Fixes for 5.15

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-5.15/afs-fix-__afs_break_callback-afs_drop_open_mmap-race.patch b/queue-5.15/afs-fix-__afs_break_callback-afs_drop_open_mmap-race.patch
new file mode 100644 (file)
index 0000000..cf56767
--- /dev/null
+++ b/queue-5.15/afs-fix-__afs_break_callback-afs_drop_open_mmap-race.patch
@@ -0,0 +1,57 @@
+From 0164c21a453f20a4f1b241b85977373627c35038 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Sep 2023 20:24:34 -0400
+Subject: afs: fix __afs_break_callback() / afs_drop_open_mmap() race
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 275655d3207b9e65d1561bf21c06a622d9ec1d43 ]
+
+In __afs_break_callback() we might check ->cb_nr_mmap and if it's non-zero
+do queue_work(&vnode->cb_work).  In afs_drop_open_mmap() we decrement
+->cb_nr_mmap and do flush_work(&vnode->cb_work) if it reaches zero.
+
+The trouble is, there's nothing to prevent __afs_break_callback() from
+seeing ->cb_nr_mmap before the decrement and do queue_work() after both
+the decrement and flush_work().  If that happens, we might be in trouble -
+vnode might get freed before the queued work runs.
+
+__afs_break_callback() is always done under ->cb_lock, so let's make
+sure that ->cb_nr_mmap can change from non-zero to zero while holding
+->cb_lock (the spinlock component of it - it's a seqlock and we don't
+need to mess with the counter).
+
+Acked-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/file.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/fs/afs/file.c b/fs/afs/file.c
+index b165377179c3c..6774e1fcf7c5c 100644
+--- a/fs/afs/file.c
++++ b/fs/afs/file.c
+@@ -512,13 +512,17 @@ static void afs_add_open_mmap(struct afs_vnode *vnode)
+ 
+ static void afs_drop_open_mmap(struct afs_vnode *vnode)
+ {
+-      if (!atomic_dec_and_test(&vnode->cb_nr_mmap))
++      if (atomic_add_unless(&vnode->cb_nr_mmap, -1, 1))
+               return;
+ 
+       down_write(&vnode->volume->cell->fs_open_mmaps_lock);
+ 
+-      if (atomic_read(&vnode->cb_nr_mmap) == 0)
++      read_seqlock_excl(&vnode->cb_lock);
++      // the only place where ->cb_nr_mmap may hit 0
++      // see __afs_break_callback() for the other side...
++      if (atomic_dec_and_test(&vnode->cb_nr_mmap))
+               list_del_init(&vnode->cb_mmap_link);
++      read_sequnlock_excl(&vnode->cb_lock);
+ 
+       up_write(&vnode->volume->cell->fs_open_mmaps_lock);
+       flush_work(&vnode->cb_work);
+-- 
+2.43.0
+

diff --git a/queue-5.15/bluetooth-bnep-fix-out-of-bound-access.patch b/queue-5.15/bluetooth-bnep-fix-out-of-bound-access.patch
new file mode 100644 (file)
index 0000000..0ff207c
--- /dev/null
+++ b/queue-5.15/bluetooth-bnep-fix-out-of-bound-access.patch
@@ -0,0 +1,38 @@
+From 65601c313afadfe32caee789c1bc76029ef9fa0b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Feb 2024 12:11:08 -0500
+Subject: Bluetooth: bnep: Fix out-of-bound access
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 0f0639b4d6f649338ce29c62da3ec0787fa08cd1 ]
+
+This fixes attempting to access past ethhdr.h_source, although it seems
+intentional to copy also the contents of h_proto this triggers
+out-of-bound access problems with the likes of static analyzer, so this
+instead just copy ETH_ALEN and then proceed to use put_unaligned to copy
+h_proto separetely.
+
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/bnep/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
+index a796d72c7dbaa..8bb6c8ad11313 100644
+--- a/net/bluetooth/bnep/core.c
++++ b/net/bluetooth/bnep/core.c
+@@ -385,7 +385,8 @@ static int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
+ 
+       case BNEP_COMPRESSED_DST_ONLY:
+               __skb_put_data(nskb, skb_mac_header(skb), ETH_ALEN);
+-              __skb_put_data(nskb, s->eh.h_source, ETH_ALEN + 2);
++              __skb_put_data(nskb, s->eh.h_source, ETH_ALEN);
++              put_unaligned(s->eh.h_proto, (__be16 *)__skb_put(nskb, 2));
+               break;
+ 
+       case BNEP_GENERAL:
+-- 
+2.43.0
+

diff --git a/queue-5.15/btrfs-change-bug_on-to-assertion-in-tree_move_down.patch b/queue-5.15/btrfs-change-bug_on-to-assertion-in-tree_move_down.patch
new file mode 100644 (file)
index 0000000..17566c3
--- /dev/null
+++ b/queue-5.15/btrfs-change-bug_on-to-assertion-in-tree_move_down.patch
@@ -0,0 +1,35 @@
+From 19b7f68b3d5bd999ef91d57b449a9416d46b42a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Feb 2024 23:06:46 +0100
+Subject: btrfs: change BUG_ON to assertion in tree_move_down()
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit 56f335e043ae73c32dbb70ba95488845dc0f1e6e ]
+
+There's only one caller of tree_move_down() that does not pass level 0
+so the assertion is better suited here.
+
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/send.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
+index 27a33dfa93212..577980b33aeb7 100644
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -6882,8 +6882,8 @@ static int tree_move_down(struct btrfs_path *path, int *level, u64 reada_min_gen
+       u64 reada_done = 0;
+ 
+       lockdep_assert_held_read(&parent->fs_info->commit_root_sem);
++      ASSERT(*level != 0);
+ 
+-      BUG_ON(*level == 0);
+       eb = btrfs_read_node_slot(parent, slot);
+       if (IS_ERR(eb))
+               return PTR_ERR(eb);
+-- 
+2.43.0
+

diff --git a/queue-5.15/btrfs-change-bug_on-to-assertion-when-checking-for-d.patch b/queue-5.15/btrfs-change-bug_on-to-assertion-when-checking-for-d.patch
new file mode 100644 (file)
index 0000000..5094d06
--- /dev/null
+++ b/queue-5.15/btrfs-change-bug_on-to-assertion-when-checking-for-d.patch
@@ -0,0 +1,36 @@
+From f686cc5b0c4c67295013055419fec8f744b3e6cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Jan 2024 02:26:32 +0100
+Subject: btrfs: change BUG_ON to assertion when checking for delayed_node root
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit be73f4448b607e6b7ce41cd8ef2214fdf6e7986f ]
+
+The pointer to root is initialized in btrfs_init_delayed_node(), no need
+to check for it again. Change the BUG_ON to assertion.
+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/delayed-inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
+index 8d8b455992362..fa4a5053ca89a 100644
+--- a/fs/btrfs/delayed-inode.c
++++ b/fs/btrfs/delayed-inode.c
+@@ -901,7 +901,7 @@ static void btrfs_release_delayed_inode(struct btrfs_delayed_node *delayed_node)
+ 
+       if (delayed_node &&
+           test_bit(BTRFS_DELAYED_NODE_INODE_DIRTY, &delayed_node->flags)) {
+-              BUG_ON(!delayed_node->root);
++              ASSERT(delayed_node->root);
+               clear_bit(BTRFS_DELAYED_NODE_INODE_DIRTY, &delayed_node->flags);
+               delayed_node->count--;
+ 
+-- 
+2.43.0
+

diff --git a/queue-5.15/btrfs-delete-pointless-bug_on-check-on-quota-root-in.patch b/queue-5.15/btrfs-delete-pointless-bug_on-check-on-quota-root-in.patch
new file mode 100644 (file)
index 0000000..4dada43
--- /dev/null
+++ b/queue-5.15/btrfs-delete-pointless-bug_on-check-on-quota-root-in.patch
@@ -0,0 +1,40 @@
+From 7dde506ebc4a98e3ddc894d4d0314efd06a9c325 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Feb 2024 23:20:53 +0100
+Subject: btrfs: delete pointless BUG_ON check on quota root in
+ btrfs_qgroup_account_extent()
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit f40a3ea94881f668084f68f6b9931486b1606db0 ]
+
+The BUG_ON is deep in the qgroup code where we can expect that it
+exists. A NULL pointer would cause a crash.
+
+It was added long ago in 550d7a2ed5db35 ("btrfs: qgroup: Add new qgroup
+calculation function btrfs_qgroup_account_extents()."). It maybe made
+sense back then as the quota enable/disable state machine was not that
+robust as it is nowadays, so we can just delete it.
+
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/qgroup.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
+index 1f5ab51e18dc4..a4908fd31ccc3 100644
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -2648,8 +2648,6 @@ int btrfs_qgroup_account_extent(struct btrfs_trans_handle *trans, u64 bytenr,
+       if (nr_old_roots == 0 && nr_new_roots == 0)
+               goto out_free;
+ 
+-      BUG_ON(!fs_info->quota_root);
+-
+       trace_btrfs_qgroup_account_extent(fs_info, trans->transid, bytenr,
+                                       num_bytes, nr_old_roots, nr_new_roots);
+ 
+-- 
+2.43.0
+

diff --git a/queue-5.15/btrfs-handle-invalid-root-reference-found-in-may_des.patch b/queue-5.15/btrfs-handle-invalid-root-reference-found-in-may_des.patch
new file mode 100644 (file)
index 0000000..c5e23c5
--- /dev/null
+++ b/queue-5.15/btrfs-handle-invalid-root-reference-found-in-may_des.patch
@@ -0,0 +1,42 @@
+From c855bb06f6ed2d3a0b5fe0a0d3e4afd610b961a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jan 2024 22:58:01 +0100
+Subject: btrfs: handle invalid root reference found in may_destroy_subvol()
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit 6fbc6f4ac1f4907da4fc674251527e7dc79ffbf6 ]
+
+The may_destroy_subvol() looks up a root by a key, allowing to do an
+inexact search when key->offset is -1.  It's never expected to find such
+item, as it would break the allowed range of a root id.
+
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/inode.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index 07c6ab4ba0d43..66b56ddf3f4cc 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -4411,7 +4411,14 @@ static noinline int may_destroy_subvol(struct btrfs_root *root)
+       ret = btrfs_search_slot(NULL, fs_info->tree_root, &key, path, 0, 0);
+       if (ret < 0)
+               goto out;
+-      BUG_ON(ret == 0);
++      if (ret == 0) {
++              /*
++               * Key with offset -1 found, there would have to exist a root
++               * with such id, but this is out of valid range.
++               */
++              ret = -EUCLEAN;
++              goto out;
++      }
+ 
+       ret = 0;
+       if (path->slots[0] > 0) {
+-- 
+2.43.0
+

diff --git a/queue-5.15/btrfs-send-handle-unexpected-data-in-header-buffer-i.patch b/queue-5.15/btrfs-send-handle-unexpected-data-in-header-buffer-i.patch
new file mode 100644 (file)
index 0000000..e6f7ff1
--- /dev/null
+++ b/queue-5.15/btrfs-send-handle-unexpected-data-in-header-buffer-i.patch
@@ -0,0 +1,40 @@
+From a905d39693962c54cbb714c1b8f92ad38410700b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Feb 2024 22:47:13 +0100
+Subject: btrfs: send: handle unexpected data in header buffer in begin_cmd()
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit e80e3f732cf53c64b0d811e1581470d67f6c3228 ]
+
+Change BUG_ON to a proper error handling in the unlikely case of seeing
+data when the command is started. This is supposed to be reset when the
+command is finished (send_cmd, send_encoded_extent).
+
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/send.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
+index c2842e892e4ed..27a33dfa93212 100644
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -695,7 +695,12 @@ static int begin_cmd(struct send_ctx *sctx, int cmd)
+       if (WARN_ON(!sctx->send_buf))
+               return -EINVAL;
+ 
+-      BUG_ON(sctx->send_size);
++      if (unlikely(sctx->send_size != 0)) {
++              btrfs_err(sctx->send_root->fs_info,
++                        "send: command header buffer not empty cmd %d offset %llu",
++                        cmd, sctx->send_off);
++              return -EINVAL;
++      }
+ 
+       sctx->send_size += sizeof(*hdr);
+       hdr = (struct btrfs_cmd_header *)sctx->send_buf;
+-- 
+2.43.0
+

diff --git a/queue-5.15/clocksource-drivers-arm_global_timer-guard-against-d.patch b/queue-5.15/clocksource-drivers-arm_global_timer-guard-against-d.patch
new file mode 100644 (file)
index 0000000..9e60737
--- /dev/null
+++ b/queue-5.15/clocksource-drivers-arm_global_timer-guard-against-d.patch
@@ -0,0 +1,56 @@
+From 08bd45e344cc26eb5db0a34b3f05f3173ddd0dc6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Feb 2024 16:13:35 +0100
+Subject: clocksource/drivers/arm_global_timer: Guard against division by zero
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+[ Upstream commit e651f2fae33634175fae956d896277cf916f5d09 ]
+
+The result of the division of new_rate by gt_target_rate can be zero (if
+new_rate is smaller than gt_target_rate). Using that result as divisor
+without checking can result in a division by zero error. Guard against
+this by checking for a zero value earlier.
+While here, also change the psv variable to an unsigned long to make
+sure we don't overflow the datatype as all other types involved are also
+unsiged long.
+
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lore.kernel.org/r/20240225151336.2728533-3-martin.blumenstingl@googlemail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/arm_global_timer.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/clocksource/arm_global_timer.c b/drivers/clocksource/arm_global_timer.c
+index e1c773bb55359..22a58d35a41fa 100644
+--- a/drivers/clocksource/arm_global_timer.c
++++ b/drivers/clocksource/arm_global_timer.c
+@@ -290,18 +290,17 @@ static int gt_clk_rate_change_cb(struct notifier_block *nb,
+       switch (event) {
+       case PRE_RATE_CHANGE:
+       {
+-              int psv;
++              unsigned long psv;
+ 
+-              psv = DIV_ROUND_CLOSEST(ndata->new_rate,
+-                                      gt_target_rate);
+-
+-              if (abs(gt_target_rate - (ndata->new_rate / psv)) > MAX_F_ERR)
++              psv = DIV_ROUND_CLOSEST(ndata->new_rate, gt_target_rate);
++              if (!psv ||
++                  abs(gt_target_rate - (ndata->new_rate / psv)) > MAX_F_ERR)
+                       return NOTIFY_BAD;
+ 
+               psv--;
+ 
+               /* prescaler within legal range? */
+-              if (psv < 0 || psv > GT_CONTROL_PRESCALER_MAX)
++              if (psv > GT_CONTROL_PRESCALER_MAX)
+                       return NOTIFY_BAD;
+ 
+               /*
+-- 
+2.43.0
+

