--- /dev/null
+From 7eebc18149135d59d46c417c86849b0f323d93f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jul 2024 01:53:39 +0300
+Subject: ACPI: PMIC: Remove unneeded check in tps68470_pmic_opregion_probe()
+
+From: Aleksandr Mishin <amishin@t-argos.ru>
+
+[ Upstream commit 07442c46abad1d50ac82af5e0f9c5de2732c4592 ]
+
+In tps68470_pmic_opregion_probe() pointer 'dev' is compared to NULL which
+is useless.
+
+Fix this issue by removing unneeded check.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: e13452ac3790 ("ACPI / PMIC: Add TI PMIC TPS68470 operation region driver")
+Suggested-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
+Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://patch.msgid.link/20240730225339.13165-1-amishin@t-argos.ru
+[ rjw: Subject edit ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/pmic/tps68470_pmic.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/acpi/pmic/tps68470_pmic.c b/drivers/acpi/pmic/tps68470_pmic.c
+index a083de507009e..fde8a1271c9b6 100644
+--- a/drivers/acpi/pmic/tps68470_pmic.c
++++ b/drivers/acpi/pmic/tps68470_pmic.c
+@@ -376,10 +376,8 @@ static int tps68470_pmic_opregion_probe(struct platform_device *pdev)
+ struct tps68470_pmic_opregion *opregion;
+ acpi_status status;
+
+- if (!dev || !tps68470_regmap) {
+- dev_warn(dev, "dev or regmap is NULL\n");
+- return -EINVAL;
+- }
++ if (!tps68470_regmap)
++ return dev_err_probe(dev, -EINVAL, "regmap is missing\n");
+
+ if (!handle) {
+ dev_warn(dev, "acpi handle is NULL\n");
+--
+2.43.0
+
--- /dev/null
+From e20d7dd052cf6eba3db36562616c1a5862046ec6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2024 07:49:33 +0200
+Subject: ARM: versatile: fix OF node leak in CPUs prepare
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit f2642d97f2105ed17b2ece0c597450f2ff95d704 ]
+
+Machine code is leaking OF node reference from of_find_matching_node()
+in realview_smp_prepare_cpus().
+
+Fixes: 5420b4b15617 ("ARM: realview: add an DT SMP boot method")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Acked-by: Liviu Dudau <liviu.dudau@arm.com>
+Link: https://lore.kernel.org/20240826054934.10724-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/mach-realview/platsmp-dt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/mach-realview/platsmp-dt.c b/arch/arm/mach-realview/platsmp-dt.c
+index c242423bf8db5..66d6b11eda7bd 100644
+--- a/arch/arm/mach-realview/platsmp-dt.c
++++ b/arch/arm/mach-realview/platsmp-dt.c
+@@ -70,6 +70,7 @@ static void __init realview_smp_prepare_cpus(unsigned int max_cpus)
+ return;
+ }
+ map = syscon_node_to_regmap(np);
++ of_node_put(np);
+ if (IS_ERR(map)) {
+ pr_err("PLATSMP: No syscon regmap\n");
+ return;
+--
+2.43.0
+
--- /dev/null
+From dfeaff9dc45d96e758ed7780fc616cc29246b442 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Sep 2024 21:03:27 +0800
+Subject: block, bfq: choose the last bfqq from merge chain in
+ bfq_setup_cooperator()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 0e456dba86c7f9a19792204a044835f1ca2c8dbb ]
+
+Consider the following merge chain:
+
+Process 1 Process 2 Process 3 Process 4
+ (BIC1) (BIC2) (BIC3) (BIC4)
+ Λ | | |
+ \--------------\ \-------------\ \-------------\|
+ V V V
+ bfqq1--------->bfqq2---------->bfqq3----------->bfqq4
+
+IO from Process 1 will get bfqf2 from BIC1 first, then
+bfq_setup_cooperator() will found bfqq2 already merged to bfqq3 and then
+handle this IO from bfqq3. However, the merge chain can be much deeper
+and bfqq3 can be merged to other bfqq as well.
+
+Fix this problem by iterating to the last bfqq in
+bfq_setup_cooperator().
+
+Fixes: 36eca8948323 ("block, bfq: add Early Queue Merge (EQM)")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20240902130329.3787024-3-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bfq-iosched.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index 1479e8d6fede2..3ed6584496f34 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -2226,8 +2226,12 @@ bfq_setup_cooperator(struct bfq_data *bfqd, struct bfq_queue *bfqq,
+ struct bfq_queue *in_service_bfqq, *new_bfqq;
+
+ /* if a merge has already been setup, then proceed with that first */
+- if (bfqq->new_bfqq)
+- return bfqq->new_bfqq;
++ new_bfqq = bfqq->new_bfqq;
++ if (new_bfqq) {
++ while (new_bfqq->new_bfqq)
++ new_bfqq = new_bfqq->new_bfqq;
++ return new_bfqq;
++ }
+
+ /*
+ * Prevent bfqq from being merged if it has been created too
+--
+2.43.0
+
--- /dev/null
+From 818bd33bb2230996e3ce487c17fe3e2085ffa0b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Sep 2024 21:03:28 +0800
+Subject: block, bfq: don't break merge chain in bfq_split_bfqq()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 42c306ed723321af4003b2a41bb73728cab54f85 ]
+
+Consider the following scenario:
+
+ Process 1 Process 2 Process 3 Process 4
+ (BIC1) (BIC2) (BIC3) (BIC4)
+ Λ | | |
+ \-------------\ \-------------\ \--------------\|
+ V V V
+ bfqq1--------->bfqq2---------->bfqq3----------->bfqq4
+ref 0 1 2 4
+
+If Process 1 issue a new IO and bfqq2 is found, and then bfq_init_rq()
+decide to spilt bfqq2 by bfq_split_bfqq(). Howerver, procress reference
+of bfqq2 is 1 and bfq_split_bfqq() just clear the coop flag, which will
+break the merge chain.
+
+Expected result: caller will allocate a new bfqq for BIC1
+
+ Process 1 Process 2 Process 3 Process 4
+ (BIC1) (BIC2) (BIC3) (BIC4)
+ | | |
+ \-------------\ \--------------\|
+ V V
+ bfqq1--------->bfqq2---------->bfqq3----------->bfqq4
+ref 0 0 1 3
+
+Since the condition is only used for the last bfqq4 when the previous
+bfqq2 and bfqq3 are already splited. Fix the problem by checking if
+bfqq is the last one in the merge chain as well.
+
+Fixes: 36eca8948323 ("block, bfq: add Early Queue Merge (EQM)")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20240902130329.3787024-4-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bfq-iosched.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index 3ed6584496f34..afc30a200fe82 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -5037,7 +5037,7 @@ bfq_split_bfqq(struct bfq_io_cq *bic, struct bfq_queue *bfqq)
+ {
+ bfq_log_bfqq(bfqq->bfqd, bfqq, "splitting queue");
+
+- if (bfqq_process_refs(bfqq) == 1) {
++ if (bfqq_process_refs(bfqq) == 1 && !bfqq->new_bfqq) {
+ bfqq->pid = current->pid;
+ bfq_clear_bfqq_coop(bfqq);
+ bfq_clear_bfqq_split_coop(bfqq);
+--
+2.43.0
+
--- /dev/null
+From 98b118f078f617f4dafacfb3c941c9b6369fc21e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Sep 2024 21:03:26 +0800
+Subject: block, bfq: fix possible UAF for bfqq->bic with merge chain
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 18ad4df091dd5d067d2faa8fce1180b79f7041a7 ]
+
+1) initial state, three tasks:
+
+ Process 1 Process 2 Process 3
+ (BIC1) (BIC2) (BIC3)
+ | Λ | Λ | Λ
+ | | | | | |
+ V | V | V |
+ bfqq1 bfqq2 bfqq3
+process ref: 1 1 1
+
+2) bfqq1 merged to bfqq2:
+
+ Process 1 Process 2 Process 3
+ (BIC1) (BIC2) (BIC3)
+ | | | Λ
+ \--------------\| | |
+ V V |
+ bfqq1--------->bfqq2 bfqq3
+process ref: 0 2 1
+
+3) bfqq2 merged to bfqq3:
+
+ Process 1 Process 2 Process 3
+ (BIC1) (BIC2) (BIC3)
+ here -> Λ | |
+ \--------------\ \-------------\|
+ V V
+ bfqq1--------->bfqq2---------->bfqq3
+process ref: 0 1 3
+
+In this case, IO from Process 1 will get bfqq2 from BIC1 first, and then
+get bfqq3 through merge chain, and finially handle IO by bfqq3.
+Howerver, current code will think bfqq2 is owned by BIC1, like initial
+state, and set bfqq2->bic to BIC1.
+
+bfq_insert_request
+-> by Process 1
+ bfqq = bfq_init_rq(rq)
+ bfqq = bfq_get_bfqq_handle_split
+ bfqq = bic_to_bfqq
+ -> get bfqq2 from BIC1
+ bfqq->ref++
+ rq->elv.priv[0] = bic
+ rq->elv.priv[1] = bfqq
+ if (bfqq_process_refs(bfqq) == 1)
+ bfqq->bic = bic
+ -> record BIC1 to bfqq2
+
+ __bfq_insert_request
+ new_bfqq = bfq_setup_cooperator
+ -> get bfqq3 from bfqq2->new_bfqq
+ bfqq_request_freed(bfqq)
+ new_bfqq->ref++
+ rq->elv.priv[1] = new_bfqq
+ -> handle IO by bfqq3
+
+Fix the problem by checking bfqq is from merge chain fist. And this
+might fix a following problem reported by our syzkaller(unreproducible):
+
+==================================================================
+BUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]
+BUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]
+BUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889
+Write of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595
+
+CPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G L 6.6.0-07439-gba2303cacfda #6
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
+Workqueue: kblockd blk_mq_requeue_work
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106
+ print_address_description mm/kasan/report.c:364 [inline]
+ print_report+0x10d/0x610 mm/kasan/report.c:475
+ kasan_report+0x8e/0xc0 mm/kasan/report.c:588
+ bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]
+ bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]
+ bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889
+ bfq_get_bfqq_handle_split+0x169/0x5d0 block/bfq-iosched.c:6757
+ bfq_init_rq block/bfq-iosched.c:6876 [inline]
+ bfq_insert_request block/bfq-iosched.c:6254 [inline]
+ bfq_insert_requests+0x1112/0x5cf0 block/bfq-iosched.c:6304
+ blk_mq_insert_request+0x290/0x8d0 block/blk-mq.c:2593
+ blk_mq_requeue_work+0x6bc/0xa70 block/blk-mq.c:1502
+ process_one_work kernel/workqueue.c:2627 [inline]
+ process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700
+ worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781
+ kthread+0x33c/0x440 kernel/kthread.c:388
+ ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305
+ </TASK>
+
+Allocated by task 20776:
+ kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
+ kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+ __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328
+ kasan_slab_alloc include/linux/kasan.h:188 [inline]
+ slab_post_alloc_hook mm/slab.h:763 [inline]
+ slab_alloc_node mm/slub.c:3458 [inline]
+ kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503
+ ioc_create_icq block/blk-ioc.c:370 [inline]
+ ioc_find_get_icq+0x180/0xaa0 block/blk-ioc.c:436
+ bfq_prepare_request+0x39/0xf0 block/bfq-iosched.c:6812
+ blk_mq_rq_ctx_init.isra.7+0x6ac/0xa00 block/blk-mq.c:403
+ __blk_mq_alloc_requests+0xcc0/0x1070 block/blk-mq.c:517
+ blk_mq_get_new_requests block/blk-mq.c:2940 [inline]
+ blk_mq_submit_bio+0x624/0x27c0 block/blk-mq.c:3042
+ __submit_bio+0x331/0x6f0 block/blk-core.c:624
+ __submit_bio_noacct_mq block/blk-core.c:703 [inline]
+ submit_bio_noacct_nocheck+0x816/0xb40 block/blk-core.c:732
+ submit_bio_noacct+0x7a6/0x1b50 block/blk-core.c:826
+ xlog_write_iclog+0x7d5/0xa00 fs/xfs/xfs_log.c:1958
+ xlog_state_release_iclog+0x3b8/0x720 fs/xfs/xfs_log.c:619
+ xlog_cil_push_work+0x19c5/0x2270 fs/xfs/xfs_log_cil.c:1330
+ process_one_work kernel/workqueue.c:2627 [inline]
+ process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700
+ worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781
+ kthread+0x33c/0x440 kernel/kthread.c:388
+ ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305
+
+Freed by task 946:
+ kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
+ kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+ kasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522
+ ____kasan_slab_free mm/kasan/common.c:236 [inline]
+ __kasan_slab_free+0x12c/0x1c0 mm/kasan/common.c:244
+ kasan_slab_free include/linux/kasan.h:164 [inline]
+ slab_free_hook mm/slub.c:1815 [inline]
+ slab_free_freelist_hook mm/slub.c:1841 [inline]
+ slab_free mm/slub.c:3786 [inline]
+ kmem_cache_free+0x118/0x6f0 mm/slub.c:3808
+ rcu_do_batch+0x35c/0xe30 kernel/rcu/tree.c:2189
+ rcu_core+0x819/0xd90 kernel/rcu/tree.c:2462
+ __do_softirq+0x1b0/0x7a2 kernel/softirq.c:553
+
+Last potentially related work creation:
+ kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
+ __kasan_record_aux_stack+0xaf/0xc0 mm/kasan/generic.c:492
+ __call_rcu_common kernel/rcu/tree.c:2712 [inline]
+ call_rcu+0xce/0x1020 kernel/rcu/tree.c:2826
+ ioc_destroy_icq+0x54c/0x830 block/blk-ioc.c:105
+ ioc_release_fn+0xf0/0x360 block/blk-ioc.c:124
+ process_one_work kernel/workqueue.c:2627 [inline]
+ process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700
+ worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781
+ kthread+0x33c/0x440 kernel/kthread.c:388
+ ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305
+
+Second to last potentially related work creation:
+ kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
+ __kasan_record_aux_stack+0xaf/0xc0 mm/kasan/generic.c:492
+ __call_rcu_common kernel/rcu/tree.c:2712 [inline]
+ call_rcu+0xce/0x1020 kernel/rcu/tree.c:2826
+ ioc_destroy_icq+0x54c/0x830 block/blk-ioc.c:105
+ ioc_release_fn+0xf0/0x360 block/blk-ioc.c:124
+ process_one_work kernel/workqueue.c:2627 [inline]
+ process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700
+ worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781
+ kthread+0x33c/0x440 kernel/kthread.c:388
+ ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305
+
+The buggy address belongs to the object at ffff888123839d68
+ which belongs to the cache bfq_io_cq of size 1360
+The buggy address is located 336 bytes inside of
+ freed 1360-byte region [ffff888123839d68, ffff88812383a2b8)
+
+The buggy address belongs to the physical page:
+page:ffffea00048e0e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88812383f588 pfn:0x123838
+head:ffffea00048e0e00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+flags: 0x17ffffc0000a40(workingset|slab|head|node=0|zone=2|lastcpupid=0x1fffff)
+page_type: 0xffffffff()
+raw: 0017ffffc0000a40 ffff88810588c200 ffffea00048ffa10 ffff888105889488
+raw: ffff88812383f588 0000000000150006 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff888123839d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff888123839e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+>ffff888123839e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff888123839f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff888123839f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+==================================================================
+
+Fixes: 36eca8948323 ("block, bfq: add Early Queue Merge (EQM)")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20240902130329.3787024-2-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bfq-iosched.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index 7415db053217c..1479e8d6fede2 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -5218,7 +5218,8 @@ static struct bfq_queue *bfq_init_rq(struct request *rq)
+ * addition, if the queue has also just been split, we have to
+ * resume its state.
+ */
+- if (likely(bfqq != &bfqd->oom_bfqq) && bfqq_process_refs(bfqq) == 1) {
++ if (likely(bfqq != &bfqd->oom_bfqq) && !bfqq->new_bfqq &&
++ bfqq_process_refs(bfqq) == 1) {
+ bfqq->bic = bic;
+ if (split) {
+ /*
+--
+2.43.0
+
--- /dev/null
+From 6cf6a3ef604bda727e98bc4bef9646ab35d22f3d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2024 16:51:52 -0400
+Subject: Bluetooth: btusb: Fix not handling ZPL/short-transfer
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 7b05933340f4490ef5b09e84d644d12484b05fdf ]
+
+Requesting transfers of the exact same size of wMaxPacketSize may result
+in ZPL/short-transfer since the USB stack cannot handle it as we are
+limiting the buffer size to be the same as wMaxPacketSize.
+
+Also, in terms of throughput this change has the same effect to
+interrupt endpoint as 290ba200815f "Bluetooth: Improve USB driver throughput
+by increasing the frame size" had for the bulk endpoint, so users of the
+advertisement bearer (e.g. BT Mesh) may benefit from this change.
+
+Fixes: 5e23b923da03 ("[Bluetooth] Add generic driver for Bluetooth USB devices")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Tested-by: Kiran K <kiran.k@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btusb.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index b6eb48e44e6b1..c7a1ec57256b4 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -743,7 +743,10 @@ static int btusb_submit_intr_urb(struct hci_dev *hdev, gfp_t mem_flags)
+ if (!urb)
+ return -ENOMEM;
+
+- size = le16_to_cpu(data->intr_ep->wMaxPacketSize);
++ /* Use maximum HCI Event size so the USB stack handles
++ * ZPL/short-transfer automatically.
++ */
++ size = HCI_MAX_EVENT_SIZE;
+
+ buf = kmalloc(size, mem_flags);
+ if (!buf) {
+--
+2.43.0
+
--- /dev/null
+From 0ff2365b0e2b5cfe2a5d4ac35c9108f691cdfbce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Sep 2024 18:22:37 -0700
+Subject: can: bcm: Clear bo->bcm_proc_read after remove_proc_entry().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 94b0818fa63555a65f6ba107080659ea6bcca63e ]
+
+syzbot reported a warning in bcm_release(). [0]
+
+The blamed change fixed another warning that is triggered when
+connect() is issued again for a socket whose connect()ed device has
+been unregistered.
+
+However, if the socket is just close()d without the 2nd connect(), the
+remaining bo->bcm_proc_read triggers unnecessary remove_proc_entry()
+in bcm_release().
+
+Let's clear bo->bcm_proc_read after remove_proc_entry() in bcm_notify().
+
+[0]
+name '4986'
+WARNING: CPU: 0 PID: 5234 at fs/proc/generic.c:711 remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711
+Modules linked in:
+CPU: 0 UID: 0 PID: 5234 Comm: syz-executor606 Not tainted 6.11.0-rc5-syzkaller-00178-g5517ae241919 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
+RIP: 0010:remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711
+Code: ff eb 05 e8 cb 1e 5e ff 48 8b 5c 24 10 48 c7 c7 e0 f7 aa 8e e8 2a 38 8e 09 90 48 c7 c7 60 3a 1b 8c 48 89 de e8 da 42 20 ff 90 <0f> 0b 90 90 48 8b 44 24 18 48 c7 44 24 40 0e 36 e0 45 49 c7 04 07
+RSP: 0018:ffffc9000345fa20 EFLAGS: 00010246
+RAX: 2a2d0aee2eb64600 RBX: ffff888032f1f548 RCX: ffff888029431e00
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: ffffc9000345fb08 R08: ffffffff8155b2f2 R09: 1ffff1101710519a
+R10: dffffc0000000000 R11: ffffed101710519b R12: ffff888011d38640
+R13: 0000000000000004 R14: 0000000000000000 R15: dffffc0000000000
+FS: 0000000000000000(0000) GS:ffff8880b8800000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fcfb52722f0 CR3: 000000000e734000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ bcm_release+0x250/0x880 net/can/bcm.c:1578
+ __sock_release net/socket.c:659 [inline]
+ sock_close+0xbc/0x240 net/socket.c:1421
+ __fput+0x24a/0x8a0 fs/file_table.c:422
+ task_work_run+0x24f/0x310 kernel/task_work.c:228
+ exit_task_work include/linux/task_work.h:40 [inline]
+ do_exit+0xa2f/0x27f0 kernel/exit.c:882
+ do_group_exit+0x207/0x2c0 kernel/exit.c:1031
+ __do_sys_exit_group kernel/exit.c:1042 [inline]
+ __se_sys_exit_group kernel/exit.c:1040 [inline]
+ __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1040
+ x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7fcfb51ee969
+Code: Unable to access opcode bytes at 0x7fcfb51ee93f.
+RSP: 002b:00007ffce0109ca8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
+RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fcfb51ee969
+RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
+RBP: 00007fcfb526f3b0 R08: ffffffffffffffb8 R09: 0000555500000000
+R10: 0000555500000000 R11: 0000000000000246 R12: 00007fcfb526f3b0
+R13: 0000000000000000 R14: 00007fcfb5271ee0 R15: 00007fcfb51bf160
+ </TASK>
+
+Fixes: 76fe372ccb81 ("can: bcm: Remove proc entry when dev is unregistered.")
+Reported-by: syzbot+0532ac7a06fb1a03187e@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=0532ac7a06fb1a03187e
+Tested-by: syzbot+0532ac7a06fb1a03187e@syzkaller.appspotmail.com
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Link: https://patch.msgid.link/20240905012237.79683-1-kuniyu@amazon.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/bcm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/can/bcm.c b/net/can/bcm.c
+index 095f68536c147..07c0634b32f73 100644
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -1423,8 +1423,10 @@ static void bcm_notify(struct bcm_sock *bo, unsigned long msg,
+ /* remove device reference, if this is our bound device */
+ if (bo->bound && bo->ifindex == dev->ifindex) {
+ #if IS_ENABLED(CONFIG_PROC_FS)
+- if (sock_net(sk)->can.bcmproc_dir && bo->bcm_proc_read)
++ if (sock_net(sk)->can.bcmproc_dir && bo->bcm_proc_read) {
+ remove_proc_entry(bo->procname, sock_net(sk)->can.bcmproc_dir);
++ bo->bcm_proc_read = NULL;
++ }
+ #endif
+ bo->bound = 0;
+ bo->ifindex = 0;
+--
+2.43.0
+
--- /dev/null
+From 9582bcb2f59349e818a0d6ac7e9e46b6fb0cad37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 Jun 2024 17:03:53 +0000
+Subject: clk: rockchip: Set parent rate for DCLK_VOP clock on RK3228
+
+From: Jonas Karlman <jonas@kwiboo.se>
+
+[ Upstream commit 1d34b9757523c1ad547bd6d040381f62d74a3189 ]
+
+Similar to DCLK_LCDC on RK3328, the DCLK_VOP on RK3228 is typically
+parented by the hdmiphy clk and it is expected that the DCLK_VOP and
+hdmiphy clk rate are kept in sync.
+
+Use CLK_SET_RATE_PARENT and CLK_SET_RATE_NO_REPARENT flags, same as used
+on RK3328, to make full use of all possible supported display modes.
+
+Fixes: 0a9d4ac08ebc ("clk: rockchip: set the clock ids for RK3228 VOP")
+Fixes: 307a2e9ac524 ("clk: rockchip: add clock controller for rk3228")
+Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
+Link: https://lore.kernel.org/r/20240615170417.3134517-3-jonas@kwiboo.se
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/rockchip/clk-rk3228.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/rockchip/clk-rk3228.c b/drivers/clk/rockchip/clk-rk3228.c
+index 8d11d76e1db7c..811f0d43ee90b 100644
+--- a/drivers/clk/rockchip/clk-rk3228.c
++++ b/drivers/clk/rockchip/clk-rk3228.c
+@@ -415,7 +415,7 @@ static struct rockchip_clk_branch rk3228_clk_branches[] __initdata = {
+ RK2928_CLKSEL_CON(29), 0, 3, DFLAGS),
+ DIV(0, "sclk_vop_pre", "sclk_vop_src", 0,
+ RK2928_CLKSEL_CON(27), 8, 8, DFLAGS),
+- MUX(DCLK_VOP, "dclk_vop", mux_dclk_vop_p, 0,
++ MUX(DCLK_VOP, "dclk_vop", mux_dclk_vop_p, CLK_SET_RATE_PARENT | CLK_SET_RATE_NO_REPARENT,
+ RK2928_CLKSEL_CON(27), 1, 1, MFLAGS),
+
+ FACTOR(0, "xin12m", "xin24m", 0, 1, 2),
+--
+2.43.0
+
--- /dev/null
+From 8ad3b849e45c27eea8c7dfab49c62b588b2bc31f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2024 10:35:29 -0500
+Subject: clk: ti: dra7-atl: Fix leak of of_nodes
+
+From: David Lechner <dlechner@baylibre.com>
+
+[ Upstream commit 9d6e9f10e2e031fb7bfb3030a7d1afc561a28fea ]
+
+This fix leaking the of_node references in of_dra7_atl_clk_probe().
+
+The docs for of_parse_phandle_with_args() say that the caller must call
+of_node_put() on the returned node. This adds the missing of_node_put()
+to fix the leak.
+
+Fixes: 9ac33b0ce81f ("CLK: TI: Driver for DRA7 ATL (Audio Tracking Logic)")
+Signed-off-by: David Lechner <dlechner@baylibre.com>
+Link: https://lore.kernel.org/r/20240826-clk-fix-leak-v1-1-f55418a13aa6@baylibre.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/ti/clk-dra7-atl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/ti/clk-dra7-atl.c b/drivers/clk/ti/clk-dra7-atl.c
+index a4b6f3ac2d34a..afd71c894150b 100644
+--- a/drivers/clk/ti/clk-dra7-atl.c
++++ b/drivers/clk/ti/clk-dra7-atl.c
+@@ -257,6 +257,7 @@ static int of_dra7_atl_clk_probe(struct platform_device *pdev)
+ }
+
+ clk = of_clk_get_from_provider(&clkspec);
++ of_node_put(clkspec.np);
+ if (IS_ERR(clk)) {
+ pr_err("%s: failed to get atl clock %d from provider\n",
+ __func__, i);
+--
+2.43.0
+
--- /dev/null
+From b39b47e87deea34994c36b792a540474099df081 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Jul 2024 15:27:13 +0530
+Subject: clocksource/drivers/qcom: Add missing iounmap() on errors in
+ msm_dt_timer_init()
+
+From: Ankit Agrawal <agrawal.ag.ankit@gmail.com>
+
+[ Upstream commit ca140a0dc0a18acd4653b56db211fec9b2339986 ]
+
+Add the missing iounmap() when clock frequency fails to get read by the
+of_property_read_u32() call, or if the call to msm_timer_init() fails.
+
+Fixes: 6e3321631ac2 ("ARM: msm: Add DT support to msm_timer")
+Signed-off-by: Ankit Agrawal <agrawal.ag.ankit@gmail.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Link: https://lore.kernel.org/r/20240713095713.GA430091@bnew-VirtualBox
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/timer-qcom.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/clocksource/timer-qcom.c b/drivers/clocksource/timer-qcom.c
+index 89816f89ff3f4..83385bc431acc 100644
+--- a/drivers/clocksource/timer-qcom.c
++++ b/drivers/clocksource/timer-qcom.c
+@@ -242,6 +242,7 @@ static int __init msm_dt_timer_init(struct device_node *np)
+ }
+
+ if (of_property_read_u32(np, "clock-frequency", &freq)) {
++ iounmap(cpu0_base);
+ pr_err("Unknown frequency\n");
+ return -EINVAL;
+ }
+@@ -252,7 +253,11 @@ static int __init msm_dt_timer_init(struct device_node *np)
+ freq /= 4;
+ writel_relaxed(DGT_CLK_CTL_DIV_4, source_base + DGT_CLK_CTL);
+
+- return msm_timer_init(freq, 32, irq, !!percpu_offset);
++ ret = msm_timer_init(freq, 32, irq, !!percpu_offset);
++ if (ret)
++ iounmap(cpu0_base);
++
++ return ret;
+ }
+ TIMER_OF_DECLARE(kpss_timer, "qcom,kpss-timer", msm_dt_timer_init);
+ TIMER_OF_DECLARE(scss_timer, "qcom,scss-timer", msm_dt_timer_init);
+--
+2.43.0
+
--- /dev/null
+From a566b5dc6e4075770322ae469e36242c058b2474 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2024 14:28:46 +0100
+Subject: coresight: tmc: sg: Do not leak sg_table
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+[ Upstream commit c58dc5a1f886f2fcc1133746d0cbaa1fe7fd44ff ]
+
+Running perf with cs_etm on Juno triggers the following kmemleak warning !
+
+:~# cat /sys/kernel/debug/kmemleak
+ unreferenced object 0xffffff8806b6d720 (size 96):
+ comm "perf", pid 562, jiffies 4297810960
+ hex dump (first 32 bytes):
+ 38 d8 13 07 88 ff ff ff 00 d0 9e 85 c0 ff ff ff 8...............
+ 00 10 00 88 c0 ff ff ff 00 f0 ff f7 ff 00 00 00 ................
+ backtrace (crc 1dbf6e00):
+ [<ffffffc08107381c>] kmemleak_alloc+0xbc/0xd8
+ [<ffffffc0802f9798>] kmalloc_trace_noprof+0x220/0x2e8
+ [<ffffffc07bb71948>] tmc_alloc_sg_table+0x48/0x208 [coresight_tmc]
+ [<ffffffc07bb71cbc>] tmc_etr_alloc_sg_buf+0xac/0x240 [coresight_tmc]
+ [<ffffffc07bb72538>] tmc_alloc_etr_buf.constprop.0+0x1f0/0x260 [coresight_tmc]
+ [<ffffffc07bb7280c>] alloc_etr_buf.constprop.0.isra.0+0x74/0xa8 [coresight_tmc]
+ [<ffffffc07bb72950>] tmc_alloc_etr_buffer+0x110/0x260 [coresight_tmc]
+ [<ffffffc07bb38afc>] etm_setup_aux+0x204/0x3b0 [coresight]
+ [<ffffffc08025837c>] rb_alloc_aux+0x20c/0x318
+ [<ffffffc08024dd84>] perf_mmap+0x2e4/0x7a0
+ [<ffffffc0802cceb0>] mmap_region+0x3b0/0xa08
+ [<ffffffc0802cd8a8>] do_mmap+0x3a0/0x500
+ [<ffffffc080295328>] vm_mmap_pgoff+0x100/0x1d0
+ [<ffffffc0802cadf8>] ksys_mmap_pgoff+0xb8/0x110
+ [<ffffffc080020688>] __arm64_sys_mmap+0x38/0x58
+ [<ffffffc080028fc0>] invoke_syscall.constprop.0+0x58/0x100
+
+This due to the fact that we do not free the "sg_table" itself while
+freeing up the SG table and data pages. Fix this by freeing the sg_table
+in tmc_free_sg_table().
+
+Fixes: 99443ea19e8b ("coresight: Add generic TMC sg table framework")
+Cc: Mike Leach <mike.leach@linaro.org>
+Cc: James Clark <james.clark@arm.com>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Link: https://lore.kernel.org/r/20240702132846.1677261-1-suzuki.poulose@arm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/coresight/coresight-tmc-etr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwtracing/coresight/coresight-tmc-etr.c b/drivers/hwtracing/coresight/coresight-tmc-etr.c
+index 8f850c22be418..99344e9daf5db 100644
+--- a/drivers/hwtracing/coresight/coresight-tmc-etr.c
++++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c
+@@ -222,6 +222,7 @@ void tmc_free_sg_table(struct tmc_sg_table *sg_table)
+ {
+ tmc_free_table_pages(sg_table);
+ tmc_free_data_pages(sg_table);
++ kfree(sg_table);
+ }
+
+ /*
+@@ -302,7 +303,6 @@ struct tmc_sg_table *tmc_alloc_sg_table(struct device *dev,
+ rc = tmc_alloc_table_pages(sg_table);
+ if (rc) {
+ tmc_free_sg_table(sg_table);
+- kfree(sg_table);
+ return ERR_PTR(rc);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From ff80a72148af06cbfcb22e569c8b30d976394698 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jul 2024 01:50:23 +0800
+Subject: drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write
+ error
+
+From: Junlin Li <make24@iscas.ac.cn>
+
+[ Upstream commit 46d7ebfe6a75a454a5fa28604f0ef1491f9d8d14 ]
+
+Ensure index in rtl2830_pid_filter does not exceed 31 to prevent
+out-of-bounds access.
+
+dev->filters is a 32-bit value, so set_bit and clear_bit functions should
+only operate on indices from 0 to 31. If index is 32, it will attempt to
+access a non-existent 33rd bit, leading to out-of-bounds access.
+Change the boundary check from index > 32 to index >= 32 to resolve this
+issue.
+
+Fixes: df70ddad81b4 ("[media] rtl2830: implement PID filter")
+Signed-off-by: Junlin Li <make24@iscas.ac.cn>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/rtl2830.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/dvb-frontends/rtl2830.c b/drivers/media/dvb-frontends/rtl2830.c
+index c0659568471b8..8cda25902d63a 100644
+--- a/drivers/media/dvb-frontends/rtl2830.c
++++ b/drivers/media/dvb-frontends/rtl2830.c
+@@ -619,7 +619,7 @@ static int rtl2830_pid_filter(struct dvb_frontend *fe, u8 index, u16 pid, int on
+ index, pid, onoff);
+
+ /* skip invalid PIDs (0x2000) */
+- if (pid > 0x1fff || index > 32)
++ if (pid > 0x1fff || index >= 32)
+ return 0;
+
+ if (onoff)
+--
+2.43.0
+
--- /dev/null
+From b6d12bc069b04ae1474f83cba0485f2dd0852a4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2024 21:24:13 +0800
+Subject: drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write
+ error
+
+From: Junlin Li <make24@iscas.ac.cn>
+
+[ Upstream commit 8ae06f360cfaca2b88b98ca89144548b3186aab1 ]
+
+Ensure index in rtl2832_pid_filter does not exceed 31 to prevent
+out-of-bounds access.
+
+dev->filters is a 32-bit value, so set_bit and clear_bit functions should
+only operate on indices from 0 to 31. If index is 32, it will attempt to
+access a non-existent 33rd bit, leading to out-of-bounds access.
+Change the boundary check from index > 32 to index >= 32 to resolve this
+issue.
+
+Signed-off-by: Junlin Li <make24@iscas.ac.cn>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Fixes: 4b01e01a81b6 ("[media] rtl2832: implement PID filter")
+[hverkuil: added fixes tag, rtl2830_pid_filter -> rtl2832_pid_filter in logmsg]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/rtl2832.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/dvb-frontends/rtl2832.c b/drivers/media/dvb-frontends/rtl2832.c
+index 7cad4e985315a..608bd2a81633d 100644
+--- a/drivers/media/dvb-frontends/rtl2832.c
++++ b/drivers/media/dvb-frontends/rtl2832.c
+@@ -995,7 +995,7 @@ static int rtl2832_pid_filter(struct dvb_frontend *fe, u8 index, u16 pid,
+ index, pid, onoff, dev->slave_ts);
+
+ /* skip invalid PIDs (0x2000) */
+- if (pid > 0x1fff || index > 32)
++ if (pid > 0x1fff || index >= 32)
+ return 0;
+
+ if (onoff)
+--
+2.43.0
+
--- /dev/null
+From 0901e80bd671d916d08144123afc086545fea9e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jan 2019 14:06:00 +0100
+Subject: drm/amd: fix typo
+
+From: Matteo Croce <mcroce@redhat.com>
+
+[ Upstream commit 229f7b1d6344ea35fff0b113e4d91128921f8937 ]
+
+Fix spelling mistake: "lenght" -> "length"
+
+Signed-off-by: Matteo Croce <mcroce@redhat.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Stable-dep-of: 8155566a26b8 ("drm/amdgpu: properly handle vbios fake edid sizing")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/include/atombios.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/include/atombios.h b/drivers/gpu/drm/amd/include/atombios.h
+index 7931502fa54fa..8ba21747b40a3 100644
+--- a/drivers/gpu/drm/amd/include/atombios.h
++++ b/drivers/gpu/drm/amd/include/atombios.h
+@@ -4106,7 +4106,7 @@ typedef struct _ATOM_LCD_MODE_CONTROL_CAP
+ typedef struct _ATOM_FAKE_EDID_PATCH_RECORD
+ {
+ UCHAR ucRecordType;
+- UCHAR ucFakeEDIDLength; // = 128 means EDID lenght is 128 bytes, otherwise the EDID length = ucFakeEDIDLength*128
++ UCHAR ucFakeEDIDLength; // = 128 means EDID length is 128 bytes, otherwise the EDID length = ucFakeEDIDLength*128
+ UCHAR ucFakeEDIDString[1]; // This actually has ucFakeEdidLength elements.
+ } ATOM_FAKE_EDID_PATCH_RECORD;
+
+--
+2.43.0
+
--- /dev/null
+From 5f0cd5bd96b23bdcf29cf4581864aa550a1e2e44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jul 2024 13:23:56 -0400
+Subject: drm/amdgpu: properly handle vbios fake edid sizing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+[ Upstream commit 8155566a26b8d6c1dd914f06a0c652e4e2f2adf1 ]
+
+The comment in the vbios structure says:
+// = 128 means EDID length is 128 bytes, otherwise the EDID length = ucFakeEDIDLength*128
+
+This fake edid struct has not been used in a long time, so I'm
+not sure if there were actually any boards out there with a non-128 byte
+EDID, but align the code with the comment.
