--- /dev/null
+From 8ca7e1cd2acb326fa188685d9cbdb31b04ae6a26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Feb 2024 12:11:08 -0500
+Subject: Bluetooth: bnep: Fix out-of-bound access
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 0f0639b4d6f649338ce29c62da3ec0787fa08cd1 ]
+
+This fixes attempting to access past ethhdr.h_source, although it seems
+intentional to copy also the contents of h_proto this triggers
+out-of-bound access problems with the likes of static analyzer, so this
+instead just copy ETH_ALEN and then proceed to use put_unaligned to copy
+h_proto separetely.
+
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/bnep/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
+index 43c284158f63e..089160361dded 100644
+--- a/net/bluetooth/bnep/core.c
++++ b/net/bluetooth/bnep/core.c
+@@ -385,7 +385,8 @@ static int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
+
+ case BNEP_COMPRESSED_DST_ONLY:
+ __skb_put_data(nskb, skb_mac_header(skb), ETH_ALEN);
+- __skb_put_data(nskb, s->eh.h_source, ETH_ALEN + 2);
++ __skb_put_data(nskb, s->eh.h_source, ETH_ALEN);
++ put_unaligned(s->eh.h_proto, (__be16 *)__skb_put(nskb, 2));
+ break;
+
+ case BNEP_GENERAL:
+--
+2.43.0
+
--- /dev/null
+From 8ebb2e3af5824cf98948771f4d4c949cc06ec5ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Jan 2024 02:26:32 +0100
+Subject: btrfs: change BUG_ON to assertion when checking for delayed_node root
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit be73f4448b607e6b7ce41cd8ef2214fdf6e7986f ]
+
+The pointer to root is initialized in btrfs_init_delayed_node(), no need
+to check for it again. Change the BUG_ON to assertion.
+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/delayed-inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
+index 95afe5ef7500c..e3a43bf63f06c 100644
+--- a/fs/btrfs/delayed-inode.c
++++ b/fs/btrfs/delayed-inode.c
+@@ -988,7 +988,7 @@ static void btrfs_release_delayed_inode(struct btrfs_delayed_node *delayed_node)
+
+ if (delayed_node &&
+ test_bit(BTRFS_DELAYED_NODE_INODE_DIRTY, &delayed_node->flags)) {
+- BUG_ON(!delayed_node->root);
++ ASSERT(delayed_node->root);
+ clear_bit(BTRFS_DELAYED_NODE_INODE_DIRTY, &delayed_node->flags);
+ delayed_node->count--;
+
+--
+2.43.0
+
--- /dev/null
+From 9337e23ec2fee4dd8c845244501fad2aa32cb1bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Feb 2024 23:20:53 +0100
+Subject: btrfs: delete pointless BUG_ON check on quota root in
+ btrfs_qgroup_account_extent()
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit f40a3ea94881f668084f68f6b9931486b1606db0 ]
+
+The BUG_ON is deep in the qgroup code where we can expect that it
+exists. A NULL pointer would cause a crash.
+
+It was added long ago in 550d7a2ed5db35 ("btrfs: qgroup: Add new qgroup
+calculation function btrfs_qgroup_account_extents()."). It maybe made
+sense back then as the quota enable/disable state machine was not that
+robust as it is nowadays, so we can just delete it.
+
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/qgroup.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
+index d6184b6206ff2..7d0b7e58d66af 100644
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -2603,8 +2603,6 @@ int btrfs_qgroup_account_extent(struct btrfs_trans_handle *trans, u64 bytenr,
+ if (nr_old_roots == 0 && nr_new_roots == 0)
+ goto out_free;
+
+- BUG_ON(!fs_info->quota_root);
+-
+ trace_btrfs_qgroup_account_extent(fs_info, trans->transid, bytenr,
+ num_bytes, nr_old_roots, nr_new_roots);
+
+--
+2.43.0
+
--- /dev/null
+From 6901235e32bc4282eeb22ebdcfab84d0e23dda9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jan 2024 22:58:01 +0100
+Subject: btrfs: handle invalid root reference found in may_destroy_subvol()
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit 6fbc6f4ac1f4907da4fc674251527e7dc79ffbf6 ]
+
+The may_destroy_subvol() looks up a root by a key, allowing to do an
+inexact search when key->offset is -1. It's never expected to find such
+item, as it would break the allowed range of a root id.
+
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/inode.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index 2c86be3fc25cd..d2a988bf9c895 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -4520,7 +4520,14 @@ static noinline int may_destroy_subvol(struct btrfs_root *root)
+ ret = btrfs_search_slot(NULL, fs_info->tree_root, &key, path, 0, 0);
+ if (ret < 0)
+ goto out;
+- BUG_ON(ret == 0);
++ if (ret == 0) {
++ /*
++ * Key with offset -1 found, there would have to exist a root
++ * with such id, but this is out of valid range.
++ */
++ ret = -EUCLEAN;
++ goto out;
++ }
+
+ ret = 0;
+ if (path->slots[0] > 0) {
+--
+2.43.0
+
--- /dev/null
+From 016f007211eea470364dd8593ffd0917453e8fc9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Feb 2024 22:47:13 +0100
+Subject: btrfs: send: handle unexpected data in header buffer in begin_cmd()
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit e80e3f732cf53c64b0d811e1581470d67f6c3228 ]
+
+Change BUG_ON to a proper error handling in the unlikely case of seeing
+data when the command is started. This is supposed to be reset when the
+command is finished (send_cmd, send_encoded_extent).
+
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/send.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
+index 576c027909f8a..e1063ef3dece5 100644
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -692,7 +692,12 @@ static int begin_cmd(struct send_ctx *sctx, int cmd)
+ if (WARN_ON(!sctx->send_buf))
+ return -EINVAL;
+
+- BUG_ON(sctx->send_size);
++ if (unlikely(sctx->send_size != 0)) {
++ btrfs_err(sctx->send_root->fs_info,
++ "send: command header buffer not empty cmd %d offset %llu",
++ cmd, sctx->send_off);
++ return -EINVAL;
++ }
+
+ sctx->send_size += sizeof(*hdr);
+ hdr = (struct btrfs_cmd_header *)sctx->send_buf;
+--
+2.43.0
+
--- /dev/null
+From 5cc85520424fb0a7ddd08c3ada4beab9c4bef559 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jan 2024 03:59:43 +0100
+Subject: drm/lima: set gp bus_stop bit before hard reset
+
+From: Erico Nunes <nunes.erico@gmail.com>
+
+[ Upstream commit 27aa58ec85f973d98d336df7b7941149308db80f ]
+
+This is required for reliable hard resets. Otherwise, doing a hard reset
+while a task is still running (such as a task which is being stopped by
+the drm_sched timeout handler) may result in random mmu write timeouts
+or lockups which cause the entire gpu to hang.
