--- /dev/null
+From b3d6121eaeb22aee8a02f46706745b1968cc0292 Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Mon, 30 Sep 2024 13:04:48 +0100
+Subject: arm64: fix selection of HAVE_DYNAMIC_FTRACE_WITH_ARGS
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+commit b3d6121eaeb22aee8a02f46706745b1968cc0292 upstream.
+
+The Kconfig logic to select HAVE_DYNAMIC_FTRACE_WITH_ARGS is incorrect,
+and HAVE_DYNAMIC_FTRACE_WITH_ARGS may be selected when it is not
+supported by the combination of clang and GNU LD, resulting in link-time
+errors:
+
+ aarch64-linux-gnu-ld: .init.data has both ordered [`__patchable_function_entries' in init/main.o] and unordered [`.meminit.data' in mm/sparse.o] sections
+ aarch64-linux-gnu-ld: final link failed: bad value
+
+... which can be seen when building with CC=clang using a binutils
+version older than 2.36.
+
+We originally fixed that in commit:
+
+ 45bd8951806eb5e8 ("arm64: Improve HAVE_DYNAMIC_FTRACE_WITH_REGS selection for clang")
+
+... by splitting the "select HAVE_DYNAMIC_FTRACE_WITH_ARGS" statement
+into separete CLANG_SUPPORTS_DYNAMIC_FTRACE_WITH_ARGS and
+GCC_SUPPORTS_DYNAMIC_FTRACE_WITH_ARGS options which individually select
+HAVE_DYNAMIC_FTRACE_WITH_ARGS.
+
+Subsequently we accidentally re-introduced the common "select
+HAVE_DYNAMIC_FTRACE_WITH_ARGS" statement in commit:
+
+ 26299b3f6ba26bfc ("ftrace: arm64: move from REGS to ARGS")
+
+... then we removed it again in commit:
+
+ 68a63a412d18bd2e ("arm64: Fix build with CC=clang, CONFIG_FTRACE=y and CONFIG_STACK_TRACER=y")
+
+... then we accidentally re-introduced it again in commit:
+
+ 2aa6ac03516d078c ("arm64: ftrace: Add direct call support")
+
+Fix this for the third time by keeping the unified select statement and
+making this depend onf either GCC_SUPPORTS_DYNAMIC_FTRACE_WITH_ARGS or
+CLANG_SUPPORTS_DYNAMIC_FTRACE_WITH_ARGS. This is more consistent with
+usual style and less likely to go wrong in future.
+
+Fixes: 2aa6ac03516d ("arm64: ftrace: Add direct call support")
+Cc: <stable@vger.kernel.org> # 6.4.x
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20240930120448.3352564-1-mark.rutland@arm.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/Kconfig | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -196,7 +196,8 @@ config ARM64
+ select HAVE_DMA_CONTIGUOUS
+ select HAVE_DYNAMIC_FTRACE
+ select HAVE_DYNAMIC_FTRACE_WITH_ARGS \
+- if $(cc-option,-fpatchable-function-entry=2)
++ if (GCC_SUPPORTS_DYNAMIC_FTRACE_WITH_ARGS || \
++ CLANG_SUPPORTS_DYNAMIC_FTRACE_WITH_ARGS)
+ select HAVE_DYNAMIC_FTRACE_WITH_DIRECT_CALLS \
+ if DYNAMIC_FTRACE_WITH_ARGS && DYNAMIC_FTRACE_WITH_CALL_OPS
+ select HAVE_DYNAMIC_FTRACE_WITH_CALL_OPS \
+@@ -269,12 +270,10 @@ config CLANG_SUPPORTS_DYNAMIC_FTRACE_WIT
+ def_bool CC_IS_CLANG
+ # https://github.com/ClangBuiltLinux/linux/issues/1507
+ depends on AS_IS_GNU || (AS_IS_LLVM && (LD_IS_LLD || LD_VERSION >= 23600))
+- select HAVE_DYNAMIC_FTRACE_WITH_ARGS
+
+ config GCC_SUPPORTS_DYNAMIC_FTRACE_WITH_ARGS
+ def_bool CC_IS_GCC
+ depends on $(cc-option,-fpatchable-function-entry=2)
+- select HAVE_DYNAMIC_FTRACE_WITH_ARGS
+
+ config 64BIT
+ def_bool y
--- /dev/null
+From 3eddb108abe3de6723cc4b77e8558ce1b3047987 Mon Sep 17 00:00:00 2001
+From: Easwar Hariharan <eahariha@linux.microsoft.com>
+Date: Thu, 3 Oct 2024 22:52:35 +0000
+Subject: arm64: Subscribe Microsoft Azure Cobalt 100 to erratum 3194386
+
+From: Easwar Hariharan <eahariha@linux.microsoft.com>
+
+commit 3eddb108abe3de6723cc4b77e8558ce1b3047987 upstream.
+
+Add the Microsoft Azure Cobalt 100 CPU to the list of CPUs suffering
+from erratum 3194386 added in commit 75b3c43eab59 ("arm64: errata:
+Expand speculative SSBS workaround")
+
+CC: Mark Rutland <mark.rutland@arm.com>
+CC: James More <james.morse@arm.com>
+CC: Will Deacon <will@kernel.org>
+CC: stable@vger.kernel.org # 6.6+
+Signed-off-by: Easwar Hariharan <eahariha@linux.microsoft.com>
+Link: https://lore.kernel.org/r/20241003225239.321774-1-eahariha@linux.microsoft.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/arch/arm64/silicon-errata.rst | 2 ++
+ arch/arm64/kernel/cpu_errata.c | 1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/Documentation/arch/arm64/silicon-errata.rst
++++ b/Documentation/arch/arm64/silicon-errata.rst
+@@ -289,3 +289,5 @@ stable kernels.
+ +----------------+-----------------+-----------------+-----------------------------+
+ | Microsoft | Azure Cobalt 100| #2253138 | ARM64_ERRATUM_2253138 |
+ +----------------+-----------------+-----------------+-----------------------------+
++| Microsoft | Azure Cobalt 100| #3324339 | ARM64_ERRATUM_3194386 |
+++----------------+-----------------+-----------------+-----------------------------+
+--- a/arch/arm64/kernel/cpu_errata.c
++++ b/arch/arm64/kernel/cpu_errata.c
+@@ -447,6 +447,7 @@ static const struct midr_range erratum_s
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_X3),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_X4),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_X925),
++ MIDR_ALL_VERSIONS(MIDR_MICROSOFT_AZURE_COBALT_100),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1),
--- /dev/null
+From 2d2be279f1ca9e7288282d4214f16eea8a727cdb Mon Sep 17 00:00:00 2001
+From: Matthew Auld <matthew.auld@intel.com>
+Date: Mon, 23 Sep 2024 15:56:48 +0100
+Subject: drm/xe: fix UAF around queue destruction
+
+From: Matthew Auld <matthew.auld@intel.com>
+
+commit 2d2be279f1ca9e7288282d4214f16eea8a727cdb upstream.
+
+We currently do stuff like queuing the final destruction step on a
+random system wq, which will outlive the driver instance. With bad
+timing we can teardown the driver with one or more work workqueue still
+being alive leading to various UAF splats. Add a fini step to ensure
+user queues are properly torn down. At this point GuC should already be
+nuked so queue itself should no longer be referenced from hw pov.