+
+Reviewed-by: Thomas Weißschuh <linux@weissschuh.net>
+Reported-by: Thomas Weißschuh <linux@weissschuh.net>
+Link: https://lists.freedesktop.org/archives/amd-gfx/2024-June/109964.html
+Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)")
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/amd/amdgpu/atombios_encoders.c | 29 ++++++++++---------
+ 1 file changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/atombios_encoders.c b/drivers/gpu/drm/amd/amdgpu/atombios_encoders.c
+index 9de266a1bfbe0..251975697d69d 100644
+--- a/drivers/gpu/drm/amd/amdgpu/atombios_encoders.c
++++ b/drivers/gpu/drm/amd/amdgpu/atombios_encoders.c
+@@ -2095,26 +2095,29 @@ amdgpu_atombios_encoder_get_lcd_info(struct amdgpu_encoder *encoder)
+ fake_edid_record = (ATOM_FAKE_EDID_PATCH_RECORD *)record;
+ if (fake_edid_record->ucFakeEDIDLength) {
+ struct edid *edid;
+- int edid_size =
+- max((int)EDID_LENGTH, (int)fake_edid_record->ucFakeEDIDLength);
+- edid = kmalloc(edid_size, GFP_KERNEL);
++ int edid_size;
++
++ if (fake_edid_record->ucFakeEDIDLength == 128)
++ edid_size = fake_edid_record->ucFakeEDIDLength;
++ else
++ edid_size = fake_edid_record->ucFakeEDIDLength * 128;
++ edid = kmemdup(&fake_edid_record->ucFakeEDIDString[0],
++ edid_size, GFP_KERNEL);
+ if (edid) {
+- memcpy((u8 *)edid, (u8 *)&fake_edid_record->ucFakeEDIDString[0],
+- fake_edid_record->ucFakeEDIDLength);
+-
+ if (drm_edid_is_valid(edid)) {
+ adev->mode_info.bios_hardcoded_edid = edid;
+ adev->mode_info.bios_hardcoded_edid_size = edid_size;
+- } else
++ } else {
+ kfree(edid);
++ }
+ }
++ record += struct_size(fake_edid_record,
++ ucFakeEDIDString,
++ edid_size);
++ } else {
++ /* empty fake edid record must be 3 bytes long */
++ record += sizeof(ATOM_FAKE_EDID_PATCH_RECORD) + 1;
+ }
+- record += fake_edid_record->ucFakeEDIDLength ?
+- struct_size(fake_edid_record,
+- ucFakeEDIDString,
+- fake_edid_record->ucFakeEDIDLength) :
+- /* empty fake edid record must be 3 bytes long */
+- sizeof(ATOM_FAKE_EDID_PATCH_RECORD) + 1;
+ break;
+ case LCD_PANEL_RESOLUTION_RECORD_TYPE:
+ panel_res_record = (ATOM_PANEL_RESOLUTION_PATCH_RECORD *)record;
+--
+2.43.0
+
--- /dev/null
+From 95ac75fbd5073f4431825d5244ac664def2209b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 Oct 2022 14:30:44 +1300
+Subject: drm/amdgpu: Replace one-element array with flexible-array member
+
+From: Paulo Miguel Almeida <paulo.miguel.almeida.rodenas@gmail.com>
+
+[ Upstream commit 320e2590e281d0a7865e861f50155b5b435e9813 ]
+
+One-element arrays are deprecated, and we are replacing them with
+flexible array members instead. So, replace one-element array with
+flexible-array member in struct _ATOM_FAKE_EDID_PATCH_RECORD and
+refactor the rest of the code accordingly.
+
+Important to mention is that doing a build before/after this patch
+results in no binary output differences.
+
+This helps with the ongoing efforts to tighten the FORTIFY_SOURCE
+routines on memcpy() and help us make progress towards globally
+enabling -fstrict-flex-arrays=3 [1].
+
+Link: https://github.com/KSPP/linux/issues/79
+Link: https://github.com/KSPP/linux/issues/238
+Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101836 [1]
+
+Signed-off-by: Paulo Miguel Almeida <paulo.miguel.almeida.rodenas@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Stable-dep-of: 8155566a26b8 ("drm/amdgpu: properly handle vbios fake edid sizing")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/atombios_encoders.c | 7 +++++--
+ drivers/gpu/drm/amd/include/atombios.h | 2 +-
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/atombios_encoders.c b/drivers/gpu/drm/amd/amdgpu/atombios_encoders.c
+index d702fb8e34275..9de266a1bfbe0 100644
+--- a/drivers/gpu/drm/amd/amdgpu/atombios_encoders.c
++++ b/drivers/gpu/drm/amd/amdgpu/atombios_encoders.c
+@@ -2110,8 +2110,11 @@ amdgpu_atombios_encoder_get_lcd_info(struct amdgpu_encoder *encoder)
+ }
+ }
+ record += fake_edid_record->ucFakeEDIDLength ?
+- fake_edid_record->ucFakeEDIDLength + 2 :
+- sizeof(ATOM_FAKE_EDID_PATCH_RECORD);
++ struct_size(fake_edid_record,
++ ucFakeEDIDString,
++ fake_edid_record->ucFakeEDIDLength) :
++ /* empty fake edid record must be 3 bytes long */
++ sizeof(ATOM_FAKE_EDID_PATCH_RECORD) + 1;
+ break;
+ case LCD_PANEL_RESOLUTION_RECORD_TYPE:
+ panel_res_record = (ATOM_PANEL_RESOLUTION_PATCH_RECORD *)record;
+diff --git a/drivers/gpu/drm/amd/include/atombios.h b/drivers/gpu/drm/amd/include/atombios.h
+index 8ba21747b40a3..c9f70accd46d8 100644
+--- a/drivers/gpu/drm/amd/include/atombios.h
++++ b/drivers/gpu/drm/amd/include/atombios.h
+@@ -4107,7 +4107,7 @@ typedef struct _ATOM_FAKE_EDID_PATCH_RECORD
+ {
+ UCHAR ucRecordType;
+ UCHAR ucFakeEDIDLength; // = 128 means EDID length is 128 bytes, otherwise the EDID length = ucFakeEDIDLength*128
+- UCHAR ucFakeEDIDString[1]; // This actually has ucFakeEdidLength elements.
++ UCHAR ucFakeEDIDString[]; // This actually has ucFakeEdidLength elements.
+ } ATOM_FAKE_EDID_PATCH_RECORD;
+
+ typedef struct _ATOM_PANEL_RESOLUTION_PATCH_RECORD
+--
+2.43.0
+
--- /dev/null
+From 832db2841955830c1ed6108d670b8dad1b5f7f0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Sep 2024 13:54:02 +0000
+Subject: drm/msm/a5xx: fix races in preemption evaluation stage
+
+From: Vladimir Lypak <vladimir.lypak@gmail.com>
+
+[ Upstream commit ce050f307ad93bcc5958d0dd35fc276fd394d274 ]
+
+On A5XX GPUs when preemption is used it's invietable to enter a soft
+lock-up state in which GPU is stuck at empty ring-buffer doing nothing.
+This appears as full UI lockup and not detected as GPU hang (because
+it's not). This happens due to not triggering preemption when it was
+needed. Sometimes this state can be recovered by some new submit but
+generally it won't happen because applications are waiting for old
+submits to retire.
+
+One of the reasons why this happens is a race between a5xx_submit and
+a5xx_preempt_trigger called from IRQ during submit retire. Former thread
+updates ring->cur of previously empty and not current ring right after
+latter checks it for emptiness. Then both threads can just exit because
+for first one preempt_state wasn't NONE yet and for second one all rings
+appeared to be empty.
+
+To prevent such situations from happening we need to establish guarantee
+for preempt_trigger to make decision after each submit or retire. To
+implement this we serialize preemption initiation using spinlock. If
+switch is already in progress we need to re-trigger preemption when it
+finishes.
+
+Fixes: b1fc2839d2f9 ("drm/msm: Implement preemption for A5XX targets")
+Signed-off-by: Vladimir Lypak <vladimir.lypak@gmail.com>
+Patchwork: https://patchwork.freedesktop.org/patch/612045/
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a5xx_gpu.h | 1 +
+ drivers/gpu/drm/msm/adreno/a5xx_preempt.c | 24 +++++++++++++++++++++--
+ 2 files changed, 23 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a5xx_gpu.h b/drivers/gpu/drm/msm/adreno/a5xx_gpu.h
+index 7d71860c4bee6..c9b1da1517dc2 100644
+--- a/drivers/gpu/drm/msm/adreno/a5xx_gpu.h
++++ b/drivers/gpu/drm/msm/adreno/a5xx_gpu.h
+@@ -44,6 +44,7 @@ struct a5xx_gpu {
+ uint64_t preempt_iova[MSM_GPU_MAX_RINGS];
+
+ atomic_t preempt_state;
++ spinlock_t preempt_start_lock;
+ struct timer_list preempt_timer;
+ };
+
+diff --git a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
+index d6dc4168558e0..63445e88f8adc 100644
+--- a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
++++ b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
+@@ -107,12 +107,19 @@ void a5xx_preempt_trigger(struct msm_gpu *gpu)
+ if (gpu->nr_rings == 1)
+ return;
+
++ /*
++ * Serialize preemption start to ensure that we always make
++ * decision on latest state. Otherwise we can get stuck in
++ * lower priority or empty ring.
++ */
++ spin_lock_irqsave(&a5xx_gpu->preempt_start_lock, flags);
++
+ /*
+ * Try to start preemption by moving from NONE to START. If
+ * unsuccessful, a preemption is already in flight
+ */
+ if (!try_preempt_state(a5xx_gpu, PREEMPT_NONE, PREEMPT_START))
+- return;
++ goto out;
+
+ /* Get the next ring to preempt to */
+ ring = get_next_ring(gpu);
+@@ -137,9 +144,11 @@ void a5xx_preempt_trigger(struct msm_gpu *gpu)
+ set_preempt_state(a5xx_gpu, PREEMPT_ABORT);
+ update_wptr(gpu, a5xx_gpu->cur_ring);
+ set_preempt_state(a5xx_gpu, PREEMPT_NONE);
+- return;
++ goto out;
+ }
+
++ spin_unlock_irqrestore(&a5xx_gpu->preempt_start_lock, flags);
++
+ /* Make sure the wptr doesn't update while we're in motion */
+ spin_lock_irqsave(&ring->lock, flags);
+ a5xx_gpu->preempt[ring->id]->wptr = get_wptr(ring);
+@@ -163,6 +172,10 @@ void a5xx_preempt_trigger(struct msm_gpu *gpu)
+
+ /* And actually start the preemption */
+ gpu_write(gpu, REG_A5XX_CP_CONTEXT_SWITCH_CNTL, 1);
++ return;
++
++out:
++ spin_unlock_irqrestore(&a5xx_gpu->preempt_start_lock, flags);
+ }
+
+ void a5xx_preempt_irq(struct msm_gpu *gpu)
+@@ -200,6 +213,12 @@ void a5xx_preempt_irq(struct msm_gpu *gpu)
+ update_wptr(gpu, a5xx_gpu->cur_ring);
+
+ set_preempt_state(a5xx_gpu, PREEMPT_NONE);
++
++ /*
++ * Try to trigger preemption again in case there was a submit or
++ * retire during ring switch
++ */
++ a5xx_preempt_trigger(gpu);
+ }
+
+ void a5xx_preempt_hw_init(struct msm_gpu *gpu)
+@@ -302,5 +321,6 @@ void a5xx_preempt_init(struct msm_gpu *gpu)
+ }
+ }
+
++ spin_lock_init(&a5xx_gpu->preempt_start_lock);
+ timer_setup(&a5xx_gpu->preempt_timer, a5xx_preempt_timer, 0);
+ }
+--
+2.43.0
+
--- /dev/null
+From 7d08913e65b404594663aad8f0c897a33156a7be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Sep 2024 13:54:01 +0000
+Subject: drm/msm/a5xx: properly clear preemption records on resume
+
+From: Vladimir Lypak <vladimir.lypak@gmail.com>
+
+[ Upstream commit 64fd6d01a52904bdbda0ce810a45a428c995a4ca ]
+
+Two fields of preempt_record which are used by CP aren't reset on
+resume: "data" and "info". This is the reason behind faults which happen
+when we try to switch to the ring that was active last before suspend.
+In addition those faults can't be recovered from because we use suspend
+and resume to do so (keeping values of those fields again).
+
+Fixes: b1fc2839d2f9 ("drm/msm: Implement preemption for A5XX targets")
+Signed-off-by: Vladimir Lypak <vladimir.lypak@gmail.com>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Patchwork: https://patchwork.freedesktop.org/patch/612043/
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/adreno/a5xx_preempt.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
+index 970c7963ae29b..d6dc4168558e0 100644
+--- a/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
++++ b/drivers/gpu/drm/msm/adreno/a5xx_preempt.c
+@@ -209,6 +209,8 @@ void a5xx_preempt_hw_init(struct msm_gpu *gpu)
+ int i;
+
+ for (i = 0; i < gpu->nr_rings; i++) {
++ a5xx_gpu->preempt[i]->data = 0;
++ a5xx_gpu->preempt[i]->info = 0;
+ a5xx_gpu->preempt[i]->wptr = 0;
+ a5xx_gpu->preempt[i]->rptr = 0;
+ a5xx_gpu->preempt[i]->rbase = gpu->rb[i]->iova;
+--
+2.43.0
+
--- /dev/null
+From 6521075f3ddf6be64a88c1e73ceac9e76de3223b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Aug 2024 09:53:37 -0700
+Subject: drm/msm: fix %s null argument error
+
+From: Sherry Yang <sherry.yang@oracle.com>
+
+[ Upstream commit 25b85075150fe8adddb096db8a4b950353045ee1 ]
+
+The following build error was triggered because of NULL string argument:
+
+BUILDSTDERR: drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c: In function 'mdp5_smp_dump':
+BUILDSTDERR: drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c:352:51: error: '%s' directive argument is null [-Werror=format-overflow=]
+BUILDSTDERR: 352 | drm_printf(p, "%s:%d\t%d\t%s\n",
+BUILDSTDERR: | ^~
+BUILDSTDERR: drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c:352:51: error: '%s' directive argument is null [-Werror=format-overflow=]
+
+This happens from the commit a61ddb4393ad ("drm: enable (most) W=1
+warnings by default across the subsystem"). Using "(null)" instead
+to fix it.
+
+Fixes: bc5289eed481 ("drm/msm/mdp5: add debugfs to show smp block status")
+Signed-off-by: Sherry Yang <sherry.yang@oracle.com>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Patchwork: https://patchwork.freedesktop.org/patch/611071/
+Link: https://lore.kernel.org/r/20240827165337.1075904-1-sherry.yang@oracle.com
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c b/drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c
+index 96c2b828dba4a..2d9027c8418ee 100644
+--- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c
++++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_smp.c
+@@ -366,7 +366,7 @@ void mdp5_smp_dump(struct mdp5_smp *smp, struct drm_printer *p)
+
+ drm_printf(p, "%s:%d\t%d\t%s\n",
+ pipe2name(pipe), j, inuse,
+- plane ? plane->name : NULL);
++ plane ? plane->name : "(null)");
+
+ total += inuse;
+ }
+--
+2.43.0
+
--- /dev/null
+From 5b8492f3bfe33dca6b2ec79f942daaa3601fc10f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Aug 2024 10:19:04 -0700
+Subject: drm/radeon/evergreen_cs: fix int overflow errors in cs track offsets
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+[ Upstream commit 3fbaf475a5b8361ebee7da18964db809e37518b7 ]
+
+Several cs track offsets (such as 'track->db_s_read_offset')
+either are initialized with or plainly take big enough values that,
+once shifted 8 bits left, may be hit with integer overflow if the
+resulting values end up going over u32 limit.
+
+Same goes for a few instances of 'surf.layer_size * mslice'
+multiplications that are added to 'offset' variable - they may
+potentially overflow as well and need to be validated properly.
+
+While some debug prints in this code section take possible overflow
+issues into account, simply casting to (unsigned long) may be
+erroneous in its own way, as depending on CPU architecture one is
+liable to get different results.
+
+Fix said problems by:
+ - casting 'offset' to fixed u64 data type instead of
+ ambiguous unsigned long.
+ - casting one of the operands in vulnerable to integer
+ overflow cases to u64.
+ - adjust format specifiers in debug prints to properly
+ represent 'offset' values.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: 285484e2d55e ("drm/radeon: add support for evergreen/ni tiling informations v11")
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/evergreen_cs.c | 62 +++++++++++++--------------
+ 1 file changed, 31 insertions(+), 31 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/evergreen_cs.c b/drivers/gpu/drm/radeon/evergreen_cs.c
+index 2f0a5bd501746..44a5c9059323c 100644
+--- a/drivers/gpu/drm/radeon/evergreen_cs.c
++++ b/drivers/gpu/drm/radeon/evergreen_cs.c
+@@ -396,7 +396,7 @@ static int evergreen_cs_track_validate_cb(struct radeon_cs_parser *p, unsigned i
+ struct evergreen_cs_track *track = p->track;
+ struct eg_surface surf;
+ unsigned pitch, slice, mslice;
+- unsigned long offset;
++ u64 offset;
+ int r;
+
+ mslice = G_028C6C_SLICE_MAX(track->cb_color_view[id]) + 1;
+@@ -434,14 +434,14 @@ static int evergreen_cs_track_validate_cb(struct radeon_cs_parser *p, unsigned i
+ return r;
+ }
+
+- offset = track->cb_color_bo_offset[id] << 8;
++ offset = (u64)track->cb_color_bo_offset[id] << 8;
+ if (offset & (surf.base_align - 1)) {
+- dev_warn(p->dev, "%s:%d cb[%d] bo base %ld not aligned with %ld\n",
++ dev_warn(p->dev, "%s:%d cb[%d] bo base %llu not aligned with %ld\n",
+ __func__, __LINE__, id, offset, surf.base_align);
+ return -EINVAL;
+ }
+
+- offset += surf.layer_size * mslice;
++ offset += (u64)surf.layer_size * mslice;
+ if (offset > radeon_bo_size(track->cb_color_bo[id])) {
+ /* old ddx are broken they allocate bo with w*h*bpp but
+ * program slice with ALIGN(h, 8), catch this and patch
+@@ -449,14 +449,14 @@ static int evergreen_cs_track_validate_cb(struct radeon_cs_parser *p, unsigned i
+ */
+ if (!surf.mode) {
+ uint32_t *ib = p->ib.ptr;
+- unsigned long tmp, nby, bsize, size, min = 0;
++ u64 tmp, nby, bsize, size, min = 0;
+
+ /* find the height the ddx wants */
+ if (surf.nby > 8) {
+ min = surf.nby - 8;
+ }
+ bsize = radeon_bo_size(track->cb_color_bo[id]);
+- tmp = track->cb_color_bo_offset[id] << 8;
++ tmp = (u64)track->cb_color_bo_offset[id] << 8;
+ for (nby = surf.nby; nby > min; nby--) {
+ size = nby * surf.nbx * surf.bpe * surf.nsamples;
+ if ((tmp + size * mslice) <= bsize) {
+@@ -468,7 +468,7 @@ static int evergreen_cs_track_validate_cb(struct radeon_cs_parser *p, unsigned i
+ slice = ((nby * surf.nbx) / 64) - 1;
+ if (!evergreen_surface_check(p, &surf, "cb")) {
+ /* check if this one works */
+- tmp += surf.layer_size * mslice;
++ tmp += (u64)surf.layer_size * mslice;
+ if (tmp <= bsize) {
+ ib[track->cb_color_slice_idx[id]] = slice;
+ goto old_ddx_ok;
+@@ -477,9 +477,9 @@ static int evergreen_cs_track_validate_cb(struct radeon_cs_parser *p, unsigned i
+ }
+ }
+ dev_warn(p->dev, "%s:%d cb[%d] bo too small (layer size %d, "
+- "offset %d, max layer %d, bo size %ld, slice %d)\n",
++ "offset %llu, max layer %d, bo size %ld, slice %d)\n",
+ __func__, __LINE__, id, surf.layer_size,
+- track->cb_color_bo_offset[id] << 8, mslice,
++ (u64)track->cb_color_bo_offset[id] << 8, mslice,
+ radeon_bo_size(track->cb_color_bo[id]), slice);
+ dev_warn(p->dev, "%s:%d problematic surf: (%d %d) (%d %d %d %d %d %d %d)\n",
+ __func__, __LINE__, surf.nbx, surf.nby,
+@@ -563,7 +563,7 @@ static int evergreen_cs_track_validate_stencil(struct radeon_cs_parser *p)
+ struct evergreen_cs_track *track = p->track;
+ struct eg_surface surf;
+ unsigned pitch, slice, mslice;
+- unsigned long offset;
++ u64 offset;
+ int r;
+
+ mslice = G_028008_SLICE_MAX(track->db_depth_view) + 1;
+@@ -609,18 +609,18 @@ static int evergreen_cs_track_validate_stencil(struct radeon_cs_parser *p)
+ return r;
+ }
+
+- offset = track->db_s_read_offset << 8;
++ offset = (u64)track->db_s_read_offset << 8;
+ if (offset & (surf.base_align - 1)) {
+- dev_warn(p->dev, "%s:%d stencil read bo base %ld not aligned with %ld\n",
++ dev_warn(p->dev, "%s:%d stencil read bo base %llu not aligned with %ld\n",
+ __func__, __LINE__, offset, surf.base_align);
+ return -EINVAL;
+ }
+- offset += surf.layer_size * mslice;
++ offset += (u64)surf.layer_size * mslice;
+ if (offset > radeon_bo_size(track->db_s_read_bo)) {
+ dev_warn(p->dev, "%s:%d stencil read bo too small (layer size %d, "
+- "offset %ld, max layer %d, bo size %ld)\n",
++ "offset %llu, max layer %d, bo size %ld)\n",
+ __func__, __LINE__, surf.layer_size,
+- (unsigned long)track->db_s_read_offset << 8, mslice,
++ (u64)track->db_s_read_offset << 8, mslice,
+ radeon_bo_size(track->db_s_read_bo));
+ dev_warn(p->dev, "%s:%d stencil invalid (0x%08x 0x%08x 0x%08x 0x%08x)\n",
+ __func__, __LINE__, track->db_depth_size,
+@@ -628,18 +628,18 @@ static int evergreen_cs_track_validate_stencil(struct radeon_cs_parser *p)
+ return -EINVAL;
+ }
+
+- offset = track->db_s_write_offset << 8;
++ offset = (u64)track->db_s_write_offset << 8;
+ if (offset & (surf.base_align - 1)) {
+- dev_warn(p->dev, "%s:%d stencil write bo base %ld not aligned with %ld\n",
++ dev_warn(p->dev, "%s:%d stencil write bo base %llu not aligned with %ld\n",
+ __func__, __LINE__, offset, surf.base_align);
+ return -EINVAL;
+ }
+- offset += surf.layer_size * mslice;
++ offset += (u64)surf.layer_size * mslice;
+ if (offset > radeon_bo_size(track->db_s_write_bo)) {
+ dev_warn(p->dev, "%s:%d stencil write bo too small (layer size %d, "
+- "offset %ld, max layer %d, bo size %ld)\n",
++ "offset %llu, max layer %d, bo size %ld)\n",
+ __func__, __LINE__, surf.layer_size,
+- (unsigned long)track->db_s_write_offset << 8, mslice,
++ (u64)track->db_s_write_offset << 8, mslice,
+ radeon_bo_size(track->db_s_write_bo));
+ return -EINVAL;
+ }
+@@ -660,7 +660,7 @@ static int evergreen_cs_track_validate_depth(struct radeon_cs_parser *p)
+ struct evergreen_cs_track *track = p->track;
+ struct eg_surface surf;
+ unsigned pitch, slice, mslice;
+- unsigned long offset;
++ u64 offset;
+ int r;
+
+ mslice = G_028008_SLICE_MAX(track->db_depth_view) + 1;
+@@ -707,34 +707,34 @@ static int evergreen_cs_track_validate_depth(struct radeon_cs_parser *p)
+ return r;
+ }
+
+- offset = track->db_z_read_offset << 8;
++ offset = (u64)track->db_z_read_offset << 8;
+ if (offset & (surf.base_align - 1)) {
+- dev_warn(p->dev, "%s:%d stencil read bo base %ld not aligned with %ld\n",
++ dev_warn(p->dev, "%s:%d stencil read bo base %llu not aligned with %ld\n",
+ __func__, __LINE__, offset, surf.base_align);
+ return -EINVAL;
+ }
+- offset += surf.layer_size * mslice;
++ offset += (u64)surf.layer_size * mslice;
+ if (offset > radeon_bo_size(track->db_z_read_bo)) {
+ dev_warn(p->dev, "%s:%d depth read bo too small (layer size %d, "
+- "offset %ld, max layer %d, bo size %ld)\n",
++ "offset %llu, max layer %d, bo size %ld)\n",
+ __func__, __LINE__, surf.layer_size,
+- (unsigned long)track->db_z_read_offset << 8, mslice,
++ (u64)track->db_z_read_offset << 8, mslice,
+ radeon_bo_size(track->db_z_read_bo));
+ return -EINVAL;
+ }
+
+- offset = track->db_z_write_offset << 8;
++ offset = (u64)track->db_z_write_offset << 8;
+ if (offset & (surf.base_align - 1)) {
+- dev_warn(p->dev, "%s:%d stencil write bo base %ld not aligned with %ld\n",
++ dev_warn(p->dev, "%s:%d stencil write bo base %llu not aligned with %ld\n",
+ __func__, __LINE__, offset, surf.base_align);
+ return -EINVAL;
+ }
+- offset += surf.layer_size * mslice;
++ offset += (u64)surf.layer_size * mslice;
+ if (offset > radeon_bo_size(track->db_z_write_bo)) {
+ dev_warn(p->dev, "%s:%d depth write bo too small (layer size %d, "
+- "offset %ld, max layer %d, bo size %ld)\n",
++ "offset %llu, max layer %d, bo size %ld)\n",
+ __func__, __LINE__, surf.layer_size,
+- (unsigned long)track->db_z_write_offset << 8, mslice,
++ (u64)track->db_z_write_offset << 8, mslice,
+ radeon_bo_size(track->db_z_write_bo));
+ return -EINVAL;
+ }
+--
+2.43.0
+
--- /dev/null
+From e9e522adeb1b65c93f3f305134692179c2aca39e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jul 2024 13:31:58 -0400
+Subject: drm/radeon: properly handle vbios fake edid sizing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+[ Upstream commit 17c6baff3d5f65c8da164137a58742541a060b2f ]
+
+The comment in the vbios structure says:
+// = 128 means EDID length is 128 bytes, otherwise the EDID length = ucFakeEDIDLength*128
+
+This fake edid struct has not been used in a long time, so I'm
+not sure if there were actually any boards out there with a non-128 byte
+EDID, but align the code with the comment.
+
+Reviewed-by: Thomas Weißschuh <linux@weissschuh.net>
+Reported-by: Thomas Weißschuh <linux@weissschuh.net>
+Link: https://lists.freedesktop.org/archives/amd-gfx/2024-June/109964.html
+Fixes: c324acd5032f ("drm/radeon/kms: parse the extended LCD info block")
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/radeon_atombios.c | 29 +++++++++++++-----------
+ 1 file changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c
+index 0d11d6d1f5f0a..317843bd67d93 100644
+--- a/drivers/gpu/drm/radeon/radeon_atombios.c
++++ b/drivers/gpu/drm/radeon/radeon_atombios.c
+@@ -1727,26 +1727,29 @@ struct radeon_encoder_atom_dig *radeon_atombios_get_lvds_info(struct
+ fake_edid_record = (ATOM_FAKE_EDID_PATCH_RECORD *)record;
+ if (fake_edid_record->ucFakeEDIDLength) {
+ struct edid *edid;
+- int edid_size =
+- max((int)EDID_LENGTH, (int)fake_edid_record->ucFakeEDIDLength);
+- edid = kmalloc(edid_size, GFP_KERNEL);
++ int edid_size;
++
++ if (fake_edid_record->ucFakeEDIDLength == 128)
++ edid_size = fake_edid_record->ucFakeEDIDLength;
++ else
++ edid_size = fake_edid_record->ucFakeEDIDLength * 128;
++ edid = kmemdup(&fake_edid_record->ucFakeEDIDString[0],
++ edid_size, GFP_KERNEL);
+ if (edid) {
+- memcpy((u8 *)edid, (u8 *)&fake_edid_record->ucFakeEDIDString[0],
+- fake_edid_record->ucFakeEDIDLength);
+-
+ if (drm_edid_is_valid(edid)) {
+ rdev->mode_info.bios_hardcoded_edid = edid;
+ rdev->mode_info.bios_hardcoded_edid_size = edid_size;
+- } else
++ } else {
+ kfree(edid);
++ }
+ }
++ record += struct_size(fake_edid_record,
++ ucFakeEDIDString,
++ edid_size);
++ } else {
++ /* empty fake edid record must be 3 bytes long */
++ record += sizeof(ATOM_FAKE_EDID_PATCH_RECORD) + 1;
+ }
+- record += fake_edid_record->ucFakeEDIDLength ?
+- struct_size(fake_edid_record,
+- ucFakeEDIDString,
+- fake_edid_record->ucFakeEDIDLength) :
+- /* empty fake edid record must be 3 bytes long */
+- sizeof(ATOM_FAKE_EDID_PATCH_RECORD) + 1;
+ break;
+ case LCD_PANEL_RESOLUTION_RECORD_TYPE:
+ panel_res_record = (ATOM_PANEL_RESOLUTION_PATCH_RECORD *)record;
+--
+2.43.0
+
--- /dev/null
+From a3a0ab17ebdce9761b095fcfab86902885813b30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 Oct 2022 16:32:05 +1300
+Subject: drm/radeon: Replace one-element array with flexible-array member
+
+From: Paulo Miguel Almeida <paulo.miguel.almeida.rodenas@gmail.com>
+
+[ Upstream commit c81c5bd5cf2f428867e0bcfcccd4e4d2f8c68f51 ]
+
+One-element arrays are deprecated, and we are replacing them with
+flexible array members instead. So, replace one-element array with
+flexible-array member in struct _ATOM_FAKE_EDID_PATCH_RECORD and
+refactor the rest of the code accordingly.
+
+It's worth mentioning that doing a build before/after this patch results
+in no binary output differences.
+
+This helps with the ongoing efforts to tighten the FORTIFY_SOURCE
+routines on memcpy() and help us make progress towards globally
+enabling -fstrict-flex-arrays=3 [1].
+
+Link: https://github.com/KSPP/linux/issues/79
+Link: https://github.com/KSPP/linux/issues/239
+Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101836 [1]
+
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Paulo Miguel Almeida <paulo.miguel.almeida.rodenas@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Stable-dep-of: 17c6baff3d5f ("drm/radeon: properly handle vbios fake edid sizing")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/atombios.h | 2 +-
+ drivers/gpu/drm/radeon/radeon_atombios.c | 7 +++++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/radeon/atombios.h b/drivers/gpu/drm/radeon/atombios.h
+index 4b86e8b450090..e3f4964647641 100644
+--- a/drivers/gpu/drm/radeon/atombios.h
++++ b/drivers/gpu/drm/radeon/atombios.h
+@@ -3615,7 +3615,7 @@ typedef struct _ATOM_FAKE_EDID_PATCH_RECORD
+ {
+ UCHAR ucRecordType;
+ UCHAR ucFakeEDIDLength;
+- UCHAR ucFakeEDIDString[1]; // This actually has ucFakeEdidLength elements.
++ UCHAR ucFakeEDIDString[]; // This actually has ucFakeEdidLength elements.
+ } ATOM_FAKE_EDID_PATCH_RECORD;
+
+ typedef struct _ATOM_PANEL_RESOLUTION_PATCH_RECORD
+diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c
+index 821b03d6142b0..0d11d6d1f5f0a 100644
+--- a/drivers/gpu/drm/radeon/radeon_atombios.c
++++ b/drivers/gpu/drm/radeon/radeon_atombios.c
+@@ -1742,8 +1742,11 @@ struct radeon_encoder_atom_dig *radeon_atombios_get_lvds_info(struct
+ }
+ }
+ record += fake_edid_record->ucFakeEDIDLength ?
+- fake_edid_record->ucFakeEDIDLength + 2 :
+- sizeof(ATOM_FAKE_EDID_PATCH_RECORD);
++ struct_size(fake_edid_record,
++ ucFakeEDIDString,
++ fake_edid_record->ucFakeEDIDLength) :
++ /* empty fake edid record must be 3 bytes long */
++ sizeof(ATOM_FAKE_EDID_PATCH_RECORD) + 1;
+ break;
+ case LCD_PANEL_RESOLUTION_RECORD_TYPE:
+ panel_res_record = (ATOM_PANEL_RESOLUTION_PATCH_RECORD *)record;
+--
+2.43.0
+
--- /dev/null
+From b8e33a1a08f9975b1f735547b17e5e67808688c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 15 Jun 2024 17:03:54 +0000
+Subject: drm/rockchip: vop: Allow 4096px width scaling
+
+From: Alex Bee <knaerzche@gmail.com>
+
+[ Upstream commit 0ef968d91a20b5da581839f093f98f7a03a804f7 ]
+
+There is no reason to limit VOP scaling to 3840px width, the limit of
+RK3288, when there are newer VOP versions that support 4096px width.
+
+Change to enforce a maximum of 4096px width plane scaling, the maximum
+supported output width of the VOP versions supported by this driver.
+
+Fixes: 4c156c21c794 ("drm/rockchip: vop: support plane scale")
+Signed-off-by: Alex Bee <knaerzche@gmail.com>
+Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240615170417.3134517-4-jonas@kwiboo.se
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
+index c502d24b8253e..63c4e16ec449d 100644
+--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
+@@ -308,8 +308,8 @@ static void scl_vop_cal_scl_fac(struct vop *vop, const struct vop_win_data *win,
+ if (info->is_yuv)
+ is_yuv = true;
+
+- if (dst_w > 3840) {
+- DRM_DEV_ERROR(vop->dev, "Maximum dst width (3840) exceeded\n");
++ if (dst_w > 4096) {
++ DRM_DEV_ERROR(vop->dev, "Maximum dst width (4096) exceeded\n");
+ return;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From e652c43ff1f7903d8373c43df82e68376e1280ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Jan 2024 17:54:32 +0100
+Subject: drm/stm: Fix an error handling path in stm_drm_platform_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit ce7c90bfda2656418c69ba0dd8f8a7536b8928d4 ]
+
+If drm_dev_register() fails, a call to drv_load() must be undone, as
+already done in the remove function.
+
+Fixes: b759012c5fa7 ("drm/stm: Add STM32 LTDC driver")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Acked-by: Raphael Gallais-Pou <raphael.gallais-pou@foss.st.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20fff7f853f20a48a96db8ff186124470ec4d976.1704560028.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Raphael Gallais-Pou <raphael.gallais-pou@foss.st.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/stm/drv.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/stm/drv.c b/drivers/gpu/drm/stm/drv.c
+index f2021b23554d3..dade0ecdfc1a1 100644
+--- a/drivers/gpu/drm/stm/drv.c
++++ b/drivers/gpu/drm/stm/drv.c
+@@ -152,10 +152,12 @@ static int stm_drm_platform_probe(struct platform_device *pdev)
+
+ ret = drm_dev_register(ddev, 0);
+ if (ret)
+- goto err_put;
++ goto err_unload;
+
+ return 0;
+
++err_unload:
++ drv_unload(ddev);
+ err_put:
+ drm_dev_put(ddev);
+
+--
+2.43.0
+
--- /dev/null
+From 17bfe59f6eaf5bdc3383a6ae32b699b86224a52f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2024 21:22:30 +0800
+Subject: ext4: avoid negative min_clusters in find_group_orlov()
+
+From: Kemeng Shi <shikemeng@huaweicloud.com>
+
+[ Upstream commit bb0a12c3439b10d88412fd3102df5b9a6e3cd6dc ]
+
+min_clusters is signed integer and will be converted to unsigned
+integer when compared with unsigned number stats.free_clusters.
+If min_clusters is negative, it will be converted to a huge unsigned
+value in which case all groups may not meet the actual desired free
+clusters.
+Set negative min_clusters to 0 to avoid unexpected behavior.
+
+Fixes: ac27a0ec112a ("[PATCH] ext4: initial copy of files from ext3")
+Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
+Link: https://patch.msgid.link/20240820132234.2759926-4-shikemeng@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/ialloc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
+index 5dfb34802aed5..39a824df52726 100644
+--- a/fs/ext4/ialloc.c
++++ b/fs/ext4/ialloc.c
+@@ -510,6 +510,8 @@ static int find_group_orlov(struct super_block *sb, struct inode *parent,
+ if (min_inodes < 1)
+ min_inodes = 1;
+ min_clusters = avefreec - EXT4_CLUSTERS_PER_GROUP(sb)*flex_size / 4;
++ if (min_clusters < 0)
++ min_clusters = 0;
+
+ /*
+ * Start looking in the flex group where we last allocated an
+--
+2.43.0
+
--- /dev/null
+From a4d1396ace50853512f3858b82f22bc005c4120a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2024 12:23:24 -0300
+Subject: ext4: avoid OOB when system.data xattr changes underneath the
+ filesystem
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+[ Upstream commit c6b72f5d82b1017bad80f9ebf502832fc321d796 ]
+
+When looking up for an entry in an inlined directory, if e_value_offs is
+changed underneath the filesystem by some change in the block device, it
+will lead to an out-of-bounds access that KASAN detects as an UAF.
