--- /dev/null
+From 02b305e51d9dce1d859792120f15d58dd26bb02a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Mar 2024 12:34:45 -0400
+Subject: 9p: explicitly deny setlease attempts
+
+From: Jeff Layton <jlayton@kernel.org>
+
+[ Upstream commit 7a84602297d36617dbdadeba55a2567031e5165b ]
+
+9p is a remote network protocol, and it doesn't support asynchronous
+notifications from the server. Ensure that we don't hand out any leases
+since we can't guarantee they'll be broken when a file's contents
+change.
+
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Eric Van Hensbergen <ericvh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/9p/vfs_file.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c
+index 7437b185fa8eb..0c84d414660ca 100644
+--- a/fs/9p/vfs_file.c
++++ b/fs/9p/vfs_file.c
+@@ -660,6 +660,7 @@ const struct file_operations v9fs_file_operations = {
+ .splice_read = generic_file_splice_read,
+ .splice_write = iter_file_splice_write,
+ .fsync = v9fs_file_fsync,
++ .setlease = simple_nosetlease,
+ };
+
+ const struct file_operations v9fs_file_operations_dotl = {
+@@ -701,4 +702,5 @@ const struct file_operations v9fs_mmap_file_operations_dotl = {
+ .splice_read = generic_file_splice_read,
+ .splice_write = iter_file_splice_write,
+ .fsync = v9fs_file_fsync_dotl,
++ .setlease = simple_nosetlease,
+ };
+--
+2.43.0
+
--- /dev/null
+From 04ee94cbc9aee6cf40b15af86516f2af64ca18ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Apr 2024 08:36:25 +0200
+Subject: ALSA: line6: Zero-initialize message buffers
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit c4e51e424e2c772ce1836912a8b0b87cd61bc9d5 ]
+
+For shutting up spurious KMSAN uninit-value warnings, just replace
+kmalloc() calls with kzalloc() for the buffers used for
+communications. There should be no real issue with the original code,
+but it's still better to cover.
+
+Reported-by: syzbot+7fb05ccf7b3d2f9617b3@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/r/00000000000084b18706150bcca5@google.com
+Message-ID: <20240402063628.26609-1-tiwai@suse.de>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/line6/driver.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/sound/usb/line6/driver.c b/sound/usb/line6/driver.c
+index b67617b68e509..f4437015d43a7 100644
+--- a/sound/usb/line6/driver.c
++++ b/sound/usb/line6/driver.c
+@@ -202,7 +202,7 @@ int line6_send_raw_message_async(struct usb_line6 *line6, const char *buffer,
+ struct urb *urb;
+
+ /* create message: */
+- msg = kmalloc(sizeof(struct message), GFP_ATOMIC);
++ msg = kzalloc(sizeof(struct message), GFP_ATOMIC);
+ if (msg == NULL)
+ return -ENOMEM;
+
+@@ -688,7 +688,7 @@ static int line6_init_cap_control(struct usb_line6 *line6)
+ int ret;
+
+ /* initialize USB buffers: */
+- line6->buffer_listen = kmalloc(LINE6_BUFSIZE_LISTEN, GFP_KERNEL);
++ line6->buffer_listen = kzalloc(LINE6_BUFSIZE_LISTEN, GFP_KERNEL);
+ if (!line6->buffer_listen)
+ return -ENOMEM;
+
+@@ -697,7 +697,7 @@ static int line6_init_cap_control(struct usb_line6 *line6)
+ return -ENOMEM;
+
+ if (line6->properties->capabilities & LINE6_CAP_CONTROL_MIDI) {
+- line6->buffer_message = kmalloc(LINE6_MIDI_MESSAGE_MAXLEN, GFP_KERNEL);
++ line6->buffer_message = kzalloc(LINE6_MIDI_MESSAGE_MAXLEN, GFP_KERNEL);
+ if (!line6->buffer_message)
+ return -ENOMEM;
+
+--
+2.43.0
+
--- /dev/null
+From 196e54ec5e43481fa366a62d764e0b6e27e899e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Apr 2022 17:57:25 +0200
+Subject: ASoC: meson: axg-card: Fix nonatomic links
+
+From: Neil Armstrong <narmstrong@baylibre.com>
+
+[ Upstream commit 0c9b152c72e53016e96593bdbb8cffe2176694b9 ]
+
+This commit e138233e56e9829e65b6293887063a1a3ccb2d68 causes the
+following system crash when using audio on G12A/G12B & SM1 systems:
+
+ BUG: sleeping function called from invalid context at kernel/locking/mutex.c:282
+ in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 0, name: swapper/0
+ preempt_count: 10001, expected: 0
+ RCU nest depth: 0, expected: 0
+ Preemption disabled at:
+ schedule_preempt_disabled+0x20/0x2c
+
+ mutex_lock+0x24/0x60
+ _snd_pcm_stream_lock_irqsave+0x20/0x3c
+ snd_pcm_period_elapsed+0x24/0xa4
+ axg_fifo_pcm_irq_block+0x64/0xdc
+ __handle_irq_event_percpu+0x104/0x264
+ handle_irq_event+0x48/0xb4
+ ...
+ start_kernel+0x3f0/0x484
+ __primary_switched+0xc0/0xc8
+
+Revert this commit until the crash is fixed.
+
+Fixes: e138233e56e9829e65b6 ("ASoC: meson: axg-card: make links nonatomic")
+Reported-by: Dmitry Shmidt <dimitrysh@google.com>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Acked-by: Jerome Brunet <jbrunet@baylibre.com>
+Link: https://lore.kernel.org/r/20220421155725.2589089-2-narmstrong@baylibre.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/meson/axg-card.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/sound/soc/meson/axg-card.c b/sound/soc/meson/axg-card.c
+index cbbaa55d92a66..2b77010c2c5ce 100644
+--- a/sound/soc/meson/axg-card.c
++++ b/sound/soc/meson/axg-card.c
+@@ -320,7 +320,6 @@ static int axg_card_add_link(struct snd_soc_card *card, struct device_node *np,
+
+ dai_link->cpus = cpu;
+ dai_link->num_cpus = 1;
+- dai_link->nonatomic = true;
+
+ ret = meson_card_parse_dai(card, np, &dai_link->cpus->of_node,
+ &dai_link->cpus->dai_name);
+--
+2.43.0
+
--- /dev/null
+From eb2cd42efa1a3c0c8cab97605f0b7afadb47d14c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Apr 2022 17:57:24 +0200
+Subject: ASoC: meson: axg-tdm-interface: Fix formatters in trigger"
+
+From: Neil Armstrong <narmstrong@baylibre.com>
+
+[ Upstream commit c26830b6c5c534d273ce007eb33d5a2d2ad4e969 ]
+
+This reverts commit bf5e4887eeddb48480568466536aa08ec7f179a5 because
+the following and required commit e138233e56e9829e65b6293887063a1a3ccb2d68
+causes the following system crash when using audio:
+ BUG: sleeping function called from invalid context at kernel/locking/mutex.c:282
+
+Fixes: bf5e4887eeddb4848056846 ("ASoC: meson: axg-tdm-interface: manage formatters in trigger")
+Reported-by: Dmitry Shmidt <dimitrysh@google.com>
+Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
+Acked-by: Jerome Brunet <jbrunet@baylibre.com>
+Link: https://lore.kernel.org/r/20220421155725.2589089-1-narmstrong@baylibre.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/meson/axg-tdm-interface.c | 26 +++++---------------------
+ 1 file changed, 5 insertions(+), 21 deletions(-)
+
+diff --git a/sound/soc/meson/axg-tdm-interface.c b/sound/soc/meson/axg-tdm-interface.c
+index f5145902360de..60d132ab1ab78 100644
+--- a/sound/soc/meson/axg-tdm-interface.c
++++ b/sound/soc/meson/axg-tdm-interface.c
+@@ -362,29 +362,13 @@ static int axg_tdm_iface_hw_free(struct snd_pcm_substream *substream,
+ return 0;
+ }
+
+-static int axg_tdm_iface_trigger(struct snd_pcm_substream *substream,
+- int cmd,
++static int axg_tdm_iface_prepare(struct snd_pcm_substream *substream,
+ struct snd_soc_dai *dai)
+ {
+- struct axg_tdm_stream *ts =
+- snd_soc_dai_get_dma_data(dai, substream);
+-
+- switch (cmd) {
+- case SNDRV_PCM_TRIGGER_START:
+- case SNDRV_PCM_TRIGGER_RESUME:
+- case SNDRV_PCM_TRIGGER_PAUSE_RELEASE:
+- axg_tdm_stream_start(ts);
+- break;
+- case SNDRV_PCM_TRIGGER_SUSPEND:
+- case SNDRV_PCM_TRIGGER_PAUSE_PUSH:
+- case SNDRV_PCM_TRIGGER_STOP:
+- axg_tdm_stream_stop(ts);
+- break;
+- default:
+- return -EINVAL;
+- }
++ struct axg_tdm_stream *ts = snd_soc_dai_get_dma_data(dai, substream);
+
+- return 0;
++ /* Force all attached formatters to update */
++ return axg_tdm_stream_reset(ts);
+ }
+
+ static int axg_tdm_iface_remove_dai(struct snd_soc_dai *dai)
+@@ -424,8 +408,8 @@ static const struct snd_soc_dai_ops axg_tdm_iface_ops = {
+ .set_fmt = axg_tdm_iface_set_fmt,
+ .startup = axg_tdm_iface_startup,
+ .hw_params = axg_tdm_iface_hw_params,
++ .prepare = axg_tdm_iface_prepare,
+ .hw_free = axg_tdm_iface_hw_free,
+- .trigger = axg_tdm_iface_trigger,
+ };
+
+ /* TDM Backend DAIs */
+--
+2.43.0
+
--- /dev/null
+From 1c170092d7ebd16878749dd6e3ccae8ed24b3c86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Apr 2024 04:33:49 +0000
+Subject: ata: sata_gemini: Check clk_enable() result
+
+From: Chen Ni <nichen@iscas.ac.cn>
+
+[ Upstream commit e85006ae7430aef780cc4f0849692e266a102ec0 ]
+
+The call to clk_enable() in gemini_sata_start_bridge() can fail.
+Add a check to detect such failure.
+
+Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/sata_gemini.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/ata/sata_gemini.c b/drivers/ata/sata_gemini.c
+index 6fd54e968d10a..1564472fd5d50 100644
+--- a/drivers/ata/sata_gemini.c
++++ b/drivers/ata/sata_gemini.c
+@@ -201,7 +201,10 @@ int gemini_sata_start_bridge(struct sata_gemini *sg, unsigned int bridge)
+ pclk = sg->sata0_pclk;
+ else
+ pclk = sg->sata1_pclk;
+- clk_enable(pclk);
++ ret = clk_enable(pclk);
++ if (ret)
++ return ret;
++
+ msleep(10);
+
+ /* Do not keep clocking a bridge that is not online */
+--
+2.43.0
+
--- /dev/null
+From 7167f96cd25263c24a1d3ae8d5b3f53423e3a5ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Apr 2024 12:32:53 -0400
+Subject: blk-iocost: avoid out of bounds shift
+
+From: Rik van Riel <riel@surriel.com>
+
+[ Upstream commit beaa51b36012fad5a4d3c18b88a617aea7a9b96d ]
+
+UBSAN catches undefined behavior in blk-iocost, where sometimes
+iocg->delay is shifted right by a number that is too large,
+resulting in undefined behavior on some architectures.
+
+[ 186.556576] ------------[ cut here ]------------
+UBSAN: shift-out-of-bounds in block/blk-iocost.c:1366:23
+shift exponent 64 is too large for 64-bit type 'u64' (aka 'unsigned long long')
+CPU: 16 PID: 0 Comm: swapper/16 Tainted: G S E N 6.9.0-0_fbk700_debug_rc2_kbuilder_0_gc85af715cac0 #1
+Hardware name: Quanta Twin Lakes MP/Twin Lakes Passive MP, BIOS F09_3A23 12/08/2020
+Call Trace:
+ <IRQ>
+ dump_stack_lvl+0x8f/0xe0
+ __ubsan_handle_shift_out_of_bounds+0x22c/0x280
+ iocg_kick_delay+0x30b/0x310
+ ioc_timer_fn+0x2fb/0x1f80
+ __run_timer_base+0x1b6/0x250
+...
+
+Avoid that undefined behavior by simply taking the
+"delay = 0" branch if the shift is too large.
+
+I am not sure what the symptoms of an undefined value
+delay will be, but I suspect it could be more than a
+little annoying to debug.
+
+Signed-off-by: Rik van Riel <riel@surriel.com>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Josef Bacik <josef@toxicpanda.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Acked-by: Tejun Heo <tj@kernel.org>
+Link: https://lore.kernel.org/r/20240404123253.0f58010f@imladris.surriel.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/blk-iocost.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/block/blk-iocost.c b/block/blk-iocost.c
+index 645a589edda82..bfdb7b0cf49de 100644
+--- a/block/blk-iocost.c
++++ b/block/blk-iocost.c
+@@ -1336,7 +1336,7 @@ static bool iocg_kick_delay(struct ioc_gq *iocg, struct ioc_now *now)
+ {
+ struct ioc *ioc = iocg->ioc;
+ struct blkcg_gq *blkg = iocg_to_blkg(iocg);
+- u64 tdelta, delay, new_delay;
++ u64 tdelta, delay, new_delay, shift;
+ s64 vover, vover_pct;
+ u32 hwa;
+
+@@ -1351,8 +1351,9 @@ static bool iocg_kick_delay(struct ioc_gq *iocg, struct ioc_now *now)
+
+ /* calculate the current delay in effect - 1/2 every second */
+ tdelta = now->now - iocg->delay_at;
+- if (iocg->delay)
+- delay = iocg->delay >> div64_u64(tdelta, USEC_PER_SEC);
++ shift = div64_u64(tdelta, USEC_PER_SEC);
++ if (iocg->delay && shift < BITS_PER_LONG)
++ delay = iocg->delay >> shift;
+ else
+ delay = 0;
+
+--
+2.43.0
+
--- /dev/null
+From d2aeeca726ebb44363ea0fe4f7b97d253e8198d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 May 2023 19:56:06 -0700
+Subject: bpf, sockmap: Convert schedule_work into delayed_work
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit 29173d07f79883ac94f5570294f98af3d4287382 ]
+
+Sk_buffs are fed into sockmap verdict programs either from a strparser
+(when the user might want to decide how framing of skb is done by attaching
+another parser program) or directly through tcp_read_sock. The
+tcp_read_sock is the preferred method for performance when the BPF logic is
+a stream parser.
+
+The flow for Cilium's common use case with a stream parser is,
+
+ tcp_read_sock()
+ sk_psock_verdict_recv
+ ret = bpf_prog_run_pin_on_cpu()
+ sk_psock_verdict_apply(sock, skb, ret)
+ // if system is under memory pressure or app is slow we may
+ // need to queue skb. Do this queuing through ingress_skb and
+ // then kick timer to wake up handler
+ skb_queue_tail(ingress_skb, skb)
+ schedule_work(work);
+
+The work queue is wired up to sk_psock_backlog(). This will then walk the
+ingress_skb skb list that holds our sk_buffs that could not be handled,
+but should be OK to run at some later point. However, its possible that
+the workqueue doing this work still hits an error when sending the skb.
