--- /dev/null
+From 33fcafe6ec70516212ad324486e98fe8a901d05b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Nov 2024 18:04:22 +0100
+Subject: ALSA: seq: ump: Fix seq port updates per FB info notify
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit aaa55faa2495320e44bc643a917c701f2cc89ee7 ]
+
+update_port_infos() is called when a UMP FB Info update notification
+is received, and this function is supposed to update the attributes of
+the corresponding sequencer port. However, the function had a few
+issues and it brought to the incorrect states. Namely:
+
+- It tried to get a wrong sequencer info for the update without
+ correcting the port number with the group-offset 1
+- The loop exited immediately when a sequencer port isn't present;
+ this ended up with the truncation if a sequencer port in the middle
+ goes away
+
+This patch addresses those bugs.
+
+Fixes: 4a16a3af0571 ("ALSA: seq: ump: Handle FB info update")
+Link: https://patch.msgid.link/20241128170423.23351-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/seq/seq_ump_client.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/sound/core/seq/seq_ump_client.c b/sound/core/seq/seq_ump_client.c
+index 91773f8ca7828..1c6c49560ae12 100644
+--- a/sound/core/seq/seq_ump_client.c
++++ b/sound/core/seq/seq_ump_client.c
+@@ -258,12 +258,12 @@ static void update_port_infos(struct seq_ump_client *client)
+ continue;
+
+ old->addr.client = client->seq_client;
+- old->addr.port = i;
++ old->addr.port = ump_group_to_seq_port(i);
+ err = snd_seq_kernel_client_ctl(client->seq_client,
+ SNDRV_SEQ_IOCTL_GET_PORT_INFO,
+ old);
+ if (err < 0)
+- return;
++ continue;
+ fill_port_info(new, client, &client->ump->groups[i]);
+ if (old->capability == new->capability &&
+ !strcmp(old->name, new->name))
+@@ -272,7 +272,7 @@ static void update_port_infos(struct seq_ump_client *client)
+ SNDRV_SEQ_IOCTL_SET_PORT_INFO,
+ new);
+ if (err < 0)
+- return;
++ continue;
+ /* notify to system port */
+ snd_seq_system_client_ev_port_change(client->seq_client, i);
+ }
+--
+2.43.0
+
--- /dev/null
+From afaedd416b779a92cf0324491dd068448384c48c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Feb 2024 12:15:08 +0100
+Subject: ALSA: seq: ump: Use automatic cleanup of kfree()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 316e38ef776663a7a4c5d76438c42c948c574df4 ]
+
+There are common patterns where a temporary buffer is allocated and
+freed at the exit, and those can be simplified with the recent cleanup
+mechanism via __free(kfree).
+
+No functional changes, only code refactoring.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://lore.kernel.org/r/20240222111509.28390-9-tiwai@suse.de
+Stable-dep-of: aaa55faa2495 ("ALSA: seq: ump: Fix seq port updates per FB info notify")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/core/seq/seq_ump_client.c | 33 ++++++++++++---------------------
+ 1 file changed, 12 insertions(+), 21 deletions(-)
+
+diff --git a/sound/core/seq/seq_ump_client.c b/sound/core/seq/seq_ump_client.c
+index eaf7181b9af5b..b4c7543a24249 100644
+--- a/sound/core/seq/seq_ump_client.c
++++ b/sound/core/seq/seq_ump_client.c
+@@ -225,18 +225,15 @@ static bool skip_group(struct seq_ump_client *client, struct seq_ump_group *grou
+ static int seq_ump_group_init(struct seq_ump_client *client, int group_index)
+ {
+ struct seq_ump_group *group = &client->groups[group_index];
+- struct snd_seq_port_info *port;
++ struct snd_seq_port_info *port __free(kfree) = NULL;
+ struct snd_seq_port_callback pcallbacks;
+- int err;
+
+ if (skip_group(client, group))
+ return 0;
+
+ port = kzalloc(sizeof(*port), GFP_KERNEL);
+- if (!port) {
+- err = -ENOMEM;
+- goto error;
+- }
++ if (!port)
++ return -ENOMEM;
+
+ fill_port_info(port, client, group);
+ port->flags = SNDRV_SEQ_PORT_FLG_GIVEN_PORT;
+@@ -249,24 +246,22 @@ static int seq_ump_group_init(struct seq_ump_client *client, int group_index)
+ pcallbacks.unuse = seq_ump_unuse;
+ pcallbacks.event_input = seq_ump_process_event;
+ port->kernel = &pcallbacks;
+- err = snd_seq_kernel_client_ctl(client->seq_client,
+- SNDRV_SEQ_IOCTL_CREATE_PORT,
+- port);
+- error:
+- kfree(port);
+- return err;
++ return snd_seq_kernel_client_ctl(client->seq_client,
++ SNDRV_SEQ_IOCTL_CREATE_PORT,
++ port);
+ }
+
+ /* update the sequencer ports; called from notify_fb_change callback */
+ static void update_port_infos(struct seq_ump_client *client)
+ {
+- struct snd_seq_port_info *old, *new;
++ struct snd_seq_port_info *old __free(kfree) = NULL;
++ struct snd_seq_port_info *new __free(kfree) = NULL;
+ int i, err;
+
+ old = kzalloc(sizeof(*old), GFP_KERNEL);
+ new = kzalloc(sizeof(*new), GFP_KERNEL);
+ if (!old || !new)
+- goto error;
++ return;
+
+ for (i = 0; i < SNDRV_UMP_MAX_GROUPS; i++) {
+ if (skip_group(client, &client->groups[i]))
+@@ -278,7 +273,7 @@ static void update_port_infos(struct seq_ump_client *client)
+ SNDRV_SEQ_IOCTL_GET_PORT_INFO,
+ old);
+ if (err < 0)
+- goto error;
++ return;
+ fill_port_info(new, client, &client->groups[i]);
+ if (old->capability == new->capability &&
+ !strcmp(old->name, new->name))
+@@ -287,13 +282,10 @@ static void update_port_infos(struct seq_ump_client *client)
+ SNDRV_SEQ_IOCTL_SET_PORT_INFO,
+ new);
+ if (err < 0)
+- goto error;
++ return;
+ /* notify to system port */
+ snd_seq_system_client_ev_port_change(client->seq_client, i);
+ }
+- error:
+- kfree(new);
+- kfree(old);
+ }
+
+ /* update dir_bits and active flag for all groups in the client */
+@@ -350,7 +342,7 @@ static void update_group_attrs(struct seq_ump_client *client)
+ /* create a UMP Endpoint port */
+ static int create_ump_endpoint_port(struct seq_ump_client *client)
+ {
+- struct snd_seq_port_info *port;
++ struct snd_seq_port_info *port __free(kfree) = NULL;
+ struct snd_seq_port_callback pcallbacks;
+ unsigned int rawmidi_info = client->ump->core.info_flags;
+ int err;
+@@ -399,7 +391,6 @@ static int create_ump_endpoint_port(struct seq_ump_client *client)
+ err = snd_seq_kernel_client_ctl(client->seq_client,
+ SNDRV_SEQ_IOCTL_CREATE_PORT,
+ port);
+- kfree(port);
+ return err;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From f90a979d22f784711aa3173a268effbbce53cfeb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 16:13:14 +0200
+Subject: ALSA: ump: Update substream name from assigned FB names
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 0642a3c5cacc0321c755d45ae48f2c84475469a6 ]
+
+We had a nice name scheme in ALSA sequencer UMP binding for each
+sequencer port referring to each assigned Function Block name, while
+the legacy rawmidi refers only to the UMP Endpoint name. It's better
+to align both.
+
+This patch moves the UMP Group attribute update functions into the
+core UMP code from the sequencer binding code, and improve the
+substream name of the legacy rawmidi.
+
+Link: https://patch.msgid.link/20240729141315.18253-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Stable-dep-of: aaa55faa2495 ("ALSA: seq: ump: Fix seq port updates per FB info notify")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/sound/ump.h | 10 +++++
+ sound/core/seq/seq_ump_client.c | 75 +++-----------------------------
+ sound/core/ump.c | 76 ++++++++++++++++++++++++++++++---
+ 3 files changed, 87 insertions(+), 74 deletions(-)
+
+diff --git a/include/sound/ump.h b/include/sound/ump.h
+index 91238dabe3075..7f68056acdffe 100644
+--- a/include/sound/ump.h
++++ b/include/sound/ump.h
+@@ -13,6 +13,14 @@ struct snd_ump_ops;
+ struct ump_cvt_to_ump;
+ struct snd_seq_ump_ops;
+
++struct snd_ump_group {
++ int group; /* group index (0-based) */
++ unsigned int dir_bits; /* directions */
++ bool active; /* activeness */
++ bool valid; /* valid group (referred by blocks) */
++ char name[64]; /* group name */
++};
++
+ struct snd_ump_endpoint {
+ struct snd_rawmidi core; /* raw UMP access */
+
+@@ -41,6 +49,8 @@ struct snd_ump_endpoint {
+
+ struct mutex open_mutex;
+
++ struct snd_ump_group groups[SNDRV_UMP_MAX_GROUPS]; /* table of groups */
++
+ #if IS_ENABLED(CONFIG_SND_UMP_LEGACY_RAWMIDI)
+ spinlock_t legacy_locks[2];
+ struct snd_rawmidi *legacy_rmidi;
+diff --git a/sound/core/seq/seq_ump_client.c b/sound/core/seq/seq_ump_client.c
+index b4c7543a24249..91773f8ca7828 100644
+--- a/sound/core/seq/seq_ump_client.c
++++ b/sound/core/seq/seq_ump_client.c
+@@ -23,15 +23,6 @@ enum {
+ STR_OUT = SNDRV_RAWMIDI_STREAM_OUTPUT
+ };
+
+-/* object per UMP group; corresponding to a sequencer port */
+-struct seq_ump_group {
+- int group; /* group index (0-based) */
+- unsigned int dir_bits; /* directions */
+- bool active; /* activeness */
+- bool valid; /* valid group (referred by blocks) */
+- char name[64]; /* seq port name */
+-};
+-
+ /* context for UMP input parsing, per EP */
+ struct seq_ump_input_buffer {
+ unsigned char len; /* total length in words */
+@@ -48,7 +39,6 @@ struct seq_ump_client {
+ int opened[2]; /* current opens for each direction */
+ struct snd_rawmidi_file out_rfile; /* rawmidi for output */
+ struct seq_ump_input_buffer input; /* input parser context */
+- struct seq_ump_group groups[SNDRV_UMP_MAX_GROUPS]; /* table of groups */
+ void *ump_info[SNDRV_UMP_MAX_BLOCKS + 1]; /* shadow of seq client ump_info */
+ struct work_struct group_notify_work; /* FB change notification */
+ };
+@@ -178,7 +168,7 @@ static int seq_ump_unuse(void *pdata, struct snd_seq_port_subscribe *info)
+ /* fill port_info from the given UMP EP and group info */
+ static void fill_port_info(struct snd_seq_port_info *port,
+ struct seq_ump_client *client,
+- struct seq_ump_group *group)
++ struct snd_ump_group *group)
+ {
+ unsigned int rawmidi_info = client->ump->core.info_flags;
+
+@@ -215,7 +205,7 @@ static void fill_port_info(struct snd_seq_port_info *port,
+ }
+
+ /* skip non-existing group for static blocks */
+-static bool skip_group(struct seq_ump_client *client, struct seq_ump_group *group)
++static bool skip_group(struct seq_ump_client *client, struct snd_ump_group *group)
+ {
+ return !group->valid &&
+ (client->ump->info.flags & SNDRV_UMP_EP_INFO_STATIC_BLOCKS);
+@@ -224,7 +214,7 @@ static bool skip_group(struct seq_ump_client *client, struct seq_ump_group *grou
+ /* create a new sequencer port per UMP group */
+ static int seq_ump_group_init(struct seq_ump_client *client, int group_index)
+ {
