--- /dev/null
+From 8b8ec83a1d7d3b6605d9163d2e306971295a4ce8 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Wed, 6 Mar 2024 10:56:50 +0100
+Subject: arm64: dts: qcom: sc8280xp: add missing PCIe minimum OPP
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 8b8ec83a1d7d3b6605d9163d2e306971295a4ce8 upstream.
+
+Add the missing PCIe CX performance level votes to avoid relying on
+other drivers (e.g. USB or UFS) to maintain the nominal performance
+level required for Gen3 speeds.
+
+Fixes: 813e83157001 ("arm64: dts: qcom: sc8280xp/sa8540p: add PCIe2-4 nodes")
+Cc: stable@vger.kernel.org # 6.2
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20240306095651.4551-5-johan+linaro@kernel.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/qcom/sc8280xp.dtsi | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/arm64/boot/dts/qcom/sc8280xp.dtsi
++++ b/arch/arm64/boot/dts/qcom/sc8280xp.dtsi
+@@ -1774,6 +1774,7 @@
+ reset-names = "pci";
+
+ power-domains = <&gcc PCIE_4_GDSC>;
++ required-opps = <&rpmhpd_opp_nom>;
+
+ phys = <&pcie4_phy>;
+ phy-names = "pciephy";
+@@ -1872,6 +1873,7 @@
+ reset-names = "pci";
+
+ power-domains = <&gcc PCIE_3B_GDSC>;
++ required-opps = <&rpmhpd_opp_nom>;
+
+ phys = <&pcie3b_phy>;
+ phy-names = "pciephy";
+@@ -1970,6 +1972,7 @@
+ reset-names = "pci";
+
+ power-domains = <&gcc PCIE_3A_GDSC>;
++ required-opps = <&rpmhpd_opp_nom>;
+
+ phys = <&pcie3a_phy>;
+ phy-names = "pciephy";
+@@ -2071,6 +2074,7 @@
+ reset-names = "pci";
+
+ power-domains = <&gcc PCIE_2B_GDSC>;
++ required-opps = <&rpmhpd_opp_nom>;
+
+ phys = <&pcie2b_phy>;
+ phy-names = "pciephy";
+@@ -2169,6 +2173,7 @@
+ reset-names = "pci";
+
+ power-domains = <&gcc PCIE_2A_GDSC>;
++ required-opps = <&rpmhpd_opp_nom>;
+
+ phys = <&pcie2a_phy>;
+ phy-names = "pciephy";
--- /dev/null
+From ecc3ac293ed15ac2536e9fde2810154486f84010 Mon Sep 17 00:00:00 2001
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Date: Mon, 18 Mar 2024 12:49:03 +0530
+Subject: arm64: dts: qcom: sm8450: Fix the msi-map entries
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+
+commit ecc3ac293ed15ac2536e9fde2810154486f84010 upstream.
+
+While adding the GIC ITS MSI support, it was found that the msi-map entries
+needed to be swapped to receive MSIs from the endpoint.
+
+But later it was identified that the swapping was needed due to a bug in
+the Qualcomm PCIe controller driver. And since the bug is now fixed with
+commit bf79e33cdd89 ("PCI: qcom: Enable BDF to SID translation properly"),
+let's fix the msi-map entries also to reflect the actual mapping in the
+hardware.
+
+Cc: stable@vger.kernel.org # 6.3: bf79e33cdd89 ("PCI: qcom: Enable BDF to SID translation properly")
+Fixes: ff384ab56f16 ("arm64: dts: qcom: sm8450: Use GIC-ITS for PCIe0 and PCIe1")
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://lore.kernel.org/r/20240318-pci-bdf-sid-fix-v1-1-acca6c5d9cf1@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/qcom/sm8450.dtsi | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+--- a/arch/arm64/boot/dts/qcom/sm8450.dtsi
++++ b/arch/arm64/boot/dts/qcom/sm8450.dtsi
+@@ -1777,12 +1777,8 @@
+ ranges = <0x01000000 0x0 0x00000000 0x0 0x60200000 0x0 0x100000>,
+ <0x02000000 0x0 0x60300000 0x0 0x60300000 0x0 0x3d00000>;
+
+- /*
+- * MSIs for BDF (1:0.0) only works with Device ID 0x5980.
+- * Hence, the IDs are swapped.
+- */
+- msi-map = <0x0 &gic_its 0x5981 0x1>,
+- <0x100 &gic_its 0x5980 0x1>;
++ msi-map = <0x0 &gic_its 0x5980 0x1>,
++ <0x100 &gic_its 0x5981 0x1>;
+ msi-map-mask = <0xff00>;
+ interrupts = <GIC_SPI 141 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-names = "msi";
+@@ -1886,12 +1882,8 @@
+ ranges = <0x01000000 0x0 0x00000000 0x0 0x40200000 0x0 0x100000>,
+ <0x02000000 0x0 0x40300000 0x0 0x40300000 0x0 0x1fd00000>;
+
+- /*
+- * MSIs for BDF (1:0.0) only works with Device ID 0x5a00.
+- * Hence, the IDs are swapped.
+- */
+- msi-map = <0x0 &gic_its 0x5a01 0x1>,
+- <0x100 &gic_its 0x5a00 0x1>;
++ msi-map = <0x0 &gic_its 0x5a00 0x1>,
++ <0x100 &gic_its 0x5a01 0x1>;
+ msi-map-mask = <0xff00>;
+ interrupts = <GIC_SPI 307 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-names = "msi";
--- /dev/null
+From 0ac417b8f124427c90ec8c2ef4f632b821d924cc Mon Sep 17 00:00:00 2001
+From: Iskander Amara <iskander.amara@theobroma-systems.com>
+Date: Fri, 8 Mar 2024 09:52:42 +0100
+Subject: arm64: dts: rockchip: enable internal pull-up for Q7_THRM# on RK3399 Puma
+
+From: Iskander Amara <iskander.amara@theobroma-systems.com>
+
+commit 0ac417b8f124427c90ec8c2ef4f632b821d924cc upstream.
+
+Q7_THRM# pin is connected to a diode on the module which is used
+as a level shifter, and the pin have a pull-down enabled by
+default. We need to configure it to internal pull-up, other-
+wise whenever the pin is configured as INPUT and we try to
+control it externally the value will always remain zero.
+
+Signed-off-by: Iskander Amara <iskander.amara@theobroma-systems.com>
+Fixes: 2c66fc34e945 ("arm64: dts: rockchip: add RK3399-Q7 (Puma) SoM")
+Reviewed-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240308085243.69903-1-iskander.amara@theobroma-systems.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi
+@@ -422,6 +422,16 @@
+ };
+
+ &pinctrl {
++ pinctrl-names = "default";
++ pinctrl-0 = <&q7_thermal_pin>;
++
++ gpios {
++ q7_thermal_pin: q7-thermal-pin {
++ rockchip,pins =
++ <0 RK_PA3 RK_FUNC_GPIO &pcfg_pull_up>;
++ };
++ };
++
+ i2c8 {
+ i2c8_xfer_a: i2c8-xfer {
+ rockchip,pins =
--- /dev/null
+From d1a5a7eede2977da3d2002d5ea3b519019cc1a98 Mon Sep 17 00:00:00 2001
+From: WangYuli <wangyuli@uniontech.com>
+Date: Fri, 29 Mar 2024 10:34:39 +0800
+Subject: Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0bda:0x4853
+
+From: WangYuli <wangyuli@uniontech.com>
+
+commit d1a5a7eede2977da3d2002d5ea3b519019cc1a98 upstream.
+
+Add the support ID(0x0bda, 0x4853) to usb_device_id table for
+Realtek RTL8852BE.
+
+Without this change the device utilizes an obsolete version of
+the firmware that is encoded in it rather than the updated Realtek
+firmware and config files from the firmware directory. The latter
+files implement many new features.
+
+The device table is as follows:
+
+T: Bus=03 Lev=01 Prnt=01 Port=09 Cnt=03 Dev#= 4 Spd=12 MxCh= 0
+D: Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=0bda ProdID=4853 Rev= 0.00
+S: Manufacturer=Realtek
+S: Product=Bluetooth Radio
+S: SerialNumber=00e04c000001
+C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA
+I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: WangYuli <wangyuli@uniontech.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/btusb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -542,6 +542,8 @@ static const struct usb_device_id quirks
+ /* Realtek 8852BE Bluetooth devices */
+ { USB_DEVICE(0x0cb8, 0xc559), .driver_info = BTUSB_REALTEK |
+ BTUSB_WIDEBAND_SPEECH },
++ { USB_DEVICE(0x0bda, 0x4853), .driver_info = BTUSB_REALTEK |
++ BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x0bda, 0x887b), .driver_info = BTUSB_REALTEK |
+ BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x0bda, 0xb85b), .driver_info = BTUSB_REALTEK |
--- /dev/null
+From 9bf4e919ccad613b3596eebf1ff37b05b6405307 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Mon, 1 Apr 2024 11:24:17 -0700
+Subject: Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old()
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 9bf4e919ccad613b3596eebf1ff37b05b6405307 upstream.
+
+After an innocuous optimization change in LLVM main (19.0.0), x86_64
+allmodconfig (which enables CONFIG_KCSAN / -fsanitize=thread) fails to
+build due to the checks in check_copy_size():
+
+ In file included from net/bluetooth/sco.c:27:
+ In file included from include/linux/module.h:13:
+ In file included from include/linux/stat.h:19:
+ In file included from include/linux/time.h:60:
+ In file included from include/linux/time32.h:13:
+ In file included from include/linux/timex.h:67:
+ In file included from arch/x86/include/asm/timex.h:6:
+ In file included from arch/x86/include/asm/tsc.h:10:
+ In file included from arch/x86/include/asm/msr.h:15:
+ In file included from include/linux/percpu.h:7:
+ In file included from include/linux/smp.h:118:
+ include/linux/thread_info.h:244:4: error: call to '__bad_copy_from'
+ declared with 'error' attribute: copy source size is too small
+ 244 | __bad_copy_from();
+ | ^
+
+The same exact error occurs in l2cap_sock.c. The copy_to_user()
+statements that are failing come from l2cap_sock_getsockopt_old() and
+sco_sock_getsockopt_old(). This does not occur with GCC with or without
+KCSAN or Clang without KCSAN enabled.
+
+len is defined as an 'int' because it is assigned from
+'__user int *optlen'. However, it is clamped against the result of
+sizeof(), which has a type of 'size_t' ('unsigned long' for 64-bit
+platforms). This is done with min_t() because min() requires compatible
+types, which results in both len and the result of sizeof() being casted
+to 'unsigned int', meaning len changes signs and the result of sizeof()
+is truncated. From there, len is passed to copy_to_user(), which has a
+third parameter type of 'unsigned long', so it is widened and changes
+signs again. This excessive casting in combination with the KCSAN
+instrumentation causes LLVM to fail to eliminate the __bad_copy_from()
+call, failing the build.
+
+The official recommendation from LLVM developers is to consistently use
+long types for all size variables to avoid the unnecessary casting in
+the first place. Change the type of len to size_t in both
+l2cap_sock_getsockopt_old() and sco_sock_getsockopt_old(). This clears
+up the error while allowing min_t() to be replaced with min(), resulting
+in simpler code with no casts and fewer implicit conversions. While len
+is a different type than optlen now, it should result in no functional
+change because the result of sizeof() will clamp all values of optlen in
+the same manner as before.
+
+Cc: stable@vger.kernel.org
+Closes: https://github.com/ClangBuiltLinux/linux/issues/2007
+Link: https://github.com/llvm/llvm-project/issues/85647
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Justin Stitt <justinstitt@google.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/l2cap_sock.c | 7 ++++---
+ net/bluetooth/sco.c | 7 ++++---
+ 2 files changed, 8 insertions(+), 6 deletions(-)
+
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -439,7 +439,8 @@ static int l2cap_sock_getsockopt_old(str
+ struct l2cap_chan *chan = l2cap_pi(sk)->chan;
+ struct l2cap_options opts;
+ struct l2cap_conninfo cinfo;
+- int len, err = 0;
++ int err = 0;
++ size_t len;
+ u32 opt;
+
+ BT_DBG("sk %p", sk);
+@@ -486,7 +487,7 @@ static int l2cap_sock_getsockopt_old(str
+
+ BT_DBG("mode 0x%2.2x", chan->mode);
+
+- len = min_t(unsigned int, len, sizeof(opts));
++ len = min(len, sizeof(opts));
+ if (copy_to_user(optval, (char *) &opts, len))
+ err = -EFAULT;
+
+@@ -536,7 +537,7 @@ static int l2cap_sock_getsockopt_old(str
+ cinfo.hci_handle = chan->conn->hcon->handle;
+ memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
+
+- len = min_t(unsigned int, len, sizeof(cinfo));
++ len = min(len, sizeof(cinfo));
+ if (copy_to_user(optval, (char *) &cinfo, len))
+ err = -EFAULT;
+
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -964,7 +964,8 @@ static int sco_sock_getsockopt_old(struc
+ struct sock *sk = sock->sk;
+ struct sco_options opts;
+ struct sco_conninfo cinfo;
+- int len, err = 0;
++ int err = 0;
++ size_t len;
+
+ BT_DBG("sk %p", sk);
+
+@@ -986,7 +987,7 @@ static int sco_sock_getsockopt_old(struc
+
+ BT_DBG("mtu %u", opts.mtu);
+
+- len = min_t(unsigned int, len, sizeof(opts));
++ len = min(len, sizeof(opts));
+ if (copy_to_user(optval, (char *)&opts, len))
+ err = -EFAULT;
+
+@@ -1004,7 +1005,7 @@ static int sco_sock_getsockopt_old(struc
+ cinfo.hci_handle = sco_pi(sk)->conn->hcon->handle;
+ memcpy(cinfo.dev_class, sco_pi(sk)->conn->hcon->dev_class, 3);
+
+- len = min_t(unsigned int, len, sizeof(cinfo));
++ len = min(len, sizeof(cinfo));
+ if (copy_to_user(optval, (char *)&cinfo, len))
+ err = -EFAULT;
+
--- /dev/null
+From 32868e126c78876a8a5ddfcb6ac8cb2fffcf4d27 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Tue, 16 Apr 2024 11:15:09 +0200
+Subject: Bluetooth: qca: fix invalid device address check
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 32868e126c78876a8a5ddfcb6ac8cb2fffcf4d27 upstream.
+
+Qualcomm Bluetooth controllers may not have been provisioned with a
+valid device address and instead end up using the default address
+00:00:00:00:5a:ad.
+
+This was previously believed to be due to lack of persistent storage for
+the address but it may also be due to integrators opting to not use the
+on-chip OTP memory and instead store the address elsewhere (e.g. in
+storage managed by secure world firmware).
+
+According to Qualcomm, at least WCN6750, WCN6855 and WCN7850 have
+on-chip OTP storage for the address.
+
+As the device type alone cannot be used to determine when the address is
+valid, instead read back the address during setup() and only set the
+HCI_QUIRK_USE_BDADDR_PROPERTY flag when needed.
+
+This specifically makes sure that controllers that have been provisioned
+with an address do not start as unconfigured.
+
+Reported-by: Janaki Ramaiah Thota <quic_janathot@quicinc.com>
+Link: https://lore.kernel.org/r/124a7d54-5a18-4be7-9a76-a12017f6cce5@quicinc.com/
+Fixes: 5971752de44c ("Bluetooth: hci_qca: Set HCI_QUIRK_USE_BDADDR_PROPERTY for wcn3990")
+Fixes: e668eb1e1578 ("Bluetooth: hci_core: Don't stop BT if the BD address missing in dts")
+Fixes: 6945795bc81a ("Bluetooth: fix use-bdaddr-property quirk")
+Cc: stable@vger.kernel.org # 6.5
+Cc: Matthias Kaehlcke <mka@chromium.org>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Reported-by: Janaki Ramaiah Thota <quic_janathot@quicinc.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/btqca.c | 38 ++++++++++++++++++++++++++++++++++++++
+ drivers/bluetooth/hci_qca.c | 2 --
+ 2 files changed, 38 insertions(+), 2 deletions(-)
+
+--- a/drivers/bluetooth/btqca.c
++++ b/drivers/bluetooth/btqca.c
+@@ -15,6 +15,8 @@
+
+ #define VERSION "0.1"
+
++#define QCA_BDADDR_DEFAULT (&(bdaddr_t) {{ 0xad, 0x5a, 0x00, 0x00, 0x00, 0x00 }})
++
+ int qca_read_soc_version(struct hci_dev *hdev, struct qca_btsoc_version *ver,
+ enum qca_btsoc_type soc_type)
+ {
+@@ -612,6 +614,38 @@ int qca_set_bdaddr_rome(struct hci_dev *
+ }
+ EXPORT_SYMBOL_GPL(qca_set_bdaddr_rome);
+
++static int qca_check_bdaddr(struct hci_dev *hdev)
++{
++ struct hci_rp_read_bd_addr *bda;
++ struct sk_buff *skb;
++ int err;
++
++ if (bacmp(&hdev->public_addr, BDADDR_ANY))
++ return 0;
++
++ skb = __hci_cmd_sync(hdev, HCI_OP_READ_BD_ADDR, 0, NULL,
++ HCI_INIT_TIMEOUT);
++ if (IS_ERR(skb)) {
++ err = PTR_ERR(skb);
++ bt_dev_err(hdev, "Failed to read device address (%d)", err);
++ return err;
++ }
++
++ if (skb->len != sizeof(*bda)) {
++ bt_dev_err(hdev, "Device address length mismatch");
++ kfree_skb(skb);
++ return -EIO;
++ }
++
++ bda = (struct hci_rp_read_bd_addr *)skb->data;
++ if (!bacmp(&bda->bdaddr, QCA_BDADDR_DEFAULT))
++ set_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks);
++
++ kfree_skb(skb);
++
++ return 0;
++}
++
+ static void qca_generate_hsp_nvm_name(char *fwname, size_t max_size,
+ struct qca_btsoc_version ver, u8 rom_ver, u16 bid)
+ {
+@@ -818,6 +852,10 @@ int qca_uart_setup(struct hci_dev *hdev,
+ break;
+ }
+
++ err = qca_check_bdaddr(hdev);
++ if (err)
++ return err;
++
+ bt_dev_info(hdev, "QCA setup on UART is completed");
+
+ return 0;
+--- a/drivers/bluetooth/hci_qca.c
++++ b/drivers/bluetooth/hci_qca.c
+@@ -1905,8 +1905,6 @@ retry:
+ case QCA_WCN6750:
+ case QCA_WCN6855:
+ case QCA_WCN7850:
+- set_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks);
+-
+ qcadev = serdev_device_get_drvdata(hu->serdev);
+ if (qcadev->bdaddr_property_broken)
+ set_bit(HCI_QUIRK_BDADDR_PROPERTY_BROKEN, &hdev->quirks);
--- /dev/null
+From 7ddb9de6af0f1c71147785b12fd7c8ec3f06cc86 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Mon, 22 Apr 2024 15:57:48 +0200
+Subject: Bluetooth: qca: fix NULL-deref on non-serdev setup
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 7ddb9de6af0f1c71147785b12fd7c8ec3f06cc86 upstream.
