--- /dev/null
+From 5c7bb62cb8f53de71d8ab3d619be22740da0b837 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 14 Aug 2024 21:01:59 +0200
+Subject: ACPI: video: Add backlight=native quirk for Dell OptiPlex 7760 AIO
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 5c7bb62cb8f53de71d8ab3d619be22740da0b837 upstream.
+
+Dell All In One (AIO) models released after 2017 may use a backlight
+controller board connected to an UART.
+
+In DSDT this uart port will be defined as:
+
+ Name (_HID, "DELL0501")
+ Name (_CID, EisaId ("PNP0501")
+
+The Dell OptiPlex 7760 AIO has an ACPI device for one if its UARTs with
+the above _HID + _CID. Loading the dell-uart-backlight driver shows that
+there actually is a backlight controller board attached to the UART,
+which reports a firmware version of "G&MX01-V15".
+
+But the backlight controller board does not actually control the backlight
+brightness and the GPU's native backlight control method does work.
+
+Add a quirk to use the GPU's native backlight control method on this model.
+
+Fixes: 484bae9e4d6a ("platform/x86: Add new Dell UART backlight driver")
+Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2303936
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Andy Shevchenko <andy@kernel.org>
+Link: https://patch.msgid.link/20240814190159.15650-4-hdegoede@redhat.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/video_detect.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/drivers/acpi/video_detect.c
++++ b/drivers/acpi/video_detect.c
+@@ -808,6 +808,21 @@ static const struct dmi_system_id video_
+ },
+
+ /*
++ * Dell AIO (All in Ones) which advertise an UART attached backlight
++ * controller board in their ACPI tables (and may even have one), but
++ * which need native backlight control nevertheless.
++ */
++ {
++ /* https://bugzilla.redhat.com/show_bug.cgi?id=2303936 */
++ .callback = video_detect_force_native,
++ /* Dell OptiPlex 7760 AIO */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "OptiPlex 7760 AIO"),
++ },
++ },
++
++ /*
+ * Models which have nvidia-ec-wmi support, but should not use it.
+ * Note this indicates a likely firmware bug on these models and should
+ * be revisited if/when Linux gets support for dynamic mux mode.
--- /dev/null
+From cd8e468efb4fb2742e06328a75b282c35c1abf8d Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 14 Aug 2024 21:01:57 +0200
+Subject: ACPI: video: Add Dell UART backlight controller detection
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit cd8e468efb4fb2742e06328a75b282c35c1abf8d upstream.
+
+Dell All In One (AIO) models released after 2017 use a backlight
+controller board connected to an UART.
+
+In DSDT this uart port will be defined as:
+
+ Name (_HID, "DELL0501")
+ Name (_CID, EisaId ("PNP0501")
+
+Commit 484bae9e4d6a ("platform/x86: Add new Dell UART backlight driver")
+has added support for this, but I neglected to tie this into
+acpi_video_get_backlight_type().
+
+Now the first AIO has turned up which has not only the DSDT bits for this,
+but also an actual controller attached to the UART, yet it is not using
+this controller for backlight control.
+
+Add support to acpi_video_get_backlight_type() for a new dell_uart
+backlight type. So that the existing infra to override the backlight
+control method on the commandline or with DMI quirks can be used.
+
+Fixes: 484bae9e4d6a ("platform/x86: Add new Dell UART backlight driver")
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Andy Shevchenko <andy@kernel.org>
+Link: https://patch.msgid.link/20240814190159.15650-2-hdegoede@redhat.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/video_detect.c | 7 +++++++
+ include/acpi/video.h | 1 +
+ 2 files changed, 8 insertions(+)
+
+--- a/drivers/acpi/video_detect.c
++++ b/drivers/acpi/video_detect.c
+@@ -54,6 +54,8 @@ static void acpi_video_parse_cmdline(voi
+ acpi_backlight_cmdline = acpi_backlight_nvidia_wmi_ec;
+ if (!strcmp("apple_gmux", acpi_video_backlight_string))
+ acpi_backlight_cmdline = acpi_backlight_apple_gmux;
++ if (!strcmp("dell_uart", acpi_video_backlight_string))
++ acpi_backlight_cmdline = acpi_backlight_dell_uart;
+ if (!strcmp("none", acpi_video_backlight_string))
+ acpi_backlight_cmdline = acpi_backlight_none;
+ }
+@@ -902,6 +904,7 @@ enum acpi_backlight_type __acpi_video_ge
+ static DEFINE_MUTEX(init_mutex);
+ static bool nvidia_wmi_ec_present;
+ static bool apple_gmux_present;
++ static bool dell_uart_present;
+ static bool native_available;
+ static bool init_done;
+ static long video_caps;
+@@ -916,6 +919,7 @@ enum acpi_backlight_type __acpi_video_ge
+ &video_caps, NULL);
+ nvidia_wmi_ec_present = nvidia_wmi_ec_supported();
+ apple_gmux_present = apple_gmux_detect(NULL, NULL);
++ dell_uart_present = acpi_dev_present("DELL0501", NULL, -1);
+ init_done = true;
+ }
+ if (native)
+@@ -946,6 +950,9 @@ enum acpi_backlight_type __acpi_video_ge
+ if (apple_gmux_present)
+ return acpi_backlight_apple_gmux;
+
++ if (dell_uart_present)
++ return acpi_backlight_dell_uart;
++
+ /* Use ACPI video if available, except when native should be preferred. */
+ if ((video_caps & ACPI_VIDEO_BACKLIGHT) &&
+ !(native_available && prefer_native_over_acpi_video()))
+--- a/include/acpi/video.h
++++ b/include/acpi/video.h
+@@ -50,6 +50,7 @@ enum acpi_backlight_type {
+ acpi_backlight_native,
+ acpi_backlight_nvidia_wmi_ec,
+ acpi_backlight_apple_gmux,
++ acpi_backlight_dell_uart,
+ };
+
+ #if IS_ENABLED(CONFIG_ACPI_VIDEO)
--- /dev/null
+From 822c8020aebcf5804a143b891e34f29873fee5e2 Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Tue, 20 Aug 2024 13:03:58 +1000
+Subject: ata: pata_macio: Fix DMA table overflow
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+commit 822c8020aebcf5804a143b891e34f29873fee5e2 upstream.
+
+Kolbjørn and Jonáš reported that their 32-bit PowerMacs were crashing
+in pata-macio since commit 09fe2bfa6b83 ("ata: pata_macio: Fix
+max_segment_size with PAGE_SIZE == 64K").
+
+For example:
+
+ kernel BUG at drivers/ata/pata_macio.c:544!
+ Oops: Exception in kernel mode, sig: 5 [#1]
+ BE PAGE_SIZE=4K MMU=Hash SMP NR_CPUS=2 DEBUG_PAGEALLOC PowerMac
+ ...
+ NIP pata_macio_qc_prep+0xf4/0x190
+ LR pata_macio_qc_prep+0xfc/0x190
+ Call Trace:
+ 0xc1421660 (unreliable)
+ ata_qc_issue+0x14c/0x2d4
+ __ata_scsi_queuecmd+0x200/0x53c
+ ata_scsi_queuecmd+0x50/0xe0
+ scsi_queue_rq+0x788/0xb1c
+ __blk_mq_issue_directly+0x58/0xf4
+ blk_mq_plug_issue_direct+0x8c/0x1b4
+ blk_mq_flush_plug_list.part.0+0x584/0x5e0
+ __blk_flush_plug+0xf8/0x194
+ __submit_bio+0x1b8/0x2e0
+ submit_bio_noacct_nocheck+0x230/0x304
+ btrfs_work_helper+0x200/0x338
+ process_one_work+0x1a8/0x338
+ worker_thread+0x364/0x4c0
+ kthread+0x100/0x104
+ start_kernel_thread+0x10/0x14
+
+That commit increased max_segment_size to 64KB, with the justification
+that the SCSI core was already using that size when PAGE_SIZE == 64KB,
+and that there was existing logic to split over-sized requests.
+
+However with a sufficiently large request, the splitting logic causes
+each sg to be split into two commands in the DMA table, leading to
+overflow of the DMA table, triggering the BUG_ON().
+
+With default settings the bug doesn't trigger, because the request size
+is limited by max_sectors_kb == 1280, however max_sectors_kb can be
+increased, and apparently some distros do that by default using udev
+rules.
+
+Fix the bug for 4KB kernels by reverting to the old max_segment_size.
+
+For 64KB kernels the sg_tablesize needs to be halved, to allow for the
+possibility that each sg will be split into two.
+
+Fixes: 09fe2bfa6b83 ("ata: pata_macio: Fix max_segment_size with PAGE_SIZE == 64K")
+Cc: stable@vger.kernel.org # v6.10+
+Reported-by: Kolbjørn Barmen <linux-ppc@kolla.no>
+Closes: https://lore.kernel.org/all/62d248bb-e97a-25d2-bcf2-9160c518cae5@kolla.no/
+Reported-by: Jonáš Vidra <vidra@ufal.mff.cuni.cz>
+Closes: https://lore.kernel.org/all/3b6441b8-06e6-45da-9e55-f92f2c86933e@ufal.mff.cuni.cz/
+Tested-by: Kolbjørn Barmen <linux-ppc@kolla.no>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/pata_macio.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/ata/pata_macio.c b/drivers/ata/pata_macio.c
+index 1b85e8bf4ef9..1cb8d24b088f 100644
+--- a/drivers/ata/pata_macio.c
++++ b/drivers/ata/pata_macio.c
+@@ -208,6 +208,19 @@ static const char* macio_ata_names[] = {
+ /* Don't let a DMA segment go all the way to 64K */
+ #define MAX_DBDMA_SEG 0xff00
+
++#ifdef CONFIG_PAGE_SIZE_64KB
++/*
++ * The SCSI core requires the segment size to cover at least a page, so
++ * for 64K page size kernels it must be at least 64K. However the
++ * hardware can't handle 64K, so pata_macio_qc_prep() will split large
++ * requests. To handle the split requests the tablesize must be halved.
++ */
++#define PATA_MACIO_MAX_SEGMENT_SIZE SZ_64K
++#define PATA_MACIO_SG_TABLESIZE (MAX_DCMDS / 2)
++#else
++#define PATA_MACIO_MAX_SEGMENT_SIZE MAX_DBDMA_SEG
++#define PATA_MACIO_SG_TABLESIZE MAX_DCMDS
++#endif
+
+ /*
+ * Wait 1s for disk to answer on IDE bus after a hard reset
+@@ -912,16 +925,10 @@ static int pata_macio_do_resume(struct pata_macio_priv *priv)
+
+ static const struct scsi_host_template pata_macio_sht = {
+ __ATA_BASE_SHT(DRV_NAME),
+- .sg_tablesize = MAX_DCMDS,
++ .sg_tablesize = PATA_MACIO_SG_TABLESIZE,
+ /* We may not need that strict one */
+ .dma_boundary = ATA_DMA_BOUNDARY,
+- /*
+- * The SCSI core requires the segment size to cover at least a page, so
+- * for 64K page size kernels this must be at least 64K. However the
+- * hardware can't handle 64K, so pata_macio_qc_prep() will split large
+- * requests.
+- */
+- .max_segment_size = SZ_64K,
++ .max_segment_size = PATA_MACIO_MAX_SEGMENT_SIZE,
+ .device_configure = pata_macio_device_configure,
+ .sdev_groups = ata_common_sdev_groups,
+ .can_queue = ATA_DEF_QUEUE,
+--
+2.46.0
+
--- /dev/null
+From 311a1bdc44a8e06024df4fd3392be0dfc8298655 Mon Sep 17 00:00:00 2001
+From: Waiman Long <longman@redhat.com>
+Date: Sun, 4 Aug 2024 21:30:16 -0400
+Subject: cgroup/cpuset: Clear effective_xcpus on cpus_allowed clearing only if cpus.exclusive not set
+
+From: Waiman Long <longman@redhat.com>
+
+commit 311a1bdc44a8e06024df4fd3392be0dfc8298655 upstream.
