--- /dev/null
+From 1b0e32753d8550908dff8982410357b5114be78c Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Sat, 31 Aug 2024 12:11:28 +0200
+Subject: ARM: dts: imx6ul-geam: fix fsl,pins property in tscgrp pinctrl
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit 1b0e32753d8550908dff8982410357b5114be78c upstream.
+
+The property is "fsl,pins", not "fsl,pin". Wrong property means the pin
+configuration was not applied. Fixes dtbs_check warnings:
+
+ imx6ul-geam.dtb: pinctrl@20e0000: tscgrp: 'fsl,pins' is a required property
+ imx6ul-geam.dtb: pinctrl@20e0000: tscgrp: 'fsl,pin' does not match any of the regexes: 'pinctrl-[0-9]+'
+
+Cc: stable@vger.kernel.org
+Fixes: a58e4e608bc8 ("ARM: dts: imx6ul-geam: Add Engicam IMX6UL GEA M6UL initial support")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Michael Trimarchi <michael@amarulasolutions.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/nxp/imx/imx6ul-geam.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/nxp/imx/imx6ul-geam.dts
++++ b/arch/arm/boot/dts/nxp/imx/imx6ul-geam.dts
+@@ -365,7 +365,7 @@
+ };
+
+ pinctrl_tsc: tscgrp {
+- fsl,pin = <
++ fsl,pins = <
+ MX6UL_PAD_GPIO1_IO01__GPIO1_IO01 0xb0
+ MX6UL_PAD_GPIO1_IO02__GPIO1_IO02 0xb0
+ MX6UL_PAD_GPIO1_IO03__GPIO1_IO03 0xb0
--- /dev/null
+From 3dedd4889cfc2851444a1f7626b293c0bfd1e42c Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Sat, 31 Aug 2024 12:11:29 +0200
+Subject: ARM: dts: imx6ull-seeed-npi: fix fsl,pins property in tscgrp pinctrl
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit 3dedd4889cfc2851444a1f7626b293c0bfd1e42c upstream.
+
+The property is "fsl,pins", not "fsl,pin". Wrong property means the pin
+configuration was not applied. Fixes dtbs_check warnings:
+
+ imx6ull-seeed-npi-dev-board-emmc.dtb: pinctrl@20e0000: uart1grp: 'fsl,pins' is a required property
+ imx6ull-seeed-npi-dev-board-emmc.dtb: pinctrl@20e0000: uart1grp: 'fsl,pin' does not match any of the regexes: 'pinctrl-[0-9]+'
+
+Cc: stable@vger.kernel.org
+Fixes: e3b5697195c8 ("ARM: dts: imx6ull: add seeed studio NPi dev board")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Parthiban Nallathambi <parthiban@linumiz.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/nxp/imx/imx6ull-seeed-npi-dev-board.dtsi | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/arm/boot/dts/nxp/imx/imx6ull-seeed-npi-dev-board.dtsi
++++ b/arch/arm/boot/dts/nxp/imx/imx6ull-seeed-npi-dev-board.dtsi
+@@ -339,14 +339,14 @@
+ };
+
+ pinctrl_uart1: uart1grp {
+- fsl,pin = <
++ fsl,pins = <
+ MX6UL_PAD_UART1_TX_DATA__UART1_DCE_TX 0x1b0b1
+ MX6UL_PAD_UART1_RX_DATA__UART1_DCE_RX 0x1b0b1
+ >;
+ };
+
+ pinctrl_uart2: uart2grp {
+- fsl,pin = <
++ fsl,pins = <
+ MX6UL_PAD_UART2_TX_DATA__UART2_DCE_TX 0x1b0b1
+ MX6UL_PAD_UART2_RX_DATA__UART2_DCE_RX 0x1b0b1
+ MX6UL_PAD_UART2_CTS_B__UART2_DCE_CTS 0x1b0b1
+@@ -355,7 +355,7 @@
+ };
+
+ pinctrl_uart3: uart3grp {
+- fsl,pin = <
++ fsl,pins = <
+ MX6UL_PAD_UART3_TX_DATA__UART3_DCE_TX 0x1b0b1
+ MX6UL_PAD_UART3_RX_DATA__UART3_DCE_RX 0x1b0b1
+ MX6UL_PAD_UART3_CTS_B__UART3_DCE_CTS 0x1b0b1
+@@ -364,21 +364,21 @@
+ };
+
+ pinctrl_uart4: uart4grp {
+- fsl,pin = <
++ fsl,pins = <
+ MX6UL_PAD_UART4_TX_DATA__UART4_DCE_TX 0x1b0b1
+ MX6UL_PAD_UART4_RX_DATA__UART4_DCE_RX 0x1b0b1
+ >;
+ };
+
+ pinctrl_uart5: uart5grp {
+- fsl,pin = <
++ fsl,pins = <
+ MX6UL_PAD_UART5_TX_DATA__UART5_DCE_TX 0x1b0b1
+ MX6UL_PAD_UART5_RX_DATA__UART5_DCE_RX 0x1b0b1
+ >;
+ };
+
+ pinctrl_usb_otg1_id: usbotg1idgrp {
+- fsl,pin = <
++ fsl,pins = <
+ MX6UL_PAD_GPIO1_IO00__ANATOP_OTG1_ID 0x17059
+ >;
+ };
--- /dev/null
+From 3079fb09ddac159bd8bb87f6f15b924e265f8d4d Mon Sep 17 00:00:00 2001
+From: Chen-Yu Tsai <wenst@chromium.org>
+Date: Wed, 21 Aug 2024 12:28:34 +0800
+Subject: arm64: dts: mediatek: mt8186-corsola: Disable DPI display interface
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+commit 3079fb09ddac159bd8bb87f6f15b924e265f8d4d upstream.
+
+The DPI display interface feeds the external display pipeline. However
+the pipeline representation is currently incomplete. Efforts are still
+under way to come up with a way to represent the "creative" repurposing
+of the DP bridge chip's internal output mux, which is meant to support
+USB type-C orientation changes, to output to one of two type-C ports.
+
+Until that is finalized, the external display can't be fully described,
+and thus won't work. Even worse, the half complete graph potentially
+confuses the OS, breaking the internal display as well.
+
+Disable the external display interface across the whole Corsola family
+until the DP / USB Type-C muxing graph binding is ready.
+
+Reported-by: Alper Nebi Yasak <alpernebiyasak@gmail.com>
+Closes: https://lore.kernel.org/linux-mediatek/38a703a9-6efb-456a-a248-1dd3687e526d@gmail.com/
+Fixes: 8855d01fb81f ("arm64: dts: mediatek: Add MT8186 Krabby platform based Tentacruel / Tentacool")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Tested-by: Alper Nebi Yasak <alpernebiyasak@gmail.com>
+Reviewed-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
+Link: https://lore.kernel.org/r/20240821042836.2631815-1-wenst@chromium.org
+Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8186-corsola.dtsi | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/mediatek/mt8186-corsola.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8186-corsola.dtsi
+@@ -353,7 +353,8 @@
+ pinctrl-names = "default", "sleep";
+ pinctrl-0 = <&dpi_pins_default>;
+ pinctrl-1 = <&dpi_pins_sleep>;
+- status = "okay";
++ /* TODO Re-enable after DP to Type-C port muxing can be described */
++ status = "disabled";
+ };
+
+ &dpi_out {
--- /dev/null
+From 421688265d7f5d3ff4211982e7231765378bb64f Mon Sep 17 00:00:00 2001
+From: Qingqing Zhou <quic_qqzhou@quicinc.com>
+Date: Thu, 25 Jul 2024 12:51:17 +0530
+Subject: arm64: dts: qcom: sa8775p: Mark APPS and PCIe SMMUs as DMA coherent
+
+From: Qingqing Zhou <quic_qqzhou@quicinc.com>
+
+commit 421688265d7f5d3ff4211982e7231765378bb64f upstream.
+
+The SMMUs on sa8775p are cache-coherent. GPU SMMU is marked as such,
+mark the APPS and PCIe ones as well.
+
+Fixes: 603f96d4c9d0 ("arm64: dts: qcom: add initial support for qcom sa8775p-ride")
+Fixes: 2dba7a613a6e ("arm64: dts: qcom: sa8775p: add the pcie smmu node")
+Cc: stable@vger.kernel.org
+Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Qingqing Zhou <quic_qqzhou@quicinc.com>
+Rule: add
+Link: https://lore.kernel.org/stable/20240723075948.9545-1-quic_qqzhou%40quicinc.com
+Link: https://lore.kernel.org/r/20240725072117.22425-1-quic_qqzhou@quicinc.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/qcom/sa8775p.dtsi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/boot/dts/qcom/sa8775p.dtsi
++++ b/arch/arm64/boot/dts/qcom/sa8775p.dtsi
+@@ -3070,6 +3070,7 @@
+ reg = <0x0 0x15000000 0x0 0x100000>;
+ #iommu-cells = <2>;
+ #global-interrupts = <2>;
++ dma-coherent;
+
+ interrupts = <GIC_SPI 119 IRQ_TYPE_LEVEL_HIGH>,
+ <GIC_SPI 120 IRQ_TYPE_LEVEL_HIGH>,
+@@ -3208,6 +3209,7 @@
+ reg = <0x0 0x15200000 0x0 0x80000>;
+ #iommu-cells = <2>;
+ #global-interrupts = <2>;
++ dma-coherent;
+
+ interrupts = <GIC_SPI 920 IRQ_TYPE_LEVEL_HIGH>,
+ <GIC_SPI 921 IRQ_TYPE_LEVEL_HIGH>,
--- /dev/null
+From def33fb1191207f5afa6dcb681d71fef2a6c1293 Mon Sep 17 00:00:00 2001
+From: Dragan Simic <dsimic@manjaro.org>
+Date: Mon, 15 Jul 2024 19:44:20 +0200
+Subject: arm64: dts: rockchip: Correct the Pinebook Pro battery design capacity
+
+From: Dragan Simic <dsimic@manjaro.org>
+
+commit def33fb1191207f5afa6dcb681d71fef2a6c1293 upstream.
+
+All batches of the Pine64 Pinebook Pro, except the latest batch (as of 2024)
+whose hardware design was revised due to the component shortage, use a 1S
+lithium battery whose nominal/design capacity is 10,000 mAh, according to the
+battery datasheet. [1][2] Let's correct the design full-charge value in the
+Pinebook Pro board dts, to improve the accuracy of the hardware description,
+and to hopefully improve the accuracy of the fuel gauge a bit on all units
+that don't belong to the latest batch.
+
+The above-mentioned latest batch uses a different 1S lithium battery with
+a slightly lower capacity, more precisely 9,600 mAh. To make the fuel gauge
+work reliably on the latest batch, a sample battery would need to be sent to
+CellWise, to obtain its proprietary battery profile, whose data goes into
+"cellwise,battery-profile" in the Pinebook Pro board dts. Without that data,
+the fuel gauge reportedly works unreliably, so changing the design capacity
+won't have any negative effects on the already unreliable operation of the
+fuel gauge in the Pinebook Pros that belong to the latest batch.
+
+According to the battery datasheet, its voltage can go as low as 2.75 V while
+discharging, but it's better to leave the current 3.0 V value in the dts file,
+because of the associated Pinebook Pro's voltage regulation issues.
+
+[1] https://wiki.pine64.org/index.php/Pinebook_Pro#Battery
+[2] https://files.pine64.org/doc/datasheet/pinebook/40110175P%203.8V%2010000mAh%E8%A7%84%E6%A0%BC%E4%B9%A6-14.pdf
+
+Fixes: c7c4d698cd28 ("arm64: dts: rockchip: add fuel gauge to Pinebook Pro dts")
+Cc: stable@vger.kernel.org
+Cc: Marek Kraus <gamiee@pine64.org>
+Signed-off-by: Dragan Simic <dsimic@manjaro.org>
+Link: https://lore.kernel.org/r/731f8ef9b1a867bcc730d19ed277c8c0534c0842.1721065172.git.dsimic@manjaro.org
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3399-pinebook-pro.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/rockchip/rk3399-pinebook-pro.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3399-pinebook-pro.dts
+@@ -37,7 +37,7 @@
+
+ bat: battery {
+ compatible = "simple-battery";
+- charge-full-design-microamp-hours = <9800000>;
++ charge-full-design-microamp-hours = <10000000>;
+ voltage-max-design-microvolt = <4350000>;
+ voltage-min-design-microvolt = <3000000>;
+ };
--- /dev/null
+From 8c51521de18755d4112a77a598a348b38d0af370 Mon Sep 17 00:00:00 2001
+From: Dragan Simic <dsimic@manjaro.org>
+Date: Sun, 4 Aug 2024 23:10:24 +0200
+Subject: arm64: dts: rockchip: Raise Pinebook Pro's panel backlight PWM frequency
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dragan Simic <dsimic@manjaro.org>
+
+commit 8c51521de18755d4112a77a598a348b38d0af370 upstream.
+
+Increase the frequency of the PWM signal that drives the LED backlight of
+the Pinebook Pro's panel, from about 1.35 KHz (which equals to the PWM
+period of 740,740 ns), to exactly 8 kHz (which equals to the PWM period of
+125,000 ns). Using a higher PWM frequency for the panel backlight, which
+reduces the flicker, can only be beneficial to the end users' eyes.
+
+On top of that, increasing the backlight PWM signal frequency reportedly
+eliminates the buzzing emitted from the Pinebook Pro's built-in speakers
+when certain backlight levels are set, which cause some weird interference
+with some of the components of the Pinebook Pro's audio chain.
+
+The old value for the backlight PWM period, i.e. 740,740 ns, is pretty much
+an arbitrary value that was selected during the very early bring-up of the
+Pinebook Pro, only because that value seemed to minimize horizontal line
+distortion on the display, which resulted from the old X.org drivers causing
+screen tearing when dragging windows around. That's no longer an issue, so
+there are no reasons to stick with the old PWM period value.
+
+The lower and the upper backlight PWM frequency limits for the Pinebook Pro's
+panel, according to its datasheet, are 200 Hz and 10 kHz, respectively. [1]
+These changes still leave some headroom, which may have some positive effects
+on the lifetime expectancy of the panel's backlight LEDs.