diff --git a/queue-5.15/clocksource-make-watchdog-and-suspend-timing-multipl.patch b/queue-5.15/clocksource-make-watchdog-and-suspend-timing-multipl.patch
new file mode 100644 (file)
index 0000000..27fe233
--- /dev/null
+++ b/queue-5.15/clocksource-make-watchdog-and-suspend-timing-multipl.patch
@@ -0,0 +1,143 @@
+From b6d7b374eb0672fc46c548cce29cbf26f5506fc7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Mar 2024 08:40:23 +0200
+Subject: clocksource: Make watchdog and suspend-timing multiplication overflow
+ safe
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+[ Upstream commit d0304569fb019d1bcfbbbce1ce6df6b96f04079b ]
+
+Kernel timekeeping is designed to keep the change in cycles (since the last
+timer interrupt) below max_cycles, which prevents multiplication overflow
+when converting cycles to nanoseconds. However, if timer interrupts stop,
+the clocksource_cyc2ns() calculation will eventually overflow.
+
+Add protection against that. Simplify by folding together
+clocksource_delta() and clocksource_cyc2ns() into cycles_to_nsec_safe().
+Check against max_cycles, falling back to a slower higher precision
+calculation.
+
+Suggested-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/r/20240325064023.2997-20-adrian.hunter@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/clocksource.c | 42 +++++++++++++++++++--------------------
+ 1 file changed, 20 insertions(+), 22 deletions(-)
+
+diff --git a/kernel/time/clocksource.c b/kernel/time/clocksource.c
+index 3ccb383741d08..5aa8eec89e781 100644
+--- a/kernel/time/clocksource.c
++++ b/kernel/time/clocksource.c
+@@ -20,6 +20,16 @@
+ #include "tick-internal.h"
+ #include "timekeeping_internal.h"
+ 
++static noinline u64 cycles_to_nsec_safe(struct clocksource *cs, u64 start, u64 end)
++{
++      u64 delta = clocksource_delta(end, start, cs->mask);
++
++      if (likely(delta < cs->max_cycles))
++              return clocksource_cyc2ns(delta, cs->mult, cs->shift);
++
++      return mul_u64_u32_shr(delta, cs->mult, cs->shift);
++}
++
+ /**
+  * clocks_calc_mult_shift - calculate mult/shift factors for scaled math of clocks
+  * @mult:     pointer to mult variable
+@@ -213,8 +223,8 @@ enum wd_read_status {
+ static enum wd_read_status cs_watchdog_read(struct clocksource *cs, u64 *csnow, u64 *wdnow)
+ {
+       unsigned int nretries, max_retries;
+-      u64 wd_end, wd_end2, wd_delta;
+       int64_t wd_delay, wd_seq_delay;
++      u64 wd_end, wd_end2;
+ 
+       max_retries = clocksource_get_max_watchdog_retry();
+       for (nretries = 0; nretries <= max_retries; nretries++) {
+@@ -225,9 +235,7 @@ static enum wd_read_status cs_watchdog_read(struct clocksource *cs, u64 *csnow,
+               wd_end2 = watchdog->read(watchdog);
+               local_irq_enable();
+ 
+-              wd_delta = clocksource_delta(wd_end, *wdnow, watchdog->mask);
+-              wd_delay = clocksource_cyc2ns(wd_delta, watchdog->mult,
+-                                            watchdog->shift);
++              wd_delay = cycles_to_nsec_safe(watchdog, *wdnow, wd_end);
+               if (wd_delay <= WATCHDOG_MAX_SKEW) {
+                       if (nretries > 1 && nretries >= max_retries) {
+                               pr_warn("timekeeping watchdog on CPU%d: %s retried %d times before success\n",
+@@ -245,8 +253,7 @@ static enum wd_read_status cs_watchdog_read(struct clocksource *cs, u64 *csnow,
+                * report system busy, reinit the watchdog and skip the current
+                * watchdog test.
+                */
+-              wd_delta = clocksource_delta(wd_end2, wd_end, watchdog->mask);
+-              wd_seq_delay = clocksource_cyc2ns(wd_delta, watchdog->mult, watchdog->shift);
++              wd_seq_delay = cycles_to_nsec_safe(watchdog, wd_end, wd_end2);
+               if (wd_seq_delay > WATCHDOG_MAX_SKEW/2)
+                       goto skip_test;
+       }
+@@ -357,8 +364,7 @@ void clocksource_verify_percpu(struct clocksource *cs)
+               delta = (csnow_end - csnow_mid) & cs->mask;
+               if (delta < 0)
+                       cpumask_set_cpu(cpu, &cpus_ahead);
+-              delta = clocksource_delta(csnow_end, csnow_begin, cs->mask);
+-              cs_nsec = clocksource_cyc2ns(delta, cs->mult, cs->shift);
++              cs_nsec = cycles_to_nsec_safe(cs, csnow_begin, csnow_end);
+               if (cs_nsec > cs_nsec_max)
+                       cs_nsec_max = cs_nsec;
+               if (cs_nsec < cs_nsec_min)
+@@ -389,8 +395,8 @@ static inline void clocksource_reset_watchdog(void)
+ 
+ static void clocksource_watchdog(struct timer_list *unused)
+ {
+-      u64 csnow, wdnow, cslast, wdlast, delta;
+       int64_t wd_nsec, cs_nsec, interval;
++      u64 csnow, wdnow, cslast, wdlast;
+       int next_cpu, reset_pending;
+       struct clocksource *cs;
+       enum wd_read_status read_ret;
+@@ -447,12 +453,8 @@ static void clocksource_watchdog(struct timer_list *unused)
+                       continue;
+               }
+ 
+-              delta = clocksource_delta(wdnow, cs->wd_last, watchdog->mask);
+-              wd_nsec = clocksource_cyc2ns(delta, watchdog->mult,
+-                                           watchdog->shift);
+-
+-              delta = clocksource_delta(csnow, cs->cs_last, cs->mask);
+-              cs_nsec = clocksource_cyc2ns(delta, cs->mult, cs->shift);
++              wd_nsec = cycles_to_nsec_safe(watchdog, cs->wd_last, wdnow);
++              cs_nsec = cycles_to_nsec_safe(cs, cs->cs_last, csnow);
+               wdlast = cs->wd_last; /* save these in case we print them */
+               cslast = cs->cs_last;
+               cs->cs_last = csnow;
+@@ -815,7 +817,7 @@ void clocksource_start_suspend_timing(struct clocksource *cs, u64 start_cycles)
+  */
+ u64 clocksource_stop_suspend_timing(struct clocksource *cs, u64 cycle_now)
+ {
+-      u64 now, delta, nsec = 0;
++      u64 now, nsec = 0;
+ 
+       if (!suspend_clocksource)
+               return 0;
+@@ -830,12 +832,8 @@ u64 clocksource_stop_suspend_timing(struct clocksource *cs, u64 cycle_now)
+       else
+               now = suspend_clocksource->read(suspend_clocksource);
+ 
+-      if (now > suspend_start) {
+-              delta = clocksource_delta(now, suspend_start,
+-                                        suspend_clocksource->mask);
+-              nsec = mul_u64_u32_shr(delta, suspend_clocksource->mult,
+-                                     suspend_clocksource->shift);
+-      }
++      if (now > suspend_start)
++              nsec = cycles_to_nsec_safe(suspend_clocksource, suspend_start, now);
+ 
+       /*
+        * Disable the suspend timer to save power if current clocksource is
+-- 
+2.43.0
+

diff --git a/queue-5.15/drm-lima-set-gp-bus_stop-bit-before-hard-reset.patch b/queue-5.15/drm-lima-set-gp-bus_stop-bit-before-hard-reset.patch
new file mode 100644 (file)
index 0000000..3da8d63
--- /dev/null
+++ b/queue-5.15/drm-lima-set-gp-bus_stop-bit-before-hard-reset.patch
@@ -0,0 +1,55 @@
+From 9d0b8e6ad234be076006fb8024e0cf63c80f1c4d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jan 2024 03:59:43 +0100
+Subject: drm/lima: set gp bus_stop bit before hard reset
+
+From: Erico Nunes <nunes.erico@gmail.com>
+
+[ Upstream commit 27aa58ec85f973d98d336df7b7941149308db80f ]
+
+This is required for reliable hard resets. Otherwise, doing a hard reset
+while a task is still running (such as a task which is being stopped by
+the drm_sched timeout handler) may result in random mmu write timeouts
+or lockups which cause the entire gpu to hang.
+
+Signed-off-by: Erico Nunes <nunes.erico@gmail.com>
+Signed-off-by: Qiang Yu <yuq825@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240124025947.2110659-5-nunes.erico@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/lima/lima_gp.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/gpu/drm/lima/lima_gp.c b/drivers/gpu/drm/lima/lima_gp.c
+index ca3842f719842..82071835ec9ed 100644
+--- a/drivers/gpu/drm/lima/lima_gp.c
++++ b/drivers/gpu/drm/lima/lima_gp.c
+@@ -166,6 +166,11 @@ static void lima_gp_task_run(struct lima_sched_pipe *pipe,
+       gp_write(LIMA_GP_CMD, cmd);
+ }
+ 
++static int lima_gp_bus_stop_poll(struct lima_ip *ip)
++{
++      return !!(gp_read(LIMA_GP_STATUS) & LIMA_GP_STATUS_BUS_STOPPED);
++}
++
+ static int lima_gp_hard_reset_poll(struct lima_ip *ip)
+ {
+       gp_write(LIMA_GP_PERF_CNT_0_LIMIT, 0xC01A0000);
+@@ -179,6 +184,13 @@ static int lima_gp_hard_reset(struct lima_ip *ip)
+ 
+       gp_write(LIMA_GP_PERF_CNT_0_LIMIT, 0xC0FFE000);
+       gp_write(LIMA_GP_INT_MASK, 0);
++
++      gp_write(LIMA_GP_CMD, LIMA_GP_CMD_STOP_BUS);
++      ret = lima_poll_timeout(ip, lima_gp_bus_stop_poll, 10, 100);
++      if (ret) {
++              dev_err(dev->dev, "%s bus stop timeout\n", lima_ip_name(ip));
++              return ret;
++      }
+       gp_write(LIMA_GP_CMD, LIMA_GP_CMD_RESET);
+       ret = lima_poll_timeout(ip, lima_gp_hard_reset_poll, 10, 100);
+       if (ret) {
+-- 
+2.43.0
+

diff --git a/queue-5.15/ext4-do-not-trim-the-group-with-corrupted-block-bitm.patch b/queue-5.15/ext4-do-not-trim-the-group-with-corrupted-block-bitm.patch
new file mode 100644 (file)
index 0000000..e75663c
--- /dev/null
+++ b/queue-5.15/ext4-do-not-trim-the-group-with-corrupted-block-bitm.patch
@@ -0,0 +1,38 @@
+From 7283c987396e3defb44b3dfd9562b75aaf88a688 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jan 2024 22:20:34 +0800
+Subject: ext4: do not trim the group with corrupted block bitmap
+
+From: Baokun Li <libaokun1@huawei.com>
+
+[ Upstream commit 172202152a125955367393956acf5f4ffd092e0d ]
+
+Otherwise operating on an incorrupted block bitmap can lead to all sorts
+of unknown problems.
+
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20240104142040.2835097-3-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/mballoc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
+index 630a5e5a380e2..a48c9cc5aa6e8 100644
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -6496,6 +6496,9 @@ __releases(ext4_group_lock_ptr(sb, e4b->bd_group))
+       bool set_trimmed = false;
+       void *bitmap;
+ 
++      if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info)))
++              return 0;
++
+       last = ext4_last_grp_cluster(sb, e4b->bd_group);
+       bitmap = e4b->bd_bitmap;
+       if (start == 0 && max >= last)
+-- 
+2.43.0
+

diff --git a/queue-5.15/ext4-set-the-type-of-max_zeroout-to-unsigned-int-to-.patch b/queue-5.15/ext4-set-the-type-of-max_zeroout-to-unsigned-int-to-.patch
new file mode 100644 (file)
index 0000000..292284b
--- /dev/null
+++ b/queue-5.15/ext4-set-the-type-of-max_zeroout-to-unsigned-int-to-.patch
@@ -0,0 +1,42 @@
+From 6ad1b4f25f9f761710a8bf6704fdeb7c531f7f22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Mar 2024 19:33:24 +0800
+Subject: ext4: set the type of max_zeroout to unsigned int to avoid overflow
+
+From: Baokun Li <libaokun1@huawei.com>
+
+[ Upstream commit 261341a932d9244cbcd372a3659428c8723e5a49 ]
+
+The max_zeroout is of type int and the s_extent_max_zeroout_kb is of
+type uint, and the s_extent_max_zeroout_kb can be freely modified via
+the sysfs interface. When the block size is 1024, max_zeroout may
+overflow, so declare it as unsigned int to avoid overflow.
+
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20240319113325.3110393-9-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/extents.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index 6c41bf322315c..a3869e9c71b91 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -3404,9 +3404,10 @@ static int ext4_ext_convert_to_initialized(handle_t *handle,
+       struct ext4_extent *ex, *abut_ex;
+       ext4_lblk_t ee_block, eof_block;
+       unsigned int ee_len, depth, map_len = map->m_len;
+-      int allocated = 0, max_zeroout = 0;
+       int err = 0;
+       int split_flag = EXT4_EXT_DATA_VALID2;
++      int allocated = 0;
++      unsigned int max_zeroout = 0;
+ 
+       ext_debug(inode, "logical block %llu, max_blocks %u\n",
+                 (unsigned long long)map->m_lblk, map_len);
+-- 
+2.43.0
+

diff --git a/queue-5.15/f2fs-fix-to-do-sanity-check-in-update_sit_entry.patch b/queue-5.15/f2fs-fix-to-do-sanity-check-in-update_sit_entry.patch
new file mode 100644 (file)
index 0000000..28e787a
--- /dev/null
+++ b/queue-5.15/f2fs-fix-to-do-sanity-check-in-update_sit_entry.patch
@@ -0,0 +1,50 @@
+From e16102d6a0537f98760eb60df3c51b05ad7a64b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Feb 2024 19:59:54 +0800
+Subject: f2fs: fix to do sanity check in update_sit_entry
+
+From: Zhiguo Niu <zhiguo.niu@unisoc.com>
+
+[ Upstream commit 36959d18c3cf09b3c12157c6950e18652067de77 ]
+
+If GET_SEGNO return NULL_SEGNO for some unecpected case,
+update_sit_entry will access invalid memory address,
+cause system crash. It is better to do sanity check about
+GET_SEGNO just like update_segment_mtime & locate_dirty_segment.
+
+Also remove some redundant judgment code.
+
+Signed-off-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/segment.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
+index 1c69dc91c3292..dc33b4e5c07b8 100644
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -2269,6 +2269,8 @@ static void update_sit_entry(struct f2fs_sb_info *sbi, block_t blkaddr, int del)
+ #endif
+ 
+       segno = GET_SEGNO(sbi, blkaddr);
++      if (segno == NULL_SEGNO)
++              return;
+ 
+       se = get_seg_entry(sbi, segno);
+       new_vblocks = se->valid_blocks + del;
+@@ -3443,8 +3445,7 @@ void f2fs_allocate_data_block(struct f2fs_sb_info *sbi, struct page *page,
+        * since SSR needs latest valid block information.
+        */
+       update_sit_entry(sbi, *new_blkaddr, 1);
+-      if (GET_SEGNO(sbi, old_blkaddr) != NULL_SEGNO)
+-              update_sit_entry(sbi, old_blkaddr, -1);
++      update_sit_entry(sbi, old_blkaddr, -1);
+ 
+       if (!__has_curseg_space(sbi, curseg)) {
+               if (from_gc)
+-- 
+2.43.0
+