+When this happens the skbuff is requeued on a temporary 'state' struct
+kept with the workqueue. This is necessary because its possible to
+partially send an skbuff before hitting an error and we need to know how
+and where to restart when the workqueue runs next.
+
+Now for the trouble, we don't rekick the workqueue. This can cause a
+stall where the skbuff we just cached on the state variable might never
+be sent. This happens when its the last packet in a flow and no further
+packets come along that would cause the system to kick the workqueue from
+that side.
+
+To fix we could do simple schedule_work(), but while under memory pressure
+it makes sense to back off some instead of continue to retry repeatedly. So
+instead to fix convert schedule_work to schedule_delayed_work and add
+backoff logic to reschedule from backlog queue on errors. Its not obvious
+though what a good backoff is so use '1'.
+
+To test we observed some flakes whil running NGINX compliance test with
+sockmap we attributed these failed test to this bug and subsequent issue.
+
+>From on list discussion. This commit
+
+ bec217197b41("skmsg: Schedule psock work if the cached skb exists on the psock")
+
+was intended to address similar race, but had a couple cases it missed.
+Most obvious it only accounted for receiving traffic on the local socket
+so if redirecting into another socket we could still get an sk_buff stuck
+here. Next it missed the case where copied=0 in the recv() handler and
+then we wouldn't kick the scheduler. Also its sub-optimal to require
+userspace to kick the internal mechanisms of sockmap to wake it up and
+copy data to user. It results in an extra syscall and requires the app
+to actual handle the EAGAIN correctly.
+
+Fixes: 04919bed948dc ("tcp: Introduce tcp_read_skb()")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Tested-by: William Findlay <will@isovalent.com>
+Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
+Link: https://lore.kernel.org/bpf/20230523025618.113937-3-john.fastabend@gmail.com
+Stable-dep-of: 405df89dd52c ("bpf, sockmap: Improved check for empty queue")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/skmsg.h | 2 +-
+ net/core/skmsg.c | 21 ++++++++++++++-------
+ net/core/sock_map.c | 3 ++-
+ 3 files changed, 17 insertions(+), 9 deletions(-)
+
+diff --git a/include/linux/skmsg.h b/include/linux/skmsg.h
+index f18eb6a6f7631..07a8e7c695373 100644
+--- a/include/linux/skmsg.h
++++ b/include/linux/skmsg.h
+@@ -107,7 +107,7 @@ struct sk_psock {
+ struct proto *sk_proto;
+ struct mutex work_mutex;
+ struct sk_psock_work_state work_state;
+- struct work_struct work;
++ struct delayed_work work;
+ struct rcu_work rwork;
+ };
+
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index 6bdb15b05a78d..e9fddceba390e 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -482,7 +482,7 @@ int sk_msg_recvmsg(struct sock *sk, struct sk_psock *psock, struct msghdr *msg,
+ }
+ out:
+ if (psock->work_state.skb && copied > 0)
+- schedule_work(&psock->work);
++ schedule_delayed_work(&psock->work, 0);
+ return copied;
+ }
+ EXPORT_SYMBOL_GPL(sk_msg_recvmsg);
+@@ -633,7 +633,8 @@ static void sk_psock_skb_state(struct sk_psock *psock,
+
+ static void sk_psock_backlog(struct work_struct *work)
+ {
+- struct sk_psock *psock = container_of(work, struct sk_psock, work);
++ struct delayed_work *dwork = to_delayed_work(work);
++ struct sk_psock *psock = container_of(dwork, struct sk_psock, work);
+ struct sk_psock_work_state *state = &psock->work_state;
+ struct sk_buff *skb = NULL;
+ bool ingress;
+@@ -673,6 +674,12 @@ static void sk_psock_backlog(struct work_struct *work)
+ if (ret == -EAGAIN) {
+ sk_psock_skb_state(psock, state, skb,
+ len, off);
++
++ /* Delay slightly to prioritize any
++ * other work that might be here.
++ */
++ if (sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED))
++ schedule_delayed_work(&psock->work, 1);
+ goto end;
+ }
+ /* Hard errors break pipe and stop xmit. */
+@@ -727,7 +734,7 @@ struct sk_psock *sk_psock_init(struct sock *sk, int node)
+ INIT_LIST_HEAD(&psock->link);
+ spin_lock_init(&psock->link_lock);
+
+- INIT_WORK(&psock->work, sk_psock_backlog);
++ INIT_DELAYED_WORK(&psock->work, sk_psock_backlog);
+ mutex_init(&psock->work_mutex);
+ INIT_LIST_HEAD(&psock->ingress_msg);
+ spin_lock_init(&psock->ingress_lock);
+@@ -816,7 +823,7 @@ static void sk_psock_destroy(struct work_struct *work)
+
+ sk_psock_done_strp(psock);
+
+- cancel_work_sync(&psock->work);
++ cancel_delayed_work_sync(&psock->work);
+ mutex_destroy(&psock->work_mutex);
+
+ psock_progs_drop(&psock->progs);
+@@ -931,7 +938,7 @@ static int sk_psock_skb_redirect(struct sk_psock *from, struct sk_buff *skb)
+ }
+
+ skb_queue_tail(&psock_other->ingress_skb, skb);
+- schedule_work(&psock_other->work);
++ schedule_delayed_work(&psock_other->work, 0);
+ spin_unlock_bh(&psock_other->ingress_lock);
+ return 0;
+ }
+@@ -1011,7 +1018,7 @@ static int sk_psock_verdict_apply(struct sk_psock *psock, struct sk_buff *skb,
+ spin_lock_bh(&psock->ingress_lock);
+ if (sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED)) {
+ skb_queue_tail(&psock->ingress_skb, skb);
+- schedule_work(&psock->work);
++ schedule_delayed_work(&psock->work, 0);
+ err = 0;
+ }
+ spin_unlock_bh(&psock->ingress_lock);
+@@ -1042,7 +1049,7 @@ static void sk_psock_write_space(struct sock *sk)
+ psock = sk_psock(sk);
+ if (likely(psock)) {
+ if (sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED))
+- schedule_work(&psock->work);
++ schedule_delayed_work(&psock->work, 0);
+ write_space = psock->saved_write_space;
+ }
+ rcu_read_unlock();
+diff --git a/net/core/sock_map.c b/net/core/sock_map.c
+index 4e42bc679bac9..2ded250ac0d2b 100644
+--- a/net/core/sock_map.c
++++ b/net/core/sock_map.c
+@@ -1577,9 +1577,10 @@ void sock_map_close(struct sock *sk, long timeout)
+ rcu_read_unlock();
+ sk_psock_stop(psock);
+ release_sock(sk);
+- cancel_work_sync(&psock->work);
++ cancel_delayed_work_sync(&psock->work);
+ sk_psock_put(sk, psock);
+ }
++
+ /* Make sure we do not recurse. This is a bug.
+ * Leak the socket instead of crashing on a stack overflow.
+ */
+--
+2.43.0
+
--- /dev/null
+From 88273fb7af387cd8d6eae1e2db11385d47022a79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 May 2023 19:56:09 -0700
+Subject: bpf, sockmap: Handle fin correctly
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit 901546fd8f9ca4b5c481ce00928ab425ce9aacc0 ]
+
+The sockmap code is returning EAGAIN after a FIN packet is received and no
+more data is on the receive queue. Correct behavior is to return 0 to the
+user and the user can then close the socket. The EAGAIN causes many apps
+to retry which masks the problem. Eventually the socket is evicted from
+the sockmap because its released from sockmap sock free handling. The
+issue creates a delay and can cause some errors on application side.
+
+To fix this check on sk_msg_recvmsg side if length is zero and FIN flag
+is set then set return to zero. A selftest will be added to check this
+condition.
+
+Fixes: 04919bed948dc ("tcp: Introduce tcp_read_skb()")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Tested-by: William Findlay <will@isovalent.com>
+Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
+Link: https://lore.kernel.org/bpf/20230523025618.113937-6-john.fastabend@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_bpf.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
+index 89204004eeb5e..5fdef5ddfbbe6 100644
+--- a/net/ipv4/tcp_bpf.c
++++ b/net/ipv4/tcp_bpf.c
+@@ -174,6 +174,24 @@ static int tcp_msg_wait_data(struct sock *sk, struct sk_psock *psock,
+ return ret;
+ }
+
++static bool is_next_msg_fin(struct sk_psock *psock)
++{
++ struct scatterlist *sge;
++ struct sk_msg *msg_rx;
++ int i;
++
++ msg_rx = sk_psock_peek_msg(psock);
++ i = msg_rx->sg.start;
++ sge = sk_msg_elem(msg_rx, i);
++ if (!sge->length) {
++ struct sk_buff *skb = msg_rx->skb;
++
++ if (skb && TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN)
++ return true;
++ }
++ return false;
++}
++
+ static int tcp_bpf_recvmsg_parser(struct sock *sk,
+ struct msghdr *msg,
+ size_t len,
+@@ -217,6 +235,19 @@ static int tcp_bpf_recvmsg_parser(struct sock *sk,
+
+ msg_bytes_ready:
+ copied = sk_msg_recvmsg(sk, psock, msg, len, flags);
++ /* The typical case for EFAULT is the socket was gracefully
++ * shutdown with a FIN pkt. So check here the other case is
++ * some error on copy_page_to_iter which would be unexpected.
++ * On fin return correct return code to zero.
++ */
++ if (copied == -EFAULT) {
++ bool is_fin = is_next_msg_fin(psock);
++
++ if (is_fin) {
++ copied = 0;
++ goto out;
++ }
++ }
+ if (!copied) {
+ long timeo;
+ int data;
+--
+2.43.0
+
--- /dev/null
+From c56e0721e40d3ed1d91f65eaa09ac34722dc3386 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 May 2023 19:56:08 -0700
+Subject: bpf, sockmap: Improved check for empty queue
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit 405df89dd52cbcd69a3cd7d9a10d64de38f854b2 ]
+
+We noticed some rare sk_buffs were stepping past the queue when system was
+under memory pressure. The general theory is to skip enqueueing
+sk_buffs when its not necessary which is the normal case with a system
+that is properly provisioned for the task, no memory pressure and enough
+cpu assigned.
+
+But, if we can't allocate memory due to an ENOMEM error when enqueueing
+the sk_buff into the sockmap receive queue we push it onto a delayed
+workqueue to retry later. When a new sk_buff is received we then check
+if that queue is empty. However, there is a problem with simply checking
+the queue length. When a sk_buff is being processed from the ingress queue
+but not yet on the sockmap msg receive queue its possible to also recv
+a sk_buff through normal path. It will check the ingress queue which is
+zero and then skip ahead of the pkt being processed.
+
+Previously we used sock lock from both contexts which made the problem
+harder to hit, but not impossible.
+
+To fix instead of popping the skb from the queue entirely we peek the
+skb from the queue and do the copy there. This ensures checks to the
+queue length are non-zero while skb is being processed. Then finally
+when the entire skb has been copied to user space queue or another
+socket we pop it off the queue. This way the queue length check allows
+bypassing the queue only after the list has been completely processed.
+
+To reproduce issue we run NGINX compliance test with sockmap running and
+observe some flakes in our testing that we attributed to this issue.
+
+Fixes: 04919bed948dc ("tcp: Introduce tcp_read_skb()")
+Suggested-by: Jakub Sitnicki <jakub@cloudflare.com>
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Tested-by: William Findlay <will@isovalent.com>
+Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
+Link: https://lore.kernel.org/bpf/20230523025618.113937-5-john.fastabend@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/skmsg.h | 1 -
+ net/core/skmsg.c | 32 ++++++++------------------------
+ 2 files changed, 8 insertions(+), 25 deletions(-)
+
+diff --git a/include/linux/skmsg.h b/include/linux/skmsg.h
+index 07a8e7c695373..422b391d931fe 100644
+--- a/include/linux/skmsg.h
++++ b/include/linux/skmsg.h
+@@ -73,7 +73,6 @@ struct sk_psock_link {
+ };
+
+ struct sk_psock_work_state {
+- struct sk_buff *skb;
+ u32 len;
+ u32 off;
+ };
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index 51ab1e617d922..675fd86279d87 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -615,16 +615,12 @@ static int sk_psock_handle_skb(struct sk_psock *psock, struct sk_buff *skb,
+
+ static void sk_psock_skb_state(struct sk_psock *psock,
+ struct sk_psock_work_state *state,
+- struct sk_buff *skb,
+ int len, int off)
+ {
+ spin_lock_bh(&psock->ingress_lock);
+ if (sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED)) {
+- state->skb = skb;
+ state->len = len;
+ state->off = off;
+- } else {
+- sock_drop(psock->sk, skb);
+ }
+ spin_unlock_bh(&psock->ingress_lock);
+ }
+@@ -635,23 +631,17 @@ static void sk_psock_backlog(struct work_struct *work)
+ struct sk_psock *psock = container_of(dwork, struct sk_psock, work);
+ struct sk_psock_work_state *state = &psock->work_state;
+ struct sk_buff *skb = NULL;
++ u32 len = 0, off = 0;
+ bool ingress;
+- u32 len, off;
+ int ret;
+
+ mutex_lock(&psock->work_mutex);
+- if (unlikely(state->skb)) {
+- spin_lock_bh(&psock->ingress_lock);
+- skb = state->skb;
++ if (unlikely(state->len)) {
+ len = state->len;
+ off = state->off;
+- state->skb = NULL;
+- spin_unlock_bh(&psock->ingress_lock);
+ }
+- if (skb)
+- goto start;
+
+- while ((skb = skb_dequeue(&psock->ingress_skb))) {
++ while ((skb = skb_peek(&psock->ingress_skb))) {
+ len = skb->len;
+ off = 0;
+ if (skb_bpf_strparser(skb)) {
+@@ -660,7 +650,6 @@ static void sk_psock_backlog(struct work_struct *work)
+ off = stm->offset;
+ len = stm->full_len;
+ }
+-start:
+ ingress = skb_bpf_ingress(skb);
+ skb_bpf_redirect_clear(skb);
+ do {
+@@ -670,8 +659,7 @@ static void sk_psock_backlog(struct work_struct *work)
+ len, ingress);
+ if (ret <= 0) {
+ if (ret == -EAGAIN) {
+- sk_psock_skb_state(psock, state, skb,
+- len, off);
++ sk_psock_skb_state(psock, state, len, off);
+
+ /* Delay slightly to prioritize any
+ * other work that might be here.
+@@ -683,15 +671,16 @@ static void sk_psock_backlog(struct work_struct *work)
+ /* Hard errors break pipe and stop xmit. */
+ sk_psock_report_error(psock, ret ? -ret : EPIPE);
+ sk_psock_clear_state(psock, SK_PSOCK_TX_ENABLED);
+- sock_drop(psock->sk, skb);
+ goto end;
+ }
+ off += ret;
+ len -= ret;
+ } while (len);
+
+- if (!ingress)
++ skb = skb_dequeue(&psock->ingress_skb);
++ if (!ingress) {
+ kfree_skb(skb);
++ }
+ }
+ end:
+ mutex_unlock(&psock->work_mutex);
+@@ -784,11 +773,6 @@ static void __sk_psock_zap_ingress(struct sk_psock *psock)
+ skb_bpf_redirect_clear(skb);
+ sock_drop(psock->sk, skb);
+ }
+- kfree_skb(psock->work_state.skb);
+- /* We null the skb here to ensure that calls to sk_psock_backlog
+- * do not pick up the free'd skb.
