+++ /dev/null
-From e7805ff8132c7c79fd75013d6fded2144f55e198 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 8 May 2024 12:13:13 +0200
-Subject: bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD
-
-From: Jose E. Marchesi <jose.marchesi@oracle.com>
-
-[ Upstream commit 009367099eb61a4fc2af44d4eb06b6b4de7de6db ]
-
-[Changes from V1:
- - Use a default branch in the switch statement to initialize `val'.]
-
-GCC warns that `val' may be used uninitialized in the
-BPF_CRE_READ_BITFIELD macro, defined in bpf_core_read.h as:
-
- [...]
- unsigned long long val; \
- [...] \
- switch (__CORE_RELO(s, field, BYTE_SIZE)) { \
- case 1: val = *(const unsigned char *)p; break; \
- case 2: val = *(const unsigned short *)p; break; \
- case 4: val = *(const unsigned int *)p; break; \
- case 8: val = *(const unsigned long long *)p; break; \
- } \
- [...]
- val; \
- } \
-
-This patch adds a default entry in the switch statement that sets
-`val' to zero in order to avoid the warning, and random values to be
-used in case __builtin_preserve_field_info returns unexpected values
-for BPF_FIELD_BYTE_SIZE.
-
-Tested in bpf-next master.
-No regressions.
-
-Signed-off-by: Jose E. Marchesi <jose.marchesi@oracle.com>
-Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
-Link: https://lore.kernel.org/bpf/20240508101313.16662-1-jose.marchesi@oracle.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- tools/lib/bpf/bpf_core_read.h | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/tools/lib/bpf/bpf_core_read.h b/tools/lib/bpf/bpf_core_read.h
-index 1ac57bb7ac55f..e2b9e8415c044 100644
---- a/tools/lib/bpf/bpf_core_read.h
-+++ b/tools/lib/bpf/bpf_core_read.h
-@@ -102,6 +102,7 @@ enum bpf_enum_value_kind {
- case 2: val = *(const unsigned short *)p; break; \
- case 4: val = *(const unsigned int *)p; break; \
- case 8: val = *(const unsigned long long *)p; break; \
-+ default: val = 0; break; \
- } \
- val <<= __CORE_RELO(s, field, LSHIFT_U64); \
- if (__CORE_RELO(s, field, SIGNED)) \
---
-2.43.0
-
+++ /dev/null
-From 9689d29e2b13030fc6aed3f933fd68db5ee24d66 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 7 May 2024 10:34:17 +0800
-Subject: btrfs: scrub: initialize ret in scrub_simple_mirror() to fix
- compilation warning
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Lu Yao <yaolu@kylinos.cn>
-
-[ Upstream commit b4e585fffc1cf877112ed231a91f089e85688c2a ]
-
-The following error message is displayed:
- ../fs/btrfs/scrub.c:2152:9: error: ‘ret’ may be used uninitialized
- in this function [-Werror=maybe-uninitialized]"
-
-Compiler version: gcc version: (Debian 10.2.1-6) 10.2.1 20210110
-
-Reviewed-by: Boris Burkov <boris@bur.io>
-Signed-off-by: Lu Yao <yaolu@kylinos.cn>
-Reviewed-by: David Sterba <dsterba@suse.com>
-Signed-off-by: David Sterba <dsterba@suse.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/btrfs/scrub.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/fs/btrfs/scrub.c b/fs/btrfs/scrub.c
-index 819973c37a148..a2d91d9f8a109 100644
---- a/fs/btrfs/scrub.c
-+++ b/fs/btrfs/scrub.c
-@@ -2020,7 +2020,7 @@ static int scrub_simple_mirror(struct scrub_ctx *sctx,
- struct btrfs_fs_info *fs_info = sctx->fs_info;
- const u64 logical_end = logical_start + logical_length;
- u64 cur_logical = logical_start;
-- int ret;
-+ int ret = 0;
-
- /* The range must be inside the bg */
- ASSERT(logical_start >= bg->start && logical_end <= bg->start + bg->length);
---
-2.43.0
-
+++ /dev/null
-From 1694a095b0798411ee8c1bbd6e7e52323d2f7156 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 7 May 2024 23:25:20 +0100
-Subject: cdrom: rearrange last_media_change check to avoid unintentional
- overflow
-
-From: Justin Stitt <justinstitt@google.com>
-
-[ Upstream commit efb905aeb44b0e99c0e6b07865b1885ae0471ebf ]
-
-When running syzkaller with the newly reintroduced signed integer wrap
-sanitizer we encounter this splat:
-
-[ 366.015950] UBSAN: signed-integer-overflow in ../drivers/cdrom/cdrom.c:2361:33
-[ 366.021089] -9223372036854775808 - 346321 cannot be represented in type '__s64' (aka 'long long')
-[ 366.025894] program syz-executor.4 is using a deprecated SCSI ioctl, please convert it to SG_IO
-[ 366.027502] CPU: 5 PID: 28472 Comm: syz-executor.7 Not tainted 6.8.0-rc2-00035-gb3ef86b5a957 #1
-[ 366.027512] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
-[ 366.027518] Call Trace:
-[ 366.027523] <TASK>
-[ 366.027533] dump_stack_lvl+0x93/0xd0
-[ 366.027899] handle_overflow+0x171/0x1b0
-[ 366.038787] ata1.00: invalid multi_count 32 ignored
-[ 366.043924] cdrom_ioctl+0x2c3f/0x2d10
-[ 366.063932] ? __pm_runtime_resume+0xe6/0x130
-[ 366.071923] sr_block_ioctl+0x15d/0x1d0
-[ 366.074624] ? __pfx_sr_block_ioctl+0x10/0x10
-[ 366.077642] blkdev_ioctl+0x419/0x500
-[ 366.080231] ? __pfx_blkdev_ioctl+0x10/0x10
-...
-
-Historically, the signed integer overflow sanitizer did not work in the
-kernel due to its interaction with `-fwrapv` but this has since been
-changed [1] in the newest version of Clang. It was re-enabled in the
-kernel with Commit 557f8c582a9ba8ab ("ubsan: Reintroduce signed overflow
-sanitizer").
-
-Let's rearrange the check to not perform any arithmetic, thus not
-tripping the sanitizer.
-
-Link: https://github.com/llvm/llvm-project/pull/82432 [1]
-Closes: https://github.com/KSPP/linux/issues/354
-Cc: linux-hardening@vger.kernel.org
-Signed-off-by: Justin Stitt <justinstitt@google.com>
-Link: https://lore.kernel.org/lkml/20240507-b4-sio-ata1-v1-1-810ffac6080a@google.com
-Reviewed-by: Phillip Potter <phil@philpotter.co.uk>
-Link: https://lore.kernel.org/lkml/ZjqU0fbzHrlnad8D@equinox
-Signed-off-by: Phillip Potter <phil@philpotter.co.uk>
-Link: https://lore.kernel.org/r/20240507222520.1445-2-phil@philpotter.co.uk
-Signed-off-by: Jens Axboe <axboe@kernel.dk>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/cdrom/cdrom.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
-index cc28398059833..01f46caf1f88b 100644
---- a/drivers/cdrom/cdrom.c
-+++ b/drivers/cdrom/cdrom.c
-@@ -2358,7 +2358,7 @@ static int cdrom_ioctl_timed_media_change(struct cdrom_device_info *cdi,
- return -EFAULT;
-
- tmp_info.media_flags = 0;
-- if (tmp_info.last_media_change - cdi->last_media_change_ms < 0)
-+ if (cdi->last_media_change_ms > tmp_info.last_media_change)
- tmp_info.media_flags |= MEDIA_CHANGED_FLAG;
-
- tmp_info.last_media_change = cdi->last_media_change_ms;
---
-2.43.0
-
+++ /dev/null
-From 8e156e3e598e198551948f96cd9efac1de7abdab Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 15 Apr 2024 22:19:15 +0000
-Subject: crypto: aead,cipher - zeroize key buffer after use
-
-From: Hailey Mothershead <hailmo@amazon.com>
-
-[ Upstream commit 23e4099bdc3c8381992f9eb975c79196d6755210 ]
-
-I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding
-cryptographic information should be zeroized once they are no longer
-needed. Accomplish this by using kfree_sensitive for buffers that
-previously held the private key.
-
-Signed-off-by: Hailey Mothershead <hailmo@amazon.com>
-Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- crypto/aead.c | 3 +--
- crypto/cipher.c | 3 +--
- 2 files changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/crypto/aead.c b/crypto/aead.c
-index d5ba204ebdbfa..ecab683016b7d 100644
---- a/crypto/aead.c
-+++ b/crypto/aead.c
-@@ -45,8 +45,7 @@ static int setkey_unaligned(struct crypto_aead *tfm, const u8 *key,
- alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1);
- memcpy(alignbuffer, key, keylen);
- ret = crypto_aead_alg(tfm)->setkey(tfm, alignbuffer, keylen);
-- memset(alignbuffer, 0, keylen);
-- kfree(buffer);
-+ kfree_sensitive(buffer);
- return ret;
- }
-
-diff --git a/crypto/cipher.c b/crypto/cipher.c
-index 47c77a3e59783..40cae908788ec 100644
---- a/crypto/cipher.c
-+++ b/crypto/cipher.c
-@@ -34,8 +34,7 @@ static int setkey_unaligned(struct crypto_cipher *tfm, const u8 *key,
- alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1);
- memcpy(alignbuffer, key, keylen);
- ret = cia->cia_setkey(crypto_cipher_tfm(tfm), alignbuffer, keylen);
-- memset(alignbuffer, 0, keylen);
-- kfree(buffer);
-+ kfree_sensitive(buffer);
- return ret;
-
- }
---
-2.43.0
-
+++ /dev/null
-From 1328f0a9c093ccdf1dd690c6155514a1782d5065 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sun, 7 Apr 2024 15:59:53 +0800
-Subject: crypto: hisilicon/debugfs - Fix debugfs uninit process issue
-
-From: Chenghai Huang <huangchenghai2@huawei.com>
-
-[ Upstream commit 8be0913389718e8d27c4f1d4537b5e1b99ed7739 ]
-
-During the zip probe process, the debugfs failure does not stop
-the probe. When debugfs initialization fails, jumping to the
-error branch will also release regs, in addition to its own
-rollback operation.
-
-As a result, it may be released repeatedly during the regs
-uninit process. Therefore, the null check needs to be added to
-the regs uninit process.
-
-Signed-off-by: Chenghai Huang <huangchenghai2@huawei.com>
-Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/crypto/hisilicon/debugfs.c | 21 ++++++++++++++++++---
- 1 file changed, 18 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/crypto/hisilicon/debugfs.c b/drivers/crypto/hisilicon/debugfs.c
-index 2cc1591949db7..bd205f1f2279e 100644
---- a/drivers/crypto/hisilicon/debugfs.c
-+++ b/drivers/crypto/hisilicon/debugfs.c
-@@ -794,8 +794,14 @@ static void dfx_regs_uninit(struct hisi_qm *qm,
- {
- int i;
-
-+ if (!dregs)
-+ return;
-+
- /* Setting the pointer is NULL to prevent double free */
- for (i = 0; i < reg_len; i++) {
-+ if (!dregs[i].regs)
-+ continue;
-+
- kfree(dregs[i].regs);
- dregs[i].regs = NULL;
- }
-@@ -845,14 +851,21 @@ static struct dfx_diff_registers *dfx_regs_init(struct hisi_qm *qm,
- static int qm_diff_regs_init(struct hisi_qm *qm,
- struct dfx_diff_registers *dregs, u32 reg_len)
- {
-+ int ret;
-+
- qm->debug.qm_diff_regs = dfx_regs_init(qm, qm_diff_regs, ARRAY_SIZE(qm_diff_regs));
-- if (IS_ERR(qm->debug.qm_diff_regs))
-- return PTR_ERR(qm->debug.qm_diff_regs);
-+ if (IS_ERR(qm->debug.qm_diff_regs)) {
-+ ret = PTR_ERR(qm->debug.qm_diff_regs);
-+ qm->debug.qm_diff_regs = NULL;
-+ return ret;
-+ }
-
- qm->debug.acc_diff_regs = dfx_regs_init(qm, dregs, reg_len);
- if (IS_ERR(qm->debug.acc_diff_regs)) {
- dfx_regs_uninit(qm, qm->debug.qm_diff_regs, ARRAY_SIZE(qm_diff_regs));
-- return PTR_ERR(qm->debug.acc_diff_regs);
-+ ret = PTR_ERR(qm->debug.acc_diff_regs);
-+ qm->debug.acc_diff_regs = NULL;
-+ return ret;
- }
-
- return 0;
-@@ -893,7 +906,9 @@ static int qm_last_regs_init(struct hisi_qm *qm)
- static void qm_diff_regs_uninit(struct hisi_qm *qm, u32 reg_len)
- {
- dfx_regs_uninit(qm, qm->debug.acc_diff_regs, reg_len);
-+ qm->debug.acc_diff_regs = NULL;
- dfx_regs_uninit(qm, qm->debug.qm_diff_regs, ARRAY_SIZE(qm_diff_regs));
-+ qm->debug.qm_diff_regs = NULL;
- }
-
- /**
---
-2.43.0
-
+++ /dev/null
-From 047879bfdfe4d15d7bad3c30b5c32e190f0e29f4 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 18 Apr 2024 13:27:43 -0600
-Subject: drm/amd/display: Check index msg_id before read or write
-
-From: Alex Hung <alex.hung@amd.com>
-
-[ Upstream commit 59d99deb330af206a4541db0c4da8f73880fba03 ]
-
-[WHAT]
-msg_id is used as an array index and it cannot be a negative value, and
-therefore cannot be equal to MOD_HDCP_MESSAGE_ID_INVALID (-1).
-
-[HOW]
-Check whether msg_id is valid before reading and setting.
-
-This fixes 4 OVERRUN issues reported by Coverity.
-
-Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
-Acked-by: Wayne Lin <wayne.lin@amd.com>
-Signed-off-by: Alex Hung <alex.hung@amd.com>
-Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c
-index f7b5583ee609a..8e9caae7c9559 100644
---- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c
-+++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c
-@@ -156,6 +156,10 @@ static enum mod_hdcp_status read(struct mod_hdcp *hdcp,
- uint32_t cur_size = 0;
- uint32_t data_offset = 0;
-
-+ if (msg_id == MOD_HDCP_MESSAGE_ID_INVALID) {
-+ return MOD_HDCP_STATUS_DDC_FAILURE;
-+ }
-+
- if (is_dp_hdcp(hdcp)) {
- while (buf_len > 0) {
- cur_size = MIN(buf_len, HDCP_MAX_AUX_TRANSACTION_SIZE);
-@@ -215,6 +219,10 @@ static enum mod_hdcp_status write(struct mod_hdcp *hdcp,
- uint32_t cur_size = 0;
- uint32_t data_offset = 0;
-
-+ if (msg_id == MOD_HDCP_MESSAGE_ID_INVALID) {
-+ return MOD_HDCP_STATUS_DDC_FAILURE;
-+ }
-+
- if (is_dp_hdcp(hdcp)) {
- while (buf_len > 0) {
- cur_size = MIN(buf_len, HDCP_MAX_AUX_TRANSACTION_SIZE);
---
-2.43.0
-
+++ /dev/null
-From cc600cbe99032c802db435622d27aa5e417f3089 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 22 Apr 2024 18:07:17 -0600
-Subject: drm/amd/display: Check pipe offset before setting vblank
-
-From: Alex Hung <alex.hung@amd.com>
-
-[ Upstream commit 5396a70e8cf462ec5ccf2dc8de103c79de9489e6 ]
-
-pipe_ctx has a size of MAX_PIPES so checking its index before accessing
-the array.
-
-This fixes an OVERRUN issue reported by Coverity.
-
-Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
-Acked-by: Wayne Lin <wayne.lin@amd.com>
-Signed-off-by: Alex Hung <alex.hung@amd.com>
-Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- .../drm/amd/display/dc/irq/dce110/irq_service_dce110.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/gpu/drm/amd/display/dc/irq/dce110/irq_service_dce110.c b/drivers/gpu/drm/amd/display/dc/irq/dce110/irq_service_dce110.c
-index 44649db5f3e32..5646b7788f02e 100644
---- a/drivers/gpu/drm/amd/display/dc/irq/dce110/irq_service_dce110.c
-+++ b/drivers/gpu/drm/amd/display/dc/irq/dce110/irq_service_dce110.c
-@@ -211,8 +211,12 @@ bool dce110_vblank_set(struct irq_service *irq_service,
- info->ext_id);
- uint8_t pipe_offset = dal_irq_src - IRQ_TYPE_VBLANK;
-
-- struct timing_generator *tg =
-- dc->current_state->res_ctx.pipe_ctx[pipe_offset].stream_res.tg;
-+ struct timing_generator *tg;
-+
-+ if (pipe_offset >= MAX_PIPES)
-+ return false;
-+
-+ tg = dc->current_state->res_ctx.pipe_ctx[pipe_offset].stream_res.tg;
-
- if (enable) {
- if (!tg || !tg->funcs->arm_vert_intr(tg, 2)) {
---
-2.43.0
-
+++ /dev/null
-From bd4555f3068e7291c7320352eb90109d0d95fa7d Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 15 Apr 2024 19:02:56 -0600
-Subject: drm/amd/display: Fix uninitialized variables in DM
-
-From: Alex Hung <alex.hung@amd.com>
-
-[ Upstream commit f95bcb041f213a5da3da5fcaf73269bd13dba945 ]
-
-This fixes 11 UNINIT issues reported by Coverity.
-
-Reviewed-by: Hersen Wu <hersenxs.wu@amd.com>
-Acked-by: Wayne Lin <wayne.lin@amd.com>
-Signed-off-by: Alex Hung <alex.hung@amd.com>
-Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 8 ++++----
- drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 4 ++--
- 2 files changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
-index 7ed6bb61fe0ad..c1a0fd47802a0 100644
---- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
-+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
-@@ -264,7 +264,7 @@ static u32 dm_vblank_get_counter(struct amdgpu_device *adev, int crtc)
- static int dm_crtc_get_scanoutpos(struct amdgpu_device *adev, int crtc,
- u32 *vbl, u32 *position)
- {
-- u32 v_blank_start, v_blank_end, h_position, v_position;
-+ u32 v_blank_start = 0, v_blank_end = 0, h_position = 0, v_position = 0;
- struct amdgpu_crtc *acrtc = NULL;
-
- if ((crtc < 0) || (crtc >= adev->mode_info.num_crtc))
-@@ -801,7 +801,7 @@ static void dm_handle_hpd_work(struct work_struct *work)
- */
- static void dm_dmub_outbox1_low_irq(void *interrupt_params)
- {
-- struct dmub_notification notify;
-+ struct dmub_notification notify = {0};
- struct common_irq_params *irq_params = interrupt_params;
- struct amdgpu_device *adev = irq_params->adev;
- struct amdgpu_display_manager *dm = &adev->dm;
-@@ -6895,7 +6895,7 @@ static int dm_update_mst_vcpi_slots_for_dsc(struct drm_atomic_state *state,
- struct amdgpu_dm_connector *aconnector;
- struct dm_connector_state *dm_conn_state;
- int i, j, ret;
-- int vcpi, pbn_div, pbn, slot_num = 0;
-+ int vcpi, pbn_div, pbn = 0, slot_num = 0;
-
- for_each_new_connector_in_state(state, connector, new_con_state, i) {
-
-@@ -10064,7 +10064,7 @@ static int amdgpu_dm_atomic_check(struct drm_device *dev,
- struct dm_crtc_state *dm_old_crtc_state, *dm_new_crtc_state;
- struct drm_dp_mst_topology_mgr *mgr;
- struct drm_dp_mst_topology_state *mst_state;
-- struct dsc_mst_fairness_vars vars[MAX_PIPES];
-+ struct dsc_mst_fairness_vars vars[MAX_PIPES] = {0};
-
- trace_amdgpu_dm_atomic_check_begin(state);
-
-diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
-index 2bc37c5a27605..c8609595f324b 100644
---- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
-+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
-@@ -1219,7 +1219,7 @@ static ssize_t dp_sdp_message_debugfs_write(struct file *f, const char __user *b
- size_t size, loff_t *pos)
- {
- int r;
-- uint8_t data[36];
-+ uint8_t data[36] = {0};
- struct amdgpu_dm_connector *connector = file_inode(f)->i_private;
- struct dm_crtc_state *acrtc_state;
- uint32_t write_size = 36;
-@@ -2929,7 +2929,7 @@ static int psr_read_residency(void *data, u64 *val)
- {
- struct amdgpu_dm_connector *connector = data;
- struct dc_link *link = connector->dc_link;
-- u32 residency;
-+ u32 residency = 0;
-
- link->dc->link_srv->edp_get_psr_residency(link, &residency);
-
---
-2.43.0
-
+++ /dev/null
-From 891e1fa8c401e86157567092218e36fa1e662d72 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 22 Apr 2024 13:52:27 -0600
-Subject: drm/amd/display: Skip finding free audio for unknown engine_id
-
-From: Alex Hung <alex.hung@amd.com>
-
-[ Upstream commit 1357b2165d9ad94faa4c4a20d5e2ce29c2ff29c3 ]
-
-[WHY]
-ENGINE_ID_UNKNOWN = -1 and can not be used as an array index. Plus, it
-also means it is uninitialized and does not need free audio.
-
-[HOW]
-Skip and return NULL.
-
-This fixes 2 OVERRUN issues reported by Coverity.
-
-Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
-Acked-by: Wayne Lin <wayne.lin@amd.com>
-Signed-off-by: Alex Hung <alex.hung@amd.com>
-Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
-index 8873acfe309c8..84923c5400d32 100644
---- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
-+++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
-@@ -2385,6 +2385,9 @@ static struct audio *find_first_free_audio(
- {
- int i, available_audio_count;
-
-+ if (id == ENGINE_ID_UNKNOWN)
-+ return NULL;
-+
- available_audio_count = pool->audio_count;
-
- for (i = 0; i < available_audio_count; i++) {
---
-2.43.0
-
+++ /dev/null
-From db334bef966745d71474a037f35bcc364132dc70 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 25 Apr 2024 15:16:40 +0800
-Subject: drm/amdgpu: fix the warning about the expression (int)size - len
-
-From: Jesse Zhang <jesse.zhang@amd.com>
-
-[ Upstream commit ea686fef5489ef7a2450a9fdbcc732b837fb46a8 ]
-
-Converting size from size_t to int may overflow.
-v2: keep reverse xmas tree order (Christian)
-
-Signed-off-by: Jesse Zhang <jesse.zhang@amd.com>
-Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
-Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
-index 418ff7cd662da..1c2c9ff9d39df 100644
---- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
-+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
-@@ -2052,12 +2052,13 @@ static ssize_t amdgpu_reset_dump_register_list_write(struct file *f,
- struct amdgpu_device *adev = (struct amdgpu_device *)file_inode(f)->i_private;
- char reg_offset[11];
- uint32_t *new = NULL, *tmp = NULL;
-- int ret, i = 0, len = 0;
-+ unsigned int len = 0;
-+ int ret, i = 0;
-
- do {
- memset(reg_offset, 0, 11);
- if (copy_from_user(reg_offset, buf + len,
-- min(10, ((int)size-len)))) {
-+ min(10, (size-len)))) {
- ret = -EFAULT;
- goto error_free;
- }
---
-2.43.0
-
+++ /dev/null
-From 008e2a1522fe4b34b92c5a312fc933ba30d574cc Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 23 Apr 2024 14:06:28 +0800
-Subject: drm/amdgpu: fix uninitialized scalar variable warning
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Tim Huang <Tim.Huang@amd.com>
-
-[ Upstream commit 9a5f15d2a29d06ce5bd50919da7221cda92afb69 ]
-
-Clear warning that uses uninitialized value fw_size.