diff --git a/queue-5.15/fbdev-offb-replace-of_node_put-with-__free-device_no.patch b/queue-5.15/fbdev-offb-replace-of_node_put-with-__free-device_no.patch
new file mode 100644 (file)
index 0000000..a58591d
--- /dev/null
+++ b/queue-5.15/fbdev-offb-replace-of_node_put-with-__free-device_no.patch
@@ -0,0 +1,45 @@
+From 9b7cb86683b052d647bcc6b28f576dfb53438f24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Apr 2024 21:20:21 -0400
+Subject: fbdev: offb: replace of_node_put with __free(device_node)
+
+From: Abdulrasaq Lawani <abdulrasaqolawani@gmail.com>
+
+[ Upstream commit ce4a7ae84a58b9f33aae8d6c769b3c94f3d5ce76 ]
+
+Replaced instance of of_node_put with __free(device_node)
+to simplify code and protect against any memory leaks
+due to future changes in the control flow.
+
+Suggested-by: Julia Lawall <julia.lawall@inria.fr>
+Signed-off-by: Abdulrasaq Lawani <abdulrasaqolawani@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/offb.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/video/fbdev/offb.c b/drivers/video/fbdev/offb.c
+index 4501e848a36f2..766adaf2618c5 100644
+--- a/drivers/video/fbdev/offb.c
++++ b/drivers/video/fbdev/offb.c
+@@ -354,7 +354,7 @@ static void offb_init_palette_hacks(struct fb_info *info, struct device_node *dp
+                       par->cmap_type = cmap_gxt2000;
+       } else if (of_node_name_prefix(dp, "vga,Display-")) {
+               /* Look for AVIVO initialized by SLOF */
+-              struct device_node *pciparent = of_get_parent(dp);
++              struct device_node *pciparent __free(device_node) = of_get_parent(dp);
+               const u32 *vid, *did;
+               vid = of_get_property(pciparent, "vendor-id", NULL);
+               did = of_get_property(pciparent, "device-id", NULL);
+@@ -366,7 +366,6 @@ static void offb_init_palette_hacks(struct fb_info *info, struct device_node *dp
+                       if (par->cmap_adr)
+                               par->cmap_type = cmap_avivo;
+               }
+-              of_node_put(pciparent);
+       } else if (dp && of_device_is_compatible(dp, "qemu,std-vga")) {
+ #ifdef __BIG_ENDIAN
+               const __be32 io_of_addr[3] = { 0x01000000, 0x0, 0x0 };
+-- 
+2.43.0
+

diff --git a/queue-5.15/fs-binfmt_elf_efpic-don-t-use-missing-interpreter-s-.patch b/queue-5.15/fs-binfmt_elf_efpic-don-t-use-missing-interpreter-s-.patch
new file mode 100644 (file)
index 0000000..07c5c66
--- /dev/null
+++ b/queue-5.15/fs-binfmt_elf_efpic-don-t-use-missing-interpreter-s-.patch
@@ -0,0 +1,43 @@
+From a2eb8e0d6c3c20983a24feaf3ce46bcc1b73e5c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Jan 2024 07:06:37 -0800
+Subject: fs: binfmt_elf_efpic: don't use missing interpreter's properties
+
+From: Max Filippov <jcmvbkbc@gmail.com>
+
+[ Upstream commit 15fd1dc3dadb4268207fa6797e753541aca09a2a ]
+
+Static FDPIC executable may get an executable stack even when it has
+non-executable GNU_STACK segment. This happens when STACK segment has rw
+permissions, but does not specify stack size. In that case FDPIC loader
+uses permissions of the interpreter's stack, and for static executables
+with no interpreter it results in choosing the arch-default permissions
+for the stack.
+
+Fix that by using the interpreter's properties only when the interpreter
+is actually used.
+
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Link: https://lore.kernel.org/r/20240118150637.660461-1-jcmvbkbc@gmail.com
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/binfmt_elf_fdpic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c
+index f51f6e4d1a322..a7084a720b28c 100644
+--- a/fs/binfmt_elf_fdpic.c
++++ b/fs/binfmt_elf_fdpic.c
+@@ -320,7 +320,7 @@ static int load_elf_fdpic_binary(struct linux_binprm *bprm)
+       else
+               executable_stack = EXSTACK_DEFAULT;
+ 
+-      if (stack_size == 0) {
++      if (stack_size == 0 && interp_params.flags & ELF_FDPIC_FLAG_PRESENT) {
+               stack_size = interp_params.stack_size;
+               if (interp_params.flags & ELF_FDPIC_FLAG_EXEC_STACK)
+                       executable_stack = EXSTACK_ENABLE_X;
+-- 
+2.43.0
+

diff --git a/queue-5.15/fuse-fix-uaf-in-rcu-pathwalks.patch b/queue-5.15/fuse-fix-uaf-in-rcu-pathwalks.patch
new file mode 100644 (file)
index 0000000..9759a99
--- /dev/null
+++ b/queue-5.15/fuse-fix-uaf-in-rcu-pathwalks.patch
@@ -0,0 +1,105 @@
+From 2375baca0732a42987589a7397cbf6c795d5bcb6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Sep 2023 00:19:39 -0400
+Subject: fuse: fix UAF in rcu pathwalks
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 053fc4f755ad43cf35210677bcba798ccdc48d0c ]
+
+->permission(), ->get_link() and ->inode_get_acl() might dereference
+->s_fs_info (and, in case of ->permission(), ->s_fs_info->fc->user_ns
+as well) when called from rcu pathwalk.
+
+Freeing ->s_fs_info->fc is rcu-delayed; we need to make freeing ->s_fs_info
+and dropping ->user_ns rcu-delayed too.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fuse/cuse.c   |  3 +--
+ fs/fuse/fuse_i.h |  1 +
+ fs/fuse/inode.c  | 15 +++++++++++----
+ 3 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/fs/fuse/cuse.c b/fs/fuse/cuse.c
+index c7d882a9fe339..295344a462e1d 100644
+--- a/fs/fuse/cuse.c
++++ b/fs/fuse/cuse.c
+@@ -474,8 +474,7 @@ static int cuse_send_init(struct cuse_conn *cc)
+ 
+ static void cuse_fc_release(struct fuse_conn *fc)
+ {
+-      struct cuse_conn *cc = fc_to_cc(fc);
+-      kfree_rcu(cc, fc.rcu);
++      kfree(fc_to_cc(fc));
+ }
+ 
+ /**
+diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h
+index 55b7ca26fb8ab..ac655c7a15db2 100644
+--- a/fs/fuse/fuse_i.h
++++ b/fs/fuse/fuse_i.h
+@@ -848,6 +848,7 @@ struct fuse_mount {
+ 
+       /* Entry on fc->mounts */
+       struct list_head fc_entry;
++      struct rcu_head rcu;
+ };
+ 
+ static inline struct fuse_mount *get_fuse_mount_super(struct super_block *sb)
+diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
+index 396866f9d72c3..40a4c7680bd7e 100644
+--- a/fs/fuse/inode.c
++++ b/fs/fuse/inode.c
+@@ -883,6 +883,14 @@ void fuse_conn_init(struct fuse_conn *fc, struct fuse_mount *fm,
+ }
+ EXPORT_SYMBOL_GPL(fuse_conn_init);
+ 
++static void delayed_release(struct rcu_head *p)
++{
++      struct fuse_conn *fc = container_of(p, struct fuse_conn, rcu);
++
++      put_user_ns(fc->user_ns);
++      fc->release(fc);
++}
++
+ void fuse_conn_put(struct fuse_conn *fc)
+ {
+       if (refcount_dec_and_test(&fc->count)) {
+@@ -894,13 +902,12 @@ void fuse_conn_put(struct fuse_conn *fc)
+               if (fiq->ops->release)
+                       fiq->ops->release(fiq);
+               put_pid_ns(fc->pid_ns);
+-              put_user_ns(fc->user_ns);
+               bucket = rcu_dereference_protected(fc->curr_bucket, 1);
+               if (bucket) {
+                       WARN_ON(atomic_read(&bucket->count) != 1);
+                       kfree(bucket);
+               }
+-              fc->release(fc);
++              call_rcu(&fc->rcu, delayed_release);
+       }
+ }
+ EXPORT_SYMBOL_GPL(fuse_conn_put);
+@@ -1297,7 +1304,7 @@ EXPORT_SYMBOL_GPL(fuse_send_init);
+ void fuse_free_conn(struct fuse_conn *fc)
+ {
+       WARN_ON(!list_empty(&fc->devices));
+-      kfree_rcu(fc, rcu);
++      kfree(fc);
+ }
+ EXPORT_SYMBOL_GPL(fuse_free_conn);
+ 
+@@ -1836,7 +1843,7 @@ static void fuse_sb_destroy(struct super_block *sb)
+ void fuse_mount_destroy(struct fuse_mount *fm)
+ {
+       fuse_conn_put(fm->fc);
+-      kfree(fm);
++      kfree_rcu(fm, rcu);
+ }
+ EXPORT_SYMBOL(fuse_mount_destroy);
+ 
+-- 
+2.43.0
+

diff --git a/queue-5.15/hrtimer-prevent-queuing-of-hrtimer-without-a-functio.patch b/queue-5.15/hrtimer-prevent-queuing-of-hrtimer-without-a-functio.patch
new file mode 100644 (file)
index 0000000..06b59c3
--- /dev/null
+++ b/queue-5.15/hrtimer-prevent-queuing-of-hrtimer-without-a-functio.patch
@@ -0,0 +1,44 @@
+From a8ebb99e00eeb2bbd27259b7143641b79cfae73b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Jun 2024 21:31:36 +0800
+Subject: hrtimer: Prevent queuing of hrtimer without a function callback
+
+From: Phil Chang <phil.chang@mediatek.com>
+
+[ Upstream commit 5a830bbce3af16833fe0092dec47b6dd30279825 ]
+
+The hrtimer function callback must not be NULL. It has to be specified by
+the call side but it is not validated by the hrtimer code. When a hrtimer
+is queued without a function callback, the kernel crashes with a null
+pointer dereference when trying to execute the callback in __run_hrtimer().
+
+Introduce a validation before queuing the hrtimer in
+hrtimer_start_range_ns().
+
+[anna-maria: Rephrase commit message]
+
+Signed-off-by: Phil Chang <phil.chang@mediatek.com>
+Signed-off-by: Anna-Maria Behnsen <anna-maria@linutronix.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Anna-Maria Behnsen <anna-maria@linutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/hrtimer.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index 5502c687bd401..bdd9041d595e9 100644
+--- a/kernel/time/hrtimer.c
++++ b/kernel/time/hrtimer.c
+@@ -1284,6 +1284,8 @@ void hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim,
+       struct hrtimer_clock_base *base;
+       unsigned long flags;
+ 
++      if (WARN_ON_ONCE(!timer->function))
++              return;
+       /*
+        * Check whether the HRTIMER_MODE_SOFT bit and hrtimer.is_soft
+        * match on CONFIG_PREEMPT_RT = n. With PREEMPT_RT check the hard
+-- 
+2.43.0
+

diff --git a/queue-5.15/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch b/queue-5.15/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch
new file mode 100644 (file)
index 0000000..c06c0ab
--- /dev/null
+++ b/queue-5.15/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch
@@ -0,0 +1,41 @@
+From e31ed48d4e237dfd969f1f8159d1f8d561df68fd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Apr 2024 14:10:53 +0800
+Subject: irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc
+
+From: Guanrui Huang <guanrui.huang@linux.alibaba.com>
+
+[ Upstream commit 382d2ffe86efb1e2fa803d2cf17e5bfc34e574f3 ]
+
+This BUG_ON() is useless, because the same effect will be obtained
+by letting the code run its course and vm being dereferenced,
+triggering an exception.
+
+So just remove this check.
+
+Signed-off-by: Guanrui Huang <guanrui.huang@linux.alibaba.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Zenghui Yu <yuzenghui@huawei.com>
+Acked-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20240418061053.96803-3-guanrui.huang@linux.alibaba.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-gic-v3-its.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
+index fa89e590c1333..3fa6c71843261 100644
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -4491,8 +4491,6 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq
+       struct page *vprop_page;
+       int base, nr_ids, i, err = 0;
+ 
+-      BUG_ON(!vm);
+-
+       bitmap = its_lpi_alloc(roundup_pow_of_two(nr_irqs), &base, &nr_ids);
+       if (!bitmap)
+               return -ENOMEM;
+-- 
+2.43.0
+

diff --git a/queue-5.15/md-clean-up-invalid-bug_on-in-md_ioctl.patch b/queue-5.15/md-clean-up-invalid-bug_on-in-md_ioctl.patch
new file mode 100644 (file)
index 0000000..83cb6ab
--- /dev/null
+++ b/queue-5.15/md-clean-up-invalid-bug_on-in-md_ioctl.patch
@@ -0,0 +1,42 @@
+From 8bc331ae1515e92512d3d2aab9fb214cb985d01e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Feb 2024 11:14:38 +0800
+Subject: md: clean up invalid BUG_ON in md_ioctl
+
+From: Li Nan <linan122@huawei.com>
+
+[ Upstream commit 9dd8702e7cd28ebf076ff838933f29cf671165ec ]
+
+'disk->private_data' is set to mddev in md_alloc() and never set to NULL,
+and users need to open mddev before submitting ioctl. So mddev must not
+have been freed during ioctl, and there is no need to check mddev here.
+Clean up it.
+
+Signed-off-by: Li Nan <linan122@huawei.com>
+Reviewed-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Link: https://lore.kernel.org/r/20240226031444.3606764-4-linan666@huaweicloud.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 5b6c366587d54..332458ad96637 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -7589,11 +7589,6 @@ static int md_ioctl(struct block_device *bdev, fmode_t mode,
+ 
+       mddev = bdev->bd_disk->private_data;
+ 
+-      if (!mddev) {
+-              BUG();
+-              goto out;
+-      }
+-
+       /* Some actions do not requires the mutex */
+       switch (cmd) {
+       case GET_ARRAY_INFO:
+-- 
+2.43.0
+

