166321fb3cc8786677ffe0d09a78778a910 upstream.
+
+The disconnect test-case generates spurious errors:
+
+ INFO: disconnect
+ INFO: extra options: -I 3 -i /tmp/tmp.r43niviyoI
+ 01 ns1 MPTCP -> ns1 (10.0.1.1:10000 ) MPTCP (duration 140ms) [FAIL]
+ file received by server does not match (in, out):
+ Unexpected revents: POLLERR/POLLNVAL(19)
+ -rw-r--r-- 1 root root 10028676 Jan 10 10:47 /tmp/tmp.r43niviyoI.disconnect
+ Trailing bytes are:
+ ��\����R���!8��u2��5N%
+ -rw------- 1 root root 9992290 Jan 10 10:47 /tmp/tmp.Os4UbnWbI1
+ Trailing bytes are:
+ ��\����R���!8��u2��5N%
+ 02 ns1 MPTCP -> ns1 (dead:beef:1::1:10001) MPTCP (duration 206ms) [ OK ]
+ 03 ns1 MPTCP -> ns1 (dead:beef:1::1:10002) TCP (duration 31ms) [ OK ]
+ 04 ns1 TCP -> ns1 (dead:beef:1::1:10003) MPTCP (duration 26ms) [ OK ]
+ [FAIL] Tests of the full disconnection have failed
+ Time: 2 seconds
+
+The root cause is actually in the user-space bits: the test program
+currently disconnects as soon as all the pending data has been spooled,
+generating an FASTCLOSE. If such option reaches the peer before the
+latter has reached the closed status, the msk socket will report an
+error to the user-space, as per protocol specification, causing the
+above failure.
+
+Address the issue explicitly waiting for all the relevant sockets to
+reach a closed status before performing the disconnect.
+
+Fixes: 05be5e273c84 ("selftests: mptcp: add disconnect tests")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20250113-net-mptcp-connect-st-flakes-v1-3-0d986ee7b1b6@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_connect.c | 43 ++++++++++++++++------
+ 1 file changed, 32 insertions(+), 11 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_connect.c
++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.c
+@@ -25,6 +25,8 @@
+ #include <sys/types.h>
+ #include <sys/mman.h>
+
++#include <arpa/inet.h>
++
+ #include <netdb.h>
+ #include <netinet/in.h>
+
+@@ -1211,23 +1213,42 @@ static void parse_setsock_options(const
+ exit(1);
+ }
+
+-void xdisconnect(int fd, int addrlen)
++void xdisconnect(int fd)
+ {
+- struct sockaddr_storage empty;
++ socklen_t addrlen = sizeof(struct sockaddr_storage);
++ struct sockaddr_storage addr, empty;
+ int msec_sleep = 10;
+- int queued = 1;
+- int i;
++ void *raw_addr;
++ int i, cmdlen;
++ char cmd[128];
++
++ /* get the local address and convert it to string */
++ if (getsockname(fd, (struct sockaddr *)&addr, &addrlen) < 0)
++ xerror("getsockname");
++
++ if (addr.ss_family == AF_INET)
++ raw_addr = &(((struct sockaddr_in *)&addr)->sin_addr);
++ else if (addr.ss_family == AF_INET6)
++ raw_addr = &(((struct sockaddr_in6 *)&addr)->sin6_addr);
++ else
++ xerror("bad family");
++
++ strcpy(cmd, "ss -M | grep -q ");
++ cmdlen = strlen(cmd);
++ if (!inet_ntop(addr.ss_family, raw_addr, &cmd[cmdlen],
++ sizeof(cmd) - cmdlen))
++ xerror("inet_ntop");
+
+ shutdown(fd, SHUT_WR);
+
+- /* while until the pending data is completely flushed, the later
++ /*
++ * wait until the pending data is completely flushed and all
++ * the MPTCP sockets reached the closed status.
+ * disconnect will bypass/ignore/drop any pending data.
