--- /dev/null
+From e14fd2af7a1d621c167dad761f729135a7a76ff4 Mon Sep 17 00:00:00 2001
+From: Peter Rosin <peda@axentia.se>
+Date: Tue, 23 May 2023 19:20:47 +0200
+Subject: dmaengine: at_hdmac: Extend the Flow Controller bitfield to three bits
+
+From: Peter Rosin <peda@axentia.se>
+
+commit e14fd2af7a1d621c167dad761f729135a7a76ff4 upstream.
+
+Some chips have two bits (e.g SAMA5D3), and some have three (e.g.
+SAM9G45). A field width of three is compatible as long as valid
+values are used for the different chips.
+
+There is no current use of any value needing three bits, so the
+fixed bug is relatively benign.
+
+Fixes: d8840a7edcf0 ("dmaengine: at_hdmac: Use bitfield access macros")
+Cc: stable@vger.kernel.org
+Reviewed-by: Tudor Ambarus <tudor.ambarus@linaro.org>
+Signed-off-by: Peter Rosin <peda@axentia.se>
+Link: https://lore.kernel.org/r/e2c898ba-c3a3-5dd3-384b-0585661c79f2@axentia.se
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/at_hdmac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/dma/at_hdmac.c b/drivers/dma/at_hdmac.c
+index 6362013b90df..ee3a219e3a89 100644
+--- a/drivers/dma/at_hdmac.c
++++ b/drivers/dma/at_hdmac.c
+@@ -132,7 +132,7 @@
+ #define ATC_DST_PIP BIT(12) /* Destination Picture-in-Picture enabled */
+ #define ATC_SRC_DSCR_DIS BIT(16) /* Src Descriptor fetch disable */
+ #define ATC_DST_DSCR_DIS BIT(20) /* Dst Descriptor fetch disable */
+-#define ATC_FC GENMASK(22, 21) /* Choose Flow Controller */
++#define ATC_FC GENMASK(23, 21) /* Choose Flow Controller */
+ #define ATC_FC_MEM2MEM 0x0 /* Mem-to-Mem (DMA) */
+ #define ATC_FC_MEM2PER 0x1 /* Mem-to-Periph (DMA) */
+ #define ATC_FC_PER2MEM 0x2 /* Periph-to-Mem (DMA) */
+--
+2.41.0
+
--- /dev/null
+From 2a6c7e8cc74e58ba94b8c897035a8ef7f7349f76 Mon Sep 17 00:00:00 2001
+From: Peter Rosin <peda@axentia.se>
+Date: Tue, 23 May 2023 19:20:37 +0200
+Subject: dmaengine: at_hdmac: Repair bitfield macros for peripheral ID handling
+
+From: Peter Rosin <peda@axentia.se>
+
+commit 2a6c7e8cc74e58ba94b8c897035a8ef7f7349f76 upstream.
+
+The MSB part of the peripheral IDs need to go into the ATC_SRC_PER_MSB
+and ATC_DST_PER_MSB fields. Not the LSB part.
+
+This fixes a severe regression for TSE-850 devices (compatible
+axentia,tse850v3) where output to the audio I2S codec (the main
+purpose of the device) simply do not work.
+
+Fixes: d8840a7edcf0 ("dmaengine: at_hdmac: Use bitfield access macros")
+Cc: stable@vger.kernel.org
+Signed-off-by: Peter Rosin <peda@axentia.se>
+Reviewed-by: Tudor Ambarus <tudor.ambarus@linaro.org>
+Link: https://lore.kernel.org/r/01e5dae1-d4b0-cf31-516b-423b11b077f1@axentia.se
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/at_hdmac.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/dma/at_hdmac.c b/drivers/dma/at_hdmac.c
+index 8858470246e1..6362013b90df 100644
+--- a/drivers/dma/at_hdmac.c
++++ b/drivers/dma/at_hdmac.c
+@@ -153,8 +153,6 @@
+ #define ATC_AUTO BIT(31) /* Auto multiple buffer tx enable */
+
+ /* Bitfields in CFG */
+-#define ATC_PER_MSB(h) ((0x30U & (h)) >> 4) /* Extract most significant bits of a handshaking identifier */
+-
+ #define ATC_SRC_PER GENMASK(3, 0) /* Channel src rq associated with periph handshaking ifc h */
+ #define ATC_DST_PER GENMASK(7, 4) /* Channel dst rq associated with periph handshaking ifc h */
+ #define ATC_SRC_REP BIT(8) /* Source Replay Mod */
+@@ -181,10 +179,15 @@
+ #define ATC_DPIP_HOLE GENMASK(15, 0)
+ #define ATC_DPIP_BOUNDARY GENMASK(25, 16)
+
+-#define ATC_SRC_PER_ID(id) (FIELD_PREP(ATC_SRC_PER_MSB, (id)) | \
+- FIELD_PREP(ATC_SRC_PER, (id)))
+-#define ATC_DST_PER_ID(id) (FIELD_PREP(ATC_DST_PER_MSB, (id)) | \
+- FIELD_PREP(ATC_DST_PER, (id)))
++#define ATC_PER_MSB GENMASK(5, 4) /* Extract MSBs of a handshaking identifier */
++#define ATC_SRC_PER_ID(id) \
++ ({ typeof(id) _id = (id); \
++ FIELD_PREP(ATC_SRC_PER_MSB, FIELD_GET(ATC_PER_MSB, _id)) | \
++ FIELD_PREP(ATC_SRC_PER, _id); })
++#define ATC_DST_PER_ID(id) \
++ ({ typeof(id) _id = (id); \
++ FIELD_PREP(ATC_DST_PER_MSB, FIELD_GET(ATC_PER_MSB, _id)) | \
++ FIELD_PREP(ATC_DST_PER, _id); })
+
+
+
+--
+2.41.0
+
--- /dev/null
+From b3e6bcb94590dea45396b9481e47b809b1be4afa Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Tue, 23 May 2023 23:49:48 -0400
+Subject: ext4: add EA_INODE checking to ext4_iget()
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit b3e6bcb94590dea45396b9481e47b809b1be4afa upstream.
+
+Add a new flag, EXT4_IGET_EA_INODE which indicates whether the inode
+is expected to have the EA_INODE flag or not. If the flag is not
+set/clear as expected, then fail the iget() operation and mark the
+file system as corrupted.
+
+This commit also makes the ext4_iget() always perform the
+is_bad_inode() check even when the inode is already inode cache. This
+allows us to remove the is_bad_inode() check from the callers of
+ext4_iget() in the ea_inode code.
+
+Reported-by: syzbot+cbb68193bdb95af4340a@syzkaller.appspotmail.com
+Reported-by: syzbot+62120febbd1ee3c3c860@syzkaller.appspotmail.com
+Reported-by: syzbot+edce54daffee36421b4c@syzkaller.appspotmail.com
+Cc: stable@kernel.org
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Link: https://lore.kernel.org/r/20230524034951.779531-2-tytso@mit.edu
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/ext4.h | 3 ++-
+ fs/ext4/inode.c | 31 ++++++++++++++++++++++++++-----
+ fs/ext4/xattr.c | 36 +++++++-----------------------------
+ 3 files changed, 35 insertions(+), 35 deletions(-)
+
+--- a/fs/ext4/ext4.h
++++ b/fs/ext4/ext4.h
+@@ -2992,7 +2992,8 @@ typedef enum {
+ EXT4_IGET_NORMAL = 0,
+ EXT4_IGET_SPECIAL = 0x0001, /* OK to iget a system inode */
+ EXT4_IGET_HANDLE = 0x0002, /* Inode # is from a handle */
+- EXT4_IGET_BAD = 0x0004 /* Allow to iget a bad inode */
++ EXT4_IGET_BAD = 0x0004, /* Allow to iget a bad inode */
++ EXT4_IGET_EA_INODE = 0x0008 /* Inode should contain an EA value */
+ } ext4_iget_flags;
+
+ extern struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -4835,6 +4835,21 @@ static inline void ext4_inode_set_iversi
+ inode_set_iversion_queried(inode, val);
+ }
+
++static const char *check_igot_inode(struct inode *inode, ext4_iget_flags flags)
++
++{
++ if (flags & EXT4_IGET_EA_INODE) {
++ if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL))
++ return "missing EA_INODE flag";
++ } else {
++ if ((EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL))
++ return "unexpected EA_INODE flag";
++ }
++ if (is_bad_inode(inode) && !(flags & EXT4_IGET_BAD))
++ return "unexpected bad inode w/o EXT4_IGET_BAD";
++ return NULL;
++}
++
+ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino,
+ ext4_iget_flags flags, const char *function,
+ unsigned int line)
+@@ -4844,6 +4859,7 @@ struct inode *__ext4_iget(struct super_b
+ struct ext4_inode_info *ei;
+ struct ext4_super_block *es = EXT4_SB(sb)->s_es;
+ struct inode *inode;
++ const char *err_str;
+ journal_t *journal = EXT4_SB(sb)->s_journal;
+ long ret;
+ loff_t size;
+@@ -4871,8 +4887,14 @@ struct inode *__ext4_iget(struct super_b
+ inode = iget_locked(sb, ino);
+ if (!inode)
+ return ERR_PTR(-ENOMEM);
+- if (!(inode->i_state & I_NEW))
++ if (!(inode->i_state & I_NEW)) {
++ if ((err_str = check_igot_inode(inode, flags)) != NULL) {
++ ext4_error_inode(inode, function, line, 0, err_str);
++ iput(inode);
++ return ERR_PTR(-EFSCORRUPTED);
++ }
+ return inode;
++ }
+
+ ei = EXT4_I(inode);
+ iloc.bh = NULL;
+@@ -5138,10 +5160,9 @@ struct inode *__ext4_iget(struct super_b
+ if (IS_CASEFOLDED(inode) && !ext4_has_feature_casefold(inode->i_sb))
+ ext4_error_inode(inode, function, line, 0,
+ "casefold flag without casefold feature");
+- if (is_bad_inode(inode) && !(flags & EXT4_IGET_BAD)) {
+- ext4_error_inode(inode, function, line, 0,
+- "bad inode without EXT4_IGET_BAD flag");
+- ret = -EUCLEAN;
++ if ((err_str = check_igot_inode(inode, flags)) != NULL) {
++ ext4_error_inode(inode, function, line, 0, err_str);
++ ret = -EFSCORRUPTED;
+ goto bad_inode;
+ }
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -433,7 +433,7 @@ static int ext4_xattr_inode_iget(struct
+ return -EFSCORRUPTED;
+ }
+
+- inode = ext4_iget(parent->i_sb, ea_ino, EXT4_IGET_NORMAL);
++ inode = ext4_iget(parent->i_sb, ea_ino, EXT4_IGET_EA_INODE);
+ if (IS_ERR(inode)) {
+ err = PTR_ERR(inode);
+ ext4_error(parent->i_sb,
+@@ -441,23 +441,6 @@ static int ext4_xattr_inode_iget(struct
+ err);
+ return err;
+ }
+-
+- if (is_bad_inode(inode)) {
+- ext4_error(parent->i_sb,
+- "error while reading EA inode %lu is_bad_inode",
+- ea_ino);
+- err = -EIO;
+- goto error;
+- }
+-
+- if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL)) {
+- ext4_error(parent->i_sb,
+- "EA inode %lu does not have EXT4_EA_INODE_FL flag",
+- ea_ino);
+- err = -EINVAL;
+- goto error;
+- }
+-
+ ext4_xattr_inode_set_class(inode);
+
+ /*
+@@ -478,9 +461,6 @@ static int ext4_xattr_inode_iget(struct
+
+ *ea_inode = inode;
+ return 0;
+-error:
+- iput(inode);
+- return err;
+ }
+
+ /* Remove entry from mbcache when EA inode is getting evicted */
+@@ -1557,11 +1537,10 @@ ext4_xattr_inode_cache_find(struct inode
+
+ while (ce) {
+ ea_inode = ext4_iget(inode->i_sb, ce->e_value,
+- EXT4_IGET_NORMAL);
+- if (!IS_ERR(ea_inode) &&
+- !is_bad_inode(ea_inode) &&
+- (EXT4_I(ea_inode)->i_flags & EXT4_EA_INODE_FL) &&
+- i_size_read(ea_inode) == value_len &&
++ EXT4_IGET_EA_INODE);
++ if (IS_ERR(ea_inode))
++ goto next_entry;
++ if (i_size_read(ea_inode) == value_len &&
+ !ext4_xattr_inode_read(ea_inode, ea_data, value_len) &&
+ !ext4_xattr_inode_verify_hashes(ea_inode, NULL, ea_data,
+ value_len) &&
+@@ -1571,9 +1550,8 @@ ext4_xattr_inode_cache_find(struct inode
+ kvfree(ea_data);
+ return ea_inode;
+ }
+-
+- if (!IS_ERR(ea_inode))
+- iput(ea_inode);
++ iput(ea_inode);
++ next_entry:
+ ce = mb_cache_entry_find_next(ea_inode_cache, ce);
+ }
+ kvfree(ea_data);
--- /dev/null
+From aff3bea95388299eec63440389b4545c8041b357 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Tue, 23 May 2023 23:49:51 -0400
+Subject: ext4: add lockdep annotations for i_data_sem for ea_inode's
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit aff3bea95388299eec63440389b4545c8041b357 upstream.
+
+Treat i_data_sem for ea_inodes as being in their own lockdep class to
+avoid lockdep complaints about ext4_setattr's use of inode_lock() on
+normal inodes potentially causing lock ordering with i_data_sem on
+ea_inodes in ext4_xattr_inode_write(). However, ea_inodes will be
+operated on by ext4_setattr(), so this isn't a problem.
+
+Cc: stable@kernel.org
+Link: https://syzkaller.appspot.com/bug?extid=298c5d8fb4a128bc27b0
+Reported-by: syzbot+298c5d8fb4a128bc27b0@syzkaller.appspotmail.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Link: https://lore.kernel.org/r/20230524034951.779531-5-tytso@mit.edu
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/ext4.h | 2 ++
+ fs/ext4/xattr.c | 4 ++++
+ 2 files changed, 6 insertions(+)
+
+--- a/fs/ext4/ext4.h
++++ b/fs/ext4/ext4.h
+@@ -1007,11 +1007,13 @@ do { \
+ * where the second inode has larger inode number
+ * than the first
+ * I_DATA_SEM_QUOTA - Used for quota inodes only
++ * I_DATA_SEM_EA - Used for ea_inodes only
+ */
+ enum {
+ I_DATA_SEM_NORMAL = 0,
+ I_DATA_SEM_OTHER,
+ I_DATA_SEM_QUOTA,
++ I_DATA_SEM_EA
+ };
+
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -125,7 +125,11 @@ ext4_expand_inode_array(struct ext4_xatt
+ #ifdef CONFIG_LOCKDEP
+ void ext4_xattr_inode_set_class(struct inode *ea_inode)
+ {
++ struct ext4_inode_info *ei = EXT4_I(ea_inode);
++
+ lockdep_set_subclass(&ea_inode->i_rwsem, 1);
++ (void) ei; /* shut up clang warning if !CONFIG_LOCKDEP */
++ lockdep_set_subclass(&ei->i_data_sem, I_DATA_SEM_EA);
+ }
+ #endif
+
--- /dev/null
+From 2bc7e7c1a3bc9bd0cbf0f71006f6fe7ef24a00c2 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Tue, 23 May 2023 23:49:50 -0400
+Subject: ext4: disallow ea_inodes with extended attributes
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 2bc7e7c1a3bc9bd0cbf0f71006f6fe7ef24a00c2 upstream.
+
+An ea_inode stores the value of an extended attribute; it can not have
+extended attributes itself, or this will cause recursive nightmares.
+Add a check in ext4_iget() to make sure this is the case.