diff --git a/queue-5.15/media-drivers-media-dvb-core-copy-user-arrays-safely.patch b/queue-5.15/media-drivers-media-dvb-core-copy-user-arrays-safely.patch
new file mode 100644 (file)
index 0000000..4b64a43
--- /dev/null
+++ b/queue-5.15/media-drivers-media-dvb-core-copy-user-arrays-safely.patch
@@ -0,0 +1,70 @@
+From a24970d9a3a62c231a2168e36e1b7acaac6a8d2a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Nov 2023 20:16:34 +0100
+Subject: media: drivers/media/dvb-core: copy user arrays safely
+
+From: Philipp Stanner <pstanner@redhat.com>
+
+[ Upstream commit 102fb77c2deb0df3683ef8ff7a6f4cf91dc456e2 ]
+
+At several positions in dvb_frontend.c, memdup_user() is utilized to
+copy userspace arrays. This is done without overflow checks.
+
+Use the new wrapper memdup_array_user() to copy the arrays more safely.
+
+Link: https://lore.kernel.org/linux-media/20231102191633.52592-2-pstanner@redhat.com
+Suggested-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Philipp Stanner <pstanner@redhat.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-core/dvb_frontend.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c
+index fea62bce97468..d76ac3ec93c2f 100644
+--- a/drivers/media/dvb-core/dvb_frontend.c
++++ b/drivers/media/dvb-core/dvb_frontend.c
+@@ -2160,7 +2160,8 @@ static int dvb_frontend_handle_compat_ioctl(struct file *file, unsigned int cmd,
+               if (!tvps->num || (tvps->num > DTV_IOCTL_MAX_MSGS))
+                       return -EINVAL;
+ 
+-              tvp = memdup_user(compat_ptr(tvps->props), tvps->num * sizeof(*tvp));
++              tvp = memdup_array_user(compat_ptr(tvps->props),
++                                      tvps->num, sizeof(*tvp));
+               if (IS_ERR(tvp))
+                       return PTR_ERR(tvp);
+ 
+@@ -2191,7 +2192,8 @@ static int dvb_frontend_handle_compat_ioctl(struct file *file, unsigned int cmd,
+               if (!tvps->num || (tvps->num > DTV_IOCTL_MAX_MSGS))
+                       return -EINVAL;
+ 
+-              tvp = memdup_user(compat_ptr(tvps->props), tvps->num * sizeof(*tvp));
++              tvp = memdup_array_user(compat_ptr(tvps->props),
++                                      tvps->num, sizeof(*tvp));
+               if (IS_ERR(tvp))
+                       return PTR_ERR(tvp);
+ 
+@@ -2368,7 +2370,8 @@ static int dvb_get_property(struct dvb_frontend *fe, struct file *file,
+       if (!tvps->num || tvps->num > DTV_IOCTL_MAX_MSGS)
+               return -EINVAL;
+ 
+-      tvp = memdup_user((void __user *)tvps->props, tvps->num * sizeof(*tvp));
++      tvp = memdup_array_user((void __user *)tvps->props,
++                              tvps->num, sizeof(*tvp));
+       if (IS_ERR(tvp))
+               return PTR_ERR(tvp);
+ 
+@@ -2446,7 +2449,8 @@ static int dvb_frontend_handle_ioctl(struct file *file,
+               if (!tvps->num || (tvps->num > DTV_IOCTL_MAX_MSGS))
+                       return -EINVAL;
+ 
+-              tvp = memdup_user((void __user *)tvps->props, tvps->num * sizeof(*tvp));
++              tvp = memdup_array_user((void __user *)tvps->props,
++                                      tvps->num, sizeof(*tvp));
+               if (IS_ERR(tvp))
+                       return PTR_ERR(tvp);
+ 
+-- 
+2.43.0
+

diff --git a/queue-5.15/media-pci-cx23885-check-cx23885_vdev_init-return.patch b/queue-5.15/media-pci-cx23885-check-cx23885_vdev_init-return.patch
new file mode 100644 (file)
index 0000000..379498f
--- /dev/null
+++ b/queue-5.15/media-pci-cx23885-check-cx23885_vdev_init-return.patch
@@ -0,0 +1,50 @@
+From ae155d287f5c3241eb6c371ad2f3a4d8a96c23ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Oct 2023 08:58:49 +0200
+Subject: media: pci: cx23885: check cx23885_vdev_init() return
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 15126b916e39b0cb67026b0af3c014bfeb1f76b3 ]
+
+cx23885_vdev_init() can return a NULL pointer, but that pointer
+is used in the next line without a check.
+
+Add a NULL pointer check and go to the error unwind if it is NULL.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reported-by: Sicong Huang <huangsicong@iie.ac.cn>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/cx23885/cx23885-video.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/media/pci/cx23885/cx23885-video.c b/drivers/media/pci/cx23885/cx23885-video.c
+index 6851e01da1c5b..7a696aea52f10 100644
+--- a/drivers/media/pci/cx23885/cx23885-video.c
++++ b/drivers/media/pci/cx23885/cx23885-video.c
+@@ -1354,6 +1354,10 @@ int cx23885_video_register(struct cx23885_dev *dev)
+       /* register Video device */
+       dev->video_dev = cx23885_vdev_init(dev, dev->pci,
+               &cx23885_video_template, "video");
++      if (!dev->video_dev) {
++              err = -ENOMEM;
++              goto fail_unreg;
++      }
+       dev->video_dev->queue = &dev->vb2_vidq;
+       dev->video_dev->device_caps = V4L2_CAP_READWRITE | V4L2_CAP_STREAMING |
+                                     V4L2_CAP_AUDIO | V4L2_CAP_VIDEO_CAPTURE;
+@@ -1382,6 +1386,10 @@ int cx23885_video_register(struct cx23885_dev *dev)
+       /* register VBI device */
+       dev->vbi_dev = cx23885_vdev_init(dev, dev->pci,
+               &cx23885_vbi_template, "vbi");
++      if (!dev->vbi_dev) {
++              err = -ENOMEM;
++              goto fail_unreg;
++      }
+       dev->vbi_dev->queue = &dev->vb2_vbiq;
+       dev->vbi_dev->device_caps = V4L2_CAP_READWRITE | V4L2_CAP_STREAMING |
+                                   V4L2_CAP_AUDIO | V4L2_CAP_VBI_CAPTURE;
+-- 
+2.43.0
+

diff --git a/queue-5.15/memory-stm32-fmc2-ebi-check-regmap_read-return-value.patch b/queue-5.15/memory-stm32-fmc2-ebi-check-regmap_read-return-value.patch
new file mode 100644 (file)
index 0000000..452b4c9
--- /dev/null
+++ b/queue-5.15/memory-stm32-fmc2-ebi-check-regmap_read-return-value.patch
@@ -0,0 +1,283 @@
+From 12c1899fb107563c7fe09f05d1f6fbd6a7624b3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Feb 2024 11:14:25 +0100
+Subject: memory: stm32-fmc2-ebi: check regmap_read return value
+
+From: Christophe Kerello <christophe.kerello@foss.st.com>
+
+[ Upstream commit 722463f73bcf65a8c818752a38c14ee672c77da1 ]
+
+Check regmap_read return value to avoid to use uninitialized local
+variables.
+
+Signed-off-by: Christophe Kerello <christophe.kerello@foss.st.com>
+Link: https://lore.kernel.org/r/20240226101428.37791-3-christophe.kerello@foss.st.com
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memory/stm32-fmc2-ebi.c | 122 +++++++++++++++++++++++---------
+ 1 file changed, 88 insertions(+), 34 deletions(-)
+
+diff --git a/drivers/memory/stm32-fmc2-ebi.c b/drivers/memory/stm32-fmc2-ebi.c
+index ffec26a99313b..5c387d32c078f 100644
+--- a/drivers/memory/stm32-fmc2-ebi.c
++++ b/drivers/memory/stm32-fmc2-ebi.c
+@@ -179,8 +179,11 @@ static int stm32_fmc2_ebi_check_mux(struct stm32_fmc2_ebi *ebi,
+                                   int cs)
+ {
+       u32 bcr;
++      int ret;
+ 
+-      regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
++      ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
++      if (ret)
++              return ret;
+ 
+       if (bcr & FMC2_BCR_MTYP)
+               return 0;
+@@ -193,8 +196,11 @@ static int stm32_fmc2_ebi_check_waitcfg(struct stm32_fmc2_ebi *ebi,
+                                       int cs)
+ {
+       u32 bcr, val = FIELD_PREP(FMC2_BCR_MTYP, FMC2_BCR_MTYP_NOR);
++      int ret;
+ 
+-      regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
++      ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
++      if (ret)
++              return ret;
+ 
+       if ((bcr & FMC2_BCR_MTYP) == val && bcr & FMC2_BCR_BURSTEN)
+               return 0;
+@@ -207,8 +213,11 @@ static int stm32_fmc2_ebi_check_sync_trans(struct stm32_fmc2_ebi *ebi,
+                                          int cs)
+ {
+       u32 bcr;
++      int ret;
+ 
+-      regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
++      ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
++      if (ret)
++              return ret;
+ 
+       if (bcr & FMC2_BCR_BURSTEN)
+               return 0;
+@@ -221,8 +230,11 @@ static int stm32_fmc2_ebi_check_async_trans(struct stm32_fmc2_ebi *ebi,
+                                           int cs)
+ {
+       u32 bcr;
++      int ret;
+ 
+-      regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
++      ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
++      if (ret)
++              return ret;
+ 
+       if (!(bcr & FMC2_BCR_BURSTEN) || !(bcr & FMC2_BCR_CBURSTRW))
+               return 0;
+@@ -235,8 +247,11 @@ static int stm32_fmc2_ebi_check_cpsize(struct stm32_fmc2_ebi *ebi,
+                                      int cs)
+ {
+       u32 bcr, val = FIELD_PREP(FMC2_BCR_MTYP, FMC2_BCR_MTYP_PSRAM);
++      int ret;
+ 
+-      regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
++      ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
++      if (ret)
++              return ret;
+ 
+       if ((bcr & FMC2_BCR_MTYP) == val && bcr & FMC2_BCR_BURSTEN)
+               return 0;
+@@ -249,12 +264,18 @@ static int stm32_fmc2_ebi_check_address_hold(struct stm32_fmc2_ebi *ebi,
+                                            int cs)
+ {
+       u32 bcr, bxtr, val = FIELD_PREP(FMC2_BXTR_ACCMOD, FMC2_BXTR_EXTMOD_D);
++      int ret;
++
++      ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
++      if (ret)
++              return ret;
+ 
+-      regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
+       if (prop->reg_type == FMC2_REG_BWTR)
+-              regmap_read(ebi->regmap, FMC2_BWTR(cs), &bxtr);
++              ret = regmap_read(ebi->regmap, FMC2_BWTR(cs), &bxtr);
+       else
+-              regmap_read(ebi->regmap, FMC2_BTR(cs), &bxtr);
++              ret = regmap_read(ebi->regmap, FMC2_BTR(cs), &bxtr);
++      if (ret)
++              return ret;
+ 
+       if ((!(bcr & FMC2_BCR_BURSTEN) || !(bcr & FMC2_BCR_CBURSTRW)) &&
+           ((bxtr & FMC2_BXTR_ACCMOD) == val || bcr & FMC2_BCR_MUXEN))
+@@ -268,12 +289,19 @@ static int stm32_fmc2_ebi_check_clk_period(struct stm32_fmc2_ebi *ebi,
+                                          int cs)
+ {
+       u32 bcr, bcr1;
++      int ret;
+ 
+-      regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
+-      if (cs)
+-              regmap_read(ebi->regmap, FMC2_BCR1, &bcr1);
+-      else
++      ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
++      if (ret)
++              return ret;
++
++      if (cs) {
++              ret = regmap_read(ebi->regmap, FMC2_BCR1, &bcr1);
++              if (ret)
++                      return ret;
++      } else {
+               bcr1 = bcr;
++      }
+ 
+       if (bcr & FMC2_BCR_BURSTEN && (!cs || !(bcr1 & FMC2_BCR1_CCLKEN)))
+               return 0;
+@@ -305,12 +333,18 @@ static u32 stm32_fmc2_ebi_ns_to_clk_period(struct stm32_fmc2_ebi *ebi,
+ {
+       u32 nb_clk_cycles = stm32_fmc2_ebi_ns_to_clock_cycles(ebi, cs, setup);
+       u32 bcr, btr, clk_period;
++      int ret;
++
++      ret = regmap_read(ebi->regmap, FMC2_BCR1, &bcr);
++      if (ret)
++              return ret;
+ 
+-      regmap_read(ebi->regmap, FMC2_BCR1, &bcr);
+       if (bcr & FMC2_BCR1_CCLKEN || !cs)
+-              regmap_read(ebi->regmap, FMC2_BTR1, &btr);
++              ret = regmap_read(ebi->regmap, FMC2_BTR1, &btr);
+       else
+-              regmap_read(ebi->regmap, FMC2_BTR(cs), &btr);
++              ret = regmap_read(ebi->regmap, FMC2_BTR(cs), &btr);
++      if (ret)
++              return ret;
+ 
+       clk_period = FIELD_GET(FMC2_BTR_CLKDIV, btr) + 1;
+ 
+@@ -569,11 +603,16 @@ static int stm32_fmc2_ebi_set_address_setup(struct stm32_fmc2_ebi *ebi,
+       if (ret)
+               return ret;
+ 
+-      regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
++      ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
++      if (ret)
++              return ret;
++
+       if (prop->reg_type == FMC2_REG_BWTR)
+-              regmap_read(ebi->regmap, FMC2_BWTR(cs), &bxtr);
++              ret = regmap_read(ebi->regmap, FMC2_BWTR(cs), &bxtr);
+       else
+-              regmap_read(ebi->regmap, FMC2_BTR(cs), &bxtr);
++              ret = regmap_read(ebi->regmap, FMC2_BTR(cs), &bxtr);
++      if (ret)
++              return ret;
+ 
+       if ((bxtr & FMC2_BXTR_ACCMOD) == val || bcr & FMC2_BCR_MUXEN)
+               val = clamp_val(setup, 1, FMC2_BXTR_ADDSET_MAX);
+@@ -691,11 +730,14 @@ static int stm32_fmc2_ebi_set_max_low_pulse(struct stm32_fmc2_ebi *ebi,
+                                           int cs, u32 setup)
+ {
+       u32 old_val, new_val, pcscntr;
++      int ret;
+ 
+       if (setup < 1)
+               return 0;
+ 
+-      regmap_read(ebi->regmap, FMC2_PCSCNTR, &pcscntr);
++      ret = regmap_read(ebi->regmap, FMC2_PCSCNTR, &pcscntr);
++      if (ret)
++              return ret;
+ 
+       /* Enable counter for the bank */
+       regmap_update_bits(ebi->regmap, FMC2_PCSCNTR,
+@@ -942,17 +984,20 @@ static void stm32_fmc2_ebi_disable_bank(struct stm32_fmc2_ebi *ebi, int cs)
+       regmap_update_bits(ebi->regmap, FMC2_BCR(cs), FMC2_BCR_MBKEN, 0);
+ }
+ 
+-static void stm32_fmc2_ebi_save_setup(struct stm32_fmc2_ebi *ebi)
++static int stm32_fmc2_ebi_save_setup(struct stm32_fmc2_ebi *ebi)
+ {
+       unsigned int cs;
++      int ret;
+ 
+       for (cs = 0; cs < FMC2_MAX_EBI_CE; cs++) {
+-              regmap_read(ebi->regmap, FMC2_BCR(cs), &ebi->bcr[cs]);
+-              regmap_read(ebi->regmap, FMC2_BTR(cs), &ebi->btr[cs]);
+-              regmap_read(ebi->regmap, FMC2_BWTR(cs), &ebi->bwtr[cs]);
++              ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &ebi->bcr[cs]);
++              ret |= regmap_read(ebi->regmap, FMC2_BTR(cs), &ebi->btr[cs]);
++              ret |= regmap_read(ebi->regmap, FMC2_BWTR(cs), &ebi->bwtr[cs]);
++              if (ret)
++                      return ret;
+       }
+ 
+-      regmap_read(ebi->regmap, FMC2_PCSCNTR, &ebi->pcscntr);
++      return regmap_read(ebi->regmap, FMC2_PCSCNTR, &ebi->pcscntr);
+ }
+ 
+ static void stm32_fmc2_ebi_set_setup(struct stm32_fmc2_ebi *ebi)
+@@ -981,22 +1026,29 @@ static void stm32_fmc2_ebi_disable_banks(struct stm32_fmc2_ebi *ebi)
+ }
+ 
+ /* NWAIT signal can not be connected to EBI controller and NAND controller */
+-static bool stm32_fmc2_ebi_nwait_used_by_ctrls(struct stm32_fmc2_ebi *ebi)
++static int stm32_fmc2_ebi_nwait_used_by_ctrls(struct stm32_fmc2_ebi *ebi)
+ {
++      struct device *dev = ebi->dev;
+       unsigned int cs;
+       u32 bcr;
++      int ret;
+ 
+       for (cs = 0; cs < FMC2_MAX_EBI_CE; cs++) {
+               if (!(ebi->bank_assigned & BIT(cs)))
+                       continue;
+ 
+-              regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
++              ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
++              if (ret)
++                      return ret;
++
+               if ((bcr & FMC2_BCR_WAITEN || bcr & FMC2_BCR_ASYNCWAIT) &&
+-                  ebi->bank_assigned & BIT(FMC2_NAND))
+-                      return true;
++                  ebi->bank_assigned & BIT(FMC2_NAND)) {
++                      dev_err(dev, "NWAIT signal connected to EBI and NAND controllers\n");
++                      return -EINVAL;
++              }
+       }
+ 
+-      return false;
++      return 0;
+ }
+ 
+ static void stm32_fmc2_ebi_enable(struct stm32_fmc2_ebi *ebi)
+@@ -1083,10 +1135,9 @@ static int stm32_fmc2_ebi_parse_dt(struct stm32_fmc2_ebi *ebi)
+               return -ENODEV;
+       }
+ 
+-      if (stm32_fmc2_ebi_nwait_used_by_ctrls(ebi)) {
+-              dev_err(dev, "NWAIT signal connected to EBI and NAND controllers\n");
+-              return -EINVAL;
+-      }
++      ret = stm32_fmc2_ebi_nwait_used_by_ctrls(ebi);
++      if (ret)
++              return ret;
+ 
+       stm32_fmc2_ebi_enable(ebi);
+ 
+@@ -1131,7 +1182,10 @@ static int stm32_fmc2_ebi_probe(struct platform_device *pdev)
+       if (ret)
+               goto err_release;
+ 
+-      stm32_fmc2_ebi_save_setup(ebi);
++      ret = stm32_fmc2_ebi_save_setup(ebi);
++      if (ret)
++              goto err_release;
++
+       platform_set_drvdata(pdev, ebi);
+ 
+       return 0;
+-- 
+2.43.0
+

