6.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 13 Sep 2024 12:44:24 +0000 (14:44 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 13 Sep 2024 12:44:24 +0000 (14:44 +0200)
added patches:
arm64-dts-rockchip-fix-emmc-spi-corruption-when-audio-has-been-used-on-rk3399-puma.patch
arm64-dts-rockchip-override-bios_disable-signal-via-gpio-hog-on-rk3399-puma.patch
clocksource-hyper-v-use-lapic-timer-in-a-tdx-vm-without-paravisor.patch
dm-integrity-fix-a-race-condition-when-accessing-recalc_sector.patch
minmax-reduce-min-max-macro-expansion-in-atomisp-driver.patch
mm-avoid-leaving-partial-pfn-mappings-around-in-error-case.patch
mptcp-pm-fix-uaf-in-__timer_delete_sync.patch
net-libwx-fix-number-of-rx-and-tx-descriptors.patch
net-tighten-bad-gso-csum-offset-check-in-virtio_net_hdr.patch
platform-x86-panasonic-laptop-allocate-1-entry-extra-in-the-sinf-array.patch
platform-x86-panasonic-laptop-fix-sinf-array-out-of-bounds-accesses.patch
selftests-mptcp-join-restrict-fullmesh-endp-on-1st-sf.patch
x86-hyperv-fix-kexec-crash-due-to-vp-assist-page-corruption.patch

14 files changed:
queue-6.10/arm64-dts-rockchip-fix-emmc-spi-corruption-when-audio-has-been-used-on-rk3399-puma.patch [new file with mode: 0644]
queue-6.10/arm64-dts-rockchip-override-bios_disable-signal-via-gpio-hog-on-rk3399-puma.patch [new file with mode: 0644]
queue-6.10/clocksource-hyper-v-use-lapic-timer-in-a-tdx-vm-without-paravisor.patch [new file with mode: 0644]
queue-6.10/dm-integrity-fix-a-race-condition-when-accessing-recalc_sector.patch [new file with mode: 0644]
queue-6.10/minmax-reduce-min-max-macro-expansion-in-atomisp-driver.patch [new file with mode: 0644]
queue-6.10/mm-avoid-leaving-partial-pfn-mappings-around-in-error-case.patch [new file with mode: 0644]
queue-6.10/mptcp-pm-fix-uaf-in-__timer_delete_sync.patch [new file with mode: 0644]
queue-6.10/net-libwx-fix-number-of-rx-and-tx-descriptors.patch [new file with mode: 0644]
queue-6.10/net-tighten-bad-gso-csum-offset-check-in-virtio_net_hdr.patch [new file with mode: 0644]
queue-6.10/platform-x86-panasonic-laptop-allocate-1-entry-extra-in-the-sinf-array.patch [new file with mode: 0644]
queue-6.10/platform-x86-panasonic-laptop-fix-sinf-array-out-of-bounds-accesses.patch [new file with mode: 0644]
queue-6.10/selftests-mptcp-join-restrict-fullmesh-endp-on-1st-sf.patch [new file with mode: 0644]
queue-6.10/series
queue-6.10/x86-hyperv-fix-kexec-crash-due-to-vp-assist-page-corruption.patch [new file with mode: 0644]

diff --git a/queue-6.10/arm64-dts-rockchip-fix-emmc-spi-corruption-when-audio-has-been-used-on-rk3399-puma.patch b/queue-6.10/arm64-dts-rockchip-fix-emmc-spi-corruption-when-audio-has-been-used-on-rk3399-puma.patch
new file mode 100644 (file)
index 0000000..986d03f
--- /dev/null
@@ -0,0 +1,73 @@
+From bb94a157b37ec23f53906a279320f6ed64300eba Mon Sep 17 00:00:00 2001
+From: Quentin Schulz <quentin.schulz@cherry.de>
+Date: Wed, 31 Jul 2024 13:05:28 +0200
+Subject: arm64: dts: rockchip: fix eMMC/SPI corruption when audio has been used on RK3399 Puma
+
+From: Quentin Schulz <quentin.schulz@cherry.de>
+
+commit bb94a157b37ec23f53906a279320f6ed64300eba upstream.
+
+In commit 91419ae0420f ("arm64: dts: rockchip: use BCLK to GPIO switch
+on rk3399"), an additional pinctrl state was added whose default pinmux
+is for 8ch i2s0. However, Puma only has 2ch i2s0. It's been overriding
+the pinctrl-0 property but the second property override was missed in
+the aforementioned commit.
+
+On Puma, a hardware slider called "BIOS Disable/Normal Boot" can disable
+eMMC and SPI to force booting from SD card. Another software-controlled
+GPIO is then configured to override this behavior to make eMMC and SPI
+available without human intervention. This is currently done in U-Boot
+and it was enough until the aforementioned commit.
+
+Indeed, because of this additional not-yet-overridden property, this
+software-controlled GPIO is now muxed in a state that does not override
+this hardware slider anymore, rendering SPI and eMMC flashes unusable.
+
+Let's override the property with the 2ch pinmux to fix this.
+
+Fixes: 91419ae0420f ("arm64: dts: rockchip: use BCLK to GPIO switch on rk3399")
+Cc: stable@vger.kernel.org
+Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
+Link: https://lore.kernel.org/r/20240731-puma-emmc-6-v1-1-4e28eadf32d0@cherry.de
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi |   13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi
+@@ -409,6 +409,7 @@
+ &i2s0 {
+       pinctrl-0 = <&i2s0_2ch_bus>;
++      pinctrl-1 = <&i2s0_2ch_bus_bclk_off>;
+       rockchip,playback-channels = <2>;
+       rockchip,capture-channels = <2>;
+       status = "okay";
+@@ -417,8 +418,8 @@
+ /*
+  * As Q7 does not specify neither a global nor a RX clock for I2S these
+  * signals are not used. Furthermore I2S0_LRCK_RX is used as GPIO.
+- * Therefore we have to redefine the i2s0_2ch_bus definition to prevent
+- * conflicts.
++ * Therefore we have to redefine the i2s0_2ch_bus and i2s0_2ch_bus_bclk_off
++ * definitions to prevent conflicts.
+  */
+ &i2s0_2ch_bus {
+       rockchip,pins =
+@@ -426,6 +427,14 @@
+               <3 RK_PD2 1 &pcfg_pull_none>,
+               <3 RK_PD3 1 &pcfg_pull_none>,
+               <3 RK_PD7 1 &pcfg_pull_none>;
++};
++
++&i2s0_2ch_bus_bclk_off {
++      rockchip,pins =
++              <3 RK_PD0 RK_FUNC_GPIO &pcfg_pull_none>,
++              <3 RK_PD2 1 &pcfg_pull_none>,
++              <3 RK_PD3 1 &pcfg_pull_none>,
++              <3 RK_PD7 1 &pcfg_pull_none>;
+ };
+ &io_domains {
diff --git a/queue-6.10/arm64-dts-rockchip-override-bios_disable-signal-via-gpio-hog-on-rk3399-puma.patch b/queue-6.10/arm64-dts-rockchip-override-bios_disable-signal-via-gpio-hog-on-rk3399-puma.patch
new file mode 100644 (file)
index 0000000..d8fb180
--- /dev/null
@@ -0,0 +1,70 @@
+From 741f5ba7ccba5d7ae796dd11c320e28045524771 Mon Sep 17 00:00:00 2001
+From: Quentin Schulz <quentin.schulz@cherry.de>
+Date: Wed, 31 Jul 2024 13:05:29 +0200
+Subject: arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399 Puma
+
+From: Quentin Schulz <quentin.schulz@cherry.de>
+
+commit 741f5ba7ccba5d7ae796dd11c320e28045524771 upstream.
+
+The Qseven BIOS_DISABLE signal on the RK3399-Q7 keeps the on-module eMMC
+and SPI flash powered-down initially (in fact it keeps the reset signal
+asserted). BIOS_DISABLE_OVERRIDE pin allows to override that signal so
+that eMMC and SPI can be used regardless of the state of the signal.
+
+Let's make this GPIO a hog so that it's reserved and locked in the
+proper state.
+
+At the same time, make sure the pin is reserved for the hog and cannot
+be requested by another node.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de>
+Link: https://lore.kernel.org/r/20240731-puma-emmc-6-v1-2-4e28eadf32d0@cherry.de
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi |   23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi
+@@ -154,6 +154,22 @@
+       };
+ };
++&gpio3 {
++      /*
++       * The Qseven BIOS_DISABLE signal on the RK3399-Q7 keeps the on-module
++       * eMMC and SPI flash powered-down initially (in fact it keeps the
++       * reset signal asserted). BIOS_DISABLE_OVERRIDE pin allows to override
++       * that signal so that eMMC and SPI can be used regardless of the state
++       * of the signal.
++       */
++      bios-disable-override-hog {
++              gpios = <RK_PD5 GPIO_ACTIVE_LOW>;
++              gpio-hog;
++              line-name = "bios_disable_override";
++              output-high;
++      };
++};
++
+ &gmac {
+       assigned-clocks = <&cru SCLK_RMII_SRC>;
+       assigned-clock-parents = <&clkin_gmac>;
+@@ -458,9 +474,14 @@
+ &pinctrl {
+       pinctrl-names = "default";
+-      pinctrl-0 = <&q7_thermal_pin>;
++      pinctrl-0 = <&q7_thermal_pin &bios_disable_override_hog_pin>;
+       gpios {
++              bios_disable_override_hog_pin: bios-disable-override-hog-pin {
++                      rockchip,pins =
++                              <3 RK_PD5 RK_FUNC_GPIO &pcfg_pull_down>;
++              };
++
+               q7_thermal_pin: q7-thermal-pin {
+                       rockchip,pins =
+                               <0 RK_PA3 RK_FUNC_GPIO &pcfg_pull_up>;
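Review bot: The comment above `bios-disable-override-hog` explains what BIOS_DISABLE_OVERRIDE does but not what level the hog drives, and with `gpios = <RK_PD5 GPIO_ACTIVE_LOW>` plus `output-high` a reader has to work out that the pin is held physically low. I would extend the comment with a line such as ` * The signal is active-low, so output-high drives the pin low to keep the override asserted.` The new `bios_disable_override_hog_pin` entry gives the pin `pcfg_pull_down`, which is consistent with that level if the line ever floats; a few words tying the pull to the hog level would make the pairing explicit.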
diff --git a/queue-6.10/clocksource-hyper-v-use-lapic-timer-in-a-tdx-vm-without-paravisor.patch b/queue-6.10/clocksource-hyper-v-use-lapic-timer-in-a-tdx-vm-without-paravisor.patch
new file mode 100644 (file)
index 0000000..c3c3b64
--- /dev/null
@@ -0,0 +1,85 @@
+From 7f828d5fff7d24752e1ecf6bebb6617a81f97b93 Mon Sep 17 00:00:00 2001
+From: Dexuan Cui <decui@microsoft.com>
+Date: Thu, 20 Jun 2024 23:16:14 -0700
+Subject: clocksource: hyper-v: Use lapic timer in a TDX VM without paravisor
+
+From: Dexuan Cui <decui@microsoft.com>
+
+commit 7f828d5fff7d24752e1ecf6bebb6617a81f97b93 upstream.
+
+In a TDX VM without paravisor, currently the default timer is the Hyper-V
+timer, which depends on the slow VM Reference Counter MSR: the Hyper-V TSC
+page is not enabled in such a VM because the VM uses Invariant TSC as a
+better clocksource and it's challenging to mark the Hyper-V TSC page shared
+in very early boot.
+
+Lower the rating of the Hyper-V timer so the local APIC timer becomes the
+the default timer in such a VM, and print a warning in case Invariant TSC
+is unavailable in such a VM. This change should cause no perceivable
+performance difference.
+
+Cc: stable@vger.kernel.org # 6.6+
+Reviewed-by: Roman Kisel <romank@linux.microsoft.com>
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Reviewed-by: Michael Kelley <mhklinux@outlook.com>
+Link: https://lore.kernel.org/r/20240621061614.8339-1-decui@microsoft.com
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Message-ID: <20240621061614.8339-1-decui@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/mshyperv.c     |   16 +++++++++++++++-
+ drivers/clocksource/hyperv_timer.c |   16 +++++++++++++++-
+ 2 files changed, 30 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/cpu/mshyperv.c
++++ b/arch/x86/kernel/cpu/mshyperv.c
+@@ -449,9 +449,23 @@ static void __init ms_hyperv_init_platfo
+                       ms_hyperv.hints &= ~HV_X64_APIC_ACCESS_RECOMMENDED;
+                       if (!ms_hyperv.paravisor_present) {
+-                              /* To be supported: more work is required.  */
++                              /*
++                               * Mark the Hyper-V TSC page feature as disabled
++                               * in a TDX VM without paravisor so that the
++                               * Invariant TSC, which is a better clocksource
++                               * anyway, is used instead.
++                               */
+                               ms_hyperv.features &= ~HV_MSR_REFERENCE_TSC_AVAILABLE;
++                              /*
++                               * The Invariant TSC is expected to be available
++                               * in a TDX VM without paravisor, but if not,
++                               * print a warning message. The slower Hyper-V MSR-based
++                               * Ref Counter should end up being the clocksource.
++                               */
++                              if (!(ms_hyperv.features & HV_ACCESS_TSC_INVARIANT))
++                                      pr_warn("Hyper-V: Invariant TSC is unavailable\n");
++
+                               /* HV_MSR_CRASH_CTL is unsupported. */
+                               ms_hyperv.misc_features &= ~HV_FEATURE_GUEST_CRASH_MSR_AVAILABLE;
+--- a/drivers/clocksource/hyperv_timer.c
++++ b/drivers/clocksource/hyperv_timer.c
+@@ -137,7 +137,21 @@ static int hv_stimer_init(unsigned int c
+       ce->name = "Hyper-V clockevent";
+       ce->features = CLOCK_EVT_FEAT_ONESHOT;
+       ce->cpumask = cpumask_of(cpu);
+-      ce->rating = 1000;
++
++      /*
++       * Lower the rating of the Hyper-V timer in a TDX VM without paravisor,
++       * so the local APIC timer (lapic_clockevent) is the default timer in
++       * such a VM. The Hyper-V timer is not preferred in such a VM because
++       * it depends on the slow VM Reference Counter MSR (the Hyper-V TSC
++       * page is not enbled in such a VM because the VM uses Invariant TSC
++       * as a better clocksource and it's challenging to mark the Hyper-V
++       * TSC page shared in very early boot).
++       */
++      if (!ms_hyperv.paravisor_present && hv_isolation_type_tdx())
++              ce->rating = 90;
++      else
++              ce->rating = 1000;
++
+       ce->set_state_shutdown = hv_ce_shutdown;
+       ce->set_state_oneshot = hv_ce_set_oneshot;
+       ce->set_next_event = hv_ce_set_next_event;
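Review bot: The new comment in hv_stimer_init misspells "enabled" (`* page is not enbled in such a VM because the VM uses Invariant TSC`), and the `ce->rating = 90;` it introduces is a bare number whose meaning depends on the local APIC clockevent's rating, which the comment names but never quantifies. I would fix the typo and annotate the assignment, e.g. `ce->rating = 90; /* below lapic_clockevent's rating so it is not preferred */` — I believe that rating is 100, but confirm against apic.c before quoting it. In mshyperv.c the added `pr_warn("Hyper-V: Invariant TSC is unavailable\n")` names what is missing but not the consequence, although the comment right above it already states the fallback; carrying that into the message (for example ", falling back to the slower Ref Counter MSR") would make the log line self-explanatory. Both enclosing functions, ms_hyperv_init_platform and hv_stimer_init, start and end outside the hunk.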
diff --git a/queue-6.10/dm-integrity-fix-a-race-condition-when-accessing-recalc_sector.patch b/queue-6.10/dm-integrity-fix-a-race-condition-when-accessing-recalc_sector.patch
new file mode 100644 (file)
index 0000000..d20bd98
--- /dev/null
@@ -0,0 +1,58 @@
+From f8e1ca92e35e9041cc0a1bc226ef07a853a22de4 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Thu, 5 Sep 2024 20:27:25 +0200
+Subject: dm-integrity: fix a race condition when accessing recalc_sector
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit f8e1ca92e35e9041cc0a1bc226ef07a853a22de4 upstream.
+
+There's a race condition when accessing the variable
+ic->sb->recalc_sector. The function integrity_recalc writes to this
+variable when it makes some progress and the function
+dm_integrity_map_continue may read this variable concurrently.
+
+One problem is that on 32-bit architectures the 64-bit variable is not
+read and written atomically - it may be possible to read garbage if read
+races with write.
+
+Another problem is that memory accesses to this variable are not guarded
+with memory barriers.
+
+This commit fixes the race - it moves reading ic->sb->recalc_sector to an
+earlier place where we hold &ic->endio_wait.lock.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-integrity.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/dm-integrity.c
++++ b/drivers/md/dm-integrity.c
+@@ -2173,6 +2173,7 @@ static void dm_integrity_map_continue(st
+       struct bio *bio = dm_bio_from_per_bio_data(dio, sizeof(struct dm_integrity_io));
+       unsigned int journal_section, journal_entry;
+       unsigned int journal_read_pos;
++      sector_t recalc_sector;
+       struct completion read_comp;
+       bool discard_retried = false;
+       bool need_sync_io = ic->internal_hash && dio->op == REQ_OP_READ;
+@@ -2313,6 +2314,7 @@ offload_to_thread:
+                       goto lock_retry;
+               }
+       }
++      recalc_sector = le64_to_cpu(ic->sb->recalc_sector);
+       spin_unlock_irq(&ic->endio_wait.lock);
+       if (unlikely(journal_read_pos != NOT_FOUND)) {
+@@ -2367,7 +2369,7 @@ offload_to_thread:
+       if (need_sync_io) {
+               wait_for_completion_io(&read_comp);
+               if (ic->sb->flags & cpu_to_le32(SB_FLAG_RECALCULATING) &&
+-                  dio->range.logical_sector + dio->range.n_sectors > le64_to_cpu(ic->sb->recalc_sector))
++                  dio->range.logical_sector + dio->range.n_sectors > recalc_sector)
+                       goto skip_check;
+               if (ic->mode == 'B') {
+                       if (!block_bitmap_op(ic, ic->recalc_bitmap, dio->range.logical_sector,
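Review bot: The `ic->sb->flags & cpu_to_le32(SB_FLAG_RECALCULATING)` test right before the changed comparison still reads the superblock without `endio_wait.lock`, so the flag and the now-locked `recalc_sector` snapshot can come from different moments, and the snapshot itself is taken before `wait_for_completion_io`, so it may lag the recalculation by the time it is compared. Since integrity_recalc only advances recalc_sector (per the description), a stale snapshot can only make `goto skip_check` fire for sectors that have since been recalculated — a lost verification, not a wrong one — but that reasoning is written nowhere near the code. I would add at the new `recalc_sector = le64_to_cpu(ic->sb->recalc_sector);` line: `/* Snapshot under endio_wait.lock: a lower bound on the recalculated range, so a stale value only widens skip_check. */`. dm_integrity_map_continue starts and ends outside the hunk.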
diff --git a/queue-6.10/minmax-reduce-min-max-macro-expansion-in-atomisp-driver.patch b/queue-6.10/minmax-reduce-min-max-macro-expansion-in-atomisp-driver.patch
new file mode 100644 (file)
index 0000000..ea2aa6d
--- /dev/null
@@ -0,0 +1,68 @@
+From 7c6a3a65ace70f12b27b1a27c9a69cb791dc6e91 Mon Sep 17 00:00:00 2001
+From: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Date: Wed, 11 Sep 2024 18:51:11 +0100
+Subject: minmax: reduce min/max macro expansion in atomisp driver
+
+From: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+
+commit 7c6a3a65ace70f12b27b1a27c9a69cb791dc6e91 upstream.
+
+Avoid unnecessary nested min()/max() which results in egregious macro
+expansion.
+
+Use clamp_t() as this introduces the least possible expansion, and turn
+the {s,u}DIGIT_FITTING() macros into inline functions to avoid the
+nested expansion.
+
+This resolves an issue with slackware 15.0 32-bit compilation as
+reported by Richard Narron.
+
+Presumably the min/max fixups would be difficult to backport, this patch
+should be easier and fix's Richard's problem in 5.15.
+
+Reported-by: Richard Narron <richard@aaazen.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Closes: https://lore.kernel.org/all/4a5321bd-b1f-1832-f0c-cea8694dc5aa@aaazen.com/
+Fixes: 867046cc7027 ("minmax: relax check to allow comparison between unsigned arguments and signed constants")
+Cc: stable@vger.kernel.org
+Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/media/atomisp/pci/sh_css_frac.h |   26 +++++++++++++++++-------
+ 1 file changed, 19 insertions(+), 7 deletions(-)
+
+--- a/drivers/staging/media/atomisp/pci/sh_css_frac.h
++++ b/drivers/staging/media/atomisp/pci/sh_css_frac.h
+@@ -30,12 +30,24 @@
+ #define uISP_VAL_MAX                ((unsigned int)((1 << uISP_REG_BIT) - 1))
+ /* a:fraction bits for 16bit precision, b:fraction bits for ISP precision */
+-#define sDIGIT_FITTING(v, a, b) \
+-      min_t(int, max_t(int, (((v) >> sSHIFT) >> max(sFRACTION_BITS_FITTING(a) - (b), 0)), \
+-        sISP_VAL_MIN), sISP_VAL_MAX)
+-#define uDIGIT_FITTING(v, a, b) \
+-      min((unsigned int)max((unsigned)(((v) >> uSHIFT) \
+-      >> max((int)(uFRACTION_BITS_FITTING(a) - (b)), 0)), \
+-        uISP_VAL_MIN), uISP_VAL_MAX)
++static inline int sDIGIT_FITTING(int v, int a, int b)
++{
++      int fit_shift = sFRACTION_BITS_FITTING(a) - b;
++
++      v >>= sSHIFT;
++      v >>= fit_shift > 0 ? fit_shift : 0;
++
++      return clamp_t(int, v, sISP_VAL_MIN, sISP_VAL_MAX);
++}
++
++static inline unsigned int uDIGIT_FITTING(unsigned int v, int a, int b)
++{
++      int fit_shift = uFRACTION_BITS_FITTING(a) - b;
++
++      v >>= uSHIFT;
++      v >>= fit_shift > 0 ? fit_shift : 0;
++
++      return clamp_t(unsigned int, v, uISP_VAL_MIN, uISP_VAL_MAX);
++}
+ #endif /* __SH_CSS_FRAC_H */
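Review bot: The new inline functions clamp a negative `fit_shift` to zero but leave the upper end unbounded, so a shift count of 32 or more from `sFRACTION_BITS_FITTING(a) - b` is still undefined behaviour, exactly as in the macros they replace; now that these are real functions the valid range of `a` and `b` should at least be stated. I would put above `sDIGIT_FITTING` (and its uISP counterpart) something like `/* Callers must keep sFRACTION_BITS_FITTING(a) - b below the width of int; the shift count is not bounds-checked. */`, or clamp `fit_shift` from above as well if the range is known. `sDIGIT_FITTING` also right-shifts a possibly negative `int v`, which is implementation-defined rather than guaranteed arithmetic shift; the kernel relies on the compiler's arithmetic behaviour here, but a one-line note saves the next reader the question. Keeping the uppercase macro-style names for the existing call sites is fine but worth a word in the header.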
diff --git a/queue-6.10/mm-avoid-leaving-partial-pfn-mappings-around-in-error-case.patch b/queue-6.10/mm-avoid-leaving-partial-pfn-mappings-around-in-error-case.patch
new file mode 100644 (file)
index 0000000..3a1c356
--- /dev/null
@@ -0,0 +1,80 @@
+From 79a61cc3fc0466ad2b7b89618a6157785f0293b3 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Wed, 11 Sep 2024 17:11:23 -0700
+Subject: mm: avoid leaving partial pfn mappings around in error case
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 79a61cc3fc0466ad2b7b89618a6157785f0293b3 upstream.
+
+As Jann points out, PFN mappings are special, because unlike normal
+memory mappings, there is no lifetime information associated with the
+mapping - it is just a raw mapping of PFNs with no reference counting of
+a 'struct page'.
+
+That's all very much intentional, but it does mean that it's easy to
+mess up the cleanup in case of errors.  Yes, a failed mmap() will always
+eventually clean up any partial mappings, but without any explicit
+lifetime in the page table mapping itself, it's very easy to do the
+error handling in the wrong order.
+
+In particular, it's easy to mistakenly free the physical backing store
+before the page tables are actually cleaned up and (temporarily) have
+stale dangling PTE entries.
+
+To make this situation less error-prone, just make sure that any partial
+pfn mapping is torn down early, before any other error handling.
+
+Reported-and-tested-by: Jann Horn <jannh@google.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Jason Gunthorpe <jgg@ziepe.ca>
+Cc: Simona Vetter <simona.vetter@ffwll.ch>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/memory.c |   27 ++++++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -2581,11 +2581,7 @@ static inline int remap_p4d_range(struct
+       return 0;
+ }
+-/*
+- * Variant of remap_pfn_range that does not call track_pfn_remap.  The caller
+- * must have pre-validated the caching bits of the pgprot_t.
+- */
+-int remap_pfn_range_notrack(struct vm_area_struct *vma, unsigned long addr,
++static int remap_pfn_range_internal(struct vm_area_struct *vma, unsigned long addr,
+               unsigned long pfn, unsigned long size, pgprot_t prot)
+ {
+       pgd_t *pgd;
+@@ -2638,6 +2634,27 @@ int remap_pfn_range_notrack(struct vm_ar
+       return 0;
+ }
++/*
++ * Variant of remap_pfn_range that does not call track_pfn_remap.  The caller
++ * must have pre-validated the caching bits of the pgprot_t.
++ */
++int remap_pfn_range_notrack(struct vm_area_struct *vma, unsigned long addr,
++              unsigned long pfn, unsigned long size, pgprot_t prot)
++{
++      int error = remap_pfn_range_internal(vma, addr, pfn, size, prot);
++
++      if (!error)
++              return 0;
++
++      /*
++       * A partial pfn range mapping is dangerous: it does not
++       * maintain page reference counts, and callers may free
++       * pages due to the error. So zap it early.
++       */
++      zap_page_range_single(vma, addr, size, NULL);
++      return error;
++}
++
+ /**
+  * remap_pfn_range - remap kernel memory to userspace
+  * @vma: user vma to map to
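Review bot: The new `remap_pfn_range_notrack` passes the caller's raw `size` to `zap_page_range_single`, while the mapping side in `remap_pfn_range_internal` (its body is outside the hunk) rounds its end up with `PAGE_ALIGN(size)` in the upstream body I know; for a non-page-aligned `size` the two ranges then differ, and the zap would stop short of the last page the mapping touched — the very stale PFN PTE the change is meant to remove. Most callers pass whole-page sizes, but `zap_page_range_single(vma, addr, PAGE_ALIGN(size), NULL);` costs nothing and removes the question. The zap also runs when `remap_pfn_range_internal` fails in its early argument checks before establishing anything, which is harmless but could be said. The moved comment still describes only the tracking aspect; I would add ` * On failure no PTEs established by this call remain mapped: any partial mapping is torn down before the error is returned.`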
diff --git a/queue-6.10/mptcp-pm-fix-uaf-in-__timer_delete_sync.patch b/queue-6.10/mptcp-pm-fix-uaf-in-__timer_delete_sync.patch
new file mode 100644 (file)
index 0000000..e8dbbe4
--- /dev/null
@@ -0,0 +1,90 @@
+From b4cd80b0338945a94972ac3ed54f8338d2da2076 Mon Sep 17 00:00:00 2001
+From: Edward Adam Davis <eadavis@qq.com>
+Date: Tue, 10 Sep 2024 17:58:56 +0800
+Subject: mptcp: pm: Fix uaf in __timer_delete_sync
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+commit b4cd80b0338945a94972ac3ed54f8338d2da2076 upstream.
+
+There are two paths to access mptcp_pm_del_add_timer, result in a race
+condition:
+
+     CPU1                              CPU2
+     ====                               ====
+     net_rx_action
+     napi_poll                          netlink_sendmsg
+     __napi_poll                        netlink_unicast
+     process_backlog                    netlink_unicast_kernel
+     __netif_receive_skb                genl_rcv
+     __netif_receive_skb_one_core       netlink_rcv_skb
+     NF_HOOK                            genl_rcv_msg
+     ip_local_deliver_finish            genl_family_rcv_msg
+     ip_protocol_deliver_rcu            genl_family_rcv_msg_doit
+     tcp_v4_rcv                         mptcp_pm_nl_flush_addrs_doit
+     tcp_v4_do_rcv                      mptcp_nl_remove_addrs_list
+     tcp_rcv_established                mptcp_pm_remove_addrs_and_subflows
+     tcp_data_queue                     remove_anno_list_by_saddr
+     mptcp_incoming_options             mptcp_pm_del_add_timer
+     mptcp_pm_del_add_timer             kfree(entry)
+
+In remove_anno_list_by_saddr(running on CPU2), after leaving the critical
+zone protected by "pm.lock", the entry will be released, which leads to the
+occurrence of uaf in the mptcp_pm_del_add_timer(running on CPU1).
+
+Keeping a reference to add_timer inside the lock, and calling
+sk_stop_timer_sync() with this reference, instead of "entry->add_timer".
+
+Move list_del(&entry->list) to mptcp_pm_del_add_timer and inside the pm lock,
+do not directly access any members of the entry outside the pm lock, which
+can avoid similar "entry->x" uaf.
+
+Fixes: 00cfd77b9063 ("mptcp: retransmit ADD_ADDR when timeout")
+Cc: stable@vger.kernel.org
+Reported-and-tested-by: syzbot+f3a31fb909db9b2a5c4d@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=f3a31fb909db9b2a5c4d
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Acked-by: Paolo Abeni <pabeni@redhat.com>
+Link: https://patch.msgid.link/tencent_7142963A37944B4A74EF76CD66EA3C253609@qq.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/pm_netlink.c |   13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/net/mptcp/pm_netlink.c
++++ b/net/mptcp/pm_netlink.c
+@@ -334,15 +334,21 @@ mptcp_pm_del_add_timer(struct mptcp_sock
+ {
+       struct mptcp_pm_add_entry *entry;
+       struct sock *sk = (struct sock *)msk;
++      struct timer_list *add_timer = NULL;
+       spin_lock_bh(&msk->pm.lock);
+       entry = mptcp_lookup_anno_list_by_saddr(msk, addr);
+-      if (entry && (!check_id || entry->addr.id == addr->id))
++      if (entry && (!check_id || entry->addr.id == addr->id)) {
+               entry->retrans_times = ADD_ADDR_RETRANS_MAX;
++              add_timer = &entry->add_timer;
++      }
++      if (!check_id && entry)
++              list_del(&entry->list);
+       spin_unlock_bh(&msk->pm.lock);
+-      if (entry && (!check_id || entry->addr.id == addr->id))
+-              sk_stop_timer_sync(sk, &entry->add_timer);
++      /* no lock, because sk_stop_timer_sync() is calling del_timer_sync() */
++      if (add_timer)
++              sk_stop_timer_sync(sk, add_timer);
+       return entry;
+ }
+@@ -1462,7 +1468,6 @@ static bool remove_anno_list_by_saddr(st
+       entry = mptcp_pm_del_add_timer(msk, addr, false);
+       if (entry) {
+-              list_del(&entry->list);
+               kfree(entry);
+               return true;
+       }
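Review bot: The `check_id` path still dereferences the entry after `pm.lock` is dropped: `add_timer` points into `entry`, the entry stays on the anno list in that path, and a concurrent `check_id == false` caller (the netlink flush from the description) can unlink and `kfree()` it under the lock while this CPU is inside `sk_stop_timer_sync(sk, add_timer)`. Unless the `check_id` callers hold something that excludes the flush path — not visible here — a narrower version of the same use-after-free seems to remain; a reference count on the entry, or deferring the free until the timer is known stopped, would close it. The comment `/* no lock, because sk_stop_timer_sync() is calling del_timer_sync() */` explains why the lock cannot be held across the call, not why the pointer is still valid, and should say which of the two it means. The function now also has two ownership outcomes — with `check_id` false the entry is unlinked and the caller must free it, with `check_id` true it stays on the list — which deserves a comment above `mptcp_pm_del_add_timer`, whose signature line is outside the hunk.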
diff --git a/queue-6.10/net-libwx-fix-number-of-rx-and-tx-descriptors.patch b/queue-6.10/net-libwx-fix-number-of-rx-and-tx-descriptors.patch
new file mode 100644 (file)
index 0000000..75137b2
--- /dev/null
@@ -0,0 +1,39 @@
+From 077ee7e6b13a2b6668196ed01a22023549e19381 Mon Sep 17 00:00:00 2001
+From: Jiawen Wu <jiawenwu@trustnetic.com>
+Date: Tue, 10 Sep 2024 17:56:29 +0800
+Subject: net: libwx: fix number of Rx and Tx descriptors
+
+From: Jiawen Wu <jiawenwu@trustnetic.com>
+
+commit 077ee7e6b13a2b6668196ed01a22023549e19381 upstream.
+
+The number of transmit and receive descriptors must be a multiple of 128
+due to the hardware limitation. If it is set to a multiple of 8 instead of
+a multiple 128, the queues will easily be hung.
+
+Cc: stable@vger.kernel.org
+Fixes: 883b5984a5d2 ("net: wangxun: add ethtool_ops for ring parameters")
+Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20240910095629.570674-1-jiawenwu@trustnetic.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/wangxun/libwx/wx_type.h |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/wangxun/libwx/wx_type.h
++++ b/drivers/net/ethernet/wangxun/libwx/wx_type.h
+@@ -424,9 +424,9 @@ enum WX_MSCA_CMD_value {
+ #define WX_MIN_RXD                   128
+ #define WX_MIN_TXD                   128
+-/* Number of Transmit and Receive Descriptors must be a multiple of 8 */
+-#define WX_REQ_RX_DESCRIPTOR_MULTIPLE   8
+-#define WX_REQ_TX_DESCRIPTOR_MULTIPLE   8
++/* Number of Transmit and Receive Descriptors must be a multiple of 128 */
++#define WX_REQ_RX_DESCRIPTOR_MULTIPLE   128
++#define WX_REQ_TX_DESCRIPTOR_MULTIPLE   128
+ #define WX_MAX_JUMBO_FRAME_SIZE      9432 /* max payload 9414 */
+ #define VMDQ_P(p)                    p
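Review bot: Raising `WX_REQ_RX_DESCRIPTOR_MULTIPLE` and `WX_REQ_TX_DESCRIPTOR_MULTIPLE` to 128 changes how user-requested ring sizes are rounded in the ethtool path, which is outside the hunk; worth confirming that `WX_MAX_RXD`/`WX_MAX_TXD` are themselves multiples of 128 and that the rounding there clamps to the maximum, otherwise a request just under the maximum could round past it. The updated comment states the rule but not its source; `/* Hardware requirement: ring sizes must be 128-descriptor aligned (queues hang otherwise) */` would tell the next reader why 128 rather than the usual 8.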
diff --git a/queue-6.10/net-tighten-bad-gso-csum-offset-check-in-virtio_net_hdr.patch b/queue-6.10/net-tighten-bad-gso-csum-offset-check-in-virtio_net_hdr.patch
new file mode 100644 (file)
index 0000000..f9654de
--- /dev/null
@@ -0,0 +1,55 @@
+From 6513eb3d3191574b58859ef2d6dc26c0277c6f81 Mon Sep 17 00:00:00 2001
+From: Willem de Bruijn <willemb@google.com>
+Date: Tue, 10 Sep 2024 17:35:35 -0400
+Subject: net: tighten bad gso csum offset check in virtio_net_hdr
+
+From: Willem de Bruijn <willemb@google.com>
+
+commit 6513eb3d3191574b58859ef2d6dc26c0277c6f81 upstream.
+
+The referenced commit drops bad input, but has false positives.
+Tighten the check to avoid these.
+
+The check detects illegal checksum offload requests, which produce
+csum_start/csum_off beyond end of packet after segmentation.
+
+But it is based on two incorrect assumptions:
+
+1. virtio_net_hdr_to_skb with VIRTIO_NET_HDR_GSO_TCP[46] implies GSO.
+True in callers that inject into the tx path, such as tap.
+But false in callers that inject into rx, like virtio-net.
+Here, the flags indicate GRO, and CHECKSUM_UNNECESSARY or
+CHECKSUM_NONE without VIRTIO_NET_HDR_F_NEEDS_CSUM is normal.
+
+2. TSO requires checksum offload, i.e., ip_summed == CHECKSUM_PARTIAL.
+False, as tcp[46]_gso_segment will fix up csum_start and offset for
+all other ip_summed by calling __tcp_v4_send_check.
+
+Because of 2, we can limit the scope of the fix to virtio_net_hdr
+that do try to set these fields, with a bogus value.
+
+Link: https://lore.kernel.org/netdev/20240909094527.GA3048202@port70.net/
+Fixes: 89add40066f9 ("net: drop bad gso csum_start and offset in virtio_net_hdr")
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20240910213553.839926-1-willemdebruijn.kernel@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/virtio_net.h |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/linux/virtio_net.h
++++ b/include/linux/virtio_net.h
+@@ -173,7 +173,8 @@ retry:
+                       break;
+               case SKB_GSO_TCPV4:
+               case SKB_GSO_TCPV6:
+-                      if (skb->csum_offset != offsetof(struct tcphdr, check))
++                      if (skb->ip_summed == CHECKSUM_PARTIAL &&
++                          skb->csum_offset != offsetof(struct tcphdr, check))
+                               return -EINVAL;
+                       break;
+               }
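Review bot: The narrowed condition now accepts any `csum_offset` for TCPv4/v6 GSO packets that are not `CHECKSUM_PARTIAL`, and nothing at the check says why that is safe; the justification (the segmentation path recomputes csum_start/csum_offset for every other `ip_summed`) lives only in the commit message. I would put it in the code above the `if`: `/* csum_offset is only consumed for CHECKSUM_PARTIAL; tcp[46]_gso_segment recomputes it for other ip_summed values via __tcp_v4_send_check. */`. The enclosing `switch` and function continue outside the hunk.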
diff --git a/queue-6.10/platform-x86-panasonic-laptop-allocate-1-entry-extra-in-the-sinf-array.patch b/queue-6.10/platform-x86-panasonic-laptop-allocate-1-entry-extra-in-the-sinf-array.patch
new file mode 100644 (file)
index 0000000..da69181
--- /dev/null
@@ -0,0 +1,62 @@
+From 33297cef3101d950cec0033a0dce0a2d2bd59999 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Mon, 9 Sep 2024 13:32:26 +0200
+Subject: platform/x86: panasonic-laptop: Allocate 1 entry extra in the sinf array
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 33297cef3101d950cec0033a0dce0a2d2bd59999 upstream.
+
+Some DSDT-s have an off-by-one bug where the SINF package count is
+one higher than the SQTY reported value, allocate 1 entry extra.
+
+Also make the SQTY <-> SINF package count mismatch error more verbose
+to help debugging similar issues in the future.
+
+This fixes the panasonic-laptop driver failing to probe() on some
+devices with the following errors:
+
+[    3.958887] SQTY reports bad SINF length SQTY: 37 SINF-pkg-count: 38
+[    3.958892] Couldn't retrieve BIOS data
+[    3.983685] Panasonic Laptop Support - With Macros: probe of MAT0019:00 failed with error -5
+
+Fixes: 709ee531c153 ("panasonic-laptop: add Panasonic Let's Note laptop extras driver v0.94")
+Cc: stable@vger.kernel.org
+Tested-by: James Harmison <jharmison@redhat.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20240909113227.254470-2-hdegoede@redhat.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/panasonic-laptop.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/platform/x86/panasonic-laptop.c
++++ b/drivers/platform/x86/panasonic-laptop.c
+@@ -337,7 +337,8 @@ static int acpi_pcc_retrieve_biosdata(st
+       }
+       if (pcc->num_sifr < hkey->package.count) {
+-              pr_err("SQTY reports bad SINF length\n");
++              pr_err("SQTY reports bad SINF length SQTY: %lu SINF-pkg-count: %u\n",
++                     pcc->num_sifr, hkey->package.count);
+               status = AE_ERROR;
+               goto end;
+       }
+@@ -994,6 +995,12 @@ static int acpi_pcc_hotkey_add(struct ac
+               return -ENODEV;
+       }
++      /*
++       * Some DSDT-s have an off-by-one bug where the SINF package count is
++       * one higher than the SQTY reported value, allocate 1 entry extra.
++       */
++      num_sifr++;
++
+       pcc = kzalloc(sizeof(struct pcc_acpi), GFP_KERNEL);
+       if (!pcc) {
+               pr_err("Couldn't allocate mem for pcc");
diff --git a/queue-6.10/platform-x86-panasonic-laptop-fix-sinf-array-out-of-bounds-accesses.patch b/queue-6.10/platform-x86-panasonic-laptop-fix-sinf-array-out-of-bounds-accesses.patch
new file mode 100644 (file)
index 0000000..7de8d97
--- /dev/null
@@ -0,0 +1,130 @@
+From f52e98d16e9bd7dd2b3aef8e38db5cbc9899d6a4 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Mon, 9 Sep 2024 13:32:25 +0200
+Subject: platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit f52e98d16e9bd7dd2b3aef8e38db5cbc9899d6a4 upstream.
+
+The panasonic laptop code in various places uses the SINF array with index
+values of 0 - SINF_CUR_BRIGHT(0x0d) without checking that the SINF array
+is big enough.
+
+Not all panasonic laptops have this many SINF array entries, for example
+the Toughbook CF-18 model only has 10 SINF array entries. So it only
+supports the AC+DC brightness entries and mute.
+
+Check that the SINF array has a minimum size which covers all AC+DC
+brightness entries and refuse to load if the SINF array is smaller.
+
+For higher SINF indexes hide the sysfs attributes when the SINF array
+does not contain an entry for that attribute, avoiding show()/store()
+accessing the array out of bounds and add bounds checking to the probe()
+and resume() code accessing these.
+
+Fixes: e424fb8cc4e6 ("panasonic-laptop: avoid overflow in acpi_pcc_hotkey_add()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20240909113227.254470-1-hdegoede@redhat.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/panasonic-laptop.c |   49 +++++++++++++++++++++++++-------
+ 1 file changed, 39 insertions(+), 10 deletions(-)
+
+--- a/drivers/platform/x86/panasonic-laptop.c
++++ b/drivers/platform/x86/panasonic-laptop.c
+@@ -773,6 +773,24 @@ static DEVICE_ATTR_RW(dc_brightness);
+ static DEVICE_ATTR_RW(current_brightness);
+ static DEVICE_ATTR_RW(cdpower);
++static umode_t pcc_sysfs_is_visible(struct kobject *kobj, struct attribute *attr, int idx)
++{
++      struct device *dev = kobj_to_dev(kobj);
++      struct acpi_device *acpi = to_acpi_device(dev);
++      struct pcc_acpi *pcc = acpi_driver_data(acpi);
++
++      if (attr == &dev_attr_mute.attr)
++              return (pcc->num_sifr > SINF_MUTE) ? attr->mode : 0;
++
++      if (attr == &dev_attr_eco_mode.attr)
++              return (pcc->num_sifr > SINF_ECO_MODE) ? attr->mode : 0;
++
++      if (attr == &dev_attr_current_brightness.attr)
++              return (pcc->num_sifr > SINF_CUR_BRIGHT) ? attr->mode : 0;
++
++      return attr->mode;
++}
++
+ static struct attribute *pcc_sysfs_entries[] = {
+       &dev_attr_numbatt.attr,
+       &dev_attr_lcdtype.attr,
+@@ -787,8 +805,9 @@ static struct attribute *pcc_sysfs_entri
+ };
+ static const struct attribute_group pcc_attr_group = {
+-      .name   = NULL,         /* put in device directory */
+-      .attrs  = pcc_sysfs_entries,
++      .name           = NULL,         /* put in device directory */
++      .attrs          = pcc_sysfs_entries,
++      .is_visible     = pcc_sysfs_is_visible,
+ };
+@@ -941,12 +960,15 @@ static int acpi_pcc_hotkey_resume(struct
+       if (!pcc)
+               return -EINVAL;
+-      acpi_pcc_write_sset(pcc, SINF_MUTE, pcc->mute);
+-      acpi_pcc_write_sset(pcc, SINF_ECO_MODE, pcc->eco_mode);
++      if (pcc->num_sifr > SINF_MUTE)
++              acpi_pcc_write_sset(pcc, SINF_MUTE, pcc->mute);
++      if (pcc->num_sifr > SINF_ECO_MODE)
++              acpi_pcc_write_sset(pcc, SINF_ECO_MODE, pcc->eco_mode);
+       acpi_pcc_write_sset(pcc, SINF_STICKY_KEY, pcc->sticky_key);
+       acpi_pcc_write_sset(pcc, SINF_AC_CUR_BRIGHT, pcc->ac_brightness);
+       acpi_pcc_write_sset(pcc, SINF_DC_CUR_BRIGHT, pcc->dc_brightness);
+-      acpi_pcc_write_sset(pcc, SINF_CUR_BRIGHT, pcc->current_brightness);
++      if (pcc->num_sifr > SINF_CUR_BRIGHT)
++              acpi_pcc_write_sset(pcc, SINF_CUR_BRIGHT, pcc->current_brightness);
+       return 0;
+ }
+@@ -963,8 +985,12 @@ static int acpi_pcc_hotkey_add(struct ac
+       num_sifr = acpi_pcc_get_sqty(device);
+-      if (num_sifr < 0 || num_sifr > 255) {
+-              pr_err("num_sifr out of range");
++      /*
++       * pcc->sinf is expected to at least have the AC+DC brightness entries.
++       * Accesses to higher SINF entries are checked against num_sifr.
++       */
++      if (num_sifr <= SINF_DC_CUR_BRIGHT || num_sifr > 255) {
++              pr_err("num_sifr %d out of range %d - 255\n", num_sifr, SINF_DC_CUR_BRIGHT + 1);
+               return -ENODEV;
+       }
+@@ -1020,11 +1046,14 @@ static int acpi_pcc_hotkey_add(struct ac
+       acpi_pcc_write_sset(pcc, SINF_STICKY_KEY, 0);
+       pcc->sticky_key = 0;
+-      pcc->eco_mode = pcc->sinf[SINF_ECO_MODE];
+-      pcc->mute = pcc->sinf[SINF_MUTE];
+       pcc->ac_brightness = pcc->sinf[SINF_AC_CUR_BRIGHT];
+       pcc->dc_brightness = pcc->sinf[SINF_DC_CUR_BRIGHT];
+-      pcc->current_brightness = pcc->sinf[SINF_CUR_BRIGHT];
++      if (pcc->num_sifr > SINF_MUTE)
++              pcc->mute = pcc->sinf[SINF_MUTE];
++      if (pcc->num_sifr > SINF_ECO_MODE)
++              pcc->eco_mode = pcc->sinf[SINF_ECO_MODE];
++      if (pcc->num_sifr > SINF_CUR_BRIGHT)
++              pcc->current_brightness = pcc->sinf[SINF_CUR_BRIGHT];
+       /* add sysfs attributes */
+       result = sysfs_create_group(&device->dev.kobj, &pcc_attr_group);
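Review bot: pcc_sysfs_is_visible only gates mute, eco_mode and current_brightness; every other entry in pcc_sysfs_entries (numbatt, lcdtype, ..., cdpower) and the unconditional SINF_STICKY_KEY / AC / DC writes in acpi_pcc_hotkey_resume are served without a bounds check and rely on the `num_sifr <= SINF_DC_CUR_BRIGHT` rejection in acpi_pcc_hotkey_add. That dependency is implicit, and the SINF_* index definitions are outside the hunk, so the assumption that those attributes all use indexes at or below SINF_DC_CUR_BRIGHT should be stated where a future attribute would be added: before the final `return attr->mode;` put `/* Remaining attributes use SINF indexes <= SINF_DC_CUR_BRIGHT, which acpi_pcc_hotkey_add() requires to be present. */`. A matching one-line comment above the unconditional write_sset calls in the resume path would make the same invariant visible there. The enclosing resume and add functions begin and end outside the hunk.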
diff --git a/queue-6.10/selftests-mptcp-join-restrict-fullmesh-endp-on-1st-sf.patch b/queue-6.10/selftests-mptcp-join-restrict-fullmesh-endp-on-1st-sf.patch
new file mode 100644 (file)
index 0000000..50919d8
--- /dev/null
@@ -0,0 +1,45 @@
+From 49ac6f05ace5bb0070c68a0193aa05d3c25d4c83 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Tue, 10 Sep 2024 21:06:36 +0200
+Subject: selftests: mptcp: join: restrict fullmesh endp on 1st sf
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 49ac6f05ace5bb0070c68a0193aa05d3c25d4c83 upstream.
+
+A new endpoint using the IP of the initial subflow has been recently
+added to increase the code coverage. But it breaks the test when using
+old kernels not having commit 86e39e04482b ("mptcp: keep track of local
+endpoint still available for each msk"), e.g. on v5.15.
+
+Similar to commit d4c81bbb8600 ("selftests: mptcp: join: support local
+endpoint being tracked or not"), it is possible to add the new endpoint
+conditionally, by checking if "mptcp_pm_subflow_check_next" is present
+in kallsyms: this is not directly linked to the commit introducing this
+symbol but for the parent one which is linked anyway. So we can know in
+advance what will be the expected behaviour, and add the new endpoint
+only when it makes sense to do so.
+
+Fixes: 4878f9f8421f ("selftests: mptcp: join: validate fullmesh endp on 1st sf")
+Cc: stable@vger.kernel.org
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20240910-net-selftests-mptcp-fix-install-v1-1-8f124aa9156d@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_join.sh |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
+@@ -3064,7 +3064,9 @@ fullmesh_tests()
+               pm_nl_set_limits $ns1 1 3
+               pm_nl_set_limits $ns2 1 3
+               pm_nl_add_endpoint $ns1 10.0.2.1 flags signal
+-              pm_nl_add_endpoint $ns2 10.0.1.2 flags subflow,fullmesh
++              if mptcp_lib_kallsyms_has "mptcp_pm_subflow_check_next$"; then
++                      pm_nl_add_endpoint $ns2 10.0.1.2 flags subflow,fullmesh
++              fi
+               fullmesh=1 speed=slow \
+                       run_tests $ns1 $ns2 10.0.1.1
+               chk_join_nr 3 3 3
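Review bot: The new `if mptcp_lib_kallsyms_has` gate drops the fullmesh endpoint on the initial subflow's IP silently, and nothing at the call site explains why a kallsyms symbol unrelated to the endpoint decides this, while the `chk_join_nr 3 3 3` expectation below stays the same on both paths. A reader of the test alone cannot tell the coverage was intentionally reduced, so add a comment above the `if`, e.g. `# endpoint on the initial subflow IP needs local endpoint tracking (86e39e04482b); mptcp_pm_subflow_check_next is the kallsyms hint for that`. fullmesh_tests() continues outside the hunk, so whether the join/ack counts are really independent of the endpoint is inferred from the commit message rather than visible here.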
index 8b86571a3c051456375496056b8bd5bd60608690..7ace2e7237eeabd860041a34389f4173dc310848 100644 (file)
@@ -40,3 +40,16 @@ s390-mm-pin-identity-mapping-base-to-zero.patch
 smb-server-fix-return-value-of-smb2_open.patch
 nfsv4-fix-clearing-of-layout-segments-in-layoutretur.patch
 nfs-avoid-unnecessary-rescanning-of-the-per-server-d.patch
+platform-x86-panasonic-laptop-fix-sinf-array-out-of-bounds-accesses.patch
+platform-x86-panasonic-laptop-allocate-1-entry-extra-in-the-sinf-array.patch
+mptcp-pm-fix-uaf-in-__timer_delete_sync.patch
+selftests-mptcp-join-restrict-fullmesh-endp-on-1st-sf.patch
+arm64-dts-rockchip-fix-emmc-spi-corruption-when-audio-has-been-used-on-rk3399-puma.patch
+arm64-dts-rockchip-override-bios_disable-signal-via-gpio-hog-on-rk3399-puma.patch
+minmax-reduce-min-max-macro-expansion-in-atomisp-driver.patch
+net-tighten-bad-gso-csum-offset-check-in-virtio_net_hdr.patch
+net-libwx-fix-number-of-rx-and-tx-descriptors.patch
+dm-integrity-fix-a-race-condition-when-accessing-recalc_sector.patch
+clocksource-hyper-v-use-lapic-timer-in-a-tdx-vm-without-paravisor.patch
+x86-hyperv-fix-kexec-crash-due-to-vp-assist-page-corruption.patch
+mm-avoid-leaving-partial-pfn-mappings-around-in-error-case.patch
diff --git a/queue-6.10/x86-hyperv-fix-kexec-crash-due-to-vp-assist-page-corruption.patch b/queue-6.10/x86-hyperv-fix-kexec-crash-due-to-vp-assist-page-corruption.patch
new file mode 100644 (file)
index 0000000..3b5bae7
--- /dev/null
@@ -0,0 +1,95 @@
+From b9af6418279c4cf73ca073f8ea024992b38be8ab Mon Sep 17 00:00:00 2001
+From: "Anirudh Rayabharam (Microsoft)" <anirudh@anirudhrb.com>
+Date: Wed, 28 Aug 2024 16:51:56 +0530
+Subject: x86/hyperv: fix kexec crash due to VP assist page corruption
+
+From: Anirudh Rayabharam (Microsoft) <anirudh@anirudhrb.com>
+
+commit b9af6418279c4cf73ca073f8ea024992b38be8ab upstream.
+
+commit 9636be85cc5b ("x86/hyperv: Fix hyperv_pcpu_input_arg handling when
+CPUs go online/offline") introduces a new cpuhp state for hyperv
+initialization.
+
+cpuhp_setup_state() returns the state number if state is
+CPUHP_AP_ONLINE_DYN or CPUHP_BP_PREPARE_DYN and 0 for all other states.
+For the hyperv case, since a new cpuhp state was introduced it would
+return 0. However, in hv_machine_shutdown(), the cpuhp_remove_state() call
+is conditioned upon "hyperv_init_cpuhp > 0". This will never be true and
+so hv_cpu_die() won't be called on all CPUs. This means the VP assist page
+won't be reset. When the kexec kernel tries to setup the VP assist page
+again, the hypervisor corrupts the memory region of the old VP assist page
+causing a panic in case the kexec kernel is using that memory elsewhere.
+This was originally fixed in commit dfe94d4086e4 ("x86/hyperv: Fix kexec
+panic/hang issues").
+
+Get rid of hyperv_init_cpuhp entirely since we are no longer using a
+dynamic cpuhp state and use CPUHP_AP_HYPERV_ONLINE directly with
+cpuhp_remove_state().
+
+Cc: stable@vger.kernel.org
+Fixes: 9636be85cc5b ("x86/hyperv: Fix hyperv_pcpu_input_arg handling when CPUs go online/offline")
+Signed-off-by: Anirudh Rayabharam (Microsoft) <anirudh@anirudhrb.com>
+Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
+Reviewed-by: Michael Kelley <mhklinux@outlook.com>
+Link: https://lore.kernel.org/r/20240828112158.3538342-1-anirudh@anirudhrb.com
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Message-ID: <20240828112158.3538342-1-anirudh@anirudhrb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/hyperv/hv_init.c       |    5 +----
+ arch/x86/include/asm/mshyperv.h |    1 -
+ arch/x86/kernel/cpu/mshyperv.c  |    4 ++--
+ 3 files changed, 3 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/hyperv/hv_init.c
++++ b/arch/x86/hyperv/hv_init.c
+@@ -35,7 +35,6 @@
+ #include <clocksource/hyperv_timer.h>
+ #include <linux/highmem.h>
+-int hyperv_init_cpuhp;
+ u64 hv_current_partition_id = ~0ull;
+ EXPORT_SYMBOL_GPL(hv_current_partition_id);
+@@ -607,8 +606,6 @@ skip_hypercall_pg_init:
+       register_syscore_ops(&hv_syscore_ops);
+-      hyperv_init_cpuhp = cpuhp;
+-
+       if (cpuid_ebx(HYPERV_CPUID_FEATURES) & HV_ACCESS_PARTITION_ID)
+               hv_get_partition_id();
+@@ -637,7 +634,7 @@ skip_hypercall_pg_init:
+ clean_guest_os_id:
+       wrmsrl(HV_X64_MSR_GUEST_OS_ID, 0);
+       hv_ivm_msr_write(HV_X64_MSR_GUEST_OS_ID, 0);
+-      cpuhp_remove_state(cpuhp);
++      cpuhp_remove_state(CPUHP_AP_HYPERV_ONLINE);
+ free_ghcb_page:
+       free_percpu(hv_ghcb_pg);
+ free_vp_assist_page:
+--- a/arch/x86/include/asm/mshyperv.h
++++ b/arch/x86/include/asm/mshyperv.h
+@@ -40,7 +40,6 @@ static inline unsigned char hv_get_nmi_r
+ }
+ #if IS_ENABLED(CONFIG_HYPERV)
+-extern int hyperv_init_cpuhp;
+ extern bool hyperv_paravisor_present;
+ extern void *hv_hypercall_pg;
+--- a/arch/x86/kernel/cpu/mshyperv.c
++++ b/arch/x86/kernel/cpu/mshyperv.c
+@@ -199,8 +199,8 @@ static void hv_machine_shutdown(void)
+        * Call hv_cpu_die() on all the CPUs, otherwise later the hypervisor
+        * corrupts the old VP Assist Pages and can crash the kexec kernel.
+        */
+-      if (kexec_in_progress && hyperv_init_cpuhp > 0)
+-              cpuhp_remove_state(hyperv_init_cpuhp);
++      if (kexec_in_progress)
++              cpuhp_remove_state(CPUHP_AP_HYPERV_ONLINE);
+       /* The function calls stop_other_cpus(). */
+       native_machine_shutdown();