--- /dev/null
+From 4e7817c3190175d02a107405205be715d8ddebbd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jun 2024 09:52:28 -0700
+Subject: af_unix: Annodate data-races around sk->sk_state for writers.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 942238f9735a4a4ebf8274b218d9a910158941d1 ]
+
+sk->sk_state is changed under unix_state_lock(), but it's read locklessly
+in many places.
+
+This patch adds WRITE_ONCE() on the writer side.
+
+We will add READ_ONCE() to the lockless readers in the following patches.
+
+Fixes: 83301b5367a9 ("af_unix: Set TCP_ESTABLISHED for datagram sockets too")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 914e40697f00a..616d6c34d6102 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -542,7 +542,7 @@ static void unix_release_sock(struct sock *sk, int embrion)
+ u->path.dentry = NULL;
+ u->path.mnt = NULL;
+ state = sk->sk_state;
+- sk->sk_state = TCP_CLOSE;
++ WRITE_ONCE(sk->sk_state, TCP_CLOSE);
+
+ skpair = unix_peer(sk);
+ unix_peer(sk) = NULL;
+@@ -664,7 +664,8 @@ static int unix_listen(struct socket *sock, int backlog)
+ if (backlog > sk->sk_max_ack_backlog)
+ wake_up_interruptible_all(&u->peer_wait);
+ sk->sk_max_ack_backlog = backlog;
+- sk->sk_state = TCP_LISTEN;
++ WRITE_ONCE(sk->sk_state, TCP_LISTEN);
++
+ /* set credentials so connect can copy them */
+ init_peercred(sk);
+ err = 0;
+@@ -1254,7 +1255,8 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr,
+ if (err)
+ goto out_unlock;
+
+- sk->sk_state = other->sk_state = TCP_ESTABLISHED;
++ WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED);
++ WRITE_ONCE(other->sk_state, TCP_ESTABLISHED);
+ } else {
+ /*
+ * 1003.1g breaking connected state with AF_UNSPEC
+@@ -1271,7 +1273,7 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr,
+
+ unix_peer(sk) = other;
+ if (!other)
+- sk->sk_state = TCP_CLOSE;
++ WRITE_ONCE(sk->sk_state, TCP_CLOSE);
+ unix_dgram_peer_wake_disconnect_wakeup(sk, old_peer);
+
+ unix_state_double_unlock(sk, other);
+@@ -1484,7 +1486,7 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr,
+ copy_peercred(sk, other);
+
+ sock->state = SS_CONNECTED;
+- sk->sk_state = TCP_ESTABLISHED;
++ WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED);
+ sock_hold(newsk);
+
+ smp_mb__after_atomic(); /* sock_hold() does an atomic_inc() */
+@@ -1880,7 +1882,7 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg,
+ unix_peer(sk) = NULL;
+ unix_dgram_peer_wake_disconnect_wakeup(sk, other);
+
+- sk->sk_state = TCP_CLOSE;
++ WRITE_ONCE(sk->sk_state, TCP_CLOSE);
+ unix_state_unlock(sk);
+
+ unix_dgram_disconnected(sk, other);
+--
+2.43.0
+
--- /dev/null
+From d0211af6e254986091d952cd861d1ec9517ca5cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jun 2024 09:52:37 -0700
+Subject: af_unix: Annotate data-race of net->unx.sysctl_max_dgram_qlen.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit bd9f2d05731f6a112d0c7391a0d537bfc588dbe6 ]
+
+net->unx.sysctl_max_dgram_qlen is exposed as a sysctl knob and can be
+changed concurrently.
+
+Let's use READ_ONCE() in unix_create1().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index c6d3a19956004..5c4318f64d253 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -888,7 +888,7 @@ static struct sock *unix_create1(struct net *net, struct socket *sock, int kern,
+
+ sk->sk_allocation = GFP_KERNEL_ACCOUNT;
+ sk->sk_write_space = unix_write_space;
+- sk->sk_max_ack_backlog = net->unx.sysctl_max_dgram_qlen;
++ sk->sk_max_ack_backlog = READ_ONCE(net->unx.sysctl_max_dgram_qlen);
+ sk->sk_destruct = unix_sock_destructor;
+ u = unix_sk(sk);
+ u->inflight = 0;
+--
+2.43.0
+
--- /dev/null
+From 94dccc65b7d84333cead9dfbd69fd322a517704d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jun 2024 09:52:41 -0700
+Subject: af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit efaf24e30ec39ebbea9112227485805a48b0ceb1 ]
+
+While dumping sockets via UNIX_DIAG, we do not hold unix_state_lock().
+
+Let's use READ_ONCE() to read sk->sk_shutdown.
+
+Fixes: e4e541a84863 ("sock-diag: Report shutdown for inet and unix sockets (v2)")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/diag.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/unix/diag.c b/net/unix/diag.c
+index 63a0040e9fb45..86b3401dcc000 100644
+--- a/net/unix/diag.c
++++ b/net/unix/diag.c
+@@ -165,7 +165,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, struct unix_diag_r
+ sock_diag_put_meminfo(sk, skb, UNIX_DIAG_MEMINFO))
+ goto out_nlmsg_trim;
+
+- if (nla_put_u8(skb, UNIX_DIAG_SHUTDOWN, sk->sk_shutdown))
++ if (nla_put_u8(skb, UNIX_DIAG_SHUTDOWN, READ_ONCE(sk->sk_shutdown)))
+ goto out_nlmsg_trim;
+
+ if ((req->udiag_show & UDIAG_SHOW_UID) &&
+--
+2.43.0
+
--- /dev/null
+From 606ac2707f4c4f563be7f791560647cbac5c339c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jun 2024 09:52:29 -0700
+Subject: af_unix: Annotate data-race of sk->sk_state in unix_inq_len().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 3a0f38eb285c8c2eead4b3230c7ac2983707599d ]
+
+ioctl(SIOCINQ) calls unix_inq_len() that checks sk->sk_state first
+and returns -EINVAL if it's TCP_LISTEN.
+
+Then, for SOCK_STREAM sockets, unix_inq_len() returns the number of
+bytes in recvq.
+
+However, unix_inq_len() does not hold unix_state_lock(), and the
+concurrent listen() might change the state after checking sk->sk_state.
+
+If the race occurs, 0 is returned for the listener, instead of -EINVAL,
+because the length of skb with embryo is 0.
+
+We could hold unix_state_lock() in unix_inq_len(), but it's overkill
+given the result is true for pre-listen() TCP_CLOSE state.
+
+So, let's use READ_ONCE() for sk->sk_state in unix_inq_len().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 616d6c34d6102..18e2dea699720 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -2957,7 +2957,7 @@ long unix_inq_len(struct sock *sk)
+ struct sk_buff *skb;
+ long amount = 0;
+
+- if (sk->sk_state == TCP_LISTEN)
++ if (READ_ONCE(sk->sk_state) == TCP_LISTEN)
+ return -EINVAL;
+
+ spin_lock(&sk->sk_receive_queue.lock);
+--
+2.43.0
+
--- /dev/null
+From aeec58466a73081c275584e95c683b252b99a215 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jun 2024 09:52:31 -0700
+Subject: af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit a9bf9c7dc6a5899c01cb8f6e773a66315a5cd4b7 ]
+
+As small optimisation, unix_stream_connect() prefetches the client's
+sk->sk_state without unix_state_lock() and checks if it's TCP_CLOSE.
+
+Later, sk->sk_state is checked again under unix_state_lock().
+
+Let's use READ_ONCE() for the first check and TCP_CLOSE directly for
+the second check.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 9800d255a8bc7..628b3fcc74227 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -1371,7 +1371,6 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr,
+ struct sk_buff *skb = NULL;
+ long timeo;
+ int err;
+- int st;
+
+ err = unix_validate_addr(sunaddr, addr_len);
+ if (err)
+@@ -1455,9 +1454,7 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr,
+
+ Well, and we have to recheck the state after socket locked.
+ */
+- st = sk->sk_state;
+-
+- switch (st) {
++ switch (READ_ONCE(sk->sk_state)) {
+ case TCP_CLOSE:
+ /* This is ok... continue with connect */
+ break;
+@@ -1472,7 +1469,7 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr,
+
+ unix_state_lock_nested(sk, U_LOCK_SECOND);
+
+- if (sk->sk_state != st) {
++ if (sk->sk_state != TCP_CLOSE) {
+ unix_state_unlock(sk);
+ unix_state_unlock(other);
+ sock_put(other);
+--
+2.43.0
+
--- /dev/null
+From 342e27acc53fd2f8a50a957f7c82bf1445299273 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jun 2024 09:52:34 -0700
+Subject: af_unix: Annotate data-race of sk->sk_state in
+ unix_stream_read_skb().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit af4c733b6b1aded4dc808fafece7dfe6e9d2ebb3 ]
+
+unix_stream_read_skb() is called from sk->sk_data_ready() context
+where unix_state_lock() is not held.
+
+Let's use READ_ONCE() there.
+
+Fixes: 77462de14a43 ("af_unix: Add read_sock for stream socket types")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index d00d781f777be..c6d3a19956004 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -2642,7 +2642,7 @@ static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk,
+ static int unix_stream_read_sock(struct sock *sk, read_descriptor_t *desc,
+ sk_read_actor_t recv_actor)
+ {
+- if (unlikely(sk->sk_state != TCP_ESTABLISHED))
++ if (unlikely(READ_ONCE(sk->sk_state) != TCP_ESTABLISHED))
+ return -ENOTCONN;
+
+ return unix_read_sock(sk, desc, recv_actor);
+--
+2.43.0
+
--- /dev/null
+From 00d7a1aca3c596b90e6bd71e005335419ed7f4fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jun 2024 09:52:33 -0700
+Subject: af_unix: Annotate data-races around sk->sk_state in sendmsg() and
+ recvmsg().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 8a34d4e8d9742a24f74998f45a6a98edd923319b ]
+
+The following functions read sk->sk_state locklessly and proceed only if
+the state is TCP_ESTABLISHED.
+
+ * unix_stream_sendmsg
+ * unix_stream_read_generic
+ * unix_seqpacket_sendmsg
+ * unix_seqpacket_recvmsg
+
+Let's use READ_ONCE() there.
+
+Fixes: a05d2ad1c1f3 ("af_unix: Only allow recv on connected seqpacket sockets.")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 628b3fcc74227..d00d781f777be 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -2093,7 +2093,7 @@ static int unix_stream_sendmsg(struct socket *sock, struct msghdr *msg,
+ }
+
+ if (msg->msg_namelen) {
+- err = sk->sk_state == TCP_ESTABLISHED ? -EISCONN : -EOPNOTSUPP;
++ err = READ_ONCE(sk->sk_state) == TCP_ESTABLISHED ? -EISCONN : -EOPNOTSUPP;
+ goto out_err;
+ } else {
+ err = -ENOTCONN;
+@@ -2305,7 +2305,7 @@ static int unix_seqpacket_sendmsg(struct socket *sock, struct msghdr *msg,
+ if (err)
+ return err;
+
+- if (sk->sk_state != TCP_ESTABLISHED)
++ if (READ_ONCE(sk->sk_state) != TCP_ESTABLISHED)
+ return -ENOTCONN;
+
+ if (msg->msg_namelen)
+@@ -2319,7 +2319,7 @@ static int unix_seqpacket_recvmsg(struct socket *sock, struct msghdr *msg,
+ {
+ struct sock *sk = sock->sk;
+
+- if (sk->sk_state != TCP_ESTABLISHED)
++ if (READ_ONCE(sk->sk_state) != TCP_ESTABLISHED)
+ return -ENOTCONN;
+
+ return unix_dgram_recvmsg(sock, msg, size, flags);
+@@ -2666,7 +2666,7 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state,
+ size_t size = state->size;
+ unsigned int last_len;
+
+- if (unlikely(sk->sk_state != TCP_ESTABLISHED)) {
++ if (unlikely(READ_ONCE(sk->sk_state) != TCP_ESTABLISHED)) {
+ err = -EINVAL;
+ goto out;
+ }
+--
+2.43.0
+
--- /dev/null
+From b2efe08af840020f292ef96693445bd9feffa196 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jun 2024 09:52:30 -0700
+Subject: af_unix: Annotate data-races around sk->sk_state in
+ unix_write_space() and poll().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit eb0718fb3e97ad0d6f4529b810103451c90adf94 ]
+
+unix_poll() and unix_dgram_poll() read sk->sk_state locklessly and
+calls unix_writable() which also reads sk->sk_state without holding
+unix_state_lock().
+
+Let's use READ_ONCE() in unix_poll() and unix_dgram_poll() and pass
+it to unix_writable().
+
+While at it, we remove TCP_SYN_SENT check in unix_dgram_poll() as
+that state does not exist for AF_UNIX socket since the code was added.
+
+Fixes: 1586a5877db9 ("af_unix: do not report POLLOUT on listeners")
+Fixes: 3c73419c09a5 ("af_unix: fix 'poll for write'/ connected DGRAM sockets")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 25 ++++++++++++-------------
+ 1 file changed, 12 insertions(+), 13 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 18e2dea699720..73b287b7a1154 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -455,9 +455,9 @@ static int unix_dgram_peer_wake_me(struct sock *sk, struct sock *other)
+ return 0;
+ }
+
+-static int unix_writable(const struct sock *sk)
++static int unix_writable(const struct sock *sk, unsigned char state)
+ {
+- return sk->sk_state != TCP_LISTEN &&
++ return state != TCP_LISTEN &&
+ (refcount_read(&sk->sk_wmem_alloc) << 2) <= sk->sk_sndbuf;
+ }
+
+@@ -466,7 +466,7 @@ static void unix_write_space(struct sock *sk)
+ struct socket_wq *wq;
+
+ rcu_read_lock();
+- if (unix_writable(sk)) {
++ if (unix_writable(sk, READ_ONCE(sk->sk_state))) {
+ wq = rcu_dereference(sk->sk_wq);
+ if (skwq_has_sleeper(wq))
+ wake_up_interruptible_sync_poll(&wq->wait,
+@@ -3069,12 +3069,14 @@ static int unix_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned lon
+ static __poll_t unix_poll(struct file *file, struct socket *sock, poll_table *wait)
+ {
+ struct sock *sk = sock->sk;
++ unsigned char state;
+ __poll_t mask;
+ u8 shutdown;
+
+ sock_poll_wait(file, sock, wait);
+ mask = 0;
+ shutdown = READ_ONCE(sk->sk_shutdown);
++ state = READ_ONCE(sk->sk_state);
+
+ /* exceptional events? */
+ if (sk->sk_err)
+@@ -3096,14 +3098,14 @@ static __poll_t unix_poll(struct file *file, struct socket *sock, poll_table *wa
+
+ /* Connection-based need to check for termination and startup */
+ if ((sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET) &&
+- sk->sk_state == TCP_CLOSE)
++ state == TCP_CLOSE)
+ mask |= EPOLLHUP;
+
+ /*
+ * we set writable also when the other side has shut down the
+ * connection. This prevents stuck sockets.
+ */
+- if (unix_writable(sk))
++ if (unix_writable(sk, state))
+ mask |= EPOLLOUT | EPOLLWRNORM | EPOLLWRBAND;
+
+ return mask;
+@@ -3114,12 +3116,14 @@ static __poll_t unix_dgram_poll(struct file *file, struct socket *sock,
+ {
+ struct sock *sk = sock->sk, *other;
+ unsigned int writable;
++ unsigned char state;
+ __poll_t mask;
+ u8 shutdown;
+
+ sock_poll_wait(file, sock, wait);
+ mask = 0;
+ shutdown = READ_ONCE(sk->sk_shutdown);
++ state = READ_ONCE(sk->sk_state);
+
+ /* exceptional events? */
+ if (sk->sk_err || !skb_queue_empty_lockless(&sk->sk_error_queue))
+@@ -3138,19 +3142,14 @@ static __poll_t unix_dgram_poll(struct file *file, struct socket *sock,
+ mask |= EPOLLIN | EPOLLRDNORM;
+
+ /* Connection-based need to check for termination and startup */
+- if (sk->sk_type == SOCK_SEQPACKET) {
+- if (sk->sk_state == TCP_CLOSE)
+- mask |= EPOLLHUP;
+- /* connection hasn't started yet? */
+- if (sk->sk_state == TCP_SYN_SENT)
+- return mask;
+- }
++ if (sk->sk_type == SOCK_SEQPACKET && state == TCP_CLOSE)
++ mask |= EPOLLHUP;
+
+ /* No write status requested, avoid expensive OUT tests. */
+ if (!(poll_requested_events(wait) & (EPOLLWRBAND|EPOLLWRNORM|EPOLLOUT)))
+ return mask;
+
+- writable = unix_writable(sk);
++ writable = unix_writable(sk, state);
+ if (writable) {
+ unix_state_lock(sk);
+
+--
+2.43.0
+
--- /dev/null
+From 3e7745374f5d333d3c29dd950a845f1990da2cb9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jun 2024 09:52:35 -0700
+Subject: af_unix: Annotate data-races around sk->sk_state in UNIX_DIAG.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 0aa3be7b3e1f8f997312cc4705f8165e02806f8f ]
+
+While dumping AF_UNIX sockets via UNIX_DIAG, sk->sk_state is read
+locklessly.
+
+Let's use READ_ONCE() there.
+
+Note that the result could be inconsistent if the socket is dumped
+during the state change. This is common for other SOCK_DIAG and
+similar interfaces.
+
+Fixes: c9da99e6475f ("unix_diag: Fixup RQLEN extension report")
+Fixes: 2aac7a2cb0d9 ("unix_diag: Pending connections IDs NLA")
+Fixes: 45a96b9be6ec ("unix_diag: Dumping all sockets core")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/diag.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/unix/diag.c b/net/unix/diag.c
+index 15aaeabb1363b..94c8f509261d0 100644
+--- a/net/unix/diag.c
++++ b/net/unix/diag.c
+@@ -65,7 +65,7 @@ static int sk_diag_dump_icons(struct sock *sk, struct sk_buff *nlskb)
+ u32 *buf;
+ int i;
+
+- if (sk->sk_state == TCP_LISTEN) {
++ if (READ_ONCE(sk->sk_state) == TCP_LISTEN) {
+ spin_lock(&sk->sk_receive_queue.lock);
+
+ attr = nla_reserve(nlskb, UNIX_DIAG_ICONS,
+@@ -103,7 +103,7 @@ static int sk_diag_show_rqlen(struct sock *sk, struct sk_buff *nlskb)
+ {
+ struct unix_diag_rqlen rql;
+
+- if (sk->sk_state == TCP_LISTEN) {
++ if (READ_ONCE(sk->sk_state) == TCP_LISTEN) {
+ rql.udiag_rqueue = sk->sk_receive_queue.qlen;
+ rql.udiag_wqueue = sk->sk_max_ack_backlog;
+ } else {
+@@ -136,7 +136,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, struct unix_diag_r
+ rep = nlmsg_data(nlh);
+ rep->udiag_family = AF_UNIX;
+ rep->udiag_type = sk->sk_type;
+- rep->udiag_state = sk->sk_state;
++ rep->udiag_state = READ_ONCE(sk->sk_state);
+ rep->pad = 0;
+ rep->udiag_ino = sk_ino;
+ sock_diag_save_cookie(sk, rep->udiag_cookie);
+@@ -219,7 +219,7 @@ static int unix_diag_dump(struct sk_buff *skb, struct netlink_callback *cb)
+ continue;
+ if (num < s_num)
+ goto next;
+- if (!(req->udiag_states & (1 << sk->sk_state)))
++ if (!(req->udiag_states & (1 << READ_ONCE(sk->sk_state))))
+ goto next;
+ if (sk_diag_dump(sk, skb, req, sk_user_ns(skb->sk),
+ NETLINK_CB(cb->skb).portid,
+--
+2.43.0
+
--- /dev/null
+From d67e0043413caa1b66c8d9bb708330ddeebf7fa3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Mar 2023 20:57:46 +0000
+Subject: af_unix: annotate lockless accesses to sk->sk_err
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit cc04410af7de348234ac36a5f50c4ce416efdb4b ]
+
+unix_poll() and unix_dgram_poll() read sk->sk_err
+without any lock held.
+
+Add relevant READ_ONCE()/WRITE_ONCE() annotations.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 83690b82d228 ("af_unix: Use skb_queue_empty_lockless() in unix_release_sock().")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 3fa86d70467c2..85b1c0d7c287a 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -500,7 +500,7 @@ static void unix_dgram_disconnected(struct sock *sk, struct sock *other)
+ * when peer was not connected to us.
+ */
+ if (!sock_flag(other, SOCK_DEAD) && unix_peer(other) == sk) {
+- other->sk_err = ECONNRESET;
++ WRITE_ONCE(other->sk_err, ECONNRESET);
+ sk_error_report(other);
+ }
+ }
+@@ -571,7 +571,7 @@ static void unix_release_sock(struct sock *sk, int embrion)
+ /* No more writes */
+ WRITE_ONCE(skpair->sk_shutdown, SHUTDOWN_MASK);
+ if (!skb_queue_empty(&sk->sk_receive_queue) || embrion)
+- skpair->sk_err = ECONNRESET;
++ WRITE_ONCE(skpair->sk_err, ECONNRESET);
+ unix_state_unlock(skpair);
+ skpair->sk_state_change(skpair);
+ sk_wake_async(skpair, SOCK_WAKE_WAITD, POLL_HUP);
+@@ -3108,7 +3108,7 @@ static __poll_t unix_poll(struct file *file, struct socket *sock, poll_table *wa
+ state = READ_ONCE(sk->sk_state);
+
+ /* exceptional events? */
+- if (sk->sk_err)
++ if (READ_ONCE(sk->sk_err))
+ mask |= EPOLLERR;
+ if (shutdown == SHUTDOWN_MASK)
+ mask |= EPOLLHUP;
+@@ -3155,7 +3155,8 @@ static __poll_t unix_dgram_poll(struct file *file, struct socket *sock,
+ state = READ_ONCE(sk->sk_state);
+
+ /* exceptional events? */
+- if (sk->sk_err || !skb_queue_empty_lockless(&sk->sk_error_queue))
++ if (READ_ONCE(sk->sk_err) ||
++ !skb_queue_empty_lockless(&sk->sk_error_queue))
+ mask |= EPOLLERR |
+ (sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? EPOLLPRI : 0);
+
+--
+2.43.0
+
--- /dev/null
+From 871f1d52052c897d94a9ed0573e073d4fe7ff7e0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Jun 2022 10:19:08 -0700
+Subject: af_unix: Clean up some sock_net() uses.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 340c3d337119ea177a98338be2e3bc62ee87ac80 ]
+
+Some functions define a net pointer only for one-shot use. Others call
+sock_net() redundantly even when a net pointer is available. Let's fix
+these and make the code simpler.
+
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: a9bf9c7dc6a5 ("af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 33 ++++++++++++++-------------------
+ net/unix/diag.c | 3 +--
+ 2 files changed, 15 insertions(+), 21 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index a848e777e448c..9800d255a8bc7 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -903,7 +903,7 @@ static struct sock *unix_create1(struct net *net, struct socket *sock, int kern,
+ memset(&u->scm_stat, 0, sizeof(struct scm_stat));
+ unix_insert_socket(unix_sockets_unbound(sk), sk);
+
+- sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
++ sock_prot_inuse_add(net, sk->sk_prot, 1);
+
+ return sk;
+
+@@ -1247,9 +1247,8 @@ static void unix_state_double_unlock(struct sock *sk1, struct sock *sk2)
+ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr,
+ int alen, int flags)
+ {
+- struct sock *sk = sock->sk;
+- struct net *net = sock_net(sk);
+ struct sockaddr_un *sunaddr = (struct sockaddr_un *)addr;
++ struct sock *sk = sock->sk;
+ struct sock *other;
+ int err;
+
+@@ -1270,7 +1269,7 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr,
+ }
+
+ restart:
+- other = unix_find_other(net, sunaddr, alen, sock->type);
++ other = unix_find_other(sock_net(sk), sunaddr, alen, sock->type);
+ if (IS_ERR(other)) {
+ err = PTR_ERR(other);
+ goto out;
+@@ -1366,15 +1365,13 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr,
+ int addr_len, int flags)
+ {
+ struct sockaddr_un *sunaddr = (struct sockaddr_un *)uaddr;
+- struct sock *sk = sock->sk;
+- struct net *net = sock_net(sk);
++ struct sock *sk = sock->sk, *newsk = NULL, *other = NULL;
+ struct unix_sock *u = unix_sk(sk), *newu, *otheru;
+- struct sock *newsk = NULL;
+- struct sock *other = NULL;
++ struct net *net = sock_net(sk);
+ struct sk_buff *skb = NULL;
+- int st;
+- int err;
+ long timeo;
++ int err;
++ int st;
+
+ err = unix_validate_addr(sunaddr, addr_len);
+ if (err)
+@@ -1394,7 +1391,7 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr,
+ */
+
+ /* create new sock for complete connection */
+- newsk = unix_create1(sock_net(sk), NULL, 0, sock->type);
++ newsk = unix_create1(net, NULL, 0, sock->type);
+ if (IS_ERR(newsk)) {
+ err = PTR_ERR(newsk);
+ newsk = NULL;
+@@ -1803,17 +1800,15 @@ static void scm_stat_del(struct sock *sk, struct sk_buff *skb)
+ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg,
+ size_t len)
+ {
+- struct sock *sk = sock->sk;
+- struct net *net = sock_net(sk);
+- struct unix_sock *u = unix_sk(sk);
+ DECLARE_SOCKADDR(struct sockaddr_un *, sunaddr, msg->msg_name);
+- struct sock *other = NULL;
+- int err;
+- struct sk_buff *skb;
+- long timeo;
++ struct sock *sk = sock->sk, *other = NULL;
++ struct unix_sock *u = unix_sk(sk);
+ struct scm_cookie scm;
++ struct sk_buff *skb;
+ int data_len = 0;
+ int sk_locked;
++ long timeo;
++ int err;
+
+ wait_for_unix_gc();
+ err = scm_send(sock, msg, &scm, false);
+@@ -1880,7 +1875,7 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg,
+ if (sunaddr == NULL)
+ goto out_free;
+
+- other = unix_find_other(net, sunaddr, msg->msg_namelen,
++ other = unix_find_other(sock_net(sk), sunaddr, msg->msg_namelen,
+ sk->sk_type);
+ if (IS_ERR(other)) {
+ err = PTR_ERR(other);
+diff --git a/net/unix/diag.c b/net/unix/diag.c
+index 006438e2e07a2..15aaeabb1363b 100644
+--- a/net/unix/diag.c
++++ b/net/unix/diag.c
+@@ -312,7 +312,6 @@ static int unix_diag_get_exact(struct sk_buff *in_skb,
+ static int unix_diag_handler_dump(struct sk_buff *skb, struct nlmsghdr *h)
+ {
+ int hdrlen = sizeof(struct unix_diag_req);
+- struct net *net = sock_net(skb->sk);
+
+ if (nlmsg_len(h) < hdrlen)
+ return -EINVAL;
+@@ -321,7 +320,7 @@ static int unix_diag_handler_dump(struct sk_buff *skb, struct nlmsghdr *h)
+ struct netlink_dump_control c = {
+ .dump = unix_diag_dump,
+ };
+- return netlink_dump_start(net->diag_nlsk, skb, h, &c);
++ return netlink_dump_start(sock_net(skb->sk)->diag_nlsk, skb, h, &c);
+ } else
+ return unix_diag_get_exact(skb, h, nlmsg_data(h));
+ }
+--
+2.43.0
+
--- /dev/null
+From a521bba7af6be404371346310d94ccd7c1e8c224 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Nov 2021 11:14:24 +0900
+Subject: af_unix: Copy unix_mkname() into unix_find_(bsd|abstract)().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.co.jp>
+
+[ Upstream commit d2d8c9fddb1c11ccfa73bf0ad2b1e6b4ea7afdaf ]
+
+We should not call unix_mkname() before unix_find_other() and instead do
+the same thing where necessary based on the address type:
+
+ - terminating the address with '\0' in unix_find_bsd()
+ - calculating the hash in unix_find_abstract().
+
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.co.jp>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: a9bf9c7dc6a5 ("af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 63 ++++++++++++++++++----------------------------
+ 1 file changed, 25 insertions(+), 38 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 8aeafe66e6115..a848e777e448c 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -239,19 +239,25 @@ static int unix_validate_addr(struct sockaddr_un *sunaddr, int addr_len)
+ return 0;
+ }
+
++static void unix_mkname_bsd(struct sockaddr_un *sunaddr, int addr_len)
++{
++ /* This may look like an off by one error but it is a bit more
++ * subtle. 108 is the longest valid AF_UNIX path for a binding.
++ * sun_path[108] doesn't as such exist. However in kernel space
++ * we are guaranteed that it is a valid memory location in our
++ * kernel address buffer because syscall functions always pass
++ * a pointer of struct sockaddr_storage which has a bigger buffer
++ * than 108.
++ */
++ ((char *)sunaddr)[addr_len] = 0;
++}
++
+ static int unix_mkname(struct sockaddr_un *sunaddr, int len, unsigned int *hashp)
+ {
+ *hashp = 0;
+
+ if (sunaddr->sun_path[0]) {
+- /*
+- * This may look like an off by one error but it is a bit more
+- * subtle. 108 is the longest valid AF_UNIX path for a binding.
+- * sun_path[108] doesn't as such exist. However in kernel space
+- * we are guaranteed that it is a valid memory location in our
+- * kernel address buffer.
+- */
+- ((char *)sunaddr)[len] = 0;
++ unix_mkname_bsd(sunaddr, len);
+ len = strlen(sunaddr->sun_path) +
+ offsetof(struct sockaddr_un, sun_path) + 1;
+ return len;
+@@ -959,13 +965,14 @@ static int unix_release(struct socket *sock)
+ }
+
+ static struct sock *unix_find_bsd(struct net *net, struct sockaddr_un *sunaddr,
+- int type)
++ int addr_len, int type)
+ {
+ struct inode *inode;
+ struct path path;
+ struct sock *sk;
+ int err;
+
++ unix_mkname_bsd(sunaddr, addr_len);
+ err = kern_path(sunaddr->sun_path, LOOKUP_FOLLOW, &path);
+ if (err)
+ goto fail;
+@@ -1003,9 +1010,9 @@ static struct sock *unix_find_bsd(struct net *net, struct sockaddr_un *sunaddr,
+
+ static struct sock *unix_find_abstract(struct net *net,
+ struct sockaddr_un *sunaddr,
+- int addr_len, int type,
+- unsigned int hash)
++ int addr_len, int type)
+ {
++ unsigned int hash = unix_hash_fold(csum_partial(sunaddr, addr_len, 0));
+ struct dentry *dentry;
+ struct sock *sk;
+
+@@ -1022,15 +1029,14 @@ static struct sock *unix_find_abstract(struct net *net,
+
+ static struct sock *unix_find_other(struct net *net,
+ struct sockaddr_un *sunaddr,
+- int addr_len, int type,
+- unsigned int hash)
++ int addr_len, int type)
+ {
+ struct sock *sk;
+
+ if (sunaddr->sun_path[0])
+- sk = unix_find_bsd(net, sunaddr, type);
++ sk = unix_find_bsd(net, sunaddr, addr_len, type);
+ else
+- sk = unix_find_abstract(net, sunaddr, addr_len, type, hash);
++ sk = unix_find_abstract(net, sunaddr, addr_len, type);
+
+ return sk;
+ }
+@@ -1245,7 +1251,6 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr,
+ struct net *net = sock_net(sk);
+ struct sockaddr_un *sunaddr = (struct sockaddr_un *)addr;
+ struct sock *other;
+- unsigned int hash;
+ int err;
+
+ err = -EINVAL;
+@@ -1257,11 +1262,6 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr,
+ if (err)
+ goto out;
+
+- err = unix_mkname(sunaddr, alen, &hash);
+- if (err < 0)
+- goto out;
+- alen = err;
+-
+ if (test_bit(SOCK_PASSCRED, &sock->flags) &&
+ !unix_sk(sk)->addr) {
+ err = unix_autobind(sk);
+@@ -1270,7 +1270,7 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr,
+ }
+
+ restart:
+- other = unix_find_other(net, sunaddr, alen, sock->type, hash);
++ other = unix_find_other(net, sunaddr, alen, sock->type);
+ if (IS_ERR(other)) {
+ err = PTR_ERR(other);
+ goto out;
+@@ -1372,7 +1372,6 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr,
+ struct sock *newsk = NULL;
+ struct sock *other = NULL;
+ struct sk_buff *skb = NULL;
+- unsigned int hash;
+ int st;
+ int err;
+ long timeo;
+@@ -1381,11 +1380,6 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr,
+ if (err)
+ goto out;
+
+- err = unix_mkname(sunaddr, addr_len, &hash);
+- if (err < 0)
+- goto out;
+- addr_len = err;
+-
+ if (test_bit(SOCK_PASSCRED, &sock->flags) && !u->addr) {
+ err = unix_autobind(sk);
+ if (err)
+@@ -1416,7 +1410,7 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr,
+
+ restart:
+ /* Find listening sock. */
+- other = unix_find_other(net, sunaddr, addr_len, sk->sk_type, hash);
++ other = unix_find_other(net, sunaddr, addr_len, sk->sk_type);
+ if (IS_ERR(other)) {
+ err = PTR_ERR(other);
+ other = NULL;
+@@ -1814,9 +1808,7 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg,
+ struct unix_sock *u = unix_sk(sk);
+ DECLARE_SOCKADDR(struct sockaddr_un *, sunaddr, msg->msg_name);
+ struct sock *other = NULL;
+- int namelen = 0; /* fake GCC */
+ int err;
+- unsigned int hash;
+ struct sk_buff *skb;
+ long timeo;
+ struct scm_cookie scm;
+@@ -1836,11 +1828,6 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg,
+ err = unix_validate_addr(sunaddr, msg->msg_namelen);
+ if (err)
+ goto out;
+-
+- err = unix_mkname(sunaddr, msg->msg_namelen, &hash);
+- if (err < 0)
+- goto out;
+- namelen = err;
+ } else {
+ sunaddr = NULL;
+ err = -ENOTCONN;
+@@ -1893,8 +1880,8 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg,
+ if (sunaddr == NULL)
+ goto out_free;
+
+- other = unix_find_other(net, sunaddr, namelen, sk->sk_type,
+- hash);
++ other = unix_find_other(net, sunaddr, msg->msg_namelen,
++ sk->sk_type);
+ if (IS_ERR(other)) {
+ err = PTR_ERR(other);
+ other = NULL;
+--
+2.43.0
+
--- /dev/null
+From 66094a2eae821c3437f6bee8337b83adbd0663a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Nov 2021 11:14:23 +0900
+Subject: af_unix: Cut unix_validate_addr() out of unix_mkname().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.co.jp>
+
+[ Upstream commit b8a58aa6fccc5b2940f0da18c7f02e8a1deb693a ]
+
+unix_mkname() tests socket address length and family and does some
+processing based on the address type. It is called in the early stage,
+and therefore some instructions are redundant and can end up in vain.
+
+The address length/family tests are done twice in unix_bind(). Also, the
+address type is rechecked later in unix_bind() and unix_find_other(), where
+we can do the same processing. Moreover, in the BSD address case, the hash
+is set to 0 but never used and confusing.
+
+This patch moves the address tests out of unix_mkname(), and the following
+patches move the other part into appropriate places and remove
+unix_mkname() finally.
+
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.co.jp>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: a9bf9c7dc6a5 ("af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 40 ++++++++++++++++++++++++++++++----------
+ 1 file changed, 30 insertions(+), 10 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 0a1258b417a9d..8aeafe66e6115 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -227,15 +227,22 @@ static inline void unix_release_addr(struct unix_address *addr)
+ * - if started by zero, it is abstract name.
+ */
+
++static int unix_validate_addr(struct sockaddr_un *sunaddr, int addr_len)
++{
++ if (addr_len <= offsetof(struct sockaddr_un, sun_path) ||
++ addr_len > sizeof(*sunaddr))
++ return -EINVAL;
++
++ if (sunaddr->sun_family != AF_UNIX)
++ return -EINVAL;
++
++ return 0;
++}
++
+ static int unix_mkname(struct sockaddr_un *sunaddr, int len, unsigned int *hashp)
+ {
+ *hashp = 0;
+
+- if (len <= offsetof(struct sockaddr_un, sun_path) ||
+- len > sizeof(*sunaddr))
+- return -EINVAL;
+- if (!sunaddr || sunaddr->sun_family != AF_UNIX)
+- return -EINVAL;
+ if (sunaddr->sun_path[0]) {
+ /*
+ * This may look like an off by one error but it is a bit more
+@@ -1178,13 +1185,14 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
+ unsigned int hash;
+ struct unix_address *addr;
+
+- if (addr_len < offsetofend(struct sockaddr_un, sun_family) ||
+- sunaddr->sun_family != AF_UNIX)
+- return -EINVAL;
+-
+- if (addr_len == offsetof(struct sockaddr_un, sun_path))
++ if (addr_len == offsetof(struct sockaddr_un, sun_path) &&
++ sunaddr->sun_family == AF_UNIX)
+ return unix_autobind(sk);
+
++ err = unix_validate_addr(sunaddr, addr_len);
++ if (err)
++ return err;
++
+ err = unix_mkname(sunaddr, addr_len, &hash);
+ if (err < 0)
+ return err;
+@@ -1245,6 +1253,10 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr,
+ goto out;
+
+ if (addr->sa_family != AF_UNSPEC) {
++ err = unix_validate_addr(sunaddr, alen);
++ if (err)
++ goto out;
++
+ err = unix_mkname(sunaddr, alen, &hash);
+ if (err < 0)
+ goto out;
+@@ -1365,6 +1377,10 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr,
+ int err;
+ long timeo;
+
++ err = unix_validate_addr(sunaddr, addr_len);
++ if (err)
++ goto out;
++
+ err = unix_mkname(sunaddr, addr_len, &hash);
+ if (err < 0)
+ goto out;
+@@ -1817,6 +1833,10 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg,
+ goto out;
+
+ if (msg->msg_namelen) {
++ err = unix_validate_addr(sunaddr, msg->msg_namelen);
++ if (err)
++ goto out;
++
+ err = unix_mkname(sunaddr, msg->msg_namelen, &hash);
+ if (err < 0)
+ goto out;
+--
+2.43.0
+
--- /dev/null
+From 37f21e3bf98191271a970d44f8437110434cf447 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Nov 2021 11:14:21 +0900
+Subject: af_unix: Factorise unix_find_other() based on address types.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.co.jp>
+
+[ Upstream commit fa39ef0e472961baef49ddb0e6f7b8ebb555bd8f ]
+
+As done in the commit fa42d910a38e ("unix_bind(): take BSD and abstract
+address cases into new helpers"), this patch moves BSD and abstract address
+cases from unix_find_other() into unix_find_bsd() and unix_find_abstract().
+
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.co.jp>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: a9bf9c7dc6a5 ("af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 136 +++++++++++++++++++++++++++------------------
+ 1 file changed, 81 insertions(+), 55 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 1fc3022510093..20a7be3effe83 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -951,6 +951,87 @@ static int unix_release(struct socket *sock)
+ return 0;
+ }
+
++static struct sock *unix_find_bsd(struct net *net, struct sockaddr_un *sunaddr,
++ int type, int *error)
++{
++ struct inode *inode;
++ struct path path;
++ struct sock *sk;
++ int err;
++
++ err = kern_path(sunaddr->sun_path, LOOKUP_FOLLOW, &path);
++ if (err)
++ goto fail;
++
++ err = path_permission(&path, MAY_WRITE);
++ if (err)
++ goto path_put;
++
++ err = -ECONNREFUSED;
++ inode = d_backing_inode(path.dentry);
++ if (!S_ISSOCK(inode->i_mode))
++ goto path_put;
++
++ sk = unix_find_socket_byinode(inode);
++ if (!sk)
++ goto path_put;
++
++ err = -EPROTOTYPE;
++ if (sk->sk_type == type)
++ touch_atime(&path);
++ else
++ goto sock_put;
++
++ path_put(&path);
++
++ return sk;
++
++sock_put:
++ sock_put(sk);
++path_put:
++ path_put(&path);
++fail:
++ *error = err;
++ return NULL;
++}
++
++static struct sock *unix_find_abstract(struct net *net,
++ struct sockaddr_un *sunaddr,
++ int addr_len, int type,
++ unsigned int hash, int *error)
++{
++ struct dentry *dentry;
++ struct sock *sk;
++
++ sk = unix_find_socket_byname(net, sunaddr, addr_len, type ^ hash);
++ if (!sk) {
++ *error = -ECONNREFUSED;
++ return NULL;
++ }
++
++ dentry = unix_sk(sk)->path.dentry;
++ if (dentry)
++ touch_atime(&unix_sk(sk)->path);
++
++ return sk;
++}
++
++static struct sock *unix_find_other(struct net *net,
++ struct sockaddr_un *sunaddr,
++ int addr_len, int type,
++ unsigned int hash, int *error)
++{
++ struct sock *sk;
++
++ if (sunaddr->sun_path[0])
++ sk = unix_find_bsd(net, sunaddr, type, error);
++ else
++ sk = unix_find_abstract(net, sunaddr, addr_len, type, hash,
++ error);
++
++ return sk;
++}
++
+ static int unix_autobind(struct sock *sk)
+ {
+ struct unix_sock *u = unix_sk(sk);
+@@ -1009,61 +1090,6 @@ out: mutex_unlock(&u->bindlock);
+ return err;
+ }
+
+-static struct sock *unix_find_other(struct net *net,
+- struct sockaddr_un *sunname, int len,
+- int type, unsigned int hash, int *error)
+-{
+- struct sock *u;
+- struct path path;
+- int err = 0;
+-
+- if (sunname->sun_path[0]) {
+- struct inode *inode;
+- err = kern_path(sunname->sun_path, LOOKUP_FOLLOW, &path);
+- if (err)
+- goto fail;
+- inode = d_backing_inode(path.dentry);
+- err = path_permission(&path, MAY_WRITE);
+- if (err)
+- goto put_fail;
+-
+- err = -ECONNREFUSED;
+- if (!S_ISSOCK(inode->i_mode))
+- goto put_fail;
+- u = unix_find_socket_byinode(inode);
+- if (!u)
+- goto put_fail;
+-
+- if (u->sk_type == type)
+- touch_atime(&path);
+-
+- path_put(&path);
+-
+- err = -EPROTOTYPE;
+- if (u->sk_type != type) {
+- sock_put(u);
+- goto fail;
+- }
+- } else {
+- err = -ECONNREFUSED;
+- u = unix_find_socket_byname(net, sunname, len, type ^ hash);
+- if (u) {
+- struct dentry *dentry;
+- dentry = unix_sk(u)->path.dentry;
+- if (dentry)
+- touch_atime(&unix_sk(u)->path);
+- } else
+- goto fail;
+- }
+- return u;
+-
+-put_fail:
+- path_put(&path);
+-fail:
+- *error = err;
+- return NULL;
+-}
+-
+ static int unix_bind_bsd(struct sock *sk, struct unix_address *addr)
+ {
+ struct unix_sock *u = unix_sk(sk);
+--
+2.43.0
+
--- /dev/null
+From 6e28b0638dc4a6110a6b56646b3b62d9619a0076 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Nov 2021 11:14:20 +0900
+Subject: af_unix: Pass struct sock to unix_autobind().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.co.jp>
+
+[ Upstream commit f7ed31f4615f4e1d97c0e4325c5b8a240e10073c ]
+
+We do not use struct socket in unix_autobind() and pass struct sock to
+unix_bind_bsd() and unix_bind_abstract(). Let's pass it to unix_autobind()
+as well.
+
+Also, this patch fixes these errors by checkpatch.pl.
+
+ ERROR: do not use assignment in if condition
+ #1795: FILE: net/unix/af_unix.c:1795:
+ + if (test_bit(SOCK_PASSCRED, &sock->flags) && !u->addr
+
+ CHECK: Logical continuations should be on the previous line
+ #1796: FILE: net/unix/af_unix.c:1796:
+ + if (test_bit(SOCK_PASSCRED, &sock->flags) && !u->addr
+ + && (err = unix_autobind(sock)) != 0)
+
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.co.jp>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: a9bf9c7dc6a5 ("af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 36 +++++++++++++++++++++---------------
+ 1 file changed, 21 insertions(+), 15 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 7d58067ffd3f8..1fc3022510093 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -951,15 +951,13 @@ static int unix_release(struct socket *sock)
+ return 0;
+ }
+
+-static int unix_autobind(struct socket *sock)
++static int unix_autobind(struct sock *sk)
+ {
+- struct sock *sk = sock->sk;
+- struct net *net = sock_net(sk);
+ struct unix_sock *u = unix_sk(sk);
+- static u32 ordernum = 1;
+ struct unix_address *addr;
+- int err;
+ unsigned int retries = 0;
++ static u32 ordernum = 1;
++ int err;
+
+ err = mutex_lock_interruptible(&u->bindlock);
+ if (err)
+@@ -986,7 +984,8 @@ static int unix_autobind(struct socket *sock)
+ spin_lock(&unix_table_lock);
+ ordernum = (ordernum+1)&0xFFFFF;
+
+- if (__unix_find_socket_byname(net, addr->name, addr->len, addr->hash)) {
++ if (__unix_find_socket_byname(sock_net(sk), addr->name, addr->len,
++ addr->hash)) {
+ spin_unlock(&unix_table_lock);
+ /*
+ * __unix_find_socket_byname() may take long time if many names
+@@ -1162,7 +1161,7 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
+ return -EINVAL;
+
+ if (addr_len == offsetof(struct sockaddr_un, sun_path))
+- return unix_autobind(sock);
++ return unix_autobind(sk);
+
+ err = unix_mkname(sunaddr, addr_len, &hash);
+ if (err < 0)
+@@ -1230,8 +1229,11 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr,
+ alen = err;
+
+ if (test_bit(SOCK_PASSCRED, &sock->flags) &&
+- !unix_sk(sk)->addr && (err = unix_autobind(sock)) != 0)
+- goto out;
++ !unix_sk(sk)->addr) {
++ err = unix_autobind(sk);
++ if (err)
++ goto out;
++ }
+
+ restart:
+ other = unix_find_other(net, sunaddr, alen, sock->type, hash, &err);
+@@ -1344,9 +1346,11 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr,
+ goto out;
+ addr_len = err;
+
+- if (test_bit(SOCK_PASSCRED, &sock->flags) && !u->addr &&
+- (err = unix_autobind(sock)) != 0)
+- goto out;
++ if (test_bit(SOCK_PASSCRED, &sock->flags) && !u->addr) {
++ err = unix_autobind(sk);
++ if (err)
++ goto out;
++ }
+
+ timeo = sock_sndtimeo(sk, flags & O_NONBLOCK);
+
+@@ -1798,9 +1802,11 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg,
+ goto out;
+ }
+
+- if (test_bit(SOCK_PASSCRED, &sock->flags) && !u->addr
+- && (err = unix_autobind(sock)) != 0)
+- goto out;
++ if (test_bit(SOCK_PASSCRED, &sock->flags) && !u->addr) {
++ err = unix_autobind(sk);
++ if (err)
++ goto out;
++ }
+
+ err = -EMSGSIZE;
+ if (len > sk->sk_sndbuf - 32)
+--
+2.43.0
+
--- /dev/null
+From 8d66d269fbdf2e746bb696f4723f626698608dee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Nov 2021 11:14:22 +0900
+Subject: af_unix: Return an error as a pointer in unix_find_other().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.co.jp>
+
+[ Upstream commit aed26f557bbc94f0c778f63d7dfe86af99208f68 ]
+
+We can return an error as a pointer and need not pass an additional
+argument to unix_find_other().
+
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.co.jp>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: a9bf9c7dc6a5 ("af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 40 ++++++++++++++++++++++------------------
+ 1 file changed, 22 insertions(+), 18 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 20a7be3effe83..0a1258b417a9d 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -952,7 +952,7 @@ static int unix_release(struct socket *sock)
+ }
+
+ static struct sock *unix_find_bsd(struct net *net, struct sockaddr_un *sunaddr,
+- int type, int *error)
++ int type)
+ {
+ struct inode *inode;
+ struct path path;
+@@ -991,23 +991,20 @@ static struct sock *unix_find_bsd(struct net *net, struct sockaddr_un *sunaddr,
+ path_put:
+ path_put(&path);
+ fail:
+- *error = err;
+- return NULL;
++ return ERR_PTR(err);
+ }
+
+ static struct sock *unix_find_abstract(struct net *net,
+ struct sockaddr_un *sunaddr,
+ int addr_len, int type,
+- unsigned int hash, int *error)
++ unsigned int hash)
+ {
+ struct dentry *dentry;
+ struct sock *sk;
+
+ sk = unix_find_socket_byname(net, sunaddr, addr_len, type ^ hash);
+- if (!sk) {
+- *error = -ECONNREFUSED;
+- return NULL;
+- }
++ if (!sk)
++ return ERR_PTR(-ECONNREFUSED);
+
+ dentry = unix_sk(sk)->path.dentry;
+ if (dentry)
+@@ -1019,15 +1016,14 @@ static struct sock *unix_find_abstract(struct net *net,
+ static struct sock *unix_find_other(struct net *net,
+ struct sockaddr_un *sunaddr,
+ int addr_len, int type,
+- unsigned int hash, int *error)
++ unsigned int hash)
+ {
+ struct sock *sk;
+
+ if (sunaddr->sun_path[0])
+- sk = unix_find_bsd(net, sunaddr, type, error);
++ sk = unix_find_bsd(net, sunaddr, type);
+ else
+- sk = unix_find_abstract(net, sunaddr, addr_len, type, hash,
+- error);
++ sk = unix_find_abstract(net, sunaddr, addr_len, type, hash);
+
+ return sk;
+ }
+@@ -1262,9 +1258,11 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr,
+ }
+
+ restart:
+- other = unix_find_other(net, sunaddr, alen, sock->type, hash, &err);
+- if (!other)
++ other = unix_find_other(net, sunaddr, alen, sock->type, hash);
++ if (IS_ERR(other)) {
++ err = PTR_ERR(other);
+ goto out;
++ }
+
+ unix_state_double_lock(sk, other);
+
+@@ -1402,9 +1400,12 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr,
+
+ restart:
+ /* Find listening sock. */
+- other = unix_find_other(net, sunaddr, addr_len, sk->sk_type, hash, &err);
+- if (!other)
++ other = unix_find_other(net, sunaddr, addr_len, sk->sk_type, hash);
++ if (IS_ERR(other)) {
++ err = PTR_ERR(other);
++ other = NULL;
+ goto out;
++ }
+
+ /* Latch state of peer */
+ unix_state_lock(other);
+@@ -1873,9 +1874,12 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg,
+ goto out_free;
+
+ other = unix_find_other(net, sunaddr, namelen, sk->sk_type,
+- hash, &err);
+- if (other == NULL)
++ hash);
++ if (IS_ERR(other)) {
++ err = PTR_ERR(other);
++ other = NULL;
+ goto out_free;
++ }
+ }
+
+ if (sk_filter(other, skb) < 0) {
+--
+2.43.0
+
--- /dev/null
+From afe6f203c22c6b2ebb197c34f902211d748b58f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jun 2024 09:52:27 -0700
+Subject: af_unix: Set sk->sk_state under unix_state_lock() for truly
+ disconencted peer.