+
+Commit e2ffe502ba45 ("cgroup/cpuset: Add cpuset.cpus.exclusive for
+v2") adds a user writable cpuset.cpus.exclusive file for setting
+exclusive CPUs to be used for the creation of partitions. Since then
+effective_xcpus depends on both the cpuset.cpus and cpuset.cpus.exclusive
+setting. If cpuset.cpus.exclusive is set, effective_xcpus will depend
+only on cpuset.cpus.exclusive. When it is not set, effective_xcpus
+will be set according to the cpuset.cpus value when the cpuset becomes
+a valid partition root.
+
+When cpuset.cpus is being cleared by the user, effective_xcpus should
+only be cleared when cpuset.cpus.exclusive is not set. However, that
+is not currently the case.
+
+ # cd /sys/fs/cgroup/
+ # mkdir test
+ # echo +cpuset > cgroup.subtree_control
+ # cd test
+ # echo 3 > cpuset.cpus.exclusive
+ # cat cpuset.cpus.exclusive.effective
+ 3
+ # echo > cpuset.cpus
+ # cat cpuset.cpus.exclusive.effective // was cleared
+
+Fix it by clearing effective_xcpus only if cpuset.cpus.exclusive is
+not set.
+
+Fixes: e2ffe502ba45 ("cgroup/cpuset: Add cpuset.cpus.exclusive for v2")
+Cc: stable@vger.kernel.org # v6.7+
+Reported-by: Chen Ridong <chenridong@huawei.com>
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/cgroup/cpuset.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/cgroup/cpuset.c
++++ b/kernel/cgroup/cpuset.c
+@@ -2474,7 +2474,8 @@ static int update_cpumask(struct cpuset
+ */
+ if (!*buf) {
+ cpumask_clear(trialcs->cpus_allowed);
+- cpumask_clear(trialcs->effective_xcpus);
++ if (cpumask_empty(trialcs->exclusive_cpus))
++ cpumask_clear(trialcs->effective_xcpus);
+ } else {
+ retval = cpulist_parse(buf, trialcs->cpus_allowed);
+ if (retval < 0)
--- /dev/null
+From 959ab6350add903e352890af53e86663739fcb9a Mon Sep 17 00:00:00 2001
+From: Chen Ridong <chenridong@huawei.com>
+Date: Sun, 4 Aug 2024 21:30:15 -0400
+Subject: cgroup/cpuset: fix panic caused by partcmd_update
+
+From: Chen Ridong <chenridong@huawei.com>
+
+commit 959ab6350add903e352890af53e86663739fcb9a upstream.
+
+We find a bug as below:
+BUG: unable to handle page fault for address: 00000003
+PGD 0 P4D 0
+Oops: 0000 [#1] PREEMPT SMP NOPTI
+CPU: 3 PID: 358 Comm: bash Tainted: G W I 6.6.0-10893-g60d6
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/4
+RIP: 0010:partition_sched_domains_locked+0x483/0x600
+Code: 01 48 85 d2 74 0d 48 83 05 29 3f f8 03 01 f3 48 0f bc c2 89 c0 48 9
+RSP: 0018:ffffc90000fdbc58 EFLAGS: 00000202
+RAX: 0000000100000003 RBX: ffff888100b3dfa0 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000002fe80
+RBP: ffff888100b3dfb0 R08: 0000000000000001 R09: 0000000000000000
+R10: ffffc90000fdbcb0 R11: 0000000000000004 R12: 0000000000000002
+R13: ffff888100a92b48 R14: 0000000000000000 R15: 0000000000000000
+FS: 00007f44a5425740(0000) GS:ffff888237d80000(0000) knlGS:0000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000100030973 CR3: 000000010722c000 CR4: 00000000000006e0
+Call Trace:
+ <TASK>
+ ? show_regs+0x8c/0xa0
+ ? __die_body+0x23/0xa0
+ ? __die+0x3a/0x50
+ ? page_fault_oops+0x1d2/0x5c0
+ ? partition_sched_domains_locked+0x483/0x600
+ ? search_module_extables+0x2a/0xb0
+ ? search_exception_tables+0x67/0x90
+ ? kernelmode_fixup_or_oops+0x144/0x1b0
+ ? __bad_area_nosemaphore+0x211/0x360
+ ? up_read+0x3b/0x50
+ ? bad_area_nosemaphore+0x1a/0x30
+ ? exc_page_fault+0x890/0xd90
+ ? __lock_acquire.constprop.0+0x24f/0x8d0
+ ? __lock_acquire.constprop.0+0x24f/0x8d0
+ ? asm_exc_page_fault+0x26/0x30
+ ? partition_sched_domains_locked+0x483/0x600
+ ? partition_sched_domains_locked+0xf0/0x600
+ rebuild_sched_domains_locked+0x806/0xdc0
+ update_partition_sd_lb+0x118/0x130
+ cpuset_write_resmask+0xffc/0x1420
+ cgroup_file_write+0xb2/0x290
+ kernfs_fop_write_iter+0x194/0x290
+ new_sync_write+0xeb/0x160
+ vfs_write+0x16f/0x1d0
+ ksys_write+0x81/0x180
+ __x64_sys_write+0x21/0x30
+ x64_sys_call+0x2f25/0x4630
+ do_syscall_64+0x44/0xb0
+ entry_SYSCALL_64_after_hwframe+0x78/0xe2
+RIP: 0033:0x7f44a553c887
+
+It can be reproduced with cammands:
+cd /sys/fs/cgroup/
+mkdir test
+cd test/
+echo +cpuset > ../cgroup.subtree_control
+echo root > cpuset.cpus.partition
+cat /sys/fs/cgroup/cpuset.cpus.effective
+0-3
+echo 0-3 > cpuset.cpus // taking away all cpus from root
+
+This issue is caused by the incorrect rebuilding of scheduling domains.
+In this scenario, test/cpuset.cpus.partition should be an invalid root
+and should not trigger the rebuilding of scheduling domains. When calling
+update_parent_effective_cpumask with partcmd_update, if newmask is not
+null, it should recheck newmask whether there are cpus is available
+for parect/cs that has tasks.
+
+Fixes: 0c7f293efc87 ("cgroup/cpuset: Add cpuset.cpus.exclusive.effective for v2")
+Cc: stable@vger.kernel.org # v6.7+
+Signed-off-by: Chen Ridong <chenridong@huawei.com>
+Signed-off-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/cgroup/cpuset.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/cgroup/cpuset.c
++++ b/kernel/cgroup/cpuset.c
+@@ -1940,6 +1940,8 @@ static int update_parent_effective_cpuma
+ part_error = PERR_CPUSEMPTY;
+ goto write_error;
+ }
++ /* Check newmask again, whether cpus are available for parent/cs */
++ nocpu |= tasks_nocpu_error(parent, cs, newmask);
+
+ /*
+ * partcmd_update with newmask:
--- /dev/null
+From 80a1e7b83bb1834b5568a3872e64c05795d88f31 Mon Sep 17 00:00:00 2001
+From: Nikolay Kuratov <kniv@yandex-team.ru>
+Date: Mon, 19 Aug 2024 10:54:08 +0300
+Subject: cxgb4: add forgotten u64 ivlan cast before shift
+
+From: Nikolay Kuratov <kniv@yandex-team.ru>
+
+commit 80a1e7b83bb1834b5568a3872e64c05795d88f31 upstream.
+
+It is done everywhere in cxgb4 code, e.g. in is_filter_exact_match()
+There is no reason it should not be done here
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE
+
+Signed-off-by: Nikolay Kuratov <kniv@yandex-team.ru>
+Cc: stable@vger.kernel.org
+Fixes: 12b276fbf6e0 ("cxgb4: add support to create hash filters")
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://patch.msgid.link/20240819075408.92378-1-kniv@yandex-team.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c
++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_filter.c
+@@ -1244,7 +1244,8 @@ static u64 hash_filter_ntuple(struct ch_
+ * in the Compressed Filter Tuple.
+ */
+ if (tp->vlan_shift >= 0 && fs->mask.ivlan)
+- ntuple |= (FT_VLAN_VLD_F | fs->val.ivlan) << tp->vlan_shift;
++ ntuple |= (u64)(FT_VLAN_VLD_F |
++ fs->val.ivlan) << tp->vlan_shift;
+
+ if (tp->port_shift >= 0 && fs->mask.iport)
+ ntuple |= (u64)fs->val.iport << tp->port_shift;
--- /dev/null
+From 3d765ae2daccc570b3f4fbcb57eb321b12cdded2 Mon Sep 17 00:00:00 2001
+From: Werner Sembach <wse@tuxedocomputers.com>
+Date: Thu, 4 Jan 2024 19:31:17 +0100
+Subject: Input: i8042 - add forcenorestore quirk to leave controller untouched even on s3
+
+From: Werner Sembach <wse@tuxedocomputers.com>
+
+commit 3d765ae2daccc570b3f4fbcb57eb321b12cdded2 upstream.
+
+On s3 resume the i8042 driver tries to restore the controller to a known
+state by reinitializing things, however this can confuse the controller
+with different effects. Mostly occasionally unresponsive keyboards after
+resume.
+
+These issues do not rise on s0ix resume as here the controller is assumed
+to preserved its state from before suspend.
+
+This patch adds a quirk for devices where the reinitialization on s3 resume
+is not needed and might be harmful as described above. It does this by
+using the s0ix resume code path at selected locations.
+
+This new quirk goes beyond what the preexisting reset=never quirk does,
+which only skips some reinitialization steps.
+
+Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20240104183118.779778-2-wse@tuxedocomputers.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/serio/i8042-acpipnpio.h | 10 +++++++---
+ drivers/input/serio/i8042.c | 10 +++++++---
+ 2 files changed, 14 insertions(+), 6 deletions(-)
+
+--- a/drivers/input/serio/i8042-acpipnpio.h
++++ b/drivers/input/serio/i8042-acpipnpio.h
+@@ -83,6 +83,7 @@ static inline void i8042_write_command(i
+ #define SERIO_QUIRK_KBDRESET BIT(12)
+ #define SERIO_QUIRK_DRITEK BIT(13)
+ #define SERIO_QUIRK_NOPNP BIT(14)
++#define SERIO_QUIRK_FORCENORESTORE BIT(15)
+
+ /* Quirk table for different mainboards. Options similar or identical to i8042
+ * module parameters.
+@@ -1685,6 +1686,8 @@ static void __init i8042_check_quirks(vo
+ if (quirks & SERIO_QUIRK_NOPNP)
+ i8042_nopnp = true;
+ #endif
++ if (quirks & SERIO_QUIRK_FORCENORESTORE)
++ i8042_forcenorestore = true;
+ }
+ #else
+ static inline void i8042_check_quirks(void) {}
+@@ -1718,7 +1721,7 @@ static int __init i8042_platform_init(vo
+
+ i8042_check_quirks();
+
+- pr_debug("Active quirks (empty means none):%s%s%s%s%s%s%s%s%s%s%s%s%s\n",
++ pr_debug("Active quirks (empty means none):%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n",
+ i8042_nokbd ? " nokbd" : "",
+ i8042_noaux ? " noaux" : "",
+ i8042_nomux ? " nomux" : "",
+@@ -1738,10 +1741,11 @@ static int __init i8042_platform_init(vo
+ "",
+ #endif
+ #ifdef CONFIG_PNP
+- i8042_nopnp ? " nopnp" : "");
++ i8042_nopnp ? " nopnp" : "",
+ #else
+- "");
++ "",
+ #endif
++ i8042_forcenorestore ? " forcenorestore" : "");
+
+ retval = i8042_pnp_init();
+ if (retval)
+--- a/drivers/input/serio/i8042.c
++++ b/drivers/input/serio/i8042.c
+@@ -115,6 +115,10 @@ module_param_named(nopnp, i8042_nopnp, b
+ MODULE_PARM_DESC(nopnp, "Do not use PNP to detect controller settings");
+ #endif
+
++static bool i8042_forcenorestore;
++module_param_named(forcenorestore, i8042_forcenorestore, bool, 0);
++MODULE_PARM_DESC(forcenorestore, "Force no restore on s3 resume, copying s2idle behaviour");
++
+ #define DEBUG
+ #ifdef DEBUG
+ static bool i8042_debug;
+@@ -1232,7 +1236,7 @@ static int i8042_pm_suspend(struct devic
+ {
+ int i;
+
+- if (pm_suspend_via_firmware())
++ if (!i8042_forcenorestore && pm_suspend_via_firmware())
+ i8042_controller_reset(true);
+
+ /* Set up serio interrupts for system wakeup. */
+@@ -1248,7 +1252,7 @@ static int i8042_pm_suspend(struct devic
+
+ static int i8042_pm_resume_noirq(struct device *dev)
+ {
+- if (!pm_resume_via_firmware())
++ if (i8042_forcenorestore || !pm_resume_via_firmware())
+ i8042_interrupt(0, NULL);
+
+ return 0;
+@@ -1271,7 +1275,7 @@ static int i8042_pm_resume(struct device
+ * not restore the controller state to whatever it had been at boot
+ * time, so we do not need to do anything.
