Fixes for 5.4
authorSasha Levin <sashal@kernel.org>
Tue, 30 Jul 2024 13:55:24 +0000 (09:55 -0400)
committerSasha Levin <sashal@kernel.org>
Tue, 30 Jul 2024 14:19:00 +0000 (10:19 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
25 files changed:
queue-5.4/apparmor-fix-null-pointer-deref-when-receiving-skb-d.patch [new file with mode: 0644]
queue-5.4/asoc-intel-convert-to-new-x86-cpu-match-macros.patch [new file with mode: 0644]
queue-5.4/asoc-intel-move-soc_intel_is_foo-helpers-to-a-generi.patch [new file with mode: 0644]
queue-5.4/asoc-intel-use-soc_intel_is_byt_cr-only-when-iosf_mb.patch [new file with mode: 0644]
queue-5.4/bpf-fix-a-segment-issue-when-downgrading-gso_size.patch [new file with mode: 0644]
queue-5.4/dma-fix-call-order-in-dmam_free_coherent.patch [new file with mode: 0644]
queue-5.4/ipv4-fix-incorrect-source-address-in-record-route-op.patch [new file with mode: 0644]
queue-5.4/jfs-fix-array-index-out-of-bounds-in-difree.patch [new file with mode: 0644]
queue-5.4/kdb-address-wformat-security-warnings.patch [new file with mode: 0644]
queue-5.4/kdb-use-the-passed-prompt-in-kdb_position_cursor.patch [new file with mode: 0644]
queue-5.4/libbpf-fix-no-args-func-prototype-btf-dumping-syntax.patch [new file with mode: 0644]
queue-5.4/mips-smp-cps-fix-address-for-gcr_access-register-for.patch [new file with mode: 0644]
queue-5.4/misdn-fix-a-use-after-free-in-hfcmulti_tx.patch [new file with mode: 0644]
queue-5.4/net-bonding-correctly-annotate-rcu-in-bond_should_no.patch [new file with mode: 0644]
queue-5.4/net-nexthop-initialize-all-fields-in-dumped-nexthops.patch [new file with mode: 0644]
queue-5.4/nvme-pci-add-missing-condition-check-for-existence-o.patch [new file with mode: 0644]
queue-5.4/powerpc-fix-a-file-leak-in-kvm_vcpu_ioctl_enable_cap.patch [new file with mode: 0644]
queue-5.4/s390-pci-allow-allocation-of-more-than-1-msi-interru.patch [new file with mode: 0644]
queue-5.4/s390-pci-do-not-mask-msi-x-entries-on-teardown.patch [new file with mode: 0644]
queue-5.4/s390-pci-fix-cpu-address-in-msi-for-directed-irq.patch [new file with mode: 0644]
queue-5.4/s390-pci-refactor-arch_setup_msi_irqs.patch [new file with mode: 0644]
queue-5.4/s390-pci-rework-msi-descriptor-walk.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/tipc-return-non-zero-value-from-tipc_udp_addr2str-on.patch [new file with mode: 0644]
queue-5.4/um-time-travel-fix-time-travel-start-option.patch [new file with mode: 0644]

diff --git a/queue-5.4/apparmor-fix-null-pointer-deref-when-receiving-skb-d.patch b/queue-5.4/apparmor-fix-null-pointer-deref-when-receiving-skb-d.patch
new file mode 100644 (file)
index 0000000..2d14849
--- /dev/null
@@ -0,0 +1,111 @@
+From fdbb6228d0f7f33df1f645afe7e655797a047520 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 2 Sep 2023 08:48:38 +0800
+Subject: apparmor: Fix null pointer deref when receiving skb during sock
+ creation
+
+From: Xiao Liang <shaw.leon@gmail.com>
+
+[ Upstream commit fce09ea314505a52f2436397608fa0a5d0934fb1 ]
+
+The panic below is observed when receiving ICMP packets with secmark set
+while an ICMP raw socket is being created. SK_CTX(sk)->label is updated
+in apparmor_socket_post_create(), but the packet is delivered to the
+socket before that, causing the null pointer dereference.
+Drop the packet if label context is not set.
+
+    BUG: kernel NULL pointer dereference, address: 000000000000004c
+    #PF: supervisor read access in kernel mode
+    #PF: error_code(0x0000) - not-present page
+    PGD 0 P4D 0
+    Oops: 0000 [#1] PREEMPT SMP NOPTI
+    CPU: 0 PID: 407 Comm: a.out Not tainted 6.4.12-arch1-1 #1 3e6fa2753a2d75925c34ecb78e22e85a65d083df
+    Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/28/2020
+    RIP: 0010:aa_label_next_confined+0xb/0x40
+    Code: 00 00 48 89 ef e8 d5 25 0c 00 e9 66 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 89 f0 <8b> 77 4c 39 c6 7e 1f 48 63 d0 48 8d 14 d7 eb 0b 83 c0 01 48 83 c2
+    RSP: 0018:ffffa92940003b08 EFLAGS: 00010246
+    RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000e
+    RDX: ffffa92940003be8 RSI: 0000000000000000 RDI: 0000000000000000
+    RBP: ffff8b57471e7800 R08: ffff8b574c642400 R09: 0000000000000002
+    R10: ffffffffbd820eeb R11: ffffffffbeb7ff00 R12: ffff8b574c642400
+    R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000
+    FS:  00007fb092ea7640(0000) GS:ffff8b577bc00000(0000) knlGS:0000000000000000
+    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+    CR2: 000000000000004c CR3: 00000001020f2005 CR4: 00000000007706f0
+    PKRU: 55555554
+    Call Trace:
+     <IRQ>
+     ? __die+0x23/0x70
+     ? page_fault_oops+0x171/0x4e0
+     ? exc_page_fault+0x7f/0x180
+     ? asm_exc_page_fault+0x26/0x30
+     ? aa_label_next_confined+0xb/0x40
+     apparmor_secmark_check+0xec/0x330
+     security_sock_rcv_skb+0x35/0x50
+     sk_filter_trim_cap+0x47/0x250
+     sock_queue_rcv_skb_reason+0x20/0x60
+     raw_rcv+0x13c/0x210
+     raw_local_deliver+0x1f3/0x250
+     ip_protocol_deliver_rcu+0x4f/0x2f0
+     ip_local_deliver_finish+0x76/0xa0
+     __netif_receive_skb_one_core+0x89/0xa0
+     netif_receive_skb+0x119/0x170
+     ? __netdev_alloc_skb+0x3d/0x140
+     vmxnet3_rq_rx_complete+0xb23/0x1010 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a]
+     vmxnet3_poll_rx_only+0x36/0xb0 [vmxnet3 56a84f9c97178c57a43a24ec073b45a9d6f01f3a]
+     __napi_poll+0x28/0x1b0
+     net_rx_action+0x2a4/0x380
+     __do_softirq+0xd1/0x2c8
+     __irq_exit_rcu+0xbb/0xf0
+     common_interrupt+0x86/0xa0
+     </IRQ>
+     <TASK>
+     asm_common_interrupt+0x26/0x40
+    RIP: 0010:apparmor_socket_post_create+0xb/0x200
+    Code: 08 48 85 ff 75 a1 eb b1 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 <55> 48 89 fd 53 45 85 c0 0f 84 b2 00 00 00 48 8b 1d 80 56 3f 02 48
+    RSP: 0018:ffffa92940ce7e50 EFLAGS: 00000286
+    RAX: ffffffffbc756440 RBX: 0000000000000000 RCX: 0000000000000001
+    RDX: 0000000000000003 RSI: 0000000000000002 RDI: ffff8b574eaab740
+    RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
+    R10: ffff8b57444cec70 R11: 0000000000000000 R12: 0000000000000003
+    R13: 0000000000000002 R14: ffff8b574eaab740 R15: ffffffffbd8e4748
+     ? __pfx_apparmor_socket_post_create+0x10/0x10
+     security_socket_post_create+0x4b/0x80
+     __sock_create+0x176/0x1f0
+     __sys_socket+0x89/0x100
+     __x64_sys_socket+0x17/0x20
+     do_syscall_64+0x5d/0x90
+     ? do_syscall_64+0x6c/0x90
+     ? do_syscall_64+0x6c/0x90
+     ? do_syscall_64+0x6c/0x90
+     entry_SYSCALL_64_after_hwframe+0x72/0xdc
+
+Fixes: ab9f2115081a ("apparmor: Allow filtering based on secmark policy")
+Signed-off-by: Xiao Liang <shaw.leon@gmail.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/apparmor/lsm.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index 21e03380dd86d..4c69259b62f11 100644
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -1035,6 +1035,13 @@ static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
+       if (!skb->secmark)
+               return 0;
++      /*
++       * If reach here before socket_post_create hook is called, in which
++       * case label is null, drop the packet.
++       */
++      if (!ctx->label)
++              return -EACCES;
++
+       return apparmor_secmark_check(ctx->label, OP_RECVMSG, AA_MAY_RECEIVE,
+                                     skb->secmark, sk);
+ }
+-- 
+2.43.0
+
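Review bot: The `-EACCES` returned by the new `if (!ctx->label)` branch in apparmor_socket_sock_rcv_skb() leaves no log or audit trace as far as this hunk shows, so packets dropped before socket_post_create has run are hard to tell apart from other receive failures. Failing closed is the right default for a marked packet that has no label to be checked against, and the comment should say so, for example `/* No label yet (socket_post_create has not run): fail closed and drop the marked packet. */`. If this path can be hit repeatedly, a rate-limited debug message or a counter would let an operator separate the creation race from a real denial.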
diff --git a/queue-5.4/asoc-intel-convert-to-new-x86-cpu-match-macros.patch b/queue-5.4/asoc-intel-convert-to-new-x86-cpu-match-macros.patch
new file mode 100644 (file)
index 0000000..fe20e14
--- /dev/null
@@ -0,0 +1,63 @@
+From 8c54cca56d36add4e3baf35b2d2c6bcbeb76083b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Mar 2020 14:14:04 +0100
+Subject: ASoC: Intel: Convert to new X86 CPU match macros
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+[ Upstream commit d51ba9c6663d7171681be357f672503f4e2ccdc1 ]
+
+The new macro set has a consistent namespace and uses C99 initializers
+instead of the grufty C89 ones.
+
+Get rid the of the local macro wrappers for consistency.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://lkml.kernel.org/r/20200320131510.594671507@linutronix.de
+Stable-dep-of: 9931f7d5d251 ("ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is reachable")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/common/soc-intel-quirks.h | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/sound/soc/intel/common/soc-intel-quirks.h b/sound/soc/intel/common/soc-intel-quirks.h
+index 645baf0ed3dd1..a88a91995ce1a 100644
+--- a/sound/soc/intel/common/soc-intel-quirks.h
++++ b/sound/soc/intel/common/soc-intel-quirks.h
+@@ -16,13 +16,11 @@
+ #include <asm/intel-family.h>
+ #include <asm/iosf_mbi.h>
+-#define ICPU(model)   { X86_VENDOR_INTEL, 6, model, X86_FEATURE_ANY, }
+-
+ #define SOC_INTEL_IS_CPU(soc, type)                           \
+ static inline bool soc_intel_is_##soc(void)                   \
+ {                                                             \
+       static const struct x86_cpu_id soc##_cpu_ids[] = {      \
+-              ICPU(type),                                     \
++              X86_MATCH_INTEL_FAM6_MODEL(type, NULL),         \
+               {}                                              \
+       };                                                      \
+       const struct x86_cpu_id *id;                            \
+@@ -33,11 +31,11 @@ static inline bool soc_intel_is_##soc(void)                        \
+       return false;                                           \
+ }
+-SOC_INTEL_IS_CPU(byt, INTEL_FAM6_ATOM_SILVERMONT);
+-SOC_INTEL_IS_CPU(cht, INTEL_FAM6_ATOM_AIRMONT);
+-SOC_INTEL_IS_CPU(apl, INTEL_FAM6_ATOM_GOLDMONT);
+-SOC_INTEL_IS_CPU(glk, INTEL_FAM6_ATOM_GOLDMONT_PLUS);
+-SOC_INTEL_IS_CPU(cml, INTEL_FAM6_KABYLAKE_L);
++SOC_INTEL_IS_CPU(byt, ATOM_SILVERMONT);
++SOC_INTEL_IS_CPU(cht, ATOM_AIRMONT);
++SOC_INTEL_IS_CPU(apl, ATOM_GOLDMONT);
++SOC_INTEL_IS_CPU(glk, ATOM_GOLDMONT_PLUS);
++SOC_INTEL_IS_CPU(cml, KABYLAKE_L);
+ static inline bool soc_intel_is_byt_cr(struct platform_device *pdev)
+ {
+-- 
+2.43.0
+
diff --git a/queue-5.4/asoc-intel-move-soc_intel_is_foo-helpers-to-a-generi.patch b/queue-5.4/asoc-intel-move-soc_intel_is_foo-helpers-to-a-generi.patch
new file mode 100644 (file)
index 0000000..5947705
--- /dev/null
@@ -0,0 +1,176 @@
+From f98aca20b2de4ead684bcbac546069851706b165 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Oct 2021 16:33:22 +0200
+Subject: ASoC: Intel: Move soc_intel_is_foo() helpers to a generic header
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit cd45c9bf8b43cd387e167cf166ae5c517f56d658 ]
+
+The soc_intel_is_foo() helpers from
+sound/soc/intel/common/soc-intel-quirks.h are useful outside of the
+sound subsystem too.
+
+Move these to include/linux/platform_data/x86/soc.h, so that
+other code can use them too.
+
+Suggested-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Acked-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20211018143324.296961-2-hdegoede@redhat.com
+Stable-dep-of: 9931f7d5d251 ("ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is reachable")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/platform_data/x86/soc.h     | 65 +++++++++++++++++++++++
+ sound/soc/intel/common/soc-intel-quirks.h | 51 ++----------------
+ 2 files changed, 68 insertions(+), 48 deletions(-)
+ create mode 100644 include/linux/platform_data/x86/soc.h
+
+diff --git a/include/linux/platform_data/x86/soc.h b/include/linux/platform_data/x86/soc.h
+new file mode 100644
+index 0000000000000..da05f425587a0
+--- /dev/null
++++ b/include/linux/platform_data/x86/soc.h
+@@ -0,0 +1,65 @@
++/* SPDX-License-Identifier: GPL-2.0-only */
++/*
++ * Helpers for Intel SoC model detection
++ *
++ * Copyright (c) 2019, Intel Corporation.
++ */
++
++#ifndef __PLATFORM_DATA_X86_SOC_H
++#define __PLATFORM_DATA_X86_SOC_H
++
++#if IS_ENABLED(CONFIG_X86)
++
++#include <asm/cpu_device_id.h>
++#include <asm/intel-family.h>
++
++#define SOC_INTEL_IS_CPU(soc, type)                           \
++static inline bool soc_intel_is_##soc(void)                   \
++{                                                             \
++      static const struct x86_cpu_id soc##_cpu_ids[] = {      \
++              X86_MATCH_INTEL_FAM6_MODEL(type, NULL),         \
++              {}                                              \
++      };                                                      \
++      const struct x86_cpu_id *id;                            \
++                                                              \
++      id = x86_match_cpu(soc##_cpu_ids);                      \
++      if (id)                                                 \
++              return true;                                    \
++      return false;                                           \
++}
++
++SOC_INTEL_IS_CPU(byt, ATOM_SILVERMONT);
++SOC_INTEL_IS_CPU(cht, ATOM_AIRMONT);
++SOC_INTEL_IS_CPU(apl, ATOM_GOLDMONT);
++SOC_INTEL_IS_CPU(glk, ATOM_GOLDMONT_PLUS);
++SOC_INTEL_IS_CPU(cml, KABYLAKE_L);
++
++#else /* IS_ENABLED(CONFIG_X86) */
++
++static inline bool soc_intel_is_byt(void)
++{
++      return false;
++}
++
++static inline bool soc_intel_is_cht(void)
++{
++      return false;
++}
++
++static inline bool soc_intel_is_apl(void)
++{
++      return false;
++}
++
++static inline bool soc_intel_is_glk(void)
++{
++      return false;
++}
++
++static inline bool soc_intel_is_cml(void)
++{
++      return false;
++}
++#endif /* IS_ENABLED(CONFIG_X86) */
++
++#endif /* __PLATFORM_DATA_X86_SOC_H */
+diff --git a/sound/soc/intel/common/soc-intel-quirks.h b/sound/soc/intel/common/soc-intel-quirks.h
+index a88a91995ce1a..a46be331c178e 100644
+--- a/sound/soc/intel/common/soc-intel-quirks.h
++++ b/sound/soc/intel/common/soc-intel-quirks.h
+@@ -9,34 +9,13 @@
+ #ifndef _SND_SOC_INTEL_QUIRKS_H
+ #define _SND_SOC_INTEL_QUIRKS_H
++#include <linux/platform_data/x86/soc.h>
++
+ #if IS_ENABLED(CONFIG_X86)
+ #include <linux/dmi.h>
+-#include <asm/cpu_device_id.h>
+-#include <asm/intel-family.h>
+ #include <asm/iosf_mbi.h>
+-#define SOC_INTEL_IS_CPU(soc, type)                           \
+-static inline bool soc_intel_is_##soc(void)                   \
+-{                                                             \
+-      static const struct x86_cpu_id soc##_cpu_ids[] = {      \
+-              X86_MATCH_INTEL_FAM6_MODEL(type, NULL),         \
+-              {}                                              \
+-      };                                                      \
+-      const struct x86_cpu_id *id;                            \
+-                                                              \
+-      id = x86_match_cpu(soc##_cpu_ids);                      \
+-      if (id)                                                 \
+-              return true;                                    \
+-      return false;                                           \
+-}
+-
+-SOC_INTEL_IS_CPU(byt, ATOM_SILVERMONT);
+-SOC_INTEL_IS_CPU(cht, ATOM_AIRMONT);
+-SOC_INTEL_IS_CPU(apl, ATOM_GOLDMONT);
+-SOC_INTEL_IS_CPU(glk, ATOM_GOLDMONT_PLUS);
+-SOC_INTEL_IS_CPU(cml, KABYLAKE_L);
+-
+ static inline bool soc_intel_is_byt_cr(struct platform_device *pdev)
+ {
+       /*
+@@ -114,30 +93,6 @@ static inline bool soc_intel_is_byt_cr(struct platform_device *pdev)
+       return false;
+ }
+-static inline bool soc_intel_is_byt(void)
+-{
+-      return false;
+-}
+-
+-static inline bool soc_intel_is_cht(void)
+-{
+-      return false;
+-}
+-
+-static inline bool soc_intel_is_apl(void)
+-{
+-      return false;
+-}
+-
+-static inline bool soc_intel_is_glk(void)
+-{
+-      return false;
+-}
+-
+-static inline bool soc_intel_is_cml(void)
+-{
+-      return false;
+-}
+ #endif
+- #endif /* _SND_SOC_INTEL_QUIRKS_H */
++#endif /* _SND_SOC_INTEL_QUIRKS_H */
+-- 
+2.43.0
+
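Review bot: The `#else` branch of the new include/linux/platform_data/x86/soc.h declares `static inline bool` stubs, yet the header includes nothing outside the `#if IS_ENABLED(CONFIG_X86)` block. On non-x86 builds it therefore compiles only when the includer has already pulled in a definition of `bool`. Adding `#include <linux/types.h>` directly after the include guard would make the header self-contained for the users outside sound/ that this move is meant to enable. The stubs themselves match the ones removed from soc-intel-quirks.h.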
diff --git a/queue-5.4/asoc-intel-use-soc_intel_is_byt_cr-only-when-iosf_mb.patch b/queue-5.4/asoc-intel-use-soc_intel_is_byt_cr-only-when-iosf_mb.patch
new file mode 100644 (file)
index 0000000..61ca24f
--- /dev/null
@@ -0,0 +1,54 @@
+From deddb15405bb06112b2fd7d8218706a12c796085 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 10:30:02 +0200
+Subject: ASoC: Intel: use soc_intel_is_byt_cr() only when IOSF_MBI is
+ reachable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+
+[ Upstream commit 9931f7d5d251882a147cc5811060097df43e79f5 ]
+
+the Intel kbuild bot reports a link failure when IOSF_MBI is built-in
+but the Merrifield driver is configured as a module. The
+soc-intel-quirks.h is included for Merrifield platforms, but IOSF_MBI
+is not selected for that platform.
+
+ld.lld: error: undefined symbol: iosf_mbi_read
+>>> referenced by atom.c
+>>>               sound/soc/sof/intel/atom.o:(atom_machine_select) in archive vmlinux.a
+
+This patch forces the use of the fallback static inline when IOSF_MBI is not reachable.
+
+Fixes: 536cfd2f375d ("ASoC: Intel: use common helpers to detect CPUs")
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202407160704.zpdhJ8da-lkp@intel.com/
+Suggested-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Link: https://patch.msgid.link/20240722083002.10800-1-pierre-louis.bossart@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/common/soc-intel-quirks.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/intel/common/soc-intel-quirks.h b/sound/soc/intel/common/soc-intel-quirks.h
+index a46be331c178e..a7960b41a6a34 100644
+--- a/sound/soc/intel/common/soc-intel-quirks.h
++++ b/sound/soc/intel/common/soc-intel-quirks.h
+@@ -11,7 +11,7 @@
+ #include <linux/platform_data/x86/soc.h>
+-#if IS_ENABLED(CONFIG_X86)
++#if IS_REACHABLE(CONFIG_IOSF_MBI)
+ #include <linux/dmi.h>
+ #include <asm/iosf_mbi.h>
+-- 
+2.43.0
+
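Review bot: With the guard changed to `#if IS_REACHABLE(CONFIG_IOSF_MBI)`, an x86 build where IOSF_MBI is not reachable now gets the fallback soc_intel_is_byt_cr(), so Baytrail-CR detection is silently off in that configuration rather than breaking the link. A comment at the guard would keep that from surprising the next reader, e.g. `/* the real soc_intel_is_byt_cr() needs iosf_mbi_read(); use the stub when IOSF_MBI is not linkable from this object */`. The `<linux/dmi.h>` include is gated by the same condition, and the rest of the guarded block is outside the hunk, so whether anything else in it needs only CONFIG_X86 cannot be checked from here.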
diff --git a/queue-5.4/bpf-fix-a-segment-issue-when-downgrading-gso_size.patch b/queue-5.4/bpf-fix-a-segment-issue-when-downgrading-gso_size.patch
new file mode 100644 (file)
index 0000000..99f5fc9
--- /dev/null
@@ -0,0 +1,57 @@
+From e734eba261f13b17ce99bf99e458504667856567 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Jul 2024 10:46:53 +0800
+Subject: bpf: Fix a segment issue when downgrading gso_size
+
+From: Fred Li <dracodingfly@gmail.com>
+
+[ Upstream commit fa5ef655615a01533035c6139248c5b33aa27028 ]
+
+Linearize the skb when downgrading gso_size because it may trigger a
+BUG_ON() later when the skb is segmented as described in [1,2].
+
+Fixes: 2be7e212d5419 ("bpf: add bpf_skb_adjust_room helper")
+Signed-off-by: Fred Li <dracodingfly@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Acked-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/all/20240626065555.35460-2-dracodingfly@gmail.com [1]
+Link: https://lore.kernel.org/all/668d5cf1ec330_1c18c32947@willemb.c.googlers.com.notmuch [2]
+Link: https://lore.kernel.org/bpf/20240719024653.77006-1-dracodingfly@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/filter.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/net/core/filter.c b/net/core/filter.c
+index 3c4dcdc7217e0..f82c27668623c 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -3126,13 +3126,20 @@ static int bpf_skb_net_grow(struct sk_buff *skb, u32 off, u32 len_diff,
+       if (skb_is_gso(skb)) {
+               struct skb_shared_info *shinfo = skb_shinfo(skb);
+-              /* Due to header grow, MSS needs to be downgraded. */
+-              if (!(flags & BPF_F_ADJ_ROOM_FIXED_GSO))
+-                      skb_decrease_gso_size(shinfo, len_diff);
+-
+               /* Header must be checked, and gso_segs recomputed. */
+               shinfo->gso_type |= gso_type;
+               shinfo->gso_segs = 0;
++
++              /* Due to header growth, MSS needs to be downgraded.
++               * There is a BUG_ON() when segmenting the frag_list with
++               * head_frag true, so linearize the skb after downgrading
++               * the MSS.
++               */
++              if (!(flags & BPF_F_ADJ_ROOM_FIXED_GSO)) {
++                      skb_decrease_gso_size(shinfo, len_diff);
++                      if (shinfo->frag_list)
++                              return skb_linearize(skb);
++              }
+       }
+       return 0;
+-- 
+2.43.0
+
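Review bot: The new `return skb_linearize(skb);` in bpf_skb_net_grow() can fail after `gso_type`, `gso_segs` and the gso size have already been changed, so a non-zero return would hand back an skb with updated GSO metadata that still carries the frag_list the comment warns about. The caller is outside the hunk; it should be confirmed that it discards the skb on error rather than letting it reach segmentation. Linearizing also copies the whole frag_list into one buffer on a path a BPF program can drive, so a short comment on the cost would help, e.g. `/* may allocate; failure is returned to the caller */`.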
diff --git a/queue-5.4/dma-fix-call-order-in-dmam_free_coherent.patch b/queue-5.4/dma-fix-call-order-in-dmam_free_coherent.patch
new file mode 100644 (file)
index 0000000..10b73ea
--- /dev/null
@@ -0,0 +1,52 @@
+From 047e57a4b62b51751532f677901854f4f53d31b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Jul 2024 14:38:24 +0000
+Subject: dma: fix call order in dmam_free_coherent
+
+From: Lance Richardson <rlance@google.com>
+
+[ Upstream commit 28e8b7406d3a1f5329a03aa25a43aa28e087cb20 ]
+
+dmam_free_coherent() frees a DMA allocation, which makes the
+freed vaddr available for reuse, then calls devres_destroy()
+to remove and free the data structure used to track the DMA
+allocation. Between the two calls, it is possible for a
+concurrent task to make an allocation with the same vaddr
+and add it to the devres list.
+
+If this happens, there will be two entries in the devres list
+with the same vaddr and devres_destroy() can free the wrong
+entry, triggering the WARN_ON() in dmam_match.
+
+Fix by destroying the devres entry before freeing the DMA
+allocation.
+
+Tested:
+  kokonut //net/encryption
+    http://sponge2/b9145fe6-0f72-4325-ac2f-a84d81075b03
+
+Fixes: 9ac7849e35f7 ("devres: device resource management")
+Signed-off-by: Lance Richardson <rlance@google.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/dma/mapping.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/dma/mapping.c b/kernel/dma/mapping.c
+index 8682a5305cb36..942e489bc1fcb 100644
+--- a/kernel/dma/mapping.c
++++ b/kernel/dma/mapping.c
+@@ -59,8 +59,8 @@ void dmam_free_coherent(struct device *dev, size_t size, void *vaddr,
+ {
+       struct dma_devres match_data = { size, vaddr, dma_handle };
+-      dma_free_coherent(dev, size, vaddr, dma_handle);
+       WARN_ON(devres_destroy(dev, dmam_release, dmam_match, &match_data));
++      dma_free_coherent(dev, size, vaddr, dma_handle);
+ }
+ EXPORT_SYMBOL(dmam_free_coherent);
+-- 
+2.43.0
+
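Review bot: The reordered calls in dmam_free_coherent() depend on an ordering rule that nothing in the function records, so a later cleanup could swap them back and reintroduce the race described in the commit message. A comment above the `WARN_ON(devres_destroy(...))` line would pin it: `/* Drop the devres entry first: once the memory is freed, vaddr can be reallocated and re-added to the devres list concurrently. */`. When devres_destroy() fails the WARN_ON fires, but dma_free_coherent() still runs on the caller-supplied vaddr. That matches the old behaviour, though it is worth stating whether it is intended.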
diff --git a/queue-5.4/ipv4-fix-incorrect-source-address-in-record-route-op.patch b/queue-5.4/ipv4-fix-incorrect-source-address-in-record-route-op.patch
new file mode 100644 (file)
index 0000000..84b1a35
--- /dev/null
@@ -0,0 +1,49 @@
+From 5fc748ea1060a3e1e3bef541f1cf8aa882aaee2c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Jul 2024 15:34:07 +0300
+Subject: ipv4: Fix incorrect source address in Record Route option
+
+From: Ido Schimmel <idosch@nvidia.com>
+
+[ Upstream commit cc73bbab4b1fb8a4f53a24645871dafa5f81266a ]
+
+The Record Route IP option records the addresses of the routers that
+routed the packet. In the case of forwarded packets, the kernel performs
+a route lookup via fib_lookup() and fills in the preferred source
+address of the matched route.
+
+The lookup is performed with the DS field of the forwarded packet, but
+using the RT_TOS() macro which only masks one of the two ECN bits. If
+the packet is ECT(0) or CE, the matched route might be different than
+the route via which the packet was forwarded as the input path masks
+both of the ECN bits, resulting in the wrong address being filled in the
+Record Route option.
+
+Fix by masking both of the ECN bits.
+
+Fixes: 8e36360ae876 ("ipv4: Remove route key identity dependencies in ip_rt_get_source().")
+Signed-off-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Guillaume Nault <gnault@redhat.com>
+Link: https://patch.msgid.link/20240718123407.434778-1-idosch@nvidia.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/route.c b/net/ipv4/route.c
+index 2672b71e662d3..f3e77b1e1d4b9 100644
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -1283,7 +1283,7 @@ void ip_rt_get_source(u8 *addr, struct sk_buff *skb, struct rtable *rt)
+               struct flowi4 fl4 = {
+                       .daddr = iph->daddr,
+                       .saddr = iph->saddr,
+-                      .flowi4_tos = RT_TOS(iph->tos),
++                      .flowi4_tos = iph->tos & IPTOS_RT_MASK,
+                       .flowi4_oif = rt->dst.dev->ifindex,
+                       .flowi4_iif = skb->dev->ifindex,
+                       .flowi4_mark = skb->mark,
+-- 
+2.43.0
+
diff --git a/queue-5.4/jfs-fix-array-index-out-of-bounds-in-difree.patch b/queue-5.4/jfs-fix-array-index-out-of-bounds-in-difree.patch
new file mode 100644 (file)
index 0000000..2469ddc
--- /dev/null
@@ -0,0 +1,46 @@
+From fa7e2daf17c876af7bb487f29f097cc0dd83f860 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 May 2024 22:28:09 +0900
+Subject: jfs: Fix array-index-out-of-bounds in diFree
+
+From: Jeongjun Park <aha310510@gmail.com>
+
+[ Upstream commit f73f969b2eb39ad8056f6c7f3a295fa2f85e313a ]
+
+Reported-by: syzbot+241c815bda521982cb49@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jeongjun Park <aha310510@gmail.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_imap.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
+index b0965f3ef1865..36ed756820648 100644
+--- a/fs/jfs/jfs_imap.c
++++ b/fs/jfs/jfs_imap.c
+@@ -292,7 +292,7 @@ int diSync(struct inode *ipimap)
+ int diRead(struct inode *ip)
+ {
+       struct jfs_sb_info *sbi = JFS_SBI(ip->i_sb);
+-      int iagno, ino, extno, rc;
++      int iagno, ino, extno, rc, agno;
+       struct inode *ipimap;
+       struct dinode *dp;
+       struct iag *iagp;
+@@ -341,8 +341,11 @@ int diRead(struct inode *ip)
+       /* get the ag for the iag */
+       agstart = le64_to_cpu(iagp->agstart);
++      agno = BLKTOAG(agstart, JFS_SBI(ip->i_sb));
+       release_metapage(mp);
++      if (agno >= MAXAG || agno < 0)
++              return -EIO;
+       rel_inode = (ino & (INOSPERPAGE - 1));
+       pageno = blkno >> sbi->l2nbperpage;
+-- 
+2.43.0
+
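Review bot: The new check in diRead() rejects an out-of-range `agno` computed from the on-disk `iagp->agstart` with a bare `return -EIO`, so a corrupted or crafted image is refused without any message pointing at the inode map. If the file reports other on-disk inconsistencies through jfs_error(), the same call belongs here. The line `agno = BLKTOAG(agstart, JFS_SBI(ip->i_sb));` can use the `sbi` local declared at the top of the function: `agno = BLKTOAG(agstart, sbi);`. The patch has no description and its subject names diFree while both inner hunks are in diRead, so the link between this validation and the out-of-bounds access is not recorded in the change. diRead's body extends beyond the hunk.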
diff --git a/queue-5.4/kdb-address-wformat-security-warnings.patch b/queue-5.4/kdb-address-wformat-security-warnings.patch
new file mode 100644 (file)
index 0000000..f79a61a
--- /dev/null
@@ -0,0 +1,58 @@
+From 68495d3c3d4d08952c815627cbe5bcb098be0462 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 May 2024 14:11:48 +0200
+Subject: kdb: address -Wformat-security warnings
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 70867efacf4370b6c7cdfc7a5b11300e9ef7de64 ]
+
+When -Wformat-security is not disabled, using a string pointer
+as a format causes a warning:
+
+kernel/debug/kdb/kdb_io.c: In function 'kdb_read':
+kernel/debug/kdb/kdb_io.c:365:36: error: format not a string literal and no format arguments [-Werror=format-security]
+  365 |                         kdb_printf(kdb_prompt_str);
+      |                                    ^~~~~~~~~~~~~~
+kernel/debug/kdb/kdb_io.c: In function 'kdb_getstr':
+kernel/debug/kdb/kdb_io.c:456:20: error: format not a string literal and no format arguments [-Werror=format-security]
+  456 |         kdb_printf(kdb_prompt_str);
+      |                    ^~~~~~~~~~~~~~
+
+Use an explcit "%s" format instead.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Fixes: 5d5314d6795f ("kdb: core for kgdb back end (1 of 2)")
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Link: https://lore.kernel.org/r/20240528121154.3662553-1-arnd@kernel.org
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/debug/kdb/kdb_io.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c
+index 5358e8a8b6f11..9ce4e52532b77 100644
+--- a/kernel/debug/kdb/kdb_io.c
++++ b/kernel/debug/kdb/kdb_io.c
+@@ -368,7 +368,7 @@ static char *kdb_read(char *buffer, size_t bufsize)
+                       if (i >= dtab_count)
+                               kdb_printf("...");
+                       kdb_printf("\n");
+-                      kdb_printf(kdb_prompt_str);
++                      kdb_printf("%s",  kdb_prompt_str);
+                       kdb_printf("%s", buffer);
+                       if (cp != lastchar)
+                               kdb_position_cursor(kdb_prompt_str, buffer, cp);
+@@ -460,7 +460,7 @@ char *kdb_getstr(char *buffer, size_t bufsize, const char *prompt)
+ {
+       if (prompt && kdb_prompt_str != prompt)
+               strscpy(kdb_prompt_str, prompt, CMD_BUFLEN);
+-      kdb_printf(kdb_prompt_str);
++      kdb_printf("%s", kdb_prompt_str);
+       kdb_nextline = 1;       /* Prompt and input resets line number */
+       return kdb_read(buffer, bufsize);
+ }
+-- 
+2.43.0
+
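Review bot: The first replacement in kdb_read(), `kdb_printf("%s",  kdb_prompt_str);`, has two spaces after the comma, unlike the identical call added in kdb_getstr(); it should read `kdb_printf("%s", kdb_prompt_str);`. Because kdb_getstr() copies a caller-supplied `prompt` into `kdb_prompt_str` on the line just above, the explicit format is more than a warning fix: it keeps any `%` in the prompt from being interpreted as a conversion. kdb_read() continues outside the hunk.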
diff --git a/queue-5.4/kdb-use-the-passed-prompt-in-kdb_position_cursor.patch b/queue-5.4/kdb-use-the-passed-prompt-in-kdb_position_cursor.patch
new file mode 100644 (file)
index 0000000..14e99e3
--- /dev/null
@@ -0,0 +1,42 @@
+From fe3961a8cc7afb8d6c538a909f2ae5f898b815f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 May 2024 07:11:48 -0700
+Subject: kdb: Use the passed prompt in kdb_position_cursor()
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit e2e821095949cde46256034975a90f88626a2a73 ]
+
+The function kdb_position_cursor() takes in a "prompt" parameter but
+never uses it. This doesn't _really_ matter since all current callers
+of the function pass the same value and it's a global variable, but
+it's a bit ugly. Let's clean it up.
+
+Found by code inspection. This patch is expected to functionally be a
+no-op.
+
+Fixes: 09b35989421d ("kdb: Use format-strings rather than '\0' injection in kdb_read()")
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Link: https://lore.kernel.org/r/20240528071144.1.I0feb49839c6b6f4f2c4bf34764f5e95de3f55a66@changeid
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/debug/kdb/kdb_io.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c
+index 9ce4e52532b77..bfce77a0daac8 100644
+--- a/kernel/debug/kdb/kdb_io.c
++++ b/kernel/debug/kdb/kdb_io.c
+@@ -192,7 +192,7 @@ static int kdb_read_get_key(char *buffer, size_t bufsize)
+  */
+ static void kdb_position_cursor(char *prompt, char *buffer, char *cp)
+ {
+-      kdb_printf("\r%s", kdb_prompt_str);
++      kdb_printf("\r%s", prompt);
+       if (cp > buffer)
+               kdb_printf("%.*s", (int)(cp - buffer), buffer);
+ }
+-- 
+2.43.0
+
diff --git a/queue-5.4/libbpf-fix-no-args-func-prototype-btf-dumping-syntax.patch b/queue-5.4/libbpf-fix-no-args-func-prototype-btf-dumping-syntax.patch
new file mode 100644 (file)
index 0000000..7435b36
--- /dev/null
@@ -0,0 +1,96 @@
+From 37e55d54112c1b9dde67859ba9e4f080de1ab905 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 12 Jul 2024 15:44:42 -0700
+Subject: libbpf: Fix no-args func prototype BTF dumping syntax
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+[ Upstream commit 189f1a976e426011e6a5588f1d3ceedf71fe2965 ]
+
+For all these years libbpf's BTF dumper has been emitting not strictly
+valid syntax for function prototypes that have no input arguments.
+
+Instead of `int (*blah)()` we should emit `int (*blah)(void)`.
+
+This is not normally a problem, but it manifests when we get kfuncs in
+vmlinux.h that have no input arguments. Due to compiler internal
+specifics, we get no BTF information for such kfuncs, if they are not
+declared with proper `(void)`.
+
+The fix is trivial. We also need to adjust a few ancient tests that
+happily assumed `()` is correct.
+
+Fixes: 351131b51c7a ("libbpf: add btf_dump API for BTF-to-C conversion")
+Reported-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Stanislav Fomichev <sdf@fomichev.me>
+Link: https://lore.kernel.org/bpf/20240712224442.282823-1-andrii@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/bpf/btf_dump.c                                  | 8 +++++---
+ .../selftests/bpf/progs/btf_dump_test_case_multidim.c     | 4 ++--
+ .../selftests/bpf/progs/btf_dump_test_case_syntax.c       | 4 ++--
+ 3 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/tools/lib/bpf/btf_dump.c b/tools/lib/bpf/btf_dump.c
+index a1176a9e8430a..1391f6c292054 100644
+--- a/tools/lib/bpf/btf_dump.c
++++ b/tools/lib/bpf/btf_dump.c
+@@ -1302,10 +1302,12 @@ static void btf_dump_emit_type_chain(struct btf_dump *d,
+                        * Clang for BPF target generates func_proto with no
+                        * args as a func_proto with a single void arg (e.g.,
+                        * `int (*f)(void)` vs just `int (*f)()`). We are
+-                       * going to pretend there are no args for such case.
++                       * going to emit valid empty args (void) syntax for
++                       * such case. Similarly and conveniently, valid
++                       * no args case can be special-cased here as well.
+                        */
+-                      if (vlen == 1 && p->type == 0) {
+-                              btf_dump_printf(d, ")");
++                      if (vlen == 0 || (vlen == 1 && p->type == 0)) {
++                              btf_dump_printf(d, "void)");
+                               return;
+                       }
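Review bot: The new condition is only safe because `vlen == 0` is tested before `p->type` is read, and the comment does not say so. With no parameters `p` presumably does not point at a valid param record, though its initialisation is outside this hunk. The comment could gain a line such as `vlen == 0 must be tested first: p is not a valid param in that case.` The enclosing btf_dump_emit_type_chain() starts and ends outside the hunk.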
+diff --git a/tools/testing/selftests/bpf/progs/btf_dump_test_case_multidim.c b/tools/testing/selftests/bpf/progs/btf_dump_test_case_multidim.c
+index ba97165bdb282..a657651eba523 100644
+--- a/tools/testing/selftests/bpf/progs/btf_dump_test_case_multidim.c
++++ b/tools/testing/selftests/bpf/progs/btf_dump_test_case_multidim.c
+@@ -14,9 +14,9 @@ typedef int *ptr_arr_t[6];
+ typedef int *ptr_multiarr_t[7][8][9][10];
+-typedef int * (*fn_ptr_arr_t[11])();
++typedef int * (*fn_ptr_arr_t[11])(void);
+-typedef int * (*fn_ptr_multiarr_t[12][13])();
++typedef int * (*fn_ptr_multiarr_t[12][13])(void);
+ struct root_struct {
+       arr_t _1;
+diff --git a/tools/testing/selftests/bpf/progs/btf_dump_test_case_syntax.c b/tools/testing/selftests/bpf/progs/btf_dump_test_case_syntax.c
+index 0620580a5c16c..1fcca43ab342d 100644
+--- a/tools/testing/selftests/bpf/progs/btf_dump_test_case_syntax.c
++++ b/tools/testing/selftests/bpf/progs/btf_dump_test_case_syntax.c
+@@ -67,7 +67,7 @@ typedef void (*printf_fn_t)(const char *, ...);
+  *   `int -> char *` function and returns pointer to a char. Equivalent:
+  *   typedef char * (*fn_input_t)(int);
+  *   typedef char * (*fn_output_outer_t)(fn_input_t);
+- *   typedef const fn_output_outer_t (* fn_output_inner_t)();
++ *   typedef const fn_output_outer_t (* fn_output_inner_t)(void);
+  *   typedef const fn_output_inner_t fn_ptr_arr2_t[5];
+  */
+ /* ----- START-EXPECTED-OUTPUT ----- */
+@@ -94,7 +94,7 @@ typedef void (* (*signal_t)(int, void (*)(int)))(int);
+ typedef char * (*fn_ptr_arr1_t[10])(int **);
+-typedef char * (* (* const fn_ptr_arr2_t[5])())(char * (*)(int));
++typedef char * (* (* const fn_ptr_arr2_t[5])(void))(char * (*)(int));
+ struct struct_w_typedefs {
+       int_t a;
+-- 
+2.43.0
+
diff --git a/queue-5.4/mips-smp-cps-fix-address-for-gcr_access-register-for.patch b/queue-5.4/mips-smp-cps-fix-address-for-gcr_access-register-for.patch
new file mode 100644 (file)
index 0000000..e89491f
--- /dev/null
@@ -0,0 +1,66 @@
+From 1c51fd73490149923bcf08d8c6a54076d0548a7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jul 2024 15:15:39 +0200
+Subject: MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later
+
+From: Gregory CLEMENT <gregory.clement@bootlin.com>
+
+[ Upstream commit a263e5f309f32301e1f3ad113293f4e68a82a646 ]
+
+When the CM block migrated from CM2.5 to CM3.0, the address offset for
+the Global CSR Access Privilege register was modified. We saw this in
+the "MIPS64 I6500 Multiprocessing System Programmer's Guide," it is
+stated that "the Global CSR Access Privilege register is located at
+offset 0x0120" in section 5.4. It is at least the same for I6400.
+
+This fix allows to use the VP cores in SMP mode if the reset values
+were modified by the bootloader.
+
+Based on the work of Vladimir Kondratiev
+<vladimir.kondratiev@mobileye.com> and the feedback from Jiaxun Yang
+<jiaxun.yang@flygoat.com>.
+
+Fixes: 197e89e0984a ("MIPS: mips-cm: Implement mips_cm_revision")
+Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
+Reviewed-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/include/asm/mips-cm.h | 4 ++++
+ arch/mips/kernel/smp-cps.c      | 5 ++++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/arch/mips/include/asm/mips-cm.h b/arch/mips/include/asm/mips-cm.h
+index 23c67c0871b17..696b40beb774f 100644
+--- a/arch/mips/include/asm/mips-cm.h
++++ b/arch/mips/include/asm/mips-cm.h
+@@ -228,6 +228,10 @@ GCR_ACCESSOR_RO(32, 0x0d0, gic_status)
+ GCR_ACCESSOR_RO(32, 0x0f0, cpc_status)
+ #define CM_GCR_CPC_STATUS_EX                  BIT(0)
++/* GCR_ACCESS - Controls core/IOCU access to GCRs */
++GCR_ACCESSOR_RW(32, 0x120, access_cm3)
++#define CM_GCR_ACCESS_ACCESSEN                        GENMASK(7, 0)
++
+ /* GCR_L2_CONFIG - Indicates L2 cache configuration when Config5.L2C=1 */
+ GCR_ACCESSOR_RW(32, 0x130, l2_config)
+ #define CM_GCR_L2_CONFIG_BYPASS                       BIT(20)
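Review bot: The comment on the new accessor is the generic GCR_ACCESS description and does not say why a second accessor exists. Going by the commit message it should name the revision and offset, e.g. `/* GCR_ACCESS (CM3 and later, offset 0x120) - Controls core/IOCU access to GCRs */`. If the header already defines `CM_GCR_ACCESS_ACCESSEN` next to the pre-CM3 accessor (not visible in this hunk), the added `#define` is a duplicate that has to stay textually identical to avoid a redefinition warning, and reusing the existing one would be safer.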
+diff --git a/arch/mips/kernel/smp-cps.c b/arch/mips/kernel/smp-cps.c
+index f659adb681bc3..02ae0b29e6888 100644
+--- a/arch/mips/kernel/smp-cps.c
++++ b/arch/mips/kernel/smp-cps.c
+@@ -229,7 +229,10 @@ static void boot_core(unsigned int core, unsigned int vpe_id)
+       write_gcr_co_reset_ext_base(CM_GCR_Cx_RESET_EXT_BASE_UEB);
+       /* Ensure the core can access the GCRs */
+-      set_gcr_access(1 << core);
++      if (mips_cm_revision() < CM_REV_CM3)
++              set_gcr_access(1 << core);
++      else
++              set_gcr_access_cm3(1 << core);
+       if (mips_cpc_present()) {
+               /* Reset the core */
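Review bot: Both branches pass `1 << core`, a signed shift with no check of `core` against the 8-bit `CM_GCR_ACCESS_ACCESSEN` field that the header hunk defines. Because this register controls which requesters may access the GCRs, it would be clearer to build the value as `BIT(core)` and to confirm that `core` cannot exceed the field width on CM3 and later. That bound is not visible here. boot_core() starts and ends outside the hunk.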
+-- 
+2.43.0
+
diff --git a/queue-5.4/misdn-fix-a-use-after-free-in-hfcmulti_tx.patch b/queue-5.4/misdn-fix-a-use-after-free-in-hfcmulti_tx.patch
new file mode 100644 (file)
index 0000000..eb228ef
--- /dev/null
@@ -0,0 +1,55 @@
+From d821b2eb81c1e849278f5b1cd0ec54c4ab676938 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jul 2024 11:08:18 -0500
+Subject: mISDN: Fix a use after free in hfcmulti_tx()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 61ab751451f5ebd0b98e02276a44e23a10110402 ]
+
+Don't dereference *sp after calling dev_kfree_skb(*sp).
+
+Fixes: af69fb3a8ffa ("Add mISDN HFC multiport driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/8be65f5a-c2dd-4ba0-8a10-bfe5980b8cfb@stanley.mountain
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/isdn/hardware/mISDN/hfcmulti.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/isdn/hardware/mISDN/hfcmulti.c b/drivers/isdn/hardware/mISDN/hfcmulti.c
+index 2c74064652334..6e09975613300 100644
+--- a/drivers/isdn/hardware/mISDN/hfcmulti.c
++++ b/drivers/isdn/hardware/mISDN/hfcmulti.c
+@@ -1931,7 +1931,7 @@ hfcmulti_dtmf(struct hfc_multi *hc)
+ static void
+ hfcmulti_tx(struct hfc_multi *hc, int ch)
+ {
+-      int i, ii, temp, len = 0;
++      int i, ii, temp, tmp_len, len = 0;
+       int Zspace, z1, z2; /* must be int for calculation */
+       int Fspace, f1, f2;
+       u_char *d;
+@@ -2152,14 +2152,15 @@ hfcmulti_tx(struct hfc_multi *hc, int ch)
+               HFC_wait_nodebug(hc);
+       }
++      tmp_len = (*sp)->len;
+       dev_kfree_skb(*sp);
+       /* check for next frame */
+       if (bch && get_next_bframe(bch)) {
+-              len = (*sp)->len;
++              len = tmp_len;
+               goto next_frame;
+       }
+       if (dch && get_next_dframe(dch)) {
+-              len = (*sp)->len;
++              len = tmp_len;
+               goto next_frame;
+       }
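Review bot: `tmp_len` is the length of the skb that was just freed, whereas the removed lines read `(*sp)->len` only after `get_next_bframe()` or `get_next_dframe()` had returned non-zero. If those helpers install the next queued skb in `*sp` (the assignment of `sp` and both helpers are outside this hunk), `next_frame` now runs with the old frame's length against the new frame's data and could over- or under-run it. It is worth confirming which skb `*sp` refers to at that point. If it is the new one, `len = (*sp)->len;` after the successful get_next call is not a use after free, and the length should come from there. hfcmulti_tx() starts and ends outside the hunk.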
+-- 
+2.43.0
+
diff --git a/queue-5.4/net-bonding-correctly-annotate-rcu-in-bond_should_no.patch b/queue-5.4/net-bonding-correctly-annotate-rcu-in-bond_should_no.patch
new file mode 100644 (file)
index 0000000..a8c14eb
--- /dev/null
@@ -0,0 +1,53 @@
+From 5f85dd82f5db72211992a3ef42aaac1a9f601a56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 Jul 2024 09:41:18 -0700
+Subject: net: bonding: correctly annotate RCU in bond_should_notify_peers()
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 3ba359c0cd6eb5ea772125a7aededb4a2d516684 ]
+
+RCU use in bond_should_notify_peers() looks wrong, since it does
+rcu_dereference(), leaves the critical section, and uses the
+pointer after that.
+
+Luckily, it's called either inside a nested RCU critical section
+or with the RTNL held.
+
+Annotate it with rcu_dereference_rtnl() instead, and remove the
+inner RCU critical section.
+
+Fixes: 4cb4f97b7e36 ("bonding: rebuild the lock use for bond_mii_monitor()")
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Acked-by: Jay Vosburgh <jv@jvosburgh.net>
+Link: https://patch.msgid.link/20240719094119.35c62455087d.I68eb9c0f02545b364b79a59f2110f2cf5682a8e2@changeid
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index bb1c6743222e5..89797b2575733 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -784,13 +784,10 @@ static struct slave *bond_find_best_slave(struct bonding *bond)
+       return bestslave;
+ }
++/* must be called in RCU critical section or with RTNL held */
+ static bool bond_should_notify_peers(struct bonding *bond)
+ {
+-      struct slave *slave;
+-
+-      rcu_read_lock();
+-      slave = rcu_dereference(bond->curr_active_slave);
+-      rcu_read_unlock();
++      struct slave *slave = rcu_dereference_rtnl(bond->curr_active_slave);
+       if (!slave || !bond->send_peer_notif ||
+           bond->send_peer_notif %
+-- 
+2.43.0
+
diff --git a/queue-5.4/net-nexthop-initialize-all-fields-in-dumped-nexthops.patch b/queue-5.4/net-nexthop-initialize-all-fields-in-dumped-nexthops.patch
new file mode 100644 (file)
index 0000000..cd6374d
--- /dev/null
@@ -0,0 +1,55 @@
+From 7fe21c8111bb7e29a86a08fb059677be1ccd07bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 23 Jul 2024 18:04:16 +0200
+Subject: net: nexthop: Initialize all fields in dumped nexthops
+
+From: Petr Machata <petrm@nvidia.com>
+
+[ Upstream commit 6d745cd0e9720282cd291d36b9db528aea18add2 ]
+
+struct nexthop_grp contains two reserved fields that are not initialized by
+nla_put_nh_group(), and carry garbage. This can be observed e.g. with
+strace (edited for clarity):
+
+    # ip nexthop add id 1 dev lo
+    # ip nexthop add id 101 group 1
+    # strace -e recvmsg ip nexthop get id 101
+    ...
+    recvmsg(... [{nla_len=12, nla_type=NHA_GROUP},
+                 [{id=1, weight=0, resvd1=0x69, resvd2=0x67}]] ...) = 52
+
+The fields are reserved and therefore not currently used. But as they are, they
+leak kernel memory, and the fact they are not just zero complicates repurposing
+of the fields for new ends. Initialize the full structure.
+
+Fixes: 430a049190de ("nexthop: Add support for nexthop groups")
+Signed-off-by: Petr Machata <petrm@nvidia.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/nexthop.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/nexthop.c b/net/ipv4/nexthop.c
+index 0137854a7faaa..388f5773b88d2 100644
+--- a/net/ipv4/nexthop.c
++++ b/net/ipv4/nexthop.c
+@@ -201,9 +201,10 @@ static int nla_put_nh_group(struct sk_buff *skb, struct nh_group *nhg)
+       p = nla_data(nla);
+       for (i = 0; i < nhg->num_nh; ++i) {
+-              p->id = nhg->nh_entries[i].nh->id;
+-              p->weight = nhg->nh_entries[i].weight - 1;
+-              p += 1;
++              *p++ = (struct nexthop_grp) {
++                      .id = nhg->nh_entries[i].nh->id,
++                      .weight = nhg->nh_entries[i].weight - 1,
++              };
+       }
+       return 0;
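Review bot: The zeroing of `resvd1` and `resvd2` now depends on the compound literal leaving unnamed members zero, which a later return to field-by-field assignment would silently undo. A short comment inside the loop would keep the intent visible, e.g. `/* compound literal zeroes the reserved fields; this buffer is copied to user space */`. That guarantee covers named members only, so if struct nexthop_grp ever gains padding (its definition is outside this hunk), a `memset()` of the attribute payload before the loop would be the stronger protection. nla_put_nh_group() starts outside the hunk.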
+-- 
+2.43.0
+
diff --git a/queue-5.4/nvme-pci-add-missing-condition-check-for-existence-o.patch b/queue-5.4/nvme-pci-add-missing-condition-check-for-existence-o.patch
new file mode 100644 (file)
index 0000000..6ab9299
--- /dev/null
@@ -0,0 +1,39 @@
+From bac41444d9b662115ed579bbf295883ea361266b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jul 2024 13:31:14 +0300
+Subject: nvme-pci: add missing condition check for existence of mapped data
+
+From: Leon Romanovsky <leonro@nvidia.com>
+
+[ Upstream commit c31fad1470389666ac7169fe43aa65bf5b7e2cfd ]
+
+nvme_map_data() is called when request has physical segments, hence
+the nvme_unmap_data() should have same condition to avoid dereference.
+
+Fixes: 4aedb705437f ("nvme-pci: split metadata handling from nvme_map_data / nvme_unmap_data")
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Nitesh Shetty <nj.shetty@samsung.com>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index 486e44d20b430..1a6a628bb6f9f 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -938,7 +938,8 @@ static blk_status_t nvme_queue_rq(struct blk_mq_hw_ctx *hctx,
+       nvme_submit_cmd(nvmeq, &cmnd, bd->last);
+       return BLK_STS_OK;
+ out_unmap_data:
+-      nvme_unmap_data(dev, req);
++      if (blk_rq_nr_phys_segments(req))
++              nvme_unmap_data(dev, req);
+ out_free_cmd:
+       nvme_cleanup_cmd(req);
+       return ret;
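Review bot: The guard at `out_unmap_data` repeats a condition whose counterpart, the call to nvme_map_data(), is outside this hunk, so the two can drift apart without anyone noticing. A one-line comment would tie them together, e.g. `/* nvme_map_data() only ran if the request has physical segments */`. nvme_queue_rq() starts outside the hunk.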
+-- 
+2.43.0
+
diff --git a/queue-5.4/powerpc-fix-a-file-leak-in-kvm_vcpu_ioctl_enable_cap.patch b/queue-5.4/powerpc-fix-a-file-leak-in-kvm_vcpu_ioctl_enable_cap.patch
new file mode 100644 (file)
index 0000000..aa29dbd
--- /dev/null
@@ -0,0 +1,37 @@
+From 9db685eb50108da50dce99cc310f709da1b08f86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 May 2024 23:54:55 -0400
+Subject: powerpc: fix a file leak in kvm_vcpu_ioctl_enable_cap()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit b4cf5fc01ce83e5c0bcf3dbb9f929428646b9098 ]
+
+missing fdput() on one of the failure exits
+
+Fixes: eacc56bb9de3e # v5.2
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kvm/powerpc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kvm/powerpc.c b/arch/powerpc/kvm/powerpc.c
+index eb8c72846b7fc..7c5986aec64e2 100644
+--- a/arch/powerpc/kvm/powerpc.c
++++ b/arch/powerpc/kvm/powerpc.c
+@@ -1950,8 +1950,10 @@ static int kvm_vcpu_ioctl_enable_cap(struct kvm_vcpu *vcpu,
+                       break;
+               r = -ENXIO;
+-              if (!xive_enabled())
++              if (!xive_enabled()) {
++                      fdput(f);
+                       break;
++              }
+               r = -EPERM;
+               dev = kvm_device_from_filp(f.file);
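Review bot: The block still releases `f` separately on each `break`, which is how this exit came to be missed. The statements after `dev = kvm_device_from_filp(f.file);` are outside the hunk, so it is worth checking that every remaining path there also reaches an `fdput(f)`. Setting `r` and falling through to a single `fdput(f)` after the checks would make that self-evident. kvm_vcpu_ioctl_enable_cap() starts and ends outside the hunk.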
+-- 
+2.43.0
+
diff --git a/queue-5.4/s390-pci-allow-allocation-of-more-than-1-msi-interru.patch b/queue-5.4/s390-pci-allow-allocation-of-more-than-1-msi-interru.patch
new file mode 100644 (file)
index 0000000..44bed44
--- /dev/null
@@ -0,0 +1,170 @@
+From a4b03f82e4bd552b03b5be90dd9585d8454a138c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Jul 2024 15:45:27 +0200
+Subject: s390/pci: Allow allocation of more than 1 MSI interrupt
+
+From: Gerd Bayer <gbayer@linux.ibm.com>
+
+[ Upstream commit ab42fcb511fd9d241bbab7cc3ca04e34e9fc0666 ]
+
+On a PCI adapter that provides up to 8 MSI interrupt sources the s390
+implementation of PCI interrupts rejected to accommodate them, although
+the underlying hardware is able to support that.
+
+For MSI-X it is sufficient to allocate a single irq_desc per msi_desc,
+but for MSI multiple irq descriptors are attached to and controlled by
+a single msi descriptor. Add the appropriate loops to maintain multiple
+irq descriptors and tie/untie them to/from the appropriate AIBV bit, if
+a device driver allocates more than 1 MSI interrupt.
+
+Common PCI code passes on requests to allocate a number of interrupt
+vectors based on the device drivers' demand and the PCI functions'
+capabilities. However, the root-complex of s390 systems support just a
+limited number of interrupt vectors per PCI function.
+Produce a kernel log message to inform about any architecture-specific
+capping that might be done.
+
+With this change, we had a PCI adapter successfully raising
+interrupts to its device driver via all 8 sources.
+
+Fixes: a384c8924a8b ("s390/PCI: Fix single MSI only check")
+Signed-off-by: Gerd Bayer <gbayer@linux.ibm.com>
+Reviewed-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/pci/pci_irq.c | 62 ++++++++++++++++++++++++++++-------------
+ 1 file changed, 42 insertions(+), 20 deletions(-)
+
+diff --git a/arch/s390/pci/pci_irq.c b/arch/s390/pci/pci_irq.c
+index b36f5ef34a6c1..690f6999287bc 100644
+--- a/arch/s390/pci/pci_irq.c
++++ b/arch/s390/pci/pci_irq.c
+@@ -262,8 +262,8 @@ static int __alloc_airq(struct zpci_dev *zdev, int msi_vecs,
+ int arch_setup_msi_irqs(struct pci_dev *pdev, int nvec, int type)
+ {
++      unsigned int hwirq, msi_vecs, irqs_per_msi, i, cpu;
+       struct zpci_dev *zdev = to_zpci(pdev);
+-      unsigned int hwirq, msi_vecs, cpu;
+       struct msi_desc *msi;
+       struct msi_msg msg;
+       unsigned long bit;
+@@ -273,30 +273,46 @@ int arch_setup_msi_irqs(struct pci_dev *pdev, int nvec, int type)
+       zdev->aisb = -1UL;
+       zdev->msi_first_bit = -1U;
+-      if (type == PCI_CAP_ID_MSI && nvec > 1)
+-              return 1;
+       msi_vecs = min_t(unsigned int, nvec, zdev->max_msi);
++      if (msi_vecs < nvec) {
++              pr_info("%s requested %d irqs, allocate system limit of %d",
++                      pci_name(pdev), nvec, zdev->max_msi);
++      }
+       rc = __alloc_airq(zdev, msi_vecs, &bit);
+       if (rc < 0)
+               return rc;
+-      /* Request MSI interrupts */
++      /*
++       * Request MSI interrupts:
++       * When using MSI, nvec_used interrupt sources and their irq
++       * descriptors are controlled through one msi descriptor.
++       * Thus the outer loop over msi descriptors shall run only once,
++       * while two inner loops iterate over the interrupt vectors.
++       * When using MSI-X, each interrupt vector/irq descriptor
++       * is bound to exactly one msi descriptor (nvec_used is one).
++       * So the inner loops are executed once, while the outer iterates
++       * over the MSI-X descriptors.
++       */
+       hwirq = bit;
+       msi_for_each_desc(msi, &pdev->dev, MSI_DESC_NOTASSOCIATED) {
+-              rc = -EIO;
+               if (hwirq - bit >= msi_vecs)
+                       break;
+-              irq = __irq_alloc_descs(-1, 0, 1, 0, THIS_MODULE,
+-                              (irq_delivery == DIRECTED) ?
+-                              msi->affinity : NULL);
++              irqs_per_msi = min_t(unsigned int, msi_vecs, msi->nvec_used);
++              irq = __irq_alloc_descs(-1, 0, irqs_per_msi, 0, THIS_MODULE,
++                                      (irq_delivery == DIRECTED) ?
++                                      msi->affinity : NULL);
+               if (irq < 0)
+                       return -ENOMEM;
+-              rc = irq_set_msi_desc(irq, msi);
+-              if (rc)
+-                      return rc;
+-              irq_set_chip_and_handler(irq, &zpci_irq_chip,
+-                                       handle_percpu_irq);
++
++              for (i = 0; i < irqs_per_msi; i++) {
++                      rc = irq_set_msi_desc_off(irq, i, msi);
++                      if (rc)
++                              return rc;
++                      irq_set_chip_and_handler(irq + i, &zpci_irq_chip,
++                                               handle_percpu_irq);
++              }
++
+               msg.data = hwirq - bit;
+               if (irq_delivery == DIRECTED) {
+                       if (msi->affinity)
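Review bot: The new `pr_info()` format has no trailing newline, so the message can run into the next log line; it should end `... allocate system limit of %d\n"`. Both values are printed with `%d`, which matches `nvec` (int), but the type of `zdev->max_msi` is not visible here and the specifier should match it. Separately, the `return rc` in the new inner loop exits without releasing the `irqs_per_msi` descriptors from `__irq_alloc_descs()` or the bits taken by `__alloc_airq()`. With several descriptors per MSI now possible, an unwind path is worth adding unless the caller's teardown is known to cover it. arch_setup_msi_irqs() continues outside the hunk.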
+@@ -309,19 +325,22 @@ int arch_setup_msi_irqs(struct pci_dev *pdev, int nvec, int type)
+                       msg.address_lo |= (cpu_addr << 8);
+                       for_each_possible_cpu(cpu) {
+-                              airq_iv_set_data(zpci_ibv[cpu], hwirq, irq);
++                              for (i = 0; i < irqs_per_msi; i++)
++                                      airq_iv_set_data(zpci_ibv[cpu],
++                                                       hwirq + i, irq + i);
+                       }
+               } else {
+                       msg.address_lo = zdev->msi_addr & 0xffffffff;
+-                      airq_iv_set_data(zdev->aibv, hwirq, irq);
++                      for (i = 0; i < irqs_per_msi; i++)
++                              airq_iv_set_data(zdev->aibv, hwirq + i, irq + i);
+               }
+               msg.address_hi = zdev->msi_addr >> 32;
+               pci_write_msi_msg(irq, &msg);
+-              hwirq++;
++              hwirq += irqs_per_msi;
+       }
+       zdev->msi_first_bit = bit;
+-      zdev->msi_nr_irqs = msi_vecs;
++      zdev->msi_nr_irqs = hwirq - bit;
+       if (irq_delivery == DIRECTED)
+               rc = zpci_set_directed_irq(zdev);
+@@ -330,13 +349,14 @@ int arch_setup_msi_irqs(struct pci_dev *pdev, int nvec, int type)
+       if (rc)
+               return rc;
+-      return (msi_vecs == nvec) ? 0 : msi_vecs;
++      return (zdev->msi_nr_irqs == nvec) ? 0 : zdev->msi_nr_irqs;
+ }
+ void arch_teardown_msi_irqs(struct pci_dev *pdev)
+ {
+       struct zpci_dev *zdev = to_zpci(pdev);
+       struct msi_desc *msi;
++      unsigned int i;
+       int rc;
+       /* Disable interrupts */
+@@ -349,8 +369,10 @@ void arch_teardown_msi_irqs(struct pci_dev *pdev)
+       /* Release MSI interrupts */
+       msi_for_each_desc(msi, &pdev->dev, MSI_DESC_ASSOCIATED) {
+-              irq_set_msi_desc(msi->irq, NULL);
+-              irq_free_desc(msi->irq);
++              for (i = 0; i < msi->nvec_used; i++) {
++                      irq_set_msi_desc(msi->irq + i, NULL);
++                      irq_free_desc(msi->irq + i);
++              }
+               msi->msg.address_lo = 0;
+               msi->msg.address_hi = 0;
+               msi->msg.data = 0;
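Review bot: Teardown walks `msi->nvec_used` descriptors per MSI, but setup allocates only `irqs_per_msi = min_t(unsigned int, msi_vecs, msi->nvec_used)`. If `msi_vecs` was capped below `nvec_used` (the case the new `pr_info()` reports), `irq_set_msi_desc(msi->irq + i, NULL)` and `irq_free_desc(msi->irq + i)` would touch irq numbers this code never allocated. Bounding the loop by the count actually set up for the descriptor would close that gap. Also, this hunk's context iterates with `msi_for_each_desc(..., MSI_DESC_ASSOCIATED)`, while the teardown context in the queued "Do not mask MSI[-X] entries on teardown" patch uses `for_each_pci_msi_entry()`. Unless another patch in the series converts the iterator, the hunk may not apply to this tree.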
+-- 
+2.43.0
+
diff --git a/queue-5.4/s390-pci-do-not-mask-msi-x-entries-on-teardown.patch b/queue-5.4/s390-pci-do-not-mask-msi-x-entries-on-teardown.patch
new file mode 100644 (file)
index 0000000..d3b6394
--- /dev/null
@@ -0,0 +1,83 @@
+From 5639e6dc7a8ec92b75a3234c92fd9825cb0dfc96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Jul 2021 23:51:51 +0200
+Subject: s390/pci: Do not mask MSI[-X] entries on teardown
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+[ Upstream commit 3998527d2e3ee2bfdf710a45b7b90968ff87babc ]
+
+The PCI core already ensures that the MSI[-X] state is correct when MSI[-X]
+is disabled. For MSI the reset state is all entries unmasked and for MSI-X
+all vectors are masked.
+
+S390 masks all MSI entries and masks the already masked MSI-X entries
+again. Remove it and let the device in the correct state.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Tested-by: Marc Zyngier <maz@kernel.org>
+Reviewed-by: Marc Zyngier <maz@kernel.org>
+Acked-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Link: https://lore.kernel.org/r/20210729222542.939798136@linutronix.de
+Stable-dep-of: ab42fcb511fd ("s390/pci: Allow allocation of more than 1 MSI interrupt")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/pci/pci_irq.c | 4 ----
+ drivers/pci/msi.c       | 4 ++--
+ include/linux/msi.h     | 2 --
+ 3 files changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/arch/s390/pci/pci_irq.c b/arch/s390/pci/pci_irq.c
+index 75217fb63d7b3..5036e00b7ec1b 100644
+--- a/arch/s390/pci/pci_irq.c
++++ b/arch/s390/pci/pci_irq.c
+@@ -341,10 +341,6 @@ void arch_teardown_msi_irqs(struct pci_dev *pdev)
+       for_each_pci_msi_entry(msi, pdev) {
+               if (!msi->irq)
+                       continue;
+-              if (msi->msi_attrib.is_msix)
+-                      __pci_msix_desc_mask_irq(msi, 1);
+-              else
+-                      __pci_msi_desc_mask_irq(msi, 1, 1);
+               irq_set_msi_desc(msi->irq, NULL);
+               irq_free_desc(msi->irq);
+               msi->msg.address_lo = 0;
+diff --git a/drivers/pci/msi.c b/drivers/pci/msi.c
+index 1701d3de24da7..a37e3541c9377 100644
+--- a/drivers/pci/msi.c
++++ b/drivers/pci/msi.c
+@@ -170,7 +170,7 @@ static inline __attribute_const__ u32 msi_mask(unsigned x)
+  * reliably as devices without an INTx disable bit will then generate a
+  * level IRQ which will never be cleared.
+  */
+-void __pci_msi_desc_mask_irq(struct msi_desc *desc, u32 mask, u32 flag)
++static void __pci_msi_desc_mask_irq(struct msi_desc *desc, u32 mask, u32 flag)
+ {
+       raw_spinlock_t *lock = &desc->dev->msi_lock;
+       unsigned long flags;
+@@ -207,7 +207,7 @@ static void __iomem *pci_msix_desc_addr(struct msi_desc *desc)
+  * file.  This saves a few milliseconds when initialising devices with lots
+  * of MSI-X interrupts.
+  */
+-u32 __pci_msix_desc_mask_irq(struct msi_desc *desc, u32 flag)
++static u32 __pci_msix_desc_mask_irq(struct msi_desc *desc, u32 flag)
+ {
+       u32 mask_bits = desc->masked;
+       void __iomem *desc_addr;
+diff --git a/include/linux/msi.h b/include/linux/msi.h
+index 758e32f0d4434..31193305807d0 100644
+--- a/include/linux/msi.h
++++ b/include/linux/msi.h
+@@ -193,8 +193,6 @@ void free_msi_entry(struct msi_desc *entry);
+ void __pci_read_msi_msg(struct msi_desc *entry, struct msi_msg *msg);
+ void __pci_write_msi_msg(struct msi_desc *entry, struct msi_msg *msg);
+-u32 __pci_msix_desc_mask_irq(struct msi_desc *desc, u32 flag);
+-void __pci_msi_desc_mask_irq(struct msi_desc *desc, u32 mask, u32 flag);
+ void pci_msi_mask_irq(struct irq_data *data);
+ void pci_msi_unmask_irq(struct irq_data *data);
+-- 
+2.43.0
+
diff --git a/queue-5.4/s390-pci-fix-cpu-address-in-msi-for-directed-irq.patch b/queue-5.4/s390-pci-fix-cpu-address-in-msi-for-directed-irq.patch
new file mode 100644 (file)
index 0000000..f93662b
--- /dev/null
@@ -0,0 +1,77 @@
+From eb1570b580a005bd5c3a2e2076b4919d5b482af9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Nov 2020 18:00:37 +0100
+Subject: s390/pci: fix CPU address in MSI for directed IRQ
+
+From: Alexander Gordeev <agordeev@linux.ibm.com>
+
+[ Upstream commit a2bd4097b3ec242f4de4924db463a9c94530e03a ]
+
+The directed MSIs are delivered to CPUs whose address is
+written to the MSI message address. The current code assumes
+that a CPU logical number (as it is seen by the kernel)
+is also the CPU address.
+
+The above assumption is not correct, as the CPU address
+is rather the value returned by STAP instruction. That
+value does not necessarily match the kernel logical CPU
+number.
+
+Fixes: e979ce7bced2 ("s390/pci: provide support for CPU directed interrupts")
+Cc: <stable@vger.kernel.org> # v5.2+
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Reviewed-by: Halil Pasic <pasic@linux.ibm.com>
+Reviewed-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Stable-dep-of: ab42fcb511fd ("s390/pci: Allow allocation of more than 1 MSI interrupt")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/pci/pci_irq.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/arch/s390/pci/pci_irq.c b/arch/s390/pci/pci_irq.c
+index 743f257cf2cbd..75217fb63d7b3 100644
+--- a/arch/s390/pci/pci_irq.c
++++ b/arch/s390/pci/pci_irq.c
+@@ -103,9 +103,10 @@ static int zpci_set_irq_affinity(struct irq_data *data, const struct cpumask *de
+ {
+       struct msi_desc *entry = irq_get_msi_desc(data->irq);
+       struct msi_msg msg = entry->msg;
++      int cpu_addr = smp_cpu_get_cpu_address(cpumask_first(dest));
+       msg.address_lo &= 0xff0000ff;
+-      msg.address_lo |= (cpumask_first(dest) << 8);
++      msg.address_lo |= (cpu_addr << 8);
+       pci_write_msi_msg(data->irq, &msg);
+       return IRQ_SET_MASK_OK;
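Review bot: `smp_cpu_get_cpu_address(cpumask_first(dest))` is called without checking that `cpumask_first()` found a CPU. For an empty mask it returns a value at or above `nr_cpu_ids`, and the helper (not visible here) presumably indexes per-CPU data with it. A guard such as `if (cpumask_empty(dest)) return -EINVAL;` before the lookup would keep the function safe whatever the irq core guarantees about `dest`. The matching lookup in the last arch_setup_msi_irqs() hunk falls back to CPU 0 when `msi->affinity` is NULL, but likewise trusts that a non-NULL affinity mask is non-empty.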
+@@ -238,6 +239,7 @@ int arch_setup_msi_irqs(struct pci_dev *pdev, int nvec, int type)
+       unsigned long bit;
+       struct msi_desc *msi;
+       struct msi_msg msg;
++      int cpu_addr;
+       int rc, irq;
+       zdev->aisb = -1UL;
+@@ -287,9 +289,15 @@ int arch_setup_msi_irqs(struct pci_dev *pdev, int nvec, int type)
+                                        handle_percpu_irq);
+               msg.data = hwirq - bit;
+               if (irq_delivery == DIRECTED) {
++                      if (msi->affinity)
++                              cpu = cpumask_first(&msi->affinity->mask);
++                      else
++                              cpu = 0;
++                      cpu_addr = smp_cpu_get_cpu_address(cpu);
++
+                       msg.address_lo = zdev->msi_addr & 0xff0000ff;
+-                      msg.address_lo |= msi->affinity ?
+-                              (cpumask_first(&msi->affinity->mask) << 8) : 0;
++                      msg.address_lo |= (cpu_addr << 8);
++
+                       for_each_possible_cpu(cpu) {
+                               airq_iv_set_data(zpci_ibv[cpu], hwirq, irq);
+                       }
+-- 
+2.43.0
+
diff --git a/queue-5.4/s390-pci-refactor-arch_setup_msi_irqs.patch b/queue-5.4/s390-pci-refactor-arch_setup_msi_irqs.patch
new file mode 100644 (file)
index 0000000..31b2158
--- /dev/null
@@ -0,0 +1,106 @@
+From 712d01b388700377d93ded50ada7eeb7d69a9530 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Jul 2024 15:45:26 +0200
+Subject: s390/pci: Refactor arch_setup_msi_irqs()
+
+From: Gerd Bayer <gbayer@linux.ibm.com>
+
+[ Upstream commit 5fd11b96b43708f2f6e3964412c301c1bd20ec0f ]
+
+Factor out adapter interrupt allocation from arch_setup_msi_irqs() in
+preparation for enabling registration of multiple MSIs. Code movement
+only, no change of functionality intended.
+
+Signed-off-by: Gerd Bayer <gbayer@linux.ibm.com>
+Reviewed-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Stable-dep-of: ab42fcb511fd ("s390/pci: Allow allocation of more than 1 MSI interrupt")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/pci/pci_irq.c | 54 ++++++++++++++++++++++++-----------------
+ 1 file changed, 32 insertions(+), 22 deletions(-)
+
+diff --git a/arch/s390/pci/pci_irq.c b/arch/s390/pci/pci_irq.c
+index 9ed76fa9391cb..b36f5ef34a6c1 100644
+--- a/arch/s390/pci/pci_irq.c
++++ b/arch/s390/pci/pci_irq.c
+@@ -232,33 +232,20 @@ static void zpci_floating_irq_handler(struct airq_struct *airq, bool floating)
+       }
+ }
+-int arch_setup_msi_irqs(struct pci_dev *pdev, int nvec, int type)
++static int __alloc_airq(struct zpci_dev *zdev, int msi_vecs,
++                      unsigned long *bit)
+ {
+-      struct zpci_dev *zdev = to_zpci(pdev);
+-      unsigned int hwirq, msi_vecs, cpu;
+-      unsigned long bit;
+-      struct msi_desc *msi;
+-      struct msi_msg msg;
+-      int cpu_addr;
+-      int rc, irq;
+-
+-      zdev->aisb = -1UL;
+-      zdev->msi_first_bit = -1U;
+-      if (type == PCI_CAP_ID_MSI && nvec > 1)
+-              return 1;
+-      msi_vecs = min_t(unsigned int, nvec, zdev->max_msi);
+-
+       if (irq_delivery == DIRECTED) {
+               /* Allocate cpu vector bits */
+-              bit = airq_iv_alloc(zpci_ibv[0], msi_vecs);
+-              if (bit == -1UL)
++              *bit = airq_iv_alloc(zpci_ibv[0], msi_vecs);
++              if (*bit == -1UL)
+                       return -EIO;
+       } else {
+               /* Allocate adapter summary indicator bit */
+-              bit = airq_iv_alloc_bit(zpci_sbv);
+-              if (bit == -1UL)
++              *bit = airq_iv_alloc_bit(zpci_sbv);
++              if (*bit == -1UL)
+                       return -EIO;
+-              zdev->aisb = bit;
++              zdev->aisb = *bit;
+               /* Create adapter interrupt vector */
+               zdev->aibv = airq_iv_create(msi_vecs, AIRQ_IV_DATA | AIRQ_IV_BITLOCK);
+@@ -266,10 +253,33 @@ int arch_setup_msi_irqs(struct pci_dev *pdev, int nvec, int type)
+                       return -ENOMEM;
+               /* Wire up shortcut pointer */
+-              zpci_ibv[bit] = zdev->aibv;
++              zpci_ibv[*bit] = zdev->aibv;
+               /* Each function has its own interrupt vector */
+-              bit = 0;
++              *bit = 0;
+       }
++      return 0;
++}
++
++int arch_setup_msi_irqs(struct pci_dev *pdev, int nvec, int type)
++{
++      struct zpci_dev *zdev = to_zpci(pdev);
++      unsigned int hwirq, msi_vecs, cpu;
++      struct msi_desc *msi;
++      struct msi_msg msg;
++      unsigned long bit;
++      int cpu_addr;
++      int rc, irq;
++
++      zdev->aisb = -1UL;
++      zdev->msi_first_bit = -1U;
++
++      if (type == PCI_CAP_ID_MSI && nvec > 1)
++              return 1;
++      msi_vecs = min_t(unsigned int, nvec, zdev->max_msi);
++
++      rc = __alloc_airq(zdev, msi_vecs, &bit);
++      if (rc < 0)
++              return rc;
+       /* Request MSI interrupts */
+       hwirq = bit;
+-- 
+2.43.0
+
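Review bot: In the floating-delivery branch of the new `__alloc_airq()`, the `return -ENOMEM` path leaves the summary bit from `airq_iv_alloc_bit(zpci_sbv)` allocated and `zdev->aisb` set, and nothing in this hunk releases it. This matches the pre-refactor code and is presumably cleaned up by `arch_teardown_msi_irqs()`, which is outside the hunk, but now that the allocation is a separate helper that dependency should be stated in a comment above it, e.g. `/* On failure zdev->aisb may stay allocated; released in arch_teardown_msi_irqs() */`. The same comment should say that on success `*bit` is the first vector bit (the offset in `zpci_ibv[0]` for directed delivery, 0 for floating), since the parameter briefly carries the summary-bit index as well. The helper also takes `int msi_vecs` while the caller holds it as `unsigned int`; `unsigned int msi_vecs` in the signature would avoid the implicit conversion.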
diff --git a/queue-5.4/s390-pci-rework-msi-descriptor-walk.patch b/queue-5.4/s390-pci-rework-msi-descriptor-walk.patch
new file mode 100644 (file)
index 0000000..3afd5a9
--- /dev/null
@@ -0,0 +1,49 @@
+From 099f3562e9d7e56da6367d64319cca12107afdae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Dec 2021 23:51:23 +0100
+Subject: s390/pci: Rework MSI descriptor walk
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+[ Upstream commit 2ca5e908d0f4cde61d9d3595e8314adca5d914a1 ]
+
+Replace the about to vanish iterators and make use of the filtering.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Acked-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Link: https://lore.kernel.org/r/20211206210748.305656158@linutronix.de
+Stable-dep-of: ab42fcb511fd ("s390/pci: Allow allocation of more than 1 MSI interrupt")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/pci/pci_irq.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/arch/s390/pci/pci_irq.c b/arch/s390/pci/pci_irq.c
+index 5036e00b7ec1b..9ed76fa9391cb 100644
+--- a/arch/s390/pci/pci_irq.c
++++ b/arch/s390/pci/pci_irq.c
+@@ -273,7 +273,7 @@ int arch_setup_msi_irqs(struct pci_dev *pdev, int nvec, int type)
+       /* Request MSI interrupts */
+       hwirq = bit;
+-      for_each_pci_msi_entry(msi, pdev) {
++      msi_for_each_desc(msi, &pdev->dev, MSI_DESC_NOTASSOCIATED) {
+               rc = -EIO;
+               if (hwirq - bit >= msi_vecs)
+                       break;
+@@ -338,9 +338,7 @@ void arch_teardown_msi_irqs(struct pci_dev *pdev)
+               return;
+       /* Release MSI interrupts */
+-      for_each_pci_msi_entry(msi, pdev) {
+-              if (!msi->irq)
+-                      continue;
++      msi_for_each_desc(msi, &pdev->dev, MSI_DESC_ASSOCIATED) {
+               irq_set_msi_desc(msi->irq, NULL);
+               irq_free_desc(msi->irq);
+               msi->msg.address_lo = 0;
+-- 
+2.43.0
+
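Review bot: `msi_for_each_desc()` and the `MSI_DESC_NOTASSOCIATED` / `MSI_DESC_ASSOCIATED` filters used in both hunks of arch/s390/pci/pci_irq.c are not introduced by anything visible here, and none of the patches this commit adds to the series file looks like it provides them. The upstream change dates from December 2021 and its message says it replaces the "about to vanish" iterators, so the 5.4 tree may only have `for_each_pci_msi_entry()`. If so, this backport will not build and the loops should stay as `for_each_pci_msi_entry(msi, pdev) {`. In the teardown loop, dropping `if (!msi->irq) continue;` is only safe when the ASSOCIATED filter is really in effect, because the following lines pass `msi->irq` to `irq_set_msi_desc()` and `irq_free_desc()`.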
index e236e64f6262a84a3f9c65a3d75a46089b6fe9b8..34bfe7e47f8ff18b3ed3d3e964a0ce4dd7c46ddf 100644 (file)
@@ -132,3 +132,27 @@ rbd-don-t-assume-rbd_lock_state_locked-for-exclusive-mappings.patch
 bluetooth-btusb-add-rtl8852be-device-0489-e125-to-device-tables.patch
 bluetooth-btusb-add-realtek-rtl8852be-support-id-0x13d3-0x3591.patch
 nilfs2-handle-inconsistent-state-in-nilfs_btnode_create_block.patch
+kdb-address-wformat-security-warnings.patch
+kdb-use-the-passed-prompt-in-kdb_position_cursor.patch
+jfs-fix-array-index-out-of-bounds-in-difree.patch
+um-time-travel-fix-time-travel-start-option.patch
+libbpf-fix-no-args-func-prototype-btf-dumping-syntax.patch
+dma-fix-call-order-in-dmam_free_coherent.patch
+mips-smp-cps-fix-address-for-gcr_access-register-for.patch
+ipv4-fix-incorrect-source-address-in-record-route-op.patch
+net-bonding-correctly-annotate-rcu-in-bond_should_no.patch
+tipc-return-non-zero-value-from-tipc_udp_addr2str-on.patch
+net-nexthop-initialize-all-fields-in-dumped-nexthops.patch
+bpf-fix-a-segment-issue-when-downgrading-gso_size.patch
+misdn-fix-a-use-after-free-in-hfcmulti_tx.patch
+apparmor-fix-null-pointer-deref-when-receiving-skb-d.patch
+powerpc-fix-a-file-leak-in-kvm_vcpu_ioctl_enable_cap.patch
+asoc-intel-convert-to-new-x86-cpu-match-macros.patch
+asoc-intel-move-soc_intel_is_foo-helpers-to-a-generi.patch
+asoc-intel-use-soc_intel_is_byt_cr-only-when-iosf_mb.patch
+s390-pci-fix-cpu-address-in-msi-for-directed-irq.patch
+s390-pci-do-not-mask-msi-x-entries-on-teardown.patch
+s390-pci-rework-msi-descriptor-walk.patch
+s390-pci-refactor-arch_setup_msi_irqs.patch
+s390-pci-allow-allocation-of-more-than-1-msi-interru.patch
+nvme-pci-add-missing-condition-check-for-existence-o.patch
diff --git a/queue-5.4/tipc-return-non-zero-value-from-tipc_udp_addr2str-on.patch b/queue-5.4/tipc-return-non-zero-value-from-tipc_udp_addr2str-on.patch
new file mode 100644 (file)
index 0000000..663867c
--- /dev/null
@@ -0,0 +1,43 @@
+From 12e9bbd55f910746322b2521d3091f162ce6305f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 16 Jul 2024 11:09:05 +0900
+Subject: tipc: Return non-zero value from tipc_udp_addr2str() on error
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+[ Upstream commit fa96c6baef1b5385e2f0c0677b32b3839e716076 ]
+
+tipc_udp_addr2str() should return non-zero value if the UDP media
+address is invalid. Otherwise, a buffer overflow access can occur in
+tipc_media_addr_printf(). Fix this by returning 1 on an invalid UDP
+media address.
+
+Fixes: d0f91938bede ("tipc: add ip/udp media type")
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Reviewed-by: Tung Nguyen <tung.q.nguyen@endava.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/udp_media.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
+index 1fb0535e2eb47..4db2185a32aec 100644
+--- a/net/tipc/udp_media.c
++++ b/net/tipc/udp_media.c
+@@ -128,8 +128,11 @@ static int tipc_udp_addr2str(struct tipc_media_addr *a, char *buf, int size)
+               snprintf(buf, size, "%pI4:%u", &ua->ipv4, ntohs(ua->port));
+       else if (ntohs(ua->proto) == ETH_P_IPV6)
+               snprintf(buf, size, "%pI6:%u", &ua->ipv6, ntohs(ua->port));
+-      else
++      else {
+               pr_err("Invalid UDP media address\n");
++              return 1;
++      }
++
+       return 0;
+ }
+-- 
+2.43.0
+
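Review bot: The new `else` branch in `tipc_udp_addr2str()` returns 1 without writing anything to `buf`, so safety now depends on every caller checking the return value before reading the buffer, and no comment states that contract. The function begins outside the hunk; a comment above it such as `/* Returns 0 on success, non-zero if ua->proto is unknown; buf is not written in that case */` would make it explicit. Writing `if (size > 0) buf[0] = '\0';` before `return 1;` would also keep a caller that forgets the check from reading stale bytes. As a style point, kernel coding style wants braces on every branch once one branch has them, so the `if` / `else if` arms should be braced too.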
diff --git a/queue-5.4/um-time-travel-fix-time-travel-start-option.patch b/queue-5.4/um-time-travel-fix-time-travel-start-option.patch
new file mode 100644 (file)
index 0000000..934d8f4
--- /dev/null
@@ -0,0 +1,40 @@
+From b0f4b15f4a170753444ce46d23fa384b15b87ccd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Apr 2024 10:27:45 +0200
+Subject: um: time-travel: fix time-travel-start option
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 7d0a8a490aa3a2a82de8826aaf1dfa38575cb77a ]
+
+We need to have the = as part of the option so that the
+value can be parsed properly. Also document that it must
+be given in nanoseconds, not seconds.
+
+Fixes: 065038706f77 ("um: Support time travel mode")
+Link: https://patch.msgid.link/20240417102744.14b9a9d4eba0.Ib22e9136513126b2099d932650f55f193120cd97@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/um/kernel/time.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/um/kernel/time.c b/arch/um/kernel/time.c
+index 94ea87bd231cb..3ccbb42c171c6 100644
+--- a/arch/um/kernel/time.c
++++ b/arch/um/kernel/time.c
+@@ -256,9 +256,9 @@ int setup_time_travel_start(char *str)
+       return 1;
+ }
+-__setup("time-travel-start", setup_time_travel_start);
++__setup("time-travel-start=", setup_time_travel_start);
+ __uml_help(setup_time_travel_start,
+-"time-travel-start=<seconds>\n"
++"time-travel-start=<nanoseconds>\n"
+ "Configure the UML instance's wall clock to start at this value rather than\n"
+ "the host's wall clock at the time of UML boot.\n");
+ #endif
+-- 
+2.43.0
+