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 26bfb8b57063f52b867f9b6c8d1742fcb5bd656c ]
+
+When a SOCK_DGRAM socket connect()s to another socket, the both sockets'
+sk->sk_state are changed to TCP_ESTABLISHED so that we can register them
+to BPF SOCKMAP.
+
+When the socket disconnects from the peer by connect(AF_UNSPEC), the state
+is set back to TCP_CLOSE.
+
+Then, the peer's state is also set to TCP_CLOSE, but the update is done
+locklessly and unconditionally.
+
+Let's say socket A connect()ed to B, B connect()ed to C, and A disconnects
+from B.
+
+After the first two connect()s, all three sockets' sk->sk_state are
+TCP_ESTABLISHED:
+
+ $ ss -xa
+ Netid State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
+ u_dgr ESTAB 0 0 @A 641 * 642
+ u_dgr ESTAB 0 0 @B 642 * 643
+ u_dgr ESTAB 0 0 @C 643 * 0
+
+And after the disconnect, B's state is TCP_CLOSE even though it's still
+connected to C and C's state is TCP_ESTABLISHED.
+
+ $ ss -xa
+ Netid State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
+ u_dgr UNCONN 0 0 @A 641 * 0
+ u_dgr UNCONN 0 0 @B 642 * 643
+ u_dgr ESTAB 0 0 @C 643 * 0
+
+In this case, we cannot register B to SOCKMAP.
+
+So, when a socket disconnects from the peer, we should not set TCP_CLOSE to
+the peer if the peer is connected to yet another socket, and this must be
+done under unix_state_lock().
+
+Note that we use WRITE_ONCE() for sk->sk_state as there are many lockless
+readers. These data-races will be fixed in the following patches.
+
+Fixes: 83301b5367a9 ("af_unix: Set TCP_ESTABLISHED for datagram sockets too")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 80f91b5ab4012..914e40697f00a 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -495,7 +495,6 @@ static void unix_dgram_disconnected(struct sock *sk, struct sock *other)
+ sk_error_report(other);
+ }
+ }
+- other->sk_state = TCP_CLOSE;
+ }
+
+ static void unix_sock_destructor(struct sock *sk)
+@@ -1277,8 +1276,15 @@ static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr,
+
+ unix_state_double_unlock(sk, other);
+
+- if (other != old_peer)
++ if (other != old_peer) {
+ unix_dgram_disconnected(sk, old_peer);
++
++ unix_state_lock(old_peer);
++ if (!unix_peer(old_peer))
++ WRITE_ONCE(old_peer->sk_state, TCP_CLOSE);
++ unix_state_unlock(old_peer);
++ }
++
+ sock_put(old_peer);
+ } else {
+ unix_peer(sk) = other;
+--
+2.43.0
+
--- /dev/null
+From 9f19d9848e020c6dd48d37bfff3428f2376e72dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Nov 2021 11:14:19 +0900
+Subject: af_unix: Use offsetof() instead of sizeof().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.co.jp>
+
+[ Upstream commit 755662ce78d14c1a9118df921c528b1f992ded2e ]
+
+The length of the AF_UNIX socket address contains an offset to the member
+sun_path of struct sockaddr_un.
+
+Currently, the preceding member is just sun_family, and its type is
+sa_family_t and resolved to short. Therefore, the offset is represented by
+sizeof(short). However, it is not clear and fragile to changes in struct
+sockaddr_storage or sockaddr_un.
+
+This commit makes it clear and robust by rewriting sizeof() with
+offsetof().
+
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.co.jp>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: a9bf9c7dc6a5 ("af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 19 ++++++++++++-------
+ net/unix/diag.c | 3 ++-
+ 2 files changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 262aeaea9861c..7d58067ffd3f8 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -231,7 +231,8 @@ static int unix_mkname(struct sockaddr_un *sunaddr, int len, unsigned int *hashp
+ {
+ *hashp = 0;
+
+- if (len <= sizeof(short) || len > sizeof(*sunaddr))
++ if (len <= offsetof(struct sockaddr_un, sun_path) ||
++ len > sizeof(*sunaddr))
+ return -EINVAL;
+ if (!sunaddr || sunaddr->sun_family != AF_UNIX)
+ return -EINVAL;
+@@ -244,7 +245,8 @@ static int unix_mkname(struct sockaddr_un *sunaddr, int len, unsigned int *hashp
+ * kernel address buffer.
+ */
+ ((char *)sunaddr)[len] = 0;
+- len = strlen(sunaddr->sun_path)+1+sizeof(short);
++ len = strlen(sunaddr->sun_path) +
++ offsetof(struct sockaddr_un, sun_path) + 1;
+ return len;
+ }
+
+@@ -967,7 +969,8 @@ static int unix_autobind(struct socket *sock)
+ goto out;
+
+ err = -ENOMEM;
+- addr = kzalloc(sizeof(*addr) + sizeof(short) + 16, GFP_KERNEL);
++ addr = kzalloc(sizeof(*addr) +
++ offsetof(struct sockaddr_un, sun_path) + 16, GFP_KERNEL);
+ if (!addr)
+ goto out;
+
+@@ -975,7 +978,8 @@ static int unix_autobind(struct socket *sock)
+ refcount_set(&addr->refcnt, 1);
+
+ retry:
+- addr->len = sprintf(addr->name->sun_path+1, "%05x", ordernum) + 1 + sizeof(short);
++ addr->len = sprintf(addr->name->sun_path + 1, "%05x", ordernum) +
++ offsetof(struct sockaddr_un, sun_path) + 1;
+ addr->hash = unix_hash_fold(csum_partial(addr->name, addr->len, 0));
+ addr->hash ^= sk->sk_type;
+
+@@ -1157,7 +1161,7 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
+ sunaddr->sun_family != AF_UNIX)
+ return -EINVAL;
+
+- if (addr_len == sizeof(short))
++ if (addr_len == offsetof(struct sockaddr_un, sun_path))
+ return unix_autobind(sock);
+
+ err = unix_mkname(sunaddr, addr_len, &hash);
+@@ -1607,7 +1611,7 @@ static int unix_getname(struct socket *sock, struct sockaddr *uaddr, int peer)
+ if (!addr) {
+ sunaddr->sun_family = AF_UNIX;
+ sunaddr->sun_path[0] = 0;
+- err = sizeof(short);
++ err = offsetof(struct sockaddr_un, sun_path);
+ } else {
+ err = addr->len;
+ memcpy(sunaddr, addr->name, addr->len);
+@@ -3271,7 +3275,8 @@ static int unix_seq_show(struct seq_file *seq, void *v)
+ seq_putc(seq, ' ');
+
+ i = 0;
+- len = u->addr->len - sizeof(short);
++ len = u->addr->len -
++ offsetof(struct sockaddr_un, sun_path);
+ if (!UNIX_ABSTRACT(s))
+ len--;
+ else {
+diff --git a/net/unix/diag.c b/net/unix/diag.c
+index daef19932f780..006438e2e07a2 100644
+--- a/net/unix/diag.c
++++ b/net/unix/diag.c
+@@ -19,7 +19,8 @@ static int sk_diag_dump_name(struct sock *sk, struct sk_buff *nlskb)
+ if (!addr)
+ return 0;
+
+- return nla_put(nlskb, UNIX_DIAG_NAME, addr->len - sizeof(short),
++ return nla_put(nlskb, UNIX_DIAG_NAME,
++ addr->len - offsetof(struct sockaddr_un, sun_path),
+ addr->name->sun_path);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 0d596d22aae72b7ca666d21a079b8f63449f0407 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jun 2024 09:52:39 -0700
+Subject: af_unix: Use skb_queue_empty_lockless() in unix_release_sock().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 83690b82d228b3570565ebd0b41873933238b97f ]
+
+If the socket type is SOCK_STREAM or SOCK_SEQPACKET, unix_release_sock()
+checks the length of the peer socket's recvq under unix_state_lock().
+
+However, unix_stream_read_generic() calls skb_unlink() after releasing
+the lock. Also, for SOCK_SEQPACKET, __skb_try_recv_datagram() unlinks
+skb without unix_state_lock().
+
+Thues, unix_state_lock() does not protect qlen.
+
+Let's use skb_queue_empty_lockless() in unix_release_sock().
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 85b1c0d7c287a..12099b06d7e88 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -570,7 +570,7 @@ static void unix_release_sock(struct sock *sk, int embrion)
+ unix_state_lock(skpair);
+ /* No more writes */
+ WRITE_ONCE(skpair->sk_shutdown, SHUTDOWN_MASK);
+- if (!skb_queue_empty(&sk->sk_receive_queue) || embrion)
++ if (!skb_queue_empty_lockless(&sk->sk_receive_queue) || embrion)
+ WRITE_ONCE(skpair->sk_err, ECONNRESET);
+ unix_state_unlock(skpair);
+ skpair->sk_state_change(skpair);
+--
+2.43.0
+
--- /dev/null
+From 27be04be4ebc9fca755aeeec004c4367ae4dc3eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jun 2024 09:52:40 -0700
+Subject: af_unix: Use skb_queue_len_lockless() in sk_diag_show_rqlen().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 5d915e584d8408211d4567c22685aae8820bfc55 ]
+
+We can dump the socket queue length via UNIX_DIAG by specifying
+UDIAG_SHOW_RQLEN.
+
+If sk->sk_state is TCP_LISTEN, we return the recv queue length,
+but here we do not hold recvq lock.
+
+Let's use skb_queue_len_lockless() in sk_diag_show_rqlen().
+
+Fixes: c9da99e6475f ("unix_diag: Fixup RQLEN extension report")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/diag.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/unix/diag.c b/net/unix/diag.c
+index 94c8f509261d0..63a0040e9fb45 100644
+--- a/net/unix/diag.c
++++ b/net/unix/diag.c
+@@ -104,7 +104,7 @@ static int sk_diag_show_rqlen(struct sock *sk, struct sk_buff *nlskb)
+ struct unix_diag_rqlen rql;
+
+ if (READ_ONCE(sk->sk_state) == TCP_LISTEN) {
+- rql.udiag_rqueue = sk->sk_receive_queue.qlen;
++ rql.udiag_rqueue = skb_queue_len_lockless(&sk->sk_receive_queue);
+ rql.udiag_wqueue = sk->sk_max_ack_backlog;
+ } else {
+ rql.udiag_rqueue = (u32) unix_inq_len(sk);
+--
+2.43.0
+
--- /dev/null
+From 17eb75b26b34dcf7b81ff17b71e88f908abe9198 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jun 2024 09:52:38 -0700
+Subject: af_unix: Use unix_recvq_full_lockless() in unix_stream_connect().
+
+From: Kuniyuki Iwashima <kuniyu@amazon.com>
+
+[ Upstream commit 45d872f0e65593176d880ec148f41ad7c02e40a7 ]
+
+Once sk->sk_state is changed to TCP_LISTEN, it never changes.
+
+unix_accept() takes advantage of this characteristics; it does not
+hold the listener's unix_state_lock() and only acquires recvq lock
+to pop one skb.
+
+It means unix_state_lock() does not prevent the queue length from
+changing in unix_stream_connect().
+
+Thus, we need to use unix_recvq_full_lockless() to avoid data-race.
+
+Now we remove unix_recvq_full() as no one uses it.
+
+Note that we can remove READ_ONCE() for sk->sk_max_ack_backlog in
+unix_recvq_full_lockless() because of the following reasons:
+
+ (1) For SOCK_DGRAM, it is a written-once field in unix_create1()
+
+ (2) For SOCK_STREAM and SOCK_SEQPACKET, it is changed under the
+ listener's unix_state_lock() in unix_listen(), and we hold
+ the lock in unix_stream_connect()
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/unix/af_unix.c | 10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 5c4318f64d253..3fa86d70467c2 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -190,15 +190,9 @@ static inline int unix_may_send(struct sock *sk, struct sock *osk)
+ return unix_peer(osk) == NULL || unix_our_peer(sk, osk);
+ }
+
+-static inline int unix_recvq_full(const struct sock *sk)
+-{
+- return skb_queue_len(&sk->sk_receive_queue) > sk->sk_max_ack_backlog;
+-}
+-
+ static inline int unix_recvq_full_lockless(const struct sock *sk)
+ {
+- return skb_queue_len_lockless(&sk->sk_receive_queue) >
+- READ_ONCE(sk->sk_max_ack_backlog);
++ return skb_queue_len_lockless(&sk->sk_receive_queue) > sk->sk_max_ack_backlog;
+ }
+
+ struct sock *unix_peer_get(struct sock *s)
+@@ -1429,7 +1423,7 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr,
+ if (other->sk_shutdown & RCV_SHUTDOWN)
+ goto out_unlock;
+
+- if (unix_recvq_full(other)) {
++ if (unix_recvq_full_lockless(other)) {
+ err = -EAGAIN;
+ if (!timeo)
+ goto out_unlock;
+--
+2.43.0
+
--- /dev/null
+From 98c19c5237cadc9efec6b16923140e860e0ce0dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Aug 2023 08:56:29 +0200
+Subject: Bluetooth: btqca: Add WCN3988 support
+
+From: Luca Weiss <luca.weiss@fairphone.com>
+
+[ Upstream commit f904feefe60c28b6852d5625adc4a2c39426a2d9 ]
+
+Add support for the Bluetooth chip codenamed APACHE which is part of
+WCN3988.
+
+The firmware for this chip has a slightly different naming scheme
+compared to most others. For ROM Version 0x0200 we need to use
+apbtfw10.tlv + apnv10.bin and for ROM version 0x201 apbtfw11.tlv +
+apnv11.bin
+
+Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Stable-dep-of: cda0d6a198e2 ("Bluetooth: qca: fix info leak when fetching fw build id")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btqca.c | 13 +++++++++++--
+ drivers/bluetooth/btqca.h | 12 ++++++++++--
+ drivers/bluetooth/hci_qca.c | 12 ++++++++++++
+ 3 files changed, 33 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
+index b850b5de9f862..6ae806b9e77f2 100644
+--- a/drivers/bluetooth/btqca.c
++++ b/drivers/bluetooth/btqca.c
+@@ -595,11 +595,17 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
+ /* Firmware files to download are based on ROM version.
+ * ROM version is derived from last two bytes of soc_ver.
+ */
+- rom_ver = ((soc_ver & 0x00000f00) >> 0x04) | (soc_ver & 0x0000000f);
++ if (soc_type == QCA_WCN3988)
++ rom_ver = ((soc_ver & 0x00000f00) >> 0x05) | (soc_ver & 0x0000000f);
++ else
++ rom_ver = ((soc_ver & 0x00000f00) >> 0x04) | (soc_ver & 0x0000000f);
+
+ /* Download rampatch file */
+ config.type = TLV_TYPE_PATCH;
+- if (qca_is_wcn399x(soc_type)) {
++ if (soc_type == QCA_WCN3988) {
++ snprintf(config.fwname, sizeof(config.fwname),
++ "qca/apbtfw%02x.tlv", rom_ver);
++ } else if (qca_is_wcn399x(soc_type)) {
+ snprintf(config.fwname, sizeof(config.fwname),
+ "qca/crbtfw%02x.tlv", rom_ver);
+ } else if (soc_type == QCA_QCA6390) {
+@@ -634,6 +640,9 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
+ if (firmware_name)
+ snprintf(config.fwname, sizeof(config.fwname),
+ "qca/%s", firmware_name);
++ else if (soc_type == QCA_WCN3988)
++ snprintf(config.fwname, sizeof(config.fwname),
++ "qca/apnv%02x.bin", rom_ver);
+ else if (qca_is_wcn399x(soc_type)) {
+ if (le32_to_cpu(ver.soc_id) == QCA_WCN3991_SOC_ID) {
+ snprintf(config.fwname, sizeof(config.fwname),
+diff --git a/drivers/bluetooth/btqca.h b/drivers/bluetooth/btqca.h
+index b83bf202ea604..104bb12c88adf 100644
+--- a/drivers/bluetooth/btqca.h
++++ b/drivers/bluetooth/btqca.h
+@@ -140,6 +140,7 @@ enum qca_btsoc_type {
+ QCA_INVALID = -1,
+ QCA_AR3002,
+ QCA_ROME,
++ QCA_WCN3988,
+ QCA_WCN3990,
+ QCA_WCN3998,
+ QCA_WCN3991,
+@@ -160,8 +161,15 @@ int qca_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr);
+ int qca_send_pre_shutdown_cmd(struct hci_dev *hdev);
+ static inline bool qca_is_wcn399x(enum qca_btsoc_type soc_type)
+ {
+- return soc_type == QCA_WCN3990 || soc_type == QCA_WCN3991 ||
+- soc_type == QCA_WCN3998;
++ switch (soc_type) {
++ case QCA_WCN3988:
++ case QCA_WCN3990:
++ case QCA_WCN3991:
++ case QCA_WCN3998:
++ return true;
++ default:
++ return false;
++ }
+ }
+ static inline bool qca_is_wcn6750(enum qca_btsoc_type soc_type)
+ {
+diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
+index 1c2bd292ecb7c..3e67e07161969 100644
+--- a/drivers/bluetooth/hci_qca.c
++++ b/drivers/bluetooth/hci_qca.c
+@@ -1834,6 +1834,17 @@ static const struct hci_uart_proto qca_proto = {
+ .dequeue = qca_dequeue,
+ };
+
++static const struct qca_device_data qca_soc_data_wcn3988 __maybe_unused = {
++ .soc_type = QCA_WCN3988,
++ .vregs = (struct qca_vreg []) {
++ { "vddio", 15000 },
++ { "vddxo", 80000 },
++ { "vddrf", 300000 },
++ { "vddch0", 450000 },
++ },
++ .num_vregs = 4,
++};
++
+ static const struct qca_device_data qca_soc_data_wcn3990 __maybe_unused = {
+ .soc_type = QCA_WCN3990,
+ .vregs = (struct qca_vreg []) {
+@@ -2359,6 +2370,7 @@ static const struct of_device_id qca_bluetooth_of_match[] = {
+ { .compatible = "qcom,qca6174-bt" },
+ { .compatible = "qcom,qca6390-bt", .data = &qca_soc_data_qca6390},
+ { .compatible = "qcom,qca9377-bt" },
++ { .compatible = "qcom,wcn3988-bt", .data = &qca_soc_data_wcn3988},
+ { .compatible = "qcom,wcn3990-bt", .data = &qca_soc_data_wcn3990},
+ { .compatible = "qcom,wcn3991-bt", .data = &qca_soc_data_wcn3991},
+ { .compatible = "qcom,wcn3998-bt", .data = &qca_soc_data_wcn3998},
+--
+2.43.0
+
--- /dev/null
+From 3323f172de3ed2953633009e6517363a8d748667 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 19 May 2023 18:43:23 +0800
+Subject: Bluetooth: btqca: use le32_to_cpu for ver.soc_id
+
+From: Min-Hua Chen <minhuadotchen@gmail.com>
+
+[ Upstream commit 8153b738bc547878a017889d2b1cf8dd2de0e0c6 ]
+
+Use le32_to_cpu for ver.soc_id to fix the following
+sparse warning.
+
+drivers/bluetooth/btqca.c:640:24: sparse: warning: restricted
+__le32 degrades to integer
+
+Signed-off-by: Min-Hua Chen <minhuadotchen@gmail.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: cda0d6a198e2 ("Bluetooth: qca: fix info leak when fetching fw build id")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btqca.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
+index d4ae33a5f805e..b850b5de9f862 100644
+--- a/drivers/bluetooth/btqca.c
++++ b/drivers/bluetooth/btqca.c
+@@ -635,7 +635,7 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
+ snprintf(config.fwname, sizeof(config.fwname),
+ "qca/%s", firmware_name);
+ else if (qca_is_wcn399x(soc_type)) {
+- if (ver.soc_id == QCA_WCN3991_SOC_ID) {
++ if (le32_to_cpu(ver.soc_id) == QCA_WCN3991_SOC_ID) {
+ snprintf(config.fwname, sizeof(config.fwname),
+ "qca/crnv%02xu.bin", rom_ver);
+ } else {
+--
+2.43.0
+
--- /dev/null
+From 391192635689b4cde600c4d5be334134929a0e79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Mar 2023 12:13:53 +0100
+Subject: Bluetooth: hci_qca: mark OF related data as maybe unused
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 44fac8a2fd2f72ee98ee41e6bc9ecc7765b5d3cc ]
+
+The driver can be compile tested with !CONFIG_OF making certain data
+unused:
+
+ drivers/bluetooth/hci_qca.c:1869:37: error: ‘qca_soc_data_wcn6750’
+ defined but not used [-Werror=unused-const-variable=]
+ drivers/bluetooth/hci_qca.c:1853:37: error: ‘qca_soc_data_wcn3998’
+ defined but not used [-Werror=unused-const-variable=]
+ drivers/bluetooth/hci_qca.c:1841:37: error: ‘qca_soc_data_wcn3991’
+ defined but not used [-Werror=unused-const-variable=]
+ drivers/bluetooth/hci_qca.c:1830:37: error: ‘qca_soc_data_wcn3990’
+ defined but not used [-Werror=unused-const-variable=]
+
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Stable-dep-of: cda0d6a198e2 ("Bluetooth: qca: fix info leak when fetching fw build id")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_qca.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
+index fb71caa31daa7..1c2bd292ecb7c 100644
+--- a/drivers/bluetooth/hci_qca.c
++++ b/drivers/bluetooth/hci_qca.c
+@@ -1834,7 +1834,7 @@ static const struct hci_uart_proto qca_proto = {
+ .dequeue = qca_dequeue,
+ };
+
+-static const struct qca_device_data qca_soc_data_wcn3990 = {
++static const struct qca_device_data qca_soc_data_wcn3990 __maybe_unused = {
+ .soc_type = QCA_WCN3990,
+ .vregs = (struct qca_vreg []) {
+ { "vddio", 15000 },
+@@ -1845,7 +1845,7 @@ static const struct qca_device_data qca_soc_data_wcn3990 = {
+ .num_vregs = 4,
+ };
+
+-static const struct qca_device_data qca_soc_data_wcn3991 = {
++static const struct qca_device_data qca_soc_data_wcn3991 __maybe_unused = {
+ .soc_type = QCA_WCN3991,
+ .vregs = (struct qca_vreg []) {
+ { "vddio", 15000 },
+@@ -1857,7 +1857,7 @@ static const struct qca_device_data qca_soc_data_wcn3991 = {
+ .capabilities = QCA_CAP_WIDEBAND_SPEECH | QCA_CAP_VALID_LE_STATES,
+ };
+
+-static const struct qca_device_data qca_soc_data_wcn3998 = {
++static const struct qca_device_data qca_soc_data_wcn3998 __maybe_unused = {
+ .soc_type = QCA_WCN3998,
+ .vregs = (struct qca_vreg []) {
+ { "vddio", 10000 },
+@@ -1868,13 +1868,13 @@ static const struct qca_device_data qca_soc_data_wcn3998 = {
+ .num_vregs = 4,
+ };
+
+-static const struct qca_device_data qca_soc_data_qca6390 = {
++static const struct qca_device_data qca_soc_data_qca6390 __maybe_unused = {
+ .soc_type = QCA_QCA6390,
+ .num_vregs = 0,
+ .capabilities = QCA_CAP_WIDEBAND_SPEECH | QCA_CAP_VALID_LE_STATES,
+ };
+
+-static const struct qca_device_data qca_soc_data_wcn6750 = {
++static const struct qca_device_data qca_soc_data_wcn6750 __maybe_unused = {
+ .soc_type = QCA_WCN6750,
+ .vregs = (struct qca_vreg []) {
+ { "vddio", 5000 },
+--
+2.43.0
+
--- /dev/null
+From 2bb103505fb2d3ef1afb539e814575d11df48336 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Sep 2023 17:39:57 +0800
+Subject: Bluetooth: qca: add support for QCA2066
+
+From: Tim Jiang <quic_tjiang@quicinc.com>
+
+[ Upstream commit a7f8dedb4be2cc930a29af24427b885405ecd15d ]
+
+This patch adds support for QCA2066 firmware patch and NVM downloading.
+as the RF performance of QCA2066 SOC chip from different foundries may
+vary. Therefore we use different NVM to configure them based on board ID.
+
+Changes in v2
+ - optimize the function qca_generate_hsp_nvm_name
+ - remove redundant debug code for function qca_read_fw_board_id
+
+Signed-off-by: Tim Jiang <quic_tjiang@quicinc.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Stable-dep-of: cda0d6a198e2 ("Bluetooth: qca: fix info leak when fetching fw build id")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btqca.c | 68 +++++++++++++++++++++++++++++++++++++
+ drivers/bluetooth/btqca.h | 5 ++-
+ drivers/bluetooth/hci_qca.c | 11 ++++++
+ 3 files changed, 83 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
+index b14201b7bcd04..abd621d224667 100644
+--- a/drivers/bluetooth/btqca.c
++++ b/drivers/bluetooth/btqca.c
+@@ -160,6 +160,44 @@ static int qca_send_reset(struct hci_dev *hdev)
+ return 0;
+ }
+
++static int qca_read_fw_board_id(struct hci_dev *hdev, u16 *bid)
++{
++ u8 cmd;
++ struct sk_buff *skb;
++ struct edl_event_hdr *edl;
++ int err = 0;
++
++ cmd = EDL_GET_BID_REQ_CMD;
++ skb = __hci_cmd_sync_ev(hdev, EDL_PATCH_CMD_OPCODE, EDL_PATCH_CMD_LEN,
++ &cmd, 0, HCI_INIT_TIMEOUT);
++ if (IS_ERR(skb)) {
++ err = PTR_ERR(skb);
++ bt_dev_err(hdev, "Reading QCA board ID failed (%d)", err);
++ return err;
++ }
++
++ edl = skb_pull_data(skb, sizeof(*edl));
++ if (!edl) {
++ bt_dev_err(hdev, "QCA read board ID with no header");
++ err = -EILSEQ;
++ goto out;
++ }
++
++ if (edl->cresp != EDL_CMD_REQ_RES_EVT ||
++ edl->rtype != EDL_GET_BID_REQ_CMD) {
++ bt_dev_err(hdev, "QCA Wrong packet: %d %d", edl->cresp, edl->rtype);
++ err = -EIO;
++ goto out;
++ }
++
++ *bid = (edl->data[1] << 8) + edl->data[2];
++ bt_dev_dbg(hdev, "%s: bid = %x", __func__, *bid);
++
++out:
++ kfree_skb(skb);
++ return err;
++}
++
+ int qca_send_pre_shutdown_cmd(struct hci_dev *hdev)
+ {
+ struct sk_buff *skb;
+@@ -575,6 +613,23 @@ int qca_set_bdaddr_rome(struct hci_dev *hdev, const bdaddr_t *bdaddr)
+ }
+ EXPORT_SYMBOL_GPL(qca_set_bdaddr_rome);
+
++static void qca_generate_hsp_nvm_name(char *fwname, size_t max_size,
++ struct qca_btsoc_version ver, u8 rom_ver, u16 bid)
++{
++ const char *variant;
++
++ /* hsp gf chip */
++ if ((le32_to_cpu(ver.soc_id) & QCA_HSP_GF_SOC_MASK) == QCA_HSP_GF_SOC_ID)
++ variant = "g";
++ else
++ variant = "";
++
++ if (bid == 0x0)
++ snprintf(fwname, max_size, "qca/hpnv%02x%s.bin", rom_ver, variant);
++ else
++ snprintf(fwname, max_size, "qca/hpnv%02x%s.%x", rom_ver, variant, bid);
++}
++
+ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
+ enum qca_btsoc_type soc_type, struct qca_btsoc_version ver,
+ const char *firmware_name)
+@@ -583,6 +638,7 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
+ int err;
+ u8 rom_ver = 0;
+ u32 soc_ver;
++ u16 boardid = 0;
+
+ bt_dev_dbg(hdev, "QCA setup on UART");
+
+@@ -613,6 +669,10 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
+ snprintf(config.fwname, sizeof(config.fwname),
+ "qca/apbtfw%02x.tlv", rom_ver);
+ break;
++ case QCA_QCA2066:
++ snprintf(config.fwname, sizeof(config.fwname),
++ "qca/hpbtfw%02x.tlv", rom_ver);
++ break;
+ case QCA_QCA6390:
+ snprintf(config.fwname, sizeof(config.fwname),
+ "qca/htbtfw%02x.tlv", rom_ver);
+@@ -643,6 +703,9 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
+ /* Give the controller some time to get ready to receive the NVM */
+ msleep(10);
+
++ if (soc_type == QCA_QCA2066)
++ qca_read_fw_board_id(hdev, &boardid);
++
+ /* Download NVM configuration */
+ config.type = TLV_TYPE_NVM;
+ if (firmware_name) {
+@@ -665,6 +728,10 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
+ snprintf(config.fwname, sizeof(config.fwname),
+ "qca/apnv%02x.bin", rom_ver);
+ break;
++ case QCA_QCA2066:
++ qca_generate_hsp_nvm_name(config.fwname,
++ sizeof(config.fwname), ver, rom_ver, boardid);
++ break;
+ case QCA_QCA6390:
+ snprintf(config.fwname, sizeof(config.fwname),
+ "qca/htnv%02x.bin", rom_ver);
+@@ -692,6 +759,7 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
+
+ switch (soc_type) {
+ case QCA_WCN3991:
++ case QCA_QCA2066:
+ case QCA_QCA6390:
+ case QCA_WCN6750:
+ case QCA_WCN6855:
+diff --git a/drivers/bluetooth/btqca.h b/drivers/bluetooth/btqca.h
+index fa77c07daecf5..d69ecfdef2a20 100644
+--- a/drivers/bluetooth/btqca.h
++++ b/drivers/bluetooth/btqca.h
+@@ -12,6 +12,7 @@
+ #define EDL_PATCH_VER_REQ_CMD (0x19)
+ #define EDL_PATCH_TLV_REQ_CMD (0x1E)
+ #define EDL_GET_BUILD_INFO_CMD (0x20)
++#define EDL_GET_BID_REQ_CMD (0x23)
+ #define EDL_NVM_ACCESS_SET_REQ_CMD (0x01)
+ #define MAX_SIZE_PER_TLV_SEGMENT (243)
+ #define QCA_PRE_SHUTDOWN_CMD (0xFC08)
+@@ -45,7 +46,8 @@
+ ((le32_to_cpu(soc_id) << 16) | (le16_to_cpu(rom_ver)))
+
+ #define QCA_FW_BUILD_VER_LEN 255
+-
++#define QCA_HSP_GF_SOC_ID 0x1200
++#define QCA_HSP_GF_SOC_MASK 0x0000ff00
+
+ enum qca_baudrate {
+ QCA_BAUDRATE_115200 = 0,
+@@ -144,6 +146,7 @@ enum qca_btsoc_type {
+ QCA_WCN3990,
+ QCA_WCN3998,
+ QCA_WCN3991,
++ QCA_QCA2066,
+ QCA_QCA6390,
+ QCA_WCN6750,
+ QCA_WCN6855,
+diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
+index 62491e7610384..0800f6e62b7f0 100644
+--- a/drivers/bluetooth/hci_qca.c
++++ b/drivers/bluetooth/hci_qca.c
+@@ -1801,6 +1801,10 @@ static int qca_setup(struct hci_uart *hu)
+ set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
+
+ switch (soc_type) {
++ case QCA_QCA2066:
++ soc_name = "qca2066";
++ break;
++
+ case QCA_WCN3988:
+ case QCA_WCN3990:
+ case QCA_WCN3991:
+@@ -1981,6 +1985,11 @@ static const struct qca_device_data qca_soc_data_wcn3998 __maybe_unused = {
+ .num_vregs = 4,
+ };
+
++static const struct qca_device_data qca_soc_data_qca2066 __maybe_unused = {
++ .soc_type = QCA_QCA2066,
++ .num_vregs = 0,
++};
++
+ static const struct qca_device_data qca_soc_data_qca6390 __maybe_unused = {
+ .soc_type = QCA_QCA6390,
+ .num_vregs = 0,
+@@ -2492,6 +2501,7 @@ static SIMPLE_DEV_PM_OPS(qca_pm_ops, qca_suspend, qca_resume);
+
+ #ifdef CONFIG_OF
+ static const struct of_device_id qca_bluetooth_of_match[] = {
++ { .compatible = "qcom,qca2066-bt", .data = &qca_soc_data_qca2066},
+ { .compatible = "qcom,qca6174-bt" },
+ { .compatible = "qcom,qca6390-bt", .data = &qca_soc_data_qca6390},
+ { .compatible = "qcom,qca9377-bt" },
+@@ -2508,6 +2518,7 @@ MODULE_DEVICE_TABLE(of, qca_bluetooth_of_match);
+
+ #ifdef CONFIG_ACPI
+ static const struct acpi_device_id qca_bluetooth_acpi_match[] = {
++ { "QCOM2066", (kernel_ulong_t)&qca_soc_data_qca2066 },
+ { "QCOM6390", (kernel_ulong_t)&qca_soc_data_qca6390 },
+ { "DLA16390", (kernel_ulong_t)&qca_soc_data_qca6390 },
+ { "DLB16390", (kernel_ulong_t)&qca_soc_data_qca6390 },
+--
+2.43.0
+
--- /dev/null
+From 9a92c309f6ebee38d42f674015c7ad8270d8d690 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 May 2024 14:34:52 +0200
+Subject: Bluetooth: qca: fix info leak when fetching fw build id
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit cda0d6a198e2a7ec6f176c36173a57bdd8af7af2 ]
+
+Add the missing sanity checks and move the 255-byte build-id buffer off
+the stack to avoid leaking stack data through debugfs in case the
+build-info reply is malformed.
+
+Fixes: c0187b0bd3e9 ("Bluetooth: btqca: Add support to read FW build version for WCN3991 BTSoC")
+Cc: stable@vger.kernel.org # 5.12
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btqca.c | 25 +++++++++++++++++++++----
+ drivers/bluetooth/btqca.h | 1 -
+ 2 files changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
+index abd621d224667..7011151420e48 100644
+--- a/drivers/bluetooth/btqca.c
++++ b/drivers/bluetooth/btqca.c
+@@ -98,7 +98,8 @@ static int qca_read_fw_build_info(struct hci_dev *hdev)
+ {
+ struct sk_buff *skb;
+ struct edl_event_hdr *edl;
+- char cmd, build_label[QCA_FW_BUILD_VER_LEN];
++ char *build_label;
++ char cmd;
+ int build_lbl_len, err = 0;
+
+ bt_dev_dbg(hdev, "QCA read fw build info");
+@@ -113,6 +114,11 @@ static int qca_read_fw_build_info(struct hci_dev *hdev)
+ return err;
+ }
+
++ if (skb->len < sizeof(*edl)) {
++ err = -EILSEQ;
++ goto out;
++ }
++
+ edl = (struct edl_event_hdr *)(skb->data);
+ if (!edl) {
+ bt_dev_err(hdev, "QCA read fw build info with no header");
+@@ -128,14 +134,25 @@ static int qca_read_fw_build_info(struct hci_dev *hdev)
+ goto out;
+ }
+
++ if (skb->len < sizeof(*edl) + 1) {
++ err = -EILSEQ;
++ goto out;
++ }
++
+ build_lbl_len = edl->data[0];
+- if (build_lbl_len <= QCA_FW_BUILD_VER_LEN - 1) {
+- memcpy(build_label, edl->data + 1, build_lbl_len);
+- *(build_label + build_lbl_len) = '\0';
++
++ if (skb->len < sizeof(*edl) + 1 + build_lbl_len) {
++ err = -EILSEQ;
++ goto out;
+ }
+
++ build_label = kstrndup(&edl->data[1], build_lbl_len, GFP_KERNEL);
++ if (!build_label)
++ goto out;
++
+ hci_set_fw_info(hdev, "%s", build_label);
+
++ kfree(build_label);
+ out:
+ kfree_skb(skb);
+ return err;
+diff --git a/drivers/bluetooth/btqca.h b/drivers/bluetooth/btqca.h
+index d69ecfdef2a20..6a6a286bc8547 100644
+--- a/drivers/bluetooth/btqca.h
++++ b/drivers/bluetooth/btqca.h
+@@ -45,7 +45,6 @@
+ #define get_soc_ver(soc_id, rom_ver) \
+ ((le32_to_cpu(soc_id) << 16) | (le16_to_cpu(rom_ver)))
+
+-#define QCA_FW_BUILD_VER_LEN 255
+ #define QCA_HSP_GF_SOC_ID 0x1200
+ #define QCA_HSP_GF_SOC_MASK 0x0000ff00
+
+--
+2.43.0
+
--- /dev/null
+From ff36c600c800a4cbeb2ae58251e1465104807b29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Aug 2023 10:06:47 +0200
+Subject: Bluetooth: qca: use switch case for soc type behavior
+
+From: Neil Armstrong <neil.armstrong@linaro.org>
+
+[ Upstream commit 691d54d0f7cb14baac1ff4af210d13c0e4897e27 ]
+
+Use switch/case to handle soc type specific behaviour,
+the permit dropping the qca_is_xxx() inline functions
+and make the code clearer and easier to update for new
+SoCs.
+
+Suggested-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Suggested-by: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Stable-dep-of: cda0d6a198e2 ("Bluetooth: qca: fix info leak when fetching fw build id")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btqca.c | 87 +++++++++-----
+ drivers/bluetooth/btqca.h | 36 ------
+ drivers/bluetooth/hci_qca.c | 233 +++++++++++++++++++++++++++---------
+ 3 files changed, 236 insertions(+), 120 deletions(-)
+
+diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
+index 6ae806b9e77f2..b14201b7bcd04 100644
+--- a/drivers/bluetooth/btqca.c
++++ b/drivers/bluetooth/btqca.c
+@@ -602,26 +602,34 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
+
+ /* Download rampatch file */
+ config.type = TLV_TYPE_PATCH;
+- if (soc_type == QCA_WCN3988) {
+- snprintf(config.fwname, sizeof(config.fwname),
+- "qca/apbtfw%02x.tlv", rom_ver);
+- } else if (qca_is_wcn399x(soc_type)) {
++ switch (soc_type) {
++ case QCA_WCN3990:
++ case QCA_WCN3991:
++ case QCA_WCN3998:
+ snprintf(config.fwname, sizeof(config.fwname),
+ "qca/crbtfw%02x.tlv", rom_ver);
+- } else if (soc_type == QCA_QCA6390) {
++ break;
++ case QCA_WCN3988:
++ snprintf(config.fwname, sizeof(config.fwname),
++ "qca/apbtfw%02x.tlv", rom_ver);
++ break;
++ case QCA_QCA6390:
+ snprintf(config.fwname, sizeof(config.fwname),
+ "qca/htbtfw%02x.tlv", rom_ver);
+- } else if (soc_type == QCA_WCN6750) {
++ break;
++ case QCA_WCN6750:
+ /* Choose mbn file by default.If mbn file is not found
+ * then choose tlv file
+ */
+ config.type = ELF_TYPE_PATCH;
+ snprintf(config.fwname, sizeof(config.fwname),
+ "qca/msbtfw%02x.mbn", rom_ver);
+- } else if (soc_type == QCA_WCN6855) {
++ break;
++ case QCA_WCN6855:
+ snprintf(config.fwname, sizeof(config.fwname),
+ "qca/hpbtfw%02x.tlv", rom_ver);
+- } else {
++ break;
++ default:
+ snprintf(config.fwname, sizeof(config.fwname),
+ "qca/rampatch_%08x.bin", soc_ver);
+ }
+@@ -637,33 +645,44 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
+
+ /* Download NVM configuration */
+ config.type = TLV_TYPE_NVM;
+- if (firmware_name)
++ if (firmware_name) {
+ snprintf(config.fwname, sizeof(config.fwname),
+ "qca/%s", firmware_name);
+- else if (soc_type == QCA_WCN3988)
+- snprintf(config.fwname, sizeof(config.fwname),
+- "qca/apnv%02x.bin", rom_ver);
+- else if (qca_is_wcn399x(soc_type)) {
+- if (le32_to_cpu(ver.soc_id) == QCA_WCN3991_SOC_ID) {
++ } else {
++ switch (soc_type) {
++ case QCA_WCN3990:
++ case QCA_WCN3991:
++ case QCA_WCN3998:
++ if (le32_to_cpu(ver.soc_id) == QCA_WCN3991_SOC_ID) {
++ snprintf(config.fwname, sizeof(config.fwname),
++ "qca/crnv%02xu.bin", rom_ver);
++ } else {
++ snprintf(config.fwname, sizeof(config.fwname),
++ "qca/crnv%02x.bin", rom_ver);
++ }
++ break;
++ case QCA_WCN3988:
+ snprintf(config.fwname, sizeof(config.fwname),
+- "qca/crnv%02xu.bin", rom_ver);
+- } else {
++ "qca/apnv%02x.bin", rom_ver);
++ break;
++ case QCA_QCA6390:
++ snprintf(config.fwname, sizeof(config.fwname),
++ "qca/htnv%02x.bin", rom_ver);
++ break;
++ case QCA_WCN6750:
+ snprintf(config.fwname, sizeof(config.fwname),
+- "qca/crnv%02x.bin", rom_ver);
++ "qca/msnv%02x.bin", rom_ver);
++ break;
++ case QCA_WCN6855:
++ snprintf(config.fwname, sizeof(config.fwname),
++ "qca/hpnv%02x.bin", rom_ver);
++ break;
++
++ default:
++ snprintf(config.fwname, sizeof(config.fwname),
++ "qca/nvm_%08x.bin", soc_ver);
+ }
+ }
+- else if (soc_type == QCA_QCA6390)
+- snprintf(config.fwname, sizeof(config.fwname),
+- "qca/htnv%02x.bin", rom_ver);
+- else if (soc_type == QCA_WCN6750)
+- snprintf(config.fwname, sizeof(config.fwname),
+- "qca/msnv%02x.bin", rom_ver);
+- else if (soc_type == QCA_WCN6855)
+- snprintf(config.fwname, sizeof(config.fwname),
+- "qca/hpnv%02x.bin", rom_ver);
+- else
+- snprintf(config.fwname, sizeof(config.fwname),
+- "qca/nvm_%08x.bin", soc_ver);
+
+ err = qca_download_firmware(hdev, &config, soc_type, rom_ver);
+ if (err < 0) {
+@@ -671,16 +690,24 @@ int qca_uart_setup(struct hci_dev *hdev, uint8_t baudrate,
+ return err;
+ }
+
+- if (soc_type >= QCA_WCN3991) {
++ switch (soc_type) {
++ case QCA_WCN3991:
++ case QCA_QCA6390:
++ case QCA_WCN6750:
++ case QCA_WCN6855:
+ err = qca_disable_soc_logging(hdev);
+ if (err < 0)
+ return err;
++ break;
++ default:
++ break;
+ }
+
+ /* WCN399x and WCN6750 supports the Microsoft vendor extension with 0xFD70 as the
+ * VsMsftOpCode.
+ */
+ switch (soc_type) {
++ case QCA_WCN3988:
+ case QCA_WCN3990:
+ case QCA_WCN3991:
+ case QCA_WCN3998:
+diff --git a/drivers/bluetooth/btqca.h b/drivers/bluetooth/btqca.h
+index 104bb12c88adf..fa77c07daecf5 100644
+--- a/drivers/bluetooth/btqca.h
++++ b/drivers/bluetooth/btqca.h
+@@ -159,27 +159,6 @@ int qca_read_soc_version(struct hci_dev *hdev, struct qca_btsoc_version *ver,
+ enum qca_btsoc_type);
+ int qca_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr);
+ int qca_send_pre_shutdown_cmd(struct hci_dev *hdev);
+-static inline bool qca_is_wcn399x(enum qca_btsoc_type soc_type)
+-{
+- switch (soc_type) {
+- case QCA_WCN3988:
+- case QCA_WCN3990:
+- case QCA_WCN3991:
+- case QCA_WCN3998:
+- return true;
+- default:
+- return false;
+- }
+-}
+-static inline bool qca_is_wcn6750(enum qca_btsoc_type soc_type)
+-{
+- return soc_type == QCA_WCN6750;
+-}
+-static inline bool qca_is_wcn6855(enum qca_btsoc_type soc_type)
+-{
+- return soc_type == QCA_WCN6855;
+-}
+-
+ #else
+
+ static inline int qca_set_bdaddr_rome(struct hci_dev *hdev, const bdaddr_t *bdaddr)
+@@ -207,21 +186,6 @@ static inline int qca_set_bdaddr(struct hci_dev *hdev, const bdaddr_t *bdaddr)
+ return -EOPNOTSUPP;
+ }
+
+-static inline bool qca_is_wcn399x(enum qca_btsoc_type soc_type)
+-{
+- return false;
+-}
+-
+-static inline bool qca_is_wcn6750(enum qca_btsoc_type soc_type)
+-{
+- return false;
+-}
+-
+-static inline bool qca_is_wcn6855(enum qca_btsoc_type soc_type)
+-{
+- return false;
+-}
+-
+ static inline int qca_send_pre_shutdown_cmd(struct hci_dev *hdev)
+ {
+ return -EOPNOTSUPP;
+diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c
+index 3e67e07161969..62491e7610384 100644
+--- a/drivers/bluetooth/hci_qca.c
++++ b/drivers/bluetooth/hci_qca.c
+@@ -606,9 +606,18 @@ static int qca_open(struct hci_uart *hu)
+ if (hu->serdev) {
+ qcadev = serdev_device_get_drvdata(hu->serdev);
+
+- if (qca_is_wcn399x(qcadev->btsoc_type) ||
+- qca_is_wcn6750(qcadev->btsoc_type))
++ switch (qcadev->btsoc_type) {
++ case QCA_WCN3988:
++ case QCA_WCN3990:
++ case QCA_WCN3991:
++ case QCA_WCN3998:
++ case QCA_WCN6750:
+ hu->init_speed = qcadev->init_speed;
++ break;
++
++ default:
++ break;
++ }
+
+ if (qcadev->oper_speed)
+ hu->oper_speed = qcadev->oper_speed;
+@@ -1314,12 +1323,19 @@ static int qca_set_baudrate(struct hci_dev *hdev, uint8_t baudrate)
+ msecs_to_jiffies(CMD_TRANS_TIMEOUT_MS));
+
+ /* Give the controller time to process the request */
+- if (qca_is_wcn399x(qca_soc_type(hu)) ||
+- qca_is_wcn6750(qca_soc_type(hu)) ||
+- qca_is_wcn6855(qca_soc_type(hu)))
++ switch (qca_soc_type(hu)) {
++ case QCA_WCN3988:
++ case QCA_WCN3990:
++ case QCA_WCN3991:
++ case QCA_WCN3998:
++ case QCA_WCN6750:
++ case QCA_WCN6855:
+ usleep_range(1000, 10000);
+- else
++ break;
++
++ default:
+ msleep(300);
++ }
+
+ return 0;
+ }
+@@ -1392,13 +1408,19 @@ static unsigned int qca_get_speed(struct hci_uart *hu,
+
+ static int qca_check_speeds(struct hci_uart *hu)
+ {
+- if (qca_is_wcn399x(qca_soc_type(hu)) ||
+- qca_is_wcn6750(qca_soc_type(hu)) ||
+- qca_is_wcn6855(qca_soc_type(hu))) {
++ switch (qca_soc_type(hu)) {
++ case QCA_WCN3988:
++ case QCA_WCN3990:
++ case QCA_WCN3991:
++ case QCA_WCN3998:
++ case QCA_WCN6750:
++ case QCA_WCN6855:
+ if (!qca_get_speed(hu, QCA_INIT_SPEED) &&
+ !qca_get_speed(hu, QCA_OPER_SPEED))
+ return -EINVAL;
+- } else {
++ break;
++
++ default:
+ if (!qca_get_speed(hu, QCA_INIT_SPEED) ||
+ !qca_get_speed(hu, QCA_OPER_SPEED))
+ return -EINVAL;
+@@ -1427,14 +1449,28 @@ static int qca_set_speed(struct hci_uart *hu, enum qca_speed_type speed_type)
+ /* Disable flow control for wcn3990 to deassert RTS while
+ * changing the baudrate of chip and host.
+ */
+- if (qca_is_wcn399x(soc_type) ||
+- qca_is_wcn6750(soc_type) ||
+- qca_is_wcn6855(soc_type))
++ switch (soc_type) {
++ case QCA_WCN3988:
++ case QCA_WCN3990:
++ case QCA_WCN3991:
++ case QCA_WCN3998:
++ case QCA_WCN6750:
++ case QCA_WCN6855:
+ hci_uart_set_flow_control(hu, true);
++ break;
+
+- if (soc_type == QCA_WCN3990) {
++ default:
++ break;
++ }
++
++ switch (soc_type) {
++ case QCA_WCN3990:
+ reinit_completion(&qca->drop_ev_comp);
+ set_bit(QCA_DROP_VENDOR_EVENT, &qca->flags);
++ break;
++
++ default:
++ break;
+ }
+
+ qca_baudrate = qca_get_baudrate_value(speed);
+@@ -1446,12 +1482,22 @@ static int qca_set_speed(struct hci_uart *hu, enum qca_speed_type speed_type)
+ host_set_baudrate(hu, speed);
+
+ error:
+- if (qca_is_wcn399x(soc_type) ||
+- qca_is_wcn6750(soc_type) ||
+- qca_is_wcn6855(soc_type))
++ switch (soc_type) {
++ case QCA_WCN3988:
++ case QCA_WCN3990:
++ case QCA_WCN3991:
++ case QCA_WCN3998:
++ case QCA_WCN6750:
++ case QCA_WCN6855:
+ hci_uart_set_flow_control(hu, false);
++ break;
+
+- if (soc_type == QCA_WCN3990) {
++ default:
++ break;
++ }
++
++ switch (soc_type) {
++ case QCA_WCN3990:
+ /* Wait for the controller to send the vendor event
+ * for the baudrate change command.