+- struct seq_ump_group *group = &client->groups[group_index];
++ struct snd_ump_group *group = &client->ump->groups[group_index];
+ struct snd_seq_port_info *port __free(kfree) = NULL;
+ struct snd_seq_port_callback pcallbacks;
+
+@@ -264,7 +254,7 @@ static void update_port_infos(struct seq_ump_client *client)
+ return;
+
+ for (i = 0; i < SNDRV_UMP_MAX_GROUPS; i++) {
+- if (skip_group(client, &client->groups[i]))
++ if (skip_group(client, &client->ump->groups[i]))
+ continue;
+
+ old->addr.client = client->seq_client;
+@@ -274,7 +264,7 @@ static void update_port_infos(struct seq_ump_client *client)
+ old);
+ if (err < 0)
+ return;
+- fill_port_info(new, client, &client->groups[i]);
++ fill_port_info(new, client, &client->ump->groups[i]);
+ if (old->capability == new->capability &&
+ !strcmp(old->name, new->name))
+ continue;
+@@ -288,57 +278,6 @@ static void update_port_infos(struct seq_ump_client *client)
+ }
+ }
+
+-/* update dir_bits and active flag for all groups in the client */
+-static void update_group_attrs(struct seq_ump_client *client)
+-{
+- struct snd_ump_block *fb;
+- struct seq_ump_group *group;
+- int i;
+-
+- for (i = 0; i < SNDRV_UMP_MAX_GROUPS; i++) {
+- group = &client->groups[i];
+- *group->name = 0;
+- group->dir_bits = 0;
+- group->active = 0;
+- group->group = i;
+- group->valid = false;
+- }
+-
+- list_for_each_entry(fb, &client->ump->block_list, list) {
+- if (fb->info.first_group + fb->info.num_groups > SNDRV_UMP_MAX_GROUPS)
+- break;
+- group = &client->groups[fb->info.first_group];
+- for (i = 0; i < fb->info.num_groups; i++, group++) {
+- group->valid = true;
+- if (fb->info.active)
+- group->active = 1;
+- switch (fb->info.direction) {
+- case SNDRV_UMP_DIR_INPUT:
+- group->dir_bits |= (1 << STR_IN);
+- break;
+- case SNDRV_UMP_DIR_OUTPUT:
+- group->dir_bits |= (1 << STR_OUT);
+- break;
+- case SNDRV_UMP_DIR_BIDIRECTION:
+- group->dir_bits |= (1 << STR_OUT) | (1 << STR_IN);
+- break;
+- }
+- if (!*fb->info.name)
+- continue;
+- if (!*group->name) {
+- /* store the first matching name */
+- strscpy(group->name, fb->info.name,
+- sizeof(group->name));
+- } else {
+- /* when overlapping, concat names */
+- strlcat(group->name, ", ", sizeof(group->name));
+- strlcat(group->name, fb->info.name,
+- sizeof(group->name));
+- }
+- }
+- }
+-}
+-
+ /* create a UMP Endpoint port */
+ static int create_ump_endpoint_port(struct seq_ump_client *client)
+ {
+@@ -435,7 +374,7 @@ static void setup_client_group_filter(struct seq_ump_client *client)
+ return;
+ filter = ~(1U << 0); /* always allow groupless messages */
+ for (p = 0; p < SNDRV_UMP_MAX_GROUPS; p++) {
+- if (client->groups[p].active)
++ if (client->ump->groups[p].active)
+ filter &= ~(1U << (p + 1));
+ }
+ cptr->group_filter = filter;
+@@ -448,7 +387,6 @@ static void handle_group_notify(struct work_struct *work)
+ struct seq_ump_client *client =
+ container_of(work, struct seq_ump_client, group_notify_work);
+
+- update_group_attrs(client);
+ update_port_infos(client);
+ setup_client_group_filter(client);
+ }
+@@ -511,7 +449,6 @@ static int snd_seq_ump_probe(struct device *_dev)
+ client->ump_info[fb->info.block_id + 1] = &fb->info;
+
+ setup_client_midi_version(client);
+- update_group_attrs(client);
+
+ for (p = 0; p < SNDRV_UMP_MAX_GROUPS; p++) {
+ err = seq_ump_group_init(client, p);
+diff --git a/sound/core/ump.c b/sound/core/ump.c
+index b1ce4756961a5..248fb1c8cad07 100644
+--- a/sound/core/ump.c
++++ b/sound/core/ump.c
+@@ -524,6 +524,58 @@ static void snd_ump_proc_read(struct snd_info_entry *entry,
+ }
+ }
+
++/* update dir_bits and active flag for all groups in the client */
++static void update_group_attrs(struct snd_ump_endpoint *ump)
++{
++ struct snd_ump_block *fb;
++ struct snd_ump_group *group;
++ int i;
++
++ for (i = 0; i < SNDRV_UMP_MAX_GROUPS; i++) {
++ group = &ump->groups[i];
++ *group->name = 0;
++ group->dir_bits = 0;
++ group->active = 0;
++ group->group = i;
++ group->valid = false;
++ }
++
++ list_for_each_entry(fb, &ump->block_list, list) {
++ if (fb->info.first_group + fb->info.num_groups > SNDRV_UMP_MAX_GROUPS)
++ break;
++ group = &ump->groups[fb->info.first_group];
++ for (i = 0; i < fb->info.num_groups; i++, group++) {
++ group->valid = true;
++ if (fb->info.active)
++ group->active = 1;
++ switch (fb->info.direction) {
++ case SNDRV_UMP_DIR_INPUT:
++ group->dir_bits |= (1 << SNDRV_RAWMIDI_STREAM_INPUT);
++ break;
++ case SNDRV_UMP_DIR_OUTPUT:
++ group->dir_bits |= (1 << SNDRV_RAWMIDI_STREAM_OUTPUT);
++ break;
++ case SNDRV_UMP_DIR_BIDIRECTION:
++ group->dir_bits |= (1 << SNDRV_RAWMIDI_STREAM_INPUT) |
++ (1 << SNDRV_RAWMIDI_STREAM_OUTPUT);
++ break;
++ }
++ if (!*fb->info.name)
++ continue;
++ if (!*group->name) {
++ /* store the first matching name */
++ strscpy(group->name, fb->info.name,
++ sizeof(group->name));
++ } else {
++ /* when overlapping, concat names */
++ strlcat(group->name, ", ", sizeof(group->name));
++ strlcat(group->name, fb->info.name,
++ sizeof(group->name));
++ }
++ }
++ }
++}
++
+ /*
+ * UMP endpoint and function block handling
+ */
+@@ -795,8 +847,10 @@ static int ump_handle_fb_info_msg(struct snd_ump_endpoint *ump,
+
+ if (fb) {
+ fill_fb_info(ump, &fb->info, buf);
+- if (ump->parsed)
++ if (ump->parsed) {
++ update_group_attrs(ump);
+ seq_notify_fb_change(ump, fb);
++ }
+ }
+
+ return 1; /* finished */
+@@ -825,8 +879,10 @@ static int ump_handle_fb_name_msg(struct snd_ump_endpoint *ump,
+ ret = ump_append_string(ump, fb->info.name, sizeof(fb->info.name),
+ buf->raw, 3);
+ /* notify the FB name update to sequencer, too */
+- if (ret > 0 && ump->parsed)
++ if (ret > 0 && ump->parsed) {
++ update_group_attrs(ump);
+ seq_notify_fb_change(ump, fb);
++ }
+ return ret;
+ }
+
+@@ -998,6 +1054,9 @@ int snd_ump_parse_endpoint(struct snd_ump_endpoint *ump)
+ continue;
+ }
+
++ /* initialize group attributions */
++ update_group_attrs(ump);
++
+ error:
+ ump->parsed = true;
+ ump_request_close(ump);
+@@ -1186,10 +1245,17 @@ static void fill_substream_names(struct snd_ump_endpoint *ump,
+ struct snd_rawmidi *rmidi, int dir)
+ {
+ struct snd_rawmidi_substream *s;
+-
+- list_for_each_entry(s, &rmidi->streams[dir].substreams, list)
++ const char *name;
++ int idx;
++
++ list_for_each_entry(s, &rmidi->streams[dir].substreams, list) {
++ idx = ump->legacy_mapping[s->number];
++ name = ump->groups[idx].name;
++ if (!*name)
++ name = ump->info.name;
+ snprintf(s->name, sizeof(s->name), "Group %d (%.16s)",
+- ump->legacy_mapping[s->number] + 1, ump->info.name);
++ idx + 1, name);
++ }
+ }
+
+ int snd_ump_attach_legacy_rawmidi(struct snd_ump_endpoint *ump,
+--
+2.43.0
+
--- /dev/null
+From 3be3c3206c84f0df6d2aba0d14bffe41dc4a443a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Nov 2024 09:04:16 +0100
+Subject: ALSA: usb-audio: Notify xrun for low-latency mode
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 4f9d674377d090e38d93360bd4df21b67534d622 ]
+
+The low-latency mode of USB-audio driver uses a similar approach like
+the implicit feedback mode but it has an explicit queuing at the
+trigger start time. The difference is, however, that no packet will
+be handled any longer after all queued packets are handled but no
+enough data is fed. In the case of implicit feedback mode, the
+capture-side packet handling triggers the re-queuing, and this checks
+the XRUN. OTOH, in the low-latency mode, it just stops without XRUN
+notification unless any new action is taken from user-space via ack
+callback. For example, when you stop the stream in aplay, no XRUN is
+reported.
+
+This patch adds the XRUN check at the packet complete callback in the
+case all pending URBs are exhausted. Strictly speaking, this state
+doesn't match really with XRUN; in theory the application may queue
+immediately after this happens. But such behavior is only for
+1-period configuration, which the USB-audio driver doesn't support.
+So we may conclude that this situation leads certainly to XRUN.
+
+A caveat is that the XRUN should be triggered only for the PCM RUNNING
+state, and not during DRAINING. This additional state check is put in
+notify_xrun(), too.
+
+Fixes: d5f871f89e21 ("ALSA: usb-audio: Improved lowlatency playback support")
+Reported-by: Leonard Crestez <cdleonard@gmail.com>
+Link: https://lore.kernel.org/25d5b0d8-4efd-4630-9d33-7a9e3fa9dc2b@gmail.com
+Link: https://patch.msgid.link/20241128080446.1181-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/endpoint.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/sound/usb/endpoint.c b/sound/usb/endpoint.c
+index 8f65349a06d36..68aa174be12d7 100644
+--- a/sound/usb/endpoint.c
++++ b/sound/usb/endpoint.c
+@@ -403,10 +403,15 @@ static int prepare_inbound_urb(struct snd_usb_endpoint *ep,
+ static void notify_xrun(struct snd_usb_endpoint *ep)
+ {
+ struct snd_usb_substream *data_subs;
++ struct snd_pcm_substream *psubs;
+
+ data_subs = READ_ONCE(ep->data_subs);
+- if (data_subs && data_subs->pcm_substream)
+- snd_pcm_stop_xrun(data_subs->pcm_substream);
++ if (!data_subs)
++ return;
++ psubs = data_subs->pcm_substream;
++ if (psubs && psubs->runtime &&
++ psubs->runtime->state == SNDRV_PCM_STATE_RUNNING)
++ snd_pcm_stop_xrun(psubs);
+ }
+
+ static struct snd_usb_packet_info *
+@@ -562,7 +567,10 @@ static void snd_complete_urb(struct urb *urb)
+ push_back_to_ready_list(ep, ctx);
+ clear_bit(ctx->index, &ep->active_mask);
+ snd_usb_queue_pending_output_urbs(ep, false);
+- atomic_dec(&ep->submitted_urbs); /* decrement at last */
++ /* decrement at last, and check xrun */
++ if (atomic_dec_and_test(&ep->submitted_urbs) &&
++ !snd_usb_endpoint_implicit_feedback_sink(ep))
++ notify_xrun(ep);
+ return;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 6ce92766fa704ca0ca909edbb692bc7217101d6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2024 16:20:58 -0300
+Subject: ASoC: mediatek: mt8188-mt6359: Remove hardcoded dmic codec
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+
+[ Upstream commit ec16a3cdf37e507013062f9c4a2067eacdd12b62 ]
+
+Remove hardcoded dmic codec from the UL_SRC dai link to avoid requiring
+a dmic codec to be present for the driver to probe, as not every
+MT8188-based platform might need a dmic codec. The codec can be assigned
+to the dai link through the dai-link property in Devicetree on the
+platforms where it is needed.