-
-Signed-off-by: Tim Huang <Tim.Huang@amd.com>
-Reviewed-by: Christian König <christian.koenig@amd.com>
-Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c
-index 053983e9f4aef..0ca51df46cc0d 100644
---- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c
-+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c
-@@ -1184,7 +1184,8 @@ void amdgpu_gfx_cp_init_microcode(struct amdgpu_device *adev,
- fw_size = le32_to_cpu(cp_hdr_v2_0->data_size_bytes);
- break;
- default:
-- break;
-+ dev_err(adev->dev, "Invalid ucode id %u\n", ucode_id);
-+ return;
- }
-
- if (adev->firmware.load_type == AMDGPU_FW_LOAD_PSP) {
---
-2.43.0
-
+++ /dev/null
-From 93ff92b586d3979e75d1bd41722366e437e6f417 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 22 Apr 2024 14:47:52 +0800
-Subject: drm/amdgpu: Fix uninitialized variable warnings
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Ma Jun <Jun.Ma2@amd.com>
-
-[ Upstream commit 60c448439f3b5db9431e13f7f361b4074d0e8594 ]
-
-return 0 to avoid returning an uninitialized variable r
-
-Signed-off-by: Ma Jun <Jun.Ma2@amd.com>
-Acked-by: Christian König <christian.koenig@amd.com>
-Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/gpu/drm/amd/amdgpu/aldebaran.c | 2 +-
- drivers/gpu/drm/amd/amdgpu/sienna_cichlid.c | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/gpu/drm/amd/amdgpu/aldebaran.c b/drivers/gpu/drm/amd/amdgpu/aldebaran.c
-index fa6193535d485..7fea4f0f495a3 100644
---- a/drivers/gpu/drm/amd/amdgpu/aldebaran.c
-+++ b/drivers/gpu/drm/amd/amdgpu/aldebaran.c
-@@ -100,7 +100,7 @@ static int aldebaran_mode2_suspend_ip(struct amdgpu_device *adev)
- adev->ip_blocks[i].status.hw = false;
- }
-
-- return r;
-+ return 0;
- }
-
- static int
-diff --git a/drivers/gpu/drm/amd/amdgpu/sienna_cichlid.c b/drivers/gpu/drm/amd/amdgpu/sienna_cichlid.c
-index 8b8086d5c864b..896c7e434d3bc 100644
---- a/drivers/gpu/drm/amd/amdgpu/sienna_cichlid.c
-+++ b/drivers/gpu/drm/amd/amdgpu/sienna_cichlid.c
-@@ -93,7 +93,7 @@ static int sienna_cichlid_mode2_suspend_ip(struct amdgpu_device *adev)
- adev->ip_blocks[i].status.hw = false;
- }
-
-- return r;
-+ return 0;
- }
-
- static int
---
-2.43.0
-
+++ /dev/null
-From 1a4ae764e86f236edceb56bb7f40bed6ddb0a3bd Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 22 Apr 2024 10:07:51 +0800
-Subject: drm/amdgpu: Initialize timestamp for some legacy SOCs
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Ma Jun <Jun.Ma2@amd.com>
-
-[ Upstream commit 2e55bcf3d742a4946d862b86e39e75a95cc6f1c0 ]
-
-Initialize the interrupt timestamp for some legacy SOCs
-to fix the coverity issue "Uninitialized scalar variable"
-
-Signed-off-by: Ma Jun <Jun.Ma2@amd.com>
-Suggested-by: Christian König <christian.koenig@amd.com>
-Reviewed-by: Christian König <christian.koenig@amd.com>
-Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c
-index fa6d0adcec206..5978edf7ea71e 100644
---- a/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c
-+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c
-@@ -438,6 +438,14 @@ void amdgpu_irq_dispatch(struct amdgpu_device *adev,
-
- entry.ih = ih;
- entry.iv_entry = (const uint32_t *)&ih->ring[ring_index];
-+
-+ /*
-+ * timestamp is not supported on some legacy SOCs (cik, cz, iceland,
-+ * si and tonga), so initialize timestamp and timestamp_src to 0
-+ */
-+ entry.timestamp = 0;
-+ entry.timestamp_src = 0;
-+
- amdgpu_ih_decode_iv(adev, &entry);
-
- trace_amdgpu_iv(ih - &adev->irq.ih, &entry);
---
-2.43.0
-
+++ /dev/null
-From 92d30be983a5a31e4b6607832eeb42f465885712 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 24 Apr 2024 17:10:46 +0800
-Subject: drm/amdgpu: Using uninitialized value *size when calling
- amdgpu_vce_cs_reloc
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Jesse Zhang <jesse.zhang@amd.com>
-
-[ Upstream commit 88a9a467c548d0b3c7761b4fd54a68e70f9c0944 ]
-
-Initialize the size before calling amdgpu_vce_cs_reloc, such as case 0x03000001.
-V2: To really improve the handling we would actually
- need to have a separate value of 0xffffffff.(Christian)
-
-Signed-off-by: Jesse Zhang <jesse.zhang@amd.com>
-Suggested-by: Christian König <christian.koenig@amd.com>
-Reviewed-by: Christian König <christian.koenig@amd.com>
-Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
-index 1904edf684071..88a3aa36b41d7 100644
---- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
-+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vce.c
-@@ -742,7 +742,8 @@ int amdgpu_vce_ring_parse_cs(struct amdgpu_cs_parser *p,
- uint32_t created = 0;
- uint32_t allocated = 0;
- uint32_t tmp, handle = 0;
-- uint32_t *size = &tmp;
-+ uint32_t dummy = 0xffffffff;
-+ uint32_t *size = &dummy;
- unsigned int idx;
- int i, r = 0;
-
---
-2.43.0
-
+++ /dev/null
-From c56c11477c0806d163ce25e8c1b0fd3962de8b92 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 22 Apr 2024 22:19:51 +0200
-Subject: drm/i915: Fix gt reset with GuC submission is disabled
-
-From: Nirmoy Das <nirmoy.das@intel.com>
-
-[ Upstream commit 4d3421e04c5dc38baf15224c051256204f223c15 ]
-
-Currently intel_gt_reset() kills the GuC and then resets requested
-engines. This is problematic because there is a dedicated CSB FIFO
-which only GuC can access and if that FIFO fills up, the hardware
-will block on the next context switch until there is space that means
-the system is effectively hung. If an engine is reset whilst actively
-executing a context, a CSB entry will be sent to say that the context
-has gone idle. Thus if reset happens on a very busy system then
-killing GuC before killing the engines will lead to deadlock because
-of filled up CSB FIFO.
-
-To address this issue, the GuC should be killed only after resetting
-the requested engines and before calling intel_gt_init_hw().
-
-v2: Improve commit message(John)
-
-Cc: John Harrison <john.c.harrison@intel.com>
-Signed-off-by: Nirmoy Das <nirmoy.das@intel.com>
-Reviewed-by: John Harrison <John.C.Harrison@Intel.com>
-Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
-Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
-Link: https://patchwork.freedesktop.org/patch/msgid/20240422201951.633-2-nirmoy.das@intel.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/gpu/drm/i915/gt/intel_reset.c | 16 ++++++++++++++--
- 1 file changed, 14 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/gpu/drm/i915/gt/intel_reset.c b/drivers/gpu/drm/i915/gt/intel_reset.c
-index 13fb8e5042c58..6c651ef7928b4 100644
---- a/drivers/gpu/drm/i915/gt/intel_reset.c
-+++ b/drivers/gpu/drm/i915/gt/intel_reset.c
-@@ -880,8 +880,17 @@ static intel_engine_mask_t reset_prepare(struct intel_gt *gt)
- intel_engine_mask_t awake = 0;
- enum intel_engine_id id;
-
-- /* For GuC mode, ensure submission is disabled before stopping ring */
-- intel_uc_reset_prepare(>->uc);
-+ /**
-+ * For GuC mode with submission enabled, ensure submission
-+ * is disabled before stopping ring.
-+ *
-+ * For GuC mode with submission disabled, ensure that GuC is not
-+ * sanitized, do that after engine reset. reset_prepare()
-+ * is followed by engine reset which in this mode requires GuC to
-+ * process any CSB FIFO entries generated by the resets.
-+ */
-+ if (intel_uc_uses_guc_submission(>->uc))
-+ intel_uc_reset_prepare(>->uc);
-
- for_each_engine(engine, gt, id) {
- if (intel_engine_pm_get_if_awake(engine))
-@@ -1228,6 +1237,9 @@ void intel_gt_reset(struct intel_gt *gt,
-
- intel_overlay_reset(gt->i915);
-
-+ /* sanitize uC after engine reset */
-+ if (!intel_uc_uses_guc_submission(>->uc))
-+ intel_uc_reset_prepare(>->uc);
- /*
- * Next we need to restore the context, but we don't use those
- * yet either...
---
-2.43.0
-
+++ /dev/null
-From a40ee90a5de1252188a13b4058970742f0103955 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 2 Apr 2024 00:43:28 +0200
-Subject: drm/lima: fix shared irq handling on driver remove
-
-From: Erico Nunes <nunes.erico@gmail.com>
-
-[ Upstream commit a6683c690bbfd1f371510cb051e8fa49507f3f5e ]
-
-lima uses a shared interrupt, so the interrupt handlers must be prepared
-to be called at any time. At driver removal time, the clocks are
-disabled early and the interrupts stay registered until the very end of
-the remove process due to the devm usage.
-This is potentially a bug as the interrupts access device registers
-which assumes clocks are enabled. A crash can be triggered by removing
-the driver in a kernel with CONFIG_DEBUG_SHIRQ enabled.
-This patch frees the interrupts at each lima device finishing callback
-so that the handlers are already unregistered by the time we fully
-disable clocks.
-
-Signed-off-by: Erico Nunes <nunes.erico@gmail.com>
-Signed-off-by: Qiang Yu <yuq825@gmail.com>
-Link: https://patchwork.freedesktop.org/patch/msgid/20240401224329.1228468-2-nunes.erico@gmail.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/gpu/drm/lima/lima_gp.c | 2 ++
- drivers/gpu/drm/lima/lima_mmu.c | 5 +++++
- drivers/gpu/drm/lima/lima_pp.c | 4 ++++
- 3 files changed, 11 insertions(+)
-
-diff --git a/drivers/gpu/drm/lima/lima_gp.c b/drivers/gpu/drm/lima/lima_gp.c
-index 6cf46b653e810..ca3842f719842 100644
---- a/drivers/gpu/drm/lima/lima_gp.c
-+++ b/drivers/gpu/drm/lima/lima_gp.c
-@@ -324,7 +324,9 @@ int lima_gp_init(struct lima_ip *ip)
-
- void lima_gp_fini(struct lima_ip *ip)
- {
-+ struct lima_device *dev = ip->dev;
-
-+ devm_free_irq(dev->dev, ip->irq, ip);
- }
-
- int lima_gp_pipe_init(struct lima_device *dev)
-diff --git a/drivers/gpu/drm/lima/lima_mmu.c b/drivers/gpu/drm/lima/lima_mmu.c
-index a1ae6c252dc2b..8ca7047adbaca 100644
---- a/drivers/gpu/drm/lima/lima_mmu.c
-+++ b/drivers/gpu/drm/lima/lima_mmu.c
-@@ -118,7 +118,12 @@ int lima_mmu_init(struct lima_ip *ip)
-
- void lima_mmu_fini(struct lima_ip *ip)
- {
-+ struct lima_device *dev = ip->dev;
-+
-+ if (ip->id == lima_ip_ppmmu_bcast)
-+ return;
-
-+ devm_free_irq(dev->dev, ip->irq, ip);
- }
-
- void lima_mmu_flush_tlb(struct lima_ip *ip)
-diff --git a/drivers/gpu/drm/lima/lima_pp.c b/drivers/gpu/drm/lima/lima_pp.c
-index 54b208a4a768e..d34c9e8840f45 100644
---- a/drivers/gpu/drm/lima/lima_pp.c
-+++ b/drivers/gpu/drm/lima/lima_pp.c
-@@ -266,7 +266,9 @@ int lima_pp_init(struct lima_ip *ip)
-
- void lima_pp_fini(struct lima_ip *ip)
- {
-+ struct lima_device *dev = ip->dev;
-
-+ devm_free_irq(dev->dev, ip->irq, ip);
- }
-
- int lima_pp_bcast_resume(struct lima_ip *ip)
-@@ -299,7 +301,9 @@ int lima_pp_bcast_init(struct lima_ip *ip)
-
- void lima_pp_bcast_fini(struct lima_ip *ip)
- {
-+ struct lima_device *dev = ip->dev;
-
-+ devm_free_irq(dev->dev, ip->irq, ip);
- }
-
- static int lima_pp_task_validate(struct lima_sched_pipe *pipe,
---
-2.43.0
-
+++ /dev/null
-From ac3a42db0fcfc77f21d669c1b48442f4568bb0ba Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 7 May 2024 11:38:47 +0800
-Subject: f2fs: check validation of fault attrs in f2fs_build_fault_attr()
-
-From: Chao Yu <chao@kernel.org>
-
-[ Upstream commit 4ed886b187f47447ad559619c48c086f432d2b77 ]
-
-- It missed to check validation of fault attrs in parse_options(),
-let's fix to add check condition in f2fs_build_fault_attr().
-- Use f2fs_build_fault_attr() in __sbi_store() to clean up code.
-
-Signed-off-by: Chao Yu <chao@kernel.org>
-Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/f2fs/f2fs.h | 12 ++++++++----
- fs/f2fs/super.c | 27 ++++++++++++++++++++-------
- fs/f2fs/sysfs.c | 14 ++++++++++----
- 3 files changed, 38 insertions(+), 15 deletions(-)
-
-diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
-index f1fbfa7fb279e..5056af9e0581c 100644
---- a/fs/f2fs/f2fs.h
-+++ b/fs/f2fs/f2fs.h
-@@ -69,7 +69,7 @@ enum {
-
- struct f2fs_fault_info {
- atomic_t inject_ops;
-- unsigned int inject_rate;
-+ int inject_rate;
- unsigned int inject_type;
- };
-
-@@ -4593,10 +4593,14 @@ static inline bool f2fs_need_verity(const struct inode *inode, pgoff_t idx)
- }
-
- #ifdef CONFIG_F2FS_FAULT_INJECTION
--extern void f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned int rate,
-- unsigned int type);
-+extern int f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned long rate,
-+ unsigned long type);
- #else
--#define f2fs_build_fault_attr(sbi, rate, type) do { } while (0)
-+static int f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned long rate,
-+ unsigned long type)
-+{
-+ return 0;
-+}
- #endif
-
- static inline bool is_journalled_quota(struct f2fs_sb_info *sbi)
-diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
-index ce50d2253dd80..e022d8233c0a5 100644
---- a/fs/f2fs/super.c
-+++ b/fs/f2fs/super.c
-@@ -64,21 +64,31 @@ const char *f2fs_fault_name[FAULT_MAX] = {
- [FAULT_BLKADDR] = "invalid blkaddr",
- };
-
--void f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned int rate,
-- unsigned int type)
-+int f2fs_build_fault_attr(struct f2fs_sb_info *sbi, unsigned long rate,
-+ unsigned long type)
- {
- struct f2fs_fault_info *ffi = &F2FS_OPTION(sbi).fault_info;
-
- if (rate) {
-+ if (rate > INT_MAX)
-+ return -EINVAL;
- atomic_set(&ffi->inject_ops, 0);
-- ffi->inject_rate = rate;
-+ ffi->inject_rate = (int)rate;
- }
-
-- if (type)
-- ffi->inject_type = type;
-+ if (type) {
-+ if (type >= BIT(FAULT_MAX))
-+ return -EINVAL;
-+ ffi->inject_type = (unsigned int)type;
-+ }
-
- if (!rate && !type)
- memset(ffi, 0, sizeof(struct f2fs_fault_info));
-+ else
-+ f2fs_info(sbi,
-+ "build fault injection attr: rate: %lu, type: 0x%lx",
-+ rate, type);
-+ return 0;
- }
- #endif
-
-@@ -869,14 +879,17 @@ static int parse_options(struct super_block *sb, char *options, bool is_remount)
- case Opt_fault_injection:
- if (args->from && match_int(args, &arg))
- return -EINVAL;
-- f2fs_build_fault_attr(sbi, arg, F2FS_ALL_FAULT_TYPE);
-+ if (f2fs_build_fault_attr(sbi, arg,
-+ F2FS_ALL_FAULT_TYPE))
-+ return -EINVAL;
- set_opt(sbi, FAULT_INJECTION);
- break;
-
- case Opt_fault_type:
- if (args->from && match_int(args, &arg))
- return -EINVAL;
-- f2fs_build_fault_attr(sbi, 0, arg);
-+ if (f2fs_build_fault_attr(sbi, 0, arg))
-+ return -EINVAL;
- set_opt(sbi, FAULT_INJECTION);
- break;
- #else
-diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c
-index 6347a55020c6e..180feefc4a9ce 100644
---- a/fs/f2fs/sysfs.c
-+++ b/fs/f2fs/sysfs.c
-@@ -457,10 +457,16 @@ static ssize_t __sbi_store(struct f2fs_attr *a,
- if (ret < 0)
- return ret;
- #ifdef CONFIG_F2FS_FAULT_INJECTION
-- if (a->struct_type == FAULT_INFO_TYPE && t >= BIT(FAULT_MAX))
-- return -EINVAL;
-- if (a->struct_type == FAULT_INFO_RATE && t >= UINT_MAX)
-- return -EINVAL;
-+ if (a->struct_type == FAULT_INFO_TYPE) {
-+ if (f2fs_build_fault_attr(sbi, 0, t))
-+ return -EINVAL;
-+ return count;
-+ }
-+ if (a->struct_type == FAULT_INFO_RATE) {
-+ if (f2fs_build_fault_attr(sbi, t, 0))
-+ return -EINVAL;
-+ return count;
-+ }
- #endif
- if (a->struct_type == RESERVED_BLOCKS) {
- spin_lock(&sbi->stat_lock);
---
-2.43.0
-
+++ /dev/null
-From 3376843e98b2f450476713e16264edf1d9fe469b Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 30 Apr 2024 18:29:32 +0200
-Subject: firmware: dmi: Stop decoding on broken entry
-
-From: Jean Delvare <jdelvare@suse.de>
-
-[ Upstream commit 0ef11f604503b1862a21597436283f158114d77e ]
-
-If a DMI table entry is shorter than 4 bytes, it is invalid. Due to
-how DMI table parsing works, it is impossible to safely recover from
-such an error, so we have to stop decoding the table.
-
-Signed-off-by: Jean Delvare <jdelvare@suse.de>
-Link: https://lore.kernel.org/linux-kernel/Zh2K3-HLXOesT_vZ@liuwe-devbox-debian-v2/T/
-Reviewed-by: Michael Kelley <mhklinux@outlook.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/firmware/dmi_scan.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c
-index 015c95a825d31..ac2a5d2d47463 100644
---- a/drivers/firmware/dmi_scan.c
-+++ b/drivers/firmware/dmi_scan.c
-@@ -101,6 +101,17 @@ static void dmi_decode_table(u8 *buf,
- (data - buf + sizeof(struct dmi_header)) <= dmi_len) {
- const struct dmi_header *dm = (const struct dmi_header *)data;
-
-+ /*
-+ * If a short entry is found (less than 4 bytes), not only it
-+ * is invalid, but we cannot reliably locate the next entry.
-+ */
-+ if (dm->length < sizeof(struct dmi_header)) {
-+ pr_warn(FW_BUG
-+ "Corrupted DMI table, offset %zd (only %d entries processed)\n",
-+ data - buf, i);
-+ break;
-+ }
-+
- /*
- * We want to know the total length (formatted area and
- * strings) before decoding to make sure we won't run off the
---
-2.43.0
-
+++ /dev/null
-From 39623f78da2b6c9eaf2400e5d554c86c993dd0f4 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 12 Apr 2024 12:21:58 +0200
-Subject: i2c: i801: Annotate apanel_addr as __ro_after_init
-
-From: Heiner Kallweit <hkallweit1@gmail.com>
-
-[ Upstream commit 355b1513b1e97b6cef84b786c6480325dfd3753d ]
-
-Annotate this variable as __ro_after_init to protect it from being
-overwritten later.
-
-Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
-Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/i2c/busses/i2c-i801.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c
-index f6bc37f5eb3a3..3410add34aad2 100644
---- a/drivers/i2c/busses/i2c-i801.c
-+++ b/drivers/i2c/busses/i2c-i801.c
-@@ -1052,7 +1052,7 @@ static const struct pci_device_id i801_ids[] = {
- MODULE_DEVICE_TABLE(pci, i801_ids);
-
- #if defined CONFIG_X86 && defined CONFIG_DMI
--static unsigned char apanel_addr;
-+static unsigned char apanel_addr __ro_after_init;
-
- /* Scan the system ROM for the signature "FJKEYINF" */
- static __init const void __iomem *bios_signature(const void __iomem *bios)
---
-2.43.0
-
+++ /dev/null
-From 58224f11c28c44060c1a630389ba38b13e3c4051 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 16 Apr 2024 15:01:44 +0300
-Subject: IB/core: Implement a limit on UMAD receive List
-
-From: Michael Guralnik <michaelgur@nvidia.com>
-
-[ Upstream commit ca0b44e20a6f3032224599f02e7c8fb49525c894 ]
-
-The existing behavior of ib_umad, which maintains received MAD
-packets in an unbounded list, poses a risk of uncontrolled growth.
-As user-space applications extract packets from this list, the rate
-of extraction may not match the rate of incoming packets, leading
-to potential list overflow.
-
-To address this, we introduce a limit to the size of the list. After
-considering typical scenarios, such as OpenSM processing, which can
-handle approximately 100k packets per second, and the 1-second retry
-timeout for most packets, we set the list size limit to 200k. Packets
-received beyond this limit are dropped, assuming they are likely timed
-out by the time they are handled by user-space.
-
-Notably, packets queued on the receive list due to reasons like
-timed-out sends are preserved even when the list is full.
-
-Signed-off-by: Michael Guralnik <michaelgur@nvidia.com>
-Reviewed-by: Mark Zhang <markzhang@nvidia.com>
-Link: https://lore.kernel.org/r/7197cb58a7d9e78399008f25036205ceab07fbd5.1713268818.git.leon@kernel.org
-Signed-off-by: Leon Romanovsky <leon@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/infiniband/core/user_mad.c | 21 +++++++++++++++------
- 1 file changed, 15 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c
-index f5feca7fa9b9c..2ed749f50a29f 100644
---- a/drivers/infiniband/core/user_mad.c
-+++ b/drivers/infiniband/core/user_mad.c
-@@ -63,6 +63,8 @@ MODULE_AUTHOR("Roland Dreier");
- MODULE_DESCRIPTION("InfiniBand userspace MAD packet access");
- MODULE_LICENSE("Dual BSD/GPL");
-
-+#define MAX_UMAD_RECV_LIST_SIZE 200000
-+
- enum {
- IB_UMAD_MAX_PORTS = RDMA_MAX_PORTS,
- IB_UMAD_MAX_AGENTS = 32,
-@@ -113,6 +115,7 @@ struct ib_umad_file {
- struct mutex mutex;
- struct ib_umad_port *port;
- struct list_head recv_list;
-+ atomic_t recv_list_size;
- struct list_head send_list;
- struct list_head port_list;
- spinlock_t send_lock;
-@@ -180,24 +183,28 @@ static struct ib_mad_agent *__get_agent(struct ib_umad_file *file, int id)
- return file->agents_dead ? NULL : file->agent[id];
- }
-
--static int queue_packet(struct ib_umad_file *file,
-- struct ib_mad_agent *agent,
-- struct ib_umad_packet *packet)
-+static int queue_packet(struct ib_umad_file *file, struct ib_mad_agent *agent,
-+ struct ib_umad_packet *packet, bool is_recv_mad)
- {
- int ret = 1;
-
- mutex_lock(&file->mutex);
-
-+ if (is_recv_mad &&
-+ atomic_read(&file->recv_list_size) > MAX_UMAD_RECV_LIST_SIZE)
-+ goto unlock;
-+
- for (packet->mad.hdr.id = 0;
- packet->mad.hdr.id < IB_UMAD_MAX_AGENTS;
- packet->mad.hdr.id++)
- if (agent == __get_agent(file, packet->mad.hdr.id)) {
- list_add_tail(&packet->list, &file->recv_list);
-+ atomic_inc(&file->recv_list_size);
- wake_up_interruptible(&file->recv_wait);
- ret = 0;
- break;
- }
--
-+unlock:
- mutex_unlock(&file->mutex);
-
- return ret;
-@@ -224,7 +231,7 @@ static void send_handler(struct ib_mad_agent *agent,
- if (send_wc->status == IB_WC_RESP_TIMEOUT_ERR) {
- packet->length = IB_MGMT_MAD_HDR;
- packet->mad.hdr.status = ETIMEDOUT;
-- if (!queue_packet(file, agent, packet))
-+ if (!queue_packet(file, agent, packet, false))
- return;
- }
- kfree(packet);
-@@ -284,7 +291,7 @@ static void recv_handler(struct ib_mad_agent *agent,
- rdma_destroy_ah_attr(&ah_attr);
- }
-
-- if (queue_packet(file, agent, packet))
-+ if (queue_packet(file, agent, packet, true))
- goto err2;
- return;
-
-@@ -409,6 +416,7 @@ static ssize_t ib_umad_read(struct file *filp, char __user *buf,
-
- packet = list_entry(file->recv_list.next, struct ib_umad_packet, list);
- list_del(&packet->list);
-+ atomic_dec(&file->recv_list_size);
-
- mutex_unlock(&file->mutex);
-
-@@ -421,6 +429,7 @@ static ssize_t ib_umad_read(struct file *filp, char __user *buf,
- /* Requeue packet */
- mutex_lock(&file->mutex);
- list_add(&packet->list, &file->recv_list);
-+ atomic_inc(&file->recv_list_size);
- mutex_unlock(&file->mutex);
- } else {
- if (packet->recv_wc)
---
-2.43.0
-
+++ /dev/null
-From 51c576f7a927b06b559f1079fc51da6d316f3774 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 23 Apr 2024 12:24:54 +0200
-Subject: igc: fix a log entry using uninitialized netdev
-
-From: Corinna Vinschen <vinschen@redhat.com>
-
-[ Upstream commit 86167183a17e03ec77198897975e9fdfbd53cb0b ]
-
-During successful probe, igc logs this:
-
-[ 5.133667] igc 0000:01:00.0 (unnamed net_device) (uninitialized): PHC added
- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-The reason is that igc_ptp_init() is called very early, even before
-register_netdev() has been called. So the netdev_info() call works
-on a partially uninitialized netdev.