+
+[1] https://files.pine64.org/doc/datasheet/PinebookPro/NV140FHM-N49_Rev.P0_20160804_201710235838.pdf
+
+Fixes: 5a65505a6988 ("arm64: dts: rockchip: Add initial support for Pinebook Pro")
+Cc: stable@vger.kernel.org
+Reported-by: Nikola Radojevic <nikola@radojevic.rs>
+Signed-off-by: Dragan Simic <dsimic@manjaro.org>
+Tested-by: Nikola Radojević <nikola@radojevic.rs>
+Link: https://lore.kernel.org/r/2a23b6cfd8c0513e5b233b4006ee3d3ed09b824f.1722805655.git.dsimic@manjaro.org
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3399-pinebook-pro.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/rockchip/rk3399-pinebook-pro.dts
++++ b/arch/arm64/boot/dts/rockchip/rk3399-pinebook-pro.dts
+@@ -32,7 +32,7 @@
+ backlight: edp-backlight {
+ compatible = "pwm-backlight";
+ power-supply = <&vcc_12v>;
+- pwms = <&pwm0 0 740740 0>;
++ pwms = <&pwm0 0 125000 0>;
+ };
+
+ bat: battery {
--- /dev/null
+From db0d8a84348b876df7c4276f0cbce5df3b769f5f Mon Sep 17 00:00:00 2001
+From: D Scott Phillips <scott@os.amperecomputing.com>
+Date: Tue, 27 Aug 2024 14:17:01 -0700
+Subject: arm64: errata: Enable the AC03_CPU_38 workaround for ampere1a
+
+From: D Scott Phillips <scott@os.amperecomputing.com>
+
+commit db0d8a84348b876df7c4276f0cbce5df3b769f5f upstream.
+
+The ampere1a cpu is affected by erratum AC04_CPU_10 which is the same
+bug as AC03_CPU_38. Add ampere1a to the AC03_CPU_38 workaround midr list.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: D Scott Phillips <scott@os.amperecomputing.com>
+Acked-by: Oliver Upton <oliver.upton@linux.dev>
+Link: https://lore.kernel.org/r/20240827211701.2216719-1-scott@os.amperecomputing.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/arch/arm64/silicon-errata.rst | 2 ++
+ arch/arm64/Kconfig | 2 +-
+ arch/arm64/include/asm/cputype.h | 2 ++
+ arch/arm64/kernel/cpu_errata.c | 10 +++++++++-
+ 4 files changed, 14 insertions(+), 2 deletions(-)
+
+--- a/Documentation/arch/arm64/silicon-errata.rst
++++ b/Documentation/arch/arm64/silicon-errata.rst
+@@ -55,6 +55,8 @@ stable kernels.
+ +----------------+-----------------+-----------------+-----------------------------+
+ | Ampere | AmpereOne | AC03_CPU_38 | AMPERE_ERRATUM_AC03_CPU_38 |
+ +----------------+-----------------+-----------------+-----------------------------+
++| Ampere | AmpereOne AC04 | AC04_CPU_10 | AMPERE_ERRATUM_AC03_CPU_38 |
+++----------------+-----------------+-----------------+-----------------------------+
+ +----------------+-----------------+-----------------+-----------------------------+
+ | ARM | Cortex-A510 | #2457168 | ARM64_ERRATUM_2457168 |
+ +----------------+-----------------+-----------------+-----------------------------+
+--- a/arch/arm64/Kconfig
++++ b/arch/arm64/Kconfig
+@@ -423,7 +423,7 @@ config AMPERE_ERRATUM_AC03_CPU_38
+ default y
+ help
+ This option adds an alternative code sequence to work around Ampere
+- erratum AC03_CPU_38 on AmpereOne.
++ errata AC03_CPU_38 and AC04_CPU_10 on AmpereOne.
+
+ The affected design reports FEAT_HAFDBS as not implemented in
+ ID_AA64MMFR1_EL1.HAFDBS, but (V)TCR_ELx.{HA,HD} are not RES0
+--- a/arch/arm64/include/asm/cputype.h
++++ b/arch/arm64/include/asm/cputype.h
+@@ -143,6 +143,7 @@
+ #define APPLE_CPU_PART_M2_AVALANCHE_MAX 0x039
+
+ #define AMPERE_CPU_PART_AMPERE1 0xAC3
++#define AMPERE_CPU_PART_AMPERE1A 0xAC4
+
+ #define MICROSOFT_CPU_PART_AZURE_COBALT_100 0xD49 /* Based on r0p0 of ARM Neoverse N2 */
+
+@@ -212,6 +213,7 @@
+ #define MIDR_APPLE_M2_BLIZZARD_MAX MIDR_CPU_MODEL(ARM_CPU_IMP_APPLE, APPLE_CPU_PART_M2_BLIZZARD_MAX)
+ #define MIDR_APPLE_M2_AVALANCHE_MAX MIDR_CPU_MODEL(ARM_CPU_IMP_APPLE, APPLE_CPU_PART_M2_AVALANCHE_MAX)
+ #define MIDR_AMPERE1 MIDR_CPU_MODEL(ARM_CPU_IMP_AMPERE, AMPERE_CPU_PART_AMPERE1)
++#define MIDR_AMPERE1A MIDR_CPU_MODEL(ARM_CPU_IMP_AMPERE, AMPERE_CPU_PART_AMPERE1A)
+ #define MIDR_MICROSOFT_AZURE_COBALT_100 MIDR_CPU_MODEL(ARM_CPU_IMP_MICROSOFT, MICROSOFT_CPU_PART_AZURE_COBALT_100)
+
+ /* Fujitsu Erratum 010001 affects A64FX 1.0 and 1.1, (v0r0 and v1r0) */
+--- a/arch/arm64/kernel/cpu_errata.c
++++ b/arch/arm64/kernel/cpu_errata.c
+@@ -456,6 +456,14 @@ static const struct midr_range erratum_s
+ };
+ #endif
+
++#ifdef CONFIG_AMPERE_ERRATUM_AC03_CPU_38
++static const struct midr_range erratum_ac03_cpu_38_list[] = {
++ MIDR_ALL_VERSIONS(MIDR_AMPERE1),
++ MIDR_ALL_VERSIONS(MIDR_AMPERE1A),
++ {},
++};
++#endif
++
+ const struct arm64_cpu_capabilities arm64_errata[] = {
+ #ifdef CONFIG_ARM64_WORKAROUND_CLEAN_CACHE
+ {
+@@ -772,7 +780,7 @@ const struct arm64_cpu_capabilities arm6
+ {
+ .desc = "AmpereOne erratum AC03_CPU_38",
+ .capability = ARM64_WORKAROUND_AMPERE_AC03_CPU_38,
+- ERRATA_MIDR_ALL_VERSIONS(MIDR_AMPERE1),
++ ERRATA_MIDR_RANGE_LIST(erratum_ac03_cpu_38_list),
+ },
+ #endif
+ {
--- /dev/null
+From b6db3eb6c373b97d9e433530d748590421bbeea7 Mon Sep 17 00:00:00 2001
+From: Anastasia Belova <abelova@astralinux.ru>
+Date: Tue, 10 Sep 2024 11:50:16 +0300
+Subject: arm64: esr: Define ESR_ELx_EC_* constants as UL
+
+From: Anastasia Belova <abelova@astralinux.ru>
+
+commit b6db3eb6c373b97d9e433530d748590421bbeea7 upstream.
+
+Add explicit casting to prevent expantion of 32th bit of
+u32 into highest half of u64 in several places.
+
+For example, in inject_abt64:
+ESR_ELx_EC_DABT_LOW << ESR_ELx_EC_SHIFT = 0x24 << 26.
+This operation's result is int with 1 in 32th bit.
+While casting this value into u64 (esr is u64) 1
+fills 32 highest bits.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Cc: <stable@vger.kernel.org>
+Fixes: aa8eff9bfbd5 ("arm64: KVM: fault injection into a guest")
+Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
+Acked-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/stable/20240910085016.32120-1-abelova%40astralinux.ru
+Link: https://lore.kernel.org/r/20240910085016.32120-1-abelova@astralinux.ru
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/esr.h | 88 +++++++++++++++++++++----------------------
+ 1 file changed, 44 insertions(+), 44 deletions(-)
+
+--- a/arch/arm64/include/asm/esr.h
++++ b/arch/arm64/include/asm/esr.h
+@@ -10,63 +10,63 @@
+ #include <asm/memory.h>
+ #include <asm/sysreg.h>
+
+-#define ESR_ELx_EC_UNKNOWN (0x00)
+-#define ESR_ELx_EC_WFx (0x01)
++#define ESR_ELx_EC_UNKNOWN UL(0x00)
++#define ESR_ELx_EC_WFx UL(0x01)
+ /* Unallocated EC: 0x02 */
+-#define ESR_ELx_EC_CP15_32 (0x03)
+-#define ESR_ELx_EC_CP15_64 (0x04)
+-#define ESR_ELx_EC_CP14_MR (0x05)
+-#define ESR_ELx_EC_CP14_LS (0x06)
+-#define ESR_ELx_EC_FP_ASIMD (0x07)
+-#define ESR_ELx_EC_CP10_ID (0x08) /* EL2 only */
+-#define ESR_ELx_EC_PAC (0x09) /* EL2 and above */
++#define ESR_ELx_EC_CP15_32 UL(0x03)
++#define ESR_ELx_EC_CP15_64 UL(0x04)
++#define ESR_ELx_EC_CP14_MR UL(0x05)
++#define ESR_ELx_EC_CP14_LS UL(0x06)
++#define ESR_ELx_EC_FP_ASIMD UL(0x07)
++#define ESR_ELx_EC_CP10_ID UL(0x08) /* EL2 only */
++#define ESR_ELx_EC_PAC UL(0x09) /* EL2 and above */
+ /* Unallocated EC: 0x0A - 0x0B */
+-#define ESR_ELx_EC_CP14_64 (0x0C)
+-#define ESR_ELx_EC_BTI (0x0D)
+-#define ESR_ELx_EC_ILL (0x0E)
++#define ESR_ELx_EC_CP14_64 UL(0x0C)
++#define ESR_ELx_EC_BTI UL(0x0D)
++#define ESR_ELx_EC_ILL UL(0x0E)
+ /* Unallocated EC: 0x0F - 0x10 */
+-#define ESR_ELx_EC_SVC32 (0x11)
+-#define ESR_ELx_EC_HVC32 (0x12) /* EL2 only */
+-#define ESR_ELx_EC_SMC32 (0x13) /* EL2 and above */
++#define ESR_ELx_EC_SVC32 UL(0x11)
++#define ESR_ELx_EC_HVC32 UL(0x12) /* EL2 only */
++#define ESR_ELx_EC_SMC32 UL(0x13) /* EL2 and above */
+ /* Unallocated EC: 0x14 */
+-#define ESR_ELx_EC_SVC64 (0x15)
+-#define ESR_ELx_EC_HVC64 (0x16) /* EL2 and above */
+-#define ESR_ELx_EC_SMC64 (0x17) /* EL2 and above */
+-#define ESR_ELx_EC_SYS64 (0x18)
+-#define ESR_ELx_EC_SVE (0x19)
+-#define ESR_ELx_EC_ERET (0x1a) /* EL2 only */
++#define ESR_ELx_EC_SVC64 UL(0x15)
++#define ESR_ELx_EC_HVC64 UL(0x16) /* EL2 and above */
++#define ESR_ELx_EC_SMC64 UL(0x17) /* EL2 and above */
++#define ESR_ELx_EC_SYS64 UL(0x18)
++#define ESR_ELx_EC_SVE UL(0x19)
++#define ESR_ELx_EC_ERET UL(0x1a) /* EL2 only */
+ /* Unallocated EC: 0x1B */
+-#define ESR_ELx_EC_FPAC (0x1C) /* EL1 and above */
+-#define ESR_ELx_EC_SME (0x1D)
++#define ESR_ELx_EC_FPAC UL(0x1C) /* EL1 and above */
++#define ESR_ELx_EC_SME UL(0x1D)
+ /* Unallocated EC: 0x1E */
+-#define ESR_ELx_EC_IMP_DEF (0x1f) /* EL3 only */
+-#define ESR_ELx_EC_IABT_LOW (0x20)
+-#define ESR_ELx_EC_IABT_CUR (0x21)
+-#define ESR_ELx_EC_PC_ALIGN (0x22)
++#define ESR_ELx_EC_IMP_DEF UL(0x1f) /* EL3 only */
++#define ESR_ELx_EC_IABT_LOW UL(0x20)
++#define ESR_ELx_EC_IABT_CUR UL(0x21)
++#define ESR_ELx_EC_PC_ALIGN UL(0x22)
+ /* Unallocated EC: 0x23 */
+-#define ESR_ELx_EC_DABT_LOW (0x24)
+-#define ESR_ELx_EC_DABT_CUR (0x25)
+-#define ESR_ELx_EC_SP_ALIGN (0x26)
+-#define ESR_ELx_EC_MOPS (0x27)
+-#define ESR_ELx_EC_FP_EXC32 (0x28)
++#define ESR_ELx_EC_DABT_LOW UL(0x24)
++#define ESR_ELx_EC_DABT_CUR UL(0x25)
++#define ESR_ELx_EC_SP_ALIGN UL(0x26)
++#define ESR_ELx_EC_MOPS UL(0x27)
++#define ESR_ELx_EC_FP_EXC32 UL(0x28)
+ /* Unallocated EC: 0x29 - 0x2B */
+-#define ESR_ELx_EC_FP_EXC64 (0x2C)
++#define ESR_ELx_EC_FP_EXC64 UL(0x2C)
+ /* Unallocated EC: 0x2D - 0x2E */
+-#define ESR_ELx_EC_SERROR (0x2F)
+-#define ESR_ELx_EC_BREAKPT_LOW (0x30)
+-#define ESR_ELx_EC_BREAKPT_CUR (0x31)
+-#define ESR_ELx_EC_SOFTSTP_LOW (0x32)
+-#define ESR_ELx_EC_SOFTSTP_CUR (0x33)
+-#define ESR_ELx_EC_WATCHPT_LOW (0x34)
+-#define ESR_ELx_EC_WATCHPT_CUR (0x35)
++#define ESR_ELx_EC_SERROR UL(0x2F)
++#define ESR_ELx_EC_BREAKPT_LOW UL(0x30)
++#define ESR_ELx_EC_BREAKPT_CUR UL(0x31)
++#define ESR_ELx_EC_SOFTSTP_LOW UL(0x32)
++#define ESR_ELx_EC_SOFTSTP_CUR UL(0x33)
++#define ESR_ELx_EC_WATCHPT_LOW UL(0x34)
++#define ESR_ELx_EC_WATCHPT_CUR UL(0x35)
+ /* Unallocated EC: 0x36 - 0x37 */
+-#define ESR_ELx_EC_BKPT32 (0x38)
++#define ESR_ELx_EC_BKPT32 UL(0x38)
+ /* Unallocated EC: 0x39 */
+-#define ESR_ELx_EC_VECTOR32 (0x3A) /* EL2 only */
++#define ESR_ELx_EC_VECTOR32 UL(0x3A) /* EL2 only */
+ /* Unallocated EC: 0x3B */
+-#define ESR_ELx_EC_BRK64 (0x3C)
++#define ESR_ELx_EC_BRK64 UL(0x3C)
+ /* Unallocated EC: 0x3D - 0x3F */
+-#define ESR_ELx_EC_MAX (0x3F)
++#define ESR_ELx_EC_MAX UL(0x3F)
+
+ #define ESR_ELx_EC_SHIFT (26)
+ #define ESR_ELx_EC_WIDTH (6)
--- /dev/null
+From a3ed1cc4136df01e74a8b6df8c562db69e752bad Mon Sep 17 00:00:00 2001
+From: Alyssa Ross <hi@alyssa.is>
+Date: Sat, 7 Sep 2024 18:00:26 +0200
+Subject: bcachefs: Fix negative timespecs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alyssa Ross <hi@alyssa.is>
+
+commit a3ed1cc4136df01e74a8b6df8c562db69e752bad upstream.