+
+No Devicetree currently relies on it so it is safe to remove without
+worrying about backward compatibility.
+
+Fixes: 9f08dcbddeb3 ("ASoC: mediatek: mt8188-mt6359: support new board with nau88255")
+Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://patch.msgid.link/20241203-mt8188-6359-unhardcode-dmic-v1-1-346e3e5cbe6d@collabora.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/mediatek/mt8188/mt8188-mt6359.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/sound/soc/mediatek/mt8188/mt8188-mt6359.c b/sound/soc/mediatek/mt8188/mt8188-mt6359.c
+index f7e22abb75846..61813b658e3b4 100644
+--- a/sound/soc/mediatek/mt8188/mt8188-mt6359.c
++++ b/sound/soc/mediatek/mt8188/mt8188-mt6359.c
+@@ -171,9 +171,7 @@ SND_SOC_DAILINK_DEFS(pcm1,
+ SND_SOC_DAILINK_DEFS(ul_src,
+ DAILINK_COMP_ARRAY(COMP_CPU("UL_SRC")),
+ DAILINK_COMP_ARRAY(COMP_CODEC("mt6359-sound",
+- "mt6359-snd-codec-aif1"),
+- COMP_CODEC("dmic-codec",
+- "dmic-hifi")),
++ "mt6359-snd-codec-aif1")),
+ DAILINK_COMP_ARRAY(COMP_EMPTY()));
+
+ struct mt8188_mt6359_priv {
+--
+2.43.0
+
--- /dev/null
+From e16cc9eda74bd1fae54b38c639642b7f54cd0307 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Nov 2024 17:29:54 +0800
+Subject: ASoC: SOF: ipc3-topology: Convert the topology pin index to ALH dai
+ index
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bard Liao <yung-chuan.liao@linux.intel.com>
+
+[ Upstream commit e9db1b551774037ebe39dde4a658d89ba95e260b ]
+
+Intel SoundWire machine driver always uses Pin number 2 and above.
+Currently, the pin number is used as the FW DAI index directly. As a
+result, FW DAI 0 and 1 are never used. That worked fine because we use
+up to 2 DAIs in a SDW link. Convert the topology pin index to ALH dai
+index, the mapping is using 2-off indexing, iow, pin #2 is ALH dai #0.
+
+The issue exists since beginning. And the Fixes tag is the first commit
+that this commit can be applied.
+
+Fixes: b66bfc3a9810 ("ASoC: SOF: sof-audio: Fix broken early bclk feature for SSP")
+Signed-off-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Reviewed-by: Liam Girdwood <liam.r.girdwood@intel.com>
+Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Link: https://patch.msgid.link/20241127092955.20026-1-yung-chuan.liao@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/ipc3-topology.c | 26 ++++++++++++++++++++++++--
+ 1 file changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/sof/ipc3-topology.c b/sound/soc/sof/ipc3-topology.c
+index d96555438c6bf..a1eab10211b0e 100644
+--- a/sound/soc/sof/ipc3-topology.c
++++ b/sound/soc/sof/ipc3-topology.c
+@@ -20,6 +20,9 @@
+ /* size of tplg ABI in bytes */
+ #define SOF_IPC3_TPLG_ABI_SIZE 3
+
++/* Base of SOF_DAI_INTEL_ALH, this should be aligned with SOC_SDW_INTEL_BIDIR_PDI_BASE */
++#define INTEL_ALH_DAI_INDEX_BASE 2
++
+ struct sof_widget_data {
+ int ctrl_type;
+ int ipc_cmd;
+@@ -1509,6 +1512,17 @@ static int sof_ipc3_widget_setup_comp_dai(struct snd_sof_widget *swidget)
+ if (ret < 0)
+ goto free;
+
++ /* Subtract the base to match the FW dai index. */
++ if (comp_dai->type == SOF_DAI_INTEL_ALH) {
++ if (comp_dai->dai_index < INTEL_ALH_DAI_INDEX_BASE) {
++ dev_err(sdev->dev,
++ "Invalid ALH dai index %d, only Pin numbers >= %d can be used\n",
++ comp_dai->dai_index, INTEL_ALH_DAI_INDEX_BASE);
++ return -EINVAL;
++ }
++ comp_dai->dai_index -= INTEL_ALH_DAI_INDEX_BASE;
++ }
++
+ dev_dbg(scomp->dev, "dai %s: type %d index %d\n",
+ swidget->widget->name, comp_dai->type, comp_dai->dai_index);
+ sof_dbg_comp_config(scomp, &comp_dai->config);
+@@ -2076,8 +2090,16 @@ static int sof_ipc3_dai_config(struct snd_sof_dev *sdev, struct snd_sof_widget *
+ case SOF_DAI_INTEL_ALH:
+ if (data) {
+ /* save the dai_index during hw_params and reuse it for hw_free */
+- if (flags & SOF_DAI_CONFIG_FLAGS_HW_PARAMS)
+- config->dai_index = data->dai_index;
++ if (flags & SOF_DAI_CONFIG_FLAGS_HW_PARAMS) {
++ /* Subtract the base to match the FW dai index. */
++ if (data->dai_index < INTEL_ALH_DAI_INDEX_BASE) {
++ dev_err(sdev->dev,
++ "Invalid ALH dai index %d, only Pin numbers >= %d can be used\n",
++ config->dai_index, INTEL_ALH_DAI_INDEX_BASE);
++ return -EINVAL;
++ }
++ config->dai_index = data->dai_index - INTEL_ALH_DAI_INDEX_BASE;
++ }
+ config->alh.stream_id = data->dai_data;
+ }
+ break;
+--
+2.43.0
+
--- /dev/null
+From 920bfe4cbde00efe1773d11b60f2437f28b96055 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 Nov 2024 13:09:06 +0300
+Subject: ASoC: SOF: ipc3-topology: fix resource leaks in
+ sof_ipc3_widget_setup_comp_dai()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 6d544ea21d367cbd9746ae882e67a839391a6594 ]
+
+These error paths should free comp_dai before returning.
+
+Fixes: 909dadf21aae ("ASoC: SOF: topology: Make DAI widget parsing IPC agnostic")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/67d185cf-d139-4f8c-970a-dbf0542246a8@stanley.mountain
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/ipc3-topology.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/sof/ipc3-topology.c b/sound/soc/sof/ipc3-topology.c
+index a1eab10211b0e..0e5ae7fa0ef7a 100644
+--- a/sound/soc/sof/ipc3-topology.c
++++ b/sound/soc/sof/ipc3-topology.c
+@@ -1503,14 +1503,14 @@ static int sof_ipc3_widget_setup_comp_dai(struct snd_sof_widget *swidget)
+ ret = sof_update_ipc_object(scomp, comp_dai, SOF_DAI_TOKENS, swidget->tuples,
+ swidget->num_tuples, sizeof(*comp_dai), 1);
+ if (ret < 0)
+- goto free;
++ goto free_comp;
+
+ /* update comp_tokens */
+ ret = sof_update_ipc_object(scomp, &comp_dai->config, SOF_COMP_TOKENS,
+ swidget->tuples, swidget->num_tuples,
+ sizeof(comp_dai->config), 1);
+ if (ret < 0)
+- goto free;
++ goto free_comp;
+
+ /* Subtract the base to match the FW dai index. */
+ if (comp_dai->type == SOF_DAI_INTEL_ALH) {
+@@ -1518,7 +1518,8 @@ static int sof_ipc3_widget_setup_comp_dai(struct snd_sof_widget *swidget)
+ dev_err(sdev->dev,
+ "Invalid ALH dai index %d, only Pin numbers >= %d can be used\n",
+ comp_dai->dai_index, INTEL_ALH_DAI_INDEX_BASE);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto free_comp;
+ }
+ comp_dai->dai_index -= INTEL_ALH_DAI_INDEX_BASE;
+ }
+--
+2.43.0
+
--- /dev/null
+From 105ee6d4eb228d8d06776317cd8a342f014307c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2024 19:06:18 +0800
+Subject: bpf: Fix exact match conditions in trie_get_next_key()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hou Tao <houtao1@huawei.com>
+
+[ Upstream commit 27abc7b3fa2e09bbe41e2924d328121546865eda ]
+
+trie_get_next_key() uses node->prefixlen == key->prefixlen to identify
+an exact match, However, it is incorrect because when the target key
+doesn't fully match the found node (e.g., node->prefixlen != matchlen),
+these two nodes may also have the same prefixlen. It will return
+expected result when the passed key exist in the trie. However when a
+recently-deleted key or nonexistent key is passed to
+trie_get_next_key(), it may skip keys and return incorrect result.
+
+Fix it by using node->prefixlen == matchlen to identify exact matches.
+When the condition is true after the search, it also implies
+node->prefixlen equals key->prefixlen, otherwise, the search would
+return NULL instead.
+
+Fixes: b471f2f1de8b ("bpf: implement MAP_GET_NEXT_KEY command for LPM_TRIE map")
+Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Link: https://lore.kernel.org/r/20241206110622.1161752-6-houtao@huaweicloud.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/lpm_trie.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/bpf/lpm_trie.c b/kernel/bpf/lpm_trie.c
+index 958f907cdaf0e..c4f1d465ae35c 100644
+--- a/kernel/bpf/lpm_trie.c
++++ b/kernel/bpf/lpm_trie.c
+@@ -638,7 +638,7 @@ static int trie_get_next_key(struct bpf_map *map, void *_key, void *_next_key)
+ struct lpm_trie_node **node_stack = NULL;
+ int err = 0, stack_ptr = -1;
+ unsigned int next_bit;
+- size_t matchlen;
++ size_t matchlen = 0;
+
+ /* The get_next_key follows postorder. For the 4 node example in
+ * the top of this file, the trie_get_next_key() returns the following
+@@ -677,7 +677,7 @@ static int trie_get_next_key(struct bpf_map *map, void *_key, void *_next_key)
+ next_bit = extract_bit(key->data, node->prefixlen);
+ node = rcu_dereference(node->child[next_bit]);
+ }
+- if (!node || node->prefixlen != key->prefixlen ||
++ if (!node || node->prefixlen != matchlen ||
+ (node->flags & LPM_TREE_NODE_FLAG_IM))
+ goto find_leftmost;
+
+--
+2.43.0
+
--- /dev/null
+From 56bc7476b3f9340e9dafc6f70bd58743d1d55113 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2024 20:47:54 -0800
+Subject: bpf: Fix narrow scalar spill onto 64-bit spilled scalar slots
+
+From: Tao Lyu <tao.lyu@epfl.ch>
+
+[ Upstream commit b0e66977dc072906bb76555fb1a64261d7f63d0f ]
+
+When CAP_PERFMON and CAP_SYS_ADMIN (allow_ptr_leaks) are disabled, the
+verifier aims to reject partial overwrite on an 8-byte stack slot that
+contains a spilled pointer.
+
+However, in such a scenario, it rejects all partial stack overwrites as
+long as the targeted stack slot is a spilled register, because it does
+not check if the stack slot is a spilled pointer.
+
+Incomplete checks will result in the rejection of valid programs, which
+spill narrower scalar values onto scalar slots, as shown below.
+
+0: R1=ctx() R10=fp0
+; asm volatile ( @ repro.bpf.c:679
+0: (7a) *(u64 *)(r10 -8) = 1 ; R10=fp0 fp-8_w=1
+1: (62) *(u32 *)(r10 -8) = 1
+attempt to corrupt spilled pointer on stack
+processed 2 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0.
+
+Fix this by expanding the check to not consider spilled scalar registers
+when rejecting the write into the stack.
+
+Previous discussion on this patch is at link [0].