+ */
+ for (i = 0; ; i += msec_sleep) {
+- if (ioctl(fd, SIOCOUTQ, &queued) < 0)
+- xerror("can't query out socket queue: %d", errno);
+-
+- if (!queued)
++ /* closed socket are not listed by 'ss' */
++ if (system(cmd) != 0)
+ break;
+
+ if (i > poll_timeout)
+@@ -1281,9 +1302,9 @@ again:
+ return ret;
+
+ if (cfg_truncate > 0) {
+- xdisconnect(fd, peer->ai_addrlen);
++ xdisconnect(fd);
+ } else if (--cfg_repeat > 0) {
+- xdisconnect(fd, peer->ai_addrlen);
++ xdisconnect(fd);
+
+ /* the socket could be unblocking at this point, we need the
+ * connect to be blocking
alsa-hda-realtek-fixup-asus-ga605w.patch
alsa-hda-realtek-fixup-asus-h7606w.patch
zram-fix-potential-uaf-of-zram-table.patch
+i2c-atr-fix-client-detach.patch
+mptcp-be-sure-to-send-ack-when-mptcp-level-window-re-opens.patch
+mptcp-fix-spurious-wake-up-on-under-memory-pressure.patch
+selftests-mptcp-avoid-spurious-errors-on-disconnect.patch
+net-ethernet-xgbe-re-add-aneg-to-supported-features-in-phy-quirks.patch
+vsock-bpf-return-early-if-transport-is-not-assigned.patch
+vsock-virtio-discard-packets-if-the-transport-changes.patch
+vsock-virtio-cancel-close-work-in-the-destructor.patch
+vsock-reset-socket-state-when-de-assigning-the-transport.patch
+vsock-prevent-null-ptr-deref-in-vsock_.patch
+nouveau-fence-handle-cross-device-fences-properly.patch
+drm-nouveau-disp-fix-missing-backlight-control-on-macbook-5-1.patch
+net-ncsi-fix-locking-in-get-mac-address-handling.patch
+filemap-avoid-truncating-64-bit-offset-to-32-bits.patch
+fs-proc-fix-softlockup-in-__read_vmcore-part-2.patch
+gpio-xilinx-convert-gpio_lock-to-raw-spinlock.patch
+tools-fix-atomic_set-definition-to-set-the-value-correctly.patch
--- /dev/null
+From 4bbb6df62c54e6a2c1fcce4908df768f0cfa1e91 Mon Sep 17 00:00:00 2001
+From: Suren Baghdasaryan <surenb@google.com>
+Date: Fri, 27 Dec 2024 14:22:20 -0800
+Subject: tools: fix atomic_set() definition to set the value correctly
+
+From: Suren Baghdasaryan <surenb@google.com>
+
+commit 4bbb6df62c54e6a2c1fcce4908df768f0cfa1e91 upstream.
+
+Currently vma test is failing because of the new vma_assert_attached()
+assertion. The check is failing because previous refcount_set() inside
+vma_mark_attached() is a NoOp. Fix the definition of atomic_set() to
+correctly set the value of the atomic.
+
+Link: https://lkml.kernel.org/r/20241227222220.1726384-1-surenb@google.com
+Fixes: 9325b8b5a1cb ("tools: add skeleton code for userland testing of VMA logic")
+Signed-off-by: Suren Baghdasaryan <surenb@google.com>
+Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Cc: Jann Horn <jannh@google.com>
+Cc: Liam R. Howlett <Liam.Howlett@Oracle.com>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/shared/linux/maple_tree.h | 2 +-
+ tools/testing/vma/linux/atomic.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/tools/testing/shared/linux/maple_tree.h
++++ b/tools/testing/shared/linux/maple_tree.h
+@@ -2,6 +2,6 @@
+ #define atomic_t int32_t
+ #define atomic_inc(x) uatomic_inc(x)
+ #define atomic_read(x) uatomic_read(x)
+-#define atomic_set(x, y) do {} while (0)
++#define atomic_set(x, y) uatomic_set(x, y)
+ #define U8_MAX UCHAR_MAX
+ #include "../../../../include/linux/maple_tree.h"
+--- a/tools/testing/vma/linux/atomic.h
++++ b/tools/testing/vma/linux/atomic.h
+@@ -6,7 +6,7 @@
+ #define atomic_t int32_t
+ #define atomic_inc(x) uatomic_inc(x)
+ #define atomic_read(x) uatomic_read(x)
+-#define atomic_set(x, y) do {} while (0)
++#define atomic_set(x, y) uatomic_set(x, y)
+ #define U8_MAX UCHAR_MAX
+
+ #endif /* _LINUX_ATOMIC_H */
--- /dev/null
+From f6abafcd32f9cfc4b1a2f820ecea70773e26d423 Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Fri, 10 Jan 2025 09:35:08 +0100
+Subject: vsock/bpf: return early if transport is not assigned
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+commit f6abafcd32f9cfc4b1a2f820ecea70773e26d423 upstream.