+
+This fixes two problems in the handling of negative times:
+
+ • rem is signed, but the rem * c->sb.nsec_per_time_unit operation
+ produced a bogus unsigned result, because s32 * u32 = u32.
+
+ • The timespec was not normalized (it could contain more than a
+ billion nanoseconds).
+
+For example, { .tv_sec = -14245441, .tv_nsec = 750000000 }, after
+being round tripped through timespec_to_bch2_time and then
+bch2_time_to_timespec would come back as
+{ .tv_sec = -14245440, .tv_nsec = 4044967296 } (more than 4 billion
+nanoseconds).
+
+Cc: stable@vger.kernel.org
+Fixes: 595c1e9bab7f ("bcachefs: Fix time handling")
+Closes: https://github.com/koverstreet/bcachefs/issues/743
+Co-developed-by: Erin Shepherd <erin.shepherd@e43.eu>
+Signed-off-by: Erin Shepherd <erin.shepherd@e43.eu>
+Co-developed-by: Ryan Lahfa <ryan@lahfa.xyz>
+Signed-off-by: Ryan Lahfa <ryan@lahfa.xyz>
+Signed-off-by: Alyssa Ross <hi@alyssa.is>
+Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/bcachefs/bcachefs.h | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/bcachefs/bcachefs.h
++++ b/fs/bcachefs/bcachefs.h
+@@ -1195,12 +1195,15 @@ static inline bool btree_id_cached(const
+ static inline struct timespec64 bch2_time_to_timespec(const struct bch_fs *c, s64 time)
+ {
+ struct timespec64 t;
++ s64 sec;
+ s32 rem;
+
+ time += c->sb.time_base_lo;
+
+- t.tv_sec = div_s64_rem(time, c->sb.time_units_per_sec, &rem);
+- t.tv_nsec = rem * c->sb.nsec_per_time_unit;
++ sec = div_s64_rem(time, c->sb.time_units_per_sec, &rem);
++
++ set_normalized_timespec64(&t, sec, rem * (s64)c->sb.nsec_per_time_unit);
++
+ return t;
+ }
+
--- /dev/null
+From 3368597206dc3c6c3c2247ee146beada14c67380 Mon Sep 17 00:00:00 2001
+From: Luca Stefani <luca.stefani.ge1@gmail.com>
+Date: Mon, 2 Sep 2024 13:10:53 +0200
+Subject: btrfs: always update fstrim_range on failure in FITRIM ioctl
+
+From: Luca Stefani <luca.stefani.ge1@gmail.com>
+
+commit 3368597206dc3c6c3c2247ee146beada14c67380 upstream.
+
+Even in case of failure we could've discarded some data and userspace
+should be made aware of it, so copy fstrim_range to userspace
+regardless.
+
+Also make sure to update the trimmed bytes amount even if
+btrfs_trim_free_extents fails.
+
+CC: stable@vger.kernel.org # 5.15+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Luca Stefani <luca.stefani.ge1@gmail.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/extent-tree.c | 4 ++--
+ fs/btrfs/ioctl.c | 4 +---
+ 2 files changed, 3 insertions(+), 5 deletions(-)
+
+--- a/fs/btrfs/extent-tree.c
++++ b/fs/btrfs/extent-tree.c
+@@ -6551,13 +6551,13 @@ int btrfs_trim_fs(struct btrfs_fs_info *
+ continue;
+
+ ret = btrfs_trim_free_extents(device, &group_trimmed);
++
++ trimmed += group_trimmed;
+ if (ret) {
+ dev_failed++;
+ dev_ret = ret;
+ break;
+ }
+-
+- trimmed += group_trimmed;
+ }
+ mutex_unlock(&fs_devices->device_list_mutex);
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -543,13 +543,11 @@ static noinline int btrfs_ioctl_fitrim(s
+
+ range.minlen = max(range.minlen, minlen);
+ ret = btrfs_trim_fs(fs_info, &range);
+- if (ret < 0)
+- return ret;
+
+ if (copy_to_user(arg, &range, sizeof(range)))
+ return -EFAULT;
+
+- return 0;
++ return ret;
+ }
+
+ int __pure btrfs_is_empty_uuid(const u8 *uuid)
--- /dev/null
+From 7ee85f5515e86a4e2a2f51969795920733912bad Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Tue, 3 Sep 2024 10:55:36 +0100
+Subject: btrfs: fix race setting file private on concurrent lseek using same fd
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 7ee85f5515e86a4e2a2f51969795920733912bad upstream.
+
+When doing concurrent lseek(2) system calls against the same file
+descriptor, using multiple threads belonging to the same process, we have
+a short time window where a race happens and can result in a memory leak.
+
+The race happens like this:
+
+1) A program opens a file descriptor for a file and then spawns two
+ threads (with the pthreads library for example), lets call them
+ task A and task B;
+
+2) Task A calls lseek with SEEK_DATA or SEEK_HOLE and ends up at
+ file.c:find_desired_extent() while holding a read lock on the inode;
+
+3) At the start of find_desired_extent(), it extracts the file's
+ private_data pointer into a local variable named 'private', which has
+ a value of NULL;
+
+4) Task B also calls lseek with SEEK_DATA or SEEK_HOLE, locks the inode
+ in shared mode and enters file.c:find_desired_extent(), where it also
+ extracts file->private_data into its local variable 'private', which
+ has a NULL value;
+
+5) Because it saw a NULL file private, task A allocates a private
+ structure and assigns to the file structure;
+
+6) Task B also saw a NULL file private so it also allocates its own file
+ private and then assigns it to the same file structure, since both
+ tasks are using the same file descriptor.
+
+ At this point we leak the private structure allocated by task A.
+
+Besides the memory leak, there's also the detail that both tasks end up
+using the same cached state record in the private structure (struct
+btrfs_file_private::llseek_cached_state), which can result in a
+use-after-free problem since one task can free it while the other is
+still using it (only one task took a reference count on it). Also, sharing
+the cached state is not a good idea since it could result in incorrect
+results in the future - right now it should not be a problem because it
+end ups being used only in extent-io-tree.c:count_range_bits() where we do
+range validation before using the cached state.
+
+Fix this by protecting the private assignment and check of a file while
+holding the inode's spinlock and keep track of the task that allocated
+the private, so that it's used only by that task in order to prevent
+user-after-free issues with the cached state record as well as potentially
+using it incorrectly in the future.
+
+Fixes: 3c32c7212f16 ("btrfs: use cached state when looking for delalloc ranges with lseek")
+CC: stable@vger.kernel.org # 6.6+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/btrfs_inode.h | 1 +
+ fs/btrfs/ctree.h | 2 ++
+ fs/btrfs/file.c | 34 +++++++++++++++++++++++++++++++---
+ 3 files changed, 34 insertions(+), 3 deletions(-)
+
+--- a/fs/btrfs/btrfs_inode.h
++++ b/fs/btrfs/btrfs_inode.h
+@@ -152,6 +152,7 @@ struct btrfs_inode {
+ * logged_trans), to access/update delalloc_bytes, new_delalloc_bytes,
+ * defrag_bytes, disk_i_size, outstanding_extents, csum_bytes and to
+ * update the VFS' inode number of bytes used.
++ * Also protects setting struct file::private_data.
+ */
+ spinlock_t lock;
+
+--- a/fs/btrfs/ctree.h
++++ b/fs/btrfs/ctree.h
+@@ -459,6 +459,8 @@ struct btrfs_file_private {
+ void *filldir_buf;
+ u64 last_index;
+ struct extent_state *llseek_cached_state;
++ /* Task that allocated this structure. */
++ struct task_struct *owner_task;
+ };
+
+ static inline u32 BTRFS_LEAF_DATA_SIZE(const struct btrfs_fs_info *info)
+--- a/fs/btrfs/file.c
++++ b/fs/btrfs/file.c
+@@ -3485,7 +3485,7 @@ static bool find_desired_extent_in_hole(
+ static loff_t find_desired_extent(struct file *file, loff_t offset, int whence)
+ {
+ struct btrfs_inode *inode = BTRFS_I(file->f_mapping->host);
+- struct btrfs_file_private *private = file->private_data;
++ struct btrfs_file_private *private;
+ struct btrfs_fs_info *fs_info = inode->root->fs_info;
+ struct extent_state *cached_state = NULL;
+ struct extent_state **delalloc_cached_state;
+@@ -3513,7 +3513,19 @@ static loff_t find_desired_extent(struct
+ inode_get_bytes(&inode->vfs_inode) == i_size)
+ return i_size;
+
+- if (!private) {
++ spin_lock(&inode->lock);
++ private = file->private_data;
++ spin_unlock(&inode->lock);
++
++ if (private && private->owner_task != current) {
++ /*
++ * Not allocated by us, don't use it as its cached state is used
++ * by the task that allocated it and we don't want neither to
++ * mess with it nor get incorrect results because it reflects an
++ * invalid state for the current task.
++ */
++ private = NULL;
++ } else if (!private) {
+ private = kzalloc(sizeof(*private), GFP_KERNEL);
+ /*
+ * No worries if memory allocation failed.
+@@ -3521,7 +3533,23 @@ static loff_t find_desired_extent(struct
+ * lseek SEEK_HOLE/DATA calls to a file when there's delalloc,
+ * so everything will still be correct.
+ */
+- file->private_data = private;
++ if (private) {
++ bool free = false;
++
++ private->owner_task = current;
++
++ spin_lock(&inode->lock);
++ if (file->private_data)
++ free = true;
++ else
++ file->private_data = private;
++ spin_unlock(&inode->lock);
++
++ if (free) {
++ kfree(private);
++ private = NULL;
++ }
++ }
+ }
+
+ if (private)
--- /dev/null
+From b0b595e61d97de61c15b379b754b2caa90e83e5c Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Wed, 11 Sep 2024 07:06:45 +0930
+Subject: btrfs: tree-checker: fix the wrong output of data backref objectid
+
+From: Qu Wenruo <wqu@suse.com>
+
+commit b0b595e61d97de61c15b379b754b2caa90e83e5c upstream.
+
+[BUG]
+There are some reports about invalid data backref objectids, the report
+looks like this:
+
+ BTRFS critical (device sda): corrupt leaf: block=333654787489792 slot=110 extent bytenr=333413935558656 len=65536 invalid data ref objectid value 2543
+
+The data ref objectid is the inode number inside the subvolume.
+
+But in above case, the value is completely sane, not really showing the
+problem.
+
+[CAUSE]
+The root cause of the problem is the deprecated feature, inode cache.
+
+This feature results a special inode number, -12ULL, and it's no longer
+recognized by tree-checker, triggering the error.
+
+The direct problem here is the output of data ref objectid. The value
+shown is in fact the dref_root (subvolume id), not the dref_objectid
+(inode number).
+
+[FIX]
+Fix the output to use dref_objectid instead.
+
+Reported-by: Neil Parton <njparton@gmail.com>
+Reported-by: Archange <archange@archlinux.org>
+Link: https://lore.kernel.org/linux-btrfs/CAAYHqBbrrgmh6UmW3ANbysJX9qG9Pbg3ZwnKsV=5mOpv_qix_Q@mail.gmail.com/
+Link: https://lore.kernel.org/linux-btrfs/9541deea-9056-406e-be16-a996b549614d@archlinux.org/
+Fixes: f333a3c7e832 ("btrfs: tree-checker: validate dref root and objectid")
+CC: stable@vger.kernel.org # 6.11
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/tree-checker.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/tree-checker.c
++++ b/fs/btrfs/tree-checker.c
+@@ -1517,7 +1517,7 @@ static int check_extent_item(struct exte
+ dref_objectid > BTRFS_LAST_FREE_OBJECTID)) {
+ extent_err(leaf, slot,
+ "invalid data ref objectid value %llu",
+- dref_root);
++ dref_objectid);
+ return -EUCLEAN;
+ }
+ if (unlikely(!IS_ALIGNED(dref_offset,
--- /dev/null
+From a309320ddbac6b1583224fcb6bacd424bcf8637f Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Tue, 20 Aug 2024 11:40:22 +0200
+Subject: cpuidle: riscv-sbi: Use scoped device node handling to fix missing of_node_put
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit a309320ddbac6b1583224fcb6bacd424bcf8637f upstream.
+
+Two return statements in sbi_cpuidle_dt_init_states() did not drop the
+OF node reference count. Solve the issue and simplify entire error
+handling with scoped/cleanup.h.