+ */
+@@ -1463,6 +1509,10 @@ static int qca_set_speed(struct hci_uart *hu, enum qca_speed_type speed_type)
+ }
+
+ clear_bit(QCA_DROP_VENDOR_EVENT, &qca->flags);
++ break;
++
++ default:
++ break;
+ }
+ }
+
+@@ -1627,12 +1677,20 @@ static int qca_regulator_init(struct hci_uart *hu)
+ }
+ }
+
+- if (qca_is_wcn399x(soc_type)) {
++ switch (soc_type) {
++ case QCA_WCN3988:
++ case QCA_WCN3990:
++ case QCA_WCN3991:
++ case QCA_WCN3998:
+ /* Forcefully enable wcn399x to enter in to boot mode. */
+ host_set_baudrate(hu, 2400);
+ ret = qca_send_power_pulse(hu, false);
+ if (ret)
+ return ret;
++ break;
++
++ default:
++ break;
+ }
+
+ /* For wcn6750 need to enable gpio bt_en */
+@@ -1649,10 +1707,18 @@ static int qca_regulator_init(struct hci_uart *hu)
+
+ qca_set_speed(hu, QCA_INIT_SPEED);
+
+- if (qca_is_wcn399x(soc_type)) {
++ switch (soc_type) {
++ case QCA_WCN3988:
++ case QCA_WCN3990:
++ case QCA_WCN3991:
++ case QCA_WCN3998:
+ ret = qca_send_power_pulse(hu, true);
+ if (ret)
+ return ret;
++ break;
++
++ default:
++ break;
+ }
+
+ /* Now the device is in ready state to communicate with host.
+@@ -1686,11 +1752,17 @@ static int qca_power_on(struct hci_dev *hdev)
+ if (!hu->serdev)
+ return 0;
+
+- if (qca_is_wcn399x(soc_type) ||
+- qca_is_wcn6750(soc_type) ||
+- qca_is_wcn6855(soc_type)) {
++ switch (soc_type) {
++ case QCA_WCN3988:
++ case QCA_WCN3990:
++ case QCA_WCN3991:
++ case QCA_WCN3998:
++ case QCA_WCN6750:
++ case QCA_WCN6855:
+ ret = qca_regulator_init(hu);
+- } else {
++ break;
++
++ default:
+ qcadev = serdev_device_get_drvdata(hu->serdev);
+ if (qcadev->bt_en) {
+ gpiod_set_value_cansleep(qcadev->bt_en, 1);
+@@ -1713,6 +1785,7 @@ static int qca_setup(struct hci_uart *hu)
+ const char *firmware_name = qca_get_firmware_name(hu);
+ int ret;
+ struct qca_btsoc_version ver;
++ const char *soc_name;
+
+ ret = qca_check_speeds(hu);
+ if (ret)
+@@ -1727,10 +1800,26 @@ static int qca_setup(struct hci_uart *hu)
+ */
+ set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
+
+- bt_dev_info(hdev, "setting up %s",
+- qca_is_wcn399x(soc_type) ? "wcn399x" :
+- (soc_type == QCA_WCN6750) ? "wcn6750" :
+- (soc_type == QCA_WCN6855) ? "wcn6855" : "ROME/QCA6390");
++ switch (soc_type) {
++ case QCA_WCN3988:
++ case QCA_WCN3990:
++ case QCA_WCN3991:
++ case QCA_WCN3998:
++ soc_name = "wcn399x";
++ break;
++
++ case QCA_WCN6750:
++ soc_name = "wcn6750";
++ break;
++
++ case QCA_WCN6855:
++ soc_name = "wcn6855";
++ break;
++
++ default:
++ soc_name = "ROME/QCA6390";
++ }
++ bt_dev_info(hdev, "setting up %s", soc_name);
+
+ qca->memdump_state = QCA_MEMDUMP_IDLE;
+
+@@ -1741,15 +1830,21 @@ static int qca_setup(struct hci_uart *hu)
+
+ clear_bit(QCA_SSR_TRIGGERED, &qca->flags);
+
+- if (qca_is_wcn399x(soc_type) ||
+- qca_is_wcn6750(soc_type) ||
+- qca_is_wcn6855(soc_type)) {
++ switch (soc_type) {
++ case QCA_WCN3988:
++ case QCA_WCN3990:
++ case QCA_WCN3991:
++ case QCA_WCN3998:
++ case QCA_WCN6750:
++ case QCA_WCN6855:
+ set_bit(HCI_QUIRK_USE_BDADDR_PROPERTY, &hdev->quirks);
+
+ ret = qca_read_soc_version(hdev, &ver, soc_type);
+ if (ret)
+ goto out;
+- } else {
++ break;
++
++ default:
+ qca_set_speed(hu, QCA_INIT_SPEED);
+ }
+
+@@ -1763,9 +1858,16 @@ static int qca_setup(struct hci_uart *hu)
+ qca_baudrate = qca_get_baudrate_value(speed);
+ }
+
+- if (!(qca_is_wcn399x(soc_type) ||
+- qca_is_wcn6750(soc_type) ||
+- qca_is_wcn6855(soc_type))) {
++ switch (soc_type) {
++ case QCA_WCN3988:
++ case QCA_WCN3990:
++ case QCA_WCN3991:
++ case QCA_WCN3998:
++ case QCA_WCN6750:
++ case QCA_WCN6855:
++ break;
++
++ default:
+ /* Get QCA version information */
+ ret = qca_read_soc_version(hdev, &ver, soc_type);
+ if (ret)
+@@ -1941,11 +2043,18 @@ static void qca_power_shutdown(struct hci_uart *hu)
+
+ qcadev = serdev_device_get_drvdata(hu->serdev);
+
+- if (qca_is_wcn399x(soc_type)) {
++ switch (soc_type) {
++ case QCA_WCN3988:
++ case QCA_WCN3990:
++ case QCA_WCN3991:
++ case QCA_WCN3998:
+ host_set_baudrate(hu, 2400);
+ qca_send_power_pulse(hu, false);
+ qca_regulator_disable(qcadev);
+- } else if (soc_type == QCA_WCN6750 || soc_type == QCA_WCN6855) {
++ break;
++
++ case QCA_WCN6750:
++ case QCA_WCN6855:
+ gpiod_set_value_cansleep(qcadev->bt_en, 0);
+ msleep(100);
+ qca_regulator_disable(qcadev);
+@@ -1953,7 +2062,9 @@ static void qca_power_shutdown(struct hci_uart *hu)
+ sw_ctrl_state = gpiod_get_value_cansleep(qcadev->sw_ctrl);
+ bt_dev_dbg(hu->hdev, "SW_CTRL is %d", sw_ctrl_state);
+ }
+- } else if (qcadev->bt_en) {
++ break;
++
++ default:
+ gpiod_set_value_cansleep(qcadev->bt_en, 0);
+ }
+
+@@ -2078,11 +2189,18 @@ static int qca_serdev_probe(struct serdev_device *serdev)
+ if (!qcadev->oper_speed)
+ BT_DBG("UART will pick default operating speed");
+
+- if (data &&
+- (qca_is_wcn399x(data->soc_type) ||
+- qca_is_wcn6750(data->soc_type) ||
+- qca_is_wcn6855(data->soc_type))) {
++ if (data)
+ qcadev->btsoc_type = data->soc_type;
++ else
++ qcadev->btsoc_type = QCA_ROME;
++
++ switch (qcadev->btsoc_type) {
++ case QCA_WCN3988:
++ case QCA_WCN3990:
++ case QCA_WCN3991:
++ case QCA_WCN3998:
++ case QCA_WCN6750:
++ case QCA_WCN6855:
+ qcadev->bt_power = devm_kzalloc(&serdev->dev,
+ sizeof(struct qca_power),
+ GFP_KERNEL);
+@@ -2126,12 +2244,9 @@ static int qca_serdev_probe(struct serdev_device *serdev)
+ BT_ERR("wcn3990 serdev registration failed");
+ return err;
+ }
+- } else {
+- if (data)
+- qcadev->btsoc_type = data->soc_type;
+- else
+- qcadev->btsoc_type = QCA_ROME;
++ break;
+
++ default:
+ qcadev->bt_en = devm_gpiod_get_optional(&serdev->dev, "enable",
+ GPIOD_OUT_LOW);
+ if (IS_ERR(qcadev->bt_en)) {
+@@ -2187,13 +2302,23 @@ static void qca_serdev_remove(struct serdev_device *serdev)
+ struct qca_serdev *qcadev = serdev_device_get_drvdata(serdev);
+ struct qca_power *power = qcadev->bt_power;
+
+- if ((qca_is_wcn399x(qcadev->btsoc_type) ||
+- qca_is_wcn6750(qcadev->btsoc_type) ||
+- qca_is_wcn6855(qcadev->btsoc_type)) &&
+- power->vregs_on)
+- qca_power_shutdown(&qcadev->serdev_hu);
+- else if (qcadev->susclk)
+- clk_disable_unprepare(qcadev->susclk);
++ switch (qcadev->btsoc_type) {
++ case QCA_WCN3988:
++ case QCA_WCN3990:
++ case QCA_WCN3991:
++ case QCA_WCN3998:
++ case QCA_WCN6750:
++ case QCA_WCN6855:
++ if (power->vregs_on) {
++ qca_power_shutdown(&qcadev->serdev_hu);
++ break;
++ }
++ fallthrough;
++
++ default:
++ if (qcadev->susclk)
++ clk_disable_unprepare(qcadev->susclk);
++ }
+
+ hci_uart_unregister_device(&qcadev->serdev_hu);
+ }
+--
+2.43.0
+
--- /dev/null
+From ee021c76a34f6d96be17d94e197d8b14a4d4b5d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jun 2024 17:00:24 +0200
+Subject: bpf: Set run context for rawtp test_run callback
+
+From: Jiri Olsa <jolsa@kernel.org>
+
+[ Upstream commit d0d1df8ba18abc57f28fb3bc053b2bf319367f2c ]
+
+syzbot reported crash when rawtp program executed through the
+test_run interface calls bpf_get_attach_cookie helper or any
+other helper that touches task->bpf_ctx pointer.
+
+Setting the run context (task->bpf_ctx pointer) for test_run
+callback.
+
+Fixes: 7adfc6c9b315 ("bpf: Add bpf_get_attach_cookie() BPF helper to access bpf_cookie value")
+Reported-by: syzbot+3ab78ff125b7979e45f9@syzkaller.appspotmail.com
+Signed-off-by: Jiri Olsa <jolsa@kernel.org>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Closes: https://syzkaller.appspot.com/bug?extid=3ab78ff125b7979e45f9
+Link: https://lore.kernel.org/bpf/20240604150024.359247-1-jolsa@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bpf/test_run.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
+index 11d254ce3581c..a0d75c33b5d6a 100644
+--- a/net/bpf/test_run.c
++++ b/net/bpf/test_run.c
+@@ -326,10 +326,16 @@ static void
+ __bpf_prog_test_run_raw_tp(void *data)
+ {
+ struct bpf_raw_tp_test_run_info *info = data;
++ struct bpf_trace_run_ctx run_ctx = {};
++ struct bpf_run_ctx *old_run_ctx;
++
++ old_run_ctx = bpf_set_run_ctx(&run_ctx.run_ctx);
+
+ rcu_read_lock();
+ info->retval = bpf_prog_run(info->prog, info->ctx);
+ rcu_read_unlock();
++
++ bpf_reset_run_ctx(old_run_ctx);
+ }
+
+ int bpf_prog_test_run_raw_tp(struct bpf_prog *prog,
+--
+2.43.0
+
--- /dev/null
+From e889b0b319a8f077d83a493209c9a0ff93c16830 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Jun 2024 12:49:08 +0100
+Subject: btrfs: fix leak of qgroup extent records after transaction abort
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit fb33eb2ef0d88e75564983ef057b44c5b7e4fded ]
+
+Qgroup extent records are created when delayed ref heads are created and
+then released after accounting extents at btrfs_qgroup_account_extents(),
+called during the transaction commit path.
+
+If a transaction is aborted we free the qgroup records by calling
+btrfs_qgroup_destroy_extent_records() at btrfs_destroy_delayed_refs(),
+unless we don't have delayed references. We are incorrectly assuming
+that no delayed references means we don't have qgroup extents records.
+
+We can currently have no delayed references because we ran them all
+during a transaction commit and the transaction was aborted after that
+due to some error in the commit path.
+
+So fix this by ensuring we btrfs_qgroup_destroy_extent_records() at
+btrfs_destroy_delayed_refs() even if we don't have any delayed references.
+
+Reported-by: syzbot+0fecc032fa134afd49df@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/linux-btrfs/0000000000004e7f980619f91835@google.com/
+Fixes: 81f7eb00ff5b ("btrfs: destroy qgroup extent records on transaction abort")
+CC: stable@vger.kernel.org # 6.1+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/disk-io.c | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
+index c1dfde886b1e3..092ebed754b0c 100644
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -4707,19 +4707,11 @@ static int btrfs_destroy_delayed_refs(struct btrfs_transaction *trans,
+ struct btrfs_fs_info *fs_info)
+ {
+ struct rb_node *node;
+- struct btrfs_delayed_ref_root *delayed_refs;
++ struct btrfs_delayed_ref_root *delayed_refs = &trans->delayed_refs;
+ struct btrfs_delayed_ref_node *ref;
+ int ret = 0;
+
+- delayed_refs = &trans->delayed_refs;
+-
+ spin_lock(&delayed_refs->lock);
+- if (atomic_read(&delayed_refs->num_entries) == 0) {
+- spin_unlock(&delayed_refs->lock);
+- btrfs_debug(fs_info, "delayed_refs has NO entry");
+- return ret;
+- }
+-
+ while ((node = rb_first_cached(&delayed_refs->href_root)) != NULL) {
+ struct btrfs_delayed_ref_head *head;
+ struct rb_node *n;
+--
+2.43.0
+
--- /dev/null
+From ad9e4137a36db6cf7391c2f51b2fe9cd6ab0911a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Mar 2022 14:43:17 -0700
+Subject: cma: factor out minimum alignment requirement
+
+From: David Hildenbrand <david@redhat.com>
+
+[ Upstream commit e16faf26780fc0c8dd693ea9ee8420a7706cb2f5 ]
+
+Patch series "mm: enforce pageblock_order < MAX_ORDER".
+
+Having pageblock_order >= MAX_ORDER seems to be able to happen in corner
+cases and some parts of the kernel are not prepared for it.
+
+For example, Aneesh has shown [1] that such kernels can be compiled on
+ppc64 with 64k base pages by setting FORCE_MAX_ZONEORDER=8, which will
+run into a WARN_ON_ONCE(order >= MAX_ORDER) in comapction code right
+during boot.
+
+We can get pageblock_order >= MAX_ORDER when the default hugetlb size is
+bigger than the maximum allocation granularity of the buddy, in which
+case we are no longer talking about huge pages but instead gigantic
+pages.
+
+Having pageblock_order >= MAX_ORDER can only make alloc_contig_range()
+of such gigantic pages more likely to succeed.
+
+Reliable use of gigantic pages either requires boot time allcoation or
+CMA, no need to overcomplicate some places in the kernel to optimize for
+corner cases that are broken in other areas of the kernel.
+
+This patch (of 2):
+
+Let's enforce pageblock_order < MAX_ORDER and simplify.
+
+Especially patch #1 can be regarded a cleanup before:
+ [PATCH v5 0/6] Use pageblock_order for cma and alloc_contig_range
+ alignment. [2]
+
+[1] https://lkml.kernel.org/r/87r189a2ks.fsf@linux.ibm.com
+[2] https://lkml.kernel.org/r/20220211164135.1803616-1-zi.yan@sent.com
+
+Link: https://lkml.kernel.org/r/20220214174132.219303-2-david@redhat.com
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Zi Yan <ziy@nvidia.com>
+Acked-by: Rob Herring <robh@kernel.org>
+Cc: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Frank Rowand <frowand.list@gmail.com>
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Marek Szyprowski <m.szyprowski@samsung.com>
+Cc: Robin Murphy <robin.murphy@arm.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Vlastimil Babka <vbabka@suse.cz>
+Cc: John Garry via iommu <iommu@lists.linux-foundation.org>
+
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Stable-dep-of: b174f139bdc8 ("mm/cma: drop incorrect alignment check in cma_init_reserved_mem")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/include/asm/fadump-internal.h | 5 -----
+ arch/powerpc/kernel/fadump.c | 2 +-
+ drivers/of/of_reserved_mem.c | 9 +++------
+ include/linux/cma.h | 9 +++++++++
+ kernel/dma/contiguous.c | 4 +---
+ mm/cma.c | 20 +++++---------------
+ 6 files changed, 19 insertions(+), 30 deletions(-)
+
+diff --git a/arch/powerpc/include/asm/fadump-internal.h b/arch/powerpc/include/asm/fadump-internal.h
+index 8d61c8f3fec47..d06b2be645326 100644
+--- a/arch/powerpc/include/asm/fadump-internal.h
++++ b/arch/powerpc/include/asm/fadump-internal.h
+@@ -19,11 +19,6 @@
+
+ #define memblock_num_regions(memblock_type) (memblock.memblock_type.cnt)
+
+-/* Alignment per CMA requirement. */
+-#define FADUMP_CMA_ALIGNMENT (PAGE_SIZE << \
+- max_t(unsigned long, MAX_ORDER - 1, \
+- pageblock_order))
+-
+ /* FAD commands */
+ #define FADUMP_REGISTER 1
+ #define FADUMP_UNREGISTER 2
+diff --git a/arch/powerpc/kernel/fadump.c b/arch/powerpc/kernel/fadump.c
+index d496dc5151aa1..35b142ad0e40e 100644
+--- a/arch/powerpc/kernel/fadump.c
++++ b/arch/powerpc/kernel/fadump.c
+@@ -544,7 +544,7 @@ int __init fadump_reserve_mem(void)
+ if (!fw_dump.nocma) {
+ fw_dump.boot_memory_size =
+ ALIGN(fw_dump.boot_memory_size,
+- FADUMP_CMA_ALIGNMENT);
++ CMA_MIN_ALIGNMENT_BYTES);
+ }
+ #endif
+
+diff --git a/drivers/of/of_reserved_mem.c b/drivers/of/of_reserved_mem.c
+index 9e949ddcb1464..6ec668ae2d6fa 100644
+--- a/drivers/of/of_reserved_mem.c
++++ b/drivers/of/of_reserved_mem.c
+@@ -22,6 +22,7 @@
+ #include <linux/slab.h>
+ #include <linux/memblock.h>
+ #include <linux/kmemleak.h>
++#include <linux/cma.h>
+
+ #include "of_private.h"
+
+@@ -117,12 +118,8 @@ static int __init __reserved_mem_alloc_size(unsigned long node,
+ if (IS_ENABLED(CONFIG_CMA)
+ && of_flat_dt_is_compatible(node, "shared-dma-pool")
+ && of_get_flat_dt_prop(node, "reusable", NULL)
+- && !nomap) {
+- unsigned long order =
+- max_t(unsigned long, MAX_ORDER - 1, pageblock_order);
+-
+- align = max(align, (phys_addr_t)PAGE_SIZE << order);
+- }
++ && !nomap)
++ align = max_t(phys_addr_t, align, CMA_MIN_ALIGNMENT_BYTES);
+
+ prop = of_get_flat_dt_prop(node, "alloc-ranges", &len);
+ if (prop) {
+diff --git a/include/linux/cma.h b/include/linux/cma.h
+index 53fd8c3cdbd04..1b302e204c09b 100644
+--- a/include/linux/cma.h
++++ b/include/linux/cma.h
+@@ -20,6 +20,15 @@
+
+ #define CMA_MAX_NAME 64
+
++/*
++ * TODO: once the buddy -- especially pageblock merging and alloc_contig_range()
++ * -- can deal with only some pageblocks of a higher-order page being
++ * MIGRATE_CMA, we can use pageblock_nr_pages.
++ */
++#define CMA_MIN_ALIGNMENT_PAGES max_t(phys_addr_t, MAX_ORDER_NR_PAGES, \
++ pageblock_nr_pages)
++#define CMA_MIN_ALIGNMENT_BYTES (PAGE_SIZE * CMA_MIN_ALIGNMENT_PAGES)
++
+ struct cma;
+
+ extern unsigned long totalcma_pages;
+diff --git a/kernel/dma/contiguous.c b/kernel/dma/contiguous.c
+index 3d63d91cba5cf..6ea80ae426228 100644
+--- a/kernel/dma/contiguous.c
++++ b/kernel/dma/contiguous.c
+@@ -399,8 +399,6 @@ static const struct reserved_mem_ops rmem_cma_ops = {
+
+ static int __init rmem_cma_setup(struct reserved_mem *rmem)
+ {
+- phys_addr_t align = PAGE_SIZE << max(MAX_ORDER - 1, pageblock_order);
+- phys_addr_t mask = align - 1;
+ unsigned long node = rmem->fdt_node;
+ bool default_cma = of_get_flat_dt_prop(node, "linux,cma-default", NULL);
+ struct cma *cma;
+@@ -416,7 +414,7 @@ static int __init rmem_cma_setup(struct reserved_mem *rmem)
+ of_get_flat_dt_prop(node, "no-map", NULL))
+ return -EINVAL;
+
+- if ((rmem->base & mask) || (rmem->size & mask)) {
++ if (!IS_ALIGNED(rmem->base | rmem->size, CMA_MIN_ALIGNMENT_BYTES)) {
+ pr_err("Reserved memory: incorrect alignment of CMA region\n");
+ return -EINVAL;
+ }
+diff --git a/mm/cma.c b/mm/cma.c
+index 26967c70e9c73..5208aee4f45ad 100644
+--- a/mm/cma.c
++++ b/mm/cma.c
+@@ -169,7 +169,6 @@ int __init cma_init_reserved_mem(phys_addr_t base, phys_addr_t size,
+ struct cma **res_cma)
+ {
+ struct cma *cma;
+- phys_addr_t alignment;
+
+ /* Sanity checks */
+ if (cma_area_count == ARRAY_SIZE(cma_areas)) {
+@@ -180,15 +179,12 @@ int __init cma_init_reserved_mem(phys_addr_t base, phys_addr_t size,
+ if (!size || !memblock_is_region_reserved(base, size))
+ return -EINVAL;
+
+- /* ensure minimal alignment required by mm core */
+- alignment = PAGE_SIZE <<
+- max_t(unsigned long, MAX_ORDER - 1, pageblock_order);
+-
+ /* alignment should be aligned with order_per_bit */
+- if (!IS_ALIGNED(alignment >> PAGE_SHIFT, 1 << order_per_bit))
++ if (!IS_ALIGNED(CMA_MIN_ALIGNMENT_PAGES, 1 << order_per_bit))
+ return -EINVAL;
+
+- if (ALIGN(base, alignment) != base || ALIGN(size, alignment) != size)
++ /* ensure minimal alignment required by mm core */
++ if (!IS_ALIGNED(base | size, CMA_MIN_ALIGNMENT_BYTES))
+ return -EINVAL;
+
+ /*
+@@ -263,14 +259,8 @@ int __init cma_declare_contiguous_nid(phys_addr_t base,
+ if (alignment && !is_power_of_2(alignment))
+ return -EINVAL;
+
+- /*
+- * Sanitise input arguments.
+- * Pages both ends in CMA area could be merged into adjacent unmovable
+- * migratetype page by page allocator's buddy algorithm. In the case,
+- * you couldn't get a contiguous memory, which is not what we want.
+- */
+- alignment = max(alignment, (phys_addr_t)PAGE_SIZE <<
+- max_t(unsigned long, MAX_ORDER - 1, pageblock_order));
++ /* Sanitise input arguments. */
++ alignment = max_t(phys_addr_t, alignment, CMA_MIN_ALIGNMENT_BYTES);
+ if (fixed && base & (alignment - 1)) {
+ ret = -EINVAL;
+ pr_err("Region at %pa must be aligned to %pa bytes\n",
+--
+2.43.0
+
--- /dev/null
+From aa5d2fb014aac47ef4182aca7ff801989be6f6a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Jul 2022 15:25:55 +0800
+Subject: drm/amd/display: Clean up some inconsistent indenting
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+
+[ Upstream commit 1da2fcc435114ea5a65d7e15fc31b4d0ce11113c ]
+
+Eliminate the follow smatch warning:
+
+drivers/gpu/drm/amd/amdgpu/../display/dmub/src/dmub_srv.c:622
+dmub_srv_cmd_execute() warn: inconsistent indenting.
+
+Reported-by: Abaci Robot <abaci@linux.alibaba.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Stable-dep-of: 892b41b16f61 ("drm/amd/display: Fix incorrect DSC instance for MST")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 72 +++++++++----------
+ 1 file changed, 36 insertions(+), 36 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+index ed2f6802b0e20..fc0f6b0089ba0 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+@@ -1315,9 +1315,9 @@ static ssize_t dp_dsc_clock_en_read(struct file *f, char __user *buf,
+
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+- if (pipe_ctx && pipe_ctx->stream &&
+- pipe_ctx->stream->link == aconnector->dc_link)
+- break;
++ if (pipe_ctx && pipe_ctx->stream &&
++ pipe_ctx->stream->link == aconnector->dc_link)
++ break;
+ }
+
+ if (!pipe_ctx) {
+@@ -1421,9 +1421,9 @@ static ssize_t dp_dsc_clock_en_write(struct file *f, const char __user *buf,
+
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+- if (pipe_ctx && pipe_ctx->stream &&
+- pipe_ctx->stream->link == aconnector->dc_link)
+- break;
++ if (pipe_ctx && pipe_ctx->stream &&
++ pipe_ctx->stream->link == aconnector->dc_link)
++ break;
+ }
+
+ if (!pipe_ctx || !pipe_ctx->stream)
+@@ -1506,9 +1506,9 @@ static ssize_t dp_dsc_slice_width_read(struct file *f, char __user *buf,
+
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+- if (pipe_ctx && pipe_ctx->stream &&
+- pipe_ctx->stream->link == aconnector->dc_link)
+- break;
++ if (pipe_ctx && pipe_ctx->stream &&
++ pipe_ctx->stream->link == aconnector->dc_link)
++ break;
+ }
+
+ if (!pipe_ctx) {
+@@ -1610,9 +1610,9 @@ static ssize_t dp_dsc_slice_width_write(struct file *f, const char __user *buf,
+
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+- if (pipe_ctx && pipe_ctx->stream &&
+- pipe_ctx->stream->link == aconnector->dc_link)
+- break;
++ if (pipe_ctx && pipe_ctx->stream &&
++ pipe_ctx->stream->link == aconnector->dc_link)
++ break;
+ }
+
+ if (!pipe_ctx || !pipe_ctx->stream)
+@@ -1695,9 +1695,9 @@ static ssize_t dp_dsc_slice_height_read(struct file *f, char __user *buf,
+
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+- if (pipe_ctx && pipe_ctx->stream &&
+- pipe_ctx->stream->link == aconnector->dc_link)
+- break;
++ if (pipe_ctx && pipe_ctx->stream &&
++ pipe_ctx->stream->link == aconnector->dc_link)
++ break;
+ }
+
+ if (!pipe_ctx) {
+@@ -1799,9 +1799,9 @@ static ssize_t dp_dsc_slice_height_write(struct file *f, const char __user *buf,
+
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+- if (pipe_ctx && pipe_ctx->stream &&
+- pipe_ctx->stream->link == aconnector->dc_link)
+- break;
++ if (pipe_ctx && pipe_ctx->stream &&
++ pipe_ctx->stream->link == aconnector->dc_link)
++ break;
+ }
+
+ if (!pipe_ctx || !pipe_ctx->stream)
+@@ -1880,9 +1880,9 @@ static ssize_t dp_dsc_bits_per_pixel_read(struct file *f, char __user *buf,
+
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+- if (pipe_ctx && pipe_ctx->stream &&
+- pipe_ctx->stream->link == aconnector->dc_link)
+- break;
++ if (pipe_ctx && pipe_ctx->stream &&
++ pipe_ctx->stream->link == aconnector->dc_link)
++ break;
+ }
+
+ if (!pipe_ctx) {
+@@ -1981,9 +1981,9 @@ static ssize_t dp_dsc_bits_per_pixel_write(struct file *f, const char __user *bu
+
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+- if (pipe_ctx && pipe_ctx->stream &&
+- pipe_ctx->stream->link == aconnector->dc_link)
+- break;
++ if (pipe_ctx && pipe_ctx->stream &&
++ pipe_ctx->stream->link == aconnector->dc_link)
++ break;
+ }
+
+ if (!pipe_ctx || !pipe_ctx->stream)
+@@ -2060,9 +2060,9 @@ static ssize_t dp_dsc_pic_width_read(struct file *f, char __user *buf,
+
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+- if (pipe_ctx && pipe_ctx->stream &&
+- pipe_ctx->stream->link == aconnector->dc_link)
+- break;
++ if (pipe_ctx && pipe_ctx->stream &&
++ pipe_ctx->stream->link == aconnector->dc_link)
++ break;
+ }
+
+ if (!pipe_ctx) {
+@@ -2121,9 +2121,9 @@ static ssize_t dp_dsc_pic_height_read(struct file *f, char __user *buf,
+
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+- if (pipe_ctx && pipe_ctx->stream &&
+- pipe_ctx->stream->link == aconnector->dc_link)
+- break;
++ if (pipe_ctx && pipe_ctx->stream &&
++ pipe_ctx->stream->link == aconnector->dc_link)
++ break;
+ }
+
+ if (!pipe_ctx) {
+@@ -2197,9 +2197,9 @@ static ssize_t dp_dsc_chunk_size_read(struct file *f, char __user *buf,
+
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+- if (pipe_ctx && pipe_ctx->stream &&
+- pipe_ctx->stream->link == aconnector->dc_link)
+- break;
++ if (pipe_ctx && pipe_ctx->stream &&
++ pipe_ctx->stream->link == aconnector->dc_link)
++ break;
+ }
+
+ if (!pipe_ctx) {
+@@ -2273,9 +2273,9 @@ static ssize_t dp_dsc_slice_bpg_offset_read(struct file *f, char __user *buf,
+
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+- if (pipe_ctx && pipe_ctx->stream &&
+- pipe_ctx->stream->link == aconnector->dc_link)
+- break;
++ if (pipe_ctx && pipe_ctx->stream &&
++ pipe_ctx->stream->link == aconnector->dc_link)
++ break;
+ }
+
+ if (!pipe_ctx) {
+--
+2.43.0
+
--- /dev/null
+From d0bfe387038bc7b99948146c0ed1e5dccf9c366d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 27 Dec 2022 20:04:15 +0300
+Subject: drm/amd/display: drop unnecessary NULL checks in debugfs
+
+From: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
+
+[ Upstream commit f8e12e770e8049917f82387033b3cf44bc43b915 ]
+
+pipe_ctx pointer cannot be NULL when getting the address of
+an element of the pipe_ctx array. Moreover, the MAX_PIPES is
+defined as 6, so pipe_ctx is not NULL after the loop either.
+
+Detected using the static analysis tool - Svace.
+
+Signed-off-by: Alexey Kodanev <aleksei.kodanev@bell-sw.com>
+Signed-off-by: Hamza Mahfooz <hamza.mahfooz@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Stable-dep-of: 892b41b16f61 ("drm/amd/display: Fix incorrect DSC instance for MST")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 72 +++++--------------
+ 1 file changed, 16 insertions(+), 56 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+index fc0f6b0089ba0..939734eecf709 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+@@ -1315,16 +1315,11 @@ static ssize_t dp_dsc_clock_en_read(struct file *f, char __user *buf,
+
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+- if (pipe_ctx && pipe_ctx->stream &&
++ if (pipe_ctx->stream &&
+ pipe_ctx->stream->link == aconnector->dc_link)
+ break;
+ }
+
+- if (!pipe_ctx) {
+- kfree(rd_buf);
+- return -ENXIO;
+- }
+-
+ dsc = pipe_ctx->stream_res.dsc;
+ if (dsc)
+ dsc->funcs->dsc_read_state(dsc, &dsc_state);
+@@ -1421,12 +1416,12 @@ static ssize_t dp_dsc_clock_en_write(struct file *f, const char __user *buf,
+
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+- if (pipe_ctx && pipe_ctx->stream &&
++ if (pipe_ctx->stream &&
+ pipe_ctx->stream->link == aconnector->dc_link)
+ break;
+ }
+
+- if (!pipe_ctx || !pipe_ctx->stream)
++ if (!pipe_ctx->stream)
+ goto done;
+
+ // Get CRTC state
+@@ -1506,16 +1501,11 @@ static ssize_t dp_dsc_slice_width_read(struct file *f, char __user *buf,
+
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+- if (pipe_ctx && pipe_ctx->stream &&
++ if (pipe_ctx->stream &&
+ pipe_ctx->stream->link == aconnector->dc_link)
+ break;
+ }
+
+- if (!pipe_ctx) {
+- kfree(rd_buf);
+- return -ENXIO;
+- }
+-
+ dsc = pipe_ctx->stream_res.dsc;
+ if (dsc)
+ dsc->funcs->dsc_read_state(dsc, &dsc_state);
+@@ -1610,12 +1600,12 @@ static ssize_t dp_dsc_slice_width_write(struct file *f, const char __user *buf,
+
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+- if (pipe_ctx && pipe_ctx->stream &&
++ if (pipe_ctx->stream &&
+ pipe_ctx->stream->link == aconnector->dc_link)
+ break;
+ }
+
+- if (!pipe_ctx || !pipe_ctx->stream)
++ if (!pipe_ctx->stream)
+ goto done;
+
+ // Safely get CRTC state
+@@ -1695,16 +1685,11 @@ static ssize_t dp_dsc_slice_height_read(struct file *f, char __user *buf,
+
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+- if (pipe_ctx && pipe_ctx->stream &&
++ if (pipe_ctx->stream &&
+ pipe_ctx->stream->link == aconnector->dc_link)
+ break;
+ }
+
+- if (!pipe_ctx) {
+- kfree(rd_buf);
+- return -ENXIO;
+- }
+-
+ dsc = pipe_ctx->stream_res.dsc;
+ if (dsc)
+ dsc->funcs->dsc_read_state(dsc, &dsc_state);
+@@ -1799,12 +1784,12 @@ static ssize_t dp_dsc_slice_height_write(struct file *f, const char __user *buf,
+
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+- if (pipe_ctx && pipe_ctx->stream &&
++ if (pipe_ctx->stream &&
+ pipe_ctx->stream->link == aconnector->dc_link)
+ break;
+ }
+
+- if (!pipe_ctx || !pipe_ctx->stream)
++ if (!pipe_ctx->stream)
+ goto done;
+
+ // Get CRTC state
+@@ -1880,16 +1865,11 @@ static ssize_t dp_dsc_bits_per_pixel_read(struct file *f, char __user *buf,
+
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+- if (pipe_ctx && pipe_ctx->stream &&
++ if (pipe_ctx->stream &&
+ pipe_ctx->stream->link == aconnector->dc_link)
+ break;
+ }
+
+- if (!pipe_ctx) {
+- kfree(rd_buf);
+- return -ENXIO;
+- }
+-
+ dsc = pipe_ctx->stream_res.dsc;
+ if (dsc)
+ dsc->funcs->dsc_read_state(dsc, &dsc_state);
+@@ -1981,12 +1961,12 @@ static ssize_t dp_dsc_bits_per_pixel_write(struct file *f, const char __user *bu
+
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+- if (pipe_ctx && pipe_ctx->stream &&
++ if (pipe_ctx->stream &&
+ pipe_ctx->stream->link == aconnector->dc_link)
+ break;
+ }
+
+- if (!pipe_ctx || !pipe_ctx->stream)
++ if (!pipe_ctx->stream)
+ goto done;
+
+ // Get CRTC state
+@@ -2060,16 +2040,11 @@ static ssize_t dp_dsc_pic_width_read(struct file *f, char __user *buf,
+
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+- if (pipe_ctx && pipe_ctx->stream &&
++ if (pipe_ctx->stream &&
+ pipe_ctx->stream->link == aconnector->dc_link)
+ break;
+ }
+
+- if (!pipe_ctx) {
+- kfree(rd_buf);
+- return -ENXIO;
+- }
+-
+ dsc = pipe_ctx->stream_res.dsc;
+ if (dsc)
+ dsc->funcs->dsc_read_state(dsc, &dsc_state);
+@@ -2121,16 +2096,11 @@ static ssize_t dp_dsc_pic_height_read(struct file *f, char __user *buf,
+
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+- if (pipe_ctx && pipe_ctx->stream &&
++ if (pipe_ctx->stream &&
+ pipe_ctx->stream->link == aconnector->dc_link)
+ break;
+ }
+
+- if (!pipe_ctx) {
+- kfree(rd_buf);
+- return -ENXIO;
+- }
+-
+ dsc = pipe_ctx->stream_res.dsc;
+ if (dsc)
+ dsc->funcs->dsc_read_state(dsc, &dsc_state);
+@@ -2197,16 +2167,11 @@ static ssize_t dp_dsc_chunk_size_read(struct file *f, char __user *buf,
+
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+- if (pipe_ctx && pipe_ctx->stream &&
++ if (pipe_ctx->stream &&
+ pipe_ctx->stream->link == aconnector->dc_link)
+ break;
+ }
+
+- if (!pipe_ctx) {
+- kfree(rd_buf);
+- return -ENXIO;
+- }
+-
+ dsc = pipe_ctx->stream_res.dsc;
+ if (dsc)
+ dsc->funcs->dsc_read_state(dsc, &dsc_state);
+@@ -2273,16 +2238,11 @@ static ssize_t dp_dsc_slice_bpg_offset_read(struct file *f, char __user *buf,
+
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+- if (pipe_ctx && pipe_ctx->stream &&
++ if (pipe_ctx->stream &&
+ pipe_ctx->stream->link == aconnector->dc_link)
+ break;
+ }
+
+- if (!pipe_ctx) {
+- kfree(rd_buf);
+- return -ENXIO;
+- }
+-
+ dsc = pipe_ctx->stream_res.dsc;
+ if (dsc)
+ dsc->funcs->dsc_read_state(dsc, &dsc_state);
+--
+2.43.0
+
--- /dev/null
+From 961b1d2a069a0595b8b3afd8b7094469d9ca1308 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 13 Feb 2024 14:26:06 -0500
+Subject: drm/amd/display: Fix incorrect DSC instance for MST
+
+From: Hersen Wu <hersenxs.wu@amd.com>
+
+[ Upstream commit 892b41b16f6163e6556545835abba668fcab4eea ]
+
+[Why] DSC debugfs, such as dp_dsc_clock_en_read,
+use aconnector->dc_link to find pipe_ctx for display.
+Displays connected to MST hub share the same dc_link.
+DSC instance is from pipe_ctx. This causes incorrect
+DSC instance for display connected to MST hub.
+
+[How] Add aconnector->sink check to find pipe_ctx.
+
+CC: stable@vger.kernel.org
+Reviewed-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Signed-off-by: Hersen Wu <hersenxs.wu@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../amd/display/amdgpu_dm/amdgpu_dm_debugfs.c | 48 ++++++++++++++-----
+ 1 file changed, 36 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+index 939734eecf709..8ccd43ec68829 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+@@ -1316,7 +1316,9 @@ static ssize_t dp_dsc_clock_en_read(struct file *f, char __user *buf,
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+ if (pipe_ctx->stream &&
+- pipe_ctx->stream->link == aconnector->dc_link)
++ pipe_ctx->stream->link == aconnector->dc_link &&
++ pipe_ctx->stream->sink &&
++ pipe_ctx->stream->sink == aconnector->dc_sink)
+ break;
+ }
+
+@@ -1417,7 +1419,9 @@ static ssize_t dp_dsc_clock_en_write(struct file *f, const char __user *buf,
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+ if (pipe_ctx->stream &&
+- pipe_ctx->stream->link == aconnector->dc_link)
++ pipe_ctx->stream->link == aconnector->dc_link &&
++ pipe_ctx->stream->sink &&
++ pipe_ctx->stream->sink == aconnector->dc_sink)
+ break;
+ }
+
+@@ -1502,7 +1506,9 @@ static ssize_t dp_dsc_slice_width_read(struct file *f, char __user *buf,
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+ if (pipe_ctx->stream &&
+- pipe_ctx->stream->link == aconnector->dc_link)
++ pipe_ctx->stream->link == aconnector->dc_link &&
++ pipe_ctx->stream->sink &&
++ pipe_ctx->stream->sink == aconnector->dc_sink)
+ break;
+ }
+
+@@ -1601,7 +1607,9 @@ static ssize_t dp_dsc_slice_width_write(struct file *f, const char __user *buf,
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+ if (pipe_ctx->stream &&
+- pipe_ctx->stream->link == aconnector->dc_link)
++ pipe_ctx->stream->link == aconnector->dc_link &&
++ pipe_ctx->stream->sink &&
++ pipe_ctx->stream->sink == aconnector->dc_sink)
+ break;
+ }
+
+@@ -1686,7 +1694,9 @@ static ssize_t dp_dsc_slice_height_read(struct file *f, char __user *buf,
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+ if (pipe_ctx->stream &&
+- pipe_ctx->stream->link == aconnector->dc_link)
++ pipe_ctx->stream->link == aconnector->dc_link &&
++ pipe_ctx->stream->sink &&
++ pipe_ctx->stream->sink == aconnector->dc_sink)
+ break;
+ }
+
+@@ -1785,7 +1795,9 @@ static ssize_t dp_dsc_slice_height_write(struct file *f, const char __user *buf,
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+ if (pipe_ctx->stream &&
+- pipe_ctx->stream->link == aconnector->dc_link)
++ pipe_ctx->stream->link == aconnector->dc_link &&
++ pipe_ctx->stream->sink &&
++ pipe_ctx->stream->sink == aconnector->dc_sink)
+ break;
+ }
+
+@@ -1866,7 +1878,9 @@ static ssize_t dp_dsc_bits_per_pixel_read(struct file *f, char __user *buf,
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+ if (pipe_ctx->stream &&
+- pipe_ctx->stream->link == aconnector->dc_link)
++ pipe_ctx->stream->link == aconnector->dc_link &&
++ pipe_ctx->stream->sink &&
++ pipe_ctx->stream->sink == aconnector->dc_sink)
+ break;
+ }
+
+@@ -1962,7 +1976,9 @@ static ssize_t dp_dsc_bits_per_pixel_write(struct file *f, const char __user *bu
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+ if (pipe_ctx->stream &&
+- pipe_ctx->stream->link == aconnector->dc_link)
++ pipe_ctx->stream->link == aconnector->dc_link &&
++ pipe_ctx->stream->sink &&
++ pipe_ctx->stream->sink == aconnector->dc_sink)
+ break;
+ }
+
+@@ -2041,7 +2057,9 @@ static ssize_t dp_dsc_pic_width_read(struct file *f, char __user *buf,
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+ if (pipe_ctx->stream &&
+- pipe_ctx->stream->link == aconnector->dc_link)
++ pipe_ctx->stream->link == aconnector->dc_link &&
++ pipe_ctx->stream->sink &&
++ pipe_ctx->stream->sink == aconnector->dc_sink)
+ break;
+ }
+
+@@ -2097,7 +2115,9 @@ static ssize_t dp_dsc_pic_height_read(struct file *f, char __user *buf,
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+ if (pipe_ctx->stream &&
+- pipe_ctx->stream->link == aconnector->dc_link)
++ pipe_ctx->stream->link == aconnector->dc_link &&
++ pipe_ctx->stream->sink &&
++ pipe_ctx->stream->sink == aconnector->dc_sink)
+ break;
+ }
+
+@@ -2168,7 +2188,9 @@ static ssize_t dp_dsc_chunk_size_read(struct file *f, char __user *buf,
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+ if (pipe_ctx->stream &&
+- pipe_ctx->stream->link == aconnector->dc_link)
++ pipe_ctx->stream->link == aconnector->dc_link &&
++ pipe_ctx->stream->sink &&
++ pipe_ctx->stream->sink == aconnector->dc_sink)
+ break;
+ }
+
+@@ -2239,7 +2261,9 @@ static ssize_t dp_dsc_slice_bpg_offset_read(struct file *f, char __user *buf,
+ for (i = 0; i < MAX_PIPES; i++) {
+ pipe_ctx = &aconnector->dc_link->dc->current_state->res_ctx.pipe_ctx[i];
+ if (pipe_ctx->stream &&
+- pipe_ctx->stream->link == aconnector->dc_link)
++ pipe_ctx->stream->link == aconnector->dc_link &&
++ pipe_ctx->stream->sink &&
++ pipe_ctx->stream->sink == aconnector->dc_sink)
+ break;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From ae2b75cf1443bc3a0d7f3bcbf705251d594ad09c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Sep 2021 19:55:39 -0400
+Subject: drm/amd/display: Handle Y carry-over in VCP X.Y calculation
+
+From: George Shen <george.shen@amd.com>
+
+[ Upstream commit 3626a6aebe62ce7067cdc460c0c644e9445386bb ]
+
+[Why/How]
+Theoretically rare corner case where ceil(Y) results in rounding
+up to an integer. If this happens, the 1 should be carried over to
+the X value.
+
+Reviewed-by: Wenjing Liu <wenjing.liu@amd.com>
+Acked-by: Anson Jacob <Anson.Jacob@amd.com>
+Signed-off-by: George Shen <george.shen@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dcn10/dcn10_stream_encoder.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_stream_encoder.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_stream_encoder.c
+index cf364ae931386..d0799c426a84d 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_stream_encoder.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_stream_encoder.c
+@@ -644,6 +644,12 @@ void enc1_stream_encoder_set_throttled_vcp_size(
+ x),
+ 26));
+
++ // If y rounds up to integer, carry it over to x.
++ if (y >> 26) {
++ x += 1;
++ y = 0;
++ }
++
+ REG_SET_2(DP_MSE_RATE_CNTL, 0,
+ DP_MSE_RATE_X, x,
+ DP_MSE_RATE_Y, y);
+--
+2.43.0
+
--- /dev/null
+From e8887fbea9da99ad55188ba9a0829f88c1d44ef0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 May 2024 03:28:59 +0800
+Subject: ftrace: Fix possible use-after-free issue in ftrace_location()
+
+From: Zheng Yejian <zhengyejian1@huawei.com>
+
+[ Upstream commit e60b613df8b6253def41215402f72986fee3fc8d ]
+
+KASAN reports a bug:
+
+ BUG: KASAN: use-after-free in ftrace_location+0x90/0x120
+ Read of size 8 at addr ffff888141d40010 by task insmod/424
+ CPU: 8 PID: 424 Comm: insmod Tainted: G W 6.9.0-rc2+
+ [...]
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x68/0xa0
+ print_report+0xcf/0x610
+ kasan_report+0xb5/0xe0
+ ftrace_location+0x90/0x120
+ register_kprobe+0x14b/0xa40
+ kprobe_init+0x2d/0xff0 [kprobe_example]
+ do_one_initcall+0x8f/0x2d0
+ do_init_module+0x13a/0x3c0
+ load_module+0x3082/0x33d0
+ init_module_from_file+0xd2/0x130
+ __x64_sys_finit_module+0x306/0x440
+ do_syscall_64+0x68/0x140
+ entry_SYSCALL_64_after_hwframe+0x71/0x79
+
+The root cause is that, in lookup_rec(), ftrace record of some address
+is being searched in ftrace pages of some module, but those ftrace pages
+at the same time is being freed in ftrace_release_mod() as the
+corresponding module is being deleted:
+
+ CPU1 | CPU2
+ register_kprobes() { | delete_module() {
+ check_kprobe_address_safe() { |
+ arch_check_ftrace_location() { |
+ ftrace_location() { |
+ lookup_rec() // USE! | ftrace_release_mod() // Free!
+
+To fix this issue:
+ 1. Hold rcu lock as accessing ftrace pages in ftrace_location_range();
+ 2. Use ftrace_location_range() instead of lookup_rec() in
+ ftrace_location();
+ 3. Call synchronize_rcu() before freeing any ftrace pages both in
+ ftrace_process_locs()/ftrace_release_mod()/ftrace_free_mem().
+
+Link: https://lore.kernel.org/linux-trace-kernel/20240509192859.1273558-1-zhengyejian1@huawei.com
+
+Cc: stable@vger.kernel.org
+Cc: <mhiramat@kernel.org>
+Cc: <mark.rutland@arm.com>
+Cc: <mathieu.desnoyers@efficios.com>
+Fixes: ae6aa16fdc16 ("kprobes: introduce ftrace based optimization")
+Suggested-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/ftrace.c | 39 +++++++++++++++++++++++----------------
+ 1 file changed, 23 insertions(+), 16 deletions(-)
+
+diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
+index 3dce1a107a7c7..780f1c0563f58 100644
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -1566,12 +1566,15 @@ static struct dyn_ftrace *lookup_rec(unsigned long start, unsigned long end)
+ unsigned long ftrace_location_range(unsigned long start, unsigned long end)
+ {
+ struct dyn_ftrace *rec;
++ unsigned long ip = 0;
+
++ rcu_read_lock();
+ rec = lookup_rec(start, end);
+ if (rec)
+- return rec->ip;
++ ip = rec->ip;
++ rcu_read_unlock();
+
+- return 0;
++ return ip;
+ }
+
+ /**
+@@ -1584,25 +1587,22 @@ unsigned long ftrace_location_range(unsigned long start, unsigned long end)
+ */
+ unsigned long ftrace_location(unsigned long ip)
+ {
+- struct dyn_ftrace *rec;
++ unsigned long loc;
+ unsigned long offset;
+ unsigned long size;
+
+- rec = lookup_rec(ip, ip);
+- if (!rec) {
++ loc = ftrace_location_range(ip, ip);
++ if (!loc) {
+ if (!kallsyms_lookup_size_offset(ip, &size, &offset))
+ goto out;
+
+ /* map sym+0 to __fentry__ */
+ if (!offset)
+- rec = lookup_rec(ip, ip + size - 1);
++ loc = ftrace_location_range(ip, ip + size - 1);
+ }
+
+- if (rec)
+- return rec->ip;
+-
+ out:
+- return 0;
++ return loc;
+ }
+
+ /**
+@@ -6325,6 +6325,8 @@ static int ftrace_process_locs(struct module *mod,
+ /* We should have used all pages unless we skipped some */
+ if (pg_unuse) {
+ WARN_ON(!skipped);
++ /* Need to synchronize with ftrace_location_range() */
++ synchronize_rcu();
+ ftrace_free_pages(pg_unuse);
+ }
+ return ret;
+@@ -6507,6 +6509,9 @@ void ftrace_release_mod(struct module *mod)
+ out_unlock:
+ mutex_unlock(&ftrace_lock);
+
++ /* Need to synchronize with ftrace_location_range() */
++ if (tmp_page)
++ synchronize_rcu();
+ for (pg = tmp_page; pg; pg = tmp_page) {
+
+ /* Needs to be called outside of ftrace_lock */
+@@ -6829,6 +6834,7 @@ void ftrace_free_mem(struct module *mod, void *start_ptr, void *end_ptr)
+ unsigned long start = (unsigned long)(start_ptr);
+ unsigned long end = (unsigned long)(end_ptr);
+ struct ftrace_page **last_pg = &ftrace_pages_start;
++ struct ftrace_page *tmp_page = NULL;
+ struct ftrace_page *pg;
+ struct dyn_ftrace *rec;
+ struct dyn_ftrace key;
+@@ -6872,12 +6878,8 @@ void ftrace_free_mem(struct module *mod, void *start_ptr, void *end_ptr)
+ ftrace_update_tot_cnt--;
+ if (!pg->index) {
+ *last_pg = pg->next;
+- if (pg->records) {
+- free_pages((unsigned long)pg->records, pg->order);
+- ftrace_number_of_pages -= 1 << pg->order;
+- }
+- ftrace_number_of_groups--;
+- kfree(pg);
++ pg->next = tmp_page;
++ tmp_page = pg;
+ pg = container_of(last_pg, struct ftrace_page, next);
+ if (!(*last_pg))
+ ftrace_pages = pg;
+@@ -6894,6 +6896,11 @@ void ftrace_free_mem(struct module *mod, void *start_ptr, void *end_ptr)
+ clear_func_from_hashes(func);
+ kfree(func);
+ }
++ /* Need to synchronize with ftrace_location_range() */
++ if (tmp_page) {
++ synchronize_rcu();
++ ftrace_free_pages(tmp_page);
++ }
+ }
+
+ void __init ftrace_free_init_mem(void)
+--
+2.43.0
+
--- /dev/null
+From d4c7d1bb33b84b3c22d3f68f53d01f37f26edcb7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Mar 2024 11:16:32 +1300
+Subject: i2c: acpi: Unbind mux adapters before delete
+
+From: Hamish Martin <hamish.martin@alliedtelesis.co.nz>
+
+[ Upstream commit 3f858bbf04dbac934ac279aaee05d49eb9910051 ]
+
+There is an issue with ACPI overlay table removal specifically related
+to I2C multiplexers.