+
+Signed-off-by: Erico Nunes <nunes.erico@gmail.com>
+Signed-off-by: Qiang Yu <yuq825@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240124025947.2110659-5-nunes.erico@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/lima/lima_gp.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/gpu/drm/lima/lima_gp.c b/drivers/gpu/drm/lima/lima_gp.c
+index 3fca560087c97..4bf216cb33030 100644
+--- a/drivers/gpu/drm/lima/lima_gp.c
++++ b/drivers/gpu/drm/lima/lima_gp.c
+@@ -138,6 +138,11 @@ static void lima_gp_task_run(struct lima_sched_pipe *pipe,
+ gp_write(LIMA_GP_CMD, cmd);
+ }
+
++static int lima_gp_bus_stop_poll(struct lima_ip *ip)
++{
++ return !!(gp_read(LIMA_GP_STATUS) & LIMA_GP_STATUS_BUS_STOPPED);
++}
++
+ static int lima_gp_hard_reset_poll(struct lima_ip *ip)
+ {
+ gp_write(LIMA_GP_PERF_CNT_0_LIMIT, 0xC01A0000);
+@@ -151,6 +156,13 @@ static int lima_gp_hard_reset(struct lima_ip *ip)
+
+ gp_write(LIMA_GP_PERF_CNT_0_LIMIT, 0xC0FFE000);
+ gp_write(LIMA_GP_INT_MASK, 0);
++
++ gp_write(LIMA_GP_CMD, LIMA_GP_CMD_STOP_BUS);
++ ret = lima_poll_timeout(ip, lima_gp_bus_stop_poll, 10, 100);
++ if (ret) {
++ dev_err(dev->dev, "%s bus stop timeout\n", lima_ip_name(ip));
++ return ret;
++ }
+ gp_write(LIMA_GP_CMD, LIMA_GP_CMD_RESET);
+ ret = lima_poll_timeout(ip, lima_gp_hard_reset_poll, 10, 100);
+ if (ret) {
+--
+2.43.0
+
--- /dev/null
+From 6d444d0d10862bc45713291b6fdb1b4301c3c6ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jan 2024 22:20:34 +0800
+Subject: ext4: do not trim the group with corrupted block bitmap
+
+From: Baokun Li <libaokun1@huawei.com>
+
+[ Upstream commit 172202152a125955367393956acf5f4ffd092e0d ]
+
+Otherwise operating on an incorrupted block bitmap can lead to all sorts
+of unknown problems.
+
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20240104142040.2835097-3-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/mballoc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
+index 9bc590564ea1f..b268dc0e1df44 100644
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -5227,6 +5227,9 @@ static int ext4_try_to_trim_range(struct super_block *sb,
+ bool set_trimmed = false;
+ void *bitmap;
+
++ if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info)))
++ return 0;
++
+ last = ext4_last_grp_cluster(sb, e4b->bd_group);
+ bitmap = e4b->bd_bitmap;
+ if (start == 0 && max >= last)
+--
+2.43.0
+
--- /dev/null
+From 3ac5e6a2c67427d55bd6b02aa3dda281851f2f34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Mar 2024 19:33:24 +0800
+Subject: ext4: set the type of max_zeroout to unsigned int to avoid overflow
+
+From: Baokun Li <libaokun1@huawei.com>
+
+[ Upstream commit 261341a932d9244cbcd372a3659428c8723e5a49 ]
+
+The max_zeroout is of type int and the s_extent_max_zeroout_kb is of
+type uint, and the s_extent_max_zeroout_kb can be freely modified via
+the sysfs interface. When the block size is 1024, max_zeroout may
+overflow, so declare it as unsigned int to avoid overflow.
+
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20240319113325.3110393-9-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/extents.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index 90b12c7c0f20a..fed3dfed2c249 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -3591,9 +3591,10 @@ static int ext4_ext_convert_to_initialized(handle_t *handle,
+ struct ext4_extent *ex, *abut_ex;
+ ext4_lblk_t ee_block, eof_block;
+ unsigned int ee_len, depth, map_len = map->m_len;
+- int allocated = 0, max_zeroout = 0;
+ int err = 0;
+ int split_flag = EXT4_EXT_DATA_VALID2;
++ int allocated = 0;
++ unsigned int max_zeroout = 0;
+
+ ext_debug("ext4_ext_convert_to_initialized: inode %lu, logical"
+ "block %llu, max_blocks %u\n", inode->i_ino,
+--
+2.43.0
+
--- /dev/null
+From 0bb70e209ab70aa47ae26c385612cb453b835ba1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Feb 2024 19:59:54 +0800
+Subject: f2fs: fix to do sanity check in update_sit_entry
+
+From: Zhiguo Niu <zhiguo.niu@unisoc.com>
+
+[ Upstream commit 36959d18c3cf09b3c12157c6950e18652067de77 ]
+
+If GET_SEGNO return NULL_SEGNO for some unecpected case,
+update_sit_entry will access invalid memory address,
+cause system crash. It is better to do sanity check about
+GET_SEGNO just like update_segment_mtime & locate_dirty_segment.
+
+Also remove some redundant judgment code.
+
+Signed-off-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/segment.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
+index e43b57755a7fe..da37e2b8a0ec7 100644
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -2131,6 +2131,8 @@ static void update_sit_entry(struct f2fs_sb_info *sbi, block_t blkaddr, int del)
+ #endif
+
+ segno = GET_SEGNO(sbi, blkaddr);
++ if (segno == NULL_SEGNO)
++ return;
+
+ se = get_seg_entry(sbi, segno);
+ new_vblocks = se->valid_blocks + del;
+@@ -3113,8 +3115,7 @@ void f2fs_allocate_data_block(struct f2fs_sb_info *sbi, struct page *page,
+ * since SSR needs latest valid block information.
+ */
+ update_sit_entry(sbi, *new_blkaddr, 1);
+- if (GET_SEGNO(sbi, old_blkaddr) != NULL_SEGNO)
+- update_sit_entry(sbi, old_blkaddr, -1);
++ update_sit_entry(sbi, old_blkaddr, -1);
+
+ if (!__has_curseg_space(sbi, type))
+ sit_i->s_ops->allocate_segment(sbi, type, false);
+--
+2.43.0
+
--- /dev/null
+From da3edf472393103b800f9fb7a9ab5cd1f4e2a955 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Apr 2024 21:20:21 -0400
+Subject: fbdev: offb: replace of_node_put with __free(device_node)
+
+From: Abdulrasaq Lawani <abdulrasaqolawani@gmail.com>
+
+[ Upstream commit ce4a7ae84a58b9f33aae8d6c769b3c94f3d5ce76 ]
+
+Replaced instance of of_node_put with __free(device_node)
+to simplify code and protect against any memory leaks
+due to future changes in the control flow.
+
+Suggested-by: Julia Lawall <julia.lawall@inria.fr>
+Signed-off-by: Abdulrasaq Lawani <abdulrasaqolawani@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/offb.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/video/fbdev/offb.c b/drivers/video/fbdev/offb.c
+index fbc6eafb63c77..fcff3601b05cc 100644
+--- a/drivers/video/fbdev/offb.c
++++ b/drivers/video/fbdev/offb.c
+@@ -354,7 +354,7 @@ static void offb_init_palette_hacks(struct fb_info *info, struct device_node *dp
+ par->cmap_type = cmap_gxt2000;
+ } else if (of_node_name_prefix(dp, "vga,Display-")) {
+ /* Look for AVIVO initialized by SLOF */
+- struct device_node *pciparent = of_get_parent(dp);
++ struct device_node *pciparent __free(device_node) = of_get_parent(dp);
+ const u32 *vid, *did;
+ vid = of_get_property(pciparent, "vendor-id", NULL);
+ did = of_get_property(pciparent, "device-id", NULL);
+@@ -366,7 +366,6 @@ static void offb_init_palette_hacks(struct fb_info *info, struct device_node *dp
+ if (par->cmap_adr)
+ par->cmap_type = cmap_avivo;
+ }
+- of_node_put(pciparent);
+ } else if (dp && of_device_is_compatible(dp, "qemu,std-vga")) {
+ #ifdef __BIG_ENDIAN
+ const __be32 io_of_addr[3] = { 0x01000000, 0x0, 0x0 };
+--
+2.43.0
+
--- /dev/null
+From e10c2b2cd84485322b58cad587413e1488a0b405 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Jan 2024 07:06:37 -0800
+Subject: fs: binfmt_elf_efpic: don't use missing interpreter's properties
+
+From: Max Filippov <jcmvbkbc@gmail.com>
+
+[ Upstream commit 15fd1dc3dadb4268207fa6797e753541aca09a2a ]
+
+Static FDPIC executable may get an executable stack even when it has
+non-executable GNU_STACK segment. This happens when STACK segment has rw
+permissions, but does not specify stack size. In that case FDPIC loader
+uses permissions of the interpreter's stack, and for static executables
+with no interpreter it results in choosing the arch-default permissions
+for the stack.