+
+EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
+loop0: detected capacity change from 2048 to 2047
+==================================================================
+BUG: KASAN: use-after-free in ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500
+Read of size 1 at addr ffff88803e91130f by task syz-executor269/5103
+
+CPU: 0 UID: 0 PID: 5103 Comm: syz-executor269 Not tainted 6.11.0-rc4-syzkaller #0
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:93 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
+ print_address_description mm/kasan/report.c:377 [inline]
+ print_report+0x169/0x550 mm/kasan/report.c:488
+ kasan_report+0x143/0x180 mm/kasan/report.c:601
+ ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500
+ ext4_find_inline_entry+0x4be/0x5e0 fs/ext4/inline.c:1697
+ __ext4_find_entry+0x2b4/0x1b30 fs/ext4/namei.c:1573
+ ext4_lookup_entry fs/ext4/namei.c:1727 [inline]
+ ext4_lookup+0x15f/0x750 fs/ext4/namei.c:1795
+ lookup_one_qstr_excl+0x11f/0x260 fs/namei.c:1633
+ filename_create+0x297/0x540 fs/namei.c:3980
+ do_symlinkat+0xf9/0x3a0 fs/namei.c:4587
+ __do_sys_symlinkat fs/namei.c:4610 [inline]
+ __se_sys_symlinkat fs/namei.c:4607 [inline]
+ __x64_sys_symlinkat+0x95/0xb0 fs/namei.c:4607
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7f3e73ced469
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007fff4d40c258 EFLAGS: 00000246 ORIG_RAX: 000000000000010a
+RAX: ffffffffffffffda RBX: 0032656c69662f2e RCX: 00007f3e73ced469
+RDX: 0000000020000200 RSI: 00000000ffffff9c RDI: 00000000200001c0
+RBP: 0000000000000000 R08: 00007fff4d40c290 R09: 00007fff4d40c290
+R10: 0023706f6f6c2f76 R11: 0000000000000246 R12: 00007fff4d40c27c
+R13: 0000000000000003 R14: 431bde82d7b634db R15: 00007fff4d40c2b0
+ </TASK>
+
+Calling ext4_xattr_ibody_find right after reading the inode with
+ext4_get_inode_loc will lead to a check of the validity of the xattrs,
+avoiding this problem.
+
+Reported-by: syzbot+0c2508114d912a54ee79@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=0c2508114d912a54ee79
+Fixes: e8e948e7802a ("ext4: let ext4_find_entry handle inline data")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Link: https://patch.msgid.link/20240821152324.3621860-5-cascardo@igalia.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/inline.c | 31 +++++++++++++++++++++----------
+ 1 file changed, 21 insertions(+), 10 deletions(-)
+
+diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
+index ee9f19709eda1..2230b36479624 100644
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -1653,25 +1653,36 @@ struct buffer_head *ext4_find_inline_entry(struct inode *dir,
+ struct ext4_dir_entry_2 **res_dir,
+ int *has_inline_data)
+ {
++ struct ext4_xattr_ibody_find is = {
++ .s = { .not_found = -ENODATA, },
++ };
++ struct ext4_xattr_info i = {
++ .name_index = EXT4_XATTR_INDEX_SYSTEM,
++ .name = EXT4_XATTR_SYSTEM_DATA,
++ };
+ int ret;
+- struct ext4_iloc iloc;
+ void *inline_start;
+ int inline_size;
+
+- ret = ext4_get_inode_loc(dir, &iloc);
++ ret = ext4_get_inode_loc(dir, &is.iloc);
+ if (ret)
+ return ERR_PTR(ret);
+
+ down_read(&EXT4_I(dir)->xattr_sem);
++
++ ret = ext4_xattr_ibody_find(dir, &i, &is);
++ if (ret)
++ goto out;
++
+ if (!ext4_has_inline_data(dir)) {
+ *has_inline_data = 0;
+ goto out;
+ }
+
+- inline_start = (void *)ext4_raw_inode(&iloc)->i_block +
++ inline_start = (void *)ext4_raw_inode(&is.iloc)->i_block +
+ EXT4_INLINE_DOTDOT_SIZE;
+ inline_size = EXT4_MIN_INLINE_DATA_SIZE - EXT4_INLINE_DOTDOT_SIZE;
+- ret = ext4_search_dir(iloc.bh, inline_start, inline_size,
++ ret = ext4_search_dir(is.iloc.bh, inline_start, inline_size,
+ dir, fname, 0, res_dir);
+ if (ret == 1)
+ goto out_find;
+@@ -1681,23 +1692,23 @@ struct buffer_head *ext4_find_inline_entry(struct inode *dir,
+ if (ext4_get_inline_size(dir) == EXT4_MIN_INLINE_DATA_SIZE)
+ goto out;
+
+- inline_start = ext4_get_inline_xattr_pos(dir, &iloc);
++ inline_start = ext4_get_inline_xattr_pos(dir, &is.iloc);
+ inline_size = ext4_get_inline_size(dir) - EXT4_MIN_INLINE_DATA_SIZE;
+
+- ret = ext4_search_dir(iloc.bh, inline_start, inline_size,
++ ret = ext4_search_dir(is.iloc.bh, inline_start, inline_size,
+ dir, fname, 0, res_dir);
+ if (ret == 1)
+ goto out_find;
+
+ out:
+- brelse(iloc.bh);
++ brelse(is.iloc.bh);
+ if (ret < 0)
+- iloc.bh = ERR_PTR(ret);
++ is.iloc.bh = ERR_PTR(ret);
+ else
+- iloc.bh = NULL;
++ is.iloc.bh = NULL;
+ out_find:
+ up_read(&EXT4_I(dir)->xattr_sem);
+- return iloc.bh;
++ return is.iloc.bh;
+ }
+
+ int ext4_delete_inline_entry(handle_t *handle,
+--
+2.43.0
+
--- /dev/null
+From 7e32b48398617cc0982b184edc2314e69d1ee3d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Aug 2024 16:55:10 +0800
+Subject: ext4: clear EXT4_GROUP_INFO_WAS_TRIMMED_BIT even mount with discard
+
+From: yangerkun <yangerkun@huawei.com>
+
+[ Upstream commit 20cee68f5b44fdc2942d20f3172a262ec247b117 ]
+
+Commit 3d56b8d2c74c ("ext4: Speed up FITRIM by recording flags in
+ext4_group_info") speed up fstrim by skipping trim trimmed group. We
+also has the chance to clear trimmed once there exists some block free
+for this group(mount without discard), and the next trim for this group
+will work well too.
+
+For mount with discard, we will issue dicard when we free blocks, so
+leave trimmed flag keep alive to skip useless trim trigger from
+userspace seems reasonable. But for some case like ext4 build on
+dm-thinpool(ext4 blocksize 4K, pool blocksize 128K), discard from ext4
+maybe unaligned for dm thinpool, and thinpool will just finish this
+discard(see process_discard_bio when begein equals to end) without
+actually process discard. For this case, trim from userspace can really
+help us to free some thinpool block.
+
+So convert to clear trimmed flag for all case no matter mounted with
+discard or not.
+
+Fixes: 3d56b8d2c74c ("ext4: Speed up FITRIM by recording flags in ext4_group_info")
+Signed-off-by: yangerkun <yangerkun@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://patch.msgid.link/20240817085510.2084444-1-yangerkun@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/mballoc.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
+index 75dbe40ed8f72..329b3cf105742 100644
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -2834,11 +2834,8 @@ static void ext4_free_data_in_buddy(struct super_block *sb,
+ /*
+ * Clear the trimmed flag for the group so that the next
+ * ext4_trim_fs can trim it.
+- * If the volume is mounted with -o discard, online discard
+- * is supported and the free blocks will be trimmed online.
+ */
+- if (!test_opt(sb, DISCARD))
+- EXT4_MB_GRP_CLEAR_TRIMMED(db);
++ EXT4_MB_GRP_CLEAR_TRIMMED(db);
+
+ if (!db->bb_free_root.rb_node) {
+ /* No more items in the per group rb tree
+@@ -4962,8 +4959,9 @@ void ext4_free_blocks(handle_t *handle, struct inode *inode,
+ " group:%d block:%d count:%lu failed"
+ " with %d", block_group, bit, count,
+ err);
+- } else
+- EXT4_MB_GRP_CLEAR_TRIMMED(e4b.bd_info);
++ }
++
++ EXT4_MB_GRP_CLEAR_TRIMMED(e4b.bd_info);
+
+ ext4_lock_group(sb, block_group);
+ mb_clear_bits(bitmap_bh->b_data, bit, count_clusters);
+--
+2.43.0
+
--- /dev/null
+From a6c70eefdd7e8ddd3c358e548e213666ce28f6c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2024 12:23:22 -0300
+Subject: ext4: return error on ext4_find_inline_entry
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+[ Upstream commit 4d231b91a944f3cab355fce65af5871fb5d7735b ]
+
+In case of errors when reading an inode from disk or traversing inline
+directory entries, return an error-encoded ERR_PTR instead of returning
+NULL. ext4_find_inline_entry only caller, __ext4_find_entry already returns
+such encoded errors.
+
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Link: https://patch.msgid.link/20240821152324.3621860-3-cascardo@igalia.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Stable-dep-of: c6b72f5d82b1 ("ext4: avoid OOB when system.data xattr changes underneath the filesystem")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/inline.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c
+index 71bb3cfc5933c..ee9f19709eda1 100644
+--- a/fs/ext4/inline.c
++++ b/fs/ext4/inline.c
+@@ -1658,8 +1658,9 @@ struct buffer_head *ext4_find_inline_entry(struct inode *dir,
+ void *inline_start;
+ int inline_size;
+
+- if (ext4_get_inode_loc(dir, &iloc))
+- return NULL;
++ ret = ext4_get_inode_loc(dir, &iloc);
++ if (ret)
++ return ERR_PTR(ret);
+
+ down_read(&EXT4_I(dir)->xattr_sem);
+ if (!ext4_has_inline_data(dir)) {
+@@ -1690,7 +1691,10 @@ struct buffer_head *ext4_find_inline_entry(struct inode *dir,
+
+ out:
+ brelse(iloc.bh);
+- iloc.bh = NULL;
++ if (ret < 0)
++ iloc.bh = ERR_PTR(ret);
++ else
++ iloc.bh = NULL;
+ out_find:
+ up_read(&EXT4_I(dir)->xattr_sem);
+ return iloc.bh;
+--
+2.43.0
+
--- /dev/null
+From 2edc3660c5239bc3419441521d5bf2f2023893e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Dec 2020 16:52:27 +0800
+Subject: f2fs: enhance to update i_mode and acl atomically in f2fs_setattr()
+
+From: Chao Yu <yuchao0@huawei.com>
+
+[ Upstream commit 17232e830afb800acdcc22ae8980bf9d330393ef ]
+
+Previously, in f2fs_setattr(), we don't update S_ISUID|S_ISGID|S_ISVTX
+bits with S_IRWXUGO bits and acl entries atomically, so in error path,
+chmod() may partially success, this patch enhances to make chmod() flow
+being atomical.
+
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Stable-dep-of: aaf8c0b9ae04 ("f2fs: reduce expensive checkpoint trigger frequency")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/acl.c | 23 ++++++++++++++++++++++-
+ fs/f2fs/file.c | 6 ++++--
+ fs/f2fs/xattr.c | 15 +++++++++------
+ 3 files changed, 35 insertions(+), 9 deletions(-)
+
+diff --git a/fs/f2fs/acl.c b/fs/f2fs/acl.c
+index b9fe937a3c701..cc53d4c80b0a9 100644
+--- a/fs/f2fs/acl.c
++++ b/fs/f2fs/acl.c
+@@ -200,6 +200,27 @@ struct posix_acl *f2fs_get_acl(struct inode *inode, int type)
+ return __f2fs_get_acl(inode, type, NULL);
+ }
+
++static int f2fs_acl_update_mode(struct inode *inode, umode_t *mode_p,
++ struct posix_acl **acl)
++{
++ umode_t mode = inode->i_mode;
++ int error;
++
++ if (is_inode_flag_set(inode, FI_ACL_MODE))
++ mode = F2FS_I(inode)->i_acl_mode;
++
++ error = posix_acl_equiv_mode(*acl, &mode);
++ if (error < 0)
++ return error;
++ if (error == 0)
++ *acl = NULL;
++ if (!in_group_p(inode->i_gid) &&
++ !capable_wrt_inode_uidgid(inode, CAP_FSETID))
++ mode &= ~S_ISGID;
++ *mode_p = mode;
++ return 0;
++}
++
+ static int __f2fs_set_acl(struct inode *inode, int type,
+ struct posix_acl *acl, struct page *ipage)
+ {
+@@ -213,7 +234,7 @@ static int __f2fs_set_acl(struct inode *inode, int type,
+ case ACL_TYPE_ACCESS:
+ name_index = F2FS_XATTR_INDEX_POSIX_ACL_ACCESS;
+ if (acl && !ipage) {
+- error = posix_acl_update_mode(inode, &mode, &acl);
++ error = f2fs_acl_update_mode(inode, &mode, &acl);
+ if (error)
+ return error;
+ set_acl_inode(inode, mode);
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index 043ce96ac1270..e44cb6bf68b9e 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -839,8 +839,10 @@ int f2fs_setattr(struct dentry *dentry, struct iattr *attr)
+
+ if (attr->ia_valid & ATTR_MODE) {
+ err = posix_acl_chmod(inode, f2fs_get_inode_mode(inode));
+- if (err || is_inode_flag_set(inode, FI_ACL_MODE)) {
+- inode->i_mode = F2FS_I(inode)->i_acl_mode;
++
++ if (is_inode_flag_set(inode, FI_ACL_MODE)) {
++ if (!err)
++ inode->i_mode = F2FS_I(inode)->i_acl_mode;
+ clear_inode_flag(inode, FI_ACL_MODE);
+ }
+ }
+diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c
+index db3e76b35607b..496a9e70cb091 100644
+--- a/fs/f2fs/xattr.c
++++ b/fs/f2fs/xattr.c
+@@ -651,7 +651,7 @@ static int __f2fs_setxattr(struct inode *inode, int index,
+ }
+
+ if (value && f2fs_xattr_value_same(here, value, size))
+- goto exit;
++ goto same;
+ } else if ((flags & XATTR_REPLACE)) {
+ error = -ENODATA;
+ goto exit;
+@@ -729,17 +729,20 @@ static int __f2fs_setxattr(struct inode *inode, int index,
+ if (error)
+ goto exit;
+
+- if (is_inode_flag_set(inode, FI_ACL_MODE)) {
+- inode->i_mode = F2FS_I(inode)->i_acl_mode;
+- inode->i_ctime = current_time(inode);
+- clear_inode_flag(inode, FI_ACL_MODE);
+- }
+ if (index == F2FS_XATTR_INDEX_ENCRYPTION &&
+ !strcmp(name, F2FS_XATTR_NAME_ENCRYPTION_CONTEXT))
+ f2fs_set_encrypted_inode(inode);
+ f2fs_mark_inode_dirty_sync(inode, true);
+ if (!error && S_ISDIR(inode->i_mode))
+ set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_CP);
++
++same:
++ if (is_inode_flag_set(inode, FI_ACL_MODE)) {
++ inode->i_mode = F2FS_I(inode)->i_acl_mode;
++ inode->i_ctime = current_time(inode);
++ clear_inode_flag(inode, FI_ACL_MODE);
++ }
++
+ exit:
+ kzfree(base_addr);
+ return error;
+--
+2.43.0
+
--- /dev/null
+From 6353a3196542f81f3b22a5f5d7430bd62c139f21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Jul 2023 21:50:45 +0800
+Subject: f2fs: fix to update i_ctime in __f2fs_setxattr()
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 8874ad7dae8d91d24cc87c545c0073b3b2da5688 ]
+
+generic/728 - output mismatch (see /media/fstests/results//generic/728.out.bad)
+ --- tests/generic/728.out 2023-07-19 07:10:48.362711407 +0000
+ +++ /media/fstests/results//generic/728.out.bad 2023-07-19 08:39:57.000000000 +0000
+ QA output created by 728
+ +Expected ctime to change after setxattr.
+ +Expected ctime to change after removexattr.
+ Silence is golden
+ ...
+ (Run 'diff -u /media/fstests/tests/generic/728.out /media/fstests/results//generic/728.out.bad' to see the entire diff)
+generic/729 1s
+
+It needs to update i_ctime after {set,remove}xattr, fix it.
+
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Stable-dep-of: aaf8c0b9ae04 ("f2fs: reduce expensive checkpoint trigger frequency")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/xattr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c
+index 496a9e70cb091..00af34ba8561e 100644
+--- a/fs/f2fs/xattr.c
++++ b/fs/f2fs/xattr.c
+@@ -732,17 +732,17 @@ static int __f2fs_setxattr(struct inode *inode, int index,
+ if (index == F2FS_XATTR_INDEX_ENCRYPTION &&
+ !strcmp(name, F2FS_XATTR_NAME_ENCRYPTION_CONTEXT))
+ f2fs_set_encrypted_inode(inode);
+- f2fs_mark_inode_dirty_sync(inode, true);
+ if (!error && S_ISDIR(inode->i_mode))
+ set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_CP);
+
+ same:
+ if (is_inode_flag_set(inode, FI_ACL_MODE)) {
+ inode->i_mode = F2FS_I(inode)->i_acl_mode;
+- inode->i_ctime = current_time(inode);
+ clear_inode_flag(inode, FI_ACL_MODE);
+ }
+
++ inode->i_ctime = current_time(inode);
++ f2fs_mark_inode_dirty_sync(inode, true);
+ exit:
+ kzfree(base_addr);
+ return error;
+--
+2.43.0
+
--- /dev/null
+From ea23338a3c5c164728da5f9247e1dbef73e43ab0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Sep 2022 11:07:49 +0900
+Subject: f2fs: fix typo
+
+From: Yonggil Song <yonggil.song@samsung.com>
+
+[ Upstream commit d382e36970ecf8242921400db2afde15fb6ed49e ]
+
+Fix typo in f2fs.h
+Detected by Jaeyoon Choi
+
+Signed-off-by: Yonggil Song <yonggil.song@samsung.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Stable-dep-of: aaf8c0b9ae04 ("f2fs: reduce expensive checkpoint trigger frequency")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/f2fs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
+index aacd8e11758ca..8126a82b4d26f 100644
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -213,7 +213,7 @@ enum {
+ ORPHAN_INO, /* for orphan ino list */
+ APPEND_INO, /* for append ino list */
+ UPDATE_INO, /* for update ino list */
+- TRANS_DIR_INO, /* for trasactions dir ino list */
++ TRANS_DIR_INO, /* for transactions dir ino list */
+ FLUSH_INO, /* for multiple device flushing */
+ MAX_INO_ENTRY, /* max. list */
+ };
+--
+2.43.0
+
--- /dev/null
+From 1cefadb933a98294bb570582cf48776b492c1df0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Jun 2024 09:47:27 +0800
+Subject: f2fs: reduce expensive checkpoint trigger frequency
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit aaf8c0b9ae042494cb4585883b15c1332de77840 ]
+
+We may trigger high frequent checkpoint for below case:
+1. mkdir /mnt/dir1; set dir1 encrypted
+2. touch /mnt/file1; fsync /mnt/file1
+3. mkdir /mnt/dir2; set dir2 encrypted
+4. touch /mnt/file2; fsync /mnt/file2
+...
+
+Although, newly created dir and file are not related, due to
+commit bbf156f7afa7 ("f2fs: fix lost xattrs of directories"), we will
+trigger checkpoint whenever fsync() comes after a new encrypted dir
+created.
+
+In order to avoid such performance regression issue, let's record an
+entry including directory's ino in global cache whenever we update
+directory's xattr data, and then triggerring checkpoint() only if
+xattr metadata of target file's parent was updated.
+
+This patch updates to cover below no encryption case as well:
+1) parent is checkpointed
+2) set_xattr(dir) w/ new xnid
+3) create(file)
+4) fsync(file)
+
+Fixes: bbf156f7afa7 ("f2fs: fix lost xattrs of directories")
+Reported-by: wangzijie <wangzijie1@honor.com>
+Reported-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
+Tested-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
+Reported-by: Yunlei He <heyunlei@hihonor.com>
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/f2fs.h | 2 ++
+ fs/f2fs/file.c | 3 +++
+ fs/f2fs/xattr.c | 14 ++++++++++++--
+ include/trace/events/f2fs.h | 3 ++-
+ 4 files changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
+index 8126a82b4d26f..f90aaa16bdee6 100644
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -214,6 +214,7 @@ enum {
+ APPEND_INO, /* for append ino list */
+ UPDATE_INO, /* for update ino list */
+ TRANS_DIR_INO, /* for transactions dir ino list */
++ XATTR_DIR_INO, /* for xattr updated dir ino list */
+ FLUSH_INO, /* for multiple device flushing */
+ MAX_INO_ENTRY, /* max. list */
+ };
+@@ -998,6 +999,7 @@ enum cp_reason_type {
+ CP_FASTBOOT_MODE,
+ CP_SPEC_LOG_NUM,
+ CP_RECOVER_DIR,
++ CP_XATTR_DIR,
+ };
+
+ enum iostat_type {
+diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
+index e44cb6bf68b9e..41eec5bfc7b31 100644
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -170,6 +170,9 @@ static inline enum cp_reason_type need_do_checkpoint(struct inode *inode)
+ f2fs_exist_written_data(sbi, F2FS_I(inode)->i_pino,
+ TRANS_DIR_INO))
+ cp_reason = CP_RECOVER_DIR;
++ else if (f2fs_exist_written_data(sbi, F2FS_I(inode)->i_pino,
++ XATTR_DIR_INO))
++ cp_reason = CP_XATTR_DIR;
+
+ return cp_reason;
+ }
+diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c
+index 5b8ce9c7a5dc2..0b9568480d8f5 100644
+--- a/fs/f2fs/xattr.c
++++ b/fs/f2fs/xattr.c
+@@ -607,6 +607,7 @@ static int __f2fs_setxattr(struct inode *inode, int index,
+ const char *name, const void *value, size_t size,
+ struct page *ipage, int flags)
+ {
++ struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
+ struct f2fs_xattr_entry *here, *last;
+ void *base_addr, *last_base_addr;
+ nid_t xnid = F2FS_I(inode)->i_xattr_nid;
+@@ -732,9 +733,18 @@ static int __f2fs_setxattr(struct inode *inode, int index,
+ if (index == F2FS_XATTR_INDEX_ENCRYPTION &&
+ !strcmp(name, F2FS_XATTR_NAME_ENCRYPTION_CONTEXT))
+ f2fs_set_encrypted_inode(inode);
+- if (S_ISDIR(inode->i_mode))
+- set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_CP);
+
++ if (!S_ISDIR(inode->i_mode))
++ goto same;
++ /*
++ * In restrict mode, fsync() always try to trigger checkpoint for all
++ * metadata consistency, in other mode, it triggers checkpoint when
++ * parent's xattr metadata was updated.
++ */
++ if (F2FS_OPTION(sbi).fsync_mode == FSYNC_MODE_STRICT)
++ set_sbi_flag(sbi, SBI_NEED_CP);
++ else
++ f2fs_add_ino_entry(sbi, inode->i_ino, XATTR_DIR_INO);
+ same:
+ if (is_inode_flag_set(inode, FI_ACL_MODE)) {
+ inode->i_mode = F2FS_I(inode)->i_acl_mode;
+diff --git a/include/trace/events/f2fs.h b/include/trace/events/f2fs.h
+index 098d6dff20bef..abffe3a3f39e1 100644
+--- a/include/trace/events/f2fs.h
++++ b/include/trace/events/f2fs.h
+@@ -148,7 +148,8 @@ TRACE_DEFINE_ENUM(CP_TRIMMED);
+ { CP_NODE_NEED_CP, "node needs cp" }, \
+ { CP_FASTBOOT_MODE, "fastboot mode" }, \
+ { CP_SPEC_LOG_NUM, "log type is 2" }, \
+- { CP_RECOVER_DIR, "dir needs recovery" })
++ { CP_RECOVER_DIR, "dir needs recovery" }, \
++ { CP_XATTR_DIR, "dir's xattr updated" })
+
+ struct victim_sel_policy;
+ struct f2fs_map_blocks;
+--
+2.43.0
+
--- /dev/null
+From 646abd7502ba81db27b0d9fb68b7c2a9e4d0b13a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Jul 2023 21:50:46 +0800
+Subject: f2fs: remove unneeded check condition in __f2fs_setxattr()
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit bc3994ffa4cf23f55171943c713366132c3ff45d ]
+
+It has checked return value of write_all_xattrs(), remove unneeded
+following check condition.
+
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Stable-dep-of: aaf8c0b9ae04 ("f2fs: reduce expensive checkpoint trigger frequency")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/xattr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/xattr.c b/fs/f2fs/xattr.c
+index 00af34ba8561e..5b8ce9c7a5dc2 100644
+--- a/fs/f2fs/xattr.c
++++ b/fs/f2fs/xattr.c
+@@ -732,7 +732,7 @@ static int __f2fs_setxattr(struct inode *inode, int index,
+ if (index == F2FS_XATTR_INDEX_ENCRYPTION &&
+ !strcmp(name, F2FS_XATTR_NAME_ENCRYPTION_CONTEXT))
+ f2fs_set_encrypted_inode(inode);
+- if (!error && S_ISDIR(inode->i_mode))
++ if (S_ISDIR(inode->i_mode))
+ set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_CP);
+
+ same:
+--
+2.43.0
+
--- /dev/null
+From 3e825844035d4ebe1476680b356ae6219503eb28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Aug 2024 22:34:39 +0200
+Subject: fbdev: hpfb: Fix an error handling path in hpfb_dio_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit aa578e897520f32ae12bec487f2474357d01ca9c ]
+
+If an error occurs after request_mem_region(), a corresponding
+release_mem_region() should be called, as already done in the remove
+function.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/hpfb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/video/fbdev/hpfb.c b/drivers/video/fbdev/hpfb.c
+index 9230db9ea94b7..47ec02a38f76c 100644
+--- a/drivers/video/fbdev/hpfb.c
++++ b/drivers/video/fbdev/hpfb.c
+@@ -343,6 +343,7 @@ static int hpfb_dio_probe(struct dio_dev *d, const struct dio_device_id *ent)
+ if (hpfb_init_one(paddr, vaddr)) {
+ if (d->scode >= DIOII_SCBASE)
+ iounmap((void *)vaddr);
++ release_mem_region(d->resource.start, resource_size(&d->resource));
+ return -ENOMEM;
+ }
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From f8eb35c78c412e388140db7224d5435aef5f5836 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Jul 2024 09:52:01 -0700
+Subject: hwmon: (max16065) Fix overflows seen when writing limits
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 744ec4477b11c42e2c8de9eb8364675ae7a0bd81 ]
+
+Writing large limits resulted in overflows as reported by module tests.
+
+in0_lcrit: Suspected overflow: [max=5538, read 0, written 2147483647]
+in0_crit: Suspected overflow: [max=5538, read 0, written 2147483647]
+in0_min: Suspected overflow: [max=5538, read 0, written 2147483647]
+
+Fix the problem by clamping prior to multiplications and the use of
+DIV_ROUND_CLOSEST, and by using consistent variable types.
+
+Reviewed-by: Tzung-Bi Shih <tzungbi@kernel.org>
+Fixes: f5bae2642e3d ("hwmon: Driver for MAX16065 System Manager and compatibles")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/max16065.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/max16065.c b/drivers/hwmon/max16065.c
+index 162401aaef71b..3015dd1a75141 100644
+--- a/drivers/hwmon/max16065.c
++++ b/drivers/hwmon/max16065.c
+@@ -117,9 +117,10 @@ static inline int LIMIT_TO_MV(int limit, int range)
+ return limit * range / 256;
+ }
+
+-static inline int MV_TO_LIMIT(int mv, int range)
++static inline int MV_TO_LIMIT(unsigned long mv, int range)
+ {
+- return clamp_val(DIV_ROUND_CLOSEST(mv * 256, range), 0, 255);
++ mv = clamp_val(mv, 0, ULONG_MAX / 256);
++ return DIV_ROUND_CLOSEST(clamp_val(mv * 256, 0, range * 255), range);
+ }
+
+ static inline int ADC_TO_CURR(int adc, int gain)
+--
+2.43.0
+
--- /dev/null
+From ce23a766c0693c275a498057c3c9ab8c7c1a569e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Aug 2024 08:30:21 +0000
+Subject: hwmon: (ntc_thermistor) fix module autoloading
+
+From: Yuntao Liu <liuyuntao12@huawei.com>
+
+[ Upstream commit b6964d66a07a9003868e428a956949e17ab44d7e ]
+
+Add MODULE_DEVICE_TABLE(), so modules could be properly autoloaded
+based on the alias from of_device_id table.
+
+Fixes: 9e8269de100d ("hwmon: (ntc_thermistor) Add DT with IIO support to NTC thermistor driver")
+Signed-off-by: Yuntao Liu <liuyuntao12@huawei.com>
+Message-ID: <20240815083021.756134-1-liuyuntao12@huawei.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/ntc_thermistor.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hwmon/ntc_thermistor.c b/drivers/hwmon/ntc_thermistor.c
+index c52d07c6b49f9..6e4c1453b8ab5 100644
+--- a/drivers/hwmon/ntc_thermistor.c
++++ b/drivers/hwmon/ntc_thermistor.c
+@@ -57,6 +57,7 @@ static const struct platform_device_id ntc_thermistor_id[] = {
+ { "ncp15xh103", TYPE_NCPXXXH103 },
+ { },
+ };
++MODULE_DEVICE_TABLE(platform, ntc_thermistor_id);
+
+ /*
+ * A compensation table should be sorted by the values of .ohm
+--
+2.43.0
+
--- /dev/null
+From c5946fa9aed6ba14fc41a031762f8a6ae7694216 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Sep 2024 11:02:11 +0200
+Subject: ipmi: docs: don't advertise deprecated sysfs entries
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 64dce81f8c373c681e62d5ffe0397c45a35d48a2 ]
+
+"i2c-adapter" class entries are deprecated since 2009. Switch to the
+proper location.
+
+Reported-by: Heiner Kallweit <hkallweit1@gmail.com>
+Closes: https://lore.kernel.org/r/80c4a898-5867-4162-ac85-bdf7c7c68746@gmail.com
+Fixes: 259307074bfc ("ipmi: Add SMBus interface driver (SSIF)")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Message-Id: <20240901090211.3797-2-wsa+renesas@sang-engineering.com>
+Signed-off-by: Corey Minyard <corey@minyard.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/IPMI.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Documentation/IPMI.txt b/Documentation/IPMI.txt
+index 5ef1047e2e663..f3c6530d9f354 100644
+--- a/Documentation/IPMI.txt
++++ b/Documentation/IPMI.txt
+@@ -518,7 +518,7 @@ at module load time (for a module) with::
+ [dbg_probe=1]
+
+ The addresses are normal I2C addresses. The adapter is the string
+-name of the adapter, as shown in /sys/class/i2c-adapter/i2c-<n>/name.
++name of the adapter, as shown in /sys/bus/i2c/devices/i2c-<n>/name.
+ It is *NOT* i2c-<n> itself. Also, the comparison is done ignoring
+ spaces, so if the name is "This is an I2C chip" you can say
+ adapter_name=ThisisanI2cchip. This is because it's hard to pass in
+--
+2.43.0
+
--- /dev/null
+From 3d58e20a0e9e43d07ab40ec6e09d8ab268e636c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Oct 2020 21:48:38 -0300
+Subject: jbd2: introduce/export functions
+ jbd2_journal_submit|finish_inode_data_buffers()
+
+From: Mauricio Faria de Oliveira <mfo@canonical.com>
+
+[ Upstream commit aa3c0c61f62d682259e3e66cdc01846290f9cd6c ]
+
+Export functions that implement the current behavior done
+for an inode in journal_submit|finish_inode_data_buffers().
+
+No functional change.
+
+Signed-off-by: Mauricio Faria de Oliveira <mfo@canonical.com>
+Suggested-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+Link: https://lore.kernel.org/r/20201006004841.600488-2-mfo@canonical.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Stable-dep-of: 20cee68f5b44 ("ext4: clear EXT4_GROUP_INFO_WAS_TRIMMED_BIT even mount with discard")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jbd2/commit.c | 36 ++++++++++++++++--------------------
+ fs/jbd2/journal.c | 2 ++
+ include/linux/jbd2.h | 4 ++++
+ 3 files changed, 22 insertions(+), 20 deletions(-)
+
+diff --git a/fs/jbd2/commit.c b/fs/jbd2/commit.c
+index 97760cb9bcd75..0250a6e1f91c9 100644
+--- a/fs/jbd2/commit.c
++++ b/fs/jbd2/commit.c
+@@ -187,19 +187,17 @@ static int journal_wait_on_commit_record(journal_t *journal,
+ * use writepages() because with dealyed allocation we may be doing
+ * block allocation in writepages().
+ */
+-static int journal_submit_inode_data_buffers(struct address_space *mapping,
+- loff_t dirty_start, loff_t dirty_end)
++int jbd2_journal_submit_inode_data_buffers(struct jbd2_inode *jinode)
+ {
+- int ret;
++ struct address_space *mapping = jinode->i_vfs_inode->i_mapping;
+ struct writeback_control wbc = {
+ .sync_mode = WB_SYNC_ALL,
+ .nr_to_write = mapping->nrpages * 2,
+- .range_start = dirty_start,
+- .range_end = dirty_end,
++ .range_start = jinode->i_dirty_start,
++ .range_end = jinode->i_dirty_end,
+ };
+
+- ret = generic_writepages(mapping, &wbc);
+- return ret;
++ return generic_writepages(mapping, &wbc);
+ }
+
+ /*
+@@ -215,16 +213,11 @@ static int journal_submit_data_buffers(journal_t *journal,
+ {
+ struct jbd2_inode *jinode;
+ int err, ret = 0;
+- struct address_space *mapping;
+
+ spin_lock(&journal->j_list_lock);
+ list_for_each_entry(jinode, &commit_transaction->t_inode_list, i_list) {
+- loff_t dirty_start = jinode->i_dirty_start;
+- loff_t dirty_end = jinode->i_dirty_end;
+-
+ if (!(jinode->i_flags & JI_WRITE_DATA))
+ continue;
+- mapping = jinode->i_vfs_inode->i_mapping;
+ jinode->i_flags |= JI_COMMIT_RUNNING;
+ spin_unlock(&journal->j_list_lock);
+ /*
+@@ -234,8 +227,7 @@ static int journal_submit_data_buffers(journal_t *journal,
+ * only allocated blocks here.
+ */
+ trace_jbd2_submit_inode_data(jinode->i_vfs_inode);
+- err = journal_submit_inode_data_buffers(mapping, dirty_start,
+- dirty_end);
++ err = jbd2_journal_submit_inode_data_buffers(jinode);
+ if (!ret)
+ ret = err;
+ spin_lock(&journal->j_list_lock);
+@@ -248,6 +240,15 @@ static int journal_submit_data_buffers(journal_t *journal,
+ return ret;
+ }
+
++int jbd2_journal_finish_inode_data_buffers(struct jbd2_inode *jinode)
++{
++ struct address_space *mapping = jinode->i_vfs_inode->i_mapping;
++
++ return filemap_fdatawait_range_keep_errors(mapping,
++ jinode->i_dirty_start,
++ jinode->i_dirty_end);
++}
++
+ /*
+ * Wait for data submitted for writeout, refile inodes to proper
+ * transaction if needed.
