--- /dev/null
+From 9a7ff5089a10a60993f946a8106a81e317e3048c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Sep 2023 07:07:38 +0300
+Subject: ARM: dts: ti: omap: Fix noisy serial with overrun-throttle-ms for
+ mapphone
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit 5ad37b5e30433afa7a5513e3eb61f69fa0976785 ]
+
+On mapphone devices we may get lots of noise on the micro-USB port in debug
+uart mode until the phy-cpcap-usb driver probes. Let's limit the noise by
+using overrun-throttle-ms.
+
+Note that there is also a related separate issue where the charger cable
+connected may cause random sysrq requests until phy-cpcap-usb probes that
+still remains.
+
+Cc: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
+Cc: Carl Philipp Klemm <philipp@uvos.xyz>
+Cc: Merlijn Wajer <merlijn@wizzup.org>
+Cc: Pavel Machek <pavel@ucw.cz>
+Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/omap4-droid4-xt894.dts | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/boot/dts/omap4-droid4-xt894.dts b/arch/arm/boot/dts/omap4-droid4-xt894.dts
+index 459720f5f5586..91c8a05ab67ae 100644
+--- a/arch/arm/boot/dts/omap4-droid4-xt894.dts
++++ b/arch/arm/boot/dts/omap4-droid4-xt894.dts
+@@ -669,6 +669,7 @@ &uart1 {
+ &uart3 {
+ interrupts-extended = <&wakeupgen GIC_SPI 74 IRQ_TYPE_LEVEL_HIGH
+ &omap4_pmx_core 0x17c>;
++ overrun-throttle-ms = <500>;
+ };
+
+ &uart4 {
+--
+2.40.1
+
--- /dev/null
+From 4fc2761182c4e880684534e1c3cd1f029a54cca1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Sep 2023 09:08:40 +0900
+Subject: ata: libata-eh: Fix compilation warning in ata_eh_link_report()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+[ Upstream commit 49728bdc702391902a473b9393f1620eea32acb0 ]
+
+The 6 bytes length of the tries_buf string in ata_eh_link_report() is
+too short and results in a gcc compilation warning with W-!:
+
+drivers/ata/libata-eh.c: In function ‘ata_eh_link_report’:
+drivers/ata/libata-eh.c:2371:59: warning: ‘%d’ directive output may be truncated writing between 1 and 11 bytes into a region of size 4 [-Wformat-truncation=]
+ 2371 | snprintf(tries_buf, sizeof(tries_buf), " t%d",
+ | ^~
+drivers/ata/libata-eh.c:2371:56: note: directive argument in the range [-2147483648, 4]
+ 2371 | snprintf(tries_buf, sizeof(tries_buf), " t%d",
+ | ^~~~~~
+drivers/ata/libata-eh.c:2371:17: note: ‘snprintf’ output between 4 and 14 bytes into a destination of size 6
+ 2371 | snprintf(tries_buf, sizeof(tries_buf), " t%d",
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ 2372 | ap->eh_tries);
+ | ~~~~~~~~~~~~~
+
+Avoid this warning by increasing the string size to 16B.
+
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-eh.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c
+index 73a4dd37d04ae..63423d9e1457c 100644
+--- a/drivers/ata/libata-eh.c
++++ b/drivers/ata/libata-eh.c
+@@ -2443,7 +2443,7 @@ static void ata_eh_link_report(struct ata_link *link)
+ struct ata_eh_context *ehc = &link->eh_context;
+ struct ata_queued_cmd *qc;
+ const char *frozen, *desc;
+- char tries_buf[6] = "";
++ char tries_buf[16] = "";
+ int tag, nr_failed = 0;
+
+ if (ehc->i.flags & ATA_EHI_QUIET)
+--
+2.40.1
+
--- /dev/null
+From 967a9e93927507dfde797093c7177c92ee3d8752 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Sep 2023 04:39:34 +0000
+Subject: Bluetooth: Avoid redundant authentication
+
+From: Ying Hsu <yinghsu@chromium.org>
+
+[ Upstream commit 1d8e801422d66e4b8c7b187c52196bef94eed887 ]
+
+While executing the Android 13 CTS Verifier Secure Server test on a
+ChromeOS device, it was observed that the Bluetooth host initiates
+authentication for an RFCOMM connection after SSP completes.
+When this happens, some Intel Bluetooth controllers, like AC9560, would
+disconnect with "Connection Rejected due to Security Reasons (0x0e)".
+
+Historically, BlueZ did not mandate this authentication while an
+authenticated combination key was already in use for the connection.
+This behavior was changed since commit 7b5a9241b780
+("Bluetooth: Introduce requirements for security level 4").
+So, this patch addresses the aforementioned disconnection issue by
+restoring the previous behavior.
+
+Signed-off-by: Ying Hsu <yinghsu@chromium.org>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_conn.c | 63 ++++++++++++++++++++++------------------
+ 1 file changed, 35 insertions(+), 28 deletions(-)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index 9d01cccc84ade..b876e97b61c92 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -1388,34 +1388,41 @@ int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type,
+ if (!test_bit(HCI_CONN_AUTH, &conn->flags))
+ goto auth;
+
+- /* An authenticated FIPS approved combination key has sufficient
+- * security for security level 4. */
+- if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256 &&
+- sec_level == BT_SECURITY_FIPS)
+- goto encrypt;
+-
+- /* An authenticated combination key has sufficient security for
+- security level 3. */
+- if ((conn->key_type == HCI_LK_AUTH_COMBINATION_P192 ||
+- conn->key_type == HCI_LK_AUTH_COMBINATION_P256) &&
+- sec_level == BT_SECURITY_HIGH)
+- goto encrypt;
+-
+- /* An unauthenticated combination key has sufficient security for
+- security level 1 and 2. */
+- if ((conn->key_type == HCI_LK_UNAUTH_COMBINATION_P192 ||
+- conn->key_type == HCI_LK_UNAUTH_COMBINATION_P256) &&
+- (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW))
+- goto encrypt;
+-
+- /* A combination key has always sufficient security for the security
+- levels 1 or 2. High security level requires the combination key
+- is generated using maximum PIN code length (16).
+- For pre 2.1 units. */
+- if (conn->key_type == HCI_LK_COMBINATION &&
+- (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW ||
+- conn->pin_length == 16))
+- goto encrypt;
++ switch (conn->key_type) {
++ case HCI_LK_AUTH_COMBINATION_P256:
++ /* An authenticated FIPS approved combination key has
++ * sufficient security for security level 4 or lower.
++ */
++ if (sec_level <= BT_SECURITY_FIPS)
++ goto encrypt;
++ break;
++ case HCI_LK_AUTH_COMBINATION_P192:
++ /* An authenticated combination key has sufficient security for
++ * security level 3 or lower.
++ */
++ if (sec_level <= BT_SECURITY_HIGH)
++ goto encrypt;
++ break;
++ case HCI_LK_UNAUTH_COMBINATION_P192:
++ case HCI_LK_UNAUTH_COMBINATION_P256:
++ /* An unauthenticated combination key has sufficient security
++ * for security level 2 or lower.
++ */
++ if (sec_level <= BT_SECURITY_MEDIUM)
++ goto encrypt;
++ break;
++ case HCI_LK_COMBINATION:
++ /* A combination key has always sufficient security for the
++ * security levels 2 or lower. High security level requires the
++ * combination key is generated using maximum PIN code length
++ * (16). For pre 2.1 units.