+
+ [0]: https://lore.kernel.org/bpf/20240403202409.2615469-1-tao.lyu@epfl.ch
+
+Fixes: ab125ed3ec1c ("bpf: fix check for attempt to corrupt spilled pointer")
+Acked-by: Eduard Zingerman <eddyz87@gmail.com>
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Tao Lyu <tao.lyu@epfl.ch>
+Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+Link: https://lore.kernel.org/r/20241204044757.1483141-3-memxor@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/verifier.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 5ca02af3a8728..3f47cfa17141a 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -4599,6 +4599,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
+ */
+ if (!env->allow_ptr_leaks &&
+ is_spilled_reg(&state->stack[spi]) &&
++ !is_spilled_scalar_reg(&state->stack[spi]) &&
+ size != BPF_REG_SIZE) {
+ verbose(env, "attempt to corrupt spilled pointer on stack\n");
+ return -EACCES;
+--
+2.43.0
+
--- /dev/null
+From d4f251159cf0325e207b7507a28f8b7270a9c4a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2024 19:06:16 +0800
+Subject: bpf: Handle BPF_EXIST and BPF_NOEXIST for LPM trie
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hou Tao <houtao1@huawei.com>
+
+[ Upstream commit eae6a075e9537dd69891cf77ca5a88fa8a28b4a1 ]
+
+Add the currently missing handling for the BPF_EXIST and BPF_NOEXIST
+flags. These flags can be specified by users and are relevant since LPM
+trie supports exact matches during update.
+
+Fixes: b95a5c4db09b ("bpf: add a longest prefix match trie map implementation")
+Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Link: https://lore.kernel.org/r/20241206110622.1161752-4-houtao@huaweicloud.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/lpm_trie.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/bpf/lpm_trie.c b/kernel/bpf/lpm_trie.c
+index daf8ffcfcdac4..0b1931ad3b1dd 100644
+--- a/kernel/bpf/lpm_trie.c
++++ b/kernel/bpf/lpm_trie.c
+@@ -368,6 +368,10 @@ static long trie_update_elem(struct bpf_map *map,
+ * simply assign the @new_node to that slot and be done.
+ */
+ if (!node) {
++ if (flags == BPF_EXIST) {
++ ret = -ENOENT;
++ goto out;
++ }
+ rcu_assign_pointer(*slot, new_node);
+ goto out;
+ }
+@@ -376,18 +380,31 @@ static long trie_update_elem(struct bpf_map *map,
+ * which already has the correct data array set.
+ */
+ if (node->prefixlen == matchlen) {
++ if (!(node->flags & LPM_TREE_NODE_FLAG_IM)) {
++ if (flags == BPF_NOEXIST) {
++ ret = -EEXIST;
++ goto out;
++ }
++ trie->n_entries--;
++ } else if (flags == BPF_EXIST) {
++ ret = -ENOENT;
++ goto out;
++ }
++
+ new_node->child[0] = node->child[0];
+ new_node->child[1] = node->child[1];
+
+- if (!(node->flags & LPM_TREE_NODE_FLAG_IM))
+- trie->n_entries--;
+-
+ rcu_assign_pointer(*slot, new_node);
+ free_node = node;
+
+ goto out;
+ }
+
++ if (flags == BPF_EXIST) {
++ ret = -ENOENT;
++ goto out;
++ }
++
+ /* If the new node matches the prefix completely, it must be inserted
+ * as an ancestor. Simply insert it between @node and *@slot.
+ */
+--
+2.43.0
+
--- /dev/null
+From 091a657be1714e2ee5b330e240b87e4052ebead7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2024 19:06:17 +0800
+Subject: bpf: Handle in-place update for full LPM trie correctly
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hou Tao <houtao1@huawei.com>
+
+[ Upstream commit 532d6b36b2bfac5514426a97a4df8d103d700d43 ]
+
+When a LPM trie is full, in-place updates of existing elements
+incorrectly return -ENOSPC.
+
+Fix this by deferring the check of trie->n_entries. For new insertions,
+n_entries must not exceed max_entries. However, in-place updates are
+allowed even when the trie is full.
+
+Fixes: b95a5c4db09b ("bpf: add a longest prefix match trie map implementation")
+Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Link: https://lore.kernel.org/r/20241206110622.1161752-5-houtao@huaweicloud.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/lpm_trie.c | 44 +++++++++++++++++++++----------------------
+ 1 file changed, 21 insertions(+), 23 deletions(-)
+
+diff --git a/kernel/bpf/lpm_trie.c b/kernel/bpf/lpm_trie.c
+index db1b36c09eafa..958f907cdaf0e 100644
+--- a/kernel/bpf/lpm_trie.c
++++ b/kernel/bpf/lpm_trie.c
+@@ -302,6 +302,16 @@ static struct lpm_trie_node *lpm_trie_node_alloc(const struct lpm_trie *trie,
+ return node;
+ }
+
++static int trie_check_add_elem(struct lpm_trie *trie, u64 flags)
++{
++ if (flags == BPF_EXIST)
++ return -ENOENT;
++ if (trie->n_entries == trie->map.max_entries)
++ return -ENOSPC;
++ trie->n_entries++;
++ return 0;
++}
++
+ /* Called from syscall or from eBPF program */
+ static long trie_update_elem(struct bpf_map *map,
+ void *_key, void *value, u64 flags)
+@@ -325,20 +335,12 @@ static long trie_update_elem(struct bpf_map *map,
+ spin_lock_irqsave(&trie->lock, irq_flags);
+
+ /* Allocate and fill a new node */
+-
+- if (trie->n_entries == trie->map.max_entries) {
+- ret = -ENOSPC;
+- goto out;
+- }
+-
+ new_node = lpm_trie_node_alloc(trie, value);
+ if (!new_node) {
+ ret = -ENOMEM;
+ goto out;
+ }
+
+- trie->n_entries++;
+-
+ new_node->prefixlen = key->prefixlen;
+ RCU_INIT_POINTER(new_node->child[0], NULL);
+ RCU_INIT_POINTER(new_node->child[1], NULL);
+@@ -368,10 +370,10 @@ static long trie_update_elem(struct bpf_map *map,
+ * simply assign the @new_node to that slot and be done.
+ */
+ if (!node) {
+- if (flags == BPF_EXIST) {
+- ret = -ENOENT;
++ ret = trie_check_add_elem(trie, flags);
++ if (ret)
+ goto out;
+- }
++
+ rcu_assign_pointer(*slot, new_node);
+ goto out;
+ }
+@@ -385,10 +387,10 @@ static long trie_update_elem(struct bpf_map *map,
+ ret = -EEXIST;
+ goto out;
+ }
+- trie->n_entries--;
+- } else if (flags == BPF_EXIST) {
+- ret = -ENOENT;
+- goto out;
++ } else {
++ ret = trie_check_add_elem(trie, flags);
++ if (ret)
++ goto out;
+ }
+
+ new_node->child[0] = node->child[0];
+@@ -400,10 +402,9 @@ static long trie_update_elem(struct bpf_map *map,
+ goto out;
+ }
+
+- if (flags == BPF_EXIST) {
+- ret = -ENOENT;
++ ret = trie_check_add_elem(trie, flags);
++ if (ret)
+ goto out;
+- }
+
+ /* If the new node matches the prefix completely, it must be inserted
+ * as an ancestor. Simply insert it between @node and *@slot.
+@@ -417,6 +418,7 @@ static long trie_update_elem(struct bpf_map *map,
+
+ im_node = lpm_trie_node_alloc(trie, NULL);
+ if (!im_node) {
++ trie->n_entries--;
+ ret = -ENOMEM;
+ goto out;
+ }
+@@ -438,12 +440,8 @@ static long trie_update_elem(struct bpf_map *map,
+ rcu_assign_pointer(*slot, im_node);
+
+ out:
+- if (ret) {
+- if (new_node)
+- trie->n_entries--;
++ if (ret)
+ kfree(new_node);
+- }
+-
+ spin_unlock_irqrestore(&trie->lock, irq_flags);
+ kfree_rcu(free_node, rcu);
+
+--
+2.43.0
+
--- /dev/null
+From 952be82698d17f33a47691e36936fcd4a2aa3499 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2024 19:06:15 +0800
+Subject: bpf: Remove unnecessary kfree(im_node) in lpm_trie_update_elem
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hou Tao <houtao1@huawei.com>
+
+[ Upstream commit 3d5611b4d7efbefb85a74fcdbc35c603847cc022 ]
+
+There is no need to call kfree(im_node) when updating element fails,
+because im_node must be NULL. Remove the unnecessary kfree() for
+im_node.
+
+Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Link: https://lore.kernel.org/r/20241206110622.1161752-3-houtao@huaweicloud.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Stable-dep-of: 532d6b36b2bf ("bpf: Handle in-place update for full LPM trie correctly")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/lpm_trie.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/kernel/bpf/lpm_trie.c b/kernel/bpf/lpm_trie.c
+index 0b1931ad3b1dd..db1b36c09eafa 100644
+--- a/kernel/bpf/lpm_trie.c
++++ b/kernel/bpf/lpm_trie.c
+@@ -307,7 +307,7 @@ static long trie_update_elem(struct bpf_map *map,
+ void *_key, void *value, u64 flags)
+ {
+ struct lpm_trie *trie = container_of(map, struct lpm_trie, map);
+- struct lpm_trie_node *node, *im_node = NULL, *new_node = NULL;
++ struct lpm_trie_node *node, *im_node, *new_node = NULL;
+ struct lpm_trie_node *free_node = NULL;
+ struct lpm_trie_node __rcu **slot;
+ struct bpf_lpm_trie_key_u8 *key = _key;
+@@ -441,9 +441,7 @@ static long trie_update_elem(struct bpf_map *map,
+ if (ret) {
+ if (new_node)
+ trie->n_entries--;
+-
+ kfree(new_node);
+- kfree(im_node);
+ }
+
+ spin_unlock_irqrestore(&trie->lock, irq_flags);
+--
+2.43.0
+
--- /dev/null
+From 7a8783a5eb44ebe9995508e3eaae00fa861db7f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Nov 2024 22:03:41 +0100
+Subject: bpf, vsock: Fix poll() missing a queue
+
+From: Michal Luczaj <mhal@rbox.co>
+
+[ Upstream commit 9f0fc98145218ff8f50d8cfa3b393785056c53e1 ]
+
+When a verdict program simply passes a packet without redirection, sk_msg
+is enqueued on sk_psock::ingress_msg. Add a missing check to poll().
+
+Fixes: 634f1a7110b4 ("vsock: support sockmap")
+Signed-off-by: Michal Luczaj <mhal@rbox.co>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
+Link: https://lore.kernel.org/r/20241118-vsock-bpf-poll-close-v1-1-f1b9669cacdc@rbox.co
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/af_vsock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index f5eb737a677d9..7ba3357c9882c 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1050,6 +1050,9 @@ static __poll_t vsock_poll(struct file *file, struct socket *sock,
+ mask |= EPOLLRDHUP;
+ }
+
++ if (sk_is_readable(sk))
++ mask |= EPOLLIN | EPOLLRDNORM;
++
+ if (sock->type == SOCK_DGRAM) {
+ /* For datagram sockets we can read if there is something in
+ * the queue and write as long as the socket isn't shutdown for
+--
+2.43.0
+
--- /dev/null
+From a350a763d99262dfd40fa67b37831f2ccf29627c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Nov 2024 22:03:43 +0100
+Subject: bpf, vsock: Invoke proto::close on close()
+
+From: Michal Luczaj <mhal@rbox.co>
+
+[ Upstream commit 135ffc7becc82cfb84936ae133da7969220b43b2 ]
+
+vsock defines a BPF callback to be invoked when close() is called. However,
+this callback is never actually executed. As a result, a closed vsock
+socket is not automatically removed from the sockmap/sockhash.
+
+Introduce a dummy vsock_close() and make vsock_release() call proto::close.
+
+Note: changes in __vsock_release() look messy, but it's only due to indent
+level reduction and variables xmas tree reorder.
