6.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 19 Feb 2024 19:04:36 +0000 (20:04 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 19 Feb 2024 19:04:36 +0000 (20:04 +0100)
added patches:
asoc-amd-yc-add-dmi-quirk-for-lenovo-ideapad-pro-5-16arp8.patch
can-j1939-fix-uaf-in-j1939_sk_match_filter-during-setsockopt-so_j1939_filter.patch
can-j1939-prevent-deadlock-by-changing-j1939_socks_lock-to-rwlock.patch
can-netlink-fix-tdco-calculation-using-the-old-data-bittiming.patch
ceph-prevent-use-after-free-in-encode_cap_msg.patch
crypto-ccp-fix-null-pointer-dereference-in-__sev_platform_shutdown_locked.patch
exit-wait_task_zombie-kill-the-no-longer-necessary-spin_lock_irq-siglock.patch
fs-hugetlb-fix-null-pointer-dereference-in-hugetlbs_fill_super.patch
fs-proc-do_task_stat-move-thread_group_cputime_adjusted-outside-of-lock_task_sighand.patch
fs-relax-mount_setattr-permission-checks.patch
hv_netvsc-register-vf-in-netvsc_probe-if-net_device_register-missed.patch
irqchip-gic-v3-its-fix-gicv4.1-vpe-affinity-update.patch
irqchip-irq-brcmstb-l2-add-write-memory-barrier-before-exit.patch
mm-hugetlb-pages-should-not-be-reserved-by-shmat-if-shm_noreserve.patch
mmc-sdhci-pci-o2micro-fix-a-warm-reboot-issue-that-disk-can-t-be-detected-by-bios.patch
net-ethernet-ti-cpsw-enable-mac_managed_pm-to-fix-mdio.patch
net-ethernet-ti-cpsw_new-enable-mac_managed_pm-to-fix-mdio.patch
nfp-flower-prevent-re-adding-mac-index-for-bonded-port.patch
nfp-use-correct-macro-for-lengthselect-in-bar-config.patch
of-property-fix-typo-in-io-channels.patch
pmdomain-core-move-the-unused-cleanup-to-a-_sync-initcall.patch
s390-qeth-fix-potential-loss-of-l3-ip-in-case-of-network-issues.patch
tools-rtla-exit-with-exit_success-when-help-is-invoked.patch
tools-rtla-fix-makefile-compiler-options-for-clang.patch
tools-rtla-fix-uninitialized-bucket-data-bucket_size-warning.patch
tools-rtla-remove-unused-sched_getattr-function.patch
tools-rtla-replace-setting-prio-with-nice-for-sched_other.patch
wifi-cfg80211-fix-wiphy-delayed-work-queueing.patch
wifi-mac80211-reload-info-pointer-in-ieee80211_tx_dequeue.patch
zonefs-improve-error-handling.patch

31 files changed:
queue-6.1/asoc-amd-yc-add-dmi-quirk-for-lenovo-ideapad-pro-5-16arp8.patch [new file with mode: 0644]
queue-6.1/can-j1939-fix-uaf-in-j1939_sk_match_filter-during-setsockopt-so_j1939_filter.patch [new file with mode: 0644]
queue-6.1/can-j1939-prevent-deadlock-by-changing-j1939_socks_lock-to-rwlock.patch [new file with mode: 0644]
queue-6.1/can-netlink-fix-tdco-calculation-using-the-old-data-bittiming.patch [new file with mode: 0644]
queue-6.1/ceph-prevent-use-after-free-in-encode_cap_msg.patch [new file with mode: 0644]
queue-6.1/crypto-ccp-fix-null-pointer-dereference-in-__sev_platform_shutdown_locked.patch [new file with mode: 0644]
queue-6.1/exit-wait_task_zombie-kill-the-no-longer-necessary-spin_lock_irq-siglock.patch [new file with mode: 0644]
queue-6.1/fs-hugetlb-fix-null-pointer-dereference-in-hugetlbs_fill_super.patch [new file with mode: 0644]
queue-6.1/fs-proc-do_task_stat-move-thread_group_cputime_adjusted-outside-of-lock_task_sighand.patch [new file with mode: 0644]
queue-6.1/fs-relax-mount_setattr-permission-checks.patch [new file with mode: 0644]
queue-6.1/hv_netvsc-register-vf-in-netvsc_probe-if-net_device_register-missed.patch [new file with mode: 0644]
queue-6.1/irqchip-gic-v3-its-fix-gicv4.1-vpe-affinity-update.patch [new file with mode: 0644]
queue-6.1/irqchip-irq-brcmstb-l2-add-write-memory-barrier-before-exit.patch [new file with mode: 0644]
queue-6.1/mm-hugetlb-pages-should-not-be-reserved-by-shmat-if-shm_noreserve.patch [new file with mode: 0644]
queue-6.1/mmc-sdhci-pci-o2micro-fix-a-warm-reboot-issue-that-disk-can-t-be-detected-by-bios.patch [new file with mode: 0644]
queue-6.1/net-ethernet-ti-cpsw-enable-mac_managed_pm-to-fix-mdio.patch [new file with mode: 0644]
queue-6.1/net-ethernet-ti-cpsw_new-enable-mac_managed_pm-to-fix-mdio.patch [new file with mode: 0644]
queue-6.1/nfp-flower-prevent-re-adding-mac-index-for-bonded-port.patch [new file with mode: 0644]
queue-6.1/nfp-use-correct-macro-for-lengthselect-in-bar-config.patch [new file with mode: 0644]
queue-6.1/of-property-fix-typo-in-io-channels.patch [new file with mode: 0644]
queue-6.1/pmdomain-core-move-the-unused-cleanup-to-a-_sync-initcall.patch [new file with mode: 0644]
queue-6.1/s390-qeth-fix-potential-loss-of-l3-ip-in-case-of-network-issues.patch [new file with mode: 0644]
queue-6.1/series
queue-6.1/tools-rtla-exit-with-exit_success-when-help-is-invoked.patch [new file with mode: 0644]
queue-6.1/tools-rtla-fix-makefile-compiler-options-for-clang.patch [new file with mode: 0644]
queue-6.1/tools-rtla-fix-uninitialized-bucket-data-bucket_size-warning.patch [new file with mode: 0644]
queue-6.1/tools-rtla-remove-unused-sched_getattr-function.patch [new file with mode: 0644]
queue-6.1/tools-rtla-replace-setting-prio-with-nice-for-sched_other.patch [new file with mode: 0644]
queue-6.1/wifi-cfg80211-fix-wiphy-delayed-work-queueing.patch [new file with mode: 0644]
queue-6.1/wifi-mac80211-reload-info-pointer-in-ieee80211_tx_dequeue.patch [new file with mode: 0644]
queue-6.1/zonefs-improve-error-handling.patch [new file with mode: 0644]

diff --git a/queue-6.1/asoc-amd-yc-add-dmi-quirk-for-lenovo-ideapad-pro-5-16arp8.patch b/queue-6.1/asoc-amd-yc-add-dmi-quirk-for-lenovo-ideapad-pro-5-16arp8.patch
new file mode 100644 (file)
index 0000000..f05d7ab
--- /dev/null
@@ -0,0 +1,39 @@
+From 610010737f74482a61896596a0116876ecf9e65c Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Mon, 5 Feb 2024 15:48:53 -0600
+Subject: ASoC: amd: yc: Add DMI quirk for Lenovo Ideapad Pro 5 16ARP8
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit 610010737f74482a61896596a0116876ecf9e65c upstream.
+
+The laptop requires a quirk ID to enable its internal microphone. Add
+it to the DMI quirk table.
+
+Reported-by: Stanislav Petrov <stanislav.i.petrov@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=216925
+Cc: stable@vger.kernel.org
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://lore.kernel.org/r/20240205214853.2689-1-mario.limonciello@amd.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -245,6 +245,13 @@ static const struct dmi_system_id yc_acp
+               .driver_data = &acp6x_card,
+               .matches = {
+                       DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "83AS"),
++              }
++      },
++      {
++              .driver_data = &acp6x_card,
++              .matches = {
++                      DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
+                       DMI_MATCH(DMI_PRODUCT_NAME, "82UG"),
+               }
+       },
diff --git a/queue-6.1/can-j1939-fix-uaf-in-j1939_sk_match_filter-during-setsockopt-so_j1939_filter.patch b/queue-6.1/can-j1939-fix-uaf-in-j1939_sk_match_filter-during-setsockopt-so_j1939_filter.patch
new file mode 100644 (file)
index 0000000..f740f98
--- /dev/null
@@ -0,0 +1,194 @@
+From efe7cf828039aedb297c1f9920b638fffee6aabc Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+Date: Fri, 20 Oct 2023 15:38:14 +0200
+Subject: can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+commit efe7cf828039aedb297c1f9920b638fffee6aabc upstream.
+
+Lock jsk->sk to prevent UAF when setsockopt(..., SO_J1939_FILTER, ...)
+modifies jsk->filters while receiving packets.
+
+Following trace was seen on affected system:
+ ==================================================================
+ BUG: KASAN: slab-use-after-free in j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
+ Read of size 4 at addr ffff888012144014 by task j1939/350
+
+ CPU: 0 PID: 350 Comm: j1939 Tainted: G        W  OE      6.5.0-rc5 #1
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
+ Call Trace:
+  print_report+0xd3/0x620
+  ? kasan_complete_mode_report_info+0x7d/0x200
+  ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
+  kasan_report+0xc2/0x100
+  ? j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
+  __asan_load4+0x84/0xb0
+  j1939_sk_recv_match_one+0x1af/0x2d0 [can_j1939]
+  j1939_sk_recv+0x20b/0x320 [can_j1939]
+  ? __kasan_check_write+0x18/0x20
+  ? __pfx_j1939_sk_recv+0x10/0x10 [can_j1939]
+  ? j1939_simple_recv+0x69/0x280 [can_j1939]
+  ? j1939_ac_recv+0x5e/0x310 [can_j1939]
+  j1939_can_recv+0x43f/0x580 [can_j1939]
+  ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]
+  ? raw_rcv+0x42/0x3c0 [can_raw]
+  ? __pfx_j1939_can_recv+0x10/0x10 [can_j1939]
+  can_rcv_filter+0x11f/0x350 [can]
+  can_receive+0x12f/0x190 [can]
+  ? __pfx_can_rcv+0x10/0x10 [can]
+  can_rcv+0xdd/0x130 [can]
+  ? __pfx_can_rcv+0x10/0x10 [can]
+  __netif_receive_skb_one_core+0x13d/0x150
+  ? __pfx___netif_receive_skb_one_core+0x10/0x10
+  ? __kasan_check_write+0x18/0x20
+  ? _raw_spin_lock_irq+0x8c/0xe0
+  __netif_receive_skb+0x23/0xb0
+  process_backlog+0x107/0x260
+  __napi_poll+0x69/0x310
+  net_rx_action+0x2a1/0x580
+  ? __pfx_net_rx_action+0x10/0x10
+  ? __pfx__raw_spin_lock+0x10/0x10
+  ? handle_irq_event+0x7d/0xa0
+  __do_softirq+0xf3/0x3f8
+  do_softirq+0x53/0x80
+  </IRQ>
+  <TASK>
+  __local_bh_enable_ip+0x6e/0x70
+  netif_rx+0x16b/0x180
+  can_send+0x32b/0x520 [can]
+  ? __pfx_can_send+0x10/0x10 [can]
+  ? __check_object_size+0x299/0x410
+  raw_sendmsg+0x572/0x6d0 [can_raw]
+  ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]
+  ? apparmor_socket_sendmsg+0x2f/0x40
+  ? __pfx_raw_sendmsg+0x10/0x10 [can_raw]
+  sock_sendmsg+0xef/0x100
+  sock_write_iter+0x162/0x220
+  ? __pfx_sock_write_iter+0x10/0x10
+  ? __rtnl_unlock+0x47/0x80
+  ? security_file_permission+0x54/0x320
+  vfs_write+0x6ba/0x750
+  ? __pfx_vfs_write+0x10/0x10
+  ? __fget_light+0x1ca/0x1f0
+  ? __rcu_read_unlock+0x5b/0x280
+  ksys_write+0x143/0x170
+  ? __pfx_ksys_write+0x10/0x10
+  ? __kasan_check_read+0x15/0x20
+  ? fpregs_assert_state_consistent+0x62/0x70
+  __x64_sys_write+0x47/0x60
+  do_syscall_64+0x60/0x90
+  ? do_syscall_64+0x6d/0x90
+  ? irqentry_exit+0x3f/0x50
+  ? exc_page_fault+0x79/0xf0
+  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+ Allocated by task 348:
+  kasan_save_stack+0x2a/0x50
+  kasan_set_track+0x29/0x40
+  kasan_save_alloc_info+0x1f/0x30
+  __kasan_kmalloc+0xb5/0xc0
+  __kmalloc_node_track_caller+0x67/0x160
+  j1939_sk_setsockopt+0x284/0x450 [can_j1939]
+  __sys_setsockopt+0x15c/0x2f0
+  __x64_sys_setsockopt+0x6b/0x80
+  do_syscall_64+0x60/0x90
+  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+ Freed by task 349:
+  kasan_save_stack+0x2a/0x50
+  kasan_set_track+0x29/0x40
+  kasan_save_free_info+0x2f/0x50
+  __kasan_slab_free+0x12e/0x1c0
+  __kmem_cache_free+0x1b9/0x380
+  kfree+0x7a/0x120
+  j1939_sk_setsockopt+0x3b2/0x450 [can_j1939]
+  __sys_setsockopt+0x15c/0x2f0
+  __x64_sys_setsockopt+0x6b/0x80
+  do_syscall_64+0x60/0x90
+  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
+
+Fixes: 9d71dd0c70099 ("can: add support of SAE J1939 protocol")
+Reported-by: Sili Luo <rootlab@huawei.com>
+Suggested-by: Sili Luo <rootlab@huawei.com>
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://lore.kernel.org/all/20231020133814.383996-1-o.rempel@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/j1939/j1939-priv.h |    1 +
+ net/can/j1939/socket.c     |   22 ++++++++++++++++++----
+ 2 files changed, 19 insertions(+), 4 deletions(-)
+
+--- a/net/can/j1939/j1939-priv.h
++++ b/net/can/j1939/j1939-priv.h
+@@ -301,6 +301,7 @@ struct j1939_sock {
+       int ifindex;
+       struct j1939_addr addr;
++      spinlock_t filters_lock;
+       struct j1939_filter *filters;
+       int nfilters;
+       pgn_t pgn_rx_filter;
+--- a/net/can/j1939/socket.c
++++ b/net/can/j1939/socket.c
+@@ -262,12 +262,17 @@ static bool j1939_sk_match_dst(struct j1
+ static bool j1939_sk_match_filter(struct j1939_sock *jsk,
+                                 const struct j1939_sk_buff_cb *skcb)
+ {
+-      const struct j1939_filter *f = jsk->filters;
+-      int nfilter = jsk->nfilters;
++      const struct j1939_filter *f;
++      int nfilter;
++
++      spin_lock_bh(&jsk->filters_lock);
++
++      f = jsk->filters;
++      nfilter = jsk->nfilters;
+       if (!nfilter)
+               /* receive all when no filters are assigned */
+-              return true;
++              goto filter_match_found;
+       for (; nfilter; ++f, --nfilter) {
+               if ((skcb->addr.pgn & f->pgn_mask) != f->pgn)
+@@ -276,9 +281,15 @@ static bool j1939_sk_match_filter(struct
+                       continue;
+               if ((skcb->addr.src_name & f->name_mask) != f->name)
+                       continue;
+-              return true;
++              goto filter_match_found;
+       }
++
++      spin_unlock_bh(&jsk->filters_lock);
+       return false;
++
++filter_match_found:
++      spin_unlock_bh(&jsk->filters_lock);
++      return true;
+ }
+ static bool j1939_sk_recv_match_one(struct j1939_sock *jsk,
+@@ -401,6 +412,7 @@ static int j1939_sk_init(struct sock *sk
+       atomic_set(&jsk->skb_pending, 0);
+       spin_lock_init(&jsk->sk_session_queue_lock);
+       INIT_LIST_HEAD(&jsk->sk_session_queue);
++      spin_lock_init(&jsk->filters_lock);
+       /* j1939_sk_sock_destruct() depends on SOCK_RCU_FREE flag */
+       sock_set_flag(sk, SOCK_RCU_FREE);
+@@ -703,9 +715,11 @@ static int j1939_sk_setsockopt(struct so
+               }
+               lock_sock(&jsk->sk);
++              spin_lock_bh(&jsk->filters_lock);
+               ofilters = jsk->filters;
+               jsk->filters = filters;
+               jsk->nfilters = count;
++              spin_unlock_bh(&jsk->filters_lock);
+               release_sock(&jsk->sk);
+               kfree(ofilters);
+               return 0;
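Review bot: The new `filters_lock` member of `struct j1939_sock` in j1939-priv.h has no comment saying what it guards, so the rule this fix depends on is only recorded in the commit message; I would add `/* protects filters and nfilters against concurrent SO_J1939_FILTER updates */` above it. It is worth a line on `j1939_sk_match_filter()` as well that the lock is held for the whole filter walk, because that is what keeps the array alive until `j1939_sk_setsockopt()` has swapped the pointer and calls `kfree(ofilters)` after unlocking. Judging from the KASAN trace the matcher runs from the softirq receive path, presumably with `j1939_socks_lock` already held, so the nesting order (`j1939_socks_lock`, then `filters_lock`) should be written down next to the field too. Both `j1939_sk_init()` and `j1939_sk_setsockopt()` extend beyond the hunks shown.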
diff --git a/queue-6.1/can-j1939-prevent-deadlock-by-changing-j1939_socks_lock-to-rwlock.patch b/queue-6.1/can-j1939-prevent-deadlock-by-changing-j1939_socks_lock-to-rwlock.patch
new file mode 100644 (file)
index 0000000..d3cab9a
--- /dev/null
@@ -0,0 +1,153 @@
+From 6cdedc18ba7b9dacc36466e27e3267d201948c8d Mon Sep 17 00:00:00 2001
+From: Ziqi Zhao <astrajoan@yahoo.com>
+Date: Fri, 21 Jul 2023 09:22:26 -0700
+Subject: can: j1939: prevent deadlock by changing j1939_socks_lock to rwlock
+
+From: Ziqi Zhao <astrajoan@yahoo.com>
+
+commit 6cdedc18ba7b9dacc36466e27e3267d201948c8d upstream.
+
+The following 3 locks would race against each other, causing the
+deadlock situation in the Syzbot bug report:
+
+- j1939_socks_lock
+- active_session_list_lock
+- sk_session_queue_lock
+
+A reasonable fix is to change j1939_socks_lock to an rwlock, since in
+the rare situations where a write lock is required for the linked list
+that j1939_socks_lock is protecting, the code does not attempt to
+acquire any more locks. This would break the circular lock dependency,
+where, for example, the current thread already locks j1939_socks_lock
+and attempts to acquire sk_session_queue_lock, and at the same time,
+another thread attempts to acquire j1939_socks_lock while holding
+sk_session_queue_lock.
+
+NOTE: This patch along does not fix the unregister_netdevice bug
+reported by Syzbot; instead, it solves a deadlock situation to prepare
+for one or more further patches to actually fix the Syzbot bug, which
+appears to be a reference counting problem within the j1939 codebase.
+
+Reported-by: <syzbot+1591462f226d9cbf0564@syzkaller.appspotmail.com>
+Signed-off-by: Ziqi Zhao <astrajoan@yahoo.com>
+Reviewed-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Link: https://lore.kernel.org/all/20230721162226.8639-1-astrajoan@yahoo.com
+[mkl: remove unrelated newline change]
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/can/j1939/j1939-priv.h |    2 +-
+ net/can/j1939/main.c       |    2 +-
+ net/can/j1939/socket.c     |   24 ++++++++++++------------
+ 3 files changed, 14 insertions(+), 14 deletions(-)
+
+--- a/net/can/j1939/j1939-priv.h
++++ b/net/can/j1939/j1939-priv.h
+@@ -86,7 +86,7 @@ struct j1939_priv {
+       unsigned int tp_max_packet_size;
+       /* lock for j1939_socks list */
+-      spinlock_t j1939_socks_lock;
++      rwlock_t j1939_socks_lock;
+       struct list_head j1939_socks;
+       struct kref rx_kref;
+--- a/net/can/j1939/main.c
++++ b/net/can/j1939/main.c
+@@ -274,7 +274,7 @@ struct j1939_priv *j1939_netdev_start(st
+               return ERR_PTR(-ENOMEM);
+       j1939_tp_init(priv);
+-      spin_lock_init(&priv->j1939_socks_lock);
++      rwlock_init(&priv->j1939_socks_lock);
+       INIT_LIST_HEAD(&priv->j1939_socks);
+       mutex_lock(&j1939_netdev_lock);
+--- a/net/can/j1939/socket.c
++++ b/net/can/j1939/socket.c
+@@ -80,16 +80,16 @@ static void j1939_jsk_add(struct j1939_p
+       jsk->state |= J1939_SOCK_BOUND;
+       j1939_priv_get(priv);
+-      spin_lock_bh(&priv->j1939_socks_lock);
++      write_lock_bh(&priv->j1939_socks_lock);
+       list_add_tail(&jsk->list, &priv->j1939_socks);
+-      spin_unlock_bh(&priv->j1939_socks_lock);
++      write_unlock_bh(&priv->j1939_socks_lock);
+ }
+ static void j1939_jsk_del(struct j1939_priv *priv, struct j1939_sock *jsk)
+ {
+-      spin_lock_bh(&priv->j1939_socks_lock);
++      write_lock_bh(&priv->j1939_socks_lock);
+       list_del_init(&jsk->list);
+-      spin_unlock_bh(&priv->j1939_socks_lock);
++      write_unlock_bh(&priv->j1939_socks_lock);
+       j1939_priv_put(priv);
+       jsk->state &= ~J1939_SOCK_BOUND;
+@@ -329,13 +329,13 @@ bool j1939_sk_recv_match(struct j1939_pr
+       struct j1939_sock *jsk;
+       bool match = false;
+-      spin_lock_bh(&priv->j1939_socks_lock);
++      read_lock_bh(&priv->j1939_socks_lock);
+       list_for_each_entry(jsk, &priv->j1939_socks, list) {
+               match = j1939_sk_recv_match_one(jsk, skcb);
+               if (match)
+                       break;
+       }
+-      spin_unlock_bh(&priv->j1939_socks_lock);
++      read_unlock_bh(&priv->j1939_socks_lock);
+       return match;
+ }
+@@ -344,11 +344,11 @@ void j1939_sk_recv(struct j1939_priv *pr
+ {
+       struct j1939_sock *jsk;
+-      spin_lock_bh(&priv->j1939_socks_lock);
++      read_lock_bh(&priv->j1939_socks_lock);
+       list_for_each_entry(jsk, &priv->j1939_socks, list) {
+               j1939_sk_recv_one(jsk, skb);
+       }
+-      spin_unlock_bh(&priv->j1939_socks_lock);
++      read_unlock_bh(&priv->j1939_socks_lock);
+ }
+ static void j1939_sk_sock_destruct(struct sock *sk)
+@@ -1080,12 +1080,12 @@ void j1939_sk_errqueue(struct j1939_sess
+       }
+       /* spread RX notifications to all sockets subscribed to this session */
+-      spin_lock_bh(&priv->j1939_socks_lock);
++      read_lock_bh(&priv->j1939_socks_lock);
+       list_for_each_entry(jsk, &priv->j1939_socks, list) {
+               if (j1939_sk_recv_match_one(jsk, &session->skcb))
+                       __j1939_sk_errqueue(session, &jsk->sk, type);
+       }
+-      spin_unlock_bh(&priv->j1939_socks_lock);
++      read_unlock_bh(&priv->j1939_socks_lock);
+ };
+ void j1939_sk_send_loop_abort(struct sock *sk, int err)
+@@ -1273,7 +1273,7 @@ void j1939_sk_netdev_event_netdown(struc
+       struct j1939_sock *jsk;
+       int error_code = ENETDOWN;
+-      spin_lock_bh(&priv->j1939_socks_lock);
++      read_lock_bh(&priv->j1939_socks_lock);
+       list_for_each_entry(jsk, &priv->j1939_socks, list) {
+               jsk->sk.sk_err = error_code;
+               if (!sock_flag(&jsk->sk, SOCK_DEAD))
+@@ -1281,7 +1281,7 @@ void j1939_sk_netdev_event_netdown(struc
+               j1939_sk_queue_drop_all(priv, jsk, error_code);
+       }
+-      spin_unlock_bh(&priv->j1939_socks_lock);
++      read_unlock_bh(&priv->j1939_socks_lock);
+ }
+ static int j1939_sk_no_ioctlcmd(struct socket *sock, unsigned int cmd,
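Review bot: The comment `/* lock for j1939_socks list */` on `j1939_socks_lock` in j1939-priv.h is left unchanged although the lock's contract changes: list walkers now take it shared and can run concurrently, so it no longer serialises what is done to each socket inside the loops. `j1939_sk_netdev_event_netdown()` writes `jsk->sk.sk_err` and calls `j1939_sk_queue_drop_all()` under `read_lock_bh()`, and `j1939_sk_errqueue()` queues notifications the same way; that is safe only if those per-socket paths carry their own protection, which cannot be confirmed from these hunks. I would extend the comment to something like `/* rwlock for j1939_socks list; readers may run concurrently and must not rely on it to protect per-socket state */`. Several of the touched functions start or end outside the hunks shown.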
diff --git a/queue-6.1/can-netlink-fix-tdco-calculation-using-the-old-data-bittiming.patch b/queue-6.1/can-netlink-fix-tdco-calculation-using-the-old-data-bittiming.patch
new file mode 100644 (file)
index 0000000..4c26648
--- /dev/null
@@ -0,0 +1,35 @@
+From 2aa0a5e65eae27dbd96faca92c84ecbf6f492d42 Mon Sep 17 00:00:00 2001
+From: Maxime Jayat <maxime.jayat@mobile-devices.fr>
+Date: Mon, 6 Nov 2023 19:01:58 +0100
+Subject: can: netlink: Fix TDCO calculation using the old data bittiming
+
+From: Maxime Jayat <maxime.jayat@mobile-devices.fr>
+
+commit 2aa0a5e65eae27dbd96faca92c84ecbf6f492d42 upstream.
+
+The TDCO calculation was done using the currently applied data bittiming,
+instead of the newly computed data bittiming, which means that the TDCO
+had an invalid value unless setting the same data bittiming twice.
+
+Fixes: d99755f71a80 ("can: netlink: add interface for CAN-FD Transmitter Delay Compensation (TDC)")
+Signed-off-by: Maxime Jayat <maxime.jayat@mobile-devices.fr>
+Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Link: https://lore.kernel.org/all/40579c18-63c0-43a4-8d4c-f3a6c1c0b417@munic.io
+Cc: stable@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/dev/netlink.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/dev/netlink.c
++++ b/drivers/net/can/dev/netlink.c
+@@ -311,7 +311,7 @@ static int can_changelink(struct net_dev
+                       /* Neither of TDC parameters nor TDC flags are
+                        * provided: do calculation
+                        */
+-                      can_calc_tdco(&priv->tdc, priv->tdc_const, &priv->data_bittiming,
++                      can_calc_tdco(&priv->tdc, priv->tdc_const, &dbt,
+                                     &priv->ctrlmode, priv->ctrlmode_supported);
+               } /* else: both CAN_CTRLMODE_TDC_{AUTO,MANUAL} are explicitly
+                  * turned off. TDC is disabled: do nothing
diff --git a/queue-6.1/ceph-prevent-use-after-free-in-encode_cap_msg.patch b/queue-6.1/ceph-prevent-use-after-free-in-encode_cap_msg.patch
new file mode 100644 (file)
index 0000000..03c72bc
--- /dev/null
@@ -0,0 +1,53 @@
+From cda4672da1c26835dcbd7aec2bfed954eda9b5ef Mon Sep 17 00:00:00 2001
+From: Rishabh Dave <ridave@redhat.com>
+Date: Thu, 1 Feb 2024 17:07:16 +0530
+Subject: ceph: prevent use-after-free in encode_cap_msg()
+
+From: Rishabh Dave <ridave@redhat.com>
+
+commit cda4672da1c26835dcbd7aec2bfed954eda9b5ef upstream.
+
+In fs/ceph/caps.c, in encode_cap_msg(), "use after free" error was
+caught by KASAN at this line - 'ceph_buffer_get(arg->xattr_buf);'. This
+implies before the refcount could be increment here, it was freed.
+
+In same file, in "handle_cap_grant()" refcount is decremented by this
+line - 'ceph_buffer_put(ci->i_xattrs.blob);'. It appears that a race
+occurred and resource was freed by the latter line before the former
+line could increment it.
+
+encode_cap_msg() is called by __send_cap() and __send_cap() is called by
+ceph_check_caps() after calling __prep_cap(). __prep_cap() is where
+arg->xattr_buf is assigned to ci->i_xattrs.blob. This is the spot where
+the refcount must be increased to prevent "use after free" error.
+
+Cc: stable@vger.kernel.org
+Link: https://tracker.ceph.com/issues/59259
+Signed-off-by: Rishabh Dave <ridave@redhat.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: Xiubo Li <xiubli@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ceph/caps.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/ceph/caps.c
++++ b/fs/ceph/caps.c
+@@ -1391,7 +1391,7 @@ static void __prep_cap(struct cap_msg_ar
+       if (flushing & CEPH_CAP_XATTR_EXCL) {
+               arg->old_xattr_buf = __ceph_build_xattrs_blob(ci);
+               arg->xattr_version = ci->i_xattrs.version;
+-              arg->xattr_buf = ci->i_xattrs.blob;
++              arg->xattr_buf = ceph_buffer_get(ci->i_xattrs.blob);
+       } else {
+               arg->xattr_buf = NULL;
+               arg->old_xattr_buf = NULL;
+@@ -1457,6 +1457,7 @@ static void __send_cap(struct cap_msg_ar
+       encode_cap_msg(msg, arg);
+       ceph_con_send(&arg->session->s_con, msg);
+       ceph_buffer_put(arg->old_xattr_buf);
++      ceph_buffer_put(arg->xattr_buf);
+       if (arg->wake)
+               wake_up_all(&ci->i_cap_wq);
+ }
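Review bot: The reference taken by `ceph_buffer_get(ci->i_xattrs.blob)` in `__prep_cap()` is dropped only on the path through `__send_cap()` that reaches the added `ceph_buffer_put(arg->xattr_buf)`. The start of `__send_cap()` lies outside the hunk, so if it can return early (for example when the message cannot be allocated), the buffer reference would leak there. The same applies to any caller that runs `__prep_cap()` without going on to `__send_cap()`. A short comment at the assignment, e.g. `/* hold a ref until __send_cap() is done with arg */`, would make the get/put pairing explicit, and any early exit should put both `old_xattr_buf` and `xattr_buf`.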
diff --git a/queue-6.1/crypto-ccp-fix-null-pointer-dereference-in-__sev_platform_shutdown_locked.patch b/queue-6.1/crypto-ccp-fix-null-pointer-dereference-in-__sev_platform_shutdown_locked.patch
new file mode 100644 (file)
index 0000000..43363b0
--- /dev/null
@@ -0,0 +1,118 @@
+From ccb88e9549e7cfd8bcd511c538f437e20026e983 Mon Sep 17 00:00:00 2001
+From: Kim Phillips <kim.phillips@amd.com>
+Date: Thu, 25 Jan 2024 17:12:53 -0600
+Subject: crypto: ccp - Fix null pointer dereference in __sev_platform_shutdown_locked
+
+From: Kim Phillips <kim.phillips@amd.com>
+
+commit ccb88e9549e7cfd8bcd511c538f437e20026e983 upstream.
+
+The SEV platform device can be shutdown with a null psp_master,
+e.g., using DEBUG_TEST_DRIVER_REMOVE.  Found using KASAN:
+
+[  137.148210] ccp 0000:23:00.1: enabling device (0000 -> 0002)
+[  137.162647] ccp 0000:23:00.1: no command queues available
+[  137.170598] ccp 0000:23:00.1: sev enabled
+[  137.174645] ccp 0000:23:00.1: psp enabled
+[  137.178890] general protection fault, probably for non-canonical address 0xdffffc000000001e: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN NOPTI
+[  137.182693] KASAN: null-ptr-deref in range [0x00000000000000f0-0x00000000000000f7]
+[  137.182693] CPU: 93 PID: 1 Comm: swapper/0 Not tainted 6.8.0-rc1+ #311
+[  137.182693] RIP: 0010:__sev_platform_shutdown_locked+0x51/0x180
+[  137.182693] Code: 08 80 3c 08 00 0f 85 0e 01 00 00 48 8b 1d 67 b6 01 08 48 b8 00 00 00 00 00 fc ff df 48 8d bb f0 00 00 00 48 89 f9 48 c1 e9 03 <80> 3c 01 00 0f 85 fe 00 00 00 48 8b 9b f0 00 00 00 48 85 db 74 2c
+[  137.182693] RSP: 0018:ffffc900000cf9b0 EFLAGS: 00010216
+[  137.182693] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 000000000000001e
+[  137.182693] RDX: 0000000000000000 RSI: 0000000000000008 RDI: 00000000000000f0
+[  137.182693] RBP: ffffc900000cf9c8 R08: 0000000000000000 R09: fffffbfff58f5a66
+[  137.182693] R10: ffffc900000cf9c8 R11: ffffffffac7ad32f R12: ffff8881e5052c28
+[  137.182693] R13: ffff8881e5052c28 R14: ffff8881758e43e8 R15: ffffffffac64abf8
+[  137.182693] FS:  0000000000000000(0000) GS:ffff889de7000000(0000) knlGS:0000000000000000
+[  137.182693] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[  137.182693] CR2: 0000000000000000 CR3: 0000001cf7c7e000 CR4: 0000000000350ef0
+[  137.182693] Call Trace:
+[  137.182693]  <TASK>
+[  137.182693]  ? show_regs+0x6c/0x80
+[  137.182693]  ? __die_body+0x24/0x70
+[  137.182693]  ? die_addr+0x4b/0x80
+[  137.182693]  ? exc_general_protection+0x126/0x230
+[  137.182693]  ? asm_exc_general_protection+0x2b/0x30
+[  137.182693]  ? __sev_platform_shutdown_locked+0x51/0x180
+[  137.182693]  sev_firmware_shutdown.isra.0+0x1e/0x80
+[  137.182693]  sev_dev_destroy+0x49/0x100
+[  137.182693]  psp_dev_destroy+0x47/0xb0
+[  137.182693]  sp_destroy+0xbb/0x240
+[  137.182693]  sp_pci_remove+0x45/0x60
+[  137.182693]  pci_device_remove+0xaa/0x1d0
+[  137.182693]  device_remove+0xc7/0x170
+[  137.182693]  really_probe+0x374/0xbe0
+[  137.182693]  ? srso_return_thunk+0x5/0x5f
+[  137.182693]  __driver_probe_device+0x199/0x460
+[  137.182693]  driver_probe_device+0x4e/0xd0
+[  137.182693]  __driver_attach+0x191/0x3d0
+[  137.182693]  ? __pfx___driver_attach+0x10/0x10
+[  137.182693]  bus_for_each_dev+0x100/0x190
+[  137.182693]  ? __pfx_bus_for_each_dev+0x10/0x10
+[  137.182693]  ? __kasan_check_read+0x15/0x20
+[  137.182693]  ? srso_return_thunk+0x5/0x5f
+[  137.182693]  ? _raw_spin_unlock+0x27/0x50
+[  137.182693]  driver_attach+0x41/0x60
+[  137.182693]  bus_add_driver+0x2a8/0x580
+[  137.182693]  driver_register+0x141/0x480
+[  137.182693]  __pci_register_driver+0x1d6/0x2a0
+[  137.182693]  ? srso_return_thunk+0x5/0x5f
+[  137.182693]  ? esrt_sysfs_init+0x1cd/0x5d0
+[  137.182693]  ? __pfx_sp_mod_init+0x10/0x10
+[  137.182693]  sp_pci_init+0x22/0x30
+[  137.182693]  sp_mod_init+0x14/0x30
+[  137.182693]  ? __pfx_sp_mod_init+0x10/0x10
+[  137.182693]  do_one_initcall+0xd1/0x470
+[  137.182693]  ? __pfx_do_one_initcall+0x10/0x10
+[  137.182693]  ? parameq+0x80/0xf0
+[  137.182693]  ? srso_return_thunk+0x5/0x5f
+[  137.182693]  ? __kmalloc+0x3b0/0x4e0
+[  137.182693]  ? kernel_init_freeable+0x92d/0x1050
+[  137.182693]  ? kasan_populate_vmalloc_pte+0x171/0x190
+[  137.182693]  ? srso_return_thunk+0x5/0x5f
+[  137.182693]  kernel_init_freeable+0xa64/0x1050
+[  137.182693]  ? __pfx_kernel_init+0x10/0x10
+[  137.182693]  kernel_init+0x24/0x160
+[  137.182693]  ? __switch_to_asm+0x3e/0x70
+[  137.182693]  ret_from_fork+0x40/0x80
+[  137.182693]  ? __pfx_kernel_init+0x10/0x10
+[  137.182693]  ret_from_fork_asm+0x1b/0x30
+[  137.182693]  </TASK>
+[  137.182693] Modules linked in:
+[  137.538483] ---[ end trace 0000000000000000 ]---
+
+Fixes: 1b05ece0c931 ("crypto: ccp - During shutdown, check SEV data pointer before using")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Kim Phillips <kim.phillips@amd.com>
+Reviewed-by: Liam Merwick <liam.merwick@oracle.com>
+Acked-by: John Allen <john.allen@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/ccp/sev-dev.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/ccp/sev-dev.c
++++ b/drivers/crypto/ccp/sev-dev.c
+@@ -515,10 +515,16 @@ EXPORT_SYMBOL_GPL(sev_platform_init);
+ static int __sev_platform_shutdown_locked(int *error)
+ {
+-      struct sev_device *sev = psp_master->sev_data;
++      struct psp_device *psp = psp_master;
++      struct sev_device *sev;
+       int ret;
+-      if (!sev || sev->state == SEV_STATE_UNINIT)
++      if (!psp || !psp->sev_data)
++              return 0;
++
++      sev = psp->sev_data;
++
++      if (sev->state == SEV_STATE_UNINIT)
+               return 0;
+       ret = __sev_do_cmd_locked(SEV_CMD_SHUTDOWN, NULL, error);
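Review bot: The added early return in `__sev_platform_shutdown_locked()` treats a NULL `psp_master` as nothing to shut down, but nothing in the code records when that state is legitimate. A one-line comment above the check, such as `/* psp_master may be NULL here, e.g. on remove with DEBUG_TEST_DRIVER_REMOVE */`, would preserve the reason given in the commit message for the next reader. Reading `psp_master` once into the local `psp` is the right shape for the check. Other functions in sev-dev.c that dereference `psp_master` directly are not visible here and may need the same guard. The body of the function continues past the end of the hunk.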
diff --git a/queue-6.1/exit-wait_task_zombie-kill-the-no-longer-necessary-spin_lock_irq-siglock.patch b/queue-6.1/exit-wait_task_zombie-kill-the-no-longer-necessary-spin_lock_irq-siglock.patch
new file mode 100644 (file)
index 0000000..ff9080b
--- /dev/null
@@ -0,0 +1,59 @@
+From c1be35a16b2f1fe21f4f26f9de030ad6eaaf6a25 Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Tue, 23 Jan 2024 16:34:00 +0100
+Subject: exit: wait_task_zombie: kill the no longer necessary spin_lock_irq(siglock)
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+commit c1be35a16b2f1fe21f4f26f9de030ad6eaaf6a25 upstream.
+
+After the recent changes nobody use siglock to read the values protected
+by stats_lock, we can kill spin_lock_irq(&current->sighand->siglock) and
+update the comment.
+
+With this patch only __exit_signal() and thread_group_start_cputime() take
+stats_lock under siglock.
+
+Link: https://lkml.kernel.org/r/20240123153359.GA21866@redhat.com
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Dylan Hatch <dylanbhatch@google.com>
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/exit.c |   10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -1146,17 +1146,14 @@ static int wait_task_zombie(struct wait_
+                * and nobody can change them.
+                *
+                * psig->stats_lock also protects us from our sub-threads
+-               * which can reap other children at the same time. Until
+-               * we change k_getrusage()-like users to rely on this lock
+-               * we have to take ->siglock as well.
++               * which can reap other children at the same time.
+                *
+                * We use thread_group_cputime_adjusted() to get times for
+                * the thread group, which consolidates times for all threads
+                * in the group including the group leader.
+                */
+               thread_group_cputime_adjusted(p, &tgutime, &tgstime);
+-              spin_lock_irq(&current->sighand->siglock);
+-              write_seqlock(&psig->stats_lock);
++              write_seqlock_irq(&psig->stats_lock);
+               psig->cutime += tgutime + sig->cutime;
+               psig->cstime += tgstime + sig->cstime;
+               psig->cgtime += task_gtime(p) + sig->gtime + sig->cgtime;
+@@ -1179,8 +1176,7 @@ static int wait_task_zombie(struct wait_
+                       psig->cmaxrss = maxrss;
+               task_io_accounting_add(&psig->ioac, &p->ioac);
+               task_io_accounting_add(&psig->ioac, &sig->ioac);
+-              write_sequnlock(&psig->stats_lock);
+-              spin_unlock_irq(&current->sighand->siglock);
++              write_sequnlock_irq(&psig->stats_lock);
+       }
+       if (wo->wo_rusage)
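Review bot: Dropping `spin_lock_irq(&current->sighand->siglock)` around the `psig->c*` updates in wait_task_zombie() is only safe if no remaining reader relies on ->siglock to see these counters consistently, and that depends on changes outside this patch. The do_task_stat() patch queued next to it is only part 1 of 3 and still appears to read signal_struct counters inside `lock_task_sighand()`. The rest of that series and the getrusage() conversion the message calls "the recent changes" therefore need to be in 6.1 first, which cannot be confirmed from this page. I would also make the new rule explicit in the updated comment, e.g. `* Readers must use psig->stats_lock; ->siglock no longer protects these counters.` The function starts and ends outside both hunks.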
diff --git a/queue-6.1/fs-hugetlb-fix-null-pointer-dereference-in-hugetlbs_fill_super.patch b/queue-6.1/fs-hugetlb-fix-null-pointer-dereference-in-hugetlbs_fill_super.patch
new file mode 100644 (file)
index 0000000..25ad557
--- /dev/null
@@ -0,0 +1,156 @@
+From 79d72c68c58784a3e1cd2378669d51bfd0cb7498 Mon Sep 17 00:00:00 2001
+From: Oscar Salvador <osalvador@suse.de>
+Date: Tue, 30 Jan 2024 22:04:18 +0100
+Subject: fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super
+
+From: Oscar Salvador <osalvador@suse.de>
+
+commit 79d72c68c58784a3e1cd2378669d51bfd0cb7498 upstream.
+
+When configuring a hugetlb filesystem via the fsconfig() syscall, there is
+a possible NULL dereference in hugetlbfs_fill_super() caused by assigning
+NULL to ctx->hstate in hugetlbfs_parse_param() when the requested pagesize
+is non valid.
+
+E.g: Taking the following steps:
+
+     fd = fsopen("hugetlbfs", FSOPEN_CLOEXEC);
+     fsconfig(fd, FSCONFIG_SET_STRING, "pagesize", "1024", 0);
+     fsconfig(fd, FSCONFIG_CMD_CREATE, NULL, NULL, 0);
+
+Given that the requested "pagesize" is invalid, ctxt->hstate will be replaced
+with NULL, losing its previous value, and we will print an error:
+
+ ...
+ ...
+ case Opt_pagesize:
+ ps = memparse(param->string, &rest);
+ ctx->hstate = h;
+ if (!ctx->hstate) {
+         pr_err("Unsupported page size %lu MB\n", ps / SZ_1M);
+         return -EINVAL;
+ }
+ return 0;
+ ...
+ ...
+
+This is a problem because later on, we will dereference ctxt->hstate in
+hugetlbfs_fill_super()
+
+ ...
+ ...
+ sb->s_blocksize = huge_page_size(ctx->hstate);
+ ...
+ ...
+
+Causing below Oops.
+
+Fix this by replacing cxt->hstate value only when then pagesize is known
+to be valid.
+
+ kernel: hugetlbfs: Unsupported page size 0 MB
+ kernel: BUG: kernel NULL pointer dereference, address: 0000000000000028
+ kernel: #PF: supervisor read access in kernel mode
+ kernel: #PF: error_code(0x0000) - not-present page
+ kernel: PGD 800000010f66c067 P4D 800000010f66c067 PUD 1b22f8067 PMD 0
+ kernel: Oops: 0000 [#1] PREEMPT SMP PTI
+ kernel: CPU: 4 PID: 5659 Comm: syscall Tainted: G            E      6.8.0-rc2-default+ #22 5a47c3fef76212addcc6eb71344aabc35190ae8f
+ kernel: Hardware name: Intel Corp. GROVEPORT/GROVEPORT, BIOS GVPRCRB1.86B.0016.D04.1705030402 05/03/2017
+ kernel: RIP: 0010:hugetlbfs_fill_super+0xb4/0x1a0
+ kernel: Code: 48 8b 3b e8 3e c6 ed ff 48 85 c0 48 89 45 20 0f 84 d6 00 00 00 48 b8 ff ff ff ff ff ff ff 7f 4c 89 e7 49 89 44 24 20 48 8b 03 <8b> 48 28 b8 00 10 00 00 48 d3 e0 49 89 44 24 18 48 8b 03 8b 40 28
+ kernel: RSP: 0018:ffffbe9960fcbd48 EFLAGS: 00010246
+ kernel: RAX: 0000000000000000 RBX: ffff9af5272ae780 RCX: 0000000000372004
+ kernel: RDX: ffffffffffffffff RSI: ffffffffffffffff RDI: ffff9af555e9b000
+ kernel: RBP: ffff9af52ee66b00 R08: 0000000000000040 R09: 0000000000370004
+ kernel: R10: ffffbe9960fcbd48 R11: 0000000000000040 R12: ffff9af555e9b000
+ kernel: R13: ffffffffa66b86c0 R14: ffff9af507d2f400 R15: ffff9af507d2f400
+ kernel: FS:  00007ffbc0ba4740(0000) GS:ffff9b0bd7000000(0000) knlGS:0000000000000000
+ kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ kernel: CR2: 0000000000000028 CR3: 00000001b1ee0000 CR4: 00000000001506f0
+ kernel: Call Trace:
+ kernel:  <TASK>
+ kernel:  ? __die_body+0x1a/0x60
+ kernel:  ? page_fault_oops+0x16f/0x4a0
+ kernel:  ? search_bpf_extables+0x65/0x70
+ kernel:  ? fixup_exception+0x22/0x310
+ kernel:  ? exc_page_fault+0x69/0x150
+ kernel:  ? asm_exc_page_fault+0x22/0x30
+ kernel:  ? __pfx_hugetlbfs_fill_super+0x10/0x10
+ kernel:  ? hugetlbfs_fill_super+0xb4/0x1a0
+ kernel:  ? hugetlbfs_fill_super+0x28/0x1a0
+ kernel:  ? __pfx_hugetlbfs_fill_super+0x10/0x10
+ kernel:  vfs_get_super+0x40/0xa0
+ kernel:  ? __pfx_bpf_lsm_capable+0x10/0x10
+ kernel:  vfs_get_tree+0x25/0xd0
+ kernel:  vfs_cmd_create+0x64/0xe0
+ kernel:  __x64_sys_fsconfig+0x395/0x410
+ kernel:  do_syscall_64+0x80/0x160
+ kernel:  ? syscall_exit_to_user_mode+0x82/0x240
+ kernel:  ? do_syscall_64+0x8d/0x160
+ kernel:  ? syscall_exit_to_user_mode+0x82/0x240
+ kernel:  ? do_syscall_64+0x8d/0x160
+ kernel:  ? exc_page_fault+0x69/0x150
+ kernel:  entry_SYSCALL_64_after_hwframe+0x6e/0x76
+ kernel: RIP: 0033:0x7ffbc0cb87c9
+ kernel: Code: 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 97 96 0d 00 f7 d8 64 89 01 48
+ kernel: RSP: 002b:00007ffc29d2f388 EFLAGS: 00000206 ORIG_RAX: 00000000000001af
+ kernel: RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ffbc0cb87c9
+ kernel: RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000003
+ kernel: RBP: 00007ffc29d2f3b0 R08: 0000000000000000 R09: 0000000000000000
+ kernel: R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
+ kernel: R13: 00007ffc29d2f4c0 R14: 0000000000000000 R15: 0000000000000000
+ kernel:  </TASK>
+ kernel: Modules linked in: rpcsec_gss_krb5(E) auth_rpcgss(E) nfsv4(E) dns_resolver(E) nfs(E) lockd(E) grace(E) sunrpc(E) netfs(E) af_packet(E) bridge(E) stp(E) llc(E) iscsi_ibft(E) iscsi_boot_sysfs(E) intel_rapl_msr(E) intel_rapl_common(E) iTCO_wdt(E) intel_pmc_bxt(E) sb_edac(E) iTCO_vendor_support(E) x86_pkg_temp_thermal(E) intel_powerclamp(E) coretemp(E) kvm_intel(E) rfkill(E) ipmi_ssif(E) kvm(E) acpi_ipmi(E) irqbypass(E) pcspkr(E) igb(E) ipmi_si(E) mei_me(E) i2c_i801(E) joydev(E) intel_pch_thermal(E) i2c_smbus(E) dca(E) lpc_ich(E) mei(E) ipmi_devintf(E) ipmi_msghandler(E) acpi_pad(E) tiny_power_button(E) button(E) fuse(E) efi_pstore(E) configfs(E) ip_tables(E) x_tables(E) ext4(E) mbcache(E) jbd2(E) hid_generic(E) usbhid(E) sd_mod(E) t10_pi(E) crct10dif_pclmul(E) crc32_pclmul(E) crc32c_intel(E) polyval_clmulni(E) ahci(E) xhci_pci(E) polyval_generic(E) gf128mul(E) ghash_clmulni_intel(E) sha512_ssse3(E) sha256_ssse3(E) xhci_pci_renesas(E) libahci(E) ehci_pci(E) sha1_ssse3(E) xhci_hcd(E) ehci_hcd(E) libata(E)
+ kernel:  mgag200(E) i2c_algo_bit(E) usbcore(E) wmi(E) sg(E) dm_multipath(E) dm_mod(E) scsi_dh_rdac(E) scsi_dh_emc(E) scsi_dh_alua(E) scsi_mod(E) scsi_common(E) aesni_intel(E) crypto_simd(E) cryptd(E)
+ kernel: Unloaded tainted modules: acpi_cpufreq(E):1 fjes(E):1
+ kernel: CR2: 0000000000000028
+ kernel: ---[ end trace 0000000000000000 ]---
+ kernel: RIP: 0010:hugetlbfs_fill_super+0xb4/0x1a0
+ kernel: Code: 48 8b 3b e8 3e c6 ed ff 48 85 c0 48 89 45 20 0f 84 d6 00 00 00 48 b8 ff ff ff ff ff ff ff 7f 4c 89 e7 49 89 44 24 20 48 8b 03 <8b> 48 28 b8 00 10 00 00 48 d3 e0 49 89 44 24 18 48 8b 03 8b 40 28
+ kernel: RSP: 0018:ffffbe9960fcbd48 EFLAGS: 00010246
+ kernel: RAX: 0000000000000000 RBX: ffff9af5272ae780 RCX: 0000000000372004
+ kernel: RDX: ffffffffffffffff RSI: ffffffffffffffff RDI: ffff9af555e9b000
+ kernel: RBP: ffff9af52ee66b00 R08: 0000000000000040 R09: 0000000000370004
+ kernel: R10: ffffbe9960fcbd48 R11: 0000000000000040 R12: ffff9af555e9b000
+ kernel: R13: ffffffffa66b86c0 R14: ffff9af507d2f400 R15: ffff9af507d2f400
+ kernel: FS:  00007ffbc0ba4740(0000) GS:ffff9b0bd7000000(0000) knlGS:0000000000000000
+ kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ kernel: CR2: 0000000000000028 CR3: 00000001b1ee0000 CR4: 00000000001506f0
+
+Link: https://lkml.kernel.org/r/20240130210418.3771-1-osalvador@suse.de
+Fixes: 32021982a324 ("hugetlbfs: Convert to fs_context")
+Signed-off-by: Michal Hocko <mhocko@suse.com>
+Signed-off-by: Oscar Salvador <osalvador@suse.de>
+Acked-by: Muchun Song <muchun.song@linux.dev>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/hugetlbfs/inode.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/hugetlbfs/inode.c
++++ b/fs/hugetlbfs/inode.c
+@@ -1350,6 +1350,7 @@ static int hugetlbfs_parse_param(struct
+ {
+       struct hugetlbfs_fs_context *ctx = fc->fs_private;
+       struct fs_parse_result result;
++      struct hstate *h;
+       char *rest;
+       unsigned long ps;
+       int opt;
+@@ -1394,11 +1395,12 @@ static int hugetlbfs_parse_param(struct
+       case Opt_pagesize:
+               ps = memparse(param->string, &rest);
+-              ctx->hstate = size_to_hstate(ps);
+-              if (!ctx->hstate) {
++              h = size_to_hstate(ps);
++              if (!h) {
+                       pr_err("Unsupported page size %lu MB\n", ps / SZ_1M);
+                       return -EINVAL;
+               }
++              ctx->hstate = h;
+               return 0;
+       case Opt_min_size:
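Review bot: The reordered `Opt_pagesize` case relies on an invariant that is not written down in the code: `ctx->hstate` must never become NULL. Per the commit message, a failed fsconfig() parameter does not stop a later FSCONFIG_CMD_CREATE from reaching hugetlbfs_fill_super(), which dereferences it. A comment above the assignment would stop a later cleanup from folding `h` back into `ctx->hstate`, e.g. `/* Replace ctx->hstate only once the size is known valid; fill_super dereferences it. */`. Separately, `rest` from `memparse()` is not examined in the lines shown, so trailing characters after the number seem to be accepted; whether that is intended is not visible here. hugetlbfs_parse_param() continues outside both hunks.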
diff --git a/queue-6.1/fs-proc-do_task_stat-move-thread_group_cputime_adjusted-outside-of-lock_task_sighand.patch b/queue-6.1/fs-proc-do_task_stat-move-thread_group_cputime_adjusted-outside-of-lock_task_sighand.patch
new file mode 100644 (file)
index 0000000..41c8870
--- /dev/null
@@ -0,0 +1,76 @@
+From 60f92acb60a989b14e4b744501a0df0f82ef30a3 Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Tue, 23 Jan 2024 16:33:55 +0100
+Subject: fs/proc: do_task_stat: move thread_group_cputime_adjusted() outside of lock_task_sighand()
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+commit 60f92acb60a989b14e4b744501a0df0f82ef30a3 upstream.
+
+Patch series "fs/proc: do_task_stat: use sig->stats_".
+
+do_task_stat() has the same problem as getrusage() had before "getrusage:
+use sig->stats_lock rather than lock_task_sighand()": a hard lockup.  If
+NR_CPUS threads call lock_task_sighand() at the same time and the process
+has NR_THREADS, spin_lock_irq will spin with irqs disabled O(NR_CPUS *
+NR_THREADS) time.
+
+
+This patch (of 3):
+
+thread_group_cputime() does its own locking, we can safely shift
+thread_group_cputime_adjusted() which does another for_each_thread loop
+outside of ->siglock protected section.
+
+Not only this removes for_each_thread() from the critical section with
+irqs disabled, this removes another case when stats_lock is taken with
+siglock held.  We want to remove this dependency, then we can change the
+users of stats_lock to not disable irqs.
+
+Link: https://lkml.kernel.org/r/20240123153313.GA21832@redhat.com
+Link: https://lkml.kernel.org/r/20240123153355.GA21854@redhat.com
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Dylan Hatch <dylanbhatch@google.com>
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/array.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/fs/proc/array.c
++++ b/fs/proc/array.c
+@@ -501,7 +501,7 @@ static int do_task_stat(struct seq_file
+       sigemptyset(&sigign);
+       sigemptyset(&sigcatch);
+-      cutime = cstime = utime = stime = 0;
++      cutime = cstime = 0;
+       cgtime = gtime = 0;
+       if (lock_task_sighand(task, &flags)) {
+@@ -535,7 +535,6 @@ static int do_task_stat(struct seq_file
+                       min_flt += sig->min_flt;
+                       maj_flt += sig->maj_flt;
+-                      thread_group_cputime_adjusted(task, &utime, &stime);
+                       gtime += sig->gtime;
+                       if (sig->flags & (SIGNAL_GROUP_EXIT | SIGNAL_STOP_STOPPED))
+@@ -551,10 +550,13 @@ static int do_task_stat(struct seq_file
+       if (permitted && (!whole || num_threads < 2))
+               wchan = !task_is_running(task);
+-      if (!whole) {
++
++      if (whole) {
++              thread_group_cputime_adjusted(task, &utime, &stime);
++      } else {
++              task_cputime_adjusted(task, &utime, &stime);
+               min_flt = task->min_flt;
+               maj_flt = task->maj_flt;
+-              task_cputime_adjusted(task, &utime, &stime);
+               gtime = task_gtime(task);
+       }
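Review bot: With `utime`/`stime` removed from the zero-initialisation and `thread_group_cputime_adjusted()` moved out of the `lock_task_sighand()` block, the `whole` path now computes group times even when lock_task_sighand() fails, where the old code reported 0. That is presumably fine, since the commit message says thread_group_cputime() does its own locking, but the change is silent in the code. A comment at the new call site would record both facts, e.g. `/* takes sig->stats_lock itself; keep outside ->siglock, and safe without sighand */`, with the second half confirmed before it is written. do_task_stat() starts and ends outside these hunks.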
diff --git a/queue-6.1/fs-relax-mount_setattr-permission-checks.patch b/queue-6.1/fs-relax-mount_setattr-permission-checks.patch
new file mode 100644 (file)
index 0000000..82dadff
--- /dev/null
@@ -0,0 +1,59 @@
+From 46f5ab762d048dad224436978315cbc2fa79c630 Mon Sep 17 00:00:00 2001
+From: Christian Brauner <brauner@kernel.org>
+Date: Tue, 6 Feb 2024 11:22:09 +0100
+Subject: fs: relax mount_setattr() permission checks
+
+From: Christian Brauner <brauner@kernel.org>
+
+commit 46f5ab762d048dad224436978315cbc2fa79c630 upstream.
+
+When we added mount_setattr() I added additional checks compared to the
+legacy do_reconfigure_mnt() and do_change_type() helpers used by regular
+mount(2). If that mount had a parent then verify that the caller and the
+mount namespace the mount is attached to match and if not make sure that
+it's an anonymous mount.
+
+The real rootfs falls into neither category. It is neither an anoymous
+mount because it is obviously attached to the initial mount namespace
+but it also obviously doesn't have a parent mount. So that means legacy
+mount(2) allows changing mount properties on the real rootfs but
+mount_setattr(2) blocks this. I never thought much about this but of
+course someone on this planet of earth changes properties on the real
+rootfs as can be seen in [1].
+
+Since util-linux finally switched to the new mount api in 2.39 not so
+long ago it also relies on mount_setattr() and that surfaced this issue
+when Fedora 39 finally switched to it. Fix this.
+
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2256843
+Link: https://lore.kernel.org/r/20240206-vfs-mount-rootfs-v1-1-19b335eee133@kernel.org
+Reviewed-by: Jan Kara <jack@suse.cz>
+Reported-by: Karel Zak <kzak@redhat.com>
+Cc: stable@vger.kernel.org # v5.12+
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/namespace.c |   11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -4172,10 +4172,15 @@ static int do_mount_setattr(struct path
+       /*
+        * If this is an attached mount make sure it's located in the callers
+        * mount namespace. If it's not don't let the caller interact with it.
+-       * If this is a detached mount make sure it has an anonymous mount
+-       * namespace attached to it, i.e. we've created it via OPEN_TREE_CLONE.
++       *
++       * If this mount doesn't have a parent it's most often simply a
++       * detached mount with an anonymous mount namespace. IOW, something
++       * that's simply not attached yet. But there are apparently also users
++       * that do change mount properties on the rootfs itself. That obviously
++       * neither has a parent nor is it a detached mount so we cannot
++       * unconditionally check for detached mounts.
+        */
+-      if (!(mnt_has_parent(mnt) ? check_mnt(mnt) : is_anon_ns(mnt->mnt_ns)))
++      if ((mnt_has_parent(mnt) || !is_anon_ns(mnt->mnt_ns)) && !check_mnt(mnt))
+               goto out;
+       /*
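Review bot: The rewritten condition in do_mount_setattr() is a permission check, and the new comment explains why the detached-mount test was relaxed but not what is still enforced. As written, a mount is accepted when it has no parent and sits in an anonymous namespace, or when `check_mnt(mnt)` passes, so the real rootfs still has to be in the caller's mount namespace. I would say so in the comment, e.g. `* Anything that is not a detached mount, the rootfs included, must be in the caller's mount namespace.` The expression also passes `mnt->mnt_ns` to is_anon_ns() for every parentless mount, so it presumably relies on an earlier check, outside this hunk, that the mount is still attached to a namespace.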
diff --git a/queue-6.1/hv_netvsc-register-vf-in-netvsc_probe-if-net_device_register-missed.patch b/queue-6.1/hv_netvsc-register-vf-in-netvsc_probe-if-net_device_register-missed.patch
new file mode 100644 (file)
index 0000000..9a31f7a
--- /dev/null
@@ -0,0 +1,179 @@
+From 9cae43da9867412f8bd09aee5c8a8dc5e8dc3dc2 Mon Sep 17 00:00:00 2001
+From: Shradha Gupta <shradhagupta@linux.microsoft.com>
+Date: Thu, 1 Feb 2024 20:40:38 -0800
+Subject: hv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed
+
+From: Shradha Gupta <shradhagupta@linux.microsoft.com>
+
+commit 9cae43da9867412f8bd09aee5c8a8dc5e8dc3dc2 upstream.
+
+If hv_netvsc driver is unloaded and reloaded, the NET_DEVICE_REGISTER
+handler cannot perform VF register successfully as the register call
+is received before netvsc_probe is finished. This is because we
+register register_netdevice_notifier() very early( even before
+vmbus_driver_register()).
+To fix this, we try to register each such matching VF( if it is visible
+as a netdevice) at the end of netvsc_probe.
+
+Cc: stable@vger.kernel.org
+Fixes: 85520856466e ("hv_netvsc: Fix race of register_netdevice_notifier and VF register")
+Suggested-by: Dexuan Cui <decui@microsoft.com>
+Signed-off-by: Shradha Gupta <shradhagupta@linux.microsoft.com>
+Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
+Reviewed-by: Dexuan Cui <decui@microsoft.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/hyperv/netvsc_drv.c |   82 ++++++++++++++++++++++++++++++----------
+ 1 file changed, 62 insertions(+), 20 deletions(-)
+
+--- a/drivers/net/hyperv/netvsc_drv.c
++++ b/drivers/net/hyperv/netvsc_drv.c
+@@ -42,6 +42,10 @@
+ #define LINKCHANGE_INT (2 * HZ)
+ #define VF_TAKEOVER_INT (HZ / 10)
++/* Macros to define the context of vf registration */
++#define VF_REG_IN_PROBE               1
++#define VF_REG_IN_NOTIFIER    2
++
+ static unsigned int ring_size __ro_after_init = 128;
+ module_param(ring_size, uint, 0444);
+ MODULE_PARM_DESC(ring_size, "Ring buffer size (# of 4K pages)");
+@@ -2181,7 +2185,7 @@ static rx_handler_result_t netvsc_vf_han
+ }
+ static int netvsc_vf_join(struct net_device *vf_netdev,
+-                        struct net_device *ndev)
++                        struct net_device *ndev, int context)
+ {
+       struct net_device_context *ndev_ctx = netdev_priv(ndev);
+       int ret;
+@@ -2204,7 +2208,11 @@ static int netvsc_vf_join(struct net_dev
+               goto upper_link_failed;
+       }
+-      schedule_delayed_work(&ndev_ctx->vf_takeover, VF_TAKEOVER_INT);
++      /* If this registration is called from probe context vf_takeover
++       * is taken care of later in probe itself.
++       */
++      if (context == VF_REG_IN_NOTIFIER)
++              schedule_delayed_work(&ndev_ctx->vf_takeover, VF_TAKEOVER_INT);
+       call_netdevice_notifiers(NETDEV_JOIN, vf_netdev);
+@@ -2342,7 +2350,7 @@ static int netvsc_prepare_bonding(struct
+       return NOTIFY_DONE;
+ }
+-static int netvsc_register_vf(struct net_device *vf_netdev)
++static int netvsc_register_vf(struct net_device *vf_netdev, int context)
+ {
+       struct net_device_context *net_device_ctx;
+       struct netvsc_device *netvsc_dev;
+@@ -2382,7 +2390,7 @@ static int netvsc_register_vf(struct net
+       netdev_info(ndev, "VF registering: %s\n", vf_netdev->name);
+-      if (netvsc_vf_join(vf_netdev, ndev) != 0)
++      if (netvsc_vf_join(vf_netdev, ndev, context) != 0)
+               return NOTIFY_DONE;
+       dev_hold(vf_netdev);
+@@ -2480,10 +2488,31 @@ static int netvsc_unregister_vf(struct n
+       return NOTIFY_OK;
+ }
++static int check_dev_is_matching_vf(struct net_device *event_ndev)
++{
++      /* Skip NetVSC interfaces */
++      if (event_ndev->netdev_ops == &device_ops)
++              return -ENODEV;
++
++      /* Avoid non-Ethernet type devices */
++      if (event_ndev->type != ARPHRD_ETHER)
++              return -ENODEV;
++
++      /* Avoid Vlan dev with same MAC registering as VF */
++      if (is_vlan_dev(event_ndev))
++              return -ENODEV;
++
++      /* Avoid Bonding master dev with same MAC registering as VF */
++      if (netif_is_bond_master(event_ndev))
++              return -ENODEV;
++
++      return 0;
++}
++
+ static int netvsc_probe(struct hv_device *dev,
+                       const struct hv_vmbus_device_id *dev_id)
+ {
+-      struct net_device *net = NULL;
++      struct net_device *net = NULL, *vf_netdev;
+       struct net_device_context *net_device_ctx;
+       struct netvsc_device_info *device_info = NULL;
+       struct netvsc_device *nvdev;
+@@ -2592,6 +2621,30 @@ static int netvsc_probe(struct hv_device
+       }
+       list_add(&net_device_ctx->list, &netvsc_dev_list);
++
++      /* When the hv_netvsc driver is unloaded and reloaded, the
++       * NET_DEVICE_REGISTER for the vf device is replayed before probe
++       * is complete. This is because register_netdevice_notifier() gets
++       * registered before vmbus_driver_register() so that callback func
++       * is set before probe and we don't miss events like NETDEV_POST_INIT
++       * So, in this section we try to register the matching vf device that
++       * is present as a netdevice, knowing that its register call is not
++       * processed in the netvsc_netdev_notifier(as probing is progress and
++       * get_netvsc_byslot fails).
++       */
++      for_each_netdev(dev_net(net), vf_netdev) {
++              ret = check_dev_is_matching_vf(vf_netdev);
++              if (ret != 0)
++                      continue;
++
++              if (net != get_netvsc_byslot(vf_netdev))
++                      continue;
++
++              netvsc_prepare_bonding(vf_netdev);
++              netvsc_register_vf(vf_netdev, VF_REG_IN_PROBE);
++              __netvsc_vf_setup(net, vf_netdev);
++              break;
++      }
+       rtnl_unlock();
+       netvsc_devinfo_put(device_info);
+@@ -2748,28 +2801,17 @@ static int netvsc_netdev_event(struct no
+                              unsigned long event, void *ptr)
+ {
+       struct net_device *event_dev = netdev_notifier_info_to_dev(ptr);
++      int ret = 0;
+-      /* Skip our own events */
+-      if (event_dev->netdev_ops == &device_ops)
+-              return NOTIFY_DONE;
+-
+-      /* Avoid non-Ethernet type devices */
+-      if (event_dev->type != ARPHRD_ETHER)
+-              return NOTIFY_DONE;
+-
+-      /* Avoid Vlan dev with same MAC registering as VF */
+-      if (is_vlan_dev(event_dev))
+-              return NOTIFY_DONE;
+-
+-      /* Avoid Bonding master dev with same MAC registering as VF */
+-      if (netif_is_bond_master(event_dev))
++      ret = check_dev_is_matching_vf(event_dev);
++      if (ret != 0)
+               return NOTIFY_DONE;
+       switch (event) {
+       case NETDEV_POST_INIT:
+               return netvsc_prepare_bonding(event_dev);
+       case NETDEV_REGISTER:
+-              return netvsc_register_vf(event_dev);
++              return netvsc_register_vf(event_dev, VF_REG_IN_NOTIFIER);
+       case NETDEV_UNREGISTER:
+               return netvsc_unregister_vf(event_dev);
+       case NETDEV_UP:
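Review bot: In the loop added at the end of netvsc_probe(), the results of `netvsc_prepare_bonding()` and `netvsc_register_vf()` are discarded and `__netvsc_vf_setup(net, vf_netdev)` runs regardless. netvsc_register_vf() returns NOTIFY_DONE when netvsc_vf_join() fails (visible in its own hunk), so setup would then run on a VF that was not joined and, judging by the `dev_hold()` after the join, not referenced either. Gate the setup on the registration result, for example `if (netvsc_register_vf(vf_netdev, VF_REG_IN_PROBE) != NOTIFY_OK) break;` before the setup call; this assumes NOTIFY_OK is the success return, which is outside the lines shown. As a style point, the two `VF_REG_IN_*` macros would read better as an enum so that the `context` parameter is typed.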
diff --git a/queue-6.1/irqchip-gic-v3-its-fix-gicv4.1-vpe-affinity-update.patch b/queue-6.1/irqchip-gic-v3-its-fix-gicv4.1-vpe-affinity-update.patch
new file mode 100644 (file)
index 0000000..3fda404
--- /dev/null
@@ -0,0 +1,80 @@
+From af9acbfc2c4b72c378d0b9a2ee023ed01055d3e2 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <maz@kernel.org>
+Date: Tue, 13 Feb 2024 10:12:06 +0000
+Subject: irqchip/gic-v3-its: Fix GICv4.1 VPE affinity update
+
+From: Marc Zyngier <maz@kernel.org>
+
+commit af9acbfc2c4b72c378d0b9a2ee023ed01055d3e2 upstream.
+
+When updating the affinity of a VPE, the VMOVP command is currently skipped
+if the two CPUs are part of the same VPE affinity.
+
+But this is wrong, as the doorbell corresponding to this VPE is still
+delivered on the 'old' CPU, which screws up the balancing.  Furthermore,
+offlining that 'old' CPU results in doorbell interrupts generated for this
+VPE being discarded.
+
+The harsh reality is that VMOVP cannot be elided when a set_affinity()
+request occurs. It needs to be obeyed, and if an optimisation is to be
+made, it is at the point where the affinity change request is made (such as
+in KVM).
+
+Drop the VMOVP elision altogether, and only use the vpe_table_mask
+to try and stay within the same ITS affinity group if at all possible.
+
+Fixes: dd3f050a216e (irqchip/gic-v4.1: Implement the v4.1 flavour of VMOVP)
+Reported-by: Kunkun Jiang <jiangkunkun@huawei.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240213101206.2137483-4-maz@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-gic-v3-its.c |   22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -3805,8 +3805,9 @@ static int its_vpe_set_affinity(struct i
+                               bool force)
+ {
+       struct its_vpe *vpe = irq_data_get_irq_chip_data(d);
+-      int from, cpu = cpumask_first(mask_val);
++      struct cpumask common, *table_mask;
+       unsigned long flags;
++      int from, cpu;
+       /*
+        * Changing affinity is mega expensive, so let's be as lazy as
+@@ -3822,19 +3823,22 @@ static int its_vpe_set_affinity(struct i
+        * taken on any vLPI handling path that evaluates vpe->col_idx.
+        */
+       from = vpe_to_cpuid_lock(vpe, &flags);
+-      if (from == cpu)
+-              goto out;
+-
+-      vpe->col_idx = cpu;
++      table_mask = gic_data_rdist_cpu(from)->vpe_table_mask;
+       /*
+-       * GICv4.1 allows us to skip VMOVP if moving to a cpu whose RD
+-       * is sharing its VPE table with the current one.
++       * If we are offered another CPU in the same GICv4.1 ITS
++       * affinity, pick this one. Otherwise, any CPU will do.
+        */
+-      if (gic_data_rdist_cpu(cpu)->vpe_table_mask &&
+-          cpumask_test_cpu(from, gic_data_rdist_cpu(cpu)->vpe_table_mask))
++      if (table_mask && cpumask_and(&common, mask_val, table_mask))
++              cpu = cpumask_test_cpu(from, &common) ? from : cpumask_first(&common);
++      else
++              cpu = cpumask_first(mask_val);
++
++      if (from == cpu)
+               goto out;
++      vpe->col_idx = cpu;
++
+       its_send_vmovp(vpe);
+       its_vpe_db_proxy_move(vpe, from, cpu);
diff --git a/queue-6.1/irqchip-irq-brcmstb-l2-add-write-memory-barrier-before-exit.patch b/queue-6.1/irqchip-irq-brcmstb-l2-add-write-memory-barrier-before-exit.patch
new file mode 100644 (file)
index 0000000..2b3360b
--- /dev/null
@@ -0,0 +1,63 @@
+From b0344d6854d25a8b3b901c778b1728885dd99007 Mon Sep 17 00:00:00 2001
+From: Doug Berger <opendmb@gmail.com>
+Date: Fri, 9 Feb 2024 17:24:49 -0800
+Subject: irqchip/irq-brcmstb-l2: Add write memory barrier before exit
+
+From: Doug Berger <opendmb@gmail.com>
+
+commit b0344d6854d25a8b3b901c778b1728885dd99007 upstream.
+
+It was observed on Broadcom devices that use GIC v3 architecture L1
+interrupt controllers as the parent of brcmstb-l2 interrupt controllers
+that the deactivation of the parent interrupt could happen before the
+brcmstb-l2 deasserted its output. This would lead the GIC to reactivate the
+interrupt only to find that no L2 interrupt was pending. The result was a
+spurious interrupt invoking handle_bad_irq() with its associated
+messaging. While this did not create a functional problem it is a waste of
+cycles.
+
+The hazard exists because the memory mapped bus writes to the brcmstb-l2
+registers are buffered and the GIC v3 architecture uses a very efficient
+system register write to deactivate the interrupt.
+
+Add a write memory barrier prior to invoking chained_irq_exit() to
+introduce a dsb(st) on those systems to ensure the system register write
+cannot be executed until the memory mapped writes are visible to the
+system.
+
+[ florian: Added Fixes tag ]
+
+Fixes: 7f646e92766e ("irqchip: brcmstb-l2: Add Broadcom Set Top Box  Level-2 interrupt controller")
+Signed-off-by: Doug Berger <opendmb@gmail.com>
+Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Acked-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240210012449.3009125-1-florian.fainelli@broadcom.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-brcmstb-l2.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/irqchip/irq-brcmstb-l2.c
++++ b/drivers/irqchip/irq-brcmstb-l2.c
+@@ -2,7 +2,7 @@
+ /*
+  * Generic Broadcom Set Top Box Level 2 Interrupt controller driver
+  *
+- * Copyright (C) 2014-2017 Broadcom
++ * Copyright (C) 2014-2024 Broadcom
+  */
+ #define pr_fmt(fmt)   KBUILD_MODNAME  ": " fmt
+@@ -113,6 +113,9 @@ static void brcmstb_l2_intc_irq_handle(s
+               generic_handle_domain_irq(b->domain, irq);
+       } while (status);
+ out:
++      /* Don't ack parent before all device writes are done */
++      wmb();
++
+       chained_irq_exit(chip, desc);
+ }
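Review bot: The comment added above `wmb()` in brcmstb_l2_intc_irq_handle() says what must not happen but not why a barrier is needed, and the reason currently lives only in the commit message. I would expand it to something like `/* MMIO writes to the L2 registers are buffered; order them before the parent's deactivation, which on GICv3 is a system register write */`. The handler's body starts outside the hunk.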
diff --git a/queue-6.1/mm-hugetlb-pages-should-not-be-reserved-by-shmat-if-shm_noreserve.patch b/queue-6.1/mm-hugetlb-pages-should-not-be-reserved-by-shmat-if-shm_noreserve.patch
new file mode 100644 (file)
index 0000000..6647562
--- /dev/null
@@ -0,0 +1,103 @@
+From e656c7a9e59607d1672d85ffa9a89031876ffe67 Mon Sep 17 00:00:00 2001
+From: Prakash Sangappa <prakash.sangappa@oracle.com>
+Date: Tue, 23 Jan 2024 12:04:42 -0800
+Subject: mm: hugetlb pages should not be reserved by shmat() if SHM_NORESERVE
+
+From: Prakash Sangappa <prakash.sangappa@oracle.com>
+
+commit e656c7a9e59607d1672d85ffa9a89031876ffe67 upstream.
+
+For shared memory of type SHM_HUGETLB, hugetlb pages are reserved in
+shmget() call.  If SHM_NORESERVE flags is specified then the hugetlb pages
+are not reserved.  However when the shared memory is attached with the
+shmat() call the hugetlb pages are getting reserved incorrectly for
+SHM_HUGETLB shared memory created with SHM_NORESERVE which is a bug.
+
+-------------------------------
+Following test shows the issue.
+
+$cat shmhtb.c
+
+int main()
+{
+       int shmflags = 0660 | IPC_CREAT | SHM_HUGETLB | SHM_NORESERVE;
+       int shmid;
+
+       shmid = shmget(SKEY, SHMSZ, shmflags);
+       if (shmid < 0)
+       {
+               printf("shmat: shmget() failed, %d\n", errno);
+               return 1;
+       }
+       printf("After shmget()\n");
+       system("cat /proc/meminfo | grep -i hugepages_");
+
+       shmat(shmid, NULL, 0);
+       printf("\nAfter shmat()\n");
+       system("cat /proc/meminfo | grep -i hugepages_");
+
+       shmctl(shmid, IPC_RMID, NULL);
+       return 0;
+}
+
+ #sysctl -w vm.nr_hugepages=20
+ #./shmhtb
+
+After shmget()
+HugePages_Total:      20
+HugePages_Free:       20
+HugePages_Rsvd:        0
+HugePages_Surp:        0
+
+After shmat()
+HugePages_Total:      20
+HugePages_Free:       20
+HugePages_Rsvd:        5 <--
+HugePages_Surp:        0
+--------------------------------
+
+Fix is to ensure that hugetlb pages are not reserved for SHM_HUGETLB shared
+memory in the shmat() call.
+
+Link: https://lkml.kernel.org/r/1706040282-12388-1-git-send-email-prakash.sangappa@oracle.com
+Signed-off-by: Prakash Sangappa <prakash.sangappa@oracle.com>
+Acked-by: Muchun Song <muchun.song@linux.dev>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/hugetlbfs/inode.c |   13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/fs/hugetlbfs/inode.c
++++ b/fs/hugetlbfs/inode.c
+@@ -123,6 +123,7 @@ static int hugetlbfs_file_mmap(struct fi
+       loff_t len, vma_len;
+       int ret;
+       struct hstate *h = hstate_file(file);
++      vm_flags_t vm_flags;
+       /*
+        * vma address alignment (but not the pgoff alignment) has
+@@ -164,10 +165,20 @@ static int hugetlbfs_file_mmap(struct fi
+       file_accessed(file);
+       ret = -ENOMEM;
++
++      vm_flags = vma->vm_flags;
++      /*
++       * for SHM_HUGETLB, the pages are reserved in the shmget() call so skip
++       * reserving here. Note: only for SHM hugetlbfs file, the inode
++       * flag S_PRIVATE is set.
++       */
++      if (inode->i_flags & S_PRIVATE)
++              vm_flags |= VM_NORESERVE;
++
+       if (!hugetlb_reserve_pages(inode,
+                               vma->vm_pgoff >> huge_page_order(h),
+                               len >> huge_page_shift(h), vma,
+-                              vma->vm_flags))
++                              vm_flags))
+               goto out;
+       ret = 0;
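Review bot: The new comment above the `S_PRIVATE` test in hugetlbfs_file_mmap() covers only the case where shmget() already took the reservation. The same branch is also what stops a SHM_NORESERVE segment from being reserved at attach, which is the bug this patch fixes. I would word it to cover both, e.g. `/* SHM hugetlbfs inodes (S_PRIVATE) get their reservation, if any, at shmget() time; never reserve again at shmat() */`. The check relies on S_PRIVATE being set only on SHM hugetlbfs inodes, which is established outside this hunk and worth confirming against the other hugetlbfs inode creators. The function body starts and ends outside the hunk.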
diff --git a/queue-6.1/mmc-sdhci-pci-o2micro-fix-a-warm-reboot-issue-that-disk-can-t-be-detected-by-bios.patch b/queue-6.1/mmc-sdhci-pci-o2micro-fix-a-warm-reboot-issue-that-disk-can-t-be-detected-by-bios.patch
new file mode 100644 (file)
index 0000000..ab27030
--- /dev/null
@@ -0,0 +1,69 @@
+From 58aeb5623c2ebdadefe6352b14f8076a7073fea0 Mon Sep 17 00:00:00 2001
+From: Fred Ai <fred.ai@bayhubtech.com>
+Date: Sat, 3 Feb 2024 02:29:08 -0800
+Subject: mmc: sdhci-pci-o2micro: Fix a warm reboot issue that disk can't be detected by BIOS
+
+From: Fred Ai <fred.ai@bayhubtech.com>
+
+commit 58aeb5623c2ebdadefe6352b14f8076a7073fea0 upstream.
+
+Driver shall switch clock source from DLL clock to
+OPE clock when power off card to ensure that card
+can be identified with OPE clock by BIOS.
+
+Signed-off-by: Fred Ai <fred.ai@bayhubtech.com>
+Fixes:4be33cf18703 ("mmc: sdhci-pci-o2micro: Improve card input timing at SDR104/HS200 mode")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240203102908.4683-1-fredaibayhubtech@126.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-pci-o2micro.c |   30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+--- a/drivers/mmc/host/sdhci-pci-o2micro.c
++++ b/drivers/mmc/host/sdhci-pci-o2micro.c
+@@ -602,6 +602,35 @@ static void sdhci_pci_o2_set_clock(struc
+       sdhci_o2_enable_clk(host, clk);
+ }
++static void sdhci_pci_o2_set_power(struct sdhci_host *host, unsigned char mode,  unsigned short vdd)
++{
++      struct sdhci_pci_chip *chip;
++      struct sdhci_pci_slot *slot = sdhci_priv(host);
++      u32 scratch_32 = 0;
++      u8 scratch_8 = 0;
++
++      chip = slot->chip;
++
++      if (mode == MMC_POWER_OFF) {
++              /* UnLock WP */
++              pci_read_config_byte(chip->pdev, O2_SD_LOCK_WP, &scratch_8);
++              scratch_8 &= 0x7f;
++              pci_write_config_byte(chip->pdev, O2_SD_LOCK_WP, scratch_8);
++
++              /* Set PCR 0x354[16] to switch Clock Source back to OPE Clock */
++              pci_read_config_dword(chip->pdev, O2_SD_OUTPUT_CLK_SOURCE_SWITCH, &scratch_32);
++              scratch_32 &= ~(O2_SD_SEL_DLL);
++              pci_write_config_dword(chip->pdev, O2_SD_OUTPUT_CLK_SOURCE_SWITCH, scratch_32);
++
++              /* Lock WP */
++              pci_read_config_byte(chip->pdev, O2_SD_LOCK_WP, &scratch_8);
++              scratch_8 |= 0x80;
++              pci_write_config_byte(chip->pdev, O2_SD_LOCK_WP, scratch_8);
++      }
++
++      sdhci_set_power(host, mode, vdd);
++}
++
+ static int sdhci_pci_o2_probe_slot(struct sdhci_pci_slot *slot)
+ {
+       struct sdhci_pci_chip *chip;
+@@ -911,6 +940,7 @@ static const struct sdhci_ops sdhci_pci_
+       .set_bus_width = sdhci_set_bus_width,
+       .reset = sdhci_reset,
+       .set_uhs_signaling = sdhci_set_uhs_signaling,
++      .set_power = sdhci_pci_o2_set_power,
+ };
+ const struct sdhci_pci_fixes sdhci_o2 = {
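Review bot: In the new sdhci_pci_o2_set_power(), none of the pci_read_config_*() return values are checked. If a read fails on the MMC_POWER_OFF path, the following write stores a value not derived from the register's real contents into `O2_SD_LOCK_WP` or `O2_SD_OUTPUT_CLK_SOURCE_SWITCH`. I would skip the modify-write when the read fails, e.g. wrap the clock-source update in `if (!pci_read_config_dword(chip->pdev, O2_SD_OUTPUT_CLK_SOURCE_SWITCH, &scratch_32))`, while still running the re-lock step so the write-protect bit is not left cleared. The bare `0x7f`/`0x80` masks would also read better as one named lock-bit constant. Whether other functions in this file already follow either pattern is not visible from this hunk.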
diff --git a/queue-6.1/net-ethernet-ti-cpsw-enable-mac_managed_pm-to-fix-mdio.patch b/queue-6.1/net-ethernet-ti-cpsw-enable-mac_managed_pm-to-fix-mdio.patch
new file mode 100644 (file)
index 0000000..dd78ae9
--- /dev/null
@@ -0,0 +1,62 @@
+From bc4ce46b1e3d1da4309405cd4afc7c0fcddd0b90 Mon Sep 17 00:00:00 2001
+From: Sinthu Raja <sinthu.raja@ti.com>
+Date: Tue, 6 Feb 2024 06:29:28 +0530
+Subject: net: ethernet: ti: cpsw: enable mac_managed_pm to fix mdio
+
+From: Sinthu Raja <sinthu.raja@ti.com>
+
+commit bc4ce46b1e3d1da4309405cd4afc7c0fcddd0b90 upstream.
+
+The below commit  introduced a WARN when phy state is not in the states:
+PHY_HALTED, PHY_READY and PHY_UP.
+commit 744d23c71af3 ("net: phy: Warn about incorrect mdio_bus_phy_resume() state")
+
+When cpsw resumes, there have port in PHY_NOLINK state, so the below
+warning comes out. Set mac_managed_pm be true to tell mdio that the phy
+resume/suspend is managed by the mac, to fix the following warning:
+
+WARNING: CPU: 0 PID: 965 at drivers/net/phy/phy_device.c:326 mdio_bus_phy_resume+0x140/0x144
+CPU: 0 PID: 965 Comm: sh Tainted: G           O       6.1.46-g247b2535b2 #1
+Hardware name: Generic AM33XX (Flattened Device Tree)
+ unwind_backtrace from show_stack+0x18/0x1c
+ show_stack from dump_stack_lvl+0x24/0x2c
+ dump_stack_lvl from __warn+0x84/0x15c
+ __warn from warn_slowpath_fmt+0x1a8/0x1c8
+ warn_slowpath_fmt from mdio_bus_phy_resume+0x140/0x144
+ mdio_bus_phy_resume from dpm_run_callback+0x3c/0x140
+ dpm_run_callback from device_resume+0xb8/0x2b8
+ device_resume from dpm_resume+0x144/0x314
+ dpm_resume from dpm_resume_end+0x14/0x20
+ dpm_resume_end from suspend_devices_and_enter+0xd0/0x924
+ suspend_devices_and_enter from pm_suspend+0x2e0/0x33c
+ pm_suspend from state_store+0x74/0xd0
+ state_store from kernfs_fop_write_iter+0x104/0x1ec
+ kernfs_fop_write_iter from vfs_write+0x1b8/0x358
+ vfs_write from ksys_write+0x78/0xf8
+ ksys_write from ret_fast_syscall+0x0/0x54
+Exception stack(0xe094dfa8 to 0xe094dff0)
+dfa0:                   00000004 005c3fb8 00000001 005c3fb8 00000004 00000001
+dfc0: 00000004 005c3fb8 b6f6bba0 00000004 00000004 0059edb8 00000000 00000000
+dfe0: 00000004 bed918f0 b6f09bd3 b6e89a66
+
+Cc: <stable@vger.kernel.org> # v6.0+
+Fixes: 744d23c71af3 ("net: phy: Warn about incorrect mdio_bus_phy_resume() state")
+Fixes: fba863b81604 ("net: phy: make PHY PM ops a no-op if MAC driver manages PHY PM")
+Signed-off-by: Sinthu Raja <sinthu.raja@ti.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ti/cpsw.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/ti/cpsw.c
++++ b/drivers/net/ethernet/ti/cpsw.c
+@@ -631,6 +631,8 @@ static void cpsw_slave_open(struct cpsw_
+               }
+       }
++      phy->mac_managed_pm = true;
++
+       slave->phy = phy;
+       phy_attached_info(slave->phy);
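Review bot: The added `phy->mac_managed_pm = true;` in cpsw_slave_open() has no comment, and the reason for it (the MDIO bus resume path warns when the PHY is in a state such as PHY_NOLINK) lives only in the commit message. A one-line comment such as `/* PHY suspend/resume is handled by the MAC driver, not by the MDIO bus PM ops */` would keep a later cleanup from dropping it. The dereference is safe only if every failed-connect path has already returned. That is visible in the cpsw_new.c hunk (`return;` just above the assignment) but lies outside the hunk here, so it is worth confirming. The same comment applies to the identical change in cpsw_new.c.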
diff --git a/queue-6.1/net-ethernet-ti-cpsw_new-enable-mac_managed_pm-to-fix-mdio.patch b/queue-6.1/net-ethernet-ti-cpsw_new-enable-mac_managed_pm-to-fix-mdio.patch
new file mode 100644 (file)
index 0000000..1153d8b
--- /dev/null
@@ -0,0 +1,63 @@
+From 9def04e759caa5a3d741891037ae99f81e2fff01 Mon Sep 17 00:00:00 2001
+From: Sinthu Raja <sinthu.raja@ti.com>
+Date: Tue, 6 Feb 2024 06:29:27 +0530
+Subject: net: ethernet: ti: cpsw_new: enable mac_managed_pm to fix mdio
+
+From: Sinthu Raja <sinthu.raja@ti.com>
+
+commit 9def04e759caa5a3d741891037ae99f81e2fff01 upstream.
+
+The below commit  introduced a WARN when phy state is not in the states:
+PHY_HALTED, PHY_READY and PHY_UP.
+commit 744d23c71af3 ("net: phy: Warn about incorrect mdio_bus_phy_resume() state")
+
+When cpsw_new resumes, there have port in PHY_NOLINK state, so the below
+warning comes out. Set mac_managed_pm be true to tell mdio that the phy
+resume/suspend is managed by the mac, to fix the following warning:
+
+WARNING: CPU: 0 PID: 965 at drivers/net/phy/phy_device.c:326 mdio_bus_phy_resume+0x140/0x144
+CPU: 0 PID: 965 Comm: sh Tainted: G           O       6.1.46-g247b2535b2 #1
+Hardware name: Generic AM33XX (Flattened Device Tree)
+ unwind_backtrace from show_stack+0x18/0x1c
+ show_stack from dump_stack_lvl+0x24/0x2c
+ dump_stack_lvl from __warn+0x84/0x15c
+ __warn from warn_slowpath_fmt+0x1a8/0x1c8
+ warn_slowpath_fmt from mdio_bus_phy_resume+0x140/0x144
+ mdio_bus_phy_resume from dpm_run_callback+0x3c/0x140
+ dpm_run_callback from device_resume+0xb8/0x2b8
+ device_resume from dpm_resume+0x144/0x314
+ dpm_resume from dpm_resume_end+0x14/0x20
+ dpm_resume_end from suspend_devices_and_enter+0xd0/0x924
+ suspend_devices_and_enter from pm_suspend+0x2e0/0x33c
+ pm_suspend from state_store+0x74/0xd0
+ state_store from kernfs_fop_write_iter+0x104/0x1ec
+ kernfs_fop_write_iter from vfs_write+0x1b8/0x358
+ vfs_write from ksys_write+0x78/0xf8
+ ksys_write from ret_fast_syscall+0x0/0x54
+Exception stack(0xe094dfa8 to 0xe094dff0)
+dfa0:                   00000004 005c3fb8 00000001 005c3fb8 00000004 00000001
+dfc0: 00000004 005c3fb8 b6f6bba0 00000004 00000004 0059edb8 00000000 00000000
+dfe0: 00000004 bed918f0 b6f09bd3 b6e89a66
+
+Cc: <stable@vger.kernel.org> # v6.0+
+Fixes: 744d23c71af3 ("net: phy: Warn about incorrect mdio_bus_phy_resume() state")
+Fixes: fba863b81604 ("net: phy: make PHY PM ops a no-op if MAC driver manages PHY PM")
+Signed-off-by: Sinthu Raja <sinthu.raja@ti.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ti/cpsw_new.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/ti/cpsw_new.c
++++ b/drivers/net/ethernet/ti/cpsw_new.c
+@@ -772,6 +772,9 @@ static void cpsw_slave_open(struct cpsw_
+                       slave->slave_num);
+               return;
+       }
++
++      phy->mac_managed_pm = true;
++
+       slave->phy = phy;
+       phy_attached_info(slave->phy);
diff --git a/queue-6.1/nfp-flower-prevent-re-adding-mac-index-for-bonded-port.patch b/queue-6.1/nfp-flower-prevent-re-adding-mac-index-for-bonded-port.patch
new file mode 100644 (file)
index 0000000..f82fac2
--- /dev/null
@@ -0,0 +1,50 @@
+From 1a1c13303ff6d64e6f718dc8aa614e580ca8d9b4 Mon Sep 17 00:00:00 2001
+From: Daniel de Villiers <daniel.devilliers@corigine.com>
+Date: Fri, 2 Feb 2024 13:37:18 +0200
+Subject: nfp: flower: prevent re-adding mac index for bonded port
+
+From: Daniel de Villiers <daniel.devilliers@corigine.com>
+
+commit 1a1c13303ff6d64e6f718dc8aa614e580ca8d9b4 upstream.
+
+When physical ports are reset (either through link failure or manually
+toggled down and up again) that are slaved to a Linux bond with a tunnel
+endpoint IP address on the bond device, not all tunnel packets arriving
+on the bond port are decapped as expected.
+
+The bond dev assigns the same MAC address to itself and each of its
+slaves. When toggling a slave device, the same MAC address is therefore
+offloaded to the NFP multiple times with different indexes.
+
+The issue only occurs when re-adding the shared mac. The
+nfp_tunnel_add_shared_mac() function has a conditional check early on
+that checks if a mac entry already exists and if that mac entry is
+global: (entry && nfp_tunnel_is_mac_idx_global(entry->index)). In the
+case of a bonded device (For example br-ex), the mac index is obtained,
+and no new index is assigned.
+
+We therefore modify the conditional in nfp_tunnel_add_shared_mac() to
+check if the port belongs to the LAG along with the existing checks to
+prevent a new global mac index from being re-assigned to the slave port.
+
+Fixes: 20cce8865098 ("nfp: flower: enable MAC address sharing for offloadable devs")
+CC: stable@vger.kernel.org # 5.1+
+Signed-off-by: Daniel de Villiers <daniel.devilliers@corigine.com>
+Signed-off-by: Louis Peens <louis.peens@corigine.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c
++++ b/drivers/net/ethernet/netronome/nfp/flower/tunnel_conf.c
+@@ -980,7 +980,7 @@ nfp_tunnel_add_shared_mac(struct nfp_app
+       u16 nfp_mac_idx = 0;
+       entry = nfp_tunnel_lookup_offloaded_macs(app, netdev->dev_addr);
+-      if (entry && nfp_tunnel_is_mac_idx_global(entry->index)) {
++      if (entry && (nfp_tunnel_is_mac_idx_global(entry->index) || netif_is_lag_port(netdev))) {
+               if (entry->bridge_count ||
+                   !nfp_flower_is_supported_bridge(netdev)) {
+                       nfp_tunnel_offloaded_macs_inc_ref_and_link(entry,
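Review bot: The rewritten condition in nfp_tunnel_add_shared_mac() is now well over the kernel's line-length limit and mixes two different reasons for reusing an entry, so I would wrap it and say why the LAG case is there. For example, break after `if (entry && (nfp_tunnel_is_mac_idx_global(entry->index) ||` and continue with `netif_is_lag_port(netdev))) {`, with a comment like `/* bond slaves share the bond's MAC; reuse the existing index instead of offloading it again */`. Note that `netif_is_lag_port()` is true for any bond or team port, so the branch now also covers entries whose index is not global. Whether the code inside the branch, which continues past the hunk, is correct for such an index cannot be checked from here.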
diff --git a/queue-6.1/nfp-use-correct-macro-for-lengthselect-in-bar-config.patch b/queue-6.1/nfp-use-correct-macro-for-lengthselect-in-bar-config.patch
new file mode 100644 (file)
index 0000000..aa44715
--- /dev/null
@@ -0,0 +1,46 @@
+From b3d4f7f2288901ed2392695919b3c0e24c1b4084 Mon Sep 17 00:00:00 2001
+From: Daniel Basilio <daniel.basilio@corigine.com>
+Date: Fri, 2 Feb 2024 13:37:17 +0200
+Subject: nfp: use correct macro for LengthSelect in BAR config
+
+From: Daniel Basilio <daniel.basilio@corigine.com>
+
+commit b3d4f7f2288901ed2392695919b3c0e24c1b4084 upstream.
+
+The 1st and 2nd expansion BAR configuration registers are configured,
+when the driver starts up, in variables 'barcfg_msix_general' and
+'barcfg_msix_xpb', respectively. The 'LengthSelect' field is ORed in
+from bit 0, which is incorrect. The 'LengthSelect' field should
+start from bit 27.
+
+This has largely gone un-noticed because
+NFP_PCIE_BAR_PCIE2CPP_LengthSelect_32BIT happens to be 0.
+
+Fixes: 4cb584e0ee7d ("nfp: add CPP access core")
+Cc: stable@vger.kernel.org # 4.11+
+Signed-off-by: Daniel Basilio <daniel.basilio@corigine.com>
+Signed-off-by: Louis Peens <louis.peens@corigine.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c
++++ b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c
+@@ -537,11 +537,13 @@ static int enable_bars(struct nfp6000_pc
+       const u32 barcfg_msix_general =
+               NFP_PCIE_BAR_PCIE2CPP_MapType(
+                       NFP_PCIE_BAR_PCIE2CPP_MapType_GENERAL) |
+-              NFP_PCIE_BAR_PCIE2CPP_LengthSelect_32BIT;
++              NFP_PCIE_BAR_PCIE2CPP_LengthSelect(
++                      NFP_PCIE_BAR_PCIE2CPP_LengthSelect_32BIT);
+       const u32 barcfg_msix_xpb =
+               NFP_PCIE_BAR_PCIE2CPP_MapType(
+                       NFP_PCIE_BAR_PCIE2CPP_MapType_BULK) |
+-              NFP_PCIE_BAR_PCIE2CPP_LengthSelect_32BIT |
++              NFP_PCIE_BAR_PCIE2CPP_LengthSelect(
++                      NFP_PCIE_BAR_PCIE2CPP_LengthSelect_32BIT) |
+               NFP_PCIE_BAR_PCIE2CPP_Target_BaseAddress(
+                       NFP_CPP_TARGET_ISLAND_XPB);
+       const u32 barcfg_explicit[4] = {
diff --git a/queue-6.1/of-property-fix-typo-in-io-channels.patch b/queue-6.1/of-property-fix-typo-in-io-channels.patch
new file mode 100644 (file)
index 0000000..f2993fd
--- /dev/null
@@ -0,0 +1,35 @@
+From 8f7e917907385e112a845d668ae2832f41e64bf5 Mon Sep 17 00:00:00 2001
+From: Nuno Sa <nuno.sa@analog.com>
+Date: Tue, 23 Jan 2024 16:14:22 +0100
+Subject: of: property: fix typo in io-channels
+
+From: Nuno Sa <nuno.sa@analog.com>
+
+commit 8f7e917907385e112a845d668ae2832f41e64bf5 upstream.
+
+The property is io-channels and not io-channel. This was effectively
+preventing the devlink creation.
+
+Fixes: 8e12257dead7 ("of: property: Add device link support for iommus, mboxes and io-channels")
+Cc: stable@vger.kernel.org
+Signed-off-by: Nuno Sa <nuno.sa@analog.com>
+Reviewed-by: Saravana Kannan <saravanak@google.com>
+Acked-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Link: https://lore.kernel.org/r/20240123-iio-backend-v7-1-1bff236b8693@analog.com
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/property.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/of/property.c
++++ b/drivers/of/property.c
+@@ -1243,7 +1243,7 @@ DEFINE_SIMPLE_PROP(clocks, "clocks", "#c
+ DEFINE_SIMPLE_PROP(interconnects, "interconnects", "#interconnect-cells")
+ DEFINE_SIMPLE_PROP(iommus, "iommus", "#iommu-cells")
+ DEFINE_SIMPLE_PROP(mboxes, "mboxes", "#mbox-cells")
+-DEFINE_SIMPLE_PROP(io_channels, "io-channel", "#io-channel-cells")
++DEFINE_SIMPLE_PROP(io_channels, "io-channels", "#io-channel-cells")
+ DEFINE_SIMPLE_PROP(interrupt_parent, "interrupt-parent", NULL)
+ DEFINE_SIMPLE_PROP(dmas, "dmas", "#dma-cells")
+ DEFINE_SIMPLE_PROP(power_domains, "power-domains", "#power-domain-cells")
diff --git a/queue-6.1/pmdomain-core-move-the-unused-cleanup-to-a-_sync-initcall.patch b/queue-6.1/pmdomain-core-move-the-unused-cleanup-to-a-_sync-initcall.patch
new file mode 100644 (file)
index 0000000..154efe1
--- /dev/null
@@ -0,0 +1,34 @@
+From 741ba0134fa7822fcf4e4a0a537a5c4cfd706b20 Mon Sep 17 00:00:00 2001
+From: Konrad Dybcio <konrad.dybcio@linaro.org>
+Date: Wed, 27 Dec 2023 16:21:24 +0100
+Subject: pmdomain: core: Move the unused cleanup to a _sync initcall
+
+From: Konrad Dybcio <konrad.dybcio@linaro.org>
+
+commit 741ba0134fa7822fcf4e4a0a537a5c4cfd706b20 upstream.
+
+The unused clock cleanup uses the _sync initcall to give all users at
+earlier initcalls time to probe. Do the same to avoid leaving some PDs
+dangling at "on" (which actually happened on qcom!).
+
+Fixes: 2fe71dcdfd10 ("PM / domains: Add late_initcall to disable unused PM domains")
+Signed-off-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20231227-topic-pmdomain_sync_cleanup-v1-1-5f36769d538b@linaro.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/power/domain.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/base/power/domain.c
++++ b/drivers/base/power/domain.c
+@@ -1052,7 +1052,7 @@ static int __init genpd_power_off_unused
+       return 0;
+ }
+-late_initcall(genpd_power_off_unused);
++late_initcall_sync(genpd_power_off_unused);
+ #ifdef CONFIG_PM_SLEEP
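Review bot: The switch to `late_initcall_sync(genpd_power_off_unused);` carries an ordering assumption that is not written down next to the call, so a later tidy-up could revert it without noticing. A comment such as `/* _sync, like the unused-clock cleanup: let everything at earlier initcall levels probe before unused domains are powered off */` would record the intent stated in the commit message. genpd_power_off_unused() itself starts outside the hunk.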
diff --git a/queue-6.1/s390-qeth-fix-potential-loss-of-l3-ip-in-case-of-network-issues.patch b/queue-6.1/s390-qeth-fix-potential-loss-of-l3-ip-in-case-of-network-issues.patch
new file mode 100644 (file)
index 0000000..568cc28
--- /dev/null
@@ -0,0 +1,70 @@
+From 2fe8a236436fe40d8d26a1af8d150fc80f04ee1a Mon Sep 17 00:00:00 2001
+From: Alexandra Winter <wintera@linux.ibm.com>
+Date: Tue, 6 Feb 2024 09:58:49 +0100
+Subject: s390/qeth: Fix potential loss of L3-IP@ in case of network issues
+
+From: Alexandra Winter <wintera@linux.ibm.com>
+
+commit 2fe8a236436fe40d8d26a1af8d150fc80f04ee1a upstream.
+
+Symptom:
+In case of a bad cable connection (e.g. dirty optics) a fast sequence of
+network DOWN-UP-DOWN-UP could happen. UP triggers recovery of the qeth
+interface. In case of a second DOWN while recovery is still ongoing, it
+can happen that the IP@ of a Layer3 qeth interface is lost and will not
+be recovered by the second UP.
+
+Problem:
+When registration of IP addresses with Layer 3 qeth devices fails, (e.g.
+because of bad address format) the respective IP address is deleted from
+its hash-table in the driver. If registration fails because of a ENETDOWN
+condition, the address should stay in the hashtable, so a subsequent
+recovery can restore it.
+
+3caa4af834df ("qeth: keep ip-address after LAN_OFFLINE failure")
+fixes this for registration failures during normal operation, but not
+during recovery.
+
+Solution:
+Keep L3-IP address in case of ENETDOWN in qeth_l3_recover_ip(). For
+consistency with qeth_l3_add_ip() we also keep it in case of EADDRINUSE,
+i.e. for some reason the card already/still has this address registered.
+
+Fixes: 4a71df50047f ("qeth: new qeth device driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexandra Winter <wintera@linux.ibm.com>
+Link: https://lore.kernel.org/r/20240206085849.2902775-1-wintera@linux.ibm.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/net/qeth_l3_main.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/s390/net/qeth_l3_main.c
++++ b/drivers/s390/net/qeth_l3_main.c
+@@ -254,9 +254,10 @@ static void qeth_l3_clear_ip_htable(stru
+               if (!recover) {
+                       hash_del(&addr->hnode);
+                       kfree(addr);
+-                      continue;
++              } else {
++                      /* prepare for recovery */
++                      addr->disp_flag = QETH_DISP_ADDR_ADD;
+               }
+-              addr->disp_flag = QETH_DISP_ADDR_ADD;
+       }
+       mutex_unlock(&card->ip_lock);
+@@ -277,9 +278,11 @@ static void qeth_l3_recover_ip(struct qe
+               if (addr->disp_flag == QETH_DISP_ADDR_ADD) {
+                       rc = qeth_l3_register_addr_entry(card, addr);
+-                      if (!rc) {
++                      if (!rc || rc == -EADDRINUSE || rc == -ENETDOWN) {
++                              /* keep it in the records */
+                               addr->disp_flag = QETH_DISP_ADDR_DO_NOTHING;
+                       } else {
++                              /* bad address */
+                               hash_del(&addr->hnode);
+                               kfree(addr);
+                       }
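Review bot: In qeth_l3_recover_ip() the `-ENETDOWN` case is now marked `QETH_DISP_ADDR_DO_NOTHING`, the same state as a successful registration, although the address was not registered on the card. Going by the first hunk, it is only picked up again when qeth_l3_clear_ip_htable() runs with `recover` set and flips the flag back to `QETH_DISP_ADDR_ADD`, so the fix depends on another recovery following the failure. The comment `/* keep it in the records */` should say that, e.g. `/* keep it: on -ENETDOWN the next recovery re-adds it, on -EADDRINUSE the card already has it */`. Both function bodies extend beyond the hunks.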
index 3743eec488fd5e13b0c352dd6b71efef19c34aea..68f9ac914e82eb2ae357f8b9cc2fa55c696fb10a 100644 (file)
@@ -129,3 +129,33 @@ alsa-hda-realtek-fix-mute-micmute-led-for-hp-mt645.patch
 alsa-hda-conexant-add-quirk-for-sws-js201d.patch
 nilfs2-fix-data-corruption-in-dsync-block-recovery-for-small-block-sizes.patch
 nilfs2-fix-hang-in-nilfs_lookup_dirty_data_buffers.patch
+crypto-ccp-fix-null-pointer-dereference-in-__sev_platform_shutdown_locked.patch
+nfp-use-correct-macro-for-lengthselect-in-bar-config.patch
+nfp-flower-prevent-re-adding-mac-index-for-bonded-port.patch
+wifi-cfg80211-fix-wiphy-delayed-work-queueing.patch
+wifi-mac80211-reload-info-pointer-in-ieee80211_tx_dequeue.patch
+exit-wait_task_zombie-kill-the-no-longer-necessary-spin_lock_irq-siglock.patch
+irqchip-irq-brcmstb-l2-add-write-memory-barrier-before-exit.patch
+irqchip-gic-v3-its-fix-gicv4.1-vpe-affinity-update.patch
+zonefs-improve-error-handling.patch
+mmc-sdhci-pci-o2micro-fix-a-warm-reboot-issue-that-disk-can-t-be-detected-by-bios.patch
+asoc-amd-yc-add-dmi-quirk-for-lenovo-ideapad-pro-5-16arp8.patch
+tools-rtla-remove-unused-sched_getattr-function.patch
+tools-rtla-replace-setting-prio-with-nice-for-sched_other.patch
+tools-rtla-exit-with-exit_success-when-help-is-invoked.patch
+tools-rtla-fix-uninitialized-bucket-data-bucket_size-warning.patch
+tools-rtla-fix-makefile-compiler-options-for-clang.patch
+fs-relax-mount_setattr-permission-checks.patch
+net-ethernet-ti-cpsw-enable-mac_managed_pm-to-fix-mdio.patch
+s390-qeth-fix-potential-loss-of-l3-ip-in-case-of-network-issues.patch
+net-ethernet-ti-cpsw_new-enable-mac_managed_pm-to-fix-mdio.patch
+hv_netvsc-register-vf-in-netvsc_probe-if-net_device_register-missed.patch
+ceph-prevent-use-after-free-in-encode_cap_msg.patch
+fs-hugetlb-fix-null-pointer-dereference-in-hugetlbs_fill_super.patch
+mm-hugetlb-pages-should-not-be-reserved-by-shmat-if-shm_noreserve.patch
+of-property-fix-typo-in-io-channels.patch
+can-netlink-fix-tdco-calculation-using-the-old-data-bittiming.patch
+can-j1939-prevent-deadlock-by-changing-j1939_socks_lock-to-rwlock.patch
+can-j1939-fix-uaf-in-j1939_sk_match_filter-during-setsockopt-so_j1939_filter.patch
+pmdomain-core-move-the-unused-cleanup-to-a-_sync-initcall.patch
+fs-proc-do_task_stat-move-thread_group_cputime_adjusted-outside-of-lock_task_sighand.patch
diff --git a/queue-6.1/tools-rtla-exit-with-exit_success-when-help-is-invoked.patch b/queue-6.1/tools-rtla-exit-with-exit_success-when-help-is-invoked.patch
new file mode 100644 (file)
index 0000000..d623602
--- /dev/null
@@ -0,0 +1,90 @@
+From b5f319360371087d52070d8f3fc7789e80ce69a6 Mon Sep 17 00:00:00 2001
+From: John Kacur <jkacur@redhat.com>
+Date: Fri, 2 Feb 2024 19:16:07 -0500
+Subject: tools/rtla: Exit with EXIT_SUCCESS when help is invoked
+
+From: John Kacur <jkacur@redhat.com>
+
+commit b5f319360371087d52070d8f3fc7789e80ce69a6 upstream.
+
+Fix rtla so that the following commands exit with 0 when help is invoked
+
+rtla osnoise top -h
+rtla osnoise hist -h
+rtla timerlat top -h
+rtla timerlat hist -h
+
+Link: https://lore.kernel.org/linux-trace-devel/20240203001607.69703-1-jkacur@redhat.com
+
+Cc: stable@vger.kernel.org
+Fixes: 1eeb6328e8b3 ("rtla/timerlat: Add timerlat hist mode")
+Signed-off-by: John Kacur <jkacur@redhat.com>
+Signed-off-by: Daniel Bristot de Oliveira <bristot@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/tracing/rtla/src/osnoise_hist.c  |    6 +++++-
+ tools/tracing/rtla/src/osnoise_top.c   |    6 +++++-
+ tools/tracing/rtla/src/timerlat_hist.c |    6 +++++-
+ tools/tracing/rtla/src/timerlat_top.c  |    6 +++++-
+ 4 files changed, 20 insertions(+), 4 deletions(-)
+
+--- a/tools/tracing/rtla/src/osnoise_hist.c
++++ b/tools/tracing/rtla/src/osnoise_hist.c
+@@ -472,7 +472,11 @@ static void osnoise_hist_usage(char *usa
+       for (i = 0; msg[i]; i++)
+               fprintf(stderr, "%s\n", msg[i]);
+-      exit(1);
++
++      if (usage)
++              exit(EXIT_FAILURE);
++
++      exit(EXIT_SUCCESS);
+ }
+ /*
+--- a/tools/tracing/rtla/src/osnoise_top.c
++++ b/tools/tracing/rtla/src/osnoise_top.c
+@@ -282,7 +282,11 @@ void osnoise_top_usage(char *usage)
+       for (i = 0; msg[i]; i++)
+               fprintf(stderr, "%s\n", msg[i]);
+-      exit(1);
++
++      if (usage)
++              exit(EXIT_FAILURE);
++
++      exit(EXIT_SUCCESS);
+ }
+ /*
+--- a/tools/tracing/rtla/src/timerlat_hist.c
++++ b/tools/tracing/rtla/src/timerlat_hist.c
+@@ -475,7 +475,11 @@ static void timerlat_hist_usage(char *us
+       for (i = 0; msg[i]; i++)
+               fprintf(stderr, "%s\n", msg[i]);
+-      exit(1);
++
++      if (usage)
++              exit(EXIT_FAILURE);
++
++      exit(EXIT_SUCCESS);
+ }
+ /*
+--- a/tools/tracing/rtla/src/timerlat_top.c
++++ b/tools/tracing/rtla/src/timerlat_top.c
+@@ -305,7 +305,11 @@ static void timerlat_top_usage(char *usa
+       for (i = 0; msg[i]; i++)
+               fprintf(stderr, "%s\n", msg[i]);
+-      exit(1);
++
++      if (usage)
++              exit(EXIT_FAILURE);
++
++      exit(EXIT_SUCCESS);
+ }
+ /*
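Review bot: With this change `-h` exits 0, but the help text is still written with `fprintf(stderr, ...)` in the loop just above the new lines, so `rtla osnoise hist -h | less` or a script capturing stdout gets nothing. I would pick the stream from the same condition, `fprintf(usage ? stderr : stdout, "%s\n", msg[i]);`, and the two exit calls can then collapse to `exit(usage ? EXIT_FAILURE : EXIT_SUCCESS);`. This applies equally to osnoise_top_usage(), timerlat_hist_usage() and timerlat_top_usage(). All four functions start outside their hunks, so any earlier output they produce is not visible here.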
diff --git a/queue-6.1/tools-rtla-fix-makefile-compiler-options-for-clang.patch b/queue-6.1/tools-rtla-fix-makefile-compiler-options-for-clang.patch
new file mode 100644 (file)
index 0000000..18697ec
--- /dev/null
@@ -0,0 +1,72 @@
+From bc4cbc9d260ba8358ca63662919f4bb223cb603b Mon Sep 17 00:00:00 2001
+From: Daniel Bristot de Oliveira <bristot@kernel.org>
+Date: Tue, 6 Feb 2024 12:05:29 +0100
+Subject: tools/rtla: Fix Makefile compiler options for clang
+
+From: Daniel Bristot de Oliveira <bristot@kernel.org>
+
+commit bc4cbc9d260ba8358ca63662919f4bb223cb603b upstream.
+
+The following errors are showing up when compiling rtla with clang:
+
+ $ make HOSTCC=clang CC=clang LLVM_IAS=1
+ [...]
+
+  clang -O -g -DVERSION=\"6.8.0-rc1\" -flto=auto -ffat-lto-objects
+       -fexceptions -fstack-protector-strong
+       -fasynchronous-unwind-tables -fstack-clash-protection  -Wall
+       -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2
+       -Wp,-D_GLIBCXX_ASSERTIONS -Wno-maybe-uninitialized
+       $(pkg-config --cflags libtracefs)    -c -o src/utils.o src/utils.c
+
+  clang: warning: optimization flag '-ffat-lto-objects' is not supported [-Wignored-optimization-argument]
+  warning: unknown warning option '-Wno-maybe-uninitialized'; did you mean '-Wno-uninitialized'? [-Wunknown-warning-option]
+  1 warning generated.
+
+  clang -o rtla -ggdb  src/osnoise.o src/osnoise_hist.o src/osnoise_top.o
+  src/rtla.o src/timerlat_aa.o src/timerlat.o src/timerlat_hist.o
+  src/timerlat_top.o src/timerlat_u.o src/trace.o src/utils.o $(pkg-config --libs libtracefs)
+
+  src/osnoise.o: file not recognized: file format not recognized
+  clang: error: linker command failed with exit code 1 (use -v to see invocation)
+  make: *** [Makefile:110: rtla] Error 1
+
+Solve these issues by:
+  - removing -ffat-lto-objects and -Wno-maybe-uninitialized if using clang
+  - informing the linker about -flto=auto
+
+Link: https://lore.kernel.org/linux-trace-kernel/567ac1b94effc228ce9a0225b9df7232a9b35b55.1707217097.git.bristot@kernel.org
+
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Nathan Chancellor <nathan@kernel.org>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: Bill Wendling <morbo@google.com>
+Cc: Justin Stitt <justinstitt@google.com>
+Fixes: 1a7b22ab15eb ("tools/rtla: Build with EXTRA_{C,LD}FLAGS")
+Suggested-by: Donald Zickus <dzickus@redhat.com>
+Signed-off-by: Daniel Bristot de Oliveira <bristot@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/tracing/rtla/Makefile |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/tools/tracing/rtla/Makefile
++++ b/tools/tracing/rtla/Makefile
+@@ -28,10 +28,15 @@ FOPTS      :=      -flto=auto -ffat-lto-objects -f
+               -fasynchronous-unwind-tables -fstack-clash-protection
+ WOPTS :=      -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -Wno-maybe-uninitialized
++ifeq ($(CC),clang)
++  FOPTS := $(filter-out -ffat-lto-objects, $(FOPTS))
++  WOPTS := $(filter-out -Wno-maybe-uninitialized, $(WOPTS))
++endif
++
+ TRACEFS_HEADERS       := $$($(PKG_CONFIG) --cflags libtracefs)
+ CFLAGS        :=      -O -g -DVERSION=\"$(VERSION)\" $(FOPTS) $(MOPTS) $(WOPTS) $(TRACEFS_HEADERS) $(EXTRA_CFLAGS)
+-LDFLAGS       :=      -ggdb $(EXTRA_LDFLAGS)
++LDFLAGS       :=      -flto=auto -ggdb $(EXTRA_LDFLAGS)
+ LIBS  :=      $$($(PKG_CONFIG) --libs libtracefs)
+ SRC   :=      $(wildcard src/*.c)
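Review bot: `ifeq ($(CC),clang)` matches only the exact string, so a versioned name such as `CC=clang-17`, an absolute path or a `ccache clang` wrapper would skip the filter and presumably hit the same `-ffat-lto-objects` / `-Wno-maybe-uninitialized` problems the patch describes. A substring test such as `ifneq ($(findstring clang,$(CC)),)` is more tolerant. Separately, `-flto=auto` is now spelled out in both FOPTS and LDFLAGS, and a shared variable would keep the compile and link steps in agreement if the LTO mode is ever changed.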
diff --git a/queue-6.1/tools-rtla-fix-uninitialized-bucket-data-bucket_size-warning.patch b/queue-6.1/tools-rtla-fix-uninitialized-bucket-data-bucket_size-warning.patch
new file mode 100644 (file)
index 0000000..6c38e1c
--- /dev/null
@@ -0,0 +1,107 @@
+From 64dc40f7523369912d7adb22c8cb655f71610505 Mon Sep 17 00:00:00 2001
+From: Daniel Bristot de Oliveira <bristot@kernel.org>
+Date: Tue, 6 Feb 2024 12:05:30 +0100
+Subject: tools/rtla: Fix uninitialized bucket/data->bucket_size warning
+
+From: Daniel Bristot de Oliveira <bristot@kernel.org>
+
+commit 64dc40f7523369912d7adb22c8cb655f71610505 upstream.
+
+When compiling rtla with clang, I am getting the following warnings:
+
+$ make HOSTCC=clang CC=clang LLVM_IAS=1
+
+[..]
+clang -O -g -DVERSION=\"6.8.0-rc3\" -flto=auto -fexceptions
+       -fstack-protector-strong -fasynchronous-unwind-tables
+       -fstack-clash-protection  -Wall -Werror=format-security
+       -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
+       $(pkg-config --cflags libtracefs)
+       -c -o src/osnoise_hist.o src/osnoise_hist.c
+src/osnoise_hist.c:138:6: warning: variable 'bucket' is used uninitialized whenever 'if' condition is false [-Wsometimes-uninitialized]
+  138 |         if (data->bucket_size)
+      |             ^~~~~~~~~~~~~~~~~
+src/osnoise_hist.c:149:6: note: uninitialized use occurs here
+  149 |         if (bucket < entries)
+      |             ^~~~~~
+src/osnoise_hist.c:138:2: note: remove the 'if' if its condition is always true
+  138 |         if (data->bucket_size)
+      |         ^~~~~~~~~~~~~~~~~~~~~~
+  139 |                 bucket = duration / data->bucket_size;
+src/osnoise_hist.c:132:12: note: initialize the variable 'bucket' to silence this warning
+  132 |         int bucket;
+      |                   ^
+      |                    = 0
+1 warning generated.
+
+[...]
+
+clang -O -g -DVERSION=\"6.8.0-rc3\" -flto=auto -fexceptions
+       -fstack-protector-strong -fasynchronous-unwind-tables
+       -fstack-clash-protection  -Wall -Werror=format-security
+       -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
+       $(pkg-config --cflags libtracefs)
+       -c -o src/timerlat_hist.o src/timerlat_hist.c
+src/timerlat_hist.c:181:6: warning: variable 'bucket' is used uninitialized whenever 'if' condition is false [-Wsometimes-uninitialized]
+  181 |         if (data->bucket_size)
+      |             ^~~~~~~~~~~~~~~~~
+src/timerlat_hist.c:204:6: note: uninitialized use occurs here
+  204 |         if (bucket < entries)
+      |             ^~~~~~
+src/timerlat_hist.c:181:2: note: remove the 'if' if its condition is always true
+  181 |         if (data->bucket_size)
+      |         ^~~~~~~~~~~~~~~~~~~~~~
+  182 |                 bucket = latency / data->bucket_size;
+src/timerlat_hist.c:175:12: note: initialize the variable 'bucket' to silence this warning
+  175 |         int bucket;
+      |                   ^
+      |                    = 0
+1 warning generated.
+
+This is a legit warning, but data->bucket_size is always > 0 (see
+timerlat_hist_parse_args()), so the if is not necessary.
+
+Remove the unneeded if (data->bucket_size) to avoid the warning.
+
+Link: https://lkml.kernel.org/r/6e1b1665cd99042ae705b3e0fc410858c4c42346.1707217097.git.bristot@kernel.org
+
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Nathan Chancellor <nathan@kernel.org>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: Bill Wendling <morbo@google.com>
+Cc: Justin Stitt <justinstitt@google.com>
+Cc: Donald Zickus <dzickus@redhat.com>
+Fixes: 1eeb6328e8b3 ("rtla/timerlat: Add timerlat hist mode")
+Fixes: 829a6c0b5698 ("rtla/osnoise: Add the hist mode")
+Signed-off-by: Daniel Bristot de Oliveira <bristot@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/tracing/rtla/src/osnoise_hist.c  |    3 +--
+ tools/tracing/rtla/src/timerlat_hist.c |    3 +--
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+--- a/tools/tracing/rtla/src/osnoise_hist.c
++++ b/tools/tracing/rtla/src/osnoise_hist.c
+@@ -129,8 +129,7 @@ static void osnoise_hist_update_multiple
+       if (params->output_divisor)
+               duration = duration / params->output_divisor;
+-      if (data->bucket_size)
+-              bucket = duration / data->bucket_size;
++      bucket = duration / data->bucket_size;
+       total_duration = duration * count;
+--- a/tools/tracing/rtla/src/timerlat_hist.c
++++ b/tools/tracing/rtla/src/timerlat_hist.c
+@@ -151,8 +151,7 @@ timerlat_hist_update(struct osnoise_tool
+       if (params->output_divisor)
+               latency = latency / params->output_divisor;
+-      if (data->bucket_size)
+-              bucket = latency / data->bucket_size;
++      bucket = latency / data->bucket_size;
+       if (!thread) {
+               hist = data->hist[cpu].irq;
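Review bot: The unconditional `bucket = duration / data->bucket_size;` in osnoise_hist.c, and the matching `bucket = latency / data->bucket_size;` in timerlat_hist.c, now divide by a value whose non-zero guarantee lives in the argument parsers, and the commit message cites only timerlat_hist_parse_args(). It is worth confirming that the osnoise parser enforces the same lower bound, since a zero here would be a division by zero rather than the old uninitialized read. A one-line comment above each division would keep the invariant visible: `/* bucket_size is validated to be > 0 when the arguments are parsed */`. Both functions start and end outside their hunks.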
diff --git a/queue-6.1/tools-rtla-remove-unused-sched_getattr-function.patch b/queue-6.1/tools-rtla-remove-unused-sched_getattr-function.patch
new file mode 100644 (file)
index 0000000..3934ab5
--- /dev/null
@@ -0,0 +1,52 @@
+From 084ce16df0f060efd371092a09a7ae74a536dc11 Mon Sep 17 00:00:00 2001
+From: Daniel Bristot de Oliveira <bristot@kernel.org>
+Date: Tue, 6 Feb 2024 12:05:32 +0100
+Subject: tools/rtla: Remove unused sched_getattr() function
+
+From: Daniel Bristot de Oliveira <bristot@kernel.org>
+
+commit 084ce16df0f060efd371092a09a7ae74a536dc11 upstream.
+
+Clang is reporting:
+
+$ make HOSTCC=clang CC=clang LLVM_IAS=1
+[...]
+clang -O -g -DVERSION=\"6.8.0-rc3\" -flto=auto -fexceptions -fstack-protector-strong -fasynchronous-unwind-tables -fstack-clash-protection  -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS $(pkg-config --cflags libtracefs)    -c -o src/utils.o src/utils.c
+src/utils.c:241:19: warning: unused function 'sched_getattr' [-Wunused-function]
+  241 | static inline int sched_getattr(pid_t pid, struct sched_attr *attr,
+      |                   ^~~~~~~~~~~~~
+1 warning generated.
+
+Which is correct, so remove the unused function.
+
+Link: https://lkml.kernel.org/r/eaed7ba122c4ae88ce71277c824ef41cbf789385.1707217097.git.bristot@kernel.org
+
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Nathan Chancellor <nathan@kernel.org>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: Bill Wendling <morbo@google.com>
+Cc: Justin Stitt <justinstitt@google.com>
+Cc: Donald Zickus <dzickus@redhat.com>
+Fixes: b1696371d865 ("rtla: Helper functions for rtla")
+Signed-off-by: Daniel Bristot de Oliveira <bristot@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/tracing/rtla/src/utils.c |    6 ------
+ 1 file changed, 6 deletions(-)
+
+--- a/tools/tracing/rtla/src/utils.c
++++ b/tools/tracing/rtla/src/utils.c
+@@ -243,12 +243,6 @@ static inline int sched_setattr(pid_t pi
+       return syscall(__NR_sched_setattr, pid, attr, flags);
+ }
+-static inline int sched_getattr(pid_t pid, struct sched_attr *attr,
+-                              unsigned int size, unsigned int flags)
+-{
+-      return syscall(__NR_sched_getattr, pid, attr, size, flags);
+-}
+-
+ int __set_sched_attr(int pid, struct sched_attr *attr)
+ {
+       int flags = 0;
diff --git a/queue-6.1/tools-rtla-replace-setting-prio-with-nice-for-sched_other.patch b/queue-6.1/tools-rtla-replace-setting-prio-with-nice-for-sched_other.patch
new file mode 100644 (file)
index 0000000..48540df
--- /dev/null
@@ -0,0 +1,55 @@
+From 14f08c976ffe0d2117c6199c32663df1cbc45c65 Mon Sep 17 00:00:00 2001
+From: limingming3 <limingming890315@gmail.com>
+Date: Wed, 7 Feb 2024 14:51:42 +0800
+Subject: tools/rtla: Replace setting prio with nice for SCHED_OTHER
+
+From: limingming3 <limingming890315@gmail.com>
+
+commit 14f08c976ffe0d2117c6199c32663df1cbc45c65 upstream.
+
+Since the sched_priority for SCHED_OTHER is always 0, it makes no
+sence to set it.
+Setting nice for SCHED_OTHER seems more meaningful.
+
+Link: https://lkml.kernel.org/r/20240207065142.1753909-1-limingming3@lixiang.com
+
+Cc: stable@vger.kernel.org
+Fixes: b1696371d865 ("rtla: Helper functions for rtla")
+Signed-off-by: limingming3 <limingming3@lixiang.com>
+Signed-off-by: Daniel Bristot de Oliveira <bristot@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/tracing/rtla/src/utils.c |    6 +++---
+ tools/tracing/rtla/src/utils.h |    2 ++
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+--- a/tools/tracing/rtla/src/utils.c
++++ b/tools/tracing/rtla/src/utils.c
+@@ -478,13 +478,13 @@ int parse_prio(char *arg, struct sched_a
+               if (prio == INVALID_VAL)
+                       return -1;
+-              if (prio < sched_get_priority_min(SCHED_OTHER))
++              if (prio < MIN_NICE)
+                       return -1;
+-              if (prio > sched_get_priority_max(SCHED_OTHER))
++              if (prio > MAX_NICE)
+                       return -1;
+               sched_param->sched_policy   = SCHED_OTHER;
+-              sched_param->sched_priority = prio;
++              sched_param->sched_nice = prio;
+               break;
+       default:
+               return -1;
+--- a/tools/tracing/rtla/src/utils.h
++++ b/tools/tracing/rtla/src/utils.h
+@@ -7,6 +7,8 @@
+  */
+ #define BUFF_U64_STR_SIZE     24
+ #define MAX_PATH              1024
++#define MAX_NICE              20
++#define MIN_NICE              -19
+ #define container_of(ptr, type, member)({                     \
+       const typeof(((type *)0)->member) *__mptr = (ptr);      \
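Review bot: The two limits added to utils.h look off by one in both directions: Linux nice values run from -20 to 19, but `MAX_NICE` is 20 and `MIN_NICE` is -19. With these bounds parse_prio() in utils.c accepts 20, which is outside the nice range and would presumably be rejected later when the attribute is applied, and refuses -20, which is a legitimate value. I would define them as `#define MAX_NICE 19` and `#define MIN_NICE (-20)`; the parentheses also keep the negative constant safe inside larger expressions. parse_prio() starts and ends outside its hunk, so how a rejected value is reported to the user is not visible here.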
diff --git a/queue-6.1/wifi-cfg80211-fix-wiphy-delayed-work-queueing.patch b/queue-6.1/wifi-cfg80211-fix-wiphy-delayed-work-queueing.patch
new file mode 100644 (file)
index 0000000..4d11443
--- /dev/null
@@ -0,0 +1,37 @@
+From b743287d7a0007493f5cada34ed2085d475050b4 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Thu, 25 Jan 2024 09:51:09 +0100
+Subject: wifi: cfg80211: fix wiphy delayed work queueing
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit b743287d7a0007493f5cada34ed2085d475050b4 upstream.
+
+When a wiphy work is queued with timer, and then again
+without a delay, it's started immediately but *also*
+started again after the timer expires. This can lead,
+for example, to warnings in mac80211's offchannel code
+as reported by Jouni. Running the same work twice isn't
+expected, of course. Fix this by deleting the timer at
+this point, when queuing immediately due to delay=0.
+
+Cc: stable@vger.kernel.org
+Reported-by: Jouni Malinen <j@w1.fi>
+Fixes: a3ee4dc84c4e ("wifi: cfg80211: add a work abstraction with special semantics")
+Link: https://msgid.link/20240125095108.2feb0eaaa446.I4617f3210ed0e7f252290d5970dac6a876aa595b@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/core.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/wireless/core.c
++++ b/net/wireless/core.c
+@@ -1671,6 +1671,7 @@ void wiphy_delayed_work_queue(struct wip
+                             unsigned long delay)
+ {
+       if (!delay) {
++              del_timer(&dwork->timer);
+               wiphy_work_queue(wiphy, &dwork->work);
+               return;
+       }
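Review bot: The added `del_timer(&dwork->timer);` in the `!delay` branch has no comment saying why the timer is cancelled or why the non-waiting variant is enough. del_timer() does not wait for a handler that is already running on another CPU, so the branch appears to rely on a second queueing of the same work being harmless; that is not visible in this hunk and should be confirmed. I would add a comment above the call such as `/* drop a pending delayed run so the work is not executed again when the timer fires */`. The function body continues past the end of the hunk.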
diff --git a/queue-6.1/wifi-mac80211-reload-info-pointer-in-ieee80211_tx_dequeue.patch b/queue-6.1/wifi-mac80211-reload-info-pointer-in-ieee80211_tx_dequeue.patch
new file mode 100644 (file)
index 0000000..ed25a29
--- /dev/null
@@ -0,0 +1,51 @@
+From c98d8836b817d11fdff4ca7749cbbe04ff7f0c64 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 31 Jan 2024 16:49:10 +0100
+Subject: wifi: mac80211: reload info pointer in ieee80211_tx_dequeue()
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit c98d8836b817d11fdff4ca7749cbbe04ff7f0c64 upstream.
+
+This pointer can change here since the SKB can change, so we
+actually later open-coded IEEE80211_SKB_CB() again. Reload
+the pointer where needed, so the monitor-mode case using it
+gets fixed, and then use info-> later as well.
+
+Cc: stable@vger.kernel.org
+Fixes: 531682159092 ("mac80211: fix VLAN handling with TXQs")
+Link: https://msgid.link/20240131164910.b54c28d583bc.I29450cec84ea6773cff5d9c16ff92b836c331471@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/tx.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -5,7 +5,7 @@
+  * Copyright 2006-2007        Jiri Benc <jbenc@suse.cz>
+  * Copyright 2007     Johannes Berg <johannes@sipsolutions.net>
+  * Copyright 2013-2014  Intel Mobile Communications GmbH
+- * Copyright (C) 2018-2022 Intel Corporation
++ * Copyright (C) 2018-2024 Intel Corporation
+  *
+  * Transmit and frame generation functions.
+  */
+@@ -3838,6 +3838,7 @@ begin:
+                       goto begin;
+               skb = __skb_dequeue(&tx.skbs);
++              info = IEEE80211_SKB_CB(skb);
+               if (!skb_queue_empty(&tx.skbs)) {
+                       spin_lock_bh(&fq->lock);
+@@ -3882,7 +3883,7 @@ begin:
+       }
+ encap_out:
+-      IEEE80211_SKB_CB(skb)->control.vif = vif;
++      info->control.vif = vif;
+       if (tx.sta &&
+           wiphy_ext_feature_isset(local->hw.wiphy, NL80211_EXT_FEATURE_AQL)) {
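Review bot: Replacing `IEEE80211_SKB_CB(skb)->control.vif = vif;` with `info->control.vif = vif;` at `encap_out:` makes that store depend on `info` having been reloaded on every path that can reach the label after `skb` changes. The hunk adds one reload after `__skb_dequeue(&tx.skbs)`, but the other jumps to `encap_out` and any other place where `skb` is reassigned lie outside the visible lines, so this cannot be checked from here. If any such path exists, the store would go through a stale pointer into a buffer that may already have been freed. Either keep the open-coded form at the label, or add a comment at the reload such as `/* skb may have been replaced above; info must follow it */` so later edits keep the two in sync. The function starts and ends outside the hunks.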
diff --git a/queue-6.1/zonefs-improve-error-handling.patch b/queue-6.1/zonefs-improve-error-handling.patch
new file mode 100644 (file)
index 0000000..af93f1f
--- /dev/null
@@ -0,0 +1,252 @@
+From 14db5f64a971fce3d8ea35de4dfc7f443a3efb92 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <dlemoal@kernel.org>
+Date: Thu, 8 Feb 2024 17:26:59 +0900
+Subject: zonefs: Improve error handling
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+commit 14db5f64a971fce3d8ea35de4dfc7f443a3efb92 upstream.
+
+Write error handling is racy and can sometime lead to the error recovery
+path wrongly changing the inode size of a sequential zone file to an
+incorrect value  which results in garbage data being readable at the end
+of a file. There are 2 problems:
+
+1) zonefs_file_dio_write() updates a zone file write pointer offset
+   after issuing a direct IO with iomap_dio_rw(). This update is done
+   only if the IO succeed for synchronous direct writes. However, for
+   asynchronous direct writes, the update is done without waiting for
+   the IO completion so that the next asynchronous IO can be
+   immediately issued. However, if an asynchronous IO completes with a
+   failure right before the i_truncate_mutex lock protecting the update,
+   the update may change the value of the inode write pointer offset
+   that was corrected by the error path (zonefs_io_error() function).
+
+2) zonefs_io_error() is called when a read or write error occurs. This
+   function executes a report zone operation using the callback function
+   zonefs_io_error_cb(), which does all the error recovery handling
+   based on the current zone condition, write pointer position and
+   according to the mount options being used. However, depending on the
+   zoned device being used, a report zone callback may be executed in a
+   context that is different from the context of __zonefs_io_error(). As
+   a result, zonefs_io_error_cb() may be executed without the inode
+   truncate mutex lock held, which can lead to invalid error processing.
+
+Fix both problems as follows:
+- Problem 1: Perform the inode write pointer offset update before a
+  direct write is issued with iomap_dio_rw(). This is safe to do as
+  partial direct writes are not supported (IOMAP_DIO_PARTIAL is not
+  set) and any failed IO will trigger the execution of zonefs_io_error()
+  which will correct the inode write pointer offset to reflect the
+  current state of the one on the device.
+- Problem 2: Change zonefs_io_error_cb() into zonefs_handle_io_error()
+  and call this function directly from __zonefs_io_error() after
+  obtaining the zone information using blkdev_report_zones() with a
+  simple callback function that copies to a local stack variable the
+  struct blk_zone obtained from the device. This ensures that error
+  handling is performed holding the inode truncate mutex.
+  This change also simplifies error handling for conventional zone files
+  by bypassing the execution of report zones entirely. This is safe to
+  do because the condition of conventional zones cannot be read-only or
+  offline and conventional zone files are always fully mapped with a
+  constant file size.
+
+Reported-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Fixes: 8dcc1a9d90c1 ("fs: New zonefs file system")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Tested-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/zonefs/file.c  |   42 +++++++++++++++++++++------------
+ fs/zonefs/super.c |   68 ++++++++++++++++++++++++++++++------------------------
+ 2 files changed, 66 insertions(+), 44 deletions(-)
+
+--- a/fs/zonefs/file.c
++++ b/fs/zonefs/file.c
+@@ -349,7 +349,12 @@ static int zonefs_file_write_dio_end_io(
+       struct zonefs_inode_info *zi = ZONEFS_I(inode);
+       if (error) {
+-              zonefs_io_error(inode, true);
++              /*
++               * For Sync IOs, error recovery is called from
++               * zonefs_file_dio_write().
++               */
++              if (!is_sync_kiocb(iocb))
++                      zonefs_io_error(inode, true);
+               return error;
+       }
+@@ -577,6 +582,14 @@ static ssize_t zonefs_file_dio_write(str
+                       ret = -EINVAL;
+                       goto inode_unlock;
+               }
++              /*
++               * Advance the zone write pointer offset. This assumes that the
++               * IO will succeed, which is OK to do because we do not allow
++               * partial writes (IOMAP_DIO_PARTIAL is not set) and if the IO
++               * fails, the error path will correct the write pointer offset.
++               */
++              z->z_wpoffset += count;
++              zonefs_inode_account_active(inode);
+               mutex_unlock(&zi->i_truncate_mutex);
+               append = sync;
+       }
+@@ -596,20 +609,19 @@ static ssize_t zonefs_file_dio_write(str
+                       ret = -EBUSY;
+       }
+-      if (zonefs_zone_is_seq(z) &&
+-          (ret > 0 || ret == -EIOCBQUEUED)) {
+-              if (ret > 0)
+-                      count = ret;
+-
+-              /*
+-               * Update the zone write pointer offset assuming the write
+-               * operation succeeded. If it did not, the error recovery path
+-               * will correct it. Also do active seq file accounting.
+-               */
+-              mutex_lock(&zi->i_truncate_mutex);
+-              z->z_wpoffset += count;
+-              zonefs_inode_account_active(inode);
+-              mutex_unlock(&zi->i_truncate_mutex);
++      /*
++       * For a failed IO or partial completion, trigger error recovery
++       * to update the zone write pointer offset to a correct value.
++       * For asynchronous IOs, zonefs_file_write_dio_end_io() may already
++       * have executed error recovery if the IO already completed when we
++       * reach here. However, we cannot know that and execute error recovery
++       * again (that will not change anything).
++       */
++      if (zonefs_zone_is_seq(z)) {
++              if (ret > 0 && ret != count)
++                      ret = -EIO;
++              if (ret < 0 && ret != -EIOCBQUEUED)
++                      zonefs_io_error(inode, true);
+       }
+ inode_unlock:
+--- a/fs/zonefs/super.c
++++ b/fs/zonefs/super.c
+@@ -245,16 +245,18 @@ static void zonefs_inode_update_mode(str
+       z->z_flags &= ~ZONEFS_ZONE_INIT_MODE;
+ }
+-struct zonefs_ioerr_data {
+-      struct inode    *inode;
+-      bool            write;
+-};
+-
+ static int zonefs_io_error_cb(struct blk_zone *zone, unsigned int idx,
+                             void *data)
+ {
+-      struct zonefs_ioerr_data *err = data;
+-      struct inode *inode = err->inode;
++      struct blk_zone *z = data;
++
++      *z = *zone;
++      return 0;
++}
++
++static void zonefs_handle_io_error(struct inode *inode, struct blk_zone *zone,
++                                 bool write)
++{
+       struct zonefs_zone *z = zonefs_inode_zone(inode);
+       struct super_block *sb = inode->i_sb;
+       struct zonefs_sb_info *sbi = ZONEFS_SB(sb);
+@@ -269,8 +271,8 @@ static int zonefs_io_error_cb(struct blk
+       data_size = zonefs_check_zone_condition(sb, z, zone);
+       isize = i_size_read(inode);
+       if (!(z->z_flags & (ZONEFS_ZONE_READONLY | ZONEFS_ZONE_OFFLINE)) &&
+-          !err->write && isize == data_size)
+-              return 0;
++          !write && isize == data_size)
++              return;
+       /*
+        * At this point, we detected either a bad zone or an inconsistency
+@@ -291,7 +293,7 @@ static int zonefs_io_error_cb(struct blk
+        * In all cases, warn about inode size inconsistency and handle the
+        * IO error according to the zone condition and to the mount options.
+        */
+-      if (zonefs_zone_is_seq(z) && isize != data_size)
++      if (isize != data_size)
+               zonefs_warn(sb,
+                           "inode %lu: invalid size %lld (should be %lld)\n",
+                           inode->i_ino, isize, data_size);
+@@ -351,8 +353,6 @@ static int zonefs_io_error_cb(struct blk
+       zonefs_i_size_write(inode, data_size);
+       z->z_wpoffset = data_size;
+       zonefs_inode_account_active(inode);
+-
+-      return 0;
+ }
+ /*
+@@ -366,23 +366,25 @@ void __zonefs_io_error(struct inode *ino
+ {
+       struct zonefs_zone *z = zonefs_inode_zone(inode);
+       struct super_block *sb = inode->i_sb;
+-      struct zonefs_sb_info *sbi = ZONEFS_SB(sb);
+       unsigned int noio_flag;
+-      unsigned int nr_zones = 1;
+-      struct zonefs_ioerr_data err = {
+-              .inode = inode,
+-              .write = write,
+-      };
++      struct blk_zone zone;
+       int ret;
+       /*
+-       * The only files that have more than one zone are conventional zone
+-       * files with aggregated conventional zones, for which the inode zone
+-       * size is always larger than the device zone size.
+-       */
+-      if (z->z_size > bdev_zone_sectors(sb->s_bdev))
+-              nr_zones = z->z_size >>
+-                      (sbi->s_zone_sectors_shift + SECTOR_SHIFT);
++       * Conventional zone have no write pointer and cannot become read-only
++       * or offline. So simply fake a report for a single or aggregated zone
++       * and let zonefs_handle_io_error() correct the zone inode information
++       * according to the mount options.
++       */
++      if (!zonefs_zone_is_seq(z)) {
++              zone.start = z->z_sector;
++              zone.len = z->z_size >> SECTOR_SHIFT;
++              zone.wp = zone.start + zone.len;
++              zone.type = BLK_ZONE_TYPE_CONVENTIONAL;
++              zone.cond = BLK_ZONE_COND_NOT_WP;
++              zone.capacity = zone.len;
++              goto handle_io_error;
++      }
+       /*
+        * Memory allocations in blkdev_report_zones() can trigger a memory
+@@ -393,12 +395,20 @@ void __zonefs_io_error(struct inode *ino
+        * the GFP_NOIO context avoids both problems.
+        */
+       noio_flag = memalloc_noio_save();
+-      ret = blkdev_report_zones(sb->s_bdev, z->z_sector, nr_zones,
+-                                zonefs_io_error_cb, &err);
+-      if (ret != nr_zones)
++      ret = blkdev_report_zones(sb->s_bdev, z->z_sector, 1,
++                                zonefs_io_error_cb, &zone);
++      memalloc_noio_restore(noio_flag);
++
++      if (ret != 1) {
+               zonefs_err(sb, "Get inode %lu zone information failed %d\n",
+                          inode->i_ino, ret);
+-      memalloc_noio_restore(noio_flag);
++              zonefs_warn(sb, "remounting filesystem read-only\n");
++              sb->s_flags |= SB_RDONLY;
++              return;
++      }
++
++handle_io_error:
++      zonefs_handle_io_error(inode, &zone, write);
+ }
+ static struct kmem_cache *zonefs_inode_cachep;