--- /dev/null
+From bb6cc253861bd5a7cf8439e2118659696df9619f Mon Sep 17 00:00:00 2001
+From: Markus Weippert <markus@gekmihesg.de>
+Date: Fri, 24 Nov 2023 16:14:37 +0100
+Subject: bcache: revert replacing IS_ERR_OR_NULL with IS_ERR
+
+From: Markus Weippert <markus@gekmihesg.de>
+
+commit bb6cc253861bd5a7cf8439e2118659696df9619f upstream.
+
+Commit 028ddcac477b ("bcache: Remove unnecessary NULL point check in
+node allocations") replaced IS_ERR_OR_NULL by IS_ERR. This leads to a
+NULL pointer dereference.
+
+BUG: kernel NULL pointer dereference, address: 0000000000000080
+Call Trace:
+ ? __die_body.cold+0x1a/0x1f
+ ? page_fault_oops+0xd2/0x2b0
+ ? exc_page_fault+0x70/0x170
+ ? asm_exc_page_fault+0x22/0x30
+ ? btree_node_free+0xf/0x160 [bcache]
+ ? up_write+0x32/0x60
+ btree_gc_coalesce+0x2aa/0x890 [bcache]
+ ? bch_extent_bad+0x70/0x170 [bcache]
+ btree_gc_recurse+0x130/0x390 [bcache]
+ ? btree_gc_mark_node+0x72/0x230 [bcache]
+ bch_btree_gc+0x5da/0x600 [bcache]
+ ? cpuusage_read+0x10/0x10
+ ? bch_btree_gc+0x600/0x600 [bcache]
+ bch_gc_thread+0x135/0x180 [bcache]
+
+The relevant code starts with:
+
+ new_nodes[0] = NULL;
+
+ for (i = 0; i < nodes; i++) {
+ if (__bch_keylist_realloc(&keylist, bkey_u64s(&r[i].b->key)))
+ goto out_nocoalesce;
+ // ...
+out_nocoalesce:
+ // ...
+ for (i = 0; i < nodes; i++)
+ if (!IS_ERR(new_nodes[i])) { // IS_ERR_OR_NULL before
+028ddcac477b
+ btree_node_free(new_nodes[i]); // new_nodes[0] is NULL
+ rw_unlock(true, new_nodes[i]);
+ }
+
+This patch replaces IS_ERR() by IS_ERR_OR_NULL() to fix this.
+
+Fixes: 028ddcac477b ("bcache: Remove unnecessary NULL point check in node allocations")
+Link: https://lore.kernel.org/all/3DF4A87A-2AC1-4893-AE5F-E921478419A9@suse.de/
+Cc: stable@vger.kernel.org
+Cc: Zheng Wang <zyytlz.wz@163.com>
+Cc: Coly Li <colyli@suse.de>
+Signed-off-by: Markus Weippert <markus@gekmihesg.de>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/bcache/btree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/btree.c
++++ b/drivers/md/bcache/btree.c
+@@ -1489,7 +1489,7 @@ out_nocoalesce:
+ bch_keylist_free(&keylist);
+
+ for (i = 0; i < nodes; i++)
+- if (!IS_ERR(new_nodes[i])) {
++ if (!IS_ERR_OR_NULL(new_nodes[i])) {
+ btree_node_free(new_nodes[i]);
+ rw_unlock(true, new_nodes[i]);
+ }
--- /dev/null
+From 2db313205f8b96eea467691917138d646bb50aef Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Thu, 2 Nov 2023 07:54:50 +1030
+Subject: btrfs: add dmesg output for first mount and last unmount of a filesystem
+
+From: Qu Wenruo <wqu@suse.com>
+
+commit 2db313205f8b96eea467691917138d646bb50aef upstream.
+
+There is a feature request to add dmesg output when unmounting a btrfs.
+There are several alternative methods to do the same thing, but with
+their own problems:
+
+- Use eBPF to watch btrfs_put_super()/open_ctree()
+ Not end user friendly, they have to dip their head into the source
+ code.
+
+- Watch for directory /sys/fs/<uuid>/
+ This is way more simple, but still requires some simple device -> uuid
+ lookups. And a script needs to use inotify to watch /sys/fs/.
+
+Compared to all these, directly outputting the information into dmesg
+would be the most simple one, with both device and UUID included.
+
+And since we're here, also add the output when mounting a filesystem for
+the first time for parity. A more fine grained monitoring of subvolume
+mounts should be done by another layer, like audit.