+
+v2 (Matt B)
+ - Looks much safer to use a waitqueue and then just wait for the
+ xa_array to become empty before triggering the drain.
+
+Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2317
+Fixes: dd08ebf6c352 ("drm/xe: Introduce a new DRM driver for Intel GPUs")
+Signed-off-by: Matthew Auld <matthew.auld@intel.com>
+Cc: Matthew Brost <matthew.brost@intel.com>
+Cc: <stable@vger.kernel.org> # v6.8+
+Reviewed-by: Matthew Brost <matthew.brost@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240923145647.77707-2-matthew.auld@intel.com
+(cherry picked from commit 861108666cc0e999cffeab6aff17b662e68774e3)
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/xe/xe_device.c | 6 +++++-
+ drivers/gpu/drm/xe/xe_device_types.h | 3 +++
+ drivers/gpu/drm/xe/xe_guc_submit.c | 26 +++++++++++++++++++++++++-
+ drivers/gpu/drm/xe/xe_guc_types.h | 2 ++
+ 4 files changed, 35 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/xe/xe_device.c
++++ b/drivers/gpu/drm/xe/xe_device.c
+@@ -285,6 +285,9 @@ static void xe_device_destroy(struct drm
+ if (xe->unordered_wq)
+ destroy_workqueue(xe->unordered_wq);
+
++ if (xe->destroy_wq)
++ destroy_workqueue(xe->destroy_wq);
++
+ ttm_device_fini(&xe->ttm);
+ }
+
+@@ -350,8 +353,9 @@ struct xe_device *xe_device_create(struc
+ xe->preempt_fence_wq = alloc_ordered_workqueue("xe-preempt-fence-wq", 0);
+ xe->ordered_wq = alloc_ordered_workqueue("xe-ordered-wq", 0);
+ xe->unordered_wq = alloc_workqueue("xe-unordered-wq", 0, 0);
++ xe->destroy_wq = alloc_workqueue("xe-destroy-wq", 0, 0);
+ if (!xe->ordered_wq || !xe->unordered_wq ||
+- !xe->preempt_fence_wq) {
++ !xe->preempt_fence_wq || !xe->destroy_wq) {
+ /*
+ * Cleanup done in xe_device_destroy via
+ * drmm_add_action_or_reset register above
+--- a/drivers/gpu/drm/xe/xe_device_types.h
++++ b/drivers/gpu/drm/xe/xe_device_types.h
+@@ -392,6 +392,9 @@ struct xe_device {
+ /** @unordered_wq: used to serialize unordered work, mostly display */
+ struct workqueue_struct *unordered_wq;
+
++ /** @destroy_wq: used to serialize user destroy work, like queue */
++ struct workqueue_struct *destroy_wq;
++
+ /** @tiles: device tiles */
+ struct xe_tile tiles[XE_MAX_TILES_PER_DEVICE];
+
+--- a/drivers/gpu/drm/xe/xe_guc_submit.c
++++ b/drivers/gpu/drm/xe/xe_guc_submit.c
+@@ -276,10 +276,26 @@ static struct workqueue_struct *get_subm
+ }
+ #endif
+
++static void xe_guc_submit_fini(struct xe_guc *guc)
++{
++ struct xe_device *xe = guc_to_xe(guc);
++ struct xe_gt *gt = guc_to_gt(guc);
++ int ret;
++
++ ret = wait_event_timeout(guc->submission_state.fini_wq,
++ xa_empty(&guc->submission_state.exec_queue_lookup),
++ HZ * 5);
++
++ drain_workqueue(xe->destroy_wq);
++
++ xe_gt_assert(gt, ret);
++}
++
+ static void guc_submit_fini(struct drm_device *drm, void *arg)
+ {
+ struct xe_guc *guc = arg;
+
++ xe_guc_submit_fini(guc);
+ xa_destroy(&guc->submission_state.exec_queue_lookup);
+ free_submit_wq(guc);
+ }
+@@ -351,6 +367,8 @@ int xe_guc_submit_init(struct xe_guc *gu
+
+ xa_init(&guc->submission_state.exec_queue_lookup);
+
++ init_waitqueue_head(&guc->submission_state.fini_wq);
++
+ primelockdep(guc);
+
+ return drmm_add_action_or_reset(&xe->drm, guc_submit_fini, guc);
+@@ -367,6 +385,9 @@ static void __release_guc_id(struct xe_g
+
+ xe_guc_id_mgr_release_locked(&guc->submission_state.idm,
+ q->guc->id, q->width);
++
++ if (xa_empty(&guc->submission_state.exec_queue_lookup))
++ wake_up(&guc->submission_state.fini_wq);
+ }
+
+ static int alloc_guc_id(struct xe_guc *guc, struct xe_exec_queue *q)
+@@ -1267,13 +1288,16 @@ static void __guc_exec_queue_fini_async(
+
+ static void guc_exec_queue_fini_async(struct xe_exec_queue *q)
+ {
++ struct xe_guc *guc = exec_queue_to_guc(q);
++ struct xe_device *xe = guc_to_xe(guc);
++
+ INIT_WORK(&q->guc->fini_async, __guc_exec_queue_fini_async);
+
+ /* We must block on kernel engines so slabs are empty on driver unload */
+ if (q->flags & EXEC_QUEUE_FLAG_PERMANENT || exec_queue_wedged(q))
+ __guc_exec_queue_fini_async(&q->guc->fini_async);
+ else
+- queue_work(system_wq, &q->guc->fini_async);
++ queue_work(xe->destroy_wq, &q->guc->fini_async);
+ }
+
+ static void __guc_exec_queue_fini(struct xe_guc *guc, struct xe_exec_queue *q)
+--- a/drivers/gpu/drm/xe/xe_guc_types.h
++++ b/drivers/gpu/drm/xe/xe_guc_types.h
+@@ -81,6 +81,8 @@ struct xe_guc {
+ #endif
+ /** @submission_state.enabled: submission is enabled */
+ bool enabled;
++ /** @submission_state.fini_wq: submit fini wait queue */
++ wait_queue_head_t fini_wq;
+ } submission_state;
+ /** @hwconfig: Hardware config state */
+ struct {
--- /dev/null
+From 8135f1c09dd2eecee7cb637f7ec9a29e57300eb8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Roberto=20de=20Souza?= <jose.souza@intel.com>
+Date: Tue, 24 Sep 2024 14:37:13 -0700
+Subject: drm/xe/oa: Don't reset OAC_CONTEXT_ENABLE on OA stream close
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Roberto de Souza <jose.souza@intel.com>
+
+commit 8135f1c09dd2eecee7cb637f7ec9a29e57300eb8 upstream.
+
+Mesa testing on Xe2+ revealed that when OA metrics are collected for an
+exec_queue, after the OA stream is closed, future batch buffers submitted
+on that exec_queue do not complete. Not resetting OAC_CONTEXT_ENABLE on OA
+stream close resolves these hangs and should not have any adverse effects.