+- */
+- psock->work_state.skb = NULL;
+ __sk_psock_purge_ingress_msg(psock);
+ }
+
+@@ -807,7 +791,6 @@ void sk_psock_stop(struct sk_psock *psock)
+ spin_lock_bh(&psock->ingress_lock);
+ sk_psock_clear_state(psock, SK_PSOCK_TX_ENABLED);
+ sk_psock_cork_free(psock);
+- __sk_psock_zap_ingress(psock);
+ spin_unlock_bh(&psock->ingress_lock);
+ }
+
+@@ -822,6 +805,7 @@ static void sk_psock_destroy(struct work_struct *work)
+ sk_psock_done_strp(psock);
+
+ cancel_delayed_work_sync(&psock->work);
++ __sk_psock_zap_ingress(psock);
+ mutex_destroy(&psock->work_mutex);
+
+ psock_progs_drop(&psock->progs);
+--
+2.43.0
+
--- /dev/null
+From 5acb00d1b2303b0c7ffe8ea15f15fc30e022ee07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 May 2023 19:56:07 -0700
+Subject: bpf, sockmap: Reschedule is now done through backlog
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit bce22552f92ea7c577f49839b8e8f7d29afaf880 ]
+
+Now that the backlog manages the reschedule() logic correctly we can drop
+the partial fix to reschedule from recvmsg hook.
+
+Rescheduling on recvmsg hook was added to address a corner case where we
+still had data in the backlog state but had nothing to kick it and
+reschedule the backlog worker to run and finish copying data out of the
+state. This had a couple limitations, first it required user space to
+kick it introducing an unnecessary EBUSY and retry. Second it only
+handled the ingress case and egress redirects would still be hung.
+
+With the correct fix, pushing the reschedule logic down to where the
+enomem error occurs we can drop this fix.
+
+Fixes: bec217197b412 ("skmsg: Schedule psock work if the cached skb exists on the psock")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
+Link: https://lore.kernel.org/bpf/20230523025618.113937-4-john.fastabend@gmail.com
+Stable-dep-of: 405df89dd52c ("bpf, sockmap: Improved check for empty queue")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/skmsg.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/net/core/skmsg.c b/net/core/skmsg.c
+index e9fddceba390e..51ab1e617d922 100644
+--- a/net/core/skmsg.c
++++ b/net/core/skmsg.c
+@@ -481,8 +481,6 @@ int sk_msg_recvmsg(struct sock *sk, struct sk_psock *psock, struct msghdr *msg,
+ msg_rx = sk_psock_peek_msg(psock);
+ }
+ out:
+- if (psock->work_state.skb && copied > 0)
+- schedule_delayed_work(&psock->work, 0);
+ return copied;
+ }
+ EXPORT_SYMBOL_GPL(sk_msg_recvmsg);
+--
+2.43.0
+
--- /dev/null
+From 571b906d7d24a275334d64a47b43b62da302017a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 May 2023 19:56:10 -0700
+Subject: bpf, sockmap: TCP data stall on recv before accept
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+[ Upstream commit ea444185a6bf7da4dd0df1598ee953e4f7174858 ]
+
+A common mechanism to put a TCP socket into the sockmap is to hook the
+BPF_SOCK_OPS_{ACTIVE_PASSIVE}_ESTABLISHED_CB event with a BPF program
+that can map the socket info to the correct BPF verdict parser. When
+the user adds the socket to the map the psock is created and the new
+ops are assigned to ensure the verdict program will 'see' the sk_buffs
+as they arrive.
+
+Part of this process hooks the sk_data_ready op with a BPF specific
+handler to wake up the BPF verdict program when data is ready to read.
+The logic is simple enough (posted here for easy reading)
+
+ static void sk_psock_verdict_data_ready(struct sock *sk)
+ {
+ struct socket *sock = sk->sk_socket;
+
+ if (unlikely(!sock || !sock->ops || !sock->ops->read_skb))
+ return;
+ sock->ops->read_skb(sk, sk_psock_verdict_recv);
+ }
+
+The oversight here is sk->sk_socket is not assigned until the application
+accepts() the new socket. However, its entirely ok for the peer application
+to do a connect() followed immediately by sends. The socket on the receiver
+is sitting on the backlog queue of the listening socket until its accepted
+and the data is queued up. If the peer never accepts the socket or is slow
+it will eventually hit data limits and rate limit the session. But,
+important for BPF sockmap hooks when this data is received TCP stack does
+the sk_data_ready() call but the read_skb() for this data is never called
+because sk_socket is missing. The data sits on the sk_receive_queue.
+
+Then once the socket is accepted if we never receive more data from the
+peer there will be no further sk_data_ready calls and all the data
+is still on the sk_receive_queue(). Then user calls recvmsg after accept()
+and for TCP sockets in sockmap we use the tcp_bpf_recvmsg_parser() handler.
+The handler checks for data in the sk_msg ingress queue expecting that
+the BPF program has already run from the sk_data_ready hook and enqueued
+the data as needed. So we are stuck.
+
+To fix do an unlikely check in recvmsg handler for data on the
+sk_receive_queue and if it exists wake up data_ready. We have the sock
+locked in both read_skb and recvmsg so should avoid having multiple
+runners.
+
+Fixes: 04919bed948dc ("tcp: Introduce tcp_read_skb()")
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
+Link: https://lore.kernel.org/bpf/20230523025618.113937-7-john.fastabend@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_bpf.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
+index e3a9477293ce4..89204004eeb5e 100644
+--- a/net/ipv4/tcp_bpf.c
++++ b/net/ipv4/tcp_bpf.c
+@@ -195,6 +195,26 @@ static int tcp_bpf_recvmsg_parser(struct sock *sk,
+ return tcp_recvmsg(sk, msg, len, nonblock, flags, addr_len);
+
+ lock_sock(sk);
++
++ /* We may have received data on the sk_receive_queue pre-accept and
++ * then we can not use read_skb in this context because we haven't
++ * assigned a sk_socket yet so have no link to the ops. The work-around
++ * is to check the sk_receive_queue and in these cases read skbs off
++ * queue again. The read_skb hook is not running at this point because
++ * of lock_sock so we avoid having multiple runners in read_skb.
++ */
++ if (unlikely(!skb_queue_empty(&sk->sk_receive_queue))) {
++ tcp_data_ready(sk);
++ /* This handles the ENOMEM errors if we both receive data
++ * pre accept and are already under memory pressure. At least
++ * let user know to retry.
++ */
++ if (unlikely(!skb_queue_empty(&sk->sk_receive_queue))) {
++ copied = -EAGAIN;
++ goto out;
++ }
++ }
++
+ msg_bytes_ready:
+ copied = sk_msg_recvmsg(sk, psock, msg, len, flags);
+ if (!copied) {
+--
+2.43.0
+
--- /dev/null
+From ea0f8a95e12dd2ae00d826daa0560f478e5ea854 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Mar 2024 12:01:28 -0700
+Subject: btrfs: always clear PERTRANS metadata during commit
+
+From: Boris Burkov <boris@bur.io>
+
+[ Upstream commit 6e68de0bb0ed59e0554a0c15ede7308c47351e2d ]
+
+It is possible to clear a root's IN_TRANS tag from the radix tree, but
+not clear its PERTRANS, if there is some error in between. Eliminate
+that possibility by moving the free up to where we clear the tag.
+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Boris Burkov <boris@bur.io>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/transaction.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c
+index 99cdd1d6a4bf8..a9b794c47159f 100644
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -1424,6 +1424,7 @@ static noinline int commit_fs_roots(struct btrfs_trans_handle *trans)
+ radix_tree_tag_clear(&fs_info->fs_roots_radix,
+ (unsigned long)root->root_key.objectid,
+ BTRFS_ROOT_TRANS_TAG);
++ btrfs_qgroup_free_meta_all_pertrans(root);
+ spin_unlock(&fs_info->fs_roots_radix_lock);
+
+ btrfs_free_log(trans, root);
+@@ -1448,7 +1449,6 @@ static noinline int commit_fs_roots(struct btrfs_trans_handle *trans)
+ if (ret2)
+ return ret2;
+ spin_lock(&fs_info->fs_roots_radix_lock);
+- btrfs_qgroup_free_meta_all_pertrans(root);
+ }
+ }
+ spin_unlock(&fs_info->fs_roots_radix_lock);
+--
+2.43.0
+
--- /dev/null
+From 677110ddce868a2838f74490b66dbc41c9a3540f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Mar 2024 11:55:22 -0700
+Subject: btrfs: make btrfs_clear_delalloc_extent() free delalloc reserve
+
+From: Boris Burkov <boris@bur.io>
+
+[ Upstream commit 3c6f0c5ecc8910d4ffb0dfe85609ebc0c91c8f34 ]
+
+Currently, this call site in btrfs_clear_delalloc_extent() only converts
+the reservation. We are marking it not delalloc, so I don't think it
+makes sense to keep the rsv around. This is a path where we are not
+sure to join a transaction, so it leads to incorrect free-ing during
+umount.
+
+Helps with the pass rate of generic/269 and generic/475.
+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Boris Burkov <boris@bur.io>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index c7d8a18daaf50..07c6ab4ba0d43 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -2261,7 +2261,7 @@ void btrfs_clear_delalloc_extent(struct inode *vfs_inode,
+ */
+ if (*bits & EXTENT_CLEAR_META_RESV &&
+ root != fs_info->tree_root)
+- btrfs_delalloc_release_metadata(inode, len, false);
++ btrfs_delalloc_release_metadata(inode, len, true);
+
+ /* For sanity tests. */
+ if (btrfs_is_testing(fs_info))
+--
+2.43.0
+
--- /dev/null
+From 98fc2b179cda94606c5d87624e5a9e87e1ec61ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Mar 2024 08:28:18 +0530
+Subject: btrfs: return accurate error code on open failure in
+ open_fs_devices()
+
+From: Anand Jain <anand.jain@oracle.com>
+
+[ Upstream commit 2f1aeab9fca1a5f583be1add175d1ee95c213cfa ]
+
+When attempting to exclusive open a device which has no exclusive open
+permission, such as a physical device associated with the flakey dm
+device, the open operation will fail, resulting in a mount failure.
+
+In this particular scenario, we erroneously return -EINVAL instead of the
+correct error code provided by the bdev_open_by_path() function, which is
+-EBUSY.
+
+Fix this, by returning error code from the bdev_open_by_path() function.
+With this correction, the mount error message will align with that of
+ext4 and xfs.
+
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: Anand Jain <anand.jain@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/volumes.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
+index 36e77956c63fa..2a0d44fd2dd98 100644
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -1260,25 +1260,32 @@ static int open_fs_devices(struct btrfs_fs_devices *fs_devices,
+ struct btrfs_device *device;
+ struct btrfs_device *latest_dev = NULL;
+ struct btrfs_device *tmp_device;
++ int ret = 0;
+
+ flags |= FMODE_EXCL;
+
+ list_for_each_entry_safe(device, tmp_device, &fs_devices->devices,
+ dev_list) {
+- int ret;
++ int ret2;
+
+- ret = btrfs_open_one_device(fs_devices, device, flags, holder);
+- if (ret == 0 &&
++ ret2 = btrfs_open_one_device(fs_devices, device, flags, holder);
++ if (ret2 == 0 &&
+ (!latest_dev || device->generation > latest_dev->generation)) {
+ latest_dev = device;
+- } else if (ret == -ENODATA) {
++ } else if (ret2 == -ENODATA) {
+ fs_devices->num_devices--;
+ list_del(&device->dev_list);
+ btrfs_free_device(device);
+ }
++ if (ret == 0 && ret2 != 0)
++ ret = ret2;
+ }
+- if (fs_devices->open_devices == 0)
++
++ if (fs_devices->open_devices == 0) {
++ if (ret)
++ return ret;
+ return -EINVAL;
++ }
+
+ fs_devices->opened = 1;
+ fs_devices->latest_dev = latest_dev;
+--
+2.43.0
+
--- /dev/null
+From fc07c35011af35d74bfea585f330c35e8319dfe3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Mar 2024 11:41:56 -0700
+Subject: clk: Don't hold prepare_lock when calling kref_put()
+
+From: Stephen Boyd <sboyd@kernel.org>
+
+[ Upstream commit 6f63af7511e7058f3fa4ad5b8102210741c9f947 ]
+
+We don't need to hold the prepare_lock when dropping a ref on a struct
+clk_core. The release function is only freeing memory and any code with
+a pointer reference has already unlinked anything pointing to the
+clk_core. This reduces the holding area of the prepare_lock a bit.
+
+Note that we also don't call free_clk() with the prepare_lock held.
+There isn't any reason to do that.
+
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Link: https://lore.kernel.org/r/20240325184204.745706-3-sboyd@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clk.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c
+index a05b5bca64250..dc2bcf58fc107 100644
+--- a/drivers/clk/clk.c
++++ b/drivers/clk/clk.c
+@@ -4227,7 +4227,8 @@ void clk_unregister(struct clk *clk)
+ if (ops == &clk_nodrv_ops) {
+ pr_err("%s: unregistered clock: %s\n", __func__,
+ clk->core->name);
+- goto unlock;
++ clk_prepare_unlock();
++ return;
+ }
+ /*
+ * Assign empty clock ops for consumers that might still hold
+@@ -4261,11 +4262,10 @@ void clk_unregister(struct clk *clk)
+ if (clk->core->protect_count)
+ pr_warn("%s: unregistering protected clock: %s\n",
+ __func__, clk->core->name);
++ clk_prepare_unlock();
+
+ kref_put(&clk->core->ref, __clk_release);
+ free_clk(clk);
+-unlock:
+- clk_prepare_unlock();
+ }
+ EXPORT_SYMBOL_GPL(clk_unregister);
+
+@@ -4471,13 +4471,11 @@ void __clk_put(struct clk *clk)
+ clk->max_rate < clk->core->req_rate)
+ clk_core_set_rate_nolock(clk->core, clk->core->req_rate);
+
+- owner = clk->core->owner;
+- kref_put(&clk->core->ref, __clk_release);
+-
+ clk_prepare_unlock();
+
++ owner = clk->core->owner;
++ kref_put(&clk->core->ref, __clk_release);
+ module_put(owner);
+-
+ free_clk(clk);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 1169d9bcc9c0b26e6c1d11265c32f56aa1ad98bf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Apr 2024 19:35:54 -0400
+Subject: drm/nouveau/dp: Don't probe eDP ports twice harder
+
+From: Lyude Paul <lyude@redhat.com>
+
+[ Upstream commit bf52d7f9b2067f02efe7e32697479097aba4a055 ]
+
+I didn't pay close enough attention the last time I tried to fix this
+problem - while we currently do correctly take care to make sure we don't
+probe a connected eDP port more then once, we don't do the same thing for
+eDP ports we found to be disconnected.