+
+Consider an ACPI SSDT Overlay that defines a PCA9548 I2C mux on an
+existing I2C bus. When this table is loaded we see the creation of a
+device for the overall PCA9548 chip and 8 further devices - one
+i2c_adapter each for the mux channels. These are all bound to their
+ACPI equivalents via an eventual invocation of acpi_bind_one().
+
+When we unload the SSDT overlay we run into the problem. The ACPI
+devices are deleted as normal via acpi_device_del_work_fn() and the
+acpi_device_del_list.
+
+However, the following warning and stack trace is output as the
+deletion does not go smoothly:
+------------[ cut here ]------------
+kernfs: can not remove 'physical_node', no directory
+WARNING: CPU: 1 PID: 11 at fs/kernfs/dir.c:1674 kernfs_remove_by_name_ns+0xb9/0xc0
+Modules linked in:
+CPU: 1 PID: 11 Comm: kworker/u128:0 Not tainted 6.8.0-rc6+ #1
+Hardware name: congatec AG conga-B7E3/conga-B7E3, BIOS 5.13 05/16/2023
+Workqueue: kacpi_hotplug acpi_device_del_work_fn
+RIP: 0010:kernfs_remove_by_name_ns+0xb9/0xc0
+Code: e4 00 48 89 ef e8 07 71 db ff 5b b8 fe ff ff ff 5d 41 5c 41 5d e9 a7 55 e4 00 0f 0b eb a6 48 c7 c7 f0 38 0d 9d e8 97 0a d5 ff <0f> 0b eb dc 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
+RSP: 0018:ffff9f864008fb28 EFLAGS: 00010286
+RAX: 0000000000000000 RBX: ffff8ef90a8d4940 RCX: 0000000000000000
+RDX: ffff8f000e267d10 RSI: ffff8f000e25c780 RDI: ffff8f000e25c780
+RBP: ffff8ef9186f9870 R08: 0000000000013ffb R09: 00000000ffffbfff
+R10: 00000000ffffbfff R11: ffff8f000e0a0000 R12: ffff9f864008fb50
+R13: ffff8ef90c93dd60 R14: ffff8ef9010d0958 R15: ffff8ef9186f98c8
+FS: 0000000000000000(0000) GS:ffff8f000e240000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f48f5253a08 CR3: 00000003cb82e000 CR4: 00000000003506f0
+Call Trace:
+ <TASK>
+ ? kernfs_remove_by_name_ns+0xb9/0xc0
+ ? __warn+0x7c/0x130
+ ? kernfs_remove_by_name_ns+0xb9/0xc0
+ ? report_bug+0x171/0x1a0
+ ? handle_bug+0x3c/0x70
+ ? exc_invalid_op+0x17/0x70
+ ? asm_exc_invalid_op+0x1a/0x20
+ ? kernfs_remove_by_name_ns+0xb9/0xc0
+ ? kernfs_remove_by_name_ns+0xb9/0xc0
+ acpi_unbind_one+0x108/0x180
+ device_del+0x18b/0x490
+ ? srso_return_thunk+0x5/0x5f
+ ? srso_return_thunk+0x5/0x5f
+ device_unregister+0xd/0x30
+ i2c_del_adapter.part.0+0x1bf/0x250
+ i2c_mux_del_adapters+0xa1/0xe0
+ i2c_device_remove+0x1e/0x80
+ device_release_driver_internal+0x19a/0x200
+ bus_remove_device+0xbf/0x100
+ device_del+0x157/0x490
+ ? __pfx_device_match_fwnode+0x10/0x10
+ ? srso_return_thunk+0x5/0x5f
+ device_unregister+0xd/0x30
+ i2c_acpi_notify+0x10f/0x140
+ notifier_call_chain+0x58/0xd0
+ blocking_notifier_call_chain+0x3a/0x60
+ acpi_device_del_work_fn+0x85/0x1d0
+ process_one_work+0x134/0x2f0
+ worker_thread+0x2f0/0x410
+ ? __pfx_worker_thread+0x10/0x10
+ kthread+0xe3/0x110
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork+0x2f/0x50
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork_asm+0x1b/0x30
+ </TASK>
+---[ end trace 0000000000000000 ]---
+...
+repeated 7 more times, 1 for each channel of the mux
+...
+
+The issue is that the binding of the ACPI devices to their peer I2C
+adapters is not correctly cleaned up. Digging deeper into the issue we
+see that the deletion order is such that the ACPI devices matching the
+mux channel i2c adapters are deleted first during the SSDT overlay
+removal. For each of the channels we see a call to i2c_acpi_notify()
+with ACPI_RECONFIG_DEVICE_REMOVE but, because these devices are not
+actually i2c_clients, nothing is done for them.
+
+Later on, after each of the mux channels has been dealt with, we come
+to delete the i2c_client representing the PCA9548 device. This is the
+call stack we see above, whereby the kernel cleans up the i2c_client
+including destruction of the mux and its channel adapters. At this
+point we do attempt to unbind from the ACPI peers but those peers no
+longer exist and so we hit the kernfs errors.
+
+The fix is to augment i2c_acpi_notify() to handle i2c_adapters. But,
+given that the life cycle of the adapters is linked to the i2c_client,
+instead of deleting the i2c_adapters during the i2c_acpi_notify(), we
+just trigger unbinding of the ACPI device from the adapter device, and
+allow the clean up of the adapter to continue in the way it always has.
+
+Signed-off-by: Hamish Martin <hamish.martin@alliedtelesis.co.nz>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Andi Shyti <andi.shyti@kernel.org>
+Fixes: 525e6fabeae2 ("i2c / ACPI: add support for ACPI reconfigure notifications")
+Cc: <stable@vger.kernel.org> # v4.8+
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/i2c-core-acpi.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c
+index 29a482abf1eed..6ce05441178a3 100644
+--- a/drivers/i2c/i2c-core-acpi.c
++++ b/drivers/i2c/i2c-core-acpi.c
+@@ -424,6 +424,11 @@ static struct i2c_client *i2c_acpi_find_client_by_adev(struct acpi_device *adev)
+ return i2c_find_device_by_fwnode(acpi_fwnode_handle(adev));
+ }
+
++static struct i2c_adapter *i2c_acpi_find_adapter_by_adev(struct acpi_device *adev)
++{
++ return i2c_find_adapter_by_fwnode(acpi_fwnode_handle(adev));
++}
++
+ static int i2c_acpi_notify(struct notifier_block *nb, unsigned long value,
+ void *arg)
+ {
+@@ -450,11 +455,17 @@ static int i2c_acpi_notify(struct notifier_block *nb, unsigned long value,
+ break;
+
+ client = i2c_acpi_find_client_by_adev(adev);
+- if (!client)
+- break;
++ if (client) {
++ i2c_unregister_device(client);
++ put_device(&client->dev);
++ }
++
++ adapter = i2c_acpi_find_adapter_by_adev(adev);
++ if (adapter) {
++ acpi_unbind_one(&adapter->dev);
++ put_device(&adapter->dev);
++ }
+
+- i2c_unregister_device(client);
+- put_device(&client->dev);
+ break;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 6b51c4fd816685f533c92a285f28dd79b97699c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Jan 2023 10:54:21 +0000
+Subject: i2c: add fwnode APIs
+
+From: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+
+[ Upstream commit 373c612d72461ddaea223592df31e62c934aae61 ]
+
+Add fwnode APIs for finding and getting I2C adapters, which will be
+used by the SFP code. These are passed the fwnode corresponding to
+the adapter, and return the I2C adapter. It is the responsibility of
+the caller to find the appropriate fwnode.
+
+We keep the DT and ACPI interfaces, but where appropriate, recode them
+to use the fwnode interfaces internally.
+
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Stable-dep-of: 3f858bbf04db ("i2c: acpi: Unbind mux adapters before delete")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/i2c-core-acpi.c | 13 +----
+ drivers/i2c/i2c-core-base.c | 98 +++++++++++++++++++++++++++++++++++++
+ drivers/i2c/i2c-core-of.c | 66 -------------------------
+ include/linux/i2c.h | 24 +++++++--
+ 4 files changed, 120 insertions(+), 81 deletions(-)
+
+diff --git a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c
+index 546cc935e035a..29a482abf1eed 100644
+--- a/drivers/i2c/i2c-core-acpi.c
++++ b/drivers/i2c/i2c-core-acpi.c
+@@ -421,18 +421,7 @@ EXPORT_SYMBOL_GPL(i2c_acpi_find_adapter_by_handle);
+
+ static struct i2c_client *i2c_acpi_find_client_by_adev(struct acpi_device *adev)
+ {
+- struct device *dev;
+- struct i2c_client *client;
+-
+- dev = bus_find_device_by_acpi_dev(&i2c_bus_type, adev);
+- if (!dev)
+- return NULL;
+-
+- client = i2c_verify_client(dev);
+- if (!client)
+- put_device(dev);
+-
+- return client;
++ return i2c_find_device_by_fwnode(acpi_fwnode_handle(adev));
+ }
+
+ static int i2c_acpi_notify(struct notifier_block *nb, unsigned long value,
+diff --git a/drivers/i2c/i2c-core-base.c b/drivers/i2c/i2c-core-base.c
+index 1810a994c07ca..505eebbc98a09 100644
+--- a/drivers/i2c/i2c-core-base.c
++++ b/drivers/i2c/i2c-core-base.c
+@@ -1009,6 +1009,35 @@ void i2c_unregister_device(struct i2c_client *client)
+ }
+ EXPORT_SYMBOL_GPL(i2c_unregister_device);
+
++/**
++ * i2c_find_device_by_fwnode() - find an i2c_client for the fwnode
++ * @fwnode: &struct fwnode_handle corresponding to the &struct i2c_client
++ *
++ * Look up and return the &struct i2c_client corresponding to the @fwnode.
++ * If no client can be found, or @fwnode is NULL, this returns NULL.
++ *
++ * The user must call put_device(&client->dev) once done with the i2c client.
++ */
++struct i2c_client *i2c_find_device_by_fwnode(struct fwnode_handle *fwnode)
++{
++ struct i2c_client *client;
++ struct device *dev;
++
++ if (!fwnode)
++ return NULL;
++
++ dev = bus_find_device_by_fwnode(&i2c_bus_type, fwnode);
++ if (!dev)
++ return NULL;
++
++ client = i2c_verify_client(dev);
++ if (!client)
++ put_device(dev);
++
++ return client;
++}
++EXPORT_SYMBOL(i2c_find_device_by_fwnode);
++
+
+ static const struct i2c_device_id dummy_id[] = {
+ { "dummy", 0 },
+@@ -1764,6 +1793,75 @@ int devm_i2c_add_adapter(struct device *dev, struct i2c_adapter *adapter)
+ }
+ EXPORT_SYMBOL_GPL(devm_i2c_add_adapter);
+
++static int i2c_dev_or_parent_fwnode_match(struct device *dev, const void *data)
++{
++ if (dev_fwnode(dev) == data)
++ return 1;
++
++ if (dev->parent && dev_fwnode(dev->parent) == data)
++ return 1;
++
++ return 0;
++}
++
++/**
++ * i2c_find_adapter_by_fwnode() - find an i2c_adapter for the fwnode
++ * @fwnode: &struct fwnode_handle corresponding to the &struct i2c_adapter
++ *
++ * Look up and return the &struct i2c_adapter corresponding to the @fwnode.
++ * If no adapter can be found, or @fwnode is NULL, this returns NULL.
++ *
++ * The user must call put_device(&adapter->dev) once done with the i2c adapter.
++ */
++struct i2c_adapter *i2c_find_adapter_by_fwnode(struct fwnode_handle *fwnode)
++{
++ struct i2c_adapter *adapter;
++ struct device *dev;
++
++ if (!fwnode)
++ return NULL;
++
++ dev = bus_find_device(&i2c_bus_type, NULL, fwnode,
++ i2c_dev_or_parent_fwnode_match);
++ if (!dev)
++ return NULL;
++
++ adapter = i2c_verify_adapter(dev);
++ if (!adapter)
++ put_device(dev);
++
++ return adapter;
++}
++EXPORT_SYMBOL(i2c_find_adapter_by_fwnode);
++
++/**
++ * i2c_get_adapter_by_fwnode() - find an i2c_adapter for the fwnode
++ * @fwnode: &struct fwnode_handle corresponding to the &struct i2c_adapter
++ *
++ * Look up and return the &struct i2c_adapter corresponding to the @fwnode,
++ * and increment the adapter module's use count. If no adapter can be found,
++ * or @fwnode is NULL, this returns NULL.
++ *
++ * The user must call i2c_put_adapter(adapter) once done with the i2c adapter.
++ * Note that this is different from i2c_find_adapter_by_node().
++ */
++struct i2c_adapter *i2c_get_adapter_by_fwnode(struct fwnode_handle *fwnode)
++{
++ struct i2c_adapter *adapter;
++
++ adapter = i2c_find_adapter_by_fwnode(fwnode);
++ if (!adapter)
++ return NULL;
++
++ if (!try_module_get(adapter->owner)) {
++ put_device(&adapter->dev);
++ adapter = NULL;
++ }
++
++ return adapter;
++}
++EXPORT_SYMBOL(i2c_get_adapter_by_fwnode);
++
+ static void i2c_parse_timing(struct device *dev, char *prop_name, u32 *cur_val_p,
+ u32 def_val, bool use_def)
+ {
+diff --git a/drivers/i2c/i2c-core-of.c b/drivers/i2c/i2c-core-of.c
+index 3ed74aa4b44bb..bce6b796e04c2 100644
+--- a/drivers/i2c/i2c-core-of.c
++++ b/drivers/i2c/i2c-core-of.c
+@@ -113,72 +113,6 @@ void of_i2c_register_devices(struct i2c_adapter *adap)
+ of_node_put(bus);
+ }
+
+-static int of_dev_or_parent_node_match(struct device *dev, const void *data)
+-{
+- if (dev->of_node == data)
+- return 1;
+-
+- if (dev->parent)
+- return dev->parent->of_node == data;
+-
+- return 0;
+-}
+-
+-/* must call put_device() when done with returned i2c_client device */
+-struct i2c_client *of_find_i2c_device_by_node(struct device_node *node)
+-{
+- struct device *dev;
+- struct i2c_client *client;
+-
+- dev = bus_find_device_by_of_node(&i2c_bus_type, node);
+- if (!dev)
+- return NULL;
+-
+- client = i2c_verify_client(dev);
+- if (!client)
+- put_device(dev);
+-
+- return client;
+-}
+-EXPORT_SYMBOL(of_find_i2c_device_by_node);
+-
+-/* must call put_device() when done with returned i2c_adapter device */
+-struct i2c_adapter *of_find_i2c_adapter_by_node(struct device_node *node)
+-{
+- struct device *dev;
+- struct i2c_adapter *adapter;
+-
+- dev = bus_find_device(&i2c_bus_type, NULL, node,
+- of_dev_or_parent_node_match);
+- if (!dev)
+- return NULL;
+-
+- adapter = i2c_verify_adapter(dev);
+- if (!adapter)
+- put_device(dev);
+-
+- return adapter;
+-}
+-EXPORT_SYMBOL(of_find_i2c_adapter_by_node);
+-
+-/* must call i2c_put_adapter() when done with returned i2c_adapter device */
+-struct i2c_adapter *of_get_i2c_adapter_by_node(struct device_node *node)
+-{
+- struct i2c_adapter *adapter;
+-
+- adapter = of_find_i2c_adapter_by_node(node);
+- if (!adapter)
+- return NULL;
+-
+- if (!try_module_get(adapter->owner)) {
+- put_device(&adapter->dev);
+- adapter = NULL;
+- }
+-
+- return adapter;
+-}
+-EXPORT_SYMBOL(of_get_i2c_adapter_by_node);
+-
+ static const struct of_device_id*
+ i2c_of_match_device_sysfs(const struct of_device_id *matches,
+ struct i2c_client *client)
+diff --git a/include/linux/i2c.h b/include/linux/i2c.h
+index 2ce3efbe9198a..f071a121ed914 100644
+--- a/include/linux/i2c.h
++++ b/include/linux/i2c.h
+@@ -954,15 +954,33 @@ int i2c_handle_smbus_host_notify(struct i2c_adapter *adap, unsigned short addr);
+
+ #endif /* I2C */
+
++/* must call put_device() when done with returned i2c_client device */
++struct i2c_client *i2c_find_device_by_fwnode(struct fwnode_handle *fwnode);
++
++/* must call put_device() when done with returned i2c_adapter device */
++struct i2c_adapter *i2c_find_adapter_by_fwnode(struct fwnode_handle *fwnode);
++
++/* must call i2c_put_adapter() when done with returned i2c_adapter device */
++struct i2c_adapter *i2c_get_adapter_by_fwnode(struct fwnode_handle *fwnode);
++
+ #if IS_ENABLED(CONFIG_OF)
+ /* must call put_device() when done with returned i2c_client device */
+-struct i2c_client *of_find_i2c_device_by_node(struct device_node *node);
++static inline struct i2c_client *of_find_i2c_device_by_node(struct device_node *node)
++{
++ return i2c_find_device_by_fwnode(of_fwnode_handle(node));
++}
+
+ /* must call put_device() when done with returned i2c_adapter device */
+-struct i2c_adapter *of_find_i2c_adapter_by_node(struct device_node *node);
++static inline struct i2c_adapter *of_find_i2c_adapter_by_node(struct device_node *node)
++{
++ return i2c_find_adapter_by_fwnode(of_fwnode_handle(node));
++}
+
+ /* must call i2c_put_adapter() when done with returned i2c_adapter device */
+-struct i2c_adapter *of_get_i2c_adapter_by_node(struct device_node *node);
++static inline struct i2c_adapter *of_get_i2c_adapter_by_node(struct device_node *node)
++{
++ return i2c_get_adapter_by_fwnode(of_fwnode_handle(node));
++}
+
+ const struct of_device_id
+ *i2c_of_match_device(const struct of_device_id *matches,
+--
+2.43.0
+
--- /dev/null
+From 5ec1f0816a672a4ab79c27ec0ab1f6d269ccb84a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Mar 2024 12:37:00 +0100
+Subject: iio: accel: mxc4005: Reset chip on probe() and resume()
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 6b8cffdc4a31e4a72f75ecd1bc13fbf0dafee390 ]
+
+On some designs the chip is not properly reset when powered up at boot or
+after a suspend/resume cycle.
+
+Use the sw-reset feature to ensure that the chip is in a clean state
+after probe() / resume() and in the case of resume() restore the settings
+(scale, trigger-enabled).
+
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218578
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20240326113700.56725-3-hdegoede@redhat.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/accel/mxc4005.c | 68 +++++++++++++++++++++++++++++++++++++
+ 1 file changed, 68 insertions(+)
+
+diff --git a/drivers/iio/accel/mxc4005.c b/drivers/iio/accel/mxc4005.c
+index ffae30e5eb5be..8db5611134da4 100644
+--- a/drivers/iio/accel/mxc4005.c
++++ b/drivers/iio/accel/mxc4005.c
+@@ -5,6 +5,7 @@
+ * Copyright (c) 2014, Intel Corporation.
+ */
+
++#include <linux/delay.h>
+ #include <linux/module.h>
+ #include <linux/i2c.h>
+ #include <linux/iio/iio.h>
+@@ -36,6 +37,7 @@
+
+ #define MXC4005_REG_INT_CLR1 0x01
+ #define MXC4005_REG_INT_CLR1_BIT_DRDYC 0x01
++#define MXC4005_REG_INT_CLR1_SW_RST 0x10
+
+ #define MXC4005_REG_CONTROL 0x0D
+ #define MXC4005_REG_CONTROL_MASK_FSR GENMASK(6, 5)
+@@ -43,6 +45,9 @@
+
+ #define MXC4005_REG_DEVICE_ID 0x0E
+
++/* Datasheet does not specify a reset time, this is a conservative guess */
++#define MXC4005_RESET_TIME_US 2000
++
+ enum mxc4005_axis {
+ AXIS_X,
+ AXIS_Y,
+@@ -66,6 +71,8 @@ struct mxc4005_data {
+ s64 timestamp __aligned(8);
+ } scan;
+ bool trigger_enabled;
++ unsigned int control;
++ unsigned int int_mask1;
+ };
+
+ /*
+@@ -349,6 +356,7 @@ static int mxc4005_set_trigger_state(struct iio_trigger *trig,
+ return ret;
+ }
+
++ data->int_mask1 = val;
+ data->trigger_enabled = state;
+ mutex_unlock(&data->mutex);
+
+@@ -384,6 +392,13 @@ static int mxc4005_chip_init(struct mxc4005_data *data)
+
+ dev_dbg(data->dev, "MXC4005 chip id %02x\n", reg);
+
++ ret = regmap_write(data->regmap, MXC4005_REG_INT_CLR1,
++ MXC4005_REG_INT_CLR1_SW_RST);
++ if (ret < 0)
++ return dev_err_probe(data->dev, ret, "resetting chip\n");
++
++ fsleep(MXC4005_RESET_TIME_US);
++
+ ret = regmap_write(data->regmap, MXC4005_REG_INT_MASK0, 0);
+ if (ret < 0)
+ return dev_err_probe(data->dev, ret, "writing INT_MASK0\n");
+@@ -480,6 +495,58 @@ static int mxc4005_probe(struct i2c_client *client,
+ return devm_iio_device_register(&client->dev, indio_dev);
+ }
+
++static int mxc4005_suspend(struct device *dev)
++{
++ struct iio_dev *indio_dev = dev_get_drvdata(dev);
++ struct mxc4005_data *data = iio_priv(indio_dev);
++ int ret;
++
++ /* Save control to restore it on resume */
++ ret = regmap_read(data->regmap, MXC4005_REG_CONTROL, &data->control);
++ if (ret < 0)
++ dev_err(data->dev, "failed to read reg_control\n");
++
++ return ret;
++}
++
++static int mxc4005_resume(struct device *dev)
++{
++ struct iio_dev *indio_dev = dev_get_drvdata(dev);
++ struct mxc4005_data *data = iio_priv(indio_dev);
++ int ret;
++
++ ret = regmap_write(data->regmap, MXC4005_REG_INT_CLR1,
++ MXC4005_REG_INT_CLR1_SW_RST);
++ if (ret) {
++ dev_err(data->dev, "failed to reset chip: %d\n", ret);
++ return ret;
++ }
++
++ fsleep(MXC4005_RESET_TIME_US);
++
++ ret = regmap_write(data->regmap, MXC4005_REG_CONTROL, data->control);
++ if (ret) {
++ dev_err(data->dev, "failed to restore control register\n");
++ return ret;
++ }
++
++ ret = regmap_write(data->regmap, MXC4005_REG_INT_MASK0, 0);
++ if (ret) {
++ dev_err(data->dev, "failed to restore interrupt 0 mask\n");
++ return ret;
++ }
++
++ ret = regmap_write(data->regmap, MXC4005_REG_INT_MASK1, data->int_mask1);
++ if (ret) {
++ dev_err(data->dev, "failed to restore interrupt 1 mask\n");
++ return ret;
++ }
++
++ return 0;
++}
++
++static DEFINE_SIMPLE_DEV_PM_OPS(mxc4005_pm_ops, mxc4005_suspend, mxc4005_resume);
++
+ static const struct acpi_device_id mxc4005_acpi_match[] = {
+ {"MXC4005", 0},
+ {"MXC6655", 0},
+@@ -498,6 +565,7 @@ static struct i2c_driver mxc4005_driver = {
+ .driver = {
+ .name = MXC4005_DRV_NAME,
+ .acpi_match_table = ACPI_PTR(mxc4005_acpi_match),
++ .pm = pm_sleep_ptr(&mxc4005_pm_ops),
+ },
+ .probe = mxc4005_probe,
+ .id_table = mxc4005_id,
+--
+2.43.0
+
--- /dev/null
+From 04c9445b5ceb19ca07135611ecd02104fb94ff93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jun 2024 19:35:49 +0000
+Subject: ipv6: fix possible race in __fib6_drop_pcpu_from()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b01e1c030770ff3b4fe37fc7cc6bca03f594133f ]
+
+syzbot found a race in __fib6_drop_pcpu_from() [1]
+
+If compiler reads more than once (*ppcpu_rt),
+second read could read NULL, if another cpu clears
+the value in rt6_get_pcpu_route().
+
+Add a READ_ONCE() to prevent this race.
+
+Also add rcu_read_lock()/rcu_read_unlock() because
+we rely on RCU protection while dereferencing pcpu_rt.
+
+[1]
+
+Oops: general protection fault, probably for non-canonical address 0xdffffc0000000012: 0000 [#1] PREEMPT SMP KASAN PTI
+KASAN: null-ptr-deref in range [0x0000000000000090-0x0000000000000097]
+CPU: 0 PID: 7543 Comm: kworker/u8:17 Not tainted 6.10.0-rc1-syzkaller-00013-g2bfcfd584ff5 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
+Workqueue: netns cleanup_net
+ RIP: 0010:__fib6_drop_pcpu_from.part.0+0x10a/0x370 net/ipv6/ip6_fib.c:984
+Code: f8 48 c1 e8 03 80 3c 28 00 0f 85 16 02 00 00 4d 8b 3f 4d 85 ff 74 31 e8 74 a7 fa f7 49 8d bf 90 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c 28 00 0f 85 1e 02 00 00 49 8b 87 90 00 00 00 48 8b 0c 24 48
+RSP: 0018:ffffc900040df070 EFLAGS: 00010206
+RAX: 0000000000000012 RBX: 0000000000000001 RCX: ffffffff89932e16
+RDX: ffff888049dd1e00 RSI: ffffffff89932d7c RDI: 0000000000000091
+RBP: dffffc0000000000 R08: 0000000000000005 R09: 0000000000000007
+R10: 0000000000000001 R11: 0000000000000006 R12: ffff88807fa080b8
+R13: fffffbfff1a9a07d R14: ffffed100ff41022 R15: 0000000000000001
+FS: 0000000000000000(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000001b32c26000 CR3: 000000005d56e000 CR4: 00000000003526f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ __fib6_drop_pcpu_from net/ipv6/ip6_fib.c:966 [inline]
+ fib6_drop_pcpu_from net/ipv6/ip6_fib.c:1027 [inline]
+ fib6_purge_rt+0x7f2/0x9f0 net/ipv6/ip6_fib.c:1038
+ fib6_del_route net/ipv6/ip6_fib.c:1998 [inline]
+ fib6_del+0xa70/0x17b0 net/ipv6/ip6_fib.c:2043
+ fib6_clean_node+0x426/0x5b0 net/ipv6/ip6_fib.c:2205
+ fib6_walk_continue+0x44f/0x8d0 net/ipv6/ip6_fib.c:2127
+ fib6_walk+0x182/0x370 net/ipv6/ip6_fib.c:2175
+ fib6_clean_tree+0xd7/0x120 net/ipv6/ip6_fib.c:2255
+ __fib6_clean_all+0x100/0x2d0 net/ipv6/ip6_fib.c:2271
+ rt6_sync_down_dev net/ipv6/route.c:4906 [inline]
+ rt6_disable_ip+0x7ed/0xa00 net/ipv6/route.c:4911
+ addrconf_ifdown.isra.0+0x117/0x1b40 net/ipv6/addrconf.c:3855
+ addrconf_notify+0x223/0x19e0 net/ipv6/addrconf.c:3778
+ notifier_call_chain+0xb9/0x410 kernel/notifier.c:93
+ call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1992
+ call_netdevice_notifiers_extack net/core/dev.c:2030 [inline]
+ call_netdevice_notifiers net/core/dev.c:2044 [inline]
+ dev_close_many+0x333/0x6a0 net/core/dev.c:1585
+ unregister_netdevice_many_notify+0x46d/0x19f0 net/core/dev.c:11193
+ unregister_netdevice_many net/core/dev.c:11276 [inline]
+ default_device_exit_batch+0x85b/0xae0 net/core/dev.c:11759
+ ops_exit_list+0x128/0x180 net/core/net_namespace.c:178
+ cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640
+ process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231
+ process_scheduled_works kernel/workqueue.c:3312 [inline]
+ worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393
+ kthread+0x2c1/0x3a0 kernel/kthread.c:389
+ ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
+
+Fixes: d52d3997f843 ("ipv6: Create percpu rt6_info")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Martin KaFai Lau <kafai@fb.com>
+Link: https://lore.kernel.org/r/20240604193549.981839-1-edumazet@google.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ip6_fib.c | 6 +++++-
+ net/ipv6/route.c | 1 +
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
+index c0ff5ee490e7b..7d09193c14445 100644
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -961,6 +961,7 @@ static void __fib6_drop_pcpu_from(struct fib6_nh *fib6_nh,
+ if (!fib6_nh->rt6i_pcpu)
+ return;
+
++ rcu_read_lock();
+ /* release the reference to this fib entry from
+ * all of its cached pcpu routes
+ */
+@@ -969,7 +970,9 @@ static void __fib6_drop_pcpu_from(struct fib6_nh *fib6_nh,
+ struct rt6_info *pcpu_rt;
+
+ ppcpu_rt = per_cpu_ptr(fib6_nh->rt6i_pcpu, cpu);
+- pcpu_rt = *ppcpu_rt;
++
++ /* Paired with xchg() in rt6_get_pcpu_route() */
++ pcpu_rt = READ_ONCE(*ppcpu_rt);
+
+ /* only dropping the 'from' reference if the cached route
+ * is using 'match'. The cached pcpu_rt->from only changes
+@@ -983,6 +986,7 @@ static void __fib6_drop_pcpu_from(struct fib6_nh *fib6_nh,
+ fib6_info_release(from);
+ }
+ }
++ rcu_read_unlock();
+ }
+
+ struct fib6_nh_pcpu_arg {
+diff --git a/net/ipv6/route.c b/net/ipv6/route.c
+index 3bc3a30363e19..2c60270c5798b 100644
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -1398,6 +1398,7 @@ static struct rt6_info *rt6_get_pcpu_route(const struct fib6_result *res)
+ struct rt6_info *prev, **p;
+
+ p = this_cpu_ptr(res->nh->rt6i_pcpu);
++ /* Paired with READ_ONCE() in __fib6_drop_pcpu_from() */
+ prev = xchg(p, NULL);
+ if (prev) {
+ dst_dev_put(&prev->dst);
+--
+2.43.0
+
--- /dev/null
+From 93568aa9547731c6c2711c5caa0d7a8c76e3787f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 31 May 2024 13:26:34 +0000
+Subject: ipv6: sr: block BH in seg6_output_core() and seg6_input_core()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit c0b98ac1cc104f48763cdb27b1e9ac25fd81fc90 ]
+
+As explained in commit 1378817486d6 ("tipc: block BH
+before using dst_cache"), net/core/dst_cache.c
+helpers need to be called with BH disabled.
+
+Disabling preemption in seg6_output_core() is not good enough,
+because seg6_output_core() is called from process context,
+lwtunnel_output() only uses rcu_read_lock().
+
+We might be interrupted by a softirq, re-enter seg6_output_core()
+and corrupt dst_cache data structures.
+
+Fix the race by using local_bh_disable() instead of
+preempt_disable().
+
+Apply a similar change in seg6_input_core().
+
+Fixes: fa79581ea66c ("ipv6: sr: fix several BUGs when preemption is enabled")
+Fixes: 6c8702c60b88 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: David Lebrun <dlebrun@google.com>
+Acked-by: Paolo Abeni <pabeni@redhat.com>
+Link: https://lore.kernel.org/r/20240531132636.2637995-4-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/seg6_iptunnel.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/net/ipv6/seg6_iptunnel.c b/net/ipv6/seg6_iptunnel.c
+index f98bb719190be..135712649d25f 100644
+--- a/net/ipv6/seg6_iptunnel.c
++++ b/net/ipv6/seg6_iptunnel.c
+@@ -332,9 +332,8 @@ static int seg6_input_core(struct net *net, struct sock *sk,
+
+ slwt = seg6_lwt_lwtunnel(orig_dst->lwtstate);
+
+- preempt_disable();
++ local_bh_disable();
+ dst = dst_cache_get(&slwt->cache);
+- preempt_enable();
+
+ skb_dst_drop(skb);
+
+@@ -342,14 +341,13 @@ static int seg6_input_core(struct net *net, struct sock *sk,
+ ip6_route_input(skb);
+ dst = skb_dst(skb);
+ if (!dst->error) {
+- preempt_disable();
+ dst_cache_set_ip6(&slwt->cache, dst,
+ &ipv6_hdr(skb)->saddr);
+- preempt_enable();
+ }
+ } else {
+ skb_dst_set(skb, dst);
+ }
++ local_bh_enable();
+
+ err = skb_cow_head(skb, LL_RESERVED_SPACE(dst->dev));
+ if (unlikely(err))
+@@ -405,9 +403,9 @@ static int seg6_output_core(struct net *net, struct sock *sk,
+
+ slwt = seg6_lwt_lwtunnel(orig_dst->lwtstate);
+
+- preempt_disable();
++ local_bh_disable();
+ dst = dst_cache_get(&slwt->cache);
+- preempt_enable();
++ local_bh_enable();
+
+ if (unlikely(!dst)) {
+ struct ipv6hdr *hdr = ipv6_hdr(skb);
+@@ -427,9 +425,9 @@ static int seg6_output_core(struct net *net, struct sock *sk,
+ goto drop;
+ }
+
+- preempt_disable();
++ local_bh_disable();
+ dst_cache_set_ip6(&slwt->cache, dst, &fl6.saddr);
+- preempt_enable();
++ local_bh_enable();
+ }
+
+ skb_dst_drop(skb);
+--
+2.43.0
+
--- /dev/null
+From 667d7657871bd1a717461173de1518aac7a9233c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Oct 2023 09:18:27 +0200
+Subject: misc/pvpanic: deduplicate common code
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <linux@weissschuh.net>
+
+[ Upstream commit c1426d392aebc51da4944d950d89e483e43f6f14 ]
+
+pvpanic-mmio.c and pvpanic-pci.c share a lot of code.
+Refactor it into pvpanic.c where it doesn't have to be kept in sync
+manually and where the core logic can be understood more easily.
+
+No functional change.
+
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Link: https://lore.kernel.org/r/20231011-pvpanic-cleanup-v2-1-4b21d56f779f@weissschuh.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: ee59be35d7a8 ("misc/pvpanic-pci: register attributes via pci_driver")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/pvpanic/pvpanic-mmio.c | 58 +---------------------
+ drivers/misc/pvpanic/pvpanic-pci.c | 58 +---------------------
+ drivers/misc/pvpanic/pvpanic.c | 76 ++++++++++++++++++++++++++++-
+ drivers/misc/pvpanic/pvpanic.h | 10 +---
+ 4 files changed, 80 insertions(+), 122 deletions(-)
+
+diff --git a/drivers/misc/pvpanic/pvpanic-mmio.c b/drivers/misc/pvpanic/pvpanic-mmio.c
+index eb97167c03fb4..9715798acce3d 100644
+--- a/drivers/misc/pvpanic/pvpanic-mmio.c
++++ b/drivers/misc/pvpanic/pvpanic-mmio.c
+@@ -24,52 +24,9 @@ MODULE_AUTHOR("Hu Tao <hutao@cn.fujitsu.com>");
+ MODULE_DESCRIPTION("pvpanic-mmio device driver");
+ MODULE_LICENSE("GPL");
+
+-static ssize_t capability_show(struct device *dev, struct device_attribute *attr, char *buf)
+-{
+- struct pvpanic_instance *pi = dev_get_drvdata(dev);
+-
+- return sysfs_emit(buf, "%x\n", pi->capability);
+-}
+-static DEVICE_ATTR_RO(capability);
+-
+-static ssize_t events_show(struct device *dev, struct device_attribute *attr, char *buf)
+-{
+- struct pvpanic_instance *pi = dev_get_drvdata(dev);
+-
+- return sysfs_emit(buf, "%x\n", pi->events);
+-}
+-
+-static ssize_t events_store(struct device *dev, struct device_attribute *attr,
+- const char *buf, size_t count)
+-{
+- struct pvpanic_instance *pi = dev_get_drvdata(dev);
+- unsigned int tmp;
+- int err;
+-
+- err = kstrtouint(buf, 16, &tmp);
+- if (err)
+- return err;
+-
+- if ((tmp & pi->capability) != tmp)
+- return -EINVAL;
+-
+- pi->events = tmp;
+-
+- return count;
+-}
+-static DEVICE_ATTR_RW(events);
+-
+-static struct attribute *pvpanic_mmio_dev_attrs[] = {
+- &dev_attr_capability.attr,
+- &dev_attr_events.attr,
+- NULL
+-};
+-ATTRIBUTE_GROUPS(pvpanic_mmio_dev);
+-
+ static int pvpanic_mmio_probe(struct platform_device *pdev)
+ {
+ struct device *dev = &pdev->dev;
+- struct pvpanic_instance *pi;
+ struct resource *res;
+ void __iomem *base;
+
+@@ -92,18 +49,7 @@ static int pvpanic_mmio_probe(struct platform_device *pdev)
+ return -EINVAL;
+ }
+
+- pi = devm_kmalloc(dev, sizeof(*pi), GFP_KERNEL);
+- if (!pi)
+- return -ENOMEM;
+-
+- pi->base = base;
+- pi->capability = PVPANIC_PANICKED | PVPANIC_CRASH_LOADED;
+-
+- /* initialize capability by RDPT */
+- pi->capability &= ioread8(base);
+- pi->events = pi->capability;
+-
+- return devm_pvpanic_probe(dev, pi);
++ return devm_pvpanic_probe(dev, base);
+ }
+
+ static const struct of_device_id pvpanic_mmio_match[] = {
+@@ -123,7 +69,7 @@ static struct platform_driver pvpanic_mmio_driver = {
+ .name = "pvpanic-mmio",
+ .of_match_table = pvpanic_mmio_match,
+ .acpi_match_table = pvpanic_device_ids,
+- .dev_groups = pvpanic_mmio_dev_groups,
++ .dev_groups = pvpanic_dev_groups,
+ },
+ .probe = pvpanic_mmio_probe,
+ };
+diff --git a/drivers/misc/pvpanic/pvpanic-pci.c b/drivers/misc/pvpanic/pvpanic-pci.c
+index 07eddb5ea30fa..689af4c28c2a9 100644
+--- a/drivers/misc/pvpanic/pvpanic-pci.c
++++ b/drivers/misc/pvpanic/pvpanic-pci.c
+@@ -22,51 +22,8 @@ MODULE_AUTHOR("Mihai Carabas <mihai.carabas@oracle.com>");
+ MODULE_DESCRIPTION("pvpanic device driver");
+ MODULE_LICENSE("GPL");
+
+-static ssize_t capability_show(struct device *dev, struct device_attribute *attr, char *buf)
+-{
+- struct pvpanic_instance *pi = dev_get_drvdata(dev);
+-
+- return sysfs_emit(buf, "%x\n", pi->capability);
+-}
+-static DEVICE_ATTR_RO(capability);
+-
+-static ssize_t events_show(struct device *dev, struct device_attribute *attr, char *buf)
+-{
+- struct pvpanic_instance *pi = dev_get_drvdata(dev);
+-
+- return sysfs_emit(buf, "%x\n", pi->events);
+-}
+-
+-static ssize_t events_store(struct device *dev, struct device_attribute *attr,
+- const char *buf, size_t count)
+-{
+- struct pvpanic_instance *pi = dev_get_drvdata(dev);
+- unsigned int tmp;
+- int err;
+-
+- err = kstrtouint(buf, 16, &tmp);
+- if (err)
+- return err;
+-
+- if ((tmp & pi->capability) != tmp)
+- return -EINVAL;
+-
+- pi->events = tmp;
+-
+- return count;
+-}
+-static DEVICE_ATTR_RW(events);
+-
+-static struct attribute *pvpanic_pci_dev_attrs[] = {
+- &dev_attr_capability.attr,
+- &dev_attr_events.attr,
+- NULL
+-};
+-ATTRIBUTE_GROUPS(pvpanic_pci_dev);
+-
+ static int pvpanic_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ {
+- struct pvpanic_instance *pi;
+ void __iomem *base;
+ int ret;
+
+@@ -78,18 +35,7 @@ static int pvpanic_pci_probe(struct pci_dev *pdev, const struct pci_device_id *e
+ if (!base)
+ return -ENOMEM;
+
+- pi = devm_kmalloc(&pdev->dev, sizeof(*pi), GFP_KERNEL);
+- if (!pi)
+- return -ENOMEM;
+-
+- pi->base = base;
+- pi->capability = PVPANIC_PANICKED | PVPANIC_CRASH_LOADED;
+-
+- /* initlize capability by RDPT */
+- pi->capability &= ioread8(base);
+- pi->events = pi->capability;
+-
+- return devm_pvpanic_probe(&pdev->dev, pi);
++ return devm_pvpanic_probe(&pdev->dev, base);
+ }
+
+ static const struct pci_device_id pvpanic_pci_id_tbl[] = {
+@@ -103,7 +49,7 @@ static struct pci_driver pvpanic_pci_driver = {
+ .id_table = pvpanic_pci_id_tbl,
+ .probe = pvpanic_pci_probe,
+ .driver = {
+- .dev_groups = pvpanic_pci_dev_groups,
++ .dev_groups = pvpanic_dev_groups,
+ },
+ };
+ module_pci_driver(pvpanic_pci_driver);
+diff --git a/drivers/misc/pvpanic/pvpanic.c b/drivers/misc/pvpanic/pvpanic.c
+index 049a120063489..305b367e0ce34 100644
+--- a/drivers/misc/pvpanic/pvpanic.c
++++ b/drivers/misc/pvpanic/pvpanic.c
+@@ -7,6 +7,7 @@
+ * Copyright (C) 2021 Oracle.
+ */
+
++#include <linux/device.h>
+ #include <linux/io.h>
+ #include <linux/kernel.h>
+ #include <linux/kexec.h>
+@@ -26,6 +27,13 @@ MODULE_AUTHOR("Mihai Carabas <mihai.carabas@oracle.com>");
+ MODULE_DESCRIPTION("pvpanic device driver");
+ MODULE_LICENSE("GPL");
+
++struct pvpanic_instance {
++ void __iomem *base;
++ unsigned int capability;
++ unsigned int events;
++ struct list_head list;
++};
++
+ static struct list_head pvpanic_list;
+ static spinlock_t pvpanic_lock;
+
+@@ -81,11 +89,75 @@ static void pvpanic_remove(void *param)
+ spin_unlock(&pvpanic_lock);
+ }
+
+-int devm_pvpanic_probe(struct device *dev, struct pvpanic_instance *pi)
++static ssize_t capability_show(struct device *dev, struct device_attribute *attr, char *buf)
++{
++ struct pvpanic_instance *pi = dev_get_drvdata(dev);
++
++ return sysfs_emit(buf, "%x\n", pi->capability);
++}
++static DEVICE_ATTR_RO(capability);
++
++static ssize_t events_show(struct device *dev, struct device_attribute *attr, char *buf)
++{
++ struct pvpanic_instance *pi = dev_get_drvdata(dev);
++
++ return sysfs_emit(buf, "%x\n", pi->events);
++}
++
++static ssize_t events_store(struct device *dev, struct device_attribute *attr,
++ const char *buf, size_t count)
++{
++ struct pvpanic_instance *pi = dev_get_drvdata(dev);
++ unsigned int tmp;
++ int err;
++
++ err = kstrtouint(buf, 16, &tmp);
++ if (err)
++ return err;
++
++ if ((tmp & pi->capability) != tmp)
++ return -EINVAL;
++
++ pi->events = tmp;
++
++ return count;
++}
++static DEVICE_ATTR_RW(events);
++
++static struct attribute *pvpanic_dev_attrs[] = {
++ &dev_attr_capability.attr,
++ &dev_attr_events.attr,
++ NULL
++};
++
++static const struct attribute_group pvpanic_dev_group = {
++ .attrs = pvpanic_dev_attrs,
++};
++
++const struct attribute_group *pvpanic_dev_groups[] = {
++ &pvpanic_dev_group,
++ NULL
++};
++EXPORT_SYMBOL_GPL(pvpanic_dev_groups);
++
++int devm_pvpanic_probe(struct device *dev, void __iomem *base)
+ {
+- if (!pi || !pi->base)
++ struct pvpanic_instance *pi;
++
++ if (!base)
+ return -EINVAL;
+
++ pi = devm_kmalloc(dev, sizeof(*pi), GFP_KERNEL);
++ if (!pi)
++ return -ENOMEM;
++
++ pi->base = base;
++ pi->capability = PVPANIC_PANICKED | PVPANIC_CRASH_LOADED;
++
++ /* initlize capability by RDPT */
++ pi->capability &= ioread8(base);
++ pi->events = pi->capability;
++
+ spin_lock(&pvpanic_lock);
+ list_add(&pi->list, &pvpanic_list);
+ spin_unlock(&pvpanic_lock);
+diff --git a/drivers/misc/pvpanic/pvpanic.h b/drivers/misc/pvpanic/pvpanic.h
+index 4935459517548..46ffb10438adf 100644
+--- a/drivers/misc/pvpanic/pvpanic.h
++++ b/drivers/misc/pvpanic/pvpanic.h
+@@ -8,13 +8,7 @@
+ #ifndef PVPANIC_H_
+ #define PVPANIC_H_
+
+-struct pvpanic_instance {
+- void __iomem *base;
+- unsigned int capability;
+- unsigned int events;
+- struct list_head list;
+-};
+-
+-int devm_pvpanic_probe(struct device *dev, struct pvpanic_instance *pi);
++int devm_pvpanic_probe(struct device *dev, void __iomem *base);
++extern const struct attribute_group *pvpanic_dev_groups[];
+
+ #endif /* PVPANIC_H_ */
+--
+2.43.0
+
--- /dev/null
+From d12d57cd2c7be519b412445578f9d583ff77f91a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 11 Apr 2024 23:33:51 +0200
+Subject: misc/pvpanic-pci: register attributes via pci_driver
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <linux@weissschuh.net>
+
+[ Upstream commit ee59be35d7a8be7fcaa2d61fb89734ab5c25e4ee ]
+
+In __pci_register_driver(), the pci core overwrites the dev_groups field of
+the embedded struct device_driver with the dev_groups from the outer
+struct pci_driver unconditionally.
+
+Set dev_groups in the pci_driver to make sure it is used.
+
+This was broken since the introduction of pvpanic-pci.
+
+Fixes: db3a4f0abefd ("misc/pvpanic: add PCI driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Fixes: ded13b9cfd59 ("PCI: Add support for dev_groups to struct pci_driver")
+Link: https://lore.kernel.org/r/20240411-pvpanic-pci-dev-groups-v1-1-db8cb69f1b09@weissschuh.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/pvpanic/pvpanic-pci.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/misc/pvpanic/pvpanic-pci.c b/drivers/misc/pvpanic/pvpanic-pci.c
+index 689af4c28c2a9..2494725dfacfa 100644
+--- a/drivers/misc/pvpanic/pvpanic-pci.c
++++ b/drivers/misc/pvpanic/pvpanic-pci.c
+@@ -48,8 +48,6 @@ static struct pci_driver pvpanic_pci_driver = {
+ .name = "pvpanic-pci",
+ .id_table = pvpanic_pci_id_tbl,
+ .probe = pvpanic_pci_probe,
+- .driver = {
+- .dev_groups = pvpanic_dev_groups,
+- },
++ .dev_groups = pvpanic_dev_groups,
+ };
+ module_pci_driver(pvpanic_pci_driver);
+--
+2.43.0
+
--- /dev/null
+From 6f73cf81e6438c334ae03321c915e9d376501fd8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 May 2022 18:20:50 -0700
+Subject: mm: avoid unnecessary flush on change_huge_pmd()
+
+From: Nadav Amit <namit@vmware.com>
+
+[ Upstream commit 4f83145721f362c2f4d312edc4755269a2069488 ]
+
+Calls to change_protection_range() on THP can trigger, at least on x86,
+two TLB flushes for one page: one immediately, when pmdp_invalidate() is
+called by change_huge_pmd(), and then another one later (that can be
+batched) when change_protection_range() finishes.
+
+The first TLB flush is only necessary to prevent the dirty bit (and with a
+lesser importance the access bit) from changing while the PTE is modified.
+However, this is not necessary as the x86 CPUs set the dirty-bit
+atomically with an additional check that the PTE is (still) present. One
+caveat is Intel's Knights Landing that has a bug and does not do so.
+
+Leverage this behavior to eliminate the unnecessary TLB flush in
+change_huge_pmd(). Introduce a new arch specific pmdp_invalidate_ad()
+that only invalidates the access and dirty bit from further changes.
+
+Link: https://lkml.kernel.org/r/20220401180821.1986781-4-namit@vmware.com
+Signed-off-by: Nadav Amit <namit@vmware.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Andrew Cooper <andrew.cooper3@citrix.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Peter Xu <peterx@redhat.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Will Deacon <will@kernel.org>
+Cc: Yu Zhao <yuzhao@google.com>
+Cc: Nick Piggin <npiggin@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 3a5a8d343e1c ("mm: fix race between __split_huge_pmd_locked() and GUP-fast")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/pgtable.h | 5 +++++
+ arch/x86/mm/pgtable.c | 10 ++++++++++
+ include/linux/pgtable.h | 20 ++++++++++++++++++++
+ mm/huge_memory.c | 4 ++--
+ mm/pgtable-generic.c | 8 ++++++++
+ 5 files changed, 45 insertions(+), 2 deletions(-)
+
+diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
+index 448cd01eb3ecb..c04be133a6cd7 100644
+--- a/arch/x86/include/asm/pgtable.h
++++ b/arch/x86/include/asm/pgtable.h
+@@ -1146,6 +1146,11 @@ static inline pmd_t pmdp_establish(struct vm_area_struct *vma,
+ }
+ }
+ #endif
++
++#define __HAVE_ARCH_PMDP_INVALIDATE_AD
++extern pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma,
++ unsigned long address, pmd_t *pmdp);
++
+ /*
+ * Page table pages are page-aligned. The lower half of the top
+ * level is used for userspace and the top half for the kernel.
+diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c
+index 3481b35cb4ec7..f16059e9a85e7 100644
+--- a/arch/x86/mm/pgtable.c
++++ b/arch/x86/mm/pgtable.c
+@@ -608,6 +608,16 @@ int pmdp_clear_flush_young(struct vm_area_struct *vma,
+
+ return young;
+ }
++
++pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma, unsigned long address,
++ pmd_t *pmdp)
++{
++ /*
++ * No flush is necessary. Once an invalid PTE is established, the PTE's
++ * access and dirty bits cannot be updated.
++ */
++ return pmdp_establish(vma, address, pmdp, pmd_mkinvalid(*pmdp));
++}
+ #endif
+
+ /**
+diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h
+index d468efcf48f45..952969aa19ec1 100644
+--- a/include/linux/pgtable.h
++++ b/include/linux/pgtable.h
+@@ -562,6 +562,26 @@ extern pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address,
+ pmd_t *pmdp);
+ #endif
+
++#ifndef __HAVE_ARCH_PMDP_INVALIDATE_AD
++
++/*
++ * pmdp_invalidate_ad() invalidates the PMD while changing a transparent
++ * hugepage mapping in the page tables. This function is similar to
++ * pmdp_invalidate(), but should only be used if the access and dirty bits would
++ * not be cleared by the software in the new PMD value. The function ensures
++ * that hardware changes of the access and dirty bits updates would not be lost.
++ *
++ * Doing so can allow in certain architectures to avoid a TLB flush in most
++ * cases. Yet, another TLB flush might be necessary later if the PMD update
++ * itself requires such flush (e.g., if protection was set to be stricter). Yet,
++ * even when a TLB flush is needed because of the update, the caller may be able
++ * to batch these TLB flushing operations, so fewer TLB flush operations are
++ * needed.
++ */
++extern pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma,
++ unsigned long address, pmd_t *pmdp);
++#endif
++
+ #ifndef __HAVE_ARCH_PTE_SAME
+ static inline int pte_same(pte_t pte_a, pte_t pte_b)
+ {
+diff --git a/mm/huge_memory.c b/mm/huge_memory.c
+index 8ab6316d85391..265ef8d1393c5 100644
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -1798,10 +1798,10 @@ int change_huge_pmd(struct mmu_gather *tlb, struct vm_area_struct *vma,
+ * The race makes MADV_DONTNEED miss the huge pmd and don't clear it
+ * which may break userspace.
+ *
+- * pmdp_invalidate() is required to make sure we don't miss
++ * pmdp_invalidate_ad() is required to make sure we don't miss
+ * dirty/young flags set by hardware.
+ */
+- oldpmd = pmdp_invalidate(vma, addr, pmd);
++ oldpmd = pmdp_invalidate_ad(vma, addr, pmd);
+
+ entry = pmd_modify(oldpmd, newprot);
+ if (preserve_write)
+diff --git a/mm/pgtable-generic.c b/mm/pgtable-generic.c
+index 4e640baf97948..b0ce6c7391bf4 100644
+--- a/mm/pgtable-generic.c
++++ b/mm/pgtable-generic.c
+@@ -200,6 +200,14 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address,
+ }
+ #endif
+
++#ifndef __HAVE_ARCH_PMDP_INVALIDATE_AD
++pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma, unsigned long address,
++ pmd_t *pmdp)
++{
++ return pmdp_invalidate(vma, address, pmdp);
++}
++#endif
++
+ #ifndef pmdp_collapse_flush
+ pmd_t pmdp_collapse_flush(struct vm_area_struct *vma, unsigned long address,
+ pmd_t *pmdp)
+--
+2.43.0
+
--- /dev/null
+From f3f649041a190cda4c4b0f15f9898ad8f6653c30 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Apr 2024 16:25:14 +0000
+Subject: mm/cma: drop incorrect alignment check in cma_init_reserved_mem
+
+From: Frank van der Linden <fvdl@google.com>
+
+[ Upstream commit b174f139bdc8aaaf72f5b67ad1bd512c4868a87e ]
+
+cma_init_reserved_mem uses IS_ALIGNED to check if the size represented by
+one bit in the cma allocation bitmask is aligned with
+CMA_MIN_ALIGNMENT_BYTES (pageblock size).
+
+However, this is too strict, as this will fail if order_per_bit >
+pageblock_order, which is a valid configuration.
+
+We could check IS_ALIGNED both ways, but since both numbers are powers of
+two, no check is needed at all.
+
+Link: https://lkml.kernel.org/r/20240404162515.527802-1-fvdl@google.com
+Fixes: de9e14eebf33 ("drivers: dma-contiguous: add initialization from device tree")
+Signed-off-by: Frank van der Linden <fvdl@google.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Cc: Marek Szyprowski <m.szyprowski@samsung.com>
+Cc: Muchun Song <muchun.song@linux.dev>
+Cc: Roman Gushchin <roman.gushchin@linux.dev>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/cma.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/mm/cma.c b/mm/cma.c
+index 5208aee4f45ad..88fbd4f8124d3 100644
+--- a/mm/cma.c
++++ b/mm/cma.c
+@@ -179,10 +179,6 @@ int __init cma_init_reserved_mem(phys_addr_t base, phys_addr_t size,
+ if (!size || !memblock_is_region_reserved(base, size))
+ return -EINVAL;
+
+- /* alignment should be aligned with order_per_bit */
+- if (!IS_ALIGNED(CMA_MIN_ALIGNMENT_PAGES, 1 << order_per_bit))
+- return -EINVAL;
+-
+ /* ensure minimal alignment required by mm core */
+ if (!IS_ALIGNED(base | size, CMA_MIN_ALIGNMENT_BYTES))
+ return -EINVAL;
+--
+2.43.0
+
--- /dev/null
+From dca09ad288fc1dd6652c82f0aa90f993a357f4f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 May 2024 15:33:10 +0100
+Subject: mm: fix race between __split_huge_pmd_locked() and GUP-fast
+
+From: Ryan Roberts <ryan.roberts@arm.com>
+
+[ Upstream commit 3a5a8d343e1cf96eb9971b17cbd4b832ab19b8e7 ]
+
+__split_huge_pmd_locked() can be called for a present THP, devmap or
+(non-present) migration entry. It calls pmdp_invalidate() unconditionally
+on the pmdp and only determines if it is present or not based on the
+returned old pmd. This is a problem for the migration entry case because
+pmd_mkinvalid(), called by pmdp_invalidate() must only be called for a
+present pmd.
+
+On arm64 at least, pmd_mkinvalid() will mark the pmd such that any future
+call to pmd_present() will return true. And therefore any lockless
+pgtable walker could see the migration entry pmd in this state and start
+interpretting the fields as if it were present, leading to BadThings (TM).
+GUP-fast appears to be one such lockless pgtable walker.
+
+x86 does not suffer the above problem, but instead pmd_mkinvalid() will
+corrupt the offset field of the swap entry within the swap pte. See link
+below for discussion of that problem.
+
+Fix all of this by only calling pmdp_invalidate() for a present pmd. And
+for good measure let's add a warning to all implementations of
+pmdp_invalidate[_ad](). I've manually reviewed all other
+pmdp_invalidate[_ad]() call sites and believe all others to be conformant.
+
+This is a theoretical bug found during code review. I don't have any test
+case to trigger it in practice.
+
+Link: https://lkml.kernel.org/r/20240501143310.1381675-1-ryan.roberts@arm.com
+Link: https://lore.kernel.org/all/0dd7827a-6334-439a-8fd0-43c98e6af22b@arm.com/
+Fixes: 84c3fc4e9c56 ("mm: thp: check pmd migration entry in common path")
+Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
+Reviewed-by: Zi Yan <ziy@nvidia.com>
+Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Cc: Andreas Larsson <andreas@gaisler.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Aneesh Kumar K.V <aneesh.kumar@kernel.org>
+Cc: Borislav Petkov (AMD) <bp@alien8.de>
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Christian Borntraeger <borntraeger@linux.ibm.com>
+Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jonathan Corbet <corbet@lwn.net>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Naveen N. Rao <naveen.n.rao@linux.ibm.com>
+Cc: Nicholas Piggin <npiggin@gmail.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Sven Schnelle <svens@linux.ibm.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Will Deacon <will@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/vm/arch_pgtable_helpers.rst | 6 ++-
+ arch/powerpc/mm/book3s64/pgtable.c | 1 +
+ arch/s390/include/asm/pgtable.h | 4 +-
+ arch/sparc/mm/tlb.c | 1 +
+ arch/x86/mm/pgtable.c | 2 +
+ mm/huge_memory.c | 49 ++++++++++++-----------
+ mm/pgtable-generic.c | 2 +
+ 7 files changed, 39 insertions(+), 26 deletions(-)
+
+diff --git a/Documentation/vm/arch_pgtable_helpers.rst b/Documentation/vm/arch_pgtable_helpers.rst
+index 552567d863b86..b8ae5d040b998 100644
+--- a/Documentation/vm/arch_pgtable_helpers.rst
++++ b/Documentation/vm/arch_pgtable_helpers.rst
+@@ -134,7 +134,8 @@ PMD Page Table Helpers
+ +---------------------------+--------------------------------------------------+
+ | pmd_swp_clear_soft_dirty | Clears a soft dirty swapped PMD |
+ +---------------------------+--------------------------------------------------+
+-| pmd_mkinvalid | Invalidates a mapped PMD [1] |
++| pmd_mkinvalid | Invalidates a present PMD; do not call for |
++| | non-present PMD [1] |
+ +---------------------------+--------------------------------------------------+
+ | pmd_set_huge | Creates a PMD huge mapping |
+ +---------------------------+--------------------------------------------------+
+@@ -190,7 +191,8 @@ PUD Page Table Helpers
+ +---------------------------+--------------------------------------------------+
+ | pud_mkdevmap | Creates a ZONE_DEVICE mapped PUD |
+ +---------------------------+--------------------------------------------------+
+-| pud_mkinvalid | Invalidates a mapped PUD [1] |
++| pud_mkinvalid | Invalidates a present PUD; do not call for |
++| | non-present PUD [1] |
+ +---------------------------+--------------------------------------------------+
+ | pud_set_huge | Creates a PUD huge mapping |
+ +---------------------------+--------------------------------------------------+
+diff --git a/arch/powerpc/mm/book3s64/pgtable.c b/arch/powerpc/mm/book3s64/pgtable.c
+index da15f28c7b13a..3a22e7d970f33 100644
+--- a/arch/powerpc/mm/book3s64/pgtable.c
++++ b/arch/powerpc/mm/book3s64/pgtable.c
+@@ -115,6 +115,7 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address,
+ {
+ unsigned long old_pmd;
+
++ VM_WARN_ON_ONCE(!pmd_present(*pmdp));
+ old_pmd = pmd_hugepage_update(vma->vm_mm, address, pmdp, _PAGE_PRESENT, _PAGE_INVALID);
+ flush_pmd_tlb_range(vma, address, address + HPAGE_PMD_SIZE);
+ return __pmd(old_pmd);
+diff --git a/arch/s390/include/asm/pgtable.h b/arch/s390/include/asm/pgtable.h
+index b61426c9ef178..b65ce0c90dd0e 100644
+--- a/arch/s390/include/asm/pgtable.h
++++ b/arch/s390/include/asm/pgtable.h
+@@ -1625,8 +1625,10 @@ static inline pmd_t pmdp_huge_clear_flush(struct vm_area_struct *vma,
+ static inline pmd_t pmdp_invalidate(struct vm_area_struct *vma,
+ unsigned long addr, pmd_t *pmdp)
+ {
+- pmd_t pmd = __pmd(pmd_val(*pmdp) | _SEGMENT_ENTRY_INVALID);
++ pmd_t pmd;
+
++ VM_WARN_ON_ONCE(!pmd_present(*pmdp));
++ pmd = __pmd(pmd_val(*pmdp) | _SEGMENT_ENTRY_INVALID);
+ return pmdp_xchg_direct(vma->vm_mm, addr, pmdp, pmd);
+ }
+
+diff --git a/arch/sparc/mm/tlb.c b/arch/sparc/mm/tlb.c
+index 9a725547578e8..946f33c1b032f 100644
+--- a/arch/sparc/mm/tlb.c
++++ b/arch/sparc/mm/tlb.c
+@@ -245,6 +245,7 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address,
+ {
+ pmd_t old, entry;
+
++ VM_WARN_ON_ONCE(!pmd_present(*pmdp));
+ entry = __pmd(pmd_val(*pmdp) & ~_PAGE_VALID);
+ old = pmdp_establish(vma, address, pmdp, entry);
+ flush_tlb_range(vma, address, address + HPAGE_PMD_SIZE);
+diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c
+index f16059e9a85e7..5c2be867a2ed9 100644
+--- a/arch/x86/mm/pgtable.c
++++ b/arch/x86/mm/pgtable.c
+@@ -612,6 +612,8 @@ int pmdp_clear_flush_young(struct vm_area_struct *vma,
+ pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma, unsigned long address,
+ pmd_t *pmdp)
+ {
++ VM_WARN_ON_ONCE(!pmd_present(*pmdp));
++
+ /*
+ * No flush is necessary. Once an invalid PTE is established, the PTE's
+ * access and dirty bits cannot be updated.
+diff --git a/mm/huge_memory.c b/mm/huge_memory.c
+index 265ef8d1393c5..99d38f712863b 100644
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -2024,32 +2024,11 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd,
+ return __split_huge_zero_page_pmd(vma, haddr, pmd);
+ }
+
+- /*
+- * Up to this point the pmd is present and huge and userland has the
+- * whole access to the hugepage during the split (which happens in
+- * place). If we overwrite the pmd with the not-huge version pointing
+- * to the pte here (which of course we could if all CPUs were bug
+- * free), userland could trigger a small page size TLB miss on the
+- * small sized TLB while the hugepage TLB entry is still established in
+- * the huge TLB. Some CPU doesn't like that.
+- * See http://support.amd.com/TechDocs/41322_10h_Rev_Gd.pdf, Erratum
+- * 383 on page 105. Intel should be safe but is also warns that it's
+- * only safe if the permission and cache attributes of the two entries
+- * loaded in the two TLB is identical (which should be the case here).
+- * But it is generally safer to never allow small and huge TLB entries
+- * for the same virtual address to be loaded simultaneously. So instead
+- * of doing "pmd_populate(); flush_pmd_tlb_range();" we first mark the
+- * current pmd notpresent (atomically because here the pmd_trans_huge
+- * must remain set at all times on the pmd until the split is complete
+- * for this pmd), then we flush the SMP TLB and finally we write the
+- * non-huge version of the pmd entry with pmd_populate.
+- */
+- old_pmd = pmdp_invalidate(vma, haddr, pmd);
+-
+- pmd_migration = is_pmd_migration_entry(old_pmd);
++ pmd_migration = is_pmd_migration_entry(*pmd);
+ if (unlikely(pmd_migration)) {
+ swp_entry_t entry;
+
++ old_pmd = *pmd;
+ entry = pmd_to_swp_entry(old_pmd);
+ page = pfn_swap_entry_to_page(entry);
+ write = is_writable_migration_entry(entry);
+@@ -2057,6 +2036,30 @@ static void __split_huge_pmd_locked(struct vm_area_struct *vma, pmd_t *pmd,
+ soft_dirty = pmd_swp_soft_dirty(old_pmd);
+ uffd_wp = pmd_swp_uffd_wp(old_pmd);
+ } else {
++ /*
++ * Up to this point the pmd is present and huge and userland has
++ * the whole access to the hugepage during the split (which
++ * happens in place). If we overwrite the pmd with the not-huge
++ * version pointing to the pte here (which of course we could if
++ * all CPUs were bug free), userland could trigger a small page
++ * size TLB miss on the small sized TLB while the hugepage TLB
++ * entry is still established in the huge TLB. Some CPU doesn't
++ * like that. See
++ * http://support.amd.com/TechDocs/41322_10h_Rev_Gd.pdf, Erratum
++ * 383 on page 105. Intel should be safe but is also warns that
++ * it's only safe if the permission and cache attributes of the
++ * two entries loaded in the two TLB is identical (which should
++ * be the case here). But it is generally safer to never allow
++ * small and huge TLB entries for the same virtual address to be
++ * loaded simultaneously. So instead of doing "pmd_populate();
++ * flush_pmd_tlb_range();" we first mark the current pmd
++ * notpresent (atomically because here the pmd_trans_huge must
++ * remain set at all times on the pmd until the split is
++ * complete for this pmd), then we flush the SMP TLB and finally
++ * we write the non-huge version of the pmd entry with
++ * pmd_populate.
++ */
++ old_pmd = pmdp_invalidate(vma, haddr, pmd);
+ page = pmd_page(old_pmd);
+ if (pmd_dirty(old_pmd))
+ SetPageDirty(page);
+diff --git a/mm/pgtable-generic.c b/mm/pgtable-generic.c
+index b0ce6c7391bf4..cc8b11724cf5a 100644
+--- a/mm/pgtable-generic.c
++++ b/mm/pgtable-generic.c
+@@ -194,6 +194,7 @@ pgtable_t pgtable_trans_huge_withdraw(struct mm_struct *mm, pmd_t *pmdp)
+ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address,
+ pmd_t *pmdp)
+ {
++ VM_WARN_ON_ONCE(!pmd_present(*pmdp));
+ pmd_t old = pmdp_establish(vma, address, pmdp, pmd_mkinvalid(*pmdp));
+ flush_pmd_tlb_range(vma, address, address + HPAGE_PMD_SIZE);
+ return old;
+@@ -204,6 +205,7 @@ pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address,
+ pmd_t pmdp_invalidate_ad(struct vm_area_struct *vma, unsigned long address,
+ pmd_t *pmdp)
+ {
++ VM_WARN_ON_ONCE(!pmd_present(*pmdp));
+ return pmdp_invalidate(vma, address, pmdp);
+ }
+ #endif
+--
+2.43.0
+
--- /dev/null
+From 2031c117202f5d2e11b95194e0012d36553e6e78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 May 2022 18:20:50 -0700
+Subject: mm/mprotect: do not flush when not required architecturally
+
+From: Nadav Amit <namit@vmware.com>
+
+[ Upstream commit c9fe66560bf2dc7d109754414e309888cb8c9ba9 ]
+
+Currently, using mprotect() to unprotect a memory region or uffd to
+unprotect a memory region causes a TLB flush. However, in such cases the
+PTE is often not modified (i.e., remain RO) and therefore not TLB flush is
+needed.
+
+Add an arch-specific pte_needs_flush() which tells whether a TLB flush is
+needed based on the old PTE and the new one. Implement an x86
+pte_needs_flush().
+
+Always flush the TLB when it is architecturally needed even when skipping
+a TLB flush might only result in a spurious page-faults by skipping the
+flush.
+
+Even with such conservative manner, we can in the future further refine
+the checks to test whether a PTE is present by only considering the
+architectural _PAGE_PRESENT flag instead of {pte|pmd}_preesnt(). For not
+be careful and use the latter.
+
+Link: https://lkml.kernel.org/r/20220401180821.1986781-3-namit@vmware.com
+Signed-off-by: Nadav Amit <namit@vmware.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Will Deacon <will@kernel.org>
+Cc: Yu Zhao <yuzhao@google.com>
+Cc: Nick Piggin <npiggin@gmail.com>
+Cc: Andrew Cooper <andrew.cooper3@citrix.com>
+Cc: Peter Xu <peterx@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 3a5a8d343e1c ("mm: fix race between __split_huge_pmd_locked() and GUP-fast")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/pgtable_types.h | 2 +
+ arch/x86/include/asm/tlbflush.h | 97 ++++++++++++++++++++++++++++
+ include/asm-generic/tlb.h | 14 ++++
+ mm/huge_memory.c | 9 +--
+ mm/mprotect.c | 3 +-
+ 5 files changed, 120 insertions(+), 5 deletions(-)
+
+diff --git a/arch/x86/include/asm/pgtable_types.h b/arch/x86/include/asm/pgtable_types.h
+index 28e59576c75be..de9e3c635618e 100644
+--- a/arch/x86/include/asm/pgtable_types.h
++++ b/arch/x86/include/asm/pgtable_types.h
+@@ -110,9 +110,11 @@
+ #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
+ #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
+ #define _PAGE_DEVMAP (_AT(u64, 1) << _PAGE_BIT_DEVMAP)
++#define _PAGE_SOFTW4 (_AT(pteval_t, 1) << _PAGE_BIT_SOFTW4)
+ #else
+ #define _PAGE_NX (_AT(pteval_t, 0))
+ #define _PAGE_DEVMAP (_AT(pteval_t, 0))
++#define _PAGE_SOFTW4 (_AT(pteval_t, 0))
+ #endif
+
+ #define _PAGE_PROTNONE (_AT(pteval_t, 1) << _PAGE_BIT_PROTNONE)
+diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
+index b587a9ee9cb25..8be1ff9081728 100644
+--- a/arch/x86/include/asm/tlbflush.h
++++ b/arch/x86/include/asm/tlbflush.h
+@@ -259,6 +259,103 @@ static inline void arch_tlbbatch_add_mm(struct arch_tlbflush_unmap_batch *batch,
+
+ extern void arch_tlbbatch_flush(struct arch_tlbflush_unmap_batch *batch);
+
++static inline bool pte_flags_need_flush(unsigned long oldflags,
++ unsigned long newflags,
++ bool ignore_access)
++{
++ /*
++ * Flags that require a flush when cleared but not when they are set.
++ * Only include flags that would not trigger spurious page-faults.
++ * Non-present entries are not cached. Hardware would set the
++ * dirty/access bit if needed without a fault.
++ */
++ const pteval_t flush_on_clear = _PAGE_DIRTY | _PAGE_PRESENT |
++ _PAGE_ACCESSED;
++ const pteval_t software_flags = _PAGE_SOFTW1 | _PAGE_SOFTW2 |
++ _PAGE_SOFTW3 | _PAGE_SOFTW4;
++ const pteval_t flush_on_change = _PAGE_RW | _PAGE_USER | _PAGE_PWT |
++ _PAGE_PCD | _PAGE_PSE | _PAGE_GLOBAL | _PAGE_PAT |
++ _PAGE_PAT_LARGE | _PAGE_PKEY_BIT0 | _PAGE_PKEY_BIT1 |
++ _PAGE_PKEY_BIT2 | _PAGE_PKEY_BIT3 | _PAGE_NX;
++ unsigned long diff = oldflags ^ newflags;
++
++ BUILD_BUG_ON(flush_on_clear & software_flags);
++ BUILD_BUG_ON(flush_on_clear & flush_on_change);
++ BUILD_BUG_ON(flush_on_change & software_flags);
++
++ /* Ignore software flags */
++ diff &= ~software_flags;
++
++ if (ignore_access)
++ diff &= ~_PAGE_ACCESSED;
++
++ /*
++ * Did any of the 'flush_on_clear' flags was clleared set from between
++ * 'oldflags' and 'newflags'?
++ */
++ if (diff & oldflags & flush_on_clear)
++ return true;
++
++ /* Flush on modified flags. */
++ if (diff & flush_on_change)
++ return true;
++
++ /* Ensure there are no flags that were left behind */
++ if (IS_ENABLED(CONFIG_DEBUG_VM) &&
++ (diff & ~(flush_on_clear | software_flags | flush_on_change))) {
++ VM_WARN_ON_ONCE(1);
++ return true;
++ }
++
++ return false;
++}
++
++/*
++ * pte_needs_flush() checks whether permissions were demoted and require a
++ * flush. It should only be used for userspace PTEs.
++ */
++static inline bool pte_needs_flush(pte_t oldpte, pte_t newpte)
++{
++ /* !PRESENT -> * ; no need for flush */
++ if (!(pte_flags(oldpte) & _PAGE_PRESENT))
++ return false;
++
++ /* PFN changed ; needs flush */
++ if (pte_pfn(oldpte) != pte_pfn(newpte))
++ return true;
++
++ /*
++ * check PTE flags; ignore access-bit; see comment in
++ * ptep_clear_flush_young().
++ */
++ return pte_flags_need_flush(pte_flags(oldpte), pte_flags(newpte),
++ true);
++}
++#define pte_needs_flush pte_needs_flush
++
++/*
++ * huge_pmd_needs_flush() checks whether permissions were demoted and require a
++ * flush. It should only be used for userspace huge PMDs.
++ */
++static inline bool huge_pmd_needs_flush(pmd_t oldpmd, pmd_t newpmd)
++{
++ /* !PRESENT -> * ; no need for flush */
++ if (!(pmd_flags(oldpmd) & _PAGE_PRESENT))
++ return false;
++
++ /* PFN changed ; needs flush */
++ if (pmd_pfn(oldpmd) != pmd_pfn(newpmd))
++ return true;
++
++ /*
++ * check PMD flags; do not ignore access-bit; see
++ * pmdp_clear_flush_young().
++ */
++ return pte_flags_need_flush(pmd_flags(oldpmd), pmd_flags(newpmd),
++ false);
++}
++#define huge_pmd_needs_flush huge_pmd_needs_flush
++
+ #endif /* !MODULE */
+
+ #endif /* _ASM_X86_TLBFLUSH_H */
+diff --git a/include/asm-generic/tlb.h b/include/asm-generic/tlb.h
+index c99710b3027a0..7afde1eff2398 100644
+--- a/include/asm-generic/tlb.h
++++ b/include/asm-generic/tlb.h
+@@ -662,6 +662,20 @@ static inline void tlb_flush_p4d_range(struct mmu_gather *tlb,
+ } while (0)
+ #endif
+
++#ifndef pte_needs_flush
++static inline bool pte_needs_flush(pte_t oldpte, pte_t newpte)
++{
++ return true;
++}
++#endif
++
++#ifndef huge_pmd_needs_flush
++static inline bool huge_pmd_needs_flush(pmd_t oldpmd, pmd_t newpmd)
++{
++ return true;
++}
++#endif
++
+ #endif /* CONFIG_MMU */
+
+ #endif /* _ASM_GENERIC__TLB_H */
+diff --git a/mm/huge_memory.c b/mm/huge_memory.c
+index 661dd29642ebc..8ab6316d85391 100644
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -1726,7 +1726,7 @@ int change_huge_pmd(struct mmu_gather *tlb, struct vm_area_struct *vma,
+ {
+ struct mm_struct *mm = vma->vm_mm;
+ spinlock_t *ptl;
+- pmd_t entry;
++ pmd_t oldpmd, entry;
+ bool preserve_write;
+ int ret;
+ bool prot_numa = cp_flags & MM_CP_PROT_NUMA;
+@@ -1801,9 +1801,9 @@ int change_huge_pmd(struct mmu_gather *tlb, struct vm_area_struct *vma,
+ * pmdp_invalidate() is required to make sure we don't miss
+ * dirty/young flags set by hardware.
+ */
+- entry = pmdp_invalidate(vma, addr, pmd);
++ oldpmd = pmdp_invalidate(vma, addr, pmd);
+
+- entry = pmd_modify(entry, newprot);
++ entry = pmd_modify(oldpmd, newprot);
+ if (preserve_write)
+ entry = pmd_mk_savedwrite(entry);
+ if (uffd_wp) {
+@@ -1820,7 +1820,8 @@ int change_huge_pmd(struct mmu_gather *tlb, struct vm_area_struct *vma,
+ ret = HPAGE_PMD_NR;
+ set_pmd_at(mm, addr, pmd, entry);
+
+- tlb_flush_pmd_range(tlb, addr, HPAGE_PMD_SIZE);
++ if (huge_pmd_needs_flush(oldpmd, entry))
++ tlb_flush_pmd_range(tlb, addr, HPAGE_PMD_SIZE);
+
+ BUG_ON(vma_is_anonymous(vma) && !preserve_write && pmd_write(entry));
+ unlock:
+diff --git a/mm/mprotect.c b/mm/mprotect.c
+index fe1196be9ca28..09c5c448b9e7c 100644
+--- a/mm/mprotect.c
++++ b/mm/mprotect.c
+@@ -141,7 +141,8 @@ static unsigned long change_pte_range(struct mmu_gather *tlb,
+ ptent = pte_mkwrite(ptent);
+ }
+ ptep_modify_prot_commit(vma, addr, pte, oldpte, ptent);
+- tlb_flush_pte_range(tlb, addr, PAGE_SIZE);
++ if (pte_needs_flush(oldpte, ptent))
++ tlb_flush_pte_range(tlb, addr, PAGE_SIZE);
+ pages++;
+ } else if (is_swap_pte(oldpte)) {
+ swp_entry_t entry = pte_to_swp_entry(oldpte);
+--
+2.43.0
+
--- /dev/null
+From 61cba6a6dc1cc6682b9aeff3aff3114f0ff30462 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 May 2022 18:20:50 -0700
+Subject: mm/mprotect: use mmu_gather
+
+From: Nadav Amit <namit@vmware.com>
+
+[ Upstream commit 4a18419f71cdf9155d2d2a6c79546f720978b990 ]
+
+Patch series "mm/mprotect: avoid unnecessary TLB flushes", v6.
+
+This patchset is intended to remove unnecessary TLB flushes during
+mprotect() syscalls. Once this patch-set make it through, similar and
+further optimizations for MADV_COLD and userfaultfd would be possible.
+
+Basically, there are 3 optimizations in this patch-set:
+
+1. Use TLB batching infrastructure to batch flushes across VMAs and do
+ better/fewer flushes. This would also be handy for later userfaultfd
+ enhancements.
+
+2. Avoid unnecessary TLB flushes. This optimization is the one that
+ provides most of the performance benefits. Unlike previous versions,
+ we now only avoid flushes that would not result in spurious
+ page-faults.
+
+3. Avoiding TLB flushes on change_huge_pmd() that are only needed to
+ prevent the A/D bits from changing.
+
+Andrew asked for some benchmark numbers. I do not have an easy
+determinate macrobenchmark in which it is easy to show benefit. I
+therefore ran a microbenchmark: a loop that does the following on
+anonymous memory, just as a sanity check to see that time is saved by
+avoiding TLB flushes. The loop goes:
+
+ mprotect(p, PAGE_SIZE, PROT_READ)
+ mprotect(p, PAGE_SIZE, PROT_READ|PROT_WRITE)
+ *p = 0; // make the page writable
+
+The test was run in KVM guest with 1 or 2 threads (the second thread was
+busy-looping). I measured the time (cycles) of each operation:
+
+ 1 thread 2 threads
+ mmots +patch mmots +patch
+PROT_READ 3494 2725 (-22%) 8630 7788 (-10%)
+PROT_READ|WRITE 3952 2724 (-31%) 9075 2865 (-68%)
+
+[ mmots = v5.17-rc6-mmots-2022-03-06-20-38 ]
+
+The exact numbers are really meaningless, but the benefit is clear. There
+are 2 interesting results though.
+
+(1) PROT_READ is cheaper, while one can expect it not to be affected.
+This is presumably due to TLB miss that is saved
+
+(2) Without memory access (*p = 0), the speedup of the patch is even
+greater. In that scenario mprotect(PROT_READ) also avoids the TLB flush.
+As a result both operations on the patched kernel take roughly ~1500
+cycles (with either 1 or 2 threads), whereas on mmotm their cost is as
+high as presented in the table.
+
+This patch (of 3):
+
+change_pXX_range() currently does not use mmu_gather, but instead
+implements its own deferred TLB flushes scheme. This both complicates the
+code, as developers need to be aware of different invalidation schemes,
+and prevents opportunities to avoid TLB flushes or perform them in finer
+granularity.
+
+The use of mmu_gather for modified PTEs has benefits in various scenarios
+even if pages are not released. For instance, if only a single page needs
+to be flushed out of a range of many pages, only that page would be
+flushed. If a THP page is flushed, on x86 a single TLB invlpg instruction
+can be used instead of 512 instructions (or a full TLB flush, which would
+Linux would actually use by default). mprotect() over multiple VMAs
+requires a single flush.
+
+Use mmu_gather in change_pXX_range(). As the pages are not released, only
+record the flushed range using tlb_flush_pXX_range().
+
+Handle THP similarly and get rid of flush_cache_range() which becomes
+redundant since tlb_start_vma() calls it when needed.
+
+Link: https://lkml.kernel.org/r/20220401180821.1986781-1-namit@vmware.com
+Link: https://lkml.kernel.org/r/20220401180821.1986781-2-namit@vmware.com
+Signed-off-by: Nadav Amit <namit@vmware.com>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Andrew Cooper <andrew.cooper3@citrix.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Peter Xu <peterx@redhat.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Will Deacon <will@kernel.org>
+Cc: Yu Zhao <yuzhao@google.com>
+Cc: Nick Piggin <npiggin@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 3a5a8d343e1c ("mm: fix race between __split_huge_pmd_locked() and GUP-fast")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/exec.c | 6 ++-
+ include/linux/huge_mm.h | 5 ++-
+ include/linux/mm.h | 5 ++-
+ mm/huge_memory.c | 10 ++++-
+ mm/mempolicy.c | 9 +++-
+ mm/mprotect.c | 92 ++++++++++++++++++++++-------------------
+ mm/userfaultfd.c | 6 ++-
+ 7 files changed, 82 insertions(+), 51 deletions(-)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index 03516b704d8a4..3cf38e5e8b733 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -758,6 +758,7 @@ int setup_arg_pages(struct linux_binprm *bprm,
+ unsigned long stack_size;
+ unsigned long stack_expand;
+ unsigned long rlim_stack;
++ struct mmu_gather tlb;
+
+ #ifdef CONFIG_STACK_GROWSUP
+ /* Limit stack size */
+@@ -812,8 +813,11 @@ int setup_arg_pages(struct linux_binprm *bprm,
+ vm_flags |= mm->def_flags;
+ vm_flags |= VM_STACK_INCOMPLETE_SETUP;
+
+- ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end,
++ tlb_gather_mmu(&tlb, mm);
++ ret = mprotect_fixup(&tlb, vma, &prev, vma->vm_start, vma->vm_end,
+ vm_flags);
++ tlb_finish_mmu(&tlb);
++
+ if (ret)
+ goto out_unlock;
+ BUG_ON(prev != vma);
+diff --git a/include/linux/huge_mm.h b/include/linux/huge_mm.h
+index f123e15d966e8..6cb3e6fe11e7f 100644
+--- a/include/linux/huge_mm.h
++++ b/include/linux/huge_mm.h
+@@ -36,8 +36,9 @@ int zap_huge_pud(struct mmu_gather *tlb, struct vm_area_struct *vma, pud_t *pud,
+ unsigned long addr);
+ bool move_huge_pmd(struct vm_area_struct *vma, unsigned long old_addr,
+ unsigned long new_addr, pmd_t *old_pmd, pmd_t *new_pmd);
+-int change_huge_pmd(struct vm_area_struct *vma, pmd_t *pmd, unsigned long addr,
+- pgprot_t newprot, unsigned long cp_flags);
++int change_huge_pmd(struct mmu_gather *tlb, struct vm_area_struct *vma,
++ pmd_t *pmd, unsigned long addr, pgprot_t newprot,
++ unsigned long cp_flags);
+ vm_fault_t vmf_insert_pfn_pmd_prot(struct vm_fault *vmf, pfn_t pfn,
+ pgprot_t pgprot, bool write);
+
+diff --git a/include/linux/mm.h b/include/linux/mm.h
+index 5692055f202cb..e05c91ea5735d 100644
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -1899,10 +1899,11 @@ extern unsigned long move_page_tables(struct vm_area_struct *vma,
+ #define MM_CP_UFFD_WP_ALL (MM_CP_UFFD_WP | \
+ MM_CP_UFFD_WP_RESOLVE)
+
+-extern unsigned long change_protection(struct vm_area_struct *vma, unsigned long start,
++extern unsigned long change_protection(struct mmu_gather *tlb,
++ struct vm_area_struct *vma, unsigned long start,
+ unsigned long end, pgprot_t newprot,
+ unsigned long cp_flags);
+-extern int mprotect_fixup(struct vm_area_struct *vma,
++extern int mprotect_fixup(struct mmu_gather *tlb, struct vm_area_struct *vma,
+ struct vm_area_struct **pprev, unsigned long start,
+ unsigned long end, unsigned long newflags);
+
+diff --git a/mm/huge_memory.c b/mm/huge_memory.c
+index 98ff57c8eda69..661dd29642ebc 100644
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -1720,8 +1720,9 @@ bool move_huge_pmd(struct vm_area_struct *vma, unsigned long old_addr,
+ * or if prot_numa but THP migration is not supported
+ * - HPAGE_PMD_NR if protections changed and TLB flush necessary
+ */
+-int change_huge_pmd(struct vm_area_struct *vma, pmd_t *pmd,
+- unsigned long addr, pgprot_t newprot, unsigned long cp_flags)
++int change_huge_pmd(struct mmu_gather *tlb, struct vm_area_struct *vma,
++ pmd_t *pmd, unsigned long addr, pgprot_t newprot,
++ unsigned long cp_flags)
+ {
+ struct mm_struct *mm = vma->vm_mm;
+ spinlock_t *ptl;
+@@ -1732,6 +1733,8 @@ int change_huge_pmd(struct vm_area_struct *vma, pmd_t *pmd,
+ bool uffd_wp = cp_flags & MM_CP_UFFD_WP;
+ bool uffd_wp_resolve = cp_flags & MM_CP_UFFD_WP_RESOLVE;
+
++ tlb_change_page_size(tlb, HPAGE_PMD_SIZE);
++
+ if (prot_numa && !thp_migration_supported())
+ return 1;
+
+@@ -1816,6 +1819,9 @@ int change_huge_pmd(struct vm_area_struct *vma, pmd_t *pmd,
+ }
+ ret = HPAGE_PMD_NR;
+ set_pmd_at(mm, addr, pmd, entry);
++
++ tlb_flush_pmd_range(tlb, addr, HPAGE_PMD_SIZE);
++
+ BUG_ON(vma_is_anonymous(vma) && !preserve_write && pmd_write(entry));
+ unlock:
+ spin_unlock(ptl);
+diff --git a/mm/mempolicy.c b/mm/mempolicy.c
+index 818753635e427..c05e979fd8695 100644
+--- a/mm/mempolicy.c
++++ b/mm/mempolicy.c
+@@ -104,6 +104,7 @@
+ #include <linux/swapops.h>
+
+ #include <asm/tlbflush.h>
++#include <asm/tlb.h>
+ #include <linux/uaccess.h>
+
+ #include "internal.h"
+@@ -634,12 +635,18 @@ static int queue_pages_hugetlb(pte_t *pte, unsigned long hmask,
+ unsigned long change_prot_numa(struct vm_area_struct *vma,
+ unsigned long addr, unsigned long end)
+ {
++ struct mmu_gather tlb;
+ int nr_updated;
+
+- nr_updated = change_protection(vma, addr, end, PAGE_NONE, MM_CP_PROT_NUMA);
++ tlb_gather_mmu(&tlb, vma->vm_mm);
++
++ nr_updated = change_protection(&tlb, vma, addr, end, PAGE_NONE,
++ MM_CP_PROT_NUMA);
+ if (nr_updated)
+ count_vm_numa_events(NUMA_PTE_UPDATES, nr_updated);
+
++ tlb_finish_mmu(&tlb);
++
+ return nr_updated;
+ }
+ #else
+diff --git a/mm/mprotect.c b/mm/mprotect.c
+index ed18dc49533f6..fe1196be9ca28 100644
+--- a/mm/mprotect.c
++++ b/mm/mprotect.c
+@@ -32,12 +32,13 @@
+ #include <asm/cacheflush.h>
+ #include <asm/mmu_context.h>
+ #include <asm/tlbflush.h>
++#include <asm/tlb.h>
+
+ #include "internal.h"
+
+-static unsigned long change_pte_range(struct vm_area_struct *vma, pmd_t *pmd,
+- unsigned long addr, unsigned long end, pgprot_t newprot,
+- unsigned long cp_flags)
++static unsigned long change_pte_range(struct mmu_gather *tlb,
++ struct vm_area_struct *vma, pmd_t *pmd, unsigned long addr,
++ unsigned long end, pgprot_t newprot, unsigned long cp_flags)
+ {
+ pte_t *pte, oldpte;
+ spinlock_t *ptl;
+@@ -48,6 +49,8 @@ static unsigned long change_pte_range(struct vm_area_struct *vma, pmd_t *pmd,
+ bool uffd_wp = cp_flags & MM_CP_UFFD_WP;
+ bool uffd_wp_resolve = cp_flags & MM_CP_UFFD_WP_RESOLVE;
+
++ tlb_change_page_size(tlb, PAGE_SIZE);
++
+ /*
+ * Can be called with only the mmap_lock for reading by
+ * prot_numa so we must check the pmd isn't constantly
+@@ -138,6 +141,7 @@ static unsigned long change_pte_range(struct vm_area_struct *vma, pmd_t *pmd,
+ ptent = pte_mkwrite(ptent);
+ }
+ ptep_modify_prot_commit(vma, addr, pte, oldpte, ptent);
++ tlb_flush_pte_range(tlb, addr, PAGE_SIZE);
+ pages++;
+ } else if (is_swap_pte(oldpte)) {
+ swp_entry_t entry = pte_to_swp_entry(oldpte);
+@@ -219,9 +223,9 @@ static inline int pmd_none_or_clear_bad_unless_trans_huge(pmd_t *pmd)
+ return 0;
+ }
+
+-static inline unsigned long change_pmd_range(struct vm_area_struct *vma,
+- pud_t *pud, unsigned long addr, unsigned long end,
+- pgprot_t newprot, unsigned long cp_flags)
++static inline unsigned long change_pmd_range(struct mmu_gather *tlb,
++ struct vm_area_struct *vma, pud_t *pud, unsigned long addr,
++ unsigned long end, pgprot_t newprot, unsigned long cp_flags)
+ {
+ pmd_t *pmd;
+ unsigned long next;
+@@ -261,8 +265,12 @@ static inline unsigned long change_pmd_range(struct vm_area_struct *vma,
+ if (next - addr != HPAGE_PMD_SIZE) {
+ __split_huge_pmd(vma, pmd, addr, false, NULL);
+ } else {
+- int nr_ptes = change_huge_pmd(vma, pmd, addr,
+- newprot, cp_flags);
++ /*
++ * change_huge_pmd() does not defer TLB flushes,
++ * so no need to propagate the tlb argument.
++ */
++ int nr_ptes = change_huge_pmd(tlb, vma, pmd,
++ addr, newprot, cp_flags);
+
+ if (nr_ptes) {
+ if (nr_ptes == HPAGE_PMD_NR) {
+@@ -276,8 +284,8 @@ static inline unsigned long change_pmd_range(struct vm_area_struct *vma,
+ }
+ /* fall through, the trans huge pmd just split */
+ }
+- this_pages = change_pte_range(vma, pmd, addr, next, newprot,
+- cp_flags);
++ this_pages = change_pte_range(tlb, vma, pmd, addr, next,
++ newprot, cp_flags);
+ pages += this_pages;
+ next:
+ cond_resched();
+@@ -291,9 +299,9 @@ static inline unsigned long change_pmd_range(struct vm_area_struct *vma,
+ return pages;
+ }
+
+-static inline unsigned long change_pud_range(struct vm_area_struct *vma,
+- p4d_t *p4d, unsigned long addr, unsigned long end,
+- pgprot_t newprot, unsigned long cp_flags)
++static inline unsigned long change_pud_range(struct mmu_gather *tlb,
++ struct vm_area_struct *vma, p4d_t *p4d, unsigned long addr,
++ unsigned long end, pgprot_t newprot, unsigned long cp_flags)
+ {
+ pud_t *pud;
+ unsigned long next;
+@@ -304,16 +312,16 @@ static inline unsigned long change_pud_range(struct vm_area_struct *vma,
+ next = pud_addr_end(addr, end);
+ if (pud_none_or_clear_bad(pud))
+ continue;
+- pages += change_pmd_range(vma, pud, addr, next, newprot,
++ pages += change_pmd_range(tlb, vma, pud, addr, next, newprot,
+ cp_flags);
+ } while (pud++, addr = next, addr != end);
+
+ return pages;
+ }
+
+-static inline unsigned long change_p4d_range(struct vm_area_struct *vma,
+- pgd_t *pgd, unsigned long addr, unsigned long end,
+- pgprot_t newprot, unsigned long cp_flags)
++static inline unsigned long change_p4d_range(struct mmu_gather *tlb,
++ struct vm_area_struct *vma, pgd_t *pgd, unsigned long addr,
++ unsigned long end, pgprot_t newprot, unsigned long cp_flags)
+ {
+ p4d_t *p4d;
+ unsigned long next;
+@@ -324,44 +332,40 @@ static inline unsigned long change_p4d_range(struct vm_area_struct *vma,
+ next = p4d_addr_end(addr, end);
+ if (p4d_none_or_clear_bad(p4d))
+ continue;
+- pages += change_pud_range(vma, p4d, addr, next, newprot,
++ pages += change_pud_range(tlb, vma, p4d, addr, next, newprot,
+ cp_flags);
+ } while (p4d++, addr = next, addr != end);
+
+ return pages;
+ }
+
+-static unsigned long change_protection_range(struct vm_area_struct *vma,
+- unsigned long addr, unsigned long end, pgprot_t newprot,
+- unsigned long cp_flags)
++static unsigned long change_protection_range(struct mmu_gather *tlb,
++ struct vm_area_struct *vma, unsigned long addr,
++ unsigned long end, pgprot_t newprot, unsigned long cp_flags)
+ {
+ struct mm_struct *mm = vma->vm_mm;
+ pgd_t *pgd;
+ unsigned long next;
+- unsigned long start = addr;
+ unsigned long pages = 0;
+
+ BUG_ON(addr >= end);
+ pgd = pgd_offset(mm, addr);
+- flush_cache_range(vma, addr, end);
+- inc_tlb_flush_pending(mm);
++ tlb_start_vma(tlb, vma);
+ do {
+ next = pgd_addr_end(addr, end);
+ if (pgd_none_or_clear_bad(pgd))
+ continue;
+- pages += change_p4d_range(vma, pgd, addr, next, newprot,
++ pages += change_p4d_range(tlb, vma, pgd, addr, next, newprot,
+ cp_flags);
+ } while (pgd++, addr = next, addr != end);
+
+- /* Only flush the TLB if we actually modified any entries: */
+- if (pages)
+- flush_tlb_range(vma, start, end);
+- dec_tlb_flush_pending(mm);
++ tlb_end_vma(tlb, vma);
+
+ return pages;
+ }
+
+-unsigned long change_protection(struct vm_area_struct *vma, unsigned long start,
++unsigned long change_protection(struct mmu_gather *tlb,
++ struct vm_area_struct *vma, unsigned long start,
+ unsigned long end, pgprot_t newprot,
+ unsigned long cp_flags)
+ {
+@@ -372,7 +376,7 @@ unsigned long change_protection(struct vm_area_struct *vma, unsigned long start,
+ if (is_vm_hugetlb_page(vma))
+ pages = hugetlb_change_protection(vma, start, end, newprot);
+ else
+- pages = change_protection_range(vma, start, end, newprot,
++ pages = change_protection_range(tlb, vma, start, end, newprot,
+ cp_flags);
+
+ return pages;
+@@ -406,8 +410,9 @@ static const struct mm_walk_ops prot_none_walk_ops = {
+ };
+
+ int
+-mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
+- unsigned long start, unsigned long end, unsigned long newflags)
++mprotect_fixup(struct mmu_gather *tlb, struct vm_area_struct *vma,
++ struct vm_area_struct **pprev, unsigned long start,
++ unsigned long end, unsigned long newflags)
+ {
+ struct mm_struct *mm = vma->vm_mm;
+ unsigned long oldflags = vma->vm_flags;
+@@ -494,7 +499,7 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
+ dirty_accountable = vma_wants_writenotify(vma, vma->vm_page_prot);
+ vma_set_page_prot(vma);
+
+- change_protection(vma, start, end, vma->vm_page_prot,
++ change_protection(tlb, vma, start, end, vma->vm_page_prot,
+ dirty_accountable ? MM_CP_DIRTY_ACCT : 0);
+
+ /*
+@@ -528,6 +533,7 @@ static int do_mprotect_pkey(unsigned long start, size_t len,
+ const int grows = prot & (PROT_GROWSDOWN|PROT_GROWSUP);
+ const bool rier = (current->personality & READ_IMPLIES_EXEC) &&
+ (prot & PROT_READ);
++ struct mmu_gather tlb;
+
+ start = untagged_addr(start);
+
+@@ -584,6 +590,7 @@ static int do_mprotect_pkey(unsigned long start, size_t len,
+ if (start > vma->vm_start)
+ prev = vma;
+
++ tlb_gather_mmu(&tlb, current->mm);
+ for (nstart = start ; ; ) {
+ unsigned long mask_off_old_flags;
+ unsigned long newflags;
+@@ -610,18 +617,18 @@ static int do_mprotect_pkey(unsigned long start, size_t len,
+ /* newflags >> 4 shift VM_MAY% in place of VM_% */
+ if ((newflags & ~(newflags >> 4)) & VM_ACCESS_FLAGS) {
+ error = -EACCES;
+- goto out;
++ break;
+ }
+
+ /* Allow architectures to sanity-check the new flags */
+ if (!arch_validate_flags(newflags)) {
+ error = -EINVAL;
+- goto out;
++ break;
+ }
+
+ error = security_file_mprotect(vma, reqprot, prot);
+ if (error)
+- goto out;
++ break;
+
+ tmp = vma->vm_end;
+ if (tmp > end)
+@@ -630,27 +637,28 @@ static int do_mprotect_pkey(unsigned long start, size_t len,
+ if (vma->vm_ops && vma->vm_ops->mprotect) {
+ error = vma->vm_ops->mprotect(vma, nstart, tmp, newflags);
+ if (error)
+- goto out;
++ break;
+ }
+
+- error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
++ error = mprotect_fixup(&tlb, vma, &prev, nstart, tmp, newflags);
+ if (error)
+- goto out;
++ break;
+
+ nstart = tmp;
+
+ if (nstart < prev->vm_end)
+ nstart = prev->vm_end;
+ if (nstart >= end)
+- goto out;
++ break;
+
+ vma = prev->vm_next;
+ if (!vma || vma->vm_start != nstart) {
+ error = -ENOMEM;
+- goto out;
++ break;
+ }
+ prot = reqprot;
+ }
++ tlb_finish_mmu(&tlb);
+ out:
+ mmap_write_unlock(current->mm);
+ return error;
+diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
+index 98a9d0ef2d917..eafdc112ac7aa 100644
+--- a/mm/userfaultfd.c
++++ b/mm/userfaultfd.c
+@@ -16,6 +16,7 @@
+ #include <linux/hugetlb.h>
+ #include <linux/shmem_fs.h>
+ #include <asm/tlbflush.h>
++#include <asm/tlb.h>
+ #include "internal.h"
+
+ static __always_inline
+@@ -698,6 +699,7 @@ int mwriteprotect_range(struct mm_struct *dst_mm, unsigned long start,
+ atomic_t *mmap_changing)
+ {
+ struct vm_area_struct *dst_vma;
++ struct mmu_gather tlb;
+ pgprot_t newprot;
+ int err;
+
+@@ -739,8 +741,10 @@ int mwriteprotect_range(struct mm_struct *dst_mm, unsigned long start,
+ else
+ newprot = vm_get_page_prot(dst_vma->vm_flags);
+
+- change_protection(dst_vma, start, start + len, newprot,
++ tlb_gather_mmu(&tlb, dst_mm);
++ change_protection(&tlb, dst_vma, start, start + len, newprot,
+ enable_wp ? MM_CP_UFFD_WP : MM_CP_UFFD_WP_RESOLVE);
++ tlb_finish_mmu(&tlb);
+
+ err = 0;
+ out_unlock:
+--
+2.43.0
+
--- /dev/null
+From db1dc85c7dd16e575bad700b7761451733db9665 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 24 Mar 2024 12:40:17 +0100
+Subject: mmc: davinci: Don't strip remove function when driver is builtin
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 55c421b364482b61c4c45313a535e61ed5ae4ea3 ]
+
+Using __exit for the remove function results in the remove callback being
+discarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g.