+
+v2: Make the change that we don't reset the bit clearer (Ashutosh)
+ Also make the same fix for OAC as OAR (Ashutosh)
+
+Bspec: 60314
+Fixes: 2f4a730fcd2d ("drm/xe/oa: Add OAR support")
+Fixes: 14e077f8006d ("drm/xe/oa: Add OAC support")
+Closes: https://gitlab.freedesktop.org/drm/xe/kernel/-/issues/2821
+Signed-off-by: José Roberto de Souza <jose.souza@intel.com>
+Signed-off-by: Ashutosh Dixit <ashutosh.dixit@intel.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Ashutosh Dixit <ashutosh.dixit@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240924213713.3497992-1-ashutosh.dixit@intel.com
+(cherry picked from commit 0c8650b09a365f4a31fca1d1d1e9d99c56071128)
+Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/xe/xe_oa.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/xe/xe_oa.c b/drivers/gpu/drm/xe/xe_oa.c
+index eae38a49ee8e..2804f14f8f29 100644
+--- a/drivers/gpu/drm/xe/xe_oa.c
++++ b/drivers/gpu/drm/xe/xe_oa.c
+@@ -709,8 +709,7 @@ static int xe_oa_configure_oar_context(struct xe_oa_stream *stream, bool enable)
+ {
+ RING_CONTEXT_CONTROL(stream->hwe->mmio_base),
+ regs_offset + CTX_CONTEXT_CONTROL,
+- _MASKED_FIELD(CTX_CTRL_OAC_CONTEXT_ENABLE,
+- enable ? CTX_CTRL_OAC_CONTEXT_ENABLE : 0)
++ _MASKED_BIT_ENABLE(CTX_CTRL_OAC_CONTEXT_ENABLE),
+ },
+ };
+ struct xe_oa_reg reg_lri = { OAR_OACONTROL, oacontrol };
+@@ -742,10 +741,8 @@ static int xe_oa_configure_oac_context(struct xe_oa_stream *stream, bool enable)
+ {
+ RING_CONTEXT_CONTROL(stream->hwe->mmio_base),
+ regs_offset + CTX_CONTEXT_CONTROL,
+- _MASKED_FIELD(CTX_CTRL_OAC_CONTEXT_ENABLE,
+- enable ? CTX_CTRL_OAC_CONTEXT_ENABLE : 0) |
+- _MASKED_FIELD(CTX_CTRL_RUN_ALONE,
+- enable ? CTX_CTRL_RUN_ALONE : 0),
++ _MASKED_BIT_ENABLE(CTX_CTRL_OAC_CONTEXT_ENABLE) |
++ _MASKED_FIELD(CTX_CTRL_RUN_ALONE, enable ? CTX_CTRL_RUN_ALONE : 0),
+ },
+ };
+ struct xe_oa_reg reg_lri = { OAC_OACONTROL, oacontrol };
+--
+2.46.2
+
--- /dev/null
+From d2b537b3e533f28e0d97293fe9293161fe8cd137 Mon Sep 17 00:00:00 2001
+From: Yuezhang Mo <Yuezhang.Mo@sony.com>
+Date: Tue, 3 Sep 2024 15:01:09 +0800
+Subject: exfat: fix memory leak in exfat_load_bitmap()
+
+From: Yuezhang Mo <Yuezhang.Mo@sony.com>
+
+commit d2b537b3e533f28e0d97293fe9293161fe8cd137 upstream.
+
+If the first directory entry in the root directory is not a bitmap
+directory entry, 'bh' will not be released and reassigned, which
+will cause a memory leak.
+
+Fixes: 1e49a94cf707 ("exfat: add bitmap operations")
+Cc: stable@vger.kernel.org
+Signed-off-by: Yuezhang Mo <Yuezhang.Mo@sony.com>
+Reviewed-by: Aoyama Wataru <wataru.aoyama@sony.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/exfat/balloc.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/fs/exfat/balloc.c
++++ b/fs/exfat/balloc.c
+@@ -91,11 +91,8 @@ int exfat_load_bitmap(struct super_block
+ return -EIO;
+
+ type = exfat_get_entry_type(ep);
+- if (type == TYPE_UNUSED)
+- break;
+- if (type != TYPE_BITMAP)
+- continue;
+- if (ep->dentry.bitmap.flags == 0x0) {
++ if (type == TYPE_BITMAP &&
++ ep->dentry.bitmap.flags == 0x0) {
+ int err;
+
+ err = exfat_allocate_bitmap(sb, ep);
+@@ -103,6 +100,9 @@ int exfat_load_bitmap(struct super_block
+ return err;
+ }
+ brelse(bh);
++
++ if (type == TYPE_UNUSED)
++ return -EINVAL;
+ }
+
+ if (exfat_get_next_cluster(sb, &clu.dir))
--- /dev/null
+From 61850725779709369c7e907ae8c7c75dc7cec4f3 Mon Sep 17 00:00:00 2001
+From: Kaixin Wang <kxwang23@m.fudan.edu.cn>
+Date: Sun, 15 Sep 2024 00:39:33 +0800
+Subject: i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition
+
+From: Kaixin Wang <kxwang23@m.fudan.edu.cn>
+
+commit 61850725779709369c7e907ae8c7c75dc7cec4f3 upstream.
+
+In the svc_i3c_master_probe function, &master->hj_work is bound with
+svc_i3c_master_hj_work, &master->ibi_work is bound with
+svc_i3c_master_ibi_work. And svc_i3c_master_ibi_work can start the
+hj_work, svc_i3c_master_irq_handler can start the ibi_work.
+
+If we remove the module which will call svc_i3c_master_remove to
+make cleanup, it will free master->base through i3c_master_unregister
+while the work mentioned above will be used. The sequence of operations
+that may lead to a UAF bug is as follows:
+
+CPU0 CPU1
+
+ | svc_i3c_master_hj_work
+svc_i3c_master_remove |
+i3c_master_unregister(&master->base)|
+device_unregister(&master->dev) |
+device_release |
+//free master->base |
+ | i3c_master_do_daa(&master->base)
+ | //use master->base
+
+Fix it by ensuring that the work is canceled before proceeding with the
+cleanup in svc_i3c_master_remove.
+
+Fixes: 0f74f8b6675c ("i3c: Make i3c_master_unregister() return void")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kaixin Wang <kxwang23@m.fudan.edu.cn>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Link: https://lore.kernel.org/stable/20240914154030.180-1-kxwang23%40m.fudan.edu.cn
+Link: https://lore.kernel.org/r/20240914163932.253-1-kxwang23@m.fudan.edu.cn
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i3c/master/svc-i3c-master.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/i3c/master/svc-i3c-master.c
++++ b/drivers/i3c/master/svc-i3c-master.c
+@@ -1775,6 +1775,7 @@ static void svc_i3c_master_remove(struct
+ {
+ struct svc_i3c_master *master = platform_get_drvdata(pdev);
+
++ cancel_work_sync(&master->hj_work);
+ i3c_master_unregister(&master->base);
+
+ pm_runtime_dont_use_autosuspend(&pdev->dev);
--- /dev/null
+From 45bb63ed20e02ae146336412889fe5450316a84f Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.de>
+Date: Mon, 9 Sep 2024 15:06:36 +1000
+Subject: nfsd: fix delegation_blocked() to block correctly for at least 30 seconds
+
+From: NeilBrown <neilb@suse.de>
+
+commit 45bb63ed20e02ae146336412889fe5450316a84f upstream.
+
+The pair of bloom filtered used by delegation_blocked() was intended to
+block delegations on given filehandles for between 30 and 60 seconds. A
+new filehandle would be recorded in the "new" bit set. That would then
+be switch to the "old" bit set between 0 and 30 seconds later, and it
+would remain as the "old" bit set for 30 seconds.