+
+Fixes: 6abf32f1d9c5 ("cpuidle: Add RISC-V SBI CPU idle driver")
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Anup Patel <anup@brainfault.org>
+Link: https://patch.msgid.link/20240820094023.61155-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cpuidle/cpuidle-riscv-sbi.c | 21 +++++++--------------
+ 1 file changed, 7 insertions(+), 14 deletions(-)
+
+--- a/drivers/cpuidle/cpuidle-riscv-sbi.c
++++ b/drivers/cpuidle/cpuidle-riscv-sbi.c
+@@ -8,6 +8,7 @@
+
+ #define pr_fmt(fmt) "cpuidle-riscv-sbi: " fmt
+
++#include <linux/cleanup.h>
+ #include <linux/cpuhotplug.h>
+ #include <linux/cpuidle.h>
+ #include <linux/cpumask.h>
+@@ -236,19 +237,16 @@ static int sbi_cpuidle_dt_init_states(st
+ {
+ struct sbi_cpuidle_data *data = per_cpu_ptr(&sbi_cpuidle_data, cpu);
+ struct device_node *state_node;
+- struct device_node *cpu_node;
+ u32 *states;
+ int i, ret;
+
+- cpu_node = of_cpu_device_node_get(cpu);
++ struct device_node *cpu_node __free(device_node) = of_cpu_device_node_get(cpu);
+ if (!cpu_node)
+ return -ENODEV;
+
+ states = devm_kcalloc(dev, state_count, sizeof(*states), GFP_KERNEL);
+- if (!states) {
+- ret = -ENOMEM;
+- goto fail;
+- }
++ if (!states)
++ return -ENOMEM;
+
+ /* Parse SBI specific details from state DT nodes */
+ for (i = 1; i < state_count; i++) {
+@@ -264,10 +262,8 @@ static int sbi_cpuidle_dt_init_states(st
+
+ pr_debug("sbi-state %#x index %d\n", states[i], i);
+ }
+- if (i != state_count) {
+- ret = -ENODEV;
+- goto fail;
+- }
++ if (i != state_count)
++ return -ENODEV;
+
+ /* Initialize optional data, used for the hierarchical topology. */
+ ret = sbi_dt_cpu_init_topology(drv, data, state_count, cpu);
+@@ -277,10 +273,7 @@ static int sbi_cpuidle_dt_init_states(st
+ /* Store states in the per-cpu struct. */
+ data->states = states;
+
+-fail:
+- of_node_put(cpu_node);
+-
+- return ret;
++ return 0;
+ }
+
+ static void sbi_cpuidle_deinit_cpu(int cpu)
--- /dev/null
+From 12736adc43b7cd5cb83f274f8f37b0f89d107c97 Mon Sep 17 00:00:00 2001
+From: Haibo Chen <haibo.chen@nxp.com>
+Date: Thu, 5 Sep 2024 17:43:35 +0800
+Subject: dt-bindings: spi: nxp-fspi: add imx8ulp support
+
+From: Haibo Chen <haibo.chen@nxp.com>
+
+commit 12736adc43b7cd5cb83f274f8f37b0f89d107c97 upstream.
+
+The flexspi on imx8ulp only has 16 number of LUTs, it is different
+with flexspi on other imx SoC which has 32 number of LUTs.
+
+Fixes: ef89fd56bdfc ("arm64: dts: imx8ulp: add flexspi node")
+Cc: stable@kernel.org
+Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Link: https://patch.msgid.link/20240905094338.1986871-2-haibo.chen@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/spi/spi-nxp-fspi.yaml | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/Documentation/devicetree/bindings/spi/spi-nxp-fspi.yaml
++++ b/Documentation/devicetree/bindings/spi/spi-nxp-fspi.yaml
+@@ -21,6 +21,7 @@ properties:
+ - nxp,imx8mm-fspi
+ - nxp,imx8mp-fspi
+ - nxp,imx8qxp-fspi
++ - nxp,imx8ulp-fspi
+ - nxp,lx2160a-fspi
+ - items:
+ - enum:
--- /dev/null
+From 0ad875f442e95d69a1145a38aabac2fd29984fe3 Mon Sep 17 00:00:00 2001
+From: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+Date: Wed, 14 Aug 2024 14:10:11 +0800
+Subject: EDAC/igen6: Fix conversion of system address to physical memory address
+
+From: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+
+commit 0ad875f442e95d69a1145a38aabac2fd29984fe3 upstream.
+
+The conversion of system address to physical memory address (as viewed by
+the memory controller) by igen6_edac is incorrect when the system address
+is above the TOM (Total amount Of populated physical Memory) for Elkhart
+Lake and Ice Lake (Neural Network Processor). Fix this conversion.
+
+Fixes: 10590a9d4f23 ("EDAC/igen6: Add EDAC driver for Intel client SoCs using IBECC")
+Signed-off-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/stable/20240814061011.43545-1-qiuxu.zhuo%40intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/edac/igen6_edac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/edac/igen6_edac.c
++++ b/drivers/edac/igen6_edac.c
+@@ -316,7 +316,7 @@ static u64 ehl_err_addr_to_imc_addr(u64
+ if (igen6_tom <= _4GB)
+ return eaddr + igen6_tolud - _4GB;
+
+- if (eaddr < _4GB)
++ if (eaddr >= igen6_tom)
+ return eaddr + igen6_tolud - igen6_tom;
+
+ return eaddr;
--- /dev/null
+From b9ca079dd6b09e08863aa998edf5c47597806c05 Mon Sep 17 00:00:00 2001
+From: Martin Karsten <mkarsten@uwaterloo.ca>
+Date: Tue, 6 Aug 2024 12:33:01 +0000
+Subject: eventpoll: Annotate data-race of busy_poll_usecs
+
+From: Martin Karsten <mkarsten@uwaterloo.ca>
+
+commit b9ca079dd6b09e08863aa998edf5c47597806c05 upstream.
+
+A struct eventpoll's busy_poll_usecs field can be modified via a user
+ioctl at any time. All reads of this field should be annotated with
+READ_ONCE.
+
+Fixes: 85455c795c07 ("eventpoll: support busy poll per epoll instance")
+Cc: stable@vger.kernel.org
+Signed-off-by: Martin Karsten <mkarsten@uwaterloo.ca>
+Link: https://lore.kernel.org/r/20240806123301.167557-1-jdamato@fastly.com
+Reviewed-by: Joe Damato <jdamato@fastly.com>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/eventpoll.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/eventpoll.c
++++ b/fs/eventpoll.c
+@@ -420,7 +420,7 @@ static bool busy_loop_ep_timeout(unsigne
+
+ static bool ep_busy_loop_on(struct eventpoll *ep)
+ {
+- return !!ep->busy_poll_usecs || net_busy_loop_on();
++ return !!READ_ONCE(ep->busy_poll_usecs) || net_busy_loop_on();
+ }
+
+ static bool ep_busy_loop_end(void *p, unsigned long start_time)
--- /dev/null
+From 50438dbc483ca6a133d2bce9d5d6747bcee38371 Mon Sep 17 00:00:00 2001
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Date: Wed, 24 Jul 2024 10:51:58 -0700
+Subject: f2fs: avoid potential int overflow in sanity_check_area_boundary()
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+commit 50438dbc483ca6a133d2bce9d5d6747bcee38371 upstream.
+
+While calculating the end addresses of main area and segment 0, u32
+may be not enough to hold the result without the danger of int
+overflow.
+
+Just in case, play it safe and cast one of the operands to a
+wider type (u64).
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: fd694733d523 ("f2fs: cover large section in sanity check of super")
+Cc: stable@vger.kernel.org
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/super.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -3356,9 +3356,9 @@ static inline bool sanity_check_area_bou
+ u32 segment_count = le32_to_cpu(raw_super->segment_count);
+ u32 log_blocks_per_seg = le32_to_cpu(raw_super->log_blocks_per_seg);
+ u64 main_end_blkaddr = main_blkaddr +
+- (segment_count_main << log_blocks_per_seg);
++ ((u64)segment_count_main << log_blocks_per_seg);
+ u64 seg_end_blkaddr = segment0_blkaddr +
+- (segment_count << log_blocks_per_seg);
++ ((u64)segment_count << log_blocks_per_seg);
+
+ if (segment0_blkaddr != cp_blkaddr) {
+ f2fs_info(sbi, "Mismatch start address, segment0(%u) cp_blkaddr(%u)",
--- /dev/null
+From 43aec4d01bd2ce961817a777b3846f8318f398e4 Mon Sep 17 00:00:00 2001
+From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Date: Fri, 16 Aug 2024 13:07:03 +0900
+Subject: f2fs: check discard support for conventional zones
+
+From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+
+commit 43aec4d01bd2ce961817a777b3846f8318f398e4 upstream.
+
+As the helper function f2fs_bdev_support_discard() shows, f2fs checks if
+the target block devices support discard by calling
+bdev_max_discard_sectors() and bdev_is_zoned(). This check works well
+for most cases, but it does not work for conventional zones on zoned
+block devices. F2fs assumes that zoned block devices support discard,
+and calls __submit_discard_cmd(). When __submit_discard_cmd() is called
+for sequential write required zones, it works fine since
+__submit_discard_cmd() issues zone reset commands instead of discard
+commands. However, when __submit_discard_cmd() is called for
+conventional zones, __blkdev_issue_discard() is called even when the
+devices do not support discard.
+
+The inappropriate __blkdev_issue_discard() call was not a problem before
+the commit 30f1e7241422 ("block: move discard checks into the ioctl
+handler") because __blkdev_issue_discard() checked if the target devices
+support discard or not. If not, it returned EOPNOTSUPP. After the
+commit, __blkdev_issue_discard() no longer checks it. It always returns
+zero and sets NULL to the given bio pointer. This NULL pointer triggers
+f2fs_bug_on() in __submit_discard_cmd(). The BUG is recreated with the
+commands below at the umount step, where /dev/nullb0 is a zoned null_blk
+with 5GB total size, 128MB zone size and 10 conventional zones.
+
+$ mkfs.f2fs -f -m /dev/nullb0
+$ mount /dev/nullb0 /mnt
+$ for ((i=0;i<5;i++)); do dd if=/dev/zero of=/mnt/test bs=65536 count=1600 conv=fsync; done
+$ umount /mnt
+
+To fix the BUG, avoid the inappropriate __blkdev_issue_discard() call.
+When discard is requested for conventional zones, check if the device
+supports discard or not. If not, return EOPNOTSUPP.
+
+Fixes: 30f1e7241422 ("block: move discard checks into the ioctl handler")
+Cc: stable@vger.kernel.org
+Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/segment.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -1290,6 +1290,13 @@ static int __submit_discard_cmd(struct f
+ wait_list, issued);
+ return 0;
+ }
++
++ /*
++ * Issue discard for conventional zones only if the device
++ * supports discard.
++ */
++ if (!bdev_max_discard_sectors(bdev))
++ return -EOPNOTSUPP;
+ }
+ #endif
+
--- /dev/null
+From 1cade98cf6415897bf9342ee451cc5b40b58c638 Mon Sep 17 00:00:00 2001
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Date: Wed, 24 Jul 2024 10:28:38 -0700
+Subject: f2fs: fix several potential integer overflows in file offsets
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+commit 1cade98cf6415897bf9342ee451cc5b40b58c638 upstream.
+
+When dealing with large extents and calculating file offsets by
+summing up according extent offsets and lengths of unsigned int type,
+one may encounter possible integer overflow if the values are
+big enough.
+
+Prevent this from happening by expanding one of the addends to
+(pgoff_t) type.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: d323d005ac4a ("f2fs: support file defragment")
+Cc: stable@vger.kernel.org
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/extent_cache.c | 4 ++--
+ fs/f2fs/file.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/f2fs/extent_cache.c
++++ b/fs/f2fs/extent_cache.c
+@@ -366,7 +366,7 @@ static unsigned int __free_extent_tree(s
+ static void __drop_largest_extent(struct extent_tree *et,
+ pgoff_t fofs, unsigned int len)
+ {
+- if (fofs < et->largest.fofs + et->largest.len &&
++ if (fofs < (pgoff_t)et->largest.fofs + et->largest.len &&
+ fofs + len > et->largest.fofs) {
+ et->largest.len = 0;
+ et->largest_updated = true;
+@@ -456,7 +456,7 @@ static bool __lookup_extent_tree(struct
+
+ if (type == EX_READ &&
+ et->largest.fofs <= pgofs &&
+- et->largest.fofs + et->largest.len > pgofs) {
++ (pgoff_t)et->largest.fofs + et->largest.len > pgofs) {
+ *ei = et->largest;
+ ret = true;
+ stat_inc_largest_node_hit(sbi);
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -2730,7 +2730,7 @@ static int f2fs_defragment_range(struct
+ * block addresses are continuous.
+ */
+ if (f2fs_lookup_read_extent_cache(inode, pg_start, &ei)) {
+- if (ei.fofs + ei.len >= pg_end)
++ if ((pgoff_t)ei.fofs + ei.len >= pg_end)
+ goto out;
+ }
+
--- /dev/null
+From bfe5c02654261bfb8bd9cb174a67f3279ea99e58 Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Wed, 4 Sep 2024 11:20:47 +0800
+Subject: f2fs: fix to check atomic_file in f2fs ioctl interfaces
+
+From: Chao Yu <chao@kernel.org>
+
+commit bfe5c02654261bfb8bd9cb174a67f3279ea99e58 upstream.
+
+Some f2fs ioctl interfaces like f2fs_ioc_set_pin_file(),
+f2fs_move_file_range(), and f2fs_defragment_range() missed to
+check atomic_write status, which may cause potential race issue,
+fix it.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/file.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -2715,7 +2715,8 @@ static int f2fs_defragment_range(struct
+ (range->start + range->len) >> PAGE_SHIFT,
+ DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE));
+
+- if (is_inode_flag_set(inode, FI_COMPRESS_RELEASED)) {
++ if (is_inode_flag_set(inode, FI_COMPRESS_RELEASED) ||
++ f2fs_is_atomic_file(inode)) {
+ err = -EINVAL;
+ goto unlock_out;
+ }
+@@ -2948,6 +2949,11 @@ static int f2fs_move_file_range(struct f
+ goto out_unlock;
+ }
+
++ if (f2fs_is_atomic_file(src) || f2fs_is_atomic_file(dst)) {
++ ret = -EINVAL;
++ goto out_unlock;
++ }
++
+ ret = -EINVAL;
+ if (pos_in + len > src->i_size || pos_in + len < pos_in)
+ goto out_unlock;
+@@ -3331,6 +3337,11 @@ static int f2fs_ioc_set_pin_file(struct
+
+ inode_lock(inode);
+
++ if (f2fs_is_atomic_file(inode)) {
++ ret = -EINVAL;
++ goto out;
++ }
++
+ if (!pin) {
+ clear_inode_flag(inode, FI_PIN_FILE);
+ f2fs_i_gc_failures_write(inode, 0);
--- /dev/null
+From 96cfeb0389530ae32ade8a48ae3ae1ac3b6c009d Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Thu, 27 Jun 2024 15:17:11 +0800
+Subject: f2fs: fix to wait dio completion
+
+From: Chao Yu <chao@kernel.org>
+
+commit 96cfeb0389530ae32ade8a48ae3ae1ac3b6c009d upstream.
+
+It should wait all existing dio write IOs before block removal,
+otherwise, previous direct write IO may overwrite data in the
+block which may be reused by other inode.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/file.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -1054,6 +1054,13 @@ int f2fs_setattr(struct mnt_idmap *idmap
+ return err;
+ }
+
++ /*
++ * wait for inflight dio, blocks should be removed after
++ * IO completion.
++ */
++ if (attr->ia_size < old_size)
++ inode_dio_wait(inode);
++
+ f2fs_down_write(&fi->i_gc_rwsem[WRITE]);
+ filemap_invalidate_lock(inode->i_mapping);
+
+@@ -1890,6 +1897,12 @@ static long f2fs_fallocate(struct file *
+ if (ret)
+ goto out;
+
++ /*
++ * wait for inflight dio, blocks should be removed after IO
++ * completion.