+
+Fixes: 634f1a7110b4 ("vsock: support sockmap")
+Signed-off-by: Michal Luczaj <mhal@rbox.co>
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
+Link: https://lore.kernel.org/r/20241118-vsock-bpf-poll-close-v1-3-f1b9669cacdc@rbox.co
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/af_vsock.c | 67 ++++++++++++++++++++++++----------------
+ 1 file changed, 40 insertions(+), 27 deletions(-)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index 7ba3357c9882c..6e1cd71d33a59 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -116,12 +116,14 @@
+ static int __vsock_bind(struct sock *sk, struct sockaddr_vm *addr);
+ static void vsock_sk_destruct(struct sock *sk);
+ static int vsock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb);
++static void vsock_close(struct sock *sk, long timeout);
+
+ /* Protocol family. */
+ struct proto vsock_proto = {
+ .name = "AF_VSOCK",
+ .owner = THIS_MODULE,
+ .obj_size = sizeof(struct vsock_sock),
++ .close = vsock_close,
+ #ifdef CONFIG_BPF_SYSCALL
+ .psock_update_sk_prot = vsock_bpf_update_proto,
+ #endif
+@@ -796,39 +798,37 @@ static bool sock_type_connectible(u16 type)
+
+ static void __vsock_release(struct sock *sk, int level)
+ {
+- if (sk) {
+- struct sock *pending;
+- struct vsock_sock *vsk;
+-
+- vsk = vsock_sk(sk);
+- pending = NULL; /* Compiler warning. */
++ struct vsock_sock *vsk;
++ struct sock *pending;
+
+- /* When "level" is SINGLE_DEPTH_NESTING, use the nested
+- * version to avoid the warning "possible recursive locking
+- * detected". When "level" is 0, lock_sock_nested(sk, level)
+- * is the same as lock_sock(sk).
+- */
+- lock_sock_nested(sk, level);
++ vsk = vsock_sk(sk);
++ pending = NULL; /* Compiler warning. */
+
+- if (vsk->transport)
+- vsk->transport->release(vsk);
+- else if (sock_type_connectible(sk->sk_type))
+- vsock_remove_sock(vsk);
++ /* When "level" is SINGLE_DEPTH_NESTING, use the nested
++ * version to avoid the warning "possible recursive locking
++ * detected". When "level" is 0, lock_sock_nested(sk, level)
++ * is the same as lock_sock(sk).
++ */
++ lock_sock_nested(sk, level);
+
+- sock_orphan(sk);
+- sk->sk_shutdown = SHUTDOWN_MASK;
++ if (vsk->transport)
++ vsk->transport->release(vsk);
++ else if (sock_type_connectible(sk->sk_type))
++ vsock_remove_sock(vsk);
+
+- skb_queue_purge(&sk->sk_receive_queue);
++ sock_orphan(sk);
++ sk->sk_shutdown = SHUTDOWN_MASK;
+
+- /* Clean up any sockets that never were accepted. */
+- while ((pending = vsock_dequeue_accept(sk)) != NULL) {
+- __vsock_release(pending, SINGLE_DEPTH_NESTING);
+- sock_put(pending);
+- }
++ skb_queue_purge(&sk->sk_receive_queue);
+
+- release_sock(sk);
+- sock_put(sk);
++ /* Clean up any sockets that never were accepted. */
++ while ((pending = vsock_dequeue_accept(sk)) != NULL) {
++ __vsock_release(pending, SINGLE_DEPTH_NESTING);
++ sock_put(pending);
+ }
++
++ release_sock(sk);
++ sock_put(sk);
+ }
+
+ static void vsock_sk_destruct(struct sock *sk)
+@@ -897,9 +897,22 @@ void vsock_data_ready(struct sock *sk)
+ }
+ EXPORT_SYMBOL_GPL(vsock_data_ready);
+
++/* Dummy callback required by sockmap.
++ * See unconditional call of saved_close() in sock_map_close().
++ */
++static void vsock_close(struct sock *sk, long timeout)
++{
++}
++
+ static int vsock_release(struct socket *sock)
+ {
+- __vsock_release(sock->sk, 0);
++ struct sock *sk = sock->sk;
++
++ if (!sk)
++ return 0;
++
++ sk->sk_prot->close(sk, 0);
++ __vsock_release(sk, 0);
+ sock->sk = NULL;
+ sock->state = SS_FREE;
+
+--
+2.43.0
+
--- /dev/null
+From 3bf02b76057b435b0864a2bf8307c367a0ede73e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Nov 2024 12:04:13 +0330
+Subject: bpftool: fix potential NULL pointer dereferencing in prog_dump()
+
+From: Amir Mohammadi <amirmohammadi1999.am@gmail.com>
+
+[ Upstream commit ef3ba8c258ee368a5343fa9329df85b4bcb9e8b5 ]
+
+A NULL pointer dereference could occur if ksyms
+is not properly checked before usage in the prog_dump() function.
+
+Fixes: b053b439b72a ("bpf: libbpf: bpftool: Print bpf_line_info during prog dump")
+Signed-off-by: Amir Mohammadi <amiremohamadi@yahoo.com>
+Reviewed-by: Quentin Monnet <qmo@kernel.org>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/r/20241121083413.7214-1-amiremohamadi@yahoo.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bpf/bpftool/prog.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/tools/bpf/bpftool/prog.c b/tools/bpf/bpftool/prog.c
+index e5e0fe3854a35..90ae2ea61324c 100644
+--- a/tools/bpf/bpftool/prog.c
++++ b/tools/bpf/bpftool/prog.c
+@@ -818,11 +818,18 @@ prog_dump(struct bpf_prog_info *info, enum dump_mode mode,
+ printf("%s:\n", sym_name);
+ }
+
+- if (disasm_print_insn(img, lens[i], opcodes,
+- name, disasm_opt, btf,
+- prog_linfo, ksyms[i], i,
+- linum))
+- goto exit_free;
++ if (ksyms) {
++ if (disasm_print_insn(img, lens[i], opcodes,
++ name, disasm_opt, btf,
++ prog_linfo, ksyms[i], i,
++ linum))
++ goto exit_free;
++ } else {
++ if (disasm_print_insn(img, lens[i], opcodes,
++ name, disasm_opt, btf,
++ NULL, 0, 0, false))
++ goto exit_free;
++ }
+
+ img += lens[i];
+
+--
+2.43.0
+
--- /dev/null
+From 15f1af6ca5a40f93475af09e798714b4227a9de7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Nov 2024 15:21:36 +0800
+Subject: drm/sti: Add __iomem for mixer_dbg_mxn's parameter
+
+From: Pei Xiao <xiaopei01@kylinos.cn>
+
+[ Upstream commit 86e8f94789dd6f3e705bfa821e1e416f97a2f863 ]
+
+Sparse complains about incorrect type in argument 1.
+expected void const volatile __iomem *ptr but got void *.
+so modify mixer_dbg_mxn's addr parameter.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202411191809.6V3c826r-lkp@intel.com/
+Fixes: a5f81078a56c ("drm/sti: add debugfs entries for MIXER crtc")
+Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
+Acked-by: Raphael Gallais-Pou <rgallaispou@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/c28f0dcb6a4526721d83ba1f659bba30564d3d54.1732087094.git.xiaopei01@kylinos.cn
+Signed-off-by: Raphael Gallais-Pou <raphael.gallais-pou@foss.st.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/sti/sti_mixer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/sti/sti_mixer.c b/drivers/gpu/drm/sti/sti_mixer.c
+index 7e5f14646625b..06c1b81912f79 100644
+--- a/drivers/gpu/drm/sti/sti_mixer.c
++++ b/drivers/gpu/drm/sti/sti_mixer.c
+@@ -137,7 +137,7 @@ static void mixer_dbg_crb(struct seq_file *s, int val)
+ }
+ }
+
+-static void mixer_dbg_mxn(struct seq_file *s, void *addr)
++static void mixer_dbg_mxn(struct seq_file *s, void __iomem *addr)
+ {
+ int i;
+
+--
+2.43.0
+
--- /dev/null
+From 95eb5cf9a46206a46f4ea01452566b78d9ea9434 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2024 09:28:31 -0300
+Subject: drm/v3d: Enable Performance Counters before clearing them
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+[ Upstream commit c98b10496b2f3c4f576af3482c71aadcfcbf765e ]
+
+On the Raspberry Pi 5, performance counters are not being cleared
+when `v3d_perfmon_start()` is called, even though we write to the
+CLR register. As a result, their values accumulate until they
+overflow.
+
+The expected behavior is for performance counters to reset to zero
+at the start of a job. When the job finishes and the perfmon is
+stopped, the counters should accurately reflect the values for that
+specific job.
+
+To ensure this behavior, the performance counters are now enabled
+before being cleared. This allows the CLR register to function as
+intended, zeroing the counter values when the job begins.
+
+Fixes: 26a4dc29b74a ("drm/v3d: Expose performance counters to userspace")
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Reviewed-by: Iago Toral Quiroga <itoral@igalia.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20241204122831.17015-1-mcanal@igalia.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/v3d/v3d_perfmon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/v3d/v3d_perfmon.c b/drivers/gpu/drm/v3d/v3d_perfmon.c
+index 73b9c92dc0fc5..141b8abf08629 100644
+--- a/drivers/gpu/drm/v3d/v3d_perfmon.c
++++ b/drivers/gpu/drm/v3d/v3d_perfmon.c
+@@ -51,9 +51,9 @@ void v3d_perfmon_start(struct v3d_dev *v3d, struct v3d_perfmon *perfmon)
+ V3D_CORE_WRITE(0, V3D_V4_PCTR_0_SRC_X(source), channel);
+ }
+
++ V3D_CORE_WRITE(0, V3D_V4_PCTR_0_EN, mask);
+ V3D_CORE_WRITE(0, V3D_V4_PCTR_0_CLR, mask);
+ V3D_CORE_WRITE(0, V3D_PCTR_0_OVERFLOW, mask);
+- V3D_CORE_WRITE(0, V3D_V4_PCTR_0_EN, mask);
+
+ v3d->active_perfmon = perfmon;
+ }
+--
+2.43.0
+
--- /dev/null
+From b7a667ba6efa372d85f0a7814880b3c3b5cbab06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Nov 2024 22:25:07 +0100
+Subject: iio: magnetometer: yas530: use signed integer type for clamp limits
+
+From: Jakob Hauser <jahau@rocketmail.com>
+
+[ Upstream commit f1ee5483e40881d8ad5a63aa148b753b5c6a839b ]
+
+In the function yas537_measure() there is a clamp_val() with limits of
+-BIT(13) and BIT(13) - 1. The input clamp value h[] is of type s32. The
+BIT() is of type unsigned long integer due to its define in
+include/vdso/bits.h. The lower limit -BIT(13) is recognized as -8192 but
+expressed as an unsigned long integer. The size of an unsigned long
+integer differs between 32-bit and 64-bit architectures. Converting this
+to type s32 may lead to undesired behavior.
+
+Additionally, in the calculation lines h[0], h[1] and h[2] the unsigned
+long integer divisor BIT(13) causes an unsigned division, shifting the
+left-hand side of the equation back and forth, possibly ending up in large
+positive values instead of negative values on 32-bit architectures.
+
+To solve those two issues, declare a signed integer with a value of
+BIT(13).
+
+There is another omission in the clamp line: clamp_val() returns a value
+and it's going nowhere here. Self-assign it to h[i] to make use of the
+clamp macro.
+
+Finally, replace clamp_val() macro by clamp() because after changing the
+limits from type unsigned long integer to signed integer it's fine that
+way.