+@@ -262,16 +263,11 @@ static int journal_finish_inode_data_buffers(journal_t *journal,
+ /* For locking, see the comment in journal_submit_data_buffers() */
+ spin_lock(&journal->j_list_lock);
+ list_for_each_entry(jinode, &commit_transaction->t_inode_list, i_list) {
+- loff_t dirty_start = jinode->i_dirty_start;
+- loff_t dirty_end = jinode->i_dirty_end;
+-
+ if (!(jinode->i_flags & JI_WAIT_DATA))
+ continue;
+ jinode->i_flags |= JI_COMMIT_RUNNING;
+ spin_unlock(&journal->j_list_lock);
+- err = filemap_fdatawait_range_keep_errors(
+- jinode->i_vfs_inode->i_mapping, dirty_start,
+- dirty_end);
++ err = jbd2_journal_finish_inode_data_buffers(jinode);
+ if (!ret)
+ ret = err;
+ spin_lock(&journal->j_list_lock);
+diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
+index 08cff80f8c297..79eceebbf3df8 100644
+--- a/fs/jbd2/journal.c
++++ b/fs/jbd2/journal.c
+@@ -96,6 +96,8 @@ EXPORT_SYMBOL(jbd2_journal_inode_add_write);
+ EXPORT_SYMBOL(jbd2_journal_inode_add_wait);
+ EXPORT_SYMBOL(jbd2_journal_inode_ranged_write);
+ EXPORT_SYMBOL(jbd2_journal_inode_ranged_wait);
++EXPORT_SYMBOL(jbd2_journal_submit_inode_data_buffers);
++EXPORT_SYMBOL(jbd2_journal_finish_inode_data_buffers);
+ EXPORT_SYMBOL(jbd2_journal_init_jbd_inode);
+ EXPORT_SYMBOL(jbd2_journal_release_jbd_inode);
+ EXPORT_SYMBOL(jbd2_journal_begin_ordered_truncate);
+diff --git a/include/linux/jbd2.h b/include/linux/jbd2.h
+index 268f3000d1b34..1d81afb54928e 100644
+--- a/include/linux/jbd2.h
++++ b/include/linux/jbd2.h
+@@ -1421,6 +1421,10 @@ extern int jbd2_journal_inode_ranged_write(handle_t *handle,
+ extern int jbd2_journal_inode_ranged_wait(handle_t *handle,
+ struct jbd2_inode *inode, loff_t start_byte,
+ loff_t length);
++extern int jbd2_journal_submit_inode_data_buffers(
++ struct jbd2_inode *jinode);
++extern int jbd2_journal_finish_inode_data_buffers(
++ struct jbd2_inode *jinode);
+ extern int jbd2_journal_begin_ordered_truncate(journal_t *journal,
+ struct jbd2_inode *inode, loff_t new_size);
+ extern void jbd2_journal_init_jbd_inode(struct jbd2_inode *jinode, struct inode *inode);
+--
+2.43.0
+
--- /dev/null
+From 9b72d142660e591f3add42b02e9b4c8fad28de37 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Aug 2024 13:05:46 +0900
+Subject: jfs: fix out-of-bounds in dbNextAG() and diAlloc()
+
+From: Jeongjun Park <aha310510@gmail.com>
+
+[ Upstream commit e63866a475562810500ea7f784099bfe341e761a ]
+
+In dbNextAG() , there is no check for the case where bmp->db_numag is
+greater or same than MAXAG due to a polluted image, which causes an
+out-of-bounds. Therefore, a bounds check should be added in dbMount().
+
+And in dbNextAG(), a check for the case where agpref is greater than
+bmp->db_numag should be added, so an out-of-bounds exception should be
+prevented.
+
+Additionally, a check for the case where agno is greater or same than
+MAXAG should be added in diAlloc() to prevent out-of-bounds.
+
+Reported-by: Jeongjun Park <aha310510@gmail.com>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jeongjun Park <aha310510@gmail.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_dmap.c | 4 ++--
+ fs/jfs/jfs_imap.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
+index 893bc59658dad..1128bcdf5024a 100644
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -200,7 +200,7 @@ int dbMount(struct inode *ipbmap)
+ }
+
+ bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag);
+- if (!bmp->db_numag) {
++ if (!bmp->db_numag || bmp->db_numag >= MAXAG) {
+ err = -EINVAL;
+ goto err_release_metapage;
+ }
+@@ -665,7 +665,7 @@ int dbNextAG(struct inode *ipbmap)
+ * average free space.
+ */
+ for (i = 0 ; i < bmp->db_numag; i++, agpref++) {
+- if (agpref == bmp->db_numag)
++ if (agpref >= bmp->db_numag)
+ agpref = 0;
+
+ if (atomic_read(&bmp->db_active[agpref]))
+diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
+index 9893cb6b8a756..1e9a3ec4bfa84 100644
+--- a/fs/jfs/jfs_imap.c
++++ b/fs/jfs/jfs_imap.c
+@@ -1375,7 +1375,7 @@ int diAlloc(struct inode *pip, bool dir, struct inode *ip)
+ /* get the ag number of this iag */
+ agno = BLKTOAG(JFS_IP(pip)->agstart, JFS_SBI(pip->i_sb));
+ dn_numag = JFS_SBI(pip->i_sb)->bmap->db_numag;
+- if (agno < 0 || agno > dn_numag)
++ if (agno < 0 || agno > dn_numag || agno >= MAXAG)
+ return -EIO;
+
+ if (atomic_read(&JFS_SBI(pip->i_sb)->bmap->db_active[agno])) {
+--
+2.43.0
+
--- /dev/null
+From 4d2d748f6b5ab944ccf205fdce8a9f101958ce85 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Dec 2020 19:03:14 -0800
+Subject: kthread: add kthread_work tracepoints
+
+From: Rob Clark <robdclark@chromium.org>
+
+[ Upstream commit f630c7c6f10546ebff15c3a856e7949feb7a2372 ]
+
+While migrating some code from wq to kthread_worker, I found that I missed
+the execute_start/end tracepoints. So add similar tracepoints for
+kthread_work. And for completeness, queue_work tracepoint (although this
+one differs slightly from the matching workqueue tracepoint).
+
+Link: https://lkml.kernel.org/r/20201010180323.126634-1-robdclark@gmail.com
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Cc: Rob Clark <robdclark@chromium.org>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: "Peter Zijlstra (Intel)" <peterz@infradead.org>
+Cc: Phil Auld <pauld@redhat.com>
+Cc: Valentin Schneider <valentin.schneider@arm.com>
+Cc: Thara Gopinath <thara.gopinath@linaro.org>
+Cc: Randy Dunlap <rdunlap@infradead.org>
+Cc: Vincent Donnefort <vincent.donnefort@arm.com>
+Cc: Mel Gorman <mgorman@techsingularity.net>
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: Marcelo Tosatti <mtosatti@redhat.com>
+Cc: Frederic Weisbecker <frederic@kernel.org>
+Cc: Ilias Stamatis <stamatis.iliass@gmail.com>
+Cc: Liang Chen <cl@rock-chips.com>
+Cc: Ben Dooks <ben.dooks@codethink.co.uk>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: "J. Bruce Fields" <bfields@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Stable-dep-of: e16c7b07784f ("kthread: fix task state in kthread worker if being frozen")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/trace/events/sched.h | 84 ++++++++++++++++++++++++++++++++++++
+ kernel/kthread.c | 9 ++++
+ 2 files changed, 93 insertions(+)
+
+diff --git a/include/trace/events/sched.h b/include/trace/events/sched.h
+index 9a4bdfadab077..a4eb7bc6fcf5b 100644
+--- a/include/trace/events/sched.h
++++ b/include/trace/events/sched.h
+@@ -5,6 +5,7 @@
+ #if !defined(_TRACE_SCHED_H) || defined(TRACE_HEADER_MULTI_READ)
+ #define _TRACE_SCHED_H
+
++#include <linux/kthread.h>
+ #include <linux/sched/numa_balancing.h>
+ #include <linux/tracepoint.h>
+ #include <linux/binfmts.h>
+@@ -51,6 +52,89 @@ TRACE_EVENT(sched_kthread_stop_ret,
+ TP_printk("ret=%d", __entry->ret)
+ );
+
++/**
++ * sched_kthread_work_queue_work - called when a work gets queued
++ * @worker: pointer to the kthread_worker
++ * @work: pointer to struct kthread_work
++ *
++ * This event occurs when a work is queued immediately or once a
++ * delayed work is actually queued (ie: once the delay has been
++ * reached).
++ */
++TRACE_EVENT(sched_kthread_work_queue_work,
++
++ TP_PROTO(struct kthread_worker *worker,
++ struct kthread_work *work),
++
++ TP_ARGS(worker, work),
++
++ TP_STRUCT__entry(
++ __field( void *, work )
++ __field( void *, function)
++ __field( void *, worker)
++ ),
++
++ TP_fast_assign(
++ __entry->work = work;
++ __entry->function = work->func;
++ __entry->worker = worker;
++ ),
++
++ TP_printk("work struct=%p function=%ps worker=%p",
++ __entry->work, __entry->function, __entry->worker)
++);
++
++/**
++ * sched_kthread_work_execute_start - called immediately before the work callback
++ * @work: pointer to struct kthread_work
++ *
++ * Allows to track kthread work execution.
++ */
++TRACE_EVENT(sched_kthread_work_execute_start,
++
++ TP_PROTO(struct kthread_work *work),
++
++ TP_ARGS(work),
++
++ TP_STRUCT__entry(
++ __field( void *, work )
++ __field( void *, function)
++ ),
++
++ TP_fast_assign(
++ __entry->work = work;
++ __entry->function = work->func;
++ ),
++
++ TP_printk("work struct %p: function %ps", __entry->work, __entry->function)
++);
++
++/**
++ * sched_kthread_work_execute_end - called immediately after the work callback
++ * @work: pointer to struct work_struct
++ * @function: pointer to worker function
++ *
++ * Allows to track workqueue execution.
++ */
++TRACE_EVENT(sched_kthread_work_execute_end,
++
++ TP_PROTO(struct kthread_work *work, kthread_work_func_t function),
++
++ TP_ARGS(work, function),
++
++ TP_STRUCT__entry(
++ __field( void *, work )
++ __field( void *, function)
++ ),
++
++ TP_fast_assign(
++ __entry->work = work;
++ __entry->function = function;
++ ),
++
++ TP_printk("work struct %p: function %ps", __entry->work, __entry->function)
++);
++
+ /*
+ * Tracepoint for waking up a task:
+ */
+diff --git a/kernel/kthread.c b/kernel/kthread.c
+index 9750f4f7f9010..f69aa5da3b53e 100644
+--- a/kernel/kthread.c
++++ b/kernel/kthread.c
+@@ -696,8 +696,15 @@ int kthread_worker_fn(void *worker_ptr)
+ spin_unlock_irq(&worker->lock);
+
+ if (work) {
++ kthread_work_func_t func = work->func;
+ __set_current_state(TASK_RUNNING);
++ trace_sched_kthread_work_execute_start(work);
+ work->func(work);
++ /*
++ * Avoid dereferencing work after this point. The trace
++ * event only cares about the address.
++ */
++ trace_sched_kthread_work_execute_end(work, func);
+ } else if (!freezing(current))
+ schedule();
+
+@@ -826,6 +833,8 @@ static void kthread_insert_work(struct kthread_worker *worker,
+ {
+ kthread_insert_work_sanity_check(worker, work);
+
++ trace_sched_kthread_work_queue_work(worker, work);
++
+ list_add_tail(&work->node, pos);
+ work->worker = worker;
+ if (!worker->current_work && likely(worker->task))
+--
+2.43.0
+
--- /dev/null
+From 8a40a05a8a654efde7bc40a96a3dcf169a20b136 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Aug 2024 19:23:08 +0800
+Subject: kthread: fix task state in kthread worker if being frozen
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chen Yu <yu.c.chen@intel.com>
+
+[ Upstream commit e16c7b07784f3fb03025939c4590b9a7c64970a7 ]
+
+When analyzing a kernel waring message, Peter pointed out that there is a
+race condition when the kworker is being frozen and falls into
+try_to_freeze() with TASK_INTERRUPTIBLE, which could trigger a
+might_sleep() warning in try_to_freeze(). Although the root cause is not
+related to freeze()[1], it is still worthy to fix this issue ahead.
+
+One possible race scenario:
+
+ CPU 0 CPU 1
+ ----- -----
+
+ // kthread_worker_fn
+ set_current_state(TASK_INTERRUPTIBLE);
+ suspend_freeze_processes()
+ freeze_processes
+ static_branch_inc(&freezer_active);
+ freeze_kernel_threads
+ pm_nosig_freezing = true;
+ if (work) { //false
+ __set_current_state(TASK_RUNNING);
+
+ } else if (!freezing(current)) //false, been frozen
+
+ freezing():
+ if (static_branch_unlikely(&freezer_active))
+ if (pm_nosig_freezing)
+ return true;
+ schedule()
+ }
+
+ // state is still TASK_INTERRUPTIBLE
+ try_to_freeze()
+ might_sleep() <--- warning
+
+Fix this by explicitly set the TASK_RUNNING before entering
+try_to_freeze().
+
+Link: https://lore.kernel.org/lkml/Zs2ZoAcUsZMX2B%2FI@chenyu5-mobl2/ [1]
+Link: https://lkml.kernel.org/r/20240827112308.181081-1-yu.c.chen@intel.com
+Fixes: b56c0d8937e6 ("kthread: implement kthread_worker")
+Signed-off-by: Chen Yu <yu.c.chen@intel.com>
+Suggested-by: Peter Zijlstra <peterz@infradead.org>
+Suggested-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Andreas Gruenbacher <agruenba@redhat.com>
+Cc: David Gow <davidgow@google.com>
+Cc: Mateusz Guzik <mjguzik@gmail.com>
+Cc: Mickaël Salaün <mic@digikod.net>
+Cc: Tejun Heo <tj@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/kthread.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/kthread.c b/kernel/kthread.c
+index f69aa5da3b53e..9c562b3b362ae 100644
+--- a/kernel/kthread.c
++++ b/kernel/kthread.c
+@@ -705,8 +705,16 @@ int kthread_worker_fn(void *worker_ptr)
+ * event only cares about the address.
+ */
+ trace_sched_kthread_work_execute_end(work, func);
+- } else if (!freezing(current))
++ } else if (!freezing(current)) {
+ schedule();
++ } else {
++ /*
++ * Handle the case where the current remains
++ * TASK_INTERRUPTIBLE. try_to_freeze() expects
++ * the current to be TASK_RUNNING.
++ */
++ __set_current_state(TASK_RUNNING);
++ }
+
+ try_to_freeze();
+ cond_resched();
+--
+2.43.0
+
--- /dev/null
+From 67040aee5f7d6230e3d41bce54fa185fc6918a57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 26 Jul 2024 15:09:07 -0700
+Subject: minmax: avoid overly complex min()/max() macro arguments in xen
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+[ Upstream commit e8432ac802a028eaee6b1e86383d7cd8e9fb8431 ]
+
+We have some very fancy min/max macros that have tons of sanity checking
+to warn about mixed signedness etc.
+
+This is all things that a sane compiler should warn about, but there are
+no sane compiler interfaces for this, and '-Wsign-compare' is broken [1]
+and not useful.
+
+So then we compensate (some would say over-compensate) by doing the
+checks manually with some truly horrid macro games.
+
+And no, we can't just use __builtin_types_compatible_p(), because the
+whole question of "does it make sense to compare these two values" is a
+lot more complicated than that.
+
+For example, it makes a ton of sense to compare unsigned values with
+simple constants like "5", even if that is indeed a signed type. So we
+have these very strange macros to try to make sensible type checking
+decisions on the arguments to 'min()' and 'max()'.
+
+But that can cause enormous code expansion if the min()/max() macros are
+used with complicated expressions, and particularly if you nest these
+things so that you get the first big expansion then expanded again.
+
+The xen setup.c file ended up ballooning to over 50MB of preprocessed
+noise that takes 15s to compile (obviously depending on the build host),
+largely due to one single line.
+
+So let's split that one single line to just be simpler. I think it ends
+up being more legible to humans too at the same time. Now that single
+file compiles in under a second.
+
+Reported-and-reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Link: https://lore.kernel.org/all/c83c17bb-be75-4c67-979d-54eee38774c6@lucifer.local/
+Link: https://staticthinking.wordpress.com/2023/07/25/wsign-compare-is-garbage/ [1]
+Cc: David Laight <David.Laight@aculab.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Stable-dep-of: be35d91c8880 ("xen: tolerate ACPI NVS memory overlapping with Xen allocated memory")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/xen/setup.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c
+index 69fd1134b7fcf..ad69e5796cd0c 100644
+--- a/arch/x86/xen/setup.c
++++ b/arch/x86/xen/setup.c
+@@ -737,6 +737,7 @@ char * __init xen_memory_setup(void)
+ struct xen_memory_map memmap;
+ unsigned long max_pages;
+ unsigned long extra_pages = 0;
++ unsigned long maxmem_pages;
+ int i;
+ int op;
+
+@@ -802,8 +803,8 @@ char * __init xen_memory_setup(void)
+ * the initial memory is also very large with respect to
+ * lowmem, but we won't try to deal with that here.
+ */
+- extra_pages = min3(EXTRA_MEM_RATIO * min(max_pfn, PFN_DOWN(MAXMEM)),
+- extra_pages, max_pages - max_pfn);
++ maxmem_pages = EXTRA_MEM_RATIO * min(max_pfn, PFN_DOWN(MAXMEM));
++ extra_pages = min3(maxmem_pages, extra_pages, max_pages - max_pfn);
+ i = 0;
+ addr = xen_e820_table.entries[0].addr;
+ size = xen_e820_table.entries[0].size;
+--
+2.43.0
+
--- /dev/null
+From 1010ea86092ac587fbb3c0526eb6844f51365440 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Jul 2022 17:16:19 +0800
+Subject: mm: Add PAGE_ALIGN_DOWN macro
+
+From: David Gow <davidgow@google.com>
+
+[ Upstream commit 335e52c28cf9954d65b819cb68912fd32de3c844 ]
+
+This is just the same as PAGE_ALIGN(), but rounds the address down, not
+up.
+
+Suggested-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: David Gow <davidgow@google.com>
+Acked-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Stable-dep-of: be35d91c8880 ("xen: tolerate ACPI NVS memory overlapping with Xen allocated memory")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/mm.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/include/linux/mm.h b/include/linux/mm.h
+index 26a5fba226644..e76bbe77e0f7d 100644
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -143,6 +143,9 @@ extern int overcommit_kbytes_handler(struct ctl_table *, int, void __user *,
+ /* to align the pointer to the (next) page boundary */
+ #define PAGE_ALIGN(addr) ALIGN(addr, PAGE_SIZE)
+
++/* to align the pointer to the (prev) page boundary */
++#define PAGE_ALIGN_DOWN(addr) ALIGN_DOWN(addr, PAGE_SIZE)
++
+ /* test whether an address (unsigned long or pointer) is aligned to PAGE_SIZE */
+ #define PAGE_ALIGNED(addr) IS_ALIGNED((unsigned long)(addr), PAGE_SIZE)
+
+--
+2.43.0
+
--- /dev/null
+From 6ae91f4f27160691d01b2bda3173e64343ba47a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Jul 2024 01:43:20 +0200
+Subject: mtd: slram: insert break after errors in parsing the map
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mirsad Todorovac <mtodorovac69@gmail.com>
+
+[ Upstream commit 336c218dd7f0588ed8a7345f367975a00a4f003f ]
+
+GCC 12.3.0 compiler on linux-next next-20240709 tree found the execution
+path in which, due to lazy evaluation, devlength isn't initialised with the
+parsed string:
+
+ 289 while (map) {
+ 290 devname = devstart = devlength = NULL;
+ 291
+ 292 if (!(devname = strsep(&map, ","))) {
+ 293 E("slram: No devicename specified.\n");
+ 294 break;
+ 295 }
+ 296 T("slram: devname = %s\n", devname);
+ 297 if ((!map) || (!(devstart = strsep(&map, ",")))) {
+ 298 E("slram: No devicestart specified.\n");
+ 299 }
+ 300 T("slram: devstart = %s\n", devstart);
+ → 301 if ((!map) || (!(devlength = strsep(&map, ",")))) {
+ 302 E("slram: No devicelength / -end specified.\n");
+ 303 }
+ → 304 T("slram: devlength = %s\n", devlength);
+ 305 if (parse_cmdline(devname, devstart, devlength) != 0) {
+ 306 return(-EINVAL);
+ 307 }
+
+Parsing should be finished after map == NULL, so a break is best inserted after
+each E("slram: ... \n") error message.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: Miquel Raynal <miquel.raynal@bootlin.com>
+Cc: Richard Weinberger <richard@nod.at>
+Cc: Vignesh Raghavendra <vigneshr@ti.com>
+Cc: linux-mtd@lists.infradead.org
+Signed-off-by: Mirsad Todorovac <mtodorovac69@gmail.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20240711234319.637824-1-mtodorovac69@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/devices/slram.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/mtd/devices/slram.c b/drivers/mtd/devices/slram.c
+index 10183ee4e12b2..aa4f73aef3626 100644
+--- a/drivers/mtd/devices/slram.c
++++ b/drivers/mtd/devices/slram.c
+@@ -295,10 +295,12 @@ static int __init init_slram(void)
+ T("slram: devname = %s\n", devname);
+ if ((!map) || (!(devstart = strsep(&map, ",")))) {
+ E("slram: No devicestart specified.\n");
++ break;
+ }
+ T("slram: devstart = %s\n", devstart);
+ if ((!map) || (!(devlength = strsep(&map, ",")))) {
+ E("slram: No devicelength / -end specified.\n");
++ break;
+ }
+ T("slram: devlength = %s\n", devlength);
+ if (parse_cmdline(devname, devstart, devlength) != 0) {
+--
+2.43.0
+
--- /dev/null
+From 001a4b0b071c3b92241465abedf6084f6d2b361d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Sep 2024 19:08:58 +0200
+Subject: net: qrtr: Update packets cloning when broadcasting
+
+From: Youssef Samir <quic_yabdulra@quicinc.com>
+
+[ Upstream commit f011b313e8ebd5b7abd8521b5119aecef403de45 ]
+
+When broadcasting data to multiple nodes via MHI, using skb_clone()
+causes all nodes to receive the same header data. This can result in
+packets being discarded by endpoints, leading to lost data.
+
+This issue occurs when a socket is closed, and a QRTR_TYPE_DEL_CLIENT
+packet is broadcasted. All nodes receive the same destination node ID,
+causing the node connected to the client to discard the packet and
+remain unaware of the client's deletion.
+
+Replace skb_clone() with pskb_copy(), to create a separate copy of
+the header for each sk_buff.
+
+Fixes: bdabad3e363d ("net: Add Qualcomm IPC router")
+Signed-off-by: Youssef Samir <quic_yabdulra@quicinc.com>
+Reviewed-by: Jeffery Hugo <quic_jhugo@quicinc.com>
+Reviewed-by: Carl Vanderlip <quic_carlv@quicinc.com>
+Reviewed-by: Chris Lew <quic_clew@quicinc.com>
+Link: https://patch.msgid.link/20240916170858.2382247-1-quic_yabdulra@quicinc.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/qrtr/qrtr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c
+index 128d0a48478d1..890a8fe51a9af 100644
+--- a/net/qrtr/qrtr.c
++++ b/net/qrtr/qrtr.c
+@@ -718,7 +718,7 @@ static int qrtr_bcast_enqueue(struct qrtr_node *node, struct sk_buff *skb,
+
+ mutex_lock(&qrtr_node_lock);
+ list_for_each_entry(node, &qrtr_all_nodes, item) {
+- skbn = skb_clone(skb, GFP_KERNEL);
++ skbn = pskb_copy(skb, GFP_KERNEL);
+ if (!skbn)
+ break;
+ skb_set_owner_w(skbn, skb->sk);
+--
+2.43.0
+
--- /dev/null
+From baa628a28327e0a8dbc4898cc2af0e60e5ebeef2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Sep 2024 22:40:46 +0800
+Subject: net: seeq: Fix use after free vulnerability in ether3 Driver Due to
+ Race Condition
+
+From: Kaixin Wang <kxwang23@m.fudan.edu.cn>
+
+[ Upstream commit b5109b60ee4fcb2f2bb24f589575e10cc5283ad4 ]
+
+In the ether3_probe function, a timer is initialized with a callback
+function ether3_ledoff, bound to &prev(dev)->timer. Once the timer is
+started, there is a risk of a race condition if the module or device
+is removed, triggering the ether3_remove function to perform cleanup.
+The sequence of operations that may lead to a UAF bug is as follows:
+
+CPU0 CPU1
+
+ | ether3_ledoff
+ether3_remove |
+ free_netdev(dev); |
+ put_devic |
+ kfree(dev); |
+ | ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2);
+ | // use dev
+
+Fix it by ensuring that the timer is canceled before proceeding with
+the cleanup in ether3_remove.
+
+Fixes: 6fd9c53f7186 ("net: seeq: Convert timers to use timer_setup()")
+Signed-off-by: Kaixin Wang <kxwang23@m.fudan.edu.cn>
+Link: https://patch.msgid.link/20240915144045.451-1-kxwang23@m.fudan.edu.cn
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/seeq/ether3.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/seeq/ether3.c b/drivers/net/ethernet/seeq/ether3.c
+index d1bb73bf99148..a612ca6418883 100644
+--- a/drivers/net/ethernet/seeq/ether3.c
++++ b/drivers/net/ethernet/seeq/ether3.c
+@@ -851,9 +851,11 @@ static void ether3_remove(struct expansion_card *ec)
+ {
+ struct net_device *dev = ecard_get_drvdata(ec);
+
++ ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2);
+ ecard_set_drvdata(ec, NULL);
+
+ unregister_netdev(dev);
++ del_timer_sync(&priv(dev)->timer);
+ free_netdev(dev);
+ ecard_release_resources(ec);
+ }
+--
+2.43.0
+
--- /dev/null
+From 87e1a2b142596a6e6ad4c8ae9673e4d287b0d333 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Sep 2024 16:14:41 +0100
+Subject: netfilter: ctnetlink: compile ctnetlink_label_size with
+ CONFIG_NF_CONNTRACK_EVENTS
+
+From: Simon Horman <horms@kernel.org>
+
+[ Upstream commit e1f1ee0e9ad8cbe660f5c104e791c5f1a7cf4c31 ]
+
+Only provide ctnetlink_label_size when it is used,
+which is when CONFIG_NF_CONNTRACK_EVENTS is configured.
+
+Flagged by clang-18 W=1 builds as:
+
+.../nf_conntrack_netlink.c:385:19: warning: unused function 'ctnetlink_label_size' [-Wunused-function]
+ 385 | static inline int ctnetlink_label_size(const struct nf_conn *ct)
+ | ^~~~~~~~~~~~~~~~~~~~
+
+The condition on CONFIG_NF_CONNTRACK_LABELS being removed by
+this patch guards compilation of non-trivial implementations
+of ctnetlink_dump_labels() and ctnetlink_label_size().
+
+However, this is not necessary as each of these functions
+will always return 0 if CONFIG_NF_CONNTRACK_LABELS is not defined
+as each function starts with the equivalent of:
+
+ struct nf_conn_labels *labels = nf_ct_labels_find(ct);
+
+ if (!labels)
+ return 0;
+
+And nf_ct_labels_find always returns NULL if CONFIG_NF_CONNTRACK_LABELS
+is not enabled. So I believe that the compiler optimises the code away
+in such cases anyway.
+
+Found by inspection.
+Compile tested only.
+
+Originally splitted in two patches, Pablo Neira Ayuso collapsed them and
+added Fixes: tag.
+
+Fixes: 0ceabd83875b ("netfilter: ctnetlink: deliver labels to userspace")
+Link: https://lore.kernel.org/netfilter-devel/20240909151712.GZ2097826@kernel.org/
+Signed-off-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conntrack_netlink.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
+index bcb72ad2c1786..4101a3ce2e309 100644
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -359,7 +359,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
+ #define ctnetlink_dump_secctx(a, b) (0)
+ #endif
+
+-#ifdef CONFIG_NF_CONNTRACK_LABELS
++#ifdef CONFIG_NF_CONNTRACK_EVENTS
+ static inline int ctnetlink_label_size(const struct nf_conn *ct)
+ {
+ struct nf_conn_labels *labels = nf_ct_labels_find(ct);
+@@ -368,6 +368,7 @@ static inline int ctnetlink_label_size(const struct nf_conn *ct)
+ return 0;
+ return nla_total_size(sizeof(labels->bits));
+ }
++#endif
+
+ static int
+ ctnetlink_dump_labels(struct sk_buff *skb, const struct nf_conn *ct)
+@@ -388,10 +389,6 @@ ctnetlink_dump_labels(struct sk_buff *skb, const struct nf_conn *ct)
+
+ return 0;
+ }
+-#else
+-#define ctnetlink_dump_labels(a, b) (0)
+-#define ctnetlink_label_size(a) (0)
+-#endif
+
+ #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
+
+--
+2.43.0
+
--- /dev/null
+From 2ee0386a10e0559482d018cd294fbd24b9787e60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2024 17:06:15 +0000
+Subject: netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 9c778fe48d20ef362047e3376dee56d77f8500d4 ]
+
+syzbot reported that nf_reject_ip6_tcphdr_put() was possibly sending
+garbage on the four reserved tcp bits (th->res1)
+
+Use skb_put_zero() to clear the whole TCP header,
+as done in nf_reject_ip_tcphdr_put()
+
+BUG: KMSAN: uninit-value in nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255
+ nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255
+ nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344
+ nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48
+ expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
+ nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288
+ nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161
+ nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
+ nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
+ nf_hook include/linux/netfilter.h:269 [inline]
+ NF_HOOK include/linux/netfilter.h:312 [inline]
+ ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310
+ __netif_receive_skb_one_core net/core/dev.c:5661 [inline]
+ __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775
+ process_backlog+0x4ad/0xa50 net/core/dev.c:6108
+ __napi_poll+0xe7/0x980 net/core/dev.c:6772
+ napi_poll net/core/dev.c:6841 [inline]
+ net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963
+ handle_softirqs+0x1ce/0x800 kernel/softirq.c:554
+ __do_softirq+0x14/0x1a kernel/softirq.c:588
+ do_softirq+0x9a/0x100 kernel/softirq.c:455
+ __local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:382
+ local_bh_enable include/linux/bottom_half.h:33 [inline]
+ rcu_read_unlock_bh include/linux/rcupdate.h:908 [inline]
+ __dev_queue_xmit+0x2692/0x5610 net/core/dev.c:4450
+ dev_queue_xmit include/linux/netdevice.h:3105 [inline]
+ neigh_resolve_output+0x9ca/0xae0 net/core/neighbour.c:1565
+ neigh_output include/net/neighbour.h:542 [inline]
+ ip6_finish_output2+0x2347/0x2ba0 net/ipv6/ip6_output.c:141
+ __ip6_finish_output net/ipv6/ip6_output.c:215 [inline]
+ ip6_finish_output+0xbb8/0x14b0 net/ipv6/ip6_output.c:226
+ NF_HOOK_COND include/linux/netfilter.h:303 [inline]
+ ip6_output+0x356/0x620 net/ipv6/ip6_output.c:247
+ dst_output include/net/dst.h:450 [inline]
+ NF_HOOK include/linux/netfilter.h:314 [inline]
+ ip6_xmit+0x1ba6/0x25d0 net/ipv6/ip6_output.c:366
+ inet6_csk_xmit+0x442/0x530 net/ipv6/inet6_connection_sock.c:135
+ __tcp_transmit_skb+0x3b07/0x4880 net/ipv4/tcp_output.c:1466
+ tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline]
+ tcp_connect+0x35b6/0x7130 net/ipv4/tcp_output.c:4143
+ tcp_v6_connect+0x1bcc/0x1e40 net/ipv6/tcp_ipv6.c:333
+ __inet_stream_connect+0x2ef/0x1730 net/ipv4/af_inet.c:679
+ inet_stream_connect+0x6a/0xd0 net/ipv4/af_inet.c:750
+ __sys_connect_file net/socket.c:2061 [inline]
+ __sys_connect+0x606/0x690 net/socket.c:2078
+ __do_sys_connect net/socket.c:2088 [inline]
+ __se_sys_connect net/socket.c:2085 [inline]
+ __x64_sys_connect+0x91/0xe0 net/socket.c:2085
+ x64_sys_call+0x27a5/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:43
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Uninit was stored to memory at:
+ nf_reject_ip6_tcphdr_put+0x60c/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:249
+ nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344
+ nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48
+ expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
+ nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288
+ nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161
+ nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
+ nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
+ nf_hook include/linux/netfilter.h:269 [inline]
+ NF_HOOK include/linux/netfilter.h:312 [inline]
+ ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310
+ __netif_receive_skb_one_core net/core/dev.c:5661 [inline]
+ __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775
+ process_backlog+0x4ad/0xa50 net/core/dev.c:6108
+ __napi_poll+0xe7/0x980 net/core/dev.c:6772
+ napi_poll net/core/dev.c:6841 [inline]
+ net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963
+ handle_softirqs+0x1ce/0x800 kernel/softirq.c:554
+ __do_softirq+0x14/0x1a kernel/softirq.c:588
+
+Uninit was stored to memory at:
+ nf_reject_ip6_tcphdr_put+0x2ca/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:231
+ nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344
+ nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48
+ expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
+ nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288
+ nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161
+ nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
+ nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
+ nf_hook include/linux/netfilter.h:269 [inline]
+ NF_HOOK include/linux/netfilter.h:312 [inline]
+ ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310
+ __netif_receive_skb_one_core net/core/dev.c:5661 [inline]
+ __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775
+ process_backlog+0x4ad/0xa50 net/core/dev.c:6108
+ __napi_poll+0xe7/0x980 net/core/dev.c:6772
+ napi_poll net/core/dev.c:6841 [inline]
+ net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963
+ handle_softirqs+0x1ce/0x800 kernel/softirq.c:554
+ __do_softirq+0x14/0x1a kernel/softirq.c:588
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slub.c:3998 [inline]
+ slab_alloc_node mm/slub.c:4041 [inline]
+ kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4084
+ kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:583
+ __alloc_skb+0x363/0x7b0 net/core/skbuff.c:674
+ alloc_skb include/linux/skbuff.h:1320 [inline]
+ nf_send_reset6+0x98d/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:327
+ nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48
+ expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
+ nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288
+ nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161
+ nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
+ nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
+ nf_hook include/linux/netfilter.h:269 [inline]
+ NF_HOOK include/linux/netfilter.h:312 [inline]
+ ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310
+ __netif_receive_skb_one_core net/core/dev.c:5661 [inline]
+ __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775
+ process_backlog+0x4ad/0xa50 net/core/dev.c:6108
+ __napi_poll+0xe7/0x980 net/core/dev.c:6772
+ napi_poll net/core/dev.c:6841 [inline]
+ net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963
+ handle_softirqs+0x1ce/0x800 kernel/softirq.c:554
+ __do_softirq+0x14/0x1a kernel/softirq.c:588
+
+Fixes: c8d7b98bec43 ("netfilter: move nf_send_resetX() code to nf_reject_ipvX modules")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Link: https://patch.msgid.link/20240913170615.3670897-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/netfilter/nf_reject_ipv6.c | 14 ++------------
+ 1 file changed, 2 insertions(+), 12 deletions(-)
+
+diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilter/nf_reject_ipv6.c
+index 24858402e3748..0edf9c1192de0 100644
+--- a/net/ipv6/netfilter/nf_reject_ipv6.c
++++ b/net/ipv6/netfilter/nf_reject_ipv6.c
+@@ -92,33 +92,23 @@ void nf_reject_ip6_tcphdr_put(struct sk_buff *nskb,
+ const struct tcphdr *oth, unsigned int otcplen)
+ {
+ struct tcphdr *tcph;
+- int needs_ack;
+
+ skb_reset_transport_header(nskb);
+- tcph = skb_put(nskb, sizeof(struct tcphdr));
++ tcph = skb_put_zero(nskb, sizeof(struct tcphdr));
+ /* Truncate to length (no data) */
+ tcph->doff = sizeof(struct tcphdr)/4;
+ tcph->source = oth->dest;
+ tcph->dest = oth->source;
+
+ if (oth->ack) {
+- needs_ack = 0;
+ tcph->seq = oth->ack_seq;
+- tcph->ack_seq = 0;
+ } else {
+- needs_ack = 1;
+ tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin +
+ otcplen - (oth->doff<<2));
+- tcph->seq = 0;
++ tcph->ack = 1;
+ }
+
+- /* Reset flags */
+- ((u_int8_t *)tcph)[13] = 0;
+ tcph->rst = 1;
+- tcph->ack = needs_ack;
+- tcph->window = 0;
+- tcph->urg_ptr = 0;
+- tcph->check = 0;
+
+ /* Adjust TCP checksum */
+ tcph->check = csum_ipv6_magic(&ipv6_hdr(nskb)->saddr,
+--
+2.43.0
+
--- /dev/null
+From fb05db16fcc0d9558d45c7a5e0537fe76cb3f91f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 01:06:41 +0200
+Subject: netfilter: nf_tables: elements with timeout below CONFIG_HZ never
+ expire
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+[ Upstream commit e0c47281723f301894c14e6f5cd5884fdfb813f9 ]
+
+Element timeout that is below CONFIG_HZ never expires because the
+timeout extension is not allocated given that nf_msecs_to_jiffies64()
+returns 0. Set timeout to the minimum value to honor timeout.
+
+Fixes: 8e1102d5a159 ("netfilter: nf_tables: support timeouts larger than 23 days")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_tables_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index a033c9baf58ad..25b2870dda24a 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3339,7 +3339,7 @@ int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result)
+ return -ERANGE;
+
+ ms *= NSEC_PER_MSEC;
+- *result = nsecs_to_jiffies64(ms);
++ *result = nsecs_to_jiffies64(ms) ? : !!ms;
+ return 0;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 9bc910840fe92b7a687f153f7138bdae8fa3dcca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2024 22:03:18 +0800
+Subject: nfsd: call cache_put if xdr_reserve_space returns NULL
+
+From: Guoqing Jiang <guoqing.jiang@linux.dev>
+
+[ Upstream commit d078cbf5c38de83bc31f83c47dcd2184c04a50c7 ]
+
+If not enough buffer space available, but idmap_lookup has triggered
+lookup_fn which calls cache_get and returns successfully. Then we
+missed to call cache_put here which pairs with cache_get.