+
+Now mounting a btrfs with all default mkfs options would look like this:
+
+ [81.906566] BTRFS info (device dm-8): first mount of filesystem 633b5c16-afe3-4b79-b195-138fe145e4f2
+ [81.907494] BTRFS info (device dm-8): using crc32c (crc32c-intel) checksum algorithm
+ [81.908258] BTRFS info (device dm-8): using free space tree
+ [81.912644] BTRFS info (device dm-8): auto enabling async discard
+ [81.913277] BTRFS info (device dm-8): checking UUID tree
+ [91.668256] BTRFS info (device dm-8): last unmount of filesystem 633b5c16-afe3-4b79-b195-138fe145e4f2
+
+CC: stable@vger.kernel.org # 5.4+
+Link: https://github.com/kdave/btrfs-progs/issues/689
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+[ update changelog ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/disk-io.c | 1 +
+ fs/btrfs/super.c | 5 ++++-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -3204,6 +3204,7 @@ int __cold open_ctree(struct super_block
+ goto fail_alloc;
+ }
+
++ btrfs_info(fs_info, "first mount of filesystem %pU", disk_super->fsid);
+ /*
+ * Verify the type first, if that or the checksum value are
+ * corrupted, we'll find out
+--- a/fs/btrfs/super.c
++++ b/fs/btrfs/super.c
+@@ -337,7 +337,10 @@ void __btrfs_panic(struct btrfs_fs_info
+
+ static void btrfs_put_super(struct super_block *sb)
+ {
+- close_ctree(btrfs_sb(sb));
++ struct btrfs_fs_info *fs_info = btrfs_sb(sb);
++
++ btrfs_info(fs_info, "last unmount of filesystem %pU", fs_info->fs_devices->fsid);
++ close_ctree(fs_info);
+ }
+
+ enum {
--- /dev/null
+From 5fba5a571858ce2d787fdaf55814e42725bfa895 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Tue, 21 Nov 2023 13:38:32 +0000
+Subject: btrfs: fix off-by-one when checking chunk map includes logical address
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 5fba5a571858ce2d787fdaf55814e42725bfa895 upstream.
+
+At btrfs_get_chunk_map() we get the extent map for the chunk that contains
+the given logical address stored in the 'logical' argument. Then we do
+sanity checks to verify the extent map contains the logical address. One
+of these checks verifies if the extent map covers a range with an end
+offset behind the target logical address - however this check has an
+off-by-one error since it will consider an extent map whose start offset
+plus its length matches the target logical address as inclusive, while
+the fact is that the last byte it covers is behind the target logical
+address (by 1).
+
+So fix this condition by using '<=' rather than '<' when comparing the
+extent map's "start + length" against the target logical address.
+
+CC: stable@vger.kernel.org # 4.14+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/volumes.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -3069,7 +3069,7 @@ struct extent_map *btrfs_get_chunk_map(s
+ return ERR_PTR(-EINVAL);
+ }
+
+- if (em->start > logical || em->start + em->len < logical) {
++ if (em->start > logical || em->start + em->len <= logical) {
+ btrfs_crit(fs_info,
+ "found a bad mapping, wanted %llu-%llu, found %llu-%llu",
+ logical, length, em->start, em->start + em->len);
--- /dev/null
+From 7d410d5efe04e42a6cd959bfe6d59d559fdf8b25 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Tue, 21 Nov 2023 13:38:33 +0000
+Subject: btrfs: make error messages more clear when getting a chunk map
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 7d410d5efe04e42a6cd959bfe6d59d559fdf8b25 upstream.
+
+When getting a chunk map, at btrfs_get_chunk_map(), we do some sanity
+checks to verify we found a chunk map and that map found covers the
+logical address the caller passed in. However the messages aren't very
+clear in the sense that don't mention the issue is with a chunk map and
+one of them prints the 'length' argument as if it were the end offset of
+the requested range (while the in the string format we use %llu-%llu
+which suggests a range, and the second %llu-%llu is actually a range for
+the chunk map). So improve these two details in the error messages.
+
+CC: stable@vger.kernel.org # 5.4+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/volumes.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -3064,15 +3064,16 @@ struct extent_map *btrfs_get_chunk_map(s
+ read_unlock(&em_tree->lock);
+
+ if (!em) {
+- btrfs_crit(fs_info, "unable to find logical %llu length %llu",
++ btrfs_crit(fs_info,
++ "unable to find chunk map for logical %llu length %llu",
+ logical, length);
+ return ERR_PTR(-EINVAL);
+ }
+
+ if (em->start > logical || em->start + em->len <= logical) {
+ btrfs_crit(fs_info,
+- "found a bad mapping, wanted %llu-%llu, found %llu-%llu",
+- logical, length, em->start, em->start + em->len);
++ "found a bad chunk map, wanted %llu-%llu, found %llu-%llu",
++ logical, logical + length, em->start, em->start + em->len);
+ free_extent_map(em);
+ return ERR_PTR(-EINVAL);
+ }
--- /dev/null
+From f91192cd68591c6b037da345bc9fcd5e50540358 Mon Sep 17 00:00:00 2001
+From: Bragatheswaran Manickavel <bragathemanick0908@gmail.com>
+Date: Sat, 18 Nov 2023 14:40:12 +0530
+Subject: btrfs: ref-verify: fix memory leaks in btrfs_ref_tree_mod()
+
+From: Bragatheswaran Manickavel <bragathemanick0908@gmail.com>
+
+commit f91192cd68591c6b037da345bc9fcd5e50540358 upstream.
+
+In btrfs_ref_tree_mod(), when !parent 're' was allocated through
+kmalloc(). In the following code, if an error occurs, the execution will
+be redirected to 'out' or 'out_unlock' and the function will be exited.
+However, on some of the paths, 're' are not deallocated and may lead to
+memory leaks.
+
+For example: lookup_block_entry() for 'be' returns NULL, the out label
+will be invoked. During that flow ref and 'ra' are freed but not 're',
+which can potentially lead to a memory leak.