++ */
++ if (sec_level <= BT_SECURITY_MEDIUM || conn->pin_length == 16)
++ goto encrypt;
++ break;
++ default:
++ break;
++ }
+
+ auth:
+ if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
+--
+2.40.1
+
--- /dev/null
+From 6703715f46b0b7a7e73248e1fdbc00db1c7c6ecc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Sep 2023 14:42:27 -0700
+Subject: Bluetooth: hci_core: Fix build warnings
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit dcda165706b9fbfd685898d46a6749d7d397e0c0 ]
+
+This fixes the following warnings:
+
+net/bluetooth/hci_core.c: In function ‘hci_register_dev’:
+net/bluetooth/hci_core.c:2620:54: warning: ‘%d’ directive output may
+be truncated writing between 1 and 10 bytes into a region of size 5
+[-Wformat-truncation=]
+ 2620 | snprintf(hdev->name, sizeof(hdev->name), "hci%d", id);
+ | ^~
+net/bluetooth/hci_core.c:2620:50: note: directive argument in the range
+[0, 2147483647]
+ 2620 | snprintf(hdev->name, sizeof(hdev->name), "hci%d", id);
+ | ^~~~~~~
+net/bluetooth/hci_core.c:2620:9: note: ‘snprintf’ output between 5 and
+14 bytes into a destination of size 8
+ 2620 | snprintf(hdev->name, sizeof(hdev->name), "hci%d", id);
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/hci_core.h | 2 +-
+ net/bluetooth/hci_core.c | 8 +++++---
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
+index 464a78200a31f..d3503f8c054ee 100644
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -209,7 +209,7 @@ struct hci_dev {
+ struct list_head list;
+ struct mutex lock;
+
+- char name[8];
++ const char *name;
+ unsigned long flags;
+ __u16 id;
+ __u8 bus;
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index 9fdc772ab32ea..4d89e38dceec3 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -3193,7 +3193,11 @@ int hci_register_dev(struct hci_dev *hdev)
+ if (id < 0)
+ return id;
+
+- snprintf(hdev->name, sizeof(hdev->name), "hci%d", id);
++ error = dev_set_name(&hdev->dev, "hci%u", id);
++ if (error)
++ return error;
++
++ hdev->name = dev_name(&hdev->dev);
+ hdev->id = id;
+
+ BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
+@@ -3215,8 +3219,6 @@ int hci_register_dev(struct hci_dev *hdev)
+ if (!IS_ERR_OR_NULL(bt_debugfs))
+ hdev->debugfs = debugfs_create_dir(hdev->name, bt_debugfs);
+
+- dev_set_name(&hdev->dev, "%s", hdev->name);
+-
+ error = device_add(&hdev->dev);
+ if (error < 0)
+ goto err_wqueue;
+--
+2.40.1
+
--- /dev/null
+From 2b8771c101f4eec583b6f6867f0db9918be0f6b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Oct 2023 13:59:59 -0700
+Subject: Bluetooth: hci_event: Fix using memcmp when comparing keys
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit b541260615f601ae1b5d6d0cc54e790de706303b ]
+
+memcmp is not consider safe to use with cryptographic secrets:
+
+ 'Do not use memcmp() to compare security critical data, such as
+ cryptographic secrets, because the required CPU time depends on the
+ number of equal bytes.'
+
+While usage of memcmp for ZERO_KEY may not be considered a security
+critical data, it can lead to more usage of memcmp with pairing keys
+which could introduce more security problems.
+
+Fixes: 455c2ff0a558 ("Bluetooth: Fix BR/EDR out-of-band pairing with only initiator data")
+Fixes: 33155c4aae52 ("Bluetooth: hci_event: Ignore NULL link key")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index 843502783b268..8b59f7808628a 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -25,6 +25,8 @@
+ /* Bluetooth HCI event handling. */
+
+ #include <asm/unaligned.h>
++#include <linux/crypto.h>
++#include <crypto/algapi.h>
+
+ #include <net/bluetooth/bluetooth.h>
+ #include <net/bluetooth/hci_core.h>
+@@ -3827,7 +3829,7 @@ static void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
+ goto unlock;
+
+ /* Ignore NULL link key against CVE-2020-26555 */
+- if (!memcmp(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
++ if (!crypto_memneq(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
+ bt_dev_dbg(hdev, "Ignore NULL link key (ZERO KEY) for %pMR",
+ &ev->bdaddr);
+ hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
+@@ -4313,8 +4315,8 @@ static u8 bredr_oob_data_present(struct hci_conn *conn)
+ * available, then do not declare that OOB data is
+ * present.
+ */
+- if (!memcmp(data->rand256, ZERO_KEY, 16) ||
+- !memcmp(data->hash256, ZERO_KEY, 16))
++ if (!crypto_memneq(data->rand256, ZERO_KEY, 16) ||
++ !crypto_memneq(data->hash256, ZERO_KEY, 16))
+ return 0x00;
+
+ return 0x02;
+@@ -4324,8 +4326,8 @@ static u8 bredr_oob_data_present(struct hci_conn *conn)
+ * not supported by the hardware, then check that if
+ * P-192 data values are present.
+ */
+- if (!memcmp(data->rand192, ZERO_KEY, 16) ||
+- !memcmp(data->hash192, ZERO_KEY, 16))
++ if (!crypto_memneq(data->rand192, ZERO_KEY, 16) ||
++ !crypto_memneq(data->hash192, ZERO_KEY, 16))
+ return 0x00;
+
+ return 0x01;
+--
+2.40.1
+
--- /dev/null
+From 3a425a8d3570058211d24e308e495c44d64f0b4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Sep 2023 15:47:27 -0400
+Subject: btrfs: fix some -Wmaybe-uninitialized warnings in ioctl.c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit 9147b9ded499d9853bdf0e9804b7eaa99c4429ed ]
+
+Jens reported the following warnings from -Wmaybe-uninitialized recent
+Linus' branch.