+
+Link: https://lkml.kernel.org/r/11609b2243c295d65ab4d47e78c239d61ad6be75.1732914810.git.jahau@rocketmail.com
+Fixes: 65f79b501030 ("iio: magnetometer: yas530: Add YAS537 variant")
+Signed-off-by: Jakob Hauser <jahau@rocketmail.com>
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202411230458.dhZwh3TT-lkp@intel.com/
+Closes: https://lore.kernel.org/oe-kbuild-all/202411282222.oF0B4110-lkp@intel.com/
+Reviewed-by: David Laight <david.laight@aculab.com>
+Acked-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Cc: Lars-Peter Clausen <lars@metafoo.de>
+Cc: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/magnetometer/yamaha-yas530.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/iio/magnetometer/yamaha-yas530.c b/drivers/iio/magnetometer/yamaha-yas530.c
+index c5e485bfc6fc0..0b6cabc7501bb 100644
+--- a/drivers/iio/magnetometer/yamaha-yas530.c
++++ b/drivers/iio/magnetometer/yamaha-yas530.c
+@@ -372,6 +372,7 @@ static int yas537_measure(struct yas5xx *yas5xx, u16 *t, u16 *x, u16 *y1, u16 *y
+ u8 data[8];
+ u16 xy1y2[3];
+ s32 h[3], s[3];
++ int half_range = BIT(13);
+ int i, ret;
+
+ mutex_lock(&yas5xx->lock);
+@@ -406,13 +407,13 @@ static int yas537_measure(struct yas5xx *yas5xx, u16 *t, u16 *x, u16 *y1, u16 *y
+ /* The second version of YAS537 needs to include calibration coefficients */
+ if (yas5xx->version == YAS537_VERSION_1) {
+ for (i = 0; i < 3; i++)
+- s[i] = xy1y2[i] - BIT(13);
+- h[0] = (c->k * (128 * s[0] + c->a2 * s[1] + c->a3 * s[2])) / BIT(13);
+- h[1] = (c->k * (c->a4 * s[0] + c->a5 * s[1] + c->a6 * s[2])) / BIT(13);
+- h[2] = (c->k * (c->a7 * s[0] + c->a8 * s[1] + c->a9 * s[2])) / BIT(13);
++ s[i] = xy1y2[i] - half_range;
++ h[0] = (c->k * (128 * s[0] + c->a2 * s[1] + c->a3 * s[2])) / half_range;
++ h[1] = (c->k * (c->a4 * s[0] + c->a5 * s[1] + c->a6 * s[2])) / half_range;
++ h[2] = (c->k * (c->a7 * s[0] + c->a8 * s[1] + c->a9 * s[2])) / half_range;
+ for (i = 0; i < 3; i++) {
+- clamp_val(h[i], -BIT(13), BIT(13) - 1);
+- xy1y2[i] = h[i] + BIT(13);
++ h[i] = clamp(h[i], -half_range, half_range - 1);
++ xy1y2[i] = h[i] + half_range;
+ }
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 3de5e30af2ac76595220706e83535ede0f2da534 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Nov 2024 22:28:34 +0900
+Subject: ocfs2: free inode when ocfs2_get_init_inode() fails
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit 965b5dd1894f4525f38c1b5f99b0106a07dbb5db ]
+
+syzbot is reporting busy inodes after unmount, for commit 9c89fe0af826
+("ocfs2: Handle error from dquot_initialize()") forgot to call iput() when
+new_inode() succeeded and dquot_initialize() failed.
+
+Link: https://lkml.kernel.org/r/e68c0224-b7c6-4784-b4fa-a9fc8c675525@I-love.SAKURA.ne.jp
+Fixes: 9c89fe0af826 ("ocfs2: Handle error from dquot_initialize()")
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: syzbot+0af00f6a2cba2058b5db@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=0af00f6a2cba2058b5db
+Tested-by: syzbot+0af00f6a2cba2058b5db@syzkaller.appspotmail.com
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/namei.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ocfs2/namei.c b/fs/ocfs2/namei.c
+index 21b3d5b9be603..4e6d8a3f727df 100644
+--- a/fs/ocfs2/namei.c
++++ b/fs/ocfs2/namei.c
+@@ -200,8 +200,10 @@ static struct inode *ocfs2_get_init_inode(struct inode *dir, umode_t mode)
+ mode = mode_strip_sgid(&nop_mnt_idmap, dir, mode);
+ inode_init_owner(&nop_mnt_idmap, inode, dir, mode);
+ status = dquot_initialize(inode);
+- if (status)
++ if (status) {
++ iput(inode);
+ return ERR_PTR(status);
++ }
+
+ return inode;
+ }
+--
+2.43.0
+
--- /dev/null
+From 0287acf80b8cab46771e7893374f523db91bad76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Nov 2024 18:24:06 -0800
+Subject: scatterlist: fix incorrect func name in kernel-doc
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit d89c8ec0546184267cb211b579514ebaf8916100 ]
+
+Fix a kernel-doc warning by making the kernel-doc function description
+match the function name:
+
+include/linux/scatterlist.h:323: warning: expecting prototype for sg_unmark_bus_address(). Prototype was for sg_dma_unmark_bus_address() instead
+
+Link: https://lkml.kernel.org/r/20241130022406.537973-1-rdunlap@infradead.org
+Fixes: 42399301203e ("lib/scatterlist: add flag for indicating P2PDMA segments in an SGL")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Logan Gunthorpe <logang@deltatee.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/scatterlist.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/scatterlist.h b/include/linux/scatterlist.h
+index 77df3d7b18a61..d45529cbd0bd5 100644
+--- a/include/linux/scatterlist.h
++++ b/include/linux/scatterlist.h
+@@ -313,7 +313,7 @@ static inline void sg_dma_mark_bus_address(struct scatterlist *sg)
+ }
+
+ /**
+- * sg_unmark_bus_address - Unmark the scatterlist entry as a bus address
++ * sg_dma_unmark_bus_address - Unmark the scatterlist entry as a bus address
+ * @sg: SG entry
+ *
+ * Description:
+--
+2.43.0
+
--- /dev/null
+From db857f3810f2d9794d960509c2ab5cd12a97dc53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Dec 2024 13:00:45 +0000
+Subject: scsi: scsi_debug: Fix hrtimer support for ndelay
+
+From: John Garry <john.g.garry@oracle.com>
+
+[ Upstream commit 6918141d815acef056a0d10e966a027d869a922d ]
+
+Since commit 771f712ba5b0 ("scsi: scsi_debug: Fix cmd duration
+calculation"), ns_from_boot value is only evaluated in schedule_resp()
+for polled requests.
+
+However, ns_from_boot is also required for hrtimer support for when
+ndelay is less than INCLUSIVE_TIMING_MAX_NS, so fix up the logic to
+decide when to evaluate ns_from_boot.
+
+Fixes: 771f712ba5b0 ("scsi: scsi_debug: Fix cmd duration calculation")
+Signed-off-by: John Garry <john.g.garry@oracle.com>
+Link: https://lore.kernel.org/r/20241202130045.2335194-1-john.g.garry@oracle.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_debug.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c
+index 9c0af50501f9a..841f924746781 100644
+--- a/drivers/scsi/scsi_debug.c
++++ b/drivers/scsi/scsi_debug.c
+@@ -5583,7 +5583,7 @@ static int schedule_resp(struct scsi_cmnd *cmnd, struct sdebug_dev_info *devip,
+ }
+ sd_dp = &sqcp->sd_dp;
+
+- if (polled)
++ if (polled || (ndelay > 0 && ndelay < INCLUSIVE_TIMING_MAX_NS))
+ ns_from_boot = ktime_get_boottime_ns();
+
+ /* one of the resp_*() response functions is called here */
+--
+2.43.0
+
--- /dev/null
+From 63611a6659ebda7d7da600487411ff566a8ccbeb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Nov 2024 18:29:44 +0530
+Subject: scsi: sg: Fix slab-use-after-free read in sg_release()
+
+From: Suraj Sonawane <surajsonawane0215@gmail.com>
+
+[ Upstream commit f10593ad9bc36921f623361c9e3dd96bd52d85ee ]
+
+Fix a use-after-free bug in sg_release(), detected by syzbot with KASAN:
+
+BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30
+kernel/locking/lockdep.c:5838
+__mutex_unlock_slowpath+0xe2/0x750 kernel/locking/mutex.c:912
+sg_release+0x1f4/0x2e0 drivers/scsi/sg.c:407
+
+In sg_release(), the function kref_put(&sfp->f_ref, sg_remove_sfp) is
+called before releasing the open_rel_lock mutex. The kref_put() call may
+decrement the reference count of sfp to zero, triggering its cleanup
+through sg_remove_sfp(). This cleanup includes scheduling deferred work
+via sg_remove_sfp_usercontext(), which ultimately frees sfp.
+
+After kref_put(), sg_release() continues to unlock open_rel_lock and may
+reference sfp or sdp. If sfp has already been freed, this results in a
+slab-use-after-free error.
+
+Move the kref_put(&sfp->f_ref, sg_remove_sfp) call after unlocking the
+open_rel_lock mutex. This ensures:
+
+ - No references to sfp or sdp occur after the reference count is
+ decremented.
+
+ - Cleanup functions such as sg_remove_sfp() and
+ sg_remove_sfp_usercontext() can safely execute without impacting the
+ mutex handling in sg_release().
+
+The fix has been tested and validated by syzbot. This patch closes the
+bug reported at the following syzkaller link and ensures proper
+sequencing of resource cleanup and mutex operations, eliminating the
+risk of use-after-free errors in sg_release().
+
+Reported-by: syzbot+7efb5850a17ba6ce098b@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=7efb5850a17ba6ce098b
+Tested-by: syzbot+7efb5850a17ba6ce098b@syzkaller.appspotmail.com
+Fixes: cc833acbee9d ("sg: O_EXCL and other lock handling")
+Signed-off-by: Suraj Sonawane <surajsonawane0215@gmail.com>
+Link: https://lore.kernel.org/r/20241120125944.88095-1-surajsonawane0215@gmail.com
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/sg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
+index dc9722b290f20..62574886a9111 100644
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -386,7 +386,6 @@ sg_release(struct inode *inode, struct file *filp)
+ SCSI_LOG_TIMEOUT(3, sg_printk(KERN_INFO, sdp, "sg_release\n"));
+
+ mutex_lock(&sdp->open_rel_lock);
+- kref_put(&sfp->f_ref, sg_remove_sfp);
+ sdp->open_cnt--;
+
+ /* possibly many open()s waiting on exlude clearing, start many;
+@@ -398,6 +397,7 @@ sg_release(struct inode *inode, struct file *filp)
+ wake_up_interruptible(&sdp->open_wait);
+ }
+ mutex_unlock(&sdp->open_rel_lock);
++ kref_put(&sfp->f_ref, sg_remove_sfp);
+ return 0;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From b8e11fcd72a1c0ae7f80af3ab88a6cf4de557e91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Nov 2024 17:56:04 +0800
+Subject: scsi: ufs: core: Add ufshcd_send_bsg_uic_cmd() for UFS BSG
+
+From: Ziqi Chen <quic_ziqichen@quicinc.com>
+
+[ Upstream commit 60b4dd1460f6d65739acb0f28d12bd9abaeb34b4 ]
+
+User layer applications can send UIC GET/SET commands via the BSG
+framework, and if the user layer application sends a UIC SET command to the
+PA_PWRMODE attribute, a power mode change shall be initiated in UniPro and
+two interrupts shall be triggered if the power mode is successfully
+changed, i.e., UIC Command Completion interrupt and UIC Power Mode
+interrupt.
+
+The current UFS BSG code calls ufshcd_send_uic_cmd() directly, with which
+the second interrupt, i.e., UIC Power Mode interrupt, shall be treated as
+unhandled interrupt. In addition, after the UIC command is completed, user
+layer application has to poll UniPro and/or M-PHY state machine to confirm
+the power mode change is finished.
+
+Add a new wrapper function ufshcd_send_bsg_uic_cmd() and call it from
+ufs_bsg_request() so that if a UIC SET command is targeting the PA_PWRMODE
+attribute it can be redirected to ufshcd_uic_pwr_ctrl().