+
+Fixes: ddd1ea563672 ("nfsd4: use xdr_reserve_space in attribute encoding")
+Signed-off-by: Guoqing Jiang <guoqing.jiang@linux.dev>
+Reviwed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfsd/nfs4idmap.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/fs/nfsd/nfs4idmap.c b/fs/nfsd/nfs4idmap.c
+index a5bb76593ce72..de6bab641b20c 100644
+--- a/fs/nfsd/nfs4idmap.c
++++ b/fs/nfsd/nfs4idmap.c
+@@ -565,6 +565,7 @@ static __be32 idmap_id_to_name(struct xdr_stream *xdr,
+ .id = id,
+ .type = type,
+ };
++ __be32 status = nfs_ok;
+ __be32 *p;
+ int ret;
+ struct nfsd_net *nn = net_generic(SVC_NET(rqstp), nfsd_net_id);
+@@ -577,12 +578,16 @@ static __be32 idmap_id_to_name(struct xdr_stream *xdr,
+ return nfserrno(ret);
+ ret = strlen(item->name);
+ WARN_ON_ONCE(ret > IDMAP_NAMESZ);
++
+ p = xdr_reserve_space(xdr, ret + 4);
+- if (!p)
+- return nfserr_resource;
+- p = xdr_encode_opaque(p, item->name, ret);
++ if (unlikely(!p)) {
++ status = nfserr_resource;
++ goto out_put;
++ }
++ xdr_encode_opaque(p, item->name, ret);
++out_put:
+ cache_put(&item->h, nn->idtoname_cache);
+- return 0;
++ return status;
+ }
+
+ static bool
+--
+2.43.0
+
--- /dev/null
+From 9ffde729ae53c9404b09a11000b80e5b9f509ed4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Sep 2024 17:13:08 +0900
+Subject: nilfs2: determine empty node blocks as corrupted
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+[ Upstream commit 111b812d3662f3a1b831d19208f83aa711583fe6 ]
+
+Due to the nature of b-trees, nilfs2 itself and admin tools such as
+mkfs.nilfs2 will never create an intermediate b-tree node block with 0
+child nodes, nor will they delete (key, pointer)-entries that would result
+in such a state. However, it is possible that a b-tree node block is
+corrupted on the backing device and is read with 0 child nodes.
+
+Because operation is not guaranteed if the number of child nodes is 0 for
+intermediate node blocks other than the root node, modify
+nilfs_btree_node_broken(), which performs sanity checks when reading a
+b-tree node block, so that such cases will be judged as metadata
+corruption.
+
+Link: https://lkml.kernel.org/r/20240904081401.16682-3-konishi.ryusuke@gmail.com
+Fixes: 17c76b0104e4 ("nilfs2: B-tree based block mapping")
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: Lizhi Xu <lizhi.xu@windriver.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nilfs2/btree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c
+index c2aca9cd78644..7cfff27b4b4a5 100644
+--- a/fs/nilfs2/btree.c
++++ b/fs/nilfs2/btree.c
+@@ -350,7 +350,7 @@ static int nilfs_btree_node_broken(const struct nilfs_btree_node *node,
+ if (unlikely(level < NILFS_BTREE_LEVEL_NODE_MIN ||
+ level >= NILFS_BTREE_LEVEL_MAX ||
+ (flags & NILFS_BTREE_NODE_ROOT) ||
+- nchildren < 0 ||
++ nchildren <= 0 ||
+ nchildren > NILFS_BTREE_NODE_NCHILDREN_MAX(size))) {
+ nilfs_crit(inode->i_sb,
+ "bad btree node (ino=%lu, blocknr=%llu): level = %d, flags = 0x%x, nchildren = %d",
+--
+2.43.0
+
--- /dev/null
+From 34f6acefc71a2d14e2a1e362c1528ff58ab53a25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Sep 2024 17:13:07 +0900
+Subject: nilfs2: fix potential null-ptr-deref in nilfs_btree_insert()
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+[ Upstream commit 9403001ad65ae4f4c5de368bdda3a0636b51d51a ]
+
+Patch series "nilfs2: fix potential issues with empty b-tree nodes".
+
+This series addresses three potential issues with empty b-tree nodes that
+can occur with corrupted filesystem images, including one recently
+discovered by syzbot.
+
+This patch (of 3):
+
+If a b-tree is broken on the device, and the b-tree height is greater than
+2 (the level of the root node is greater than 1) even if the number of
+child nodes of the b-tree root is 0, a NULL pointer dereference occurs in
+nilfs_btree_prepare_insert(), which is called from nilfs_btree_insert().
+
+This is because, when the number of child nodes of the b-tree root is 0,
+nilfs_btree_do_lookup() does not set the block buffer head in any of
+path[x].bp_bh, leaving it as the initial value of NULL, but if the level
+of the b-tree root node is greater than 1, nilfs_btree_get_nonroot_node(),
+which accesses the buffer memory of path[x].bp_bh, is called.
+
+Fix this issue by adding a check to nilfs_btree_root_broken(), which
+performs sanity checks when reading the root node from the device, to
+detect this inconsistency.
+
+Thanks to Lizhi Xu for trying to solve the bug and clarifying the cause
+early on.
+
+Link: https://lkml.kernel.org/r/20240904081401.16682-1-konishi.ryusuke@gmail.com
+Link: https://lkml.kernel.org/r/20240902084101.138971-1-lizhi.xu@windriver.com
+Link: https://lkml.kernel.org/r/20240904081401.16682-2-konishi.ryusuke@gmail.com
+Fixes: 17c76b0104e4 ("nilfs2: B-tree based block mapping")
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Reported-by: syzbot+9bff4c7b992038a7409f@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=9bff4c7b992038a7409f
+Cc: Lizhi Xu <lizhi.xu@windriver.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nilfs2/btree.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c
+index a426e4e2acdac..c2aca9cd78644 100644
+--- a/fs/nilfs2/btree.c
++++ b/fs/nilfs2/btree.c
+@@ -381,7 +381,8 @@ static int nilfs_btree_root_broken(const struct nilfs_btree_node *node,
+ if (unlikely(level < NILFS_BTREE_LEVEL_NODE_MIN ||
+ level >= NILFS_BTREE_LEVEL_MAX ||
+ nchildren < 0 ||
+- nchildren > NILFS_BTREE_ROOT_NCHILDREN_MAX)) {
++ nchildren > NILFS_BTREE_ROOT_NCHILDREN_MAX ||
++ (nchildren == 0 && level > NILFS_BTREE_LEVEL_NODE_MIN))) {
+ nilfs_crit(inode->i_sb,
+ "bad btree root (ino=%lu): level = %d, flags = 0x%x, nchildren = %d",
+ inode->i_ino, level, flags, nchildren);
+--
+2.43.0
+
--- /dev/null
+From ff2fac05ea278f6e0a16adbb55567f562a06e61b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Sep 2024 17:13:09 +0900
+Subject: nilfs2: fix potential oob read in nilfs_btree_check_delete()
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+[ Upstream commit f9c96351aa6718b42a9f42eaf7adce0356bdb5e8 ]
+
+The function nilfs_btree_check_delete(), which checks whether degeneration
+to direct mapping occurs before deleting a b-tree entry, causes memory
+access outside the block buffer when retrieving the maximum key if the
+root node has no entries.
+
+This does not usually happen because b-tree mappings with 0 child nodes
+are never created by mkfs.nilfs2 or nilfs2 itself. However, it can happen
+if the b-tree root node read from a device is configured that way, so fix
+this potential issue by adding a check for that case.
+
+Link: https://lkml.kernel.org/r/20240904081401.16682-4-konishi.ryusuke@gmail.com
+Fixes: 17c76b0104e4 ("nilfs2: B-tree based block mapping")
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: Lizhi Xu <lizhi.xu@windriver.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nilfs2/btree.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/fs/nilfs2/btree.c b/fs/nilfs2/btree.c
+index 7cfff27b4b4a5..7c9f4d79bdbc5 100644
+--- a/fs/nilfs2/btree.c
++++ b/fs/nilfs2/btree.c
+@@ -1660,13 +1660,16 @@ static int nilfs_btree_check_delete(struct nilfs_bmap *btree, __u64 key)
+ int nchildren, ret;
+
+ root = nilfs_btree_get_root(btree);
++ nchildren = nilfs_btree_node_get_nchildren(root);
++ if (unlikely(nchildren == 0))
++ return 0;
++
+ switch (nilfs_btree_height(btree)) {
+ case 2:
+ bh = NULL;
+ node = root;
+ break;
+ case 3:
+- nchildren = nilfs_btree_node_get_nchildren(root);
+ if (nchildren > 1)
+ return 0;
+ ptr = nilfs_btree_node_get_ptr(root, nchildren - 1,
+@@ -1675,12 +1678,12 @@ static int nilfs_btree_check_delete(struct nilfs_bmap *btree, __u64 key)
+ if (ret < 0)
+ return ret;
+ node = (struct nilfs_btree_node *)bh->b_data;
++ nchildren = nilfs_btree_node_get_nchildren(node);
+ break;
+ default:
+ return 0;
+ }
+
+- nchildren = nilfs_btree_node_get_nchildren(node);
+ maxkey = nilfs_btree_node_get_key(node, nchildren - 1);
+ nextmaxkey = (nchildren > 1) ?
+ nilfs_btree_node_get_key(node, nchildren - 2) : 0;
+--
+2.43.0
+
--- /dev/null
+From ef7a5e2f031283ddfc4e3d5233d1fd736f2d9d72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Aug 2023 20:39:27 +0800
+Subject: ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+[ Upstream commit e229897d373a87ee09ec5cc4ecd4bb2f895fc16b ]
+
+The debugfs_create_dir() function returns error pointers.
+It never returns NULL. So use IS_ERR() to check it.
+
+Fixes: e26a5843f7f5 ("NTB: Split ntb_hw_intel and ntb_transport drivers")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ntb/hw/intel/ntb_hw_gen1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ntb/hw/intel/ntb_hw_gen1.c b/drivers/ntb/hw/intel/ntb_hw_gen1.c
+index 084bd1d1ac1dc..0e913fd6b592e 100644
+--- a/drivers/ntb/hw/intel/ntb_hw_gen1.c
++++ b/drivers/ntb/hw/intel/ntb_hw_gen1.c
+@@ -777,7 +777,7 @@ static void ndev_init_debugfs(struct intel_ntb_dev *ndev)
+ ndev->debugfs_dir =
+ debugfs_create_dir(pci_name(ndev->ntb.pdev),
+ debugfs_dir);
+- if (!ndev->debugfs_dir)
++ if (IS_ERR(ndev->debugfs_dir))
+ ndev->debugfs_info = NULL;
+ else
+ ndev->debugfs_info =
+--
+2.43.0
+
--- /dev/null
+From 005be71fdfa687e72172fcff75578b45d0e54776 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 May 2024 12:13:33 -0400
+Subject: PCI: xilinx-nwl: Fix register misspelling
+
+From: Sean Anderson <sean.anderson@linux.dev>
+
+[ Upstream commit a437027ae1730b8dc379c75fa0dd7d3036917400 ]
+
+MSIC -> MISC
+
+Fixes: c2a7ff18edcd ("PCI: xilinx-nwl: Expand error logging")
+Link: https://lore.kernel.org/r/20240531161337.864994-4-sean.anderson@linux.dev
+Signed-off-by: Sean Anderson <sean.anderson@linux.dev>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pcie-xilinx-nwl.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/pci/controller/pcie-xilinx-nwl.c b/drivers/pci/controller/pcie-xilinx-nwl.c
+index a86bd9660dae9..4b7b906967582 100644
+--- a/drivers/pci/controller/pcie-xilinx-nwl.c
++++ b/drivers/pci/controller/pcie-xilinx-nwl.c
+@@ -79,8 +79,8 @@
+ #define MSGF_MISC_SR_NON_FATAL_DEV BIT(22)
+ #define MSGF_MISC_SR_FATAL_DEV BIT(23)
+ #define MSGF_MISC_SR_LINK_DOWN BIT(24)
+-#define MSGF_MSIC_SR_LINK_AUTO_BWIDTH BIT(25)
+-#define MSGF_MSIC_SR_LINK_BWIDTH BIT(26)
++#define MSGF_MISC_SR_LINK_AUTO_BWIDTH BIT(25)
++#define MSGF_MISC_SR_LINK_BWIDTH BIT(26)
+
+ #define MSGF_MISC_SR_MASKALL (MSGF_MISC_SR_RXMSG_AVAIL | \
+ MSGF_MISC_SR_RXMSG_OVER | \
+@@ -95,8 +95,8 @@
+ MSGF_MISC_SR_NON_FATAL_DEV | \
+ MSGF_MISC_SR_FATAL_DEV | \
+ MSGF_MISC_SR_LINK_DOWN | \
+- MSGF_MSIC_SR_LINK_AUTO_BWIDTH | \
+- MSGF_MSIC_SR_LINK_BWIDTH)
++ MSGF_MISC_SR_LINK_AUTO_BWIDTH | \
++ MSGF_MISC_SR_LINK_BWIDTH)
+
+ /* Legacy interrupt status mask bits */
+ #define MSGF_LEG_SR_INTA BIT(0)
+@@ -308,10 +308,10 @@ static irqreturn_t nwl_pcie_misc_handler(int irq, void *data)
+ if (misc_stat & MSGF_MISC_SR_FATAL_DEV)
+ dev_err(dev, "Fatal Error Detected\n");
+
+- if (misc_stat & MSGF_MSIC_SR_LINK_AUTO_BWIDTH)
++ if (misc_stat & MSGF_MISC_SR_LINK_AUTO_BWIDTH)
+ dev_info(dev, "Link Autonomous Bandwidth Management Status bit set\n");
+
+- if (misc_stat & MSGF_MSIC_SR_LINK_BWIDTH)
++ if (misc_stat & MSGF_MISC_SR_LINK_BWIDTH)
+ dev_info(dev, "Link Bandwidth Management Status bit set\n");
+
+ /* Clear misc interrupt status */
+--
+2.43.0
+
--- /dev/null
+From 73357237e63ffec6fa72b184e3f4cd3da6e25160 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Aug 2024 10:35:33 +0800
+Subject: perf sched timehist: Fix missing free of session in
+ perf_sched__timehist()
+
+From: Yang Jihong <yangjihong@bytedance.com>
+
+[ Upstream commit 6bdf5168b6fb19541b0c1862bdaa596d116c7bfb ]
+
+When perf_time__parse_str() fails in perf_sched__timehist(),
+need to free session that was previously created, fix it.
+
+Fixes: 853b74071110bed3 ("perf sched timehist: Add option to specify time window of interest")
+Signed-off-by: Yang Jihong <yangjihong@bytedance.com>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: David Ahern <dsa@cumulusnetworks.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20240806023533.1316348-1-yangjihong@bytedance.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-sched.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
+index 4562e3b2f4d36..1c9e06c1d0089 100644
+--- a/tools/perf/builtin-sched.c
++++ b/tools/perf/builtin-sched.c
+@@ -2994,7 +2994,8 @@ static int perf_sched__timehist(struct perf_sched *sched)
+
+ if (perf_time__parse_str(&sched->ptime, sched->time_str) != 0) {
+ pr_err("Invalid time string\n");
+- return -EINVAL;
++ err = -EINVAL;
++ goto out;
+ }
+
+ if (timehist_check_attr(sched, evlist) != 0)
+--
+2.43.0
+
--- /dev/null
+From 9488e25cbecacbcf7a90b4f16720333cd9a8871f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Aug 2024 10:47:20 +0800
+Subject: perf sched timehist: Fixed timestamp error when unable to confirm
+ event sched_in time
+
+From: Yang Jihong <yangjihong@bytedance.com>
+
+[ Upstream commit 39c243411bdb8fb35777adf49ee32549633c4e12 ]
+
+If sched_in event for current task is not recorded, sched_in timestamp
+will be set to end_time of time window interest, causing an error in
+timestamp show. In this case, we choose to ignore this event.
+
+Test scenario:
+
+ perf[1229608] does not record the first sched_in event, run time and sch delay are both 0
+
+ # perf sched timehist
+ Samples of sched_switch event do not have callchains.
+ time cpu task name wait time sch delay run time
+ [tid/pid] (msec) (msec) (msec)
+ --------------- ------ ------------------------------ --------- --------- ---------
+ 2090450.763231 [0000] perf[1229608] 0.000 0.000 0.000
+ 2090450.763235 [0000] migration/0[15] 0.000 0.001 0.003
+ 2090450.763263 [0001] perf[1229608] 0.000 0.000 0.000
+ 2090450.763268 [0001] migration/1[21] 0.000 0.001 0.004
+ 2090450.763302 [0002] perf[1229608] 0.000 0.000 0.000
+ 2090450.763309 [0002] migration/2[27] 0.000 0.001 0.007
+ 2090450.763338 [0003] perf[1229608] 0.000 0.000 0.000
+ 2090450.763343 [0003] migration/3[33] 0.000 0.001 0.004
+
+Before:
+
+ arbitrarily specify a time window of interest, timestamp will be set to an incorrect value
+
+ # perf sched timehist --time 100,200
+ Samples of sched_switch event do not have callchains.
+ time cpu task name wait time sch delay run time
+ [tid/pid] (msec) (msec) (msec)
+ --------------- ------ ------------------------------ --------- --------- ---------
+ 200.000000 [0000] perf[1229608] 0.000 0.000 0.000
+ 200.000000 [0001] perf[1229608] 0.000 0.000 0.000
+ 200.000000 [0002] perf[1229608] 0.000 0.000 0.000
+ 200.000000 [0003] perf[1229608] 0.000 0.000 0.000
+ 200.000000 [0004] perf[1229608] 0.000 0.000 0.000
+ 200.000000 [0005] perf[1229608] 0.000 0.000 0.000
+ 200.000000 [0006] perf[1229608] 0.000 0.000 0.000
+ 200.000000 [0007] perf[1229608] 0.000 0.000 0.000
+
+ After:
+
+ # perf sched timehist --time 100,200
+ Samples of sched_switch event do not have callchains.
+ time cpu task name wait time sch delay run time
+ [tid/pid] (msec) (msec) (msec)
+ --------------- ------ ------------------------------ --------- --------- ---------
+
+Fixes: 853b74071110bed3 ("perf sched timehist: Add option to specify time window of interest")
+Signed-off-by: Yang Jihong <yangjihong@bytedance.com>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: David Ahern <dsa@cumulusnetworks.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: James Clark <james.clark@arm.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20240819024720.2405244-1-yangjihong@bytedance.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-sched.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/builtin-sched.c b/tools/perf/builtin-sched.c
+index 1c9e06c1d0089..cf8dc3910ef21 100644
+--- a/tools/perf/builtin-sched.c
++++ b/tools/perf/builtin-sched.c
+@@ -2553,9 +2553,12 @@ static int timehist_sched_change_event(struct perf_tool *tool,
+ * - previous sched event is out of window - we are done
+ * - sample time is beyond window user cares about - reset it
+ * to close out stats for time window interest
++ * - If tprev is 0, that is, sched_in event for current task is
++ * not recorded, cannot determine whether sched_in event is
++ * within time window interest - ignore it
+ */
+ if (ptime->end) {
+- if (tprev > ptime->end)
++ if (!tprev || tprev > ptime->end)
+ goto out;
+
+ if (t > ptime->end)
+--
+2.43.0
+
--- /dev/null
+From d7f1f19bc944cbdd51f5dbaa100e38b3416b3c44 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 31 Aug 2024 00:04:11 -0700
+Subject: perf time-utils: Fix 32-bit nsec parsing
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit 38e2648a81204c9fc5b4c87a8ffce93a6ed91b65 ]
+
+The "time utils" test fails in 32-bit builds:
+ ...
+ parse_nsec_time("18446744073.709551615")
+ Failed. ptime 4294967295709551615 expected 18446744073709551615
+ ...
+
+Switch strtoul to strtoull as an unsigned long in 32-bit build isn't
+64-bits.
+
+Fixes: c284d669a20d408b ("perf tools: Move parse_nsec_time to time-utils.c")
+Signed-off-by: Ian Rogers <irogers@google.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+Cc: Chaitanya S Prakash <chaitanyas.prakash@arm.com>
+Cc: Colin Ian King <colin.i.king@gmail.com>
+Cc: David Ahern <dsa@cumulusnetworks.com>
+Cc: Dominique Martinet <asmadeus@codewreck.org>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: James Clark <james.clark@linaro.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: John Garry <john.g.garry@oracle.com>
+Cc: Junhao He <hejunhao3@huawei.com>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Yang Jihong <yangjihong@bytedance.com>
+Link: https://lore.kernel.org/r/20240831070415.506194-3-irogers@google.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/time-utils.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/util/time-utils.c b/tools/perf/util/time-utils.c
+index 6193b46050a56..540a71450de52 100644
+--- a/tools/perf/util/time-utils.c
++++ b/tools/perf/util/time-utils.c
+@@ -17,7 +17,7 @@ int parse_nsec_time(const char *str, u64 *ptime)
+ u64 time_sec, time_nsec;
+ char *end;
+
+- time_sec = strtoul(str, &end, 10);
++ time_sec = strtoull(str, &end, 10);
+ if (*end != '.' && *end != '\0')
+ return -1;
+
+@@ -35,7 +35,7 @@ int parse_nsec_time(const char *str, u64 *ptime)
+ for (i = strlen(nsec_buf); i < 9; i++)
+ nsec_buf[i] = '0';
+
+- time_nsec = strtoul(nsec_buf, &end, 10);
++ time_nsec = strtoull(nsec_buf, &end, 10);
+ if (*end != '\0')
+ return -1;
+ } else
+--
+2.43.0
+
--- /dev/null
+From 4984dff1d9139b1993503fb5f1ef48c0eecf9c3b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 14:48:23 +0800
+Subject: pinctrl: mvebu: Fix devinit_dove_pinctrl_probe function
+
+From: Wang Jianzheng <wangjianzheng@vivo.com>
+
+[ Upstream commit c25478419f6fd3f74c324a21ec007cf14f2688d7 ]
+
+When an error occurs during the execution of the function
+__devinit_dove_pinctrl_probe, the clk is not properly disabled.
+
+Fix this by calling clk_disable_unprepare before return.
+
+Fixes: ba607b6238a1 ("pinctrl: mvebu: make pdma clock on dove mandatory")
+Signed-off-by: Wang Jianzheng <wangjianzheng@vivo.com>
+Link: https://lore.kernel.org/20240829064823.19808-1-wangjianzheng@vivo.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/mvebu/pinctrl-dove.c | 42 +++++++++++++++++++---------
+ 1 file changed, 29 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/pinctrl/mvebu/pinctrl-dove.c b/drivers/pinctrl/mvebu/pinctrl-dove.c
+index 2c5032d0def52..8a77289fe96fb 100644
+--- a/drivers/pinctrl/mvebu/pinctrl-dove.c
++++ b/drivers/pinctrl/mvebu/pinctrl-dove.c
+@@ -773,7 +773,7 @@ static int dove_pinctrl_probe(struct platform_device *pdev)
+ of_match_device(dove_pinctrl_of_match, &pdev->dev);
+ struct mvebu_mpp_ctrl_data *mpp_data;
+ void __iomem *base;
+- int i;
++ int i, ret;
+
+ pdev->dev.platform_data = (void *)match->data;
+
+@@ -789,13 +789,17 @@ static int dove_pinctrl_probe(struct platform_device *pdev)
+ clk_prepare_enable(clk);
+
+ base = devm_platform_get_and_ioremap_resource(pdev, 0, &mpp_res);
+- if (IS_ERR(base))
+- return PTR_ERR(base);
++ if (IS_ERR(base)) {
++ ret = PTR_ERR(base);
++ goto err_probe;
++ }
+
+ mpp_data = devm_kcalloc(&pdev->dev, dove_pinctrl_info.ncontrols,
+ sizeof(*mpp_data), GFP_KERNEL);
+- if (!mpp_data)
+- return -ENOMEM;
++ if (!mpp_data) {
++ ret = -ENOMEM;
++ goto err_probe;
++ }
+
+ dove_pinctrl_info.control_data = mpp_data;
+ for (i = 0; i < ARRAY_SIZE(dove_mpp_controls); i++)
+@@ -814,8 +818,10 @@ static int dove_pinctrl_probe(struct platform_device *pdev)
+ }
+
+ mpp4_base = devm_ioremap_resource(&pdev->dev, res);
+- if (IS_ERR(mpp4_base))
+- return PTR_ERR(mpp4_base);
++ if (IS_ERR(mpp4_base)) {
++ ret = PTR_ERR(mpp4_base);
++ goto err_probe;
++ }
+
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 2);
+ if (!res) {
+@@ -826,8 +832,10 @@ static int dove_pinctrl_probe(struct platform_device *pdev)
+ }
+
+ pmu_base = devm_ioremap_resource(&pdev->dev, res);
+- if (IS_ERR(pmu_base))
+- return PTR_ERR(pmu_base);
++ if (IS_ERR(pmu_base)) {
++ ret = PTR_ERR(pmu_base);
++ goto err_probe;
++ }
+
+ gconfmap = syscon_regmap_lookup_by_compatible("marvell,dove-global-config");
+ if (IS_ERR(gconfmap)) {
+@@ -837,12 +845,17 @@ static int dove_pinctrl_probe(struct platform_device *pdev)
+ adjust_resource(&fb_res,
+ (mpp_res->start & INT_REGS_MASK) + GC_REGS_OFFS, 0x14);
+ gc_base = devm_ioremap_resource(&pdev->dev, &fb_res);
+- if (IS_ERR(gc_base))
+- return PTR_ERR(gc_base);
++ if (IS_ERR(gc_base)) {
++ ret = PTR_ERR(gc_base);
++ goto err_probe;
++ }
++
+ gconfmap = devm_regmap_init_mmio(&pdev->dev,
+ gc_base, &gc_regmap_config);
+- if (IS_ERR(gconfmap))
+- return PTR_ERR(gconfmap);
++ if (IS_ERR(gconfmap)) {
++ ret = PTR_ERR(gconfmap);
++ goto err_probe;
++ }
+ }
+
+ /* Warn on any missing DT resource */
+@@ -850,6 +863,9 @@ static int dove_pinctrl_probe(struct platform_device *pdev)
+ dev_warn(&pdev->dev, FW_BUG "Missing pinctrl regs in DTB. Please update your firmware.\n");
+
+ return mvebu_pinctrl_probe(pdev);
++err_probe:
++ clk_disable_unprepare(clk);
++ return ret;
+ }
+
+ static struct platform_driver dove_pinctrl_driver = {
+--
+2.43.0
+
--- /dev/null
+From f4443a86b2b810be51520a56ebb036fc335bdecf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jul 2023 20:47:40 +0800
+Subject: pinctrl: mvebu: Use devm_platform_get_and_ioremap_resource()
+
+From: Yangtao Li <frank.li@vivo.com>
+
+[ Upstream commit 2d357f25663ddfef47ffe26da21155302153d168 ]
+
+Convert platform_get_resource(), devm_ioremap_resource() to a single
+call to devm_platform_get_and_ioremap_resource(), as this is exactly
+what this function does.
+
+Signed-off-by: Yangtao Li <frank.li@vivo.com>
+Link: https://lore.kernel.org/r/20230704124742.9596-2-frank.li@vivo.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Stable-dep-of: c25478419f6f ("pinctrl: mvebu: Fix devinit_dove_pinctrl_probe function")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/mvebu/pinctrl-dove.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/pinctrl/mvebu/pinctrl-dove.c b/drivers/pinctrl/mvebu/pinctrl-dove.c
+index 8472f61f2bbe7..2c5032d0def52 100644
+--- a/drivers/pinctrl/mvebu/pinctrl-dove.c
++++ b/drivers/pinctrl/mvebu/pinctrl-dove.c
+@@ -788,8 +788,7 @@ static int dove_pinctrl_probe(struct platform_device *pdev)
+ }
+ clk_prepare_enable(clk);
+
+- mpp_res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+- base = devm_ioremap_resource(&pdev->dev, mpp_res);
++ base = devm_platform_get_and_ioremap_resource(pdev, 0, &mpp_res);
+ if (IS_ERR(base))
+ return PTR_ERR(base);
+
+--
+2.43.0
+
--- /dev/null
+From e562347fa6a397ef12a892937819b188470c22d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Aug 2024 10:46:25 +0800
+Subject: pinctrl: single: fix missing error code in pcs_probe()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit cacd8cf79d7823b07619865e994a7916fcc8ae91 ]
+
+If pinctrl_enable() fails in pcs_probe(), it should return the error code.
+
+Fixes: 8f773bfbdd42 ("pinctrl: single: fix possible memory leak when pinctrl_enable() fails")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/20240819024625.154441-1-yangyingliang@huaweicloud.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-single.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c
+index 86691841efc01..004410e58e54b 100644
+--- a/drivers/pinctrl/pinctrl-single.c
++++ b/drivers/pinctrl/pinctrl-single.c
+@@ -1898,7 +1898,8 @@ static int pcs_probe(struct platform_device *pdev)
+
+ dev_info(pcs->dev, "%i pins, size %u\n", pcs->desc.npins, pcs->size);
+
+- if (pinctrl_enable(pcs->pctl))
++ ret = pinctrl_enable(pcs->pctl);
++ if (ret)
+ goto free;
+
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From 11dfce7f864ec26ab7f5da16b28caea9d0676d6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 17 Aug 2024 12:51:14 +0200
+Subject: power: supply: max17042_battery: Fix SOC threshold calc w/ no current
+ sense
+
+From: Artur Weber <aweber.kernel@gmail.com>
+
+[ Upstream commit 3a3acf839b2cedf092bdd1ff65b0e9895df1656b ]
+
+Commit 223a3b82834f ("power: supply: max17042_battery: use VFSOC for
+capacity when no rsns") made it so that capacity on systems without
+current sensing would be read from VFSOC instead of RepSOC. However,
+the SOC threshold calculation still read RepSOC to get the SOC
+regardless of the current sensing option state.
+
+Fix this by applying the same conditional to determine which register
+should be read.
+
+This also seems to be the intended behavior as per the datasheet - SOC
+alert config value in MiscCFG on setups without current sensing is set
+to a value of 0b11, indicating SOC alerts being generated based on
+VFSOC, instead of 0b00 which indicates SOC alerts being generated based
+on RepSOC.
+
+This fixes an issue on the Galaxy S3/Midas boards, where the alert
+interrupt would be constantly retriggered, causing high CPU usage
+on idle (around ~12%-15%).
+
+Fixes: e5f3872d2044 ("max17042: Add support for signalling change in SOC")
+Signed-off-by: Artur Weber <aweber.kernel@gmail.com>
+Reviewed-by: Henrik Grimler <henrik@grimler.se>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20240817-max17042-soc-threshold-fix-v1-1-72b45899c3cc@gmail.com
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/power/supply/max17042_battery.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/power/supply/max17042_battery.c b/drivers/power/supply/max17042_battery.c
+index 33fbb0fc952b4..6d3ad453e6092 100644
+--- a/drivers/power/supply/max17042_battery.c
++++ b/drivers/power/supply/max17042_battery.c
+@@ -848,7 +848,10 @@ static void max17042_set_soc_threshold(struct max17042_chip *chip, u16 off)
+ /* program interrupt thesholds such that we should
+ * get interrupt for every 'off' perc change in the soc
+ */
+- regmap_read(map, MAX17042_RepSOC, &soc);
++ if (chip->pdata->enable_current_sense)
++ regmap_read(map, MAX17042_RepSOC, &soc);
++ else
++ regmap_read(map, MAX17042_VFSOC, &soc);
+ soc >>= 8;
+ soc_tr = (soc + off) << 8;
+ if (off < soc)
+--
+2.43.0
+
--- /dev/null
+From 877b63a1dd98ddce7da690fe7a71cb4a28c1e53c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Sep 2024 10:58:39 -0400
+Subject: RDMA/cxgb4: Added NULL check for lookup_atid
+
+From: Mikhail Lobanov <m.lobanov@rosalinux.ru>
+
+[ Upstream commit e766e6a92410ca269161de059fff0843b8ddd65f ]
+
+The lookup_atid() function can return NULL if the ATID is
+invalid or does not exist in the identifier table, which
+could lead to dereferencing a null pointer without a
+check in the `act_establish()` and `act_open_rpl()` functions.
+Add a NULL check to prevent null pointer dereferencing.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: cfdda9d76436 ("RDMA/cxgb4: Add driver for Chelsio T4 RNIC")
+Signed-off-by: Mikhail Lobanov <m.lobanov@rosalinux.ru>
+Link: https://patch.msgid.link/20240912145844.77516-1-m.lobanov@rosalinux.ru
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/cxgb4/cm.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
+index e8d2135df22db..f9ea863a80885 100644
+--- a/drivers/infiniband/hw/cxgb4/cm.c
++++ b/drivers/infiniband/hw/cxgb4/cm.c
+@@ -1180,6 +1180,8 @@ static int act_establish(struct c4iw_dev *dev, struct sk_buff *skb)
+ int ret;
+
+ ep = lookup_atid(t, atid);
++ if (!ep)
++ return -EINVAL;
+
+ pr_debug("ep %p tid %u snd_isn %u rcv_isn %u\n", ep, tid,
+ be32_to_cpu(req->snd_isn), be32_to_cpu(req->rcv_isn));
+@@ -2235,6 +2237,9 @@ static int act_open_rpl(struct c4iw_dev *dev, struct sk_buff *skb)
+ int ret = 0;
+
+ ep = lookup_atid(t, atid);
++ if (!ep)
++ return -EINVAL;
++
+ la = (struct sockaddr_in *)&ep->com.local_addr;
+ ra = (struct sockaddr_in *)&ep->com.remote_addr;
+ la6 = (struct sockaddr_in6 *)&ep->com.local_addr;
+--
+2.43.0
+
--- /dev/null
+From 04cd79452fca22ad6151e3ac5dc4967d9bf2723b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2024 13:33:36 +0200
+Subject: RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency
+
+From: Zhu Yanjun <yanjun.zhu@linux.dev>
+
+[ Upstream commit 86dfdd8288907f03c18b7fb462e0e232c4f98d89 ]
+
+In the commit aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to
+destroying CM IDs"), the function flush_workqueue is invoked to flush the
+work queue iwcm_wq.
+
+But at that time, the work queue iwcm_wq was created via the function
+alloc_ordered_workqueue without the flag WQ_MEM_RECLAIM.
+
+Because the current process is trying to flush the whole iwcm_wq, if
+iwcm_wq doesn't have the flag WQ_MEM_RECLAIM, verify that the current
+process is not reclaiming memory or running on a workqueue which doesn't
+have the flag WQ_MEM_RECLAIM as that can break forward-progress guarantee
+leading to a deadlock.
+
+The call trace is as below:
+
+[ 125.350876][ T1430] Call Trace:
+[ 125.356281][ T1430] <TASK>
+[ 125.361285][ T1430] ? __warn (kernel/panic.c:693)
+[ 125.367640][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9))
+[ 125.375689][ T1430] ? report_bug (lib/bug.c:180 lib/bug.c:219)
+[ 125.382505][ T1430] ? handle_bug (arch/x86/kernel/traps.c:239)
+[ 125.388987][ T1430] ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1))
+[ 125.395831][ T1430] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:621)
+[ 125.403125][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9))
+[ 125.410984][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9))
+[ 125.418764][ T1430] __flush_workqueue (kernel/workqueue.c:3970)
+[ 125.426021][ T1430] ? __pfx___might_resched (kernel/sched/core.c:10151)
+[ 125.433431][ T1430] ? destroy_cm_id (drivers/infiniband/core/iwcm.c:375) iw_cm
+[ 125.441209][ T1430] ? __pfx___flush_workqueue (kernel/workqueue.c:3910)
+[ 125.473900][ T1430] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:107 include/linux/atomic/atomic-arch-fallback.h:2170 include/linux/atomic/atomic-instrumented.h:1302 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:187 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
+[ 125.473909][ T1430] ? __pfx__raw_spin_lock_irqsave (kernel/locking/spinlock.c:161)
+[ 125.482537][ T1430] _destroy_id (drivers/infiniband/core/cma.c:2044) rdma_cm
+[ 125.495072][ T1430] nvme_rdma_free_queue (drivers/nvme/host/rdma.c:656 drivers/nvme/host/rdma.c:650) nvme_rdma
+[ 125.505827][ T1430] nvme_rdma_reset_ctrl_work (drivers/nvme/host/rdma.c:2180) nvme_rdma
+[ 125.505831][ T1430] process_one_work (kernel/workqueue.c:3231)
+[ 125.515122][ T1430] worker_thread (kernel/workqueue.c:3306 kernel/workqueue.c:3393)
+[ 125.515127][ T1430] ? __pfx_worker_thread (kernel/workqueue.c:3339)
+[ 125.531837][ T1430] kthread (kernel/kthread.c:389)
+[ 125.539864][ T1430] ? __pfx_kthread (kernel/kthread.c:342)
+[ 125.550628][ T1430] ret_from_fork (arch/x86/kernel/process.c:147)
+[ 125.558840][ T1430] ? __pfx_kthread (kernel/kthread.c:342)
+[ 125.558844][ T1430] ret_from_fork_asm (arch/x86/entry/entry_64.S:257)
+[ 125.566487][ T1430] </TASK>
+[ 125.566488][ T1430] ---[ end trace 0000000000000000 ]---
+
+Fixes: aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to destroying CM IDs")
+Link: https://patch.msgid.link/r/20240820113336.19860-1-yanjun.zhu@linux.dev
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Closes: https://lore.kernel.org/oe-lkp/202408151633.fc01893c-oliver.sang@intel.com
+Tested-by: kernel test robot <oliver.sang@intel.com>
+Signed-off-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/iwcm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c
+index 84fa7b727a2b2..6070488850ed8 100644
+--- a/drivers/infiniband/core/iwcm.c
++++ b/drivers/infiniband/core/iwcm.c
+@@ -1178,7 +1178,7 @@ static int __init iw_cm_init(void)
+ if (ret)
+ return ret;
+
+- iwcm_wq = alloc_ordered_workqueue("iw_cm_wq", 0);
++ iwcm_wq = alloc_ordered_workqueue("iw_cm_wq", WQ_MEM_RECLAIM);
+ if (!iwcm_wq)
+ goto err_alloc;
+
+--
+2.43.0
+
--- /dev/null
+From fa3d28c66db8387d8245b999e7c9fbf000a1ed17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Aug 2024 16:14:24 +0200
+Subject: reset: berlin: fix OF node leak in probe() error path
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 5f58a88cc91075be38cec69b7cb70aaa4ba69e8b ]
+
+Driver is leaking OF node reference on memory allocation failure.