+
+ In file included from ./include/asm-generic/rwonce.h:26,
+ from ./arch/arm64/include/asm/rwonce.h:71,
+ from ./include/linux/compiler.h:246,
+ from ./include/linux/export.h:5,
+ from ./include/linux/linkage.h:7,
+ from ./include/linux/kernel.h:17,
+ from fs/btrfs/ioctl.c:6:
+ In function ‘instrument_copy_from_user_before’,
+ inlined from ‘_copy_from_user’ at ./include/linux/uaccess.h:148:3,
+ inlined from ‘copy_from_user’ at ./include/linux/uaccess.h:183:7,
+ inlined from ‘btrfs_ioctl_space_info’ at fs/btrfs/ioctl.c:2999:6,
+ inlined from ‘btrfs_ioctl’ at fs/btrfs/ioctl.c:4616:10:
+ ./include/linux/kasan-checks.h:38:27: warning: ‘space_args’ may be used
+ uninitialized [-Wmaybe-uninitialized]
+ 38 | #define kasan_check_write __kasan_check_write
+ ./include/linux/instrumented.h:129:9: note: in expansion of macro
+ ‘kasan_check_write’
+ 129 | kasan_check_write(to, n);
+ | ^~~~~~~~~~~~~~~~~
+ ./include/linux/kasan-checks.h: In function ‘btrfs_ioctl’:
+ ./include/linux/kasan-checks.h:20:6: note: by argument 1 of type ‘const
+ volatile void *’ to ‘__kasan_check_write’ declared here
+ 20 | bool __kasan_check_write(const volatile void *p, unsigned int
+ size);
+ | ^~~~~~~~~~~~~~~~~~~
+ fs/btrfs/ioctl.c:2981:39: note: ‘space_args’ declared here
+ 2981 | struct btrfs_ioctl_space_args space_args;
+ | ^~~~~~~~~~
+ In function ‘instrument_copy_from_user_before’,
+ inlined from ‘_copy_from_user’ at ./include/linux/uaccess.h:148:3,
+ inlined from ‘copy_from_user’ at ./include/linux/uaccess.h:183:7,
+ inlined from ‘_btrfs_ioctl_send’ at fs/btrfs/ioctl.c:4343:9,
+ inlined from ‘btrfs_ioctl’ at fs/btrfs/ioctl.c:4658:10:
+ ./include/linux/kasan-checks.h:38:27: warning: ‘args32’ may be used
+ uninitialized [-Wmaybe-uninitialized]
+ 38 | #define kasan_check_write __kasan_check_write
+ ./include/linux/instrumented.h:129:9: note: in expansion of macro
+ ‘kasan_check_write’
+ 129 | kasan_check_write(to, n);
+ | ^~~~~~~~~~~~~~~~~
+ ./include/linux/kasan-checks.h: In function ‘btrfs_ioctl’:
+ ./include/linux/kasan-checks.h:20:6: note: by argument 1 of type ‘const
+ volatile void *’ to ‘__kasan_check_write’ declared here
+ 20 | bool __kasan_check_write(const volatile void *p, unsigned int
+ size);
+ | ^~~~~~~~~~~~~~~~~~~
+ fs/btrfs/ioctl.c:4341:49: note: ‘args32’ declared here
+ 4341 | struct btrfs_ioctl_send_args_32 args32;
+ | ^~~~~~
+
+This was due to his config options and having KASAN turned on,
+which adds some extra checks around copy_from_user(), which then
+triggered the -Wmaybe-uninitialized checker for these cases.
+
+Fix the warnings by initializing the different structs we're copying
+into.
+
+Reported-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/ioctl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
+index f009d585e72f8..e3f18edc1afee 100644
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -4526,7 +4526,7 @@ static void get_block_group_info(struct list_head *groups_list,
+ static long btrfs_ioctl_space_info(struct btrfs_fs_info *fs_info,
+ void __user *arg)
+ {
+- struct btrfs_ioctl_space_args space_args;
++ struct btrfs_ioctl_space_args space_args = { 0 };
+ struct btrfs_ioctl_space_info space;
+ struct btrfs_ioctl_space_info *dest;
+ struct btrfs_ioctl_space_info *dest_orig;
+@@ -5884,7 +5884,7 @@ static int _btrfs_ioctl_send(struct file *file, void __user *argp, bool compat)
+
+ if (compat) {
+ #if defined(CONFIG_64BIT) && defined(CONFIG_COMPAT)
+- struct btrfs_ioctl_send_args_32 args32;
++ struct btrfs_ioctl_send_args_32 args32 = { 0 };
+
+ ret = copy_from_user(&args32, argp, sizeof(args32));
+ if (ret)
+--
+2.40.1
+
--- /dev/null
+From 3c52b7b407c486315ab1b85fb25b3d0dd92ef95e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 5 Sep 2023 12:15:24 -0400
+Subject: btrfs: initialize start_slot in btrfs_log_prealloc_extents
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit b4c639f699349880b7918b861e1bd360442ec450 ]
+
+Jens reported a compiler warning when using
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y that looks like this
+
+ fs/btrfs/tree-log.c: In function ‘btrfs_log_prealloc_extents’:
+ fs/btrfs/tree-log.c:4828:23: warning: ‘start_slot’ may be used
+ uninitialized [-Wmaybe-uninitialized]
+ 4828 | ret = copy_items(trans, inode, dst_path, path,
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ 4829 | start_slot, ins_nr, 1, 0);
+ | ~~~~~~~~~~~~~~~~~~~~~~~~~
+ fs/btrfs/tree-log.c:4725:13: note: ‘start_slot’ was declared here
+ 4725 | int start_slot;
+ | ^~~~~~~~~~
+
+The compiler is incorrect, as we only use this code when ins_len > 0,
+and when ins_len > 0 we have start_slot properly initialized. However
+we generally find the -Wmaybe-uninitialized warnings valuable, so
+initialize start_slot to get rid of the warning.
+
+Reported-by: Jens Axboe <axboe@kernel.dk>
+Tested-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/tree-log.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
+index 0fe32c567ed74..23ec766eeb0a3 100644
+--- a/fs/btrfs/tree-log.c
++++ b/fs/btrfs/tree-log.c
+@@ -4236,7 +4236,7 @@ static int btrfs_log_prealloc_extents(struct btrfs_trans_handle *trans,
+ struct extent_buffer *leaf;
+ int slot;
+ int ins_nr = 0;
+- int start_slot;
++ int start_slot = 0;
+ int ret;
+
+ if (!(inode->flags & BTRFS_INODE_PREALLOC))
+--
+2.40.1
+
--- /dev/null
+From 792c3e7939575fb19cdf08e331919adc217af983 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Sep 2023 18:20:23 +0100
+Subject: btrfs: return -EUCLEAN for delayed tree ref with a ref count not
+ equals to 1
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 1bf76df3fee56d6637718e267f7c34ed70d0c7dc ]
+
+When running a delayed tree reference, if we find a ref count different
+from 1, we return -EIO. This isn't an IO error, as it indicates either a
+bug in the delayed refs code or a memory corruption, so change the error
+code from -EIO to -EUCLEAN. Also tag the branch as 'unlikely' as this is
+not expected to ever happen, and change the error message to print the
+tree block's bytenr without the parenthesis (and there was a missing space
+between the 'block' word and the opening parenthesis), for consistency as
+that's the style we used everywhere else.
+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/extent-tree.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
+index bb05b0a82c8ba..902ab00bfd7ab 100644
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -2327,12 +2327,12 @@ static int run_delayed_tree_ref(struct btrfs_trans_handle *trans,
+ parent = ref->parent;
+ ref_root = ref->root;
+
+- if (node->ref_mod != 1) {
++ if (unlikely(node->ref_mod != 1)) {
+ btrfs_err(trans->fs_info,
+- "btree block(%llu) has %d references rather than 1: action %d ref_root %llu parent %llu",
++ "btree block %llu has %d references rather than 1: action %d ref_root %llu parent %llu",
+ node->bytenr, node->ref_mod, node->action, ref_root,
+ parent);
+- return -EIO;
++ return -EUCLEAN;
+ }
+ if (node->action == BTRFS_ADD_DELAYED_REF && insert_reserved) {
+ BUG_ON(!extent_op || !extent_op->update_flags);
+--
+2.40.1
+
--- /dev/null
+From ec4f6189213941fb32633b3d882e7903a7dd3985 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 1 Oct 2023 13:47:10 +0200
+Subject: drm: panel-orientation-quirks: Add quirk for One Mix 2S
+
+From: Kai Uwe Broulik <foss-linux@broulik.de>
+
+[ Upstream commit cbb7eb2dbd9472816e42a1b0fdb51af49abbf812 ]
+
+The One Mix 2S is a mini laptop with a 1200x1920 portrait screen
+mounted in a landscape oriented clamshell case. Because of the too
+generic DMI strings this entry is also doing bios-date matching.