-
-Fix this by calling igc_ptp_init() after register_netdev(), right
-after the media autosense check, just as in igb. Add a comment,
-just as in igb.
-
-Now the log message is fine:
-
-[ 5.200987] igc 0000:01:00.0 eth0: PHC added
-
-Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
-Reviewed-by: Hariprasad Kelam <hkelam@marvell.com>
-Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
-Tested-by: Naama Meir <naamax.meir@linux.intel.com>
-Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/ethernet/intel/igc/igc_main.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/net/ethernet/intel/igc/igc_main.c b/drivers/net/ethernet/intel/igc/igc_main.c
-index e83700ad7e622..5715fc6779117 100644
---- a/drivers/net/ethernet/intel/igc/igc_main.c
-+++ b/drivers/net/ethernet/intel/igc/igc_main.c
-@@ -6908,8 +6908,6 @@ static int igc_probe(struct pci_dev *pdev,
- device_set_wakeup_enable(&adapter->pdev->dev,
- adapter->flags & IGC_FLAG_WOL_SUPPORTED);
-
-- igc_ptp_init(adapter);
--
- igc_tsn_clear_schedule(adapter);
-
- /* reset the hardware with the new settings */
-@@ -6931,6 +6929,9 @@ static int igc_probe(struct pci_dev *pdev,
- /* Check if Media Autosense is enabled */
- adapter->ei = *ei;
-
-+ /* do hw tstamp init after resetting */
-+ igc_ptp_init(adapter);
-+
- /* print pcie link status and MAC address */
- pcie_print_link_status(pdev);
- netdev_info(netdev, "MAC: %pM\n", netdev->dev_addr);
---
-2.43.0
-
+++ /dev/null
-From 834e6e69ff289d42d1cb5ee5c1ed205258284921 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 27 Apr 2024 17:05:56 +0200
-Subject: Input: ff-core - prefer struct_size over open coded arithmetic
-
-From: Erick Archer <erick.archer@outlook.com>
-
-[ Upstream commit a08b8f8557ad88ffdff8905e5da972afe52e3307 ]
-
-This is an effort to get rid of all multiplications from allocation
-functions in order to prevent integer overflows [1][2].
-
-As the "ff" variable is a pointer to "struct ff_device" and this
-structure ends in a flexible array:
-
-struct ff_device {
- [...]
- struct file *effect_owners[] __counted_by(max_effects);
-};
-
-the preferred way in the kernel is to use the struct_size() helper to
-do the arithmetic instead of the calculation "size + count * size" in
-the kzalloc() function.
-
-The struct_size() helper returns SIZE_MAX on overflow. So, refactor
-the comparison to take advantage of this.
-
-This way, the code is more readable and safer.
-
-This code was detected with the help of Coccinelle, and audited and
-modified manually.
-
-Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments [1]
-Link: https://github.com/KSPP/linux/issues/160 [2]
-Signed-off-by: Erick Archer <erick.archer@outlook.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Link: https://lore.kernel.org/r/AS8PR02MB72371E646714BAE2E51A6A378B152@AS8PR02MB7237.eurprd02.prod.outlook.com
-Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/input/ff-core.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/input/ff-core.c b/drivers/input/ff-core.c
-index 16231fe080b00..609a5f01761bd 100644
---- a/drivers/input/ff-core.c
-+++ b/drivers/input/ff-core.c
-@@ -9,8 +9,10 @@
- /* #define DEBUG */
-
- #include <linux/input.h>
-+#include <linux/limits.h>
- #include <linux/module.h>
- #include <linux/mutex.h>
-+#include <linux/overflow.h>
- #include <linux/sched.h>
- #include <linux/slab.h>
-
-@@ -315,9 +317,8 @@ int input_ff_create(struct input_dev *dev, unsigned int max_effects)
- return -EINVAL;
- }
-
-- ff_dev_size = sizeof(struct ff_device) +
-- max_effects * sizeof(struct file *);
-- if (ff_dev_size < max_effects) /* overflow */
-+ ff_dev_size = struct_size(ff, effect_owners, max_effects);
-+ if (ff_dev_size == SIZE_MAX) /* overflow */
- return -EINVAL;
-
- ff = kzalloc(ff_dev_size, GFP_KERNEL);
---
-2.43.0
-
+++ /dev/null
-From f516d8d207bdf2107ee12198fd932431dfeff3e7 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 18 Apr 2024 14:10:53 +0800
-Subject: irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc
-
-From: Guanrui Huang <guanrui.huang@linux.alibaba.com>
-
-[ Upstream commit 382d2ffe86efb1e2fa803d2cf17e5bfc34e574f3 ]
-
-This BUG_ON() is useless, because the same effect will be obtained
-by letting the code run its course and vm being dereferenced,
-triggering an exception.
-
-So just remove this check.
-
-Signed-off-by: Guanrui Huang <guanrui.huang@linux.alibaba.com>
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Reviewed-by: Zenghui Yu <yuzenghui@huawei.com>
-Acked-by: Marc Zyngier <maz@kernel.org>
-Link: https://lore.kernel.org/r/20240418061053.96803-3-guanrui.huang@linux.alibaba.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/irqchip/irq-gic-v3-its.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
-index c7d6e6987166f..350abbb36e04b 100644
---- a/drivers/irqchip/irq-gic-v3-its.c
-+++ b/drivers/irqchip/irq-gic-v3-its.c
-@@ -4501,8 +4501,6 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq
- struct page *vprop_page;
- int base, nr_ids, i, err = 0;
-
-- BUG_ON(!vm);
--
- bitmap = its_lpi_alloc(roundup_pow_of_two(nr_irqs), &base, &nr_ids);
- if (!bitmap)
- return -ENOMEM;
---
-2.43.0
-
+++ /dev/null
-From e268bed9ec9cce9658bfe9ac63bf1e4d38ba0ae8 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 7 May 2024 15:00:46 +0800
-Subject: jffs2: Fix potential illegal address access in jffs2_free_inode
-
-From: Wang Yong <wang.yong12@zte.com.cn>
-
-[ Upstream commit af9a8730ddb6a4b2edd779ccc0aceb994d616830 ]
-
-During the stress testing of the jffs2 file system,the following
-abnormal printouts were found:
-[ 2430.649000] Unable to handle kernel paging request at virtual address 0069696969696948
-[ 2430.649622] Mem abort info:
-[ 2430.649829] ESR = 0x96000004
-[ 2430.650115] EC = 0x25: DABT (current EL), IL = 32 bits
-[ 2430.650564] SET = 0, FnV = 0
-[ 2430.650795] EA = 0, S1PTW = 0
-[ 2430.651032] FSC = 0x04: level 0 translation fault
-[ 2430.651446] Data abort info:
-[ 2430.651683] ISV = 0, ISS = 0x00000004
-[ 2430.652001] CM = 0, WnR = 0
-[ 2430.652558] [0069696969696948] address between user and kernel address ranges
-[ 2430.653265] Internal error: Oops: 96000004 [#1] PREEMPT SMP
-[ 2430.654512] CPU: 2 PID: 20919 Comm: cat Not tainted 5.15.25-g512f31242bf6 #33
-[ 2430.655008] Hardware name: linux,dummy-virt (DT)
-[ 2430.655517] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
-[ 2430.656142] pc : kfree+0x78/0x348
-[ 2430.656630] lr : jffs2_free_inode+0x24/0x48
-[ 2430.657051] sp : ffff800009eebd10
-[ 2430.657355] x29: ffff800009eebd10 x28: 0000000000000001 x27: 0000000000000000
-[ 2430.658327] x26: ffff000038f09d80 x25: 0080000000000000 x24: ffff800009d38000
-[ 2430.658919] x23: 5a5a5a5a5a5a5a5a x22: ffff000038f09d80 x21: ffff8000084f0d14
-[ 2430.659434] x20: ffff0000bf9a6ac0 x19: 0169696969696940 x18: 0000000000000000
-[ 2430.659969] x17: ffff8000b6506000 x16: ffff800009eec000 x15: 0000000000004000
-[ 2430.660637] x14: 0000000000000000 x13: 00000001000820a1 x12: 00000000000d1b19
-[ 2430.661345] x11: 0004000800000000 x10: 0000000000000001 x9 : ffff8000084f0d14
-[ 2430.662025] x8 : ffff0000bf9a6b40 x7 : ffff0000bf9a6b48 x6 : 0000000003470302
-[ 2430.662695] x5 : ffff00002e41dcc0 x4 : ffff0000bf9aa3b0 x3 : 0000000003470342
-[ 2430.663486] x2 : 0000000000000000 x1 : ffff8000084f0d14 x0 : fffffc0000000000
-[ 2430.664217] Call trace:
-[ 2430.664528] kfree+0x78/0x348
-[ 2430.664855] jffs2_free_inode+0x24/0x48
-[ 2430.665233] i_callback+0x24/0x50
-[ 2430.665528] rcu_do_batch+0x1ac/0x448
-[ 2430.665892] rcu_core+0x28c/0x3c8
-[ 2430.666151] rcu_core_si+0x18/0x28
-[ 2430.666473] __do_softirq+0x138/0x3cc
-[ 2430.666781] irq_exit+0xf0/0x110
-[ 2430.667065] handle_domain_irq+0x6c/0x98
-[ 2430.667447] gic_handle_irq+0xac/0xe8
-[ 2430.667739] call_on_irq_stack+0x28/0x54
-The parameter passed to kfree was 5a5a5a5a, which corresponds to the target field of
-the jffs_inode_info structure. It was found that all variables in the jffs_inode_info
-structure were 5a5a5a5a, except for the first member sem. It is suspected that these
-variables are not initialized because they were set to 5a5a5a5a during memory testing,
-which is meant to detect uninitialized memory.The sem variable is initialized in the
-function jffs2_i_init_once, while other members are initialized in
-the function jffs2_init_inode_info.
-
-The function jffs2_init_inode_info is called after iget_locked,
-but in the iget_locked function, the destroy_inode process is triggered,
-which releases the inode and consequently, the target member of the inode
-is not initialized.In concurrent high pressure scenarios, iget_locked
-may enter the destroy_inode branch as described in the code.
-
-Since the destroy_inode functionality of jffs2 only releases the target,
-the fix method is to set target to NULL in jffs2_i_init_once.
-
-Signed-off-by: Wang Yong <wang.yong12@zte.com.cn>
-Reviewed-by: Lu Zhongjun <lu.zhongjun@zte.com.cn>
-Reviewed-by: Yang Tao <yang.tao172@zte.com.cn>
-Cc: Xu Xin <xu.xin16@zte.com.cn>
-Cc: Yang Yang <yang.yang29@zte.com.cn>
-Signed-off-by: Richard Weinberger <richard@nod.at>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/jffs2/super.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/fs/jffs2/super.c b/fs/jffs2/super.c
-index 7ea37f49f1e18..e71f4c94c4483 100644
---- a/fs/jffs2/super.c
-+++ b/fs/jffs2/super.c
-@@ -58,6 +58,7 @@ static void jffs2_i_init_once(void *foo)
- struct jffs2_inode_info *f = foo;
-
- mutex_init(&f->sem);
-+ f->target = NULL;
- inode_init_once(&f->vfs_inode);
- }
-
---
-2.43.0
-
+++ /dev/null
-From 6e35a9fdb36f9fcd67b4c31888d375622eecd911 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 8 Apr 2024 09:46:21 +0200
-Subject: kunit: Fix timeout message
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Mickaël Salaün <mic@digikod.net>
-
-[ Upstream commit 53026ff63bb07c04a0e962a74723eb10ff6f9dc7 ]
-
-The exit code is always checked, so let's properly handle the -ETIMEDOUT
-error code.
-
-Cc: Brendan Higgins <brendanhiggins@google.com>
-Cc: Shuah Khan <skhan@linuxfoundation.org>
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Reviewed-by: David Gow <davidgow@google.com>
-Reviewed-by: Rae Moar <rmoar@google.com>
-Signed-off-by: Mickaël Salaün <mic@digikod.net>
-Link: https://lore.kernel.org/r/20240408074625.65017-4-mic@digikod.net
-Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- lib/kunit/try-catch.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/lib/kunit/try-catch.c b/lib/kunit/try-catch.c
-index d9d1df28cc52e..9c9e4dcf06d96 100644
---- a/lib/kunit/try-catch.c
-+++ b/lib/kunit/try-catch.c
-@@ -78,7 +78,6 @@ void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context)
- time_remaining = wait_for_completion_timeout(&try_completion,
- kunit_test_timeout());
- if (time_remaining == 0) {
-- kunit_err(test, "try timed out\n");
- try_catch->try_result = -ETIMEDOUT;
- kthread_stop(task_struct);
- }
-@@ -93,6 +92,8 @@ void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context)
- try_catch->try_result = 0;
- else if (exit_code == -EINTR)
- kunit_err(test, "wake_up_process() was never called\n");
-+ else if (exit_code == -ETIMEDOUT)
-+ kunit_err(test, "try timed out\n");
- else if (exit_code)
- kunit_err(test, "Unknown error: %d\n", exit_code);
-
---
-2.43.0
-
+++ /dev/null
-From 4526a635f191bb9f921c9ca366789050785207d0 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 8 Apr 2024 09:46:22 +0200
-Subject: kunit: Handle test faults
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Mickaël Salaün <mic@digikod.net>
-
-[ Upstream commit 3a35c13007dea132a65f07de05c26b87837fadc2 ]
-
-Previously, when a kernel test thread crashed (e.g. NULL pointer
-dereference, general protection fault), the KUnit test hanged for 30
-seconds and exited with a timeout error.
-
-Fix this issue by waiting on task_struct->vfork_done instead of the
-custom kunit_try_catch.try_completion, and track the execution state by
-initially setting try_result with -EINTR and only setting it to 0 if
-the test passed.
-
-Fix kunit_generic_run_threadfn_adapter() signature by returning 0
-instead of calling kthread_complete_and_exit(). Because thread's exit
-code is never checked, always set it to 0 to make it clear. To make
-this explicit, export kthread_exit() for KUnit tests built as module.
-
-Fix the -EINTR error message, which couldn't be reached until now.
-
-This is tested with a following patch.
-
-Cc: Brendan Higgins <brendanhiggins@google.com>
-Cc: Eric W. Biederman <ebiederm@xmission.com>
-Cc: Shuah Khan <skhan@linuxfoundation.org>
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Reviewed-by: David Gow <davidgow@google.com>
-Tested-by: Rae Moar <rmoar@google.com>
-Signed-off-by: Mickaël Salaün <mic@digikod.net>
-Link: https://lore.kernel.org/r/20240408074625.65017-5-mic@digikod.net
-Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- include/kunit/try-catch.h | 3 ---
- kernel/kthread.c | 1 +
- lib/kunit/try-catch.c | 19 ++++++++++++-------
- 3 files changed, 13 insertions(+), 10 deletions(-)
-
-diff --git a/include/kunit/try-catch.h b/include/kunit/try-catch.h
-index c507dd43119d5..7c966a1adbd30 100644
---- a/include/kunit/try-catch.h
-+++ b/include/kunit/try-catch.h
-@@ -14,13 +14,11 @@
-
- typedef void (*kunit_try_catch_func_t)(void *);
-
--struct completion;
- struct kunit;
-
- /**
- * struct kunit_try_catch - provides a generic way to run code which might fail.
- * @test: The test case that is currently being executed.
-- * @try_completion: Completion that the control thread waits on while test runs.
- * @try_result: Contains any errno obtained while running test case.
- * @try: The function, the test case, to attempt to run.
- * @catch: The function called if @try bails out.
-@@ -46,7 +44,6 @@ struct kunit;
- struct kunit_try_catch {
- /* private: internal use only. */
- struct kunit *test;
-- struct completion *try_completion;
- int try_result;
- kunit_try_catch_func_t try;
- kunit_try_catch_func_t catch;
-diff --git a/kernel/kthread.c b/kernel/kthread.c
-index 290cbc845225e..2afdba66b729e 100644
---- a/kernel/kthread.c
-+++ b/kernel/kthread.c
-@@ -315,6 +315,7 @@ void __noreturn kthread_exit(long result)
- kthread->result = result;
- do_exit(0);
- }
-+EXPORT_SYMBOL(kthread_exit);
-
- /**
- * kthread_complete_and_exit - Exit the current kthread.
-diff --git a/lib/kunit/try-catch.c b/lib/kunit/try-catch.c
-index 9c9e4dcf06d96..34d30a6f23054 100644
---- a/lib/kunit/try-catch.c
-+++ b/lib/kunit/try-catch.c
-@@ -18,7 +18,7 @@
- void __noreturn kunit_try_catch_throw(struct kunit_try_catch *try_catch)
- {
- try_catch->try_result = -EFAULT;
-- kthread_complete_and_exit(try_catch->try_completion, -EFAULT);
-+ kthread_exit(0);
- }
- EXPORT_SYMBOL_GPL(kunit_try_catch_throw);
-
-@@ -26,9 +26,12 @@ static int kunit_generic_run_threadfn_adapter(void *data)
- {
- struct kunit_try_catch *try_catch = data;
-
-+ try_catch->try_result = -EINTR;
- try_catch->try(try_catch->context);
-+ if (try_catch->try_result == -EINTR)
-+ try_catch->try_result = 0;
-
-- kthread_complete_and_exit(try_catch->try_completion, 0);
-+ return 0;
- }
-
- static unsigned long kunit_test_timeout(void)
-@@ -58,13 +61,11 @@ static unsigned long kunit_test_timeout(void)
-
- void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context)
- {
-- DECLARE_COMPLETION_ONSTACK(try_completion);
- struct kunit *test = try_catch->test;
- struct task_struct *task_struct;
- int exit_code, time_remaining;
-
- try_catch->context = context;
-- try_catch->try_completion = &try_completion;
- try_catch->try_result = 0;
- task_struct = kthread_create(kunit_generic_run_threadfn_adapter,
- try_catch, "kunit_try_catch_thread");
-@@ -74,8 +75,12 @@ void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context)
- }
- get_task_struct(task_struct);
- wake_up_process(task_struct);
--
-- time_remaining = wait_for_completion_timeout(&try_completion,
-+ /*
-+ * As for a vfork(2), task_struct->vfork_done (pointing to the
-+ * underlying kthread->exited) can be used to wait for the end of a
-+ * kernel thread.
-+ */
-+ time_remaining = wait_for_completion_timeout(task_struct->vfork_done,
- kunit_test_timeout());
- if (time_remaining == 0) {
- try_catch->try_result = -ETIMEDOUT;
-@@ -91,7 +96,7 @@ void kunit_try_catch_run(struct kunit_try_catch *try_catch, void *context)
- if (exit_code == -EFAULT)
- try_catch->try_result = 0;
- else if (exit_code == -EINTR)
-- kunit_err(test, "wake_up_process() was never called\n");
-+ kunit_err(test, "try faulted\n");
- else if (exit_code == -ETIMEDOUT)
- kunit_err(test, "try timed out\n");
- else if (exit_code)
---
-2.43.0
-
+++ /dev/null
-From 1fc2f94ab93d9bcabbbd77c9cd70f4e0a1d63e8a Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 11 Apr 2024 19:10:32 +0300
-Subject: leds: an30259a: Use devm_mutex_init() for mutex initialization
-
-From: George Stark <gnstark@salutedevices.com>
-
-[ Upstream commit c382e2e3eccb6b7ca8c7aff5092c1668428e7de6 ]
-
-In this driver LEDs are registered using devm_led_classdev_register()
-so they are automatically unregistered after module's remove() is done.
-led_classdev_unregister() calls module's led_set_brightness() to turn off
-the LEDs and that callback uses mutex which was destroyed already
-in module's remove() so use devm API instead.
-
-Signed-off-by: George Stark <gnstark@salutedevices.com>
-Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
-Link: https://lore.kernel.org/r/20240411161032.609544-9-gnstark@salutedevices.com
-Signed-off-by: Lee Jones <lee@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/leds/leds-an30259a.c | 14 ++++----------
- 1 file changed, 4 insertions(+), 10 deletions(-)
-
-diff --git a/drivers/leds/leds-an30259a.c b/drivers/leds/leds-an30259a.c
-index 0216afed3b6e7..decfca447d8a7 100644
---- a/drivers/leds/leds-an30259a.c
-+++ b/drivers/leds/leds-an30259a.c
-@@ -283,7 +283,10 @@ static int an30259a_probe(struct i2c_client *client)
- if (err < 0)
- return err;
-
-- mutex_init(&chip->mutex);
-+ err = devm_mutex_init(&client->dev, &chip->mutex);
-+ if (err)
-+ return err;
-+
- chip->client = client;
- i2c_set_clientdata(client, chip);
-
-@@ -317,17 +320,9 @@ static int an30259a_probe(struct i2c_client *client)
- return 0;
-
- exit:
-- mutex_destroy(&chip->mutex);
- return err;
- }
-
--static void an30259a_remove(struct i2c_client *client)
--{
-- struct an30259a *chip = i2c_get_clientdata(client);
--
-- mutex_destroy(&chip->mutex);
--}
--
- static const struct of_device_id an30259a_match_table[] = {
- { .compatible = "panasonic,an30259a", },
- { /* sentinel */ },
-@@ -347,7 +342,6 @@ static struct i2c_driver an30259a_driver = {
- .of_match_table = an30259a_match_table,
- },
- .probe = an30259a_probe,
-- .remove = an30259a_remove,
- .id_table = an30259a_id,
- };
-
---
-2.43.0
-
+++ /dev/null
-From 13d66adf56ede1c549b0e9016a11cc133b9ffce8 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 11 Apr 2024 19:10:25 +0300
-Subject: locking/mutex: Introduce devm_mutex_init()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: George Stark <gnstark@salutedevices.com>
-
-[ Upstream commit 4cd47222e435dec8e3787614924174f53fcfb5ae ]
-
-Using of devm API leads to a certain order of releasing resources.
-So all dependent resources which are not devm-wrapped should be deleted
-with respect to devm-release order. Mutex is one of such objects that
-often is bound to other resources and has no own devm wrapping.
-Since mutex_destroy() actually does nothing in non-debug builds
-frequently calling mutex_destroy() is just ignored which is safe for now
-but wrong formally and can lead to a problem if mutex_destroy() will be
-extended so introduce devm_mutex_init().
-
-Suggested-by: Christophe Leroy <christophe.leroy@csgroup.eu>
-Signed-off-by: George Stark <gnstark@salutedevices.com>
-Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
-Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
-Reviewed-by: Marek Behún <kabel@kernel.org>
-Acked-by: Waiman Long <longman@redhat.com>
-Link: https://lore.kernel.org/r/20240411161032.609544-2-gnstark@salutedevices.com
-Signed-off-by: Lee Jones <lee@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- include/linux/mutex.h | 27 +++++++++++++++++++++++++++
- kernel/locking/mutex-debug.c | 12 ++++++++++++
- 2 files changed, 39 insertions(+)
-
-diff --git a/include/linux/mutex.h b/include/linux/mutex.h
-index a33aa9eb9fc3b..5b5630e58407a 100644
---- a/include/linux/mutex.h
-+++ b/include/linux/mutex.h
-@@ -21,6 +21,8 @@
- #include <linux/debug_locks.h>
- #include <linux/cleanup.h>
-
-+struct device;
-+
- #ifdef CONFIG_DEBUG_LOCK_ALLOC
- # define __DEP_MAP_MUTEX_INITIALIZER(lockname) \
- , .dep_map = { \
-@@ -171,6 +173,31 @@ do { \
- } while (0)
- #endif /* CONFIG_PREEMPT_RT */
-
-+#ifdef CONFIG_DEBUG_MUTEXES
-+
-+int __devm_mutex_init(struct device *dev, struct mutex *lock);
-+
-+#else
-+
-+static inline int __devm_mutex_init(struct device *dev, struct mutex *lock)
-+{
-+ /*
-+ * When CONFIG_DEBUG_MUTEXES is off mutex_destroy() is just a nop so
-+ * no really need to register it in the devm subsystem.
