6.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 24 Jun 2024 17:01:26 +0000 (19:01 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 24 Jun 2024 17:01:26 +0000 (19:01 +0200)
added patches:
arm64-dts-imx8qm-mek-fix-gpio-number-for-reg_usdhc2_vmmc.patch
dt-bindings-i2c-atmel-at91sam-correct-path-to-i2c-controller-schema.patch
dt-bindings-i2c-google-cros-ec-i2c-tunnel-correct-path-to-i2c-controller-schema.patch
efi-x86-free-efi-memory-map-only-when-installing-a-new-one.patch
i2c-ocores-set-iack-bit-after-core-is-enabled.patch
ima-avoid-blocking-in-rcu-read-side-critical-section.patch
mips-mipsmtregs-fix-target-register-for-mftc0.patch
mips-pci-lantiq-restore-reset-gpio-polarity.patch
mm-huge_memory-fix-misused-mapping_large_folio_support-for-anon-folios.patch
mm-mmap-allow-for-the-maximum-number-of-bits-for-randomizing-mmap_base-by-default.patch
mm-page_table_check-fix-crash-on-zone_device.patch
mm-shmem-fix-getting-incorrect-lruvec-when-replacing-a-shmem-folio.patch
selftests-mptcp-userspace_pm-fixed-subtest-names.patch
serial-8250_dw-revert-move-definitions-to-the-shared-header.patch
spi-stm32-qspi-clamp-stm32_qspi_get_mode-output-to-ccr_buswidth_4.patch
spi-stm32-qspi-fix-dual-flash-mode-sanity-test-in-stm32_qspi_setup.patch
tcp-clear-tp-retrans_stamp-in-tcp_rcv_fastopen_synack.patch
thermal-core-change-pm-notifier-priority-to-the-minimum.patch
thermal-int340x-processor_thermal-support-shared-interrupts.patch
virt-guest_memfd-fix-reference-leak-on-hwpoisoned-page.patch

21 files changed:
queue-6.9/arm64-dts-imx8qm-mek-fix-gpio-number-for-reg_usdhc2_vmmc.patch [new file with mode: 0644]
queue-6.9/dt-bindings-i2c-atmel-at91sam-correct-path-to-i2c-controller-schema.patch [new file with mode: 0644]
queue-6.9/dt-bindings-i2c-google-cros-ec-i2c-tunnel-correct-path-to-i2c-controller-schema.patch [new file with mode: 0644]
queue-6.9/efi-x86-free-efi-memory-map-only-when-installing-a-new-one.patch [new file with mode: 0644]
queue-6.9/i2c-ocores-set-iack-bit-after-core-is-enabled.patch [new file with mode: 0644]
queue-6.9/ima-avoid-blocking-in-rcu-read-side-critical-section.patch [new file with mode: 0644]
queue-6.9/mips-mipsmtregs-fix-target-register-for-mftc0.patch [new file with mode: 0644]
queue-6.9/mips-pci-lantiq-restore-reset-gpio-polarity.patch [new file with mode: 0644]
queue-6.9/mm-huge_memory-fix-misused-mapping_large_folio_support-for-anon-folios.patch [new file with mode: 0644]
queue-6.9/mm-mmap-allow-for-the-maximum-number-of-bits-for-randomizing-mmap_base-by-default.patch [new file with mode: 0644]
queue-6.9/mm-page_table_check-fix-crash-on-zone_device.patch [new file with mode: 0644]
queue-6.9/mm-shmem-fix-getting-incorrect-lruvec-when-replacing-a-shmem-folio.patch [new file with mode: 0644]
queue-6.9/selftests-mptcp-userspace_pm-fixed-subtest-names.patch [new file with mode: 0644]
queue-6.9/serial-8250_dw-revert-move-definitions-to-the-shared-header.patch [new file with mode: 0644]
queue-6.9/series
queue-6.9/spi-stm32-qspi-clamp-stm32_qspi_get_mode-output-to-ccr_buswidth_4.patch [new file with mode: 0644]
queue-6.9/spi-stm32-qspi-fix-dual-flash-mode-sanity-test-in-stm32_qspi_setup.patch [new file with mode: 0644]
queue-6.9/tcp-clear-tp-retrans_stamp-in-tcp_rcv_fastopen_synack.patch [new file with mode: 0644]
queue-6.9/thermal-core-change-pm-notifier-priority-to-the-minimum.patch [new file with mode: 0644]
queue-6.9/thermal-int340x-processor_thermal-support-shared-interrupts.patch [new file with mode: 0644]
queue-6.9/virt-guest_memfd-fix-reference-leak-on-hwpoisoned-page.patch [new file with mode: 0644]

diff --git a/queue-6.9/arm64-dts-imx8qm-mek-fix-gpio-number-for-reg_usdhc2_vmmc.patch b/queue-6.9/arm64-dts-imx8qm-mek-fix-gpio-number-for-reg_usdhc2_vmmc.patch
new file mode 100644 (file)
index 0000000..b316ad4
--- /dev/null
@@ -0,0 +1,32 @@
+From dfd239a039b3581ca25f932e66b6e2c2bf77c798 Mon Sep 17 00:00:00 2001
+From: Frank Li <Frank.Li@nxp.com>
+Date: Fri, 14 Jun 2024 11:06:32 -0400
+Subject: arm64: dts: imx8qm-mek: fix gpio number for reg_usdhc2_vmmc
+
+From: Frank Li <Frank.Li@nxp.com>
+
+commit dfd239a039b3581ca25f932e66b6e2c2bf77c798 upstream.
+
+The gpio in "reg_usdhc2_vmmc" should be 7 instead of 19.
+
+Cc: stable@vger.kernel.org
+Fixes: 307fd14d4b14 ("arm64: dts: imx: add imx8qm mek support")
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/freescale/imx8qm-mek.dts |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
++++ b/arch/arm64/boot/dts/freescale/imx8qm-mek.dts
+@@ -36,7 +36,7 @@
+               regulator-name = "SD1_SPWR";
+               regulator-min-microvolt = <3000000>;
+               regulator-max-microvolt = <3000000>;
+-              gpio = <&lsio_gpio4 19 GPIO_ACTIVE_HIGH>;
++              gpio = <&lsio_gpio4 7 GPIO_ACTIVE_HIGH>;
+               enable-active-high;
+       };
+ };
diff --git a/queue-6.9/dt-bindings-i2c-atmel-at91sam-correct-path-to-i2c-controller-schema.patch b/queue-6.9/dt-bindings-i2c-atmel-at91sam-correct-path-to-i2c-controller-schema.patch
new file mode 100644 (file)
index 0000000..8ce0cb7
--- /dev/null
@@ -0,0 +1,33 @@
+From d4e001ffeccfc128c715057e866f301ac9b95728 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Thu, 20 Jun 2024 13:34:49 +0200
+Subject: dt-bindings: i2c: atmel,at91sam: correct path to i2c-controller schema
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit d4e001ffeccfc128c715057e866f301ac9b95728 upstream.
+
+The referenced i2c-controller.yaml schema is provided by dtschema
+package (outside of Linux kernel), so use full path to reference it.
+
+Cc: stable@vger.kernel.org
+Fixes: 7ea75dd386be ("dt-bindings: i2c: convert i2c-at91 to json-schema")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/i2c/atmel,at91sam-i2c.yaml |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/i2c/atmel,at91sam-i2c.yaml
++++ b/Documentation/devicetree/bindings/i2c/atmel,at91sam-i2c.yaml
+@@ -77,7 +77,7 @@ required:
+   - clocks
+ allOf:
+-  - $ref: i2c-controller.yaml
++  - $ref: /schemas/i2c/i2c-controller.yaml#
+   - if:
+       properties:
+         compatible:
diff --git a/queue-6.9/dt-bindings-i2c-google-cros-ec-i2c-tunnel-correct-path-to-i2c-controller-schema.patch b/queue-6.9/dt-bindings-i2c-google-cros-ec-i2c-tunnel-correct-path-to-i2c-controller-schema.patch
new file mode 100644 (file)
index 0000000..5d202ed
--- /dev/null
@@ -0,0 +1,33 @@
+From 5c8cfd592bb7632200b4edac8f2c7ec892ed9d81 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Thu, 20 Jun 2024 13:34:50 +0200
+Subject: dt-bindings: i2c: google,cros-ec-i2c-tunnel: correct path to i2c-controller schema
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit 5c8cfd592bb7632200b4edac8f2c7ec892ed9d81 upstream.
+
+The referenced i2c-controller.yaml schema is provided by dtschema
+package (outside of Linux kernel), so use full path to reference it.
+
+Cc: stable@vger.kernel.org
+Fixes: 1acd4577a66f ("dt-bindings: i2c: convert i2c-cros-ec-tunnel to json-schema")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/i2c/google,cros-ec-i2c-tunnel.yaml |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/i2c/google,cros-ec-i2c-tunnel.yaml
++++ b/Documentation/devicetree/bindings/i2c/google,cros-ec-i2c-tunnel.yaml
+@@ -21,7 +21,7 @@ description: |
+   google,cros-ec-spi or google,cros-ec-i2c.
+ allOf:
+-  - $ref: i2c-controller.yaml#
++  - $ref: /schemas/i2c/i2c-controller.yaml#
+ properties:
+   compatible:
diff --git a/queue-6.9/efi-x86-free-efi-memory-map-only-when-installing-a-new-one.patch b/queue-6.9/efi-x86-free-efi-memory-map-only-when-installing-a-new-one.patch
new file mode 100644 (file)
index 0000000..351409d
--- /dev/null
@@ -0,0 +1,109 @@
+From 75dde792d6f6c2d0af50278bd374bf0c512fe196 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ardb@kernel.org>
+Date: Mon, 10 Jun 2024 16:02:13 +0200
+Subject: efi/x86: Free EFI memory map only when installing a new one.
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+commit 75dde792d6f6c2d0af50278bd374bf0c512fe196 upstream.
+
+The logic in __efi_memmap_init() is shared between two different
+execution flows:
+- mapping the EFI memory map early or late into the kernel VA space, so
+  that its entries can be accessed;
+- the x86 specific cloning of the EFI memory map in order to insert new
+  entries that are created as a result of making a memory reservation
+  via a call to efi_mem_reserve().
+
+In the former case, the underlying memory containing the kernel's view
+of the EFI memory map (which may be heavily modified by the kernel
+itself on x86) is not modified at all, and the only thing that changes
+is the virtual mapping of this memory, which is different between early
+and late boot.
+
+In the latter case, an entirely new allocation is created that carries a
+new, updated version of the kernel's view of the EFI memory map. When
+installing this new version, the old version will no longer be
+referenced, and if the memory was allocated by the kernel, it will leak
+unless it gets freed.
+
+The logic that implements this freeing currently lives on the code path
+that is shared between these two use cases, but it should only apply to
+the latter. So move it to the correct spot.
+
+While at it, drop the dummy definition for non-x86 architectures, as
+that is no longer needed.
+
+Cc: <stable@vger.kernel.org>
+Fixes: f0ef6523475f ("efi: Fix efi_memmap_alloc() leaks")
+Tested-by: Ashish Kalra <Ashish.Kalra@amd.com>
+Link: https://lore.kernel.org/all/36ad5079-4326-45ed-85f6-928ff76483d3@amd.com
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/efi.h     |    1 -
+ arch/x86/platform/efi/memmap.c |   12 +++++++++++-
+ drivers/firmware/efi/memmap.c  |    9 ---------
+ 3 files changed, 11 insertions(+), 11 deletions(-)
+
+--- a/arch/x86/include/asm/efi.h
++++ b/arch/x86/include/asm/efi.h
+@@ -401,7 +401,6 @@ extern int __init efi_memmap_alloc(unsig
+                                  struct efi_memory_map_data *data);
+ extern void __efi_memmap_free(u64 phys, unsigned long size,
+                             unsigned long flags);
+-#define __efi_memmap_free __efi_memmap_free
+ extern int __init efi_memmap_install(struct efi_memory_map_data *data);
+ extern int __init efi_memmap_split_count(efi_memory_desc_t *md,
+--- a/arch/x86/platform/efi/memmap.c
++++ b/arch/x86/platform/efi/memmap.c
+@@ -92,12 +92,22 @@ int __init efi_memmap_alloc(unsigned int
+  */
+ int __init efi_memmap_install(struct efi_memory_map_data *data)
+ {
++      unsigned long size = efi.memmap.desc_size * efi.memmap.nr_map;
++      unsigned long flags = efi.memmap.flags;
++      u64 phys = efi.memmap.phys_map;
++      int ret;
++
+       efi_memmap_unmap();
+       if (efi_enabled(EFI_PARAVIRT))
+               return 0;
+-      return __efi_memmap_init(data);
++      ret = __efi_memmap_init(data);
++      if (ret)
++              return ret;
++
++      __efi_memmap_free(phys, size, flags);
++      return 0;
+ }
+ /**
+--- a/drivers/firmware/efi/memmap.c
++++ b/drivers/firmware/efi/memmap.c
+@@ -15,10 +15,6 @@
+ #include <asm/early_ioremap.h>
+ #include <asm/efi.h>
+-#ifndef __efi_memmap_free
+-#define __efi_memmap_free(phys, size, flags) do { } while (0)
+-#endif
+-
+ /**
+  * __efi_memmap_init - Common code for mapping the EFI memory map
+  * @data: EFI memory map data
+@@ -51,11 +47,6 @@ int __init __efi_memmap_init(struct efi_
+               return -ENOMEM;
+       }
+-      if (efi.memmap.flags & (EFI_MEMMAP_MEMBLOCK | EFI_MEMMAP_SLAB))
+-              __efi_memmap_free(efi.memmap.phys_map,
+-                                efi.memmap.desc_size * efi.memmap.nr_map,
+-                                efi.memmap.flags);
+-
+       map.phys_map = data->phys_map;
+       map.nr_map = data->size / data->desc_size;
+       map.map_end = map.map + data->size;
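Review bot: The flag test that guarded the free in `__efi_memmap_init()` (`efi.memmap.flags & (EFI_MEMMAP_MEMBLOCK | EFI_MEMMAP_SLAB)`) is removed, and the new call in `efi_memmap_install()` runs `__efi_memmap_free(phys, size, flags)` unconditionally once the new map is installed. The body of `__efi_memmap_free()` is not part of this patch, so it should be confirmed that it is a no-op for an old map carrying neither flag; otherwise this path would release memory the kernel did not allocate. A short comment above the three snapshot locals would also help the next reader, e.g. `/* snapshot the old map before it is unmapped and replaced; freed only after the new one is installed */`.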
diff --git a/queue-6.9/i2c-ocores-set-iack-bit-after-core-is-enabled.patch b/queue-6.9/i2c-ocores-set-iack-bit-after-core-is-enabled.patch
new file mode 100644 (file)
index 0000000..a1e5dad
--- /dev/null
@@ -0,0 +1,39 @@
+From 5a72477273066b5b357801ab2d315ef14949d402 Mon Sep 17 00:00:00 2001
+From: Grygorii Tertychnyi <grembeter@gmail.com>
+Date: Mon, 20 May 2024 17:39:32 +0200
+Subject: i2c: ocores: set IACK bit after core is enabled
+
+From: Grygorii Tertychnyi <grembeter@gmail.com>
+
+commit 5a72477273066b5b357801ab2d315ef14949d402 upstream.
+
+Setting IACK bit when core is disabled does not clear the "Interrupt Flag"
+bit in the status register, and the interrupt remains pending.
+
+Sometimes it causes failure for the very first message transfer, that is
+usually a device probe.
+
+Hence, set IACK bit after core is enabled to clear pending interrupt.
+
+Fixes: 18f98b1e3147 ("[PATCH] i2c: New bus driver for the OpenCores I2C controller")
+Signed-off-by: Grygorii Tertychnyi <grygorii.tertychnyi@leica-geosystems.com>
+Acked-by: Peter Korsgaard <peter@korsgaard.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-ocores.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-ocores.c
++++ b/drivers/i2c/busses/i2c-ocores.c
+@@ -442,8 +442,8 @@ static int ocores_init(struct device *de
+       oc_setreg(i2c, OCI2C_PREHIGH, prescale >> 8);
+       /* Init the device */
+-      oc_setreg(i2c, OCI2C_CMD, OCI2C_CMD_IACK);
+       oc_setreg(i2c, OCI2C_CONTROL, ctrl | OCI2C_CTRL_EN);
++      oc_setreg(i2c, OCI2C_CMD, OCI2C_CMD_IACK);
+       return 0;
+ }
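Review bot: The new write order in `ocores_init()` is load-bearing, but the only comment in the hunk is `/* Init the device */`, so a later cleanup could move the IACK write back above the enable without noticing. I would add `/* IACK must follow OCI2C_CTRL_EN: it does not clear the interrupt flag while the core is disabled */` directly before the `OCI2C_CMD` write. The function begins outside the hunk.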
diff --git a/queue-6.9/ima-avoid-blocking-in-rcu-read-side-critical-section.patch b/queue-6.9/ima-avoid-blocking-in-rcu-read-side-critical-section.patch
new file mode 100644 (file)
index 0000000..c493579
--- /dev/null
@@ -0,0 +1,345 @@
+From 9a95c5bfbf02a0a7f5983280fe284a0ff0836c34 Mon Sep 17 00:00:00 2001
+From: GUO Zihua <guozihua@huawei.com>
+Date: Tue, 7 May 2024 01:25:41 +0000
+Subject: ima: Avoid blocking in RCU read-side critical section
+
+From: GUO Zihua <guozihua@huawei.com>
+
+commit 9a95c5bfbf02a0a7f5983280fe284a0ff0836c34 upstream.
+
+A panic happens in ima_match_policy:
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
+PGD 42f873067 P4D 0
+Oops: 0000 [#1] SMP NOPTI
+CPU: 5 PID: 1286325 Comm: kubeletmonit.sh
+Kdump: loaded Tainted: P
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
+               BIOS 0.0.0 02/06/2015
+RIP: 0010:ima_match_policy+0x84/0x450
+Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39
+      7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d
+      f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea
+      44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f
+RSP: 0018:ff71570009e07a80 EFLAGS: 00010207
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200
+RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000
+RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739
+R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970
+R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001
+FS:  00007f5195b51740(0000)
+GS:ff3e278b12d40000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ ima_get_action+0x22/0x30
+ process_measurement+0xb0/0x830
+ ? page_add_file_rmap+0x15/0x170
+ ? alloc_set_pte+0x269/0x4c0
+ ? prep_new_page+0x81/0x140
+ ? simple_xattr_get+0x75/0xa0
+ ? selinux_file_open+0x9d/0xf0
+ ima_file_check+0x64/0x90
+ path_openat+0x571/0x1720
+ do_filp_open+0x9b/0x110
+ ? page_counter_try_charge+0x57/0xc0
+ ? files_cgroup_alloc_fd+0x38/0x60
+ ? __alloc_fd+0xd4/0x250
+ ? do_sys_open+0x1bd/0x250
+ do_sys_open+0x1bd/0x250
+ do_syscall_64+0x5d/0x1d0
+ entry_SYSCALL_64_after_hwframe+0x65/0xca
+
+Commit c7423dbdbc9e ("ima: Handle -ESTALE returned by
+ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a
+RCU read-side critical section which contains kmalloc with GFP_KERNEL.
+This implies a possible sleep and violates limitations of RCU read-side
+critical sections on non-PREEMPT systems.
+
+Sleeping within RCU read-side critical section might cause
+synchronize_rcu() returning early and break RCU protection, allowing a
+UAF to happen.
+
+The root cause of this issue could be described as follows:
+|      Thread A        |       Thread B        |
+|                      |ima_match_policy       |
+|                      |  rcu_read_lock        |
+|ima_lsm_update_rule   |                       |
+|  synchronize_rcu     |                       |
+|                      |    kmalloc(GFP_KERNEL)|
+|                      |      sleep            |
+==> synchronize_rcu returns early
+|  kfree(entry)                |                       |
+|                      |    entry = entry->next|
+==> UAF happens and entry now becomes NULL (or could be anything).
+|                      |    entry->action      |
+==> Accessing entry might cause panic.
+
+To fix this issue, we are converting all kmalloc that is called within
+RCU read-side critical section to use GFP_ATOMIC.
+
+Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()")
+Cc: stable@vger.kernel.org
+Signed-off-by: GUO Zihua <guozihua@huawei.com>
+Acked-by: John Johansen <john.johansen@canonical.com>
+Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
+Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
+[PM: fixed missing comment, long lines, !CONFIG_IMA_LSM_RULES case]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/lsm_hook_defs.h       |    2 +-
+ include/linux/security.h            |    5 +++--
+ kernel/auditfilter.c                |    5 +++--
+ security/apparmor/audit.c           |    6 +++---
+ security/apparmor/include/audit.h   |    2 +-
+ security/integrity/ima/ima.h        |    2 +-
+ security/integrity/ima/ima_policy.c |   15 +++++++++------
+ security/security.c                 |    6 ++++--
+ security/selinux/include/audit.h    |    4 +++-
+ security/selinux/ss/services.c      |    5 +++--
+ security/smack/smack_lsm.c          |    4 +++-
+ 11 files changed, 34 insertions(+), 22 deletions(-)
+
+--- a/include/linux/lsm_hook_defs.h
++++ b/include/linux/lsm_hook_defs.h
+@@ -412,7 +412,7 @@ LSM_HOOK(void, LSM_RET_VOID, key_post_cr
+ #ifdef CONFIG_AUDIT
+ LSM_HOOK(int, 0, audit_rule_init, u32 field, u32 op, char *rulestr,
+-       void **lsmrule)
++       void **lsmrule, gfp_t gfp)
+ LSM_HOOK(int, 0, audit_rule_known, struct audit_krule *krule)
+ LSM_HOOK(int, 0, audit_rule_match, u32 secid, u32 field, u32 op, void *lsmrule)
+ LSM_HOOK(void, LSM_RET_VOID, audit_rule_free, void *lsmrule)
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -2048,7 +2048,8 @@ static inline void security_key_post_cre
+ #ifdef CONFIG_AUDIT
+ #ifdef CONFIG_SECURITY
+-int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule);
++int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule,
++                           gfp_t gfp);
+ int security_audit_rule_known(struct audit_krule *krule);
+ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule);
+ void security_audit_rule_free(void *lsmrule);
+@@ -2056,7 +2057,7 @@ void security_audit_rule_free(void *lsmr
+ #else
+ static inline int security_audit_rule_init(u32 field, u32 op, char *rulestr,
+-                                         void **lsmrule)
++                                         void **lsmrule, gfp_t gfp)
+ {
+       return 0;
+ }
+--- a/kernel/auditfilter.c
++++ b/kernel/auditfilter.c
+@@ -529,7 +529,8 @@ static struct audit_entry *audit_data_to
+                       entry->rule.buflen += f_val;
+                       f->lsm_str = str;
+                       err = security_audit_rule_init(f->type, f->op, str,
+-                                                     (void **)&f->lsm_rule);
++                                                     (void **)&f->lsm_rule,
++                                                     GFP_KERNEL);
+                       /* Keep currently invalid fields around in case they
+                        * become valid after a policy reload. */
+                       if (err == -EINVAL) {
+@@ -799,7 +800,7 @@ static inline int audit_dupe_lsm_field(s
+       /* our own (refreshed) copy of lsm_rule */
+       ret = security_audit_rule_init(df->type, df->op, df->lsm_str,
+-                                     (void **)&df->lsm_rule);
++                                     (void **)&df->lsm_rule, GFP_KERNEL);
+       /* Keep currently invalid fields around in case they
+        * become valid after a policy reload. */
+       if (ret == -EINVAL) {
+--- a/security/apparmor/audit.c
++++ b/security/apparmor/audit.c
+@@ -217,7 +217,7 @@ void aa_audit_rule_free(void *vrule)
+       }
+ }
+-int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
++int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, gfp_t gfp)
+ {
+       struct aa_audit_rule *rule;
+@@ -230,14 +230,14 @@ int aa_audit_rule_init(u32 field, u32 op
+               return -EINVAL;
+       }
+-      rule = kzalloc(sizeof(struct aa_audit_rule), GFP_KERNEL);
++      rule = kzalloc(sizeof(struct aa_audit_rule), gfp);
+       if (!rule)
+               return -ENOMEM;
+       /* Currently rules are treated as coming from the root ns */
+       rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
+-                                   GFP_KERNEL, true, false);
++                                   gfp, true, false);
+       if (IS_ERR(rule->label)) {
+               int err = PTR_ERR(rule->label);
+               aa_audit_rule_free(rule);
+--- a/security/apparmor/include/audit.h
++++ b/security/apparmor/include/audit.h
+@@ -200,7 +200,7 @@ static inline int complain_error(int err
+ }
+ void aa_audit_rule_free(void *vrule);
+-int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule);
++int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, gfp_t gfp);
+ int aa_audit_rule_known(struct audit_krule *rule);
+ int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule);
+--- a/security/integrity/ima/ima.h
++++ b/security/integrity/ima/ima.h
+@@ -540,7 +540,7 @@ static inline void ima_free_modsig(struc
+ #else
+ static inline int ima_filter_rule_init(u32 field, u32 op, char *rulestr,
+-                                     void **lsmrule)
++                                     void **lsmrule, gfp_t gfp)
+ {
+       return -EINVAL;
+ }
+--- a/security/integrity/ima/ima_policy.c
++++ b/security/integrity/ima/ima_policy.c
+@@ -401,7 +401,8 @@ static void ima_free_rule(struct ima_rul
+       kfree(entry);
+ }
+-static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry)
++static struct ima_rule_entry *ima_lsm_copy_rule(struct ima_rule_entry *entry,
++                                              gfp_t gfp)
+ {
+       struct ima_rule_entry *nentry;
+       int i;
+@@ -410,7 +411,7 @@ static struct ima_rule_entry *ima_lsm_co
+        * Immutable elements are copied over as pointers and data; only
+        * lsm rules can change
+        */
+-      nentry = kmemdup(entry, sizeof(*nentry), GFP_KERNEL);
++      nentry = kmemdup(entry, sizeof(*nentry), gfp);
+       if (!nentry)
+               return NULL;
+@@ -425,7 +426,8 @@ static struct ima_rule_entry *ima_lsm_co
+               ima_filter_rule_init(nentry->lsm[i].type, Audit_equal,
+                                    nentry->lsm[i].args_p,
+-                                   &nentry->lsm[i].rule);
++                                   &nentry->lsm[i].rule,
++                                   gfp);
+               if (!nentry->lsm[i].rule)
+                       pr_warn("rule for LSM \'%s\' is undefined\n",
+                               nentry->lsm[i].args_p);
+@@ -438,7 +440,7 @@ static int ima_lsm_update_rule(struct im
+       int i;
+       struct ima_rule_entry *nentry;
+-      nentry = ima_lsm_copy_rule(entry);
++      nentry = ima_lsm_copy_rule(entry, GFP_KERNEL);
+       if (!nentry)
+               return -ENOMEM;
+@@ -664,7 +666,7 @@ retry:
+               }
+               if (rc == -ESTALE && !rule_reinitialized) {
+-                      lsm_rule = ima_lsm_copy_rule(rule);
++                      lsm_rule = ima_lsm_copy_rule(rule, GFP_ATOMIC);
+                       if (lsm_rule) {
+                               rule_reinitialized = true;
+                               goto retry;
+@@ -1140,7 +1142,8 @@ static int ima_lsm_rule_init(struct ima_
+       entry->lsm[lsm_rule].type = audit_type;
+       result = ima_filter_rule_init(entry->lsm[lsm_rule].type, Audit_equal,
+                                     entry->lsm[lsm_rule].args_p,
+-                                    &entry->lsm[lsm_rule].rule);
++                                    &entry->lsm[lsm_rule].rule,
++                                    GFP_KERNEL);
+       if (!entry->lsm[lsm_rule].rule) {
+               pr_warn("rule for LSM \'%s\' is undefined\n",
+                       entry->lsm[lsm_rule].args_p);
+--- a/security/security.c
++++ b/security/security.c
+@@ -5331,15 +5331,17 @@ void security_key_post_create_or_update(
+  * @op: rule operator
+  * @rulestr: rule context
+  * @lsmrule: receive buffer for audit rule struct
++ * @gfp: GFP flag used for kmalloc
+  *
+  * Allocate and initialize an LSM audit rule structure.
+  *
+  * Return: Return 0 if @lsmrule has been successfully set, -EINVAL in case of
+  *         an invalid rule.
+  */
+-int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule)
++int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule,
++                           gfp_t gfp)
+ {
+-      return call_int_hook(audit_rule_init, field, op, rulestr, lsmrule);
++      return call_int_hook(audit_rule_init, field, op, rulestr, lsmrule, gfp);
+ }
+ /**
+--- a/security/selinux/include/audit.h
++++ b/security/selinux/include/audit.h
+@@ -21,12 +21,14 @@
+  *    @op: the operator the rule uses
+  *    @rulestr: the text "target" of the rule
+  *    @rule: pointer to the new rule structure returned via this
++ *    @gfp: GFP flag used for kmalloc
+  *
+  *    Returns 0 if successful, -errno if not.  On success, the rule structure
+  *    will be allocated internally.  The caller must free this structure with
+  *    selinux_audit_rule_free() after use.
+  */
+-int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **rule);
++int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **rule,
++                          gfp_t gfp);
+ /**
+  *    selinux_audit_rule_free - free an selinux audit rule structure.
+--- a/security/selinux/ss/services.c
++++ b/security/selinux/ss/services.c
+@@ -3508,7 +3508,8 @@ void selinux_audit_rule_free(void *vrule
+       }
+ }
+-int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
++int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule,
++                          gfp_t gfp)
+ {
+       struct selinux_state *state = &selinux_state;
+       struct selinux_policy *policy;
+@@ -3549,7 +3550,7 @@ int selinux_audit_rule_init(u32 field, u
+               return -EINVAL;
+       }
+-      tmprule = kzalloc(sizeof(struct selinux_audit_rule), GFP_KERNEL);
++      tmprule = kzalloc(sizeof(struct selinux_audit_rule), gfp);
+       if (!tmprule)
+               return -ENOMEM;
+       context_init(&tmprule->au_ctxt);
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -4692,11 +4692,13 @@ static int smack_post_notification(const
+  * @op: required testing operator (=, !=, >, <, ...)
+  * @rulestr: smack label to be audited
+  * @vrule: pointer to save our own audit rule representation
++ * @gfp: type of the memory for the allocation
+  *
+  * Prepare to audit cases where (@field @op @rulestr) is true.
+  * The label to be audited is created if necessay.
+  */
+-static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
++static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule,
++                               gfp_t gfp)
+ {
+       struct smack_known *skp;
+       char **rule = (char **)vrule;
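Review bot: The `smack_audit_rule_init()` hunk adds `gfp` to the signature, but none of its visible lines use it, whereas the AppArmor hunk threads it into both `kzalloc()` and `aa_label_parse()` and the SELinux hunk into `kzalloc()`. The Smack body continues outside the hunk and its kerneldoc says the label "is created if necessay", so it should be confirmed that this creation path neither allocates with a sleeping flag nor takes a sleeping lock; the retry path in `ima_policy.c` now reaches the hook with `GFP_ATOMIC`, which the commit message describes as running inside an RCU read-side critical section. The same check applies to any allocation in `selinux_audit_rule_init()` beyond the one `kzalloc()` shown. I would also sharpen the kerneldoc in `security/security.c` to `@gfp: allocation flags; GFP_ATOMIC callers hold rcu_read_lock(), so implementations must not sleep`.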
diff --git a/queue-6.9/mips-mipsmtregs-fix-target-register-for-mftc0.patch b/queue-6.9/mips-mipsmtregs-fix-target-register-for-mftc0.patch
new file mode 100644 (file)
index 0000000..d130eab
--- /dev/null
@@ -0,0 +1,37 @@
+From 4a3e37b3caea817199757a0b13aa53dd7c9376c8 Mon Sep 17 00:00:00 2001
+From: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Date: Sun, 16 Jun 2024 14:25:02 +0100
+Subject: MIPS: mipsmtregs: Fix target register for MFTC0
+
+From: Jiaxun Yang <jiaxun.yang@flygoat.com>
+
+commit 4a3e37b3caea817199757a0b13aa53dd7c9376c8 upstream.
+
+Target register of mftc0 should be __res instead of $1, this is
+a leftover from old .insn code.
+
+Fixes: dd6d29a61489 ("MIPS: Implement microMIPS MT ASE helpers")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/include/asm/mipsmtregs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/mips/include/asm/mipsmtregs.h b/arch/mips/include/asm/mipsmtregs.h
+index 30e86861c206..b1ee3c48e84b 100644
+--- a/arch/mips/include/asm/mipsmtregs.h
++++ b/arch/mips/include/asm/mipsmtregs.h
+@@ -322,7 +322,7 @@ static inline void ehb(void)
+       "       .set    push                            \n"     \
+       "       .set    "MIPS_ISA_LEVEL"                \n"     \
+       _ASM_SET_MFTC0                                                  \
+-      "       mftc0   $1, " #rt ", " #sel "           \n"     \
++      "       mftc0   %0, " #rt ", " #sel "           \n"     \
+       _ASM_UNSET_MFTC0                                                \
+       "       .set    pop                             \n"     \
+       : "=r" (__res));                                                \
+-- 
+2.45.2
+
diff --git a/queue-6.9/mips-pci-lantiq-restore-reset-gpio-polarity.patch b/queue-6.9/mips-pci-lantiq-restore-reset-gpio-polarity.patch
new file mode 100644 (file)
index 0000000..bdfd84d
--- /dev/null
@@ -0,0 +1,68 @@
+From 277a0363120276645ae598d8d5fea7265e076ae9 Mon Sep 17 00:00:00 2001
+From: Martin Schiller <ms@dev.tdt.de>
+Date: Fri, 7 Jun 2024 11:04:00 +0200
+Subject: MIPS: pci: lantiq: restore reset gpio polarity
+
+From: Martin Schiller <ms@dev.tdt.de>
+
+commit 277a0363120276645ae598d8d5fea7265e076ae9 upstream.
+
+Commit 90c2d2eb7ab5 ("MIPS: pci: lantiq: switch to using gpiod API") not
+only switched to the gpiod API, but also inverted / changed the polarity
+of the GPIO.
+
+According to the PCI specification, the RST# pin is an active-low
+signal. However, most of the device trees that have been widely used for
+a long time (mainly in the openWrt project) define this GPIO as
+active-high and the old driver code inverted the signal internally.
+
+Apparently there are actually boards where the reset gpio must be
+operated inverted. For this reason, we cannot use the GPIOD_OUT_LOW/HIGH
+flag for initialization. Instead, we must explicitly set the gpio to
+value 1 in order to take into account any "GPIO_ACTIVE_LOW" flag that
+may have been set.
+
+In order to remain compatible with all these existing device trees, we
+should therefore keep the logic as it was before the commit.
+
+Fixes: 90c2d2eb7ab5 ("MIPS: pci: lantiq: switch to using gpiod API")
+Cc: stable@vger.kernel.org
+Signed-off-by: Martin Schiller <ms@dev.tdt.de>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/pci/pci-lantiq.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/mips/pci/pci-lantiq.c
++++ b/arch/mips/pci/pci-lantiq.c
+@@ -124,14 +124,14 @@ static int ltq_pci_startup(struct platfo
+               clk_disable(clk_external);
+       /* setup reset gpio used by pci */
+-      reset_gpio = devm_gpiod_get_optional(&pdev->dev, "reset",
+-                                           GPIOD_OUT_LOW);
++      reset_gpio = devm_gpiod_get_optional(&pdev->dev, "reset", GPIOD_ASIS);
+       error = PTR_ERR_OR_ZERO(reset_gpio);
+       if (error) {
+               dev_err(&pdev->dev, "failed to request gpio: %d\n", error);
+               return error;
+       }
+       gpiod_set_consumer_name(reset_gpio, "pci_reset");
++      gpiod_direction_output(reset_gpio, 1);
+       /* enable auto-switching between PCI and EBU */
+       ltq_pci_w32(0xa, PCI_CR_CLK_CTRL);
+@@ -194,10 +194,10 @@ static int ltq_pci_startup(struct platfo
+       /* toggle reset pin */
+       if (reset_gpio) {
+-              gpiod_set_value_cansleep(reset_gpio, 1);
++              gpiod_set_value_cansleep(reset_gpio, 0);
+               wmb();
+               mdelay(1);
+-              gpiod_set_value_cansleep(reset_gpio, 0);
++              gpiod_set_value_cansleep(reset_gpio, 1);
+       }
+       return 0;
+ }
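Review bot: The return value of `gpiod_direction_output(reset_gpio, 1);` added in the first hunk of ltq_pci_startup() is discarded. With the line now requested as `GPIOD_ASIS`, a failure to switch it to output would go unnoticed, and the `gpiod_set_value_cansleep()` toggle in the second hunk would then run against a line whose direction was never set. I would propagate it the same way the request error is handled: `error = gpiod_direction_output(reset_gpio, 1);` followed by `if (error) return error;`. A short comment such as `/* logical 1 keeps the old driver's polarity; a GPIO_ACTIVE_LOW flag in the DT is honoured */` would also record why the sequence is 1/0/1 despite RST# being active-low in the spec. ltq_pci_startup() begins outside both hunks.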
diff --git a/queue-6.9/mm-huge_memory-fix-misused-mapping_large_folio_support-for-anon-folios.patch b/queue-6.9/mm-huge_memory-fix-misused-mapping_large_folio_support-for-anon-folios.patch
new file mode 100644 (file)
index 0000000..891da5d
--- /dev/null
@@ -0,0 +1,114 @@
+From 6a50c9b512f7734bc356f4bd47885a6f7c98491a Mon Sep 17 00:00:00 2001
+From: Ran Xiaokai <ran.xiaokai@zte.com.cn>
+Date: Fri, 7 Jun 2024 17:40:48 +0800
+Subject: mm: huge_memory: fix misused mapping_large_folio_support() for anon folios
+
+From: Ran Xiaokai <ran.xiaokai@zte.com.cn>
+
+commit 6a50c9b512f7734bc356f4bd47885a6f7c98491a upstream.
+
+When I did a large folios split test, a WARNING "[ 5059.122759][ T166]
+Cannot split file folio to non-0 order" was triggered.  But the test cases
+are only for anonmous folios.  while mapping_large_folio_support() is only
+reasonable for page cache folios.
+
+In split_huge_page_to_list_to_order(), the folio passed to
+mapping_large_folio_support() maybe anonmous folio.  The folio_test_anon()
+check is missing.  So the split of the anonmous THP is failed.  This is
+also the same for shmem_mapping().  We'd better add a check for both.  But
+the shmem_mapping() in __split_huge_page() is not involved, as for
+anonmous folios, the end parameter is set to -1, so (head[i].index >= end)
+is always false.  shmem_mapping() is not called.
+
+Also add a VM_WARN_ON_ONCE() in mapping_large_folio_support() for anon
+mapping, So we can detect the wrong use more easily.
+
+THP folios maybe exist in the pagecache even the file system doesn't
+support large folio, it is because when CONFIG_TRANSPARENT_HUGEPAGE is
+enabled, khugepaged will try to collapse read-only file-backed pages to
+THP.  But the mapping does not actually support multi order large folios
+properly.
+
+Using /sys/kernel/debug/split_huge_pages to verify this, with this patch,
+large anon THP is successfully split and the warning is ceased.
+
+Link: https://lkml.kernel.org/r/202406071740485174hcFl7jRxncsHDtI-Pz-o@zte.com.cn
+Fixes: c010d47f107f ("mm: thp: split huge page to any lower order pages")
+Reviewed-by: Barry Song <baohua@kernel.org>
+Reviewed-by: Zi Yan <ziy@nvidia.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Ran Xiaokai <ran.xiaokai@zte.com.cn>
+Cc: Michal Hocko <mhocko@kernel.org>
+Cc: xu xin <xu.xin16@zte.com.cn>
+Cc: Yang Yang <yang.yang29@zte.com.cn>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/pagemap.h |    4 ++++
+ mm/huge_memory.c        |   28 +++++++++++++++++-----------
+ 2 files changed, 21 insertions(+), 11 deletions(-)
+
+--- a/include/linux/pagemap.h
++++ b/include/linux/pagemap.h
+@@ -379,6 +379,10 @@ static inline void mapping_set_large_fol
+  */
+ static inline bool mapping_large_folio_support(struct address_space *mapping)
+ {
++      /* AS_LARGE_FOLIO_SUPPORT is only reasonable for pagecache folios */
++      VM_WARN_ONCE((unsigned long)mapping & PAGE_MAPPING_ANON,
++                      "Anonymous mapping always supports large folio");
++
+       return IS_ENABLED(CONFIG_TRANSPARENT_HUGEPAGE) &&
+               test_bit(AS_LARGE_FOLIO_SUPPORT, &mapping->flags);
+ }
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -3058,30 +3058,36 @@ int split_huge_page_to_list_to_order(str
+       if (new_order >= folio_order(folio))
+               return -EINVAL;
+-      /* Cannot split anonymous THP to order-1 */
+-      if (new_order == 1 && folio_test_anon(folio)) {
+-              VM_WARN_ONCE(1, "Cannot split to order-1 folio");
+-              return -EINVAL;
+-      }
+-
+-      if (new_order) {
+-              /* Only swapping a whole PMD-mapped folio is supported */
+-              if (folio_test_swapcache(folio))
++      if (folio_test_anon(folio)) {
++              /* order-1 is not supported for anonymous THP. */
++              if (new_order == 1) {
++                      VM_WARN_ONCE(1, "Cannot split to order-1 folio");
+                       return -EINVAL;
++              }
++      } else if (new_order) {
+               /* Split shmem folio to non-zero order not supported */
+               if (shmem_mapping(folio->mapping)) {
+                       VM_WARN_ONCE(1,
+                               "Cannot split shmem folio to non-0 order");
+                       return -EINVAL;
+               }
+-              /* No split if the file system does not support large folio */
+-              if (!mapping_large_folio_support(folio->mapping)) {
++              /*
++               * No split if the file system does not support large folio.
++               * Note that we might still have THPs in such mappings due to
++               * CONFIG_READ_ONLY_THP_FOR_FS. But in that case, the mapping
++               * does not actually support large folios properly.
++               */
++              if (IS_ENABLED(CONFIG_READ_ONLY_THP_FOR_FS) &&
++                  !mapping_large_folio_support(folio->mapping)) {
+                       VM_WARN_ONCE(1,
+                               "Cannot split file folio to non-0 order");
+                       return -EINVAL;
+               }
+       }
++      /* Only swapping a whole PMD-mapped folio is supported */
++      if (folio_test_swapcache(folio) && new_order)
++              return -EINVAL;
+       is_hzp = is_huge_zero_page(&folio->page);
+       if (is_hzp) {
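Review bot: The `VM_WARN_ONCE()` added to mapping_large_folio_support() in include/linux/pagemap.h only reports an anonymous mapping; the function still goes on to `test_bit(AS_LARGE_FOLIO_SUPPORT, &mapping->flags)` through the tagged pointer. As far as I know VM_WARN_ONCE() compiles away without CONFIG_DEBUG_VM, so production builds would get neither the warning nor a safe result. The mm/huge_memory.c hunk fixes the one caller shown here by branching on `folio_test_anon(folio)` first, but nothing in the helper stops a later caller from repeating the mistake. I would at least state the contract in the kernel-doc above the helper (its start is outside the hunk), e.g. `Callers must not pass an anonymous mapping (PAGE_MAPPING_ANON set); check folio_test_anon() first.`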
diff --git a/queue-6.9/mm-mmap-allow-for-the-maximum-number-of-bits-for-randomizing-mmap_base-by-default.patch b/queue-6.9/mm-mmap-allow-for-the-maximum-number-of-bits-for-randomizing-mmap_base-by-default.patch
new file mode 100644 (file)
index 0000000..d3d856e
--- /dev/null
@@ -0,0 +1,70 @@
+From 3afb76a66b5559a7b595155803ce23801558a7a9 Mon Sep 17 00:00:00 2001
+From: Rafael Aquini <aquini@redhat.com>
+Date: Thu, 6 Jun 2024 14:06:22 -0400
+Subject: mm: mmap: allow for the maximum number of bits for randomizing mmap_base by default
+
+From: Rafael Aquini <aquini@redhat.com>
+
+commit 3afb76a66b5559a7b595155803ce23801558a7a9 upstream.
+
+An ASLR regression was noticed [1] and tracked down to file-mapped areas
+being backed by THP in recent kernels.  The 21-bit alignment constraint
+for such mappings reduces the entropy for randomizing the placement of
+64-bit library mappings and breaks ASLR completely for 32-bit libraries.
+
+The reported issue is easily addressed by increasing vm.mmap_rnd_bits and
+vm.mmap_rnd_compat_bits.  This patch just provides a simple way to set
+ARCH_MMAP_RND_BITS and ARCH_MMAP_RND_COMPAT_BITS to their maximum values
+allowed by the architecture at build time.
+
+[1] https://zolutal.github.io/aslrnt/
+
+[akpm@linux-foundation.org: default to `y' if 32-bit, per Rafael]
+Link: https://lkml.kernel.org/r/20240606180622.102099-1-aquini@redhat.com
+Fixes: 1854bc6e2420 ("mm/readahead: Align file mappings for non-DAX")
+Signed-off-by: Rafael Aquini <aquini@redhat.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Heiko Carstens <hca@linux.ibm.com>
+Cc: Mike Rapoport (IBM) <rppt@kernel.org>
+Cc: Paul E. McKenney <paulmck@kernel.org>
+Cc: Petr Mladek <pmladek@suse.com>
+Cc: Samuel Holland <samuel.holland@sifive.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/Kconfig |   12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/arch/Kconfig
++++ b/arch/Kconfig
+@@ -1029,10 +1029,21 @@ config ARCH_MMAP_RND_BITS_MAX
+ config ARCH_MMAP_RND_BITS_DEFAULT
+       int
++config FORCE_MAX_MMAP_RND_BITS
++      bool "Force maximum number of bits to use for ASLR of mmap base address"
++      default y if !64BIT
++      help
++        ARCH_MMAP_RND_BITS and ARCH_MMAP_RND_COMPAT_BITS represent the number
++        of bits to use for ASLR and if no custom value is assigned (EXPERT)
++        then the architecture's lower bound (minimum) value is assumed.
++        This toggle changes that default assumption to assume the arch upper
++        bound (maximum) value instead.
++
+ config ARCH_MMAP_RND_BITS
+       int "Number of bits to use for ASLR of mmap base address" if EXPERT
+       range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX
+       default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT
++      default ARCH_MMAP_RND_BITS_MAX if FORCE_MAX_MMAP_RND_BITS
+       default ARCH_MMAP_RND_BITS_MIN
+       depends on HAVE_ARCH_MMAP_RND_BITS
+       help
+@@ -1067,6 +1078,7 @@ config ARCH_MMAP_RND_COMPAT_BITS
+       int "Number of bits to use for ASLR of mmap base address for compatible applications" if EXPERT
+       range ARCH_MMAP_RND_COMPAT_BITS_MIN ARCH_MMAP_RND_COMPAT_BITS_MAX
+       default ARCH_MMAP_RND_COMPAT_BITS_DEFAULT if ARCH_MMAP_RND_COMPAT_BITS_DEFAULT
++      default ARCH_MMAP_RND_COMPAT_BITS_MAX if FORCE_MAX_MMAP_RND_BITS
+       default ARCH_MMAP_RND_COMPAT_BITS_MIN
+       depends on HAVE_ARCH_MMAP_RND_COMPAT_BITS
+       help
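Review bot: In `config ARCH_MMAP_RND_BITS` the new `default ARCH_MMAP_RND_BITS_MAX if FORCE_MAX_MMAP_RND_BITS` line sits below `default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT`, and Kconfig takes the first default whose condition holds, so on an architecture that sets a non-zero ARCH_MMAP_RND_BITS_DEFAULT the toggle appears to have no effect; the `ARCH_MMAP_RND_COMPAT_BITS` hunk uses the same ordering. If that is intended, the help text of `FORCE_MAX_MMAP_RND_BITS` should say so, because someone enabling it for ASLR hardening would otherwise assume the maximum is in force. The new symbol also has no `depends on`, so it is offered where it does nothing; `depends on HAVE_ARCH_MMAP_RND_BITS || HAVE_ARCH_MMAP_RND_COMPAT_BITS` would limit it to architectures that use it. With `default y if !64BIT`, 64-bit builds keep the minimum unless the option is selected, so the effective `vm.mmap_rnd_bits` is worth confirming on the built kernel. Both config entries continue outside their hunks.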
diff --git a/queue-6.9/mm-page_table_check-fix-crash-on-zone_device.patch b/queue-6.9/mm-page_table_check-fix-crash-on-zone_device.patch
new file mode 100644 (file)
index 0000000..208e0fc
--- /dev/null
@@ -0,0 +1,71 @@
+From 8bb592c2eca8fd2bc06db7d80b38da18da4a2f43 Mon Sep 17 00:00:00 2001
+From: Peter Xu <peterx@redhat.com>
+Date: Wed, 5 Jun 2024 17:21:46 -0400
+Subject: mm/page_table_check: fix crash on ZONE_DEVICE
+
+From: Peter Xu <peterx@redhat.com>
+
+commit 8bb592c2eca8fd2bc06db7d80b38da18da4a2f43 upstream.
+
+Not all pages may apply to pgtable check.  One example is ZONE_DEVICE
+pages: they map PFNs directly, and they don't allocate page_ext at all
+even if there's struct page around.  One may reference
+devm_memremap_pages().
+
+When both ZONE_DEVICE and page-table-check enabled, then try to map some
+dax memories, one can trigger kernel bug constantly now when the kernel
+was trying to inject some pfn maps on the dax device:
+
+ kernel BUG at mm/page_table_check.c:55!
+
+While it's pretty legal to use set_pxx_at() for ZONE_DEVICE pages for page
+fault resolutions, skip all the checks if page_ext doesn't even exist in
+pgtable checker, which applies to ZONE_DEVICE but maybe more.
+
+Link: https://lkml.kernel.org/r/20240605212146.994486-1-peterx@redhat.com
+Fixes: df4e817b7108 ("mm: page table check")
+Signed-off-by: Peter Xu <peterx@redhat.com>
+Reviewed-by: Pasha Tatashin <pasha.tatashin@soleen.com>
+Reviewed-by: Dan Williams <dan.j.williams@intel.com>
+Reviewed-by: Alistair Popple <apopple@nvidia.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/page_table_check.c |   11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/mm/page_table_check.c
++++ b/mm/page_table_check.c
+@@ -71,6 +71,9 @@ static void page_table_check_clear(unsig
+       page = pfn_to_page(pfn);
+       page_ext = page_ext_get(page);
++      if (!page_ext)
++              return;
++
+       BUG_ON(PageSlab(page));
+       anon = PageAnon(page);
+@@ -108,6 +111,9 @@ static void page_table_check_set(unsigne
+       page = pfn_to_page(pfn);
+       page_ext = page_ext_get(page);
++      if (!page_ext)
++              return;
++
+       BUG_ON(PageSlab(page));
+       anon = PageAnon(page);
+@@ -138,7 +144,10 @@ void __page_table_check_zero(struct page
+       BUG_ON(PageSlab(page));
+       page_ext = page_ext_get(page);
+-      BUG_ON(!page_ext);
++
++      if (!page_ext)
++              return;
++
+       for (i = 0; i < (1ul << order); i++) {
+               struct page_table_check *ptc = get_page_table_check(page_ext);
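Review bot: The three `if (!page_ext) return;` exits carry no comment, and they turn the checker off for every page that lacks a page_ext, not only the ZONE_DEVICE case from the commit message; in __page_table_check_zero() this replaces a `BUG_ON(!page_ext)`, so a page_ext that is missing unexpectedly is now skipped silently. I would add `/* No page_ext (e.g. ZONE_DEVICE): nothing is tracked for this page */` above each return so the reduced coverage is a documented decision. The ordering also differs: page_table_check_clear() and page_table_check_set() return before `BUG_ON(PageSlab(page))`, while __page_table_check_zero() still runs that check first. All three functions start and end outside their hunks.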
diff --git a/queue-6.9/mm-shmem-fix-getting-incorrect-lruvec-when-replacing-a-shmem-folio.patch b/queue-6.9/mm-shmem-fix-getting-incorrect-lruvec-when-replacing-a-shmem-folio.patch
new file mode 100644 (file)
index 0000000..b664ff7
--- /dev/null
@@ -0,0 +1,103 @@
+From 9094b4a1c76cfe84b906cc152bab34d4ba26fa5c Mon Sep 17 00:00:00 2001
+From: Baolin Wang <baolin.wang@linux.alibaba.com>
+Date: Thu, 13 Jun 2024 16:21:19 +0800
+Subject: mm: shmem: fix getting incorrect lruvec when replacing a shmem folio
+
+From: Baolin Wang <baolin.wang@linux.alibaba.com>
+
+commit 9094b4a1c76cfe84b906cc152bab34d4ba26fa5c upstream.
+
+When testing shmem swapin, I encountered the warning below on my machine.
+The reason is that replacing an old shmem folio with a new one causes
+mem_cgroup_migrate() to clear the old folio's memcg data.  As a result,
+the old folio cannot get the correct memcg's lruvec needed to remove
+itself from the LRU list when it is being freed.  This could lead to
+possible serious problems, such as LRU list crashes due to holding the
+wrong LRU lock, and incorrect LRU statistics.
+
+To fix this issue, we can fallback to use the mem_cgroup_replace_folio()
+to replace the old shmem folio.
+
+[ 5241.100311] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5d9960
+[ 5241.100317] head: order:4 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+[ 5241.100319] flags: 0x17fffe0000040068(uptodate|lru|head|swapbacked|node=0|zone=2|lastcpupid=0x3ffff)
+[ 5241.100323] raw: 17fffe0000040068 fffffdffd6687948 fffffdffd69ae008 0000000000000000
+[ 5241.100325] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
+[ 5241.100326] head: 17fffe0000040068 fffffdffd6687948 fffffdffd69ae008 0000000000000000
+[ 5241.100327] head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
+[ 5241.100328] head: 17fffe0000000204 fffffdffd6665801 ffffffffffffffff 0000000000000000
+[ 5241.100329] head: 0000000a00000010 0000000000000000 00000000ffffffff 0000000000000000
+[ 5241.100330] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled())
+[ 5241.100338] ------------[ cut here ]------------
+[ 5241.100339] WARNING: CPU: 19 PID: 78402 at include/linux/memcontrol.h:775 folio_lruvec_lock_irqsave+0x140/0x150
+[...]
+[ 5241.100374] pc : folio_lruvec_lock_irqsave+0x140/0x150
+[ 5241.100375] lr : folio_lruvec_lock_irqsave+0x138/0x150
+[ 5241.100376] sp : ffff80008b38b930
+[...]
+[ 5241.100398] Call trace:
+[ 5241.100399]  folio_lruvec_lock_irqsave+0x140/0x150
+[ 5241.100401]  __page_cache_release+0x90/0x300
+[ 5241.100404]  __folio_put+0x50/0x108
+[ 5241.100406]  shmem_replace_folio+0x1b4/0x240
+[ 5241.100409]  shmem_swapin_folio+0x314/0x528
+[ 5241.100411]  shmem_get_folio_gfp+0x3b4/0x930
+[ 5241.100412]  shmem_fault+0x74/0x160
+[ 5241.100414]  __do_fault+0x40/0x218
+[ 5241.100417]  do_shared_fault+0x34/0x1b0
+[ 5241.100419]  do_fault+0x40/0x168
+[ 5241.100420]  handle_pte_fault+0x80/0x228
+[ 5241.100422]  __handle_mm_fault+0x1c4/0x440
+[ 5241.100424]  handle_mm_fault+0x60/0x1f0
+[ 5241.100426]  do_page_fault+0x120/0x488
+[ 5241.100429]  do_translation_fault+0x4c/0x68
+[ 5241.100431]  do_mem_abort+0x48/0xa0
+[ 5241.100434]  el0_da+0x38/0xc0
+[ 5241.100436]  el0t_64_sync_handler+0x68/0xc0
+[ 5241.100437]  el0t_64_sync+0x14c/0x150
+[ 5241.100439] ---[ end trace 0000000000000000 ]---
+
+[baolin.wang@linux.alibaba.com: remove less helpful comments, per Matthew]
+  Link: https://lkml.kernel.org/r/ccad3fe1375b468ebca3227b6b729f3eaf9d8046.1718423197.git.baolin.wang@linux.alibaba.com
+Link: https://lkml.kernel.org/r/3c11000dd6c1df83015a8321a859e9775ebbc23e.1718266112.git.baolin.wang@linux.alibaba.com
+Fixes: 85ce2c517ade ("memcontrol: only transfer the memcg data for migration")
+Signed-off-by: Baolin Wang <baolin.wang@linux.alibaba.com>
+Reviewed-by: Shakeel Butt <shakeel.butt@linux.dev>
+Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: Nhat Pham <nphamcs@gmail.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Roman Gushchin <roman.gushchin@linux.dev>
+Cc: Muchun Song <songmuchun@bytedance.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/memcontrol.c |    3 +--
+ mm/shmem.c      |    2 +-
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -7531,8 +7531,7 @@ void __mem_cgroup_uncharge_folios(struct
+  * @new: Replacement folio.
+  *
+  * Charge @new as a replacement folio for @old. @old will
+- * be uncharged upon free. This is only used by the page cache
+- * (in replace_page_cache_folio()).
++ * be uncharged upon free.
+  *
+  * Both folios must be locked, @new->mapping must be set up.
+  */
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -1786,7 +1786,7 @@ static int shmem_replace_folio(struct fo
+       xa_lock_irq(&swap_mapping->i_pages);
+       error = shmem_replace_entry(swap_mapping, swap_index, old, new);
+       if (!error) {
+-              mem_cgroup_migrate(old, new);
++              mem_cgroup_replace_folio(old, new);
+               __lruvec_stat_mod_folio(new, NR_FILE_PAGES, 1);
+               __lruvec_stat_mod_folio(new, NR_SHMEM, 1);
+               __lruvec_stat_mod_folio(old, NR_FILE_PAGES, -1);
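Review bot: The kernel-doc edited in mm/memcontrol.c keeps the precondition `Both folios must be locked, @new->mapping must be set up`, and the shmem_replace_folio() hunk does not show whether `new` meets it at the point where `mem_cgroup_replace_folio(old, new);` is now called. Since the sentence limiting the helper to the page cache was dropped, the comment should either be confirmed to hold for the shmem swap-in path or be reworded to what the helper actually requires. shmem_replace_folio() starts and ends outside the hunk, so this needs checking against the full function.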
diff --git a/queue-6.9/selftests-mptcp-userspace_pm-fixed-subtest-names.patch b/queue-6.9/selftests-mptcp-userspace_pm-fixed-subtest-names.patch
new file mode 100644 (file)
index 0000000..f48159a
--- /dev/null
@@ -0,0 +1,234 @@
+From e874557fce1b6023efafd523aee0c347bf7f1694 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Fri, 14 Jun 2024 19:15:29 +0200
+Subject: selftests: mptcp: userspace_pm: fixed subtest names
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit e874557fce1b6023efafd523aee0c347bf7f1694 upstream.
+
+It is important to have fixed (sub)test names in TAP, because these
+names are used to identify them. If they are not fixed, tracking cannot
+be done.
+
+Some subtests from the userspace_pm selftest were using random numbers
+in their names: the client and server address IDs from $RANDOM, and the
+client port number randomly picked by the kernel when creating the
+connection. These values have been replaced by 'client' and 'server'
+words: that's even more helpful than showing random numbers. Note that
+the addresses IDs are incremented and decremented in the test: +1 or -1
+are then displayed in these cases.
+
+Not to loose info that can be useful for debugging in case of issues,
+these random numbers are now displayed at the beginning of the test.
+
+Fixes: f589234e1af0 ("selftests: mptcp: userspace_pm: format subtests results in TAP")
+Cc: stable@vger.kernel.org
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://lore.kernel.org/r/20240614-upstream-net-20240614-selftests-mptcp-uspace-pm-fixed-test-names-v1-1-460ad3edb429@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/userspace_pm.sh |   46 +++++++++++++---------
+ 1 file changed, 28 insertions(+), 18 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/userspace_pm.sh
++++ b/tools/testing/selftests/net/mptcp/userspace_pm.sh
+@@ -160,10 +160,12 @@ make_connection()
+       local is_v6=$1
+       local app_port=$app4_port
+       local connect_addr="10.0.1.1"
++      local client_addr="10.0.1.2"
+       local listen_addr="0.0.0.0"
+       if [ "$is_v6" = "v6" ]
+       then
+               connect_addr="dead:beef:1::1"
++              client_addr="dead:beef:1::2"
+               listen_addr="::"
+               app_port=$app6_port
+       else
+@@ -206,6 +208,7 @@ make_connection()
+                  [ "$server_serverside" = 1 ]
+       then
+               test_pass
++              print_title "Connection info: ${client_addr}:${client_port} -> ${connect_addr}:${app_port}"
+       else
+               test_fail "Expected tokens (c:${client_token} - s:${server_token}) and server (c:${client_serverside} - s:${server_serverside})"
+               mptcp_lib_result_print_all_tap
+@@ -297,7 +300,7 @@ test_announce()
+       ip netns exec "$ns2"\
+          ./pm_nl_ctl ann 10.0.2.2 token "$client4_token" id $client_addr_id dev\
+          ns2eth1
+-      print_test "ADD_ADDR id:${client_addr_id} 10.0.2.2 (ns2) => ns1, reuse port"
++      print_test "ADD_ADDR id:client 10.0.2.2 (ns2) => ns1, reuse port"
+       sleep 0.5
+       verify_announce_event $server_evts $ANNOUNCED $server4_token "10.0.2.2" $client_addr_id \
+                             "$client4_port"
+@@ -306,7 +309,7 @@ test_announce()
+       :>"$server_evts"
+       ip netns exec "$ns2" ./pm_nl_ctl ann\
+          dead:beef:2::2 token "$client6_token" id $client_addr_id dev ns2eth1
+-      print_test "ADD_ADDR6 id:${client_addr_id} dead:beef:2::2 (ns2) => ns1, reuse port"
++      print_test "ADD_ADDR6 id:client dead:beef:2::2 (ns2) => ns1, reuse port"
+       sleep 0.5
+       verify_announce_event "$server_evts" "$ANNOUNCED" "$server6_token" "dead:beef:2::2"\
+                             "$client_addr_id" "$client6_port" "v6"
+@@ -316,7 +319,7 @@ test_announce()
+       client_addr_id=$((client_addr_id+1))
+       ip netns exec "$ns2" ./pm_nl_ctl ann 10.0.2.2 token "$client4_token" id\
+          $client_addr_id dev ns2eth1 port $new4_port
+-      print_test "ADD_ADDR id:${client_addr_id} 10.0.2.2 (ns2) => ns1, new port"
++      print_test "ADD_ADDR id:client+1 10.0.2.2 (ns2) => ns1, new port"
+       sleep 0.5
+       verify_announce_event "$server_evts" "$ANNOUNCED" "$server4_token" "10.0.2.2"\
+                             "$client_addr_id" "$new4_port"
+@@ -327,7 +330,7 @@ test_announce()
+       # ADD_ADDR from the server to client machine reusing the subflow port
+       ip netns exec "$ns1" ./pm_nl_ctl ann 10.0.2.1 token "$server4_token" id\
+          $server_addr_id dev ns1eth2
+-      print_test "ADD_ADDR id:${server_addr_id} 10.0.2.1 (ns1) => ns2, reuse port"
++      print_test "ADD_ADDR id:server 10.0.2.1 (ns1) => ns2, reuse port"
+       sleep 0.5
+       verify_announce_event "$client_evts" "$ANNOUNCED" "$client4_token" "10.0.2.1"\
+                             "$server_addr_id" "$app4_port"
+@@ -336,7 +339,7 @@ test_announce()
+       :>"$client_evts"
+       ip netns exec "$ns1" ./pm_nl_ctl ann dead:beef:2::1 token "$server6_token" id\
+          $server_addr_id dev ns1eth2
+-      print_test "ADD_ADDR6 id:${server_addr_id} dead:beef:2::1 (ns1) => ns2, reuse port"
++      print_test "ADD_ADDR6 id:server dead:beef:2::1 (ns1) => ns2, reuse port"
+       sleep 0.5
+       verify_announce_event "$client_evts" "$ANNOUNCED" "$client6_token" "dead:beef:2::1"\
+                             "$server_addr_id" "$app6_port" "v6"
+@@ -346,7 +349,7 @@ test_announce()
+       server_addr_id=$((server_addr_id+1))
+       ip netns exec "$ns1" ./pm_nl_ctl ann 10.0.2.1 token "$server4_token" id\
+          $server_addr_id dev ns1eth2 port $new4_port
+-      print_test "ADD_ADDR id:${server_addr_id} 10.0.2.1 (ns1) => ns2, new port"
++      print_test "ADD_ADDR id:server+1 10.0.2.1 (ns1) => ns2, new port"
+       sleep 0.5
+       verify_announce_event "$client_evts" "$ANNOUNCED" "$client4_token" "10.0.2.1"\
+                             "$server_addr_id" "$new4_port"
+@@ -380,7 +383,7 @@ test_remove()
+       local invalid_token=$(( client4_token - 1 ))
+       ip netns exec "$ns2" ./pm_nl_ctl rem token $invalid_token id\
+          $client_addr_id > /dev/null 2>&1
+-      print_test "RM_ADDR id:${client_addr_id} ns2 => ns1, invalid token"
++      print_test "RM_ADDR id:client ns2 => ns1, invalid token"
+       local type
+       type=$(mptcp_lib_evts_get_info type "$server_evts")
+       if [ "$type" = "" ]
+@@ -394,7 +397,7 @@ test_remove()
+       local invalid_id=$(( client_addr_id + 1 ))
+       ip netns exec "$ns2" ./pm_nl_ctl rem token "$client4_token" id\
+          $invalid_id > /dev/null 2>&1
+-      print_test "RM_ADDR id:${invalid_id} ns2 => ns1, invalid id"
++      print_test "RM_ADDR id:client+1 ns2 => ns1, invalid id"
+       type=$(mptcp_lib_evts_get_info type "$server_evts")
+       if [ "$type" = "" ]
+       then
+@@ -407,7 +410,7 @@ test_remove()
+       :>"$server_evts"
+       ip netns exec "$ns2" ./pm_nl_ctl rem token "$client4_token" id\
+          $client_addr_id
+-      print_test "RM_ADDR id:${client_addr_id} ns2 => ns1"
++      print_test "RM_ADDR id:client ns2 => ns1"
+       sleep 0.5
+       verify_remove_event "$server_evts" "$REMOVED" "$server4_token" "$client_addr_id"
+@@ -416,7 +419,7 @@ test_remove()
+       client_addr_id=$(( client_addr_id - 1 ))
+       ip netns exec "$ns2" ./pm_nl_ctl rem token "$client4_token" id\
+          $client_addr_id
+-      print_test "RM_ADDR id:${client_addr_id} ns2 => ns1"
++      print_test "RM_ADDR id:client-1 ns2 => ns1"
+       sleep 0.5
+       verify_remove_event "$server_evts" "$REMOVED" "$server4_token" "$client_addr_id"
+@@ -424,7 +427,7 @@ test_remove()
+       :>"$server_evts"
+       ip netns exec "$ns2" ./pm_nl_ctl rem token "$client6_token" id\
+          $client_addr_id
+-      print_test "RM_ADDR6 id:${client_addr_id} ns2 => ns1"
++      print_test "RM_ADDR6 id:client-1 ns2 => ns1"
+       sleep 0.5
+       verify_remove_event "$server_evts" "$REMOVED" "$server6_token" "$client_addr_id"
+@@ -434,7 +437,7 @@ test_remove()
+       # RM_ADDR from the server to client machine
+       ip netns exec "$ns1" ./pm_nl_ctl rem token "$server4_token" id\
+          $server_addr_id
+-      print_test "RM_ADDR id:${server_addr_id} ns1 => ns2"
++      print_test "RM_ADDR id:server ns1 => ns2"
+       sleep 0.5
+       verify_remove_event "$client_evts" "$REMOVED" "$client4_token" "$server_addr_id"
+@@ -443,7 +446,7 @@ test_remove()
+       server_addr_id=$(( server_addr_id - 1 ))
+       ip netns exec "$ns1" ./pm_nl_ctl rem token "$server4_token" id\
+          $server_addr_id
+-      print_test "RM_ADDR id:${server_addr_id} ns1 => ns2"
++      print_test "RM_ADDR id:server-1 ns1 => ns2"
+       sleep 0.5
+       verify_remove_event "$client_evts" "$REMOVED" "$client4_token" "$server_addr_id"
+@@ -451,7 +454,7 @@ test_remove()
+       :>"$client_evts"
+       ip netns exec "$ns1" ./pm_nl_ctl rem token "$server6_token" id\
+          $server_addr_id
+-      print_test "RM_ADDR6 id:${server_addr_id} ns1 => ns2"
++      print_test "RM_ADDR6 id:server-1 ns1 => ns2"
+       sleep 0.5
+       verify_remove_event "$client_evts" "$REMOVED" "$client6_token" "$server_addr_id"
+ }
+@@ -479,8 +482,14 @@ verify_subflow_events()
+       local locid
+       local remid
+       local info
++      local e_dport_txt
+-      info="${e_saddr} (${e_from}) => ${e_daddr}:${e_dport} (${e_to})"
++      # only display the fixed ports
++      if [ "${e_dport}" -ge "${app4_port}" ] && [ "${e_dport}" -le "${app6_port}" ]; then
++              e_dport_txt=":${e_dport}"
++      fi
++
++      info="${e_saddr} (${e_from}) => ${e_daddr}${e_dport_txt} (${e_to})"
+       if [ "$e_type" = "$SUB_ESTABLISHED" ]
+       then
+@@ -766,7 +775,7 @@ test_subflows_v4_v6_mix()
+       :>"$client_evts"
+       ip netns exec "$ns1" ./pm_nl_ctl ann 10.0.2.1 token "$server6_token" id\
+          $server_addr_id dev ns1eth2
+-      print_test "ADD_ADDR4 id:${server_addr_id} 10.0.2.1 (ns1) => ns2, reuse port"
++      print_test "ADD_ADDR4 id:server 10.0.2.1 (ns1) => ns2, reuse port"
+       sleep 0.5
+       verify_announce_event "$client_evts" "$ANNOUNCED" "$client6_token" "10.0.2.1"\
+                             "$server_addr_id" "$app6_port"
+@@ -861,7 +870,7 @@ test_listener()
+       local listener_pid=$!
+       sleep 0.5
+-      print_test "CREATE_LISTENER 10.0.2.2:$client4_port"
++      print_test "CREATE_LISTENER 10.0.2.2 (client port)"
+       verify_listener_events $client_evts $LISTENER_CREATED $AF_INET 10.0.2.2 $client4_port
+       # ADD_ADDR from client to server machine reusing the subflow port
+@@ -878,13 +887,14 @@ test_listener()
+       mptcp_lib_kill_wait $listener_pid
+       sleep 0.5
+-      print_test "CLOSE_LISTENER 10.0.2.2:$client4_port"
++      print_test "CLOSE_LISTENER 10.0.2.2 (client port)"
+       verify_listener_events $client_evts $LISTENER_CLOSED $AF_INET 10.0.2.2 $client4_port
+ }
+ print_title "Make connections"
+ make_connection
+ make_connection "v6"
++print_title "Will be using address IDs ${client_addr_id} (client) and ${server_addr_id} (server)"
+ test_announce
+ test_remove
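Review bot: The new range test in verify_subflow_events(), `[ "${e_dport}" -ge "${app4_port}" ] && [ "${e_dport}" -le "${app6_port}" ]`, relies on two things the hunk does not show: that `app4_port` is not larger than `app6_port`, and that `e_dport` is always a non-empty integer (otherwise `[` prints an error and the port is silently dropped from the subtest name). A comment stating the assumption, e.g. `# app4_port..app6_port covers the fixed ports; anything else was picked at random`, would make that explicit, since the existing `# only display the fixed ports` does not say why a range is used. `local e_dport_txt` would also read more clearly as `local e_dport_txt=""`, because the variable is only assigned inside the `if`. The function body continues outside the hunk.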
diff --git a/queue-6.9/serial-8250_dw-revert-move-definitions-to-the-shared-header.patch b/queue-6.9/serial-8250_dw-revert-move-definitions-to-the-shared-header.patch
new file mode 100644 (file)
index 0000000..9363641
--- /dev/null
@@ -0,0 +1,118 @@
+From 2c94512055f362dd789e0f87b8566feeddec83c9 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Tue, 14 May 2024 22:05:54 +0300
+Subject: serial: 8250_dw: Revert "Move definitions to the shared header"
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit 2c94512055f362dd789e0f87b8566feeddec83c9 upstream.
+
+This reverts commit d9666dfb314e1ffd6eb9c3c4243fe3e094c047a7.
+
+The container of the struct dw8250_port_data is private to the actual
+driver. In particular, 8250_lpss and 8250_dw use different data types
+that are assigned to the UART port private_data. Hence, it must not
+be used outside the specific driver.
+
+Fix the mistake made in the past by moving the respective definitions
+to the specific driver.
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20240514190730.2787071-3-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250_dw.c    |   27 +++++++++++++++++++++++++++
+ drivers/tty/serial/8250/8250_dwlib.h |   32 --------------------------------
+ 2 files changed, 27 insertions(+), 32 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_dw.c
++++ b/drivers/tty/serial/8250/8250_dw.c
+@@ -57,6 +57,33 @@
+ #define DW_UART_QUIRK_APMC0D08                BIT(4)
+ #define DW_UART_QUIRK_CPR_VALUE               BIT(5)
++struct dw8250_platform_data {
++      u8 usr_reg;
++      u32 cpr_value;
++      unsigned int quirks;
++};
++
++struct dw8250_data {
++      struct dw8250_port_data data;
++      const struct dw8250_platform_data *pdata;
++
++      int                     msr_mask_on;
++      int                     msr_mask_off;
++      struct clk              *clk;
++      struct clk              *pclk;
++      struct notifier_block   clk_notifier;
++      struct work_struct      clk_work;
++      struct reset_control    *rst;
++
++      unsigned int            skip_autocfg:1;
++      unsigned int            uart_16550_compatible:1;
++};
++
++static inline struct dw8250_data *to_dw8250_data(struct dw8250_port_data *data)
++{
++      return container_of(data, struct dw8250_data, data);
++}
++
+ static inline struct dw8250_data *clk_to_dw8250_data(struct notifier_block *nb)
+ {
+       return container_of(nb, struct dw8250_data, clk_notifier);
+--- a/drivers/tty/serial/8250/8250_dwlib.h
++++ b/drivers/tty/serial/8250/8250_dwlib.h
+@@ -2,15 +2,10 @@
+ /* Synopsys DesignWare 8250 library header file. */
+ #include <linux/io.h>
+-#include <linux/notifier.h>
+ #include <linux/types.h>
+-#include <linux/workqueue.h>
+ #include "8250.h"
+-struct clk;
+-struct reset_control;
+-
+ struct dw8250_port_data {
+       /* Port properties */
+       int                     line;
+@@ -26,36 +21,9 @@ struct dw8250_port_data {
+       bool                    hw_rs485_support;
+ };
+-struct dw8250_platform_data {
+-      u8 usr_reg;
+-      u32 cpr_value;
+-      unsigned int quirks;
+-};
+-
+-struct dw8250_data {
+-      struct dw8250_port_data data;
+-      const struct dw8250_platform_data *pdata;
+-
+-      int                     msr_mask_on;
+-      int                     msr_mask_off;
+-      struct clk              *clk;
+-      struct clk              *pclk;
+-      struct notifier_block   clk_notifier;
+-      struct work_struct      clk_work;
+-      struct reset_control    *rst;
+-
+-      unsigned int            skip_autocfg:1;
+-      unsigned int            uart_16550_compatible:1;
+-};
+-
+ void dw8250_do_set_termios(struct uart_port *p, struct ktermios *termios, const struct ktermios *old);
+ void dw8250_setup_port(struct uart_port *p);
+-static inline struct dw8250_data *to_dw8250_data(struct dw8250_port_data *data)
+-{
+-      return container_of(data, struct dw8250_data, data);
+-}
+-
+ static inline u32 dw8250_readl_ext(struct uart_port *p, int offset)
+ {
+       if (p->iotype == UPIO_MEM32BE)
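Review bot: `to_dw8250_data()`, added near the end of the 8250_dw.c hunk, does an unchecked `container_of()` and carries no comment saying which ports it may be used on. The commit message explains that 8250_lpss stores a different type behind the port's private data, so a call on such a port would produce a pointer into the wrong structure with no compile-time or run-time error. I would record that constraint at the definition: `/* Valid only when @data is embedded in struct dw8250_data, i.e. for ports owned by 8250_dw. */`. The moved structs also embed `struct notifier_block` and `struct work_struct` while the header drops `<linux/notifier.h>` and `<linux/workqueue.h>`; the include list of 8250_dw.c is outside the hunk, so it is worth confirming both are included there directly.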
index 99878359ce8003062ebd97f1b139f4cc1f5f2081..1deb853c96edc579227a2b6a2ccae8d5c186e48e 100644 (file)
@@ -218,3 +218,23 @@ dmaengine-xilinx-xdma-fix-data-synchronisation-in-xdma_channel_isr.patch
 net-tcp_ao-don-t-leak-ao_info-on-error-path.patch
 gcov-add-support-for-gcc-14.patch
 kcov-don-t-lose-track-of-remote-references-during-softirqs.patch
+efi-x86-free-efi-memory-map-only-when-installing-a-new-one.patch
+serial-8250_dw-revert-move-definitions-to-the-shared-header.patch
+mips-pci-lantiq-restore-reset-gpio-polarity.patch
+mips-mipsmtregs-fix-target-register-for-mftc0.patch
+mm-mmap-allow-for-the-maximum-number-of-bits-for-randomizing-mmap_base-by-default.patch
+mm-huge_memory-fix-misused-mapping_large_folio_support-for-anon-folios.patch
+mm-shmem-fix-getting-incorrect-lruvec-when-replacing-a-shmem-folio.patch
+selftests-mptcp-userspace_pm-fixed-subtest-names.patch
+tcp-clear-tp-retrans_stamp-in-tcp_rcv_fastopen_synack.patch
+mm-page_table_check-fix-crash-on-zone_device.patch
+ima-avoid-blocking-in-rcu-read-side-critical-section.patch
+i2c-ocores-set-iack-bit-after-core-is-enabled.patch
+dt-bindings-i2c-atmel-at91sam-correct-path-to-i2c-controller-schema.patch
+virt-guest_memfd-fix-reference-leak-on-hwpoisoned-page.patch
+dt-bindings-i2c-google-cros-ec-i2c-tunnel-correct-path-to-i2c-controller-schema.patch
+thermal-int340x-processor_thermal-support-shared-interrupts.patch
+spi-stm32-qspi-fix-dual-flash-mode-sanity-test-in-stm32_qspi_setup.patch
+arm64-dts-imx8qm-mek-fix-gpio-number-for-reg_usdhc2_vmmc.patch
+thermal-core-change-pm-notifier-priority-to-the-minimum.patch
+spi-stm32-qspi-clamp-stm32_qspi_get_mode-output-to-ccr_buswidth_4.patch
diff --git a/queue-6.9/spi-stm32-qspi-clamp-stm32_qspi_get_mode-output-to-ccr_buswidth_4.patch b/queue-6.9/spi-stm32-qspi-clamp-stm32_qspi_get_mode-output-to-ccr_buswidth_4.patch
new file mode 100644 (file)
index 0000000..0779f18
--- /dev/null
@@ -0,0 +1,35 @@
+From 63deee52811b2f84ed2da55ad47252f0e8145d62 Mon Sep 17 00:00:00 2001
+From: Patrice Chotard <patrice.chotard@foss.st.com>
+Date: Tue, 18 Jun 2024 15:29:50 +0200
+Subject: spi: stm32: qspi: Clamp stm32_qspi_get_mode() output to CCR_BUSWIDTH_4
+
+From: Patrice Chotard <patrice.chotard@foss.st.com>
+
+commit 63deee52811b2f84ed2da55ad47252f0e8145d62 upstream.
+
+In case usage of OCTAL mode, buswidth parameter can take the value 8.
+As return value of stm32_qspi_get_mode() is used to configure fields
+of CCR registers that are 2 bits only (fields IMODE, ADMODE, ADSIZE,
+ DMODE), clamp return value of stm32_qspi_get_mode() to 4.
+
+Fixes: a557fca630cc ("spi: stm32_qspi: Add transfer_one_message() spi callback")
+Cc: stable@vger.kernel.org
+Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
+Link: https://msgid.link/r/20240618132951.2743935-3-patrice.chotard@foss.st.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-stm32-qspi.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-stm32-qspi.c
++++ b/drivers/spi/spi-stm32-qspi.c
+@@ -349,7 +349,7 @@ static int stm32_qspi_wait_poll_status(s
+ static int stm32_qspi_get_mode(u8 buswidth)
+ {
+-      if (buswidth == 4)
++      if (buswidth >= 4)
+               return CCR_BUSWIDTH_4;
+       return buswidth;
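Review bot: The new `buswidth >= 4` test in `stm32_qspi_get_mode()` has no comment explaining why octal is reported as `CCR_BUSWIDTH_4`, and the fall-through `return buswidth;` still passes any value below 4 straight into the register field. The commit message gives the reason (the CCR mode fields are two bits wide), which belongs next to the code: `/* CCR mode fields are 2 bits wide; any width >= 4 (including octal) uses CCR_BUSWIDTH_4 */`. The raw return relies on callers passing only widths that are valid field encodings, which this hunk does not show. The function's closing brace is outside the hunk.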
diff --git a/queue-6.9/spi-stm32-qspi-fix-dual-flash-mode-sanity-test-in-stm32_qspi_setup.patch b/queue-6.9/spi-stm32-qspi-fix-dual-flash-mode-sanity-test-in-stm32_qspi_setup.patch
new file mode 100644 (file)
index 0000000..8b0c8fb
--- /dev/null
@@ -0,0 +1,52 @@
+From c2bd0791c5f02e964402624dfff45ca8995f5397 Mon Sep 17 00:00:00 2001
+From: Patrice Chotard <patrice.chotard@foss.st.com>
+Date: Tue, 18 Jun 2024 15:29:49 +0200
+Subject: spi: stm32: qspi: Fix dual flash mode sanity test in stm32_qspi_setup()
+
+From: Patrice Chotard <patrice.chotard@foss.st.com>
+
+commit c2bd0791c5f02e964402624dfff45ca8995f5397 upstream.
+
+Misplaced parenthesis make test of mode wrong in case mode is equal to
+SPI_TX_OCTAL or SPI_RX_OCTAL.
+
+Simplify this sanity test, if one of this bit is set, property
+cs-gpio must be present in DT.
+
+Fixes: a557fca630cc ("spi: stm32_qspi: Add transfer_one_message() spi callback")
+Cc: stable@vger.kernel.org
+Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
+Link: https://msgid.link/r/20240618132951.2743935-2-patrice.chotard@foss.st.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-stm32-qspi.c |   10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/drivers/spi/spi-stm32-qspi.c
++++ b/drivers/spi/spi-stm32-qspi.c
+@@ -653,9 +653,7 @@ static int stm32_qspi_setup(struct spi_d
+               return -EINVAL;
+       mode = spi->mode & (SPI_TX_OCTAL | SPI_RX_OCTAL);
+-      if ((mode == SPI_TX_OCTAL || mode == SPI_RX_OCTAL) ||
+-          ((mode == (SPI_TX_OCTAL | SPI_RX_OCTAL)) &&
+-          gpiod_count(qspi->dev, "cs") == -ENOENT)) {
++      if (mode && gpiod_count(qspi->dev, "cs") == -ENOENT) {
+               dev_err(qspi->dev, "spi-rx-bus-width\\/spi-tx-bus-width\\/cs-gpios\n");
+               dev_err(qspi->dev, "configuration not supported\n");
+@@ -676,10 +674,10 @@ static int stm32_qspi_setup(struct spi_d
+       qspi->cr_reg = CR_APMS | 3 << CR_FTHRES_SHIFT | CR_SSHIFT | CR_EN;
+       /*
+-       * Dual flash mode is only enable in case SPI_TX_OCTAL and SPI_TX_OCTAL
+-       * are both set in spi->mode and "cs-gpios" properties is found in DT
++       * Dual flash mode is only enable in case SPI_TX_OCTAL or SPI_RX_OCTAL
++       * is set in spi->mode and "cs-gpios" properties is found in DT
+        */
+-      if (mode == (SPI_TX_OCTAL | SPI_RX_OCTAL)) {
++      if (mode) {
+               qspi->cr_reg |= CR_DFM;
+               dev_dbg(qspi->dev, "Dual flash mode enable");
+       }
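Review bot: The simplified test `gpiod_count(qspi->dev, "cs") == -ENOENT` in the first hunk of stm32_qspi_setup() rejects the octal configuration for that one return value only. If gpiod_count() reports a different negative errno, the check passes and the second hunk sets `CR_DFM` even though the chip-select lookup failed. Treating every failure the same closes that gap: `if (mode && gpiod_count(qspi->dev, "cs") < 0) {`. Both hunks sit in the middle of stm32_qspi_setup(), whose start and end are outside the patch.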
diff --git a/queue-6.9/tcp-clear-tp-retrans_stamp-in-tcp_rcv_fastopen_synack.patch b/queue-6.9/tcp-clear-tp-retrans_stamp-in-tcp_rcv_fastopen_synack.patch
new file mode 100644 (file)
index 0000000..69fa7c6
--- /dev/null
@@ -0,0 +1,57 @@
+From 9e046bb111f13461d3f9331e24e974324245140e Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 14 Jun 2024 13:06:15 +0000
+Subject: tcp: clear tp->retrans_stamp in tcp_rcv_fastopen_synack()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 9e046bb111f13461d3f9331e24e974324245140e upstream.
+
+Some applications were reporting ETIMEDOUT errors on apparently
+good looking flows, according to packet dumps.
+
+We were able to root cause the issue to an accidental setting
+of tp->retrans_stamp in the following scenario:
+
+- client sends TFO SYN with data.
+- server has TFO disabled, ACKs only SYN but not payload.
+- client receives SYNACK covering only SYN.
+- tcp_ack() eats SYN and sets tp->retrans_stamp to 0.
+- tcp_rcv_fastopen_synack() calls tcp_xmit_retransmit_queue()
+  to retransmit TFO payload w/o SYN, sets tp->retrans_stamp to "now",
+  but we are not in any loss recovery state.
+- TFO payload is ACKed.
+- we are not in any loss recovery state, and don't see any dupacks,
+  so we don't get to any code path that clears tp->retrans_stamp.
+- tp->retrans_stamp stays non-zero for the lifetime of the connection.
+- after first RTO, tcp_clamp_rto_to_user_timeout() clamps second RTO
+  to 1 jiffy due to bogus tp->retrans_stamp.
+- on clamped RTO with non-zero icsk_retransmits, retransmits_timed_out()
+  sets start_ts from tp->retrans_stamp from TFO payload retransmit
+  hours/days ago, and computes bogus long elapsed time for loss recovery,
+  and suffers ETIMEDOUT early.
+
+Fixes: a7abf3cd76e1 ("tcp: consider using standard rtx logic in tcp_rcv_fastopen_synack()")
+CC: stable@vger.kernel.org
+Co-developed-by: Neal Cardwell <ncardwell@google.com>
+Signed-off-by: Neal Cardwell <ncardwell@google.com>
+Co-developed-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: Yuchung Cheng <ycheng@google.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://lore.kernel.org/r/20240614130615.396837-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_input.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -6289,6 +6289,7 @@ static bool tcp_rcv_fastopen_synack(stru
+               skb_rbtree_walk_from(data)
+                        tcp_mark_skb_lost(sk, data);
+               tcp_xmit_retransmit_queue(sk);
++              tp->retrans_stamp = 0;
+               NET_INC_STATS(sock_net(sk),
+                               LINUX_MIB_TCPFASTOPENACTIVEFAIL);
+               return true;
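Review bot: The added `tp->retrans_stamp = 0;` in tcp_rcv_fastopen_synack() has no comment, and its purpose is not obvious from the surrounding lines: it undoes a timestamp that the `tcp_xmit_retransmit_queue(sk)` call on the previous line has just set. The commit message describes what happens when the stamp is left in place (a stale value later clamps the RTO and produces an early ETIMEDOUT), so a why-comment would keep a later cleanup from removing the line. I would add above it `/* Not in loss recovery: drop the stamp set by the retransmit above so it cannot skew later timeout checks. */`. The function starts and ends outside the hunk.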
diff --git a/queue-6.9/thermal-core-change-pm-notifier-priority-to-the-minimum.patch b/queue-6.9/thermal-core-change-pm-notifier-priority-to-the-minimum.patch
new file mode 100644 (file)
index 0000000..380bb86
--- /dev/null
@@ -0,0 +1,51 @@
+From 494c7d055081da066424706b28faa9a4c719d852 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Fri, 14 Jun 2024 17:26:00 +0200
+Subject: thermal: core: Change PM notifier priority to the minimum
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit 494c7d055081da066424706b28faa9a4c719d852 upstream.
+
+It is reported that commit 5a5efdaffda5 ("thermal: core: Resume thermal
+zones asynchronously") causes battery data in sysfs on Thinkpad P1 Gen2
+to become invalid after a resume from S3 (and it is necessary to reboot
+the machine to restore correct battery data).  Some investigation into
+the problem indicated that it happened because, after the commit in
+question, the ACPI battery PM notifier ran in parallel with
+thermal_zone_device_resume() for one of the thermal zones which
+apparently confused the platform firmware on the affected system.
+
+While the exact reason for the firmware confusion remains unclear, it
+is arguably not particularly relevant, and the expected behavior of the
+affected system can be restored by making the thermal PM notifier run
+at the lowest priority which avoids interference between work items
+spawned by it and the other PM notifiers (that will run before those
+work items now).
+
+Fixes: 5a5efdaffda5 ("thermal: core: Resume thermal zones asynchronously")
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218881
+Reported-by: fhortner@yahoo.de
+Tested-by: fhortner@yahoo.de
+Cc: 6.8+ <stable@vger.kernel.org> # 6.8+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thermal/thermal_core.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/thermal/thermal_core.c
++++ b/drivers/thermal/thermal_core.c
+@@ -1633,6 +1633,12 @@ static int thermal_pm_notify(struct noti
+ static struct notifier_block thermal_pm_nb = {
+       .notifier_call = thermal_pm_notify,
++      /*
++       * Run at the lowest priority to avoid interference between the thermal
++       * zone resume work items spawned by thermal_pm_notify() and the other
++       * PM notifiers.
++       */
++      .priority = INT_MIN,
+ };
+ static int __init thermal_init(void)
diff --git a/queue-6.9/thermal-int340x-processor_thermal-support-shared-interrupts.patch b/queue-6.9/thermal-int340x-processor_thermal-support-shared-interrupts.patch
new file mode 100644 (file)
index 0000000..de15e3f
--- /dev/null
@@ -0,0 +1,46 @@
+From 096597cfe4ea08b1830e775436d76d7c9d6d3037 Mon Sep 17 00:00:00 2001
+From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Date: Tue, 18 Jun 2024 21:44:24 -0700
+Subject: thermal: int340x: processor_thermal: Support shared interrupts
+
+From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+
+commit 096597cfe4ea08b1830e775436d76d7c9d6d3037 upstream.
+
+On some systems the processor thermal device interrupt is shared with
+other PCI devices. In this case return IRQ_NONE from the interrupt
+handler when the interrupt is not for the processor thermal device.
+
+Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Fixes: f0658708e863 ("thermal: int340x: processor_thermal: Use non MSI interrupts by default")
+Cc: 6.7+ <stable@vger.kernel.org> # 6.7+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ .../intel/int340x_thermal/processor_thermal_device_pci.c       | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/thermal/intel/int340x_thermal/processor_thermal_device_pci.c b/drivers/thermal/intel/int340x_thermal/processor_thermal_device_pci.c
+index 14e34eabc419..4a1bfebb1b8e 100644
+--- a/drivers/thermal/intel/int340x_thermal/processor_thermal_device_pci.c
++++ b/drivers/thermal/intel/int340x_thermal/processor_thermal_device_pci.c
+@@ -150,7 +150,7 @@ static irqreturn_t proc_thermal_irq_handler(int irq, void *devid)
+ {
+       struct proc_thermal_pci *pci_info = devid;
+       struct proc_thermal_device *proc_priv;
+-      int ret = IRQ_HANDLED;
++      int ret = IRQ_NONE;
+       u32 status;
+       proc_priv = pci_info->proc_priv;
+@@ -175,6 +175,7 @@ static irqreturn_t proc_thermal_irq_handler(int irq, void *devid)
+               /* Disable enable interrupt flag */
+               proc_thermal_mmio_write(pci_info, PROC_THERMAL_MMIO_INT_ENABLE_0, 0);
+               pkg_thermal_schedule_work(&pci_info->work);
++              ret = IRQ_HANDLED;
+       }
+       pci_write_config_byte(pci_info->pdev, 0xdc, 0x01);
+-- 
+2.45.2
+
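Review bot: `ret` in proc_thermal_irq_handler() is declared `int` although the handler returns `irqreturn_t` and the visible lines only store IRQ_* values in it; since the patch already rewrites that declaration it could become `irqreturn_t ret = IRQ_NONE;`. The second hunk assigns `ret = IRQ_HANDLED;` unconditionally inside the status branch, and the lines between the two hunks are not shown: if any of them stores another result in `ret`, it is overwritten here, so that is worth checking against the full function. The context line `pci_write_config_byte(pci_info->pdev, 0xdc, 0x01);` also still runs when the handler returns IRQ_NONE, that is, for interrupts raised by other devices on the shared line; a comment stating why that write is safe in that case would help.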
diff --git a/queue-6.9/virt-guest_memfd-fix-reference-leak-on-hwpoisoned-page.patch b/queue-6.9/virt-guest_memfd-fix-reference-leak-on-hwpoisoned-page.patch
new file mode 100644 (file)
index 0000000..5a282f0
--- /dev/null
@@ -0,0 +1,50 @@
+From c31745d2c508796a0996c88bf2e55f552d513f65 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 11 Jun 2024 04:22:18 -0400
+Subject: virt: guest_memfd: fix reference leak on hwpoisoned page
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit c31745d2c508796a0996c88bf2e55f552d513f65 upstream.
+
+If kvm_gmem_get_pfn() detects an hwpoisoned page, it returns -EHWPOISON
+but it does not put back the reference that kvm_gmem_get_folio() had
+grabbed.  Add the forgotten folio_put().
+
+Fixes: a7800aa80ea4 ("KVM: Add KVM_CREATE_GUEST_MEMFD ioctl() for guest-specific backing memory")
+Cc: stable@vger.kernel.org
+Reviewed-by: Liam Merwick <liam.merwick@oracle.com>
+Reviewed-by: Isaku Yamahata <isaku.yamahata@intel.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ virt/kvm/guest_memfd.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/virt/kvm/guest_memfd.c b/virt/kvm/guest_memfd.c
+index 0f4e0cf4f158..747fe251e445 100644
+--- a/virt/kvm/guest_memfd.c
++++ b/virt/kvm/guest_memfd.c
+@@ -510,8 +510,10 @@ int kvm_gmem_get_pfn(struct kvm *kvm, struct kvm_memory_slot *slot,
+       }
+       if (folio_test_hwpoison(folio)) {
++              folio_unlock(folio);
++              folio_put(folio);
+               r = -EHWPOISON;
+-              goto out_unlock;
++              goto out_fput;
+       }
+       page = folio_file_page(folio, index);
+@@ -522,7 +524,6 @@ int kvm_gmem_get_pfn(struct kvm *kvm, struct kvm_memory_slot *slot,
+       r = 0;
+-out_unlock:
+       folio_unlock(folio);
+ out_fput:
+       fput(file);
+-- 
+2.45.2
+
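Review bot: After this change the hwpoison branch of kvm_gmem_get_pfn() unlocks and puts the folio itself while the success path below only unlocks it, and nothing in the code says why the two differ. From the commit message the reference comes from kvm_gmem_get_folio(); presumably the success path keeps it for the caller, but that is not visible in the hunk. A comment in the branch would make the ownership rule explicit, for example `/* Error: drop the reference taken by kvm_gmem_get_folio(); it is only kept on success. */`. The function starts before the first hunk and continues after the second.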