+
+Signed-off-by: Kai Uwe Broulik <foss-linux@broulik.de>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Liviu Dudau <liviu.dudau@arm.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20231001114710.336172-1-foss-linux@broulik.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_panel_orientation_quirks.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+index 7a2a148b8ec62..597db0acef95a 100644
+--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+@@ -44,6 +44,14 @@ static const struct drm_dmi_panel_orientation_data gpd_micropc = {
+ .orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP,
+ };
+
++static const struct drm_dmi_panel_orientation_data gpd_onemix2s = {
++ .width = 1200,
++ .height = 1920,
++ .bios_dates = (const char * const []){ "05/21/2018", "10/26/2018",
++ "03/04/2019", NULL },
++ .orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP,
++};
++
+ static const struct drm_dmi_panel_orientation_data gpd_pocket = {
+ .width = 1200,
+ .height = 1920,
+@@ -219,6 +227,14 @@ static const struct dmi_system_id orientation_data[] = {
+ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "LTH17"),
+ },
+ .driver_data = (void *)&lcd800x1280_rightside_up,
++ }, { /* One Mix 2S (generic strings, also match on bios date) */
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Default string"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Default string"),
++ DMI_EXACT_MATCH(DMI_BOARD_VENDOR, "Default string"),
++ DMI_EXACT_MATCH(DMI_BOARD_NAME, "Default string"),
++ },
++ .driver_data = (void *)&gpd_onemix2s,
+ },
+ {}
+ };
+--
+2.40.1
+
--- /dev/null
+From 033bb212fc1e9aa52681f271400c1bda39686925 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Sep 2023 10:29:14 +0000
+Subject: gpio: timberdale: Fix potential deadlock on &tgpio->lock
+
+From: Chengfeng Ye <dg573847474@gmail.com>
+
+[ Upstream commit 9e8bc2dda5a7a8e2babc9975f4b11c9a6196e490 ]
+
+As timbgpio_irq_enable()/timbgpio_irq_disable() callback could be
+executed under irq context, it could introduce double locks on
+&tgpio->lock if it preempts other execution units requiring
+the same locks.
+
+timbgpio_gpio_set()
+--> timbgpio_update_bit()
+--> spin_lock(&tgpio->lock)
+<interrupt>
+ --> timbgpio_irq_disable()
+ --> spin_lock_irqsave(&tgpio->lock)
+
+This flaw was found by an experimental static analysis tool I am
+developing for irq-related deadlock.
+
+To prevent the potential deadlock, the patch uses spin_lock_irqsave()
+on &tgpio->lock inside timbgpio_gpio_set() to prevent the possible
+deadlock scenario.
+
+Signed-off-by: Chengfeng Ye <dg573847474@gmail.com>
+Reviewed-by: Andy Shevchenko <andy@kernel.org>
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-timberdale.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpio/gpio-timberdale.c b/drivers/gpio/gpio-timberdale.c
+index 314e300d6ba33..1e6925c27ae29 100644
+--- a/drivers/gpio/gpio-timberdale.c
++++ b/drivers/gpio/gpio-timberdale.c
+@@ -55,9 +55,10 @@ static int timbgpio_update_bit(struct gpio_chip *gpio, unsigned index,
+ unsigned offset, bool enabled)
+ {
+ struct timbgpio *tgpio = gpiochip_get_data(gpio);
++ unsigned long flags;
+ u32 reg;
+
+- spin_lock(&tgpio->lock);
++ spin_lock_irqsave(&tgpio->lock, flags);
+ reg = ioread32(tgpio->membase + offset);
+
+ if (enabled)
+@@ -66,7 +67,7 @@ static int timbgpio_update_bit(struct gpio_chip *gpio, unsigned index,
+ reg &= ~(1 << index);
+
+ iowrite32(reg, tgpio->membase + offset);
+- spin_unlock(&tgpio->lock);
++ spin_unlock_irqrestore(&tgpio->lock, flags);
+
+ return 0;
+ }
+--
+2.40.1
+
--- /dev/null
+From 286a629fb57ab9307ccf7027771977b147d3ad53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Sep 2023 10:40:59 +0800
+Subject: HID: holtek: fix slab-out-of-bounds Write in holtek_kbd_input_event
+
+From: Ma Ke <make_ruc2021@163.com>
+
+[ Upstream commit ffe3b7837a2bb421df84d0177481db9f52c93a71 ]
+
+There is a slab-out-of-bounds Write bug in hid-holtek-kbd driver.
+The problem is the driver assumes the device must have an input
+but some malicious devices violate this assumption.
+
+Fix this by checking hid_device's input is non-empty before its usage.
+
+Signed-off-by: Ma Ke <make_ruc2021@163.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-holtek-kbd.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/hid/hid-holtek-kbd.c b/drivers/hid/hid-holtek-kbd.c
+index 2f8eb66397444..72788ca260e08 100644
+--- a/drivers/hid/hid-holtek-kbd.c
++++ b/drivers/hid/hid-holtek-kbd.c
+@@ -133,6 +133,10 @@ static int holtek_kbd_input_event(struct input_dev *dev, unsigned int type,
+ return -ENODEV;
+
+ boot_hid = usb_get_intfdata(boot_interface);
++ if (list_empty(&boot_hid->inputs)) {
++ hid_err(hid, "no inputs found\n");
++ return -ENODEV;
++ }
+ boot_hid_input = list_first_entry(&boot_hid->inputs,
+ struct hid_input, list);
+
+--
+2.40.1
+
--- /dev/null
+From 648ea05d50959872e4ac898aa6e8ec9e50e00d0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Sep 2023 23:54:06 +0200
+Subject: i2c: mux: Avoid potential false error message in i2c_mux_add_adapter
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+[ Upstream commit b13e59e74ff71a1004e0508107e91e9a84fd7388 ]
+
+I2C_CLASS_DEPRECATED is a flag and not an actual class.
+There's nothing speaking against both, parent and child, having
+I2C_CLASS_DEPRECATED set. Therefore exclude it from the check.
+
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Acked-by: Peter Rosin <peda@axentia.se>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/i2c-mux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/i2c-mux.c b/drivers/i2c/i2c-mux.c
+index f330690b41253..83a79bcb71ea5 100644
+--- a/drivers/i2c/i2c-mux.c
++++ b/drivers/i2c/i2c-mux.c
+@@ -334,7 +334,7 @@ int i2c_mux_add_adapter(struct i2c_mux_core *muxc,
+ priv->adap.lock_ops = &i2c_parent_lock_ops;
+
+ /* Sanity check on class */
+- if (i2c_mux_parent_classes(parent) & class)
++ if (i2c_mux_parent_classes(parent) & class & ~I2C_CLASS_DEPRECATED)
+ dev_err(&parent->dev,
+ "Segment %d behind mux can't share classes with ancestors\n",
+ chan_id);
+--
+2.40.1
+
--- /dev/null
+From 56bc433278225b6c845468a236092bf7f7232b11 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 May 2019 09:38:46 -0400
+Subject: libceph: fix unaligned accesses in ceph_entity_addr handling
+
+From: Jeff Layton <jlayton@kernel.org>
+
+[ Upstream commit cede185b1ba3118e1912385db4812a37d9e9b205 ]
+
+GCC9 is throwing a lot of warnings about unaligned access. This patch
+fixes some of them by changing most of the sockaddr handling functions
+to take a pointer to struct ceph_entity_addr instead of struct
+sockaddr_storage. The lower functions can then make copies or do
+unaligned accesses as needed.