+
+So, fix this and make sure we only ever probe eDP ports once and then leave
+them at that connector state forever (since without HPD, it's not going to
+change on its own anyway). This should get rid of the last few GSP errors
+getting spit out during runtime suspend and resume on some machines, as we
+tried to reprobe eDP ports in response to ACPI hotplug probe events.
+
+Signed-off-by: Lyude Paul <lyude@redhat.com>
+Reviewed-by: Dave Airlie <airlied@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240404233736.7946-3-lyude@redhat.com
+(cherry picked from commit fe6660b661c3397af0867d5d098f5b26581f1290)
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_dp.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_dp.c b/drivers/gpu/drm/nouveau/nouveau_dp.c
+index 447b7594b35ae..0107a21dc9f9b 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_dp.c
++++ b/drivers/gpu/drm/nouveau/nouveau_dp.c
+@@ -109,12 +109,15 @@ nouveau_dp_detect(struct nouveau_connector *nv_connector,
+ u8 *dpcd = nv_encoder->dp.dpcd;
+ int ret = NOUVEAU_DP_NONE;
+
+- /* If we've already read the DPCD on an eDP device, we don't need to
+- * reread it as it won't change
++ /* eDP ports don't support hotplugging - so there's no point in probing eDP ports unless we
++ * haven't probed them once before.
+ */
+- if (connector->connector_type == DRM_MODE_CONNECTOR_eDP &&
+- dpcd[DP_DPCD_REV] != 0)
+- return NOUVEAU_DP_SST;
++ if (connector->connector_type == DRM_MODE_CONNECTOR_eDP) {
++ if (connector->status == connector_status_connected)
++ return NOUVEAU_DP_SST;
++ else if (connector->status == connector_status_disconnected)
++ return NOUVEAU_DP_NONE;
++ }
+
+ mutex_lock(&nv_encoder->dp.hpd_irq_lock);
+ if (mstm) {
+--
+2.43.0
+
--- /dev/null
+From 968863258057916309e0837962fb67f31a1c4b67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Mar 2024 07:38:41 +0900
+Subject: firewire: ohci: mask bus reset interrupts between ISR and bottom half
+
+From: Adam Goldman <adamg@pobox.com>
+
+[ Upstream commit 752e3c53de0fa3b7d817a83050b6699b8e9c6ec9 ]
+
+In the FireWire OHCI interrupt handler, if a bus reset interrupt has
+occurred, mask bus reset interrupts until bus_reset_work has serviced and
+cleared the interrupt.
+
+Normally, we always leave bus reset interrupts masked. We infer the bus
+reset from the self-ID interrupt that happens shortly thereafter. A
+scenario where we unmask bus reset interrupts was introduced in 2008 in
+a007bb857e0b26f5d8b73c2ff90782d9c0972620: If
+OHCI_PARAM_DEBUG_BUSRESETS (8) is set in the debug parameter bitmask, we
+will unmask bus reset interrupts so we can log them.
+
+irq_handler logs the bus reset interrupt. However, we can't clear the bus
+reset event flag in irq_handler, because we won't service the event until
+later. irq_handler exits with the event flag still set. If the
+corresponding interrupt is still unmasked, the first bus reset will
+usually freeze the system due to irq_handler being called again each
+time it exits. This freeze can be reproduced by loading firewire_ohci
+with "modprobe firewire_ohci debug=-1" (to enable all debugging output).
+Apparently there are also some cases where bus_reset_work will get called
+soon enough to clear the event, and operation will continue normally.
+
+This freeze was first reported a few months after a007bb85 was committed,
+but until now it was never fixed. The debug level could safely be set
+to -1 through sysfs after the module was loaded, but this would be
+ineffectual in logging bus reset interrupts since they were only
+unmasked during initialization.
+
+irq_handler will now leave the event flag set but mask bus reset
+interrupts, so irq_handler won't be called again and there will be no
+freeze. If OHCI_PARAM_DEBUG_BUSRESETS is enabled, bus_reset_work will
+unmask the interrupt after servicing the event, so future interrupts
+will be caught as desired.
+
+As a side effect to this change, OHCI_PARAM_DEBUG_BUSRESETS can now be
+enabled through sysfs in addition to during initial module loading.
+However, when enabled through sysfs, logging of bus reset interrupts will
+be effective only starting with the second bus reset, after
+bus_reset_work has executed.
+
+Signed-off-by: Adam Goldman <adamg@pobox.com>
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firewire/ohci.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/firewire/ohci.c b/drivers/firewire/ohci.c
+index 667ff40f39353..7d94e1cbc0ed3 100644
+--- a/drivers/firewire/ohci.c
++++ b/drivers/firewire/ohci.c
+@@ -2049,6 +2049,8 @@ static void bus_reset_work(struct work_struct *work)
+
+ ohci->generation = generation;
+ reg_write(ohci, OHCI1394_IntEventClear, OHCI1394_busReset);
++ if (param_debug & OHCI_PARAM_DEBUG_BUSRESETS)
++ reg_write(ohci, OHCI1394_IntMaskSet, OHCI1394_busReset);
+
+ if (ohci->quirks & QUIRK_RESET_PACKET)
+ ohci->request_generation = generation;
+@@ -2115,12 +2117,14 @@ static irqreturn_t irq_handler(int irq, void *data)
+ return IRQ_NONE;
+
+ /*
+- * busReset and postedWriteErr must not be cleared yet
++ * busReset and postedWriteErr events must not be cleared yet
+ * (OHCI 1.1 clauses 7.2.3.2 and 13.2.8.1)
+ */
+ reg_write(ohci, OHCI1394_IntEventClear,
+ event & ~(OHCI1394_busReset | OHCI1394_postedWriteErr));
+ log_irqs(ohci, event);
++ if (event & OHCI1394_busReset)
++ reg_write(ohci, OHCI1394_IntMaskClear, OHCI1394_busReset);
+
+ if (event & OHCI1394_selfIDComplete)
+ queue_work(selfid_workqueue, &ohci->bus_reset_work);
+--
+2.43.0
+
--- /dev/null
+From fa6eccc96c586544825a36a2894b5d0f57cdb636 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Mar 2024 12:22:32 +0100
+Subject: fs/9p: drop inodes immediately on non-.L too
+
+From: Joakim Sindholt <opensource@zhasha.com>
+
+[ Upstream commit 7fd524b9bd1be210fe79035800f4bd78a41b349f ]
+
+Signed-off-by: Joakim Sindholt <opensource@zhasha.com>
+Signed-off-by: Eric Van Hensbergen <ericvh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/9p/vfs_super.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/9p/vfs_super.c b/fs/9p/vfs_super.c
+index 7449f7fd47d22..51ac2653984a7 100644
+--- a/fs/9p/vfs_super.c
++++ b/fs/9p/vfs_super.c
+@@ -340,6 +340,7 @@ static const struct super_operations v9fs_super_ops = {
+ .alloc_inode = v9fs_alloc_inode,
+ .free_inode = v9fs_free_inode,
+ .statfs = simple_statfs,
++ .drop_inode = v9fs_drop_inode,
+ .evict_inode = v9fs_evict_inode,
+ .show_options = v9fs_show_options,
+ .umount_begin = v9fs_umount_begin,
+--
+2.43.0
+
--- /dev/null
+From 58c76f4f827629566c33c15d68f9aeef82d47552 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Mar 2024 12:22:31 +0100
+Subject: fs/9p: only translate RWX permissions for plain 9P2000
+
+From: Joakim Sindholt <opensource@zhasha.com>
+
+[ Upstream commit cd25e15e57e68a6b18dc9323047fe9c68b99290b ]
+
+Garbage in plain 9P2000's perm bits is allowed through, which causes it
+to be able to set (among others) the suid bit. This was presumably not
+the intent since the unix extended bits are handled explicitly and
+conditionally on .u.
+
+Signed-off-by: Joakim Sindholt <opensource@zhasha.com>
+Signed-off-by: Eric Van Hensbergen <ericvh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/9p/vfs_inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c
+index 0d9b7d453a877..75907f77f9e38 100644
+--- a/fs/9p/vfs_inode.c
++++ b/fs/9p/vfs_inode.c
+@@ -87,7 +87,7 @@ static int p9mode2perm(struct v9fs_session_info *v9ses,
+ int res;
+ int mode = stat->mode;
+
+- res = mode & S_IALLUGO;
++ res = mode & 0777; /* S_IRWXUGO */
+ if (v9fs_proto_dotu(v9ses)) {
+ if ((mode & P9_DMSETUID) == P9_DMSETUID)
+ res |= S_ISUID;
+--
+2.43.0
+
--- /dev/null
+From 27affae537cf65214aa324a8d0c3c1b91908b23b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Mar 2024 12:22:33 +0100
+Subject: fs/9p: translate O_TRUNC into OTRUNC
+
+From: Joakim Sindholt <opensource@zhasha.com>
+
+[ Upstream commit 87de39e70503e04ddb58965520b15eb9efa7eef3 ]
+
+This one hits both 9P2000 and .u as it appears v9fs has never translated
+the O_TRUNC flag.
+
+Signed-off-by: Joakim Sindholt <opensource@zhasha.com>
+Signed-off-by: Eric Van Hensbergen <ericvh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/9p/vfs_inode.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c
+index 75907f77f9e38..ef103ef392ee3 100644
+--- a/fs/9p/vfs_inode.c
++++ b/fs/9p/vfs_inode.c
+@@ -178,6 +178,9 @@ int v9fs_uflags2omode(int uflags, int extended)
+ break;
+ }
+
++ if (uflags & O_TRUNC)
++ ret |= P9_OTRUNC;
++
+ if (extended) {
+ if (uflags & O_EXCL)
+ ret |= P9_OEXCL;
+--
+2.43.0
+
--- /dev/null
+From be6e8a396d30bbde5a6bcffa993a19eae739eae5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Mar 2024 16:40:36 +0100
+Subject: gfs2: Fix invalid metadata access in punch_hole
+
+From: Andrew Price <anprice@redhat.com>
+
+[ Upstream commit c95346ac918c5badf51b9a7ac58a26d3bd5bb224 ]
+
+In punch_hole(), when the offset lies in the final block for a given
+height, there is no hole to punch, but the maximum size check fails to
+detect that. Consequently, punch_hole() will try to punch a hole beyond
+the end of the metadata and fail. Fix the maximum size check.
+
+Signed-off-by: Andrew Price <anprice@redhat.com>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/bmap.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/gfs2/bmap.c b/fs/gfs2/bmap.c
+index 0ec1eaf338338..d2011c3c33fc2 100644
+--- a/fs/gfs2/bmap.c
++++ b/fs/gfs2/bmap.c
+@@ -1704,7 +1704,8 @@ static int punch_hole(struct gfs2_inode *ip, u64 offset, u64 length)
+ struct buffer_head *dibh, *bh;
+ struct gfs2_holder rd_gh;
+ unsigned int bsize_shift = sdp->sd_sb.sb_bsize_shift;
+- u64 lblock = (offset + (1 << bsize_shift) - 1) >> bsize_shift;
++ unsigned int bsize = 1 << bsize_shift;
++ u64 lblock = (offset + bsize - 1) >> bsize_shift;
+ __u16 start_list[GFS2_MAX_META_HEIGHT];
+ __u16 __end_list[GFS2_MAX_META_HEIGHT], *end_list = NULL;
+ unsigned int start_aligned, end_aligned;
+@@ -1715,7 +1716,7 @@ static int punch_hole(struct gfs2_inode *ip, u64 offset, u64 length)
+ u64 prev_bnr = 0;
+ __be64 *start, *end;
+
+- if (offset >= maxsize) {
++ if (offset + bsize - 1 >= maxsize) {
+ /*
+ * The starting point lies beyond the allocated meta-data;
+ * there are no blocks do deallocate.
+--
+2.43.0
+
--- /dev/null
+From 28bf8e7ccc8d8b31c6c2532356c31a1a36e7f288 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Apr 2024 19:26:22 +0300
+Subject: gpio: crystalcove: Use -ENOTSUPP consistently
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit ace0ebe5c98d66889f19e0f30e2518d0c58d0e04 ]
+
+The GPIO library expects the drivers to return -ENOTSUPP in some
+cases and not using analogue POSIX code. Make the driver to follow
+this.
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-crystalcove.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpio/gpio-crystalcove.c b/drivers/gpio/gpio-crystalcove.c
+index 5a909f3c79e87..c48a82c240873 100644
+--- a/drivers/gpio/gpio-crystalcove.c
++++ b/drivers/gpio/gpio-crystalcove.c
+@@ -91,7 +91,7 @@ static inline int to_reg(int gpio, enum ctrl_register reg_type)
+ case 0x5e:
+ return GPIOPANELCTL;
+ default:
+- return -EOPNOTSUPP;
++ return -ENOTSUPP;
+ }
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 224c4dec96dddf91b7c39a14d926ab9da87c58dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Apr 2024 19:25:21 +0300
+Subject: gpio: wcove: Use -ENOTSUPP consistently
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 0c3b532ad3fbf82884a2e7e83e37c7dcdd4d1d99 ]
+
+The GPIO library expects the drivers to return -ENOTSUPP in some
+cases and not using analogue POSIX code. Make the driver to follow
+this.
+
+Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-wcove.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpio/gpio-wcove.c b/drivers/gpio/gpio-wcove.c
+index 16a0fae1e32eb..2df948e16eb71 100644
+--- a/drivers/gpio/gpio-wcove.c
++++ b/drivers/gpio/gpio-wcove.c
+@@ -104,7 +104,7 @@ static inline int to_reg(int gpio, enum ctrl_register type)
+ unsigned int reg = type == CTRL_IN ? GPIO_IN_CTRL_BASE : GPIO_OUT_CTRL_BASE;
+
+ if (gpio >= WCOVE_GPIO_NUM)
+- return -EOPNOTSUPP;
++ return -ENOTSUPP;
+
+ return reg + gpio;
+ }
+--
+2.43.0
+
--- /dev/null
+From 06bd6573ab811a47d44b9d20a14c6414a889ff38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Mar 2024 16:49:43 +0100
+Subject: gpu: host1x: Do not setup DMA for virtual devices
+
+From: Thierry Reding <treding@nvidia.com>
+
+[ Upstream commit 8ab58f6841b19423231c5db3378691ec80c778f8 ]
+
+The host1x devices are virtual compound devices and do not perform DMA
+accesses themselves, so they do not need to be set up for DMA.
+
+Ideally we would also not need to set up DMA masks for the virtual
+devices, but we currently still need those for legacy support on old
+hardware.