++ */
++ inode_dio_wait(inode);
++
+ if (mode & FALLOC_FL_PUNCH_HOLE) {
+ if (offset >= inode->i_size)
+ goto out;
--- /dev/null
+From 47f268f33dff4a5e31541a990dc09f116f80e61c Mon Sep 17 00:00:00 2001
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Date: Wed, 24 Jul 2024 10:05:44 -0700
+Subject: f2fs: prevent possible int overflow in dir_block_index()
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+commit 47f268f33dff4a5e31541a990dc09f116f80e61c upstream.
+
+The result of multiplication between values derived from functions
+dir_buckets() and bucket_blocks() *could* technically reach
+2^30 * 2^2 = 2^32.
+
+While unlikely to happen, it is prudent to ensure that it will not
+lead to integer overflow. Thus, use mul_u32_u32() as it's more
+appropriate to mitigate the issue.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: 3843154598a0 ("f2fs: introduce large directory support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/dir.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/f2fs/dir.c
++++ b/fs/f2fs/dir.c
+@@ -166,7 +166,8 @@ static unsigned long dir_block_index(uns
+ unsigned long bidx = 0;
+
+ for (i = 0; i < level; i++)
+- bidx += dir_buckets(i, dir_level) * bucket_blocks(i);
++ bidx += mul_u32_u32(dir_buckets(i, dir_level),
++ bucket_blocks(i));
+ bidx += idx * bucket_blocks(level);
+ return bidx;
+ }
--- /dev/null
+From 4f5a100f87f32cb65d4bb1ad282a08c92f6f591e Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Tue, 6 Aug 2024 16:07:16 +0200
+Subject: f2fs: Require FMODE_WRITE for atomic write ioctls
+
+From: Jann Horn <jannh@google.com>
+
+commit 4f5a100f87f32cb65d4bb1ad282a08c92f6f591e upstream.
+
+The F2FS ioctls for starting and committing atomic writes check for
+inode_owner_or_capable(), but this does not give LSMs like SELinux or
+Landlock an opportunity to deny the write access - if the caller's FSUID
+matches the inode's UID, inode_owner_or_capable() immediately returns true.
+
+There are scenarios where LSMs want to deny a process the ability to write
+particular files, even files that the FSUID of the process owns; but this
+can currently partially be bypassed using atomic write ioctls in two ways:
+
+ - F2FS_IOC_START_ATOMIC_REPLACE + F2FS_IOC_COMMIT_ATOMIC_WRITE can
+ truncate an inode to size 0
+ - F2FS_IOC_START_ATOMIC_WRITE + F2FS_IOC_ABORT_ATOMIC_WRITE can revert
+ changes another process concurrently made to a file
+
+Fix it by requiring FMODE_WRITE for these operations, just like for
+F2FS_IOC_MOVE_RANGE. Since any legitimate caller should only be using these
+ioctls when intending to write into the file, that seems unlikely to break
+anything.
+
+Fixes: 88b88a667971 ("f2fs: support atomic writes")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/file.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/fs/f2fs/file.c
++++ b/fs/f2fs/file.c
+@@ -2134,6 +2134,9 @@ static int f2fs_ioc_start_atomic_write(s
+ loff_t isize;
+ int ret;
+
++ if (!(filp->f_mode & FMODE_WRITE))
++ return -EBADF;
++
+ if (!inode_owner_or_capable(idmap, inode))
+ return -EACCES;
+
+@@ -2241,6 +2244,9 @@ static int f2fs_ioc_commit_atomic_write(
+ struct mnt_idmap *idmap = file_mnt_idmap(filp);
+ int ret;
+
++ if (!(filp->f_mode & FMODE_WRITE))
++ return -EBADF;
++
+ if (!inode_owner_or_capable(idmap, inode))
+ return -EACCES;
+
+@@ -2273,6 +2279,9 @@ static int f2fs_ioc_abort_atomic_write(s
+ struct mnt_idmap *idmap = file_mnt_idmap(filp);
+ int ret;
+
++ if (!(filp->f_mode & FMODE_WRITE))
++ return -EBADF;
++
+ if (!inode_owner_or_capable(idmap, inode))
+ return -EACCES;
+
--- /dev/null
+From 26f204380a3c182e5adf1a798db0724d6111b597 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic@digikod.net>
+Date: Wed, 21 Aug 2024 11:56:05 +0200
+Subject: fs: Fix file_set_fowner LSM hook inconsistencies
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mickaël Salaün <mic@digikod.net>
+
+commit 26f204380a3c182e5adf1a798db0724d6111b597 upstream.
+
+The fcntl's F_SETOWN command sets the process that handle SIGIO/SIGURG
+for the related file descriptor. Before this change, the
+file_set_fowner LSM hook was always called, ignoring the VFS logic which
+may not actually change the process that handles SIGIO (e.g. TUN, TTY,
+dnotify), nor update the related UID/EUID.
+
+Moreover, because security_file_set_fowner() was called without lock
+(e.g. f_owner.lock), concurrent F_SETOWN commands could result to a race
+condition and inconsistent LSM states (e.g. SELinux's fown_sid) compared
+to struct fown_struct's UID/EUID.
+
+This change makes sure the LSM states are always in sync with the VFS
+state by moving the security_file_set_fowner() call close to the
+UID/EUID updates and using the same f_owner.lock .
+
+Rename f_modown() to __f_setown() to simplify code.
+
+Cc: stable@vger.kernel.org
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Casey Schaufler <casey@schaufler-ca.com>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: James Morris <jmorris@namei.org>
+Cc: Jann Horn <jannh@google.com>
+Cc: Ondrej Mosnacek <omosnace@redhat.com>
+Cc: Paul Moore <paul@paul-moore.com>
+Cc: Serge E. Hallyn <serge@hallyn.com>
+Cc: Stephen Smalley <stephen.smalley.work@gmail.com>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Mickaël Salaün <mic@digikod.net>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/fcntl.c | 14 ++++----------
+ 1 file changed, 4 insertions(+), 10 deletions(-)
+
+--- a/fs/fcntl.c
++++ b/fs/fcntl.c
+@@ -87,8 +87,8 @@ static int setfl(int fd, struct file * f
+ return error;
+ }
+
+-static void f_modown(struct file *filp, struct pid *pid, enum pid_type type,
+- int force)
++void __f_setown(struct file *filp, struct pid *pid, enum pid_type type,
++ int force)
+ {
+ write_lock_irq(&filp->f_owner.lock);
+ if (force || !filp->f_owner.pid) {
+@@ -98,19 +98,13 @@ static void f_modown(struct file *filp,
+
+ if (pid) {
+ const struct cred *cred = current_cred();
++ security_file_set_fowner(filp);
+ filp->f_owner.uid = cred->uid;
+ filp->f_owner.euid = cred->euid;
+ }
+ }
+ write_unlock_irq(&filp->f_owner.lock);
+ }
+-
+-void __f_setown(struct file *filp, struct pid *pid, enum pid_type type,
+- int force)
+-{
+- security_file_set_fowner(filp);
+- f_modown(filp, pid, type, force);
+-}
+ EXPORT_SYMBOL(__f_setown);
+
+ int f_setown(struct file *filp, int who, int force)
+@@ -146,7 +140,7 @@ EXPORT_SYMBOL(f_setown);
+
+ void f_delown(struct file *filp)
+ {
+- f_modown(filp, NULL, PIDTYPE_TGID, 1);
++ __f_setown(filp, NULL, PIDTYPE_TGID, 1);
+ }
+
+ pid_t f_getown(struct file *filp)
--- /dev/null
+From d57e2f7cffd57fe2800332dec768ec1b67a4159f Mon Sep 17 00:00:00 2001
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+Date: Sat, 3 Aug 2024 14:49:22 +0800
+Subject: hwrng: bcm2835 - Add missing clk_disable_unprepare in bcm2835_rng_init
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+commit d57e2f7cffd57fe2800332dec768ec1b67a4159f upstream.
+
+Add the missing clk_disable_unprepare() before return in
+bcm2835_rng_init().
+
+Fixes: e5f9f41d5e62 ("hwrng: bcm2835 - add reset support")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/hw_random/bcm2835-rng.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/hw_random/bcm2835-rng.c
++++ b/drivers/char/hw_random/bcm2835-rng.c
+@@ -94,8 +94,10 @@ static int bcm2835_rng_init(struct hwrng
+ return ret;
+
+ ret = reset_control_reset(priv->reset);
+- if (ret)
++ if (ret) {
++ clk_disable_unprepare(priv->clk);
+ return ret;
++ }
+
+ if (priv->mask_interrupts) {
+ /* mask the interrupt */
--- /dev/null
+From 4b7acc85de14ee8a2236f54445dc635d47eceac0 Mon Sep 17 00:00:00 2001
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+Date: Sat, 3 Aug 2024 14:49:23 +0800
+Subject: hwrng: cctrng - Add missing clk_disable_unprepare in cctrng_resume
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+commit 4b7acc85de14ee8a2236f54445dc635d47eceac0 upstream.
+
+Add the missing clk_disable_unprepare() before return in
+cctrng_resume().
+
+Fixes: a583ed310bb6 ("hwrng: cctrng - introduce Arm CryptoCell driver")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/hw_random/cctrng.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/char/hw_random/cctrng.c
++++ b/drivers/char/hw_random/cctrng.c
+@@ -622,6 +622,7 @@ static int __maybe_unused cctrng_resume(
+ /* wait for Cryptocell reset completion */
+ if (!cctrng_wait_for_reset_completion(drvdata)) {
+ dev_err(dev, "Cryptocell reset not completed");
++ clk_disable_unprepare(drvdata->clk);
+ return -EBUSY;
+ }
+
--- /dev/null
+From 78cb66caa6ab5385ac2090f1aae5f3c19e08f522 Mon Sep 17 00:00:00 2001
+From: Guoqing Jiang <guoqing.jiang@canonical.com>
+Date: Mon, 26 Aug 2024 15:04:15 +0800
+Subject: hwrng: mtk - Use devm_pm_runtime_enable
+
+From: Guoqing Jiang <guoqing.jiang@canonical.com>
+
+commit 78cb66caa6ab5385ac2090f1aae5f3c19e08f522 upstream.
+
+Replace pm_runtime_enable with the devres-enabled version which
+can trigger pm_runtime_disable.
+
+Otherwise, the below appears during reload driver.
+
+mtk_rng 1020f000.rng: Unbalanced pm_runtime_enable!
+
+Fixes: 81d2b34508c6 ("hwrng: mtk - add runtime PM support")
+Cc: <stable@vger.kernel.org>
+Suggested-by: Chen-Yu Tsai <wenst@chromium.org>
+Signed-off-by: Guoqing Jiang <guoqing.jiang@canonical.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/hw_random/mtk-rng.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/hw_random/mtk-rng.c
++++ b/drivers/char/hw_random/mtk-rng.c
+@@ -142,7 +142,7 @@ static int mtk_rng_probe(struct platform
+ dev_set_drvdata(&pdev->dev, priv);
+ pm_runtime_set_autosuspend_delay(&pdev->dev, RNG_AUTOSUSPEND_TIMEOUT);
+ pm_runtime_use_autosuspend(&pdev->dev);
+- pm_runtime_enable(&pdev->dev);
++ devm_pm_runtime_enable(&pdev->dev);
+
+ dev_info(&pdev->dev, "registered RNG driver\n");
+
--- /dev/null
+From 8c2bd38b95f75f3d2a08c93e35303e26d480d24e Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Thu, 29 Aug 2024 14:46:39 +0000
+Subject: icmp: change the order of rate limits
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 8c2bd38b95f75f3d2a08c93e35303e26d480d24e upstream.
+
+ICMP messages are ratelimited :
+
+After the blamed commits, the two rate limiters are applied in this order:
+
+1) host wide ratelimit (icmp_global_allow())
+
+2) Per destination ratelimit (inetpeer based)
+
+In order to avoid side-channels attacks, we need to apply
+the per destination check first.
+
+This patch makes the following change :
+
+1) icmp_global_allow() checks if the host wide limit is reached.
+ But credits are not yet consumed. This is deferred to 3)
+
+2) The per destination limit is checked/updated.
+ This might add a new node in inetpeer tree.
+
+3) icmp_global_consume() consumes tokens if prior operations succeeded.
+
+This means that host wide ratelimit is still effective
+in keeping inetpeer tree small even under DDOS.
+
+As a bonus, I removed icmp_global.lock as the fast path
+can use a lock-free operation.
+
+Fixes: c0303efeab73 ("net: reduce cycles spend on ICMP replies that gets rate limited")
+Fixes: 4cdf507d5452 ("icmp: add a global rate limitation")
+Reported-by: Keyu Man <keyu.man@email.ucr.edu>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Cc: Jesper Dangaard Brouer <hawk@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20240829144641.3880376-2-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/ip.h | 2 +
+ net/ipv4/icmp.c | 103 +++++++++++++++++++++++++++++--------------------------
+ net/ipv6/icmp.c | 28 +++++++++-----
+ 3 files changed, 76 insertions(+), 57 deletions(-)
+
+--- a/include/net/ip.h
++++ b/include/net/ip.h
+@@ -795,6 +795,8 @@ static inline void ip_cmsg_recv(struct m
+ }
+
+ bool icmp_global_allow(void);
++void icmp_global_consume(void);
++
+ extern int sysctl_icmp_msgs_per_sec;
+ extern int sysctl_icmp_msgs_burst;
+
+--- a/net/ipv4/icmp.c
++++ b/net/ipv4/icmp.c
+@@ -224,57 +224,59 @@ int sysctl_icmp_msgs_per_sec __read_most
+ int sysctl_icmp_msgs_burst __read_mostly = 50;
+
+ static struct {
+- spinlock_t lock;
+- u32 credit;
++ atomic_t credit;
+ u32 stamp;
+-} icmp_global = {
+- .lock = __SPIN_LOCK_UNLOCKED(icmp_global.lock),
+-};
++} icmp_global;
+
+ /**
+ * icmp_global_allow - Are we allowed to send one more ICMP message ?
+ *
+ * Uses a token bucket to limit our ICMP messages to ~sysctl_icmp_msgs_per_sec.
+ * Returns false if we reached the limit and can not send another packet.
+- * Note: called with BH disabled
++ * Works in tandem with icmp_global_consume().
+ */
+ bool icmp_global_allow(void)
+ {
+- u32 credit, delta, incr = 0, now = (u32)jiffies;
+- bool rc = false;
++ u32 delta, now, oldstamp;
++ int incr, new, old;
+
+- /* Check if token bucket is empty and cannot be refilled
+- * without taking the spinlock. The READ_ONCE() are paired
+- * with the following WRITE_ONCE() in this same function.