+
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Stable-dep-of: 7563cf17dce0 ("libceph: use kernel_connect()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ceph/messenger.c | 77 +++++++++++++++++++++-----------------------
+ 1 file changed, 37 insertions(+), 40 deletions(-)
+
+diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
+index 21bd37ec5511c..53ab8fc713a3e 100644
+--- a/net/ceph/messenger.c
++++ b/net/ceph/messenger.c
+@@ -462,7 +462,7 @@ static void set_sock_callbacks(struct socket *sock,
+ */
+ static int ceph_tcp_connect(struct ceph_connection *con)
+ {
+- struct sockaddr_storage *paddr = &con->peer_addr.in_addr;
++ struct sockaddr_storage ss = con->peer_addr.in_addr; /* align */
+ struct socket *sock;
+ unsigned int noio_flag;
+ int ret;
+@@ -471,7 +471,7 @@ static int ceph_tcp_connect(struct ceph_connection *con)
+
+ /* sock_create_kern() allocates with GFP_KERNEL */
+ noio_flag = memalloc_noio_save();
+- ret = sock_create_kern(read_pnet(&con->msgr->net), paddr->ss_family,
++ ret = sock_create_kern(read_pnet(&con->msgr->net), ss.ss_family,
+ SOCK_STREAM, IPPROTO_TCP, &sock);
+ memalloc_noio_restore(noio_flag);
+ if (ret)
+@@ -487,7 +487,7 @@ static int ceph_tcp_connect(struct ceph_connection *con)
+ dout("connect %s\n", ceph_pr_addr(&con->peer_addr.in_addr));
+
+ con_sock_state_connecting(con);
+- ret = sock->ops->connect(sock, (struct sockaddr *)paddr, sizeof(*paddr),
++ ret = sock->ops->connect(sock, (struct sockaddr *)&ss, sizeof(ss),
+ O_NONBLOCK);
+ if (ret == -EINPROGRESS) {
+ dout("connect %s EINPROGRESS sk_state = %u\n",
+@@ -1824,14 +1824,15 @@ static int verify_hello(struct ceph_connection *con)
+ return 0;
+ }
+
+-static bool addr_is_blank(struct sockaddr_storage *ss)
++static bool addr_is_blank(struct ceph_entity_addr *addr)
+ {
+- struct in_addr *addr = &((struct sockaddr_in *)ss)->sin_addr;
+- struct in6_addr *addr6 = &((struct sockaddr_in6 *)ss)->sin6_addr;
++ struct sockaddr_storage ss = addr->in_addr; /* align */
++ struct in_addr *addr4 = &((struct sockaddr_in *)&ss)->sin_addr;
++ struct in6_addr *addr6 = &((struct sockaddr_in6 *)&ss)->sin6_addr;
+
+- switch (ss->ss_family) {
++ switch (ss.ss_family) {
+ case AF_INET:
+- return addr->s_addr == htonl(INADDR_ANY);
++ return addr4->s_addr == htonl(INADDR_ANY);
+ case AF_INET6:
+ return ipv6_addr_any(addr6);
+ default:
+@@ -1839,25 +1840,25 @@ static bool addr_is_blank(struct sockaddr_storage *ss)
+ }
+ }
+
+-static int addr_port(struct sockaddr_storage *ss)
++static int addr_port(struct ceph_entity_addr *addr)
+ {
+- switch (ss->ss_family) {
++ switch (get_unaligned(&addr->in_addr.ss_family)) {
+ case AF_INET:
+- return ntohs(((struct sockaddr_in *)ss)->sin_port);
++ return ntohs(get_unaligned(&((struct sockaddr_in *)&addr->in_addr)->sin_port));
+ case AF_INET6:
+- return ntohs(((struct sockaddr_in6 *)ss)->sin6_port);
++ return ntohs(get_unaligned(&((struct sockaddr_in6 *)&addr->in_addr)->sin6_port));
+ }
+ return 0;
+ }
+
+-static void addr_set_port(struct sockaddr_storage *ss, int p)
++static void addr_set_port(struct ceph_entity_addr *addr, int p)
+ {
+- switch (ss->ss_family) {
++ switch (get_unaligned(&addr->in_addr.ss_family)) {
+ case AF_INET:
+- ((struct sockaddr_in *)ss)->sin_port = htons(p);
++ put_unaligned(htons(p), &((struct sockaddr_in *)&addr->in_addr)->sin_port);
+ break;
+ case AF_INET6:
+- ((struct sockaddr_in6 *)ss)->sin6_port = htons(p);
++ put_unaligned(htons(p), &((struct sockaddr_in6 *)&addr->in_addr)->sin6_port);
+ break;
+ }
+ }
+@@ -1865,21 +1866,18 @@ static void addr_set_port(struct sockaddr_storage *ss, int p)
+ /*
+ * Unlike other *_pton function semantics, zero indicates success.
+ */
+-static int ceph_pton(const char *str, size_t len, struct sockaddr_storage *ss,
++static int ceph_pton(const char *str, size_t len, struct ceph_entity_addr *addr,
+ char delim, const char **ipend)
+ {
+- struct sockaddr_in *in4 = (struct sockaddr_in *) ss;
+- struct sockaddr_in6 *in6 = (struct sockaddr_in6 *) ss;
+-
+- memset(ss, 0, sizeof(*ss));
++ memset(&addr->in_addr, 0, sizeof(addr->in_addr));
+
+- if (in4_pton(str, len, (u8 *)&in4->sin_addr.s_addr, delim, ipend)) {
+- ss->ss_family = AF_INET;
++ if (in4_pton(str, len, (u8 *)&((struct sockaddr_in *)&addr->in_addr)->sin_addr.s_addr, delim, ipend)) {
++ put_unaligned(AF_INET, &addr->in_addr.ss_family);
+ return 0;
+ }
+
+- if (in6_pton(str, len, (u8 *)&in6->sin6_addr.s6_addr, delim, ipend)) {
+- ss->ss_family = AF_INET6;
++ if (in6_pton(str, len, (u8 *)&((struct sockaddr_in6 *)&addr->in_addr)->sin6_addr.s6_addr, delim, ipend)) {
++ put_unaligned(AF_INET6, &addr->in_addr.ss_family);
+ return 0;
+ }
+
+@@ -1891,7 +1889,7 @@ static int ceph_pton(const char *str, size_t len, struct sockaddr_storage *ss,
+ */
+ #ifdef CONFIG_CEPH_LIB_USE_DNS_RESOLVER
+ static int ceph_dns_resolve_name(const char *name, size_t namelen,
+- struct sockaddr_storage *ss, char delim, const char **ipend)
++ struct ceph_entity_addr *addr, char delim, const char **ipend)
+ {
+ const char *end, *delim_p;
+ char *colon_p, *ip_addr = NULL;
+@@ -1920,7 +1918,7 @@ static int ceph_dns_resolve_name(const char *name, size_t namelen,
+ /* do dns_resolve upcall */
+ ip_len = dns_query(NULL, name, end - name, NULL, &ip_addr, NULL);
+ if (ip_len > 0)
+- ret = ceph_pton(ip_addr, ip_len, ss, -1, NULL);
++ ret = ceph_pton(ip_addr, ip_len, addr, -1, NULL);
+ else
+ ret = -ESRCH;
+
+@@ -1929,13 +1927,13 @@ static int ceph_dns_resolve_name(const char *name, size_t namelen,
+ *ipend = end;
+
+ pr_info("resolve '%.*s' (ret=%d): %s\n", (int)(end - name), name,
+- ret, ret ? "failed" : ceph_pr_addr(ss));
++ ret, ret ? "failed" : ceph_pr_addr(&addr->in_addr));
+
+ return ret;
+ }
+ #else
+ static inline int ceph_dns_resolve_name(const char *name, size_t namelen,
+- struct sockaddr_storage *ss, char delim, const char **ipend)
++ struct ceph_entity_addr *addr, char delim, const char **ipend)
+ {
+ return -EINVAL;
+ }
+@@ -1946,13 +1944,13 @@ static inline int ceph_dns_resolve_name(const char *name, size_t namelen,
+ * then try to extract a hostname to resolve using userspace DNS upcall.