+
+Fix that by using the interpreter's properties only when the interpreter
+is actually used.
+
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Link: https://lore.kernel.org/r/20240118150637.660461-1-jcmvbkbc@gmail.com
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/binfmt_elf_fdpic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c
+index 28aef31a6e6f2..aeeba59fa7342 100644
+--- a/fs/binfmt_elf_fdpic.c
++++ b/fs/binfmt_elf_fdpic.c
+@@ -320,7 +320,7 @@ static int load_elf_fdpic_binary(struct linux_binprm *bprm)
+ else
+ executable_stack = EXSTACK_DEFAULT;
+
+- if (stack_size == 0) {
++ if (stack_size == 0 && interp_params.flags & ELF_FDPIC_FLAG_PRESENT) {
+ stack_size = interp_params.stack_size;
+ if (interp_params.flags & ELF_FDPIC_FLAG_EXEC_STACK)
+ executable_stack = EXSTACK_ENABLE_X;
+--
+2.43.0
+
--- /dev/null
+From 511dc15d619e3a9d3e62003f7f2e192afe91e81e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Jun 2024 21:31:36 +0800
+Subject: hrtimer: Prevent queuing of hrtimer without a function callback
+
+From: Phil Chang <phil.chang@mediatek.com>
+
+[ Upstream commit 5a830bbce3af16833fe0092dec47b6dd30279825 ]
+
+The hrtimer function callback must not be NULL. It has to be specified by
+the call side but it is not validated by the hrtimer code. When a hrtimer
+is queued without a function callback, the kernel crashes with a null
+pointer dereference when trying to execute the callback in __run_hrtimer().
+
+Introduce a validation before queuing the hrtimer in
+hrtimer_start_range_ns().
+
+[anna-maria: Rephrase commit message]
+
+Signed-off-by: Phil Chang <phil.chang@mediatek.com>
+Signed-off-by: Anna-Maria Behnsen <anna-maria@linutronix.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Anna-Maria Behnsen <anna-maria@linutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/hrtimer.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index 1b301dd1692b8..2e4f136bdf6ab 100644
+--- a/kernel/time/hrtimer.c
++++ b/kernel/time/hrtimer.c
+@@ -1183,6 +1183,8 @@ void hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim,
+ struct hrtimer_clock_base *base;
+ unsigned long flags;
+
++ if (WARN_ON_ONCE(!timer->function))
++ return;
+ /*
+ * Check whether the HRTIMER_MODE_SOFT bit and hrtimer.is_soft
+ * match on CONFIG_PREEMPT_RT = n. With PREEMPT_RT check the hard
+--
+2.43.0
+
--- /dev/null
+From 5ca1ee6e93d19596cc9075e4d37f46a0af9a641e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Apr 2024 14:10:53 +0800
+Subject: irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc
+
+From: Guanrui Huang <guanrui.huang@linux.alibaba.com>
+
+[ Upstream commit 382d2ffe86efb1e2fa803d2cf17e5bfc34e574f3 ]
+
+This BUG_ON() is useless, because the same effect will be obtained
+by letting the code run its course and vm being dereferenced,
+triggering an exception.
+
+So just remove this check.
+
+Signed-off-by: Guanrui Huang <guanrui.huang@linux.alibaba.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Zenghui Yu <yuzenghui@huawei.com>
+Acked-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20240418061053.96803-3-guanrui.huang@linux.alibaba.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-gic-v3-its.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
+index d16776c6dee7b..ae3378ef469b0 100644
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -3085,8 +3085,6 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq
+ struct page *vprop_page;
+ int base, nr_ids, i, err = 0;
+
+- BUG_ON(!vm);
+-
+ bitmap = its_lpi_alloc(roundup_pow_of_two(nr_irqs), &base, &nr_ids);
+ if (!bitmap)
+ return -ENOMEM;
+--
+2.43.0
+
--- /dev/null
+From b25b3bb5ae3d8d2375d622e80b22a07df652d5c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Feb 2024 11:14:38 +0800
+Subject: md: clean up invalid BUG_ON in md_ioctl
+
+From: Li Nan <linan122@huawei.com>
+
+[ Upstream commit 9dd8702e7cd28ebf076ff838933f29cf671165ec ]
+
+'disk->private_data' is set to mddev in md_alloc() and never set to NULL,
+and users need to open mddev before submitting ioctl. So mddev must not
+have been freed during ioctl, and there is no need to check mddev here.
+Clean up it.
+
+Signed-off-by: Li Nan <linan122@huawei.com>
+Reviewed-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Link: https://lore.kernel.org/r/20240226031444.3606764-4-linan666@huaweicloud.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 61c3e8df1b55b..e5f3010debb85 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -7396,11 +7396,6 @@ static int md_ioctl(struct block_device *bdev, fmode_t mode,
+
+ mddev = bdev->bd_disk->private_data;
+
+- if (!mddev) {
+- BUG();
+- goto out;
+- }
+-
+ /* Some actions do not requires the mutex */
+ switch (cmd) {
+ case GET_ARRAY_INFO:
+--
+2.43.0
+
--- /dev/null
+From dbbb93f1e84ae769faed5370ef502113fba54e92 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Oct 2023 08:58:49 +0200
+Subject: media: pci: cx23885: check cx23885_vdev_init() return
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 15126b916e39b0cb67026b0af3c014bfeb1f76b3 ]
+
+cx23885_vdev_init() can return a NULL pointer, but that pointer
+is used in the next line without a check.
+
+Add a NULL pointer check and go to the error unwind if it is NULL.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reported-by: Sicong Huang <huangsicong@iie.ac.cn>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/cx23885/cx23885-video.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/media/pci/cx23885/cx23885-video.c b/drivers/media/pci/cx23885/cx23885-video.c
+index 90224a9947022..e4e295067a7ee 100644
+--- a/drivers/media/pci/cx23885/cx23885-video.c
++++ b/drivers/media/pci/cx23885/cx23885-video.c
+@@ -1299,6 +1299,10 @@ int cx23885_video_register(struct cx23885_dev *dev)
+ /* register Video device */
+ dev->video_dev = cx23885_vdev_init(dev, dev->pci,
+ &cx23885_video_template, "video");
++ if (!dev->video_dev) {
++ err = -ENOMEM;
++ goto fail_unreg;
++ }
+ dev->video_dev->queue = &dev->vb2_vidq;
+ dev->video_dev->device_caps = V4L2_CAP_READWRITE | V4L2_CAP_STREAMING |
+ V4L2_CAP_AUDIO | V4L2_CAP_VIDEO_CAPTURE;
+@@ -1317,6 +1321,10 @@ int cx23885_video_register(struct cx23885_dev *dev)
+ /* register VBI device */
+ dev->vbi_dev = cx23885_vdev_init(dev, dev->pci,
+ &cx23885_vbi_template, "vbi");
++ if (!dev->vbi_dev) {
++ err = -ENOMEM;
++ goto fail_unreg;
++ }
+ dev->vbi_dev->queue = &dev->vb2_vbiq;
+ dev->vbi_dev->device_caps = V4L2_CAP_READWRITE | V4L2_CAP_STREAMING |
+ V4L2_CAP_AUDIO | V4L2_CAP_VBI_CAPTURE;
+--
+2.43.0
+
--- /dev/null
+From c90114e73df4072e96311d7bd10076579a275791 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Feb 2024 08:16:54 -0800
+Subject: net/sun3_82586: Avoid reading past buffer in debug output
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 4bea747f3fbec33c16d369b2f51e55981d7c78d0 ]
+
+Since NUM_XMIT_BUFFS is always 1, building m68k with sun3_defconfig and
+-Warraybounds, this build warning is visible[1]:
+
+drivers/net/ethernet/i825xx/sun3_82586.c: In function 'sun3_82586_timeout':
+drivers/net/ethernet/i825xx/sun3_82586.c:990:122: warning: array subscript 1 is above array bounds of 'volatile struct transmit_cmd_struct *[1]' [-Warray-bounds=]
+ 990 | printk("%s: command-stats: %04x %04x\n",dev->name,swab16(p->xmit_cmds[0]->cmd_status),swab16(p->xmit_cmds[1]->cmd_status));
+ | ~~~~~~~~~~~~^~~
+...
