Fixes for 5.4
authorSasha Levin <sashal@kernel.org>
Sun, 3 Dec 2023 20:07:05 +0000 (15:07 -0500)
committerSasha Levin <sashal@kernel.org>
Sun, 3 Dec 2023 20:07:05 +0000 (15:07 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
28 files changed:
queue-5.4/arm64-kconfig-add-a-choice-for-endianness.patch [new file with mode: 0644]
queue-5.4/arm64-make-cpu_big_endian-depend-on-ld.bfd-or-ld.lld.patch [new file with mode: 0644]
queue-5.4/arm64-restrict-cpu_big_endian-to-gnu-as-or-llvm-ias-.patch [new file with mode: 0644]
queue-5.4/cpufreq-imx6q-don-t-disable-792-mhz-opp-unnecessaril.patch [new file with mode: 0644]
queue-5.4/cpufreq-imx6q-don-t-warn-for-disabling-a-non-existin.patch [new file with mode: 0644]
queue-5.4/ext4-improve-write-performance-with-disabled-delallo.patch [new file with mode: 0644]
queue-5.4/ext4-mark-buffer-new-if-it-is-unwritten-to-avoid-sta.patch [new file with mode: 0644]
queue-5.4/fbdev-stifb-make-the-sti-next-font-pointer-a-32-bit-.patch [new file with mode: 0644]
queue-5.4/ima-annotate-iint-mutex-to-avoid-lockdep-false-posit.patch [new file with mode: 0644]
queue-5.4/ima-detect-changes-to-the-backing-overlay-file.patch [new file with mode: 0644]
queue-5.4/ipv4-igmp-fix-refcnt-uaf-issue-when-receiving-igmp-q.patch [new file with mode: 0644]
queue-5.4/mtd-cfi_cmdset_0001-byte-swap-otp-info.patch [new file with mode: 0644]
queue-5.4/mtd-cfi_cmdset_0001-support-the-absence-of-protectio.patch [new file with mode: 0644]
queue-5.4/net-ravb-start-tx-queues-after-hw-initialization-suc.patch [new file with mode: 0644]
queue-5.4/net-ravb-use-pm_runtime_resume_and_get.patch [new file with mode: 0644]
queue-5.4/net-stmmac-xgmac-disable-fpe-mmc-interrupts.patch [new file with mode: 0644]
queue-5.4/ovl-skip-overlayfs-superblocks-at-global-sync.patch [new file with mode: 0644]
queue-5.4/perf-intel-pt-adjust-sample-flags-for-vm-exit.patch [new file with mode: 0644]
queue-5.4/perf-intel-pt-fix-async-branch-flags.patch [new file with mode: 0644]
queue-5.4/ravb-fix-races-between-ravb_tx_timeout_work-and-net-.patch [new file with mode: 0644]
queue-5.4/s390-cmma-fix-detection-of-dat-pages.patch [new file with mode: 0644]
queue-5.4/s390-mm-fix-phys-vs-virt-confusion-in-mark_kernel_px.patch [new file with mode: 0644]
queue-5.4/scsi-core-introduce-the-scsi_cmd_to_rq-function.patch [new file with mode: 0644]
queue-5.4/scsi-qla2xxx-fix-system-crash-due-to-bad-pointer-acc.patch [new file with mode: 0644]
queue-5.4/scsi-qla2xxx-simplify-the-code-for-aborting-scsi-com.patch [new file with mode: 0644]
queue-5.4/scsi-qla2xxx-use-scsi_cmd_to_rq-instead-of-scsi_cmnd.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/smb3-fix-touch-h-of-symlink.patch [new file with mode: 0644]

diff --git a/queue-5.4/arm64-kconfig-add-a-choice-for-endianness.patch b/queue-5.4/arm64-kconfig-add-a-choice-for-endianness.patch
new file mode 100644 (file)
index 0000000..434ab5d
--- /dev/null
@@ -0,0 +1,63 @@
+From 7804e84316eab278104f4a13bdc6a519fcef4ab3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Nov 2019 10:26:52 +0100
+Subject: arm64: Kconfig: add a choice for endianness
+
+From: Anders Roxell <anders.roxell@linaro.org>
+
+[ Upstream commit d8e85e144bbe12e8d82c6b05d690a34da62cc991 ]
+
+When building allmodconfig KCONFIG_ALLCONFIG=$(pwd)/arch/arm64/configs/defconfig
+CONFIG_CPU_BIG_ENDIAN gets enabled. Which tends not to be what most
+people want. Another concern that has come up is that ACPI isn't built
+for an allmodconfig kernel today since that also depends on !CPU_BIG_ENDIAN.
+
+Rework so that we introduce a 'choice' and default the choice to
+CPU_LITTLE_ENDIAN. That means that when we build an allmodconfig kernel
+it will default to CPU_LITTLE_ENDIAN that most people tends to want.
+
+Reviewed-by: John Garry <john.garry@huawei.com>
+Acked-by: Will Deacon <will@kernel.org>
+Signed-off-by: Anders Roxell <anders.roxell@linaro.org>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Stable-dep-of: 146a15b87335 ("arm64: Restrict CPU_BIG_ENDIAN to GNU as or LLVM IAS 15.x or newer")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/Kconfig | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index 384b1bf56667c..185262e0e1da3 100644
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -877,10 +877,26 @@ config ARM64_PA_BITS
+       default 48 if ARM64_PA_BITS_48
+       default 52 if ARM64_PA_BITS_52
++choice
++      prompt "Endianness"
++      default CPU_LITTLE_ENDIAN
++      help
++        Select the endianness of data accesses performed by the CPU. Userspace
++        applications will need to be compiled and linked for the endianness
++        that is selected here.
++
+ config CPU_BIG_ENDIAN
+        bool "Build big-endian kernel"
+        help
+-         Say Y if you plan on running a kernel in big-endian mode.
++        Say Y if you plan on running a kernel with a big-endian userspace.
++
++config CPU_LITTLE_ENDIAN
++      bool "Build little-endian kernel"
++      help
++        Say Y if you plan on running a kernel with a little-endian userspace.
++        This is usually the case for distributions targeting arm64.
++
++endchoice
+ config SCHED_MC
+       bool "Multi-core scheduler support"
+-- 
+2.42.0
+
diff --git a/queue-5.4/arm64-make-cpu_big_endian-depend-on-ld.bfd-or-ld.lld.patch b/queue-5.4/arm64-make-cpu_big_endian-depend-on-ld.bfd-or-ld.lld.patch
new file mode 100644 (file)
index 0000000..60466b6
--- /dev/null
@@ -0,0 +1,59 @@
+From 3012012bdce962b1e725e342cc20b11244403591 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Feb 2021 17:57:20 -0700
+Subject: arm64: Make CPU_BIG_ENDIAN depend on ld.bfd or ld.lld 13.0.0+
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit e9c6deee00e9197e75cd6aa0d265d3d45bd7cc28 ]
+
+Similar to commit 28187dc8ebd9 ("ARM: 9025/1: Kconfig: CPU_BIG_ENDIAN
+depends on !LD_IS_LLD"), ld.lld prior to 13.0.0 does not properly
+support aarch64 big endian, leading to the following build error when
+CONFIG_CPU_BIG_ENDIAN is selected:
+
+ld.lld: error: unknown emulation: aarch64linuxb
+
+This has been resolved in LLVM 13. To avoid errors like this, only allow
+CONFIG_CPU_BIG_ENDIAN to be selected if using ld.bfd or ld.lld 13.0.0
+and newer.
+
+While we are here, the indentation of this symbol used spaces since its
+introduction in commit a872013d6d03 ("arm64: kconfig: allow
+CPU_BIG_ENDIAN to be selected"). Change it to tabs to be consistent with
+kernel coding style.
+
+Link: https://github.com/ClangBuiltLinux/linux/issues/380
+Link: https://github.com/ClangBuiltLinux/linux/issues/1288
+Link: https://github.com/llvm/llvm-project/commit/7605a9a009b5fa3bdac07e3131c8d82f6d08feb7
+Link: https://github.com/llvm/llvm-project/commit/eea34aae2e74e9b6fbdd5b95f479bc7f397bf387
+Reported-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Link: https://lore.kernel.org/r/20210209005719.803608-1-nathan@kernel.org
+Signed-off-by: Will Deacon <will@kernel.org>
+Stable-dep-of: 146a15b87335 ("arm64: Restrict CPU_BIG_ENDIAN to GNU as or LLVM IAS 15.x or newer")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/Kconfig | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index 185262e0e1da3..306772b7de5fc 100644
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -886,8 +886,9 @@ choice
+         that is selected here.
+ config CPU_BIG_ENDIAN
+-       bool "Build big-endian kernel"
+-       help
++      bool "Build big-endian kernel"
++      depends on !LD_IS_LLD || LLD_VERSION >= 130000
++      help
+         Say Y if you plan on running a kernel with a big-endian userspace.
+ config CPU_LITTLE_ENDIAN
+-- 
+2.42.0
+
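Review bot: The new `depends on !LD_IS_LLD || LLD_VERSION >= 130000` only restricts anything if the 5.4 tree defines `LD_IS_LLD` and `LLD_VERSION`, and nothing on this page shows that it does. The same applies to `depends on AS_IS_GNU || AS_VERSION >= 150000` in the following queue-5.4/arm64-restrict-cpu_big_endian-to-gnu-as-or-llvm-ias-.patch, where, per its commit message, the guard is what keeps a mis-assembling toolchain from building a kernel that can corrupt FPSIMD state. If those symbols are missing in this branch, Kconfig evaluates the expressions without any real linker or assembler information, so the backport should either carry the prerequisite symbol definitions or be adapted. A quick check is to configure arm64 with each toolchain combination and confirm that CPU_BIG_ENDIAN is offered or hidden as the two commit messages describe.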
diff --git a/queue-5.4/arm64-restrict-cpu_big_endian-to-gnu-as-or-llvm-ias-.patch b/queue-5.4/arm64-restrict-cpu_big_endian-to-gnu-as-or-llvm-ias-.patch
new file mode 100644 (file)
index 0000000..72b64fe
--- /dev/null
@@ -0,0 +1,94 @@
+From 85f92e443bd225e10b31d0034d1e743620e5c6c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Oct 2023 10:21:28 -0700
+Subject: arm64: Restrict CPU_BIG_ENDIAN to GNU as or LLVM IAS 15.x or newer
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+[ Upstream commit 146a15b873353f8ac28dc281c139ff611a3c4848 ]
+
+Prior to LLVM 15.0.0, LLVM's integrated assembler would incorrectly
+byte-swap NOP when compiling for big-endian, and the resulting series of
+bytes happened to match the encoding of FNMADD S21, S30, S0, S0.
+
+This went unnoticed until commit:
+
+  34f66c4c4d5518c1 ("arm64: Use a positive cpucap for FP/SIMD")
+
+Prior to that commit, the kernel would always enable the use of FPSIMD
+early in boot when __cpu_setup() initialized CPACR_EL1, and so usage of
+FNMADD within the kernel was not detected, but could result in the
+corruption of user or kernel FPSIMD state.
+
+After that commit, the instructions happen to trap during boot prior to
+FPSIMD being detected and enabled, e.g.
+
+| Unhandled 64-bit el1h sync exception on CPU0, ESR 0x000000001fe00000 -- ASIMD
+| CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1
+| Hardware name: linux,dummy-virt (DT)
+| pstate: 400000c9 (nZcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+| pc : __pi_strcmp+0x1c/0x150
+| lr : populate_properties+0xe4/0x254
+| sp : ffffd014173d3ad0
+| x29: ffffd014173d3af0 x28: fffffbfffddffcb8 x27: 0000000000000000
+| x26: 0000000000000058 x25: fffffbfffddfe054 x24: 0000000000000008
+| x23: fffffbfffddfe000 x22: fffffbfffddfe000 x21: fffffbfffddfe044
+| x20: ffffd014173d3b70 x19: 0000000000000001 x18: 0000000000000005
+| x17: 0000000000000010 x16: 0000000000000000 x15: 00000000413e7000
+| x14: 0000000000000000 x13: 0000000000001bcc x12: 0000000000000000
+| x11: 00000000d00dfeed x10: ffffd414193f2cd0 x9 : 0000000000000000
+| x8 : 0101010101010101 x7 : ffffffffffffffc0 x6 : 0000000000000000
+| x5 : 0000000000000000 x4 : 0101010101010101 x3 : 000000000000002a
+| x2 : 0000000000000001 x1 : ffffd014171f2988 x0 : fffffbfffddffcb8
+| Kernel panic - not syncing: Unhandled exception
+| CPU: 0 PID: 0 Comm: swapper Not tainted 6.6.0-rc3-00013-g34f66c4c4d55 #1
+| Hardware name: linux,dummy-virt (DT)
+| Call trace:
+|  dump_backtrace+0xec/0x108
+|  show_stack+0x18/0x2c
+|  dump_stack_lvl+0x50/0x68
+|  dump_stack+0x18/0x24
+|  panic+0x13c/0x340
+|  el1t_64_irq_handler+0x0/0x1c
+|  el1_abort+0x0/0x5c
+|  el1h_64_sync+0x64/0x68
+|  __pi_strcmp+0x1c/0x150
+|  unflatten_dt_nodes+0x1e8/0x2d8
+|  __unflatten_device_tree+0x5c/0x15c
+|  unflatten_device_tree+0x38/0x50
+|  setup_arch+0x164/0x1e0
+|  start_kernel+0x64/0x38c
+|  __primary_switched+0xbc/0xc4
+
+Restrict CONFIG_CPU_BIG_ENDIAN to a known good assembler, which is
+either GNU as or LLVM's IAS 15.0.0 and newer, which contains the linked
+commit.
+
+Closes: https://github.com/ClangBuiltLinux/linux/issues/1948
+Link: https://github.com/llvm/llvm-project/commit/1379b150991f70a5782e9a143c2ba5308da1161c
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Cc: stable@vger.kernel.org
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Link: https://lore.kernel.org/r/20231025-disable-arm64-be-ias-b4-llvm-15-v1-1-b25263ed8b23@kernel.org
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/Kconfig | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
+index 306772b7de5fc..b301b591dc35b 100644
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -888,6 +888,8 @@ choice
+ config CPU_BIG_ENDIAN
+       bool "Build big-endian kernel"
+       depends on !LD_IS_LLD || LLD_VERSION >= 130000
++      # https://github.com/llvm/llvm-project/commit/1379b150991f70a5782e9a143c2ba5308da1161c
++      depends on AS_IS_GNU || AS_VERSION >= 150000
+       help
+         Say Y if you plan on running a kernel with a big-endian userspace.
+-- 
+2.42.0
+
diff --git a/queue-5.4/cpufreq-imx6q-don-t-disable-792-mhz-opp-unnecessaril.patch b/queue-5.4/cpufreq-imx6q-don-t-disable-792-mhz-opp-unnecessaril.patch
new file mode 100644 (file)
index 0000000..4d29a5b
--- /dev/null
@@ -0,0 +1,49 @@
+From 5816a32c25992fc73b3e10a25808d673079c936c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Nov 2023 14:41:13 +0100
+Subject: cpufreq: imx6q: Don't disable 792 Mhz OPP unnecessarily
+
+From: Christoph Niedermaier <cniedermaier@dh-electronics.com>
+
+[ Upstream commit 2e4e0984c7d696cc74cf2fd7e7f62997f0e9ebe6 ]
+
+For a 900MHz i.MX6ULL CPU the 792MHz OPP is disabled. There is no
+convincing reason to disable this OPP. If a CPU can run at 900MHz,
+it should also be able to cope with 792MHz. Looking at the voltage
+level of 792MHz in [1] (page 24, table 10. "Operating Ranges") the
+current defined OPP is above the minimum. So the voltage level
+shouldn't be a problem. However in [2] (page 24, table 10.
+"Operating Ranges"), it is not mentioned that 792MHz OPP isn't
+allowed. Change it to only disable 792MHz OPP for i.MX6ULL types
+below 792 MHz.
+
+[1] https://www.nxp.com/docs/en/data-sheet/IMX6ULLIEC.pdf
+[2] https://www.nxp.com/docs/en/data-sheet/IMX6ULLCEC.pdf
+
+Fixes: 0aa9abd4c212 ("cpufreq: imx6q: check speed grades for i.MX6ULL")
+Signed-off-by: Christoph Niedermaier <cniedermaier@dh-electronics.com>
+Reviewed-by: Marek Vasut <marex@denx.de>
+Reviewed-by: Fabio Estevam <festevam@denx.de>
+[ Viresh: Edited subject ]
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/imx6q-cpufreq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/cpufreq/imx6q-cpufreq.c b/drivers/cpufreq/imx6q-cpufreq.c
+index 1ed62924df405..84f6dbd4e9795 100644
+--- a/drivers/cpufreq/imx6q-cpufreq.c
++++ b/drivers/cpufreq/imx6q-cpufreq.c
+@@ -319,7 +319,7 @@ static int imx6ul_opp_check_speed_grading(struct device *dev)
+                       imx6x_disable_freq_in_opp(dev, 696000000);
+       if (of_machine_is_compatible("fsl,imx6ull")) {
+-              if (val != OCOTP_CFG3_6ULL_SPEED_792MHZ)
++              if (val < OCOTP_CFG3_6ULL_SPEED_792MHZ)
+                       imx6x_disable_freq_in_opp(dev, 792000000);
+               if (val != OCOTP_CFG3_6ULL_SPEED_900MHZ)
+-- 
+2.42.0
+
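Review bot: `if (val < OCOTP_CFG3_6ULL_SPEED_792MHZ)` now depends on the speed-grade fuse encodings being numerically ordered by frequency, which this hunk cannot show because the OCOTP_CFG3_6ULL_* values are defined outside it. The neighbouring 900 MHz test still uses `!=`, so the two checks read inconsistently without an explanation. A one-line comment would make the intent reviewable, e.g. `/* speed-grade values are ordered; only parts fused below 792MHz lose this OPP */`. imx6ul_opp_check_speed_grading() starts and ends outside the hunk.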
diff --git a/queue-5.4/cpufreq-imx6q-don-t-warn-for-disabling-a-non-existin.patch b/queue-5.4/cpufreq-imx6q-don-t-warn-for-disabling-a-non-existin.patch
new file mode 100644 (file)
index 0000000..60d97b0
--- /dev/null
@@ -0,0 +1,93 @@
+From 787cb7894798c56f0563265896729a9749c85f43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 May 2023 17:07:11 +0200
+Subject: cpufreq: imx6q: don't warn for disabling a non-existing frequency
+
+From: Christoph Niedermaier <cniedermaier@dh-electronics.com>
+
+[ Upstream commit 11a3b0ac33d95aa84be426e801f800997262a225 ]
+
+It is confusing if a warning is given for disabling a non-existent
+frequency of the operating performance points (OPP). In this case
+the function dev_pm_opp_disable() returns -ENODEV. Check the return
+value and avoid the output of a warning in this case. Avoid code
+duplication by using a separate function.
+
+Signed-off-by: Christoph Niedermaier <cniedermaier@dh-electronics.com>
+[ Viresh : Updated commit subject ]
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Stable-dep-of: 2e4e0984c7d6 ("cpufreq: imx6q: Don't disable 792 Mhz OPP unnecessarily")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/imx6q-cpufreq.c | 30 ++++++++++++++++--------------
+ 1 file changed, 16 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/cpufreq/imx6q-cpufreq.c b/drivers/cpufreq/imx6q-cpufreq.c
+index edef3399c9794..1ed62924df405 100644
+--- a/drivers/cpufreq/imx6q-cpufreq.c
++++ b/drivers/cpufreq/imx6q-cpufreq.c
+@@ -210,6 +210,14 @@ static struct cpufreq_driver imx6q_cpufreq_driver = {
+       .suspend = cpufreq_generic_suspend,
+ };
++static void imx6x_disable_freq_in_opp(struct device *dev, unsigned long freq)
++{
++      int ret = dev_pm_opp_disable(dev, freq);
++
++      if (ret < 0 && ret != -ENODEV)
++              dev_warn(dev, "failed to disable %ldMHz OPP\n", freq / 1000000);
++}
++
+ #define OCOTP_CFG3                    0x440
+ #define OCOTP_CFG3_SPEED_SHIFT                16
+ #define OCOTP_CFG3_SPEED_1P2GHZ               0x3
+@@ -245,17 +253,15 @@ static void imx6q_opp_check_speed_grading(struct device *dev)
+       val &= 0x3;
+       if (val < OCOTP_CFG3_SPEED_996MHZ)
+-              if (dev_pm_opp_disable(dev, 996000000))
+-                      dev_warn(dev, "failed to disable 996MHz OPP\n");
++              imx6x_disable_freq_in_opp(dev, 996000000);
+       if (of_machine_is_compatible("fsl,imx6q") ||
+           of_machine_is_compatible("fsl,imx6qp")) {
+               if (val != OCOTP_CFG3_SPEED_852MHZ)
+-                      if (dev_pm_opp_disable(dev, 852000000))
+-                              dev_warn(dev, "failed to disable 852MHz OPP\n");
++                      imx6x_disable_freq_in_opp(dev, 852000000);
++
+               if (val != OCOTP_CFG3_SPEED_1P2GHZ)
+-                      if (dev_pm_opp_disable(dev, 1200000000))
+-                              dev_warn(dev, "failed to disable 1.2GHz OPP\n");
++                      imx6x_disable_freq_in_opp(dev, 1200000000);
+       }
+       iounmap(base);
+ put_node:
+@@ -308,20 +314,16 @@ static int imx6ul_opp_check_speed_grading(struct device *dev)
+       val >>= OCOTP_CFG3_SPEED_SHIFT;
+       val &= 0x3;
+-      if (of_machine_is_compatible("fsl,imx6ul")) {
++      if (of_machine_is_compatible("fsl,imx6ul"))
+               if (val != OCOTP_CFG3_6UL_SPEED_696MHZ)
+-                      if (dev_pm_opp_disable(dev, 696000000))
+-                              dev_warn(dev, "failed to disable 696MHz OPP\n");
+-      }
++                      imx6x_disable_freq_in_opp(dev, 696000000);
+       if (of_machine_is_compatible("fsl,imx6ull")) {
+               if (val != OCOTP_CFG3_6ULL_SPEED_792MHZ)
+-                      if (dev_pm_opp_disable(dev, 792000000))
+-                              dev_warn(dev, "failed to disable 792MHz OPP\n");
++                      imx6x_disable_freq_in_opp(dev, 792000000);
+               if (val != OCOTP_CFG3_6ULL_SPEED_900MHZ)
+-                      if (dev_pm_opp_disable(dev, 900000000))
+-                              dev_warn(dev, "failed to disable 900MHz OPP\n");
++                      imx6x_disable_freq_in_opp(dev, 900000000);
+       }
+       return ret;
+-- 
+2.42.0
+
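Review bot: In the new imx6x_disable_freq_in_opp() the warning prints an `unsigned long` with `%ld`; the specifier should match the type, `dev_warn(dev, "failed to disable %luMHz OPP\n", freq / 1000000);`. The helper also has no comment saying why -ENODEV is deliberately silent; something like `/* -ENODEV: the OPP is not in the table, so there is nothing to disable */` above the test would keep a later reader from treating it as a swallowed error. The 1.2 GHz case used to log "1.2GHz" and will now log "1200MHz", which matters only if any log matching relies on the old string.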
diff --git a/queue-5.4/ext4-improve-write-performance-with-disabled-delallo.patch b/queue-5.4/ext4-improve-write-performance-with-disabled-delallo.patch
new file mode 100644 (file)
index 0000000..d5fe130
--- /dev/null
@@ -0,0 +1,47 @@
+From b761964a221739a6175a704f4e3304bd8b809f3f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 May 2022 13:14:02 +0200
+Subject: ext4: improve write performance with disabled delalloc
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 8d5459c11f548131ce48b2fbf45cccc5c382558f ]
+
+When delayed allocation is disabled (either through mount option or
+because we are running low on free space), ext4_write_begin() allocates
+blocks with EXT4_GET_BLOCKS_IO_CREATE_EXT flag. With this flag extent
+merging is disabled and since ext4_write_begin() is called for each page
+separately, we end up with a *lot* of 1 block extents in the extent tree
+and following writeback is writing 1 block at a time which results in
+very poor write throughput (4 MB/s instead of 200 MB/s). These days when
+ext4_get_block_unwritten() is used only by ext4_write_begin(),
+ext4_page_mkwrite() and inline data conversion, we can safely allow
+extent merging to happen from these paths since following writeback will
+happen on different boundaries anyway. So use
+EXT4_GET_BLOCKS_CREATE_UNRIT_EXT instead which restores the performance.
+
+Signed-off-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20220520111402.4252-1-jack@suse.cz
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Stable-dep-of: 2cd8bdb5efc1 ("ext4: mark buffer new if it is unwritten to avoid stale data exposure")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index 8a0bca3b653bc..9ca7db0c4039a 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -830,7 +830,7 @@ int ext4_get_block_unwritten(struct inode *inode, sector_t iblock,
+       ext4_debug("ext4_get_block_unwritten: inode %lu, create flag %d\n",
+                  inode->i_ino, create);
+       return _ext4_get_block(inode, iblock, bh_result,
+-                             EXT4_GET_BLOCKS_IO_CREATE_EXT);
++                             EXT4_GET_BLOCKS_CREATE_UNWRIT_EXT);
+ }
+ /* Maximum number of blocks we map for direct IO at once. */
+-- 
+2.42.0
+
diff --git a/queue-5.4/ext4-mark-buffer-new-if-it-is-unwritten-to-avoid-sta.patch b/queue-5.4/ext4-mark-buffer-new-if-it-is-unwritten-to-avoid-sta.patch
new file mode 100644 (file)
index 0000000..9526ab1
--- /dev/null
@@ -0,0 +1,145 @@
+From eb57900d1090262be4fa3b51cd416e0fe82cd0c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 16:15:50 +0530
+Subject: ext4: mark buffer new if it is unwritten to avoid stale data exposure
+
+From: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+
+[ Upstream commit 2cd8bdb5efc1e0d5b11a4b7ba6b922fd2736a87f ]
+
+** Short Version **
+
+In ext4 with dioread_nolock, we could have a scenario where the bh returned by
+get_blocks (ext4_get_block_unwritten()) in __block_write_begin_int() has
+UNWRITTEN and MAPPED flag set. Since such a bh does not have NEW flag set we
+never zero out the range of bh that is not under write, causing whatever stale
+data is present in the folio at that time to be written out to disk. To fix this
+mark the buffer as new, in case it is unwritten, in ext4_get_block_unwritten().
+
+** Long Version **
+
+The issue mentioned above was resulting in two different bugs:
+
+1. On block size < page size case in ext4, generic/269 was reliably
+failing with dioread_nolock. The state of the write was as follows:
+
+  * The write was extending i_size.
+  * The last block of the file was fallocated and had an unwritten extent
+  * We were near ENOSPC and hence we were switching to non-delayed alloc
+    allocation.
+
+In this case, the back trace that triggers the bug is as follows:
+
+  ext4_da_write_begin()
+    /* switch to nodelalloc due to low space */
+    ext4_write_begin()
+      ext4_should_dioread_nolock() // true since mount flags still have delalloc
+      __block_write_begin(..., ext4_get_block_unwritten)
+        __block_write_begin_int()
+          for(each buffer head in page) {
+            /* first iteration, this is bh1 which contains i_size */
+            if (!buffer_mapped)
+              get_block() /* returns bh with only UNWRITTEN and MAPPED */
+            /* second iteration, bh2 */
+              if (!buffer_mapped)
+                get_block() /* we fail here, could be ENOSPC */
+          }
+          if (err)
+            /*
+             * this would zero out all new buffers and mark them uptodate.
+             * Since bh1 was never marked new, we skip it here which causes
+             * the bug later.
+             */
+            folio_zero_new_buffers();
+      /* ext4_wrte_begin() error handling */
+      ext4_truncate_failed_write()
+        ext4_truncate()
+          ext4_block_truncate_page()
+            __ext4_block_zero_page_range()
+              if(!buffer_uptodate())
+                ext4_read_bh_lock()
+                  ext4_read_bh() -> ... ext4_submit_bh_wbc()
+                    BUG_ON(buffer_unwritten(bh)); /* !!! */
+
+2. The second issue is stale data exposure with page size >= blocksize
+with dioread_nolock. The conditions needed for it to happen are same as
+the previous issue ie dioread_nolock around ENOSPC condition. The issue
+is also similar where in __block_write_begin_int() when we call
+ext4_get_block_unwritten() on the buffer_head and the underlying extent
+is unwritten, we get an unwritten and mapped buffer head. Since it is
+not new, we never zero out the partial range which is not under write,
+thus writing stale data to disk. This can be easily observed with the
+following reproducer:
+
+ fallocate -l 4k testfile
+ xfs_io -c "pwrite 2k 2k" testfile
+ # hexdump output will have stale data in from byte 0 to 2k in testfile
+ hexdump -C testfile
+
+NOTE: To trigger this, we need dioread_nolock enabled and write happening via
+ext4_write_begin(), which is usually used when we have -o nodealloc. Since
+dioread_nolock is disabled with nodelalloc, the only alternate way to call
+ext4_write_begin() is to ensure that delayed alloc switches to nodelalloc ie
+ext4_da_write_begin() calls ext4_write_begin(). This will usually happen when
+ext4 is almost full like the way generic/269 was triggering it in Issue 1 above.
+This might make the issue harder to hit. Hence, for reliable replication, I used
+the below patch to temporarily allow dioread_nolock with nodelalloc and then
+mount the disk with -o nodealloc,dioread_nolock. With this you can hit the stale
+data issue 100% of times:
+
+@@ -508,8 +508,8 @@ static inline int ext4_should_dioread_nolock(struct inode *inode)
+  if (ext4_should_journal_data(inode))
+    return 0;
+  /* temporary fix to prevent generic/422 test failures */
+- if (!test_opt(inode->i_sb, DELALLOC))
+-   return 0;
++ // if (!test_opt(inode->i_sb, DELALLOC))
++ //  return 0;
+  return 1;
+ }
+
+After applying this patch to mark buffer as NEW, both the above issues are
+fixed.
+
+Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+Cc: stable@kernel.org
+Reviewed-by: Jan Kara <jack@suse.cz>
+Reviewed-by: "Ritesh Harjani (IBM)" <ritesh.list@gmail.com>
+Link: https://lore.kernel.org/r/d0ed09d70a9733fbb5349c5c7b125caac186ecdf.1695033645.git.ojaswin@linux.ibm.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/inode.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
+index 9ca7db0c4039a..0847657400a92 100644
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -827,10 +827,22 @@ int ext4_get_block(struct inode *inode, sector_t iblock,
+ int ext4_get_block_unwritten(struct inode *inode, sector_t iblock,
+                            struct buffer_head *bh_result, int create)
+ {
++      int ret = 0;
++
+       ext4_debug("ext4_get_block_unwritten: inode %lu, create flag %d\n",
+                  inode->i_ino, create);
+-      return _ext4_get_block(inode, iblock, bh_result,
++      ret = _ext4_get_block(inode, iblock, bh_result,
+                              EXT4_GET_BLOCKS_CREATE_UNWRIT_EXT);
++
++      /*
++       * If the buffer is marked unwritten, mark it as new to make sure it is
++       * zeroed out correctly in case of partial writes. Otherwise, there is
++       * a chance of stale data getting exposed.
++       */
++      if (ret == 0 && buffer_unwritten(bh_result))
++              set_buffer_new(bh_result);
++
++      return ret;
+ }
+ /* Maximum number of blocks we map for direct IO at once. */
+-- 
+2.42.0
+
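Review bot: The added comment in ext4_get_block_unwritten() says the buffer is marked new so that it is "zeroed out correctly", but it does not say who does the zeroing, and that is the contract this fix relies on. I would extend it with one sentence naming the consumer, e.g. `* The generic write_begin path only zeroes the unwritten part of buffers that are buffer_new().`; the commit message names __block_write_begin_int() for this, which the hunk itself does not show. Separately, `int ret = 0;` is overwritten unconditionally by the `_ext4_get_block()` call, so `int ret;` is enough. Because the failure mode is old block contents ending up in a file, the partial-write-into-fallocated-block case described in the message is worth keeping as a regression check when verifying the backport.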
diff --git a/queue-5.4/fbdev-stifb-make-the-sti-next-font-pointer-a-32-bit-.patch b/queue-5.4/fbdev-stifb-make-the-sti-next-font-pointer-a-32-bit-.patch
new file mode 100644 (file)
index 0000000..78c13a3
--- /dev/null
@@ -0,0 +1,39 @@
+From c7c41185a379f6a8e016ab0495d3a8f3f73313c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Oct 2023 13:36:48 +0200
+Subject: fbdev: stifb: Make the STI next font pointer a 32-bit signed offset
+
+From: Helge Deller <deller@gmx.de>
+
+[ Upstream commit 8a32aa17c1cd48df1ddaa78e45abcb8c7a2220d6 ]
+
+The pointer to the next STI font is actually a signed 32-bit
+offset. With this change the 64-bit kernel will correctly subract
+the (signed 32-bit) offset instead of adding a (unsigned 32-bit)
+offset. It has no effect on 32-bit kernels.
+
+This fixes the stifb driver with a 64-bit kernel on qemu.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/sticore.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/sticore.h b/drivers/video/fbdev/sticore.h
+index fb8f58f9867a7..0416e2bc27d85 100644
+--- a/drivers/video/fbdev/sticore.h
++++ b/drivers/video/fbdev/sticore.h
+@@ -237,7 +237,7 @@ struct sti_rom_font {
+        u8 height;
+        u8 font_type;          /* language type */
+        u8 bytes_per_char;
+-      u32 next_font;
++      s32 next_font;          /* note: signed int */
+        u8 underline_height;
+        u8 underline_pos;
+        u8 res008[2];
+-- 
+2.42.0
+
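Review bot: Changing `next_font` to `s32` in struct sti_rom_font changes how every user of the field extends it on a 64-bit kernel, and those users are outside this hunk (the struct itself also starts and ends outside it). Any site that copies the field into a `u32` or casts it to an unsigned 32-bit type before adding it to a pointer would bring back the old behaviour, so those sites are worth checking. The value is read from the STI ROM, so presumably a range check against the ROM image before following it would also be appropriate; that cannot be judged from here. The comment `/* note: signed int */` could say why: `/* signed 32-bit offset to the next font, may be negative */`.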
diff --git a/queue-5.4/ima-annotate-iint-mutex-to-avoid-lockdep-false-posit.patch b/queue-5.4/ima-annotate-iint-mutex-to-avoid-lockdep-false-posit.patch
new file mode 100644 (file)
index 0000000..ad89139
--- /dev/null
@@ -0,0 +1,117 @@
+From 0ceacef5844dc04426a2389d39e58dac3f22dd9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Oct 2023 14:15:58 +0300
+Subject: ima: annotate iint mutex to avoid lockdep false positive warnings
+
+From: Amir Goldstein <amir73il@gmail.com>
+
+[ Upstream commit e044374a8a0a99e46f4e6d6751d3042b6d9cc12e ]
+
+It is not clear that IMA should be nested at all, but as long is it
+measures files both on overlayfs and on underlying fs, we need to
+annotate the iint mutex to avoid lockdep false positives related to
+IMA + overlayfs, same as overlayfs annotates the inode mutex.
+
+Reported-and-tested-by: syzbot+b42fe626038981fb7bfa@syzkaller.appspotmail.com
+Signed-off-by: Amir Goldstein <amir73il@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/integrity/iint.c | 48 ++++++++++++++++++++++++++++++---------
+ 1 file changed, 37 insertions(+), 11 deletions(-)
+
+diff --git a/security/integrity/iint.c b/security/integrity/iint.c
+index ff37143000b4c..ffdc3ca1e9c16 100644
+--- a/security/integrity/iint.c
++++ b/security/integrity/iint.c
+@@ -66,9 +66,32 @@ struct integrity_iint_cache *integrity_iint_find(struct inode *inode)
+       return iint;
+ }
+-static void iint_free(struct integrity_iint_cache *iint)
++#define IMA_MAX_NESTING (FILESYSTEM_MAX_STACK_DEPTH+1)
++
++/*
++ * It is not clear that IMA should be nested at all, but as long is it measures
++ * files both on overlayfs and on underlying fs, we need to annotate the iint
++ * mutex to avoid lockdep false positives related to IMA + overlayfs.
++ * See ovl_lockdep_annotate_inode_mutex_key() for more details.
++ */
++static inline void iint_lockdep_annotate(struct integrity_iint_cache *iint,
++                                       struct inode *inode)
++{
++#ifdef CONFIG_LOCKDEP
++      static struct lock_class_key iint_mutex_key[IMA_MAX_NESTING];
++
++      int depth = inode->i_sb->s_stack_depth;
++
++      if (WARN_ON_ONCE(depth < 0 || depth >= IMA_MAX_NESTING))
++              depth = 0;
++
++      lockdep_set_class(&iint->mutex, &iint_mutex_key[depth]);
++#endif
++}
++
++static void iint_init_always(struct integrity_iint_cache *iint,
++                           struct inode *inode)
+ {
+-      kfree(iint->ima_hash);
+       iint->ima_hash = NULL;
+       iint->version = 0;
+       iint->flags = 0UL;
+@@ -80,6 +103,14 @@ static void iint_free(struct integrity_iint_cache *iint)
+       iint->ima_creds_status = INTEGRITY_UNKNOWN;
+       iint->evm_status = INTEGRITY_UNKNOWN;
+       iint->measured_pcrs = 0;
++      mutex_init(&iint->mutex);
++      iint_lockdep_annotate(iint, inode);
++}
++
++static void iint_free(struct integrity_iint_cache *iint)
++{
++      kfree(iint->ima_hash);
++      mutex_destroy(&iint->mutex);
+       kmem_cache_free(iint_cache, iint);
+ }
+@@ -112,6 +143,8 @@ struct integrity_iint_cache *integrity_inode_get(struct inode *inode)
+       if (!iint)
+               return NULL;
++      iint_init_always(iint, inode);
++
+       write_lock(&integrity_iint_lock);
+       p = &integrity_iint_tree.rb_node;
+@@ -161,25 +194,18 @@ void integrity_inode_free(struct inode *inode)
+       iint_free(iint);
+ }
+-static void init_once(void *foo)
++static void iint_init_once(void *foo)
+ {
+       struct integrity_iint_cache *iint = foo;
+       memset(iint, 0, sizeof(*iint));
+-      iint->ima_file_status = INTEGRITY_UNKNOWN;
+-      iint->ima_mmap_status = INTEGRITY_UNKNOWN;
+-      iint->ima_bprm_status = INTEGRITY_UNKNOWN;
+-      iint->ima_read_status = INTEGRITY_UNKNOWN;
+-      iint->ima_creds_status = INTEGRITY_UNKNOWN;
+-      iint->evm_status = INTEGRITY_UNKNOWN;
+-      mutex_init(&iint->mutex);
+ }
+ static int __init integrity_iintcache_init(void)
+ {
+       iint_cache =
+           kmem_cache_create("iint_cache", sizeof(struct integrity_iint_cache),
+-                            0, SLAB_PANIC, init_once);
++                            0, SLAB_PANIC, iint_init_once);
+       return 0;
+ }
+ DEFINE_LSM(integrity) = {
+-- 
+2.42.0
+
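Review bot: After this change iint_init_always() is the only place a recycled slab object is reset, because iint_free() no longer clears the fields and iint_init_once() runs only when the slab object is first constructed. Any member of struct integrity_iint_cache that is not assigned in iint_init_always() therefore keeps whatever the previous inode left there; the struct definition is not part of this patch, so the field list should be checked against it, since a stale status or flag would amount to a cached integrity verdict for the wrong file. A short comment above iint_init_always() would record that requirement, e.g. `/* Runs on every allocation: must reset every field, the slab constructor only zeroes once. */`. In iint_lockdep_annotate() the WARN_ON_ONCE fallback to depth 0 only affects lock-class selection, and a comment saying so would make that clear to the next reader.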
diff --git a/queue-5.4/ima-detect-changes-to-the-backing-overlay-file.patch b/queue-5.4/ima-detect-changes-to-the-backing-overlay-file.patch
new file mode 100644 (file)
index 0000000..6a77a6b
--- /dev/null
@@ -0,0 +1,110 @@
+From be81730849472a9a8c5cbf43ec154b1e85b05bc3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Oct 2023 14:47:02 -0400
+Subject: ima: detect changes to the backing overlay file
+
+From: Mimi Zohar <zohar@linux.ibm.com>
+
+[ Upstream commit b836c4d29f2744200b2af41e14bf50758dddc818 ]
+
+Commit 18b44bc5a672 ("ovl: Always reevaluate the file signature for
+IMA") forced signature re-evaulation on every file access.
+
+Instead of always re-evaluating the file's integrity, detect a change
+to the backing file, by comparing the cached file metadata with the
+backing file's metadata.  Verifying just the i_version has not changed
+is insufficient.  In addition save and compare the i_ino and s_dev
+as well.
+
+Reviewed-by: Amir Goldstein <amir73il@gmail.com>
+Tested-by: Eric Snowberg <eric.snowberg@oracle.com>
+Tested-by: Raul E Rangel <rrangel@chromium.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/integrity/ima/ima_api.c  |  5 +++++
+ security/integrity/ima/ima_main.c | 16 +++++++++++++++-
+ security/integrity/integrity.h    |  2 ++
+ 3 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
+index 610759fe63b8a..364979233a174 100644
+--- a/security/integrity/ima/ima_api.c
++++ b/security/integrity/ima/ima_api.c
+@@ -209,6 +209,7 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
+ {
+       const char *audit_cause = "failed";
+       struct inode *inode = file_inode(file);
++      struct inode *real_inode = d_real_inode(file_dentry(file));
+       const char *filename = file->f_path.dentry->d_name.name;
+       int result = 0;
+       int length;
+@@ -259,6 +260,10 @@ int ima_collect_measurement(struct integrity_iint_cache *iint,
+       iint->ima_hash = tmpbuf;
+       memcpy(iint->ima_hash, &hash, length);
+       iint->version = i_version;
++      if (real_inode != inode) {
++              iint->real_ino = real_inode->i_ino;
++              iint->real_dev = real_inode->i_sb->s_dev;
++      }
+       /* Possibly temporary failure due to type of read (eg. O_DIRECT) */
+       if (!result)
+diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
+index 6a2377eee03d8..09b9c2b252944 100644
+--- a/security/integrity/ima/ima_main.c
++++ b/security/integrity/ima/ima_main.c
+@@ -27,6 +27,7 @@
+ #include <linux/ima.h>
+ #include <linux/iversion.h>
+ #include <linux/fs.h>
++#include <linux/iversion.h>
+ #include "ima.h"
+@@ -193,7 +194,7 @@ static int process_measurement(struct file *file, const struct cred *cred,
+                              u32 secid, char *buf, loff_t size, int mask,
+                              enum ima_hooks func)
+ {
+-      struct inode *inode = file_inode(file);
++      struct inode *backing_inode, *inode = file_inode(file);
+       struct integrity_iint_cache *iint = NULL;
+       struct ima_template_desc *template_desc = NULL;
+       char *pathbuf = NULL;
+@@ -267,6 +268,19 @@ static int process_measurement(struct file *file, const struct cred *cred,
+               iint->measured_pcrs = 0;
+       }
++      /* Detect and re-evaluate changes made to the backing file. */
++      backing_inode = d_real_inode(file_dentry(file));
++      if (backing_inode != inode &&
++          (action & IMA_DO_MASK) && (iint->flags & IMA_DONE_MASK)) {
++              if (!IS_I_VERSION(backing_inode) ||
++                  backing_inode->i_sb->s_dev != iint->real_dev ||
++                  backing_inode->i_ino != iint->real_ino ||
++                  !inode_eq_iversion(backing_inode, iint->version)) {
++                      iint->flags &= ~IMA_DONE_MASK;
++                      iint->measured_pcrs = 0;
++              }
++      }
++
+       /* Determine if already appraised/measured based on bitmask
+        * (IMA_MEASURE, IMA_MEASURED, IMA_XXXX_APPRAISE, IMA_XXXX_APPRAISED,
+        *  IMA_AUDIT, IMA_AUDITED)
+diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
+index d9323d31a3a83..f63516ebec5db 100644
+--- a/security/integrity/integrity.h
++++ b/security/integrity/integrity.h
+@@ -124,6 +124,8 @@ struct integrity_iint_cache {
+       unsigned long flags;
+       unsigned long measured_pcrs;
+       unsigned long atomic_flags;
++      unsigned long real_ino;
++      dev_t real_dev;
+       enum integrity_status ima_file_status:4;
+       enum integrity_status ima_mmap_status:4;
+       enum integrity_status ima_bprm_status:4;
+-- 
+2.42.0
+
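Review bot: In the ima_main.c hunk the added `#include <linux/iversion.h>` duplicates the include already present two context lines above it, so the line can be dropped from this backport. Separately, process_measurement() now tests `inode_eq_iversion(backing_inode, iint->version)`, while ima_collect_measurement() stores `i_version` from a computation that lies outside the visible hunk. It is worth confirming in the 5.4 tree that the stored value is taken from the backing inode too, since otherwise the comparison would presumably never match and every access to a stacked file would be re-evaluated. A comment on the new fields in integrity.h, e.g. `/* backing inode identity; set only when real_inode != inode */`, would also record that they are left untouched for non-stacked files.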
diff --git a/queue-5.4/ipv4-igmp-fix-refcnt-uaf-issue-when-receiving-igmp-q.patch b/queue-5.4/ipv4-igmp-fix-refcnt-uaf-issue-when-receiving-igmp-q.patch
new file mode 100644 (file)
index 0000000..ac4f24a
--- /dev/null
@@ -0,0 +1,114 @@
+From cf4937dd9cf10cac29442fd8294aebbd3b2129f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Nov 2023 15:13:14 +0800
+Subject: ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet
+
+From: Zhengchao Shao <shaozhengchao@huawei.com>
+
+[ Upstream commit e2b706c691905fe78468c361aaabc719d0a496f1 ]
+
+When I perform the following test operations:
+1.ip link add br0 type bridge
+2.brctl addif br0 eth0
+3.ip addr add 239.0.0.1/32 dev eth0
+4.ip addr add 239.0.0.1/32 dev br0
+5.ip addr add 224.0.0.1/32 dev br0
+6.while ((1))
+    do
+        ifconfig br0 up
+        ifconfig br0 down
+    done
+7.send IGMPv2 query packets to port eth0 continuously. For example,
+./mausezahn ethX -c 0 "01 00 5e 00 00 01 00 72 19 88 aa 02 08 00 45 00 00
+1c 00 01 00 00 01 02 0e 7f c0 a8 0a b7 e0 00 00 01 11 64 ee 9b 00 00 00 00"
+
+The preceding tests may trigger the refcnt uaf issue of the mc list. The
+stack is as follows:
+       refcount_t: addition on 0; use-after-free.
+       WARNING: CPU: 21 PID: 144 at lib/refcount.c:25 refcount_warn_saturate (lib/refcount.c:25)
+       CPU: 21 PID: 144 Comm: ksoftirqd/21 Kdump: loaded Not tainted 6.7.0-rc1-next-20231117-dirty #80
+       Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
+       RIP: 0010:refcount_warn_saturate (lib/refcount.c:25)
+       RSP: 0018:ffffb68f00657910 EFLAGS: 00010286
+       RAX: 0000000000000000 RBX: ffff8a00c3bf96c0 RCX: ffff8a07b6160908
+       RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff8a07b6160900
+       RBP: ffff8a00cba36862 R08: 0000000000000000 R09: 00000000ffff7fff
+       R10: ffffb68f006577c0 R11: ffffffffb0fdcdc8 R12: ffff8a00c3bf9680
+       R13: ffff8a00c3bf96f0 R14: 0000000000000000 R15: ffff8a00d8766e00
+       FS:  0000000000000000(0000) GS:ffff8a07b6140000(0000) knlGS:0000000000000000
+       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+       CR2: 000055f10b520b28 CR3: 000000039741a000 CR4: 00000000000006f0
+       Call Trace:
+       <TASK>
+       igmp_heard_query (net/ipv4/igmp.c:1068)
+       igmp_rcv (net/ipv4/igmp.c:1132)
+       ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205)
+       ip_local_deliver_finish (net/ipv4/ip_input.c:234)
+       __netif_receive_skb_one_core (net/core/dev.c:5529)
+       netif_receive_skb_internal (net/core/dev.c:5729)
+       netif_receive_skb (net/core/dev.c:5788)
+       br_handle_frame_finish (net/bridge/br_input.c:216)
+       nf_hook_bridge_pre (net/bridge/br_input.c:294)
+       __netif_receive_skb_core (net/core/dev.c:5423)
+       __netif_receive_skb_list_core (net/core/dev.c:5606)
+       __netif_receive_skb_list (net/core/dev.c:5674)
+       netif_receive_skb_list_internal (net/core/dev.c:5764)
+       napi_gro_receive (net/core/gro.c:609)
+       e1000_clean_rx_irq (drivers/net/ethernet/intel/e1000/e1000_main.c:4467)
+       e1000_clean (drivers/net/ethernet/intel/e1000/e1000_main.c:3805)
+       __napi_poll (net/core/dev.c:6533)
+       net_rx_action (net/core/dev.c:6735)
+       __do_softirq (kernel/softirq.c:554)
+       run_ksoftirqd (kernel/softirq.c:913)
+       smpboot_thread_fn (kernel/smpboot.c:164)
+       kthread (kernel/kthread.c:388)
+       ret_from_fork (arch/x86/kernel/process.c:153)
+       ret_from_fork_asm (arch/x86/entry/entry_64.S:250)
+       </TASK>
+
+The root causes are as follows:
+Thread A                                       Thread B
+...                                            netif_receive_skb
+br_dev_stop                                    ...
+    br_multicast_leave_snoopers                        ...
+        __ip_mc_dec_group                      ...
+            __igmp_group_dropped               igmp_rcv
+                igmp_stop_timer                            igmp_heard_query         //ref = 1
+                ip_ma_put                              igmp_mod_timer
+                    refcount_dec_and_test                  igmp_start_timer //ref = 0
+                       ...                                     refcount_inc //ref increases from 0
+When the device receives an IGMPv2 Query message, it starts the timer
+immediately, regardless of whether the device is running. If the device is
+down and has left the multicast group, it will cause the mc list refcount
+uaf issue.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/igmp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
+index cb031e851c127..715f99e76826e 100644
+--- a/net/ipv4/igmp.c
++++ b/net/ipv4/igmp.c
+@@ -218,8 +218,10 @@ static void igmp_start_timer(struct ip_mc_list *im, int max_delay)
+       int tv = prandom_u32() % max_delay;
+       im->tm_running = 1;
+-      if (!mod_timer(&im->timer, jiffies+tv+2))
+-              refcount_inc(&im->refcnt);
++      if (refcount_inc_not_zero(&im->refcnt)) {
++              if (mod_timer(&im->timer, jiffies + tv + 2))
++                      ip_ma_put(im);
++      }
+ }
+ static void igmp_gq_start_timer(struct in_device *in_dev)
+-- 
+2.42.0
+
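Review bot: `im->tm_running = 1` is still set before the new `refcount_inc_not_zero()` test in igmp_start_timer(), so when the increment fails the entry is flagged as having a running timer although none was armed. That is presumably harmless because a zero refcount means the entry is already being released, but it is worth either moving the assignment inside the `if` or saying so in a comment. The reference handling itself also deserves a comment, for example `/* take the timer's reference first; drop it again if the timer was already pending and so already holds one */`, since the inverted `mod_timer()` test is easy to misread.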
diff --git a/queue-5.4/mtd-cfi_cmdset_0001-byte-swap-otp-info.patch b/queue-5.4/mtd-cfi_cmdset_0001-byte-swap-otp-info.patch
new file mode 100644 (file)
index 0000000..2597e18
--- /dev/null
@@ -0,0 +1,80 @@
+From a4ae02a562048f5804f9e40ea39297efbfbfb062 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Oct 2023 22:30:29 +0200
+Subject: mtd: cfi_cmdset_0001: Byte swap OTP info
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit 565fe150624ee77dc63a735cc1b3bff5101f38a3 ]
+
+Currently the offset into the device when looking for OTP
+bits can go outside of the address of the MTD NOR devices,
+and if that memory isn't readable, bad things happen
+on the IXP4xx (added prints that illustrate the problem before
+the crash):
+
+cfi_intelext_otp_walk walk OTP on chip 0 start at reg_prot_offset 0x00000100
+ixp4xx_copy_from copy from 0x00000100 to 0xc880dd78
+cfi_intelext_otp_walk walk OTP on chip 0 start at reg_prot_offset 0x12000000
+ixp4xx_copy_from copy from 0x12000000 to 0xc880dd78
+8<--- cut here ---
+Unable to handle kernel paging request at virtual address db000000
+[db000000] *pgd=00000000
+(...)
+
+This happens in this case because the IXP4xx is big endian and
+the 32- and 16-bit fields in the struct cfi_intelext_otpinfo are not
+properly byteswapped. Compare to how the code in read_pri_intelext()
+byteswaps the fields in struct cfi_pri_intelext.
+
+Adding a small byte swapping loop for the OTP in read_pri_intelext()
+and the crash goes away.
+
+The problem went unnoticed for many years until I enabled
+CONFIG_MTD_OTP on the IXP4xx as well, triggering the bug.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Nicolas Pitre <nico@fluxnic.net>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20231020-mtd-otp-byteswap-v4-1-0d132c06aa9d@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/chips/cfi_cmdset_0001.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mtd/chips/cfi_cmdset_0001.c b/drivers/mtd/chips/cfi_cmdset_0001.c
+index 1d77687b67169..dc350272d9ef6 100644
+--- a/drivers/mtd/chips/cfi_cmdset_0001.c
++++ b/drivers/mtd/chips/cfi_cmdset_0001.c
+@@ -420,9 +420,25 @@ read_pri_intelext(struct map_info *map, __u16 adr)
+               extra_size = 0;
+               /* Protection Register info */
+-              if (extp->NumProtectionFields)
++              if (extp->NumProtectionFields) {
++                      struct cfi_intelext_otpinfo *otp =
++                              (struct cfi_intelext_otpinfo *)&extp->extra[0];
++
+                       extra_size += (extp->NumProtectionFields - 1) *
+-                                    sizeof(struct cfi_intelext_otpinfo);
++                              sizeof(struct cfi_intelext_otpinfo);
++
++                      if (extp_size >= sizeof(*extp) + extra_size) {
++                              int i;
++
++                              /* Do some byteswapping if necessary */
++                              for (i = 0; i < extp->NumProtectionFields - 1; i++) {
++                                      otp->ProtRegAddr = le32_to_cpu(otp->ProtRegAddr);
++                                      otp->FactGroups = le16_to_cpu(otp->FactGroups);
++                                      otp->UserGroups = le16_to_cpu(otp->UserGroups);
++                                      otp++;
++                              }
++                      }
++              }
+       }
+       if (extp->MinorVersion >= '1') {
+-- 
+2.42.0
+
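Review bot: The comment `/* Do some byteswapping if necessary */` does not explain the surrounding `extp_size >= sizeof(*extp) + extra_size` test, which is the only thing keeping the loop inside the data read so far. `NumProtectionFields` is a value reported by the device's extended query table, so I would spell the reason out, e.g. `/* Swap only once the whole OTP table has been read; NumProtectionFields is device-supplied */`. The cast of `&extp->extra[0]` to `struct cfi_intelext_otpinfo *` also relies on that struct tolerating byte alignment, which cannot be checked here because its definition is not shown. read_pri_intelext() continues outside the hunk.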
diff --git a/queue-5.4/mtd-cfi_cmdset_0001-support-the-absence-of-protectio.patch b/queue-5.4/mtd-cfi_cmdset_0001-support-the-absence-of-protectio.patch
new file mode 100644 (file)
index 0000000..88f866e
--- /dev/null
@@ -0,0 +1,80 @@
+From e2b25543a142a226cdf4a9e2435bc6c7e9620893 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Apr 2020 16:23:26 +0200
+Subject: mtd: cfi_cmdset_0001: Support the absence of protection registers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
+
+[ Upstream commit b359ed5184aebf9d987e54abc5dae7ac03ed29ae ]
+
+The flash controller implemented by the Arm Base platform behaves like
+the Intel StrataFlash J3 device, but omits several features. In
+particular it doesn't implement a protection register, so "Number of
+Protection register fields" in the Primary Vendor-Specific Extended
+Query, is 0.
+
+The Intel StrataFlash J3 datasheet only lists 1 as a valid value for
+NumProtectionFields. It describes the field as:
+
+       "Number of Protection register fields in JEDEC ID space.
+       “00h,” indicates that 256 protection bytes are available"
+
+While a value of 0 may arguably not be architecturally valid, the
+driver's current behavior is certainly wrong: if NumProtectionFields is
+0, read_pri_intelext() adds a negative value to the unsigned extra_size,
+and ends up in an infinite loop.
+
+Fix it by ignoring a NumProtectionFields of 0.
+
+Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
+Tested-by: Sudeep Holla <sudeep.holla@arm.com>
+Tested-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
+Stable-dep-of: 565fe150624e ("mtd: cfi_cmdset_0001: Byte swap OTP info")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/chips/cfi_cmdset_0001.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/mtd/chips/cfi_cmdset_0001.c b/drivers/mtd/chips/cfi_cmdset_0001.c
+index 79a53cb8507b6..1d77687b67169 100644
+--- a/drivers/mtd/chips/cfi_cmdset_0001.c
++++ b/drivers/mtd/chips/cfi_cmdset_0001.c
+@@ -420,8 +420,9 @@ read_pri_intelext(struct map_info *map, __u16 adr)
+               extra_size = 0;
+               /* Protection Register info */
+-              extra_size += (extp->NumProtectionFields - 1) *
+-                            sizeof(struct cfi_intelext_otpinfo);
++              if (extp->NumProtectionFields)
++                      extra_size += (extp->NumProtectionFields - 1) *
++                                    sizeof(struct cfi_intelext_otpinfo);
+       }
+       if (extp->MinorVersion >= '1') {
+@@ -695,14 +696,16 @@ static int cfi_intelext_partition_fixup(struct mtd_info *mtd,
+        */
+       if (extp && extp->MajorVersion == '1' && extp->MinorVersion >= '3'
+           && extp->FeatureSupport & (1 << 9)) {
++              int offs = 0;
+               struct cfi_private *newcfi;
+               struct flchip *chip;
+               struct flchip_shared *shared;
+-              int offs, numregions, numparts, partshift, numvirtchips, i, j;
++              int numregions, numparts, partshift, numvirtchips, i, j;
+               /* Protection Register info */
+-              offs = (extp->NumProtectionFields - 1) *
+-                     sizeof(struct cfi_intelext_otpinfo);
++              if (extp->NumProtectionFields)
++                      offs = (extp->NumProtectionFields - 1) *
++                             sizeof(struct cfi_intelext_otpinfo);
+               /* Burst Read info */
+               offs += extp->extra[offs+1]+2;
+-- 
+2.42.0
+
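Review bot: The new `if (extp->NumProtectionFields)` guards in read_pri_intelext() and cfi_intelext_partition_fixup() carry no comment, and without the commit message it is not obvious why zero is special. A one-line comment at both sites such as `/* 0 fields: (0 - 1) * sizeof() would underflow */` would keep the reason next to the code. In cfi_intelext_partition_fixup() the following context line `offs += extp->extra[offs+1]+2;` still indexes `extra[]` with a value derived from device-reported fields. Whether that index is bounded against the size actually read is not visible here, since both functions extend beyond the hunks.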
diff --git a/queue-5.4/net-ravb-start-tx-queues-after-hw-initialization-suc.patch b/queue-5.4/net-ravb-start-tx-queues-after-hw-initialization-suc.patch
new file mode 100644 (file)
index 0000000..1282fb6
--- /dev/null
@@ -0,0 +1,46 @@
+From c4e211ca7d342d16bb3afe4df2e6c6c5d9bed395 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Nov 2023 10:04:37 +0200
+Subject: net: ravb: Start TX queues after HW initialization succeeded
+
+From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+
+[ Upstream commit 6f32c086602050fc11157adeafaa1c1eb393f0af ]
+
+ravb_phy_start() may fail. If that happens, the TX queues will remain
+started. Thus, move the netif_tx_start_all_queues() after PHY is
+successfully initialized.
+
+Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
+Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
+index 815aa18782165..42e62f51ba6d1 100644
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -1380,13 +1380,13 @@ static int ravb_open(struct net_device *ndev)
+       if (priv->chip_id == RCAR_GEN2)
+               ravb_ptp_init(ndev, priv->pdev);
+-      netif_tx_start_all_queues(ndev);
+-
+       /* PHY control start */
+       error = ravb_phy_start(ndev);
+       if (error)
+               goto out_ptp_stop;
++      netif_tx_start_all_queues(ndev);
++
+       return 0;
+ out_ptp_stop:
+-- 
+2.42.0
+
diff --git a/queue-5.4/net-ravb-use-pm_runtime_resume_and_get.patch b/queue-5.4/net-ravb-use-pm_runtime_resume_and_get.patch
new file mode 100644 (file)
index 0000000..004b847
--- /dev/null
@@ -0,0 +1,48 @@
+From e0ec0bd82e97d3a1b556ff719876ca802205e5c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Nov 2023 10:04:35 +0200
+Subject: net: ravb: Use pm_runtime_resume_and_get()
+
+From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+
+[ Upstream commit 88b74831faaee455c2af380382d979fc38e79270 ]
+
+pm_runtime_get_sync() may return an error. In case it returns with an error
+dev->power.usage_count needs to be decremented. pm_runtime_resume_and_get()
+takes care of this. Thus use it.
+
+Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
+Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
+index 765e55b489dbf..815aa18782165 100644
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -2039,7 +2039,9 @@ static int ravb_probe(struct platform_device *pdev)
+       ndev->hw_features = NETIF_F_RXCSUM;
+       pm_runtime_enable(&pdev->dev);
+-      pm_runtime_get_sync(&pdev->dev);
++      error = pm_runtime_resume_and_get(&pdev->dev);
++      if (error < 0)
++              goto out_rpm_disable;
+       /* The Ether-specific entries in the device structure. */
+       ndev->base_addr = res->start;
+@@ -2210,6 +2212,7 @@ static int ravb_probe(struct platform_device *pdev)
+       free_netdev(ndev);
+       pm_runtime_put(&pdev->dev);
++out_rpm_disable:
+       pm_runtime_disable(&pdev->dev);
+       return error;
+ }
+-- 
+2.42.0
+
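Review bot: The new `goto out_rpm_disable` in ravb_probe() lands after `free_netdev(ndev)`, yet `ndev` is already in use at this point (`ndev->hw_features` is assigned just above), so a failing `pm_runtime_resume_and_get()` appears to leak the net_device. The allocation itself is outside the hunk, so this is inferred from the visible lines. Skipping `pm_runtime_put()` on this path is right, but the netdev still needs releasing, for example by handling the failure inline: `if (error < 0) { pm_runtime_disable(&pdev->dev); free_netdev(ndev); return error; }`.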
diff --git a/queue-5.4/net-stmmac-xgmac-disable-fpe-mmc-interrupts.patch b/queue-5.4/net-stmmac-xgmac-disable-fpe-mmc-interrupts.patch
new file mode 100644 (file)
index 0000000..d2d8bc8
--- /dev/null
@@ -0,0 +1,54 @@
+From 4f31b563b388e0796bfa049149febf8228411d46 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Nov 2023 14:01:26 +0800
+Subject: net: stmmac: xgmac: Disable FPE MMC interrupts
+
+From: Furong Xu <0x1207@gmail.com>
+
+[ Upstream commit e54d628a2721bfbb002c19f6e8ca6746cec7640f ]
+
+Commit aeb18dd07692 ("net: stmmac: xgmac: Disable MMC interrupts
+by default") tries to disable MMC interrupts to avoid a storm of
+unhandled interrupts, but leaves the FPE(Frame Preemption) MMC
+interrupts enabled, FPE MMC interrupts can cause the same problem.
+Now we mask FPE TX and RX interrupts to disable all MMC interrupts.
+
+Fixes: aeb18dd07692 ("net: stmmac: xgmac: Disable MMC interrupts by default")
+Reviewed-by: Larysa Zaremba <larysa.zaremba@intel.com>
+Signed-off-by: Furong Xu <0x1207@gmail.com>
+Reviewed-by: Serge Semin <fancer.lancer@gmail.com>
+Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
+Link: https://lore.kernel.org/r/20231125060126.2328690-1-0x1207@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/mmc_core.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/mmc_core.c b/drivers/net/ethernet/stmicro/stmmac/mmc_core.c
+index 252cf48c58166..5b9f344fdd32a 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/mmc_core.c
++++ b/drivers/net/ethernet/stmicro/stmmac/mmc_core.c
+@@ -170,8 +170,10 @@
+ #define MMC_XGMAC_RX_DISCARD_OCT_GB   0x1b4
+ #define MMC_XGMAC_RX_ALIGN_ERR_PKT    0x1bc
++#define MMC_XGMAC_TX_FPE_INTR_MASK    0x204
+ #define MMC_XGMAC_TX_FPE_FRAG         0x208
+ #define MMC_XGMAC_TX_HOLD_REQ         0x20c
++#define MMC_XGMAC_RX_FPE_INTR_MASK    0x224
+ #define MMC_XGMAC_RX_PKT_ASSEMBLY_ERR 0x228
+ #define MMC_XGMAC_RX_PKT_SMD_ERR      0x22c
+ #define MMC_XGMAC_RX_PKT_ASSEMBLY_OK  0x230
+@@ -336,6 +338,8 @@ static void dwxgmac_mmc_intr_all_mask(void __iomem *mmcaddr)
+ {
+       writel(0x0, mmcaddr + MMC_RX_INTR_MASK);
+       writel(0x0, mmcaddr + MMC_TX_INTR_MASK);
++      writel(MMC_DEFAULT_MASK, mmcaddr + MMC_XGMAC_TX_FPE_INTR_MASK);
++      writel(MMC_DEFAULT_MASK, mmcaddr + MMC_XGMAC_RX_FPE_INTR_MASK);
+       writel(MMC_DEFAULT_MASK, mmcaddr + MMC_XGMAC_RX_IPC_INTR_MASK);
+ }
+-- 
+2.42.0
+
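Review bot: dwxgmac_mmc_intr_all_mask() now writes `0x0` to two mask registers and `MMC_DEFAULT_MASK` to three others, and nothing in the function says why the values differ. If the RX/TX registers are enable-style and the FPE/IPC ones mask-style (not verifiable from this hunk), a comment such as `/* FPE and IPC registers are masks: set all bits to disable */` above the new writes would stop someone from later "correcting" one group to match the other. The value of `MMC_DEFAULT_MASK` is defined outside the hunk.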
diff --git a/queue-5.4/ovl-skip-overlayfs-superblocks-at-global-sync.patch b/queue-5.4/ovl-skip-overlayfs-superblocks-at-global-sync.patch
new file mode 100644 (file)
index 0000000..07c9dbf
--- /dev/null
@@ -0,0 +1,84 @@
+From 06cad914b6f00266a3156bb1b3000a22a1582acf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Apr 2020 11:29:47 +0300
+Subject: ovl: skip overlayfs superblocks at global sync
+
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+
+[ Upstream commit 32b1924b210a70dcacdf65abd687c5ef86a67541 ]
+
+Stacked filesystems like overlayfs has no own writeback, but they have to
+forward syncfs() requests to backend for keeping data integrity.
+
+During global sync() each overlayfs instance calls method ->sync_fs() for
+backend although it itself is in global list of superblocks too.  As a
+result one syscall sync() could write one superblock several times and send
+multiple disk barriers.
+
+This patch adds flag SB_I_SKIP_SYNC into sb->sb_iflags to avoid that.
+
+Reported-by: Dmitry Monakhov <dmtrmonakhov@yandex-team.ru>
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Reviewed-by: Amir Goldstein <amir73il@gmail.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Stable-dep-of: b836c4d29f27 ("ima: detect changes to the backing overlay file")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/overlayfs/super.c | 5 +++--
+ fs/sync.c            | 3 ++-
+ include/linux/fs.h   | 2 ++
+ 3 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
+index f5cf0938f298d..fcf453f7f4aef 100644
+--- a/fs/overlayfs/super.c
++++ b/fs/overlayfs/super.c
+@@ -263,8 +263,8 @@ static int ovl_sync_fs(struct super_block *sb, int wait)
+               return 0;
+       /*
+-       * If this is a sync(2) call or an emergency sync, all the super blocks
+-       * will be iterated, including upper_sb, so no need to do anything.
++       * Not called for sync(2) call or an emergency sync (SB_I_SKIP_SYNC).
++       * All the super blocks will be iterated, including upper_sb.
+        *
+        * If this is a syncfs(2) call, then we do need to call
+        * sync_filesystem() on upper_sb, but enough if we do it when being
+@@ -1710,6 +1710,7 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
+       sb->s_xattr = ovl_xattr_handlers;
+       sb->s_fs_info = ofs;
+       sb->s_flags |= SB_POSIXACL;
++      sb->s_iflags |= SB_I_SKIP_SYNC;
+       err = -ENOMEM;
+       root_dentry = d_make_root(ovl_new_inode(sb, S_IFDIR, 0));
+diff --git a/fs/sync.c b/fs/sync.c
+index 4d1ff010bc5af..16c2630ee4bf1 100644
+--- a/fs/sync.c
++++ b/fs/sync.c
+@@ -76,7 +76,8 @@ static void sync_inodes_one_sb(struct super_block *sb, void *arg)
+ static void sync_fs_one_sb(struct super_block *sb, void *arg)
+ {
+-      if (!sb_rdonly(sb) && sb->s_op->sync_fs)
++      if (!sb_rdonly(sb) && !(sb->s_iflags & SB_I_SKIP_SYNC) &&
++          sb->s_op->sync_fs)
+               sb->s_op->sync_fs(sb, *(int *)arg);
+ }
+diff --git a/include/linux/fs.h b/include/linux/fs.h
+index 4b1553f570f2c..fbbd7ef7f6535 100644
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -1404,6 +1404,8 @@ extern int send_sigurg(struct fown_struct *fown);
+ #define SB_I_IMA_UNVERIFIABLE_SIGNATURE       0x00000020
+ #define SB_I_UNTRUSTED_MOUNTER                0x00000040
++#define SB_I_SKIP_SYNC        0x00000100      /* Skip superblock at global sync */
++
+ /* Possible states of 'frozen' field */
+ enum {
+       SB_UNFROZEN = 0,                /* FS is unfrozen */
+-- 
+2.42.0
+
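Review bot: The reworded comment in ovl_sync_fs() reads awkwardly ("Not called for sync(2) call or an emergency sync (SB_I_SKIP_SYNC)") and no longer says who performs the skip. Something like `/* sync(2) and emergency sync never get here: sync_fs_one_sb() skips superblocks with SB_I_SKIP_SYNC, and upper_sb is iterated on its own */` is clearer. The flag's comment in fs.h could likewise note that only the global iteration in sync_fs_one_sb() honours it, so other callers of `->sync_fs` still reach the filesystem. That is what the visible hunks show; callers outside them are not visible here.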
diff --git a/queue-5.4/perf-intel-pt-adjust-sample-flags-for-vm-exit.patch b/queue-5.4/perf-intel-pt-adjust-sample-flags-for-vm-exit.patch
new file mode 100644 (file)
index 0000000..6837771
--- /dev/null
@@ -0,0 +1,54 @@
+From 066b799f813d593968446cf973dd49952030b7a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Feb 2021 11:57:59 +0200
+Subject: perf intel-pt: Adjust sample flags for VM-Exit
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+[ Upstream commit 695fc4510615f8db40ebaf7a2c011f0a594b5f77 ]
+
+Use the change of NR to detect whether an asynchronous branch is a VM-Exit.
+
+Note VM-Entry is determined from the vmlaunch or vmresume instruction,
+in which case, sample flags will show "VMentry" even if the VM-Entry fails.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Acked-by: Andi Kleen <ak@linux.intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Link: https://lore.kernel.org/r/20210218095801.19576-10-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Stable-dep-of: f2d87895cbc4 ("perf intel-pt: Fix async branch flags")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/intel-pt.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c
+index b40832419a279..bead66d65dc0b 100644
+--- a/tools/perf/util/intel-pt.c
++++ b/tools/perf/util/intel-pt.c
+@@ -997,13 +997,16 @@ static void intel_pt_sample_flags(struct intel_pt_queue *ptq)
+       if (ptq->state->flags & INTEL_PT_ABORT_TX) {
+               ptq->flags = PERF_IP_FLAG_BRANCH | PERF_IP_FLAG_TX_ABORT;
+       } else if (ptq->state->flags & INTEL_PT_ASYNC) {
+-              if (ptq->state->to_ip)
++              if (!ptq->state->to_ip)
++                      ptq->flags = PERF_IP_FLAG_BRANCH |
++                                   PERF_IP_FLAG_TRACE_END;
++              else if (ptq->state->from_nr && !ptq->state->to_nr)
++                      ptq->flags = PERF_IP_FLAG_BRANCH | PERF_IP_FLAG_CALL |
++                                   PERF_IP_FLAG_VMEXIT;
++              else
+                       ptq->flags = PERF_IP_FLAG_BRANCH | PERF_IP_FLAG_CALL |
+                                    PERF_IP_FLAG_ASYNC |
+                                    PERF_IP_FLAG_INTERRUPT;
+-              else
+-                      ptq->flags = PERF_IP_FLAG_BRANCH |
+-                                   PERF_IP_FLAG_TRACE_END;
+               ptq->insn_len = 0;
+       } else {
+               if (ptq->state->from_ip)
+-- 
+2.42.0
+
diff --git a/queue-5.4/perf-intel-pt-fix-async-branch-flags.patch b/queue-5.4/perf-intel-pt-fix-async-branch-flags.patch
new file mode 100644 (file)
index 0000000..a7d42ab
--- /dev/null
@@ -0,0 +1,42 @@
+From d20ed623e00c1bb490b735a413de98503691796d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Sep 2023 10:29:53 +0300
+Subject: perf intel-pt: Fix async branch flags
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+[ Upstream commit f2d87895cbc4af80649850dcf5da36de6b2ed3dd ]
+
+Ensure PERF_IP_FLAG_ASYNC is set always for asynchronous branches (i.e.
+interrupts etc).
+
+Fixes: 90e457f7be08 ("perf tools: Add Intel PT support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Link: https://lore.kernel.org/r/20230928072953.19369-1-adrian.hunter@intel.com
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/intel-pt.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c
+index bead66d65dc0b..8da264dd8c286 100644
+--- a/tools/perf/util/intel-pt.c
++++ b/tools/perf/util/intel-pt.c
+@@ -999,9 +999,11 @@ static void intel_pt_sample_flags(struct intel_pt_queue *ptq)
+       } else if (ptq->state->flags & INTEL_PT_ASYNC) {
+               if (!ptq->state->to_ip)
+                       ptq->flags = PERF_IP_FLAG_BRANCH |
++                                   PERF_IP_FLAG_ASYNC |
+                                    PERF_IP_FLAG_TRACE_END;
+               else if (ptq->state->from_nr && !ptq->state->to_nr)
+                       ptq->flags = PERF_IP_FLAG_BRANCH | PERF_IP_FLAG_CALL |
++                                   PERF_IP_FLAG_ASYNC |
+                                    PERF_IP_FLAG_VMEXIT;
+               else
+                       ptq->flags = PERF_IP_FLAG_BRANCH | PERF_IP_FLAG_CALL |
+-- 
+2.42.0
+
diff --git a/queue-5.4/ravb-fix-races-between-ravb_tx_timeout_work-and-net-.patch b/queue-5.4/ravb-fix-races-between-ravb_tx_timeout_work-and-net-.patch
new file mode 100644 (file)
index 0000000..a7e76e9
--- /dev/null
@@ -0,0 +1,79 @@
+From 05a34ef0daf11bd2a8e58aac24fc31a270af3809 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Nov 2023 21:24:20 +0900
+Subject: ravb: Fix races between ravb_tx_timeout_work() and net related ops
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+[ Upstream commit 9870257a0a338cd8d6c1cddab74e703f490f6779 ]
+
+Fix races between ravb_tx_timeout_work() and functions of net_device_ops
+and ethtool_ops by using rtnl_trylock() and rtnl_unlock(). Note that
+since ravb_close() is under the rtnl lock and calls cancel_work_sync(),
+ravb_tx_timeout_work() should calls rtnl_trylock(). Otherwise, a deadlock
+may happen in ravb_tx_timeout_work() like below:
+
+CPU0                   CPU1
+                       ravb_tx_timeout()
+                       schedule_work()
+...
+__dev_close_many()
+// Under rtnl lock
+ravb_close()
+cancel_work_sync()
+// Waiting
+                       ravb_tx_timeout_work()
+                       rtnl_lock()
+                       // This is possible to cause a deadlock
+
+If rtnl_trylock() fails, rescheduling the work with sleep for 1 msec.
+
+Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Link: https://lore.kernel.org/r/20231127122420.3706751-1-yoshihiro.shimoda.uh@renesas.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/ravb_main.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c
+index 367da05ddb1e7..765e55b489dbf 100644
+--- a/drivers/net/ethernet/renesas/ravb_main.c
++++ b/drivers/net/ethernet/renesas/ravb_main.c
+@@ -1435,6 +1435,12 @@ static void ravb_tx_timeout_work(struct work_struct *work)
+       struct net_device *ndev = priv->ndev;
+       int error;
++      if (!rtnl_trylock()) {
++              usleep_range(1000, 2000);
++              schedule_work(&priv->work);
++              return;
++      }
++
+       netif_tx_stop_all_queues(ndev);
+       /* Stop PTP Clock driver */
+@@ -1467,7 +1473,7 @@ static void ravb_tx_timeout_work(struct work_struct *work)
+                */
+               netdev_err(ndev, "%s: ravb_dmac_init() failed, error %d\n",
+                          __func__, error);
+-              return;
++              goto out_unlock;
+       }
+       ravb_emac_init(ndev);
+@@ -1477,6 +1483,9 @@ static void ravb_tx_timeout_work(struct work_struct *work)
+               ravb_ptp_init(ndev, priv->pdev);
+       netif_tx_start_all_queues(ndev);
++
++out_unlock:
++      rtnl_unlock();
+ }
+ /* Packet transmit function for Ethernet AVB */
+-- 
+2.42.0
+
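Review bot: The `rtnl_trylock()` retry block added at the top of ravb_tx_timeout_work() has no comment saying why a blocking `rtnl_lock()` must not be used here; that reasoning lives only in the commit message (ravb_close() runs under rtnl and waits in cancel_work_sync()). I would put `/* Must not block on rtnl: ravb_close() holds it while waiting in cancel_work_sync(), so retry later instead */` above the `if`. The retry is also unbounded, and each failed attempt sleeps 1-2 ms in the worker before re-queueing. Whether the re-queued work can still run while the device is being torn down depends on code outside these hunks and is worth confirming. The function's opening lines are outside the visible hunks.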
diff --git a/queue-5.4/s390-cmma-fix-detection-of-dat-pages.patch b/queue-5.4/s390-cmma-fix-detection-of-dat-pages.patch
new file mode 100644 (file)
index 0000000..9a556f0
--- /dev/null
@@ -0,0 +1,67 @@
+From 71de14f230aae677f94a799a2dfcee84f9037077 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Oct 2023 10:15:19 +0200
+Subject: s390/cmma: fix detection of DAT pages
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+[ Upstream commit 44d93045247661acbd50b1629e62f415f2747577 ]
+
+If the cmma no-dat feature is available the kernel page tables are walked
+to identify and mark all pages which are used for address translation (all
+region, segment, and page tables). In a subsequent loop all other pages are
+marked as "no-dat" pages with the ESSA instruction.
+
+This information is visible to the hypervisor, so that the hypervisor can
+optimize purging of guest TLB entries. The initial loop however is
+incorrect: only the first three of the four pages which belong to segment
+and region tables will be marked as being used for DAT. The last page is
+incorrectly marked as no-dat.
+
+This can result in incorrect guest TLB flushes.
+
+Fix this by simply marking all four pages.
+
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/mm/page-states.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/s390/mm/page-states.c b/arch/s390/mm/page-states.c
+index 10d81deef330f..bef7e07da98ef 100644
+--- a/arch/s390/mm/page-states.c
++++ b/arch/s390/mm/page-states.c
+@@ -131,7 +131,7 @@ static void mark_kernel_pud(p4d_t *p4d, unsigned long addr, unsigned long end)
+                       continue;
+               if (!pud_folded(*pud)) {
+                       page = phys_to_page(pud_val(*pud));
+-                      for (i = 0; i < 3; i++)
++                      for (i = 0; i < 4; i++)
+                               set_bit(PG_arch_1, &page[i].flags);
+               }
+               mark_kernel_pmd(pud, addr, next);
+@@ -152,7 +152,7 @@ static void mark_kernel_p4d(pgd_t *pgd, unsigned long addr, unsigned long end)
+                       continue;
+               if (!p4d_folded(*p4d)) {
+                       page = phys_to_page(p4d_val(*p4d));
+-                      for (i = 0; i < 3; i++)
++                      for (i = 0; i < 4; i++)
+                               set_bit(PG_arch_1, &page[i].flags);
+               }
+               mark_kernel_pud(p4d, addr, next);
+@@ -174,7 +174,7 @@ static void mark_kernel_pgd(void)
+                       continue;
+               if (!pgd_folded(*pgd)) {
+                       page = phys_to_page(pgd_val(*pgd));
+-                      for (i = 0; i < 3; i++)
++                      for (i = 0; i < 4; i++)
+                               set_bit(PG_arch_1, &page[i].flags);
+               }
+               mark_kernel_p4d(pgd, addr, next);
+-- 
+2.42.0
+
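Review bot: The page count is still a bare literal `4`, repeated in the loops of mark_kernel_pud(), mark_kernel_p4d() and mark_kernel_pgd(), and the bug being fixed was exactly a wrong literal in these same three places. A single named constant shared by the three loops would keep them tied to the table size. Failing that, a comment on each loop, such as `/* region and segment tables occupy four pages; mark each one as DAT */`, would record the intent. The commit message notes that this marking is visible to the hypervisor and affects guest TLB flushing, so an undocumented magic number here is worth avoiding. All three functions begin and end outside the hunks.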
diff --git a/queue-5.4/s390-mm-fix-phys-vs-virt-confusion-in-mark_kernel_px.patch b/queue-5.4/s390-mm-fix-phys-vs-virt-confusion-in-mark_kernel_px.patch
new file mode 100644 (file)
index 0000000..cc1016f
--- /dev/null
@@ -0,0 +1,65 @@
+From 75b811b2bb8a3c3bc0c83064628f70c25b4ee9c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Mar 2021 18:32:55 +0200
+Subject: s390/mm: fix phys vs virt confusion in mark_kernel_pXd() functions
+ family
+
+From: Alexander Gordeev <agordeev@linux.ibm.com>
+
+[ Upstream commit 3784231b1e091857bd129fd9658a8b3cedbdcd58 ]
+
+Due to historical reasons mark_kernel_pXd() functions
+misuse the notion of physical vs virtual addresses
+difference.
+
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Stable-dep-of: 44d930452476 ("s390/cmma: fix detection of DAT pages")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/mm/page-states.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/s390/mm/page-states.c b/arch/s390/mm/page-states.c
+index fc141893d0284..10d81deef330f 100644
+--- a/arch/s390/mm/page-states.c
++++ b/arch/s390/mm/page-states.c
+@@ -112,7 +112,7 @@ static void mark_kernel_pmd(pud_t *pud, unsigned long addr, unsigned long end)
+               next = pmd_addr_end(addr, end);
+               if (pmd_none(*pmd) || pmd_large(*pmd))
+                       continue;
+-              page = virt_to_page(pmd_val(*pmd));
++              page = phys_to_page(pmd_val(*pmd));
+               set_bit(PG_arch_1, &page->flags);
+       } while (pmd++, addr = next, addr != end);
+ }
+@@ -130,7 +130,7 @@ static void mark_kernel_pud(p4d_t *p4d, unsigned long addr, unsigned long end)
+               if (pud_none(*pud) || pud_large(*pud))
+                       continue;
+               if (!pud_folded(*pud)) {
+-                      page = virt_to_page(pud_val(*pud));
++                      page = phys_to_page(pud_val(*pud));
+                       for (i = 0; i < 3; i++)
+                               set_bit(PG_arch_1, &page[i].flags);
+               }
+@@ -151,7 +151,7 @@ static void mark_kernel_p4d(pgd_t *pgd, unsigned long addr, unsigned long end)
+               if (p4d_none(*p4d))
+                       continue;
+               if (!p4d_folded(*p4d)) {
+-                      page = virt_to_page(p4d_val(*p4d));
++                      page = phys_to_page(p4d_val(*p4d));
+                       for (i = 0; i < 3; i++)
+                               set_bit(PG_arch_1, &page[i].flags);
+               }
+@@ -173,7 +173,7 @@ static void mark_kernel_pgd(void)
+               if (pgd_none(*pgd))
+                       continue;
+               if (!pgd_folded(*pgd)) {
+-                      page = virt_to_page(pgd_val(*pgd));
++                      page = phys_to_page(pgd_val(*pgd));
+                       for (i = 0; i < 3; i++)
+                               set_bit(PG_arch_1, &page[i].flags);
+               }
+-- 
+2.42.0
+
diff --git a/queue-5.4/scsi-core-introduce-the-scsi_cmd_to_rq-function.patch b/queue-5.4/scsi-core-introduce-the-scsi_cmd_to_rq-function.patch
new file mode 100644 (file)
index 0000000..94388a3
--- /dev/null
@@ -0,0 +1,54 @@
+From d0f346c9e21dbd4dc404d9a10e313ed95318386a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 16:03:04 -0700
+Subject: scsi: core: Introduce the scsi_cmd_to_rq() function
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit 51f3a478892873337c54068d1185bcd797000a52 ]
+
+The 'request' member of struct scsi_cmnd is superfluous. The struct request
+and struct scsi_cmnd data structures are adjacent and hence the request
+pointer can be derived easily from a scsi_cmnd pointer. Introduce a helper
+function that performs that conversion in a type-safe way. This patch is
+the first step towards removing the request member from struct
+scsi_cmnd. Making that change has the following advantages:
+
+ - This is a performance optimization since adding an offset to a pointer
+   takes less time than dereferencing a pointer.
+
+ - struct scsi_cmnd becomes smaller.
+
+Link: https://lore.kernel.org/r/20210809230355.8186-2-bvanassche@acm.org
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Hannes Reinecke <hare@suse.de>
+Cc: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Stable-dep-of: 19597cad64d6 ("scsi: qla2xxx: Fix system crash due to bad pointer access")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/scsi/scsi_cmnd.h | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/include/scsi/scsi_cmnd.h b/include/scsi/scsi_cmnd.h
+index 7738a055d9535..dafde3d764d03 100644
+--- a/include/scsi/scsi_cmnd.h
++++ b/include/scsi/scsi_cmnd.h
+@@ -143,6 +143,12 @@ struct scsi_cmnd {
+       unsigned char tag;      /* SCSI-II queued command tag */
+ };
++/* Variant of blk_mq_rq_from_pdu() that verifies the type of its argument. */
++static inline struct request *scsi_cmd_to_rq(struct scsi_cmnd *scmd)
++{
++      return blk_mq_rq_from_pdu(scmd);
++}
++
+ /*
+  * Return the driver private allocation behind the command.
+  * Only works if cmd_size is set in the host template.
+-- 
+2.42.0
+
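Review bot: The one-line comment on scsi_cmd_to_rq() does not state the precondition the conversion depends on. Per the commit message, the request is derived by pointer offset because struct request and struct scsi_cmnd are adjacent, so the argument must be a command that is really laid out that way. I would extend the comment, e.g. `/* scmd must be the PDU that directly follows a struct request; the result is computed from the pointer, not read from scmd. */`. The type check only rejects other pointer types at compile time; it presumably cannot catch a scsi_cmnd pointer taken from a cast or from a union member that currently holds something else.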
diff --git a/queue-5.4/scsi-qla2xxx-fix-system-crash-due-to-bad-pointer-acc.patch b/queue-5.4/scsi-qla2xxx-fix-system-crash-due-to-bad-pointer-acc.patch
new file mode 100644 (file)
index 0000000..09271ce
--- /dev/null
@@ -0,0 +1,77 @@
+From 0076df71443c65ab7a1479b25490fe1c967b55ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Oct 2023 12:19:12 +0530
+Subject: scsi: qla2xxx: Fix system crash due to bad pointer access
+
+From: Quinn Tran <qutran@marvell.com>
+
+[ Upstream commit 19597cad64d608aa8ac2f8aef50a50187a565223 ]
+
+User experiences system crash when running AER error injection.  The
+perturbation causes the abort-all-I/O path to trigger. The driver assumes
+all I/O on this path is FCP only. If there is both NVMe & FCP traffic, a
+system crash happens. Add additional check to see if I/O is FCP or not
+before access.
+
+PID: 999019  TASK: ff35d769f24722c0  CPU: 53  COMMAND: "kworker/53:1"
+ 0 [ff3f78b964847b58] machine_kexec at ffffffffae86973d
+ 1 [ff3f78b964847ba8] __crash_kexec at ffffffffae9be29d
+ 2 [ff3f78b964847c70] crash_kexec at ffffffffae9bf528
+ 3 [ff3f78b964847c78] oops_end at ffffffffae8282ab
+ 4 [ff3f78b964847c98] exc_page_fault at ffffffffaf2da502
+ 5 [ff3f78b964847cc0] asm_exc_page_fault at ffffffffaf400b62
+   [exception RIP: qla2x00_abort_srb+444]
+   RIP: ffffffffc07b5f8c  RSP: ff3f78b964847d78  RFLAGS: 00010046
+   RAX: 0000000000000282  RBX: ff35d74a0195a200  RCX: ff35d76886fd03a0
+   RDX: 0000000000000001  RSI: ffffffffc07c5ec8  RDI: ff35d74a0195a200
+   RBP: ff35d76913d22080   R8: ff35d7694d103200   R9: ff35d7694d103200
+   R10: 0000000100000000  R11: ffffffffb05d6630  R12: 0000000000010000
+   R13: ff3f78b964847df8  R14: ff35d768d8754000  R15: ff35d768877248e0
+   ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
+ 6 [ff3f78b964847d70] qla2x00_abort_srb at ffffffffc07b5f84 [qla2xxx]
+ 7 [ff3f78b964847de0] __qla2x00_abort_all_cmds at ffffffffc07b6238 [qla2xxx]
+ 8 [ff3f78b964847e38] qla2x00_abort_all_cmds at ffffffffc07ba635 [qla2xxx]
+ 9 [ff3f78b964847e58] qla2x00_terminate_rport_io at ffffffffc08145eb [qla2xxx]
+10 [ff3f78b964847e70] fc_terminate_rport_io at ffffffffc045987e [scsi_transport_fc]
+11 [ff3f78b964847e88] process_one_work at ffffffffae914f15
+12 [ff3f78b964847ed0] worker_thread at ffffffffae9154c0
+13 [ff3f78b964847f10] kthread at ffffffffae91c456
+14 [ff3f78b964847f50] ret_from_fork at ffffffffae8036ef
+
+Cc: stable@vger.kernel.org
+Fixes: f45bca8c5052 ("scsi: qla2xxx: Fix double scsi_done for abort path")
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20231030064912.37912-1-njavali@marvell.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_os.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
+index eb6fb78ebefde..6da85ad96c9b8 100644
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -1705,8 +1705,16 @@ static void qla2x00_abort_srb(struct qla_qpair *qp, srb_t *sp, const int res,
+               }
+               spin_lock_irqsave(qp->qp_lock_ptr, *flags);
+-              if (ret_cmd && blk_mq_request_started(scsi_cmd_to_rq(cmd)))
+-                      sp->done(sp, res);
++              switch (sp->type) {
++              case SRB_SCSI_CMD:
++                      if (ret_cmd && blk_mq_request_started(scsi_cmd_to_rq(cmd)))
++                              sp->done(sp, res);
++                      break;
++              default:
++                      if (ret_cmd)
++                              sp->done(sp, res);
++                      break;
++              }
+       } else {
+               sp->done(sp, res);
+       }
+-- 
+2.42.0
+
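Review bot: The new `switch (sp->type)` has no comment explaining why only SRB_SCSI_CMD may reach `scsi_cmd_to_rq(cmd)`. The reason given in the commit message, that this path can also see NVMe I/O for which `cmd` is not a usable scsi_cmnd, is easy to lose in a later cleanup. A comment above the switch such as `/* cmd is only meaningful for SRB_SCSI_CMD; never derive a request from it for other srb types */` would record it. The two arms also repeat the `ret_cmd` test; `if (ret_cmd && (sp->type != SRB_SCSI_CMD || blk_mq_request_started(scsi_cmd_to_rq(cmd))))` followed by `sp->done(sp, res);` states the same condition once. qla2x00_abort_srb() starts and ends outside this hunk.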
diff --git a/queue-5.4/scsi-qla2xxx-simplify-the-code-for-aborting-scsi-com.patch b/queue-5.4/scsi-qla2xxx-simplify-the-code-for-aborting-scsi-com.patch
new file mode 100644 (file)
index 0000000..41f11df
--- /dev/null
@@ -0,0 +1,148 @@
+From b9082ca9d25d2ef2cb12cd011dbb577ef1d7da4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Feb 2020 20:34:37 -0800
+Subject: scsi: qla2xxx: Simplify the code for aborting SCSI commands
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit c81ef0ed4477c637d1f1dd96ecd8e8fbe18b7283 ]
+
+Since the SCSI core does not reuse the tag of the SCSI command that is
+being aborted by .eh_abort() before .eh_abort() has finished it is not
+necessary to check from inside that callback whether or not the SCSI
+command has already completed. Instead, rely on the firmware to return an
+error code when attempting to abort a command that has already
+completed. Additionally, rely on the firmware to return an error code when
+attempting to abort an already aborted command.
+
+In qla2x00_abort_srb(), use blk_mq_request_started() instead of
+sp->completed and sp->aborted.
+
+Link: https://lore.kernel.org/r/20200220043441.20504-2-bvanassche@acm.org
+Cc: Martin Wilck <mwilck@suse.com>
+Cc: Quinn Tran <qutran@marvell.com>
+Reviewed-by: Daniel Wagner <dwagner@suse.de>
+Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com>
+Acked-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Stable-dep-of: 19597cad64d6 ("scsi: qla2xxx: Fix system crash due to bad pointer access")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_def.h |  3 ---
+ drivers/scsi/qla2xxx/qla_isr.c |  5 -----
+ drivers/scsi/qla2xxx/qla_os.c  | 27 ++++++++++++++-------------
+ 3 files changed, 14 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_def.h b/drivers/scsi/qla2xxx/qla_def.h
+index 2ef6277244f57..bfddae586995a 100644
+--- a/drivers/scsi/qla2xxx/qla_def.h
++++ b/drivers/scsi/qla2xxx/qla_def.h
+@@ -596,9 +596,6 @@ typedef struct srb {
+       struct fc_port *fcport;
+       struct scsi_qla_host *vha;
+       unsigned int start_timer:1;
+-      unsigned int abort:1;
+-      unsigned int aborted:1;
+-      unsigned int completed:1;
+       uint32_t handle;
+       uint16_t flags;
+diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c
+index aca8ec3ff9391..c5021bd1ad5e5 100644
+--- a/drivers/scsi/qla2xxx/qla_isr.c
++++ b/drivers/scsi/qla2xxx/qla_isr.c
+@@ -2479,11 +2479,6 @@ qla2x00_status_entry(scsi_qla_host_t *vha, struct rsp_que *rsp, void *pkt)
+               return;
+       }
+-      if (sp->abort)
+-              sp->aborted = 1;
+-      else
+-              sp->completed = 1;
+-
+       if (sp->cmd_type != TYPE_SRB) {
+               req->outstanding_cmds[handle] = NULL;
+               ql_dbg(ql_dbg_io, vha, 0x3015,
+diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
+index 57f8d2378f778..8329b80c41eb7 100644
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -1243,17 +1243,6 @@ qla2xxx_eh_abort(struct scsi_cmnd *cmd)
+               return fast_fail_status != SUCCESS ? fast_fail_status : FAILED;
+       spin_lock_irqsave(qpair->qp_lock_ptr, flags);
+-      if (sp->completed) {
+-              spin_unlock_irqrestore(qpair->qp_lock_ptr, flags);
+-              return SUCCESS;
+-      }
+-
+-      if (sp->abort || sp->aborted) {
+-              spin_unlock_irqrestore(qpair->qp_lock_ptr, flags);
+-              return FAILED;
+-      }
+-
+-      sp->abort = 1;
+       sp->comp = &comp;
+       spin_unlock_irqrestore(qpair->qp_lock_ptr, flags);
+@@ -1661,6 +1650,10 @@ qla2x00_loop_reset(scsi_qla_host_t *vha)
+       return QLA_SUCCESS;
+ }
++/*
++ * The caller must ensure that no completion interrupts will happen
++ * while this function is in progress.
++ */
+ static void qla2x00_abort_srb(struct qla_qpair *qp, srb_t *sp, const int res,
+                             unsigned long *flags)
+       __releases(qp->qp_lock_ptr)
+@@ -1669,6 +1662,7 @@ static void qla2x00_abort_srb(struct qla_qpair *qp, srb_t *sp, const int res,
+       DECLARE_COMPLETION_ONSTACK(comp);
+       scsi_qla_host_t *vha = qp->vha;
+       struct qla_hw_data *ha = vha->hw;
++      struct scsi_cmnd *cmd = GET_CMD_SP(sp);
+       int rval;
+       bool ret_cmd;
+       uint32_t ratov_j;
+@@ -1688,7 +1682,6 @@ static void qla2x00_abort_srb(struct qla_qpair *qp, srb_t *sp, const int res,
+               }
+               sp->comp = &comp;
+-              sp->abort =  1;
+               spin_unlock_irqrestore(qp->qp_lock_ptr, *flags);
+               rval = ha->isp_ops->abort_command(sp);
+@@ -1712,13 +1705,17 @@ static void qla2x00_abort_srb(struct qla_qpair *qp, srb_t *sp, const int res,
+               }
+               spin_lock_irqsave(qp->qp_lock_ptr, *flags);
+-              if (ret_cmd && (!sp->completed || !sp->aborted))
++              if (ret_cmd && blk_mq_request_started(cmd->request))
+                       sp->done(sp, res);
+       } else {
+               sp->done(sp, res);
+       }
+ }
++/*
++ * The caller must ensure that no completion interrupts will happen
++ * while this function is in progress.
++ */
+ static void
+ __qla2x00_abort_all_cmds(struct qla_qpair *qp, int res)
+ {
+@@ -1776,6 +1773,10 @@ __qla2x00_abort_all_cmds(struct qla_qpair *qp, int res)
+       spin_unlock_irqrestore(qp->qp_lock_ptr, flags);
+ }
++/*
++ * The caller must ensure that no completion interrupts will happen
++ * while this function is in progress.
++ */
+ void
+ qla2x00_abort_all_cmds(scsi_qla_host_t *vha, int res)
+ {
+-- 
+2.42.0
+
diff --git a/queue-5.4/scsi-qla2xxx-use-scsi_cmd_to_rq-instead-of-scsi_cmnd.patch b/queue-5.4/scsi-qla2xxx-use-scsi_cmd_to_rq-instead-of-scsi_cmnd.patch
new file mode 100644 (file)
index 0000000..c427c2b
--- /dev/null
@@ -0,0 +1,46 @@
+From f2bda75431e401cf645d5ff6890b14d18be641a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Aug 2021 16:03:41 -0700
+Subject: scsi: qla2xxx: Use scsi_cmd_to_rq() instead of scsi_cmnd.request
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+[ Upstream commit c7d6b2c2cd5656b05849afb0de3f422da1742d0f ]
+
+Prepare for removal of the request pointer by using scsi_cmd_to_rq()
+instead. This patch does not change any functionality.
+
+Link: https://lore.kernel.org/r/20210809230355.8186-39-bvanassche@acm.org
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Stable-dep-of: 19597cad64d6 ("scsi: qla2xxx: Fix system crash due to bad pointer access")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/qla2xxx/qla_os.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
+index 8329b80c41eb7..eb6fb78ebefde 100644
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -814,7 +814,7 @@ qla2xxx_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *cmd)
+               uint16_t hwq;
+               struct qla_qpair *qpair = NULL;
+-              tag = blk_mq_unique_tag(cmd->request);
++              tag = blk_mq_unique_tag(scsi_cmd_to_rq(cmd));
+               hwq = blk_mq_unique_tag_to_hwq(tag);
+               qpair = ha->queue_pair_map[hwq];
+@@ -1705,7 +1705,7 @@ static void qla2x00_abort_srb(struct qla_qpair *qp, srb_t *sp, const int res,
+               }
+               spin_lock_irqsave(qp->qp_lock_ptr, *flags);
+-              if (ret_cmd && blk_mq_request_started(cmd->request))
++              if (ret_cmd && blk_mq_request_started(scsi_cmd_to_rq(cmd)))
+                       sp->done(sp, res);
+       } else {
+               sp->done(sp, res);
+-- 
+2.42.0
+
index e7dfb207e67a8e637bf6248196b63355d72c90e4..525fbab3090e79439eb82c4c841d25cd43280ce1 100644 (file)
@@ -64,3 +64,30 @@ btrfs-fix-off-by-one-when-checking-chunk-map-includes-logical-address.patch
 btrfs-send-ensure-send_fd-is-writable.patch
 btrfs-make-error-messages-more-clear-when-getting-a-chunk-map.patch
 input-xpad-add-hyperx-clutch-gladiate-support.patch
+ipv4-igmp-fix-refcnt-uaf-issue-when-receiving-igmp-q.patch
+net-stmmac-xgmac-disable-fpe-mmc-interrupts.patch
+ravb-fix-races-between-ravb_tx_timeout_work-and-net-.patch
+net-ravb-use-pm_runtime_resume_and_get.patch
+net-ravb-start-tx-queues-after-hw-initialization-suc.patch
+perf-intel-pt-adjust-sample-flags-for-vm-exit.patch
+perf-intel-pt-fix-async-branch-flags.patch
+ext4-improve-write-performance-with-disabled-delallo.patch
+ext4-mark-buffer-new-if-it-is-unwritten-to-avoid-sta.patch
+smb3-fix-touch-h-of-symlink.patch
+s390-mm-fix-phys-vs-virt-confusion-in-mark_kernel_px.patch
+s390-cmma-fix-detection-of-dat-pages.patch
+arm64-kconfig-add-a-choice-for-endianness.patch
+arm64-make-cpu_big_endian-depend-on-ld.bfd-or-ld.lld.patch
+arm64-restrict-cpu_big_endian-to-gnu-as-or-llvm-ias-.patch
+mtd-cfi_cmdset_0001-support-the-absence-of-protectio.patch
+mtd-cfi_cmdset_0001-byte-swap-otp-info.patch
+fbdev-stifb-make-the-sti-next-font-pointer-a-32-bit-.patch
+ima-annotate-iint-mutex-to-avoid-lockdep-false-posit.patch
+ovl-skip-overlayfs-superblocks-at-global-sync.patch
+ima-detect-changes-to-the-backing-overlay-file.patch
+scsi-qla2xxx-simplify-the-code-for-aborting-scsi-com.patch
+scsi-core-introduce-the-scsi_cmd_to_rq-function.patch
+scsi-qla2xxx-use-scsi_cmd_to_rq-instead-of-scsi_cmnd.patch
+scsi-qla2xxx-fix-system-crash-due-to-bad-pointer-acc.patch
+cpufreq-imx6q-don-t-warn-for-disabling-a-non-existin.patch
+cpufreq-imx6q-don-t-disable-792-mhz-opp-unnecessaril.patch
diff --git a/queue-5.4/smb3-fix-touch-h-of-symlink.patch b/queue-5.4/smb3-fix-touch-h-of-symlink.patch
new file mode 100644 (file)
index 0000000..1d92c12
--- /dev/null
@@ -0,0 +1,40 @@
+From 46a4b3c859d93ff6de2930ac65868aeba2b0d401 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Oct 2023 12:18:23 -0500
+Subject: smb3: fix touch -h of symlink
+
+From: Steve French <stfrench@microsoft.com>
+
+[ Upstream commit 475efd9808a3094944a56240b2711349e433fb66 ]
+
+For example:
+      touch -h -t 02011200 testfile
+where testfile is a symlink would not change the timestamp, but
+      touch -t 02011200 testfile
+does work to change the timestamp of the target
+
+Suggested-by: David Howells <dhowells@redhat.com>
+Reported-by: Micah Veilleux <micah.veilleux@iba-group.com>
+Closes: https://bugzilla.samba.org/show_bug.cgi?id=14476
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/cifsfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
+index b6149952ab846..917441e3018ad 100644
+--- a/fs/cifs/cifsfs.c
++++ b/fs/cifs/cifsfs.c
+@@ -1062,6 +1062,7 @@ const struct inode_operations cifs_file_inode_ops = {
+ const struct inode_operations cifs_symlink_inode_ops = {
+       .get_link = cifs_get_link,
++      .setattr = cifs_setattr,
+       .permission = cifs_permission,
+       .listxattr = cifs_listxattr,
+ };
+-- 
+2.42.0
+