+ */
+ static int ceph_parse_server_name(const char *name, size_t namelen,
+- struct sockaddr_storage *ss, char delim, const char **ipend)
++ struct ceph_entity_addr *addr, char delim, const char **ipend)
+ {
+ int ret;
+
+- ret = ceph_pton(name, namelen, ss, delim, ipend);
++ ret = ceph_pton(name, namelen, addr, delim, ipend);
+ if (ret)
+- ret = ceph_dns_resolve_name(name, namelen, ss, delim, ipend);
++ ret = ceph_dns_resolve_name(name, namelen, addr, delim, ipend);
+
+ return ret;
+ }
+@@ -1971,7 +1969,6 @@ int ceph_parse_ips(const char *c, const char *end,
+ dout("parse_ips on '%.*s'\n", (int)(end-c), c);
+ for (i = 0; i < max_count; i++) {
+ const char *ipend;
+- struct sockaddr_storage *ss = &addr[i].in_addr;
+ int port;
+ char delim = ',';
+
+@@ -1980,7 +1977,7 @@ int ceph_parse_ips(const char *c, const char *end,
+ p++;
+ }
+
+- ret = ceph_parse_server_name(p, end - p, ss, delim, &ipend);
++ ret = ceph_parse_server_name(p, end - p, &addr[i], delim, &ipend);
+ if (ret)
+ goto bad;
+ ret = -EINVAL;
+@@ -2011,9 +2008,9 @@ int ceph_parse_ips(const char *c, const char *end,
+ port = CEPH_MON_PORT;
+ }
+
+- addr_set_port(ss, port);
++ addr_set_port(&addr[i], port);
+
+- dout("parse_ips got %s\n", ceph_pr_addr(ss));
++ dout("parse_ips got %s\n", ceph_pr_addr(&addr[i].in_addr));
+
+ if (p == end)
+ break;
+@@ -2052,7 +2049,7 @@ static int process_banner(struct ceph_connection *con)
+ */
+ if (memcmp(&con->peer_addr, &con->actual_peer_addr,
+ sizeof(con->peer_addr)) != 0 &&
+- !(addr_is_blank(&con->actual_peer_addr.in_addr) &&
++ !(addr_is_blank(&con->actual_peer_addr) &&
+ con->actual_peer_addr.nonce == con->peer_addr.nonce)) {
+ pr_warn("wrong peer, want %s/%d, got %s/%d\n",
+ ceph_pr_addr(&con->peer_addr.in_addr),
+@@ -2066,13 +2063,13 @@ static int process_banner(struct ceph_connection *con)
+ /*
+ * did we learn our address?
+ */
+- if (addr_is_blank(&con->msgr->inst.addr.in_addr)) {
+- int port = addr_port(&con->msgr->inst.addr.in_addr);
++ if (addr_is_blank(&con->msgr->inst.addr)) {
++ int port = addr_port(&con->msgr->inst.addr);
+
+ memcpy(&con->msgr->inst.addr.in_addr,
+ &con->peer_addr_for_me.in_addr,
+ sizeof(con->peer_addr_for_me.in_addr));
+- addr_set_port(&con->msgr->inst.addr.in_addr, port);
++ addr_set_port(&con->msgr->inst.addr, port);
+ encode_my_addr(con->msgr);
+ dout("process_banner learned my addr is %s\n",
+ ceph_pr_addr(&con->msgr->inst.addr.in_addr));
+--
+2.40.1
+
--- /dev/null
+From 57582d427ff2c2dbb1ca581f90e9cdb61d029c05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Oct 2023 18:38:27 -0500
+Subject: libceph: use kernel_connect()
+
+From: Jordan Rife <jrife@google.com>
+
+[ Upstream commit 7563cf17dce0a875ba3d872acdc63a78ea344019 ]
+
+Direct calls to ops->connect() can overwrite the address parameter when
+used in conjunction with BPF SOCK_ADDR hooks. Recent changes to
+kernel_connect() ensure that callers are insulated from such side
+effects. This patch wraps the direct call to ops->connect() with
+kernel_connect() to prevent unexpected changes to the address passed to
+ceph_tcp_connect().
+
+This change was originally part of a larger patch targeting the net tree
+addressing all instances of unprotected calls to ops->connect()
+throughout the kernel, but this change was split up into several patches
+targeting various trees.
+
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/netdev/20230821100007.559638-1-jrife@google.com/
+Link: https://lore.kernel.org/netdev/9944248dba1bce861375fcce9de663934d933ba9.camel@redhat.com/
+Fixes: d74bad4e74ee ("bpf: Hooks for sys_connect")
+Signed-off-by: Jordan Rife <jrife@google.com>
+Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ceph/messenger.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
+index 53ab8fc713a3e..7fd18e10755ec 100644
+--- a/net/ceph/messenger.c
++++ b/net/ceph/messenger.c
+@@ -487,8 +487,8 @@ static int ceph_tcp_connect(struct ceph_connection *con)
+ dout("connect %s\n", ceph_pr_addr(&con->peer_addr.in_addr));
+
+ con_sock_state_connecting(con);
+- ret = sock->ops->connect(sock, (struct sockaddr *)&ss, sizeof(ss),
+- O_NONBLOCK);
++ ret = kernel_connect(sock, (struct sockaddr *)&ss, sizeof(ss),
++ O_NONBLOCK);
+ if (ret == -EINPROGRESS) {
+ dout("connect %s EINPROGRESS sk_state = %u\n",
+ ceph_pr_addr(&con->peer_addr.in_addr),
+--
+2.40.1
+
--- /dev/null
+From d6ff80289f2932a8746a7efe60a20e98e8006b07 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Sep 2023 09:33:12 -0400
+Subject: overlayfs: set ctime when setting mtime and atime
+
+From: Jeff Layton <jlayton@kernel.org>
+
+[ Upstream commit 03dbab3bba5f009d053635c729d1244f2c8bad38 ]
+
+Nathan reported that he was seeing the new warning in
+setattr_copy_mgtime pop when starting podman containers. Overlayfs is
+trying to set the atime and mtime via notify_change without also
+setting the ctime.
+
+POSIX states that when the atime and mtime are updated via utimes() that
+we must also update the ctime to the current time. The situation with
+overlayfs copy-up is analogies, so add ATTR_CTIME to the bitmask.
+notify_change will fill in the value.