+Acquire the OF node reference after memory allocation to fix this and
+keep it simple.
+
+Fixes: aed6f3cadc86 ("reset: berlin: convert to a platform driver")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Link: https://lore.kernel.org/r/20240825-reset-cleanup-scoped-v1-1-03f6d834f8c0@linaro.org
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/reset/reset-berlin.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/reset/reset-berlin.c b/drivers/reset/reset-berlin.c
+index 371197bbd0556..542d32719b8ae 100644
+--- a/drivers/reset/reset-berlin.c
++++ b/drivers/reset/reset-berlin.c
+@@ -68,13 +68,14 @@ static int berlin_reset_xlate(struct reset_controller_dev *rcdev,
+
+ static int berlin2_reset_probe(struct platform_device *pdev)
+ {
+- struct device_node *parent_np = of_get_parent(pdev->dev.of_node);
++ struct device_node *parent_np;
+ struct berlin_reset_priv *priv;
+
+ priv = devm_kzalloc(&pdev->dev, sizeof(*priv), GFP_KERNEL);
+ if (!priv)
+ return -ENOMEM;
+
++ parent_np = of_get_parent(pdev->dev.of_node);
+ priv->regmap = syscon_node_to_regmap(parent_np);
+ of_node_put(parent_np);
+ if (IS_ERR(priv->regmap))
+--
+2.43.0
+
--- /dev/null
+From a40401dbe10a2c827bf47f49c2e62808eae6cb91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 02:24:19 -0700
+Subject: selftests/bpf: Fix error compiling test_lru_map.c
+
+From: Tony Ambardar <tony.ambardar@gmail.com>
+
+[ Upstream commit cacf2a5a78cd1f5f616eae043ebc6f024104b721 ]
+
+Although the post-increment in macro 'CPU_SET(next++, &cpuset)' seems safe,
+the sequencing can raise compile errors, so move the increment outside the
+macro. This avoids an error seen using gcc 12.3.0 for mips64el/musl-libc:
+
+ In file included from test_lru_map.c:11:
+ test_lru_map.c: In function 'sched_next_online':
+ test_lru_map.c:129:29: error: operation on 'next' may be undefined [-Werror=sequence-point]
+ 129 | CPU_SET(next++, &cpuset);
+ | ^
+ cc1: all warnings being treated as errors
+
+Fixes: 3fbfadce6012 ("bpf: Fix test_lru_sanity5() in test_lru_map.c")
+Signed-off-by: Tony Ambardar <tony.ambardar@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/22993dfb11ccf27925a626b32672fd3324cb76c4.1722244708.git.tony.ambardar@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_lru_map.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/test_lru_map.c b/tools/testing/selftests/bpf/test_lru_map.c
+index 781c7de343be0..a9ed4b58c0879 100644
+--- a/tools/testing/selftests/bpf/test_lru_map.c
++++ b/tools/testing/selftests/bpf/test_lru_map.c
+@@ -76,7 +76,8 @@ static int sched_next_online(int pid, int *next_to_try)
+
+ while (next < nr_cpus) {
+ CPU_ZERO(&cpuset);
+- CPU_SET(next++, &cpuset);
++ CPU_SET(next, &cpuset);
++ next++;
+ if (!sched_setaffinity(pid, sizeof(cpuset), &cpuset)) {
+ ret = 0;
+ break;
+--
+2.43.0
+
--- /dev/null
+From 4f25d91c6fa317f332c5dce98a3ca2a5faa3a18a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Aug 2024 14:28:37 +0200
+Subject: selftests: vDSO: fix vDSO symbols lookup for powerpc64
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit ba83b3239e657469709d15dcea5f9b65bf9dbf34 ]
+
+On powerpc64, following tests fail locating vDSO functions:
+
+ ~ # ./vdso_test_abi
+ TAP version 13
+ 1..16
+ # [vDSO kselftest] VDSO_VERSION: LINUX_2.6.15
+ # Couldn't find __kernel_gettimeofday
+ ok 1 # SKIP __kernel_gettimeofday
+ # clock_id: CLOCK_REALTIME
+ # Couldn't find __kernel_clock_gettime
+ ok 2 # SKIP __kernel_clock_gettime CLOCK_REALTIME
+ # Couldn't find __kernel_clock_getres
+ ok 3 # SKIP __kernel_clock_getres CLOCK_REALTIME
+ ...
+ # Couldn't find __kernel_time
+ ok 16 # SKIP __kernel_time
+ # Totals: pass:0 fail:0 xfail:0 xpass:0 skip:16 error:0
+
+ ~ # ./vdso_test_getrandom
+ __kernel_getrandom is missing!
+
+ ~ # ./vdso_test_gettimeofday
+ Could not find __kernel_gettimeofday
+
+ ~ # ./vdso_test_getcpu
+ Could not find __kernel_getcpu
+
+On powerpc64, as shown below by readelf, vDSO functions symbols have
+type NOTYPE, so also accept that type when looking for symbols.
+
+$ powerpc64-linux-gnu-readelf -a arch/powerpc/kernel/vdso/vdso64.so.dbg
+ELF Header:
+ Magic: 7f 45 4c 46 02 02 01 00 00 00 00 00 00 00 00 00
+ Class: ELF64
+ Data: 2's complement, big endian
+ Version: 1 (current)
+ OS/ABI: UNIX - System V
+ ABI Version: 0
+ Type: DYN (Shared object file)
+ Machine: PowerPC64
+ Version: 0x1
+...
+
+Symbol table '.dynsym' contains 12 entries:
+ Num: Value Size Type Bind Vis Ndx Name
+ 0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND
+ 1: 0000000000000524 84 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
+ 2: 00000000000005f0 36 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
+ 3: 0000000000000578 68 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
+ 4: 0000000000000000 0 OBJECT GLOBAL DEFAULT ABS LINUX_2.6.15
+ 5: 00000000000006c0 48 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
+ 6: 0000000000000614 172 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
+ 7: 00000000000006f0 84 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
+ 8: 000000000000047c 84 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
+ 9: 0000000000000454 12 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
+ 10: 00000000000004d0 84 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
+ 11: 00000000000005bc 52 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
+
+Symbol table '.symtab' contains 56 entries:
+ Num: Value Size Type Bind Vis Ndx Name
+...
+ 45: 0000000000000000 0 OBJECT GLOBAL DEFAULT ABS LINUX_2.6.15
+ 46: 00000000000006c0 48 NOTYPE GLOBAL DEFAULT 8 __kernel_getcpu
+ 47: 0000000000000524 84 NOTYPE GLOBAL DEFAULT 8 __kernel_clock_getres
+ 48: 00000000000005f0 36 NOTYPE GLOBAL DEFAULT 8 __kernel_get_tbfreq
+ 49: 000000000000047c 84 NOTYPE GLOBAL DEFAULT 8 __kernel_gettimeofday
+ 50: 0000000000000614 172 NOTYPE GLOBAL DEFAULT 8 __kernel_sync_dicache
+ 51: 00000000000006f0 84 NOTYPE GLOBAL DEFAULT 8 __kernel_getrandom
+ 52: 0000000000000454 12 NOTYPE GLOBAL DEFAULT 8 __kernel_sigtram[...]
+ 53: 0000000000000578 68 NOTYPE GLOBAL DEFAULT 8 __kernel_time
+ 54: 00000000000004d0 84 NOTYPE GLOBAL DEFAULT 8 __kernel_clock_g[...]
+ 55: 00000000000005bc 52 NOTYPE GLOBAL DEFAULT 8 __kernel_get_sys[...]
+
+Fixes: 98eedc3a9dbf ("Document the vDSO and add a reference parser")
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Acked-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/vDSO/parse_vdso.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/vDSO/parse_vdso.c b/tools/testing/selftests/vDSO/parse_vdso.c
+index 9ef3ad3789c17..540f9a284e9f0 100644
+--- a/tools/testing/selftests/vDSO/parse_vdso.c
++++ b/tools/testing/selftests/vDSO/parse_vdso.c
+@@ -238,7 +238,8 @@ void *vdso_sym(const char *version, const char *name)
+ ELF(Sym) *sym = &vdso_info.symtab[chain];
+
+ /* Check for a defined global or weak function w/ right name. */
+- if (ELF64_ST_TYPE(sym->st_info) != STT_FUNC)
++ if (ELF64_ST_TYPE(sym->st_info) != STT_FUNC &&
++ ELF64_ST_TYPE(sym->st_info) != STT_NOTYPE)
+ continue;
+ if (ELF64_ST_BIND(sym->st_info) != STB_GLOBAL &&
+ ELF64_ST_BIND(sym->st_info) != STB_WEAK)
+--
+2.43.0
+
ocfs2-strict-bound-check-before-memcmp-in-ocfs2_xatt.patch
gpio-prevent-potential-speculation-leaks-in-gpio_device_get_desc.patch
usb-serial-pl2303-add-device-id-for-macrosilicon-ms3020.patch
+acpi-pmic-remove-unneeded-check-in-tps68470_pmic_opr.patch
+wifi-ath9k-fix-parameter-check-in-ath9k_init_debug.patch
+wifi-ath9k-remove-error-checks-when-creating-debugfs.patch
+netfilter-nf_tables-elements-with-timeout-below-conf.patch
+wifi-cfg80211-fix-ubsan-noise-in-cfg80211_wext_siwsc.patch
+wifi-cfg80211-fix-two-more-possible-ubsan-detected-o.patch
+wifi-mac80211-use-two-phase-skb-reclamation-in-ieee8.patch
+can-bcm-clear-bo-bcm_proc_read-after-remove_proc_ent.patch
+bluetooth-btusb-fix-not-handling-zpl-short-transfer.patch
+block-bfq-fix-possible-uaf-for-bfqq-bic-with-merge-c.patch
+block-bfq-choose-the-last-bfqq-from-merge-chain-in-b.patch
+block-bfq-don-t-break-merge-chain-in-bfq_split_bfqq.patch
+spi-ppc4xx-handle-irq_of_parse_and_map-errors.patch
+spi-ppc4xx-avoid-returning-0-when-failed-to-parse-an.patch
+arm-versatile-fix-of-node-leak-in-cpus-prepare.patch
+reset-berlin-fix-of-node-leak-in-probe-error-path.patch
+clocksource-drivers-qcom-add-missing-iounmap-on-erro.patch
+hwmon-max16065-fix-overflows-seen-when-writing-limit.patch
+mtd-slram-insert-break-after-errors-in-parsing-the-m.patch
+hwmon-ntc_thermistor-fix-module-autoloading.patch
+power-supply-max17042_battery-fix-soc-threshold-calc.patch
+fbdev-hpfb-fix-an-error-handling-path-in-hpfb_dio_pr.patch
+drm-stm-fix-an-error-handling-path-in-stm_drm_platfo.patch
+drm-amd-fix-typo.patch
+drm-amdgpu-replace-one-element-array-with-flexible-a.patch
+drm-amdgpu-properly-handle-vbios-fake-edid-sizing.patch
+drm-radeon-replace-one-element-array-with-flexible-a.patch
+drm-radeon-properly-handle-vbios-fake-edid-sizing.patch
+drm-rockchip-vop-allow-4096px-width-scaling.patch
+drm-radeon-evergreen_cs-fix-int-overflow-errors-in-c.patch
+jfs-fix-out-of-bounds-in-dbnextag-and-dialloc.patch
+selftests-vdso-fix-vdso-symbols-lookup-for-powerpc64.patch
+drm-msm-a5xx-properly-clear-preemption-records-on-re.patch
+drm-msm-a5xx-fix-races-in-preemption-evaluation-stag.patch
+ipmi-docs-don-t-advertise-deprecated-sysfs-entries.patch
+drm-msm-fix-s-null-argument-error.patch
+xen-use-correct-end-address-of-kernel-for-conflict-c.patch
+mm-add-page_align_down-macro.patch
+minmax-avoid-overly-complex-min-max-macro-arguments-.patch
+xen-introduce-generic-helper-checking-for-memory-map.patch
+xen-move-max_pfn-in-xen_memory_setup-out-of-function.patch
+xen-add-capability-to-remap-non-ram-pages-to-differe.patch
+xen-tolerate-acpi-nvs-memory-overlapping-with-xen-al.patch
+xen-swiotlb-simplify-range_straddles_page_boundary.patch
+xen-swiotlb-add-alignment-check-for-dma-buffers.patch
+selftests-bpf-fix-error-compiling-test_lru_map.c.patch
+xz-cleanup-crc32-edits-from-2018.patch
+kthread-add-kthread_work-tracepoints.patch
+kthread-fix-task-state-in-kthread-worker-if-being-fr.patch
+jbd2-introduce-export-functions-jbd2_journal_submit-.patch
+ext4-clear-ext4_group_info_was_trimmed_bit-even-moun.patch
+smackfs-use-rcu_assign_pointer-to-ensure-safe-assign.patch
+ext4-avoid-negative-min_clusters-in-find_group_orlov.patch
+ext4-return-error-on-ext4_find_inline_entry.patch
+ext4-avoid-oob-when-system.data-xattr-changes-undern.patch
+nilfs2-fix-potential-null-ptr-deref-in-nilfs_btree_i.patch
+nilfs2-determine-empty-node-blocks-as-corrupted.patch
+nilfs2-fix-potential-oob-read-in-nilfs_btree_check_d.patch
+perf-sched-timehist-fix-missing-free-of-session-in-p.patch
+perf-sched-timehist-fixed-timestamp-error-when-unabl.patch
+perf-time-utils-fix-32-bit-nsec-parsing.patch
+clk-rockchip-set-parent-rate-for-dclk_vop-clock-on-r.patch
+drivers-media-dvb-frontends-rtl2832-fix-an-out-of-bo.patch
+drivers-media-dvb-frontends-rtl2830-fix-an-out-of-bo.patch
+pci-xilinx-nwl-fix-register-misspelling.patch
+rdma-iwcm-fix-warning-at_kernel-workqueue.c-check_fl.patch
+pinctrl-single-fix-missing-error-code-in-pcs_probe.patch
+clk-ti-dra7-atl-fix-leak-of-of_nodes.patch
+pinctrl-mvebu-use-devm_platform_get_and_ioremap_reso.patch
+pinctrl-mvebu-fix-devinit_dove_pinctrl_probe-functio.patch
+rdma-cxgb4-added-null-check-for-lookup_atid.patch
+ntb-intel-fix-the-null-vs-is_err-bug-for-debugfs_cre.patch
+nfsd-call-cache_put-if-xdr_reserve_space-returns-nul.patch
+f2fs-enhance-to-update-i_mode-and-acl-atomically-in-.patch
+f2fs-fix-typo.patch
+f2fs-fix-to-update-i_ctime-in-__f2fs_setxattr.patch
+f2fs-remove-unneeded-check-condition-in-__f2fs_setxa.patch
+f2fs-reduce-expensive-checkpoint-trigger-frequency.patch
+coresight-tmc-sg-do-not-leak-sg_table.patch
+netfilter-nf_reject_ipv6-fix-nf_reject_ip6_tcphdr_pu.patch
+net-seeq-fix-use-after-free-vulnerability-in-ether3-.patch
+tcp-introduce-tcp_skb_timestamp_us-helper.patch
+tcp-check-skb-is-non-null-in-tcp_rto_delta_us.patch
+net-qrtr-update-packets-cloning-when-broadcasting.patch
+netfilter-ctnetlink-compile-ctnetlink_label_size-wit.patch
--- /dev/null
+From 740cff402e93cc897d9e3b0171fa959a2d8ae384 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Sep 2024 08:47:26 +0000
+Subject: smackfs: Use rcu_assign_pointer() to ensure safe assignment in
+ smk_set_cipso
+
+From: Jiawei Ye <jiawei.ye@foxmail.com>
+
+[ Upstream commit 2749749afa071f8a0e405605de9da615e771a7ce ]
+
+In the `smk_set_cipso` function, the `skp->smk_netlabel.attr.mls.cat`
+field is directly assigned to a new value without using the appropriate
+RCU pointer assignment functions. According to RCU usage rules, this is
+illegal and can lead to unpredictable behavior, including data
+inconsistencies and impossible-to-diagnose memory corruption issues.
+
+This possible bug was identified using a static analysis tool developed
+by myself, specifically designed to detect RCU-related issues.
+
+To address this, the assignment is now done using rcu_assign_pointer(),
+which ensures that the pointer assignment is done safely, with the
+necessary memory barriers and synchronization. This change prevents
+potential RCU dereference issues by ensuring that the `cat` field is
+safely updated while still adhering to RCU's requirements.
+
+Fixes: 0817534ff9ea ("smackfs: Fix use-after-free in netlbl_catmap_walk()")
+Signed-off-by: Jiawei Ye <jiawei.ye@foxmail.com>
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/smack/smackfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
+index 61e734baa332a..83dbfa26a6518 100644
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -948,7 +948,7 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
+ rc = smk_netlbl_mls(maplevel, mapcatset, &ncats, SMK_CIPSOLEN);
+ if (rc >= 0) {
+ old_cat = skp->smk_netlabel.attr.mls.cat;
+- skp->smk_netlabel.attr.mls.cat = ncats.attr.mls.cat;
++ rcu_assign_pointer(skp->smk_netlabel.attr.mls.cat, ncats.attr.mls.cat);
+ skp->smk_netlabel.attr.mls.lvl = ncats.attr.mls.lvl;
+ synchronize_rcu();
+ netlbl_catmap_free(old_cat);
+--
+2.43.0
+
--- /dev/null
+From fd7bf863e56a6b660090e2203a96607a2a3e7bbc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Aug 2024 17:45:12 +0300
+Subject: spi: ppc4xx: Avoid returning 0 when failed to parse and map IRQ
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 7781f1d120fec8624fc654eda900fc8748262082 ]
+
+0 is incorrect error code when failed to parse and map IRQ.
+Replace OF specific old API for IRQ retrieval with a generic
+one to fix this issue.
+
+Fixes: 0f245463b01e ("spi: ppc4xx: handle irq_of_parse_and_map() errors")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://patch.msgid.link/20240814144525.2648450-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-ppc4xx.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/spi/spi-ppc4xx.c b/drivers/spi/spi-ppc4xx.c
+index 8a1290fb4dd9d..7e8fc572f26cc 100644
+--- a/drivers/spi/spi-ppc4xx.c
++++ b/drivers/spi/spi-ppc4xx.c
+@@ -29,7 +29,6 @@
+ #include <linux/errno.h>
+ #include <linux/wait.h>
+ #include <linux/of_address.h>
+-#include <linux/of_irq.h>
+ #include <linux/of_platform.h>
+ #include <linux/of_gpio.h>
+ #include <linux/interrupt.h>
+@@ -494,9 +493,10 @@ static int spi_ppc4xx_of_probe(struct platform_device *op)
+ }
+
+ /* Request IRQ */
+- hw->irqnum = irq_of_parse_and_map(np, 0);
+- if (hw->irqnum <= 0)
++ ret = platform_get_irq(op, 0);
++ if (ret < 0)
+ goto free_host;
++ hw->irqnum = ret;
+
+ ret = request_irq(hw->irqnum, spi_ppc4xx_int,
+ 0, "spi_ppc4xx_of", (void *)hw);
+--
+2.43.0
+
--- /dev/null
+From 6c4e13cd2945c92bd38219a64b0e36ed8380d8fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jul 2024 16:40:47 +0800
+Subject: spi: ppc4xx: handle irq_of_parse_and_map() errors
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+[ Upstream commit 0f245463b01ea254ae90e1d0389e90b0e7d8dc75 ]
+
+Zero and negative number is not a valid IRQ for in-kernel code and the
+irq_of_parse_and_map() function returns zero on error. So this check for
+valid IRQs should only accept values > 0.
+
+Fixes: 44dab88e7cc9 ("spi: add spi_ppc4xx driver")
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+Link: https://patch.msgid.link/20240724084047.1506084-1-make24@iscas.ac.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-ppc4xx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/spi/spi-ppc4xx.c b/drivers/spi/spi-ppc4xx.c
+index 58765a62fc15b..8a1290fb4dd9d 100644
+--- a/drivers/spi/spi-ppc4xx.c
++++ b/drivers/spi/spi-ppc4xx.c
+@@ -495,6 +495,9 @@ static int spi_ppc4xx_of_probe(struct platform_device *op)
+
+ /* Request IRQ */
+ hw->irqnum = irq_of_parse_and_map(np, 0);
++ if (hw->irqnum <= 0)
++ goto free_host;
++
+ ret = request_irq(hw->irqnum, spi_ppc4xx_int,
+ 0, "spi_ppc4xx_of", (void *)hw);
+ if (ret) {
+--
+2.43.0
+
--- /dev/null
+From 555b1c0993c802700c46543e76aa94f85baee7b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Sep 2024 15:08:22 -0400
+Subject: tcp: check skb is non-NULL in tcp_rto_delta_us()
+
+From: Josh Hunt <johunt@akamai.com>
+
+[ Upstream commit c8770db2d54437a5f49417ae7b46f7de23d14db6 ]
+
+We have some machines running stock Ubuntu 20.04.6 which is their 5.4.0-174-generic
+kernel that are running ceph and recently hit a null ptr dereference in
+tcp_rearm_rto(). Initially hitting it from the TLP path, but then later we also
+saw it getting hit from the RACK case as well. Here are examples of the oops
+messages we saw in each of those cases:
+
+Jul 26 15:05:02 rx [11061395.780353] BUG: kernel NULL pointer dereference, address: 0000000000000020
+Jul 26 15:05:02 rx [11061395.787572] #PF: supervisor read access in kernel mode
+Jul 26 15:05:02 rx [11061395.792971] #PF: error_code(0x0000) - not-present page
+Jul 26 15:05:02 rx [11061395.798362] PGD 0 P4D 0
+Jul 26 15:05:02 rx [11061395.801164] Oops: 0000 [#1] SMP NOPTI
+Jul 26 15:05:02 rx [11061395.805091] CPU: 0 PID: 9180 Comm: msgr-worker-1 Tainted: G W 5.4.0-174-generic #193-Ubuntu
+Jul 26 15:05:02 rx [11061395.814996] Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR, BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023
+Jul 26 15:05:02 rx [11061395.825952] RIP: 0010:tcp_rearm_rto+0xe4/0x160
+Jul 26 15:05:02 rx [11061395.830656] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3 49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef e8 0c fe 0e 00 <48> 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00 00 48 f7 e3
+Jul 26 15:05:02 rx [11061395.849665] RSP: 0018:ffffb75d40003e08 EFLAGS: 00010246
+Jul 26 15:05:02 rx [11061395.855149] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX: 0000000000000000
+Jul 26 15:05:02 rx [11061395.862542] RDX: 0000000062177c30 RSI: 000000000000231c RDI: ffff9874ad283a60
+Jul 26 15:05:02 rx [11061395.869933] RBP: ffffb75d40003e20 R08: 0000000000000000 R09: ffff987605e20aa8
+Jul 26 15:05:02 rx [11061395.877318] R10: ffffb75d40003f00 R11: ffffb75d4460f740 R12: ffff9874ad283900
+Jul 26 15:05:02 rx [11061395.884710] R13: ffff9874ad283a60 R14: ffff9874ad283980 R15: ffff9874ad283d30
+Jul 26 15:05:02 rx [11061395.892095] FS: 00007f1ef4a2e700(0000) GS:ffff987605e00000(0000) knlGS:0000000000000000
+Jul 26 15:05:02 rx [11061395.900438] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+Jul 26 15:05:02 rx [11061395.906435] CR2: 0000000000000020 CR3: 0000003e450ba003 CR4: 0000000000760ef0
+Jul 26 15:05:02 rx [11061395.913822] PKRU: 55555554
+Jul 26 15:05:02 rx [11061395.916786] Call Trace:
+Jul 26 15:05:02 rx [11061395.919488]
+Jul 26 15:05:02 rx [11061395.921765] ? show_regs.cold+0x1a/0x1f
+Jul 26 15:05:02 rx [11061395.925859] ? __die+0x90/0xd9
+Jul 26 15:05:02 rx [11061395.929169] ? no_context+0x196/0x380
+Jul 26 15:05:02 rx [11061395.933088] ? ip6_protocol_deliver_rcu+0x4e0/0x4e0
+Jul 26 15:05:02 rx [11061395.938216] ? ip6_sublist_rcv_finish+0x3d/0x50
+Jul 26 15:05:02 rx [11061395.943000] ? __bad_area_nosemaphore+0x50/0x1a0
+Jul 26 15:05:02 rx [11061395.947873] ? bad_area_nosemaphore+0x16/0x20
+Jul 26 15:05:02 rx [11061395.952486] ? do_user_addr_fault+0x267/0x450
+Jul 26 15:05:02 rx [11061395.957104] ? ipv6_list_rcv+0x112/0x140
+Jul 26 15:05:02 rx [11061395.961279] ? __do_page_fault+0x58/0x90
+Jul 26 15:05:02 rx [11061395.965458] ? do_page_fault+0x2c/0xe0
+Jul 26 15:05:02 rx [11061395.969465] ? page_fault+0x34/0x40
+Jul 26 15:05:02 rx [11061395.973217] ? tcp_rearm_rto+0xe4/0x160
+Jul 26 15:05:02 rx [11061395.977313] ? tcp_rearm_rto+0xe4/0x160
+Jul 26 15:05:02 rx [11061395.981408] tcp_send_loss_probe+0x10b/0x220
+Jul 26 15:05:02 rx [11061395.985937] tcp_write_timer_handler+0x1b4/0x240
+Jul 26 15:05:02 rx [11061395.990809] tcp_write_timer+0x9e/0xe0
+Jul 26 15:05:02 rx [11061395.994814] ? tcp_write_timer_handler+0x240/0x240
+Jul 26 15:05:02 rx [11061395.999866] call_timer_fn+0x32/0x130
+Jul 26 15:05:02 rx [11061396.003782] __run_timers.part.0+0x180/0x280
+Jul 26 15:05:02 rx [11061396.008309] ? recalibrate_cpu_khz+0x10/0x10
+Jul 26 15:05:02 rx [11061396.012841] ? native_x2apic_icr_write+0x30/0x30
+Jul 26 15:05:02 rx [11061396.017718] ? lapic_next_event+0x21/0x30
+Jul 26 15:05:02 rx [11061396.021984] ? clockevents_program_event+0x8f/0xe0
+Jul 26 15:05:02 rx [11061396.027035] run_timer_softirq+0x2a/0x50
+Jul 26 15:05:02 rx [11061396.031212] __do_softirq+0xd1/0x2c1
+Jul 26 15:05:02 rx [11061396.035044] do_softirq_own_stack+0x2a/0x40
+Jul 26 15:05:02 rx [11061396.039480]
+Jul 26 15:05:02 rx [11061396.041840] do_softirq.part.0+0x46/0x50
+Jul 26 15:05:02 rx [11061396.046022] __local_bh_enable_ip+0x50/0x60
+Jul 26 15:05:02 rx [11061396.050460] _raw_spin_unlock_bh+0x1e/0x20
+Jul 26 15:05:02 rx [11061396.054817] nf_conntrack_tcp_packet+0x29e/0xbe0 [nf_conntrack]
+Jul 26 15:05:02 rx [11061396.060994] ? get_l4proto+0xe7/0x190 [nf_conntrack]
+Jul 26 15:05:02 rx [11061396.066220] nf_conntrack_in+0xe9/0x670 [nf_conntrack]
+Jul 26 15:05:02 rx [11061396.071618] ipv6_conntrack_local+0x14/0x20 [nf_conntrack]
+Jul 26 15:05:02 rx [11061396.077356] nf_hook_slow+0x45/0xb0
+Jul 26 15:05:02 rx [11061396.081098] ip6_xmit+0x3f0/0x5d0
+Jul 26 15:05:02 rx [11061396.084670] ? ipv6_anycast_cleanup+0x50/0x50
+Jul 26 15:05:02 rx [11061396.089282] ? __sk_dst_check+0x38/0x70
+Jul 26 15:05:02 rx [11061396.093381] ? inet6_csk_route_socket+0x13b/0x200
+Jul 26 15:05:02 rx [11061396.098346] inet6_csk_xmit+0xa7/0xf0
+Jul 26 15:05:02 rx [11061396.102263] __tcp_transmit_skb+0x550/0xb30
+Jul 26 15:05:02 rx [11061396.106701] tcp_write_xmit+0x3c6/0xc20
+Jul 26 15:05:02 rx [11061396.110792] ? __alloc_skb+0x98/0x1d0
+Jul 26 15:05:02 rx [11061396.114708] __tcp_push_pending_frames+0x37/0x100
+Jul 26 15:05:02 rx [11061396.119667] tcp_push+0xfd/0x100
+Jul 26 15:05:02 rx [11061396.123150] tcp_sendmsg_locked+0xc70/0xdd0
+Jul 26 15:05:02 rx [11061396.127588] tcp_sendmsg+0x2d/0x50
+Jul 26 15:05:02 rx [11061396.131245] inet6_sendmsg+0x43/0x70
+Jul 26 15:05:02 rx [11061396.135075] __sock_sendmsg+0x48/0x70
+Jul 26 15:05:02 rx [11061396.138994] ____sys_sendmsg+0x212/0x280
+Jul 26 15:05:02 rx [11061396.143172] ___sys_sendmsg+0x88/0xd0
+Jul 26 15:05:02 rx [11061396.147098] ? __seccomp_filter+0x7e/0x6b0
+Jul 26 15:05:02 rx [11061396.151446] ? __switch_to+0x39c/0x460
+Jul 26 15:05:02 rx [11061396.155453] ? __switch_to_asm+0x42/0x80
+Jul 26 15:05:02 rx [11061396.159636] ? __switch_to_asm+0x5a/0x80
+Jul 26 15:05:02 rx [11061396.163816] __sys_sendmsg+0x5c/0xa0
+Jul 26 15:05:02 rx [11061396.167647] __x64_sys_sendmsg+0x1f/0x30
+Jul 26 15:05:02 rx [11061396.171832] do_syscall_64+0x57/0x190
+Jul 26 15:05:02 rx [11061396.175748] entry_SYSCALL_64_after_hwframe+0x5c/0xc1
+Jul 26 15:05:02 rx [11061396.181055] RIP: 0033:0x7f1ef692618d
+Jul 26 15:05:02 rx [11061396.184893] Code: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 ca ee ff ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 48 89 44 24 08 e8 fe ee ff ff 48
+Jul 26 15:05:02 rx [11061396.203889] RSP: 002b:00007f1ef4a26aa0 EFLAGS: 00000293 ORIG_RAX: 000000000000002e
+Jul 26 15:05:02 rx [11061396.211708] RAX: ffffffffffffffda RBX: 000000000000084b RCX: 00007f1ef692618d
+Jul 26 15:05:02 rx [11061396.219091] RDX: 0000000000004000 RSI: 00007f1ef4a26b10 RDI: 0000000000000275
+Jul 26 15:05:02 rx [11061396.226475] RBP: 0000000000004000 R08: 0000000000000000 R09: 0000000000000020
+Jul 26 15:05:02 rx [11061396.233859] R10: 0000000000000000 R11: 0000000000000293 R12: 000000000000084b
+Jul 26 15:05:02 rx [11061396.241243] R13: 00007f1ef4a26b10 R14: 0000000000000275 R15: 000055592030f1e8
+Jul 26 15:05:02 rx [11061396.248628] Modules linked in: vrf bridge stp llc vxlan ip6_udp_tunnel udp_tunnel nls_iso8859_1 amd64_edac_mod edac_mce_amd kvm_amd kvm crct10dif_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper wmi_bmof ipmi_ssif input_leds joydev rndis_host cdc_ether usbnet mii ast drm_vram_helper ttm drm_kms_helper i2c_algo_bit fb_sys_fops syscopyarea sysfillrect sysimgblt ccp mac_hid ipmi_si ipmi_devintf ipmi_msghandler nft_ct sch_fq_codel nf_tables_set nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink ramoops reed_solomon efi_pstore drm ip_tables x_tables autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid0 multipath linear mlx5_ib ib_uverbs ib_core raid1 mlx5_core hid_generic pci_hyperv_intf crc32_pclmul tls usbhid ahci mlxfw bnxt_en libahci hid nvme i2c_piix4 nvme_core wmi
+Jul 26 15:05:02 rx [11061396.324334] CR2: 0000000000000020
+Jul 26 15:05:02 rx [11061396.327944] ---[ end trace 68a2b679d1cfb4f1 ]---
+Jul 26 15:05:02 rx [11061396.433435] RIP: 0010:tcp_rearm_rto+0xe4/0x160
+Jul 26 15:05:02 rx [11061396.438137] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3 49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef e8 0c fe 0e 00 <48> 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00 00 48 f7 e3
+Jul 26 15:05:02 rx [11061396.457144] RSP: 0018:ffffb75d40003e08 EFLAGS: 00010246
+Jul 26 15:05:02 rx [11061396.462629] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX: 0000000000000000
+Jul 26 15:05:02 rx [11061396.470012] RDX: 0000000062177c30 RSI: 000000000000231c RDI: ffff9874ad283a60
+Jul 26 15:05:02 rx [11061396.477396] RBP: ffffb75d40003e20 R08: 0000000000000000 R09: ffff987605e20aa8
+Jul 26 15:05:02 rx [11061396.484779] R10: ffffb75d40003f00 R11: ffffb75d4460f740 R12: ffff9874ad283900
+Jul 26 15:05:02 rx [11061396.492164] R13: ffff9874ad283a60 R14: ffff9874ad283980 R15: ffff9874ad283d30
+Jul 26 15:05:02 rx [11061396.499547] FS: 00007f1ef4a2e700(0000) GS:ffff987605e00000(0000) knlGS:0000000000000000
+Jul 26 15:05:02 rx [11061396.507886] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+Jul 26 15:05:02 rx [11061396.513884] CR2: 0000000000000020 CR3: 0000003e450ba003 CR4: 0000000000760ef0
+Jul 26 15:05:02 rx [11061396.521267] PKRU: 55555554
+Jul 26 15:05:02 rx [11061396.524230] Kernel panic - not syncing: Fatal exception in interrupt
+Jul 26 15:05:02 rx [11061396.530885] Kernel Offset: 0x1b200000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
+Jul 26 15:05:03 rx [11061396.660181] ---[ end Kernel panic - not syncing: Fatal
+ exception in interrupt ]---
+
+After we hit this we disabled TLP by setting tcp_early_retrans to 0 and then hit the crash in the RACK case:
+
+Aug 7 07:26:16 rx [1006006.265582] BUG: kernel NULL pointer dereference, address: 0000000000000020
+Aug 7 07:26:16 rx [1006006.272719] #PF: supervisor read access in kernel mode
+Aug 7 07:26:16 rx [1006006.278030] #PF: error_code(0x0000) - not-present page
+Aug 7 07:26:16 rx [1006006.283343] PGD 0 P4D 0
+Aug 7 07:26:16 rx [1006006.286057] Oops: 0000 [#1] SMP NOPTI
+Aug 7 07:26:16 rx [1006006.289896] CPU: 5 PID: 0 Comm: swapper/5 Tainted: G W 5.4.0-174-generic #193-Ubuntu
+Aug 7 07:26:16 rx [1006006.299107] Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR, BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023
+Aug 7 07:26:16 rx [1006006.309970] RIP: 0010:tcp_rearm_rto+0xe4/0x160
+Aug 7 07:26:16 rx [1006006.314584] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3 49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef e8 0c fe 0e 00 <48> 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00 00 48 f7 e3
+Aug 7 07:26:16 rx [1006006.333499] RSP: 0018:ffffb42600a50960 EFLAGS: 00010246
+Aug 7 07:26:16 rx [1006006.338895] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX: 0000000000000000
+Aug 7 07:26:16 rx [1006006.346193] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff92d687ed8160
+Aug 7 07:26:16 rx [1006006.353489] RBP: ffffb42600a50978 R08: 0000000000000000 R09: 00000000cd896dcc
+Aug 7 07:26:16 rx [1006006.360786] R10: ffff92dc3404f400 R11: 0000000000000001 R12: ffff92d687ed8000
+Aug 7 07:26:16 rx [1006006.368084] R13: ffff92d687ed8160 R14: 00000000cd896dcc R15: 00000000cd8fca81
+Aug 7 07:26:16 rx [1006006.375381] FS: 0000000000000000(0000) GS:ffff93158ad40000(0000) knlGS:0000000000000000
+Aug 7 07:26:16 rx [1006006.383632] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+Aug 7 07:26:16 rx [1006006.389544] CR2: 0000000000000020 CR3: 0000003e775ce006 CR4: 0000000000760ee0
+Aug 7 07:26:16 rx [1006006.396839] PKRU: 55555554
+Aug 7 07:26:16 rx [1006006.399717] Call Trace:
+Aug 7 07:26:16 rx [1006006.402335]
+Aug 7 07:26:16 rx [1006006.404525] ? show_regs.cold+0x1a/0x1f