-+ */
-+ return 0;
-+}
-+
-+#endif
-+
-+#define devm_mutex_init(dev, mutex) \
-+({ \
-+ typeof(mutex) mutex_ = (mutex); \
-+ \
-+ mutex_init(mutex_); \
-+ __devm_mutex_init(dev, mutex_); \
-+})
-+
- /*
- * See kernel/locking/mutex.c for detailed documentation of these APIs.
- * Also see Documentation/locking/mutex-design.rst.
-diff --git a/kernel/locking/mutex-debug.c b/kernel/locking/mutex-debug.c
-index bc8abb8549d20..6e6f6071cfa27 100644
---- a/kernel/locking/mutex-debug.c
-+++ b/kernel/locking/mutex-debug.c
-@@ -12,6 +12,7 @@
- */
- #include <linux/mutex.h>
- #include <linux/delay.h>
-+#include <linux/device.h>
- #include <linux/export.h>
- #include <linux/poison.h>
- #include <linux/sched.h>
-@@ -89,6 +90,17 @@ void debug_mutex_init(struct mutex *lock, const char *name,
- lock->magic = lock;
- }
-
-+static void devm_mutex_release(void *res)
-+{
-+ mutex_destroy(res);
-+}
-+
-+int __devm_mutex_init(struct device *dev, struct mutex *lock)
-+{
-+ return devm_add_action_or_reset(dev, devm_mutex_release, lock);
-+}
-+EXPORT_SYMBOL_GPL(__devm_mutex_init);
-+
- /***
- * mutex_destroy - mark a mutex unusable
- * @lock: the mutex to be destroyed
---
-2.43.0
-
+++ /dev/null
-From b9b15405056ee9b2a19b67cc25208d465f2a1b5d Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 10 Apr 2024 12:24:37 +0000
-Subject: media: dvb: as102-fe: Fix as10x_register_addr packing
-
-From: Ricardo Ribalda <ribalda@chromium.org>
-
-[ Upstream commit 309422d280748c74f57f471559980268ac27732a ]
-
-This structure is embedded in multiple other structures that are packed,
-which conflicts with it being aligned.
-
-drivers/media/usb/as102/as10x_cmd.h:379:30: warning: field reg_addr within 'struct as10x_dump_memory::(unnamed at drivers/media/usb/as102/as10x_cmd.h:373:2)' is less aligned than 'struct as10x_register_addr' and is usually due to 'struct as10x_dump_memory::(unnamed at drivers/media/usb/as102/as10x_cmd.h:373:2)' being packed, which can lead to unaligned accesses [-Wunaligned-access]
-
-Mark it as being packed.
-
-Marking the inner struct as 'packed' does not change the layout, since the
-whole struct is already packed, it just silences the clang warning. See
-also this llvm discussion:
-
-https://github.com/llvm/llvm-project/issues/55520
-
-Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
-Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/media/dvb-frontends/as102_fe_types.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/media/dvb-frontends/as102_fe_types.h b/drivers/media/dvb-frontends/as102_fe_types.h
-index 297f9520ebf9d..8a4e392c88965 100644
---- a/drivers/media/dvb-frontends/as102_fe_types.h
-+++ b/drivers/media/dvb-frontends/as102_fe_types.h
-@@ -174,6 +174,6 @@ struct as10x_register_addr {
- uint32_t addr;
- /* register mode access */
- uint8_t mode;
--};
-+} __packed;
-
- #endif
---
-2.43.0
-
+++ /dev/null
-From 9c513071b00da4816b63d01df488b77e3306cb1c Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 29 Apr 2024 16:05:04 +0100
-Subject: media: dvb-frontends: tda10048: Fix integer overflow
-
-From: Ricardo Ribalda <ribalda@chromium.org>
-
-[ Upstream commit 1aa1329a67cc214c3b7bd2a14d1301a795760b07 ]
-
-state->xtal_hz can be up to 16M, so it can overflow a 32 bit integer
-when multiplied by pll_mfactor.
-
-Create a new 64 bit variable to hold the calculations.
-
-Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-25-3c4865f5a4b0@chromium.org
-Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
-Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
-Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/media/dvb-frontends/tda10048.c | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/media/dvb-frontends/tda10048.c b/drivers/media/dvb-frontends/tda10048.c
-index 5d5e4e9e4422e..3e725cdcc66bd 100644
---- a/drivers/media/dvb-frontends/tda10048.c
-+++ b/drivers/media/dvb-frontends/tda10048.c
-@@ -410,6 +410,7 @@ static int tda10048_set_if(struct dvb_frontend *fe, u32 bw)
- struct tda10048_config *config = &state->config;
- int i;
- u32 if_freq_khz;
-+ u64 sample_freq;
-
- dprintk(1, "%s(bw = %d)\n", __func__, bw);
-
-@@ -451,9 +452,11 @@ static int tda10048_set_if(struct dvb_frontend *fe, u32 bw)
- dprintk(1, "- pll_pfactor = %d\n", state->pll_pfactor);
-
- /* Calculate the sample frequency */
-- state->sample_freq = state->xtal_hz * (state->pll_mfactor + 45);
-- state->sample_freq /= (state->pll_nfactor + 1);
-- state->sample_freq /= (state->pll_pfactor + 4);
-+ sample_freq = state->xtal_hz;
-+ sample_freq *= state->pll_mfactor + 45;
-+ do_div(sample_freq, state->pll_nfactor + 1);
-+ do_div(sample_freq, state->pll_pfactor + 4);
-+ state->sample_freq = sample_freq;
- dprintk(1, "- sample_freq = %d\n", state->sample_freq);
-
- /* Update the I/F */
---
-2.43.0
-
+++ /dev/null
-From 4f8fbc960e9171d0cf3ce0db8a11c1463822dd1f Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 29 Apr 2024 16:04:47 +0100
-Subject: media: dvb-frontends: tda18271c2dd: Remove casting during div
-
-From: Ricardo Ribalda <ribalda@chromium.org>
-
-[ Upstream commit e9a844632630e18ed0671a7e3467431bd719952e ]
-
-do_div() divides 64 bits by 32. We were adding a casting to the divider
-to 64 bits, for a number that fits perfectly in 32 bits. Remove it.
-
-Found by cocci:
-drivers/media/dvb-frontends/tda18271c2dd.c:355:1-7: WARNING: do_div() does a 64-by-32 division, please consider using div64_u64 instead.
-drivers/media/dvb-frontends/tda18271c2dd.c:331:1-7: WARNING: do_div() does a 64-by-32 division, please consider using div64_u64 instead.
-
-Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-8-3c4865f5a4b0@chromium.org
-Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
-Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/media/dvb-frontends/tda18271c2dd.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/media/dvb-frontends/tda18271c2dd.c b/drivers/media/dvb-frontends/tda18271c2dd.c
-index a348344879433..fd928787207ed 100644
---- a/drivers/media/dvb-frontends/tda18271c2dd.c
-+++ b/drivers/media/dvb-frontends/tda18271c2dd.c
-@@ -328,7 +328,7 @@ static int CalcMainPLL(struct tda_state *state, u32 freq)
-
- OscFreq = (u64) freq * (u64) Div;
- OscFreq *= (u64) 16384;
-- do_div(OscFreq, (u64)16000000);
-+ do_div(OscFreq, 16000000);
- MainDiv = OscFreq;
-
- state->m_Regs[MPD] = PostDiv & 0x77;
-@@ -352,7 +352,7 @@ static int CalcCalPLL(struct tda_state *state, u32 freq)
- OscFreq = (u64)freq * (u64)Div;
- /* CalDiv = u32( OscFreq * 16384 / 16000000 ); */
- OscFreq *= (u64)16384;
-- do_div(OscFreq, (u64)16000000);
-+ do_div(OscFreq, 16000000);
- CalDiv = OscFreq;
-
- state->m_Regs[CPD] = PostDiv;
---
-2.43.0
-
+++ /dev/null
-From e12c3a06574796e66faa9ccf0841b03f19be4ba1 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 11 Apr 2024 21:17:56 +0000
-Subject: media: dvb-usb: dib0700_devices: Add missing release_firmware()
-
-From: Ricardo Ribalda <ribalda@chromium.org>
-
-[ Upstream commit 4b267c23ee064bd24c6933df0588ad1b6e111145 ]
-
-Add missing release_firmware on the error paths.
-
-drivers/media/usb/dvb-usb/dib0700_devices.c:2415 stk9090m_frontend_attach() warn: 'state->frontend_firmware' from request_firmware() not released on lines: 2415.
-drivers/media/usb/dvb-usb/dib0700_devices.c:2497 nim9090md_frontend_attach() warn: 'state->frontend_firmware' from request_firmware() not released on lines: 2489,2497.
-
-Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
-Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/media/usb/dvb-usb/dib0700_devices.c | 18 +++++++++++++++---
- 1 file changed, 15 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/media/usb/dvb-usb/dib0700_devices.c b/drivers/media/usb/dvb-usb/dib0700_devices.c
-index 3af594134a6de..6ddc205133939 100644
---- a/drivers/media/usb/dvb-usb/dib0700_devices.c
-+++ b/drivers/media/usb/dvb-usb/dib0700_devices.c
-@@ -2412,7 +2412,12 @@ static int stk9090m_frontend_attach(struct dvb_usb_adapter *adap)
-
- adap->fe_adap[0].fe = dvb_attach(dib9000_attach, &adap->dev->i2c_adap, 0x80, &stk9090m_config);
-
-- return adap->fe_adap[0].fe == NULL ? -ENODEV : 0;
-+ if (!adap->fe_adap[0].fe) {
-+ release_firmware(state->frontend_firmware);
-+ return -ENODEV;
-+ }
-+
-+ return 0;
- }
-
- static int dib9090_tuner_attach(struct dvb_usb_adapter *adap)
-@@ -2485,8 +2490,10 @@ static int nim9090md_frontend_attach(struct dvb_usb_adapter *adap)
- dib9000_i2c_enumeration(&adap->dev->i2c_adap, 1, 0x20, 0x80);
- adap->fe_adap[0].fe = dvb_attach(dib9000_attach, &adap->dev->i2c_adap, 0x80, &nim9090md_config[0]);
-
-- if (adap->fe_adap[0].fe == NULL)
-+ if (!adap->fe_adap[0].fe) {
-+ release_firmware(state->frontend_firmware);
- return -ENODEV;
-+ }
-
- i2c = dib9000_get_i2c_master(adap->fe_adap[0].fe, DIBX000_I2C_INTERFACE_GPIO_3_4, 0);
- dib9000_i2c_enumeration(i2c, 1, 0x12, 0x82);
-@@ -2494,7 +2501,12 @@ static int nim9090md_frontend_attach(struct dvb_usb_adapter *adap)
- fe_slave = dvb_attach(dib9000_attach, i2c, 0x82, &nim9090md_config[1]);
- dib9000_set_slave_frontend(adap->fe_adap[0].fe, fe_slave);
-
-- return fe_slave == NULL ? -ENODEV : 0;
-+ if (!fe_slave) {
-+ release_firmware(state->frontend_firmware);
-+ return -ENODEV;
-+ }
-+
-+ return 0;
- }
-
- static int nim9090md_tuner_attach(struct dvb_usb_adapter *adap)
---
-2.43.0
-
+++ /dev/null
-From d5721af75c164d8edbe50ec28b2a13abdeb1fb65 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sun, 16 Jan 2022 11:22:36 +0000
-Subject: media: dw2102: Don't translate i2c read into write
-
-From: Michael Bunk <micha@freedict.org>
-
-[ Upstream commit 0e148a522b8453115038193e19ec7bea71403e4a ]
-
-The code ignored the I2C_M_RD flag on I2C messages. Instead it assumed
-an i2c transaction with a single message must be a write operation and a
-transaction with two messages would be a read operation.
-
-Though this works for the driver code, it leads to problems once the i2c
-device is exposed to code not knowing this convention. For example,
-I did "insmod i2c-dev" and issued read requests from userspace, which
-were translated into write requests and destroyed the EEPROM of my
-device.
-
-So, just check and respect the I2C_M_READ flag, which indicates a read
-when set on a message. If it is absent, it is a write message.
-
-Incidentally, changing from the case statement to a while loop allows
-the code to lift the limitation to two i2c messages per transaction.
-
-There are 4 more *_i2c_transfer functions affected by the same behaviour
-and limitation that should be fixed in the same way.
-
-Link: https://lore.kernel.org/linux-media/20220116112238.74171-2-micha@freedict.org
-Signed-off-by: Michael Bunk <micha@freedict.org>
-Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/media/usb/dvb-usb/dw2102.c | 120 ++++++++++++++++++-----------
- 1 file changed, 73 insertions(+), 47 deletions(-)
-
-diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c
-index b3bb1805829ad..10351308b0d02 100644
---- a/drivers/media/usb/dvb-usb/dw2102.c
-+++ b/drivers/media/usb/dvb-usb/dw2102.c
-@@ -716,6 +716,7 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[],
- {
- struct dvb_usb_device *d = i2c_get_adapdata(adap);
- struct dw2102_state *state;
-+ int j;
-
- if (!d)
- return -ENODEV;
-@@ -729,11 +730,11 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[],
- return -EAGAIN;
- }
-
-- switch (num) {
-- case 1:
-- switch (msg[0].addr) {
-+ j = 0;
-+ while (j < num) {
-+ switch (msg[j].addr) {
- case SU3000_STREAM_CTRL:
-- state->data[0] = msg[0].buf[0] + 0x36;
-+ state->data[0] = msg[j].buf[0] + 0x36;
- state->data[1] = 3;
- state->data[2] = 0;
- if (dvb_usb_generic_rw(d, state->data, 3,
-@@ -745,61 +746,86 @@ static int su3000_i2c_transfer(struct i2c_adapter *adap, struct i2c_msg msg[],
- if (dvb_usb_generic_rw(d, state->data, 1,
- state->data, 2, 0) < 0)
- err("i2c transfer failed.");
-- msg[0].buf[1] = state->data[0];
-- msg[0].buf[0] = state->data[1];
-+ msg[j].buf[1] = state->data[0];
-+ msg[j].buf[0] = state->data[1];
- break;
- default:
-- if (3 + msg[0].len > sizeof(state->data)) {
-- warn("i2c wr: len=%d is too big!\n",
-- msg[0].len);
-+ /* if the current write msg is followed by a another
-+ * read msg to/from the same address
-+ */
-+ if ((j+1 < num) && (msg[j+1].flags & I2C_M_RD) &&
-+ (msg[j].addr == msg[j+1].addr)) {
-+ /* join both i2c msgs to one usb read command */
-+ if (4 + msg[j].len > sizeof(state->data)) {
-+ warn("i2c combined wr/rd: write len=%d is too big!\n",
-+ msg[j].len);
-+ num = -EOPNOTSUPP;
-+ break;
-+ }
-+ if (1 + msg[j+1].len > sizeof(state->data)) {
-+ warn("i2c combined wr/rd: read len=%d is too big!\n",
-+ msg[j+1].len);
-+ num = -EOPNOTSUPP;
-+ break;
-+ }
-+
-+ state->data[0] = 0x09;
-+ state->data[1] = msg[j].len;
-+ state->data[2] = msg[j+1].len;
-+ state->data[3] = msg[j].addr;
-+ memcpy(&state->data[4], msg[j].buf, msg[j].len);
-+
-+ if (dvb_usb_generic_rw(d, state->data, msg[j].len + 4,
-+ state->data, msg[j+1].len + 1, 0) < 0)
-+ err("i2c transfer failed.");
-+
-+ memcpy(msg[j+1].buf, &state->data[1], msg[j+1].len);
-+ j++;
-+ break;
-+ }
-+
-+ if (msg[j].flags & I2C_M_RD) {
-+ /* single read */
-+ if (1 + msg[j].len > sizeof(state->data)) {
-+ warn("i2c rd: len=%d is too big!\n", msg[j].len);
-+ num = -EOPNOTSUPP;
-+ break;
-+ }
-+
-+ state->data[0] = 0x09;
-+ state->data[1] = 0;
-+ state->data[2] = msg[j].len;
-+ state->data[3] = msg[j].addr;
-+ memcpy(&state->data[4], msg[j].buf, msg[j].len);
-+
-+ if (dvb_usb_generic_rw(d, state->data, 4,
-+ state->data, msg[j].len + 1, 0) < 0)
-+ err("i2c transfer failed.");
-+
-+ memcpy(msg[j].buf, &state->data[1], msg[j].len);
-+ break;
-+ }
-+
-+ /* single write */
-+ if (3 + msg[j].len > sizeof(state->data)) {
-+ warn("i2c wr: len=%d is too big!\n", msg[j].len);
- num = -EOPNOTSUPP;
- break;
- }
-
-- /* always i2c write*/
- state->data[0] = 0x08;
-- state->data[1] = msg[0].addr;
-- state->data[2] = msg[0].len;
-+ state->data[1] = msg[j].addr;
-+ state->data[2] = msg[j].len;
-
-- memcpy(&state->data[3], msg[0].buf, msg[0].len);
-+ memcpy(&state->data[3], msg[j].buf, msg[j].len);
-
-- if (dvb_usb_generic_rw(d, state->data, msg[0].len + 3,
-+ if (dvb_usb_generic_rw(d, state->data, msg[j].len + 3,
- state->data, 1, 0) < 0)
- err("i2c transfer failed.");
-+ } // switch
-+ j++;
-
-- }
-- break;
-- case 2:
-- /* always i2c read */
-- if (4 + msg[0].len > sizeof(state->data)) {
-- warn("i2c rd: len=%d is too big!\n",
-- msg[0].len);
-- num = -EOPNOTSUPP;
-- break;
-- }
-- if (1 + msg[1].len > sizeof(state->data)) {
-- warn("i2c rd: len=%d is too big!\n",
-- msg[1].len);
-- num = -EOPNOTSUPP;
-- break;
-- }
--
-- state->data[0] = 0x09;
-- state->data[1] = msg[0].len;
-- state->data[2] = msg[1].len;
-- state->data[3] = msg[0].addr;
-- memcpy(&state->data[4], msg[0].buf, msg[0].len);
--
-- if (dvb_usb_generic_rw(d, state->data, msg[0].len + 4,
-- state->data, msg[1].len + 1, 0) < 0)
-- err("i2c transfer failed.");
--
-- memcpy(msg[1].buf, &state->data[1], msg[1].len);
-- break;
-- default:
-- warn("more than 2 i2c messages at a time is not handled yet.");
-- break;
-- }
-+ } // while
- mutex_unlock(&d->data_mutex);
- mutex_unlock(&d->i2c_mutex);
- return num;
---
-2.43.0
-
+++ /dev/null
-From 707121775ab7a1c0a75624b5e39f0a58e0886154 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 21 Dec 2023 09:17:46 +0000
-Subject: media: mediatek: vcodec: Only free buffer VA that is not NULL
-
-From: Fei Shao <fshao@chromium.org>
-
-[ Upstream commit eb005c801ec70ff4307727bd3bd6e8280169ef32 ]
-
-In the MediaTek vcodec driver, while mtk_vcodec_mem_free() is mostly
-called only when the buffer to free exists, there are some instances
-that didn't do the check and triggered warnings in practice.
-
-We believe those checks were forgotten unintentionally. Add the checks
-back to fix the warnings.
-
-Signed-off-by: Fei Shao <fshao@chromium.org>
-Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
-Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@collabora.com>
-Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com>
-Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- .../vcodec/decoder/vdec/vdec_av1_req_lat_if.c | 22 +++++++++++++------
- .../vcodec/encoder/venc/venc_h264_if.c | 5 +++--
- 2 files changed, 18 insertions(+), 9 deletions(-)
-
-diff --git a/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_av1_req_lat_if.c b/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_av1_req_lat_if.c
-index 2b6a5adbc4199..b0e2e59f61b5d 100644
---- a/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_av1_req_lat_if.c
-+++ b/drivers/media/platform/mediatek/vcodec/decoder/vdec/vdec_av1_req_lat_if.c
-@@ -1023,18 +1023,26 @@ static void vdec_av1_slice_free_working_buffer(struct vdec_av1_slice_instance *i
- int i;
-
- for (i = 0; i < ARRAY_SIZE(instance->mv); i++)
-- mtk_vcodec_mem_free(ctx, &instance->mv[i]);
-+ if (instance->mv[i].va)
-+ mtk_vcodec_mem_free(ctx, &instance->mv[i]);
-
- for (i = 0; i < ARRAY_SIZE(instance->seg); i++)
-- mtk_vcodec_mem_free(ctx, &instance->seg[i]);
-+ if (instance->seg[i].va)
-+ mtk_vcodec_mem_free(ctx, &instance->seg[i]);
-
- for (i = 0; i < ARRAY_SIZE(instance->cdf); i++)
-- mtk_vcodec_mem_free(ctx, &instance->cdf[i]);
-+ if (instance->cdf[i].va)
-+ mtk_vcodec_mem_free(ctx, &instance->cdf[i]);
-+
-
-- mtk_vcodec_mem_free(ctx, &instance->tile);
-- mtk_vcodec_mem_free(ctx, &instance->cdf_temp);
-- mtk_vcodec_mem_free(ctx, &instance->cdf_table);
-- mtk_vcodec_mem_free(ctx, &instance->iq_table);
-+ if (instance->tile.va)
-+ mtk_vcodec_mem_free(ctx, &instance->tile);
-+ if (instance->cdf_temp.va)
-+ mtk_vcodec_mem_free(ctx, &instance->cdf_temp);
-+ if (instance->cdf_table.va)
-+ mtk_vcodec_mem_free(ctx, &instance->cdf_table);
-+ if (instance->iq_table.va)
-+ mtk_vcodec_mem_free(ctx, &instance->iq_table);
-
- instance->level = AV1_RES_NONE;
- }
-diff --git a/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c b/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c
-index a68dac72c4e42..f8145998fcaf7 100644
---- a/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c
-+++ b/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c
-@@ -301,11 +301,12 @@ static void h264_enc_free_work_buf(struct venc_h264_inst *inst)
- * other buffers need to be freed by AP.
- */
- for (i = 0; i < VENC_H264_VPU_WORK_BUF_MAX; i++) {
-- if (i != VENC_H264_VPU_WORK_BUF_SKIP_FRAME)
-+ if (i != VENC_H264_VPU_WORK_BUF_SKIP_FRAME && inst->work_bufs[i].va)
- mtk_vcodec_mem_free(inst->ctx, &inst->work_bufs[i]);
- }
-
-- mtk_vcodec_mem_free(inst->ctx, &inst->pps_buf);
-+ if (inst->pps_buf.va)
-+ mtk_vcodec_mem_free(inst->ctx, &inst->pps_buf);
- }
-
- static int h264_enc_alloc_work_buf(struct venc_h264_inst *inst, bool is_34bit)
---
-2.43.0
-
+++ /dev/null
-From 444cc5a99f28c41bcc717b7e7bb82f56a6968f6e Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 29 Apr 2024 16:04:50 +0100
-Subject: media: s2255: Use refcount_t instead of atomic_t for num_channels
-
-From: Ricardo Ribalda <ribalda@chromium.org>
-
-[ Upstream commit 6cff72f6bcee89228a662435b7c47e21a391c8d0 ]
-
-Use an API that resembles more the actual use of num_channels.
-
-Found by cocci:
-drivers/media/usb/s2255/s2255drv.c:2362:5-24: WARNING: atomic_dec_and_test variation before object free at line 2363.
-drivers/media/usb/s2255/s2255drv.c:1557:5-24: WARNING: atomic_dec_and_test variation before object free at line 1558.
