6.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 8 Sep 2024 11:32:38 +0000 (13:32 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 8 Sep 2024 11:32:38 +0000 (13:32 +0200)
added patches:
asoc-intel-boards-fix-null-pointer-deref-in-byt-cht-boards-harder.patch
bluetooth-mgmt-ignore-keys-being-loaded-with-invalid-type.patch
fuse-check-aborted-connection-before-adding-requests-to-pending-list-for-resending.patch
fuse-clear-pg_uptodate-when-using-a-stolen-page.patch
fuse-disable-the-combination-of-passthrough-and-writeback-cache.patch
fuse-fix-memory-leak-in-fuse_create_open.patch
fuse-update-stats-for-pages-in-dropped-aux-writeback-list.patch
fuse-use-unsigned-type-for-getxattr-listxattr-size-truncation.patch
mmc-core-apply-sd-quirks-earlier-during-probe.patch
mmc-cqhci-fix-checking-of-cqhci_halt-state.patch
mmc-dw_mmc-fix-idmac-operation-with-pages-bigger-than-4k.patch
mmc-sdhci-of-aspeed-fix-module-autoloading.patch
parisc-delay-write-protection-until-mark_rodata_ro-call.patch
riscv-misaligned-restrict-user-access-to-kernel-memory.patch
selftests-mm-fix-build-errors-on-armhf.patch

16 files changed:
queue-6.10/asoc-intel-boards-fix-null-pointer-deref-in-byt-cht-boards-harder.patch [new file with mode: 0644]
queue-6.10/bluetooth-mgmt-ignore-keys-being-loaded-with-invalid-type.patch [new file with mode: 0644]
queue-6.10/fuse-check-aborted-connection-before-adding-requests-to-pending-list-for-resending.patch [new file with mode: 0644]
queue-6.10/fuse-clear-pg_uptodate-when-using-a-stolen-page.patch [new file with mode: 0644]
queue-6.10/fuse-disable-the-combination-of-passthrough-and-writeback-cache.patch [new file with mode: 0644]
queue-6.10/fuse-fix-memory-leak-in-fuse_create_open.patch [new file with mode: 0644]
queue-6.10/fuse-update-stats-for-pages-in-dropped-aux-writeback-list.patch [new file with mode: 0644]
queue-6.10/fuse-use-unsigned-type-for-getxattr-listxattr-size-truncation.patch [new file with mode: 0644]
queue-6.10/mmc-core-apply-sd-quirks-earlier-during-probe.patch [new file with mode: 0644]
queue-6.10/mmc-cqhci-fix-checking-of-cqhci_halt-state.patch [new file with mode: 0644]
queue-6.10/mmc-dw_mmc-fix-idmac-operation-with-pages-bigger-than-4k.patch [new file with mode: 0644]
queue-6.10/mmc-sdhci-of-aspeed-fix-module-autoloading.patch [new file with mode: 0644]
queue-6.10/parisc-delay-write-protection-until-mark_rodata_ro-call.patch [new file with mode: 0644]
queue-6.10/riscv-misaligned-restrict-user-access-to-kernel-memory.patch [new file with mode: 0644]
queue-6.10/selftests-mm-fix-build-errors-on-armhf.patch [new file with mode: 0644]
queue-6.10/series

diff --git a/queue-6.10/asoc-intel-boards-fix-null-pointer-deref-in-byt-cht-boards-harder.patch b/queue-6.10/asoc-intel-boards-fix-null-pointer-deref-in-byt-cht-boards-harder.patch
new file mode 100644 (file)
index 0000000..ac5e0e9
--- /dev/null
@@ -0,0 +1,186 @@
+From 0cc65482f5b03ac2b1c240bc34665e43ea2d71bb Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Fri, 23 Aug 2024 09:42:17 +0200
+Subject: ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards harder
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 0cc65482f5b03ac2b1c240bc34665e43ea2d71bb upstream.
+
+Since commit 13f58267cda3 ("ASoC: soc.h: don't create dummy Component
+via COMP_DUMMY()") dummy codecs declared like this:
+
+SND_SOC_DAILINK_DEF(dummy,
+        DAILINK_COMP_ARRAY(COMP_DUMMY()));
+
+expand to:
+
+static struct snd_soc_dai_link_component dummy[] = {
+};
+
+Which means that dummy is a zero sized array and thus dais[i].codecs should
+not be dereferenced *at all* since it points to the address of the next
+variable stored in the data section as the "dummy" variable has an address
+but no size, so even dereferencing dais[0] is already an out of bounds
+array reference.
+
+Which means that the if (dais[i].codecs->name) check added in
+commit 7d99a70b6595 ("ASoC: Intel: Boards: Fix NULL pointer deref
+in BYT/CHT boards") relies on that the part of the next variable which
+the name member maps to just happens to be NULL.
+
+Which apparently so far it usually is, except when it isn't
+and then it results in crashes like this one:
+
+[   28.795659] BUG: unable to handle page fault for address: 0000000000030011
+...
+[   28.795780] Call Trace:
+[   28.795787]  <TASK>
+...
+[   28.795862]  ? strcmp+0x18/0x40
+[   28.795872]  0xffffffffc150c605
+[   28.795887]  platform_probe+0x40/0xa0
+...
+[   28.795979]  ? __pfx_init_module+0x10/0x10 [snd_soc_sst_bytcr_wm5102]
+
+Really fix things this time around by checking dais.num_codecs != 0.
+
+Fixes: 7d99a70b6595 ("ASoC: Intel: Boards: Fix NULL pointer deref in BYT/CHT boards")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://patch.msgid.link/20240823074217.14653-1-hdegoede@redhat.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/intel/boards/bxt_rt298.c      | 2 +-
+ sound/soc/intel/boards/bytcht_cx2072x.c | 2 +-
+ sound/soc/intel/boards/bytcht_da7213.c  | 2 +-
+ sound/soc/intel/boards/bytcht_es8316.c  | 2 +-
+ sound/soc/intel/boards/bytcr_rt5640.c   | 2 +-
+ sound/soc/intel/boards/bytcr_rt5651.c   | 2 +-
+ sound/soc/intel/boards/bytcr_wm5102.c   | 2 +-
+ sound/soc/intel/boards/cht_bsw_rt5645.c | 2 +-
+ sound/soc/intel/boards/cht_bsw_rt5672.c | 2 +-
+ 9 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/sound/soc/intel/boards/bxt_rt298.c b/sound/soc/intel/boards/bxt_rt298.c
+index dce6a2086f2a..6da1517c53c6 100644
+--- a/sound/soc/intel/boards/bxt_rt298.c
++++ b/sound/soc/intel/boards/bxt_rt298.c
+@@ -605,7 +605,7 @@ static int broxton_audio_probe(struct platform_device *pdev)
+       int i;
+       for (i = 0; i < ARRAY_SIZE(broxton_rt298_dais); i++) {
+-              if (card->dai_link[i].codecs->name &&
++              if (card->dai_link[i].num_codecs &&
+                   !strncmp(card->dai_link[i].codecs->name, "i2c-INT343A:00",
+                            I2C_NAME_SIZE)) {
+                       if (!strncmp(card->name, "broxton-rt298",
+diff --git a/sound/soc/intel/boards/bytcht_cx2072x.c b/sound/soc/intel/boards/bytcht_cx2072x.c
+index c014d85a08b2..df3c2a7b64d2 100644
+--- a/sound/soc/intel/boards/bytcht_cx2072x.c
++++ b/sound/soc/intel/boards/bytcht_cx2072x.c
+@@ -241,7 +241,7 @@ static int snd_byt_cht_cx2072x_probe(struct platform_device *pdev)
+       /* fix index of codec dai */
+       for (i = 0; i < ARRAY_SIZE(byt_cht_cx2072x_dais); i++) {
+-              if (byt_cht_cx2072x_dais[i].codecs->name &&
++              if (byt_cht_cx2072x_dais[i].num_codecs &&
+                   !strcmp(byt_cht_cx2072x_dais[i].codecs->name,
+                           "i2c-14F10720:00")) {
+                       dai_index = i;
+diff --git a/sound/soc/intel/boards/bytcht_da7213.c b/sound/soc/intel/boards/bytcht_da7213.c
+index f4ac3ddd148b..08c598b7e1ee 100644
+--- a/sound/soc/intel/boards/bytcht_da7213.c
++++ b/sound/soc/intel/boards/bytcht_da7213.c
+@@ -245,7 +245,7 @@ static int bytcht_da7213_probe(struct platform_device *pdev)
+       /* fix index of codec dai */
+       for (i = 0; i < ARRAY_SIZE(dailink); i++) {
+-              if (dailink[i].codecs->name &&
++              if (dailink[i].num_codecs &&
+                   !strcmp(dailink[i].codecs->name, "i2c-DLGS7213:00")) {
+                       dai_index = i;
+                       break;
+diff --git a/sound/soc/intel/boards/bytcht_es8316.c b/sound/soc/intel/boards/bytcht_es8316.c
+index 2fcec2e02bb5..77b91ea4dc32 100644
+--- a/sound/soc/intel/boards/bytcht_es8316.c
++++ b/sound/soc/intel/boards/bytcht_es8316.c
+@@ -546,7 +546,7 @@ static int snd_byt_cht_es8316_mc_probe(struct platform_device *pdev)
+       /* fix index of codec dai */
+       for (i = 0; i < ARRAY_SIZE(byt_cht_es8316_dais); i++) {
+-              if (byt_cht_es8316_dais[i].codecs->name &&
++              if (byt_cht_es8316_dais[i].num_codecs &&
+                   !strcmp(byt_cht_es8316_dais[i].codecs->name,
+                           "i2c-ESSX8316:00")) {
+                       dai_index = i;
+diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c
+index a64d1989e28a..db4a33680d94 100644
+--- a/sound/soc/intel/boards/bytcr_rt5640.c
++++ b/sound/soc/intel/boards/bytcr_rt5640.c
+@@ -1677,7 +1677,7 @@ static int snd_byt_rt5640_mc_probe(struct platform_device *pdev)
+       /* fix index of codec dai */
+       for (i = 0; i < ARRAY_SIZE(byt_rt5640_dais); i++) {
+-              if (byt_rt5640_dais[i].codecs->name &&
++              if (byt_rt5640_dais[i].num_codecs &&
+                   !strcmp(byt_rt5640_dais[i].codecs->name,
+                           "i2c-10EC5640:00")) {
+                       dai_index = i;
+diff --git a/sound/soc/intel/boards/bytcr_rt5651.c b/sound/soc/intel/boards/bytcr_rt5651.c
+index 80c841b000a3..8514b79f389b 100644
+--- a/sound/soc/intel/boards/bytcr_rt5651.c
++++ b/sound/soc/intel/boards/bytcr_rt5651.c
+@@ -910,7 +910,7 @@ static int snd_byt_rt5651_mc_probe(struct platform_device *pdev)
+       /* fix index of codec dai */
+       for (i = 0; i < ARRAY_SIZE(byt_rt5651_dais); i++) {
+-              if (byt_rt5651_dais[i].codecs->name &&
++              if (byt_rt5651_dais[i].num_codecs &&
+                   !strcmp(byt_rt5651_dais[i].codecs->name,
+                           "i2c-10EC5651:00")) {
+                       dai_index = i;
+diff --git a/sound/soc/intel/boards/bytcr_wm5102.c b/sound/soc/intel/boards/bytcr_wm5102.c
+index cccb5e90c0fe..e5a7cc606aa9 100644
+--- a/sound/soc/intel/boards/bytcr_wm5102.c
++++ b/sound/soc/intel/boards/bytcr_wm5102.c
+@@ -605,7 +605,7 @@ static int snd_byt_wm5102_mc_probe(struct platform_device *pdev)
+       /* find index of codec dai */
+       for (i = 0; i < ARRAY_SIZE(byt_wm5102_dais); i++) {
+-              if (byt_wm5102_dais[i].codecs->name &&
++              if (byt_wm5102_dais[i].num_codecs &&
+                   !strcmp(byt_wm5102_dais[i].codecs->name,
+                           "wm5102-codec")) {
+                       dai_index = i;
+diff --git a/sound/soc/intel/boards/cht_bsw_rt5645.c b/sound/soc/intel/boards/cht_bsw_rt5645.c
+index eb41b7115d01..1da9ceee4d59 100644
+--- a/sound/soc/intel/boards/cht_bsw_rt5645.c
++++ b/sound/soc/intel/boards/cht_bsw_rt5645.c
+@@ -569,7 +569,7 @@ static int snd_cht_mc_probe(struct platform_device *pdev)
+       /* set correct codec name */
+       for (i = 0; i < ARRAY_SIZE(cht_dailink); i++)
+-              if (cht_dailink[i].codecs->name &&
++              if (cht_dailink[i].num_codecs &&
+                   !strcmp(cht_dailink[i].codecs->name,
+                           "i2c-10EC5645:00")) {
+                       dai_index = i;
+diff --git a/sound/soc/intel/boards/cht_bsw_rt5672.c b/sound/soc/intel/boards/cht_bsw_rt5672.c
+index be2d1a8dbca8..d68e5bc755de 100644
+--- a/sound/soc/intel/boards/cht_bsw_rt5672.c
++++ b/sound/soc/intel/boards/cht_bsw_rt5672.c
+@@ -466,7 +466,7 @@ static int snd_cht_mc_probe(struct platform_device *pdev)
+       /* find index of codec dai */
+       for (i = 0; i < ARRAY_SIZE(cht_dailink); i++) {
+-              if (cht_dailink[i].codecs->name &&
++              if (cht_dailink[i].num_codecs &&
+                   !strcmp(cht_dailink[i].codecs->name, RT5672_I2C_DEFAULT)) {
+                       dai_index = i;
+                       break;
+-- 
+2.46.0
+
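Review bot: The replaced condition drops the NULL test on `codecs->name`, so in all nine probe loops `strcmp()`/`strncmp()` now relies on every link with a non-zero `num_codecs` having a name in its first codec entry. That presumably holds for the static link tables these boards use, but the tables are outside the hunks, and keeping both guards is cheap: `if (dailink[i].num_codecs && dailink[i].codecs->name &&` in bytcht_da7213.c, and the equivalent in the other eight files. Every probe function touched here starts and ends outside its hunk.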
diff --git a/queue-6.10/bluetooth-mgmt-ignore-keys-being-loaded-with-invalid-type.patch b/queue-6.10/bluetooth-mgmt-ignore-keys-being-loaded-with-invalid-type.patch
new file mode 100644 (file)
index 0000000..f239a14
--- /dev/null
@@ -0,0 +1,89 @@
+From 1e9683c9b6ca88cc9340cdca85edd6134c8cffe3 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 27 Aug 2024 15:01:34 -0400
+Subject: Bluetooth: MGMT: Ignore keys being loaded with invalid type
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+commit 1e9683c9b6ca88cc9340cdca85edd6134c8cffe3 upstream.
+
+Due to 59b047bc98084f8af2c41483e4d68a5adf2fa7f7 there could be keys stored
+with the wrong address type so this attempt to detect it and ignore them
+instead of just failing to load all keys.
+
+Cc: stable@vger.kernel.org
+Link: https://github.com/bluez/bluez/issues/875
+Fixes: 59b047bc9808 ("Bluetooth: MGMT/SMP: Fix address type when using SMP over BREDR/LE")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/mgmt.c |   37 +++++++++++++++++++------------------
+ 1 file changed, 19 insertions(+), 18 deletions(-)
+
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -2831,15 +2831,6 @@ static int load_link_keys(struct sock *s
+       bt_dev_dbg(hdev, "debug_keys %u key_count %u", cp->debug_keys,
+                  key_count);
+-      for (i = 0; i < key_count; i++) {
+-              struct mgmt_link_key_info *key = &cp->keys[i];
+-
+-              if (key->addr.type != BDADDR_BREDR || key->type > 0x08)
+-                      return mgmt_cmd_status(sk, hdev->id,
+-                                             MGMT_OP_LOAD_LINK_KEYS,
+-                                             MGMT_STATUS_INVALID_PARAMS);
+-      }
+-
+       hci_dev_lock(hdev);
+       hci_link_keys_clear(hdev);
+@@ -2864,6 +2855,19 @@ static int load_link_keys(struct sock *s
+                       continue;
+               }
++              if (key->addr.type != BDADDR_BREDR) {
++                      bt_dev_warn(hdev,
++                                  "Invalid link address type %u for %pMR",
++                                  key->addr.type, &key->addr.bdaddr);
++                      continue;
++              }
++
++              if (key->type > 0x08) {
++                      bt_dev_warn(hdev, "Invalid link key type %u for %pMR",
++                                  key->type, &key->addr.bdaddr);
++                      continue;
++              }
++
+               /* Always ignore debug keys and require a new pairing if
+                * the user wants to use them.
+                */
+@@ -7147,15 +7151,6 @@ static int load_long_term_keys(struct so
+       bt_dev_dbg(hdev, "key_count %u", key_count);
+-      for (i = 0; i < key_count; i++) {
+-              struct mgmt_ltk_info *key = &cp->keys[i];
+-
+-              if (!ltk_is_valid(key))
+-                      return mgmt_cmd_status(sk, hdev->id,
+-                                             MGMT_OP_LOAD_LONG_TERM_KEYS,
+-                                             MGMT_STATUS_INVALID_PARAMS);
+-      }
+-
+       hci_dev_lock(hdev);
+       hci_smp_ltks_clear(hdev);
+@@ -7171,6 +7166,12 @@ static int load_long_term_keys(struct so
+                                   &key->addr.bdaddr);
+                       continue;
+               }
++
++              if (!ltk_is_valid(key)) {
++                      bt_dev_warn(hdev, "Invalid LTK for %pMR",
++                                  &key->addr.bdaddr);
++                      continue;
++              }
+               switch (key->type) {
+               case MGMT_LTK_UNAUTHENTICATED:
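Review bot: Moving the validity checks into the load loops means a request with bad entries is now examined only after `hci_link_keys_clear()` / `hci_smp_ltks_clear()` have run, and the bad entries are skipped with just a `bt_dev_warn()`. As far as these hunks show, the caller is no longer told through `MGMT_STATUS_INVALID_PARAMS` that part of its key list was dropped. A short comment above each new check would record that this is deliberate, e.g. `/* Skip instead of rejecting: one key stored with a wrong type must not block loading the rest */`. Because the messages are driven by the contents of a management command, `bt_dev_warn_ratelimited()` would keep a long list of bad entries from flooding the log. Both functions continue outside the hunks, so the status finally returned is not visible here.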
diff --git a/queue-6.10/fuse-check-aborted-connection-before-adding-requests-to-pending-list-for-resending.patch b/queue-6.10/fuse-check-aborted-connection-before-adding-requests-to-pending-list-for-resending.patch
new file mode 100644 (file)
index 0000000..cd31b59
--- /dev/null
@@ -0,0 +1,53 @@
+From 97f30876c94382d1b01d45c2c76be8911b196527 Mon Sep 17 00:00:00 2001
+From: Joanne Koong <joannelkoong@gmail.com>
+Date: Thu, 25 Jul 2024 10:53:34 -0700
+Subject: fuse: check aborted connection before adding requests to pending list for resending
+
+From: Joanne Koong <joannelkoong@gmail.com>
+
+commit 97f30876c94382d1b01d45c2c76be8911b196527 upstream.
+
+There is a race condition where inflight requests will not be aborted if
+they are in the middle of being re-sent when the connection is aborted.
+
+If fuse_resend has already moved all the requests in the fpq->processing
+lists to its private queue ("to_queue") and then the connection starts
+and finishes aborting, these requests will be added to the pending queue
+and remain on it indefinitely.
+
+Fixes: 760eac73f9f6 ("fuse: Introduce a new notification type for resend pending requests")
+Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: Jingbo Xu <jefflexu@linux.alibaba.com>
+Cc: <stable@vger.kernel.org> # v6.9
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fuse/dev.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -31,6 +31,8 @@ MODULE_ALIAS("devname:fuse");
+ static struct kmem_cache *fuse_req_cachep;
++static void end_requests(struct list_head *head);
++
+ static struct fuse_dev *fuse_get_dev(struct file *file)
+ {
+       /*
+@@ -1822,6 +1824,13 @@ static void fuse_resend(struct fuse_conn
+       }
+       spin_lock(&fiq->lock);
++      if (!fiq->connected) {
++              spin_unlock(&fiq->lock);
++              list_for_each_entry(req, &to_queue, list)
++                      clear_bit(FR_PENDING, &req->flags);
++              end_requests(&to_queue);
++              return;
++      }
+       /* iq and pq requests are both oldest to newest */
+       list_splice(&to_queue, &fiq->pending);
+       fiq->ops->wake_pending_and_unlock(fiq);
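Review bot: The new `!fiq->connected` branch in `fuse_resend()` carries no comment explaining why `FR_PENDING` is cleared on every request before `end_requests()` is called, and that ordering looks load-bearing. I would add `/* Connection was aborted while these requests sat on the private list; the abort path cannot see them, so end them here */` above the `if`. `fuse_resend()` begins and ends outside the hunk, so the place where `FR_PENDING` is set on these requests is not visible here and should be confirmed against the full function.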
diff --git a/queue-6.10/fuse-clear-pg_uptodate-when-using-a-stolen-page.patch b/queue-6.10/fuse-clear-pg_uptodate-when-using-a-stolen-page.patch
new file mode 100644 (file)
index 0000000..3d51a3e
--- /dev/null
@@ -0,0 +1,63 @@
+From 76a51ac00ca2a72fe3e168b7fb0e70f75ba6f512 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi <mszeredi@redhat.com>
+Date: Wed, 28 Aug 2024 15:55:17 +0200
+Subject: fuse: clear PG_uptodate when using a stolen page
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Miklos Szeredi <mszeredi@redhat.com>
+
+commit 76a51ac00ca2a72fe3e168b7fb0e70f75ba6f512 upstream.
+
+Originally when a stolen page was inserted into fuse's page cache by
+fuse_try_move_page(), it would be marked uptodate.  Then
+fuse_readpages_end() would call SetPageUptodate() again on the already
+uptodate page.
+
+Commit 413e8f014c8b ("fuse: Convert fuse_readpages_end() to use
+folio_end_read()") changed that by replacing the SetPageUptodate() +
+unlock_page() combination with folio_end_read(), which does mostly the
+same, except it sets the uptodate flag with an xor operation, which in the
+above scenario resulted in the uptodate flag being cleared, which in turn
+resulted in EIO being returned on the read.
+
+Fix by clearing PG_uptodate instead of setting it in fuse_try_move_page(),
+conforming to the expectation of folio_end_read().
+
+Reported-by: Jürg Billeter <j@bitron.ch>
+Debugged-by: Matthew Wilcox <willy@infradead.org>
+Fixes: 413e8f014c8b ("fuse: Convert fuse_readpages_end() to use folio_end_read()")
+Cc: <stable@vger.kernel.org> # v6.10
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fuse/dev.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
+index a11461ef6022..67443ef07285 100644
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -775,7 +775,6 @@ static int fuse_check_folio(struct folio *folio)
+           (folio->flags & PAGE_FLAGS_CHECK_AT_PREP &
+            ~(1 << PG_locked |
+              1 << PG_referenced |
+-             1 << PG_uptodate |
+              1 << PG_lru |
+              1 << PG_active |
+              1 << PG_workingset |
+@@ -820,9 +819,7 @@ static int fuse_try_move_page(struct fuse_copy_state *cs, struct page **pagep)
+       newfolio = page_folio(buf->page);
+-      if (!folio_test_uptodate(newfolio))
+-              folio_mark_uptodate(newfolio);
+-
++      folio_clear_uptodate(newfolio);
+       folio_clear_mappedtodisk(newfolio);
+       if (fuse_check_folio(newfolio) != 0)
+-- 
+2.46.0
+
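Review bot: `folio_clear_uptodate(newfolio)` in `fuse_try_move_page()` is now unconditional, and nothing at the call site says why a stolen page must not be uptodate; the reason lives only in the commit message. A one-line comment such as `/* folio_end_read() toggles PG_uptodate, so it must be clear until the read completes */` would stop a later cleanup from restoring the old `folio_mark_uptodate()`. The removal of `1 << PG_uptodate` from the mask in `fuse_check_folio()` also makes the call order matter, since the clear has to stay ahead of the check. Both functions extend beyond the hunks.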
diff --git a/queue-6.10/fuse-disable-the-combination-of-passthrough-and-writeback-cache.patch b/queue-6.10/fuse-disable-the-combination-of-passthrough-and-writeback-cache.patch
new file mode 100644 (file)
index 0000000..ceebe08
--- /dev/null
@@ -0,0 +1,43 @@
+From 3ab394b363c5fd14b231e335fb6746ddfb93aaaa Mon Sep 17 00:00:00 2001
+From: Bernd Schubert <bschubert@ddn.com>
+Date: Wed, 3 Jul 2024 19:30:20 +0200
+Subject: fuse: disable the combination of passthrough and writeback cache
+
+From: Bernd Schubert <bschubert@ddn.com>
+
+commit 3ab394b363c5fd14b231e335fb6746ddfb93aaaa upstream.
+
+Current design and handling of passthrough is without fuse
+caching and with that FUSE_WRITEBACK_CACHE is conflicting.
+
+Fixes: 7dc4e97a4f9a ("fuse: introduce FUSE_PASSTHROUGH capability")
+Cc: stable@kernel.org # v6.9
+Signed-off-by: Bernd Schubert <bschubert@ddn.com>
+Acked-by: Amir Goldstein <amir73il@gmail.com>
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fuse/inode.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/inode.c
++++ b/fs/fuse/inode.c
+@@ -1336,11 +1336,16 @@ static void process_init_reply(struct fu
+                        * on a stacked fs (e.g. overlayfs) themselves and with
+                        * max_stack_depth == 1, FUSE fs can be stacked as the
+                        * underlying fs of a stacked fs (e.g. overlayfs).
++                       *
++                       * Also don't allow the combination of FUSE_PASSTHROUGH
++                       * and FUSE_WRITEBACK_CACHE, current design doesn't handle
++                       * them together.
+                        */
+                       if (IS_ENABLED(CONFIG_FUSE_PASSTHROUGH) &&
+                           (flags & FUSE_PASSTHROUGH) &&
+                           arg->max_stack_depth > 0 &&
+-                          arg->max_stack_depth <= FILESYSTEM_MAX_STACK_DEPTH) {
++                          arg->max_stack_depth <= FILESYSTEM_MAX_STACK_DEPTH &&
++                          !(flags & FUSE_WRITEBACK_CACHE))  {
+                               fc->passthrough = 1;
+                               fc->max_stack_depth = arg->max_stack_depth;
+                               fm->sb->s_stack_depth = arg->max_stack_depth;
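Review bot: When the init reply carries both `FUSE_PASSTHROUGH` and `FUSE_WRITEBACK_CACHE`, the extended condition in `process_init_reply()` quietly leaves `fc->passthrough` unset, and the added comment says the combination is not allowed without saying which feature wins. I would end the comment with `* If both are requested, passthrough stays disabled.` so a daemon author reading the source knows what to expect. There is also a stray double space before the brace in `!(flags & FUSE_WRITEBACK_CACHE))  {`. The function continues outside the hunk, so how the writeback-cache flag itself is handled is not visible here.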
diff --git a/queue-6.10/fuse-fix-memory-leak-in-fuse_create_open.patch b/queue-6.10/fuse-fix-memory-leak-in-fuse_create_open.patch
new file mode 100644 (file)
index 0000000..aba56fd
--- /dev/null
@@ -0,0 +1,32 @@
+From 3002240d16494d798add0575e8ba1f284258ab34 Mon Sep 17 00:00:00 2001
+From: yangyun <yangyun50@huawei.com>
+Date: Fri, 23 Aug 2024 16:51:46 +0800
+Subject: fuse: fix memory leak in fuse_create_open
+
+From: yangyun <yangyun50@huawei.com>
+
+commit 3002240d16494d798add0575e8ba1f284258ab34 upstream.
+
+The memory of struct fuse_file is allocated but not freed
+when get_create_ext return error.
+
+Fixes: 3e2b6fdbdc9a ("fuse: send security context of inode on file")
+Cc: stable@vger.kernel.org # v5.17
+Signed-off-by: yangyun <yangyun50@huawei.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fuse/dir.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -670,7 +670,7 @@ static int fuse_create_open(struct inode
+       err = get_create_ext(&args, dir, entry, mode);
+       if (err)
+-              goto out_put_forget_req;
++              goto out_free_ff;
+       err = fuse_simple_request(fm, &args);
+       free_ext_value(&args);
diff --git a/queue-6.10/fuse-update-stats-for-pages-in-dropped-aux-writeback-list.patch b/queue-6.10/fuse-update-stats-for-pages-in-dropped-aux-writeback-list.patch
new file mode 100644 (file)
index 0000000..edc04f8
--- /dev/null
@@ -0,0 +1,43 @@
+From f7790d67785302b3116bbbfda62a5a44524601a3 Mon Sep 17 00:00:00 2001
+From: Joanne Koong <joannelkoong@gmail.com>
+Date: Mon, 26 Aug 2024 14:19:04 -0700
+Subject: fuse: update stats for pages in dropped aux writeback list
+
+From: Joanne Koong <joannelkoong@gmail.com>
+
+commit f7790d67785302b3116bbbfda62a5a44524601a3 upstream.
+
+In the case where the aux writeback list is dropped (e.g. the pages
+have been truncated or the connection is broken), the stats for
+its pages and backing device info need to be updated as well.
+
+Fixes: e2653bd53a98 ("fuse: fix leaked aux requests")
+Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Cc: <stable@vger.kernel.org> # v5.1
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fuse/file.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/file.c
++++ b/fs/fuse/file.c
+@@ -1832,10 +1832,16 @@ __acquires(fi->lock)
+       fuse_writepage_finish(fm, wpa);
+       spin_unlock(&fi->lock);
+-      /* After fuse_writepage_finish() aux request list is private */
++      /* After rb_erase() aux request list is private */
+       for (aux = wpa->next; aux; aux = next) {
++              struct backing_dev_info *bdi = inode_to_bdi(aux->inode);
++
+               next = aux->next;
+               aux->next = NULL;
++
++              dec_wb_stat(&bdi->wb, WB_WRITEBACK);
++              dec_node_page_state(aux->ia.ap.pages[0], NR_WRITEBACK_TEMP);
++              wb_writeout_inc(&bdi->wb);
+               fuse_writepage_free(aux);
+       }
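Review bot: The new accounting in the aux loop reads `aux->ia.ap.pages[0]` and adjusts each counter once per aux request, which is only correct if every aux request carries exactly one page; nothing in the hunk states or checks that. A comment such as `/* aux requests always hold a single page */` next to the `dec_node_page_state()` call would make the assumption explicit. The reworded comment refers to `rb_erase()`, which does not appear in the hunk, so it is worth confirming where that happens relative to `spin_unlock(&fi->lock)`. The enclosing function starts and ends outside the hunk.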
diff --git a/queue-6.10/fuse-use-unsigned-type-for-getxattr-listxattr-size-truncation.patch b/queue-6.10/fuse-use-unsigned-type-for-getxattr-listxattr-size-truncation.patch
new file mode 100644 (file)
index 0000000..5e17e9c
--- /dev/null
@@ -0,0 +1,68 @@
+From b18915248a15eae7d901262f108d6ff0ffb4ffc1 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Mon, 19 Aug 2024 19:52:30 +0200
+Subject: fuse: use unsigned type for getxattr/listxattr size truncation
+
+From: Jann Horn <jannh@google.com>
+
+commit b18915248a15eae7d901262f108d6ff0ffb4ffc1 upstream.
+
+The existing code uses min_t(ssize_t, outarg.size, XATTR_LIST_MAX) when
+parsing the FUSE daemon's response to a zero-length getxattr/listxattr
+request.
+On 32-bit kernels, where ssize_t and outarg.size are the same size, this is
+wrong: The min_t() will pass through any size values that are negative when
+interpreted as signed.
+fuse_listxattr() will then return this userspace-supplied negative value,
+which callers will treat as an error value.
+
+This kind of bug pattern can lead to fairly bad security bugs because of
+how error codes are used in the Linux kernel. If a caller were to convert
+the numeric error into an error pointer, like so:
+
+    struct foo *func(...) {
+      int len = fuse_getxattr(..., NULL, 0);
+      if (len < 0)
+        return ERR_PTR(len);
+      ...
+    }
+
+then it would end up returning this userspace-supplied negative value cast
+to a pointer - but the caller of this function wouldn't recognize it as an
+error pointer (IS_ERR_VALUE() only detects values in the narrow range in
+which legitimate errno values are), and so it would just be treated as a
+kernel pointer.
+
+I think there is at least one theoretical codepath where this could happen,
+but that path would involve virtio-fs with submounts plus some weird
+SELinux configuration, so I think it's probably not a concern in practice.
+
+Cc: stable@vger.kernel.org # v4.9
+Fixes: 63401ccdb2ca ("fuse: limit xattr returned size")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fuse/xattr.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/fuse/xattr.c
++++ b/fs/fuse/xattr.c
+@@ -81,7 +81,7 @@ ssize_t fuse_getxattr(struct inode *inod
+       }
+       ret = fuse_simple_request(fm, &args);
+       if (!ret && !size)
+-              ret = min_t(ssize_t, outarg.size, XATTR_SIZE_MAX);
++              ret = min_t(size_t, outarg.size, XATTR_SIZE_MAX);
+       if (ret == -ENOSYS) {
+               fm->fc->no_getxattr = 1;
+               ret = -EOPNOTSUPP;
+@@ -143,7 +143,7 @@ ssize_t fuse_listxattr(struct dentry *en
+       }
+       ret = fuse_simple_request(fm, &args);
+       if (!ret && !size)
+-              ret = min_t(ssize_t, outarg.size, XATTR_LIST_MAX);
++              ret = min_t(size_t, outarg.size, XATTR_LIST_MAX);
+       if (ret > 0 && size)
+               ret = fuse_verify_xattr_list(list, ret);
+       if (ret == -ENOSYS) {
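Review bot: Nothing in `fuse_getxattr()` or `fuse_listxattr()` records why the clamp has to be done in an unsigned type, so a later cleanup could switch `min_t(size_t, ...)` back to `ssize_t` and reintroduce the problem described in the commit message. `outarg.size` is supplied by the FUSE daemon, and the clamped result lands in `ret`, which the following lines compare against `-ENOSYS`. I would add above both lines `/* size_t, not ssize_t: outarg.size is daemon-controlled and must never be read as negative */`. Both functions continue beyond the hunks, so the non-zero `size` path is not covered by this note.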
diff --git a/queue-6.10/mmc-core-apply-sd-quirks-earlier-during-probe.patch b/queue-6.10/mmc-core-apply-sd-quirks-earlier-during-probe.patch
new file mode 100644 (file)
index 0000000..eeb4031
--- /dev/null
@@ -0,0 +1,92 @@
+From 469e5e4713989fdd5e3e502b922e7be0da2464b9 Mon Sep 17 00:00:00 2001
+From: Jonathan Bell <jonathan@raspberrypi.com>
+Date: Wed, 21 Aug 2024 08:06:31 +0900
+Subject: mmc: core: apply SD quirks earlier during probe
+
+From: Jonathan Bell <jonathan@raspberrypi.com>
+
+commit 469e5e4713989fdd5e3e502b922e7be0da2464b9 upstream.
+
+Applying MMC_QUIRK_BROKEN_SD_CACHE is broken, as the card's SD quirks are
+referenced in sd_parse_ext_reg_perf() prior to the quirks being initialized
+in mmc_blk_probe().
+
+To fix this problem, let's split out an SD-specific list of quirks and
+apply in mmc_sd_init_card() instead. In this way, sd_read_ext_regs() to has
+the available information for not assigning the SD_EXT_PERF_CACHE as one of
+the (un)supported features, which in turn allows mmc_sd_init_card() to
+properly skip execution of sd_enable_cache().
+
+Fixes: c467c8f08185 ("mmc: Add MMC_QUIRK_BROKEN_SD_CACHE for Kingston Canvas Go Plus from 11/2019")
+Signed-off-by: Jonathan Bell <jonathan@raspberrypi.com>
+Co-developed-by: Keita Aihara <keita.aihara@sony.com>
+Signed-off-by: Keita Aihara <keita.aihara@sony.com>
+Reviewed-by: Dragan Simic <dsimic@manjaro.org>
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240820230631.GA436523@sony.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/quirks.h |   22 +++++++++++++---------
+ drivers/mmc/core/sd.c     |    4 ++++
+ 2 files changed, 17 insertions(+), 9 deletions(-)
+
+--- a/drivers/mmc/core/quirks.h
++++ b/drivers/mmc/core/quirks.h
+@@ -15,6 +15,19 @@
+ #include "card.h"
++static const struct mmc_fixup __maybe_unused mmc_sd_fixups[] = {
++      /*
++       * Kingston Canvas Go! Plus microSD cards never finish SD cache flush.
++       * This has so far only been observed on cards from 11/2019, while new
++       * cards from 2023/05 do not exhibit this behavior.
++       */
++      _FIXUP_EXT("SD64G", CID_MANFID_KINGSTON_SD, 0x5449, 2019, 11,
++                 0, -1ull, SDIO_ANY_ID, SDIO_ANY_ID, add_quirk_sd,
++                 MMC_QUIRK_BROKEN_SD_CACHE, EXT_CSD_REV_ANY),
++
++      END_FIXUP
++};
++
+ static const struct mmc_fixup __maybe_unused mmc_blk_fixups[] = {
+ #define INAND_CMD38_ARG_EXT_CSD  113
+ #define INAND_CMD38_ARG_ERASE    0x00
+@@ -54,15 +67,6 @@ static const struct mmc_fixup __maybe_un
+                 MMC_QUIRK_BLK_NO_CMD23),
+       /*
+-       * Kingston Canvas Go! Plus microSD cards never finish SD cache flush.
+-       * This has so far only been observed on cards from 11/2019, while new
+-       * cards from 2023/05 do not exhibit this behavior.
+-       */
+-      _FIXUP_EXT("SD64G", CID_MANFID_KINGSTON_SD, 0x5449, 2019, 11,
+-                 0, -1ull, SDIO_ANY_ID, SDIO_ANY_ID, add_quirk_sd,
+-                 MMC_QUIRK_BROKEN_SD_CACHE, EXT_CSD_REV_ANY),
+-
+-      /*
+        * Some SD cards lockup while using CMD23 multiblock transfers.
+        */
+       MMC_FIXUP("AF SD", CID_MANFID_ATP, CID_OEMID_ANY, add_quirk_sd,
+--- a/drivers/mmc/core/sd.c
++++ b/drivers/mmc/core/sd.c
+@@ -26,6 +26,7 @@
+ #include "host.h"
+ #include "bus.h"
+ #include "mmc_ops.h"
++#include "quirks.h"
+ #include "sd.h"
+ #include "sd_ops.h"
+@@ -1475,6 +1476,9 @@ retry:
+                       goto free_card;
+       }
++      /* Apply quirks prior to card setup */
++      mmc_fixup_device(card, mmc_sd_fixups);
++
+       err = mmc_sd_setup_card(host, card, oldcard != NULL);
+       if (err)
+               goto free_card;
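Review bot: The comment `/* Apply quirks prior to card setup */` in sd.c says what is done but not why the position matters. Going by the commit message, the extension-register parsing consults `MMC_QUIRK_BROKEN_SD_CACHE`, so I would write `/* Apply SD quirks before setup so the later ext register parsing already sees MMC_QUIRK_BROKEN_SD_CACHE */`. The call also sits on a path that the next line shows is taken with `oldcard != NULL`, so the fixups are presumably re-applied on re-initialisation. That is harmless if `add_quirk_sd` only sets bits, which is not visible here. The function starts and ends outside the hunk.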
diff --git a/queue-6.10/mmc-cqhci-fix-checking-of-cqhci_halt-state.patch b/queue-6.10/mmc-cqhci-fix-checking-of-cqhci_halt-state.patch
new file mode 100644 (file)
index 0000000..b78b223
--- /dev/null
@@ -0,0 +1,35 @@
+From aea62c744a9ae2a8247c54ec42138405216414da Mon Sep 17 00:00:00 2001
+From: Seunghwan Baek <sh8267.baek@samsung.com>
+Date: Thu, 29 Aug 2024 15:18:22 +0900
+Subject: mmc: cqhci: Fix checking of CQHCI_HALT state
+
+From: Seunghwan Baek <sh8267.baek@samsung.com>
+
+commit aea62c744a9ae2a8247c54ec42138405216414da upstream.
+
+To check if mmc cqe is in halt state, need to check set/clear of CQHCI_HALT
+bit. At this time, we need to check with &, not &&.
+
+Fixes: a4080225f51d ("mmc: cqhci: support for command queue enabled host")
+Cc: stable@vger.kernel.org
+Signed-off-by: Seunghwan Baek <sh8267.baek@samsung.com>
+Reviewed-by: Ritesh Harjani <ritesh.list@gmail.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/20240829061823.3718-2-sh8267.baek@samsung.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/cqhci-core.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/cqhci-core.c
++++ b/drivers/mmc/host/cqhci-core.c
+@@ -617,7 +617,7 @@ static int cqhci_request(struct mmc_host
+               cqhci_writel(cq_host, 0, CQHCI_CTL);
+               mmc->cqe_on = true;
+               pr_debug("%s: cqhci: CQE on\n", mmc_hostname(mmc));
+-              if (cqhci_readl(cq_host, CQHCI_CTL) && CQHCI_HALT) {
++              if (cqhci_readl(cq_host, CQHCI_CTL) & CQHCI_HALT) {
+                       pr_err("%s: cqhci: CQE failed to exit halt state\n",
+                              mmc_hostname(mmc));
+               }
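Review bot: In cqhci_request(), a CQE that is still halted is only logged with pr_err(), and `mmc->cqe_on = true` has already been set two lines above the check. Now that the test uses `&` it reports a real condition, so this branch deserves an explicit decision. If the request is queued anyway (the rest of the function is outside the hunk, so this is inferred), the failure will surface later as a timeout rather than here. If that is intended, a comment such as `/* best effort: a CQE still in halt is reported but the request is issued anyway */` above the check would record it; otherwise the branch could undo `mmc->cqe_on` and return an error.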
diff --git a/queue-6.10/mmc-dw_mmc-fix-idmac-operation-with-pages-bigger-than-4k.patch b/queue-6.10/mmc-dw_mmc-fix-idmac-operation-with-pages-bigger-than-4k.patch
new file mode 100644 (file)
index 0000000..b644f20
--- /dev/null
@@ -0,0 +1,96 @@
+From 8396c793ffdf28bb8aee7cfe0891080f8cab7890 Mon Sep 17 00:00:00 2001
+From: Sam Protsenko <semen.protsenko@linaro.org>
+Date: Wed, 6 Mar 2024 17:20:52 -0600
+Subject: mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K
+
+From: Sam Protsenko <semen.protsenko@linaro.org>
+
+commit 8396c793ffdf28bb8aee7cfe0891080f8cab7890 upstream.
+
+Commit 616f87661792 ("mmc: pass queue_limits to blk_mq_alloc_disk") [1]
+revealed the long living issue in dw_mmc.c driver, existing since the
+time when it was first introduced in commit f95f3850f7a9 ("mmc: dw_mmc:
+Add Synopsys DesignWare mmc host driver."), also making kernel boot
+broken on platforms using dw_mmc driver with 16K or 64K pages enabled,
+with this message in dmesg:
+
+    mmcblk: probe of mmc0:0001 failed with error -22
+
+That's happening because mmc_blk_probe() fails when it calls
+blk_validate_limits() consequently, which returns the error due to
+failed max_segment_size check in this code:
+
+    /*
+     * The maximum segment size has an odd historic 64k default that
+     * drivers probably should override.  Just like the I/O size we
+     * require drivers to at least handle a full page per segment.
+     */
+    ...
+    if (WARN_ON_ONCE(lim->max_segment_size < PAGE_SIZE))
+        return -EINVAL;
+
+In case when IDMAC (Internal DMA Controller) is used, dw_mmc.c always
+sets .max_seg_size to 4 KiB:
+
+    mmc->max_seg_size = 0x1000;
+
+The comment in the code above explains why it's incorrect. Arnd
+suggested setting .max_seg_size to .max_req_size to fix it, which is
+also what some other drivers are doing:
+
+   $ grep -rl 'max_seg_size.*=.*max_req_size' drivers/mmc/host/ | \
+     wc -l
+   18
+
+This change is not only fixing the boot with 16K/64K pages, but also
+leads to a better MMC performance. The linear write performance was
+tested on E850-96 board (eMMC only), before commit [1] (where it's
+possible to boot with 16K/64K pages without this fix, to be able to do
+a comparison). It was tested with this command:
+
+    # dd if=/dev/zero of=somefile bs=1M count=500 oflag=sync
+
+Test results are as follows:
+
+  - 4K pages,  .max_seg_size = 4 KiB:                   94.2 MB/s
+  - 4K pages,  .max_seg_size = .max_req_size = 512 KiB: 96.9 MB/s
+  - 16K pages, .max_seg_size = 4 KiB:                   126 MB/s
+  - 16K pages, .max_seg_size = .max_req_size = 2 MiB:   128 MB/s
+  - 64K pages, .max_seg_size = 4 KiB:                   138 MB/s
+  - 64K pages, .max_seg_size = .max_req_size = 8 MiB:   138 MB/s
+
+Unfortunately, SD card controller is not enabled in E850-96 yet, so it
+wasn't possible for me to run the test on some cheap SD cards to check
+this patch's impact on those. But it's possible that this change might
+also reduce the writes count, thus improving SD/eMMC longevity.
+
+All credit for the analysis and the suggested solution goes to Arnd.
+
+[1] https://lore.kernel.org/all/20240215070300.2200308-18-hch@lst.de/
+
+Fixes: f95f3850f7a9 ("mmc: dw_mmc: Add Synopsys DesignWare mmc host driver.")
+Suggested-by: Arnd Bergmann <arnd@arndb.de>
+Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
+Closes: https://lore.kernel.org/all/CA+G9fYtddf2Fd3be+YShHP6CmSDNcn0ptW8qg+stUKW+Cn0rjQ@mail.gmail.com/
+Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240306232052.21317-1-semen.protsenko@linaro.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/dw_mmc.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mmc/host/dw_mmc.c
++++ b/drivers/mmc/host/dw_mmc.c
+@@ -2951,8 +2951,8 @@ static int dw_mci_init_slot(struct dw_mc
+       if (host->use_dma == TRANS_MODE_IDMAC) {
+               mmc->max_segs = host->ring_size;
+               mmc->max_blk_size = 65535;
+-              mmc->max_seg_size = 0x1000;
+-              mmc->max_req_size = mmc->max_seg_size * host->ring_size;
++              mmc->max_req_size = DW_MCI_DESC_DATA_LENGTH * host->ring_size;
++              mmc->max_seg_size = mmc->max_req_size;
+               mmc->max_blk_count = mmc->max_req_size / 512;
+       } else if (host->use_dma == TRANS_MODE_EDMAC) {
+               mmc->max_segs = 64;
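Review bot: Setting `mmc->max_seg_size = mmc->max_req_size` in dw_mci_init_slot() means one scatterlist segment can now need several IDMAC descriptors, while `mmc->max_segs` is still `host->ring_size`. A request built from many segments that are each slightly larger than DW_MCI_DESC_DATA_LENGTH could then need more descriptors than the ring holds, even though its total size stays within max_req_size. The descriptor-building code is outside this hunk, so whether it bounds the descriptor count is not visible here and should be confirmed. A comment above the two assignments, for example `/* a segment may span several descriptors; descriptor setup must split it and stay within ring_size */`, would make that dependency explicit.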
diff --git a/queue-6.10/mmc-sdhci-of-aspeed-fix-module-autoloading.patch b/queue-6.10/mmc-sdhci-of-aspeed-fix-module-autoloading.patch
new file mode 100644 (file)
index 0000000..9bee3bf
--- /dev/null
@@ -0,0 +1,33 @@
+From 6e540da4c1db7b840e347c4dfe48359b18b7e376 Mon Sep 17 00:00:00 2001
+From: Liao Chen <liaochen4@huawei.com>
+Date: Mon, 26 Aug 2024 12:48:51 +0000
+Subject: mmc: sdhci-of-aspeed: fix module autoloading
+
+From: Liao Chen <liaochen4@huawei.com>
+
+commit 6e540da4c1db7b840e347c4dfe48359b18b7e376 upstream.
+
+Add MODULE_DEVICE_TABLE(), so modules could be properly autoloaded
+based on the alias from of_device_id table.
+
+Signed-off-by: Liao Chen <liaochen4@huawei.com>
+Acked-by: Andrew Jeffery <andrew@codeconstruct.com.au>
+Fixes: bb7b8ec62dfb ("mmc: sdhci-of-aspeed: Add support for the ASPEED SD controller")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240826124851.379759-1-liaochen4@huawei.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-of-aspeed.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mmc/host/sdhci-of-aspeed.c
++++ b/drivers/mmc/host/sdhci-of-aspeed.c
+@@ -510,6 +510,7 @@ static const struct of_device_id aspeed_
+       { .compatible = "aspeed,ast2600-sdhci", .data = &ast2600_sdhci_pdata, },
+       { }
+ };
++MODULE_DEVICE_TABLE(of, aspeed_sdhci_of_match);
+ static struct platform_driver aspeed_sdhci_driver = {
+       .driver         = {
diff --git a/queue-6.10/parisc-delay-write-protection-until-mark_rodata_ro-call.patch b/queue-6.10/parisc-delay-write-protection-until-mark_rodata_ro-call.patch
new file mode 100644 (file)
index 0000000..335dac4
--- /dev/null
@@ -0,0 +1,66 @@
+From 213aa670153ed675a007c1f35c5db544b0fefc94 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sat, 31 Aug 2024 14:02:06 +0200
+Subject: parisc: Delay write-protection until mark_rodata_ro() call
+
+From: Helge Deller <deller@gmx.de>
+
+commit 213aa670153ed675a007c1f35c5db544b0fefc94 upstream.
+
+Do not write-protect the kernel read-only and __ro_after_init sections
+earlier than before mark_rodata_ro() is called.  This fixes a boot issue on
+parisc which is triggered by commit 91a1d97ef482 ("jump_label,module: Don't
+alloc static_key_mod for __ro_after_init keys"). That commit may modify
+static key contents in the __ro_after_init section at bootup, so this
+section needs to be writable at least until mark_rodata_ro() is called.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Reported-by: matoro <matoro_mailinglist_kernel@matoro.tk>
+Reported-by: Christoph Biedl <linux-kernel.bfrz@manchmal.in-ulm.de>
+Tested-by: Christoph Biedl <linux-kernel.bfrz@manchmal.in-ulm.de>
+Link: https://lore.kernel.org/linux-parisc/096cad5aada514255cd7b0b9dbafc768@matoro.tk/#r
+Fixes: 91a1d97ef482 ("jump_label,module: Don't alloc static_key_mod for __ro_after_init keys")
+Cc: stable@vger.kernel.org # v6.10+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/mm/init.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/arch/parisc/mm/init.c b/arch/parisc/mm/init.c
+index 34d91cb8b259..96970fa75e4a 100644
+--- a/arch/parisc/mm/init.c
++++ b/arch/parisc/mm/init.c
+@@ -459,7 +459,6 @@ void free_initmem(void)
+       unsigned long kernel_end  = (unsigned long)&_end;
+       /* Remap kernel text and data, but do not touch init section yet. */
+-      kernel_set_to_readonly = true;
+       map_pages(init_end, __pa(init_end), kernel_end - init_end,
+                 PAGE_KERNEL, 0);
+@@ -493,11 +492,18 @@ void free_initmem(void)
+ #ifdef CONFIG_STRICT_KERNEL_RWX
+ void mark_rodata_ro(void)
+ {
+-      /* rodata memory was already mapped with KERNEL_RO access rights by
+-           pagetable_init() and map_pages(). No need to do additional stuff here */
+-      unsigned long roai_size = __end_ro_after_init - __start_ro_after_init;
++      unsigned long start = (unsigned long) &__start_rodata;
++      unsigned long end = (unsigned long) &__end_rodata;
+-      pr_info("Write protected read-only-after-init data: %luk\n", roai_size >> 10);
++      pr_info("Write protecting the kernel read-only data: %luk\n",
++             (end - start) >> 10);
++
++      kernel_set_to_readonly = true;
++      map_pages(start, __pa(start), end - start, PAGE_KERNEL, 0);
++
++      /* force the kernel to see the new page table entries */
++      flush_cache_all();
++      flush_tlb_all();
+ }
+ #endif
+-- 
+2.46.0
+
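Review bot: The only visible assignment of `kernel_set_to_readonly = true` is now inside `#ifdef CONFIG_STRICT_KERNEL_RWX` in mark_rodata_ro(), so a build without that option would never set the flag and the kernel's read-only data would stay writable after boot. Whether parisc allows that option to be disabled, and whether other code sets the flag, is not visible in these hunks and should be confirmed. The `PAGE_KERNEL` argument to map_pages() also reads as if the range were being mapped writable. A comment above the call, such as `/* map_pages() applies read-only protections to this range once kernel_set_to_readonly is set */`, would help, assuming that is how map_pages() behaves. free_initmem() continues outside its hunk.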
diff --git a/queue-6.10/riscv-misaligned-restrict-user-access-to-kernel-memory.patch b/queue-6.10/riscv-misaligned-restrict-user-access-to-kernel-memory.patch
new file mode 100644 (file)
index 0000000..e11b1ac
--- /dev/null
@@ -0,0 +1,49 @@
+From b686ecdeacf6658e1348c1a32a08e2e72f7c0f00 Mon Sep 17 00:00:00 2001
+From: Samuel Holland <samuel.holland@sifive.com>
+Date: Wed, 14 Aug 2024 17:57:03 -0700
+Subject: riscv: misaligned: Restrict user access to kernel memory
+
+From: Samuel Holland <samuel.holland@sifive.com>
+
+commit b686ecdeacf6658e1348c1a32a08e2e72f7c0f00 upstream.
+
+raw_copy_{to,from}_user() do not call access_ok(), so this code allowed
+userspace to access any virtual memory address.
+
+Cc: stable@vger.kernel.org
+Fixes: 7c83232161f6 ("riscv: add support for misaligned trap handling in S-mode")
+Fixes: 441381506ba7 ("riscv: misaligned: remove CONFIG_RISCV_M_MODE specific code")
+Signed-off-by: Samuel Holland <samuel.holland@sifive.com>
+Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Link: https://lore.kernel.org/r/20240815005714.1163136-1-samuel.holland@sifive.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/kernel/traps_misaligned.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/riscv/kernel/traps_misaligned.c b/arch/riscv/kernel/traps_misaligned.c
+index 192cd5603e95..d4fd8af7aaf5 100644
+--- a/arch/riscv/kernel/traps_misaligned.c
++++ b/arch/riscv/kernel/traps_misaligned.c
+@@ -417,7 +417,7 @@ int handle_misaligned_load(struct pt_regs *regs)
+       val.data_u64 = 0;
+       if (user_mode(regs)) {
+-              if (raw_copy_from_user(&val, (u8 __user *)addr, len))
++              if (copy_from_user(&val, (u8 __user *)addr, len))
+                       return -1;
+       } else {
+               memcpy(&val, (u8 *)addr, len);
+@@ -515,7 +515,7 @@ int handle_misaligned_store(struct pt_regs *regs)
+               return -EOPNOTSUPP;
+       if (user_mode(regs)) {
+-              if (raw_copy_to_user((u8 __user *)addr, &val, len))
++              if (copy_to_user((u8 __user *)addr, &val, len))
+                       return -1;
+       } else {
+               memcpy((u8 *)addr, &val, len);
+-- 
+2.46.0
+
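Review bot: `copy_from_user()` in handle_misaligned_load() and `copy_to_user()` in handle_misaligned_store() expect a context in which a user page fault can be handled and the task may sleep, and the hunks do not show whether the misaligned-trap path provides that when `user_mode(regs)` is true. It is worth confirming that interrupts are enabled on this path before the copy, since the raw_ variants did not carry that expectation. A short comment on each call, for example `/* addr comes from the trapping user instruction: must pass access_ok() */`, would also keep the raw_ helpers from being reintroduced later. Both functions continue outside the hunks.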
diff --git a/queue-6.10/selftests-mm-fix-build-errors-on-armhf.patch b/queue-6.10/selftests-mm-fix-build-errors-on-armhf.patch
new file mode 100644 (file)
index 0000000..6062d04
--- /dev/null
@@ -0,0 +1,184 @@
+From b808f629215685c1941b1cd567c7b7ccb3c90278 Mon Sep 17 00:00:00 2001
+From: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Date: Fri, 9 Aug 2024 13:25:11 +0500
+Subject: selftests: mm: fix build errors on armhf
+
+From: Muhammad Usama Anjum <usama.anjum@collabora.com>
+
+commit b808f629215685c1941b1cd567c7b7ccb3c90278 upstream.
+
+The __NR_mmap isn't found on armhf.  The mmap() is commonly available
+system call and its wrapper is present on all architectures.  So it should
+be used directly.  It solves problem for armhf and doesn't create problem
+for other architectures.
+
+Remove sys_mmap() functions as they aren't doing anything else other than
+calling mmap().  There is no need to set errno = 0 manually as glibc
+always resets it.
+
+For reference errors are as following:
+
+  CC       seal_elf
+seal_elf.c: In function 'sys_mmap':
+seal_elf.c:39:33: error: '__NR_mmap' undeclared (first use in this function)
+   39 |         sret = (void *) syscall(__NR_mmap, addr, len, prot,
+      |                                 ^~~~~~~~~
+
+mseal_test.c: In function 'sys_mmap':
+mseal_test.c:90:33: error: '__NR_mmap' undeclared (first use in this function)
+   90 |         sret = (void *) syscall(__NR_mmap, addr, len, prot,
+      |                                 ^~~~~~~~~
+
+Link: https://lkml.kernel.org/r/20240809082511.497266-1-usama.anjum@collabora.com
+Fixes: 4926c7a52de7 ("selftest mm/mseal memory sealing")
+Signed-off-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Cc: Jeff Xu <jeffxu@chromium.org>
+Cc: Kees Cook <kees@kernel.org>
+Cc: Liam R. Howlett <Liam.Howlett@oracle.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/mm/mseal_test.c |   37 +++++++++++---------------------
+ tools/testing/selftests/mm/seal_elf.c   |   13 -----------
+ 2 files changed, 14 insertions(+), 36 deletions(-)
+
+--- a/tools/testing/selftests/mm/mseal_test.c
++++ b/tools/testing/selftests/mm/mseal_test.c
+@@ -128,17 +128,6 @@ static int sys_mprotect_pkey(void *ptr,
+       return sret;
+ }
+-static void *sys_mmap(void *addr, unsigned long len, unsigned long prot,
+-      unsigned long flags, unsigned long fd, unsigned long offset)
+-{
+-      void *sret;
+-
+-      errno = 0;
+-      sret = (void *) syscall(__NR_mmap, addr, len, prot,
+-              flags, fd, offset);
+-      return sret;
+-}
+-
+ static int sys_munmap(void *ptr, size_t size)
+ {
+       int sret;
+@@ -219,7 +208,7 @@ static void setup_single_address(int siz
+ {
+       void *ptr;
+-      ptr = sys_mmap(NULL, size, PROT_READ, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
++      ptr = mmap(NULL, size, PROT_READ, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
+       *ptrOut = ptr;
+ }
+@@ -228,7 +217,7 @@ static void setup_single_address_rw(int
+       void *ptr;
+       unsigned long mapflags = MAP_ANONYMOUS | MAP_PRIVATE;
+-      ptr = sys_mmap(NULL, size, PROT_READ | PROT_WRITE, mapflags, -1, 0);
++      ptr = mmap(NULL, size, PROT_READ | PROT_WRITE, mapflags, -1, 0);
+       *ptrOut = ptr;
+ }
+@@ -252,7 +241,7 @@ bool seal_support(void)
+       void *ptr;
+       unsigned long page_size = getpagesize();
+-      ptr = sys_mmap(NULL, page_size, PROT_READ, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
++      ptr = mmap(NULL, page_size, PROT_READ, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
+       if (ptr == (void *) -1)
+               return false;
+@@ -528,8 +517,8 @@ static void test_seal_zero_address(void)
+       int prot;
+       /* use mmap to change protection. */
+-      ptr = sys_mmap(0, size, PROT_NONE,
+-                      MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
++      ptr = mmap(0, size, PROT_NONE,
++                 MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
+       FAIL_TEST_IF_FALSE(ptr == 0);
+       size = get_vma_size(ptr, &prot);
+@@ -1256,8 +1245,8 @@ static void test_seal_mmap_overwrite_pro
+       }
+       /* use mmap to change protection. */
+-      ret2 = sys_mmap(ptr, size, PROT_NONE,
+-                      MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
++      ret2 = mmap(ptr, size, PROT_NONE,
++                  MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
+       if (seal) {
+               FAIL_TEST_IF_FALSE(ret2 == MAP_FAILED);
+               FAIL_TEST_IF_FALSE(errno == EPERM);
+@@ -1287,8 +1276,8 @@ static void test_seal_mmap_expand(bool s
+       }
+       /* use mmap to expand. */
+-      ret2 = sys_mmap(ptr, size, PROT_READ,
+-                      MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
++      ret2 = mmap(ptr, size, PROT_READ,
++                  MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
+       if (seal) {
+               FAIL_TEST_IF_FALSE(ret2 == MAP_FAILED);
+               FAIL_TEST_IF_FALSE(errno == EPERM);
+@@ -1315,8 +1304,8 @@ static void test_seal_mmap_shrink(bool s
+       }
+       /* use mmap to shrink. */
+-      ret2 = sys_mmap(ptr, 8 * page_size, PROT_READ,
+-                      MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
++      ret2 = mmap(ptr, 8 * page_size, PROT_READ,
++                  MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
+       if (seal) {
+               FAIL_TEST_IF_FALSE(ret2 == MAP_FAILED);
+               FAIL_TEST_IF_FALSE(errno == EPERM);
+@@ -1697,7 +1686,7 @@ static void test_seal_discard_ro_anon_on
+       ret = fallocate(fd, 0, 0, size);
+       FAIL_TEST_IF_FALSE(!ret);
+-      ptr = sys_mmap(NULL, size, PROT_READ, mapflags, fd, 0);
++      ptr = mmap(NULL, size, PROT_READ, mapflags, fd, 0);
+       FAIL_TEST_IF_FALSE(ptr != MAP_FAILED);
+       if (seal) {
+@@ -1727,7 +1716,7 @@ static void test_seal_discard_ro_anon_on
+       int ret;
+       unsigned long mapflags = MAP_ANONYMOUS | MAP_SHARED;
+-      ptr = sys_mmap(NULL, size, PROT_READ, mapflags, -1, 0);
++      ptr = mmap(NULL, size, PROT_READ, mapflags, -1, 0);
+       FAIL_TEST_IF_FALSE(ptr != (void *)-1);
+       if (seal) {
+--- a/tools/testing/selftests/mm/seal_elf.c
++++ b/tools/testing/selftests/mm/seal_elf.c
+@@ -61,17 +61,6 @@ static int sys_mseal(void *start, size_t
+       return sret;
+ }
+-static void *sys_mmap(void *addr, unsigned long len, unsigned long prot,
+-      unsigned long flags, unsigned long fd, unsigned long offset)
+-{
+-      void *sret;
+-
+-      errno = 0;
+-      sret = (void *) syscall(__NR_mmap, addr, len, prot,
+-              flags, fd, offset);
+-      return sret;
+-}
+-
+ static inline int sys_mprotect(void *ptr, size_t size, unsigned long prot)
+ {
+       int sret;
+@@ -87,7 +76,7 @@ static bool seal_support(void)
+       void *ptr;
+       unsigned long page_size = getpagesize();
+-      ptr = sys_mmap(NULL, page_size, PROT_READ, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
++      ptr = mmap(NULL, page_size, PROT_READ, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
+       if (ptr == (void *) -1)
+               return false;
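Review bot: The mmap() failure checks are spelled inconsistently: seal_support() in both mseal_test.c and seal_elf.c, and the anonymous shared-mapping discard test in the last mseal_test.c hunk, still compare against `(void *) -1`, while the other converted call sites use `MAP_FAILED`. Now that the libc wrapper is called directly, `if (ptr == MAP_FAILED)` and `FAIL_TEST_IF_FALSE(ptr != MAP_FAILED);` would be the matching spellings. Separately, with the `errno = 0` reset removed, errno is only meaningful after a failed call. The visible `errno == EPERM` checks all follow a `ret2 == MAP_FAILED` check, so they remain sound, but any errno test placed after a successful mmap() would read a stale value.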
index c38bda9c9975c06bd1a63eda7051fc35e85e34ee..c3f5f667dee1519bd0c9006bddfc0d40f379bfae 100644 (file)
@@ -28,3 +28,18 @@ irqchip-riscv-aplic-fix-an-is_err-vs-null-bug-in-probe.patch
 nvme-pci-add-sleep-quirk-for-samsung-990-evo.patch
 rust-macros-provide-correct-provenance-when-constructing-this_module.patch
 revert-bluetooth-mgmt-smp-fix-address-type-when-using-smp-over-bredr-le.patch
+bluetooth-mgmt-ignore-keys-being-loaded-with-invalid-type.patch
+selftests-mm-fix-build-errors-on-armhf.patch
+mmc-core-apply-sd-quirks-earlier-during-probe.patch
+mmc-dw_mmc-fix-idmac-operation-with-pages-bigger-than-4k.patch
+mmc-sdhci-of-aspeed-fix-module-autoloading.patch
+mmc-cqhci-fix-checking-of-cqhci_halt-state.patch
+fuse-update-stats-for-pages-in-dropped-aux-writeback-list.patch
+fuse-disable-the-combination-of-passthrough-and-writeback-cache.patch
+fuse-check-aborted-connection-before-adding-requests-to-pending-list-for-resending.patch
+fuse-use-unsigned-type-for-getxattr-listxattr-size-truncation.patch
+fuse-fix-memory-leak-in-fuse_create_open.patch
+fuse-clear-pg_uptodate-when-using-a-stolen-page.patch
+asoc-intel-boards-fix-null-pointer-deref-in-byt-cht-boards-harder.patch
+riscv-misaligned-restrict-user-access-to-kernel-memory.patch
+parisc-delay-write-protection-until-mark_rodata_ro-call.patch