+using sysfs or hotplug), the driver is just removed without the cleanup
+being performed. This results in resource leaks. Fix it by compiling in the
+remove callback unconditionally.
+
+This also fixes a W=1 modpost warning:
+
+WARNING: modpost: drivers/mmc/host/davinci_mmc: section mismatch in
+reference: davinci_mmcsd_driver+0x10 (section: .data) ->
+davinci_mmcsd_remove (section: .exit.text)
+
+Fixes: b4cff4549b7a ("DaVinci: MMC: MMC/SD controller driver for DaVinci family")
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240324114017.231936-2-u.kleine-koenig@pengutronix.de
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/davinci_mmc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mmc/host/davinci_mmc.c b/drivers/mmc/host/davinci_mmc.c
+index 36c45867eb643..e0175808c3b0d 100644
+--- a/drivers/mmc/host/davinci_mmc.c
++++ b/drivers/mmc/host/davinci_mmc.c
+@@ -1347,7 +1347,7 @@ static int davinci_mmcsd_probe(struct platform_device *pdev)
+ return ret;
+ }
+
+-static void __exit davinci_mmcsd_remove(struct platform_device *pdev)
++static void davinci_mmcsd_remove(struct platform_device *pdev)
+ {
+ struct mmc_davinci_host *host = platform_get_drvdata(pdev);
+
+@@ -1402,7 +1402,7 @@ static struct platform_driver davinci_mmcsd_driver = {
+ .of_match_table = davinci_mmc_dt_ids,
+ },
+ .probe = davinci_mmcsd_probe,
+- .remove_new = __exit_p(davinci_mmcsd_remove),
++ .remove_new = davinci_mmcsd_remove,
+ .id_table = davinci_mmc_devtype,
+ };
+
+--
+2.43.0
+
--- /dev/null
+From d2d80526ac7c82e3143dd7b830c6843e7acbbf7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Jul 2023 14:59:56 +0800
+Subject: mmc: davinci_mmc: Convert to platform remove callback returning void
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yangtao Li <frank.li@vivo.com>
+
+[ Upstream commit bc1711e8332da03648d8fe1950189237e66313af ]
+
+The .remove() callback for a platform driver returns an int which makes
+many driver authors wrongly assume it's possible to do error handling by
+returning an error code. However the value returned is (mostly) ignored
+and this typically results in resource leaks. To improve here there is a
+quest to make the remove callback return void. In the first step of this
+quest all drivers are converted to .remove_new() which already returns
+void.
+
+Trivially convert this driver from always returning zero in the remove
+callback to the void returning variant.
+
+Cc: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Yangtao Li <frank.li@vivo.com>
+Link: https://lore.kernel.org/r/20230727070051.17778-7-frank.li@vivo.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Stable-dep-of: 55c421b36448 ("mmc: davinci: Don't strip remove function when driver is builtin")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/davinci_mmc.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/mmc/host/davinci_mmc.c b/drivers/mmc/host/davinci_mmc.c
+index 80de660027d89..36c45867eb643 100644
+--- a/drivers/mmc/host/davinci_mmc.c
++++ b/drivers/mmc/host/davinci_mmc.c
+@@ -1347,7 +1347,7 @@ static int davinci_mmcsd_probe(struct platform_device *pdev)
+ return ret;
+ }
+
+-static int __exit davinci_mmcsd_remove(struct platform_device *pdev)
++static void __exit davinci_mmcsd_remove(struct platform_device *pdev)
+ {
+ struct mmc_davinci_host *host = platform_get_drvdata(pdev);
+
+@@ -1356,8 +1356,6 @@ static int __exit davinci_mmcsd_remove(struct platform_device *pdev)
+ davinci_release_dma_channels(host);
+ clk_disable_unprepare(host->clk);
+ mmc_free_host(host->mmc);
+-
+- return 0;
+ }
+
+ #ifdef CONFIG_PM
+@@ -1404,7 +1402,7 @@ static struct platform_driver davinci_mmcsd_driver = {
+ .of_match_table = davinci_mmc_dt_ids,
+ },
+ .probe = davinci_mmcsd_probe,
+- .remove = __exit_p(davinci_mmcsd_remove),
++ .remove_new = __exit_p(davinci_mmcsd_remove),
+ .id_table = davinci_mmc_devtype,
+ };
+
+--
+2.43.0
+
--- /dev/null
+From 273f0826c81d3fcfcfdbcf1cd99efe2202aa4709 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Nov 2021 09:11:50 -0800
+Subject: net: drop nopreempt requirement on sock_prot_inuse_add()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b3cb764aa1d753cf6a58858f9e2097ba71e8100b ]
+
+This is distracting really, let's make this simpler,
+because many callers had to take care of this
+by themselves, even if on x86 this adds more
+code than really needed.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: a9bf9c7dc6a5 ("af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sock.h | 4 ++--
+ net/ieee802154/socket.c | 4 ++--
+ net/ipv4/raw.c | 2 +-
+ net/ipv6/ipv6_sockglue.c | 8 ++++----
+ net/netlink/af_netlink.c | 4 ----
+ net/packet/af_packet.c | 4 ----
+ net/sctp/socket.c | 5 -----
+ net/smc/af_smc.c | 2 +-
+ net/unix/af_unix.c | 4 ----
+ net/xdp/xsk.c | 4 ----
+ 10 files changed, 10 insertions(+), 31 deletions(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index c13c284222424..146f1b9c30636 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -1464,11 +1464,11 @@ proto_memory_pressure(struct proto *prot)
+ struct prot_inuse {
+ int val[PROTO_INUSE_NR];
+ };
+-/* Called with local bh disabled */
++
+ static inline void sock_prot_inuse_add(const struct net *net,
+ const struct proto *prot, int val)
+ {
+- __this_cpu_add(net->core.prot_inuse->val[prot->inuse_idx], val);
++ this_cpu_add(net->core.prot_inuse->val[prot->inuse_idx], val);
+ }
+ int sock_prot_inuse_get(struct net *net, struct proto *proto);
+ int sock_inuse_get(struct net *net);
+diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
+index c33f46c9b6b34..586a6c4adf246 100644
+--- a/net/ieee802154/socket.c
++++ b/net/ieee802154/socket.c
+@@ -174,8 +174,8 @@ static int raw_hash(struct sock *sk)
+ {
+ write_lock_bh(&raw_lock);
+ sk_add_node(sk, &raw_head);
+- sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
+ write_unlock_bh(&raw_lock);
++ sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
+
+ return 0;
+ }
+@@ -458,8 +458,8 @@ static int dgram_hash(struct sock *sk)
+ {
+ write_lock_bh(&dgram_lock);
+ sk_add_node(sk, &dgram_head);
+- sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
+ write_unlock_bh(&dgram_lock);
++ sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
+
+ return 0;
+ }
+diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
+index f532589d26926..cc8e946768e43 100644
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -99,8 +99,8 @@ int raw_hash_sk(struct sock *sk)
+
+ write_lock_bh(&h->lock);
+ sk_add_node(sk, head);
+- sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
+ write_unlock_bh(&h->lock);
++ sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
+
+ return 0;
+ }
+diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
+index 197e12d5607f1..2071a212a2679 100644
+--- a/net/ipv6/ipv6_sockglue.c
++++ b/net/ipv6/ipv6_sockglue.c
+@@ -471,10 +471,10 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
+
+ if (sk->sk_protocol == IPPROTO_TCP) {
+ struct inet_connection_sock *icsk = inet_csk(sk);
+- local_bh_disable();
++
+ sock_prot_inuse_add(net, sk->sk_prot, -1);
+ sock_prot_inuse_add(net, &tcp_prot, 1);
+- local_bh_enable();
++
+ sk->sk_prot = &tcp_prot;
+ icsk->icsk_af_ops = &ipv4_specific;
+ sk->sk_socket->ops = &inet_stream_ops;
+@@ -485,10 +485,10 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
+
+ if (sk->sk_protocol == IPPROTO_UDPLITE)
+ prot = &udplite_prot;
+- local_bh_disable();
++
+ sock_prot_inuse_add(net, sk->sk_prot, -1);
+ sock_prot_inuse_add(net, prot, 1);
+- local_bh_enable();
++
+ sk->sk_prot = prot;
+ sk->sk_socket->ops = &inet_dgram_ops;
+ sk->sk_family = PF_INET;
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index 216445dd44db9..18a38db2b27eb 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -711,9 +711,7 @@ static int netlink_create(struct net *net, struct socket *sock, int protocol,
+ if (err < 0)
+ goto out_module;
+
+- local_bh_disable();
+ sock_prot_inuse_add(net, &netlink_proto, 1);
+- local_bh_enable();
+
+ nlk = nlk_sk(sock->sk);
+ nlk->module = module;
+@@ -813,9 +811,7 @@ static int netlink_release(struct socket *sock)
+ netlink_table_ungrab();
+ }
+
+- local_bh_disable();
+ sock_prot_inuse_add(sock_net(sk), &netlink_proto, -1);
+- local_bh_enable();
+ call_rcu(&nlk->rcu, deferred_put_nlk_sk);
+ return 0;
+ }
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 0ab3b09f863ba..4f920502f92fe 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3092,9 +3092,7 @@ static int packet_release(struct socket *sock)
+ sk_del_node_init_rcu(sk);
+ mutex_unlock(&net->packet.sklist_lock);
+
+- preempt_disable();
+ sock_prot_inuse_add(net, sk->sk_prot, -1);
+- preempt_enable();
+
+ spin_lock(&po->bind_lock);
+ unregister_prot_hook(sk, false);
+@@ -3361,9 +3359,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol,
+ sk_add_node_tail_rcu(sk, &net->packet.sklist);
+ mutex_unlock(&net->packet.sklist_lock);
+
+- preempt_disable();
+ sock_prot_inuse_add(net, &packet_proto, 1);
+- preempt_enable();
+
+ return 0;
+ out2:
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index 57acf7ed80de3..d9271ffb29781 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -5073,12 +5073,9 @@ static int sctp_init_sock(struct sock *sk)
+
+ SCTP_DBG_OBJCNT_INC(sock);
+
+- local_bh_disable();
+ sk_sockets_allocated_inc(sk);
+ sock_prot_inuse_add(net, sk->sk_prot, 1);
+
+- local_bh_enable();
+-
+ return 0;
+ }
+
+@@ -5104,10 +5101,8 @@ static void sctp_destroy_sock(struct sock *sk)
+ list_del(&sp->auto_asconf_list);
+ }
+ sctp_endpoint_free(sp->ep);
+- local_bh_disable();
+ sk_sockets_allocated_dec(sk);
+ sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
+- local_bh_enable();
+ }
+
+ /* Triggered when there are no references on the socket anymore */
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index 8c11eb70c0f69..bd0b3a8b95d50 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -88,8 +88,8 @@ int smc_hash_sk(struct sock *sk)
+
+ write_lock_bh(&h->lock);
+ sk_add_node(sk, head);
+- sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
+ write_unlock_bh(&h->lock);
++ sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
+
+ return 0;
+ }
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 73b287b7a1154..262aeaea9861c 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -515,9 +515,7 @@ static void unix_sock_destructor(struct sock *sk)
+ unix_release_addr(u->addr);
+
+ atomic_long_dec(&unix_nr_socks);
+- local_bh_disable();
+ sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
+- local_bh_enable();
+ #ifdef UNIX_REFCNT_DEBUG
+ pr_debug("UNIX %p is destroyed, %ld are still alive.\n", sk,
+ atomic_long_read(&unix_nr_socks));
+@@ -890,9 +888,7 @@ static struct sock *unix_create1(struct net *net, struct socket *sock, int kern,
+ memset(&u->scm_stat, 0, sizeof(struct scm_stat));
+ unix_insert_socket(unix_sockets_unbound(sk), sk);
+
+- local_bh_disable();
+ sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
+- local_bh_enable();
+
+ return sk;
+
+diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
+index 1f61d15b3d1d4..da31a99ce6521 100644
+--- a/net/xdp/xsk.c
++++ b/net/xdp/xsk.c
+@@ -842,9 +842,7 @@ static int xsk_release(struct socket *sock)
+ sk_del_node_init_rcu(sk);
+ mutex_unlock(&net->xdp.lock);
+
+- local_bh_disable();
+ sock_prot_inuse_add(net, sk->sk_prot, -1);
+- local_bh_enable();
+
+ xsk_delete_from_maps(xs);
+ mutex_lock(&xs->mutex);
+@@ -1465,9 +1463,7 @@ static int xsk_create(struct net *net, struct socket *sock, int protocol,
+ sk_add_node_rcu(sk, &net->xdp.list);
+ mutex_unlock(&net->xdp.lock);
+
+- local_bh_disable();
+ sock_prot_inuse_add(net, &xsk_proto, 1);
+- local_bh_enable();
+
+ return 0;
+ }
+--
+2.43.0
+
--- /dev/null
+From ab981fed621a211beeedabf25d14259651bfa005 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Nov 2021 09:11:47 -0800
+Subject: net: inline sock_prot_inuse_add()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 2a12ae5d433df3d3c3f1a930799ec09cb2b8058f ]
+
+sock_prot_inuse_add() is very small, we can inline it.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: a9bf9c7dc6a5 ("af_unix: Annotate data-race of sk->sk_state in unix_stream_connect().")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sock.h | 14 +++++++++++---
+ net/core/sock.c | 11 -----------
+ 2 files changed, 11 insertions(+), 14 deletions(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index b8de579b916e8..c13c284222424 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -1460,13 +1460,21 @@ proto_memory_pressure(struct proto *prot)
+
+
+ #ifdef CONFIG_PROC_FS
++#define PROTO_INUSE_NR 64 /* should be enough for the first time */
++struct prot_inuse {
++ int val[PROTO_INUSE_NR];
++};
+ /* Called with local bh disabled */
+-void sock_prot_inuse_add(struct net *net, struct proto *prot, int inc);
++static inline void sock_prot_inuse_add(const struct net *net,
++ const struct proto *prot, int val)
++{
++ __this_cpu_add(net->core.prot_inuse->val[prot->inuse_idx], val);
++}
+ int sock_prot_inuse_get(struct net *net, struct proto *proto);
+ int sock_inuse_get(struct net *net);
+ #else
+-static inline void sock_prot_inuse_add(struct net *net, struct proto *prot,
+- int inc)
++static inline void sock_prot_inuse_add(const struct net *net,
++ const struct proto *prot, int val)
+ {
+ }
+ #endif
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 62e376f09f957..e79e1c7933537 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -3497,19 +3497,8 @@ void sk_get_meminfo(const struct sock *sk, u32 *mem)
+ }
+
+ #ifdef CONFIG_PROC_FS
+-#define PROTO_INUSE_NR 64 /* should be enough for the first time */
+-struct prot_inuse {
+- int val[PROTO_INUSE_NR];
+-};
+-
+ static DECLARE_BITMAP(proto_inuse_idx, PROTO_INUSE_NR);
+
+-void sock_prot_inuse_add(struct net *net, struct proto *prot, int val)
+-{
+- __this_cpu_add(net->core.prot_inuse->val[prot->inuse_idx], val);
+-}
+-EXPORT_SYMBOL_GPL(sock_prot_inuse_add);
+-
+ int sock_prot_inuse_get(struct net *net, struct proto *prot)
+ {
+ int cpu, idx = prot->inuse_idx;
+--
+2.43.0
+
--- /dev/null
+From 26e01ee3bec1ebf251e1e9c3050de28cba208228 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 May 2024 14:58:55 +0800
+Subject: net/ncsi: Fix the multi thread manner of NCSI driver
+
+From: DelphineCCChiu <delphine_cc_chiu@wiwynn.com>
+
+[ Upstream commit e85e271dec0270982afed84f70dc37703fcc1d52 ]
+
+Currently NCSI driver will send several NCSI commands back to back without
+waiting the response of previous NCSI command or timeout in some state
+when NIC have multi channel. This operation against the single thread
+manner defined by NCSI SPEC(section 6.3.2.3 in DSP0222_1.1.1)
+
+According to NCSI SPEC(section 6.2.13.1 in DSP0222_1.1.1), we should probe
+one channel at a time by sending NCSI commands (Clear initial state, Get
+version ID, Get capabilities...), than repeat this steps until the max
+number of channels which we got from NCSI command (Get capabilities) has
+been probed.
+
+Fixes: e6f44ed6d04d ("net/ncsi: Package and channel management")
+Signed-off-by: DelphineCCChiu <delphine_cc_chiu@wiwynn.com>
+Link: https://lore.kernel.org/r/20240529065856.825241-1-delphine_cc_chiu@wiwynn.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ncsi/internal.h | 2 ++
+ net/ncsi/ncsi-manage.c | 73 +++++++++++++++++++++---------------------
+ net/ncsi/ncsi-rsp.c | 4 ++-
+ 3 files changed, 41 insertions(+), 38 deletions(-)
+
+diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h
+index 374412ed780b6..ef0f8f73826f5 100644
+--- a/net/ncsi/internal.h
++++ b/net/ncsi/internal.h
+@@ -325,6 +325,7 @@ struct ncsi_dev_priv {
+ spinlock_t lock; /* Protect the NCSI device */
+ unsigned int package_probe_id;/* Current ID during probe */
+ unsigned int package_num; /* Number of packages */
++ unsigned int channel_probe_id;/* Current cahnnel ID during probe */
+ struct list_head packages; /* List of packages */
+ struct ncsi_channel *hot_channel; /* Channel was ever active */
+ struct ncsi_request requests[256]; /* Request table */
+@@ -343,6 +344,7 @@ struct ncsi_dev_priv {
+ bool multi_package; /* Enable multiple packages */
+ bool mlx_multi_host; /* Enable multi host Mellanox */
+ u32 package_whitelist; /* Packages to configure */
++ unsigned char channel_count; /* Num of channels to probe */
+ };
+
+ struct ncsi_cmd_arg {
+diff --git a/net/ncsi/ncsi-manage.c b/net/ncsi/ncsi-manage.c
+index 734feb2352fbc..30f5502530374 100644
+--- a/net/ncsi/ncsi-manage.c
++++ b/net/ncsi/ncsi-manage.c
+@@ -510,17 +510,19 @@ static void ncsi_suspend_channel(struct ncsi_dev_priv *ndp)
+
+ break;
+ case ncsi_dev_state_suspend_gls:
+- ndp->pending_req_num = np->channel_num;
++ ndp->pending_req_num = 1;
+
+ nca.type = NCSI_PKT_CMD_GLS;
+ nca.package = np->id;
++ nca.channel = ndp->channel_probe_id;
++ ret = ncsi_xmit_cmd(&nca);
++ if (ret)
++ goto error;
++ ndp->channel_probe_id++;
+
+- nd->state = ncsi_dev_state_suspend_dcnt;
+- NCSI_FOR_EACH_CHANNEL(np, nc) {
+- nca.channel = nc->id;
+- ret = ncsi_xmit_cmd(&nca);
+- if (ret)
+- goto error;
++ if (ndp->channel_probe_id == ndp->channel_count) {
++ ndp->channel_probe_id = 0;
++ nd->state = ncsi_dev_state_suspend_dcnt;
+ }
+
+ break;
+@@ -1340,7 +1342,6 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp)
+ {
+ struct ncsi_dev *nd = &ndp->ndev;
+ struct ncsi_package *np;
+- struct ncsi_channel *nc;
+ struct ncsi_cmd_arg nca;
+ unsigned char index;
+ int ret;
+@@ -1418,23 +1419,6 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp)
+
+ nd->state = ncsi_dev_state_probe_cis;
+ break;
+- case ncsi_dev_state_probe_cis:
+- ndp->pending_req_num = NCSI_RESERVED_CHANNEL;
+-
+- /* Clear initial state */
+- nca.type = NCSI_PKT_CMD_CIS;
+- nca.package = ndp->active_package->id;
+- for (index = 0; index < NCSI_RESERVED_CHANNEL; index++) {
+- nca.channel = index;
+- ret = ncsi_xmit_cmd(&nca);
+- if (ret)
+- goto error;
+- }
+-
+- nd->state = ncsi_dev_state_probe_gvi;
+- if (IS_ENABLED(CONFIG_NCSI_OEM_CMD_KEEP_PHY))
+- nd->state = ncsi_dev_state_probe_keep_phy;
+- break;
+ case ncsi_dev_state_probe_keep_phy:
+ ndp->pending_req_num = 1;
+
+@@ -1447,14 +1431,17 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp)
+
+ nd->state = ncsi_dev_state_probe_gvi;
+ break;
++ case ncsi_dev_state_probe_cis:
+ case ncsi_dev_state_probe_gvi:
+ case ncsi_dev_state_probe_gc:
+ case ncsi_dev_state_probe_gls:
+ np = ndp->active_package;
+- ndp->pending_req_num = np->channel_num;
++ ndp->pending_req_num = 1;
+
+- /* Retrieve version, capability or link status */
+- if (nd->state == ncsi_dev_state_probe_gvi)
++ /* Clear initial state Retrieve version, capability or link status */
++ if (nd->state == ncsi_dev_state_probe_cis)
++ nca.type = NCSI_PKT_CMD_CIS;
++ else if (nd->state == ncsi_dev_state_probe_gvi)
+ nca.type = NCSI_PKT_CMD_GVI;
+ else if (nd->state == ncsi_dev_state_probe_gc)
+ nca.type = NCSI_PKT_CMD_GC;
+@@ -1462,19 +1449,29 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp)
+ nca.type = NCSI_PKT_CMD_GLS;
+
+ nca.package = np->id;
+- NCSI_FOR_EACH_CHANNEL(np, nc) {
+- nca.channel = nc->id;
+- ret = ncsi_xmit_cmd(&nca);
+- if (ret)
+- goto error;
+- }
++ nca.channel = ndp->channel_probe_id;
+
+- if (nd->state == ncsi_dev_state_probe_gvi)
++ ret = ncsi_xmit_cmd(&nca);
++ if (ret)
++ goto error;
++
++ if (nd->state == ncsi_dev_state_probe_cis) {
++ nd->state = ncsi_dev_state_probe_gvi;
++ if (IS_ENABLED(CONFIG_NCSI_OEM_CMD_KEEP_PHY) && ndp->channel_probe_id == 0)
++ nd->state = ncsi_dev_state_probe_keep_phy;
++ } else if (nd->state == ncsi_dev_state_probe_gvi) {
+ nd->state = ncsi_dev_state_probe_gc;
+- else if (nd->state == ncsi_dev_state_probe_gc)
++ } else if (nd->state == ncsi_dev_state_probe_gc) {
+ nd->state = ncsi_dev_state_probe_gls;
+- else
++ } else {
++ nd->state = ncsi_dev_state_probe_cis;
++ ndp->channel_probe_id++;
++ }
++
++ if (ndp->channel_probe_id == ndp->channel_count) {
++ ndp->channel_probe_id = 0;
+ nd->state = ncsi_dev_state_probe_dp;
++ }
+ break;
+ case ncsi_dev_state_probe_dp:
+ ndp->pending_req_num = 1;
+@@ -1775,6 +1772,7 @@ struct ncsi_dev *ncsi_register_dev(struct net_device *dev,
+ ndp->requests[i].ndp = ndp;
+ timer_setup(&ndp->requests[i].timer, ncsi_request_timeout, 0);
+ }
++ ndp->channel_count = NCSI_RESERVED_CHANNEL;
+
+ spin_lock_irqsave(&ncsi_dev_lock, flags);
+ list_add_tail_rcu(&ndp->node, &ncsi_dev_list);
+@@ -1807,6 +1805,7 @@ int ncsi_start_dev(struct ncsi_dev *nd)
+
+ if (!(ndp->flags & NCSI_DEV_PROBED)) {
+ ndp->package_probe_id = 0;
++ ndp->channel_probe_id = 0;
+ nd->state = ncsi_dev_state_probe;
+ schedule_work(&ndp->work);
+ return 0;
+diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c
+index 480e80e3c2836..f22d67cb04d37 100644
+--- a/net/ncsi/ncsi-rsp.c
++++ b/net/ncsi/ncsi-rsp.c
+@@ -795,12 +795,13 @@ static int ncsi_rsp_handler_gc(struct ncsi_request *nr)
+ struct ncsi_rsp_gc_pkt *rsp;
+ struct ncsi_dev_priv *ndp = nr->ndp;
+ struct ncsi_channel *nc;
++ struct ncsi_package *np;
+ size_t size;
+
+ /* Find the channel */
+ rsp = (struct ncsi_rsp_gc_pkt *)skb_network_header(nr->rsp);
+ ncsi_find_package_and_channel(ndp, rsp->rsp.common.channel,
+- NULL, &nc);
++ &np, &nc);
+ if (!nc)
+ return -ENODEV;
+
+@@ -835,6 +836,7 @@ static int ncsi_rsp_handler_gc(struct ncsi_request *nr)
+ */
+ nc->vlan_filter.bitmap = U64_MAX;
+ nc->vlan_filter.n_vids = rsp->vlan_cnt;
++ np->ndp->channel_count = rsp->channel_cnt;
+
+ return 0;
+ }
+--
+2.43.0
+
--- /dev/null
+From db8e971e5aefe4855b8299f3e2aafa6081ffedcd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Nov 2023 10:07:33 -0600
+Subject: net/ncsi: Simplify Kconfig/dts control flow
+
+From: Peter Delevoryas <peter@pjd.dev>
+
+[ Upstream commit c797ce168930ce3d62a9b7fc4d7040963ee6a01e ]
+
+Background:
+
+1. CONFIG_NCSI_OEM_CMD_KEEP_PHY
+
+If this is enabled, we send an extra OEM Intel command in the probe
+sequence immediately after discovering a channel (e.g. after "Clear
+Initial State").
+
+2. CONFIG_NCSI_OEM_CMD_GET_MAC
+
+If this is enabled, we send one of 3 OEM "Get MAC Address" commands from
+Broadcom, Mellanox (Nvidida), and Intel in the *configuration* sequence
+for a channel.
+
+3. mellanox,multi-host (or mlx,multi-host)
+
+Introduced by this patch:
+
+https://lore.kernel.org/all/20200108234341.2590674-1-vijaykhemka@fb.com/
+
+Which was actually originally from cosmo.chou@quantatw.com:
+
+https://github.com/facebook/openbmc-linux/commit/9f132a10ec48db84613519258cd8a317fb9c8f1b
+
+Cosmo claimed that the Nvidia ConnectX-4 and ConnectX-6 NIC's don't
+respond to Get Version ID, et. al in the probe sequence unless you send
+the Set MC Affinity command first.
+
+Problem Statement:
+
+We've been using a combination of #ifdef code blocks and IS_ENABLED()
+conditions to conditionally send these OEM commands.
+
+It makes adding any new code around these commands hard to understand.
+
+Solution:
+
+In this patch, I just want to remove the conditionally compiled blocks
+of code, and always use IS_ENABLED(...) to do dynamic control flow.
+
+I don't think the small amount of code this adds to non-users of the OEM
+Kconfigs is a big deal.
+
+Signed-off-by: Peter Delevoryas <peter@pjd.dev>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: e85e271dec02 ("net/ncsi: Fix the multi thread manner of NCSI driver")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ncsi/ncsi-manage.c | 20 +++-----------------
+ 1 file changed, 3 insertions(+), 17 deletions(-)
+
+diff --git a/net/ncsi/ncsi-manage.c b/net/ncsi/ncsi-manage.c
+index 7121ce2a47c0b..734feb2352fbc 100644
+--- a/net/ncsi/ncsi-manage.c
++++ b/net/ncsi/ncsi-manage.c
+@@ -689,8 +689,6 @@ static int set_one_vid(struct ncsi_dev_priv *ndp, struct ncsi_channel *nc,
+ return 0;
+ }
+
+-#if IS_ENABLED(CONFIG_NCSI_OEM_CMD_KEEP_PHY)
+-
+ static int ncsi_oem_keep_phy_intel(struct ncsi_cmd_arg *nca)
+ {
+ unsigned char data[NCSI_OEM_INTEL_CMD_KEEP_PHY_LEN];
+@@ -716,10 +714,6 @@ static int ncsi_oem_keep_phy_intel(struct ncsi_cmd_arg *nca)
+ return ret;
+ }
+
+-#endif
+-
+-#if IS_ENABLED(CONFIG_NCSI_OEM_CMD_GET_MAC)
+-
+ /* NCSI OEM Command APIs */
+ static int ncsi_oem_gma_handler_bcm(struct ncsi_cmd_arg *nca)
+ {
+@@ -856,8 +850,6 @@ static int ncsi_gma_handler(struct ncsi_cmd_arg *nca, unsigned int mf_id)
+ return nch->handler(nca);
+ }
+
+-#endif /* CONFIG_NCSI_OEM_CMD_GET_MAC */
+-
+ /* Determine if a given channel from the channel_queue should be used for Tx */
+ static bool ncsi_channel_is_tx(struct ncsi_dev_priv *ndp,
+ struct ncsi_channel *nc)
+@@ -1039,20 +1031,18 @@ static void ncsi_configure_channel(struct ncsi_dev_priv *ndp)
+ goto error;
+ }
+
+- nd->state = ncsi_dev_state_config_oem_gma;
++ nd->state = IS_ENABLED(CONFIG_NCSI_OEM_CMD_GET_MAC)
++ ? ncsi_dev_state_config_oem_gma
++ : ncsi_dev_state_config_clear_vids;
+ break;
+ case ncsi_dev_state_config_oem_gma:
+ nd->state = ncsi_dev_state_config_clear_vids;
+- ret = -1;
+
+-#if IS_ENABLED(CONFIG_NCSI_OEM_CMD_GET_MAC)
+ nca.type = NCSI_PKT_CMD_OEM;
+ nca.package = np->id;
+ nca.channel = nc->id;
+ ndp->pending_req_num = 1;
+ ret = ncsi_gma_handler(&nca, nc->version.mf_id);
+-#endif /* CONFIG_NCSI_OEM_CMD_GET_MAC */
+-
+ if (ret < 0)
+ schedule_work(&ndp->work);
+
+@@ -1404,7 +1394,6 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp)
+
+ schedule_work(&ndp->work);
+ break;
+-#if IS_ENABLED(CONFIG_NCSI_OEM_CMD_GET_MAC)
+ case ncsi_dev_state_probe_mlx_gma:
+ ndp->pending_req_num = 1;
+
+@@ -1429,7 +1418,6 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp)
+
+ nd->state = ncsi_dev_state_probe_cis;
+ break;
+-#endif /* CONFIG_NCSI_OEM_CMD_GET_MAC */
+ case ncsi_dev_state_probe_cis:
+ ndp->pending_req_num = NCSI_RESERVED_CHANNEL;
+
+@@ -1447,7 +1435,6 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp)
+ if (IS_ENABLED(CONFIG_NCSI_OEM_CMD_KEEP_PHY))
+ nd->state = ncsi_dev_state_probe_keep_phy;
+ break;
+-#if IS_ENABLED(CONFIG_NCSI_OEM_CMD_KEEP_PHY)
+ case ncsi_dev_state_probe_keep_phy:
+ ndp->pending_req_num = 1;
+
+@@ -1460,7 +1447,6 @@ static void ncsi_probe_channel(struct ncsi_dev_priv *ndp)
+
+ nd->state = ncsi_dev_state_probe_gvi;
+ break;
+-#endif /* CONFIG_NCSI_OEM_CMD_KEEP_PHY */
+ case ncsi_dev_state_probe_gvi:
+ case ncsi_dev_state_probe_gc:
+ case ncsi_dev_state_probe_gls:
+--
+2.43.0
+
--- /dev/null
+From 012580408a8964b935cf4734390a75966d84b01b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Jun 2024 15:13:03 +0800
+Subject: net: sched: sch_multiq: fix possible OOB write in multiq_tune()
+
+From: Hangyu Hua <hbh25y@gmail.com>
+
+[ Upstream commit affc18fdc694190ca7575b9a86632a73b9fe043d ]
+
+q->bands will be assigned to qopt->bands to execute subsequent code logic
+after kmalloc. So the old q->bands should not be used in kmalloc.
+Otherwise, an out-of-bounds write will occur.
+
+Fixes: c2999f7fb05b ("net: sched: multiq: don't call qdisc_put() while holding tree lock")
+Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
+Acked-by: Cong Wang <cong.wang@bytedance.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_multiq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sched/sch_multiq.c b/net/sched/sch_multiq.c
+index 8b99f07aa3a76..caa76c96b02ba 100644
+--- a/net/sched/sch_multiq.c
++++ b/net/sched/sch_multiq.c
+@@ -185,7 +185,7 @@ static int multiq_tune(struct Qdisc *sch, struct nlattr *opt,
+
+ qopt->bands = qdisc_dev(sch)->real_num_tx_queues;
+
+- removed = kmalloc(sizeof(*removed) * (q->max_bands - q->bands),
++ removed = kmalloc(sizeof(*removed) * (q->max_bands - qopt->bands),
+ GFP_KERNEL);
+ if (!removed)
+ return -ENOMEM;
+--
+2.43.0
+
--- /dev/null
+From cb00efe7d5844d0eb017cce05e8791cb4c6f0650 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jun 2024 18:15:11 +0000
+Subject: net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit f921a58ae20852d188f70842431ce6519c4fdc36 ]
+
+If one TCA_TAPRIO_ATTR_PRIOMAP attribute has been provided,
+taprio_parse_mqprio_opt() must validate it, or userspace
+can inject arbitrary data to the kernel, the second time
+taprio_change() is called.
+
+First call (with valid attributes) sets dev->num_tc
+to a non zero value.
+
+Second call (with arbitrary mqprio attributes)
+returns early from taprio_parse_mqprio_opt()
+and bad things can happen.
+
+Fixes: a3d43c0d56f1 ("taprio: Add support adding an admin schedule")
+Reported-by: Noam Rathaus <noamr@ssd-disclosure.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
+Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
+Link: https://lore.kernel.org/r/20240604181511.769870-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_taprio.c | 15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c
+index e40b4425eb6b5..4a0986843fb5d 100644
+--- a/net/sched/sch_taprio.c
++++ b/net/sched/sch_taprio.c
+@@ -947,16 +947,13 @@ static int taprio_parse_mqprio_opt(struct net_device *dev,
+ {
+ int i, j;
+
+- if (!qopt && !dev->num_tc) {
+- NL_SET_ERR_MSG(extack, "'mqprio' configuration is necessary");
+- return -EINVAL;
+- }
+-
+- /* If num_tc is already set, it means that the user already
+- * configured the mqprio part
+- */
+- if (dev->num_tc)
++ if (!qopt) {
++ if (!dev->num_tc) {
++ NL_SET_ERR_MSG(extack, "'mqprio' configuration is necessary");
++ return -EINVAL;
++ }
+ return 0;
++ }
+
+ /* Verify num_tc is not out of max range */
+ if (qopt->num_tc > TC_MAX_QUEUE) {
+--
+2.43.0
+
--- /dev/null
+From 9d2b4690a8d80d81e80ac17bbfc4cf4183de4f43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jun 2024 22:42:55 +0900
+Subject: nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+[ Upstream commit 7373a51e7998b508af7136530f3a997b286ce81c ]
+
+The error handling in nilfs_empty_dir() when a directory folio/page read
+fails is incorrect, as in the old ext2 implementation, and if the
+folio/page cannot be read or nilfs_check_folio() fails, it will falsely
+determine the directory as empty and corrupt the file system.
+
+In addition, since nilfs_empty_dir() does not immediately return on a
+failed folio/page read, but continues to loop, this can cause a long loop
+with I/O if i_size of the directory's inode is also corrupted, causing the
+log writer thread to wait and hang, as reported by syzbot.
+
+Fix these issues by making nilfs_empty_dir() immediately return a false
+value (0) if it fails to get a directory folio/page.
+
+Link: https://lkml.kernel.org/r/20240604134255.7165-1-konishi.ryusuke@gmail.com
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Reported-by: syzbot+c8166c541d3971bf6c87@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=c8166c541d3971bf6c87
+Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations")
+Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nilfs2/dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nilfs2/dir.c b/fs/nilfs2/dir.c
+index 22f1f75a90c1a..552234ef22fe7 100644
+--- a/fs/nilfs2/dir.c
++++ b/fs/nilfs2/dir.c
+@@ -627,7 +627,7 @@ int nilfs_empty_dir(struct inode *inode)
+
+ kaddr = nilfs_get_page(inode, i, &page);
+ if (IS_ERR(kaddr))
+- continue;
++ return 0;
+
+ de = (struct nilfs_dir_entry *)kaddr;
+ kaddr += nilfs_last_byte(inode, i) - NILFS_DIR_REC_LEN(1);
+--
+2.43.0
+
--- /dev/null
+From ab84725bc1775d0a3ef5fd2ea6a661463a5fd832 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 May 2022 18:12:25 -0400
+Subject: nilfs2: Remove check for PageError
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+[ Upstream commit 79ea65563ad8aaab309d61eeb4d5019dd6cf5fa0 ]
+
+If read_mapping_page() encounters an error, it returns an errno, not a
+page with PageError set, so this test is not needed.
+
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Stable-dep-of: 7373a51e7998 ("nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nilfs2/dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/nilfs2/dir.c b/fs/nilfs2/dir.c
+index eb7de9e2a384e..24cfe9db66e02 100644
+--- a/fs/nilfs2/dir.c
++++ b/fs/nilfs2/dir.c
+@@ -194,7 +194,7 @@ static struct page *nilfs_get_page(struct inode *dir, unsigned long n)
+ if (!IS_ERR(page)) {
+ kmap(page);
+ if (unlikely(!PageChecked(page))) {
+- if (PageError(page) || !nilfs_check_page(page))
++ if (!nilfs_check_page(page))
+ goto fail;
+ }
+ }
+--
+2.43.0
+
--- /dev/null
+From 396dd465c29ba59fbc07ee78f1ad824e6b0a42b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Nov 2023 23:30:25 +0900
+Subject: nilfs2: return the mapped address from nilfs_get_page()
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+[ Upstream commit 09a46acb3697e50548bb265afa1d79163659dd85 ]
+
+In prepartion for switching from kmap() to kmap_local(), return the kmap
+address from nilfs_get_page() instead of having the caller look up
+page_address().
+
+[konishi.ryusuke: fixed a missing blank line after declaration]
+Link: https://lkml.kernel.org/r/20231127143036.2425-7-konishi.ryusuke@gmail.com
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 7373a51e7998 ("nilfs2: fix nilfs_empty_dir() misjudgment and long loop on I/O errors")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nilfs2/dir.c | 57 +++++++++++++++++++++++--------------------------
+ 1 file changed, 27 insertions(+), 30 deletions(-)
+
+diff --git a/fs/nilfs2/dir.c b/fs/nilfs2/dir.c
+index 24cfe9db66e02..22f1f75a90c1a 100644
+--- a/fs/nilfs2/dir.c
++++ b/fs/nilfs2/dir.c
+@@ -186,19 +186,24 @@ static bool nilfs_check_page(struct page *page)
+ return false;
+ }
+
+-static struct page *nilfs_get_page(struct inode *dir, unsigned long n)
++static void *nilfs_get_page(struct inode *dir, unsigned long n,
++ struct page **pagep)
+ {
+ struct address_space *mapping = dir->i_mapping;
+ struct page *page = read_mapping_page(mapping, n, NULL);
++ void *kaddr;
+
+- if (!IS_ERR(page)) {
+- kmap(page);
+- if (unlikely(!PageChecked(page))) {
+- if (!nilfs_check_page(page))
+- goto fail;
+- }
++ if (IS_ERR(page))
++ return page;
++
++ kaddr = kmap(page);
++ if (unlikely(!PageChecked(page))) {
++ if (!nilfs_check_page(page))
++ goto fail;
+ }
+- return page;
++
++ *pagep = page;
++ return kaddr;
+
+ fail:
+ nilfs_put_page(page);
+@@ -275,14 +280,14 @@ static int nilfs_readdir(struct file *file, struct dir_context *ctx)
+ for ( ; n < npages; n++, offset = 0) {
+ char *kaddr, *limit;
+ struct nilfs_dir_entry *de;
+- struct page *page = nilfs_get_page(inode, n);
++ struct page *page;
+
+- if (IS_ERR(page)) {
++ kaddr = nilfs_get_page(inode, n, &page);
++ if (IS_ERR(kaddr)) {
+ nilfs_error(sb, "bad page in #%lu", inode->i_ino);
+ ctx->pos += PAGE_SIZE - offset;
+ return -EIO;
+ }
+- kaddr = page_address(page);
+ de = (struct nilfs_dir_entry *)(kaddr + offset);
+ limit = kaddr + nilfs_last_byte(inode, n) -
+ NILFS_DIR_REC_LEN(1);
+@@ -345,11 +350,9 @@ nilfs_find_entry(struct inode *dir, const struct qstr *qstr,
+ start = 0;
+ n = start;
+ do {
+- char *kaddr;
++ char *kaddr = nilfs_get_page(dir, n, &page);
+
+- page = nilfs_get_page(dir, n);
+- if (!IS_ERR(page)) {
+- kaddr = page_address(page);
++ if (!IS_ERR(kaddr)) {
+ de = (struct nilfs_dir_entry *)kaddr;
+ kaddr += nilfs_last_byte(dir, n) - reclen;
+ while ((char *) de <= kaddr) {
+@@ -387,15 +390,11 @@ nilfs_find_entry(struct inode *dir, const struct qstr *qstr,
+
+ struct nilfs_dir_entry *nilfs_dotdot(struct inode *dir, struct page **p)
+ {
+- struct page *page = nilfs_get_page(dir, 0);
+- struct nilfs_dir_entry *de = NULL;
++ struct nilfs_dir_entry *de = nilfs_get_page(dir, 0, p);
+
+- if (!IS_ERR(page)) {
+- de = nilfs_next_entry(
+- (struct nilfs_dir_entry *)page_address(page));
+- *p = page;
+- }
+- return de;
++ if (IS_ERR(de))
++ return NULL;
++ return nilfs_next_entry(de);
+ }
+
+ ino_t nilfs_inode_by_name(struct inode *dir, const struct qstr *qstr)
+@@ -459,12 +458,11 @@ int nilfs_add_link(struct dentry *dentry, struct inode *inode)
+ for (n = 0; n <= npages; n++) {
+ char *dir_end;
+
+- page = nilfs_get_page(dir, n);
+- err = PTR_ERR(page);
+- if (IS_ERR(page))
++ kaddr = nilfs_get_page(dir, n, &page);
++ err = PTR_ERR(kaddr);
++ if (IS_ERR(kaddr))
+ goto out;
+ lock_page(page);
+- kaddr = page_address(page);
+ dir_end = kaddr + nilfs_last_byte(dir, n);
+ de = (struct nilfs_dir_entry *)kaddr;
+ kaddr += PAGE_SIZE - reclen;
+@@ -627,11 +625,10 @@ int nilfs_empty_dir(struct inode *inode)
+ char *kaddr;
+ struct nilfs_dir_entry *de;
+
+- page = nilfs_get_page(inode, i);
+- if (IS_ERR(page))
++ kaddr = nilfs_get_page(inode, i, &page);
++ if (IS_ERR(kaddr))
+ continue;
+
+- kaddr = page_address(page);
+ de = (struct nilfs_dir_entry *)kaddr;
+ kaddr += nilfs_last_byte(inode, i) - NILFS_DIR_REC_LEN(1);
+
+--
+2.43.0
+
--- /dev/null
+From 6cbbf3cbece256826d736dea4d0ab50d3dca35cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 May 2024 20:59:44 +0530
+Subject: octeontx2-af: Always allocate PF entries from low prioriy zone
+
+From: Subbaraya Sundeep <sbhatta@marvell.com>
+
+[ Upstream commit 8b0f7410942cdc420c4557eda02bfcdf60ccec17 ]
+
+PF mcam entries has to be at low priority always so that VF
+can install longest prefix match rules at higher priority.
+This was taken care currently but when priority allocation
+wrt reference entry is requested then entries are allocated
+from mid-zone instead of low priority zone. Fix this and
+always allocate entries from low priority zone for PFs.
+
+Fixes: 7df5b4b260dd ("octeontx2-af: Allocate low priority entries for PF")
+Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/marvell/octeontx2/af/rvu_npc.c | 33 ++++++++++++-------
+ 1 file changed, 22 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
+index c6b6d709e5908..84003243e3b75 100644
+--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
++++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_npc.c
+@@ -2459,7 +2459,17 @@ static int npc_mcam_alloc_entries(struct npc_mcam *mcam, u16 pcifunc,
+ * - when available free entries are less.
+ * Lower priority ones out of avaialble free entries are always
+ * chosen when 'high vs low' question arises.
++ *
++ * For a VF base MCAM match rule is set by its PF. And all the
++ * further MCAM rules installed by VF on its own are
++ * concatenated with the base rule set by its PF. Hence PF entries
++ * should be at lower priority compared to VF entries. Otherwise
++ * base rule is hit always and rules installed by VF will be of
++ * no use. Hence if the request is from PF then allocate low
++ * priority entries.
+ */
++ if (!(pcifunc & RVU_PFVF_FUNC_MASK))
++ goto lprio_alloc;
+
+ /* Get the search range for priority allocation request */
+ if (req->priority) {
+@@ -2468,17 +2478,6 @@ static int npc_mcam_alloc_entries(struct npc_mcam *mcam, u16 pcifunc,
+ goto alloc;
+ }
+
+- /* For a VF base MCAM match rule is set by its PF. And all the
+- * further MCAM rules installed by VF on its own are
+- * concatenated with the base rule set by its PF. Hence PF entries
+- * should be at lower priority compared to VF entries. Otherwise
+- * base rule is hit always and rules installed by VF will be of
+- * no use. Hence if the request is from PF and NOT a priority
+- * allocation request then allocate low priority entries.
+- */
+- if (!(pcifunc & RVU_PFVF_FUNC_MASK))
+- goto lprio_alloc;
+-
+ /* Find out the search range for non-priority allocation request
+ *
+ * Get MCAM free entry count in middle zone.
+@@ -2508,6 +2507,18 @@ static int npc_mcam_alloc_entries(struct npc_mcam *mcam, u16 pcifunc,
+ reverse = true;
+ start = 0;
+ end = mcam->bmap_entries;
++ /* Ensure PF requests are always at bottom and if PF requests
++ * for higher/lower priority entry wrt reference entry then
++ * honour that criteria and start search for entries from bottom
++ * and not in mid zone.
++ */
++ if (!(pcifunc & RVU_PFVF_FUNC_MASK) &&
++ req->priority == NPC_MCAM_HIGHER_PRIO)
++ end = req->ref_entry;
++
++ if (!(pcifunc & RVU_PFVF_FUNC_MASK) &&
++ req->priority == NPC_MCAM_LOWER_PRIO)
++ start = req->ref_entry;
+ }
+
+ alloc:
+--
+2.43.0
+
--- /dev/null
+From f37792d6c0c499db4e2e02e7a69d41d5e837ce08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jun 2024 14:05:27 +0200
+Subject: ptp: Fix error message on failed pin verification
+
+From: Karol Kolacinski <karol.kolacinski@intel.com>
+
+[ Upstream commit 323a359f9b077f382f4483023d096a4d316fd135 ]
+
+On failed verification of PTP clock pin, error message prints channel
+number instead of pin index after "pin", which is incorrect.
+
+Fix error message by adding channel number to the message and printing
+pin number instead of channel number.
+
+Fixes: 6092315dfdec ("ptp: introduce programmable pins.")
+Signed-off-by: Karol Kolacinski <karol.kolacinski@intel.com>
+Acked-by: Richard Cochran <richardcochran@gmail.com>
+Link: https://lore.kernel.org/r/20240604120555.16643-1-karol.kolacinski@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ptp/ptp_chardev.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
+index 9311f3d09c8fc..8eb902fe73a98 100644
+--- a/drivers/ptp/ptp_chardev.c
++++ b/drivers/ptp/ptp_chardev.c
+@@ -84,7 +84,8 @@ int ptp_set_pinfunc(struct ptp_clock *ptp, unsigned int pin,
+ }
+
+ if (info->verify(info, pin, func, chan)) {
+- pr_err("driver cannot use function %u on pin %u\n", func, chan);
++ pr_err("driver cannot use function %u and channel %u on pin %u\n",
++ func, chan, pin);
+ return -EOPNOTSUPP;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 06f0f18c3ad2b8622e86d452bf46b13e1f0c79f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Aug 2021 15:43:54 +0300
+Subject: pvpanic: Indentation fixes here and there
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 84b0f12a953c4feff9994b1c4583ed18b441f482 ]
+
+1) replace double spaces with single;
+2) relax line width limitation a bit.