+
+Qualcomm ROME controllers can be registered from the Bluetooth line
+discipline and in this case the HCI UART serdev pointer is NULL.
+
+Add the missing sanity check to prevent a NULL-pointer dereference when
+setup() is called for a non-serdev controller.
+
+Fixes: e9b3e5b8c657 ("Bluetooth: hci_qca: only assign wakeup with serial port support")
+Cc: stable@vger.kernel.org # 6.2
+Cc: Zhengping Jiang <jiangzp@google.com>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/hci_qca.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/bluetooth/hci_qca.c
++++ b/drivers/bluetooth/hci_qca.c
+@@ -1958,8 +1958,10 @@ retry:
+ qca_debugfs_init(hdev);
+ hu->hdev->hw_error = qca_hw_error;
+ hu->hdev->cmd_timeout = qca_cmd_timeout;
+- if (device_can_wakeup(hu->serdev->ctrl->dev.parent))
+- hu->hdev->wakeup = qca_wakeup;
++ if (hu->serdev) {
++ if (device_can_wakeup(hu->serdev->ctrl->dev.parent))
++ hu->hdev->wakeup = qca_wakeup;
++ }
+ } else if (ret == -ENOENT) {
+ /* No patch/nvm-config found, run with original fw/config */
+ set_bit(QCA_ROM_FW, &qca->flags);
--- /dev/null
+From 73e87c0a49fda31d7b589edccf4c72e924411371 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Mon, 22 Apr 2024 15:57:47 +0200
+Subject: Bluetooth: qca: fix NULL-deref on non-serdev suspend
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 73e87c0a49fda31d7b589edccf4c72e924411371 upstream.
+
+Qualcomm ROME controllers can be registered from the Bluetooth line
+discipline and in this case the HCI UART serdev pointer is NULL.
+
+Add the missing sanity check to prevent a NULL-pointer dereference when
+wakeup() is called for a non-serdev controller during suspend.
+
+Just return true for now to restore the original behaviour and address
+the crash with pre-6.2 kernels, which do not have commit e9b3e5b8c657
+("Bluetooth: hci_qca: only assign wakeup with serial port support") that
+causes the crash to happen already at setup() time.
+
+Fixes: c1a74160eaf1 ("Bluetooth: hci_qca: Add device_may_wakeup support")
+Cc: stable@vger.kernel.org # 5.13
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/hci_qca.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/hci_qca.c
++++ b/drivers/bluetooth/hci_qca.c
+@@ -1672,6 +1672,9 @@ static bool qca_wakeup(struct hci_dev *h
+ struct hci_uart *hu = hci_get_drvdata(hdev);
+ bool wakeup;
+
++ if (!hu->serdev)
++ return true;
++
+ /* BT SoC attached through the serial bus is handled by the serdev driver.
+ * So we need to use the device handle of the serdev driver to get the
+ * status of device may wakeup.
--- /dev/null
+From 131a821a243f89be312ced9e62ccc37b2cf3846c Mon Sep 17 00:00:00 2001
+From: Sweet Tea Dorminy <sweettea-kernel@dorminy.me>
+Date: Sat, 6 Apr 2024 04:45:02 -0400
+Subject: btrfs: fallback if compressed IO fails for ENOSPC
+
+From: Sweet Tea Dorminy <sweettea-kernel@dorminy.me>
+
+commit 131a821a243f89be312ced9e62ccc37b2cf3846c upstream.
+
+In commit b4ccace878f4 ("btrfs: refactor submit_compressed_extents()"), if
+an async extent compressed but failed to find enough space, we changed
+from falling back to an uncompressed write to just failing the write
+altogether. The principle was that if there's not enough space to write
+the compressed version of the data, there can't possibly be enough space
+to write the larger, uncompressed version of the data.
+
+However, this isn't necessarily true: due to fragmentation, there could
+be enough discontiguous free blocks to write the uncompressed version,
+but not enough contiguous free blocks to write the smaller but
+unsplittable compressed version.
+
+This has occurred to an internal workload which relied on write()'s
+return value indicating there was space. While rare, it has happened a
+few times.
+
+Thus, in order to prevent early ENOSPC, re-add a fallback to
+uncompressed writing.
+
+Fixes: b4ccace878f4 ("btrfs: refactor submit_compressed_extents()")
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Co-developed-by: Neal Gompa <neal@gompa.dev>
+Signed-off-by: Neal Gompa <neal@gompa.dev>
+Signed-off-by: Sweet Tea Dorminy <sweettea-kernel@dorminy.me>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/inode.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -1144,13 +1144,13 @@ static void submit_one_async_extent(stru
+ 0, *alloc_hint, &ins, 1, 1);
+ if (ret) {
+ /*
+- * Here we used to try again by going back to non-compressed
+- * path for ENOSPC. But we can't reserve space even for
+- * compressed size, how could it work for uncompressed size
+- * which requires larger size? So here we directly go error
+- * path.
++ * We can't reserve contiguous space for the compressed size.
++ * Unlikely, but it's possible that we could have enough
++ * non-contiguous space for the uncompressed size instead. So
++ * fall back to uncompressed.
+ */
+- goto out_free;
++ submit_uncompressed_range(inode, async_extent, locked_page);
++ goto done;
+ }
+
+ /* Here we're doing allocation and writeback of the compressed pages */
+@@ -1202,7 +1202,6 @@ done:
+ out_free_reserve:
+ btrfs_dec_block_group_reservations(fs_info, ins.objectid);
+ btrfs_free_reserved_extent(fs_info, ins.objectid, ins.offset, 1);
+-out_free:
+ mapping_set_error(inode->vfs_inode.i_mapping, -EIO);
+ extent_clear_unlock_delalloc(inode, start, end,
+ NULL, EXTENT_LOCKED | EXTENT_DELALLOC |
--- /dev/null
+From 2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf Mon Sep 17 00:00:00 2001
+From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Date: Wed, 17 Apr 2024 10:45:47 +0200
+Subject: btrfs: fix information leak in btrfs_ioctl_logical_to_ino()
+
+From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+
+commit 2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf upstream.
+
+Syzbot reported the following information leak for in
+btrfs_ioctl_logical_to_ino():
+
+ BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
+ BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40
+ instrument_copy_to_user include/linux/instrumented.h:114 [inline]
+ _copy_to_user+0xbc/0x110 lib/usercopy.c:40
+ copy_to_user include/linux/uaccess.h:191 [inline]
+ btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499
+ btrfs_ioctl+0x714/0x1260
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:904 [inline]
+ __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890
+ __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890
+ x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+ Uninit was created at:
+ __kmalloc_large_node+0x231/0x370 mm/slub.c:3921
+ __do_kmalloc_node mm/slub.c:3954 [inline]
+ __kmalloc_node+0xb07/0x1060 mm/slub.c:3973
+ kmalloc_node include/linux/slab.h:648 [inline]
+ kvmalloc_node+0xc0/0x2d0 mm/util.c:634
+ kvmalloc include/linux/slab.h:766 [inline]
+ init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779
+ btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480
+ btrfs_ioctl+0x714/0x1260
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:904 [inline]
+ __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890
+ __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890
+ x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+ Bytes 40-65535 of 65536 are uninitialized
+ Memory access of size 65536 starts at ffff888045a40000
+
+This happens, because we're copying a 'struct btrfs_data_container' back
+to user-space. This btrfs_data_container is allocated in
+'init_data_container()' via kvmalloc(), which does not zero-fill the
+memory.
+
+Fix this by using kvzalloc() which zeroes out the memory on allocation.
+
+CC: stable@vger.kernel.org # 4.14+
+Reported-by: <syzbot+510a1abbb8116eeb341d@syzkaller.appspotmail.com>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Johannes Thumshirn <Johannes.thumshirn@wdc.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/backref.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+--- a/fs/btrfs/backref.c
++++ b/fs/btrfs/backref.c
+@@ -2773,20 +2773,14 @@ struct btrfs_data_container *init_data_c
+ size_t alloc_bytes;
+
+ alloc_bytes = max_t(size_t, total_bytes, sizeof(*data));
+- data = kvmalloc(alloc_bytes, GFP_KERNEL);
++ data = kvzalloc(alloc_bytes, GFP_KERNEL);
+ if (!data)
+ return ERR_PTR(-ENOMEM);
+
+- if (total_bytes >= sizeof(*data)) {
++ if (total_bytes >= sizeof(*data))
+ data->bytes_left = total_bytes - sizeof(*data);
+- data->bytes_missing = 0;
+- } else {
++ else
+ data->bytes_missing = sizeof(*data) - total_bytes;
+- data->bytes_left = 0;
+- }
+-
+- data->elem_cnt = 0;
+- data->elem_missed = 0;
+
+ return data;
+ }
--- /dev/null
+From fe1c6c7acce10baf9521d6dccc17268d91ee2305 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Tue, 9 Apr 2024 20:32:34 +0930
+Subject: btrfs: fix wrong block_start calculation for btrfs_drop_extent_map_range()
+
+From: Qu Wenruo <wqu@suse.com>
+
+commit fe1c6c7acce10baf9521d6dccc17268d91ee2305 upstream.
+
+[BUG]
+During my extent_map cleanup/refactor, with extra sanity checks,
+extent-map-tests::test_case_7() would not pass the checks.
+
+The problem is, after btrfs_drop_extent_map_range(), the resulted
+extent_map has a @block_start way too large.
+Meanwhile my btrfs_file_extent_item based members are returning a
+correct @disk_bytenr/@offset combination.
+
+The extent map layout looks like this:
+
+ 0 16K 32K 48K
+ | PINNED | | Regular |
+
+The regular em at [32K, 48K) also has 32K @block_start.
+
+Then drop range [0, 36K), which should shrink the regular one to be
+[36K, 48K).
+However the @block_start is incorrect, we expect 32K + 4K, but got 52K.
+
+[CAUSE]
+Inside btrfs_drop_extent_map_range() function, if we hit an extent_map
+that covers the target range but is still beyond it, we need to split
+that extent map into half:
+
+ |<-- drop range -->|
+ |<----- existing extent_map --->|
+
+And if the extent map is not compressed, we need to forward
+extent_map::block_start by the difference between the end of drop range
+and the extent map start.
+
+However in that particular case, the difference is calculated using
+(start + len - em->start).
+
+The problem is @start can be modified if the drop range covers any
+pinned extent.
+
+This leads to wrong calculation, and would be caught by my later
+extent_map sanity checks, which checks the em::block_start against
+btrfs_file_extent_item::disk_bytenr + btrfs_file_extent_item::offset.
+
+This is a regression caused by commit c962098ca4af ("btrfs: fix
+incorrect splitting in btrfs_drop_extent_map_range"), which removed the
+@len update for pinned extents.
+
+[FIX]
+Fix it by avoiding using @start completely, and use @end - em->start
+instead, which @end is exclusive bytenr number.
+
+And update the test case to verify the @block_start to prevent such
+problem from happening.
+
+Thankfully this is not going to lead to any data corruption, as IO path
+does not utilize btrfs_drop_extent_map_range() with @skip_pinned set.
+
+So this fix is only here for the sake of consistency/correctness.
+
+CC: stable@vger.kernel.org # 6.5+
+Fixes: c962098ca4af ("btrfs: fix incorrect splitting in btrfs_drop_extent_map_range")
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/extent_map.c | 2 +-
+ fs/btrfs/tests/extent-map-tests.c | 5 +++++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/extent_map.c
++++ b/fs/btrfs/extent_map.c
+@@ -818,7 +818,7 @@ void btrfs_drop_extent_map_range(struct
+ split->block_len = em->block_len;
+ split->orig_start = em->orig_start;
+ } else {
+- const u64 diff = start + len - em->start;
++ const u64 diff = end - em->start;
+
+ split->block_len = split->len;
+ split->block_start += diff;
+--- a/fs/btrfs/tests/extent-map-tests.c
++++ b/fs/btrfs/tests/extent-map-tests.c
+@@ -847,6 +847,11 @@ static int test_case_7(struct btrfs_fs_i
+ goto out;
+ }
+
++ if (em->block_start != SZ_32K + SZ_4K) {
++ test_err("em->block_start is %llu, expected 36K", em->block_start);
++ goto out;
++ }
++
+ free_extent_map(em);
+
+ read_lock(&em_tree->lock);
--- /dev/null
+From 7192833c4e55b26e8f15ef58577867a1bc808036 Mon Sep 17 00:00:00 2001
+From: Naohiro Aota <naohiro.aota@wdc.com>
+Date: Tue, 9 Apr 2024 23:18:52 +0900
+Subject: btrfs: scrub: run relocation repair when/only needed
+
+From: Naohiro Aota <naohiro.aota@wdc.com>
+
+commit 7192833c4e55b26e8f15ef58577867a1bc808036 upstream.
+
+When btrfs scrub finds an error, it reads mirrors to find correct data. If
+all the errors are fixed, sctx->error_bitmap is cleared for the stripe
+range. However, in the zoned mode, it runs relocation to repair scrub
+errors when the bitmap is *not* empty, which is a flipped condition.
+
+Also, it runs the relocation even if the scrub is read-only. This was
+missed by a fix in commit 1f2030ff6e49 ("btrfs: scrub: respect the
+read-only flag during repair").
+
+The repair is only necessary when there is a repaired sector and should be
+done on read-write scrub. So, tweak the condition for both regular and
+zoned case.
+
+Fixes: 54765392a1b9 ("btrfs: scrub: introduce helper to queue a stripe for scrub")
+Fixes: 1f2030ff6e49 ("btrfs: scrub: respect the read-only flag during repair")
+CC: stable@vger.kernel.org # 6.6+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/scrub.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/fs/btrfs/scrub.c
++++ b/fs/btrfs/scrub.c
+@@ -1012,6 +1012,7 @@ static void scrub_stripe_read_repair_wor
+ struct btrfs_fs_info *fs_info = sctx->fs_info;
+ int num_copies = btrfs_num_copies(fs_info, stripe->bg->start,
+ stripe->bg->length);
++ unsigned long repaired;
+ int mirror;
+ int i;
+
+@@ -1078,16 +1079,15 @@ out:
+ * Submit the repaired sectors. For zoned case, we cannot do repair
+ * in-place, but queue the bg to be relocated.
+ */
+- if (btrfs_is_zoned(fs_info)) {
+- if (!bitmap_empty(&stripe->error_bitmap, stripe->nr_sectors))
++ bitmap_andnot(&repaired, &stripe->init_error_bitmap, &stripe->error_bitmap,
++ stripe->nr_sectors);
++ if (!sctx->readonly && !bitmap_empty(&repaired, stripe->nr_sectors)) {
++ if (btrfs_is_zoned(fs_info)) {
+ btrfs_repair_one_zone(fs_info, sctx->stripes[0].bg->start);
+- } else if (!sctx->readonly) {
+- unsigned long repaired;
+-
+- bitmap_andnot(&repaired, &stripe->init_error_bitmap,
+- &stripe->error_bitmap, stripe->nr_sectors);
+- scrub_write_sectors(sctx, stripe, repaired, false);
+- wait_scrub_stripe_io(stripe);
++ } else {
++ scrub_write_sectors(sctx, stripe, repaired, false);
++ wait_scrub_stripe_io(stripe);
++ }
+ }
+
+ scrub_stripe_report_errors(sctx, stripe);
--- /dev/null
+From fe42754b94a42d08cf9501790afc25c4f6a5f631 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Fri, 19 Apr 2024 17:05:54 -0700
+Subject: cpu: Re-enable CPU mitigations by default for !X86 architectures
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit fe42754b94a42d08cf9501790afc25c4f6a5f631 upstream.