+drivers/net/ethernet/i825xx/sun3_82586.c:156:46: note: while referencing 'xmit_cmds'
+ 156 | volatile struct transmit_cmd_struct *xmit_cmds[NUM_XMIT_BUFFS];
+
+Avoid accessing index 1 since it doesn't exist.
+
+Link: https://github.com/KSPP/linux/issues/325 [1]
+Cc: Sam Creasey <sammy@sammy.net>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Simon Horman <horms@kernel.org> # build-tested
+Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Link: https://lore.kernel.org/r/20240206161651.work.876-kees@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/i825xx/sun3_82586.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/i825xx/sun3_82586.c b/drivers/net/ethernet/i825xx/sun3_82586.c
+index 1a86184d44c0a..e0c9fee4e1e65 100644
+--- a/drivers/net/ethernet/i825xx/sun3_82586.c
++++ b/drivers/net/ethernet/i825xx/sun3_82586.c
+@@ -990,7 +990,7 @@ static void sun3_82586_timeout(struct net_device *dev)
+ {
+ #ifdef DEBUG
+ printk("%s: xmitter timed out, try to restart! stat: %02x\n",dev->name,p->scb->cus);
+- printk("%s: command-stats: %04x %04x\n",dev->name,swab16(p->xmit_cmds[0]->cmd_status),swab16(p->xmit_cmds[1]->cmd_status));
++ printk("%s: command-stats: %04x\n", dev->name, swab16(p->xmit_cmds[0]->cmd_status));
+ printk("%s: check, whether you set the right interrupt number!\n",dev->name);
+ #endif
+ sun3_82586_close(dev);
+--
+2.43.0
+
--- /dev/null
+From d2cc55ebf365e0ca473a530dfc5cc9e154cb1315 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Feb 2024 11:24:53 +1100
+Subject: NFS: avoid infinite loop in pnfs_update_layout.
+
+From: NeilBrown <neilb@suse.de>
+
+[ Upstream commit 2fdbc20036acda9e5694db74a032d3c605323005 ]
+
+If pnfsd_update_layout() is called on a file for which recovery has
+failed it will enter a tight infinite loop.
+
+NFS_LAYOUT_INVALID_STID will be set, nfs4_select_rw_stateid() will
+return -EIO, and nfs4_schedule_stateid_recovery() will do nothing, so
+nfs4_client_recover_expired_lease() will not wait. So the code will
+loop indefinitely.
+
+Break the loop by testing the validity of the open stateid at the top of
+the loop.
+
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/pnfs.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
+index 3b19fa74b0620..3f7d905d7528d 100644
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -1953,6 +1953,14 @@ pnfs_update_layout(struct inode *ino,
+ }
+
+ lookup_again:
++ if (!nfs4_valid_open_stateid(ctx->state)) {
++ trace_pnfs_update_layout(ino, pos, count,
++ iomode, lo, lseg,
++ PNFS_UPDATE_LAYOUT_INVALID_OPEN);
++ lseg = ERR_PTR(-EIO);
++ goto out;
++ }
++
+ lseg = ERR_PTR(nfs4_client_recover_expired_lease(clp));
+ if (IS_ERR(lseg))
+ goto out;
+--
+2.43.0
+
--- /dev/null
+From d6b801dd4fdee49c4a43e77e6d7fd48a9f0f3cba Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Mar 2024 06:20:30 -0800
+Subject: nvme: clear caller pointer on identify failure
+
+From: Keith Busch <kbusch@kernel.org>
+
+[ Upstream commit 7e80eb792bd7377a20f204943ac31c77d859be89 ]
+
+The memory allocated for the identification is freed on failure. Set
+it to NULL so the caller doesn't have a pointer to that freed address.
+
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 9144ed14b0741..0676637e1eab6 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -1080,8 +1080,10 @@ static int nvme_identify_ctrl(struct nvme_ctrl *dev, struct nvme_id_ctrl **id)
+
+ error = nvme_submit_sync_cmd(dev->admin_q, &c, *id,
+ sizeof(struct nvme_id_ctrl));
+- if (error)
++ if (error) {
+ kfree(*id);
++ *id = NULL;
++ }
+ return error;
+ }
+
+@@ -1193,6 +1195,7 @@ static int nvme_identify_ns(struct nvme_ctrl *ctrl,
+ if (error) {
+ dev_warn(ctrl->device, "Identify namespace failed (%d)\n", error);
+ kfree(*id);
++ *id = NULL;
+ }
+
+ return error;
+--
+2.43.0
+
--- /dev/null
+From 1cc2c07a3c3b446a964ebd2424dc435071e4fed2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 May 2024 10:53:06 +0300
+Subject: nvmet-rdma: fix possible bad dereference when freeing rsps
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+[ Upstream commit 73964c1d07c054376f1b32a62548571795159148 ]
+
+It is possible that the host connected and saw a cm established
+event and started sending nvme capsules on the qp, however the
+ctrl did not yet see an established event. This is why the
+rsp_wait_list exists (for async handling of these cmds, we move
+them to a pending list).
+
+Furthermore, it is possible that the ctrl cm times out, resulting
+in a connect-error cm event. in this case we hit a bad deref [1]
+because in nvmet_rdma_free_rsps we assume that all the responses
+are in the free list.
+
+We are freeing the cmds array anyways, so don't even bother to
+remove the rsp from the free_list. It is also guaranteed that we
+are not racing anything when we are releasing the queue so no
+other context accessing this array should be running.
+
+[1]:
+--
+Workqueue: nvmet-free-wq nvmet_rdma_free_queue_work [nvmet_rdma]
+[...]
+pc : nvmet_rdma_free_rsps+0x78/0xb8 [nvmet_rdma]
+lr : nvmet_rdma_free_queue_work+0x88/0x120 [nvmet_rdma]
+ Call trace:
+ nvmet_rdma_free_rsps+0x78/0xb8 [nvmet_rdma]
+ nvmet_rdma_free_queue_work+0x88/0x120 [nvmet_rdma]
+ process_one_work+0x1ec/0x4a0
+ worker_thread+0x48/0x490
+ kthread+0x158/0x160
+ ret_from_fork+0x10/0x18
+--
+
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/rdma.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/nvme/target/rdma.c b/drivers/nvme/target/rdma.c
+index 50e2007092bc0..ae41b6001c7e2 100644
+--- a/drivers/nvme/target/rdma.c
++++ b/drivers/nvme/target/rdma.c
+@@ -428,12 +428,8 @@ nvmet_rdma_alloc_rsps(struct nvmet_rdma_queue *queue)
+ return 0;
+
+ out_free:
+- while (--i >= 0) {
+- struct nvmet_rdma_rsp *rsp = &queue->rsps[i];
+-
+- list_del(&rsp->free_list);
+- nvmet_rdma_free_rsp(ndev, rsp);
+- }
++ while (--i >= 0)
++ nvmet_rdma_free_rsp(ndev, &queue->rsps[i]);
+ kfree(queue->rsps);
+ out:
+ return ret;
+@@ -444,12 +440,8 @@ static void nvmet_rdma_free_rsps(struct nvmet_rdma_queue *queue)
+ struct nvmet_rdma_device *ndev = queue->dev;
+ int i, nr_rsps = queue->recv_queue_size * 2;
+
+- for (i = 0; i < nr_rsps; i++) {
+- struct nvmet_rdma_rsp *rsp = &queue->rsps[i];
+-
+- list_del(&rsp->free_list);
+- nvmet_rdma_free_rsp(ndev, rsp);
+- }
++ for (i = 0; i < nr_rsps; i++)
++ nvmet_rdma_free_rsp(ndev, &queue->rsps[i]);
+ kfree(queue->rsps);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 5bcda32312ccee3396b5703b6dc0429e91a65a5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Mar 2024 08:11:05 +0100
+Subject: nvmet-tcp: do not continue for invalid icreq
+
+From: Hannes Reinecke <hare@suse.de>
+
+[ Upstream commit 0889d13b9e1cbef49e802ae09f3b516911ad82a1 ]
+
+When the length check for an icreq sqe fails we should not
+continue processing but rather return immediately as all
+other contents of that sqe cannot be relied on.