++ /* Note: many cpus could find this condition true.
++ * Then later icmp_global_consume() could consume more credits,
++ * this is an acceptable race.
+ */
+- if (!READ_ONCE(icmp_global.credit)) {
+- delta = min_t(u32, now - READ_ONCE(icmp_global.stamp), HZ);
+- if (delta < HZ / 50)
+- return false;
+- }
++ if (atomic_read(&icmp_global.credit) > 0)
++ return true;
+
+- spin_lock(&icmp_global.lock);
+- delta = min_t(u32, now - icmp_global.stamp, HZ);
+- if (delta >= HZ / 50) {
+- incr = READ_ONCE(sysctl_icmp_msgs_per_sec) * delta / HZ;
+- if (incr)
+- WRITE_ONCE(icmp_global.stamp, now);
+- }
+- credit = min_t(u32, icmp_global.credit + incr,
+- READ_ONCE(sysctl_icmp_msgs_burst));
+- if (credit) {
+- /* We want to use a credit of one in average, but need to randomize
+- * it for security reasons.
+- */
+- credit = max_t(int, credit - get_random_u32_below(3), 0);
+- rc = true;
++ now = jiffies;
++ oldstamp = READ_ONCE(icmp_global.stamp);
++ delta = min_t(u32, now - oldstamp, HZ);
++ if (delta < HZ / 50)
++ return false;
++
++ incr = READ_ONCE(sysctl_icmp_msgs_per_sec) * delta / HZ;
++ if (!incr)
++ return false;
++
++ if (cmpxchg(&icmp_global.stamp, oldstamp, now) == oldstamp) {
++ old = atomic_read(&icmp_global.credit);
++ do {
++ new = min(old + incr, READ_ONCE(sysctl_icmp_msgs_burst));
++ } while (!atomic_try_cmpxchg(&icmp_global.credit, &old, new));
+ }
+- WRITE_ONCE(icmp_global.credit, credit);
+- spin_unlock(&icmp_global.lock);
+- return rc;
++ return true;
+ }
+ EXPORT_SYMBOL(icmp_global_allow);
+
++void icmp_global_consume(void)
++{
++ int credits = get_random_u32_below(3);
++
++ /* Note: this might make icmp_global.credit negative. */
++ if (credits)
++ atomic_sub(credits, &icmp_global.credit);
++}
++EXPORT_SYMBOL(icmp_global_consume);
++
+ static bool icmpv4_mask_allow(struct net *net, int type, int code)
+ {
+ if (type > NR_ICMP_TYPES)
+@@ -291,14 +293,16 @@ static bool icmpv4_mask_allow(struct net
+ return false;
+ }
+
+-static bool icmpv4_global_allow(struct net *net, int type, int code)
++static bool icmpv4_global_allow(struct net *net, int type, int code,
++ bool *apply_ratelimit)
+ {
+ if (icmpv4_mask_allow(net, type, code))
+ return true;
+
+- if (icmp_global_allow())
++ if (icmp_global_allow()) {
++ *apply_ratelimit = true;
+ return true;
+-
++ }
+ __ICMP_INC_STATS(net, ICMP_MIB_RATELIMITGLOBAL);
+ return false;
+ }
+@@ -308,15 +312,16 @@ static bool icmpv4_global_allow(struct n
+ */
+
+ static bool icmpv4_xrlim_allow(struct net *net, struct rtable *rt,
+- struct flowi4 *fl4, int type, int code)
++ struct flowi4 *fl4, int type, int code,
++ bool apply_ratelimit)
+ {
+ struct dst_entry *dst = &rt->dst;
+ struct inet_peer *peer;
+ bool rc = true;
+ int vif;
+
+- if (icmpv4_mask_allow(net, type, code))
+- goto out;
++ if (!apply_ratelimit)
++ return true;
+
+ /* No rate limit on loopback */
+ if (dst->dev && (dst->dev->flags&IFF_LOOPBACK))
+@@ -331,6 +336,8 @@ static bool icmpv4_xrlim_allow(struct ne
+ out:
+ if (!rc)
+ __ICMP_INC_STATS(net, ICMP_MIB_RATELIMITHOST);
++ else
++ icmp_global_consume();
+ return rc;
+ }
+
+@@ -402,6 +409,7 @@ static void icmp_reply(struct icmp_bxm *
+ struct ipcm_cookie ipc;
+ struct rtable *rt = skb_rtable(skb);
+ struct net *net = dev_net(rt->dst.dev);
++ bool apply_ratelimit = false;
+ struct flowi4 fl4;
+ struct sock *sk;
+ struct inet_sock *inet;
+@@ -413,11 +421,11 @@ static void icmp_reply(struct icmp_bxm *
+ if (ip_options_echo(net, &icmp_param->replyopts.opt.opt, skb))
+ return;
+
+- /* Needed by both icmp_global_allow and icmp_xmit_lock */
++ /* Needed by both icmpv4_global_allow and icmp_xmit_lock */
+ local_bh_disable();
+
+- /* global icmp_msgs_per_sec */
+- if (!icmpv4_global_allow(net, type, code))
++ /* is global icmp_msgs_per_sec exhausted ? */
++ if (!icmpv4_global_allow(net, type, code, &apply_ratelimit))
+ goto out_bh_enable;
+
+ sk = icmp_xmit_lock(net);
+@@ -450,7 +458,7 @@ static void icmp_reply(struct icmp_bxm *
+ rt = ip_route_output_key(net, &fl4);
+ if (IS_ERR(rt))
+ goto out_unlock;
+- if (icmpv4_xrlim_allow(net, rt, &fl4, type, code))
++ if (icmpv4_xrlim_allow(net, rt, &fl4, type, code, apply_ratelimit))
+ icmp_push_reply(sk, icmp_param, &fl4, &ipc, &rt);
+ ip_rt_put(rt);
+ out_unlock:
+@@ -596,6 +604,7 @@ void __icmp_send(struct sk_buff *skb_in,
+ int room;
+ struct icmp_bxm icmp_param;
+ struct rtable *rt = skb_rtable(skb_in);
++ bool apply_ratelimit = false;
+ struct ipcm_cookie ipc;
+ struct flowi4 fl4;
+ __be32 saddr;
+@@ -677,7 +686,7 @@ void __icmp_send(struct sk_buff *skb_in,
+ }
+ }
+
+- /* Needed by both icmp_global_allow and icmp_xmit_lock */
++ /* Needed by both icmpv4_global_allow and icmp_xmit_lock */
+ local_bh_disable();
+
+ /* Check global sysctl_icmp_msgs_per_sec ratelimit, unless
+@@ -685,7 +694,7 @@ void __icmp_send(struct sk_buff *skb_in,
+ * loopback, then peer ratelimit still work (in icmpv4_xrlim_allow)
+ */
+ if (!(skb_in->dev && (skb_in->dev->flags&IFF_LOOPBACK)) &&
+- !icmpv4_global_allow(net, type, code))
++ !icmpv4_global_allow(net, type, code, &apply_ratelimit))
+ goto out_bh_enable;
+
+ sk = icmp_xmit_lock(net);
+@@ -744,7 +753,7 @@ void __icmp_send(struct sk_buff *skb_in,
+ goto out_unlock;
+
+ /* peer icmp_ratelimit */
+- if (!icmpv4_xrlim_allow(net, rt, &fl4, type, code))
++ if (!icmpv4_xrlim_allow(net, rt, &fl4, type, code, apply_ratelimit))
+ goto ende;
+
+ /* RFC says return as much as we can without exceeding 576 bytes. */
+--- a/net/ipv6/icmp.c
++++ b/net/ipv6/icmp.c
+@@ -175,14 +175,16 @@ static bool icmpv6_mask_allow(struct net
+ return false;
+ }
+
+-static bool icmpv6_global_allow(struct net *net, int type)
++static bool icmpv6_global_allow(struct net *net, int type,
++ bool *apply_ratelimit)
+ {
+ if (icmpv6_mask_allow(net, type))
+ return true;
+
+- if (icmp_global_allow())
++ if (icmp_global_allow()) {
++ *apply_ratelimit = true;
+ return true;
+-
++ }
+ __ICMP_INC_STATS(net, ICMP_MIB_RATELIMITGLOBAL);
+ return false;
+ }
+@@ -191,13 +193,13 @@ static bool icmpv6_global_allow(struct n
+ * Check the ICMP output rate limit
+ */
+ static bool icmpv6_xrlim_allow(struct sock *sk, u8 type,
+- struct flowi6 *fl6)
++ struct flowi6 *fl6, bool apply_ratelimit)
+ {
+ struct net *net = sock_net(sk);
+ struct dst_entry *dst;
+ bool res = false;
+
+- if (icmpv6_mask_allow(net, type))
++ if (!apply_ratelimit)
+ return true;
+
+ /*
+@@ -228,6 +230,8 @@ static bool icmpv6_xrlim_allow(struct so
+ if (!res)
+ __ICMP6_INC_STATS(net, ip6_dst_idev(dst),
+ ICMP6_MIB_RATELIMITHOST);
++ else
++ icmp_global_consume();
+ dst_release(dst);
+ return res;
+ }
+@@ -452,6 +456,7 @@ void icmp6_send(struct sk_buff *skb, u8
+ struct net *net;
+ struct ipv6_pinfo *np;
+ const struct in6_addr *saddr = NULL;
++ bool apply_ratelimit = false;
+ struct dst_entry *dst;
+ struct icmp6hdr tmp_hdr;
+ struct flowi6 fl6;
+@@ -533,11 +538,12 @@ void icmp6_send(struct sk_buff *skb, u8
+ return;
+ }
+
+- /* Needed by both icmp_global_allow and icmpv6_xmit_lock */
++ /* Needed by both icmpv6_global_allow and icmpv6_xmit_lock */
+ local_bh_disable();
+
+ /* Check global sysctl_icmp_msgs_per_sec ratelimit */
+- if (!(skb->dev->flags & IFF_LOOPBACK) && !icmpv6_global_allow(net, type))
++ if (!(skb->dev->flags & IFF_LOOPBACK) &&
++ !icmpv6_global_allow(net, type, &apply_ratelimit))
+ goto out_bh_enable;
+
+ mip6_addr_swap(skb, parm);
+@@ -575,7 +581,7 @@ void icmp6_send(struct sk_buff *skb, u8
+
+ np = inet6_sk(sk);
+
+- if (!icmpv6_xrlim_allow(sk, type, &fl6))
++ if (!icmpv6_xrlim_allow(sk, type, &fl6, apply_ratelimit))
+ goto out;
+
+ tmp_hdr.icmp6_type = type;
+@@ -717,6 +723,7 @@ static enum skb_drop_reason icmpv6_echo_
+ struct ipv6_pinfo *np;
+ const struct in6_addr *saddr = NULL;
+ struct icmp6hdr *icmph = icmp6_hdr(skb);
++ bool apply_ratelimit = false;
+ struct icmp6hdr tmp_hdr;
+ struct flowi6 fl6;
+ struct icmpv6_msg msg;
+@@ -781,8 +788,9 @@ static enum skb_drop_reason icmpv6_echo_
+ goto out;
+
+ /* Check the ratelimit */
+- if ((!(skb->dev->flags & IFF_LOOPBACK) && !icmpv6_global_allow(net, ICMPV6_ECHO_REPLY)) ||
+- !icmpv6_xrlim_allow(sk, ICMPV6_ECHO_REPLY, &fl6))
++ if ((!(skb->dev->flags & IFF_LOOPBACK) &&
++ !icmpv6_global_allow(net, ICMPV6_ECHO_REPLY, &apply_ratelimit)) ||
++ !icmpv6_xrlim_allow(sk, ICMPV6_ECHO_REPLY, &fl6, apply_ratelimit))
+ goto out_dst_release;
+
+ idev = __in6_dev_get(skb->dev);
--- /dev/null
+From 63dff3e48871b0583be5032ff8fb7260c349a18c Mon Sep 17 00:00:00 2001
+From: Paul Moore <paul@paul-moore.com>
+Date: Tue, 9 Jul 2024 19:43:06 -0400
+Subject: lsm: add the inode_free_security_rcu() LSM implementation hook
+
+From: Paul Moore <paul@paul-moore.com>
+
+commit 63dff3e48871b0583be5032ff8fb7260c349a18c upstream.
+
+The LSM framework has an existing inode_free_security() hook which
+is used by LSMs that manage state associated with an inode, but
+due to the use of RCU to protect the inode, special care must be
+taken to ensure that the LSMs do not fully release the inode state
+until it is safe from a RCU perspective.
+
+This patch implements a new inode_free_security_rcu() implementation
+hook which is called when it is safe to free the LSM's internal inode
+state. Unfortunately, this new hook does not have access to the inode
+itself as it may already be released, so the existing
+inode_free_security() hook is retained for those LSMs which require
+access to the inode.
+
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+5446fbf332b0602ede0b@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/r/00000000000076ba3b0617f65cc8@google.com
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/lsm_hook_defs.h | 1 +
+ security/integrity/ima/ima.h | 2 +-
+ security/integrity/ima/ima_iint.c | 20 ++++++++------------
+ security/integrity/ima/ima_main.c | 2 +-
+ security/landlock/fs.c | 9 ++++++---
+ security/security.c | 32 ++++++++++++++++----------------
+ 6 files changed, 33 insertions(+), 33 deletions(-)
+
+--- a/include/linux/lsm_hook_defs.h
++++ b/include/linux/lsm_hook_defs.h
+@@ -114,6 +114,7 @@ LSM_HOOK(int, 0, path_notify, const stru
+ unsigned int obj_type)
+ LSM_HOOK(int, 0, inode_alloc_security, struct inode *inode)
+ LSM_HOOK(void, LSM_RET_VOID, inode_free_security, struct inode *inode)
++LSM_HOOK(void, LSM_RET_VOID, inode_free_security_rcu, void *inode_security)
+ LSM_HOOK(int, -EOPNOTSUPP, inode_init_security, struct inode *inode,
+ struct inode *dir, const struct qstr *qstr, struct xattr *xattrs,
+ int *xattr_count)
+--- a/security/integrity/ima/ima.h
++++ b/security/integrity/ima/ima.h
+@@ -223,7 +223,7 @@ static inline void ima_inode_set_iint(co
+
+ struct ima_iint_cache *ima_iint_find(struct inode *inode);
+ struct ima_iint_cache *ima_inode_get(struct inode *inode);
+-void ima_inode_free(struct inode *inode);
++void ima_inode_free_rcu(void *inode_security);
+ void __init ima_iintcache_init(void);
+
+ extern const int read_idmap[];
+--- a/security/integrity/ima/ima_iint.c
++++ b/security/integrity/ima/ima_iint.c
+@@ -109,22 +109,18 @@ struct ima_iint_cache *ima_inode_get(str
+ }
+
+ /**
+- * ima_inode_free - Called on inode free
+- * @inode: Pointer to the inode
++ * ima_inode_free_rcu - Called to free an inode via a RCU callback
++ * @inode_security: The inode->i_security pointer
+ *
+- * Free the iint associated with an inode.