+
+Cc: stable@kernel.org
+Reported-by: syzbot+e44749b6ba4d0434cd47@syzkaller.appspotmail.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Link: https://lore.kernel.org/r/20230524034951.779531-4-tytso@mit.edu
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/inode.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -4841,6 +4841,9 @@ static const char *check_igot_inode(stru
+ if (flags & EXT4_IGET_EA_INODE) {
+ if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL))
+ return "missing EA_INODE flag";
++ if (ext4_test_inode_state(inode, EXT4_STATE_XATTR) ||
++ EXT4_I(inode)->i_file_acl)
++ return "ea_inode with extended attributes";
+ } else {
+ if ((EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL))
+ return "unexpected EA_INODE flag";
--- /dev/null
+From b928dfdcb27d8fa59917b794cfba53052a2f050f Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Tue, 23 May 2023 23:49:49 -0400
+Subject: ext4: set lockdep subclass for the ea_inode in ext4_xattr_inode_cache_find()
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit b928dfdcb27d8fa59917b794cfba53052a2f050f upstream.
+
+If the ea_inode has been pushed out of the inode cache while there is
+still a reference in the mb_cache, the lockdep subclass will not be
+set on the inode, which can lead to some lockdep false positives.
+
+Fixes: 33d201e0277b ("ext4: fix lockdep warning about recursive inode locking")
+Cc: stable@kernel.org
+Reported-by: syzbot+d4b971e744b1f5439336@syzkaller.appspotmail.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Link: https://lore.kernel.org/r/20230524034951.779531-3-tytso@mit.edu
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/xattr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -1540,6 +1540,7 @@ ext4_xattr_inode_cache_find(struct inode
+ EXT4_IGET_EA_INODE);
+ if (IS_ERR(ea_inode))
+ goto next_entry;
++ ext4_xattr_inode_set_class(ea_inode);
+ if (i_size_read(ea_inode) == value_len &&
+ !ext4_xattr_inode_read(ea_inode, ea_data, value_len) &&
+ !ext4_xattr_inode_verify_hashes(ea_inode, NULL, ea_data,
--- /dev/null
+From d78bd6cc68276bd57f766f7cb98bfe32c23ab327 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sat, 27 May 2023 08:41:09 +0200
+Subject: fbcon: Fix null-ptr-deref in soft_cursor
+
+From: Helge Deller <deller@gmx.de>
+
+commit d78bd6cc68276bd57f766f7cb98bfe32c23ab327 upstream.
+
+syzbot repored this bug in the softcursor code:
+
+BUG: KASAN: null-ptr-deref in soft_cursor+0x384/0x6b4 drivers/video/fbdev/core/softcursor.c:70
+Read of size 16 at addr 0000000000000200 by task kworker/u4:1/12
+
+CPU: 0 PID: 12 Comm: kworker/u4:1 Not tainted 6.4.0-rc3-syzkaller-geb0f1697d729 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
+Workqueue: events_power_efficient fb_flashcursor
+Call trace:
+ dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:233
+ show_stack+0x2c/0x44 arch/arm64/kernel/stacktrace.c:240
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
+ print_report+0xe4/0x514 mm/kasan/report.c:465
+ kasan_report+0xd4/0x130 mm/kasan/report.c:572
+ kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:187
+ __asan_memcpy+0x3c/0x84 mm/kasan/shadow.c:105
+ soft_cursor+0x384/0x6b4 drivers/video/fbdev/core/softcursor.c:70
+ bit_cursor+0x113c/0x1a64 drivers/video/fbdev/core/bitblit.c:377
+ fb_flashcursor+0x35c/0x54c drivers/video/fbdev/core/fbcon.c:380
+ process_one_work+0x788/0x12d4 kernel/workqueue.c:2405
+ worker_thread+0x8e0/0xfe8 kernel/workqueue.c:2552
+ kthread+0x288/0x310 kernel/kthread.c:379
+ ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:853
+
+This fix let bit_cursor() bail out early when a font bitmap
+isn't available yet.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Reported-by: syzbot+d910bd780e6efac35869@syzkaller.appspotmail.com
+Acked-by: Sam Ravnborg <sam@ravnborg.org>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/core/bitblit.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/video/fbdev/core/bitblit.c
++++ b/drivers/video/fbdev/core/bitblit.c
+@@ -247,6 +247,9 @@ static void bit_cursor(struct vc_data *v
+
+ cursor.set = 0;
+
++ if (!vc->vc_font.data)
++ return;
++
+ c = scr_readw((u16 *) vc->vc_pos);
+ attribute = get_attribute(info, c);
+ src = vc->vc_font.data + ((c & charmask) * (w * vc->vc_font.height));
--- /dev/null
+From 4ea0bf4b98d66a7a790abb285539f395596bae92 Mon Sep 17 00:00:00 2001
+From: Ben Noordhuis <info@bnoordhuis.nl>
+Date: Sat, 6 May 2023 11:55:02 +0200
+Subject: io_uring: undeprecate epoll_ctl support
+
+From: Ben Noordhuis <info@bnoordhuis.nl>
+
+commit 4ea0bf4b98d66a7a790abb285539f395596bae92 upstream.
+
+Libuv recently started using it so there is at least one consumer now.
+
+Cc: stable@vger.kernel.org
+Fixes: 61a2732af4b0 ("io_uring: deprecate epoll_ctl support")
+Link: https://github.com/libuv/libuv/pull/3979
+Signed-off-by: Ben Noordhuis <info@bnoordhuis.nl>
+Link: https://lore.kernel.org/r/20230506095502.13401-1-info@bnoordhuis.nl
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/epoll.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/io_uring/epoll.c
++++ b/io_uring/epoll.c
+@@ -25,10 +25,6 @@ int io_epoll_ctl_prep(struct io_kiocb *r
+ {
+ struct io_epoll *epoll = io_kiocb_to_cmd(req, struct io_epoll);
+
+- pr_warn_once("%s: epoll_ctl support in io_uring is deprecated and will "
+- "be removed in a future Linux kernel version.\n",
+- current->comm);
+-
+ if (sqe->buf_index || sqe->splice_fd_in)
+ return -EINVAL;
+
--- /dev/null
+From 84c5aa47925a1f40d698b6a6a2bf67e99617433d Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Fri, 12 May 2023 23:29:12 +0900
+Subject: ksmbd: fix credit count leakage
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 84c5aa47925a1f40d698b6a6a2bf67e99617433d upstream.
+
+This patch fix the failure from smb2.credits.single_req_credits_granted
+test. When client send 8192 credit request, ksmbd return 8191 credit
+granted. ksmbd should give maximum possible credits that must be granted
+within the range of not exceeding the max credit to client.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ksmbd/smb2pdu.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -326,13 +326,9 @@ int smb2_set_rsp_credits(struct ksmbd_wo
+ if (hdr->Command == SMB2_NEGOTIATE)
+ aux_max = 1;
+ else
+- aux_max = conn->vals->max_credits - credit_charge;
++ aux_max = conn->vals->max_credits - conn->total_credits;
+ credits_granted = min_t(unsigned short, credits_requested, aux_max);
+
+- if (conn->vals->max_credits - conn->total_credits < credits_granted)
+- credits_granted = conn->vals->max_credits -
+- conn->total_credits;
+-
+ conn->total_credits += credits_granted;
+ work->credits_granted += credits_granted;
+
--- /dev/null
+From 6cc2268f5647cbfde3d4fc2e4ee005070ea3a8d2 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Fri, 19 May 2023 23:11:33 +0900
+Subject: ksmbd: fix incorrect AllocationSize set in smb2_get_info
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 6cc2268f5647cbfde3d4fc2e4ee005070ea3a8d2 upstream.
+
+If filesystem support sparse file, ksmbd should return allocated size
+using ->i_blocks instead of stat->size. This fix generic/694 xfstests.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ksmbd/smb2pdu.c | 21 +++------------------
+ 1 file changed, 3 insertions(+), 18 deletions(-)
+
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -4380,21 +4380,6 @@ static int get_file_basic_info(struct sm
+ return 0;
+ }
+
+-static unsigned long long get_allocation_size(struct inode *inode,
+- struct kstat *stat)
+-{
+- unsigned long long alloc_size = 0;
+-
+- if (!S_ISDIR(stat->mode)) {
+- if ((inode->i_blocks << 9) <= stat->size)
+- alloc_size = stat->size;
+- else
+- alloc_size = inode->i_blocks << 9;
+- }
+-
+- return alloc_size;
+-}
+-
+ static void get_file_standard_info(struct smb2_query_info_rsp *rsp,
+ struct ksmbd_file *fp, void *rsp_org)
+ {
+@@ -4409,7 +4394,7 @@ static void get_file_standard_info(struc
+ sinfo = (struct smb2_file_standard_info *)rsp->Buffer;
+ delete_pending = ksmbd_inode_pending_delete(fp);
+
+- sinfo->AllocationSize = cpu_to_le64(get_allocation_size(inode, &stat));
++ sinfo->AllocationSize = cpu_to_le64(inode->i_blocks << 9);
+ sinfo->EndOfFile = S_ISDIR(stat.mode) ? 0 : cpu_to_le64(stat.size);
+ sinfo->NumberOfLinks = cpu_to_le32(get_nlink(&stat) - delete_pending);
+ sinfo->DeletePending = delete_pending;
+@@ -4474,7 +4459,7 @@ static int get_file_all_info(struct ksmb
+ file_info->Attributes = fp->f_ci->m_fattr;
+ file_info->Pad1 = 0;
+ file_info->AllocationSize =
+- cpu_to_le64(get_allocation_size(inode, &stat));
++ cpu_to_le64(inode->i_blocks << 9);
+ file_info->EndOfFile = S_ISDIR(stat.mode) ? 0 : cpu_to_le64(stat.size);
+ file_info->NumberOfLinks =
+ cpu_to_le32(get_nlink(&stat) - delete_pending);
+@@ -4663,7 +4648,7 @@ static int get_file_network_open_info(st
+ file_info->ChangeTime = cpu_to_le64(time);
+ file_info->Attributes = fp->f_ci->m_fattr;
+ file_info->AllocationSize =
+- cpu_to_le64(get_allocation_size(inode, &stat));
++ cpu_to_le64(inode->i_blocks << 9);
+ file_info->EndOfFile = S_ISDIR(stat.mode) ? 0 : cpu_to_le64(stat.size);
+ file_info->Reserved = cpu_to_le32(0);
+ rsp->OutputBufferLength =
--- /dev/null
+From 0512a5f89e1fae74251fde6893ff634f1c96c6fb Mon Sep 17 00:00:00 2001
+From: Kuan-Ting Chen <h3xrabbit@gmail.com>
+Date: Fri, 19 May 2023 23:00:24 +0900
+Subject: ksmbd: fix multiple out-of-bounds read during context decoding
+
+From: Kuan-Ting Chen <h3xrabbit@gmail.com>
+
+commit 0512a5f89e1fae74251fde6893ff634f1c96c6fb upstream.
+
+Check the remaining data length before accessing the context structure
+to ensure that the entire structure is contained within the packet.
+Additionally, since the context data length `ctxt_len` has already been
+checked against the total packet length `len_of_ctxts`, update the
+comparison to use `ctxt_len`.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Kuan-Ting Chen <h3xrabbit@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ksmbd/smb2pdu.c | 53 ++++++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 34 insertions(+), 19 deletions(-)
+
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -873,13 +873,14 @@ static void assemble_neg_contexts(struct
+
+ static __le32 decode_preauth_ctxt(struct ksmbd_conn *conn,
+ struct smb2_preauth_neg_context *pneg_ctxt,
+- int len_of_ctxts)
++ int ctxt_len)
+ {
+ /*
+ * sizeof(smb2_preauth_neg_context) assumes SMB311_SALT_SIZE Salt,
+ * which may not be present. Only check for used HashAlgorithms[1].
+ */
+- if (len_of_ctxts < MIN_PREAUTH_CTXT_DATA_LEN)
++ if (ctxt_len <
++ sizeof(struct smb2_neg_context) + MIN_PREAUTH_CTXT_DATA_LEN)
+ return STATUS_INVALID_PARAMETER;
+
+ if (pneg_ctxt->HashAlgorithms != SMB2_PREAUTH_INTEGRITY_SHA512)
+@@ -891,15 +892,23 @@ static __le32 decode_preauth_ctxt(struct
+
+ static void decode_encrypt_ctxt(struct ksmbd_conn *conn,
+ struct smb2_encryption_neg_context *pneg_ctxt,
+- int len_of_ctxts)
++ int ctxt_len)
+ {
+- int cph_cnt = le16_to_cpu(pneg_ctxt->CipherCount);
+- int i, cphs_size = cph_cnt * sizeof(__le16);
++ int cph_cnt;
++ int i, cphs_size;
++
++ if (sizeof(struct smb2_encryption_neg_context) > ctxt_len) {
++ pr_err("Invalid SMB2_ENCRYPTION_CAPABILITIES context size\n");
++ return;
++ }
+
+ conn->cipher_type = 0;
+
++ cph_cnt = le16_to_cpu(pneg_ctxt->CipherCount);
++ cphs_size = cph_cnt * sizeof(__le16);
++
+ if (sizeof(struct smb2_encryption_neg_context) + cphs_size >
+- len_of_ctxts) {
++ ctxt_len) {
+ pr_err("Invalid cipher count(%d)\n", cph_cnt);
+ return;
+ }
+@@ -947,15 +956,22 @@ static void decode_compress_ctxt(struct
+
+ static void decode_sign_cap_ctxt(struct ksmbd_conn *conn,
+ struct smb2_signing_capabilities *pneg_ctxt,
+- int len_of_ctxts)
++ int ctxt_len)
+ {
+- int sign_algo_cnt = le16_to_cpu(pneg_ctxt->SigningAlgorithmCount);
+- int i, sign_alos_size = sign_algo_cnt * sizeof(__le16);
++ int sign_algo_cnt;
++ int i, sign_alos_size;
++
++ if (sizeof(struct smb2_signing_capabilities) > ctxt_len) {
++ pr_err("Invalid SMB2_SIGNING_CAPABILITIES context length\n");
++ return;
++ }
+
+ conn->signing_negotiated = false;
++ sign_algo_cnt = le16_to_cpu(pneg_ctxt->SigningAlgorithmCount);
++ sign_alos_size = sign_algo_cnt * sizeof(__le16);
+
+ if (sizeof(struct smb2_signing_capabilities) + sign_alos_size >
+- len_of_ctxts) {
++ ctxt_len) {
+ pr_err("Invalid signing algorithm count(%d)\n", sign_algo_cnt);
+ return;
+ }
+@@ -993,18 +1009,16 @@ static __le32 deassemble_neg_contexts(st
+ len_of_ctxts = len_of_smb - offset;
+
+ while (i++ < neg_ctxt_cnt) {
+- int clen;
+-
+- /* check that offset is not beyond end of SMB */
+- if (len_of_ctxts == 0)
+- break;
++ int clen, ctxt_len;
+
+ if (len_of_ctxts < sizeof(struct smb2_neg_context))
+ break;
+
+ pctx = (struct smb2_neg_context *)((char *)pctx + offset);
+ clen = le16_to_cpu(pctx->DataLength);
+- if (clen + sizeof(struct smb2_neg_context) > len_of_ctxts)
++ ctxt_len = clen + sizeof(struct smb2_neg_context);
++
++ if (ctxt_len > len_of_ctxts)
+ break;
+
+ if (pctx->ContextType == SMB2_PREAUTH_INTEGRITY_CAPABILITIES) {
+@@ -1015,7 +1029,7 @@ static __le32 deassemble_neg_contexts(st
+
+ status = decode_preauth_ctxt(conn,
+ (struct smb2_preauth_neg_context *)pctx,
+- len_of_ctxts);
++ ctxt_len);
+ if (status != STATUS_SUCCESS)
+ break;
+ } else if (pctx->ContextType == SMB2_ENCRYPTION_CAPABILITIES) {
+@@ -1026,7 +1040,7 @@ static __le32 deassemble_neg_contexts(st
+
+ decode_encrypt_ctxt(conn,
+ (struct smb2_encryption_neg_context *)pctx,
+- len_of_ctxts);
++ ctxt_len);
+ } else if (pctx->ContextType == SMB2_COMPRESSION_CAPABILITIES) {
+ ksmbd_debug(SMB,
+ "deassemble SMB2_COMPRESSION_CAPABILITIES context\n");
+@@ -1045,9 +1059,10 @@ static __le32 deassemble_neg_contexts(st
+ } else if (pctx->ContextType == SMB2_SIGNING_CAPABILITIES) {
+ ksmbd_debug(SMB,
+ "deassemble SMB2_SIGNING_CAPABILITIES context\n");
++
+ decode_sign_cap_ctxt(conn,
+ (struct smb2_signing_capabilities *)pctx,
+- len_of_ctxts);
++ ctxt_len);
+ }
+
+ /* offsets must be 8 byte aligned */
--- /dev/null
+From d738950f112c8f40f0515fe967db998e8235a175 Mon Sep 17 00:00:00 2001
+From: Kuan-Ting Chen <h3xrabbit@gmail.com>
+Date: Fri, 19 May 2023 22:59:28 +0900
+Subject: ksmbd: fix slab-out-of-bounds read in smb2_handle_negotiate
+
+From: Kuan-Ting Chen <h3xrabbit@gmail.com>
+
+commit d738950f112c8f40f0515fe967db998e8235a175 upstream.