+
+CC: stable@vger.kernel.org # 5.10+
+Reported-and-tested-by: syzbot+d66de4cbf532749df35f@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=d66de4cbf532749df35f
+Signed-off-by: Bragatheswaran Manickavel <bragathemanick0908@gmail.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/ref-verify.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/btrfs/ref-verify.c
++++ b/fs/btrfs/ref-verify.c
+@@ -788,6 +788,7 @@ int btrfs_ref_tree_mod(struct btrfs_fs_i
+ dump_ref_action(fs_info, ra);
+ kfree(ref);
+ kfree(ra);
++ kfree(re);
+ goto out_unlock;
+ } else if (be->num_refs == 0) {
+ btrfs_err(fs_info,
+@@ -797,6 +798,7 @@ int btrfs_ref_tree_mod(struct btrfs_fs_i
+ dump_ref_action(fs_info, ra);
+ kfree(ref);
+ kfree(ra);
++ kfree(re);
+ goto out_unlock;
+ }
+
--- /dev/null
+From 0ac1d13a55eb37d398b63e6ff6db4a09a2c9128c Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Fri, 24 Nov 2023 17:48:31 +0100
+Subject: btrfs: send: ensure send_fd is writable
+
+From: Jann Horn <jannh@google.com>
+
+commit 0ac1d13a55eb37d398b63e6ff6db4a09a2c9128c upstream.
+
+kernel_write() requires the caller to ensure that the file is writable.
+Let's do that directly after looking up the ->send_fd.
+
+We don't need a separate bailout path because the "out" path already
+does fput() if ->send_filp is non-NULL.
+
+This has no security impact for two reasons:
+
+ - the ioctl requires CAP_SYS_ADMIN
+ - __kernel_write() bails out on read-only files - but only since 5.8,
+ see commit a01ac27be472 ("fs: check FMODE_WRITE in __kernel_write")
+
+Reported-and-tested-by: syzbot+12e098239d20385264d3@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=12e098239d20385264d3
+Fixes: 31db9f7c23fb ("Btrfs: introduce BTRFS_IOC_SEND for btrfs send/receive")
+CC: stable@vger.kernel.org # 4.14+
+Signed-off-by: Jann Horn <jannh@google.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/send.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -7576,7 +7576,7 @@ long btrfs_ioctl_send(struct file *mnt_f
+ sctx->flags = arg->flags;
+
+ sctx->send_filp = fget(arg->send_fd);
+- if (!sctx->send_filp) {
++ if (!sctx->send_filp || !(sctx->send_filp->f_mode & FMODE_WRITE)) {
+ ret = -EBADF;
+ goto out;
+ }
--- /dev/null
+From e28a0974d749e5105d77233c0a84d35c37da047e Mon Sep 17 00:00:00 2001
+From: Max Nguyen <maxwell.nguyen@hp.com>
+Date: Sun, 17 Sep 2023 22:21:53 -0700
+Subject: Input: xpad - add HyperX Clutch Gladiate Support
+
+From: Max Nguyen <maxwell.nguyen@hp.com>
+
+commit e28a0974d749e5105d77233c0a84d35c37da047e upstream.
+
+Add HyperX controller support to xpad_device and xpad_table.
+
+Suggested-by: Chris Toledanes <chris.toledanes@hp.com>
+Reviewed-by: Carl Ng <carl.ng@hp.com>
+Signed-off-by: Max Nguyen <maxwell.nguyen@hp.com>
+Reviewed-by: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Link: https://lore.kernel.org/r/20230906231514.4291-1-hphyperxdev@gmail.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/joystick/xpad.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -120,6 +120,7 @@ static const struct xpad_device {
+ { 0x044f, 0x0f07, "Thrustmaster, Inc. Controller", 0, XTYPE_XBOX },
+ { 0x044f, 0x0f10, "Thrustmaster Modena GT Wheel", 0, XTYPE_XBOX },
+ { 0x044f, 0xb326, "Thrustmaster Gamepad GP XID", 0, XTYPE_XBOX360 },
++ { 0x03f0, 0x0495, "HyperX Clutch Gladiate", 0, XTYPE_XBOXONE },
+ { 0x045e, 0x0202, "Microsoft X-Box pad v1 (US)", 0, XTYPE_XBOX },
+ { 0x045e, 0x0285, "Microsoft X-Box pad (Japan)", 0, XTYPE_XBOX },
+ { 0x045e, 0x0287, "Microsoft Xbox Controller S", 0, XTYPE_XBOX },
+@@ -434,6 +435,7 @@ static const struct usb_device_id xpad_t
+ XPAD_XBOX360_VENDOR(0x0079), /* GPD Win 2 Controller */
+ XPAD_XBOX360_VENDOR(0x03eb), /* Wooting Keyboards (Legacy) */
+ XPAD_XBOX360_VENDOR(0x044f), /* Thrustmaster X-Box 360 controllers */
++ XPAD_XBOXONE_VENDOR(0x03f0), /* HP HyperX Xbox One Controllers */
+ XPAD_XBOX360_VENDOR(0x045e), /* Microsoft X-Box 360 controllers */
+ XPAD_XBOXONE_VENDOR(0x045e), /* Microsoft X-Box One controllers */
+ XPAD_XBOX360_VENDOR(0x046d), /* Logitech X-Box 360 style controllers */
--- /dev/null
+From 85b80fdffa867d75dfb9084a839e7949e29064e8 Mon Sep 17 00:00:00 2001
+From: "Abdul Halim, Mohd Syazwan" <mohd.syazwan.abdul.halim@intel.com>
+Date: Wed, 22 Nov 2023 11:26:06 +0800
+Subject: iommu/vt-d: Add MTL to quirk list to skip TE disabling
+
+From: Abdul Halim, Mohd Syazwan <mohd.syazwan.abdul.halim@intel.com>
+
+commit 85b80fdffa867d75dfb9084a839e7949e29064e8 upstream.