+
+Reported-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Tested-by: Nathan Chancellor <nathan@kernel.org>
+Acked-by: Christian Brauner <brauner@kernel.org>
+Acked-by: Amir Goldstein <amir73il@gmail.com>
+Message-Id: <20230913-ctime-v1-1-c6bc509cbc27@kernel.org>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/overlayfs/copy_up.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
+index 3d7a700350c1d..debcac35a51dc 100644
+--- a/fs/overlayfs/copy_up.c
++++ b/fs/overlayfs/copy_up.c
+@@ -195,7 +195,7 @@ static int ovl_set_timestamps(struct dentry *upperdentry, struct kstat *stat)
+ {
+ struct iattr attr = {
+ .ia_valid =
+- ATTR_ATIME | ATTR_MTIME | ATTR_ATIME_SET | ATTR_MTIME_SET,
++ ATTR_ATIME | ATTR_MTIME | ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_CTIME,
+ .ia_atime = stat->atime,
+ .ia_mtime = stat->mtime,
+ };
+--
+2.40.1
+
net-sched-sch_hfsc-upgrade-rt-to-sc-when-it-becomes-a-inner-curve.patch
netfilter-nft_set_rbtree-.deactivate-fails-if-element-has-expired.patch
net-pktgen-fix-interface-flags-printing.patch
+libceph-fix-unaligned-accesses-in-ceph_entity_addr-h.patch
+libceph-use-kernel_connect.patch
+arm-dts-ti-omap-fix-noisy-serial-with-overrun-thrott.patch
+btrfs-return-euclean-for-delayed-tree-ref-with-a-ref.patch
+btrfs-initialize-start_slot-in-btrfs_log_prealloc_ex.patch
+i2c-mux-avoid-potential-false-error-message-in-i2c_m.patch
+overlayfs-set-ctime-when-setting-mtime-and-atime.patch
+gpio-timberdale-fix-potential-deadlock-on-tgpio-lock.patch
+ata-libata-eh-fix-compilation-warning-in-ata_eh_link.patch
+tracing-relax-trace_event_eval_update-execution-with.patch
+hid-holtek-fix-slab-out-of-bounds-write-in-holtek_kb.patch
+bluetooth-avoid-redundant-authentication.patch
+bluetooth-hci_core-fix-build-warnings.patch
+wifi-mac80211-allow-transmitting-eapol-frames-with-t.patch
+wifi-cfg80211-avoid-leaking-stack-data-into-trace.patch
+sky2-make-sure-there-is-at-least-one-frag_addr-avail.patch
+drm-panel-orientation-quirks-add-quirk-for-one-mix-2.patch
+btrfs-fix-some-wmaybe-uninitialized-warnings-in-ioct.patch
+bluetooth-hci_event-fix-using-memcmp-when-comparing-.patch
--- /dev/null
+From 5c24319845276d49b900934eba5ee38990699c6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Sep 2023 09:50:39 -0700
+Subject: sky2: Make sure there is at least one frag_addr available
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 6a70e5cbedaf8ad10528ac9ac114f3ec20f422df ]
+
+In the pathological case of building sky2 with 16k PAGE_SIZE, the
+frag_addr[] array would never be used, so the original code was correct
+that size should be 0. But the compiler now gets upset with 0 size arrays
+in places where it hasn't eliminated the code that might access such an
+array (it can't figure out that in this case an rx skb with fragments
+would never be created). To keep the compiler happy, make sure there is
+at least 1 frag_addr in struct rx_ring_info:
+
+ In file included from include/linux/skbuff.h:28,
+ from include/net/net_namespace.h:43,
+ from include/linux/netdevice.h:38,
+ from drivers/net/ethernet/marvell/sky2.c:18:
+ drivers/net/ethernet/marvell/sky2.c: In function 'sky2_rx_unmap_skb':
+ include/linux/dma-mapping.h:416:36: warning: array subscript i is outside array bounds of 'dma_addr_t[0]' {aka 'long long unsigned int[]'} [-Warray-bounds=]
+ 416 | #define dma_unmap_page(d, a, s, r) dma_unmap_page_attrs(d, a, s, r, 0)
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ drivers/net/ethernet/marvell/sky2.c:1257:17: note: in expansion of macro 'dma_unmap_page'
+ 1257 | dma_unmap_page(&pdev->dev, re->frag_addr[i],
+ | ^~~~~~~~~~~~~~
+ In file included from drivers/net/ethernet/marvell/sky2.c:41:
+ drivers/net/ethernet/marvell/sky2.h:2198:25: note: while referencing 'frag_addr'
+ 2198 | dma_addr_t frag_addr[ETH_JUMBO_MTU >> PAGE_SHIFT];
+ | ^~~~~~~~~
+
+With CONFIG_PAGE_SIZE_16KB=y, PAGE_SHIFT == 14, so:
+
+ #define ETH_JUMBO_MTU 9000
+
+causes "ETH_JUMBO_MTU >> PAGE_SHIFT" to be 0. Use "?: 1" to solve this build warning.
+
+Cc: Mirko Lindner <mlindner@marvell.com>
+Cc: Stephen Hemminger <stephen@networkplumber.org>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: netdev@vger.kernel.org
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202309191958.UBw1cjXk-lkp@intel.com/
+Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/marvell/sky2.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/sky2.h b/drivers/net/ethernet/marvell/sky2.h
+index b02b6523083ce..99451585a45f2 100644
+--- a/drivers/net/ethernet/marvell/sky2.h
++++ b/drivers/net/ethernet/marvell/sky2.h
+@@ -2201,7 +2201,7 @@ struct rx_ring_info {
+ struct sk_buff *skb;
+ dma_addr_t data_addr;
+ DEFINE_DMA_UNMAP_LEN(data_size);
+- dma_addr_t frag_addr[ETH_JUMBO_MTU >> PAGE_SHIFT];
++ dma_addr_t frag_addr[ETH_JUMBO_MTU >> PAGE_SHIFT ?: 1];
+ };
+
+ enum flow_control {
+--
+2.40.1
+
--- /dev/null
+From 280e98774fd8be4d19feba643f309b883937ce5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Sep 2023 21:16:37 +0200
+Subject: tracing: relax trace_event_eval_update() execution with
+ cond_resched()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Clément Léger <cleger@rivosinc.com>
+
+[ Upstream commit 23cce5f25491968b23fb9c399bbfb25f13870cd9 ]
+
+When kernel is compiled without preemption, the eval_map_work_func()
+(which calls trace_event_eval_update()) will not be preempted up to its
+complete execution. This can actually cause a problem since if another
+CPU call stop_machine(), the call will have to wait for the
+eval_map_work_func() function to finish executing in the workqueue
+before being able to be scheduled. This problem was observe on a SMP
+system at boot time, when the CPU calling the initcalls executed
+clocksource_done_booting() which in the end calls stop_machine(). We
+observed a 1 second delay because one CPU was executing
+eval_map_work_func() and was not preempted by the stop_machine() task.
+
+Adding a call to cond_resched() in trace_event_eval_update() allows
+other tasks to be executed and thus continue working asynchronously
+like before without blocking any pending task at boot time.
+
+Link: https://lore.kernel.org/linux-trace-kernel/20230929191637.416931-1-cleger@rivosinc.com
+
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Clément Léger <cleger@rivosinc.com>
+Tested-by: Atish Patra <atishp@rivosinc.com>
+Reviewed-by: Atish Patra <atishp@rivosinc.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_events.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
+index a3dc6c126b3ee..ed39d3ec202e6 100644
+--- a/kernel/trace/trace_events.c
++++ b/kernel/trace/trace_events.c
+@@ -2242,6 +2242,7 @@ void trace_event_eval_update(struct trace_eval_map **map, int len)
+ update_event_printk(call, map[i]);
+ }
+ }
++ cond_resched();
+ }
+ up_write(&trace_event_sem);
+ }
+--
+2.40.1
+
--- /dev/null
+From 7d0948441adf4bbdaea4209403a25db77161291d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Sep 2023 17:18:56 +0200
+Subject: wifi: cfg80211: avoid leaking stack data into trace
+
+From: Benjamin Berg <benjamin.berg@intel.com>
+
+[ Upstream commit 334bf33eec5701a1e4e967bcb7cc8611a998334b ]
+
+If the structure is not initialized then boolean types might be copied
+into the tracing data without being initialised. This causes data from
+the stack to leak into the trace and also triggers a UBSAN failure which
+can easily be avoided here.