+
+Rename x86's to CPU_MITIGATIONS, define it in generic code, and force it
+on for all architectures exception x86. A recent commit to turn
+mitigations off by default if SPECULATION_MITIGATIONS=n kinda sorta
+missed that "cpu_mitigations" is completely generic, whereas
+SPECULATION_MITIGATIONS is x86-specific.
+
+Rename x86's SPECULATIVE_MITIGATIONS instead of keeping both and have it
+select CPU_MITIGATIONS, as having two configs for the same thing is
+unnecessary and confusing. This will also allow x86 to use the knob to
+manage mitigations that aren't strictly related to speculative
+execution.
+
+Use another Kconfig to communicate to common code that CPU_MITIGATIONS
+is already defined instead of having x86's menu depend on the common
+CPU_MITIGATIONS. This allows keeping a single point of contact for all
+of x86's mitigations, and it's not clear that other architectures *want*
+to allow disabling mitigations at compile-time.
+
+Fixes: f337a6a21e2f ("x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n")
+Closes: https://lkml.kernel.org/r/20240413115324.53303a68%40canb.auug.org.au
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Reported-by: Michael Ellerman <mpe@ellerman.id.au>
+Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240420000556.2645001-2-seanjc@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/Kconfig | 8 ++++++++
+ arch/x86/Kconfig | 11 ++++++-----
+ kernel/cpu.c | 4 ++--
+ 3 files changed, 16 insertions(+), 7 deletions(-)
+
+--- a/arch/Kconfig
++++ b/arch/Kconfig
+@@ -9,6 +9,14 @@
+ #
+ source "arch/$(SRCARCH)/Kconfig"
+
++config ARCH_CONFIGURES_CPU_MITIGATIONS
++ bool
++
++if !ARCH_CONFIGURES_CPU_MITIGATIONS
++config CPU_MITIGATIONS
++ def_bool y
++endif
++
+ menu "General architecture-dependent options"
+
+ config ARCH_HAS_SUBPAGE_FAULTS
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -62,6 +62,7 @@ config X86
+ select ACPI_HOTPLUG_CPU if ACPI_PROCESSOR && HOTPLUG_CPU
+ select ARCH_32BIT_OFF_T if X86_32
+ select ARCH_CLOCKSOURCE_INIT
++ select ARCH_CONFIGURES_CPU_MITIGATIONS
+ select ARCH_CORRECT_STACKTRACE_ON_KRETPROBE
+ select ARCH_ENABLE_HUGEPAGE_MIGRATION if X86_64 && HUGETLB_PAGE && MIGRATION
+ select ARCH_ENABLE_MEMORY_HOTPLUG if X86_64
+@@ -2467,17 +2468,17 @@ config PREFIX_SYMBOLS
+ def_bool y
+ depends on CALL_PADDING && !CFI_CLANG
+
+-menuconfig SPECULATION_MITIGATIONS
+- bool "Mitigations for speculative execution vulnerabilities"
++menuconfig CPU_MITIGATIONS
++ bool "Mitigations for CPU vulnerabilities"
+ default y
+ help
+- Say Y here to enable options which enable mitigations for
+- speculative execution hardware vulnerabilities.
++ Say Y here to enable options which enable mitigations for hardware
++ vulnerabilities (usually related to speculative execution).
+
+ If you say N, all mitigations will be disabled. You really
+ should know what you are doing to say so.
+
+-if SPECULATION_MITIGATIONS
++if CPU_MITIGATIONS
+
+ config PAGE_TABLE_ISOLATION
+ bool "Remove the kernel mapping in user mode"
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -3207,8 +3207,8 @@ enum cpu_mitigations {
+ };
+
+ static enum cpu_mitigations cpu_mitigations __ro_after_init =
+- IS_ENABLED(CONFIG_SPECULATION_MITIGATIONS) ? CPU_MITIGATIONS_AUTO :
+- CPU_MITIGATIONS_OFF;
++ IS_ENABLED(CONFIG_CPU_MITIGATIONS) ? CPU_MITIGATIONS_AUTO :
++ CPU_MITIGATIONS_OFF;
+
+ static int __init mitigations_parse_cmdline(char *arg)
+ {
--- /dev/null
+From afc89870ea677bd5a44516eb981f7a259b74280c Mon Sep 17 00:00:00 2001
+From: Vinod Koul <vkoul@kernel.org>
+Date: Thu, 28 Mar 2024 12:21:51 +0530
+Subject: dmaengine: Revert "dmaengine: pl330: issue_pending waits until WFP state"
+
+From: Vinod Koul <vkoul@kernel.org>
+
+commit afc89870ea677bd5a44516eb981f7a259b74280c upstream.
+
+This reverts commit 22a9d9585812 ("dmaengine: pl330: issue_pending waits
+until WFP state") as it seems to cause regression in pl330 driver.
+Note the issue now exists in mainline so a fix to be done.
+
+Cc: stable@vger.kernel.org
+Reported-by: karthikeyan <karthikeyan@linumiz.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/pl330.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/dma/pl330.c
++++ b/drivers/dma/pl330.c
+@@ -1053,9 +1053,6 @@ static bool _trigger(struct pl330_thread
+
+ thrd->req_running = idx;
+
+- if (desc->rqtype == DMA_MEM_TO_DEV || desc->rqtype == DMA_DEV_TO_MEM)
+- UNTIL(thrd, PL330_STATE_WFP);
+-
+ return true;
+ }
+
--- /dev/null
+From 6a40fb8245965b481b4dcce011cd63f20bf91ee0 Mon Sep 17 00:00:00 2001
+From: Louis Chauvet <louis.chauvet@bootlin.com>
+Date: Wed, 27 Mar 2024 10:58:49 +0100
+Subject: dmaengine: xilinx: xdma: Fix synchronization issue
+
+From: Louis Chauvet <louis.chauvet@bootlin.com>
+
+commit 6a40fb8245965b481b4dcce011cd63f20bf91ee0 upstream.
+
+The current xdma_synchronize method does not properly wait for the last
+transfer to be done. Due to limitations of the XMDA engine, it is not
+possible to stop a transfer in the middle of a descriptor. Said
+otherwise, if a stop is requested at the end of descriptor "N" and the OS
+is fast enough, the DMA controller will effectively stop immediately.
+However, if the OS is slightly too slow to request the stop and the DMA
+engine starts descriptor "N+1", the N+1 transfer will be performed until
+its end. This means that after a terminate_all, the last descriptor must
+remain valid and the synchronization must wait for this last descriptor to
+be terminated.
+
+Fixes: 855c2e1d1842 ("dmaengine: xilinx: xdma: Rework xdma_terminate_all()")
+Fixes: f5c392d106e7 ("dmaengine: xilinx: xdma: Add terminate_all/synchronize callbacks")
+Cc: stable@vger.kernel.org
+Suggested-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Louis Chauvet <louis.chauvet@bootlin.com>
+Link: https://lore.kernel.org/r/20240327-digigram-xdma-fixes-v1-2-45f4a52c0283@bootlin.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/xilinx/xdma-regs.h | 3 +++
+ drivers/dma/xilinx/xdma.c | 26 ++++++++++++++++++--------
+ 2 files changed, 21 insertions(+), 8 deletions(-)
+
+--- a/drivers/dma/xilinx/xdma-regs.h
++++ b/drivers/dma/xilinx/xdma-regs.h
+@@ -117,6 +117,9 @@ struct xdma_hw_desc {
+ CHAN_CTRL_IE_WRITE_ERROR | \
+ CHAN_CTRL_IE_DESC_ERROR)
+
++/* bits of the channel status register */
++#define XDMA_CHAN_STATUS_BUSY BIT(0)
++
+ #define XDMA_CHAN_STATUS_MASK CHAN_CTRL_START
+
+ #define XDMA_CHAN_ERROR_MASK (CHAN_CTRL_IE_DESC_ALIGN_MISMATCH | \
+--- a/drivers/dma/xilinx/xdma.c
++++ b/drivers/dma/xilinx/xdma.c
+@@ -71,6 +71,8 @@ struct xdma_chan {
+ enum dma_transfer_direction dir;
+ struct dma_slave_config cfg;
+ u32 irq;
++ struct completion last_interrupt;
++ bool stop_requested;
+ };
+
+ /**
+@@ -376,6 +378,8 @@ static int xdma_xfer_start(struct xdma_c
+ return ret;
+
+ xchan->busy = true;
++ xchan->stop_requested = false;
++ reinit_completion(&xchan->last_interrupt);
+
+ return 0;
+ }
+@@ -387,7 +391,6 @@ static int xdma_xfer_start(struct xdma_c
+ static int xdma_xfer_stop(struct xdma_chan *xchan)
+ {
+ int ret;
+- u32 val;
+ struct xdma_device *xdev = xchan->xdev_hdl;
+
+ /* clear run stop bit to prevent any further auto-triggering */
+@@ -395,13 +398,7 @@ static int xdma_xfer_stop(struct xdma_ch
+ CHAN_CTRL_RUN_STOP);
+ if (ret)
+ return ret;
+-
+- /* Clear the channel status register */
+- ret = regmap_read(xdev->rmap, xchan->base + XDMA_CHAN_STATUS_RC, &val);
+- if (ret)
+- return ret;
+-
+- return 0;
++ return ret;
+ }
+
+ /**
+@@ -474,6 +471,8 @@ static int xdma_alloc_channels(struct xd
+ xchan->xdev_hdl = xdev;
+ xchan->base = base + i * XDMA_CHAN_STRIDE;
+ xchan->dir = dir;
++ xchan->stop_requested = false;
++ init_completion(&xchan->last_interrupt);
+
+ ret = xdma_channel_init(xchan);
+ if (ret)
+@@ -521,6 +520,7 @@ static int xdma_terminate_all(struct dma
+ spin_lock_irqsave(&xdma_chan->vchan.lock, flags);
+
+ xdma_chan->busy = false;
++ xdma_chan->stop_requested = true;
+ vd = vchan_next_desc(&xdma_chan->vchan);
+ if (vd) {
+ list_del(&vd->node);
+@@ -542,6 +542,13 @@ static int xdma_terminate_all(struct dma
+ static void xdma_synchronize(struct dma_chan *chan)
+ {
+ struct xdma_chan *xdma_chan = to_xdma_chan(chan);
++ struct xdma_device *xdev = xdma_chan->xdev_hdl;
++ int st = 0;
++
++ /* If the engine continues running, wait for the last interrupt */
++ regmap_read(xdev->rmap, xdma_chan->base + XDMA_CHAN_STATUS, &st);
++ if (st & XDMA_CHAN_STATUS_BUSY)
++ wait_for_completion_timeout(&xdma_chan->last_interrupt, msecs_to_jiffies(1000));
+
+ vchan_synchronize(&xdma_chan->vchan);
+ }
+@@ -876,6 +883,9 @@ static irqreturn_t xdma_channel_isr(int
+ u32 st;
+ bool repeat_tx;
+
++ if (xchan->stop_requested)
++ complete(&xchan->last_interrupt);
++
+ spin_lock(&xchan->vchan.lock);
+
+ /* get submitted request */
--- /dev/null
+From 5b9706bfc094314c600ab810a61208a7cbaa4cb3 Mon Sep 17 00:00:00 2001
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+Date: Wed, 27 Mar 2024 10:58:48 +0100
+Subject: dmaengine: xilinx: xdma: Fix wrong offsets in the buffers addresses in dma descriptor
+
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+
+commit 5b9706bfc094314c600ab810a61208a7cbaa4cb3 upstream.
+
+The addition of interleaved transfers slightly changed the way
+addresses inside DMA descriptors are derived, breaking cyclic
+transfers.
+
+Fixes: 3e184e64c2e5 ("dmaengine: xilinx: xdma: Prepare the introduction of interleaved DMA transfers")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Louis Chauvet <louis.chauvet@bootlin.com>
+Link: https://lore.kernel.org/r/20240327-digigram-xdma-fixes-v1-1-45f4a52c0283@bootlin.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/xilinx/xdma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma/xilinx/xdma.c
++++ b/drivers/dma/xilinx/xdma.c
+@@ -704,7 +704,7 @@ xdma_prep_dma_cyclic(struct dma_chan *ch
+ desc_num = 0;
+ for (i = 0; i < periods; i++) {
+ desc_num += xdma_fill_descs(sw_desc, *src, *dst, period_size, desc_num);
+- addr += i * period_size;
++ addr += period_size;
+ }
+
+ tx_desc = vchan_tx_prep(&xdma_chan->vchan, &sw_desc->vdesc, flags);
--- /dev/null
+From aebd3eb9d3ae017e6260043f6bcace2f5ef60694 Mon Sep 17 00:00:00 2001
+From: Lijo Lazar <lijo.lazar@amd.com>
+Date: Wed, 10 Apr 2024 19:30:46 +0530
+Subject: drm/amdgpu: Assign correct bits for SDMA HDP flush
+
+From: Lijo Lazar <lijo.lazar@amd.com>
+
+commit aebd3eb9d3ae017e6260043f6bcace2f5ef60694 upstream.
+
+HDP Flush request bit can be kept unique per AID, and doesn't need to be
+unique SOC-wide. Assign only bits 10-13 for SDMA v4.4.2.
+
+Signed-off-by: Lijo Lazar <lijo.lazar@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/sdma_v4_4_2.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/sdma_v4_4_2.c
++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v4_4_2.c
+@@ -366,7 +366,8 @@ static void sdma_v4_4_2_ring_emit_hdp_fl
+ u32 ref_and_mask = 0;
+ const struct nbio_hdp_flush_reg *nbio_hf_reg = adev->nbio.hdp_flush_reg;
+
+- ref_and_mask = nbio_hf_reg->ref_and_mask_sdma0 << ring->me;
++ ref_and_mask = nbio_hf_reg->ref_and_mask_sdma0
++ << (ring->me % adev->sdma.num_inst_per_aid);
+
+ sdma_v4_4_2_wait_reg_mem(ring, 0, 1,
+ adev->nbio.funcs->get_hdp_flush_done_offset(adev),
--- /dev/null
+From 25e9227c6afd200bed6774c866980b8e36d033af Mon Sep 17 00:00:00 2001
+From: Mukul Joshi <mukul.joshi@amd.com>
+Date: Thu, 18 Apr 2024 11:32:34 -0400
+Subject: drm/amdgpu: Fix leak when GPU memory allocation fails
+
+From: Mukul Joshi <mukul.joshi@amd.com>
+
+commit 25e9227c6afd200bed6774c866980b8e36d033af upstream.
+
+Free the sync object if the memory allocation fails for any
+reason.
+
+Signed-off-by: Mukul Joshi <mukul.joshi@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
+@@ -1851,6 +1851,7 @@ err_node_allow:
+ err_bo_create:
+ amdgpu_amdkfd_unreserve_mem_limit(adev, aligned_size, flags, xcp_id);
+ err_reserve_limit:
++ amdgpu_sync_free(&(*mem)->sync);
+ mutex_destroy(&(*mem)->lock);
+ if (gobj)
+ drm_gem_object_put(gobj);
--- /dev/null
+From 0e95ed6452cb079cf9587c774a475a7d83c7e040 Mon Sep 17 00:00:00 2001
+From: Ma Jun <Jun.Ma2@amd.com>
+Date: Tue, 16 Apr 2024 17:30:12 +0800
+Subject: drm/amdgpu/pm: Remove gpu_od if it's an empty directory
+
+From: Ma Jun <Jun.Ma2@amd.com>
+
+commit 0e95ed6452cb079cf9587c774a475a7d83c7e040 upstream.
+
+gpu_od should be removed if it's an empty directory
+
+Signed-off-by: Ma Jun <Jun.Ma2@amd.com>
+Reported-by: Yang Wang <kevinyang.wang@amd.com>
+Reviewed-by: Yang Wang <kevinyang.wang@amd.com>
+Suggested-by: Lijo Lazar <lijo.lazar@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/pm/amdgpu_pm.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/gpu/drm/amd/pm/amdgpu_pm.c
++++ b/drivers/gpu/drm/amd/pm/amdgpu_pm.c
+@@ -4217,6 +4217,13 @@ static int amdgpu_od_set_init(struct amd
+ }
+ }
+
++ /*
++ * If gpu_od is the only member in the list, that means gpu_od is an
++ * empty directory, so remove it.
++ */
++ if (list_is_singular(&adev->pm.od_kobj_list))
++ goto err_out;
++
+ return 0;
+
+ err_out:
--- /dev/null
+From 9792b7cc18aaa0c2acae6af5d0acf249bcb1ab0d Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Sun, 14 Apr 2024 21:20:56 -0400
+Subject: drm/amdgpu/sdma5.2: use legacy HDP flush for SDMA2/3
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 9792b7cc18aaa0c2acae6af5d0acf249bcb1ab0d upstream.
+
+This avoids a potential conflict with firmwares with the newer
+HDP flush mechanism.