+
+The VT-d spec requires (10.4.4 Global Command Register, TE field) that:
+
+Hardware implementations supporting DMA draining must drain any in-flight
+DMA read/write requests queued within the Root-Complex before switching
+address translation on or off and reflecting the status of the command
+through the TES field in the Global Status register.
+
+Unfortunately, some integrated graphic devices fail to do so after some
+kind of power state transition. As the result, the system might stuck in
+iommu_disable_translation(), waiting for the completion of TE transition.
+
+Add MTL to the quirk list for those devices and skips TE disabling if the
+qurik hits.
+
+Fixes: b1012ca8dc4f ("iommu/vt-d: Skip TE disabling on quirky gfx dedicated iommu")
+Cc: stable@vger.kernel.org
+Signed-off-by: Abdul Halim, Mohd Syazwan <mohd.syazwan.abdul.halim@intel.com>
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Link: https://lore.kernel.org/r/20231116022324.30120-1-baolu.lu@linux.intel.com
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/intel/iommu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iommu/intel/iommu.c
++++ b/drivers/iommu/intel/iommu.c
+@@ -5749,7 +5749,7 @@ static void quirk_igfx_skip_te_disable(s
+ ver = (dev->device >> 8) & 0xff;
+ if (ver != 0x45 && ver != 0x46 && ver != 0x4c &&
+ ver != 0x4e && ver != 0x8a && ver != 0x98 &&
+- ver != 0x9a && ver != 0xa7)
++ ver != 0x9a && ver != 0xa7 && ver != 0x7d)
+ return;
+
+ if (risky_device(dev))
--- /dev/null
+From e5f3e299a2b1e9c3ece24a38adfc089aef307e8a Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Thu, 23 Nov 2023 20:28:27 +0100
+Subject: parisc: Drop the HP-UX ENOSYM and EREMOTERELEASE error codes
+
+From: Helge Deller <deller@gmx.de>
+
+commit e5f3e299a2b1e9c3ece24a38adfc089aef307e8a upstream.
+
+Those return codes are only defined for the parisc architecture and
+are leftovers from when we wanted to be HP-UX compatible.
+
+They are not returned by any Linux kernel syscall but do trigger
+problems with the glibc strerrorname_np() and strerror() functions as
+reported in glibc issue #31080.
+
+There is no need to keep them, so simply remove them.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Reported-by: Bruno Haible <bruno@clisp.org>
+Closes: https://sourceware.org/bugzilla/show_bug.cgi?id=31080
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/include/uapi/asm/errno.h | 2 --
+ lib/errname.c | 6 ------
+ tools/arch/parisc/include/uapi/asm/errno.h | 2 --
+ 3 files changed, 10 deletions(-)
+
+--- a/arch/parisc/include/uapi/asm/errno.h
++++ b/arch/parisc/include/uapi/asm/errno.h
+@@ -75,7 +75,6 @@
+
+ /* We now return you to your regularly scheduled HPUX. */
+
+-#define ENOSYM 215 /* symbol does not exist in executable */
+ #define ENOTSOCK 216 /* Socket operation on non-socket */
+ #define EDESTADDRREQ 217 /* Destination address required */
+ #define EMSGSIZE 218 /* Message too long */
+@@ -101,7 +100,6 @@
+ #define ETIMEDOUT 238 /* Connection timed out */
+ #define ECONNREFUSED 239 /* Connection refused */
+ #define EREFUSED ECONNREFUSED /* for HP's NFS apparently */
+-#define EREMOTERELEASE 240 /* Remote peer released connection */
+ #define EHOSTDOWN 241 /* Host is down */
+ #define EHOSTUNREACH 242 /* No route to host */
+
+--- a/lib/errname.c
++++ b/lib/errname.c
+@@ -111,9 +111,6 @@ static const char *names_0[] = {
+ E(ENOSPC),
+ E(ENOSR),
+ E(ENOSTR),
+-#ifdef ENOSYM
+- E(ENOSYM),
+-#endif
+ E(ENOSYS),
+ E(ENOTBLK),
+ E(ENOTCONN),
+@@ -144,9 +141,6 @@ static const char *names_0[] = {
+ #endif
+ E(EREMOTE),
+ E(EREMOTEIO),
+-#ifdef EREMOTERELEASE
+- E(EREMOTERELEASE),
+-#endif
+ E(ERESTART),
+ E(ERFKILL),
+ E(EROFS),
+--- a/tools/arch/parisc/include/uapi/asm/errno.h
++++ b/tools/arch/parisc/include/uapi/asm/errno.h
+@@ -75,7 +75,6 @@
+
+ /* We now return you to your regularly scheduled HPUX. */
+
+-#define ENOSYM 215 /* symbol does not exist in executable */
+ #define ENOTSOCK 216 /* Socket operation on non-socket */
+ #define EDESTADDRREQ 217 /* Destination address required */
+ #define EMSGSIZE 218 /* Message too long */
+@@ -101,7 +100,6 @@
+ #define ETIMEDOUT 238 /* Connection timed out */
+ #define ECONNREFUSED 239 /* Connection refused */
+ #define EREFUSED ECONNREFUSED /* for HP's NFS apparently */
+-#define EREMOTERELEASE 240 /* Remote peer released connection */
+ #define EHOSTDOWN 241 /* Host is down */
+ #define EHOSTUNREACH 242 /* No route to host */
+
--- /dev/null
+From 5e1d824f9a283cbf90f25241b66d1f69adb3835b Mon Sep 17 00:00:00 2001
+From: Timothy Pearson <tpearson@raptorengineering.com>
+Date: Sun, 19 Nov 2023 09:18:02 -0600
+Subject: powerpc: Don't clobber f0/vs0 during fp|altivec register save
+
+From: Timothy Pearson <tpearson@raptorengineering.com>
+
+commit 5e1d824f9a283cbf90f25241b66d1f69adb3835b upstream.
