--- /dev/null
+From 71ce3bc3a1d73143ddef42caccffbe9a7e1c2a54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Sep 2023 20:24:34 -0400
+Subject: afs: fix __afs_break_callback() / afs_drop_open_mmap() race
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 275655d3207b9e65d1561bf21c06a622d9ec1d43 ]
+
+In __afs_break_callback() we might check ->cb_nr_mmap and if it's non-zero
+do queue_work(&vnode->cb_work). In afs_drop_open_mmap() we decrement
+->cb_nr_mmap and do flush_work(&vnode->cb_work) if it reaches zero.
+
+The trouble is, there's nothing to prevent __afs_break_callback() from
+seeing ->cb_nr_mmap before the decrement and do queue_work() after both
+the decrement and flush_work(). If that happens, we might be in trouble -
+vnode might get freed before the queued work runs.
+
+__afs_break_callback() is always done under ->cb_lock, so let's make
+sure that ->cb_nr_mmap can change from non-zero to zero while holding
+->cb_lock (the spinlock component of it - it's a seqlock and we don't
+need to mess with the counter).
+
+Acked-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/file.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/fs/afs/file.c b/fs/afs/file.c
+index 2eeab57df133a..9051ed0085544 100644
+--- a/fs/afs/file.c
++++ b/fs/afs/file.c
+@@ -525,13 +525,17 @@ static void afs_add_open_mmap(struct afs_vnode *vnode)
+
+ static void afs_drop_open_mmap(struct afs_vnode *vnode)
+ {
+- if (!atomic_dec_and_test(&vnode->cb_nr_mmap))
++ if (atomic_add_unless(&vnode->cb_nr_mmap, -1, 1))
+ return;
+
+ down_write(&vnode->volume->cell->fs_open_mmaps_lock);
+
+- if (atomic_read(&vnode->cb_nr_mmap) == 0)
++ read_seqlock_excl(&vnode->cb_lock);
++ // the only place where ->cb_nr_mmap may hit 0
++ // see __afs_break_callback() for the other side...
++ if (atomic_dec_and_test(&vnode->cb_nr_mmap))
+ list_del_init(&vnode->cb_mmap_link);
++ read_sequnlock_excl(&vnode->cb_lock);
+
+ up_write(&vnode->volume->cell->fs_open_mmaps_lock);
+ flush_work(&vnode->cb_work);
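Review bot: The two `//` comments added before `atomic_dec_and_test()` state the locking rule only from this side, and the diffstat lists `fs/afs/file.c` as the only file touched, so `__afs_break_callback()` gets no matching note. That rule is what stops the queued work from outliving the vnode, so I would spell it out in kernel block-comment style, e.g. `/* ->cb_nr_mmap may only drop to 0 under ->cb_lock; __afs_break_callback() tests it under the same lock before queue_work() */`. A one-line pointer back to `afs_drop_open_mmap()` at the check on the other side would complete it. The body of `afs_drop_open_mmap()` continues past the end of the hunk.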
+--
+2.43.0
+
--- /dev/null
+From a4c854a1cf9166d64afc70fc9feeac49ff529af6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Nov 2023 14:20:21 +0200
+Subject: ASoC: SOF: ipc4: check return value of snd_sof_ipc_msg_data
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bard Liao <yung-chuan.liao@linux.intel.com>
+
+[ Upstream commit 2bd512626f8ea3957c981cadd2ebf75feff737dd ]
+
+snd_sof_ipc_msg_data could return error.
+
+Signed-off-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Reviewed-by: Péter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Link: https://lore.kernel.org/r/20231129122021.679-1-peter.ujfalusi@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sof/ipc4.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/sof/ipc4.c b/sound/soc/sof/ipc4.c
+index 06e1872abfee7..1449837b0fb2c 100644
+--- a/sound/soc/sof/ipc4.c
++++ b/sound/soc/sof/ipc4.c
+@@ -616,7 +616,14 @@ static void sof_ipc4_rx_msg(struct snd_sof_dev *sdev)
+ return;
+
+ ipc4_msg->data_size = data_size;
+- snd_sof_ipc_msg_data(sdev, NULL, ipc4_msg->data_ptr, ipc4_msg->data_size);
++ err = snd_sof_ipc_msg_data(sdev, NULL, ipc4_msg->data_ptr, ipc4_msg->data_size);
++ if (err < 0) {
++ dev_err(sdev->dev, "failed to read IPC notification data: %d\n", err);
++ kfree(ipc4_msg->data_ptr);
++ ipc4_msg->data_ptr = NULL;
++ ipc4_msg->data_size = 0;
++ return;
++ }
+ }
+
+ sof_ipc4_log_header(sdev->dev, "ipc rx done ", ipc4_msg, true);
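Review bot: The new `if (err < 0)` branch frees `data_ptr` and returns without saying why the notification is dropped rather than passed on with whatever was read. A short comment such as `/* drop the notification: the buffer content is not valid after a failed read */` would record that the free is deliberate and keep a later refactor from logging or dispatching the buffer. The allocation of `data_ptr` and the declaration of `err` are outside the hunk, so whether the buffer is zero-initialised cannot be confirmed from here.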
+--
+2.43.0
+
--- /dev/null
+From 70fab94f0364889691b8d15a7bb9e31193eaaff7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Feb 2024 12:11:08 -0500
+Subject: Bluetooth: bnep: Fix out-of-bound access
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 0f0639b4d6f649338ce29c62da3ec0787fa08cd1 ]
+
+This fixes attempting to access past ethhdr.h_source, although it seems
+intentional to copy also the contents of h_proto this triggers
+out-of-bound access problems with the likes of static analyzer, so this
+instead just copy ETH_ALEN and then proceed to use put_unaligned to copy
+h_proto separetely.
+
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/bnep/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
+index 5a6a49885ab66..a660c428e2207 100644
+--- a/net/bluetooth/bnep/core.c
++++ b/net/bluetooth/bnep/core.c
+@@ -385,7 +385,8 @@ static int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
+
+ case BNEP_COMPRESSED_DST_ONLY:
+ __skb_put_data(nskb, skb_mac_header(skb), ETH_ALEN);
+- __skb_put_data(nskb, s->eh.h_source, ETH_ALEN + 2);
++ __skb_put_data(nskb, s->eh.h_source, ETH_ALEN);
++ put_unaligned(s->eh.h_proto, (__be16 *)__skb_put(nskb, 2));
+ break;
+
+ case BNEP_GENERAL:
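Review bot: The literal `2` in `__skb_put(nskb, 2)` is the size of `h_proto`, and the removed `ETH_ALEN + 2` shows how easily such a literal hides a read past a struct member. Writing it as `put_unaligned(s->eh.h_proto, (__be16 *)__skb_put(nskb, sizeof(s->eh.h_proto)));` ties the reserved length to the field being stored. The other cases of this switch in `bnep_rx_frame()` lie outside the hunk; if any of them still copies `ETH_ALEN + 2` from a header field, it would want the same treatment.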
+--
+2.43.0
+
--- /dev/null
+From 6af171e0cef6731f55b77aea8519069285fac96c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Dec 2023 09:51:26 +0800
+Subject: Bluetooth: hci_conn: Check non NULL function before calling for HFP
+ offload
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+[ Upstream commit 132d0fd0b8418094c9e269e5bc33bf5b864f4a65 ]
+
+For some controllers such as QCA2066, it does not need to send
+HCI_Configure_Data_Path to configure non-HCI data transport path to support
+HFP offload, their device drivers may set hdev->get_codec_config_data as
+NULL, so Explicitly add this non NULL checking before calling the function.
+
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_conn.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index bac5a369d2bef..858c454e35e67 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -293,6 +293,13 @@ static int configure_datapath_sync(struct hci_dev *hdev, struct bt_codec *codec)
+ __u8 vnd_len, *vnd_data = NULL;
+ struct hci_op_configure_data_path *cmd = NULL;
+
++ if (!codec->data_path || !hdev->get_codec_config_data)
++ return 0;
++
++ /* Do not take me as error */
++ if (!hdev->get_codec_config_data)
++ return 0;
++
+ err = hdev->get_codec_config_data(hdev, ESCO_LINK, codec, &vnd_len,
+ &vnd_data);
+ if (err < 0)
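Review bot: The second added check, `if (!hdev->get_codec_config_data) return 0;` under the comment `/* Do not take me as error */`, can never be taken, because the first added `if` already returns 0 when that callback is NULL. I would drop the duplicate and keep a single guard with the explanation attached to it, e.g. `/* Not an error: no data path to configure, or the driver needs no HCI_Configure_Data_Path */` above `if (!codec->data_path || !hdev->get_codec_config_data)`. The rest of `configure_datapath_sync()` is outside the hunk.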
+@@ -338,9 +345,7 @@ static int hci_enhanced_setup_sync(struct hci_dev *hdev, void *data)
+
+ bt_dev_dbg(hdev, "hcon %p", conn);
+
+- /* for offload use case, codec needs to configured before opening SCO */
+- if (conn->codec.data_path)
+- configure_datapath_sync(hdev, &conn->codec);
++ configure_datapath_sync(hdev, &conn->codec);
+
+ conn->state = BT_CONNECT;
+ conn->out = true;
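Review bot: The call `configure_datapath_sync(hdev, &conn->codec);` discards the `int` result, so a failure reported by `get_codec_config_data()` does not stop the connection setup that follows. The removed lines ignored it as well, so this is not new. Now that the helper returns 0 for the nothing-to-do cases, though, an explicit `err = configure_datapath_sync(hdev, &conn->codec);` with a check would be unambiguous. Whether setup should abort or only log is for the maintainers to decide. The removed comment about configuring the codec before opening SCO was the only statement of the ordering requirement and is worth keeping above the call.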
+--
+2.43.0
+
--- /dev/null
+From 05914d267c52e9be91e1ab2653508fd0ca9e460d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Feb 2024 23:06:46 +0100
+Subject: btrfs: change BUG_ON to assertion in tree_move_down()
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit 56f335e043ae73c32dbb70ba95488845dc0f1e6e ]
+
+There's only one caller of tree_move_down() that does not pass level 0
+so the assertion is better suited here.
+
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/send.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
+index cfbd3ab679117..cc57a97860d8a 100644
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -7185,8 +7185,8 @@ static int tree_move_down(struct btrfs_path *path, int *level, u64 reada_min_gen
+ u64 reada_done = 0;
+
+ lockdep_assert_held_read(&parent->fs_info->commit_root_sem);
++ ASSERT(*level != 0);
+
+- BUG_ON(*level == 0);
+ eb = btrfs_read_node_slot(parent, slot);
+ if (IS_ERR(eb))
+ return PTR_ERR(eb);
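Review bot: `ASSERT(*level != 0)` only checks anything when btrfs assertions are compiled in (`CONFIG_BTRFS_ASSERT`), so on other builds the precondition that `BUG_ON` used to enforce is no longer tested at all. The commit message argues that the single caller never passes level 0; a comment above the assertion would keep that argument next to the code, e.g. `/* The only caller never passes level 0 */`. The same applies to `ASSERT(delayed_node->root)` in the `btrfs_release_delayed_inode()` hunk of the following patch, where the guarantee is said to come from `btrfs_init_delayed_node()`. Both function bodies extend beyond their hunks.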
+--
+2.43.0
+
--- /dev/null
+From 31c3a88897f045c6196f99028da80bda0fc5f1e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Jan 2024 02:26:32 +0100
+Subject: btrfs: change BUG_ON to assertion when checking for delayed_node root
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit be73f4448b607e6b7ce41cd8ef2214fdf6e7986f ]
+
+The pointer to root is initialized in btrfs_init_delayed_node(), no need
+to check for it again. Change the BUG_ON to assertion.
+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/delayed-inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
+index 948104332b4da..052112d0daa74 100644
+--- a/fs/btrfs/delayed-inode.c
++++ b/fs/btrfs/delayed-inode.c
+@@ -968,7 +968,7 @@ static void btrfs_release_delayed_inode(struct btrfs_delayed_node *delayed_node)
+
+ if (delayed_node &&
+ test_bit(BTRFS_DELAYED_NODE_INODE_DIRTY, &delayed_node->flags)) {
+- BUG_ON(!delayed_node->root);
++ ASSERT(delayed_node->root);
+ clear_bit(BTRFS_DELAYED_NODE_INODE_DIRTY, &delayed_node->flags);
+ delayed_node->count--;
+
+--
+2.43.0
+
--- /dev/null
+From b7a78317b68ebb4dd70a938aac0e099f032dba0d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Jan 2024 02:22:37 +0100
+Subject: btrfs: delayed-inode: drop pointless BUG_ON in
+ __btrfs_remove_delayed_item()
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit 778e618b8bfedcc39354373c1b072c5fe044fa7b ]
+
+There's a BUG_ON checking for a valid pointer of fs_info::delayed_root
+but it is valid since init_mount_fs_info() and has the same lifetime as
+fs_info.
+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/delayed-inode.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
+index 1494ce990d298..948104332b4da 100644
+--- a/fs/btrfs/delayed-inode.c
++++ b/fs/btrfs/delayed-inode.c
+@@ -420,8 +420,6 @@ static void __btrfs_remove_delayed_item(struct btrfs_delayed_item *delayed_item)
+
+ delayed_root = delayed_node->root->fs_info->delayed_root;
+
+- BUG_ON(!delayed_root);
+-
+ if (delayed_item->type == BTRFS_DELAYED_INSERTION_ITEM)
+ root = &delayed_node->ins_root;
+ else
+--
+2.43.0
+
--- /dev/null
+From ca2742ea1e688c6a2642adb6f8c9cf78751371a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Feb 2024 23:20:53 +0100
+Subject: btrfs: delete pointless BUG_ON check on quota root in
+ btrfs_qgroup_account_extent()
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit f40a3ea94881f668084f68f6b9931486b1606db0 ]
+
+The BUG_ON is deep in the qgroup code where we can expect that it
+exists. A NULL pointer would cause a crash.
+
+It was added long ago in 550d7a2ed5db35 ("btrfs: qgroup: Add new qgroup
+calculation function btrfs_qgroup_account_extents()."). It maybe made
+sense back then as the quota enable/disable state machine was not that
+robust as it is nowadays, so we can just delete it.
+
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/qgroup.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
+index e482889667ec9..f3b066b442807 100644
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -2697,8 +2697,6 @@ int btrfs_qgroup_account_extent(struct btrfs_trans_handle *trans, u64 bytenr,
+ if (nr_old_roots == 0 && nr_new_roots == 0)
+ goto out_free;
+
+- BUG_ON(!fs_info->quota_root);
+-
+ trace_btrfs_qgroup_account_extent(fs_info, trans->transid, bytenr,
+ num_bytes, nr_old_roots, nr_new_roots);
+
+--
+2.43.0
+
--- /dev/null
+From d16e6deaff9b176879f111445f99aeb846b07469 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jan 2024 22:58:01 +0100
+Subject: btrfs: handle invalid root reference found in may_destroy_subvol()
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit 6fbc6f4ac1f4907da4fc674251527e7dc79ffbf6 ]
+
+The may_destroy_subvol() looks up a root by a key, allowing to do an
+inexact search when key->offset is -1. It's never expected to find such
+item, as it would break the allowed range of a root id.
+
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/inode.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index 10ded9c2be03b..bd3388e1b532e 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -4614,7 +4614,14 @@ static noinline int may_destroy_subvol(struct btrfs_root *root)
+ ret = btrfs_search_slot(NULL, fs_info->tree_root, &key, path, 0, 0);
+ if (ret < 0)
+ goto out;
+- BUG_ON(ret == 0);
++ if (ret == 0) {
++ /*
++ * Key with offset -1 found, there would have to exist a root
++ * with such id, but this is out of valid range.
++ */
++ ret = -EUCLEAN;
++ goto out;
++ }
+
+ ret = 0;
+ if (path->slots[0] > 0) {
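Review bot: The new `ret == 0` branch returns `-EUCLEAN` without logging anything, so a corrupted tree root reaches the user only as a failed subvolume deletion. `fs_info` is in scope in this hunk, so a message before the `goto out` would make the condition diagnosable, e.g. `btrfs_err(fs_info, "unexpected item with key offset -1 found in tree root");` (the wording is only a suggestion). The rest of `may_destroy_subvol()` lies outside the hunk.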
+--
+2.43.0
+
--- /dev/null
+From e06ccc1beba959f023f96f1350f16250577c2f22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Feb 2024 22:47:13 +0100
+Subject: btrfs: send: handle unexpected data in header buffer in begin_cmd()
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit e80e3f732cf53c64b0d811e1581470d67f6c3228 ]
+
+Change BUG_ON to a proper error handling in the unlikely case of seeing
+data when the command is started. This is supposed to be reset when the
+command is finished (send_cmd, send_encoded_extent).
+
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/send.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
+index ec3db315f5618..cfbd3ab679117 100644
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -720,7 +720,12 @@ static int begin_cmd(struct send_ctx *sctx, int cmd)
+ if (WARN_ON(!sctx->send_buf))
+ return -EINVAL;
+
+- BUG_ON(sctx->send_size);
++ if (unlikely(sctx->send_size != 0)) {
++ btrfs_err(sctx->send_root->fs_info,
++ "send: command header buffer not empty cmd %d offset %llu",
++ cmd, sctx->send_off);
++ return -EINVAL;
++ }
+
+ sctx->send_size += sizeof(*hdr);
+ hdr = (struct btrfs_cmd_header *)sctx->send_buf;
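Review bot: The `btrfs_err()` message reports `cmd` and `sctx->send_off` but not `sctx->send_size`, which is the value the check actually rejects. Adding it, with the format specifier that matches its declared type (not visible in this hunk), tells whoever reads the log how much stale data was left in the header buffer. A comment above the `if`, such as `/* leftover data means the previous command was never finished or reset */`, would also carry the reasoning from the commit message into the code.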
+--
+2.43.0
+
--- /dev/null
+From a51702fbb1cf4ae9f31ea126ddd04ef003357ca8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 29 Jan 2024 19:04:33 +0100
+Subject: btrfs: tests: allocate dummy fs_info and root in test_find_delalloc()
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit b2136cc288fce2f24a92f3d656531b2d50ebec5a ]
+
+Allocate fs_info and root to have a valid fs_info pointer in case it's
+dereferenced by a helper outside of tests, like find_lock_delalloc_range().
+
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/tests/extent-io-tests.c | 28 ++++++++++++++++++++++++----
+ 1 file changed, 24 insertions(+), 4 deletions(-)
+
+diff --git a/fs/btrfs/tests/extent-io-tests.c b/fs/btrfs/tests/extent-io-tests.c
+index 350da449db084..d6a5e6afd5dc0 100644
+--- a/fs/btrfs/tests/extent-io-tests.c
++++ b/fs/btrfs/tests/extent-io-tests.c
+@@ -11,6 +11,7 @@
+ #include "btrfs-tests.h"
+ #include "../ctree.h"
+ #include "../extent_io.h"
++#include "../disk-io.h"
+ #include "../btrfs_inode.h"
+
+ #define PROCESS_UNLOCK (1 << 0)
+@@ -105,9 +106,11 @@ static void dump_extent_io_tree(const struct extent_io_tree *tree)
+ }
+ }
+
+-static int test_find_delalloc(u32 sectorsize)
++static int test_find_delalloc(u32 sectorsize, u32 nodesize)
+ {
+- struct inode *inode;
++ struct btrfs_fs_info *fs_info;
++ struct btrfs_root *root = NULL;
++ struct inode *inode = NULL;
+ struct extent_io_tree *tmp;
+ struct page *page;
+ struct page *locked_page = NULL;
+@@ -121,12 +124,27 @@ static int test_find_delalloc(u32 sectorsize)
+
+ test_msg("running find delalloc tests");
+
++ fs_info = btrfs_alloc_dummy_fs_info(nodesize, sectorsize);
++ if (!fs_info) {
++ test_std_err(TEST_ALLOC_FS_INFO);
++ return -ENOMEM;
++ }
++
++ root = btrfs_alloc_dummy_root(fs_info);
++ if (IS_ERR(root)) {
++ test_std_err(TEST_ALLOC_ROOT);
++ ret = PTR_ERR(root);
++ goto out;
++ }
++
+ inode = btrfs_new_test_inode();
+ if (!inode) {
+ test_std_err(TEST_ALLOC_INODE);
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto out;
+ }
+ tmp = &BTRFS_I(inode)->io_tree;
++ BTRFS_I(inode)->root = root;
+
+ /*
+ * Passing NULL as we don't have fs_info but tracepoints are not used
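Review bot: Both new `goto out` paths run before `inode` is allocated, yet the last hunk of this patch shows the exit code calling `process_page_range(inode, 0, total_dirty - 1, ...)` and `iput(inode)` ahead of the added frees. If the `out` label sits above those calls (it is outside the visible hunks), a failed `btrfs_alloc_dummy_root()` or `btrfs_new_test_inode()` reaches `process_page_range()` with `inode == NULL`, and `btrfs_free_dummy_root()` receives an `ERR_PTR` in the first case. A separate label placed after `iput(inode)` and used by these two early exits avoids that; resetting `root` to NULL after the `IS_ERR()` check removes the second concern. The context comment that ends this hunk ("Passing NULL as we don't have fs_info") also no longer matches the function now that a dummy fs_info exists.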
+@@ -316,6 +334,8 @@ static int test_find_delalloc(u32 sectorsize)
+ process_page_range(inode, 0, total_dirty - 1,
+ PROCESS_UNLOCK | PROCESS_RELEASE);
+ iput(inode);
++ btrfs_free_dummy_root(root);
++ btrfs_free_dummy_fs_info(fs_info);
+ return ret;
+ }
+
+@@ -598,7 +618,7 @@ int btrfs_test_extent_io(u32 sectorsize, u32 nodesize)
+
+ test_msg("running extent I/O tests");
+
+- ret = test_find_delalloc(sectorsize);
++ ret = test_find_delalloc(sectorsize, nodesize);
+ if (ret)
+ goto out;
+
+--
+2.43.0
+
--- /dev/null
+From 0fb7e0d87898d6db3e81a4257e1a6bc89a683491 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Feb 2024 16:13:35 +0100
+Subject: clocksource/drivers/arm_global_timer: Guard against division by zero
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+[ Upstream commit e651f2fae33634175fae956d896277cf916f5d09 ]
+
+The result of the division of new_rate by gt_target_rate can be zero (if
+new_rate is smaller than gt_target_rate). Using that result as divisor
+without checking can result in a division by zero error. Guard against
+this by checking for a zero value earlier.
+While here, also change the psv variable to an unsigned long to make
+sure we don't overflow the datatype as all other types involved are also
+unsiged long.
+
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lore.kernel.org/r/20240225151336.2728533-3-martin.blumenstingl@googlemail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/arm_global_timer.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/clocksource/arm_global_timer.c b/drivers/clocksource/arm_global_timer.c
+index e1c773bb55359..22a58d35a41fa 100644
+--- a/drivers/clocksource/arm_global_timer.c
++++ b/drivers/clocksource/arm_global_timer.c
+@@ -290,18 +290,17 @@ static int gt_clk_rate_change_cb(struct notifier_block *nb,
+ switch (event) {
+ case PRE_RATE_CHANGE:
+ {
+- int psv;
++ unsigned long psv;
+
+- psv = DIV_ROUND_CLOSEST(ndata->new_rate,
+- gt_target_rate);
+-
+- if (abs(gt_target_rate - (ndata->new_rate / psv)) > MAX_F_ERR)
++ psv = DIV_ROUND_CLOSEST(ndata->new_rate, gt_target_rate);
++ if (!psv ||
++ abs(gt_target_rate - (ndata->new_rate / psv)) > MAX_F_ERR)
+ return NOTIFY_BAD;
+
+ psv--;
+
+ /* prescaler within legal range? */
+- if (psv < 0 || psv > GT_CONTROL_PRESCALER_MAX)
++ if (psv > GT_CONTROL_PRESCALER_MAX)
+ return NOTIFY_BAD;
+
+ /*
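Review bot: The `!psv` test is what prevents the division by zero in `ndata->new_rate / psv`, but nothing at the check says so. A comment such as `/* psv rounds to 0 when new_rate is below about half of gt_target_rate */` keeps the guard from being folded away in a later cleanup. With `psv` now unsigned, `psv--` is only safe because of that same test, which is a second reason to document it. The switch case continues beyond the hunk.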
+--
+2.43.0
+
--- /dev/null
+From 83d1d03ce78dd1290b5f8303e78629d005396578 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Mar 2024 08:40:23 +0200
+Subject: clocksource: Make watchdog and suspend-timing multiplication overflow
+ safe
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+[ Upstream commit d0304569fb019d1bcfbbbce1ce6df6b96f04079b ]
+
+Kernel timekeeping is designed to keep the change in cycles (since the last
+timer interrupt) below max_cycles, which prevents multiplication overflow
+when converting cycles to nanoseconds. However, if timer interrupts stop,
+the clocksource_cyc2ns() calculation will eventually overflow.
+
+Add protection against that. Simplify by folding together
+clocksource_delta() and clocksource_cyc2ns() into cycles_to_nsec_safe().
+Check against max_cycles, falling back to a slower higher precision
+calculation.
+
+Suggested-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/r/20240325064023.2997-20-adrian.hunter@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/clocksource.c | 42 +++++++++++++++++++--------------------
+ 1 file changed, 20 insertions(+), 22 deletions(-)
+
+diff --git a/kernel/time/clocksource.c b/kernel/time/clocksource.c
+index cd9a59011dee9..a3650699463bb 100644
+--- a/kernel/time/clocksource.c
++++ b/kernel/time/clocksource.c
+@@ -20,6 +20,16 @@
+ #include "tick-internal.h"
+ #include "timekeeping_internal.h"
+
++static noinline u64 cycles_to_nsec_safe(struct clocksource *cs, u64 start, u64 end)
++{
++ u64 delta = clocksource_delta(end, start, cs->mask);
++
++ if (likely(delta < cs->max_cycles))
++ return clocksource_cyc2ns(delta, cs->mult, cs->shift);
++
++ return mul_u64_u32_shr(delta, cs->mult, cs->shift);
++}
++
+ /**
+ * clocks_calc_mult_shift - calculate mult/shift factors for scaled math of clocks
+ * @mult: pointer to mult variable
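Review bot: `cycles_to_nsec_safe()` is added without a comment, and its argument order (`start`, `end`) is the reverse of the `clocksource_delta(end, start, mask)` call it wraps, which makes a swapped call easy to write and hard to spot. A short kernel-doc block above it should state that it returns the nanoseconds elapsed between two readings of `cs`. It should also say that the helper switches to `mul_u64_u32_shr()` once the delta reaches `cs->max_cycles`, because the plain multiplication in `clocksource_cyc2ns()` could then overflow. The later hunks of this patch pass (older, newer) consistently; the comment is there to keep future callers doing the same.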
+@@ -219,8 +229,8 @@ enum wd_read_status {
+ static enum wd_read_status cs_watchdog_read(struct clocksource *cs, u64 *csnow, u64 *wdnow)
+ {
+ unsigned int nretries, max_retries;
+- u64 wd_end, wd_end2, wd_delta;
+ int64_t wd_delay, wd_seq_delay;
++ u64 wd_end, wd_end2;
+
+ max_retries = clocksource_get_max_watchdog_retry();
+ for (nretries = 0; nretries <= max_retries; nretries++) {
+@@ -231,9 +241,7 @@ static enum wd_read_status cs_watchdog_read(struct clocksource *cs, u64 *csnow,
+ wd_end2 = watchdog->read(watchdog);
+ local_irq_enable();
+
+- wd_delta = clocksource_delta(wd_end, *wdnow, watchdog->mask);
+- wd_delay = clocksource_cyc2ns(wd_delta, watchdog->mult,
+- watchdog->shift);
++ wd_delay = cycles_to_nsec_safe(watchdog, *wdnow, wd_end);
+ if (wd_delay <= WATCHDOG_MAX_SKEW) {
+ if (nretries > 1 && nretries >= max_retries) {
+ pr_warn("timekeeping watchdog on CPU%d: %s retried %d times before success\n",
+@@ -251,8 +259,7 @@ static enum wd_read_status cs_watchdog_read(struct clocksource *cs, u64 *csnow,
+ * report system busy, reinit the watchdog and skip the current
+ * watchdog test.
+ */
+- wd_delta = clocksource_delta(wd_end2, wd_end, watchdog->mask);
+- wd_seq_delay = clocksource_cyc2ns(wd_delta, watchdog->mult, watchdog->shift);
++ wd_seq_delay = cycles_to_nsec_safe(watchdog, wd_end, wd_end2);
+ if (wd_seq_delay > WATCHDOG_MAX_SKEW/2)
+ goto skip_test;
+ }
+@@ -363,8 +370,7 @@ void clocksource_verify_percpu(struct clocksource *cs)
+ delta = (csnow_end - csnow_mid) & cs->mask;
+ if (delta < 0)
+ cpumask_set_cpu(cpu, &cpus_ahead);
+- delta = clocksource_delta(csnow_end, csnow_begin, cs->mask);
+- cs_nsec = clocksource_cyc2ns(delta, cs->mult, cs->shift);
++ cs_nsec = cycles_to_nsec_safe(cs, csnow_begin, csnow_end);
+ if (cs_nsec > cs_nsec_max)
+ cs_nsec_max = cs_nsec;
+ if (cs_nsec < cs_nsec_min)
+@@ -395,8 +401,8 @@ static inline void clocksource_reset_watchdog(void)
+
+ static void clocksource_watchdog(struct timer_list *unused)
+ {
+- u64 csnow, wdnow, cslast, wdlast, delta;
+ int64_t wd_nsec, cs_nsec, interval;
++ u64 csnow, wdnow, cslast, wdlast;
+ int next_cpu, reset_pending;
+ struct clocksource *cs;
+ enum wd_read_status read_ret;
+@@ -453,12 +459,8 @@ static void clocksource_watchdog(struct timer_list *unused)
+ continue;
+ }
+
+- delta = clocksource_delta(wdnow, cs->wd_last, watchdog->mask);
+- wd_nsec = clocksource_cyc2ns(delta, watchdog->mult,
+- watchdog->shift);
+-
+- delta = clocksource_delta(csnow, cs->cs_last, cs->mask);
+- cs_nsec = clocksource_cyc2ns(delta, cs->mult, cs->shift);
++ wd_nsec = cycles_to_nsec_safe(watchdog, cs->wd_last, wdnow);
++ cs_nsec = cycles_to_nsec_safe(cs, cs->cs_last, csnow);
+ wdlast = cs->wd_last; /* save these in case we print them */
+ cslast = cs->cs_last;
+ cs->cs_last = csnow;
+@@ -821,7 +823,7 @@ void clocksource_start_suspend_timing(struct clocksource *cs, u64 start_cycles)
+ */
+ u64 clocksource_stop_suspend_timing(struct clocksource *cs, u64 cycle_now)
+ {
+- u64 now, delta, nsec = 0;
++ u64 now, nsec = 0;
+
+ if (!suspend_clocksource)
+ return 0;
+@@ -836,12 +838,8 @@ u64 clocksource_stop_suspend_timing(struct clocksource *cs, u64 cycle_now)
+ else
+ now = suspend_clocksource->read(suspend_clocksource);
+
+- if (now > suspend_start) {
+- delta = clocksource_delta(now, suspend_start,
+- suspend_clocksource->mask);
+- nsec = mul_u64_u32_shr(delta, suspend_clocksource->mult,
+- suspend_clocksource->shift);
+- }
++ if (now > suspend_start)
++ nsec = cycles_to_nsec_safe(suspend_clocksource, suspend_start, now);
+
+ /*
+ * Disable the suspend timer to save power if current clocksource is
+--
+2.43.0
+
--- /dev/null
+From f755bc6a094a422d32a6c64035c752ca04668144 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 May 2024 17:14:45 +0800
+Subject: drm/amdgpu: fix dereference null return value for the function
+ amdgpu_vm_pt_parent
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jesse Zhang <jesse.zhang@amd.com>
+
+[ Upstream commit 511a623fb46a6cf578c61d4f2755783c48807c77 ]
+
+The pointer parent may be NULLed by the function amdgpu_vm_pt_parent.
+To make the code more robust, check the pointer parent.
+
+Signed-off-by: Jesse Zhang <Jesse.Zhang@amd.com>
+Suggested-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_vm_pt.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm_pt.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm_pt.c
+index 69b3829bbe53f..370d02bdde862 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm_pt.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm_pt.c
+@@ -754,11 +754,15 @@ int amdgpu_vm_pde_update(struct amdgpu_vm_update_params *params,
+ struct amdgpu_vm_bo_base *entry)
+ {
+ struct amdgpu_vm_bo_base *parent = amdgpu_vm_pt_parent(entry);
+- struct amdgpu_bo *bo = parent->bo, *pbo;
++ struct amdgpu_bo *bo, *pbo;
+ struct amdgpu_vm *vm = params->vm;
+ uint64_t pde, pt, flags;
+ unsigned int level;
+
++ if (WARN_ON(!parent))
++ return -EINVAL;
++
++ bo = parent->bo;
+ for (level = 0, pbo = bo->parent; pbo; ++level)
+ pbo = pbo->parent;
+
+--
+2.43.0
+
--- /dev/null
+From 446e7eb59c66c034599fde1946932a5f6393a89e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Dec 2023 17:10:34 +0800
+Subject: drm/amdgpu/gfx11: need acquire mutex before access CP_VMID_RESET v2
+
+From: Jack Xiao <Jack.Xiao@amd.com>
+
+[ Upstream commit 4b5c5f5ad38b9435518730cc7f8f1e8de9c5cb2f ]
+
+It's required to take the gfx mutex before access to CP_VMID_RESET,
+for there is a race condition with CP firmware to write the register.
+
+v2: add extra code to ensure the mutex releasing is successful.
+
+Signed-off-by: Jack Xiao <Jack.Xiao@amd.com>
+Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 48 +++++++++++++++++++++++++-
+ 1 file changed, 47 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c
+index 1f9f7fdd4b8e0..85598c08897a0 100644
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c
+@@ -4521,11 +4521,43 @@ static int gfx_v11_0_wait_for_idle(void *handle)
+ return -ETIMEDOUT;
+ }
+
++static int gfx_v11_0_request_gfx_index_mutex(struct amdgpu_device *adev,
++ int req)
++{
++ u32 i, tmp, val;
++
++ for (i = 0; i < adev->usec_timeout; i++) {
++ /* Request with MeId=2, PipeId=0 */
++ tmp = REG_SET_FIELD(0, CP_GFX_INDEX_MUTEX, REQUEST, req);
++ tmp = REG_SET_FIELD(tmp, CP_GFX_INDEX_MUTEX, CLIENTID, 4);
++ WREG32_SOC15(GC, 0, regCP_GFX_INDEX_MUTEX, tmp);
++
++ val = RREG32_SOC15(GC, 0, regCP_GFX_INDEX_MUTEX);
++ if (req) {
++ if (val == tmp)
++ break;
++ } else {
++ tmp = REG_SET_FIELD(tmp, CP_GFX_INDEX_MUTEX,
++ REQUEST, 1);
++
++ /* unlocked or locked by firmware */
++ if (val != tmp)
++ break;
++ }
++ udelay(1);
++ }
++
++ if (i >= adev->usec_timeout)
++ return -EINVAL;
++
++ return 0;
++}
++
+ static int gfx_v11_0_soft_reset(void *handle)
+ {
+ u32 grbm_soft_reset = 0;
+ u32 tmp;
+- int i, j, k;
++ int r, i, j, k;
+ struct amdgpu_device *adev = (struct amdgpu_device *)handle;
+
+ tmp = RREG32_SOC15(GC, 0, regCP_INT_CNTL);
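Review bot: `gfx_v11_0_request_gfx_index_mutex()` returns `-EINVAL` when the poll loop runs out, while `gfx_v11_0_wait_for_idle()` directly above it in this hunk returns `-ETIMEDOUT` for the same kind of failure. `return -ETIMEDOUT;` would let callers and logs tell a firmware that never granted the mutex apart from a bad argument. The helper also has no header comment: `req` is used as a flag (non-zero to acquire, 0 to release) and the `CLIENTID` value `4` is explained only by the in-loop comment `MeId=2, PipeId=0`. Both belong in a short comment above the function.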
+@@ -4565,6 +4597,13 @@ static int gfx_v11_0_soft_reset(void *handle)
+ }
+ }
+
++ /* Try to acquire the gfx mutex before access to CP_VMID_RESET */
++ r = gfx_v11_0_request_gfx_index_mutex(adev, 1);
++ if (r) {
++ DRM_ERROR("Failed to acquire the gfx mutex during soft reset\n");
++ return r;
++ }
++
+ WREG32_SOC15(GC, 0, regCP_VMID_RESET, 0xfffffffe);
+
+ // Read CP_VMID_RESET register three times.
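Review bot: The early `return r;` after a failed acquire leaves `gfx_v11_0_soft_reset()` part-way through, and it is not visible here whether anything done earlier needs undoing. The top of the function, shown as context in the previous hunk, already reads `regCP_INT_CNTL`, presumably to modify it, and the lines in between are outside the hunks. The same question applies to the release path in the next hunk, where returning on failure means the mutex may still be held by the driver when the function exits. A comment at each `return r;` stating what state the CP is left in, or a shared unwind label if anything must be restored, would settle it.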
+@@ -4573,6 +4612,13 @@ static int gfx_v11_0_soft_reset(void *handle)
+ RREG32_SOC15(GC, 0, regCP_VMID_RESET);
+ RREG32_SOC15(GC, 0, regCP_VMID_RESET);
+
++ /* release the gfx mutex */
++ r = gfx_v11_0_request_gfx_index_mutex(adev, 0);
++ if (r) {
++ DRM_ERROR("Failed to release the gfx mutex during soft reset\n");
++ return r;
++ }
++
+ for (i = 0; i < adev->usec_timeout; i++) {
+ if (!RREG32_SOC15(GC, 0, regCP_HQD_ACTIVE) &&
+ !RREG32_SOC15(GC, 0, regCP_GFX_HQD_ACTIVE))
+--
+2.43.0
+
--- /dev/null
+From 023a28e1738f3fe83eb2aebc8c91d2733bcaebb8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jan 2024 03:59:43 +0100
+Subject: drm/lima: set gp bus_stop bit before hard reset
+
+From: Erico Nunes <nunes.erico@gmail.com>
+
+[ Upstream commit 27aa58ec85f973d98d336df7b7941149308db80f ]
+
+This is required for reliable hard resets. Otherwise, doing a hard reset
+while a task is still running (such as a task which is being stopped by
+the drm_sched timeout handler) may result in random mmu write timeouts
+or lockups which cause the entire gpu to hang.
+
+Signed-off-by: Erico Nunes <nunes.erico@gmail.com>
+Signed-off-by: Qiang Yu <yuq825@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240124025947.2110659-5-nunes.erico@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/lima/lima_gp.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/gpu/drm/lima/lima_gp.c b/drivers/gpu/drm/lima/lima_gp.c
+index ca3842f719842..82071835ec9ed 100644
+--- a/drivers/gpu/drm/lima/lima_gp.c
++++ b/drivers/gpu/drm/lima/lima_gp.c
+@@ -166,6 +166,11 @@ static void lima_gp_task_run(struct lima_sched_pipe *pipe,
+ gp_write(LIMA_GP_CMD, cmd);
+ }
+
++static int lima_gp_bus_stop_poll(struct lima_ip *ip)
++{
++ return !!(gp_read(LIMA_GP_STATUS) & LIMA_GP_STATUS_BUS_STOPPED);
++}
++
+ static int lima_gp_hard_reset_poll(struct lima_ip *ip)
+ {
+ gp_write(LIMA_GP_PERF_CNT_0_LIMIT, 0xC01A0000);
+@@ -179,6 +184,13 @@ static int lima_gp_hard_reset(struct lima_ip *ip)
+
+ gp_write(LIMA_GP_PERF_CNT_0_LIMIT, 0xC0FFE000);
+ gp_write(LIMA_GP_INT_MASK, 0);
++
++ gp_write(LIMA_GP_CMD, LIMA_GP_CMD_STOP_BUS);
++ ret = lima_poll_timeout(ip, lima_gp_bus_stop_poll, 10, 100);
++ if (ret) {
++ dev_err(dev->dev, "%s bus stop timeout\n", lima_ip_name(ip));
++ return ret;
++ }
+ gp_write(LIMA_GP_CMD, LIMA_GP_CMD_RESET);
+ ret = lima_poll_timeout(ip, lima_gp_hard_reset_poll, 10, 100);
+ if (ret) {
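Review bot: On a bus-stop timeout the new path in lima_gp_hard_reset() returns before `LIMA_GP_CMD_RESET` is written, yet `LIMA_GP_INT_MASK` has already been cleared a few lines earlier, so the GP is left un-reset with its interrupts masked. If skipping the reset is deliberate, say so above the early return, for example `/* never reset while the bus is still active; the caller handles the failure */`. What the caller does with the error is outside this hunk. The poll arguments `10, 100` are now duplicated between the bus-stop poll and the reset poll and would read better as named constants.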
+--
+2.43.0
+
--- /dev/null
+From dc832d086f21fd92026e34354329b001b63247ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Nov 2023 07:14:19 -0800
+Subject: drm/msm: Reduce fallout of fence signaling vs reclaim hangs
+
+From: Rob Clark <robdclark@chromium.org>
+
+[ Upstream commit 4bea53b9c7c72fd12a0ceebe88a71723c0a514b8 ]
+
+Until various PM devfreq/QoS and interconnect patches land, we could
+potentially trigger reclaim from gpu scheduler thread, and under enough
+memory pressure that could trigger a sort of deadlock. Eventually the
+wait will timeout and we'll move on to consider other GEM objects. But
+given that there is still a potential for deadlock/stalling, we should
+reduce the timeout to contain the damage.
+
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Patchwork: https://patchwork.freedesktop.org/patch/568031/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/msm/msm_gem_shrinker.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/msm/msm_gem_shrinker.c b/drivers/gpu/drm/msm/msm_gem_shrinker.c
+index 31f054c903a43..a35c98306f1e5 100644
+--- a/drivers/gpu/drm/msm/msm_gem_shrinker.c
++++ b/drivers/gpu/drm/msm/msm_gem_shrinker.c
+@@ -76,7 +76,7 @@ static bool
+ wait_for_idle(struct drm_gem_object *obj)
+ {
+ enum dma_resv_usage usage = dma_resv_usage_rw(true);
+- return dma_resv_wait_timeout(obj->resv, usage, false, 1000) > 0;
++ return dma_resv_wait_timeout(obj->resv, usage, false, 10) > 0;
+ }
+
+ static bool
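Review bot: The new timeout `10` passed to dma_resv_wait_timeout() in wait_for_idle() is a jiffies count, so the bound the commit wants to tighten depends on CONFIG_HZ (10 ms at HZ=1000, 100 ms at HZ=100). Make the unit explicit with `return dma_resv_wait_timeout(obj->resv, usage, false, msecs_to_jiffies(10)) > 0;`. Alternatively keep the raw value and add a comment such as `/* short wait: reclaim may be running from the scheduler thread */`, so the number is not raised again without knowing why it is small.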
+--
+2.43.0
+
--- /dev/null
+From ddefd2d688d1a742b6f130c005a0c6a81c2de207 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Dec 2023 19:57:41 +0800
+Subject: drm/rockchip: vop2: clear afbc en and transform bit for cluster
+ window at linear mode
+
+From: Andy Yan <andy.yan@rock-chips.com>
+
+[ Upstream commit 20529a68307feed00dd3d431d3fff0572616b0f2 ]
+
+The enable bit and transform offset of cluster windows should be
+cleared when it work at linear mode, or we may have a iommu fault
+issue on rk3588 which cluster windows switch between afbc and linear
+mode.
+
+As the cluster windows of rk3568 only supports afbc format
+so is therefore not affected.
+
+Signed-off-by: Andy Yan <andy.yan@rock-chips.com>
+Reviewed-by: Sascha Hauer <s.hauer@pengutronix.de>
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20231211115741.1784954-1-andyshrk@163.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/rockchip/rockchip_drm_vop2.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c b/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c
+index 80b8c83342840..a6071464a543f 100644
+--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c
++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop2.c
+@@ -1258,6 +1258,11 @@ static void vop2_plane_atomic_update(struct drm_plane *plane,
+ vop2_win_write(win, VOP2_WIN_AFBC_ROTATE_270, rotate_270);
+ vop2_win_write(win, VOP2_WIN_AFBC_ROTATE_90, rotate_90);
+ } else {
++ if (vop2_cluster_window(win)) {
++ vop2_win_write(win, VOP2_WIN_AFBC_ENABLE, 0);
++ vop2_win_write(win, VOP2_WIN_AFBC_TRANSFORM_OFFSET, 0);
++ }
++
+ vop2_win_write(win, VOP2_WIN_YRGB_VIR, DIV_ROUND_UP(fb->pitches[0], 4));
+ }
+
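Review bot: The new `vop2_cluster_window(win)` block in the linear-mode branch has no comment, and why a linear plane writes AFBC registers is not obvious from the code. The reason is only in the commit message (stale AFBC state causing IOMMU faults on rk3588 when a cluster window switches from afbc to linear). Add it above the block, e.g. `/* cluster windows keep AFBC state across mode switches; clear it or the next linear scanout may fault in the IOMMU */`. vop2_plane_atomic_update() starts and ends outside this hunk.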
+--
+2.43.0
+
--- /dev/null
+From fc75ecb7900c8ffdf46281de6aa18c6b8ad7f92b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jan 2024 22:20:34 +0800
+Subject: ext4: do not trim the group with corrupted block bitmap
+
+From: Baokun Li <libaokun1@huawei.com>
+
+[ Upstream commit 172202152a125955367393956acf5f4ffd092e0d ]
+
+Otherwise operating on an incorrupted block bitmap can lead to all sorts
+of unknown problems.
+
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20240104142040.2835097-3-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/mballoc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
+index 004ad321a45d6..c723ee3e49959 100644
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -6483,6 +6483,9 @@ __releases(ext4_group_lock_ptr(sb, e4b->bd_group))
+ bool set_trimmed = false;
+ void *bitmap;
+
++ if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info)))
++ return 0;
++
+ last = ext4_last_grp_cluster(sb, e4b->bd_group);
+ bitmap = e4b->bd_bitmap;
+ if (start == 0 && max >= last)
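Review bot: The early `return 0` for a group flagged EXT4_MB_GRP_BBITMAP_CORRUPT is indistinguishable, to the caller, from a group in which nothing needed trimming, and nothing in the code says the skip is deliberate. Add a one-line comment above the check, for example `/* never issue discards based on a bitmap already marked corrupt */`. The check sits before `set_trimmed` is evaluated, so the group should not be recorded as trimmed on this path, but the code that acts on `set_trimmed` is outside the hunk and worth confirming.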
+--
+2.43.0
+
--- /dev/null
+From 318734557e8ad4ae38ded714a49eb3071993e196 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Mar 2024 19:33:24 +0800
+Subject: ext4: set the type of max_zeroout to unsigned int to avoid overflow
+
+From: Baokun Li <libaokun1@huawei.com>
+
+[ Upstream commit 261341a932d9244cbcd372a3659428c8723e5a49 ]
+
+The max_zeroout is of type int and the s_extent_max_zeroout_kb is of
+type uint, and the s_extent_max_zeroout_kb can be freely modified via
+the sysfs interface. When the block size is 1024, max_zeroout may
+overflow, so declare it as unsigned int to avoid overflow.
+
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20240319113325.3110393-9-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/extents.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index 5cbe5ae5ad4a2..92b540754799c 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -3404,9 +3404,10 @@ static int ext4_ext_convert_to_initialized(handle_t *handle,
+ struct ext4_extent *ex, *abut_ex;
+ ext4_lblk_t ee_block, eof_block;
+ unsigned int ee_len, depth, map_len = map->m_len;
+- int allocated = 0, max_zeroout = 0;
+ int err = 0;
+ int split_flag = EXT4_EXT_DATA_VALID2;
++ int allocated = 0;
++ unsigned int max_zeroout = 0;
+
+ ext_debug(inode, "logical block %llu, max_blocks %u\n",
+ (unsigned long long)map->m_lblk, map_len);
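Review bot: Making `max_zeroout` an `unsigned int` while `allocated` stays `int` changes any later comparison between the two, or between `max_zeroout` and another signed value, into an unsigned comparison. Those uses are further down in ext4_ext_convert_to_initialized(), outside this hunk, and should be checked for a signed operand that can be negative. The value still comes unclamped from the sysfs-writable `s_extent_max_zeroout_kb` mentioned in the commit message, so a short comment on the declaration would help, e.g. `/* unsigned: derived from s_extent_max_zeroout_kb, user-settable via sysfs */`.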
+--
+2.43.0
+
--- /dev/null
+From 7f98f4221e9daf8b6a7e2977b9f943aacb1e0b24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Feb 2024 19:59:54 +0800
+Subject: f2fs: fix to do sanity check in update_sit_entry
+
+From: Zhiguo Niu <zhiguo.niu@unisoc.com>
+
+[ Upstream commit 36959d18c3cf09b3c12157c6950e18652067de77 ]
+
+If GET_SEGNO return NULL_SEGNO for some unecpected case,
+update_sit_entry will access invalid memory address,
+cause system crash. It is better to do sanity check about
+GET_SEGNO just like update_segment_mtime & locate_dirty_segment.
+
+Also remove some redundant judgment code.
+
+Signed-off-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/segment.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
+index 1264a350d4d75..947849e66b0a7 100644
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -2191,6 +2191,8 @@ static void update_sit_entry(struct f2fs_sb_info *sbi, block_t blkaddr, int del)
+ #endif
+
+ segno = GET_SEGNO(sbi, blkaddr);
++ if (segno == NULL_SEGNO)
++ return;
+
+ se = get_seg_entry(sbi, segno);
+ new_vblocks = se->valid_blocks + del;
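Review bot: The new `if (segno == NULL_SEGNO) return;` in update_sit_entry() is silent, and after the second hunk drops the caller-side check in f2fs_allocate_data_block() it covers two different situations. For `old_blkaddr` the caller previously treated it as an expected case. For the `*new_blkaddr, 1` call it would mean a freshly allocated block has no segment, and the SIT accounting is then skipped without any trace. Add a comment above the check naming which callers may legitimately pass such an address, e.g. `/* old_blkaddr of a never-written block has no segment; anything else here is unexpected */`, and consider a warning for the unexpected case. The function body continues outside the hunk.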
+@@ -3286,8 +3288,7 @@ void f2fs_allocate_data_block(struct f2fs_sb_info *sbi, struct page *page,
+ * since SSR needs latest valid block information.
+ */
+ update_sit_entry(sbi, *new_blkaddr, 1);
+- if (GET_SEGNO(sbi, old_blkaddr) != NULL_SEGNO)
+- update_sit_entry(sbi, old_blkaddr, -1);
++ update_sit_entry(sbi, old_blkaddr, -1);
+
+ if (!__has_curseg_space(sbi, curseg)) {
+ if (from_gc)
+--
+2.43.0
+
--- /dev/null
+From d10d5747985eaa4fd81a9b3d523d86cfcc497466 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Apr 2024 21:20:21 -0400
+Subject: fbdev: offb: replace of_node_put with __free(device_node)
+
+From: Abdulrasaq Lawani <abdulrasaqolawani@gmail.com>
+
+[ Upstream commit ce4a7ae84a58b9f33aae8d6c769b3c94f3d5ce76 ]
+
+Replaced instance of of_node_put with __free(device_node)
+to simplify code and protect against any memory leaks
+due to future changes in the control flow.
+
+Suggested-by: Julia Lawall <julia.lawall@inria.fr>
+Signed-off-by: Abdulrasaq Lawani <abdulrasaqolawani@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/offb.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/video/fbdev/offb.c b/drivers/video/fbdev/offb.c
+index 91001990e351c..6f0a9851b0924 100644
+--- a/drivers/video/fbdev/offb.c
++++ b/drivers/video/fbdev/offb.c
+@@ -355,7 +355,7 @@ static void offb_init_palette_hacks(struct fb_info *info, struct device_node *dp
+ par->cmap_type = cmap_gxt2000;
+ } else if (of_node_name_prefix(dp, "vga,Display-")) {
+ /* Look for AVIVO initialized by SLOF */
+- struct device_node *pciparent = of_get_parent(dp);
++ struct device_node *pciparent __free(device_node) = of_get_parent(dp);
+ const u32 *vid, *did;
+ vid = of_get_property(pciparent, "vendor-id", NULL);
+ did = of_get_property(pciparent, "device-id", NULL);
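Review bot: The `__free(device_node)` annotation on `pciparent` only builds if the target tree already defines the device_node cleanup class (a DEFINE_FREE in include/linux/of.h upstream). Nothing in this patch adds it, so the backport needs that prerequisite in the stable branch it is queued for. Scope-based cleanup also requires the declaration and its initializer to stay on one line as written here; a comment such as `/* released automatically at end of scope */` would keep a later edit from splitting them or re-adding an of_node_put().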
+@@ -367,7 +367,6 @@ static void offb_init_palette_hacks(struct fb_info *info, struct device_node *dp
+ if (par->cmap_adr)
+ par->cmap_type = cmap_avivo;
+ }
+- of_node_put(pciparent);
+ } else if (dp && of_device_is_compatible(dp, "qemu,std-vga")) {
+ #ifdef __BIG_ENDIAN
+ const __be32 io_of_addr[3] = { 0x01000000, 0x0, 0x0 };
+--
+2.43.0
+
--- /dev/null
+From 8e2cd7e06b3bfd2a95613c678288c0d58bf28ac3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Mar 2024 10:53:53 +0000
+Subject: firmware: cirrus: cs_dsp: Initialize debugfs_root to invalid
+
+From: Richard Fitzgerald <rf@opensource.cirrus.com>
+
+[ Upstream commit 66626b15636b5f5cf3d7f6104799f77462748974 ]
+
+Initialize debugfs_root to -ENODEV so that if the client never sets a
+valid debugfs root the debugfs files will not be created.
+
+A NULL pointer passed to any of the debugfs_create_*() functions means
+"create in the root of debugfs". It doesn't mean "ignore".
+
+Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
+Link: https://msgid.link/r/20240307105353.40067-1-rf@opensource.cirrus.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/cirrus/cs_dsp.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/cirrus/cs_dsp.c b/drivers/firmware/cirrus/cs_dsp.c
+index ee4c32669607f..68005cce01360 100644
+--- a/drivers/firmware/cirrus/cs_dsp.c
++++ b/drivers/firmware/cirrus/cs_dsp.c
+@@ -490,7 +490,7 @@ void cs_dsp_cleanup_debugfs(struct cs_dsp *dsp)
+ {
+ cs_dsp_debugfs_clear(dsp);
+ debugfs_remove_recursive(dsp->debugfs_root);
+- dsp->debugfs_root = NULL;
++ dsp->debugfs_root = ERR_PTR(-ENODEV);
+ }
+ EXPORT_SYMBOL_GPL(cs_dsp_cleanup_debugfs);
+ #else
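Review bot: Replacing NULL with `ERR_PTR(-ENODEV)` as the "no debugfs root" value means any remaining test of the form `if (dsp->debugfs_root)` or `if (!dsp->debugfs_root)` now treats the sentinel as a valid dentry. The code that creates and uses the root is outside these hunks and should be checked to use `IS_ERR()` / `IS_ERR_OR_NULL()` instead. The same sentinel is set in cs_dsp_common_init() in the second hunk. The commit message explains why this matters (a NULL parent creates the files in the debugfs root instead of nowhere), and that is worth a line next to the assignment here as well: `/* NULL would mean "debugfs root", not "none" */`.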
+@@ -2300,6 +2300,11 @@ static int cs_dsp_common_init(struct cs_dsp *dsp)
+
+ mutex_init(&dsp->pwr_lock);
+
++#ifdef CONFIG_DEBUG_FS
++ /* Ensure this is invalid if client never provides a debugfs root */
++ dsp->debugfs_root = ERR_PTR(-ENODEV);
++#endif
++
+ return 0;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From a61493aad1de10275fa140c4f5c5449d1f95957a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Jan 2024 07:06:37 -0800
+Subject: fs: binfmt_elf_efpic: don't use missing interpreter's properties
+
+From: Max Filippov <jcmvbkbc@gmail.com>
+
+[ Upstream commit 15fd1dc3dadb4268207fa6797e753541aca09a2a ]
+
+Static FDPIC executable may get an executable stack even when it has
+non-executable GNU_STACK segment. This happens when STACK segment has rw
+permissions, but does not specify stack size. In that case FDPIC loader
+uses permissions of the interpreter's stack, and for static executables
+with no interpreter it results in choosing the arch-default permissions
+for the stack.
+
+Fix that by using the interpreter's properties only when the interpreter
+is actually used.
+
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Link: https://lore.kernel.org/r/20240118150637.660461-1-jcmvbkbc@gmail.com
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/binfmt_elf_fdpic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c
+index 2aecd4ffb13b3..c71a409273150 100644
+--- a/fs/binfmt_elf_fdpic.c
++++ b/fs/binfmt_elf_fdpic.c
+@@ -320,7 +320,7 @@ static int load_elf_fdpic_binary(struct linux_binprm *bprm)
+ else
+ executable_stack = EXSTACK_DEFAULT;
+
+- if (stack_size == 0) {
++ if (stack_size == 0 && interp_params.flags & ELF_FDPIC_FLAG_PRESENT) {
+ stack_size = interp_params.stack_size;
+ if (interp_params.flags & ELF_FDPIC_FLAG_EXEC_STACK)
+ executable_stack = EXSTACK_ENABLE_X;
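Review bot: The new condition `stack_size == 0 && interp_params.flags & ELF_FDPIC_FLAG_PRESENT` relies on `&` binding tighter than `&&`. It parses as intended, but in a check that decides whether the stack becomes executable it should not need a precedence table to read: `if (stack_size == 0 && (interp_params.flags & ELF_FDPIC_FLAG_PRESENT)) {`. When the binary is static and declares no stack size, `stack_size` now stays 0 past this block. Whatever supplies the default is outside the hunk and should be confirmed to handle that.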
+--
+2.43.0
+
--- /dev/null
+From d9e9122aea394165c3793660b877f3aaeb2fc013 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Sep 2023 00:19:39 -0400
+Subject: fuse: fix UAF in rcu pathwalks
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 053fc4f755ad43cf35210677bcba798ccdc48d0c ]
+
+->permission(), ->get_link() and ->inode_get_acl() might dereference
+->s_fs_info (and, in case of ->permission(), ->s_fs_info->fc->user_ns
+as well) when called from rcu pathwalk.
+
+Freeing ->s_fs_info->fc is rcu-delayed; we need to make freeing ->s_fs_info
+and dropping ->user_ns rcu-delayed too.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fuse/cuse.c | 3 +--
+ fs/fuse/fuse_i.h | 1 +
+ fs/fuse/inode.c | 15 +++++++++++----
+ 3 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/fs/fuse/cuse.c b/fs/fuse/cuse.c
+index c7d882a9fe339..295344a462e1d 100644
+--- a/fs/fuse/cuse.c
++++ b/fs/fuse/cuse.c
+@@ -474,8 +474,7 @@ static int cuse_send_init(struct cuse_conn *cc)
+
+ static void cuse_fc_release(struct fuse_conn *fc)
+ {
+- struct cuse_conn *cc = fc_to_cc(fc);
+- kfree_rcu(cc, fc.rcu);
++ kfree(fc_to_cc(fc));
+ }
+
+ /**
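Review bot: cuse_fc_release() now frees the connection with a plain `kfree()`, which is only safe because the RCU grace period has moved into fuse_conn_put() (the call_rcu() added in fs/fuse/inode.c). Nothing at this site says so, and the same applies to fuse_free_conn() in the later hunk. Add a comment in both places, e.g. `/* only called via fuse_conn_put(), after an RCU grace period */`. A `->release` invoked directly from any other path would free memory that an RCU pathwalk can still dereference. Whether such a caller exists cannot be seen from these hunks.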
+diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h
+index 253b9b78d6f13..66c2a99994683 100644
+--- a/fs/fuse/fuse_i.h
++++ b/fs/fuse/fuse_i.h
+@@ -872,6 +872,7 @@ struct fuse_mount {
+
+ /* Entry on fc->mounts */
+ struct list_head fc_entry;
++ struct rcu_head rcu;
+ };
+
+ static inline struct fuse_mount *get_fuse_mount_super(struct super_block *sb)
+diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
+index f19bdd7cbd779..64618548835b4 100644
+--- a/fs/fuse/inode.c
++++ b/fs/fuse/inode.c
+@@ -925,6 +925,14 @@ void fuse_conn_init(struct fuse_conn *fc, struct fuse_mount *fm,
+ }
+ EXPORT_SYMBOL_GPL(fuse_conn_init);
+
++static void delayed_release(struct rcu_head *p)
++{
++ struct fuse_conn *fc = container_of(p, struct fuse_conn, rcu);
++
++ put_user_ns(fc->user_ns);
++ fc->release(fc);
++}
++
+ void fuse_conn_put(struct fuse_conn *fc)
+ {
+ if (refcount_dec_and_test(&fc->count)) {
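Review bot: delayed_release() is an RCU callback, so `put_user_ns()` and every `fc->release()` implementation now run in atomic (softirq) context and must not sleep. Before this change `->release` was called directly from fuse_conn_put(). The two implementations visible in this patch only call kfree(), but any other one, including out-of-tree, is not visible here and needs checking. Document the new constraint on the function, e.g. `/* RCU callback: ->release() must not sleep */`, and a less generic name such as `fuse_conn_release_rcu` would make the context obvious at the call_rcu() site in the next hunk.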
+@@ -936,13 +944,12 @@ void fuse_conn_put(struct fuse_conn *fc)
+ if (fiq->ops->release)
+ fiq->ops->release(fiq);
+ put_pid_ns(fc->pid_ns);
+- put_user_ns(fc->user_ns);
+ bucket = rcu_dereference_protected(fc->curr_bucket, 1);
+ if (bucket) {
+ WARN_ON(atomic_read(&bucket->count) != 1);
+ kfree(bucket);
+ }
+- fc->release(fc);
++ call_rcu(&fc->rcu, delayed_release);
+ }
+ }
+ EXPORT_SYMBOL_GPL(fuse_conn_put);
+@@ -1356,7 +1363,7 @@ EXPORT_SYMBOL_GPL(fuse_send_init);
+ void fuse_free_conn(struct fuse_conn *fc)
+ {
+ WARN_ON(!list_empty(&fc->devices));
+- kfree_rcu(fc, rcu);
++ kfree(fc);
+ }
+ EXPORT_SYMBOL_GPL(fuse_free_conn);
+
+@@ -1895,7 +1902,7 @@ static void fuse_sb_destroy(struct super_block *sb)
+ void fuse_mount_destroy(struct fuse_mount *fm)
+ {
+ fuse_conn_put(fm->fc);
+- kfree(fm);
++ kfree_rcu(fm, rcu);
+ }
+ EXPORT_SYMBOL(fuse_mount_destroy);
+
+--
+2.43.0
+
--- /dev/null
+From cac69531b06595b4fc0945bf6a8dd8348b7f119d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Dec 2023 20:07:46 +0100
+Subject: gfs2: Refcounting fix in gfs2_thaw_super
+
+From: Andreas Gruenbacher <agruenba@redhat.com>
+
+[ Upstream commit 4e58543e7da4859c4ba61d15493e3522b6ad71fd ]
+
+It turns out that the .freeze_super and .thaw_super operations require
+the filesystem to manage the superblock refcount itself. We are using
+the freeze_super() and thaw_super() helpers to mostly take care of that
+for us, but this means that the superblock may no longer be around by
+when thaw_super() returns, and gfs2_thaw_super() will then access freed
+memory. Take an extra superblock reference in gfs2_thaw_super() to fix
+that.
+
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/super.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/gfs2/super.c b/fs/gfs2/super.c
+index f9b47df485d17..aff8cdc61eff7 100644
+--- a/fs/gfs2/super.c
++++ b/fs/gfs2/super.c
+@@ -814,6 +814,7 @@ static int gfs2_thaw_super(struct super_block *sb)
+ if (!test_bit(SDF_FREEZE_INITIATOR, &sdp->sd_flags))
+ goto out;
+
++ atomic_inc(&sb->s_active);
+ gfs2_freeze_unlock(&sdp->sd_freeze_gh);
+
+ error = gfs2_do_thaw(sdp);
+@@ -824,6 +825,7 @@ static int gfs2_thaw_super(struct super_block *sb)
+ }
+ out:
+ mutex_unlock(&sdp->sd_freeze_mutex);
++ deactivate_super(sb);
+ return error;
+ }
+
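Review bot: The `deactivate_super(sb)` added after the `out:` label is also reached by the `goto out` taken when SDF_FREEZE_INITIATOR is not set. That jump sits before the `atomic_inc(&sb->s_active)` from the first hunk, so the path drops a superblock reference it never took. An unbalanced drop of `s_active` can tear down the superblock while it is still in use, which is the class of bug this commit is meant to fix. Keep the early exit off the shared label, `if (!test_bit(SDF_FREEZE_INITIATOR, &sdp->sd_flags)) { mutex_unlock(&sdp->sd_freeze_mutex); return error; }`, or take the reference before the first jump to `out`. The start of gfs2_thaw_super() is outside the hunk, so any earlier `goto out` needs the same check.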
+--
+2.43.0
+
--- /dev/null
+From 9c80aef00c7ee71a72ce1fa4bc2634e1a0d4a8b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Jun 2024 21:31:36 +0800
+Subject: hrtimer: Prevent queuing of hrtimer without a function callback
+
+From: Phil Chang <phil.chang@mediatek.com>
+
+[ Upstream commit 5a830bbce3af16833fe0092dec47b6dd30279825 ]
+
+The hrtimer function callback must not be NULL. It has to be specified by
+the call side but it is not validated by the hrtimer code. When a hrtimer
+is queued without a function callback, the kernel crashes with a null
+pointer dereference when trying to execute the callback in __run_hrtimer().
+
+Introduce a validation before queuing the hrtimer in
+hrtimer_start_range_ns().
+
+[anna-maria: Rephrase commit message]
+
+Signed-off-by: Phil Chang <phil.chang@mediatek.com>
+Signed-off-by: Anna-Maria Behnsen <anna-maria@linutronix.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Anna-Maria Behnsen <anna-maria@linutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/hrtimer.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index 314fb7598a879..f62cc13b5f143 100644
+--- a/kernel/time/hrtimer.c
++++ b/kernel/time/hrtimer.c
+@@ -1285,6 +1285,8 @@ void hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim,
+ struct hrtimer_clock_base *base;
+ unsigned long flags;
+
++ if (WARN_ON_ONCE(!timer->function))
++ return;
+ /*
+ * Check whether the HRTIMER_MODE_SOFT bit and hrtimer.is_soft
+ * match on CONFIG_PREEMPT_RT = n. With PREEMPT_RT check the hard
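Review bot: The new `WARN_ON_ONCE(!timer->function)` guard in hrtimer_start_range_ns() returns without arming the timer, and since the function is void the caller cannot tell. After the first warning every further NULL-callback timer is dropped silently, so code waiting on such a timer hangs with nothing in the log. State this in a comment above the check, e.g. `/* a timer without a callback is never queued; it would crash in __run_hrtimer() */`, and leave a blank line between the `return;` and the following block comment.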
+--
+2.43.0
+
--- /dev/null
+From aefae93c9875abef7e99c8d128e014ddc77da0a4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Feb 2024 22:08:56 +0200
+Subject: hrtimer: Select housekeeping CPU during migration
+
+From: Costa Shulyupin <costa.shul@redhat.com>
+
+[ Upstream commit 56c2cb10120894be40c40a9bf0ce798da14c50f6 ]
+
+During CPU-down hotplug, hrtimers may migrate to isolated CPUs,
+compromising CPU isolation.
+
+Address this issue by masking valid CPUs for hrtimers using
+housekeeping_cpumask(HK_TYPE_TIMER).
+
+Suggested-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Costa Shulyupin <costa.shul@redhat.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Waiman Long <longman@redhat.com>
+Link: https://lore.kernel.org/r/20240222200856.569036-1-costa.shul@redhat.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/hrtimer.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index 9bb88836c42e6..314fb7598a879 100644
+--- a/kernel/time/hrtimer.c
++++ b/kernel/time/hrtimer.c
+@@ -38,6 +38,7 @@
+ #include <linux/sched/deadline.h>
+ #include <linux/sched/nohz.h>
+ #include <linux/sched/debug.h>
++#include <linux/sched/isolation.h>
+ #include <linux/timer.h>
+ #include <linux/freezer.h>
+ #include <linux/compat.h>
+@@ -2220,8 +2221,8 @@ static void migrate_hrtimer_list(struct hrtimer_clock_base *old_base,
+
+ int hrtimers_cpu_dying(unsigned int dying_cpu)
+ {
++ int i, ncpu = cpumask_any_and(cpu_active_mask, housekeeping_cpumask(HK_TYPE_TIMER));
+ struct hrtimer_cpu_base *old_base, *new_base;
+- int i, ncpu = cpumask_first(cpu_active_mask);
+
+ tick_cancel_sched_timer(dying_cpu);
+
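Review bot: `cpumask_any_and(cpu_active_mask, housekeeping_cpumask(HK_TYPE_TIMER))` returns a value >= nr_cpu_ids when the two masks do not intersect, whereas the removed `cpumask_first(cpu_active_mask)` could only do so with no active CPU at all. `ncpu` is used further down in hrtimers_cpu_dying(), outside this hunk, presumably to pick the destination per-CPU base, so an empty intersection would index past the valid CPUs. If hotplug guarantees an active housekeeping CPU, say so in a comment. Otherwise fall back explicitly: `if (WARN_ON_ONCE(ncpu >= nr_cpu_ids)) ncpu = cpumask_first(cpu_active_mask);`.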
+--
+2.43.0
+
--- /dev/null
+From 66ca8d9064900aef2904c74e20ba2a31258037d2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Nov 2023 12:02:07 -0800
+Subject: hwmon: (pc87360) Bounds check data->innr usage
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 4265eb062a7303e537ab3792ade31f424c3c5189 ]
+
+Without visibility into the initializers for data->innr, GCC suspects
+using it as an index could walk off the end of the various 14-element
+arrays in data. Perform an explicit clamp to the array size. Silences
+the following warning with GCC 12+:
+
+../drivers/hwmon/pc87360.c: In function 'pc87360_update_device':
+../drivers/hwmon/pc87360.c:341:49: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=]
+ 341 | data->in_max[i] = pc87360_read_value(data,
+ | ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~
+ 342 | LD_IN, i,
+ | ~~~~~~~~~
+ 343 | PC87365_REG_IN_MAX);
+ | ~~~~~~~~~~~~~~~~~~~
+../drivers/hwmon/pc87360.c:209:12: note: at offset 255 into destination object 'in_max' of size 14
+ 209 | u8 in_max[14]; /* Register value */
+ | ^~~~~~
+
+Cc: Jim Cromie <jim.cromie@gmail.com>
+Cc: Jean Delvare <jdelvare@suse.com>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Cc: linux-hwmon@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Link: https://lore.kernel.org/r/20231130200207.work.679-kees@kernel.org
+[groeck: Added comment into code clarifying context]
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwmon/pc87360.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hwmon/pc87360.c b/drivers/hwmon/pc87360.c
+index a4adc8bd531ff..534a6072036c9 100644
+--- a/drivers/hwmon/pc87360.c
++++ b/drivers/hwmon/pc87360.c
+@@ -323,7 +323,11 @@ static struct pc87360_data *pc87360_update_device(struct device *dev)
+ }
+
+ /* Voltages */
+- for (i = 0; i < data->innr; i++) {
++ /*
++ * The min() below does not have any practical meaning and is
++ * only needed to silence a warning observed with gcc 12+.
++ */
++ for (i = 0; i < min(data->innr, ARRAY_SIZE(data->in)); i++) {
+ data->in_status[i] = pc87360_read_value(data, LD_IN, i,
+ PC87365_REG_IN_STATUS);
+ /* Clear bits */
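Review bot: The loop bound is clamped to `ARRAY_SIZE(data->in)`, but the body indexes `data->in_status[i]` here and, per the warning quoted in the commit message, `data->in_max[i]`. The clamp is therefore only correct while all of these arrays have the same length, and their declarations are outside the hunk. The added comment calls the min() meaningless, yet it is the only bound on an index that comes from `data->innr`, so word it as a real limit, e.g. `/* in, in_status, in_min and in_max all have the same size; never index past it */`. `data->innr` and `ARRAY_SIZE()` also differ in type, so trees whose min() enforces identical argument types would need `min_t(size_t, ...)`.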
+--
+2.43.0
+
--- /dev/null
+From 6e19750ae3aca42ec538293156b084fe890f42f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Apr 2024 14:10:53 +0800
+Subject: irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc
+
+From: Guanrui Huang <guanrui.huang@linux.alibaba.com>
+
+[ Upstream commit 382d2ffe86efb1e2fa803d2cf17e5bfc34e574f3 ]
+
+This BUG_ON() is useless, because the same effect will be obtained
+by letting the code run its course and vm being dereferenced,
+triggering an exception.
+
+So just remove this check.
+
+Signed-off-by: Guanrui Huang <guanrui.huang@linux.alibaba.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Zenghui Yu <yuzenghui@huawei.com>
+Acked-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20240418061053.96803-3-guanrui.huang@linux.alibaba.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-gic-v3-its.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
+index 3620bdb5200f2..a7a952bbfdc28 100644
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -4476,8 +4476,6 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq
+ struct page *vprop_page;
+ int base, nr_ids, i, err = 0;
+
+- BUG_ON(!vm);
+-
+ bitmap = its_lpi_alloc(roundup_pow_of_two(nr_irqs), &base, &nr_ids);
+ if (!bitmap)
+ return -ENOMEM;
+--
+2.43.0
+
--- /dev/null
+From 502f75b4c232807166c52d5319c0b81645fb062f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Mar 2024 08:50:40 +0000
+Subject: irqchip/renesas-rzg2l: Do not set TIEN and TINT source at the same
+ time
+
+From: Biju Das <biju.das.jz@bp.renesas.com>
+
+[ Upstream commit dce0919c83c325ac9dec5bc8838d5de6d32c01b1 ]
+
+As per the hardware team, TIEN and TINT source should not set at the same
+time due to a possible hardware race leading to spurious IRQ.
+
+Currently on some scenarios hardware settings for TINT detection is not in
+sync with TINT source as the enable/disable overrides source setting value
+leading to hardware inconsistent state. For eg: consider the case GPIOINT0
+is used as TINT interrupt and configuring GPIOINT5 as edge type. During
+rzg2l_irq_set_type(), TINT source for GPIOINT5 is set. On disable(),
+clearing of the entire bytes of TINT source selection for GPIOINT5 is same
+as GPIOINT0 with TIEN disabled. Apart from this during enable(), the
+setting of GPIOINT5 with TIEN results in spurious IRQ as due to a HW race,
+it is possible that IP can use the TIEN with previous source value
+(GPIOINT0).
+
+So, just update TIEN during enable/disable as TINT source is already set
+during rzg2l_irq_set_type(). This will make the consistent hardware
+settings for detection method tied with TINT source and allows to simplify
+the code.
+
+Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-renesas-rzg2l.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/irqchip/irq-renesas-rzg2l.c b/drivers/irqchip/irq-renesas-rzg2l.c
+index be71459c7465a..70279ca7e6278 100644
+--- a/drivers/irqchip/irq-renesas-rzg2l.c
++++ b/drivers/irqchip/irq-renesas-rzg2l.c
+@@ -132,7 +132,7 @@ static void rzg2l_irqc_irq_disable(struct irq_data *d)
+
+ raw_spin_lock(&priv->lock);
+ reg = readl_relaxed(priv->base + TSSR(tssr_index));
+- reg &= ~(TSSEL_MASK << TSSEL_SHIFT(tssr_offset));
++ reg &= ~(TIEN << TSSEL_SHIFT(tssr_offset));
+ writel_relaxed(reg, priv->base + TSSR(tssr_index));
+ raw_spin_unlock(&priv->lock);
+ }
+@@ -145,7 +145,6 @@ static void rzg2l_irqc_irq_enable(struct irq_data *d)
+
+ if (hw_irq >= IRQC_TINT_START && hw_irq < IRQC_NUM_IRQ) {
+ struct rzg2l_irqc_priv *priv = irq_data_to_priv(d);
+- unsigned long tint = (uintptr_t)d->chip_data;
+ u32 offset = hw_irq - IRQC_TINT_START;
+ u32 tssr_offset = TSSR_OFFSET(offset);
+ u8 tssr_index = TSSR_INDEX(offset);
+@@ -153,7 +152,7 @@ static void rzg2l_irqc_irq_enable(struct irq_data *d)
+
+ raw_spin_lock(&priv->lock);
+ reg = readl_relaxed(priv->base + TSSR(tssr_index));
+- reg |= (TIEN | tint) << TSSEL_SHIFT(tssr_offset);
++ reg |= TIEN << TSSEL_SHIFT(tssr_offset);
+ writel_relaxed(reg, priv->base + TSSR(tssr_index));
+ raw_spin_unlock(&priv->lock);
+ }
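Review bot: After this change rzg2l_irqc_irq_enable() sets only `TIEN` and relies on the TINT source field having been programmed earlier by rzg2l_irq_set_type(), and rzg2l_irqc_irq_disable() in the first hunk now leaves that field in place. That ordering requirement is stated only in the commit message. If enable can run before set_type for a TINT line, TIEN would be set with whatever source value the register currently holds. Add a comment at the `reg |= TIEN << ...` line, e.g. `/* source was selected in rzg2l_irq_set_type(); only toggle the enable bit here */`. Both functions start outside their hunks.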
+--
+2.43.0
+
--- /dev/null
+From 4c12049c8c74df5f5cb1d639c5efc8ef6a4fc375 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Jan 2024 15:46:36 -0800
+Subject: kernfs: fix false-positive WARN(nr_mmapped) in
+ kernfs_drain_open_files
+
+From: Neel Natu <neelnatu@google.com>
+
+[ Upstream commit 05d8f255867e3196565bb31a911a437697fab094 ]
+
+Prior to this change 'on->nr_mmapped' tracked the total number of
+mmaps across all of its associated open files via kernfs_fop_mmap().
+Thus if the file descriptor associated with a kernfs_open_file was
+mmapped 10 times then we would have: 'of->mmapped = true' and
+'of_on(of)->nr_mmapped = 10'.
+
+The problem is that closing or draining a 'of->mmapped' file would
+only decrement one from the 'of_on(of)->nr_mmapped' counter.
+
+For e.g. we have this from kernfs_unlink_open_file():
+ if (of->mmapped)
+ on->nr_mmapped--;
+
+The WARN_ON_ONCE(on->nr_mmapped) in kernfs_drain_open_files() is
+easy to reproduce by:
+1. opening a (mmap-able) kernfs file.
+2. mmap-ing that file more than once (mapping just once masks the issue).
+3. trigger a drain of that kernfs file.
+
+Modulo out-of-tree patches I was able to trigger this reliably by
+identifying pci device nodes in sysfs that have resource regions
+that are mmap-able and that don't have any driver attached to them
+(steps 1 and 2). For step 3 we can "echo 1 > remove" to trigger a
+kernfs_drain.
+
+Signed-off-by: Neel Natu <neelnatu@google.com>
+Link: https://lore.kernel.org/r/20240127234636.609265-1-neelnatu@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/kernfs/file.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/fs/kernfs/file.c b/fs/kernfs/file.c
+index e4a50e4ff0d23..adf3536cfec81 100644
+--- a/fs/kernfs/file.c
++++ b/fs/kernfs/file.c
+@@ -532,9 +532,11 @@ static int kernfs_fop_mmap(struct file *file, struct vm_area_struct *vma)
+ goto out_put;
+
+ rc = 0;
+- of->mmapped = true;
+- of_on(of)->nr_mmapped++;
+- of->vm_ops = vma->vm_ops;
++ if (!of->mmapped) {
++ of->mmapped = true;
++ of_on(of)->nr_mmapped++;
++ of->vm_ops = vma->vm_ops;
++ }
+ vma->vm_ops = &kernfs_vm_ops;
+ out_put:
+ kernfs_put_active(of->kn);
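Review bot: With the new `if (!of->mmapped)` guard in kernfs_fop_mmap(), `of->vm_ops` is recorded only for the first mapping of an open file, while `vma->vm_ops` is still replaced by `&kernfs_vm_ops` on every call. If a later mmap of the same file arrives with different `vma->vm_ops`, the wrapper would dispatch to the ops saved from the first one. Whether the underlying `->mmap` can do that is not visible here, so make the assumption explicit with an else branch such as `else WARN_ON_ONCE(of->vm_ops != vma->vm_ops);`. The function starts outside the hunk.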
+--
+2.43.0
+
--- /dev/null
+From e5aabd04770d921d7a33c935fb94187405f9e0d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Feb 2024 11:14:38 +0800
+Subject: md: clean up invalid BUG_ON in md_ioctl
+
+From: Li Nan <linan122@huawei.com>
+
+[ Upstream commit 9dd8702e7cd28ebf076ff838933f29cf671165ec ]
+
+'disk->private_data' is set to mddev in md_alloc() and never set to NULL,
+and users need to open mddev before submitting ioctl. So mddev must not
+have been freed during ioctl, and there is no need to check mddev here.
+Clean up it.
+
+Signed-off-by: Li Nan <linan122@huawei.com>
+Reviewed-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Link: https://lore.kernel.org/r/20240226031444.3606764-4-linan666@huaweicloud.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index b87c6ef0da8ab..297c86f5c70b5 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -7614,11 +7614,6 @@ static int md_ioctl(struct block_device *bdev, fmode_t mode,
+
+ mddev = bdev->bd_disk->private_data;
+
+- if (!mddev) {
+- BUG();
+- goto out;
+- }
+-
+ /* Some actions do not requires the mutex */
+ switch (cmd) {
+ case GET_ARRAY_INFO:
+--
+2.43.0
+
--- /dev/null
+From 5b4bb06afdccff756d8c31a557d5320841b0fe24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jan 2024 11:19:45 +0800
+Subject: md: Fix overflow in is_mddev_idle
+
+From: Li Nan <linan122@huawei.com>
+
+[ Upstream commit 3f9f231236ce7e48780d8a4f1f8cb9fae2df1e4e ]
+
+UBSAN reports this problem:
+
+ UBSAN: Undefined behaviour in drivers/md/md.c:8175:15
+ signed integer overflow:
+ -2147483291 - 2072033152 cannot be represented in type 'int'
+ Call trace:
+ dump_backtrace+0x0/0x310
+ show_stack+0x28/0x38
+ dump_stack+0xec/0x15c
+ ubsan_epilogue+0x18/0x84
+ handle_overflow+0x14c/0x19c
+ __ubsan_handle_sub_overflow+0x34/0x44
+ is_mddev_idle+0x338/0x3d8
+ md_do_sync+0x1bb8/0x1cf8
+ md_thread+0x220/0x288
+ kthread+0x1d8/0x1e0
+ ret_from_fork+0x10/0x18
+
+'curr_events' will overflow when stat accum or 'sync_io' is greater than
+INT_MAX.
+
+Fix it by changing sync_io, last_events and curr_events to 64bit.
+
+Signed-off-by: Li Nan <linan122@huawei.com>
+Reviewed-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20240117031946.2324519-2-linan666@huaweicloud.com
+Signed-off-by: Song Liu <song@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 7 ++++---
+ drivers/md/md.h | 4 ++--
+ include/linux/blkdev.h | 2 +-
+ 3 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 297c86f5c70b5..a3b0ac0732c94 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -8540,14 +8540,15 @@ static int is_mddev_idle(struct mddev *mddev, int init)
+ {
+ struct md_rdev *rdev;
+ int idle;
+- int curr_events;
++ long long curr_events;
+
+ idle = 1;
+ rcu_read_lock();
+ rdev_for_each_rcu(rdev, mddev) {
+ struct gendisk *disk = rdev->bdev->bd_disk;
+- curr_events = (int)part_stat_read_accum(disk->part0, sectors) -
+- atomic_read(&disk->sync_io);
++ curr_events =
++ (long long)part_stat_read_accum(disk->part0, sectors) -
++ atomic64_read(&disk->sync_io);
+ /* sync IO will cause sync_io to increase before the disk_stats
+ * as sync_io is counted when a request starts, and
+ * disk_stats is counted when it completes.
+diff --git a/drivers/md/md.h b/drivers/md/md.h
+index 4f0b480974552..5910527514db2 100644
+--- a/drivers/md/md.h
++++ b/drivers/md/md.h
+@@ -50,7 +50,7 @@ struct md_rdev {
+
+ sector_t sectors; /* Device size (in 512bytes sectors) */
+ struct mddev *mddev; /* RAID array if running */
+- int last_events; /* IO event timestamp */
++ long long last_events; /* IO event timestamp */
+
+ /*
+ * If meta_bdev is non-NULL, it means that a separate device is
+@@ -576,7 +576,7 @@ extern void mddev_unlock(struct mddev *mddev);
+
+ static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
+ {
+- atomic_add(nr_sectors, &bdev->bd_disk->sync_io);
++ atomic64_add(nr_sectors, &bdev->bd_disk->sync_io);
+ }
+
+ static inline void md_sync_acct_bio(struct bio *bio, unsigned long nr_sectors)
+diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
+index e255674a9ee72..02e55676e0283 100644
+--- a/include/linux/blkdev.h
++++ b/include/linux/blkdev.h
+@@ -161,7 +161,7 @@ struct gendisk {
+ struct list_head slave_bdevs;
+ #endif
+ struct timer_rand_state *random;
+- atomic_t sync_io; /* RAID */
++ atomic64_t sync_io; /* RAID */
+ struct disk_events *ev;
+ #ifdef CONFIG_BLK_DEV_INTEGRITY
+ struct kobject integrity_kobj;
+--
+2.43.0
+
--- /dev/null
+From 9c3292ad601619c4b146d439b4d1b79a696991b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Nov 2023 20:16:34 +0100
+Subject: media: drivers/media/dvb-core: copy user arrays safely
+
+From: Philipp Stanner <pstanner@redhat.com>
+
+[ Upstream commit 102fb77c2deb0df3683ef8ff7a6f4cf91dc456e2 ]
+
+At several positions in dvb_frontend.c, memdup_user() is utilized to
+copy userspace arrays. This is done without overflow checks.
+
+Use the new wrapper memdup_array_user() to copy the arrays more safely.
+
+Link: https://lore.kernel.org/linux-media/20231102191633.52592-2-pstanner@redhat.com
+Suggested-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Philipp Stanner <pstanner@redhat.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-core/dvb_frontend.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c
+index fce0e20940780..a1a3dbb0e7388 100644
+--- a/drivers/media/dvb-core/dvb_frontend.c
++++ b/drivers/media/dvb-core/dvb_frontend.c
+@@ -2160,7 +2160,8 @@ static int dvb_frontend_handle_compat_ioctl(struct file *file, unsigned int cmd,
+ if (!tvps->num || (tvps->num > DTV_IOCTL_MAX_MSGS))
+ return -EINVAL;
+
+- tvp = memdup_user(compat_ptr(tvps->props), tvps->num * sizeof(*tvp));
++ tvp = memdup_array_user(compat_ptr(tvps->props),
++ tvps->num, sizeof(*tvp));
+ if (IS_ERR(tvp))
+ return PTR_ERR(tvp);
+
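Review bot: The `tvps->num > DTV_IOCTL_MAX_MSGS` test just above already bounds the element count, so the switch to `memdup_array_user()` here and in the three later hunks of this file is hardening, not a fix for a reachable overflow (assuming DTV_IOCTL_MAX_MSGS is small; its value is not visible here). A short comment would stop a later cleanup from dropping one of the two checks: `/* num is bounded above; memdup_array_user() re-checks num * size for overflow */`. The commit message calls the helper "new", so this backport presumably builds only if the patch adding `memdup_array_user()` is already in the target tree.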
+@@ -2191,7 +2192,8 @@ static int dvb_frontend_handle_compat_ioctl(struct file *file, unsigned int cmd,
+ if (!tvps->num || (tvps->num > DTV_IOCTL_MAX_MSGS))
+ return -EINVAL;
+
+- tvp = memdup_user(compat_ptr(tvps->props), tvps->num * sizeof(*tvp));
++ tvp = memdup_array_user(compat_ptr(tvps->props),
++ tvps->num, sizeof(*tvp));
+ if (IS_ERR(tvp))
+ return PTR_ERR(tvp);
+
+@@ -2368,7 +2370,8 @@ static int dvb_get_property(struct dvb_frontend *fe, struct file *file,
+ if (!tvps->num || tvps->num > DTV_IOCTL_MAX_MSGS)
+ return -EINVAL;
+
+- tvp = memdup_user((void __user *)tvps->props, tvps->num * sizeof(*tvp));
++ tvp = memdup_array_user((void __user *)tvps->props,
++ tvps->num, sizeof(*tvp));
+ if (IS_ERR(tvp))
+ return PTR_ERR(tvp);
+
+@@ -2446,7 +2449,8 @@ static int dvb_frontend_handle_ioctl(struct file *file,
+ if (!tvps->num || (tvps->num > DTV_IOCTL_MAX_MSGS))
+ return -EINVAL;
+
+- tvp = memdup_user((void __user *)tvps->props, tvps->num * sizeof(*tvp));
++ tvp = memdup_array_user((void __user *)tvps->props,
++ tvps->num, sizeof(*tvp));
+ if (IS_ERR(tvp))
+ return PTR_ERR(tvp);
+
+--
+2.43.0
+
--- /dev/null
+From fec2569118b670167e659a781fd99ce783968fb6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Oct 2023 08:58:49 +0200
+Subject: media: pci: cx23885: check cx23885_vdev_init() return
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 15126b916e39b0cb67026b0af3c014bfeb1f76b3 ]
+
+cx23885_vdev_init() can return a NULL pointer, but that pointer
+is used in the next line without a check.
+
+Add a NULL pointer check and go to the error unwind if it is NULL.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reported-by: Sicong Huang <huangsicong@iie.ac.cn>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/cx23885/cx23885-video.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/media/pci/cx23885/cx23885-video.c b/drivers/media/pci/cx23885/cx23885-video.c
+index 9af2c5596121c..51d7d720ec48b 100644
+--- a/drivers/media/pci/cx23885/cx23885-video.c
++++ b/drivers/media/pci/cx23885/cx23885-video.c
+@@ -1354,6 +1354,10 @@ int cx23885_video_register(struct cx23885_dev *dev)
+ /* register Video device */
+ dev->video_dev = cx23885_vdev_init(dev, dev->pci,
+ &cx23885_video_template, "video");
++ if (!dev->video_dev) {
++ err = -ENOMEM;
++ goto fail_unreg;
++ }
+ dev->video_dev->queue = &dev->vb2_vidq;
+ dev->video_dev->device_caps = V4L2_CAP_READWRITE | V4L2_CAP_STREAMING |
+ V4L2_CAP_AUDIO | V4L2_CAP_VIDEO_CAPTURE;
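Review bot: The added `goto fail_unreg` runs with `dev->video_dev == NULL`, and the matching one in the VBI hunk below runs with `dev->vbi_dev == NULL`. The `fail_unreg` label is outside both hunks, so it is worth confirming that the unwind path tests each pointer before dereferencing or unregistering it. Otherwise the new error path moves the NULL dereference rather than removing it. The choice of `-ENOMEM` assumes `cx23885_vdev_init()` returns NULL only on allocation failure; a one-line comment such as `/* cx23885_vdev_init() returns NULL on allocation failure */` would record that assumption.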
+@@ -1382,6 +1386,10 @@ int cx23885_video_register(struct cx23885_dev *dev)
+ /* register VBI device */
+ dev->vbi_dev = cx23885_vdev_init(dev, dev->pci,
+ &cx23885_vbi_template, "vbi");
++ if (!dev->vbi_dev) {
++ err = -ENOMEM;
++ goto fail_unreg;
++ }
+ dev->vbi_dev->queue = &dev->vb2_vbiq;
+ dev->vbi_dev->device_caps = V4L2_CAP_READWRITE | V4L2_CAP_STREAMING |
+ V4L2_CAP_AUDIO | V4L2_CAP_VBI_CAPTURE;
+--
+2.43.0
+
--- /dev/null
+From ba84093b0be2de9e4c0a38d9dd6cba201f296f14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Feb 2024 11:14:25 +0100
+Subject: memory: stm32-fmc2-ebi: check regmap_read return value
+
+From: Christophe Kerello <christophe.kerello@foss.st.com>
+
+[ Upstream commit 722463f73bcf65a8c818752a38c14ee672c77da1 ]
+
+Check regmap_read return value to avoid to use uninitialized local
+variables.
+
+Signed-off-by: Christophe Kerello <christophe.kerello@foss.st.com>
+Link: https://lore.kernel.org/r/20240226101428.37791-3-christophe.kerello@foss.st.com
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memory/stm32-fmc2-ebi.c | 122 +++++++++++++++++++++++---------
+ 1 file changed, 88 insertions(+), 34 deletions(-)
+
+diff --git a/drivers/memory/stm32-fmc2-ebi.c b/drivers/memory/stm32-fmc2-ebi.c
+index ffec26a99313b..5c387d32c078f 100644
+--- a/drivers/memory/stm32-fmc2-ebi.c
++++ b/drivers/memory/stm32-fmc2-ebi.c
+@@ -179,8 +179,11 @@ static int stm32_fmc2_ebi_check_mux(struct stm32_fmc2_ebi *ebi,
+ int cs)
+ {
+ u32 bcr;
++ int ret;
+
+- regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
++ ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
++ if (ret)
++ return ret;
+
+ if (bcr & FMC2_BCR_MTYP)
+ return 0;
+@@ -193,8 +196,11 @@ static int stm32_fmc2_ebi_check_waitcfg(struct stm32_fmc2_ebi *ebi,
+ int cs)
+ {
+ u32 bcr, val = FIELD_PREP(FMC2_BCR_MTYP, FMC2_BCR_MTYP_NOR);
++ int ret;
+
+- regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
++ ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
++ if (ret)
++ return ret;
+
+ if ((bcr & FMC2_BCR_MTYP) == val && bcr & FMC2_BCR_BURSTEN)
+ return 0;
+@@ -207,8 +213,11 @@ static int stm32_fmc2_ebi_check_sync_trans(struct stm32_fmc2_ebi *ebi,
+ int cs)
+ {
+ u32 bcr;
++ int ret;
+
+- regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
++ ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
++ if (ret)
++ return ret;
+
+ if (bcr & FMC2_BCR_BURSTEN)
+ return 0;
+@@ -221,8 +230,11 @@ static int stm32_fmc2_ebi_check_async_trans(struct stm32_fmc2_ebi *ebi,
+ int cs)
+ {
+ u32 bcr;
++ int ret;
+
+- regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
++ ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
++ if (ret)
++ return ret;
+
+ if (!(bcr & FMC2_BCR_BURSTEN) || !(bcr & FMC2_BCR_CBURSTRW))
+ return 0;
+@@ -235,8 +247,11 @@ static int stm32_fmc2_ebi_check_cpsize(struct stm32_fmc2_ebi *ebi,
+ int cs)
+ {
+ u32 bcr, val = FIELD_PREP(FMC2_BCR_MTYP, FMC2_BCR_MTYP_PSRAM);
++ int ret;
+
+- regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
++ ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
++ if (ret)
++ return ret;
+
+ if ((bcr & FMC2_BCR_MTYP) == val && bcr & FMC2_BCR_BURSTEN)
+ return 0;
+@@ -249,12 +264,18 @@ static int stm32_fmc2_ebi_check_address_hold(struct stm32_fmc2_ebi *ebi,
+ int cs)
+ {
+ u32 bcr, bxtr, val = FIELD_PREP(FMC2_BXTR_ACCMOD, FMC2_BXTR_EXTMOD_D);
++ int ret;
++
++ ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
++ if (ret)
++ return ret;
+
+- regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
+ if (prop->reg_type == FMC2_REG_BWTR)
+- regmap_read(ebi->regmap, FMC2_BWTR(cs), &bxtr);
++ ret = regmap_read(ebi->regmap, FMC2_BWTR(cs), &bxtr);
+ else
+- regmap_read(ebi->regmap, FMC2_BTR(cs), &bxtr);
++ ret = regmap_read(ebi->regmap, FMC2_BTR(cs), &bxtr);
++ if (ret)
++ return ret;
+
+ if ((!(bcr & FMC2_BCR_BURSTEN) || !(bcr & FMC2_BCR_CBURSTRW)) &&
+ ((bxtr & FMC2_BXTR_ACCMOD) == val || bcr & FMC2_BCR_MUXEN))
+@@ -268,12 +289,19 @@ static int stm32_fmc2_ebi_check_clk_period(struct stm32_fmc2_ebi *ebi,
+ int cs)
+ {
+ u32 bcr, bcr1;
++ int ret;
+
+- regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
+- if (cs)
+- regmap_read(ebi->regmap, FMC2_BCR1, &bcr1);
+- else
++ ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
++ if (ret)
++ return ret;
++
++ if (cs) {
++ ret = regmap_read(ebi->regmap, FMC2_BCR1, &bcr1);
++ if (ret)
++ return ret;
++ } else {
+ bcr1 = bcr;
++ }
+
+ if (bcr & FMC2_BCR_BURSTEN && (!cs || !(bcr1 & FMC2_BCR1_CCLKEN)))
+ return 0;
+@@ -305,12 +333,18 @@ static u32 stm32_fmc2_ebi_ns_to_clk_period(struct stm32_fmc2_ebi *ebi,
+ {
+ u32 nb_clk_cycles = stm32_fmc2_ebi_ns_to_clock_cycles(ebi, cs, setup);
+ u32 bcr, btr, clk_period;
++ int ret;
++
++ ret = regmap_read(ebi->regmap, FMC2_BCR1, &bcr);
++ if (ret)
++ return ret;
+
+- regmap_read(ebi->regmap, FMC2_BCR1, &bcr);
+ if (bcr & FMC2_BCR1_CCLKEN || !cs)
+- regmap_read(ebi->regmap, FMC2_BTR1, &btr);
++ ret = regmap_read(ebi->regmap, FMC2_BTR1, &btr);
+ else
+- regmap_read(ebi->regmap, FMC2_BTR(cs), &btr);
++ ret = regmap_read(ebi->regmap, FMC2_BTR(cs), &btr);
++ if (ret)
++ return ret;
+
+ clk_period = FIELD_GET(FMC2_BTR_CLKDIV, btr) + 1;
+
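Review bot: The two added `return ret;` statements in `stm32_fmc2_ebi_ns_to_clk_period()` return a negative errno through a `u32` return type, as the hunk header shows (`static u32 ...`). A failed `regmap_read()` therefore reaches the caller as a very large cycle count rather than an error, and that value is presumably then programmed into a timing field. The error can only be reported by changing the function to return `int` and hand the period back through an out parameter, which also means updating callers outside this hunk. As written, the check avoids the uninitialised read of `bcr`/`btr` but replaces it with a bogus timing value.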
+@@ -569,11 +603,16 @@ static int stm32_fmc2_ebi_set_address_setup(struct stm32_fmc2_ebi *ebi,
+ if (ret)
+ return ret;
+
+- regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
++ ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
++ if (ret)
++ return ret;
++
+ if (prop->reg_type == FMC2_REG_BWTR)
+- regmap_read(ebi->regmap, FMC2_BWTR(cs), &bxtr);
++ ret = regmap_read(ebi->regmap, FMC2_BWTR(cs), &bxtr);
+ else
+- regmap_read(ebi->regmap, FMC2_BTR(cs), &bxtr);
++ ret = regmap_read(ebi->regmap, FMC2_BTR(cs), &bxtr);
++ if (ret)
++ return ret;
+
+ if ((bxtr & FMC2_BXTR_ACCMOD) == val || bcr & FMC2_BCR_MUXEN)
+ val = clamp_val(setup, 1, FMC2_BXTR_ADDSET_MAX);
+@@ -691,11 +730,14 @@ static int stm32_fmc2_ebi_set_max_low_pulse(struct stm32_fmc2_ebi *ebi,
+ int cs, u32 setup)
+ {
+ u32 old_val, new_val, pcscntr;
++ int ret;
+
+ if (setup < 1)
+ return 0;
+
+- regmap_read(ebi->regmap, FMC2_PCSCNTR, &pcscntr);
++ ret = regmap_read(ebi->regmap, FMC2_PCSCNTR, &pcscntr);
++ if (ret)
++ return ret;
+
+ /* Enable counter for the bank */
+ regmap_update_bits(ebi->regmap, FMC2_PCSCNTR,
+@@ -942,17 +984,20 @@ static void stm32_fmc2_ebi_disable_bank(struct stm32_fmc2_ebi *ebi, int cs)
+ regmap_update_bits(ebi->regmap, FMC2_BCR(cs), FMC2_BCR_MBKEN, 0);
+ }
+
+-static void stm32_fmc2_ebi_save_setup(struct stm32_fmc2_ebi *ebi)
++static int stm32_fmc2_ebi_save_setup(struct stm32_fmc2_ebi *ebi)
+ {
+ unsigned int cs;
++ int ret;
+
+ for (cs = 0; cs < FMC2_MAX_EBI_CE; cs++) {
+- regmap_read(ebi->regmap, FMC2_BCR(cs), &ebi->bcr[cs]);
+- regmap_read(ebi->regmap, FMC2_BTR(cs), &ebi->btr[cs]);
+- regmap_read(ebi->regmap, FMC2_BWTR(cs), &ebi->bwtr[cs]);
++ ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &ebi->bcr[cs]);
++ ret |= regmap_read(ebi->regmap, FMC2_BTR(cs), &ebi->btr[cs]);
++ ret |= regmap_read(ebi->regmap, FMC2_BWTR(cs), &ebi->bwtr[cs]);
++ if (ret)
++ return ret;
+ }
+
+- regmap_read(ebi->regmap, FMC2_PCSCNTR, &ebi->pcscntr);
++ return regmap_read(ebi->regmap, FMC2_PCSCNTR, &ebi->pcscntr);
+ }
+
+ static void stm32_fmc2_ebi_set_setup(struct stm32_fmc2_ebi *ebi)
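Review bot: `ret |= regmap_read(...)` in `stm32_fmc2_ebi_save_setup()` ORs errno values together, so when two reads fail with different codes the function returns the bitwise OR of two negative numbers, which is neither errno. It also keeps issuing reads after the first one has failed. Checking each call on its own keeps the code meaningful, e.g. `ret = regmap_read(ebi->regmap, FMC2_BTR(cs), &ebi->btr[cs]);` followed by `if (ret) return ret;`, and the same for the BWTR read. The probe hunk further down propagates this value to the caller, so the garbled code would surface in the probe failure.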
+@@ -981,22 +1026,29 @@ static void stm32_fmc2_ebi_disable_banks(struct stm32_fmc2_ebi *ebi)
+ }
+
+ /* NWAIT signal can not be connected to EBI controller and NAND controller */
+-static bool stm32_fmc2_ebi_nwait_used_by_ctrls(struct stm32_fmc2_ebi *ebi)
++static int stm32_fmc2_ebi_nwait_used_by_ctrls(struct stm32_fmc2_ebi *ebi)
+ {
++ struct device *dev = ebi->dev;
+ unsigned int cs;
+ u32 bcr;
++ int ret;
+
+ for (cs = 0; cs < FMC2_MAX_EBI_CE; cs++) {
+ if (!(ebi->bank_assigned & BIT(cs)))
+ continue;
+
+- regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
++ ret = regmap_read(ebi->regmap, FMC2_BCR(cs), &bcr);
++ if (ret)
++ return ret;
++
+ if ((bcr & FMC2_BCR_WAITEN || bcr & FMC2_BCR_ASYNCWAIT) &&
+- ebi->bank_assigned & BIT(FMC2_NAND))
+- return true;
++ ebi->bank_assigned & BIT(FMC2_NAND)) {
++ dev_err(dev, "NWAIT signal connected to EBI and NAND controllers\n");
++ return -EINVAL;
++ }
+ }
+
+- return false;
++ return 0;
+ }
+
+ static void stm32_fmc2_ebi_enable(struct stm32_fmc2_ebi *ebi)
+@@ -1083,10 +1135,9 @@ static int stm32_fmc2_ebi_parse_dt(struct stm32_fmc2_ebi *ebi)
+ return -ENODEV;
+ }
+
+- if (stm32_fmc2_ebi_nwait_used_by_ctrls(ebi)) {
+- dev_err(dev, "NWAIT signal connected to EBI and NAND controllers\n");
+- return -EINVAL;
+- }
++ ret = stm32_fmc2_ebi_nwait_used_by_ctrls(ebi);
++ if (ret)
++ return ret;
+
+ stm32_fmc2_ebi_enable(ebi);
+
+@@ -1131,7 +1182,10 @@ static int stm32_fmc2_ebi_probe(struct platform_device *pdev)
+ if (ret)
+ goto err_release;
+
+- stm32_fmc2_ebi_save_setup(ebi);
++ ret = stm32_fmc2_ebi_save_setup(ebi);
++ if (ret)
++ goto err_release;
++
+ platform_set_drvdata(pdev, ebi);
+
+ return 0;
+--
+2.43.0
+
--- /dev/null
+From 24092ca9f25ab57efae104f9d8609368d867d077 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Nov 2023 16:57:13 +0530
+Subject: memory: tegra: Skip SID programming if SID registers aren't set
+
+From: Ashish Mhetre <amhetre@nvidia.com>
+
+[ Upstream commit 0d6c918011ce4764ed277de4726a468b7ffe5fed ]
+
+There are few MC clients where SID security and override register
+offsets are not specified like "sw_cluster0" in tegra234. Don't program
+SID override for such clients because it leads to access to invalid
+addresses.
+
+Signed-off-by: Ashish Mhetre <amhetre@nvidia.com>
+Link: https://lore.kernel.org/r/20231107112713.21399-2-amhetre@nvidia.com
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/memory/tegra/tegra186.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/memory/tegra/tegra186.c b/drivers/memory/tegra/tegra186.c
+index 7bb73f06fad3e..fd6f5e2e01a28 100644
+--- a/drivers/memory/tegra/tegra186.c
++++ b/drivers/memory/tegra/tegra186.c
+@@ -74,6 +74,9 @@ static void tegra186_mc_client_sid_override(struct tegra_mc *mc,
+ {
+ u32 value, old;
+
++ if (client->regs.sid.security == 0 && client->regs.sid.override == 0)
++ return;
++
+ value = readl(mc->regs + client->regs.sid.security);
+ if ((value & MC_SID_STREAMID_SECURITY_OVERRIDE) == 0) {
+ /*
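Review bot: The new guard uses `&&`, so a client with only one of the two offsets left at zero still reaches `readl(mc->regs + client->regs.sid.security)`, or the override access later in the function, with offset 0. The commit message gives that invalid access as the reason for the patch. If such a half-populated client entry can exist (the client tables are not visible here), `||` is the safer condition: `if (client->regs.sid.security == 0 || client->regs.sid.override == 0) return;`. If both fields are always set or unset together, a comment saying so would justify the `&&`. The body of `tegra186_mc_client_sid_override()` continues past the end of this hunk.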
+--
+2.43.0
+
--- /dev/null
+From 60ee5f292add641f274578dd444f36bc335e2359 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Mar 2024 09:01:15 +0800
+Subject: net: hns3: add checking for vf id of mailbox
+
+From: Jian Shen <shenjian15@huawei.com>
+
+[ Upstream commit 4e2969a0d6a7549bc0bc1ebc990588b622c4443d ]
+
+Add checking for vf id of mailbox, in order to avoid array
+out-of-bounds risk.
+
+Signed-off-by: Jian Shen <shenjian15@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Reviewed-by: Sunil Goutham <sgoutham@marvell.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
+index 877feee53804f..61e155c4d441e 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
+@@ -1124,10 +1124,11 @@ void hclge_mbx_handler(struct hclge_dev *hdev)
+ req = (struct hclge_mbx_vf_to_pf_cmd *)desc->data;
+
+ flag = le16_to_cpu(crq->desc[crq->next_to_use].flag);
+- if (unlikely(!hnae3_get_bit(flag, HCLGE_CMDQ_RX_OUTVLD_B))) {
++ if (unlikely(!hnae3_get_bit(flag, HCLGE_CMDQ_RX_OUTVLD_B) ||
++ req->mbx_src_vfid > hdev->num_req_vfs)) {
+ dev_warn(&hdev->pdev->dev,
+- "dropped invalid mailbox message, code = %u\n",
+- req->msg.code);
++ "dropped invalid mailbox message, code = %u, vfid = %u\n",
++ req->msg.code, req->mbx_src_vfid);
+
+ /* dropping/not processing this invalid message */
+ crq->desc[crq->next_to_use].flag = 0;
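Review bot: The bound `req->mbx_src_vfid > hdev->num_req_vfs` lets an id equal to `num_req_vfs` through. That is only in range if the array later indexed by this id has `num_req_vfs + 1` entries, presumably with slot 0 reserved for the PF; the array and its allocation are outside this hunk. Because `mbx_src_vfid` comes from the mailbox descriptor rather than from the PF's own state, the comparison deserves an explicit comment so it is not later "fixed" to `>=` or left off by one: `/* index 0 is the PF, VFs occupy 1..num_req_vfs */`. `hclge_mbx_handler()` continues outside the hunk, so the indexing site should be checked against this bound.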
+--
+2.43.0
+
--- /dev/null
+From b005c3cb976c346842d3ca95eefe549a0ad96faf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Feb 2024 08:16:54 -0800
+Subject: net/sun3_82586: Avoid reading past buffer in debug output
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 4bea747f3fbec33c16d369b2f51e55981d7c78d0 ]
+
+Since NUM_XMIT_BUFFS is always 1, building m68k with sun3_defconfig and
+-Warraybounds, this build warning is visible[1]:
+
+drivers/net/ethernet/i825xx/sun3_82586.c: In function 'sun3_82586_timeout':
+drivers/net/ethernet/i825xx/sun3_82586.c:990:122: warning: array subscript 1 is above array bounds of 'volatile struct transmit_cmd_struct *[1]' [-Warray-bounds=]
+ 990 | printk("%s: command-stats: %04x %04x\n",dev->name,swab16(p->xmit_cmds[0]->cmd_status),swab16(p->xmit_cmds[1]->cmd_status));
+ | ~~~~~~~~~~~~^~~
+...
+drivers/net/ethernet/i825xx/sun3_82586.c:156:46: note: while referencing 'xmit_cmds'
+ 156 | volatile struct transmit_cmd_struct *xmit_cmds[NUM_XMIT_BUFFS];
+
+Avoid accessing index 1 since it doesn't exist.
+
+Link: https://github.com/KSPP/linux/issues/325 [1]
+Cc: Sam Creasey <sammy@sammy.net>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Simon Horman <horms@kernel.org> # build-tested
+Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Link: https://lore.kernel.org/r/20240206161651.work.876-kees@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/i825xx/sun3_82586.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/i825xx/sun3_82586.c b/drivers/net/ethernet/i825xx/sun3_82586.c
+index 3909c6a0af89f..72d3b5328ebb4 100644
+--- a/drivers/net/ethernet/i825xx/sun3_82586.c
++++ b/drivers/net/ethernet/i825xx/sun3_82586.c
+@@ -986,7 +986,7 @@ static void sun3_82586_timeout(struct net_device *dev, unsigned int txqueue)
+ {
+ #ifdef DEBUG
+ printk("%s: xmitter timed out, try to restart! stat: %02x\n",dev->name,p->scb->cus);
+- printk("%s: command-stats: %04x %04x\n",dev->name,swab16(p->xmit_cmds[0]->cmd_status),swab16(p->xmit_cmds[1]->cmd_status));
++ printk("%s: command-stats: %04x\n", dev->name, swab16(p->xmit_cmds[0]->cmd_status));
+ printk("%s: check, whether you set the right interrupt number!\n",dev->name);
+ #endif
+ sun3_82586_close(dev);
+--
+2.43.0
+
--- /dev/null
+From 2031c847a23a05808a7605d38c1f315f53ca8b2a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 22 Feb 2024 10:50:13 +0000
+Subject: netlink: hold nlk->cb_mutex longer in __netlink_dump_start()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit b5590270068c4324dac4a2b5a4a156e02e21339f ]
+
+__netlink_dump_start() releases nlk->cb_mutex right before
+calling netlink_dump() which grabs it again.
+
+This seems dangerous, even if KASAN did not bother yet.
+
+Add a @lock_taken parameter to netlink_dump() to let it
+grab the mutex if called from netlink_recvmsg() only.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netlink/af_netlink.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index e9b81cba1e2b4..8d26bd2ae3d55 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -130,7 +130,7 @@ static const char *const nlk_cb_mutex_key_strings[MAX_LINKS + 1] = {
+ "nlk_cb_mutex-MAX_LINKS"
+ };
+
+-static int netlink_dump(struct sock *sk);
++static int netlink_dump(struct sock *sk, bool lock_taken);
+
+ /* nl_table locking explained:
+ * Lookup and traversal are protected with an RCU read-side lock. Insertion
+@@ -1953,7 +1953,7 @@ static int netlink_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
+
+ if (READ_ONCE(nlk->cb_running) &&
+ atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf / 2) {
+- ret = netlink_dump(sk);
++ ret = netlink_dump(sk, false);
+ if (ret) {
+ WRITE_ONCE(sk->sk_err, -ret);
+ sk_error_report(sk);
+@@ -2163,7 +2163,7 @@ static int netlink_dump_done(struct netlink_sock *nlk, struct sk_buff *skb,
+ return 0;
+ }
+
+-static int netlink_dump(struct sock *sk)
++static int netlink_dump(struct sock *sk, bool lock_taken)
+ {
+ struct netlink_sock *nlk = nlk_sk(sk);
+ struct netlink_ext_ack extack = {};
+@@ -2175,7 +2175,8 @@ static int netlink_dump(struct sock *sk)
+ int alloc_min_size;
+ int alloc_size;
+
+- mutex_lock(nlk->cb_mutex);
++ if (!lock_taken)
++ mutex_lock(nlk->cb_mutex);
+ if (!nlk->cb_running) {
+ err = -EINVAL;
+ goto errout_skb;
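Review bot: Nothing in `netlink_dump()` verifies the caller's claim once the lock is taken only under `if (!lock_taken)`, so a future caller passing `true` without holding `nlk->cb_mutex` would run the dump unlocked with no warning. Adding `else lockdep_assert_held(nlk->cb_mutex);` after the conditional `mutex_lock()` makes that contract checkable on lockdep builds. The last hunk removes the `mutex_unlock()` from `__netlink_dump_start()`, so `netlink_dump()` is now presumably expected to release the mutex on every exit path even when it did not acquire it. Those exits are outside this hunk, and the ownership hand-off should be stated in a comment above the function.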
+@@ -2330,9 +2331,7 @@ int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
+ WRITE_ONCE(nlk->cb_running, true);
+ nlk->dump_done_errno = INT_MAX;
+
+- mutex_unlock(nlk->cb_mutex);
+-
+- ret = netlink_dump(sk);
++ ret = netlink_dump(sk, true);
+
+ sock_put(sk);
+
+--
+2.43.0
+
--- /dev/null
+From eef7b3ae9736e8b0f6ce7d93a80eae340856dd5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Feb 2024 11:24:53 +1100
+Subject: NFS: avoid infinite loop in pnfs_update_layout.
+
+From: NeilBrown <neilb@suse.de>
+
+[ Upstream commit 2fdbc20036acda9e5694db74a032d3c605323005 ]
+
+If pnfsd_update_layout() is called on a file for which recovery has
+failed it will enter a tight infinite loop.
+
+NFS_LAYOUT_INVALID_STID will be set, nfs4_select_rw_stateid() will
+return -EIO, and nfs4_schedule_stateid_recovery() will do nothing, so
+nfs4_client_recover_expired_lease() will not wait. So the code will
+loop indefinitely.
+
+Break the loop by testing the validity of the open stateid at the top of
+the loop.
+
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/pnfs.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
+index 4448ff829cbb9..8c1f47ca5dc53 100644
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -1997,6 +1997,14 @@ pnfs_update_layout(struct inode *ino,
+ }
+
+ lookup_again:
++ if (!nfs4_valid_open_stateid(ctx->state)) {
++ trace_pnfs_update_layout(ino, pos, count,
++ iomode, lo, lseg,
++ PNFS_UPDATE_LAYOUT_INVALID_OPEN);
++ lseg = ERR_PTR(-EIO);
++ goto out;
++ }
++
+ lseg = ERR_PTR(nfs4_client_recover_expired_lease(clp));
+ if (IS_ERR(lseg))
+ goto out;
+--
+2.43.0
+
--- /dev/null
+From b79f43644c7ace46af0f1a711d1e52065d3b7682 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Mar 2024 06:20:30 -0800
+Subject: nvme: clear caller pointer on identify failure
+
+From: Keith Busch <kbusch@kernel.org>
+
+[ Upstream commit 7e80eb792bd7377a20f204943ac31c77d859be89 ]
+
+The memory allocated for the identification is freed on failure. Set
+it to NULL so the caller doesn't have a pointer to that freed address.
+
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index 1aff793a1d77e..0729ab5430725 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -1366,8 +1366,10 @@ static int nvme_identify_ctrl(struct nvme_ctrl *dev, struct nvme_id_ctrl **id)
+
+ error = nvme_submit_sync_cmd(dev->admin_q, &c, *id,
+ sizeof(struct nvme_id_ctrl));
+- if (error)
++ if (error) {
+ kfree(*id);
++ *id = NULL;
++ }
+ return error;
+ }
+
+@@ -1496,6 +1498,7 @@ static int nvme_identify_ns(struct nvme_ctrl *ctrl, unsigned nsid,
+ if (error) {
+ dev_warn(ctrl->device, "Identify namespace failed (%d)\n", error);
+ kfree(*id);
++ *id = NULL;
+ }
+ return error;
+ }
+--
+2.43.0
+
--- /dev/null
+From a439ba23b21514f8b86754aff8501798a074a559 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 May 2024 10:53:06 +0300
+Subject: nvmet-rdma: fix possible bad dereference when freeing rsps
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+[ Upstream commit 73964c1d07c054376f1b32a62548571795159148 ]
+
+It is possible that the host connected and saw a cm established
+event and started sending nvme capsules on the qp, however the
+ctrl did not yet see an established event. This is why the
+rsp_wait_list exists (for async handling of these cmds, we move
+them to a pending list).
+
+Furthermore, it is possible that the ctrl cm times out, resulting
+in a connect-error cm event. in this case we hit a bad deref [1]
+because in nvmet_rdma_free_rsps we assume that all the responses
+are in the free list.
+
+We are freeing the cmds array anyways, so don't even bother to
+remove the rsp from the free_list. It is also guaranteed that we
+are not racing anything when we are releasing the queue so no
+other context accessing this array should be running.
+
+[1]:
+--
+Workqueue: nvmet-free-wq nvmet_rdma_free_queue_work [nvmet_rdma]
+[...]
+pc : nvmet_rdma_free_rsps+0x78/0xb8 [nvmet_rdma]
+lr : nvmet_rdma_free_queue_work+0x88/0x120 [nvmet_rdma]
+ Call trace:
+ nvmet_rdma_free_rsps+0x78/0xb8 [nvmet_rdma]
+ nvmet_rdma_free_queue_work+0x88/0x120 [nvmet_rdma]
+ process_one_work+0x1ec/0x4a0
+ worker_thread+0x48/0x490
+ kthread+0x158/0x160
+ ret_from_fork+0x10/0x18
+--
+
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/rdma.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/nvme/target/rdma.c b/drivers/nvme/target/rdma.c
+index 4597bca43a6d8..a6d55ebb82382 100644
+--- a/drivers/nvme/target/rdma.c
++++ b/drivers/nvme/target/rdma.c
+@@ -473,12 +473,8 @@ nvmet_rdma_alloc_rsps(struct nvmet_rdma_queue *queue)
+ return 0;
+
+ out_free:
+- while (--i >= 0) {
+- struct nvmet_rdma_rsp *rsp = &queue->rsps[i];
+-
+- list_del(&rsp->free_list);
+- nvmet_rdma_free_rsp(ndev, rsp);
+- }
++ while (--i >= 0)
++ nvmet_rdma_free_rsp(ndev, &queue->rsps[i]);
+ kfree(queue->rsps);
+ out:
+ return ret;
+@@ -489,12 +485,8 @@ static void nvmet_rdma_free_rsps(struct nvmet_rdma_queue *queue)
+ struct nvmet_rdma_device *ndev = queue->dev;
+ int i, nr_rsps = queue->recv_queue_size * 2;
+
+- for (i = 0; i < nr_rsps; i++) {
+- struct nvmet_rdma_rsp *rsp = &queue->rsps[i];
+-
+- list_del(&rsp->free_list);
+- nvmet_rdma_free_rsp(ndev, rsp);
+- }
++ for (i = 0; i < nr_rsps; i++)
++ nvmet_rdma_free_rsp(ndev, &queue->rsps[i]);
+ kfree(queue->rsps);
+ }
+
+--
+2.43.0
+
--- /dev/null
+From f526751a74645696449217ea70c7e34ffb5922fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Mar 2024 08:11:05 +0100
+Subject: nvmet-tcp: do not continue for invalid icreq
+
+From: Hannes Reinecke <hare@suse.de>
+
+[ Upstream commit 0889d13b9e1cbef49e802ae09f3b516911ad82a1 ]
+
+When the length check for an icreq sqe fails we should not
+continue processing but rather return immediately as all
+other contents of that sqe cannot be relied on.
+
+Signed-off-by: Hannes Reinecke <hare@suse.de>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/tcp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/nvme/target/tcp.c b/drivers/nvme/target/tcp.c
+index 5556f55880411..76b9eb438268f 100644
+--- a/drivers/nvme/target/tcp.c
++++ b/drivers/nvme/target/tcp.c
+@@ -836,6 +836,7 @@ static int nvmet_tcp_handle_icreq(struct nvmet_tcp_queue *queue)
+ pr_err("bad nvme-tcp pdu length (%d)\n",
+ le32_to_cpu(icreq->hdr.plen));
+ nvmet_tcp_fatal_error(queue);
++ return -EPROTO;
+ }
+
+ if (icreq->pfv != NVME_TCP_PFV_1_0) {
+--
+2.43.0
+
--- /dev/null
+From fc3e1e312c5ffcda87c6dd74ea3de0b67d2fc41d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Dec 2023 16:30:51 +0100
+Subject: nvmet-trace: avoid dereferencing pointer too early
+
+From: Daniel Wagner <dwagner@suse.de>
+
+[ Upstream commit 0e716cec6fb11a14c220ee17c404b67962e902f7 ]
+
+The first command issued from the host to the target is the fabrics
+connect command. At this point, neither the target queue nor the
+controller have been allocated. But we already try to trace this command
+in nvmet_req_init.
+
+Reported by KASAN.
+
+Reviewed-by: Hannes Reinecke <hare@suse.de>
+Signed-off-by: Daniel Wagner <dwagner@suse.de>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/trace.c | 6 +++---
+ drivers/nvme/target/trace.h | 28 +++++++++++++++++-----------
+ 2 files changed, 20 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/nvme/target/trace.c b/drivers/nvme/target/trace.c
+index bff454d46255b..6ee1f3db81d04 100644
+--- a/drivers/nvme/target/trace.c
++++ b/drivers/nvme/target/trace.c
+@@ -211,7 +211,7 @@ const char *nvmet_trace_disk_name(struct trace_seq *p, char *name)
+ return ret;
+ }
+
+-const char *nvmet_trace_ctrl_name(struct trace_seq *p, struct nvmet_ctrl *ctrl)
++const char *nvmet_trace_ctrl_id(struct trace_seq *p, u16 ctrl_id)
+ {
+ const char *ret = trace_seq_buffer_ptr(p);
+
+@@ -224,8 +224,8 @@ const char *nvmet_trace_ctrl_name(struct trace_seq *p, struct nvmet_ctrl *ctrl)
+ * If we can know the extra data of the connect command in this stage,
+ * we can update this print statement later.
+ */
+- if (ctrl)
+- trace_seq_printf(p, "%d", ctrl->cntlid);
++ if (ctrl_id)
++ trace_seq_printf(p, "%d", ctrl_id);
+ else
+ trace_seq_printf(p, "_");
+ trace_seq_putc(p, 0);
+diff --git a/drivers/nvme/target/trace.h b/drivers/nvme/target/trace.h
+index 974d99d47f514..7f7ebf9558e50 100644
+--- a/drivers/nvme/target/trace.h
++++ b/drivers/nvme/target/trace.h
+@@ -32,18 +32,24 @@ const char *nvmet_trace_parse_fabrics_cmd(struct trace_seq *p, u8 fctype,
+ nvmet_trace_parse_nvm_cmd(p, opcode, cdw10) : \
+ nvmet_trace_parse_admin_cmd(p, opcode, cdw10)))
+
+-const char *nvmet_trace_ctrl_name(struct trace_seq *p, struct nvmet_ctrl *ctrl);
+-#define __print_ctrl_name(ctrl) \
+- nvmet_trace_ctrl_name(p, ctrl)
++const char *nvmet_trace_ctrl_id(struct trace_seq *p, u16 ctrl_id);
++#define __print_ctrl_id(ctrl_id) \
++ nvmet_trace_ctrl_id(p, ctrl_id)
+
+ const char *nvmet_trace_disk_name(struct trace_seq *p, char *name);
+ #define __print_disk_name(name) \
+ nvmet_trace_disk_name(p, name)
+
+ #ifndef TRACE_HEADER_MULTI_READ
+-static inline struct nvmet_ctrl *nvmet_req_to_ctrl(struct nvmet_req *req)
++static inline u16 nvmet_req_to_ctrl_id(struct nvmet_req *req)
+ {
+- return req->sq->ctrl;
++ /*
++ * The queue and controller pointers are not valid until an association
++ * has been established.
++ */
++ if (!req->sq || !req->sq->ctrl)
++ return 0;
++ return req->sq->ctrl->cntlid;
+ }
+
+ static inline void __assign_req_name(char *name, struct nvmet_req *req)
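Review bot: nvmet_req_to_ctrl_id() uses 0 to mean "no controller yet", and nvmet_trace_ctrl_id() prints `_` for it, so a controller whose cntlid were 0 would be traced as absent. Whether 0 can be a valid cntlid is not visible in this patch. If it cannot, the helper's comment should say so, e.g. `/* Returns 0, which is never a valid cntlid, when no association exists yet. */`.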
+@@ -62,7 +68,7 @@ TRACE_EVENT(nvmet_req_init,
+ TP_ARGS(req, cmd),
+ TP_STRUCT__entry(
+ __field(struct nvme_command *, cmd)
+- __field(struct nvmet_ctrl *, ctrl)
++ __field(u16, ctrl_id)
+ __array(char, disk, DISK_NAME_LEN)
+ __field(int, qid)
+ __field(u16, cid)
+@@ -75,7 +81,7 @@ TRACE_EVENT(nvmet_req_init,
+ ),
+ TP_fast_assign(
+ __entry->cmd = cmd;
+- __entry->ctrl = nvmet_req_to_ctrl(req);
++ __entry->ctrl_id = nvmet_req_to_ctrl_id(req);
+ __assign_req_name(__entry->disk, req);
+ __entry->qid = req->sq->qid;
+ __entry->cid = cmd->common.command_id;
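Review bot: `__entry->qid = req->sq->qid;` in this TP_fast_assign still reads through `req->sq` without a check, while the new nvmet_req_to_ctrl_id() treats `req->sq` as possibly NULL. The two are inconsistent: either the `!req->sq` test in the helper is unnecessary, or this line needs the same guard, e.g. `__entry->qid = req->sq ? req->sq->qid : 0;`. __assign_req_name() is called on the same request and its body is outside the hunk, so it is worth checking for the same early dereference.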
+@@ -89,7 +95,7 @@ TRACE_EVENT(nvmet_req_init,
+ ),
+ TP_printk("nvmet%s: %sqid=%d, cmdid=%u, nsid=%u, flags=%#x, "
+ "meta=%#llx, cmd=(%s, %s)",
+- __print_ctrl_name(__entry->ctrl),
++ __print_ctrl_id(__entry->ctrl_id),
+ __print_disk_name(__entry->disk),
+ __entry->qid, __entry->cid, __entry->nsid,
+ __entry->flags, __entry->metadata,
+@@ -103,7 +109,7 @@ TRACE_EVENT(nvmet_req_complete,
+ TP_PROTO(struct nvmet_req *req),
+ TP_ARGS(req),
+ TP_STRUCT__entry(
+- __field(struct nvmet_ctrl *, ctrl)
++ __field(u16, ctrl_id)
+ __array(char, disk, DISK_NAME_LEN)
+ __field(int, qid)
+ __field(int, cid)
+@@ -111,7 +117,7 @@ TRACE_EVENT(nvmet_req_complete,
+ __field(u16, status)
+ ),
+ TP_fast_assign(
+- __entry->ctrl = nvmet_req_to_ctrl(req);
++ __entry->ctrl_id = nvmet_req_to_ctrl_id(req);
+ __entry->qid = req->cq->qid;
+ __entry->cid = req->cqe->command_id;
+ __entry->result = le64_to_cpu(req->cqe->result.u64);
+@@ -119,7 +125,7 @@ TRACE_EVENT(nvmet_req_complete,
+ __assign_req_name(__entry->disk, req);
+ ),
+ TP_printk("nvmet%s: %sqid=%d, cmdid=%u, res=%#llx, status=%#x",
+- __print_ctrl_name(__entry->ctrl),
++ __print_ctrl_id(__entry->ctrl_id),
+ __print_disk_name(__entry->disk),
+ __entry->qid, __entry->cid, __entry->result, __entry->status)
+
+--
+2.43.0
+
--- /dev/null
+From a796628e0c60ff6795d5918a1dbc50cfa96dc8b3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Feb 2024 16:29:30 -0800
+Subject: openrisc: Call setup_memory() earlier in the init sequence
+
+From: Oreoluwa Babatunde <quic_obabatun@quicinc.com>
+
+[ Upstream commit 7b432bf376c9c198a7ff48f1ed14a14c0ffbe1fe ]
+
+The unflatten_and_copy_device_tree() function contains a call to
+memblock_alloc(). This means that memblock is allocating memory before
+any of the reserved memory regions are set aside in the setup_memory()
+function which calls early_init_fdt_scan_reserved_mem(). Therefore,
+there is a possibility for memblock to allocate from any of the
+reserved memory regions.
+
+Hence, move the call to setup_memory() to be earlier in the init
+sequence so that the reserved memory regions are set aside before any
+allocations are done using memblock.
+
+Signed-off-by: Oreoluwa Babatunde <quic_obabatun@quicinc.com>
+Signed-off-by: Stafford Horne <shorne@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/openrisc/kernel/setup.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/openrisc/kernel/setup.c b/arch/openrisc/kernel/setup.c
+index 0cd04d936a7a1..f2fe45d3094df 100644
+--- a/arch/openrisc/kernel/setup.c
++++ b/arch/openrisc/kernel/setup.c
+@@ -270,6 +270,9 @@ void calibrate_delay(void)
+
+ void __init setup_arch(char **cmdline_p)
+ {
++ /* setup memblock allocator */
++ setup_memory();
++
+ unflatten_and_copy_device_tree();
+
+ setup_cpuinfo();
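Review bot: The comment `/* setup memblock allocator */` moved with the call but does not record why the call must now come first, so a later reordering of setup_arch() could silently reintroduce allocation from reserved regions. Suggest replacing it with `/* Reserve memory regions before unflatten_and_copy_device_tree(), which allocates from memblock */`. The rest of setup_arch() lies outside the hunk, so whether setup_memory() depends on anything that used to run before it cannot be confirmed from here.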
+@@ -293,9 +296,6 @@ void __init setup_arch(char **cmdline_p)
+ }
+ #endif
+
+- /* setup memblock allocator */
+- setup_memory();
+-
+ /* paging_init() sets up the MMU and marks all pages as reserved */
+ paging_init();
+
+--
+2.43.0
+
--- /dev/null
+From 492da3b59d09bd0a5b0287db6830be6716e4fe71 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Nov 2023 23:16:00 +0100
+Subject: parisc: Use irq_enter_rcu() to fix warning at
+ kernel/context_tracking.c:367
+
+From: Helge Deller <deller@gmx.de>
+
+[ Upstream commit 73cb4a2d8d7e0259f94046116727084f21e4599f ]
+
+Use irq*_rcu() functions to fix this kernel warning:
+
+ WARNING: CPU: 0 PID: 0 at kernel/context_tracking.c:367 ct_irq_enter+0xa0/0xd0
+ Modules linked in:
+ CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.7.0-rc3-64bit+ #1037
+ Hardware name: 9000/785/C3700
+
+ IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000412cd758 00000000412cd75c
+ IIR: 03ffe01f ISR: 0000000000000000 IOR: 0000000043c20c20
+ CPU: 0 CR30: 0000000041caa000 CR31: 0000000000000000
+ ORIG_R28: 0000000000000005
+ IAOQ[0]: ct_irq_enter+0xa0/0xd0
+ IAOQ[1]: ct_irq_enter+0xa4/0xd0
+ RP(r2): irq_enter+0x34/0x68
+ Backtrace:
+ [<000000004034a3ec>] irq_enter+0x34/0x68
+ [<000000004030dc48>] do_cpu_irq_mask+0xc0/0x450
+ [<0000000040303070>] intr_return+0x0/0xc
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/parisc/kernel/irq.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/parisc/kernel/irq.c b/arch/parisc/kernel/irq.c
+index 9ddb2e3970589..b481cde6bfb62 100644
+--- a/arch/parisc/kernel/irq.c
++++ b/arch/parisc/kernel/irq.c
+@@ -501,7 +501,7 @@ void do_cpu_irq_mask(struct pt_regs *regs)
+
+ old_regs = set_irq_regs(regs);
+ local_irq_disable();
+- irq_enter();
++ irq_enter_rcu();
+
+ eirr_val = mfctl(23) & cpu_eiem & per_cpu(local_ack_eiem, cpu);
+ if (!eirr_val)
+@@ -536,7 +536,7 @@ void do_cpu_irq_mask(struct pt_regs *regs)
+ #endif /* CONFIG_IRQSTACKS */
+
+ out:
+- irq_exit();
++ irq_exit_rcu();
+ set_irq_regs(old_regs);
+ return;
+
+--
+2.43.0
+
--- /dev/null
+From db159e2272c3701f6e1d15fcd0e8e4f0007ae427 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 3 Apr 2024 16:34:27 +0200
+Subject: platform/x86: lg-laptop: fix %s null argument warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Gergo Koteles <soyer@irl.hu>
+
+[ Upstream commit e71c8481692582c70cdfd0996c20cdcc71e425d3 ]
+
+W=1 warns about null argument to kprintf:
+warning: ‘%s’ directive argument is null [-Wformat-overflow=]
+pr_info("product: %s year: %d\n", product, year);
+
+Use "unknown" instead of NULL.
+
+Signed-off-by: Gergo Koteles <soyer@irl.hu>
+Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
+Link: https://lore.kernel.org/r/33d40e976f08f82b9227d0ecae38c787fcc0c0b2.1712154684.git.soyer@irl.hu
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/lg-laptop.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/platform/x86/lg-laptop.c b/drivers/platform/x86/lg-laptop.c
+index 2e1dc91bfc764..5704981d18487 100644
+--- a/drivers/platform/x86/lg-laptop.c
++++ b/drivers/platform/x86/lg-laptop.c
+@@ -715,7 +715,7 @@ static int acpi_add(struct acpi_device *device)
+ default:
+ year = 2019;
+ }
+- pr_info("product: %s year: %d\n", product, year);
++ pr_info("product: %s year: %d\n", product ?: "unknown", year);
+
+ if (year >= 2019)
+ battery_limit_use_wmbb = 1;
+--
+2.43.0
+
--- /dev/null
+From 1d71db1baeabdde18e40872ff9b2582f74aa8309 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Dec 2022 10:18:16 +0800
+Subject: powerpc/boot: Handle allocation failure in simple_realloc()
+
+From: Li zeming <zeming@nfschina.com>
+
+[ Upstream commit 69b0194ccec033c208b071e019032c1919c2822d ]
+
+simple_malloc() will return NULL when there is not enough memory left.
+Check pointer 'new' before using it to copy the old data.
+
+Signed-off-by: Li zeming <zeming@nfschina.com>
+[mpe: Reword subject, use change log from Christophe]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20221219021816.3012-1-zeming@nfschina.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/boot/simple_alloc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/boot/simple_alloc.c b/arch/powerpc/boot/simple_alloc.c
+index 267d6524caac4..db9aaa5face3f 100644
+--- a/arch/powerpc/boot/simple_alloc.c
++++ b/arch/powerpc/boot/simple_alloc.c
+@@ -112,7 +112,9 @@ static void *simple_realloc(void *ptr, unsigned long size)
+ return ptr;
+
+ new = simple_malloc(size);
+- memcpy(new, ptr, p->size);
++ if (new)
++ memcpy(new, ptr, p->size);
++
+ simple_free(ptr);
+ return new;
+ }
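Review bot: With the new `if (new)` guard a failed simple_malloc() no longer passes NULL to memcpy(), but `simple_free(ptr)` still runs on that path, so the function returns NULL after releasing the caller's only copy of the data. The free belongs inside the success branch: `if (new) { memcpy(new, ptr, p->size); simple_free(ptr); }`. The next patch in this queue, "powerpc/boot: Only free if realloc() succeeds", makes that change, so the two should be backported together. simple_realloc() begins above the hunk.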
+--
+2.43.0
+
--- /dev/null
+From 98675d2c661b16fa7dc510d05042f6e4cbf74c38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Feb 2024 22:51:49 +1100
+Subject: powerpc/boot: Only free if realloc() succeeds
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit f2d5bccaca3e8c09c9b9c8485375f7bdbb2631d2 ]
+
+simple_realloc() frees the original buffer (ptr) even if the
+reallocation failed.
+
+Fix it to behave like standard realloc() and only free the original
+buffer if the reallocation succeeded.
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20240229115149.749264-1-mpe@ellerman.id.au
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/boot/simple_alloc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/boot/simple_alloc.c b/arch/powerpc/boot/simple_alloc.c
+index db9aaa5face3f..d07796fdf91aa 100644
+--- a/arch/powerpc/boot/simple_alloc.c
++++ b/arch/powerpc/boot/simple_alloc.c
+@@ -112,10 +112,11 @@ static void *simple_realloc(void *ptr, unsigned long size)
+ return ptr;
+
+ new = simple_malloc(size);
+- if (new)
++ if (new) {
+ memcpy(new, ptr, p->size);
++ simple_free(ptr);
++ }
+
+- simple_free(ptr);
+ return new;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 0a1c5100e1c591866f86c4634b773d6e1e643ece Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Nov 2023 11:06:51 +0800
+Subject: powerpc/xics: Check return value of kasprintf in
+ icp_native_map_one_cpu
+
+From: Kunwu Chan <chentao@kylinos.cn>
+
+[ Upstream commit 45b1ba7e5d1f6881050d558baf9bc74a2ae13930 ]
+
+kasprintf() returns a pointer to dynamically allocated memory
+which can be NULL upon failure. Ensure the allocation was successful
+by checking the pointer validity.
+
+Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20231122030651.3818-1-chentao@kylinos.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/sysdev/xics/icp-native.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/powerpc/sysdev/xics/icp-native.c b/arch/powerpc/sysdev/xics/icp-native.c
+index edc17b6b1cc2f..9b2238d73003b 100644
+--- a/arch/powerpc/sysdev/xics/icp-native.c
++++ b/arch/powerpc/sysdev/xics/icp-native.c
+@@ -236,6 +236,8 @@ static int __init icp_native_map_one_cpu(int hw_id, unsigned long addr,
+ rname = kasprintf(GFP_KERNEL, "CPU %d [0x%x] Interrupt Presentation",
+ cpu, hw_id);
+
++ if (!rname)
++ return -ENOMEM;
+ if (!request_mem_region(addr, size, rname)) {
+ pr_warn("icp_native: Could not reserve ICP MMIO for CPU %d, interrupt server #0x%x\n",
+ cpu, hw_id);
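Review bot: The new `if (!rname)` test is separated from the kasprintf() it checks by a blank line and runs straight into the request_mem_region() call. Placing it directly under the allocation, with the blank line after `return -ENOMEM;`, would read better. The failure branch of request_mem_region() continues past the hunk; if it returns without `kfree(rname)`, the string allocated here is leaked on that path, which is worth confirming in the full function.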
+--
+2.43.0
+
--- /dev/null
+From b30be09531e6b108a97bbd766d4d1671acf9a211 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Oct 2023 13:34:08 +0200
+Subject: quota: Remove BUG_ON from dqget()
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 249f374eb9b6b969c64212dd860cc1439674c4a8 ]
+
+dqget() checks whether dquot->dq_sb is set when returning it using
+BUG_ON. Firstly this doesn't work as an invalidation check for quite
+some time (we release dquot with dq_sb set these days), secondly using
+BUG_ON is quite harsh. Use WARN_ON_ONCE and check whether dquot is still
+hashed instead.
+
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/quota/dquot.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
+index b67557647d61f..f7ab6b44011b5 100644
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -995,9 +995,8 @@ struct dquot *dqget(struct super_block *sb, struct kqid qid)
+ * smp_mb__before_atomic() in dquot_acquire().
+ */
+ smp_rmb();
+-#ifdef CONFIG_QUOTA_DEBUG
+- BUG_ON(!dquot->dq_sb); /* Has somebody invalidated entry under us? */
+-#endif
++ /* Has somebody invalidated entry under us? */
++ WARN_ON_ONCE(hlist_unhashed(&dquot->dq_hash));
+ out:
+ if (empty)
+ do_destroy_dquot(empty);
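Review bot: `WARN_ON_ONCE(hlist_unhashed(&dquot->dq_hash))` only reports the condition; execution falls through to `out:` and, as far as the hunk shows, the dquot is still handed back to the caller. If an unhashed dquot here means the entry was invalidated, the comment should state that the warning is diagnostic only, or the check should be written as `if (WARN_ON_ONCE(...))` with a recovery path chosen against the rest of dqget(), which is outside the hunk. The check is also no longer limited to CONFIG_QUOTA_DEBUG builds, so it can now fire on production kernels.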
+--
+2.43.0
+
--- /dev/null
+From d561db60584fbb1a8acaaff0d58f647ac209c9a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Feb 2024 23:21:27 +0100
+Subject: rtc: nct3018y: fix possible NULL dereference
+
+From: Alexandre Belloni <alexandre.belloni@bootlin.com>
+
+[ Upstream commit babfeb9cbe7ebc657bd5b3e4f9fde79f560b6acc ]
+
+alarm_enable and alarm_flag are allowed to be NULL but will be dereferenced
+later by the dev_dbg call.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <error27@gmail.com>
+Closes: https://lore.kernel.org/r/202305180042.DEzW1pSd-lkp@intel.com/
+Link: https://lore.kernel.org/r/20240229222127.1878176-1-alexandre.belloni@bootlin.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-nct3018y.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/rtc/rtc-nct3018y.c b/drivers/rtc/rtc-nct3018y.c
+index d43acd3920ed3..108eced8f0030 100644
+--- a/drivers/rtc/rtc-nct3018y.c
++++ b/drivers/rtc/rtc-nct3018y.c
+@@ -99,6 +99,8 @@ static int nct3018y_get_alarm_mode(struct i2c_client *client, unsigned char *ala
+ if (flags < 0)
+ return flags;
+ *alarm_enable = flags & NCT3018Y_BIT_AIE;
++ dev_dbg(&client->dev, "%s:alarm_enable:%x\n", __func__, *alarm_enable);
++
+ }
+
+ if (alarm_flag) {
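Review bot: The added `dev_dbg()` in the `alarm_enable` branch is followed by an empty line directly before the closing brace, which `checkpatch --strict` reports and which the matching `alarm_flag` branch in the next hunk does not have. Dropping that blank line keeps the two branches identical in shape.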
+@@ -107,11 +109,9 @@ static int nct3018y_get_alarm_mode(struct i2c_client *client, unsigned char *ala
+ if (flags < 0)
+ return flags;
+ *alarm_flag = flags & NCT3018Y_BIT_AF;
++ dev_dbg(&client->dev, "%s:alarm_flag:%x\n", __func__, *alarm_flag);
+ }
+
+- dev_dbg(&client->dev, "%s:alarm_enable:%x alarm_flag:%x\n",
+- __func__, *alarm_enable, *alarm_flag);
+-
+ return 0;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From 9878b94990528894f3cd8a27ca3ec57182be12f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Feb 2024 13:13:26 +0100
+Subject: s390/iucv: fix receive buffer virtual vs physical address confusion
+
+From: Alexander Gordeev <agordeev@linux.ibm.com>
+
+[ Upstream commit 4e8477aeb46dfe74e829c06ea588dd00ba20c8cc ]
+
+Fix IUCV_IPBUFLST-type buffers virtual vs physical address confusion.
+This does not fix a bug since virtual and physical address spaces are
+currently the same.
+
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/iucv/iucv.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c
+index db41eb2d977f2..038e1ba9aec27 100644
+--- a/net/iucv/iucv.c
++++ b/net/iucv/iucv.c
+@@ -1090,8 +1090,7 @@ static int iucv_message_receive_iprmdata(struct iucv_path *path,
+ size = (size < 8) ? size : 8;
+ for (array = buffer; size > 0; array++) {
+ copy = min_t(size_t, size, array->length);
+- memcpy((u8 *)(addr_t) array->address,
+- rmmsg, copy);
++ memcpy(phys_to_virt(array->address), rmmsg, copy);
+ rmmsg += copy;
+ size -= copy;
+ }
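Review bot: The copy loop `for (array = buffer; size > 0; array++)` has no bound on the number of list entries: it ends only when `size` reaches 0. A list whose `length` fields sum to less than `size` therefore lets `array` run past the end and hands whatever `address` it finds to `phys_to_virt()` and `memcpy()`. Where the buffer list comes from is outside the hunk; if the callers do not guarantee enough room, the loop needs an entry count or a check against a caller-supplied limit. The function begins above the hunk.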
+--
+2.43.0
+
--- /dev/null
+From ace7bcad92740dbd3380bf34b6c9663b46d13db7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jan 2024 10:50:56 -0800
+Subject: scsi: lpfc: Initialize status local variable in
+ lpfc_sli4_repost_sgl_list()
+
+From: Justin Tee <justin.tee@broadcom.com>
+
+[ Upstream commit 3d0f9342ae200aa1ddc4d6e7a573c6f8f068d994 ]
+
+A static code analyzer tool indicates that the local variable called status
+in the lpfc_sli4_repost_sgl_list() routine could be used to print garbage
+uninitialized values in the routine's log message.
+
+Fix by initializing to zero.
+
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Link: https://lore.kernel.org/r/20240131185112.149731-2-justintee8345@gmail.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_sli.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
+index 47b8102a7063a..587e3c2f7c48c 100644
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -7596,7 +7596,7 @@ lpfc_sli4_repost_sgl_list(struct lpfc_hba *phba,
+ struct lpfc_sglq *sglq_entry = NULL;
+ struct lpfc_sglq *sglq_entry_next = NULL;
+ struct lpfc_sglq *sglq_entry_first = NULL;
+- int status, total_cnt;
++ int status = 0, total_cnt;
+ int post_cnt = 0, num_posted = 0, block_cnt = 0;
+ int last_xritag = NO_XRI;
+ LIST_HEAD(prep_sgl_list);
+--
+2.43.0
+
--- /dev/null
+From 2e7194802a740ab6ef47e19e56bd1b06c03610d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Mar 2024 22:45:28 +0100
+Subject: serial: pch: Don't disable interrupts while acquiring lock in ISR.
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit f8ff23ebce8c305383c8070e1ea3b08a69eb1e8d ]
+
+The interrupt service routine is always invoked with disabled
+interrupts.
+
+Remove the _irqsave() from the locking functions in the interrupts
+service routine/ pch_uart_interrupt().
+
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Link: https://lore.kernel.org/r/20240301215246.891055-16-bigeasy@linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/pch_uart.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/tty/serial/pch_uart.c b/drivers/tty/serial/pch_uart.c
+index abff1c6470f6a..d638e890ef6f0 100644
+--- a/drivers/tty/serial/pch_uart.c
++++ b/drivers/tty/serial/pch_uart.c
+@@ -1023,11 +1023,10 @@ static irqreturn_t pch_uart_interrupt(int irq, void *dev_id)
+ u8 lsr;
+ int ret = 0;
+ unsigned char iid;
+- unsigned long flags;
+ int next = 1;
+ u8 msr;
+
+- spin_lock_irqsave(&priv->lock, flags);
++ spin_lock(&priv->lock);
+ handled = 0;
+ while (next) {
+ iid = pch_uart_hal_get_iid(priv);
+@@ -1087,7 +1086,7 @@ static irqreturn_t pch_uart_interrupt(int irq, void *dev_id)
+ handled |= (unsigned int)ret;
+ }
+
+- spin_unlock_irqrestore(&priv->lock, flags);
++ spin_unlock(&priv->lock);
+ return IRQ_RETVAL(handled);
+ }
+
+--
+2.43.0
+
rust-fix-the-default-format-for-config_-rustc-bindge.patch
arm64-fix-kasan-random-tag-seed-initialization.patch
block-fix-lockdep-warning-in-blk_mq_mark_tag_wait.patch
+drm-msm-reduce-fallout-of-fence-signaling-vs-reclaim.patch
+memory-tegra-skip-sid-programming-if-sid-registers-a.patch
+powerpc-xics-check-return-value-of-kasprintf-in-icp_.patch
+asoc-sof-ipc4-check-return-value-of-snd_sof_ipc_msg_.patch
+hwmon-pc87360-bounds-check-data-innr-usage.patch
+drm-rockchip-vop2-clear-afbc-en-and-transform-bit-fo.patch
+bluetooth-hci_conn-check-non-null-function-before-ca.patch
+gfs2-refcounting-fix-in-gfs2_thaw_super.patch
+drm-amdgpu-gfx11-need-acquire-mutex-before-access-cp.patch
+nvmet-trace-avoid-dereferencing-pointer-too-early.patch
+ext4-do-not-trim-the-group-with-corrupted-block-bitm.patch
+afs-fix-__afs_break_callback-afs_drop_open_mmap-race.patch
+fuse-fix-uaf-in-rcu-pathwalks.patch
+quota-remove-bug_on-from-dqget.patch
+kernfs-fix-false-positive-warn-nr_mmapped-in-kernfs_.patch
+media-pci-cx23885-check-cx23885_vdev_init-return.patch
+fs-binfmt_elf_efpic-don-t-use-missing-interpreter-s-.patch
+scsi-lpfc-initialize-status-local-variable-in-lpfc_s.patch
+media-drivers-media-dvb-core-copy-user-arrays-safely.patch
+net-sun3_82586-avoid-reading-past-buffer-in-debug-ou.patch
+drm-lima-set-gp-bus_stop-bit-before-hard-reset.patch
+hrtimer-select-housekeeping-cpu-during-migration.patch
+virtiofs-forbid-newlines-in-tags.patch
+clocksource-drivers-arm_global_timer-guard-against-d.patch
+netlink-hold-nlk-cb_mutex-longer-in-__netlink_dump_s.patch
+md-clean-up-invalid-bug_on-in-md_ioctl.patch
+x86-increase-brk-randomness-entropy-for-64-bit-syste.patch
+memory-stm32-fmc2-ebi-check-regmap_read-return-value.patch
+parisc-use-irq_enter_rcu-to-fix-warning-at-kernel-co.patch
+serial-pch-don-t-disable-interrupts-while-acquiring-.patch
+powerpc-boot-handle-allocation-failure-in-simple_rea.patch
+powerpc-boot-only-free-if-realloc-succeeds.patch
+btrfs-delayed-inode-drop-pointless-bug_on-in-__btrfs.patch
+btrfs-change-bug_on-to-assertion-when-checking-for-d.patch
+btrfs-tests-allocate-dummy-fs_info-and-root-in-test_.patch
+btrfs-handle-invalid-root-reference-found-in-may_des.patch
+btrfs-send-handle-unexpected-data-in-header-buffer-i.patch
+btrfs-change-bug_on-to-assertion-in-tree_move_down.patch
+btrfs-delete-pointless-bug_on-check-on-quota-root-in.patch
+f2fs-fix-to-do-sanity-check-in-update_sit_entry.patch
+usb-gadget-fsl-increase-size-of-name-buffer-for-endp.patch
+nvme-clear-caller-pointer-on-identify-failure.patch
+bluetooth-bnep-fix-out-of-bound-access.patch
+firmware-cirrus-cs_dsp-initialize-debugfs_root-to-in.patch
+rtc-nct3018y-fix-possible-null-dereference.patch
+net-hns3-add-checking-for-vf-id-of-mailbox.patch
+nvmet-tcp-do-not-continue-for-invalid-icreq.patch
+nfs-avoid-infinite-loop-in-pnfs_update_layout.patch
+openrisc-call-setup_memory-earlier-in-the-init-seque.patch
+s390-iucv-fix-receive-buffer-virtual-vs-physical-add.patch
+irqchip-renesas-rzg2l-do-not-set-tien-and-tint-sourc.patch
+clocksource-make-watchdog-and-suspend-timing-multipl.patch
+platform-x86-lg-laptop-fix-s-null-argument-warning.patch
+md-fix-overflow-in-is_mddev_idle.patch
+usb-dwc3-core-skip-setting-event-buffers-for-host-on.patch
+fbdev-offb-replace-of_node_put-with-__free-device_no.patch
+irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch
+ext4-set-the-type-of-max_zeroout-to-unsigned-int-to-.patch
+nvmet-rdma-fix-possible-bad-dereference-when-freeing.patch
+drm-amdgpu-fix-dereference-null-return-value-for-the.patch
+hrtimer-prevent-queuing-of-hrtimer-without-a-functio.patch
--- /dev/null
+From f9ef75935c9489ad1689580747958d8c3bbfe6d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Apr 2024 10:18:55 +0530
+Subject: usb: dwc3: core: Skip setting event buffers for host only controllers
+
+From: Krishna Kurapati <quic_kriskura@quicinc.com>
+
+[ Upstream commit 89d7f962994604a3e3d480832788d06179abefc5 ]
+
+On some SoC's like SA8295P where the tertiary controller is host-only
+capable, GEVTADDRHI/LO, GEVTSIZ, GEVTCOUNT registers are not accessible.
+Trying to access them leads to a crash.
+
+For DRD/Peripheral supported controllers, event buffer setup is done
+again in gadget_pullup. Skip setup or cleanup of event buffers if
+controller is host-only capable.
+
+Suggested-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Krishna Kurapati <quic_kriskura@quicinc.com>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Bjorn Andersson <andersson@kernel.org>
+Tested-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20240420044901.884098-4-quic_kriskura@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/core.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
+index 94bc7786a3c4e..4964fa7419efa 100644
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -506,6 +506,13 @@ static void dwc3_free_event_buffers(struct dwc3 *dwc)
+ static int dwc3_alloc_event_buffers(struct dwc3 *dwc, unsigned int length)
+ {
+ struct dwc3_event_buffer *evt;
++ unsigned int hw_mode;
++
++ hw_mode = DWC3_GHWPARAMS0_MODE(dwc->hwparams.hwparams0);
++ if (hw_mode == DWC3_GHWPARAMS0_MODE_HOST) {
++ dwc->ev_buf = NULL;
++ return 0;
++ }
+
+ evt = dwc3_alloc_one_event_buffer(dwc, length);
+ if (IS_ERR(evt)) {
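Review bot: The early return for `DWC3_GHWPARAMS0_MODE_HOST` has no comment; the reason (the event-buffer registers are not accessible on host-only controllers) exists only in the commit message. Suggest `/* Host-only controllers have no accessible event-buffer registers; leave ev_buf NULL so setup and cleanup are skipped. */` above the `if`. After this change `dwc->ev_buf` can legitimately be NULL. dwc3_event_buffers_setup() and dwc3_event_buffers_cleanup() are guarded in the following hunks, but dwc3_free_event_buffers() and any other reader of `ev_buf` are outside the diff and should be checked for the same case.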
+@@ -527,6 +534,9 @@ int dwc3_event_buffers_setup(struct dwc3 *dwc)
+ {
+ struct dwc3_event_buffer *evt;
+
++ if (!dwc->ev_buf)
++ return 0;
++
+ evt = dwc->ev_buf;
+ evt->lpos = 0;
+ dwc3_writel(dwc->regs, DWC3_GEVNTADRLO(0),
+@@ -544,6 +554,9 @@ void dwc3_event_buffers_cleanup(struct dwc3 *dwc)
+ {
+ struct dwc3_event_buffer *evt;
+
++ if (!dwc->ev_buf)
++ return;
++
+ evt = dwc->ev_buf;
+
+ evt->lpos = 0;
+--
+2.43.0
+
--- /dev/null
+From 8bf0e544ac00d087996c634d0baccf373a1ea1ed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Feb 2024 18:33:16 +0100
+Subject: usb: gadget: fsl: Increase size of name buffer for endpoints
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 87850f6cc20911e35eafcbc1d56b0d649ae9162d ]
+
+This fixes a W=1 warning about sprintf writing up to 16 bytes into a
+buffer of size 14. There is no practical relevance because there are not
+more than 32 endpoints.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Link: https://lore.kernel.org/r/6754df25c56aae04f8110594fad2cd2452b1862a.1708709120.git.u.kleine-koenig@pengutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/fsl_udc_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/fsl_udc_core.c b/drivers/usb/gadget/udc/fsl_udc_core.c
+index a67873a074b7b..c1a62ebd78d66 100644
+--- a/drivers/usb/gadget/udc/fsl_udc_core.c
++++ b/drivers/usb/gadget/udc/fsl_udc_core.c
+@@ -2487,7 +2487,7 @@ static int fsl_udc_probe(struct platform_device *pdev)
+ /* setup the udc->eps[] for non-control endpoints and link
+ * to gadget.ep_list */
+ for (i = 1; i < (int)(udc_controller->max_ep / 2); i++) {
+- char name[14];
++ char name[16];
+
+ sprintf(name, "ep%dout", i);
+ struct_ep_setup(udc_controller, i * 2, name, 1);
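Review bot: `sprintf(name, "ep%dout", i);` still writes into `name` with no bound, so the buffer's safety depends on the size arithmetic being right rather than on the call itself. With the array declared in the same block, `snprintf(name, sizeof(name), "ep%dout", i);` costs nothing and would have avoided the W=1 warning whatever the array size. The loop body continues past the hunk, and any further sprintf() into `name` there would want the same change.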
+--
+2.43.0
+
--- /dev/null
+From 8170ce24777809e6e6bf1c0d61e38396b41e9ea1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Feb 2024 19:11:47 -0500
+Subject: virtiofs: forbid newlines in tags
+
+From: Stefan Hajnoczi <stefanha@redhat.com>
+
+[ Upstream commit 40488cc16f7ea0d193a4e248f0d809c25cc377db ]
+
+Newlines in virtiofs tags are awkward for users and potential vectors
+for string injection attacks.
+
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/fuse/virtio_fs.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/fs/fuse/virtio_fs.c b/fs/fuse/virtio_fs.c
+index 4d8d4f16c727b..92d41269f1d35 100644
+--- a/fs/fuse/virtio_fs.c
++++ b/fs/fuse/virtio_fs.c
+@@ -323,6 +323,16 @@ static int virtio_fs_read_tag(struct virtio_device *vdev, struct virtio_fs *fs)
+ return -ENOMEM;
+ memcpy(fs->tag, tag_buf, len);
+ fs->tag[len] = '\0';
++
++ /* While the VIRTIO specification allows any character, newlines are
++ * awkward on mount(8) command-lines and cause problems in the sysfs
++ * "tag" attr and uevent TAG= properties. Forbid them.
++ */
++ if (strchr(fs->tag, '\n')) {
++ dev_dbg(&vdev->dev, "refusing virtiofs tag with newline character\n");
++ return -EINVAL;
++ }
++
+ return 0;
+ }
+
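Review bot: The rejection is reported with `dev_dbg()`, so on a default configuration the function returns -EINVAL with nothing in the kernel log to say why. `dev_err(&vdev->dev, "refusing virtiofs tag with newline character\n");` would make the refusal visible to whoever is diagnosing the failure. The check covers only `'\n'`; this hunk does not show whether other control characters in a device-supplied tag cause similar trouble in the sysfs attribute or uevent property. virtio_fs_read_tag() starts above the hunk, so how `fs->tag` is released on this new error return cannot be confirmed from here.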
+--
+2.43.0
+
--- /dev/null
+From dc9d49196365f17f8138d46a715f8512e34f6bd4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Feb 2024 22:25:43 -0800
+Subject: x86: Increase brk randomness entropy for 64-bit systems
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 44c76825d6eefee9eb7ce06c38e1a6632ac7eb7d ]
+
+In commit c1d171a00294 ("x86: randomize brk"), arch_randomize_brk() was
+defined to use a 32MB range (13 bits of entropy), but was never increased
+when moving to 64-bit. The default arch_randomize_brk() uses 32MB for
+32-bit tasks, and 1GB (18 bits of entropy) for 64-bit tasks.
+
+Update x86_64 to match the entropy used by arm64 and other 64-bit
+architectures.
+
+Reported-by: y0un9n132@gmail.com
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Jiri Kosina <jkosina@suse.com>
+Closes: https://lore.kernel.org/linux-hardening/CA+2EKTVLvc8hDZc+2Yhwmus=dzOUG5E4gV7ayCbu0MPJTZzWkw@mail.gmail.com/
+Link: https://lore.kernel.org/r/20240217062545.1631668-1-keescook@chromium.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/process.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
+index 279b5e9be80fc..acc83738bf5b4 100644
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -991,7 +991,10 @@ unsigned long arch_align_stack(unsigned long sp)
+
+ unsigned long arch_randomize_brk(struct mm_struct *mm)
+ {
+- return randomize_page(mm->brk, 0x02000000);
++ if (mmap_is_ia32())
++ return randomize_page(mm->brk, SZ_32M);
++
++ return randomize_page(mm->brk, SZ_1G);
+ }
+
+ /*
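Review bot: arch_randomize_brk() now picks between `SZ_32M` and `SZ_1G` without a comment saying what the two ranges are for, and the entropy figures exist only in the commit message. A short comment above the `if`, e.g. `/* 32MB range (13 bits) for 32-bit tasks, 1GB (18 bits) for 64-bit tasks */`, would keep the reasoning next to the constants.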
+--
+2.43.0
+