+
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c | 24 ++++++++++++++----------
+ 1 file changed, 14 insertions(+), 10 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c
++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c
+@@ -292,17 +292,21 @@ static void sdma_v5_2_ring_emit_hdp_flus
+ u32 ref_and_mask = 0;
+ const struct nbio_hdp_flush_reg *nbio_hf_reg = adev->nbio.hdp_flush_reg;
+
+- ref_and_mask = nbio_hf_reg->ref_and_mask_sdma0 << ring->me;
++ if (ring->me > 1) {
++ amdgpu_asic_flush_hdp(adev, ring);
++ } else {
++ ref_and_mask = nbio_hf_reg->ref_and_mask_sdma0 << ring->me;
+
+- amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_POLL_REGMEM) |
+- SDMA_PKT_POLL_REGMEM_HEADER_HDP_FLUSH(1) |
+- SDMA_PKT_POLL_REGMEM_HEADER_FUNC(3)); /* == */
+- amdgpu_ring_write(ring, (adev->nbio.funcs->get_hdp_flush_done_offset(adev)) << 2);
+- amdgpu_ring_write(ring, (adev->nbio.funcs->get_hdp_flush_req_offset(adev)) << 2);
+- amdgpu_ring_write(ring, ref_and_mask); /* reference */
+- amdgpu_ring_write(ring, ref_and_mask); /* mask */
+- amdgpu_ring_write(ring, SDMA_PKT_POLL_REGMEM_DW5_RETRY_COUNT(0xfff) |
+- SDMA_PKT_POLL_REGMEM_DW5_INTERVAL(10)); /* retry count, poll interval */
++ amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_POLL_REGMEM) |
++ SDMA_PKT_POLL_REGMEM_HEADER_HDP_FLUSH(1) |
++ SDMA_PKT_POLL_REGMEM_HEADER_FUNC(3)); /* == */
++ amdgpu_ring_write(ring, (adev->nbio.funcs->get_hdp_flush_done_offset(adev)) << 2);
++ amdgpu_ring_write(ring, (adev->nbio.funcs->get_hdp_flush_req_offset(adev)) << 2);
++ amdgpu_ring_write(ring, ref_and_mask); /* reference */
++ amdgpu_ring_write(ring, ref_and_mask); /* mask */
++ amdgpu_ring_write(ring, SDMA_PKT_POLL_REGMEM_DW5_RETRY_COUNT(0xfff) |
++ SDMA_PKT_POLL_REGMEM_DW5_INTERVAL(10)); /* retry count, poll interval */
++ }
+ }
+
+ /**
--- /dev/null
+From 661d71ee5a010bdc0663e0db701931aff920e8e1 Mon Sep 17 00:00:00 2001
+From: Lang Yu <Lang.Yu@amd.com>
+Date: Fri, 19 Apr 2024 15:40:08 +0800
+Subject: drm/amdgpu/umsch: don't execute umsch test when GPU is in reset/suspend
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lang Yu <Lang.Yu@amd.com>
+
+commit 661d71ee5a010bdc0663e0db701931aff920e8e1 upstream.
+
+umsch test needs full GPU functionality(e.g., VM update, TLB flush,
+possibly buffer moving under memory pressure) which may be not ready
+under these states. Just skip it to avoid potential issues.
+
+Signed-off-by: Lang Yu <Lang.Yu@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Veerabadhran Gopalakrishnan <Veerabadhran.Gopalakrishnan@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_umsch_mm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_umsch_mm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_umsch_mm.c
+@@ -766,6 +766,9 @@ static int umsch_mm_late_init(void *hand
+ {
+ struct amdgpu_device *adev = (struct amdgpu_device *)handle;
+
++ if (amdgpu_in_reset(adev) || adev->in_s0ix || adev->in_suspend)
++ return 0;
++
+ return umsch_mm_test(adev);
+ }
+
--- /dev/null
+From 37865e02e6ccecdda240f33b4332105a5c734984 Mon Sep 17 00:00:00 2001
+From: Felix Kuehling <felix.kuehling@amd.com>
+Date: Wed, 17 Apr 2024 21:13:59 -0400
+Subject: drm/amdkfd: Fix eviction fence handling
+
+From: Felix Kuehling <felix.kuehling@amd.com>
+
+commit 37865e02e6ccecdda240f33b4332105a5c734984 upstream.
+
+Handle case that dma_fence_get_rcu_safe returns NULL.
+
+If restore work is already scheduled, only update its timer. The same
+work item cannot be queued twice, so undo the extra queue eviction.
+
+Fixes: 9a1c1339abf9 ("drm/amdkfd: Run restore_workers on freezable WQs")
+Signed-off-by: Felix Kuehling <felix.kuehling@amd.com>
+Reviewed-by: Philip Yang <Philip.Yang@amd.com>
+Tested-by: Gang BA <Gang.Ba@amd.com>
+Reviewed-by: Gang BA <Gang.Ba@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_process.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process.c b/drivers/gpu/drm/amd/amdkfd/kfd_process.c
+index b79986412cd8..aafdf064651f 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_process.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process.c
+@@ -1922,6 +1922,8 @@ static int signal_eviction_fence(struct kfd_process *p)
+ rcu_read_lock();
+ ef = dma_fence_get_rcu_safe(&p->ef);
+ rcu_read_unlock();
++ if (!ef)
++ return -EINVAL;
+
+ ret = dma_fence_signal(ef);
+ dma_fence_put(ef);
+@@ -1949,10 +1951,9 @@ static void evict_process_worker(struct work_struct *work)
+ * they are responsible stopping the queues and scheduling
+ * the restore work.
+ */
+- if (!signal_eviction_fence(p))
+- queue_delayed_work(kfd_restore_wq, &p->restore_work,
+- msecs_to_jiffies(PROCESS_RESTORE_TIME_MS));
+- else
++ if (signal_eviction_fence(p) ||
++ mod_delayed_work(kfd_restore_wq, &p->restore_work,
++ msecs_to_jiffies(PROCESS_RESTORE_TIME_MS)))
+ kfd_process_restore_queues(p);
+
+ pr_debug("Finished evicting pasid 0x%x\n", p->pasid);
+--
+2.44.0
+
--- /dev/null
+From e26305f369ed0e087a043c2cdc76f3d9a6efb3bd Mon Sep 17 00:00:00 2001
+From: Felix Kuehling <felix.kuehling@amd.com>
+Date: Fri, 19 Apr 2024 13:25:58 -0400
+Subject: drm/amdkfd: Fix rescheduling of restore worker
+
+From: Felix Kuehling <felix.kuehling@amd.com>
+
+commit e26305f369ed0e087a043c2cdc76f3d9a6efb3bd upstream.
+
+Handle the case that the restore worker was already scheduled by another
+eviction while the restore was in progress.
+
+Fixes: 9a1c1339abf9 ("drm/amdkfd: Run restore_workers on freezable WQs")
+Signed-off-by: Felix Kuehling <felix.kuehling@amd.com>
+Reviewed-by: Philip Yang <Philip.Yang@amd.com>
+Tested-by: Yunxiang Li <Yunxiang.Li@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_process.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_process.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process.c
+@@ -2011,9 +2011,9 @@ static void restore_process_worker(struc
+ if (ret) {
+ pr_debug("Failed to restore BOs of pasid 0x%x, retry after %d ms\n",
+ p->pasid, PROCESS_BACK_OFF_TIME_MS);
+- ret = queue_delayed_work(kfd_restore_wq, &p->restore_work,
+- msecs_to_jiffies(PROCESS_BACK_OFF_TIME_MS));
+- WARN(!ret, "reschedule restore work failed\n");
++ if (mod_delayed_work(kfd_restore_wq, &p->restore_work,
++ msecs_to_jiffies(PROCESS_RESTORE_TIME_MS)))
++ kfd_process_restore_queues(p);
+ }
+ }
+
--- /dev/null
+From a386c30410450ea87cd38070f9feaca49dadce29 Mon Sep 17 00:00:00 2001
+From: Lucas Stach <l.stach@pengutronix.de>
+Date: Thu, 4 Apr 2024 10:17:56 +0200
+Subject: drm/atomic-helper: fix parameter order in drm_format_conv_state_copy() call
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lucas Stach <l.stach@pengutronix.de>
+
+commit a386c30410450ea87cd38070f9feaca49dadce29 upstream.
+
+Old and new state parameters are swapped, so the old state was cleared
+instead of the new duplicated state.
+
+Fixes: 903674588a48 ("drm/atomic-helper: Add format-conversion state to shadow-plane state")
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Tested-by: Leonard Göhrs <l.goehrs@pengutronix.de>
+Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: <stable@vger.kernel.org> # v6.8+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240404081756.2714424-1-l.stach@pengutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_gem_atomic_helper.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_gem_atomic_helper.c b/drivers/gpu/drm/drm_gem_atomic_helper.c
+index e440f458b663..93337543aac3 100644
+--- a/drivers/gpu/drm/drm_gem_atomic_helper.c
++++ b/drivers/gpu/drm/drm_gem_atomic_helper.c
+@@ -224,8 +224,8 @@ __drm_gem_duplicate_shadow_plane_state(struct drm_plane *plane,
+
+ __drm_atomic_helper_plane_duplicate_state(plane, &new_shadow_plane_state->base);
+
+- drm_format_conv_state_copy(&shadow_plane_state->fmtcnv_state,
+- &new_shadow_plane_state->fmtcnv_state);
++ drm_format_conv_state_copy(&new_shadow_plane_state->fmtcnv_state,
++ &shadow_plane_state->fmtcnv_state);
+ }
+ EXPORT_SYMBOL(__drm_gem_duplicate_shadow_plane_state);
+
+--
+2.44.0
+
--- /dev/null
+From f42c97027fb75776e2e9358d16bf4a99aeb04cf2 Mon Sep 17 00:00:00 2001
+From: Daniel Okazaki <dtokazaki@google.com>
+Date: Mon, 22 Apr 2024 17:43:36 +0000
+Subject: eeprom: at24: fix memory corruption race condition
+
+From: Daniel Okazaki <dtokazaki@google.com>
+
+commit f42c97027fb75776e2e9358d16bf4a99aeb04cf2 upstream.
+
+If the eeprom is not accessible, an nvmem device will be registered, the
+read will fail, and the device will be torn down. If another driver
+accesses the nvmem device after the teardown, it will reference
+invalid memory.
+
+Move the failure point before registering the nvmem device.
+
+Signed-off-by: Daniel Okazaki <dtokazaki@google.com>
+Fixes: b20eb4c1f026 ("eeprom: at24: drop unnecessary label")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240422174337.2487142-1-dtokazaki@google.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/eeprom/at24.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/drivers/misc/eeprom/at24.c
++++ b/drivers/misc/eeprom/at24.c
+@@ -758,15 +758,6 @@ static int at24_probe(struct i2c_client
+ }
+ pm_runtime_enable(dev);
+
+- at24->nvmem = devm_nvmem_register(dev, &nvmem_config);
+- if (IS_ERR(at24->nvmem)) {
+- pm_runtime_disable(dev);
+- if (!pm_runtime_status_suspended(dev))
+- regulator_disable(at24->vcc_reg);
+- return dev_err_probe(dev, PTR_ERR(at24->nvmem),
+- "failed to register nvmem\n");
+- }
+-
+ /*
+ * Perform a one-byte test read to verify that the chip is functional,
+ * unless powering on the device is to be avoided during probe (i.e.
+@@ -782,6 +773,15 @@ static int at24_probe(struct i2c_client
+ }
+ }
+
++ at24->nvmem = devm_nvmem_register(dev, &nvmem_config);
++ if (IS_ERR(at24->nvmem)) {
++ pm_runtime_disable(dev);
++ if (!pm_runtime_status_suspended(dev))
++ regulator_disable(at24->vcc_reg);
++ return dev_err_probe(dev, PTR_ERR(at24->nvmem),
++ "failed to register nvmem\n");
++ }
++
+ /* If this a SPD EEPROM, probe for DDR3 thermal sensor */
+ if (cdata == &at24_data_spd)
+ at24_probe_temp_sensor(client);
--- /dev/null
+From 9c0f59e47a90c54d0153f8ddc0f80d7a36207d0e Mon Sep 17 00:00:00 2001
+From: Nam Cao <namcao@linutronix.de>
+Date: Mon, 18 Mar 2024 11:59:02 +0100
+Subject: HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up
+
+From: Nam Cao <namcao@linutronix.de>
+
+commit 9c0f59e47a90c54d0153f8ddc0f80d7a36207d0e upstream.
+
+The flag I2C_HID_READ_PENDING is used to serialize I2C operations.
+However, this is not necessary, because I2C core already has its own
+locking for that.
+
+More importantly, this flag can cause a lock-up: if the flag is set in
+i2c_hid_xfer() and an interrupt happens, the interrupt handler
+(i2c_hid_irq) will check this flag and return immediately without doing
+anything, then the interrupt handler will be invoked again in an
+infinite loop.
+
+Since interrupt handler is an RT task, it takes over the CPU and the
+flag-clearing task never gets scheduled, thus we have a lock-up.
+
+Delete this unnecessary flag.
+
+Reported-and-tested-by: Eva Kurchatova <nyandarknessgirl@gmail.com>
+Closes: https://lore.kernel.org/r/CA+eeCSPUDpUg76ZO8dszSbAGn+UHjcyv8F1J-CUPVARAzEtW9w@mail.gmail.com
+Fixes: 4a200c3b9a40 ("HID: i2c-hid: introduce HID over i2c specification implementation")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Nam Cao <namcao@linutronix.de>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/i2c-hid/i2c-hid-core.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+--- a/drivers/hid/i2c-hid/i2c-hid-core.c
++++ b/drivers/hid/i2c-hid/i2c-hid-core.c
+@@ -64,7 +64,6 @@
+ /* flags */
+ #define I2C_HID_STARTED 0
+ #define I2C_HID_RESET_PENDING 1
+-#define I2C_HID_READ_PENDING 2
+
+ #define I2C_HID_PWR_ON 0x00
+ #define I2C_HID_PWR_SLEEP 0x01
+@@ -190,15 +189,10 @@ static int i2c_hid_xfer(struct i2c_hid *
+ msgs[n].len = recv_len;
+ msgs[n].buf = recv_buf;
+ n++;
+-
+- set_bit(I2C_HID_READ_PENDING, &ihid->flags);
+ }
+
+ ret = i2c_transfer(client->adapter, msgs, n);
+
+- if (recv_len)
+- clear_bit(I2C_HID_READ_PENDING, &ihid->flags);
+-
+ if (ret != n)
+ return ret < 0 ? ret : -EIO;
+
+@@ -556,9 +550,6 @@ static irqreturn_t i2c_hid_irq(int irq,
+ {
+ struct i2c_hid *ihid = dev_id;
+
+- if (test_bit(I2C_HID_READ_PENDING, &ihid->flags))
+- return IRQ_HANDLED;
+-
+ i2c_hid_get_input(ihid);
+
+ return IRQ_HANDLED;
--- /dev/null
+From ea36bf1827462e4a52365bf8e3f7d1712c5d9600 Mon Sep 17 00:00:00 2001
+From: Kenny Levinsen <kl@kl.wtf>
+Date: Tue, 2 Apr 2024 13:10:04 +0200
+Subject: HID: i2c-hid: Revert to await reset ACK before reading report descriptor
+
+From: Kenny Levinsen <kl@kl.wtf>
+
+commit ea36bf1827462e4a52365bf8e3f7d1712c5d9600 upstream.
+
+In af93a167eda9, i2c_hid_parse was changed to continue with reading the
+report descriptor before waiting for reset to be acknowledged.
+
+This has lead to two regressions:
+
+1. We fail to handle reset acknowledgment if it happens while reading
+ the report descriptor. The transfer sets I2C_HID_READ_PENDING, which
+ causes the IRQ handler to return without doing anything.
+
+ This affects both a Wacom touchscreen and a Sensel touchpad.
+
+2. On a Sensel touchpad, reading the report descriptor this quickly
+ after reset results in all zeroes or partial zeroes.
+
+The issues were observed on the Lenovo Thinkpad Z16 Gen 2.
+
+The change in question was made based on a Microsoft article[0] stating
+that Windows 8 *may* read the report descriptor in parallel with
+awaiting reset acknowledgment, intended as a slight reset performance
+optimization. Perhaps they only do this if reset is not completing
+quickly enough for their tastes?
+
+As the code is not currently ready to read registers in parallel with a
+pending reset acknowledgment, and as reading quickly breaks the report
+descriptor on the Sensel touchpad, revert to waiting for reset
+acknowledgment before proceeding to read the report descriptor.
