Fixes for 5.15
authorSasha Levin <sashal@kernel.org>
Sun, 8 Sep 2024 13:22:03 +0000 (09:22 -0400)
committerSasha Levin <sashal@kernel.org>
Sun, 8 Sep 2024 13:22:03 +0000 (09:22 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
72 files changed:
queue-5.15/af_unix-remove-put_pid-put_cred-in-copy_peercred.patch [new file with mode: 0644]
queue-5.15/alsa-hda-add-input-value-sanity-checks-to-hdmi-chann.patch [new file with mode: 0644]
queue-5.15/asoc-topology-properly-initialize-soc_enum-values.patch [new file with mode: 0644]
queue-5.15/ata-pata_macio-use-warn-instead-of-bug.patch [new file with mode: 0644]
queue-5.15/bareudp-fix-device-stats-updates.patch [new file with mode: 0644]
queue-5.15/btrfs-clean-up-our-handling-of-refs-0-in-snapshot-de.patch [new file with mode: 0644]
queue-5.15/btrfs-initialize-location-to-fix-wmaybe-uninitialize.patch [new file with mode: 0644]
queue-5.15/btrfs-replace-bug_on-with-assert-in-walk_down_proc.patch [new file with mode: 0644]
queue-5.15/btrfs-replace-bug_on-with-error-handling-at-update_r.patch [new file with mode: 0644]
queue-5.15/can-bcm-remove-proc-entry-when-dev-is-unregistered.patch [new file with mode: 0644]
queue-5.15/can-m_can-release-irq-on-error-in-m_can_open.patch [new file with mode: 0644]
queue-5.15/cgroup-protect-css-cgroup-write-under-css_set_lock.patch [new file with mode: 0644]
queue-5.15/devres-initialize-an-uninitialized-struct-member.patch [new file with mode: 0644]
queue-5.15/dm-init-handle-minors-larger-than-255.patch [new file with mode: 0644]
queue-5.15/dma-mapping-benchmark-don-t-starve-others-when-doing.patch [new file with mode: 0644]
queue-5.15/drm-amd-display-check-hdcp-returned-status.patch [new file with mode: 0644]
queue-5.15/drm-amdgpu-check-for-linear_aligned-correctly-in-che.patch [new file with mode: 0644]
queue-5.15/drm-amdgpu-set-no_hw_access-when-vf-request-full-gpu.patch [new file with mode: 0644]
queue-5.15/ext4-fix-possible-tid_t-sequence-overflows.patch [new file with mode: 0644]
queue-5.15/fou-fix-null-ptr-deref-in-gro.patch [new file with mode: 0644]
queue-5.15/fs-ntfs3-check-more-cases-when-directory-is-corrupte.patch [new file with mode: 0644]
queue-5.15/gro-remove-rcu_read_lock-rcu_read_unlock-from-gro_co.patch [new file with mode: 0644]
queue-5.15/gro-remove-rcu_read_lock-rcu_read_unlock-from-gro_re.patch [new file with mode: 0644]
queue-5.15/hid-amd_sfh-free-driver_data-after-destroying-hid-de.patch [new file with mode: 0644]
queue-5.15/hid-cougar-fix-slab-out-of-bounds-read-in-cougar_rep.patch [new file with mode: 0644]
queue-5.15/hwmon-adc128d818-fix-underflows-seen-when-writing-li.patch [new file with mode: 0644]
queue-5.15/hwmon-lm95234-fix-underflows-seen-when-writing-limit.patch [new file with mode: 0644]
queue-5.15/hwmon-nct6775-core-fix-underflows-seen-when-writing-.patch [new file with mode: 0644]
queue-5.15/hwmon-w83627ehf-fix-underflows-seen-when-writing-lim.patch [new file with mode: 0644]
queue-5.15/i3c-mipi-i3c-hci-error-out-instead-on-bug_on-in-ibi-.patch [new file with mode: 0644]
queue-5.15/ice-check-ice_vsi_down-under-rtnl_lock-when-preparin.patch [new file with mode: 0644]
queue-5.15/igb-fix-not-clearing-timesync-interrupts-for-82580.patch [new file with mode: 0644]
queue-5.15/igc-unlock-on-error-in-igc_io_resume.patch [new file with mode: 0644]
queue-5.15/input-uinput-reject-requests-with-unreasonable-numbe.patch [new file with mode: 0644]
queue-5.15/iommu-sun50i-clear-bypass-register.patch [new file with mode: 0644]
queue-5.15/iommu-vt-d-handle-volatile-descriptor-status-read.patch [new file with mode: 0644]
queue-5.15/irqchip-armada-370-xp-do-not-allow-mapping-irq-0-and.patch [new file with mode: 0644]
queue-5.15/irqchip-gic-v4-always-configure-affinity-on-vpe-acti.patch [new file with mode: 0644]
queue-5.15/kselftests-dmabuf-heaps-ensure-the-driver-name-is-nu.patch [new file with mode: 0644]
queue-5.15/leds-spi-byte-call-of_node_put-on-error-path.patch [new file with mode: 0644]
queue-5.15/lib-generic-radix-tree.c-fix-rare-race-in-__genradix.patch [new file with mode: 0644]
queue-5.15/libbpf-add-null-checks-to-bpf_object__-prev_map-next.patch [new file with mode: 0644]
queue-5.15/media-qcom-camss-add-check-for-v4l2_fwnode_endpoint_.patch [new file with mode: 0644]
queue-5.15/media-vivid-don-t-set-hdmi-tx-controls-if-there-are-.patch [new file with mode: 0644]
queue-5.15/media-vivid-fix-wrong-sizeimage-value-for-mplane.patch [new file with mode: 0644]
queue-5.15/mips-cevt-r4k-don-t-call-get_c0_compare_int-if-timer.patch [new file with mode: 0644]
queue-5.15/net-bridge-br_fdb_external_learn_add-always-set-ext_.patch [new file with mode: 0644]
queue-5.15/net-dpaa-avoid-on-stack-arrays-of-nr_cpus-elements.patch [new file with mode: 0644]
queue-5.15/net-dsa-vsc73xx-fix-possible-subblocks-range-of-capt.patch [new file with mode: 0644]
queue-5.15/net-usb-don-t-write-directly-to-netdev-dev_addr.patch [new file with mode: 0644]
queue-5.15/netfilter-nf_conncount-fix-wrong-variable-type.patch [new file with mode: 0644]
queue-5.15/nfsv4-add-missing-rescheduling-points-in-nfs_client_.patch [new file with mode: 0644]
queue-5.15/of-irq-prevent-device-address-out-of-bounds-read-in-.patch [new file with mode: 0644]
queue-5.15/pci-add-missing-bridge-lock-to-pci_bus_lock.patch [new file with mode: 0644]
queue-5.15/pci-hotplug-pnv_php-fix-hotplug-driver-crash-on-powe.patch [new file with mode: 0644]
queue-5.15/pci-keystone-add-workaround-for-errata-i2037-am65x-s.patch [new file with mode: 0644]
queue-5.15/pcmcia-use-resource_size-function-on-resource-object.patch [new file with mode: 0644]
queue-5.15/platform-x86-dell-smbios-fix-error-path-in-dell_smbi.patch [new file with mode: 0644]
queue-5.15/riscv-set-trap-vector-earlier.patch [new file with mode: 0644]
queue-5.15/s390-vmlinux.lds.s-move-ro_after_init-section-behind.patch [new file with mode: 0644]
queue-5.15/series
queue-5.15/smack-unix-sockets-fix-accept-ed-socket-label.patch [new file with mode: 0644]
queue-5.15/smp-add-missing-destroy_work_on_stack-call-in-smp_ca.patch [new file with mode: 0644]
queue-5.15/squashfs-sanity-check-symbolic-link-size.patch [new file with mode: 0644]
queue-5.15/tcp_bpf-fix-return-value-of-tcp_bpf_sendmsg.patch-8319 [new file with mode: 0644]
queue-5.15/udf-avoid-excessive-partition-lengths.patch [new file with mode: 0644]
queue-5.15/um-line-always-fill-error_out-in-setup_one_line.patch [new file with mode: 0644]
queue-5.15/usb-uas-set-host-status-byte-on-data-completion-erro.patch [new file with mode: 0644]
queue-5.15/usbnet-ipheth-race-between-ipheth_close-and-error-ha.patch [new file with mode: 0644]
queue-5.15/usbnet-modern-method-to-get-random-mac.patch [new file with mode: 0644]
queue-5.15/wifi-brcmsmac-advertise-mfp_capable-to-enable-wpa3.patch [new file with mode: 0644]
queue-5.15/wifi-mwifiex-do-not-return-unused-priv-in-mwifiex_ge.patch [new file with mode: 0644]

diff --git a/queue-5.15/af_unix-remove-put_pid-put_cred-in-copy_peercred.patch b/queue-5.15/af_unix-remove-put_pid-put_cred-in-copy_peercred.patch
new file mode 100644 (file)
index 0000000..41c7303
--- /dev/null
@@ -0,0 +1,58 @@
+From df3aaaf56872855f2bca6665383b9074588e7397 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Jun 2024 13:56:22 -0700
+Subject: af_unix: Remove put_pid()/put_cred() in copy_peercred().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit e4bd881d987121dbf1a288641491955a53d9f8f7 ]
+
+When (AF_UNIX, SOCK_STREAM) socket connect()s to a listening socket,
+the listener's sk_peer_pid/sk_peer_cred are copied to the client in
+copy_peercred().
+
+Then, the client's sk_peer_pid and sk_peer_cred are always NULL, so
+we need not call put_pid() and put_cred() there.
+
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index e73c1bbc5ff8..eb916b2eb673 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -616,9 +616,6 @@ static void init_peercred(struct sock *sk)
+ static void copy_peercred(struct sock *sk, struct sock *peersk)
+ {
+-      const struct cred *old_cred;
+-      struct pid *old_pid;
+-
+       if (sk < peersk) {
+               spin_lock(&sk->sk_peer_lock);
+               spin_lock_nested(&peersk->sk_peer_lock, SINGLE_DEPTH_NESTING);
+@@ -626,16 +623,12 @@ static void copy_peercred(struct sock *sk, struct sock *peersk)
+               spin_lock(&peersk->sk_peer_lock);
+               spin_lock_nested(&sk->sk_peer_lock, SINGLE_DEPTH_NESTING);
+       }
+-      old_pid = sk->sk_peer_pid;
+-      old_cred = sk->sk_peer_cred;
++
+       sk->sk_peer_pid  = get_pid(peersk->sk_peer_pid);
+       sk->sk_peer_cred = get_cred(peersk->sk_peer_cred);
+       spin_unlock(&sk->sk_peer_lock);
+       spin_unlock(&peersk->sk_peer_lock);
+-
+-      put_pid(old_pid);
+-      put_cred(old_cred);
+ }
+ static int unix_listen(struct socket *sock, int backlog)
+-- 
+2.43.0
+
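Review bot: The rewritten copy_peercred() now overwrites sk->sk_peer_pid and sk->sk_peer_cred without dropping any previous reference, so its correctness rests entirely on the invariant that sk is a freshly created client socket whose peer fields are still NULL, and nothing in the hunk records that. A one-line comment above the two assignments would keep a later reader from re-adding the put_pid()/put_cred() pair or calling the helper on a socket that already holds a peer, e.g. `/* sk is a fresh client socket: sk_peer_pid/sk_peer_cred are still NULL, so there is nothing to release here */`. For the 5.15 backport it is worth confirming that the only caller of copy_peercred() in that tree is the connect path the commit message describes; the caller is outside this hunk.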
diff --git a/queue-5.15/alsa-hda-add-input-value-sanity-checks-to-hdmi-chann.patch b/queue-5.15/alsa-hda-add-input-value-sanity-checks-to-hdmi-chann.patch
new file mode 100644 (file)
index 0000000..e8ae3fc
--- /dev/null
@@ -0,0 +1,61 @@
+From 80c0453d6f76860b327320c1cbf8d1aab8029d18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 16 Jun 2024 09:34:47 +0200
+Subject: ALSA: hda: Add input value sanity checks to HDMI channel map controls
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit 6278056e42d953e207e2afd416be39d09ed2d496 ]
+
+Add a simple sanity check to HD-audio HDMI Channel Map controls.
+Although the value might not be accepted for the actual connection, we
+can filter out some bogus values beforehand, and that should be enough
+for making kselftest happier.
+
+Reviewed-by: Jaroslav Kysela <perex@perex.cz>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Link: https://lore.kernel.org/20240616073454.16512-7-tiwai@suse.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/hdmi_chmap.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/sound/hda/hdmi_chmap.c b/sound/hda/hdmi_chmap.c
+index aad5c4bf4d34..0ebf4d907852 100644
+--- a/sound/hda/hdmi_chmap.c
++++ b/sound/hda/hdmi_chmap.c
+@@ -753,6 +753,20 @@ static int hdmi_chmap_ctl_get(struct snd_kcontrol *kcontrol,
+       return 0;
+ }
++/* a simple sanity check for input values to chmap kcontrol */
++static int chmap_value_check(struct hdac_chmap *hchmap,
++                           const struct snd_ctl_elem_value *ucontrol)
++{
++      int i;
++
++      for (i = 0; i < hchmap->channels_max; i++) {
++              if (ucontrol->value.integer.value[i] < 0 ||
++                  ucontrol->value.integer.value[i] > SNDRV_CHMAP_LAST)
++                      return -EINVAL;
++      }
++      return 0;
++}
++
+ static int hdmi_chmap_ctl_put(struct snd_kcontrol *kcontrol,
+                             struct snd_ctl_elem_value *ucontrol)
+ {
+@@ -764,6 +778,10 @@ static int hdmi_chmap_ctl_put(struct snd_kcontrol *kcontrol,
+       unsigned char chmap[8], per_pin_chmap[8];
+       int i, err, ca, prepared = 0;
++      err = chmap_value_check(hchmap, ucontrol);
++      if (err < 0)
++              return err;
++
+       /* No monitor is connected in dyn_pcm_assign.
+        * It's invalid to setup the chmap
+        */
+-- 
+2.43.0
+
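Review bot: chmap_value_check() validates only the first hchmap->channels_max entries of ucontrol->value.integer.value, and the one-line comment above it does not say what range counts as sane, so the reader has to look up SNDRV_CHMAP_LAST to learn the contract. A slightly fuller header such as `/* Reject any of the first channels_max chmap entries that falls outside [0, SNDRV_CHMAP_LAST]; returns 0 or -EINVAL. Entries beyond channels_max are not examined. */` would make it self-describing. In hdmi_chmap_ctl_put() the check is placed before the no-monitor bail-out, which is what turns bogus input into -EINVAL rather than whichever status that path returns; a short comment there would record that the ordering is deliberate. The remainder of hdmi_chmap_ctl_put() is outside the hunk.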
diff --git a/queue-5.15/asoc-topology-properly-initialize-soc_enum-values.patch b/queue-5.15/asoc-topology-properly-initialize-soc_enum-values.patch
new file mode 100644 (file)
index 0000000..b455464
--- /dev/null
@@ -0,0 +1,38 @@
+From 2800c5f79a6ee313dab51c3812687be4c3daaa3b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Jun 2024 12:18:40 +0200
+Subject: ASoC: topology: Properly initialize soc_enum values
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Amadeusz SÅ‚awiÅ„ski <amadeuszx.slawinski@linux.intel.com>
+
+[ Upstream commit 8ec2a2643544ce352f012ad3d248163199d05dfc ]
+
+soc_tplg_denum_create_values() should properly set its values field.
+
+Signed-off-by: Amadeusz SÅ‚awiÅ„ski <amadeuszx.slawinski@linux.intel.com>
+Link: https://patch.msgid.link/20240627101850.2191513-4-amadeuszx.slawinski@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-topology.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
+index 55b69e3c6718..765024564e2b 100644
+--- a/sound/soc/soc-topology.c
++++ b/sound/soc/soc-topology.c
+@@ -913,6 +913,8 @@ static int soc_tplg_denum_create_values(struct soc_tplg *tplg, struct soc_enum *
+               se->dobj.control.dvalues[i] = le32_to_cpu(ec->values[i]);
+       }
++      se->items = le32_to_cpu(ec->items);
++      se->values = (const unsigned int *)se->dobj.control.dvalues;
+       return 0;
+ }
+-- 
+2.43.0
+
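Review bot: The cast on `se->values = (const unsigned int *)se->dobj.control.dvalues;` is unnecessary if dvalues is declared as `u32 *` (as it is upstream), because adding const is an implicit qualification conversion, and an explicit cast would silently paper over a future change of the element type. `se->values = se->dobj.control.dvalues;` is the safer spelling; please confirm the 5.15 declaration of dvalues before dropping the cast. The hunk does not show how dvalues was sized, so `se->items = le32_to_cpu(ec->items);` is only consistent if the allocation and the loop above used the same le32_to_cpu(ec->items) bound, which lies outside this hunk. soc_tplg_denum_create_values() starts outside the hunk.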
diff --git a/queue-5.15/ata-pata_macio-use-warn-instead-of-bug.patch b/queue-5.15/ata-pata_macio-use-warn-instead-of-bug.patch
new file mode 100644 (file)
index 0000000..a2acc25
--- /dev/null
@@ -0,0 +1,53 @@
+From 1a1ced00e60a33d1cd7a87a2949e2c71dbeeb71e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2024 13:04:07 +1000
+Subject: ata: pata_macio: Use WARN instead of BUG
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit d4bc0a264fb482b019c84fbc7202dd3cab059087 ]
+
+The overflow/underflow conditions in pata_macio_qc_prep() should never
+happen. But if they do there's no need to kill the system entirely, a
+WARN and failing the IO request should be sufficient and might allow the
+system to keep running.
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/pata_macio.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ata/pata_macio.c b/drivers/ata/pata_macio.c
+index be0ca8d5b345..eacebfc2ca08 100644
+--- a/drivers/ata/pata_macio.c
++++ b/drivers/ata/pata_macio.c
+@@ -540,7 +540,8 @@ static enum ata_completion_errors pata_macio_qc_prep(struct ata_queued_cmd *qc)
+               while (sg_len) {
+                       /* table overflow should never happen */
+-                      BUG_ON (pi++ >= MAX_DCMDS);
++                      if (WARN_ON_ONCE(pi >= MAX_DCMDS))
++                              return AC_ERR_SYSTEM;
+                       len = (sg_len < MAX_DBDMA_SEG) ? sg_len : MAX_DBDMA_SEG;
+                       table->command = cpu_to_le16(write ? OUTPUT_MORE: INPUT_MORE);
+@@ -552,11 +553,13 @@ static enum ata_completion_errors pata_macio_qc_prep(struct ata_queued_cmd *qc)
+                       addr += len;
+                       sg_len -= len;
+                       ++table;
++                      ++pi;
+               }
+       }
+       /* Should never happen according to Tejun */
+-      BUG_ON(!pi);
++      if (WARN_ON_ONCE(!pi))
++              return AC_ERR_SYSTEM;
+       /* Convert the last command to an input/output */
+       table--;
+-- 
+2.43.0
+
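Review bot: The new `return AC_ERR_SYSTEM;` inside the scatterlist loop abandons a partially built DBDMA table, while the comments that survive the change (`/* table overflow should never happen */`, `/* Should never happen according to Tejun */`) still read as if the condition were fatal rather than a failed request. Presumably this is safe because the ATA core does not issue a command whose qc_prep reported an error, but the hunk does not show that, so a comment at the first return such as `/* fail the request; the half-filled table is never handed to the DBDMA engine */` would record the assumption. Note also that WARN_ON_ONCE() logs only the first overflow and later ones fail silently with AC_ERR_SYSTEM, which is fine if that is the intent. pata_macio_qc_prep() starts and ends outside the hunks.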
diff --git a/queue-5.15/bareudp-fix-device-stats-updates.patch b/queue-5.15/bareudp-fix-device-stats-updates.patch
new file mode 100644 (file)
index 0000000..8975a85
--- /dev/null
@@ -0,0 +1,106 @@
+From c3bacb165bff970d98451dac4e79e645fc838cf0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Aug 2024 17:31:07 +0200
+Subject: bareudp: Fix device stats updates.
+
+From: Guillaume Nault <gnault@redhat.com>
+
+[ Upstream commit 4963d2343af81f493519f9c3ea9f2169eaa7353a ]
+
+Bareudp devices update their stats concurrently.
+Therefore they need proper atomic increments.
+
+Fixes: 571912c69f0e ("net: UDP tunnel encapsulation module for tunnelling different protocols like MPLS, IP, NSH etc.")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Link: https://patch.msgid.link/04b7b9d0b480158eb3ab4366ec80aa2ab7e41fcb.1725031794.git.gnault@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bareudp.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/bareudp.c b/drivers/net/bareudp.c
+index 98c915943f32..43d038a5123e 100644
+--- a/drivers/net/bareudp.c
++++ b/drivers/net/bareudp.c
+@@ -75,7 +75,7 @@ static int bareudp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
+               if (skb_copy_bits(skb, BAREUDP_BASE_HLEN, &ipversion,
+                                 sizeof(ipversion))) {
+-                      bareudp->dev->stats.rx_dropped++;
++                      DEV_STATS_INC(bareudp->dev, rx_dropped);
+                       goto drop;
+               }
+               ipversion >>= 4;
+@@ -85,7 +85,7 @@ static int bareudp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
+               } else if (ipversion == 6 && bareudp->multi_proto_mode) {
+                       proto = htons(ETH_P_IPV6);
+               } else {
+-                      bareudp->dev->stats.rx_dropped++;
++                      DEV_STATS_INC(bareudp->dev, rx_dropped);
+                       goto drop;
+               }
+       } else if (bareudp->ethertype == htons(ETH_P_MPLS_UC)) {
+@@ -99,7 +99,7 @@ static int bareudp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
+                                  ipv4_is_multicast(tunnel_hdr->daddr)) {
+                               proto = htons(ETH_P_MPLS_MC);
+                       } else {
+-                              bareudp->dev->stats.rx_dropped++;
++                              DEV_STATS_INC(bareudp->dev, rx_dropped);
+                               goto drop;
+                       }
+               } else {
+@@ -115,7 +115,7 @@ static int bareudp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
+                                  (addr_type & IPV6_ADDR_MULTICAST)) {
+                               proto = htons(ETH_P_MPLS_MC);
+                       } else {
+-                              bareudp->dev->stats.rx_dropped++;
++                              DEV_STATS_INC(bareudp->dev, rx_dropped);
+                               goto drop;
+                       }
+               }
+@@ -127,12 +127,12 @@ static int bareudp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
+                                proto,
+                                !net_eq(bareudp->net,
+                                dev_net(bareudp->dev)))) {
+-              bareudp->dev->stats.rx_dropped++;
++              DEV_STATS_INC(bareudp->dev, rx_dropped);
+               goto drop;
+       }
+       tun_dst = udp_tun_rx_dst(skb, family, TUNNEL_KEY, 0, 0);
+       if (!tun_dst) {
+-              bareudp->dev->stats.rx_dropped++;
++              DEV_STATS_INC(bareudp->dev, rx_dropped);
+               goto drop;
+       }
+       skb_dst_set(skb, &tun_dst->dst);
+@@ -158,8 +158,8 @@ static int bareudp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
+                                                    &((struct ipv6hdr *)oiph)->saddr);
+               }
+               if (err > 1) {
+-                      ++bareudp->dev->stats.rx_frame_errors;
+-                      ++bareudp->dev->stats.rx_errors;
++                      DEV_STATS_INC(bareudp->dev, rx_frame_errors);
++                      DEV_STATS_INC(bareudp->dev, rx_errors);
+                       goto drop;
+               }
+       }
+@@ -455,11 +455,11 @@ static netdev_tx_t bareudp_xmit(struct sk_buff *skb, struct net_device *dev)
+       dev_kfree_skb(skb);
+       if (err == -ELOOP)
+-              dev->stats.collisions++;
++              DEV_STATS_INC(dev, collisions);
+       else if (err == -ENETUNREACH)
+-              dev->stats.tx_carrier_errors++;
++              DEV_STATS_INC(dev, tx_carrier_errors);
+-      dev->stats.tx_errors++;
++      DEV_STATS_INC(dev, tx_errors);
+       return NETDEV_TX_OK;
+ }
+-- 
+2.43.0
+
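Review bot: Every replacement line in this patch depends on the DEV_STATS_INC() macro being available in the 5.15 tree's netdevice.h; the macro postdates 5.15's initial release, so this backport only builds if the stable series already carries the netdev stats helper, and its definition is not part of this hunk. Please confirm it is present ahead of this patch in the queue. The conversion itself is mechanical and each DEV_STATS_INC() site lines up with the `dev->stats.*++` line it replaces. bareudp_udp_encap_recv() and bareudp_xmit() both start outside their hunks.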
diff --git a/queue-5.15/btrfs-clean-up-our-handling-of-refs-0-in-snapshot-de.patch b/queue-5.15/btrfs-clean-up-our-handling-of-refs-0-in-snapshot-de.patch
new file mode 100644 (file)
index 0000000..f08d5f5
--- /dev/null
@@ -0,0 +1,90 @@
+From 67836df55b6493db5db5750d1f26d94489c60bdc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 May 2024 14:12:13 -0400
+Subject: btrfs: clean up our handling of refs == 0 in snapshot delete
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit b8ccef048354074a548f108e51d0557d6adfd3a3 ]
+
+In reada we BUG_ON(refs == 0), which could be unkind since we aren't
+holding a lock on the extent leaf and thus could get a transient
+incorrect answer.  In walk_down_proc we also BUG_ON(refs == 0), which
+could happen if we have extent tree corruption.  Change that to return
+-EUCLEAN.  In do_walk_down() we catch this case and handle it correctly,
+however we return -EIO, which -EUCLEAN is a more appropriate error code.
+Finally in walk_up_proc we have the same BUG_ON(refs == 0), so convert
+that to proper error handling.  Also adjust the error message so we can
+actually do something with the information.
+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/extent-tree.c | 28 +++++++++++++++++++++++-----
+ 1 file changed, 23 insertions(+), 5 deletions(-)
+
+diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
+index ea488b5f5cd8..8a526b9e8949 100644
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -5027,7 +5027,15 @@ static noinline void reada_walk_down(struct btrfs_trans_handle *trans,
+               /* We don't care about errors in readahead. */
+               if (ret < 0)
+                       continue;
+-              BUG_ON(refs == 0);
++
++              /*
++               * This could be racey, it's conceivable that we raced and end
++               * up with a bogus refs count, if that's the case just skip, if
++               * we are actually corrupt we will notice when we look up
++               * everything again with our locks.
++               */
++              if (refs == 0)
++                      continue;
+               if (wc->stage == DROP_REFERENCE) {
+                       if (refs == 1)
+@@ -5094,7 +5102,11 @@ static noinline int walk_down_proc(struct btrfs_trans_handle *trans,
+               BUG_ON(ret == -ENOMEM);
+               if (ret)
+                       return ret;
+-              BUG_ON(wc->refs[level] == 0);
++              if (unlikely(wc->refs[level] == 0)) {
++                      btrfs_err(fs_info, "bytenr %llu has 0 references, expect > 0",
++                                eb->start);
++                      return -EUCLEAN;
++              }
+       }
+       if (wc->stage == DROP_REFERENCE) {
+@@ -5224,8 +5236,9 @@ static noinline int do_walk_down(struct btrfs_trans_handle *trans,
+               goto out_unlock;
+       if (unlikely(wc->refs[level - 1] == 0)) {
+-              btrfs_err(fs_info, "Missing references.");
+-              ret = -EIO;
++              btrfs_err(fs_info, "bytenr %llu has 0 references, expect > 0",
++                        bytenr);
++              ret = -EUCLEAN;
+               goto out_unlock;
+       }
+       *lookup_info = 0;
+@@ -5426,7 +5439,12 @@ static noinline int walk_up_proc(struct btrfs_trans_handle *trans,
+                               path->locks[level] = 0;
+                               return ret;
+                       }
+-                      BUG_ON(wc->refs[level] == 0);
++                      if (unlikely(wc->refs[level] == 0)) {
++                              btrfs_tree_unlock_rw(eb, path->locks[level]);
++                              btrfs_err(fs_info, "bytenr %llu has 0 references, expect > 0",
++                                        eb->start);
++                              return -EUCLEAN;
++                      }
+                       if (wc->refs[level] == 1) {
+                               btrfs_tree_unlock_rw(eb, path->locks[level]);
+                               path->locks[level] = 0;
+-- 
+2.43.0
+
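Review bot: In walk_up_proc() the new `refs == 0` error path unlocks eb but, unlike the `ret < 0` path directly above it (which does `path->locks[level] = 0;` before returning) and the `refs == 1` path below it, does not clear path->locks[level]. If the caller later releases the path based on path->locks[] — as btrfs_release_path() does for nodes it still considers locked — the same buffer would be unlocked twice; adding `path->locks[level] = 0;` after the `btrfs_tree_unlock_rw()` call makes the three paths consistent either way. The reada_walk_down() and walk_down_proc() hunks look fine, the former deliberately skipping instead of erroring because it runs without the leaf lock. walk_up_proc() starts and ends outside the hunk.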
diff --git a/queue-5.15/btrfs-initialize-location-to-fix-wmaybe-uninitialize.patch b/queue-5.15/btrfs-initialize-location-to-fix-wmaybe-uninitialize.patch
new file mode 100644 (file)
index 0000000..762ac85
--- /dev/null
@@ -0,0 +1,56 @@
+From 08c5cf5e7d409e4f40217fdcaeee081fc85198d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 21:59:24 +0200
+Subject: btrfs: initialize location to fix -Wmaybe-uninitialized in
+ btrfs_lookup_dentry()
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit b8e947e9f64cac9df85a07672b658df5b2bcff07 ]
+
+Some arch + compiler combinations report a potentially unused variable
+location in btrfs_lookup_dentry(). This is a false alert as the variable
+is passed by value and always valid or there's an error. The compilers
+cannot probably reason about that although btrfs_inode_by_name() is in
+the same file.
+
+   >  + /kisskb/src/fs/btrfs/inode.c: error: 'location.objectid' may be used
+   +uninitialized in this function [-Werror=maybe-uninitialized]:  => 5603:9
+   >  + /kisskb/src/fs/btrfs/inode.c: error: 'location.type' may be used
+   +uninitialized in this function [-Werror=maybe-uninitialized]:  => 5674:5
+
+   m68k-gcc8/m68k-allmodconfig
+   mips-gcc8/mips-allmodconfig
+   powerpc-gcc5/powerpc-all{mod,yes}config
+   powerpc-gcc5/ppc64_defconfig
+
+Initialize it to zero, this should fix the warnings and won't change the
+behaviour as btrfs_inode_by_name() accepts only a root or inode item
+types, otherwise returns an error.
+
+Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Tested-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Link: https://lore.kernel.org/linux-btrfs/bd4e9928-17b3-9257-8ba7-6b7f9bbb639a@linux-m68k.org/
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index 66b56ddf3f4c..f7807f36c8e3 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -6048,7 +6048,7 @@ struct inode *btrfs_lookup_dentry(struct inode *dir, struct dentry *dentry)
+       struct inode *inode;
+       struct btrfs_root *root = BTRFS_I(dir)->root;
+       struct btrfs_root *sub_root = root;
+-      struct btrfs_key location;
++      struct btrfs_key location = { 0 };
+       u8 di_type = 0;
+       int ret = 0;
+-- 
+2.43.0
+
diff --git a/queue-5.15/btrfs-replace-bug_on-with-assert-in-walk_down_proc.patch b/queue-5.15/btrfs-replace-bug_on-with-assert-in-walk_down_proc.patch
new file mode 100644 (file)
index 0000000..7ed5b57
--- /dev/null
@@ -0,0 +1,46 @@
+From 4cf5ff729e6889bd12f862d8c67497134eff557d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 May 2024 14:12:12 -0400
+Subject: btrfs: replace BUG_ON with ASSERT in walk_down_proc()
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit 1f9d44c0a12730a24f8bb75c5e1102207413cc9b ]
+
+We have a couple of areas where we check to make sure the tree block is
+locked before looking up or messing with references.  This is old code
+so it has this as BUG_ON().  Convert this to ASSERT() for developers.
+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/extent-tree.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
+index 24cbddc0b36f..ea488b5f5cd8 100644
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -5086,7 +5086,7 @@ static noinline int walk_down_proc(struct btrfs_trans_handle *trans,
+       if (lookup_info &&
+           ((wc->stage == DROP_REFERENCE && wc->refs[level] != 1) ||
+            (wc->stage == UPDATE_BACKREF && !(wc->flags[level] & flag)))) {
+-              BUG_ON(!path->locks[level]);
++              ASSERT(path->locks[level]);
+               ret = btrfs_lookup_extent_info(trans, fs_info,
+                                              eb->start, level, 1,
+                                              &wc->refs[level],
+@@ -5110,7 +5110,7 @@ static noinline int walk_down_proc(struct btrfs_trans_handle *trans,
+       /* wc->stage == UPDATE_BACKREF */
+       if (!(wc->flags[level] & flag)) {
+-              BUG_ON(!path->locks[level]);
++              ASSERT(path->locks[level]);
+               ret = btrfs_inc_ref(trans, root, eb, 1);
+               BUG_ON(ret); /* -ENOMEM */
+               ret = btrfs_dec_ref(trans, root, eb, 0);
+-- 
+2.43.0
+
diff --git a/queue-5.15/btrfs-replace-bug_on-with-error-handling-at-update_r.patch b/queue-5.15/btrfs-replace-bug_on-with-error-handling-at-update_r.patch
new file mode 100644 (file)
index 0000000..e1fae42
--- /dev/null
@@ -0,0 +1,50 @@
+From 1089ac53a2ef8ec6668c02e5a4c5caa05a8ddbf3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Jun 2024 15:55:16 +0100
+Subject: btrfs: replace BUG_ON() with error handling at update_ref_for_cow()
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit b56329a782314fde5b61058e2a25097af7ccb675 ]
+
+Instead of a BUG_ON() just return an error, log an error message and
+abort the transaction in case we find an extent buffer belonging to the
+relocation tree that doesn't have the full backref flag set. This is
+unexpected and should never happen (save for bugs or a potential bad
+memory).
+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ctree.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
+index 8b53313bf3b2..0b8c8b5094ef 100644
+--- a/fs/btrfs/ctree.c
++++ b/fs/btrfs/ctree.c
+@@ -306,8 +306,16 @@ static noinline int update_ref_for_cow(struct btrfs_trans_handle *trans,
+       }
+       owner = btrfs_header_owner(buf);
+-      BUG_ON(owner == BTRFS_TREE_RELOC_OBJECTID &&
+-             !(flags & BTRFS_BLOCK_FLAG_FULL_BACKREF));
++      if (unlikely(owner == BTRFS_TREE_RELOC_OBJECTID &&
++                   !(flags & BTRFS_BLOCK_FLAG_FULL_BACKREF))) {
++              btrfs_crit(fs_info,
++"found tree block at bytenr %llu level %d root %llu refs %llu flags %llx without full backref flag set",
++                         buf->start, btrfs_header_level(buf),
++                         btrfs_root_id(root), refs, flags);
++              ret = -EUCLEAN;
++              btrfs_abort_transaction(trans, ret);
++              return ret;
++      }
+       if (refs > 1) {
+               if ((owner == root->root_key.objectid ||
+-- 
+2.43.0
+
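Review bot: The new error message calls btrfs_root_id(root) while the untouched context line just below it uses `root->root_key.objectid` for the same value; for the 5.15 backport please confirm the btrfs_root_id() helper exists in that tree, otherwise spell it as `root->root_key.objectid` to match the surrounding code. The new path also assigns `ret`, which must already be declared in update_ref_for_cow(); that declaration and the function's start are outside the hunk. Logging with btrfs_crit() and aborting the transaction before returning -EUCLEAN is consistent with the other BUG_ON() replacements in this queue.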
diff --git a/queue-5.15/can-bcm-remove-proc-entry-when-dev-is-unregistered.patch b/queue-5.15/can-bcm-remove-proc-entry-when-dev-is-unregistered.patch
new file mode 100644 (file)
index 0000000..80ee06e
--- /dev/null
@@ -0,0 +1,99 @@
+From a5252ebe516058d98b85851742f116395d47bb08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 12:28:42 -0700
+Subject: can: bcm: Remove proc entry when dev is unregistered.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 76fe372ccb81b0c89b6cd2fec26e2f38c958be85 ]
+
+syzkaller reported a warning in bcm_connect() below. [0]
+
+The repro calls connect() to vxcan1, removes vxcan1, and calls
+connect() with ifindex == 0.
+
+Calling connect() for a BCM socket allocates a proc entry.
+Then, bcm_sk(sk)->bound is set to 1 to prevent further connect().
+
+However, removing the bound device resets bcm_sk(sk)->bound to 0
+in bcm_notify().
+
+The 2nd connect() tries to allocate a proc entry with the same
+name and sets NULL to bcm_sk(sk)->bcm_proc_read, leaking the
+original proc entry.
+
+Since the proc entry is available only for connect()ed sockets,
+let's clean up the entry when the bound netdev is unregistered.
+
+[0]:
+proc_dir_entry 'can-bcm/2456' already registered
+WARNING: CPU: 1 PID: 394 at fs/proc/generic.c:376 proc_register+0x645/0x8f0 fs/proc/generic.c:375
+Modules linked in:
+CPU: 1 PID: 394 Comm: syz-executor403 Not tainted 6.10.0-rc7-g852e42cc2dd4
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
+RIP: 0010:proc_register+0x645/0x8f0 fs/proc/generic.c:375
+Code: 00 00 00 00 00 48 85 ed 0f 85 97 02 00 00 4d 85 f6 0f 85 9f 02 00 00 48 c7 c7 9b cb cf 87 48 89 de 4c 89 fa e8 1c 6f eb fe 90 <0f> 0b 90 90 48 c7 c7 98 37 99 89 e8 cb 7e 22 05 bb 00 00 00 10 48
+RSP: 0018:ffa0000000cd7c30 EFLAGS: 00010246
+RAX: 9e129be1950f0200 RBX: ff1100011b51582c RCX: ff1100011857cd80
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
+RBP: 0000000000000000 R08: ffd400000000000f R09: ff1100013e78cac0
+R10: ffac800000cd7980 R11: ff1100013e12b1f0 R12: 0000000000000000
+R13: 0000000000000000 R14: 0000000000000000 R15: ff1100011a99a2ec
+FS:  00007fbd7086f740(0000) GS:ff1100013fd00000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000200071c0 CR3: 0000000118556004 CR4: 0000000000771ef0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
+PKRU: 55555554
+Call Trace:
+ <TASK>
+ proc_create_net_single+0x144/0x210 fs/proc/proc_net.c:220
+ bcm_connect+0x472/0x840 net/can/bcm.c:1673
+ __sys_connect_file net/socket.c:2049 [inline]
+ __sys_connect+0x5d2/0x690 net/socket.c:2066
+ __do_sys_connect net/socket.c:2076 [inline]
+ __se_sys_connect net/socket.c:2073 [inline]
+ __x64_sys_connect+0x8f/0x100 net/socket.c:2073
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xd9/0x1c0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+RIP: 0033:0x7fbd708b0e5d
+Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48
+RSP: 002b:00007fff8cd33f08 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fbd708b0e5d
+RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
+RBP: 0000000000000000 R08: 0000000000000040 R09: 0000000000000040
+R10: 0000000000000040 R11: 0000000000000246 R12: 00007fff8cd34098
+R13: 0000000000401280 R14: 0000000000406de8 R15: 00007fbd70ab9000
+ </TASK>
+remove_proc_entry: removing non-empty directory 'net/can-bcm', leaking at least '2456'
+
+Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol")
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/all/20240722192842.37421-1-kuniyu@amazon.com
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/bcm.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/can/bcm.c b/net/can/bcm.c
+index a2fd68d1149b..8c039638b196 100644
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -1423,6 +1423,10 @@ static void bcm_notify(struct bcm_sock *bo, unsigned long msg,
+               /* remove device reference, if this is our bound device */
+               if (bo->bound && bo->ifindex == dev->ifindex) {
++#if IS_ENABLED(CONFIG_PROC_FS)
++                      if (sock_net(sk)->can.bcmproc_dir && bo->bcm_proc_read)
++                              remove_proc_entry(bo->procname, sock_net(sk)->can.bcmproc_dir);
++#endif
+                       bo->bound   = 0;
+                       bo->ifindex = 0;
+                       notify_enodev = 1;
+-- 
+2.43.0
+
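Review bot: `bo->bcm_proc_read` is left non-NULL after the `remove_proc_entry()` added to bcm_notify(), so any other path that uses the same `... && bo->bcm_proc_read` guard (presumably the socket release path, which is outside this hunk) will try to remove an entry that is already gone. Clearing the pointer right after the call, `bo->bcm_proc_read = NULL;`, makes the guard truthful and turns a second removal into a no-op. bcm_notify()'s body continues outside the hunk.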
diff --git a/queue-5.15/can-m_can-release-irq-on-error-in-m_can_open.patch b/queue-5.15/can-m_can-release-irq-on-error-in-m_can_open.patch
new file mode 100644 (file)
index 0000000..6a31c50
--- /dev/null
@@ -0,0 +1,54 @@
+From f1b1f8fb3bf33fa5862c9aa7a7ba0c6dc04cca62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 5 Aug 2024 15:01:58 +0100
+Subject: can: m_can: Release irq on error in m_can_open
+
+From: Simon Horman <horms@kernel.org>
+
+[ Upstream commit 06d4ef3056a7ac31be331281bb7a6302ef5a7f8a ]
+
+It appears that the irq requested in m_can_open() may be leaked
+if an error subsequently occurs: if m_can_start() fails.
+
+Address this by calling free_irq in the unwind path for
+such cases.
+
+Flagged by Smatch.
+Compile tested only.
+
+Fixes: eaacfeaca7ad ("can: m_can: Call the RAM init directly from m_can_chip_config")
+Acked-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/all/20240805-mcan-irq-v2-1-7154c0484819@kernel.org
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/can/m_can/m_can.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c
+index e027229c1955..07f61ee76ca6 100644
+--- a/drivers/net/can/m_can/m_can.c
++++ b/drivers/net/can/m_can/m_can.c
+@@ -1840,7 +1840,7 @@ static int m_can_open(struct net_device *dev)
+       /* start the m_can controller */
+       err = m_can_start(dev);
+       if (err)
+-              goto exit_irq_fail;
++              goto exit_start_fail;
+       can_led_event(dev, CAN_LED_EVENT_OPEN);
+@@ -1851,6 +1851,9 @@ static int m_can_open(struct net_device *dev)
+       return 0;
++exit_start_fail:
++      if (cdev->is_peripheral || dev->irq)
++              free_irq(dev->irq, dev);
+ exit_irq_fail:
+       if (cdev->is_peripheral)
+               destroy_workqueue(cdev->tx_wq);
+-- 
+2.43.0
+
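Review bot: The unwind condition `cdev->is_peripheral || dev->irq` at the new `exit_start_fail:` label has to stay in lock-step with the condition under which the IRQ was requested earlier in m_can_open() (outside the hunk), and nothing in the code ties the two together. A one-line comment above the check, `/* must mirror the IRQ request condition above */`, would keep a later change to either side from leaking or double-freeing the IRQ. Falling through into `exit_irq_fail:` still destroys the peripheral workqueue, which appears intended but is worth a word in the same comment.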
diff --git a/queue-5.15/cgroup-protect-css-cgroup-write-under-css_set_lock.patch b/queue-5.15/cgroup-protect-css-cgroup-write-under-css_set_lock.patch
new file mode 100644 (file)
index 0000000..e9fbeba
--- /dev/null
@@ -0,0 +1,45 @@
+From 22a70d028b958808534b9aadf609fbf9ac22f60c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jul 2024 14:52:29 -0400
+Subject: cgroup: Protect css->cgroup write under css_set_lock
+
+From: Waiman Long <longman@redhat.com>
+
+[ Upstream commit 57b56d16800e8961278ecff0dc755d46c4575092 ]
+
+The writing of css->cgroup associated with the cgroup root in
+rebind_subsystems() is currently protected only by cgroup_mutex.
+However, the reading of css->cgroup in both proc_cpuset_show() and
+proc_cgroup_show() is protected just by css_set_lock. That makes the
+readers susceptible to racing problems like data tearing or caching.
+It is also a problem that can be reported by KCSAN.
+
+This can be fixed by using READ_ONCE() and WRITE_ONCE() to access
+css->cgroup. Alternatively, the writing of css->cgroup can be moved
+under css_set_lock as well which is done by this patch.
+
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/cgroup/cgroup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
+index be467aea457e..84e85561a87c 100644
+--- a/kernel/cgroup/cgroup.c
++++ b/kernel/cgroup/cgroup.c
+@@ -1802,9 +1802,9 @@ int rebind_subsystems(struct cgroup_root *dst_root, u16 ss_mask)
+               RCU_INIT_POINTER(scgrp->subsys[ssid], NULL);
+               rcu_assign_pointer(dcgrp->subsys[ssid], css);
+               ss->root = dst_root;
+-              css->cgroup = dcgrp;
+               spin_lock_irq(&css_set_lock);
++              css->cgroup = dcgrp;
+               WARN_ON(!list_empty(&dcgrp->e_csets[ss->id]));
+               list_for_each_entry_safe(cset, cset_pos, &scgrp->e_csets[ss->id],
+                                        e_cset_node[ss->id]) {
+-- 
+2.43.0
+
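Review bot: The relocated `css->cgroup = dcgrp;` carries no comment saying why the write must sit inside the `css_set_lock` region, so a later cleanup could hoist it back out and silently reintroduce the tearing race the commit message describes. A short comment on the assignment, `/* readers (e.g. proc_cgroup_show()) only hold css_set_lock */`, documents the invariant at the point where it matters. Any reader that inspects css->cgroup without css_set_lock would still need READ_ONCE() pairing; the hunk does not show whether such readers exist.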
diff --git a/queue-5.15/devres-initialize-an-uninitialized-struct-member.patch b/queue-5.15/devres-initialize-an-uninitialized-struct-member.patch
new file mode 100644 (file)
index 0000000..d2081f6
--- /dev/null
@@ -0,0 +1,35 @@
+From 234672b478bbb35fa56551f7d16ba816686f1cb5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2024 22:51:52 +0800
+Subject: devres: Initialize an uninitialized struct member
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+[ Upstream commit 56a20ad349b5c51909cf8810f7c79b288864ad33 ]
+
+Initialize an uninitialized struct member for driver API
+devres_open_group().
+
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/1719931914-19035-4-git-send-email-quic_zijuhu@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/devres.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/base/devres.c b/drivers/base/devres.c
+index 27a43b4960f5..d3f59028dec7 100644
+--- a/drivers/base/devres.c
++++ b/drivers/base/devres.c
+@@ -562,6 +562,7 @@ void * devres_open_group(struct device *dev, void *id, gfp_t gfp)
+       grp->id = grp;
+       if (id)
+               grp->id = id;
++      grp->color = 0;
+       spin_lock_irqsave(&dev->devres_lock, flags);
+       add_dr(dev, &grp->node[0]);
+-- 
+2.43.0
+
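Review bot: `grp->color = 0;` initialises one member by hand, which only helps until the next member is added to the group struct; if the allocation of `grp` (outside the hunk) uses a non-zeroing allocator, switching it to `kzalloc()` would cover every member and let this line go. If the explicit store is kept, a comment such as `/* every member of *grp must be initialised before it is published via add_dr() */` tells a reader why this one line exists.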
diff --git a/queue-5.15/dm-init-handle-minors-larger-than-255.patch b/queue-5.15/dm-init-handle-minors-larger-than-255.patch
new file mode 100644 (file)
index 0000000..5460abc
--- /dev/null
@@ -0,0 +1,43 @@
+From 72cdd9e411d98f53e0162abf9ad2191f7f5845a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2024 12:13:24 +0200
+Subject: dm init: Handle minors larger than 255
+
+From: Benjamin Marzinski <bmarzins@redhat.com>
+
+[ Upstream commit 140ce37fd78a629105377e17842465258a5459ef ]
+
+dm_parse_device_entry() simply copies the minor number into dmi.dev, but
+the dev_t format splits the minor number between the lowest 8 bytes and
+highest 12 bytes. If the minor number is larger than 255, part of it
+will end up getting treated as the major number
+
+Fix this by checking that the minor number is valid and then encoding it
+as a dev_t.
+
+Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/dm-init.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/md/dm-init.c b/drivers/md/dm-init.c
+index dc4381d68313..6e9e73a55874 100644
+--- a/drivers/md/dm-init.c
++++ b/drivers/md/dm-init.c
+@@ -213,8 +213,10 @@ static char __init *dm_parse_device_entry(struct dm_device *dev, char *str)
+       strscpy(dev->dmi.uuid, field[1], sizeof(dev->dmi.uuid));
+       /* minor */
+       if (strlen(field[2])) {
+-              if (kstrtoull(field[2], 0, &dev->dmi.dev))
++              if (kstrtoull(field[2], 0, &dev->dmi.dev) ||
++                  dev->dmi.dev >= (1 << MINORBITS))
+                       return ERR_PTR(-EINVAL);
++              dev->dmi.dev = huge_encode_dev((dev_t)dev->dmi.dev);
+               dev->dmi.flags |= DM_PERSISTENT_DEV_FLAG;
+       }
+       /* flags */
+-- 
+2.43.0
+
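Review bot: The range check `dev->dmi.dev >= (1 << MINORBITS)` and the following `huge_encode_dev()` have no comment explaining why a raw minor must be bounded and re-encoded, even though this is a parser for externally supplied text (presumably kernel command-line input). A comment above the check, `/* the minor is parsed as a raw number; reject anything that does not fit MINORBITS, then store it in the huge-encoded dev_t form the rest of DM expects */`, records both the bound and the encoding contract. Since `dmi.dev` is the 64-bit target of `kstrtoull()`, it is also worth stating that the `(dev_t)` cast cannot truncate because the bound has already been enforced.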
diff --git a/queue-5.15/dma-mapping-benchmark-don-t-starve-others-when-doing.patch b/queue-5.15/dma-mapping-benchmark-don-t-starve-others-when-doing.patch
new file mode 100644 (file)
index 0000000..bdba2c2
--- /dev/null
@@ -0,0 +1,110 @@
+From 19e7e60e13fbe47fb334c19b22de6ed82d0a0c41 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Jun 2024 17:28:55 +0800
+Subject: dma-mapping: benchmark: Don't starve others when doing the test
+
+From: Yicong Yang <yangyicong@hisilicon.com>
+
+[ Upstream commit 54624acf8843375a6de3717ac18df3b5104c39c5 ]
+
+The test thread will start N benchmark kthreads and then schedule out
+until the test time finished and notify the benchmark kthreads to stop.
+The benchmark kthreads will keep running until notified to stop.
+There's a problem with current implementation when the benchmark
+kthreads number is equal to the CPUs on a non-preemptible kernel:
+since the scheduler will balance the kthreads across the CPUs and
+when the test time's out the test thread won't get a chance to be
+scheduled on any CPU then cannot notify the benchmark kthreads to stop.
+
+This can be easily reproduced on a VM (simulated with 16 CPUs) with
+PREEMPT_VOLUNTARY:
+estuary:/mnt$ ./dma_map_benchmark -t 16 -s 1
+ rcu: INFO: rcu_sched self-detected stall on CPU
+ rcu:     10-...!: (5221 ticks this GP) idle=ed24/1/0x4000000000000000 softirq=142/142 fqs=0
+ rcu:     (t=5254 jiffies g=-559 q=45 ncpus=16)
+ rcu: rcu_sched kthread starved for 5255 jiffies! g-559 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=12
+ rcu:     Unless rcu_sched kthread gets sufficient CPU time, OOM is now expected behavior.
+ rcu: RCU grace-period kthread stack dump:
+ task:rcu_sched       state:R  running task     stack:0     pid:16    tgid:16    ppid:2      flags:0x00000008
+ Call trace
+  __switch_to+0xec/0x138
+  __schedule+0x2f8/0x1080
+  schedule+0x30/0x130
+  schedule_timeout+0xa0/0x188
+  rcu_gp_fqs_loop+0x128/0x528
+  rcu_gp_kthread+0x1c8/0x208
+  kthread+0xec/0xf8
+  ret_from_fork+0x10/0x20
+ Sending NMI from CPU 10 to CPUs 0:
+ NMI backtrace for cpu 0
+ CPU: 0 PID: 332 Comm: dma-map-benchma Not tainted 6.10.0-rc1-vanilla-LSE #8
+ Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
+ pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : arm_smmu_cmdq_issue_cmdlist+0x218/0x730
+ lr : arm_smmu_cmdq_issue_cmdlist+0x488/0x730
+ sp : ffff80008748b630
+ x29: ffff80008748b630 x28: 0000000000000000 x27: ffff80008748b780
+ x26: 0000000000000000 x25: 000000000000bc70 x24: 000000000001bc70
+ x23: ffff0000c12af080 x22: 0000000000010000 x21: 000000000000ffff
+ x20: ffff80008748b700 x19: ffff0000c12af0c0 x18: 0000000000010000
+ x17: 0000000000000001 x16: 0000000000000040 x15: ffffffffffffffff
+ x14: 0001ffffffffffff x13: 000000000000ffff x12: 00000000000002f1
+ x11: 000000000001ffff x10: 0000000000000031 x9 : ffff800080b6b0b8
+ x8 : ffff0000c2a48000 x7 : 000000000001bc71 x6 : 0001800000000000
+ x5 : 00000000000002f1 x4 : 01ffffffffffffff x3 : 000000000009aaf1
+ x2 : 0000000000000018 x1 : 000000000000000f x0 : ffff0000c12af18c
+ Call trace:
+  arm_smmu_cmdq_issue_cmdlist+0x218/0x730
+  __arm_smmu_tlb_inv_range+0xe0/0x1a8
+  arm_smmu_iotlb_sync+0xc0/0x128
+  __iommu_dma_unmap+0x248/0x320
+  iommu_dma_unmap_page+0x5c/0xe8
+  dma_unmap_page_attrs+0x38/0x1d0
+  map_benchmark_thread+0x118/0x2c0
+  kthread+0xec/0xf8
+  ret_from_fork+0x10/0x20
+
+Solve this by adding scheduling point in the kthread loop,
+so if there're other threads in the system they may have
+a chance to run, especially the thread to notify the test
+end. However this may degrade the test concurrency so it's
+recommended to run this on an idle system.
+
+Signed-off-by: Yicong Yang <yangyicong@hisilicon.com>
+Acked-by: Barry Song <baohua@kernel.org>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/dma/map_benchmark.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/kernel/dma/map_benchmark.c b/kernel/dma/map_benchmark.c
+index fc67b39d8b38..b96d4fb8407b 100644
+--- a/kernel/dma/map_benchmark.c
++++ b/kernel/dma/map_benchmark.c
+@@ -112,6 +112,22 @@ static int map_benchmark_thread(void *data)
+               atomic64_add(map_sq, &map->sum_sq_map);
+               atomic64_add(unmap_sq, &map->sum_sq_unmap);
+               atomic64_inc(&map->loops);
++
++              /*
++               * We may test for a long time so periodically check whether
++               * we need to schedule to avoid starving the others. Otherwise
++               * we may hangup the kernel in a non-preemptible kernel when
++               * the test kthreads number >= CPU number, the test kthreads
++               * will run endless on every CPU since the thread resposible
++               * for notifying the kthread stop (in do_map_benchmark())
++               * could not be scheduled.
++               *
++               * Note this may degrade the test concurrency since the test
++               * threads may need to share the CPU time with other load
++               * in the system. So it's recommended to run this benchmark
++               * on an idle system.
++               */
++              cond_resched();
+       }
+ out:
+-- 
+2.43.0
+
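Review bot: The new comment above `cond_resched()` has typos that will be copied by anyone quoting it: `resposible` should be `responsible`, `will run endless on every CPU` should be `will run endlessly on every CPU`, and `hangup the kernel` reads better as `hang the kernel`. A tighter first paragraph would be: `We may test for a long time, so periodically yield the CPU to avoid starving other tasks. Otherwise, on a non-preemptible kernel with as many test kthreads as CPUs, the kthreads run endlessly and the thread responsible for stopping them (in do_map_benchmark()) is never scheduled.` The placement after the counter updates looks like it keeps the yield outside the measured map/unmap window; if so, a phrase saying that would pre-empt the question.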
diff --git a/queue-5.15/drm-amd-display-check-hdcp-returned-status.patch b/queue-5.15/drm-amd-display-check-hdcp-returned-status.patch
new file mode 100644 (file)
index 0000000..211a4bd
--- /dev/null
@@ -0,0 +1,57 @@
+From d66dd1bf716a97acf8a2d257396bdb4348ea57ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Jun 2024 10:36:49 -0600
+Subject: drm/amd/display: Check HDCP returned status
+
+From: Alex Hung <alex.hung@amd.com>
+
+[ Upstream commit 5d93060d430b359e16e7c555c8f151ead1ac614b ]
+
+[WHAT & HOW]
+Check mod_hdcp_execute_and_set() return values in authenticated_dp.
+
+This fixes 3 CHECKED_RETURN issues reported by Coverity.
+
+Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
+Signed-off-by: Alex Hung <alex.hung@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../amd/display/modules/hdcp/hdcp1_execution.c    | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c
+index 6ec918af3bff..119b00aadd9a 100644
+--- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c
++++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp1_execution.c
+@@ -433,17 +433,20 @@ static enum mod_hdcp_status authenticated_dp(struct mod_hdcp *hdcp,
+       }
+       if (status == MOD_HDCP_STATUS_SUCCESS)
+-              mod_hdcp_execute_and_set(mod_hdcp_read_bstatus,
++              if (!mod_hdcp_execute_and_set(mod_hdcp_read_bstatus,
+                               &input->bstatus_read, &status,
+-                              hdcp, "bstatus_read");
++                              hdcp, "bstatus_read"))
++                      goto out;
+       if (status == MOD_HDCP_STATUS_SUCCESS)
+-              mod_hdcp_execute_and_set(check_link_integrity_dp,
++              if (!mod_hdcp_execute_and_set(check_link_integrity_dp,
+                               &input->link_integrity_check, &status,
+-                              hdcp, "link_integrity_check");
++                              hdcp, "link_integrity_check"))
++                      goto out;
+       if (status == MOD_HDCP_STATUS_SUCCESS)
+-              mod_hdcp_execute_and_set(check_no_reauthentication_request_dp,
++              if (!mod_hdcp_execute_and_set(check_no_reauthentication_request_dp,
+                               &input->reauth_request_check, &status,
+-                              hdcp, "reauth_request_check");
++                              hdcp, "reauth_request_check"))
++                      goto out;
+ out:
+       return status;
+ }
+-- 
+2.43.0
+
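Review bot: Each of the three new checks is an unbraced `if` whose body is another `if ... goto out;`, which is exactly the shape that dangling-else and `goto fail`-style mistakes grow from; brace the outer `if`, e.g. `if (status == MOD_HDCP_STATUS_SUCCESS) { if (!mod_hdcp_execute_and_set(...)) goto out; }`. The nesting can also be removed entirely by folding the two conditions, `if (status == MOD_HDCP_STATUS_SUCCESS && !mod_hdcp_execute_and_set(...)) goto out;`, which is behaviourally identical. The last `goto out;` after `reauth_request_check` jumps to the label on the very next statement and is redundant.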
diff --git a/queue-5.15/drm-amdgpu-check-for-linear_aligned-correctly-in-che.patch b/queue-5.15/drm-amdgpu-check-for-linear_aligned-correctly-in-che.patch
new file mode 100644 (file)
index 0000000..4ad2a50
--- /dev/null
@@ -0,0 +1,40 @@
+From 2b00eee2b905881088bde66b40514ccfcddb76b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 Jun 2024 16:36:27 -0400
+Subject: drm/amdgpu: check for LINEAR_ALIGNED correctly in
+ check_tiling_flags_gfx6
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Olšák <marek.olsak@amd.com>
+
+[ Upstream commit 11317d2963fa79767cd7c6231a00a9d77f2e0f54 ]
+
+Fix incorrect check.
+
+Signed-off-by: Marek Olšák <marek.olsak@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
+index 11413b3e80c5..1f7ddb65383d 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
+@@ -842,8 +842,7 @@ static int check_tiling_flags_gfx6(struct amdgpu_framebuffer *afb)
+ {
+       u64 micro_tile_mode;
+-      /* Zero swizzle mode means linear */
+-      if (AMDGPU_TILING_GET(afb->tiling_flags, SWIZZLE_MODE) == 0)
++      if (AMDGPU_TILING_GET(afb->tiling_flags, ARRAY_MODE) == 1) /* LINEAR_ALIGNED */
+               return 0;
+       micro_tile_mode = AMDGPU_TILING_GET(afb->tiling_flags, MICRO_TILE_MODE);
+-- 
+2.43.0
+
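Review bot: The literal `1` in `AMDGPU_TILING_GET(afb->tiling_flags, ARRAY_MODE) == 1` is a magic number explained only by the trailing `/* LINEAR_ALIGNED */`; if the driver's GFX6 headers define a named constant for that array mode, comparing against it lets the compiler enforce the meaning. The removed `/* Zero swizzle mode means linear */` comment is not replaced by one saying why a linear-aligned framebuffer is exempt from the micro-tile checks; `/* linear buffers carry no tiling layout, so there is nothing to validate */` above the early `return 0;` would do. The rest of check_tiling_flags_gfx6() is outside the hunk.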
diff --git a/queue-5.15/drm-amdgpu-set-no_hw_access-when-vf-request-full-gpu.patch b/queue-5.15/drm-amdgpu-set-no_hw_access-when-vf-request-full-gpu.patch
new file mode 100644 (file)
index 0000000..584cdea
--- /dev/null
@@ -0,0 +1,46 @@
+From 65d72363ad9236bf654e43366c93f3cd4195ae7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Jun 2024 15:06:23 +0800
+Subject: drm/amdgpu: Set no_hw_access when VF request full GPU fails
+
+From: Yifan Zha <Yifan.Zha@amd.com>
+
+[ Upstream commit 33f23fc3155b13c4a96d94a0a22dc26db767440b ]
+
+[Why]
+If VF request full GPU access and the request failed,
+the VF driver can get stuck accessing registers for an extended period during
+the unload of KMS.
+
+[How]
+Set no_hw_access flag when VF request for full GPU access fails
+This prevents further hardware access attempts, avoiding the prolonged
+stuck state.
+
+Signed-off-by: Yifan Zha <Yifan.Zha@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c
+index 76fc0e8dcf9c..59007024aafe 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c
+@@ -122,8 +122,10 @@ int amdgpu_virt_request_full_gpu(struct amdgpu_device *adev, bool init)
+       if (virt->ops && virt->ops->req_full_gpu) {
+               r = virt->ops->req_full_gpu(adev, init);
+-              if (r)
++              if (r) {
++                      adev->no_hw_access = true;
+                       return r;
++              }
+               adev->virt.caps &= ~AMDGPU_SRIOV_CAPS_RUNTIME;
+       }
+-- 
+2.43.0
+
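Review bot: `adev->no_hw_access = true;` is set when `req_full_gpu` fails, but nothing in the hunk clears it again, so if amdgpu_virt_request_full_gpu() can be invoked more than once (for instance after a reset) a single transient denial leaves hardware access disabled for good; confirm a later successful request clears the flag, or clear it on the success path just before `adev->virt.caps &= ~AMDGPU_SRIOV_CAPS_RUNTIME;`. A comment on the new line, `/* host denied full access; stop touching registers so unload does not stall */`, would record the intent stated in the commit message.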
diff --git a/queue-5.15/ext4-fix-possible-tid_t-sequence-overflows.patch b/queue-5.15/ext4-fix-possible-tid_t-sequence-overflows.patch
new file mode 100644 (file)
index 0000000..1fa6d51
--- /dev/null
@@ -0,0 +1,67 @@
+From bc02f8286b4d4f9409bf9329ed8310b981f79463 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 May 2024 10:20:30 +0100
+Subject: ext4: fix possible tid_t sequence overflows
+
+From: Luis Henriques (SUSE) <luis.henriques@linux.dev>
+
+[ Upstream commit 63469662cc45d41705f14b4648481d5d29cf5999 ]
+
+In the fast commit code there are a few places where tid_t variables are
+being compared without taking into account the fact that these sequence
+numbers may wrap.  Fix this issue by using the helper functions tid_gt()
+and tid_geq().
+
+Signed-off-by: Luis Henriques (SUSE) <luis.henriques@linux.dev>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
+Link: https://patch.msgid.link/20240529092030.9557-3-luis.henriques@linux.dev
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/fast_commit.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fs/ext4/fast_commit.c b/fs/ext4/fast_commit.c
+index e81b886d9c67..62255b3eb1b4 100644
+--- a/fs/ext4/fast_commit.c
++++ b/fs/ext4/fast_commit.c
+@@ -325,7 +325,7 @@ void ext4_fc_mark_ineligible(struct super_block *sb, int reason, handle_t *handl
+               read_unlock(&sbi->s_journal->j_state_lock);
+       }
+       spin_lock(&sbi->s_fc_lock);
+-      if (sbi->s_fc_ineligible_tid < tid)
++      if (tid_gt(tid, sbi->s_fc_ineligible_tid))
+               sbi->s_fc_ineligible_tid = tid;
+       spin_unlock(&sbi->s_fc_lock);
+       WARN_ON(reason >= EXT4_FC_REASON_MAX);
+@@ -1206,7 +1206,7 @@ int ext4_fc_commit(journal_t *journal, tid_t commit_tid)
+       if (ret == -EALREADY) {
+               /* There was an ongoing commit, check if we need to restart */
+               if (atomic_read(&sbi->s_fc_subtid) <= subtid &&
+-                      commit_tid > journal->j_commit_sequence)
++                  tid_gt(commit_tid, journal->j_commit_sequence))
+                       goto restart_fc;
+               ext4_fc_update_stats(sb, EXT4_FC_STATUS_SKIPPED, 0, 0);
+               return 0;
+@@ -1278,7 +1278,7 @@ static void ext4_fc_cleanup(journal_t *journal, int full, tid_t tid)
+               list_del_init(&iter->i_fc_list);
+               ext4_clear_inode_state(&iter->vfs_inode,
+                                      EXT4_STATE_FC_COMMITTING);
+-              if (iter->i_sync_tid <= tid)
++              if (tid_geq(tid, iter->i_sync_tid))
+                       ext4_fc_reset_inode(&iter->vfs_inode);
+               /* Make sure EXT4_STATE_FC_COMMITTING bit is clear */
+               smp_mb();
+@@ -1308,7 +1308,7 @@ static void ext4_fc_cleanup(journal_t *journal, int full, tid_t tid)
+       list_splice_init(&sbi->s_fc_q[FC_Q_STAGING],
+                               &sbi->s_fc_q[FC_Q_MAIN]);
+-      if (tid >= sbi->s_fc_ineligible_tid) {
++      if (tid_geq(tid, sbi->s_fc_ineligible_tid)) {
+               sbi->s_fc_ineligible_tid = 0;
+               ext4_clear_mount_flag(sb, EXT4_MF_FC_INELIGIBLE);
+       }
+-- 
+2.43.0
+
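Review bot: Using `tid_gt()`/`tid_geq()` against a `0` sentinel changes behaviour in the upper half of the sequence space: the ext4_fc_cleanup() hunk itself resets `sbi->s_fc_ineligible_tid = 0` as an "unset" value, and with `tid_t` unsigned the old `tid >= 0` was always true, whereas `tid_geq(tid, 0)` is false for any tid with the top bit set; the same applies to `tid_gt(tid, sbi->s_fc_ineligible_tid)` in ext4_fc_mark_ineligible() while the field is still 0. Either special-case the sentinel, `if (!sbi->s_fc_ineligible_tid || tid_geq(tid, sbi->s_fc_ineligible_tid))`, or confirm that the ineligible flag can never be set while the tid is 0. In the ext4_fc_commit() hunk, `atomic_read(&sbi->s_fc_subtid) <= subtid` is left as a plain comparison; if that sub-sequence can wrap it deserves the same treatment.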
diff --git a/queue-5.15/fou-fix-null-ptr-deref-in-gro.patch b/queue-5.15/fou-fix-null-ptr-deref-in-gro.patch
new file mode 100644 (file)
index 0000000..25ca643
--- /dev/null
@@ -0,0 +1,172 @@
+From e7470c219c53d6a4ae4c98d334bafe258a50ec70 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Sep 2024 10:39:27 -0700
+Subject: fou: Fix null-ptr-deref in GRO.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 7e4196935069947d8b70b09c1660b67b067e75cb ]
+
+We observed a null-ptr-deref in fou_gro_receive() while shutting down
+a host.  [0]
+
+The NULL pointer is sk->sk_user_data, and the offset 8 is of protocol
+in struct fou.
+
+When fou_release() is called due to netns dismantle or explicit tunnel
+teardown, udp_tunnel_sock_release() sets NULL to sk->sk_user_data.
+Then, the tunnel socket is destroyed after a single RCU grace period.
+
+So, in-flight udp4_gro_receive() could find the socket and execute the
+FOU GRO handler, where sk->sk_user_data could be NULL.
+
+Let's use rcu_dereference_sk_user_data() in fou_from_sock() and add NULL
+checks in FOU GRO handlers.
+
+[0]:
+BUG: kernel NULL pointer dereference, address: 0000000000000008
+ PF: supervisor read access in kernel mode
+ PF: error_code(0x0000) - not-present page
+PGD 80000001032f4067 P4D 80000001032f4067 PUD 103240067 PMD 0
+SMP PTI
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.10.216-204.855.amzn2.x86_64 #1
+Hardware name: Amazon EC2 c5.large/, BIOS 1.0 10/16/2017
+RIP: 0010:fou_gro_receive (net/ipv4/fou.c:233) [fou]
+Code: 41 5f c3 cc cc cc cc e8 e7 2e 69 f4 0f 1f 80 00 00 00 00 0f 1f 44 00 00 49 89 f8 41 54 48 89 f7 48 89 d6 49 8b 80 88 02 00 00 <0f> b6 48 08 0f b7 42 4a 66 25 fd fd 80 cc 02 66 89 42 4a 0f b6 42
+RSP: 0018:ffffa330c0003d08 EFLAGS: 00010297
+RAX: 0000000000000000 RBX: ffff93d9e3a6b900 RCX: 0000000000000010
+RDX: ffff93d9e3a6b900 RSI: ffff93d9e3a6b900 RDI: ffff93dac2e24d08
+RBP: ffff93d9e3a6b900 R08: ffff93dacbce6400 R09: 0000000000000002
+R10: 0000000000000000 R11: ffffffffb5f369b0 R12: ffff93dacbce6400
+R13: ffff93dac2e24d08 R14: 0000000000000000 R15: ffffffffb4edd1c0
+FS:  0000000000000000(0000) GS:ffff93daee800000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000008 CR3: 0000000102140001 CR4: 00000000007706f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+PKRU: 55555554
+Call Trace:
+ <IRQ>
+ ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)
+ ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420)
+ ? no_context (arch/x86/mm/fault.c:752)
+ ? exc_page_fault (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 arch/x86/mm/fault.c:1435 arch/x86/mm/fault.c:1483)
+ ? asm_exc_page_fault (arch/x86/include/asm/idtentry.h:571)
+ ? fou_gro_receive (net/ipv4/fou.c:233) [fou]
+ udp_gro_receive (include/linux/netdevice.h:2552 net/ipv4/udp_offload.c:559)
+ udp4_gro_receive (net/ipv4/udp_offload.c:604)
+ inet_gro_receive (net/ipv4/af_inet.c:1549 (discriminator 7))
+ dev_gro_receive (net/core/dev.c:6035 (discriminator 4))
+ napi_gro_receive (net/core/dev.c:6170)
+ ena_clean_rx_irq (drivers/amazon/net/ena/ena_netdev.c:1558) [ena]
+ ena_io_poll (drivers/amazon/net/ena/ena_netdev.c:1742) [ena]
+ napi_poll (net/core/dev.c:6847)
+ net_rx_action (net/core/dev.c:6917)
+ __do_softirq (arch/x86/include/asm/jump_label.h:25 include/linux/jump_label.h:200 include/trace/events/irq.h:142 kernel/softirq.c:299)
+ asm_call_irq_on_stack (arch/x86/entry/entry_64.S:809)
+</IRQ>
+ do_softirq_own_stack (arch/x86/include/asm/irq_stack.h:27 arch/x86/include/asm/irq_stack.h:77 arch/x86/kernel/irq_64.c:77)
+ irq_exit_rcu (kernel/softirq.c:393 kernel/softirq.c:423 kernel/softirq.c:435)
+ common_interrupt (arch/x86/kernel/irq.c:239)
+ asm_common_interrupt (arch/x86/include/asm/idtentry.h:626)
+RIP: 0010:acpi_idle_do_entry (arch/x86/include/asm/irqflags.h:49 arch/x86/include/asm/irqflags.h:89 drivers/acpi/processor_idle.c:114 drivers/acpi/processor_idle.c:575)
+Code: 8b 15 d1 3c c4 02 ed c3 cc cc cc cc 65 48 8b 04 25 40 ef 01 00 48 8b 00 a8 08 75 eb 0f 1f 44 00 00 0f 00 2d d5 09 55 00 fb f4 <fa> c3 cc cc cc cc e9 be fc ff ff 66 66 2e 0f 1f 84 00 00 00 00 00
+RSP: 0018:ffffffffb5603e58 EFLAGS: 00000246
+RAX: 0000000000004000 RBX: ffff93dac0929c00 RCX: ffff93daee833900
+RDX: ffff93daee800000 RSI: ffff93daee87dc00 RDI: ffff93daee87dc64
+RBP: 0000000000000001 R08: ffffffffb5e7b6c0 R09: 0000000000000044
+R10: ffff93daee831b04 R11: 00000000000001cd R12: 0000000000000001
+R13: ffffffffb5e7b740 R14: 0000000000000001 R15: 0000000000000000
+ ? sched_clock_cpu (kernel/sched/clock.c:371)
+ acpi_idle_enter (drivers/acpi/processor_idle.c:712 (discriminator 3))
+ cpuidle_enter_state (drivers/cpuidle/cpuidle.c:237)
+ cpuidle_enter (drivers/cpuidle/cpuidle.c:353)
+ cpuidle_idle_call (kernel/sched/idle.c:158 kernel/sched/idle.c:239)
+ do_idle (kernel/sched/idle.c:302)
+ cpu_startup_entry (kernel/sched/idle.c:395 (discriminator 1))
+ start_kernel (init/main.c:1048)
+ secondary_startup_64_no_verify (arch/x86/kernel/head_64.S:310)
+Modules linked in: udp_diag tcp_diag inet_diag nft_nat ipip tunnel4 dummy fou ip_tunnel nft_masq nft_chain_nat nf_nat wireguard nft_ct curve25519_x86_64 libcurve25519_generic nf_conntrack libchacha20poly1305 nf_defrag_ipv6 nf_defrag_ipv4 nft_objref chacha_x86_64 nft_counter nf_tables nfnetlink poly1305_x86_64 ip6_udp_tunnel udp_tunnel libchacha crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper mousedev psmouse button ena ptp pps_core crc32c_intel
+CR2: 0000000000000008
+
+Fixes: d92283e338f6 ("fou: change to use UDP socket GRO")
+Reported-by: Alphonse Kurian <alkurian@amazon.com>
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://patch.msgid.link/20240902173927.62706-1-kuniyu@amazon.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/fou.c | 29 ++++++++++++++++++++++++-----
+ 1 file changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c
+index 605d9673d6ec..135da756dd5a 100644
+--- a/net/ipv4/fou.c
++++ b/net/ipv4/fou.c
+@@ -48,7 +48,7 @@ struct fou_net {
+ static inline struct fou *fou_from_sock(struct sock *sk)
+ {
+-      return sk->sk_user_data;
++      return rcu_dereference_sk_user_data(sk);
+ }
+ static int fou_recv_pull(struct sk_buff *skb, struct fou *fou, size_t len)
+@@ -231,9 +231,15 @@ static struct sk_buff *fou_gro_receive(struct sock *sk,
+                                      struct sk_buff *skb)
+ {
+       const struct net_offload __rcu **offloads;
+-      u8 proto = fou_from_sock(sk)->protocol;
++      struct fou *fou = fou_from_sock(sk);
+       const struct net_offload *ops;
+       struct sk_buff *pp = NULL;
++      u8 proto;
++
++      if (!fou)
++              goto out;
++
++      proto = fou->protocol;
+       /* We can clear the encap_mark for FOU as we are essentially doing
+        * one of two possible things.  We are either adding an L4 tunnel
+@@ -261,14 +267,24 @@ static int fou_gro_complete(struct sock *sk, struct sk_buff *skb,
+                           int nhoff)
+ {
+       const struct net_offload __rcu **offloads;
+-      u8 proto = fou_from_sock(sk)->protocol;
++      struct fou *fou = fou_from_sock(sk);
+       const struct net_offload *ops;
+-      int err = -ENOSYS;
++      u8 proto;
++      int err;
++
++      if (!fou) {
++              err = -ENOENT;
++              goto out;
++      }
++
++      proto = fou->protocol;
+       offloads = NAPI_GRO_CB(skb)->is_ipv6 ? inet6_offloads : inet_offloads;
+       ops = rcu_dereference(offloads[proto]);
+-      if (WARN_ON(!ops || !ops->callbacks.gro_complete))
++      if (WARN_ON(!ops || !ops->callbacks.gro_complete)) {
++              err = -ENOSYS;
+               goto out;
++      }
+       err = ops->callbacks.gro_complete(skb, nhoff);
+@@ -318,6 +334,9 @@ static struct sk_buff *gue_gro_receive(struct sock *sk,
+       struct gro_remcsum grc;
+       u8 proto;
++      if (!fou)
++              goto out;
++
+       skb_gro_remcsum_init(&grc);
+       off = skb_gro_offset(skb);
+-- 
+2.43.0
+
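Review bot: In the gue_gro_receive hunk the new `if (!fou) goto out;` jumps past `skb_gro_remcsum_init(&grc);`, yet that function's `out:` label (visible in the gro_receive hunk for the same file further down this page) calls `skb_gro_flush_final_remcsum(skb, pp, flush, &grc)`, so `grc` is read uninitialised on the early-exit path. Moving the initialisation above the check closes it: `skb_gro_remcsum_init(&grc);` followed by `if (!fou) goto out;`. gue_gro_receive's body starts and ends outside the hunk, so whether `flush` is already initialised at its declaration cannot be confirmed here and is worth checking the same way; the fou_gro_receive and fou_gro_complete early exits look fine since their `out:` labels only return `pp`/`err`.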
diff --git a/queue-5.15/fs-ntfs3-check-more-cases-when-directory-is-corrupte.patch b/queue-5.15/fs-ntfs3-check-more-cases-when-directory-is-corrupte.patch
new file mode 100644 (file)
index 0000000..c602368
--- /dev/null
@@ -0,0 +1,162 @@
+From 52d37dfe8bd65e17ffe62773967283267b7fc1f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Jun 2024 14:53:57 +0300
+Subject: fs/ntfs3: Check more cases when directory is corrupted
+
+From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+
+[ Upstream commit 744375343662058cbfda96d871786e5a5cbe1947 ]
+
+Mark ntfs dirty in this case.
+Rename ntfs_filldir to ntfs_dir_emit.
+
+Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ntfs3/dir.c | 52 +++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 32 insertions(+), 20 deletions(-)
+
+diff --git a/fs/ntfs3/dir.c b/fs/ntfs3/dir.c
+index dcd689ed4baa..a4ab0164d150 100644
+--- a/fs/ntfs3/dir.c
++++ b/fs/ntfs3/dir.c
+@@ -272,9 +272,12 @@ struct inode *dir_search_u(struct inode *dir, const struct cpu_str *uni,
+       return err == -ENOENT ? NULL : err ? ERR_PTR(err) : inode;
+ }
+-static inline int ntfs_filldir(struct ntfs_sb_info *sbi, struct ntfs_inode *ni,
+-                             const struct NTFS_DE *e, u8 *name,
+-                             struct dir_context *ctx)
++/*
++ * returns false if 'ctx' if full
++ */
++static inline bool ntfs_dir_emit(struct ntfs_sb_info *sbi,
++                               struct ntfs_inode *ni, const struct NTFS_DE *e,
++                               u8 *name, struct dir_context *ctx)
+ {
+       const struct ATTR_FILE_NAME *fname;
+       unsigned long ino;
+@@ -284,29 +287,29 @@ static inline int ntfs_filldir(struct ntfs_sb_info *sbi, struct ntfs_inode *ni,
+       fname = Add2Ptr(e, sizeof(struct NTFS_DE));
+       if (fname->type == FILE_NAME_DOS)
+-              return 0;
++              return true;
+       if (!mi_is_ref(&ni->mi, &fname->home))
+-              return 0;
++              return true;
+       ino = ino_get(&e->ref);
+       if (ino == MFT_REC_ROOT)
+-              return 0;
++              return true;
+       /* Skip meta files. Unless option to show metafiles is set. */
+       if (!sbi->options->showmeta && ntfs_is_meta_file(sbi, ino))
+-              return 0;
++              return true;
+       if (sbi->options->nohidden && (fname->dup.fa & FILE_ATTRIBUTE_HIDDEN))
+-              return 0;
++              return true;
+       name_len = ntfs_utf16_to_nls(sbi, fname->name, fname->name_len, name,
+                                    PATH_MAX);
+       if (name_len <= 0) {
+               ntfs_warn(sbi->sb, "failed to convert name for inode %lx.",
+                         ino);
+-              return 0;
++              return true;
+       }
+       /*
+@@ -336,17 +339,20 @@ static inline int ntfs_filldir(struct ntfs_sb_info *sbi, struct ntfs_inode *ni,
+               }
+       }
+-      return !dir_emit(ctx, (s8 *)name, name_len, ino, dt_type);
++      return dir_emit(ctx, (s8 *)name, name_len, ino, dt_type);
+ }
+ /*
+  * ntfs_read_hdr - Helper function for ntfs_readdir().
++ *
++ * returns 0 if ok.
++ * returns -EINVAL if directory is corrupted.
++ * returns +1 if 'ctx' is full.
+  */
+ static int ntfs_read_hdr(struct ntfs_sb_info *sbi, struct ntfs_inode *ni,
+                        const struct INDEX_HDR *hdr, u64 vbo, u64 pos,
+                        u8 *name, struct dir_context *ctx)
+ {
+-      int err;
+       const struct NTFS_DE *e;
+       u32 e_size;
+       u32 end = le32_to_cpu(hdr->used);
+@@ -354,12 +360,12 @@ static int ntfs_read_hdr(struct ntfs_sb_info *sbi, struct ntfs_inode *ni,
+       for (;; off += e_size) {
+               if (off + sizeof(struct NTFS_DE) > end)
+-                      return -1;
++                      return -EINVAL;
+               e = Add2Ptr(hdr, off);
+               e_size = le16_to_cpu(e->size);
+               if (e_size < sizeof(struct NTFS_DE) || off + e_size > end)
+-                      return -1;
++                      return -EINVAL;
+               if (de_is_last(e))
+                       return 0;
+@@ -369,14 +375,15 @@ static int ntfs_read_hdr(struct ntfs_sb_info *sbi, struct ntfs_inode *ni,
+                       continue;
+               if (le16_to_cpu(e->key_size) < SIZEOF_ATTRIBUTE_FILENAME)
+-                      return -1;
++                      return -EINVAL;
+               ctx->pos = vbo + off;
+               /* Submit the name to the filldir callback. */
+-              err = ntfs_filldir(sbi, ni, e, name, ctx);
+-              if (err)
+-                      return err;
++              if (!ntfs_dir_emit(sbi, ni, e, name, ctx)) {
++                      /* ctx is full. */
++                      return +1;
++              }
+       }
+ }
+@@ -475,8 +482,6 @@ static int ntfs_readdir(struct file *file, struct dir_context *ctx)
+               vbo = (u64)bit << index_bits;
+               if (vbo >= i_size) {
+-                      ntfs_inode_err(dir, "Looks like your dir is corrupt");
+-                      ctx->pos = eod;
+                       err = -EINVAL;
+                       goto out;
+               }
+@@ -499,9 +504,16 @@ static int ntfs_readdir(struct file *file, struct dir_context *ctx)
+       __putname(name);
+       put_indx_node(node);
+-      if (err == -ENOENT) {
++      if (err == 1) {
++              /* 'ctx' is full. */
++              err = 0;
++      } else if (err == -ENOENT) {
+               err = 0;
+               ctx->pos = pos;
++      } else if (err < 0) {
++              if (err == -EINVAL)
++                      ntfs_inode_err(dir, "directory corrupted");
++              ctx->pos = eod;
+       }
+       return err;
+-- 
+2.43.0
+
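Review bot: The commit message says the filesystem is marked dirty when a corrupted directory is detected, but the ntfs_readdir hunk only logs `ntfs_inode_err(dir, "directory corrupted")` and moves `ctx->pos` to `eod`; unless that helper sets the dirty state itself (not visible here), either the call that does so is missing or the description overstates the change. Separately, the new header comment on ntfs_dir_emit reads `returns false if 'ctx' if full`; it should read `/* Returns false if 'ctx' is full. */`. The `+1` sentinel from ntfs_read_hdr is only safe if no other helper feeding `err` in ntfs_readdir returns a positive value; ntfs_readdir's body starts outside the hunk, so that cannot be confirmed from here.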
diff --git a/queue-5.15/gro-remove-rcu_read_lock-rcu_read_unlock-from-gro_co.patch b/queue-5.15/gro-remove-rcu_read_lock-rcu_read_unlock-from-gro_co.patch
new file mode 100644 (file)
index 0000000..4703f6e
--- /dev/null
@@ -0,0 +1,225 @@
+From 986d3f32f44f8556dec475b2962986897f5a4fd1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Nov 2021 14:56:08 -0800
+Subject: gro: remove rcu_read_lock/rcu_read_unlock from gro_complete handlers
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 627b94f75b82d13d1530b59155a545fd99d807db ]
+
+All gro_complete() handlers are called from napi_gro_complete()
+while rcu_read_lock() has been called.
+
+There is no point stacking more rcu_read_lock()
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 7e4196935069 ("fou: Fix null-ptr-deref in GRO.")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/geneve.c   |  3 ---
+ net/8021q/vlan_core.c  |  2 --
+ net/ethernet/eth.c     |  2 --
+ net/ipv4/af_inet.c     |  7 ++-----
+ net/ipv4/fou.c         | 13 ++++---------
+ net/ipv4/gre_offload.c |  3 ---
+ net/ipv4/udp_offload.c |  2 --
+ net/ipv6/ip6_offload.c |  8 ++------
+ 8 files changed, 8 insertions(+), 32 deletions(-)
+
+diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
+index eb5b7c66db93..1bff01f8b16d 100644
+--- a/drivers/net/geneve.c
++++ b/drivers/net/geneve.c
+@@ -558,13 +558,10 @@ static int geneve_gro_complete(struct sock *sk, struct sk_buff *skb,
+       gh_len = geneve_hlen(gh);
+       type = gh->proto_type;
+-      rcu_read_lock();
+       ptype = gro_find_complete_by_type(type);
+       if (ptype)
+               err = ptype->callbacks.gro_complete(skb, nhoff + gh_len);
+-      rcu_read_unlock();
+-
+       skb_set_inner_mac_header(skb, nhoff + gh_len);
+       return err;
+diff --git a/net/8021q/vlan_core.c b/net/8021q/vlan_core.c
+index 40bbe08c1aa4..29c326f98743 100644
+--- a/net/8021q/vlan_core.c
++++ b/net/8021q/vlan_core.c
+@@ -520,14 +520,12 @@ static int vlan_gro_complete(struct sk_buff *skb, int nhoff)
+       struct packet_offload *ptype;
+       int err = -ENOENT;
+-      rcu_read_lock();
+       ptype = gro_find_complete_by_type(type);
+       if (ptype)
+               err = INDIRECT_CALL_INET(ptype->callbacks.gro_complete,
+                                        ipv6_gro_complete, inet_gro_complete,
+                                        skb, nhoff + sizeof(*vhdr));
+-      rcu_read_unlock();
+       return err;
+ }
+diff --git a/net/ethernet/eth.c b/net/ethernet/eth.c
+index 72841efebcb1..ab2ef6250142 100644
+--- a/net/ethernet/eth.c
++++ b/net/ethernet/eth.c
+@@ -455,14 +455,12 @@ int eth_gro_complete(struct sk_buff *skb, int nhoff)
+       if (skb->encapsulation)
+               skb_set_inner_mac_header(skb, nhoff);
+-      rcu_read_lock();
+       ptype = gro_find_complete_by_type(type);
+       if (ptype != NULL)
+               err = INDIRECT_CALL_INET(ptype->callbacks.gro_complete,
+                                        ipv6_gro_complete, inet_gro_complete,
+                                        skb, nhoff + sizeof(*eh));
+-      rcu_read_unlock();
+       return err;
+ }
+ EXPORT_SYMBOL(eth_gro_complete);
+diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
+index c9156e7605db..b225e049daea 100644
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -1639,10 +1639,9 @@ int inet_gro_complete(struct sk_buff *skb, int nhoff)
+       csum_replace2(&iph->check, iph->tot_len, newlen);
+       iph->tot_len = newlen;
+-      rcu_read_lock();
+       ops = rcu_dereference(inet_offloads[proto]);
+       if (WARN_ON(!ops || !ops->callbacks.gro_complete))
+-              goto out_unlock;
++              goto out;
+       /* Only need to add sizeof(*iph) to get to the next hdr below
+        * because any hdr with option will have been flushed in
+@@ -1652,9 +1651,7 @@ int inet_gro_complete(struct sk_buff *skb, int nhoff)
+                             tcp4_gro_complete, udp4_gro_complete,
+                             skb, nhoff + sizeof(*iph));
+-out_unlock:
+-      rcu_read_unlock();
+-
++out:
+       return err;
+ }
+diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c
+index 5aacc75e495c..605d9673d6ec 100644
+--- a/net/ipv4/fou.c
++++ b/net/ipv4/fou.c
+@@ -265,19 +265,16 @@ static int fou_gro_complete(struct sock *sk, struct sk_buff *skb,
+       const struct net_offload *ops;
+       int err = -ENOSYS;
+-      rcu_read_lock();
+       offloads = NAPI_GRO_CB(skb)->is_ipv6 ? inet6_offloads : inet_offloads;
+       ops = rcu_dereference(offloads[proto]);
+       if (WARN_ON(!ops || !ops->callbacks.gro_complete))
+-              goto out_unlock;
++              goto out;
+       err = ops->callbacks.gro_complete(skb, nhoff);
+       skb_set_inner_mac_header(skb, nhoff);
+-out_unlock:
+-      rcu_read_unlock();
+-
++out:
+       return err;
+ }
+@@ -479,18 +476,16 @@ static int gue_gro_complete(struct sock *sk, struct sk_buff *skb, int nhoff)
+               return err;
+       }
+-      rcu_read_lock();
+       offloads = NAPI_GRO_CB(skb)->is_ipv6 ? inet6_offloads : inet_offloads;
+       ops = rcu_dereference(offloads[proto]);
+       if (WARN_ON(!ops || !ops->callbacks.gro_complete))
+-              goto out_unlock;
++              goto out;
+       err = ops->callbacks.gro_complete(skb, nhoff + guehlen);
+       skb_set_inner_mac_header(skb, nhoff + guehlen);
+-out_unlock:
+-      rcu_read_unlock();
++out:
+       return err;
+ }
+diff --git a/net/ipv4/gre_offload.c b/net/ipv4/gre_offload.c
+index c12b4b2fc638..9a18fd1d5648 100644
+--- a/net/ipv4/gre_offload.c
++++ b/net/ipv4/gre_offload.c
+@@ -252,13 +252,10 @@ static int gre_gro_complete(struct sk_buff *skb, int nhoff)
+       if (greh->flags & GRE_CSUM)
+               grehlen += GRE_HEADER_SECTION;
+-      rcu_read_lock();
+       ptype = gro_find_complete_by_type(type);
+       if (ptype)
+               err = ptype->callbacks.gro_complete(skb, nhoff + grehlen);
+-      rcu_read_unlock();
+-
+       skb_set_inner_mac_header(skb, nhoff + grehlen);
+       return err;
+diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c
+index 0406097e7c29..feb40325f8d7 100644
+--- a/net/ipv4/udp_offload.c
++++ b/net/ipv4/udp_offload.c
+@@ -657,7 +657,6 @@ int udp_gro_complete(struct sk_buff *skb, int nhoff,
+       uh->len = newlen;
+-      rcu_read_lock();
+       sk = INDIRECT_CALL_INET(lookup, udp6_lib_lookup_skb,
+                               udp4_lib_lookup_skb, skb, uh->source, uh->dest);
+       if (sk && udp_sk(sk)->gro_complete) {
+@@ -678,7 +677,6 @@ int udp_gro_complete(struct sk_buff *skb, int nhoff,
+       } else {
+               err = udp_gro_complete_segment(skb);
+       }
+-      rcu_read_unlock();
+       if (skb->remcsum_offload)
+               skb_shinfo(skb)->gso_type |= SKB_GSO_TUNNEL_REMCSUM;
+diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c
+index 46587894c8c9..30c56143d79b 100644
+--- a/net/ipv6/ip6_offload.c
++++ b/net/ipv6/ip6_offload.c
+@@ -329,18 +329,14 @@ INDIRECT_CALLABLE_SCOPE int ipv6_gro_complete(struct sk_buff *skb, int nhoff)
+       iph->payload_len = htons(skb->len - nhoff - sizeof(*iph));
+-      rcu_read_lock();
+-
+       nhoff += sizeof(*iph) + ipv6_exthdrs_len(iph, &ops);
+       if (WARN_ON(!ops || !ops->callbacks.gro_complete))
+-              goto out_unlock;
++              goto out;
+       err = INDIRECT_CALL_L4(ops->callbacks.gro_complete, tcp6_gro_complete,
+                              udp6_gro_complete, skb, nhoff);
+-out_unlock:
+-      rcu_read_unlock();
+-
++out:
+       return err;
+ }
+-- 
+2.43.0
+
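Review bot: In the udp_gro_complete hunk the socket returned by `udp4_lib_lookup_skb`/`udp6_lib_lookup_skb` is unreferenced and, with the local `rcu_read_lock()` gone, is kept alive only by the RCU read-side section the caller is assumed to hold; the same assumption now silently underpins every `rcu_dereference()` in the inet_gro_complete, fou/gue_gro_complete and ipv6_gro_complete hunks, and likewise the sibling gro_receive patch further down this page. Lockdep-enabled builds should flag a caller that violates it through `rcu_dereference()`, but nothing in the handlers records the contract, which matters for a stable backport where the 5.15 call sites have to be checked independently of upstream. A one-line comment at the top of each handler, e.g. `/* Called from napi_gro_complete() under rcu_read_lock(). */`, would document the assumption for the next backport.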
diff --git a/queue-5.15/gro-remove-rcu_read_lock-rcu_read_unlock-from-gro_re.patch b/queue-5.15/gro-remove-rcu_read_lock-rcu_read_unlock-from-gro_re.patch
new file mode 100644 (file)
index 0000000..c297568
--- /dev/null
@@ -0,0 +1,297 @@
+From 72c2e80fcb8204e477e5fd9adb00bf367d8073ff Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Nov 2021 14:56:07 -0800
+Subject: gro: remove rcu_read_lock/rcu_read_unlock from gro_receive handlers
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit fc1ca3348a74a1afaa7ffebc2b2f2cc149e11278 ]
+
+All gro_receive() handlers are called from dev_gro_receive()
+while rcu_read_lock() has been called.
+
+There is no point stacking more rcu_read_lock()
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: 7e4196935069 ("fou: Fix null-ptr-deref in GRO.")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/geneve.c   |  5 +----
+ net/8021q/vlan_core.c  |  5 +----
+ net/ethernet/eth.c     |  5 +----
+ net/ipv4/af_inet.c     | 12 ++++--------
+ net/ipv4/fou.c         | 12 +++---------
+ net/ipv4/gre_offload.c |  9 +++------
+ net/ipv4/udp_offload.c |  2 --
+ net/ipv6/ip6_offload.c |  6 +-----
+ net/ipv6/udp_offload.c |  2 --
+ 9 files changed, 14 insertions(+), 44 deletions(-)
+
+diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
+index 0e4ea3c0fe82..eb5b7c66db93 100644
+--- a/drivers/net/geneve.c
++++ b/drivers/net/geneve.c
+@@ -530,18 +530,15 @@ static struct sk_buff *geneve_gro_receive(struct sock *sk,
+       type = gh->proto_type;
+-      rcu_read_lock();
+       ptype = gro_find_receive_by_type(type);
+       if (!ptype)
+-              goto out_unlock;
++              goto out;
+       skb_gro_pull(skb, gh_len);
+       skb_gro_postpull_rcsum(skb, gh, gh_len);
+       pp = call_gro_receive(ptype->callbacks.gro_receive, head, skb);
+       flush = 0;
+-out_unlock:
+-      rcu_read_unlock();
+ out:
+       skb_gro_flush_final(skb, pp, flush);
+diff --git a/net/8021q/vlan_core.c b/net/8021q/vlan_core.c
+index 8710d5d7d3c1..40bbe08c1aa4 100644
+--- a/net/8021q/vlan_core.c
++++ b/net/8021q/vlan_core.c
+@@ -483,10 +483,9 @@ static struct sk_buff *vlan_gro_receive(struct list_head *head,
+       type = vhdr->h_vlan_encapsulated_proto;
+-      rcu_read_lock();
+       ptype = gro_find_receive_by_type(type);
+       if (!ptype)
+-              goto out_unlock;
++              goto out;
+       flush = 0;
+@@ -508,8 +507,6 @@ static struct sk_buff *vlan_gro_receive(struct list_head *head,
+                                           ipv6_gro_receive, inet_gro_receive,
+                                           head, skb);
+-out_unlock:
+-      rcu_read_unlock();
+ out:
+       skb_gro_flush_final(skb, pp, flush);
+diff --git a/net/ethernet/eth.c b/net/ethernet/eth.c
+index 9ad4a15232af..72841efebcb1 100644
+--- a/net/ethernet/eth.c
++++ b/net/ethernet/eth.c
+@@ -425,11 +425,10 @@ struct sk_buff *eth_gro_receive(struct list_head *head, struct sk_buff *skb)
+       type = eh->h_proto;
+-      rcu_read_lock();
+       ptype = gro_find_receive_by_type(type);
+       if (ptype == NULL) {
+               flush = 1;
+-              goto out_unlock;
++              goto out;
+       }
+       skb_gro_pull(skb, sizeof(*eh));
+@@ -439,8 +438,6 @@ struct sk_buff *eth_gro_receive(struct list_head *head, struct sk_buff *skb)
+                                           ipv6_gro_receive, inet_gro_receive,
+                                           head, skb);
+-out_unlock:
+-      rcu_read_unlock();
+ out:
+       skb_gro_flush_final(skb, pp, flush);
+diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
+index 20cdd0efb95b..c9156e7605db 100644
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -1477,19 +1477,18 @@ struct sk_buff *inet_gro_receive(struct list_head *head, struct sk_buff *skb)
+       proto = iph->protocol;
+-      rcu_read_lock();
+       ops = rcu_dereference(inet_offloads[proto]);
+       if (!ops || !ops->callbacks.gro_receive)
+-              goto out_unlock;
++              goto out;
+       if (*(u8 *)iph != 0x45)
+-              goto out_unlock;
++              goto out;
+       if (ip_is_fragment(iph))
+-              goto out_unlock;
++              goto out;
+       if (unlikely(ip_fast_csum((u8 *)iph, 5)))
+-              goto out_unlock;
++              goto out;
+       id = ntohl(*(__be32 *)&iph->id);
+       flush = (u16)((ntohl(*(__be32 *)iph) ^ skb_gro_len(skb)) | (id & ~IP_DF));
+@@ -1566,9 +1565,6 @@ struct sk_buff *inet_gro_receive(struct list_head *head, struct sk_buff *skb)
+       pp = indirect_call_gro_receive(tcp4_gro_receive, udp4_gro_receive,
+                                      ops->callbacks.gro_receive, head, skb);
+-out_unlock:
+-      rcu_read_unlock();
+-
+ out:
+       skb_gro_flush_final(skb, pp, flush);
+diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c
+index 8fcbc6258ec5..5aacc75e495c 100644
+--- a/net/ipv4/fou.c
++++ b/net/ipv4/fou.c
+@@ -246,17 +246,14 @@ static struct sk_buff *fou_gro_receive(struct sock *sk,
+       /* Flag this frame as already having an outer encap header */
+       NAPI_GRO_CB(skb)->is_fou = 1;
+-      rcu_read_lock();
+       offloads = NAPI_GRO_CB(skb)->is_ipv6 ? inet6_offloads : inet_offloads;
+       ops = rcu_dereference(offloads[proto]);
+       if (!ops || !ops->callbacks.gro_receive)
+-              goto out_unlock;
++              goto out;
+       pp = call_gro_receive(ops->callbacks.gro_receive, head, skb);
+-out_unlock:
+-      rcu_read_unlock();
+-
++out:
+       return pp;
+ }
+@@ -438,17 +435,14 @@ static struct sk_buff *gue_gro_receive(struct sock *sk,
+       /* Flag this frame as already having an outer encap header */
+       NAPI_GRO_CB(skb)->is_fou = 1;
+-      rcu_read_lock();
+       offloads = NAPI_GRO_CB(skb)->is_ipv6 ? inet6_offloads : inet_offloads;
+       ops = rcu_dereference(offloads[proto]);
+       if (WARN_ON_ONCE(!ops || !ops->callbacks.gro_receive))
+-              goto out_unlock;
++              goto out;
+       pp = call_gro_receive(ops->callbacks.gro_receive, head, skb);
+       flush = 0;
+-out_unlock:
+-      rcu_read_unlock();
+ out:
+       skb_gro_flush_final_remcsum(skb, pp, flush, &grc);
+diff --git a/net/ipv4/gre_offload.c b/net/ipv4/gre_offload.c
+index 1121a9d5fed9..c12b4b2fc638 100644
+--- a/net/ipv4/gre_offload.c
++++ b/net/ipv4/gre_offload.c
+@@ -162,10 +162,9 @@ static struct sk_buff *gre_gro_receive(struct list_head *head,
+       type = greh->protocol;
+-      rcu_read_lock();
+       ptype = gro_find_receive_by_type(type);
+       if (!ptype)
+-              goto out_unlock;
++              goto out;
+       grehlen = GRE_HEADER_SECTION;
+@@ -179,13 +178,13 @@ static struct sk_buff *gre_gro_receive(struct list_head *head,
+       if (skb_gro_header_hard(skb, hlen)) {
+               greh = skb_gro_header_slow(skb, hlen, off);
+               if (unlikely(!greh))
+-                      goto out_unlock;
++                      goto out;
+       }
+       /* Don't bother verifying checksum if we're going to flush anyway. */
+       if ((greh->flags & GRE_CSUM) && !NAPI_GRO_CB(skb)->flush) {
+               if (skb_gro_checksum_simple_validate(skb))
+-                      goto out_unlock;
++                      goto out;
+               skb_gro_checksum_try_convert(skb, IPPROTO_GRE,
+                                            null_compute_pseudo);
+@@ -229,8 +228,6 @@ static struct sk_buff *gre_gro_receive(struct list_head *head,
+       pp = call_gro_receive(ptype->callbacks.gro_receive, head, skb);
+       flush = 0;
+-out_unlock:
+-      rcu_read_unlock();
+ out:
+       skb_gro_flush_final(skb, pp, flush);
+diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c
+index c61268849948..0406097e7c29 100644
+--- a/net/ipv4/udp_offload.c
++++ b/net/ipv4/udp_offload.c
+@@ -618,13 +618,11 @@ struct sk_buff *udp4_gro_receive(struct list_head *head, struct sk_buff *skb)
+                                            inet_gro_compute_pseudo);
+ skip:
+       NAPI_GRO_CB(skb)->is_ipv6 = 0;
+-      rcu_read_lock();
+       if (static_branch_unlikely(&udp_encap_needed_key))
+               sk = udp4_gro_lookup_skb(skb, uh->source, uh->dest);
+       pp = udp_gro_receive(head, skb, uh, sk);
+-      rcu_read_unlock();
+       return pp;
+ flush:
+diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c
+index 172565d12570..46587894c8c9 100644
+--- a/net/ipv6/ip6_offload.c
++++ b/net/ipv6/ip6_offload.c
+@@ -210,7 +210,6 @@ INDIRECT_CALLABLE_SCOPE struct sk_buff *ipv6_gro_receive(struct list_head *head,
+       flush += ntohs(iph->payload_len) != skb_gro_len(skb);
+-      rcu_read_lock();
+       proto = iph->nexthdr;
+       ops = rcu_dereference(inet6_offloads[proto]);
+       if (!ops || !ops->callbacks.gro_receive) {
+@@ -223,7 +222,7 @@ INDIRECT_CALLABLE_SCOPE struct sk_buff *ipv6_gro_receive(struct list_head *head,
+               ops = rcu_dereference(inet6_offloads[proto]);
+               if (!ops || !ops->callbacks.gro_receive)
+-                      goto out_unlock;
++                      goto out;
+               iph = ipv6_hdr(skb);
+       }
+@@ -281,9 +280,6 @@ INDIRECT_CALLABLE_SCOPE struct sk_buff *ipv6_gro_receive(struct list_head *head,
+       pp = indirect_call_gro_receive_l4(tcp6_gro_receive, udp6_gro_receive,
+                                        ops->callbacks.gro_receive, head, skb);
+-out_unlock:
+-      rcu_read_unlock();
+-
+ out:
+       skb_gro_flush_final(skb, pp, flush);
+diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c
+index 28f63c01a595..f93195fcc059 100644
+--- a/net/ipv6/udp_offload.c
++++ b/net/ipv6/udp_offload.c
+@@ -144,13 +144,11 @@ struct sk_buff *udp6_gro_receive(struct list_head *head, struct sk_buff *skb)
+ skip:
+       NAPI_GRO_CB(skb)->is_ipv6 = 1;
+-      rcu_read_lock();
+       if (static_branch_unlikely(&udpv6_encap_needed_key))
+               sk = udp6_gro_lookup_skb(skb, uh->source, uh->dest);
+       pp = udp_gro_receive(head, skb, uh, sk);
+-      rcu_read_unlock();
+       return pp;
+ flush:
+-- 
+2.43.0
+
diff --git a/queue-5.15/hid-amd_sfh-free-driver_data-after-destroying-hid-de.patch b/queue-5.15/hid-amd_sfh-free-driver_data-after-destroying-hid-de.patch
new file mode 100644 (file)
index 0000000..7d57546
--- /dev/null
@@ -0,0 +1,311 @@
+From bf41ef90dd2b29c7bf8af8647c8498cbd5008bad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jul 2024 10:44:35 +0200
+Subject: HID: amd_sfh: free driver_data after destroying hid device
+
+From: Olivier Sobrie <olivier@sobrie.be>
+
+[ Upstream commit 97155021ae17b86985121b33cf8098bcde00d497 ]
+
+HID driver callbacks aren't called anymore once hid_destroy_device() has
+been called. Hence, hid driver_data should be freed only after the
+hid_destroy_device() function returned as driver_data is used in several
+callbacks.
+
+I observed a crash with kernel 6.10.0 on my T14s Gen 3, after enabling
+KASAN to debug memory allocation, I got this output:
+
+  [   13.050438] ==================================================================
+  [   13.054060] BUG: KASAN: slab-use-after-free in amd_sfh_get_report+0x3ec/0x530 [amd_sfh]
+  [   13.054809] psmouse serio1: trackpoint: Synaptics TrackPoint firmware: 0x02, buttons: 3/3
+  [   13.056432] Read of size 8 at addr ffff88813152f408 by task (udev-worker)/479
+
+  [   13.060970] CPU: 5 PID: 479 Comm: (udev-worker) Not tainted 6.10.0-arch1-2 #1 893bb55d7f0073f25c46adbb49eb3785fefd74b0
+  [   13.063978] Hardware name: LENOVO 21CQCTO1WW/21CQCTO1WW, BIOS R22ET70W (1.40 ) 03/21/2024
+  [   13.067860] Call Trace:
+  [   13.069383] input: TPPS/2 Synaptics TrackPoint as /devices/platform/i8042/serio1/input/input8
+  [   13.071486]  <TASK>
+  [   13.071492]  dump_stack_lvl+0x5d/0x80
+  [   13.074870] snd_hda_intel 0000:33:00.6: enabling device (0000 -> 0002)
+  [   13.078296]  ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
+  [   13.082199]  print_report+0x174/0x505
+  [   13.085776]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
+  [   13.089367]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.093255]  ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
+  [   13.097464]  kasan_report+0xc8/0x150
+  [   13.101461]  ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
+  [   13.105802]  amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
+  [   13.110303]  amdtp_hid_request+0xb8/0x110 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
+  [   13.114879]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.119450]  sensor_hub_get_feature+0x1d3/0x540 [hid_sensor_hub 3f13be3016ff415bea03008d45d99da837ee3082]
+  [   13.124097]  hid_sensor_parse_common_attributes+0x4d0/0xad0 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5]
+  [   13.127404]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.131925]  ? __pfx_hid_sensor_parse_common_attributes+0x10/0x10 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5]
+  [   13.136455]  ? _raw_spin_lock_irqsave+0x96/0xf0
+  [   13.140197]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
+  [   13.143602]  ? devm_iio_device_alloc+0x34/0x50 [industrialio 3d261d5e5765625d2b052be40e526d62b1d2123b]
+  [   13.147234]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.150446]  ? __devm_add_action+0x167/0x1d0
+  [   13.155061]  hid_gyro_3d_probe+0x120/0x7f0 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172]
+  [   13.158581]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.161814]  platform_probe+0xa2/0x150
+  [   13.165029]  really_probe+0x1e3/0x8a0
+  [   13.168243]  __driver_probe_device+0x18c/0x370
+  [   13.171500]  driver_probe_device+0x4a/0x120
+  [   13.175000]  __driver_attach+0x190/0x4a0
+  [   13.178521]  ? __pfx___driver_attach+0x10/0x10
+  [   13.181771]  bus_for_each_dev+0x106/0x180
+  [   13.185033]  ? __pfx__raw_spin_lock+0x10/0x10
+  [   13.188229]  ? __pfx_bus_for_each_dev+0x10/0x10
+  [   13.191446]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.194382]  bus_add_driver+0x29e/0x4d0
+  [   13.197328]  driver_register+0x1a5/0x360
+  [   13.200283]  ? __pfx_hid_gyro_3d_platform_driver_init+0x10/0x10 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172]
+  [   13.203362]  do_one_initcall+0xa7/0x380
+  [   13.206432]  ? __pfx_do_one_initcall+0x10/0x10
+  [   13.210175]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.213211]  ? kasan_unpoison+0x44/0x70
+  [   13.216688]  do_init_module+0x238/0x750
+  [   13.219696]  load_module+0x5011/0x6af0
+  [   13.223096]  ? kasan_save_stack+0x30/0x50
+  [   13.226743]  ? kasan_save_track+0x14/0x30
+  [   13.230080]  ? kasan_save_free_info+0x3b/0x60
+  [   13.233323]  ? poison_slab_object+0x109/0x180
+  [   13.236778]  ? __pfx_load_module+0x10/0x10
+  [   13.239703]  ? poison_slab_object+0x109/0x180
+  [   13.243070]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.245924]  ? init_module_from_file+0x13d/0x150
+  [   13.248745]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.251503]  ? init_module_from_file+0xdf/0x150
+  [   13.254198]  init_module_from_file+0xdf/0x150
+  [   13.256826]  ? __pfx_init_module_from_file+0x10/0x10
+  [   13.259428]  ? kasan_save_track+0x14/0x30
+  [   13.261959]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.264471]  ? kasan_save_free_info+0x3b/0x60
+  [   13.267026]  ? poison_slab_object+0x109/0x180
+  [   13.269494]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.271949]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.274324]  ? _raw_spin_lock+0x85/0xe0
+  [   13.276671]  ? __pfx__raw_spin_lock+0x10/0x10
+  [   13.278963]  ? __rseq_handle_notify_resume+0x1a6/0xad0
+  [   13.281193]  idempotent_init_module+0x23b/0x650
+  [   13.283420]  ? __pfx_idempotent_init_module+0x10/0x10
+  [   13.285619]  ? __pfx___seccomp_filter+0x10/0x10
+  [   13.287714]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.289828]  ? __fget_light+0x57/0x420
+  [   13.291870]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.293880]  ? security_capable+0x74/0xb0
+  [   13.295820]  __x64_sys_finit_module+0xbe/0x130
+  [   13.297874]  do_syscall_64+0x82/0x190
+  [   13.299898]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.301905]  ? irqtime_account_irq+0x3d/0x1f0
+  [   13.303877]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.305753]  ? __irq_exit_rcu+0x4e/0x130
+  [   13.307577]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.309489]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
+  [   13.311371] RIP: 0033:0x7a21f96ade9d
+  [   13.313234] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 63 de 0c 00 f7 d8 64 89 01 48
+  [   13.317051] RSP: 002b:00007ffeae934e78 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+  [   13.319024] RAX: ffffffffffffffda RBX: 00005987276bfcf0 RCX: 00007a21f96ade9d
+  [   13.321100] RDX: 0000000000000004 RSI: 00007a21f8eda376 RDI: 000000000000001c
+  [   13.323314] RBP: 00007a21f8eda376 R08: 0000000000000001 R09: 00007ffeae934ec0
+  [   13.325505] R10: 0000000000000050 R11: 0000000000000246 R12: 0000000000020000
+  [   13.327637] R13: 00005987276c1250 R14: 0000000000000000 R15: 00005987276c4530
+  [   13.329737]  </TASK>
+
+  [   13.333945] Allocated by task 139:
+  [   13.336111]  kasan_save_stack+0x30/0x50
+  [   13.336121]  kasan_save_track+0x14/0x30
+  [   13.336125]  __kasan_kmalloc+0xaa/0xb0
+  [   13.336129]  amdtp_hid_probe+0xb1/0x440 [amd_sfh]
+  [   13.336138]  amd_sfh_hid_client_init+0xb8a/0x10f0 [amd_sfh]
+  [   13.336144]  sfh_init_work+0x47/0x120 [amd_sfh]
+  [   13.336150]  process_one_work+0x673/0xeb0
+  [   13.336155]  worker_thread+0x795/0x1250
+  [   13.336160]  kthread+0x290/0x350
+  [   13.336164]  ret_from_fork+0x34/0x70
+  [   13.336169]  ret_from_fork_asm+0x1a/0x30
+
+  [   13.338175] Freed by task 139:
+  [   13.340064]  kasan_save_stack+0x30/0x50
+  [   13.340072]  kasan_save_track+0x14/0x30
+  [   13.340076]  kasan_save_free_info+0x3b/0x60
+  [   13.340081]  poison_slab_object+0x109/0x180
+  [   13.340085]  __kasan_slab_free+0x32/0x50
+  [   13.340089]  kfree+0xe5/0x310
+  [   13.340094]  amdtp_hid_remove+0xb2/0x160 [amd_sfh]
+  [   13.340102]  amd_sfh_hid_client_deinit+0x324/0x640 [amd_sfh]
+  [   13.340107]  amd_sfh_hid_client_init+0x94a/0x10f0 [amd_sfh]
+  [   13.340113]  sfh_init_work+0x47/0x120 [amd_sfh]
+  [   13.340118]  process_one_work+0x673/0xeb0
+  [   13.340123]  worker_thread+0x795/0x1250
+  [   13.340127]  kthread+0x290/0x350
+  [   13.340132]  ret_from_fork+0x34/0x70
+  [   13.340136]  ret_from_fork_asm+0x1a/0x30
+
+  [   13.342482] The buggy address belongs to the object at ffff88813152f400
+                  which belongs to the cache kmalloc-64 of size 64
+  [   13.347357] The buggy address is located 8 bytes inside of
+                  freed 64-byte region [ffff88813152f400, ffff88813152f440)
+
+  [   13.347367] The buggy address belongs to the physical page:
+  [   13.355409] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x13152f
+  [   13.355416] anon flags: 0x2ffff8000000000(node=0|zone=2|lastcpupid=0x1ffff)
+  [   13.355423] page_type: 0xffffefff(slab)
+  [   13.355429] raw: 02ffff8000000000 ffff8881000428c0 ffffea0004c43a00 0000000000000005
+  [   13.355435] raw: 0000000000000000 0000000000200020 00000001ffffefff 0000000000000000
+  [   13.355439] page dumped because: kasan: bad access detected
+
+  [   13.357295] Memory state around the buggy address:
+  [   13.357299]  ffff88813152f300: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+  [   13.357303]  ffff88813152f380: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+  [   13.357306] >ffff88813152f400: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+  [   13.357309]                       ^
+  [   13.357311]  ffff88813152f480: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
+  [   13.357315]  ffff88813152f500: 00 00 00 00 00 00 00 06 fc fc fc fc fc fc fc fc
+  [   13.357318] ==================================================================
+  [   13.357405] Disabling lock debugging due to kernel taint
+  [   13.383534] Oops: general protection fault, probably for non-canonical address 0xe0a1bc4140000013: 0000 [#1] PREEMPT SMP KASAN NOPTI
+  [   13.383544] KASAN: maybe wild-memory-access in range [0x050e020a00000098-0x050e020a0000009f]
+  [   13.383551] CPU: 3 PID: 479 Comm: (udev-worker) Tainted: G    B              6.10.0-arch1-2 #1 893bb55d7f0073f25c46adbb49eb3785fefd74b0
+  [   13.383561] Hardware name: LENOVO 21CQCTO1WW/21CQCTO1WW, BIOS R22ET70W (1.40 ) 03/21/2024
+  [   13.383565] RIP: 0010:amd_sfh_get_report+0x81/0x530 [amd_sfh]
+  [   13.383580] Code: 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 78 03 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 63 08 49 8d 7c 24 10 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 1a 03 00 00 45 8b 74 24 10 45
+  [   13.383585] RSP: 0018:ffff8881261f7388 EFLAGS: 00010212
+  [   13.383592] RAX: dffffc0000000000 RBX: ffff88813152f400 RCX: 0000000000000002
+  [   13.383597] RDX: 00a1c04140000013 RSI: 0000000000000008 RDI: 050e020a0000009b
+  [   13.383600] RBP: ffff88814d010000 R08: 0000000000000002 R09: fffffbfff3ddb8c0
+  [   13.383604] R10: ffffffff9eedc607 R11: ffff88810ce98000 R12: 050e020a0000008b
+  [   13.383607] R13: ffff88814d010000 R14: dffffc0000000000 R15: 0000000000000004
+  [   13.383611] FS:  00007a21f94d0880(0000) GS:ffff8887e7d80000(0000) knlGS:0000000000000000
+  [   13.383615] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+  [   13.383618] CR2: 00007e0014c438f0 CR3: 000000012614c000 CR4: 0000000000f50ef0
+  [   13.383622] PKRU: 55555554
+  [   13.383625] Call Trace:
+  [   13.383629]  <TASK>
+  [   13.383632]  ? __die_body.cold+0x19/0x27
+  [   13.383644]  ? die_addr+0x46/0x70
+  [   13.383652]  ? exc_general_protection+0x150/0x240
+  [   13.383664]  ? asm_exc_general_protection+0x26/0x30
+  [   13.383674]  ? amd_sfh_get_report+0x81/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
+  [   13.383686]  ? amd_sfh_get_report+0x3ec/0x530 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
+  [   13.383697]  amdtp_hid_request+0xb8/0x110 [amd_sfh 05f43221435b5205f734cd9da29399130f398a38]
+  [   13.383706]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.383713]  sensor_hub_get_feature+0x1d3/0x540 [hid_sensor_hub 3f13be3016ff415bea03008d45d99da837ee3082]
+  [   13.383727]  hid_sensor_parse_common_attributes+0x4d0/0xad0 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5]
+  [   13.383739]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.383745]  ? __pfx_hid_sensor_parse_common_attributes+0x10/0x10 [hid_sensor_iio_common c3a5cbe93969c28b122609768bbe23efe52eb8f5]
+  [   13.383753]  ? _raw_spin_lock_irqsave+0x96/0xf0
+  [   13.383762]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
+  [   13.383768]  ? devm_iio_device_alloc+0x34/0x50 [industrialio 3d261d5e5765625d2b052be40e526d62b1d2123b]
+  [   13.383790]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.383795]  ? __devm_add_action+0x167/0x1d0
+  [   13.383806]  hid_gyro_3d_probe+0x120/0x7f0 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172]
+  [   13.383818]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.383826]  platform_probe+0xa2/0x150
+  [   13.383832]  really_probe+0x1e3/0x8a0
+  [   13.383838]  __driver_probe_device+0x18c/0x370
+  [   13.383844]  driver_probe_device+0x4a/0x120
+  [   13.383851]  __driver_attach+0x190/0x4a0
+  [   13.383857]  ? __pfx___driver_attach+0x10/0x10
+  [   13.383863]  bus_for_each_dev+0x106/0x180
+  [   13.383868]  ? __pfx__raw_spin_lock+0x10/0x10
+  [   13.383874]  ? __pfx_bus_for_each_dev+0x10/0x10
+  [   13.383880]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.383887]  bus_add_driver+0x29e/0x4d0
+  [   13.383895]  driver_register+0x1a5/0x360
+  [   13.383902]  ? __pfx_hid_gyro_3d_platform_driver_init+0x10/0x10 [hid_sensor_gyro_3d 63da36a143b775846ab2dbb86c343b401b5e3172]
+  [   13.383910]  do_one_initcall+0xa7/0x380
+  [   13.383919]  ? __pfx_do_one_initcall+0x10/0x10
+  [   13.383927]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.383933]  ? kasan_unpoison+0x44/0x70
+  [   13.383943]  do_init_module+0x238/0x750
+  [   13.383955]  load_module+0x5011/0x6af0
+  [   13.383962]  ? kasan_save_stack+0x30/0x50
+  [   13.383968]  ? kasan_save_track+0x14/0x30
+  [   13.383973]  ? kasan_save_free_info+0x3b/0x60
+  [   13.383980]  ? poison_slab_object+0x109/0x180
+  [   13.383993]  ? __pfx_load_module+0x10/0x10
+  [   13.384007]  ? poison_slab_object+0x109/0x180
+  [   13.384012]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.384018]  ? init_module_from_file+0x13d/0x150
+  [   13.384025]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.384032]  ? init_module_from_file+0xdf/0x150
+  [   13.384037]  init_module_from_file+0xdf/0x150
+  [   13.384044]  ? __pfx_init_module_from_file+0x10/0x10
+  [   13.384050]  ? kasan_save_track+0x14/0x30
+  [   13.384055]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.384060]  ? kasan_save_free_info+0x3b/0x60
+  [   13.384066]  ? poison_slab_object+0x109/0x180
+  [   13.384071]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.384080]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.384085]  ? _raw_spin_lock+0x85/0xe0
+  [   13.384091]  ? __pfx__raw_spin_lock+0x10/0x10
+  [   13.384096]  ? __rseq_handle_notify_resume+0x1a6/0xad0
+  [   13.384106]  idempotent_init_module+0x23b/0x650
+  [   13.384114]  ? __pfx_idempotent_init_module+0x10/0x10
+  [   13.384120]  ? __pfx___seccomp_filter+0x10/0x10
+  [   13.384129]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.384135]  ? __fget_light+0x57/0x420
+  [   13.384142]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.384147]  ? security_capable+0x74/0xb0
+  [   13.384157]  __x64_sys_finit_module+0xbe/0x130
+  [   13.384164]  do_syscall_64+0x82/0x190
+  [   13.384174]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.384179]  ? irqtime_account_irq+0x3d/0x1f0
+  [   13.384188]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.384193]  ? __irq_exit_rcu+0x4e/0x130
+  [   13.384201]  ? srso_alias_return_thunk+0x5/0xfbef5
+  [   13.384206]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
+  [   13.384212] RIP: 0033:0x7a21f96ade9d
+  [   13.384263] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 63 de 0c 00 f7 d8 64 89 01 48
+  [   13.384267] RSP: 002b:00007ffeae934e78 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
+  [   13.384273] RAX: ffffffffffffffda RBX: 00005987276bfcf0 RCX: 00007a21f96ade9d
+  [   13.384277] RDX: 0000000000000004 RSI: 00007a21f8eda376 RDI: 000000000000001c
+  [   13.384280] RBP: 00007a21f8eda376 R08: 0000000000000001 R09: 00007ffeae934ec0
+  [   13.384284] R10: 0000000000000050 R11: 0000000000000246 R12: 0000000000020000
+  [   13.384288] R13: 00005987276c1250 R14: 0000000000000000 R15: 00005987276c4530
+  [   13.384297]  </TASK>
+  [   13.384299] Modules linked in: soundwire_amd(+) hid_sensor_gyro_3d(+) hid_sensor_magn_3d hid_sensor_accel_3d soundwire_generic_allocation amdxcp hid_sensor_trigger drm_exec industrialio_triggered_buffer soundwire_bus gpu_sched kvm_amd kfifo_buf qmi_helpers joydev drm_buddy hid_sensor_iio_common mousedev snd_soc_core industrialio i2c_algo_bit mac80211 snd_compress drm_suballoc_helper kvm snd_hda_intel drm_ttm_helper ac97_bus snd_pcm_dmaengine snd_intel_dspcfg ttm thinkpad_acpi(+) snd_intel_sdw_acpi hid_sensor_hub snd_rpl_pci_acp6x drm_display_helper snd_hda_codec hid_multitouch libarc4 snd_acp_pci platform_profile think_lmi(+) hid_generic firmware_attributes_class wmi_bmof cec snd_acp_legacy_common sparse_keymap rapl snd_hda_core psmouse cfg80211 pcspkr snd_pci_acp6x snd_hwdep video snd_pcm snd_pci_acp5x snd_timer snd_rn_pci_acp3x ucsi_acpi snd_acp_config snd sp5100_tco rfkill snd_soc_acpi typec_ucsi thunderbolt amd_sfh k10temp mhi soundcore i2c_piix4 snd_pci_acp3x typec i2c_hid_acpi roles i2c_hid wmi acpi_tad amd_pmc
+  [   13.384454]  mac_hid i2c_dev crypto_user loop nfnetlink zram ip_tables x_tables dm_crypt cbc encrypted_keys trusted asn1_encoder tee dm_mod crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic gf128mul ghash_clmulni_intel serio_raw sha512_ssse3 atkbd sha256_ssse3 libps2 sha1_ssse3 vivaldi_fmap nvme aesni_intel crypto_simd nvme_core cryptd ccp xhci_pci i8042 nvme_auth xhci_pci_renesas serio vfat fat btrfs blake2b_generic libcrc32c crc32c_generic crc32c_intel xor raid6_pq
+  [   13.384552] ---[ end trace 0000000000000000 ]---
+
+KASAN reports a use-after-free of hid->driver_data in function
+amd_sfh_get_report(). The backtrace indicates that the function is called
+by amdtp_hid_request() which is one of the callbacks of hid device.
+The current make sure that driver_data is freed only once
+hid_destroy_device() returned.
+
+Note that I observed the crash both on v6.9.9 and v6.10.0. The
+code seems to be as it was from the early days of the driver.
+
+Signed-off-by: Olivier Sobrie <olivier@sobrie.be>
+Acked-by: Basavaraj Natikar <Basavaraj.Natikar@amd.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/amd-sfh-hid/amd_sfh_hid.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/amd-sfh-hid/amd_sfh_hid.c b/drivers/hid/amd-sfh-hid/amd_sfh_hid.c
+index 3b0615c6aecf..b47228207d98 100644
+--- a/drivers/hid/amd-sfh-hid/amd_sfh_hid.c
++++ b/drivers/hid/amd-sfh-hid/amd_sfh_hid.c
+@@ -164,11 +164,13 @@ int amdtp_hid_probe(u32 cur_hid_dev, struct amdtp_cl_data *cli_data)
+ void amdtp_hid_remove(struct amdtp_cl_data *cli_data)
+ {
+       int i;
++      struct amdtp_hid_data *hid_data;
+       for (i = 0; i < cli_data->num_hid_devices; ++i) {
+               if (cli_data->hid_sensor_hubs[i]) {
+-                      kfree(cli_data->hid_sensor_hubs[i]->driver_data);
++                      hid_data = cli_data->hid_sensor_hubs[i]->driver_data;
+                       hid_destroy_device(cli_data->hid_sensor_hubs[i]);
++                      kfree(hid_data);
+                       cli_data->hid_sensor_hubs[i] = NULL;
+               }
+       }
+-- 
+2.43.0
+
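Review bot: The new `struct amdtp_hid_data *hid_data;` declaration is followed directly by the `for` loop with no blank line between declarations and code, which checkpatch flags, and the pointer could instead be scoped to the block that uses it, `struct amdtp_hid_data *hid_data = cli_data->hid_sensor_hubs[i]->driver_data;` inside the `if`, so a stale value cannot leak across iterations. The reordering itself is right: HID callbacks such as amdtp_hid_request() keep dereferencing driver_data until hid_destroy_device() returns, which is the use-after-free KASAN reported, so the kfree() must come after the destroy. amdtp_hid_remove's body continues outside the hunk.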
diff --git a/queue-5.15/hid-cougar-fix-slab-out-of-bounds-read-in-cougar_rep.patch b/queue-5.15/hid-cougar-fix-slab-out-of-bounds-read-in-cougar_rep.patch
new file mode 100644 (file)
index 0000000..3747f55
--- /dev/null
@@ -0,0 +1,38 @@
+From 1f28d1b3ec108c57512c591661a99d7b33f8694b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Jul 2024 19:42:43 -0400
+Subject: HID: cougar: fix slab-out-of-bounds Read in cougar_report_fixup
+
+From: Camila Alvarez <cam.alvarez.i@gmail.com>
+
+[ Upstream commit a6e9c391d45b5865b61e569146304cff72821a5d ]
+
+report_fixup for the Cougar 500k Gaming Keyboard was not verifying
+that the report descriptor size was correct before accessing it
+
+Reported-by: syzbot+24c0361074799d02c452@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=24c0361074799d02c452
+Signed-off-by: Camila Alvarez <cam.alvarez.i@gmail.com>
+Reviewed-by: Silvan Jegen <s.jegen@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-cougar.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-cougar.c b/drivers/hid/hid-cougar.c
+index 28d671c5e0ca..d173b13ff198 100644
+--- a/drivers/hid/hid-cougar.c
++++ b/drivers/hid/hid-cougar.c
+@@ -106,7 +106,7 @@ static void cougar_fix_g6_mapping(void)
+ static __u8 *cougar_report_fixup(struct hid_device *hdev, __u8 *rdesc,
+                                unsigned int *rsize)
+ {
+-      if (rdesc[2] == 0x09 && rdesc[3] == 0x02 &&
++      if (*rsize >= 117 && rdesc[2] == 0x09 && rdesc[3] == 0x02 &&
+           (rdesc[115] | rdesc[116] << 8) >= HID_MAX_USAGES) {
+               hid_info(hdev,
+                       "usage count exceeds max: fixing up report descriptor\n");
+-- 
+2.43.0
+
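Review bot: The bound `117` in the new `*rsize >= 117` guard is a magic number tied to the `rdesc[115] | rdesc[116] << 8` read on the next line; a comment such as `/* usage count is at rdesc[115..116], so the descriptor must be at least 117 bytes */` (or a named constant) would keep the check and the indices from drifting apart. The guard is sufficient for the condition as written, since index 116 is the highest byte read there, but if the fixup body writes to other offsets those accesses need their own bound. cougar_report_fixup continues outside the hunk.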
diff --git a/queue-5.15/hwmon-adc128d818-fix-underflows-seen-when-writing-li.patch b/queue-5.15/hwmon-adc128d818-fix-underflows-seen-when-writing-li.patch
new file mode 100644 (file)
index 0000000..84b48ef
--- /dev/null
@@ -0,0 +1,44 @@
+From 4d97da17cf3abab491aeef9465c8217966cbfc99 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Jul 2024 23:43:04 -0700
+Subject: hwmon: (adc128d818) Fix underflows seen when writing limit attributes
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 8cad724c8537fe3e0da8004646abc00290adae40 ]
+
+DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large
+negative number such as -9223372036854775808 is provided by the user.
+Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/adc128d818.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/adc128d818.c b/drivers/hwmon/adc128d818.c
+index fd938c70293f..739cd48228d4 100644
+--- a/drivers/hwmon/adc128d818.c
++++ b/drivers/hwmon/adc128d818.c
+@@ -176,7 +176,7 @@ static ssize_t adc128_in_store(struct device *dev,
+       mutex_lock(&data->update_lock);
+       /* 10 mV LSB on limit registers */
+-      regval = clamp_val(DIV_ROUND_CLOSEST(val, 10), 0, 255);
++      regval = DIV_ROUND_CLOSEST(clamp_val(val, 0, 2550), 10);
+       data->in[index][nr] = regval << 4;
+       reg = index == 1 ? ADC128_REG_IN_MIN(nr) : ADC128_REG_IN_MAX(nr);
+       i2c_smbus_write_byte_data(data->client, reg, regval);
+@@ -214,7 +214,7 @@ static ssize_t adc128_temp_store(struct device *dev,
+               return err;
+       mutex_lock(&data->update_lock);
+-      regval = clamp_val(DIV_ROUND_CLOSEST(val, 1000), -128, 127);
++      regval = DIV_ROUND_CLOSEST(clamp_val(val, -128000, 127000), 1000);
+       data->temp[index] = regval << 1;
+       i2c_smbus_write_byte_data(data->client,
+                                 index == 1 ? ADC128_REG_TEMP_MAX
+-- 
+2.43.0
+
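Review bot: The new clamp bounds `2550` in adc128_in_store and `-128000`/`127000` in adc128_temp_store are the old register limits pre-multiplied by the divisor, and nothing in the code states that relationship; a comment such as `/* clamp to the register range before rounding so DIV_ROUND_CLOSEST() cannot underflow on LONG_MIN */` on each would make the invariant explicit. The same pattern, with the same unstated `limit * divisor` literals, appears in the lm95234, nct6775 and w83627ehf patches in this series. With clamp_val() now running first, a user-supplied value near LONG_MIN can no longer underflow inside DIV_ROUND_CLOSEST(), and the resulting ranges (0..255 and -128..127) match the old ones. Both store functions continue outside the hunk.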
diff --git a/queue-5.15/hwmon-lm95234-fix-underflows-seen-when-writing-limit.patch b/queue-5.15/hwmon-lm95234-fix-underflows-seen-when-writing-limit.patch
new file mode 100644 (file)
index 0000000..f8d1167
--- /dev/null
@@ -0,0 +1,63 @@
+From 8857eb2dd85ab5f2c1e4103727eab07ee3966101 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Jul 2024 23:48:42 -0700
+Subject: hwmon: (lm95234) Fix underflows seen when writing limit attributes
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit af64e3e1537896337405f880c1e9ac1f8c0c6198 ]
+
+DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large
+negative number such as -9223372036854775808 is provided by the user.
+Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/lm95234.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/hwmon/lm95234.c b/drivers/hwmon/lm95234.c
+index ac169a994ae0..db2aecdfbd17 100644
+--- a/drivers/hwmon/lm95234.c
++++ b/drivers/hwmon/lm95234.c
+@@ -301,7 +301,8 @@ static ssize_t tcrit2_store(struct device *dev, struct device_attribute *attr,
+       if (ret < 0)
+               return ret;
+-      val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, index ? 255 : 127);
++      val = DIV_ROUND_CLOSEST(clamp_val(val, 0, (index ? 255 : 127) * 1000),
++                              1000);
+       mutex_lock(&data->update_lock);
+       data->tcrit2[index] = val;
+@@ -350,7 +351,7 @@ static ssize_t tcrit1_store(struct device *dev, struct device_attribute *attr,
+       if (ret < 0)
+               return ret;
+-      val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, 255);
++      val = DIV_ROUND_CLOSEST(clamp_val(val, 0, 255000), 1000);
+       mutex_lock(&data->update_lock);
+       data->tcrit1[index] = val;
+@@ -391,7 +392,7 @@ static ssize_t tcrit1_hyst_store(struct device *dev,
+       if (ret < 0)
+               return ret;
+-      val = DIV_ROUND_CLOSEST(val, 1000);
++      val = DIV_ROUND_CLOSEST(clamp_val(val, -255000, 255000), 1000);
+       val = clamp_val((int)data->tcrit1[index] - val, 0, 31);
+       mutex_lock(&data->update_lock);
+@@ -431,7 +432,7 @@ static ssize_t offset_store(struct device *dev, struct device_attribute *attr,
+               return ret;
+       /* Accuracy is 1/2 degrees C */
+-      val = clamp_val(DIV_ROUND_CLOSEST(val, 500), -128, 127);
++      val = DIV_ROUND_CLOSEST(clamp_val(val, -64000, 63500), 500);
+       mutex_lock(&data->update_lock);
+       data->toffset[index] = val;
+-- 
+2.43.0
+
diff --git a/queue-5.15/hwmon-nct6775-core-fix-underflows-seen-when-writing-.patch b/queue-5.15/hwmon-nct6775-core-fix-underflows-seen-when-writing-.patch
new file mode 100644 (file)
index 0000000..39b3644
--- /dev/null
@@ -0,0 +1,36 @@
+From ca22051a9e4e895f2f5a97a5cbb0a0714fa58fee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Jul 2024 23:50:08 -0700
+Subject: hwmon: (nct6775-core) Fix underflows seen when writing limit
+ attributes
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 0403e10bf0824bf0ec2bb135d4cf1c0cc3bf4bf0 ]
+
+DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large
+negative number such as -9223372036854775808 is provided by the user.
+Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/nct6775.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/nct6775.c b/drivers/hwmon/nct6775.c
+index 5bd15622a85f..3645a19cdaf4 100644
+--- a/drivers/hwmon/nct6775.c
++++ b/drivers/hwmon/nct6775.c
+@@ -2374,7 +2374,7 @@ store_temp_offset(struct device *dev, struct device_attribute *attr,
+       if (err < 0)
+               return err;
+-      val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), -128, 127);
++      val = DIV_ROUND_CLOSEST(clamp_val(val, -128000, 127000), 1000);
+       mutex_lock(&data->update_lock);
+       data->temp_offset[nr] = val;
+-- 
+2.43.0
+
diff --git a/queue-5.15/hwmon-w83627ehf-fix-underflows-seen-when-writing-lim.patch b/queue-5.15/hwmon-w83627ehf-fix-underflows-seen-when-writing-lim.patch
new file mode 100644 (file)
index 0000000..3b6c1b9
--- /dev/null
@@ -0,0 +1,44 @@
+From 226b72a015a09561146824653dfe231926db282c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 6 Jul 2024 23:51:34 -0700
+Subject: hwmon: (w83627ehf) Fix underflows seen when writing limit attributes
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+[ Upstream commit 5c1de37969b7bc0abcb20b86e91e70caebbd4f89 ]
+
+DIV_ROUND_CLOSEST() after kstrtol() results in an underflow if a large
+negative number such as -9223372036854775808 is provided by the user.
+Fix it by reordering clamp_val() and DIV_ROUND_CLOSEST() operations.
+
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/w83627ehf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hwmon/w83627ehf.c b/drivers/hwmon/w83627ehf.c
+index 705a59663d42..b6bae04d656e 100644
+--- a/drivers/hwmon/w83627ehf.c
++++ b/drivers/hwmon/w83627ehf.c
+@@ -895,7 +895,7 @@ store_target_temp(struct device *dev, struct device_attribute *attr,
+       if (err < 0)
+               return err;
+-      val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, 127);
++      val = DIV_ROUND_CLOSEST(clamp_val(val, 0, 127000), 1000);
+       mutex_lock(&data->update_lock);
+       data->target_temp[nr] = val;
+@@ -920,7 +920,7 @@ store_tolerance(struct device *dev, struct device_attribute *attr,
+               return err;
+       /* Limit the temp to 0C - 15C */
+-      val = clamp_val(DIV_ROUND_CLOSEST(val, 1000), 0, 15);
++      val = DIV_ROUND_CLOSEST(clamp_val(val, 0, 15000), 1000);
+       mutex_lock(&data->update_lock);
+       reg = w83627ehf_read_value(data, W83627EHF_REG_TOLERANCE[nr]);
+-- 
+2.43.0
+
diff --git a/queue-5.15/i3c-mipi-i3c-hci-error-out-instead-on-bug_on-in-ibi-.patch b/queue-5.15/i3c-mipi-i3c-hci-error-out-instead-on-bug_on-in-ibi-.patch
new file mode 100644 (file)
index 0000000..44c78a6
--- /dev/null
@@ -0,0 +1,40 @@
+From 62e788e9d1757aa454db55cbc36575e8a55f280d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Jun 2024 16:15:58 +0300
+Subject: i3c: mipi-i3c-hci: Error out instead on BUG_ON() in IBI DMA setup
+
+From: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+
+[ Upstream commit 8a2be2f1db268ec735419e53ef04ca039fc027dc ]
+
+Definitely condition dma_get_cache_alignment * defined value > 256
+during driver initialization is not reason to BUG_ON(). Turn that to
+graceful error out with -EINVAL.
+
+Signed-off-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Link: https://lore.kernel.org/r/20240628131559.502822-3-jarkko.nikula@linux.intel.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i3c/master/mipi-i3c-hci/dma.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/i3c/master/mipi-i3c-hci/dma.c b/drivers/i3c/master/mipi-i3c-hci/dma.c
+index 5e3f0ee1cfd0..b9b6be186438 100644
+--- a/drivers/i3c/master/mipi-i3c-hci/dma.c
++++ b/drivers/i3c/master/mipi-i3c-hci/dma.c
+@@ -291,7 +291,10 @@ static int hci_dma_init(struct i3c_hci *hci)
+               rh->ibi_chunk_sz = dma_get_cache_alignment();
+               rh->ibi_chunk_sz *= IBI_CHUNK_CACHELINES;
+-              BUG_ON(rh->ibi_chunk_sz > 256);
++              if (rh->ibi_chunk_sz > 256) {
++                      ret = -EINVAL;
++                      goto err_out;
++              }
+               ibi_status_ring_sz = rh->ibi_status_sz * rh->ibi_status_entries;
+               ibi_data_ring_sz = rh->ibi_chunk_sz * rh->ibi_chunks_total;
+-- 
+2.43.0
+
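Review bot: The new `-EINVAL` path jumps to `err_out` without logging why hci_dma_init() failed, so an oversized cache line appears to become a silent probe failure where it used to be a loud BUG(); a `dev_err(<hci device placeholder>, "IBI chunk size %u exceeds 256\n", rh->ibi_chunk_sz);` before the `goto` would make it diagnosable from dmesg. Whether `err_out` also releases state set up by earlier iterations, if this sits inside a per-ring loop, cannot be seen from the hunk since the label and `ret` are outside it, so please confirm the unwinding covers this new exit. The `256` limit was already a bare literal in the BUG_ON() and stays one here; a named constant would document what bounds the IBI chunk size.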
diff --git a/queue-5.15/ice-check-ice_vsi_down-under-rtnl_lock-when-preparin.patch b/queue-5.15/ice-check-ice_vsi_down-under-rtnl_lock-when-preparin.patch
new file mode 100644 (file)
index 0000000..d92bfaf
--- /dev/null
@@ -0,0 +1,76 @@
+From a05b25c275d94d9723e32d7607ee1cd957205765 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Aug 2024 11:59:29 +0200
+Subject: ice: check ICE_VSI_DOWN under rtnl_lock when preparing for reset
+
+From: Larysa Zaremba <larysa.zaremba@intel.com>
+
+[ Upstream commit d8c40b9d3a6cef61eb5a0c58c34a3090ea938d89 ]
+
+Consider the following scenario:
+
+.ndo_bpf()             | ice_prepare_for_reset()               |
+________________________|_______________________________________|
+rtnl_lock()            |                                       |
+ice_down()             |                                       |
+                       | test_bit(ICE_VSI_DOWN) - true         |
+                       | ice_dis_vsi() returns                 |
+ice_up()               |                                       |
+                       | proceeds to rebuild a running VSI     |
+
+.ndo_bpf() is not the only rtnl-locked callback that toggles the interface
+to apply new configuration. Another example is .set_channels().
+
+To avoid the race condition above, act only after reading ICE_VSI_DOWN
+under rtnl_lock.
+
+Fixes: 0f9d5027a749 ("ice: Refactor VSI allocation, deletion and rebuild flow")
+Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Tested-by: Chandan Kumar Rout <chandanx.rout@intel.com>
+Signed-off-by: Larysa Zaremba <larysa.zaremba@intel.com>
+Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/ice/ice_lib.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c
+index 8c0ee9a8ff86..8a00864ead7c 100644
+--- a/drivers/net/ethernet/intel/ice/ice_lib.c
++++ b/drivers/net/ethernet/intel/ice/ice_lib.c
+@@ -2751,8 +2751,7 @@ int ice_ena_vsi(struct ice_vsi *vsi, bool locked)
+  */
+ void ice_dis_vsi(struct ice_vsi *vsi, bool locked)
+ {
+-      if (test_bit(ICE_VSI_DOWN, vsi->state))
+-              return;
++      bool already_down = test_bit(ICE_VSI_DOWN, vsi->state);
+       set_bit(ICE_VSI_NEEDS_RESTART, vsi->state);
+@@ -2760,15 +2759,16 @@ void ice_dis_vsi(struct ice_vsi *vsi, bool locked)
+               if (netif_running(vsi->netdev)) {
+                       if (!locked)
+                               rtnl_lock();
+-
+-                      ice_vsi_close(vsi);
++                      already_down = test_bit(ICE_VSI_DOWN, vsi->state);
++                      if (!already_down)
++                              ice_vsi_close(vsi);
+                       if (!locked)
+                               rtnl_unlock();
+-              } else {
++              } else if (!already_down) {
+                       ice_vsi_close(vsi);
+               }
+-      } else if (vsi->type == ICE_VSI_CTRL) {
++      } else if (vsi->type == ICE_VSI_CTRL && !already_down) {
+               ice_vsi_close(vsi);
+       }
+ }
+-- 
+2.43.0
+
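Review bot: The second `already_down = test_bit(ICE_VSI_DOWN, vsi->state);` taken after `rtnl_lock()` has no comment, and nothing in the code says why the value read at the top of ice_dis_vsi() is not trusted on this path. The reasoning — an rtnl-locked callback such as .ndo_bpf() may have brought the VSI down and up again between the two reads — lives only in the commit message; a comment such as `/* Re-read under rtnl_lock: an rtnl-locked callback may have toggled the VSI since the unlocked read above */` would keep it with the code. The `else if (!already_down)` and `ICE_VSI_CTRL && !already_down` branches still rely on the unlocked read, which is presumably acceptable because no rtnl-locked toggle applies there, but that assumption is worth stating in the same comment.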
diff --git a/queue-5.15/igb-fix-not-clearing-timesync-interrupts-for-82580.patch b/queue-5.15/igb-fix-not-clearing-timesync-interrupts-for-82580.patch
new file mode 100644 (file)
index 0000000..bbfeb20
--- /dev/null
@@ -0,0 +1,70 @@
+From 2997ab56ab7f1a9ffd89dfc3267ed59190f4ccfc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Aug 2024 21:55:53 -0700
+Subject: igb: Fix not clearing TimeSync interrupts for 82580
+
+From: Daiwei Li <daiweili@google.com>
+
+[ Upstream commit ba8cf80724dbc09825b52498e4efacb563935408 ]
+
+82580 NICs have a hardware bug that makes it
+necessary to write into the TSICR (TimeSync Interrupt Cause) register
+to clear it:
+https://lore.kernel.org/all/CDCB8BE0.1EC2C%25matthew.vick@intel.com/
+
+Add a conditional so only for 82580 we write into the TSICR register,
+so we don't risk losing events for other models.
+
+Without this change, when running ptp4l with an Intel 82580 card,
+I get the following output:
+
+> timed out while polling for tx timestamp increasing tx_timestamp_timeout or
+> increasing kworker priority may correct this issue, but a driver bug likely
+> causes it
+
+This goes away with this change.
+
+This (partially) reverts commit ee14cc9ea19b ("igb: Fix missing time sync events").
+
+Fixes: ee14cc9ea19b ("igb: Fix missing time sync events")
+Closes: https://lore.kernel.org/intel-wired-lan/CAN0jFd1kO0MMtOh8N2Ztxn6f7vvDKp2h507sMryobkBKe=xk=w@mail.gmail.com/
+Tested-by: Daiwei Li <daiweili@google.com>
+Suggested-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Signed-off-by: Daiwei Li <daiweili@google.com>
+Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Reviewed-by: Kurt Kanzenbach <kurt@linutronix.de>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 03a4da6a1447..420bc34fb8c1 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -6799,10 +6799,20 @@ static void igb_extts(struct igb_adapter *adapter, int tsintr_tt)
+ static void igb_tsync_interrupt(struct igb_adapter *adapter)
+ {
++      const u32 mask = (TSINTR_SYS_WRAP | E1000_TSICR_TXTS |
++                        TSINTR_TT0 | TSINTR_TT1 |
++                        TSINTR_AUTT0 | TSINTR_AUTT1);
+       struct e1000_hw *hw = &adapter->hw;
+       u32 tsicr = rd32(E1000_TSICR);
+       struct ptp_clock_event event;
++      if (hw->mac.type == e1000_82580) {
++              /* 82580 has a hardware bug that requires an explicit
++               * write to clear the TimeSync interrupt cause.
++               */
++              wr32(E1000_TSICR, tsicr & mask);
++      }
++
+       if (tsicr & TSINTR_SYS_WRAP) {
+               event.type = PTP_CLOCK_PPS;
+               if (adapter->ptp_caps.pps)
+-- 
+2.43.0
+
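Review bot: The `mask` at the top of igb_tsync_interrupt() enumerates the same causes the function handles below (`TSINTR_SYS_WRAP`, `E1000_TSICR_TXTS`, the TT and AUTT bits), but nothing ties the two together, so a future handler for another TSICR bit would silently leave that cause uncleared on 82580. A comment on the declaration such as `/* Causes handled below; only these are acknowledged on 82580 */` would make the coupling explicit. Writing back `tsicr & mask` rather than `tsicr` appears intended to avoid acknowledging events this function does not consume, which is worth adding to the existing 82580 comment. The function continues outside the hunk.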
diff --git a/queue-5.15/igc-unlock-on-error-in-igc_io_resume.patch b/queue-5.15/igc-unlock-on-error-in-igc_io_resume.patch
new file mode 100644 (file)
index 0000000..84440cd
--- /dev/null
@@ -0,0 +1,35 @@
+From 5d12d588b4fbd0908d6ca73d37bd46cb5ca3b41a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 22:22:45 +0300
+Subject: igc: Unlock on error in igc_io_resume()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit ef4a99a0164e3972abb421cbb1b09ea6c61414df ]
+
+Call rtnl_unlock() on this error path, before returning.
+
+Fixes: bc23aa949aeb ("igc: Add pcie error handler support")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Gerhard Engleder <gerhard@engleder-embedded.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igc/igc_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
+index 7605115e6a1b..27c24bfc2dbe 100644
+--- a/drivers/net/ethernet/intel/igc/igc_main.c
++++ b/drivers/net/ethernet/intel/igc/igc_main.c
+@@ -7057,6 +7057,7 @@ static void igc_io_resume(struct pci_dev *pdev)
+       rtnl_lock();
+       if (netif_running(netdev)) {
+               if (igc_open(netdev)) {
++                      rtnl_unlock();
+                       netdev_err(netdev, "igc_open failed after reset\n");
+                       return;
+               }
+-- 
+2.43.0
+
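Review bot: The added `rtnl_unlock();` correctly balances the lock on the igc_open() failure path, but the failure is logged without the error code, which makes a post-reset open failure harder to diagnose from the log alone. Capturing the return value, `err = igc_open(netdev); if (err) { rtnl_unlock(); netdev_err(netdev, "igc_open failed after reset: %d\n", err); return; }`, costs nothing. igc_io_resume() starts and ends outside the hunk, so whether a suitable `err` local already exists is not visible here.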
diff --git a/queue-5.15/input-uinput-reject-requests-with-unreasonable-numbe.patch b/queue-5.15/input-uinput-reject-requests-with-unreasonable-numbe.patch
new file mode 100644 (file)
index 0000000..5e3c584
--- /dev/null
@@ -0,0 +1,59 @@
+From c37b8ca013a58b3afb07b280b2103d46a3332e50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Aug 2024 17:50:25 -0700
+Subject: Input: uinput - reject requests with unreasonable number of slots
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+[ Upstream commit 206f533a0a7c683982af473079c4111f4a0f9f5e ]
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+When exercising uinput interface syzkaller may try setting up device
+with a really large number of slots, which causes memory allocation
+failure in input_mt_init_slots(). While this allocation failure is
+handled properly and request is rejected, it results in syzkaller
+reports. Additionally, such request may put undue burden on the
+system which will try to free a lot of memory for a bogus request.
+
+Fix it by limiting allowed number of slots to 100. This can easily
+be extended if we see devices that can track more than 100 contacts.
+
+Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: syzbot <syzbot+0122fa359a69694395d5@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=0122fa359a69694395d5
+Link: https://lore.kernel.org/r/Zqgi7NYEbpRsJfa2@google.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/misc/uinput.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
+index f2593133e524..790db3ceb208 100644
+--- a/drivers/input/misc/uinput.c
++++ b/drivers/input/misc/uinput.c
+@@ -416,6 +416,20 @@ static int uinput_validate_absinfo(struct input_dev *dev, unsigned int code,
+               return -EINVAL;
+       }
++      /*
++       * Limit number of contacts to a reasonable value (100). This
++       * ensures that we need less than 2 pages for struct input_mt
++       * (we are not using in-kernel slot assignment so not going to
++       * allocate memory for the "red" table), and we should have no
++       * trouble getting this much memory.
++       */
++      if (code == ABS_MT_SLOT && max > 99) {
++              printk(KERN_DEBUG
++                     "%s: unreasonably large number of slots requested: %d\n",
++                     UINPUT_NAME, max);
++              return -EINVAL;
++      }
++
+       return 0;
+ }
+-- 
+2.43.0
+
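Review bot: The new rejection in uinput_validate_absinfo() logs a user-controlled request with an unratelimited `printk(KERN_DEBUG ...)`, and since the commit message says this path is reachable by a fuzzer, any process with access to the uinput device can flood the log by repeating the request. `printk_ratelimited(KERN_DEBUG ...)` keeps the diagnostic while bounding the output. The check `max > 99` also encodes the "100 slots" limit from the comment as the highest permitted slot index, which deserves a note such as `/* max is the highest slot index, so 99 allows 100 slots */` or a named constant for the limit. Whether negative `max` values are rejected earlier in the function is not visible in the hunk.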
diff --git a/queue-5.15/iommu-sun50i-clear-bypass-register.patch b/queue-5.15/iommu-sun50i-clear-bypass-register.patch
new file mode 100644 (file)
index 0000000..7dd2ed0
--- /dev/null
@@ -0,0 +1,43 @@
+From 936d131057466a1e8cfd14b6c38a2f3ef186b12a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 16 Jun 2024 23:40:52 +0100
+Subject: iommu: sun50i: clear bypass register
+
+From: Jernej Skrabec <jernej.skrabec@gmail.com>
+
+[ Upstream commit 927c70c93d929f4c2dcaf72f51b31bb7d118a51a ]
+
+The Allwinner H6 IOMMU has a bypass register, which allows to circumvent
+the page tables for each possible master. The reset value for this
+register is 0, which disables the bypass.
+The Allwinner H616 IOMMU resets this register to 0x7f, which activates
+the bypass for all masters, which is not what we want.
+
+Always clear this register to 0, to enforce the usage of page tables,
+and make this driver compatible with the H616 in this respect.
+
+Signed-off-by: Jernej Skrabec <jernej.skrabec@gmail.com>
+Signed-off-by: Andre Przywara <andre.przywara@arm.com>
+Reviewed-by: Chen-Yu Tsai <wens@csie.org>
+Link: https://lore.kernel.org/r/20240616224056.29159-2-andre.przywara@arm.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/sun50i-iommu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/iommu/sun50i-iommu.c b/drivers/iommu/sun50i-iommu.c
+index ed3574195599..8593c79cfaeb 100644
+--- a/drivers/iommu/sun50i-iommu.c
++++ b/drivers/iommu/sun50i-iommu.c
+@@ -379,6 +379,7 @@ static int sun50i_iommu_enable(struct sun50i_iommu *iommu)
+                   IOMMU_TLB_PREFETCH_MASTER_ENABLE(3) |
+                   IOMMU_TLB_PREFETCH_MASTER_ENABLE(4) |
+                   IOMMU_TLB_PREFETCH_MASTER_ENABLE(5));
++      iommu_write(iommu, IOMMU_BYPASS_REG, 0);
+       iommu_write(iommu, IOMMU_INT_ENABLE_REG, IOMMU_INT_MASK);
+       iommu_write(iommu, IOMMU_DM_AUT_CTRL_REG(SUN50I_IOMMU_ACI_NONE),
+                   IOMMU_DM_AUT_CTRL_RD_UNAVAIL(SUN50I_IOMMU_ACI_NONE, 0) |
+-- 
+2.43.0
+
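Review bot: The added `iommu_write(iommu, IOMMU_BYPASS_REG, 0);` in sun50i_iommu_enable() has no comment, and the reason it is needed — on the H616 the register resets to 0x7f, bypassing translation for every master — exists only in the commit message. Because a non-zero value here defeats the IOMMU's isolation entirely, the write deserves an in-code note such as `/* H616 resets this to 0x7f (bypass all masters); force page-table translation. */`. The function starts and ends outside the hunk.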
diff --git a/queue-5.15/iommu-vt-d-handle-volatile-descriptor-status-read.patch b/queue-5.15/iommu-vt-d-handle-volatile-descriptor-status-read.patch
new file mode 100644 (file)
index 0000000..0e85127
--- /dev/null
@@ -0,0 +1,56 @@
+From 007613aaad8598e921c1ba71253625e4885324c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 2 Jul 2024 21:08:33 +0800
+Subject: iommu/vt-d: Handle volatile descriptor status read
+
+From: Jacob Pan <jacob.jun.pan@linux.intel.com>
+
+[ Upstream commit b5e86a95541cea737394a1da967df4cd4d8f7182 ]
+
+Queued invalidation wait descriptor status is volatile in that IOMMU
+hardware writes the data upon completion.
+
+Use READ_ONCE() to prevent compiler optimizations which ensures memory
+reads every time. As a side effect, READ_ONCE() also enforces strict
+types and may add an extra instruction. But it should not have negative
+performance impact since we use cpu_relax anyway and the extra time(by
+adding an instruction) may allow IOMMU HW request cacheline ownership
+easier.
+
+e.g. gcc 12.3
+BEFORE:
+       81 38 ad de 00 00       cmpl   $0x2,(%rax)
+
+AFTER (with READ_ONCE())
+    772f:       8b 00                   mov    (%rax),%eax
+    7731:       3d ad de 00 00          cmp    $0x2,%eax
+                                        //status data is 32 bit
+
+Signed-off-by: Jacob Pan <jacob.jun.pan@linux.intel.com>
+Reviewed-by: Kevin Tian <kevin.tian@intel.com>
+Reviewed-by: Yi Liu <yi.l.liu@intel.com>
+Link: https://lore.kernel.org/r/20240607173817.3914600-1-jacob.jun.pan@linux.intel.com
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Link: https://lore.kernel.org/r/20240702130839.108139-2-baolu.lu@linux.intel.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/intel/dmar.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iommu/intel/dmar.c b/drivers/iommu/intel/dmar.c
+index 0ad33d8d99d1..1134aa24d67f 100644
+--- a/drivers/iommu/intel/dmar.c
++++ b/drivers/iommu/intel/dmar.c
+@@ -1418,7 +1418,7 @@ int qi_submit_sync(struct intel_iommu *iommu, struct qi_desc *desc,
+        */
+       writel(qi->free_head << shift, iommu->reg + DMAR_IQT_REG);
+-      while (qi->desc_status[wait_index] != QI_DONE) {
++      while (READ_ONCE(qi->desc_status[wait_index]) != QI_DONE) {
+               /*
+                * We will leave the interrupts disabled, to prevent interrupt
+                * context to queue another cmd while a cmd is already submitted
+-- 
+2.43.0
+
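Review bot: The `READ_ONCE(qi->desc_status[wait_index])` in the qi_submit_sync() wait loop has no comment explaining what makes the location volatile, and the existing comment just below it is about interrupts. A one-liner such as `/* desc_status is written by the IOMMU on completion; force a fresh load each iteration */` would record the rationale from the commit message. READ_ONCE() only stops the load being hoisted out of the loop; if anything after the loop consumes data the hardware wrote before updating the status, that ordering has to come from elsewhere, which is not visible in this hunk. The function continues outside the hunk.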
diff --git a/queue-5.15/irqchip-armada-370-xp-do-not-allow-mapping-irq-0-and.patch b/queue-5.15/irqchip-armada-370-xp-do-not-allow-mapping-irq-0-and.patch
new file mode 100644 (file)
index 0000000..a14bd9f
--- /dev/null
@@ -0,0 +1,46 @@
+From f715d836efa6f2334667f6c6968c09e421ce5598 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Jun 2024 11:38:28 +0200
+Subject: irqchip/armada-370-xp: Do not allow mapping IRQ 0 and 1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+[ Upstream commit 3cef738208e5c3cb7084e208caf9bbf684f24feb ]
+
+IRQs 0 (IPI) and 1 (MSI) are handled internally by this driver,
+generic_handle_domain_irq() is never called for these IRQs.
+
+Disallow mapping these IRQs.
+
+[ Marek: changed commit message ]
+
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Marek Behún <kabel@kernel.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-armada-370-xp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/irqchip/irq-armada-370-xp.c b/drivers/irqchip/irq-armada-370-xp.c
+index 01709c61e364..3fa6bd70684b 100644
+--- a/drivers/irqchip/irq-armada-370-xp.c
++++ b/drivers/irqchip/irq-armada-370-xp.c
+@@ -546,6 +546,10 @@ static struct irq_chip armada_370_xp_irq_chip = {
+ static int armada_370_xp_mpic_irq_map(struct irq_domain *h,
+                                     unsigned int virq, irq_hw_number_t hw)
+ {
++      /* IRQs 0 and 1 cannot be mapped, they are handled internally */
++      if (hw <= 1)
++              return -EINVAL;
++
+       armada_370_xp_irq_mask(irq_get_irq_data(virq));
+       if (!is_percpu_irq(hw))
+               writel(hw, per_cpu_int_base +
+-- 
+2.43.0
+
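Review bot: The new guard `if (hw <= 1) return -EINVAL;` in armada_370_xp_mpic_irq_map() hard-codes the IPI and MSI hardware IRQ numbers, and the comment names them only as "IRQs 0 and 1". If the driver already has symbolic names for those two interrupts they should be used here so the guard stays correct if the numbering ever changes; otherwise the comment should at least say which is which, e.g. `/* hwirq 0 (IPI) and 1 (MSI) are handled internally and must not be mapped */`. The function continues outside the hunk.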
diff --git a/queue-5.15/irqchip-gic-v4-always-configure-affinity-on-vpe-acti.patch b/queue-5.15/irqchip-gic-v4-always-configure-affinity-on-vpe-acti.patch
new file mode 100644 (file)
index 0000000..d71821f
--- /dev/null
@@ -0,0 +1,83 @@
+From 4ab6b642d1181207b6203dac042c7ac818534f3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 5 Jul 2024 10:31:53 +0100
+Subject: irqchip/gic-v4: Always configure affinity on VPE activation
+
+From: Marc Zyngier <maz@kernel.org>
+
+[ Upstream commit 7d2c2048a86477461f7bc75d064579ed349472bc ]
+
+There are currently two paths to set the initial affinity of a VPE:
+
+ - at activation time on GICv4 without the stupid VMOVP list, and
+   on GICv4.1
+
+ - at map time for GICv4 with VMOVP list
+
+The latter location may end-up modifying the affinity of VPE that is
+currently running, making the results unpredictible.
+
+Instead, unify the two paths, making sure to set the initial affinity only
+at activation time.
+
+Reported-by: Nianyao Tang <tangnianyao@huawei.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Nianyao Tang <tangnianyao@huawei.com>
+Link: https://lore.kernel.org/r/20240705093155.871070-2-maz@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-gic-v3-its.c | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
+index 3fa6c7184326..b346753135e0 100644
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -1794,13 +1794,9 @@ static void its_map_vm(struct its_node *its, struct its_vm *vm)
+               for (i = 0; i < vm->nr_vpes; i++) {
+                       struct its_vpe *vpe = vm->vpes[i];
+-                      struct irq_data *d = irq_get_irq_data(vpe->irq);
+-                      /* Map the VPE to the first possible CPU */
+-                      vpe->col_idx = cpumask_first(cpu_online_mask);
+                       its_send_vmapp(its, vpe, true);
+                       its_send_vinvall(its, vpe);
+-                      irq_data_update_effective_affinity(d, cpumask_of(vpe->col_idx));
+               }
+       }
+@@ -4540,6 +4536,10 @@ static int its_vpe_irq_domain_activate(struct irq_domain *domain,
+       struct its_vpe *vpe = irq_data_get_irq_chip_data(d);
+       struct its_node *its;
++      /* Map the VPE to the first possible CPU */
++      vpe->col_idx = cpumask_first(cpu_online_mask);
++      irq_data_update_effective_affinity(d, cpumask_of(vpe->col_idx));
++
+       /*
+        * If we use the list map, we issue VMAPP on demand... Unless
+        * we're on a GICv4.1 and we eagerly map the VPE on all ITSs
+@@ -4548,9 +4548,6 @@ static int its_vpe_irq_domain_activate(struct irq_domain *domain,
+       if (!gic_requires_eager_mapping())
+               return 0;
+-      /* Map the VPE to the first possible CPU */
+-      vpe->col_idx = cpumask_first(cpu_online_mask);
+-
+       list_for_each_entry(its, &its_nodes, entry) {
+               if (!is_v4(its))
+                       continue;
+@@ -4559,8 +4556,6 @@ static int its_vpe_irq_domain_activate(struct irq_domain *domain,
+               its_send_vinvall(its, vpe);
+       }
+-      irq_data_update_effective_affinity(d, cpumask_of(vpe->col_idx));
+-
+       return 0;
+ }
+-- 
+2.43.0
+
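Review bot: The moved comment `/* Map the VPE to the first possible CPU */` at the top of its_vpe_irq_domain_activate() describes what the two lines do but not why they now live here rather than in its_map_vm(), which is the point of the change. A comment such as `/* Set the initial affinity at activation, before any VMAPP, so a running VPE is never retargeted */` would capture the rationale from the commit message. The affinity is now also set on the early `return 0` path when eager mapping is not required, which appears intentional but is worth stating in the same comment. The function continues outside the hunk.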
diff --git a/queue-5.15/kselftests-dmabuf-heaps-ensure-the-driver-name-is-nu.patch b/queue-5.15/kselftests-dmabuf-heaps-ensure-the-driver-name-is-nu.patch
new file mode 100644 (file)
index 0000000..0a234a5
--- /dev/null
@@ -0,0 +1,55 @@
+From 724efc5d1125f8c5232285f3ea0c5b3d2f2e65ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 10:46:04 +0800
+Subject: kselftests: dmabuf-heaps: Ensure the driver name is null-terminated
+
+From: Zenghui Yu <yuzenghui@huawei.com>
+
+[ Upstream commit 291e4baf70019f17a81b7b47aeb186b27d222159 ]
+
+Even if a vgem device is configured in, we will skip the import_vgem_fd()
+test almost every time.
+
+  TAP version 13
+  1..11
+  # Testing heap: system
+  # =======================================
+  # Testing allocation and importing:
+  ok 1 # SKIP Could not open vgem -1
+
+The problem is that we use the DRM_IOCTL_VERSION ioctl to query the driver
+version information but leave the name field a non-null-terminated string.
+Terminate it properly to actually test against the vgem device.
+
+While at it, let's check the length of the driver name is exactly 4 bytes
+and return early otherwise (in case there is a name like "vgemfoo" that
+gets converted to "vgem\0" unexpectedly).
+
+Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240729024604.2046-1-yuzenghui@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/dmabuf-heaps/dmabuf-heap.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/dmabuf-heaps/dmabuf-heap.c b/tools/testing/selftests/dmabuf-heaps/dmabuf-heap.c
+index 29af27acd40e..a0d3d2ed7a4a 100644
+--- a/tools/testing/selftests/dmabuf-heaps/dmabuf-heap.c
++++ b/tools/testing/selftests/dmabuf-heaps/dmabuf-heap.c
+@@ -29,9 +29,11 @@ static int check_vgem(int fd)
+       version.name = name;
+       ret = ioctl(fd, DRM_IOCTL_VERSION, &version);
+-      if (ret)
++      if (ret || version.name_len != 4)
+               return 0;
++      name[4] = '\0';
++
+       return !strcmp(name, "vgem");
+ }
+-- 
+2.43.0
+
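Review bot: `name[4] = '\0';` in check_vgem() relies on `name` having at least five bytes, but the declaration is outside the hunk, so the bound cannot be checked here and should be confirmed. Both the `version.name_len != 4` test and the index repeat the length of the literal compared on the next line; expressing them as `sizeof("vgem") - 1` ties the constants to the string they guard. check_vgem() starts outside the hunk.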
diff --git a/queue-5.15/leds-spi-byte-call-of_node_put-on-error-path.patch b/queue-5.15/leds-spi-byte-call-of_node_put-on-error-path.patch
new file mode 100644 (file)
index 0000000..49aeb75
--- /dev/null
@@ -0,0 +1,61 @@
+From a84221dcaf7f154a3bf0ea128d7dd847d9e5261e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Jun 2024 20:29:18 +0300
+Subject: leds: spi-byte: Call of_node_put() on error path
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 7f9ab862e05c5bc755f65bf6db7edcffb3b49dfc ]
+
+Add a missing call to of_node_put(np) on error.
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20240606173037.3091598-2-andriy.shevchenko@linux.intel.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/leds-spi-byte.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/leds/leds-spi-byte.c b/drivers/leds/leds-spi-byte.c
+index f1964c96fb15..82696e0607a5 100644
+--- a/drivers/leds/leds-spi-byte.c
++++ b/drivers/leds/leds-spi-byte.c
+@@ -91,7 +91,6 @@ static int spi_byte_probe(struct spi_device *spi)
+               dev_err(dev, "Device must have exactly one LED sub-node.");
+               return -EINVAL;
+       }
+-      child = of_get_next_available_child(dev_of_node(dev), NULL);
+       led = devm_kzalloc(dev, sizeof(*led), GFP_KERNEL);
+       if (!led)
+@@ -107,11 +106,13 @@ static int spi_byte_probe(struct spi_device *spi)
+       led->ldev.max_brightness = led->cdef->max_value - led->cdef->off_value;
+       led->ldev.brightness_set_blocking = spi_byte_brightness_set_blocking;
++      child = of_get_next_available_child(dev_of_node(dev), NULL);
+       state = of_get_property(child, "default-state", NULL);
+       if (state) {
+               if (!strcmp(state, "on")) {
+                       led->ldev.brightness = led->ldev.max_brightness;
+               } else if (strcmp(state, "off")) {
++                      of_node_put(child);
+                       /* all other cases except "off" */
+                       dev_err(dev, "default-state can only be 'on' or 'off'");
+                       return -EINVAL;
+@@ -122,9 +123,12 @@ static int spi_byte_probe(struct spi_device *spi)
+       ret = devm_led_classdev_register(&spi->dev, &led->ldev);
+       if (ret) {
++              of_node_put(child);
+               mutex_destroy(&led->mutex);
+               return ret;
+       }
++
++      of_node_put(child);
+       spi_set_drvdata(spi, led);
+       return 0;
+-- 
+2.43.0
+
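Review bot: After this change spi_byte_probe() calls `of_node_put(child)` on three separate paths, and every future early return between `of_get_next_available_child()` and the final put will need another one. Since `child` is only needed for the `of_get_property(child, "default-state", NULL)` lookup and the `state` checks that follow, releasing it once right after that block — before `devm_led_classdev_register()` — would leave a single put on the success path plus the one in the `default-state` error branch. Whether `state` is dereferenced after that block is not visible here; the function starts and ends outside the hunk.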
diff --git a/queue-5.15/lib-generic-radix-tree.c-fix-rare-race-in-__genradix.patch b/queue-5.15/lib-generic-radix-tree.c-fix-rare-race-in-__genradix.patch
new file mode 100644 (file)
index 0000000..2d68e30
--- /dev/null
@@ -0,0 +1,39 @@
+From 2653977dda8358827b4a4b23e75c008ad1e338c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 10 Aug 2024 21:04:35 -0400
+Subject: lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()
+
+From: Kent Overstreet <kent.overstreet@linux.dev>
+
+[ Upstream commit b2f11c6f3e1fc60742673b8675c95b78447f3dae ]
+
+If we need to increase the tree depth, allocate a new node, and then
+race with another thread that increased the tree depth before us, we'll
+still have a preallocated node that might be used later.
+
+If we then use that node for a new non-root node, it'll still have a
+pointer to the old root instead of being zeroed - fix this by zeroing it
+in the cmpxchg failure path.
+
+Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/generic-radix-tree.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/generic-radix-tree.c b/lib/generic-radix-tree.c
+index f25eb111c051..34d3ac52de89 100644
+--- a/lib/generic-radix-tree.c
++++ b/lib/generic-radix-tree.c
+@@ -131,6 +131,8 @@ void *__genradix_ptr_alloc(struct __genradix *radix, size_t offset,
+               if ((v = cmpxchg_release(&radix->root, r, new_root)) == r) {
+                       v = new_root;
+                       new_node = NULL;
++              } else {
++                      new_node->children[0] = NULL;
+               }
+       }
+-- 
+2.43.0
+
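Review bot: The new `new_node->children[0] = NULL;` in the cmpxchg_release() failure branch of __genradix_ptr_alloc() resets the node without a comment, and the reason — the node was pre-populated with a pointer to the old root before the cmpxchg and would otherwise be reused as a non-root node still carrying it — is only in the commit message. A comment such as `/* Lost the race: drop the stale root pointer so new_node can be reused as a fresh node */` would make that clear. Only `children[0]` is cleared, which presumably matches what was written before the cmpxchg outside the hunk; if more fields are set there they need the same treatment. The function starts and ends outside the hunk.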
diff --git a/queue-5.15/libbpf-add-null-checks-to-bpf_object__-prev_map-next.patch b/queue-5.15/libbpf-add-null-checks-to-bpf_object__-prev_map-next.patch
new file mode 100644 (file)
index 0000000..59ff813
--- /dev/null
@@ -0,0 +1,59 @@
+From 68968a9bf54b85bef6c527e6a557edbfd4b5df13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jul 2024 10:34:36 +0200
+Subject: libbpf: Add NULL checks to bpf_object__{prev_map,next_map}
+
+From: Andreas Ziegler <ziegler.andreas@siemens.com>
+
+[ Upstream commit cedc12c5b57f7efa6dbebfb2b140e8675f5a2616 ]
+
+In the current state, an erroneous call to
+bpf_object__find_map_by_name(NULL, ...) leads to a segmentation
+fault through the following call chain:
+
+  bpf_object__find_map_by_name(obj = NULL, ...)
+  -> bpf_object__for_each_map(pos, obj = NULL)
+  -> bpf_object__next_map((obj = NULL), NULL)
+  -> return (obj = NULL)->maps
+
+While calling bpf_object__find_map_by_name with obj = NULL is
+obviously incorrect, this should not lead to a segmentation
+fault but rather be handled gracefully.
+
+As __bpf_map__iter already handles this situation correctly, we
+can delegate the check for the regular case there and only add
+a check in case the prev or next parameter is NULL.
+
+Signed-off-by: Andreas Ziegler <ziegler.andreas@siemens.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20240703083436.505124-1-ziegler.andreas@siemens.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/libbpf.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
+index 0c201f07d8ae..d201a7356fad 100644
+--- a/tools/lib/bpf/libbpf.c
++++ b/tools/lib/bpf/libbpf.c
+@@ -8729,7 +8729,7 @@ __bpf_map__iter(const struct bpf_map *m, const struct bpf_object *obj, int i)
+ struct bpf_map *
+ bpf_map__next(const struct bpf_map *prev, const struct bpf_object *obj)
+ {
+-      if (prev == NULL)
++      if (prev == NULL && obj != NULL)
+               return obj->maps;
+       return __bpf_map__iter(prev, obj, 1);
+@@ -8738,7 +8738,7 @@ bpf_map__next(const struct bpf_map *prev, const struct bpf_object *obj)
+ struct bpf_map *
+ bpf_map__prev(const struct bpf_map *next, const struct bpf_object *obj)
+ {
+-      if (next == NULL) {
++      if (next == NULL && obj != NULL) {
+               if (!obj->nr_maps)
+                       return NULL;
+               return obj->maps + obj->nr_maps - 1;
+-- 
+2.43.0
+
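Review bot: With `if (prev == NULL && obj != NULL)` in bpf_map__next(), a call with both arguments NULL now falls through to `__bpf_map__iter(NULL, NULL, 1)` and depends on that helper's NULL handling, which the hunk does not show; the same applies to `next == NULL && obj != NULL` in bpf_map__prev(). Returning directly, e.g. `if (prev == NULL) return obj ? obj->maps : NULL;`, keeps the contract local to each function and avoids a silent dependency on the helper. The helper's behaviour is stated in the commit message but is not visible here.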
diff --git a/queue-5.15/media-qcom-camss-add-check-for-v4l2_fwnode_endpoint_.patch b/queue-5.15/media-qcom-camss-add-check-for-v4l2_fwnode_endpoint_.patch
new file mode 100644 (file)
index 0000000..d4375ce
--- /dev/null
@@ -0,0 +1,39 @@
+From e823d4bf9061a475f29c9f6c91852caf265178b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Jun 2024 09:35:22 +0800
+Subject: media: qcom: camss: Add check for v4l2_fwnode_endpoint_parse
+
+From: Chen Ni <nichen@iscas.ac.cn>
+
+[ Upstream commit 4caf6d93d9f2c11d6441c64e1c549c445fa322ed ]
+
+Add check for the return value of v4l2_fwnode_endpoint_parse() and
+return the error if it fails in order to catch the error.
+
+Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/qcom/camss/camss.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/qcom/camss/camss.c b/drivers/media/platform/qcom/camss/camss.c
+index e53f575b32f5..da5a8e18bb1e 100644
+--- a/drivers/media/platform/qcom/camss/camss.c
++++ b/drivers/media/platform/qcom/camss/camss.c
+@@ -835,8 +835,11 @@ static int camss_of_parse_endpoint_node(struct device *dev,
+       struct v4l2_fwnode_bus_mipi_csi2 *mipi_csi2;
+       struct v4l2_fwnode_endpoint vep = { { 0 } };
+       unsigned int i;
++      int ret;
+-      v4l2_fwnode_endpoint_parse(of_fwnode_handle(node), &vep);
++      ret = v4l2_fwnode_endpoint_parse(of_fwnode_handle(node), &vep);
++      if (ret)
++              return ret;
+       csd->interface.csiphy_id = vep.base.port;
+-- 
+2.43.0
+
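Review bot: The new `if (ret) return ret;` after `v4l2_fwnode_endpoint_parse()` in camss_of_parse_endpoint_node() propagates the error without a message, so a malformed endpoint in the device tree will only show up as a probe failure with no indication of which node was at fault. Since `dev` is a parameter of the function, `dev_err(dev, "failed to parse endpoint: %d\n", ret);` before the return costs little. The function continues outside the hunk.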
diff --git a/queue-5.15/media-vivid-don-t-set-hdmi-tx-controls-if-there-are-.patch b/queue-5.15/media-vivid-don-t-set-hdmi-tx-controls-if-there-are-.patch
new file mode 100644 (file)
index 0000000..09f3b15
--- /dev/null
@@ -0,0 +1,56 @@
+From 15d1756de7aac2852fb0341de2e721ea12772b2e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Jun 2024 12:52:59 +0300
+Subject: media: vivid: don't set HDMI TX controls if there are no HDMI outputs
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 17763960b1784578e8fe915304b330922f646209 ]
+
+When setting the EDID it would attempt to update two controls
+that are only present if there is an HDMI output configured.
+
+If there isn't any (e.g. when the vivid module is loaded with
+node_types=1), then calling VIDIOC_S_EDID would crash.
+
+Fix this by first checking if outputs are present.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/test-drivers/vivid/vivid-vid-cap.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/test-drivers/vivid/vivid-vid-cap.c b/drivers/media/test-drivers/vivid/vivid-vid-cap.c
+index af0ca7366abf..c663daedb82c 100644
+--- a/drivers/media/test-drivers/vivid/vivid-vid-cap.c
++++ b/drivers/media/test-drivers/vivid/vivid-vid-cap.c
+@@ -1798,8 +1798,10 @@ int vidioc_s_edid(struct file *file, void *_fh,
+               return -EINVAL;
+       if (edid->blocks == 0) {
+               dev->edid_blocks = 0;
+-              v4l2_ctrl_s_ctrl(dev->ctrl_tx_edid_present, 0);
+-              v4l2_ctrl_s_ctrl(dev->ctrl_tx_hotplug, 0);
++              if (dev->num_outputs) {
++                      v4l2_ctrl_s_ctrl(dev->ctrl_tx_edid_present, 0);
++                      v4l2_ctrl_s_ctrl(dev->ctrl_tx_hotplug, 0);
++              }
+               phys_addr = CEC_PHYS_ADDR_INVALID;
+               goto set_phys_addr;
+       }
+@@ -1823,8 +1825,10 @@ int vidioc_s_edid(struct file *file, void *_fh,
+                       display_present |=
+                               dev->display_present[i] << j++;
+-      v4l2_ctrl_s_ctrl(dev->ctrl_tx_edid_present, display_present);
+-      v4l2_ctrl_s_ctrl(dev->ctrl_tx_hotplug, display_present);
++      if (dev->num_outputs) {
++              v4l2_ctrl_s_ctrl(dev->ctrl_tx_edid_present, display_present);
++              v4l2_ctrl_s_ctrl(dev->ctrl_tx_hotplug, display_present);
++      }
+ set_phys_addr:
+       /* TODO: a proper hotplug detect cycle should be emulated here */
+-- 
+2.43.0
+
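Review bot: The guard added in both hunks tests `dev->num_outputs`, whereas the description says the two TX controls exist only when an HDMI output is configured; if vivid can be loaded with outputs that are all non-HDMI (it keeps a separate `num_hdmi_outputs` counter, which I could not verify from this hunk), `dev->ctrl_tx_edid_present` and `dev->ctrl_tx_hotplug` would still be NULL and the v4l2_ctrl_s_ctrl() calls would still dereference them. If that configuration is reachable, `if (dev->num_hdmi_outputs)` is the condition that matches the controls' lifetime; otherwise a comment stating that every output configuration creates these controls would justify the weaker check. The same guard is duplicated at the second hunk (`@@ -1823`), so whichever condition is chosen should be applied there too. vidioc_s_edid starts and ends outside the hunks.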
diff --git a/queue-5.15/media-vivid-fix-wrong-sizeimage-value-for-mplane.patch b/queue-5.15/media-vivid-fix-wrong-sizeimage-value-for-mplane.patch
new file mode 100644 (file)
index 0000000..95dad8a
--- /dev/null
@@ -0,0 +1,87 @@
+From b86b8135021058aac0e458e3f201bce411fae8ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 26 Jun 2024 12:59:13 +0200
+Subject: media: vivid: fix wrong sizeimage value for mplane
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 0fd7c0c2c156270dceb8c15fad3120cdce03e539 ]
+
+In several places a division by fmt->vdownsampling[p] was
+missing in the sizeimage[p] calculation, causing incorrect
+behavior for multiplanar formats were some planes are smaller
+than the first plane.
+
+Found by new v4l2-compliance tests.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/test-drivers/vivid/vivid-vid-cap.c |  5 +++--
+ drivers/media/test-drivers/vivid/vivid-vid-out.c | 16 +++++++++-------
+ 2 files changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/media/test-drivers/vivid/vivid-vid-cap.c b/drivers/media/test-drivers/vivid/vivid-vid-cap.c
+index 331a3f4286d2..af0ca7366abf 100644
+--- a/drivers/media/test-drivers/vivid/vivid-vid-cap.c
++++ b/drivers/media/test-drivers/vivid/vivid-vid-cap.c
+@@ -113,8 +113,9 @@ static int vid_cap_queue_setup(struct vb2_queue *vq,
+               if (*nplanes != buffers)
+                       return -EINVAL;
+               for (p = 0; p < buffers; p++) {
+-                      if (sizes[p] < tpg_g_line_width(&dev->tpg, p) * h +
+-                                              dev->fmt_cap->data_offset[p])
++                      if (sizes[p] < tpg_g_line_width(&dev->tpg, p) * h /
++                                      dev->fmt_cap->vdownsampling[p] +
++                                      dev->fmt_cap->data_offset[p])
+                               return -EINVAL;
+               }
+       } else {
+diff --git a/drivers/media/test-drivers/vivid/vivid-vid-out.c b/drivers/media/test-drivers/vivid/vivid-vid-out.c
+index 9f731f085179..e96d3d014143 100644
+--- a/drivers/media/test-drivers/vivid/vivid-vid-out.c
++++ b/drivers/media/test-drivers/vivid/vivid-vid-out.c
+@@ -63,14 +63,16 @@ static int vid_out_queue_setup(struct vb2_queue *vq,
+               if (sizes[0] < size)
+                       return -EINVAL;
+               for (p = 1; p < planes; p++) {
+-                      if (sizes[p] < dev->bytesperline_out[p] * h +
+-                                     vfmt->data_offset[p])
++                      if (sizes[p] < dev->bytesperline_out[p] * h /
++                                      vfmt->vdownsampling[p] +
++                                      vfmt->data_offset[p])
+                               return -EINVAL;
+               }
+       } else {
+               for (p = 0; p < planes; p++)
+-                      sizes[p] = p ? dev->bytesperline_out[p] * h +
+-                                     vfmt->data_offset[p] : size;
++                      sizes[p] = p ? dev->bytesperline_out[p] * h /
++                                      vfmt->vdownsampling[p] +
++                                      vfmt->data_offset[p] : size;
+       }
+       if (vq->num_buffers + *nbuffers < 2)
+@@ -127,7 +129,7 @@ static int vid_out_buf_prepare(struct vb2_buffer *vb)
+       for (p = 0; p < planes; p++) {
+               if (p)
+-                      size = dev->bytesperline_out[p] * h;
++                      size = dev->bytesperline_out[p] * h / vfmt->vdownsampling[p];
+               size += vb->planes[p].data_offset;
+               if (vb2_get_plane_payload(vb, p) < size) {
+@@ -334,8 +336,8 @@ int vivid_g_fmt_vid_out(struct file *file, void *priv,
+       for (p = 0; p < mp->num_planes; p++) {
+               mp->plane_fmt[p].bytesperline = dev->bytesperline_out[p];
+               mp->plane_fmt[p].sizeimage =
+-                      mp->plane_fmt[p].bytesperline * mp->height +
+-                      fmt->data_offset[p];
++                      mp->plane_fmt[p].bytesperline * mp->height /
++                      fmt->vdownsampling[p] + fmt->data_offset[p];
+       }
+       for (p = fmt->buffers; p < fmt->planes; p++) {
+               unsigned stride = dev->bytesperline_out[p];
+-- 
+2.43.0
+
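Review bot: Each of the five hunks repeats the bare expression `bytesperline * h / vdownsampling[p] + data_offset[p]` with nothing saying why plane p is divided, and the integer division silently rounds down when the height is not a multiple of the downsampling factor. A one-line comment at the first occurrence in vid_cap_queue_setup, e.g. `/* plane p carries h / vdownsampling[p] lines */`, and the same note at the first vivid-vid-out.c occurrence would explain the formula; whether a non-multiple height can reach these paths depends on the try_fmt alignment, which is outside the hunks. The formats table that supplies `vdownsampling[]` is also not visible here, so the divisor being non-zero rests on that table. All five enclosing functions start and end outside the hunks.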
diff --git a/queue-5.15/mips-cevt-r4k-don-t-call-get_c0_compare_int-if-timer.patch b/queue-5.15/mips-cevt-r4k-don-t-call-get_c0_compare_int-if-timer.patch
new file mode 100644 (file)
index 0000000..6ca9aa1
--- /dev/null
@@ -0,0 +1,78 @@
+From e2071aecd17f3ae0b0d17395b435c72366788ac6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Aug 2024 10:59:08 +0100
+Subject: MIPS: cevt-r4k: Don't call get_c0_compare_int if timer irq is
+ installed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jiaxun Yang <jiaxun.yang@flygoat.com>
+
+[ Upstream commit 50f2b98dc83de7809a5c5bf0ccf9af2e75c37c13 ]
+
+This avoids warning:
+
+[    0.118053] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283
+
+Caused by get_c0_compare_int on secondary CPU.
+
+We also skipped saving IRQ number to struct clock_event_device *cd as
+it's never used by clockevent core, as per comments it's only meant
+for "non CPU local devices".
+
+Reported-by: Serge Semin <fancer.lancer@gmail.com>
+Closes: https://lore.kernel.org/linux-mips/6szkkqxpsw26zajwysdrwplpjvhl5abpnmxgu2xuj3dkzjnvsf@4daqrz4mf44k/
+Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Reviewed-by: Serge Semin <fancer.lancer@gmail.com>
+Tested-by: Serge Semin <fancer.lancer@gmail.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/kernel/cevt-r4k.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/arch/mips/kernel/cevt-r4k.c b/arch/mips/kernel/cevt-r4k.c
+index 32ec67c9ab67..77028aa8c107 100644
+--- a/arch/mips/kernel/cevt-r4k.c
++++ b/arch/mips/kernel/cevt-r4k.c
+@@ -303,13 +303,6 @@ int r4k_clockevent_init(void)
+       if (!c0_compare_int_usable())
+               return -ENXIO;
+-      /*
+-       * With vectored interrupts things are getting platform specific.
+-       * get_c0_compare_int is a hook to allow a platform to return the
+-       * interrupt number of its liking.
+-       */
+-      irq = get_c0_compare_int();
+-
+       cd = &per_cpu(mips_clockevent_device, cpu);
+       cd->name                = "MIPS";
+@@ -320,7 +313,6 @@ int r4k_clockevent_init(void)
+       min_delta               = calculate_min_delta();
+       cd->rating              = 300;
+-      cd->irq                 = irq;
+       cd->cpumask             = cpumask_of(cpu);
+       cd->set_next_event      = mips_next_event;
+       cd->event_handler       = mips_event_handler;
+@@ -332,6 +324,13 @@ int r4k_clockevent_init(void)
+       cp0_timer_irq_installed = 1;
++      /*
++       * With vectored interrupts things are getting platform specific.
++       * get_c0_compare_int is a hook to allow a platform to return the
++       * interrupt number of its liking.
++       */
++      irq = get_c0_compare_int();
++
+       if (request_irq(irq, c0_compare_interrupt, flags, "timer",
+                       c0_compare_interrupt))
+               pr_err("Failed to request irq %d (timer)\n", irq);
+-- 
+2.43.0
+
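Review bot: With `cd->irq = irq;` removed, `irq` is now used only by the `request_irq()` call after `cp0_timer_irq_installed = 1;`, but its declaration stays at the top of r4k_clockevent_init (outside the hunk), and nothing in the code records that leaving `cd->irq` unset is deliberate. A comment next to the registration, `/* cd->irq is intentionally not set: clockevents only uses it for non-CPU-local devices */`, would stop the next reader from re-adding the assignment. The `request_irq()` failure still only logs via `pr_err()` and lets the function return success, which is pre-existing behaviour; the moved `get_c0_compare_int()` call now presumably sits behind the `cp0_timer_irq_installed` check that precedes the hunk, which is what keeps it off the secondary-CPU path.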
diff --git a/queue-5.15/net-bridge-br_fdb_external_learn_add-always-set-ext_.patch b/queue-5.15/net-bridge-br_fdb_external_learn_add-always-set-ext_.patch
new file mode 100644 (file)
index 0000000..d027521
--- /dev/null
@@ -0,0 +1,58 @@
+From e6390be54d0197c224506071e2da88ddeb069f97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 10:19:57 +0200
+Subject: net: bridge: br_fdb_external_learn_add(): always set EXT_LEARN
+
+From: Jonas Gorski <jonas.gorski@bisdn.de>
+
+[ Upstream commit bee2ef946d3184e99077be526567d791c473036f ]
+
+When userspace wants to take over a fdb entry by setting it as
+EXTERN_LEARNED, we set both flags BR_FDB_ADDED_BY_EXT_LEARN and
+BR_FDB_ADDED_BY_USER in br_fdb_external_learn_add().
+
+If the bridge updates the entry later because its port changed, we clear
+the BR_FDB_ADDED_BY_EXT_LEARN flag, but leave the BR_FDB_ADDED_BY_USER
+flag set.
+
+If userspace then wants to take over the entry again,
+br_fdb_external_learn_add() sees that BR_FDB_ADDED_BY_USER and skips
+setting the BR_FDB_ADDED_BY_EXT_LEARN flags, thus silently ignores the
+update.
+
+Fix this by always allowing to set BR_FDB_ADDED_BY_EXT_LEARN regardless
+if this was a user fdb entry or not.
+
+Fixes: 710ae7287737 ("net: bridge: Mark FDB entries that were added by user as such")
+Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
+Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20240903081958.29951-1-jonas.gorski@bisdn.de
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/br_fdb.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
+index 46812b659710..83ec74b67340 100644
+--- a/net/bridge/br_fdb.c
++++ b/net/bridge/br_fdb.c
+@@ -1299,12 +1299,10 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
+                       modified = true;
+               }
+-              if (test_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags)) {
++              if (test_and_set_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags)) {
+                       /* Refresh entry */
+                       fdb->used = jiffies;
+-              } else if (!test_bit(BR_FDB_ADDED_BY_USER, &fdb->flags)) {
+-                      /* Take over SW learned entry */
+-                      set_bit(BR_FDB_ADDED_BY_EXT_LEARN, &fdb->flags);
++              } else {
+                       modified = true;
+               }
+-- 
+2.43.0
+
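Review bot: The `else` branch at `} else {` now covers both the takeover of a switch-learned entry and the takeover of a user-added entry, but the `/* Take over SW learned entry */` comment was dropped with the old branch and nothing replaces it. A comment such as `/* Took over a SW-learned or user-added entry */` on the new `else` would keep the intent readable, since the policy change (user entries may now be taken over by external learning) is the point of the commit. Whether BR_FDB_ADDED_BY_USER should also be cleared on takeover is not addressed here; br_fdb_external_learn_add continues outside the hunk.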
diff --git a/queue-5.15/net-dpaa-avoid-on-stack-arrays-of-nr_cpus-elements.patch b/queue-5.15/net-dpaa-avoid-on-stack-arrays-of-nr_cpus-elements.patch
new file mode 100644 (file)
index 0000000..035a3ce
--- /dev/null
@@ -0,0 +1,132 @@
+From 7e34b9088085d6499cfaadfa4ca93cb582f94d79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 14 Jul 2024 01:53:32 +0300
+Subject: net: dpaa: avoid on-stack arrays of NR_CPUS elements
+
+From: Vladimir Oltean <vladimir.oltean@nxp.com>
+
+[ Upstream commit 555a05d84ca2c587e2d4777006e2c2fb3dfbd91d ]
+
+The dpaa-eth driver is written for PowerPC and Arm SoCs which have 1-24
+CPUs. It depends on CONFIG_NR_CPUS having a reasonably small value in
+Kconfig. Otherwise, there are 2 functions which allocate on-stack arrays
+of NR_CPUS elements, and these can quickly explode in size, leading to
+warnings such as:
+
+  drivers/net/ethernet/freescale/dpaa/dpaa_eth.c:3280:12: warning:
+  stack frame size (16664) exceeds limit (2048) in 'dpaa_eth_probe' [-Wframe-larger-than]
+
+The problem is twofold:
+- Reducing the array size to the boot-time num_possible_cpus() (rather
+  than the compile-time NR_CPUS) creates a variable-length array,
+  which should be avoided in the Linux kernel.
+- Using NR_CPUS as an array size makes the driver blow up in stack
+  consumption with generic, as opposed to hand-crafted, .config files.
+
+A simple solution is to use dynamic allocation for num_possible_cpus()
+elements (aka a small number determined at runtime).
+
+Link: https://lore.kernel.org/all/202406261920.l5pzM1rj-lkp@intel.com/
+Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Reviewed-by: Breno Leitao <leitao@debian.org>
+Acked-by: Madalin Bucur <madalin.bucur@oss.nxp.com>
+Link: https://patch.msgid.link/20240713225336.1746343-2-vladimir.oltean@nxp.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/freescale/dpaa/dpaa_eth.c    | 20 ++++++++++++++-----
+ .../ethernet/freescale/dpaa/dpaa_ethtool.c    | 10 +++++++++-
+ 2 files changed, 24 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
+index 1766b7d94ffa..119f560b2e65 100644
+--- a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
+@@ -910,14 +910,18 @@ static inline void dpaa_setup_egress(const struct dpaa_priv *priv,
+       }
+ }
+-static void dpaa_fq_setup(struct dpaa_priv *priv,
+-                        const struct dpaa_fq_cbs *fq_cbs,
+-                        struct fman_port *tx_port)
++static int dpaa_fq_setup(struct dpaa_priv *priv,
++                       const struct dpaa_fq_cbs *fq_cbs,
++                       struct fman_port *tx_port)
+ {
+       int egress_cnt = 0, conf_cnt = 0, num_portals = 0, portal_cnt = 0, cpu;
+       const cpumask_t *affine_cpus = qman_affine_cpus();
+-      u16 channels[NR_CPUS];
+       struct dpaa_fq *fq;
++      u16 *channels;
++
++      channels = kcalloc(num_possible_cpus(), sizeof(u16), GFP_KERNEL);
++      if (!channels)
++              return -ENOMEM;
+       for_each_cpu_and(cpu, affine_cpus, cpu_online_mask)
+               channels[num_portals++] = qman_affine_channel(cpu);
+@@ -976,6 +980,10 @@ static void dpaa_fq_setup(struct dpaa_priv *priv,
+                               break;
+               }
+       }
++
++      kfree(channels);
++
++      return 0;
+ }
+ static inline int dpaa_tx_fq_to_id(const struct dpaa_priv *priv,
+@@ -3444,7 +3452,9 @@ static int dpaa_eth_probe(struct platform_device *pdev)
+        */
+       dpaa_eth_add_channel(priv->channel, &pdev->dev);
+-      dpaa_fq_setup(priv, &dpaa_fq_cbs, priv->mac_dev->port[TX]);
++      err = dpaa_fq_setup(priv, &dpaa_fq_cbs, priv->mac_dev->port[TX]);
++      if (err)
++              goto free_dpaa_bps;
+       /* Create a congestion group for this netdev, with
+        * dynamically-allocated CGR ID.
+diff --git a/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c b/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c
+index 5750f9a56393..df6af1097dd2 100644
+--- a/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c
++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c
+@@ -541,12 +541,16 @@ static int dpaa_set_coalesce(struct net_device *dev,
+                            struct netlink_ext_ack *extack)
+ {
+       const cpumask_t *cpus = qman_affine_cpus();
+-      bool needs_revert[NR_CPUS] = {false};
+       struct qman_portal *portal;
+       u32 period, prev_period;
+       u8 thresh, prev_thresh;
++      bool *needs_revert;
+       int cpu, res;
++      needs_revert = kcalloc(num_possible_cpus(), sizeof(bool), GFP_KERNEL);
++      if (!needs_revert)
++              return -ENOMEM;
++
+       period = c->rx_coalesce_usecs;
+       thresh = c->rx_max_coalesced_frames;
+@@ -569,6 +573,8 @@ static int dpaa_set_coalesce(struct net_device *dev,
+               needs_revert[cpu] = true;
+       }
++      kfree(needs_revert);
++
+       return 0;
+ revert_values:
+@@ -582,6 +588,8 @@ static int dpaa_set_coalesce(struct net_device *dev,
+               qman_dqrr_set_ithresh(portal, prev_thresh);
+       }
++      kfree(needs_revert);
++
+       return res;
+ }
+-- 
+2.43.0
+
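Review bot: `needs_revert` in dpaa_set_coalesce is allocated with `num_possible_cpus()` elements but is indexed by CPU number (`needs_revert[cpu] = true;` and, presumably, the revert loop); if the possible-CPU mask is sparse, the highest CPU id can exceed the element count and the write lands past the end of the heap buffer. Sizing by `nr_cpu_ids` matches an index that is a CPU id: `needs_revert = kcalloc(nr_cpu_ids, sizeof(*needs_revert), GFP_KERNEL);`. `channels` in dpaa_fq_setup is filled by a running count (`channels[num_portals++]`), so `num_possible_cpus()` is a correct bound there, though `sizeof(*channels)` would tie the element size to the variable. Any early return between the `kcalloc()` and the `kfree(channels)` in the part of dpaa_fq_setup not shown would leak the buffer; both functions extend beyond the hunks.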
diff --git a/queue-5.15/net-dsa-vsc73xx-fix-possible-subblocks-range-of-capt.patch b/queue-5.15/net-dsa-vsc73xx-fix-possible-subblocks-range-of-capt.patch
new file mode 100644 (file)
index 0000000..7eb6cbd
--- /dev/null
@@ -0,0 +1,62 @@
+From 02169d5dd9c458afe87c5b3e3fe046ed5d379340 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Sep 2024 22:33:41 +0200
+Subject: net: dsa: vsc73xx: fix possible subblocks range of CAPT block
+
+From: Pawel Dembicki <paweldembicki@gmail.com>
+
+[ Upstream commit 8e69c96df771ab469cec278edb47009351de4da6 ]
+
+CAPT block (CPU Capture Buffer) have 7 sublocks: 0-3, 4, 6, 7.
+Function 'vsc73xx_is_addr_valid' allows to use only block 0 at this
+moment.
+
+This patch fix it.
+
+Fixes: 05bd97fc559d ("net: dsa: Add Vitesse VSC73xx DSA router driver")
+Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20240903203340.1518789-1-paweldembicki@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/vitesse-vsc73xx-core.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/dsa/vitesse-vsc73xx-core.c b/drivers/net/dsa/vitesse-vsc73xx-core.c
+index 592527f06944..36da2107b5d9 100644
+--- a/drivers/net/dsa/vitesse-vsc73xx-core.c
++++ b/drivers/net/dsa/vitesse-vsc73xx-core.c
+@@ -35,7 +35,7 @@
+ #define VSC73XX_BLOCK_ANALYZER        0x2 /* Only subblock 0 */
+ #define VSC73XX_BLOCK_MII     0x3 /* Subblocks 0 and 1 */
+ #define VSC73XX_BLOCK_MEMINIT 0x3 /* Only subblock 2 */
+-#define VSC73XX_BLOCK_CAPTURE 0x4 /* Only subblock 2 */
++#define VSC73XX_BLOCK_CAPTURE 0x4 /* Subblocks 0-4, 6, 7 */
+ #define VSC73XX_BLOCK_ARBITER 0x5 /* Only subblock 0 */
+ #define VSC73XX_BLOCK_SYSTEM  0x7 /* Only subblock 0 */
+@@ -371,13 +371,19 @@ int vsc73xx_is_addr_valid(u8 block, u8 subblock)
+               break;
+       case VSC73XX_BLOCK_MII:
+-      case VSC73XX_BLOCK_CAPTURE:
+       case VSC73XX_BLOCK_ARBITER:
+               switch (subblock) {
+               case 0 ... 1:
+                       return 1;
+               }
+               break;
++      case VSC73XX_BLOCK_CAPTURE:
++              switch (subblock) {
++              case 0 ... 4:
++              case 6 ... 7:
++                      return 1;
++              }
++              break;
+       }
+       return 0;
+-- 
+2.43.0
+
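Review bot: The new `case 0 ... 4:` / `case 6 ... 7:` ranges leave subblock 5 rejected without saying so in the code, and the header comment `/* Subblocks 0-4, 6, 7 */` is the only place the gap is recorded. A short comment inside the new case, e.g. `/* CAPT has no subblock 5 */`, would make the omission visibly intentional rather than look like a typo in the range. vsc73xx_is_addr_valid starts outside the hunk.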
diff --git a/queue-5.15/net-usb-don-t-write-directly-to-netdev-dev_addr.patch b/queue-5.15/net-usb-don-t-write-directly-to-netdev-dev_addr.patch
new file mode 100644 (file)
index 0000000..79a4178
--- /dev/null
@@ -0,0 +1,236 @@
+From c29602f5e49ed982bdaedf27546ce563a48dd7ba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Oct 2021 06:12:06 -0700
+Subject: net: usb: don't write directly to netdev->dev_addr
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 2674e7ea22ba0e22a2d1603bd51e0b8f6442a267 ]
+
+Commit 406f42fa0d3c ("net-next: When a bond have a massive amount
+of VLANs...") introduced a rbtree for faster Ethernet address look
+up. To maintain netdev->dev_addr in this tree we need to make all
+the writes to it got through appropriate helpers.
+
+Manually fix all net/usb drivers without separate maintainers.
+
+v2: catc does DMA to the buffer, leave the conversion to Oliver
+
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: bab8eb0dd4cb ("usbnet: modern method to get random MAC")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/ch9200.c      | 4 +++-
+ drivers/net/usb/cx82310_eth.c | 5 +++--
+ drivers/net/usb/kaweth.c      | 3 +--
+ drivers/net/usb/mcs7830.c     | 4 +++-
+ drivers/net/usb/sierra_net.c  | 6 ++++--
+ drivers/net/usb/sr9700.c      | 4 +++-
+ drivers/net/usb/sr9800.c      | 5 +++--
+ drivers/net/usb/usbnet.c      | 6 ++++--
+ 8 files changed, 24 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/usb/ch9200.c b/drivers/net/usb/ch9200.c
+index d7f3b70d5477..f69d9b902da0 100644
+--- a/drivers/net/usb/ch9200.c
++++ b/drivers/net/usb/ch9200.c
+@@ -336,6 +336,7 @@ static int ch9200_bind(struct usbnet *dev, struct usb_interface *intf)
+ {
+       int retval = 0;
+       unsigned char data[2];
++      u8 addr[ETH_ALEN];
+       retval = usbnet_get_endpoints(dev, intf);
+       if (retval)
+@@ -383,7 +384,8 @@ static int ch9200_bind(struct usbnet *dev, struct usb_interface *intf)
+       retval = control_write(dev, REQUEST_WRITE, 0, MAC_REG_CTRL, data, 0x02,
+                              CONTROL_TIMEOUT_MS);
+-      retval = get_mac_address(dev, dev->net->dev_addr);
++      retval = get_mac_address(dev, addr);
++      eth_hw_addr_set(dev->net, addr);
+       return retval;
+ }
+diff --git a/drivers/net/usb/cx82310_eth.c b/drivers/net/usb/cx82310_eth.c
+index c4568a491dc4..79a47e2fd437 100644
+--- a/drivers/net/usb/cx82310_eth.c
++++ b/drivers/net/usb/cx82310_eth.c
+@@ -146,6 +146,7 @@ static int cx82310_bind(struct usbnet *dev, struct usb_interface *intf)
+       u8 link[3];
+       int timeout = 50;
+       struct cx82310_priv *priv;
++      u8 addr[ETH_ALEN];
+       /* avoid ADSL modems - continue only if iProduct is "USB NET CARD" */
+       if (usb_string(udev, udev->descriptor.iProduct, buf, sizeof(buf)) > 0
+@@ -202,12 +203,12 @@ static int cx82310_bind(struct usbnet *dev, struct usb_interface *intf)
+               goto err;
+       /* get the MAC address */
+-      ret = cx82310_cmd(dev, CMD_GET_MAC_ADDR, true, NULL, 0,
+-                        dev->net->dev_addr, ETH_ALEN);
++      ret = cx82310_cmd(dev, CMD_GET_MAC_ADDR, true, NULL, 0, addr, ETH_ALEN);
+       if (ret) {
+               netdev_err(dev->net, "unable to read MAC address: %d\n", ret);
+               goto err;
+       }
++      eth_hw_addr_set(dev->net, addr);
+       /* start (does not seem to have any effect?) */
+       ret = cx82310_cmd(dev, CMD_START, false, NULL, 0, NULL, 0);
+diff --git a/drivers/net/usb/kaweth.c b/drivers/net/usb/kaweth.c
+index 144c686b4333..9b2bc1993ece 100644
+--- a/drivers/net/usb/kaweth.c
++++ b/drivers/net/usb/kaweth.c
+@@ -1044,8 +1044,7 @@ static int kaweth_probe(
+               goto err_all_but_rxbuf;
+       memcpy(netdev->broadcast, &bcast_addr, sizeof(bcast_addr));
+-      memcpy(netdev->dev_addr, &kaweth->configuration.hw_addr,
+-               sizeof(kaweth->configuration.hw_addr));
++      eth_hw_addr_set(netdev, (u8 *)&kaweth->configuration.hw_addr);
+       netdev->netdev_ops = &kaweth_netdev_ops;
+       netdev->watchdog_timeo = KAWETH_TX_TIMEOUT;
+diff --git a/drivers/net/usb/mcs7830.c b/drivers/net/usb/mcs7830.c
+index 8f484c4949d9..f62169216d8c 100644
+--- a/drivers/net/usb/mcs7830.c
++++ b/drivers/net/usb/mcs7830.c
+@@ -481,17 +481,19 @@ static const struct net_device_ops mcs7830_netdev_ops = {
+ static int mcs7830_bind(struct usbnet *dev, struct usb_interface *udev)
+ {
+       struct net_device *net = dev->net;
++      u8 addr[ETH_ALEN];
+       int ret;
+       int retry;
+       /* Initial startup: Gather MAC address setting from EEPROM */
+       ret = -EINVAL;
+       for (retry = 0; retry < 5 && ret; retry++)
+-              ret = mcs7830_hif_get_mac_address(dev, net->dev_addr);
++              ret = mcs7830_hif_get_mac_address(dev, addr);
+       if (ret) {
+               dev_warn(&dev->udev->dev, "Cannot read MAC address\n");
+               goto out;
+       }
++      eth_hw_addr_set(net, addr);
+       mcs7830_data_set_multicast(net);
+diff --git a/drivers/net/usb/sierra_net.c b/drivers/net/usb/sierra_net.c
+index 55025202dc4f..bb4cbe8fc846 100644
+--- a/drivers/net/usb/sierra_net.c
++++ b/drivers/net/usb/sierra_net.c
+@@ -669,6 +669,7 @@ static int sierra_net_bind(struct usbnet *dev, struct usb_interface *intf)
+               0x00, 0x00, SIERRA_NET_HIP_MSYNC_ID, 0x00};
+       static const u8 shdwn_tmplate[sizeof(priv->shdwn_msg)] = {
+               0x00, 0x00, SIERRA_NET_HIP_SHUTD_ID, 0x00};
++      u8 mod[2];
+       dev_dbg(&dev->udev->dev, "%s", __func__);
+@@ -698,8 +699,9 @@ static int sierra_net_bind(struct usbnet *dev, struct usb_interface *intf)
+       dev->net->netdev_ops = &sierra_net_device_ops;
+       /* change MAC addr to include, ifacenum, and to be unique */
+-      dev->net->dev_addr[ETH_ALEN-2] = atomic_inc_return(&iface_counter);
+-      dev->net->dev_addr[ETH_ALEN-1] = ifacenum;
++      mod[0] = atomic_inc_return(&iface_counter);
++      mod[1] = ifacenum;
++      dev_addr_mod(dev->net, ETH_ALEN - 2, mod, 2);
+       /* prepare shutdown message template */
+       memcpy(priv->shdwn_msg, shdwn_tmplate, sizeof(priv->shdwn_msg));
+diff --git a/drivers/net/usb/sr9700.c b/drivers/net/usb/sr9700.c
+index 3cff3c9d7b89..5b29da399d95 100644
+--- a/drivers/net/usb/sr9700.c
++++ b/drivers/net/usb/sr9700.c
+@@ -327,6 +327,7 @@ static int sr9700_bind(struct usbnet *dev, struct usb_interface *intf)
+ {
+       struct net_device *netdev;
+       struct mii_if_info *mii;
++      u8 addr[ETH_ALEN];
+       int ret;
+       ret = usbnet_get_endpoints(dev, intf);
+@@ -357,11 +358,12 @@ static int sr9700_bind(struct usbnet *dev, struct usb_interface *intf)
+        * EEPROM automatically to PAR. In case there is no EEPROM externally,
+        * a default MAC address is stored in PAR for making chip work properly.
+        */
+-      if (sr_read(dev, SR_PAR, ETH_ALEN, netdev->dev_addr) < 0) {
++      if (sr_read(dev, SR_PAR, ETH_ALEN, addr) < 0) {
+               netdev_err(netdev, "Error reading MAC address\n");
+               ret = -ENODEV;
+               goto out;
+       }
++      eth_hw_addr_set(netdev, addr);
+       /* power up and reset phy */
+       sr_write_reg(dev, SR_PRR, PRR_PHY_RST);
+diff --git a/drivers/net/usb/sr9800.c b/drivers/net/usb/sr9800.c
+index 79358369c456..2d553604f179 100644
+--- a/drivers/net/usb/sr9800.c
++++ b/drivers/net/usb/sr9800.c
+@@ -731,6 +731,7 @@ static int sr9800_bind(struct usbnet *dev, struct usb_interface *intf)
+       struct sr_data *data = (struct sr_data *)&dev->data;
+       u16 led01_mux, led23_mux;
+       int ret, embd_phy;
++      u8 addr[ETH_ALEN];
+       u32 phyid;
+       u16 rx_ctl;
+@@ -756,12 +757,12 @@ static int sr9800_bind(struct usbnet *dev, struct usb_interface *intf)
+       }
+       /* Get the MAC address */
+-      ret = sr_read_cmd(dev, SR_CMD_READ_NODE_ID, 0, 0, ETH_ALEN,
+-                        dev->net->dev_addr);
++      ret = sr_read_cmd(dev, SR_CMD_READ_NODE_ID, 0, 0, ETH_ALEN, addr);
+       if (ret < 0) {
+               netdev_dbg(dev->net, "Failed to read MAC address: %d\n", ret);
+               return ret;
+       }
++      eth_hw_addr_set(dev->net, addr);
+       netdev_dbg(dev->net, "mac addr : %pM\n", dev->net->dev_addr);
+       /* Initialize MII structure */
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index 566aa01ad281..95b8c612a179 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -165,12 +165,13 @@ EXPORT_SYMBOL_GPL(usbnet_get_endpoints);
+ int usbnet_get_ethernet_addr(struct usbnet *dev, int iMACAddress)
+ {
++      u8              addr[ETH_ALEN];
+       int             tmp = -1, ret;
+       unsigned char   buf [13];
+       ret = usb_string(dev->udev, iMACAddress, buf, sizeof buf);
+       if (ret == 12)
+-              tmp = hex2bin(dev->net->dev_addr, buf, 6);
++              tmp = hex2bin(addr, buf, 6);
+       if (tmp < 0) {
+               dev_dbg(&dev->udev->dev,
+                       "bad MAC string %d fetch, %d\n", iMACAddress, tmp);
+@@ -178,6 +179,7 @@ int usbnet_get_ethernet_addr(struct usbnet *dev, int iMACAddress)
+                       ret = -EINVAL;
+               return ret;
+       }
++      eth_hw_addr_set(dev->net, addr);
+       return 0;
+ }
+ EXPORT_SYMBOL_GPL(usbnet_get_ethernet_addr);
+@@ -1727,7 +1729,7 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod)
+       dev->net = net;
+       strscpy(net->name, "usb%d", sizeof(net->name));
+-      memcpy (net->dev_addr, node_id, sizeof node_id);
++      eth_hw_addr_set(net, node_id);
+       /* rx and tx sides can use different message sizes;
+        * bind() should set rx_urb_size in that case.
+-- 
+2.43.0
+
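Review bot: In ch9200_bind the new `eth_hw_addr_set(dev->net, addr);` runs regardless of the `retval` from `get_mac_address(dev, addr)`, so on a failed read whatever the helper left in the stack buffer `addr` is installed as the device address before the error is returned; the other conversions in this series (cx82310, mcs7830, sr9700, sr9800) all check the read result first. Guarding it the same way, `if (retval) return retval;` before the set, keeps the device address untouched on failure. In kaweth_probe the cast `(u8 *)&kaweth->configuration.hw_addr` now copies ETH_ALEN bytes where the old memcpy used `sizeof(kaweth->configuration.hw_addr)`; if that field is wider than ETH_ALEN (the struct is not visible here), a comment saying only the first six bytes are the address would help. All enclosing functions start and end outside their hunks.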
diff --git a/queue-5.15/netfilter-nf_conncount-fix-wrong-variable-type.patch b/queue-5.15/netfilter-nf_conncount-fix-wrong-variable-type.patch
new file mode 100644 (file)
index 0000000..43eb7d1
--- /dev/null
@@ -0,0 +1,70 @@
+From bd944f232163e89e6fe42b38d566922d5980ef17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 May 2024 11:48:47 +0800
+Subject: netfilter: nf_conncount: fix wrong variable type
+
+From: Yunjian Wang <wangyunjian@huawei.com>
+
+[ Upstream commit 0b88d1654d556264bcd24a9cb6383f0888e30131 ]
+
+Now there is a issue is that code checks reports a warning: implicit
+narrowing conversion from type 'unsigned int' to small type 'u8' (the
+'keylen' variable). Fix it by removing the 'keylen' variable.
+
+Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nf_conncount.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
+index 82f36beb2e76..0ce12a33ffda 100644
+--- a/net/netfilter/nf_conncount.c
++++ b/net/netfilter/nf_conncount.c
+@@ -310,7 +310,6 @@ insert_tree(struct net *net,
+       struct nf_conncount_rb *rbconn;
+       struct nf_conncount_tuple *conn;
+       unsigned int count = 0, gc_count = 0;
+-      u8 keylen = data->keylen;
+       bool do_gc = true;
+       spin_lock_bh(&nf_conncount_locks[hash]);
+@@ -322,7 +321,7 @@ insert_tree(struct net *net,
+               rbconn = rb_entry(*rbnode, struct nf_conncount_rb, node);
+               parent = *rbnode;
+-              diff = key_diff(key, rbconn->key, keylen);
++              diff = key_diff(key, rbconn->key, data->keylen);
+               if (diff < 0) {
+                       rbnode = &((*rbnode)->rb_left);
+               } else if (diff > 0) {
+@@ -367,7 +366,7 @@ insert_tree(struct net *net,
+       conn->tuple = *tuple;
+       conn->zone = *zone;
+-      memcpy(rbconn->key, key, sizeof(u32) * keylen);
++      memcpy(rbconn->key, key, sizeof(u32) * data->keylen);
+       nf_conncount_list_init(&rbconn->list);
+       list_add(&conn->node, &rbconn->list.head);
+@@ -392,7 +391,6 @@ count_tree(struct net *net,
+       struct rb_node *parent;
+       struct nf_conncount_rb *rbconn;
+       unsigned int hash;
+-      u8 keylen = data->keylen;
+       hash = jhash2(key, data->keylen, conncount_rnd) % CONNCOUNT_SLOTS;
+       root = &data->root[hash];
+@@ -403,7 +401,7 @@ count_tree(struct net *net,
+               rbconn = rb_entry(parent, struct nf_conncount_rb, node);
+-              diff = key_diff(key, rbconn->key, keylen);
++              diff = key_diff(key, rbconn->key, data->keylen);
+               if (diff < 0) {
+                       parent = rcu_dereference_raw(parent->rb_left);
+               } else if (diff > 0) {
+-- 
+2.43.0
+
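Review bot: `memcpy(rbconn->key, key, sizeof(u32) * data->keylen);` copies into the fixed-size `rbconn->key` array with a length taken from `data->keylen`, and the only thing bounding that length is whatever validation happens when `data` is created, which is outside this hunk. A comment at the memcpy, `/* keylen is validated against the key array size at init */`, would tell a reader where the bound comes from (confirm that validation exists before adding it). The same `data->keylen` read is repeated inside both rb-walk loops of insert_tree and count_tree, which is fine only if it is immutable after init, as the removed cached locals assumed; both functions start outside the hunks.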
diff --git a/queue-5.15/nfsv4-add-missing-rescheduling-points-in-nfs_client_.patch b/queue-5.15/nfsv4-add-missing-rescheduling-points-in-nfs_client_.patch
new file mode 100644 (file)
index 0000000..f0a15c8
--- /dev/null
@@ -0,0 +1,44 @@
+From faaa9a7fb3748f54982e2c7b4545264d198faa50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 21 Aug 2024 14:05:00 -0400
+Subject: NFSv4: Add missing rescheduling points in
+ nfs_client_return_marked_delegations
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+[ Upstream commit a017ad1313fc91bdf235097fd0a02f673fc7bb11 ]
+
+We're seeing reports of soft lockups when iterating through the loops,
+so let's add rescheduling points.
+
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/super.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index a847011f36c9..9e672aed3590 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -47,6 +47,7 @@
+ #include <linux/vfs.h>
+ #include <linux/inet.h>
+ #include <linux/in6.h>
++#include <linux/sched.h>
+ #include <linux/slab.h>
+ #include <net/ipv6.h>
+ #include <linux/netdevice.h>
+@@ -219,6 +220,7 @@ static int __nfs_list_for_each_server(struct list_head *head,
+               ret = fn(server, data);
+               if (ret)
+                       goto out;
++              cond_resched();
+               rcu_read_lock();
+       }
+       rcu_read_unlock();
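Review bot: The new cond_resched() sits between the fn() call and the re-taken rcu_read_lock(), which is the only position in this loop where sleeping is legal, but nothing in the code says so; a later edit that moves the unlock (presumably just before fn(), outside this hunk) would silently turn this into a reschedule inside an RCU read-side critical section. Suggest `/* fn() and the reschedule run with the RCU read lock dropped; it is re-taken below */` above the cond_resched() call. __nfs_list_for_each_server begins outside this hunk.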
+-- 
+2.43.0
+
diff --git a/queue-5.15/of-irq-prevent-device-address-out-of-bounds-read-in-.patch b/queue-5.15/of-irq-prevent-device-address-out-of-bounds-read-in-.patch
new file mode 100644 (file)
index 0000000..f856da9
--- /dev/null
@@ -0,0 +1,131 @@
+From c68406445d95a446ff978caa649c8272066b97e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Aug 2024 12:06:51 +0200
+Subject: of/irq: Prevent device address out-of-bounds read in interrupt map
+ walk
+
+From: Stefan Wiehler <stefan.wiehler@nokia.com>
+
+[ Upstream commit b739dffa5d570b411d4bdf4bb9b8dfd6b7d72305 ]
+
+When of_irq_parse_raw() is invoked with a device address smaller than
+the interrupt parent node (from #address-cells property), KASAN detects
+the following out-of-bounds read when populating the initial match table
+(dyndbg="func of_irq_parse_* +p"):
+
+  OF: of_irq_parse_one: dev=/soc@0/picasso/watchdog, index=0
+  OF:  parent=/soc@0/pci@878000000000/gpio0@17,0, intsize=2
+  OF:  intspec=4
+  OF: of_irq_parse_raw: ipar=/soc@0/pci@878000000000/gpio0@17,0, size=2
+  OF:  -> addrsize=3
+  ==================================================================
+  BUG: KASAN: slab-out-of-bounds in of_irq_parse_raw+0x2b8/0x8d0
+  Read of size 4 at addr ffffff81beca5608 by task bash/764
+
+  CPU: 1 PID: 764 Comm: bash Tainted: G           O       6.1.67-484c613561-nokia_sm_arm64 #1
+  Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2023.01-12.24.03-dirty 01/01/2023
+  Call trace:
+   dump_backtrace+0xdc/0x130
+   show_stack+0x1c/0x30
+   dump_stack_lvl+0x6c/0x84
+   print_report+0x150/0x448
+   kasan_report+0x98/0x140
+   __asan_load4+0x78/0xa0
+   of_irq_parse_raw+0x2b8/0x8d0
+   of_irq_parse_one+0x24c/0x270
+   parse_interrupts+0xc0/0x120
+   of_fwnode_add_links+0x100/0x2d0
+   fw_devlink_parse_fwtree+0x64/0xc0
+   device_add+0xb38/0xc30
+   of_device_add+0x64/0x90
+   of_platform_device_create_pdata+0xd0/0x170
+   of_platform_bus_create+0x244/0x600
+   of_platform_notify+0x1b0/0x254
+   blocking_notifier_call_chain+0x9c/0xd0
+   __of_changeset_entry_notify+0x1b8/0x230
+   __of_changeset_apply_notify+0x54/0xe4
+   of_overlay_fdt_apply+0xc04/0xd94
+   ...
+
+  The buggy address belongs to the object at ffffff81beca5600
+   which belongs to the cache kmalloc-128 of size 128
+  The buggy address is located 8 bytes inside of
+   128-byte region [ffffff81beca5600, ffffff81beca5680)
+
+  The buggy address belongs to the physical page:
+  page:00000000230d3d03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1beca4
+  head:00000000230d3d03 order:1 compound_mapcount:0 compound_pincount:0
+  flags: 0x8000000000010200(slab|head|zone=2)
+  raw: 8000000000010200 0000000000000000 dead000000000122 ffffff810000c300
+  raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
+  page dumped because: kasan: bad access detected
+
+  Memory state around the buggy address:
+   ffffff81beca5500: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+   ffffff81beca5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+  >ffffff81beca5600: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+                        ^
+   ffffff81beca5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+   ffffff81beca5700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
+  ==================================================================
+  OF:  -> got it !
+
+Prevent the out-of-bounds read by copying the device address into a
+buffer of sufficient size.
+
+Signed-off-by: Stefan Wiehler <stefan.wiehler@nokia.com>
+Link: https://lore.kernel.org/r/20240812100652.3800963-1-stefan.wiehler@nokia.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/irq.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/of/irq.c b/drivers/of/irq.c
+index 352e14b007e7..ad0cb49e233a 100644
+--- a/drivers/of/irq.c
++++ b/drivers/of/irq.c
+@@ -288,7 +288,8 @@ int of_irq_parse_one(struct device_node *device, int index, struct of_phandle_ar
+       struct device_node *p;
+       const __be32 *addr;
+       u32 intsize;
+-      int i, res;
++      int i, res, addr_len;
++      __be32 addr_buf[3] = { 0 };
+       pr_debug("of_irq_parse_one: dev=%pOF, index=%d\n", device, index);
+@@ -297,13 +298,19 @@ int of_irq_parse_one(struct device_node *device, int index, struct of_phandle_ar
+               return of_irq_parse_oldworld(device, index, out_irq);
+       /* Get the reg property (if any) */
+-      addr = of_get_property(device, "reg", NULL);
++      addr = of_get_property(device, "reg", &addr_len);
++
++      /* Prevent out-of-bounds read in case of longer interrupt parent address size */
++      if (addr_len > (3 * sizeof(__be32)))
++              addr_len = 3 * sizeof(__be32);
++      if (addr)
++              memcpy(addr_buf, addr, addr_len);
+       /* Try the new-style interrupts-extended first */
+       res = of_parse_phandle_with_args(device, "interrupts-extended",
+                                       "#interrupt-cells", index, out_irq);
+       if (!res)
+-              return of_irq_parse_raw(addr, out_irq);
++              return of_irq_parse_raw(addr_buf, out_irq);
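Review bot: `addr_len` is read by the clamp before the `if (addr)` test, and its declaration in the preceding hunk has no initializer; of_get_property() is not visible here, but if it leaves *lenp untouched when the property is absent, a device without a "reg" property compares an indeterminate value. The memcpy is still skipped in that case, but the read itself is undefined behaviour and will trip KMSAN-style tooling. Clamp and copy under one guard, sized from the buffer rather than a repeated literal: `if (addr) { if (addr_len > sizeof(addr_buf)) addr_len = sizeof(addr_buf); memcpy(addr_buf, addr, addr_len); }`. of_irq_parse_one begins and ends outside this hunk.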
+       /* Look for the interrupt parent. */
+       p = of_irq_find_parent(device);
+@@ -333,7 +340,7 @@ int of_irq_parse_one(struct device_node *device, int index, struct of_phandle_ar
+       /* Check if there are any interrupt-map translations to process */
+-      res = of_irq_parse_raw(addr, out_irq);
++      res = of_irq_parse_raw(addr_buf, out_irq);
+  out:
+       of_node_put(p);
+       return res;
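Review bot: Both call sites now pass `addr_buf`, which is never NULL, where the old code passed NULL for a device with no "reg" property. If of_irq_parse_raw() uses a NULL address to mean "no device address" (its body is not in this hunk), that signal is lost and three zero cells are matched against the interrupt-map instead; worth confirming the two cases are treated identically. Either way, a note at the declaration such as `/* zero-filled when the device has no reg property */` would document the new contract. of_irq_parse_one begins outside this hunk.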
+-- 
+2.43.0
+
diff --git a/queue-5.15/pci-add-missing-bridge-lock-to-pci_bus_lock.patch b/queue-5.15/pci-add-missing-bridge-lock-to-pci_bus_lock.patch
new file mode 100644 (file)
index 0000000..b26ca52
--- /dev/null
@@ -0,0 +1,163 @@
+From 2117a81156b5dbe587543a8292afec4c1f7eb576 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 May 2024 18:04:35 -0700
+Subject: PCI: Add missing bridge lock to pci_bus_lock()
+
+From: Dan Williams <dan.j.williams@intel.com>
+
+[ Upstream commit a4e772898f8bf2e7e1cf661a12c60a5612c4afab ]
+
+One of the true positives that the cfg_access_lock lockdep effort
+identified is this sequence:
+
+  WARNING: CPU: 14 PID: 1 at drivers/pci/pci.c:4886 pci_bridge_secondary_bus_reset+0x5d/0x70
+  RIP: 0010:pci_bridge_secondary_bus_reset+0x5d/0x70
+  Call Trace:
+   <TASK>
+   ? __warn+0x8c/0x190
+   ? pci_bridge_secondary_bus_reset+0x5d/0x70
+   ? report_bug+0x1f8/0x200
+   ? handle_bug+0x3c/0x70
+   ? exc_invalid_op+0x18/0x70
+   ? asm_exc_invalid_op+0x1a/0x20
+   ? pci_bridge_secondary_bus_reset+0x5d/0x70
+   pci_reset_bus+0x1d8/0x270
+   vmd_probe+0x778/0xa10
+   pci_device_probe+0x95/0x120
+
+Where pci_reset_bus() users are triggering unlocked secondary bus resets.
+Ironically pci_bus_reset(), several calls down from pci_reset_bus(), uses
+pci_bus_lock() before issuing the reset which locks everything *but* the
+bridge itself.
+
+For the same motivation as adding:
+
+  bridge = pci_upstream_bridge(dev);
+  if (bridge)
+    pci_dev_lock(bridge);
+
+to pci_reset_function() for the "bus" and "cxl_bus" reset cases, add
+pci_dev_lock() for @bus->self to pci_bus_lock().
+
+Link: https://lore.kernel.org/r/171711747501.1628941.15217746952476635316.stgit@dwillia2-xfh.jf.intel.com
+Reported-by: Imre Deak <imre.deak@intel.com>
+Closes: http://lore.kernel.org/r/6657833b3b5ae_14984b29437@dwillia2-xfh.jf.intel.com.notmuch
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+[bhelgaas: squash in recursive locking deadlock fix from Keith Busch:
+https://lore.kernel.org/r/20240711193650.701834-1-kbusch@meta.com]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Tested-by: Hans de Goede <hdegoede@redhat.com>
+Tested-by: Kalle Valo <kvalo@kernel.org>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/pci.c | 35 +++++++++++++++++++++--------------
+ 1 file changed, 21 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index a88909f2ae65..ee1d74f89a05 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -5496,10 +5496,12 @@ static void pci_bus_lock(struct pci_bus *bus)
+ {
+       struct pci_dev *dev;
++      pci_dev_lock(bus->self);
+       list_for_each_entry(dev, &bus->devices, bus_list) {
+-              pci_dev_lock(dev);
+               if (dev->subordinate)
+                       pci_bus_lock(dev->subordinate);
++              else
++                      pci_dev_lock(dev);
+       }
+ }
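Review bot: pci_bus_lock() now passes bus->self to pci_dev_lock() with no NULL check, and a root bus has no self bridge; the new lock is therefore only safe if every caller already rules out a root bus, which this hunk cannot show (the recursive calls are fine, since a subordinate bus's self is the bridge that owns it). A precondition comment at the top of the function, `/* bus->self must be non-NULL: never called for a root bus */`, would make that contract explicit; alternatively guard with `if (bus->self) pci_dev_lock(bus->self);` and mirror the same test in the unlock and trylock paths.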
+@@ -5511,8 +5513,10 @@ static void pci_bus_unlock(struct pci_bus *bus)
+       list_for_each_entry(dev, &bus->devices, bus_list) {
+               if (dev->subordinate)
+                       pci_bus_unlock(dev->subordinate);
+-              pci_dev_unlock(dev);
++              else
++                      pci_dev_unlock(dev);
+       }
++      pci_dev_unlock(bus->self);
+ }
+ /* Return 1 on successful lock, 0 on contention */
+@@ -5520,15 +5524,15 @@ static int pci_bus_trylock(struct pci_bus *bus)
+ {
+       struct pci_dev *dev;
++      if (!pci_dev_trylock(bus->self))
++              return 0;
++
+       list_for_each_entry(dev, &bus->devices, bus_list) {
+-              if (!pci_dev_trylock(dev))
+-                      goto unlock;
+               if (dev->subordinate) {
+-                      if (!pci_bus_trylock(dev->subordinate)) {
+-                              pci_dev_unlock(dev);
++                      if (!pci_bus_trylock(dev->subordinate))
+                               goto unlock;
+-                      }
+-              }
++              } else if (!pci_dev_trylock(dev))
++                      goto unlock;
+       }
+       return 1;
+@@ -5536,8 +5540,10 @@ static int pci_bus_trylock(struct pci_bus *bus)
+       list_for_each_entry_continue_reverse(dev, &bus->devices, bus_list) {
+               if (dev->subordinate)
+                       pci_bus_unlock(dev->subordinate);
+-              pci_dev_unlock(dev);
++              else
++                      pci_dev_unlock(dev);
+       }
++      pci_dev_unlock(bus->self);
+       return 0;
+ }
+@@ -5569,9 +5575,10 @@ static void pci_slot_lock(struct pci_slot *slot)
+       list_for_each_entry(dev, &slot->bus->devices, bus_list) {
+               if (!dev->slot || dev->slot != slot)
+                       continue;
+-              pci_dev_lock(dev);
+               if (dev->subordinate)
+                       pci_bus_lock(dev->subordinate);
++              else
++                      pci_dev_lock(dev);
+       }
+ }
+@@ -5597,14 +5604,13 @@ static int pci_slot_trylock(struct pci_slot *slot)
+       list_for_each_entry(dev, &slot->bus->devices, bus_list) {
+               if (!dev->slot || dev->slot != slot)
+                       continue;
+-              if (!pci_dev_trylock(dev))
+-                      goto unlock;
+               if (dev->subordinate) {
+                       if (!pci_bus_trylock(dev->subordinate)) {
+                               pci_dev_unlock(dev);
+                               goto unlock;
+                       }
+-              }
++              } else if (!pci_dev_trylock(dev))
++                      goto unlock;
+       }
+       return 1;
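Review bot: The failure branch in pci_slot_trylock() still calls pci_dev_unlock(dev) after a failed pci_bus_trylock(dev->subordinate), but with this change dev is no longer locked by this function before that call: the bridge is now locked only inside pci_bus_trylock() as bus->self, and that function releases it on every failure path (the early return never takes it, and the unwind path unlocks it before returning 0). The pci_dev_unlock(dev) here therefore releases a device lock this code does not hold, which is exactly the pairing the same commit removed from pci_bus_trylock(). The branch should read `if (!pci_bus_trylock(dev->subordinate)) goto unlock;` with the pci_dev_unlock(dev) dropped. pci_slot_trylock ends outside this hunk.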
+@@ -5615,7 +5621,8 @@ static int pci_slot_trylock(struct pci_slot *slot)
+                       continue;
+               if (dev->subordinate)
+                       pci_bus_unlock(dev->subordinate);
+-              pci_dev_unlock(dev);
++              else
++                      pci_dev_unlock(dev);
+       }
+       return 0;
+ }
+-- 
+2.43.0
+
diff --git a/queue-5.15/pci-hotplug-pnv_php-fix-hotplug-driver-crash-on-powe.patch b/queue-5.15/pci-hotplug-pnv_php-fix-hotplug-driver-crash-on-powe.patch
new file mode 100644 (file)
index 0000000..2ff3a36
--- /dev/null
@@ -0,0 +1,58 @@
+From c92cbae129c63279d42eefa53ebac06d84356350 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jul 2024 13:15:06 +0530
+Subject: pci/hotplug/pnv_php: Fix hotplug driver crash on Powernv
+
+From: Krishna Kumar <krishnak@linux.ibm.com>
+
+[ Upstream commit 335e35b748527f0c06ded9eebb65387f60647fda ]
+
+The hotplug driver for powerpc (pci/hotplug/pnv_php.c) causes a kernel
+crash when we try to hot-unplug/disable the PCIe switch/bridge from
+the PHB.
+
+The crash occurs because although the MSI data structure has been
+released during disable/hot-unplug path and it has been assigned
+with NULL, still during unregistration the code was again trying to
+explicitly disable the MSI which causes the NULL pointer dereference and
+kernel crash.
+
+The patch fixes the check during unregistration path to prevent invoking
+pci_disable_msi/msix() since its data structure is already freed.
+
+Reported-by: Timothy Pearson <tpearson@raptorengineering.com>
+Closes: https://lore.kernel.org/all/1981605666.2142272.1703742465927.JavaMail.zimbra@raptorengineeringinc.com/
+Acked-by: Bjorn Helgaas <bhelgaas@google.com>
+Tested-by: Shawn Anastasio <sanastasio@raptorengineering.com>
+Signed-off-by: Krishna Kumar <krishnak@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20240701074513.94873-2-krishnak@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/hotplug/pnv_php.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/pci/hotplug/pnv_php.c b/drivers/pci/hotplug/pnv_php.c
+index f4c2e6e01be0..e233f8402e8c 100644
+--- a/drivers/pci/hotplug/pnv_php.c
++++ b/drivers/pci/hotplug/pnv_php.c
+@@ -38,7 +38,6 @@ static void pnv_php_disable_irq(struct pnv_php_slot *php_slot,
+                               bool disable_device)
+ {
+       struct pci_dev *pdev = php_slot->pdev;
+-      int irq = php_slot->irq;
+       u16 ctrl;
+       if (php_slot->irq > 0) {
+@@ -57,7 +56,7 @@ static void pnv_php_disable_irq(struct pnv_php_slot *php_slot,
+               php_slot->wq = NULL;
+       }
+-      if (disable_device || irq > 0) {
++      if (disable_device) {
+               if (pdev->msix_enabled)
+                       pci_disable_msix(pdev);
+               else if (pdev->msi_enabled)
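Review bot: With `irq > 0` dropped from the condition, a slot that had an interrupt but is being disabled without disable_device now leaves MSI/MSI-X enabled, and the code gives no hint why that is correct; the reasoning (the unplug path has already torn down the MSI state, per the commit message) lives only in the changelog. Suggest `/* MSI/MSI-X state is already released by the unplug path; only disable it when the caller explicitly asks */` above the `if (disable_device)`. pnv_php_disable_irq begins and ends outside this hunk.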
+-- 
+2.43.0
+
diff --git a/queue-5.15/pci-keystone-add-workaround-for-errata-i2037-am65x-s.patch b/queue-5.15/pci-keystone-add-workaround-for-errata-i2037-am65x-s.patch
new file mode 100644 (file)
index 0000000..d406827
--- /dev/null
@@ -0,0 +1,129 @@
+From 035cb23c32c943e80d8608bcf8a7d33e46aee11c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Jun 2024 13:45:29 +0200
+Subject: PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kishon Vijay Abraham I <kishon@ti.com>
+
+[ Upstream commit 86f271f22bbb6391410a07e08d6ca3757fda01fa ]
+
+Errata #i2037 in AM65x/DRA80xM Processors Silicon Revision 1.0
+(SPRZ452D_July 2018_Revised December 2019 [1]) mentions when an
+inbound PCIe TLP spans more than two internal AXI 128-byte bursts,
+the bus may corrupt the packet payload and the corrupt data may
+cause associated applications or the processor to hang.
+
+The workaround for Errata #i2037 is to limit the maximum read
+request size and maximum payload size to 128 bytes. Add workaround
+for Errata #i2037 here.
+
+The errata and workaround is applicable only to AM65x SR 1.0 and
+later versions of the silicon will have this fixed.
+
+[1] -> https://www.ti.com/lit/er/sprz452i/sprz452i.pdf
+
+Link: https://lore.kernel.org/linux-pci/16e1fcae-1ea7-46be-b157-096e05661b15@siemens.com
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Achal Verma <a-verma1@ti.com>
+Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
+Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
+Signed-off-by: Krzysztof WilczyÅ„ski <kwilczynski@kernel.org>
+Reviewed-by: Siddharth Vadapalli <s-vadapalli@ti.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/dwc/pci-keystone.c | 44 ++++++++++++++++++++++-
+ 1 file changed, 43 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/pci/controller/dwc/pci-keystone.c b/drivers/pci/controller/dwc/pci-keystone.c
+index 09379e5f7724..24031123a550 100644
+--- a/drivers/pci/controller/dwc/pci-keystone.c
++++ b/drivers/pci/controller/dwc/pci-keystone.c
+@@ -35,6 +35,11 @@
+ #define PCIE_DEVICEID_SHIFT   16
+ /* Application registers */
++#define PID                           0x000
++#define RTL                           GENMASK(15, 11)
++#define RTL_SHIFT                     11
++#define AM6_PCI_PG1_RTL_VER           0x15
++
+ #define CMD_STATUS                    0x004
+ #define LTSSM_EN_VAL                  BIT(0)
+ #define OB_XLAT_EN_VAL                        BIT(1)
+@@ -105,6 +110,8 @@
+ #define to_keystone_pcie(x)           dev_get_drvdata((x)->dev)
++#define PCI_DEVICE_ID_TI_AM654X               0xb00c
++
+ struct ks_pcie_of_data {
+       enum dw_pcie_device_mode mode;
+       const struct dw_pcie_host_ops *host_ops;
+@@ -528,7 +535,11 @@ static int ks_pcie_start_link(struct dw_pcie *pci)
+ static void ks_pcie_quirk(struct pci_dev *dev)
+ {
+       struct pci_bus *bus = dev->bus;
++      struct keystone_pcie *ks_pcie;
++      struct device *bridge_dev;
+       struct pci_dev *bridge;
++      u32 val;
++
+       static const struct pci_device_id rc_pci_devids[] = {
+               { PCI_DEVICE(PCI_VENDOR_ID_TI, PCIE_RC_K2HK),
+                .class = PCI_CLASS_BRIDGE_PCI << 8, .class_mask = ~0, },
+@@ -540,6 +551,11 @@ static void ks_pcie_quirk(struct pci_dev *dev)
+                .class = PCI_CLASS_BRIDGE_PCI << 8, .class_mask = ~0, },
+               { 0, },
+       };
++      static const struct pci_device_id am6_pci_devids[] = {
++              { PCI_DEVICE(PCI_VENDOR_ID_TI, PCI_DEVICE_ID_TI_AM654X),
++               .class = PCI_CLASS_BRIDGE_PCI << 8, .class_mask = ~0, },
++              { 0, },
++      };
+       if (pci_is_root_bus(bus))
+               bridge = dev;
+@@ -561,10 +577,36 @@ static void ks_pcie_quirk(struct pci_dev *dev)
+        */
+       if (pci_match_id(rc_pci_devids, bridge)) {
+               if (pcie_get_readrq(dev) > 256) {
+-                      dev_info(&dev->dev, "limiting MRRS to 256\n");
++                      dev_info(&dev->dev, "limiting MRRS to 256 bytes\n");
+                       pcie_set_readrq(dev, 256);
+               }
+       }
++
++      /*
++       * Memory transactions fail with PCI controller in AM654 PG1.0
++       * when MRRS is set to more than 128 bytes. Force the MRRS to
++       * 128 bytes in all downstream devices.
++       */
++      if (pci_match_id(am6_pci_devids, bridge)) {
++              bridge_dev = pci_get_host_bridge_device(dev);
++              if (!bridge_dev && !bridge_dev->parent)
++                      return;
++
++              ks_pcie = dev_get_drvdata(bridge_dev->parent);
++              if (!ks_pcie)
++                      return;
++
++              val = ks_pcie_app_readl(ks_pcie, PID);
++              val &= RTL;
++              val >>= RTL_SHIFT;
++              if (val != AM6_PCI_PG1_RTL_VER)
++                      return;
++
++              if (pcie_get_readrq(dev) > 128) {
++                      dev_info(&dev->dev, "limiting MRRS to 128 bytes\n");
++                      pcie_set_readrq(dev, 128);
++              }
++      }
+ }
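Review bot: The guard `if (!bridge_dev && !bridge_dev->parent)` is inverted: when pci_get_host_bridge_device() returns NULL the first operand is true and the second dereferences that NULL, and when it returns a device with no parent neither operand trips, so dev_get_drvdata() is called on NULL on the next line. It should be `if (!bridge_dev || !bridge_dev->parent) return;`. Separately, if pci_get_host_bridge_device() takes a reference on the returned device (its implementation is not in this hunk), none of the exit paths after it drop one. ks_pcie_quirk begins outside this hunk.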
+ DECLARE_PCI_FIXUP_ENABLE(PCI_ANY_ID, PCI_ANY_ID, ks_pcie_quirk);
+-- 
+2.43.0
+
diff --git a/queue-5.15/pcmcia-use-resource_size-function-on-resource-object.patch b/queue-5.15/pcmcia-use-resource_size-function-on-resource-object.patch
new file mode 100644 (file)
index 0000000..cf7631d
--- /dev/null
@@ -0,0 +1,46 @@
+From 34322e1d100eb2bec1648fa7fad8294c4b8658f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 May 2024 23:31:21 +0100
+Subject: pcmcia: Use resource_size function on resource object
+
+From: Jules Irenge <jbi.octave@gmail.com>
+
+[ Upstream commit 24a025497e7e883bd2adef5d0ece1e9b9268009f ]
+
+Cocinnele reports a warning
+
+WARNING: Suspicious code. resource_size is maybe missing with root
+
+The root cause is the function resource_size is not used when needed
+
+Use resource_size() on variable "root" of type resource
+
+Signed-off-by: Jules Irenge <jbi.octave@gmail.com>
+Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pcmcia/yenta_socket.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/pcmcia/yenta_socket.c b/drivers/pcmcia/yenta_socket.c
+index 84bfc0e85d6b..f15b72c6e57e 100644
+--- a/drivers/pcmcia/yenta_socket.c
++++ b/drivers/pcmcia/yenta_socket.c
+@@ -636,11 +636,11 @@ static int yenta_search_one_res(struct resource *root, struct resource *res,
+               start = PCIBIOS_MIN_CARDBUS_IO;
+               end = ~0U;
+       } else {
+-              unsigned long avail = root->end - root->start;
++              unsigned long avail = resource_size(root);
+               int i;
+               size = BRIDGE_MEM_MAX;
+-              if (size > avail/8) {
+-                      size = (avail+1)/8;
++              if (size > (avail - 1) / 8) {
++                      size = avail / 8;
+                       /* round size down to next power of 2 */
+                       i = 0;
+                       while ((size /= 2) != 0)
+-- 
+2.43.0
+
diff --git a/queue-5.15/platform-x86-dell-smbios-fix-error-path-in-dell_smbi.patch b/queue-5.15/platform-x86-dell-smbios-fix-error-path-in-dell_smbi.patch
new file mode 100644 (file)
index 0000000..0f4346c
--- /dev/null
@@ -0,0 +1,54 @@
+From 522e9d2e8d15ad0d09bedbcee981040489b7b99d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Aug 2024 09:54:28 +0300
+Subject: platform/x86: dell-smbios: Fix error path in dell_smbios_init()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Aleksandr Mishin <amishin@t-argos.ru>
+
+[ Upstream commit ffc17e1479e8e9459b7afa80e5d9d40d0dd78abb ]
+
+In case of error in build_tokens_sysfs(), all the memory that has been
+allocated is freed at end of this function. But then free_group() is
+called which performs memory deallocation again.
+
+Also, instead of free_group() call, there should be exit_dell_smbios_smm()
+and exit_dell_smbios_wmi() calls, since there is initialization, but there
+is no release of resources in case of an error.
+
+Fix these issues by replacing free_group() call with
+exit_dell_smbios_wmi() and exit_dell_smbios_smm().
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 33b9ca1e53b4 ("platform/x86: dell-smbios: Add a sysfs interface for SMBIOS tokens")
+Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
+Link: https://lore.kernel.org/r/20240830065428.9544-1-amishin@t-argos.ru
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/dell/dell-smbios-base.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/dell/dell-smbios-base.c b/drivers/platform/x86/dell/dell-smbios-base.c
+index 77b0f5bbe3ac..b19c5ff31a70 100644
+--- a/drivers/platform/x86/dell/dell-smbios-base.c
++++ b/drivers/platform/x86/dell/dell-smbios-base.c
+@@ -589,7 +589,10 @@ static int __init dell_smbios_init(void)
+       return 0;
+ fail_sysfs:
+-      free_group(platform_device);
++      if (!wmi)
++              exit_dell_smbios_wmi();
++      if (!smm)
++              exit_dell_smbios_smm();
+ fail_create_group:
+       platform_device_del(platform_device);
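Review bot: `wmi` and `smm` are used here as "this backend was initialised" flags, but they are declared and assigned outside this hunk and the zero-means-success convention is not stated, so `if (!wmi)` reads naturally as "no WMI backend" — the opposite of what it means. Suggest `/* wmi/smm hold the init_dell_smbios_*() return codes: 0 means that backend came up and must be torn down */` above the first test. dell_smbios_init begins outside this hunk.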
+-- 
+2.43.0
+
diff --git a/queue-5.15/riscv-set-trap-vector-earlier.patch b/queue-5.15/riscv-set-trap-vector-earlier.patch
new file mode 100644 (file)
index 0000000..ec06aec
--- /dev/null
@@ -0,0 +1,40 @@
+From f21aaee1ede5572ec11401094eb07c64b267886d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 May 2024 10:24:45 +0800
+Subject: riscv: set trap vector earlier
+
+From: yang.zhang <yang.zhang@hexintek.com>
+
+[ Upstream commit 6ad8735994b854b23c824dd6b1dd2126e893a3b4 ]
+
+The exception vector of the booting hart is not set before enabling
+the mmu and then still points to the value of the previous firmware,
+typically _start. That makes it hard to debug setup_vm() when bad
+things happen. So fix that by setting the exception vector earlier.
+
+Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Signed-off-by: yang.zhang <yang.zhang@hexintek.com>
+Link: https://lore.kernel.org/r/20240508022445.6131-1-gaoshanliukou@163.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/riscv/kernel/head.S | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/riscv/kernel/head.S b/arch/riscv/kernel/head.S
+index 4c3c7592b6fc..a89c59fb08ba 100644
+--- a/arch/riscv/kernel/head.S
++++ b/arch/riscv/kernel/head.S
+@@ -309,6 +309,9 @@ clear_bss_done:
+ #else
+       mv a0, s1
+ #endif /* CONFIG_BUILTIN_DTB */
++      /* Set trap vector to spin forever to help debug */
++      la a3, .Lsecondary_park
++      csrw CSR_TVEC, a3
+       call setup_vm
+ #ifdef CONFIG_MMU
+       la a0, early_pg_dir
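Review bot: The new comment says the vector spins "to help debug", but the user-visible consequence is the reverse: any trap between here and the point where the kernel installs its real handler (not in this hunk) now parks the hart in .Lsecondary_park instead of jumping to whatever the firmware left in tvec, so a fault in setup_vm() becomes a silent hang that needs a debugger attached rather than a reboot. Suggest spelling that out: `/* Park on any early trap (tvec previously still held the firmware's vector, typically _start) so a fault in setup_vm() stops here for a debugger */`. a3 is a caller-saved temporary and setup_vm appears to take only a0, so the clobber looks fine.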
+-- 
+2.43.0
+
diff --git a/queue-5.15/s390-vmlinux.lds.s-move-ro_after_init-section-behind.patch b/queue-5.15/s390-vmlinux.lds.s-move-ro_after_init-section-behind.patch
new file mode 100644 (file)
index 0000000..3dc69e8
--- /dev/null
@@ -0,0 +1,75 @@
+From 64228d0cb6bb538752e21c8d68230ed1297edbce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jul 2024 13:06:43 +0200
+Subject: s390/vmlinux.lds.S: Move ro_after_init section behind rodata section
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+[ Upstream commit 75c10d5377d8821efafed32e4d72068d9c1f8ec0 ]
+
+The .data.rel.ro and .got section were added between the rodata and
+ro_after_init data section, which adds an RW mapping in between all RO
+mapping of the kernel image:
+
+---[ Kernel Image Start ]---
+0x000003ffe0000000-0x000003ffe0e00000        14M PMD RO X
+0x000003ffe0e00000-0x000003ffe0ec7000       796K PTE RO X
+0x000003ffe0ec7000-0x000003ffe0f00000       228K PTE RO NX
+0x000003ffe0f00000-0x000003ffe1300000         4M PMD RO NX
+0x000003ffe1300000-0x000003ffe1331000       196K PTE RO NX
+0x000003ffe1331000-0x000003ffe13b3000       520K PTE RW NX <---
+0x000003ffe13b3000-0x000003ffe13d5000       136K PTE RO NX
+0x000003ffe13d5000-0x000003ffe1400000       172K PTE RW NX
+0x000003ffe1400000-0x000003ffe1500000         1M PMD RW NX
+0x000003ffe1500000-0x000003ffe1700000         2M PTE RW NX
+0x000003ffe1700000-0x000003ffe1800000         1M PMD RW NX
+0x000003ffe1800000-0x000003ffe187e000       504K PTE RW NX
+---[ Kernel Image End ]---
+
+Move the ro_after_init data section again right behind the rodata
+section to prevent interleaving RO and RW mappings:
+
+---[ Kernel Image Start ]---
+0x000003ffe0000000-0x000003ffe0e00000        14M PMD RO X
+0x000003ffe0e00000-0x000003ffe0ec7000       796K PTE RO X
+0x000003ffe0ec7000-0x000003ffe0f00000       228K PTE RO NX
+0x000003ffe0f00000-0x000003ffe1300000         4M PMD RO NX
+0x000003ffe1300000-0x000003ffe1353000       332K PTE RO NX
+0x000003ffe1353000-0x000003ffe1400000       692K PTE RW NX
+0x000003ffe1400000-0x000003ffe1500000         1M PMD RW NX
+0x000003ffe1500000-0x000003ffe1700000         2M PTE RW NX
+0x000003ffe1700000-0x000003ffe1800000         1M PMD RW NX
+0x000003ffe1800000-0x000003ffe187e000       504K PTE RW NX
+---[ Kernel Image End ]---
+
+Reviewed-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/vmlinux.lds.S | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/arch/s390/kernel/vmlinux.lds.S b/arch/s390/kernel/vmlinux.lds.S
+index 853b80770c6d..bf509f6194d0 100644
+--- a/arch/s390/kernel/vmlinux.lds.S
++++ b/arch/s390/kernel/vmlinux.lds.S
+@@ -72,6 +72,15 @@ SECTIONS
+       . = ALIGN(PAGE_SIZE);
+       __end_ro_after_init = .;
++      .data.rel.ro : {
++              *(.data.rel.ro .data.rel.ro.*)
++      }
++      .got : {
++              __got_start = .;
++              *(.got)
++              __got_end = .;
++      }
++
+       RW_DATA(0x100, PAGE_SIZE, THREAD_SIZE)
+       BOOT_DATA_PRESERVED
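Review bot: The diffstat shows 9 insertions and no deletions, so this backport only adds .data.rel.ro and .got after __end_ro_after_init and removes nothing from between rodata and ro_after_init; unless this 5.15 script already placed those input sections explicitly elsewhere (not visible here), they were previously orphan sections positioned by the linker, and the RO/RW interleaving the description shows may not exist in this tree. Worth confirming with a before/after page-table dump on 5.15 before carrying the patch, and checking whether anything references the new __got_start/__got_end symbols (unreferenced symbols are harmless, but then the change is purely a layout move). The SECTIONS block continues outside this hunk.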
+-- 
+2.43.0
+
index 75d50ab5c4ed3372ba678349e4f63b29752edd51..9d114882b5e125a23c377056e3cf7c1367625cc5 100644 (file)
@@ -101,3 +101,74 @@ mptcp-pm-do-not-remove-already-closed-subflows.patch
 mptcp-pm-skip-connecting-to-already-established-sf.patch
 mptcp-pr_debug-add-missing-n-at-the-end.patch
 mptcp-pm-send-ack-on-an-active-subflow.patch
+alsa-hda-add-input-value-sanity-checks-to-hdmi-chann.patch
+smack-unix-sockets-fix-accept-ed-socket-label.patch
+irqchip-armada-370-xp-do-not-allow-mapping-irq-0-and.patch
+af_unix-remove-put_pid-put_cred-in-copy_peercred.patch
+iommu-sun50i-clear-bypass-register.patch
+netfilter-nf_conncount-fix-wrong-variable-type.patch
+udf-avoid-excessive-partition-lengths.patch
+media-vivid-fix-wrong-sizeimage-value-for-mplane.patch
+leds-spi-byte-call-of_node_put-on-error-path.patch
+wifi-brcmsmac-advertise-mfp_capable-to-enable-wpa3.patch
+usb-uas-set-host-status-byte-on-data-completion-erro.patch
+drm-amd-display-check-hdcp-returned-status.patch
+media-vivid-don-t-set-hdmi-tx-controls-if-there-are-.patch
+pci-keystone-add-workaround-for-errata-i2037-am65x-s.patch
+media-qcom-camss-add-check-for-v4l2_fwnode_endpoint_.patch
+pcmcia-use-resource_size-function-on-resource-object.patch
+drm-amdgpu-check-for-linear_aligned-correctly-in-che.patch
+can-bcm-remove-proc-entry-when-dev-is-unregistered.patch
+can-m_can-release-irq-on-error-in-m_can_open.patch
+igb-fix-not-clearing-timesync-interrupts-for-82580.patch
+platform-x86-dell-smbios-fix-error-path-in-dell_smbi.patch
+tcp_bpf-fix-return-value-of-tcp_bpf_sendmsg.patch-8319
+igc-unlock-on-error-in-igc_io_resume.patch
+ice-check-ice_vsi_down-under-rtnl_lock-when-preparin.patch
+net-usb-don-t-write-directly-to-netdev-dev_addr.patch
+usbnet-modern-method-to-get-random-mac.patch
+bareudp-fix-device-stats-updates.patch
+gro-remove-rcu_read_lock-rcu_read_unlock-from-gro_re.patch
+gro-remove-rcu_read_lock-rcu_read_unlock-from-gro_co.patch
+fou-fix-null-ptr-deref-in-gro.patch
+net-bridge-br_fdb_external_learn_add-always-set-ext_.patch
+net-dsa-vsc73xx-fix-possible-subblocks-range-of-capt.patch
+asoc-topology-properly-initialize-soc_enum-values.patch
+dm-init-handle-minors-larger-than-255.patch
+iommu-vt-d-handle-volatile-descriptor-status-read.patch
+cgroup-protect-css-cgroup-write-under-css_set_lock.patch
+um-line-always-fill-error_out-in-setup_one_line.patch
+devres-initialize-an-uninitialized-struct-member.patch
+pci-hotplug-pnv_php-fix-hotplug-driver-crash-on-powe.patch
+hwmon-adc128d818-fix-underflows-seen-when-writing-li.patch
+hwmon-lm95234-fix-underflows-seen-when-writing-limit.patch
+hwmon-nct6775-core-fix-underflows-seen-when-writing-.patch
+hwmon-w83627ehf-fix-underflows-seen-when-writing-lim.patch
+libbpf-add-null-checks-to-bpf_object__-prev_map-next.patch
+drm-amdgpu-set-no_hw_access-when-vf-request-full-gpu.patch
+ext4-fix-possible-tid_t-sequence-overflows.patch
+dma-mapping-benchmark-don-t-starve-others-when-doing.patch
+wifi-mwifiex-do-not-return-unused-priv-in-mwifiex_ge.patch
+smp-add-missing-destroy_work_on_stack-call-in-smp_ca.patch
+fs-ntfs3-check-more-cases-when-directory-is-corrupte.patch
+btrfs-replace-bug_on-with-assert-in-walk_down_proc.patch
+btrfs-clean-up-our-handling-of-refs-0-in-snapshot-de.patch
+btrfs-replace-bug_on-with-error-handling-at-update_r.patch
+riscv-set-trap-vector-earlier.patch
+pci-add-missing-bridge-lock-to-pci_bus_lock.patch
+net-dpaa-avoid-on-stack-arrays-of-nr_cpus-elements.patch
+irqchip-gic-v4-always-configure-affinity-on-vpe-acti.patch
+i3c-mipi-i3c-hci-error-out-instead-on-bug_on-in-ibi-.patch
+kselftests-dmabuf-heaps-ensure-the-driver-name-is-nu.patch
+btrfs-initialize-location-to-fix-wmaybe-uninitialize.patch
+s390-vmlinux.lds.s-move-ro_after_init-section-behind.patch
+hid-cougar-fix-slab-out-of-bounds-read-in-cougar_rep.patch
+hid-amd_sfh-free-driver_data-after-destroying-hid-de.patch
+input-uinput-reject-requests-with-unreasonable-numbe.patch
+usbnet-ipheth-race-between-ipheth_close-and-error-ha.patch
+squashfs-sanity-check-symbolic-link-size.patch
+of-irq-prevent-device-address-out-of-bounds-read-in-.patch
+lib-generic-radix-tree.c-fix-rare-race-in-__genradix.patch
+mips-cevt-r4k-don-t-call-get_c0_compare_int-if-timer.patch
+ata-pata_macio-use-warn-instead-of-bug.patch
+nfsv4-add-missing-rescheduling-points-in-nfs_client_.patch
diff --git a/queue-5.15/smack-unix-sockets-fix-accept-ed-socket-label.patch b/queue-5.15/smack-unix-sockets-fix-accept-ed-socket-label.patch
new file mode 100644 (file)
index 0000000..8bd09da
--- /dev/null
@@ -0,0 +1,60 @@
+From d4507d4124fdd26c5814b633d654cb1a10602fb3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Jun 2024 01:44:30 +0300
+Subject: smack: unix sockets: fix accept()ed socket label
+
+From: Konstantin Andreev <andreev@swemel.ru>
+
+[ Upstream commit e86cac0acdb1a74f608bacefe702f2034133a047 ]
+
+When a process accept()s connection from a unix socket
+(either stream or seqpacket)
+it gets the socket with the label of the connecting process.
+
+For example, if a connecting process has a label 'foo',
+the accept()ed socket will also have 'in' and 'out' labels 'foo',
+regardless of the label of the listener process.
+
+This is because kernel creates unix child sockets
+in the context of the connecting process.
+
+I do not see any obvious way for the listener to abuse
+alien labels coming with the new socket, but,
+to be on the safe side, it's better fix new socket labels.
+
+Signed-off-by: Konstantin Andreev <andreev@swemel.ru>
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/smack/smack_lsm.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index 25c46b56fae8..1eaf3e075db6 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -3641,12 +3641,18 @@ static int smack_unix_stream_connect(struct sock *sock,
+               }
+       }
+-      /*
+-       * Cross reference the peer labels for SO_PEERSEC.
+-       */
+       if (rc == 0) {
++              /*
++               * Cross reference the peer labels for SO_PEERSEC.
++               */
+               nsp->smk_packet = ssp->smk_out;
+               ssp->smk_packet = osp->smk_out;
++
++              /*
++               * new/child/established socket must inherit listening socket labels
++               */
++              nsp->smk_out = osp->smk_out;
++              nsp->smk_in  = osp->smk_in;
+       }
+       return rc;
+-- 
+2.43.0
+
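Review bot: The comment added above the two label assignments says what is done but not why, and the reason given in the description (the child socket is created in the connecting task's context, so it starts out with that task's labels) is exactly what a later reader of smack_unix_stream_connect will want: `/* The child socket was created in the connecting task's context and so carries its labels; an accept()ed socket must carry the listener's instead. */`. It would also be worth stating that the two smk_packet assignments above deliberately keep the peer's label, so nobody "fixes" them to match. smack_unix_stream_connect's body begins outside the hunk.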
diff --git a/queue-5.15/smp-add-missing-destroy_work_on_stack-call-in-smp_ca.patch b/queue-5.15/smp-add-missing-destroy_work_on_stack-call-in-smp_ca.patch
new file mode 100644 (file)
index 0000000..f9ac036
--- /dev/null
@@ -0,0 +1,45 @@
+From 980ff31965d13cc50ca842bce398a76ec2d6f146 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jul 2024 14:52:13 +0800
+Subject: smp: Add missing destroy_work_on_stack() call in smp_call_on_cpu()
+
+From: Zqiang <qiang.zhang1211@gmail.com>
+
+[ Upstream commit 77aeb1b685f9db73d276bad4bb30d48505a6fd23 ]
+
+For CONFIG_DEBUG_OBJECTS_WORK=y kernels sscs.work defined by
+INIT_WORK_ONSTACK() is initialized by debug_object_init_on_stack() for
+the debug check in __init_work() to work correctly.
+
+But this lacks the counterpart to remove the tracked object from debug
+objects again, which will cause a debug object warning once the stack is
+freed.
+
+Add the missing destroy_work_on_stack() invocation to cure that.
+
+[ tglx: Massaged changelog ]
+
+Signed-off-by: Zqiang <qiang.zhang1211@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Paul E. McKenney <paulmck@kernel.org>
+Link: https://lore.kernel.org/r/20240704065213.13559-1-qiang.zhang1211@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/smp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/smp.c b/kernel/smp.c
+index 82825345432c..b60525b34ab0 100644
+--- a/kernel/smp.c
++++ b/kernel/smp.c
+@@ -1233,6 +1233,7 @@ int smp_call_on_cpu(unsigned int cpu, int (*func)(void *), void *par, bool phys)
+       queue_work_on(cpu, system_wq, &sscs.work);
+       wait_for_completion(&sscs.done);
++      destroy_work_on_stack(&sscs.work);
+       return sscs.ret;
+ }
+-- 
+2.43.0
+
diff --git a/queue-5.15/squashfs-sanity-check-symbolic-link-size.patch b/queue-5.15/squashfs-sanity-check-symbolic-link-size.patch
new file mode 100644 (file)
index 0000000..384c3b2
--- /dev/null
@@ -0,0 +1,68 @@
+From 89b97f0d8f0440ab6384e40ced34db01e1f5f092 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Aug 2024 00:28:21 +0100
+Subject: Squashfs: sanity check symbolic link size
+
+From: Phillip Lougher <phillip@squashfs.org.uk>
+
+[ Upstream commit 810ee43d9cd245d138a2733d87a24858a23f577d ]
+
+Syzkiller reports a "KMSAN: uninit-value in pick_link" bug.
+
+This is caused by an uninitialised page, which is ultimately caused
+by a corrupted symbolic link size read from disk.
+
+The reason why the corrupted symlink size causes an uninitialised
+page is due to the following sequence of events:
+
+1. squashfs_read_inode() is called to read the symbolic
+   link from disk.  This assigns the corrupted value
+   3875536935 to inode->i_size.
+
+2. Later squashfs_symlink_read_folio() is called, which assigns
+   this corrupted value to the length variable, which being a
+   signed int, overflows producing a negative number.
+
+3. The following loop that fills in the page contents checks that
+   the copied bytes is less than length, which being negative means
+   the loop is skipped, producing an uninitialised page.
+
+This patch adds a sanity check which checks that the symbolic
+link size is not larger than expected.
+
+--
+
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+Link: https://lore.kernel.org/r/20240811232821.13903-1-phillip@squashfs.org.uk
+Reported-by: Lizhi Xu <lizhi.xu@windriver.com>
+Reported-by: syzbot+24ac24ff58dc5b0d26b9@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/000000000000a90e8c061e86a76b@google.com/
+V2: fix spelling mistake.
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/squashfs/inode.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/fs/squashfs/inode.c b/fs/squashfs/inode.c
+index 24463145b351..f31649080a88 100644
+--- a/fs/squashfs/inode.c
++++ b/fs/squashfs/inode.c
+@@ -276,8 +276,13 @@ int squashfs_read_inode(struct inode *inode, long long ino)
+               if (err < 0)
+                       goto failed_read;
+-              set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
+               inode->i_size = le32_to_cpu(sqsh_ino->symlink_size);
++              if (inode->i_size > PAGE_SIZE) {
++                      ERROR("Corrupted symlink\n");
++                      return -EINVAL;
++              }
++
++              set_nlink(inode, le32_to_cpu(sqsh_ino->nlink));
+               inode->i_op = &squashfs_symlink_inode_ops;
+               inode_nohighmem(inode);
+               inode->i_data.a_ops = &squashfs_symlink_aops;
+-- 
+2.43.0
+
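Review bot: The new `ERROR("Corrupted symlink\n")` gives no detail, yet this check exists to catch on-disk corruption, where the offending value is what an operator needs to triage a bad image: `ERROR("Corrupted symlink size %lld in inode 0x%llx\n", (long long)inode->i_size, ino);` (ino is the function's `long long` parameter). The limit is PAGE_SIZE rather than the int range the description's overflow story would imply, so a one-line comment on why a page is the bound (presumably because the symlink reader fills a single page) would save the next reader the trip to the read path. squashfs_read_inode continues outside the hunk.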
diff --git a/queue-5.15/tcp_bpf-fix-return-value-of-tcp_bpf_sendmsg.patch-8319 b/queue-5.15/tcp_bpf-fix-return-value-of-tcp_bpf_sendmsg.patch-8319
new file mode 100644 (file)
index 0000000..d5e70ed
--- /dev/null
@@ -0,0 +1,96 @@
+From 42df3dda910048bbb05ac5b1d13258ecba3d6cb3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Aug 2024 20:07:44 -0700
+Subject: tcp_bpf: fix return value of tcp_bpf_sendmsg()
+
+From: Cong Wang <cong.wang@bytedance.com>
+
+[ Upstream commit fe1910f9337bd46a9343967b547ccab26b4b2c6e ]
+
+When we cork messages in psock->cork, the last message triggers the
+flushing will result in sending a sk_msg larger than the current
+message size. In this case, in tcp_bpf_send_verdict(), 'copied' becomes
+negative at least in the following case:
+
+468         case __SK_DROP:
+469         default:
+470                 sk_msg_free_partial(sk, msg, tosend);
+471                 sk_msg_apply_bytes(psock, tosend);
+472                 *copied -= (tosend + delta); // <==== HERE
+473                 return -EACCES;
+
+Therefore, it could lead to the following BUG with a proper value of
+'copied' (thanks to syzbot). We should not use negative 'copied' as a
+return value here.
+
+  ------------[ cut here ]------------
+  kernel BUG at net/socket.c:733!
+  Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
+  Modules linked in:
+  CPU: 0 UID: 0 PID: 3265 Comm: syz-executor510 Not tainted 6.11.0-rc3-syzkaller-00060-gd07b43284ab3 #0
+  Hardware name: linux,dummy-virt (DT)
+  pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
+  pc : sock_sendmsg_nosec net/socket.c:733 [inline]
+  pc : sock_sendmsg_nosec net/socket.c:728 [inline]
+  pc : __sock_sendmsg+0x5c/0x60 net/socket.c:745
+  lr : sock_sendmsg_nosec net/socket.c:730 [inline]
+  lr : __sock_sendmsg+0x54/0x60 net/socket.c:745
+  sp : ffff800088ea3b30
+  x29: ffff800088ea3b30 x28: fbf00000062bc900 x27: 0000000000000000
+  x26: ffff800088ea3bc0 x25: ffff800088ea3bc0 x24: 0000000000000000
+  x23: f9f00000048dc000 x22: 0000000000000000 x21: ffff800088ea3d90
+  x20: f9f00000048dc000 x19: ffff800088ea3d90 x18: 0000000000000001
+  x17: 0000000000000000 x16: 0000000000000000 x15: 000000002002ffaf
+  x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
+  x11: 0000000000000000 x10: ffff8000815849c0 x9 : ffff8000815b49c0
+  x8 : 0000000000000000 x7 : 000000000000003f x6 : 0000000000000000
+  x5 : 00000000000007e0 x4 : fff07ffffd239000 x3 : fbf00000062bc900
+  x2 : 0000000000000000 x1 : 0000000000000000 x0 : 00000000fffffdef
+  Call trace:
+   sock_sendmsg_nosec net/socket.c:733 [inline]
+   __sock_sendmsg+0x5c/0x60 net/socket.c:745
+   ____sys_sendmsg+0x274/0x2ac net/socket.c:2597
+   ___sys_sendmsg+0xac/0x100 net/socket.c:2651
+   __sys_sendmsg+0x84/0xe0 net/socket.c:2680
+   __do_sys_sendmsg net/socket.c:2689 [inline]
+   __se_sys_sendmsg net/socket.c:2687 [inline]
+   __arm64_sys_sendmsg+0x24/0x30 net/socket.c:2687
+   __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
+   invoke_syscall+0x48/0x110 arch/arm64/kernel/syscall.c:49
+   el0_svc_common.constprop.0+0x40/0xe0 arch/arm64/kernel/syscall.c:132
+   do_el0_svc+0x1c/0x28 arch/arm64/kernel/syscall.c:151
+   el0_svc+0x34/0xec arch/arm64/kernel/entry-common.c:712
+   el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
+   el0t_64_sync+0x19c/0x1a0 arch/arm64/kernel/entry.S:598
+  Code: f9404463 d63f0060 3108441f 54fffe81 (d4210000)
+  ---[ end trace 0000000000000000 ]---
+
+Fixes: 4f738adba30a ("bpf: create tcp_bpf_ulp allowing BPF to monitor socket TX/RX data")
+Reported-by: syzbot+58c03971700330ce14d8@syzkaller.appspotmail.com
+Cc: Jakub Sitnicki <jakub@cloudflare.com>
+Signed-off-by: Cong Wang <cong.wang@bytedance.com>
+Reviewed-by: John Fastabend <john.fastabend@gmail.com>
+Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
+Link: https://patch.msgid.link/20240821030744.320934-1-xiyou.wangcong@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_bpf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
+index f8685237033f..f7b0027ae201 100644
+--- a/net/ipv4/tcp_bpf.c
++++ b/net/ipv4/tcp_bpf.c
+@@ -533,7 +533,7 @@ static int tcp_bpf_sendmsg(struct sock *sk, struct msghdr *msg, size_t size)
+               err = sk_stream_error(sk, msg->msg_flags, err);
+       release_sock(sk);
+       sk_psock_put(sk, psock);
+-      return copied ? copied : err;
++      return copied > 0 ? copied : err;
+ }
+ static int tcp_bpf_sendpage(struct sock *sk, struct page *page, int offset,
+-- 
+2.43.0
+
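Review bot: `return copied > 0 ? copied : err;` makes the result depend on `err` being non-zero whenever `copied` has gone negative; if `err` can still be 0 on that path the caller is told zero bytes were sent rather than given an error, which the lines visible here cannot rule out. Worth confirming, and either way the non-obvious reason for the `> 0` deserves a comment so it is not simplified back: `/* copied can go negative when a corked batch is dropped in tcp_bpf_send_verdict(); never return it as a byte count */`. tcp_bpf_sendmsg's body begins outside the hunk.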
diff --git a/queue-5.15/udf-avoid-excessive-partition-lengths.patch b/queue-5.15/udf-avoid-excessive-partition-lengths.patch
new file mode 100644 (file)
index 0000000..76c944c
--- /dev/null
@@ -0,0 +1,63 @@
+From 946213db61fdf4817b39c905896a333b42ad0cfb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Jun 2024 12:52:17 +0200
+Subject: udf: Avoid excessive partition lengths
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit ebbe26fd54a9621994bc16b14f2ba8f84c089693 ]
+
+Avoid mounting filesystems where the partition would overflow the
+32-bits used for block number. Also refuse to mount filesystems where
+the partition length is so large we cannot safely index bits in a
+block bitmap.
+
+Link: https://patch.msgid.link/20240620130403.14731-1-jack@suse.cz
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/udf/super.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/fs/udf/super.c b/fs/udf/super.c
+index 8691f7c31bf9..4275d2bc0c36 100644
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -1084,12 +1084,19 @@ static int udf_fill_partdesc_info(struct super_block *sb,
+       struct udf_part_map *map;
+       struct udf_sb_info *sbi = UDF_SB(sb);
+       struct partitionHeaderDesc *phd;
++      u32 sum;
+       int err;
+       map = &sbi->s_partmaps[p_index];
+       map->s_partition_len = le32_to_cpu(p->partitionLength); /* blocks */
+       map->s_partition_root = le32_to_cpu(p->partitionStartingLocation);
++      if (check_add_overflow(map->s_partition_root, map->s_partition_len,
++                             &sum)) {
++              udf_err(sb, "Partition %d has invalid location %u + %u\n",
++                      p_index, map->s_partition_root, map->s_partition_len);
++              return -EFSCORRUPTED;
++      }
+       if (p->accessType == cpu_to_le32(PD_ACCESS_TYPE_READ_ONLY))
+               map->s_partition_flags |= UDF_PART_FLAG_READ_ONLY;
+@@ -1145,6 +1152,14 @@ static int udf_fill_partdesc_info(struct super_block *sb,
+               bitmap->s_extPosition = le32_to_cpu(
+                               phd->unallocSpaceBitmap.extPosition);
+               map->s_partition_flags |= UDF_PART_FLAG_UNALLOC_BITMAP;
++              /* Check whether math over bitmap won't overflow. */
++              if (check_add_overflow(map->s_partition_len,
++                                     sizeof(struct spaceBitmapDesc) << 3,
++                                     &sum)) {
++                      udf_err(sb, "Partition %d is too long (%u)\n", p_index,
++                              map->s_partition_len);
++                      return -EFSCORRUPTED;
++              }
+               udf_debug("unallocSpaceBitmap (part %d) @ %u\n",
+                         p_index, bitmap->s_extPosition);
+       }
+-- 
+2.43.0
+
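Review bot: `sizeof(struct spaceBitmapDesc) << 3` in the second hunk is a byte-to-bit conversion hidden in a shift; `sizeof(struct spaceBitmapDesc) * BITS_PER_BYTE` states the intent and is what the "math over bitmap" comment is about (presumably the bit index formed from the descriptor header plus the block number, which must fit a u32). `sum` is only an overflow sink for both check_add_overflow() calls and is never read, which is fine under kernel convention but worth a word at its declaration, `u32 sum; /* overflow sink only */`, so nobody wonders about the unused value. udf_fill_partdesc_info continues outside both hunks.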
diff --git a/queue-5.15/um-line-always-fill-error_out-in-setup_one_line.patch b/queue-5.15/um-line-always-fill-error_out-in-setup_one_line.patch
new file mode 100644 (file)
index 0000000..0de5185
--- /dev/null
@@ -0,0 +1,44 @@
+From 826bb1fc518a51321b3385337a720070162e434a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jul 2024 17:22:36 +0200
+Subject: um: line: always fill *error_out in setup_one_line()
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 824ac4a5edd3f7494ab1996826c4f47f8ef0f63d ]
+
+The pointer isn't initialized by callers, but I have
+encountered cases where it's still printed; initialize
+it in all possible cases in setup_one_line().
+
+Link: https://patch.msgid.link/20240703172235.ad863568b55f.Iaa1eba4db8265d7715ba71d5f6bb8c7ff63d27e9@changeid
+Acked-By: Anton Ivanov <anton.ivanov@cambridgegreys.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/drivers/line.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/um/drivers/line.c b/arch/um/drivers/line.c
+index 95ad6b190d1d..6b4faca401ea 100644
+--- a/arch/um/drivers/line.c
++++ b/arch/um/drivers/line.c
+@@ -383,6 +383,7 @@ int setup_one_line(struct line *lines, int n, char *init,
+                       parse_chan_pair(NULL, line, n, opts, error_out);
+                       err = 0;
+               }
++              *error_out = "configured as 'none'";
+       } else {
+               char *new = kstrdup(init, GFP_KERNEL);
+               if (!new) {
+@@ -406,6 +407,7 @@ int setup_one_line(struct line *lines, int n, char *init,
+                       }
+               }
+               if (err) {
++                      *error_out = "failed to parse channel pair";
+                       line->init_str = NULL;
+                       line->valid = 0;
+                       kfree(new);
+-- 
+2.43.0
+
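Review bot: `*error_out = "configured as 'none'";` in the first hunk runs after `parse_chan_pair(NULL, line, n, opts, error_out)` and unconditionally overwrites whatever that call stored; if parse_chan_pair() can fail and report through error_out, the more specific message is lost, although `err = 0` on the line above already discards its result. If filling the pointer on the success path is intended, as the description suggests (callers print it regardless), say so where it happens: `/* always set: callers may print *error_out even when err == 0 */`. The same question applies to the second hunk, where the parse that precedes `if (err)` is outside the hunk and may already have set error_out. setup_one_line's body begins and continues outside both hunks.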
diff --git a/queue-5.15/usb-uas-set-host-status-byte-on-data-completion-erro.patch b/queue-5.15/usb-uas-set-host-status-byte-on-data-completion-erro.patch
new file mode 100644 (file)
index 0000000..9a10ca6
--- /dev/null
@@ -0,0 +1,41 @@
+From cd7902d8ecd562a84d65cfac5b5d458be9dfebc1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Jun 2024 23:32:57 -0400
+Subject: usb: uas: set host status byte on data completion error
+
+From: Shantanu Goel <sgoel01@yahoo.com>
+
+[ Upstream commit 9d32685a251a754f1823d287df233716aa23bcb9 ]
+
+Set the host status byte when a data completion error is encountered
+otherwise the upper layer may end up using the invalid zero'ed data.
+The following output was observed from scsi/sd.c prior to this fix.
+
+[   11.872824] sd 0:0:0:1: [sdf] tag#9 data cmplt err -75 uas-tag 1 inflight:
+[   11.872826] sd 0:0:0:1: [sdf] tag#9 CDB: Read capacity(16) 9e 10 00 00 00 00 00 00 00 00 00 00 00 20 00 00
+[   11.872830] sd 0:0:0:1: [sdf] Sector size 0 reported, assuming 512.
+
+Signed-off-by: Shantanu Goel <sgoel01@yahoo.com>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Link: https://lore.kernel.org/r/87msnx4ec6.fsf@yahoo.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/storage/uas.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c
+index 11a551a9cd05..aa61b1041028 100644
+--- a/drivers/usb/storage/uas.c
++++ b/drivers/usb/storage/uas.c
+@@ -422,6 +422,7 @@ static void uas_data_cmplt(struct urb *urb)
+                       uas_log_cmd_state(cmnd, "data cmplt err", status);
+               /* error: no data transfered */
+               scsi_set_resid(cmnd, sdb->length);
++              set_host_byte(cmnd, DID_ERROR);
+       } else {
+               scsi_set_resid(cmnd, sdb->length - urb->actual_length);
+       }
+-- 
+2.43.0
+
diff --git a/queue-5.15/usbnet-ipheth-race-between-ipheth_close-and-error-ha.patch b/queue-5.15/usbnet-ipheth-race-between-ipheth_close-and-error-ha.patch
new file mode 100644 (file)
index 0000000..0703aad
--- /dev/null
@@ -0,0 +1,44 @@
+From 9b798fb0cba3a2ab7cbf47e27fb81905beecb03b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Aug 2024 19:28:05 +0200
+Subject: usbnet: ipheth: race between ipheth_close and error handling
+
+From: Oliver Neukum <oneukum@suse.com>
+
+[ Upstream commit e5876b088ba03a62124266fa20d00e65533c7269 ]
+
+ipheth_sndbulk_callback() can submit carrier_work
+as a part of its error handling. That means that
+the driver must make sure that the work is cancelled
+after it has made sure that no more URB can terminate
+with an error condition.
+
+Hence the order of actions in ipheth_close() needs
+to be inverted.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Foster Snowhill <forst@pen.gy>
+Tested-by: Georgi Valkov <gvalkov@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/ipheth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c
+index d56e276e4d80..4485388dcff2 100644
+--- a/drivers/net/usb/ipheth.c
++++ b/drivers/net/usb/ipheth.c
+@@ -353,8 +353,8 @@ static int ipheth_close(struct net_device *net)
+ {
+       struct ipheth_device *dev = netdev_priv(net);
+-      cancel_delayed_work_sync(&dev->carrier_work);
+       netif_stop_queue(net);
++      cancel_delayed_work_sync(&dev->carrier_work);
+       return 0;
+ }
+-- 
+2.43.0
+
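Review bot: netif_stop_queue() only stops new packets from being queued; it does not wait for URBs already submitted, so a completion running after cancel_delayed_work_sync() could still requeue carrier_work unless outstanding URBs are retired somewhere not visible in this hunk. If that happens elsewhere (for example in the disconnect path), a comment on the reorder would make the ordering self-explaining: `/* stop new tx first so no further URB can fail and requeue carrier_work before it is cancelled */`. Worth confirming that no in-flight URB can complete between these two calls.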
diff --git a/queue-5.15/usbnet-modern-method-to-get-random-mac.patch b/queue-5.15/usbnet-modern-method-to-get-random-mac.patch
new file mode 100644 (file)
index 0000000..6c52967
--- /dev/null
@@ -0,0 +1,75 @@
+From 513aae7117344a0a99858f55e95e98b4ee30973f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 19:50:55 +0200
+Subject: usbnet: modern method to get random MAC
+
+From: Oliver Neukum <oneukum@suse.com>
+
+[ Upstream commit bab8eb0dd4cb995caa4a0529d5655531c2ec5e8e ]
+
+The driver generates a random MAC once on load
+and uses it over and over, including on two devices
+needing a random MAC at the same time.
+
+Jakub suggested revamping the driver to the modern
+API for setting a random MAC rather than fixing
+the old stuff.
+
+The bug is as old as the driver.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Link: https://patch.msgid.link/20240829175201.670718-1-oneukum@suse.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/usbnet.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
+index 95b8c612a179..8e4f85fb8c77 100644
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -64,9 +64,6 @@
+ /*-------------------------------------------------------------------------*/
+-// randomly generated ethernet address
+-static u8     node_id [ETH_ALEN];
+-
+ /* use ethtool to change the level for any given device */
+ static int msg_level = -1;
+ module_param (msg_level, int, 0);
+@@ -1729,7 +1726,6 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod)
+       dev->net = net;
+       strscpy(net->name, "usb%d", sizeof(net->name));
+-      eth_hw_addr_set(net, node_id);
+       /* rx and tx sides can use different message sizes;
+        * bind() should set rx_urb_size in that case.
+@@ -1803,9 +1799,9 @@ usbnet_probe (struct usb_interface *udev, const struct usb_device_id *prod)
+               goto out4;
+       }
+-      /* let userspace know we have a random address */
+-      if (ether_addr_equal(net->dev_addr, node_id))
+-              net->addr_assign_type = NET_ADDR_RANDOM;
++      /* this flags the device for user space */
++      if (!is_valid_ether_addr(net->dev_addr))
++              eth_hw_addr_random(net);
+       if ((dev->driver_info->flags & FLAG_WLAN) != 0)
+               SET_NETDEV_DEVTYPE(net, &wlan_type);
+@@ -2215,7 +2211,6 @@ static int __init usbnet_init(void)
+       BUILD_BUG_ON(
+               sizeof_field(struct sk_buff, cb) < sizeof(struct skb_data));
+-      eth_random_addr(node_id);
+       return 0;
+ }
+ module_init(usbnet_init);
+-- 
+2.43.0
+
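Review bot: The kept comment `/* this flags the device for user space */` no longer describes the line under it, which now picks a random address only when bind() left none; a comment that matches the code would be `/* bind() may not have set a MAC: generate a per-device random one (eth_hw_addr_random() also marks it NET_ADDR_RANDOM for user space) */`. Separately, removing `eth_hw_addr_set(net, node_id)` before bind() means a sub-driver that read or compared net->dev_addr before setting it now sees whatever alloc_etherdev left there; the hunk gives no way to tell whether any bind() implementation relied on that, so it is worth a check. usbnet_probe continues outside the hunks.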
diff --git a/queue-5.15/wifi-brcmsmac-advertise-mfp_capable-to-enable-wpa3.patch b/queue-5.15/wifi-brcmsmac-advertise-mfp_capable-to-enable-wpa3.patch
new file mode 100644 (file)
index 0000000..c3e4ddc
--- /dev/null
@@ -0,0 +1,38 @@
+From f81e043c756fdd357c70db354de5cdc83da6f92f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Jun 2024 14:26:09 +0200
+Subject: wifi: brcmsmac: advertise MFP_CAPABLE to enable WPA3
+
+From: Arend van Spriel <arend.vanspriel@broadcom.com>
+
+[ Upstream commit dbb5265a5d7cca1cdba7736dba313ab7d07bc19d ]
+
+After being asked about support for WPA3 for BCM43224 chipset it
+was found that all it takes is setting the MFP_CAPABLE flag and
+mac80211 will take care of all that is needed [1].
+
+Link: https://lore.kernel.org/linux-wireless/20200526155909.5807-2-Larry.Finger@lwfinger.net/ [1]
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Tested-by: Reijer Boekhoff <reijerboekhoff@protonmail.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://patch.msgid.link/20240617122609.349582-1-arend.vanspriel@broadcom.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
+index eadac0f5590f..e09f5416abe7 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c
+@@ -1088,6 +1088,7 @@ static int ieee_hw_init(struct ieee80211_hw *hw)
+       ieee80211_hw_set(hw, AMPDU_AGGREGATION);
+       ieee80211_hw_set(hw, SIGNAL_DBM);
+       ieee80211_hw_set(hw, REPORTS_TX_ACK_STATUS);
++      ieee80211_hw_set(hw, MFP_CAPABLE);
+       hw->extra_tx_headroom = brcms_c_get_header_len();
+       hw->queues = N_TX_QUEUES;
+-- 
+2.43.0
+
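Review bot: `ieee80211_hw_set(hw, MFP_CAPABLE)` asserts to mac80211 that protected management frames are handled for this hardware, and nothing next to the flag records that this rests on mac80211 doing the work rather than the chip, which is the whole justification in the description; a comment would keep that from being lost: `/* MFP is handled by mac80211 for this driver; enables PMF/WPA3 */`. ieee_hw_init's body continues outside the hunk.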
diff --git a/queue-5.15/wifi-mwifiex-do-not-return-unused-priv-in-mwifiex_ge.patch b/queue-5.15/wifi-mwifiex-do-not-return-unused-priv-in-mwifiex_ge.patch
new file mode 100644 (file)
index 0000000..92916ee
--- /dev/null
@@ -0,0 +1,112 @@
+From 4847bd9558f2d151f1ad33f0f6f584dfd8a6e10d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Jul 2024 09:24:09 +0200
+Subject: wifi: mwifiex: Do not return unused priv in mwifiex_get_priv_by_id()
+
+From: Sascha Hauer <s.hauer@pengutronix.de>
+
+[ Upstream commit c145eea2f75ff7949392aebecf7ef0a81c1f6c14 ]
+
+mwifiex_get_priv_by_id() returns the priv pointer corresponding to
+the bss_num and bss_type, but without checking if the priv is actually
+currently in use.
+Unused priv pointers do not have a wiphy attached to them which can
+lead to NULL pointer dereferences further down the callstack.  Fix
+this by returning only used priv pointers which have priv->bss_mode
+set to something else than NL80211_IFTYPE_UNSPECIFIED.
+
+Said NULL pointer dereference happened when an Accesspoint was started
+with wpa_supplicant -i mlan0 with this config:
+
+network={
+        ssid="somessid"
+        mode=2
+        frequency=2412
+        key_mgmt=WPA-PSK WPA-PSK-SHA256
+        proto=RSN
+        group=CCMP
+        pairwise=CCMP
+        psk="12345678"
+}
+
+When waiting for the AP to be established, interrupting wpa_supplicant
+with <ctrl-c> and starting it again this happens:
+
+| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000140
+| Mem abort info:
+|   ESR = 0x0000000096000004
+|   EC = 0x25: DABT (current EL), IL = 32 bits
+|   SET = 0, FnV = 0
+|   EA = 0, S1PTW = 0
+|   FSC = 0x04: level 0 translation fault
+| Data abort info:
+|   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
+|   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
+|   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+| user pgtable: 4k pages, 48-bit VAs, pgdp=0000000046d96000
+| [0000000000000140] pgd=0000000000000000, p4d=0000000000000000
+| Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
+| Modules linked in: caam_jr caamhash_desc spidev caamalg_desc crypto_engine authenc libdes mwifiex_sdio
++mwifiex crct10dif_ce cdc_acm onboard_usb_hub fsl_imx8_ddr_perf imx8m_ddrc rtc_ds1307 lm75 rtc_snvs
++imx_sdma caam imx8mm_thermal spi_imx error imx_cpufreq_dt fuse ip_tables x_tables ipv6
+| CPU: 0 PID: 8 Comm: kworker/0:1 Not tainted 6.9.0-00007-g937242013fce-dirty #18
+| Hardware name: somemachine (DT)
+| Workqueue: events sdio_irq_work
+| pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+| pc : mwifiex_get_cfp+0xd8/0x15c [mwifiex]
+| lr : mwifiex_get_cfp+0x34/0x15c [mwifiex]
+| sp : ffff8000818b3a70
+| x29: ffff8000818b3a70 x28: ffff000006bfd8a5 x27: 0000000000000004
+| x26: 000000000000002c x25: 0000000000001511 x24: 0000000002e86bc9
+| x23: ffff000006bfd996 x22: 0000000000000004 x21: ffff000007bec000
+| x20: 000000000000002c x19: 0000000000000000 x18: 0000000000000000
+| x17: 000000040044ffff x16: 00500072b5503510 x15: ccc283740681e517
+| x14: 0201000101006d15 x13: 0000000002e8ff43 x12: 002c01000000ffb1
+| x11: 0100000000000000 x10: 02e8ff43002c0100 x9 : 0000ffb100100157
+| x8 : ffff000003d20000 x7 : 00000000000002f1 x6 : 00000000ffffe124
+| x5 : 0000000000000001 x4 : 0000000000000003 x3 : 0000000000000000
+| x2 : 0000000000000000 x1 : 0001000000011001 x0 : 0000000000000000
+| Call trace:
+|  mwifiex_get_cfp+0xd8/0x15c [mwifiex]
+|  mwifiex_parse_single_response_buf+0x1d0/0x504 [mwifiex]
+|  mwifiex_handle_event_ext_scan_report+0x19c/0x2f8 [mwifiex]
+|  mwifiex_process_sta_event+0x298/0xf0c [mwifiex]
+|  mwifiex_process_event+0x110/0x238 [mwifiex]
+|  mwifiex_main_process+0x428/0xa44 [mwifiex]
+|  mwifiex_sdio_interrupt+0x64/0x12c [mwifiex_sdio]
+|  process_sdio_pending_irqs+0x64/0x1b8
+|  sdio_irq_work+0x4c/0x7c
+|  process_one_work+0x148/0x2a0
+|  worker_thread+0x2fc/0x40c
+|  kthread+0x110/0x114
+|  ret_from_fork+0x10/0x20
+| Code: a94153f3 a8c37bfd d50323bf d65f03c0 (f940a000)
+| ---[ end trace 0000000000000000 ]---
+
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Acked-by: Brian Norris <briannorris@chromium.org>
+Reviewed-by: Francesco Dolcini <francesco.dolcini@toradex.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://patch.msgid.link/20240703072409.556618-1-s.hauer@pengutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/marvell/mwifiex/main.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/marvell/mwifiex/main.h b/drivers/net/wireless/marvell/mwifiex/main.h
+index f4e3dce10d65..5b14fe08811e 100644
+--- a/drivers/net/wireless/marvell/mwifiex/main.h
++++ b/drivers/net/wireless/marvell/mwifiex/main.h
+@@ -1310,6 +1310,9 @@ mwifiex_get_priv_by_id(struct mwifiex_adapter *adapter,
+       for (i = 0; i < adapter->priv_num; i++) {
+               if (adapter->priv[i]) {
++                      if (adapter->priv[i]->bss_mode == NL80211_IFTYPE_UNSPECIFIED)
++                              continue;
++
+                       if ((adapter->priv[i]->bss_num == bss_num) &&
+                           (adapter->priv[i]->bss_type == bss_type))
+                               break;
+-- 
+2.43.0
+
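Review bot: The added `bss_mode == NL80211_IFTYPE_UNSPECIFIED` test encodes an invariant ("unused priv has no wiphy") indirectly, and nothing in the hunk documents that callers of mwifiex_get_priv_by_id() now get NULL for a slot that exists but is not bound to an interface; a comment above the new check such as `/* slot allocated but not attached to an interface: no wiphy, skip it */` would make the contract explicit for the next backport. The page gives no indication of how bss_mode transitions are serialized against this lookup, so if an interface can be torn down concurrently with event processing the check narrows the window rather than closing it — worth confirming against the locking in the caller path shown in the trace. The function's return after the loop is outside the hunk. The bare `+` line at the end of the added block is fine stylistically but could be dropped to keep the three-line insertion tight.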