+
+Tested-by: Jon Hunter <jonathanh@nvidia.com>
+Acked-by: Jon Hunter <jonathanh@nvidia.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240314154943.2487549-1-thierry.reding@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/host1x/bus.c | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/drivers/gpu/host1x/bus.c b/drivers/gpu/host1x/bus.c
+index 218e3718fd68c..96737ddc81209 100644
+--- a/drivers/gpu/host1x/bus.c
++++ b/drivers/gpu/host1x/bus.c
+@@ -367,11 +367,6 @@ static int host1x_device_uevent(struct device *dev,
+ return 0;
+ }
+
+-static int host1x_dma_configure(struct device *dev)
+-{
+- return of_dma_configure(dev, dev->of_node, true);
+-}
+-
+ static const struct dev_pm_ops host1x_device_pm_ops = {
+ .suspend = pm_generic_suspend,
+ .resume = pm_generic_resume,
+@@ -385,7 +380,6 @@ struct bus_type host1x_bus_type = {
+ .name = "host1x",
+ .match = host1x_device_match,
+ .uevent = host1x_device_uevent,
+- .dma_configure = host1x_dma_configure,
+ .pm = &host1x_device_pm_ops,
+ };
+
+@@ -474,8 +468,6 @@ static int host1x_device_add(struct host1x *host1x,
+ device->dev.bus = &host1x_bus_type;
+ device->dev.parent = host1x->dev;
+
+- of_dma_configure(&device->dev, host1x->dev->of_node, true);
+-
+ device->dev.dma_parms = &device->dma_parms;
+ dma_set_max_seg_size(&device->dev, UINT_MAX);
+
+--
+2.43.0
+
--- /dev/null
+From fa26cc6a74d3b301df89b9744d47436be8d7f3c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Apr 2024 18:41:09 +0200
+Subject: iommu: mtk: fix module autoloading
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+[ Upstream commit 7537e31df80cb58c27f3b6fef702534ea87a5957 ]
+
+Add MODULE_DEVICE_TABLE(), so modules could be properly autoloaded
+based on the alias from of_device_id table.
+
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Link: https://lore.kernel.org/r/20240410164109.233308-1-krzk@kernel.org
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/mtk_iommu.c | 1 +
+ drivers/iommu/mtk_iommu_v1.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/drivers/iommu/mtk_iommu.c b/drivers/iommu/mtk_iommu.c
+index 2ae46fa6b3dee..04ac40d11fdff 100644
+--- a/drivers/iommu/mtk_iommu.c
++++ b/drivers/iommu/mtk_iommu.c
+@@ -1101,6 +1101,7 @@ static const struct of_device_id mtk_iommu_of_ids[] = {
+ { .compatible = "mediatek,mt8192-m4u", .data = &mt8192_data},
+ {}
+ };
++MODULE_DEVICE_TABLE(of, mtk_iommu_of_ids);
+
+ static struct platform_driver mtk_iommu_driver = {
+ .probe = mtk_iommu_probe,
+diff --git a/drivers/iommu/mtk_iommu_v1.c b/drivers/iommu/mtk_iommu_v1.c
+index fe1c3123a7e77..3a52f6a6ecb32 100644
+--- a/drivers/iommu/mtk_iommu_v1.c
++++ b/drivers/iommu/mtk_iommu_v1.c
+@@ -576,6 +576,7 @@ static const struct of_device_id mtk_iommu_of_ids[] = {
+ { .compatible = "mediatek,mt2701-m4u", },
+ {}
+ };
++MODULE_DEVICE_TABLE(of, mtk_iommu_v1_of_ids);
+
+ static const struct component_master_ops mtk_iommu_com_ops = {
+ .bind = mtk_iommu_bind,
+--
+2.43.0
+
--- /dev/null
+From c3ac2e0f989770434efb77ea235bf93305b6a90f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Mar 2024 21:25:48 +0100
+Subject: kbuild: Disable KCSAN for autogenerated *.mod.c intermediaries
+
+From: Borislav Petkov (AMD) <bp@alien8.de>
+
+[ Upstream commit 54babdc0343fff2f32dfaafaaa9e42c4db278204 ]
+
+When KCSAN and CONSTRUCTORS are enabled, one can trigger the
+
+ "Unpatched return thunk in use. This should not happen!"
+
+catch-all warning.
+
+Usually, when objtool runs on the .o objects, it does generate a section
+.return_sites which contains all offsets in the objects to the return
+thunks of the functions present there. Those return thunks then get
+patched at runtime by the alternatives.
+
+KCSAN and CONSTRUCTORS add this to the object file's .text.startup
+section:
+
+ -------------------
+ Disassembly of section .text.startup:
+
+ ...
+
+ 0000000000000010 <_sub_I_00099_0>:
+ 10: f3 0f 1e fa endbr64
+ 14: e8 00 00 00 00 call 19 <_sub_I_00099_0+0x9>
+ 15: R_X86_64_PLT32 __tsan_init-0x4
+ 19: e9 00 00 00 00 jmp 1e <__UNIQUE_ID___addressable_cryptd_alloc_aead349+0x6>
+ 1a: R_X86_64_PLT32 __x86_return_thunk-0x4
+ -------------------
+
+which, if it is built as a module goes through the intermediary stage of
+creating a <module>.mod.c file which, when translated, receives a second
+constructor:
+
+ -------------------
+ Disassembly of section .text.startup:
+
+ 0000000000000010 <_sub_I_00099_0>:
+ 10: f3 0f 1e fa endbr64
+ 14: e8 00 00 00 00 call 19 <_sub_I_00099_0+0x9>
+ 15: R_X86_64_PLT32 __tsan_init-0x4
+ 19: e9 00 00 00 00 jmp 1e <_sub_I_00099_0+0xe>
+ 1a: R_X86_64_PLT32 __x86_return_thunk-0x4
+
+ ...
+
+ 0000000000000030 <_sub_I_00099_0>:
+ 30: f3 0f 1e fa endbr64
+ 34: e8 00 00 00 00 call 39 <_sub_I_00099_0+0x9>
+ 35: R_X86_64_PLT32 __tsan_init-0x4
+ 39: e9 00 00 00 00 jmp 3e <__ksymtab_cryptd_alloc_ahash+0x2>
+ 3a: R_X86_64_PLT32 __x86_return_thunk-0x4
+ -------------------
+
+in the .ko file.
+
+Objtool has run already so that second constructor's return thunk cannot
+be added to the .return_sites section and thus the return thunk remains
+unpatched and the warning rightfully fires.
+
+Drop KCSAN flags from the mod.c generation stage as those constructors
+do not contain data races one would be interested about.
+
+Debugged together with David Kaplan <David.Kaplan@amd.com> and Nikolay
+Borisov <nik.borisov@suse.com>.
+
+Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Closes: https://lore.kernel.org/r/0851a207-7143-417e-be31-8bf2b3afb57d@molgen.mpg.de
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Tested-by: Paul Menzel <pmenzel@molgen.mpg.de> # Dell XPS 13
+Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
+Reviewed-by: Marco Elver <elver@google.com>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/Makefile.modfinal | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/Makefile.modfinal b/scripts/Makefile.modfinal
+index 47f047458264f..dce4cf55a4b68 100644
+--- a/scripts/Makefile.modfinal
++++ b/scripts/Makefile.modfinal
+@@ -23,7 +23,7 @@ modname = $(notdir $(@:.mod.o=))
+ part-of-module = y
+
+ quiet_cmd_cc_o_c = CC [M] $@
+- cmd_cc_o_c = $(CC) $(filter-out $(CC_FLAGS_CFI) $(CFLAGS_GCOV), $(c_flags)) -c -o $@ $<
++ cmd_cc_o_c = $(CC) $(filter-out $(CC_FLAGS_CFI) $(CFLAGS_GCOV) $(CFLAGS_KCSAN), $(c_flags)) -c -o $@ $<
+
+ %.mod.o: %.mod.c FORCE
+ $(call if_changed_dep,cc_o_c)
+--
+2.43.0
+
--- /dev/null
+From f7a5c184d864981a4065fa60454dde1d7edcca79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Mar 2024 14:27:56 +0000
+Subject: MIPS: scall: Save thread_info.syscall unconditionally on entry
+
+From: Jiaxun Yang <jiaxun.yang@flygoat.com>
+
+[ Upstream commit 4370b673ccf240bf7587b0cb8e6726a5ccaf1f17 ]
+
+thread_info.syscall is used by syscall_get_nr to supply syscall nr
+over a thread stack frame.
+
+Previously, thread_info.syscall is only saved at syscall_trace_enter
+when syscall tracing is enabled. However rest of the kernel code do
+expect syscall_get_nr to be available without syscall tracing. The
+previous design breaks collect_syscall.
+
+Move saving process to syscall entry to fix it.
+
+Reported-by: Xi Ruoyao <xry111@xry111.site>
+Link: https://github.com/util-linux/util-linux/issues/2867
+Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/ptrace.h | 2 +-
+ arch/mips/kernel/asm-offsets.c | 1 +
+ arch/mips/kernel/ptrace.c | 15 ++++++---------
+ arch/mips/kernel/scall32-o32.S | 23 +++++++++++++----------
+ arch/mips/kernel/scall64-n32.S | 3 ++-
+ arch/mips/kernel/scall64-n64.S | 3 ++-
+ arch/mips/kernel/scall64-o32.S | 33 +++++++++++++++++----------------
+ 7 files changed, 42 insertions(+), 38 deletions(-)
+
+diff --git a/arch/mips/include/asm/ptrace.h b/arch/mips/include/asm/ptrace.h
+index b3e4dd6be7e20..428b9f1cf1de2 100644
+--- a/arch/mips/include/asm/ptrace.h
++++ b/arch/mips/include/asm/ptrace.h
+@@ -157,7 +157,7 @@ static inline long regs_return_value(struct pt_regs *regs)
+ #define instruction_pointer(regs) ((regs)->cp0_epc)
+ #define profile_pc(regs) instruction_pointer(regs)
+
+-extern asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall);
++extern asmlinkage long syscall_trace_enter(struct pt_regs *regs);
+ extern asmlinkage void syscall_trace_leave(struct pt_regs *regs);
+
+ extern void die(const char *, struct pt_regs *) __noreturn;
+diff --git a/arch/mips/kernel/asm-offsets.c b/arch/mips/kernel/asm-offsets.c
+index 04ca75278f023..6cd0246aa2c69 100644
+--- a/arch/mips/kernel/asm-offsets.c
++++ b/arch/mips/kernel/asm-offsets.c
+@@ -98,6 +98,7 @@ void output_thread_info_defines(void)
+ OFFSET(TI_CPU, thread_info, cpu);
+ OFFSET(TI_PRE_COUNT, thread_info, preempt_count);
+ OFFSET(TI_REGS, thread_info, regs);
++ OFFSET(TI_SYSCALL, thread_info, syscall);
+ DEFINE(_THREAD_SIZE, THREAD_SIZE);
+ DEFINE(_THREAD_MASK, THREAD_MASK);
+ DEFINE(_IRQ_STACK_SIZE, IRQ_STACK_SIZE);
+diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
+index db7c5be1d4a35..dd454b429ff73 100644
+--- a/arch/mips/kernel/ptrace.c
++++ b/arch/mips/kernel/ptrace.c
+@@ -1310,16 +1310,13 @@ long arch_ptrace(struct task_struct *child, long request,
+ * Notification of system call entry/exit
+ * - triggered by current->work.syscall_trace
+ */
+-asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall)
++asmlinkage long syscall_trace_enter(struct pt_regs *regs)
+ {
+ user_exit();
+
+- current_thread_info()->syscall = syscall;
+-
+ if (test_thread_flag(TIF_SYSCALL_TRACE)) {
+ if (tracehook_report_syscall_entry(regs))
+ return -1;
+- syscall = current_thread_info()->syscall;
+ }
+
+ #ifdef CONFIG_SECCOMP
+@@ -1328,7 +1325,7 @@ asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall)
+ struct seccomp_data sd;
+ unsigned long args[6];
+
+- sd.nr = syscall;
++ sd.nr = current_thread_info()->syscall;
+ sd.arch = syscall_get_arch(current);
+ syscall_get_arguments(current, regs, args);
+ for (i = 0; i < 6; i++)
+@@ -1338,23 +1335,23 @@ asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall)
+ ret = __secure_computing(&sd);
+ if (ret == -1)
+ return ret;
+- syscall = current_thread_info()->syscall;
+ }
+ #endif
+
+ if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
+ trace_sys_enter(regs, regs->regs[2]);
+
+- audit_syscall_entry(syscall, regs->regs[4], regs->regs[5],
++ audit_syscall_entry(current_thread_info()->syscall,
++ regs->regs[4], regs->regs[5],
+ regs->regs[6], regs->regs[7]);
+
+ /*
+ * Negative syscall numbers are mistaken for rejected syscalls, but
+ * won't have had the return value set appropriately, so we do so now.
+ */
+- if (syscall < 0)
++ if (current_thread_info()->syscall < 0)
+ syscall_set_return_value(current, regs, -ENOSYS, 0);
+- return syscall;
++ return current_thread_info()->syscall;
+ }
+
+ /*
+diff --git a/arch/mips/kernel/scall32-o32.S b/arch/mips/kernel/scall32-o32.S
+index 9bfce5f75f601..6c14160cd8ba7 100644
+--- a/arch/mips/kernel/scall32-o32.S
++++ b/arch/mips/kernel/scall32-o32.S
+@@ -78,6 +78,18 @@ loads_done:
+ PTR_WD load_a7, bad_stack_a7
+ .previous
+
++ /*
++ * syscall number is in v0 unless we called syscall(__NR_###)
++ * where the real syscall number is in a0
++ */
++ subu t2, v0, __NR_O32_Linux
++ bnez t2, 1f /* __NR_syscall at offset 0 */
++ LONG_S a0, TI_SYSCALL($28) # Save a0 as syscall number
++ b 2f
++1:
++ LONG_S v0, TI_SYSCALL($28) # Save v0 as syscall number
++2:
++
+ lw t0, TI_FLAGS($28) # syscall tracing enabled?
+ li t1, _TIF_WORK_SYSCALL_ENTRY
+ and t0, t1
+@@ -115,16 +127,7 @@ syscall_trace_entry:
+ SAVE_STATIC
+ move a0, sp
+
+- /*
+- * syscall number is in v0 unless we called syscall(__NR_###)
+- * where the real syscall number is in a0
+- */
+- move a1, v0
+- subu t2, v0, __NR_O32_Linux
+- bnez t2, 1f /* __NR_syscall at offset 0 */
+- lw a1, PT_R4(sp)
+-
+-1: jal syscall_trace_enter
++ jal syscall_trace_enter
+
+ bltz v0, 1f # seccomp failed? Skip syscall
+
+diff --git a/arch/mips/kernel/scall64-n32.S b/arch/mips/kernel/scall64-n32.S
+index 97456b2ca7dc3..97788859238c3 100644
+--- a/arch/mips/kernel/scall64-n32.S
++++ b/arch/mips/kernel/scall64-n32.S
+@@ -44,6 +44,8 @@ NESTED(handle_sysn32, PT_SIZE, sp)
+
+ sd a3, PT_R26(sp) # save a3 for syscall restarting
+
++ LONG_S v0, TI_SYSCALL($28) # Store syscall number
++
+ li t1, _TIF_WORK_SYSCALL_ENTRY
+ LONG_L t0, TI_FLAGS($28) # syscall tracing enabled?