+ */
+- if (!pm_suspend_via_firmware())
++ if (i8042_forcenorestore || !pm_suspend_via_firmware())
+ return 0;
+
+ /*
--- /dev/null
+From aaa4ca873d3da768896ffc909795359a01e853ef Mon Sep 17 00:00:00 2001
+From: Werner Sembach <wse@tuxedocomputers.com>
+Date: Thu, 4 Jan 2024 19:31:18 +0100
+Subject: Input: i8042 - use new forcenorestore quirk to replace old buggy quirk combination
+
+From: Werner Sembach <wse@tuxedocomputers.com>
+
+commit aaa4ca873d3da768896ffc909795359a01e853ef upstream.
+
+The old quirk combination sometimes cause a laggy keyboard after boot. With
+the new quirk the initial issue of an unresponsive keyboard after s3 resume
+is also fixed, but it doesn't have the negative side effect of the
+sometimes laggy keyboard.
+
+Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20240104183118.779778-3-wse@tuxedocomputers.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/serio/i8042-acpipnpio.h | 10 +---------
+ 1 file changed, 1 insertion(+), 9 deletions(-)
+
+--- a/drivers/input/serio/i8042-acpipnpio.h
++++ b/drivers/input/serio/i8042-acpipnpio.h
+@@ -1150,18 +1150,10 @@ static const struct dmi_system_id i8042_
+ SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP)
+ },
+ {
+- /*
+- * Setting SERIO_QUIRK_NOMUX or SERIO_QUIRK_RESET_ALWAYS makes
+- * the keyboard very laggy for ~5 seconds after boot and
+- * sometimes also after resume.
+- * However both are required for the keyboard to not fail
+- * completely sometimes after boot or resume.
+- */
+ .matches = {
+ DMI_MATCH(DMI_BOARD_NAME, "N150CU"),
+ },
+- .driver_data = (void *)(SERIO_QUIRK_NOMUX | SERIO_QUIRK_RESET_ALWAYS |
+- SERIO_QUIRK_NOLOOP | SERIO_QUIRK_NOPNP)
++ .driver_data = (void *)(SERIO_QUIRK_FORCENORESTORE)
+ },
+ {
+ .matches = {
--- /dev/null
+From 950aeefb34923fe3c28ade35fe05f24e2c5b1d55 Mon Sep 17 00:00:00 2001
+From: Nicolin Chen <nicolinc@nvidia.com>
+Date: Wed, 17 Jul 2024 22:01:30 -0700
+Subject: iommufd/device: Fix hwpt at err_unresv in iommufd_device_do_replace()
+
+From: Nicolin Chen <nicolinc@nvidia.com>
+
+commit 950aeefb34923fe3c28ade35fe05f24e2c5b1d55 upstream.
+
+The rewind routine should remove the reserved iovas added to the new hwpt.
+
+Fixes: 89db31635c87 ("iommufd: Derive iommufd_hwpt_paging from iommufd_hw_pagetable")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/r/20240718050130.1956804-1-nicolinc@nvidia.com
+Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
+Reviewed-by: Kevin Tian <kevin.tian@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/iommufd/device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iommu/iommufd/device.c
++++ b/drivers/iommu/iommufd/device.c
+@@ -525,7 +525,7 @@ iommufd_device_do_replace(struct iommufd
+ err_unresv:
+ if (hwpt_is_paging(hwpt))
+ iommufd_group_remove_reserved_iova(igroup,
+- to_hwpt_paging(old_hwpt));
++ to_hwpt_paging(hwpt));
+ err_unlock:
+ mutex_unlock(&idev->igroup->lock);
+ return ERR_PTR(rc);
--- /dev/null
+From 3e6245ebe7ef341639e9a7e402b3ade8ad45a19f Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <maz@kernel.org>
+Date: Tue, 20 Aug 2024 11:03:38 +0100
+Subject: KVM: arm64: Make ICC_*SGI*_EL1 undef in the absence of a vGICv3
+
+From: Marc Zyngier <maz@kernel.org>
+
+commit 3e6245ebe7ef341639e9a7e402b3ade8ad45a19f upstream.
+
+On a system with a GICv3, if a guest hasn't been configured with
+GICv3 and that the host is not capable of GICv2 emulation,
+a write to any of the ICC_*SGI*_EL1 registers is trapped to EL2.
+
+We therefore try to emulate the SGI access, only to hit a NULL
+pointer as no private interrupt is allocated (no GIC, remember?).
+
+The obvious fix is to give the guest what it deserves, in the
+shape of a UNDEF exception.
+
+Reported-by: Alexander Potapenko <glider@google.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240820100349.3544850-2-maz@kernel.org
+Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kvm/sys_regs.c | 6 ++++++
+ arch/arm64/kvm/vgic/vgic.h | 7 +++++++
+ 2 files changed, 13 insertions(+)
+
+--- a/arch/arm64/kvm/sys_regs.c
++++ b/arch/arm64/kvm/sys_regs.c
+@@ -33,6 +33,7 @@
+ #include <trace/events/kvm.h>
+
+ #include "sys_regs.h"
++#include "vgic/vgic.h"
+
+ #include "trace.h"
+
+@@ -428,6 +429,11 @@ static bool access_gic_sgi(struct kvm_vc
+ {
+ bool g1;
+
++ if (!kvm_has_gicv3(vcpu->kvm)) {
++ kvm_inject_undefined(vcpu);
++ return false;
++ }
++
+ if (!p->is_write)
+ return read_from_write_only(vcpu, p, r);
+
+--- a/arch/arm64/kvm/vgic/vgic.h
++++ b/arch/arm64/kvm/vgic/vgic.h
+@@ -346,4 +346,11 @@ void vgic_v4_configure_vsgis(struct kvm
+ void vgic_v4_get_vlpi_state(struct vgic_irq *irq, bool *val);
+ int vgic_v4_request_vpe_irq(struct kvm_vcpu *vcpu, int irq);
+
++static inline bool kvm_has_gicv3(struct kvm *kvm)
++{
++ return (static_branch_unlikely(&kvm_vgic_global_state.gicv3_cpuif) &&
++ irqchip_in_kernel(kvm) &&
++ kvm->arch.vgic.vgic_model == KVM_DEV_TYPE_ARM_VGIC_V3);
++}
++
+ #endif
--- /dev/null
+From 2240a50e6294214de791729e9dcba6880fa7e44e Mon Sep 17 00:00:00 2001
+From: Zenghui Yu <yuzenghui@huawei.com>
+Date: Sat, 17 Aug 2024 18:15:41 +0800
+Subject: KVM: arm64: vgic-debug: Don't put unmarked LPIs
+
+From: Zenghui Yu <yuzenghui@huawei.com>
+
+commit 2240a50e6294214de791729e9dcba6880fa7e44e upstream.
+
+If there were LPIs being mapped behind our back (i.e., between .start() and
+.stop()), we would put them at iter_unmark_lpis() without checking if they
+were actually *marked*, which is obviously not good.
+
+Switch to use the xa_for_each_marked() iterator to fix it.
+
+Cc: stable@vger.kernel.org
+Fixes: 85d3ccc8b75b ("KVM: arm64: vgic-debug: Use an xarray mark for debug iterator")
+Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
+Reviewed-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20240817101541.1664-1-yuzenghui@huawei.com
+Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kvm/vgic/vgic-debug.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/kvm/vgic/vgic-debug.c
++++ b/arch/arm64/kvm/vgic/vgic-debug.c
+@@ -84,7 +84,7 @@ static void iter_unmark_lpis(struct kvm
+ struct vgic_irq *irq;
+ unsigned long intid;
+
+- xa_for_each(&dist->lpi_xa, intid, irq) {
++ xa_for_each_marked(&dist->lpi_xa, intid, irq, LPI_XA_MARK_DEBUG_ITER) {
+ xa_clear_mark(&dist->lpi_xa, intid, LPI_XA_MARK_DEBUG_ITER);
+ vgic_put_irq(kvm, irq);
+ }
--- /dev/null
+From 6275c7bc8dd07644ea8142a1773d826800f0f3f7 Mon Sep 17 00:00:00 2001
+From: Ben Whitten <ben.whitten@gmail.com>
+Date: Sun, 11 Aug 2024 22:22:11 +0100
+Subject: mmc: dw_mmc: allow biu and ciu clocks to defer
+
+From: Ben Whitten <ben.whitten@gmail.com>
+
+commit 6275c7bc8dd07644ea8142a1773d826800f0f3f7 upstream.
+
+Fix a race condition if the clock provider comes up after mmc is probed,
+this causes mmc to fail without retrying.
+When given the DEFER error from the clk source, pass it on up the chain.
+
+Fixes: f90a0612f0e1 ("mmc: dw_mmc: lookup for optional biu and ciu clocks")
+Signed-off-by: Ben Whitten <ben.whitten@gmail.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240811212212.123255-1-ben.whitten@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/dw_mmc.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/mmc/host/dw_mmc.c
++++ b/drivers/mmc/host/dw_mmc.c
+@@ -3293,6 +3293,10 @@ int dw_mci_probe(struct dw_mci *host)
+ host->biu_clk = devm_clk_get(host->dev, "biu");
+ if (IS_ERR(host->biu_clk)) {
+ dev_dbg(host->dev, "biu clock not available\n");
++ ret = PTR_ERR(host->biu_clk);
++ if (ret == -EPROBE_DEFER)
++ return ret;
++
+ } else {
+ ret = clk_prepare_enable(host->biu_clk);
+ if (ret) {
+@@ -3304,6 +3308,10 @@ int dw_mci_probe(struct dw_mci *host)
+ host->ciu_clk = devm_clk_get(host->dev, "ciu");
+ if (IS_ERR(host->ciu_clk)) {
+ dev_dbg(host->dev, "ciu clock not available\n");
++ ret = PTR_ERR(host->ciu_clk);
++ if (ret == -EPROBE_DEFER)
++ goto err_clk_biu;
++
+ host->bus_hz = host->pdata->bus_hz;
+ } else {
+ ret = clk_prepare_enable(host->ciu_clk);
--- /dev/null
+From 9374ae912dbb1eed8139ed75fd2c0f1b30ca454d Mon Sep 17 00:00:00 2001
+From: Mengqi Zhang <mengqi.zhang@mediatek.com>
+Date: Tue, 16 Jul 2024 09:37:04 +0800
+Subject: mmc: mtk-sd: receive cmd8 data when hs400 tuning fail
+
+From: Mengqi Zhang <mengqi.zhang@mediatek.com>
+
+commit 9374ae912dbb1eed8139ed75fd2c0f1b30ca454d upstream.
+
+When we use cmd8 as the tuning command in hs400 mode, the command
+response sent back by some eMMC devices cannot be correctly sampled
+by MTK eMMC controller at some weak sample timing. In this case,
+command timeout error may occur. So we must receive the following
+data to make sure the next cmd8 send correctly.