+
+Check request_buf length first to avoid out-of-bounds read by
+req->DialectCount.
+
+[ 3350.990282] BUG: KASAN: slab-out-of-bounds in smb2_handle_negotiate+0x35d7/0x3e60
+[ 3350.990282] Read of size 2 at addr ffff88810ad61346 by task kworker/5:0/276
+[ 3351.000406] Workqueue: ksmbd-io handle_ksmbd_work
+[ 3351.003499] Call Trace:
+[ 3351.006473] <TASK>
+[ 3351.006473] dump_stack_lvl+0x8d/0xe0
+[ 3351.006473] print_report+0xcc/0x620
+[ 3351.006473] kasan_report+0x92/0xc0
+[ 3351.006473] smb2_handle_negotiate+0x35d7/0x3e60
+[ 3351.014760] ksmbd_smb_negotiate_common+0x7a7/0xf00
+[ 3351.014760] handle_ksmbd_work+0x3f7/0x12d0
+[ 3351.014760] process_one_work+0xa85/0x1780
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Kuan-Ting Chen <h3xrabbit@gmail.com>
+Acked-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ksmbd/smb2pdu.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -1081,16 +1081,16 @@ int smb2_handle_negotiate(struct ksmbd_w
+ return rc;
+ }
+
+- if (req->DialectCount == 0) {
+- pr_err("malformed packet\n");
++ smb2_buf_len = get_rfc1002_len(work->request_buf);
++ smb2_neg_size = offsetof(struct smb2_negotiate_req, Dialects);
++ if (smb2_neg_size > smb2_buf_len) {
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ rc = -EINVAL;
+ goto err_out;
+ }
+
+- smb2_buf_len = get_rfc1002_len(work->request_buf);
+- smb2_neg_size = offsetof(struct smb2_negotiate_req, Dialects);
+- if (smb2_neg_size > smb2_buf_len) {
++ if (req->DialectCount == 0) {
++ pr_err("malformed packet\n");
+ rsp->hdr.Status = STATUS_INVALID_PARAMETER;
+ rc = -EINVAL;
+ goto err_out;
--- /dev/null
+From 36322523dddb11107e9f7f528675a0dec2536103 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Fri, 19 May 2023 23:09:48 +0900
+Subject: ksmbd: fix UAF issue from opinfo->conn
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 36322523dddb11107e9f7f528675a0dec2536103 upstream.
+
+If opinfo->conn is another connection and while ksmbd send oplock break
+request to cient on current connection, The connection for opinfo->conn
+can be disconnect and conn could be freed. When sending oplock break
+request, this ksmbd_conn can be used and cause user-after-free issue.
+When getting opinfo from the list, ksmbd check connection is being
+released. If it is not released, Increase ->r_count to wait that connection
+is freed.
+
+Cc: stable@vger.kernel.org
+Reported-by: Per Forlin <per.forlin@axis.com>
+Tested-by: Per Forlin <per.forlin@axis.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ksmbd/oplock.c | 72 +++++++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 47 insertions(+), 25 deletions(-)
+
+--- a/fs/ksmbd/oplock.c
++++ b/fs/ksmbd/oplock.c
+@@ -157,13 +157,42 @@ static struct oplock_info *opinfo_get_li
+ rcu_read_lock();
+ opinfo = list_first_or_null_rcu(&ci->m_op_list, struct oplock_info,
+ op_entry);
+- if (opinfo && !atomic_inc_not_zero(&opinfo->refcount))
+- opinfo = NULL;
++ if (opinfo) {
++ if (!atomic_inc_not_zero(&opinfo->refcount))
++ opinfo = NULL;
++ else {
++ atomic_inc(&opinfo->conn->r_count);
++ if (ksmbd_conn_releasing(opinfo->conn)) {
++ atomic_dec(&opinfo->conn->r_count);
++ atomic_dec(&opinfo->refcount);
++ opinfo = NULL;
++ }
++ }
++ }
++
+ rcu_read_unlock();
+
+ return opinfo;
+ }
+
++static void opinfo_conn_put(struct oplock_info *opinfo)
++{
++ struct ksmbd_conn *conn;
++
++ if (!opinfo)
++ return;
++
++ conn = opinfo->conn;
++ /*
++ * Checking waitqueue to dropping pending requests on
++ * disconnection. waitqueue_active is safe because it
++ * uses atomic operation for condition.
++ */
++ if (!atomic_dec_return(&conn->r_count) && waitqueue_active(&conn->r_count_q))
++ wake_up(&conn->r_count_q);
++ opinfo_put(opinfo);
++}
++
+ void opinfo_put(struct oplock_info *opinfo)
+ {
+ if (!atomic_dec_and_test(&opinfo->refcount))
+@@ -666,13 +695,6 @@ static void __smb2_oplock_break_noti(str
+
+ out:
+ ksmbd_free_work_struct(work);
+- /*
+- * Checking waitqueue to dropping pending requests on
+- * disconnection. waitqueue_active is safe because it
+- * uses atomic operation for condition.
+- */
+- if (!atomic_dec_return(&conn->r_count) && waitqueue_active(&conn->r_count_q))
+- wake_up(&conn->r_count_q);
+ }
+
+ /**
+@@ -706,7 +728,6 @@ static int smb2_oplock_break_noti(struct
+ work->conn = conn;
+ work->sess = opinfo->sess;
+
+- atomic_inc(&conn->r_count);
+ if (opinfo->op_state == OPLOCK_ACK_WAIT) {
+ INIT_WORK(&work->work, __smb2_oplock_break_noti);
+ ksmbd_queue_work(work);
+@@ -776,13 +797,6 @@ static void __smb2_lease_break_noti(stru
+
+ out:
+ ksmbd_free_work_struct(work);
+- /*
+- * Checking waitqueue to dropping pending requests on
+- * disconnection. waitqueue_active is safe because it
+- * uses atomic operation for condition.
+- */
+- if (!atomic_dec_return(&conn->r_count) && waitqueue_active(&conn->r_count_q))
+- wake_up(&conn->r_count_q);
+ }
+
+ /**
+@@ -822,7 +836,6 @@ static int smb2_lease_break_noti(struct
+ work->conn = conn;
+ work->sess = opinfo->sess;
+
+- atomic_inc(&conn->r_count);
+ if (opinfo->op_state == OPLOCK_ACK_WAIT) {
+ list_for_each_safe(tmp, t, &opinfo->interim_list) {
+ struct ksmbd_work *in_work;
+@@ -1144,8 +1157,10 @@ int smb_grant_oplock(struct ksmbd_work *
+ }
+ prev_opinfo = opinfo_get_list(ci);
+ if (!prev_opinfo ||
+- (prev_opinfo->level == SMB2_OPLOCK_LEVEL_NONE && lctx))
++ (prev_opinfo->level == SMB2_OPLOCK_LEVEL_NONE && lctx)) {
++ opinfo_conn_put(prev_opinfo);
+ goto set_lev;
++ }
+ prev_op_has_lease = prev_opinfo->is_lease;
+ if (prev_op_has_lease)
+ prev_op_state = prev_opinfo->o_lease->state;
+@@ -1153,19 +1168,19 @@ int smb_grant_oplock(struct ksmbd_work *
+ if (share_ret < 0 &&
+ prev_opinfo->level == SMB2_OPLOCK_LEVEL_EXCLUSIVE) {
+ err = share_ret;
+- opinfo_put(prev_opinfo);
++ opinfo_conn_put(prev_opinfo);
+ goto err_out;
+ }
+
+ if (prev_opinfo->level != SMB2_OPLOCK_LEVEL_BATCH &&
+ prev_opinfo->level != SMB2_OPLOCK_LEVEL_EXCLUSIVE) {
+- opinfo_put(prev_opinfo);
++ opinfo_conn_put(prev_opinfo);
+ goto op_break_not_needed;
+ }
+
+ list_add(&work->interim_entry, &prev_opinfo->interim_list);
+ err = oplock_break(prev_opinfo, SMB2_OPLOCK_LEVEL_II);
+- opinfo_put(prev_opinfo);
++ opinfo_conn_put(prev_opinfo);
+ if (err == -ENOENT)
+ goto set_lev;
+ /* Check all oplock was freed by close */
+@@ -1228,14 +1243,14 @@ static void smb_break_all_write_oplock(s
+ return;
+ if (brk_opinfo->level != SMB2_OPLOCK_LEVEL_BATCH &&
+ brk_opinfo->level != SMB2_OPLOCK_LEVEL_EXCLUSIVE) {
+- opinfo_put(brk_opinfo);
++ opinfo_conn_put(brk_opinfo);
+ return;
+ }
+
+ brk_opinfo->open_trunc = is_trunc;
+ list_add(&work->interim_entry, &brk_opinfo->interim_list);
+ oplock_break(brk_opinfo, SMB2_OPLOCK_LEVEL_II);
+- opinfo_put(brk_opinfo);
++ opinfo_conn_put(brk_opinfo);
+ }
+
+ /**
+@@ -1263,6 +1278,13 @@ void smb_break_all_levII_oplock(struct k
+ list_for_each_entry_rcu(brk_op, &ci->m_op_list, op_entry) {
+ if (!atomic_inc_not_zero(&brk_op->refcount))
+ continue;
++
++ atomic_inc(&brk_op->conn->r_count);
++ if (ksmbd_conn_releasing(brk_op->conn)) {
++ atomic_dec(&brk_op->conn->r_count);
++ continue;
++ }
++
+ rcu_read_unlock();
+ if (brk_op->is_lease && (brk_op->o_lease->state &
+ (~(SMB2_LEASE_READ_CACHING_LE |
+@@ -1292,7 +1314,7 @@ void smb_break_all_levII_oplock(struct k
+ brk_op->open_trunc = is_trunc;
+ oplock_break(brk_op, SMB2_OPLOCK_LEVEL_NONE);
+ next:
+- opinfo_put(brk_op);
++ opinfo_conn_put(brk_op);
+ rcu_read_lock();
+ }
+ rcu_read_unlock();
--- /dev/null
+From f6a27d6dc51b288106adaf053cff9c9b9cc12c4e Mon Sep 17 00:00:00 2001
+From: Oliver Upton <oliver.upton@linux.dev>
+Date: Tue, 30 May 2023 19:32:13 +0000
+Subject: KVM: arm64: Drop last page ref in kvm_pgtable_stage2_free_removed()
+
+From: Oliver Upton <oliver.upton@linux.dev>
+
+commit f6a27d6dc51b288106adaf053cff9c9b9cc12c4e upstream.
+
+The reference count on page table allocations is increased for every
+'counted' PTE (valid or donated) in the table in addition to the initial
+reference from ->zalloc_page(). kvm_pgtable_stage2_free_removed() fails
+to drop the last reference on the root of the table walk, meaning we
+leak memory.
+
+Fix it by dropping the last reference after the free walker returns,
+at which point all references for 'counted' PTEs have been released.
+
+Cc: stable@vger.kernel.org
+Fixes: 5c359cca1faf ("KVM: arm64: Tear down unlinked stage-2 subtree after break-before-make")
+Reported-by: Yu Zhao <yuzhao@google.com>
+Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
+Tested-by: Yu Zhao <yuzhao@google.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20230530193213.1663411-1-oliver.upton@linux.dev
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kvm/hyp/pgtable.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/arm64/kvm/hyp/pgtable.c
++++ b/arch/arm64/kvm/hyp/pgtable.c
+@@ -1333,4 +1333,7 @@ void kvm_pgtable_stage2_free_removed(str
+ };
+
+ WARN_ON(__kvm_pgtable_walk(&data, mm_ops, ptep, level + 1));
++
++ WARN_ON(mm_ops->page_count(pgtable) != 1);
++ mm_ops->put_page(pgtable);
+ }
--- /dev/null
+From 811154e234db72f0a11557a84ba9640f8b3bc823 Mon Sep 17 00:00:00 2001
+From: Akihiko Odaki <akihiko.odaki@daynix.com>
+Date: Tue, 30 May 2023 11:46:51 +0900
+Subject: KVM: arm64: Populate fault info for watchpoint
+
+From: Akihiko Odaki <akihiko.odaki@daynix.com>
+
+commit 811154e234db72f0a11557a84ba9640f8b3bc823 upstream.
+
+When handling ESR_ELx_EC_WATCHPT_LOW, far_el2 member of struct
+kvm_vcpu_fault_info will be copied to far member of struct
+kvm_debug_exit_arch and exposed to the userspace. The userspace will
+see stale values from older faults if the fault info does not get
+populated.