+
+Signed-off-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/tcp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
+index d40bd57537ba1..fa6e7fbf356e7 100644
+--- a/drivers/nvme/target/tcp.c
++++ b/drivers/nvme/target/tcp.c
+@@ -792,6 +792,7 @@ static int nvmet_tcp_handle_icreq(struct nvmet_tcp_queue *queue)
+ pr_err("bad nvme-tcp pdu length (%d)\n",
+ le32_to_cpu(icreq->hdr.plen));
+ nvmet_tcp_fatal_error(queue);
++ return -EPROTO;
+ }
+
+ if (icreq->pfv != NVME_TCP_PFV_1_0) {
+--
+2.43.0
+
--- /dev/null
+From 8d880632f2000b80810f218507a7af0eba5dfbae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Dec 2023 16:30:51 +0100
+Subject: nvmet-trace: avoid dereferencing pointer too early
+
+From: Daniel Wagner <dwagner@suse.de>
+
+[ Upstream commit 0e716cec6fb11a14c220ee17c404b67962e902f7 ]
+
+The first command issued from the host to the target is the fabrics
+connect command. At this point, neither the target queue nor the
+controller have been allocated. But we already try to trace this command
+in nvmet_req_init.
+
+Reported by KASAN.
+
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Daniel Wagner <dwagner@suse.de>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/trace.c | 6 +++---
+ drivers/nvme/target/trace.h | 28 +++++++++++++++++-----------
+ 2 files changed, 20 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/nvme/target/trace.c b/drivers/nvme/target/trace.c
+index 1373a3c67962a..a3564e12927b6 100644
+--- a/drivers/nvme/target/trace.c
++++ b/drivers/nvme/target/trace.c
+@@ -195,7 +195,7 @@ const char *nvmet_trace_disk_name(struct trace_seq *p, char *name)
+ return ret;
+ }
+
+-const char *nvmet_trace_ctrl_name(struct trace_seq *p, struct nvmet_ctrl *ctrl)
++const char *nvmet_trace_ctrl_id(struct trace_seq *p, u16 ctrl_id)
+ {
+ const char *ret = trace_seq_buffer_ptr(p);
+
+@@ -208,8 +208,8 @@ const char *nvmet_trace_ctrl_name(struct trace_seq *p, struct nvmet_ctrl *ctrl)
+ * If we can know the extra data of the connect command in this stage,
+ * we can update this print statement later.
+ */
+- if (ctrl)
+- trace_seq_printf(p, "%d", ctrl->cntlid);
++ if (ctrl_id)
++ trace_seq_printf(p, "%d", ctrl_id);
+ else
+ trace_seq_printf(p, "_");
+ trace_seq_putc(p, 0);
+diff --git a/drivers/nvme/target/trace.h b/drivers/nvme/target/trace.h
+index 3f61b6657175e..5b00a338d52ca 100644
+--- a/drivers/nvme/target/trace.h
++++ b/drivers/nvme/target/trace.h
+@@ -32,18 +32,24 @@ const char *nvmet_trace_parse_fabrics_cmd(struct trace_seq *p, u8 fctype,
+ nvmet_trace_parse_nvm_cmd(p, opcode, cdw10) : \
+ nvmet_trace_parse_admin_cmd(p, opcode, cdw10)))
+
+-const char *nvmet_trace_ctrl_name(struct trace_seq *p, struct nvmet_ctrl *ctrl);
+-#define __print_ctrl_name(ctrl) \
+- nvmet_trace_ctrl_name(p, ctrl)
++const char *nvmet_trace_ctrl_id(struct trace_seq *p, u16 ctrl_id);
++#define __print_ctrl_id(ctrl_id) \
++ nvmet_trace_ctrl_id(p, ctrl_id)
+
+ const char *nvmet_trace_disk_name(struct trace_seq *p, char *name);
+ #define __print_disk_name(name) \
+ nvmet_trace_disk_name(p, name)
+
+ #ifndef TRACE_HEADER_MULTI_READ
+-static inline struct nvmet_ctrl *nvmet_req_to_ctrl(struct nvmet_req *req)
++static inline u16 nvmet_req_to_ctrl_id(struct nvmet_req *req)
+ {
+- return req->sq->ctrl;
++ /*
++ * The queue and controller pointers are not valid until an association
++ * has been established.
++ */
++ if (!req->sq || !req->sq->ctrl)
++ return 0;
++ return req->sq->ctrl->cntlid;
+ }
+
+ static inline void __assign_req_name(char *name, struct nvmet_req *req)
+@@ -60,7 +66,7 @@ TRACE_EVENT(nvmet_req_init,
+ TP_ARGS(req, cmd),
+ TP_STRUCT__entry(
+ __field(struct nvme_command *, cmd)
+- __field(struct nvmet_ctrl *, ctrl)
++ __field(u16, ctrl_id)
+ __array(char, disk, DISK_NAME_LEN)
+ __field(int, qid)
+ __field(u16, cid)
+@@ -73,7 +79,7 @@ TRACE_EVENT(nvmet_req_init,
+ ),
+ TP_fast_assign(
+ __entry->cmd = cmd;
+- __entry->ctrl = nvmet_req_to_ctrl(req);
++ __entry->ctrl_id = nvmet_req_to_ctrl_id(req);
+ __assign_req_name(__entry->disk, req);
+ __entry->qid = req->sq->qid;
+ __entry->cid = cmd->common.command_id;
+@@ -87,7 +93,7 @@ TRACE_EVENT(nvmet_req_init,
+ ),
+ TP_printk("nvmet%s: %sqid=%d, cmdid=%u, nsid=%u, flags=%#x, "
+ "meta=%#llx, cmd=(%s, %s)",
+- __print_ctrl_name(__entry->ctrl),
++ __print_ctrl_id(__entry->ctrl_id),
+ __print_disk_name(__entry->disk),
+ __entry->qid, __entry->cid, __entry->nsid,
+ __entry->flags, __entry->metadata,
+@@ -101,7 +107,7 @@ TRACE_EVENT(nvmet_req_complete,
+ TP_PROTO(struct nvmet_req *req),
+ TP_ARGS(req),
+ TP_STRUCT__entry(
+- __field(struct nvmet_ctrl *, ctrl)
++ __field(u16, ctrl_id)
+ __array(char, disk, DISK_NAME_LEN)
+ __field(int, qid)
+ __field(int, cid)
+@@ -109,7 +115,7 @@ TRACE_EVENT(nvmet_req_complete,
+ __field(u16, status)
+ ),
+ TP_fast_assign(
+- __entry->ctrl = nvmet_req_to_ctrl(req);
++ __entry->ctrl_id = nvmet_req_to_ctrl_id(req);
+ __entry->qid = req->cq->qid;
+ __entry->cid = req->cqe->command_id;
+ __entry->result = le64_to_cpu(req->cqe->result.u64);
+@@ -117,7 +123,7 @@ TRACE_EVENT(nvmet_req_complete,
+ __assign_req_name(__entry->disk, req);
+ ),
+ TP_printk("nvmet%s: %sqid=%d, cmdid=%u, res=%#llx, status=%#x",
+- __print_ctrl_name(__entry->ctrl),
++ __print_ctrl_id(__entry->ctrl_id),
+ __print_disk_name(__entry->disk),
+ __entry->qid, __entry->cid, __entry->result, __entry->status)
+
+--
+2.43.0
+
--- /dev/null
+From 01824c19d9904a72a807cb76b9cb64272a019a0c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Feb 2024 16:29:30 -0800
+Subject: openrisc: Call setup_memory() earlier in the init sequence
+
+From: Oreoluwa Babatunde <quic_obabatun@quicinc.com>
+
+[ Upstream commit 7b432bf376c9c198a7ff48f1ed14a14c0ffbe1fe ]
+
+The unflatten_and_copy_device_tree() function contains a call to
+memblock_alloc(). This means that memblock is allocating memory before
+any of the reserved memory regions are set aside in the setup_memory()
+function which calls early_init_fdt_scan_reserved_mem(). Therefore,
+there is a possibility for memblock to allocate from any of the
+reserved memory regions.