+
+Signed-off-by: Mengqi Zhang <mengqi.zhang@mediatek.com>
+Fixes: c4ac38c6539b ("mmc: mtk-sd: Add HS400 online tuning support")
+Cc: stable@vger.stable.com
+Link: https://lore.kernel.org/r/20240716013704.10578-1-mengqi.zhang@mediatek.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/mtk-sd.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/mmc/host/mtk-sd.c
++++ b/drivers/mmc/host/mtk-sd.c
+@@ -1230,7 +1230,7 @@ static bool msdc_cmd_done(struct msdc_ho
+ }
+
+ if (!sbc_error && !(events & MSDC_INT_CMDRDY)) {
+- if (events & MSDC_INT_CMDTMO ||
++ if ((events & MSDC_INT_CMDTMO && !host->hs400_tuning) ||
+ (!mmc_op_tuning(cmd->opcode) && !host->hs400_tuning))
+ /*
+ * should not clear fifo/interrupt as the tune data
+@@ -1323,9 +1323,9 @@ static void msdc_start_command(struct ms
+ static void msdc_cmd_next(struct msdc_host *host,
+ struct mmc_request *mrq, struct mmc_command *cmd)
+ {
+- if ((cmd->error &&
+- !(cmd->error == -EILSEQ &&
+- (mmc_op_tuning(cmd->opcode) || host->hs400_tuning))) ||
++ if ((cmd->error && !host->hs400_tuning &&
++ !(cmd->error == -EILSEQ &&
++ mmc_op_tuning(cmd->opcode))) ||
+ (mrq->sbc && mrq->sbc->error))
+ msdc_request_done(host, mrq);
+ else if (cmd == mrq->sbc)
--- /dev/null
+From 48e50dcbcbaaf713d82bf2da5c16aeced94ad07d Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Mon, 19 Aug 2024 21:45:32 +0200
+Subject: mptcp: pm: avoid possible UaF when selecting endp
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 48e50dcbcbaaf713d82bf2da5c16aeced94ad07d upstream.
+
+select_local_address() and select_signal_address() both select an
+endpoint entry from the list inside an RCU protected section, but return
+a reference to it, to be read later on. If the entry is dereferenced
+after the RCU unlock, reading info could cause a Use-after-Free.
+
+A simple solution is to copy the required info while inside the RCU
+protected section to avoid any risk of UaF later. The address ID might
+need to be modified later to handle the ID0 case later, so a copy seems
+OK to deal with.
+
+Reported-by: Paolo Abeni <pabeni@redhat.com>
+Closes: https://lore.kernel.org/45cd30d3-7710-491c-ae4d-a1368c00beb1@redhat.com
+Fixes: 01cacb00b35c ("mptcp: add netlink-based PM")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-14-38035d40de5b@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/pm_netlink.c | 64 ++++++++++++++++++++++++++-----------------------
+ 1 file changed, 34 insertions(+), 30 deletions(-)
+
+--- a/net/mptcp/pm_netlink.c
++++ b/net/mptcp/pm_netlink.c
+@@ -143,11 +143,13 @@ static bool lookup_subflow_by_daddr(cons
+ return false;
+ }
+
+-static struct mptcp_pm_addr_entry *
++static bool
+ select_local_address(const struct pm_nl_pernet *pernet,
+- const struct mptcp_sock *msk)
++ const struct mptcp_sock *msk,
++ struct mptcp_pm_addr_entry *new_entry)
+ {
+- struct mptcp_pm_addr_entry *entry, *ret = NULL;
++ struct mptcp_pm_addr_entry *entry;
++ bool found = false;
+
+ msk_owned_by_me(msk);
+
+@@ -159,17 +161,21 @@ select_local_address(const struct pm_nl_
+ if (!test_bit(entry->addr.id, msk->pm.id_avail_bitmap))
+ continue;
+
+- ret = entry;
++ *new_entry = *entry;
++ found = true;
+ break;
+ }
+ rcu_read_unlock();
+- return ret;
++
++ return found;
+ }
+
+-static struct mptcp_pm_addr_entry *
+-select_signal_address(struct pm_nl_pernet *pernet, const struct mptcp_sock *msk)
++static bool
++select_signal_address(struct pm_nl_pernet *pernet, const struct mptcp_sock *msk,
++ struct mptcp_pm_addr_entry *new_entry)
+ {
+- struct mptcp_pm_addr_entry *entry, *ret = NULL;
++ struct mptcp_pm_addr_entry *entry;
++ bool found = false;
+
+ rcu_read_lock();
+ /* do not keep any additional per socket state, just signal
+@@ -184,11 +190,13 @@ select_signal_address(struct pm_nl_perne
+ if (!(entry->flags & MPTCP_PM_ADDR_FLAG_SIGNAL))
+ continue;
+
+- ret = entry;
++ *new_entry = *entry;
++ found = true;
+ break;
+ }
+ rcu_read_unlock();
+- return ret;
++
++ return found;
+ }
+
+ unsigned int mptcp_pm_get_add_addr_signal_max(const struct mptcp_sock *msk)
+@@ -512,9 +520,10 @@ __lookup_addr(struct pm_nl_pernet *perne
+
+ static void mptcp_pm_create_subflow_or_signal_addr(struct mptcp_sock *msk)
+ {
+- struct mptcp_pm_addr_entry *local, *signal_and_subflow = NULL;
+ struct sock *sk = (struct sock *)msk;
++ struct mptcp_pm_addr_entry local;
+ unsigned int add_addr_signal_max;
++ bool signal_and_subflow = false;
+ unsigned int local_addr_max;
+ struct pm_nl_pernet *pernet;
+ unsigned int subflows_max;
+@@ -565,23 +574,22 @@ static void mptcp_pm_create_subflow_or_s
+ if (msk->pm.addr_signal & BIT(MPTCP_ADD_ADDR_SIGNAL))
+ return;
+
+- local = select_signal_address(pernet, msk);
+- if (!local)
++ if (!select_signal_address(pernet, msk, &local))
+ goto subflow;
+
+ /* If the alloc fails, we are on memory pressure, not worth
+ * continuing, and trying to create subflows.
+ */
+- if (!mptcp_pm_alloc_anno_list(msk, &local->addr))
++ if (!mptcp_pm_alloc_anno_list(msk, &local.addr))
+ return;
+
+- __clear_bit(local->addr.id, msk->pm.id_avail_bitmap);
++ __clear_bit(local.addr.id, msk->pm.id_avail_bitmap);
+ msk->pm.add_addr_signaled++;
+- mptcp_pm_announce_addr(msk, &local->addr, false);
++ mptcp_pm_announce_addr(msk, &local.addr, false);
+ mptcp_pm_nl_addr_send_ack(msk);
+
+- if (local->flags & MPTCP_PM_ADDR_FLAG_SUBFLOW)
+- signal_and_subflow = local;
++ if (local.flags & MPTCP_PM_ADDR_FLAG_SUBFLOW)
++ signal_and_subflow = true;
+ }
+
+ subflow:
+@@ -592,26 +600,22 @@ subflow:
+ bool fullmesh;
+ int i, nr;
+
+- if (signal_and_subflow) {
+- local = signal_and_subflow;
+- signal_and_subflow = NULL;
+- } else {
+- local = select_local_address(pernet, msk);
+- if (!local)
+- break;
+- }
++ if (signal_and_subflow)
++ signal_and_subflow = false;
++ else if (!select_local_address(pernet, msk, &local))
++ break;
+
+- fullmesh = !!(local->flags & MPTCP_PM_ADDR_FLAG_FULLMESH);
++ fullmesh = !!(local.flags & MPTCP_PM_ADDR_FLAG_FULLMESH);
+
+ msk->pm.local_addr_used++;
+- __clear_bit(local->addr.id, msk->pm.id_avail_bitmap);
+- nr = fill_remote_addresses_vec(msk, &local->addr, fullmesh, addrs);
++ __clear_bit(local.addr.id, msk->pm.id_avail_bitmap);
++ nr = fill_remote_addresses_vec(msk, &local.addr, fullmesh, addrs);
+ if (nr == 0)
+ continue;
+
+ spin_unlock_bh(&msk->pm.lock);
+ for (i = 0; i < nr; i++)
+- __mptcp_subflow_connect(sk, &local->addr, &addrs[i]);
++ __mptcp_subflow_connect(sk, &local.addr, &addrs[i]);
+ spin_lock_bh(&msk->pm.lock);
+ }
+ mptcp_pm_nl_check_work_pending(msk);
--- /dev/null
+From 0137a3c7c2ea3f9df8ebfc65d78b4ba712a187bb Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Mon, 19 Aug 2024 21:45:28 +0200
+Subject: mptcp: pm: check add_addr_accept_max before accepting new ADD_ADDR
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 0137a3c7c2ea3f9df8ebfc65d78b4ba712a187bb upstream.
+
+The limits might have changed in between, it is best to check them
+before accepting new ADD_ADDR.
+
+Fixes: d0876b2284cf ("mptcp: add the incoming RM_ADDR support")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-10-38035d40de5b@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/pm_netlink.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/mptcp/pm_netlink.c
++++ b/net/mptcp/pm_netlink.c
+@@ -848,8 +848,8 @@ static void mptcp_pm_nl_rm_addr_or_subfl
+ /* Note: if the subflow has been closed before, this
+ * add_addr_accepted counter will not be decremented.
+ */
+- msk->pm.add_addr_accepted--;
+- WRITE_ONCE(msk->pm.accept_addr, true);
++ if (--msk->pm.add_addr_accepted < mptcp_pm_get_add_addr_accept_max(msk))
++ WRITE_ONCE(msk->pm.accept_addr, true);
+ }
+ }
+ }
--- /dev/null
+From 09355f7abb9fbfc1a240be029837921ea417bf4f Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Mon, 19 Aug 2024 21:45:30 +0200
+Subject: mptcp: pm: fullmesh: select the right ID later
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 09355f7abb9fbfc1a240be029837921ea417bf4f upstream.
+
+When reacting upon the reception of an ADD_ADDR, the in-kernel PM first
+looks for fullmesh endpoints. If there are some, it will pick them,
+using their entry ID.
+
+It should set the ID 0 when using the endpoint corresponding to the
+initial subflow, it is a special case imposed by the MPTCP specs.
+
+Note that msk->mpc_endpoint_id might not be set when receiving the first
+ADD_ADDR from the server. So better to compare the addresses.
+
+Fixes: 1a0d6136c5f0 ("mptcp: local addresses fullmesh")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-12-38035d40de5b@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/pm_netlink.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/net/mptcp/pm_netlink.c
++++ b/net/mptcp/pm_netlink.c
+@@ -636,6 +636,7 @@ static unsigned int fill_local_addresses
+ {
+ struct sock *sk = (struct sock *)msk;
+ struct mptcp_pm_addr_entry *entry;
++ struct mptcp_addr_info mpc_addr;
+ struct pm_nl_pernet *pernet;
+ unsigned int subflows_max;
+ int i = 0;
+@@ -643,6 +644,8 @@ static unsigned int fill_local_addresses
+ pernet = pm_nl_get_pernet_from_msk(msk);
+ subflows_max = mptcp_pm_get_subflows_max(msk);
+
++ mptcp_local_address((struct sock_common *)msk, &mpc_addr);
++
+ rcu_read_lock();
+ list_for_each_entry_rcu(entry, &pernet->local_addr_list, list) {
+ if (!(entry->flags & MPTCP_PM_ADDR_FLAG_FULLMESH))
+@@ -653,7 +656,13 @@ static unsigned int fill_local_addresses
+
+ if (msk->pm.subflows < subflows_max) {
+ msk->pm.subflows++;
+- addrs[i++] = entry->addr;
++ addrs[i] = entry->addr;
++
++ /* Special case for ID0: set the correct ID */
++ if (mptcp_addresses_equal(&entry->addr, &mpc_addr, entry->addr.port))
++ addrs[i].id = 0;
++
++ i++;
+ }
+ }
+ rcu_read_unlock();
--- /dev/null
+From 1c1f721375989579e46741f59523e39ec9b2a9bd Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Mon, 19 Aug 2024 21:45:27 +0200
+Subject: mptcp: pm: only decrement add_addr_accepted for MPJ req
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 1c1f721375989579e46741f59523e39ec9b2a9bd upstream.