+
+Unfortunately the code intended to clear the old bit set once it reached
+30 seconds old, preparing it to be the next new bit set, instead cleared
+the *new* bit set before switching it to be the old bit set. This means
+that the "old" bit set is always empty and delegations are blocked
+between 0 and 30 seconds.
+
+This patch updates bd->new before clearing the set with that index,
+instead of afterwards.
+
+Reported-by: Olga Kornievskaia <okorniev@redhat.com>
+Cc: stable@vger.kernel.org
+Fixes: 6282cd565553 ("NFSD: Don't hand out delegations for 30 seconds after recalling them.")
+Signed-off-by: NeilBrown <neilb@suse.de>
+Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4state.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -1077,7 +1077,8 @@ static void nfs4_free_deleg(struct nfs4_
+ * When a delegation is recalled, the filehandle is stored in the "new"
+ * filter.
+ * Every 30 seconds we swap the filters and clear the "new" one,
+- * unless both are empty of course.
++ * unless both are empty of course. This results in delegations for a
++ * given filehandle being blocked for between 30 and 60 seconds.
+ *
+ * Each filter is 256 bits. We hash the filehandle to 32bit and use the
+ * low 3 bytes as hash-table indices.
+@@ -1106,9 +1107,9 @@ static int delegation_blocked(struct knf
+ if (ktime_get_seconds() - bd->swap_time > 30) {
+ bd->entries -= bd->old_entries;
+ bd->old_entries = bd->entries;
++ bd->new = 1-bd->new;
+ memset(bd->set[bd->new], 0,
+ sizeof(bd->set[0]));
+- bd->new = 1-bd->new;
+ bd->swap_time = ktime_get_seconds();
+ }
+ spin_unlock(&blocked_delegations_lock);
--- /dev/null
+From 202f39039a11402dcbcd5fece8d9fa6be83f49ae Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Sun, 11 Aug 2024 13:11:07 -0400
+Subject: NFSD: Fix NFSv4's PUTPUBFH operation
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit 202f39039a11402dcbcd5fece8d9fa6be83f49ae upstream.
+
+According to RFC 8881, all minor versions of NFSv4 support PUTPUBFH.
+
+Replace the XDR decoder for PUTPUBFH with a "noop" since we no
+longer want the minorversion check, and PUTPUBFH has no arguments to
+decode. (Ideally nfsd4_decode_noop should really be called
+nfsd4_decode_void).
+
+PUTPUBFH should now behave just like PUTROOTFH.
+
+Reported-by: Cedric Blancher <cedric.blancher@gmail.com>
+Fixes: e1a90ebd8b23 ("NFSD: Combine decode operations for v4 and v4.1")
+Cc: Dan Shelton <dan.f.shelton@gmail.com>
+Cc: Roland Mainz <roland.mainz@nrubsig.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4xdr.c | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -1246,14 +1246,6 @@ nfsd4_decode_putfh(struct nfsd4_compound
+ }
+
+ static __be32
+-nfsd4_decode_putpubfh(struct nfsd4_compoundargs *argp, union nfsd4_op_u *p)
+-{
+- if (argp->minorversion == 0)
+- return nfs_ok;
+- return nfserr_notsupp;
+-}
+-
+-static __be32
+ nfsd4_decode_read(struct nfsd4_compoundargs *argp, union nfsd4_op_u *u)
+ {
+ struct nfsd4_read *read = &u->read;
+@@ -2374,7 +2366,7 @@ static const nfsd4_dec nfsd4_dec_ops[] =
+ [OP_OPEN_CONFIRM] = nfsd4_decode_open_confirm,
+ [OP_OPEN_DOWNGRADE] = nfsd4_decode_open_downgrade,
+ [OP_PUTFH] = nfsd4_decode_putfh,
+- [OP_PUTPUBFH] = nfsd4_decode_putpubfh,
++ [OP_PUTPUBFH] = nfsd4_decode_noop,
+ [OP_PUTROOTFH] = nfsd4_decode_noop,
+ [OP_READ] = nfsd4_decode_read,
+ [OP_READDIR] = nfsd4_decode_readdir,
--- /dev/null
+From 340e61e44c1d2a15c42ec72ade9195ad525fd048 Mon Sep 17 00:00:00 2001
+From: Li Lingfeng <lilingfeng3@huawei.com>
+Date: Sat, 17 Aug 2024 14:27:13 +0800
+Subject: nfsd: map the EBADMSG to nfserr_io to avoid warning
+
+From: Li Lingfeng <lilingfeng3@huawei.com>
+
+commit 340e61e44c1d2a15c42ec72ade9195ad525fd048 upstream.
+
+Ext4 will throw -EBADMSG through ext4_readdir when a checksum error
+occurs, resulting in the following WARNING.
+
+Fix it by mapping EBADMSG to nfserr_io.
+
+nfsd_buffered_readdir
+ iterate_dir // -EBADMSG -74
+ ext4_readdir // .iterate_shared
+ ext4_dx_readdir
+ ext4_htree_fill_tree
+ htree_dirblock_to_tree
+ ext4_read_dirblock
+ __ext4_read_dirblock
+ ext4_dirblock_csum_verify
+ warn_no_space_for_csum
+ __warn_no_space_for_csum
+ return ERR_PTR(-EFSBADCRC) // -EBADMSG -74
+ nfserrno // WARNING
+
+[ 161.115610] ------------[ cut here ]------------
+[ 161.116465] nfsd: non-standard errno: -74
+[ 161.117315] WARNING: CPU: 1 PID: 780 at fs/nfsd/nfsproc.c:878 nfserrno+0x9d/0xd0
+[ 161.118596] Modules linked in:
+[ 161.119243] CPU: 1 PID: 780 Comm: nfsd Not tainted 5.10.0-00014-g79679361fd5d #138
+[ 161.120684] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qe
+mu.org 04/01/2014
+[ 161.123601] RIP: 0010:nfserrno+0x9d/0xd0
+[ 161.124676] Code: 0f 87 da 30 dd 00 83 e3 01 b8 00 00 00 05 75 d7 44 89 ee 48 c7 c7 c0 57 24 98 89 44 24 04 c6
+ 05 ce 2b 61 03 01 e8 99 20 d8 00 <0f> 0b 8b 44 24 04 eb b5 4c 89 e6 48 c7 c7 a0 6d a4 99 e8 cc 15 33
+[ 161.127797] RSP: 0018:ffffc90000e2f9c0 EFLAGS: 00010286
+[ 161.128794] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
+[ 161.130089] RDX: 1ffff1103ee16f6d RSI: 0000000000000008 RDI: fffff520001c5f2a
+[ 161.131379] RBP: 0000000000000022 R08: 0000000000000001 R09: ffff8881f70c1827
+[ 161.132664] R10: ffffed103ee18304 R11: 0000000000000001 R12: 0000000000000021
+[ 161.133949] R13: 00000000ffffffb6 R14: ffff8881317c0000 R15: ffffc90000e2fbd8
+[ 161.135244] FS: 0000000000000000(0000) GS:ffff8881f7080000(0000) knlGS:0000000000000000
+[ 161.136695] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 161.137761] CR2: 00007fcaad70b348 CR3: 0000000144256006 CR4: 0000000000770ee0
+[ 161.139041] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 161.140291] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 161.141519] PKRU: 55555554
