--- /dev/null
+From 2699107989431d6db44f8a9e809ea74c387336d1 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Tue, 4 Apr 2023 13:02:48 +0200
+Subject: ACPI: video: Add acpi_backlight=video quirk for Apple iMac14,1 and iMac14,2
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 2699107989431d6db44f8a9e809ea74c387336d1 upstream.
+
+On the Apple iMac14,1 and iMac14,2 all-in-ones (monitors with builtin "PC")
+the connection between the GPU and the panel is seen by the GPU driver as
+regular DP instead of eDP, causing the GPU driver to never call
+acpi_video_register_backlight().
+
+(GPU drivers only call acpi_video_register_backlight() when an internal
+ panel is detected, to avoid non working acpi_video# devices getting
+ registered on desktops which unfortunately is a real issue.)
+
+Fix the missing acpi_video# backlight device on these all-in-ones by
+adding a acpi_backlight=video DMI quirk, so that video.ko will
+immediately register the backlight device instead of waiting for
+an acpi_video_register_backlight() call.
+
+Fixes: 5aa9d943e9b6 ("ACPI: video: Don't enable fallback path for creating ACPI backlight by default")
+Cc: All applicable <stable@vger.kernel.org>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/video_detect.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+--- a/drivers/acpi/video_detect.c
++++ b/drivers/acpi/video_detect.c
+@@ -277,6 +277,29 @@ static const struct dmi_system_id video_
+ },
+
+ /*
++ * Models which need acpi_video backlight control where the GPU drivers
++ * do not call acpi_video_register_backlight() because no internal panel
++ * is detected. Typically these are all-in-ones (monitors with builtin
++ * PC) where the panel connection shows up as regular DP instead of eDP.
++ */
++ {
++ .callback = video_detect_force_video,
++ /* Apple iMac14,1 */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Apple Inc."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "iMac14,1"),
++ },
++ },
++ {
++ .callback = video_detect_force_video,
++ /* Apple iMac14,2 */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Apple Inc."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "iMac14,2"),
++ },
++ },
++
++ /*
+ * These models have a working acpi_video backlight control, and using
+ * native backlight causes a regression where backlight does not work
+ * when userspace is not handling brightness key events. Disable
--- /dev/null
+From a5b2781dcab2c77979a4b8adda781d2543580901 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Tue, 4 Apr 2023 13:02:49 +0200
+Subject: ACPI: video: Add acpi_backlight=video quirk for Lenovo ThinkPad W530
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit a5b2781dcab2c77979a4b8adda781d2543580901 upstream.
+
+The Lenovo ThinkPad W530 uses a nvidia k1000m GPU. When this gets used
+together with one of the older nvidia binary driver series (the latest
+series does not support it), then backlight control does not work.
+
+This is caused by commit 3dbc80a3e4c5 ("ACPI: video: Make backlight
+class device registration a separate step (v2)") combined with
+commit 5aa9d943e9b6 ("ACPI: video: Don't enable fallback path for
+creating ACPI backlight by default").
+
+After these changes the acpi_video# backlight device is only registered
+when requested by a GPU driver calling acpi_video_register_backlight()
+which the nvidia binary driver does not do.
+
+I realize that using the nvidia binary driver is not a supported use-case
+and users can workaround this by adding acpi_backlight=video on the kernel
+commandline, but the ThinkPad W530 is a popular model under Linux users,
+so it seems worthwhile to add a quirk for this.
+
+I will also email Nvidia asking them to make the driver call
+acpi_video_register_backlight() when an internal LCD panel is detected.
+So maybe the next maintenance release of the drivers will fix this...
+
+Fixes: 5aa9d943e9b6 ("ACPI: video: Don't enable fallback path for creating ACPI backlight by default")
+Cc: All applicable <stable@vger.kernel.org>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/video_detect.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/acpi/video_detect.c
++++ b/drivers/acpi/video_detect.c
+@@ -300,6 +300,20 @@ static const struct dmi_system_id video_
+ },
+
+ /*
++ * Older models with nvidia GPU which need acpi_video backlight
++ * control and where the old nvidia binary driver series does not
++ * call acpi_video_register_backlight().
++ */
++ {
++ .callback = video_detect_force_video,
++ /* ThinkPad W530 */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad W530"),
++ },
++ },
++
++ /*
+ * These models have a working acpi_video backlight control, and using
+ * native backlight causes a regression where backlight does not work
+ * when userspace is not handling brightness key events. Disable
--- /dev/null
+From 78dfc9d1d1abb9e400386fa9c5724a8f7d75e3b9 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Tue, 4 Apr 2023 13:02:46 +0200
+Subject: ACPI: video: Add auto_detect arg to __acpi_video_get_backlight_type()
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 78dfc9d1d1abb9e400386fa9c5724a8f7d75e3b9 upstream.
+
+Allow callers of __acpi_video_get_backlight_type() to pass a pointer
+to a bool which will get set to false if the backlight-type comes from
+the cmdline or a DMI quirk and set to true if auto-detection was used.
+
+And make __acpi_video_get_backlight_type() non static so that it can
+be called directly outside of video_detect.c .
+
+While at it turn the acpi_video_get_backlight_type() and
+acpi_video_backlight_use_native() wrappers into static inline functions
+in include/acpi/video.h, so that we need to export one less symbol.
+
+Fixes: 5aa9d943e9b6 ("ACPI: video: Don't enable fallback path for creating ACPI backlight by default")
+Cc: All applicable <stable@vger.kernel.org>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/video_detect.c | 21 ++++++++-------------
+ include/acpi/video.h | 15 +++++++++++++--
+ 2 files changed, 21 insertions(+), 15 deletions(-)
+
+--- a/drivers/acpi/video_detect.c
++++ b/drivers/acpi/video_detect.c
+@@ -774,7 +774,7 @@ static bool prefer_native_over_acpi_vide
+ * Determine which type of backlight interface to use on this system,
+ * First check cmdline, then dmi quirks, then do autodetect.
+ */
+-static enum acpi_backlight_type __acpi_video_get_backlight_type(bool native)
++enum acpi_backlight_type __acpi_video_get_backlight_type(bool native, bool *auto_detect)
+ {
+ static DEFINE_MUTEX(init_mutex);
+ static bool nvidia_wmi_ec_present;
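Review bot: The comment above `__acpi_video_get_backlight_type()` still describes only the lookup order and does not mention the new `auto_detect` out-parameter, even though the function is now non-static and exported. I would extend that comment with something like `@auto_detect: optional, may be NULL; set to false when the type comes from the cmdline or a DMI quirk, true when auto-detection decided`. It should also say that callers are expected to go through the inline wrappers in include/acpi/video.h unless they need that flag. The function body continues outside this hunk.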
+@@ -799,6 +799,9 @@ static enum acpi_backlight_type __acpi_v
+ native_available = true;
+ mutex_unlock(&init_mutex);
+
++ if (auto_detect)
++ *auto_detect = false;
++
+ /*
+ * The below heuristics / detection steps are in order of descending
+ * presedence. The commandline takes presedence over anything else.
+@@ -810,6 +813,9 @@ static enum acpi_backlight_type __acpi_v
+ if (acpi_backlight_dmi != acpi_backlight_undef)
+ return acpi_backlight_dmi;
+
++ if (auto_detect)
++ *auto_detect = true;
++
+ /* Special cases such as nvidia_wmi_ec and apple gmux. */
+ if (nvidia_wmi_ec_present)
+ return acpi_backlight_nvidia_wmi_ec;
+@@ -829,15 +835,4 @@ static enum acpi_backlight_type __acpi_v
+ /* No ACPI video/native (old hw), use vendor specific fw methods. */
+ return acpi_backlight_vendor;
+ }
+-
+-enum acpi_backlight_type acpi_video_get_backlight_type(void)
+-{
+- return __acpi_video_get_backlight_type(false);
+-}
+-EXPORT_SYMBOL(acpi_video_get_backlight_type);
+-
+-bool acpi_video_backlight_use_native(void)
+-{
+- return __acpi_video_get_backlight_type(true) == acpi_backlight_native;
+-}
+-EXPORT_SYMBOL(acpi_video_backlight_use_native);
++EXPORT_SYMBOL(__acpi_video_get_backlight_type);
+--- a/include/acpi/video.h
++++ b/include/acpi/video.h
+@@ -59,8 +59,6 @@ extern void acpi_video_unregister(void);
+ extern void acpi_video_register_backlight(void);
+ extern int acpi_video_get_edid(struct acpi_device *device, int type,
+ int device_id, void **edid);
+-extern enum acpi_backlight_type acpi_video_get_backlight_type(void);
+-extern bool acpi_video_backlight_use_native(void);
+ /*
+ * Note: The value returned by acpi_video_handles_brightness_key_presses()
+ * may change over time and should not be cached.
+@@ -69,6 +67,19 @@ extern bool acpi_video_handles_brightnes
+ extern int acpi_video_get_levels(struct acpi_device *device,
+ struct acpi_video_device_brightness **dev_br,
+ int *pmax_level);
++
++extern enum acpi_backlight_type __acpi_video_get_backlight_type(bool native,
++ bool *auto_detect);
++
++static inline enum acpi_backlight_type acpi_video_get_backlight_type(void)
++{
++ return __acpi_video_get_backlight_type(false, NULL);
++}
++
++static inline bool acpi_video_backlight_use_native(void)
++{
++ return __acpi_video_get_backlight_type(true, NULL) == acpi_backlight_native;
++}
+ #else
+ static inline void acpi_video_report_nolcd(void) { return; };
+ static inline int acpi_video_register(void) { return -ENODEV; }
--- /dev/null
+From e506731c8f35699d746c615164ed620cd53c00ca Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Tue, 4 Apr 2023 13:02:47 +0200
+Subject: ACPI: video: Make acpi_backlight=video work independent from GPU driver
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit e506731c8f35699d746c615164ed620cd53c00ca upstream.
+
+Commit 3dbc80a3e4c5 ("ACPI: video: Make backlight class device
+registration a separate step (v2)") combined with
+commit 5aa9d943e9b6 ("ACPI: video: Don't enable fallback path for
+creating ACPI backlight by default")
+
+Means that the video.ko code now fully depends on the GPU driver calling
+acpi_video_register_backlight() for the acpi_video# backlight class
+devices to get registered.
+
+This means that if the GPU driver does not do this, acpi_backlight=video
+on the cmdline, or DMI quirks for selecting acpi_video# will not work.
+
+This is a problem on for example Apple iMac14,1 all-in-ones where
+the monitor's LCD panel shows up as a regular DP connection instead of
+eDP so the GPU driver will not call acpi_video_register_backlight() [1].
+
+Fix this by making video.ko directly register the acpi_video# devices
+when these have been explicitly requested either on the cmdline or
+through DMI quirks (rather than auto-detection being used).
+
+[1] GPU drivers only call acpi_video_register_backlight() when an internal
+panel is detected, to avoid non working acpi_video# devices getting
+registered on desktops which unfortunately is a real issue.
+
+Fixes: 5aa9d943e9b6 ("ACPI: video: Don't enable fallback path for creating ACPI backlight by default")
+Cc: All applicable <stable@vger.kernel.org>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/acpi_video.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/acpi/acpi_video.c
++++ b/drivers/acpi/acpi_video.c
+@@ -1984,6 +1984,7 @@ static int instance;
+ static int acpi_video_bus_add(struct acpi_device *device)
+ {
+ struct acpi_video_bus *video;
++ bool auto_detect;
+ int error;
+ acpi_status status;
+
+@@ -2045,10 +2046,20 @@ static int acpi_video_bus_add(struct acp
+ mutex_unlock(&video_list_lock);
+
+ /*
+- * The userspace visible backlight_device gets registered separately
+- * from acpi_video_register_backlight().
++ * If backlight-type auto-detection is used then a native backlight may
++ * show up later and this may change the result from video to native.
++ * Therefor normally the userspace visible /sys/class/backlight device
++ * gets registered separately by the GPU driver calling
++ * acpi_video_register_backlight() when an internal panel is detected.
++ * Register the backlight now when not using auto-detection, so that
++ * when the kernel cmdline or DMI-quirks are used the backlight will
++ * get registered even if acpi_video_register_backlight() is not called.
+ */
+ acpi_video_run_bcl_for_osi(video);
++ if (__acpi_video_get_backlight_type(false, &auto_detect) == acpi_backlight_video &&
++ !auto_detect)
++ acpi_video_bus_register_backlight(video);
++
+ acpi_video_bus_add_notify_handler(video);
+
+ return 0;
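Review bot: `bool auto_detect;` is declared uninitialised in the first hunk of acpi_video_bus_add() and then read in the new `if`, so the code relies on `__acpi_video_get_backlight_type()` writing it on every return path. The video_detect.c hunks show the store placed before the cmdline and DMI returns, but the code before that store is not visible here. Initialising to the conservative value, `bool auto_detect = true;`, keeps the early registration from happening by accident if a return is ever added ahead of the store. The result of `acpi_video_bus_register_backlight(video)` is also dropped; if it returns a status (its prototype is not on this page), a failure should at least be logged.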
--- /dev/null
+From f6887a71bdd2f0dcba9b8180dd2223cfa8637e85 Mon Sep 17 00:00:00 2001
+From: Jason Montleon <jmontleo@redhat.com>
+Date: Fri, 24 Mar 2023 13:07:11 -0400
+Subject: ASoC: hdac_hdmi: use set_stream() instead of set_tdm_slots()
+
+From: Jason Montleon <jmontleo@redhat.com>
+
+commit f6887a71bdd2f0dcba9b8180dd2223cfa8637e85 upstream.
+
+hdac_hdmi was not updated to use set_stream() instead of set_tdm_slots()
+in the original commit so HDMI no longer produces audio.
+
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/regressions/CAJD_bPKQdtaExvVEKxhQ47G-ZXDA=k+gzhMJRHLBe=mysPnuKA@mail.gmail.com/
+Fixes: 636110411ca7 ("ASoC: Intel/SOF: use set_stream() instead of set_tdm_slots() for HDAudio")
+Signed-off-by: Jason Montleon <jmontleo@redhat.com>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Link: https://lore.kernel.org/r/20230324170711.2526-1-jmontleo@redhat.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/codecs/hdac_hdmi.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+--- a/sound/soc/codecs/hdac_hdmi.c
++++ b/sound/soc/codecs/hdac_hdmi.c
+@@ -436,23 +436,28 @@ static int hdac_hdmi_setup_audio_infofra
+ return 0;
+ }
+
+-static int hdac_hdmi_set_tdm_slot(struct snd_soc_dai *dai,
+- unsigned int tx_mask, unsigned int rx_mask,
+- int slots, int slot_width)
++static int hdac_hdmi_set_stream(struct snd_soc_dai *dai,
++ void *stream, int direction)
+ {
+ struct hdac_hdmi_priv *hdmi = snd_soc_dai_get_drvdata(dai);
+ struct hdac_device *hdev = hdmi->hdev;
+ struct hdac_hdmi_dai_port_map *dai_map;
+ struct hdac_hdmi_pcm *pcm;
++ struct hdac_stream *hstream;
+
+- dev_dbg(&hdev->dev, "%s: strm_tag: %d\n", __func__, tx_mask);
++ if (!stream)
++ return -EINVAL;
++
++ hstream = (struct hdac_stream *)stream;
++
++ dev_dbg(&hdev->dev, "%s: strm_tag: %d\n", __func__, hstream->stream_tag);
+
+ dai_map = &hdmi->dai_map[dai->id];
+
+ pcm = hdac_hdmi_get_pcm_from_cvt(hdmi, dai_map->cvt);
+
+ if (pcm)
+- pcm->stream_tag = (tx_mask << 4);
++ pcm->stream_tag = (hstream->stream_tag << 4);
+
+ return 0;
+ }
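Review bot: In hdac_hdmi_set_stream() the `if (!stream) return -EINVAL;` check returns before `pcm->stream_tag` is touched. A caller that passes a NULL stream to detach would therefore get an error and leave the previous tag in place; whether any caller does so is not visible in this hunk. If detaching is a valid call for this DAI, it should clear the tag and return 0 instead. The cast from `void *` is unnecessary in C, so `hstream = stream;` is enough. The ignored `direction` argument deserves a one-line comment saying it is intentionally unused.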
+@@ -1544,7 +1549,7 @@ static const struct snd_soc_dai_ops hdmi
+ .startup = hdac_hdmi_pcm_open,
+ .shutdown = hdac_hdmi_pcm_close,
+ .hw_params = hdac_hdmi_set_hw_params,
+- .set_tdm_slot = hdac_hdmi_set_tdm_slot,
++ .set_stream = hdac_hdmi_set_stream,
+ };
+
+ /*
--- /dev/null
+From e3720f92e0237921da537e47a0b24e27899203f8 Mon Sep 17 00:00:00 2001
+From: Guennadi Liakhovetski <guennadi.liakhovetski@linux.intel.com>
+Date: Wed, 29 Mar 2023 14:38:28 +0300
+Subject: ASoC: SOF: avoid a NULL dereference with unsupported widgets
+
+From: Guennadi Liakhovetski <guennadi.liakhovetski@linux.intel.com>
+
+commit e3720f92e0237921da537e47a0b24e27899203f8 upstream.
+
+If an IPC4 topology contains an unsupported widget, its .module_info
+field won't be set, then sof_ipc4_route_setup() will cause a kernel
+Oops trying to dereference it. Add a check for such cases.
+
+Cc: stable@vger.kernel.org # 6.2
+Signed-off-by: Guennadi Liakhovetski <guennadi.liakhovetski@linux.intel.com>
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Link: https://lore.kernel.org/r/20230329113828.28562-1-peter.ujfalusi@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/sof/ipc4-topology.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/sound/soc/sof/ipc4-topology.c
++++ b/sound/soc/sof/ipc4-topology.c
+@@ -1686,6 +1686,14 @@ static int sof_ipc4_route_setup(struct s
+ u32 header, extension;
+ int ret;
+
++ if (!src_fw_module || !sink_fw_module) {
++ /* The NULL module will print as "(efault)" */
++ dev_err(sdev->dev, "source %s or sink %s widget weren't set up properly\n",
++ src_fw_module->man4_module_entry.name,
++ sink_fw_module->man4_module_entry.name);
++ return -ENODEV;
++ }
++
+ sroute->src_queue_id = sof_ipc4_get_queue_id(src_widget, sink_widget,
+ SOF_PIN_TYPE_SOURCE);
+ if (sroute->src_queue_id < 0) {
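Review bot: The new error path in sof_ipc4_route_setup() still forms `src_fw_module->man4_module_entry.name` and `sink_fw_module->man4_module_entry.name` from the pointer that was just found to be NULL. It relies on `%s` printing "(efault)" for the resulting bad address, as the added comment admits. That is member access through a NULL pointer, which is undefined behaviour, and if `name` were ever changed from an embedded array to a pointer it would become a real load. The log also fails to identify the broken widget. Printing the widget names avoids both problems: `dev_err(sdev->dev, "cannot bind %s -> %s, no firmware module for:%s%s\n", src_widget->widget->name, sink_widget->widget->name, src_fw_module ? "" : " source", sink_fw_module ? "" : " sink");`. The function continues outside this hunk.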
--- /dev/null
+From 051737439eaee5bdd03d3c2ef5510d54a478fd05 Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Fri, 31 Mar 2023 15:19:35 +0200
+Subject: can: isotp: fix race between isotp_sendsmg() and isotp_release()
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+commit 051737439eaee5bdd03d3c2ef5510d54a478fd05 upstream.
+
+As discussed with Dae R. Jeong and Hillf Danton here [1] the sendmsg()
+function in isotp.c might get into a race condition when restoring the
+former tx.state from the old_state.
+
+Remove the old_state concept and implement proper locking for the
+ISOTP_IDLE transitions in isotp_sendmsg(), inspired by a
+simplification idea from Hillf Danton.
+
+Introduce a new tx.state ISOTP_SHUTDOWN and use the same locking
+mechanism from isotp_release() which resolves a potential race between
+isotp_sendmsg() and isotp_release().
+
+[1] https://lore.kernel.org/linux-can/ZB%2F93xJxq%2FBUqAgG@dragonet
+
+v1: https://lore.kernel.org/all/20230331102114.15164-1-socketcan@hartkopp.net
+v2: https://lore.kernel.org/all/20230331123600.3550-1-socketcan@hartkopp.net
+ take care of signal interrupts for wait_event_interruptible() in
+ isotp_release()
+v3: https://lore.kernel.org/all/20230331130654.9886-1-socketcan@hartkopp.net
+ take care of signal interrupts for wait_event_interruptible() in
+ isotp_sendmsg() in the wait_tx_done case
+v4: https://lore.kernel.org/all/20230331131935.21465-1-socketcan@hartkopp.net
+ take care of signal interrupts for wait_event_interruptible() in
+ isotp_sendmsg() in ALL cases
+
+Cc: Dae R. Jeong <threeearcat@gmail.com>
+Cc: Hillf Danton <hdanton@sina.com>
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Fixes: 4f027cba8216 ("can: isotp: split tx timer into transmission and timeout")
+Link: https://lore.kernel.org/all/20230331131935.21465-1-socketcan@hartkopp.net
+Cc: stable@vger.kernel.org
+[mkl: rephrase commit message]
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/isotp.c | 55 +++++++++++++++++++++++++++++++------------------------
+ 1 file changed, 31 insertions(+), 24 deletions(-)
+
+--- a/net/can/isotp.c
++++ b/net/can/isotp.c
+@@ -119,7 +119,8 @@ enum {
+ ISOTP_WAIT_FIRST_FC,
+ ISOTP_WAIT_FC,
+ ISOTP_WAIT_DATA,
+- ISOTP_SENDING
++ ISOTP_SENDING,
++ ISOTP_SHUTDOWN,
+ };
+
+ struct tpcon {
+@@ -880,8 +881,8 @@ static enum hrtimer_restart isotp_tx_tim
+ txtimer);
+ struct sock *sk = &so->sk;
+
+- /* don't handle timeouts in IDLE state */
+- if (so->tx.state == ISOTP_IDLE)
++ /* don't handle timeouts in IDLE or SHUTDOWN state */
++ if (so->tx.state == ISOTP_IDLE || so->tx.state == ISOTP_SHUTDOWN)
+ return HRTIMER_NORESTART;
+
+ /* we did not get any flow control or echo frame in time */
+@@ -918,7 +919,6 @@ static int isotp_sendmsg(struct socket *
+ {
+ struct sock *sk = sock->sk;
+ struct isotp_sock *so = isotp_sk(sk);
+- u32 old_state = so->tx.state;
+ struct sk_buff *skb;
+ struct net_device *dev;
+ struct canfd_frame *cf;
+@@ -928,23 +928,24 @@ static int isotp_sendmsg(struct socket *
+ int off;
+ int err;
+
+- if (!so->bound)
++ if (!so->bound || so->tx.state == ISOTP_SHUTDOWN)
+ return -EADDRNOTAVAIL;
+
++wait_free_buffer:
+ /* we do not support multiple buffers - for now */
+- if (cmpxchg(&so->tx.state, ISOTP_IDLE, ISOTP_SENDING) != ISOTP_IDLE ||
+- wq_has_sleeper(&so->wait)) {
+- if (msg->msg_flags & MSG_DONTWAIT) {
+- err = -EAGAIN;
+- goto err_out;
+- }
++ if (wq_has_sleeper(&so->wait) && (msg->msg_flags & MSG_DONTWAIT))
++ return -EAGAIN;
+
+- /* wait for complete transmission of current pdu */
+- err = wait_event_interruptible(so->wait, so->tx.state == ISOTP_IDLE);
+- if (err)
+- goto err_out;
++ /* wait for complete transmission of current pdu */
++ err = wait_event_interruptible(so->wait, so->tx.state == ISOTP_IDLE);
++ if (err)
++ goto err_event_drop;
++
++ if (cmpxchg(&so->tx.state, ISOTP_IDLE, ISOTP_SENDING) != ISOTP_IDLE) {
++ if (so->tx.state == ISOTP_SHUTDOWN)
++ return -EADDRNOTAVAIL;
+
+- so->tx.state = ISOTP_SENDING;
++ goto wait_free_buffer;
+ }
+
+ if (!size || size > MAX_MSG_LENGTH) {
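Review bot: With `MSG_DONTWAIT` set, the new entry sequence in isotp_sendmsg() returns -EAGAIN only when `wq_has_sleeper(&so->wait)` is true. If a transfer is in progress but nobody is sleeping on the queue, a non-blocking caller falls through to `wait_event_interruptible()` and blocks until the state returns to ISOTP_IDLE. The old code returned -EAGAIN whenever the cmpxchg failed. Making the cmpxchg the loop condition and checking the flag inside the loop restores that behaviour and removes the label and backward `goto`. The rest of the function is outside this hunk.
```c
	/* we do not support multiple buffers - for now */
	while (cmpxchg(&so->tx.state, ISOTP_IDLE, ISOTP_SENDING) != ISOTP_IDLE) {
		if (msg->msg_flags & MSG_DONTWAIT)
			return -EAGAIN;

		if (so->tx.state == ISOTP_SHUTDOWN)
			return -EADDRNOTAVAIL;

		/* wait for complete transmission of current pdu */
		err = wait_event_interruptible(so->wait, so->tx.state == ISOTP_IDLE);
		if (err)
			goto err_event_drop;
	}
	/* … unchanged: size check and PDU setup … */
```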
+@@ -1074,7 +1075,9 @@ static int isotp_sendmsg(struct socket *
+
+ if (wait_tx_done) {
+ /* wait for complete transmission of current pdu */
+- wait_event_interruptible(so->wait, so->tx.state == ISOTP_IDLE);
++ err = wait_event_interruptible(so->wait, so->tx.state == ISOTP_IDLE);
++ if (err)
++ goto err_event_drop;
+
+ if (sk->sk_err)
+ return -sk->sk_err;
+@@ -1082,13 +1085,15 @@ static int isotp_sendmsg(struct socket *
+
+ return size;
+
++err_event_drop:
++ /* got signal: force tx state machine to be idle */
++ so->tx.state = ISOTP_IDLE;
++ hrtimer_cancel(&so->txfrtimer);
++ hrtimer_cancel(&so->txtimer);
+ err_out_drop:
+ /* drop this PDU and unlock a potential wait queue */
+- old_state = ISOTP_IDLE;
+-err_out:
+- so->tx.state = old_state;
+- if (so->tx.state == ISOTP_IDLE)
+- wake_up_interruptible(&so->wait);
++ so->tx.state = ISOTP_IDLE;
++ wake_up_interruptible(&so->wait);
+
+ return err;
+ }
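Review bot: `err_event_drop` forces `so->tx.state = ISOTP_IDLE` and cancels both tx timers, but it is also the target of the `goto` taken when the first wait at the top of isotp_sendmsg() is interrupted. At that point the caller has not yet claimed the state with cmpxchg, so a signal delivered to a sender that is only queued would reset a transfer owned by another sender on the same socket. For that first wait a plain `return err;` looks safer, keeping `err_event_drop` for the `wait_tx_done` case where this caller owns the transfer. The label comment should state that ownership assumption.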
+@@ -1150,10 +1155,12 @@ static int isotp_release(struct socket *
+ net = sock_net(sk);
+
+ /* wait for complete transmission of current pdu */
+- wait_event_interruptible(so->wait, so->tx.state == ISOTP_IDLE);
++ while (wait_event_interruptible(so->wait, so->tx.state == ISOTP_IDLE) == 0 &&
++ cmpxchg(&so->tx.state, ISOTP_IDLE, ISOTP_SHUTDOWN) != ISOTP_IDLE)
++ ;
+
+ /* force state machines to be idle also when a signal occurred */
+- so->tx.state = ISOTP_IDLE;
++ so->tx.state = ISOTP_SHUTDOWN;
+ so->rx.state = ISOTP_IDLE;
+
+ spin_lock(&isotp_notifier_lock);
--- /dev/null
+From 79e19fa79cb5d5f1b3bf3e3ae24989ccb93c7b7b Mon Sep 17 00:00:00 2001
+From: Michal Sojka <michal.sojka@cvut.cz>
+Date: Fri, 31 Mar 2023 14:55:11 +0200
+Subject: can: isotp: isotp_ops: fix poll() to not report false EPOLLOUT events
+
+From: Michal Sojka <michal.sojka@cvut.cz>
+
+commit 79e19fa79cb5d5f1b3bf3e3ae24989ccb93c7b7b upstream.
+
+When using select()/poll()/epoll() with a non-blocking ISOTP socket to
+wait for when non-blocking write is possible, a false EPOLLOUT event
+is sometimes returned. This can happen at least after sending a
+message which must be split to multiple CAN frames.
+
+The reason is that isotp_sendmsg() returns -EAGAIN when tx.state is
+not equal to ISOTP_IDLE and this behavior is not reflected in
+datagram_poll(), which is used in isotp_ops.
+
+This is fixed by introducing ISOTP-specific poll function, which
+suppresses the EPOLLOUT events in that case.
+
+v2: https://lore.kernel.org/all/20230302092812.320643-1-michal.sojka@cvut.cz
+v1: https://lore.kernel.org/all/20230224010659.48420-1-michal.sojka@cvut.cz
+ https://lore.kernel.org/all/b53a04a2-ba1f-3858-84c1-d3eb3301ae15@hartkopp.net
+
+Signed-off-by: Michal Sojka <michal.sojka@cvut.cz>
+Reported-by: Jakub Jira <jirajak2@fel.cvut.cz>
+Tested-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Fixes: e057dd3fc20f ("can: add ISO 15765-2:2016 transport protocol")
+Link: https://lore.kernel.org/all/20230331125511.372783-1-michal.sojka@cvut.cz
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/isotp.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/net/can/isotp.c
++++ b/net/can/isotp.c
+@@ -1615,6 +1615,21 @@ static int isotp_init(struct sock *sk)
+ return 0;
+ }
+
++static __poll_t isotp_poll(struct file *file, struct socket *sock, poll_table *wait)
++{
++ struct sock *sk = sock->sk;
++ struct isotp_sock *so = isotp_sk(sk);
++
++ __poll_t mask = datagram_poll(file, sock, wait);
++ poll_wait(file, &so->wait, wait);
++
++ /* Check for false positives due to TX state */
++ if ((mask & EPOLLWRNORM) && (so->tx.state != ISOTP_IDLE))
++ mask &= ~(EPOLLOUT | EPOLLWRNORM);
++
++ return mask;
++}
++
+ static int isotp_sock_no_ioctlcmd(struct socket *sock, unsigned int cmd,
+ unsigned long arg)
+ {
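Review bot: isotp_poll() clears `EPOLLOUT | EPOLLWRNORM` when the socket is not idle, but a writable mask from datagram_poll() normally also carries `EPOLLWRBAND` (datagram_poll's body is not on this page, so confirm). A poller waiting on that bit would still see a false writable event, and `mask &= ~(EPOLLOUT | EPOLLWRNORM | EPOLLWRBAND);` would cover it. `so->tx.state` is read here without any lock while isotp_sendmsg() updates it with cmpxchg, so `READ_ONCE(so->tx.state)` would make the lockless read explicit. As a style matter, `__poll_t mask` should be declared with the other locals, followed by a blank line before `poll_wait()`.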
+@@ -1630,7 +1645,7 @@ static const struct proto_ops isotp_ops
+ .socketpair = sock_no_socketpair,
+ .accept = sock_no_accept,
+ .getname = isotp_getname,
+- .poll = datagram_poll,
++ .poll = isotp_poll,
+ .ioctl = isotp_sock_no_ioctlcmd,
+ .gettstamp = sock_gettstamp,
+ .listen = sock_no_listen,
--- /dev/null
+From 0145462fc802cd447ef5d029758043c7f15b4b1e Mon Sep 17 00:00:00 2001
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+Date: Thu, 30 Mar 2023 19:02:48 +0200
+Subject: can: isotp: isotp_recvmsg(): use sock_recv_cmsgs() to get SOCK_RXQ_OVFL infos
+
+From: Oliver Hartkopp <socketcan@hartkopp.net>
+
+commit 0145462fc802cd447ef5d029758043c7f15b4b1e upstream.
+
+isotp.c was still using sock_recv_timestamp() which does not provide
+control messages to detect dropped PDUs in the receive path.
+
+Fixes: e057dd3fc20f ("can: add ISO 15765-2:2016 transport protocol")
+Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Link: https://lore.kernel.org/all/20230330170248.62342-1-socketcan@hartkopp.net
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/isotp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/can/isotp.c
++++ b/net/can/isotp.c
+@@ -1125,7 +1125,7 @@ static int isotp_recvmsg(struct socket *
+ if (ret < 0)
+ goto out_err;
+
+- sock_recv_timestamp(msg, sk, skb);
++ sock_recv_cmsgs(msg, sk, skb);
+
+ if (msg->msg_name) {
+ __sockaddr_check_size(ISOTP_MIN_NAMELEN);
--- /dev/null
+From b45193cb4df556fe6251b285a5ce44046dd36b4a Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+Date: Tue, 4 Apr 2023 09:31:28 +0200
+Subject: can: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+commit b45193cb4df556fe6251b285a5ce44046dd36b4a upstream.
+
+In the j1939_tp_tx_dat_new() function, an out-of-bounds memory access
+could occur during the memcpy() operation if the size of skb->cb is
+larger than the size of struct j1939_sk_buff_cb. This is because the
+memcpy() operation uses the size of skb->cb, leading to a read beyond
+the struct j1939_sk_buff_cb.
+
+Updated the memcpy() operation to use the size of struct
+j1939_sk_buff_cb instead of the size of skb->cb. This ensures that the
+memcpy() operation only reads the memory within the bounds of struct
+j1939_sk_buff_cb, preventing out-of-bounds memory access.
+
+Additionally, add a BUILD_BUG_ON() to check that the size of skb->cb
+is greater than or equal to the size of struct j1939_sk_buff_cb. This
+ensures that the skb->cb buffer is large enough to hold the
+j1939_sk_buff_cb structure.
+
+Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
+Reported-by: Shuangpeng Bai <sjb7183@psu.edu>
+Tested-by: Shuangpeng Bai <sjb7183@psu.edu>
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://groups.google.com/g/syzkaller/c/G_LL-C3plRs/m/-8xCi6dCAgAJ
+Link: https://lore.kernel.org/all/20230404073128.3173900-1-o.rempel@pengutronix.de
+Cc: stable@vger.kernel.org
+[mkl: rephrase commit message]
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/j1939/transport.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/can/j1939/transport.c
++++ b/net/can/j1939/transport.c
+@@ -604,7 +604,10 @@ sk_buff *j1939_tp_tx_dat_new(struct j193
+ /* reserve CAN header */
+ skb_reserve(skb, offsetof(struct can_frame, data));
+
+- memcpy(skb->cb, re_skcb, sizeof(skb->cb));
++ /* skb->cb must be large enough to hold a j1939_sk_buff_cb structure */
++ BUILD_BUG_ON(sizeof(skb->cb) < sizeof(*re_skcb));
++
++ memcpy(skb->cb, re_skcb, sizeof(*re_skcb));
+ skcb = j1939_skb_to_cb(skb);
+ if (swap_src_dst)
+ j1939_skbcb_swap(skcb);
--- /dev/null
+From cb2239c198ad9fbd5aced22cf93e45562da781eb Mon Sep 17 00:00:00 2001
+From: Christian Brauner <brauner@kernel.org>
+Date: Thu, 30 Mar 2023 09:13:16 +0200
+Subject: fs: drop peer group ids under namespace lock
+
+From: Christian Brauner <brauner@kernel.org>
+
+commit cb2239c198ad9fbd5aced22cf93e45562da781eb upstream.
+
+When cleaning up peer group ids in the failure path we need to make sure
+to hold on to the namespace lock. Otherwise another thread might just
+turn the mount from a shared into a non-shared mount concurrently.
+
+Link: https://lore.kernel.org/lkml/00000000000088694505f8132d77@google.com
+Fixes: 2a1867219c7b ("fs: add mount_setattr()")
+Reported-by: syzbot+8ac3859139c685c4f597@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org # 5.12+
+Message-Id: <20230330-vfs-mount_setattr-propagation-fix-v1-1-37548d91533b@kernel.org>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/namespace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -4286,9 +4286,9 @@ out:
+ unlock_mount_hash();
+
+ if (kattr->propagation) {
+- namespace_unlock();
+ if (err)
+ cleanup_group_ids(mnt, NULL);
++ namespace_unlock();
+ }
+
+ return err;
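Review bot: The fix depends entirely on `cleanup_group_ids()` running before `namespace_unlock()`, yet nothing in the code states that, so a later tidy-up could move the unlock back. I would add a comment above the block such as `/* Peer group ids must be dropped while namespace_sem is still held; another thread may otherwise change the mount's propagation concurrently. */`. The enclosing function starts outside this hunk.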
--- /dev/null
+From 2a2d8c51defb446e8d89a83f42f8e5cd529111e9 Mon Sep 17 00:00:00 2001
+From: Zheng Yejian <zhengyejian1@huawei.com>
+Date: Thu, 30 Mar 2023 10:52:23 +0800
+Subject: ftrace: Fix issue that 'direct->addr' not restored in modify_ftrace_direct()
+
+From: Zheng Yejian <zhengyejian1@huawei.com>
+
+commit 2a2d8c51defb446e8d89a83f42f8e5cd529111e9 upstream.
+
+Syzkaller reported a WARNING: "WARN_ON(!direct)" in modify_ftrace_direct().
+
+Root cause is 'direct->addr' was changed from 'old_addr' to 'new_addr' but
+not restored if error happened on calling ftrace_modify_direct_caller().
+Then it can no longer find 'direct' by that 'old_addr'.
+
+To fix it, restore 'direct->addr' to 'old_addr' explicitly in error path.
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230330025223.1046087-1-zhengyejian1@huawei.com
+
+Cc: stable@vger.kernel.org
+Cc: <mhiramat@kernel.org>
+Cc: <mark.rutland@arm.com>
+Cc: <ast@kernel.org>
+Cc: <daniel@iogearbox.net>
+Fixes: 8a141dd7f706 ("ftrace: Fix modify_ftrace_direct.")
+Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/ftrace.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -5568,12 +5568,15 @@ int modify_ftrace_direct(unsigned long i
+ ret = 0;
+ }
+
+- if (unlikely(ret && new_direct)) {
+- direct->count++;
+- list_del_rcu(&new_direct->next);
+- synchronize_rcu_tasks();
+- kfree(new_direct);
+- ftrace_direct_func_count--;
++ if (ret) {
++ direct->addr = old_addr;
++ if (unlikely(new_direct)) {
++ direct->count++;
++ list_del_rcu(&new_direct->next);
++ synchronize_rcu_tasks();
++ kfree(new_direct);
++ ftrace_direct_func_count--;
++ }
+ }
+
+ out_unlock:
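Review bot: The new `direct->addr = old_addr;` in the error path has no comment saying why it is needed, and the reason is not obvious from the surrounding lines. I would add `/* Undo the address change so 'direct' can still be found by old_addr */` above that assignment. The assignment runs for every non-zero `ret`, including the `new_direct` case. Whether `direct->addr` was actually changed on that path is decided earlier in modify_ftrace_direct(), outside this hunk, so it is worth confirming the restore is a harmless no-op there.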
--- /dev/null
+From ea65b41807a26495ff2a73dd8b1bab2751940887 Mon Sep 17 00:00:00 2001
+From: John Keeping <john@metanate.com>
+Date: Mon, 27 Mar 2023 18:36:46 +0100
+Subject: ftrace: Mark get_lock_parent_ip() __always_inline
+
+From: John Keeping <john@metanate.com>
+
+commit ea65b41807a26495ff2a73dd8b1bab2751940887 upstream.
+
+If the compiler decides not to inline this function then preemption
+tracing will always show an IP inside the preemption disabling path and
+never the function actually calling preempt_{enable,disable}.
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230327173647.1690849-1-john@metanate.com
+
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: stable@vger.kernel.org
+Fixes: f904f58263e1d ("sched/debug: Fix preempt_disable_ip recording for preempt_disable()")
+Signed-off-by: John Keeping <john@metanate.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/ftrace.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/ftrace.h
++++ b/include/linux/ftrace.h
+@@ -970,7 +970,7 @@ static inline void __ftrace_enabled_rest
+ #define CALLER_ADDR5 ((unsigned long)ftrace_return_address(5))
+ #define CALLER_ADDR6 ((unsigned long)ftrace_return_address(6))
+
+-static inline unsigned long get_lock_parent_ip(void)
++static __always_inline unsigned long get_lock_parent_ip(void)
+ {
+ unsigned long addr = CALLER_ADDR0;
+
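Review bot: The switch to `__always_inline` on get_lock_parent_ip() is a correctness requirement rather than an optimisation, and nothing in the code says so. Because the function reads `CALLER_ADDR0`, an out-of-line copy would presumably report an address relative to its own frame, which matches the symptom in the commit message. A later cleanup that relaxes the attribute would silently bring the problem back. I would add a comment above the definition such as `/* Must be inlined: CALLER_ADDR0 has to resolve in the caller's frame */`. The function body continues past the end of this hunk.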
--- /dev/null
+From e4395701330fc4aee530905039516fe770b81417 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgg@nvidia.com>
+Date: Fri, 31 Mar 2023 12:32:24 -0300
+Subject: iommufd: Check for uptr overflow
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+commit e4395701330fc4aee530905039516fe770b81417 upstream.
+
+syzkaller found that setting up a map with a user VA that wraps past zero
+can trigger WARN_ONs, particularly from pin_user_pages weirdly returning 0
+due to invalid arguments.
+
+Prevent creating a pages with a uptr and size that would math overflow.
+
+ WARNING: CPU: 0 PID: 518 at drivers/iommu/iommufd/pages.c:793 pfn_reader_user_pin+0x2e6/0x390
+ Modules linked in:
+ CPU: 0 PID: 518 Comm: repro Not tainted 6.3.0-rc2-eeac8ede1755+ #1
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+ RIP: 0010:pfn_reader_user_pin+0x2e6/0x390
+ Code: b1 11 e9 25 fe ff ff e8 28 e4 0f ff 31 ff 48 89 de e8 2e e6 0f ff 48 85 db 74 0a e8 14 e4 0f ff e9 4d ff ff ff e8 0a e4 0f ff <0f> 0b bb f2 ff ff ff e9 3c ff ff ff e8 f9 e3 0f ff ba 01 00 00 00
+ RSP: 0018:ffffc90000f9fa30 EFLAGS: 00010246
+ RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff821e2b72
+ RDX: 0000000000000000 RSI: ffff888014184680 RDI: 0000000000000002
+ RBP: ffffc90000f9fa78 R08: 00000000000000ff R09: 0000000079de6f4e
+ R10: ffffc90000f9f790 R11: ffff888014185418 R12: ffffc90000f9fc60
+ R13: 0000000000000002 R14: ffff888007879800 R15: 0000000000000000
+ FS: 00007f4227555740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000020000043 CR3: 000000000e748005 CR4: 0000000000770ef0
+ PKRU: 55555554
+ Call Trace:
+ <TASK>
+ pfn_reader_next+0x14a/0x7b0
+ ? interval_tree_double_span_iter_update+0x11a/0x140
+ pfn_reader_first+0x140/0x1b0
+ iopt_pages_rw_slow+0x71/0x280
+ ? __this_cpu_preempt_check+0x20/0x30
+ iopt_pages_rw_access+0x2b2/0x5b0
+ iommufd_access_rw+0x19f/0x2f0
+ iommufd_test+0xd11/0x16f0
+ ? write_comp_data+0x2f/0x90
+ iommufd_fops_ioctl+0x206/0x330
+ __x64_sys_ioctl+0x10e/0x160
+ ? __pfx_iommufd_fops_ioctl+0x10/0x10
+ do_syscall_64+0x3b/0x90
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+Cc: <stable@vger.kernel.org>
+Fixes: 8d160cd4d506 ("iommufd: Algorithms for PFN storage")
+Link: https://lore.kernel.org/r/1-v1-ceab6a4d7d7a+94-iommufd_syz_jgg@nvidia.com
+Reviewed-by: Kevin Tian <kevin.tian@intel.com>
+Reported-by: Pengfei Xu <pengfei.xu@intel.com>
+Tested-by: Pengfei Xu <pengfei.xu@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/iommufd/pages.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/iommu/iommufd/pages.c
++++ b/drivers/iommu/iommufd/pages.c
+@@ -1140,6 +1140,7 @@ struct iopt_pages *iopt_alloc_pages(void
+ bool writable)
+ {
+ struct iopt_pages *pages;
++ unsigned long end;
+
+ /*
+ * The iommu API uses size_t as the length, and protect the DIV_ROUND_UP
+@@ -1148,6 +1149,9 @@ struct iopt_pages *iopt_alloc_pages(void
+ if (length > SIZE_MAX - PAGE_SIZE || length == 0)
+ return ERR_PTR(-EINVAL);
+
++ if (check_add_overflow((unsigned long)uptr, length, &end))
++ return ERR_PTR(-EOVERFLOW);
++
+ pages = kzalloc(sizeof(*pages), GFP_KERNEL_ACCOUNT);
+ if (!pages)
+ return ERR_PTR(-ENOMEM);
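Review bot: The added `check_add_overflow()` guard has no comment, although the length check directly above it does, and `end` is written only as the overflow sink in the lines shown. I would add `/* Reject a uptr + length range that wraps past the top of the address space */` above the new `if`. If `end` stays unused in the rest of iopt_alloc_pages(), which continues outside this hunk, the comment should say that too. The distinct `-EOVERFLOW` return is a useful signal for callers and worth keeping separate from the `-EINVAL` length case. The declaration of `end` is in the previous hunk of the same patch.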
--- /dev/null
+From 13a0d1ae7ee6b438f5537711a8c60cba00554943 Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgg@nvidia.com>
+Date: Fri, 31 Mar 2023 12:32:26 -0300
+Subject: iommufd: Do not corrupt the pfn list when doing batch carry
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+commit 13a0d1ae7ee6b438f5537711a8c60cba00554943 upstream.
+
+If batch->end is 0 then setting npfns[0] before computing the new value of
+pfns will fail to adjust the pfn and result in various page accounting
+corruptions. It should be ordered after.
+
+This seems to result in various kinds of page meta-data corruption related
+failures:
+
+ WARNING: CPU: 1 PID: 527 at mm/gup.c:75 try_grab_folio+0x503/0x740
+ Modules linked in:
+ CPU: 1 PID: 527 Comm: repro Not tainted 6.3.0-rc2-eeac8ede1755+ #1
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+ RIP: 0010:try_grab_folio+0x503/0x740
+ Code: e3 01 48 89 de e8 6d c1 dd ff 48 85 db 0f 84 7c fe ff ff e8 4f bf dd ff 49 8d 47 ff 48 89 45 d0 e9 73 fe ff ff e8 3d bf dd ff <0f> 0b 31 db e9 d0 fc ff ff e8 2f bf dd ff 48 8b 5d c8 31 ff 48 89
+ RSP: 0018:ffffc90000f37908 EFLAGS: 00010046
+ RAX: 0000000000000000 RBX: 00000000fffffc02 RCX: ffffffff81504c26
+ RDX: 0000000000000000 RSI: ffff88800d030000 RDI: 0000000000000002
+ RBP: ffffc90000f37948 R08: 000000000003ca24 R09: 0000000000000008
+ R10: 000000000003ca00 R11: 0000000000000023 R12: ffffea000035d540
+ R13: 0000000000000001 R14: 0000000000000000 R15: ffffea000035d540
+ FS: 00007fecbf659740(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00000000200011c3 CR3: 000000000ef66006 CR4: 0000000000770ee0
+ PKRU: 55555554
+ Call Trace:
+ <TASK>
+ internal_get_user_pages_fast+0xd32/0x2200
+ pin_user_pages_fast+0x65/0x90
+ pfn_reader_user_pin+0x376/0x390
+ pfn_reader_next+0x14a/0x7b0
+ pfn_reader_first+0x140/0x1b0
+ iopt_area_fill_domain+0x74/0x210
+ iopt_table_add_domain+0x30e/0x6e0
+ iommufd_device_selftest_attach+0x7f/0x140
+ iommufd_test+0x10ff/0x16f0
+ iommufd_fops_ioctl+0x206/0x330
+ __x64_sys_ioctl+0x10e/0x160
+ do_syscall_64+0x3b/0x90
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+Cc: <stable@vger.kernel.org>
+Fixes: f394576eb11d ("iommufd: PFN handling for iopt_pages")
+Link: https://lore.kernel.org/r/3-v1-ceab6a4d7d7a+94-iommufd_syz_jgg@nvidia.com
+Reviewed-by: Kevin Tian <kevin.tian@intel.com>
+Reported-by: Pengfei Xu <pengfei.xu@intel.com>
+Tested-by: Pengfei Xu <pengfei.xu@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/iommufd/pages.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iommu/iommufd/pages.c
++++ b/drivers/iommu/iommufd/pages.c
+@@ -294,9 +294,9 @@ static void batch_clear_carry(struct pfn
+ batch->npfns[batch->end - 1] < keep_pfns);
+
+ batch->total_pfns = keep_pfns;
+- batch->npfns[0] = keep_pfns;
+ batch->pfns[0] = batch->pfns[batch->end - 1] +
+ (batch->npfns[batch->end - 1] - keep_pfns);
++ batch->npfns[0] = keep_pfns;
+ batch->end = 0;
+ }
+
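Review bot: The fix depends on statement order alone: `batch->npfns[0]` aliases `batch->npfns[batch->end - 1]` when `batch->end - 1` is 0, so the write must come after the read that computes `batch->pfns[0]`. Nothing in the code records that, and a later tidy-up could reorder the two assignments again. I would either add `/* npfns[0] may alias npfns[batch->end - 1]; write it last */` above the moved line, or read `batch->npfns[batch->end - 1]` into a local before any store. The start of batch_clear_carry() is outside this hunk.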
--- /dev/null
+From 727c28c1cef2bc013d2c8bb6c50e410a3882a04e Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgg@nvidia.com>
+Date: Fri, 31 Mar 2023 12:32:25 -0300
+Subject: iommufd: Fix unpinning of pages when an access is present
+
+From: Jason Gunthorpe <jgg@nvidia.com>
+
+commit 727c28c1cef2bc013d2c8bb6c50e410a3882a04e upstream.
+
+syzkaller found that the calculation of batch_last_index should use
+'start_index' since at input to this function the batch is either empty or
+it has already been adjusted to cross any accesses so it will start at the
+point we are unmapping from.
+
+Getting this wrong causes the unmap to run over the end of the pages
+which corrupts pages that were never mapped. In most cases this triggers
+the num pinned debugging:
+
+ WARNING: CPU: 0 PID: 557 at drivers/iommu/iommufd/pages.c:294 __iopt_area_unfill_domain+0x152/0x560
+ Modules linked in:
+ CPU: 0 PID: 557 Comm: repro Not tainted 6.3.0-rc2-eeac8ede1755 #1
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+ RIP: 0010:__iopt_area_unfill_domain+0x152/0x560
+ Code: d2 0f ff 44 8b 64 24 54 48 8b 44 24 48 31 ff 44 89 e6 48 89 44 24 38 e8 fc d3 0f ff 45 85 e4 0f 85 eb 01 00 00 e8 0e d2 0f ff <0f> 0b e8 07 d2 0f ff 48 8b 44 24 38 89 5c 24 58 89 18 8b 44 24 54
+ RSP: 0018:ffffc9000108baf0 EFLAGS: 00010246
+ RAX: 0000000000000000 RBX: 00000000ffffffff RCX: ffffffff821e3f85
+ RDX: 0000000000000000 RSI: ffff88800faf0000 RDI: 0000000000000002
+ RBP: ffffc9000108bd18 R08: 000000000003ca25 R09: 0000000000000014
+ R10: 000000000003ca00 R11: 0000000000000024 R12: 0000000000000004
+ R13: 0000000000000801 R14: 00000000000007ff R15: 0000000000000800
+ FS: 00007f3499ce1740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000020000243 CR3: 00000000179c2001 CR4: 0000000000770ef0
+ PKRU: 55555554
+ Call Trace:
+ <TASK>
+ iopt_area_unfill_domain+0x32/0x40
+ iopt_table_remove_domain+0x23f/0x4c0
+ iommufd_device_selftest_detach+0x3a/0x90
+ iommufd_selftest_destroy+0x55/0x70
+ iommufd_object_destroy_user+0xce/0x130
+ iommufd_destroy+0xa2/0xc0
+ iommufd_fops_ioctl+0x206/0x330
+ __x64_sys_ioctl+0x10e/0x160
+ do_syscall_64+0x3b/0x90
+ entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+Also add some useful WARN_ON sanity checks.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 8d160cd4d506 ("iommufd: Algorithms for PFN storage")
+Link: https://lore.kernel.org/r/2-v1-ceab6a4d7d7a+94-iommufd_syz_jgg@nvidia.com
+Reviewed-by: Kevin Tian <kevin.tian@intel.com>
+Reported-by: Pengfei Xu <pengfei.xu@intel.com>
+Tested-by: Pengfei Xu <pengfei.xu@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/iommufd/pages.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/iommu/iommufd/pages.c
++++ b/drivers/iommu/iommufd/pages.c
+@@ -1205,13 +1205,21 @@ iopt_area_unpin_domain(struct pfn_batch
+ unsigned long start =
+ max(start_index, *unmapped_end_index);
+
++ if (IS_ENABLED(CONFIG_IOMMUFD_TEST) &&
++ batch->total_pfns)
++ WARN_ON(*unmapped_end_index -
++ batch->total_pfns !=
++ start_index);
+ batch_from_domain(batch, domain, area, start,
+ last_index);
+- batch_last_index = start + batch->total_pfns - 1;
++ batch_last_index = start_index + batch->total_pfns - 1;
+ } else {
+ batch_last_index = last_index;
+ }
+
++ if (IS_ENABLED(CONFIG_IOMMUFD_TEST))
++ WARN_ON(batch_last_index > real_last_index);
++
+ /*
+ * unmaps must always 'cut' at a place where the pfns are not
+ * contiguous to pair with the maps that always install
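Review bot: Both new `WARN_ON()` checks are compiled in only under `IS_ENABLED(CONFIG_IOMMUFD_TEST)` and only report; when `batch_last_index > real_last_index` the code after the check still runs with the out-of-range index. The commit message describes the overrun as corrupting pages that were never mapped, so it is worth deciding whether non-test builds should also stop or clamp, for example `if (WARN_ON(batch_last_index > real_last_index)) batch_last_index = real_last_index;`. Whether clamping is safe depends on how the rest of iopt_area_unpin_domain() uses the index, which is outside this hunk. If the checks stay debug-only, a comment such as `/* Debug aid only: does not prevent the unmap below */` would make that explicit.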
--- /dev/null
+From 24e3fce00c0b557491ff596c0682a29dee6fe848 Mon Sep 17 00:00:00 2001
+From: Song Yoong Siang <yoong.siang.song@intel.com>
+Date: Tue, 4 Apr 2023 12:48:23 +0800
+Subject: net: stmmac: Add queue reset into stmmac_xdp_open() function
+
+From: Song Yoong Siang <yoong.siang.song@intel.com>
+
+commit 24e3fce00c0b557491ff596c0682a29dee6fe848 upstream.
+
+Queue reset was moved out from __init_dma_rx_desc_rings() and
+__init_dma_tx_desc_rings() functions. Thus, the driver fails to transmit
+and receive packet after XDP prog setup.
+
+This commit adds the missing queue reset into stmmac_xdp_open() function.
+
+Fixes: f9ec5723c3db ("net: ethernet: stmicro: stmmac: move queue reset to dedicated functions")
+Cc: <stable@vger.kernel.org> # 6.0+
+Signed-off-by: Song Yoong Siang <yoong.siang.song@intel.com>
+Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
+Link: https://lore.kernel.org/r/20230404044823.3226144-1-yoong.siang.song@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -6629,6 +6629,8 @@ int stmmac_xdp_open(struct net_device *d
+ goto init_error;
+ }
+
++ stmmac_reset_queues_param(priv);
++
+ /* DMA CSR Channel configuration */
+ for (chan = 0; chan < dma_csr_ch; chan++) {
+ stmmac_init_chan(priv, priv->ioaddr, priv->plat->dma_cfg, chan);
counter-104-quad-8-fix-race-condition-between-flag-and-cntr-reads.patch
counter-104-quad-8-fix-synapse-action-reported-for-index-signals.patch
blk-mq-directly-poll-requests.patch
+ftrace-mark-get_lock_parent_ip-__always_inline.patch
+ftrace-fix-issue-that-direct-addr-not-restored-in-modify_ftrace_direct.patch
+fs-drop-peer-group-ids-under-namespace-lock.patch
+can-j1939-j1939_tp_tx_dat_new-fix-out-of-bounds-memory-access.patch
+can-isotp-fix-race-between-isotp_sendsmg-and-isotp_release.patch
+can-isotp-isotp_ops-fix-poll-to-not-report-false-epollout-events.patch
+can-isotp-isotp_recvmsg-use-sock_recv_cmsgs-to-get-sock_rxq_ovfl-infos.patch
+acpi-video-add-auto_detect-arg-to-__acpi_video_get_backlight_type.patch
+acpi-video-make-acpi_backlight-video-work-independent-from-gpu-driver.patch
+acpi-video-add-acpi_backlight-video-quirk-for-apple-imac14-1-and-imac14-2.patch
+acpi-video-add-acpi_backlight-video-quirk-for-lenovo-thinkpad-w530.patch
+net-stmmac-add-queue-reset-into-stmmac_xdp_open-function.patch
+tracing-synthetic-fix-races-on-freeing-last_cmd.patch
+tracing-timerlat-notify-new-max-thread-latency.patch
+tracing-osnoise-fix-notify-new-tracing_max_latency.patch
+tracing-free-error-logs-of-tracing-instances.patch
+iommufd-check-for-uptr-overflow.patch
+iommufd-fix-unpinning-of-pages-when-an-access-is-present.patch
+iommufd-do-not-corrupt-the-pfn-list-when-doing-batch-carry.patch
+asoc-hdac_hdmi-use-set_stream-instead-of-set_tdm_slots.patch
+asoc-sof-avoid-a-null-dereference-with-unsupported-widgets.patch
iio-adc-ad7791-fix-irq-flags.patch
io_uring-fix-return-value-when-removing-provided-buf.patch
io_uring-fix-memory-leak-when-removing-provided-buff.patch
--- /dev/null
+From 3357c6e429643231e60447b52ffbb7ac895aca22 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Google)" <rostedt@goodmis.org>
+Date: Tue, 4 Apr 2023 19:45:04 -0400
+Subject: tracing: Free error logs of tracing instances
+
+From: Steven Rostedt (Google) <rostedt@goodmis.org>
+
+commit 3357c6e429643231e60447b52ffbb7ac895aca22 upstream.
+
+When a tracing instance is removed, the error messages that hold errors
+that occurred in the instance needs to be freed. The following reports a
+memory leak:
+
+ # cd /sys/kernel/tracing
+ # mkdir instances/foo
+ # echo 'hist:keys=x' > instances/foo/events/sched/sched_switch/trigger
+ # cat instances/foo/error_log
+ [ 117.404795] hist:sched:sched_switch: error: Couldn't find field
+ Command: hist:keys=x
+ ^
+ # rmdir instances/foo
+
+Then check for memory leaks:
+
+ # echo scan > /sys/kernel/debug/kmemleak
+ # cat /sys/kernel/debug/kmemleak
+unreferenced object 0xffff88810d8ec700 (size 192):
+ comm "bash", pid 869, jiffies 4294950577 (age 215.752s)
+ hex dump (first 32 bytes):
+ 60 dd 68 61 81 88 ff ff 60 dd 68 61 81 88 ff ff `.ha....`.ha....
+ a0 30 8c 83 ff ff ff ff 26 00 0a 00 00 00 00 00 .0......&.......
+ backtrace:
+ [<00000000dae26536>] kmalloc_trace+0x2a/0xa0
+ [<00000000b2938940>] tracing_log_err+0x277/0x2e0
+ [<000000004a0e1b07>] parse_atom+0x966/0xb40
+ [<0000000023b24337>] parse_expr+0x5f3/0xdb0
+ [<00000000594ad074>] event_hist_trigger_parse+0x27f8/0x3560
+ [<00000000293a9645>] trigger_process_regex+0x135/0x1a0
+ [<000000005c22b4f2>] event_trigger_write+0x87/0xf0
+ [<000000002cadc509>] vfs_write+0x162/0x670
+ [<0000000059c3b9be>] ksys_write+0xca/0x170
+ [<00000000f1cddc00>] do_syscall_64+0x3e/0xc0
+ [<00000000868ac68c>] entry_SYSCALL_64_after_hwframe+0x72/0xdc
+unreferenced object 0xffff888170c35a00 (size 32):
+ comm "bash", pid 869, jiffies 4294950577 (age 215.752s)
+ hex dump (first 32 bytes):
+ 0a 20 20 43 6f 6d 6d 61 6e 64 3a 20 68 69 73 74 . Command: hist
+ 3a 6b 65 79 73 3d 78 0a 00 00 00 00 00 00 00 00 :keys=x.........
+ backtrace:
+ [<000000006a747de5>] __kmalloc+0x4d/0x160
+ [<000000000039df5f>] tracing_log_err+0x29b/0x2e0
+ [<000000004a0e1b07>] parse_atom+0x966/0xb40
+ [<0000000023b24337>] parse_expr+0x5f3/0xdb0
+ [<00000000594ad074>] event_hist_trigger_parse+0x27f8/0x3560
+ [<00000000293a9645>] trigger_process_regex+0x135/0x1a0
+ [<000000005c22b4f2>] event_trigger_write+0x87/0xf0
+ [<000000002cadc509>] vfs_write+0x162/0x670
+ [<0000000059c3b9be>] ksys_write+0xca/0x170
+ [<00000000f1cddc00>] do_syscall_64+0x3e/0xc0
+ [<00000000868ac68c>] entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+The problem is that the error log needs to be freed when the instance is
+removed.
+
+Link: https://lore.kernel.org/lkml/76134d9f-a5ba-6a0d-37b3-28310b4a1e91@alu.unizg.hr/
+Link: https://lore.kernel.org/linux-trace-kernel/20230404194504.5790b95f@gandalf.local.home
+
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Thorsten Leemhuis <regressions@leemhuis.info>
+Cc: Ulf Hansson <ulf.hansson@linaro.org>
+Cc: Eric Biggers <ebiggers@kernel.org>
+Fixes: 2f754e771b1a6 ("tracing: Have the error logs show up in the proper instances")
+Reported-by: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+Tested-by: Mirsad Todorovac <mirsad.todorovac@alu.unizg.hr>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -9472,6 +9472,7 @@ static int __remove_instance(struct trac
+ tracefs_remove(tr->dir);
+ free_percpu(tr->last_func_repeats);
+ free_trace_buffers(tr);
++ clear_tracing_err_log(tr);
+
+ for (i = 0; i < tr->nr_topts; i++) {
+ kfree(tr->topts[i].topts);
--- /dev/null
+From d3cba7f02cd82118c32651c73374d8a5a459d9a6 Mon Sep 17 00:00:00 2001
+From: Daniel Bristot de Oliveira <bristot@kernel.org>
+Date: Wed, 29 Mar 2023 17:50:16 +0200
+Subject: tracing/osnoise: Fix notify new tracing_max_latency
+
+From: Daniel Bristot de Oliveira <bristot@kernel.org>
+
+commit d3cba7f02cd82118c32651c73374d8a5a459d9a6 upstream.
+
+osnoise/timerlat tracers are reporting new max latency on instances
+where the tracing is off, creating inconsistencies between the max
+reported values in the trace and in the tracing_max_latency. Thus
+only report new tracing_max_latency on active tracing instances.
+
+Link: https://lkml.kernel.org/r/ecd109fde4a0c24ab0f00ba1e9a144ac19a91322.1680104184.git.bristot@kernel.org
+
+Cc: stable@vger.kernel.org
+Fixes: dae181349f1e ("tracing/osnoise: Support a list of trace_array *tr")
+Signed-off-by: Daniel Bristot de Oliveira <bristot@kernel.org>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_osnoise.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_osnoise.c
++++ b/kernel/trace/trace_osnoise.c
+@@ -1296,7 +1296,7 @@ static void notify_new_max_latency(u64 l
+ rcu_read_lock();
+ list_for_each_entry_rcu(inst, &osnoise_instances, list) {
+ tr = inst->tr;
+- if (tr->max_latency < latency) {
++ if (tracer_tracing_is_on(tr) && tr->max_latency < latency) {
+ tr->max_latency = latency;
+ latency_fsnotify(tr);
+ }
--- /dev/null
+From 4ccf11c4e8a8e051499d53a12f502196c97a758e Mon Sep 17 00:00:00 2001
+From: Tze-nan Wu <Tze-nan.Wu@mediatek.com>
+Date: Tue, 21 Mar 2023 19:04:43 +0800
+Subject: tracing/synthetic: Fix races on freeing last_cmd
+
+From: Tze-nan Wu <Tze-nan.Wu@mediatek.com>
+
+commit 4ccf11c4e8a8e051499d53a12f502196c97a758e upstream.
+
+Currently, the "last_cmd" variable can be accessed by multiple processes
+asynchronously when multiple users manipulate synthetic_events node
+at the same time, it could lead to use-after-free or double-free.
+
+This patch add "lastcmd_mutex" to prevent "last_cmd" from being accessed
+asynchronously.
+
+================================================================
+
+It's easy to reproduce in the KASAN environment by running the two
+scripts below in different shells.
+
+script 1:
+ while :
+ do
+ echo -n -e '\x88' > /sys/kernel/tracing/synthetic_events
+ done
+
+script 2:
+ while :
+ do
+ echo -n -e '\xb0' > /sys/kernel/tracing/synthetic_events
+ done
+
+================================================================
+double-free scenario:
+
+ process A process B
+------------------- ---------------
+1.kstrdup last_cmd
+ 2.free last_cmd
+3.free last_cmd(double-free)
+
+================================================================
+use-after-free scenario:
+
+ process A process B
+------------------- ---------------
+1.kstrdup last_cmd
+ 2.free last_cmd
+3.tracing_log_err(use-after-free)
+
+================================================================
+
+Appendix 1. KASAN report double-free:
+
+BUG: KASAN: double-free in kfree+0xdc/0x1d4
+Free of addr ***** by task sh/4879
+Call trace:
+ ...
+ kfree+0xdc/0x1d4
+ create_or_delete_synth_event+0x60/0x1e8
+ trace_parse_run_command+0x2bc/0x4b8
+ synth_events_write+0x20/0x30
+ vfs_write+0x200/0x830
+ ...
+
+Allocated by task 4879:
+ ...
+ kstrdup+0x5c/0x98
+ create_or_delete_synth_event+0x6c/0x1e8
+ trace_parse_run_command+0x2bc/0x4b8
+ synth_events_write+0x20/0x30
+ vfs_write+0x200/0x830
+ ...
+
+Freed by task 5464:
+ ...
+ kfree+0xdc/0x1d4
+ create_or_delete_synth_event+0x60/0x1e8
+ trace_parse_run_command+0x2bc/0x4b8
+ synth_events_write+0x20/0x30
+ vfs_write+0x200/0x830
+ ...
+
+================================================================
+Appendix 2. KASAN report use-after-free:
+
+BUG: KASAN: use-after-free in strlen+0x5c/0x7c
+Read of size 1 at addr ***** by task sh/5483
+sh: CPU: 7 PID: 5483 Comm: sh
+ ...
+ __asan_report_load1_noabort+0x34/0x44
+ strlen+0x5c/0x7c
+ tracing_log_err+0x60/0x444
+ create_or_delete_synth_event+0xc4/0x204
+ trace_parse_run_command+0x2bc/0x4b8
+ synth_events_write+0x20/0x30
+ vfs_write+0x200/0x830
+ ...
+
+Allocated by task 5483:
+ ...
+ kstrdup+0x5c/0x98
+ create_or_delete_synth_event+0x80/0x204
+ trace_parse_run_command+0x2bc/0x4b8
+ synth_events_write+0x20/0x30
+ vfs_write+0x200/0x830
+ ...
+
+Freed by task 5480:
+ ...
+ kfree+0xdc/0x1d4
+ create_or_delete_synth_event+0x74/0x204
+ trace_parse_run_command+0x2bc/0x4b8
+ synth_events_write+0x20/0x30
+ vfs_write+0x200/0x830
+ ...
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230321110444.1587-1-Tze-nan.Wu@mediatek.com
+
+Fixes: 27c888da9867 ("tracing: Remove size restriction on synthetic event cmd error logging")
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Matthias Brugger <matthias.bgg@gmail.com>
+Cc: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Cc: "Tom Zanussi" <zanussi@kernel.org>
+Signed-off-by: Tze-nan Wu <Tze-nan.Wu@mediatek.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_events_synth.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/kernel/trace/trace_events_synth.c
++++ b/kernel/trace/trace_events_synth.c
+@@ -44,14 +44,21 @@ enum { ERRORS };
+
+ static const char *err_text[] = { ERRORS };
+
++DEFINE_MUTEX(lastcmd_mutex);
+ static char *last_cmd;
+
+ static int errpos(const char *str)
+ {
++ int ret = 0;
++
++ mutex_lock(&lastcmd_mutex);
+ if (!str || !last_cmd)
+- return 0;
++ goto out;
+
+- return err_pos(last_cmd, str);
++ ret = err_pos(last_cmd, str);
++ out:
++ mutex_unlock(&lastcmd_mutex);
++ return ret;
+ }
+
+ static void last_cmd_set(const char *str)
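Review bot: `DEFINE_MUTEX(lastcmd_mutex);` is missing `static`, so the mutex becomes a global symbol although `last_cmd`, which it guards, is file-local on the next line. It should read `static DEFINE_MUTEX(lastcmd_mutex);`. A short comment such as `/* Protects last_cmd */` on the same line would also record what the lock covers. errpos() here takes it, and so do last_cmd_set() and synth_err() in the next hunk of this patch.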
+@@ -59,18 +66,22 @@ static void last_cmd_set(const char *str
+ if (!str)
+ return;
+
++ mutex_lock(&lastcmd_mutex);
+ kfree(last_cmd);
+-
+ last_cmd = kstrdup(str, GFP_KERNEL);
++ mutex_unlock(&lastcmd_mutex);
+ }
+
+ static void synth_err(u8 err_type, u16 err_pos)
+ {
++ mutex_lock(&lastcmd_mutex);
+ if (!last_cmd)
+- return;
++ goto out;
+
+ tracing_log_err(NULL, "synthetic_events", last_cmd, err_text,
+ err_type, err_pos);
++ out:
++ mutex_unlock(&lastcmd_mutex);
+ }
+
+ static int create_synth_event(const char *raw_command);
--- /dev/null
+From b9f451a9029a16eb7913ace09b92493d00f2e564 Mon Sep 17 00:00:00 2001
+From: Daniel Bristot de Oliveira <bristot@kernel.org>
+Date: Wed, 29 Mar 2023 17:50:15 +0200
+Subject: tracing/timerlat: Notify new max thread latency
+
+From: Daniel Bristot de Oliveira <bristot@kernel.org>
+
+commit b9f451a9029a16eb7913ace09b92493d00f2e564 upstream.
+
+timerlat is not reporting a new tracing_max_latency for the thread
+latency. The reason is that it is not calling notify_new_max_latency()
+function after the new thread latency is sampled.
+
+Call notify_new_max_latency() after computing the thread latency.
+
+Link: https://lkml.kernel.org/r/16e18d61d69073d0192ace07bf61e405cca96e9c.1680104184.git.bristot@kernel.org
+
+Cc: stable@vger.kernel.org
+Fixes: dae181349f1e ("tracing/osnoise: Support a list of trace_array *tr")
+Signed-off-by: Daniel Bristot de Oliveira <bristot@kernel.org>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_osnoise.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/trace/trace_osnoise.c
++++ b/kernel/trace/trace_osnoise.c
+@@ -1738,6 +1738,8 @@ static int timerlat_main(void *data)
+
+ trace_timerlat_sample(&s);
+
++ notify_new_max_latency(diff);
++
+ timerlat_dump_stack(time_to_us(diff));
+
+ tlat->tracing_thread = false;