diff --git a/queue-5.15/memory-tegra-skip-sid-programming-if-sid-registers-a.patch b/queue-5.15/memory-tegra-skip-sid-programming-if-sid-registers-a.patch
new file mode 100644 (file)
index 0000000..5cd9527
--- /dev/null
+++ b/queue-5.15/memory-tegra-skip-sid-programming-if-sid-registers-a.patch
@@ -0,0 +1,39 @@
+From 3778704dee812b82f27e21671ecb0043410ebccc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Nov 2023 16:57:13 +0530
+Subject: memory: tegra: Skip SID programming if SID registers aren't set
+
+From: Ashish Mhetre <amhetre@nvidia.com>
+
+[ Upstream commit 0d6c918011ce4764ed277de4726a468b7ffe5fed ]
+
+There are few MC clients where SID security and override register
+offsets are not specified like "sw_cluster0" in tegra234. Don't program
+SID override for such clients because it leads to access to invalid
+addresses.
+
+Signed-off-by: Ashish Mhetre <amhetre@nvidia.com>
+Link: https://lore.kernel.org/r/20231107112713.21399-2-amhetre@nvidia.com
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memory/tegra/tegra186.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/memory/tegra/tegra186.c b/drivers/memory/tegra/tegra186.c
+index 4bed0e54fd456..2ff586c6b1021 100644
+--- a/drivers/memory/tegra/tegra186.c
++++ b/drivers/memory/tegra/tegra186.c
+@@ -43,6 +43,9 @@ static void tegra186_mc_client_sid_override(struct tegra_mc *mc,
+ {
+       u32 value, old;
+ 
++      if (client->regs.sid.security == 0 && client->regs.sid.override == 0)
++              return;
++
+       value = readl(mc->regs + client->regs.sid.security);
+       if ((value & MC_SID_STREAMID_SECURITY_OVERRIDE) == 0) {
+               /*
+-- 
+2.43.0
+

diff --git a/queue-5.15/net-hns3-add-checking-for-vf-id-of-mailbox.patch b/queue-5.15/net-hns3-add-checking-for-vf-id-of-mailbox.patch
new file mode 100644 (file)
index 0000000..53faabc
--- /dev/null
+++ b/queue-5.15/net-hns3-add-checking-for-vf-id-of-mailbox.patch
@@ -0,0 +1,43 @@
+From 51ec63516fc61675fb915be8db67c633e425d5b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Mar 2024 09:01:15 +0800
+Subject: net: hns3: add checking for vf id of mailbox
+
+From: Jian Shen <shenjian15@huawei.com>
+
+[ Upstream commit 4e2969a0d6a7549bc0bc1ebc990588b622c4443d ]
+
+Add checking for vf id of mailbox, in order to avoid array
+out-of-bounds risk.
+
+Signed-off-by: Jian Shen <shenjian15@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Reviewed-by: Sunil Goutham <sgoutham@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
+index 77c432ab7856c..e2fe41d3972fb 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
+@@ -1066,10 +1066,11 @@ void hclge_mbx_handler(struct hclge_dev *hdev)
+               req = (struct hclge_mbx_vf_to_pf_cmd *)desc->data;
+ 
+               flag = le16_to_cpu(crq->desc[crq->next_to_use].flag);
+-              if (unlikely(!hnae3_get_bit(flag, HCLGE_CMDQ_RX_OUTVLD_B))) {
++              if (unlikely(!hnae3_get_bit(flag, HCLGE_CMDQ_RX_OUTVLD_B) ||
++                           req->mbx_src_vfid > hdev->num_req_vfs)) {
+                       dev_warn(&hdev->pdev->dev,
+-                               "dropped invalid mailbox message, code = %u\n",
+-                               req->msg.code);
++                               "dropped invalid mailbox message, code = %u, vfid = %u\n",
++                               req->msg.code, req->mbx_src_vfid);
+ 
+                       /* dropping/not processing this invalid message */
+                       crq->desc[crq->next_to_use].flag = 0;
+-- 
+2.43.0
+

diff --git a/queue-5.15/net-sun3_82586-avoid-reading-past-buffer-in-debug-ou.patch b/queue-5.15/net-sun3_82586-avoid-reading-past-buffer-in-debug-ou.patch
new file mode 100644 (file)
index 0000000..42ebf9f
--- /dev/null
+++ b/queue-5.15/net-sun3_82586-avoid-reading-past-buffer-in-debug-ou.patch
@@ -0,0 +1,51 @@
+From b932eb35c34e268aed1b23a79abf1917738dc6f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Feb 2024 08:16:54 -0800
+Subject: net/sun3_82586: Avoid reading past buffer in debug output
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 4bea747f3fbec33c16d369b2f51e55981d7c78d0 ]
+
+Since NUM_XMIT_BUFFS is always 1, building m68k with sun3_defconfig and
+-Warraybounds, this build warning is visible[1]:
+
+drivers/net/ethernet/i825xx/sun3_82586.c: In function 'sun3_82586_timeout':
+drivers/net/ethernet/i825xx/sun3_82586.c:990:122: warning: array subscript 1 is above array bounds of 'volatile struct transmit_cmd_struct *[1]' [-Warray-bounds=]
+  990 |                 printk("%s: command-stats: %04x %04x\n",dev->name,swab16(p->xmit_cmds[0]->cmd_status),swab16(p->xmit_cmds[1]->cmd_status));
+      |                                                                                                               ~~~~~~~~~~~~^~~
+...
+drivers/net/ethernet/i825xx/sun3_82586.c:156:46: note: while referencing 'xmit_cmds'
+  156 |         volatile struct transmit_cmd_struct *xmit_cmds[NUM_XMIT_BUFFS];
+
+Avoid accessing index 1 since it doesn't exist.
+
+Link: https://github.com/KSPP/linux/issues/325 [1]
+Cc: Sam Creasey <sammy@sammy.net>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Simon Horman <horms@kernel.org> # build-tested
+Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Link: https://lore.kernel.org/r/20240206161651.work.876-kees@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/i825xx/sun3_82586.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/i825xx/sun3_82586.c b/drivers/net/ethernet/i825xx/sun3_82586.c
+index 18d32302c3c7a..6c89aa7eaa222 100644
+--- a/drivers/net/ethernet/i825xx/sun3_82586.c
++++ b/drivers/net/ethernet/i825xx/sun3_82586.c
+@@ -987,7 +987,7 @@ static void sun3_82586_timeout(struct net_device *dev, unsigned int txqueue)
+       {
+ #ifdef DEBUG
+               printk("%s: xmitter timed out, try to restart! stat: %02x\n",dev->name,p->scb->cus);
+-              printk("%s: command-stats: %04x %04x\n",dev->name,swab16(p->xmit_cmds[0]->cmd_status),swab16(p->xmit_cmds[1]->cmd_status));
++              printk("%s: command-stats: %04x\n", dev->name, swab16(p->xmit_cmds[0]->cmd_status));
+               printk("%s: check, whether you set the right interrupt number!\n",dev->name);
+ #endif
+               sun3_82586_close(dev);
+-- 
+2.43.0
+

diff --git a/queue-5.15/netlink-hold-nlk-cb_mutex-longer-in-__netlink_dump_s.patch b/queue-5.15/netlink-hold-nlk-cb_mutex-longer-in-__netlink_dump_s.patch
new file mode 100644 (file)
index 0000000..d8c18ea
--- /dev/null
+++ b/queue-5.15/netlink-hold-nlk-cb_mutex-longer-in-__netlink_dump_s.patch
@@ -0,0 +1,80 @@
+From 6dbc30cea51606e37a9305912ee82fc676c4035f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Feb 2024 10:50:13 +0000
+Subject: netlink: hold nlk->cb_mutex longer in __netlink_dump_start()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b5590270068c4324dac4a2b5a4a156e02e21339f ]
+
+__netlink_dump_start() releases nlk->cb_mutex right before
+calling netlink_dump() which grabs it again.
+
+This seems dangerous, even if KASAN did not bother yet.
+
+Add a @lock_taken parameter to netlink_dump() to let it
+grab the mutex if called from netlink_recvmsg() only.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netlink/af_netlink.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index 18a38db2b27eb..258d885548ae4 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -128,7 +128,7 @@ static const char *const nlk_cb_mutex_key_strings[MAX_LINKS + 1] = {
+       "nlk_cb_mutex-MAX_LINKS"
+ };
+ 
+-static int netlink_dump(struct sock *sk);
++static int netlink_dump(struct sock *sk, bool lock_taken);
+ 
+ /* nl_table locking explained:
+  * Lookup and traversal are protected with an RCU read-side lock. Insertion
+@@ -2000,7 +2000,7 @@ static int netlink_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
+ 
+       if (READ_ONCE(nlk->cb_running) &&
+           atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf / 2) {
+-              ret = netlink_dump(sk);
++              ret = netlink_dump(sk, false);
+               if (ret) {
+                       WRITE_ONCE(sk->sk_err, -ret);
+                       sk_error_report(sk);
+@@ -2210,7 +2210,7 @@ static int netlink_dump_done(struct netlink_sock *nlk, struct sk_buff *skb,
+       return 0;
+ }
+ 
+-static int netlink_dump(struct sock *sk)
++static int netlink_dump(struct sock *sk, bool lock_taken)
+ {
+       struct netlink_sock *nlk = nlk_sk(sk);
+       struct netlink_ext_ack extack = {};
+@@ -2222,7 +2222,8 @@ static int netlink_dump(struct sock *sk)
+       int alloc_min_size;
+       int alloc_size;
+ 
+-      mutex_lock(nlk->cb_mutex);
++      if (!lock_taken)
++              mutex_lock(nlk->cb_mutex);
+       if (!nlk->cb_running) {
+               err = -EINVAL;
+               goto errout_skb;
+@@ -2378,9 +2379,7 @@ int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
+       WRITE_ONCE(nlk->cb_running, true);
+       nlk->dump_done_errno = INT_MAX;
+ 
+-      mutex_unlock(nlk->cb_mutex);
+-
+-      ret = netlink_dump(sk);
++      ret = netlink_dump(sk, true);
+ 
+       sock_put(sk);
+ 
+-- 
+2.43.0
+

diff --git a/queue-5.15/nfs-avoid-infinite-loop-in-pnfs_update_layout.patch b/queue-5.15/nfs-avoid-infinite-loop-in-pnfs_update_layout.patch
new file mode 100644 (file)
index 0000000..c1e2fc6
--- /dev/null
+++ b/queue-5.15/nfs-avoid-infinite-loop-in-pnfs_update_layout.patch
@@ -0,0 +1,49 @@
+From 2deb29b4983d72e06cfcce1ef75f0bb164b9310e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Feb 2024 11:24:53 +1100
+Subject: NFS: avoid infinite loop in pnfs_update_layout.
+
+From: NeilBrown <neilb@suse.de>
+
+[ Upstream commit 2fdbc20036acda9e5694db74a032d3c605323005 ]
+
+If pnfsd_update_layout() is called on a file for which recovery has
+failed it will enter a tight infinite loop.
+
+NFS_LAYOUT_INVALID_STID will be set, nfs4_select_rw_stateid() will
+return -EIO, and nfs4_schedule_stateid_recovery() will do nothing, so
+nfs4_client_recover_expired_lease() will not wait.  So the code will
+loop indefinitely.
+
+Break the loop by testing the validity of the open stateid at the top of
+the loop.
+
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/pnfs.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
+index 9f6776c7062ec..e13f1c762951a 100644
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -1994,6 +1994,14 @@ pnfs_update_layout(struct inode *ino,
+       }
+ 
+ lookup_again:
++      if (!nfs4_valid_open_stateid(ctx->state)) {
++              trace_pnfs_update_layout(ino, pos, count,
++                                       iomode, lo, lseg,
++                                       PNFS_UPDATE_LAYOUT_INVALID_OPEN);
++              lseg = ERR_PTR(-EIO);
++              goto out;
++      }
++
+       lseg = ERR_PTR(nfs4_client_recover_expired_lease(clp));
+       if (IS_ERR(lseg))
+               goto out;
+-- 
+2.43.0
+