+
+Fixes: e77044c5a842 ("scsi: ufs-bsg: Add support for uic commands in ufs_bsg_request()")
+Co-developed-by: Can Guo <quic_cang@quicinc.com>
+Signed-off-by: Can Guo <quic_cang@quicinc.com>
+Signed-off-by: Ziqi Chen <quic_ziqichen@quicinc.com>
+Link: https://lore.kernel.org/r/20241119095613.121385-1-quic_ziqichen@quicinc.com
+Reviewed-by: Bean Huo <beanhuo@micron.com>
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Reviewed-by: Peter Wang <peter.wang@mediatek.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ufs/core/ufs_bsg.c | 2 +-
+ drivers/ufs/core/ufshcd-priv.h | 1 +
+ drivers/ufs/core/ufshcd.c | 36 ++++++++++++++++++++++++++++++++++
+ 3 files changed, 38 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/ufs/core/ufs_bsg.c b/drivers/ufs/core/ufs_bsg.c
+index 374e5aae4e7e8..fec5993c66c39 100644
+--- a/drivers/ufs/core/ufs_bsg.c
++++ b/drivers/ufs/core/ufs_bsg.c
+@@ -170,7 +170,7 @@ static int ufs_bsg_request(struct bsg_job *job)
+ break;
+ case UPIU_TRANSACTION_UIC_CMD:
+ memcpy(&uc, &bsg_request->upiu_req.uc, UIC_CMD_SIZE);
+- ret = ufshcd_send_uic_cmd(hba, &uc);
++ ret = ufshcd_send_bsg_uic_cmd(hba, &uc);
+ if (ret)
+ dev_err(hba->dev, "send uic cmd: error code %d\n", ret);
+
+diff --git a/drivers/ufs/core/ufshcd-priv.h b/drivers/ufs/core/ufshcd-priv.h
+index f42d99ce5bf1e..099a54009a16f 100644
+--- a/drivers/ufs/core/ufshcd-priv.h
++++ b/drivers/ufs/core/ufshcd-priv.h
+@@ -89,6 +89,7 @@ int ufshcd_read_string_desc(struct ufs_hba *hba, u8 desc_index,
+ u8 **buf, bool ascii);
+
+ int ufshcd_send_uic_cmd(struct ufs_hba *hba, struct uic_command *uic_cmd);
++int ufshcd_send_bsg_uic_cmd(struct ufs_hba *hba, struct uic_command *uic_cmd);
+
+ int ufshcd_exec_raw_upiu_cmd(struct ufs_hba *hba,
+ struct utp_upiu_req *req_upiu,
+diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
+index 44b2cd66b8189..f1bb2d5081360 100644
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -4206,6 +4206,42 @@ static int ufshcd_uic_pwr_ctrl(struct ufs_hba *hba, struct uic_command *cmd)
+ return ret;
+ }
+
++/**
++ * ufshcd_send_bsg_uic_cmd - Send UIC commands requested via BSG layer and retrieve the result
++ * @hba: per adapter instance
++ * @uic_cmd: UIC command
++ *
++ * Return: 0 only if success.
++ */
++int ufshcd_send_bsg_uic_cmd(struct ufs_hba *hba, struct uic_command *uic_cmd)
++{
++ int ret;
++
++ if (hba->quirks & UFSHCD_QUIRK_BROKEN_UIC_CMD)
++ return 0;
++
++ ufshcd_hold(hba);
++
++ if (uic_cmd->argument1 == UIC_ARG_MIB(PA_PWRMODE) &&
++ uic_cmd->command == UIC_CMD_DME_SET) {
++ ret = ufshcd_uic_pwr_ctrl(hba, uic_cmd);
++ goto out;
++ }
++
++ mutex_lock(&hba->uic_cmd_mutex);
++ ufshcd_add_delay_before_dme_cmd(hba);
++
++ ret = __ufshcd_send_uic_cmd(hba, uic_cmd);
++ if (!ret)
++ ret = ufshcd_wait_for_uic_cmd(hba, uic_cmd);
++
++ mutex_unlock(&hba->uic_cmd_mutex);
++
++out:
++ ufshcd_release(hba);
++ return ret;
++}
++
+ /**
+ * ufshcd_uic_change_pwr_mode - Perform the UIC power mode chage
+ * using DME_SET primitives.
+--
+2.43.0
+
--- /dev/null
+From 8b1aae30c3e4ce7ae3eb1bb028175c56ee68b6b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Sep 2024 15:30:05 -0700
+Subject: scsi: ufs: core: Always initialize the UIC done completion
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit b1e8c53749adb795bfb0bf4e2f7836e26684bb90 ]
+
+Simplify __ufshcd_send_uic_cmd() by always initializing the
+uic_cmd::done completion. This is fine since the time required to
+initialize a completion is small compared to the time required to
+process an UIC command.
+
+Reviewed-by: Peter Wang <peter.wang@mediatek.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://lore.kernel.org/r/20240912223019.3510966-5-bvanassche@acm.org
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Stable-dep-of: 60b4dd1460f6 ("scsi: ufs: core: Add ufshcd_send_bsg_uic_cmd() for UFS BSG")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ufs/core/ufshcd.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
+index db4044358e22d..44b2cd66b8189 100644
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -2399,13 +2399,11 @@ ufshcd_wait_for_uic_cmd(struct ufs_hba *hba, struct uic_command *uic_cmd)
+ * __ufshcd_send_uic_cmd - Send UIC commands and retrieve the result
+ * @hba: per adapter instance
+ * @uic_cmd: UIC command
+- * @completion: initialize the completion only if this is set to true
+ *
+ * Return: 0 only if success.
+ */
+ static int
+-__ufshcd_send_uic_cmd(struct ufs_hba *hba, struct uic_command *uic_cmd,
+- bool completion)
++__ufshcd_send_uic_cmd(struct ufs_hba *hba, struct uic_command *uic_cmd)
+ {
+ lockdep_assert_held(&hba->uic_cmd_mutex);
+
+@@ -2415,8 +2413,7 @@ __ufshcd_send_uic_cmd(struct ufs_hba *hba, struct uic_command *uic_cmd,
+ return -EIO;
+ }
+
+- if (completion)
+- init_completion(&uic_cmd->done);
++ init_completion(&uic_cmd->done);
+
+ uic_cmd->cmd_active = 1;
+ ufshcd_dispatch_uic_cmd(hba, uic_cmd);
+@@ -2442,7 +2439,7 @@ int ufshcd_send_uic_cmd(struct ufs_hba *hba, struct uic_command *uic_cmd)
+ mutex_lock(&hba->uic_cmd_mutex);
+ ufshcd_add_delay_before_dme_cmd(hba);
+
+- ret = __ufshcd_send_uic_cmd(hba, uic_cmd, true);
++ ret = __ufshcd_send_uic_cmd(hba, uic_cmd);
+ if (!ret)
+ ret = ufshcd_wait_for_uic_cmd(hba, uic_cmd);
+
+@@ -4154,7 +4151,7 @@ static int ufshcd_uic_pwr_ctrl(struct ufs_hba *hba, struct uic_command *cmd)
+ reenable_intr = true;
+ }
+ spin_unlock_irqrestore(hba->host->host_lock, flags);
+- ret = __ufshcd_send_uic_cmd(hba, cmd, false);
++ ret = __ufshcd_send_uic_cmd(hba, cmd);
+ if (ret) {
+ dev_err(hba->dev,
+ "pwr ctrl cmd 0x%x with mode 0x%x uic error %d\n",
+--
+2.43.0
+
i3c-master-fix-dynamic-address-leak-when-assigned-ad.patch
drm-bridge-it6505-update-usleep_range-for-rc-circuit.patch
drm-bridge-it6505-fix-inverted-reset-polarity.patch
+scsi-ufs-core-always-initialize-the-uic-done-complet.patch
+scsi-ufs-core-add-ufshcd_send_bsg_uic_cmd-for-ufs-bs.patch
+bpf-vsock-fix-poll-missing-a-queue.patch
+bpf-vsock-invoke-proto-close-on-close.patch
+xsk-always-clear-dma-mapping-information-when-unmapp.patch
+bpftool-fix-potential-null-pointer-dereferencing-in-.patch
+drm-sti-add-__iomem-for-mixer_dbg_mxn-s-parameter.patch
+tcp_bpf-fix-the-sk_mem_uncharge-logic-in-tcp_bpf_sen.patch
+alsa-seq-ump-use-automatic-cleanup-of-kfree.patch
+alsa-ump-update-substream-name-from-assigned-fb-name.patch
+alsa-seq-ump-fix-seq-port-updates-per-fb-info-notify.patch
+alsa-usb-audio-notify-xrun-for-low-latency-mode.patch
+tools-override-makefile-arch-variable-if-defined-but.patch
+spi-mpc52xx-add-cancel_work_sync-before-module-remov.patch
+asoc-sof-ipc3-topology-convert-the-topology-pin-inde.patch
+asoc-sof-ipc3-topology-fix-resource-leaks-in-sof_ipc.patch
+bpf-fix-narrow-scalar-spill-onto-64-bit-spilled-scal.patch
+scsi-sg-fix-slab-use-after-free-read-in-sg_release.patch
+scsi-scsi_debug-fix-hrtimer-support-for-ndelay.patch
+asoc-mediatek-mt8188-mt6359-remove-hardcoded-dmic-co.patch
+drm-v3d-enable-performance-counters-before-clearing-.patch
+ocfs2-free-inode-when-ocfs2_get_init_inode-fails.patch
+scatterlist-fix-incorrect-func-name-in-kernel-doc.patch
+iio-magnetometer-yas530-use-signed-integer-type-for-.patch
+bpf-handle-bpf_exist-and-bpf_noexist-for-lpm-trie.patch
+bpf-remove-unnecessary-kfree-im_node-in-lpm_trie_upd.patch
+bpf-handle-in-place-update-for-full-lpm-trie-correct.patch
+bpf-fix-exact-match-conditions-in-trie_get_next_key.patch
+x86-cpu-amd-warn-when-setting-efer.autoibrs-if-and-o.patch
--- /dev/null
+From a94f63e9e87573ccbcd649689b0e00559ac05f0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Nov 2024 16:38:17 +0800
+Subject: spi: mpc52xx: Add cancel_work_sync before module remove
+
+From: Pei Xiao <xiaopei01@kylinos.cn>
+
+[ Upstream commit 984836621aad98802d92c4a3047114cf518074c8 ]
+
+If we remove the module which will call mpc52xx_spi_remove
+it will free 'ms' through spi_unregister_controller.
+while the work ms->work will be used. The sequence of operations
+that may lead to a UAF bug.
+
+Fix it by ensuring that the work is canceled before proceeding with
+the cleanup in mpc52xx_spi_remove.
+
+Fixes: ca632f556697 ("spi: reorganize drivers")
+Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
+Link: https://patch.msgid.link/1f16f8ae0e50ca9adb1dc849bf2ac65a40c9ceb9.1732783000.git.xiaopei01@kylinos.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-mpc52xx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/spi/spi-mpc52xx.c b/drivers/spi/spi-mpc52xx.c
+index ab7df5f64342a..b8e2d9263fc88 100644
+--- a/drivers/spi/spi-mpc52xx.c
++++ b/drivers/spi/spi-mpc52xx.c
+@@ -519,6 +519,7 @@ static void mpc52xx_spi_remove(struct platform_device *op)
+ struct mpc52xx_spi *ms = spi_master_get_devdata(master);
+ int i;
+
++ cancel_work_sync(&ms->work);
+ free_irq(ms->irq0, ms);
+ free_irq(ms->irq1, ms);
+
+--
+2.43.0
+
--- /dev/null
+From 7cdd4ba13f2d8367a4a78ecb6e67ee5a837140ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Oct 2024 23:48:38 +0000
+Subject: tcp_bpf: Fix the sk_mem_uncharge logic in tcp_bpf_sendmsg
+
+From: Zijian Zhang <zijianzhang@bytedance.com>
+
+[ Upstream commit ca70b8baf2bd125b2a4d96e76db79375c07d7ff2 ]
+
+The current sk memory accounting logic in __SK_REDIRECT is pre-uncharging
+tosend bytes, which is either msg->sg.size or a smaller value apply_bytes.
+
+Potential problems with this strategy are as follows:
+
+- If the actual sent bytes are smaller than tosend, we need to charge some
+ bytes back, as in line 487, which is okay but seems not clean.
+
+- When tosend is set to apply_bytes, as in line 417, and (ret < 0), we may
+ miss uncharging (msg->sg.size - apply_bytes) bytes.
+
+[...]
+415 tosend = msg->sg.size;
+416 if (psock->apply_bytes && psock->apply_bytes < tosend)
+417 tosend = psock->apply_bytes;
+[...]
+443 sk_msg_return(sk, msg, tosend);
+444 release_sock(sk);
+446 origsize = msg->sg.size;
+447 ret = tcp_bpf_sendmsg_redir(sk_redir, redir_ingress,
+448 msg, tosend, flags);
+449 sent = origsize - msg->sg.size;
+[...]
+454 lock_sock(sk);
+455 if (unlikely(ret < 0)) {
+456 int free = sk_msg_free_nocharge(sk, msg);
+458 if (!cork)
+459 *copied -= free;
+460 }
+[...]