+
+Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
+Link: https://lore.kernel.org/r/20230925171855.a9271ef53b05.I8180bae663984c91a3e036b87f36a640ba409817@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/nl80211.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 534f57363f4ae..e33c1175b1582 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -6504,7 +6504,7 @@ static int nl80211_update_mesh_config(struct sk_buff *skb,
+ struct cfg80211_registered_device *rdev = info->user_ptr[0];
+ struct net_device *dev = info->user_ptr[1];
+ struct wireless_dev *wdev = dev->ieee80211_ptr;
+- struct mesh_config cfg;
++ struct mesh_config cfg = {};
+ u32 mask;
+ int err;
+
+--
+2.40.1
+
--- /dev/null
+From d14754e36b9b9ee228390b59994b0c4b54dd4fd3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Aug 2023 02:47:51 -0400
+Subject: wifi: mac80211: allow transmitting EAPOL frames with tainted key
+
+From: Wen Gong <quic_wgong@quicinc.com>
+
+[ Upstream commit 61304336c67358d49a989e5e0060d8c99bad6ca8 ]
+
+Lower layer device driver stop/wake TX by calling ieee80211_stop_queue()/
+ieee80211_wake_queue() while hw scan. Sometimes hw scan and PTK rekey are
+running in parallel, when M4 sent from wpa_supplicant arrive while the TX
+queue is stopped, then the M4 will pending send, and then new key install
+from wpa_supplicant. After TX queue wake up by lower layer device driver,
+the M4 will be dropped by below call stack.
+
+When key install started, the current key flag is set KEY_FLAG_TAINTED in
+ieee80211_pairwise_rekey(), and then mac80211 wait key install complete by
+lower layer device driver. Meanwhile ieee80211_tx_h_select_key() will return
+TX_DROP for the M4 in step 12 below, and then ieee80211_free_txskb() called
+by ieee80211_tx_dequeue(), so the M4 will not send and free, then the rekey
+process failed becaue AP not receive M4. Please see details in steps below.
+
+There are a interval between KEY_FLAG_TAINTED set for current key flag and
+install key complete by lower layer device driver, the KEY_FLAG_TAINTED is
+set in this interval, all packet including M4 will be dropped in this
+interval, the interval is step 8~13 as below.
+
+issue steps:
+ TX thread install key thread
+1. stop_queue -idle-
+2. sending M4 -idle-
+3. M4 pending -idle-
+4. -idle- starting install key from wpa_supplicant
+5. -idle- =>ieee80211_key_replace()
+6. -idle- =>ieee80211_pairwise_rekey() and set
+ currently key->flags |= KEY_FLAG_TAINTED
+7. -idle- =>ieee80211_key_enable_hw_accel()
+8. -idle- =>drv_set_key() and waiting key install
+ complete from lower layer device driver
+9. wake_queue -waiting state-
+10. re-sending M4 -waiting state-
+11. =>ieee80211_tx_h_select_key() -waiting state-
+12. drop M4 by KEY_FLAG_TAINTED -waiting state-
+13. -idle- install key complete with success/fail
+ success: clear flag KEY_FLAG_TAINTED
+ fail: start disconnect
+
+Hence add check in step 11 above to allow the EAPOL send out in the
+interval. If lower layer device driver use the old key/cipher to encrypt
+the M4, then AP received/decrypt M4 correctly, after M4 send out, lower
+layer device driver install the new key/cipher to hardware and return
+success.
+
+If lower layer device driver use new key/cipher to send the M4, then AP
+will/should drop the M4, then it is same result with this issue, AP will/
+should kick out station as well as this issue.
+
+issue log:
+kworker/u16:4-5238 [000] 6456.108926: stop_queue: phy1 queue:0, reason:0
+wpa_supplicant-961 [003] 6456.119737: rdev_tx_control_port: wiphy_name=phy1 name=wlan0 ifindex=6 dest=ARRAY[9e, 05, 31, 20, 9b, d0] proto=36488 unencrypted=0
+wpa_supplicant-961 [003] 6456.119839: rdev_return_int_cookie: phy1, returned 0, cookie: 504
+wpa_supplicant-961 [003] 6456.120287: rdev_add_key: phy1, netdev:wlan0(6), key_index: 0, mode: 0, pairwise: true, mac addr: 9e:05:31:20:9b:d0
+wpa_supplicant-961 [003] 6456.120453: drv_set_key: phy1 vif:wlan0(2) sta:9e:05:31:20:9b:d0 cipher:0xfac04, flags=0x9, keyidx=0, hw_key_idx=0
+kworker/u16:9-3829 [001] 6456.168240: wake_queue: phy1 queue:0, reason:0
+kworker/u16:9-3829 [001] 6456.168255: drv_wake_tx_queue: phy1 vif:wlan0(2) sta:9e:05:31:20:9b:d0 ac:0 tid:7
+kworker/u16:9-3829 [001] 6456.168305: cfg80211_control_port_tx_status: wdev(1), cookie: 504, ack: false
+wpa_supplicant-961 [003] 6459.167982: drv_return_int: phy1 - -110
+
+issue call stack:
+nl80211_frame_tx_status+0x230/0x340 [cfg80211]
+cfg80211_control_port_tx_status+0x1c/0x28 [cfg80211]
+ieee80211_report_used_skb+0x374/0x3e8 [mac80211]
+ieee80211_free_txskb+0x24/0x40 [mac80211]
+ieee80211_tx_dequeue+0x644/0x954 [mac80211]
+ath10k_mac_tx_push_txq+0xac/0x238 [ath10k_core]
+ath10k_mac_op_wake_tx_queue+0xac/0xe0 [ath10k_core]
+drv_wake_tx_queue+0x80/0x168 [mac80211]
+__ieee80211_wake_txqs+0xe8/0x1c8 [mac80211]
+_ieee80211_wake_txqs+0xb4/0x120 [mac80211]
+ieee80211_wake_txqs+0x48/0x80 [mac80211]
+tasklet_action_common+0xa8/0x254
+tasklet_action+0x2c/0x38
+__do_softirq+0xdc/0x384
+
+Signed-off-by: Wen Gong <quic_wgong@quicinc.com>
+Link: https://lore.kernel.org/r/20230801064751.25803-1-quic_wgong@quicinc.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index 74045e927e044..3a0aadf881fc9 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -654,7 +654,8 @@ ieee80211_tx_h_select_key(struct ieee80211_tx_data *tx)
+ }
+
+ if (unlikely(tx->key && tx->key->flags & KEY_FLAG_TAINTED &&
+- !ieee80211_is_deauth(hdr->frame_control)))
++ !ieee80211_is_deauth(hdr->frame_control)) &&
++ tx->skb->protocol != tx->sdata->control_port_protocol)
+ return TX_DROP;
+
+ if (!skip_hw && tx->key &&
+--
+2.40.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