+
+Hence, move the call to setup_memory() to be earlier in the init
+sequence so that the reserved memory regions are set aside before any
+allocations are done using memblock.
+
+Signed-off-by: Oreoluwa Babatunde <quic_obabatun@quicinc.com>
+Signed-off-by: Stafford Horne <shorne@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/openrisc/kernel/setup.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/openrisc/kernel/setup.c b/arch/openrisc/kernel/setup.c
+index ae104eb4becc7..bd0ba3157d515 100644
+--- a/arch/openrisc/kernel/setup.c
++++ b/arch/openrisc/kernel/setup.c
+@@ -280,6 +280,9 @@ void calibrate_delay(void)
+
+ void __init setup_arch(char **cmdline_p)
+ {
++ /* setup memblock allocator */
++ setup_memory();
++
+ unflatten_and_copy_device_tree();
+
+ setup_cpuinfo();
+@@ -304,9 +307,6 @@ void __init setup_arch(char **cmdline_p)
+ initrd_below_start_ok = 1;
+ #endif
+
+- /* setup memblock allocator */
+- setup_memory();
+-
+ /* paging_init() sets up the MMU and marks all pages as reserved */
+ paging_init();
+
+--
+2.43.0
+
--- /dev/null
+From 11c92a40903910f237644097a6d1cc46e5a019e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Nov 2023 23:16:00 +0100
+Subject: parisc: Use irq_enter_rcu() to fix warning at
+ kernel/context_tracking.c:367
+
+From: Helge Deller <deller@gmx.de>
+
+[ Upstream commit 73cb4a2d8d7e0259f94046116727084f21e4599f ]
+
+Use irq*_rcu() functions to fix this kernel warning:
+
+ WARNING: CPU: 0 PID: 0 at kernel/context_tracking.c:367 ct_irq_enter+0xa0/0xd0
+ Modules linked in:
+ CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.7.0-rc3-64bit+ #1037
+ Hardware name: 9000/785/C3700
+
+ IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000412cd758 00000000412cd75c
+ IIR: 03ffe01f ISR: 0000000000000000 IOR: 0000000043c20c20
+ CPU: 0 CR30: 0000000041caa000 CR31: 0000000000000000
+ ORIG_R28: 0000000000000005
+ IAOQ[0]: ct_irq_enter+0xa0/0xd0
+ IAOQ[1]: ct_irq_enter+0xa4/0xd0
+ RP(r2): irq_enter+0x34/0x68
+ Backtrace:
+ [<000000004034a3ec>] irq_enter+0x34/0x68
+ [<000000004030dc48>] do_cpu_irq_mask+0xc0/0x450
+ [<0000000040303070>] intr_return+0x0/0xc
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/parisc/kernel/irq.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/parisc/kernel/irq.c b/arch/parisc/kernel/irq.c
+index b4aa5af943ba5..c4c06bcd04835 100644
+--- a/arch/parisc/kernel/irq.c
++++ b/arch/parisc/kernel/irq.c
+@@ -520,7 +520,7 @@ void do_cpu_irq_mask(struct pt_regs *regs)
+
+ old_regs = set_irq_regs(regs);
+ local_irq_disable();
+- irq_enter();
++ irq_enter_rcu();
+
+ eirr_val = mfctl(23) & cpu_eiem & per_cpu(local_ack_eiem, cpu);
+ if (!eirr_val)
+@@ -555,7 +555,7 @@ void do_cpu_irq_mask(struct pt_regs *regs)
+ #endif /* CONFIG_IRQSTACKS */
+
+ out:
+- irq_exit();
++ irq_exit_rcu();
+ set_irq_regs(old_regs);
+ return;
+
+--
+2.43.0
+
--- /dev/null
+From 71ce334380aec84d5b2186531df70337e9ef5857 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Dec 2022 10:18:16 +0800
+Subject: powerpc/boot: Handle allocation failure in simple_realloc()
+
+From: Li zeming <zeming@nfschina.com>
+
+[ Upstream commit 69b0194ccec033c208b071e019032c1919c2822d ]
+
+simple_malloc() will return NULL when there is not enough memory left.
+Check pointer 'new' before using it to copy the old data.
+
+Signed-off-by: Li zeming <zeming@nfschina.com>
+[mpe: Reword subject, use change log from Christophe]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20221219021816.3012-1-zeming@nfschina.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/boot/simple_alloc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/boot/simple_alloc.c b/arch/powerpc/boot/simple_alloc.c
+index 65ec135d01579..188c4f996512a 100644
+--- a/arch/powerpc/boot/simple_alloc.c
++++ b/arch/powerpc/boot/simple_alloc.c
+@@ -114,7 +114,9 @@ static void *simple_realloc(void *ptr, unsigned long size)
+ return ptr;
+
+ new = simple_malloc(size);
+- memcpy(new, ptr, p->size);
++ if (new)
++ memcpy(new, ptr, p->size);
++
+ simple_free(ptr);
+ return new;
+ }
+--
+2.43.0
+
--- /dev/null
+From e9098cc97d6c1b8861602a428a8728c6b019be3b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Feb 2024 22:51:49 +1100
+Subject: powerpc/boot: Only free if realloc() succeeds
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit f2d5bccaca3e8c09c9b9c8485375f7bdbb2631d2 ]
+
+simple_realloc() frees the original buffer (ptr) even if the
+reallocation failed.
+
+Fix it to behave like standard realloc() and only free the original
+buffer if the reallocation succeeded.
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20240229115149.749264-1-mpe@ellerman.id.au
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/boot/simple_alloc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/boot/simple_alloc.c b/arch/powerpc/boot/simple_alloc.c
+index 188c4f996512a..bc99f75b8582d 100644
+--- a/arch/powerpc/boot/simple_alloc.c
++++ b/arch/powerpc/boot/simple_alloc.c
+@@ -114,10 +114,11 @@ static void *simple_realloc(void *ptr, unsigned long size)
+ return ptr;
+
+ new = simple_malloc(size);
+- if (new)
++ if (new) {
+ memcpy(new, ptr, p->size);
++ simple_free(ptr);
++ }
+
+- simple_free(ptr);
+ return new;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From a0a35f789dbb7438187c07fe7d9fad18dd10ebc4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Nov 2023 11:06:51 +0800
+Subject: powerpc/xics: Check return value of kasprintf in
+ icp_native_map_one_cpu
+
+From: Kunwu Chan <chentao@kylinos.cn>
+
+[ Upstream commit 45b1ba7e5d1f6881050d558baf9bc74a2ae13930 ]
+
+kasprintf() returns a pointer to dynamically allocated memory
+which can be NULL upon failure. Ensure the allocation was successful
+by checking the pointer validity.