+
+Adding the following warning ...
+
+ WARN_ON_ONCE(msk->pm.add_addr_accepted == 0)
+
+... before decrementing the add_addr_accepted counter helped to find a
+bug when running the "remove single subflow" subtest from the
+mptcp_join.sh selftest.
+
+Removing a 'subflow' endpoint will first trigger a RM_ADDR, then the
+subflow closure. Before this patch, and upon the reception of the
+RM_ADDR, the other peer will then try to decrement this
+add_addr_accepted. That's not correct because the attached subflows have
+not been created upon the reception of an ADD_ADDR.
+
+A way to solve that is to decrement the counter only if the attached
+subflow was an MP_JOIN to a remote id that was not 0, and initiated by
+the host receiving the RM_ADDR.
+
+Fixes: d0876b2284cf ("mptcp: add the incoming RM_ADDR support")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-9-38035d40de5b@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/pm_netlink.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/mptcp/pm_netlink.c
++++ b/net/mptcp/pm_netlink.c
+@@ -829,7 +829,7 @@ static void mptcp_pm_nl_rm_addr_or_subfl
+ mptcp_close_ssk(sk, ssk, subflow);
+ spin_lock_bh(&msk->pm.lock);
+
+- removed = true;
++ removed |= subflow->request_join;
+ if (rm_type == MPTCP_MIB_RMSUBFLOW)
+ __MPTCP_INC_STATS(sock_net(sk), rm_type);
+ }
+@@ -843,7 +843,11 @@ static void mptcp_pm_nl_rm_addr_or_subfl
+ if (!mptcp_pm_is_kernel(msk))
+ continue;
+
+- if (rm_type == MPTCP_MIB_RMADDR) {
++ if (rm_type == MPTCP_MIB_RMADDR && rm_id &&
++ !WARN_ON_ONCE(msk->pm.add_addr_accepted == 0)) {
++ /* Note: if the subflow has been closed before, this
++ * add_addr_accepted counter will not be decremented.
++ */
+ msk->pm.add_addr_accepted--;
+ WRITE_ONCE(msk->pm.accept_addr, true);
+ }
--- /dev/null
+From ca6e55a703ca2894611bb5c5bca8bfd2290fd91e Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Mon, 19 Aug 2024 21:45:29 +0200
+Subject: mptcp: pm: only in-kernel cannot have entries with ID 0
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit ca6e55a703ca2894611bb5c5bca8bfd2290fd91e upstream.
+
+The ID 0 is specific per MPTCP connections. The per netns entries cannot
+have this special ID 0 then.
+
+But that's different for the userspace PM where the entries are per
+connection, they can then use this special ID 0.
+
+Fixes: f40be0db0b76 ("mptcp: unify pm get_flags_and_ifindex_by_id")
+Cc: stable@vger.kernel.org
+Acked-by: Geliang Tang <geliang@kernel.org>
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-11-38035d40de5b@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/pm.c | 3 ---
+ net/mptcp/pm_netlink.c | 4 ++++
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/mptcp/pm.c
++++ b/net/mptcp/pm.c
+@@ -434,9 +434,6 @@ int mptcp_pm_get_flags_and_ifindex_by_id
+ *flags = 0;
+ *ifindex = 0;
+
+- if (!id)
+- return 0;
+-
+ if (mptcp_pm_is_userspace(msk))
+ return mptcp_userspace_pm_get_flags_and_ifindex_by_id(msk, id, flags, ifindex);
+ return mptcp_pm_nl_get_flags_and_ifindex_by_id(msk, id, flags, ifindex);
+--- a/net/mptcp/pm_netlink.c
++++ b/net/mptcp/pm_netlink.c
+@@ -1395,6 +1395,10 @@ int mptcp_pm_nl_get_flags_and_ifindex_by
+ struct sock *sk = (struct sock *)msk;
+ struct net *net = sock_net(sk);
+
++ /* No entries with ID 0 */
++ if (id == 0)
++ return 0;
++
+ rcu_read_lock();
+ entry = __lookup_addr_by_id(pm_nl_get_pernet(net), id);
+ if (entry) {
--- /dev/null
+From 322ea3778965da72862cca2a0c50253aacf65fe6 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Mon, 19 Aug 2024 21:45:26 +0200
+Subject: mptcp: pm: only mark 'subflow' endp as available
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 322ea3778965da72862cca2a0c50253aacf65fe6 upstream.
+
+Adding the following warning ...
+
+ WARN_ON_ONCE(msk->pm.local_addr_used == 0)
+
+... before decrementing the local_addr_used counter helped to find a bug
+when running the "remove single address" subtest from the mptcp_join.sh
+selftests.
+
+Removing a 'signal' endpoint will trigger the removal of all subflows
+linked to this endpoint via mptcp_pm_nl_rm_addr_or_subflow() with
+rm_type == MPTCP_MIB_RMSUBFLOW. This will decrement the local_addr_used
+counter, which is wrong in this case because this counter is linked to
+'subflow' endpoints, and here it is a 'signal' endpoint that is being
+removed.
+
+Now, the counter is decremented, only if the ID is being used outside
+of mptcp_pm_nl_rm_addr_or_subflow(), only for 'subflow' endpoints, and
+if the ID is not 0 -- local_addr_used is not taking into account these
+ones. This marking of the ID as being available, and the decrement is
+done no matter if a subflow using this ID is currently available,
+because the subflow could have been closed before.
+
+Fixes: 06faa2271034 ("mptcp: remove multi addresses and subflows in PM")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-8-38035d40de5b@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/pm_netlink.c | 26 +++++++++++++++++---------
+ 1 file changed, 17 insertions(+), 9 deletions(-)
+
+--- a/net/mptcp/pm_netlink.c
++++ b/net/mptcp/pm_netlink.c
+@@ -833,10 +833,10 @@ static void mptcp_pm_nl_rm_addr_or_subfl
+ if (rm_type == MPTCP_MIB_RMSUBFLOW)
+ __MPTCP_INC_STATS(sock_net(sk), rm_type);
+ }
+- if (rm_type == MPTCP_MIB_RMSUBFLOW)
+- __set_bit(rm_id ? rm_id : msk->mpc_endpoint_id, msk->pm.id_avail_bitmap);
+- else if (rm_type == MPTCP_MIB_RMADDR)
++
++ if (rm_type == MPTCP_MIB_RMADDR)
+ __MPTCP_INC_STATS(sock_net(sk), rm_type);
++
+ if (!removed)
+ continue;
+
+@@ -846,8 +846,6 @@ static void mptcp_pm_nl_rm_addr_or_subfl
+ if (rm_type == MPTCP_MIB_RMADDR) {
+ msk->pm.add_addr_accepted--;
+ WRITE_ONCE(msk->pm.accept_addr, true);
+- } else if (rm_type == MPTCP_MIB_RMSUBFLOW) {
+- msk->pm.local_addr_used--;
+ }
+ }
+ }
+@@ -1441,6 +1439,14 @@ static bool mptcp_pm_remove_anno_addr(st
+ return ret;
+ }
+
++static void __mark_subflow_endp_available(struct mptcp_sock *msk, u8 id)
++{
++ /* If it was marked as used, and not ID 0, decrement local_addr_used */
++ if (!__test_and_set_bit(id ? : msk->mpc_endpoint_id, msk->pm.id_avail_bitmap) &&
++ id && !WARN_ON_ONCE(msk->pm.local_addr_used == 0))
++ msk->pm.local_addr_used--;
++}
++
+ static int mptcp_nl_remove_subflow_and_signal_addr(struct net *net,
+ const struct mptcp_pm_addr_entry *entry)
+ {
+@@ -1474,11 +1480,11 @@ static int mptcp_nl_remove_subflow_and_s
+ spin_lock_bh(&msk->pm.lock);
+ mptcp_pm_nl_rm_subflow_received(msk, &list);
+ spin_unlock_bh(&msk->pm.lock);
+- } else if (entry->flags & MPTCP_PM_ADDR_FLAG_SUBFLOW) {
+- /* If the subflow has been used, but now closed */
++ }
++
++ if (entry->flags & MPTCP_PM_ADDR_FLAG_SUBFLOW) {
+ spin_lock_bh(&msk->pm.lock);
+- if (!__test_and_set_bit(entry->addr.id, msk->pm.id_avail_bitmap))
+- msk->pm.local_addr_used--;
++ __mark_subflow_endp_available(msk, list.ids[0]);
+ spin_unlock_bh(&msk->pm.lock);
+ }
+
+@@ -1516,6 +1522,7 @@ static int mptcp_nl_remove_id_zero_addre
+ spin_lock_bh(&msk->pm.lock);
+ mptcp_pm_remove_addr(msk, &list);
+ mptcp_pm_nl_rm_subflow_received(msk, &list);
++ __mark_subflow_endp_available(msk, 0);
+ spin_unlock_bh(&msk->pm.lock);
+ release_sock(sk);
+
+@@ -1917,6 +1924,7 @@ static void mptcp_pm_nl_fullmesh(struct
+
+ spin_lock_bh(&msk->pm.lock);
+ mptcp_pm_nl_rm_subflow_received(msk, &list);
++ __mark_subflow_endp_available(msk, list.ids[0]);
+ mptcp_pm_create_subflow_or_signal_addr(msk);
+ spin_unlock_bh(&msk->pm.lock);
+ }
--- /dev/null
+From ef34a6ea0cab1800f4b3c9c3c2cefd5091e03379 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Mon, 19 Aug 2024 21:45:23 +0200
+Subject: mptcp: pm: re-using ID of unused flushed subflows
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit ef34a6ea0cab1800f4b3c9c3c2cefd5091e03379 upstream.
+
+If no subflows are attached to the 'subflow' endpoints that are being
+flushed, the corresponding addr IDs will not be marked as available
+again.
+
+Mark all ID as being available when flushing all the 'subflow'
+endpoints, and reset local_addr_used counter to cover these cases.
+
+Note that mptcp_pm_remove_addrs_and_subflows() helper is only called for
+flushing operations, not to remove a specific set of addresses and
+subflows.
+
+Fixes: 06faa2271034 ("mptcp: remove multi addresses and subflows in PM")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-5-38035d40de5b@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/pm_netlink.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/mptcp/pm_netlink.c
++++ b/net/mptcp/pm_netlink.c
+@@ -1623,8 +1623,15 @@ static void mptcp_pm_remove_addrs_and_su
+ mptcp_pm_remove_addr(msk, &alist);
+ spin_unlock_bh(&msk->pm.lock);
+ }
++
+ if (slist.nr)
+ mptcp_pm_remove_subflow(msk, &slist);
++
++ /* Reset counters: maybe some subflows have been removed before */
++ spin_lock_bh(&msk->pm.lock);
++ bitmap_fill(msk->pm.id_avail_bitmap, MPTCP_PM_MAX_ADDR_ID + 1);
++ msk->pm.local_addr_used = 0;
++ spin_unlock_bh(&msk->pm.lock);
+ }
+
+ static void mptcp_nl_remove_addrs_list(struct net *net,
--- /dev/null
+From e255683c06df572ead96db5efb5d21be30c0efaa Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Mon, 19 Aug 2024 21:45:19 +0200
+Subject: mptcp: pm: re-using ID of unused removed ADD_ADDR
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit e255683c06df572ead96db5efb5d21be30c0efaa upstream.
+
+If no subflow is attached to the 'signal' endpoint that is being
+removed, the addr ID will not be marked as available again.
+
+Mark the linked ID as available when removing the address entry from the
+list to cover this case.