+Aug 7 07:26:16 rx [1006006.408532] ? __die+0x90/0xd9
+Aug 7 07:26:16 rx [1006006.411760] ? no_context+0x196/0x380
+Aug 7 07:26:16 rx [1006006.415599] ? __bad_area_nosemaphore+0x50/0x1a0
+Aug 7 07:26:16 rx [1006006.420392] ? _raw_spin_lock+0x1e/0x30
+Aug 7 07:26:16 rx [1006006.424401] ? bad_area_nosemaphore+0x16/0x20
+Aug 7 07:26:16 rx [1006006.428927] ? do_user_addr_fault+0x267/0x450
+Aug 7 07:26:16 rx [1006006.433450] ? __do_page_fault+0x58/0x90
+Aug 7 07:26:16 rx [1006006.437542] ? do_page_fault+0x2c/0xe0
+Aug 7 07:26:16 rx [1006006.441470] ? page_fault+0x34/0x40
+Aug 7 07:26:16 rx [1006006.445134] ? tcp_rearm_rto+0xe4/0x160
+Aug 7 07:26:16 rx [1006006.449145] tcp_ack+0xa32/0xb30
+Aug 7 07:26:16 rx [1006006.452542] tcp_rcv_established+0x13c/0x670
+Aug 7 07:26:16 rx [1006006.456981] ? sk_filter_trim_cap+0x48/0x220
+Aug 7 07:26:16 rx [1006006.461419] tcp_v6_do_rcv+0xdb/0x450
+Aug 7 07:26:16 rx [1006006.465257] tcp_v6_rcv+0xc2b/0xd10
+Aug 7 07:26:16 rx [1006006.468918] ip6_protocol_deliver_rcu+0xd3/0x4e0
+Aug 7 07:26:16 rx [1006006.473706] ip6_input_finish+0x15/0x20
+Aug 7 07:26:16 rx [1006006.477710] ip6_input+0xa2/0xb0
+Aug 7 07:26:16 rx [1006006.481109] ? ip6_protocol_deliver_rcu+0x4e0/0x4e0
+Aug 7 07:26:16 rx [1006006.486151] ip6_sublist_rcv_finish+0x3d/0x50
+Aug 7 07:26:16 rx [1006006.490679] ip6_sublist_rcv+0x1aa/0x250
+Aug 7 07:26:16 rx [1006006.494779] ? ip6_rcv_finish_core.isra.0+0xa0/0xa0
+Aug 7 07:26:16 rx [1006006.499828] ipv6_list_rcv+0x112/0x140
+Aug 7 07:26:16 rx [1006006.503748] __netif_receive_skb_list_core+0x1a4/0x250
+Aug 7 07:26:16 rx [1006006.509057] netif_receive_skb_list_internal+0x1a1/0x2b0
+Aug 7 07:26:16 rx [1006006.514538] gro_normal_list.part.0+0x1e/0x40
+Aug 7 07:26:16 rx [1006006.519068] napi_complete_done+0x91/0x130
+Aug 7 07:26:16 rx [1006006.523352] mlx5e_napi_poll+0x18e/0x610 [mlx5_core]
+Aug 7 07:26:16 rx [1006006.528481] net_rx_action+0x142/0x390
+Aug 7 07:26:16 rx [1006006.532398] __do_softirq+0xd1/0x2c1
+Aug 7 07:26:16 rx [1006006.536142] irq_exit+0xae/0xb0
+Aug 7 07:26:16 rx [1006006.539452] do_IRQ+0x5a/0xf0
+Aug 7 07:26:16 rx [1006006.542590] common_interrupt+0xf/0xf
+Aug 7 07:26:16 rx [1006006.546421]
+Aug 7 07:26:16 rx [1006006.548695] RIP: 0010:native_safe_halt+0xe/0x10
+Aug 7 07:26:16 rx [1006006.553399] Code: 7b ff ff ff eb bd 90 90 90 90 90 90 e9 07 00 00 00 0f 00 2d 36 2c 50 00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 26 2c 50 00 fb f4 90 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 53 e8 dd 5e 61 ff 65
+Aug 7 07:26:16 rx [1006006.572309] RSP: 0018:ffffb42600177e70 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffc2
+Aug 7 07:26:16 rx [1006006.580040] RAX: ffffffff8ed08b20 RBX: 0000000000000005 RCX: 0000000000000001
+Aug 7 07:26:16 rx [1006006.587337] RDX: 00000000f48eeca2 RSI: 0000000000000082 RDI: 0000000000000082
+Aug 7 07:26:16 rx [1006006.594635] RBP: ffffb42600177e90 R08: 0000000000000000 R09: 000000000000020f
+Aug 7 07:26:16 rx [1006006.601931] R10: 0000000000100000 R11: 0000000000000000 R12: 0000000000000005
+Aug 7 07:26:16 rx [1006006.609229] R13: ffff93157deb5f00 R14: 0000000000000000 R15: 0000000000000000
+Aug 7 07:26:16 rx [1006006.616530] ? __cpuidle_text_start+0x8/0x8
+Aug 7 07:26:16 rx [1006006.620886] ? default_idle+0x20/0x140
+Aug 7 07:26:16 rx [1006006.624804] arch_cpu_idle+0x15/0x20
+Aug 7 07:26:16 rx [1006006.628545] default_idle_call+0x23/0x30
+Aug 7 07:26:16 rx [1006006.632640] do_idle+0x1fb/0x270
+Aug 7 07:26:16 rx [1006006.636035] cpu_startup_entry+0x20/0x30
+Aug 7 07:26:16 rx [1006006.640126] start_secondary+0x178/0x1d0
+Aug 7 07:26:16 rx [1006006.644218] secondary_startup_64+0xa4/0xb0
+Aug 7 07:26:17 rx [1006006.648568] Modules linked in: vrf bridge stp llc vxlan ip6_udp_tunnel udp_tunnel nls_iso8859_1 nft_ct amd64_edac_mod edac_mce_amd kvm_amd kvm crct10dif_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper wmi_bmof ipmi_ssif input_leds joydev rndis_host cdc_ether usbnet ast mii drm_vram_helper ttm drm_kms_helper i2c_algo_bit fb_sys_fops syscopyarea sysfillrect sysimgblt ccp mac_hid ipmi_si ipmi_devintf ipmi_msghandler sch_fq_codel nf_tables_set nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink ramoops reed_solomon efi_pstore drm ip_tables x_tables autofs4 raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid0 multipath linear mlx5_ib ib_uverbs ib_core raid1 hid_generic mlx5_core pci_hyperv_intf crc32_pclmul usbhid ahci tls mlxfw bnxt_en hid libahci nvme i2c_piix4 nvme_core wmi [last unloaded: cpuid]
+Aug 7 07:26:17 rx [1006006.726180] CR2: 0000000000000020
+Aug 7 07:26:17 rx [1006006.729718] ---[ end trace e0e2e37e4e612984 ]---
+
+Prior to seeing the first crash and on other machines we also see the warning in
+tcp_send_loss_probe() where packets_out is non-zero, but both transmit and retrans
+queues are empty so we know the box is seeing some accounting issue in this area:
+
+Jul 26 09:15:27 kernel: ------------[ cut here ]------------
+Jul 26 09:15:27 kernel: invalid inflight: 2 state 1 cwnd 68 mss 8988
+Jul 26 09:15:27 kernel: WARNING: CPU: 16 PID: 0 at net/ipv4/tcp_output.c:2605 tcp_send_loss_probe+0x214/0x220
+Jul 26 09:15:27 kernel: Modules linked in: vrf bridge stp llc vxlan ip6_udp_tunnel udp_tunnel nls_iso8859_1 nft_ct amd64_edac_mod edac_mce_amd kvm_amd kvm crct10dif_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper wmi_bmof ipmi_ssif joydev input_leds rndis_host cdc_ether usbnet mii ast drm_vram_helper ttm drm_kms_he>
+Jul 26 09:15:27 kernel: CPU: 16 PID: 0 Comm: swapper/16 Not tainted 5.4.0-174-generic #193-Ubuntu
+Jul 26 09:15:27 kernel: Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR, BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023
+Jul 26 09:15:27 kernel: RIP: 0010:tcp_send_loss_probe+0x214/0x220
+Jul 26 09:15:27 kernel: Code: 08 26 01 00 75 e2 41 0f b6 54 24 12 41 8b 8c 24 c0 06 00 00 45 89 f0 48 c7 c7 e0 b4 20 a7 c6 05 8d 08 26 01 01 e8 4a c0 0f 00 <0f> 0b eb ba 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41
+Jul 26 09:15:27 kernel: RSP: 0018:ffffb7838088ce00 EFLAGS: 00010286
+Jul 26 09:15:27 kernel: RAX: 0000000000000000 RBX: ffff9b84b5630430 RCX: 0000000000000006
+Jul 26 09:15:27 kernel: RDX: 0000000000000007 RSI: 0000000000000096 RDI: ffff9b8e4621c8c0
+Jul 26 09:15:27 kernel: RBP: ffffb7838088ce18 R08: 0000000000000927 R09: 0000000000000004
+Jul 26 09:15:27 kernel: R10: 0000000000000000 R11: 0000000000000001 R12: ffff9b84b5630000
+Jul 26 09:15:27 kernel: R13: 0000000000000000 R14: 000000000000231c R15: ffff9b84b5630430
+Jul 26 09:15:27 kernel: FS: 0000000000000000(0000) GS:ffff9b8e46200000(0000) knlGS:0000000000000000
+Jul 26 09:15:27 kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+Jul 26 09:15:27 kernel: CR2: 000056238cec2380 CR3: 0000003e49ede005 CR4: 0000000000760ee0
+Jul 26 09:15:27 kernel: PKRU: 55555554
+Jul 26 09:15:27 kernel: Call Trace:
+Jul 26 09:15:27 kernel: <IRQ>
+Jul 26 09:15:27 kernel: ? show_regs.cold+0x1a/0x1f
+Jul 26 09:15:27 kernel: ? __warn+0x98/0xe0
+Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220
+Jul 26 09:15:27 kernel: ? report_bug+0xd1/0x100
+Jul 26 09:15:27 kernel: ? do_error_trap+0x9b/0xc0
+Jul 26 09:15:27 kernel: ? do_invalid_op+0x3c/0x50
+Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220
+Jul 26 09:15:27 kernel: ? invalid_op+0x1e/0x30
+Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220
+Jul 26 09:15:27 kernel: tcp_write_timer_handler+0x1b4/0x240
+Jul 26 09:15:27 kernel: tcp_write_timer+0x9e/0xe0
+Jul 26 09:15:27 kernel: ? tcp_write_timer_handler+0x240/0x240
+Jul 26 09:15:27 kernel: call_timer_fn+0x32/0x130
+Jul 26 09:15:27 kernel: __run_timers.part.0+0x180/0x280
+Jul 26 09:15:27 kernel: ? timerqueue_add+0x9b/0xb0
+Jul 26 09:15:27 kernel: ? enqueue_hrtimer+0x3d/0x90
+Jul 26 09:15:27 kernel: ? do_error_trap+0x9b/0xc0
+Jul 26 09:15:27 kernel: ? do_invalid_op+0x3c/0x50
+Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220
+Jul 26 09:15:27 kernel: ? invalid_op+0x1e/0x30
+Jul 26 09:15:27 kernel: ? tcp_send_loss_probe+0x214/0x220
+Jul 26 09:15:27 kernel: tcp_write_timer_handler+0x1b4/0x240
+Jul 26 09:15:27 kernel: tcp_write_timer+0x9e/0xe0
+Jul 26 09:15:27 kernel: ? tcp_write_timer_handler+0x240/0x240
+Jul 26 09:15:27 kernel: call_timer_fn+0x32/0x130
+Jul 26 09:15:27 kernel: __run_timers.part.0+0x180/0x280
+Jul 26 09:15:27 kernel: ? timerqueue_add+0x9b/0xb0
+Jul 26 09:15:27 kernel: ? enqueue_hrtimer+0x3d/0x90
+Jul 26 09:15:27 kernel: ? recalibrate_cpu_khz+0x10/0x10
+Jul 26 09:15:27 kernel: ? ktime_get+0x3e/0xa0
+Jul 26 09:15:27 kernel: ? native_x2apic_icr_write+0x30/0x30
+Jul 26 09:15:27 kernel: run_timer_softirq+0x2a/0x50
+Jul 26 09:15:27 kernel: __do_softirq+0xd1/0x2c1
+Jul 26 09:15:27 kernel: irq_exit+0xae/0xb0
+Jul 26 09:15:27 kernel: smp_apic_timer_interrupt+0x7b/0x140
+Jul 26 09:15:27 kernel: apic_timer_interrupt+0xf/0x20
+Jul 26 09:15:27 kernel: </IRQ>
+Jul 26 09:15:27 kernel: RIP: 0010:native_safe_halt+0xe/0x10
+Jul 26 09:15:27 kernel: Code: 7b ff ff ff eb bd 90 90 90 90 90 90 e9 07 00 00 00 0f 00 2d 36 2c 50 00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 26 2c 50 00 fb f4 <c3> 90 0f 1f 44 00 00 55 48 89 e5 41 55 41 54 53 e8 dd 5e 61 ff 65
+Jul 26 09:15:27 kernel: RSP: 0018:ffffb783801cfe70 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
+Jul 26 09:15:27 kernel: RAX: ffffffffa6908b20 RBX: 0000000000000010 RCX: 0000000000000001
+Jul 26 09:15:27 kernel: RDX: 000000006fc0c97e RSI: 0000000000000082 RDI: 0000000000000082
+Jul 26 09:15:27 kernel: RBP: ffffb783801cfe90 R08: 0000000000000000 R09: 0000000000000225
+Jul 26 09:15:27 kernel: R10: 0000000000100000 R11: 0000000000000000 R12: 0000000000000010
+Jul 26 09:15:27 kernel: R13: ffff9b8e390b0000 R14: 0000000000000000 R15: 0000000000000000
+Jul 26 09:15:27 kernel: ? __cpuidle_text_start+0x8/0x8
+Jul 26 09:15:27 kernel: ? default_idle+0x20/0x140
+Jul 26 09:15:27 kernel: arch_cpu_idle+0x15/0x20
+Jul 26 09:15:27 kernel: default_idle_call+0x23/0x30
+Jul 26 09:15:27 kernel: do_idle+0x1fb/0x270
+Jul 26 09:15:27 kernel: cpu_startup_entry+0x20/0x30
+Jul 26 09:15:27 kernel: start_secondary+0x178/0x1d0
+Jul 26 09:15:27 kernel: secondary_startup_64+0xa4/0xb0
+Jul 26 09:15:27 kernel: ---[ end trace e7ac822987e33be1 ]---
+
+The NULL ptr deref is coming from tcp_rto_delta_us() attempting to pull an skb
+off the head of the retransmit queue and then dereferencing that skb to get the
+skb_mstamp_ns value via tcp_skb_timestamp_us(skb).
+
+The crash is the same one that was reported a # of years ago here:
+https://lore.kernel.org/netdev/86c0f836-9a7c-438b-d81a-839be45f1f58@gmail.com/T/#t
+
+and the kernel we're running has the fix which was added to resolve this issue.
+
+Unfortunately we've been unsuccessful so far in reproducing this problem in the
+lab and do not have the luxury of pushing out a new kernel to try and test if
+newer kernels resolve this issue at the moment. I realize this is a report
+against both an Ubuntu kernel and also an older 5.4 kernel. I have reported this
+issue to Ubuntu here: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2077657
+however I feel like since this issue has possibly cropped up again it makes
+sense to build in some protection in this path (even on the latest kernel
+versions) since the code in question just blindly assumes there's a valid skb
+without testing if it's NULL b/f it looks at the timestamp.
+
+Given we have seen crashes in this path before and now this case it seems like
+we should protect ourselves for when packets_out accounting is incorrect.
+While we should fix that root cause we should also just make sure the skb
+is not NULL before dereferencing it. Also add a warn once here to capture
+some information if/when the problem case is hit again.
+
+Fixes: e1a10ef7fa87 ("tcp: introduce tcp_rto_delta_us() helper for xmit timer fix")
+Signed-off-by: Josh Hunt <johunt@akamai.com>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/tcp.h | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index 3138f01db6699..9f991c5927c37 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -2009,9 +2009,26 @@ static inline s64 tcp_rto_delta_us(const struct sock *sk)
+ {
+ const struct sk_buff *skb = tcp_rtx_queue_head(sk);
+ u32 rto = inet_csk(sk)->icsk_rto;
+- u64 rto_time_stamp_us = tcp_skb_timestamp_us(skb) + jiffies_to_usecs(rto);
+
+- return rto_time_stamp_us - tcp_sk(sk)->tcp_mstamp;
++ if (likely(skb)) {
++ u64 rto_time_stamp_us = tcp_skb_timestamp_us(skb) + jiffies_to_usecs(rto);
++
++ return rto_time_stamp_us - tcp_sk(sk)->tcp_mstamp;
++ } else {
++ WARN_ONCE(1,
++ "rtx queue emtpy: "
++ "out:%u sacked:%u lost:%u retrans:%u "
++ "tlp_high_seq:%u sk_state:%u ca_state:%u "
++ "advmss:%u mss_cache:%u pmtu:%u\n",
++ tcp_sk(sk)->packets_out, tcp_sk(sk)->sacked_out,
++ tcp_sk(sk)->lost_out, tcp_sk(sk)->retrans_out,
++ tcp_sk(sk)->tlp_high_seq, sk->sk_state,
++ inet_csk(sk)->icsk_ca_state,
++ tcp_sk(sk)->advmss, tcp_sk(sk)->mss_cache,
++ inet_csk(sk)->icsk_pmtu_cookie);
++ return jiffies_to_usecs(rto);
++ }
++
+ }
+
+ /*
+--
+2.43.0
+
--- /dev/null
+From 793a33910e4957f7157d63e6facbd442e2ad813b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Sep 2018 08:51:47 -0700
+Subject: tcp: introduce tcp_skb_timestamp_us() helper
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 2fd66ffba50716fc5ab481c48db643af3bda2276 ]
+
+There are few places where TCP reads skb->skb_mstamp expecting
+a value in usec unit.
+
+skb->tstamp (aka skb->skb_mstamp) will soon store CLOCK_TAI nsec value.
+
+Add tcp_skb_timestamp_us() to provide proper conversion when needed.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: c8770db2d544 ("tcp: check skb is non-NULL in tcp_rto_delta_us()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/tcp.h | 8 +++++++-
+ net/ipv4/tcp_input.c | 11 ++++++-----
+ net/ipv4/tcp_ipv4.c | 2 +-
+ net/ipv4/tcp_output.c | 2 +-
+ net/ipv4/tcp_rate.c | 15 ++++++++-------
+ net/ipv4/tcp_recovery.c | 5 +++--
+ 6 files changed, 26 insertions(+), 17 deletions(-)
+
+diff --git a/include/net/tcp.h b/include/net/tcp.h
+index 49da4d4a3c3d3..3138f01db6699 100644
+--- a/include/net/tcp.h
++++ b/include/net/tcp.h
+@@ -794,6 +794,12 @@ static inline u32 tcp_skb_timestamp(const struct sk_buff *skb)
+ return div_u64(skb->skb_mstamp, USEC_PER_SEC / TCP_TS_HZ);
+ }
+
++/* provide the departure time in us unit */
++static inline u64 tcp_skb_timestamp_us(const struct sk_buff *skb)
++{
++ return skb->skb_mstamp;
++}
++
+
+ #define tcp_flag_byte(th) (((u_int8_t *)th)[13])
+
+@@ -2003,7 +2009,7 @@ static inline s64 tcp_rto_delta_us(const struct sock *sk)
+ {
+ const struct sk_buff *skb = tcp_rtx_queue_head(sk);
+ u32 rto = inet_csk(sk)->icsk_rto;
+- u64 rto_time_stamp_us = skb->skb_mstamp + jiffies_to_usecs(rto);
++ u64 rto_time_stamp_us = tcp_skb_timestamp_us(skb) + jiffies_to_usecs(rto);
+
+ return rto_time_stamp_us - tcp_sk(sk)->tcp_mstamp;
+ }
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index 9254705afa869..2437a196c1392 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -1301,7 +1301,7 @@ static bool tcp_shifted_skb(struct sock *sk, struct sk_buff *prev,
+ */
+ tcp_sacktag_one(sk, state, TCP_SKB_CB(skb)->sacked,
+ start_seq, end_seq, dup_sack, pcount,
+- skb->skb_mstamp);
++ tcp_skb_timestamp_us(skb));
+ tcp_rate_skb_delivered(sk, skb, state->rate);
+
+ if (skb == tp->lost_skb_hint)
+@@ -1590,7 +1590,7 @@ static struct sk_buff *tcp_sacktag_walk(struct sk_buff *skb, struct sock *sk,
+ TCP_SKB_CB(skb)->end_seq,
+ dup_sack,
+ tcp_skb_pcount(skb),
+- skb->skb_mstamp);
++ tcp_skb_timestamp_us(skb));
+ tcp_rate_skb_delivered(sk, skb, state->rate);
+ if (TCP_SKB_CB(skb)->sacked & TCPCB_SACKED_ACKED)
+ list_del_init(&skb->tcp_tsorted_anchor);
+@@ -3140,7 +3140,7 @@ static int tcp_clean_rtx_queue(struct sock *sk, u32 prior_fack,
+ tp->retrans_out -= acked_pcount;
+ flag |= FLAG_RETRANS_DATA_ACKED;
+ } else if (!(sacked & TCPCB_SACKED_ACKED)) {
+- last_ackt = skb->skb_mstamp;
++ last_ackt = tcp_skb_timestamp_us(skb);
+ WARN_ON_ONCE(last_ackt == 0);
+ if (!first_ackt)
+ first_ackt = last_ackt;
+@@ -3158,7 +3158,7 @@ static int tcp_clean_rtx_queue(struct sock *sk, u32 prior_fack,
+ tp->delivered += acked_pcount;
+ if (!tcp_skb_spurious_retrans(tp, skb))
+ tcp_rack_advance(tp, sacked, scb->end_seq,
+- skb->skb_mstamp);
++ tcp_skb_timestamp_us(skb));
+ }
+ if (sacked & TCPCB_LOST)
+ tp->lost_out -= acked_pcount;
+@@ -3253,7 +3253,8 @@ static int tcp_clean_rtx_queue(struct sock *sk, u32 prior_fack,
+ tp->lost_cnt_hint -= min(tp->lost_cnt_hint, delta);
+ }
+ } else if (skb && rtt_update && sack_rtt_us >= 0 &&
+- sack_rtt_us > tcp_stamp_us_delta(tp->tcp_mstamp, skb->skb_mstamp)) {
++ sack_rtt_us > tcp_stamp_us_delta(tp->tcp_mstamp,
++ tcp_skb_timestamp_us(skb))) {
+ /* Do not re-arm RTO if the sack RTT is measured from data sent
+ * after when the head was last (re)transmitted. Otherwise the
+ * timeout may continue to extend in loss recovery.
+diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
+index aa9aa38471f95..d08e9d33e4d79 100644
+--- a/net/ipv4/tcp_ipv4.c
++++ b/net/ipv4/tcp_ipv4.c
+@@ -556,7 +556,7 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
+ icsk->icsk_rto = inet_csk_rto_backoff(icsk, TCP_RTO_MAX);
+
+ tcp_mstamp_refresh(tp);
+- delta_us = (u32)(tp->tcp_mstamp - skb->skb_mstamp);
++ delta_us = (u32)(tp->tcp_mstamp - tcp_skb_timestamp_us(skb));
+ remaining = icsk->icsk_rto -
+ usecs_to_jiffies(delta_us);
+
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index fbeb40a481fcb..20bce57a19f09 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -1993,7 +1993,7 @@ static bool tcp_tso_should_defer(struct sock *sk, struct sk_buff *skb,
+ head = tcp_rtx_queue_head(sk);
+ if (!head)
+ goto send_now;
+- age = tcp_stamp_us_delta(tp->tcp_mstamp, head->skb_mstamp);
++ age = tcp_stamp_us_delta(tp->tcp_mstamp, tcp_skb_timestamp_us(head));
+ /* If next ACK is likely to come too late (half srtt), do not defer */
+ if (age < (tp->srtt_us >> 4))
+ goto send_now;
+diff --git a/net/ipv4/tcp_rate.c b/net/ipv4/tcp_rate.c
+index 4dff40dad4dc5..baed2186c7c62 100644
+--- a/net/ipv4/tcp_rate.c
++++ b/net/ipv4/tcp_rate.c
+@@ -55,8 +55,10 @@ void tcp_rate_skb_sent(struct sock *sk, struct sk_buff *skb)
+ * bandwidth estimate.
+ */
+ if (!tp->packets_out) {
+- tp->first_tx_mstamp = skb->skb_mstamp;
+- tp->delivered_mstamp = skb->skb_mstamp;
++ u64 tstamp_us = tcp_skb_timestamp_us(skb);
++
++ tp->first_tx_mstamp = tstamp_us;
++ tp->delivered_mstamp = tstamp_us;
+ }
+
+ TCP_SKB_CB(skb)->tx.first_tx_mstamp = tp->first_tx_mstamp;
+@@ -88,13 +90,12 @@ void tcp_rate_skb_delivered(struct sock *sk, struct sk_buff *skb,
+ rs->is_app_limited = scb->tx.is_app_limited;
+ rs->is_retrans = scb->sacked & TCPCB_RETRANS;
+
++ /* Record send time of most recently ACKed packet: */
++ tp->first_tx_mstamp = tcp_skb_timestamp_us(skb);
+ /* Find the duration of the "send phase" of this window: */
+- rs->interval_us = tcp_stamp_us_delta(
+- skb->skb_mstamp,
+- scb->tx.first_tx_mstamp);
++ rs->interval_us = tcp_stamp_us_delta(tp->first_tx_mstamp,
++ scb->tx.first_tx_mstamp);
+
+- /* Record send time of most recently ACKed packet: */
+- tp->first_tx_mstamp = skb->skb_mstamp;
+ }
+ /* Mark off the skb delivered once it's sacked to avoid being
+ * used again when it's cumulatively acked. For acked packets
+diff --git a/net/ipv4/tcp_recovery.c b/net/ipv4/tcp_recovery.c
+index 844ff390f7263..db3469c95c49d 100644
+--- a/net/ipv4/tcp_recovery.c
++++ b/net/ipv4/tcp_recovery.c
+@@ -51,7 +51,7 @@ static u32 tcp_rack_reo_wnd(const struct sock *sk)
+ s32 tcp_rack_skb_timeout(struct tcp_sock *tp, struct sk_buff *skb, u32 reo_wnd)
+ {
+ return tp->rack.rtt_us + reo_wnd -
+- tcp_stamp_us_delta(tp->tcp_mstamp, skb->skb_mstamp);
++ tcp_stamp_us_delta(tp->tcp_mstamp, tcp_skb_timestamp_us(skb));
+ }
+
+ /* RACK loss detection (IETF draft draft-ietf-tcpm-rack-01):
+@@ -92,7 +92,8 @@ static void tcp_rack_detect_loss(struct sock *sk, u32 *reo_timeout)
+ !(scb->sacked & TCPCB_SACKED_RETRANS))
+ continue;
+
+- if (!tcp_rack_sent_after(tp->rack.mstamp, skb->skb_mstamp,
++ if (!tcp_rack_sent_after(tp->rack.mstamp,
++ tcp_skb_timestamp_us(skb),
+ tp->rack.end_seq, scb->end_seq))
+ break;
+
+--
+2.43.0
+
--- /dev/null
+From b3a0eca25a5d3badf8ff912dbba2c7aa0d015357 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Jul 2023 19:47:40 +0800
+Subject: wifi: ath9k: fix parameter check in ath9k_init_debug()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Minjie Du <duminjie@vivo.com>
+
+[ Upstream commit 6edb4ba6fb5b946d112259f54f4657f82eb71e89 ]
+
+Make IS_ERR() judge the debugfs_create_dir() function return
+in ath9k_init_debug()
+
+Signed-off-by: Minjie Du <duminjie@vivo.com>
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20230712114740.13226-1-duminjie@vivo.com
+Stable-dep-of: f6ffe7f01847 ("wifi: ath9k: Remove error checks when creating debugfs entries")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/debug.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/debug.c b/drivers/net/wireless/ath/ath9k/debug.c
+index e0a4e3fa87305..1700d23f0aa9e 100644
+--- a/drivers/net/wireless/ath/ath9k/debug.c
++++ b/drivers/net/wireless/ath/ath9k/debug.c
+@@ -1384,7 +1384,7 @@ int ath9k_init_debug(struct ath_hw *ah)
+
+ sc->debug.debugfs_phy = debugfs_create_dir("ath9k",
+ sc->hw->wiphy->debugfsdir);
+- if (!sc->debug.debugfs_phy)
++ if (IS_ERR(sc->debug.debugfs_phy))
+ return -ENOMEM;
+
+ #ifdef CONFIG_ATH_DEBUG
+--
+2.43.0
+
--- /dev/null
+From d13cddf900a99a45a29f701ea9c3b0a5053d8071 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Aug 2024 13:02:22 +0200
+Subject: wifi: ath9k: Remove error checks when creating debugfs entries
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Toke Høiland-Jørgensen <toke@redhat.com>
+
+[ Upstream commit f6ffe7f0184792c2f99aca6ae5b916683973d7d3 ]
+
+We should not be checking the return values from debugfs creation at all: the
+debugfs functions are designed to handle errors of previously called functions
+and just transparently abort the creation of debugfs entries when debugfs is
+disabled. If we check the return value and abort driver initialisation, we break
+the driver if debugfs is disabled (such as when booting with debugfs=off).
+
+Earlier versions of ath9k accidentally did the right thing by checking the
+return value, but only for NULL, not for IS_ERR(). This was "fixed" by the two
+commits referenced below, breaking ath9k with debugfs=off starting from the 6.6
+kernel (as reported in the Bugzilla linked below).
+
+Restore functionality by just getting rid of the return value check entirely.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=219122
+Fixes: 1e4134610d93 ("wifi: ath9k: use IS_ERR() with debugfs_create_dir()")
+Fixes: 6edb4ba6fb5b ("wifi: ath9k: fix parameter check in ath9k_init_debug()")
+Reported-by: Daniel Tobias <dan.g.tob@gmail.com>
+Tested-by: Daniel Tobias <dan.g.tob@gmail.com>
+Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://patch.msgid.link/20240805110225.19690-1-toke@toke.dk
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/debug.c | 2 --
+ drivers/net/wireless/ath/ath9k/htc_drv_debug.c | 2 --
+ 2 files changed, 4 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/debug.c b/drivers/net/wireless/ath/ath9k/debug.c
+index 1700d23f0aa9e..9440d6bfea922 100644
+--- a/drivers/net/wireless/ath/ath9k/debug.c
++++ b/drivers/net/wireless/ath/ath9k/debug.c
+@@ -1384,8 +1384,6 @@ int ath9k_init_debug(struct ath_hw *ah)
+
+ sc->debug.debugfs_phy = debugfs_create_dir("ath9k",
+ sc->hw->wiphy->debugfsdir);
+- if (IS_ERR(sc->debug.debugfs_phy))
+- return -ENOMEM;
+
+ #ifdef CONFIG_ATH_DEBUG
+ debugfs_create_file("debug", 0600, sc->debug.debugfs_phy,
+diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_debug.c b/drivers/net/wireless/ath/ath9k/htc_drv_debug.c
+index e79bbcd3279af..81332086e2899 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_drv_debug.c
++++ b/drivers/net/wireless/ath/ath9k/htc_drv_debug.c
+@@ -491,8 +491,6 @@ int ath9k_htc_init_debug(struct ath_hw *ah)
+
+ priv->debug.debugfs_phy = debugfs_create_dir(KBUILD_MODNAME,
+ priv->hw->wiphy->debugfsdir);
+- if (IS_ERR(priv->debug.debugfs_phy))
+- return -ENOMEM;
+
+ ath9k_cmn_spectral_init_debug(&priv->spec_priv, priv->debug.debugfs_phy);
+
+--
+2.43.0
+
--- /dev/null
+From 80ecae7878075c9e04bbbd85aaba8b1a8369a9cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Sep 2024 12:08:06 +0300
+Subject: wifi: cfg80211: fix two more possible UBSAN-detected off-by-one
+ errors
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 15ea13b1b1fbf6364d4cd568e65e4c8479632999 ]
+
+Although not reproduced in practice, these two cases may be
+considered by UBSAN as off-by-one errors. So fix them in the
+same way as in commit a26a5107bc52 ("wifi: cfg80211: fix UBSAN
+noise in cfg80211_wext_siwscan()").
+
+Fixes: 807f8a8c3004 ("cfg80211/nl80211: add support for scheduled scans")
+Fixes: 5ba63533bbf6 ("cfg80211: fix alignment problem in scan request")
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Link: https://patch.msgid.link/20240909090806.1091956-1-dmantipov@yandex.ru
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/nl80211.c | 3 ++-
+ net/wireless/sme.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index ebd8449f2fcf1..f3f01ab1abd38 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -7578,7 +7578,8 @@ nl80211_parse_sched_scan(struct wiphy *wiphy, struct wireless_dev *wdev,
+ return ERR_PTR(-ENOMEM);
+
+ if (n_ssids)
+- request->ssids = (void *)&request->channels[n_channels];
++ request->ssids = (void *)request +
++ struct_size(request, channels, n_channels);
+ request->n_ssids = n_ssids;
+ if (ie_len) {
+ if (n_ssids)
+diff --git a/net/wireless/sme.c b/net/wireless/sme.c
+index ebc73faa8fb18..4e6afb765e815 100644
+--- a/net/wireless/sme.c
++++ b/net/wireless/sme.c
+@@ -116,7 +116,8 @@ static int cfg80211_conn_scan(struct wireless_dev *wdev)
+ n_channels = i;
+ }
+ request->n_channels = n_channels;
+- request->ssids = (void *)&request->channels[n_channels];
++ request->ssids = (void *)request +
++ struct_size(request, channels, n_channels);
+ request->n_ssids = 1;
+
+ memcpy(request->ssids[0].ssid, wdev->conn->params.ssid,
+--
+2.43.0
+
--- /dev/null
+From 29d2bb0abcf4c58589df210ed242b368b5533b78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Sep 2024 18:04:00 +0300
+Subject: wifi: cfg80211: fix UBSAN noise in cfg80211_wext_siwscan()
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit a26a5107bc52922cf5f67361e307ad66547b51c7 ]
+
+Looking at https://syzkaller.appspot.com/bug?extid=1a3986bbd3169c307819
+and running reproducer with CONFIG_UBSAN_BOUNDS, I've noticed the
+following:
+
+[ T4985] UBSAN: array-index-out-of-bounds in net/wireless/scan.c:3479:25
+[ T4985] index 164 is out of range for type 'struct ieee80211_channel *[]'
+<...skipped...>
+[ T4985] Call Trace:
+[ T4985] <TASK>
+[ T4985] dump_stack_lvl+0x1c2/0x2a0
+[ T4985] ? __pfx_dump_stack_lvl+0x10/0x10
+[ T4985] ? __pfx__printk+0x10/0x10
+[ T4985] __ubsan_handle_out_of_bounds+0x127/0x150
+[ T4985] cfg80211_wext_siwscan+0x11a4/0x1260
+<...the rest is not too useful...>
+
+Even if we do 'creq->n_channels = n_channels' before 'creq->ssids =
+(void *)&creq->channels[n_channels]', UBSAN treats the latter as
+off-by-one error. Fix this by using pointer arithmetic rather than
+an expression with explicit array indexing and use convenient
+'struct_size()' to simplify the math here and in 'kzalloc()' above.
+
+Fixes: 5ba63533bbf6 ("cfg80211: fix alignment problem in scan request")
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Reviewed-by: Kees Cook <kees@kernel.org>
+Link: https://patch.msgid.link/20240905150400.126386-1-dmantipov@yandex.ru
+[fix coding style for multi-line calculation]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/scan.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index 0dc27703443c8..4c6c333011e02 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -1414,8 +1414,8 @@ int cfg80211_wext_siwscan(struct net_device *dev,
+ n_channels = ieee80211_get_num_supported_channels(wiphy);
+ }
+
+- creq = kzalloc(sizeof(*creq) + sizeof(struct cfg80211_ssid) +
+- n_channels * sizeof(void *),
++ creq = kzalloc(struct_size(creq, channels, n_channels) +
++ sizeof(struct cfg80211_ssid),
+ GFP_ATOMIC);
+ if (!creq) {
+ err = -ENOMEM;
+@@ -1425,7 +1425,7 @@ int cfg80211_wext_siwscan(struct net_device *dev,
+ creq->wiphy = wiphy;
+ creq->wdev = dev->ieee80211_ptr;
+ /* SSIDs come after channels */
+- creq->ssids = (void *)&creq->channels[n_channels];
++ creq->ssids = (void *)creq + struct_size(creq, channels, n_channels);
+ creq->n_channels = n_channels;
+ creq->n_ssids = 1;
+ creq->scan_start = jiffies;
+--
+2.43.0
+
--- /dev/null
+From 8fcde46e3027cebc731d8ab070ab6a6de4dc2cb3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 15:31:51 +0300
+Subject: wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop()
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 9d301de12da6e1bb069a9835c38359b8e8135121 ]
+
+Since '__dev_queue_xmit()' should be called with interrupts enabled,
+the following backtrace:
+
+ieee80211_do_stop()
+ ...