-
-Link: https://lore.kernel.org/linux-media/20240429-fix-cocci-v3-11-3c4865f5a4b0@chromium.org
-Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
-Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/media/usb/s2255/s2255drv.c | 20 ++++++++++----------
- 1 file changed, 10 insertions(+), 10 deletions(-)
-
-diff --git a/drivers/media/usb/s2255/s2255drv.c b/drivers/media/usb/s2255/s2255drv.c
-index 3c2627712fe9d..6f78be3c42d6a 100644
---- a/drivers/media/usb/s2255/s2255drv.c
-+++ b/drivers/media/usb/s2255/s2255drv.c
-@@ -247,7 +247,7 @@ struct s2255_vc {
- struct s2255_dev {
- struct s2255_vc vc[MAX_CHANNELS];
- struct v4l2_device v4l2_dev;
-- atomic_t num_channels;
-+ refcount_t num_channels;
- int frames;
- struct mutex lock; /* channels[].vdev.lock */
- struct mutex cmdlock; /* protects cmdbuf */
-@@ -1550,11 +1550,11 @@ static void s2255_video_device_release(struct video_device *vdev)
- container_of(vdev, struct s2255_vc, vdev);
-
- dprintk(dev, 4, "%s, chnls: %d\n", __func__,
-- atomic_read(&dev->num_channels));
-+ refcount_read(&dev->num_channels));
-
- v4l2_ctrl_handler_free(&vc->hdl);
-
-- if (atomic_dec_and_test(&dev->num_channels))
-+ if (refcount_dec_and_test(&dev->num_channels))
- s2255_destroy(dev);
- return;
- }
-@@ -1659,7 +1659,7 @@ static int s2255_probe_v4l(struct s2255_dev *dev)
- "failed to register video device!\n");
- break;
- }
-- atomic_inc(&dev->num_channels);
-+ refcount_inc(&dev->num_channels);
- v4l2_info(&dev->v4l2_dev, "V4L2 device registered as %s\n",
- video_device_node_name(&vc->vdev));
-
-@@ -1667,11 +1667,11 @@ static int s2255_probe_v4l(struct s2255_dev *dev)
- pr_info("Sensoray 2255 V4L driver Revision: %s\n",
- S2255_VERSION);
- /* if no channels registered, return error and probe will fail*/
-- if (atomic_read(&dev->num_channels) == 0) {
-+ if (refcount_read(&dev->num_channels) == 0) {
- v4l2_device_unregister(&dev->v4l2_dev);
- return ret;
- }
-- if (atomic_read(&dev->num_channels) != MAX_CHANNELS)
-+ if (refcount_read(&dev->num_channels) != MAX_CHANNELS)
- pr_warn("s2255: Not all channels available.\n");
- return 0;
- }
-@@ -2220,7 +2220,7 @@ static int s2255_probe(struct usb_interface *interface,
- goto errorFWDATA1;
- }
-
-- atomic_set(&dev->num_channels, 0);
-+ refcount_set(&dev->num_channels, 0);
- dev->pid = id->idProduct;
- dev->fw_data = kzalloc(sizeof(struct s2255_fw), GFP_KERNEL);
- if (!dev->fw_data)
-@@ -2340,12 +2340,12 @@ static void s2255_disconnect(struct usb_interface *interface)
- {
- struct s2255_dev *dev = to_s2255_dev(usb_get_intfdata(interface));
- int i;
-- int channels = atomic_read(&dev->num_channels);
-+ int channels = refcount_read(&dev->num_channels);
- mutex_lock(&dev->lock);
- v4l2_device_disconnect(&dev->v4l2_dev);
- mutex_unlock(&dev->lock);
- /*see comments in the uvc_driver.c usb disconnect function */
-- atomic_inc(&dev->num_channels);
-+ refcount_inc(&dev->num_channels);
- /* unregister each video device. */
- for (i = 0; i < channels; i++)
- video_unregister_device(&dev->vc[i].vdev);
-@@ -2358,7 +2358,7 @@ static void s2255_disconnect(struct usb_interface *interface)
- dev->vc[i].vidstatus_ready = 1;
- wake_up(&dev->vc[i].wait_vidstatus);
- }
-- if (atomic_dec_and_test(&dev->num_channels))
-+ if (refcount_dec_and_test(&dev->num_channels))
- s2255_destroy(dev);
- dev_info(&interface->dev, "%s\n", __func__);
- }
---
-2.43.0
-
+++ /dev/null
-From 3d2c7d55832703b24e7c6ddb9a635eadf0681ead Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 30 Apr 2024 18:46:45 +0100
-Subject: net: dsa: mv88e6xxx: Correct check for empty list
-
-From: Simon Horman <horms@kernel.org>
-
-[ Upstream commit 4c7f3950a9fd53a62b156c0fe7c3a2c43b0ba19b ]
-
-Since commit a3c53be55c95 ("net: dsa: mv88e6xxx: Support multiple MDIO
-busses") mv88e6xxx_default_mdio_bus() has checked that the
-return value of list_first_entry() is non-NULL.
-
-This appears to be intended to guard against the list chip->mdios being
-empty. However, it is not the correct check as the implementation of
-list_first_entry is not designed to return NULL for empty lists.
-
-Instead, use list_first_entry_or_null() which does return NULL if the
-list is empty.
-
-Flagged by Smatch.
-Compile tested only.
-
-Reviewed-by: Andrew Lunn <andrew@lunn.ch>
-Signed-off-by: Simon Horman <horms@kernel.org>
-Link: https://lore.kernel.org/r/20240430-mv88e6xx-list_empty-v3-1-c35c69d88d2e@kernel.org
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/dsa/mv88e6xxx/chip.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
-index 9571e1b1e59ef..354d4af134562 100644
---- a/drivers/net/dsa/mv88e6xxx/chip.c
-+++ b/drivers/net/dsa/mv88e6xxx/chip.c
-@@ -131,8 +131,8 @@ struct mii_bus *mv88e6xxx_default_mdio_bus(struct mv88e6xxx_chip *chip)
- {
- struct mv88e6xxx_mdio_bus *mdio_bus;
-
-- mdio_bus = list_first_entry(&chip->mdios, struct mv88e6xxx_mdio_bus,
-- list);
-+ mdio_bus = list_first_entry_or_null(&chip->mdios,
-+ struct mv88e6xxx_mdio_bus, list);
- if (!mdio_bus)
- return NULL;
-
---
-2.43.0
-
+++ /dev/null
-From 0a4b85a0171cf02957912465811221dba77bde1e Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 9 May 2024 07:14:29 +0900
-Subject: nilfs2: convert BUG_ON() in nilfs_finish_roll_forward() to WARN_ON()
-
-From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
-
-[ Upstream commit 0a73eac1ed10097d1799c10dff2172605fd40c75 ]
-
-The BUG_ON check performed on the return value of __getblk() in
-nilfs_finish_roll_forward() assumes that a buffer that has been
-successfully read once is retrieved with the same parameters and does not
-fail (__getblk() does not return an error due to memory allocation
-failure). Also, nilfs_finish_roll_forward() is called at most once during
-mount.
-
-Taking these into consideration, rewrite the check to use WARN_ON() to
-avoid using BUG_ON().
-
-Link: https://lkml.kernel.org/r/20240508221429.7559-1-konishi.ryusuke@gmail.com
-Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/nilfs2/recovery.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/fs/nilfs2/recovery.c b/fs/nilfs2/recovery.c
-index a9b8d77c8c1d5..3be374fee5c13 100644
---- a/fs/nilfs2/recovery.c
-+++ b/fs/nilfs2/recovery.c
-@@ -698,7 +698,9 @@ static void nilfs_finish_roll_forward(struct the_nilfs *nilfs,
- return;
-
- bh = __getblk(nilfs->ns_bdev, ri->ri_lsegs_start, nilfs->ns_blocksize);
-- BUG_ON(!bh);
-+ if (WARN_ON(!bh))
-+ return; /* should never happen */
-+
- memset(bh->b_data, 0, bh->b_size);
- set_buffer_dirty(bh);
- err = sync_dirty_buffer(bh);
---
-2.43.0
-
+++ /dev/null
-From 08f0979e8c7d7c1d6e2e823057701b56fc4109e4 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 1 May 2024 16:20:36 -0400
-Subject: orangefs: fix out-of-bounds fsid access
-
-From: Mike Marshall <hubcap@omnibond.com>
-
-[ Upstream commit 53e4efa470d5fc6a96662d2d3322cfc925818517 ]
-
-Arnd Bergmann sent a patch to fsdevel, he says:
-
-"orangefs_statfs() copies two consecutive fields of the superblock into
-the statfs structure, which triggers a warning from the string fortification
-helpers"
-
-Jan Kara suggested an alternate way to do the patch to make it more readable.
-
-I ran both ideas through xfstests and both seem fine. This patch
-is based on Jan Kara's suggestion.
-
-Signed-off-by: Mike Marshall <hubcap@omnibond.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- fs/orangefs/super.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/fs/orangefs/super.c b/fs/orangefs/super.c
-index 4ca8ed410c3cf..24e028c119c1b 100644
---- a/fs/orangefs/super.c
-+++ b/fs/orangefs/super.c
-@@ -201,7 +201,8 @@ static int orangefs_statfs(struct dentry *dentry, struct kstatfs *buf)
- (long)new_op->downcall.resp.statfs.files_avail);
-
- buf->f_type = sb->s_magic;
-- memcpy(&buf->f_fsid, &ORANGEFS_SB(sb)->fs_id, sizeof(buf->f_fsid));
-+ buf->f_fsid.val[0] = ORANGEFS_SB(sb)->fs_id;
-+ buf->f_fsid.val[1] = ORANGEFS_SB(sb)->id;
- buf->f_bsize = new_op->downcall.resp.statfs.block_size;
- buf->f_namelen = ORANGEFS_NAME_MAX;
-
---
-2.43.0
-
+++ /dev/null
-From 4eba5668374f467e2f9f2e7f820a422cff5c4ca8 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 7 May 2024 00:04:06 -0300
-Subject: perf probe: Use zfree() to avoid possibly accessing dangling pointers
-
-From: Arnaldo Carvalho de Melo <acme@redhat.com>
-
-[ Upstream commit b78854e5c008b01265d78c181332a3bb66c0abdf ]
-
-When freeing a->b it is good practice to set a->b to NULL using
-zfree(&a->b) so that when we have a bug where a reference to a freed 'a'
-pointer is kept somewhere, we can more quickly cause a segfault if some
-code tries to use a->b.
-
-Convert one such case in the 'perf probe' codebase.
-
-Cc: Adrian Hunter <adrian.hunter@intel.com>
-Cc: Ian Rogers <irogers@google.com>
-Cc: Jiri Olsa <jolsa@kernel.org>
-Cc: Kan Liang <kan.liang@linux.intel.com>
-Cc: Namhyung Kim <namhyung@kernel.org>
-Link: https://lore.kernel.org/lkml/ZjpBnkL2wO3QJa5W@x1
-Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- tools/perf/builtin-probe.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tools/perf/builtin-probe.c b/tools/perf/builtin-probe.c
-index 019fef8da6a8e..003a3bcebfdfc 100644
---- a/tools/perf/builtin-probe.c
-+++ b/tools/perf/builtin-probe.c
-@@ -325,7 +325,7 @@ static void cleanup_params(void)
- for (i = 0; i < params->nevents; i++)
- clear_perf_probe_event(params->events + i);
- line_range__clear(¶ms->line_range);
-- free(params->target);
-+ zfree(¶ms->target);
- strfilter__delete(params->filter);
- nsinfo__put(params->nsi);
- zfree(¶ms);
---
-2.43.0
-
+++ /dev/null
-From 119192ec5dbbf64fcf640bad32144beb77589658 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 3 May 2024 17:56:19 +1000
-Subject: powerpc/64: Set _IO_BASE to POISON_POINTER_DELTA not 0 for
- CONFIG_PCI=n
-
-From: Michael Ellerman <mpe@ellerman.id.au>
-
-[ Upstream commit be140f1732b523947425aaafbe2e37b41b622d96 ]
-
-There is code that builds with calls to IO accessors even when
-CONFIG_PCI=n, but the actual calls are guarded by runtime checks.
-
-If not those calls would be faulting, because the page at virtual
-address zero is (usually) not mapped into the kernel. As Arnd pointed
-out, it is possible a large port value could cause the address to be
-above mmap_min_addr which would then access userspace, which would be
-a bug.
-
-To avoid any such issues, set _IO_BASE to POISON_POINTER_DELTA. That
-is a value chosen to point into unmapped space between the kernel and
-userspace, so any access will always fault.
-
-Note that on 32-bit POISON_POINTER_DELTA is 0, so the patch only has an
-effect on 64-bit.
-
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://msgid.link/20240503075619.394467-2-mpe@ellerman.id.au
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/powerpc/include/asm/io.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/powerpc/include/asm/io.h b/arch/powerpc/include/asm/io.h
-index 59cc25cb4578e..99419e87f5556 100644
---- a/arch/powerpc/include/asm/io.h
-+++ b/arch/powerpc/include/asm/io.h
-@@ -37,7 +37,7 @@ extern struct pci_dev *isa_bridge_pcidev;
- * define properly based on the platform
- */
- #ifndef CONFIG_PCI
--#define _IO_BASE 0
-+#define _IO_BASE POISON_POINTER_DELTA
- #define _ISA_MEM_BASE 0
- #define PCI_DRAM_OFFSET 0
- #elif defined(CONFIG_PPC32)
---
-2.43.0
-
+++ /dev/null
-From 0aa6be87450e9562cb55c81d0b001b7aa2e5b5be Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 10 Apr 2024 10:00:06 +0530
-Subject: powerpc: Avoid nmi_enter/nmi_exit in real mode interrupt.
-
-From: Mahesh Salgaonkar <mahesh@linux.ibm.com>
-
-[ Upstream commit 0db880fc865ffb522141ced4bfa66c12ab1fbb70 ]
-
-nmi_enter()/nmi_exit() touches per cpu variables which can lead to kernel
-crash when invoked during real mode interrupt handling (e.g. early HMI/MCE
-interrupt handler) if percpu allocation comes from vmalloc area.
-
-Early HMI/MCE handlers are called through DEFINE_INTERRUPT_HANDLER_NMI()
-wrapper which invokes nmi_enter/nmi_exit calls. We don't see any issue when
-percpu allocation is from the embedded first chunk. However with
-CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK enabled there are chances where percpu
-allocation can come from the vmalloc area.
-
-With kernel command line "percpu_alloc=page" we can force percpu allocation
-to come from vmalloc area and can see kernel crash in machine_check_early:
-
-[ 1.215714] NIP [c000000000e49eb4] rcu_nmi_enter+0x24/0x110
-[ 1.215717] LR [c0000000000461a0] machine_check_early+0xf0/0x2c0
-[ 1.215719] --- interrupt: 200
-[ 1.215720] [c000000fffd73180] [0000000000000000] 0x0 (unreliable)
-[ 1.215722] [c000000fffd731b0] [0000000000000000] 0x0
-[ 1.215724] [c000000fffd73210] [c000000000008364] machine_check_early_common+0x134/0x1f8
-
-Fix this by avoiding use of nmi_enter()/nmi_exit() in real mode if percpu
-first chunk is not embedded.
-
-Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
-Tested-by: Shirisha Ganta <shirisha@linux.ibm.com>
-Signed-off-by: Mahesh Salgaonkar <mahesh@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://msgid.link/20240410043006.81577-1-mahesh@linux.ibm.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/powerpc/include/asm/interrupt.h | 10 ++++++++++
- arch/powerpc/include/asm/percpu.h | 10 ++++++++++
- arch/powerpc/kernel/setup_64.c | 2 ++
- 3 files changed, 22 insertions(+)
-
-diff --git a/arch/powerpc/include/asm/interrupt.h b/arch/powerpc/include/asm/interrupt.h
-index a4196ab1d0167..5f9d61b2159cc 100644
---- a/arch/powerpc/include/asm/interrupt.h
-+++ b/arch/powerpc/include/asm/interrupt.h
-@@ -336,6 +336,14 @@ static inline void interrupt_nmi_enter_prepare(struct pt_regs *regs, struct inte
- if (IS_ENABLED(CONFIG_KASAN))
- return;
-
-+ /*
-+ * Likewise, do not use it in real mode if percpu first chunk is not
-+ * embedded. With CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK enabled there
-+ * are chances where percpu allocation can come from vmalloc area.
-+ */
-+ if (percpu_first_chunk_is_paged)
-+ return;
-+
- /* Otherwise, it should be safe to call it */
- nmi_enter();
- }
-@@ -351,6 +359,8 @@ static inline void interrupt_nmi_exit_prepare(struct pt_regs *regs, struct inter
- // no nmi_exit for a pseries hash guest taking a real mode exception
- } else if (IS_ENABLED(CONFIG_KASAN)) {
- // no nmi_exit for KASAN in real mode
-+ } else if (percpu_first_chunk_is_paged) {
-+ // no nmi_exit if percpu first chunk is not embedded
- } else {
- nmi_exit();
- }
-diff --git a/arch/powerpc/include/asm/percpu.h b/arch/powerpc/include/asm/percpu.h
-index 8e5b7d0b851c6..634970ce13c6b 100644
---- a/arch/powerpc/include/asm/percpu.h
-+++ b/arch/powerpc/include/asm/percpu.h
-@@ -15,6 +15,16 @@
- #endif /* CONFIG_SMP */
- #endif /* __powerpc64__ */
-
-+#if defined(CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK) && defined(CONFIG_SMP)
-+#include <linux/jump_label.h>
-+DECLARE_STATIC_KEY_FALSE(__percpu_first_chunk_is_paged);
-+
-+#define percpu_first_chunk_is_paged \
-+ (static_key_enabled(&__percpu_first_chunk_is_paged.key))
-+#else
-+#define percpu_first_chunk_is_paged false
-+#endif /* CONFIG_PPC64 && CONFIG_SMP */
-+
- #include <asm-generic/percpu.h>
-
- #include <asm/paca.h>
-diff --git a/arch/powerpc/kernel/setup_64.c b/arch/powerpc/kernel/setup_64.c
-index 246201d0d879e..394f209536cee 100644
---- a/arch/powerpc/kernel/setup_64.c
-+++ b/arch/powerpc/kernel/setup_64.c
-@@ -834,6 +834,7 @@ static __init int pcpu_cpu_to_node(int cpu)
-
- unsigned long __per_cpu_offset[NR_CPUS] __read_mostly;
- EXPORT_SYMBOL(__per_cpu_offset);
-+DEFINE_STATIC_KEY_FALSE(__percpu_first_chunk_is_paged);
-
- void __init setup_per_cpu_areas(void)
- {
-@@ -876,6 +877,7 @@ void __init setup_per_cpu_areas(void)
- if (rc < 0)
- panic("cannot initialize percpu area (err=%d)", rc);
-
-+ static_key_enable(&__percpu_first_chunk_is_paged.key);
- delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
- for_each_possible_cpu(cpu) {
- __per_cpu_offset[cpu] = delta + pcpu_unit_offsets[cpu];
---
-2.43.0
-
+++ /dev/null
-From 2f507dfbd19c0fd05e85b7ad6e8c3a120a23cc9f Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 17 Apr 2024 21:23:19 +1000
-Subject: powerpc/dexcr: Reset DEXCR value across exec
-
-From: Benjamin Gray <bgray@linux.ibm.com>
-
-[ Upstream commit bbd99922d0f4518518282217159666c679c6a0d1 ]
-
-Inheriting the DEXCR across exec can have security and usability
-concerns. If a program is compiled with hash instructions it generally
-expects to run with NPHIE enabled. But if the parent process disables
-NPHIE then if it's not careful it will be disabled for any children too
-and the protection offered by hash checks is basically worthless.
-
-This patch introduces a per-process reset value that new execs in a
-particular process tree are initialized with. This enables fine grained
-control over what DEXCR value child processes run with by default.
-For example, containers running legacy binaries that expect hash
-instructions to act as NOPs could configure the reset value of the
-container root to control the default reset value for all members of
-the container.
-
-Signed-off-by: Benjamin Gray <bgray@linux.ibm.com>
-[mpe: Add missing SPDX tag on dexcr.c]
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://msgid.link/20240417112325.728010-4-bgray@linux.ibm.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/powerpc/include/asm/processor.h | 2 +-
- arch/powerpc/kernel/Makefile | 1 +
- arch/powerpc/kernel/dexcr.c | 23 +++++++++++++++++++++++
- arch/powerpc/kernel/process.c | 7 +++++++
- 4 files changed, 32 insertions(+), 1 deletion(-)
- create mode 100644 arch/powerpc/kernel/dexcr.c
-
-diff --git a/arch/powerpc/include/asm/processor.h b/arch/powerpc/include/asm/processor.h
-index 882e31296ea6b..aad85a24134ac 100644
---- a/arch/powerpc/include/asm/processor.h
-+++ b/arch/powerpc/include/asm/processor.h
-@@ -261,7 +261,7 @@ struct thread_struct {
- unsigned long sier3;
- unsigned long hashkeyr;
- unsigned long dexcr;
--
-+ unsigned long dexcr_onexec; /* Reset value to load on exec */
- #endif
- };
-
-diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
-index 2919433be3557..24f82b09246cf 100644
---- a/arch/powerpc/kernel/Makefile
-+++ b/arch/powerpc/kernel/Makefile
-@@ -88,6 +88,7 @@ obj-$(CONFIG_HAVE_HW_BREAKPOINT) += hw_breakpoint.o
- obj-$(CONFIG_PPC_DAWR) += dawr.o
- obj-$(CONFIG_PPC_BOOK3S_64) += cpu_setup_ppc970.o cpu_setup_pa6t.o
- obj-$(CONFIG_PPC_BOOK3S_64) += cpu_setup_power.o
-+obj-$(CONFIG_PPC_BOOK3S_64) += dexcr.o
- obj-$(CONFIG_PPC_BOOK3S_64) += mce.o mce_power.o
- obj-$(CONFIG_PPC_BOOK3E_64) += exceptions-64e.o idle_64e.o
- obj-$(CONFIG_PPC_BARRIER_NOSPEC) += security.o
-diff --git a/arch/powerpc/kernel/dexcr.c b/arch/powerpc/kernel/dexcr.c
-new file mode 100644
-index 0000000000000..d5cd77421088d
---- /dev/null
-+++ b/arch/powerpc/kernel/dexcr.c
-@@ -0,0 +1,23 @@
-+// SPDX-License-Identifier: GPL-2.0-or-later
-+
-+#include <linux/capability.h>
-+#include <linux/cpu.h>
-+#include <linux/init.h>
-+#include <linux/prctl.h>
-+#include <linux/sched.h>
-+
-+#include <asm/cpu_has_feature.h>
-+#include <asm/cputable.h>
-+#include <asm/processor.h>
-+#include <asm/reg.h>
-+
-+static int __init init_task_dexcr(void)
-+{
-+ if (!early_cpu_has_feature(CPU_FTR_ARCH_31))
-+ return 0;
-+
-+ current->thread.dexcr_onexec = mfspr(SPRN_DEXCR);
-+
-+ return 0;
-+}
-+early_initcall(init_task_dexcr)
-diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
-index d482c3fd81d7a..8ab779a3bddeb 100644
---- a/arch/powerpc/kernel/process.c
-+++ b/arch/powerpc/kernel/process.c
-@@ -1641,6 +1641,13 @@ void arch_setup_new_exec(void)
- current->thread.regs->amr = default_amr;
- current->thread.regs->iamr = default_iamr;
- #endif
-+
-+#ifdef CONFIG_PPC_BOOK3S_64
-+ if (cpu_has_feature(CPU_FTR_ARCH_31)) {
-+ current->thread.dexcr = current->thread.dexcr_onexec;
-+ mtspr(SPRN_DEXCR, current->thread.dexcr);
-+ }
-+#endif /* CONFIG_PPC_BOOK3S_64 */
- }
-
- #ifdef CONFIG_PPC64
---
-2.43.0
-
+++ /dev/null
-From 0ce55705dc1635b3631caec878c1bed60d30526b Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 17 Apr 2024 21:23:18 +1000
-Subject: powerpc/dexcr: Track the DEXCR per-process
-
-From: Benjamin Gray <bgray@linux.ibm.com>
-
-[ Upstream commit 75171f06c4507c3b6b5a69d793879fb20d108bb1 ]
-
-Add capability to make the DEXCR act as a per-process SPR.
-
-We do not yet have an interface for changing the values per task. We
-also expect the kernel to use a single DEXCR value across all tasks
-while in privileged state, so there is no need to synchronize after
-changing it (the userspace aspects will synchronize upon returning to
-userspace).