+[ 161.142076] Call Trace:
+[ 161.142575] ? __warn+0x9b/0x140
+[ 161.143229] ? nfserrno+0x9d/0xd0
+[ 161.143872] ? report_bug+0x125/0x150
+[ 161.144595] ? handle_bug+0x41/0x90
+[ 161.145284] ? exc_invalid_op+0x14/0x70
+[ 161.146009] ? asm_exc_invalid_op+0x12/0x20
+[ 161.146816] ? nfserrno+0x9d/0xd0
+[ 161.147487] nfsd_buffered_readdir+0x28b/0x2b0
+[ 161.148333] ? nfsd4_encode_dirent_fattr+0x380/0x380
+[ 161.149258] ? nfsd_buffered_filldir+0xf0/0xf0
+[ 161.150093] ? wait_for_concurrent_writes+0x170/0x170
+[ 161.151004] ? generic_file_llseek_size+0x48/0x160
+[ 161.151895] nfsd_readdir+0x132/0x190
+[ 161.152606] ? nfsd4_encode_dirent_fattr+0x380/0x380
+[ 161.153516] ? nfsd_unlink+0x380/0x380
+[ 161.154256] ? override_creds+0x45/0x60
+[ 161.155006] nfsd4_encode_readdir+0x21a/0x3d0
+[ 161.155850] ? nfsd4_encode_readlink+0x210/0x210
+[ 161.156731] ? write_bytes_to_xdr_buf+0x97/0xe0
+[ 161.157598] ? __write_bytes_to_xdr_buf+0xd0/0xd0
+[ 161.158494] ? lock_downgrade+0x90/0x90
+[ 161.159232] ? nfs4svc_decode_voidarg+0x10/0x10
+[ 161.160092] nfsd4_encode_operation+0x15a/0x440
+[ 161.160959] nfsd4_proc_compound+0x718/0xe90
+[ 161.161818] nfsd_dispatch+0x18e/0x2c0
+[ 161.162586] svc_process_common+0x786/0xc50
+[ 161.163403] ? nfsd_svc+0x380/0x380
+[ 161.164137] ? svc_printk+0x160/0x160
+[ 161.164846] ? svc_xprt_do_enqueue.part.0+0x365/0x380
+[ 161.165808] ? nfsd_svc+0x380/0x380
+[ 161.166523] ? rcu_is_watching+0x23/0x40
+[ 161.167309] svc_process+0x1a5/0x200
+[ 161.168019] nfsd+0x1f5/0x380
+[ 161.168663] ? nfsd_shutdown_threads+0x260/0x260
+[ 161.169554] kthread+0x1c4/0x210
+[ 161.170224] ? kthread_insert_work_sanity_check+0x80/0x80
+[ 161.171246] ret_from_fork+0x1f/0x30
+
+Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/vfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -100,6 +100,7 @@ nfserrno (int errno)
+ { nfserr_io, -EUCLEAN },
+ { nfserr_perm, -ENOKEY },
+ { nfserr_no_grace, -ENOGRACE},
++ { nfserr_io, -EBADMSG },
+ };
+ int i;
+
--- /dev/null
+From ac01c8c4246546fd8340a232f3ada1921dc0ee48 Mon Sep 17 00:00:00 2001
+From: Matt Fleming <matt@readmodwrite.com>
+Date: Thu, 15 Aug 2024 15:22:12 +0100
+Subject: perf hist: Update hist symbol when updating maps
+
+From: Matt Fleming <matt@readmodwrite.com>
+
+commit ac01c8c4246546fd8340a232f3ada1921dc0ee48 upstream.
+
+AddressSanitizer found a use-after-free bug in the symbol code which
+manifested as 'perf top' segfaulting.
+
+ ==1238389==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00c48844b at pc 0x5650d8035961 bp 0x7f751aaecc90 sp 0x7f751aaecc80
+ READ of size 1 at 0x60b00c48844b thread T193
+ #0 0x5650d8035960 in _sort__sym_cmp util/sort.c:310
+ #1 0x5650d8043744 in hist_entry__cmp util/hist.c:1286
+ #2 0x5650d8043951 in hists__findnew_entry util/hist.c:614
+ #3 0x5650d804568f in __hists__add_entry util/hist.c:754
+ #4 0x5650d8045bf9 in hists__add_entry util/hist.c:772
+ #5 0x5650d8045df1 in iter_add_single_normal_entry util/hist.c:997
+ #6 0x5650d8043326 in hist_entry_iter__add util/hist.c:1242
+ #7 0x5650d7ceeefe in perf_event__process_sample /home/matt/src/linux/tools/perf/builtin-top.c:845
+ #8 0x5650d7ceeefe in deliver_event /home/matt/src/linux/tools/perf/builtin-top.c:1208
+ #9 0x5650d7fdb51b in do_flush util/ordered-events.c:245
+ #10 0x5650d7fdb51b in __ordered_events__flush util/ordered-events.c:324
+ #11 0x5650d7ced743 in process_thread /home/matt/src/linux/tools/perf/builtin-top.c:1120
+ #12 0x7f757ef1f133 in start_thread nptl/pthread_create.c:442
+ #13 0x7f757ef9f7db in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
+
+When updating hist maps it's also necessary to update the hist symbol
+reference because the old one gets freed in map__put().
+
+While this bug was probably introduced with 5c24b67aae72f54c ("perf
+tools: Replace map->referenced & maps->removed_maps with map->refcnt"),
+the symbol objects were leaked until c087e9480cf33672 ("perf machine:
+Fix refcount usage when processing PERF_RECORD_KSYMBOL") was merged so
+the bug was masked.
+
+Fixes: c087e9480cf33672 ("perf machine: Fix refcount usage when processing PERF_RECORD_KSYMBOL")
+Reported-by: Yunzhao Li <yunzhao@cloudflare.com>
+Signed-off-by: Matt Fleming (Cloudflare) <matt@readmodwrite.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: kernel-team@cloudflare.com
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Riccardo Mancini <rickyman7@gmail.com>
+Cc: stable@vger.kernel.org # v5.13+
+Link: https://lore.kernel.org/r/20240815142212.3834625-1-matt@readmodwrite.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/hist.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/tools/perf/util/hist.c
++++ b/tools/perf/util/hist.c
+@@ -637,6 +637,11 @@ static struct hist_entry *hists__findnew
+ * the history counter to increment.
+ */
+ if (he->ms.map != entry->ms.map) {
++ if (he->ms.sym) {
++ u64 addr = he->ms.sym->start;
++ he->ms.sym = map__find_symbol(entry->ms.map, addr);
++ }
++
+ map__put(he->ms.map);
+ he->ms.map = map__get(entry->ms.map);
+ }
--- /dev/null
+From 00dc514612fe98cfa117193b9df28f15e7c9db9c Mon Sep 17 00:00:00 2001
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+Date: Thu, 22 Aug 2024 14:13:49 -0300
+Subject: perf python: Disable -Wno-cast-function-type-mismatch if present on clang
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+commit 00dc514612fe98cfa117193b9df28f15e7c9db9c upstream.
+
+The -Wcast-function-type-mismatch option was introduced in clang 19 and
+its enabled by default, since we use -Werror, and python bindings do
+casts that are valid but trips this warning, disable it if present.