diff --git a/queue-5.15/nvmet-rdma-fix-possible-bad-dereference-when-freeing.patch b/queue-5.15/nvmet-rdma-fix-possible-bad-dereference-when-freeing.patch
new file mode 100644 (file)
index 0000000..14300f4
--- /dev/null
+++ b/queue-5.15/nvmet-rdma-fix-possible-bad-dereference-when-freeing.patch
@@ -0,0 +1,85 @@
+From e123ecbb571b1c27e3968029ab22e435486b80ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 May 2024 10:53:06 +0300
+Subject: nvmet-rdma: fix possible bad dereference when freeing rsps
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+[ Upstream commit 73964c1d07c054376f1b32a62548571795159148 ]
+
+It is possible that the host connected and saw a cm established
+event and started sending nvme capsules on the qp, however the
+ctrl did not yet see an established event. This is why the
+rsp_wait_list exists (for async handling of these cmds, we move
+them to a pending list).
+
+Furthermore, it is possible that the ctrl cm times out, resulting
+in a connect-error cm event. in this case we hit a bad deref [1]
+because in nvmet_rdma_free_rsps we assume that all the responses
+are in the free list.
+
+We are freeing the cmds array anyways, so don't even bother to
+remove the rsp from the free_list. It is also guaranteed that we
+are not racing anything when we are releasing the queue so no
+other context accessing this array should be running.
+
+[1]:
+--
+Workqueue: nvmet-free-wq nvmet_rdma_free_queue_work [nvmet_rdma]
+[...]
+pc : nvmet_rdma_free_rsps+0x78/0xb8 [nvmet_rdma]
+lr : nvmet_rdma_free_queue_work+0x88/0x120 [nvmet_rdma]
+ Call trace:
+ nvmet_rdma_free_rsps+0x78/0xb8 [nvmet_rdma]
+ nvmet_rdma_free_queue_work+0x88/0x120 [nvmet_rdma]
+ process_one_work+0x1ec/0x4a0
+ worker_thread+0x48/0x490
+ kthread+0x158/0x160
+ ret_from_fork+0x10/0x18
+--
+
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/rdma.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/nvme/target/rdma.c b/drivers/nvme/target/rdma.c
+index 18e082091c821..9561ba3d43138 100644
+--- a/drivers/nvme/target/rdma.c
++++ b/drivers/nvme/target/rdma.c
+@@ -472,12 +472,8 @@ nvmet_rdma_alloc_rsps(struct nvmet_rdma_queue *queue)
+       return 0;
+ 
+ out_free:
+-      while (--i >= 0) {
+-              struct nvmet_rdma_rsp *rsp = &queue->rsps[i];
+-
+-              list_del(&rsp->free_list);
+-              nvmet_rdma_free_rsp(ndev, rsp);
+-      }
++      while (--i >= 0)
++              nvmet_rdma_free_rsp(ndev, &queue->rsps[i]);
+       kfree(queue->rsps);
+ out:
+       return ret;
+@@ -488,12 +484,8 @@ static void nvmet_rdma_free_rsps(struct nvmet_rdma_queue *queue)
+       struct nvmet_rdma_device *ndev = queue->dev;
+       int i, nr_rsps = queue->recv_queue_size * 2;
+ 
+-      for (i = 0; i < nr_rsps; i++) {
+-              struct nvmet_rdma_rsp *rsp = &queue->rsps[i];
+-
+-              list_del(&rsp->free_list);
+-              nvmet_rdma_free_rsp(ndev, rsp);
+-      }
++      for (i = 0; i < nr_rsps; i++)
++              nvmet_rdma_free_rsp(ndev, &queue->rsps[i]);
+       kfree(queue->rsps);
+ }
+ 
+-- 
+2.43.0
+

diff --git a/queue-5.15/nvmet-tcp-do-not-continue-for-invalid-icreq.patch b/queue-5.15/nvmet-tcp-do-not-continue-for-invalid-icreq.patch
new file mode 100644 (file)
index 0000000..91c4eec
--- /dev/null
+++ b/queue-5.15/nvmet-tcp-do-not-continue-for-invalid-icreq.patch
@@ -0,0 +1,37 @@
+From d00bbf4f0832d1e873edf94cb17987e6218dc6b9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Mar 2024 08:11:05 +0100
+Subject: nvmet-tcp: do not continue for invalid icreq
+
+From: Hannes Reinecke <hare@suse.de>
+
+[ Upstream commit 0889d13b9e1cbef49e802ae09f3b516911ad82a1 ]
+
+When the length check for an icreq sqe fails we should not
+continue processing but rather return immediately as all
+other contents of that sqe cannot be relied on.
+
+Signed-off-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/tcp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
+index 8468a41322f25..df044a79a7348 100644
+--- a/drivers/nvme/target/tcp.c
++++ b/drivers/nvme/target/tcp.c
+@@ -858,6 +858,7 @@ static int nvmet_tcp_handle_icreq(struct nvmet_tcp_queue *queue)
+               pr_err("bad nvme-tcp pdu length (%d)\n",
+                       le32_to_cpu(icreq->hdr.plen));
+               nvmet_tcp_fatal_error(queue);
++              return -EPROTO;
+       }
+ 
+       if (icreq->pfv != NVME_TCP_PFV_1_0) {
+-- 
+2.43.0
+

diff --git a/queue-5.15/nvmet-trace-avoid-dereferencing-pointer-too-early.patch b/queue-5.15/nvmet-trace-avoid-dereferencing-pointer-too-early.patch
new file mode 100644 (file)
index 0000000..c743350
--- /dev/null
+++ b/queue-5.15/nvmet-trace-avoid-dereferencing-pointer-too-early.patch
@@ -0,0 +1,141 @@
+From 51a27ae75016a0b8d592f0327157b53af971252b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Dec 2023 16:30:51 +0100
+Subject: nvmet-trace: avoid dereferencing pointer too early
+
+From: Daniel Wagner <dwagner@suse.de>
+
+[ Upstream commit 0e716cec6fb11a14c220ee17c404b67962e902f7 ]
+
+The first command issued from the host to the target is the fabrics
+connect command. At this point, neither the target queue nor the
+controller have been allocated. But we already try to trace this command
+in nvmet_req_init.
+
+Reported by KASAN.
+
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Daniel Wagner <dwagner@suse.de>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/trace.c |  6 +++---
+ drivers/nvme/target/trace.h | 28 +++++++++++++++++-----------
+ 2 files changed, 20 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/nvme/target/trace.c b/drivers/nvme/target/trace.c
+index bff454d46255b..6ee1f3db81d04 100644
+--- a/drivers/nvme/target/trace.c
++++ b/drivers/nvme/target/trace.c
+@@ -211,7 +211,7 @@ const char *nvmet_trace_disk_name(struct trace_seq *p, char *name)
+       return ret;
+ }
+ 
+-const char *nvmet_trace_ctrl_name(struct trace_seq *p, struct nvmet_ctrl *ctrl)
++const char *nvmet_trace_ctrl_id(struct trace_seq *p, u16 ctrl_id)
+ {
+       const char *ret = trace_seq_buffer_ptr(p);
+ 
+@@ -224,8 +224,8 @@ const char *nvmet_trace_ctrl_name(struct trace_seq *p, struct nvmet_ctrl *ctrl)
+        * If we can know the extra data of the connect command in this stage,
+        * we can update this print statement later.
+        */
+-      if (ctrl)
+-              trace_seq_printf(p, "%d", ctrl->cntlid);
++      if (ctrl_id)
++              trace_seq_printf(p, "%d", ctrl_id);
+       else
+               trace_seq_printf(p, "_");
+       trace_seq_putc(p, 0);
+diff --git a/drivers/nvme/target/trace.h b/drivers/nvme/target/trace.h
+index 155334ddc13f3..89020018a0e35 100644
+--- a/drivers/nvme/target/trace.h
++++ b/drivers/nvme/target/trace.h
+@@ -32,18 +32,24 @@ const char *nvmet_trace_parse_fabrics_cmd(struct trace_seq *p, u8 fctype,
+        nvmet_trace_parse_nvm_cmd(p, opcode, cdw10) :                  \
+        nvmet_trace_parse_admin_cmd(p, opcode, cdw10)))
+ 
+-const char *nvmet_trace_ctrl_name(struct trace_seq *p, struct nvmet_ctrl *ctrl);
+-#define __print_ctrl_name(ctrl)                               \
+-      nvmet_trace_ctrl_name(p, ctrl)
++const char *nvmet_trace_ctrl_id(struct trace_seq *p, u16 ctrl_id);
++#define __print_ctrl_id(ctrl_id)                      \
++      nvmet_trace_ctrl_id(p, ctrl_id)
+ 
+ const char *nvmet_trace_disk_name(struct trace_seq *p, char *name);
+ #define __print_disk_name(name)                               \
+       nvmet_trace_disk_name(p, name)
+ 
+ #ifndef TRACE_HEADER_MULTI_READ
+-static inline struct nvmet_ctrl *nvmet_req_to_ctrl(struct nvmet_req *req)
++static inline u16 nvmet_req_to_ctrl_id(struct nvmet_req *req)
+ {
+-      return req->sq->ctrl;
++      /*
++       * The queue and controller pointers are not valid until an association
++       * has been established.
++       */
++      if (!req->sq || !req->sq->ctrl)
++              return 0;
++      return req->sq->ctrl->cntlid;
+ }
+ 
+ static inline void __assign_req_name(char *name, struct nvmet_req *req)
+@@ -62,7 +68,7 @@ TRACE_EVENT(nvmet_req_init,
+       TP_ARGS(req, cmd),
+       TP_STRUCT__entry(
+               __field(struct nvme_command *, cmd)
+-              __field(struct nvmet_ctrl *, ctrl)
++              __field(u16, ctrl_id)
+               __array(char, disk, DISK_NAME_LEN)
+               __field(int, qid)
+               __field(u16, cid)
+@@ -75,7 +81,7 @@ TRACE_EVENT(nvmet_req_init,
+       ),
+       TP_fast_assign(
+               __entry->cmd = cmd;
+-              __entry->ctrl = nvmet_req_to_ctrl(req);
++              __entry->ctrl_id = nvmet_req_to_ctrl_id(req);
+               __assign_req_name(__entry->disk, req);
+               __entry->qid = req->sq->qid;
+               __entry->cid = cmd->common.command_id;
+@@ -89,7 +95,7 @@ TRACE_EVENT(nvmet_req_init,
+       ),
+       TP_printk("nvmet%s: %sqid=%d, cmdid=%u, nsid=%u, flags=%#x, "
+                 "meta=%#llx, cmd=(%s, %s)",
+-              __print_ctrl_name(__entry->ctrl),
++              __print_ctrl_id(__entry->ctrl_id),
+               __print_disk_name(__entry->disk),
+               __entry->qid, __entry->cid, __entry->nsid,
+               __entry->flags, __entry->metadata,
+@@ -103,7 +109,7 @@ TRACE_EVENT(nvmet_req_complete,
+       TP_PROTO(struct nvmet_req *req),
+       TP_ARGS(req),
+       TP_STRUCT__entry(
+-              __field(struct nvmet_ctrl *, ctrl)
++              __field(u16, ctrl_id)
+               __array(char, disk, DISK_NAME_LEN)
+               __field(int, qid)
+               __field(int, cid)
+@@ -111,7 +117,7 @@ TRACE_EVENT(nvmet_req_complete,
+               __field(u16, status)
+       ),
+       TP_fast_assign(
+-              __entry->ctrl = nvmet_req_to_ctrl(req);
++              __entry->ctrl_id = nvmet_req_to_ctrl_id(req);
+               __entry->qid = req->cq->qid;
+               __entry->cid = req->cqe->command_id;
+               __entry->result = le64_to_cpu(req->cqe->result.u64);
+@@ -119,7 +125,7 @@ TRACE_EVENT(nvmet_req_complete,
+               __assign_req_name(__entry->disk, req);
+       ),
+       TP_printk("nvmet%s: %sqid=%d, cmdid=%u, res=%#llx, status=%#x",
+-              __print_ctrl_name(__entry->ctrl),
++              __print_ctrl_id(__entry->ctrl_id),
+               __print_disk_name(__entry->disk),
+               __entry->qid, __entry->cid, __entry->result, __entry->status)
+ 
+-- 
+2.43.0
+

diff --git a/queue-5.15/openrisc-call-setup_memory-earlier-in-the-init-seque.patch b/queue-5.15/openrisc-call-setup_memory-earlier-in-the-init-seque.patch
new file mode 100644 (file)
index 0000000..abe92e1
--- /dev/null
+++ b/queue-5.15/openrisc-call-setup_memory-earlier-in-the-init-seque.patch
@@ -0,0 +1,54 @@
+From beae755abcc89c2b2d13c36f9f81c909f1e86912 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Feb 2024 16:29:30 -0800
+Subject: openrisc: Call setup_memory() earlier in the init sequence
+
+From: Oreoluwa Babatunde <quic_obabatun@quicinc.com>
+
+[ Upstream commit 7b432bf376c9c198a7ff48f1ed14a14c0ffbe1fe ]
+
+The unflatten_and_copy_device_tree() function contains a call to
+memblock_alloc(). This means that memblock is allocating memory before
+any of the reserved memory regions are set aside in the setup_memory()
+function which calls early_init_fdt_scan_reserved_mem(). Therefore,
+there is a possibility for memblock to allocate from any of the
+reserved memory regions.
+
+Hence, move the call to setup_memory() to be earlier in the init
+sequence so that the reserved memory regions are set aside before any
+allocations are done using memblock.
+
+Signed-off-by: Oreoluwa Babatunde <quic_obabatun@quicinc.com>
+Signed-off-by: Stafford Horne <shorne@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/openrisc/kernel/setup.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/openrisc/kernel/setup.c b/arch/openrisc/kernel/setup.c
+index 0cd04d936a7a1..f2fe45d3094df 100644
+--- a/arch/openrisc/kernel/setup.c
++++ b/arch/openrisc/kernel/setup.c
+@@ -270,6 +270,9 @@ void calibrate_delay(void)
+ 
+ void __init setup_arch(char **cmdline_p)
+ {
++      /* setup memblock allocator */
++      setup_memory();
++
+       unflatten_and_copy_device_tree();
+ 
+       setup_cpuinfo();
+@@ -293,9 +296,6 @@ void __init setup_arch(char **cmdline_p)
+       }
+ #endif
+ 
+-      /* setup memblock allocator */
+-      setup_memory();
+-
+       /* paging_init() sets up the MMU and marks all pages as reserved */
+       paging_init();
+ 
+-- 
+2.43.0
+