+
+Fixes: 8fb2046180a0 ("KVM: arm64: Move early handlers to per-EC handlers")
+Suggested-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20230530024651.10014-1-akihiko.odaki@daynix.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kvm/hyp/include/hyp/switch.h | 8 ++++++--
+ arch/arm64/kvm/hyp/nvhe/switch.c | 2 ++
+ arch/arm64/kvm/hyp/vhe/switch.c | 1 +
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/kvm/hyp/include/hyp/switch.h
++++ b/arch/arm64/kvm/hyp/include/hyp/switch.h
+@@ -351,17 +351,21 @@ static bool kvm_hyp_handle_cp15_32(struc
+ return false;
+ }
+
+-static bool kvm_hyp_handle_iabt_low(struct kvm_vcpu *vcpu, u64 *exit_code)
++static bool kvm_hyp_handle_memory_fault(struct kvm_vcpu *vcpu, u64 *exit_code)
+ {
+ if (!__populate_fault_info(vcpu))
+ return true;
+
+ return false;
+ }
++static bool kvm_hyp_handle_iabt_low(struct kvm_vcpu *vcpu, u64 *exit_code)
++ __alias(kvm_hyp_handle_memory_fault);
++static bool kvm_hyp_handle_watchpt_low(struct kvm_vcpu *vcpu, u64 *exit_code)
++ __alias(kvm_hyp_handle_memory_fault);
+
+ static bool kvm_hyp_handle_dabt_low(struct kvm_vcpu *vcpu, u64 *exit_code)
+ {
+- if (!__populate_fault_info(vcpu))
++ if (kvm_hyp_handle_memory_fault(vcpu, exit_code))
+ return true;
+
+ if (static_branch_unlikely(&vgic_v2_cpuif_trap)) {
+--- a/arch/arm64/kvm/hyp/nvhe/switch.c
++++ b/arch/arm64/kvm/hyp/nvhe/switch.c
+@@ -186,6 +186,7 @@ static const exit_handler_fn hyp_exit_ha
+ [ESR_ELx_EC_FP_ASIMD] = kvm_hyp_handle_fpsimd,
+ [ESR_ELx_EC_IABT_LOW] = kvm_hyp_handle_iabt_low,
+ [ESR_ELx_EC_DABT_LOW] = kvm_hyp_handle_dabt_low,
++ [ESR_ELx_EC_WATCHPT_LOW] = kvm_hyp_handle_watchpt_low,
+ [ESR_ELx_EC_PAC] = kvm_hyp_handle_ptrauth,
+ };
+
+@@ -196,6 +197,7 @@ static const exit_handler_fn pvm_exit_ha
+ [ESR_ELx_EC_FP_ASIMD] = kvm_hyp_handle_fpsimd,
+ [ESR_ELx_EC_IABT_LOW] = kvm_hyp_handle_iabt_low,
+ [ESR_ELx_EC_DABT_LOW] = kvm_hyp_handle_dabt_low,
++ [ESR_ELx_EC_WATCHPT_LOW] = kvm_hyp_handle_watchpt_low,
+ [ESR_ELx_EC_PAC] = kvm_hyp_handle_ptrauth,
+ };
+
+--- a/arch/arm64/kvm/hyp/vhe/switch.c
++++ b/arch/arm64/kvm/hyp/vhe/switch.c
+@@ -110,6 +110,7 @@ static const exit_handler_fn hyp_exit_ha
+ [ESR_ELx_EC_FP_ASIMD] = kvm_hyp_handle_fpsimd,
+ [ESR_ELx_EC_IABT_LOW] = kvm_hyp_handle_iabt_low,
+ [ESR_ELx_EC_DABT_LOW] = kvm_hyp_handle_dabt_low,
++ [ESR_ELx_EC_WATCHPT_LOW] = kvm_hyp_handle_watchpt_low,
+ [ESR_ELx_EC_PAC] = kvm_hyp_handle_ptrauth,
+ };
+
--- /dev/null
+From 8b703a49c9df5e74870381ad7ba9c85d8a74ed2c Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Thu, 1 Jun 2023 18:19:19 -0700
+Subject: KVM: x86: Account fastpath-only VM-Exits in vCPU stats
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 8b703a49c9df5e74870381ad7ba9c85d8a74ed2c upstream.
+
+Increment vcpu->stat.exits when handling a fastpath VM-Exit without
+going through any part of the "slow" path. Not bumping the exits stat
+can result in wildly misleading exit counts, e.g. if the primary reason
+the guest is exiting is to program the TSC deadline timer.
+
+Fixes: 404d5d7bff0d ("KVM: X86: Introduce more exit_fastpath_completion enum values")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230602011920.787844-2-seanjc@google.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/x86.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -10682,6 +10682,9 @@ static int vcpu_enter_guest(struct kvm_v
+ exit_fastpath = EXIT_FASTPATH_EXIT_HANDLED;
+ break;
+ }
++
++ /* Note, VM-Exits that go down the "slow" path are accounted below. */
++ ++vcpu->stat.exits;
+ }
+
+ /*
--- /dev/null
+From 4364b287982bd05bfafa461c80650c732001974b Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Fri, 2 Jun 2023 16:32:48 -0700
+Subject: KVM: x86: Bail from kvm_recalculate_phys_map() if x2APIC ID is out-of-bounds
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 4364b287982bd05bfafa461c80650c732001974b upstream.
+
+Bail from kvm_recalculate_phys_map() and disable the optimized map if the
+target vCPU's x2APIC ID is out-of-bounds, i.e. if the vCPU was added
+and/or enabled its local APIC after the map was allocated. This fixes an
+out-of-bounds access bug in the !x2apic_format path where KVM would write
+beyond the end of phys_map.
+
+Check the x2APIC ID regardless of whether or not x2APIC is enabled,
+as KVM's hardcodes x2APIC ID to be the vCPU ID, i.e. it can't change, and
+the map allocation in kvm_recalculate_apic_map() doesn't check for x2APIC
+being enabled, i.e. the check won't get false postivies.
+
+Note, this also affects the x2apic_format path, which previously just
+ignored the "x2apic_id > new->max_apic_id" case. That too is arguably a
+bug fix, as ignoring the vCPU meant that KVM would not send interrupts to
+the vCPU until the next map recalculation. In practice, that "bug" is
+likely benign as a newly present vCPU/APIC would immediately trigger a
+recalc. But, there's no functional downside to disabling the map, and
+a future patch will gracefully handle the -E2BIG case by retrying instead
+of simply disabling the optimized map.
+
+Opportunistically add a sanity check on the xAPIC ID size, along with a
+comment explaining why the xAPIC ID is guaranteed to be "good".
+
+Reported-by: Michal Luczaj <mhal@rbox.co>
+Fixes: 5b84b0291702 ("KVM: x86: Honor architectural behavior for aliased 8-bit APIC IDs")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230602233250.1014316-2-seanjc@google.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/lapic.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/lapic.c
++++ b/arch/x86/kvm/lapic.c
+@@ -229,6 +229,23 @@ static int kvm_recalculate_phys_map(stru
+ u32 physical_id;
+
+ /*
++ * For simplicity, KVM always allocates enough space for all possible
++ * xAPIC IDs. Yell, but don't kill the VM, as KVM can continue on
++ * without the optimized map.
++ */
++ if (WARN_ON_ONCE(xapic_id > new->max_apic_id))
++ return -EINVAL;
++
++ /*
++ * Bail if a vCPU was added and/or enabled its APIC between allocating
++ * the map and doing the actual calculations for the map. Note, KVM
++ * hardcodes the x2APIC ID to vcpu_id, i.e. there's no TOCTOU bug if
++ * the compiler decides to reload x2apic_id after this check.
++ */
++ if (x2apic_id > new->max_apic_id)
++ return -E2BIG;
++
++ /*
+ * Deliberately truncate the vCPU ID when detecting a mismatched APIC
+ * ID to avoid false positives if the vCPU ID, i.e. x2APIC ID, is a
+ * 32-bit value. Any unwanted aliasing due to truncation results will
+@@ -253,8 +270,7 @@ static int kvm_recalculate_phys_map(stru
+ */
+ if (vcpu->kvm->arch.x2apic_format) {
+ /* See also kvm_apic_match_physical_addr(). */
+- if ((apic_x2apic_mode(apic) || x2apic_id > 0xff) &&
+- x2apic_id <= new->max_apic_id)
++ if (apic_x2apic_mode(apic) || x2apic_id > 0xff)
+ new->phys_map[x2apic_id] = apic;
+
+ if (!apic_x2apic_mode(apic) && !new->phys_map[xapic_id])
--- /dev/null
+From 817fa998362d6ea9fabd5e97af8e9e2eb5f0e6f2 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Thu, 1 Jun 2023 18:01:37 -0700
+Subject: KVM: x86/mmu: Grab memslot for correct address space in NX recovery worker
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 817fa998362d6ea9fabd5e97af8e9e2eb5f0e6f2 upstream.
+
+Factor in the address space (non-SMM vs. SMM) of the target shadow page
+when recovering potential NX huge pages, otherwise KVM will retrieve the
+wrong memslot when zapping shadow pages that were created for SMM. The
+bug most visibly manifests as a WARN on the memslot being non-NULL, but
+the worst case scenario is that KVM could unaccount the shadow page
+without ensuring KVM won't install a huge page, i.e. if the non-SMM slot
+is being dirty logged, but the SMM slot is not.
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 1 PID: 3911 at arch/x86/kvm/mmu/mmu.c:7015
+ kvm_nx_huge_page_recovery_worker+0x38c/0x3d0 [kvm]
+ CPU: 1 PID: 3911 Comm: kvm-nx-lpage-re
+ RIP: 0010:kvm_nx_huge_page_recovery_worker+0x38c/0x3d0 [kvm]
+ RSP: 0018:ffff99b284f0be68 EFLAGS: 00010246
+ RAX: 0000000000000000 RBX: ffff99b284edd000 RCX: 0000000000000000
+ RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+ RBP: ffff9271397024e0 R08: 0000000000000000 R09: ffff927139702450
+ R10: 0000000000000000 R11: 0000000000000001 R12: ffff99b284f0be98
+ R13: 0000000000000000 R14: ffff9270991fcd80 R15: 0000000000000003
+ FS: 0000000000000000(0000) GS:ffff927f9f640000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007f0aacad3ae0 CR3: 000000088fc2c005 CR4: 00000000003726e0
+ Call Trace:
+ <TASK>
+__pfx_kvm_nx_huge_page_recovery_worker+0x10/0x10 [kvm]
+ kvm_vm_worker_thread+0x106/0x1c0 [kvm]
+ kthread+0xd9/0x100
+ ret_from_fork+0x2c/0x50
+ </TASK>
+ ---[ end trace 0000000000000000 ]---
+
+This bug was exposed by commit edbdb43fc96b ("KVM: x86: Preserve TDP MMU
+roots until they are explicitly invalidated"), which allowed KVM to retain
+SMM TDP MMU roots effectively indefinitely. Before commit edbdb43fc96b,
+KVM would zap all SMM TDP MMU roots and thus all SMM TDP MMU shadow pages
+once all vCPUs exited SMM, which made the window where this bug (recovering
+an SMM NX huge page) could be encountered quite tiny. To hit the bug, the
+NX recovery thread would have to run while at least one vCPU was in SMM.
+Most VMs typically only use SMM during boot, and so the problematic shadow
+pages were gone by the time the NX recovery thread ran.
+
+Now that KVM preserves TDP MMU roots until they are explicitly invalidated
+(e.g. by a memslot deletion), the window to trigger the bug is effectively
+never closed because most VMMs don't delete memslots after boot (except
+for a handful of special scenarios).
+
+Fixes: eb298605705a ("KVM: x86/mmu: Do not recover dirty-tracked NX Huge Pages")
+Reported-by: Fabio Coatti <fabio.coatti@gmail.com>
+Closes: https://lore.kernel.org/all/CADpTngX9LESCdHVu_2mQkNGena_Ng2CphWNwsRGSMxzDsTjU2A@mail.gmail.com
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230602010137.784664-1-seanjc@google.com
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/mmu/mmu.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/mmu/mmu.c
++++ b/arch/x86/kvm/mmu/mmu.c
+@@ -7011,7 +7011,10 @@ static void kvm_recover_nx_huge_pages(st
+ */
+ slot = NULL;
+ if (atomic_read(&kvm->nr_memslots_dirty_logging)) {
+- slot = gfn_to_memslot(kvm, sp->gfn);
++ struct kvm_memslots *slots;
++
++ slots = kvm_memslots_for_spte_role(kvm, sp->role);
++ slot = __gfn_to_memslot(slots, sp->gfn);
+ WARN_ON_ONCE(!slot);
+ }
+
--- /dev/null
+From 55b47ca7d80814ceb63d64e032e96cd6777811e5 Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Wed, 31 May 2023 12:37:08 -0700
+Subject: mptcp: fix active subflow finalization
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit 55b47ca7d80814ceb63d64e032e96cd6777811e5 upstream.
+
+Active subflow are inserted into the connection list at creation time.
+When the MPJ handshake completes successfully, a new subflow creation
+netlink event is generated correctly, but the current code wrongly
+avoid initializing a couple of subflow data.
+
+The above will cause misbehavior on a few exceptional events: unneeded
+mptcp-level retransmission on msk-level sequence wrap-around and infinite
+mapping fallback even when a MPJ socket is present.
+
+Address the issue factoring out the needed initialization in a new helper
+and invoking the latter from __mptcp_finish_join() time for passive
+subflow and from mptcp_finish_join() for active ones.
+
+Fixes: 0530020a7c8f ("mptcp: track and update contiguous data status")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -812,6 +812,13 @@ void mptcp_data_ready(struct sock *sk, s
+ mptcp_data_unlock(sk);
+ }
+
++static void mptcp_subflow_joined(struct mptcp_sock *msk, struct sock *ssk)
++{
++ mptcp_subflow_ctx(ssk)->map_seq = READ_ONCE(msk->ack_seq);
++ WRITE_ONCE(msk->allow_infinite_fallback, false);
++ mptcp_event(MPTCP_EVENT_SUB_ESTABLISHED, msk, ssk, GFP_ATOMIC);
++}
++
+ static bool __mptcp_finish_join(struct mptcp_sock *msk, struct sock *ssk)
+ {
+ struct sock *sk = (struct sock *)msk;
+@@ -826,6 +833,7 @@ static bool __mptcp_finish_join(struct m
+ mptcp_sock_graft(ssk, sk->sk_socket);
+
+ mptcp_sockopt_sync_locked(msk, ssk);
++ mptcp_subflow_joined(msk, ssk);
+ return true;
+ }
+
+@@ -3457,14 +3465,16 @@ bool mptcp_finish_join(struct sock *ssk)
+ return false;
+ }
+
+- if (!list_empty(&subflow->node))
+- goto out;
++ /* active subflow, already present inside the conn_list */
++ if (!list_empty(&subflow->node)) {
++ mptcp_subflow_joined(msk, ssk);
++ return true;
++ }
+
+ if (!mptcp_pm_allow_new_subflow(msk))
+ goto err_prohibited;
+
+- /* active connections are already on conn_list.
+- * If we can't acquire msk socket lock here, let the release callback
++ /* If we can't acquire msk socket lock here, let the release callback
+ * handle it
+ */
+ mptcp_data_lock(parent);
+@@ -3487,11 +3497,6 @@ err_prohibited:
+ return false;
+ }
+
+- subflow->map_seq = READ_ONCE(msk->ack_seq);
+- WRITE_ONCE(msk->allow_infinite_fallback, false);
+-
+-out:
+- mptcp_event(MPTCP_EVENT_SUB_ESTABLISHED, msk, ssk, GFP_ATOMIC);
+ return true;
+ }
+
--- /dev/null
+From 786fc12457268cc9b555dde6c22ae7300d4b40e1 Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Wed, 31 May 2023 12:37:03 -0700
+Subject: mptcp: fix connect timeout handling
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit 786fc12457268cc9b555dde6c22ae7300d4b40e1 upstream.
+
+Ondrej reported a functional issue WRT timeout handling on connect
+with a nice reproducer.
+
+The problem is that the current mptcp connect waits for both the
+MPTCP socket level timeout, and the first subflow socket timeout.
+The latter is not influenced/touched by the exposed setsockopt().
+
+Overall the above makes the SO_SNDTIMEO a no-op on connect.
+
+Since mptcp_connect is invoked via inet_stream_connect and the
+latter properly handle the MPTCP level timeout, we can address the
+issue making the nested subflow level connect always unblocking.
+
+This also allow simplifying a bit the code, dropping an ugly hack
+to handle the fastopen and custom proto_ops connect.
+
+The issues predates the blamed commit below, but the current resolution
+requires the infrastructure introduced there.
+
+Fixes: 54f1944ed6d2 ("mptcp: factor out mptcp_connect()")
+Reported-by: Ondrej Mosnacek <omosnace@redhat.com>
+Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/399
+Cc: stable@vger.kernel.org
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c | 29 +++++++----------------------
+ net/mptcp/protocol.h | 1 -
+ 2 files changed, 7 insertions(+), 23 deletions(-)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -1671,7 +1671,6 @@ static int mptcp_sendmsg_fastopen(struct
+
+ lock_sock(ssk);
+ msg->msg_flags |= MSG_DONTWAIT;
+- msk->connect_flags = O_NONBLOCK;
+ msk->fastopening = 1;
+ ret = tcp_sendmsg_fastopen(ssk, msg, copied_syn, len, NULL);
+ msk->fastopening = 0;
+@@ -3610,9 +3609,9 @@ static int mptcp_connect(struct sock *sk
+ * acquired the subflow socket lock, too.