-
-Signed-off-by: Benjamin Gray <bgray@linux.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://msgid.link/20240417112325.728010-3-bgray@linux.ibm.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/powerpc/include/asm/processor.h | 1 +
- arch/powerpc/kernel/process.c | 10 ++++++++++
- arch/powerpc/kernel/ptrace/ptrace-view.c | 7 +------
- 3 files changed, 12 insertions(+), 6 deletions(-)
-
-diff --git a/arch/powerpc/include/asm/processor.h b/arch/powerpc/include/asm/processor.h
-index b2c51d337e60c..882e31296ea6b 100644
---- a/arch/powerpc/include/asm/processor.h
-+++ b/arch/powerpc/include/asm/processor.h
-@@ -260,6 +260,7 @@ struct thread_struct {
- unsigned long sier2;
- unsigned long sier3;
- unsigned long hashkeyr;
-+ unsigned long dexcr;
-
- #endif
- };
-diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
-index 9452a54d356c9..d482c3fd81d7a 100644
---- a/arch/powerpc/kernel/process.c
-+++ b/arch/powerpc/kernel/process.c
-@@ -1185,6 +1185,9 @@ static inline void save_sprs(struct thread_struct *t)
-
- if (cpu_has_feature(CPU_FTR_DEXCR_NPHIE))
- t->hashkeyr = mfspr(SPRN_HASHKEYR);
-+
-+ if (cpu_has_feature(CPU_FTR_ARCH_31))
-+ t->dexcr = mfspr(SPRN_DEXCR);
- #endif
- }
-
-@@ -1267,6 +1270,10 @@ static inline void restore_sprs(struct thread_struct *old_thread,
- if (cpu_has_feature(CPU_FTR_DEXCR_NPHIE) &&
- old_thread->hashkeyr != new_thread->hashkeyr)
- mtspr(SPRN_HASHKEYR, new_thread->hashkeyr);
-+
-+ if (cpu_has_feature(CPU_FTR_ARCH_31) &&
-+ old_thread->dexcr != new_thread->dexcr)
-+ mtspr(SPRN_DEXCR, new_thread->dexcr);
- #endif
-
- }
-@@ -1878,6 +1885,9 @@ int copy_thread(struct task_struct *p, const struct kernel_clone_args *args)
- #ifdef CONFIG_PPC_BOOK3S_64
- if (cpu_has_feature(CPU_FTR_DEXCR_NPHIE))
- p->thread.hashkeyr = current->thread.hashkeyr;
-+
-+ if (cpu_has_feature(CPU_FTR_ARCH_31))
-+ p->thread.dexcr = mfspr(SPRN_DEXCR);
- #endif
- return 0;
- }
-diff --git a/arch/powerpc/kernel/ptrace/ptrace-view.c b/arch/powerpc/kernel/ptrace/ptrace-view.c
-index 584cf5c3df509..c1819e0a66842 100644
---- a/arch/powerpc/kernel/ptrace/ptrace-view.c
-+++ b/arch/powerpc/kernel/ptrace/ptrace-view.c
-@@ -469,12 +469,7 @@ static int dexcr_get(struct task_struct *target, const struct user_regset *regse
- if (!cpu_has_feature(CPU_FTR_ARCH_31))
- return -ENODEV;
-
-- /*
-- * The DEXCR is currently static across all CPUs, so we don't
-- * store the target's value anywhere, but the static value
-- * will also be correct.
-- */
-- membuf_store(&to, (u64)lower_32_bits(DEXCR_INIT));
-+ membuf_store(&to, (u64)lower_32_bits(target->thread.dexcr));
-
- /*
- * Technically the HDEXCR is per-cpu, but a hypervisor can't reasonably
---
-2.43.0
-
+++ /dev/null
-From 0735f5cdd392e57aeebae772f1d154e40cbdc45c Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 9 Mar 2021 19:11:10 +0100
-Subject: powerpc/xmon: Check cpu id in commands "c#", "dp#" and "dx#"
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Greg Kurz <groug@kaod.org>
-
-[ Upstream commit 8873aab8646194a4446117bb617cc71bddda2dee ]
-
-All these commands end up peeking into the PACA using the user
-originated cpu id as an index. Check the cpu id is valid in order
-to prevent xmon to crash. Instead of printing an error, this follows
-the same behavior as the "lp s #" command : ignore the buggy cpu id
-parameter and fall back to the #-less version of the command.
-
-Signed-off-by: Greg Kurz <groug@kaod.org>
-Reviewed-by: Cédric Le Goater <clg@kaod.org>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Link: https://msgid.link/161531347060.252863.10490063933688958044.stgit@bahia.lan
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/powerpc/xmon/xmon.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/arch/powerpc/xmon/xmon.c b/arch/powerpc/xmon/xmon.c
-index b3b94cd377137..1d815405a3b4f 100644
---- a/arch/powerpc/xmon/xmon.c
-+++ b/arch/powerpc/xmon/xmon.c
-@@ -1352,7 +1352,7 @@ static int cpu_cmd(void)
- }
- termch = cpu;
-
-- if (!scanhex(&cpu)) {
-+ if (!scanhex(&cpu) || cpu >= num_possible_cpus()) {
- /* print cpus waiting or in xmon */
- printf("cpus stopped:");
- last_cpu = first_cpu = NR_CPUS;
-@@ -2774,7 +2774,7 @@ static void dump_pacas(void)
-
- termch = c; /* Put c back, it wasn't 'a' */
-
-- if (scanhex(&num))
-+ if (scanhex(&num) && num < num_possible_cpus())
- dump_one_paca(num);
- else
- dump_one_paca(xmon_owner);
-@@ -2847,7 +2847,7 @@ static void dump_xives(void)
-
- termch = c; /* Put c back, it wasn't 'a' */
-
-- if (scanhex(&num))
-+ if (scanhex(&num) && num < num_possible_cpus())
- dump_one_xive(num);
- else
- dump_one_xive(xmon_owner);
---
-2.43.0
-
+++ /dev/null
-From 1dc2e35d7fea66c532a8b5faef252c8ee30542b8 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 20 Apr 2024 08:17:26 -0700
-Subject: RISC-V: KVM: Fix the initial sample period value
-
-From: Atish Patra <atishp@rivosinc.com>
-
-[ Upstream commit 57990ab90ce31aadac0d5a6293f5582e24ff7521 ]
-
-The initial sample period value when counter value is not assigned
-should be set to maximum value supported by the counter width.
-Otherwise, it may result in spurious interrupts.
-
-Reviewed-by: Andrew Jones <ajones@ventanamicro.com>
-Signed-off-by: Atish Patra <atishp@rivosinc.com>
-Reviewed-by: Anup Patel <anup@brainfault.org>
-Link: https://lore.kernel.org/r/20240420151741.962500-11-atishp@rivosinc.com
-Signed-off-by: Anup Patel <anup@brainfault.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/riscv/kvm/vcpu_pmu.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/riscv/kvm/vcpu_pmu.c b/arch/riscv/kvm/vcpu_pmu.c
-index 86391a5061dda..cee1b9ca4ec48 100644
---- a/arch/riscv/kvm/vcpu_pmu.c
-+++ b/arch/riscv/kvm/vcpu_pmu.c
-@@ -39,7 +39,7 @@ static u64 kvm_pmu_get_sample_period(struct kvm_pmc *pmc)
- u64 sample_period;
-
- if (!pmc->counter_val)
-- sample_period = counter_val_mask + 1;
-+ sample_period = counter_val_mask;
- else
- sample_period = (-pmc->counter_val) & counter_val_mask;
-
---
-2.43.0
-
+++ /dev/null
-From a4fe10b18b527b13c03e55dc83678740f937ee0d Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 26 Mar 2024 21:49:48 -0700
-Subject: riscv: Apply SiFive CIP-1200 workaround to single-ASID sfence.vma
-
-From: Samuel Holland <samuel.holland@sifive.com>
-
-[ Upstream commit 20e03d702e00a3e0269a1d6f9549c2e370492054 ]
-
-commit 3f1e782998cd ("riscv: add ASID-based tlbflushing methods") added
-calls to the sfence.vma instruction with rs2 != x0. These single-ASID
-instruction variants are also affected by SiFive errata CIP-1200.
-
-Until now, the errata workaround was not needed for the single-ASID
-sfence.vma variants, because they were only used when the ASID allocator
-was enabled, and the affected SiFive platforms do not support multiple
-ASIDs. However, we are going to start using those sfence.vma variants
-regardless of ASID support, so now we need alternatives covering them.
-
-Signed-off-by: Samuel Holland <samuel.holland@sifive.com>
-Link: https://lore.kernel.org/r/20240327045035.368512-8-samuel.holland@sifive.com
-Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/riscv/include/asm/errata_list.h | 12 +++++++++++-
- arch/riscv/include/asm/tlbflush.h | 19 ++++++++++++++++++-
- arch/riscv/mm/tlbflush.c | 23 -----------------------
- 3 files changed, 29 insertions(+), 25 deletions(-)
-
-diff --git a/arch/riscv/include/asm/errata_list.h b/arch/riscv/include/asm/errata_list.h
-index b55b434f00591..d3f3c237adad7 100644
---- a/arch/riscv/include/asm/errata_list.h
-+++ b/arch/riscv/include/asm/errata_list.h
-@@ -44,11 +44,21 @@ ALTERNATIVE(__stringify(RISCV_PTR do_page_fault), \
- CONFIG_ERRATA_SIFIVE_CIP_453)
- #else /* !__ASSEMBLY__ */
-
--#define ALT_FLUSH_TLB_PAGE(x) \
-+#define ALT_SFENCE_VMA_ASID(asid) \
-+asm(ALTERNATIVE("sfence.vma x0, %0", "sfence.vma", SIFIVE_VENDOR_ID, \
-+ ERRATA_SIFIVE_CIP_1200, CONFIG_ERRATA_SIFIVE_CIP_1200) \
-+ : : "r" (asid) : "memory")
-+
-+#define ALT_SFENCE_VMA_ADDR(addr) \
- asm(ALTERNATIVE("sfence.vma %0", "sfence.vma", SIFIVE_VENDOR_ID, \
- ERRATA_SIFIVE_CIP_1200, CONFIG_ERRATA_SIFIVE_CIP_1200) \
- : : "r" (addr) : "memory")
-
-+#define ALT_SFENCE_VMA_ADDR_ASID(addr, asid) \
-+asm(ALTERNATIVE("sfence.vma %0, %1", "sfence.vma", SIFIVE_VENDOR_ID, \
-+ ERRATA_SIFIVE_CIP_1200, CONFIG_ERRATA_SIFIVE_CIP_1200) \
-+ : : "r" (addr), "r" (asid) : "memory")
-+
- /*
- * _val is marked as "will be overwritten", so need to set it to 0
- * in the default case.
-diff --git a/arch/riscv/include/asm/tlbflush.h b/arch/riscv/include/asm/tlbflush.h
-index 51664ae4852e7..97711d5bd8ef9 100644
---- a/arch/riscv/include/asm/tlbflush.h
-+++ b/arch/riscv/include/asm/tlbflush.h
-@@ -22,10 +22,27 @@ static inline void local_flush_tlb_all(void)
- __asm__ __volatile__ ("sfence.vma" : : : "memory");
- }
-
-+static inline void local_flush_tlb_all_asid(unsigned long asid)
-+{
-+ if (asid != FLUSH_TLB_NO_ASID)
-+ ALT_SFENCE_VMA_ASID(asid);
-+ else
-+ local_flush_tlb_all();
-+}
-+
- /* Flush one page from local TLB */
- static inline void local_flush_tlb_page(unsigned long addr)
- {
-- ALT_FLUSH_TLB_PAGE(__asm__ __volatile__ ("sfence.vma %0" : : "r" (addr) : "memory"));
-+ ALT_SFENCE_VMA_ADDR(addr);
-+}
-+
-+static inline void local_flush_tlb_page_asid(unsigned long addr,
-+ unsigned long asid)
-+{
-+ if (asid != FLUSH_TLB_NO_ASID)
-+ ALT_SFENCE_VMA_ADDR_ASID(addr, asid);
-+ else
-+ local_flush_tlb_page(addr);
- }
- #else /* CONFIG_MMU */
- #define local_flush_tlb_all() do { } while (0)
-diff --git a/arch/riscv/mm/tlbflush.c b/arch/riscv/mm/tlbflush.c
-index bdee5de918e06..324e8cd9b5022 100644
---- a/arch/riscv/mm/tlbflush.c
-+++ b/arch/riscv/mm/tlbflush.c
-@@ -6,29 +6,6 @@
- #include <asm/sbi.h>
- #include <asm/mmu_context.h>
-
--static inline void local_flush_tlb_all_asid(unsigned long asid)
--{
-- if (asid != FLUSH_TLB_NO_ASID)
-- __asm__ __volatile__ ("sfence.vma x0, %0"
-- :
-- : "r" (asid)
-- : "memory");
-- else
-- local_flush_tlb_all();
--}
--
--static inline void local_flush_tlb_page_asid(unsigned long addr,
-- unsigned long asid)
--{
-- if (asid != FLUSH_TLB_NO_ASID)
-- __asm__ __volatile__ ("sfence.vma %0, %1"
-- :
-- : "r" (addr), "r" (asid)
-- : "memory");
-- else
-- local_flush_tlb_page(addr);
--}
--
- /*
- * Flush entire TLB if number of entries to be flushed is greater
- * than the threshold below.
---
-2.43.0
-
+++ /dev/null
-From b732d944f8364006bfcd4a9d0d9213fb2606f4b4 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 30 Apr 2024 16:30:01 +0200
-Subject: s390: Mark psw in __load_psw_mask() as __unitialized
-
-From: Sven Schnelle <svens@linux.ibm.com>
-
-[ Upstream commit 7278a8fb8d032dfdc03d9b5d17e0bc451cdc1492 ]
-
-Without __unitialized, the following code is generated when
-INIT_STACK_ALL_ZERO is enabled:
-
-86: d7 0f f0 a0 f0 a0 xc 160(16,%r15), 160(%r15)
-8c: e3 40 f0 a0 00 24 stg %r4, 160(%r15)
-92: c0 10 00 00 00 08 larl %r1, 0xa2
-98: e3 10 f0 a8 00 24 stg %r1, 168(%r15)
-9e: b2 b2 f0 a0 lpswe 160(%r15)
-
-The xc is not adding any security because psw is fully initialized
-with the following instructions. Add __unitialized to the psw
-definitiation to avoid the superfluous clearing of psw.
-
-Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
-Signed-off-by: Sven Schnelle <svens@linux.ibm.com>
-Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/s390/include/asm/processor.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/s390/include/asm/processor.h b/arch/s390/include/asm/processor.h
-index dc17896a001a9..e7338ed540d8f 100644
---- a/arch/s390/include/asm/processor.h
-+++ b/arch/s390/include/asm/processor.h
-@@ -308,8 +308,8 @@ static inline void __load_psw(psw_t psw)
- */
- static __always_inline void __load_psw_mask(unsigned long mask)
- {
-+ psw_t psw __uninitialized;
- unsigned long addr;
-- psw_t psw;
-
- psw.mask = mask;
-
---
-2.43.0
-
+++ /dev/null
-From 48ca1500fc87611663502ad99be17c22a277f1db Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 7 May 2024 17:03:18 +0200
-Subject: s390/pkey: Wipe sensitive data on failure
-
-From: Holger Dengler <dengler@linux.ibm.com>
-
-[ Upstream commit 1d8c270de5eb74245d72325d285894a577a945d9 ]
-
-Wipe sensitive data from stack also if the copy_to_user() fails.
-
-Suggested-by: Heiko Carstens <hca@linux.ibm.com>
-Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
-Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com>
-Acked-by: Heiko Carstens <hca@linux.ibm.com>
-Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
-Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/s390/crypto/pkey_api.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
-index 6cfb6b2340c99..d2ffdf2491da0 100644
---- a/drivers/s390/crypto/pkey_api.c
-+++ b/drivers/s390/crypto/pkey_api.c
-@@ -1369,7 +1369,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
- if (rc)
- break;
- if (copy_to_user(ucs, &kcs, sizeof(kcs)))
-- return -EFAULT;
-+ rc = -EFAULT;
- memzero_explicit(&kcs, sizeof(kcs));
- break;
- }
-@@ -1404,7 +1404,7 @@ static long pkey_unlocked_ioctl(struct file *filp, unsigned int cmd,
- if (rc)
- break;
- if (copy_to_user(ucp, &kcp, sizeof(kcp)))
-- return -EFAULT;
-+ rc = -EFAULT;
- memzero_explicit(&kcp, sizeof(kcp));
- break;
- }
---
-2.43.0
-
+++ /dev/null
-From f762309d54ca8666623b375738d93cbed14a9e2b Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 26 Feb 2024 16:10:13 +0100
-Subject: scsi: mpi3mr: Sanitise num_phys
-
-From: Tomas Henzl <thenzl@redhat.com>
-
-[ Upstream commit 3668651def2c1622904e58b0280ee93121f2b10b ]
-
-Information is stored in mr_sas_port->phy_mask, values larger then size of
-this field shouldn't be allowed.
-
-Signed-off-by: Tomas Henzl <thenzl@redhat.com>
-Link: https://lore.kernel.org/r/20240226151013.8653-1-thenzl@redhat.com
-Acked-by: Sathya Prakash Veerichetty <sathya.prakash@broadcom.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/scsi/mpi3mr/mpi3mr_transport.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/drivers/scsi/mpi3mr/mpi3mr_transport.c b/drivers/scsi/mpi3mr/mpi3mr_transport.c
-index 82b55e9557304..91c2f667a4c0b 100644
---- a/drivers/scsi/mpi3mr/mpi3mr_transport.c
-+++ b/drivers/scsi/mpi3mr/mpi3mr_transport.c
-@@ -1355,11 +1355,21 @@ static struct mpi3mr_sas_port *mpi3mr_sas_port_add(struct mpi3mr_ioc *mrioc,
- mpi3mr_sas_port_sanity_check(mrioc, mr_sas_node,
- mr_sas_port->remote_identify.sas_address, hba_port);
-
-+ if (mr_sas_node->num_phys > sizeof(mr_sas_port->phy_mask) * 8)
-+ ioc_info(mrioc, "max port count %u could be too high\n",
-+ mr_sas_node->num_phys);
-+
- for (i = 0; i < mr_sas_node->num_phys; i++) {
- if ((mr_sas_node->phy[i].remote_identify.sas_address !=
- mr_sas_port->remote_identify.sas_address) ||
- (mr_sas_node->phy[i].hba_port != hba_port))
- continue;
-+
-+ if (i > sizeof(mr_sas_port->phy_mask) * 8) {
-+ ioc_warn(mrioc, "skipping port %u, max allowed value is %lu\n",
-+ i, sizeof(mr_sas_port->phy_mask) * 8);
-+ goto out_fail;
-+ }
- list_add_tail(&mr_sas_node->phy[i].port_siblings,
- &mr_sas_port->phy_list);
- mr_sas_port->num_phys++;
---
-2.43.0
-
+++ /dev/null
-From 4146af2361ebb36a1e98f09599edb3da307440cc Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 3 Apr 2024 11:01:55 -0400
-Subject: scsi: qedf: Make qedf_execute_tmf() non-preemptible
-
-From: John Meneghini <jmeneghi@redhat.com>
-
-[ Upstream commit 0d8b637c9c5eeaa1a4e3dfb336f3ff918eb64fec ]
-
-Stop calling smp_processor_id() from preemptible code in
-qedf_execute_tmf90. This results in BUG_ON() when running an RT kernel.
-
-[ 659.343280] BUG: using smp_processor_id() in preemptible [00000000] code: sg_reset/3646
-[ 659.343282] caller is qedf_execute_tmf+0x8b/0x360 [qedf]
-
-Tested-by: Guangwu Zhang <guazhang@redhat.com>
-Cc: Saurav Kashyap <skashyap@marvell.com>
-Cc: Nilesh Javali <njavali@marvell.com>
-Signed-off-by: John Meneghini <jmeneghi@redhat.com>
-Link: https://lore.kernel.org/r/20240403150155.412954-1-jmeneghi@redhat.com
-Acked-by: Saurav Kashyap <skashyap@marvell.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/scsi/qedf/qedf_io.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/scsi/qedf/qedf_io.c b/drivers/scsi/qedf/qedf_io.c
-index 10fe3383855c0..031e605b3f427 100644
---- a/drivers/scsi/qedf/qedf_io.c
-+++ b/drivers/scsi/qedf/qedf_io.c
-@@ -2331,9 +2331,6 @@ static int qedf_execute_tmf(struct qedf_rport *fcport, struct scsi_cmnd *sc_cmd,
- io_req->fcport = fcport;
- io_req->cmd_type = QEDF_TASK_MGMT_CMD;
-
-- /* Record which cpu this request is associated with */
-- io_req->cpu = smp_processor_id();
--
- /* Set TM flags */
- io_req->io_req_flags = QEDF_READ;
- io_req->data_xfer_len = 0;
-@@ -2355,6 +2352,9 @@ static int qedf_execute_tmf(struct qedf_rport *fcport, struct scsi_cmnd *sc_cmd,
-
- spin_lock_irqsave(&fcport->rport_lock, flags);
-
-+ /* Record which cpu this request is associated with */
-+ io_req->cpu = smp_processor_id();
-+
- sqe_idx = qedf_get_sqe_idx(fcport);
- sqe = &fcport->sq[sqe_idx];
- memset(sqe, 0, sizeof(struct fcoe_wqe));
---
-2.43.0
-
+++ /dev/null
-From 6416a2395a6fbc37fc7c83d2bdd933991ce59a8a Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sat, 27 Apr 2024 19:23:36 +0200
-Subject: sctp: prefer struct_size over open coded arithmetic
-
-From: Erick Archer <erick.archer@outlook.com>
-
-[ Upstream commit e5c5f3596de224422561d48eba6ece5210d967b3 ]
-
-This is an effort to get rid of all multiplications from allocation
-functions in order to prevent integer overflows [1][2].
-
-As the "ids" variable is a pointer to "struct sctp_assoc_ids" and this
-structure ends in a flexible array:
-
-struct sctp_assoc_ids {
- [...]
- sctp_assoc_t gaids_assoc_id[];
-};
-
-the preferred way in the kernel is to use the struct_size() helper to
-do the arithmetic instead of the calculation "size + size * count" in
-the kmalloc() function.
-
-Also, refactor the code adding the "ids_size" variable to avoid sizing
-twice.
-
-This way, the code is more readable and safer.
-
-This code was detected with the help of Coccinelle, and audited and
-modified manually.
-
-Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments [1]
-Link: https://github.com/KSPP/linux/issues/160 [2]
-Signed-off-by: Erick Archer <erick.archer@outlook.com>
-Acked-by: Xin Long <lucien.xin@gmail.com>
-Reviewed-by: Kees Cook <keescook@chromium.org>
-Link: https://lore.kernel.org/r/PAXPR02MB724871DB78375AB06B5171C88B152@PAXPR02MB7248.eurprd02.prod.outlook.com
-Signed-off-by: Paolo Abeni <pabeni@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/sctp/socket.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index 6b9fcdb0952a0..225dfacfd233f 100644
---- a/net/sctp/socket.c
-+++ b/net/sctp/socket.c
-@@ -7118,6 +7118,7 @@ static int sctp_getsockopt_assoc_ids(struct sock *sk, int len,
- struct sctp_sock *sp = sctp_sk(sk);
- struct sctp_association *asoc;
- struct sctp_assoc_ids *ids;
-+ size_t ids_size;
- u32 num = 0;
-
- if (sctp_style(sk, TCP))
-@@ -7130,11 +7131,11 @@ static int sctp_getsockopt_assoc_ids(struct sock *sk, int len,
- num++;
- }
-
-- if (len < sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num)
-+ ids_size = struct_size(ids, gaids_assoc_id, num);
-+ if (len < ids_size)
- return -EINVAL;
-
-- len = sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num;
--
-+ len = ids_size;
- ids = kmalloc(len, GFP_USER | __GFP_NOWARN);
- if (unlikely(!ids))
- return -ENOMEM;
---
-2.43.0
-
+++ /dev/null
-From 03801d362788ea4788e54ef80c2c8f3c69f0c8c6 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 23 Apr 2024 18:28:18 -0700
-Subject: selftests/bpf: adjust dummy_st_ops_success to detect additional error
-
-From: Eduard Zingerman <eddyz87@gmail.com>
-
-[ Upstream commit 3b3b84aacb4420226576c9732e7b539ca7b79633 ]
-
-As reported by Jose E. Marchesi in off-list discussion, GCC and LLVM
-generate slightly different code for dummy_st_ops_success/test_1():
-
- SEC("struct_ops/test_1")
- int BPF_PROG(test_1, struct bpf_dummy_ops_state *state)
- {
- int ret;
-
- if (!state)
- return 0xf2f3f4f5;
-
- ret = state->val;
- state->val = 0x5a;
- return ret;
- }
-
- GCC-generated LLVM-generated
- ---------------------------- ---------------------------
- 0: r1 = *(u64 *)(r1 + 0x0) 0: w0 = -0xd0c0b0b
- 1: if r1 == 0x0 goto 5f 1: r1 = *(u64 *)(r1 + 0x0)
- 2: r0 = *(s32 *)(r1 + 0x0) 2: if r1 == 0x0 goto 6f
- 3: *(u32 *)(r1 + 0x0) = 0x5a 3: r0 = *(u32 *)(r1 + 0x0)
- 4: exit 4: w2 = 0x5a
- 5: r0 = -0xd0c0b0b 5: *(u32 *)(r1 + 0x0) = r2
- 6: exit 6: exit
-
-If the 'state' argument is not marked as nullable in
-net/bpf/bpf_dummy_struct_ops.c, the verifier would assume that
-'r1 == 0x0' is never true:
-- for the GCC version, this means that instructions #5-6 would be
- marked as dead and removed;
-- for the LLVM version, all instructions would be marked as live.