+
+Fixes: b6c08380860b ("mptcp: remove addr and subflow in PM netlink")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-1-38035d40de5b@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/pm_netlink.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/mptcp/pm_netlink.c
++++ b/net/mptcp/pm_netlink.c
+@@ -1431,7 +1431,10 @@ static bool mptcp_pm_remove_anno_addr(st
+ ret = remove_anno_list_by_saddr(msk, addr);
+ if (ret || force) {
+ spin_lock_bh(&msk->pm.lock);
+- msk->pm.add_addr_signaled -= ret;
++ if (ret) {
++ __set_bit(addr->id, msk->pm.id_avail_bitmap);
++ msk->pm.add_addr_signaled--;
++ }
+ mptcp_pm_remove_addr(msk, &list);
+ spin_unlock_bh(&msk->pm.lock);
+ }
--- /dev/null
+From edd8b5d868a4d459f3065493001e293901af758d Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Mon, 19 Aug 2024 21:45:21 +0200
+Subject: mptcp: pm: re-using ID of unused removed subflows
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit edd8b5d868a4d459f3065493001e293901af758d upstream.
+
+If no subflow is attached to the 'subflow' endpoint that is being
+removed, the addr ID will not be marked as available again.
+
+Mark the linked ID as available when removing the 'subflow' endpoint if
+no subflow is attached to it.
+
+While at it, the local_addr_used counter is decremented if the ID was
+marked as being used to reflect the reality, but also to allow adding
+new endpoints after that.
+
+Fixes: b6c08380860b ("mptcp: remove addr and subflow in PM netlink")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-3-38035d40de5b@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/pm_netlink.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/net/mptcp/pm_netlink.c
++++ b/net/mptcp/pm_netlink.c
+@@ -1469,8 +1469,17 @@ static int mptcp_nl_remove_subflow_and_s
+ remove_subflow = lookup_subflow_by_saddr(&msk->conn_list, addr);
+ mptcp_pm_remove_anno_addr(msk, addr, remove_subflow &&
+ !(entry->flags & MPTCP_PM_ADDR_FLAG_IMPLICIT));
+- if (remove_subflow)
++
++ if (remove_subflow) {
+ mptcp_pm_remove_subflow(msk, &list);
++ } else if (entry->flags & MPTCP_PM_ADDR_FLAG_SUBFLOW) {
++ /* If the subflow has been used, but now closed */
++ spin_lock_bh(&msk->pm.lock);
++ if (!__test_and_set_bit(entry->addr.id, msk->pm.id_avail_bitmap))
++ msk->pm.local_addr_used--;
++ spin_unlock_bh(&msk->pm.lock);
++ }
++
+ release_sock(sk);
+
+ next:
--- /dev/null
+From f448451aa62d54be16acb0034223c17e0d12bc69 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Mon, 19 Aug 2024 21:45:25 +0200
+Subject: mptcp: pm: remove mptcp_pm_remove_subflow()
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit f448451aa62d54be16acb0034223c17e0d12bc69 upstream.
+
+This helper is confusing. It is in pm.c, but it is specific to the
+in-kernel PM and it cannot be used by the userspace one. Also, it simply
+calls one in-kernel specific function with the PM lock, while the
+similar mptcp_pm_remove_addr() helper requires the PM lock.
+
+What's left is the pr_debug(), which is not that useful, because a
+similar one is present in the only function called by this helper:
+
+ mptcp_pm_nl_rm_subflow_received()
+
+After these modifications, this helper can be marked as 'static', and
+the lock can be taken only once in mptcp_pm_flush_addrs_and_subflows().
+
+Note that it is not a bug fix, but it will help backporting the
+following commits.
+
+Fixes: 0ee4261a3681 ("mptcp: implement mptcp_pm_remove_subflow")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-7-38035d40de5b@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/pm.c | 10 ----------
+ net/mptcp/pm_netlink.c | 16 +++++++---------
+ net/mptcp/protocol.h | 3 ---
+ 3 files changed, 7 insertions(+), 22 deletions(-)
+
+--- a/net/mptcp/pm.c
++++ b/net/mptcp/pm.c
+@@ -60,16 +60,6 @@ int mptcp_pm_remove_addr(struct mptcp_so
+ return 0;
+ }
+
+-int mptcp_pm_remove_subflow(struct mptcp_sock *msk, const struct mptcp_rm_list *rm_list)
+-{
+- pr_debug("msk=%p, rm_list_nr=%d", msk, rm_list->nr);
+-
+- spin_lock_bh(&msk->pm.lock);
+- mptcp_pm_nl_rm_subflow_received(msk, rm_list);
+- spin_unlock_bh(&msk->pm.lock);
+- return 0;
+-}
+-
+ /* path manager event handlers */
+
+ void mptcp_pm_new_connection(struct mptcp_sock *msk, const struct sock *ssk, int server_side)
+--- a/net/mptcp/pm_netlink.c
++++ b/net/mptcp/pm_netlink.c
+@@ -857,8 +857,8 @@ static void mptcp_pm_nl_rm_addr_received
+ mptcp_pm_nl_rm_addr_or_subflow(msk, &msk->pm.rm_list_rx, MPTCP_MIB_RMADDR);
+ }
+
+-void mptcp_pm_nl_rm_subflow_received(struct mptcp_sock *msk,
+- const struct mptcp_rm_list *rm_list)
++static void mptcp_pm_nl_rm_subflow_received(struct mptcp_sock *msk,
++ const struct mptcp_rm_list *rm_list)
+ {
+ mptcp_pm_nl_rm_addr_or_subflow(msk, rm_list, MPTCP_MIB_RMSUBFLOW);
+ }
+@@ -1471,7 +1471,9 @@ static int mptcp_nl_remove_subflow_and_s
+ !(entry->flags & MPTCP_PM_ADDR_FLAG_IMPLICIT));
+
+ if (remove_subflow) {
+- mptcp_pm_remove_subflow(msk, &list);
++ spin_lock_bh(&msk->pm.lock);
++ mptcp_pm_nl_rm_subflow_received(msk, &list);
++ spin_unlock_bh(&msk->pm.lock);
+ } else if (entry->flags & MPTCP_PM_ADDR_FLAG_SUBFLOW) {
+ /* If the subflow has been used, but now closed */
+ spin_lock_bh(&msk->pm.lock);
+@@ -1617,18 +1619,14 @@ static void mptcp_pm_remove_addrs_and_su
+ alist.ids[alist.nr++] = entry->addr.id;
+ }
+
++ spin_lock_bh(&msk->pm.lock);
+ if (alist.nr) {
+- spin_lock_bh(&msk->pm.lock);
+ msk->pm.add_addr_signaled -= alist.nr;
+ mptcp_pm_remove_addr(msk, &alist);
+- spin_unlock_bh(&msk->pm.lock);
+ }
+-
+ if (slist.nr)
+- mptcp_pm_remove_subflow(msk, &slist);
+-
++ mptcp_pm_nl_rm_subflow_received(msk, &slist);
+ /* Reset counters: maybe some subflows have been removed before */
+- spin_lock_bh(&msk->pm.lock);
+ bitmap_fill(msk->pm.id_avail_bitmap, MPTCP_PM_MAX_ADDR_ID + 1);
+ msk->pm.local_addr_used = 0;
+ spin_unlock_bh(&msk->pm.lock);
+--- a/net/mptcp/protocol.h
++++ b/net/mptcp/protocol.h
+@@ -1021,7 +1021,6 @@ int mptcp_pm_announce_addr(struct mptcp_
+ const struct mptcp_addr_info *addr,
+ bool echo);
+ int mptcp_pm_remove_addr(struct mptcp_sock *msk, const struct mptcp_rm_list *rm_list);
+-int mptcp_pm_remove_subflow(struct mptcp_sock *msk, const struct mptcp_rm_list *rm_list);
+ void mptcp_pm_remove_addrs(struct mptcp_sock *msk, struct list_head *rm_list);
+
+ void mptcp_free_local_addr_list(struct mptcp_sock *msk);
+@@ -1128,8 +1127,6 @@ static inline u8 subflow_get_local_id(co
+
+ void __init mptcp_pm_nl_init(void);
+ void mptcp_pm_nl_work(struct mptcp_sock *msk);
+-void mptcp_pm_nl_rm_subflow_received(struct mptcp_sock *msk,
+- const struct mptcp_rm_list *rm_list);
+ unsigned int mptcp_pm_get_add_addr_signal_max(const struct mptcp_sock *msk);
+ unsigned int mptcp_pm_get_add_addr_accept_max(const struct mptcp_sock *msk);
+ unsigned int mptcp_pm_get_subflows_max(const struct mptcp_sock *msk);
--- /dev/null
+From 9b340aeb26d50e9a9ec99599e2a39b035fac978e Mon Sep 17 00:00:00 2001
+From: Dave Airlie <airlied@redhat.com>
+Date: Fri, 16 Aug 2024 06:19:23 +1000
+Subject: nouveau/firmware: use dma non-coherent allocator
+
+From: Dave Airlie <airlied@redhat.com>
+
+commit 9b340aeb26d50e9a9ec99599e2a39b035fac978e upstream.
+
+Currently, enabling SG_DEBUG in the kernel will cause nouveau to hit a
+BUG() on startup, when the iommu is enabled:
+
+kernel BUG at include/linux/scatterlist.h:187!
+invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
+CPU: 7 PID: 930 Comm: (udev-worker) Not tainted 6.9.0-rc3Lyude-Test+ #30
+Hardware name: MSI MS-7A39/A320M GAMING PRO (MS-7A39), BIOS 1.I0 01/22/2019
+RIP: 0010:sg_init_one+0x85/0xa0
+Code: 69 88 32 01 83 e1 03 f6 c3 03 75 20 a8 01 75 1e 48 09 cb 41 89 54
+24 08 49 89 1c 24 41 89 6c 24 0c 5b 5d 41 5c e9 7b b9 88 00 <0f> 0b 0f 0b
+0f 0b 48 8b 05 5e 46 9a 01 eb b2 66 66 2e 0f 1f 84 00
+RSP: 0018:ffffa776017bf6a0 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: ffffa77600d87000 RCX: 000000000000002b
+RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffa77680d87000
+RBP: 000000000000e000 R08: 0000000000000000 R09: 0000000000000000
+R10: ffff98f4c46aa508 R11: 0000000000000000 R12: ffff98f4c46aa508
+R13: ffff98f4c46aa008 R14: ffffa77600d4a000 R15: ffffa77600d4a018
+FS: 00007feeb5aae980(0000) GS:ffff98f5c4dc0000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f22cb9a4520 CR3: 00000001043ba000 CR4: 00000000003506f0
+Call Trace:
+ <TASK>
+ ? die+0x36/0x90
+ ? do_trap+0xdd/0x100
+ ? sg_init_one+0x85/0xa0
+ ? do_error_trap+0x65/0x80
+ ? sg_init_one+0x85/0xa0
+ ? exc_invalid_op+0x50/0x70
+ ? sg_init_one+0x85/0xa0
+ ? asm_exc_invalid_op+0x1a/0x20
+ ? sg_init_one+0x85/0xa0
+ nvkm_firmware_ctor+0x14a/0x250 [nouveau]
+ nvkm_falcon_fw_ctor+0x42/0x70 [nouveau]
+ ga102_gsp_booter_ctor+0xb4/0x1a0 [nouveau]
+ r535_gsp_oneinit+0xb3/0x15f0 [nouveau]
+ ? srso_return_thunk+0x5/0x5f
+ ? srso_return_thunk+0x5/0x5f
+ ? nvkm_udevice_new+0x95/0x140 [nouveau]
+ ? srso_return_thunk+0x5/0x5f
+ ? srso_return_thunk+0x5/0x5f
+ ? ktime_get+0x47/0xb0
+
+Fix this by using the non-coherent allocator instead, I think there
+might be a better answer to this, but it involve ripping up some of
+APIs using sg lists.