+
+[0]: https://learn.microsoft.com/en-us/windows-hardware/drivers/hid/plug-and-play-support-and-power-management
+
+Fixes: af93a167eda9 ("HID: i2c-hid: Move i2c_hid_finish_hwreset() to after reading the report-descriptor")
+Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2271136
+Cc: stable@vger.kernel.org
+Signed-off-by: Kenny Levinsen <kl@kl.wtf>
+Link: https://lore.kernel.org/r/20240331182440.14477-1-kl@kl.wtf
+[hdegoede@redhat.com Drop no longer necessary abort_reset error exit path]
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Tested-by: Mark Pearson <mpearson-lenovo@squebb.ca>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/i2c-hid/i2c-hid-core.c | 29 ++++++++---------------------
+ 1 file changed, 8 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c
+index 1c86c97688e9..d965382196c6 100644
+--- a/drivers/hid/i2c-hid/i2c-hid-core.c
++++ b/drivers/hid/i2c-hid/i2c-hid-core.c
+@@ -726,12 +726,15 @@ static int i2c_hid_parse(struct hid_device *hid)
+ mutex_lock(&ihid->reset_lock);
+ do {
+ ret = i2c_hid_start_hwreset(ihid);
+- if (ret)
++ if (ret == 0)
++ ret = i2c_hid_finish_hwreset(ihid);
++ else
+ msleep(1000);
+ } while (tries-- > 0 && ret);
++ mutex_unlock(&ihid->reset_lock);
+
+ if (ret)
+- goto abort_reset;
++ return ret;
+
+ use_override = i2c_hid_get_dmi_hid_report_desc_override(client->name,
+ &rsize);
+@@ -741,11 +744,8 @@ static int i2c_hid_parse(struct hid_device *hid)
+ i2c_hid_dbg(ihid, "Using a HID report descriptor override\n");
+ } else {
+ rdesc = kzalloc(rsize, GFP_KERNEL);
+-
+- if (!rdesc) {
+- ret = -ENOMEM;
+- goto abort_reset;
+- }
++ if (!rdesc)
++ return -ENOMEM;
+
+ i2c_hid_dbg(ihid, "asking HID report descriptor\n");
+
+@@ -754,23 +754,10 @@ static int i2c_hid_parse(struct hid_device *hid)
+ rdesc, rsize);
+ if (ret) {
+ hid_err(hid, "reading report descriptor failed\n");
+- goto abort_reset;
++ goto out;
+ }
+ }
+
+- /*
+- * Windows directly reads the report-descriptor after sending reset
+- * and then waits for resets completion afterwards. Some touchpads
+- * actually wait for the report-descriptor to be read before signalling
+- * reset completion.
+- */
+- ret = i2c_hid_finish_hwreset(ihid);
+-abort_reset:
+- clear_bit(I2C_HID_RESET_PENDING, &ihid->flags);
+- mutex_unlock(&ihid->reset_lock);
+- if (ret)
+- goto out;
+-
+ i2c_hid_dbg(ihid, "Report Descriptor: %*ph\n", rsize, rdesc);
+
+ ret = hid_parse_report(hid, rdesc, rsize);
+--
+2.44.0
+
--- /dev/null
+From ded103c7eb23753f22597afa500a7c1ad34116ba Mon Sep 17 00:00:00 2001
+From: Miguel Ojeda <ojeda@kernel.org>
+Date: Mon, 22 Apr 2024 11:06:44 +0200
+Subject: kbuild: rust: force `alloc` extern to allow "empty" Rust files
+
+From: Miguel Ojeda <ojeda@kernel.org>
+
+commit ded103c7eb23753f22597afa500a7c1ad34116ba upstream.
+
+If one attempts to build an essentially empty file somewhere in the
+kernel tree, it leads to a build error because the compiler does not
+recognize the `new_uninit` unstable feature:
+
+ error[E0635]: unknown feature `new_uninit`
+ --> <crate attribute>:1:9
+ |
+ 1 | feature(new_uninit)
+ | ^^^^^^^^^^
+
+The reason is that we pass `-Zcrate-attr='feature(new_uninit)'` (together
+with `-Zallow-features=new_uninit`) to let non-`rust/` code use that
+unstable feature.
+
+However, the compiler only recognizes the feature if the `alloc` crate
+is resolved (the feature is an `alloc` one). `--extern alloc`, which we
+pass, is not enough to resolve the crate.
+
+Introducing a reference like `use alloc;` or `extern crate alloc;`
+solves the issue, thus this is not seen in normal files. For instance,
+`use`ing the `kernel` prelude introduces such a reference, since `alloc`
+is used inside.
+
+While normal use of the build system is not impacted by this, it can still
+be fairly confusing for kernel developers [1], thus use the unstable
+`force` option of `--extern` [2] (added in Rust 1.71 [3]) to force the
+compiler to resolve `alloc`.
+
+This new unstable feature is only needed meanwhile we use the other
+unstable feature, since then we will not need `-Zcrate-attr`.
+
+Cc: stable@vger.kernel.org # v6.6+
+Reported-by: Daniel Almeida <daniel.almeida@collabora.com>
+Reported-by: Julian Stecklina <julian.stecklina@cyberus-technology.de>
+Closes: https://rust-for-linux.zulipchat.com/#narrow/stream/288089-General/topic/x/near/424096982 [1]
+Fixes: 2f7ab1267dc9 ("Kbuild: add Rust support")
+Link: https://github.com/rust-lang/rust/issues/111302 [2]
+Link: https://github.com/rust-lang/rust/pull/109421 [3]
+Reviewed-by: Alice Ryhl <aliceryhl@google.com>
+Reviewed-by: Gary Guo <gary@garyguo.net>
+Link: https://lore.kernel.org/r/20240422090644.525520-1-ojeda@kernel.org
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/Makefile.build | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/scripts/Makefile.build
++++ b/scripts/Makefile.build
+@@ -272,7 +272,7 @@ rust_common_cmd = \
+ -Zallow-features=$(rust_allowed_features) \
+ -Zcrate-attr=no_std \
+ -Zcrate-attr='feature($(rust_allowed_features))' \
+- --extern alloc --extern kernel \
++ -Zunstable-options --extern force:alloc --extern kernel \
+ --crate-type rlib -L $(objtree)/rust/ \
+ --crate-name $(basename $(notdir $@)) \
+ --sysroot=/dev/null \
--- /dev/null
+From 50cfe93b01475ba36878b65d35d812e1bb48ac71 Mon Sep 17 00:00:00 2001
+From: Miguel Ojeda <ojeda@kernel.org>
+Date: Mon, 22 Apr 2024 11:12:15 +0200
+Subject: kbuild: rust: remove unneeded `@rustc_cfg` to avoid ICE
+
+From: Miguel Ojeda <ojeda@kernel.org>
+
+commit 50cfe93b01475ba36878b65d35d812e1bb48ac71 upstream.
+
+When KUnit tests are enabled, under very big kernel configurations
+(e.g. `allyesconfig`), we can trigger a `rustdoc` ICE [1]:
+
+ RUSTDOC TK rust/kernel/lib.rs
+ error: the compiler unexpectedly panicked. this is a bug.
+
+The reason is that this build step has a duplicated `@rustc_cfg` argument,
+which contains the kernel configuration, and thus a lot of arguments. The
+factor 2 happens to be enough to reach the ICE.
+
+Thus remove the unneeded `@rustc_cfg`. By doing so, we clean up the
+command and workaround the ICE.
+
+The ICE has been fixed in the upcoming Rust 1.79 [2].
+
+Cc: stable@vger.kernel.org
+Fixes: a66d733da801 ("rust: support running Rust documentation tests as KUnit ones")
+Link: https://github.com/rust-lang/rust/issues/122722 [1]
+Link: https://github.com/rust-lang/rust/pull/122840 [2]
+Reviewed-by: Alice Ryhl <aliceryhl@google.com>
+Link: https://lore.kernel.org/r/20240422091215.526688-1-ojeda@kernel.org
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ rust/Makefile | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/rust/Makefile
++++ b/rust/Makefile
+@@ -175,7 +175,6 @@ quiet_cmd_rustdoc_test_kernel = RUSTDOC
+ mkdir -p $(objtree)/$(obj)/test/doctests/kernel; \
+ OBJTREE=$(abspath $(objtree)) \
+ $(RUSTDOC) --test $(rust_flags) \
+- @$(objtree)/include/generated/rustc_cfg \
+ -L$(objtree)/$(obj) --extern alloc --extern kernel \
+ --extern build_error --extern macros \
+ --extern bindings --extern uapi \
--- /dev/null
+From efb44ff64c95340b06331fc48634b99efc9dd77c Mon Sep 17 00:00:00 2001
+From: Jiantao Shan <shanjiantao@loongson.cn>
+Date: Wed, 24 Apr 2024 12:36:07 +0800
+Subject: LoongArch: Fix access error when read fault on a write-only VMA
+
+From: Jiantao Shan <shanjiantao@loongson.cn>
+
+commit efb44ff64c95340b06331fc48634b99efc9dd77c upstream.
+
+As with most architectures, allow handling of read faults in VMAs that
+have VM_WRITE but without VM_READ (WRITE implies READ).
+
+Otherwise, reading before writing a write-only memory will error while
+reading after writing everything is fine.
+
+BTW, move the VM_EXEC judgement before VM_READ/VM_WRITE to make logic a
+little clearer.
+
+Cc: stable@vger.kernel.org
+Fixes: 09cfefb7fa70c3af01 ("LoongArch: Add memory management")
+Signed-off-by: Jiantao Shan <shanjiantao@loongson.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/mm/fault.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/loongarch/mm/fault.c
++++ b/arch/loongarch/mm/fault.c
+@@ -202,10 +202,10 @@ good_area:
+ if (!(vma->vm_flags & VM_WRITE))
+ goto bad_area;
+ } else {
+- if (!(vma->vm_flags & VM_READ) && address != exception_era(regs))
+- goto bad_area;
+ if (!(vma->vm_flags & VM_EXEC) && address == exception_era(regs))
+ goto bad_area;
++ if (!(vma->vm_flags & (VM_READ | VM_WRITE)) && address != exception_era(regs))
++ goto bad_area;
+ }
+
+ /*
--- /dev/null
+From d3119bc985fb645ad3b2a9cf9952c1d56d9daaa3 Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhuacai@loongson.cn>
+Date: Wed, 24 Apr 2024 12:36:07 +0800
+Subject: LoongArch: Fix callchain parse error with kernel tracepoint events
+
+From: Huacai Chen <chenhuacai@loongson.cn>
+
+commit d3119bc985fb645ad3b2a9cf9952c1d56d9daaa3 upstream.
+
+In order to fix perf's callchain parse error for LoongArch, we implement
+perf_arch_fetch_caller_regs() which fills several necessary registers
+used for callchain unwinding, including sp, fp, and era. This is similar
+to the following commits.
+
+commit b3eac0265bf6:
+("arm: perf: Fix callchain parse error with kernel tracepoint events")
+
+commit 5b09a094f2fb:
+("arm64: perf: Fix callchain parse error with kernel tracepoint events")
+
+commit 9a7e8ec0d4cc:
+("riscv: perf: Fix callchain parse error with kernel tracepoint events")
+
+Test with commands:
+
+ perf record -e sched:sched_switch -g --call-graph dwarf
+ perf report
+
+Without this patch:
+
+ Children Self Command Shared Object Symbol
+ ........ ........ ............. ................. ....................
+
+ 43.41% 43.41% swapper [unknown] [k] 0000000000000000
+
+ 10.94% 10.94% loong-container [unknown] [k] 0000000000000000
+ |
+ |--5.98%--0x12006ba38
+ |
+ |--2.56%--0x12006bb84
+ |
+ --2.40%--0x12006b6b8
+
+With this patch, callchain can be parsed correctly:
+
+ Children Self Command Shared Object Symbol
+ ........ ........ ............. ................. ....................
+
+ 47.57% 47.57% swapper [kernel.vmlinux] [k] __schedule
+ |
+ ---__schedule
+
+ 26.76% 26.76% loong-container [kernel.vmlinux] [k] __schedule
+ |
+ |--13.78%--0x12006ba38
+ | |
+ | |--9.19%--__schedule
+ | |
+ | --4.59%--handle_syscall
+ | do_syscall
+ | sys_futex
+ | do_futex
+ | futex_wait
+ | futex_wait_queue_me
+ | hrtimer_start_range_ns
+ | __schedule
+ |
+ |--8.38%--0x12006bb84
+ | handle_syscall
+ | do_syscall
+ | sys_epoll_pwait
+ | do_epoll_wait
+ | schedule_hrtimeout_range_clock
+ | hrtimer_start_range_ns
+ | __schedule
+ |
+ --4.59%--0x12006b6b8
+ handle_syscall
+ do_syscall
+ sys_nanosleep
+ hrtimer_nanosleep
+ do_nanosleep
+ hrtimer_start_range_ns
+ __schedule
+
+Cc: stable@vger.kernel.org
+Fixes: b37042b2bb7cd751f0 ("LoongArch: Add perf events support")
+Reported-by: Youling Tang <tangyouling@kylinos.cn>
+Suggested-by: Youling Tang <tangyouling@kylinos.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/include/asm/perf_event.h | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/arch/loongarch/include/asm/perf_event.h
++++ b/arch/loongarch/include/asm/perf_event.h
+@@ -7,6 +7,14 @@
+ #ifndef __LOONGARCH_PERF_EVENT_H__
+ #define __LOONGARCH_PERF_EVENT_H__
+
++#include <asm/ptrace.h>
++
+ #define perf_arch_bpf_user_pt_regs(regs) (struct user_pt_regs *)regs
+
++#define perf_arch_fetch_caller_regs(regs, __ip) { \
++ (regs)->csr_era = (__ip); \
++ (regs)->regs[3] = current_stack_pointer; \
++ (regs)->regs[22] = (unsigned long) __builtin_frame_address(0); \
++}
++
+ #endif /* __LOONGARCH_PERF_EVENT_H__ */
--- /dev/null
+From 12bbaae7635a56049779db3bef6e7140d9aa5f67 Mon Sep 17 00:00:00 2001
+From: "Matthew Wilcox (Oracle)" <willy@infradead.org>
+Date: Thu, 21 Mar 2024 14:24:40 +0000
+Subject: mm: create FOLIO_FLAG_FALSE and FOLIO_TYPE_OPS macros
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+commit 12bbaae7635a56049779db3bef6e7140d9aa5f67 upstream.
+
+Following the separation of FOLIO_FLAGS from PAGEFLAGS, separate
+FOLIO_FLAG_FALSE from PAGEFLAG_FALSE and FOLIO_TYPE_OPS from
+PAGE_TYPE_OPS.
+
+Link: https://lkml.kernel.org/r/20240321142448.1645400-3-willy@infradead.org
+Fixes: 9c5ccf2db04b ("mm: remove HUGETLB_PAGE_DTOR")
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Cc: Miaohe Lin <linmiaohe@huawei.com>
+Cc: Muchun Song <muchun.song@linux.dev>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/page-flags.h | 70 ++++++++++++++++++++++++++++++---------------
+ 1 file changed, 47 insertions(+), 23 deletions(-)
+
+--- a/include/linux/page-flags.h
++++ b/include/linux/page-flags.h
+@@ -432,30 +432,51 @@ static __always_inline int TestClearPage
+ TESTSETFLAG(uname, lname, policy) \
+ TESTCLEARFLAG(uname, lname, policy)
+
++#define FOLIO_TEST_FLAG_FALSE(name) \
++static inline bool folio_test_##name(const struct folio *folio) \
++{ return false; }
++#define FOLIO_SET_FLAG_NOOP(name) \
++static inline void folio_set_##name(struct folio *folio) { }
++#define FOLIO_CLEAR_FLAG_NOOP(name) \
++static inline void folio_clear_##name(struct folio *folio) { }
++#define __FOLIO_SET_FLAG_NOOP(name) \
++static inline void __folio_set_##name(struct folio *folio) { }
++#define __FOLIO_CLEAR_FLAG_NOOP(name) \
++static inline void __folio_clear_##name(struct folio *folio) { }
++#define FOLIO_TEST_SET_FLAG_FALSE(name) \
++static inline bool folio_test_set_##name(struct folio *folio) \
++{ return false; }
++#define FOLIO_TEST_CLEAR_FLAG_FALSE(name) \
++static inline bool folio_test_clear_##name(struct folio *folio) \
++{ return false; }
++
++#define FOLIO_FLAG_FALSE(name) \
++FOLIO_TEST_FLAG_FALSE(name) \
++FOLIO_SET_FLAG_NOOP(name) \
++FOLIO_CLEAR_FLAG_NOOP(name)
++
+ #define TESTPAGEFLAG_FALSE(uname, lname) \
+-static inline bool folio_test_##lname(const struct folio *folio) { return false; } \
++FOLIO_TEST_FLAG_FALSE(lname) \
+ static inline int Page##uname(const struct page *page) { return 0; }
+
+ #define SETPAGEFLAG_NOOP(uname, lname) \
+-static inline void folio_set_##lname(struct folio *folio) { } \
++FOLIO_SET_FLAG_NOOP(lname) \
+ static inline void SetPage##uname(struct page *page) { }
+
+ #define CLEARPAGEFLAG_NOOP(uname, lname) \
+-static inline void folio_clear_##lname(struct folio *folio) { } \
++FOLIO_CLEAR_FLAG_NOOP(lname) \
+ static inline void ClearPage##uname(struct page *page) { }
+
+ #define __CLEARPAGEFLAG_NOOP(uname, lname) \
+-static inline void __folio_clear_##lname(struct folio *folio) { } \
++__FOLIO_CLEAR_FLAG_NOOP(lname) \
+ static inline void __ClearPage##uname(struct page *page) { }
+
+ #define TESTSETFLAG_FALSE(uname, lname) \
+-static inline bool folio_test_set_##lname(struct folio *folio) \
+-{ return 0; } \
++FOLIO_TEST_SET_FLAG_FALSE(lname) \
+ static inline int TestSetPage##uname(struct page *page) { return 0; }
+
+ #define TESTCLEARFLAG_FALSE(uname, lname) \
+-static inline bool folio_test_clear_##lname(struct folio *folio) \
+-{ return 0; } \
++FOLIO_TEST_CLEAR_FLAG_FALSE(lname) \
+ static inline int TestClearPage##uname(struct page *page) { return 0; }
+
+ #define PAGEFLAG_FALSE(uname, lname) TESTPAGEFLAG_FALSE(uname, lname) \
+@@ -951,35 +972,38 @@ static inline int page_has_type(struct p
+ return page_type_has_type(page->page_type);
+ }
+
++#define FOLIO_TYPE_OPS(lname, fname) \
++static __always_inline bool folio_test_##fname(const struct folio *folio)\
++{ \
++ return folio_test_type(folio, PG_##lname); \
++} \
++static __always_inline void __folio_set_##fname(struct folio *folio) \
++{ \
++ VM_BUG_ON_FOLIO(!folio_test_type(folio, 0), folio); \
++ folio->page.page_type &= ~PG_##lname; \
++} \
++static __always_inline void __folio_clear_##fname(struct folio *folio) \
++{ \
++ VM_BUG_ON_FOLIO(!folio_test_##fname(folio), folio); \
++ folio->page.page_type |= PG_##lname; \
++}
++
+ #define PAGE_TYPE_OPS(uname, lname, fname) \
++FOLIO_TYPE_OPS(lname, fname) \
+ static __always_inline int Page##uname(const struct page *page) \
+ { \
+ return PageType(page, PG_##lname); \
+ } \
+-static __always_inline int folio_test_##fname(const struct folio *folio)\
+-{ \
+- return folio_test_type(folio, PG_##lname); \
+-} \
+ static __always_inline void __SetPage##uname(struct page *page) \
+ { \
+ VM_BUG_ON_PAGE(!PageType(page, 0), page); \
+ page->page_type &= ~PG_##lname; \
+ } \
+-static __always_inline void __folio_set_##fname(struct folio *folio) \
+-{ \
+- VM_BUG_ON_FOLIO(!folio_test_type(folio, 0), folio); \
+- folio->page.page_type &= ~PG_##lname; \
+-} \
+ static __always_inline void __ClearPage##uname(struct page *page) \
+ { \
+ VM_BUG_ON_PAGE(!Page##uname(page), page); \
+ page->page_type |= PG_##lname; \
+-} \
+-static __always_inline void __folio_clear_##fname(struct folio *folio) \
+-{ \
+- VM_BUG_ON_FOLIO(!folio_test_##fname(folio), folio); \
+- folio->page.page_type |= PG_##lname; \
+-} \
++}
+
+ /*
+ * PageBuddy() indicates that the page is free and in the buddy system
--- /dev/null
+From 52ccdde16b6540abe43b6f8d8e1e1ec90b0983af Mon Sep 17 00:00:00 2001
+From: Miaohe Lin <linmiaohe@huawei.com>
+Date: Fri, 19 Apr 2024 16:58:19 +0800
+Subject: mm/hugetlb: fix DEBUG_LOCKS_WARN_ON(1) when dissolve_free_hugetlb_folio()
+
+From: Miaohe Lin <linmiaohe@huawei.com>
+
+commit 52ccdde16b6540abe43b6f8d8e1e1ec90b0983af upstream.