diff --git a/queue-5.15/parisc-use-irq_enter_rcu-to-fix-warning-at-kernel-co.patch b/queue-5.15/parisc-use-irq_enter_rcu-to-fix-warning-at-kernel-co.patch
new file mode 100644 (file)
index 0000000..e89a9f2
--- /dev/null
+++ b/queue-5.15/parisc-use-irq_enter_rcu-to-fix-warning-at-kernel-co.patch
@@ -0,0 +1,60 @@
+From 82a259a6ea51e54ae2732b6c7196018e2a9da64d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Nov 2023 23:16:00 +0100
+Subject: parisc: Use irq_enter_rcu() to fix warning at
+ kernel/context_tracking.c:367
+
+From: Helge Deller <deller@gmx.de>
+
+[ Upstream commit 73cb4a2d8d7e0259f94046116727084f21e4599f ]
+
+Use irq*_rcu() functions to fix this kernel warning:
+
+ WARNING: CPU: 0 PID: 0 at kernel/context_tracking.c:367 ct_irq_enter+0xa0/0xd0
+ Modules linked in:
+ CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.7.0-rc3-64bit+ #1037
+ Hardware name: 9000/785/C3700
+
+ IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000412cd758 00000000412cd75c
+  IIR: 03ffe01f    ISR: 0000000000000000  IOR: 0000000043c20c20
+  CPU:        0   CR30: 0000000041caa000 CR31: 0000000000000000
+  ORIG_R28: 0000000000000005
+  IAOQ[0]: ct_irq_enter+0xa0/0xd0
+  IAOQ[1]: ct_irq_enter+0xa4/0xd0
+  RP(r2): irq_enter+0x34/0x68
+ Backtrace:
+  [<000000004034a3ec>] irq_enter+0x34/0x68
+  [<000000004030dc48>] do_cpu_irq_mask+0xc0/0x450
+  [<0000000040303070>] intr_return+0x0/0xc
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/parisc/kernel/irq.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/parisc/kernel/irq.c b/arch/parisc/kernel/irq.c
+index 5d9044e65a1a6..04127377b7be8 100644
+--- a/arch/parisc/kernel/irq.c
++++ b/arch/parisc/kernel/irq.c
+@@ -518,7 +518,7 @@ void do_cpu_irq_mask(struct pt_regs *regs)
+ 
+       old_regs = set_irq_regs(regs);
+       local_irq_disable();
+-      irq_enter();
++      irq_enter_rcu();
+ 
+       eirr_val = mfctl(23) & cpu_eiem & per_cpu(local_ack_eiem, cpu);
+       if (!eirr_val)
+@@ -553,7 +553,7 @@ void do_cpu_irq_mask(struct pt_regs *regs)
+ #endif /* CONFIG_IRQSTACKS */
+ 
+  out:
+-      irq_exit();
++      irq_exit_rcu();
+       set_irq_regs(old_regs);
+       return;
+ 
+-- 
+2.43.0
+

diff --git a/queue-5.15/platform-x86-lg-laptop-fix-s-null-argument-warning.patch b/queue-5.15/platform-x86-lg-laptop-fix-s-null-argument-warning.patch
new file mode 100644 (file)
index 0000000..fbfb048
--- /dev/null
+++ b/queue-5.15/platform-x86-lg-laptop-fix-s-null-argument-warning.patch
@@ -0,0 +1,44 @@
+From ad82f18195a414427bb50425b3f86ec098333fb0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Apr 2024 16:34:27 +0200
+Subject: platform/x86: lg-laptop: fix %s null argument warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Gergo Koteles <soyer@irl.hu>
+
+[ Upstream commit e71c8481692582c70cdfd0996c20cdcc71e425d3 ]
+
+W=1 warns about null argument to kprintf:
+warning: ‘%s’ directive argument is null [-Wformat-overflow=]
+pr_info("product: %s  year: %d\n", product, year);
+
+Use "unknown" instead of NULL.
+
+Signed-off-by: Gergo Koteles <soyer@irl.hu>
+Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Link: https://lore.kernel.org/r/33d40e976f08f82b9227d0ecae38c787fcc0c0b2.1712154684.git.soyer@irl.hu
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/lg-laptop.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/lg-laptop.c b/drivers/platform/x86/lg-laptop.c
+index 5f9fbea8fc3c2..b374b0c7c62f6 100644
+--- a/drivers/platform/x86/lg-laptop.c
++++ b/drivers/platform/x86/lg-laptop.c
+@@ -665,7 +665,7 @@ static int acpi_add(struct acpi_device *device)
+               default:
+                       year = 2019;
+               }
+-      pr_info("product: %s  year: %d\n", product, year);
++      pr_info("product: %s  year: %d\n", product ?: "unknown", year);
+ 
+       if (year >= 2019)
+               battery_limit_use_wmbb = 1;
+-- 
+2.43.0
+

diff --git a/queue-5.15/powerpc-boot-handle-allocation-failure-in-simple_rea.patch b/queue-5.15/powerpc-boot-handle-allocation-failure-in-simple_rea.patch
new file mode 100644 (file)
index 0000000..5882465
--- /dev/null
+++ b/queue-5.15/powerpc-boot-handle-allocation-failure-in-simple_rea.patch
@@ -0,0 +1,39 @@
+From c0f241e9d10c01764c513f82dca023fe1f634238 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Dec 2022 10:18:16 +0800
+Subject: powerpc/boot: Handle allocation failure in simple_realloc()
+
+From: Li zeming <zeming@nfschina.com>
+
+[ Upstream commit 69b0194ccec033c208b071e019032c1919c2822d ]
+
+simple_malloc() will return NULL when there is not enough memory left.
+Check pointer 'new' before using it to copy the old data.
+
+Signed-off-by: Li zeming <zeming@nfschina.com>
+[mpe: Reword subject, use change log from Christophe]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20221219021816.3012-1-zeming@nfschina.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/boot/simple_alloc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/boot/simple_alloc.c b/arch/powerpc/boot/simple_alloc.c
+index 65ec135d01579..188c4f996512a 100644
+--- a/arch/powerpc/boot/simple_alloc.c
++++ b/arch/powerpc/boot/simple_alloc.c
+@@ -114,7 +114,9 @@ static void *simple_realloc(void *ptr, unsigned long size)
+               return ptr;
+ 
+       new = simple_malloc(size);
+-      memcpy(new, ptr, p->size);
++      if (new)
++              memcpy(new, ptr, p->size);
++
+       simple_free(ptr);
+       return new;
+ }
+-- 
+2.43.0
+

diff --git a/queue-5.15/powerpc-boot-only-free-if-realloc-succeeds.patch b/queue-5.15/powerpc-boot-only-free-if-realloc-succeeds.patch
new file mode 100644 (file)
index 0000000..a4e2b14
--- /dev/null
+++ b/queue-5.15/powerpc-boot-only-free-if-realloc-succeeds.patch
@@ -0,0 +1,43 @@
+From c9a96a40744485089dc00251f384ca979cdcfd05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Feb 2024 22:51:49 +1100
+Subject: powerpc/boot: Only free if realloc() succeeds
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit f2d5bccaca3e8c09c9b9c8485375f7bdbb2631d2 ]
+
+simple_realloc() frees the original buffer (ptr) even if the
+reallocation failed.
+
+Fix it to behave like standard realloc() and only free the original
+buffer if the reallocation succeeded.
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20240229115149.749264-1-mpe@ellerman.id.au
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/boot/simple_alloc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/boot/simple_alloc.c b/arch/powerpc/boot/simple_alloc.c
+index 188c4f996512a..bc99f75b8582d 100644
+--- a/arch/powerpc/boot/simple_alloc.c
++++ b/arch/powerpc/boot/simple_alloc.c
+@@ -114,10 +114,11 @@ static void *simple_realloc(void *ptr, unsigned long size)
+               return ptr;
+ 
+       new = simple_malloc(size);
+-      if (new)
++      if (new) {
+               memcpy(new, ptr, p->size);
++              simple_free(ptr);
++      }
+ 
+-      simple_free(ptr);
+       return new;
+ }
+ 
+-- 
+2.43.0
+

diff --git a/queue-5.15/powerpc-xics-check-return-value-of-kasprintf-in-icp_.patch b/queue-5.15/powerpc-xics-check-return-value-of-kasprintf-in-icp_.patch
new file mode 100644 (file)
index 0000000..ae5b784
--- /dev/null
+++ b/queue-5.15/powerpc-xics-check-return-value-of-kasprintf-in-icp_.patch
@@ -0,0 +1,38 @@
+From 819f020b291e9b822d9852747d4dbbe3ab11d37e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Nov 2023 11:06:51 +0800
+Subject: powerpc/xics: Check return value of kasprintf in
+ icp_native_map_one_cpu
+
+From: Kunwu Chan <chentao@kylinos.cn>
+
+[ Upstream commit 45b1ba7e5d1f6881050d558baf9bc74a2ae13930 ]
+
+kasprintf() returns a pointer to dynamically allocated memory
+which can be NULL upon failure. Ensure the allocation was successful
+by checking the pointer validity.
+
+Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20231122030651.3818-1-chentao@kylinos.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/sysdev/xics/icp-native.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/powerpc/sysdev/xics/icp-native.c b/arch/powerpc/sysdev/xics/icp-native.c
+index 7d13d2ef5a905..66de291b27d08 100644
+--- a/arch/powerpc/sysdev/xics/icp-native.c
++++ b/arch/powerpc/sysdev/xics/icp-native.c
+@@ -235,6 +235,8 @@ static int __init icp_native_map_one_cpu(int hw_id, unsigned long addr,
+       rname = kasprintf(GFP_KERNEL, "CPU %d [0x%x] Interrupt Presentation",
+                         cpu, hw_id);
+ 
++      if (!rname)
++              return -ENOMEM;
+       if (!request_mem_region(addr, size, rname)) {
+               pr_warn("icp_native: Could not reserve ICP MMIO for CPU %d, interrupt server #0x%x\n",
+                       cpu, hw_id);
+-- 
+2.43.0
+

diff --git a/queue-5.15/quota-remove-bug_on-from-dqget.patch b/queue-5.15/quota-remove-bug_on-from-dqget.patch
new file mode 100644 (file)
index 0000000..444b407
--- /dev/null
+++ b/queue-5.15/quota-remove-bug_on-from-dqget.patch
@@ -0,0 +1,40 @@
+From 89e7b676a536476331d05402512cd32dd64f2a52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Oct 2023 13:34:08 +0200
+Subject: quota: Remove BUG_ON from dqget()
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 249f374eb9b6b969c64212dd860cc1439674c4a8 ]
+
+dqget() checks whether dquot->dq_sb is set when returning it using
+BUG_ON. Firstly this doesn't work as an invalidation check for quite
+some time (we release dquot with dq_sb set these days), secondly using
+BUG_ON is quite harsh. Use WARN_ON_ONCE and check whether dquot is still
+hashed instead.
+
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/quota/dquot.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
+index edb414d3fd164..3b62fbcefa8c3 100644
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -995,9 +995,8 @@ struct dquot *dqget(struct super_block *sb, struct kqid qid)
+        * smp_mb__before_atomic() in dquot_acquire().
+        */
+       smp_rmb();
+-#ifdef CONFIG_QUOTA_DEBUG
+-      BUG_ON(!dquot->dq_sb);  /* Has somebody invalidated entry under us? */
+-#endif
++      /* Has somebody invalidated entry under us? */
++      WARN_ON_ONCE(hlist_unhashed(&dquot->dq_hash));
+ out:
+       if (empty)
+               do_destroy_dquot(empty);
+-- 
+2.43.0
+

diff --git a/queue-5.15/s390-iucv-fix-receive-buffer-virtual-vs-physical-add.patch b/queue-5.15/s390-iucv-fix-receive-buffer-virtual-vs-physical-add.patch
new file mode 100644 (file)
index 0000000..4f77168
--- /dev/null
+++ b/queue-5.15/s390-iucv-fix-receive-buffer-virtual-vs-physical-add.patch
@@ -0,0 +1,38 @@
+From d366a04d19ac722bfea3f0e309004c3eed27322e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Feb 2024 13:13:26 +0100
+Subject: s390/iucv: fix receive buffer virtual vs physical address confusion
+
+From: Alexander Gordeev <agordeev@linux.ibm.com>
+
+[ Upstream commit 4e8477aeb46dfe74e829c06ea588dd00ba20c8cc ]
+
+Fix IUCV_IPBUFLST-type buffers virtual vs physical address confusion.
+This does not fix a bug since virtual and physical address spaces are
+currently the same.
+
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/iucv/iucv.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c
+index 30fc78236050a..1a88ed72a7a97 100644
+--- a/net/iucv/iucv.c
++++ b/net/iucv/iucv.c
+@@ -1090,8 +1090,7 @@ static int iucv_message_receive_iprmdata(struct iucv_path *path,
+               size = (size < 8) ? size : 8;
+               for (array = buffer; size > 0; array++) {
+                       copy = min_t(size_t, size, array->length);
+-                      memcpy((u8 *)(addr_t) array->address,
+-                              rmmsg, copy);
++                      memcpy(phys_to_virt(array->address), rmmsg, copy);
+                       rmmsg += copy;
+                       size -= copy;
+               }
+-- 
+2.43.0
+

diff --git a/queue-5.15/scsi-lpfc-initialize-status-local-variable-in-lpfc_s.patch b/queue-5.15/scsi-lpfc-initialize-status-local-variable-in-lpfc_s.patch
new file mode 100644 (file)
index 0000000..2218bd7
--- /dev/null
+++ b/queue-5.15/scsi-lpfc-initialize-status-local-variable-in-lpfc_s.patch
@@ -0,0 +1,41 @@
+From f084306f8cb93ef17293c48246fca19ad4d0bab1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jan 2024 10:50:56 -0800
+Subject: scsi: lpfc: Initialize status local variable in
+ lpfc_sli4_repost_sgl_list()
+
+From: Justin Tee <justin.tee@broadcom.com>
+
+[ Upstream commit 3d0f9342ae200aa1ddc4d6e7a573c6f8f068d994 ]
+
+A static code analyzer tool indicates that the local variable called status
+in the lpfc_sli4_repost_sgl_list() routine could be used to print garbage
+uninitialized values in the routine's log message.
+
+Fix by initializing to zero.
+
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Link: https://lore.kernel.org/r/20240131185112.149731-2-justintee8345@gmail.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_sli.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
+index 30bc72324f068..68b015bb6d157 100644
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -7490,7 +7490,7 @@ lpfc_sli4_repost_sgl_list(struct lpfc_hba *phba,
+       struct lpfc_sglq *sglq_entry = NULL;
+       struct lpfc_sglq *sglq_entry_next = NULL;
+       struct lpfc_sglq *sglq_entry_first = NULL;
+-      int status, total_cnt;
++      int status = 0, total_cnt;
+       int post_cnt = 0, num_posted = 0, block_cnt = 0;
+       int last_xritag = NO_XRI;
+       LIST_HEAD(prep_sgl_list);
+-- 
+2.43.0
+