+
+Cc: stable@vger.kernel.org
+Fixes: 2541626cfb79 ("drm/nouveau/acr: use common falcon HS FW code for ACR FWs")
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Danilo Krummrich <dakr@kernel.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240815201923.632803-1-airlied@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/nouveau/nvkm/core/firmware.c | 9 ++++++---
+ drivers/gpu/drm/nouveau/nvkm/falcon/fw.c | 6 ++++++
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/nouveau/nvkm/core/firmware.c
++++ b/drivers/gpu/drm/nouveau/nvkm/core/firmware.c
+@@ -205,7 +205,8 @@ nvkm_firmware_dtor(struct nvkm_firmware
+ break;
+ case NVKM_FIRMWARE_IMG_DMA:
+ nvkm_memory_unref(&memory);
+- dma_free_coherent(fw->device->dev, sg_dma_len(&fw->mem.sgl), fw->img, fw->phys);
++ dma_free_noncoherent(fw->device->dev, sg_dma_len(&fw->mem.sgl),
++ fw->img, fw->phys, DMA_TO_DEVICE);
+ break;
+ case NVKM_FIRMWARE_IMG_SGT:
+ nvkm_memory_unref(&memory);
+@@ -236,10 +237,12 @@ nvkm_firmware_ctor(const struct nvkm_fir
+ break;
+ case NVKM_FIRMWARE_IMG_DMA: {
+ dma_addr_t addr;
+-
+ len = ALIGN(fw->len, PAGE_SIZE);
+
+- fw->img = dma_alloc_coherent(fw->device->dev, len, &addr, GFP_KERNEL);
++ fw->img = dma_alloc_noncoherent(fw->device->dev,
++ len, &addr,
++ DMA_TO_DEVICE,
++ GFP_KERNEL);
+ if (fw->img) {
+ memcpy(fw->img, src, fw->len);
+ fw->phys = addr;
+--- a/drivers/gpu/drm/nouveau/nvkm/falcon/fw.c
++++ b/drivers/gpu/drm/nouveau/nvkm/falcon/fw.c
+@@ -89,6 +89,12 @@ nvkm_falcon_fw_boot(struct nvkm_falcon_f
+ nvkm_falcon_fw_dtor_sigs(fw);
+ }
+
++ /* after last write to the img, sync dma mappings */
++ dma_sync_single_for_device(fw->fw.device->dev,
++ fw->fw.phys,
++ sg_dma_len(&fw->fw.mem.sgl),
++ DMA_TO_DEVICE);
++
+ FLCNFW_DBG(fw, "resetting");
+ fw->func->reset(fw);
+
--- /dev/null
+From 50359c9c3cb3e55e840e3485f5ee37da5b2b16b6 Mon Sep 17 00:00:00 2001
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+Date: Wed, 17 Jul 2024 10:03:33 +0200
+Subject: pmdomain: imx: scu-pd: Remove duplicated clocks
+
+From: Alexander Stein <alexander.stein@ew.tq-group.com>
+
+commit 50359c9c3cb3e55e840e3485f5ee37da5b2b16b6 upstream.
+
+These clocks are already added to the list. Remove the duplicates ones.
+
+Fixes: a67d780720ff ("genpd: imx: scu-pd: add more PDs")
+Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240717080334.2210988-1-alexander.stein@ew.tq-group.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pmdomain/imx/scu-pd.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/drivers/pmdomain/imx/scu-pd.c
++++ b/drivers/pmdomain/imx/scu-pd.c
+@@ -223,11 +223,6 @@ static const struct imx_sc_pd_range imx8
+ { "lvds1-pwm", IMX_SC_R_LVDS_1_PWM_0, 1, false, 0 },
+ { "lvds1-lpi2c", IMX_SC_R_LVDS_1_I2C_0, 2, true, 0 },
+
+- { "mipi1", IMX_SC_R_MIPI_1, 1, 0 },
+- { "mipi1-pwm0", IMX_SC_R_MIPI_1_PWM_0, 1, 0 },
+- { "mipi1-i2c", IMX_SC_R_MIPI_1_I2C_0, 2, 1 },
+- { "lvds1", IMX_SC_R_LVDS_1, 1, 0 },
+-
+ /* DC SS */
+ { "dc0", IMX_SC_R_DC_0, 1, false, 0 },
+ { "dc0-pll", IMX_SC_R_DC_0_PLL_0, 2, true, 0 },
--- /dev/null
+From 52dd070c62e4ae2b5e7411b920e3f7a64235ecfb Mon Sep 17 00:00:00 2001
+From: Peng Fan <peng.fan@nxp.com>
+Date: Wed, 14 Aug 2024 20:47:40 +0800
+Subject: pmdomain: imx: wait SSAR when i.MX93 power domain on
+
+From: Peng Fan <peng.fan@nxp.com>
+
+commit 52dd070c62e4ae2b5e7411b920e3f7a64235ecfb upstream.
+
+With "quiet" set in bootargs, there is power domain failure:
+"imx93_power_domain 44462400.power-domain: pd_off timeout: name:
+ 44462400.power-domain, stat: 4"
+
+The current power on opertation takes ISO state as power on finished
+flag, but it is wrong. Before powering on operation really finishes,
+powering off comes and powering off will never finish because the last
+powering on still not finishes, so the following powering off actually
+not trigger hardware state machine to run. SSAR is the last step when
+powering on a domain, so need to wait SSAR done when powering on.
+
+Since EdgeLock Enclave(ELE) handshake is involved in the flow, enlarge
+the waiting time to 10ms for both on and off to avoid timeout.
+
+Cc: stable@vger.kernel.org
+Fixes: 0a0f7cc25d4a ("soc: imx: add i.MX93 SRC power domain driver")
+Reviewed-by: Jacky Bai <ping.bai@nxp.com>
+Signed-off-by: Peng Fan <peng.fan@nxp.com>
+Link: https://lore.kernel.org/r/20240814124740.2778952-1-peng.fan@oss.nxp.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pmdomain/imx/imx93-pd.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/pmdomain/imx/imx93-pd.c
++++ b/drivers/pmdomain/imx/imx93-pd.c
+@@ -20,6 +20,7 @@
+ #define FUNC_STAT_PSW_STAT_MASK BIT(0)
+ #define FUNC_STAT_RST_STAT_MASK BIT(2)
+ #define FUNC_STAT_ISO_STAT_MASK BIT(4)
++#define FUNC_STAT_SSAR_STAT_MASK BIT(8)
+
+ struct imx93_power_domain {
+ struct generic_pm_domain genpd;
+@@ -50,7 +51,7 @@ static int imx93_pd_on(struct generic_pm
+ writel(val, addr + MIX_SLICE_SW_CTRL_OFF);
+
+ ret = readl_poll_timeout(addr + MIX_FUNC_STAT_OFF, val,
+- !(val & FUNC_STAT_ISO_STAT_MASK), 1, 10000);
++ !(val & FUNC_STAT_SSAR_STAT_MASK), 1, 10000);
+ if (ret) {
+ dev_err(domain->dev, "pd_on timeout: name: %s, stat: %x\n", genpd->name, val);
+ return ret;
+@@ -72,7 +73,7 @@ static int imx93_pd_off(struct generic_p
+ writel(val, addr + MIX_SLICE_SW_CTRL_OFF);
+
+ ret = readl_poll_timeout(addr + MIX_FUNC_STAT_OFF, val,
+- val & FUNC_STAT_PSW_STAT_MASK, 1, 1000);
++ val & FUNC_STAT_PSW_STAT_MASK, 1, 10000);
+ if (ret) {
+ dev_err(domain->dev, "pd_off timeout: name: %s, stat: %x\n", genpd->name, val);
+ return ret;
--- /dev/null
+From 65fb58afa341ad68e71e5c4d816b407e6a683a66 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Mon, 19 Aug 2024 21:45:22 +0200
+Subject: selftests: mptcp: join: check re-using ID of closed subflow
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 65fb58afa341ad68e71e5c4d816b407e6a683a66 upstream.
+
+This test extends "delete and re-add" to validate the previous commit. A
+new 'subflow' endpoint is added, but the subflow request will be
+rejected. The result is that no subflow will be established from this
+address.
+
+Later, the endpoint is removed and re-added after having cleared the
+firewall rule. Before the previous commit, the client would not have
+been able to create this new subflow.
+
+While at it, extra checks have been added to validate the expected
+numbers of MPJ and RM_ADDR.
+
+The 'Fixes' tag here below is the same as the one from the previous
+commit: this patch here is not fixing anything wrong in the selftests,
+but it validates the previous fix for an issue introduced by this commit
+ID.
+
+Fixes: b6c08380860b ("mptcp: remove addr and subflow in PM netlink")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-4-38035d40de5b@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_join.sh | 27 +++++++++++++++++++-----
+ 1 file changed, 22 insertions(+), 5 deletions(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
+@@ -436,9 +436,10 @@ reset_with_tcp_filter()
+ local ns="${!1}"
+ local src="${2}"
+ local target="${3}"
++ local chain="${4:-INPUT}"
+
+ if ! ip netns exec "${ns}" ${iptables} \
+- -A INPUT \
++ -A "${chain}" \
+ -s "${src}" \
+ -p tcp \
+ -j "${target}"; then
+@@ -3572,10 +3573,10 @@ endpoint_tests()
+ mptcp_lib_kill_wait $tests_pid
+ fi
+
+- if reset "delete and re-add" &&
++ if reset_with_tcp_filter "delete and re-add" ns2 10.0.3.2 REJECT OUTPUT &&
+ mptcp_lib_kallsyms_has "subflow_rebuild_header$"; then
+- pm_nl_set_limits $ns1 1 1
+- pm_nl_set_limits $ns2 1 1
++ pm_nl_set_limits $ns1 0 2
++ pm_nl_set_limits $ns2 0 2
+ pm_nl_add_endpoint $ns2 10.0.2.2 id 2 dev ns2eth2 flags subflow
+ test_linkfail=4 speed=20 \
+ run_tests $ns1 $ns2 10.0.1.1 &
+@@ -3592,11 +3593,27 @@ endpoint_tests()
+ chk_subflow_nr "after delete" 1
+ chk_mptcp_info subflows 0 subflows 0
+
+- pm_nl_add_endpoint $ns2 10.0.2.2 dev ns2eth2 flags subflow
++ pm_nl_add_endpoint $ns2 10.0.2.2 id 2 dev ns2eth2 flags subflow
+ wait_mpj $ns2
+ chk_subflow_nr "after re-add" 2
+ chk_mptcp_info subflows 1 subflows 1
++
++ pm_nl_add_endpoint $ns2 10.0.3.2 id 3 flags subflow
++ wait_attempt_fail $ns2
++ chk_subflow_nr "after new reject" 2
++ chk_mptcp_info subflows 1 subflows 1
++
++ ip netns exec "${ns2}" ${iptables} -D OUTPUT -s "10.0.3.2" -p tcp -j REJECT
++ pm_nl_del_endpoint $ns2 3 10.0.3.2
++ pm_nl_add_endpoint $ns2 10.0.3.2 id 3 flags subflow
++ wait_mpj $ns2
++ chk_subflow_nr "after no reject" 3
++ chk_mptcp_info subflows 2 subflows 2
++
+ mptcp_lib_kill_wait $tests_pid
++
++ chk_join_nr 3 3 3
++ chk_rm_nr 1 1
+ fi
+ }
+
--- /dev/null
+From 4878f9f8421f4587bee7b232c1c8a9d3a7d4d782 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Mon, 19 Aug 2024 21:45:31 +0200
+Subject: selftests: mptcp: join: validate fullmesh endp on 1st sf
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 4878f9f8421f4587bee7b232c1c8a9d3a7d4d782 upstream.
+
+This case was not covered, and the wrong ID was set before the previous
+commit.
+
+The rest is not modified, it is just that it will increase the code
+coverage.
+
+The right address ID can be verified by looking at the packet traces. We
+could automate that using Netfilter with some cBPF code for example, but
+that's always a bit cryptic. Packetdrill seems better fitted for that.