+ and t0, t1, t0
+@@ -72,7 +74,6 @@ syscall_common:
+ n32_syscall_trace_entry:
+ SAVE_STATIC
+ move a0, sp
+- move a1, v0
+ jal syscall_trace_enter
+
+ bltz v0, 1f # seccomp failed? Skip syscall
+diff --git a/arch/mips/kernel/scall64-n64.S b/arch/mips/kernel/scall64-n64.S
+index 5f6ed4b4c3993..db58115385639 100644
+--- a/arch/mips/kernel/scall64-n64.S
++++ b/arch/mips/kernel/scall64-n64.S
+@@ -47,6 +47,8 @@ NESTED(handle_sys64, PT_SIZE, sp)
+
+ sd a3, PT_R26(sp) # save a3 for syscall restarting
+
++ LONG_S v0, TI_SYSCALL($28) # Store syscall number
++
+ li t1, _TIF_WORK_SYSCALL_ENTRY
+ LONG_L t0, TI_FLAGS($28) # syscall tracing enabled?
+ and t0, t1, t0
+@@ -83,7 +85,6 @@ n64_syscall_exit:
+ syscall_trace_entry:
+ SAVE_STATIC
+ move a0, sp
+- move a1, v0
+ jal syscall_trace_enter
+
+ bltz v0, 1f # seccomp failed? Skip syscall
+diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S
+index d3c2616cba226..7a5abb73e5312 100644
+--- a/arch/mips/kernel/scall64-o32.S
++++ b/arch/mips/kernel/scall64-o32.S
+@@ -79,6 +79,22 @@ loads_done:
+ PTR_WD load_a7, bad_stack_a7
+ .previous
+
++ /*
++ * absolute syscall number is in v0 unless we called syscall(__NR_###)
++ * where the real syscall number is in a0
++ * note: NR_syscall is the first O32 syscall but the macro is
++ * only defined when compiling with -mabi=32 (CONFIG_32BIT)
++ * therefore __NR_O32_Linux is used (4000)
++ */
++
++ subu t2, v0, __NR_O32_Linux
++ bnez t2, 1f /* __NR_syscall at offset 0 */
++ LONG_S a0, TI_SYSCALL($28) # Save a0 as syscall number
++ b 2f
++1:
++ LONG_S v0, TI_SYSCALL($28) # Save v0 as syscall number
++2:
++
+ li t1, _TIF_WORK_SYSCALL_ENTRY
+ LONG_L t0, TI_FLAGS($28) # syscall tracing enabled?
+ and t0, t1, t0
+@@ -113,22 +129,7 @@ trace_a_syscall:
+ sd a7, PT_R11(sp) # For indirect syscalls
+
+ move a0, sp
+- /*
+- * absolute syscall number is in v0 unless we called syscall(__NR_###)
+- * where the real syscall number is in a0
+- * note: NR_syscall is the first O32 syscall but the macro is
+- * only defined when compiling with -mabi=32 (CONFIG_32BIT)
+- * therefore __NR_O32_Linux is used (4000)
+- */
+- .set push
+- .set reorder
+- subu t1, v0, __NR_O32_Linux
+- move a1, v0
+- bnez t1, 1f /* __NR_syscall at offset 0 */
+- ld a1, PT_R4(sp) /* Arg1 for __NR_syscall case */
+- .set pop
+-
+-1: jal syscall_trace_enter
++ jal syscall_trace_enter
+
+ bltz v0, 1f # seccomp failed? Skip syscall
+
+--
+2.43.0
+
--- /dev/null
+From f0d6749a8c64e75d9c468d10e34d9b7fddce5ee8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Apr 2024 13:09:33 +0200
+Subject: net: bcmgenet: Reset RBUF on first open
+
+From: Phil Elwell <phil@raspberrypi.com>
+
+[ Upstream commit 0a6380cb4c6b5c1d6dad226ba3130f9090f0ccea ]
+
+If the RBUF logic is not reset when the kernel starts then there
+may be some data left over from any network boot loader. If the
+64-byte packet headers are enabled then this can be fatal.
+
+Extend bcmgenet_dma_disable to do perform the reset, but not when
+called from bcmgenet_resume in order to preserve a wake packet.
+
+N.B. This different handling of resume is just based on a hunch -
+why else wouldn't one reset the RBUF as well as the TBUF? If this
+isn't the case then it's easy to change the patch to make the RBUF
+reset unconditional.
+
+See: https://github.com/raspberrypi/linux/issues/3850
+See: https://github.com/raspberrypi/firmware/issues/1882
+
+Signed-off-by: Phil Elwell <phil@raspberrypi.com>
+Signed-off-by: Maarten Vanraes <maarten@rmail.be>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+index a2b736a9d20cc..9db391e5b4f4f 100644
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -3256,7 +3256,7 @@ static void bcmgenet_get_hw_addr(struct bcmgenet_priv *priv,
+ }
+
+ /* Returns a reusable dma control register value */
+-static u32 bcmgenet_dma_disable(struct bcmgenet_priv *priv)
++static u32 bcmgenet_dma_disable(struct bcmgenet_priv *priv, bool flush_rx)
+ {
+ unsigned int i;
+ u32 reg;
+@@ -3281,6 +3281,14 @@ static u32 bcmgenet_dma_disable(struct bcmgenet_priv *priv)
+ udelay(10);
+ bcmgenet_umac_writel(priv, 0, UMAC_TX_FLUSH);
+
++ if (flush_rx) {
++ reg = bcmgenet_rbuf_ctrl_get(priv);
++ bcmgenet_rbuf_ctrl_set(priv, reg | BIT(0));
++ udelay(10);
++ bcmgenet_rbuf_ctrl_set(priv, reg);
++ udelay(10);
++ }
++
+ return dma_ctrl;
+ }
+
+@@ -3344,8 +3352,8 @@ static int bcmgenet_open(struct net_device *dev)
+
+ bcmgenet_set_hw_addr(priv, dev->dev_addr);
+
+- /* Disable RX/TX DMA and flush TX queues */
+- dma_ctrl = bcmgenet_dma_disable(priv);
++ /* Disable RX/TX DMA and flush TX and RX queues */
++ dma_ctrl = bcmgenet_dma_disable(priv, true);
+
+ /* Reinitialize TDMA and RDMA and SW housekeeping */
+ ret = bcmgenet_init_dma(priv);
+@@ -4201,7 +4209,7 @@ static int bcmgenet_resume(struct device *d)
+ bcmgenet_hfb_create_rxnfc_filter(priv, rule);
+
+ /* Disable RX/TX DMA and flush TX queues */
+- dma_ctrl = bcmgenet_dma_disable(priv);
++ dma_ctrl = bcmgenet_dma_disable(priv, false);
+
+ /* Reinitialize TDMA and RDMA and SW housekeeping */
+ ret = bcmgenet_init_dma(priv);
+--
+2.43.0
+
--- /dev/null
+From 5cd0f15c8e05a0753b51e19c0e0b1ed81b21b31e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Mar 2024 16:44:10 +0800
+Subject: net: mark racy access on sk->sk_rcvbuf
+
+From: linke li <lilinke99@qq.com>
+
+[ Upstream commit c2deb2e971f5d9aca941ef13ee05566979e337a4 ]
+
+sk->sk_rcvbuf in __sock_queue_rcv_skb() and __sk_receive_skb() can be
+changed by other threads. Mark this as benign using READ_ONCE().
+
+This patch is aimed at reducing the number of benign races reported by
+KCSAN in order to focus future debugging effort on harmful races.
+
+Signed-off-by: linke li <lilinke99@qq.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/sock.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 6f761f3c272aa..62e376f09f957 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -459,7 +459,7 @@ int __sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
+ unsigned long flags;
+ struct sk_buff_head *list = &sk->sk_receive_queue;
+
+- if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf) {
++ if (atomic_read(&sk->sk_rmem_alloc) >= READ_ONCE(sk->sk_rcvbuf)) {
+ atomic_inc(&sk->sk_drops);
+ trace_sock_rcvqueue_full(sk, skb);
+ return -ENOMEM;
+@@ -511,7 +511,7 @@ int __sk_receive_skb(struct sock *sk, struct sk_buff *skb,
+
+ skb->dev = NULL;
+
+- if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) {
++ if (sk_rcvqueues_full(sk, READ_ONCE(sk->sk_rcvbuf))) {
+ atomic_inc(&sk->sk_drops);
+ goto discard_and_relse;
+ }
+--
+2.43.0
+
--- /dev/null
+From eb77ec976324ee2eda28cf8ca994f5ca4b7eb89b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Apr 2024 20:07:13 +0800
+Subject: net:usb:qmi_wwan: support Rolling modules
+
+From: Vanillan Wang <vanillanwang@163.com>
+
+[ Upstream commit d362046021ea122309da8c8e0b6850c792ca97b5 ]
+
+Update the qmi_wwan driver support for the Rolling
+LTE modules.
+
+- VID:PID 33f8:0104, RW101-GL for laptop debug M.2 cards(with RMNET
+interface for /Linux/Chrome OS)
+0x0104: RMNET, diag, at, pipe
+
+Here are the outputs of usb-devices:
+T: Bus=04 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=5000 MxCh= 0
+D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1
+P: Vendor=33f8 ProdID=0104 Rev=05.04
+S: Manufacturer=Rolling Wireless S.a.r.l.
+S: Product=Rolling Module
+S: SerialNumber=ba2eb033
+C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=896mA
+I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E: Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E: Ad=84(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option
+E: Ad=04(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E: Ad=86(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
+E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E: Ad=88(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
+E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs
+E: Ad=05(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E: Ad=89(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+
+Signed-off-by: Vanillan Wang <vanillanwang@163.com>
+Link: https://lore.kernel.org/r/20240416120713.24777-1-vanillanwang@163.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/qmi_wwan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
+index 846ace9830d3b..89e1fac07a255 100644
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1419,6 +1419,7 @@ static const struct usb_device_id products[] = {
+ {QMI_FIXED_INTF(0x0489, 0xe0b5, 0)}, /* Foxconn T77W968 LTE with eSIM support*/
+ {QMI_FIXED_INTF(0x2692, 0x9025, 4)}, /* Cellient MPL200 (rebranded Qualcomm 05c6:9025) */
+ {QMI_QUIRK_SET_DTR(0x1546, 0x1342, 4)}, /* u-blox LARA-L6 */
++ {QMI_QUIRK_SET_DTR(0x33f8, 0x0104, 4)}, /* Rolling RW101 RMNET */
+
+ /* 4. Gobi 1000 devices */
+ {QMI_GOBI1K_DEVICE(0x05c6, 0x9212)}, /* Acer Gobi Modem Device */
+--
+2.43.0
+
--- /dev/null
+From 5c779491ad7fa4af9ec117c19988b5a088485453 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Mar 2024 12:44:27 +0530
+Subject: scsi: bnx2fc: Remove spin_lock_bh while releasing resources after
+ upload
+
+From: Saurav Kashyap <skashyap@marvell.com>
+
+[ Upstream commit c214ed2a4dda35b308b0b28eed804d7ae66401f9 ]
+
+The session resources are used by FW and driver when session is offloaded,
+once session is uploaded these resources are not used. The lock is not
+required as these fields won't be used any longer. The offload and upload
+calls are sequential, hence lock is not required.
+
+This will suppress following BUG_ON():
+
+[ 449.843143] ------------[ cut here ]------------
+[ 449.848302] kernel BUG at mm/vmalloc.c:2727!
+[ 449.853072] invalid opcode: 0000 [#1] PREEMPT SMP PTI
+[ 449.858712] CPU: 5 PID: 1996 Comm: kworker/u24:2 Not tainted 5.14.0-118.el9.x86_64 #1
+Rebooting.
+[ 449.867454] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.3.4 11/08/2016
+[ 449.876966] Workqueue: fc_rport_eq fc_rport_work [libfc]
+[ 449.882910] RIP: 0010:vunmap+0x2e/0x30
+[ 449.887098] Code: 00 65 8b 05 14 a2 f0 4a a9 00 ff ff 00 75 1b 55 48 89 fd e8 34 36 79 00 48 85 ed 74 0b 48 89 ef 31 f6 5d e9 14 fc ff ff 5d c3 <0f> 0b 0f 1f 44 00 00 41 57 41 56 49 89 ce 41 55 49 89 fd 41 54 41
+[ 449.908054] RSP: 0018:ffffb83d878b3d68 EFLAGS: 00010206
+[ 449.913887] RAX: 0000000080000201 RBX: ffff8f4355133550 RCX: 000000000d400005
+[ 449.921843] RDX: 0000000000000001 RSI: 0000000000001000 RDI: ffffb83da53f5000
+[ 449.929808] RBP: ffff8f4ac6675800 R08: ffffb83d878b3d30 R09: 00000000000efbdf
+[ 449.937774] R10: 0000000000000003 R11: ffff8f434573e000 R12: 0000000000001000
+[ 449.945736] R13: 0000000000001000 R14: ffffb83da53f5000 R15: ffff8f43d4ea3ae0
+[ 449.953701] FS: 0000000000000000(0000) GS:ffff8f529fc80000(0000) knlGS:0000000000000000
+[ 449.962732] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 449.969138] CR2: 00007f8cf993e150 CR3: 0000000efbe10003 CR4: 00000000003706e0
+[ 449.977102] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 449.985065] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 449.993028] Call Trace:
+[ 449.995756] __iommu_dma_free+0x96/0x100
+[ 450.000139] bnx2fc_free_session_resc+0x67/0x240 [bnx2fc]
+[ 450.006171] bnx2fc_upload_session+0xce/0x100 [bnx2fc]
+[ 450.011910] bnx2fc_rport_event_handler+0x9f/0x240 [bnx2fc]
+[ 450.018136] fc_rport_work+0x103/0x5b0 [libfc]
+[ 450.023103] process_one_work+0x1e8/0x3c0
+[ 450.027581] worker_thread+0x50/0x3b0
+[ 450.031669] ? rescuer_thread+0x370/0x370
+[ 450.036143] kthread+0x149/0x170
+[ 450.039744] ? set_kthread_struct+0x40/0x40
+[ 450.044411] ret_from_fork+0x22/0x30
+[ 450.048404] Modules linked in: vfat msdos fat xfs nfs_layout_nfsv41_files rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver dm_service_time qedf qed crc8 bnx2fc libfcoe libfc scsi_transport_fc intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp dcdbas rapl intel_cstate intel_uncore mei_me pcspkr mei ipmi_ssif lpc_ich ipmi_si fuse zram ext4 mbcache jbd2 loop nfsv3 nfs_acl nfs lockd grace fscache netfs irdma ice sd_mod t10_pi sg ib_uverbs ib_core 8021q garp mrp stp llc mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt mxm_wmi fb_sys_fops cec crct10dif_pclmul ahci crc32_pclmul bnx2x drm ghash_clmulni_intel libahci rfkill i40e libata megaraid_sas mdio wmi sunrpc lrw dm_crypt dm_round_robin dm_multipath dm_snapshot dm_bufio dm_mirror dm_region_hash dm_log dm_zero dm_mod linear raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid6_pq libcrc32c crc32c_intel raid1 raid0 iscsi_ibft squashfs be2iscsi bnx2i cnic uio cxgb4i cxgb4 tls
+[ 450.048497] libcxgbi libcxgb qla4xxx iscsi_boot_sysfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi edd ipmi_devintf ipmi_msghandler
+[ 450.159753] ---[ end trace 712de2c57c64abc8 ]---
+
+Reported-by: Guangwu Zhang <guazhang@redhat.com>
+Signed-off-by: Saurav Kashyap <skashyap@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20240315071427.31842-1-skashyap@marvell.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/bnx2fc/bnx2fc_tgt.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/scsi/bnx2fc/bnx2fc_tgt.c b/drivers/scsi/bnx2fc/bnx2fc_tgt.c
+index 9200b718085c4..5015d9b0817ac 100644
+--- a/drivers/scsi/bnx2fc/bnx2fc_tgt.c
++++ b/drivers/scsi/bnx2fc/bnx2fc_tgt.c
+@@ -833,7 +833,6 @@ static void bnx2fc_free_session_resc(struct bnx2fc_hba *hba,
+
+ BNX2FC_TGT_DBG(tgt, "Freeing up session resources\n");
+
+- spin_lock_bh(&tgt->cq_lock);
+ ctx_base_ptr = tgt->ctx_base;
+ tgt->ctx_base = NULL;
+
+@@ -889,7 +888,6 @@ static void bnx2fc_free_session_resc(struct bnx2fc_hba *hba,
+ tgt->sq, tgt->sq_dma);
+ tgt->sq = NULL;
+ }
+- spin_unlock_bh(&tgt->cq_lock);
+
+ if (ctx_base_ptr)
+ iounmap(ctx_base_ptr);
+--
+2.43.0
+
--- /dev/null
+From efbe5d370717ec6fca069194fb4c69d5e9c2a808 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Mar 2024 12:04:53 -0800
+Subject: scsi: lpfc: Move NPIV's transport unregistration to after resource
+ clean up
+
+From: Justin Tee <justin.tee@broadcom.com>
+
+[ Upstream commit 4ddf01f2f1504fa08b766e8cfeec558e9f8eef6c ]
+
+There are cases after NPIV deletion where the fabric switch still believes
+the NPIV is logged into the fabric. This occurs when a vport is
+unregistered before the Remove All DA_ID CT and LOGO ELS are sent to the
+fabric.