+
+Closes: https://lore.kernel.org/all/CA+icZUXoJ6BS3GMhJHV3aZWyb5Cz2haFneX0C5pUMUUhG-UVKQ@mail.gmail.com
+Reported-by: Sedat Dilek <sedat.dilek@gmail.com>
+Tested-by: Sedat Dilek <sedat.dilek@gmail.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Nathan Chancellor <nathan@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: stable@vger.kernel.org # To allow building with the upcoming clang 19
+Link: https://lore.kernel.org/lkml/CA+icZUVtHn8X1Tb_Y__c-WswsO0K8U9uy3r2MzKXwTA5THtL7w@mail.gmail.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/util/setup.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/tools/perf/util/setup.py
++++ b/tools/perf/util/setup.py
+@@ -63,6 +63,8 @@ cflags = getenv('CFLAGS', '').split()
+ cflags += ['-fno-strict-aliasing', '-Wno-write-strings', '-Wno-unused-parameter', '-Wno-redundant-decls' ]
+ if cc_is_clang:
+ cflags += ["-Wno-unused-command-line-argument" ]
++ if clang_has_option("-Wno-cast-function-type-mismatch"):
++ cflags += ["-Wno-cast-function-type-mismatch" ]
+ else:
+ cflags += ['-Wno-cast-function-type' ]
+
--- /dev/null
+From 4a3b99bc04e501b816db78f70064e26a01257910 Mon Sep 17 00:00:00 2001
+From: Long Li <longli@microsoft.com>
+Date: Fri, 30 Aug 2024 08:16:33 -0700
+Subject: RDMA/mana_ib: use the correct page size for mapping user-mode doorbell page
+
+From: Long Li <longli@microsoft.com>
+
+commit 4a3b99bc04e501b816db78f70064e26a01257910 upstream.
+
+When mapping doorbell page from user-mode, the driver should use the system
+page size as this memory is allocated via mmap() from user-mode.
+
+Cc: stable@vger.kernel.org
+Fixes: 0266a177631d ("RDMA/mana_ib: Add a driver for Microsoft Azure Network Adapter")
+Signed-off-by: Long Li <longli@microsoft.com>
+Link: https://patch.msgid.link/1725030993-16213-2-git-send-email-longli@linuxonhyperv.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mana/main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/hw/mana/main.c
++++ b/drivers/infiniband/hw/mana/main.c
+@@ -511,13 +511,13 @@ int mana_ib_mmap(struct ib_ucontext *ibc
+ PAGE_SHIFT;
+ prot = pgprot_writecombine(vma->vm_page_prot);
+
+- ret = rdma_user_mmap_io(ibcontext, vma, pfn, gc->db_page_size, prot,
++ ret = rdma_user_mmap_io(ibcontext, vma, pfn, PAGE_SIZE, prot,
+ NULL);
+ if (ret)
+ ibdev_dbg(ibdev, "can't rdma_user_mmap_io ret %d\n", ret);
+ else
+- ibdev_dbg(ibdev, "mapped I/O pfn 0x%llx page_size %u, ret %d\n",
+- pfn, gc->db_page_size, ret);
++ ibdev_dbg(ibdev, "mapped I/O pfn 0x%llx page_size %lu, ret %d\n",
++ pfn, PAGE_SIZE, ret);
+
+ return ret;
+ }
--- /dev/null
+From 9e517a8e9d9a303bf9bde35e5c5374795544c152 Mon Sep 17 00:00:00 2001
+From: Long Li <longli@microsoft.com>
+Date: Fri, 30 Aug 2024 08:16:32 -0700
+Subject: RDMA/mana_ib: use the correct page table index based on hardware page size
+
+From: Long Li <longli@microsoft.com>
+
+commit 9e517a8e9d9a303bf9bde35e5c5374795544c152 upstream.
+
+MANA hardware uses 4k page size. When calculating the page table index,
+it should use the hardware page size, not the system page size.
+
+Cc: stable@vger.kernel.org
+Fixes: 0266a177631d ("RDMA/mana_ib: Add a driver for Microsoft Azure Network Adapter")
+Signed-off-by: Long Li <longli@microsoft.com>
+Link: https://patch.msgid.link/1725030993-16213-1-git-send-email-longli@linuxonhyperv.com
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/infiniband/hw/mana/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mana/main.c
++++ b/drivers/infiniband/hw/mana/main.c
+@@ -383,7 +383,7 @@ static int mana_ib_gd_create_dma_region(
+
+ create_req->length = umem->length;
+ create_req->offset_in_page = ib_umem_dma_offset(umem, page_sz);
+- create_req->gdma_page_type = order_base_2(page_sz) - PAGE_SHIFT;
++ create_req->gdma_page_type = order_base_2(page_sz) - MANA_PAGE_SHIFT;
+ create_req->page_count = num_pages_total;
+
+ ibdev_dbg(&dev->ib_dev, "size_dma_region %lu num_pages_total %lu\n",
--- /dev/null
+From 5c178472af247c7b50f962495bb7462ba453b9fb Mon Sep 17 00:00:00 2001
+From: Jisheng Zhang <jszhang@kernel.org>
+Date: Sat, 6 Jul 2024 01:02:10 +0800
+Subject: riscv: define ILLEGAL_POINTER_VALUE for 64bit
+
+From: Jisheng Zhang <jszhang@kernel.org>
+
+commit 5c178472af247c7b50f962495bb7462ba453b9fb upstream.
+
+This is used in poison.h for poison pointer offset. Based on current
+SV39, SV48 and SV57 vm layout, 0xdead000000000000 is a proper value
+that is not mappable, this can avoid potentially turning an oops to
+an expolit.
+
+Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
+Fixes: fbe934d69eb7 ("RISC-V: Build Infrastructure")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240705170210.3236-1-jszhang@kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/Kconfig | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/riscv/Kconfig
++++ b/arch/riscv/Kconfig
+@@ -319,6 +319,11 @@ config GENERIC_HWEIGHT
+ config FIX_EARLYCON_MEM
+ def_bool MMU
+
++config ILLEGAL_POINTER_VALUE
++ hex
++ default 0 if 32BIT
++ default 0xdead000000000000 if 64BIT
++
+ config PGTABLE_LEVELS
+ int
+ default 5 if 64BIT
--- /dev/null
+From c245910049d04fbfa85bb2f5acd591c24e9907c7 Mon Sep 17 00:00:00 2001
+From: "Joel Fernandes (Google)" <joel@joelfernandes.org>
+Date: Mon, 27 May 2024 14:06:48 +0200
+Subject: sched/core: Add clearing of ->dl_server in put_prev_task_balance()
+
+From: Joel Fernandes (Google) <joel@joelfernandes.org>
+
+commit c245910049d04fbfa85bb2f5acd591c24e9907c7 upstream.
+
+Paths using put_prev_task_balance() need to do a pick shortly
+after. Make sure they also clear the ->dl_server on prev as a
+part of that.
+
+Fixes: 63ba8422f876 ("sched/deadline: Introduce deadline servers")
+Signed-off-by: "Joel Fernandes (Google)" <joel@joelfernandes.org>
+Signed-off-by: Daniel Bristot de Oliveira <bristot@kernel.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Tested-by: Juri Lelli <juri.lelli@redhat.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/d184d554434bedbad0581cb34656582d78655150.1716811044.git.bristot@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/core.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -5789,6 +5789,14 @@ static void put_prev_task_balance(struct
+ #endif
+
+ put_prev_task(rq, prev);
++
++ /*
++ * We've updated @prev and no longer need the server link, clear it.
++ * Must be done before ->pick_next_task() because that can (re)set
++ * ->dl_server.