+
+Fixes: 4f49d63352da ("selftests: mptcp: add fullmesh testcases")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20240819-net-mptcp-pm-reusing-id-v1-13-38035d40de5b@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_join.sh | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
++++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
+@@ -3058,6 +3058,7 @@ fullmesh_tests()
+ pm_nl_set_limits $ns1 1 3
+ pm_nl_set_limits $ns2 1 3
+ pm_nl_add_endpoint $ns1 10.0.2.1 flags signal
++ pm_nl_add_endpoint $ns2 10.0.1.2 flags subflow,fullmesh
+ fullmesh=1 speed=slow \
+ run_tests $ns1 $ns2 10.0.1.1
+ chk_join_nr 3 3 3
net-dsa-microchip-fix-ptp-config-failure-when-using-multiple-ports.patch
mips-loongson64-set-timer-mode-in-cpu-probe.patch
hid-wacom-defer-calculation-of-resolution-until-resolution_code-is-known.patch
+iommufd-device-fix-hwpt-at-err_unresv-in-iommufd_device_do_replace.patch
+input-i8042-add-forcenorestore-quirk-to-leave-controller-untouched-even-on-s3.patch
+input-i8042-use-new-forcenorestore-quirk-to-replace-old-buggy-quirk-combination.patch
+ata-pata_macio-fix-dma-table-overflow.patch
+cxgb4-add-forgotten-u64-ivlan-cast-before-shift.patch
+kvm-arm64-vgic-debug-don-t-put-unmarked-lpis.patch
+kvm-arm64-make-icc_-sgi-_el1-undef-in-the-absence-of-a-vgicv3.patch
+acpi-video-add-dell-uart-backlight-controller-detection.patch
+acpi-video-add-backlight-native-quirk-for-dell-optiplex-7760-aio.patch
+cgroup-cpuset-fix-panic-caused-by-partcmd_update.patch
+cgroup-cpuset-clear-effective_xcpus-on-cpus_allowed-clearing-only-if-cpus.exclusive-not-set.patch
+mmc-mtk-sd-receive-cmd8-data-when-hs400-tuning-fail.patch
+mmc-dw_mmc-allow-biu-and-ciu-clocks-to-defer.patch
+smb3-fix-broken-cached-reads-when-posix-locks.patch
+pmdomain-imx-scu-pd-remove-duplicated-clocks.patch
+pmdomain-imx-wait-ssar-when-i.mx93-power-domain-on.patch
+nouveau-firmware-use-dma-non-coherent-allocator.patch
+thermal-of-fix-of-node-leak-in-thermal_of_trips_init-error-path.patch
+thermal-of-fix-of-node-leak-in-thermal_of_zone_register.patch
+thermal-of-fix-of-node-leak-in-of_thermal_zone_find-error-paths.patch
+mptcp-pm-re-using-id-of-unused-removed-add_addr.patch
+mptcp-pm-re-using-id-of-unused-removed-subflows.patch
+mptcp-pm-re-using-id-of-unused-flushed-subflows.patch
+mptcp-pm-remove-mptcp_pm_remove_subflow.patch
+mptcp-pm-only-mark-subflow-endp-as-available.patch
+mptcp-pm-only-decrement-add_addr_accepted-for-mpj-req.patch
+mptcp-pm-check-add_addr_accept_max-before-accepting-new-add_addr.patch
+mptcp-pm-only-in-kernel-cannot-have-entries-with-id-0.patch
+mptcp-pm-fullmesh-select-the-right-id-later.patch
+mptcp-pm-avoid-possible-uaf-when-selecting-endp.patch
+selftests-mptcp-join-validate-fullmesh-endp-on-1st-sf.patch
+selftests-mptcp-join-check-re-using-id-of-closed-subflow.patch
--- /dev/null
+From e4be320eeca842a3d7648258ee3673f1755a5a59 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Thu, 15 Aug 2024 18:31:36 -0500
+Subject: smb3: fix broken cached reads when posix locks
+
+From: Steve French <stfrench@microsoft.com>
+
+commit e4be320eeca842a3d7648258ee3673f1755a5a59 upstream.
+
+Mandatory locking is enforced for cached reads, which violates
+default posix semantics, and also it is enforced inconsistently.
+This affected recent versions of libreoffice, and can be
+demonstrated by opening a file twice from the same client,
+locking it from handle one and trying to read from it from
+handle two (which fails, returning EACCES).
+
+There is already a mount option "forcemandatorylock"
+(which defaults to off), so with this change only when the user
+intentionally specifies "forcemandatorylock" on mount will we
+break posix semantics on read to a locked range (ie we will
+only fail in this case, if the user mounts with
+"forcemandatorylock").
+
+An earlier patch fixed the write path.
+
+Fixes: 85160e03a79e ("CIFS: Implement caching mechanism for mandatory brlocks")
+Cc: stable@vger.kernel.org
+Cc: Pavel Shilovsky <piastryyy@gmail.com>
+Reviewed-by: David Howells <dhowells@redhat.com>
+Reported-by: abartlet@samba.org
+Reported-by: Kevin Ottens <kevin.ottens@enioka.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/file.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/fs/smb/client/file.c
++++ b/fs/smb/client/file.c
+@@ -2912,9 +2912,7 @@ cifs_strict_readv(struct kiocb *iocb, st
+ if (!CIFS_CACHE_READ(cinode))
+ return netfs_unbuffered_read_iter(iocb, to);
+
+- if (cap_unix(tcon->ses) &&
+- (CIFS_UNIX_FCNTL_CAP & le64_to_cpu(tcon->fsUnixInfo.Capability)) &&
+- ((cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NOPOSIXBRL) == 0)) {
++ if ((cifs_sb->mnt_cifs_flags & CIFS_MOUNT_NOPOSIXBRL) == 0) {
+ if (iocb->ki_flags & IOCB_DIRECT)
+ return netfs_unbuffered_read_iter(iocb, to);
+ return netfs_buffered_read_iter(iocb, to);
--- /dev/null
+From c0a1ef9c5be72ff28a5413deb1b3e1a066593c13 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Wed, 14 Aug 2024 21:58:23 +0200
+Subject: thermal: of: Fix OF node leak in of_thermal_zone_find() error paths
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit c0a1ef9c5be72ff28a5413deb1b3e1a066593c13 upstream.
+
+Terminating for_each_available_child_of_node() loop requires dropping OF
+node reference, so bailing out on errors misses this. Solve the OF node
+reference leak with scoped for_each_available_child_of_node_scoped().
+
+Fixes: 3fd6d6e2b4e8 ("thermal/of: Rework the thermal device tree initialization")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
+Reviewed-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://patch.msgid.link/20240814195823.437597-3-krzysztof.kozlowski@linaro.org
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thermal/thermal_of.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/thermal/thermal_of.c
++++ b/drivers/thermal/thermal_of.c
+@@ -184,14 +184,14 @@ static struct device_node *of_thermal_zo
+ * Search for each thermal zone, a defined sensor
+ * corresponding to the one passed as parameter
+ */
+- for_each_available_child_of_node(np, tz) {
++ for_each_available_child_of_node_scoped(np, child) {
+
+ int count, i;
+
+- count = of_count_phandle_with_args(tz, "thermal-sensors",
++ count = of_count_phandle_with_args(child, "thermal-sensors",
+ "#thermal-sensor-cells");
+ if (count <= 0) {
+- pr_err("%pOFn: missing thermal sensor\n", tz);
++ pr_err("%pOFn: missing thermal sensor\n", child);
+ tz = ERR_PTR(-EINVAL);
+ goto out;
+ }
+@@ -200,18 +200,19 @@ static struct device_node *of_thermal_zo
+
+ int ret;
+
+- ret = of_parse_phandle_with_args(tz, "thermal-sensors",
++ ret = of_parse_phandle_with_args(child, "thermal-sensors",
+ "#thermal-sensor-cells",
+ i, &sensor_specs);
+ if (ret < 0) {
+- pr_err("%pOFn: Failed to read thermal-sensors cells: %d\n", tz, ret);
++ pr_err("%pOFn: Failed to read thermal-sensors cells: %d\n", child, ret);
+ tz = ERR_PTR(ret);
+ goto out;
+ }
+
+ if ((sensor == sensor_specs.np) && id == (sensor_specs.args_count ?
+ sensor_specs.args[0] : 0)) {
+- pr_debug("sensor %pOFn id=%d belongs to %pOFn\n", sensor, id, tz);
++ pr_debug("sensor %pOFn id=%d belongs to %pOFn\n", sensor, id, child);
++ tz = no_free_ptr(child);
+ goto out;
+ }
+ }
--- /dev/null
+From afc954fd223ded70b1fa000767e2531db55cce58 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Wed, 14 Aug 2024 21:58:21 +0200
+Subject: thermal: of: Fix OF node leak in thermal_of_trips_init() error path
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit afc954fd223ded70b1fa000767e2531db55cce58 upstream.
+
+Terminating for_each_child_of_node() loop requires dropping OF node
+reference, so bailing out after thermal_of_populate_trip() error misses
+this. Solve the OF node reference leak with scoped
+for_each_child_of_node_scoped().
+
+Fixes: d0c75fa2c17f ("thermal/of: Initialize trip points separately")
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
+Reviewed-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://patch.msgid.link/20240814195823.437597-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thermal/thermal_of.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/thermal/thermal_of.c
++++ b/drivers/thermal/thermal_of.c
+@@ -125,7 +125,7 @@ static int thermal_of_populate_trip(stru
+ static struct thermal_trip *thermal_of_trips_init(struct device_node *np, int *ntrips)
+ {
+ struct thermal_trip *tt;
+- struct device_node *trips, *trip;
++ struct device_node *trips;
+ int ret, count;
+
+ trips = of_get_child_by_name(np, "trips");
+@@ -150,7 +150,7 @@ static struct thermal_trip *thermal_of_t
+ *ntrips = count;
+
+ count = 0;
+- for_each_child_of_node(trips, trip) {
++ for_each_child_of_node_scoped(trips, trip) {
+ ret = thermal_of_populate_trip(trip, &tt[count++]);
+ if (ret)
+ goto out_kfree;
--- /dev/null
+From 662b52b761bfe0ba970e5823759798faf809b896 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Wed, 14 Aug 2024 21:58:22 +0200
+Subject: thermal: of: Fix OF node leak in thermal_of_zone_register()
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit 662b52b761bfe0ba970e5823759798faf809b896 upstream.
+
+thermal_of_zone_register() calls of_thermal_zone_find() which will
+iterate over OF nodes with for_each_available_child_of_node() to find
+matching thermal zone node. When it finds such, it exits the loop and
+returns the node. Prematurely ending for_each_available_child_of_node()
+loops requires dropping OF node reference, thus success of
+of_thermal_zone_find() means that caller must drop the reference.
+
+Fixes: 3fd6d6e2b4e8 ("thermal/of: Rework the thermal device tree initialization")
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
+Reviewed-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://patch.msgid.link/20240814195823.437597-2-krzysztof.kozlowski@linaro.org
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thermal/thermal_of.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/thermal/thermal_of.c
++++ b/drivers/thermal/thermal_of.c
+@@ -491,7 +491,8 @@ static struct thermal_zone_device *therm
+ trips = thermal_of_trips_init(np, &ntrips);
+ if (IS_ERR(trips)) {
+ pr_err("Failed to find trip points for %pOFn id=%d\n", sensor, id);
+- return ERR_CAST(trips);
++ ret = PTR_ERR(trips);
++ goto out_of_node_put;
+ }
+
+ ret = thermal_of_monitor_init(np, &delay, &pdelay);
+@@ -519,6 +520,7 @@ static struct thermal_zone_device *therm
+ goto out_kfree_trips;
+ }
+
++ of_node_put(np);
+ kfree(trips);
+
+ ret = thermal_zone_device_enable(tz);
+@@ -533,6 +535,8 @@ static struct thermal_zone_device *therm
+
+ out_kfree_trips:
+ kfree(trips);
++out_of_node_put:
++ of_node_put(np);
+
+ return ERR_PTR(ret);
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