+ spin_lock_irqsave(&local->queue_stop_reason_lock, flags)
+ ...
+ ieee80211_free_txskb()
+ ieee80211_report_used_skb()
+ ieee80211_report_ack_skb()
+ cfg80211_mgmt_tx_status_ext()
+ nl80211_frame_tx_status()
+ genlmsg_multicast_netns()
+ genlmsg_multicast_netns_filtered()
+ nlmsg_multicast_filtered()
+ netlink_broadcast_filtered()
+ do_one_broadcast()
+ netlink_broadcast_deliver()
+ __netlink_sendskb()
+ netlink_deliver_tap()
+ __netlink_deliver_tap_skb()
+ dev_queue_xmit()
+ __dev_queue_xmit() ; with IRQS disabled
+ ...
+ spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags)
+
+issues the warning (as reported by syzbot reproducer):
+
+WARNING: CPU: 2 PID: 5128 at kernel/softirq.c:362 __local_bh_enable_ip+0xc3/0x120
+
+Fix this by implementing a two-phase skb reclamation in
+'ieee80211_do_stop()', where actual work is performed
+outside of a section with interrupts disabled.
+
+Fixes: 5061b0c2b906 ("mac80211: cooperate more with network namespaces")
+Reported-by: syzbot+1a3986bbd3169c307819@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=1a3986bbd3169c307819
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Link: https://patch.msgid.link/20240906123151.351647-1-dmantipov@yandex.ru
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/iface.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
+index 358028a09ce4d..433083cc15331 100644
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -798,6 +798,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
+ {
+ struct ieee80211_local *local = sdata->local;
+ unsigned long flags;
++ struct sk_buff_head freeq;
+ struct sk_buff *skb, *tmp;
+ u32 hw_reconf_flags = 0;
+ int i, flushed;
+@@ -996,18 +997,32 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
+ skb_queue_purge(&sdata->skb_queue);
+ }
+
++ /*
++ * Since ieee80211_free_txskb() may issue __dev_queue_xmit()
++ * which should be called with interrupts enabled, reclamation
++ * is done in two phases:
++ */
++ __skb_queue_head_init(&freeq);
++
++ /* unlink from local queues... */
+ spin_lock_irqsave(&local->queue_stop_reason_lock, flags);
+ for (i = 0; i < IEEE80211_MAX_QUEUES; i++) {
+ skb_queue_walk_safe(&local->pending[i], skb, tmp) {
+ struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
+ if (info->control.vif == &sdata->vif) {
+ __skb_unlink(skb, &local->pending[i]);
+- ieee80211_free_txskb(&local->hw, skb);
++ __skb_queue_tail(&freeq, skb);
+ }
+ }
+ }
+ spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags);
+
++ /* ... and perform actual reclamation with interrupts enabled. */
++ skb_queue_walk_safe(&freeq, skb, tmp) {
++ __skb_unlink(skb, &freeq);
++ ieee80211_free_txskb(&local->hw, skb);
++ }
++
+ if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
+ ieee80211_txq_remove_vlan(local, sdata);
+
+--
+2.43.0
+
--- /dev/null
+From 0a544f1cb96b13fc2453635d1dc9ff49852e6137 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Aug 2024 16:47:25 +0200
+Subject: xen: add capability to remap non-RAM pages to different PFNs
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit d05208cf7f05420ad10cc7f9550f91d485523659 ]
+
+When running as a Xen PV dom0 it can happen that the kernel is being
+loaded to a guest physical address conflicting with the host memory
+map.
+
+In order to be able to resolve this conflict, add the capability to
+remap non-RAM areas to different guest PFNs. A function to use this
+remapping information for other purposes than doing the remap will be
+added when needed.
+
+As the number of conflicts should be rather low (currently only
+machines with max. 1 conflict are known), save the remap data in a
+small statically allocated array.
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Stable-dep-of: be35d91c8880 ("xen: tolerate ACPI NVS memory overlapping with Xen allocated memory")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/xen/p2m.c | 63 ++++++++++++++++++++++++++++++++++++++++++
+ arch/x86/xen/xen-ops.h | 3 ++
+ 2 files changed, 66 insertions(+)
+
+diff --git a/arch/x86/xen/p2m.c b/arch/x86/xen/p2m.c
+index 8cbdc5e6863c3..3828271697f94 100644
+--- a/arch/x86/xen/p2m.c
++++ b/arch/x86/xen/p2m.c
+@@ -78,6 +78,7 @@
+ #include <asm/xen/hypervisor.h>
+ #include <xen/balloon.h>
+ #include <xen/grant_table.h>
++#include <xen/hvc-console.h>
+
+ #include "multicalls.h"
+ #include "xen-ops.h"
+@@ -798,6 +799,68 @@ int clear_foreign_p2m_mapping(struct gnttab_unmap_grant_ref *unmap_ops,
+ }
+ EXPORT_SYMBOL_GPL(clear_foreign_p2m_mapping);
+
++/* Remapped non-RAM areas */
++#define NR_NONRAM_REMAP 4
++static struct nonram_remap {
++ phys_addr_t maddr;
++ phys_addr_t paddr;
++ size_t size;
++} xen_nonram_remap[NR_NONRAM_REMAP] __ro_after_init;
++static unsigned int nr_nonram_remap __ro_after_init;
++
++/*
++ * Do the real remapping of non-RAM regions as specified in the
++ * xen_nonram_remap[] array.
++ * In case of an error just crash the system.
++ */
++void __init xen_do_remap_nonram(void)
++{
++ unsigned int i;
++ unsigned int remapped = 0;
++ const struct nonram_remap *remap = xen_nonram_remap;
++ unsigned long pfn, mfn, end_pfn;
++
++ for (i = 0; i < nr_nonram_remap; i++) {
++ end_pfn = PFN_UP(remap->paddr + remap->size);
++ pfn = PFN_DOWN(remap->paddr);
++ mfn = PFN_DOWN(remap->maddr);
++ while (pfn < end_pfn) {
++ if (!set_phys_to_machine(pfn, mfn))
++ panic("Failed to set p2m mapping for pfn=%lx mfn=%lx\n",
++ pfn, mfn);
++
++ pfn++;
++ mfn++;
++ remapped++;
++ }
++
++ remap++;
++ }
++
++ pr_info("Remapped %u non-RAM page(s)\n", remapped);
++}
++
++/*
++ * Add a new non-RAM remap entry.
++ * In case of no free entry found, just crash the system.
++ */
++void __init xen_add_remap_nonram(phys_addr_t maddr, phys_addr_t paddr,
++ unsigned long size)
++{
++ BUG_ON((maddr & ~PAGE_MASK) != (paddr & ~PAGE_MASK));
++
++ if (nr_nonram_remap == NR_NONRAM_REMAP) {
++ xen_raw_console_write("Number of required E820 entry remapping actions exceed maximum value\n");
++ BUG();
++ }
++
++ xen_nonram_remap[nr_nonram_remap].maddr = maddr;
++ xen_nonram_remap[nr_nonram_remap].paddr = paddr;
++ xen_nonram_remap[nr_nonram_remap].size = size;
++
++ nr_nonram_remap++;
++}
++
+ #ifdef CONFIG_XEN_DEBUG_FS
+ #include <linux/debugfs.h>
+ #include "debugfs.h"
+diff --git a/arch/x86/xen/xen-ops.h b/arch/x86/xen/xen-ops.h
+index 83f980867bc0b..932fb167bc990 100644
+--- a/arch/x86/xen/xen-ops.h
++++ b/arch/x86/xen/xen-ops.h
+@@ -45,6 +45,9 @@ void xen_mm_unpin_all(void);
+ #ifdef CONFIG_X86_64
+ void __init xen_relocate_p2m(void);
+ #endif
++void __init xen_do_remap_nonram(void);
++void __init xen_add_remap_nonram(phys_addr_t maddr, phys_addr_t paddr,
++ unsigned long size);
+
+ void __init xen_chk_is_e820_usable(phys_addr_t start, phys_addr_t size,
+ const char *component);
+--
+2.43.0
+
--- /dev/null
+From d0a21324a95797dc2daebe340ff4498c2162c89e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Aug 2024 14:11:06 +0200
+Subject: xen: introduce generic helper checking for memory map conflicts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit ba88829706e2c5b7238638fc2b0713edf596495e ]
+
+When booting as a Xen PV dom0 the memory layout of the dom0 is
+modified to match that of the host, as this requires less changes in
+the kernel for supporting Xen.
+
+There are some cases, though, which are problematic, as it is the Xen
+hypervisor selecting the kernel's load address plus some other data,
+which might conflict with the host's memory map.
+
+These conflicts are detected at boot time and result in a boot error.
+In order to support handling at least some of these conflicts in
+future, introduce a generic helper function which will later gain the
+ability to adapt the memory layout when possible.
+
+Add the missing check for the xen_start_info area.
+
+Note that possible p2m map and initrd memory conflicts are handled
+already by copying the data to memory areas not conflicting with the
+memory map. The initial stack allocated by Xen doesn't need to be
+checked, as early boot code is switching to the statically allocated
+initial kernel stack. Initial page tables and the kernel itself will
+be handled later.
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Tested-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Stable-dep-of: be35d91c8880 ("xen: tolerate ACPI NVS memory overlapping with Xen allocated memory")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/xen/mmu_pv.c | 5 +----
+ arch/x86/xen/setup.c | 34 ++++++++++++++++++++++++++++------
+ arch/x86/xen/xen-ops.h | 3 ++-
+ 3 files changed, 31 insertions(+), 11 deletions(-)
+
+diff --git a/arch/x86/xen/mmu_pv.c b/arch/x86/xen/mmu_pv.c
+index 73aa0b89a74a4..54e5d4f3d8608 100644
+--- a/arch/x86/xen/mmu_pv.c
++++ b/arch/x86/xen/mmu_pv.c
+@@ -2286,10 +2286,7 @@ void __init xen_reserve_special_pages(void)
+
+ void __init xen_pt_check_e820(void)
+ {
+- if (xen_is_e820_reserved(xen_pt_base, xen_pt_size)) {
+- xen_raw_console_write("Xen hypervisor allocated page table memory conflicts with E820 map\n");
+- BUG();
+- }
++ xen_chk_is_e820_usable(xen_pt_base, xen_pt_size, "page table");
+ }
+
+ static unsigned char dummy_mapping[PAGE_SIZE] __page_aligned_bss;
+diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c
+index ad69e5796cd0c..2fd89830b1ffb 100644
+--- a/arch/x86/xen/setup.c
++++ b/arch/x86/xen/setup.c
+@@ -605,7 +605,7 @@ static void __init xen_ignore_unusable(void)
+ }
+ }
+
+-bool __init xen_is_e820_reserved(phys_addr_t start, phys_addr_t size)
++static bool __init xen_is_e820_reserved(phys_addr_t start, phys_addr_t size)
+ {
+ struct e820_entry *entry;
+ unsigned mapcnt;
+@@ -662,6 +662,23 @@ phys_addr_t __init xen_find_free_area(phys_addr_t size)
+ return 0;
+ }
+
++/*
++ * Check for an area in physical memory to be usable for non-movable purposes.
++ * An area is considered to usable if the used E820 map lists it to be RAM.
++ * In case the area is not usable, crash the system with an error message.
++ */
++void __init xen_chk_is_e820_usable(phys_addr_t start, phys_addr_t size,
++ const char *component)
++{
++ if (!xen_is_e820_reserved(start, size))
++ return;
++
++ xen_raw_console_write("Xen hypervisor allocated ");
++ xen_raw_console_write(component);
++ xen_raw_console_write(" memory conflicts with E820 map\n");
++ BUG();
++}
++
+ /*
+ * Like memcpy, but with physical addresses for dest and src.
+ */
+@@ -862,11 +879,16 @@ char * __init xen_memory_setup(void)
+ * Failing now is better than running into weird problems later due
+ * to relocating (and even reusing) pages with kernel text or data.
+ */
+- if (xen_is_e820_reserved(__pa_symbol(_text),
+- __pa_symbol(_end) - __pa_symbol(_text))) {
+- xen_raw_console_write("Xen hypervisor allocated kernel memory conflicts with E820 map\n");
+- BUG();
+- }
++ xen_chk_is_e820_usable(__pa_symbol(_text),
++ __pa_symbol(_end) - __pa_symbol(_text),
++ "kernel");
++
++ /*
++ * Check for a conflict of the xen_start_info memory with the target
++ * E820 map.
++ */
++ xen_chk_is_e820_usable(__pa(xen_start_info), sizeof(*xen_start_info),
++ "xen_start_info");
+
+ /*
+ * Check for a conflict of the hypervisor supplied page tables with
+diff --git a/arch/x86/xen/xen-ops.h b/arch/x86/xen/xen-ops.h
+index 9faec8543237a..83f980867bc0b 100644
+--- a/arch/x86/xen/xen-ops.h
++++ b/arch/x86/xen/xen-ops.h
+@@ -46,7 +46,8 @@ void xen_mm_unpin_all(void);
+ void __init xen_relocate_p2m(void);
+ #endif
+
+-bool __init xen_is_e820_reserved(phys_addr_t start, phys_addr_t size);
++void __init xen_chk_is_e820_usable(phys_addr_t start, phys_addr_t size,
++ const char *component);
+ unsigned long __ref xen_chk_extra_mem(unsigned long pfn);
+ void __init xen_inv_extra_mem(void);
+ void __init xen_remap_memory(void);
+--
+2.43.0
+
--- /dev/null
+From 96e05f7863867acad3a2f1a9fde01f59cb56b9e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Aug 2024 10:24:41 +0200
+Subject: xen: move max_pfn in xen_memory_setup() out of function scope
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit 43dc2a0f479b9cd30f6674986d7a40517e999d31 ]
+
+Instead of having max_pfn as a local variable of xen_memory_setup(),
+make it a static variable in setup.c instead. This avoids having to
+pass it to subfunctions, which will be needed in more cases in future.
+
+Rename it to ini_nr_pages, as the value denotes the currently usable
+number of memory pages as passed from the hypervisor at boot time.
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Tested-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Stable-dep-of: be35d91c8880 ("xen: tolerate ACPI NVS memory overlapping with Xen allocated memory")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/xen/setup.c | 52 ++++++++++++++++++++++----------------------
+ 1 file changed, 26 insertions(+), 26 deletions(-)
+
+diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c
+index 2fd89830b1ffb..64824e922c6ca 100644
+--- a/arch/x86/xen/setup.c
++++ b/arch/x86/xen/setup.c
+@@ -44,6 +44,9 @@ unsigned long xen_released_pages;
+ /* E820 map used during setting up memory. */
+ static struct e820_table xen_e820_table __initdata;
+
++/* Number of initially usable memory pages. */
++static unsigned long ini_nr_pages __initdata;
++
+ /*
+ * Buffer used to remap identity mapped pages. We only need the virtual space.
+ * The physical page behind this address is remapped as needed to different
+@@ -251,7 +254,7 @@ static int __init xen_free_mfn(unsigned long mfn)
+ * as a fallback if the remapping fails.
+ */
+ static void __init xen_set_identity_and_release_chunk(unsigned long start_pfn,
+- unsigned long end_pfn, unsigned long nr_pages)
++ unsigned long end_pfn)
+ {
+ unsigned long pfn, end;
+ int ret;
+@@ -259,7 +262,7 @@ static void __init xen_set_identity_and_release_chunk(unsigned long start_pfn,
+ WARN_ON(start_pfn > end_pfn);
+
+ /* Release pages first. */
+- end = min(end_pfn, nr_pages);
++ end = min(end_pfn, ini_nr_pages);
+ for (pfn = start_pfn; pfn < end; pfn++) {
+ unsigned long mfn = pfn_to_mfn(pfn);
+
+@@ -384,15 +387,14 @@ static void __init xen_do_set_identity_and_remap_chunk(
+ * to Xen and not remapped.
+ */
+ static unsigned long __init xen_set_identity_and_remap_chunk(
+- unsigned long start_pfn, unsigned long end_pfn, unsigned long nr_pages,
+- unsigned long remap_pfn)
++ unsigned long start_pfn, unsigned long end_pfn, unsigned long remap_pfn)
+ {
+ unsigned long pfn;
+ unsigned long i = 0;
+ unsigned long n = end_pfn - start_pfn;
+
+ if (remap_pfn == 0)
+- remap_pfn = nr_pages;
++ remap_pfn = ini_nr_pages;
+
+ while (i < n) {
+ unsigned long cur_pfn = start_pfn + i;
+@@ -401,19 +403,19 @@ static unsigned long __init xen_set_identity_and_remap_chunk(
+ unsigned long remap_range_size;
+
+ /* Do not remap pages beyond the current allocation */
+- if (cur_pfn >= nr_pages) {
++ if (cur_pfn >= ini_nr_pages) {
+ /* Identity map remaining pages */
+ set_phys_range_identity(cur_pfn, cur_pfn + size);
+ break;
+ }
+- if (cur_pfn + size > nr_pages)
+- size = nr_pages - cur_pfn;
++ if (cur_pfn + size > ini_nr_pages)
++ size = ini_nr_pages - cur_pfn;
+
+ remap_range_size = xen_find_pfn_range(&remap_pfn);
+ if (!remap_range_size) {
+ pr_warning("Unable to find available pfn range, not remapping identity pages\n");
+ xen_set_identity_and_release_chunk(cur_pfn,
+- cur_pfn + left, nr_pages);
++ cur_pfn + left);
+ break;
+ }
+ /* Adjust size to fit in current e820 RAM region */
+@@ -440,18 +442,18 @@ static unsigned long __init xen_set_identity_and_remap_chunk(
+ }
+
+ static unsigned long __init xen_count_remap_pages(
+- unsigned long start_pfn, unsigned long end_pfn, unsigned long nr_pages,
++ unsigned long start_pfn, unsigned long end_pfn,
+ unsigned long remap_pages)
+ {
+- if (start_pfn >= nr_pages)
++ if (start_pfn >= ini_nr_pages)
+ return remap_pages;
+
+- return remap_pages + min(end_pfn, nr_pages) - start_pfn;
++ return remap_pages + min(end_pfn, ini_nr_pages) - start_pfn;
+ }
+
+-static unsigned long __init xen_foreach_remap_area(unsigned long nr_pages,
++static unsigned long __init xen_foreach_remap_area(
+ unsigned long (*func)(unsigned long start_pfn, unsigned long end_pfn,
+- unsigned long nr_pages, unsigned long last_val))
++ unsigned long last_val))
+ {
+ phys_addr_t start = 0;
+ unsigned long ret_val = 0;
+@@ -479,8 +481,7 @@ static unsigned long __init xen_foreach_remap_area(unsigned long nr_pages,
+ end_pfn = PFN_UP(entry->addr);
+
+ if (start_pfn < end_pfn)
+- ret_val = func(start_pfn, end_pfn, nr_pages,
+- ret_val);
++ ret_val = func(start_pfn, end_pfn, ret_val);
+ start = end;
+ }
+ }
+@@ -747,7 +748,7 @@ static void __init xen_reserve_xen_mfnlist(void)
+ **/
+ char * __init xen_memory_setup(void)
+ {
+- unsigned long max_pfn, pfn_s, n_pfns;
++ unsigned long pfn_s, n_pfns;
+ phys_addr_t mem_end, addr, size, chunk_size;
+ u32 type;
+ int rc;
+@@ -759,9 +760,8 @@ char * __init xen_memory_setup(void)
+ int op;
+
+ xen_parse_512gb();
+- max_pfn = xen_get_pages_limit();
+- max_pfn = min(max_pfn, xen_start_info->nr_pages);
+- mem_end = PFN_PHYS(max_pfn);
++ ini_nr_pages = min(xen_get_pages_limit(), xen_start_info->nr_pages);
++ mem_end = PFN_PHYS(ini_nr_pages);
+
+ memmap.nr_entries = ARRAY_SIZE(xen_e820_table.entries);
+ set_xen_guest_handle(memmap.buffer, xen_e820_table.entries);
+@@ -801,10 +801,10 @@ char * __init xen_memory_setup(void)
+ max_pages = xen_get_max_pages();
+
+ /* How many extra pages do we need due to remapping? */
+- max_pages += xen_foreach_remap_area(max_pfn, xen_count_remap_pages);
++ max_pages += xen_foreach_remap_area(xen_count_remap_pages);
+
+- if (max_pages > max_pfn)
+- extra_pages += max_pages - max_pfn;
++ if (max_pages > ini_nr_pages)
++ extra_pages += max_pages - ini_nr_pages;
+
+ /*
+ * Clamp the amount of extra memory to a EXTRA_MEM_RATIO
+@@ -820,8 +820,8 @@ char * __init xen_memory_setup(void)
+ * the initial memory is also very large with respect to
+ * lowmem, but we won't try to deal with that here.
+ */
+- maxmem_pages = EXTRA_MEM_RATIO * min(max_pfn, PFN_DOWN(MAXMEM));
+- extra_pages = min3(maxmem_pages, extra_pages, max_pages - max_pfn);
++ maxmem_pages = EXTRA_MEM_RATIO * min(ini_nr_pages, PFN_DOWN(MAXMEM));
++ extra_pages = min3(maxmem_pages, extra_pages, max_pages - ini_nr_pages);
+ i = 0;
+ addr = xen_e820_table.entries[0].addr;
+ size = xen_e820_table.entries[0].size;
+@@ -923,7 +923,7 @@ char * __init xen_memory_setup(void)
+ * Set identity map on non-RAM pages and prepare remapping the
+ * underlying RAM.
+ */
+- xen_foreach_remap_area(max_pfn, xen_set_identity_and_remap_chunk);
++ xen_foreach_remap_area(xen_set_identity_and_remap_chunk);
+
+ pr_info("Released %ld page(s)\n", xen_released_pages);
+
+--
+2.43.0
+
--- /dev/null
+From a9b017e3be8083e8fb7ce28532223242a165f09e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Sep 2024 12:05:02 +0200
+Subject: xen/swiotlb: add alignment check for dma buffers
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit 9f40ec84a7976d95c34e7cc070939deb103652b0 ]
+
+When checking a memory buffer to be consecutive in machine memory,
+the alignment needs to be checked, too. Failing to do so might result
+in DMA memory not being aligned according to its requested size,
+leading to error messages like:
+
+ 4xxx 0000:2b:00.0: enabling device (0140 -> 0142)
+ 4xxx 0000:2b:00.0: Ring address not aligned
+ 4xxx 0000:2b:00.0: Failed to initialise service qat_crypto
+ 4xxx 0000:2b:00.0: Resetting device qat_dev0
+ 4xxx: probe of 0000:2b:00.0 failed with error -14
+
+Fixes: 9435cce87950 ("xen/swiotlb: Add support for 64KB page granularity")
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/swiotlb-xen.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c
+index 2f4d4e36c7b36..98f82c759d1e2 100644
+--- a/drivers/xen/swiotlb-xen.c
++++ b/drivers/xen/swiotlb-xen.c
+@@ -98,9 +98,15 @@ static inline int range_straddles_page_boundary(phys_addr_t p, size_t size)
+ {
+ unsigned long next_bfn, xen_pfn = XEN_PFN_DOWN(p);
+ unsigned int i, nr_pages = XEN_PFN_UP(xen_offset_in_page(p) + size);
++ phys_addr_t algn = 1ULL << (get_order(size) + PAGE_SHIFT);
+
+ next_bfn = pfn_to_bfn(xen_pfn);
+
++ /* If buffer is physically aligned, ensure DMA alignment. */
++ if (IS_ALIGNED(p, algn) &&
++ !IS_ALIGNED((phys_addr_t)next_bfn << XEN_PAGE_SHIFT, algn))
++ return 1;
++
+ for (i = 1; i < nr_pages; i++)
+ if (pfn_to_bfn(++xen_pfn) != ++next_bfn)
+ return 1;
+--
+2.43.0
+
--- /dev/null
+From 997d62e4f01fb8bdf0a44dacb4e05fea0f8f3210 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Jun 2019 07:46:03 +0200
+Subject: xen/swiotlb: simplify range_straddles_page_boundary()
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit bf70726668c6116aa4976e0cc87f470be6268a2f ]
+
+range_straddles_page_boundary() is open coding several macros from
+include/xen/page.h. Use those instead. Additionally there is no need
+to have check_pages_physically_contiguous() as a separate function as
+it is used only once, so merge it into range_straddles_page_boundary().
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Acked-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Stable-dep-of: 9f40ec84a797 ("xen/swiotlb: add alignment check for dma buffers")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/swiotlb-xen.c | 28 ++++++----------------------
+ 1 file changed, 6 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c
+index 3d9997595d900..2f4d4e36c7b36 100644
+--- a/drivers/xen/swiotlb-xen.c
++++ b/drivers/xen/swiotlb-xen.c
+@@ -94,34 +94,18 @@ static inline dma_addr_t xen_virt_to_bus(void *address)
+ return xen_phys_to_bus(virt_to_phys(address));
+ }
+
+-static int check_pages_physically_contiguous(unsigned long xen_pfn,
+- unsigned int offset,
+- size_t length)
++static inline int range_straddles_page_boundary(phys_addr_t p, size_t size)
+ {
+- unsigned long next_bfn;
+- int i;
+- int nr_pages;
++ unsigned long next_bfn, xen_pfn = XEN_PFN_DOWN(p);
++ unsigned int i, nr_pages = XEN_PFN_UP(xen_offset_in_page(p) + size);
+
+ next_bfn = pfn_to_bfn(xen_pfn);
+- nr_pages = (offset + length + XEN_PAGE_SIZE-1) >> XEN_PAGE_SHIFT;
+
+- for (i = 1; i < nr_pages; i++) {
++ for (i = 1; i < nr_pages; i++)
+ if (pfn_to_bfn(++xen_pfn) != ++next_bfn)
+- return 0;
+- }
+- return 1;
+-}
++ return 1;
+
+-static inline int range_straddles_page_boundary(phys_addr_t p, size_t size)
+-{
+- unsigned long xen_pfn = XEN_PFN_DOWN(p);
+- unsigned int offset = p & ~XEN_PAGE_MASK;
+-
+- if (offset + size <= XEN_PAGE_SIZE)
+- return 0;
+- if (check_pages_physically_contiguous(xen_pfn, offset, size))
+- return 0;
+- return 1;
++ return 0;
+ }
+
+ static int is_xen_swiotlb_buffer(dma_addr_t dma_addr)
+--
+2.43.0
+
--- /dev/null
+From 346cd48c6e5bc1bc92addabfaa569a19a1923f41 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Aug 2024 20:14:22 +0200
+Subject: xen: tolerate ACPI NVS memory overlapping with Xen allocated memory
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit be35d91c8880650404f3bf813573222dfb106935 ]
+
+In order to minimize required special handling for running as Xen PV
+dom0, the memory layout is modified to match that of the host. This
+requires to have only RAM at the locations where Xen allocated memory
+is living. Unfortunately there seem to be some machines, where ACPI
+NVS is located at 64 MB, resulting in a conflict with the loaded
+kernel or the initial page tables built by Xen.
+
+Avoid this conflict by swapping the ACPI NVS area in the memory map
+with unused RAM. This is possible via modification of the dom0 P2M map.
+Accesses to the ACPI NVS area are done either for saving and restoring
+it across suspend operations (this will work the same way as before),
+or by ACPI code when NVS memory is referenced from other ACPI tables.
+The latter case is handled by a Xen specific indirection of
+acpi_os_ioremap().
+
+While the E820 map can (and should) be modified right away, the P2M
+map can be updated only after memory allocation is working, as the P2M
+map might need to be extended.
+
+Fixes: 808fdb71936c ("xen: check for kernel memory conflicting with memory layout")
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Tested-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/xen/setup.c | 92 +++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 91 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c
+index 64824e922c6ca..70c6f4507de56 100644
+--- a/arch/x86/xen/setup.c
++++ b/arch/x86/xen/setup.c
+@@ -538,6 +538,8 @@ void __init xen_remap_memory(void)
+ set_pte_mfn(buf, mfn_save, PAGE_KERNEL);
+
+ pr_info("Remapped %ld page(s)\n", remapped);
++
++ xen_do_remap_nonram();
+ }
+
+ static unsigned long __init xen_get_pages_limit(void)
+@@ -663,14 +665,102 @@ phys_addr_t __init xen_find_free_area(phys_addr_t size)
+ return 0;
+ }
+
++/*
++ * Swap a non-RAM E820 map entry with RAM above ini_nr_pages.
++ * Note that the E820 map is modified accordingly, but the P2M map isn't yet.
++ * The adaption of the P2M must be deferred until page allocation is possible.
++ */
++static void __init xen_e820_swap_entry_with_ram(struct e820_entry *swap_entry)
++{
++ struct e820_entry *entry;
++ unsigned int mapcnt;
++ phys_addr_t mem_end = PFN_PHYS(ini_nr_pages);
++ phys_addr_t swap_addr, swap_size, entry_end;
++
++ swap_addr = PAGE_ALIGN_DOWN(swap_entry->addr);
++ swap_size = PAGE_ALIGN(swap_entry->addr - swap_addr + swap_entry->size);
++ entry = xen_e820_table.entries;
++
++ for (mapcnt = 0; mapcnt < xen_e820_table.nr_entries; mapcnt++) {
++ entry_end = entry->addr + entry->size;
++ if (entry->type == E820_TYPE_RAM && entry->size >= swap_size &&
++ entry_end - swap_size >= mem_end) {
++ /* Reduce RAM entry by needed space (whole pages). */
++ entry->size -= swap_size;
++
++ /* Add new entry at the end of E820 map. */
++ entry = xen_e820_table.entries +
++ xen_e820_table.nr_entries;
++ xen_e820_table.nr_entries++;
++
++ /* Fill new entry (keep size and page offset). */
++ entry->type = swap_entry->type;
++ entry->addr = entry_end - swap_size +
++ swap_addr - swap_entry->addr;
++ entry->size = swap_entry->size;
++
++ /* Convert old entry to RAM, align to pages. */
++ swap_entry->type = E820_TYPE_RAM;
++ swap_entry->addr = swap_addr;
++ swap_entry->size = swap_size;
++
++ /* Remember PFN<->MFN relation for P2M update. */
++ xen_add_remap_nonram(swap_addr, entry_end - swap_size,
++ swap_size);
++
++ /* Order E820 table and merge entries. */
++ e820__update_table(&xen_e820_table);
++
++ return;
++ }
++
++ entry++;
++ }
++
++ xen_raw_console_write("No suitable area found for required E820 entry remapping action\n");
++ BUG();
++}
++
++/*
++ * Look for non-RAM memory types in a specific guest physical area and move
++ * those away if possible (ACPI NVS only for now).
++ */
++static void __init xen_e820_resolve_conflicts(phys_addr_t start,
++ phys_addr_t size)
++{
++ struct e820_entry *entry;
++ unsigned int mapcnt;
++ phys_addr_t end;
++
++ if (!size)
++ return;
++
++ end = start + size;
++ entry = xen_e820_table.entries;
++
++ for (mapcnt = 0; mapcnt < xen_e820_table.nr_entries; mapcnt++) {
++ if (entry->addr >= end)
++ return;
++
++ if (entry->addr + entry->size > start &&
++ entry->type == E820_TYPE_NVS)
++ xen_e820_swap_entry_with_ram(entry);
++
++ entry++;
++ }
++}
++
+ /*
+ * Check for an area in physical memory to be usable for non-movable purposes.
+- * An area is considered to usable if the used E820 map lists it to be RAM.
++ * An area is considered to usable if the used E820 map lists it to be RAM or
++ * some other type which can be moved to higher PFNs while keeping the MFNs.
+ * In case the area is not usable, crash the system with an error message.
+ */
+ void __init xen_chk_is_e820_usable(phys_addr_t start, phys_addr_t size,
+ const char *component)
+ {
++ xen_e820_resolve_conflicts(start, size);
++
+ if (!xen_is_e820_reserved(start, size))
+ return;
+
+--
+2.43.0
+
--- /dev/null
+From 1e72911b35deda997202b4fc0160a4847c760dc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Aug 2024 08:01:22 +0200
+Subject: xen: use correct end address of kernel for conflict checking
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit fac1bceeeb04886fc2ee952672e6e6c85ce41dca ]
+
+When running as a Xen PV dom0 the kernel is loaded by the hypervisor
+using a different memory map than that of the host. In order to
+minimize the required changes in the kernel, the kernel adapts its
+memory map to that of the host. In order to do that it is checking
+for conflicts of its load address with the host memory map.
+
+Unfortunately the tested memory range does not include the .brk
+area, which might result in crashes or memory corruption when this
+area does conflict with the memory map of the host.
+
+Fix the test by using the _end label instead of __bss_stop.
+
+Fixes: 808fdb71936c ("xen: check for kernel memory conflicting with memory layout")
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Tested-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/xen/setup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c
+index 075ed47993bbf..69fd1134b7fcf 100644
+--- a/arch/x86/xen/setup.c
++++ b/arch/x86/xen/setup.c
+@@ -862,7 +862,7 @@ char * __init xen_memory_setup(void)
+ * to relocating (and even reusing) pages with kernel text or data.
+ */
+ if (xen_is_e820_reserved(__pa_symbol(_text),
+- __pa_symbol(__bss_stop) - __pa_symbol(_text))) {
++ __pa_symbol(_end) - __pa_symbol(_text))) {
+ xen_raw_console_write("Xen hypervisor allocated kernel memory conflicts with E820 map\n");
+ BUG();
+ }
+--
+2.43.0
+
--- /dev/null
+From 703815f1b4215df29dfc160f3c6e2b2d7af5e71a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 21 Jul 2024 16:36:24 +0300
+Subject: xz: cleanup CRC32 edits from 2018
+
+From: Lasse Collin <lasse.collin@tukaani.org>
+
+[ Upstream commit 2ee96abef214550d9e92f5143ee3ac1fd1323e67 ]
+
+In 2018, a dependency on <linux/crc32poly.h> was added to avoid
+duplicating the same constant in multiple files. Two months later it was
+found to be a bad idea and the definition of CRC32_POLY_LE macro was moved
+into xz_private.h to avoid including <linux/crc32poly.h>.
+
+xz_private.h is a wrong place for it too. Revert back to the upstream
+version which has the poly in xz_crc32_init() in xz_crc32.c.
+
+Link: https://lkml.kernel.org/r/20240721133633.47721-10-lasse.collin@tukaani.org
+Fixes: faa16bc404d7 ("lib: Use existing define with polynomial")
+Fixes: 242cdad873a7 ("lib/xz: Put CRC32_POLY_LE in xz_private.h")
+Signed-off-by: Lasse Collin <lasse.collin@tukaani.org>
+Reviewed-by: Sam James <sam@gentoo.org>
+Tested-by: Michael Ellerman <mpe@ellerman.id.au> (powerpc)
+Cc: Krzysztof Kozlowski <krzk@kernel.org>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: Joel Stanley <joel@jms.id.au>
+Cc: Albert Ou <aou@eecs.berkeley.edu>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Emil Renner Berthing <emil.renner.berthing@canonical.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Jubin Zhong <zhongjubin@huawei.com>
+Cc: Jules Maselbas <jmaselbas@zdiv.net>
+Cc: Palmer Dabbelt <palmer@dabbelt.com>
+Cc: Paul Walmsley <paul.walmsley@sifive.com>
+Cc: Randy Dunlap <rdunlap@infradead.org>
+Cc: Rui Li <me@lirui.org>
+Cc: Simon Glass <sjg@chromium.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Will Deacon <will@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/xz/xz_crc32.c | 2 +-
+ lib/xz/xz_private.h | 4 ----
+ 2 files changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/lib/xz/xz_crc32.c b/lib/xz/xz_crc32.c
+index 912aae5fa09e1..34532d14fd4c2 100644
+--- a/lib/xz/xz_crc32.c
++++ b/lib/xz/xz_crc32.c
+@@ -29,7 +29,7 @@ STATIC_RW_DATA uint32_t xz_crc32_table[256];
+
+ XZ_EXTERN void xz_crc32_init(void)
+ {
+- const uint32_t poly = CRC32_POLY_LE;
++ const uint32_t poly = 0xEDB88320;
+
+ uint32_t i;
+ uint32_t j;
+diff --git a/lib/xz/xz_private.h b/lib/xz/xz_private.h
+index 09360ebb510ef..482b90f363fe3 100644
+--- a/lib/xz/xz_private.h
++++ b/lib/xz/xz_private.h
+@@ -102,10 +102,6 @@
+ # endif
+ #endif
+
+-#ifndef CRC32_POLY_LE
+-#define CRC32_POLY_LE 0xedb88320
+-#endif
+-
+ /*
+ * Allocate memory for LZMA2 decoder. xz_dec_lzma2_reset() must be used
+ * before calling xz_dec_lzma2_run().
+--
+2.43.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