++ * Free the IMA data associated with an inode.
+ */
+-void ima_inode_free(struct inode *inode)
++void ima_inode_free_rcu(void *inode_security)
+ {
+- struct ima_iint_cache *iint;
++ struct ima_iint_cache **iint_p = inode_security + ima_blob_sizes.lbs_inode;
+
+- if (!IS_IMA(inode))
+- return;
+-
+- iint = ima_iint_find(inode);
+- ima_inode_set_iint(inode, NULL);
+-
+- ima_iint_free(iint);
++ /* *iint_p should be NULL if !IS_IMA(inode) */
++ if (*iint_p)
++ ima_iint_free(*iint_p);
+ }
+
+ static void ima_iint_init_once(void *foo)
+--- a/security/integrity/ima/ima_main.c
++++ b/security/integrity/ima/ima_main.c
+@@ -1193,7 +1193,7 @@ static struct security_hook_list ima_hoo
+ #ifdef CONFIG_INTEGRITY_ASYMMETRIC_KEYS
+ LSM_HOOK_INIT(kernel_module_request, ima_kernel_module_request),
+ #endif
+- LSM_HOOK_INIT(inode_free_security, ima_inode_free),
++ LSM_HOOK_INIT(inode_free_security_rcu, ima_inode_free_rcu),
+ };
+
+ static const struct lsm_id ima_lsmid = {
+--- a/security/landlock/fs.c
++++ b/security/landlock/fs.c
+@@ -1207,13 +1207,16 @@ static int current_check_refer_path(stru
+
+ /* Inode hooks */
+
+-static void hook_inode_free_security(struct inode *const inode)
++static void hook_inode_free_security_rcu(void *inode_security)
+ {
++ struct landlock_inode_security *inode_sec;
++
+ /*
+ * All inodes must already have been untied from their object by
+ * release_inode() or hook_sb_delete().
+ */
+- WARN_ON_ONCE(landlock_inode(inode)->object);
++ inode_sec = inode_security + landlock_blob_sizes.lbs_inode;
++ WARN_ON_ONCE(inode_sec->object);
+ }
+
+ /* Super-block hooks */
+@@ -1637,7 +1640,7 @@ static int hook_file_ioctl_compat(struct
+ }
+
+ static struct security_hook_list landlock_hooks[] __ro_after_init = {
+- LSM_HOOK_INIT(inode_free_security, hook_inode_free_security),
++ LSM_HOOK_INIT(inode_free_security_rcu, hook_inode_free_security_rcu),
+
+ LSM_HOOK_INIT(sb_delete, hook_sb_delete),
+ LSM_HOOK_INIT(sb_mount, hook_sb_mount),
+--- a/security/security.c
++++ b/security/security.c
+@@ -1596,9 +1596,8 @@ int security_inode_alloc(struct inode *i
+
+ static void inode_free_by_rcu(struct rcu_head *head)
+ {
+- /*
+- * The rcu head is at the start of the inode blob
+- */
++ /* The rcu head is at the start of the inode blob */
++ call_void_hook(inode_free_security_rcu, head);
+ kmem_cache_free(lsm_inode_cache, head);
+ }
+
+@@ -1606,23 +1605,24 @@ static void inode_free_by_rcu(struct rcu
+ * security_inode_free() - Free an inode's LSM blob
+ * @inode: the inode
+ *
+- * Deallocate the inode security structure and set @inode->i_security to NULL.
++ * Release any LSM resources associated with @inode, although due to the
++ * inode's RCU protections it is possible that the resources will not be
++ * fully released until after the current RCU grace period has elapsed.
++ *
++ * It is important for LSMs to note that despite being present in a call to
++ * security_inode_free(), @inode may still be referenced in a VFS path walk
++ * and calls to security_inode_permission() may be made during, or after,
++ * a call to security_inode_free(). For this reason the inode->i_security
++ * field is released via a call_rcu() callback and any LSMs which need to
++ * retain inode state for use in security_inode_permission() should only
++ * release that state in the inode_free_security_rcu() LSM hook callback.
+ */
+ void security_inode_free(struct inode *inode)
+ {
+ call_void_hook(inode_free_security, inode);
+- /*
+- * The inode may still be referenced in a path walk and
+- * a call to security_inode_permission() can be made
+- * after inode_free_security() is called. Ideally, the VFS
+- * wouldn't do this, but fixing that is a much harder
+- * job. For now, simply free the i_security via RCU, and
+- * leave the current inode->i_security pointer intact.
+- * The inode will be freed after the RCU grace period too.
+- */
+- if (inode->i_security)
+- call_rcu((struct rcu_head *)inode->i_security,
+- inode_free_by_rcu);
++ if (!inode->i_security)
++ return;
++ call_rcu((struct rcu_head *)inode->i_security, inode_free_by_rcu);
+ }
+
+ /**
--- /dev/null
+From 86ad4cda79e0dade87d4bb0d32e1fe541d4a63e8 Mon Sep 17 00:00:00 2001
+From: Yu Kuai <yukuai3@huawei.com>
+Date: Thu, 1 Aug 2024 20:47:46 +0800
+Subject: md: Don't flush sync_work in md_write_start()
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+commit 86ad4cda79e0dade87d4bb0d32e1fe541d4a63e8 upstream.
+
+Because flush sync_work may trigger mddev_suspend() if there are spares,
+and this should never be done in IO path because mddev_suspend() is used
+to wait for IO.
+
+This problem is found by code review.
+
+Fixes: bc08041b32ab ("md: suspend array in md_start_sync() if array need reconfiguration")
+Cc: stable@vger.kernel.org
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Link: https://lore.kernel.org/r/20240801124746.242558-1-yukuai1@huaweicloud.com
+Signed-off-by: Song Liu <song@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/md.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -8668,7 +8668,6 @@ void md_write_start(struct mddev *mddev,
+ BUG_ON(mddev->ro == MD_RDONLY);
+ if (mddev->ro == MD_AUTO_READ) {
+ /* need to switch to read/write */
+- flush_work(&mddev->sync_work);
+ mddev->ro = MD_RDWR;
+ set_bit(MD_RECOVERY_NEEDED, &mddev->recovery);
+ md_wakeup_thread(mddev->thread);
--- /dev/null
+From 3c58a9575e02c2b90a3180007d57105ceaa7c246 Mon Sep 17 00:00:00 2001
+From: Baokun Li <libaokun1@huawei.com>
+Date: Mon, 26 Aug 2024 19:34:04 +0800
+Subject: netfs: Delete subtree of 'fs/netfs' when netfs module exits
+
+From: Baokun Li <libaokun1@huawei.com>
+
+commit 3c58a9575e02c2b90a3180007d57105ceaa7c246 upstream.
+
+In netfs_init() or fscache_proc_init(), we create dentry under 'fs/netfs',
+but in netfs_exit(), we only delete the proc entry of 'fs/netfs' without
+deleting its subtree. This triggers the following WARNING:
+
+==================================================================
+remove_proc_entry: removing non-empty directory 'fs/netfs', leaking at least 'requests'
+WARNING: CPU: 4 PID: 566 at fs/proc/generic.c:717 remove_proc_entry+0x160/0x1c0
+Modules linked in: netfs(-)
+CPU: 4 UID: 0 PID: 566 Comm: rmmod Not tainted 6.11.0-rc3 #860
+RIP: 0010:remove_proc_entry+0x160/0x1c0
+Call Trace:
+ <TASK>
+ netfs_exit+0x12/0x620 [netfs]
+ __do_sys_delete_module.isra.0+0x14c/0x2e0
+ do_syscall_64+0x4b/0x110
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+==================================================================
+
+Therefore use remove_proc_subtree() instead of remove_proc_entry() to
+fix the above problem.
+
+Fixes: 7eb5b3e3a0a5 ("netfs, fscache: Move /proc/fs/fscache to /proc/fs/netfs and put in a symlink")
+Cc: stable@kernel.org
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Link: https://lore.kernel.org/r/20240826113404.3214786-1-libaokun@huaweicloud.com
+Acked-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/netfs/main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/netfs/main.c
++++ b/fs/netfs/main.c
+@@ -142,7 +142,7 @@ static int __init netfs_init(void)
+
+ error_fscache:
+ error_procfile:
+- remove_proc_entry("fs/netfs", NULL);
++ remove_proc_subtree("fs/netfs", NULL);
+ error_proc:
+ mempool_exit(&netfs_subrequest_pool);
+ error_subreqpool:
+@@ -159,7 +159,7 @@ fs_initcall(netfs_init);
+ static void __exit netfs_exit(void)
+ {
+ fscache_exit();
+- remove_proc_entry("fs/netfs", NULL);
++ remove_proc_subtree("fs/netfs", NULL);
+ mempool_exit(&netfs_subrequest_pool);
+ kmem_cache_destroy(netfs_subrequest_slab);
+ mempool_exit(&netfs_request_pool);
--- /dev/null
+From 8f6a7c9467eaf39da4c14e5474e46190ab3fb529 Mon Sep 17 00:00:00 2001
+From: Li Lingfeng <lilingfeng3@huawei.com>
+Date: Wed, 4 Sep 2024 20:34:57 +0800
+Subject: nfs: fix memory leak in error path of nfs4_do_reclaim
+
+From: Li Lingfeng <lilingfeng3@huawei.com>
+
+commit 8f6a7c9467eaf39da4c14e5474e46190ab3fb529 upstream.
+
+Commit c77e22834ae9 ("NFSv4: Fix a potential sleep while atomic in
+nfs4_do_reclaim()") separate out the freeing of the state owners from
+nfs4_purge_state_owners() and finish it outside the rcu lock.
+However, the error path is omitted. As a result, the state owners in
+"freeme" will not be released.
+Fix it by adding freeing in the error path.
+
+Fixes: c77e22834ae9 ("NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim()")
+Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
+Cc: stable@vger.kernel.org # v5.3+
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/nfs4state.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/nfs/nfs4state.c
++++ b/fs/nfs/nfs4state.c
+@@ -1957,6 +1957,7 @@ restart:
+ set_bit(ops->owner_flag_bit, &sp->so_flags);
+ nfs4_put_state_owner(sp);
+ status = nfs4_recovery_handle_error(clp, status);
++ nfs4_free_state_owners(&freeme);
+ return (status != 0) ? status : -EAGAIN;
+ }
+
--- /dev/null
+From 9a22b2812393d93d84358a760c347c21939029a6 Mon Sep 17 00:00:00 2001
+From: VanGiang Nguyen <vangiang.nguyen@rohde-schwarz.com>
+Date: Fri, 9 Aug 2024 06:21:42 +0000
+Subject: padata: use integer wrap around to prevent deadlock on seq_nr overflow
+
+From: VanGiang Nguyen <vangiang.nguyen@rohde-schwarz.com>
+
+commit 9a22b2812393d93d84358a760c347c21939029a6 upstream.
+
+When submitting more than 2^32 padata objects to padata_do_serial, the
+current sorting implementation incorrectly sorts padata objects with
+overflowed seq_nr, causing them to be placed before existing objects in
+the reorder list. This leads to a deadlock in the serialization process
+as padata_find_next cannot match padata->seq_nr and pd->processed
+because the padata instance with overflowed seq_nr will be selected
+next.
+
+To fix this, we use an unsigned integer wrap around to correctly sort
+padata objects in scenarios with integer overflow.
+
+Fixes: bfde23ce200e ("padata: unbind parallel jobs from specific CPUs")
+Cc: <stable@vger.kernel.org>
+Co-developed-by: Christian Gafert <christian.gafert@rohde-schwarz.com>
+Signed-off-by: Christian Gafert <christian.gafert@rohde-schwarz.com>
+Co-developed-by: Max Ferger <max.ferger@rohde-schwarz.com>
+Signed-off-by: Max Ferger <max.ferger@rohde-schwarz.com>
+Signed-off-by: Van Giang Nguyen <vangiang.nguyen@rohde-schwarz.com>
+Acked-by: Daniel Jordan <daniel.m.jordan@oracle.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/padata.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/padata.c
++++ b/kernel/padata.c
+@@ -404,7 +404,8 @@ void padata_do_serial(struct padata_priv
+ /* Sort in ascending order of sequence number. */
+ list_for_each_prev(pos, &reorder->list) {
+ cur = list_entry(pos, struct padata_priv, list);
+- if (cur->seq_nr < padata->seq_nr)
++ /* Compare by difference to consider integer wrap around */
++ if ((signed int)(cur->seq_nr - padata->seq_nr) < 0)
+ break;
+ }
+ list_add(&padata->list, pos);
wifi-mt76-mt7925-fix-a-potential-association-failure-upon-resuming.patch
debugfs-show-actual-source-in-proc-mounts.patch
debugobjects-fix-conditions-in-fill_pool.patch
+btrfs-fix-race-setting-file-private-on-concurrent-lseek-using-same-fd.patch
+btrfs-tree-checker-fix-the-wrong-output-of-data-backref-objectid.patch
+btrfs-always-update-fstrim_range-on-failure-in-fitrim-ioctl.patch
+f2fs-fix-to-wait-dio-completion.patch
+f2fs-fix-several-potential-integer-overflows-in-file-offsets.patch
+f2fs-prevent-possible-int-overflow-in-dir_block_index.patch
+f2fs-avoid-potential-int-overflow-in-sanity_check_area_boundary.patch
+f2fs-require-fmode_write-for-atomic-write-ioctls.patch
+f2fs-check-discard-support-for-conventional-zones.patch
+f2fs-fix-to-check-atomic_file-in-f2fs-ioctl-interfaces.patch
+hwrng-mtk-use-devm_pm_runtime_enable.patch
+hwrng-bcm2835-add-missing-clk_disable_unprepare-in-bcm2835_rng_init.patch
+hwrng-cctrng-add-missing-clk_disable_unprepare-in-cctrng_resume.patch
+arm64-esr-define-esr_elx_ec_-constants-as-ul.patch
+arm64-errata-enable-the-ac03_cpu_38-workaround-for-ampere1a.patch
+arm64-dts-mediatek-mt8186-corsola-disable-dpi-display-interface.patch
+arm64-dts-rockchip-raise-pinebook-pro-s-panel-backlight-pwm-frequency.patch
+arm64-dts-qcom-sa8775p-mark-apps-and-pcie-smmus-as-dma-coherent.patch
+arm64-dts-rockchip-correct-the-pinebook-pro-battery-design-capacity.patch
+vfs-fix-race-between-evice_inodes-and-find_inode-iput.patch
+netfs-delete-subtree-of-fs-netfs-when-netfs-module-exits.patch
+fs-fix-file_set_fowner-lsm-hook-inconsistencies.patch
+nfs-fix-memory-leak-in-error-path-of-nfs4_do_reclaim.patch
+bcachefs-fix-negative-timespecs.patch
+edac-igen6-fix-conversion-of-system-address-to-physical-memory-address.patch
+icmp-change-the-order-of-rate-limits.patch
+eventpoll-annotate-data-race-of-busy_poll_usecs.patch
+md-don-t-flush-sync_work-in-md_write_start.patch
+cpuidle-riscv-sbi-use-scoped-device-node-handling-to-fix-missing-of_node_put.patch
+padata-use-integer-wrap-around-to-prevent-deadlock-on-seq_nr-overflow.patch
+lsm-add-the-inode_free_security_rcu-lsm-implementation-hook.patch
+spi-fspi-involve-lut_num-for-struct-nxp_fspi_devtype_data.patch
+dt-bindings-spi-nxp-fspi-add-imx8ulp-support.patch
+arm-dts-imx6ul-geam-fix-fsl-pins-property-in-tscgrp-pinctrl.patch
+arm-dts-imx6ull-seeed-npi-fix-fsl-pins-property-in-tscgrp-pinctrl.patch
+tools-nolibc-include-arch.h-from-string.h.patch
--- /dev/null
+From 190b7e2efb1ed8435fc7431d9c7a2447d05d5066 Mon Sep 17 00:00:00 2001
+From: Haibo Chen <haibo.chen@nxp.com>
+Date: Thu, 5 Sep 2024 17:43:36 +0800
+Subject: spi: fspi: involve lut_num for struct nxp_fspi_devtype_data
+
+From: Haibo Chen <haibo.chen@nxp.com>
+
+commit 190b7e2efb1ed8435fc7431d9c7a2447d05d5066 upstream.