+ */
+ if (msk->fastopening)
+- err = __inet_stream_connect(ssock, uaddr, addr_len, msk->connect_flags, 1);
++ err = __inet_stream_connect(ssock, uaddr, addr_len, O_NONBLOCK, 1);
+ else
+- err = inet_stream_connect(ssock, uaddr, addr_len, msk->connect_flags);
++ err = inet_stream_connect(ssock, uaddr, addr_len, O_NONBLOCK);
+ inet_sk(sk)->defer_connect = inet_sk(ssock->sk)->defer_connect;
+
+ /* on successful connect, the msk state will be moved to established by
+@@ -3625,12 +3624,10 @@ static int mptcp_connect(struct sock *sk
+
+ mptcp_copy_inaddrs(sk, ssock->sk);
+
+- /* unblocking connect, mptcp-level inet_stream_connect will error out
+- * without changing the socket state, update it here.
++ /* silence EINPROGRESS and let the caller inet_stream_connect
++ * handle the connection in progress
+ */
+- if (err == -EINPROGRESS)
+- sk->sk_socket->state = ssock->state;
+- return err;
++ return 0;
+ }
+
+ static struct proto mptcp_prot = {
+@@ -3689,18 +3686,6 @@ unlock:
+ return err;
+ }
+
+-static int mptcp_stream_connect(struct socket *sock, struct sockaddr *uaddr,
+- int addr_len, int flags)
+-{
+- int ret;
+-
+- lock_sock(sock->sk);
+- mptcp_sk(sock->sk)->connect_flags = flags;
+- ret = __inet_stream_connect(sock, uaddr, addr_len, flags, 0);
+- release_sock(sock->sk);
+- return ret;
+-}
+-
+ static int mptcp_listen(struct socket *sock, int backlog)
+ {
+ struct mptcp_sock *msk = mptcp_sk(sock->sk);
+@@ -3857,7 +3842,7 @@ static const struct proto_ops mptcp_stre
+ .owner = THIS_MODULE,
+ .release = inet_release,
+ .bind = mptcp_bind,
+- .connect = mptcp_stream_connect,
++ .connect = inet_stream_connect,
+ .socketpair = sock_no_socketpair,
+ .accept = mptcp_stream_accept,
+ .getname = inet_getname,
+@@ -3952,7 +3937,7 @@ static const struct proto_ops mptcp_v6_s
+ .owner = THIS_MODULE,
+ .release = inet6_release,
+ .bind = mptcp_bind,
+- .connect = mptcp_stream_connect,
++ .connect = inet_stream_connect,
+ .socketpair = sock_no_socketpair,
+ .accept = mptcp_stream_accept,
+ .getname = inet6_getname,
+--- a/net/mptcp/protocol.h
++++ b/net/mptcp/protocol.h
+@@ -297,7 +297,6 @@ struct mptcp_sock {
+ nodelay:1,
+ fastopening:1,
+ in_accept_queue:1;
+- int connect_flags;
+ struct work_struct work;
+ struct sk_buff *ooo_last_skb;
+ struct rb_root out_of_order_queue;
--- /dev/null
+From 0ea923f443350c8c5cca6eef5b748d52b903f46c Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 17 Apr 2023 22:56:50 +0200
+Subject: mtdchar: mark bits of ioctl handler noinline
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 0ea923f443350c8c5cca6eef5b748d52b903f46c upstream.
+
+The addition of the mtdchar_read_ioctl() function caused the stack usage
+of mtdchar_ioctl() to grow beyond the warning limit on 32-bit architectures
+with gcc-13:
+
+drivers/mtd/mtdchar.c: In function 'mtdchar_ioctl':
+drivers/mtd/mtdchar.c:1229:1: error: the frame size of 1488 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
+
+Mark both the read and write portions as noinline_for_stack to ensure
+they don't get inlined and use separate stack slots to reduce the
+maximum usage, both in the mtdchar_ioctl() and combined with any
+of its callees.
+
+Fixes: 095bb6e44eb1 ("mtdchar: add MEMREAD ioctl")
+Cc: stable@vger.kernel.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20230417205654.1982368-1-arnd@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/mtdchar.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/mtd/mtdchar.c
++++ b/drivers/mtd/mtdchar.c
+@@ -590,8 +590,8 @@ static void adjust_oob_length(struct mtd
+ (end_page - start_page + 1) * oob_per_page);
+ }
+
+-static int mtdchar_write_ioctl(struct mtd_info *mtd,
+- struct mtd_write_req __user *argp)
++static noinline_for_stack int
++mtdchar_write_ioctl(struct mtd_info *mtd, struct mtd_write_req __user *argp)
+ {
+ struct mtd_info *master = mtd_get_master(mtd);
+ struct mtd_write_req req;
+@@ -688,8 +688,8 @@ static int mtdchar_write_ioctl(struct mt
+ return ret;
+ }
+
+-static int mtdchar_read_ioctl(struct mtd_info *mtd,
+- struct mtd_read_req __user *argp)
++static noinline_for_stack int
++mtdchar_read_ioctl(struct mtd_info *mtd, struct mtd_read_req __user *argp)
+ {
+ struct mtd_info *master = mtd_get_master(mtd);
+ struct mtd_read_req req;
--- /dev/null
+From 719dfd5925e186e09a2a6f23016936ac436f3d78 Mon Sep 17 00:00:00 2001
+From: Maninder Singh <maninder1.s@samsung.com>
+Date: Mon, 29 May 2023 16:43:37 +0530
+Subject: powerpc/xmon: Use KSYM_NAME_LEN in array size
+
+From: Maninder Singh <maninder1.s@samsung.com>
+
+commit 719dfd5925e186e09a2a6f23016936ac436f3d78 upstream.
+
+kallsyms_lookup() which in turn calls kallsyms_lookup_buildid() writes
+to index "KSYM_NAME_LEN - 1".
+
+Thus the array passed as namebuf to kallsyms_lookup() should be
+KSYM_NAME_LEN in size.
+
+In xmon.c the array was defined to be "128" bytes directly, without
+using KSYM_NAME_LEN. Commit b8a94bfb3395 ("kallsyms: increase maximum
+kernel symbol length to 512") changed the value to 512, but missed
+updating the xmon code.
+
+Fixes: b8a94bfb3395 ("kallsyms: increase maximum kernel symbol length to 512")
+Cc: stable@vger.kernel.org # v6.1+
+Co-developed-by: Onkarnath <onkarnath.1@samsung.com>
+Signed-off-by: Onkarnath <onkarnath.1@samsung.com>
+Signed-off-by: Maninder Singh <maninder1.s@samsung.com>
+[mpe: Tweak change log wording and fix commit reference]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20230529111337.352990-2-maninder1.s@samsung.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/xmon/xmon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/xmon/xmon.c
++++ b/arch/powerpc/xmon/xmon.c
+@@ -88,7 +88,7 @@ static unsigned long ndump = 64;
+ static unsigned long nidump = 16;
+ static unsigned long ncsum = 4096;
+ static int termch;
+-static char tmpstr[128];
++static char tmpstr[KSYM_NAME_LEN];
+ static int tracing_enabled;
+
+ static long bus_error_jmp[JMP_BUF_LEN];
--- /dev/null
+From 9a7e8ec0d4cc64870ea449b4fce5779b77496cbb Mon Sep 17 00:00:00 2001
+From: Ism Hong <ism.hong@gmail.com>
+Date: Thu, 1 Jun 2023 17:53:55 +0800
+Subject: riscv: perf: Fix callchain parse error with kernel tracepoint events
+
+From: Ism Hong <ism.hong@gmail.com>
+
+commit 9a7e8ec0d4cc64870ea449b4fce5779b77496cbb upstream.
+
+For RISC-V, when tracing with tracepoint events, the IP and status are
+set to 0, preventing the perf code parsing the callchain and resolving
+the symbols correctly.
+
+ ./ply 'tracepoint:kmem/kmem_cache_alloc { @[stack]=count(); }'
+ @:
+ { <STACKID4294967282> }: 1
+
+The fix is to implement perf_arch_fetch_caller_regs for riscv, which
+fills several necessary registers used for callchain unwinding,
+including epc, sp, s0 and status. It's similar to commit b3eac0265bf6
+("arm: perf: Fix callchain parse error with kernel tracepoint events")
+and commit 5b09a094f2fb ("arm64: perf: Fix callchain parse error with
+kernel tracepoint events").
+
+With this patch, callchain can be parsed correctly as:
+
+ ./ply 'tracepoint:kmem/kmem_cache_alloc { @[stack]=count(); }'
+ @:
+ {
+ __traceiter_kmem_cache_alloc+68
+ __traceiter_kmem_cache_alloc+68
+ kmem_cache_alloc+354
+ __sigqueue_alloc+94
+ __send_signal_locked+646
+ send_signal_locked+154
+ do_send_sig_info+84
+ __kill_pgrp_info+130
+ kill_pgrp+60
+ isig+150
+ n_tty_receive_signal_char+36
+ n_tty_receive_buf_standard+2214
+ n_tty_receive_buf_common+280
+ n_tty_receive_buf2+26
+ tty_ldisc_receive_buf+34
+ tty_port_default_receive_buf+62
+ flush_to_ldisc+158
+ process_one_work+458
+ worker_thread+138
+ kthread+178
+ riscv_cpufeature_patch_func+832
+ }: 1
+
+Signed-off-by: Ism Hong <ism.hong@gmail.com>
+Link: https://lore.kernel.org/r/20230601095355.1168910-1-ism.hong@gmail.com
+Fixes: 178e9fc47aae ("perf: riscv: preliminary RISC-V support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/include/asm/perf_event.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/arch/riscv/include/asm/perf_event.h
++++ b/arch/riscv/include/asm/perf_event.h
+@@ -10,4 +10,11 @@
+
+ #include <linux/perf_event.h>
+ #define perf_arch_bpf_user_pt_regs(regs) (struct user_regs_struct *)regs
++
++#define perf_arch_fetch_caller_regs(regs, __ip) { \
++ (regs)->epc = (__ip); \
++ (regs)->s0 = (unsigned long) __builtin_frame_address(0); \
++ (regs)->sp = current_stack_pointer; \
++ (regs)->status = SR_PP; \
++}
+ #endif /* _ASM_RISCV_PERF_EVENT_H */
--- /dev/null
+From d83013bdf90a7994a474b0e650a7fc94b0d4ded6 Mon Sep 17 00:00:00 2001
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+Date: Sun, 28 May 2023 19:35:27 +0200
+Subject: selftests: mptcp: connect: skip if MPTCP is not supported
+
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+
+commit d83013bdf90a7994a474b0e650a7fc94b0d4ded6 upstream.
+
+Selftests are supposed to run on any kernels, including the old ones not
+supporting MPTCP.
+
+A new check is then added to make sure MPTCP is supported. If not, the
+test stops and is marked as "skipped". Note that this check can also
+mark the test as failed if 'SELFTESTS_MPTCP_LIB_EXPECT_ALL_FEATURES' env
+var is set to 1: by doing that, we can make sure a test is not being
+skipped by mistake.
+
+A new shared file is added here to be able to re-used the same check in
+the different selftests we have.
+
+Link: https://github.com/multipath-tcp/mptcp_net-next/issues/368
+Fixes: 048d19d444be ("mptcp: add basic kselftest for mptcp")
+Cc: stable@vger.kernel.org
+Acked-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/Makefile | 2 -
+ tools/testing/selftests/net/mptcp/mptcp_connect.sh | 4 ++
+ tools/testing/selftests/net/mptcp/mptcp_lib.sh | 40 +++++++++++++++++++++
+ 3 files changed, 45 insertions(+), 1 deletion(-)
+ create mode 100644 tools/testing/selftests/net/mptcp/mptcp_lib.sh
+
+--- a/tools/testing/selftests/net/mptcp/Makefile
++++ b/tools/testing/selftests/net/mptcp/Makefile
+@@ -9,7 +9,7 @@ TEST_PROGS := mptcp_connect.sh pm_netlin
+
+ TEST_GEN_FILES = mptcp_connect pm_nl_ctl mptcp_sockopt mptcp_inq
+
+-TEST_FILES := settings
++TEST_FILES := mptcp_lib.sh settings
+
+ EXTRA_CLEAN := *.pcap
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_connect.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.sh
+@@ -1,6 +1,8 @@
+ #!/bin/bash
+ # SPDX-License-Identifier: GPL-2.0
+
++. "$(dirname "${0}")/mptcp_lib.sh"
++
+ time_start=$(date +%s)
+
+ optstring="S:R:d:e:l:r:h4cm:f:tC"
+@@ -141,6 +143,8 @@ cleanup()
+ done
+ }
+
++mptcp_lib_check_mptcp
++
+ ip -Version > /dev/null 2>&1
+ if [ $? -ne 0 ];then
+ echo "SKIP: Could not run test without ip tool"
+--- /dev/null
++++ b/tools/testing/selftests/net/mptcp/mptcp_lib.sh
+@@ -0,0 +1,40 @@
++#! /bin/bash
++# SPDX-License-Identifier: GPL-2.0
++
++readonly KSFT_FAIL=1
++readonly KSFT_SKIP=4
++
++# SELFTESTS_MPTCP_LIB_EXPECT_ALL_FEATURES env var can be set when validating all
++# features using the last version of the kernel and the selftests to make sure
++# a test is not being skipped by mistake.
++mptcp_lib_expect_all_features() {
++ [ "${SELFTESTS_MPTCP_LIB_EXPECT_ALL_FEATURES:-}" = "1" ]
++}
++
++# $1: msg
++mptcp_lib_fail_if_expected_feature() {
++ if mptcp_lib_expect_all_features; then
++ echo "ERROR: missing feature: ${*}"
++ exit ${KSFT_FAIL}
++ fi
++
++ return 1
++}
++
++# $1: file
++mptcp_lib_has_file() {
++ local f="${1}"
++
++ if [ -f "${f}" ]; then
++ return 0
++ fi
++
++ mptcp_lib_fail_if_expected_feature "${f} file not found"
++}
++
++mptcp_lib_check_mptcp() {
++ if ! mptcp_lib_has_file "/proc/sys/net/mptcp/enabled"; then
++ echo "SKIP: MPTCP support is not available"
++ exit ${KSFT_SKIP}
++ fi
++}
--- /dev/null
+From 46565acdd29facbf418a11e4a3791b3c8967308d Mon Sep 17 00:00:00 2001
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+Date: Sun, 28 May 2023 19:35:30 +0200
+Subject: selftests: mptcp: diag: skip if MPTCP is not supported
+
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+
+commit 46565acdd29facbf418a11e4a3791b3c8967308d upstream.
+
+Selftests are supposed to run on any kernels, including the old ones not
+supporting MPTCP.
+
+A new check is then added to make sure MPTCP is supported. If not, the
+test stops and is marked as "skipped".
+
+Link: https://github.com/multipath-tcp/mptcp_net-next/issues/368
+Fixes: df62f2ec3df6 ("selftests/mptcp: add diag interface tests")
+Cc: stable@vger.kernel.org
+Acked-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/diag.sh | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/tools/testing/selftests/net/mptcp/diag.sh
++++ b/tools/testing/selftests/net/mptcp/diag.sh
+@@ -1,6 +1,8 @@
+ #!/bin/bash
+ # SPDX-License-Identifier: GPL-2.0
+
++. "$(dirname "${0}")/mptcp_lib.sh"
++
+ sec=$(date +%s)
+ rndh=$(printf %x $sec)-$(mktemp -u XXXXXX)
+ ns="ns1-$rndh"
+@@ -31,6 +33,8 @@ cleanup()
+ ip netns del $ns
+ }
+
++mptcp_lib_check_mptcp
++
+ ip -Version > /dev/null 2>&1
+ if [ $? -ne 0 ];then
+ echo "SKIP: Could not run test without ip tool"
--- /dev/null
+From d328fe87067480cf2bd0b58dab428a98d31dbb7e Mon Sep 17 00:00:00 2001
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+Date: Sun, 28 May 2023 19:35:26 +0200
+Subject: selftests: mptcp: join: avoid using 'cmp --bytes'
+
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+
+commit d328fe87067480cf2bd0b58dab428a98d31dbb7e upstream.