+
+During floating point and vector save to thread data f0/vs0 are
+clobbered by the FPSCR/VSCR store routine. This has been obvserved to
+lead to userspace register corruption and application data corruption
+with io-uring.
+
+Fix it by restoring f0/vs0 after FPSCR/VSCR store has completed for
+all the FP, altivec, VMX register save paths.
+
+Tested under QEMU in kvm mode, running on a Talos II workstation with
+dual POWER9 DD2.2 CPUs.
+
+Additional detail (mpe):
+
+Typically save_fpu() is called from __giveup_fpu() which saves the FP
+regs and also *turns off FP* in the tasks MSR, meaning the kernel will
+reload the FP regs from the thread struct before letting the task use FP
+again. So in that case save_fpu() is free to clobber f0 because the FP
+regs no longer hold live values for the task.
+
+There is another case though, which is the path via:
+ sys_clone()
+ ...
+ copy_process()
+ dup_task_struct()
+ arch_dup_task_struct()
+ flush_all_to_thread()
+ save_all()
+
+That path saves the FP regs but leaves them live. That's meant as an
+optimisation for a process that's using FP/VSX and then calls fork(),
+leaving the regs live means the parent process doesn't have to take a
+fault after the fork to get its FP regs back. The optimisation was added
+in commit 8792468da5e1 ("powerpc: Add the ability to save FPU without
+giving it up").
+
+That path does clobber f0, but f0 is volatile across function calls,
+and typically programs reach copy_process() from userspace via a syscall
+wrapper function. So in normal usage f0 being clobbered across a
+syscall doesn't cause visible data corruption.
+
+But there is now a new path, because io-uring can call copy_process()
+via create_io_thread() from the signal handling path. That's OK if the
+signal is handled as part of syscall return, but it's not OK if the
+signal is handled due to some other interrupt.
+
+That path is:
+
+interrupt_return_srr_user()
+ interrupt_exit_user_prepare()
+ interrupt_exit_user_prepare_main()
+ do_notify_resume()
+ get_signal()
+ task_work_run()
+ create_worker_cb()
+ create_io_worker()
+ copy_process()
+ dup_task_struct()
+ arch_dup_task_struct()
+ flush_all_to_thread()
+ save_all()
+ if (tsk->thread.regs->msr & MSR_FP)
+ save_fpu()
+ # f0 is clobbered and potentially live in userspace
+
+Note the above discussion applies equally to save_altivec().