+
+The flexspi on different SoCs may have different number of LUTs.
+So involve lut_num in nxp_fspi_devtype_data to make distinguish.
+This patch prepare for the adding of imx8ulp.
+
+Fixes: ef89fd56bdfc ("arm64: dts: imx8ulp: add flexspi node")
+Cc: stable@kernel.org
+Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Link: https://patch.msgid.link/20240905094338.1986871-3-haibo.chen@nxp.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-nxp-fspi.c | 44 +++++++++++++++++++++++++-------------------
+ 1 file changed, 25 insertions(+), 19 deletions(-)
+
+--- a/drivers/spi/spi-nxp-fspi.c
++++ b/drivers/spi/spi-nxp-fspi.c
+@@ -57,13 +57,6 @@
+ #include <linux/spi/spi.h>
+ #include <linux/spi/spi-mem.h>
+
+-/*
+- * The driver only uses one single LUT entry, that is updated on
+- * each call of exec_op(). Index 0 is preset at boot with a basic
+- * read operation, so let's use the last entry (31).
+- */
+-#define SEQID_LUT 31
+-
+ /* Registers used by the driver */
+ #define FSPI_MCR0 0x00
+ #define FSPI_MCR0_AHB_TIMEOUT(x) ((x) << 24)
+@@ -263,9 +256,6 @@
+ #define FSPI_TFDR 0x180
+
+ #define FSPI_LUT_BASE 0x200
+-#define FSPI_LUT_OFFSET (SEQID_LUT * 4 * 4)
+-#define FSPI_LUT_REG(idx) \
+- (FSPI_LUT_BASE + FSPI_LUT_OFFSET + (idx) * 4)
+
+ /* register map end */
+
+@@ -341,6 +331,7 @@ struct nxp_fspi_devtype_data {
+ unsigned int txfifo;
+ unsigned int ahb_buf_size;
+ unsigned int quirks;
++ unsigned int lut_num;
+ bool little_endian;
+ };
+
+@@ -349,6 +340,7 @@ static struct nxp_fspi_devtype_data lx21
+ .txfifo = SZ_1K, /* (128 * 64 bits) */
+ .ahb_buf_size = SZ_2K, /* (256 * 64 bits) */
+ .quirks = 0,
++ .lut_num = 32,
+ .little_endian = true, /* little-endian */
+ };
+
+@@ -357,6 +349,7 @@ static struct nxp_fspi_devtype_data imx8
+ .txfifo = SZ_1K, /* (128 * 64 bits) */
+ .ahb_buf_size = SZ_2K, /* (256 * 64 bits) */
+ .quirks = 0,
++ .lut_num = 32,
+ .little_endian = true, /* little-endian */
+ };
+
+@@ -365,6 +358,7 @@ static struct nxp_fspi_devtype_data imx8
+ .txfifo = SZ_1K, /* (128 * 64 bits) */
+ .ahb_buf_size = SZ_2K, /* (256 * 64 bits) */
+ .quirks = 0,
++ .lut_num = 32,
+ .little_endian = true, /* little-endian */
+ };
+
+@@ -373,6 +367,7 @@ static struct nxp_fspi_devtype_data imx8
+ .txfifo = SZ_1K, /* (128 * 64 bits) */
+ .ahb_buf_size = SZ_2K, /* (256 * 64 bits) */
+ .quirks = FSPI_QUIRK_USE_IP_ONLY,
++ .lut_num = 32,
+ .little_endian = true, /* little-endian */
+ };
+
+@@ -544,6 +539,8 @@ static void nxp_fspi_prepare_lut(struct
+ void __iomem *base = f->iobase;
+ u32 lutval[4] = {};
+ int lutidx = 1, i;
++ u32 lut_offset = (f->devtype_data->lut_num - 1) * 4 * 4;
++ u32 target_lut_reg;
+
+ /* cmd */
+ lutval[0] |= LUT_DEF(0, LUT_CMD, LUT_PAD(op->cmd.buswidth),
+@@ -588,8 +585,10 @@ static void nxp_fspi_prepare_lut(struct
+ fspi_writel(f, FSPI_LCKER_UNLOCK, f->iobase + FSPI_LCKCR);
+
+ /* fill LUT */
+- for (i = 0; i < ARRAY_SIZE(lutval); i++)
+- fspi_writel(f, lutval[i], base + FSPI_LUT_REG(i));
++ for (i = 0; i < ARRAY_SIZE(lutval); i++) {
++ target_lut_reg = FSPI_LUT_BASE + lut_offset + i * 4;
++ fspi_writel(f, lutval[i], base + target_lut_reg);
++ }
+
+ dev_dbg(f->dev, "CMD[%02x] lutval[0:%08x 1:%08x 2:%08x 3:%08x], size: 0x%08x\n",
+ op->cmd.opcode, lutval[0], lutval[1], lutval[2], lutval[3], op->data.nbytes);
+@@ -876,7 +875,7 @@ static int nxp_fspi_do_op(struct nxp_fsp
+ void __iomem *base = f->iobase;
+ int seqnum = 0;
+ int err = 0;
+- u32 reg;
++ u32 reg, seqid_lut;
+
+ reg = fspi_readl(f, base + FSPI_IPRXFCR);
+ /* invalid RXFIFO first */
+@@ -892,8 +891,9 @@ static int nxp_fspi_do_op(struct nxp_fsp
+ * the LUT at each exec_op() call. And also specify the DATA
+ * length, since it's has not been specified in the LUT.
+ */
++ seqid_lut = f->devtype_data->lut_num - 1;
+ fspi_writel(f, op->data.nbytes |
+- (SEQID_LUT << FSPI_IPCR1_SEQID_SHIFT) |
++ (seqid_lut << FSPI_IPCR1_SEQID_SHIFT) |
+ (seqnum << FSPI_IPCR1_SEQNUM_SHIFT),
+ base + FSPI_IPCR1);
+
+@@ -1017,7 +1017,7 @@ static int nxp_fspi_default_setup(struct
+ {
+ void __iomem *base = f->iobase;
+ int ret, i;
+- u32 reg;
++ u32 reg, seqid_lut;
+
+ /* disable and unprepare clock to avoid glitch pass to controller */
+ nxp_fspi_clk_disable_unprep(f);
+@@ -1092,11 +1092,17 @@ static int nxp_fspi_default_setup(struct
+ fspi_writel(f, reg, base + FSPI_FLSHB1CR1);
+ fspi_writel(f, reg, base + FSPI_FLSHB2CR1);
+
++ /*
++ * The driver only uses one single LUT entry, that is updated on
++ * each call of exec_op(). Index 0 is preset at boot with a basic
++ * read operation, so let's use the last entry.
++ */
++ seqid_lut = f->devtype_data->lut_num - 1;
+ /* AHB Read - Set lut sequence ID for all CS. */
+- fspi_writel(f, SEQID_LUT, base + FSPI_FLSHA1CR2);
+- fspi_writel(f, SEQID_LUT, base + FSPI_FLSHA2CR2);
+- fspi_writel(f, SEQID_LUT, base + FSPI_FLSHB1CR2);
+- fspi_writel(f, SEQID_LUT, base + FSPI_FLSHB2CR2);
++ fspi_writel(f, seqid_lut, base + FSPI_FLSHA1CR2);
++ fspi_writel(f, seqid_lut, base + FSPI_FLSHA2CR2);
++ fspi_writel(f, seqid_lut, base + FSPI_FLSHB1CR2);
++ fspi_writel(f, seqid_lut, base + FSPI_FLSHB2CR2);
+
+ f->selected = -1;
+
--- /dev/null
+From 6ea2987c9a7b6c5f37d08a3eaa664c9ff7467670 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= <linux@weissschuh.net>
+Date: Thu, 25 Jul 2024 18:54:18 +0200
+Subject: tools/nolibc: include arch.h from string.h
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <linux@weissschuh.net>
+
+commit 6ea2987c9a7b6c5f37d08a3eaa664c9ff7467670 upstream.
+
+string.h tests for the macros NOLIBC_ARCH_HAS_$FUNC to use the
+architecture-optimized function variants.
+However if string.h is included before arch.h header then that check
+does not work, leading to duplicate function definitions.
+
+Fixes: 553845eebd60 ("tools/nolibc: x86-64: Use `rep movsb` for `memcpy()` and `memmove()`")
+Fixes: 12108aa8c1a1 ("tools/nolibc: x86-64: Use `rep stosb` for `memset()`")
+Cc: stable@vger.kernel.org
+Acked-by: Willy Tarreau <w@1wt.eu>
+Link: https://lore.kernel.org/r/20240725-arch-has-func-v1-1-5521ed354acd@weissschuh.net
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/include/nolibc/string.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/tools/include/nolibc/string.h
++++ b/tools/include/nolibc/string.h
+@@ -7,6 +7,7 @@
+ #ifndef _NOLIBC_STRING_H
+ #define _NOLIBC_STRING_H
+
++#include "arch.h"
+ #include "std.h"
+
+ static void *malloc(size_t len);
--- /dev/null
+From 88b1afbf0f6b221f6c5bb66cc80cd3b38d696687 Mon Sep 17 00:00:00 2001
+From: Julian Sun <sunjunchao2870@gmail.com>
+Date: Fri, 23 Aug 2024 21:07:30 +0800
+Subject: vfs: fix race between evice_inodes() and find_inode()&iput()
+
+From: Julian Sun <sunjunchao2870@gmail.com>
+
+commit 88b1afbf0f6b221f6c5bb66cc80cd3b38d696687 upstream.
+
+Hi, all
+
+Recently I noticed a bug[1] in btrfs, after digged it into
+and I believe it'a race in vfs.
+
+Let's assume there's a inode (ie ino 261) with i_count 1 is
+called by iput(), and there's a concurrent thread calling
+generic_shutdown_super().
+
+cpu0: cpu1:
+iput() // i_count is 1
+ ->spin_lock(inode)
+ ->dec i_count to 0
+ ->iput_final() generic_shutdown_super()
+ ->__inode_add_lru() ->evict_inodes()
+ // cause some reason[2] ->if (atomic_read(inode->i_count)) continue;
+ // return before // inode 261 passed the above check
+ // list_lru_add_obj() // and then schedule out
+ ->spin_unlock()
+// note here: the inode 261
+// was still at sb list and hash list,
+// and I_FREEING|I_WILL_FREE was not been set
+
+btrfs_iget()
+ // after some function calls
+ ->find_inode()
+ // found the above inode 261
+ ->spin_lock(inode)
+ // check I_FREEING|I_WILL_FREE
+ // and passed
+ ->__iget()
+ ->spin_unlock(inode) // schedule back
+ ->spin_lock(inode)
+ // check (I_NEW|I_FREEING|I_WILL_FREE) flags,
+ // passed and set I_FREEING
+iput() ->spin_unlock(inode)
+ ->spin_lock(inode) ->evict()
+ // dec i_count to 0
+ ->iput_final()
+ ->spin_unlock()
+ ->evict()
+
+Now, we have two threads simultaneously evicting
+the same inode, which may trigger the BUG(inode->i_state & I_CLEAR)
+statement both within clear_inode() and iput().
+
+To fix the bug, recheck the inode->i_count after holding i_lock.
+Because in the most scenarios, the first check is valid, and
+the overhead of spin_lock() can be reduced.
+
+If there is any misunderstanding, please let me know, thanks.
+
+[1]: https://lore.kernel.org/linux-btrfs/000000000000eabe1d0619c48986@google.com/
+[2]: The reason might be 1. SB_ACTIVE was removed or 2. mapping_shrinkable()
+return false when I reproduced the bug.
+
+Reported-by: syzbot+67ba3c42bcbb4665d3ad@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=67ba3c42bcbb4665d3ad
+CC: stable@vger.kernel.org
+Fixes: 63997e98a3be ("split invalidate_inodes()")
+Signed-off-by: Julian Sun <sunjunchao2870@gmail.com>
+Link: https://lore.kernel.org/r/20240823130730.658881-1-sunjunchao2870@gmail.com
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/inode.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/inode.c
++++ b/fs/inode.c
+@@ -770,6 +770,10 @@ again:
+ continue;
+
+ spin_lock(&inode->i_lock);
++ if (atomic_read(&inode->i_count)) {
++ spin_unlock(&inode->i_lock);
++ continue;
++ }
+ if (inode->i_state & (I_NEW | I_FREEING | I_WILL_FREE)) {
+ spin_unlock(&inode->i_lock);
+ continue;
projects / thirdparty / kernel / stable-queue.git / commitdiff