+
+Currently fc_remove_host(), which calls dev_loss_tmo for all D_IDs including
+the fabric D_ID, removes the last ndlp reference and frees the ndlp rport
+object. This sometimes causes the race condition where the final DA_ID and
+LOGO are skipped from being sent to the fabric switch.
+
+Fix by moving the fc_remove_host() and scsi_remove_host() calls after DA_ID
+and LOGO are sent.
+
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Link: https://lore.kernel.org/r/20240305200503.57317-3-justintee8345@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_vport.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_vport.c b/drivers/scsi/lpfc/lpfc_vport.c
+index da9a1f72d9383..b1071226e27fb 100644
+--- a/drivers/scsi/lpfc/lpfc_vport.c
++++ b/drivers/scsi/lpfc/lpfc_vport.c
+@@ -651,10 +651,6 @@ lpfc_vport_delete(struct fc_vport *fc_vport)
+ lpfc_free_sysfs_attr(vport);
+ lpfc_debugfs_terminate(vport);
+
+- /* Remove FC host to break driver binding. */
+- fc_remove_host(shost);
+- scsi_remove_host(shost);
+-
+ /* Send the DA_ID and Fabric LOGO to cleanup Nameserver entries. */
+ ndlp = lpfc_findnode_did(vport, Fabric_DID);
+ if (!ndlp)
+@@ -700,6 +696,10 @@ lpfc_vport_delete(struct fc_vport *fc_vport)
+
+ skip_logo:
+
++ /* Remove FC host to break driver binding. */
++ fc_remove_host(shost);
++ scsi_remove_host(shost);
++
+ lpfc_cleanup(vport);
+
+ /* Remove scsi host now. The nodes are cleaned up. */
+--
+2.43.0
+
--- /dev/null
+From ffb7196df5eaa5d6627893b268fe301fd16a5b9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Mar 2024 12:04:56 -0800
+Subject: scsi: lpfc: Replace hbalock with ndlp lock in
+ lpfc_nvme_unregister_port()
+
+From: Justin Tee <justin.tee@broadcom.com>
+
+[ Upstream commit d11272be497e48a8e8f980470eb6b70e92eed0ce ]
+
+The ndlp object update in lpfc_nvme_unregister_port() should be protected
+by the ndlp lock rather than hbalock.
+
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Link: https://lore.kernel.org/r/20240305200503.57317-6-justintee8345@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_nvme.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_nvme.c b/drivers/scsi/lpfc/lpfc_nvme.c
+index 4e0c0b273e5fe..2ff8ace6f78f2 100644
+--- a/drivers/scsi/lpfc/lpfc_nvme.c
++++ b/drivers/scsi/lpfc/lpfc_nvme.c
+@@ -2539,9 +2539,9 @@ lpfc_nvme_unregister_port(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp)
+ /* No concern about the role change on the nvme remoteport.
+ * The transport will update it.
+ */
+- spin_lock_irq(&vport->phba->hbalock);
++ spin_lock_irq(&ndlp->lock);
+ ndlp->fc4_xpt_flags |= NVME_XPT_UNREG_WAIT;
+- spin_unlock_irq(&vport->phba->hbalock);
++ spin_unlock_irq(&ndlp->lock);
+
+ /* Don't let the host nvme transport keep sending keep-alives
+ * on this remoteport. Vport is unloading, no recovery. The
+--
+2.43.0
+
--- /dev/null
+From 80a245afbb569458dc789ccb1aec78c240e0128f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Mar 2024 12:04:55 -0800
+Subject: scsi: lpfc: Update lpfc_ramp_down_queue_handler() logic
+
+From: Justin Tee <justin.tee@broadcom.com>
+
+[ Upstream commit bb011631435c705cdeddca68d5c85fd40a4320f9 ]
+
+Typically when an out of resource CQE status is detected, the
+lpfc_ramp_down_queue_handler() logic is called to help reduce I/O load by
+reducing an sdev's queue_depth.
+
+However, the current lpfc_rampdown_queue_depth() logic does not help reduce
+queue_depth. num_cmd_success is never updated and is always zero, which
+means new_queue_depth will always be set to sdev->queue_depth. So,
+new_queue_depth = sdev->queue_depth - new_queue_depth always sets
+new_queue_depth to zero. And, scsi_change_queue_depth(sdev, 0) is
+essentially a no-op.
+
+Change the lpfc_ramp_down_queue_handler() logic to set new_queue_depth
+equal to sdev->queue_depth subtracted from number of times num_rsrc_err was
+incremented. If num_rsrc_err is >= sdev->queue_depth, then set
+new_queue_depth equal to 1. Eventually, the frequency of Good_Status
+frames will signal SCSI upper layer to auto increase the queue_depth back
+to the driver default of 64 via scsi_handle_queue_ramp_up().
+
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Link: https://lore.kernel.org/r/20240305200503.57317-5-justintee8345@gmail.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc.h | 1 -
+ drivers/scsi/lpfc/lpfc_scsi.c | 13 ++++---------
+ 2 files changed, 4 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h
+index 65ac952b767fb..194825ff1ee80 100644
+--- a/drivers/scsi/lpfc/lpfc.h
++++ b/drivers/scsi/lpfc/lpfc.h
+@@ -1341,7 +1341,6 @@ struct lpfc_hba {
+ unsigned long bit_flags;
+ #define FABRIC_COMANDS_BLOCKED 0
+ atomic_t num_rsrc_err;
+- atomic_t num_cmd_success;
+ unsigned long last_rsrc_error_time;
+ unsigned long last_ramp_down_time;
+ #ifdef CONFIG_SCSI_LPFC_DEBUG_FS
+diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c
+index 6d1a3cbd6b3c4..d9fb5e09fb53f 100644
+--- a/drivers/scsi/lpfc/lpfc_scsi.c
++++ b/drivers/scsi/lpfc/lpfc_scsi.c
+@@ -231,11 +231,10 @@ lpfc_ramp_down_queue_handler(struct lpfc_hba *phba)
+ struct Scsi_Host *shost;
+ struct scsi_device *sdev;
+ unsigned long new_queue_depth;
+- unsigned long num_rsrc_err, num_cmd_success;
++ unsigned long num_rsrc_err;
+ int i;
+
+ num_rsrc_err = atomic_read(&phba->num_rsrc_err);
+- num_cmd_success = atomic_read(&phba->num_cmd_success);
+
+ /*
+ * The error and success command counters are global per
+@@ -250,20 +249,16 @@ lpfc_ramp_down_queue_handler(struct lpfc_hba *phba)
+ for (i = 0; i <= phba->max_vports && vports[i] != NULL; i++) {
+ shost = lpfc_shost_from_vport(vports[i]);
+ shost_for_each_device(sdev, shost) {
+- new_queue_depth =
+- sdev->queue_depth * num_rsrc_err /
+- (num_rsrc_err + num_cmd_success);
+- if (!new_queue_depth)
+- new_queue_depth = sdev->queue_depth - 1;
++ if (num_rsrc_err >= sdev->queue_depth)
++ new_queue_depth = 1;
+ else
+ new_queue_depth = sdev->queue_depth -
+- new_queue_depth;
++ num_rsrc_err;
+ scsi_change_queue_depth(sdev, new_queue_depth);
+ }
+ }
+ lpfc_destroy_vport_work_array(phba, vports);
+ atomic_set(&phba->num_rsrc_err, 0);
+- atomic_set(&phba->num_cmd_success, 0);
+ }
+
+ /**
+--
+2.43.0
+
--- /dev/null
+From 37493ebbc72faab3e892038fe36ac5210ab1117c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Feb 2024 15:39:43 +0100
+Subject: scsi: target: Fix SELinux error when systemd-modules loads the target
+ module
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+[ Upstream commit 97a54ef596c3fd24ec2b227ba8aaf2cf5415e779 ]
+
+If the systemd-modules service loads the target module, the credentials of
+that userspace process will be used to validate the access to the target db
+directory. SELinux will prevent it, reporting an error like the following:
+
+kernel: audit: type=1400 audit(1676301082.205:4): avc: denied { read }
+for pid=1020 comm="systemd-modules" name="target" dev="dm-3"
+ino=4657583 scontext=system_u:system_r:systemd_modules_load_t:s0
+tcontext=system_u:object_r:targetd_etc_rw_t:s0 tclass=dir permissive=0
+
+Fix the error by using the kernel credentials to access the db directory
+
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Link: https://lore.kernel.org/r/20240215143944.847184-2-mlombard@redhat.com
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/target/target_core_configfs.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/target/target_core_configfs.c b/drivers/target/target_core_configfs.c
+index 023bd4516a681..30ce3451bc6b0 100644
+--- a/drivers/target/target_core_configfs.c
++++ b/drivers/target/target_core_configfs.c
+@@ -3566,6 +3566,8 @@ static int __init target_core_init_configfs(void)
+ {
+ struct configfs_subsystem *subsys = &target_core_fabrics;
+ struct t10_alua_lu_gp *lu_gp;
++ struct cred *kern_cred;
++ const struct cred *old_cred;
+ int ret;
+
+ pr_debug("TARGET_CORE[0]: Loading Generic Kernel Storage"
+@@ -3642,11 +3644,21 @@ static int __init target_core_init_configfs(void)
+ if (ret < 0)
+ goto out;
+
++ /* We use the kernel credentials to access the target directory */
++ kern_cred = prepare_kernel_cred(&init_task);
++ if (!kern_cred) {
++ ret = -ENOMEM;
++ goto out;
++ }
++ old_cred = override_creds(kern_cred);
+ target_init_dbroot();
++ revert_creds(old_cred);
++ put_cred(kern_cred);
+
+ return 0;
+
+ out:
++ target_xcopy_release_pt();
+ configfs_unregister_subsystem(subsys);
+ core_dev_release_virtual_lun0();
+ rd_module_exit();
+--
+2.43.0
+
--- /dev/null
+From 44683e5842d0cadfc779af19d76c854413d2627d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Apr 2024 13:22:12 -0700
+Subject: selftests: timers: Fix valid-adjtimex signed left-shift undefined
+ behavior
+
+From: John Stultz <jstultz@google.com>
+
+[ Upstream commit 076361362122a6d8a4c45f172ced5576b2d4a50d ]
+
+The struct adjtimex freq field takes a signed value who's units are in
+shifted (<<16) parts-per-million.
+
+Unfortunately for negative adjustments, the straightforward use of:
+
+ freq = ppm << 16 trips undefined behavior warnings with clang:
+
+valid-adjtimex.c:66:6: warning: shifting a negative signed value is undefined [-Wshift-negative-value]
+ -499<<16,
+ ~~~~^
+valid-adjtimex.c:67:6: warning: shifting a negative signed value is undefined [-Wshift-negative-value]
+ -450<<16,
+ ~~~~^
+..
+
+Fix it by using a multiply by (1 << 16) instead of shifting negative values
+in the valid-adjtimex test case. Align the values for better readability.