-
-The test dummy_st_ops/dummy_init_ret_value actually sets the 'state'
-parameter to NULL.
-
-Therefore, when the 'state' argument is not marked as nullable,
-the GCC-generated version of the code would trigger a NULL pointer
-dereference at instruction #3.
-
-This patch updates the test_1() test case to always follow a shape
-similar to the GCC-generated version above, in order to verify whether
-the 'state' nullability is marked correctly.
-
-Reported-by: Jose E. Marchesi <jemarch@gnu.org>
-Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
-Link: https://lore.kernel.org/r/20240424012821.595216-3-eddyz87@gmail.com
-Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- .../selftests/bpf/progs/dummy_st_ops_success.c | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c b/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c
-index 1efa746c25dc7..cc7b69b001aae 100644
---- a/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c
-+++ b/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c
-@@ -11,8 +11,17 @@ int BPF_PROG(test_1, struct bpf_dummy_ops_state *state)
- {
- int ret;
-
-- if (!state)
-- return 0xf2f3f4f5;
-+ /* Check that 'state' nullable status is detected correctly.
-+ * If 'state' argument would be assumed non-null by verifier
-+ * the code below would be deleted as dead (which it shouldn't).
-+ * Hide it from the compiler behind 'asm' block to avoid
-+ * unnecessary optimizations.
-+ */
-+ asm volatile (
-+ "if %[state] != 0 goto +2;"
-+ "r0 = 0xf2f3f4f5;"
-+ "exit;"
-+ ::[state]"p"(state));
-
- ret = state->val;
- state->val = 0x5a;
---
-2.43.0
-
+++ /dev/null
-From 7e20c2230947ae6610737bf6da567b9e2e429491 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 23 Apr 2024 18:28:19 -0700
-Subject: selftests/bpf: do not pass NULL for non-nullable params in
- dummy_st_ops
-
-From: Eduard Zingerman <eddyz87@gmail.com>
-
-[ Upstream commit f612210d456a0b969a0adca91e68dbea0e0ea301 ]
-
-dummy_st_ops.test_2 and dummy_st_ops.test_sleepable do not have their
-'state' parameter marked as nullable. Update dummy_st_ops.c to avoid
-passing NULL for such parameters, as the next patch would allow kernel
-to enforce this restriction.
-
-Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
-Link: https://lore.kernel.org/r/20240424012821.595216-4-eddyz87@gmail.com
-Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c | 7 +++++--
- tools/testing/selftests/bpf/progs/dummy_st_ops_success.c | 2 +-
- 2 files changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c b/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c
-index f43fcb13d2c46..dd926c00f4146 100644
---- a/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c
-+++ b/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c
-@@ -98,7 +98,8 @@ static void test_dummy_init_ptr_arg(void)
-
- static void test_dummy_multiple_args(void)
- {
-- __u64 args[5] = {0, -100, 0x8a5f, 'c', 0x1234567887654321ULL};
-+ struct bpf_dummy_ops_state st = { 7 };
-+ __u64 args[5] = {(__u64)&st, -100, 0x8a5f, 'c', 0x1234567887654321ULL};
- LIBBPF_OPTS(bpf_test_run_opts, attr,
- .ctx_in = args,
- .ctx_size_in = sizeof(args),
-@@ -115,6 +116,7 @@ static void test_dummy_multiple_args(void)
- fd = bpf_program__fd(skel->progs.test_2);
- err = bpf_prog_test_run_opts(fd, &attr);
- ASSERT_OK(err, "test_run");
-+ args[0] = 7;
- for (i = 0; i < ARRAY_SIZE(args); i++) {
- snprintf(name, sizeof(name), "arg %zu", i);
- ASSERT_EQ(skel->bss->test_2_args[i], args[i], name);
-@@ -125,7 +127,8 @@ static void test_dummy_multiple_args(void)
-
- static void test_dummy_sleepable(void)
- {
-- __u64 args[1] = {0};
-+ struct bpf_dummy_ops_state st;
-+ __u64 args[1] = {(__u64)&st};
- LIBBPF_OPTS(bpf_test_run_opts, attr,
- .ctx_in = args,
- .ctx_size_in = sizeof(args),
-diff --git a/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c b/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c
-index cc7b69b001aae..ec0c595d47af8 100644
---- a/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c
-+++ b/tools/testing/selftests/bpf/progs/dummy_st_ops_success.c
-@@ -34,7 +34,7 @@ SEC("struct_ops/test_2")
- int BPF_PROG(test_2, struct bpf_dummy_ops_state *state, int a1, unsigned short a2,
- char a3, unsigned long a4)
- {
-- test_2_args[0] = (unsigned long)state;
-+ test_2_args[0] = state->val;
- test_2_args[1] = a1;
- test_2_args[2] = a2;
- test_2_args[3] = a3;
---
-2.43.0
-
+++ /dev/null
-From cd7278af049942234f24d92459f736d850173dab Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Tue, 23 Apr 2024 18:28:21 -0700
-Subject: selftests/bpf: dummy_st_ops should reject 0 for non-nullable params
-
-From: Eduard Zingerman <eddyz87@gmail.com>
-
-[ Upstream commit 6a2d30d3c5bf9f088dcfd5f3746b04d84f2fab83 ]
-
-Check if BPF_PROG_TEST_RUN for bpf_dummy_struct_ops programs
-rejects execution if NULL is passed for non-nullable parameter.
-
-Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
-Link: https://lore.kernel.org/r/20240424012821.595216-6-eddyz87@gmail.com
-Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- .../selftests/bpf/prog_tests/dummy_st_ops.c | 27 +++++++++++++++++++
- 1 file changed, 27 insertions(+)
-
-diff --git a/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c b/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c
-index dd926c00f4146..d3d94596ab79c 100644
---- a/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c
-+++ b/tools/testing/selftests/bpf/prog_tests/dummy_st_ops.c
-@@ -147,6 +147,31 @@ static void test_dummy_sleepable(void)
- dummy_st_ops_success__destroy(skel);
- }
-
-+/* dummy_st_ops.test_sleepable() parameter is not marked as nullable,
-+ * thus bpf_prog_test_run_opts() below should be rejected as it tries
-+ * to pass NULL for this parameter.
-+ */
-+static void test_dummy_sleepable_reject_null(void)
-+{
-+ __u64 args[1] = {0};
-+ LIBBPF_OPTS(bpf_test_run_opts, attr,
-+ .ctx_in = args,
-+ .ctx_size_in = sizeof(args),
-+ );
-+ struct dummy_st_ops_success *skel;
-+ int fd, err;
-+
-+ skel = dummy_st_ops_success__open_and_load();
-+ if (!ASSERT_OK_PTR(skel, "dummy_st_ops_load"))
-+ return;
-+
-+ fd = bpf_program__fd(skel->progs.test_sleepable);
-+ err = bpf_prog_test_run_opts(fd, &attr);
-+ ASSERT_EQ(err, -EINVAL, "test_run");
-+
-+ dummy_st_ops_success__destroy(skel);
-+}
-+
- void test_dummy_st_ops(void)
- {
- if (test__start_subtest("dummy_st_ops_attach"))
-@@ -159,6 +184,8 @@ void test_dummy_st_ops(void)
- test_dummy_multiple_args();
- if (test__start_subtest("dummy_sleepable"))
- test_dummy_sleepable();
-+ if (test__start_subtest("dummy_sleepable_reject_null"))
-+ test_dummy_sleepable_reject_null();
-
- RUN_TESTS(dummy_st_ops_fail);
- }
---
-2.43.0
-
+++ /dev/null
-From da5a832a60d201c758e9510d6d832ba59d50a2e7 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 6 May 2024 12:02:04 -0700
-Subject: selftests/net: fix uninitialized variables
-
-From: John Hubbard <jhubbard@nvidia.com>
-
-[ Upstream commit eb709b5f6536636dfb87b85ded0b2af9bb6cd9e6 ]
-
-When building with clang, via:
-
- make LLVM=1 -C tools/testing/selftest
-
-...clang warns about three variables that are not initialized in all
-cases:
-
-1) The opt_ipproto_off variable is used uninitialized if "testname" is
-not "ip". Willem de Bruijn pointed out that this is an actual bug, and
-suggested the fix that I'm using here (thanks!).
-
-2) The addr_len is used uninitialized, but only in the assert case,
- which bails out, so this is harmless.
-
-3) The family variable in add_listener() is only used uninitialized in
- the error case (neither IPv4 nor IPv6 is specified), so it's also
- harmless.
-
-Fix by initializing each variable.
-
-Signed-off-by: John Hubbard <jhubbard@nvidia.com>
-Reviewed-by: Willem de Bruijn <willemb@google.com>
-Acked-by: Mat Martineau <martineau@kernel.org>
-Link: https://lore.kernel.org/r/20240506190204.28497-1-jhubbard@nvidia.com
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- tools/testing/selftests/net/gro.c | 3 +++
- tools/testing/selftests/net/ip_local_port_range.c | 2 +-
- tools/testing/selftests/net/mptcp/pm_nl_ctl.c | 2 +-
- 3 files changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/tools/testing/selftests/net/gro.c b/tools/testing/selftests/net/gro.c
-index 30024d0ed3739..b204df4f33322 100644
---- a/tools/testing/selftests/net/gro.c
-+++ b/tools/testing/selftests/net/gro.c
-@@ -113,6 +113,9 @@ static void setup_sock_filter(int fd)
- next_off = offsetof(struct ipv6hdr, nexthdr);
- ipproto_off = ETH_HLEN + next_off;
-
-+ /* Overridden later if exthdrs are used: */
-+ opt_ipproto_off = ipproto_off;
-+
- if (strcmp(testname, "ip") == 0) {
- if (proto == PF_INET)
- optlen = sizeof(struct ip_timestamp);
-diff --git a/tools/testing/selftests/net/ip_local_port_range.c b/tools/testing/selftests/net/ip_local_port_range.c
-index 75e3fdacdf735..2465ff5bb3a8e 100644
---- a/tools/testing/selftests/net/ip_local_port_range.c
-+++ b/tools/testing/selftests/net/ip_local_port_range.c
-@@ -343,7 +343,7 @@ TEST_F(ip_local_port_range, late_bind)
- struct sockaddr_in v4;
- struct sockaddr_in6 v6;
- } addr;
-- socklen_t addr_len;
-+ socklen_t addr_len = 0;
- const int one = 1;
- int fd, err;
- __u32 range;
-diff --git a/tools/testing/selftests/net/mptcp/pm_nl_ctl.c b/tools/testing/selftests/net/mptcp/pm_nl_ctl.c
-index 49369c4a5f261..763402dd17742 100644
---- a/tools/testing/selftests/net/mptcp/pm_nl_ctl.c
-+++ b/tools/testing/selftests/net/mptcp/pm_nl_ctl.c
-@@ -1239,7 +1239,7 @@ int add_listener(int argc, char *argv[])
- struct sockaddr_storage addr;
- struct sockaddr_in6 *a6;
- struct sockaddr_in *a4;
-- u_int16_t family;
-+ u_int16_t family = AF_UNSPEC;
- int enable = 1;
- int sock;
- int err;
---
-2.43.0
-
+++ /dev/null
-From 89c70fb5cc60a27517a89098fbbd13a4b07d814d Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 8 May 2024 15:37:44 +0200
-Subject: serial: imx: Raise TX trigger level to 8
-
-From: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
-
-[ Upstream commit a3d8728ab079951741efa11360df43dbfacba7ab ]
-
-At the default TX trigger level of 2 in non-DMA mode (meaning that an
-interrupt is generated when less than 2 characters are left in the
-FIFO), we have observed frequent buffer underruns at 115200 Baud on an
-i.MX8M Nano. This can cause communication issues if the receiving side
-expects a continuous transfer.
-
-Increasing the level to 8 makes the UART trigger an interrupt earlier,
-giving the kernel enough time to refill the FIFO, at the cost of
-triggering one interrupt per ~24 instead of ~30 bytes of transmitted
-data (as the i.MX UART has a 32 byte FIFO).
-
-Signed-off-by: Michael Krummsdorf <michael.krummsdorf@tq-group.com>
-Signed-off-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
-Link: https://lore.kernel.org/r/20240508133744.35858-1-matthias.schiffer@ew.tq-group.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/tty/serial/imx.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c
-index 285e0e1144c4c..a5d0df2ba5c55 100644
---- a/drivers/tty/serial/imx.c
-+++ b/drivers/tty/serial/imx.c
-@@ -1320,7 +1320,7 @@ static void imx_uart_clear_rx_errors(struct imx_port *sport)
-
- }
-
--#define TXTL_DEFAULT 2 /* reset default */
-+#define TXTL_DEFAULT 8
- #define RXTL_DEFAULT 8 /* 8 characters or aging timer */
- #define TXTL_DMA 8 /* DMA burst setting */
- #define RXTL_DMA 9 /* DMA burst setting */
---
-2.43.0
-
+++ /dev/null
-locking-mutex-introduce-devm_mutex_init.patch
-leds-an30259a-use-devm_mutex_init-for-mutex-initiali.patch
-crypto-hisilicon-debugfs-fix-debugfs-uninit-process-.patch
-drm-lima-fix-shared-irq-handling-on-driver-remove.patch
-powerpc-avoid-nmi_enter-nmi_exit-in-real-mode-interr.patch
-media-dvb-as102-fe-fix-as10x_register_addr-packing.patch
-media-dvb-usb-dib0700_devices-add-missing-release_fi.patch
-ib-core-implement-a-limit-on-umad-receive-list.patch
-drm-i915-fix-gt-reset-with-guc-submission-is-disable.patch
-scsi-qedf-make-qedf_execute_tmf-non-preemptible.patch
-irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch
-selftests-bpf-adjust-dummy_st_ops_success-to-detect-.patch
-selftests-bpf-do-not-pass-null-for-non-nullable-para.patch
-selftests-bpf-dummy_st_ops-should-reject-0-for-non-n.patch
-risc-v-kvm-fix-the-initial-sample-period-value.patch
-crypto-aead-cipher-zeroize-key-buffer-after-use.patch
-media-mediatek-vcodec-only-free-buffer-va-that-is-no.patch
-drm-amdgpu-fix-uninitialized-variable-warnings.patch
-drm-amdgpu-using-uninitialized-value-size-when-calli.patch
-drm-amdgpu-initialize-timestamp-for-some-legacy-socs.patch
-drm-amd-display-check-index-msg_id-before-read-or-wr.patch
-drm-amd-display-check-pipe-offset-before-setting-vbl.patch
-drm-amd-display-skip-finding-free-audio-for-unknown-.patch
-drm-amd-display-fix-uninitialized-variables-in-dm.patch
-drm-amdgpu-fix-uninitialized-scalar-variable-warning.patch
-drm-amdgpu-fix-the-warning-about-the-expression-int-.patch
-media-dw2102-don-t-translate-i2c-read-into-write.patch
-riscv-apply-sifive-cip-1200-workaround-to-single-asi.patch
-sctp-prefer-struct_size-over-open-coded-arithmetic.patch
-firmware-dmi-stop-decoding-on-broken-entry.patch
-input-ff-core-prefer-struct_size-over-open-coded-ari.patch
-usb-xhci-prevent-potential-failure-in-handle_tx_even.patch
-wifi-mt76-replace-skb_put-with-skb_put_zero.patch
-wifi-mt76-mt7996-add-sanity-checks-for-background-ra.patch
-thermal-drivers-mediatek-lvts_thermal-check-null-ptr.patch
-net-dsa-mv88e6xxx-correct-check-for-empty-list.patch
-media-dvb-frontends-tda18271c2dd-remove-casting-duri.patch
-media-s2255-use-refcount_t-instead-of-atomic_t-for-n.patch
-media-dvb-frontends-tda10048-fix-integer-overflow.patch
-powerpc-dexcr-track-the-dexcr-per-process.patch
-powerpc-dexcr-reset-dexcr-value-across-exec.patch
-i2c-i801-annotate-apanel_addr-as-__ro_after_init.patch
-powerpc-64-set-_io_base-to-poison_pointer_delta-not-.patch
-orangefs-fix-out-of-bounds-fsid-access.patch
-kunit-fix-timeout-message.patch
-kunit-handle-test-faults.patch
-powerpc-xmon-check-cpu-id-in-commands-c-dp-and-dx.patch
-perf-probe-use-zfree-to-avoid-possibly-accessing-dan.patch
-selftests-net-fix-uninitialized-variables.patch
-igc-fix-a-log-entry-using-uninitialized-netdev.patch
-bpf-avoid-uninitialized-value-in-bpf_core_read_bitfi.patch
-f2fs-check-validation-of-fault-attrs-in-f2fs_build_f.patch
-scsi-mpi3mr-sanitise-num_phys.patch
-serial-imx-raise-tx-trigger-level-to-8.patch
-nilfs2-convert-bug_on-in-nilfs_finish_roll_forward-t.patch
-jffs2-fix-potential-illegal-address-access-in-jffs2_.patch
-s390-mark-psw-in-__load_psw_mask-as-__unitialized.patch
-s390-pkey-wipe-sensitive-data-on-failure.patch
-btrfs-scrub-initialize-ret-in-scrub_simple_mirror-to.patch
-cdrom-rearrange-last_media_change-check-to-avoid-uni.patch
-tools-power-turbostat-remember-global-max_die_id.patch
-vhost-use-virtqueue-mutex-for-swapping-worker.patch
-vhost-release-worker-mutex-during-flushes.patch
-vhost_task-handle-sigkill-by-flushing-work-and-exiti.patch
+++ /dev/null
-From e056b473a8b4edd5d94792abbbff20b16970f508 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 2 May 2024 15:46:03 +0200
-Subject: thermal/drivers/mediatek/lvts_thermal: Check NULL ptr on lvts_data
-
-From: Julien Panis <jpanis@baylibre.com>
-
-[ Upstream commit a1191a77351e25ddf091bb1a231cae12ee598b5d ]
-
-Verify that lvts_data is not NULL before using it.
-
-Signed-off-by: Julien Panis <jpanis@baylibre.com>
-Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
-Link: https://lore.kernel.org/r/20240502-mtk-thermal-lvts-data-v1-1-65f1b0bfad37@baylibre.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/thermal/mediatek/lvts_thermal.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/thermal/mediatek/lvts_thermal.c b/drivers/thermal/mediatek/lvts_thermal.c
-index 666f440b66631..8d0ccf494ba22 100644
---- a/drivers/thermal/mediatek/lvts_thermal.c
-+++ b/drivers/thermal/mediatek/lvts_thermal.c
-@@ -1208,6 +1208,8 @@ static int lvts_probe(struct platform_device *pdev)
- return -ENOMEM;
-
- lvts_data = of_device_get_match_data(dev);
-+ if (!lvts_data)
-+ return -ENODEV;
-
- lvts_td->clk = devm_clk_get_enabled(dev, NULL);
- if (IS_ERR(lvts_td->clk))
---
-2.43.0
-
+++ /dev/null
-From 33b2094192bf39bf30af964e463042c6e728096c Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Sun, 21 Apr 2024 11:56:48 -0400
-Subject: tools/power turbostat: Remember global max_die_id
-
-From: Len Brown <len.brown@intel.com>
-
-[ Upstream commit cda203388687aa075db6f8996c3c4549fa518ea8 ]
-
-This is necessary to gracefully handle sparse die_id's.
-
-no functional change
-
-Signed-off-by: Len Brown <len.brown@intel.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- tools/power/x86/turbostat/turbostat.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c
-index ffa964ddbacef..6fad5fbfb0f96 100644
---- a/tools/power/x86/turbostat/turbostat.c
-+++ b/tools/power/x86/turbostat/turbostat.c
-@@ -566,6 +566,7 @@ struct topo_params {
- int num_cpus;
- int num_cores;
- int max_cpu_num;
-+ int max_die_id;
- int max_node_num;
- int nodes_per_pkg;
- int cores_per_node;
-@@ -5871,7 +5872,6 @@ void topology_probe()
- int i;
- int max_core_id = 0;
- int max_package_id = 0;
-- int max_die_id = 0;
- int max_siblings = 0;
-
- /* Initialize num_cpus, max_cpu_num */
-@@ -5940,8 +5940,8 @@ void topology_probe()
-
- /* get die information */
- cpus[i].die_id = get_die_id(i);
-- if (cpus[i].die_id > max_die_id)
-- max_die_id = cpus[i].die_id;
-+ if (cpus[i].die_id > topo.max_die_id)
-+ topo.max_die_id = cpus[i].die_id;
-
- /* get numa node information */
- cpus[i].physical_node_id = get_physical_node_id(&cpus[i]);
-@@ -5967,9 +5967,9 @@ void topology_probe()
- if (!summary_only && topo.cores_per_node > 1)
- BIC_PRESENT(BIC_Core);
-
-- topo.num_die = max_die_id + 1;
-+ topo.num_die = topo.max_die_id + 1;
- if (debug > 1)
-- fprintf(outf, "max_die_id %d, sizing for %d die\n", max_die_id, topo.num_die);
-+ fprintf(outf, "max_die_id %d, sizing for %d die\n", topo.max_die_id, topo.num_die);
- if (!summary_only && topo.num_die > 1)
- BIC_PRESENT(BIC_Die);
-
---
-2.43.0
-
+++ /dev/null
-From 750b747d4a2f3cb907831b8992bdf518d25f1a02 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Mon, 29 Apr 2024 17:02:37 +0300
-Subject: usb: xhci: prevent potential failure in handle_tx_event() for
- Transfer events without TRB
-
-From: Niklas Neronin <niklas.neronin@linux.intel.com>
-
-[ Upstream commit 66cb618bf0bb82859875b00eeffaf223557cb416 ]
-
-Some transfer events don't always point to a TRB, and consequently don't
-have a endpoint ring. In these cases, function handle_tx_event() should
-not proceed, because if 'ep->skip' is set, the pointer to the endpoint
-ring is used.
-
-To prevent a potential failure and make the code logical, return after
-checking the completion code for a Transfer event without TRBs.
-
-Signed-off-by: Niklas Neronin <niklas.neronin@linux.intel.com>
-Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
-Link: https://lore.kernel.org/r/20240429140245.3955523-11-mathias.nyman@linux.intel.com
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/usb/host/xhci-ring.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
-index 8dd85221cd927..592dabc785152 100644
---- a/drivers/usb/host/xhci-ring.c
-+++ b/drivers/usb/host/xhci-ring.c
-@@ -2649,16 +2649,17 @@ static int handle_tx_event(struct xhci_hcd *xhci,
- else
- xhci_handle_halted_endpoint(xhci, ep, NULL,
- EP_SOFT_RESET);
-- goto cleanup;
-+ break;
- case COMP_RING_UNDERRUN:
- case COMP_RING_OVERRUN:
- case COMP_STOPPED_LENGTH_INVALID:
-- goto cleanup;
-+ break;
- default:
- xhci_err(xhci, "ERROR Transfer event for unknown stream ring slot %u ep %u\n",
- slot_id, ep_index);
- goto err_out;
- }
-+ return 0;
- }
-
- /* Count current td numbers if ep->skip is set */
---
-2.43.0
-
+++ /dev/null
-From 31ffc26384603bb2752f08d7696be57ee52f11f2 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 15 Mar 2024 19:47:05 -0500
-Subject: vhost: Release worker mutex during flushes
-
-From: Mike Christie <michael.christie@oracle.com>
-
-[ Upstream commit ba704ff4e142fd3cfaf3379dd3b3b946754e06e3 ]
-
-In the next patches where the worker can be killed while in use, we
-need to be able to take the worker mutex and kill queued works for
-new IO and flushes, and set some new flags to prevent new
-__vhost_vq_attach_worker calls from swapping in/out killed workers.
-
-If we are holding the worker mutex during a flush and the flush's work
-is still in the queue, the worker code that will handle the SIGKILL
-cleanup won't be able to take the mutex and perform it's cleanup. So
-this patch has us drop the worker mutex while waiting for the flush
-to complete.