+
+Fixes: 8792468da5e1 ("powerpc: Add the ability to save FPU without giving it up")
+Cc: stable@vger.kernel.org # v4.6+
+Closes: https://lore.kernel.org/all/480932026.45576726.1699374859845.JavaMail.zimbra@raptorengineeringinc.com/
+Closes: https://lore.kernel.org/linuxppc-dev/480221078.47953493.1700206777956.JavaMail.zimbra@raptorengineeringinc.com/
+Tested-by: Timothy Pearson <tpearson@raptorengineering.com>
+Tested-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Timothy Pearson <tpearson@raptorengineering.com>
+[mpe: Reword change log to describe exact path of corruption & other minor tweaks]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/1921539696.48534988.1700407082933.JavaMail.zimbra@raptorengineeringinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/fpu.S | 13 +++++++++++++
+ arch/powerpc/kernel/vector.S | 2 ++
+ 2 files changed, 15 insertions(+)
+
+--- a/arch/powerpc/kernel/fpu.S
++++ b/arch/powerpc/kernel/fpu.S
+@@ -23,6 +23,15 @@
+ #include <asm/feature-fixups.h>
+
+ #ifdef CONFIG_VSX
++#define __REST_1FPVSR(n,c,base) \
++BEGIN_FTR_SECTION \
++ b 2f; \
++END_FTR_SECTION_IFSET(CPU_FTR_VSX); \
++ REST_FPR(n,base); \
++ b 3f; \
++2: REST_VSR(n,c,base); \
++3:
++
+ #define __REST_32FPVSRS(n,c,base) \
+ BEGIN_FTR_SECTION \
+ b 2f; \
+@@ -41,9 +50,11 @@ END_FTR_SECTION_IFSET(CPU_FTR_VSX);
+ 2: SAVE_32VSRS(n,c,base); \
+ 3:
+ #else
++#define __REST_1FPVSR(n,b,base) REST_FPR(n, base)
+ #define __REST_32FPVSRS(n,b,base) REST_32FPRS(n, base)
+ #define __SAVE_32FPVSRS(n,b,base) SAVE_32FPRS(n, base)
+ #endif
++#define REST_1FPVSR(n,c,base) __REST_1FPVSR(n,__REG_##c,__REG_##base)
+ #define REST_32FPVSRS(n,c,base) __REST_32FPVSRS(n,__REG_##c,__REG_##base)
+ #define SAVE_32FPVSRS(n,c,base) __SAVE_32FPVSRS(n,__REG_##c,__REG_##base)
+
+@@ -67,6 +78,7 @@ _GLOBAL(store_fp_state)
+ SAVE_32FPVSRS(0, R4, R3)
+ mffs fr0
+ stfd fr0,FPSTATE_FPSCR(r3)
++ REST_1FPVSR(0, R4, R3)
+ blr
+ EXPORT_SYMBOL(store_fp_state)
+
+@@ -133,4 +145,5 @@ _GLOBAL(save_fpu)
+ 2: SAVE_32FPVSRS(0, R4, R6)
+ mffs fr0
+ stfd fr0,FPSTATE_FPSCR(r6)
++ REST_1FPVSR(0, R4, R6)
+ blr
+--- a/arch/powerpc/kernel/vector.S
++++ b/arch/powerpc/kernel/vector.S
+@@ -32,6 +32,7 @@ _GLOBAL(store_vr_state)
+ mfvscr v0
+ li r4, VRSTATE_VSCR
+ stvx v0, r4, r3
++ lvx v0, 0, r3
+ blr
+ EXPORT_SYMBOL(store_vr_state)
+
+@@ -104,6 +105,7 @@ _GLOBAL(save_altivec)
+ mfvscr v0
+ li r4,VRSTATE_VSCR
+ stvx v0,r4,r7
++ lvx v0,0,r7
+ blr
+
+ #ifdef CONFIG_VSX
--- /dev/null
+From 48f8070f5dd8e13148ae4647780a452d53c457a2 Mon Sep 17 00:00:00 2001
+From: Patrick Wang <patrick.wang.shcn@gmail.com>
+Date: Tue, 26 Apr 2022 18:45:02 +0800
+Subject: rcu: Avoid tracing a few functions executed in stop machine
+
+From: Patrick Wang <patrick.wang.shcn@gmail.com>
+
+commit 48f8070f5dd8e13148ae4647780a452d53c457a2 upstream.
+
+Stop-machine recently started calling additional functions while waiting:
+
+----------------------------------------------------------------
+Former stop machine wait loop:
+do {
+ cpu_relax(); => macro
+ ...
+} while (curstate != STOPMACHINE_EXIT);
+-----------------------------------------------------------------
+Current stop machine wait loop:
+do {
+ stop_machine_yield(cpumask); => function (notraced)
+ ...
+ touch_nmi_watchdog(); => function (notraced, inside calls also notraced)
+ ...
+ rcu_momentary_dyntick_idle(); => function (notraced, inside calls traced)
+} while (curstate != MULTI_STOP_EXIT);
+------------------------------------------------------------------
+
+These functions (and the functions that they call) must be marked
+notrace to prevent them from being updated while they are executing.
+The consequences of failing to mark these functions can be severe:
+
+ rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
+ rcu: 1-...!: (0 ticks this GP) idle=14f/1/0x4000000000000000 softirq=3397/3397 fqs=0
+ rcu: 3-...!: (0 ticks this GP) idle=ee9/1/0x4000000000000000 softirq=5168/5168 fqs=0
+ (detected by 0, t=8137 jiffies, g=5889, q=2 ncpus=4)
+ Task dump for CPU 1:
+ task:migration/1 state:R running task stack: 0 pid: 19 ppid: 2 flags:0x00000000
+ Stopper: multi_cpu_stop+0x0/0x18c <- stop_machine_cpuslocked+0x128/0x174
+ Call Trace:
+ Task dump for CPU 3:
+ task:migration/3 state:R running task stack: 0 pid: 29 ppid: 2 flags:0x00000000
+ Stopper: multi_cpu_stop+0x0/0x18c <- stop_machine_cpuslocked+0x128/0x174
+ Call Trace:
+ rcu: rcu_preempt kthread timer wakeup didn't happen for 8136 jiffies! g5889 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x402
+ rcu: Possible timer handling issue on cpu=2 timer-softirq=594
+ rcu: rcu_preempt kthread starved for 8137 jiffies! g5889 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x402 ->cpu=2
+ rcu: Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior.