+487 if (eval == __SK_REDIRECT)
+488 sk_mem_charge(sk, tosend - sent);
+[...]
+
+When running the selftest test_txmsg_redir_wait_sndmem with txmsg_apply,
+the following warning will be reported:
+
+------------[ cut here ]------------
+WARNING: CPU: 6 PID: 57 at net/ipv4/af_inet.c:156 inet_sock_destruct+0x190/0x1a0
+Modules linked in:
+CPU: 6 UID: 0 PID: 57 Comm: kworker/6:0 Not tainted 6.12.0-rc1.bm.1-amd64+ #43
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
+Workqueue: events sk_psock_destroy
+RIP: 0010:inet_sock_destruct+0x190/0x1a0
+RSP: 0018:ffffad0a8021fe08 EFLAGS: 00010206
+RAX: 0000000000000011 RBX: ffff9aab4475b900 RCX: ffff9aab481a0800
+RDX: 0000000000000303 RSI: 0000000000000011 RDI: ffff9aab4475b900
+RBP: ffff9aab4475b990 R08: 0000000000000000 R09: ffff9aab40050ec0
+R10: 0000000000000000 R11: ffff9aae6fdb1d01 R12: ffff9aab49c60400
+R13: ffff9aab49c60598 R14: ffff9aab49c60598 R15: dead000000000100
+FS: 0000000000000000(0000) GS:ffff9aae6fd80000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007ffec7e47bd8 CR3: 00000001a1a1c004 CR4: 0000000000770ef0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+PKRU: 55555554
+Call Trace:
+<TASK>
+? __warn+0x89/0x130
+? inet_sock_destruct+0x190/0x1a0
+? report_bug+0xfc/0x1e0
+? handle_bug+0x5c/0xa0
+? exc_invalid_op+0x17/0x70
+? asm_exc_invalid_op+0x1a/0x20
+? inet_sock_destruct+0x190/0x1a0
+__sk_destruct+0x25/0x220
+sk_psock_destroy+0x2b2/0x310
+process_scheduled_works+0xa3/0x3e0
+worker_thread+0x117/0x240
+? __pfx_worker_thread+0x10/0x10
+kthread+0xcf/0x100
+? __pfx_kthread+0x10/0x10
+ret_from_fork+0x31/0x40
+? __pfx_kthread+0x10/0x10
+ret_from_fork_asm+0x1a/0x30
+</TASK>
+---[ end trace 0000000000000000 ]---
+
+In __SK_REDIRECT, a more concise way is delaying the uncharging after sent
+bytes are finalized, and uncharge this value. When (ret < 0), we shall
+invoke sk_msg_free.
+
+Same thing happens in case __SK_DROP, when tosend is set to apply_bytes,
+we may miss uncharging (msg->sg.size - apply_bytes) bytes. The same
+warning will be reported in selftest.
+
+[...]
+468 case __SK_DROP:
+469 default:
+470 sk_msg_free_partial(sk, msg, tosend);
+471 sk_msg_apply_bytes(psock, tosend);
+472 *copied -= (tosend + delta);
+473 return -EACCES;
+[...]
+
+So instead of sk_msg_free_partial we can do sk_msg_free here.
+
+Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface")
+Fixes: 8ec95b94716a ("bpf, sockmap: Fix the sk->sk_forward_alloc warning of sk_stream_kill_queues")
+Signed-off-by: Zijian Zhang <zijianzhang@bytedance.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Link: https://lore.kernel.org/bpf/20241016234838.3167769-3-zijianzhang@bytedance.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_bpf.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
+index 915286c3615a2..0a42d73c0850e 100644
+--- a/net/ipv4/tcp_bpf.c
++++ b/net/ipv4/tcp_bpf.c
+@@ -441,7 +441,6 @@ static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock,
+ cork = true;
+ psock->cork = NULL;
+ }
+- sk_msg_return(sk, msg, tosend);
+ release_sock(sk);
+
+ origsize = msg->sg.size;
+@@ -453,8 +452,9 @@ static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock,
+ sock_put(sk_redir);
+
+ lock_sock(sk);
++ sk_mem_uncharge(sk, sent);
+ if (unlikely(ret < 0)) {
+- int free = sk_msg_free_nocharge(sk, msg);
++ int free = sk_msg_free(sk, msg);
+
+ if (!cork)
+ *copied -= free;
+@@ -468,7 +468,7 @@ static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock,
+ break;
+ case __SK_DROP:
+ default:
+- sk_msg_free_partial(sk, msg, tosend);
++ sk_msg_free(sk, msg);
+ sk_msg_apply_bytes(psock, tosend);
+ *copied -= (tosend + delta);
+ return -EACCES;
+@@ -484,11 +484,8 @@ static int tcp_bpf_send_verdict(struct sock *sk, struct sk_psock *psock,
+ }
+ if (msg &&
+ msg->sg.data[msg->sg.start].page_link &&
+- msg->sg.data[msg->sg.start].length) {
+- if (eval == __SK_REDIRECT)
+- sk_mem_charge(sk, tosend - sent);
++ msg->sg.data[msg->sg.start].length)
+ goto more_data;
+- }
+ }
+ return ret;
+ }
+--
+2.43.0
+
--- /dev/null
+From 524c3b46cdb2975ea3881e5c136c716ba81ed973 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Nov 2024 11:17:46 +0100
+Subject: tools: Override makefile ARCH variable if defined, but empty
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Björn Töpel <bjorn@rivosinc.com>
+
+[ Upstream commit 537a2525eaf76ea9b0dca62b994500d8670b39d5 ]
+
+There are a number of tools (bpftool, selftests), that require a
+"bootstrap" build. Here, a bootstrap build is a build host variant of
+a target. E.g., assume that you're performing a bpftool cross-build on
+x86 to riscv, a bootstrap build would then be an x86 variant of
+bpftool. The typical way to perform the host build variant, is to pass
+"ARCH=" in a sub-make. However, if a variable has been set with a
+command argument, then ordinary assignments in the makefile are
+ignored.
+
+This side-effect results in that ARCH, and variables depending on ARCH
+are not set. Workaround by overriding ARCH to the host arch, if ARCH
+is empty.
+
+Fixes: 8859b0da5aac ("tools/bpftool: Fix cross-build")
+Signed-off-by: Björn Töpel <bjorn@rivosinc.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Tested-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Reviewed-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
+Reviewed-by: Namhyung Kim <namhyung@kernel.org>
+Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Acked-by: Quentin Monnet <qmo@kernel.org>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Link: https://lore.kernel.org/bpf/20241127101748.165693-1-bjorn@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/scripts/Makefile.arch | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/scripts/Makefile.arch b/tools/scripts/Makefile.arch
+index f6a50f06dfc45..eabfe9f411d91 100644
+--- a/tools/scripts/Makefile.arch
++++ b/tools/scripts/Makefile.arch
+@@ -7,8 +7,8 @@ HOSTARCH := $(shell uname -m | sed -e s/i.86/x86/ -e s/x86_64/x86/ \
+ -e s/sh[234].*/sh/ -e s/aarch64.*/arm64/ \
+ -e s/riscv.*/riscv/ -e s/loongarch.*/loongarch/)
+
+-ifndef ARCH
+-ARCH := $(HOSTARCH)
++ifeq ($(strip $(ARCH)),)
++override ARCH := $(HOSTARCH)
+ endif
+
+ SRCARCH := $(ARCH)
+--
+2.43.0
+
--- /dev/null
+From 3d30b30f731b3d19bbc80129460575e7bdd7ff3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2024 08:20:06 -0800
+Subject: x86/CPU/AMD: WARN when setting EFER.AUTOIBRS if and only if the WRMSR
+ fails
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit 492077668fb453b8b16c842fcf3fafc2ebc190e9 ]
+
+When ensuring EFER.AUTOIBRS is set, WARN only on a negative return code
+from msr_set_bit(), as '1' is used to indicate the WRMSR was successful
+('0' indicates the MSR bit was already set).
+
+Fixes: 8cc68c9c9e92 ("x86/CPU/AMD: Make sure EFER[AIBRSE] is set")
+Reported-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://lore.kernel.org/r/Z1MkNofJjt7Oq0G6@google.com
+Closes: https://lore.kernel.org/all/20241205220604.GA2054199@thelio-3990X
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/amd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
+index 145c81c68394b..9413fb767c6a7 100644
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -1205,7 +1205,7 @@ static void init_amd(struct cpuinfo_x86 *c)
+ */
+ if (spectre_v2_in_eibrs_mode(spectre_v2_enabled) &&
+ cpu_has(c, X86_FEATURE_AUTOIBRS))
+- WARN_ON_ONCE(msr_set_bit(MSR_EFER, _EFER_AUTOIBRS));
++ WARN_ON_ONCE(msr_set_bit(MSR_EFER, _EFER_AUTOIBRS) < 0);
+
+ if (!cpu_has(c, X86_FEATURE_HYPERVISOR) &&
+ cpu_has_amd_erratum(c, amd_erratum_1485))
+--
+2.43.0
+
--- /dev/null
+From b3574a56697a4dade9a70f24c4b62a4292a9b841 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Nov 2024 12:29:09 +0100
+Subject: xsk: always clear DMA mapping information when unmapping the pool
+
+From: Larysa Zaremba <larysa.zaremba@intel.com>
+
+[ Upstream commit ac9a48a6f1610b094072b815e884e1668aea4401 ]
+
+When the umem is shared, the DMA mapping is also shared between the xsk
+pools, therefore it should stay valid as long as at least 1 user remains.
+However, the pool also keeps the copies of DMA-related information that are
+initialized in the same way in xp_init_dma_info(), but cleared by
+xp_dma_unmap() only for the last remaining pool, this causes the problems
+below.
+
+The first one is that the commit adbf5a42341f ("ice: remove af_xdp_zc_qps
+bitmap") relies on pool->dev to determine the presence of a ZC pool on a
+given queue, avoiding internal bookkeeping. This works perfectly fine if
+the UMEM is not shared, but reliably fails otherwise as stated in the
+linked report.
+
+The second one is pool->dma_pages which is dynamically allocated and
+only freed in xp_dma_unmap(), this leads to a small memory leak. kmemleak
+does not catch it, but by printing the allocation results after terminating
+the userspace program it is possible to see that all addresses except the
+one belonging to the last detached pool are still accessible through the
+kmemleak dump functionality.
+
+Always clear the DMA mapping information from the pool and free
+pool->dma_pages when unmapping the pool, so that the only difference
+between results of the last remaining user's call and the ones before would
+be the destruction of the DMA mapping.
+
+Fixes: adbf5a42341f ("ice: remove af_xdp_zc_qps bitmap")
+Fixes: 921b68692abb ("xsk: Enable sharing of dma mappings")
+Reported-by: Alasdair McWilliam <alasdair.mcwilliam@outlook.com>
+Closes: https://lore.kernel.org/PA4P194MB10056F208AF221D043F57A3D86512@PA4P194MB1005.EURP194.PROD.OUTLOOK.COM
+Acked-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Signed-off-by: Larysa Zaremba <larysa.zaremba@intel.com>
+Link: https://lore.kernel.org/r/20241122112912.89881-1-larysa.zaremba@intel.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xdp/xsk_buff_pool.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/net/xdp/xsk_buff_pool.c b/net/xdp/xsk_buff_pool.c
+index b0a611677865d..f38388b6b62c2 100644
+--- a/net/xdp/xsk_buff_pool.c
++++ b/net/xdp/xsk_buff_pool.c
+@@ -369,10 +369,9 @@ void xp_dma_unmap(struct xsk_buff_pool *pool, unsigned long attrs)
+ return;
+ }
+
+- if (!refcount_dec_and_test(&dma_map->users))
+- return;
++ if (refcount_dec_and_test(&dma_map->users))
++ __xp_dma_unmap(dma_map, attrs);
+
+- __xp_dma_unmap(dma_map, attrs);
+ kvfree(pool->dma_pages);
+ pool->dma_pages = NULL;
+ pool->dma_pages_cnt = 0;
+--
+2.43.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
