--- /dev/null
+From 0da9eccde3270b832c059ad618bf66e510c75d33 Mon Sep 17 00:00:00 2001
+From: Werner Sembach <wse@tuxedocomputers.com>
+Date: Mon, 16 Oct 2023 18:08:28 +0200
+Subject: ACPI: resource: Do IRQ override on TongFang GMxXGxx
+
+From: Werner Sembach <wse@tuxedocomputers.com>
+
+commit 0da9eccde3270b832c059ad618bf66e510c75d33 upstream.
+
+The TongFang GMxXGxx/TUXEDO Stellaris/Pollaris Gen5 needs IRQ overriding
+for the keyboard to work.
+
+Adding an entry for this laptop to the override_table makes the internal
+keyboard functional.
+
+Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
+Cc: All applicable <stable@vger.kernel.org>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/resource.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/acpi/resource.c
++++ b/drivers/acpi/resource.c
+@@ -500,6 +500,18 @@ static const struct dmi_system_id mainge
+ }
+ },
+ {
++ /* TongFang GMxXGxx/TUXEDO Polaris 15 Gen5 AMD */
++ .matches = {
++ DMI_MATCH(DMI_BOARD_NAME, "GMxXGxx"),
++ },
++ },
++ {
++ /* TongFang GM6XGxX/TUXEDO Stellaris 16 Gen5 AMD */
++ .matches = {
++ DMI_MATCH(DMI_BOARD_NAME, "GM6XGxX"),
++ },
++ },
++ {
+ .ident = "MAINGEAR Vector Pro 2 17",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Micro Electronics Inc"),
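Review bot: Both new entries match on `DMI_BOARD_NAME` alone using `DMI_MATCH`, which is a substring comparison, so any board whose name merely contains "GMxXGxx" or "GM6XGxX" also gets the IRQ override. If these strings are the complete board names, `DMI_EXACT_MATCH(DMI_BOARD_NAME, "GMxXGxx")` and `DMI_EXACT_MATCH(DMI_BOARD_NAME, "GM6XGxX")` would keep the quirk scoped to the intended machines. The table starts and ends outside the hunk, so whether neighbouring entries rely on the same loose matching cannot be checked from here.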
--- /dev/null
+From 5e7afb2eb7b2a7c81e9f608cbdf74a07606fd1b5 Mon Sep 17 00:00:00 2001
+From: Herve Codina <herve.codina@bootlin.com>
+Date: Tue, 24 Oct 2023 17:03:35 +0200
+Subject: genirq/generic_chip: Make irq_remove_generic_chip() irqdomain aware
+
+From: Herve Codina <herve.codina@bootlin.com>
+
+commit 5e7afb2eb7b2a7c81e9f608cbdf74a07606fd1b5 upstream.
+
+irq_remove_generic_chip() calculates the Linux interrupt number for removing the
+handler and interrupt chip based on gc::irq_base as a linear function of
+the bit positions of set bits in the @msk argument.
+
+When the generic chip is present in an irq domain, i.e. created with a call
+to irq_alloc_domain_generic_chips(), gc::irq_base contains not the base
+Linux interrupt number. It contains the base hardware interrupt for this
+chip. It is set to 0 for the first chip in the domain, 0 + N for the next
+chip, where $N is the number of hardware interrupts per chip.
+
+That means the Linux interrupt number cannot be calculated based on
+gc::irq_base for irqdomain based chips without a domain map lookup, which
+is currently missing.
+
+Rework the code to take the irqdomain case into account and calculate the
+Linux interrupt number by a irqdomain lookup of the domain specific
+hardware interrupt number.
+
+[ tglx: Massage changelog. Reshuffle the logic and add a proper comment. ]
+
+Fixes: cfefd21e693d ("genirq: Add chip suspend and resume callbacks")
+Signed-off-by: Herve Codina <herve.codina@bootlin.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20231024150335.322282-1-herve.codina@bootlin.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/irq/generic-chip.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+--- a/kernel/irq/generic-chip.c
++++ b/kernel/irq/generic-chip.c
+@@ -544,21 +544,34 @@ EXPORT_SYMBOL_GPL(irq_setup_alt_chip);
+ void irq_remove_generic_chip(struct irq_chip_generic *gc, u32 msk,
+ unsigned int clr, unsigned int set)
+ {
+- unsigned int i = gc->irq_base;
++ unsigned int i, virq;
+
+ raw_spin_lock(&gc_lock);
+ list_del(&gc->list);
+ raw_spin_unlock(&gc_lock);
+
+- for (; msk; msk >>= 1, i++) {
++ for (i = 0; msk; msk >>= 1, i++) {
+ if (!(msk & 0x01))
+ continue;
+
++ /*
++ * Interrupt domain based chips store the base hardware
++ * interrupt number in gc::irq_base. Otherwise gc::irq_base
++ * contains the base Linux interrupt number.
++ */
++ if (gc->domain) {
++ virq = irq_find_mapping(gc->domain, gc->irq_base + i);
++ if (!virq)
++ continue;
++ } else {
++ virq = gc->irq_base + i;
++ }
++
+ /* Remove handler first. That will mask the irq line */
+- irq_set_handler(i, NULL);
+- irq_set_chip(i, &no_irq_chip);
+- irq_set_chip_data(i, NULL);
+- irq_modify_status(i, clr, set);
++ irq_set_handler(virq, NULL);
++ irq_set_chip(virq, &no_irq_chip);
++ irq_set_chip_data(virq, NULL);
++ irq_modify_status(virq, clr, set);
+ }
+ }
+ EXPORT_SYMBOL_GPL(irq_remove_generic_chip);
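Review bot: In the `gc->domain` branch the loop only looks up the mapping and resets handler, chip, chip data and status; the mapping itself is left in place and unmapped hwirqs are skipped silently. That may well be the intended contract, but it is worth stating next to the new comment, for example `/* Mappings are not disposed here; tearing down the irqdomain is the caller's job. */`. The kernel-doc for this function is outside the hunk; if it still describes `@msk` as relative to a Linux interrupt base, it should say that bit positions are offsets from gc::irq_base, which is a hardware interrupt number for domain based chips.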
--- /dev/null
+From 31de287345f41bbfaec36a5c8cbdba035cf76442 Mon Sep 17 00:00:00 2001
+From: Jarkko Sakkinen <jarkko@kernel.org>
+Date: Wed, 11 Oct 2023 02:08:25 +0300
+Subject: KEYS: trusted: Rollback init_trusted() consistently
+
+From: Jarkko Sakkinen <jarkko@kernel.org>
+
+commit 31de287345f41bbfaec36a5c8cbdba035cf76442 upstream.
+
+Do bind neither static calls nor trusted_key_exit() before a successful
+init, in order to maintain a consistent state. In addition, depart the
+init_trusted() in the case of a real error (i.e. getting back something
+else than -ENODEV).
+
+Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
+Closes: https://lore.kernel.org/linux-integrity/CAHk-=whOPoLaWM8S8GgoOPT7a2+nMH5h3TLKtn=R_3w4R1_Uvg@mail.gmail.com/
+Cc: stable@vger.kernel.org # v5.13+
+Fixes: 5d0682be3189 ("KEYS: trusted: Add generic trusted keys framework")
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/keys/trusted-keys/trusted_core.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+--- a/security/keys/trusted-keys/trusted_core.c
++++ b/security/keys/trusted-keys/trusted_core.c
+@@ -358,17 +358,17 @@ static int __init init_trusted(void)
+ if (!get_random)
+ get_random = kernel_get_random;
+
+- static_call_update(trusted_key_seal,
+- trusted_key_sources[i].ops->seal);
+- static_call_update(trusted_key_unseal,
+- trusted_key_sources[i].ops->unseal);
+- static_call_update(trusted_key_get_random,
+- get_random);
+- trusted_key_exit = trusted_key_sources[i].ops->exit;
+- migratable = trusted_key_sources[i].ops->migratable;
+-
+ ret = trusted_key_sources[i].ops->init();
+- if (!ret)
++ if (!ret) {
++ static_call_update(trusted_key_seal, trusted_key_sources[i].ops->seal);
++ static_call_update(trusted_key_unseal, trusted_key_sources[i].ops->unseal);
++ static_call_update(trusted_key_get_random, get_random);
++
++ trusted_key_exit = trusted_key_sources[i].ops->exit;
++ migratable = trusted_key_sources[i].ops->migratable;
++ }
++
++ if (!ret || ret != -ENODEV)
+ break;
+ }
+
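Review bot: The new exit test `if (!ret || ret != -ENODEV)` is redundant, because `ret == 0` already satisfies `ret != -ENODEV`; `if (ret != -ENODEV)` followed by `break;` expresses the same condition without making the reader wonder what the first half adds. A one-line comment would make the intent explicit, e.g. `/* Stop on success or on a real error; only -ENODEV means "try the next source". */`. The enclosing loop and the tail of init_trusted() are outside the hunk, so how a non-ENODEV error is finally returned cannot be confirmed from these lines.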
--- /dev/null
+From c745cd1718b7825d69315fe7127e2e289e617598 Mon Sep 17 00:00:00 2001
+From: Sumit Garg <sumit.garg@linaro.org>
+Date: Tue, 22 Aug 2023 16:59:33 +0530
+Subject: KEYS: trusted: tee: Refactor register SHM usage
+
+From: Sumit Garg <sumit.garg@linaro.org>
+
+commit c745cd1718b7825d69315fe7127e2e289e617598 upstream.
+
+The OP-TEE driver using the old SMC based ABI permits overlapping shared
+buffers, but with the new FF-A based ABI each physical page may only
+be registered once.
+
+As the key and blob buffer are allocated adjancently, there is no need
+for redundant register shared memory invocation. Also, it is incompatibile
+with FF-A based ABI limitation. So refactor register shared memory
+implementation to use only single invocation to register both key and blob
+buffers.
+
+[jarkko: Added cc to stable.]
+Cc: stable@vger.kernel.org # v5.16+
+Fixes: 4615e5a34b95 ("optee: add FF-A support")
+Reported-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
+Tested-by: Jens Wiklander <jens.wiklander@linaro.org>
+Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/keys/trusted-keys/trusted_tee.c | 64 +++++++++----------------------
+ 1 file changed, 20 insertions(+), 44 deletions(-)
+
+--- a/security/keys/trusted-keys/trusted_tee.c
++++ b/security/keys/trusted-keys/trusted_tee.c
+@@ -65,24 +65,16 @@ static int trusted_tee_seal(struct trust
+ int ret;
+ struct tee_ioctl_invoke_arg inv_arg;
+ struct tee_param param[4];
+- struct tee_shm *reg_shm_in = NULL, *reg_shm_out = NULL;
++ struct tee_shm *reg_shm = NULL;
+
+ memset(&inv_arg, 0, sizeof(inv_arg));
+ memset(¶m, 0, sizeof(param));
+
+- reg_shm_in = tee_shm_register_kernel_buf(pvt_data.ctx, p->key,
+- p->key_len);
+- if (IS_ERR(reg_shm_in)) {
+- dev_err(pvt_data.dev, "key shm register failed\n");
+- return PTR_ERR(reg_shm_in);
+- }
+-
+- reg_shm_out = tee_shm_register_kernel_buf(pvt_data.ctx, p->blob,
+- sizeof(p->blob));
+- if (IS_ERR(reg_shm_out)) {
+- dev_err(pvt_data.dev, "blob shm register failed\n");
+- ret = PTR_ERR(reg_shm_out);
+- goto out;
++ reg_shm = tee_shm_register_kernel_buf(pvt_data.ctx, p->key,
++ sizeof(p->key) + sizeof(p->blob));
++ if (IS_ERR(reg_shm)) {
++ dev_err(pvt_data.dev, "shm register failed\n");
++ return PTR_ERR(reg_shm);
+ }
+
+ inv_arg.func = TA_CMD_SEAL;
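Review bot: The single registration passes `p->key` with a length of `sizeof(p->key) + sizeof(p->blob)`, which is only correct if `blob` directly follows `key` in the payload struct with no padding, and nothing in the hunk enforces that layout. A compile-time check next to the call, such as `BUILD_BUG_ON(offsetof(typeof(*p), blob) != offsetof(typeof(*p), key) + sizeof(p->key));`, would turn a later struct change into a build failure instead of a registration that covers neighbouring fields or a wrong `shm_offs`. The same assumption is repeated in the trusted_tee_unseal() hunk and in both `shm_offs = sizeof(p->key)` assignments. Note also that the registered region is now always the full key and blob buffers, where the old code registered only `p->key_len` or `p->blob_len` bytes for the input; a short comment saying that the memref sizes, not the registration, bound what the TA may touch would help the next reader.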
+@@ -90,13 +82,13 @@ static int trusted_tee_seal(struct trust
+ inv_arg.num_params = 4;
+
+ param[0].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT;
+- param[0].u.memref.shm = reg_shm_in;
++ param[0].u.memref.shm = reg_shm;
+ param[0].u.memref.size = p->key_len;
+ param[0].u.memref.shm_offs = 0;
+ param[1].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT;
+- param[1].u.memref.shm = reg_shm_out;
++ param[1].u.memref.shm = reg_shm;
+ param[1].u.memref.size = sizeof(p->blob);
+- param[1].u.memref.shm_offs = 0;
++ param[1].u.memref.shm_offs = sizeof(p->key);
+
+ ret = tee_client_invoke_func(pvt_data.ctx, &inv_arg, param);
+ if ((ret < 0) || (inv_arg.ret != 0)) {
+@@ -107,11 +99,7 @@ static int trusted_tee_seal(struct trust
+ p->blob_len = param[1].u.memref.size;
+ }
+
+-out:
+- if (reg_shm_out)
+- tee_shm_free(reg_shm_out);
+- if (reg_shm_in)
+- tee_shm_free(reg_shm_in);
++ tee_shm_free(reg_shm);
+
+ return ret;
+ }
+@@ -124,24 +112,16 @@ static int trusted_tee_unseal(struct tru
+ int ret;
+ struct tee_ioctl_invoke_arg inv_arg;
+ struct tee_param param[4];
+- struct tee_shm *reg_shm_in = NULL, *reg_shm_out = NULL;
++ struct tee_shm *reg_shm = NULL;
+
+ memset(&inv_arg, 0, sizeof(inv_arg));
+ memset(¶m, 0, sizeof(param));
+
+- reg_shm_in = tee_shm_register_kernel_buf(pvt_data.ctx, p->blob,
+- p->blob_len);
+- if (IS_ERR(reg_shm_in)) {
+- dev_err(pvt_data.dev, "blob shm register failed\n");
+- return PTR_ERR(reg_shm_in);
+- }
+-
+- reg_shm_out = tee_shm_register_kernel_buf(pvt_data.ctx, p->key,
+- sizeof(p->key));
+- if (IS_ERR(reg_shm_out)) {
+- dev_err(pvt_data.dev, "key shm register failed\n");
+- ret = PTR_ERR(reg_shm_out);
+- goto out;
++ reg_shm = tee_shm_register_kernel_buf(pvt_data.ctx, p->key,
++ sizeof(p->key) + sizeof(p->blob));
++ if (IS_ERR(reg_shm)) {
++ dev_err(pvt_data.dev, "shm register failed\n");
++ return PTR_ERR(reg_shm);
+ }
+
+ inv_arg.func = TA_CMD_UNSEAL;
+@@ -149,11 +129,11 @@ static int trusted_tee_unseal(struct tru
+ inv_arg.num_params = 4;
+
+ param[0].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_INPUT;
+- param[0].u.memref.shm = reg_shm_in;
++ param[0].u.memref.shm = reg_shm;
+ param[0].u.memref.size = p->blob_len;
+- param[0].u.memref.shm_offs = 0;
++ param[0].u.memref.shm_offs = sizeof(p->key);
+ param[1].attr = TEE_IOCTL_PARAM_ATTR_TYPE_MEMREF_OUTPUT;
+- param[1].u.memref.shm = reg_shm_out;
++ param[1].u.memref.shm = reg_shm;
+ param[1].u.memref.size = sizeof(p->key);
+ param[1].u.memref.shm_offs = 0;
+
+@@ -166,11 +146,7 @@ static int trusted_tee_unseal(struct tru
+ p->key_len = param[1].u.memref.size;
+ }
+
+-out:
+- if (reg_shm_out)
+- tee_shm_free(reg_shm_out);
+- if (reg_shm_in)
+- tee_shm_free(reg_shm_in);
++ tee_shm_free(reg_shm);
+
+ return ret;
+ }
--- /dev/null
+From 35f5d94187a6a3a8df2cba54beccca1c2379edb8 Mon Sep 17 00:00:00 2001
+From: SeongJae Park <sj@kernel.org>
+Date: Thu, 19 Oct 2023 19:49:20 +0000
+Subject: mm/damon: implement a function for max nr_accesses safe calculation
+
+From: SeongJae Park <sj@kernel.org>
+
+commit 35f5d94187a6a3a8df2cba54beccca1c2379edb8 upstream.
+
+Patch series "avoid divide-by-zero due to max_nr_accesses overflow".
+
+The maximum nr_accesses of given DAMON context can be calculated by
+dividing the aggregation interval by the sampling interval. Some logics
+in DAMON uses the maximum nr_accesses as a divisor. Hence, the value
+shouldn't be zero. Such case is avoided since DAMON avoids setting the
+agregation interval as samller than the sampling interval. However, since
+nr_accesses is unsigned int while the intervals are unsigned long, the
+maximum nr_accesses could be zero while casting.
+
+Avoid the divide-by-zero by implementing a function that handles the
+corner case (first patch), and replaces the vulnerable direct max
+nr_accesses calculations (remaining patches).
+
+Note that the patches for the replacements are divided for broken commits,
+to make backporting on required tres easier. Especially, the last patch
+is for a patch that not yet merged into the mainline but in mm tree.
+
+
+This patch (of 4):
+
+The maximum nr_accesses of given DAMON context can be calculated by
+dividing the aggregation interval by the sampling interval. Some logics
+in DAMON uses the maximum nr_accesses as a divisor. Hence, the value
+shouldn't be zero. Such case is avoided since DAMON avoids setting the
+agregation interval as samller than the sampling interval. However, since
+nr_accesses is unsigned int while the intervals are unsigned long, the
+maximum nr_accesses could be zero while casting. Implement a function
+that handles the corner case.
+
+Note that this commit is not fixing the real issue since this is only
+introducing the safe function that will replaces the problematic
+divisions. The replacements will be made by followup commits, to make
+backporting on stable series easier.
+
+Link: https://lkml.kernel.org/r/20231019194924.100347-1-sj@kernel.org
+Link: https://lkml.kernel.org/r/20231019194924.100347-2-sj@kernel.org
+Fixes: 198f0f4c58b9 ("mm/damon/vaddr,paddr: support pageout prioritization")
+Signed-off-by: SeongJae Park <sj@kernel.org>
+Reported-by: Jakub Acs <acsjakub@amazon.de>
+Cc: <stable@vger.kernel.org> [5.16+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/damon.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/include/linux/damon.h
++++ b/include/linux/damon.h
+@@ -559,6 +559,13 @@ static inline bool damon_target_has_pid(
+ return ctx->ops.id == DAMON_OPS_VADDR || ctx->ops.id == DAMON_OPS_FVADDR;
+ }
+
++static inline unsigned int damon_max_nr_accesses(const struct damon_attrs *attrs)
++{
++ /* {aggr,sample}_interval are unsigned long, hence could overflow */
++ return min(attrs->aggr_interval / attrs->sample_interval,
++ (unsigned long)UINT_MAX);
++}
++
+
+ int damon_start(struct damon_ctx **ctxs, int nr_ctxs, bool exclusive);
+ int damon_stop(struct damon_ctx **ctxs, int nr_ctxs);
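Review bot: Clamping to UINT_MAX removes the truncation-to-zero case, but `damon_max_nr_accesses()` can still return 0 when `aggr_interval < sample_interval`, and it divides by `sample_interval` without checking it for zero. The commit message says the result is used as a divisor, so the helper should either guarantee a non-zero result or state the precondition in a comment, e.g. `/* callers rely on sample_interval != 0 and aggr_interval >= sample_interval */`. Whether attribute validation elsewhere rules out both cases is not visible in this hunk. The existing comment is also imprecise: the intervals do not overflow, the quotient is truncated when converted to unsigned int, and a wording like `/* the unsigned long quotient may not fit in unsigned int; clamp instead of truncating */` would match the code.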
--- /dev/null
+From 44063f125af4bb4efd1d500d8091fa33a98af325 Mon Sep 17 00:00:00 2001
+From: SeongJae Park <sj@kernel.org>
+Date: Thu, 19 Oct 2023 19:49:23 +0000
+Subject: mm/damon/lru_sort: avoid divide-by-zero in hot threshold calculation
+
+From: SeongJae Park <sj@kernel.org>
+
+commit 44063f125af4bb4efd1d500d8091fa33a98af325 upstream.
+
+When calculating the hotness threshold for lru_prio scheme of
+DAMON_LRU_SORT, the module divides some values by the maximum nr_accesses.
+However, due to the type of the related variables, simple division-based
+calculation of the divisor can return zero. As a result, divide-by-zero
+is possible. Fix it by using damon_max_nr_accesses(), which handles the
+case.
+
+Link: https://lkml.kernel.org/r/20231019194924.100347-5-sj@kernel.org
+Fixes: 40e983cca927 ("mm/damon: introduce DAMON-based LRU-lists Sorting")
+Signed-off-by: SeongJae Park <sj@kernel.org>
+Reported-by: Jakub Acs <acsjakub@amazon.de>
+Cc: <stable@vger.kernel.org> [6.0+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/damon/lru_sort.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/mm/damon/lru_sort.c
++++ b/mm/damon/lru_sort.c
+@@ -195,9 +195,7 @@ static int damon_lru_sort_apply_paramete
+ if (err)
+ return err;
+
+- /* aggr_interval / sample_interval is the maximum nr_accesses */
+- hot_thres = damon_lru_sort_mon_attrs.aggr_interval /
+- damon_lru_sort_mon_attrs.sample_interval *
++ hot_thres = damon_max_nr_accesses(&damon_lru_sort_mon_attrs) *
+ hot_thres_access_freq / 1000;
+ scheme = damon_lru_sort_new_hot_scheme(hot_thres);
+ if (!scheme)
--- /dev/null
+From 3bafc47d3c4a2fc4d3b382aeb3c087f8fc84d9fd Mon Sep 17 00:00:00 2001
+From: SeongJae Park <sj@kernel.org>
+Date: Thu, 19 Oct 2023 19:49:22 +0000
+Subject: mm/damon/ops-common: avoid divide-by-zero during region hotness calculation
+
+From: SeongJae Park <sj@kernel.org>
+
+commit 3bafc47d3c4a2fc4d3b382aeb3c087f8fc84d9fd upstream.
+
+When calculating the hotness of each region for the under-quota regions
+prioritization, DAMON divides some values by the maximum nr_accesses.
+However, due to the type of the related variables, simple division-based
+calculation of the divisor can return zero. As a result, divide-by-zero
+is possible. Fix it by using damon_max_nr_accesses(), which handles the
+case.
+
+Link: https://lkml.kernel.org/r/20231019194924.100347-4-sj@kernel.org
+Fixes: 198f0f4c58b9 ("mm/damon/vaddr,paddr: support pageout prioritization")
+Signed-off-by: SeongJae Park <sj@kernel.org>
+Reported-by: Jakub Acs <acsjakub@amazon.de>
+Cc: <stable@vger.kernel.org> [5.16+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/damon/ops-common.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/mm/damon/ops-common.c
++++ b/mm/damon/ops-common.c
+@@ -87,7 +87,6 @@ void damon_pmdp_mkold(pmd_t *pmd, struct
+ int damon_hot_score(struct damon_ctx *c, struct damon_region *r,
+ struct damos *s)
+ {
+- unsigned int max_nr_accesses;
+ int freq_subscore;
+ unsigned int age_in_sec;
+ int age_in_log, age_subscore;
+@@ -95,8 +94,8 @@ int damon_hot_score(struct damon_ctx *c,
+ unsigned int age_weight = s->quota.weight_age;
+ int hotness;
+
+- max_nr_accesses = c->attrs.aggr_interval / c->attrs.sample_interval;
+- freq_subscore = r->nr_accesses * DAMON_MAX_SUBSCORE / max_nr_accesses;
++ freq_subscore = r->nr_accesses * DAMON_MAX_SUBSCORE /
++ damon_max_nr_accesses(&c->attrs);
+
+ age_in_sec = (unsigned long)r->age * c->attrs.aggr_interval / 1000000;
+ for (age_in_log = 0; age_in_log < DAMON_MAX_AGE_IN_LOG && age_in_sec;
--- /dev/null
+From b4936b544b08ed44949055b92bd25f77759ebafc Mon Sep 17 00:00:00 2001
+From: SeongJae Park <sj@kernel.org>
+Date: Mon, 6 Nov 2023 23:34:06 +0000
+Subject: mm/damon/sysfs: check error from damon_sysfs_update_target()
+
+From: SeongJae Park <sj@kernel.org>
+
+commit b4936b544b08ed44949055b92bd25f77759ebafc upstream.
+
+Patch series "mm/damon/sysfs: fix unhandled return values".
+
+Some of DAMON sysfs interface code is not handling return values from some
+functions. As a result, confusing user input handling or NULL-dereference
+is possible. Check those properly.
+
+
+This patch (of 3):
+
+damon_sysfs_update_target() returns error code for failures, but its
+caller, damon_sysfs_set_targets() is ignoring that. The update function
+seems making no critical change in case of such failures, but the behavior
+will look like DAMON sysfs is silently ignoring or only partially
+accepting the user input. Fix it.
+
+Link: https://lkml.kernel.org/r/20231106233408.51159-1-sj@kernel.org
+Link: https://lkml.kernel.org/r/20231106233408.51159-2-sj@kernel.org
+Fixes: 19467a950b49 ("mm/damon/sysfs: remove requested targets when online-commit inputs")
+Signed-off-by: SeongJae Park <sj@kernel.org>
+Cc: <stable@vger.kernel.org> [5.19+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/damon/sysfs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/mm/damon/sysfs.c
++++ b/mm/damon/sysfs.c
+@@ -2241,8 +2241,10 @@ static int damon_sysfs_set_targets(struc
+
+ damon_for_each_target_safe(t, next, ctx) {
+ if (i < sysfs_targets->nr) {
+- damon_sysfs_update_target(t, ctx,
++ err = damon_sysfs_update_target(t, ctx,
+ sysfs_targets->targets_arr[i]);
++ if (err)
++ return err;
+ } else {
+ if (damon_target_has_pid(ctx))
+ put_pid(t->pid);
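Review bot: Returning from inside `damon_for_each_target_safe()` leaves the targets handled in earlier iterations already updated while the remaining ones keep their old state, so a failure still produces a partially applied input, now reported with an error code. If that is acceptable, say so at the new `return err;`, for example `/* earlier targets stay updated; the caller sees a partially committed ctx */`, so nobody assumes the error path is all-or-nothing. The function body continues outside the hunk, so any cleanup done after the loop on the success path cannot be compared from here.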
--- /dev/null
+From 57925e16c9f7d18012bcf45bfa658f92c087981a Mon Sep 17 00:00:00 2001
+From: Rong Chen <rong.chen@amlogic.com>
+Date: Thu, 26 Oct 2023 15:31:56 +0800
+Subject: mmc: meson-gx: Remove setting of CMD_CFG_ERROR
+
+From: Rong Chen <rong.chen@amlogic.com>
+
+commit 57925e16c9f7d18012bcf45bfa658f92c087981a upstream.
+
+For the t7 and older SoC families, the CMD_CFG_ERROR has no effect.
+Starting from SoC family C3, setting this bit without SG LINK data
+address will cause the controller to generate an IRQ and stop working.
+
+To fix it, don't set the bit CMD_CFG_ERROR anymore.
+
+Fixes: 18f92bc02f17 ("mmc: meson-gx: make sure the descriptor is stopped on errors")
+Signed-off-by: Rong Chen <rong.chen@amlogic.com>
+Reviewed-by: Jerome Brunet <jbrunet@baylibre.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20231026073156.2868310-1-rong.chen@amlogic.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/meson-gx-mmc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/mmc/host/meson-gx-mmc.c
++++ b/drivers/mmc/host/meson-gx-mmc.c
+@@ -817,7 +817,6 @@ static void meson_mmc_start_cmd(struct m
+
+ cmd_cfg |= FIELD_PREP(CMD_CFG_CMD_INDEX_MASK, cmd->opcode);
+ cmd_cfg |= CMD_CFG_OWNER; /* owned by CPU */
+- cmd_cfg |= CMD_CFG_ERROR; /* stop in case of error */
+
+ meson_mmc_set_response_bits(cmd, &cmd_cfg);
+
--- /dev/null
+From 7994db905c0fd692cf04c527585f08a91b560144 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig@pengutronix.de>
+Date: Sun, 1 Oct 2023 19:02:54 +0200
+Subject: PCI: keystone: Don't discard .probe() callback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+commit 7994db905c0fd692cf04c527585f08a91b560144 upstream.
+
+The __init annotation makes the ks_pcie_probe() function disappear after
+booting completes. However a device can also be bound later. In that case,
+we try to call ks_pcie_probe(), but the backing memory is likely already
+overwritten.
+
+The right thing to do is do always have the probe callback available. Note
+that the (wrong) __refdata annotation prevented this issue to be noticed by
+modpost.
+
+Fixes: 0c4ffcfe1fbc ("PCI: keystone: Add TI Keystone PCIe driver")
+Link: https://lore.kernel.org/r/20231001170254.2506508-5-u.kleine-koenig@pengutronix.de
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/dwc/pci-keystone.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/pci/controller/dwc/pci-keystone.c
++++ b/drivers/pci/controller/dwc/pci-keystone.c
+@@ -1101,7 +1101,7 @@ static const struct of_device_id ks_pcie
+ { },
+ };
+
+-static int __init ks_pcie_probe(struct platform_device *pdev)
++static int ks_pcie_probe(struct platform_device *pdev)
+ {
+ const struct dw_pcie_host_ops *host_ops;
+ const struct dw_pcie_ep_ops *ep_ops;
+@@ -1319,7 +1319,7 @@ static int ks_pcie_remove(struct platfor
+ return 0;
+ }
+
+-static struct platform_driver ks_pcie_driver __refdata = {
++static struct platform_driver ks_pcie_driver = {
+ .probe = ks_pcie_probe,
+ .remove = ks_pcie_remove,
+ .driver = {
--- /dev/null
+From 200bddbb3f5202bbce96444fdc416305de14f547 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig@pengutronix.de>
+Date: Sun, 1 Oct 2023 19:02:53 +0200
+Subject: PCI: keystone: Don't discard .remove() callback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+commit 200bddbb3f5202bbce96444fdc416305de14f547 upstream.
+
+With CONFIG_PCIE_KEYSTONE=y and ks_pcie_remove() marked with __exit, the
+function is discarded from the driver. In this case a bound device can
+still get unbound, e.g via sysfs. Then no cleanup code is run resulting in
+resource leaks or worse.
+
+The right thing to do is do always have the remove callback available.
+Note that this driver cannot be compiled as a module, so ks_pcie_remove()
+was always discarded before this change and modpost couldn't warn about
+this issue. Furthermore the __ref annotation also prevents a warning.
+
+Fixes: 0c4ffcfe1fbc ("PCI: keystone: Add TI Keystone PCIe driver")
+Link: https://lore.kernel.org/r/20231001170254.2506508-4-u.kleine-koenig@pengutronix.de
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/dwc/pci-keystone.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/pci/controller/dwc/pci-keystone.c
++++ b/drivers/pci/controller/dwc/pci-keystone.c
+@@ -1303,7 +1303,7 @@ err_link:
+ return ret;
+ }
+
+-static int __exit ks_pcie_remove(struct platform_device *pdev)
++static int ks_pcie_remove(struct platform_device *pdev)
+ {
+ struct keystone_pcie *ks_pcie = platform_get_drvdata(pdev);
+ struct device_link **link = ks_pcie->link;
+@@ -1321,7 +1321,7 @@ static int __exit ks_pcie_remove(struct
+
+ static struct platform_driver ks_pcie_driver __refdata = {
+ .probe = ks_pcie_probe,
+- .remove = __exit_p(ks_pcie_remove),
++ .remove = ks_pcie_remove,
+ .driver = {
+ .name = "keystone-pcie",
+ .of_match_table = ks_pcie_of_match,
--- /dev/null
+From 0ec7731655de196bc1e4af99e495b38778109d22 Mon Sep 17 00:00:00 2001
+From: Mark Brown <broonie@kernel.org>
+Date: Thu, 26 Oct 2023 16:49:19 +0100
+Subject: regmap: Ensure range selector registers are updated after cache sync
+
+From: Mark Brown <broonie@kernel.org>
+
+commit 0ec7731655de196bc1e4af99e495b38778109d22 upstream.
+
+When we sync the register cache we do so with the cache bypassed in order
+to avoid overhead from writing the synced values back into the cache. If
+the regmap has ranges and the selector register for those ranges is in a
+register which is cached this has the unfortunate side effect of meaning
+that the physical and cached copies of the selector register can be out of
+sync after a cache sync. The cache will have whatever the selector was when
+the sync started and the hardware will have the selector for the register
+that was synced last.
+
+Fix this by rewriting all cached selector registers after every sync,
+ensuring that the hardware and cache have the same content. This will
+result in extra writes that wouldn't otherwise be needed but is simple
+so hopefully robust. We don't read from the hardware since not all
+devices have physical read support.
+
+Given that nobody noticed this until now it is likely that we are rarely if
+ever hitting this case.
+
+Reported-by: Hector Martin <marcan@marcan.st>
+Cc: stable@vger.kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20231026-regmap-fix-selector-sync-v1-1-633ded82770d@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/regmap/regcache.c | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+--- a/drivers/base/regmap/regcache.c
++++ b/drivers/base/regmap/regcache.c
+@@ -331,6 +331,11 @@ static int regcache_default_sync(struct
+ return 0;
+ }
+
++static int rbtree_all(const void *key, const struct rb_node *node)
++{
++ return 0;
++}
++
+ /**
+ * regcache_sync - Sync the register cache with the hardware.
+ *
+@@ -348,6 +353,7 @@ int regcache_sync(struct regmap *map)
+ unsigned int i;
+ const char *name;
+ bool bypass;
++ struct rb_node *node;
+
+ if (WARN_ON(map->cache_type == REGCACHE_NONE))
+ return -EINVAL;
+@@ -392,6 +398,30 @@ out:
+ map->async = false;
+ map->cache_bypass = bypass;
+ map->no_sync_defaults = false;
++
++ /*
++ * If we did any paging with cache bypassed and a cached
++ * paging register then the register and cache state might
++ * have gone out of sync, force writes of all the paging
++ * registers.
++ */
++ rb_for_each(node, 0, &map->range_tree, rbtree_all) {
++ struct regmap_range_node *this =
++ rb_entry(node, struct regmap_range_node, node);
++
++ /* If there's nothing in the cache there's nothing to sync */
++ ret = regcache_read(map, this->selector_reg, &i);
++ if (ret != 0)
++ continue;
++
++ ret = _regmap_write(map, this->selector_reg, i);
++ if (ret != 0) {
++ dev_err(map->dev, "Failed to write %x = %x: %d\n",
++ this->selector_reg, i, ret);
++ break;
++ }
++ }
++
+ map->unlock(map->lock_arg);
+
+ regmap_async_complete(map);
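Review bot: The selector loop reuses `ret` for its own status, which both leaks and hides errors: when `regcache_read()` fails for the last range the loop `continue`s with `ret` still holding that error, and when the selector write succeeds it overwrites whatever `ret` held from the sync above. Assuming `ret` is what regcache_sync() returns after the hunk (the return is not visible here), a successful sync can report failure and a failed sync can report success. The loop also borrows the counter `i` as the value buffer, which is harder to read than a dedicated local. Keeping the loop's status and value in locals and only propagating a write failure when no earlier error exists avoids both problems.

```c
	rb_for_each(node, 0, &map->range_tree, rbtree_all) {
		struct regmap_range_node *this =
			rb_entry(node, struct regmap_range_node, node);
		unsigned int val;
		int sel_ret;

		/* If there's nothing in the cache there's nothing to sync */
		if (regcache_read(map, this->selector_reg, &val) != 0)
			continue;

		sel_ret = _regmap_write(map, this->selector_reg, val);
		if (sel_ret != 0) {
			dev_err(map->dev, "Failed to write %x = %x: %d\n",
				this->selector_reg, val, sel_ret);
			/* Keep an earlier sync error if there was one */
			if (ret == 0)
				ret = sel_ret;
			break;
		}
	}
	/* … unchanged: map->unlock() and regmap_async_complete() … */
```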
pci-sysfs-protect-driver-s-d3cold-preference-from-user-space.patch
mm-damon-sysfs-remove-requested-targets-when-online-commit-inputs.patch
mm-damon-sysfs-update-monitoring-target-regions-for-online-input-commit.patch
+watchdog-move-softlockup_panic-back-to-early_param.patch
+mm-damon-lru_sort-avoid-divide-by-zero-in-hot-threshold-calculation.patch
+mm-damon-ops-common-avoid-divide-by-zero-during-region-hotness-calculation.patch
+mm-damon-implement-a-function-for-max-nr_accesses-safe-calculation.patch
+mm-damon-sysfs-check-error-from-damon_sysfs_update_target.patch
+acpi-resource-do-irq-override-on-tongfang-gmxxgxx.patch
+regmap-ensure-range-selector-registers-are-updated-after-cache-sync.patch
+wifi-ath11k-fix-temperature-event-locking.patch
+wifi-ath11k-fix-dfs-radar-event-locking.patch
+wifi-ath11k-fix-htt-pktlog-locking.patch
+wifi-ath11k-fix-gtk-offload-status-event-locking.patch
+mmc-meson-gx-remove-setting-of-cmd_cfg_error.patch
+genirq-generic_chip-make-irq_remove_generic_chip-irqdomain-aware.patch
+keys-trusted-tee-refactor-register-shm-usage.patch
+keys-trusted-rollback-init_trusted-consistently.patch
+pci-keystone-don-t-discard-.remove-callback.patch
+pci-keystone-don-t-discard-.probe-callback.patch
--- /dev/null
+From 8b793bcda61f6c3ed4f5b2ded7530ef6749580cb Mon Sep 17 00:00:00 2001
+From: Krister Johansen <kjlx@templeofstupid.com>
+Date: Fri, 27 Oct 2023 14:46:53 -0700
+Subject: watchdog: move softlockup_panic back to early_param
+
+From: Krister Johansen <kjlx@templeofstupid.com>
+
+commit 8b793bcda61f6c3ed4f5b2ded7530ef6749580cb upstream.
+
+Setting softlockup_panic from do_sysctl_args() causes it to take effect
+later in boot. The lockup detector is enabled before SMP is brought
+online, but do_sysctl_args runs afterwards. If a user wants to set
+softlockup_panic on boot and have it trigger should a softlockup occur
+during onlining of the non-boot processors, they could do this prior to
+commit f117955a2255 ("kernel/watchdog.c: convert {soft/hard}lockup boot
+parameters to sysctl aliases"). However, after this commit the value
+of softlockup_panic is set too late to be of help for this type of
+problem. Restore the prior behavior.
+
+Signed-off-by: Krister Johansen <kjlx@templeofstupid.com>
+Cc: stable@vger.kernel.org
+Fixes: f117955a2255 ("kernel/watchdog.c: convert {soft/hard}lockup boot parameters to sysctl aliases")
+Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/proc_sysctl.c | 1 -
+ kernel/watchdog.c | 7 +++++++
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/proc/proc_sysctl.c
++++ b/fs/proc/proc_sysctl.c
+@@ -1814,7 +1814,6 @@ static const struct sysctl_alias sysctl_
+ {"hung_task_panic", "kernel.hung_task_panic" },
+ {"numa_zonelist_order", "vm.numa_zonelist_order" },
+ {"softlockup_all_cpu_backtrace", "kernel.softlockup_all_cpu_backtrace" },
+- {"softlockup_panic", "kernel.softlockup_panic" },
+ { }
+ };
+
+--- a/kernel/watchdog.c
++++ b/kernel/watchdog.c
+@@ -183,6 +183,13 @@ static DEFINE_PER_CPU(unsigned long, hrt
+ static DEFINE_PER_CPU(unsigned long, hrtimer_interrupts_saved);
+ static unsigned long soft_lockup_nmi_warn;
+
++static int __init softlockup_panic_setup(char *str)
++{
++ softlockup_panic = simple_strtoul(str, NULL, 0);
++ return 1;
++}
++__setup("softlockup_panic=", softlockup_panic_setup);
++
+ static int __init nowatchdog_setup(char *str)
+ {
+ watchdog_user_enabled = 0;
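Review bot: `softlockup_panic_setup()` parses the boot argument with `simple_strtoul(str, NULL, 0)`, which cannot report a parse failure. A mistyped value such as `softlockup_panic=yes` therefore silently becomes 0 and turns panic-on-softlockup off with no message, whatever the built-in default was. Parsing into a local with `kstrtoul()` and assigning only on success, e.g. `if (!kstrtoul(str, 0, &val)) softlockup_panic = val;`, keeps the default when the argument is malformed. A one-line comment above the handler, `/* parsed via __setup so the value is set before SMP bring-up; do not turn into a sysctl alias */`, would also record why this must not be converted again.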
--- /dev/null
+From 3b6c14833165f689cc5928574ebafe52bbce5f1e Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Thu, 19 Oct 2023 17:31:15 +0200
+Subject: wifi: ath11k: fix dfs radar event locking
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 3b6c14833165f689cc5928574ebafe52bbce5f1e upstream.
+
+The ath11k active pdevs are protected by RCU but the DFS radar event
+handling code calling ath11k_mac_get_ar_by_pdev_id() was not marked as a
+read-side critical section.
+
+Mark the code in question as an RCU read-side critical section to avoid
+any potential use-after-free issues.
+
+Compile tested only.
+
+Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
+Cc: stable@vger.kernel.org # 5.6
+Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20231019153115.26401-3-johan+linaro@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath11k/wmi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath11k/wmi.c
++++ b/drivers/net/wireless/ath/ath11k/wmi.c
+@@ -7729,6 +7729,8 @@ ath11k_wmi_pdev_dfs_radar_detected_event
+ ev->detector_id, ev->segment_id, ev->timestamp, ev->is_chirp,
+ ev->freq_offset, ev->sidx);
+
++ rcu_read_lock();
++
+ ar = ath11k_mac_get_ar_by_pdev_id(ab, ev->pdev_id);
+
+ if (!ar) {
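Review bot: The `if (!ar) {` branch is cut off at the end of this hunk, so it is not visible whether the failure path jumps to `exit:` or returns directly. With `rcu_read_lock()` now taken just above, any `return` between the lock and the label in the second hunk would leave the read-side section open. It is worth confirming that every path in between uses `goto exit`, and recording the constraint where the lock is taken, e.g. `/* ar is only valid until rcu_read_unlock() at exit: */`. The function body starts before this hunk and continues past it.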
+@@ -7746,6 +7748,8 @@ ath11k_wmi_pdev_dfs_radar_detected_event
+ ieee80211_radar_detected(ar->hw);
+
+ exit:
++ rcu_read_unlock();
++
+ kfree(tb);
+ }
+
--- /dev/null
+From 1dea3c0720a146bd7193969f2847ccfed5be2221 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Thu, 19 Oct 2023 17:53:42 +0200
+Subject: wifi: ath11k: fix gtk offload status event locking
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 1dea3c0720a146bd7193969f2847ccfed5be2221 upstream.
+
+The ath11k active pdevs are protected by RCU but the gtk offload status
+event handling code calling ath11k_mac_get_arvif_by_vdev_id() was not
+marked as a read-side critical section.
+
+Mark the code in question as an RCU read-side critical section to avoid
+any potential use-after-free issues.
+
+Compile tested only.
+
+Fixes: a16d9b50cfba ("ath11k: support GTK rekey offload")
+Cc: stable@vger.kernel.org # 5.18
+Cc: Carl Huang <quic_cjhuang@quicinc.com>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20231019155342.31631-1-johan+linaro@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath11k/wmi.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath11k/wmi.c
++++ b/drivers/net/wireless/ath/ath11k/wmi.c
+@@ -8001,12 +8001,13 @@ static void ath11k_wmi_gtk_offload_statu
+ return;
+ }
+
++ rcu_read_lock();
++
+ arvif = ath11k_mac_get_arvif_by_vdev_id(ab, ev->vdev_id);
+ if (!arvif) {
+ ath11k_warn(ab, "failed to get arvif for vdev_id:%d\n",
+ ev->vdev_id);
+- kfree(tb);
+- return;
++ goto exit;
+ }
+
+ ath11k_dbg(ab, ATH11K_DBG_WMI, "wmi gtk offload event refresh_cnt %d\n",
+@@ -8023,6 +8024,8 @@ static void ath11k_wmi_gtk_offload_statu
+
+ ieee80211_gtk_rekey_notify(arvif->vif, arvif->bssid,
+ (void *)&replay_ctr_be, GFP_ATOMIC);
++exit:
++ rcu_read_unlock();
+
+ kfree(tb);
+ }
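Review bot: `ieee80211_gtk_rekey_notify()` is now called inside the RCU read-side section, so its `GFP_ATOMIC` argument is required rather than merely conservative; a later switch to a sleeping allocation flag would be a bug. A short comment on the call, `/* under rcu_read_lock(): allocation must not sleep */`, would make that explicit. As a style point, the `exit:` label follows the call with no blank line, whereas the dfs radar and temperature handlers in this series leave one before the label.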
--- /dev/null
+From 3f77c7d605b29df277d77e9ee75d96e7ad145d2d Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Thu, 19 Oct 2023 13:25:21 +0200
+Subject: wifi: ath11k: fix htt pktlog locking
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 3f77c7d605b29df277d77e9ee75d96e7ad145d2d upstream.
+
+The ath11k active pdevs are protected by RCU but the htt pktlog handling
+code calling ath11k_mac_get_ar_by_pdev_id() was not marked as a
+read-side critical section.
+
+Mark the code in question as an RCU read-side critical section to avoid
+any potential use-after-free issues.
+
+Compile tested only.
+
+Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
+Cc: stable@vger.kernel.org # 5.6
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20231019112521.2071-1-johan+linaro@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath11k/dp_rx.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
++++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
+@@ -1621,14 +1621,20 @@ static void ath11k_htt_pktlog(struct ath
+ u8 pdev_id;
+
+ pdev_id = FIELD_GET(HTT_T2H_PPDU_STATS_INFO_PDEV_ID, data->hdr);
++
++ rcu_read_lock();
++
+ ar = ath11k_mac_get_ar_by_pdev_id(ab, pdev_id);
+ if (!ar) {
+ ath11k_warn(ab, "invalid pdev id %d on htt pktlog\n", pdev_id);
+- return;
++ goto out;
+ }
+
+ trace_ath11k_htt_pktlog(ar, data->payload, hdr->size,
+ ar->ab->pktlog_defs_checksum);
++
++out:
++ rcu_read_unlock();
+ }
+
+ static void ath11k_htt_backpressure_event_handler(struct ath11k_base *ab,
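Review bot: `hdr->size` is handed to `trace_ath11k_htt_pktlog()` as the payload length, and nothing in the visible lines checks it against the size of the received buffer. If the value comes straight from the device message, an oversized one could make the tracepoint read past the payload. The function starts before the hunk, so a bound check may already exist there; if it does not, one against the buffer length should be added before the trace call. This is independent of the RCU change, which looks complete here since the only early `return` was converted to `goto out`.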
--- /dev/null
+From 1a5352a81b4720ba43d9c899974e3bddf7ce0ce8 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Thu, 19 Oct 2023 17:31:14 +0200
+Subject: wifi: ath11k: fix temperature event locking
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 1a5352a81b4720ba43d9c899974e3bddf7ce0ce8 upstream.
+
+The ath11k active pdevs are protected by RCU but the temperature event
+handling code calling ath11k_mac_get_ar_by_pdev_id() was not marked as a
+read-side critical section as reported by RCU lockdep:
+
+ =============================
+ WARNING: suspicious RCU usage
+ 6.6.0-rc6 #7 Not tainted
+ -----------------------------
+ drivers/net/wireless/ath/ath11k/mac.c:638 suspicious rcu_dereference_check() usage!
+
+ other info that might help us debug this:
+
+ rcu_scheduler_active = 2, debug_locks = 1
+ no locks held by swapper/0/0.
+ ...
+ Call trace:
+ ...
+ lockdep_rcu_suspicious+0x16c/0x22c
+ ath11k_mac_get_ar_by_pdev_id+0x194/0x1b0 [ath11k]
+ ath11k_wmi_tlv_op_rx+0xa84/0x2c1c [ath11k]
+ ath11k_htc_rx_completion_handler+0x388/0x510 [ath11k]
+
+Mark the code in question as an RCU read-side critical section to avoid
+any potential use-after-free issues.
+
+Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.23
+
+Fixes: a41d10348b01 ("ath11k: add thermal sensor device support")
+Cc: stable@vger.kernel.org # 5.7
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20231019153115.26401-2-johan+linaro@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath11k/wmi.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath11k/wmi.c
++++ b/drivers/net/wireless/ath/ath11k/wmi.c
+@@ -7775,15 +7775,19 @@ ath11k_wmi_pdev_temperature_event(struct
+ ath11k_dbg(ab, ATH11K_DBG_WMI,
+ "pdev temperature ev temp %d pdev_id %d\n", ev->temp, ev->pdev_id);
+
++ rcu_read_lock();
++
+ ar = ath11k_mac_get_ar_by_pdev_id(ab, ev->pdev_id);
+ if (!ar) {
+ ath11k_warn(ab, "invalid pdev id in pdev temperature ev %d", ev->pdev_id);
+- kfree(tb);
+- return;
++ goto exit;
+ }
+
+ ath11k_thermal_event_temperature(ar, ev->temp);
+
++exit:
++ rcu_read_unlock();
++
+ kfree(tb);
+ }
+
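Review bot: `ath11k_thermal_event_temperature()` now runs between `rcu_read_lock()` and `rcu_read_unlock()`, so it must not sleep. Its body is not part of this hunk, so that should be confirmed and ideally noted at the call, e.g. `/* called under rcu_read_lock(); must not sleep */`. Separately, the `ath11k_warn()` format string in the `!ar` branch has no trailing `\n`, unlike the equivalent warning in the gtk offload handler.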