++ */
++ if (prev->dl_server)
++ prev->dl_server = NULL;
+ }
+
+ /*
+@@ -5832,14 +5840,6 @@ __pick_next_task(struct rq *rq, struct t
+ restart:
+ put_prev_task_balance(rq, prev, rf);
+
+- /*
+- * We've updated @prev and no longer need the server link, clear it.
+- * Must be done before ->pick_next_task() because that can (re)set
+- * ->dl_server.
+- */
+- if (prev->dl_server)
+- prev->dl_server = NULL;
+-
+ for_each_class(class) {
+ p = class->pick_next_task(rq);
+ if (p)
--- /dev/null
+From a741b82423f41501e301eb6f9820b45ca202e877 Mon Sep 17 00:00:00 2001
+From: Youssef Esmat <youssefesmat@google.com>
+Date: Mon, 27 May 2024 14:06:49 +0200
+Subject: sched/core: Clear prev->dl_server in CFS pick fast path
+
+From: Youssef Esmat <youssefesmat@google.com>
+
+commit a741b82423f41501e301eb6f9820b45ca202e877 upstream.
+
+In case the previous pick was a DL server pick, ->dl_server might be
+set. Clear it in the fast path as well.
+
+Fixes: 63ba8422f876 ("sched/deadline: Introduce deadline servers")
+Signed-off-by: Youssef Esmat <youssefesmat@google.com>
+Signed-off-by: Daniel Bristot de Oliveira <bristot@kernel.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Tested-by: Juri Lelli <juri.lelli@redhat.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/7f7381ccba09efcb4a1c1ff808ed58385eccc222.1716811044.git.bristot@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/core.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -5828,6 +5828,13 @@ __pick_next_task(struct rq *rq, struct t
+ }
+
+ /*
++ * This is a normal CFS pick, but the previous could be a DL pick.
++ * Clear it as previous is no longer picked.
++ */
++ if (prev->dl_server)
++ prev->dl_server = NULL;
++
++ /*
+ * This is the fast path; it cannot be a DL server pick;
+ * therefore even if @p == @prev, ->dl_server must be NULL.
+ */
--- /dev/null
+From f23c042ce34ba265cf3129d530702b5d218e3f4b Mon Sep 17 00:00:00 2001
+From: Daniel Bristot de Oliveira <bristot@kernel.org>
+Date: Mon, 27 May 2024 14:06:47 +0200
+Subject: sched/deadline: Comment sched_dl_entity::dl_server variable
+
+From: Daniel Bristot de Oliveira <bristot@kernel.org>
+
+commit f23c042ce34ba265cf3129d530702b5d218e3f4b upstream.
+
+Add an explanation for the newly added variable.
+
+Fixes: 63ba8422f876 ("sched/deadline: Introduce deadline servers")
+Signed-off-by: Daniel Bristot de Oliveira <bristot@kernel.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Tested-by: Juri Lelli <juri.lelli@redhat.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/147f7aa8cb8fd925f36aa8059af6a35aad08b45a.1716811044.git.bristot@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/sched.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -639,6 +639,8 @@ struct sched_dl_entity {
+ *
+ * @dl_overrun tells if the task asked to be informed about runtime
+ * overruns.
++ *
++ * @dl_server tells if this is a server entity.
+ */
+ unsigned int dl_throttled : 1;
+ unsigned int dl_yielded : 1;
--- /dev/null
+From 3840cbe24cf060ea05a585ca497814609f5d47d1 Mon Sep 17 00:00:00 2001
+From: Johannes Weiner <hannes@cmpxchg.org>
+Date: Thu, 3 Oct 2024 07:29:05 -0400
+Subject: sched: psi: fix bogus pressure spikes from aggregation race
+
+From: Johannes Weiner <hannes@cmpxchg.org>
+
+commit 3840cbe24cf060ea05a585ca497814609f5d47d1 upstream.
+
+Brandon reports sporadic, non-sensical spikes in cumulative pressure
+time (total=) when reading cpu.pressure at a high rate. This is due to
+a race condition between reader aggregation and tasks changing states.
+
+While it affects all states and all resources captured by PSI, in
+practice it most likely triggers with CPU pressure, since scheduling
+events are so frequent compared to other resource events.
+
+The race context is the live snooping of ongoing stalls during a
+pressure read. The read aggregates per-cpu records for stalls that
+have concluded, but will also incorporate ad-hoc the duration of any
+active state that hasn't been recorded yet. This is important to get
+timely measurements of ongoing stalls. Those ad-hoc samples are
+calculated on-the-fly up to the current time on that CPU; since the
+stall hasn't concluded, it's expected that this is the minimum amount
+of stall time that will enter the per-cpu records once it does.
+
+The problem is that the path that concludes the state uses a CPU clock
+read that is not synchronized against aggregators; the clock is read
+outside of the seqlock protection. This allows aggregators to race and
+snoop a stall with a longer duration than will actually be recorded.
+
+With the recorded stall time being less than the last snapshot
+remembered by the aggregator, a subsequent sample will underflow and
+observe a bogus delta value, resulting in an erratic jump in pressure.
+
+Fix this by moving the clock read of the state change into the seqlock
+protection. This ensures no aggregation can snoop live stalls past the
+time that's recorded when the state concludes.
+
+Reported-by: Brandon Duffany <brandon@buildbuddy.io>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=219194
+Link: https://lore.kernel.org/lkml/20240827121851.GB438928@cmpxchg.org/
+Fixes: df77430639c9 ("psi: Reduce calls to sched_clock() in psi")
+Cc: stable@vger.kernel.org
+Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
+Reviewed-by: Chengming Zhou <chengming.zhou@linux.dev>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sched/psi.c | 26 ++++++++++++--------------
+ 1 file changed, 12 insertions(+), 14 deletions(-)
+
+--- a/kernel/sched/psi.c
++++ b/kernel/sched/psi.c
+@@ -769,12 +769,13 @@ static void record_times(struct psi_grou
+ }
+
+ static void psi_group_change(struct psi_group *group, int cpu,
+- unsigned int clear, unsigned int set, u64 now,
++ unsigned int clear, unsigned int set,
+ bool wake_clock)
+ {
+ struct psi_group_cpu *groupc;
+ unsigned int t, m;
+ u32 state_mask;
++ u64 now;
+
+ lockdep_assert_rq_held(cpu_rq(cpu));
+ groupc = per_cpu_ptr(group->pcpu, cpu);
+@@ -789,6 +790,7 @@ static void psi_group_change(struct psi_
+ * SOME and FULL time these may have resulted in.