+
+BusyBox's 'cmp' command doesn't support the '--bytes' parameter.
+
+Some CIs -- i.e. LKFT -- use BusyBox and have the mptcp_join.sh test
+failing [1] because their 'cmp' command doesn't support this '--bytes'
+option:
+
+ cmp: unrecognized option '--bytes=1024'
+ BusyBox v1.35.0 () multi-call binary.
+
+ Usage: cmp [-ls] [-n NUM] FILE1 [FILE2]
+
+Instead, 'head --bytes' can be used as this option is supported by
+BusyBox. A temporary file is needed for this operation.
+
+Because it is apparently quite common to use BusyBox, it is certainly
+better to backport this fix to impacted kernels.
+
+Fixes: 6bf41020b72b ("selftests: mptcp: update and extend fastclose test-cases")
+Cc: stable@vger.kernel.org
+Link: https://qa-reports.linaro.org/lkft/linux-mainline-master/build/v6.3-rc5-5-g148341f0a2f5/testrun/16088933/suite/kselftest-net-mptcp/test/net_mptcp_userspace_pm_sh/log [1]
+Suggested-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_join.sh | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
+@@ -15,6 +15,7 @@ sout=""
+ cin=""
+ cinfail=""
+ cinsent=""
++tmpfile=""
+ cout=""
+ capout=""
+ ns1=""
+@@ -175,6 +176,7 @@ cleanup()
+ {
+ rm -f "$cin" "$cout" "$sinfail"
+ rm -f "$sin" "$sout" "$cinsent" "$cinfail"
++ rm -f "$tmpfile"
+ rm -rf $evts_ns1 $evts_ns2
+ cleanup_partial
+ }
+@@ -382,9 +384,16 @@ check_transfer()
+ fail_test
+ return 1
+ fi
+- bytes="--bytes=${bytes}"
++
++ # note: BusyBox's "cmp" command doesn't support --bytes
++ tmpfile=$(mktemp)
++ head --bytes="$bytes" "$in" > "$tmpfile"
++ mv "$tmpfile" "$in"
++ head --bytes="$bytes" "$out" > "$tmpfile"
++ mv "$tmpfile" "$out"
++ tmpfile=""
+ fi
+- cmp -l "$in" "$out" ${bytes} | while read -r i a b; do
++ cmp -l "$in" "$out" | while read -r i a b; do
+ local sum=$((0${a} + 0${b}))
+ if [ $check_invert -eq 0 ] || [ $sum -ne $((0xff)) ]; then
+ echo "[ FAIL ] $what does not match (in, out):"
--- /dev/null
+From 715c78a82e00f848f99ef76e6f6b89216ccba268 Mon Sep 17 00:00:00 2001
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+Date: Sun, 28 May 2023 19:35:29 +0200
+Subject: selftests: mptcp: join: skip if MPTCP is not supported
+
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+
+commit 715c78a82e00f848f99ef76e6f6b89216ccba268 upstream.
+
+Selftests are supposed to run on any kernels, including the old ones not
+supporting MPTCP.
+
+A new check is then added to make sure MPTCP is supported. If not, the
+test stops and is marked as "skipped".
+
+Link: https://github.com/multipath-tcp/mptcp_net-next/issues/368
+Fixes: b08fbf241064 ("selftests: add test-cases for MPTCP MP_JOIN")
+Cc: stable@vger.kernel.org
+Acked-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_join.sh | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
+@@ -6,6 +6,8 @@
+ # address all other issues detected by shellcheck.
+ #shellcheck disable=SC2086
+
++. "$(dirname "${0}")/mptcp_lib.sh"
++
+ ret=0
+ sin=""
+ sinfail=""
+@@ -132,6 +134,8 @@ cleanup_partial()
+
+ check_tools()
+ {
++ mptcp_lib_check_mptcp
++
+ if ! ip -Version &> /dev/null; then
+ echo "SKIP: Could not run test without ip tool"
+ exit $ksft_skip
--- /dev/null
+From 0f4955a40dafe18a1122e3714d8173e4b018e869 Mon Sep 17 00:00:00 2001
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+Date: Sun, 28 May 2023 19:35:28 +0200
+Subject: selftests: mptcp: pm nl: skip if MPTCP is not supported
+
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+
+commit 0f4955a40dafe18a1122e3714d8173e4b018e869 upstream.
+
+Selftests are supposed to run on any kernels, including the old ones not
+supporting MPTCP.
+
+A new check is then added to make sure MPTCP is supported. If not, the
+test stops and is marked as "skipped".
+
+Link: https://github.com/multipath-tcp/mptcp_net-next/issues/368
+Fixes: eedbc685321b ("selftests: add PM netlink functional tests")
+Cc: stable@vger.kernel.org
+Acked-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/pm_netlink.sh | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/tools/testing/selftests/net/mptcp/pm_netlink.sh
++++ b/tools/testing/selftests/net/mptcp/pm_netlink.sh
+@@ -1,6 +1,8 @@
+ #!/bin/bash
+ # SPDX-License-Identifier: GPL-2.0
+
++. "$(dirname "${0}")/mptcp_lib.sh"
++
+ ksft_skip=4
+ ret=0
+
+@@ -34,6 +36,8 @@ cleanup()
+ ip netns del $ns1
+ }
+
++mptcp_lib_check_mptcp
++
+ ip -Version > /dev/null 2>&1
+ if [ $? -ne 0 ];then
+ echo "SKIP: Could not run test without ip tool"
--- /dev/null
+From 9161f21c74a1a0e7bb39eb84ea0c86b23c92fc87 Mon Sep 17 00:00:00 2001
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+Date: Sun, 28 May 2023 19:35:31 +0200
+Subject: selftests: mptcp: simult flows: skip if MPTCP is not supported
+
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+
+commit 9161f21c74a1a0e7bb39eb84ea0c86b23c92fc87 upstream.
+
+Selftests are supposed to run on any kernels, including the old ones not
+supporting MPTCP.
+
+A new check is then added to make sure MPTCP is supported. If not, the
+test stops and is marked as "skipped".
+
+Link: https://github.com/multipath-tcp/mptcp_net-next/issues/368
+Fixes: 1a418cb8e888 ("mptcp: simult flow self-tests")
+Cc: stable@vger.kernel.org
+Acked-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/simult_flows.sh | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/tools/testing/selftests/net/mptcp/simult_flows.sh
++++ b/tools/testing/selftests/net/mptcp/simult_flows.sh
+@@ -1,6 +1,8 @@
+ #!/bin/bash
+ # SPDX-License-Identifier: GPL-2.0
+
++. "$(dirname "${0}")/mptcp_lib.sh"
++
+ sec=$(date +%s)
+ rndh=$(printf %x $sec)-$(mktemp -u XXXXXX)
+ ns1="ns1-$rndh"
+@@ -34,6 +36,8 @@ cleanup()
+ done
+ }
+
++mptcp_lib_check_mptcp
++
+ ip -Version > /dev/null 2>&1
+ if [ $? -ne 0 ];then
+ echo "SKIP: Could not run test without ip tool"
--- /dev/null
+From cf6f0fda7af7e8e016070bfee6b189e671a0c776 Mon Sep 17 00:00:00 2001
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+Date: Sun, 28 May 2023 19:35:32 +0200
+Subject: selftests: mptcp: sockopt: skip if MPTCP is not supported
+
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+
+commit cf6f0fda7af7e8e016070bfee6b189e671a0c776 upstream.
+
+Selftests are supposed to run on any kernels, including the old ones not
+supporting MPTCP.
+
+A new check is then added to make sure MPTCP is supported. If not, the
+test stops and is marked as "skipped".
+
+Link: https://github.com/multipath-tcp/mptcp_net-next/issues/368
+Fixes: dc65fe82fb07 ("selftests: mptcp: add packet mark test case")
+Cc: stable@vger.kernel.org
+Acked-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_sockopt.sh | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_sockopt.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_sockopt.sh
+@@ -1,6 +1,8 @@
+ #!/bin/bash
+ # SPDX-License-Identifier: GPL-2.0
+
++. "$(dirname "${0}")/mptcp_lib.sh"
++
+ ret=0
+ sin=""
+ sout=""
+@@ -84,6 +86,8 @@ cleanup()
+ rm -f "$sin" "$sout"
+ }
+
++mptcp_lib_check_mptcp
++
+ ip -Version > /dev/null 2>&1
+ if [ $? -ne 0 ];then
+ echo "SKIP: Could not run test without ip tool"
--- /dev/null
+From 63212608a92a1ff10ae56dbb14e9fb685f7e4ffa Mon Sep 17 00:00:00 2001
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+Date: Sun, 28 May 2023 19:35:33 +0200
+Subject: selftests: mptcp: userspace pm: skip if MPTCP is not supported
+
+From: Matthieu Baerts <matthieu.baerts@tessares.net>
+
+commit 63212608a92a1ff10ae56dbb14e9fb685f7e4ffa upstream.
+
+Selftests are supposed to run on any kernels, including the old ones not
+supporting MPTCP.
+
+A new check is then added to make sure MPTCP is supported. If not, the
+test stops and is marked as "skipped".
+
+Link: https://github.com/multipath-tcp/mptcp_net-next/issues/368
+Fixes: 259a834fadda ("selftests: mptcp: functional tests for the userspace PM type")
+Cc: stable@vger.kernel.org
+Acked-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/userspace_pm.sh | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/tools/testing/selftests/net/mptcp/userspace_pm.sh
++++ b/tools/testing/selftests/net/mptcp/userspace_pm.sh
+@@ -1,6 +1,10 @@
+ #!/bin/bash
+ # SPDX-License-Identifier: GPL-2.0
+
++. "$(dirname "${0}")/mptcp_lib.sh"
++
++mptcp_lib_check_mptcp
++
+ ip -Version > /dev/null 2>&1
+ if [ $? -ne 0 ];then
+ echo "SKIP: Cannot not run test without ip tool"
--- /dev/null
+From 42c4e97e06a839b07d834f640a10911ad84ec8b3 Mon Sep 17 00:00:00 2001
+From: Paul Moore <paul@paul-moore.com>
+Date: Thu, 1 Jun 2023 10:21:21 -0400
+Subject: selinux: don't use make's grouped targets feature yet
+
+From: Paul Moore <paul@paul-moore.com>
+
+commit 42c4e97e06a839b07d834f640a10911ad84ec8b3 upstream.
+
+The Linux Kernel currently only requires make v3.82 while the grouped
+target functionality requires make v4.3. Removed the grouped target
+introduced in 4ce1f694eb5d ("selinux: ensure av_permissions.h is
+built when needed") as well as the multiple header file targets in
+the make rule. This effectively reverts the problem commit.
+
+We will revisit this change when make >= 4.3 is required by the rest
+of the kernel.
+
+Cc: stable@vger.kernel.org
+Fixes: 4ce1f694eb5d ("selinux: ensure av_permissions.h is built when needed")
+Reported-by: Erwan Velu <e.velu@criteo.com>
+Reported-by: Luiz Capitulino <luizcap@amazon.com>
+Tested-by: Luiz Capitulino <luizcap@amazon.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/selinux/Makefile | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/security/selinux/Makefile
++++ b/security/selinux/Makefile
+@@ -26,5 +26,9 @@ quiet_cmd_flask = GEN $(obj)/flask.h
+ cmd_flask = $< $(obj)/flask.h $(obj)/av_permissions.h
+
+ targets += flask.h av_permissions.h
+-$(obj)/flask.h $(obj)/av_permissions.h &: scripts/selinux/genheaders/genheaders FORCE
++# once make >= 4.3 is required, we can use grouped targets in the rule below,
++# which basically involves adding both headers and a '&' before the colon, see
++# the example below:
++# $(obj)/flask.h $(obj)/av_permissions.h &: scripts/selinux/...
++$(obj)/flask.h: scripts/selinux/genheaders/genheaders FORCE
+ $(call if_changed,flask)
--- /dev/null
+From 134f49dec0b6aca3259cd8259de4c572048bd207 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sun, 14 May 2023 13:25:42 +0200
+Subject: serial: 8250_tegra: Fix an error handling path in tegra_uart_probe()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit 134f49dec0b6aca3259cd8259de4c572048bd207 upstream.
+
+If an error occurs after reset_control_deassert(), it must be re-asserted,
+as already done in the .remove() function.
+
+Fixes: c6825c6395b7 ("serial: 8250_tegra: Create Tegra specific 8250 driver")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/f8130f35339cc80edc6b9aac4bb2a60b60a226bf.1684063511.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250_tegra.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/8250/8250_tegra.c
++++ b/drivers/tty/serial/8250/8250_tegra.c
+@@ -112,13 +112,15 @@ static int tegra_uart_probe(struct platf
+
+ ret = serial8250_register_8250_port(&port8250);
+ if (ret < 0)
+- goto err_clkdisable;
++ goto err_ctrl_assert;
+
+ platform_set_drvdata(pdev, uart);
+ uart->line = ret;
+
+ return 0;
+
++err_ctrl_assert:
++ reset_control_assert(uart->rst);
+ err_clkdisable:
+ clk_disable_unprepare(uart->clk);
+
--- /dev/null
+From 7183c37fd53eee1e795206e625da12a5d7ec1e1a Mon Sep 17 00:00:00 2001
+From: Herve Codina <herve.codina@bootlin.com>
+Date: Tue, 23 May 2023 10:59:02 +0200
+Subject: serial: cpm_uart: Fix a COMPILE_TEST dependency
+
+From: Herve Codina <herve.codina@bootlin.com>
+
+commit 7183c37fd53eee1e795206e625da12a5d7ec1e1a upstream.
+
+In a COMPILE_TEST configuration, the cpm_uart driver uses symbols from
+the cpm_uart_cpm2.c file. This file is compiled only when CONFIG_CPM2 is
+set.
+
+Without this dependency, the linker fails with some missing symbols for
+COMPILE_TEST configuration that needs SERIAL_CPM without enabling CPM2.
+
+This lead to:
+ depends on CPM2 || CPM1 || (PPC32 && CPM2 && COMPILE_TEST)
+
+This dependency does not make sense anymore and can be simplified
+removing all the COMPILE_TEST part.