+
+Some of the core functions can only be called if the transport
+has been assigned.
+
+As Michal reported, a socket might have the transport at NULL,
+for example after a failed connect(), causing the following trace:
+
+ BUG: kernel NULL pointer dereference, address: 00000000000000a0
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 12faf8067 P4D 12faf8067 PUD 113670067 PMD 0
+ Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
+ CPU: 15 UID: 0 PID: 1198 Comm: a.out Not tainted 6.13.0-rc2+
+ RIP: 0010:vsock_connectible_has_data+0x1f/0x40
+ Call Trace:
+ vsock_bpf_recvmsg+0xca/0x5e0
+ sock_recvmsg+0xb9/0xc0
+ __sys_recvfrom+0xb3/0x130
+ __x64_sys_recvfrom+0x20/0x30
+ do_syscall_64+0x93/0x180
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+So we need to check the `vsk->transport` in vsock_bpf_recvmsg(),
+especially for connected sockets (stream/seqpacket) as we already
+do in __vsock_connectible_recvmsg().
+
+Fixes: 634f1a7110b4 ("vsock: support sockmap")
+Cc: stable@vger.kernel.org
+Reported-by: Michal Luczaj <mhal@rbox.co>
+Closes: https://lore.kernel.org/netdev/5ca20d4c-1017-49c2-9516-f6f75fd331e9@rbox.co/
+Tested-by: Michal Luczaj <mhal@rbox.co>
+Reported-by: syzbot+3affdbfc986ecd9200fd@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/677f84a8.050a0220.25a300.01b3.GAE@google.com/
+Tested-by: syzbot+3affdbfc986ecd9200fd@syzkaller.appspotmail.com
+Reviewed-by: Hyunwoo Kim <v4bel@theori.io>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/vsock_bpf.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/net/vmw_vsock/vsock_bpf.c
++++ b/net/vmw_vsock/vsock_bpf.c
+@@ -77,6 +77,7 @@ static int vsock_bpf_recvmsg(struct sock
+ size_t len, int flags, int *addr_len)
+ {
+ struct sk_psock *psock;
++ struct vsock_sock *vsk;
+ int copied;
+
+ psock = sk_psock_get(sk);
+@@ -84,6 +85,13 @@ static int vsock_bpf_recvmsg(struct sock
+ return __vsock_recvmsg(sk, msg, len, flags);
+
+ lock_sock(sk);
++ vsk = vsock_sk(sk);
++
++ if (!vsk->transport) {
++ copied = -ENODEV;
++ goto out;
++ }
++
+ if (vsock_has_data(sk, psock) && sk_psock_queue_empty(psock)) {
+ release_sock(sk);
+ sk_psock_put(sk, psock);
+@@ -108,6 +116,7 @@ static int vsock_bpf_recvmsg(struct sock
+ copied = sk_msg_recvmsg(sk, psock, msg, len, flags);
+ }
+
++out:
+ release_sock(sk);
+ sk_psock_put(sk, psock);
+
--- /dev/null
+From 91751e248256efc111e52e15115840c35d85abaf Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Fri, 10 Jan 2025 09:35:11 +0100
+Subject: vsock: prevent null-ptr-deref in vsock_*[has_data|has_space]
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+commit 91751e248256efc111e52e15115840c35d85abaf upstream.
+
+Recent reports have shown how we sometimes call vsock_*_has_data()
+when a vsock socket has been de-assigned from a transport (see attached
+links), but we shouldn't.
+
+Previous commits should have solved the real problems, but we may have
+more in the future, so to avoid null-ptr-deref, we can return 0
+(no space, no data available) but with a warning.
+
+This way the code should continue to run in a nearly consistent state
+and have a warning that allows us to debug future problems.