+
+When I did memory failure tests recently, below warning occurs:
+
+DEBUG_LOCKS_WARN_ON(1)
+WARNING: CPU: 8 PID: 1011 at kernel/locking/lockdep.c:232 __lock_acquire+0xccb/0x1ca0
+Modules linked in: mce_inject hwpoison_inject
+CPU: 8 PID: 1011 Comm: bash Kdump: loaded Not tainted 6.9.0-rc3-next-20240410-00012-gdb69f219f4be #3
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
+RIP: 0010:__lock_acquire+0xccb/0x1ca0
+RSP: 0018:ffffa7a1c7fe3bd0 EFLAGS: 00000082
+RAX: 0000000000000000 RBX: eb851eb853975fcf RCX: ffffa1ce5fc1c9c8
+RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffffa1ce5fc1c9c0
+RBP: ffffa1c6865d3280 R08: ffffffffb0f570a8 R09: 0000000000009ffb
+R10: 0000000000000286 R11: ffffffffb0f2ad50 R12: ffffa1c6865d3d10
+R13: ffffa1c6865d3c70 R14: 0000000000000000 R15: 0000000000000004
+FS: 00007ff9f32aa740(0000) GS:ffffa1ce5fc00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007ff9f3134ba0 CR3: 00000008484e4000 CR4: 00000000000006f0
+Call Trace:
+ <TASK>
+ lock_acquire+0xbe/0x2d0
+ _raw_spin_lock_irqsave+0x3a/0x60
+ hugepage_subpool_put_pages.part.0+0xe/0xc0
+ free_huge_folio+0x253/0x3f0
+ dissolve_free_huge_page+0x147/0x210
+ __page_handle_poison+0x9/0x70
+ memory_failure+0x4e6/0x8c0
+ hard_offline_page_store+0x55/0xa0
+ kernfs_fop_write_iter+0x12c/0x1d0
+ vfs_write+0x380/0x540
+ ksys_write+0x64/0xe0
+ do_syscall_64+0xbc/0x1d0
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7ff9f3114887
+RSP: 002b:00007ffecbacb458 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007ff9f3114887
+RDX: 000000000000000c RSI: 0000564494164e10 RDI: 0000000000000001
+RBP: 0000564494164e10 R08: 00007ff9f31d1460 R09: 000000007fffffff
+R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000c
+R13: 00007ff9f321b780 R14: 00007ff9f3217600 R15: 00007ff9f3216a00
+ </TASK>
+Kernel panic - not syncing: kernel: panic_on_warn set ...
+CPU: 8 PID: 1011 Comm: bash Kdump: loaded Not tainted 6.9.0-rc3-next-20240410-00012-gdb69f219f4be #3
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
+Call Trace:
+ <TASK>
+ panic+0x326/0x350
+ check_panic_on_warn+0x4f/0x50
+ __warn+0x98/0x190
+ report_bug+0x18e/0x1a0
+ handle_bug+0x3d/0x70
+ exc_invalid_op+0x18/0x70
+ asm_exc_invalid_op+0x1a/0x20
+RIP: 0010:__lock_acquire+0xccb/0x1ca0
+RSP: 0018:ffffa7a1c7fe3bd0 EFLAGS: 00000082
+RAX: 0000000000000000 RBX: eb851eb853975fcf RCX: ffffa1ce5fc1c9c8
+RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffffa1ce5fc1c9c0
+RBP: ffffa1c6865d3280 R08: ffffffffb0f570a8 R09: 0000000000009ffb
+R10: 0000000000000286 R11: ffffffffb0f2ad50 R12: ffffa1c6865d3d10
+R13: ffffa1c6865d3c70 R14: 0000000000000000 R15: 0000000000000004
+ lock_acquire+0xbe/0x2d0
+ _raw_spin_lock_irqsave+0x3a/0x60
+ hugepage_subpool_put_pages.part.0+0xe/0xc0
+ free_huge_folio+0x253/0x3f0
+ dissolve_free_huge_page+0x147/0x210
+ __page_handle_poison+0x9/0x70
+ memory_failure+0x4e6/0x8c0
+ hard_offline_page_store+0x55/0xa0
+ kernfs_fop_write_iter+0x12c/0x1d0
+ vfs_write+0x380/0x540
+ ksys_write+0x64/0xe0
+ do_syscall_64+0xbc/0x1d0
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+RIP: 0033:0x7ff9f3114887
+RSP: 002b:00007ffecbacb458 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 000000000000000c RCX: 00007ff9f3114887
+RDX: 000000000000000c RSI: 0000564494164e10 RDI: 0000000000000001
+RBP: 0000564494164e10 R08: 00007ff9f31d1460 R09: 000000007fffffff
+R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000000c
+R13: 00007ff9f321b780 R14: 00007ff9f3217600 R15: 00007ff9f3216a00
+ </TASK>
+
+After git bisecting and digging into the code, I believe the root cause is
+that _deferred_list field of folio is unioned with _hugetlb_subpool field.
+In __update_and_free_hugetlb_folio(), folio->_deferred_list is
+initialized leading to corrupted folio->_hugetlb_subpool when folio is
+hugetlb. Later free_huge_folio() will use _hugetlb_subpool and above
+warning happens.
+
+But it is assumed hugetlb flag must have been cleared when calling
+folio_put() in update_and_free_hugetlb_folio(). This assumption is broken
+due to below race:
+
+CPU1 CPU2
+dissolve_free_huge_page update_and_free_pages_bulk
+ update_and_free_hugetlb_folio hugetlb_vmemmap_restore_folios
+ folio_clear_hugetlb_vmemmap_optimized
+ clear_flag = folio_test_hugetlb_vmemmap_optimized
+ if (clear_flag) <-- False, it's already cleared.
+ __folio_clear_hugetlb(folio) <-- Hugetlb is not cleared.
+ folio_put
+ free_huge_folio <-- free_the_page is expected.
+ list_for_each_entry()
+ __folio_clear_hugetlb <-- Too late.
+
+Fix this issue by checking whether folio is hugetlb directly instead of
+checking clear_flag to close the race window.
+
+Link: https://lkml.kernel.org/r/20240419085819.1901645-1-linmiaohe@huawei.com
+Fixes: 32c877191e02 ("hugetlb: do not clear hugetlb dtor until allocating vmemmap")
+Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
+Reviewed-by: Oscar Salvador <osalvador@suse.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/hugetlb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -1780,7 +1780,7 @@ static void __update_and_free_hugetlb_fo
+ * If vmemmap pages were allocated above, then we need to clear the
+ * hugetlb destructor under the hugetlb lock.
+ */
+- if (clear_dtor) {
++ if (folio_test_hugetlb(folio)) {
+ spin_lock_irq(&hugetlb_lock);
+ __clear_hugetlb_destructor(h, folio);
+ spin_unlock_irq(&hugetlb_lock);
--- /dev/null
+From b76b46902c2d0395488c8412e1116c2486cdfcb2 Mon Sep 17 00:00:00 2001
+From: Peter Xu <peterx@redhat.com>
+Date: Wed, 17 Apr 2024 17:18:35 -0400
+Subject: mm/hugetlb: fix missing hugetlb_lock for resv uncharge
+
+From: Peter Xu <peterx@redhat.com>
+
+commit b76b46902c2d0395488c8412e1116c2486cdfcb2 upstream.
+
+There is a recent report on UFFDIO_COPY over hugetlb:
+
+https://lore.kernel.org/all/000000000000ee06de0616177560@google.com/
+
+350: lockdep_assert_held(&hugetlb_lock);
+
+Should be an issue in hugetlb but triggered in an userfault context, where
+it goes into the unlikely path where two threads modifying the resv map
+together. Mike has a fix in that path for resv uncharge but it looks like
+the locking criteria was overlooked: hugetlb_cgroup_uncharge_folio_rsvd()
+will update the cgroup pointer, so it requires to be called with the lock
+held.
+
+Link: https://lkml.kernel.org/r/20240417211836.2742593-3-peterx@redhat.com
+Fixes: 79aa925bf239 ("hugetlb_cgroup: fix reservation accounting")
+Signed-off-by: Peter Xu <peterx@redhat.com>
+Reported-by: syzbot+4b8077a5fccc61c385a1@syzkaller.appspotmail.com
+Reviewed-by: Mina Almasry <almasrymina@google.com>
+Cc: David Hildenbrand <david@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/hugetlb.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -3266,9 +3266,12 @@ struct folio *alloc_hugetlb_folio(struct
+
+ rsv_adjust = hugepage_subpool_put_pages(spool, 1);
+ hugetlb_acct_memory(h, -rsv_adjust);
+- if (deferred_reserve)
++ if (deferred_reserve) {
++ spin_lock_irq(&hugetlb_lock);
+ hugetlb_cgroup_uncharge_folio_rsvd(hstate_index(h),
+ pages_per_huge_page(h), folio);
++ spin_unlock_irq(&hugetlb_lock);
++ }
+ }
+
+ if (!memcg_charge_ret)
--- /dev/null
+From fd1a745ce03e37945674c14833870a9af0882e2d Mon Sep 17 00:00:00 2001
+From: "Matthew Wilcox (Oracle)" <willy@infradead.org>
+Date: Thu, 21 Mar 2024 14:24:42 +0000
+Subject: mm: support page_mapcount() on page_has_type() pages
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+commit fd1a745ce03e37945674c14833870a9af0882e2d upstream.
+
+Return 0 for pages which can't be mapped. This matches how page_mapped()
+works. It is more convenient for users to not have to filter out these
+pages.
+
+Link: https://lkml.kernel.org/r/20240321142448.1645400-5-willy@infradead.org
+Fixes: 9c5ccf2db04b ("mm: remove HUGETLB_PAGE_DTOR")
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Acked-by: Vlastimil Babka <vbabka@suse.cz>
+Cc: Miaohe Lin <linmiaohe@huawei.com>
+Cc: Muchun Song <muchun.song@linux.dev>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/page.c | 7 ++-----
+ include/linux/mm.h | 8 +++++---
+ include/linux/page-flags.h | 4 ++--
+ 3 files changed, 9 insertions(+), 10 deletions(-)
+
+--- a/fs/proc/page.c
++++ b/fs/proc/page.c
+@@ -67,7 +67,7 @@ static ssize_t kpagecount_read(struct fi
+ */
+ ppage = pfn_to_online_page(pfn);
+
+- if (!ppage || PageSlab(ppage) || page_has_type(ppage))
++ if (!ppage)
+ pcount = 0;
+ else
+ pcount = page_mapcount(ppage);
+@@ -124,11 +124,8 @@ u64 stable_page_flags(struct page *page)
+
+ /*
+ * pseudo flags for the well known (anonymous) memory mapped pages
+- *
+- * Note that page->_mapcount is overloaded in SLAB, so the
+- * simple test in page_mapped() is not enough.
+ */
+- if (!PageSlab(page) && page_mapped(page))
++ if (page_mapped(page))
+ u |= 1 << KPF_MMAP;
+ if (PageAnon(page))
+ u |= 1 << KPF_ANON;
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -1204,14 +1204,16 @@ static inline void page_mapcount_reset(s
+ * a large folio, it includes the number of times this page is mapped
+ * as part of that folio.
+ *
+- * The result is undefined for pages which cannot be mapped into userspace.
+- * For example SLAB or special types of pages. See function page_has_type().
+- * They use this field in struct page differently.
++ * Will report 0 for pages which cannot be mapped into userspace, eg
++ * slab, page tables and similar.
+ */
+ static inline int page_mapcount(struct page *page)
+ {
+ int mapcount = atomic_read(&page->_mapcount) + 1;
+
++ /* Handle page_has_type() pages */
++ if (mapcount < 0)
++ mapcount = 0;
+ if (unlikely(PageCompound(page)))
+ mapcount += folio_entire_mapcount(page_folio(page));
+
+--- a/include/linux/page-flags.h
++++ b/include/linux/page-flags.h
+@@ -945,12 +945,12 @@ static inline bool is_page_hwpoison(stru
+ * page_type may be used. Because it is initialised to -1, we invert the
+ * sense of the bit, so __SetPageFoo *clears* the bit used for PageFoo, and
+ * __ClearPageFoo *sets* the bit used for PageFoo. We reserve a few high and
+- * low bits so that an underflow or overflow of page_mapcount() won't be
++ * low bits so that an underflow or overflow of _mapcount won't be
+ * mistaken for a page type value.
+ */
+
+ #define PAGE_TYPE_BASE 0xf0000000
+-/* Reserve 0x0000007f to catch underflows of page_mapcount */
++/* Reserve 0x0000007f to catch underflows of _mapcount */
+ #define PAGE_MAPCOUNT_RESERVE -128
+ #define PG_buddy 0x00000080
+ #define PG_offline 0x00000100
--- /dev/null
+From f8def10f73a516b771051a2f70f2f0446902cb4f Mon Sep 17 00:00:00 2001
+From: Mantas Pucka <mantas@8devices.com>
+Date: Thu, 21 Mar 2024 14:30:01 +0000
+Subject: mmc: sdhci-msm: pervent access to suspended controller
+
+From: Mantas Pucka <mantas@8devices.com>
+
+commit f8def10f73a516b771051a2f70f2f0446902cb4f upstream.
+
+Generic sdhci code registers LED device and uses host->runtime_suspended
+flag to protect access to it. The sdhci-msm driver doesn't set this flag,
+which causes a crash when LED is accessed while controller is runtime
+suspended. Fix this by setting the flag correctly.