+ rcu: RCU grace-period kthread stack dump:
+ task:rcu_preempt state:I stack: 0 pid: 14 ppid: 2 flags:0x00000000
+ Call Trace:
+ schedule+0x56/0xc2
+ schedule_timeout+0x82/0x184
+ rcu_gp_fqs_loop+0x19a/0x318
+ rcu_gp_kthread+0x11a/0x140
+ kthread+0xee/0x118
+ ret_from_exception+0x0/0x14
+ rcu: Stack dump where RCU GP kthread last ran:
+ Task dump for CPU 2:
+ task:migration/2 state:R running task stack: 0 pid: 24 ppid: 2 flags:0x00000000
+ Stopper: multi_cpu_stop+0x0/0x18c <- stop_machine_cpuslocked+0x128/0x174
+ Call Trace:
+
+This commit therefore marks these functions notrace:
+ rcu_preempt_deferred_qs()
+ rcu_preempt_need_deferred_qs()
+ rcu_preempt_deferred_qs_irqrestore()
+
+[ paulmck: Apply feedback from Neeraj Upadhyay. ]
+
+Signed-off-by: Patrick Wang <patrick.wang.shcn@gmail.com>
+Acked-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Reviewed-by: Neeraj Upadhyay <quic_neeraju@quicinc.com>
+Signed-off-by: Ronald Monthero <debug.penguin32@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/rcu/tree_plugin.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/kernel/rcu/tree_plugin.h
++++ b/kernel/rcu/tree_plugin.h
+@@ -458,7 +458,7 @@ static bool rcu_preempt_has_tasks(struct
+ * be quite short, for example, in the case of the call from
+ * rcu_read_unlock_special().
+ */
+-static void
++static notrace void
+ rcu_preempt_deferred_qs_irqrestore(struct task_struct *t, unsigned long flags)
+ {
+ bool empty_exp;
+@@ -578,7 +578,7 @@ rcu_preempt_deferred_qs_irqrestore(struc
+ * is disabled. This function cannot be expected to understand these
+ * nuances, so the caller must handle them.
+ */
+-static bool rcu_preempt_need_deferred_qs(struct task_struct *t)
++static notrace bool rcu_preempt_need_deferred_qs(struct task_struct *t)
+ {
+ return (__this_cpu_read(rcu_data.exp_deferred_qs) ||
+ READ_ONCE(t->rcu_read_unlock_special.s)) &&
+@@ -592,7 +592,7 @@ static bool rcu_preempt_need_deferred_qs
+ * evaluate safety in terms of interrupt, softirq, and preemption
+ * disabling.
+ */
+-static void rcu_preempt_deferred_qs(struct task_struct *t)
++static notrace void rcu_preempt_deferred_qs(struct task_struct *t)
+ {
+ unsigned long flags;
+
+@@ -923,7 +923,7 @@ static bool rcu_preempt_has_tasks(struct
+ * Because there is no preemptible RCU, there can be no deferred quiescent
+ * states.
+ */
+-static bool rcu_preempt_need_deferred_qs(struct task_struct *t)
++static notrace bool rcu_preempt_need_deferred_qs(struct task_struct *t)
+ {
+ return false;
+ }
alsa-hda-realtek-add-supported-alc257-for-chromeos.patch
dm-verity-align-struct-dm_verity_fec_io-properly.patch
dm-verity-don-t-perform-fec-for-failed-readahead-io.patch
+bcache-revert-replacing-is_err_or_null-with-is_err.patch
+iommu-vt-d-add-mtl-to-quirk-list-to-skip-te-disabling.patch
+powerpc-don-t-clobber-f0-vs0-during-fp-altivec-register-save.patch
+parisc-drop-the-hp-ux-enosym-and-eremoterelease-error-codes.patch
+btrfs-add-dmesg-output-for-first-mount-and-last-unmount-of-a-filesystem.patch
+btrfs-ref-verify-fix-memory-leaks-in-btrfs_ref_tree_mod.patch
+btrfs-fix-off-by-one-when-checking-chunk-map-includes-logical-address.patch
+btrfs-send-ensure-send_fd-is-writable.patch
+btrfs-make-error-messages-more-clear-when-getting-a-chunk-map.patch
+input-xpad-add-hyperx-clutch-gladiate-support.patch
+vlan-introduce-vlan_dev_free_egress_priority.patch
+vlan-move-dev_put-into-vlan_dev_uninit.patch
+rcu-avoid-tracing-a-few-functions-executed-in-stop-machine.patch
--- /dev/null
+From 37aa50c539bcbcc01767e515bd170787fcfc0f33 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Wed, 9 Feb 2022 03:19:55 -0500
+Subject: vlan: introduce vlan_dev_free_egress_priority
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit 37aa50c539bcbcc01767e515bd170787fcfc0f33 upstream.
+
+This patch is to introduce vlan_dev_free_egress_priority() to
+free egress priority for vlan dev, and keep vlan_dev_uninit()
+static as .ndo_uninit. It makes the code more clear and safer
+when adding new code in vlan_dev_uninit() in the future.