-
-Signed-off-by: Mike Christie <michael.christie@oracle.com>
-Message-Id: <20240316004707.45557-8-michael.christie@oracle.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/vhost/vhost.c | 44 +++++++++++++++++++++++++++++--------------
- 1 file changed, 30 insertions(+), 14 deletions(-)
-
-diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
-index 67bd947cc556d..069c8a23bff9e 100644
---- a/drivers/vhost/vhost.c
-+++ b/drivers/vhost/vhost.c
-@@ -276,21 +276,36 @@ void vhost_vq_flush(struct vhost_virtqueue *vq)
- EXPORT_SYMBOL_GPL(vhost_vq_flush);
-
- /**
-- * vhost_worker_flush - flush a worker
-+ * __vhost_worker_flush - flush a worker
- * @worker: worker to flush
- *
-- * This does not use RCU to protect the worker, so the device or worker
-- * mutex must be held.
-+ * The worker's flush_mutex must be held.
- */
--static void vhost_worker_flush(struct vhost_worker *worker)
-+static void __vhost_worker_flush(struct vhost_worker *worker)
- {
- struct vhost_flush_struct flush;
-
-+ if (!worker->attachment_cnt)
-+ return;
-+
- init_completion(&flush.wait_event);
- vhost_work_init(&flush.work, vhost_flush_work);
-
- vhost_worker_queue(worker, &flush.work);
-+ /*
-+ * Drop mutex in case our worker is killed and it needs to take the
-+ * mutex to force cleanup.
-+ */
-+ mutex_unlock(&worker->mutex);
- wait_for_completion(&flush.wait_event);
-+ mutex_lock(&worker->mutex);
-+}
-+
-+static void vhost_worker_flush(struct vhost_worker *worker)
-+{
-+ mutex_lock(&worker->mutex);
-+ __vhost_worker_flush(worker);
-+ mutex_unlock(&worker->mutex);
- }
-
- void vhost_dev_flush(struct vhost_dev *dev)
-@@ -298,15 +313,8 @@ void vhost_dev_flush(struct vhost_dev *dev)
- struct vhost_worker *worker;
- unsigned long i;
-
-- xa_for_each(&dev->worker_xa, i, worker) {
-- mutex_lock(&worker->mutex);
-- if (!worker->attachment_cnt) {
-- mutex_unlock(&worker->mutex);
-- continue;
-- }
-+ xa_for_each(&dev->worker_xa, i, worker)
- vhost_worker_flush(worker);
-- mutex_unlock(&worker->mutex);
-- }
- }
- EXPORT_SYMBOL_GPL(vhost_dev_flush);
-
-@@ -685,7 +693,6 @@ static void __vhost_vq_attach_worker(struct vhost_virtqueue *vq,
- * device wide flushes which doesn't use RCU for execution.
- */
- mutex_lock(&old_worker->mutex);
-- old_worker->attachment_cnt--;
- /*
- * We don't want to call synchronize_rcu for every vq during setup
- * because it will slow down VM startup. If we haven't done
-@@ -696,6 +703,8 @@ static void __vhost_vq_attach_worker(struct vhost_virtqueue *vq,
- mutex_lock(&vq->mutex);
- if (!vhost_vq_get_backend(vq) && !vq->kick) {
- mutex_unlock(&vq->mutex);
-+
-+ old_worker->attachment_cnt--;
- mutex_unlock(&old_worker->mutex);
- /*
- * vsock can queue anytime after VHOST_VSOCK_SET_GUEST_CID.
-@@ -711,7 +720,8 @@ static void __vhost_vq_attach_worker(struct vhost_virtqueue *vq,
- /* Make sure new vq queue/flush/poll calls see the new worker */
- synchronize_rcu();
- /* Make sure whatever was queued gets run */
-- vhost_worker_flush(old_worker);
-+ __vhost_worker_flush(old_worker);
-+ old_worker->attachment_cnt--;
- mutex_unlock(&old_worker->mutex);
- }
-
-@@ -764,6 +774,12 @@ static int vhost_free_worker(struct vhost_dev *dev,
- mutex_unlock(&worker->mutex);
- return -EBUSY;
- }
-+ /*
-+ * A flush might have raced and snuck in before attachment_cnt was set
-+ * to zero. Make sure flushes are flushed from the queue before
-+ * freeing.
-+ */
-+ __vhost_worker_flush(worker);
- mutex_unlock(&worker->mutex);
-
- vhost_worker_destroy(dev, worker);
---
-2.43.0
-
+++ /dev/null
-From 0dbcc0f96e0e15fd7b95f2cf0e4aa429ecff9caa Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 15 Mar 2024 19:47:04 -0500
-Subject: vhost: Use virtqueue mutex for swapping worker
-
-From: Mike Christie <michael.christie@oracle.com>
-
-[ Upstream commit 34cf9ba5f00a222dddd9fc71de7c68fdaac7fb97 ]
-
-__vhost_vq_attach_worker uses the vhost_dev mutex to serialize the
-swapping of a virtqueue's worker. This was done for simplicity because
-we are already holding that mutex.
-
-In the next patches where the worker can be killed while in use, we need
-finer grained locking because some drivers will hold the vhost_dev mutex
-while flushing. However in the SIGKILL handler in the next patches, we
-will need to be able to swap workers (set current one to NULL), kill
-queued works and stop new flushes while flushes are in progress.
-
-To prepare us, this has us use the virtqueue mutex for swapping workers
-instead of the vhost_dev one.
-
-Signed-off-by: Mike Christie <michael.christie@oracle.com>
-Message-Id: <20240316004707.45557-7-michael.christie@oracle.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/vhost/vhost.c | 18 ++++++++++++------
- 1 file changed, 12 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
-index 88362c0afe452..67bd947cc556d 100644
---- a/drivers/vhost/vhost.c
-+++ b/drivers/vhost/vhost.c
-@@ -664,16 +664,22 @@ static void __vhost_vq_attach_worker(struct vhost_virtqueue *vq,
- {
- struct vhost_worker *old_worker;
-
-- old_worker = rcu_dereference_check(vq->worker,
-- lockdep_is_held(&vq->dev->mutex));
--
- mutex_lock(&worker->mutex);
-- worker->attachment_cnt++;
-- mutex_unlock(&worker->mutex);
-+ mutex_lock(&vq->mutex);
-+
-+ old_worker = rcu_dereference_check(vq->worker,
-+ lockdep_is_held(&vq->mutex));
- rcu_assign_pointer(vq->worker, worker);
-+ worker->attachment_cnt++;
-
-- if (!old_worker)
-+ if (!old_worker) {
-+ mutex_unlock(&vq->mutex);
-+ mutex_unlock(&worker->mutex);
- return;
-+ }
-+ mutex_unlock(&vq->mutex);
-+ mutex_unlock(&worker->mutex);
-+
- /*
- * Take the worker mutex to make sure we see the work queued from
- * device wide flushes which doesn't use RCU for execution.
---
-2.43.0
-
+++ /dev/null
-From ed47288271efa5a89f32da858a07b8913080455a Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Fri, 15 Mar 2024 19:47:06 -0500
-Subject: vhost_task: Handle SIGKILL by flushing work and exiting
-
-From: Mike Christie <michael.christie@oracle.com>
-
-[ Upstream commit db5247d9bf5c6ade9fd70b4e4897441e0269b233 ]
-
-Instead of lingering until the device is closed, this has us handle
-SIGKILL by:
-
-1. marking the worker as killed so we no longer try to use it with
- new virtqueues and new flush operations.
-2. setting the virtqueue to worker mapping so no new works are queued.
-3. running all the exiting works.
-
-Suggested-by: Edward Adam Davis <eadavis@qq.com>
-Reported-and-tested-by: syzbot+98edc2df894917b3431f@syzkaller.appspotmail.com
-Message-Id: <tencent_546DA49414E876EEBECF2C78D26D242EE50A@qq.com>
-Signed-off-by: Mike Christie <michael.christie@oracle.com>
-Message-Id: <20240316004707.45557-9-michael.christie@oracle.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/vhost/vhost.c | 54 +++++++++++++++++++++++++++++---
- drivers/vhost/vhost.h | 2 ++
- include/linux/sched/vhost_task.h | 3 +-
- kernel/vhost_task.c | 53 ++++++++++++++++++++-----------
- 4 files changed, 88 insertions(+), 24 deletions(-)
-
-diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
-index 069c8a23bff9e..d0238bd741b08 100644
---- a/drivers/vhost/vhost.c
-+++ b/drivers/vhost/vhost.c
-@@ -285,7 +285,7 @@ static void __vhost_worker_flush(struct vhost_worker *worker)
- {
- struct vhost_flush_struct flush;
-
-- if (!worker->attachment_cnt)
-+ if (!worker->attachment_cnt || worker->killed)
- return;
-
- init_completion(&flush.wait_event);
-@@ -400,7 +400,7 @@ static void vhost_vq_reset(struct vhost_dev *dev,
- __vhost_vq_meta_reset(vq);
- }
-
--static bool vhost_worker(void *data)
-+static bool vhost_run_work_list(void *data)
- {
- struct vhost_worker *worker = data;
- struct vhost_work *work, *work_next;
-@@ -425,6 +425,40 @@ static bool vhost_worker(void *data)
- return !!node;
- }
-
-+static void vhost_worker_killed(void *data)
-+{
-+ struct vhost_worker *worker = data;
-+ struct vhost_dev *dev = worker->dev;
-+ struct vhost_virtqueue *vq;
-+ int i, attach_cnt = 0;
-+
-+ mutex_lock(&worker->mutex);
-+ worker->killed = true;
-+
-+ for (i = 0; i < dev->nvqs; i++) {
-+ vq = dev->vqs[i];
-+
-+ mutex_lock(&vq->mutex);
-+ if (worker ==
-+ rcu_dereference_check(vq->worker,
-+ lockdep_is_held(&vq->mutex))) {
-+ rcu_assign_pointer(vq->worker, NULL);
-+ attach_cnt++;
-+ }
-+ mutex_unlock(&vq->mutex);
-+ }
-+
-+ worker->attachment_cnt -= attach_cnt;
-+ if (attach_cnt)
-+ synchronize_rcu();
-+ /*
-+ * Finish vhost_worker_flush calls and any other works that snuck in
-+ * before the synchronize_rcu.
-+ */
-+ vhost_run_work_list(worker);
-+ mutex_unlock(&worker->mutex);
-+}
-+
- static void vhost_vq_free_iovecs(struct vhost_virtqueue *vq)
- {
- kfree(vq->indirect);
-@@ -639,9 +673,11 @@ static struct vhost_worker *vhost_worker_create(struct vhost_dev *dev)
- if (!worker)
- return NULL;
-
-+ worker->dev = dev;
- snprintf(name, sizeof(name), "vhost-%d", current->pid);
-
-- vtsk = vhost_task_create(vhost_worker, worker, name);
-+ vtsk = vhost_task_create(vhost_run_work_list, vhost_worker_killed,
-+ worker, name);
- if (!vtsk)
- goto free_worker;
-
-@@ -673,6 +709,11 @@ static void __vhost_vq_attach_worker(struct vhost_virtqueue *vq,
- struct vhost_worker *old_worker;
-
- mutex_lock(&worker->mutex);
-+ if (worker->killed) {
-+ mutex_unlock(&worker->mutex);
-+ return;
-+ }
-+
- mutex_lock(&vq->mutex);
-
- old_worker = rcu_dereference_check(vq->worker,
-@@ -693,6 +734,11 @@ static void __vhost_vq_attach_worker(struct vhost_virtqueue *vq,
- * device wide flushes which doesn't use RCU for execution.
- */
- mutex_lock(&old_worker->mutex);
-+ if (old_worker->killed) {
-+ mutex_unlock(&old_worker->mutex);
-+ return;
-+ }
-+
- /*
- * We don't want to call synchronize_rcu for every vq during setup
- * because it will slow down VM startup. If we haven't done
-@@ -770,7 +816,7 @@ static int vhost_free_worker(struct vhost_dev *dev,
- return -ENODEV;
-
- mutex_lock(&worker->mutex);
-- if (worker->attachment_cnt) {
-+ if (worker->attachment_cnt || worker->killed) {
- mutex_unlock(&worker->mutex);
- return -EBUSY;
- }
-diff --git a/drivers/vhost/vhost.h b/drivers/vhost/vhost.h
-index f60d5f7bef944..8014d2b359503 100644
---- a/drivers/vhost/vhost.h
-+++ b/drivers/vhost/vhost.h
-@@ -28,12 +28,14 @@ struct vhost_work {
-
- struct vhost_worker {
- struct vhost_task *vtsk;
-+ struct vhost_dev *dev;
- /* Used to serialize device wide flushing with worker swapping. */
- struct mutex mutex;
- struct llist_head work_list;
- u64 kcov_handle;
- u32 id;
- int attachment_cnt;
-+ bool killed;
- };
-
- /* Poll a file (eventfd or socket) */
-diff --git a/include/linux/sched/vhost_task.h b/include/linux/sched/vhost_task.h
-index 837a23624a66a..3612de6ea1c5d 100644
---- a/include/linux/sched/vhost_task.h
-+++ b/include/linux/sched/vhost_task.h
-@@ -5,7 +5,8 @@
-
- struct vhost_task;
-
--struct vhost_task *vhost_task_create(bool (*fn)(void *), void *arg,
-+struct vhost_task *vhost_task_create(bool (*fn)(void *),
-+ void (*handle_kill)(void *), void *arg,
- const char *name);
- void vhost_task_start(struct vhost_task *vtsk);
- void vhost_task_stop(struct vhost_task *vtsk);
-diff --git a/kernel/vhost_task.c b/kernel/vhost_task.c
-index da35e5b7f0473..8800f5acc0071 100644
---- a/kernel/vhost_task.c
-+++ b/kernel/vhost_task.c
-@@ -10,38 +10,32 @@
-
- enum vhost_task_flags {
- VHOST_TASK_FLAGS_STOP,
-+ VHOST_TASK_FLAGS_KILLED,
- };
-
- struct vhost_task {
- bool (*fn)(void *data);
-+ void (*handle_sigkill)(void *data);
- void *data;
- struct completion exited;
- unsigned long flags;
- struct task_struct *task;
-+ /* serialize SIGKILL and vhost_task_stop calls */
-+ struct mutex exit_mutex;
- };
-
- static int vhost_task_fn(void *data)
- {
- struct vhost_task *vtsk = data;
-- bool dead = false;
-
- for (;;) {
- bool did_work;
-
-- if (!dead && signal_pending(current)) {
-+ if (signal_pending(current)) {
- struct ksignal ksig;
-- /*
-- * Calling get_signal will block in SIGSTOP,
-- * or clear fatal_signal_pending, but remember
-- * what was set.
-- *
-- * This thread won't actually exit until all
-- * of the file descriptors are closed, and
-- * the release function is called.
-- */
-- dead = get_signal(&ksig);
-- if (dead)
-- clear_thread_flag(TIF_SIGPENDING);
-+
-+ if (get_signal(&ksig))
-+ break;
- }
-
- /* mb paired w/ vhost_task_stop */
-@@ -57,7 +51,19 @@ static int vhost_task_fn(void *data)
- schedule();
- }
-
-+ mutex_lock(&vtsk->exit_mutex);
-+ /*
-+ * If a vhost_task_stop and SIGKILL race, we can ignore the SIGKILL.
-+ * When the vhost layer has called vhost_task_stop it's already stopped
-+ * new work and flushed.
-+ */
-+ if (!test_bit(VHOST_TASK_FLAGS_STOP, &vtsk->flags)) {
-+ set_bit(VHOST_TASK_FLAGS_KILLED, &vtsk->flags);
-+ vtsk->handle_sigkill(vtsk->data);
-+ }
-+ mutex_unlock(&vtsk->exit_mutex);
- complete(&vtsk->exited);
-+
- do_exit(0);
- }
-
-@@ -78,12 +84,17 @@ EXPORT_SYMBOL_GPL(vhost_task_wake);
- * @vtsk: vhost_task to stop
- *
- * vhost_task_fn ensures the worker thread exits after
-- * VHOST_TASK_FLAGS_SOP becomes true.
-+ * VHOST_TASK_FLAGS_STOP becomes true.
- */
- void vhost_task_stop(struct vhost_task *vtsk)
- {
-- set_bit(VHOST_TASK_FLAGS_STOP, &vtsk->flags);
-- vhost_task_wake(vtsk);
-+ mutex_lock(&vtsk->exit_mutex);
-+ if (!test_bit(VHOST_TASK_FLAGS_KILLED, &vtsk->flags)) {
-+ set_bit(VHOST_TASK_FLAGS_STOP, &vtsk->flags);
-+ vhost_task_wake(vtsk);
-+ }
-+ mutex_unlock(&vtsk->exit_mutex);
-+
- /*
- * Make sure vhost_task_fn is no longer accessing the vhost_task before
- * freeing it below.
-@@ -96,14 +107,16 @@ EXPORT_SYMBOL_GPL(vhost_task_stop);
- /**
- * vhost_task_create - create a copy of a task to be used by the kernel
- * @fn: vhost worker function
-- * @arg: data to be passed to fn
-+ * @handle_sigkill: vhost function to handle when we are killed
-+ * @arg: data to be passed to fn and handled_kill
- * @name: the thread's name
- *
- * This returns a specialized task for use by the vhost layer or NULL on
- * failure. The returned task is inactive, and the caller must fire it up
- * through vhost_task_start().
- */
--struct vhost_task *vhost_task_create(bool (*fn)(void *), void *arg,
-+struct vhost_task *vhost_task_create(bool (*fn)(void *),
-+ void (*handle_sigkill)(void *), void *arg,
- const char *name)
- {
- struct kernel_clone_args args = {
-@@ -122,8 +135,10 @@ struct vhost_task *vhost_task_create(bool (*fn)(void *), void *arg,
- if (!vtsk)
- return NULL;
- init_completion(&vtsk->exited);
-+ mutex_init(&vtsk->exit_mutex);
- vtsk->data = arg;
- vtsk->fn = fn;
-+ vtsk->handle_sigkill = handle_sigkill;
-
- args.fn_arg = vtsk;
-
---
-2.43.0
-
+++ /dev/null
-From 45b41d7da1398b03b51955378e1b15c0501896e7 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 20 Mar 2024 19:09:16 +0800
-Subject: wifi: mt76: mt7996: add sanity checks for background radar trigger
-
-From: StanleyYP Wang <StanleyYP.Wang@mediatek.com>
-
-[ Upstream commit ec55d8e7dfea92daff87f5c01689633f8c4e6a62 ]
-
-Check if background radar is enabled or not before manually triggering it,
-and also add more checks in radar detected event.
-
-Signed-off-by: StanleyYP Wang <StanleyYP.Wang@mediatek.com>
-Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
-Signed-off-by: Felix Fietkau <nbd@nbd.name>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/wireless/mediatek/mt76/mt7996/debugfs.c | 5 +++++
- drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 5 ++++-
- 2 files changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/debugfs.c b/drivers/net/wireless/mediatek/mt76/mt7996/debugfs.c
-index 4d40ec7ff57f5..630520c21a47f 100644
---- a/drivers/net/wireless/mediatek/mt76/mt7996/debugfs.c
-+++ b/drivers/net/wireless/mediatek/mt76/mt7996/debugfs.c
-@@ -225,6 +225,11 @@ mt7996_radar_trigger(void *data, u64 val)
- if (val > MT_RX_SEL2)
- return -EINVAL;
-
-+ if (val == MT_RX_SEL2 && !dev->rdd2_phy) {
-+ dev_err(dev->mt76.dev, "Background radar is not enabled\n");
-+ return -EINVAL;
-+ }
-+
- return mt7996_mcu_rdd_cmd(dev, RDD_RADAR_EMULATE,
- val, 0, 0);
- }
-diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
-index b4ea7d0a7f5a0..b66f712e1b17b 100644
---- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
-+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
-@@ -339,7 +339,10 @@ mt7996_mcu_rx_radar_detected(struct mt7996_dev *dev, struct sk_buff *skb)
- if (r->band_idx >= ARRAY_SIZE(dev->mt76.phys))
- return;
-
-- if (dev->rdd2_phy && r->band_idx == MT_RX_SEL2)
-+ if (r->band_idx == MT_RX_SEL2 && !dev->rdd2_phy)
-+ return;
-+
-+ if (r->band_idx == MT_RX_SEL2)
- mphy = dev->rdd2_phy->mt76;
- else
- mphy = dev->mt76.phys[r->band_idx];
---
-2.43.0
-
+++ /dev/null
-From 62c20ee8bf2e288bb068a03b46b843c70559d9ed Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Thu, 14 Mar 2024 17:02:52 +0100
-Subject: wifi: mt76: replace skb_put with skb_put_zero
-
-From: Felix Fietkau <nbd@nbd.name>
-
-[ Upstream commit 7f819a2f4fbc510e088b49c79addcf1734503578 ]
-
-Avoid potentially reusing uninitialized data
-
-Signed-off-by: Felix Fietkau <nbd@nbd.name>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 10 +++++-----
- drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 2 +-
- 2 files changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
-index dc4fbab1e1b75..998cfd73764a9 100644
---- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
-+++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
-@@ -255,7 +255,7 @@ mt76_connac_mcu_add_nested_tlv(struct sk_buff *skb, int tag, int len,
- };
- u16 ntlv;
-
-- ptlv = skb_put(skb, len);
-+ ptlv = skb_put_zero(skb, len);
- memcpy(ptlv, &tlv, sizeof(tlv));
-
- ntlv = le16_to_cpu(ntlv_hdr->tlv_num);
-@@ -1654,7 +1654,7 @@ int mt76_connac_mcu_hw_scan(struct mt76_phy *phy, struct ieee80211_vif *vif,
- set_bit(MT76_HW_SCANNING, &phy->state);
- mvif->scan_seq_num = (mvif->scan_seq_num + 1) & 0x7f;
-
-- req = (struct mt76_connac_hw_scan_req *)skb_put(skb, sizeof(*req));
-+ req = (struct mt76_connac_hw_scan_req *)skb_put_zero(skb, sizeof(*req));
-
- req->seq_num = mvif->scan_seq_num | mvif->band_idx << 7;
- req->bss_idx = mvif->idx;
-@@ -1782,7 +1782,7 @@ int mt76_connac_mcu_sched_scan_req(struct mt76_phy *phy,
-
- mvif->scan_seq_num = (mvif->scan_seq_num + 1) & 0x7f;
-
-- req = (struct mt76_connac_sched_scan_req *)skb_put(skb, sizeof(*req));
-+ req = (struct mt76_connac_sched_scan_req *)skb_put_zero(skb, sizeof(*req));
- req->version = 1;
- req->seq_num = mvif->scan_seq_num | mvif->band_idx << 7;
-
-@@ -2416,7 +2416,7 @@ int mt76_connac_mcu_update_gtk_rekey(struct ieee80211_hw *hw,
- return -ENOMEM;
-
- skb_put_data(skb, &hdr, sizeof(hdr));
-- gtk_tlv = (struct mt76_connac_gtk_rekey_tlv *)skb_put(skb,
-+ gtk_tlv = (struct mt76_connac_gtk_rekey_tlv *)skb_put_zero(skb,
- sizeof(*gtk_tlv));
- gtk_tlv->tag = cpu_to_le16(UNI_OFFLOAD_OFFLOAD_GTK_REKEY);
- gtk_tlv->len = cpu_to_le16(sizeof(*gtk_tlv));
-@@ -2539,7 +2539,7 @@ mt76_connac_mcu_set_wow_pattern(struct mt76_dev *dev,
- return -ENOMEM;
-
- skb_put_data(skb, &hdr, sizeof(hdr));
-- ptlv = (struct mt76_connac_wow_pattern_tlv *)skb_put(skb, sizeof(*ptlv));
-+ ptlv = (struct mt76_connac_wow_pattern_tlv *)skb_put_zero(skb, sizeof(*ptlv));
- ptlv->tag = cpu_to_le16(UNI_SUSPEND_WOW_PATTERN);
- ptlv->len = cpu_to_le16(sizeof(*ptlv));
- ptlv->data_len = pattern->pattern_len;
-diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
-index 5d8e985cd7d45..272e55ef8e2d2 100644
---- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
-+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
-@@ -422,7 +422,7 @@ mt7915_mcu_add_nested_subtlv(struct sk_buff *skb, int sub_tag, int sub_len,
- .len = cpu_to_le16(sub_len),
- };
-
-- ptlv = skb_put(skb, sub_len);
-+ ptlv = skb_put_zero(skb, sub_len);
- memcpy(ptlv, &tlv, sizeof(tlv));
-
- le16_add_cpu(sub_ntlv, 1);
---
-2.43.0
-
projects / thirdparty / kernel / stable-queue.git / commitdiff