+ */
+ write_seqcount_begin(&groupc->seq);
++ now = cpu_clock(cpu);
+
+ /*
+ * Start with TSK_ONCPU, which doesn't have a corresponding
+@@ -899,18 +901,15 @@ void psi_task_change(struct task_struct
+ {
+ int cpu = task_cpu(task);
+ struct psi_group *group;
+- u64 now;
+
+ if (!task->pid)
+ return;
+
+ psi_flags_change(task, clear, set);
+
+- now = cpu_clock(cpu);
+-
+ group = task_psi_group(task);
+ do {
+- psi_group_change(group, cpu, clear, set, now, true);
++ psi_group_change(group, cpu, clear, set, true);
+ } while ((group = group->parent));
+ }
+
+@@ -919,7 +918,6 @@ void psi_task_switch(struct task_struct
+ {
+ struct psi_group *group, *common = NULL;
+ int cpu = task_cpu(prev);
+- u64 now = cpu_clock(cpu);
+
+ if (next->pid) {
+ psi_flags_change(next, 0, TSK_ONCPU);
+@@ -936,7 +934,7 @@ void psi_task_switch(struct task_struct
+ break;
+ }
+
+- psi_group_change(group, cpu, 0, TSK_ONCPU, now, true);
++ psi_group_change(group, cpu, 0, TSK_ONCPU, true);
+ } while ((group = group->parent));
+ }
+
+@@ -974,7 +972,7 @@ void psi_task_switch(struct task_struct
+ do {
+ if (group == common)
+ break;
+- psi_group_change(group, cpu, clear, set, now, wake_clock);
++ psi_group_change(group, cpu, clear, set, wake_clock);
+ } while ((group = group->parent));
+
+ /*
+@@ -986,7 +984,7 @@ void psi_task_switch(struct task_struct
+ if ((prev->psi_flags ^ next->psi_flags) & ~TSK_ONCPU) {
+ clear &= ~TSK_ONCPU;
+ for (; group; group = group->parent)
+- psi_group_change(group, cpu, clear, set, now, wake_clock);
++ psi_group_change(group, cpu, clear, set, wake_clock);
+ }
+ }
+ }
+@@ -997,8 +995,8 @@ void psi_account_irqtime(struct rq *rq,
+ int cpu = task_cpu(curr);
+ struct psi_group *group;
+ struct psi_group_cpu *groupc;
+- u64 now, irq;
+ s64 delta;
++ u64 irq;
+
+ if (static_branch_likely(&psi_disabled))
+ return;
+@@ -1011,7 +1009,6 @@ void psi_account_irqtime(struct rq *rq,
+ if (prev && task_psi_group(prev) == group)
+ return;
+
+- now = cpu_clock(cpu);
+ irq = irq_time_read(cpu);
+ delta = (s64)(irq - rq->psi_irq_time);
+ if (delta < 0)
+@@ -1019,12 +1016,15 @@ void psi_account_irqtime(struct rq *rq,
+ rq->psi_irq_time = irq;
+
+ do {
++ u64 now;
++
+ if (!group->enabled)
+ continue;
+
+ groupc = per_cpu_ptr(group->pcpu, cpu);
+
+ write_seqcount_begin(&groupc->seq);
++ now = cpu_clock(cpu);
+
+ record_times(groupc, now);
+ groupc->times[PSI_IRQ_FULL] += delta;
+@@ -1223,11 +1223,9 @@ void psi_cgroup_restart(struct psi_group
+ for_each_possible_cpu(cpu) {
+ struct rq *rq = cpu_rq(cpu);
+ struct rq_flags rf;
+- u64 now;
+
+ rq_lock_irq(rq, &rf);
+- now = cpu_clock(cpu);
+- psi_group_change(group, cpu, 0, 0, now, true);
++ psi_group_change(group, cpu, 0, 0, true);
+ rq_unlock_irq(rq, &rf);
+ }
+ }
scripts-gdb-fix-timerlist-parsing-issue.patch
scripts-gdb-add-iteration-function-for-rbtree.patch
scripts-gdb-fix-lx-mounts-command-error.patch
+arm64-fix-selection-of-have_dynamic_ftrace_with_args.patch
+arm64-subscribe-microsoft-azure-cobalt-100-to-erratum-3194386.patch
+drm-xe-fix-uaf-around-queue-destruction.patch
+drm-xe-oa-don-t-reset-oac_context_enable-on-oa-stream-close.patch
+sched-deadline-comment-sched_dl_entity-dl_server-variable.patch
+sched-core-add-clearing-of-dl_server-in-put_prev_task_balance.patch
+sched-core-clear-prev-dl_server-in-cfs-pick-fast-path.patch
+sched-psi-fix-bogus-pressure-spikes-from-aggregation-race.patch
+riscv-define-illegal_pointer_value-for-64bit.patch
+exfat-fix-memory-leak-in-exfat_load_bitmap.patch
+perf-python-disable-wno-cast-function-type-mismatch-if-present-on-clang.patch
+perf-hist-update-hist-symbol-when-updating-maps.patch
+nfsd-fix-delegation_blocked-to-block-correctly-for-at-least-30-seconds.patch
+nfsd-map-the-ebadmsg-to-nfserr_io-to-avoid-warning.patch
+nfsd-fix-nfsv4-s-putpubfh-operation.patch
+i3c-master-svc-fix-use-after-free-vulnerability-in-svc_i3c_master-driver-due-to-race-condition.patch
+sysctl-avoid-spurious-permanent-empty-tables.patch
+rdma-mana_ib-use-the-correct-page-table-index-based-on-hardware-page-size.patch
+rdma-mana_ib-use-the-correct-page-size-for-mapping-user-mode-doorbell-page.patch
--- /dev/null
+From 559d4c6a9d3b60f239493239070eb304edaea594 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= <linux@weissschuh.net>
+Date: Mon, 5 Aug 2024 11:39:35 +0200
+Subject: sysctl: avoid spurious permanent empty tables
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <linux@weissschuh.net>
+
+commit 559d4c6a9d3b60f239493239070eb304edaea594 upstream.
+
+The test if a table is a permanently empty one, inspects the address of
+the registered ctl_table argument.
+However as sysctl_mount_point is an empty array and does not occupy and
+space it can end up sharing an address with another object in memory.
+If that other object itself is a "struct ctl_table" then registering
+that table will fail as it's incorrectly recognized as permanently empty.
+
+Avoid this issue by adding a dummy element to the array so that is not
+empty anymore.
+Explicitly register the table with zero elements as otherwise the dummy
+element would be recognized as a sentinel element which would lead to a
+runtime warning from the sysctl core.
+
+While the issue seems not being encountered at this time, this seems
+mostly to be due to luck.
+Also a future change, constifying sysctl_mount_point and root_table, can
+reliably trigger this issue on clang 18.
+
+Given that empty arrays are non-standard in the first place it seems
+prudent to avoid them if possible.
+
+Fixes: 4a7b29f65094 ("sysctl: move sysctl type to ctl_table_header")
+Fixes: a35dd3a786f5 ("sysctl: drop now unnecessary out-of-bounds check")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Closes: https://lore.kernel.org/oe-lkp/202408051453.f638857e-lkp@intel.com
+Signed-off-by: Joel Granados <j.granados@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/proc_sysctl.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/fs/proc/proc_sysctl.c
++++ b/fs/proc/proc_sysctl.c
+@@ -29,8 +29,13 @@ static const struct inode_operations pro
+ static const struct file_operations proc_sys_dir_file_operations;
+ static const struct inode_operations proc_sys_dir_operations;
+
+-/* Support for permanently empty directories */
+-static struct ctl_table sysctl_mount_point[] = { };
++/*
++ * Support for permanently empty directories.
++ * Must be non-empty to avoid sharing an address with other tables.
++ */
++static struct ctl_table sysctl_mount_point[] = {
++ { }
++};
+
+ /**
+ * register_sysctl_mount_point() - registers a sysctl mount point
+@@ -42,7 +47,7 @@ static struct ctl_table sysctl_mount_poi
+ */
+ struct ctl_table_header *register_sysctl_mount_point(const char *path)
+ {
+- return register_sysctl(path, sysctl_mount_point);
++ return register_sysctl_sz(path, sysctl_mount_point, 0);
+ }
+ EXPORT_SYMBOL(register_sysctl_mount_point);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