+
+Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20231122030651.3818-1-chentao@kylinos.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/sysdev/xics/icp-native.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/powerpc/sysdev/xics/icp-native.c b/arch/powerpc/sysdev/xics/icp-native.c
+index 7d13d2ef5a905..66de291b27d08 100644
+--- a/arch/powerpc/sysdev/xics/icp-native.c
++++ b/arch/powerpc/sysdev/xics/icp-native.c
+@@ -235,6 +235,8 @@ static int __init icp_native_map_one_cpu(int hw_id, unsigned long addr,
+ rname = kasprintf(GFP_KERNEL, "CPU %d [0x%x] Interrupt Presentation",
+ cpu, hw_id);
+
++ if (!rname)
++ return -ENOMEM;
+ if (!request_mem_region(addr, size, rname)) {
+ pr_warn("icp_native: Could not reserve ICP MMIO for CPU %d, interrupt server #0x%x\n",
+ cpu, hw_id);
+--
+2.43.0
+
--- /dev/null
+From 448b8073ccc7f612b73723048ec226be5f70fe06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Oct 2023 13:34:08 +0200
+Subject: quota: Remove BUG_ON from dqget()
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 249f374eb9b6b969c64212dd860cc1439674c4a8 ]
+
+dqget() checks whether dquot->dq_sb is set when returning it using
+BUG_ON. Firstly this doesn't work as an invalidation check for quite
+some time (we release dquot with dq_sb set these days), secondly using
+BUG_ON is quite harsh. Use WARN_ON_ONCE and check whether dquot is still
+hashed instead.
+
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/quota/dquot.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
+index a7ddb874912d4..14c0dd5b65a43 100644
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -986,9 +986,8 @@ struct dquot *dqget(struct super_block *sb, struct kqid qid)
+ * smp_mb__before_atomic() in dquot_acquire().
+ */
+ smp_rmb();
+-#ifdef CONFIG_QUOTA_DEBUG
+- BUG_ON(!dquot->dq_sb); /* Has somebody invalidated entry under us? */
+-#endif
++ /* Has somebody invalidated entry under us? */
++ WARN_ON_ONCE(hlist_unhashed(&dquot->dq_hash));
+ out:
+ if (empty)
+ do_destroy_dquot(empty);
+--
+2.43.0
+
--- /dev/null
+From 7a6f2cb5f26fd4c2c31c590d3b0148b7e92d36d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Feb 2024 13:13:26 +0100
+Subject: s390/iucv: fix receive buffer virtual vs physical address confusion
+
+From: Alexander Gordeev <agordeev@linux.ibm.com>
+
+[ Upstream commit 4e8477aeb46dfe74e829c06ea588dd00ba20c8cc ]
+
+Fix IUCV_IPBUFLST-type buffers virtual vs physical address confusion.
+This does not fix a bug since virtual and physical address spaces are
+currently the same.
+
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/iucv/iucv.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c
+index f0364649186b9..dc85973479284 100644
+--- a/net/iucv/iucv.c
++++ b/net/iucv/iucv.c
+@@ -1136,8 +1136,7 @@ static int iucv_message_receive_iprmdata(struct iucv_path *path,
+ size = (size < 8) ? size : 8;
+ for (array = buffer; size > 0; array++) {
+ copy = min_t(size_t, size, array->length);
+- memcpy((u8 *)(addr_t) array->address,
+- rmmsg, copy);
++ memcpy(phys_to_virt(array->address), rmmsg, copy);
+ rmmsg += copy;
+ size -= copy;
+ }
+--
+2.43.0
+
--- /dev/null
+From 64f8e58e588bc64a6efd214b48c1dd671e9d01be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jan 2024 10:50:56 -0800
+Subject: scsi: lpfc: Initialize status local variable in
+ lpfc_sli4_repost_sgl_list()
+
+From: Justin Tee <justin.tee@broadcom.com>
+
+[ Upstream commit 3d0f9342ae200aa1ddc4d6e7a573c6f8f068d994 ]
+
+A static code analyzer tool indicates that the local variable called status
+in the lpfc_sli4_repost_sgl_list() routine could be used to print garbage
+uninitialized values in the routine's log message.
+
+Fix by initializing to zero.
+
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Link: https://lore.kernel.org/r/20240131185112.149731-2-justintee8345@gmail.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_sli.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
+index e489c68cfb631..04b9a94f2f5e5 100644
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -6902,7 +6902,7 @@ lpfc_sli4_repost_sgl_list(struct lpfc_hba *phba,
+ struct lpfc_sglq *sglq_entry = NULL;
+ struct lpfc_sglq *sglq_entry_next = NULL;
+ struct lpfc_sglq *sglq_entry_first = NULL;
+- int status, total_cnt;
++ int status = 0, total_cnt;
+ int post_cnt = 0, num_posted = 0, block_cnt = 0;
+ int last_xritag = NO_XRI;
+ LIST_HEAD(prep_sgl_list);
+--
+2.43.0
+
--- /dev/null
+From 31e0926dc36cbc9c0c3928681e1d15c93fdc262b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Mar 2024 22:45:28 +0100
+Subject: serial: pch: Don't disable interrupts while acquiring lock in ISR.
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit f8ff23ebce8c305383c8070e1ea3b08a69eb1e8d ]
+
+The interrupt service routine is always invoked with disabled
+interrupts.
+
+Remove the _irqsave() from the locking functions in the interrupts
+service routine/ pch_uart_interrupt().
+
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Link: https://lore.kernel.org/r/20240301215246.891055-16-bigeasy@linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/pch_uart.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/tty/serial/pch_uart.c b/drivers/tty/serial/pch_uart.c
+index 317067184bfa4..048851d663ca5 100644
+--- a/drivers/tty/serial/pch_uart.c
++++ b/drivers/tty/serial/pch_uart.c
+@@ -1077,11 +1077,10 @@ static irqreturn_t pch_uart_interrupt(int irq, void *dev_id)
+ u8 lsr;
+ int ret = 0;
+ unsigned char iid;
+- unsigned long flags;
+ int next = 1;
+ u8 msr;
+
+- spin_lock_irqsave(&priv->lock, flags);
++ spin_lock(&priv->lock);
+ handled = 0;
+ while (next) {
+ iid = pch_uart_hal_get_iid(priv);
+@@ -1141,7 +1140,7 @@ static irqreturn_t pch_uart_interrupt(int irq, void *dev_id)
+ handled |= (unsigned int)ret;
+ }
+
+- spin_unlock_irqrestore(&priv->lock, flags);
++ spin_unlock(&priv->lock);
+ return IRQ_RETVAL(handled);
+ }
+
+--
+2.43.0
+
gfs2-setattr_chown-add-missing-initialization.patch
wifi-iwlwifi-abort-scan-when-rfkill-on-but-device-en.patch
ib-hfi1-fix-potential-deadlock-on-irq_src_lock-and-d.patch
+powerpc-xics-check-return-value-of-kasprintf-in-icp_.patch
+nvmet-trace-avoid-dereferencing-pointer-too-early.patch
+ext4-do-not-trim-the-group-with-corrupted-block-bitm.patch
+quota-remove-bug_on-from-dqget.patch
+media-pci-cx23885-check-cx23885_vdev_init-return.patch
+fs-binfmt_elf_efpic-don-t-use-missing-interpreter-s-.patch
+scsi-lpfc-initialize-status-local-variable-in-lpfc_s.patch
+net-sun3_82586-avoid-reading-past-buffer-in-debug-ou.patch
+drm-lima-set-gp-bus_stop-bit-before-hard-reset.patch
+virtiofs-forbid-newlines-in-tags.patch
+md-clean-up-invalid-bug_on-in-md_ioctl.patch
+x86-increase-brk-randomness-entropy-for-64-bit-syste.patch
+parisc-use-irq_enter_rcu-to-fix-warning-at-kernel-co.patch
+serial-pch-don-t-disable-interrupts-while-acquiring-.patch
+powerpc-boot-handle-allocation-failure-in-simple_rea.patch
+powerpc-boot-only-free-if-realloc-succeeds.patch
+btrfs-change-bug_on-to-assertion-when-checking-for-d.patch
+btrfs-handle-invalid-root-reference-found-in-may_des.patch
+btrfs-send-handle-unexpected-data-in-header-buffer-i.patch
+btrfs-delete-pointless-bug_on-check-on-quota-root-in.patch
+f2fs-fix-to-do-sanity-check-in-update_sit_entry.patch
+usb-gadget-fsl-increase-size-of-name-buffer-for-endp.patch
+nvme-clear-caller-pointer-on-identify-failure.patch
+bluetooth-bnep-fix-out-of-bound-access.patch
+nvmet-tcp-do-not-continue-for-invalid-icreq.patch
+nfs-avoid-infinite-loop-in-pnfs_update_layout.patch
+openrisc-call-setup_memory-earlier-in-the-init-seque.patch
+s390-iucv-fix-receive-buffer-virtual-vs-physical-add.patch
+usb-dwc3-core-skip-setting-event-buffers-for-host-on.patch
+fbdev-offb-replace-of_node_put-with-__free-device_no.patch
+irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch
+ext4-set-the-type-of-max_zeroout-to-unsigned-int-to-.patch
+nvmet-rdma-fix-possible-bad-dereference-when-freeing.patch
+hrtimer-prevent-queuing-of-hrtimer-without-a-functio.patch
--- /dev/null
+From 04189db474048168da841a0820f4dbefb63d0c61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Apr 2024 10:18:55 +0530
+Subject: usb: dwc3: core: Skip setting event buffers for host only controllers
+
+From: Krishna Kurapati <quic_kriskura@quicinc.com>
+
+[ Upstream commit 89d7f962994604a3e3d480832788d06179abefc5 ]
+
+On some SoC's like SA8295P where the tertiary controller is host-only
+capable, GEVTADDRHI/LO, GEVTSIZ, GEVTCOUNT registers are not accessible.