+
+Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/netdev/Z2K%2FI4nlHdfMRTZC@v4bel-B760M-AORUS-ELITE-AX/
+Link: https://lore.kernel.org/netdev/5ca20d4c-1017-49c2-9516-f6f75fd331e9@rbox.co/
+Link: https://lore.kernel.org/netdev/677f84a8.050a0220.25a300.01b3.GAE@google.com/
+Co-developed-by: Hyunwoo Kim <v4bel@theori.io>
+Signed-off-by: Hyunwoo Kim <v4bel@theori.io>
+Co-developed-by: Wongi Lee <qwerty@theori.io>
+Signed-off-by: Wongi Lee <qwerty@theori.io>
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
+Reviewed-by: Hyunwoo Kim <v4bel@theori.io>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/af_vsock.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -879,6 +879,9 @@ EXPORT_SYMBOL_GPL(vsock_create_connected
+
+ s64 vsock_stream_has_data(struct vsock_sock *vsk)
+ {
++ if (WARN_ON(!vsk->transport))
++ return 0;
++
+ return vsk->transport->stream_has_data(vsk);
+ }
+ EXPORT_SYMBOL_GPL(vsock_stream_has_data);
+@@ -887,6 +890,9 @@ s64 vsock_connectible_has_data(struct vs
+ {
+ struct sock *sk = sk_vsock(vsk);
+
++ if (WARN_ON(!vsk->transport))
++ return 0;
++
+ if (sk->sk_type == SOCK_SEQPACKET)
+ return vsk->transport->seqpacket_has_data(vsk);
+ else
+@@ -896,6 +902,9 @@ EXPORT_SYMBOL_GPL(vsock_connectible_has_
+
+ s64 vsock_stream_has_space(struct vsock_sock *vsk)
+ {
++ if (WARN_ON(!vsk->transport))
++ return 0;
++
+ return vsk->transport->stream_has_space(vsk);
+ }
+ EXPORT_SYMBOL_GPL(vsock_stream_has_space);
--- /dev/null
+From a24009bc9be60242651a21702609381b5092459e Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Fri, 10 Jan 2025 09:35:10 +0100
+Subject: vsock: reset socket state when de-assigning the transport
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+commit a24009bc9be60242651a21702609381b5092459e upstream.
+
+Transport's release() and destruct() are called when de-assigning the
+vsock transport. These callbacks can touch some socket state like
+sock flags, sk_state, and peer_shutdown.
+
+Since we are reassigning the socket to a new transport during
+vsock_connect(), let's reset these fields to have a clean state with
+the new transport.
+
+Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/af_vsock.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -491,6 +491,15 @@ int vsock_assign_transport(struct vsock_
+ */
+ vsk->transport->release(vsk);
+ vsock_deassign_transport(vsk);
++
++ /* transport's release() and destruct() can touch some socket
++ * state, since we are reassigning the socket to a new transport
++ * during vsock_connect(), let's reset these fields to have a
++ * clean state.
++ */
++ sock_reset_flag(sk, SOCK_DONE);
++ sk->sk_state = TCP_CLOSE;
++ vsk->peer_shutdown = 0;
+ }
+
+ /* We increase the module refcnt to prevent the transport unloading
--- /dev/null
+From df137da9d6d166e87e40980e36eb8e0bc90483ef Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Fri, 10 Jan 2025 09:35:09 +0100
+Subject: vsock/virtio: cancel close work in the destructor
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+commit df137da9d6d166e87e40980e36eb8e0bc90483ef upstream.
+
+During virtio_transport_release() we can schedule a delayed work to
+perform the closing of the socket before destruction.
+
+The destructor is called either when the socket is really destroyed
+(reference counter to zero), or it can also be called when we are
+de-assigning the transport.
+
+In the former case, we are sure the delayed work has completed, because
+it holds a reference until it completes, so the destructor will
+definitely be called after the delayed work is finished.
+But in the latter case, the destructor is called by AF_VSOCK core, just
+after the release(), so there may still be delayed work scheduled.
+
+Refactor the code, moving the code to delete the close work already in
+the do_close() to a new function. Invoke it during destruction to make
+sure we don't leave any pending work.