+
+Cc: stable@vger.kernel.org
+Fixes: 67e6db113c90 ("mmc: sdhci-msm: Add pm_runtime and system PM support")
+Signed-off-by: Mantas Pucka <mantas@8devices.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/20240321-sdhci-mmc-suspend-v1-1-fbc555a64400@8devices.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-msm.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci-msm.c
++++ b/drivers/mmc/host/sdhci-msm.c
+@@ -2694,6 +2694,11 @@ static __maybe_unused int sdhci_msm_runt
+ struct sdhci_host *host = dev_get_drvdata(dev);
+ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
+ struct sdhci_msm_host *msm_host = sdhci_pltfm_priv(pltfm_host);
++ unsigned long flags;
++
++ spin_lock_irqsave(&host->lock, flags);
++ host->runtime_suspended = true;
++ spin_unlock_irqrestore(&host->lock, flags);
+
+ /* Drop the performance vote */
+ dev_pm_opp_set_rate(dev, 0);
+@@ -2708,6 +2713,7 @@ static __maybe_unused int sdhci_msm_runt
+ struct sdhci_host *host = dev_get_drvdata(dev);
+ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
+ struct sdhci_msm_host *msm_host = sdhci_pltfm_priv(pltfm_host);
++ unsigned long flags;
+ int ret;
+
+ ret = clk_bulk_prepare_enable(ARRAY_SIZE(msm_host->bulk_clks),
+@@ -2726,7 +2732,15 @@ static __maybe_unused int sdhci_msm_runt
+
+ dev_pm_opp_set_rate(dev, msm_host->clk_rate);
+
+- return sdhci_msm_ice_resume(msm_host);
++ ret = sdhci_msm_ice_resume(msm_host);
++ if (ret)
++ return ret;
++
++ spin_lock_irqsave(&host->lock, flags);
++ host->runtime_suspended = false;
++ spin_unlock_irqrestore(&host->lock, flags);
++
++ return ret;
+ }
+
+ static const struct dev_pm_ops sdhci_msm_pm_ops = {
--- /dev/null
+From ace323f80b9bc6734289a4e8a77938a3ce964c7d Mon Sep 17 00:00:00 2001
+From: Maksim Kiselev <bigunclemax@gmail.com>
+Date: Tue, 2 Apr 2024 12:35:39 +0300
+Subject: mmc: sdhci-of-dwcmshc: th1520: Increase tuning loop count to 128
+
+From: Maksim Kiselev <bigunclemax@gmail.com>
+
+commit ace323f80b9bc6734289a4e8a77938a3ce964c7d upstream.
+
+Fix SD card tuning error by increasing tuning loop count
+from 40(MAX_TUNING_LOOP) to 128.
+
+For some reason the tuning algorithm requires to move through all the taps
+of delay line even if the THRESHOLD_MODE (bit 2 in AT_CTRL_R) is used
+instead of the LARGEST_WIN_MODE.
+
+Tested-by: Drew Fustini <drew@pdp7.com>
+Tested-by: Xi Ruoyao <xry111@xry111.site>
+Signed-off-by: Maksim Kiselev <bigunclemax@gmail.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Fixes: 43658a542ebf ("mmc: sdhci-of-dwcmshc: Add support for T-Head TH1520")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240402093539.184287-1-bigunclemax@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-of-dwcmshc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mmc/host/sdhci-of-dwcmshc.c
++++ b/drivers/mmc/host/sdhci-of-dwcmshc.c
+@@ -612,6 +612,7 @@ static int th1520_execute_tuning(struct
+
+ /* perform tuning */
+ sdhci_start_tuning(host);
++ host->tuning_loop_count = 128;
+ host->tuning_err = __sdhci_execute_tuning(host, opcode);
+ if (host->tuning_err) {
+ /* disable auto-tuning upon tuning error */
--- /dev/null
+From b61bb5bc2c1cd00bb53db42f705735db6e8700f0 Mon Sep 17 00:00:00 2001
+From: Christian Marangi <ansuelsmth@gmail.com>
+Date: Thu, 4 Apr 2024 10:31:55 +0200
+Subject: mtd: rawnand: qcom: Fix broken OP_RESET_DEVICE command in qcom_misc_cmd_type_exec()
+
+From: Christian Marangi <ansuelsmth@gmail.com>
+
+commit b61bb5bc2c1cd00bb53db42f705735db6e8700f0 upstream.
+
+While migrating to exec_ops in commit a82990c8a409 ("mtd: rawnand: qcom:
+Add read/read_start ops in exec_op path"), OP_RESET_DEVICE command handling
+got broken unintentionally. Right now for the OP_RESET_DEVICE command,
+qcom_misc_cmd_type_exec() will simply return 0 without handling it. Even,
+if that gets fixed, an unnecessary FLASH_STATUS read descriptor command is
+being added in the middle and that seems to be causing the command to fail
+on IPQ806x devices.
+
+So let's fix the above two issues to make OP_RESET_DEVICE command working
+again.
+
+Fixes: a82990c8a409 ("mtd: rawnand: qcom: Add read/read_start ops in exec_op path")
+Cc: stable@vger.kernel.org
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20240404083157.940-1-ansuelsmth@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/qcom_nandc.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/mtd/nand/raw/qcom_nandc.c
++++ b/drivers/mtd/nand/raw/qcom_nandc.c
+@@ -2815,7 +2815,7 @@ static int qcom_misc_cmd_type_exec(struc
+ host->cfg0_raw & ~(7 << CW_PER_PAGE));
+ nandc_set_reg(chip, NAND_DEV0_CFG1, host->cfg1_raw);
+ instrs = 3;
+- } else {
++ } else if (q_op.cmd_reg != OP_RESET_DEVICE) {
+ return 0;
+ }
+
+@@ -2830,9 +2830,8 @@ static int qcom_misc_cmd_type_exec(struc
+ nandc_set_reg(chip, NAND_EXEC_CMD, 1);
+
+ write_reg_dma(nandc, NAND_FLASH_CMD, instrs, NAND_BAM_NEXT_SGL);
+- (q_op.cmd_reg == OP_BLOCK_ERASE) ? write_reg_dma(nandc, NAND_DEV0_CFG0,
+- 2, NAND_BAM_NEXT_SGL) : read_reg_dma(nandc,
+- NAND_FLASH_STATUS, 1, NAND_BAM_NEXT_SGL);
++ if (q_op.cmd_reg == OP_BLOCK_ERASE)
++ write_reg_dma(nandc, NAND_DEV0_CFG0, 2, NAND_BAM_NEXT_SGL);
+
+ write_reg_dma(nandc, NAND_EXEC_CMD, 1, NAND_BAM_NEXT_SGL);
+ read_reg_dma(nandc, NAND_FLASH_STATUS, 1, NAND_BAM_NEXT_SGL);
--- /dev/null
+From 7d49f53af4b988b188d3932deac2c9c80fd7d9ce Mon Sep 17 00:00:00 2001
+From: Alice Ryhl <aliceryhl@google.com>
+Date: Fri, 8 Mar 2024 09:36:31 +0000
+Subject: rust: don't select CONSTRUCTORS
+
+From: Alice Ryhl <aliceryhl@google.com>
+
+commit 7d49f53af4b988b188d3932deac2c9c80fd7d9ce upstream.
+
+This was originally part of commit 4b9a68f2e59a0 ("rust: add support for
+static synchronisation primitives") from the old Rust branch, which used
+module constructors to initialize globals containing various
+synchronisation primitives with pin-init. That commit has never been
+upstreamed, but the `select CONSTRUCTORS` statement ended up being
+included in the patch that initially added Rust support to the Linux
+Kernel.
+
+We are not using module constructors, so let's remove the select.
+
+Signed-off-by: Alice Ryhl <aliceryhl@google.com>
+Reviewed-by: Benno Lossin <benno.lossin@proton.me>
+Cc: stable@vger.kernel.org
+Fixes: 2f7ab1267dc9 ("Kbuild: add Rust support")
+Link: https://lore.kernel.org/r/20240308-constructors-v1-1-4c811342391c@google.com
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ init/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1908,7 +1908,6 @@ config RUST
+ depends on !GCC_PLUGINS
+ depends on !RANDSTRUCT
+ depends on !DEBUG_INFO_BTF || PAHOLE_HAS_LANG_EXCLUDE
+- select CONSTRUCTORS
+ help
+ Enables Rust support in the kernel.
+
--- /dev/null
+From 49ceae68a0df9a92617a61e9ce8a0efcf6419585 Mon Sep 17 00:00:00 2001
+From: Laine Taffin Altman <alexanderaltman@me.com>
+Date: Wed, 3 Apr 2024 14:06:59 -0700
+Subject: rust: init: remove impl Zeroable for Infallible
+
+From: Laine Taffin Altman <alexanderaltman@me.com>
+
+commit 49ceae68a0df9a92617a61e9ce8a0efcf6419585 upstream.
+
+In Rust, producing an invalid value of any type is immediate undefined
+behavior (UB); this includes via zeroing memory. Therefore, since an
+uninhabited type has no valid values, producing any values at all for it is
+UB.
+
+The Rust standard library type `core::convert::Infallible` is uninhabited,
+by virtue of having been declared as an enum with no cases, which always
+produces uninhabited types in Rust.
+
+The current kernel code allows this UB to be triggered, for example by code
+like `Box::<core::convert::Infallible>::init(kernel::init::zeroed())`.
+
+Thus, remove the implementation of `Zeroable` for `Infallible`, thereby
+avoiding the unsoundness (potential for future UB).
+
+Cc: stable@vger.kernel.org
+Fixes: 38cde0bd7b67 ("rust: init: add `Zeroable` trait and `init::zeroed` function")
+Closes: https://github.com/Rust-for-Linux/pinned-init/pull/13
+Signed-off-by: Laine Taffin Altman <alexanderaltman@me.com>
+Reviewed-by: Alice Ryhl <aliceryhl@google.com>
+Reviewed-by: Boqun Feng <boqun.feng@gmail.com>
+Reviewed-by: Benno Lossin <benno.lossin@proton.me>
+Link: https://lore.kernel.org/r/CA160A4E-561E-4918-837E-3DCEBA74F808@me.com
+[ Reformatted the comment slightly. ]
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ rust/kernel/init.rs | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/rust/kernel/init.rs
++++ b/rust/kernel/init.rs
+@@ -1292,8 +1292,15 @@ impl_zeroable! {
+ i8, i16, i32, i64, i128, isize,
+ f32, f64,
+
+- // SAFETY: These are ZSTs, there is nothing to zero.
+- {<T: ?Sized>} PhantomData<T>, core::marker::PhantomPinned, Infallible, (),
++ // Note: do not add uninhabited types (such as `!` or `core::convert::Infallible`) to this list;
++ // creating an instance of an uninhabited type is immediate undefined behavior. For more on
++ // uninhabited/empty types, consult The Rustonomicon:
++ // <https://doc.rust-lang.org/stable/nomicon/exotic-sizes.html#empty-types>. The Rust Reference
++ // also has information on undefined behavior:
++ // <https://doc.rust-lang.org/stable/reference/behavior-considered-undefined.html>.
++ //
++ // SAFETY: These are inhabited ZSTs; there is nothing to zero and a valid value exists.
++ {<T: ?Sized>} PhantomData<T>, core::marker::PhantomPinned, (),
+
+ // SAFETY: Type is allowed to take any value, including all zeros.
+ {<T>} MaybeUninit<T>,
--- /dev/null
+From 323617f649c0966ad5e741e47e27e06d3a680d8f Mon Sep 17 00:00:00 2001
+From: Wedson Almeida Filho <walmeida@microsoft.com>
+Date: Thu, 28 Mar 2024 16:54:54 -0300
+Subject: rust: kernel: require `Send` for `Module` implementations
+
+From: Wedson Almeida Filho <walmeida@microsoft.com>
+
+commit 323617f649c0966ad5e741e47e27e06d3a680d8f upstream.
+
+The thread that calls the module initialisation code when a module is
+loaded is not guaranteed [in fact, it is unlikely] to be the same one
+that calls the module cleanup code on module unload, therefore, `Module`
+implementations must be `Send` to account for them moving from one
+thread to another implicitly.
+
+Signed-off-by: Wedson Almeida Filho <walmeida@microsoft.com>
+Reviewed-by: Alice Ryhl <aliceryhl@google.com>
+Reviewed-by: Benno Lossin <benno.lossin@proton.me>
+Cc: stable@vger.kernel.org # 6.8.x: df70d04d5697: rust: phy: implement `Send` for `Registration`
+Cc: stable@vger.kernel.org
+Fixes: 247b365dc8dc ("rust: add `kernel` crate")
+Link: https://lore.kernel.org/r/20240328195457.225001-3-wedsonaf@gmail.com
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ rust/kernel/lib.rs | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/rust/kernel/lib.rs
++++ b/rust/kernel/lib.rs
+@@ -66,7 +66,7 @@ const __LOG_PREFIX: &[u8] = b"rust_kerne
+ /// The top level entrypoint to implementing a kernel module.
+ ///
+ /// For any teardown or cleanup operations, your type may implement [`Drop`].
+-pub trait Module: Sized + Sync {
++pub trait Module: Sized + Sync + Send {
+ /// Called at module initialization time.
+ ///
+ /// Use this method to perform whatever setup or registration your module
--- /dev/null
+From 8933cf4651e02853ca679be7b2d978dfcdcc5e0c Mon Sep 17 00:00:00 2001
+From: Conor Dooley <conor.dooley@microchip.com>
+Date: Thu, 4 Apr 2024 15:17:02 +0100
+Subject: rust: make mutually exclusive with CFI_CLANG
+
+From: Conor Dooley <conor.dooley@microchip.com>
+
+commit 8933cf4651e02853ca679be7b2d978dfcdcc5e0c upstream.
+
+On RISC-V and arm64, and presumably x86, if CFI_CLANG is enabled,
+loading a rust module will trigger a kernel panic. Support for
+sanitisers, including kcfi (CFI_CLANG), is in the works, but for now
+they're nightly-only options in rustc. Make RUST depend on !CFI_CLANG
+to prevent configuring a kernel without symmetrical support for kfi.
+
+[ Matthew Maurer writes [1]:
+
+ This patch is fine by me - the last patch needed for KCFI to be
+ functional in Rust just landed upstream last night, so we should
+ revisit this (in the form of enabling it) once we move to
+ `rustc-1.79.0` or later.
+
+ Ramon de C Valle also gave feedback [2] on the status of KCFI for
+ Rust and created a tracking issue [3] in upstream Rust. - Miguel ]
+
+Fixes: 2f7ab1267dc9 ("Kbuild: add Rust support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
+Acked-by: Nathan Chancellor <nathan@kernel.org>
+Link: https://lore.kernel.org/rust-for-linux/CAGSQo024u1gHJgzsO38Xg3c4or+JupoPABQx_+0BLEpPg0cOEA@mail.gmail.com/ [1]
+Link: https://lore.kernel.org/rust-for-linux/CAOcBZOS2kPyH0Dm7Fuh4GC3=v7nZhyzBj_-dKu3PfAnrHZvaxg@mail.gmail.com/ [2]
+Link: https://github.com/rust-lang/rust/issues/123479 [3]
+Link: https://lore.kernel.org/r/20240404-providing-emporium-e652e359c711@spud
+[ Added feedback from the list, links, and used Cc for the tag. ]
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ init/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1904,6 +1904,7 @@ config RUST
+ bool "Rust support"
+ depends on HAVE_RUST
+ depends on RUST_IS_AVAILABLE
++ depends on !CFI_CLANG
+ depends on !MODVERSIONS
+ depends on !GCC_PLUGINS
+ depends on !RANDSTRUCT
--- /dev/null
+From 19843452dca40e28d6d3f4793d998b681d505c7f Mon Sep 17 00:00:00 2001
+From: Aswin Unnikrishnan <aswinunni01@gmail.com>
+Date: Fri, 19 Apr 2024 21:50:13 +0000
+Subject: rust: remove `params` from `module` macro example
+
+From: Aswin Unnikrishnan <aswinunni01@gmail.com>
+
+commit 19843452dca40e28d6d3f4793d998b681d505c7f upstream.
+
+Remove argument `params` from the `module` macro example, because the
+macro does not currently support module parameters since it was not sent
+with the initial merge.