+
+Reviewed-by: Mihai Carabas <mihai.carabas@oracle.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20210829124354.81653-3-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: ee59be35d7a8 ("misc/pvpanic-pci: register attributes via pci_driver")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/pvpanic/pvpanic-mmio.c | 7 +++----
+ drivers/misc/pvpanic/pvpanic-pci.c | 12 +++++-------
+ drivers/misc/pvpanic/pvpanic.c | 11 ++++-------
+ 3 files changed, 12 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/misc/pvpanic/pvpanic-mmio.c b/drivers/misc/pvpanic/pvpanic-mmio.c
+index 61dbff5f0065c..eb97167c03fb4 100644
+--- a/drivers/misc/pvpanic/pvpanic-mmio.c
++++ b/drivers/misc/pvpanic/pvpanic-mmio.c
+@@ -24,8 +24,7 @@ MODULE_AUTHOR("Hu Tao <hutao@cn.fujitsu.com>");
+ MODULE_DESCRIPTION("pvpanic-mmio device driver");
+ MODULE_LICENSE("GPL");
+
+-static ssize_t capability_show(struct device *dev,
+- struct device_attribute *attr, char *buf)
++static ssize_t capability_show(struct device *dev, struct device_attribute *attr, char *buf)
+ {
+ struct pvpanic_instance *pi = dev_get_drvdata(dev);
+
+@@ -33,14 +32,14 @@ static ssize_t capability_show(struct device *dev,
+ }
+ static DEVICE_ATTR_RO(capability);
+
+-static ssize_t events_show(struct device *dev, struct device_attribute *attr, char *buf)
++static ssize_t events_show(struct device *dev, struct device_attribute *attr, char *buf)
+ {
+ struct pvpanic_instance *pi = dev_get_drvdata(dev);
+
+ return sysfs_emit(buf, "%x\n", pi->events);
+ }
+
+-static ssize_t events_store(struct device *dev, struct device_attribute *attr,
++static ssize_t events_store(struct device *dev, struct device_attribute *attr,
+ const char *buf, size_t count)
+ {
+ struct pvpanic_instance *pi = dev_get_drvdata(dev);
+diff --git a/drivers/misc/pvpanic/pvpanic-pci.c b/drivers/misc/pvpanic/pvpanic-pci.c
+index 7d1220f4c95bc..07eddb5ea30fa 100644
+--- a/drivers/misc/pvpanic/pvpanic-pci.c
++++ b/drivers/misc/pvpanic/pvpanic-pci.c
+@@ -19,11 +19,10 @@
+ #define PCI_DEVICE_ID_REDHAT_PVPANIC 0x0011
+
+ MODULE_AUTHOR("Mihai Carabas <mihai.carabas@oracle.com>");
+-MODULE_DESCRIPTION("pvpanic device driver ");
++MODULE_DESCRIPTION("pvpanic device driver");
+ MODULE_LICENSE("GPL");
+
+-static ssize_t capability_show(struct device *dev,
+- struct device_attribute *attr, char *buf)
++static ssize_t capability_show(struct device *dev, struct device_attribute *attr, char *buf)
+ {
+ struct pvpanic_instance *pi = dev_get_drvdata(dev);
+
+@@ -31,14 +30,14 @@ static ssize_t capability_show(struct device *dev,
+ }
+ static DEVICE_ATTR_RO(capability);
+
+-static ssize_t events_show(struct device *dev, struct device_attribute *attr, char *buf)
++static ssize_t events_show(struct device *dev, struct device_attribute *attr, char *buf)
+ {
+ struct pvpanic_instance *pi = dev_get_drvdata(dev);
+
+ return sysfs_emit(buf, "%x\n", pi->events);
+ }
+
+-static ssize_t events_store(struct device *dev, struct device_attribute *attr,
++static ssize_t events_store(struct device *dev, struct device_attribute *attr,
+ const char *buf, size_t count)
+ {
+ struct pvpanic_instance *pi = dev_get_drvdata(dev);
+@@ -65,8 +64,7 @@ static struct attribute *pvpanic_pci_dev_attrs[] = {
+ };
+ ATTRIBUTE_GROUPS(pvpanic_pci_dev);
+
+-static int pvpanic_pci_probe(struct pci_dev *pdev,
+- const struct pci_device_id *ent)
++static int pvpanic_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ {
+ struct pvpanic_instance *pi;
+ void __iomem *base;
+diff --git a/drivers/misc/pvpanic/pvpanic.c b/drivers/misc/pvpanic/pvpanic.c
+index 477bf9c6b6bc5..049a120063489 100644
+--- a/drivers/misc/pvpanic/pvpanic.c
++++ b/drivers/misc/pvpanic/pvpanic.c
+@@ -23,7 +23,7 @@
+ #include "pvpanic.h"
+
+ MODULE_AUTHOR("Mihai Carabas <mihai.carabas@oracle.com>");
+-MODULE_DESCRIPTION("pvpanic device driver ");
++MODULE_DESCRIPTION("pvpanic device driver");
+ MODULE_LICENSE("GPL");
+
+ static struct list_head pvpanic_list;
+@@ -45,8 +45,7 @@ pvpanic_send_event(unsigned int event)
+ }
+
+ static int
+-pvpanic_panic_notify(struct notifier_block *nb, unsigned long code,
+- void *unused)
++pvpanic_panic_notify(struct notifier_block *nb, unsigned long code, void *unused)
+ {
+ unsigned int event = PVPANIC_PANICKED;
+
+@@ -102,8 +101,7 @@ static int pvpanic_init(void)
+ INIT_LIST_HEAD(&pvpanic_list);
+ spin_lock_init(&pvpanic_lock);
+
+- atomic_notifier_chain_register(&panic_notifier_list,
+- &pvpanic_panic_nb);
++ atomic_notifier_chain_register(&panic_notifier_list, &pvpanic_panic_nb);
+
+ return 0;
+ }
+@@ -111,8 +109,7 @@ module_init(pvpanic_init);
+
+ static void pvpanic_exit(void)
+ {
+- atomic_notifier_chain_unregister(&panic_notifier_list,
+- &pvpanic_panic_nb);
++ atomic_notifier_chain_unregister(&panic_notifier_list, &pvpanic_panic_nb);
+
+ }
+ module_exit(pvpanic_exit);
+--
+2.43.0
+
--- /dev/null
+From 1d75229b9ef3c1ca26bf3b39c0da530ef818899d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Aug 2021 15:43:52 +0300
+Subject: pvpanic: Keep single style across modules
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 33a430419456991480cde9d8889e5a27f6049df4 ]
+
+We have different style on where we place module_*() and MODULE_*() macros.
+Inherit the style from the original module (now pvpanic-mmio.c).
+
+Reviewed-by: Mihai Carabas <mihai.carabas@oracle.com
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20210829124354.81653-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: ee59be35d7a8 ("misc/pvpanic-pci: register attributes via pci_driver")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/pvpanic/pvpanic-pci.c | 14 ++++++--------
+ drivers/misc/pvpanic/pvpanic.c | 3 +--
+ 2 files changed, 7 insertions(+), 10 deletions(-)
+
+diff --git a/drivers/misc/pvpanic/pvpanic-pci.c b/drivers/misc/pvpanic/pvpanic-pci.c
+index 741116b3d9958..7d1220f4c95bc 100644
+--- a/drivers/misc/pvpanic/pvpanic-pci.c
++++ b/drivers/misc/pvpanic/pvpanic-pci.c
+@@ -22,11 +22,6 @@ MODULE_AUTHOR("Mihai Carabas <mihai.carabas@oracle.com>");
+ MODULE_DESCRIPTION("pvpanic device driver ");
+ MODULE_LICENSE("GPL");
+
+-static const struct pci_device_id pvpanic_pci_id_tbl[] = {
+- { PCI_DEVICE(PCI_VENDOR_ID_REDHAT, PCI_DEVICE_ID_REDHAT_PVPANIC)},
+- {}
+-};
+-
+ static ssize_t capability_show(struct device *dev,
+ struct device_attribute *attr, char *buf)
+ {
+@@ -99,6 +94,12 @@ static int pvpanic_pci_probe(struct pci_dev *pdev,
+ return devm_pvpanic_probe(&pdev->dev, pi);
+ }
+
++static const struct pci_device_id pvpanic_pci_id_tbl[] = {
++ { PCI_DEVICE(PCI_VENDOR_ID_REDHAT, PCI_DEVICE_ID_REDHAT_PVPANIC)},
++ {}
++};
++MODULE_DEVICE_TABLE(pci, pvpanic_pci_id_tbl);
++
+ static struct pci_driver pvpanic_pci_driver = {
+ .name = "pvpanic-pci",
+ .id_table = pvpanic_pci_id_tbl,
+@@ -107,7 +108,4 @@ static struct pci_driver pvpanic_pci_driver = {
+ .dev_groups = pvpanic_pci_dev_groups,
+ },
+ };
+-
+-MODULE_DEVICE_TABLE(pci, pvpanic_pci_id_tbl);
+-
+ module_pci_driver(pvpanic_pci_driver);
+diff --git a/drivers/misc/pvpanic/pvpanic.c b/drivers/misc/pvpanic/pvpanic.c
+index b9e6400a574b0..477bf9c6b6bc5 100644
+--- a/drivers/misc/pvpanic/pvpanic.c
++++ b/drivers/misc/pvpanic/pvpanic.c
+@@ -107,6 +107,7 @@ static int pvpanic_init(void)
+
+ return 0;
+ }
++module_init(pvpanic_init);
+
+ static void pvpanic_exit(void)
+ {
+@@ -114,6 +115,4 @@ static void pvpanic_exit(void)
+ &pvpanic_panic_nb);
+
+ }
+-
+-module_init(pvpanic_init);
+ module_exit(pvpanic_exit);
+--
+2.43.0
+
--- /dev/null
+From 7942fb2584daa8140ea8680021b03bf0b9c9a0d4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 May 2024 13:13:56 +0530
+Subject: selftests/mm: compaction_test: fix bogus test success on Aarch64
+
+From: Dev Jain <dev.jain@arm.com>
+
+[ Upstream commit d4202e66a4b1fe6968f17f9f09bbc30d08f028a1 ]
+
+Patch series "Fixes for compaction_test", v2.
+
+The compaction_test memory selftest introduces fragmentation in memory
+and then tries to allocate as many hugepages as possible. This series
+addresses some problems.
+
+On Aarch64, if nr_hugepages == 0, then the test trivially succeeds since
+compaction_index becomes 0, which is less than 3, due to no division by
+zero exception being raised. We fix that by checking for division by
+zero.
+
+Secondly, correctly set the number of hugepages to zero before trying
+to set a large number of them.
+
+Now, consider a situation in which, at the start of the test, a non-zero
+number of hugepages have been already set (while running the entire
+selftests/mm suite, or manually by the admin). The test operates on 80%
+of memory to avoid OOM-killer invocation, and because some memory is
+already blocked by hugepages, it would increase the chance of OOM-killing.
+Also, since mem_free used in check_compaction() is the value before we
+set nr_hugepages to zero, the chance that the compaction_index will
+be small is very high if the preset nr_hugepages was high, leading to a
+bogus test success.
+
+This patch (of 3):
+
+Currently, if at runtime we are not able to allocate a huge page, the test
+will trivially pass on Aarch64 due to no exception being raised on
+division by zero while computing compaction_index. Fix that by checking
+for nr_hugepages == 0. Anyways, in general, avoid a division by zero by
+exiting the program beforehand. While at it, fix a typo, and handle the
+case where the number of hugepages may overflow an integer.
+
+Link: https://lkml.kernel.org/r/20240521074358.675031-1-dev.jain@arm.com
+Link: https://lkml.kernel.org/r/20240521074358.675031-2-dev.jain@arm.com
+Fixes: bd67d5c15cc1 ("Test compaction of mlocked memory")
+Signed-off-by: Dev Jain <dev.jain@arm.com>
+Cc: Anshuman Khandual <anshuman.khandual@arm.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Sri Jayaramappa <sjayaram@akamai.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/vm/compaction_test.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/tools/testing/selftests/vm/compaction_test.c b/tools/testing/selftests/vm/compaction_test.c
+index 6aa6460b854ea..309b3750e57e1 100644
+--- a/tools/testing/selftests/vm/compaction_test.c
++++ b/tools/testing/selftests/vm/compaction_test.c
+@@ -82,12 +82,13 @@ int prereq(void)
+ return -1;
+ }
+
+-int check_compaction(unsigned long mem_free, unsigned int hugepage_size)
++int check_compaction(unsigned long mem_free, unsigned long hugepage_size)
+ {
++ unsigned long nr_hugepages_ul;
+ int fd, ret = -1;
+ int compaction_index = 0;
+- char initial_nr_hugepages[10] = {0};
+- char nr_hugepages[10] = {0};
++ char initial_nr_hugepages[20] = {0};
++ char nr_hugepages[20] = {0};
+
+ /* We want to test with 80% of available memory. Else, OOM killer comes
+ in to play */
+@@ -136,7 +137,12 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size)
+
+ /* We should have been able to request at least 1/3 rd of the memory in
+ huge pages */
+- compaction_index = mem_free/(atoi(nr_hugepages) * hugepage_size);
++ nr_hugepages_ul = strtoul(nr_hugepages, NULL, 10);
++ if (!nr_hugepages_ul) {
++ ksft_print_msg("ERROR: No memory is available as huge pages\n");
++ goto close_fd;
++ }
++ compaction_index = mem_free/(nr_hugepages_ul * hugepage_size);
+
+ lseek(fd, 0, SEEK_SET);
+
+@@ -147,11 +153,11 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size)
+ goto close_fd;
+ }
+
+- ksft_print_msg("Number of huge pages allocated = %d\n",
+- atoi(nr_hugepages));
++ ksft_print_msg("Number of huge pages allocated = %lu\n",
++ nr_hugepages_ul);
+
+ if (compaction_index > 3) {
+- ksft_print_msg("ERROR: Less that 1/%d of memory is available\n"
++ ksft_print_msg("ERROR: Less than 1/%d of memory is available\n"
+ "as huge pages\n", compaction_index);
+ goto close_fd;
+ }
+--
+2.43.0
+
--- /dev/null
+From 8122b9a1d85ed20baf5b0f0dc31e8a912e38559f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 May 2024 13:13:57 +0530
+Subject: selftests/mm: compaction_test: fix incorrect write of zero to
+ nr_hugepages
+
+From: Dev Jain <dev.jain@arm.com>
+
+[ Upstream commit 9ad665ef55eaad1ead1406a58a34f615a7c18b5e ]
+
+Currently, the test tries to set nr_hugepages to zero, but that is not
+actually done because the file offset is not reset after read(). Fix that
+using lseek().
+
+Link: https://lkml.kernel.org/r/20240521074358.675031-3-dev.jain@arm.com
+Fixes: bd67d5c15cc1 ("Test compaction of mlocked memory")
+Signed-off-by: Dev Jain <dev.jain@arm.com>
+Cc: <stable@vger.kernel.org>
+Cc: Anshuman Khandual <anshuman.khandual@arm.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: Sri Jayaramappa <sjayaram@akamai.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/vm/compaction_test.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/testing/selftests/vm/compaction_test.c b/tools/testing/selftests/vm/compaction_test.c
+index 9b420140ba2ba..55dec92e1e58c 100644
+--- a/tools/testing/selftests/vm/compaction_test.c
++++ b/tools/testing/selftests/vm/compaction_test.c
+@@ -103,6 +103,8 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size)
+ goto close_fd;
+ }
+
++ lseek(fd, 0, SEEK_SET);
++
+ /* Start with the initial condition of 0 huge pages*/
+ if (write(fd, "0", sizeof(char)) != sizeof(char)) {
+ perror("Failed to write 0 to /proc/sys/vm/nr_hugepages\n");
+--
+2.43.0
+
--- /dev/null
+From fc916f38ee158cfe606782f4c93fb9e349c54cd6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Jan 2024 13:36:12 +0500
+Subject: selftests/mm: conform test to TAP format output
+
+From: Muhammad Usama Anjum <usama.anjum@collabora.com>
+
+[ Upstream commit 9a21701edc41465de56f97914741bfb7bfc2517d ]
+
+Conform the layout, informational and status messages to TAP. No
+functional change is intended other than the layout of output messages.
+
+Link: https://lkml.kernel.org/r/20240101083614.1076768-1-usama.anjum@collabora.com
+Signed-off-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: d4202e66a4b1 ("selftests/mm: compaction_test: fix bogus test success on Aarch64")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/vm/compaction_test.c | 91 ++++++++++----------
+ 1 file changed, 44 insertions(+), 47 deletions(-)
+
+diff --git a/tools/testing/selftests/vm/compaction_test.c b/tools/testing/selftests/vm/compaction_test.c
+index 55dec92e1e58c..f81931c1f8386 100644
+--- a/tools/testing/selftests/vm/compaction_test.c
++++ b/tools/testing/selftests/vm/compaction_test.c
+@@ -33,7 +33,7 @@ int read_memory_info(unsigned long *memfree, unsigned long *hugepagesize)
+ FILE *cmdfile = popen(cmd, "r");
+
+ if (!(fgets(buffer, sizeof(buffer), cmdfile))) {
+- perror("Failed to read meminfo\n");
++ ksft_print_msg("Failed to read meminfo: %s\n", strerror(errno));
+ return -1;
+ }
+
+@@ -44,7 +44,7 @@ int read_memory_info(unsigned long *memfree, unsigned long *hugepagesize)
+ cmdfile = popen(cmd, "r");
+
+ if (!(fgets(buffer, sizeof(buffer), cmdfile))) {
+- perror("Failed to read meminfo\n");
++ ksft_print_msg("Failed to read meminfo: %s\n", strerror(errno));
+ return -1;
+ }
+
+@@ -62,14 +62,14 @@ int prereq(void)
+ fd = open("/proc/sys/vm/compact_unevictable_allowed",
+ O_RDONLY | O_NONBLOCK);
+ if (fd < 0) {
+- perror("Failed to open\n"
+- "/proc/sys/vm/compact_unevictable_allowed\n");
++ ksft_print_msg("Failed to open /proc/sys/vm/compact_unevictable_allowed: %s\n",
++ strerror(errno));
+ return -1;
+ }
+
+ if (read(fd, &allowed, sizeof(char)) != sizeof(char)) {
+- perror("Failed to read from\n"
+- "/proc/sys/vm/compact_unevictable_allowed\n");
++ ksft_print_msg("Failed to read from /proc/sys/vm/compact_unevictable_allowed: %s\n",
++ strerror(errno));
+ close(fd);
+ return -1;
+ }
+@@ -78,12 +78,13 @@ int prereq(void)
+ if (allowed == '1')
+ return 0;
+
++ ksft_print_msg("Compaction isn't allowed\n");
+ return -1;
+ }
+
+ int check_compaction(unsigned long mem_free, unsigned int hugepage_size)
+ {
+- int fd;
++ int fd, ret = -1;
+ int compaction_index = 0;
+ char initial_nr_hugepages[10] = {0};
+ char nr_hugepages[10] = {0};
+@@ -94,12 +95,14 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size)
+
+ fd = open("/proc/sys/vm/nr_hugepages", O_RDWR | O_NONBLOCK);
+ if (fd < 0) {
+- perror("Failed to open /proc/sys/vm/nr_hugepages");
++ ksft_test_result_fail("Failed to open /proc/sys/vm/nr_hugepages: %s\n",
++ strerror(errno));
+ return -1;
+ }
+
+ if (read(fd, initial_nr_hugepages, sizeof(initial_nr_hugepages)) <= 0) {
+- perror("Failed to read from /proc/sys/vm/nr_hugepages");
++ ksft_test_result_fail("Failed to read from /proc/sys/vm/nr_hugepages: %s\n",
++ strerror(errno));
+ goto close_fd;
+ }
+
+@@ -107,7 +110,8 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size)
+
+ /* Start with the initial condition of 0 huge pages*/
+ if (write(fd, "0", sizeof(char)) != sizeof(char)) {
+- perror("Failed to write 0 to /proc/sys/vm/nr_hugepages\n");
++ ksft_test_result_fail("Failed to write 0 to /proc/sys/vm/nr_hugepages: %s\n",
++ strerror(errno));
+ goto close_fd;
+ }
+
+@@ -116,14 +120,16 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size)
+ /* Request a large number of huge pages. The Kernel will allocate
+ as much as it can */
+ if (write(fd, "100000", (6*sizeof(char))) != (6*sizeof(char))) {
+- perror("Failed to write 100000 to /proc/sys/vm/nr_hugepages\n");
++ ksft_test_result_fail("Failed to write 100000 to /proc/sys/vm/nr_hugepages: %s\n",
++ strerror(errno));
+ goto close_fd;
+ }
+
+ lseek(fd, 0, SEEK_SET);
+
+ if (read(fd, nr_hugepages, sizeof(nr_hugepages)) <= 0) {
+- perror("Failed to re-read from /proc/sys/vm/nr_hugepages\n");
++ ksft_test_result_fail("Failed to re-read from /proc/sys/vm/nr_hugepages: %s\n",
++ strerror(errno));
+ goto close_fd;
+ }
+
+@@ -131,67 +137,58 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size)
+ huge pages */
+ compaction_index = mem_free/(atoi(nr_hugepages) * hugepage_size);
+
+- if (compaction_index > 3) {
+- printf("No of huge pages allocated = %d\n",
+- (atoi(nr_hugepages)));
+- fprintf(stderr, "ERROR: Less that 1/%d of memory is available\n"
+- "as huge pages\n", compaction_index);
+- goto close_fd;
+- }
+-
+- printf("No of huge pages allocated = %d\n",
+- (atoi(nr_hugepages)));
+-
+ lseek(fd, 0, SEEK_SET);
+
+ if (write(fd, initial_nr_hugepages, strlen(initial_nr_hugepages))
+ != strlen(initial_nr_hugepages)) {
+- perror("Failed to write value to /proc/sys/vm/nr_hugepages\n");
++ ksft_test_result_fail("Failed to write value to /proc/sys/vm/nr_hugepages: %s\n",
++ strerror(errno));
+ goto close_fd;
+ }
+
+- close(fd);
+- return 0;
++ if (compaction_index > 3) {
++ ksft_print_msg("ERROR: Less that 1/%d of memory is available\n"
++ "as huge pages\n", compaction_index);
++ ksft_test_result_fail("No of huge pages allocated = %d\n", (atoi(nr_hugepages)));
++ goto close_fd;
++ }
++
++ ksft_test_result_pass("Memory compaction succeeded. No of huge pages allocated = %d\n",
++ (atoi(nr_hugepages)));
++ ret = 0;
+
+ close_fd:
+ close(fd);
+- printf("Not OK. Compaction test failed.");
+- return -1;
++ return ret;
+ }
+
+
+ int main(int argc, char **argv)
+ {
+ struct rlimit lim;
+- struct map_list *list, *entry;
++ struct map_list *list = NULL, *entry;
+ size_t page_size, i;
+ void *map = NULL;
+ unsigned long mem_free = 0;
+ unsigned long hugepage_size = 0;
+ long mem_fragmentable_MB = 0;
+
+- if (prereq() != 0) {
+- printf("Either the sysctl compact_unevictable_allowed is not\n"
+- "set to 1 or couldn't read the proc file.\n"
+- "Skipping the test\n");
+- return KSFT_SKIP;
+- }
++ ksft_print_header();
++
++ if (prereq() != 0)
++ return ksft_exit_pass();
++
++ ksft_set_plan(1);
+
+ lim.rlim_cur = RLIM_INFINITY;
+ lim.rlim_max = RLIM_INFINITY;
+- if (setrlimit(RLIMIT_MEMLOCK, &lim)) {
+- perror("Failed to set rlimit:\n");
+- return -1;
+- }
++ if (setrlimit(RLIMIT_MEMLOCK, &lim))
++ ksft_exit_fail_msg("Failed to set rlimit: %s\n", strerror(errno));
+
+ page_size = getpagesize();
+
+- list = NULL;
+-
+- if (read_memory_info(&mem_free, &hugepage_size) != 0) {
+- printf("ERROR: Cannot read meminfo\n");
+- return -1;
+- }
++ if (read_memory_info(&mem_free, &hugepage_size) != 0)
++ ksft_exit_fail_msg("Failed to get meminfo\n");
+
+ mem_fragmentable_MB = mem_free * 0.8 / 1024;
+
+@@ -227,7 +224,7 @@ int main(int argc, char **argv)
+ }
+
+ if (check_compaction(mem_free, hugepage_size) == 0)
+- return 0;
++ return ksft_exit_pass();
+
+- return -1;
++ return ksft_exit_fail();
+ }
+--
+2.43.0
+
--- /dev/null
+From 853c0f059d7a91d4bd850040a0da0512dbfeedda Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Feb 2024 14:30:04 +0000
+Subject: selftests/mm: log a consistent test name for check_compaction
+
+From: Mark Brown <broonie@kernel.org>
+
+[ Upstream commit f3b7568c49420d2dcd251032c9ca1e069ec8a6c9 ]
+
+Every test result report in the compaction test prints a distinct log
+messae, and some of the reports print a name that varies at runtime. This
+causes problems for automation since a lot of automation software uses the
+printed string as the name of the test, if the name varies from run to run
+and from pass to fail then the automation software can't identify that a
+test changed result or that the same tests are being run.
+
+Refactor the logging to use a consistent name when printing the result of
+the test, printing the existing messages as diagnostic information instead
+so they are still available for people trying to interpret the results.
+
+Link: https://lkml.kernel.org/r/20240209-kselftest-mm-cleanup-v1-2-a3c0386496b5@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Cc: Ryan Roberts <ryan.roberts@arm.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: d4202e66a4b1 ("selftests/mm: compaction_test: fix bogus test success on Aarch64")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/vm/compaction_test.c | 35 +++++++++++---------
+ 1 file changed, 19 insertions(+), 16 deletions(-)
+
+diff --git a/tools/testing/selftests/vm/compaction_test.c b/tools/testing/selftests/vm/compaction_test.c
+index f81931c1f8386..6aa6460b854ea 100644
+--- a/tools/testing/selftests/vm/compaction_test.c
++++ b/tools/testing/selftests/vm/compaction_test.c
+@@ -95,14 +95,15 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size)
+
+ fd = open("/proc/sys/vm/nr_hugepages", O_RDWR | O_NONBLOCK);
+ if (fd < 0) {
+- ksft_test_result_fail("Failed to open /proc/sys/vm/nr_hugepages: %s\n",
+- strerror(errno));
+- return -1;
++ ksft_print_msg("Failed to open /proc/sys/vm/nr_hugepages: %s\n",
++ strerror(errno));
++ ret = -1;
++ goto out;
+ }
+
+ if (read(fd, initial_nr_hugepages, sizeof(initial_nr_hugepages)) <= 0) {
+- ksft_test_result_fail("Failed to read from /proc/sys/vm/nr_hugepages: %s\n",
+- strerror(errno));
++ ksft_print_msg("Failed to read from /proc/sys/vm/nr_hugepages: %s\n",
++ strerror(errno));
+ goto close_fd;
+ }
+
+@@ -110,8 +111,8 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size)
+
+ /* Start with the initial condition of 0 huge pages*/
+ if (write(fd, "0", sizeof(char)) != sizeof(char)) {
+- ksft_test_result_fail("Failed to write 0 to /proc/sys/vm/nr_hugepages: %s\n",
+- strerror(errno));
++ ksft_print_msg("Failed to write 0 to /proc/sys/vm/nr_hugepages: %s\n",
++ strerror(errno));
+ goto close_fd;
+ }
+
+@@ -120,16 +121,16 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size)
+ /* Request a large number of huge pages. The Kernel will allocate
+ as much as it can */
+ if (write(fd, "100000", (6*sizeof(char))) != (6*sizeof(char))) {
+- ksft_test_result_fail("Failed to write 100000 to /proc/sys/vm/nr_hugepages: %s\n",
+- strerror(errno));
++ ksft_print_msg("Failed to write 100000 to /proc/sys/vm/nr_hugepages: %s\n",
++ strerror(errno));
+ goto close_fd;
+ }
+
+ lseek(fd, 0, SEEK_SET);
+
+ if (read(fd, nr_hugepages, sizeof(nr_hugepages)) <= 0) {
+- ksft_test_result_fail("Failed to re-read from /proc/sys/vm/nr_hugepages: %s\n",
+- strerror(errno));
++ ksft_print_msg("Failed to re-read from /proc/sys/vm/nr_hugepages: %s\n",
++ strerror(errno));
+ goto close_fd;
+ }
+
+@@ -141,24 +142,26 @@ int check_compaction(unsigned long mem_free, unsigned int hugepage_size)
+
+ if (write(fd, initial_nr_hugepages, strlen(initial_nr_hugepages))
+ != strlen(initial_nr_hugepages)) {
+- ksft_test_result_fail("Failed to write value to /proc/sys/vm/nr_hugepages: %s\n",
+- strerror(errno));
++ ksft_print_msg("Failed to write value to /proc/sys/vm/nr_hugepages: %s\n",
++ strerror(errno));
+ goto close_fd;
+ }
+
++ ksft_print_msg("Number of huge pages allocated = %d\n",
++ atoi(nr_hugepages));
++
+ if (compaction_index > 3) {
+ ksft_print_msg("ERROR: Less that 1/%d of memory is available\n"
+ "as huge pages\n", compaction_index);
+- ksft_test_result_fail("No of huge pages allocated = %d\n", (atoi(nr_hugepages)));
+ goto close_fd;
+ }
+
+- ksft_test_result_pass("Memory compaction succeeded. No of huge pages allocated = %d\n",
+- (atoi(nr_hugepages)));
+ ret = 0;
+
+ close_fd:
+ close(fd);
++ out:
++ ksft_test_result(ret == 0, "check_compaction\n");
+ return ret;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 8caf55f63a641ad26dbc95f25a4d9d3e1308b18b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 30 Apr 2024 16:04:30 -0400
+Subject: serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using
+ prescaler
+
+From: Hugo Villeneuve <hvilleneuve@dimonoff.com>
+
+[ Upstream commit 8492bd91aa055907c67ef04f2b56f6dadd1f44bf ]
+
+When using a high speed clock with a low baud rate, the 4x prescaler is
+automatically selected if required. In that case, sc16is7xx_set_baud()
+properly configures the chip registers, but returns an incorrect baud
+rate by not taking into account the prescaler value. This incorrect baud
+rate is then fed to uart_update_timeout().
+
+For example, with an input clock of 80MHz, and a selected baud rate of 50,
+sc16is7xx_set_baud() will return 200 instead of 50.
+
+Fix this by first changing the prescaler variable to hold the selected
+prescaler value instead of the MCR bitfield. Then properly take into
+account the selected prescaler value in the return value computation.
+
+Also add better documentation about the divisor value computation.
+
+Fixes: dfeae619d781 ("serial: sc16is7xx")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hugo Villeneuve <hvilleneuve@dimonoff.com>
+Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
+Link: https://lore.kernel.org/r/20240430200431.4102923-1-hugo@hugovil.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/sc16is7xx.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c
+index 25e625c2ee74b..d274a847c6ab3 100644
+--- a/drivers/tty/serial/sc16is7xx.c
++++ b/drivers/tty/serial/sc16is7xx.c
+@@ -490,16 +490,28 @@ static bool sc16is7xx_regmap_noinc(struct device *dev, unsigned int reg)
+ return reg == SC16IS7XX_RHR_REG;
+ }
+
++/*
++ * Configure programmable baud rate generator (divisor) according to the
++ * desired baud rate.
++ *
++ * From the datasheet, the divisor is computed according to:
++ *
++ * XTAL1 input frequency
++ * -----------------------
++ * prescaler
++ * divisor = ---------------------------
++ * baud-rate x sampling-rate
++ */
+ static int sc16is7xx_set_baud(struct uart_port *port, int baud)
+ {
+ struct sc16is7xx_port *s = dev_get_drvdata(port->dev);
+ u8 lcr;
+- u8 prescaler = 0;
++ unsigned int prescaler = 1;
+ unsigned long clk = port->uartclk, div = clk / 16 / baud;
+
+ if (div >= BIT(16)) {
+- prescaler = SC16IS7XX_MCR_CLKSEL_BIT;
+- div /= 4;
++ prescaler = 4;
++ div /= prescaler;
+ }
+
+ /* In an amazing feat of design, the Enhanced Features Register shares
+@@ -534,9 +546,10 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud)
+
+ mutex_unlock(&s->efr_lock);
+
++ /* If bit MCR_CLKSEL is set, the divide by 4 prescaler is activated. */
+ sc16is7xx_port_update(port, SC16IS7XX_MCR_REG,
+ SC16IS7XX_MCR_CLKSEL_BIT,
+- prescaler);
++ prescaler == 1 ? 0 : SC16IS7XX_MCR_CLKSEL_BIT);
+
+ /* Open the LCR divisors for configuration */
+ sc16is7xx_port_write(port, SC16IS7XX_LCR_REG,
+@@ -551,7 +564,7 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud)
+ /* Put LCR back to the normal mode */
+ sc16is7xx_port_write(port, SC16IS7XX_LCR_REG, lcr);
+
+- return DIV_ROUND_CLOSEST(clk / 16, div);
++ return DIV_ROUND_CLOSEST((clk / prescaler) / 16, div);
+ }
+
+ static void sc16is7xx_handle_rx(struct uart_port *port, unsigned int rxlen,
+--
+2.43.0
+
--- /dev/null
+From 33192d74cb6f30113e61243ae4fae4f917008d94 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Dec 2023 18:18:19 -0500
+Subject: serial: sc16is7xx: replace hardcoded divisor value with BIT() macro
+
+From: Hugo Villeneuve <hvilleneuve@dimonoff.com>
+
+[ Upstream commit 2e57cefc4477659527f7adab1f87cdbf60ef1ae6 ]
+
+To better show why the limit is what it is, since we have only 16 bits for
+the divisor.
+
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Suggested-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Signed-off-by: Hugo Villeneuve <hvilleneuve@dimonoff.com>
+Link: https://lore.kernel.org/r/20231221231823.2327894-13-hugo@hugovil.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 8492bd91aa05 ("serial: sc16is7xx: fix bug in sc16is7xx_set_baud() when using prescaler")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/sc16is7xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/sc16is7xx.c b/drivers/tty/serial/sc16is7xx.c
+index 35f8675db1d89..25e625c2ee74b 100644
+--- a/drivers/tty/serial/sc16is7xx.c
++++ b/drivers/tty/serial/sc16is7xx.c
+@@ -497,7 +497,7 @@ static int sc16is7xx_set_baud(struct uart_port *port, int baud)
+ u8 prescaler = 0;
+ unsigned long clk = port->uartclk, div = clk / 16 / baud;
+
+- if (div > 0xffff) {
++ if (div >= BIT(16)) {
+ prescaler = SC16IS7XX_MCR_CLKSEL_BIT;
+ div /= 4;
+ }
+--
+2.43.0
+
nfs-fix-undefined-behavior-in-nfs_block_bits.patch
nfs-fix-read_plus-when-server-doesn-t-support-op_read_plus.patch
scsi-ufs-ufs-qcom-clear-qunipro_g4_sel-for-hw-major-version-5.patch
+wifi-mac80211-mesh-fix-leak-of-mesh_preq_queue-objec.patch
+wifi-mac80211-fix-deadlock-in-ieee80211_sta_ps_deliv.patch
+wifi-cfg80211-lock-wiphy-in-cfg80211_get_station.patch
+wifi-cfg80211-pmsr-use-correct-nla_get_ux-functions.patch
+wifi-iwlwifi-mvm-revert-gen2-tx-a-mpdu-size-to-64.patch
+wifi-iwlwifi-dbg_ini-move-iwl_dbg_tlv_free-outside-o.patch
+wifi-iwlwifi-mvm-check-n_ssids-before-accessing-the-.patch
+wifi-iwlwifi-mvm-don-t-read-past-the-mfuart-notifcat.patch
+wifi-mac80211-correctly-parse-spatial-reuse-paramete.patch
+net-ncsi-simplify-kconfig-dts-control-flow.patch
+net-ncsi-fix-the-multi-thread-manner-of-ncsi-driver.patch
+ipv6-sr-block-bh-in-seg6_output_core-and-seg6_input_.patch
+bpf-set-run-context-for-rawtp-test_run-callback.patch
+octeontx2-af-always-allocate-pf-entries-from-low-pri.patch
+net-sched-sch_multiq-fix-possible-oob-write-in-multi.patch
+vxlan-fix-regression-when-dropping-packets-due-to-in.patch
+tcp-count-close-wait-sockets-for-tcp_mib_currestab.patch
+net-sched-taprio-always-validate-tca_taprio_attr_pri.patch
+ptp-fix-error-message-on-failed-pin-verification.patch
+af_unix-set-sk-sk_state-under-unix_state_lock-for-tr.patch
+af_unix-annodate-data-races-around-sk-sk_state-for-w.patch
+af_unix-annotate-data-race-of-sk-sk_state-in-unix_in.patch
+af_unix-annotate-data-races-around-sk-sk_state-in-un.patch
+net-inline-sock_prot_inuse_add.patch
+net-drop-nopreempt-requirement-on-sock_prot_inuse_ad.patch
+af_unix-use-offsetof-instead-of-sizeof.patch
+af_unix-pass-struct-sock-to-unix_autobind.patch
+af_unix-factorise-unix_find_other-based-on-address-t.patch
+af_unix-return-an-error-as-a-pointer-in-unix_find_ot.patch
+af_unix-cut-unix_validate_addr-out-of-unix_mkname.patch
+af_unix-copy-unix_mkname-into-unix_find_-bsd-abstrac.patch
+af_unix-clean-up-some-sock_net-uses.patch
+af_unix-annotate-data-race-of-sk-sk_state-in-unix_st.patch
+af_unix-annotate-data-races-around-sk-sk_state-in-se.patch
+af_unix-annotate-data-race-of-sk-sk_state-in-unix_st.patch-5290
+af_unix-annotate-data-races-around-sk-sk_state-in-un.patch-6162
+af_unix-annotate-data-race-of-net-unx.sysctl_max_dgr.patch
+af_unix-use-unix_recvq_full_lockless-in-unix_stream_.patch
+af_unix-annotate-lockless-accesses-to-sk-sk_err.patch
+af_unix-use-skb_queue_empty_lockless-in-unix_release.patch
+af_unix-use-skb_queue_len_lockless-in-sk_diag_show_r.patch
+af_unix-annotate-data-race-of-sk-sk_shutdown-in-sk_d.patch
+ipv6-fix-possible-race-in-__fib6_drop_pcpu_from.patch
+usb-gadget-f_fs-use-io_data-status-consistently.patch
+usb-gadget-f_fs-fix-race-between-aio_cancel-and-aio-.patch
+iio-accel-mxc4005-reset-chip-on-probe-and-resume.patch
+drm-amd-display-handle-y-carry-over-in-vcp-x.y-calcu.patch
+drm-amd-display-clean-up-some-inconsistent-indenting.patch
+drm-amd-display-drop-unnecessary-null-checks-in-debu.patch
+drm-amd-display-fix-incorrect-dsc-instance-for-mst.patch
+pvpanic-keep-single-style-across-modules.patch
+pvpanic-indentation-fixes-here-and-there.patch
+misc-pvpanic-deduplicate-common-code.patch
+misc-pvpanic-pci-register-attributes-via-pci_driver.patch
+skbuff-introduce-skb_pull_data.patch
+bluetooth-hci_qca-mark-of-related-data-as-maybe-unus.patch
+bluetooth-btqca-use-le32_to_cpu-for-ver.soc_id.patch
+bluetooth-btqca-add-wcn3988-support.patch
+bluetooth-qca-use-switch-case-for-soc-type-behavior.patch
+bluetooth-qca-add-support-for-qca2066.patch
+bluetooth-qca-fix-info-leak-when-fetching-fw-build-i.patch
+serial-sc16is7xx-replace-hardcoded-divisor-value-wit.patch
+serial-sc16is7xx-fix-bug-in-sc16is7xx_set_baud-when-.patch
+x86-ibt-ftrace-search-for-__fentry__-location.patch
+ftrace-fix-possible-use-after-free-issue-in-ftrace_l.patch
+mmc-davinci_mmc-convert-to-platform-remove-callback-.patch
+mmc-davinci-don-t-strip-remove-function-when-driver-.patch
+mm-mprotect-use-mmu_gather.patch
+mm-mprotect-do-not-flush-when-not-required-architect.patch
+mm-avoid-unnecessary-flush-on-change_huge_pmd.patch
+mm-fix-race-between-__split_huge_pmd_locked-and-gup-.patch
+i2c-add-fwnode-apis.patch
+i2c-acpi-unbind-mux-adapters-before-delete.patch
+cma-factor-out-minimum-alignment-requirement.patch
+mm-cma-drop-incorrect-alignment-check-in-cma_init_re.patch
+selftests-mm-compaction_test-fix-incorrect-write-of-.patch
+selftests-mm-conform-test-to-tap-format-output.patch
+selftests-mm-log-a-consistent-test-name-for-check_co.patch
+selftests-mm-compaction_test-fix-bogus-test-success-.patch
+wifi-ath10k-store-wlan-firmware-version-in-smem-imag.patch
+wifi-ath10k-fix-qcom_smem-dependency.patch
+wifi-ath10k-fix-qcom_rproc_common-dependency.patch
+btrfs-fix-leak-of-qgroup-extent-records-after-transa.patch
+nilfs2-remove-check-for-pageerror.patch
+nilfs2-return-the-mapped-address-from-nilfs_get_page.patch
+nilfs2-fix-nilfs_empty_dir-misjudgment-and-long-loop.patch
--- /dev/null
+From 2d4f94517222d0fa628417ac8333611548ca21fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Dec 2021 10:54:52 -0800
+Subject: skbuff: introduce skb_pull_data
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 13244cccc2b61ec715f0ac583d3037497004d4a5 ]
+
+Like skb_pull but returns the original data pointer before pulling the
+data after performing a check against sbk->len.
+
+This allows to change code that does "struct foo *p = (void *)skb->data;"
+which is hard to audit and error prone, to:
+
+ p = skb_pull_data(skb, sizeof(*p));
+ if (!p)
+ return;
+
+Which is both safer and cleaner.
+
+Acked-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Stable-dep-of: cda0d6a198e2 ("Bluetooth: qca: fix info leak when fetching fw build id")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/skbuff.h | 2 ++
+ net/core/skbuff.c | 24 ++++++++++++++++++++++++
+ 2 files changed, 26 insertions(+)
+
+diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
+index 15de91c65a09a..b230c422dc3b9 100644
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -2447,6 +2447,8 @@ static inline void *skb_pull_inline(struct sk_buff *skb, unsigned int len)
+ return unlikely(len > skb->len) ? NULL : __skb_pull(skb, len);
+ }
+
++void *skb_pull_data(struct sk_buff *skb, size_t len);
++
+ void *__pskb_pull_tail(struct sk_buff *skb, int delta);
+
+ static inline void *__pskb_pull(struct sk_buff *skb, unsigned int len)
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index 4ec8cfd357eba..17073429cc365 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -2071,6 +2071,30 @@ void *skb_pull(struct sk_buff *skb, unsigned int len)
+ }
+ EXPORT_SYMBOL(skb_pull);
+
++/**
++ * skb_pull_data - remove data from the start of a buffer returning its
++ * original position.
++ * @skb: buffer to use
++ * @len: amount of data to remove
++ *
++ * This function removes data from the start of a buffer, returning
++ * the memory to the headroom. A pointer to the original data in the buffer
++ * is returned after checking if there is enough data to pull. Once the
++ * data has been pulled future pushes will overwrite the old data.
++ */
++void *skb_pull_data(struct sk_buff *skb, size_t len)
++{
++ void *data = skb->data;
++
++ if (skb->len < len)
++ return NULL;
++
++ skb_pull(skb, len);
++
++ return data;
++}
++EXPORT_SYMBOL(skb_pull_data);
++
+ /**
+ * skb_trim - remove end from a buffer
+ * @skb: buffer to alter
+--
+2.43.0
+
--- /dev/null
+From bd1a843eb8e9bc02a9d6eb451012475bcef63b78 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Jun 2024 01:02:16 +0800
+Subject: tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB
+
+From: Jason Xing <kernelxing@tencent.com>
+
+[ Upstream commit a46d0ea5c94205f40ecf912d1bb7806a8a64704f ]
+
+According to RFC 1213, we should also take CLOSE-WAIT sockets into
+consideration:
+
+ "tcpCurrEstab OBJECT-TYPE
+ ...
+ The number of TCP connections for which the current state
+ is either ESTABLISHED or CLOSE- WAIT."
+
+After this, CurrEstab counter will display the total number of
+ESTABLISHED and CLOSE-WAIT sockets.
+
+The logic of counting
+When we increment the counter?
+a) if we change the state to ESTABLISHED.
+b) if we change the state from SYN-RECEIVED to CLOSE-WAIT.
+
+When we decrement the counter?
+a) if the socket leaves ESTABLISHED and will never go into CLOSE-WAIT,
+say, on the client side, changing from ESTABLISHED to FIN-WAIT-1.
+b) if the socket leaves CLOSE-WAIT, say, on the server side, changing
+from CLOSE-WAIT to LAST-ACK.
+
+Please note: there are two chances that old state of socket can be changed
+to CLOSE-WAIT in tcp_fin(). One is SYN-RECV, the other is ESTABLISHED.
+So we have to take care of the former case.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jason Xing <kernelxing@tencent.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 9c7998377d6bd..31c572882b41f 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2619,6 +2619,10 @@ void tcp_set_state(struct sock *sk, int state)
+ if (oldstate != TCP_ESTABLISHED)
+ TCP_INC_STATS(sock_net(sk), TCP_MIB_CURRESTAB);
+ break;
++ case TCP_CLOSE_WAIT:
++ if (oldstate == TCP_SYN_RECV)
++ TCP_INC_STATS(sock_net(sk), TCP_MIB_CURRESTAB);
++ break;
+
+ case TCP_CLOSE:
+ if (oldstate == TCP_CLOSE_WAIT || oldstate == TCP_ESTABLISHED)
+@@ -2630,7 +2634,7 @@ void tcp_set_state(struct sock *sk, int state)
+ inet_put_port(sk);
+ fallthrough;
+ default:
+- if (oldstate == TCP_ESTABLISHED)
++ if (oldstate == TCP_ESTABLISHED || oldstate == TCP_CLOSE_WAIT)
+ TCP_DEC_STATS(sock_net(sk), TCP_MIB_CURRESTAB);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 2ad8b03cc0c9d860a128967ac53f5515871ca327 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 8 Apr 2024 18:40:59 -0700
+Subject: usb: gadget: f_fs: Fix race between aio_cancel() and AIO request
+ complete
+
+From: Wesley Cheng <quic_wcheng@quicinc.com>
+
+[ Upstream commit 24729b307eefcd7c476065cd7351c1a018082c19 ]
+
+FFS based applications can utilize the aio_cancel() callback to dequeue
+pending USB requests submitted to the UDC. There is a scenario where the
+FFS application issues an AIO cancel call, while the UDC is handling a
+soft disconnect. For a DWC3 based implementation, the callstack looks
+like the following:
+
+ DWC3 Gadget FFS Application
+dwc3_gadget_soft_disconnect() ...
+ --> dwc3_stop_active_transfers()
+ --> dwc3_gadget_giveback(-ESHUTDOWN)
+ --> ffs_epfile_async_io_complete() ffs_aio_cancel()
+ --> usb_ep_free_request() --> usb_ep_dequeue()
+
+There is currently no locking implemented between the AIO completion
+handler and AIO cancel, so the issue occurs if the completion routine is
+running in parallel to an AIO cancel call coming from the FFS application.
+As the completion call frees the USB request (io_data->req) the FFS
+application is also referencing it for the usb_ep_dequeue() call. This can
+lead to accessing a stale/hanging pointer.
+
+commit b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently")
+relocated the usb_ep_free_request() into ffs_epfile_async_io_complete().
+However, in order to properly implement locking to mitigate this issue, the
+spinlock can't be added to ffs_epfile_async_io_complete(), as
+usb_ep_dequeue() (if successfully dequeuing a USB request) will call the
+function driver's completion handler in the same context. Hence, leading
+into a deadlock.
+
+Fix this issue by moving the usb_ep_free_request() back to
+ffs_user_copy_worker(), and ensuring that it explicitly sets io_data->req
+to NULL after freeing it within the ffs->eps_lock. This resolves the race
+condition above, as the ffs_aio_cancel() routine will not continue
+attempting to dequeue a request that has already been freed, or the
+ffs_user_copy_work() not freeing the USB request until the AIO cancel is
+done referencing it.
+
+This fix depends on
+ commit b566d38857fc ("usb: gadget: f_fs: use io_data->status
+ consistently")
+
+Fixes: 2e4c7553cd6f ("usb: gadget: f_fs: add aio support")
+Cc: stable <stable@kernel.org> # b566d38857fc ("usb: gadget: f_fs: use io_data->status consistently")
+Signed-off-by: Wesley Cheng <quic_wcheng@quicinc.com>
+Link: https://lore.kernel.org/r/20240409014059.6740-1-quic_wcheng@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_fs.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
+index 37d18e27ddc64..ad858044e0bfd 100644
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -832,6 +832,7 @@ static void ffs_user_copy_worker(struct work_struct *work)
+ work);
+ int ret = io_data->status;
+ bool kiocb_has_eventfd = io_data->kiocb->ki_flags & IOCB_EVENTFD;
++ unsigned long flags;
+
+ if (io_data->read && ret > 0) {
+ kthread_use_mm(io_data->mm);
+@@ -844,6 +845,11 @@ static void ffs_user_copy_worker(struct work_struct *work)
+ if (io_data->ffs->ffs_eventfd && !kiocb_has_eventfd)
+ eventfd_signal(io_data->ffs->ffs_eventfd, 1);
+
++ spin_lock_irqsave(&io_data->ffs->eps_lock, flags);
++ usb_ep_free_request(io_data->ep, io_data->req);
++ io_data->req = NULL;
++ spin_unlock_irqrestore(&io_data->ffs->eps_lock, flags);
++
+ if (io_data->read)
+ kfree(io_data->to_free);
+ ffs_free_buffer(io_data);
+@@ -859,7 +865,6 @@ static void ffs_epfile_async_io_complete(struct usb_ep *_ep,
+ ENTER();
+
+ io_data->status = req->status ? req->status : req->actual;
+- usb_ep_free_request(_ep, req);
+
+ INIT_WORK(&io_data->work, ffs_user_copy_worker);
+ queue_work(ffs->io_completion_wq, &io_data->work);
+--
+2.43.0
+
--- /dev/null
+From b9cb2103b4d487c469b2b22b29d80343f0db2928 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Nov 2022 17:04:28 +0000
+Subject: usb: gadget: f_fs: use io_data->status consistently
+
+From: John Keeping <john@metanate.com>
+
+[ Upstream commit b566d38857fcb6777f25b674b90a831eec0817a2 ]
+
+Commit fb1f16d74e26 ("usb: gadget: f_fs: change ep->status safe in
+ffs_epfile_io()") added a new ffs_io_data::status field to fix lifetime
+issues in synchronous requests.
+
+While there are no similar lifetime issues for asynchronous requests
+(the separate ep member in ffs_io_data avoids them) using the status
+field means the USB request can be freed earlier and that there is more
+consistency between the synchronous and asynchronous I/O paths.