+
+Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
+Cc: stable@vger.kernel.org
+Reported-by: Hyunwoo Kim <v4bel@theori.io>
+Closes: https://lore.kernel.org/netdev/Z37Sh+utS+iV3+eb@v4bel-B760M-AORUS-ELITE-AX/
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
+Tested-by: Hyunwoo Kim <v4bel@theori.io>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/virtio_transport_common.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -26,6 +26,9 @@
+ /* Threshold for detecting small packets to copy */
+ #define GOOD_COPY_LEN 128
+
++static void virtio_transport_cancel_close_work(struct vsock_sock *vsk,
++ bool cancel_timeout);
++
+ static const struct virtio_transport *
+ virtio_transport_get_ops(struct vsock_sock *vsk)
+ {
+@@ -1109,6 +1112,8 @@ void virtio_transport_destruct(struct vs
+ {
+ struct virtio_vsock_sock *vvs = vsk->trans;
+
++ virtio_transport_cancel_close_work(vsk, true);
++
+ kfree(vvs);
+ vsk->trans = NULL;
+ }
+@@ -1204,17 +1209,11 @@ static void virtio_transport_wait_close(
+ }
+ }
+
+-static void virtio_transport_do_close(struct vsock_sock *vsk,
+- bool cancel_timeout)
++static void virtio_transport_cancel_close_work(struct vsock_sock *vsk,
++ bool cancel_timeout)
+ {
+ struct sock *sk = sk_vsock(vsk);
+
+- sock_set_flag(sk, SOCK_DONE);
+- vsk->peer_shutdown = SHUTDOWN_MASK;
+- if (vsock_stream_has_data(vsk) <= 0)
+- sk->sk_state = TCP_CLOSING;
+- sk->sk_state_change(sk);
+-
+ if (vsk->close_work_scheduled &&
+ (!cancel_timeout || cancel_delayed_work(&vsk->close_work))) {
+ vsk->close_work_scheduled = false;
+@@ -1226,6 +1225,20 @@ static void virtio_transport_do_close(st
+ }
+ }
+
++static void virtio_transport_do_close(struct vsock_sock *vsk,
++ bool cancel_timeout)
++{
++ struct sock *sk = sk_vsock(vsk);
++
++ sock_set_flag(sk, SOCK_DONE);
++ vsk->peer_shutdown = SHUTDOWN_MASK;
++ if (vsock_stream_has_data(vsk) <= 0)
++ sk->sk_state = TCP_CLOSING;
++ sk->sk_state_change(sk);
++
++ virtio_transport_cancel_close_work(vsk, cancel_timeout);
++}
++
+ static void virtio_transport_close_timeout(struct work_struct *work)
+ {
+ struct vsock_sock *vsk =
--- /dev/null
+From 2cb7c756f605ec02ffe562fb26828e4bcc5fdfc1 Mon Sep 17 00:00:00 2001
+From: Stefano Garzarella <sgarzare@redhat.com>
+Date: Fri, 10 Jan 2025 09:35:07 +0100
+Subject: vsock/virtio: discard packets if the transport changes
+
+From: Stefano Garzarella <sgarzare@redhat.com>
+
+commit 2cb7c756f605ec02ffe562fb26828e4bcc5fdfc1 upstream.
+
+If the socket has been de-assigned or assigned to another transport,
+we must discard any packets received because they are not expected
+and would cause issues when we access vsk->transport.
+
+A possible scenario is described by Hyunwoo Kim in the attached link,
+where after a first connect() interrupted by a signal, and a second
+connect() failed, we can find `vsk->transport` at NULL, leading to a
+NULL pointer dereference.
+
+Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
+Cc: stable@vger.kernel.org
+Reported-by: Hyunwoo Kim <v4bel@theori.io>
+Reported-by: Wongi Lee <qwerty@theori.io>
+Closes: https://lore.kernel.org/netdev/Z2LvdTTQR7dBmPb5@v4bel-B760M-AORUS-ELITE-AX/
+Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Hyunwoo Kim <v4bel@theori.io>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/virtio_transport_common.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/vmw_vsock/virtio_transport_common.c
++++ b/net/vmw_vsock/virtio_transport_common.c
+@@ -1628,8 +1628,11 @@ void virtio_transport_recv_pkt(struct vi
+
+ lock_sock(sk);
+
+- /* Check if sk has been closed before lock_sock */
+- if (sock_flag(sk, SOCK_DONE)) {
++ /* Check if sk has been closed or assigned to another transport before
++ * lock_sock (note: listener sockets are not assigned to any transport)
++ */
++ if (sock_flag(sk, SOCK_DONE) ||
++ (sk->sk_state != TCP_LISTEN && vsk->transport != &t->transport)) {
+ (void)virtio_transport_reset_no_sock(t, skb);
+ release_sock(sk);
+ sock_put(sk);
projects / thirdparty / kernel / stable-queue.git / commitdiff