+
+Reported-by: Lee Jones <joneslee@google.com>
+Reported-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Signed-off-by: John Stultz <jstultz@google.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Link: https://lore.kernel.org/r/20240409202222.2830476-1-jstultz@google.com
+Link: https://lore.kernel.org/lkml/0c6d4f0d-2064-4444-986b-1d1ed782135f@collabora.com/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../testing/selftests/timers/valid-adjtimex.c | 73 +++++++++----------
+ 1 file changed, 36 insertions(+), 37 deletions(-)
+
+diff --git a/tools/testing/selftests/timers/valid-adjtimex.c b/tools/testing/selftests/timers/valid-adjtimex.c
+index 48b9a803235a8..d13ebde203221 100644
+--- a/tools/testing/selftests/timers/valid-adjtimex.c
++++ b/tools/testing/selftests/timers/valid-adjtimex.c
+@@ -21,9 +21,6 @@
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+-
+-
+-
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <time.h>
+@@ -62,45 +59,47 @@ int clear_time_state(void)
+ #define NUM_FREQ_OUTOFRANGE 4
+ #define NUM_FREQ_INVALID 2
+
++#define SHIFTED_PPM (1 << 16)
++
+ long valid_freq[NUM_FREQ_VALID] = {
+- -499<<16,
+- -450<<16,
+- -400<<16,
+- -350<<16,
+- -300<<16,
+- -250<<16,
+- -200<<16,
+- -150<<16,
+- -100<<16,
+- -75<<16,
+- -50<<16,
+- -25<<16,
+- -10<<16,
+- -5<<16,
+- -1<<16,
++ -499 * SHIFTED_PPM,
++ -450 * SHIFTED_PPM,
++ -400 * SHIFTED_PPM,
++ -350 * SHIFTED_PPM,
++ -300 * SHIFTED_PPM,
++ -250 * SHIFTED_PPM,
++ -200 * SHIFTED_PPM,
++ -150 * SHIFTED_PPM,
++ -100 * SHIFTED_PPM,
++ -75 * SHIFTED_PPM,
++ -50 * SHIFTED_PPM,
++ -25 * SHIFTED_PPM,
++ -10 * SHIFTED_PPM,
++ -5 * SHIFTED_PPM,
++ -1 * SHIFTED_PPM,
+ -1000,
+- 1<<16,
+- 5<<16,
+- 10<<16,
+- 25<<16,
+- 50<<16,
+- 75<<16,
+- 100<<16,
+- 150<<16,
+- 200<<16,
+- 250<<16,
+- 300<<16,
+- 350<<16,
+- 400<<16,
+- 450<<16,
+- 499<<16,
++ 1 * SHIFTED_PPM,
++ 5 * SHIFTED_PPM,
++ 10 * SHIFTED_PPM,
++ 25 * SHIFTED_PPM,
++ 50 * SHIFTED_PPM,
++ 75 * SHIFTED_PPM,
++ 100 * SHIFTED_PPM,
++ 150 * SHIFTED_PPM,
++ 200 * SHIFTED_PPM,
++ 250 * SHIFTED_PPM,
++ 300 * SHIFTED_PPM,
++ 350 * SHIFTED_PPM,
++ 400 * SHIFTED_PPM,
++ 450 * SHIFTED_PPM,
++ 499 * SHIFTED_PPM,
+ };
+
+ long outofrange_freq[NUM_FREQ_OUTOFRANGE] = {
+- -1000<<16,
+- -550<<16,
+- 550<<16,
+- 1000<<16,
++ -1000 * SHIFTED_PPM,
++ -550 * SHIFTED_PPM,
++ 550 * SHIFTED_PPM,
++ 1000 * SHIFTED_PPM,
+ };
+
+ #define LONG_MAX (~0UL>>1)
+--
+2.43.0
+
clk-sunxi-ng-h6-reparent-cpux-during-pll-cpux-rate-c.patch
kvm-arm64-vgic-v2-use-cpuid-from-userspace-as-vcpu_i.patch
kvm-arm64-vgic-v2-check-for-non-null-vcpu-in-vgic_v2.patch
+scsi-lpfc-move-npiv-s-transport-unregistration-to-af.patch
+scsi-lpfc-update-lpfc_ramp_down_queue_handler-logic.patch
+scsi-lpfc-replace-hbalock-with-ndlp-lock-in-lpfc_nvm.patch
+gfs2-fix-invalid-metadata-access-in-punch_hole.patch
+wifi-mac80211-fix-ieee80211_bss_-_flags-kernel-doc.patch
+wifi-cfg80211-fix-rdev_dump_mpp-arguments-order.patch
+net-mark-racy-access-on-sk-sk_rcvbuf.patch
+scsi-bnx2fc-remove-spin_lock_bh-while-releasing-reso.patch
+btrfs-return-accurate-error-code-on-open-failure-in-.patch
+kbuild-disable-kcsan-for-autogenerated-.mod.c-interm.patch
+alsa-line6-zero-initialize-message-buffers.patch
+net-bcmgenet-reset-rbuf-on-first-open.patch
+ata-sata_gemini-check-clk_enable-result.patch
+firewire-ohci-mask-bus-reset-interrupts-between-isr-.patch
+tools-power-turbostat-fix-added-raw-msr-output.patch
+tools-power-turbostat-fix-bzy_mhz-documentation-typo.patch
+btrfs-make-btrfs_clear_delalloc_extent-free-delalloc.patch
+btrfs-always-clear-pertrans-metadata-during-commit.patch
+scsi-target-fix-selinux-error-when-systemd-modules-l.patch
+blk-iocost-avoid-out-of-bounds-shift.patch
+gpu-host1x-do-not-setup-dma-for-virtual-devices.patch
+mips-scall-save-thread_info.syscall-unconditionally-.patch
+selftests-timers-fix-valid-adjtimex-signed-left-shif.patch
+iommu-mtk-fix-module-autoloading.patch
+fs-9p-only-translate-rwx-permissions-for-plain-9p200.patch
+fs-9p-translate-o_trunc-into-otrunc.patch
+9p-explicitly-deny-setlease-attempts.patch
+gpio-wcove-use-enotsupp-consistently.patch
+gpio-crystalcove-use-enotsupp-consistently.patch
+clk-don-t-hold-prepare_lock-when-calling-kref_put.patch
+fs-9p-drop-inodes-immediately-on-non-.l-too.patch
+drm-nouveau-dp-don-t-probe-edp-ports-twice-harder.patch
+net-usb-qmi_wwan-support-rolling-modules.patch
+tcp-fix-sock-skb-accounting-in-tcp_read_skb.patch
+bpf-sockmap-tcp-data-stall-on-recv-before-accept.patch
+bpf-sockmap-handle-fin-correctly.patch
+bpf-sockmap-convert-schedule_work-into-delayed_work.patch
+bpf-sockmap-reschedule-is-now-done-through-backlog.patch
+bpf-sockmap-improved-check-for-empty-queue.patch
+asoc-meson-axg-card-fix-nonatomic-links.patch
+asoc-meson-axg-tdm-interface-fix-formatters-in-trigg.patch
--- /dev/null
+From 4920db06394f041b049e3d13016d15577051471d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Aug 2022 12:54:42 -0700
+Subject: tcp: fix sock skb accounting in tcp_read_skb()
+
+From: Cong Wang <cong.wang@bytedance.com>
+
+[ Upstream commit e9c6e79760265f019cde39d3f2c443dfbc1395b0 ]
+
+Before commit 965b57b469a5 ("net: Introduce a new proto_ops
+->read_skb()"), skb was not dequeued from receive queue hence
+when we close TCP socket skb can be just flushed synchronously.
+
+After this commit, we have to uncharge skb immediately after being
+dequeued, otherwise it is still charged in the original sock. And we
+still need to retain skb->sk, as eBPF programs may extract sock
+information from skb->sk. Therefore, we have to call
+skb_set_owner_sk_safe() here.
+
+Fixes: 965b57b469a5 ("net: Introduce a new proto_ops ->read_skb()")
+Reported-and-tested-by: syzbot+a0e6f8738b58f7654417@syzkaller.appspotmail.com
+Tested-by: Stanislav Fomichev <sdf@google.com>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: John Fastabend <john.fastabend@gmail.com>
+Cc: Jakub Sitnicki <jakub@cloudflare.com>
+Signed-off-by: Cong Wang <cong.wang@bytedance.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 3fd4de1961a62..c826db961fc08 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -1720,6 +1720,7 @@ int tcp_read_skb(struct sock *sk, skb_read_actor_t recv_actor)
+ int used;
+
+ __skb_unlink(skb, &sk->sk_receive_queue);
++ WARN_ON(!skb_set_owner_sk_safe(skb, sk));
+ used = recv_actor(sk, skb);
+ if (used <= 0) {
+ if (!copied)
+--
+2.43.0
+
--- /dev/null
+From fce2e71d945f071ea968e2b69294961565c9ca6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Apr 2023 14:11:38 -0700
+Subject: tools/power turbostat: Fix added raw MSR output
+
+From: Doug Smythies <dsmythies@telus.net>
+
+[ Upstream commit e5f4e68eed85fa8495d78cd966eecc2b27bb9e53 ]
+
+When using --Summary mode, added MSRs in raw mode always
+print zeros. Print the actual register contents.
+
+Example, with patch:
+
+note the added column:
+--add msr0x64f,u32,package,raw,REASON
+
+Where:
+
+0x64F is MSR_CORE_PERF_LIMIT_REASONS
+
+Busy% Bzy_MHz PkgTmp PkgWatt CorWatt REASON
+0.00 4800 35 1.42 0.76 0x00000000
+0.00 4801 34 1.42 0.76 0x00000000
+80.08 4531 66 108.17 107.52 0x08000000
+98.69 4530 66 133.21 132.54 0x08000000
+99.28 4505 66 128.26 127.60 0x0c000400
+99.65 4486 68 124.91 124.25 0x0c000400
+99.63 4483 68 124.90 124.25 0x0c000400
+79.34 4481 41 99.80 99.13 0x0c000000
+0.00 4801 41 1.40 0.73 0x0c000000
+
+Where, for the test processor (i5-10600K):
+
+PKG Limit #1: 125.000 Watts, 8.000000 sec
+MSR bit 26 = log; bit 10 = status
+
+PKG Limit #2: 136.000 Watts, 0.002441 sec
+MSR bit 27 = log; bit 11 = status
+
+Example, without patch:
+
+Busy% Bzy_MHz PkgTmp PkgWatt CorWatt REASON
+0.01 4800 35 1.43 0.77 0x00000000
+0.00 4801 35 1.39 0.73 0x00000000
+83.49 4531 66 112.71 112.06 0x00000000
+98.69 4530 68 133.35 132.69 0x00000000
+99.31 4500 67 127.96 127.30 0x00000000
+99.63 4483 69 124.91 124.25 0x00000000
+99.61 4481 69 124.90 124.25 0x00000000
+99.61 4481 71 124.92 124.25 0x00000000
+59.35 4479 42 75.03 74.37 0x00000000
+0.00 4800 42 1.39 0.73 0x00000000
+0.00 4801 42 1.42 0.76 0x00000000
+
+c000000
+
+[lenb: simplified patch to apply only to package scope]
+
+Signed-off-by: Doug Smythies <dsmythies@telus.net>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/x86/turbostat/turbostat.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c
+index 65ada8065cfc2..0822e7dc0fd8b 100644
+--- a/tools/power/x86/turbostat/turbostat.c
++++ b/tools/power/x86/turbostat/turbostat.c
+@@ -1761,9 +1761,10 @@ int sum_counters(struct thread_data *t, struct core_data *c, struct pkg_data *p)
+ average.packages.rapl_dram_perf_status += p->rapl_dram_perf_status;
+
+ for (i = 0, mp = sys.pp; mp; i++, mp = mp->next) {
+- if (mp->format == FORMAT_RAW)
+- continue;
+- average.packages.counter[i] += p->counter[i];
++ if ((mp->format == FORMAT_RAW) && (topo.num_packages == 0))
++ average.packages.counter[i] = p->counter[i];
++ else
++ average.packages.counter[i] += p->counter[i];
+ }
+ return 0;
+ }
+--
+2.43.0
+
--- /dev/null
+From 76b457f00efa0f3f18279721736d5f5767379cd1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Oct 2023 13:46:22 +0800
+Subject: tools/power turbostat: Fix Bzy_MHz documentation typo
+
+From: Peng Liu <liupeng17@lenovo.com>
+
+[ Upstream commit 0b13410b52c4636aacb6964a4253a797c0fa0d16 ]
+
+The code calculates Bzy_MHz by multiplying TSC_delta * APERF_delta/MPERF_delta
+The man page erroneously showed that TSC_delta was divided.
+
+Signed-off-by: Peng Liu <liupeng17@lenovo.com>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/x86/turbostat/turbostat.8 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/power/x86/turbostat/turbostat.8 b/tools/power/x86/turbostat/turbostat.8
+index b3d4bf08e70b1..f382cd53cb4e8 100644
+--- a/tools/power/x86/turbostat/turbostat.8
++++ b/tools/power/x86/turbostat/turbostat.8
+@@ -322,7 +322,7 @@ below the processor's base frequency.
+
+ Busy% = MPERF_delta/TSC_delta
+
+-Bzy_MHz = TSC_delta/APERF_delta/MPERF_delta/measurement_interval
++Bzy_MHz = TSC_delta*APERF_delta/MPERF_delta/measurement_interval
+
+ Note that these calculations depend on TSC_delta, so they
+ are not reliable during intervals when TSC_MHz is not running at the base frequency.
+--
+2.43.0
+
--- /dev/null
+From d33575ab3fdc8fe9c6d3f2993b17d93ff8a03372 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Mar 2024 19:45:19 +0300
+Subject: wifi: cfg80211: fix rdev_dump_mpp() arguments order
+
+From: Igor Artemiev <Igor.A.Artemiev@mcst.ru>
+
+[ Upstream commit ec50f3114e55406a1aad24b7dfaa1c3f4336d8eb ]
+
+Fix the order of arguments in the TP_ARGS macro
+for the rdev_dump_mpp tracepoint event.
+
+Found by Linux Verification Center (linuxtesting.org).
+
+Signed-off-by: Igor Artemiev <Igor.A.Artemiev@mcst.ru>
+Link: https://msgid.link/20240311164519.118398-1-Igor.A.Artemiev@mcst.ru
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/trace.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/wireless/trace.h b/net/wireless/trace.h
+index 19b78d4722834..dafea8bfcf3cb 100644
+--- a/net/wireless/trace.h
++++ b/net/wireless/trace.h
+@@ -963,7 +963,7 @@ TRACE_EVENT(rdev_get_mpp,
+ TRACE_EVENT(rdev_dump_mpp,
+ TP_PROTO(struct wiphy *wiphy, struct net_device *netdev, int _idx,
+ u8 *dst, u8 *mpp),
+- TP_ARGS(wiphy, netdev, _idx, mpp, dst),
++ TP_ARGS(wiphy, netdev, _idx, dst, mpp),
+ TP_STRUCT__entry(
+ WIPHY_ENTRY
+ NETDEV_ENTRY
+--
+2.43.0
+
--- /dev/null
+From 400c3a868b70da55fc0066b52e5a89c7de6552b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Mar 2024 14:23:00 -0700
+Subject: wifi: mac80211: fix ieee80211_bss_*_flags kernel-doc
+
+From: Jeff Johnson <quic_jjohnson@quicinc.com>
+
+[ Upstream commit 774f8841f55d7ac4044c79812691649da203584a ]
+
+Running kernel-doc on ieee80211_i.h flagged the following:
+net/mac80211/ieee80211_i.h:145: warning: expecting prototype for enum ieee80211_corrupt_data_flags. Prototype was for enum ieee80211_bss_corrupt_data_flags instead
+net/mac80211/ieee80211_i.h:162: warning: expecting prototype for enum ieee80211_valid_data_flags. Prototype was for enum ieee80211_bss_valid_data_flags instead
+
+Fix these warnings.
+
+Signed-off-by: Jeff Johnson <quic_jjohnson@quicinc.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://msgid.link/20240314-kdoc-ieee80211_i-v1-1-72b91b55b257@quicinc.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/ieee80211_i.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
+index 21549a440b38c..03f8c8bdab765 100644
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -113,7 +113,7 @@ struct ieee80211_bss {
+ };
+
+ /**
+- * enum ieee80211_corrupt_data_flags - BSS data corruption flags
++ * enum ieee80211_bss_corrupt_data_flags - BSS data corruption flags
+ * @IEEE80211_BSS_CORRUPT_BEACON: last beacon frame received was corrupted
+ * @IEEE80211_BSS_CORRUPT_PROBE_RESP: last probe response received was corrupted
+ *
+@@ -126,7 +126,7 @@ enum ieee80211_bss_corrupt_data_flags {
+ };
+
+ /**
+- * enum ieee80211_valid_data_flags - BSS valid data flags
++ * enum ieee80211_bss_valid_data_flags - BSS valid data flags
+ * @IEEE80211_BSS_VALID_WMM: WMM/UAPSD data was gathered from non-corrupt IE
+ * @IEEE80211_BSS_VALID_RATES: Supported rates were gathered from non-corrupt IE
+ * @IEEE80211_BSS_VALID_ERP: ERP flag was gathered from non-corrupt IE
+--
+2.43.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