+
+Signed-off-by: Herve Codina <herve.codina@bootlin.com>
+Reported-by: kernel test robot <lkp@intel.com>
+Link: https://lore.kernel.org/oe-kbuild-all/202305160221.9XgweObz-lkp@intel.com/
+Fixes: e3e7b13bffae ("serial: allow COMPILE_TEST for some drivers")
+Cc: stable <stable@kernel.org>
+Link: https://lore.kernel.org/r/20230523085902.75837-3-herve.codina@bootlin.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/Kconfig | 2 +-
+ drivers/tty/serial/cpm_uart/cpm_uart.h | 2 --
+ 2 files changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/tty/serial/Kconfig
++++ b/drivers/tty/serial/Kconfig
+@@ -769,7 +769,7 @@ config SERIAL_PMACZILOG_CONSOLE
+
+ config SERIAL_CPM
+ tristate "CPM SCC/SMC serial port support"
+- depends on CPM2 || CPM1 || (PPC32 && COMPILE_TEST)
++ depends on CPM2 || CPM1
+ select SERIAL_CORE
+ help
+ This driver supports the SCC and SMC serial ports on Motorola
+--- a/drivers/tty/serial/cpm_uart/cpm_uart.h
++++ b/drivers/tty/serial/cpm_uart/cpm_uart.h
+@@ -19,8 +19,6 @@ struct gpio_desc;
+ #include "cpm_uart_cpm2.h"
+ #elif defined(CONFIG_CPM1)
+ #include "cpm_uart_cpm1.h"
+-#elif defined(CONFIG_COMPILE_TEST)
+-#include "cpm_uart_cpm2.h"
+ #endif
+
+ #define SERIAL_CPM_MAJOR 204
misc-fastrpc-pass-proper-scm-arguments-for-secure-ma.patch
btrfs-call-btrfs_orig_bbio_end_io-in-btrfs_end_bio_w.patch
hid-hidpp-terminate-retry-loop-on-success.patch
+dmaengine-at_hdmac-repair-bitfield-macros-for-peripheral-id-handling.patch
+dmaengine-at_hdmac-extend-the-flow-controller-bitfield-to-three-bits.patch
+riscv-perf-fix-callchain-parse-error-with-kernel-tracepoint-events.patch
+io_uring-undeprecate-epoll_ctl-support.patch
+selinux-don-t-use-make-s-grouped-targets-feature-yet.patch
+mtdchar-mark-bits-of-ioctl-handler-noinline.patch
+tracing-timerlat-always-wakeup-the-timerlat-thread.patch
+tracing-histograms-allow-variables-to-have-some-modifiers.patch
+tracing-probe-trace_probe_primary_from_call-checked-list_first_entry.patch
+selftests-mptcp-connect-skip-if-mptcp-is-not-supported.patch
+selftests-mptcp-pm-nl-skip-if-mptcp-is-not-supported.patch
+selftests-mptcp-join-skip-if-mptcp-is-not-supported.patch
+selftests-mptcp-join-avoid-using-cmp-bytes.patch
+selftests-mptcp-diag-skip-if-mptcp-is-not-supported.patch
+selftests-mptcp-simult-flows-skip-if-mptcp-is-not-supported.patch
+selftests-mptcp-sockopt-skip-if-mptcp-is-not-supported.patch
+selftests-mptcp-userspace-pm-skip-if-mptcp-is-not-supported.patch
+mptcp-fix-connect-timeout-handling.patch
+mptcp-fix-active-subflow-finalization.patch
+ext4-add-ea_inode-checking-to-ext4_iget.patch
+ext4-set-lockdep-subclass-for-the-ea_inode-in-ext4_xattr_inode_cache_find.patch
+ext4-disallow-ea_inodes-with-extended-attributes.patch
+ext4-add-lockdep-annotations-for-i_data_sem-for-ea_inode-s.patch
+fbcon-fix-null-ptr-deref-in-soft_cursor.patch
+serial-8250_tegra-fix-an-error-handling-path-in-tegra_uart_probe.patch
+serial-cpm_uart-fix-a-compile_test-dependency.patch
+powerpc-xmon-use-ksym_name_len-in-array-size.patch
+test_firmware-prevent-race-conditions-by-a-correct-implementation-of-locking.patch
+test_firmware-fix-a-memory-leak-with-reqs-buffer.patch
+test_firmware-fix-the-memory-leak-of-the-allocated-firmware-buffer.patch
+kvm-arm64-populate-fault-info-for-watchpoint.patch
+kvm-arm64-drop-last-page-ref-in-kvm_pgtable_stage2_free_removed.patch
+kvm-x86-mmu-grab-memslot-for-correct-address-space-in-nx-recovery-worker.patch
+kvm-x86-account-fastpath-only-vm-exits-in-vcpu-stats.patch
+kvm-x86-bail-from-kvm_recalculate_phys_map-if-x2apic-id-is-out-of-bounds.patch
+ksmbd-fix-credit-count-leakage.patch
+ksmbd-fix-uaf-issue-from-opinfo-conn.patch
+ksmbd-fix-incorrect-allocationsize-set-in-smb2_get_info.patch
+ksmbd-fix-slab-out-of-bounds-read-in-smb2_handle_negotiate.patch
+ksmbd-fix-multiple-out-of-bounds-read-during-context-decoding.patch
--- /dev/null
+From be37bed754ed90b2655382f93f9724b3c1aae847 Mon Sep 17 00:00:00 2001
+From: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+Date: Tue, 9 May 2023 10:47:47 +0200
+Subject: test_firmware: fix a memory leak with reqs buffer
+
+From: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+
+commit be37bed754ed90b2655382f93f9724b3c1aae847 upstream.
+
+Dan Carpenter spotted that test_fw_config->reqs will be leaked if
+trigger_batched_requests_store() is called two or more times.
+The same appears with trigger_batched_requests_async_store().
+
+This bug wasn't trigger by the tests, but observed by Dan's visual
+inspection of the code.
+
+The recommended workaround was to return -EBUSY if test_fw_config->reqs
+is already allocated.
+
+Fixes: 7feebfa487b92 ("test_firmware: add support for request_firmware_into_buf")
+Cc: Luis Chamberlain <mcgrof@kernel.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Russ Weight <russell.h.weight@intel.com>
+Cc: Tianfei Zhang <tianfei.zhang@intel.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Colin Ian King <colin.i.king@gmail.com>
+Cc: Randy Dunlap <rdunlap@infradead.org>
+Cc: linux-kselftest@vger.kernel.org
+Cc: stable@vger.kernel.org # v5.4
+Suggested-by: Dan Carpenter <error27@gmail.com>
+Suggested-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Acked-by: Luis Chamberlain <mcgrof@kernel.org>
+Link: https://lore.kernel.org/r/20230509084746.48259-2-mirsad.todorovac@alu.unizg.hr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/test_firmware.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/lib/test_firmware.c
++++ b/lib/test_firmware.c
+@@ -913,6 +913,11 @@ static ssize_t trigger_batched_requests_
+
+ mutex_lock(&test_fw_mutex);
+
++ if (test_fw_config->reqs) {
++ rc = -EBUSY;
++ goto out_bail;
++ }
++
+ test_fw_config->reqs =
+ vzalloc(array3_size(sizeof(struct test_batched_req),
+ test_fw_config->num_requests, 2));
+@@ -1011,6 +1016,11 @@ ssize_t trigger_batched_requests_async_s
+
+ mutex_lock(&test_fw_mutex);
+
++ if (test_fw_config->reqs) {
++ rc = -EBUSY;
++ goto out_bail;
++ }
++
+ test_fw_config->reqs =
+ vzalloc(array3_size(sizeof(struct test_batched_req),
+ test_fw_config->num_requests, 2));
--- /dev/null
+From 48e156023059e57a8fc68b498439832f7600ffff Mon Sep 17 00:00:00 2001
+From: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+Date: Tue, 9 May 2023 10:47:49 +0200
+Subject: test_firmware: fix the memory leak of the allocated firmware buffer
+
+From: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+
+commit 48e156023059e57a8fc68b498439832f7600ffff upstream.
+
+The following kernel memory leak was noticed after running
+tools/testing/selftests/firmware/fw_run_tests.sh:
+
+[root@pc-mtodorov firmware]# cat /sys/kernel/debug/kmemleak
+.
+.
+.
+unreferenced object 0xffff955389bc3400 (size 1024):
+ comm "test_firmware-0", pid 5451, jiffies 4294944822 (age 65.652s)
+ hex dump (first 32 bytes):
+ 47 48 34 35 36 37 0a 00 00 00 00 00 00 00 00 00 GH4567..........
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff962f5dec>] slab_post_alloc_hook+0x8c/0x3c0
+ [<ffffffff962fcca4>] __kmem_cache_alloc_node+0x184/0x240
+ [<ffffffff962704de>] kmalloc_trace+0x2e/0xc0
+ [<ffffffff9665b42d>] test_fw_run_batch_request+0x9d/0x180
+ [<ffffffff95fd813b>] kthread+0x10b/0x140
+ [<ffffffff95e033e9>] ret_from_fork+0x29/0x50
+unreferenced object 0xffff9553c334b400 (size 1024):
+ comm "test_firmware-1", pid 5452, jiffies 4294944822 (age 65.652s)
+ hex dump (first 32 bytes):
+ 47 48 34 35 36 37 0a 00 00 00 00 00 00 00 00 00 GH4567..........
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff962f5dec>] slab_post_alloc_hook+0x8c/0x3c0
+ [<ffffffff962fcca4>] __kmem_cache_alloc_node+0x184/0x240
+ [<ffffffff962704de>] kmalloc_trace+0x2e/0xc0
+ [<ffffffff9665b42d>] test_fw_run_batch_request+0x9d/0x180
+ [<ffffffff95fd813b>] kthread+0x10b/0x140
+ [<ffffffff95e033e9>] ret_from_fork+0x29/0x50
+unreferenced object 0xffff9553c334f000 (size 1024):
+ comm "test_firmware-2", pid 5453, jiffies 4294944822 (age 65.652s)
+ hex dump (first 32 bytes):
+ 47 48 34 35 36 37 0a 00 00 00 00 00 00 00 00 00 GH4567..........
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff962f5dec>] slab_post_alloc_hook+0x8c/0x3c0
+ [<ffffffff962fcca4>] __kmem_cache_alloc_node+0x184/0x240
+ [<ffffffff962704de>] kmalloc_trace+0x2e/0xc0
+ [<ffffffff9665b42d>] test_fw_run_batch_request+0x9d/0x180
+ [<ffffffff95fd813b>] kthread+0x10b/0x140
+ [<ffffffff95e033e9>] ret_from_fork+0x29/0x50
+unreferenced object 0xffff9553c3348400 (size 1024):
+ comm "test_firmware-3", pid 5454, jiffies 4294944822 (age 65.652s)
+ hex dump (first 32 bytes):
+ 47 48 34 35 36 37 0a 00 00 00 00 00 00 00 00 00 GH4567..........
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff962f5dec>] slab_post_alloc_hook+0x8c/0x3c0
+ [<ffffffff962fcca4>] __kmem_cache_alloc_node+0x184/0x240
+ [<ffffffff962704de>] kmalloc_trace+0x2e/0xc0
+ [<ffffffff9665b42d>] test_fw_run_batch_request+0x9d/0x180
+ [<ffffffff95fd813b>] kthread+0x10b/0x140
+ [<ffffffff95e033e9>] ret_from_fork+0x29/0x50
+[root@pc-mtodorov firmware]#
+
+Note that the size 1024 corresponds to the size of the test firmware
+buffer. The actual number of the buffers leaked is around 70-110,
+depending on the test run.
+
+The cause of the leak is the following:
+
+request_partial_firmware_into_buf() and request_firmware_into_buf()
+provided firmware buffer isn't released on release_firmware(), we
+have allocated it and we are responsible for deallocating it manually.
+This is introduced in a number of context where previously only
+release_firmware() was called, which was insufficient.
+
+Reported-by: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+Fixes: 7feebfa487b92 ("test_firmware: add support for request_firmware_into_buf")
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Dan Carpenter <error27@gmail.com>
+Cc: Takashi Iwai <tiwai@suse.de>
+Cc: Luis Chamberlain <mcgrof@kernel.org>
+Cc: Russ Weight <russell.h.weight@intel.com>
+Cc: Tianfei zhang <tianfei.zhang@intel.com>
+Cc: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Cc: Zhengchao Shao <shaozhengchao@huawei.com>
+Cc: Colin Ian King <colin.i.king@gmail.com>
+Cc: linux-kernel@vger.kernel.org
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Scott Branden <sbranden@broadcom.com>
+Cc: Luis R. Rodriguez <mcgrof@kernel.org>
+Cc: linux-kselftest@vger.kernel.org
+Cc: stable@vger.kernel.org # v5.4
+Signed-off-by: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+Link: https://lore.kernel.org/r/20230509084746.48259-3-mirsad.todorovac@alu.unizg.hr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/test_firmware.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+--- a/lib/test_firmware.c
++++ b/lib/test_firmware.c
+@@ -45,6 +45,7 @@ struct test_batched_req {
+ bool sent;
+ const struct firmware *fw;
+ const char *name;
++ const char *fw_buf;
+ struct completion completion;
+ struct task_struct *task;
+ struct device *dev;
+@@ -175,8 +176,14 @@ static void __test_release_all_firmware(
+
+ for (i = 0; i < test_fw_config->num_requests; i++) {
+ req = &test_fw_config->reqs[i];
+- if (req->fw)
++ if (req->fw) {
++ if (req->fw_buf) {
++ kfree_const(req->fw_buf);
++ req->fw_buf = NULL;
++ }
+ release_firmware(req->fw);
++ req->fw = NULL;
++ }
+ }
+
+ vfree(test_fw_config->reqs);
+@@ -670,6 +677,8 @@ static ssize_t trigger_request_store(str
+
+ mutex_lock(&test_fw_mutex);
+ release_firmware(test_firmware);
++ if (test_fw_config->reqs)
++ __test_release_all_firmware();
+ test_firmware = NULL;
+ rc = request_firmware(&test_firmware, name, dev);
+ if (rc) {
+@@ -770,6 +779,8 @@ static ssize_t trigger_async_request_sto
+ mutex_lock(&test_fw_mutex);
+ release_firmware(test_firmware);
+ test_firmware = NULL;
++ if (test_fw_config->reqs)
++ __test_release_all_firmware();
+ rc = request_firmware_nowait(THIS_MODULE, 1, name, dev, GFP_KERNEL,
+ NULL, trigger_async_request_cb);
+ if (rc) {
+@@ -812,6 +823,8 @@ static ssize_t trigger_custom_fallback_s
+
+ mutex_lock(&test_fw_mutex);
+ release_firmware(test_firmware);
++ if (test_fw_config->reqs)
++ __test_release_all_firmware();
+ test_firmware = NULL;
+ rc = request_firmware_nowait(THIS_MODULE, FW_ACTION_NOUEVENT, name,
+ dev, GFP_KERNEL, NULL,
+@@ -874,6 +887,8 @@ static int test_fw_run_batch_request(voi
+ test_fw_config->buf_size);
+ if (!req->fw)
+ kfree(test_buf);
++ else
++ req->fw_buf = test_buf;
+ } else {
+ req->rc = test_fw_config->req_firmware(&req->fw,
+ req->name,
+@@ -934,6 +949,7 @@ static ssize_t trigger_batched_requests_
+ req->fw = NULL;
+ req->idx = i;
+ req->name = test_fw_config->name;
++ req->fw_buf = NULL;
+ req->dev = dev;
+ init_completion(&req->completion);
+ req->task = kthread_run(test_fw_run_batch_request, req,
+@@ -1038,6 +1054,7 @@ ssize_t trigger_batched_requests_async_s
+ for (i = 0; i < test_fw_config->num_requests; i++) {
+ req = &test_fw_config->reqs[i];
+ req->name = test_fw_config->name;
++ req->fw_buf = NULL;
+ req->fw = NULL;
+ req->idx = i;
+ init_completion(&req->completion);
--- /dev/null
+From 4acfe3dfde685a5a9eaec5555351918e2d7266a1 Mon Sep 17 00:00:00 2001
+From: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+Date: Tue, 9 May 2023 10:47:45 +0200
+Subject: test_firmware: prevent race conditions by a correct implementation of locking
+
+From: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+
+commit 4acfe3dfde685a5a9eaec5555351918e2d7266a1 upstream.
+
+Dan Carpenter spotted a race condition in a couple of situations like
+these in the test_firmware driver:
+
+static int test_dev_config_update_u8(const char *buf, size_t size, u8 *cfg)
+{
+ u8 val;
+ int ret;
+
+ ret = kstrtou8(buf, 10, &val);
+ if (ret)
+ return ret;
+
+ mutex_lock(&test_fw_mutex);
+ *(u8 *)cfg = val;
+ mutex_unlock(&test_fw_mutex);
+
+ /* Always return full write size even if we didn't consume all */
+ return size;
+}
+
+static ssize_t config_num_requests_store(struct device *dev,
+ struct device_attribute *attr,
+ const char *buf, size_t count)
+{
+ int rc;
+
+ mutex_lock(&test_fw_mutex);
+ if (test_fw_config->reqs) {
+ pr_err("Must call release_all_firmware prior to changing config\n");
+ rc = -EINVAL;
+ mutex_unlock(&test_fw_mutex);
+ goto out;
+ }
+ mutex_unlock(&test_fw_mutex);
+
+ rc = test_dev_config_update_u8(buf, count,
+ &test_fw_config->num_requests);
+
+out:
+ return rc;
+}
+
+static ssize_t config_read_fw_idx_store(struct device *dev,
+ struct device_attribute *attr,
+ const char *buf, size_t count)
+{
+ return test_dev_config_update_u8(buf, count,
+ &test_fw_config->read_fw_idx);
+}
+
+The function test_dev_config_update_u8() is called from both the locked
+and the unlocked context, function config_num_requests_store() and
+config_read_fw_idx_store() which can both be called asynchronously as
+they are driver's methods, while test_dev_config_update_u8() and siblings
+change their argument pointed to by u8 *cfg or similar pointer.