+Trying to access them leads to a crash.
+
+For DRD/Peripheral supported controllers, event buffer setup is done
+again in gadget_pullup. Skip setup or cleanup of event buffers if
+controller is host-only capable.
+
+Suggested-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Krishna Kurapati <quic_kriskura@quicinc.com>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Bjorn Andersson <andersson@kernel.org>
+Tested-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20240420044901.884098-4-quic_kriskura@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/core.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
+index 12e72e804278e..cbe475134b3c6 100644
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -391,6 +391,13 @@ static void dwc3_free_event_buffers(struct dwc3 *dwc)
+ static int dwc3_alloc_event_buffers(struct dwc3 *dwc, unsigned length)
+ {
+ struct dwc3_event_buffer *evt;
++ unsigned int hw_mode;
++
++ hw_mode = DWC3_GHWPARAMS0_MODE(dwc->hwparams.hwparams0);
++ if (hw_mode == DWC3_GHWPARAMS0_MODE_HOST) {
++ dwc->ev_buf = NULL;
++ return 0;
++ }
+
+ evt = dwc3_alloc_one_event_buffer(dwc, length);
+ if (IS_ERR(evt)) {
+@@ -412,6 +419,9 @@ int dwc3_event_buffers_setup(struct dwc3 *dwc)
+ {
+ struct dwc3_event_buffer *evt;
+
++ if (!dwc->ev_buf)
++ return 0;
++
+ evt = dwc->ev_buf;
+ evt->lpos = 0;
+ dwc3_writel(dwc->regs, DWC3_GEVNTADRLO(0),
+@@ -429,6 +439,9 @@ void dwc3_event_buffers_cleanup(struct dwc3 *dwc)
+ {
+ struct dwc3_event_buffer *evt;
+
++ if (!dwc->ev_buf)
++ return;
++
+ evt = dwc->ev_buf;
+
+ evt->lpos = 0;
+--
+2.43.0
+
--- /dev/null
+From 6bc5815ea9bbc8b101748ef1039623304d3a6438 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Feb 2024 18:33:16 +0100
+Subject: usb: gadget: fsl: Increase size of name buffer for endpoints
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 87850f6cc20911e35eafcbc1d56b0d649ae9162d ]
+
+This fixes a W=1 warning about sprintf writing up to 16 bytes into a
+buffer of size 14. There is no practical relevance because there are not
+more than 32 endpoints.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Link: https://lore.kernel.org/r/6754df25c56aae04f8110594fad2cd2452b1862a.1708709120.git.u.kleine-koenig@pengutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/fsl_udc_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/fsl_udc_core.c b/drivers/usb/gadget/udc/fsl_udc_core.c
+index 9a05863b28768..6a4e206b1e2df 100644
+--- a/drivers/usb/gadget/udc/fsl_udc_core.c
++++ b/drivers/usb/gadget/udc/fsl_udc_core.c
+@@ -2503,7 +2503,7 @@ static int fsl_udc_probe(struct platform_device *pdev)
+ /* setup the udc->eps[] for non-control endpoints and link
+ * to gadget.ep_list */
+ for (i = 1; i < (int)(udc_controller->max_ep / 2); i++) {
+- char name[14];
++ char name[16];
+
+ sprintf(name, "ep%dout", i);
+ struct_ep_setup(udc_controller, i * 2, name, 1);
+--
+2.43.0
+
--- /dev/null
+From ce93a1a34b21d334a546a52950bccdb4b0414262 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Feb 2024 19:11:47 -0500
+Subject: virtiofs: forbid newlines in tags
+
+From: Stefan Hajnoczi <stefanha@redhat.com>
+
+[ Upstream commit 40488cc16f7ea0d193a4e248f0d809c25cc377db ]
+
+Newlines in virtiofs tags are awkward for users and potential vectors
+for string injection attacks.
+
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fuse/virtio_fs.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/fs/fuse/virtio_fs.c b/fs/fuse/virtio_fs.c
+index fadf6fb90fe22..48f144d083813 100644
+--- a/fs/fuse/virtio_fs.c
++++ b/fs/fuse/virtio_fs.c
+@@ -237,6 +237,16 @@ static int virtio_fs_read_tag(struct virtio_device *vdev, struct virtio_fs *fs)
+ return -ENOMEM;
+ memcpy(fs->tag, tag_buf, len);
+ fs->tag[len] = '\0';
++
++ /* While the VIRTIO specification allows any character, newlines are
++ * awkward on mount(8) command-lines and cause problems in the sysfs
++ * "tag" attr and uevent TAG= properties. Forbid them.
++ */
++ if (strchr(fs->tag, '\n')) {
++ dev_dbg(&vdev->dev, "refusing virtiofs tag with newline character\n");
++ return -EINVAL;
++ }
++
+ return 0;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 887edd139a09098ecf50947f0eceb3b5465674ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Feb 2024 22:25:43 -0800
+Subject: x86: Increase brk randomness entropy for 64-bit systems
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 44c76825d6eefee9eb7ce06c38e1a6632ac7eb7d ]
+
+In commit c1d171a00294 ("x86: randomize brk"), arch_randomize_brk() was
+defined to use a 32MB range (13 bits of entropy), but was never increased
+when moving to 64-bit. The default arch_randomize_brk() uses 32MB for
+32-bit tasks, and 1GB (18 bits of entropy) for 64-bit tasks.
+
+Update x86_64 to match the entropy used by arm64 and other 64-bit
+architectures.
+
+Reported-by: y0un9n132@gmail.com
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Jiri Kosina <jkosina@suse.com>
+Closes: https://lore.kernel.org/linux-hardening/CA+2EKTVLvc8hDZc+2Yhwmus=dzOUG5E4gV7ayCbu0MPJTZzWkw@mail.gmail.com/
+Link: https://lore.kernel.org/r/20240217062545.1631668-1-keescook@chromium.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/process.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index b8de27bb6e09c..c402b079b74e8 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -793,7 +793,10 @@ unsigned long arch_align_stack(unsigned long sp)
+
+ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+- return randomize_page(mm->brk, 0x02000000);
++ if (mmap_is_ia32())
++ return randomize_page(mm->brk, SZ_32M);
++
++ return randomize_page(mm->brk, SZ_1G);
+ }
+
+ /*
+--
+2.43.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