+
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/8021q/vlan.h | 2 +-
+ net/8021q/vlan_dev.c | 7 ++++++-
+ net/8021q/vlan_netlink.c | 7 ++++---
+ 3 files changed, 11 insertions(+), 5 deletions(-)
+
+--- a/net/8021q/vlan.h
++++ b/net/8021q/vlan.h
+@@ -129,6 +129,7 @@ void vlan_dev_set_ingress_priority(const
+ u32 skb_prio, u16 vlan_prio);
+ int vlan_dev_set_egress_priority(const struct net_device *dev,
+ u32 skb_prio, u16 vlan_prio);
++void vlan_dev_free_egress_priority(const struct net_device *dev);
+ int vlan_dev_change_flags(const struct net_device *dev, u32 flag, u32 mask);
+ void vlan_dev_get_realdev_name(const struct net_device *dev, char *result,
+ size_t size);
+@@ -139,7 +140,6 @@ int vlan_check_real_dev(struct net_devic
+ void vlan_setup(struct net_device *dev);
+ int register_vlan_dev(struct net_device *dev, struct netlink_ext_ack *extack);
+ void unregister_vlan_dev(struct net_device *dev, struct list_head *head);
+-void vlan_dev_uninit(struct net_device *dev);
+ bool vlan_dev_inherit_address(struct net_device *dev,
+ struct net_device *real_dev);
+
+--- a/net/8021q/vlan_dev.c
++++ b/net/8021q/vlan_dev.c
+@@ -622,7 +622,7 @@ static int vlan_dev_init(struct net_devi
+ }
+
+ /* Note: this function might be called multiple times for the same device. */
+-void vlan_dev_uninit(struct net_device *dev)
++void vlan_dev_free_egress_priority(const struct net_device *dev)
+ {
+ struct vlan_priority_tci_mapping *pm;
+ struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
+@@ -636,6 +636,11 @@ void vlan_dev_uninit(struct net_device *
+ }
+ }
+
++static void vlan_dev_uninit(struct net_device *dev)
++{
++ vlan_dev_free_egress_priority(dev);
++}
++
+ static netdev_features_t vlan_dev_fix_features(struct net_device *dev,
+ netdev_features_t features)
+ {
+--- a/net/8021q/vlan_netlink.c
++++ b/net/8021q/vlan_netlink.c
+@@ -183,10 +183,11 @@ static int vlan_newlink(struct net *src_
+ return -EINVAL;
+
+ err = vlan_changelink(dev, tb, data, extack);
+- if (!err)
+- err = register_vlan_dev(dev, extack);
+ if (err)
+- vlan_dev_uninit(dev);
++ return err;
++ err = register_vlan_dev(dev, extack);
++ if (err)
++ vlan_dev_free_egress_priority(dev);
+ return err;
+ }
+
--- /dev/null
+From d6ff94afd90b0ce8d1715f8ef77d4347d7a7f2c0 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Wed, 9 Feb 2022 03:19:56 -0500
+Subject: vlan: move dev_put into vlan_dev_uninit
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit d6ff94afd90b0ce8d1715f8ef77d4347d7a7f2c0 upstream.
+
+Shuang Li reported an QinQ issue by simply doing:
+
+ # ip link add dummy0 type dummy
+ # ip link add link dummy0 name dummy0.1 type vlan id 1
+ # ip link add link dummy0.1 name dummy0.1.2 type vlan id 2
+ # rmmod 8021q
+
+ unregister_netdevice: waiting for dummy0.1 to become free. Usage count = 1
+
+When rmmods 8021q, all vlan devs are deleted from their real_dev's vlan grp
+and added into list_kill by unregister_vlan_dev(). dummy0.1 is unregistered
+before dummy0.1.2, as it's using for_each_netdev() in __rtnl_kill_links().
+
+When unregisters dummy0.1, dummy0.1.2 is not unregistered in the event of
+NETDEV_UNREGISTER, as it's been deleted from dummy0.1's vlan grp. However,
+due to dummy0.1.2 still holding dummy0.1, dummy0.1 will keep waiting in
+netdev_wait_allrefs(), while dummy0.1.2 will never get unregistered and
+release dummy0.1, as it delays dev_put until calling dev->priv_destructor,
+vlan_dev_free().
+
+This issue was introduced by Commit 563bcbae3ba2 ("net: vlan: fix a UAF in
+vlan_dev_real_dev()"), and this patch is to fix it by moving dev_put() into
+vlan_dev_uninit(), which is called after NETDEV_UNREGISTER event but before
+netdev_wait_allrefs().
+
+Fixes: 563bcbae3ba2 ("net: vlan: fix a UAF in vlan_dev_real_dev()")
+Reported-by: Shuang Li <shuali@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/8021q/vlan_dev.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/8021q/vlan_dev.c
++++ b/net/8021q/vlan_dev.c
+@@ -638,7 +638,12 @@ void vlan_dev_free_egress_priority(const
+
+ static void vlan_dev_uninit(struct net_device *dev)
+ {
++ struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
++
+ vlan_dev_free_egress_priority(dev);
++
++ /* Get rid of the vlan's reference to real_dev */
++ dev_put(vlan->real_dev);
+ }
+
+ static netdev_features_t vlan_dev_fix_features(struct net_device *dev,
+@@ -851,9 +856,6 @@ static void vlan_dev_free(struct net_dev
+
+ free_percpu(vlan->vlan_pcpu_stats);
+ vlan->vlan_pcpu_stats = NULL;
+-
+- /* Get rid of the vlan's reference to real_dev */
+- dev_put(vlan->real_dev);
+ }
+
+ void vlan_setup(struct net_device *dev)
projects / thirdparty / kernel / stable-queue.git / commitdiff