+
+To avoid deadlock on test_fw_mutex, the lock is dropped before calling
+test_dev_config_update_u8() and re-acquired within test_dev_config_update_u8()
+itself, but alas this creates a race condition.
+
+Having two locks wouldn't assure a race-proof mutual exclusion.
+
+This situation is best avoided by the introduction of a new, unlocked
+function __test_dev_config_update_u8() which can be called from the locked
+context and reducing test_dev_config_update_u8() to:
+
+static int test_dev_config_update_u8(const char *buf, size_t size, u8 *cfg)
+{
+ int ret;
+
+ mutex_lock(&test_fw_mutex);
+ ret = __test_dev_config_update_u8(buf, size, cfg);
+ mutex_unlock(&test_fw_mutex);
+
+ return ret;
+}
+
+doing the locking and calling the unlocked primitive, which enables both
+locked and unlocked versions without duplication of code.
+
+The similar approach was applied to all functions called from the locked
+and the unlocked context, which safely mitigates both deadlocks and race
+conditions in the driver.
+
+__test_dev_config_update_bool(), __test_dev_config_update_u8() and
+__test_dev_config_update_size_t() unlocked versions of the functions
+were introduced to be called from the locked contexts as a workaround
+without releasing the main driver's lock and thereof causing a race
+condition.
+
+The test_dev_config_update_bool(), test_dev_config_update_u8() and
+test_dev_config_update_size_t() locked versions of the functions
+are being called from driver methods without the unnecessary multiplying
+of the locking and unlocking code for each method, and complicating
+the code with saving of the return value across lock.
+
+Fixes: 7feebfa487b92 ("test_firmware: add support for request_firmware_into_buf")
+Cc: Luis Chamberlain <mcgrof@kernel.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Russ Weight <russell.h.weight@intel.com>
+Cc: Takashi Iwai <tiwai@suse.de>
+Cc: Tianfei Zhang <tianfei.zhang@intel.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Colin Ian King <colin.i.king@gmail.com>
+Cc: Randy Dunlap <rdunlap@infradead.org>
+Cc: linux-kselftest@vger.kernel.org
+Cc: stable@vger.kernel.org # v5.4
+Suggested-by: Dan Carpenter <error27@gmail.com>
+Signed-off-by: Mirsad Goran Todorovac <mirsad.todorovac@alu.unizg.hr>
+Link: https://lore.kernel.org/r/20230509084746.48259-1-mirsad.todorovac@alu.unizg.hr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/test_firmware.c | 52 +++++++++++++++++++++++++++++++++++-----------------
+ 1 file changed, 35 insertions(+), 17 deletions(-)
+
+--- a/lib/test_firmware.c
++++ b/lib/test_firmware.c
+@@ -353,16 +353,26 @@ static ssize_t config_test_show_str(char
+ return len;
+ }
+
+-static int test_dev_config_update_bool(const char *buf, size_t size,
++static inline int __test_dev_config_update_bool(const char *buf, size_t size,
+ bool *cfg)
+ {
+ int ret;
+
+- mutex_lock(&test_fw_mutex);
+ if (kstrtobool(buf, cfg) < 0)
+ ret = -EINVAL;
+ else
+ ret = size;
++
++ return ret;
++}
++
++static int test_dev_config_update_bool(const char *buf, size_t size,
++ bool *cfg)
++{
++ int ret;
++
++ mutex_lock(&test_fw_mutex);
++ ret = __test_dev_config_update_bool(buf, size, cfg);
+ mutex_unlock(&test_fw_mutex);
+
+ return ret;
+@@ -373,7 +383,8 @@ static ssize_t test_dev_config_show_bool
+ return snprintf(buf, PAGE_SIZE, "%d\n", val);
+ }
+
+-static int test_dev_config_update_size_t(const char *buf,
++static int __test_dev_config_update_size_t(
++ const char *buf,
+ size_t size,
+ size_t *cfg)
+ {
+@@ -384,9 +395,7 @@ static int test_dev_config_update_size_t
+ if (ret)
+ return ret;
+
+- mutex_lock(&test_fw_mutex);
+ *(size_t *)cfg = new;
+- mutex_unlock(&test_fw_mutex);
+
+ /* Always return full write size even if we didn't consume all */
+ return size;
+@@ -402,7 +411,7 @@ static ssize_t test_dev_config_show_int(
+ return snprintf(buf, PAGE_SIZE, "%d\n", val);
+ }
+
+-static int test_dev_config_update_u8(const char *buf, size_t size, u8 *cfg)
++static int __test_dev_config_update_u8(const char *buf, size_t size, u8 *cfg)
+ {
+ u8 val;
+ int ret;
+@@ -411,14 +420,23 @@ static int test_dev_config_update_u8(con
+ if (ret)
+ return ret;
+
+- mutex_lock(&test_fw_mutex);
+ *(u8 *)cfg = val;
+- mutex_unlock(&test_fw_mutex);
+
+ /* Always return full write size even if we didn't consume all */
+ return size;
+ }
+
++static int test_dev_config_update_u8(const char *buf, size_t size, u8 *cfg)
++{
++ int ret;
++
++ mutex_lock(&test_fw_mutex);
++ ret = __test_dev_config_update_u8(buf, size, cfg);
++ mutex_unlock(&test_fw_mutex);
++
++ return ret;
++}
++
+ static ssize_t test_dev_config_show_u8(char *buf, u8 val)
+ {
+ return snprintf(buf, PAGE_SIZE, "%u\n", val);
+@@ -471,10 +489,10 @@ static ssize_t config_num_requests_store
+ mutex_unlock(&test_fw_mutex);
+ goto out;
+ }
+- mutex_unlock(&test_fw_mutex);
+
+- rc = test_dev_config_update_u8(buf, count,
+- &test_fw_config->num_requests);
++ rc = __test_dev_config_update_u8(buf, count,
++ &test_fw_config->num_requests);
++ mutex_unlock(&test_fw_mutex);
+
+ out:
+ return rc;
+@@ -518,10 +536,10 @@ static ssize_t config_buf_size_store(str
+ mutex_unlock(&test_fw_mutex);
+ goto out;
+ }
+- mutex_unlock(&test_fw_mutex);
+
+- rc = test_dev_config_update_size_t(buf, count,
+- &test_fw_config->buf_size);
++ rc = __test_dev_config_update_size_t(buf, count,
++ &test_fw_config->buf_size);
++ mutex_unlock(&test_fw_mutex);
+
+ out:
+ return rc;
+@@ -548,10 +566,10 @@ static ssize_t config_file_offset_store(
+ mutex_unlock(&test_fw_mutex);
+ goto out;
+ }
+- mutex_unlock(&test_fw_mutex);
+
+- rc = test_dev_config_update_size_t(buf, count,
+- &test_fw_config->file_offset);
++ rc = __test_dev_config_update_size_t(buf, count,
++ &test_fw_config->file_offset);
++ mutex_unlock(&test_fw_mutex);
+
+ out:
+ return rc;
--- /dev/null
+From e30fbc618e97b38dbb49f1d44dcd0778d3f23b8c Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Google)" <rostedt@goodmis.org>
+Date: Tue, 23 May 2023 22:11:08 -0400
+Subject: tracing/histograms: Allow variables to have some modifiers
+
+From: Steven Rostedt (Google) <rostedt@goodmis.org>
+
+commit e30fbc618e97b38dbb49f1d44dcd0778d3f23b8c upstream.
+
+Modifiers are used to change the behavior of keys. For instance, they
+can grouped into buckets, converted to syscall names (from the syscall
+identifier), show task->comm of the current pid, be an array of longs
+that represent a stacktrace, and more.
+
+It was found that nothing stopped a value from taking a modifier. As
+values are simple counters. If this happened, it would call code that
+was not expecting a modifier and crash the kernel. This was fixed by
+having the ___create_val_field() function test if a modifier was present
+and fail if one was. This fixed the crash.
+
+Now there's a problem with variables. Variables are used to pass fields
+from one event to another. Variables are allowed to have some modifiers,
+as the processing may need to happen at the time of the event (like
+stacktraces and comm names of the current pid). The issue is that it too
+uses __create_val_field(). Now that fails on modifiers, variables can no
+longer use them (this is a regression).
+
+As not all modifiers are for variables, have them use a separate check.
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230523221108.064a5d82@rorschach.local.home
+
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Tom Zanussi <zanussi@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Fixes: e0213434fe3e4 ("tracing: Do not let histogram values have some modifiers")
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_events_hist.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+--- a/kernel/trace/trace_events_hist.c
++++ b/kernel/trace/trace_events_hist.c
+@@ -4238,13 +4238,19 @@ static int __create_val_field(struct his
+ goto out;
+ }
+
+- /* Some types cannot be a value */
+- if (hist_field->flags & (HIST_FIELD_FL_GRAPH | HIST_FIELD_FL_PERCENT |
+- HIST_FIELD_FL_BUCKET | HIST_FIELD_FL_LOG2 |
+- HIST_FIELD_FL_SYM | HIST_FIELD_FL_SYM_OFFSET |
+- HIST_FIELD_FL_SYSCALL | HIST_FIELD_FL_STACKTRACE)) {
+- hist_err(file->tr, HIST_ERR_BAD_FIELD_MODIFIER, errpos(field_str));
+- ret = -EINVAL;
++ /* values and variables should not have some modifiers */
++ if (hist_field->flags & HIST_FIELD_FL_VAR) {
++ /* Variable */
++ if (hist_field->flags & (HIST_FIELD_FL_GRAPH | HIST_FIELD_FL_PERCENT |
++ HIST_FIELD_FL_BUCKET | HIST_FIELD_FL_LOG2))
++ goto err;
++ } else {
++ /* Value */
++ if (hist_field->flags & (HIST_FIELD_FL_GRAPH | HIST_FIELD_FL_PERCENT |
++ HIST_FIELD_FL_BUCKET | HIST_FIELD_FL_LOG2 |
++ HIST_FIELD_FL_SYM | HIST_FIELD_FL_SYM_OFFSET |
++ HIST_FIELD_FL_SYSCALL | HIST_FIELD_FL_STACKTRACE))
++ goto err;
+ }
+
+ hist_data->fields[val_idx] = hist_field;
+@@ -4256,6 +4262,9 @@ static int __create_val_field(struct his
+ ret = -EINVAL;
+ out:
+ return ret;
++ err:
++ hist_err(file->tr, HIST_ERR_BAD_FIELD_MODIFIER, errpos(field_str));
++ return -EINVAL;
+ }
+
+ static int create_val_field(struct hist_trigger_data *hist_data,
--- /dev/null
+From 81d0fa4cb4fc0e1a49c2b22f92c43d9fe972ebcf Mon Sep 17 00:00:00 2001
+From: Pietro Borrello <borrello@diag.uniroma1.it>
+Date: Sat, 28 Jan 2023 16:23:41 +0000
+Subject: tracing/probe: trace_probe_primary_from_call(): checked list_first_entry
+
+From: Pietro Borrello <borrello@diag.uniroma1.it>
+
+commit 81d0fa4cb4fc0e1a49c2b22f92c43d9fe972ebcf upstream.
+
+All callers of trace_probe_primary_from_call() check the return
+value to be non NULL. However, the function returns
+list_first_entry(&tpe->probes, ...) which can never be NULL.
+Additionally, it does not check for the list being possibly empty,
+possibly causing a type confusion on empty lists.
+Use list_first_entry_or_null() which solves both problems.
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230128-list-entry-null-check-v1-1-8bde6a3da2ef@diag.uniroma1.it/
+
+Fixes: 60d53e2c3b75 ("tracing/probe: Split trace_event related data from trace_probe")
+Signed-off-by: Pietro Borrello <borrello@diag.uniroma1.it>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Acked-by: Mukesh Ojha <quic_mojha@quicinc.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_probe.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_probe.h
++++ b/kernel/trace/trace_probe.h
+@@ -308,7 +308,7 @@ trace_probe_primary_from_call(struct tra
+ {
+ struct trace_probe_event *tpe = trace_probe_event_from_call(call);
+
+- return list_first_entry(&tpe->probes, struct trace_probe, list);
++ return list_first_entry_or_null(&tpe->probes, struct trace_probe, list);
+ }
+
+ static inline struct list_head *trace_probe_probe_list(struct trace_probe *tp)
--- /dev/null
+From 632478a05821bc1c9b55c3a1dd0fb1be7bfa1acc Mon Sep 17 00:00:00 2001
+From: Daniel Bristot de Oliveira <bristot@kernel.org>
+Date: Thu, 11 May 2023 18:32:01 +0200
+Subject: tracing/timerlat: Always wakeup the timerlat thread
+
+From: Daniel Bristot de Oliveira <bristot@kernel.org>
+
+commit 632478a05821bc1c9b55c3a1dd0fb1be7bfa1acc upstream.
+
+While testing rtla timerlat auto analysis, I reach a condition where
+the interface was not receiving tracing data. I was able to manually
+reproduce the problem with these steps:
+
+ # echo 0 > tracing_on # disable trace
+ # echo 1 > osnoise/stop_tracing_us # stop trace if timerlat irq > 1 us
+ # echo timerlat > current_tracer # enable timerlat tracer
+ # sleep 1 # wait... that is the time when rtla
+ # apply configs like prio or cgroup
+ # echo 1 > tracing_on # start tracing
+ # cat trace
+ # tracer: timerlat
+ #
+ # _-----=> irqs-off
+ # / _----=> need-resched
+ # | / _---=> hardirq/softirq
+ # || / _--=> preempt-depth
+ # ||| / _-=> migrate-disable
+ # |||| / delay
+ # ||||| ACTIVATION
+ # TASK-PID CPU# ||||| TIMESTAMP ID CONTEXT LATENCY
+ # | | | ||||| | | | |
+ NOTHING!
+
+Then, trying to enable tracing again with echo 1 > tracing_on resulted
+in no change: the trace was still not tracing.
+
+This problem happens because the timerlat IRQ hits the stop tracing
+condition while tracing is off, and do not wake up the timerlat thread,
+so the timerlat threads are kept sleeping forever, resulting in no
+trace, even after re-enabling the tracer.
+
+Avoid this condition by always waking up the threads, even after stopping
+tracing, allowing the tracer to return to its normal operating after
+a new tracing on.
+
+Link: https://lore.kernel.org/linux-trace-kernel/1ed8f830638b20a39d535d27d908e319a9a3c4e2.1683822622.git.bristot@kernel.org
+
+Cc: Juri Lelli <juri.lelli@redhat.com>
+Cc: stable@vger.kernel.org
+Fixes: a955d7eac177 ("trace: Add timerlat tracer")
+Signed-off-by: Daniel Bristot de Oliveira <bristot@kernel.org>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_osnoise.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/trace/trace_osnoise.c
++++ b/kernel/trace/trace_osnoise.c
+@@ -1652,6 +1652,8 @@ static enum hrtimer_restart timerlat_irq
+ osnoise_stop_tracing();
+ notify_new_max_latency(diff);
+
++ wake_up_process(tlat->kthread);
++
+ return HRTIMER_NORESTART;
+ }
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