+
+Cc: Linyu Yuan <quic_linyyuan@quicinc.com>
+Signed-off-by: John Keeping <john@metanate.com>
+Reviewed-by: Linyu Yuan <quic_linyyuan@quicinc.com>
+Link: https://lore.kernel.org/r/20221124170430.3998755-1-john@metanate.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 24729b307eef ("usb: gadget: f_fs: Fix race between aio_cancel() and AIO request complete")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_fs.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
+index a4367a43cdd87..37d18e27ddc64 100644
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -830,8 +830,7 @@ static void ffs_user_copy_worker(struct work_struct *work)
+ {
+ struct ffs_io_data *io_data = container_of(work, struct ffs_io_data,
+ work);
+- int ret = io_data->req->status ? io_data->req->status :
+- io_data->req->actual;
++ int ret = io_data->status;
+ bool kiocb_has_eventfd = io_data->kiocb->ki_flags & IOCB_EVENTFD;
+
+ if (io_data->read && ret > 0) {
+@@ -845,8 +844,6 @@ static void ffs_user_copy_worker(struct work_struct *work)
+ if (io_data->ffs->ffs_eventfd && !kiocb_has_eventfd)
+ eventfd_signal(io_data->ffs->ffs_eventfd, 1);
+
+- usb_ep_free_request(io_data->ep, io_data->req);
+-
+ if (io_data->read)
+ kfree(io_data->to_free);
+ ffs_free_buffer(io_data);
+@@ -861,6 +858,9 @@ static void ffs_epfile_async_io_complete(struct usb_ep *_ep,
+
+ ENTER();
+
++ io_data->status = req->status ? req->status : req->actual;
++ usb_ep_free_request(_ep, req);
++
+ INIT_WORK(&io_data->work, ffs_user_copy_worker);
+ queue_work(ffs->io_completion_wq, &io_data->work);
+ }
+--
+2.43.0
+
--- /dev/null
+From 347d5f5211f188728422fcaa093770a7d47d5931 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Jun 2024 10:59:26 +0200
+Subject: vxlan: Fix regression when dropping packets due to invalid src
+ addresses
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+[ Upstream commit 1cd4bc987abb2823836cbb8f887026011ccddc8a ]
+
+Commit f58f45c1e5b9 ("vxlan: drop packets from invalid src-address")
+has recently been added to vxlan mainly in the context of source
+address snooping/learning so that when it is enabled, an entry in the
+FDB is not being created for an invalid address for the corresponding
+tunnel endpoint.
+
+Before commit f58f45c1e5b9 vxlan was similarly behaving as geneve in
+that it passed through whichever macs were set in the L2 header. It
+turns out that this change in behavior breaks setups, for example,
+Cilium with netkit in L3 mode for Pods as well as tunnel mode has been
+passing before the change in f58f45c1e5b9 for both vxlan and geneve.
+After mentioned change it is only passing for geneve as in case of
+vxlan packets are dropped due to vxlan_set_mac() returning false as
+source and destination macs are zero which for E/W traffic via tunnel
+is totally fine.
+
+Fix it by only opting into the is_valid_ether_addr() check in
+vxlan_set_mac() when in fact source address snooping/learning is
+actually enabled in vxlan. This is done by moving the check into
+vxlan_snoop(). With this change, the Cilium connectivity test suite
+passes again for both tunnel flavors.
+
+Fixes: f58f45c1e5b9 ("vxlan: drop packets from invalid src-address")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Cc: David Bauer <mail@david-bauer.net>
+Cc: Ido Schimmel <idosch@nvidia.com>
+Cc: Nikolay Aleksandrov <razor@blackwall.org>
+Cc: Martin KaFai Lau <martin.lau@kernel.org>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
+Reviewed-by: David Bauer <mail@david-bauer.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vxlan/vxlan_core.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c
+index 41b1b23fdd3e9..65a2f4ab89970 100644
+--- a/drivers/net/vxlan/vxlan_core.c
++++ b/drivers/net/vxlan/vxlan_core.c
+@@ -1493,6 +1493,10 @@ static bool vxlan_snoop(struct net_device *dev,
+ struct vxlan_fdb *f;
+ u32 ifindex = 0;
+
++ /* Ignore packets from invalid src-address */
++ if (!is_valid_ether_addr(src_mac))
++ return true;
++
+ #if IS_ENABLED(CONFIG_IPV6)
+ if (src_ip->sa.sa_family == AF_INET6 &&
+ (ipv6_addr_type(&src_ip->sin6.sin6_addr) & IPV6_ADDR_LINKLOCAL))
+--
+2.43.0
+
--- /dev/null
+From 007ce78d1573733ad037be53635cf0f2ab6c9ff8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 May 2024 10:00:28 +0300
+Subject: wifi: ath10k: fix QCOM_RPROC_COMMON dependency
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 21ae74e1bf18331ae5e279bd96304b3630828009 ]
+
+If ath10k_snoc is built-in, while Qualcomm remoteprocs are built as
+modules, compilation fails with:
+
+/usr/bin/aarch64-linux-gnu-ld: drivers/net/wireless/ath/ath10k/snoc.o: in function `ath10k_modem_init':
+drivers/net/wireless/ath/ath10k/snoc.c:1534: undefined reference to `qcom_register_ssr_notifier'
+/usr/bin/aarch64-linux-gnu-ld: drivers/net/wireless/ath/ath10k/snoc.o: in function `ath10k_modem_deinit':
+drivers/net/wireless/ath/ath10k/snoc.c:1551: undefined reference to `qcom_unregister_ssr_notifier'
+
+Add corresponding dependency to ATH10K_SNOC Kconfig entry so that it's
+built as module if QCOM_RPROC_COMMON is built as module too.
+
+Fixes: 747ff7d3d742 ("ath10k: Don't always treat modem stop events as crashes")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://msgid.link/20240511-ath10k-snoc-dep-v1-1-9666e3af5c27@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/Kconfig b/drivers/net/wireless/ath/ath10k/Kconfig
+index e6ea884cafc19..4f385f4a8cef2 100644
+--- a/drivers/net/wireless/ath/ath10k/Kconfig
++++ b/drivers/net/wireless/ath/ath10k/Kconfig
+@@ -45,6 +45,7 @@ config ATH10K_SNOC
+ depends on ATH10K
+ depends on ARCH_QCOM || COMPILE_TEST
+ depends on QCOM_SMEM
++ depends on QCOM_RPROC_COMMON || QCOM_RPROC_COMMON=n
+ select QCOM_SCM
+ select QCOM_QMI_HELPERS
+ help
+--
+2.43.0
+
--- /dev/null
+From 12b52b078e5bfd61b72af37318d48c6d850cce63 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Dec 2022 12:30:27 +0200
+Subject: wifi: ath10k: fix QCOM_SMEM dependency
+
+From: Kalle Valo <quic_kvalo@quicinc.com>
+
+[ Upstream commit d03407183d97554dfffea70f385b5bdd520f846c ]
+
+Nathan noticed that when HWSPINLOCK is disabled there's a Kconfig warning:
+
+ WARNING: unmet direct dependencies detected for QCOM_SMEM
+ Depends on [n]: (ARCH_QCOM [=y] || COMPILE_TEST [=n]) && HWSPINLOCK [=n]
+ Selected by [m]:
+ - ATH10K_SNOC [=m] && NETDEVICES [=y] && WLAN [=y] && WLAN_VENDOR_ATH [=y] && ATH10K [=m] && (ARCH_QCOM [=y] || COMPILE_TEST [=n])
+
+The problem here is that QCOM_SMEM depends on HWSPINLOCK so we cannot select
+QCOM_SMEM and instead we neeed to use 'depends on'.
+
+Reported-by: Nathan Chancellor <nathan@kernel.org>
+Link: https://lore.kernel.org/all/Y4YsyaIW+CPdHWv3@dev-arch.thelio-3990X/
+Fixes: 4d79f6f34bbb ("wifi: ath10k: Store WLAN firmware version in SMEM image table")
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20221202103027.25974-1-kvalo@kernel.org
+Stable-dep-of: 21ae74e1bf18 ("wifi: ath10k: fix QCOM_RPROC_COMMON dependency")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/Kconfig b/drivers/net/wireless/ath/ath10k/Kconfig
+index e0a51dad8e420..e6ea884cafc19 100644
+--- a/drivers/net/wireless/ath/ath10k/Kconfig
++++ b/drivers/net/wireless/ath/ath10k/Kconfig
+@@ -44,7 +44,7 @@ config ATH10K_SNOC
+ tristate "Qualcomm ath10k SNOC support"
+ depends on ATH10K
+ depends on ARCH_QCOM || COMPILE_TEST
+- select QCOM_SMEM
++ depends on QCOM_SMEM
+ select QCOM_SCM
+ select QCOM_QMI_HELPERS
+ help
+--
+2.43.0
+
--- /dev/null
+From a54a8f74e25cdef2f972684f063bd23c9b4bab95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Nov 2022 23:35:34 +0530
+Subject: wifi: ath10k: Store WLAN firmware version in SMEM image table
+
+From: Youghandhar Chintala <quic_youghand@quicinc.com>
+
+[ Upstream commit 4d79f6f34bbb01c6715b31ef457d5ab0390501a1 ]
+
+In a SoC based solution, it would be useful to know the versions of the
+various binary firmware blobs the system is running on. On a QCOM based
+SoC, this info can be obtained from socinfo debugfs infrastructure. For
+this to work, respective subsystem drivers have to export the firmware
+version information to an SMEM based version information table.
+
+Having firmware version information at one place will help quickly
+figure out the firmware versions of various subsystems on the device
+instead of going through builds/logs in an event of a system crash.
+
+Fill WLAN firmware version information in SMEM version table to be
+printed as part of socinfo debugfs infrastructure on a Qualcomm based
+SoC.
+
+This change is applicable only for SNOC/QMI based targets.
+
+Example:
+cat /sys/kernel/debug/qcom_socinfo/cnss/name
+QC_IMAGE_VERSION_STRING=WLAN.HL.3.2.2.c10-00754-QCAHLSWMTPL-1
+
+Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.3.2.2.c10-00754-QCAHLSWMTPL-1
+
+Signed-off-by: Youghandhar Chintala <quic_youghand@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20221117180534.2267-1-quic_youghand@quicinc.com
+Stable-dep-of: 21ae74e1bf18 ("wifi: ath10k: fix QCOM_RPROC_COMMON dependency")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/Kconfig | 1 +
+ drivers/net/wireless/ath/ath10k/qmi.c | 35 +++++++++++++++++++++++++
+ 2 files changed, 36 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath10k/Kconfig b/drivers/net/wireless/ath/ath10k/Kconfig
+index ca007b800f756..e0a51dad8e420 100644
+--- a/drivers/net/wireless/ath/ath10k/Kconfig
++++ b/drivers/net/wireless/ath/ath10k/Kconfig
+@@ -44,6 +44,7 @@ config ATH10K_SNOC
+ tristate "Qualcomm ath10k SNOC support"
+ depends on ATH10K
+ depends on ARCH_QCOM || COMPILE_TEST
++ select QCOM_SMEM
+ select QCOM_SCM
+ select QCOM_QMI_HELPERS
+ help
+diff --git a/drivers/net/wireless/ath/ath10k/qmi.c b/drivers/net/wireless/ath/ath10k/qmi.c
+index 80fcb917fe4e1..22bd97d434cc9 100644
+--- a/drivers/net/wireless/ath/ath10k/qmi.c
++++ b/drivers/net/wireless/ath/ath10k/qmi.c
+@@ -14,6 +14,7 @@
+ #include <linux/net.h>
+ #include <linux/platform_device.h>
+ #include <linux/qcom_scm.h>
++#include <linux/soc/qcom/smem.h>
+ #include <linux/string.h>
+ #include <net/sock.h>
+
+@@ -22,6 +23,10 @@
+
+ #define ATH10K_QMI_CLIENT_ID 0x4b4e454c
+ #define ATH10K_QMI_TIMEOUT 30
++#define SMEM_IMAGE_VERSION_TABLE 469
++#define SMEM_IMAGE_TABLE_CNSS_INDEX 13
++#define SMEM_IMAGE_VERSION_ENTRY_SIZE 128
++#define SMEM_IMAGE_VERSION_NAME_SIZE 75
+
+ static int ath10k_qmi_map_msa_permission(struct ath10k_qmi *qmi,
+ struct ath10k_msa_mem_info *mem_info)
+@@ -536,6 +541,33 @@ int ath10k_qmi_wlan_disable(struct ath10k *ar)
+ return ath10k_qmi_mode_send_sync_msg(ar, QMI_WLFW_OFF_V01);
+ }
+
++static void ath10k_qmi_add_wlan_ver_smem(struct ath10k *ar, const char *fw_build_id)
++{
++ u8 *table_ptr;
++ size_t smem_item_size;
++ const u32 smem_img_idx_wlan = SMEM_IMAGE_TABLE_CNSS_INDEX *
++ SMEM_IMAGE_VERSION_ENTRY_SIZE;
++
++ table_ptr = qcom_smem_get(QCOM_SMEM_HOST_ANY,
++ SMEM_IMAGE_VERSION_TABLE,
++ &smem_item_size);
++
++ if (IS_ERR(table_ptr)) {
++ ath10k_err(ar, "smem image version table not found\n");
++ return;
++ }
++
++ if (smem_img_idx_wlan + SMEM_IMAGE_VERSION_ENTRY_SIZE >
++ smem_item_size) {
++ ath10k_err(ar, "smem block size too small: %zu\n",
++ smem_item_size);
++ return;
++ }
++
++ strscpy(table_ptr + smem_img_idx_wlan, fw_build_id,
++ SMEM_IMAGE_VERSION_NAME_SIZE);
++}
++
+ static int ath10k_qmi_cap_send_sync_msg(struct ath10k_qmi *qmi)
+ {
+ struct wlfw_cap_resp_msg_v01 *resp;
+@@ -606,6 +638,9 @@ static int ath10k_qmi_cap_send_sync_msg(struct ath10k_qmi *qmi)
+ qmi->fw_version, qmi->fw_build_timestamp, qmi->fw_build_id);
+ }
+
++ if (resp->fw_build_id_valid)
++ ath10k_qmi_add_wlan_ver_smem(ar, qmi->fw_build_id);
++
+ kfree(resp);
+ return 0;
+
+--
+2.43.0
+
--- /dev/null
+From a54a4bdf1179814d1e07117f7184a40be1b736ee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 May 2024 21:47:26 +0200
+Subject: wifi: cfg80211: Lock wiphy in cfg80211_get_station
+
+From: Remi Pommarel <repk@triplefau.lt>
+
+[ Upstream commit 642f89daa34567d02f312d03e41523a894906dae ]
+
+Wiphy should be locked before calling rdev_get_station() (see lockdep
+assert in ieee80211_get_station()).
+
+This fixes the following kernel NULL dereference:
+
+ Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050
+ Mem abort info:
+ ESR = 0x0000000096000006
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ FSC = 0x06: level 2 translation fault
+ Data abort info:
+ ISV = 0, ISS = 0x00000006
+ CM = 0, WnR = 0
+ user pgtable: 4k pages, 48-bit VAs, pgdp=0000000003001000
+ [0000000000000050] pgd=0800000002dca003, p4d=0800000002dca003, pud=08000000028e9003, pmd=0000000000000000
+ Internal error: Oops: 0000000096000006 [#1] SMP
+ Modules linked in: netconsole dwc3_meson_g12a dwc3_of_simple dwc3 ip_gre gre ath10k_pci ath10k_core ath9k ath9k_common ath9k_hw ath
+ CPU: 0 PID: 1091 Comm: kworker/u8:0 Not tainted 6.4.0-02144-g565f9a3a7911-dirty #705
+ Hardware name: RPT (r1) (DT)
+ Workqueue: bat_events batadv_v_elp_throughput_metric_update
+ pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : ath10k_sta_statistics+0x10/0x2dc [ath10k_core]
+ lr : sta_set_sinfo+0xcc/0xbd4
+ sp : ffff000007b43ad0
+ x29: ffff000007b43ad0 x28: ffff0000071fa900 x27: ffff00000294ca98
+ x26: ffff000006830880 x25: ffff000006830880 x24: ffff00000294c000
+ x23: 0000000000000001 x22: ffff000007b43c90 x21: ffff800008898acc
+ x20: ffff00000294c6e8 x19: ffff000007b43c90 x18: 0000000000000000
+ x17: 445946354d552d78 x16: 62661f7200000000 x15: 57464f445946354d
+ x14: 0000000000000000 x13: 00000000000000e3 x12: d5f0acbcebea978e
+ x11: 00000000000000e3 x10: 000000010048fe41 x9 : 0000000000000000
+ x8 : ffff000007b43d90 x7 : 000000007a1e2125 x6 : 0000000000000000
+ x5 : ffff0000024e0900 x4 : ffff800000a0250c x3 : ffff000007b43c90
+ x2 : ffff00000294ca98 x1 : ffff000006831920 x0 : 0000000000000000
+ Call trace:
+ ath10k_sta_statistics+0x10/0x2dc [ath10k_core]
+ sta_set_sinfo+0xcc/0xbd4
+ ieee80211_get_station+0x2c/0x44
+ cfg80211_get_station+0x80/0x154
+ batadv_v_elp_get_throughput+0x138/0x1fc
+ batadv_v_elp_throughput_metric_update+0x1c/0xa4
+ process_one_work+0x1ec/0x414
+ worker_thread+0x70/0x46c
+ kthread+0xdc/0xe0
+ ret_from_fork+0x10/0x20
+ Code: a9bb7bfd 910003fd a90153f3 f9411c40 (f9402814)
+
+This happens because STA has time to disconnect and reconnect before
+batadv_v_elp_throughput_metric_update() delayed work gets scheduled. In
+this situation, ath10k_sta_state() can be in the middle of resetting
+arsta data when the work queue get chance to be scheduled and ends up
+accessing it. Locking wiphy prevents that.
+
+Fixes: 7406353d43c8 ("cfg80211: implement cfg80211_get_station cfg80211 API")
+Signed-off-by: Remi Pommarel <repk@triplefau.lt>
+Reviewed-by: Nicolas Escande <nico.escande@gmail.com>
+Acked-by: Antonio Quartulli <a@unstable.cc>
+Link: https://msgid.link/983b24a6a176e0800c01aedcd74480d9b551cb13.1716046653.git.repk@triplefau.lt
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/util.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/net/wireless/util.c b/net/wireless/util.c
+index cb15d7f4eb05a..d40c2cf777dc0 100644
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -2033,6 +2033,7 @@ int cfg80211_get_station(struct net_device *dev, const u8 *mac_addr,
+ {
+ struct cfg80211_registered_device *rdev;
+ struct wireless_dev *wdev;
++ int ret;
+
+ wdev = dev->ieee80211_ptr;
+ if (!wdev)
+@@ -2044,7 +2045,11 @@ int cfg80211_get_station(struct net_device *dev, const u8 *mac_addr,
+
+ memset(sinfo, 0, sizeof(*sinfo));
+
+- return rdev_get_station(rdev, dev, mac_addr, sinfo);
++ wiphy_lock(&rdev->wiphy);
++ ret = rdev_get_station(rdev, dev, mac_addr, sinfo);
++ wiphy_unlock(&rdev->wiphy);
++
++ return ret;
+ }
+ EXPORT_SYMBOL(cfg80211_get_station);
+
+--
+2.43.0
+
--- /dev/null
+From 48052b5da2a3440cd9119e4c0aef05bed91e3e50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 May 2024 15:50:59 +0800
+Subject: wifi: cfg80211: pmsr: use correct nla_get_uX functions
+
+From: Lin Ma <linma@zju.edu.cn>
+
+[ Upstream commit ab904521f4de52fef4f179d2dfc1877645ef5f5c ]
+
+The commit 9bb7e0f24e7e ("cfg80211: add peer measurement with FTM
+initiator API") defines four attributes NL80211_PMSR_FTM_REQ_ATTR_
+{NUM_BURSTS_EXP}/{BURST_PERIOD}/{BURST_DURATION}/{FTMS_PER_BURST} in
+following ways.
+
+static const struct nla_policy
+nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
+ ...
+ [NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP] =
+ NLA_POLICY_MAX(NLA_U8, 15),
+ [NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD] = { .type = NLA_U16 },
+ [NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
+ NLA_POLICY_MAX(NLA_U8, 15),
+ [NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
+ NLA_POLICY_MAX(NLA_U8, 31),
+ ...
+};
+
+That is, those attributes are expected to be NLA_U8 and NLA_U16 types.
+However, the consumers of these attributes in `pmsr_parse_ftm` blindly
+all use `nla_get_u32`, which is incorrect and causes functionality issues
+on little-endian platforms. Hence, fix them with the correct `nla_get_u8`
+and `nla_get_u16` functions.
+
+Fixes: 9bb7e0f24e7e ("cfg80211: add peer measurement with FTM initiator API")
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Link: https://msgid.link/20240521075059.47999-1-linma@zju.edu.cn
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/pmsr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/wireless/pmsr.c b/net/wireless/pmsr.c
+index 328cf54bda826..65fa39275f73f 100644
+--- a/net/wireless/pmsr.c
++++ b/net/wireless/pmsr.c
+@@ -58,7 +58,7 @@ static int pmsr_parse_ftm(struct cfg80211_registered_device *rdev,
+ out->ftm.burst_period = 0;
+ if (tb[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD])
+ out->ftm.burst_period =
+- nla_get_u32(tb[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD]);
++ nla_get_u16(tb[NL80211_PMSR_FTM_REQ_ATTR_BURST_PERIOD]);
+
+ out->ftm.asap = !!tb[NL80211_PMSR_FTM_REQ_ATTR_ASAP];
+ if (out->ftm.asap && !capa->ftm.asap) {
+@@ -77,7 +77,7 @@ static int pmsr_parse_ftm(struct cfg80211_registered_device *rdev,
+ out->ftm.num_bursts_exp = 0;
+ if (tb[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP])
+ out->ftm.num_bursts_exp =
+- nla_get_u32(tb[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP]);
++ nla_get_u8(tb[NL80211_PMSR_FTM_REQ_ATTR_NUM_BURSTS_EXP]);
+
+ if (capa->ftm.max_bursts_exponent >= 0 &&
+ out->ftm.num_bursts_exp > capa->ftm.max_bursts_exponent) {
+@@ -90,7 +90,7 @@ static int pmsr_parse_ftm(struct cfg80211_registered_device *rdev,
+ out->ftm.burst_duration = 15;
+ if (tb[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION])
+ out->ftm.burst_duration =
+- nla_get_u32(tb[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION]);
++ nla_get_u8(tb[NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION]);
+
+ out->ftm.ftms_per_burst = 0;
+ if (tb[NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST])
+@@ -109,7 +109,7 @@ static int pmsr_parse_ftm(struct cfg80211_registered_device *rdev,
+ out->ftm.ftmr_retries = 3;
+ if (tb[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES])
+ out->ftm.ftmr_retries =
+- nla_get_u32(tb[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES]);
++ nla_get_u8(tb[NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES]);
+
+ out->ftm.request_lci = !!tb[NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI];
+ if (out->ftm.request_lci && !capa->ftm.request_lci) {
+--
+2.43.0
+
--- /dev/null
+From b8239fdc32879358756bf6bd00e43f9866554f0d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 May 2024 17:06:39 +0300
+Subject: wifi: iwlwifi: dbg_ini: move iwl_dbg_tlv_free outside of debugfs
+ ifdef
+
+From: Shahar S Matityahu <shahar.s.matityahu@intel.com>
+
+[ Upstream commit 87821b67dea87addbc4ab093ba752753b002176a ]
+
+The driver should call iwl_dbg_tlv_free even if debugfs is not defined
+since ini mode does not depend on debugfs ifdef.
+
+Fixes: 68f6f492c4fa ("iwlwifi: trans: support loading ini TLVs from external file")
+Signed-off-by: Shahar S Matityahu <shahar.s.matityahu@intel.com>
+Reviewed-by: Luciano Coelho <luciano.coelho@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://msgid.link/20240510170500.c8e3723f55b0.I5e805732b0be31ee6b83c642ec652a34e974ff10@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
+index 524b0ad873578..afa89deb7bc3a 100644
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
++++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
+@@ -1667,8 +1667,8 @@ struct iwl_drv *iwl_drv_start(struct iwl_trans *trans)
+ err_fw:
+ #ifdef CONFIG_IWLWIFI_DEBUGFS
+ debugfs_remove_recursive(drv->dbgfs_drv);
+- iwl_dbg_tlv_free(drv->trans);
+ #endif
++ iwl_dbg_tlv_free(drv->trans);
+ kfree(drv);
+ err:
+ return ERR_PTR(ret);
+--
+2.43.0
+
--- /dev/null
+From 3ecd00c9f7dbcae03177c8a0f79029e10116f6d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 May 2024 13:27:12 +0300
+Subject: wifi: iwlwifi: mvm: check n_ssids before accessing the ssids
+
+From: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+
+[ Upstream commit 60d62757df30b74bf397a2847a6db7385c6ee281 ]
+
+In some versions of cfg80211, the ssids poinet might be a valid one even
+though n_ssids is 0. Accessing the pointer in this case will cuase an
+out-of-bound access. Fix this by checking n_ssids first.
+
+Fixes: c1a7515393e4 ("iwlwifi: mvm: add adaptive dwell support")
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Reviewed-by: Ilan Peer <ilan.peer@intel.com>
+Reviewed-by: Johannes Berg <johannes.berg@intel.com>
+Link: https://msgid.link/20240513132416.6e4d1762bf0d.I5a0e6cc8f02050a766db704d15594c61fe583d45@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
+index c0ffa26bc5aaa..0605363b62720 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
+@@ -1312,7 +1312,7 @@ static void iwl_mvm_scan_umac_dwell(struct iwl_mvm *mvm,
+ if (IWL_MVM_ADWELL_MAX_BUDGET)
+ cmd->v7.adwell_max_budget =
+ cpu_to_le16(IWL_MVM_ADWELL_MAX_BUDGET);
+- else if (params->ssids && params->ssids[0].ssid_len)
++ else if (params->n_ssids && params->ssids[0].ssid_len)
+ cmd->v7.adwell_max_budget =
+ cpu_to_le16(IWL_SCAN_ADWELL_MAX_BUDGET_DIRECTED_SCAN);
+ else
+@@ -1414,7 +1414,7 @@ iwl_mvm_scan_umac_dwell_v10(struct iwl_mvm *mvm,
+ if (IWL_MVM_ADWELL_MAX_BUDGET)
+ general_params->adwell_max_budget =
+ cpu_to_le16(IWL_MVM_ADWELL_MAX_BUDGET);
+- else if (params->ssids && params->ssids[0].ssid_len)
++ else if (params->n_ssids && params->ssids[0].ssid_len)
+ general_params->adwell_max_budget =
+ cpu_to_le16(IWL_SCAN_ADWELL_MAX_BUDGET_DIRECTED_SCAN);
+ else
+--
+2.43.0
+
--- /dev/null
+From d3db3ca66ecb01738b7ffce54eb38ceaa4894e24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 May 2024 13:27:14 +0300
+Subject: wifi: iwlwifi: mvm: don't read past the mfuart notifcation
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+[ Upstream commit 4bb95f4535489ed830cf9b34b0a891e384d1aee4 ]
+
+In case the firmware sends a notification that claims it has more data
+than it has, we will read past that was allocated for the notification.
+Remove the print of the buffer, we won't see it by default. If needed,
+we can see the content with tracing.
+
+This was reported by KFENCE.
+
+Fixes: bdccdb854f2f ("iwlwifi: mvm: support MFUART dump in case of MFUART assert")
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Reviewed-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://msgid.link/20240513132416.ba82a01a559e.Ia91dd20f5e1ca1ad380b95e68aebf2794f553d9b@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+index d22a5628f9e0d..578956032e08b 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+@@ -95,20 +95,10 @@ void iwl_mvm_mfu_assert_dump_notif(struct iwl_mvm *mvm,
+ {
+ struct iwl_rx_packet *pkt = rxb_addr(rxb);
+ struct iwl_mfu_assert_dump_notif *mfu_dump_notif = (void *)pkt->data;
+- __le32 *dump_data = mfu_dump_notif->data;
+- int n_words = le32_to_cpu(mfu_dump_notif->data_size) / sizeof(__le32);
+- int i;
+
+ if (mfu_dump_notif->index_num == 0)
+ IWL_INFO(mvm, "MFUART assert id 0x%x occurred\n",
+ le32_to_cpu(mfu_dump_notif->assert_id));
+-
+- for (i = 0; i < n_words; i++)
+- IWL_DEBUG_INFO(mvm,
+- "MFUART assert dump, dword %u: 0x%08x\n",
+- le16_to_cpu(mfu_dump_notif->index_num) *
+- n_words + i,
+- le32_to_cpu(dump_data[i]));
+ }
+
+ static bool iwl_alive_fn(struct iwl_notif_wait_data *notif_wait,
+--
+2.43.0
+
--- /dev/null
+From f43dd9b31cbdfd1b9a58a2ad68715fa957b39518 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 May 2024 17:06:33 +0300
+Subject: wifi: iwlwifi: mvm: revert gen2 TX A-MPDU size to 64
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 4a7aace2899711592327463c1a29ffee44fcc66e ]
+
+We don't actually support >64 even for HE devices, so revert
+back to 64. This fixes an issue where the session is refused
+because the queue is configured differently from the actual
+session later.
+
+Fixes: 514c30696fbc ("iwlwifi: add support for IEEE802.11ax")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Reviewed-by: Liad Kaufman <liad.kaufman@intel.com>
+Reviewed-by: Luciano Coelho <luciano.coelho@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://msgid.link/20240510170500.52f7b4cf83aa.If47e43adddf7fe250ed7f5571fbb35d8221c7c47@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/rs.h | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/rs.h b/drivers/net/wireless/intel/iwlwifi/mvm/rs.h
+index 32104c9f8f5ee..d59a47637d120 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/rs.h
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rs.h
+@@ -133,13 +133,8 @@ enum {
+
+ #define LINK_QUAL_AGG_FRAME_LIMIT_DEF (63)
+ #define LINK_QUAL_AGG_FRAME_LIMIT_MAX (63)
+-/*
+- * FIXME - various places in firmware API still use u8,
+- * e.g. LQ command and SCD config command.
+- * This should be 256 instead.
+- */
+-#define LINK_QUAL_AGG_FRAME_LIMIT_GEN2_DEF (255)
+-#define LINK_QUAL_AGG_FRAME_LIMIT_GEN2_MAX (255)
++#define LINK_QUAL_AGG_FRAME_LIMIT_GEN2_DEF (64)
++#define LINK_QUAL_AGG_FRAME_LIMIT_GEN2_MAX (64)
+ #define LINK_QUAL_AGG_FRAME_LIMIT_MIN (0)
+
+ #define LQ_SIZE 2 /* 2 mode tables: "Active" and "Search" */
+--
+2.43.0
+
--- /dev/null
+From 2a41bcec40274c2e17b22cc71054b443bc89ed46 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 May 2024 10:18:54 +0800
+Subject: wifi: mac80211: correctly parse Spatial Reuse Parameter Set element
+
+From: Lingbo Kong <quic_lingbok@quicinc.com>
+
+[ Upstream commit a26d8dc5227f449a54518a8b40733a54c6600a8b ]
+
+Currently, the way of parsing Spatial Reuse Parameter Set element is
+incorrect and some members of struct ieee80211_he_obss_pd are not assigned.
+
+To address this issue, it must be parsed in the order of the elements of
+Spatial Reuse Parameter Set defined in the IEEE Std 802.11ax specification.
+
+The diagram of the Spatial Reuse Parameter Set element (IEEE Std 802.11ax
+-2021-9.4.2.252).
+
+-------------------------------------------------------------------------
+| | | | |Non-SRG| SRG | SRG | SRG | SRG |
+|Element|Length| Element | SR |OBSS PD|OBSS PD|OBSS PD| BSS |Partial|
+| ID | | ID |Control| Max | Min | Max |Color | BSSID |
+| | |Extension| | Offset| Offset|Offset |Bitmap|Bitmap |
+-------------------------------------------------------------------------
+
+Fixes: 1ced169cc1c2 ("mac80211: allow setting spatial reuse parameters from bss_conf")
+Signed-off-by: Lingbo Kong <quic_lingbok@quicinc.com>
+Link: https://msgid.link/20240516021854.5682-3-quic_lingbok@quicinc.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/he.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/net/mac80211/he.c b/net/mac80211/he.c
+index c05af7018f79f..c730ce5132cbc 100644
+--- a/net/mac80211/he.c
++++ b/net/mac80211/he.c
+@@ -223,15 +223,21 @@ ieee80211_he_spr_ie_to_bss_conf(struct ieee80211_vif *vif,
+
+ if (!he_spr_ie_elem)
+ return;
++
++ he_obss_pd->sr_ctrl = he_spr_ie_elem->he_sr_control;
+ data = he_spr_ie_elem->optional;
+
+ if (he_spr_ie_elem->he_sr_control &
+ IEEE80211_HE_SPR_NON_SRG_OFFSET_PRESENT)
+- data++;
++ he_obss_pd->non_srg_max_offset = *data++;
++
+ if (he_spr_ie_elem->he_sr_control &
+ IEEE80211_HE_SPR_SRG_INFORMATION_PRESENT) {
+- he_obss_pd->max_offset = *data++;
+ he_obss_pd->min_offset = *data++;
++ he_obss_pd->max_offset = *data++;
++ memcpy(he_obss_pd->bss_color_bitmap, data, 8);
++ data += 8;
++ memcpy(he_obss_pd->partial_bssid_bitmap, data, 8);
+ he_obss_pd->enable = true;
+ }
+ }
+--
+2.43.0
+
--- /dev/null
+From 6e8dfd5b602d19e685cb7fa1d5ac3c57d4c339c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 May 2024 08:57:53 +0200
+Subject: wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()
+
+From: Remi Pommarel <repk@triplefau.lt>
+
+[ Upstream commit 44c06bbde6443de206b30f513100b5670b23fc5e ]
+
+The ieee80211_sta_ps_deliver_wakeup() function takes sta->ps_lock to
+synchronizes with ieee80211_tx_h_unicast_ps_buf() which is called from
+softirq context. However using only spin_lock() to get sta->ps_lock in
+ieee80211_sta_ps_deliver_wakeup() does not prevent softirq to execute
+on this same CPU, to run ieee80211_tx_h_unicast_ps_buf() and try to
+take this same lock ending in deadlock. Below is an example of rcu stall
+that arises in such situation.
+
+ rcu: INFO: rcu_sched self-detected stall on CPU
+ rcu: 2-....: (42413413 ticks this GP) idle=b154/1/0x4000000000000000 softirq=1763/1765 fqs=21206996
+ rcu: (t=42586894 jiffies g=2057 q=362405 ncpus=4)
+ CPU: 2 PID: 719 Comm: wpa_supplicant Tainted: G W 6.4.0-02158-g1b062f552873 #742
+ Hardware name: RPT (r1) (DT)
+ pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : queued_spin_lock_slowpath+0x58/0x2d0
+ lr : invoke_tx_handlers_early+0x5b4/0x5c0
+ sp : ffff00001ef64660
+ x29: ffff00001ef64660 x28: ffff000009bc1070 x27: ffff000009bc0ad8
+ x26: ffff000009bc0900 x25: ffff00001ef647a8 x24: 0000000000000000
+ x23: ffff000009bc0900 x22: ffff000009bc0900 x21: ffff00000ac0e000
+ x20: ffff00000a279e00 x19: ffff00001ef646e8 x18: 0000000000000000
+ x17: ffff800016468000 x16: ffff00001ef608c0 x15: 0010533c93f64f80
+ x14: 0010395c9faa3946 x13: 0000000000000000 x12: 00000000fa83b2da
+ x11: 000000012edeceea x10: ffff0000010fbe00 x9 : 0000000000895440
+ x8 : 000000000010533c x7 : ffff00000ad8b740 x6 : ffff00000c350880
+ x5 : 0000000000000007 x4 : 0000000000000001 x3 : 0000000000000000
+ x2 : 0000000000000000 x1 : 0000000000000001 x0 : ffff00000ac0e0e8
+ Call trace:
+ queued_spin_lock_slowpath+0x58/0x2d0
+ ieee80211_tx+0x80/0x12c
+ ieee80211_tx_pending+0x110/0x278
+ tasklet_action_common.constprop.0+0x10c/0x144
+ tasklet_action+0x20/0x28
+ _stext+0x11c/0x284
+ ____do_softirq+0xc/0x14
+ call_on_irq_stack+0x24/0x34
+ do_softirq_own_stack+0x18/0x20
+ do_softirq+0x74/0x7c
+ __local_bh_enable_ip+0xa0/0xa4
+ _ieee80211_wake_txqs+0x3b0/0x4b8
+ __ieee80211_wake_queue+0x12c/0x168
+ ieee80211_add_pending_skbs+0xec/0x138
+ ieee80211_sta_ps_deliver_wakeup+0x2a4/0x480
+ ieee80211_mps_sta_status_update.part.0+0xd8/0x11c
+ ieee80211_mps_sta_status_update+0x18/0x24
+ sta_apply_parameters+0x3bc/0x4c0
+ ieee80211_change_station+0x1b8/0x2dc
+ nl80211_set_station+0x444/0x49c
+ genl_family_rcv_msg_doit.isra.0+0xa4/0xfc
+ genl_rcv_msg+0x1b0/0x244
+ netlink_rcv_skb+0x38/0x10c
+ genl_rcv+0x34/0x48
+ netlink_unicast+0x254/0x2bc
+ netlink_sendmsg+0x190/0x3b4
+ ____sys_sendmsg+0x1e8/0x218
+ ___sys_sendmsg+0x68/0x8c
+ __sys_sendmsg+0x44/0x84
+ __arm64_sys_sendmsg+0x20/0x28
+ do_el0_svc+0x6c/0xe8
+ el0_svc+0x14/0x48
+ el0t_64_sync_handler+0xb0/0xb4
+ el0t_64_sync+0x14c/0x150
+
+Using spin_lock_bh()/spin_unlock_bh() instead prevents softirq to raise
+on the same CPU that is holding the lock.
+
+Fixes: 1d147bfa6429 ("mac80211: fix AP powersave TX vs. wakeup race")
+Signed-off-by: Remi Pommarel <repk@triplefau.lt>
+Link: https://msgid.link/8e36fe07d0fbc146f89196cd47a53c8a0afe84aa.1716910344.git.repk@triplefau.lt
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/sta_info.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
+index f4deee1926e58..6d2b42cb3ad58 100644
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -1339,7 +1339,7 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta)
+ skb_queue_head_init(&pending);
+
+ /* sync with ieee80211_tx_h_unicast_ps_buf */
+- spin_lock(&sta->ps_lock);
++ spin_lock_bh(&sta->ps_lock);
+ /* Send all buffered frames to the station */
+ for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
+ int count = skb_queue_len(&pending), tmp;
+@@ -1368,7 +1368,7 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta)
+ */
+ clear_sta_flag(sta, WLAN_STA_PSPOLL);
+ clear_sta_flag(sta, WLAN_STA_UAPSD);
+- spin_unlock(&sta->ps_lock);
++ spin_unlock_bh(&sta->ps_lock);
+
+ atomic_dec(&ps->num_sta_ps);
+
+--
+2.43.0
+
--- /dev/null
+From 36c885782014e1a47d629d5661ec18cc037a39db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 May 2024 16:26:05 +0200
+Subject: wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects
+
+From: Nicolas Escande <nico.escande@gmail.com>
+
+[ Upstream commit b7d7f11a291830fdf69d3301075dd0fb347ced84 ]
+
+The hwmp code use objects of type mesh_preq_queue, added to a list in
+ieee80211_if_mesh, to keep track of mpath we need to resolve. If the mpath
+gets deleted, ex mesh interface is removed, the entries in that list will
+never get cleaned. Fix this by flushing all corresponding items of the
+preq_queue in mesh_path_flush_pending().
+
+This should take care of KASAN reports like this:
+
+unreferenced object 0xffff00000668d800 (size 128):
+ comm "kworker/u8:4", pid 67, jiffies 4295419552 (age 1836.444s)
+ hex dump (first 32 bytes):
+ 00 1f 05 09 00 00 ff ff 00 d5 68 06 00 00 ff ff ..........h.....
+ 8e 97 ea eb 3e b8 01 00 00 00 00 00 00 00 00 00 ....>...........
+ backtrace:
+ [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c
+ [<00000000049bd418>] kmalloc_trace+0x34/0x80
+ [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8
+ [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c
+ [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4
+ [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764
+ [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4
+ [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440
+ [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c
+ [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4
+ [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508
+ [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c
+ [<00000000b36425d1>] worker_thread+0x9c/0x634
+ [<0000000005852dd5>] kthread+0x1bc/0x1c4
+ [<000000005fccd770>] ret_from_fork+0x10/0x20
+unreferenced object 0xffff000009051f00 (size 128):
+ comm "kworker/u8:4", pid 67, jiffies 4295419553 (age 1836.440s)
+ hex dump (first 32 bytes):
+ 90 d6 92 0d 00 00 ff ff 00 d8 68 06 00 00 ff ff ..........h.....
+ 36 27 92 e4 02 e0 01 00 00 58 79 06 00 00 ff ff 6'.......Xy.....
+ backtrace:
+ [<000000007302a0b6>] __kmem_cache_alloc_node+0x1e0/0x35c
+ [<00000000049bd418>] kmalloc_trace+0x34/0x80
+ [<0000000000d792bb>] mesh_queue_preq+0x44/0x2a8
+ [<00000000c99c3696>] mesh_nexthop_resolve+0x198/0x19c
+ [<00000000926bf598>] ieee80211_xmit+0x1d0/0x1f4
+ [<00000000fc8c2284>] __ieee80211_subif_start_xmit+0x30c/0x764
+ [<000000005926ee38>] ieee80211_subif_start_xmit+0x9c/0x7a4
+ [<000000004c86e916>] dev_hard_start_xmit+0x174/0x440
+ [<0000000023495647>] __dev_queue_xmit+0xe24/0x111c
+ [<00000000cfe9ca78>] batadv_send_skb_packet+0x180/0x1e4
+ [<000000007bacc5d5>] batadv_v_elp_periodic_work+0x2f4/0x508
+ [<00000000adc3cd94>] process_one_work+0x4b8/0xa1c
+ [<00000000b36425d1>] worker_thread+0x9c/0x634
+ [<0000000005852dd5>] kthread+0x1bc/0x1c4
+ [<000000005fccd770>] ret_from_fork+0x10/0x20
+
+Fixes: 050ac52cbe1f ("mac80211: code for on-demand Hybrid Wireless Mesh Protocol")
+Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
+Link: https://msgid.link/20240528142605.1060566-1-nico.escande@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mesh_pathtbl.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c
+index 69d5e1ec6edef..e7b9dcf30adc9 100644
+--- a/net/mac80211/mesh_pathtbl.c
++++ b/net/mac80211/mesh_pathtbl.c
+@@ -723,10 +723,23 @@ void mesh_path_discard_frame(struct ieee80211_sub_if_data *sdata,
+ */
+ void mesh_path_flush_pending(struct mesh_path *mpath)
+ {
++ struct ieee80211_sub_if_data *sdata = mpath->sdata;
++ struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
++ struct mesh_preq_queue *preq, *tmp;
+ struct sk_buff *skb;
+
+ while ((skb = skb_dequeue(&mpath->frame_queue)) != NULL)
+ mesh_path_discard_frame(mpath->sdata, skb);
++
++ spin_lock_bh(&ifmsh->mesh_preq_queue_lock);
++ list_for_each_entry_safe(preq, tmp, &ifmsh->preq_queue.list, list) {
++ if (ether_addr_equal(mpath->dst, preq->dst)) {
++ list_del(&preq->list);
++ kfree(preq);
++ --ifmsh->preq_queue_len;
++ }
++ }
++ spin_unlock_bh(&ifmsh->mesh_preq_queue_lock);
+ }
+
+ /**
+--
+2.43.0
+
--- /dev/null
+From 0fb3ba2981bdfeed49e23a1f6c7b020405952b3b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 8 Mar 2022 16:30:29 +0100
+Subject: x86/ibt,ftrace: Search for __fentry__ location
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+[ Upstream commit aebfd12521d9c7d0b502cf6d06314cfbcdccfe3b ]
+
+Currently a lot of ftrace code assumes __fentry__ is at sym+0. However
+with Intel IBT enabled the first instruction of a function will most
+likely be ENDBR.
+
+Change ftrace_location() to not only return the __fentry__ location
+when called for the __fentry__ location, but also when called for the
+sym+0 location.
+
+Then audit/update all callsites of this function to consistently use
+these new semantics.
+
+Suggested-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
+Acked-by: Josh Poimboeuf <jpoimboe@redhat.com>
+Link: https://lore.kernel.org/r/20220308154318.227581603@infradead.org
+Stable-dep-of: e60b613df8b6 ("ftrace: Fix possible use-after-free issue in ftrace_location()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/kprobes/core.c | 11 ++------
+ kernel/bpf/trampoline.c | 20 +++-----------
+ kernel/kprobes.c | 8 ++----
+ kernel/trace/ftrace.c | 48 ++++++++++++++++++++++++++++------
+ 4 files changed, 48 insertions(+), 39 deletions(-)
+
+diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
+index 893f040b97b7d..99dd504307fdc 100644
+--- a/arch/x86/kernel/kprobes/core.c
++++ b/arch/x86/kernel/kprobes/core.c
+@@ -194,17 +194,10 @@ static unsigned long
+ __recover_probed_insn(kprobe_opcode_t *buf, unsigned long addr)
+ {
+ struct kprobe *kp;
+- unsigned long faddr;
++ bool faddr;
+
+ kp = get_kprobe((void *)addr);
+- faddr = ftrace_location(addr);
+- /*
+- * Addresses inside the ftrace location are refused by
+- * arch_check_ftrace_location(). Something went terribly wrong
+- * if such an address is checked here.
+- */
+- if (WARN_ON(faddr && faddr != addr))
+- return 0UL;
++ faddr = ftrace_location(addr) == addr;
+ /*
+ * Use the current code if it is not modified by Kprobe
+ * and it cannot be modified by ftrace.
+diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c
+index 4fa75791b45e2..1bffee0458863 100644
+--- a/kernel/bpf/trampoline.c
++++ b/kernel/bpf/trampoline.c
+@@ -108,18 +108,6 @@ static void bpf_trampoline_module_put(struct bpf_trampoline *tr)
+ tr->mod = NULL;
+ }
+
+-static int is_ftrace_location(void *ip)
+-{
+- long addr;
+-
+- addr = ftrace_location((long)ip);
+- if (!addr)
+- return 0;
+- if (WARN_ON_ONCE(addr != (long)ip))
+- return -EFAULT;
+- return 1;
+-}
+-
+ static int unregister_fentry(struct bpf_trampoline *tr, void *old_addr)
+ {
+ void *ip = tr->func.addr;
+@@ -151,12 +139,12 @@ static int modify_fentry(struct bpf_trampoline *tr, void *old_addr, void *new_ad
+ static int register_fentry(struct bpf_trampoline *tr, void *new_addr)
+ {
+ void *ip = tr->func.addr;
++ unsigned long faddr;
+ int ret;
+
+- ret = is_ftrace_location(ip);
+- if (ret < 0)
+- return ret;
+- tr->func.ftrace_managed = ret;
++ faddr = ftrace_location((unsigned long)ip);
++ if (faddr)
++ tr->func.ftrace_managed = true;
+
+ if (bpf_trampoline_module_get(tr))
+ return -ENOENT;
+diff --git a/kernel/kprobes.c b/kernel/kprobes.c
+index af57705e1fef3..258d425b2c4a5 100644
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -1526,14 +1526,10 @@ static inline int warn_kprobe_rereg(struct kprobe *p)
+
+ int __weak arch_check_ftrace_location(struct kprobe *p)
+ {
+- unsigned long ftrace_addr;
++ unsigned long addr = (unsigned long)p->addr;
+
+- ftrace_addr = ftrace_location((unsigned long)p->addr);
+- if (ftrace_addr) {
++ if (ftrace_location(addr) == addr) {
+ #ifdef CONFIG_KPROBES_ON_FTRACE
+- /* Given address is not on the instruction boundary */
+- if ((unsigned long)p->addr != ftrace_addr)
+- return -EILSEQ;
+ p->flags |= KPROBE_FLAG_FTRACE;
+ #else /* !CONFIG_KPROBES_ON_FTRACE */
+ return -EINVAL;
+diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
+index 157a1d2d9802f..3dce1a107a7c7 100644
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -1575,17 +1575,34 @@ unsigned long ftrace_location_range(unsigned long start, unsigned long end)
+ }
+
+ /**
+- * ftrace_location - return true if the ip giving is a traced location
++ * ftrace_location - return the ftrace location
+ * @ip: the instruction pointer to check
+ *
+- * Returns rec->ip if @ip given is a pointer to a ftrace location.
+- * That is, the instruction that is either a NOP or call to
+- * the function tracer. It checks the ftrace internal tables to
+- * determine if the address belongs or not.
++ * If @ip matches the ftrace location, return @ip.
++ * If @ip matches sym+0, return sym's ftrace location.
++ * Otherwise, return 0.
+ */
+ unsigned long ftrace_location(unsigned long ip)
+ {
+- return ftrace_location_range(ip, ip);
++ struct dyn_ftrace *rec;
++ unsigned long offset;
++ unsigned long size;
++
++ rec = lookup_rec(ip, ip);
++ if (!rec) {
++ if (!kallsyms_lookup_size_offset(ip, &size, &offset))
++ goto out;
++
++ /* map sym+0 to __fentry__ */
++ if (!offset)
++ rec = lookup_rec(ip, ip + size - 1);
++ }
++
++ if (rec)
++ return rec->ip;
++
++out:
++ return 0;
+ }
+
+ /**
+@@ -4942,7 +4959,8 @@ ftrace_match_addr(struct ftrace_hash *hash, unsigned long ip, int remove)
+ {
+ struct ftrace_func_entry *entry;
+
+- if (!ftrace_location(ip))
++ ip = ftrace_location(ip);
++ if (!ip)
+ return -EINVAL;
+
+ if (remove) {
+@@ -5090,11 +5108,16 @@ int register_ftrace_direct(unsigned long ip, unsigned long addr)
+ struct ftrace_func_entry *entry;
+ struct ftrace_hash *free_hash = NULL;
+ struct dyn_ftrace *rec;
+- int ret = -EBUSY;
++ int ret = -ENODEV;
+
+ mutex_lock(&direct_mutex);
+
++ ip = ftrace_location(ip);
++ if (!ip)
++ goto out_unlock;
++
+ /* See if there's a direct function at @ip already */
++ ret = -EBUSY;
+ if (ftrace_find_rec_direct(ip))
+ goto out_unlock;
+
+@@ -5223,6 +5246,10 @@ int unregister_ftrace_direct(unsigned long ip, unsigned long addr)
+
+ mutex_lock(&direct_mutex);
+
++ ip = ftrace_location(ip);
++ if (!ip)
++ goto out_unlock;
++
+ entry = find_direct_entry(&ip, NULL);
+ if (!entry)
+ goto out_unlock;
+@@ -5354,6 +5381,11 @@ int modify_ftrace_direct(unsigned long ip,
+ mutex_lock(&direct_mutex);
+
+ mutex_lock(&ftrace_lock);
++
++ ip = ftrace_location(ip);
++ if (!ip)
++ goto out_unlock;
++
+ entry = find_direct_entry(&ip, &rec);
+ if (!entry)
+ goto out_unlock;
+--
+2.43.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