diff --git a/queue-5.15/serial-pch-don-t-disable-interrupts-while-acquiring-.patch b/queue-5.15/serial-pch-don-t-disable-interrupts-while-acquiring-.patch
new file mode 100644 (file)
index 0000000..df618d8
--- /dev/null
+++ b/queue-5.15/serial-pch-don-t-disable-interrupts-while-acquiring-.patch
@@ -0,0 +1,52 @@
+From 333c74d574bb988fa14d20dc98e5a5abe38d83e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Mar 2024 22:45:28 +0100
+Subject: serial: pch: Don't disable interrupts while acquiring lock in ISR.
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit f8ff23ebce8c305383c8070e1ea3b08a69eb1e8d ]
+
+The interrupt service routine is always invoked with disabled
+interrupts.
+
+Remove the _irqsave() from the locking functions in the interrupts
+service routine/ pch_uart_interrupt().
+
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Link: https://lore.kernel.org/r/20240301215246.891055-16-bigeasy@linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/pch_uart.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/tty/serial/pch_uart.c b/drivers/tty/serial/pch_uart.c
+index e783a4225bf04..932e978b5497e 100644
+--- a/drivers/tty/serial/pch_uart.c
++++ b/drivers/tty/serial/pch_uart.c
+@@ -1066,11 +1066,10 @@ static irqreturn_t pch_uart_interrupt(int irq, void *dev_id)
+       u8 lsr;
+       int ret = 0;
+       unsigned char iid;
+-      unsigned long flags;
+       int next = 1;
+       u8 msr;
+ 
+-      spin_lock_irqsave(&priv->lock, flags);
++      spin_lock(&priv->lock);
+       handled = 0;
+       while (next) {
+               iid = pch_uart_hal_get_iid(priv);
+@@ -1130,7 +1129,7 @@ static irqreturn_t pch_uart_interrupt(int irq, void *dev_id)
+               handled |= (unsigned int)ret;
+       }
+ 
+-      spin_unlock_irqrestore(&priv->lock, flags);
++      spin_unlock(&priv->lock);
+       return IRQ_RETVAL(handled);
+ }
+ 
+-- 
+2.43.0
+

diff --git a/queue-5.15/series b/queue-5.15/series
index dec4090464689bf9f159a5db929ee1fd842827cc..a70d5435c92b6fcac4a81df75cb6b69723832fd6 100644 (file)
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -62,3 +62,47 @@ wifi-iwlwifi-fw-fix-debugfs-command-sending.patch
 ib-hfi1-fix-potential-deadlock-on-irq_src_lock-and-d.patch
 hwmon-ltc2992-avoid-division-by-zero.patch
 arm64-fix-kasan-random-tag-seed-initialization.patch
+memory-tegra-skip-sid-programming-if-sid-registers-a.patch
+powerpc-xics-check-return-value-of-kasprintf-in-icp_.patch
+nvmet-trace-avoid-dereferencing-pointer-too-early.patch
+ext4-do-not-trim-the-group-with-corrupted-block-bitm.patch
+afs-fix-__afs_break_callback-afs_drop_open_mmap-race.patch
+fuse-fix-uaf-in-rcu-pathwalks.patch
+quota-remove-bug_on-from-dqget.patch
+media-pci-cx23885-check-cx23885_vdev_init-return.patch
+fs-binfmt_elf_efpic-don-t-use-missing-interpreter-s-.patch
+scsi-lpfc-initialize-status-local-variable-in-lpfc_s.patch
+media-drivers-media-dvb-core-copy-user-arrays-safely.patch
+net-sun3_82586-avoid-reading-past-buffer-in-debug-ou.patch
+drm-lima-set-gp-bus_stop-bit-before-hard-reset.patch
+virtiofs-forbid-newlines-in-tags.patch
+clocksource-drivers-arm_global_timer-guard-against-d.patch
+netlink-hold-nlk-cb_mutex-longer-in-__netlink_dump_s.patch
+md-clean-up-invalid-bug_on-in-md_ioctl.patch
+x86-increase-brk-randomness-entropy-for-64-bit-syste.patch
+memory-stm32-fmc2-ebi-check-regmap_read-return-value.patch
+parisc-use-irq_enter_rcu-to-fix-warning-at-kernel-co.patch
+serial-pch-don-t-disable-interrupts-while-acquiring-.patch
+powerpc-boot-handle-allocation-failure-in-simple_rea.patch
+powerpc-boot-only-free-if-realloc-succeeds.patch
+btrfs-change-bug_on-to-assertion-when-checking-for-d.patch
+btrfs-handle-invalid-root-reference-found-in-may_des.patch
+btrfs-send-handle-unexpected-data-in-header-buffer-i.patch
+btrfs-change-bug_on-to-assertion-in-tree_move_down.patch
+btrfs-delete-pointless-bug_on-check-on-quota-root-in.patch
+f2fs-fix-to-do-sanity-check-in-update_sit_entry.patch
+usb-gadget-fsl-increase-size-of-name-buffer-for-endp.patch
+bluetooth-bnep-fix-out-of-bound-access.patch
+net-hns3-add-checking-for-vf-id-of-mailbox.patch
+nvmet-tcp-do-not-continue-for-invalid-icreq.patch
+nfs-avoid-infinite-loop-in-pnfs_update_layout.patch
+openrisc-call-setup_memory-earlier-in-the-init-seque.patch
+s390-iucv-fix-receive-buffer-virtual-vs-physical-add.patch
+clocksource-make-watchdog-and-suspend-timing-multipl.patch
+platform-x86-lg-laptop-fix-s-null-argument-warning.patch
+usb-dwc3-core-skip-setting-event-buffers-for-host-on.patch
+fbdev-offb-replace-of_node_put-with-__free-device_no.patch
+irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch
+ext4-set-the-type-of-max_zeroout-to-unsigned-int-to-.patch
+nvmet-rdma-fix-possible-bad-dereference-when-freeing.patch
+hrtimer-prevent-queuing-of-hrtimer-without-a-functio.patch

diff --git a/queue-5.15/usb-dwc3-core-skip-setting-event-buffers-for-host-on.patch b/queue-5.15/usb-dwc3-core-skip-setting-event-buffers-for-host-on.patch
new file mode 100644 (file)
index 0000000..73f3fd1
--- /dev/null
+++ b/queue-5.15/usb-dwc3-core-skip-setting-event-buffers-for-host-on.patch
@@ -0,0 +1,71 @@
+From da5733ff91ab2f534e420bd0a6868a14719ca5b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Apr 2024 10:18:55 +0530
+Subject: usb: dwc3: core: Skip setting event buffers for host only controllers
+
+From: Krishna Kurapati <quic_kriskura@quicinc.com>
+
+[ Upstream commit 89d7f962994604a3e3d480832788d06179abefc5 ]
+
+On some SoC's like SA8295P where the tertiary controller is host-only
+capable, GEVTADDRHI/LO, GEVTSIZ, GEVTCOUNT registers are not accessible.
+Trying to access them leads to a crash.
+
+For DRD/Peripheral supported controllers, event buffer setup is done
+again in gadget_pullup. Skip setup or cleanup of event buffers if
+controller is host-only capable.
+
+Suggested-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Krishna Kurapati <quic_kriskura@quicinc.com>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Bjorn Andersson <andersson@kernel.org>
+Tested-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20240420044901.884098-4-quic_kriskura@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/core.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
+index 1dc417da1a0fe..26eaeb7a0301b 100644
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -430,6 +430,13 @@ static void dwc3_free_event_buffers(struct dwc3 *dwc)
+ static int dwc3_alloc_event_buffers(struct dwc3 *dwc, unsigned length)
+ {
+       struct dwc3_event_buffer *evt;
++      unsigned int hw_mode;
++
++      hw_mode = DWC3_GHWPARAMS0_MODE(dwc->hwparams.hwparams0);
++      if (hw_mode == DWC3_GHWPARAMS0_MODE_HOST) {
++              dwc->ev_buf = NULL;
++              return 0;
++      }
+ 
+       evt = dwc3_alloc_one_event_buffer(dwc, length);
+       if (IS_ERR(evt)) {
+@@ -451,6 +458,9 @@ int dwc3_event_buffers_setup(struct dwc3 *dwc)
+ {
+       struct dwc3_event_buffer        *evt;
+ 
++      if (!dwc->ev_buf)
++              return 0;
++
+       evt = dwc->ev_buf;
+       evt->lpos = 0;
+       dwc3_writel(dwc->regs, DWC3_GEVNTADRLO(0),
+@@ -468,6 +478,9 @@ void dwc3_event_buffers_cleanup(struct dwc3 *dwc)
+ {
+       struct dwc3_event_buffer        *evt;
+ 
++      if (!dwc->ev_buf)
++              return;
++
+       evt = dwc->ev_buf;
+ 
+       evt->lpos = 0;
+-- 
+2.43.0
+

diff --git a/queue-5.15/usb-gadget-fsl-increase-size-of-name-buffer-for-endp.patch b/queue-5.15/usb-gadget-fsl-increase-size-of-name-buffer-for-endp.patch
new file mode 100644 (file)
index 0000000..118f987
--- /dev/null
+++ b/queue-5.15/usb-gadget-fsl-increase-size-of-name-buffer-for-endp.patch
@@ -0,0 +1,40 @@
+From 22b9a1c86b63a81c95483940476a9d7d7124258e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Feb 2024 18:33:16 +0100
+Subject: usb: gadget: fsl: Increase size of name buffer for endpoints
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 87850f6cc20911e35eafcbc1d56b0d649ae9162d ]
+
+This fixes a W=1 warning about sprintf writing up to 16 bytes into a
+buffer of size 14. There is no practical relevance because there are not
+more than 32 endpoints.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Link: https://lore.kernel.org/r/6754df25c56aae04f8110594fad2cd2452b1862a.1708709120.git.u.kleine-koenig@pengutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/fsl_udc_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/fsl_udc_core.c b/drivers/usb/gadget/udc/fsl_udc_core.c
+index 29fcb9b461d71..abe7c9a6ce234 100644
+--- a/drivers/usb/gadget/udc/fsl_udc_core.c
++++ b/drivers/usb/gadget/udc/fsl_udc_core.c
+@@ -2485,7 +2485,7 @@ static int fsl_udc_probe(struct platform_device *pdev)
+       /* setup the udc->eps[] for non-control endpoints and link
+        * to gadget.ep_list */
+       for (i = 1; i < (int)(udc_controller->max_ep / 2); i++) {
+-              char name[14];
++              char name[16];
+ 
+               sprintf(name, "ep%dout", i);
+               struct_ep_setup(udc_controller, i * 2, name, 1);
+-- 
+2.43.0
+

diff --git a/queue-5.15/virtiofs-forbid-newlines-in-tags.patch b/queue-5.15/virtiofs-forbid-newlines-in-tags.patch
new file mode 100644 (file)
index 0000000..2f311c4
--- /dev/null
+++ b/queue-5.15/virtiofs-forbid-newlines-in-tags.patch
@@ -0,0 +1,44 @@
+From d49d76a586b7dc3d97822c2163f0debddc042a56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Feb 2024 19:11:47 -0500
+Subject: virtiofs: forbid newlines in tags
+
+From: Stefan Hajnoczi <stefanha@redhat.com>
+
+[ Upstream commit 40488cc16f7ea0d193a4e248f0d809c25cc377db ]
+
+Newlines in virtiofs tags are awkward for users and potential vectors
+for string injection attacks.
+
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fuse/virtio_fs.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/fs/fuse/virtio_fs.c b/fs/fuse/virtio_fs.c
+index 94fc874f5de7f..a4deacc6f78c7 100644
+--- a/fs/fuse/virtio_fs.c
++++ b/fs/fuse/virtio_fs.c
+@@ -310,6 +310,16 @@ static int virtio_fs_read_tag(struct virtio_device *vdev, struct virtio_fs *fs)
+               return -ENOMEM;
+       memcpy(fs->tag, tag_buf, len);
+       fs->tag[len] = '\0';
++
++      /* While the VIRTIO specification allows any character, newlines are
++       * awkward on mount(8) command-lines and cause problems in the sysfs
++       * "tag" attr and uevent TAG= properties. Forbid them.
++       */
++      if (strchr(fs->tag, '\n')) {
++              dev_dbg(&vdev->dev, "refusing virtiofs tag with newline character\n");
++              return -EINVAL;
++      }
++
+       return 0;
+ }
+ 
+-- 
+2.43.0
+

diff --git a/queue-5.15/x86-increase-brk-randomness-entropy-for-64-bit-syste.patch b/queue-5.15/x86-increase-brk-randomness-entropy-for-64-bit-syste.patch
new file mode 100644 (file)
index 0000000..c33e79c
--- /dev/null
+++ b/queue-5.15/x86-increase-brk-randomness-entropy-for-64-bit-syste.patch
@@ -0,0 +1,47 @@
+From 31c46a2b61935e613954aadd9e1b4373e5841f90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Feb 2024 22:25:43 -0800
+Subject: x86: Increase brk randomness entropy for 64-bit systems
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 44c76825d6eefee9eb7ce06c38e1a6632ac7eb7d ]
+
+In commit c1d171a00294 ("x86: randomize brk"), arch_randomize_brk() was
+defined to use a 32MB range (13 bits of entropy), but was never increased
+when moving to 64-bit. The default arch_randomize_brk() uses 32MB for
+32-bit tasks, and 1GB (18 bits of entropy) for 64-bit tasks.
+
+Update x86_64 to match the entropy used by arm64 and other 64-bit
+architectures.
+
+Reported-by: y0un9n132@gmail.com
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Jiri Kosina <jkosina@suse.com>
+Closes: https://lore.kernel.org/linux-hardening/CA+2EKTVLvc8hDZc+2Yhwmus=dzOUG5E4gV7ayCbu0MPJTZzWkw@mail.gmail.com/
+Link: https://lore.kernel.org/r/20240217062545.1631668-1-keescook@chromium.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/process.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index e6b28c689e9a9..720d99520316a 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -937,7 +937,10 @@ unsigned long arch_align_stack(unsigned long sp)
+ 
+ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+-      return randomize_page(mm->brk, 0x02000000);
++      if (mmap_is_ia32())
++              return randomize_page(mm->brk, SZ_32M);
++
++      return randomize_page(mm->brk, SZ_1G);
+ }
+ 
+ /*
+-- 
+2.43.0
+