+
+Signed-off-by: Aswin Unnikrishnan <aswinunni01@gmail.com>
+Reviewed-by: Alice Ryhl <aliceryhl@google.com>
+Cc: stable@vger.kernel.org
+Fixes: 1fbde52bde73 ("rust: add `macros` crate")
+Link: https://lore.kernel.org/r/20240419215015.157258-1-aswinunni01@gmail.com
+[ Reworded slightly. ]
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ rust/macros/lib.rs | 12 ------------
+ 1 file changed, 12 deletions(-)
+
+--- a/rust/macros/lib.rs
++++ b/rust/macros/lib.rs
+@@ -35,18 +35,6 @@ use proc_macro::TokenStream;
+ /// author: "Rust for Linux Contributors",
+ /// description: "My very own kernel module!",
+ /// license: "GPL",
+-/// params: {
+-/// my_i32: i32 {
+-/// default: 42,
+-/// permissions: 0o000,
+-/// description: "Example of i32",
+-/// },
+-/// writeable_i32: i32 {
+-/// default: 42,
+-/// permissions: 0o644,
+-/// description: "Example of i32",
+-/// },
+-/// },
+ /// }
+ ///
+ /// struct MyModule;
selftests-seccomp-handle-einval-on-unshare-clone_newpid.patch
x86-cpu-amd-add-models-0x10-0x1f-to-the-zen5-range.patch
x86-cpu-fix-check-for-rdpkru-in-__show_regs.patch
+rust-kernel-require-send-for-module-implementations.patch
+rust-don-t-select-constructors.patch
+rust-init-remove-impl-zeroable-for-infallible.patch
+rust-make-mutually-exclusive-with-cfi_clang.patch
+kbuild-rust-remove-unneeded-rustc_cfg-to-avoid-ice.patch
+kbuild-rust-force-alloc-extern-to-allow-empty-rust-files.patch
+rust-remove-params-from-module-macro-example.patch
+bluetooth-fix-type-of-len-in-l2cap-sco-_sock_getsockopt_old.patch
+bluetooth-btusb-add-realtek-rtl8852be-support-id-0x0bda-0x4853.patch
+bluetooth-qca-fix-invalid-device-address-check.patch
+bluetooth-qca-fix-null-deref-on-non-serdev-suspend.patch
+bluetooth-qca-fix-null-deref-on-non-serdev-setup.patch
+mtd-rawnand-qcom-fix-broken-op_reset_device-command-in-qcom_misc_cmd_type_exec.patch
+mm-hugetlb-fix-missing-hugetlb_lock-for-resv-uncharge.patch
+mmc-sdhci-msm-pervent-access-to-suspended-controller.patch
+mmc-sdhci-of-dwcmshc-th1520-increase-tuning-loop-count-to-128.patch
+mm-create-folio_flag_false-and-folio_type_ops-macros.patch
+mm-support-page_mapcount-on-page_has_type-pages.patch
+mm-hugetlb-fix-debug_locks_warn_on-1-when-dissolve_free_hugetlb_folio.patch
+smb-client-fix-struct_group-usage-in-__packed-structs.patch
+smb3-missing-lock-when-picking-channel.patch
+smb3-fix-lock-ordering-potential-deadlock-in-cifs_sync_mid_result.patch
+hid-i2c-hid-remove-i2c_hid_read_pending-flag-to-prevent-lock-up.patch
+hid-i2c-hid-revert-to-await-reset-ack-before-reading-report-descriptor.patch
+btrfs-fallback-if-compressed-io-fails-for-enospc.patch
+btrfs-fix-wrong-block_start-calculation-for-btrfs_drop_extent_map_range.patch
+btrfs-scrub-run-relocation-repair-when-only-needed.patch
+btrfs-fix-information-leak-in-btrfs_ioctl_logical_to_ino.patch
+x86-tdx-preserve-shared-bit-on-mprotect.patch
+cpu-re-enable-cpu-mitigations-by-default-for-x86-architectures.patch
+eeprom-at24-fix-memory-corruption-race-condition.patch
+loongarch-fix-callchain-parse-error-with-kernel-tracepoint-events.patch
+loongarch-fix-access-error-when-read-fault-on-a-write-only-vma.patch
+arm64-dts-qcom-sc8280xp-add-missing-pcie-minimum-opp.patch
+arm64-dts-qcom-sm8450-fix-the-msi-map-entries.patch
+arm64-dts-rockchip-enable-internal-pull-up-for-q7_thrm-on-rk3399-puma.patch
+dmaengine-revert-dmaengine-pl330-issue_pending-waits-until-wfp-state.patch
+dmaengine-xilinx-xdma-fix-wrong-offsets-in-the-buffers-addresses-in-dma-descriptor.patch
+dmaengine-xilinx-xdma-fix-synchronization-issue.patch
+drm-amdgpu-sdma5.2-use-legacy-hdp-flush-for-sdma2-3.patch
+drm-amdgpu-assign-correct-bits-for-sdma-hdp-flush.patch
+drm-atomic-helper-fix-parameter-order-in-drm_format_conv_state_copy-call.patch
+drm-amdgpu-pm-remove-gpu_od-if-it-s-an-empty-directory.patch
+drm-amdgpu-umsch-don-t-execute-umsch-test-when-gpu-is-in-reset-suspend.patch
+drm-amdgpu-fix-leak-when-gpu-memory-allocation-fails.patch
+drm-amdkfd-fix-rescheduling-of-restore-worker.patch
+drm-amdkfd-fix-eviction-fence-handling.patch
--- /dev/null
+From 9a1f1d04f63c59550a5364858b46eeffdf03e8d6 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavoars@kernel.org>
+Date: Tue, 23 Apr 2024 20:41:22 -0600
+Subject: smb: client: Fix struct_group() usage in __packed structs
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+commit 9a1f1d04f63c59550a5364858b46eeffdf03e8d6 upstream.
+
+Use struct_group_attr() in __packed structs, instead of struct_group().
+
+Below you can see the pahole output before/after changes:
+
+pahole -C smb2_file_network_open_info fs/smb/client/smb2ops.o
+struct smb2_file_network_open_info {
+ union {
+ struct {
+ __le64 CreationTime; /* 0 8 */
+ __le64 LastAccessTime; /* 8 8 */
+ __le64 LastWriteTime; /* 16 8 */
+ __le64 ChangeTime; /* 24 8 */
+ __le64 AllocationSize; /* 32 8 */
+ __le64 EndOfFile; /* 40 8 */
+ __le32 Attributes; /* 48 4 */
+ }; /* 0 56 */
+ struct {
+ __le64 CreationTime; /* 0 8 */
+ __le64 LastAccessTime; /* 8 8 */
+ __le64 LastWriteTime; /* 16 8 */
+ __le64 ChangeTime; /* 24 8 */
+ __le64 AllocationSize; /* 32 8 */
+ __le64 EndOfFile; /* 40 8 */
+ __le32 Attributes; /* 48 4 */
+ } network_open_info; /* 0 56 */
+ }; /* 0 56 */
+ __le32 Reserved; /* 56 4 */
+
+ /* size: 60, cachelines: 1, members: 2 */
+ /* last cacheline: 60 bytes */
+} __attribute__((__packed__));
+
+pahole -C smb2_file_network_open_info fs/smb/client/smb2ops.o
+struct smb2_file_network_open_info {
+ union {
+ struct {
+ __le64 CreationTime; /* 0 8 */
+ __le64 LastAccessTime; /* 8 8 */
+ __le64 LastWriteTime; /* 16 8 */
+ __le64 ChangeTime; /* 24 8 */
+ __le64 AllocationSize; /* 32 8 */
+ __le64 EndOfFile; /* 40 8 */
+ __le32 Attributes; /* 48 4 */
+ } __attribute__((__packed__)); /* 0 52 */
+ struct {
+ __le64 CreationTime; /* 0 8 */
+ __le64 LastAccessTime; /* 8 8 */
+ __le64 LastWriteTime; /* 16 8 */
+ __le64 ChangeTime; /* 24 8 */
+ __le64 AllocationSize; /* 32 8 */
+ __le64 EndOfFile; /* 40 8 */
+ __le32 Attributes; /* 48 4 */
+ } __attribute__((__packed__)) network_open_info; /* 0 52 */
+ }; /* 0 52 */
+ __le32 Reserved; /* 52 4 */
+
+ /* size: 56, cachelines: 1, members: 2 */
+ /* last cacheline: 56 bytes */
+};
+
+pahole -C smb_com_open_rsp fs/smb/client/cifssmb.o
+struct smb_com_open_rsp {
+ ...
+
+ union {
+ struct {
+ __le64 CreationTime; /* 48 8 */
+ __le64 LastAccessTime; /* 56 8 */
+ /* --- cacheline 1 boundary (64 bytes) --- */
+ __le64 LastWriteTime; /* 64 8 */
+ __le64 ChangeTime; /* 72 8 */
+ __le32 FileAttributes; /* 80 4 */
+ }; /* 48 40 */
+ struct {
+ __le64 CreationTime; /* 48 8 */
+ __le64 LastAccessTime; /* 56 8 */
+ /* --- cacheline 1 boundary (64 bytes) --- */
+ __le64 LastWriteTime; /* 64 8 */
+ __le64 ChangeTime; /* 72 8 */
+ __le32 FileAttributes; /* 80 4 */
+ } common_attributes; /* 48 40 */
+ }; /* 48 40 */
+
+ ...
+
+ /* size: 111, cachelines: 2, members: 14 */
+ /* last cacheline: 47 bytes */
+} __attribute__((__packed__));
+
+pahole -C smb_com_open_rsp fs/smb/client/cifssmb.o
+struct smb_com_open_rsp {
+ ...
+
+ union {
+ struct {
+ __le64 CreationTime; /* 48 8 */
+ __le64 LastAccessTime; /* 56 8 */
+ /* --- cacheline 1 boundary (64 bytes) --- */
+ __le64 LastWriteTime; /* 64 8 */
+ __le64 ChangeTime; /* 72 8 */
+ __le32 FileAttributes; /* 80 4 */
+ } __attribute__((__packed__)); /* 48 36 */
+ struct {
+ __le64 CreationTime; /* 48 8 */
+ __le64 LastAccessTime; /* 56 8 */
+ /* --- cacheline 1 boundary (64 bytes) --- */
+ __le64 LastWriteTime; /* 64 8 */
+ __le64 ChangeTime; /* 72 8 */
+ __le32 FileAttributes; /* 80 4 */
+ } __attribute__((__packed__)) common_attributes; /* 48 36 */
+ }; /* 48 36 */
+
+ ...
+
+ /* size: 107, cachelines: 2, members: 14 */
+ /* last cacheline: 43 bytes */
+} __attribute__((__packed__));
+
+pahole -C FILE_ALL_INFO fs/smb/client/cifssmb.o
+typedef struct {
+ union {
+ struct {
+ __le64 CreationTime; /* 0 8 */
+ __le64 LastAccessTime; /* 8 8 */
+ __le64 LastWriteTime; /* 16 8 */
+ __le64 ChangeTime; /* 24 8 */
+ __le32 Attributes; /* 32 4 */
+ }; /* 0 40 */
+ struct {
+ __le64 CreationTime; /* 0 8 */
+ __le64 LastAccessTime; /* 8 8 */
+ __le64 LastWriteTime; /* 16 8 */
+ __le64 ChangeTime; /* 24 8 */
+ __le32 Attributes; /* 32 4 */
+ } common_attributes; /* 0 40 */
+ }; /* 0 40 */
+
+ ...
+
+ /* size: 113, cachelines: 2, members: 17 */
+ /* last cacheline: 49 bytes */
+} __attribute__((__packed__)) FILE_ALL_INFO;
+
+pahole -C FILE_ALL_INFO fs/smb/client/cifssmb.o
+typedef struct {
+ union {
+ struct {
+ __le64 CreationTime; /* 0 8 */
+ __le64 LastAccessTime; /* 8 8 */
+ __le64 LastWriteTime; /* 16 8 */
+ __le64 ChangeTime; /* 24 8 */
+ __le32 Attributes; /* 32 4 */
+ } __attribute__((__packed__)); /* 0 36 */
+ struct {
+ __le64 CreationTime; /* 0 8 */
+ __le64 LastAccessTime; /* 8 8 */
+ __le64 LastWriteTime; /* 16 8 */
+ __le64 ChangeTime; /* 24 8 */
+ __le32 Attributes; /* 32 4 */
+ } __attribute__((__packed__)) common_attributes; /* 0 36 */
+ }; /* 0 36 */
+
+ ...
+
+ /* size: 109, cachelines: 2, members: 17 */
+ /* last cacheline: 45 bytes */
+} __attribute__((__packed__)) FILE_ALL_INFO;
+
+Fixes: 0015eb6e1238 ("smb: client, common: fix fortify warnings")
+Cc: stable@vger.kernel.org
+Reviewed-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/cifspdu.h | 4 ++--
+ fs/smb/client/smb2pdu.h | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/smb/client/cifspdu.h
++++ b/fs/smb/client/cifspdu.h
+@@ -882,7 +882,7 @@ typedef struct smb_com_open_rsp {
+ __u8 OplockLevel;
+ __u16 Fid;
+ __le32 CreateAction;
+- struct_group(common_attributes,
++ struct_group_attr(common_attributes, __packed,
+ __le64 CreationTime;
+ __le64 LastAccessTime;
+ __le64 LastWriteTime;
+@@ -2266,7 +2266,7 @@ typedef struct {
+ /* QueryFileInfo/QueryPathinfo (also for SetPath/SetFile) data buffer formats */
+ /******************************************************************************/
+ typedef struct { /* data block encoding of response to level 263 QPathInfo */
+- struct_group(common_attributes,
++ struct_group_attr(common_attributes, __packed,
+ __le64 CreationTime;
+ __le64 LastAccessTime;
+ __le64 LastWriteTime;
+--- a/fs/smb/client/smb2pdu.h
++++ b/fs/smb/client/smb2pdu.h
+@@ -319,7 +319,7 @@ struct smb2_file_reparse_point_info {
+ } __packed;
+
+ struct smb2_file_network_open_info {
+- struct_group(network_open_info,
++ struct_group_attr(network_open_info, __packed,
+ __le64 CreationTime;
+ __le64 LastAccessTime;
+ __le64 LastWriteTime;
--- /dev/null
+From 8861fd5180476f45f9e8853db154600469a0284f Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Thu, 25 Apr 2024 12:49:50 -0500
+Subject: smb3: fix lock ordering potential deadlock in cifs_sync_mid_result
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 8861fd5180476f45f9e8853db154600469a0284f upstream.
+
+Coverity spotted that the cifs_sync_mid_result function could deadlock
+
+"Thread deadlock (ORDER_REVERSAL) lock_order: Calling spin_lock acquires
+lock TCP_Server_Info.srv_lock while holding lock TCP_Server_Info.mid_lock"
+
+Addresses-Coverity: 1590401 ("Thread deadlock (ORDER_REVERSAL)")
+Cc: stable@vger.kernel.org
+Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/transport.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/smb/client/transport.c
++++ b/fs/smb/client/transport.c
+@@ -909,12 +909,15 @@ cifs_sync_mid_result(struct mid_q_entry
+ list_del_init(&mid->qhead);
+ mid->mid_flags |= MID_DELETED;
+ }
++ spin_unlock(&server->mid_lock);
+ cifs_server_dbg(VFS, "%s: invalid mid state mid=%llu state=%d\n",
+ __func__, mid->mid, mid->mid_state);
+ rc = -EIO;
++ goto sync_mid_done;
+ }
+ spin_unlock(&server->mid_lock);
+
++sync_mid_done:
+ release_mid(mid);
+ return rc;
+ }
--- /dev/null
+From 8094a600245e9b28eb36a13036f202ad67c1f887 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Thu, 25 Apr 2024 11:30:16 -0500
+Subject: smb3: missing lock when picking channel
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 8094a600245e9b28eb36a13036f202ad67c1f887 upstream.
+
+Coverity spotted a place where we should have been holding the
+channel lock when accessing the ses channel index.
+
+Addresses-Coverity: 1582039 ("Data race condition (MISSING_LOCK)")
+Cc: stable@vger.kernel.org
+Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/transport.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/client/transport.c
++++ b/fs/smb/client/transport.c
+@@ -1057,9 +1057,11 @@ struct TCP_Server_Info *cifs_pick_channe
+ index = (uint)atomic_inc_return(&ses->chan_seq);
+ index %= ses->chan_count;
+ }
++
++ server = ses->chans[index].server;
+ spin_unlock(&ses->chan_lock);
+
+- return ses->chans[index].server;
++ return server;
+ }
+
+ int
--- /dev/null
+From a0a8d15a798be4b8f20aca2ba91bf6b688c6a640 Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Date: Wed, 24 Apr 2024 11:20:35 +0300
+Subject: x86/tdx: Preserve shared bit on mprotect()
+
+From: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+
+commit a0a8d15a798be4b8f20aca2ba91bf6b688c6a640 upstream.
+
+The TDX guest platform takes one bit from the physical address to
+indicate if the page is shared (accessible by VMM). This bit is not part
+of the physical_mask and is not preserved during mprotect(). As a
+result, the 'shared' bit is lost during mprotect() on shared mappings.
+
+_COMMON_PAGE_CHG_MASK specifies which PTE bits need to be preserved
+during modification. AMD includes 'sme_me_mask' in the define to
+preserve the 'encrypt' bit.
+
+To cover both Intel and AMD cases, include 'cc_mask' in
+_COMMON_PAGE_CHG_MASK instead of 'sme_me_mask'.
+
+Reported-and-tested-by: Chris Oo <cho@microsoft.com>
+
+Fixes: 41394e33f3a0 ("x86/tdx: Extend the confidential computing API to support TDX guests")
+Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Reviewed-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
+Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20240424082035.4092071-1-kirill.shutemov%40linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/coco.h | 1 +
+ arch/x86/include/asm/pgtable_types.h | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/coco.h
++++ b/arch/x86/include/asm/coco.h
+@@ -24,6 +24,7 @@ u64 cc_mkdec(u64 val);
+ void cc_random_init(void);
+ #else
+ #define cc_vendor (CC_VENDOR_NONE)
++static const u64 cc_mask = 0;
+
+ static inline u64 cc_mkenc(u64 val)
+ {
+--- a/arch/x86/include/asm/pgtable_types.h
++++ b/arch/x86/include/asm/pgtable_types.h
+@@ -148,7 +148,7 @@
+ #define _COMMON_PAGE_CHG_MASK (PTE_PFN_MASK | _PAGE_PCD | _PAGE_PWT | \
+ _PAGE_SPECIAL | _PAGE_ACCESSED | \
+ _PAGE_DIRTY_BITS | _PAGE_SOFT_DIRTY | \
+- _PAGE_DEVMAP | _PAGE_ENC | _PAGE_UFFD_WP)
++ _PAGE_DEVMAP | _PAGE_CC | _PAGE_UFFD_WP)
+ #define _PAGE_CHG_MASK (_COMMON_PAGE_CHG_MASK | _PAGE_PAT)
+ #define _HPAGE_CHG_MASK (_COMMON_PAGE_CHG_MASK | _PAGE_PSE | _PAGE_PAT_LARGE)
+
+@@ -173,6 +173,7 @@ enum page_cache_mode {
+ };
+ #endif
+
++#define _PAGE_CC (_AT(pteval_t, cc_mask))
+ #define _PAGE_ENC (_AT(pteval_t, sme_me_mask))
+
+ #define _PAGE_CACHE_MASK (_PAGE_PWT | _PAGE_PCD | _PAGE_PAT)
projects / thirdparty / kernel / stable-queue.git / commitdiff
