--- /dev/null
+From 16dd7baa25aa337572ba9c2ac9e85eba4136552a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Oct 2023 12:28:55 +0200
+Subject: ALSA: hda: Fix possible null-ptr-deref when assigning a stream
+
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+
+[ Upstream commit f93dc90c2e8ed664985e366aa6459ac83cdab236 ]
+
+While AudioDSP drivers assign streams exclusively of HOST or LINK type,
+nothing blocks a user to attempt to assign a COUPLED stream. As
+supplied substream instance may be a stub, what is the case when
+code-loading, such scenario ends with null-ptr-deref.
+
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Link: https://lore.kernel.org/r/20231006102857.749143-2-cezary.rojewski@intel.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/hda/hdac_stream.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/sound/hda/hdac_stream.c b/sound/hda/hdac_stream.c
+index 2beb94828729d..f810f401c1de8 100644
+--- a/sound/hda/hdac_stream.c
++++ b/sound/hda/hdac_stream.c
+@@ -313,8 +313,10 @@ struct hdac_stream *snd_hdac_stream_assign(struct hdac_bus *bus,
+ struct hdac_stream *res = NULL;
+
+ /* make a non-zero unique key for the substream */
+- int key = (substream->pcm->device << 16) | (substream->number << 2) |
+- (substream->stream + 1);
++ int key = (substream->number << 2) | (substream->stream + 1);
++
++ if (substream->pcm)
++ key |= (substream->pcm->device << 16);
+
+ spin_lock_irq(&bus->reg_lock);
+ list_for_each_entry(azx_dev, &bus->stream_list, list) {
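Review bot: With `substream->pcm` NULL the key is built from `number` and `stream` only, so it equals the key of a real substream on PCM device 0 with the same number and direction, and the comment `/* make a non-zero unique key for the substream */` no longer holds for that case. If the key is later compared against a stored per-stream key (the loop body continues outside this hunk), a stub substream could match a stream kept for a real one. At minimum the comment should say so, e.g. `/* non-zero key; unique only when substream->pcm is set (stub substreams omit the device bits) */`. `substream` itself is still dereferenced unconditionally, which callers presumably guarantee but which is worth stating in the function's documentation.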
+--
+2.42.0
+
--- /dev/null
+From d53529335986dd371cbb1b361ae56aeb2ec2f341 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Aug 2023 08:45:21 +0100
+Subject: ARM: 9320/1: fix stack depot IRQ stack filter
+
+From: Vincent Whitchurch <vincent.whitchurch@axis.com>
+
+[ Upstream commit b0150014878c32197cfa66e3e2f79e57f66babc0 ]
+
+Place IRQ handlers such as gic_handle_irq() in the irqentry section even
+if FUNCTION_GRAPH_TRACER is not enabled. Without this, the stack
+depot's filter_irq_stacks() does not correctly filter out IRQ stacks in
+those configurations, which hampers deduplication and eventually leads
+to "Stack depot reached limit capacity" splats with KASAN.
+
+A similar fix was done for arm64 in commit f6794950f0e5ba37e3bbed
+("arm64: set __exception_irq_entry with __irq_entry as a default").
+
+Link: https://lore.kernel.org/r/20230803-arm-irqentry-v1-1-8aad8e260b1c@axis.com
+
+Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/include/asm/exception.h | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/arch/arm/include/asm/exception.h b/arch/arm/include/asm/exception.h
+index 58e039a851af0..3c82975d46db3 100644
+--- a/arch/arm/include/asm/exception.h
++++ b/arch/arm/include/asm/exception.h
+@@ -10,10 +10,6 @@
+
+ #include <linux/interrupt.h>
+
+-#ifdef CONFIG_FUNCTION_GRAPH_TRACER
+ #define __exception_irq_entry __irq_entry
+-#else
+-#define __exception_irq_entry
+-#endif
+
+ #endif /* __ASM_ARM_EXCEPTION_H */
+--
+2.42.0
+
--- /dev/null
+From 8262bb1dce7a19ce079877415391eaa98ed24188 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Oct 2023 07:23:38 +0200
+Subject: ASoC: ti: omap-mcbsp: Fix runtime PM underflow warnings
+
+From: Tony Lindgren <tony@atomide.com>
+
+[ Upstream commit fbb74e56378d8306f214658e3d525a8b3f000c5a ]
+
+We need to check for an active device as otherwise we get warnings
+for some mcbsp instances for "Runtime PM usage count underflow!".
+
+Reported-by: Andreas Kemnade <andreas@kemnade.info>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Link: https://lore.kernel.org/r/20231030052340.13415-1-tony@atomide.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/ti/omap-mcbsp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/ti/omap-mcbsp.c b/sound/soc/ti/omap-mcbsp.c
+index 3273b317fa3b9..3e8ed05f3ebd8 100644
+--- a/sound/soc/ti/omap-mcbsp.c
++++ b/sound/soc/ti/omap-mcbsp.c
+@@ -74,7 +74,8 @@ static int omap2_mcbsp_set_clks_src(struct omap_mcbsp *mcbsp, u8 fck_src_id)
+ return -EINVAL;
+ }
+
+- pm_runtime_put_sync(mcbsp->dev);
++ if (mcbsp->active)
++ pm_runtime_put_sync(mcbsp->dev);
+
+ r = clk_set_parent(mcbsp->fclk, fck_src);
+ if (r) {
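Review bot: The early `return r;` after a failed `clk_set_parent()` (the branch opens at the end of this hunk and closes at the top of the next) leaves the runtime PM reference dropped and never re-taken, so an active device ends up one count short, which is the same class of imbalance this patch fixes. The lines between the two hunks are not shown, so this is inferred from the visible put/return/get order. Re-taking the reference ahead of the error return would balance it: `if (mcbsp->active) pm_runtime_get_sync(mcbsp->dev);` before `return r;`. Reading `mcbsp->active` twice also assumes it cannot change between the put and the get; a local `bool active = mcbsp->active;` would make that explicit.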
+@@ -84,7 +85,8 @@ static int omap2_mcbsp_set_clks_src(struct omap_mcbsp *mcbsp, u8 fck_src_id)
+ return r;
+ }
+
+- pm_runtime_get_sync(mcbsp->dev);
++ if (mcbsp->active)
++ pm_runtime_get_sync(mcbsp->dev);
+
+ clk_put(fck_src);
+
+--
+2.42.0
+
--- /dev/null
+From 2bc15c36d26c5c2e93ce5eef4764a4af60466f77 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Sep 2023 15:53:51 +0300
+Subject: atm: iphase: Do PCI error checks on own line
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+[ Upstream commit c28742447ca9879b52fbaf022ad844f0ffcd749c ]
+
+In get_esi() PCI errors are checked inside line-split "if" conditions (in
+addition to the file not following the coding style). To make the code in
+get_esi() more readable, fix the coding style and use the usual error
+handling pattern with a separate variable.
+
+In addition, initialization of 'error' variable at declaration is not
+needed.
+
+No functional changes intended.
+
+Link: https://lore.kernel.org/r/20230911125354.25501-4-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/atm/iphase.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/atm/iphase.c b/drivers/atm/iphase.c
+index 46990352b5d3f..bfc889367d5e3 100644
+--- a/drivers/atm/iphase.c
++++ b/drivers/atm/iphase.c
+@@ -2290,19 +2290,21 @@ static int get_esi(struct atm_dev *dev)
+ static int reset_sar(struct atm_dev *dev)
+ {
+ IADEV *iadev;
+- int i, error = 1;
++ int i, error;
+ unsigned int pci[64];
+
+ iadev = INPH_IA_DEV(dev);
+- for(i=0; i<64; i++)
+- if ((error = pci_read_config_dword(iadev->pci,
+- i*4, &pci[i])) != PCIBIOS_SUCCESSFUL)
+- return error;
++ for (i = 0; i < 64; i++) {
++ error = pci_read_config_dword(iadev->pci, i * 4, &pci[i]);
++ if (error != PCIBIOS_SUCCESSFUL)
++ return error;
++ }
+ writel(0, iadev->reg+IPHASE5575_EXT_RESET);
+- for(i=0; i<64; i++)
+- if ((error = pci_write_config_dword(iadev->pci,
+- i*4, pci[i])) != PCIBIOS_SUCCESSFUL)
+- return error;
++ for (i = 0; i < 64; i++) {
++ error = pci_write_config_dword(iadev->pci, i * 4, pci[i]);
++ if (error != PCIBIOS_SUCCESSFUL)
++ return error;
++ }
+ udelay(5);
+ return 0;
+ }
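Review bot: `reset_sar()` still returns the raw `PCIBIOS_*` status from `pci_read_config_dword()`/`pci_write_config_dword()`, which is a positive value, while its success result is plain `0`; a caller that tests `< 0` would treat a config-space failure as success. The callers are not in this hunk, so how the result is checked needs confirming. Converting at the return keeps the shape of the refactor: `return pcibios_err_to_errno(error);`. A failed write in the second loop also returns with the adapter already reset and config space only partly restored, which deserves a comment if it is accepted behaviour.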
+--
+2.42.0
+
--- /dev/null
+From 4e195617b83827c9ac311f4ac041e6236402990e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Oct 2023 12:30:55 +0200
+Subject: Bluetooth: Fix double free in hci_conn_cleanup
+
+From: ZhengHan Wang <wzhmmmmm@gmail.com>
+
+[ Upstream commit a85fb91e3d728bdfc80833167e8162cce8bc7004 ]
+
+syzbot reports a slab use-after-free in hci_conn_hash_flush [1].
+After releasing an object using hci_conn_del_sysfs in the
+hci_conn_cleanup function, releasing the same object again
+using the hci_dev_put and hci_conn_put functions causes a double free.
+Here's a simplified flow:
+
+hci_conn_del_sysfs:
+ hci_dev_put
+ put_device
+ kobject_put
+ kref_put
+ kobject_release
+ kobject_cleanup
+ kfree_const
+ kfree(name)
+
+hci_dev_put:
+ ...
+ kfree(name)
+
+hci_conn_put:
+ put_device
+ ...
+ kfree(name)
+
+This patch drop the hci_dev_put and hci_conn_put function
+call in hci_conn_cleanup function, because the object is
+freed in hci_conn_del_sysfs function.
+
+This patch also fixes the refcounting in hci_conn_add_sysfs() and
+hci_conn_del_sysfs() to take into account device_add() failures.
+
+This fixes CVE-2023-28464.
+
+Link: https://syzkaller.appspot.com/bug?id=1bb51491ca5df96a5f724899d1dbb87afda61419 [1]
+
+Signed-off-by: ZhengHan Wang <wzhmmmmm@gmail.com>
+Co-developed-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_conn.c | 6 ++----
+ net/bluetooth/hci_sysfs.c | 23 ++++++++++++-----------
+ 2 files changed, 14 insertions(+), 15 deletions(-)
+
+diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
+index afdc0afa8ee7d..e129b7fb6540a 100644
+--- a/net/bluetooth/hci_conn.c
++++ b/net/bluetooth/hci_conn.c
+@@ -125,13 +125,11 @@ static void hci_conn_cleanup(struct hci_conn *conn)
+ if (hdev->notify)
+ hdev->notify(hdev, HCI_NOTIFY_CONN_DEL);
+
+- hci_conn_del_sysfs(conn);
+-
+ debugfs_remove_recursive(conn->debugfs);
+
+- hci_dev_put(hdev);
++ hci_conn_del_sysfs(conn);
+
+- hci_conn_put(conn);
++ hci_dev_put(hdev);
+ }
+
+ static void le_scan_cleanup(struct work_struct *work)
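Review bot: After this change `hci_conn_del_sysfs(conn)` is the call that drops the connection's device reference, so `conn` may already be freed when it returns, and nothing in the code says so. The following `hci_dev_put(hdev)` is safe only because `hdev` is a local copy taken earlier in the function, outside this hunk. A comment above the call, e.g. `/* may drop the last reference to conn: do not touch conn after this */`, would keep a later edit from reintroducing a use-after-free by reading `conn->...` below it.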
+diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
+index ccd2c377bf83c..266112c960ee8 100644
+--- a/net/bluetooth/hci_sysfs.c
++++ b/net/bluetooth/hci_sysfs.c
+@@ -33,7 +33,7 @@ void hci_conn_init_sysfs(struct hci_conn *conn)
+ {
+ struct hci_dev *hdev = conn->hdev;
+
+- BT_DBG("conn %p", conn);
++ bt_dev_dbg(hdev, "conn %p", conn);
+
+ conn->dev.type = &bt_link;
+ conn->dev.class = bt_class;
+@@ -46,27 +46,30 @@ void hci_conn_add_sysfs(struct hci_conn *conn)
+ {
+ struct hci_dev *hdev = conn->hdev;
+
+- BT_DBG("conn %p", conn);
++ bt_dev_dbg(hdev, "conn %p", conn);
+
+ if (device_is_registered(&conn->dev))
+ return;
+
+ dev_set_name(&conn->dev, "%s:%d", hdev->name, conn->handle);
+
+- if (device_add(&conn->dev) < 0) {
++ if (device_add(&conn->dev) < 0)
+ bt_dev_err(hdev, "failed to register connection device");
+- return;
+- }
+-
+- hci_dev_hold(hdev);
+ }
+
+ void hci_conn_del_sysfs(struct hci_conn *conn)
+ {
+ struct hci_dev *hdev = conn->hdev;
+
+- if (!device_is_registered(&conn->dev))
++ bt_dev_dbg(hdev, "conn %p", conn);
++
++ if (!device_is_registered(&conn->dev)) {
++ /* If device_add() has *not* succeeded, use *only* put_device()
++ * to drop the reference count.
++ */
++ put_device(&conn->dev);
+ return;
++ }
+
+ while (1) {
+ struct device *dev;
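Review bot: The new unregistered branch in `hci_conn_del_sysfs()` calls `put_device(&conn->dev)` each time it is entered, so it is correct only if the function runs exactly once per connection; a second call on a connection whose `device_add()` failed would drop a reference that is no longer held. `hci_conn_add_sysfs()` still returns void and only logs the `device_add()` failure, so callers cannot tell which teardown path will be taken later. The single-call assumption should be written into the comment, for example `/* Must run exactly once per conn; a second call would underflow the device refcount */`. The registered path continues outside this hunk.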
+@@ -78,9 +81,7 @@ void hci_conn_del_sysfs(struct hci_conn *conn)
+ put_device(dev);
+ }
+
+- device_del(&conn->dev);
+-
+- hci_dev_put(hdev);
++ device_unregister(&conn->dev);
+ }
+
+ static void bt_host_release(struct device *dev)
+--
+2.42.0
+
--- /dev/null
+From c5cb6c3e916dd54cdc3db4ca4109d0d1308712b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Nov 2023 18:01:02 +0000
+Subject: bonding: stop the device in bond_setup_by_slave()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 3cffa2ddc4d3fcf70cde361236f5a614f81a09b2 ]
+
+Commit 9eed321cde22 ("net: lapbether: only support ethernet devices")
+has been able to keep syzbot away from net/lapb, until today.
+
+In the following splat [1], the issue is that a lapbether device has
+been created on a bonding device without members. Then adding a non
+ARPHRD_ETHER member forced the bonding master to change its type.
+
+The fix is to make sure we call dev_close() in bond_setup_by_slave()
+so that the potential linked lapbether devices (or any other devices
+having assumptions on the physical device) are removed.
+
+A similar bug has been addressed in commit 40baec225765
+("bonding: fix panic on non-ARPHRD_ETHER enslave failure")
+
+[1]
+skbuff: skb_under_panic: text:ffff800089508810 len:44 put:40 head:ffff0000c78e7c00 data:ffff0000c78e7bea tail:0x16 end:0x140 dev:bond0
+kernel BUG at net/core/skbuff.c:192 !
+Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
+Modules linked in:
+CPU: 0 PID: 6007 Comm: syz-executor383 Not tainted 6.6.0-rc3-syzkaller-gbf6547d8715b #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
+pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : skb_panic net/core/skbuff.c:188 [inline]
+pc : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202
+lr : skb_panic net/core/skbuff.c:188 [inline]
+lr : skb_under_panic+0x13c/0x140 net/core/skbuff.c:202
+sp : ffff800096a06aa0
+x29: ffff800096a06ab0 x28: ffff800096a06ba0 x27: dfff800000000000
+x26: ffff0000ce9b9b50 x25: 0000000000000016 x24: ffff0000c78e7bea
+x23: ffff0000c78e7c00 x22: 000000000000002c x21: 0000000000000140
+x20: 0000000000000028 x19: ffff800089508810 x18: ffff800096a06100
+x17: 0000000000000000 x16: ffff80008a629a3c x15: 0000000000000001
+x14: 1fffe00036837a32 x13: 0000000000000000 x12: 0000000000000000
+x11: 0000000000000201 x10: 0000000000000000 x9 : cb50b496c519aa00
+x8 : cb50b496c519aa00 x7 : 0000000000000001 x6 : 0000000000000001
+x5 : ffff800096a063b8 x4 : ffff80008e280f80 x3 : ffff8000805ad11c
+x2 : 0000000000000001 x1 : 0000000100000201 x0 : 0000000000000086
+Call trace:
+skb_panic net/core/skbuff.c:188 [inline]
+skb_under_panic+0x13c/0x140 net/core/skbuff.c:202
+skb_push+0xf0/0x108 net/core/skbuff.c:2446
+ip6gre_header+0xbc/0x738 net/ipv6/ip6_gre.c:1384
+dev_hard_header include/linux/netdevice.h:3136 [inline]
+lapbeth_data_transmit+0x1c4/0x298 drivers/net/wan/lapbether.c:257
+lapb_data_transmit+0x8c/0xb0 net/lapb/lapb_iface.c:447
+lapb_transmit_buffer+0x178/0x204 net/lapb/lapb_out.c:149
+lapb_send_control+0x220/0x320 net/lapb/lapb_subr.c:251
+__lapb_disconnect_request+0x9c/0x17c net/lapb/lapb_iface.c:326
+lapb_device_event+0x288/0x4e0 net/lapb/lapb_iface.c:492
+notifier_call_chain+0x1a4/0x510 kernel/notifier.c:93
+raw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461
+call_netdevice_notifiers_info net/core/dev.c:1970 [inline]
+call_netdevice_notifiers_extack net/core/dev.c:2008 [inline]
+call_netdevice_notifiers net/core/dev.c:2022 [inline]
+__dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508
+dev_close_many+0x1e0/0x470 net/core/dev.c:1559
+dev_close+0x174/0x250 net/core/dev.c:1585
+lapbeth_device_event+0x2e4/0x958 drivers/net/wan/lapbether.c:466
+notifier_call_chain+0x1a4/0x510 kernel/notifier.c:93
+raw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:461
+call_netdevice_notifiers_info net/core/dev.c:1970 [inline]
+call_netdevice_notifiers_extack net/core/dev.c:2008 [inline]
+call_netdevice_notifiers net/core/dev.c:2022 [inline]
+__dev_close_many+0x1b8/0x3c4 net/core/dev.c:1508
+dev_close_many+0x1e0/0x470 net/core/dev.c:1559
+dev_close+0x174/0x250 net/core/dev.c:1585
+bond_enslave+0x2298/0x30cc drivers/net/bonding/bond_main.c:2332
+bond_do_ioctl+0x268/0xc64 drivers/net/bonding/bond_main.c:4539
+dev_ifsioc+0x754/0x9ac
+dev_ioctl+0x4d8/0xd34 net/core/dev_ioctl.c:786
+sock_do_ioctl+0x1d4/0x2d0 net/socket.c:1217
+sock_ioctl+0x4e8/0x834 net/socket.c:1322
+vfs_ioctl fs/ioctl.c:51 [inline]
+__do_sys_ioctl fs/ioctl.c:871 [inline]
+__se_sys_ioctl fs/ioctl.c:857 [inline]
+__arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:857
+__invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
+invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51
+el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136
+do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155
+el0_svc+0x58/0x16c arch/arm64/kernel/entry-common.c:678
+el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
+el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
+Code: aa1803e6 aa1903e7 a90023f5 94785b8b (d4210000)
+
+Fixes: 872254dd6b1f ("net/bonding: Enable bonding to enslave non ARPHRD_ETHER")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Link: https://lore.kernel.org/r/20231109180102.4085183-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/bonding/bond_main.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
+index afd327e88cf5e..bb1c6743222e5 100644
+--- a/drivers/net/bonding/bond_main.c
++++ b/drivers/net/bonding/bond_main.c
+@@ -1144,6 +1144,10 @@ static void bond_compute_features(struct bonding *bond)
+ static void bond_setup_by_slave(struct net_device *bond_dev,
+ struct net_device *slave_dev)
+ {
++ bool was_up = !!(bond_dev->flags & IFF_UP);
++
++ dev_close(bond_dev);
++
+ bond_dev->header_ops = slave_dev->header_ops;
+
+ bond_dev->type = slave_dev->type;
+@@ -1158,6 +1162,8 @@ static void bond_setup_by_slave(struct net_device *bond_dev,
+ bond_dev->flags &= ~(IFF_BROADCAST | IFF_MULTICAST);
+ bond_dev->flags |= (IFF_POINTOPOINT | IFF_NOARP);
+ }
++ if (was_up)
++ dev_open(bond_dev, NULL);
+ }
+
+ /* On bonding slaves other than the currently active slave, suppress
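Review bot: The result of `dev_open(bond_dev, NULL)` is discarded, so if reopening fails after the type change the bond silently stays down even though it was up before the enslave. `bond_setup_by_slave()` returns void, so the minimum is to report it: `if (was_up && dev_open(bond_dev, NULL)) netdev_warn(bond_dev, "failed to reopen after type change\n");`. The `dev_close()`/`dev_open()` pair also presumes the caller holds RTNL; that is not visible in these hunks, and an `ASSERT_RTNL();` at the top of the function would document it.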
+--
+2.42.0
+
--- /dev/null
+From 7afdb6995e31f1f51b8a5d048f182380ec37fe46 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Nov 2023 17:52:32 +0300
+Subject: cifs: spnego: add ';' in HOST_KEY_LEN
+
+From: Anastasia Belova <abelova@astralinux.ru>
+
+[ Upstream commit ff31ba19d732efb9aca3633935d71085e68d5076 ]
+
+"host=" should start with ';' (as in cifs_get_spnego_key)
+So its length should be 6.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Reviewed-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
+Fixes: 7c9c3760b3a5 ("[CIFS] add constants for string lengths of keynames in SPNEGO upcall string")
+Signed-off-by: Anastasia Belova <abelova@astralinux.ru>
+Co-developed-by: Ekaterina Esina <eesina@astralinux.ru>
+Signed-off-by: Ekaterina Esina <eesina@astralinux.ru>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/cifs_spnego.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/cifs/cifs_spnego.c b/fs/cifs/cifs_spnego.c
+index 7f01c6e607918..6eb65988321fc 100644
+--- a/fs/cifs/cifs_spnego.c
++++ b/fs/cifs/cifs_spnego.c
+@@ -76,8 +76,8 @@ struct key_type cifs_spnego_key_type = {
+ * strlen(";sec=ntlmsspi") */
+ #define MAX_MECH_STR_LEN 13
+
+-/* strlen of "host=" */
+-#define HOST_KEY_LEN 5
++/* strlen of ";host=" */
++#define HOST_KEY_LEN 6
+
+ /* strlen of ";ip4=" or ";ip6=" */
+ #define IP_KEY_LEN 5
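Review bot: `HOST_KEY_LEN` is a hand-counted length that has already drifted once from the string it describes, and the literal it must match lives in `cifs_get_spnego_key()` rather than next to the define. If these constants are summed to size the upcall description buffer (that code is outside this hunk), an undercount is a potential out-of-bounds write rather than a cosmetic error. Deriving the value from the literal removes the counting: `#define HOST_KEY_LEN (sizeof(";host=") - 1)`, and the same form would suit `MAX_MECH_STR_LEN` and `IP_KEY_LEN` on the neighbouring lines.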
+--
+2.42.0
+
--- /dev/null
+From 5ab37991be646fc3093054d9c05cbbdf9aadc40c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 7 Oct 2023 18:17:13 +0200
+Subject: clocksource/drivers/timer-atmel-tcb: Fix initialization on SAM9
+ hardware
+
+From: Ronald Wahl <ronald.wahl@raritan.com>
+
+[ Upstream commit 6d3bc4c02d59996d1d3180d8ed409a9d7d5900e0 ]
+
+On SAM9 hardware two cascaded 16 bit timers are used to form a 32 bit
+high resolution timer that is used as scheduler clock when the kernel
+has been configured that way (CONFIG_ATMEL_CLOCKSOURCE_TCB).
+
+The driver initially triggers a reset-to-zero of the two timers but this
+reset is only performed on the next rising clock. For the first timer
+this is ok - it will be in the next 60ns (16MHz clock). For the chained
+second timer this will only happen after the first timer overflows, i.e.
+after 2^16 clocks (~4ms with a 16MHz clock). So with other words the
+scheduler clock resets to 0 after the first 2^16 clock cycles.
+
+It looks like that the scheduler does not like this and behaves wrongly
+over its lifetime, e.g. some tasks are scheduled with a long delay. Why
+that is and if there are additional requirements for this behaviour has
+not been further analysed.
+
+There is a simple fix for resetting the second timer as well when the
+first timer is reset and this is to set the ATMEL_TC_ASWTRG_SET bit in
+the Channel Mode register (CMR) of the first timer. This will also rise
+the TIOA line (clock input of the second timer) when a software trigger
+respective SYNC is issued.
+
+Signed-off-by: Ronald Wahl <ronald.wahl@raritan.com>
+Acked-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lore.kernel.org/r/20231007161803.31342-1-rwahl@gmx.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/timer-atmel-tcb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clocksource/timer-atmel-tcb.c b/drivers/clocksource/timer-atmel-tcb.c
+index 7427b07495a89..906c1bfdccad3 100644
+--- a/drivers/clocksource/timer-atmel-tcb.c
++++ b/drivers/clocksource/timer-atmel-tcb.c
+@@ -310,6 +310,7 @@ static void __init tcb_setup_dual_chan(struct atmel_tc *tc, int mck_divisor_idx)
+ writel(mck_divisor_idx /* likely divide-by-8 */
+ | ATMEL_TC_WAVE
+ | ATMEL_TC_WAVESEL_UP /* free-run */
++ | ATMEL_TC_ASWTRG_SET /* TIOA0 rises at software trigger */
+ | ATMEL_TC_ACPA_SET /* TIOA0 rises at 0 */
+ | ATMEL_TC_ACPC_CLEAR, /* (duty cycle 50%) */
+ tcaddr + ATMEL_TC_REG(0, CMR));
+--
+2.42.0
+
--- /dev/null
+From 33db1a86966cfd4be6ee8eb68db012cbb175143d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Oct 2023 16:39:22 +0800
+Subject: clocksource/drivers/timer-imx-gpt: Fix potential memory leak
+
+From: Jacky Bai <ping.bai@nxp.com>
+
+[ Upstream commit 8051a993ce222a5158bccc6ac22ace9253dd71cb ]
+
+Fix coverity Issue CID 250382: Resource leak (RESOURCE_LEAK).
+Add kfree when error return.
+
+Signed-off-by: Jacky Bai <ping.bai@nxp.com>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lore.kernel.org/r/20231009083922.1942971-1-ping.bai@nxp.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/timer-imx-gpt.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/clocksource/timer-imx-gpt.c b/drivers/clocksource/timer-imx-gpt.c
+index 706c0d0ff56cc..268c09417fa21 100644
+--- a/drivers/clocksource/timer-imx-gpt.c
++++ b/drivers/clocksource/timer-imx-gpt.c
+@@ -460,12 +460,16 @@ static int __init mxc_timer_init_dt(struct device_node *np, enum imx_gpt_type t
+ return -ENOMEM;
+
+ imxtm->base = of_iomap(np, 0);
+- if (!imxtm->base)
+- return -ENXIO;
++ if (!imxtm->base) {
++ ret = -ENXIO;
++ goto err_kfree;
++ }
+
+ imxtm->irq = irq_of_parse_and_map(np, 0);
+- if (imxtm->irq <= 0)
+- return -EINVAL;
++ if (imxtm->irq <= 0) {
++ ret = -EINVAL;
++ goto err_kfree;
++ }
+
+ imxtm->clk_ipg = of_clk_get_by_name(np, "ipg");
+
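Review bot: The new `err_kfree` path frees `imxtm` but not what was attached to it earlier: once `of_iomap()` has succeeded, the `irq <= 0` failure here and the `_mxc_timer_init()` failure in the next hunk both jump to a label that only calls `kfree()`, so the MMIO mapping is still leaked. A second label placed ahead of `err_kfree` would cover it, `err_iounmap:` followed by `iounmap(imxtm->base);`, with those two `goto`s pointed at it. The clock references obtained between the hunks look to be in the same position, though that code is only partly visible.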
+@@ -478,11 +482,15 @@ static int __init mxc_timer_init_dt(struct device_node *np, enum imx_gpt_type t
+
+ ret = _mxc_timer_init(imxtm);
+ if (ret)
+- return ret;
++ goto err_kfree;
+
+ initialized = 1;
+
+ return 0;
++
++err_kfree:
++ kfree(imxtm);
++ return ret;
+ }
+
+ static int __init imx1_timer_init_dt(struct device_node *np)
+--
+2.42.0
+
--- /dev/null
+From 9351b4a89644947712c4cf4e5574e3cdeb225a2a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Sep 2023 13:33:41 +0000
+Subject: crypto: pcrypt - Fix hungtask for PADATA_RESET
+
+From: Lu Jialin <lujialin4@huawei.com>
+
+[ Upstream commit 8f4f68e788c3a7a696546291258bfa5fdb215523 ]
+
+We found a hungtask bug in test_aead_vec_cfg as follows:
+
+INFO: task cryptomgr_test:391009 blocked for more than 120 seconds.
+"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
+Call trace:
+ __switch_to+0x98/0xe0
+ __schedule+0x6c4/0xf40
+ schedule+0xd8/0x1b4
+ schedule_timeout+0x474/0x560
+ wait_for_common+0x368/0x4e0
+ wait_for_completion+0x20/0x30
+ wait_for_completion+0x20/0x30
+ test_aead_vec_cfg+0xab4/0xd50
+ test_aead+0x144/0x1f0
+ alg_test_aead+0xd8/0x1e0
+ alg_test+0x634/0x890
+ cryptomgr_test+0x40/0x70
+ kthread+0x1e0/0x220
+ ret_from_fork+0x10/0x18
+ Kernel panic - not syncing: hung_task: blocked tasks
+
+For padata_do_parallel, when the return err is 0 or -EBUSY, it will call
+wait_for_completion(&wait->completion) in test_aead_vec_cfg. In normal
+case, aead_request_complete() will be called in pcrypt_aead_serial and the
+return err is 0 for padata_do_parallel. But, when pinst->flags is
+PADATA_RESET, the return err is -EBUSY for padata_do_parallel, and it
+won't call aead_request_complete(). Therefore, test_aead_vec_cfg will
+hung at wait_for_completion(&wait->completion), which will cause
+hungtask.
+
+The problem comes as following:
+(padata_do_parallel) |
+ rcu_read_lock_bh(); |
+ err = -EINVAL; | (padata_replace)
+ | pinst->flags |= PADATA_RESET;
+ err = -EBUSY |
+ if (pinst->flags & PADATA_RESET) |
+ rcu_read_unlock_bh() |
+ return err
+
+In order to resolve the problem, we replace the return err -EBUSY with
+-EAGAIN, which means parallel_data is changing, and the caller should call
+it again.
+
+v3:
+remove retry and just change the return err.
+v2:
+introduce padata_try_do_parallel() in pcrypt_aead_encrypt and
+pcrypt_aead_decrypt to solve the hungtask.
+
+Signed-off-by: Lu Jialin <lujialin4@huawei.com>
+Signed-off-by: Guo Zihua <guozihua@huawei.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ crypto/pcrypt.c | 4 ++++
+ kernel/padata.c | 2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/pcrypt.c b/crypto/pcrypt.c
+index 276d2fd9e911c..63e64164900e8 100644
+--- a/crypto/pcrypt.c
++++ b/crypto/pcrypt.c
+@@ -118,6 +118,8 @@ static int pcrypt_aead_encrypt(struct aead_request *req)
+ err = padata_do_parallel(ictx->psenc, padata, &ctx->cb_cpu);
+ if (!err)
+ return -EINPROGRESS;
++ if (err == -EBUSY)
++ return -EAGAIN;
+
+ return err;
+ }
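Review bot: The `-EBUSY` to `-EAGAIN` translation has no comment, and the reason is not obvious from the code: per the commit message, the caller waits for a completion when it sees `-EBUSY`, but padata returns that value during `PADATA_RESET` without ever completing the request. I would add above the check `/* padata is being reset and will not complete this request; -EBUSY would make the caller wait forever */`. The same two lines are duplicated in `pcrypt_aead_decrypt()` in the next hunk and need the same comment. Both function bodies start outside the hunks.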
+@@ -165,6 +167,8 @@ static int pcrypt_aead_decrypt(struct aead_request *req)
+ err = padata_do_parallel(ictx->psdec, padata, &ctx->cb_cpu);
+ if (!err)
+ return -EINPROGRESS;
++ if (err == -EBUSY)
++ return -EAGAIN;
+
+ return err;
+ }
+diff --git a/kernel/padata.c b/kernel/padata.c
+index 92a4867e8adc7..a544da60014c0 100644
+--- a/kernel/padata.c
++++ b/kernel/padata.c
+@@ -130,7 +130,7 @@ int padata_do_parallel(struct padata_shell *ps,
+ *cb_cpu = cpu;
+ }
+
+- err = -EBUSY;
++ err = -EBUSY;
+ if ((pinst->flags & PADATA_RESET))
+ goto out;
+
+--
+2.42.0
+
--- /dev/null
+From 42f67b13a31bf0c7b8fa764df9b52c0091316d60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Sep 2023 10:14:49 +0800
+Subject: drm/amd/display: Avoid NULL dereference of timing generator
+
+From: Wayne Lin <wayne.lin@amd.com>
+
+[ Upstream commit b1904ed480cee3f9f4036ea0e36d139cb5fee2d6 ]
+
+[Why & How]
+Check whether assigned timing generator is NULL or not before
+accessing its funcs to prevent NULL dereference.
+
+Reviewed-by: Jun Lei <jun.lei@amd.com>
+Acked-by: Hersen Wu <hersenxs.wu@amd.com>
+Signed-off-by: Wayne Lin <wayne.lin@amd.com>
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/core/dc_stream.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_stream.c b/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
+index bb09243758fe3..71b10b45a9b9e 100644
+--- a/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc_stream.c
+@@ -492,7 +492,7 @@ uint32_t dc_stream_get_vblank_counter(const struct dc_stream_state *stream)
+ for (i = 0; i < MAX_PIPES; i++) {
+ struct timing_generator *tg = res_ctx->pipe_ctx[i].stream_res.tg;
+
+- if (res_ctx->pipe_ctx[i].stream != stream)
++ if (res_ctx->pipe_ctx[i].stream != stream || !tg)
+ continue;
+
+ return tg->funcs->get_frame_count(tg);
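Review bot: Folding `!tg` into the stream-mismatch test makes a pipe that belongs to `stream` but has no timing generator indistinguishable from a pipe that belongs to another stream: the loop continues and the function falls through to whatever it returns after the loop, which is outside this hunk. For `dc_stream_get_scanoutpos()` in the next hunk this matters more, since the caller's out-parameters may be left unwritten on that path. Please add a comment saying when `stream_res.tg` can be NULL for a matching pipe, and keep that case on its own line so it reads separately: `if (!tg) continue;`. `tg->funcs` and the hook pointer are still dereferenced unchecked.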
+@@ -551,7 +551,7 @@ bool dc_stream_get_scanoutpos(const struct dc_stream_state *stream,
+ for (i = 0; i < MAX_PIPES; i++) {
+ struct timing_generator *tg = res_ctx->pipe_ctx[i].stream_res.tg;
+
+- if (res_ctx->pipe_ctx[i].stream != stream)
++ if (res_ctx->pipe_ctx[i].stream != stream || !tg)
+ continue;
+
+ tg->funcs->get_scanoutpos(tg,
+--
+2.42.0
+
--- /dev/null
+From faabec01bd0c59615321727ea15a1dba2ff97916 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Oct 2023 15:46:44 -0500
+Subject: drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 0f0e59075b5c22f1e871fbd508d6e4f495048356 ]
+
+For pptable structs that use flexible array sizes, use flexible arrays.
+
+Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2036742
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/powerplay/hwmgr/pptable_v1_0.h | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/powerplay/hwmgr/pptable_v1_0.h b/drivers/gpu/drm/amd/powerplay/hwmgr/pptable_v1_0.h
+index d5a4a08c6d392..0c61e2bc14cde 100644
+--- a/drivers/gpu/drm/amd/powerplay/hwmgr/pptable_v1_0.h
++++ b/drivers/gpu/drm/amd/powerplay/hwmgr/pptable_v1_0.h
+@@ -164,7 +164,7 @@ typedef struct _ATOM_Tonga_State {
+ typedef struct _ATOM_Tonga_State_Array {
+ UCHAR ucRevId;
+ UCHAR ucNumEntries; /* Number of entries. */
+- ATOM_Tonga_State entries[1]; /* Dynamically allocate entries. */
++ ATOM_Tonga_State entries[]; /* Dynamically allocate entries. */
+ } ATOM_Tonga_State_Array;
+
+ typedef struct _ATOM_Tonga_MCLK_Dependency_Record {
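Review bot: Turning `entries[1]` into `entries[]` shrinks `sizeof(ATOM_Tonga_State_Array)` by one `ATOM_Tonga_State`, so any size or bounds computation written against the old layout (the `sizeof(table) + (n - 1) * sizeof(record)` style) now comes out one record short. The users of these structs are not in this patch, so they need auditing alongside it; the same applies to the five other tables converted in the following hunks. Because `ucNumEntries` is read from the same table, the readers should also bound it against the table's actual size before indexing `entries[]`, otherwise the UBSAN report disappears while an oversized count can still read past the buffer.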
+@@ -210,7 +210,7 @@ typedef struct _ATOM_Polaris_SCLK_Dependency_Record {
+ typedef struct _ATOM_Polaris_SCLK_Dependency_Table {
+ UCHAR ucRevId;
+ UCHAR ucNumEntries; /* Number of entries. */
+- ATOM_Polaris_SCLK_Dependency_Record entries[1]; /* Dynamically allocate entries. */
++ ATOM_Polaris_SCLK_Dependency_Record entries[]; /* Dynamically allocate entries. */
+ } ATOM_Polaris_SCLK_Dependency_Table;
+
+ typedef struct _ATOM_Tonga_PCIE_Record {
+@@ -222,7 +222,7 @@ typedef struct _ATOM_Tonga_PCIE_Record {
+ typedef struct _ATOM_Tonga_PCIE_Table {
+ UCHAR ucRevId;
+ UCHAR ucNumEntries; /* Number of entries. */
+- ATOM_Tonga_PCIE_Record entries[1]; /* Dynamically allocate entries. */
++ ATOM_Tonga_PCIE_Record entries[]; /* Dynamically allocate entries. */
+ } ATOM_Tonga_PCIE_Table;
+
+ typedef struct _ATOM_Polaris10_PCIE_Record {
+@@ -235,7 +235,7 @@ typedef struct _ATOM_Polaris10_PCIE_Record {
+ typedef struct _ATOM_Polaris10_PCIE_Table {
+ UCHAR ucRevId;
+ UCHAR ucNumEntries; /* Number of entries. */
+- ATOM_Polaris10_PCIE_Record entries[1]; /* Dynamically allocate entries. */
++ ATOM_Polaris10_PCIE_Record entries[]; /* Dynamically allocate entries. */
+ } ATOM_Polaris10_PCIE_Table;
+
+
+@@ -252,7 +252,7 @@ typedef struct _ATOM_Tonga_MM_Dependency_Record {
+ typedef struct _ATOM_Tonga_MM_Dependency_Table {
+ UCHAR ucRevId;
+ UCHAR ucNumEntries; /* Number of entries. */
+- ATOM_Tonga_MM_Dependency_Record entries[1]; /* Dynamically allocate entries. */
++ ATOM_Tonga_MM_Dependency_Record entries[]; /* Dynamically allocate entries. */
+ } ATOM_Tonga_MM_Dependency_Table;
+
+ typedef struct _ATOM_Tonga_Voltage_Lookup_Record {
+@@ -265,7 +265,7 @@ typedef struct _ATOM_Tonga_Voltage_Lookup_Record {
+ typedef struct _ATOM_Tonga_Voltage_Lookup_Table {
+ UCHAR ucRevId;
+ UCHAR ucNumEntries; /* Number of entries. */
+- ATOM_Tonga_Voltage_Lookup_Record entries[1]; /* Dynamically allocate entries. */
++ ATOM_Tonga_Voltage_Lookup_Record entries[]; /* Dynamically allocate entries. */
+ } ATOM_Tonga_Voltage_Lookup_Table;
+
+ typedef struct _ATOM_Tonga_Fan_Table {
+--
+2.42.0
+
--- /dev/null
+From d5c0d7d5054abbaba22cce2a88c26e71b6c18c91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Oct 2023 15:22:52 -0500
+Subject: drm/amd: Fix UBSAN array-index-out-of-bounds for SMU7
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+[ Upstream commit 760efbca74a405dc439a013a5efaa9fadc95a8c3 ]
+
+For pptable structs that use flexible array sizes, use flexible arrays.
+
+Suggested-by: Felix Held <felix.held@amd.com>
+Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2874
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/include/pptable.h | 4 ++--
+ drivers/gpu/drm/amd/powerplay/hwmgr/pptable_v1_0.h | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/include/pptable.h b/drivers/gpu/drm/amd/include/pptable.h
+index 0b6a057e0a4c4..5aac8d545bdc6 100644
+--- a/drivers/gpu/drm/amd/include/pptable.h
++++ b/drivers/gpu/drm/amd/include/pptable.h
+@@ -78,7 +78,7 @@ typedef struct _ATOM_PPLIB_THERMALCONTROLLER
+ typedef struct _ATOM_PPLIB_STATE
+ {
+ UCHAR ucNonClockStateIndex;
+- UCHAR ucClockStateIndices[1]; // variable-sized
++ UCHAR ucClockStateIndices[]; // variable-sized
+ } ATOM_PPLIB_STATE;
+
+
+@@ -473,7 +473,7 @@ typedef struct _ATOM_PPLIB_STATE_V2
+ /**
+ * Driver will read the first ucNumDPMLevels in this array
+ */
+- UCHAR clockInfoIndex[1];
++ UCHAR clockInfoIndex[];
+ } ATOM_PPLIB_STATE_V2;
+
+ typedef struct _StateArray{
+diff --git a/drivers/gpu/drm/amd/powerplay/hwmgr/pptable_v1_0.h b/drivers/gpu/drm/amd/powerplay/hwmgr/pptable_v1_0.h
+index 1e870f58dd12a..d5a4a08c6d392 100644
+--- a/drivers/gpu/drm/amd/powerplay/hwmgr/pptable_v1_0.h
++++ b/drivers/gpu/drm/amd/powerplay/hwmgr/pptable_v1_0.h
+@@ -179,7 +179,7 @@ typedef struct _ATOM_Tonga_MCLK_Dependency_Record {
+ typedef struct _ATOM_Tonga_MCLK_Dependency_Table {
+ UCHAR ucRevId;
+ UCHAR ucNumEntries; /* Number of entries. */
+- ATOM_Tonga_MCLK_Dependency_Record entries[1]; /* Dynamically allocate entries. */
++ ATOM_Tonga_MCLK_Dependency_Record entries[]; /* Dynamically allocate entries. */
+ } ATOM_Tonga_MCLK_Dependency_Table;
+
+ typedef struct _ATOM_Tonga_SCLK_Dependency_Record {
+@@ -194,7 +194,7 @@ typedef struct _ATOM_Tonga_SCLK_Dependency_Record {
+ typedef struct _ATOM_Tonga_SCLK_Dependency_Table {
+ UCHAR ucRevId;
+ UCHAR ucNumEntries; /* Number of entries. */
+- ATOM_Tonga_SCLK_Dependency_Record entries[1]; /* Dynamically allocate entries. */
++ ATOM_Tonga_SCLK_Dependency_Record entries[]; /* Dynamically allocate entries. */
+ } ATOM_Tonga_SCLK_Dependency_Table;
+
+ typedef struct _ATOM_Polaris_SCLK_Dependency_Record {
+--
+2.42.0
+
--- /dev/null
+From ee934f2ca4141dbb7f4dbfb17935ec2f6dbe8d08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 23 Oct 2023 12:56:37 +0000
+Subject: drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is
+ NULL
+
+From: Qu Huang <qu.huang@linux.dev>
+
+[ Upstream commit 5104fdf50d326db2c1a994f8b35dcd46e63ae4ad ]
+
+In certain types of chips, such as VEGA20, reading the amdgpu_regs_smc file could result in an abnormal null pointer access when the smc_rreg pointer is NULL. Below are the steps to reproduce this issue and the corresponding exception log:
+
+1. Navigate to the directory: /sys/kernel/debug/dri/0
+2. Execute command: cat amdgpu_regs_smc
+3. Exception Log::
+[4005007.702554] BUG: kernel NULL pointer dereference, address: 0000000000000000
+[4005007.702562] #PF: supervisor instruction fetch in kernel mode
+[4005007.702567] #PF: error_code(0x0010) - not-present page
+[4005007.702570] PGD 0 P4D 0
+[4005007.702576] Oops: 0010 [#1] SMP NOPTI
+[4005007.702581] CPU: 4 PID: 62563 Comm: cat Tainted: G OE 5.15.0-43-generic #46-Ubunt u
+[4005007.702590] RIP: 0010:0x0
+[4005007.702598] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
+[4005007.702600] RSP: 0018:ffffa82b46d27da0 EFLAGS: 00010206
+[4005007.702605] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffa82b46d27e68
+[4005007.702609] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9940656e0000
+[4005007.702612] RBP: ffffa82b46d27dd8 R08: 0000000000000000 R09: ffff994060c07980
+[4005007.702615] R10: 0000000000020000 R11: 0000000000000000 R12: 00007f5e06753000
+[4005007.702618] R13: ffff9940656e0000 R14: ffffa82b46d27e68 R15: 00007f5e06753000
+[4005007.702622] FS: 00007f5e0755b740(0000) GS:ffff99479d300000(0000) knlGS:0000000000000000
+[4005007.702626] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[4005007.702629] CR2: ffffffffffffffd6 CR3: 00000003253fc000 CR4: 00000000003506e0
+[4005007.702633] Call Trace:
+[4005007.702636] <TASK>
+[4005007.702640] amdgpu_debugfs_regs_smc_read+0xb0/0x120 [amdgpu]
+[4005007.703002] full_proxy_read+0x5c/0x80
+[4005007.703011] vfs_read+0x9f/0x1a0
+[4005007.703019] ksys_read+0x67/0xe0
+[4005007.703023] __x64_sys_read+0x19/0x20
+[4005007.703028] do_syscall_64+0x5c/0xc0
+[4005007.703034] ? do_user_addr_fault+0x1e3/0x670
+[4005007.703040] ? exit_to_user_mode_prepare+0x37/0xb0
+[4005007.703047] ? irqentry_exit_to_user_mode+0x9/0x20
+[4005007.703052] ? irqentry_exit+0x19/0x30
+[4005007.703057] ? exc_page_fault+0x89/0x160
+[4005007.703062] ? asm_exc_page_fault+0x8/0x30
+[4005007.703068] entry_SYSCALL_64_after_hwframe+0x44/0xae
+[4005007.703075] RIP: 0033:0x7f5e07672992
+[4005007.703079] Code: c0 e9 b2 fe ff ff 50 48 8d 3d fa b2 0c 00 e8 c5 1d 02 00 0f 1f 44 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 0f 05 <48> 3d 00 f0 ff ff 77 56 c3 0f 1f 44 00 00 48 83 e c 28 48 89 54 24
+[4005007.703083] RSP: 002b:00007ffe03097898 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
+[4005007.703088] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f5e07672992
+[4005007.703091] RDX: 0000000000020000 RSI: 00007f5e06753000 RDI: 0000000000000003
+[4005007.703094] RBP: 00007f5e06753000 R08: 00007f5e06752010 R09: 00007f5e06752010
+[4005007.703096] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000022000
+[4005007.703099] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
+[4005007.703105] </TASK>
+[4005007.703107] Modules linked in: nf_tables libcrc32c nfnetlink algif_hash af_alg binfmt_misc nls_ iso8859_1 ipmi_ssif ast intel_rapl_msr intel_rapl_common drm_vram_helper drm_ttm_helper amd64_edac t tm edac_mce_amd kvm_amd ccp mac_hid k10temp kvm acpi_ipmi ipmi_si rapl sch_fq_codel ipmi_devintf ipm i_msghandler msr parport_pc ppdev lp parport mtd pstore_blk efi_pstore ramoops pstore_zone reed_solo mon ip_tables x_tables autofs4 ib_uverbs ib_core amdgpu(OE) amddrm_ttm_helper(OE) amdttm(OE) iommu_v 2 amd_sched(OE) amdkcl(OE) drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec rc_core drm igb ahci xhci_pci libahci i2c_piix4 i2c_algo_bit xhci_pci_renesas dca
+[4005007.703184] CR2: 0000000000000000
+[4005007.703188] ---[ end trace ac65a538d240da39 ]---
+[4005007.800865] RIP: 0010:0x0
+[4005007.800871] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6.
+[4005007.800874] RSP: 0018:ffffa82b46d27da0 EFLAGS: 00010206
+[4005007.800878] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffa82b46d27e68
+[4005007.800881] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9940656e0000
+[4005007.800883] RBP: ffffa82b46d27dd8 R08: 0000000000000000 R09: ffff994060c07980
+[4005007.800886] R10: 0000000000020000 R11: 0000000000000000 R12: 00007f5e06753000
+[4005007.800888] R13: ffff9940656e0000 R14: ffffa82b46d27e68 R15: 00007f5e06753000
+[4005007.800891] FS: 00007f5e0755b740(0000) GS:ffff99479d300000(0000) knlGS:0000000000000000
+[4005007.800895] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[4005007.800898] CR2: ffffffffffffffd6 CR3: 00000003253fc000 CR4: 00000000003506e0
+
+Signed-off-by: Qu Huang <qu.huang@linux.dev>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
+index a9a81e55777bf..d81034023144a 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
+@@ -392,6 +392,9 @@ static ssize_t amdgpu_debugfs_regs_smc_read(struct file *f, char __user *buf,
+ ssize_t result = 0;
+ int r;
+
++ if (!adev->smc_rreg)
++ return -EPERM;
++
+ if (size & 0x3 || *pos & 0x3)
+ return -EINVAL;
+
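Review bot: `-EPERM` on the added guard reports a missing SMC read callback as a permission failure, which misleads a caller that was already allowed to open the debugfs file. An errno saying the operation is unavailable on this chip, such as `return -EOPNOTSUPP;`, matches the condition the commit message describes (smc_rreg is NULL on chips such as VEGA20). The same applies to the `smc_wreg` guard in the next hunk. The function body continues outside the hunk.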
+@@ -431,6 +434,9 @@ static ssize_t amdgpu_debugfs_regs_smc_write(struct file *f, const char __user *
+ ssize_t result = 0;
+ int r;
+
++ if (!adev->smc_wreg)
++ return -EPERM;
++
+ if (size & 0x3 || *pos & 0x3)
+ return -EINVAL;
+
+--
+2.42.0
+
--- /dev/null
+From 7dcb4adde5646a126c447c88d2456ed3f2e7a0ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 4 Aug 2023 10:05:53 +0800
+Subject: drm/komeda: drop all currently held locks if deadlock happens
+
+From: baozhu.liu <lucas.liu@siengine.com>
+
+[ Upstream commit 19ecbe8325a2a7ffda5ff4790955b84eaccba49f ]
+
+If komeda_pipeline_unbound_components() returns -EDEADLK,
+it means that a deadlock happened in the locking context.
+Currently, komeda is not dealing with the deadlock properly,producing the
+following output when CONFIG_DEBUG_WW_MUTEX_SLOWPATH is enabled:
+
+ ------------[ cut here ]------------
+[ 26.103984] WARNING: CPU: 2 PID: 345 at drivers/gpu/drm/arm/display/komeda/komeda_pipeline_state.c:1248
+ komeda_release_unclaimed_resources+0x13c/0x170
+[ 26.117453] Modules linked in:
+[ 26.120511] CPU: 2 PID: 345 Comm: composer@2.1-se Kdump: loaded Tainted: G W 5.10.110-SE-SDK1.8-dirty #16
+[ 26.131374] Hardware name: Siengine Se1000 Evaluation board (DT)
+[ 26.137379] pstate: 20400009 (nzCv daif +PAN -UAO -TCO BTYPE=--)
+[ 26.143385] pc : komeda_release_unclaimed_resources+0x13c/0x170
+[ 26.149301] lr : komeda_release_unclaimed_resources+0xbc/0x170
+[ 26.155130] sp : ffff800017b8b8d0
+[ 26.158442] pmr_save: 000000e0
+[ 26.161493] x29: ffff800017b8b8d0 x28: ffff000cf2f96200
+[ 26.166805] x27: ffff000c8f5a8800 x26: 0000000000000000
+[ 26.172116] x25: 0000000000000038 x24: ffff8000116a0140
+[ 26.177428] x23: 0000000000000038 x22: ffff000cf2f96200
+[ 26.182739] x21: ffff000cfc300300 x20: ffff000c8ab77080
+[ 26.188051] x19: 0000000000000003 x18: 0000000000000000
+[ 26.193362] x17: 0000000000000000 x16: 0000000000000000
+[ 26.198672] x15: b400e638f738ba38 x14: 0000000000000000
+[ 26.203983] x13: 0000000106400a00 x12: 0000000000000000
+[ 26.209294] x11: 0000000000000000 x10: 0000000000000000
+[ 26.214604] x9 : ffff800012f80000 x8 : ffff000ca3308000
+[ 26.219915] x7 : 0000000ff3000000 x6 : ffff80001084034c
+[ 26.225226] x5 : ffff800017b8bc40 x4 : 000000000000000f
+[ 26.230536] x3 : ffff000ca3308000 x2 : 0000000000000000
+[ 26.235847] x1 : 0000000000000000 x0 : ffffffffffffffdd
+[ 26.241158] Call trace:
+[ 26.243604] komeda_release_unclaimed_resources+0x13c/0x170
+[ 26.249175] komeda_crtc_atomic_check+0x68/0xf0
+[ 26.253706] drm_atomic_helper_check_planes+0x138/0x1f4
+[ 26.258929] komeda_kms_check+0x284/0x36c
+[ 26.262939] drm_atomic_check_only+0x40c/0x714
+[ 26.267381] drm_atomic_nonblocking_commit+0x1c/0x60
+[ 26.272344] drm_mode_atomic_ioctl+0xa3c/0xb8c
+[ 26.276787] drm_ioctl_kernel+0xc4/0x120
+[ 26.280708] drm_ioctl+0x268/0x534
+[ 26.284109] __arm64_sys_ioctl+0xa8/0xf0
+[ 26.288030] el0_svc_common.constprop.0+0x80/0x240
+[ 26.292817] do_el0_svc+0x24/0x90
+[ 26.296132] el0_svc+0x20/0x30
+[ 26.299185] el0_sync_handler+0xe8/0xf0
+[ 26.303018] el0_sync+0x1a4/0x1c0
+[ 26.306330] irq event stamp: 0
+[ 26.309384] hardirqs last enabled at (0): [<0000000000000000>] 0x0
+[ 26.315650] hardirqs last disabled at (0): [<ffff800010056d34>] copy_process+0x5d0/0x183c
+[ 26.323825] softirqs last enabled at (0): [<ffff800010056d34>] copy_process+0x5d0/0x183c
+[ 26.331997] softirqs last disabled at (0): [<0000000000000000>] 0x0
+[ 26.338261] ---[ end trace 20ae984fa860184a ]---
+[ 26.343021] ------------[ cut here ]------------
+[ 26.347646] WARNING: CPU: 3 PID: 345 at drivers/gpu/drm/drm_modeset_lock.c:228 drm_modeset_drop_locks+0x84/0x90
+[ 26.357727] Modules linked in:
+[ 26.360783] CPU: 3 PID: 345 Comm: composer@2.1-se Kdump: loaded Tainted: G W 5.10.110-SE-SDK1.8-dirty #16
+[ 26.371645] Hardware name: Siengine Se1000 Evaluation board (DT)
+[ 26.377647] pstate: 20400009 (nzCv daif +PAN -UAO -TCO BTYPE=--)
+[ 26.383649] pc : drm_modeset_drop_locks+0x84/0x90
+[ 26.388351] lr : drm_mode_atomic_ioctl+0x860/0xb8c
+[ 26.393137] sp : ffff800017b8bb10
+[ 26.396447] pmr_save: 000000e0
+[ 26.399497] x29: ffff800017b8bb10 x28: 0000000000000001
+[ 26.404807] x27: 0000000000000038 x26: 0000000000000002
+[ 26.410115] x25: ffff000cecbefa00 x24: ffff000cf2f96200
+[ 26.415423] x23: 0000000000000001 x22: 0000000000000018
+[ 26.420731] x21: 0000000000000001 x20: ffff800017b8bc10
+[ 26.426039] x19: 0000000000000000 x18: 0000000000000000
+[ 26.431347] x17: 0000000002e8bf2c x16: 0000000002e94c6b
+[ 26.436655] x15: 0000000002ea48b9 x14: ffff8000121f0300
+[ 26.441963] x13: 0000000002ee2ca8 x12: ffff80001129cae0
+[ 26.447272] x11: ffff800012435000 x10: ffff000ed46b5e88
+[ 26.452580] x9 : ffff000c9935e600 x8 : 0000000000000000
+[ 26.457888] x7 : 000000008020001e x6 : 000000008020001f
+[ 26.463196] x5 : ffff80001085fbe0 x4 : fffffe0033a59f20
+[ 26.468504] x3 : 000000008020001e x2 : 0000000000000000
+[ 26.473813] x1 : 0000000000000000 x0 : ffff000c8f596090
+[ 26.479122] Call trace:
+[ 26.481566] drm_modeset_drop_locks+0x84/0x90
+[ 26.485918] drm_mode_atomic_ioctl+0x860/0xb8c
+[ 26.490359] drm_ioctl_kernel+0xc4/0x120
+[ 26.494278] drm_ioctl+0x268/0x534
+[ 26.497677] __arm64_sys_ioctl+0xa8/0xf0
+[ 26.501598] el0_svc_common.constprop.0+0x80/0x240
+[ 26.506384] do_el0_svc+0x24/0x90
+[ 26.509697] el0_svc+0x20/0x30
+[ 26.512748] el0_sync_handler+0xe8/0xf0
+[ 26.516580] el0_sync+0x1a4/0x1c0
+[ 26.519891] irq event stamp: 0
+[ 26.522943] hardirqs last enabled at (0): [<0000000000000000>] 0x0
+[ 26.529207] hardirqs last disabled at (0): [<ffff800010056d34>] copy_process+0x5d0/0x183c
+[ 26.537379] softirqs last enabled at (0): [<ffff800010056d34>] copy_process+0x5d0/0x183c
+[ 26.545550] softirqs last disabled at (0): [<0000000000000000>] 0x0
+[ 26.551812] ---[ end trace 20ae984fa860184b ]---
+
+According to the call trace information,it can be located to be
+WARN_ON(IS_ERR(c_st)) in the komeda_pipeline_unbound_components function;
+Then follow the function.
+komeda_pipeline_unbound_components
+-> komeda_component_get_state_and_set_user
+ -> komeda_pipeline_get_state_and_set_crtc
+ -> komeda_pipeline_get_state
+ ->drm_atomic_get_private_obj_state
+ -> drm_atomic_get_private_obj_state
+ -> drm_modeset_lock
+
+komeda_pipeline_unbound_components
+-> komeda_component_get_state_and_set_user
+ -> komeda_component_get_state
+ -> drm_atomic_get_private_obj_state
+ -> drm_modeset_lock
+
+ret = drm_modeset_lock(&obj->lock, state->acquire_ctx); if (ret)
+ return ERR_PTR(ret);
+Here it return -EDEADLK.
+
+deal with the deadlock as suggested by [1], using the
+function drm_modeset_backoff().
+[1] https://docs.kernel.org/gpu/drm-kms.html?highlight=kms#kms-locking
+
+Therefore, the problem can be solved by returning -EDEADLK, so that the
+error reaches the drm_modeset_backoff handling in the
+drm_mode_atomic_ioctl function.
+
+Signed-off-by: baozhu.liu <lucas.liu@siengine.com>
+Signed-off-by: menghui.huang <menghui.huang@siengine.com>
+Reviewed-by: Liviu Dudau <liviu.dudau@arm.com>
+Signed-off-by: Liviu Dudau <liviu.dudau@arm.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20230804013117.6870-1-menghui.huang@siengine.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../gpu/drm/arm/display/komeda/komeda_pipeline_state.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_pipeline_state.c b/drivers/gpu/drm/arm/display/komeda/komeda_pipeline_state.c
+index b848270e0a1f4..31527fb66b5c5 100644
+--- a/drivers/gpu/drm/arm/display/komeda/komeda_pipeline_state.c
++++ b/drivers/gpu/drm/arm/display/komeda/komeda_pipeline_state.c
+@@ -1171,7 +1171,7 @@ int komeda_build_display_data_flow(struct komeda_crtc *kcrtc,
+ return 0;
+ }
+
+-static void
++static int
+ komeda_pipeline_unbound_components(struct komeda_pipeline *pipe,
+ struct komeda_pipeline_state *new)
+ {
+@@ -1190,8 +1190,12 @@ komeda_pipeline_unbound_components(struct komeda_pipeline *pipe,
+ c = komeda_pipeline_get_component(pipe, id);
+ c_st = komeda_component_get_state_and_set_user(c,
+ drm_st, NULL, new->crtc);
++ if (PTR_ERR(c_st) == -EDEADLK)
++ return -EDEADLK;
+ WARN_ON(IS_ERR(c_st));
+ }
++
++ return 0;
+ }
+
+ /* release unclaimed pipeline resource */
+@@ -1213,9 +1217,8 @@ int komeda_release_unclaimed_resources(struct komeda_pipeline *pipe,
+ if (WARN_ON(IS_ERR_OR_NULL(st)))
+ return -EINVAL;
+
+- komeda_pipeline_unbound_components(pipe, st);
++ return komeda_pipeline_unbound_components(pipe, st);
+
+- return 0;
+ }
+
+ void komeda_pipeline_disable(struct komeda_pipeline *pipe,
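Review bot: The new `return komeda_pipeline_unbound_components(pipe, st);` is followed by an empty line before the closing brace, left over from the removed `return 0;`; that line should be dropped. Separately, the propagated `-EDEADLK` only helps if every caller above komeda_release_unclaimed_resources passes it up unchanged to the backoff handling in the atomic ioctl. The hunk does not show that, so the call chain named in the commit message is worth checking.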
+--
+2.42.0
+
--- /dev/null
+From af7bf71b1d5207d6956f1659a74aad2714eaee14 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Oct 2023 17:56:58 +0800
+Subject: fs/jfs: Add check for negative db_l2nbperpage
+
+From: Juntong Deng <juntong.deng@outlook.com>
+
+[ Upstream commit 525b861a008143048535011f3816d407940f4bfa ]
+
+l2nbperpage is log2(number of blks per page), and the minimum legal
+value should be 0, not negative.
+
+In the case of l2nbperpage being negative, an error will occur
+when subsequently used as shift exponent.
+
+Syzbot reported this bug:
+
+UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:799:12
+shift exponent -16777216 is negative
+
+Reported-by: syzbot+debee9ab7ae2b34b0307@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=debee9ab7ae2b34b0307
+Signed-off-by: Juntong Deng <juntong.deng@outlook.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_dmap.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
+index a785c747a8cbb..495a1c6e5fd46 100644
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -180,7 +180,8 @@ int dbMount(struct inode *ipbmap)
+ bmp->db_nfree = le64_to_cpu(dbmp_le->dn_nfree);
+
+ bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage);
+- if (bmp->db_l2nbperpage > L2PSIZE - L2MINBLOCKSIZE) {
++ if (bmp->db_l2nbperpage > L2PSIZE - L2MINBLOCKSIZE ||
++ bmp->db_l2nbperpage < 0) {
+ err = -EINVAL;
+ goto err_release_metapage;
+ }
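Review bot: Nothing at the extended check says why a negative `db_l2nbperpage` must fail the mount, and the reason (the value is read from disk and later used as a shift count, per the UBSAN report in the commit message) is not visible from dbMount itself. A one-line comment above the `if` would record it, e.g. `/* on-disk value, used as a shift exponent later: must be within 0..L2PSIZE - L2MINBLOCKSIZE */`. Putting the lower bound first (`bmp->db_l2nbperpage < 0 || ...`) would also read more naturally as a range check. dbMount starts and ends outside the hunk.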
+--
+2.42.0
+
--- /dev/null
+From 474382787f55db4583c6556d096ebc879ecd953a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Oct 2023 02:06:41 +0800
+Subject: fs/jfs: Add validity check for db_maxag and db_agpref
+
+From: Juntong Deng <juntong.deng@outlook.com>
+
+[ Upstream commit 64933ab7b04881c6c18b21ff206c12278341c72e ]
+
+Both db_maxag and db_agpref are used as the index of the
+db_agfree array, but there is currently no validity check for
+db_maxag and db_agpref, which can lead to errors.
+
+The following is related bug reported by Syzbot:
+
+UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:639:20
+index 7936 is out of range for type 'atomic_t[128]'
+
+Add checking that the values of db_maxag and db_agpref are valid
+indexes for the db_agfree array.
+
+Reported-by: syzbot+38e876a8aa44b7115c76@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=38e876a8aa44b7115c76
+Signed-off-by: Juntong Deng <juntong.deng@outlook.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_dmap.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
+index 495a1c6e5fd46..b23b219b20aab 100644
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -195,6 +195,12 @@ int dbMount(struct inode *ipbmap)
+ bmp->db_maxlevel = le32_to_cpu(dbmp_le->dn_maxlevel);
+ bmp->db_maxag = le32_to_cpu(dbmp_le->dn_maxag);
+ bmp->db_agpref = le32_to_cpu(dbmp_le->dn_agpref);
++ if (bmp->db_maxag >= MAXAG || bmp->db_maxag < 0 ||
++ bmp->db_agpref >= MAXAG || bmp->db_agpref < 0) {
++ err = -EINVAL;
++ goto err_release_metapage;
++ }
++
+ bmp->db_aglevel = le32_to_cpu(dbmp_le->dn_aglevel);
+ bmp->db_agheight = le32_to_cpu(dbmp_le->dn_agheight);
+ bmp->db_agwidth = le32_to_cpu(dbmp_le->dn_agwidth);
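Review bot: The new range check covers `db_maxag` and `db_agpref`, but the fields read on the lines right after it (`db_aglevel`, `db_agheight`, `db_agwidth`) are taken from the same on-disk structure with no validation in this hunk. If they are also used as indexes, shift counts or loop bounds, a corrupted image could reach the same class of out-of-bounds access through them. Whether they are checked elsewhere in dbMount cannot be told from here, since the function continues outside the hunk. A comment on the added check, such as `/* both values index db_agfree[MAXAG] */`, would make its intent clear.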
+--
+2.42.0
+
--- /dev/null
+From 2b3fa5876f3b318d2ac9a62f2a7fd50b180a4813 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Sep 2023 08:46:43 -0500
+Subject: gfs2: ignore negated quota changes
+
+From: Bob Peterson <rpeterso@redhat.com>
+
+[ Upstream commit 4c6a08125f2249531ec01783a5f4317d7342add5 ]
+
+When lots of quota changes are made, there may be cases in which an
+inode's quota information is increased and then decreased, such as when
+blocks are added to a file, then deleted from it. If the timing is
+right, function do_qc can add pending quota changes to a transaction,
+then later, another call to do_qc can negate those changes, resulting
+in a net gain of 0. The quota_change information is recorded in the qc
+buffer (and qd element of the inode as well). The buffer is added to the
+transaction by the first call to do_qc, but a subsequent call changes
+the value from non-zero back to zero. At that point it's too late to
+remove the buffer_head from the transaction. Later, when the quota sync
+code is called, the zero-change qd element is discovered and flagged as
+an assert warning. If the fs is mounted with errors=panic, the kernel
+will panic.
+
+This is usually seen when files are truncated and the quota changes are
+negated by punch_hole/truncate which uses gfs2_quota_hold and
+gfs2_quota_unhold rather than block allocations that use gfs2_quota_lock
+and gfs2_quota_unlock which automatically do quota sync.
+
+This patch solves the problem by adding a check to qd_check_sync such
+that net-zero quota changes already added to the transaction are no
+longer deemed necessary to be synced, and skipped.
+
+In this case references are taken for the qd and the slot from do_qc
+so those need to be put. The normal sequence of events for a normal
+non-zero quota change is as follows:
+
+gfs2_quota_change
+ do_qc
+ qd_hold
+ slot_hold
+
+Later, when the changes are to be synced:
+
+gfs2_quota_sync
+ qd_fish
+ qd_check_sync
+ gets qd ref via lockref_get_not_dead
+ do_sync
+ do_qc(QC_SYNC)
+ qd_put
+ lockref_put_or_lock
+ qd_unlock
+ qd_put
+ lockref_put_or_lock
+
+In the net-zero change case, we add a check to qd_check_sync so it puts
+the qd and slot references acquired in gfs2_quota_change and skip the
+unneeded sync.
+
+Signed-off-by: Bob Peterson <rpeterso@redhat.com>
+Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/gfs2/quota.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/fs/gfs2/quota.c b/fs/gfs2/quota.c
+index cbee745169b8f..ce3d65787e016 100644
+--- a/fs/gfs2/quota.c
++++ b/fs/gfs2/quota.c
+@@ -431,6 +431,17 @@ static int qd_check_sync(struct gfs2_sbd *sdp, struct gfs2_quota_data *qd,
+ (sync_gen && (qd->qd_sync_gen >= *sync_gen)))
+ return 0;
+
++ /*
++ * If qd_change is 0 it means a pending quota change was negated.
++ * We should not sync it, but we still have a qd reference and slot
++ * reference taken by gfs2_quota_change -> do_qc that need to be put.
++ */
++ if (!qd->qd_change && test_and_clear_bit(QDF_CHANGE, &qd->qd_flags)) {
++ slot_put(qd);
++ qd_put(qd);
++ return 0;
++ }
++
+ if (!lockref_get_not_dead(&qd->qd_lockref))
+ return 0;
+
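Review bot: The early-return path calls `slot_put(qd)` and `qd_put(qd)` from inside qd_check_sync, and the hunk does not show which locks its callers hold at this point. If a caller holds a spinlock that either put routine also takes, or if `qd_put()` can drop the last reference while the caller still uses `qd`, this path would be unsafe. The added comment explains where the references come from but not the locking assumption, so it could be extended with a line such as `* Callers must not hold <lock> here; qd may be released by qd_put().` once that has been confirmed. It is also worth confirming that `QDF_CHANGE` being set always implies both references are held, since `test_and_clear_bit()` is the only thing preventing a double put. The function body starts and ends outside the hunk.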
+--
+2.42.0
+
--- /dev/null
+From ad7665658aef9c2511ff7f63c6071e3c54ec0b10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Oct 2023 15:32:09 +0200
+Subject: HID: Add quirk for Dell Pro Wireless Keyboard and Mouse KM5221W
+
+From: Jiri Kosina <jkosina@suse.cz>
+
+[ Upstream commit 62cc9c3cb3ec1bf31cc116146185ed97b450836a ]
+
+This device needs ALWAYS_POLL quirk, otherwise it keeps reconnecting
+indefinitely.
+
+Reported-by: Robert Ayrapetyan <robert.ayrapetyan@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/hid-quirks.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
+index 64842926aff64..182068bf28c0a 100644
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -350,6 +350,7 @@
+
+ #define USB_VENDOR_ID_DELL 0x413c
+ #define USB_DEVICE_ID_DELL_PIXART_USB_OPTICAL_MOUSE 0x301a
++#define USB_DEVICE_ID_DELL_PRO_WIRELESS_KM5221W 0x4503
+
+ #define USB_VENDOR_ID_DELORME 0x1163
+ #define USB_DEVICE_ID_DELORME_EARTHMATE 0x0100
+diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c
+index 83c3322fcf187..fae784df084d5 100644
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -66,6 +66,7 @@ static const struct hid_device_id hid_quirks[] = {
+ { HID_USB_DEVICE(USB_VENDOR_ID_CORSAIR, USB_DEVICE_ID_CORSAIR_STRAFE), HID_QUIRK_NO_INIT_REPORTS | HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_CREATIVELABS, USB_DEVICE_ID_CREATIVE_SB_OMNI_SURROUND_51), HID_QUIRK_NOGET },
+ { HID_USB_DEVICE(USB_VENDOR_ID_DELL, USB_DEVICE_ID_DELL_PIXART_USB_OPTICAL_MOUSE), HID_QUIRK_ALWAYS_POLL },
++ { HID_USB_DEVICE(USB_VENDOR_ID_DELL, USB_DEVICE_ID_DELL_PRO_WIRELESS_KM5221W), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_DMI, USB_DEVICE_ID_DMI_ENC), HID_QUIRK_NOGET },
+ { HID_USB_DEVICE(USB_VENDOR_ID_DRACAL_RAPHNET, USB_DEVICE_ID_RAPHNET_2NES2SNES), HID_QUIRK_MULTI_INPUT },
+ { HID_USB_DEVICE(USB_VENDOR_ID_DRACAL_RAPHNET, USB_DEVICE_ID_RAPHNET_4NES4SNES), HID_QUIRK_MULTI_INPUT },
+--
+2.42.0
+
--- /dev/null
+From 397c72f7f293e276fc90efc011855de79e8afbcc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Apr 2016 08:54:30 +0800
+Subject: i2c: sun6i-p2wi: Prevent potential division by zero
+
+From: Axel Lin <axel.lin@ingics.com>
+
+[ Upstream commit 5ac61d26b8baff5b2e5a9f3dc1ef63297e4b53e7 ]
+
+Make sure we don't OOPS in case clock-frequency is set to 0 in a DT. The
+variable set here is later used as a divisor.
+
+Signed-off-by: Axel Lin <axel.lin@ingics.com>
+Acked-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-sun6i-p2wi.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/i2c/busses/i2c-sun6i-p2wi.c b/drivers/i2c/busses/i2c-sun6i-p2wi.c
+index 7c07ce116e384..540c33f4e3500 100644
+--- a/drivers/i2c/busses/i2c-sun6i-p2wi.c
++++ b/drivers/i2c/busses/i2c-sun6i-p2wi.c
+@@ -202,6 +202,11 @@ static int p2wi_probe(struct platform_device *pdev)
+ return -EINVAL;
+ }
+
++ if (clk_freq == 0) {
++ dev_err(dev, "clock-frequency is set to 0 in DT\n");
++ return -EINVAL;
++ }
++
+ if (of_get_child_count(np) > 1) {
+ dev_err(dev, "P2WI only supports one slave device\n");
+ return -EINVAL;
+--
+2.42.0
+
--- /dev/null
+From 17a92c2135fb7185f5d119f13c8fc5801a713942 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Nov 2023 15:22:41 +0000
+Subject: ipvlan: add ipvlan_route_v6_outbound() helper
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 18f039428c7df183b09c69ebf10ffd4e521035d2 ]
+
+Inspired by syzbot reports using a stack of multiple ipvlan devices.
+
+Reduce stack size needed in ipvlan_process_v6_outbound() by moving
+the flowi6 struct used for the route lookup in an non inlined
+helper. ipvlan_route_v6_outbound() needs 120 bytes on the stack,
+immediately reclaimed.
+
+Also make sure ipvlan_process_v4_outbound() is not inlined.
+
+We might also have to lower MAX_NEST_DEV, because only syzbot uses
+setups with more than four stacked devices.
+
+BUG: TASK stack guard page was hit at ffffc9000e803ff8 (stack is ffffc9000e804000..ffffc9000e808000)
+stack guard page: 0000 [#1] SMP KASAN
+CPU: 0 PID: 13442 Comm: syz-executor.4 Not tainted 6.1.52-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
+RIP: 0010:kasan_check_range+0x4/0x2a0 mm/kasan/generic.c:188
+Code: 48 01 c6 48 89 c7 e8 db 4e c1 03 31 c0 5d c3 cc 0f 0b eb 02 0f 0b b8 ea ff ff ff 5d c3 cc 00 00 cc cc 00 00 cc cc 55 48 89 e5 <41> 57 41 56 41 55 41 54 53 b0 01 48 85 f6 0f 84 a4 01 00 00 48 89
+RSP: 0018:ffffc9000e804000 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817e5bf2
+RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff887c6568
+RBP: ffffc9000e804000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: dffffc0000000001 R12: 1ffff92001d0080c
+R13: dffffc0000000000 R14: ffffffff87e6b100 R15: 0000000000000000
+FS: 00007fd0c55826c0(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffc9000e803ff8 CR3: 0000000170ef7000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+<#DF>
+</#DF>
+<TASK>
+[<ffffffff81f281d1>] __kasan_check_read+0x11/0x20 mm/kasan/shadow.c:31
+[<ffffffff817e5bf2>] instrument_atomic_read include/linux/instrumented.h:72 [inline]
+[<ffffffff817e5bf2>] _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
+[<ffffffff817e5bf2>] cpumask_test_cpu include/linux/cpumask.h:506 [inline]
+[<ffffffff817e5bf2>] cpu_online include/linux/cpumask.h:1092 [inline]
+[<ffffffff817e5bf2>] trace_lock_acquire include/trace/events/lock.h:24 [inline]
+[<ffffffff817e5bf2>] lock_acquire+0xe2/0x590 kernel/locking/lockdep.c:5632
+[<ffffffff8563221e>] rcu_lock_acquire+0x2e/0x40 include/linux/rcupdate.h:306
+[<ffffffff8561464d>] rcu_read_lock include/linux/rcupdate.h:747 [inline]
+[<ffffffff8561464d>] ip6_pol_route+0x15d/0x1440 net/ipv6/route.c:2221
+[<ffffffff85618120>] ip6_pol_route_output+0x50/0x80 net/ipv6/route.c:2606
+[<ffffffff856f65b5>] pol_lookup_func include/net/ip6_fib.h:584 [inline]
+[<ffffffff856f65b5>] fib6_rule_lookup+0x265/0x620 net/ipv6/fib6_rules.c:116
+[<ffffffff85618009>] ip6_route_output_flags_noref+0x2d9/0x3a0 net/ipv6/route.c:2638
+[<ffffffff8561821a>] ip6_route_output_flags+0xca/0x340 net/ipv6/route.c:2651
+[<ffffffff838bd5a3>] ip6_route_output include/net/ip6_route.h:100 [inline]
+[<ffffffff838bd5a3>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:473 [inline]
+[<ffffffff838bd5a3>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]
+[<ffffffff838bd5a3>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
+[<ffffffff838bd5a3>] ipvlan_queue_xmit+0xc33/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677
+[<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229
+[<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline]
+[<ffffffff84d03900>] xmit_one net/core/dev.c:3644 [inline]
+[<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660
+[<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324
+[<ffffffff855ce4cd>] dev_queue_xmit include/linux/netdevice.h:3067 [inline]
+[<ffffffff855ce4cd>] neigh_hh_output include/net/neighbour.h:529 [inline]
+[<ffffffff855ce4cd>] neigh_output include/net/neighbour.h:543 [inline]
+[<ffffffff855ce4cd>] ip6_finish_output2+0x160d/0x1ae0 net/ipv6/ip6_output.c:139
+[<ffffffff855b8616>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline]
+[<ffffffff855b8616>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211
+[<ffffffff855b7e3c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline]
+[<ffffffff855b7e3c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232
+[<ffffffff8575d27f>] dst_output include/net/dst.h:444 [inline]
+[<ffffffff8575d27f>] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161
+[<ffffffff838bdae4>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline]
+[<ffffffff838bdae4>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]
+[<ffffffff838bdae4>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
+[<ffffffff838bdae4>] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677
+[<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229
+[<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline]
+[<ffffffff84d03900>] xmit_one net/core/dev.c:3644 [inline]
+[<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660
+[<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324
+[<ffffffff855ce4cd>] dev_queue_xmit include/linux/netdevice.h:3067 [inline]
+[<ffffffff855ce4cd>] neigh_hh_output include/net/neighbour.h:529 [inline]
+[<ffffffff855ce4cd>] neigh_output include/net/neighbour.h:543 [inline]
+[<ffffffff855ce4cd>] ip6_finish_output2+0x160d/0x1ae0 net/ipv6/ip6_output.c:139
+[<ffffffff855b8616>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline]
+[<ffffffff855b8616>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211
+[<ffffffff855b7e3c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline]
+[<ffffffff855b7e3c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232
+[<ffffffff8575d27f>] dst_output include/net/dst.h:444 [inline]
+[<ffffffff8575d27f>] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161
+[<ffffffff838bdae4>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline]
+[<ffffffff838bdae4>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]
+[<ffffffff838bdae4>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
+[<ffffffff838bdae4>] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677
+[<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229
+[<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline]
+[<ffffffff84d03900>] xmit_one net/core/dev.c:3644 [inline]
+[<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660
+[<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324
+[<ffffffff855ce4cd>] dev_queue_xmit include/linux/netdevice.h:3067 [inline]
+[<ffffffff855ce4cd>] neigh_hh_output include/net/neighbour.h:529 [inline]
+[<ffffffff855ce4cd>] neigh_output include/net/neighbour.h:543 [inline]
+[<ffffffff855ce4cd>] ip6_finish_output2+0x160d/0x1ae0 net/ipv6/ip6_output.c:139
+[<ffffffff855b8616>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline]
+[<ffffffff855b8616>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211
+[<ffffffff855b7e3c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline]
+[<ffffffff855b7e3c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232
+[<ffffffff8575d27f>] dst_output include/net/dst.h:444 [inline]
+[<ffffffff8575d27f>] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161
+[<ffffffff838bdae4>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline]
+[<ffffffff838bdae4>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]
+[<ffffffff838bdae4>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
+[<ffffffff838bdae4>] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677
+[<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229
+[<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline]
+[<ffffffff84d03900>] xmit_one net/core/dev.c:3644 [inline]
+[<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660
+[<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324
+[<ffffffff855ce4cd>] dev_queue_xmit include/linux/netdevice.h:3067 [inline]
+[<ffffffff855ce4cd>] neigh_hh_output include/net/neighbour.h:529 [inline]
+[<ffffffff855ce4cd>] neigh_output include/net/neighbour.h:543 [inline]
+[<ffffffff855ce4cd>] ip6_finish_output2+0x160d/0x1ae0 net/ipv6/ip6_output.c:139
+[<ffffffff855b8616>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline]
+[<ffffffff855b8616>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211
+[<ffffffff855b7e3c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline]
+[<ffffffff855b7e3c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232
+[<ffffffff8575d27f>] dst_output include/net/dst.h:444 [inline]
+[<ffffffff8575d27f>] ip6_local_out+0x10f/0x140 net/ipv6/output_core.c:161
+[<ffffffff838bdae4>] ipvlan_process_v6_outbound drivers/net/ipvlan/ipvlan_core.c:483 [inline]
+[<ffffffff838bdae4>] ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:529 [inline]
+[<ffffffff838bdae4>] ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
+[<ffffffff838bdae4>] ipvlan_queue_xmit+0x1174/0x1be0 drivers/net/ipvlan/ipvlan_core.c:677
+[<ffffffff838c2909>] ipvlan_start_xmit+0x49/0x100 drivers/net/ipvlan/ipvlan_main.c:229
+[<ffffffff84d03900>] netdev_start_xmit include/linux/netdevice.h:4966 [inline]
+[<ffffffff84d03900>] xmit_one net/core/dev.c:3644 [inline]
+[<ffffffff84d03900>] dev_hard_start_xmit+0x320/0x980 net/core/dev.c:3660
+[<ffffffff84d080e2>] __dev_queue_xmit+0x16b2/0x3370 net/core/dev.c:4324
+[<ffffffff84d4a65e>] dev_queue_xmit include/linux/netdevice.h:3067 [inline]
+[<ffffffff84d4a65e>] neigh_resolve_output+0x64e/0x750 net/core/neighbour.c:1560
+[<ffffffff855ce503>] neigh_output include/net/neighbour.h:545 [inline]
+[<ffffffff855ce503>] ip6_finish_output2+0x1643/0x1ae0 net/ipv6/ip6_output.c:139
+[<ffffffff855b8616>] __ip6_finish_output net/ipv6/ip6_output.c:200 [inline]
+[<ffffffff855b8616>] ip6_finish_output+0x6c6/0xb10 net/ipv6/ip6_output.c:211
+[<ffffffff855b7e3c>] NF_HOOK_COND include/linux/netfilter.h:298 [inline]
+[<ffffffff855b7e3c>] ip6_output+0x2bc/0x3d0 net/ipv6/ip6_output.c:232
+[<ffffffff855b9ce4>] dst_output include/net/dst.h:444 [inline]
+[<ffffffff855b9ce4>] NF_HOOK include/linux/netfilter.h:309 [inline]
+[<ffffffff855b9ce4>] ip6_xmit+0x11a4/0x1b20 net/ipv6/ip6_output.c:352
+[<ffffffff8597984e>] sctp_v6_xmit+0x9ae/0x1230 net/sctp/ipv6.c:250
+[<ffffffff8594623e>] sctp_packet_transmit+0x25de/0x2bc0 net/sctp/output.c:653
+[<ffffffff858f5142>] sctp_packet_singleton+0x202/0x310 net/sctp/outqueue.c:783
+[<ffffffff858ea411>] sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline]
+[<ffffffff858ea411>] sctp_outq_flush+0x661/0x3d40 net/sctp/outqueue.c:1212
+[<ffffffff858f02f9>] sctp_outq_uncork+0x79/0xb0 net/sctp/outqueue.c:764
+[<ffffffff8589f060>] sctp_side_effects net/sctp/sm_sideeffect.c:1199 [inline]
+[<ffffffff8589f060>] sctp_do_sm+0x55c0/0x5c30 net/sctp/sm_sideeffect.c:1170
+[<ffffffff85941567>] sctp_primitive_ASSOCIATE+0x97/0xc0 net/sctp/primitive.c:73
+[<ffffffff859408b2>] sctp_sendmsg_to_asoc+0xf62/0x17b0 net/sctp/socket.c:1839
+[<ffffffff85910b5e>] sctp_sendmsg+0x212e/0x33b0 net/sctp/socket.c:2029
+[<ffffffff8544d559>] inet_sendmsg+0x149/0x310 net/ipv4/af_inet.c:849
+[<ffffffff84c6c4d2>] sock_sendmsg_nosec net/socket.c:716 [inline]
+[<ffffffff84c6c4d2>] sock_sendmsg net/socket.c:736 [inline]
+[<ffffffff84c6c4d2>] ____sys_sendmsg+0x572/0x8c0 net/socket.c:2504
+[<ffffffff84c6ca91>] ___sys_sendmsg net/socket.c:2558 [inline]
+[<ffffffff84c6ca91>] __sys_sendmsg+0x271/0x360 net/socket.c:2587
+[<ffffffff84c6cbff>] __do_sys_sendmsg net/socket.c:2596 [inline]
+[<ffffffff84c6cbff>] __se_sys_sendmsg net/socket.c:2594 [inline]
+[<ffffffff84c6cbff>] __x64_sys_sendmsg+0x7f/0x90 net/socket.c:2594
+[<ffffffff85b32553>] do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+[<ffffffff85b32553>] do_syscall_64+0x53/0x80 arch/x86/entry/common.c:84
+[<ffffffff85c00087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Mahesh Bandewar <maheshb@google.com>
+Cc: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ipvlan/ipvlan_core.c | 41 +++++++++++++++++++-------------
+ 1 file changed, 25 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
+index b5a61b16a7eab..bfea28bd45027 100644
+--- a/drivers/net/ipvlan/ipvlan_core.c
++++ b/drivers/net/ipvlan/ipvlan_core.c
+@@ -412,7 +412,7 @@ struct ipvl_addr *ipvlan_addr_lookup(struct ipvl_port *port, void *lyr3h,
+ return addr;
+ }
+
+-static int ipvlan_process_v4_outbound(struct sk_buff *skb)
++static noinline_for_stack int ipvlan_process_v4_outbound(struct sk_buff *skb)
+ {
+ const struct iphdr *ip4h = ip_hdr(skb);
+ struct net_device *dev = skb->dev;
+@@ -454,13 +454,11 @@ static int ipvlan_process_v4_outbound(struct sk_buff *skb)
+ }
+
+ #if IS_ENABLED(CONFIG_IPV6)
+-static int ipvlan_process_v6_outbound(struct sk_buff *skb)
++
++static noinline_for_stack int
++ipvlan_route_v6_outbound(struct net_device *dev, struct sk_buff *skb)
+ {
+ const struct ipv6hdr *ip6h = ipv6_hdr(skb);
+- struct net_device *dev = skb->dev;
+- struct net *net = dev_net(dev);
+- struct dst_entry *dst;
+- int err, ret = NET_XMIT_DROP;
+ struct flowi6 fl6 = {
+ .flowi6_oif = dev->ifindex,
+ .daddr = ip6h->daddr,
+@@ -470,27 +468,38 @@ static int ipvlan_process_v6_outbound(struct sk_buff *skb)
+ .flowi6_mark = skb->mark,
+ .flowi6_proto = ip6h->nexthdr,
+ };
++ struct dst_entry *dst;
++ int err;
+
+- dst = ip6_route_output(net, NULL, &fl6);
+- if (dst->error) {
+- ret = dst->error;
++ dst = ip6_route_output(dev_net(dev), NULL, &fl6);
++ err = dst->error;
++ if (err) {
+ dst_release(dst);
+- goto err;
++ return err;
+ }
+ skb_dst_set(skb, dst);
++ return 0;
++}
++
++static int ipvlan_process_v6_outbound(struct sk_buff *skb)
++{
++ struct net_device *dev = skb->dev;
++ int err, ret = NET_XMIT_DROP;
++
++ err = ipvlan_route_v6_outbound(dev, skb);
++ if (unlikely(err)) {
++ DEV_STATS_INC(dev, tx_errors);
++ kfree_skb(skb);
++ return err;
++ }
+
+ memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
+
+- err = ip6_local_out(net, skb->sk, skb);
++ err = ip6_local_out(dev_net(dev), skb->sk, skb);
+ if (unlikely(net_xmit_eval(err)))
+ DEV_STATS_INC(dev, tx_errors);
+ else
+ ret = NET_XMIT_SUCCESS;
+- goto out;
+-err:
+- DEV_STATS_INC(dev, tx_errors);
+- kfree_skb(skb);
+-out:
+ return ret;
+ }
+ #else
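Review bot: The route-failure branch of the new ipvlan_process_v6_outbound() returns the raw `dst->error` value it gets from ipvlan_route_v6_outbound(), while every other exit returns NET_XMIT_DROP or NET_XMIT_SUCCESS. The removed code did the same, so this is not a regression, but the split makes the mixed return convention easier to overlook. A comment on the helper would record the contract and the skb ownership, for example `/* Returns 0 with skb's dst set, or a negative errno; the caller frees skb on error. */`. The helper also has no comment saying why it is `noinline_for_stack`; presumably it keeps `struct flowi6` out of the frame that recurses in the trace above, and a later cleanup could otherwise fold it back in.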
+--
+2.42.0
+
--- /dev/null
+From dc210c4f76c10a925dbd69b6033e0c9e8a0cb856 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Oct 2023 11:17:18 +0530
+Subject: jfs: fix array-index-out-of-bounds in dbFindLeaf
+
+From: Manas Ghandat <ghandatmanas@gmail.com>
+
+[ Upstream commit 22cad8bc1d36547cdae0eef316c47d917ce3147c ]
+
+Currently while searching for dmtree_t for sufficient free blocks there
+is an array out of bounds while getting element in tp->dm_stree. To add
+the required check for out of bound we first need to determine the type
+of dmtree. Thus added an extra parameter to dbFindLeaf so that the type
+of tree can be determined and the required check can be applied.
+
+Reported-by: syzbot+aea1ad91e854d0a83e04@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=aea1ad91e854d0a83e04
+Signed-off-by: Manas Ghandat <ghandatmanas@gmail.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_dmap.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
+index b23b219b20aab..ea330ce921b1a 100644
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -87,7 +87,7 @@ static int dbAllocCtl(struct bmap * bmp, s64 nblocks, int l2nb, s64 blkno,
+ static int dbExtend(struct inode *ip, s64 blkno, s64 nblocks, s64 addnblocks);
+ static int dbFindBits(u32 word, int l2nb);
+ static int dbFindCtl(struct bmap * bmp, int l2nb, int level, s64 * blkno);
+-static int dbFindLeaf(dmtree_t * tp, int l2nb, int *leafidx);
++static int dbFindLeaf(dmtree_t *tp, int l2nb, int *leafidx, bool is_ctl);
+ static int dbFreeBits(struct bmap * bmp, struct dmap * dp, s64 blkno,
+ int nblocks);
+ static int dbFreeDmap(struct bmap * bmp, struct dmap * dp, s64 blkno,
+@@ -1785,7 +1785,7 @@ static int dbFindCtl(struct bmap * bmp, int l2nb, int level, s64 * blkno)
+ * dbFindLeaf() returns the index of the leaf at which
+ * free space was found.
+ */
+- rc = dbFindLeaf((dmtree_t *) dcp, l2nb, &leafidx);
++ rc = dbFindLeaf((dmtree_t *) dcp, l2nb, &leafidx, true);
+
+ /* release the buffer.
+ */
+@@ -2032,7 +2032,7 @@ dbAllocDmapLev(struct bmap * bmp,
+ * free space. if sufficient free space is found, dbFindLeaf()
+ * returns the index of the leaf at which free space was found.
+ */
+- if (dbFindLeaf((dmtree_t *) & dp->tree, l2nb, &leafidx))
++ if (dbFindLeaf((dmtree_t *) &dp->tree, l2nb, &leafidx, false))
+ return -ENOSPC;
+
+ if (leafidx < 0)
+@@ -2992,14 +2992,18 @@ static void dbAdjTree(dmtree_t * tp, int leafno, int newval)
+ * leafidx - return pointer to be set to the index of the leaf
+ * describing at least l2nb free blocks if sufficient
+ * free blocks are found.
++ * is_ctl - determines if the tree is of type ctl
+ *
+ * RETURN VALUES:
+ * 0 - success
+ * -ENOSPC - insufficient free blocks.
+ */
+-static int dbFindLeaf(dmtree_t * tp, int l2nb, int *leafidx)
++static int dbFindLeaf(dmtree_t *tp, int l2nb, int *leafidx, bool is_ctl)
+ {
+ int ti, n = 0, k, x = 0;
++ int max_size;
++
++ max_size = is_ctl ? CTLTREESIZE : TREESIZE;
+
+ /* first check the root of the tree to see if there is
+ * sufficient free space.
+@@ -3020,6 +3024,8 @@ static int dbFindLeaf(dmtree_t * tp, int l2nb, int *leafidx)
+ /* sufficient free space found. move to the next
+ * level (or quit if this is the last level).
+ */
++ if (x + n > max_size)
++ return -ENOSPC;
+ if (l2nb <= tp->dmt_stree[x + n])
+ break;
+ }
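Review bot: The new guard `if (x + n > max_size)` still lets an index equal to `max_size` through to `tp->dmt_stree[x + n]` on the next line. If CTLTREESIZE and TREESIZE are the element counts of the two `dmt_stree` arrays (their definitions are not in this diff), the last valid index is `max_size - 1`, so the comparison should be `if (x + n >= max_size)`. The loop that contains the check starts outside this hunk, so the range of `x` and `n` cannot be confirmed from here.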
+--
+2.42.0
+
--- /dev/null
+From ea6ac2f450cb110ad577c45a1e4a3bae464a2e68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Oct 2023 13:10:40 +0530
+Subject: jfs: fix array-index-out-of-bounds in diAlloc
+
+From: Manas Ghandat <ghandatmanas@gmail.com>
+
+[ Upstream commit 05d9ea1ceb62a55af6727a69269a4fd310edf483 ]
+
+Currently there is no check against the agno of the iag while
+allocating new inodes to avoid fragmentation problem. Added the check
+which is required.
+
+Reported-by: syzbot+79d792676d8ac050949f@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=79d792676d8ac050949f
+Signed-off-by: Manas Ghandat <ghandatmanas@gmail.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_imap.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
+index 67c67604b8c85..14f918a4831d3 100644
+--- a/fs/jfs/jfs_imap.c
++++ b/fs/jfs/jfs_imap.c
+@@ -1322,7 +1322,7 @@ diInitInode(struct inode *ip, int iagno, int ino, int extno, struct iag * iagp)
+ int diAlloc(struct inode *pip, bool dir, struct inode *ip)
+ {
+ int rc, ino, iagno, addext, extno, bitno, sword;
+- int nwords, rem, i, agno;
++ int nwords, rem, i, agno, dn_numag;
+ u32 mask, inosmap, extsmap;
+ struct inode *ipimap;
+ struct metapage *mp;
+@@ -1358,6 +1358,9 @@ int diAlloc(struct inode *pip, bool dir, struct inode *ip)
+
+ /* get the ag number of this iag */
+ agno = BLKTOAG(JFS_IP(pip)->agstart, JFS_SBI(pip->i_sb));
++ dn_numag = JFS_SBI(pip->i_sb)->bmap->db_numag;
++ if (agno < 0 || agno > dn_numag)
++ return -EIO;
+
+ if (atomic_read(&JFS_SBI(pip->i_sb)->bmap->db_active[agno])) {
+ /*
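Review bot: The range check `if (agno < 0 || agno > dn_numag)` accepts `agno == dn_numag`, which is then used as the index in `db_active[agno]` two lines later. If `db_numag` is the number of allocation groups, valid group numbers run from 0 to `db_numag - 1`, so the test should read `if (agno < 0 || agno >= dn_numag)`. The size of `db_active` is not visible here, so whether the extra slot is in bounds cannot be confirmed from this hunk. `agno` appears to derive from `agstart`, which a crafted image could control, so the stricter form is the safer one. The local is named `dn_numag` although it holds `db_numag`; `numag` would avoid the near-miss spelling.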
+--
+2.42.0
+
--- /dev/null
+From 68899b4e8f79a7a6763fc7c716c504f4121fbfb9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 22 Aug 2023 13:19:46 -0700
+Subject: kgdb: Flush console before entering kgdb on panic
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit dd712d3d45807db9fcae28a522deee85c1f2fde6 ]
+
+When entering kdb/kgdb on a kernel panic, it was observed that the
+console isn't flushed before the `kdb` prompt came up. Specifically,
+when using the buddy lockup detector on arm64 and running:
+ echo HARDLOCKUP > /sys/kernel/debug/provoke-crash/DIRECT
+
+I could see:
+ [ 26.161099] lkdtm: Performing direct entry HARDLOCKUP
+ [ 32.499881] watchdog: Watchdog detected hard LOCKUP on cpu 6
+ [ 32.552865] Sending NMI from CPU 5 to CPUs 6:
+ [ 32.557359] NMI backtrace for cpu 6
+ ... [backtrace for cpu 6] ...
+ [ 32.558353] NMI backtrace for cpu 5
+ ... [backtrace for cpu 5] ...
+ [ 32.867471] Sending NMI from CPU 5 to CPUs 0-4,7:
+ [ 32.872321] NMI backtrace forP cpuANC: Hard LOCKUP
+
+ Entering kdb (current=..., pid 0) on processor 5 due to Keyboard Entry
+ [5]kdb>
+
+As you can see, backtraces for the other CPUs start printing and get
+interleaved with the kdb PANIC print.
+
+Let's replicate the commands to flush the console in the kdb panic
+entry point to avoid this.
+
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Link: https://lore.kernel.org/r/20230822131945.1.I5b460ae8f954e4c4f628a373d6e74713c06dd26f@changeid
+Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/debug/debug_core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/kernel/debug/debug_core.c b/kernel/debug/debug_core.c
+index f88611fadb195..1ab2e97034868 100644
+--- a/kernel/debug/debug_core.c
++++ b/kernel/debug/debug_core.c
+@@ -945,6 +945,9 @@ void kgdb_panic(const char *msg)
+ if (panic_timeout)
+ return;
+
++ debug_locks_off();
++ console_flush_on_panic(CONSOLE_FLUSH_PENDING);
++
+ if (dbg_kdb_mode)
+ kdb_printf("PANIC: %s\n", msg);
+
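Review bot: The two added calls in kgdb_panic() carry no comment explaining why they sit between the `panic_timeout` check and the `kdb_printf()`, nor why `debug_locks_off()` has to precede the flush. The reason is given only in the commit message, so a short comment would keep it from being removed as a duplicate of flushing done elsewhere on the panic path. Something like `/* Flush pending console output first so it is not interleaved with the kdb prompt. */` above `debug_locks_off();` would do. The rest of kgdb_panic() is outside this hunk.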
+--
+2.42.0
+
--- /dev/null
+From fde7d1de4daf5429db6da558aa0dbfbbb8150c57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Sep 2023 04:36:00 +0000
+Subject: locking/ww_mutex/test: Fix potential workqueue corruption
+
+From: John Stultz <jstultz@google.com>
+
+[ Upstream commit bccdd808902f8c677317cec47c306e42b93b849e ]
+
+In some cases running with the test-ww_mutex code, I was seeing
+odd behavior where sometimes it seemed flush_workqueue was
+returning before all the work threads were finished.
+
+Often this would cause strange crashes as the mutexes would be
+freed while they were being used.
+
+Looking at the code, there is a lifetime problem as the
+controlling thread that spawns the work allocates the
+"struct stress" structures that are passed to the workqueue
+threads. Then when the workqueue threads are finished,
+they free the stress struct that was passed to them.
+
+Unfortunately the workqueue work_struct node is in the stress
+struct. Which means the work_struct is freed before the work
+thread returns and while flush_workqueue is waiting.
+
+It seems like a better idea to have the controlling thread
+both allocate and free the stress structures, so that we can
+be sure we don't corrupt the workqueue by freeing the structure
+prematurely.
+
+So this patch reworks the test to do so, and with this change
+I no longer see the early flush_workqueue returns.
+
+Signed-off-by: John Stultz <jstultz@google.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Link: https://lore.kernel.org/r/20230922043616.19282-3-jstultz@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/locking/test-ww_mutex.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/kernel/locking/test-ww_mutex.c b/kernel/locking/test-ww_mutex.c
+index 3e82f449b4ff7..da36997d8742c 100644
+--- a/kernel/locking/test-ww_mutex.c
++++ b/kernel/locking/test-ww_mutex.c
+@@ -426,7 +426,6 @@ static void stress_inorder_work(struct work_struct *work)
+ } while (!time_after(jiffies, stress->timeout));
+
+ kfree(order);
+- kfree(stress);
+ }
+
+ struct reorder_lock {
+@@ -491,7 +490,6 @@ static void stress_reorder_work(struct work_struct *work)
+ list_for_each_entry_safe(ll, ln, &locks, link)
+ kfree(ll);
+ kfree(order);
+- kfree(stress);
+ }
+
+ static void stress_one_work(struct work_struct *work)
+@@ -512,8 +510,6 @@ static void stress_one_work(struct work_struct *work)
+ break;
+ }
+ } while (!time_after(jiffies, stress->timeout));
+-
+- kfree(stress);
+ }
+
+ #define STRESS_INORDER BIT(0)
+@@ -524,15 +520,24 @@ static void stress_one_work(struct work_struct *work)
+ static int stress(int nlocks, int nthreads, unsigned int flags)
+ {
+ struct ww_mutex *locks;
+- int n;
++ struct stress *stress_array;
++ int n, count;
+
+ locks = kmalloc_array(nlocks, sizeof(*locks), GFP_KERNEL);
+ if (!locks)
+ return -ENOMEM;
+
++ stress_array = kmalloc_array(nthreads, sizeof(*stress_array),
++ GFP_KERNEL);
++ if (!stress_array) {
++ kfree(locks);
++ return -ENOMEM;
++ }
++
+ for (n = 0; n < nlocks; n++)
+ ww_mutex_init(&locks[n], &ww_class);
+
++ count = 0;
+ for (n = 0; nthreads; n++) {
+ struct stress *stress;
+ void (*fn)(struct work_struct *work);
+@@ -556,9 +561,7 @@ static int stress(int nlocks, int nthreads, unsigned int flags)
+ if (!fn)
+ continue;
+
+- stress = kmalloc(sizeof(*stress), GFP_KERNEL);
+- if (!stress)
+- break;
++ stress = &stress_array[count++];
+
+ INIT_WORK(&stress->work, fn);
+ stress->locks = locks;
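Review bot: The slot index in `stress = &stress_array[count++];` is bounded only implicitly. The array is allocated with the initial `nthreads` elements and the loop runs `for (n = 0; nthreads; n++)`, with the decrement of `nthreads` outside the visible hunks. Presumably one slot is taken per decrement, so `count` cannot pass the allocation, but nothing on the new side states that. I would add `/* one slot per queued work item; count never exceeds the initial nthreads */` above the assignment. The matching `kfree(stress_array)` in the last hunk is only safe after the workqueue has been flushed, and that call is also outside the hunks shown.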
+@@ -573,6 +576,7 @@ static int stress(int nlocks, int nthreads, unsigned int flags)
+
+ for (n = 0; n < nlocks; n++)
+ ww_mutex_destroy(&locks[n]);
++ kfree(stress_array);
+ kfree(locks);
+
+ return 0;
+--
+2.42.0
+
--- /dev/null
+From 0f25ed5e7730595969da5aa923e4d35f96b5df29 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Nov 2023 18:59:15 +0100
+Subject: macvlan: Don't propagate promisc change to lower dev in passthru
+
+From: Vlad Buslov <vladbu@nvidia.com>
+
+[ Upstream commit 7e1caeace0418381f36b3aa8403dfd82fc57fc53 ]
+
+Macvlan device in passthru mode sets its lower device promiscuous mode
+according to its MACVLAN_FLAG_NOPROMISC flag instead of synchronizing it to
+its own promiscuity setting. However, macvlan_change_rx_flags() function
+doesn't check the mode before propagating such changes to the lower device
+which can cause net_device->promiscuity counter overflow as illustrated by
+reproduction example [0] and resulting dmesg log [1]. Fix the issue by
+first verifying the mode in macvlan_change_rx_flags() function before
+propagating promiscuous mode change to the lower device.
+
+[0]:
+ip link add macvlan1 link enp8s0f0 type macvlan mode passthru
+ip link set macvlan1 promisc on
+ip l set dev macvlan1 up
+ip link set macvlan1 promisc off
+ip l set dev macvlan1 down
+ip l set dev macvlan1 up
+
+[1]:
+[ 5156.281724] macvlan1: entered promiscuous mode
+[ 5156.285467] mlx5_core 0000:08:00.0 enp8s0f0: entered promiscuous mode
+[ 5156.287639] macvlan1: left promiscuous mode
+[ 5156.288339] mlx5_core 0000:08:00.0 enp8s0f0: left promiscuous mode
+[ 5156.290907] mlx5_core 0000:08:00.0 enp8s0f0: entered promiscuous mode
+[ 5156.317197] mlx5_core 0000:08:00.0 enp8s0f0: promiscuity touches roof, set promiscuity failed. promiscuity feature of device might be broken.
+
+Fixes: efdbd2b30caa ("macvlan: Propagate promiscuity setting to lower devices.")
+Reviewed-by: Gal Pressman <gal@nvidia.com>
+Signed-off-by: Vlad Buslov <vladbu@nvidia.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Link: https://lore.kernel.org/r/20231114175915.1649154-1-vladbu@nvidia.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/macvlan.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
+index 545d181453504..46398b06676c0 100644
+--- a/drivers/net/macvlan.c
++++ b/drivers/net/macvlan.c
+@@ -765,7 +765,7 @@ static void macvlan_change_rx_flags(struct net_device *dev, int change)
+ if (dev->flags & IFF_UP) {
+ if (change & IFF_ALLMULTI)
+ dev_set_allmulti(lowerdev, dev->flags & IFF_ALLMULTI ? 1 : -1);
+- if (change & IFF_PROMISC)
++ if (!macvlan_passthru(vlan->port) && change & IFF_PROMISC)
+ dev_set_promiscuity(lowerdev,
+ dev->flags & IFF_PROMISC ? 1 : -1);
+
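Review bot: The new condition `if (!macvlan_passthru(vlan->port) && change & IFF_PROMISC)` mixes `&&` with an unparenthesised `&`. The precedence gives the intended result, but the neighbouring `if (change & IFF_ALLMULTI)` reads as a plain flag test and this line no longer does. Writing it as `if (!macvlan_passthru(vlan->port) && (change & IFF_PROMISC))` makes the grouping explicit. A one-line comment that passthru mode manages the lower device's promiscuity through MACVLAN_FLAG_NOPROMISC would also explain why the mode is checked here.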
+--
+2.42.0
+
--- /dev/null
+From 89bc8b205db1f7fabe302675a5a81c28a2c61acb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Sep 2023 15:27:40 +0300
+Subject: media: cobalt: Use FIELD_GET() to extract Link Width
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+[ Upstream commit f301fedbeecfdce91cb898d6fa5e62f269801fee ]
+
+Use FIELD_GET() to extract PCIe Negotiated and Maximum Link Width fields
+instead of custom masking and shifting.
+
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/cobalt/cobalt-driver.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/media/pci/cobalt/cobalt-driver.c b/drivers/media/pci/cobalt/cobalt-driver.c
+index 1bd8bbe57a30e..1f230b14cbfdd 100644
+--- a/drivers/media/pci/cobalt/cobalt-driver.c
++++ b/drivers/media/pci/cobalt/cobalt-driver.c
+@@ -8,6 +8,7 @@
+ * All rights reserved.
+ */
+
++#include <linux/bitfield.h>
+ #include <linux/delay.h>
+ #include <media/i2c/adv7604.h>
+ #include <media/i2c/adv7842.h>
+@@ -210,17 +211,17 @@ void cobalt_pcie_status_show(struct cobalt *cobalt)
+ pcie_capability_read_word(pci_dev, PCI_EXP_LNKSTA, &stat);
+ cobalt_info("PCIe link capability 0x%08x: %s per lane and %u lanes\n",
+ capa, get_link_speed(capa),
+- (capa & PCI_EXP_LNKCAP_MLW) >> 4);
++ FIELD_GET(PCI_EXP_LNKCAP_MLW, capa));
+ cobalt_info("PCIe link control 0x%04x\n", ctrl);
+ cobalt_info("PCIe link status 0x%04x: %s per lane and %u lanes\n",
+ stat, get_link_speed(stat),
+- (stat & PCI_EXP_LNKSTA_NLW) >> 4);
++ FIELD_GET(PCI_EXP_LNKSTA_NLW, stat));
+
+ /* Bus */
+ pcie_capability_read_dword(pci_bus_dev, PCI_EXP_LNKCAP, &capa);
+ cobalt_info("PCIe bus link capability 0x%08x: %s per lane and %u lanes\n",
+ capa, get_link_speed(capa),
+- (capa & PCI_EXP_LNKCAP_MLW) >> 4);
++ FIELD_GET(PCI_EXP_LNKCAP_MLW, capa));
+
+ /* Slot */
+ pcie_capability_read_dword(pci_dev, PCI_EXP_SLTCAP, &capa);
+@@ -239,7 +240,7 @@ static unsigned pcie_link_get_lanes(struct cobalt *cobalt)
+ if (!pci_is_pcie(pci_dev))
+ return 0;
+ pcie_capability_read_word(pci_dev, PCI_EXP_LNKSTA, &link);
+- return (link & PCI_EXP_LNKSTA_NLW) >> 4;
++ return FIELD_GET(PCI_EXP_LNKSTA_NLW, link);
+ }
+
+ static unsigned pcie_bus_link_get_lanes(struct cobalt *cobalt)
+@@ -250,7 +251,7 @@ static unsigned pcie_bus_link_get_lanes(struct cobalt *cobalt)
+ if (!pci_is_pcie(pci_dev))
+ return 0;
+ pcie_capability_read_dword(pci_dev, PCI_EXP_LNKCAP, &link);
+- return (link & PCI_EXP_LNKCAP_MLW) >> 4;
++ return FIELD_GET(PCI_EXP_LNKCAP_MLW, link);
+ }
+
+ static void msi_config_show(struct cobalt *cobalt, struct pci_dev *pci_dev)
+--
+2.42.0
+
--- /dev/null
+From a2fc5fe278a102fc0f095d299bc3c6ec9d427bd4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Aug 2023 13:14:01 +0530
+Subject: media: gspca: cpia1: shift-out-of-bounds in set_flicker
+
+From: Rajeshwar R Shinde <coolrrsh@gmail.com>
+
+[ Upstream commit 099be1822d1f095433f4b08af9cc9d6308ec1953 ]
+
+Syzkaller reported the following issue:
+UBSAN: shift-out-of-bounds in drivers/media/usb/gspca/cpia1.c:1031:27
+shift exponent 245 is too large for 32-bit type 'int'
+
+When the value of the variable "sd->params.exposure.gain" exceeds the
+number of bits in an integer, a shift-out-of-bounds error is reported. It
+is triggered because the variable "currentexp" cannot be left-shifted by
+more than the number of bits in an integer. In order to avoid invalid
+range during left-shift, the conditional expression is added.
+
+Reported-by: syzbot+e27f3dbdab04e43b9f73@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/20230818164522.12806-1-coolrrsh@gmail.com
+Link: https://syzkaller.appspot.com/bug?extid=e27f3dbdab04e43b9f73
+Signed-off-by: Rajeshwar R Shinde <coolrrsh@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/gspca/cpia1.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/media/usb/gspca/cpia1.c b/drivers/media/usb/gspca/cpia1.c
+index d93d384286c16..de945e13c7c6b 100644
+--- a/drivers/media/usb/gspca/cpia1.c
++++ b/drivers/media/usb/gspca/cpia1.c
+@@ -18,6 +18,7 @@
+
+ #include <linux/input.h>
+ #include <linux/sched/signal.h>
++#include <linux/bitops.h>
+
+ #include "gspca.h"
+
+@@ -1027,6 +1028,8 @@ static int set_flicker(struct gspca_dev *gspca_dev, int on, int apply)
+ sd->params.exposure.expMode = 2;
+ sd->exposure_status = EXPOSURE_NORMAL;
+ }
++ if (sd->params.exposure.gain >= BITS_PER_TYPE(currentexp))
++ return -EINVAL;
+ currentexp = currentexp << sd->params.exposure.gain;
+ sd->params.exposure.gain = 0;
+ /* round down current exposure to nearest value */
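Review bot: The added check `if (sd->params.exposure.gain >= BITS_PER_TYPE(currentexp)) return -EINVAL;` rejects only shift counts at or above the type's width. The UBSAN report quoted in the description says `currentexp` is a 32-bit `int`, so a count below 32 can still shift into or past the sign bit in `currentexp << sd->params.exposure.gain`. The return also comes after the block above it, which may already have written `expMode` and `exposure_status`, so the error path can leave the parameters half-updated. Validating `gain` before any state is changed, and against the largest gain the hardware defines rather than the type width, would close both gaps. The start of set_flicker() is outside this hunk, so where such a check belongs cannot be placed exactly from here.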
+--
+2.42.0
+
--- /dev/null
+From 03f367ad5dc774c77287a9c53f27e7bc4a18210c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Sep 2023 17:20:48 +0200
+Subject: media: vivid: avoid integer overflow
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 4567ebf8e8f9546b373e78e3b7d584cc30b62028 ]
+
+Fixes these compiler warnings:
+
+drivers/media/test-drivers/vivid/vivid-rds-gen.c: In function 'vivid_rds_gen_fill':
+drivers/media/test-drivers/vivid/vivid-rds-gen.c:147:56: warning: '.' directive output may be truncated writing 1 byte into a region of size between 0 and 3 [-Wformat-truncation=]
+ 147 | snprintf(rds->psname, sizeof(rds->psname), "%6d.%1d",
+ | ^
+drivers/media/test-drivers/vivid/vivid-rds-gen.c:147:52: note: directive argument in the range [0, 9]
+ 147 | snprintf(rds->psname, sizeof(rds->psname), "%6d.%1d",
+ | ^~~~~~~~~
+drivers/media/test-drivers/vivid/vivid-rds-gen.c:147:9: note: 'snprintf' output between 9 and 12 bytes into a destination of size 9
+ 147 | snprintf(rds->psname, sizeof(rds->psname), "%6d.%1d",
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ 148 | freq / 16, ((freq & 0xf) * 10) / 16);
+ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/vivid/vivid-rds-gen.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/vivid/vivid-rds-gen.c b/drivers/media/platform/vivid/vivid-rds-gen.c
+index b5b104ee64c99..c57771119a34b 100644
+--- a/drivers/media/platform/vivid/vivid-rds-gen.c
++++ b/drivers/media/platform/vivid/vivid-rds-gen.c
+@@ -145,7 +145,7 @@ void vivid_rds_gen_fill(struct vivid_rds_gen *rds, unsigned freq,
+ rds->ta = alt;
+ rds->ms = true;
+ snprintf(rds->psname, sizeof(rds->psname), "%6d.%1d",
+- freq / 16, ((freq & 0xf) * 10) / 16);
++ (freq / 16) % 1000000, (((freq & 0xf) * 10) / 16) % 10);
+ if (alt)
+ strscpy(rds->radiotext,
+ " The Radio Data System can switch between different Radio Texts ",
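Review bot: `freq` is declared `unsigned` in the signature shown in the hunk header, so both new arguments are unsigned, yet the format string still uses `%6d.%1d`. The specifiers should match the argument type: `snprintf(rds->psname, sizeof(rds->psname), "%6u.%1u",`. The `% 1000000` also wraps an out-of-range frequency into a plausible-looking station name instead of rejecting it. The trailing `% 10` cannot change the value, since `((freq & 0xf) * 10) / 16` is at most 9. A comment such as `/* modulo only bounds the output width for -Wformat-truncation */` would say that both are there for the compiler.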
+--
+2.42.0
+
--- /dev/null
+From abe97fd1907b60b9c10e739339db12acc224bddd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Sep 2023 20:28:18 +0000
+Subject: net: annotate data-races around sk->sk_dst_pending_confirm
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit eb44ad4e635132754bfbcb18103f1dcb7058aedd ]
+
+This field can be read or written without socket lock being held.
+
+Add annotations to avoid load-store tearing.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sock.h | 6 +++---
+ net/core/sock.c | 2 +-
+ net/ipv4/tcp_output.c | 2 +-
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index b021c8912e2cf..5293f2b65fb55 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -1941,7 +1941,7 @@ static inline void dst_negative_advice(struct sock *sk)
+ if (ndst != dst) {
+ rcu_assign_pointer(sk->sk_dst_cache, ndst);
+ sk_tx_queue_clear(sk);
+- sk->sk_dst_pending_confirm = 0;
++ WRITE_ONCE(sk->sk_dst_pending_confirm, 0);
+ }
+ }
+ }
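Review bot: The `WRITE_ONCE(sk->sk_dst_pending_confirm, 0)` added in dst_negative_advice() has no comment naming the lockless access it pairs with, and the same holds for the stores in the __sk_dst_set(), sk_dst_set() and __sk_dst_check() hunks and for the `READ_ONCE()` in the __tcp_transmit_skb() hunk. The sibling change for `sk_tx_queue_mapping` documents each access with a "Paired with ..." comment; doing the same here, e.g. `/* Paired with READ_ONCE() in __tcp_transmit_skb(); socket lock might not be held. */`, would keep the two consistent. These annotations only prevent tearing and compiler re-reads; they do not order this store against the `sk_dst_cache` update next to it, so a reader that needs both values to agree would still need the lock or a barrier, and whether such a reader exists cannot be told from these hunks. Other accesses to the field may exist outside the visible hunks and would need the same treatment.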
+@@ -1952,7 +1952,7 @@ __sk_dst_set(struct sock *sk, struct dst_entry *dst)
+ struct dst_entry *old_dst;
+
+ sk_tx_queue_clear(sk);
+- sk->sk_dst_pending_confirm = 0;
++ WRITE_ONCE(sk->sk_dst_pending_confirm, 0);
+ old_dst = rcu_dereference_protected(sk->sk_dst_cache,
+ lockdep_sock_is_held(sk));
+ rcu_assign_pointer(sk->sk_dst_cache, dst);
+@@ -1965,7 +1965,7 @@ sk_dst_set(struct sock *sk, struct dst_entry *dst)
+ struct dst_entry *old_dst;
+
+ sk_tx_queue_clear(sk);
+- sk->sk_dst_pending_confirm = 0;
++ WRITE_ONCE(sk->sk_dst_pending_confirm, 0);
+ old_dst = xchg((__force struct dst_entry **)&sk->sk_dst_cache, dst);
+ dst_release(old_dst);
+ }
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 9979cd602dfac..2c3c5df139345 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -545,7 +545,7 @@ struct dst_entry *__sk_dst_check(struct sock *sk, u32 cookie)
+
+ if (dst && dst->obsolete && dst->ops->check(dst, cookie) == NULL) {
+ sk_tx_queue_clear(sk);
+- sk->sk_dst_pending_confirm = 0;
++ WRITE_ONCE(sk->sk_dst_pending_confirm, 0);
+ RCU_INIT_POINTER(sk->sk_dst_cache, NULL);
+ dst_release(dst);
+ return NULL;
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 0107436860171..1dce05bfa3005 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -1103,7 +1103,7 @@ static int __tcp_transmit_skb(struct sock *sk, struct sk_buff *skb,
+ skb_set_hash_from_sk(skb, sk);
+ refcount_add(skb->truesize, &sk->sk_wmem_alloc);
+
+- skb_set_dst_pending_confirm(skb, sk->sk_dst_pending_confirm);
++ skb_set_dst_pending_confirm(skb, READ_ONCE(sk->sk_dst_pending_confirm));
+
+ /* Build TCP header and checksum it. */
+ th = (struct tcphdr *)skb->data;
+--
+2.42.0
+
--- /dev/null
+From de2537e0c48179b392e82cb932bcb03bee72ce5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Sep 2023 20:28:17 +0000
+Subject: net: annotate data-races around sk->sk_tx_queue_mapping
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 0bb4d124d34044179b42a769a0c76f389ae973b6 ]
+
+This field can be read or written without socket lock being held.
+
+Add annotations to avoid load-store tearing.
+
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/sock.h | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index f73ef7087a187..b021c8912e2cf 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -1782,21 +1782,33 @@ static inline void sk_tx_queue_set(struct sock *sk, int tx_queue)
+ /* sk_tx_queue_mapping accept only upto a 16-bit value */
+ if (WARN_ON_ONCE((unsigned short)tx_queue >= USHRT_MAX))
+ return;
+- sk->sk_tx_queue_mapping = tx_queue;
++ /* Paired with READ_ONCE() in sk_tx_queue_get() and
++ * other WRITE_ONCE() because socket lock might be not held.
++ */
++ WRITE_ONCE(sk->sk_tx_queue_mapping, tx_queue);
+ }
+
+ #define NO_QUEUE_MAPPING USHRT_MAX
+
+ static inline void sk_tx_queue_clear(struct sock *sk)
+ {
+- sk->sk_tx_queue_mapping = NO_QUEUE_MAPPING;
++ /* Paired with READ_ONCE() in sk_tx_queue_get() and
++ * other WRITE_ONCE() because socket lock might be not held.
++ */
++ WRITE_ONCE(sk->sk_tx_queue_mapping, NO_QUEUE_MAPPING);
+ }
+
+ static inline int sk_tx_queue_get(const struct sock *sk)
+ {
+- if (sk && sk->sk_tx_queue_mapping != NO_QUEUE_MAPPING)
+- return sk->sk_tx_queue_mapping;
++ if (sk) {
++ /* Paired with WRITE_ONCE() in sk_tx_queue_clear()
++ * and sk_tx_queue_set().
++ */
++ int val = READ_ONCE(sk->sk_tx_queue_mapping);
+
++ if (val != NO_QUEUE_MAPPING)
++ return val;
++ }
+ return -1;
+ }
+
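Review bot: The guard in front of the new `WRITE_ONCE(sk->sk_tx_queue_mapping, tx_queue)` in sk_tx_queue_set() casts `tx_queue` to `unsigned short` before comparing, so an `int` above 65535 is truncated first, passes the check and is stored as its low 16 bits. That check is unchanged context rather than part of this change, and callers may never pass such a value, but since the function is being touched the range test could be made on the full value: `if (WARN_ON_ONCE(tx_queue < 0 || tx_queue >= USHRT_MAX))`. The two added comments would also read better as "socket lock might not be held".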
+--
+2.42.0
+
--- /dev/null
+From e4672a207ffe5ca871911b0374145debc96828eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Nov 2023 10:03:12 +0100
+Subject: net: ethernet: cortina: Fix max RX frame define
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit 510e35fb931ffc3b100e5d5ae4595cd3beca9f1a ]
+
+Enumerator 3 is 1548 bytes according to the datasheet.
+Not 1542.
+
+Fixes: 4d5ae32f5e1e ("net: ethernet: Add a driver for Gemini gigabit ethernet")
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Link: https://lore.kernel.org/r/20231109-gemini-largeframe-fix-v4-1-6e611528db08@linaro.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cortina/gemini.c | 4 ++--
+ drivers/net/ethernet/cortina/gemini.h | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c
+index a8a8b77c1611e..fbb50a0602832 100644
+--- a/drivers/net/ethernet/cortina/gemini.c
++++ b/drivers/net/ethernet/cortina/gemini.c
+@@ -432,8 +432,8 @@ static const struct gmac_max_framelen gmac_maxlens[] = {
+ .val = CONFIG0_MAXLEN_1536,
+ },
+ {
+- .max_l3_len = 1542,
+- .val = CONFIG0_MAXLEN_1542,
++ .max_l3_len = 1548,
++ .val = CONFIG0_MAXLEN_1548,
+ },
+ {
+ .max_l3_len = 9212,
+diff --git a/drivers/net/ethernet/cortina/gemini.h b/drivers/net/ethernet/cortina/gemini.h
+index 9fdf77d5eb374..99efb11557436 100644
+--- a/drivers/net/ethernet/cortina/gemini.h
++++ b/drivers/net/ethernet/cortina/gemini.h
+@@ -787,7 +787,7 @@ union gmac_config0 {
+ #define CONFIG0_MAXLEN_1536 0
+ #define CONFIG0_MAXLEN_1518 1
+ #define CONFIG0_MAXLEN_1522 2
+-#define CONFIG0_MAXLEN_1542 3
++#define CONFIG0_MAXLEN_1548 3
+ #define CONFIG0_MAXLEN_9k 4 /* 9212 */
+ #define CONFIG0_MAXLEN_10k 5 /* 10236 */
+ #define CONFIG0_MAXLEN_1518__6 6
+--
+2.42.0
+
--- /dev/null
+From f65a2a59bd07cafde84d5dd393a4e6b2a6e9a3d1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Nov 2023 10:03:14 +0100
+Subject: net: ethernet: cortina: Fix MTU max setting
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit dc6c0bfbaa947dd7976e30e8c29b10c868b6fa42 ]
+
+The RX max frame size is over 10000 for the Gemini ethernet,
+but the TX max frame size is actually just 2047 (0x7ff after
+checking the datasheet). Reflect this in what we offer to Linux,
+cap the MTU at the TX max frame minus ethernet headers.
+
+We delete the code disabling the hardware checksum for large
+MTUs as netdev->mtu can no longer be larger than
+netdev->max_mtu meaning the if()-clause in gmac_fix_features()
+is never true.
+
+Fixes: 4d5ae32f5e1e ("net: ethernet: Add a driver for Gemini gigabit ethernet")
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Link: https://lore.kernel.org/r/20231109-gemini-largeframe-fix-v4-3-6e611528db08@linaro.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cortina/gemini.c | 17 ++++-------------
+ drivers/net/ethernet/cortina/gemini.h | 2 +-
+ 2 files changed, 5 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c
+index ce1ada712af69..4bcdb48b0e9cc 100644
+--- a/drivers/net/ethernet/cortina/gemini.c
++++ b/drivers/net/ethernet/cortina/gemini.c
+@@ -2015,15 +2015,6 @@ static int gmac_change_mtu(struct net_device *netdev, int new_mtu)
+ return 0;
+ }
+
+-static netdev_features_t gmac_fix_features(struct net_device *netdev,
+- netdev_features_t features)
+-{
+- if (netdev->mtu + ETH_HLEN + VLAN_HLEN > MTU_SIZE_BIT_MASK)
+- features &= ~GMAC_OFFLOAD_FEATURES;
+-
+- return features;
+-}
+-
+ static int gmac_set_features(struct net_device *netdev,
+ netdev_features_t features)
+ {
+@@ -2244,7 +2235,6 @@ static const struct net_device_ops gmac_351x_ops = {
+ .ndo_set_mac_address = gmac_set_mac_address,
+ .ndo_get_stats64 = gmac_get_stats64,
+ .ndo_change_mtu = gmac_change_mtu,
+- .ndo_fix_features = gmac_fix_features,
+ .ndo_set_features = gmac_set_features,
+ };
+
+@@ -2498,11 +2488,12 @@ static int gemini_ethernet_port_probe(struct platform_device *pdev)
+
+ netdev->hw_features = GMAC_OFFLOAD_FEATURES;
+ netdev->features |= GMAC_OFFLOAD_FEATURES | NETIF_F_GRO;
+- /* We can handle jumbo frames up to 10236 bytes so, let's accept
+- * payloads of 10236 bytes minus VLAN and ethernet header
++ /* We can receive jumbo frames up to 10236 bytes but only
++ * transmit 2047 bytes so, let's accept payloads of 2047
++ * bytes minus VLAN and ethernet header
+ */
+ netdev->min_mtu = ETH_MIN_MTU;
+- netdev->max_mtu = 10236 - VLAN_ETH_HLEN;
++ netdev->max_mtu = MTU_SIZE_BIT_MASK - VLAN_ETH_HLEN;
+
+ port->freeq_refill = 0;
+ netif_napi_add(netdev, &port->napi, gmac_napi_poll,
+diff --git a/drivers/net/ethernet/cortina/gemini.h b/drivers/net/ethernet/cortina/gemini.h
+index 99efb11557436..24bb989981f23 100644
+--- a/drivers/net/ethernet/cortina/gemini.h
++++ b/drivers/net/ethernet/cortina/gemini.h
+@@ -502,7 +502,7 @@ union gmac_txdesc_3 {
+ #define SOF_BIT 0x80000000
+ #define EOF_BIT 0x40000000
+ #define EOFIE_BIT BIT(29)
+-#define MTU_SIZE_BIT_MASK 0x1fff
++#define MTU_SIZE_BIT_MASK 0x7ff /* Max MTU 2047 bytes */
+
+ /* GMAC Tx Descriptor */
+ struct gmac_txdesc {
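Review bot: The comment added to `MTU_SIZE_BIT_MASK` says "Max MTU 2047 bytes", but the probe hunk sets `netdev->max_mtu = MTU_SIZE_BIT_MASK - VLAN_ETH_HLEN`, so 2047 is the largest TX frame length and the MTU offered to the stack is smaller. `/* Max TX frame length 2047 bytes */` would say that. The define is also a field mask by name, so narrowing it from 0x1fff to 0x7ff changes every place that masks with it. Those uses are outside the visible hunks, and it is worth confirming that none of them still expects the 13-bit width.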
+--
+2.42.0
+
--- /dev/null
+From 33f4c3547379bfa97c0369916217f83d2eb637d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Nov 2023 10:03:13 +0100
+Subject: net: ethernet: cortina: Handle large frames
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit d4d0c5b4d279bfe3585fbd806efefd3e51c82afa ]
+
+The Gemini ethernet controller provides hardware checksumming
+for frames up to 1514 bytes including ethernet headers but not
+FCS.
+
+If we start sending bigger frames (after first bumping up the MTU
+on both interfaces sending and receiving the frames), truncated
+packets start to appear on the target such as in this tcpdump
+resulting from ping -s 1474:
+
+23:34:17.241983 14:d6:4d:a8:3c:4f (oui Unknown) > bc:ae:c5:6b:a8:3d (oui Unknown),
+ethertype IPv4 (0x0800), length 1514: truncated-ip - 2 bytes missing!
+(tos 0x0, ttl 64, id 32653, offset 0, flags [DF], proto ICMP (1), length 1502)
+OpenWrt.lan > Fecusia: ICMP echo request, id 1672, seq 50, length 1482
+
+If we bypass the hardware checksumming and provide a software
+fallback, everything starts working fine up to the max TX MTU
+of 2047 bytes, for example ping -s2000 192.168.1.2:
+
+00:44:29.587598 bc:ae:c5:6b:a8:3d (oui Unknown) > 14:d6:4d:a8:3c:4f (oui Unknown),
+ethertype IPv4 (0x0800), length 2042:
+(tos 0x0, ttl 64, id 51828, offset 0, flags [none], proto ICMP (1), length 2028)
+Fecusia > OpenWrt.lan: ICMP echo reply, id 1683, seq 4, length 2008
+
+The bit enabling to bypass hardware checksum (or any of the
+"TSS" bits) are undocumented in the hardware reference manual.
+The entire hardware checksum unit appears undocumented. The
+conclusion that we need to use the "bypass" bit was found by
+trial-and-error.
+
+Since no hardware checksum will happen, we slot in a software
+checksum fallback.
+
+Check for the condition where we need to compute checksum on the
+skb with either hardware or software using == CHECKSUM_PARTIAL instead
+of != CHECKSUM_NONE which is an incomplete check according to
+<linux/skbuff.h>.
+
+On the D-Link DIR-685 router this fixes a bug on the conduit
+interface to the RTL8366RB DSA switch: as the switch needs to add
+space for its tag it increases the MTU on the conduit interface
+to 1504 and that means that when the router sends packages
+of 1500 bytes these get an extra 4 bytes of DSA tag and the
+transfer fails because of the erroneous hardware checksumming,
+affecting such basic functionality as the LuCI web interface.
+
+Fixes: 4d5ae32f5e1e ("net: ethernet: Add a driver for Gemini gigabit ethernet")
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
+Link: https://lore.kernel.org/r/20231109-gemini-largeframe-fix-v4-2-6e611528db08@linaro.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/cortina/gemini.c | 24 +++++++++++++++++++++++-
+ 1 file changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c
+index fbb50a0602832..ce1ada712af69 100644
+--- a/drivers/net/ethernet/cortina/gemini.c
++++ b/drivers/net/ethernet/cortina/gemini.c
+@@ -1152,6 +1152,7 @@ static int gmac_map_tx_bufs(struct net_device *netdev, struct sk_buff *skb,
+ dma_addr_t mapping;
+ unsigned short mtu;
+ void *buffer;
++ int ret;
+
+ mtu = ETH_HLEN;
+ mtu += netdev->mtu;
+@@ -1166,9 +1167,30 @@ static int gmac_map_tx_bufs(struct net_device *netdev, struct sk_buff *skb,
+ word3 |= mtu;
+ }
+
+- if (skb->ip_summed != CHECKSUM_NONE) {
++ if (skb->len >= ETH_FRAME_LEN) {
++ /* Hardware offloaded checksumming isn't working on frames
++ * bigger than 1514 bytes. A hypothesis about this is that the
++ * checksum buffer is only 1518 bytes, so when the frames get
++ * bigger they get truncated, or the last few bytes get
++ * overwritten by the FCS.
++ *
++ * Just use software checksumming and bypass on bigger frames.
++ */
++ if (skb->ip_summed == CHECKSUM_PARTIAL) {
++ ret = skb_checksum_help(skb);
++ if (ret)
++ return ret;
++ }
++ word1 |= TSS_BYPASS_BIT;
++ } else if (skb->ip_summed == CHECKSUM_PARTIAL) {
+ int tcp = 0;
+
++ /* We do not switch off the checksumming on non TCP/UDP
++ * frames: as is shown from tests, the checksumming engine
++ * is smart enough to see that a frame is not actually TCP
++ * or UDP and then just pass it through without any changes
++ * to the frame.
++ */
+ if (skb->protocol == htons(ETH_P_IP)) {
+ word1 |= TSS_IP_CHKSUM_BIT;
+ tcp = ip_hdr(skb)->protocol == IPPROTO_TCP;
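Review bot: The new test `if (skb->len >= ETH_FRAME_LEN)` sends a frame of exactly 1514 bytes down the software path, while the comment under it and the commit description say hardware checksumming fails only on frames bigger than 1514 bytes. Either the comparison should be `>` or the comment should say "1514 bytes or more"; as written a reader cannot tell which boundary was measured. `skb_checksum_help()` is also now reached for every CHECKSUM_PARTIAL skb at or above that length. If the device advertises segmentation offload (GMAC_OFFLOAD_FEATURES is defined outside these hunks), GSO skbs would take this branch too, which should be confirmed as intended. gmac_map_tx_bufs() starts and continues outside the hunk, so whether the early `return ret` needs any unwinding cannot be checked here.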
+--
+2.42.0
+
--- /dev/null
+From aeded8533f3a1b8722ecc4570967bd63eea5aa51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Nov 2023 17:37:11 +0800
+Subject: net: hns3: fix variable may not initialized problem in
+ hns3_init_mac_addr()
+
+From: Yonglong Liu <liuyonglong@huawei.com>
+
+[ Upstream commit dbd2f3b20c6ae425665b6975d766e3653d453e73 ]
+
+When a VF is calling hns3_init_mac_addr(), get_mac_addr() may
+return fail, then the value of mac_addr_temp is not initialized.
+
+Fixes: 76ad4f0ee747 ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC")
+Signed-off-by: Yonglong Liu <liuyonglong@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index ffd1018d43fbe..d09cc10b3517f 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -3773,7 +3773,7 @@ static int hns3_init_mac_addr(struct net_device *netdev, bool init)
+ {
+ struct hns3_nic_priv *priv = netdev_priv(netdev);
+ struct hnae3_handle *h = priv->ae_handle;
+- u8 mac_addr_temp[ETH_ALEN];
++ u8 mac_addr_temp[ETH_ALEN] = {0};
+ int ret = 0;
+
+ if (h->ae_algo->ops->get_mac_addr && init) {
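Review bot: The `= {0}` on `mac_addr_temp` has no comment saying why it matters, yet it is the whole fix: without it the buffer holds leftover stack contents whenever `get_mac_addr()` does not fill it in. A short comment such as `/* zeroed so a failed get_mac_addr() leaves an all-zero (invalid) address, not stack data */` would stop it being removed as redundant. The rest of hns3_init_mac_addr() is outside the hunk. Presumably it rejects the all-zero address through a validity check, which should be confirmed, because the initialiser hides the failure rather than reporting it.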
+--
+2.42.0
+
--- /dev/null
+From 6a8d1b0ee1c0dae6b20176231f896f174a474249 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 4 Oct 2020 14:30:58 +0300
+Subject: net/mlx5_core: Clean driver version and name
+
+From: Leon Romanovsky <leonro@nvidia.com>
+
+[ Upstream commit 17a7612b99e66d2539341ab4f888f970c2c7f76d ]
+
+Remove exposed driver version as it was done in other drivers,
+so module version will work correctly by displaying the kernel
+version for which it is compiled.
+
+And move mlx5_core module name to general include, so auxiliary drivers
+will be able to use it as a basis for a name in their device ID tables.
+
+Reviewed-by: Parav Pandit <parav@nvidia.com>
+Reviewed-by: Roi Dayan <roid@nvidia.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Stable-dep-of: 1b2bd0c0264f ("net/mlx5e: Check return value of snprintf writing to fw_version buffer for representors")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/devlink.c | 2 +-
+ drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 4 +---
+ drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 1 -
+ .../net/ethernet/mellanox/mlx5/core/ipoib/ethtool.c | 2 +-
+ drivers/net/ethernet/mellanox/mlx5/core/main.c | 10 ++++++----
+ drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h | 3 ---
+ include/linux/mlx5/driver.h | 2 ++
+ 7 files changed, 11 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/devlink.c b/drivers/net/ethernet/mellanox/mlx5/core/devlink.c
+index d63ce3feb65ca..6e763699d5043 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/devlink.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/devlink.c
+@@ -55,7 +55,7 @@ mlx5_devlink_info_get(struct devlink *devlink, struct devlink_info_req *req,
+ u32 running_fw, stored_fw;
+ int err;
+
+- err = devlink_info_driver_name_put(req, DRIVER_NAME);
++ err = devlink_info_driver_name_put(req, KBUILD_MODNAME);
+ if (err)
+ return err;
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+index e92cc60eade3f..18e0cb02aee18 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c
+@@ -40,9 +40,7 @@ void mlx5e_ethtool_get_drvinfo(struct mlx5e_priv *priv,
+ {
+ struct mlx5_core_dev *mdev = priv->mdev;
+
+- strlcpy(drvinfo->driver, DRIVER_NAME, sizeof(drvinfo->driver));
+- strlcpy(drvinfo->version, DRIVER_VERSION,
+- sizeof(drvinfo->version));
++ strlcpy(drvinfo->driver, KBUILD_MODNAME, sizeof(drvinfo->driver));
+ snprintf(drvinfo->fw_version, sizeof(drvinfo->fw_version),
+ "%d.%d.%04d (%.16s)",
+ fw_rev_maj(mdev), fw_rev_min(mdev), fw_rev_sub(mdev),
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+index f448a139e222e..e150d9fbd2ce1 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+@@ -74,7 +74,6 @@ static void mlx5e_rep_get_drvinfo(struct net_device *dev,
+
+ strlcpy(drvinfo->driver, mlx5e_rep_driver_name,
+ sizeof(drvinfo->driver));
+- strlcpy(drvinfo->version, UTS_RELEASE, sizeof(drvinfo->version));
+ snprintf(drvinfo->fw_version, sizeof(drvinfo->fw_version),
+ "%d.%d.%04d (%.16s)",
+ fw_rev_maj(mdev), fw_rev_min(mdev),
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ethtool.c b/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ethtool.c
+index 90cb50fe17fd9..f7f8098879843 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ethtool.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/ipoib/ethtool.c
+@@ -39,7 +39,7 @@ static void mlx5i_get_drvinfo(struct net_device *dev,
+ struct mlx5e_priv *priv = mlx5i_epriv(dev);
+
+ mlx5e_ethtool_get_drvinfo(priv, drvinfo);
+- strlcpy(drvinfo->driver, DRIVER_NAME "[ib_ipoib]",
++ strlcpy(drvinfo->driver, KBUILD_MODNAME "[ib_ipoib]",
+ sizeof(drvinfo->driver));
+ }
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/main.c b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+index ff9ac7cffc321..a183613420d27 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
+@@ -75,7 +75,6 @@
+ MODULE_AUTHOR("Eli Cohen <eli@mellanox.com>");
+ MODULE_DESCRIPTION("Mellanox 5th generation network adapters (ConnectX series) core driver");
+ MODULE_LICENSE("Dual BSD/GPL");
+-MODULE_VERSION(DRIVER_VERSION);
+
+ unsigned int mlx5_core_debug_mask;
+ module_param_named(debug_mask, mlx5_core_debug_mask, uint, 0644);
+@@ -222,7 +221,7 @@ static void mlx5_set_driver_version(struct mlx5_core_dev *dev)
+ strncat(string, ",", remaining_size);
+
+ remaining_size = max_t(int, 0, driver_ver_sz - strlen(string));
+- strncat(string, DRIVER_NAME, remaining_size);
++ strncat(string, KBUILD_MODNAME, remaining_size);
+
+ remaining_size = max_t(int, 0, driver_ver_sz - strlen(string));
+ strncat(string, ",", remaining_size);
+@@ -307,7 +306,7 @@ static int request_bar(struct pci_dev *pdev)
+ return -ENODEV;
+ }
+
+- err = pci_request_regions(pdev, DRIVER_NAME);
++ err = pci_request_regions(pdev, KBUILD_MODNAME);
+ if (err)
+ dev_err(&pdev->dev, "Couldn't get PCI resources, aborting\n");
+
+@@ -1618,7 +1617,7 @@ void mlx5_recover_device(struct mlx5_core_dev *dev)
+ }
+
+ static struct pci_driver mlx5_core_driver = {
+- .name = DRIVER_NAME,
++ .name = KBUILD_MODNAME,
+ .id_table = mlx5_core_pci_table,
+ .probe = init_one,
+ .remove = remove_one,
+@@ -1644,6 +1643,9 @@ static int __init mlx5_init(void)
+ {
+ int err;
+
++ WARN_ONCE(strcmp(MLX5_ADEV_NAME, KBUILD_MODNAME),
++ "mlx5_core name not in sync with kernel module name");
++
+ get_random_bytes(&sw_owner_id, sizeof(sw_owner_id));
+
+ mlx5_core_verify_params();
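Review bot: The message of the `WARN_ONCE()` added to mlx5_init() has no trailing newline; kernel log messages are normally terminated, i.e. `"mlx5_core name not in sync with kernel module name\n"`. Both operands of the `strcmp()` are compile-time constants, so a mismatch is only noticed when the module is loaded and someone reads the log. A comment next to `MLX5_ADEV_NAME` in driver.h, such as `/* must match KBUILD_MODNAME of mlx5_core; checked in mlx5_init() */`, would warn whoever edits the define.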
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h b/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h
+index b100489dc85c8..e053a17e0c7ae 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h
++++ b/drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h
+@@ -43,9 +43,6 @@
+ #include <linux/mlx5/fs.h>
+ #include <linux/mlx5/driver.h>
+
+-#define DRIVER_NAME "mlx5_core"
+-#define DRIVER_VERSION "5.0-0"
+-
+ extern uint mlx5_core_debug_mask;
+
+ #define mlx5_core_dbg(__dev, format, ...) \
+diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h
+index 3a19b9202a12d..18fd0a030584c 100644
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -56,6 +56,8 @@
+ #include <linux/ptp_clock_kernel.h>
+ #include <net/devlink.h>
+
++#define MLX5_ADEV_NAME "mlx5_core"
++
+ enum {
+ MLX5_BOARD_ID_LEN = 64,
+ };
+--
+2.42.0
+
--- /dev/null
+From 1019a537ad96cea56fbeb5689329aff81b133642 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Nov 2023 13:58:46 -0800
+Subject: net/mlx5e: Check return value of snprintf writing to fw_version
+ buffer for representors
+
+From: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+
+[ Upstream commit 1b2bd0c0264febcd8d47209079a6671c38e6558b ]
+
+Treat the operation as an error case when the return value is equivalent to
+the size of the name buffer. Failed to write null terminator to the name
+buffer, making the string malformed and should not be used. Provide a
+string with only the firmware version when forming the string with the
+board id fails. This logic for representors is identical to normal flow
+with ethtool.
+
+Without check, will trigger -Wformat-truncation with W=1.
+
+ drivers/net/ethernet/mellanox/mlx5/core/en_rep.c: In function 'mlx5e_rep_get_drvinfo':
+ drivers/net/ethernet/mellanox/mlx5/core/en_rep.c:78:31: warning: '%.16s' directive output may be truncated writing up to 16 bytes into a region of size between 13 and 22 [-Wformat-truncation=]
+ 78 | "%d.%d.%04d (%.16s)",
+ | ^~~~~
+ drivers/net/ethernet/mellanox/mlx5/core/en_rep.c:77:9: note: 'snprintf' output between 12 and 37 bytes into a destination of size 32
+ 77 | snprintf(drvinfo->fw_version, sizeof(drvinfo->fw_version),
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ 78 | "%d.%d.%04d (%.16s)",
+ | ~~~~~~~~~~~~~~~~~~~~~
+ 79 | fw_rev_maj(mdev), fw_rev_min(mdev),
+ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ 80 | fw_rev_sub(mdev), mdev->board_id);
+ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Fixes: cf83c8fdcd47 ("net/mlx5e: Add missing ethtool driver info for representors")
+Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6d4ab2e97dcfbcd748ae71761a9d8e5e41cc732c
+Signed-off-by: Rahul Rameshbabu <rrameshbabu@nvidia.com>
+Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Link: https://lore.kernel.org/r/20231114215846.5902-16-saeed@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+index e150d9fbd2ce1..ed37cc7c9ae00 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+@@ -71,13 +71,17 @@ static void mlx5e_rep_get_drvinfo(struct net_device *dev,
+ {
+ struct mlx5e_priv *priv = netdev_priv(dev);
+ struct mlx5_core_dev *mdev = priv->mdev;
++ int count;
+
+ strlcpy(drvinfo->driver, mlx5e_rep_driver_name,
+ sizeof(drvinfo->driver));
+- snprintf(drvinfo->fw_version, sizeof(drvinfo->fw_version),
+- "%d.%d.%04d (%.16s)",
+- fw_rev_maj(mdev), fw_rev_min(mdev),
+- fw_rev_sub(mdev), mdev->board_id);
++ count = snprintf(drvinfo->fw_version, sizeof(drvinfo->fw_version),
++ "%d.%d.%04d (%.16s)", fw_rev_maj(mdev),
++ fw_rev_min(mdev), fw_rev_sub(mdev), mdev->board_id);
++ if (count == sizeof(drvinfo->fw_version))
++ snprintf(drvinfo->fw_version, sizeof(drvinfo->fw_version),
++ "%d.%d.%04d", fw_rev_maj(mdev),
++ fw_rev_min(mdev), fw_rev_sub(mdev));
+ }
+
+ static void mlx5e_uplink_rep_get_drvinfo(struct net_device *dev,
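Review bot: The truncation test `if (count == sizeof(drvinfo->fw_version))` in mlx5e_rep_get_drvinfo() only catches output that is exactly one byte too long. `snprintf()` returns the length the full string would have had, so every truncated result gives `count >= sizeof(...)`; the compiler output quoted in the description allows up to 37 bytes for a 32-byte destination, and the longer results skip the fallback. The condition should be `if (count >= sizeof(drvinfo->fw_version))`. The kernel's snprintf() still NUL-terminates a non-empty buffer in that case, so the effect is a cut-off board id in the reported string rather than an overread. The same format is written unchecked in mlx5e_ethtool_get_drvinfo(), visible as context in the en_ethtool.c hunk of the preceding patch.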
+--
+2.42.0
+
--- /dev/null
+From 2dddd89d32ed3a0b06623431ff4ecc91f5438fb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Nov 2023 13:58:36 -0800
+Subject: net/mlx5e: fix double free of encap_header
+
+From: Dust Li <dust.li@linux.alibaba.com>
+
+[ Upstream commit 6f9b1a0731662648949a1c0587f6acb3b7f8acf1 ]
+
+When mlx5_packet_reformat_alloc() fails, the encap_header allocated in
+mlx5e_tc_tun_create_header_ipv4{6} will be released within it. However,
+e->encap_header is already set to the previously freed encap_header
+before mlx5_packet_reformat_alloc(). As a result, the later
+mlx5e_encap_put() will free e->encap_header again, causing a double free
+issue.
+
+mlx5e_encap_put()
+ --> mlx5e_encap_dealloc()
+ --> kfree(e->encap_header)
+
+This happens when cmd: MLX5_CMD_OP_ALLOC_PACKET_REFORMAT_CONTEXT fail.
+
+This patch fix it by not setting e->encap_header until
+mlx5_packet_reformat_alloc() success.
+
+Fixes: d589e785baf5e ("net/mlx5e: Allow concurrent creation of encap entries")
+Reported-by: Cruz Zhao <cruzzhao@linux.alibaba.com>
+Reported-by: Tianchen Ding <dtcccc@linux.alibaba.com>
+Signed-off-by: Dust Li <dust.li@linux.alibaba.com>
+Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
+Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
+index 362f01bc8372e..5a4bee5253ec1 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
+@@ -290,9 +290,6 @@ int mlx5e_tc_tun_create_header_ipv4(struct mlx5e_priv *priv,
+ if (err)
+ goto destroy_neigh_entry;
+
+- e->encap_size = ipv4_encap_size;
+- e->encap_header = encap_header;
+-
+ if (!(nud_state & NUD_VALID)) {
+ neigh_event_send(n, NULL);
+ /* the encap entry will be made valid on neigh update event
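Review bot: With `e->encap_size` and `e->encap_header` no longer assigned before the `!(nud_state & NUD_VALID)` branch in mlx5e_tc_tun_create_header_ipv4(), that branch now leaves the function with the entry holding no header. The comment in the branch says the entry is made valid later on a neigh update event, which presumably needs the header built here, and the allocated `encap_header` has no owner on that path unless code outside the hunk frees it. The mlx5e_tc_tun_create_header_ipv6() hunks have the same shape. A narrower fix for the double free would keep the early assignment and clear the pointer where the failure path frees the buffer, e.g. `e->encap_header = NULL;` before the `goto destroy_neigh_entry` that follows a failed mlx5_packet_reformat_alloc(). The labels and the free are outside the hunks, so this needs checking against the full functions.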
+@@ -309,6 +306,8 @@ int mlx5e_tc_tun_create_header_ipv4(struct mlx5e_priv *priv,
+ goto destroy_neigh_entry;
+ }
+
++ e->encap_size = ipv4_encap_size;
++ e->encap_header = encap_header;
+ e->flags |= MLX5_ENCAP_ENTRY_VALID;
+ mlx5e_rep_queue_neigh_stats_work(netdev_priv(out_dev));
+ neigh_release(n);
+@@ -408,9 +407,6 @@ int mlx5e_tc_tun_create_header_ipv6(struct mlx5e_priv *priv,
+ if (err)
+ goto destroy_neigh_entry;
+
+- e->encap_size = ipv6_encap_size;
+- e->encap_header = encap_header;
+-
+ if (!(nud_state & NUD_VALID)) {
+ neigh_event_send(n, NULL);
+ /* the encap entry will be made valid on neigh update event
+@@ -428,6 +424,8 @@ int mlx5e_tc_tun_create_header_ipv6(struct mlx5e_priv *priv,
+ goto destroy_neigh_entry;
+ }
+
++ e->encap_size = ipv6_encap_size;
++ e->encap_header = encap_header;
+ e->flags |= MLX5_ENCAP_ENTRY_VALID;
+ mlx5e_rep_queue_neigh_stats_work(netdev_priv(out_dev));
+ neigh_release(n);
+--
+2.42.0
+
--- /dev/null
+From b6e11efdf709ebe63bf5c94046da73025a4c6e5c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Nov 2023 19:42:49 +0200
+Subject: net: stmmac: fix rx budget limit check
+
+From: Baruch Siach <baruch@tkos.co.il>
+
+[ Upstream commit fa02de9e75889915b554eda1964a631fd019973b ]
+
+The while loop condition verifies 'count < limit'. Neither value change
+before the 'count >= limit' check. As is this check is dead code. But
+code inspection reveals a code path that modifies 'count' and then goto
+'drain_data' and back to 'read_again'. So there is a need to verify
+count value sanity after 'read_again'.
+
+Move 'read_again' up to fix the count limit check.
+
+Fixes: ec222003bd94 ("net: stmmac: Prepare to add Split Header support")
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
+Reviewed-by: Serge Semin <fancer.lancer@gmail.com>
+Link: https://lore.kernel.org/r/d9486296c3b6b12ab3a0515fcd47d56447a07bfc.1699897370.git.baruch@tkos.co.il
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index e521ab508f030..4eaa65e8d58f2 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -3536,10 +3536,10 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue)
+ len = 0;
+ }
+
++read_again:
+ if (count >= limit)
+ break;
+
+-read_again:
+ buf1_len = 0;
+ buf2_len = 0;
+ entry = next_entry;
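Review bot: The moved `read_again:` label has no comment explaining why the `count >= limit` test must sit below it, and the previous placement shows how easily the two get separated. Something like `/* re-check the budget on every pass: count is advanced before goto read_again */` at the label would document it. Leaving the loop here can now happen in the middle of a multi-descriptor frame. Whether the partially received frame is saved or dropped is decided outside the hunk and should be confirmed.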
+--
+2.42.0
+
--- /dev/null
+From 705a2d7f14cc8ad07b32d2aeca3ce035bb565ae6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Nov 2019 15:42:38 +0100
+Subject: net: stmmac: Rework stmmac_rx()
+
+From: Jose Abreu <Jose.Abreu@synopsys.com>
+
+[ Upstream commit 88ebe2cf7f3fc9da95e0f06483fd58da3e67e675 ]
+
+This looks over-engineered. Let's use some helpers to get the buffer
+length and hereby simplify the stmmac_rx() function. No performance drop
+was seen with the new implementation.
+
+Signed-off-by: Jose Abreu <Jose.Abreu@synopsys.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: fa02de9e7588 ("net: stmmac: fix rx budget limit check")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../net/ethernet/stmicro/stmmac/stmmac_main.c | 146 +++++++++++-------
+ 1 file changed, 94 insertions(+), 52 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+index 6a3b0f76d9729..e521ab508f030 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -3440,6 +3440,55 @@ static inline void stmmac_rx_refill(struct stmmac_priv *priv, u32 queue)
+ stmmac_set_rx_tail_ptr(priv, priv->ioaddr, rx_q->rx_tail_addr, queue);
+ }
+
++static unsigned int stmmac_rx_buf1_len(struct stmmac_priv *priv,
++ struct dma_desc *p,
++ int status, unsigned int len)
++{
++ int ret, coe = priv->hw->rx_csum;
++ unsigned int plen = 0, hlen = 0;
++
++ /* Not first descriptor, buffer is always zero */
++ if (priv->sph && len)
++ return 0;
++
++ /* First descriptor, get split header length */
++ ret = stmmac_get_rx_header_len(priv, p, &hlen);
++ if (priv->sph && hlen) {
++ priv->xstats.rx_split_hdr_pkt_n++;
++ return hlen;
++ }
++
++ /* First descriptor, not last descriptor and not split header */
++ if (status & rx_not_ls)
++ return priv->dma_buf_sz;
++
++ plen = stmmac_get_rx_frame_len(priv, p, coe);
++
++ /* First descriptor and last descriptor and not split header */
++ return min_t(unsigned int, priv->dma_buf_sz, plen);
++}
++
++static unsigned int stmmac_rx_buf2_len(struct stmmac_priv *priv,
++ struct dma_desc *p,
++ int status, unsigned int len)
++{
++ int coe = priv->hw->rx_csum;
++ unsigned int plen = 0;
++
++ /* Not split header, buffer is not available */
++ if (!priv->sph)
++ return 0;
++
++ /* Not last descriptor */
++ if (status & rx_not_ls)
++ return priv->dma_buf_sz;
++
++ plen = stmmac_get_rx_frame_len(priv, p, coe);
++
++ /* Last descriptor */
++ return plen - len;
++}
++
+ /**
+ * stmmac_rx - manage the receive process
+ * @priv: driver private structure
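Review bot: In stmmac_rx_buf2_len() the last-descriptor case returns `plen - len` with both operands unsigned, so a descriptor reporting a frame length smaller than the bytes already accounted for wraps to a very large value. The frame length comes from the RX descriptor the device writes, and the result is used further down in this patch as a DMA sync and fragment length, so a guard such as `if (plen <= len) return 0;` before the subtraction is worth having. Separately, stmmac_rx_buf1_len() stores the result of stmmac_get_rx_header_len() in `ret` and never reads it, whereas the code this patch removes tested `!ret` before trusting `hlen`. Changing the test to `if (priv->sph && !ret && hlen)` would keep that behaviour.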
+@@ -3469,11 +3518,10 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue)
+ stmmac_display_ring(priv, rx_head, DMA_RX_SIZE, true);
+ }
+ while (count < limit) {
+- unsigned int hlen = 0, prev_len = 0;
++ unsigned int buf1_len = 0, buf2_len = 0;
+ enum pkt_hash_types hash_type;
+ struct stmmac_rx_buffer *buf;
+ struct dma_desc *np, *p;
+- unsigned int sec_len;
+ int entry;
+ u32 hash;
+
+@@ -3492,7 +3540,8 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue)
+ break;
+
+ read_again:
+- sec_len = 0;
++ buf1_len = 0;
++ buf2_len = 0;
+ entry = next_entry;
+ buf = &rx_q->buf_pool[entry];
+
+@@ -3517,7 +3566,6 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue)
+ np = rx_q->dma_rx + next_entry;
+
+ prefetch(np);
+- prefetch(page_address(buf->page));
+
+ if (priv->extend_desc)
+ stmmac_rx_extended_status(priv, &priv->dev->stats,
+@@ -3534,69 +3582,61 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue)
+ goto read_again;
+ if (unlikely(error)) {
+ dev_kfree_skb(skb);
++ skb = NULL;
+ count++;
+ continue;
+ }
+
+ /* Buffer is good. Go on. */
+
+- if (likely(status & rx_not_ls)) {
+- len += priv->dma_buf_sz;
+- } else {
+- prev_len = len;
+- len = stmmac_get_rx_frame_len(priv, p, coe);
+-
+- /* ACS is set; GMAC core strips PAD/FCS for IEEE 802.3
+- * Type frames (LLC/LLC-SNAP)
+- *
+- * llc_snap is never checked in GMAC >= 4, so this ACS
+- * feature is always disabled and packets need to be
+- * stripped manually.
+- */
+- if (unlikely(priv->synopsys_id >= DWMAC_CORE_4_00) ||
+- unlikely(status != llc_snap))
+- len -= ETH_FCS_LEN;
++ prefetch(page_address(buf->page));
++ if (buf->sec_page)
++ prefetch(page_address(buf->sec_page));
++
++ buf1_len = stmmac_rx_buf1_len(priv, p, status, len);
++ len += buf1_len;
++ buf2_len = stmmac_rx_buf2_len(priv, p, status, len);
++ len += buf2_len;
++
++ /* ACS is set; GMAC core strips PAD/FCS for IEEE 802.3
++ * Type frames (LLC/LLC-SNAP)
++ *
++ * llc_snap is never checked in GMAC >= 4, so this ACS
++ * feature is always disabled and packets need to be
++ * stripped manually.
++ */
++ if (unlikely(priv->synopsys_id >= DWMAC_CORE_4_00) ||
++ unlikely(status != llc_snap)) {
++ if (buf2_len)
++ buf2_len -= ETH_FCS_LEN;
++ else
++ buf1_len -= ETH_FCS_LEN;
++
++ len -= ETH_FCS_LEN;
+ }
+
+ if (!skb) {
+- int ret = stmmac_get_rx_header_len(priv, p, &hlen);
+-
+- if (priv->sph && !ret && (hlen > 0)) {
+- sec_len = len;
+- if (!(status & rx_not_ls))
+- sec_len = sec_len - hlen;
+- len = hlen;
+-
+- prefetch(page_address(buf->sec_page));
+- priv->xstats.rx_split_hdr_pkt_n++;
+- }
+-
+- skb = napi_alloc_skb(&ch->rx_napi, len);
++ skb = napi_alloc_skb(&ch->rx_napi, buf1_len);
+ if (!skb) {
+ priv->dev->stats.rx_dropped++;
+ count++;
+- continue;
++ goto drain_data;
+ }
+
+- dma_sync_single_for_cpu(priv->device, buf->addr, len,
+- DMA_FROM_DEVICE);
++ dma_sync_single_for_cpu(priv->device, buf->addr,
++ buf1_len, DMA_FROM_DEVICE);
+ skb_copy_to_linear_data(skb, page_address(buf->page),
+- len);
+- skb_put(skb, len);
++ buf1_len);
++ skb_put(skb, buf1_len);
+
+ /* Data payload copied into SKB, page ready for recycle */
+ page_pool_recycle_direct(rx_q->page_pool, buf->page);
+ buf->page = NULL;
+- } else {
+- unsigned int buf_len = len - prev_len;
+-
+- if (likely(status & rx_not_ls))
+- buf_len = priv->dma_buf_sz;
+-
++ } else if (buf1_len) {
+ dma_sync_single_for_cpu(priv->device, buf->addr,
+- buf_len, DMA_FROM_DEVICE);
++ buf1_len, DMA_FROM_DEVICE);
+ skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
+- buf->page, 0, buf_len,
++ buf->page, 0, buf1_len,
+ priv->dma_buf_sz);
+
+ /* Data payload appended into SKB */
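Review bot: The FCS adjustment in this hunk now runs for every descriptor rather than only the last one of a frame. The removed code subtracted `ETH_FCS_LEN` inside the `else` branch of `if (likely(status & rx_not_ls))`, while the new block is guarded only by the `synopsys_id`/`llc_snap` condition. For a frame spread over several descriptors that drops four bytes per descriptor. If `buf1_len` and `buf2_len` can both be zero at this point, `buf1_len -= ETH_FCS_LEN` wraps an unsigned value that then passes `else if (buf1_len)` and is used as a DMA sync and fragment length. Restricting the block to the final descriptor, e.g. adding `likely(!(status & rx_not_ls)) &&` in front of the existing condition, would restore the earlier behaviour; stmmac_rx() starts and ends outside the hunk.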
+@@ -3604,22 +3644,23 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue)
+ buf->page = NULL;
+ }
+
+- if (sec_len > 0) {
++ if (buf2_len) {
+ dma_sync_single_for_cpu(priv->device, buf->sec_addr,
+- sec_len, DMA_FROM_DEVICE);
++ buf2_len, DMA_FROM_DEVICE);
+ skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags,
+- buf->sec_page, 0, sec_len,
++ buf->sec_page, 0, buf2_len,
+ priv->dma_buf_sz);
+
+- len += sec_len;
+-
+ /* Data payload appended into SKB */
+ page_pool_release_page(rx_q->page_pool, buf->sec_page);
+ buf->sec_page = NULL;
+ }
+
++drain_data:
+ if (likely(status & rx_not_ls))
+ goto read_again;
++ if (!skb)
++ continue;
+
+ /* Got entire packet into SKB. Finish it. */
+
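Review bot: After a failed `napi_alloc_skb()` the code reaches `drain_data:` with `skb == NULL`, and when `status & rx_not_ls` is set it jumps back to `read_again`, where the next descriptor hits the `if (!skb)` allocation of the preceding hunk again. If that second allocation succeeds, the skb appears to be built from the middle of the frame and passed up with the accumulated `len`, so the stack would parse payload bytes as a header. Marking the frame as bad before the jump, e.g. `error = 1;` ahead of `goto drain_data;`, looks like the smallest fix, provided the error path earlier in the loop (only partly visible here) skips the remaining descriptors as it seems to. On this path `count++` also runs once per failed descriptor rather than once per frame.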
+@@ -3637,13 +3678,14 @@ static int stmmac_rx(struct stmmac_priv *priv, int limit, u32 queue)
+
+ skb_record_rx_queue(skb, queue);
+ napi_gro_receive(&ch->rx_napi, skb);
++ skb = NULL;
+
+ priv->dev->stats.rx_packets++;
+ priv->dev->stats.rx_bytes += len;
+ count++;
+ }
+
+- if (status & rx_not_ls) {
++ if (status & rx_not_ls || skb) {
+ rx_q->state_saved = true;
+ rx_q->state.skb = skb;
+ rx_q->state.error = error;
+--
+2.42.0
+
--- /dev/null
+From 86e54acc53b7ad7635b08208f568701cf8ff65aa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 1 Nov 2023 11:20:18 +0800
+Subject: netfilter: nf_conntrack_bridge: initialize err to 0
+
+From: Linkui Xiao <xiaolinkui@kylinos.cn>
+
+[ Upstream commit a44af08e3d4d7566eeea98d7a29fe06e7b9de944 ]
+
+K2CI reported a problem:
+
+ consume_skb(skb);
+ return err;
+[nf_br_ip_fragment() error] uninitialized symbol 'err'.
+
+err is not initialized, because returning 0 is expected, initialize err
+to 0.
+
+Fixes: 3c171f496ef5 ("netfilter: bridge: add connection tracking system")
+Reported-by: k2ci <kernel-bot@kylinos.cn>
+Signed-off-by: Linkui Xiao <xiaolinkui@kylinos.cn>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bridge/netfilter/nf_conntrack_bridge.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/bridge/netfilter/nf_conntrack_bridge.c b/net/bridge/netfilter/nf_conntrack_bridge.c
+index fdbed31585553..d14b2dbbd1dfb 100644
+--- a/net/bridge/netfilter/nf_conntrack_bridge.c
++++ b/net/bridge/netfilter/nf_conntrack_bridge.c
+@@ -36,7 +36,7 @@ static int nf_br_ip_fragment(struct net *net, struct sock *sk,
+ ktime_t tstamp = skb->tstamp;
+ struct ip_frag_state state;
+ struct iphdr *iph;
+- int err;
++ int err = 0;
+
+ /* for offloaded checksums cleanup checksum before fragmentation */
+ if (skb->ip_summed == CHECKSUM_PARTIAL &&
+--
+2.42.0
+
--- /dev/null
+From fa3d340d413c01f29d40b41a25b5a642fad28f25 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Oct 2023 11:04:10 -0400
+Subject: NFSv4.1: fix SP4_MACH_CRED protection for pnfs IO
+
+From: Olga Kornievskaia <kolga@netapp.com>
+
+[ Upstream commit 5cc7688bae7f0757c39c1d3dfdd827b724061067 ]
+
+If the client is doing pnfs IO and Kerberos is configured and EXCHANGEID
+successfully negotiated SP4_MACH_CRED and WRITE/COMMIT are on the
+list of state protected operations, then we need to make sure to
+choose the DS's rpc_client structure instead of the MDS's one.
+
+Fixes: fb91fb0ee7b2 ("NFS: Move call to nfs4_state_protect_write() to nfs4_write_setup()")
+Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs4proc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index c41d149626047..b7529656b4307 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -5369,7 +5369,7 @@ static void nfs4_proc_write_setup(struct nfs_pgio_header *hdr,
+
+ msg->rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_WRITE];
+ nfs4_init_sequence(&hdr->args.seq_args, &hdr->res.seq_res, 0, 0);
+- nfs4_state_protect_write(server->nfs_client, clnt, msg, hdr);
++ nfs4_state_protect_write(hdr->ds_clp ? hdr->ds_clp : server->nfs_client, clnt, msg, hdr);
+ }
+
+ static void nfs4_proc_commit_rpc_prepare(struct rpc_task *task, struct nfs_commit_data *data)
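Review bot: The reason for preferring `hdr->ds_clp` over `server->nfs_client` is not stated next to the call, and the same selection is repeated with `data->ds_clp` in nfs4_proc_commit_setup() in the next hunk. A short comment at both sites, such as `/* pNFS I/O to a data server: apply the state protection negotiated with the DS, not the MDS */`, would make it harder for a later refactor to revert to the MDS client and lose the SP4_MACH_CRED handling for WRITE/COMMIT. The expression can also be written `hdr->ds_clp ?: server->nfs_client`, which avoids the over-long line in the write path. Whether other setup functions in this file need the same selection cannot be judged from these hunks.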
+@@ -5410,7 +5410,8 @@ static void nfs4_proc_commit_setup(struct nfs_commit_data *data, struct rpc_mess
+ data->res.server = server;
+ msg->rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_COMMIT];
+ nfs4_init_sequence(&data->args.seq_args, &data->res.seq_res, 1, 0);
+- nfs4_state_protect(server->nfs_client, NFS_SP4_MACH_CRED_COMMIT, clnt, msg);
++ nfs4_state_protect(data->ds_clp ? data->ds_clp : server->nfs_client,
++ NFS_SP4_MACH_CRED_COMMIT, clnt, msg);
+ }
+
+ static int _nfs4_proc_commit(struct file *dst, struct nfs_commitargs *args,
+--
+2.42.0
+
--- /dev/null
+From 5ebedb5153ecc3b51fa9cb51e8e0ae52e13d087a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Sep 2023 15:56:44 +0300
+Subject: PCI: tegra194: Use FIELD_GET()/FIELD_PREP() with Link Width fields
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+[ Upstream commit 759574abd78e3b47ec45bbd31a64e8832cf73f97 ]
+
+Use FIELD_GET() to extract PCIe Negotiated Link Width field instead of
+custom masking and shifting.
+
+Similarly, change custom code that misleadingly used
+PCI_EXP_LNKSTA_NLW_SHIFT to prepare value for PCI_EXP_LNKCAP write
+to use FIELD_PREP() with correct field define (PCI_EXP_LNKCAP_MLW).
+
+Link: https://lore.kernel.org/r/20230919125648.1920-5-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/dwc/pcie-tegra194.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/pci/controller/dwc/pcie-tegra194.c b/drivers/pci/controller/dwc/pcie-tegra194.c
+index 120d64c1a27fd..1cf94854c44fd 100644
+--- a/drivers/pci/controller/dwc/pcie-tegra194.c
++++ b/drivers/pci/controller/dwc/pcie-tegra194.c
+@@ -7,6 +7,7 @@
+ * Author: Vidya Sagar <vidyas@nvidia.com>
+ */
+
++#include <linux/bitfield.h>
+ #include <linux/clk.h>
+ #include <linux/debugfs.h>
+ #include <linux/delay.h>
+@@ -321,8 +322,7 @@ static void apply_bad_link_workaround(struct pcie_port *pp)
+ */
+ val = dw_pcie_readw_dbi(pci, pcie->pcie_cap_base + PCI_EXP_LNKSTA);
+ if (val & PCI_EXP_LNKSTA_LBMS) {
+- current_link_width = (val & PCI_EXP_LNKSTA_NLW) >>
+- PCI_EXP_LNKSTA_NLW_SHIFT;
++ current_link_width = FIELD_GET(PCI_EXP_LNKSTA_NLW, val);
+ if (pcie->init_link_width > current_link_width) {
+ dev_warn(pci->dev, "PCIe link is bad, width reduced\n");
+ val = dw_pcie_readw_dbi(pci, pcie->pcie_cap_base +
+@@ -596,8 +596,7 @@ static void tegra_pcie_enable_system_interrupts(struct pcie_port *pp)
+
+ val_w = dw_pcie_readw_dbi(&pcie->pci, pcie->pcie_cap_base +
+ PCI_EXP_LNKSTA);
+- pcie->init_link_width = (val_w & PCI_EXP_LNKSTA_NLW) >>
+- PCI_EXP_LNKSTA_NLW_SHIFT;
++ pcie->init_link_width = FIELD_GET(PCI_EXP_LNKSTA_NLW, val_w);
+
+ val_w = dw_pcie_readw_dbi(&pcie->pci, pcie->pcie_cap_base +
+ PCI_EXP_LNKCTL);
+@@ -773,7 +772,7 @@ static void tegra_pcie_prepare_host(struct pcie_port *pp)
+ /* Configure Max lane width from DT */
+ val = dw_pcie_readl_dbi(pci, pcie->pcie_cap_base + PCI_EXP_LNKCAP);
+ val &= ~PCI_EXP_LNKCAP_MLW;
+- val |= (pcie->num_lanes << PCI_EXP_LNKSTA_NLW_SHIFT);
++ val |= FIELD_PREP(PCI_EXP_LNKCAP_MLW, pcie->num_lanes);
+ dw_pcie_writel_dbi(pci, pcie->pcie_cap_base + PCI_EXP_LNKCAP, val);
+
+ config_gen3_gen4_eq_presets(pcie);
+--
+2.42.0
+
--- /dev/null
+From 29acde4be274e393f06b76c4987471896af5ddc2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Sep 2023 08:43:07 +0800
+Subject: perf/core: Bail out early if the request AUX area is out of bound
+
+From: Shuai Xue <xueshuai@linux.alibaba.com>
+
+[ Upstream commit 54aee5f15b83437f23b2b2469bcf21bdd9823916 ]
+
+When perf-record with a large AUX area, e.g 4GB, it fails with:
+
+ #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1
+ failed to mmap with 12 (Cannot allocate memory)
+
+and it reveals a WARNING with __alloc_pages():
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 44 PID: 17573 at mm/page_alloc.c:5568 __alloc_pages+0x1ec/0x248
+ Call trace:
+ __alloc_pages+0x1ec/0x248
+ __kmalloc_large_node+0xc0/0x1f8
+ __kmalloc_node+0x134/0x1e8
+ rb_alloc_aux+0xe0/0x298
+ perf_mmap+0x440/0x660
+ mmap_region+0x308/0x8a8
+ do_mmap+0x3c0/0x528
+ vm_mmap_pgoff+0xf4/0x1b8
+ ksys_mmap_pgoff+0x18c/0x218
+ __arm64_sys_mmap+0x38/0x58
+ invoke_syscall+0x50/0x128
+ el0_svc_common.constprop.0+0x58/0x188
+ do_el0_svc+0x34/0x50
+ el0_svc+0x34/0x108
+ el0t_64_sync_handler+0xb8/0xc0
+ el0t_64_sync+0x1a4/0x1a8
+
+'rb->aux_pages' allocated by kcalloc() is a pointer array which is used to
+maintain AUX trace pages. The allocated page for this array is physically
+contiguous (and virtually contiguous) with an order of 0..MAX_ORDER. If the
+size of pointer array crosses the limitation set by MAX_ORDER, it reveals a
+WARNING.
+
+So bail out early with -ENOMEM if the request AUX area is out of bound,
+e.g.:
+
+ #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1
+ failed to mmap with 12 (Cannot allocate memory)
+
+Signed-off-by: Shuai Xue <xueshuai@linux.alibaba.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/events/ring_buffer.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c
+index ffb59a4ef4ff3..fb3edb2f8ac93 100644
+--- a/kernel/events/ring_buffer.c
++++ b/kernel/events/ring_buffer.c
+@@ -653,6 +653,12 @@ int rb_alloc_aux(struct ring_buffer *rb, struct perf_event *event,
+ max_order--;
+ }
+
++ /*
++ * kcalloc_node() is unable to allocate buffer if the size is larger
++ * than: PAGE_SIZE << MAX_ORDER; directly bail out in this case.
++ */
++ if (get_order((unsigned long)nr_pages * sizeof(void *)) > MAX_ORDER)
++ return -ENOMEM;
+ rb->aux_pages = kcalloc_node(nr_pages, sizeof(void *), GFP_KERNEL,
+ node);
+ if (!rb->aux_pages)
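Review bot: The new guard compares with `> MAX_ORDER`, which still lets a request of exactly order `MAX_ORDER` through to `kcalloc_node()`. That is only correct in trees where `MAX_ORDER` is an inclusive bound. In kernels where the page allocator rejects `order >= MAX_ORDER`, the WARNING quoted in the commit message would still fire for that size, and the check should read `if (get_order((unsigned long)nr_pages * sizeof(void *)) >= MAX_ORDER)`. This is a backport and the hunk header still names `struct ring_buffer`, so the meaning of `MAX_ORDER` in the target tree is worth confirming. rb_alloc_aux() starts and ends outside the hunk, so the sign and range of `nr_pages` at this point cannot be checked here.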
+--
+2.42.0
+
--- /dev/null
+From 2b73494eaefac7c2b344ec6820f3b6bd6e2a037f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Oct 2023 15:23:08 -0700
+Subject: perf hist: Add missing puts to hist__account_cycles
+
+From: Ian Rogers <irogers@google.com>
+
+[ Upstream commit c1149037f65bcf0334886180ebe3d5efcf214912 ]
+
+Caught using reference count checking on perf top with
+"--call-graph=lbr". After this no memory leaks were detected.
+
+Fixes: 57849998e2cd ("perf report: Add processing for cycle histograms")
+Signed-off-by: Ian Rogers <irogers@google.com>
+Cc: K Prateek Nayak <kprateek.nayak@amd.com>
+Cc: Ravi Bangoria <ravi.bangoria@amd.com>
+Cc: Sandipan Das <sandipan.das@amd.com>
+Cc: Anshuman Khandual <anshuman.khandual@arm.com>
+Cc: German Gomez <german.gomez@arm.com>
+Cc: James Clark <james.clark@arm.com>
+Cc: Nick Terrell <terrelln@fb.com>
+Cc: Sean Christopherson <seanjc@google.com>
+Cc: Changbin Du <changbin.du@huawei.com>
+Cc: liuwenyu <liuwenyu7@huawei.com>
+Cc: Yang Jihong <yangjihong1@huawei.com>
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Miguel Ojeda <ojeda@kernel.org>
+Cc: Song Liu <song@kernel.org>
+Cc: Leo Yan <leo.yan@linaro.org>
+Cc: Kajol Jain <kjain@linux.ibm.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+Cc: Yanteng Si <siyanteng@loongson.cn>
+Cc: Liam Howlett <liam.howlett@oracle.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Link: https://lore.kernel.org/r/20231024222353.3024098-6-irogers@google.com
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/hist.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/tools/perf/util/hist.c b/tools/perf/util/hist.c
+index 151b9e43c88f9..9a02c1fd83493 100644
+--- a/tools/perf/util/hist.c
++++ b/tools/perf/util/hist.c
+@@ -2576,8 +2576,6 @@ void hist__account_cycles(struct branch_stack *bs, struct addr_location *al,
+
+ /* If we have branch cycles always annotate them. */
+ if (bs && bs->nr && entries[0].flags.cycles) {
+- int i;
+-
+ bi = sample__resolve_bstack(sample, al);
+ if (bi) {
+ struct addr_map_symbol *prev = NULL;
+@@ -2592,12 +2590,18 @@ void hist__account_cycles(struct branch_stack *bs, struct addr_location *al,
+ * Note that perf stores branches reversed from
+ * program order!
+ */
+- for (i = bs->nr - 1; i >= 0; i--) {
++ for (int i = bs->nr - 1; i >= 0; i--) {
+ addr_map_symbol__account_cycles(&bi[i].from,
+ nonany_branch_mode ? NULL : prev,
+ bi[i].flags.cycles);
+ prev = &bi[i].to;
+ }
++ for (unsigned int i = 0; i < bs->nr; i++) {
++ map__put(bi[i].to.ms.map);
++ maps__put(bi[i].to.ms.maps);
++ map__put(bi[i].from.ms.map);
++ maps__put(bi[i].from.ms.maps);
++ }
+ free(bi);
+ }
+ }
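Review bot: The added release loop has no comment saying which references it drops, and it walks `bs->nr` entries of `bi` although `bi` comes from `sample__resolve_bstack(sample, al)`. A comment such as `/* drop the map/maps references held by each resolved branch entry */` would document the ownership; presumably the references are taken while resolving, but that code is outside the hunk. If `bs` can ever differ from `sample->branch_stack`, the loop bound should come from the same source as the allocation. hist__account_cycles() starts outside the hunk.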
+--
+2.42.0
+
--- /dev/null
+From 3239799eddc8e6fe00bdf5533fec028a4cfdcaf9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 28 Feb 2020 08:30:00 -0800
+Subject: perf tools: Add hw_idx in struct branch_stack
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+[ Upstream commit 42bbabed09ce6208026648a71a45b4394c74585a ]
+
+The low level index of raw branch records for the most recent branch can
+be recorded in a sample with PERF_SAMPLE_BRANCH_HW_INDEX
+branch_sample_type. Extend struct branch_stack to support it.
+
+However, if the PERF_SAMPLE_BRANCH_HW_INDEX is not applied, only nr and
+entries[] will be output by kernel. The pointer of entries[] could be
+wrong, since the output format is different with new struct
+branch_stack. Add a variable no_hw_idx in struct perf_sample to
+indicate whether the hw_idx is output. Add get_branch_entry() to return
+corresponding pointer of entries[0].
+
+To make dummy branch sample consistent as new branch sample, add hw_idx
+in struct dummy_branch_stack for cs-etm and intel-pt.
+
+Apply the new struct branch_stack for synthetic events as well.
+
+Extend test case sample-parsing to support new struct branch_stack.
+
+Committer notes:
+
+Renamed get_branch_entries() to perf_sample__branch_entries() to have
+proper namespacing and pave the way for this to be moved to libperf,
+eventually.
+
+Add 'static' to that inline as it is in a header.
+
+Add 'hw_idx' to 'struct dummy_branch_stack' in cs-etm.c to fix the build
+on arm64.
+
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexey Budankov <alexey.budankov@linux.intel.com>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Pavel Gerasimov <pavel.gerasimov@intel.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
+Cc: Stephane Eranian <eranian@google.com>
+Cc: Vitaly Slobodskoy <vitaly.slobodskoy@intel.com>
+Link: http://lore.kernel.org/lkml/20200228163011.19358-2-kan.liang@linux.intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Stable-dep-of: c1149037f65b ("perf hist: Add missing puts to hist__account_cycles")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-script.c | 70 ++++++++++---------
+ tools/perf/tests/sample-parsing.c | 7 +-
+ tools/perf/util/branch.h | 22 ++++++
+ tools/perf/util/cs-etm.c | 2 +
+ tools/perf/util/event.h | 1 +
+ tools/perf/util/evsel.c | 5 ++
+ tools/perf/util/evsel.h | 5 ++
+ tools/perf/util/hist.c | 3 +-
+ tools/perf/util/intel-pt.c | 2 +
+ tools/perf/util/machine.c | 35 +++++-----
+ .../scripting-engines/trace-event-python.c | 30 ++++----
+ tools/perf/util/session.c | 8 ++-
+ tools/perf/util/synthetic-events.c | 6 +-
+ 13 files changed, 125 insertions(+), 71 deletions(-)
+
+diff --git a/tools/perf/builtin-script.c b/tools/perf/builtin-script.c
+index bbf1f2d3387e3..bb64dbfe043a5 100644
+--- a/tools/perf/builtin-script.c
++++ b/tools/perf/builtin-script.c
+@@ -735,6 +735,7 @@ static int perf_sample__fprintf_brstack(struct perf_sample *sample,
+ struct perf_event_attr *attr, FILE *fp)
+ {
+ struct branch_stack *br = sample->branch_stack;
++ struct branch_entry *entries = perf_sample__branch_entries(sample);
+ struct addr_location alf, alt;
+ u64 i, from, to;
+ int printed = 0;
+@@ -743,8 +744,8 @@ static int perf_sample__fprintf_brstack(struct perf_sample *sample,
+ return 0;
+
+ for (i = 0; i < br->nr; i++) {
+- from = br->entries[i].from;
+- to = br->entries[i].to;
++ from = entries[i].from;
++ to = entries[i].to;
+
+ if (PRINT_FIELD(DSO)) {
+ memset(&alf, 0, sizeof(alf));
+@@ -768,10 +769,10 @@ static int perf_sample__fprintf_brstack(struct perf_sample *sample,
+ }
+
+ printed += fprintf(fp, "/%c/%c/%c/%d ",
+- mispred_str( br->entries + i),
+- br->entries[i].flags.in_tx? 'X' : '-',
+- br->entries[i].flags.abort? 'A' : '-',
+- br->entries[i].flags.cycles);
++ mispred_str(entries + i),
++ entries[i].flags.in_tx ? 'X' : '-',
++ entries[i].flags.abort ? 'A' : '-',
++ entries[i].flags.cycles);
+ }
+
+ return printed;
+@@ -782,6 +783,7 @@ static int perf_sample__fprintf_brstacksym(struct perf_sample *sample,
+ struct perf_event_attr *attr, FILE *fp)
+ {
+ struct branch_stack *br = sample->branch_stack;
++ struct branch_entry *entries = perf_sample__branch_entries(sample);
+ struct addr_location alf, alt;
+ u64 i, from, to;
+ int printed = 0;
+@@ -793,8 +795,8 @@ static int perf_sample__fprintf_brstacksym(struct perf_sample *sample,
+
+ memset(&alf, 0, sizeof(alf));
+ memset(&alt, 0, sizeof(alt));
+- from = br->entries[i].from;
+- to = br->entries[i].to;
++ from = entries[i].from;
++ to = entries[i].to;
+
+ thread__find_symbol_fb(thread, sample->cpumode, from, &alf);
+ thread__find_symbol_fb(thread, sample->cpumode, to, &alt);
+@@ -813,10 +815,10 @@ static int perf_sample__fprintf_brstacksym(struct perf_sample *sample,
+ printed += fprintf(fp, ")");
+ }
+ printed += fprintf(fp, "/%c/%c/%c/%d ",
+- mispred_str( br->entries + i),
+- br->entries[i].flags.in_tx? 'X' : '-',
+- br->entries[i].flags.abort? 'A' : '-',
+- br->entries[i].flags.cycles);
++ mispred_str(entries + i),
++ entries[i].flags.in_tx ? 'X' : '-',
++ entries[i].flags.abort ? 'A' : '-',
++ entries[i].flags.cycles);
+ }
+
+ return printed;
+@@ -827,6 +829,7 @@ static int perf_sample__fprintf_brstackoff(struct perf_sample *sample,
+ struct perf_event_attr *attr, FILE *fp)
+ {
+ struct branch_stack *br = sample->branch_stack;
++ struct branch_entry *entries = perf_sample__branch_entries(sample);
+ struct addr_location alf, alt;
+ u64 i, from, to;
+ int printed = 0;
+@@ -838,8 +841,8 @@ static int perf_sample__fprintf_brstackoff(struct perf_sample *sample,
+
+ memset(&alf, 0, sizeof(alf));
+ memset(&alt, 0, sizeof(alt));
+- from = br->entries[i].from;
+- to = br->entries[i].to;
++ from = entries[i].from;
++ to = entries[i].to;
+
+ if (thread__find_map_fb(thread, sample->cpumode, from, &alf) &&
+ !alf.map->dso->adjust_symbols)
+@@ -862,10 +865,10 @@ static int perf_sample__fprintf_brstackoff(struct perf_sample *sample,
+ printed += fprintf(fp, ")");
+ }
+ printed += fprintf(fp, "/%c/%c/%c/%d ",
+- mispred_str(br->entries + i),
+- br->entries[i].flags.in_tx ? 'X' : '-',
+- br->entries[i].flags.abort ? 'A' : '-',
+- br->entries[i].flags.cycles);
++ mispred_str(entries + i),
++ entries[i].flags.in_tx ? 'X' : '-',
++ entries[i].flags.abort ? 'A' : '-',
++ entries[i].flags.cycles);
+ }
+
+ return printed;
+@@ -1011,6 +1014,7 @@ static int perf_sample__fprintf_brstackinsn(struct perf_sample *sample,
+ struct machine *machine, FILE *fp)
+ {
+ struct branch_stack *br = sample->branch_stack;
++ struct branch_entry *entries = perf_sample__branch_entries(sample);
+ u64 start, end;
+ int i, insn, len, nr, ilen, printed = 0;
+ struct perf_insn x;
+@@ -1031,31 +1035,31 @@ static int perf_sample__fprintf_brstackinsn(struct perf_sample *sample,
+ printed += fprintf(fp, "%c", '\n');
+
+ /* Handle first from jump, of which we don't know the entry. */
+- len = grab_bb(buffer, br->entries[nr-1].from,
+- br->entries[nr-1].from,
++ len = grab_bb(buffer, entries[nr-1].from,
++ entries[nr-1].from,
+ machine, thread, &x.is64bit, &x.cpumode, false);
+ if (len > 0) {
+- printed += ip__fprintf_sym(br->entries[nr - 1].from, thread,
++ printed += ip__fprintf_sym(entries[nr - 1].from, thread,
+ x.cpumode, x.cpu, &lastsym, attr, fp);
+- printed += ip__fprintf_jump(br->entries[nr - 1].from, &br->entries[nr - 1],
++ printed += ip__fprintf_jump(entries[nr - 1].from, &entries[nr - 1],
+ &x, buffer, len, 0, fp, &total_cycles);
+ if (PRINT_FIELD(SRCCODE))
+- printed += print_srccode(thread, x.cpumode, br->entries[nr - 1].from);
++ printed += print_srccode(thread, x.cpumode, entries[nr - 1].from);
+ }
+
+ /* Print all blocks */
+ for (i = nr - 2; i >= 0; i--) {
+- if (br->entries[i].from || br->entries[i].to)
++ if (entries[i].from || entries[i].to)
+ pr_debug("%d: %" PRIx64 "-%" PRIx64 "\n", i,
+- br->entries[i].from,
+- br->entries[i].to);
+- start = br->entries[i + 1].to;
+- end = br->entries[i].from;
++ entries[i].from,
++ entries[i].to);
++ start = entries[i + 1].to;
++ end = entries[i].from;
+
+ len = grab_bb(buffer, start, end, machine, thread, &x.is64bit, &x.cpumode, false);
+ /* Patch up missing kernel transfers due to ring filters */
+ if (len == -ENXIO && i > 0) {
+- end = br->entries[--i].from;
++ end = entries[--i].from;
+ pr_debug("\tpatching up to %" PRIx64 "-%" PRIx64 "\n", start, end);
+ len = grab_bb(buffer, start, end, machine, thread, &x.is64bit, &x.cpumode, false);
+ }
+@@ -1068,7 +1072,7 @@ static int perf_sample__fprintf_brstackinsn(struct perf_sample *sample,
+
+ printed += ip__fprintf_sym(ip, thread, x.cpumode, x.cpu, &lastsym, attr, fp);
+ if (ip == end) {
+- printed += ip__fprintf_jump(ip, &br->entries[i], &x, buffer + off, len - off, ++insn, fp,
++ printed += ip__fprintf_jump(ip, &entries[i], &x, buffer + off, len - off, ++insn, fp,
+ &total_cycles);
+ if (PRINT_FIELD(SRCCODE))
+ printed += print_srccode(thread, x.cpumode, ip);
+@@ -1092,9 +1096,9 @@ static int perf_sample__fprintf_brstackinsn(struct perf_sample *sample,
+ * Hit the branch? In this case we are already done, and the target
+ * has not been executed yet.
+ */
+- if (br->entries[0].from == sample->ip)
++ if (entries[0].from == sample->ip)
+ goto out;
+- if (br->entries[0].flags.abort)
++ if (entries[0].flags.abort)
+ goto out;
+
+ /*
+@@ -1105,7 +1109,7 @@ static int perf_sample__fprintf_brstackinsn(struct perf_sample *sample,
+ * between final branch and sample. When this happens just
+ * continue walking after the last TO until we hit a branch.
+ */
+- start = br->entries[0].to;
++ start = entries[0].to;
+ end = sample->ip;
+ if (end < start) {
+ /* Missing jump. Scan 128 bytes for the next branch */
+diff --git a/tools/perf/tests/sample-parsing.c b/tools/perf/tests/sample-parsing.c
+index 2f76d4a9de860..6da067d339429 100644
+--- a/tools/perf/tests/sample-parsing.c
++++ b/tools/perf/tests/sample-parsing.c
+@@ -99,6 +99,7 @@ static bool samples_same(const struct perf_sample *s1,
+
+ if (type & PERF_SAMPLE_BRANCH_STACK) {
+ COMP(branch_stack->nr);
++ COMP(branch_stack->hw_idx);
+ for (i = 0; i < s1->branch_stack->nr; i++)
+ MCOMP(branch_stack->entries[i]);
+ }
+@@ -177,7 +178,7 @@ static int do_test(u64 sample_type, u64 sample_regs, u64 read_format)
+ u64 data[64];
+ } branch_stack = {
+ /* 1 branch_entry */
+- .data = {1, 211, 212, 213},
++ .data = {1, -1ULL, 211, 212, 213},
+ };
+ u64 regs[64];
+ const u32 raw_data[] = {0x12345678, 0x0a0b0c0d, 0x11020304, 0x05060708, 0 };
+@@ -198,6 +199,7 @@ static int do_test(u64 sample_type, u64 sample_regs, u64 read_format)
+ .transaction = 112,
+ .raw_data = (void *)raw_data,
+ .callchain = &callchain.callchain,
++ .no_hw_idx = false,
+ .branch_stack = &branch_stack.branch_stack,
+ .user_regs = {
+ .abi = PERF_SAMPLE_REGS_ABI_64,
+@@ -230,6 +232,9 @@ static int do_test(u64 sample_type, u64 sample_regs, u64 read_format)
+ if (sample_type & PERF_SAMPLE_REGS_INTR)
+ evsel.core.attr.sample_regs_intr = sample_regs;
+
++ if (sample_type & PERF_SAMPLE_BRANCH_STACK)
++ evsel.core.attr.branch_sample_type |= PERF_SAMPLE_BRANCH_HW_INDEX;
++
+ for (i = 0; i < sizeof(regs); i++)
+ *(i + (u8 *)regs) = i & 0xfe;
+
+diff --git a/tools/perf/util/branch.h b/tools/perf/util/branch.h
+index 88e00d268f6f2..154a05cd03af5 100644
+--- a/tools/perf/util/branch.h
++++ b/tools/perf/util/branch.h
+@@ -12,6 +12,7 @@
+ #include <linux/stddef.h>
+ #include <linux/perf_event.h>
+ #include <linux/types.h>
++#include "event.h"
+
+ struct branch_flags {
+ u64 mispred:1;
+@@ -39,9 +40,30 @@ struct branch_entry {
+
+ struct branch_stack {
+ u64 nr;
++ u64 hw_idx;
+ struct branch_entry entries[0];
+ };
+
++/*
++ * The hw_idx is only available when PERF_SAMPLE_BRANCH_HW_INDEX is applied.
++ * Otherwise, the output format of a sample with branch stack is
++ * struct branch_stack {
++ * u64 nr;
++ * struct branch_entry entries[0];
++ * }
++ * Check whether the hw_idx is available,
++ * and return the corresponding pointer of entries[0].
++ */
++static inline struct branch_entry *perf_sample__branch_entries(struct perf_sample *sample)
++{
++ u64 *entry = (u64 *)sample->branch_stack;
++
++ entry++;
++ if (sample->no_hw_idx)
++ return (struct branch_entry *)entry;
++ return (struct branch_entry *)(++entry);
++}
++
+ struct branch_type_stat {
+ bool branch_to;
+ u64 counts[PERF_BR_MAX];
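Review bot: perf_sample__branch_entries() does pointer arithmetic on `sample->branch_stack` without checking it for NULL, and callers added in this patch invoke it in their declarations before testing the stack pointer. hist__account_cycles() checks `bs` only afterwards, and the builtin-script.c printers appear to do the same. Nothing in the visible hunks dereferences the result on those paths, but arithmetic on a null pointer is undefined behaviour and produces a small non-NULL address that a later NULL check on `entries` would not catch. Adding `if (!sample->branch_stack) return NULL;` at the top of the helper leaves the callers unchanged. The comment above the helper could also state that `no_hw_idx` must already have been set by the sample parser when the helper is called.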
+diff --git a/tools/perf/util/cs-etm.c b/tools/perf/util/cs-etm.c
+index f5a9cb4088080..f9cc15f93c4a7 100644
+--- a/tools/perf/util/cs-etm.c
++++ b/tools/perf/util/cs-etm.c
+@@ -1192,6 +1192,7 @@ static int cs_etm__synth_branch_sample(struct cs_etm_queue *etmq,
+ union perf_event *event = tidq->event_buf;
+ struct dummy_branch_stack {
+ u64 nr;
++ u64 hw_idx;
+ struct branch_entry entries;
+ } dummy_bs;
+ u64 ip;
+@@ -1222,6 +1223,7 @@ static int cs_etm__synth_branch_sample(struct cs_etm_queue *etmq,
+ if (etm->synth_opts.last_branch) {
+ dummy_bs = (struct dummy_branch_stack){
+ .nr = 1,
++ .hw_idx = -1ULL,
+ .entries = {
+ .from = sample.ip,
+ .to = sample.addr,
+diff --git a/tools/perf/util/event.h b/tools/perf/util/event.h
+index a0a0c91cde4a6..47d1d0b78be10 100644
+--- a/tools/perf/util/event.h
++++ b/tools/perf/util/event.h
+@@ -134,6 +134,7 @@ struct perf_sample {
+ u16 insn_len;
+ u8 cpumode;
+ u16 misc;
++ bool no_hw_idx; /* No hw_idx collected in branch_stack */
+ char insn[MAX_INSN];
+ void *raw_data;
+ struct ip_callchain *callchain;
+diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
+index 9dd9e3f4ef591..ee0ed7067cdb0 100644
+--- a/tools/perf/util/evsel.c
++++ b/tools/perf/util/evsel.c
+@@ -2126,7 +2126,12 @@ int perf_evsel__parse_sample(struct evsel *evsel, union perf_event *event,
+
+ if (data->branch_stack->nr > max_branch_nr)
+ return -EFAULT;
++
+ sz = data->branch_stack->nr * sizeof(struct branch_entry);
++ if (perf_evsel__has_branch_hw_idx(evsel))
++ sz += sizeof(u64);
++ else
++ data->no_hw_idx = true;
+ OVERFLOW_CHECK(array, sz, max_size);
+ array = (void *)array + sz;
+ }
+diff --git a/tools/perf/util/evsel.h b/tools/perf/util/evsel.h
+index ddc5ee6f6592b..ae2c5c22357ad 100644
+--- a/tools/perf/util/evsel.h
++++ b/tools/perf/util/evsel.h
+@@ -382,6 +382,11 @@ static inline bool perf_evsel__has_branch_callstack(const struct evsel *evsel)
+ return evsel->core.attr.branch_sample_type & PERF_SAMPLE_BRANCH_CALL_STACK;
+ }
+
++static inline bool perf_evsel__has_branch_hw_idx(const struct evsel *evsel)
++{
++ return evsel->core.attr.branch_sample_type & PERF_SAMPLE_BRANCH_HW_INDEX;
++}
++
+ static inline bool evsel__has_callchain(const struct evsel *evsel)
+ {
+ return (evsel->core.attr.sample_type & PERF_SAMPLE_CALLCHAIN) != 0;
+diff --git a/tools/perf/util/hist.c b/tools/perf/util/hist.c
+index 7b6eaf5e0bda5..151b9e43c88f9 100644
+--- a/tools/perf/util/hist.c
++++ b/tools/perf/util/hist.c
+@@ -2572,9 +2572,10 @@ void hist__account_cycles(struct branch_stack *bs, struct addr_location *al,
+ struct perf_sample *sample, bool nonany_branch_mode)
+ {
+ struct branch_info *bi;
++ struct branch_entry *entries = perf_sample__branch_entries(sample);
+
+ /* If we have branch cycles always annotate them. */
+- if (bs && bs->nr && bs->entries[0].flags.cycles) {
++ if (bs && bs->nr && entries[0].flags.cycles) {
+ int i;
+
+ bi = sample__resolve_bstack(sample, al);
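Review bot: `entries` is derived from `sample->branch_stack` at the top of hist__account_cycles(), before the `bs &&` guard, and that guard tests the `bs` parameter, not the pointer the entries were computed from. perf_sample__branch_entries() only does pointer arithmetic, so nothing is dereferenced early, but for a sample with no branch stack it offsets from NULL, and the code silently assumes `bs == sample->branch_stack`. Moving the lookup behind the guard removes both assumptions: `if (bs && bs->nr && perf_sample__branch_entries(sample)[0].flags.cycles) {`. The machine.c and trace-event-python.c hunks also declare `entries` at function entry, ahead of any NULL check those functions may have outside the hunk. The function body continues past this hunk.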
+diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c
+index b40832419a279..94f11cfe02364 100644
+--- a/tools/perf/util/intel-pt.c
++++ b/tools/perf/util/intel-pt.c
+@@ -1278,6 +1278,7 @@ static int intel_pt_synth_branch_sample(struct intel_pt_queue *ptq)
+ struct perf_sample sample = { .ip = 0, };
+ struct dummy_branch_stack {
+ u64 nr;
++ u64 hw_idx;
+ struct branch_entry entries;
+ } dummy_bs;
+
+@@ -1299,6 +1300,7 @@ static int intel_pt_synth_branch_sample(struct intel_pt_queue *ptq)
+ if (pt->synth_opts.last_branch && sort__mode == SORT_MODE__BRANCH) {
+ dummy_bs = (struct dummy_branch_stack){
+ .nr = 1,
++ .hw_idx = -1ULL,
+ .entries = {
+ .from = sample.ip,
+ .to = sample.addr,
+diff --git a/tools/perf/util/machine.c b/tools/perf/util/machine.c
+index 8c3addc2e9e1e..0046ca19ca1a4 100644
+--- a/tools/perf/util/machine.c
++++ b/tools/perf/util/machine.c
+@@ -2082,15 +2082,16 @@ struct branch_info *sample__resolve_bstack(struct perf_sample *sample,
+ {
+ unsigned int i;
+ const struct branch_stack *bs = sample->branch_stack;
++ struct branch_entry *entries = perf_sample__branch_entries(sample);
+ struct branch_info *bi = calloc(bs->nr, sizeof(struct branch_info));
+
+ if (!bi)
+ return NULL;
+
+ for (i = 0; i < bs->nr; i++) {
+- ip__resolve_ams(al->thread, &bi[i].to, bs->entries[i].to);
+- ip__resolve_ams(al->thread, &bi[i].from, bs->entries[i].from);
+- bi[i].flags = bs->entries[i].flags;
++ ip__resolve_ams(al->thread, &bi[i].to, entries[i].to);
++ ip__resolve_ams(al->thread, &bi[i].from, entries[i].from);
++ bi[i].flags = entries[i].flags;
+ }
+ return bi;
+ }
+@@ -2186,6 +2187,7 @@ static int resolve_lbr_callchain_sample(struct thread *thread,
+ /* LBR only affects the user callchain */
+ if (i != chain_nr) {
+ struct branch_stack *lbr_stack = sample->branch_stack;
++ struct branch_entry *entries = perf_sample__branch_entries(sample);
+ int lbr_nr = lbr_stack->nr, j, k;
+ bool branch;
+ struct branch_flags *flags;
+@@ -2211,31 +2213,29 @@ static int resolve_lbr_callchain_sample(struct thread *thread,
+ ip = chain->ips[j];
+ else if (j > i + 1) {
+ k = j - i - 2;
+- ip = lbr_stack->entries[k].from;
++ ip = entries[k].from;
+ branch = true;
+- flags = &lbr_stack->entries[k].flags;
++ flags = &entries[k].flags;
+ } else {
+- ip = lbr_stack->entries[0].to;
++ ip = entries[0].to;
+ branch = true;
+- flags = &lbr_stack->entries[0].flags;
+- branch_from =
+- lbr_stack->entries[0].from;
++ flags = &entries[0].flags;
++ branch_from = entries[0].from;
+ }
+ } else {
+ if (j < lbr_nr) {
+ k = lbr_nr - j - 1;
+- ip = lbr_stack->entries[k].from;
++ ip = entries[k].from;
+ branch = true;
+- flags = &lbr_stack->entries[k].flags;
++ flags = &entries[k].flags;
+ }
+ else if (j > lbr_nr)
+ ip = chain->ips[i + 1 - (j - lbr_nr)];
+ else {
+- ip = lbr_stack->entries[0].to;
++ ip = entries[0].to;
+ branch = true;
+- flags = &lbr_stack->entries[0].flags;
+- branch_from =
+- lbr_stack->entries[0].from;
++ flags = &entries[0].flags;
++ branch_from = entries[0].from;
+ }
+ }
+
+@@ -2282,6 +2282,7 @@ static int thread__resolve_callchain_sample(struct thread *thread,
+ int max_stack)
+ {
+ struct branch_stack *branch = sample->branch_stack;
++ struct branch_entry *entries = perf_sample__branch_entries(sample);
+ struct ip_callchain *chain = sample->callchain;
+ int chain_nr = 0;
+ u8 cpumode = PERF_RECORD_MISC_USER;
+@@ -2329,7 +2330,7 @@ static int thread__resolve_callchain_sample(struct thread *thread,
+
+ for (i = 0; i < nr; i++) {
+ if (callchain_param.order == ORDER_CALLEE) {
+- be[i] = branch->entries[i];
++ be[i] = entries[i];
+
+ if (chain == NULL)
+ continue;
+@@ -2348,7 +2349,7 @@ static int thread__resolve_callchain_sample(struct thread *thread,
+ be[i].from >= chain->ips[first_call] - 8)
+ first_call++;
+ } else
+- be[i] = branch->entries[branch->nr - i - 1];
++ be[i] = entries[branch->nr - i - 1];
+ }
+
+ memset(iter, 0, sizeof(struct iterations) * nr);
+diff --git a/tools/perf/util/scripting-engines/trace-event-python.c b/tools/perf/util/scripting-engines/trace-event-python.c
+index 3b02c3f1b2895..2bdd10c4c2460 100644
+--- a/tools/perf/util/scripting-engines/trace-event-python.c
++++ b/tools/perf/util/scripting-engines/trace-event-python.c
+@@ -464,6 +464,7 @@ static PyObject *python_process_brstack(struct perf_sample *sample,
+ struct thread *thread)
+ {
+ struct branch_stack *br = sample->branch_stack;
++ struct branch_entry *entries = perf_sample__branch_entries(sample);
+ PyObject *pylist;
+ u64 i;
+
+@@ -484,28 +485,28 @@ static PyObject *python_process_brstack(struct perf_sample *sample,
+ Py_FatalError("couldn't create Python dictionary");
+
+ pydict_set_item_string_decref(pyelem, "from",
+- PyLong_FromUnsignedLongLong(br->entries[i].from));
++ PyLong_FromUnsignedLongLong(entries[i].from));
+ pydict_set_item_string_decref(pyelem, "to",
+- PyLong_FromUnsignedLongLong(br->entries[i].to));
++ PyLong_FromUnsignedLongLong(entries[i].to));
+ pydict_set_item_string_decref(pyelem, "mispred",
+- PyBool_FromLong(br->entries[i].flags.mispred));
++ PyBool_FromLong(entries[i].flags.mispred));
+ pydict_set_item_string_decref(pyelem, "predicted",
+- PyBool_FromLong(br->entries[i].flags.predicted));
++ PyBool_FromLong(entries[i].flags.predicted));
+ pydict_set_item_string_decref(pyelem, "in_tx",
+- PyBool_FromLong(br->entries[i].flags.in_tx));
++ PyBool_FromLong(entries[i].flags.in_tx));
+ pydict_set_item_string_decref(pyelem, "abort",
+- PyBool_FromLong(br->entries[i].flags.abort));
++ PyBool_FromLong(entries[i].flags.abort));
+ pydict_set_item_string_decref(pyelem, "cycles",
+- PyLong_FromUnsignedLongLong(br->entries[i].flags.cycles));
++ PyLong_FromUnsignedLongLong(entries[i].flags.cycles));
+
+ thread__find_map_fb(thread, sample->cpumode,
+- br->entries[i].from, &al);
++ entries[i].from, &al);
+ dsoname = get_dsoname(al.map);
+ pydict_set_item_string_decref(pyelem, "from_dsoname",
+ _PyUnicode_FromString(dsoname));
+
+ thread__find_map_fb(thread, sample->cpumode,
+- br->entries[i].to, &al);
++ entries[i].to, &al);
+ dsoname = get_dsoname(al.map);
+ pydict_set_item_string_decref(pyelem, "to_dsoname",
+ _PyUnicode_FromString(dsoname));
+@@ -561,6 +562,7 @@ static PyObject *python_process_brstacksym(struct perf_sample *sample,
+ struct thread *thread)
+ {
+ struct branch_stack *br = sample->branch_stack;
++ struct branch_entry *entries = perf_sample__branch_entries(sample);
+ PyObject *pylist;
+ u64 i;
+ char bf[512];
+@@ -581,22 +583,22 @@ static PyObject *python_process_brstacksym(struct perf_sample *sample,
+ Py_FatalError("couldn't create Python dictionary");
+
+ thread__find_symbol_fb(thread, sample->cpumode,
+- br->entries[i].from, &al);
++ entries[i].from, &al);
+ get_symoff(al.sym, &al, true, bf, sizeof(bf));
+ pydict_set_item_string_decref(pyelem, "from",
+ _PyUnicode_FromString(bf));
+
+ thread__find_symbol_fb(thread, sample->cpumode,
+- br->entries[i].to, &al);
++ entries[i].to, &al);
+ get_symoff(al.sym, &al, true, bf, sizeof(bf));
+ pydict_set_item_string_decref(pyelem, "to",
+ _PyUnicode_FromString(bf));
+
+- get_br_mspred(&br->entries[i].flags, bf, sizeof(bf));
++ get_br_mspred(&entries[i].flags, bf, sizeof(bf));
+ pydict_set_item_string_decref(pyelem, "pred",
+ _PyUnicode_FromString(bf));
+
+- if (br->entries[i].flags.in_tx) {
++ if (entries[i].flags.in_tx) {
+ pydict_set_item_string_decref(pyelem, "in_tx",
+ _PyUnicode_FromString("X"));
+ } else {
+@@ -604,7 +606,7 @@ static PyObject *python_process_brstacksym(struct perf_sample *sample,
+ _PyUnicode_FromString("-"));
+ }
+
+- if (br->entries[i].flags.abort) {
++ if (entries[i].flags.abort) {
+ pydict_set_item_string_decref(pyelem, "abort",
+ _PyUnicode_FromString("A"));
+ } else {
+diff --git a/tools/perf/util/session.c b/tools/perf/util/session.c
+index 01e15b445cb58..2f08e590c03b1 100644
+--- a/tools/perf/util/session.c
++++ b/tools/perf/util/session.c
+@@ -1003,6 +1003,7 @@ static void callchain__lbr_callstack_printf(struct perf_sample *sample)
+ {
+ struct ip_callchain *callchain = sample->callchain;
+ struct branch_stack *lbr_stack = sample->branch_stack;
++ struct branch_entry *entries = perf_sample__branch_entries(sample);
+ u64 kernel_callchain_nr = callchain->nr;
+ unsigned int i;
+
+@@ -1039,10 +1040,10 @@ static void callchain__lbr_callstack_printf(struct perf_sample *sample)
+ i, callchain->ips[i]);
+
+ printf("..... %2d: %016" PRIx64 "\n",
+- (int)(kernel_callchain_nr), lbr_stack->entries[0].to);
++ (int)(kernel_callchain_nr), entries[0].to);
+ for (i = 0; i < lbr_stack->nr; i++)
+ printf("..... %2d: %016" PRIx64 "\n",
+- (int)(i + kernel_callchain_nr + 1), lbr_stack->entries[i].from);
++ (int)(i + kernel_callchain_nr + 1), entries[i].from);
+ }
+ }
+
+@@ -1064,6 +1065,7 @@ static void callchain__printf(struct evsel *evsel,
+
+ static void branch_stack__printf(struct perf_sample *sample, bool callstack)
+ {
++ struct branch_entry *entries = perf_sample__branch_entries(sample);
+ uint64_t i;
+
+ printf("%s: nr:%" PRIu64 "\n",
+@@ -1071,7 +1073,7 @@ static void branch_stack__printf(struct perf_sample *sample, bool callstack)
+ sample->branch_stack->nr);
+
+ for (i = 0; i < sample->branch_stack->nr; i++) {
+- struct branch_entry *e = &sample->branch_stack->entries[i];
++ struct branch_entry *e = &entries[i];
+
+ if (!callstack) {
+ printf("..... %2"PRIu64": %016" PRIx64 " -> %016" PRIx64 " %hu cycles %s%s%s%s %x\n",
+diff --git a/tools/perf/util/synthetic-events.c b/tools/perf/util/synthetic-events.c
+index 807cbca403a7d..e5fbece642d3c 100644
+--- a/tools/perf/util/synthetic-events.c
++++ b/tools/perf/util/synthetic-events.c
+@@ -1183,7 +1183,8 @@ size_t perf_event__sample_event_size(const struct perf_sample *sample, u64 type,
+
+ if (type & PERF_SAMPLE_BRANCH_STACK) {
+ sz = sample->branch_stack->nr * sizeof(struct branch_entry);
+- sz += sizeof(u64);
++ /* nr, hw_idx */
++ sz += 2 * sizeof(u64);
+ result += sz;
+ }
+
+@@ -1339,7 +1340,8 @@ int perf_event__synthesize_sample(union perf_event *event, u64 type, u64 read_fo
+
+ if (type & PERF_SAMPLE_BRANCH_STACK) {
+ sz = sample->branch_stack->nr * sizeof(struct branch_entry);
+- sz += sizeof(u64);
++ /* nr, hw_idx */
++ sz += 2 * sizeof(u64);
+ memcpy(array, sample->branch_stack, sz);
+ array = (void *)array + sz;
+ }
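Review bot: `sz += 2 * sizeof(u64)` always counts a `hw_idx` slot, but the evsel.c hunk in this same patch treats that slot as optional and records its absence in `sample->no_hw_idx`. If a sample parsed without PERF_SAMPLE_BRANCH_HW_INDEX can reach perf_event__synthesize_sample(), the `memcpy()` here reads eight bytes past the branch entries; the size computation in perf_event__sample_event_size() (previous hunk) makes the same assumption. Whether such a sample can reach these paths is not visible in the hunks, so either state the precondition next to the `/* nr, hw_idx */` comment or size by the flag, e.g. `sz += sizeof(u64) * (sample->no_hw_idx ? 1 : 2);`. Both functions continue outside the hunks.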
+--
+2.42.0
+
--- /dev/null
+From 424404e36557662e2e0e1fa2696cfed8bc98a810 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Oct 2023 22:09:21 +0300
+Subject: platform/x86: thinkpad_acpi: Add battery quirk for Thinkpad X120e
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Olli Asikainen <olli.asikainen@gmail.com>
+
+[ Upstream commit 916646758aea81a143ce89103910f715ed923346 ]
+
+Thinkpad X120e also needs this battery quirk.
+
+Signed-off-by: Olli Asikainen <olli.asikainen@gmail.com>
+Link: https://lore.kernel.org/r/20231024190922.2742-1-olli.asikainen@gmail.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/thinkpad_acpi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c
+index 5d114088c88fb..f0d6bb567d1dc 100644
+--- a/drivers/platform/x86/thinkpad_acpi.c
++++ b/drivers/platform/x86/thinkpad_acpi.c
+@@ -9699,6 +9699,7 @@ static const struct tpacpi_quirk battery_quirk_table[] __initconst = {
+ * Individual addressing is broken on models that expose the
+ * primary battery as BAT1.
+ */
++ TPACPI_Q_LNV('8', 'F', true), /* Thinkpad X120e */
+ TPACPI_Q_LNV('J', '7', true), /* B5400 */
+ TPACPI_Q_LNV('J', 'I', true), /* Thinkpad 11e */
+ TPACPI_Q_LNV3('R', '0', 'B', true), /* Thinkpad 11e gen 3 */
+--
+2.42.0
+
--- /dev/null
+From 466e6f729e6466cc7c776dded5fadcfb34b6f41f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Nov 2023 22:16:32 -0500
+Subject: ppp: limit MRU to 64K
+
+From: Willem de Bruijn <willemb@google.com>
+
+[ Upstream commit c0a2a1b0d631fc460d830f52d06211838874d655 ]
+
+ppp_sync_ioctl allows setting device MRU, but does not sanity check
+this input.
+
+Limit to a sane upper bound of 64KB.
+
+No implementation I could find generates larger than 64KB frames.
+RFC 2823 mentions an upper bound of PPP over SDL of 64KB based on the
+16-bit length field. Other protocols will be smaller, such as PPPoE
+(9KB jumbo frame) and PPPoA (18190 maximum CPCS-SDU size, RFC 2364).
+PPTP and L2TP encapsulate in IP.
+
+Syzbot managed to trigger alloc warning in __alloc_pages:
+
+ if (WARN_ON_ONCE_GFP(order > MAX_ORDER, gfp))
+
+ WARNING: CPU: 1 PID: 37 at mm/page_alloc.c:4544 __alloc_pages+0x3ab/0x4a0 mm/page_alloc.c:4544
+
+ __alloc_skb+0x12b/0x330 net/core/skbuff.c:651
+ __netdev_alloc_skb+0x72/0x3f0 net/core/skbuff.c:715
+ netdev_alloc_skb include/linux/skbuff.h:3225 [inline]
+ dev_alloc_skb include/linux/skbuff.h:3238 [inline]
+ ppp_sync_input drivers/net/ppp/ppp_synctty.c:669 [inline]
+ ppp_sync_receive+0xff/0x680 drivers/net/ppp/ppp_synctty.c:334
+ tty_ldisc_receive_buf+0x14c/0x180 drivers/tty/tty_buffer.c:390
+ tty_port_default_receive_buf+0x70/0xb0 drivers/tty/tty_port.c:37
+ receive_buf drivers/tty/tty_buffer.c:444 [inline]
+ flush_to_ldisc+0x261/0x780 drivers/tty/tty_buffer.c:494
+ process_one_work+0x884/0x15c0 kernel/workqueue.c:2630
+
+With call
+
+ ioctl$PPPIOCSMRU1(r1, 0x40047452, &(0x7f0000000100)=0x5e6417a8)
+
+Similar code exists in other drivers that implement ppp_channel_ops
+ioctl PPPIOCSMRU. Those might also be in scope. Notably excluded from
+this are pppol2tp_ioctl and pppoe_ioctl.
+
+This code goes back to the start of git history.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+6177e1f90d92583bcc58@syzkaller.appspotmail.com
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ppp/ppp_synctty.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ppp/ppp_synctty.c b/drivers/net/ppp/ppp_synctty.c
+index d5af6b06a66a4..55641e01192dd 100644
+--- a/drivers/net/ppp/ppp_synctty.c
++++ b/drivers/net/ppp/ppp_synctty.c
+@@ -463,6 +463,10 @@ ppp_sync_ioctl(struct ppp_channel *chan, unsigned int cmd, unsigned long arg)
+ case PPPIOCSMRU:
+ if (get_user(val, (int __user *) argp))
+ break;
++ if (val > U16_MAX) {
++ err = -EINVAL;
++ break;
++ }
+ if (val < PPP_MRU)
+ val = PPP_MRU;
+ ap->mru = val;
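Review bot: The new `val > U16_MAX` bound has no comment saying where 64K comes from. It also does not explain why an oversized value is rejected with -EINVAL while an undersized one is silently raised to PPP_MRU just below. A line such as `/* no PPP framing exceeds the 16-bit length limit; a larger MRU only inflates the receive skb allocation */` above the check would keep the commit message's rationale in the code. The enclosing switch in ppp_sync_ioctl() starts and ends outside the hunk.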
+--
+2.42.0
+
--- /dev/null
+From 39672046ab06687f88aa101d1fd8dcbeec285841 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Nov 2023 17:48:59 +0000
+Subject: ptp: annotate data-race around q->head and q->tail
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 73bde5a3294853947252cd9092a3517c7cb0cd2d ]
+
+As I was working on a syzbot report, I found that KCSAN would
+probably complain that reading q->head or q->tail without
+barriers could lead to invalid results.
+
+Add corresponding READ_ONCE() and WRITE_ONCE() to avoid
+load-store tearing.
+
+Fixes: d94ba80ebbea ("ptp: Added a brand new class driver for ptp clocks.")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Acked-by: Richard Cochran <richardcochran@gmail.com>
+Link: https://lore.kernel.org/r/20231109174859.3995880-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ptp/ptp_chardev.c | 3 ++-
+ drivers/ptp/ptp_clock.c | 5 +++--
+ drivers/ptp/ptp_private.h | 8 ++++++--
+ drivers/ptp/ptp_sysfs.c | 3 ++-
+ 4 files changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c
+index 9d72ab593f13f..87bd6c072ac2f 100644
+--- a/drivers/ptp/ptp_chardev.c
++++ b/drivers/ptp/ptp_chardev.c
+@@ -443,7 +443,8 @@ ssize_t ptp_read(struct posix_clock *pc,
+
+ for (i = 0; i < cnt; i++) {
+ event[i] = queue->buf[queue->head];
+- queue->head = (queue->head + 1) % PTP_MAX_TIMESTAMPS;
++ /* Paired with READ_ONCE() in queue_cnt() */
++ WRITE_ONCE(queue->head, (queue->head + 1) % PTP_MAX_TIMESTAMPS);
+ }
+
+ spin_unlock_irqrestore(&queue->lock, flags);
+diff --git a/drivers/ptp/ptp_clock.c b/drivers/ptp/ptp_clock.c
+index eedf067ee8e35..a6ff02a02cab1 100644
+--- a/drivers/ptp/ptp_clock.c
++++ b/drivers/ptp/ptp_clock.c
+@@ -55,10 +55,11 @@ static void enqueue_external_timestamp(struct timestamp_event_queue *queue,
+ dst->t.sec = seconds;
+ dst->t.nsec = remainder;
+
++ /* Both WRITE_ONCE() are paired with READ_ONCE() in queue_cnt() */
+ if (!queue_free(queue))
+- queue->head = (queue->head + 1) % PTP_MAX_TIMESTAMPS;
++ WRITE_ONCE(queue->head, (queue->head + 1) % PTP_MAX_TIMESTAMPS);
+
+- queue->tail = (queue->tail + 1) % PTP_MAX_TIMESTAMPS;
++ WRITE_ONCE(queue->tail, (queue->tail + 1) % PTP_MAX_TIMESTAMPS);
+
+ spin_unlock_irqrestore(&queue->lock, flags);
+ }
+diff --git a/drivers/ptp/ptp_private.h b/drivers/ptp/ptp_private.h
+index 6b97155148f11..d2cb956706763 100644
+--- a/drivers/ptp/ptp_private.h
++++ b/drivers/ptp/ptp_private.h
+@@ -55,9 +55,13 @@ struct ptp_clock {
+ * that a writer might concurrently increment the tail does not
+ * matter, since the queue remains nonempty nonetheless.
+ */
+-static inline int queue_cnt(struct timestamp_event_queue *q)
++static inline int queue_cnt(const struct timestamp_event_queue *q)
+ {
+- int cnt = q->tail - q->head;
++ /*
++ * Paired with WRITE_ONCE() in enqueue_external_timestamp(),
++ * ptp_read(), extts_fifo_show().
++ */
++ int cnt = READ_ONCE(q->tail) - READ_ONCE(q->head);
+ return cnt < 0 ? PTP_MAX_TIMESTAMPS + cnt : cnt;
+ }
+
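Review bot: The comment kept above queue_cnt() only reasons about a writer advancing `tail`, but enqueue_external_timestamp() in the ptp_clock.c hunk also advances `head` when the queue is full. READ_ONCE() prevents torn loads, yet the two fields are still sampled separately, so a lockless caller can apparently pair an old `head` with a new `tail` and see a count of 0 on a full queue. I would extend the added comment with `Lockless callers get a hint only; re-check under q->lock before acting on the count.` The lockless call sites are outside these hunks, so whether any of them relies on the value should be confirmed.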
+diff --git a/drivers/ptp/ptp_sysfs.c b/drivers/ptp/ptp_sysfs.c
+index 8cd59e8481631..8d52815e05b31 100644
+--- a/drivers/ptp/ptp_sysfs.c
++++ b/drivers/ptp/ptp_sysfs.c
+@@ -78,7 +78,8 @@ static ssize_t extts_fifo_show(struct device *dev,
+ qcnt = queue_cnt(queue);
+ if (qcnt) {
+ event = queue->buf[queue->head];
+- queue->head = (queue->head + 1) % PTP_MAX_TIMESTAMPS;
++ /* Paired with READ_ONCE() in queue_cnt() */
++ WRITE_ONCE(queue->head, (queue->head + 1) % PTP_MAX_TIMESTAMPS);
+ }
+ spin_unlock_irqrestore(&queue->lock, flags);
+
+--
+2.42.0
+
--- /dev/null
+From efafe0d29be370d12dfe654bfa9358884b34a7e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Oct 2023 14:58:18 +0300
+Subject: pwm: Fix double shift bug
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit d27abbfd4888d79dd24baf50e774631046ac4732 ]
+
+These enums are passed to set/test_bit(). The set/test_bit() functions
+take a bit number instead of a shifted value. Passing a shifted value
+is a double shift bug like doing BIT(BIT(1)). The double shift bug
+doesn't cause a problem here because we are only checking 0 and 1 but
+if the value was 5 or above then it can lead to a buffer overflow.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Reviewed-by: Sam Protsenko <semen.protsenko@linaro.org>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/pwm.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/include/linux/pwm.h b/include/linux/pwm.h
+index b2c9c460947d1..d1c26f5174e53 100644
+--- a/include/linux/pwm.h
++++ b/include/linux/pwm.h
+@@ -44,8 +44,8 @@ struct pwm_args {
+ };
+
+ enum {
+- PWMF_REQUESTED = 1 << 0,
+- PWMF_EXPORTED = 1 << 1,
++ PWMF_REQUESTED = 0,
++ PWMF_EXPORTED = 1,
+ };
+
+ /*
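Review bot: After this change `PWMF_REQUESTED` is 0, so any remaining mask-style use such as `flags & PWMF_REQUESTED` would silently evaluate to false. The hunk does not show the users, so the tree this backport targets should be checked for such uses. The enum also gives no hint that its values are bit numbers; add `/* bit numbers for set_bit()/test_bit(), not masks */` above it.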
+--
+2.42.0
+
--- /dev/null
+From dd6c9c3a6cbd548a80eec9dfd912af86c18d6ade Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Sep 2023 15:56:41 +0300
+Subject: RDMA/hfi1: Use FIELD_GET() to extract Link Width
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+[ Upstream commit 8bf7187d978610b9e327a3d92728c8864a575ebd ]
+
+Use FIELD_GET() to extract PCIe Negotiated Link Width field instead of
+custom masking and shifting, and remove extract_width() which only
+wraps that FIELD_GET().
+
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Link: https://lore.kernel.org/r/20230919125648.1920-2-ilpo.jarvinen@linux.intel.com
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Reviewed-by: Dean Luick <dean.luick@cornelisnetworks.com>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/hfi1/pcie.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/infiniband/hw/hfi1/pcie.c b/drivers/infiniband/hw/hfi1/pcie.c
+index 61362bd6d3ced..111705e6609c9 100644
+--- a/drivers/infiniband/hw/hfi1/pcie.c
++++ b/drivers/infiniband/hw/hfi1/pcie.c
+@@ -45,6 +45,7 @@
+ *
+ */
+
++#include <linux/bitfield.h>
+ #include <linux/pci.h>
+ #include <linux/io.h>
+ #include <linux/delay.h>
+@@ -261,12 +262,6 @@ static u32 extract_speed(u16 linkstat)
+ return speed;
+ }
+
+-/* return the PCIe link speed from the given link status */
+-static u32 extract_width(u16 linkstat)
+-{
+- return (linkstat & PCI_EXP_LNKSTA_NLW) >> PCI_EXP_LNKSTA_NLW_SHIFT;
+-}
+-
+ /* read the link status and set dd->{lbus_width,lbus_speed,lbus_info} */
+ static void update_lbus_info(struct hfi1_devdata *dd)
+ {
+@@ -279,7 +274,7 @@ static void update_lbus_info(struct hfi1_devdata *dd)
+ return;
+ }
+
+- dd->lbus_width = extract_width(linkstat);
++ dd->lbus_width = FIELD_GET(PCI_EXP_LNKSTA_NLW, linkstat);
+ dd->lbus_speed = extract_speed(linkstat);
+ snprintf(dd->lbus_info, sizeof(dd->lbus_info),
+ "PCIe,%uMHz,x%u", dd->lbus_speed, dd->lbus_width);
+--
+2.42.0
+
--- /dev/null
+From ff6137d7c182e131ef288df14f210707c9a15bfe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Oct 2023 21:03:50 +0800
+Subject: scsi: libfc: Fix potential NULL pointer dereference in
+ fc_lport_ptp_setup()
+
+From: Wenchao Hao <haowenchao2@huawei.com>
+
+[ Upstream commit 4df105f0ce9f6f30cda4e99f577150d23f0c9c5f ]
+
+fc_lport_ptp_setup() did not check the return value of fc_rport_create()
+which can return NULL and would cause a NULL pointer dereference. Address
+this issue by checking return value of fc_rport_create() and log error
+message on fc_rport_create() failed.
+
+Signed-off-by: Wenchao Hao <haowenchao2@huawei.com>
+Link: https://lore.kernel.org/r/20231011130350.819571-1-haowenchao2@huawei.com
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/libfc/fc_lport.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/scsi/libfc/fc_lport.c b/drivers/scsi/libfc/fc_lport.c
+index 9399e1455d597..97087eef05dbc 100644
+--- a/drivers/scsi/libfc/fc_lport.c
++++ b/drivers/scsi/libfc/fc_lport.c
+@@ -238,6 +238,12 @@ static void fc_lport_ptp_setup(struct fc_lport *lport,
+ }
+ mutex_lock(&lport->disc.disc_mutex);
+ lport->ptp_rdata = fc_rport_create(lport, remote_fid);
++ if (!lport->ptp_rdata) {
++ printk(KERN_WARNING "libfc: Failed to setup lport 0x%x\n",
++ lport->port_id);
++ mutex_unlock(&lport->disc.disc_mutex);
++ return;
++ }
+ kref_get(&lport->ptp_rdata->kref);
+ lport->ptp_rdata->ids.port_name = remote_wwpn;
+ lport->ptp_rdata->ids.node_name = remote_wwnn;
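Review bot: The new early return leaves `lport->ptp_rdata` NULL, and since fc_lport_ptp_setup() returns void the caller cannot tell that point-to-point setup failed. Any later code that dereferences `lport->ptp_rdata` therefore still needs its own NULL check; those sites are outside the hunk and should be confirmed. The warning also prints only the local port id; including the remote one, `"libfc: Failed to setup lport 0x%x for remote 0x%x\n", lport->port_id, remote_fid`, would make the log line easier to act on. The function starts and ends outside the hunk.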
+--
+2.42.0
+
--- /dev/null
+From 8e8d90e826e94ca53c86fe54879d4eb599648abc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Oct 2023 18:59:21 -0700
+Subject: selftests/efivarfs: create-read: fix a resource leak
+
+From: zhujun2 <zhujun2@cmss.chinamobile.com>
+
+[ Upstream commit 3f6f8a8c5e11a9b384a36df4f40f0c9a653b6975 ]
+
+The opened file should be closed in main(), otherwise resource
+leak will occur that this problem was discovered by code reading
+
+Signed-off-by: zhujun2 <zhujun2@cmss.chinamobile.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/efivarfs/create-read.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tools/testing/selftests/efivarfs/create-read.c b/tools/testing/selftests/efivarfs/create-read.c
+index 9674a19396a32..7bc7af4eb2c17 100644
+--- a/tools/testing/selftests/efivarfs/create-read.c
++++ b/tools/testing/selftests/efivarfs/create-read.c
+@@ -32,8 +32,10 @@ int main(int argc, char **argv)
+ rc = read(fd, buf, sizeof(buf));
+ if (rc != 0) {
+ fprintf(stderr, "Reading a new var should return EOF\n");
++ close(fd);
+ return EXIT_FAILURE;
+ }
+
++ close(fd);
+ return EXIT_SUCCESS;
+ }
+--
+2.42.0
+
--- /dev/null
+locking-ww_mutex-test-fix-potential-workqueue-corrup.patch
+perf-core-bail-out-early-if-the-request-aux-area-is-.patch
+clocksource-drivers-timer-imx-gpt-fix-potential-memo.patch
+clocksource-drivers-timer-atmel-tcb-fix-initializati.patch
+x86-mm-drop-the-4-mb-restriction-on-minimal-numa-nod.patch
+wifi-mac80211_hwsim-fix-clang-specific-fortify-warni.patch
+wifi-mac80211-don-t-return-unset-power-in-ieee80211_.patch
+wifi-ath9k-fix-clang-specific-fortify-warnings.patch
+wifi-ath10k-fix-clang-specific-fortify-warning.patch
+net-annotate-data-races-around-sk-sk_tx_queue_mappin.patch
+net-annotate-data-races-around-sk-sk_dst_pending_con.patch
+wifi-ath10k-don-t-touch-the-ce-interrupt-registers-a.patch
+bluetooth-fix-double-free-in-hci_conn_cleanup.patch
+platform-x86-thinkpad_acpi-add-battery-quirk-for-thi.patch
+drm-komeda-drop-all-currently-held-locks-if-deadlock.patch
+drm-amd-fix-ubsan-array-index-out-of-bounds-for-smu7.patch
+drm-amd-fix-ubsan-array-index-out-of-bounds-for-pola.patch
+drm-amdgpu-fix-a-null-pointer-access-when-the-smc_rr.patch
+selftests-efivarfs-create-read-fix-a-resource-leak.patch
+crypto-pcrypt-fix-hungtask-for-padata_reset.patch
+rdma-hfi1-use-field_get-to-extract-link-width.patch
+fs-jfs-add-check-for-negative-db_l2nbperpage.patch
+fs-jfs-add-validity-check-for-db_maxag-and-db_agpref.patch
+jfs-fix-array-index-out-of-bounds-in-dbfindleaf.patch
+jfs-fix-array-index-out-of-bounds-in-dialloc.patch
+arm-9320-1-fix-stack-depot-irq-stack-filter.patch
+alsa-hda-fix-possible-null-ptr-deref-when-assigning-.patch
+pci-tegra194-use-field_get-field_prep-with-link-widt.patch
+atm-iphase-do-pci-error-checks-on-own-line.patch
+scsi-libfc-fix-potential-null-pointer-dereference-in.patch
+hid-add-quirk-for-dell-pro-wireless-keyboard-and-mou.patch
+tty-vcc-add-check-for-kstrdup-in-vcc_probe.patch
+usb-gadget-f_ncm-always-set-current-gadget-in-ncm_bi.patch
+i2c-sun6i-p2wi-prevent-potential-division-by-zero.patch
+media-gspca-cpia1-shift-out-of-bounds-in-set_flicker.patch
+media-vivid-avoid-integer-overflow.patch
+gfs2-ignore-negated-quota-changes.patch
+media-cobalt-use-field_get-to-extract-link-width.patch
+drm-amd-display-avoid-null-dereference-of-timing-gen.patch
+kgdb-flush-console-before-entering-kgdb-on-panic.patch
+asoc-ti-omap-mcbsp-fix-runtime-pm-underflow-warnings.patch
+pwm-fix-double-shift-bug.patch
+wifi-iwlwifi-use-fw-rate-for-non-data-frames.patch
+perf-tools-add-hw_idx-in-struct-branch_stack.patch
+perf-hist-add-missing-puts-to-hist__account_cycles.patch
+nfsv4.1-fix-sp4_mach_cred-protection-for-pnfs-io.patch
+ipvlan-add-ipvlan_route_v6_outbound-helper.patch
+tty-fix-uninit-value-access-in-ppp_sync_receive.patch
+net-hns3-fix-variable-may-not-initialized-problem-in.patch
+tipc-fix-kernel-infoleak-due-to-uninitialized-tlv-va.patch
+ppp-limit-mru-to-64k.patch
+xen-events-fix-delayed-eoi-list-handling.patch
+ptp-annotate-data-race-around-q-head-and-q-tail.patch
+bonding-stop-the-device-in-bond_setup_by_slave.patch
+net-ethernet-cortina-fix-max-rx-frame-define.patch
+net-ethernet-cortina-handle-large-frames.patch
+net-ethernet-cortina-fix-mtu-max-setting.patch
+netfilter-nf_conntrack_bridge-initialize-err-to-0.patch
+net-stmmac-rework-stmmac_rx.patch
+net-stmmac-fix-rx-budget-limit-check.patch
+net-mlx5e-fix-double-free-of-encap_header.patch
+net-mlx5_core-clean-driver-version-and-name.patch
+net-mlx5e-check-return-value-of-snprintf-writing-to-.patch
+macvlan-don-t-propagate-promisc-change-to-lower-dev-.patch
+tools-power-turbostat-fix-a-knl-bug.patch
+cifs-spnego-add-in-host_key_len.patch
--- /dev/null
+From 01c7a690a46996b32678af6cd1c1efd85da15993 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 11 Nov 2023 01:39:47 +0900
+Subject: tipc: Fix kernel-infoleak due to uninitialized TLV value
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+[ Upstream commit fb317eb23b5ee4c37b0656a9a52a3db58d9dd072 ]
+
+KMSAN reported the following kernel-infoleak issue:
+
+=====================================================
+BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
+BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]
+BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]
+BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
+BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]
+BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x4ec/0x2bc0 lib/iov_iter.c:186
+ instrument_copy_to_user include/linux/instrumented.h:114 [inline]
+ copy_to_user_iter lib/iov_iter.c:24 [inline]
+ iterate_ubuf include/linux/iov_iter.h:29 [inline]
+ iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
+ iterate_and_advance include/linux/iov_iter.h:271 [inline]
+ _copy_to_iter+0x4ec/0x2bc0 lib/iov_iter.c:186
+ copy_to_iter include/linux/uio.h:197 [inline]
+ simple_copy_to_iter net/core/datagram.c:532 [inline]
+ __skb_datagram_iter.5+0x148/0xe30 net/core/datagram.c:420
+ skb_copy_datagram_iter+0x52/0x210 net/core/datagram.c:546
+ skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]
+ netlink_recvmsg+0x43d/0x1630 net/netlink/af_netlink.c:1967
+ sock_recvmsg_nosec net/socket.c:1044 [inline]
+ sock_recvmsg net/socket.c:1066 [inline]
+ __sys_recvfrom+0x476/0x860 net/socket.c:2246
+ __do_sys_recvfrom net/socket.c:2264 [inline]
+ __se_sys_recvfrom net/socket.c:2260 [inline]
+ __x64_sys_recvfrom+0x130/0x200 net/socket.c:2260
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
+ entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+Uninit was created at:
+ slab_post_alloc_hook+0x103/0x9e0 mm/slab.h:768
+ slab_alloc_node mm/slub.c:3478 [inline]
+ kmem_cache_alloc_node+0x5f7/0xb50 mm/slub.c:3523
+ kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:560
+ __alloc_skb+0x2fd/0x770 net/core/skbuff.c:651
+ alloc_skb include/linux/skbuff.h:1286 [inline]
+ tipc_tlv_alloc net/tipc/netlink_compat.c:156 [inline]
+ tipc_get_err_tlv+0x90/0x5d0 net/tipc/netlink_compat.c:170
+ tipc_nl_compat_recv+0x1042/0x15d0 net/tipc/netlink_compat.c:1324
+ genl_family_rcv_msg_doit net/netlink/genetlink.c:972 [inline]
+ genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline]
+ genl_rcv_msg+0x1220/0x12c0 net/netlink/genetlink.c:1067
+ netlink_rcv_skb+0x4a4/0x6a0 net/netlink/af_netlink.c:2545
+ genl_rcv+0x41/0x60 net/netlink/genetlink.c:1076
+ netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
+ netlink_unicast+0xf4b/0x1230 net/netlink/af_netlink.c:1368
+ netlink_sendmsg+0x1242/0x1420 net/netlink/af_netlink.c:1910
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg net/socket.c:745 [inline]
+ ____sys_sendmsg+0x997/0xd60 net/socket.c:2588
+ ___sys_sendmsg+0x271/0x3b0 net/socket.c:2642
+ __sys_sendmsg net/socket.c:2671 [inline]
+ __do_sys_sendmsg net/socket.c:2680 [inline]
+ __se_sys_sendmsg net/socket.c:2678 [inline]
+ __x64_sys_sendmsg+0x2fa/0x4a0 net/socket.c:2678
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
+ entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+Bytes 34-35 of 36 are uninitialized
+Memory access of size 36 starts at ffff88802d464a00
+Data copied to user address 00007ff55033c0a0
+
+CPU: 0 PID: 30322 Comm: syz-executor.0 Not tainted 6.6.0-14500-g1c41041124bd #10
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
+=====================================================
+
+tipc_add_tlv() puts TLV descriptor and value onto `skb`. This size is
+calculated with TLV_SPACE() macro. It adds the size of struct tlv_desc and
+the length of TLV value passed as an argument, and aligns the result to a
+multiple of TLV_ALIGNTO, i.e., a multiple of 4 bytes.
+
+If the size of struct tlv_desc plus the length of TLV value is not aligned,
+the current implementation leaves the remaining bytes uninitialized. This
+is the cause of the above kernel-infoleak issue.
+
+This patch resolves this issue by clearing data up to an aligned size.
+
+Fixes: d0796d1ef63d ("tipc: convert legacy nl bearer dump to nl compat")
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/netlink_compat.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
+index bef28e900b3ed..5c61b8ee7fc09 100644
+--- a/net/tipc/netlink_compat.c
++++ b/net/tipc/netlink_compat.c
+@@ -101,6 +101,7 @@ static int tipc_add_tlv(struct sk_buff *skb, u16 type, void *data, u16 len)
+ return -EMSGSIZE;
+
+ skb_put(skb, TLV_SPACE(len));
++ memset(tlv, 0, TLV_SPACE(len));
+ tlv->tlv_type = htons(type);
+ tlv->tlv_len = htons(TLV_LENGTH(len));
+ if (len && data)
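Review bot: The added `memset(tlv, 0, TLV_SPACE(len));` has no comment saying why the whole aligned span is cleared rather than just the header, so a later cleanup could narrow it and bring the leak back. I would put `/* zero the TLV including its alignment padding; this skb is copied to user space */` above it. The memset also means the value area is zero-filled when `data` is NULL and `len` is non-zero, which the same comment could mention. tipc_add_tlv() starts and ends outside this hunk, so the assignment of `tlv` is not visible here.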
+--
+2.42.0
+
--- /dev/null
+From 41c028e4225490888f00f1ecd93859440d4315de Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Mar 2023 21:57:07 +0800
+Subject: tools/power/turbostat: Fix a knl bug
+
+From: Zhang Rui <rui.zhang@intel.com>
+
+[ Upstream commit 137f01b3529d292a68d22e9681e2f903c768f790 ]
+
+MSR_KNL_CORE_C6_RESIDENCY should be evaluated only if
+1. this is KNL platform
+AND
+2. need to get C6 residency or need to calculate C1 residency
+
+Fix the broken logic introduced by commit 1e9042b9c8d4 ("tools/power
+turbostat: Fix CPU%C1 display value").
+
+Fixes: 1e9042b9c8d4 ("tools/power turbostat: Fix CPU%C1 display value")
+Signed-off-by: Zhang Rui <rui.zhang@intel.com>
+Reviewed-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/x86/turbostat/turbostat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/power/x86/turbostat/turbostat.c b/tools/power/x86/turbostat/turbostat.c
+index 8bf6b01b35608..d4235d1ab912c 100644
+--- a/tools/power/x86/turbostat/turbostat.c
++++ b/tools/power/x86/turbostat/turbostat.c
+@@ -1881,7 +1881,7 @@ int get_counters(struct thread_data *t, struct core_data *c, struct pkg_data *p)
+ if ((DO_BIC(BIC_CPU_c6) || soft_c1_residency_display(BIC_CPU_c6)) && !do_knl_cstates) {
+ if (get_msr(cpu, MSR_CORE_C6_RESIDENCY, &c->c6))
+ return -7;
+- } else if (do_knl_cstates || soft_c1_residency_display(BIC_CPU_c6)) {
++ } else if (do_knl_cstates && soft_c1_residency_display(BIC_CPU_c6)) {
+ if (get_msr(cpu, MSR_KNL_CORE_C6_RESIDENCY, &c->c6))
+ return -7;
+ }
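Review bot: The new `else if` guarding the MSR_KNL_CORE_C6_RESIDENCY read no longer covers the case where only `DO_BIC(BIC_CPU_c6)` is set on a KNL system, because it tests `soft_c1_residency_display(BIC_CPU_c6)` alone. The description says the MSR is needed on KNL when C6 residency is requested or C1 residency has to be calculated. If `soft_c1_residency_display()` can return 0 while `DO_BIC(BIC_CPU_c6)` is true (its body is outside the hunk), `c->c6` is left unread on that platform. A condition that matches the description would be `} else if (do_knl_cstates && (DO_BIC(BIC_CPU_c6) || soft_c1_residency_display(BIC_CPU_c6))) {`. get_counters() continues outside the hunk.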
+--
+2.42.0
+
--- /dev/null
+From fab79ab2563bc6a8bef824035a1fdace421e4e48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Nov 2023 00:44:20 +0900
+Subject: tty: Fix uninit-value access in ppp_sync_receive()
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+[ Upstream commit 719639853d88071dfdfd8d9971eca9c283ff314c ]
+
+KMSAN reported the following uninit-value access issue:
+
+=====================================================
+BUG: KMSAN: uninit-value in ppp_sync_input drivers/net/ppp/ppp_synctty.c:690 [inline]
+BUG: KMSAN: uninit-value in ppp_sync_receive+0xdc9/0xe70 drivers/net/ppp/ppp_synctty.c:334
+ ppp_sync_input drivers/net/ppp/ppp_synctty.c:690 [inline]
+ ppp_sync_receive+0xdc9/0xe70 drivers/net/ppp/ppp_synctty.c:334
+ tiocsti+0x328/0x450 drivers/tty/tty_io.c:2295
+ tty_ioctl+0x808/0x1920 drivers/tty/tty_io.c:2694
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:871 [inline]
+ __se_sys_ioctl+0x211/0x400 fs/ioctl.c:857
+ __x64_sys_ioctl+0x97/0xe0 fs/ioctl.c:857
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
+ entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+Uninit was created at:
+ __alloc_pages+0x75d/0xe80 mm/page_alloc.c:4591
+ __alloc_pages_node include/linux/gfp.h:238 [inline]
+ alloc_pages_node include/linux/gfp.h:261 [inline]
+ __page_frag_cache_refill+0x9a/0x2c0 mm/page_alloc.c:4691
+ page_frag_alloc_align+0x91/0x5d0 mm/page_alloc.c:4722
+ page_frag_alloc include/linux/gfp.h:322 [inline]
+ __netdev_alloc_skb+0x215/0x6d0 net/core/skbuff.c:728
+ netdev_alloc_skb include/linux/skbuff.h:3225 [inline]
+ dev_alloc_skb include/linux/skbuff.h:3238 [inline]
+ ppp_sync_input drivers/net/ppp/ppp_synctty.c:669 [inline]
+ ppp_sync_receive+0x237/0xe70 drivers/net/ppp/ppp_synctty.c:334
+ tiocsti+0x328/0x450 drivers/tty/tty_io.c:2295
+ tty_ioctl+0x808/0x1920 drivers/tty/tty_io.c:2694
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:871 [inline]
+ __se_sys_ioctl+0x211/0x400 fs/ioctl.c:857
+ __x64_sys_ioctl+0x97/0xe0 fs/ioctl.c:857
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
+ entry_SYSCALL_64_after_hwframe+0x63/0x6b
+
+CPU: 0 PID: 12950 Comm: syz-executor.1 Not tainted 6.6.0-14500-g1c41041124bd #10
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
+=====================================================
+
+ppp_sync_input() checks the first 2 bytes of the data are PPP_ALLSTATIONS
+and PPP_UI. However, if the data length is 1 and the first byte is
+PPP_ALLSTATIONS, an access to an uninitialized value occurs when checking
+PPP_UI. This patch resolves this issue by checking the data length.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ppp/ppp_synctty.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ppp/ppp_synctty.c b/drivers/net/ppp/ppp_synctty.c
+index 0f338752c38b9..d5af6b06a66a4 100644
+--- a/drivers/net/ppp/ppp_synctty.c
++++ b/drivers/net/ppp/ppp_synctty.c
+@@ -698,7 +698,7 @@ ppp_sync_input(struct syncppp *ap, const unsigned char *buf,
+
+ /* strip address/control field if present */
+ p = skb->data;
+- if (p[0] == PPP_ALLSTATIONS && p[1] == PPP_UI) {
++ if (skb->len >= 2 && p[0] == PPP_ALLSTATIONS && p[1] == PPP_UI) {
+ /* chop off address/control */
+ if (skb->len < 3)
+ goto err;
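Review bot: A one-byte frame now skips the address/control block entirely and falls through to the code after this hunk, so any later read of `p[1]` or of a two-byte protocol field needs its own length check. That code is outside the hunk and cannot be confirmed from here. I would also add a comment on the changed line, such as `/* check len first: p[1] is uninitialized for a 1-byte frame */`, so the ordering of the `&&` operands is not rearranged later. ppp_sync_input() starts and ends outside the hunk.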
+--
+2.42.0
+
--- /dev/null
+From 313bd3ef43a3e0d002c3c3c74a0103495da97075 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Sep 2023 11:52:20 +0800
+Subject: tty: vcc: Add check for kstrdup() in vcc_probe()
+
+From: Yi Yang <yiyang13@huawei.com>
+
+[ Upstream commit d81ffb87aaa75f842cd7aa57091810353755b3e6 ]
+
+Add check for the return value of kstrdup() and return the error, if it
+fails in order to avoid NULL pointer dereference.
+
+Signed-off-by: Yi Yang <yiyang13@huawei.com>
+Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
+Link: https://lore.kernel.org/r/20230904035220.48164-1-yiyang13@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/vcc.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/tty/vcc.c b/drivers/tty/vcc.c
+index 9ffd42e333b83..6b2d35ac6e3b3 100644
+--- a/drivers/tty/vcc.c
++++ b/drivers/tty/vcc.c
+@@ -587,18 +587,22 @@ static int vcc_probe(struct vio_dev *vdev, const struct vio_device_id *id)
+ return -ENOMEM;
+
+ name = kstrdup(dev_name(&vdev->dev), GFP_KERNEL);
++ if (!name) {
++ rv = -ENOMEM;
++ goto free_port;
++ }
+
+ rv = vio_driver_init(&port->vio, vdev, VDEV_CONSOLE_CON, vcc_versions,
+ ARRAY_SIZE(vcc_versions), NULL, name);
+ if (rv)
+- goto free_port;
++ goto free_name;
+
+ port->vio.debug = vcc_dbg_vio;
+ vcc_ldc_cfg.debug = vcc_dbg_ldc;
+
+ rv = vio_ldc_alloc(&port->vio, &vcc_ldc_cfg, port);
+ if (rv)
+- goto free_port;
++ goto free_name;
+
+ spin_lock_init(&port->lock);
+
+@@ -632,6 +636,11 @@ static int vcc_probe(struct vio_dev *vdev, const struct vio_device_id *id)
+ goto unreg_tty;
+ }
+ port->domain = kstrdup(domain, GFP_KERNEL);
++ if (!port->domain) {
++ rv = -ENOMEM;
++ goto unreg_tty;
++ }
++
+
+ mdesc_release(hp);
+
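Review bot: The new `if (!port->domain)` error path jumps to `unreg_tty` before the `mdesc_release(hp);` that follows on the success path, so the `hp` handle looks to be left unreleased when kstrdup() fails. The cleanup labels visible in the last hunk of this file release only the table entry, the LDC, `name` and `port`; unless `unreg_tty` itself releases `hp` (not visible here), I would add `mdesc_release(hp);` before the new `goto unreg_tty;`. The hunk also adds a second blank line after the closing brace, which can be dropped. vcc_probe() starts and ends outside the hunk.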
+@@ -661,8 +670,9 @@ static int vcc_probe(struct vio_dev *vdev, const struct vio_device_id *id)
+ vcc_table_remove(port->index);
+ free_ldc:
+ vio_ldc_free(&port->vio);
+-free_port:
++free_name:
+ kfree(name);
++free_port:
+ kfree(port);
+
+ return rv;
+--
+2.42.0
+
--- /dev/null
+From 47e78dad48c2d6821ce76e1f566ee97a18893893 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Oct 2023 17:33:24 +0200
+Subject: usb: gadget: f_ncm: Always set current gadget in ncm_bind()
+
+From: Hardik Gajjar <hgajjar@de.adit-jv.com>
+
+[ Upstream commit a04224da1f3424b2c607b12a3bd1f0e302fb8231 ]
+
+Previously, gadget assignment to the net device occurred exclusively
+during the initial binding attempt.
+
+Nevertheless, the gadget pointer could change during bind/unbind
+cycles due to various conditions, including the unloading/loading
+of the UDC device driver or the detachment/reconnection of an
+OTG-capable USB hub device.
+
+This patch relocates the gether_set_gadget() function out from
+ncm_opts->bound condition check, ensuring that the correct gadget
+is assigned during each bind request.
+
+The provided logs demonstrate the consistency of ncm_opts throughout
+the power cycle, while the gadget may change.
+
+* OTG hub connected during boot up and assignment of gadget and
+ ncm_opts pointer
+
+[ 2.366301] usb 2-1.5: New USB device found, idVendor=2996, idProduct=0105
+[ 2.366304] usb 2-1.5: New USB device strings: Mfr=1, Product=2, SerialNumber=3
+[ 2.366306] usb 2-1.5: Product: H2H Bridge
+[ 2.366308] usb 2-1.5: Manufacturer: Aptiv
+[ 2.366309] usb 2-1.5: SerialNumber: 13FEB2021
+[ 2.427989] usb 2-1.5: New USB device found, VID=2996, PID=0105
+[ 2.428959] dabridge 2-1.5:1.0: dabridge 2-4 total endpoints=5, 0000000093a8d681
+[ 2.429710] dabridge 2-1.5:1.0: P(0105) D(22.06.22) F(17.3.16) H(1.1) high-speed
+[ 2.429714] dabridge 2-1.5:1.0: Hub 2-2 P(0151) V(06.87)
+[ 2.429956] dabridge 2-1.5:1.0: All downstream ports in host mode
+
+[ 2.430093] gadget 000000003c414d59 ------> gadget pointer
+
+* NCM opts and associated gadget pointer during First ncm_bind
+
+[ 34.763929] NCM opts 00000000aa304ac9
+[ 34.763930] NCM gadget 000000003c414d59
+
+* OTG-capable hub disconnected, or assume driver unload.
+
+[ 97.203114] usb 2-1: USB disconnect, device number 2
+[ 97.203118] usb 2-1.1: USB disconnect, device number 3
+[ 97.209217] usb 2-1.5: USB disconnect, device number 4
+[ 97.230990] dabr_udc deleted
+
+* Reconnecting the OTG hub or loading the driver assigns a new gadget pointer.
+
+[ 111.534035] usb 2-1.1: New USB device found, idVendor=2996, idProduct=0120, bcdDevice= 6.87
+[ 111.534038] usb 2-1.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
+[ 111.534040] usb 2-1.1: Product: Vendor
+[ 111.534041] usb 2-1.1: Manufacturer: Aptiv
+[ 111.534042] usb 2-1.1: SerialNumber: Superior
+[ 111.535175] usb 2-1.1: New USB device found, VID=2996, PID=0120
+[ 111.610995] usb 2-1.5: new high-speed USB device number 8 using xhci-hcd
+[ 111.630052] usb 2-1.5: New USB device found, idVendor=2996, idProduct=0105, bcdDevice=21.02
+[ 111.630055] usb 2-1.5: New USB device strings: Mfr=1, Product=2, SerialNumber=3
+[ 111.630057] usb 2-1.5: Product: H2H Bridge
+[ 111.630058] usb 2-1.5: Manufacturer: Aptiv
+[ 111.630059] usb 2-1.5: SerialNumber: 13FEB2021
+[ 111.687464] usb 2-1.5: New USB device found, VID=2996, PID=0105
+[ 111.690375] dabridge 2-1.5:1.0: dabridge 2-8 total endpoints=5, 000000000d87c961
+[ 111.691172] dabridge 2-1.5:1.0: P(0105) D(22.06.22) F(17.3.16) H(1.1) high-speed
+[ 111.691176] dabridge 2-1.5:1.0: Hub 2-6 P(0151) V(06.87)
+[ 111.691646] dabridge 2-1.5:1.0: All downstream ports in host mode
+
+[ 111.692298] gadget 00000000dc72f7a9 --------> new gadget ptr on connect
+
+* NCM opts and associated gadget pointer during second ncm_bind
+
+[ 113.271786] NCM opts 00000000aa304ac9 -----> same opts ptr used during first bind
+[ 113.271788] NCM gadget 00000000dc72f7a9 ----> however new gaget ptr, that will not set
+ in net_device due to ncm_opts->bound = true
+
+Signed-off-by: Hardik Gajjar <hgajjar@de.adit-jv.com>
+Link: https://lore.kernel.org/r/20231020153324.82794-1-hgajjar@de.adit-jv.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/function/f_ncm.c | 27 +++++++++++----------------
+ 1 file changed, 11 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/f_ncm.c b/drivers/usb/gadget/function/f_ncm.c
+index 8d23a870b7b7f..2ef2464a50432 100644
+--- a/drivers/usb/gadget/function/f_ncm.c
++++ b/drivers/usb/gadget/function/f_ncm.c
+@@ -1435,7 +1435,7 @@ static int ncm_bind(struct usb_configuration *c, struct usb_function *f)
+ struct usb_composite_dev *cdev = c->cdev;
+ struct f_ncm *ncm = func_to_ncm(f);
+ struct usb_string *us;
+- int status;
++ int status = 0;
+ struct usb_ep *ep;
+ struct f_ncm_opts *ncm_opts;
+
+@@ -1453,22 +1453,17 @@ static int ncm_bind(struct usb_configuration *c, struct usb_function *f)
+ f->os_desc_table[0].os_desc = &ncm_opts->ncm_os_desc;
+ }
+
+- /*
+- * in drivers/usb/gadget/configfs.c:configfs_composite_bind()
+- * configurations are bound in sequence with list_for_each_entry,
+- * in each configuration its functions are bound in sequence
+- * with list_for_each_entry, so we assume no race condition
+- * with regard to ncm_opts->bound access
+- */
+- if (!ncm_opts->bound) {
+- mutex_lock(&ncm_opts->lock);
+- gether_set_gadget(ncm_opts->net, cdev->gadget);
++ mutex_lock(&ncm_opts->lock);
++ gether_set_gadget(ncm_opts->net, cdev->gadget);
++ if (!ncm_opts->bound)
+ status = gether_register_netdev(ncm_opts->net);
+- mutex_unlock(&ncm_opts->lock);
+- if (status)
+- goto fail;
+- ncm_opts->bound = true;
+- }
++ mutex_unlock(&ncm_opts->lock);
++
++ if (status)
++ goto fail;
++
++ ncm_opts->bound = true;
++
+ us = usb_gstrings_attach(cdev, ncm_strings,
+ ARRAY_SIZE(ncm_string_defs));
+ if (IS_ERR(us)) {
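Review bot: `ncm_opts->bound` is now read inside the `ncm_opts->lock` section but still written after `mutex_unlock()`, and the comment that justified unlocked access to it is deleted in this hunk. Either keep a short comment such as `/* binds are serialized by configfs_composite_bind(), so bound needs no lock */`, or set the flag under the mutex right after a successful `gether_register_netdev()`. `gether_set_gadget()` now also runs on a net device that may already be registered; the helper is outside the hunk, so it should be confirmed that it is safe to call after registration. ncm_bind() continues outside the hunk.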
+--
+2.42.0
+
--- /dev/null
+From c60efa48cdb4e7c78a6b7b71e31390e4474f7c6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 Sep 2023 07:54:48 +0300
+Subject: wifi: ath10k: Don't touch the CE interrupt registers after power up
+
+From: Douglas Anderson <dianders@chromium.org>
+
+[ Upstream commit 170c75d43a77dc937c58f07ecf847ba1b42ab74e ]
+
+As talked about in commit d66d24ac300c ("ath10k: Keep track of which
+interrupts fired, don't poll them"), if we access the copy engine
+register at a bad time then ath10k can go boom. However, it's not
+necessarily easy to know when it's safe to access them.
+
+The ChromeOS test labs saw a crash that looked like this at
+shutdown/reboot time (on a chromeos-5.15 kernel, but likely the
+problem could also reproduce upstream):
+
+Internal error: synchronous external abort: 96000010 [#1] PREEMPT SMP
+...
+CPU: 4 PID: 6168 Comm: reboot Not tainted 5.15.111-lockdep-19350-g1d624fe6758f #1 010b9b233ab055c27c6dc88efb0be2f4e9e86f51
+Hardware name: Google Kingoftown (DT)
+...
+pc : ath10k_snoc_read32+0x50/0x74 [ath10k_snoc]
+lr : ath10k_snoc_read32+0x24/0x74 [ath10k_snoc]
+...
+Call trace:
+ath10k_snoc_read32+0x50/0x74 [ath10k_snoc ...]
+ath10k_ce_disable_interrupt+0x190/0x65c [ath10k_core ...]
+ath10k_ce_disable_interrupts+0x8c/0x120 [ath10k_core ...]
+ath10k_snoc_hif_stop+0x78/0x660 [ath10k_snoc ...]
+ath10k_core_stop+0x13c/0x1ec [ath10k_core ...]
+ath10k_halt+0x398/0x5b0 [ath10k_core ...]
+ath10k_stop+0xfc/0x1a8 [ath10k_core ...]
+drv_stop+0x148/0x6b4 [mac80211 ...]
+ieee80211_stop_device+0x70/0x80 [mac80211 ...]
+ieee80211_do_stop+0x10d8/0x15b0 [mac80211 ...]
+ieee80211_stop+0x144/0x1a0 [mac80211 ...]
+__dev_close_many+0x1e8/0x2c0
+dev_close_many+0x198/0x33c
+dev_close+0x140/0x210
+cfg80211_shutdown_all_interfaces+0xc8/0x1e0 [cfg80211 ...]
+ieee80211_remove_interfaces+0x118/0x5c4 [mac80211 ...]
+ieee80211_unregister_hw+0x64/0x1f4 [mac80211 ...]
+ath10k_mac_unregister+0x4c/0xf0 [ath10k_core ...]
+ath10k_core_unregister+0x80/0xb0 [ath10k_core ...]
+ath10k_snoc_free_resources+0xb8/0x1ec [ath10k_snoc ...]
+ath10k_snoc_shutdown+0x98/0xd0 [ath10k_snoc ...]
+platform_shutdown+0x7c/0xa0
+device_shutdown+0x3e0/0x58c
+kernel_restart_prepare+0x68/0xa0
+kernel_restart+0x28/0x7c
+
+Though there's no known way to reproduce the problem, it makes sense
+that it would be the same issue where we're trying to access copy
+engine registers when it's not allowed.
+
+Let's fix this by changing how we "disable" the interrupts. Instead of
+tweaking the copy engine registers we'll just use disable_irq() and
+enable_irq(). Then we'll configure the interrupts once at power up
+time.
+
+Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.3.2.2.c10-00754-QCAHLSWMTPL-1
+
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20230630151842.1.If764ede23c4e09a43a842771c2ddf99608f25f8e@changeid
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/snoc.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/snoc.c b/drivers/net/wireless/ath/ath10k/snoc.c
+index b6762fe2efe26..29d52f7b4336d 100644
+--- a/drivers/net/wireless/ath/ath10k/snoc.c
++++ b/drivers/net/wireless/ath/ath10k/snoc.c
+@@ -821,12 +821,20 @@ static void ath10k_snoc_hif_get_default_pipe(struct ath10k *ar,
+
+ static inline void ath10k_snoc_irq_disable(struct ath10k *ar)
+ {
+- ath10k_ce_disable_interrupts(ar);
++ struct ath10k_snoc *ar_snoc = ath10k_snoc_priv(ar);
++ int id;
++
++ for (id = 0; id < CE_COUNT_MAX; id++)
++ disable_irq(ar_snoc->ce_irqs[id].irq_line);
+ }
+
+ static inline void ath10k_snoc_irq_enable(struct ath10k *ar)
+ {
+- ath10k_ce_enable_interrupts(ar);
++ struct ath10k_snoc *ar_snoc = ath10k_snoc_priv(ar);
++ int id;
++
++ for (id = 0; id < CE_COUNT_MAX; id++)
++ enable_irq(ar_snoc->ce_irqs[id].irq_line);
+ }
+
+ static void ath10k_snoc_rx_pipe_cleanup(struct ath10k_snoc_pipe *snoc_pipe)
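Review bot: `ath10k_snoc_irq_disable()` and `ath10k_snoc_irq_enable()` now depend on the nesting depth kept by `disable_irq()`/`enable_irq()`, and nothing in the two helpers says that calls must be paired. With `IRQF_NO_AUTOEN` added in the `request_irq()` hunk further down, the lines start disabled, so an `irq_disable` before the first `irq_enable`, or two `irq_enable` calls in a row, leaves the depth unbalanced. I would add a comment above the helpers, for example `/* CE IRQs are requested with IRQF_NO_AUTOEN; each irq_enable must be matched by exactly one irq_disable */`. `disable_irq()` also waits for a running handler to finish, so the helper must not be reached from the CE handler itself; the callers are outside the hunk.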
+@@ -1042,6 +1050,8 @@ static int ath10k_snoc_hif_power_up(struct ath10k *ar,
+ goto err_free_rri;
+ }
+
++ ath10k_ce_enable_interrupts(ar);
++
+ return 0;
+
+ err_free_rri:
+@@ -1196,8 +1206,8 @@ static int ath10k_snoc_request_irq(struct ath10k *ar)
+
+ for (id = 0; id < CE_COUNT_MAX; id++) {
+ ret = request_irq(ar_snoc->ce_irqs[id].irq_line,
+- ath10k_snoc_per_engine_handler, 0,
+- ce_name[id], ar);
++ ath10k_snoc_per_engine_handler,
++ IRQF_NO_AUTOEN, ce_name[id], ar);
+ if (ret) {
+ ath10k_err(ar,
+ "failed to register IRQ handler for CE %d: %d",
+--
+2.42.0
+
--- /dev/null
+From 2518c4eb206f14225ea57852c1e4c865237b1d7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Aug 2023 12:36:02 +0300
+Subject: wifi: ath10k: fix clang-specific fortify warning
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit cb4c132ebfeac5962f7258ffc831caa0c4dada1a ]
+
+When compiling with clang 16.0.6 and CONFIG_FORTIFY_SOURCE=y, I've
+noticed the following (somewhat confusing due to absence of an actual
+source code location):
+
+In file included from drivers/net/wireless/ath/ath10k/debug.c:8:
+In file included from ./include/linux/module.h:13:
+In file included from ./include/linux/stat.h:19:
+In file included from ./include/linux/time.h:60:
+In file included from ./include/linux/time32.h:13:
+In file included from ./include/linux/timex.h:67:
+In file included from ./arch/x86/include/asm/timex.h:5:
+In file included from ./arch/x86/include/asm/processor.h:23:
+In file included from ./arch/x86/include/asm/msr.h:11:
+In file included from ./arch/x86/include/asm/cpumask.h:5:
+In file included from ./include/linux/cpumask.h:12:
+In file included from ./include/linux/bitmap.h:11:
+In file included from ./include/linux/string.h:254:
+./include/linux/fortify-string.h:592:4: warning: call to '__read_overflow2_field'
+declared with 'warning' attribute: detected read beyond size of field (2nd
+parameter); maybe use struct_group()? [-Wattribute-warning]
+ __read_overflow2_field(q_size_field, size);
+
+The compiler actually complains about 'ath10k_debug_get_et_strings()', where
+the fortification logic interprets the call to 'memcpy()' as an attempt to copy
+the whole 'ath10k_gstrings_stats' array from its first member and so
+issues an overread warning. This warning may be silenced by passing
+the address of the whole array and not the first member to 'memcpy()'.
+
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20230829093652.234537-1-dmantipov@yandex.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath10k/debug.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath10k/debug.c b/drivers/net/wireless/ath/ath10k/debug.c
+index 04c50a26a4f47..34db968c4bd0b 100644
+--- a/drivers/net/wireless/ath/ath10k/debug.c
++++ b/drivers/net/wireless/ath/ath10k/debug.c
+@@ -1138,7 +1138,7 @@ void ath10k_debug_get_et_strings(struct ieee80211_hw *hw,
+ u32 sset, u8 *data)
+ {
+ if (sset == ETH_SS_STATS)
+- memcpy(data, *ath10k_gstrings_stats,
++ memcpy(data, ath10k_gstrings_stats,
+ sizeof(ath10k_gstrings_stats));
+ }
+
+--
+2.42.0
+
--- /dev/null
+From e342c5a8b4b1aa1d06a418ecdea91204052dc028 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Aug 2023 12:38:12 +0300
+Subject: wifi: ath9k: fix clang-specific fortify warnings
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 95f97fe0ac974467ab4da215985a32b2fdf48af0 ]
+
+When compiling with clang 16.0.6 and CONFIG_FORTIFY_SOURCE=y, I've
+noticed the following (somewhat confusing due to absence of an actual
+source code location):
+
+In file included from drivers/net/wireless/ath/ath9k/debug.c:17:
+In file included from ./include/linux/slab.h:16:
+In file included from ./include/linux/gfp.h:7:
+In file included from ./include/linux/mmzone.h:8:
+In file included from ./include/linux/spinlock.h:56:
+In file included from ./include/linux/preempt.h:79:
+In file included from ./arch/x86/include/asm/preempt.h:9:
+In file included from ./include/linux/thread_info.h:60:
+In file included from ./arch/x86/include/asm/thread_info.h:53:
+In file included from ./arch/x86/include/asm/cpufeature.h:5:
+In file included from ./arch/x86/include/asm/processor.h:23:
+In file included from ./arch/x86/include/asm/msr.h:11:
+In file included from ./arch/x86/include/asm/cpumask.h:5:
+In file included from ./include/linux/cpumask.h:12:
+In file included from ./include/linux/bitmap.h:11:
+In file included from ./include/linux/string.h:254:
+./include/linux/fortify-string.h:592:4: warning: call to '__read_overflow2_field'
+declared with 'warning' attribute: detected read beyond size of field (2nd
+parameter); maybe use struct_group()? [-Wattribute-warning]
+ __read_overflow2_field(q_size_field, size);
+
+In file included from drivers/net/wireless/ath/ath9k/htc_drv_debug.c:17:
+In file included from drivers/net/wireless/ath/ath9k/htc.h:20:
+In file included from ./include/linux/module.h:13:
+In file included from ./include/linux/stat.h:19:
+In file included from ./include/linux/time.h:60:
+In file included from ./include/linux/time32.h:13:
+In file included from ./include/linux/timex.h:67:
+In file included from ./arch/x86/include/asm/timex.h:5:
+In file included from ./arch/x86/include/asm/processor.h:23:
+In file included from ./arch/x86/include/asm/msr.h:11:
+In file included from ./arch/x86/include/asm/cpumask.h:5:
+In file included from ./include/linux/cpumask.h:12:
+In file included from ./include/linux/bitmap.h:11:
+In file included from ./include/linux/string.h:254:
+./include/linux/fortify-string.h:592:4: warning: call to '__read_overflow2_field'
+declared with 'warning' attribute: detected read beyond size of field (2nd
+parameter); maybe use struct_group()? [-Wattribute-warning]
+ __read_overflow2_field(q_size_field, size);
+
+The compiler actually complains about 'ath9k_get_et_strings()' and
+'ath9k_htc_get_et_strings()' for the same reason: the fortification logic
+interprets the call to 'memcpy()' as an attempt to copy the whole array from
+its first member and so issues an overread warning. These warnings may
+be silenced by passing the address of the whole array and not the first
+member to 'memcpy()'.
+
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20230829093856.234584-1-dmantipov@yandex.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/debug.c | 2 +-
+ drivers/net/wireless/ath/ath9k/htc_drv_debug.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/debug.c b/drivers/net/wireless/ath/ath9k/debug.c
+index 859a865c59950..8d98347e0ddff 100644
+--- a/drivers/net/wireless/ath/ath9k/debug.c
++++ b/drivers/net/wireless/ath/ath9k/debug.c
+@@ -1284,7 +1284,7 @@ void ath9k_get_et_strings(struct ieee80211_hw *hw,
+ u32 sset, u8 *data)
+ {
+ if (sset == ETH_SS_STATS)
+- memcpy(data, *ath9k_gstrings_stats,
++ memcpy(data, ath9k_gstrings_stats,
+ sizeof(ath9k_gstrings_stats));
+ }
+
+diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_debug.c b/drivers/net/wireless/ath/ath9k/htc_drv_debug.c
+index c55aab01fff5d..e79bbcd3279af 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_drv_debug.c
++++ b/drivers/net/wireless/ath/ath9k/htc_drv_debug.c
+@@ -428,7 +428,7 @@ void ath9k_htc_get_et_strings(struct ieee80211_hw *hw,
+ u32 sset, u8 *data)
+ {
+ if (sset == ETH_SS_STATS)
+- memcpy(data, *ath9k_htc_gstrings_stats,
++ memcpy(data, ath9k_htc_gstrings_stats,
+ sizeof(ath9k_htc_gstrings_stats));
+ }
+
+--
+2.42.0
+
--- /dev/null
+From 4e124c5800a3d3a7cd23a19c49773b1ea96dc6cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Sep 2023 14:56:45 +0300
+Subject: wifi: iwlwifi: Use FW rate for non-data frames
+
+From: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+
+[ Upstream commit 499d02790495958506a64f37ceda7e97345a50a8 ]
+
+Currently we are setting the rate in the tx cmd for
+mgmt frames (e.g. during connection establishment).
+This was problematic when sending mgmt frames in eSR mode,
+as we don't know what link this frame will be sent on
+(This is decided by the FW), so we don't know what is the
+lowest rate.
+Fix this by not setting the rate in tx cmd and rely
+on FW to choose the right one.
+Set rate only for injected frames with fixed rate,
+or when no sta is given.
+Also set for important frames (EAPOL etc.) the High Priority flag.
+
+Fixes: 055b22e770dd ("iwlwifi: mvm: Set Tx rate and flags when there is not station")
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20230913145231.6c7e59620ee0.I6eaed3ccdd6dd62b9e664facc484081fc5275843@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+index 9a81ce299d0d1..fbcd46aedade3 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+@@ -529,16 +529,20 @@ iwl_mvm_set_tx_params(struct iwl_mvm *mvm, struct sk_buff *skb,
+ flags |= IWL_TX_FLAGS_ENCRYPT_DIS;
+
+ /*
+- * For data packets rate info comes from the fw. Only
+- * set rate/antenna during connection establishment or in case
+- * no station is given.
++ * For data and mgmt packets rate info comes from the fw. Only
++ * set rate/antenna for injected frames with fixed rate, or
++ * when no sta is given.
+ */
+- if (!sta || !ieee80211_is_data(hdr->frame_control) ||
+- mvmsta->sta_state < IEEE80211_STA_AUTHORIZED) {
++ if (unlikely(!sta ||
++ info->control.flags & IEEE80211_TX_CTRL_RATE_INJECT)) {
+ flags |= IWL_TX_FLAGS_CMD_RATE;
+ rate_n_flags =
+ iwl_mvm_get_tx_rate_n_flags(mvm, info, sta,
+ hdr->frame_control);
++ } else if (!ieee80211_is_data(hdr->frame_control) ||
++ mvmsta->sta_state < IEEE80211_STA_AUTHORIZED) {
++ /* These are important frames */
++ flags |= IWL_TX_FLAGS_HIGH_PRI;
+ }
+
+ if (mvm->trans->trans_cfg->device_family >=
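Review bot: The new `else if` branch reads `mvmsta->sta_state`, which is safe only because `!sta` is caught by the first branch, assuming `mvmsta` is derived from `sta` above the hunk. A short comment such as `/* sta is non-NULL here, so mvmsta is valid */` would keep a later reordering of the two branches from introducing a NULL dereference. The first condition also mixes `||` with an unparenthesized `&`; it parses as intended, but `(info->control.flags & IEEE80211_TX_CTRL_RATE_INJECT)` reads more clearly. The comment `/* These are important frames */` could name them, e.g. `/* non-data frames and frames sent before the station is authorized (EAPOL etc.) */`. iwl_mvm_set_tx_params() starts and ends outside the hunk.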
+--
+2.42.0
+
--- /dev/null
+From f3b5bb9c38e468aaa72761cec63c8e926bbb7cec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Feb 2023 10:36:36 +0800
+Subject: wifi: mac80211: don't return unset power in ieee80211_get_tx_power()
+
+From: Ping-Ke Shih <pkshih@realtek.com>
+
+[ Upstream commit e160ab85166e77347d0cbe5149045cb25e83937f ]
+
+We can get a UBSAN warning if ieee80211_get_tx_power() returns the
+INT_MIN value mac80211 internally uses for "unset power level".
+
+ UBSAN: signed-integer-overflow in net/wireless/nl80211.c:3816:5
+ -2147483648 * 100 cannot be represented in type 'int'
+ CPU: 0 PID: 20433 Comm: insmod Tainted: G WC OE
+ Call Trace:
+ dump_stack+0x74/0x92
+ ubsan_epilogue+0x9/0x50
+ handle_overflow+0x8d/0xd0
+ __ubsan_handle_mul_overflow+0xe/0x10
+ nl80211_send_iface+0x688/0x6b0 [cfg80211]
+ [...]
+ cfg80211_register_wdev+0x78/0xb0 [cfg80211]
+ cfg80211_netdev_notifier_call+0x200/0x620 [cfg80211]
+ [...]
+ ieee80211_if_add+0x60e/0x8f0 [mac80211]
+ ieee80211_register_hw+0xda5/0x1170 [mac80211]
+
+In this case, simply return an error instead, to indicate
+that no data is available.
+
+Cc: Zong-Zhe Yang <kevin_yang@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://lore.kernel.org/r/20230203023636.4418-1-pkshih@realtek.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index 9e3bff5aaf8b8..6428c0d371458 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -2581,6 +2581,10 @@ static int ieee80211_get_tx_power(struct wiphy *wiphy,
+ else
+ *dbm = sdata->vif.bss_conf.txpower;
+
++ /* INT_MIN indicates no power level was set yet */
++ if (*dbm == INT_MIN)
++ return -EINVAL;
++
+ return 0;
+ }
+
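Review bot: `*dbm` is assigned from `sdata->vif.bss_conf.txpower` before the added `INT_MIN` test, so on the `-EINVAL` path the caller's variable still holds the sentinel. A caller that ignores the return value would go on to scale INT_MIN just as in the UBSAN trace quoted in the commit message; whether such a caller exists cannot be seen from this hunk. Testing the value before storing it through `dbm`, or at least a comment such as `/* on -EINVAL, *dbm holds INT_MIN and must not be used */`, would make the contract explicit. The function starts above the hunk, so any earlier return path that fills `*dbm` is not shown and may need the same check.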
+--
+2.42.0
+
--- /dev/null
+From ce890e4fe109de8b628d439321cc09b4dff88567 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 29 Aug 2023 12:41:01 +0300
+Subject: wifi: mac80211_hwsim: fix clang-specific fortify warning
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit cbaccdc42483c65016f1bae89128c08dc17cfb2a ]
+
+When compiling with clang 16.0.6 and CONFIG_FORTIFY_SOURCE=y, I've
+noticed the following (somewhat confusing due to absence of an actual
+source code location):
+
+In file included from drivers/net/wireless/virtual/mac80211_hwsim.c:18:
+In file included from ./include/linux/slab.h:16:
+In file included from ./include/linux/gfp.h:7:
+In file included from ./include/linux/mmzone.h:8:
+In file included from ./include/linux/spinlock.h:56:
+In file included from ./include/linux/preempt.h:79:
+In file included from ./arch/x86/include/asm/preempt.h:9:
+In file included from ./include/linux/thread_info.h:60:
+In file included from ./arch/x86/include/asm/thread_info.h:53:
+In file included from ./arch/x86/include/asm/cpufeature.h:5:
+In file included from ./arch/x86/include/asm/processor.h:23:
+In file included from ./arch/x86/include/asm/msr.h:11:
+In file included from ./arch/x86/include/asm/cpumask.h:5:
+In file included from ./include/linux/cpumask.h:12:
+In file included from ./include/linux/bitmap.h:11:
+In file included from ./include/linux/string.h:254:
+./include/linux/fortify-string.h:592:4: warning: call to '__read_overflow2_field'
+declared with 'warning' attribute: detected read beyond size of field (2nd
+parameter); maybe use struct_group()? [-Wattribute-warning]
+ __read_overflow2_field(q_size_field, size);
+
+The compiler actually complains on 'mac80211_hwsim_get_et_strings()' where
+fortification logic interprets call to 'memcpy()' as an attempt to copy the
+whole 'mac80211_hwsim_gstrings_stats' array from its first member and so
+issues an overread warning. This warning may be silenced by passing
+an address of the whole array and not the first member to 'memcpy()'.
+
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Link: https://lore.kernel.org/r/20230829094140.234636-1-dmantipov@yandex.ru
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mac80211_hwsim.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
+index a21739b2f44e6..634e8c1e71cca 100644
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -2323,7 +2323,7 @@ static void mac80211_hwsim_get_et_strings(struct ieee80211_hw *hw,
+ u32 sset, u8 *data)
+ {
+ if (sset == ETH_SS_STATS)
+- memcpy(data, *mac80211_hwsim_gstrings_stats,
++ memcpy(data, mac80211_hwsim_gstrings_stats,
+ sizeof(mac80211_hwsim_gstrings_stats));
+ }
+
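Review bot: The `memcpy()` length is `sizeof(mac80211_hwsim_gstrings_stats)` while `data` arrives as a bare `u8 *` with no length, so nothing in `mac80211_hwsim_get_et_strings()` bounds the write. The destination is presumably sized by the caller from the driver's string-set count callback, which is outside this hunk; if the table and that count ever diverge, the copy overruns the buffer. A comment on the copy stating that dependency, e.g. `/* data is sized by the caller from the ETH_SS_STATS count; keep that count in step with this table */`, would keep the invariant visible to whoever next edits the table.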
+--
+2.42.0
+
--- /dev/null
+From 2fde309fc81c35b4f0af6fd69d0a34504afde866 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Oct 2023 12:42:50 +0200
+Subject: x86/mm: Drop the 4 MB restriction on minimal NUMA node memory size
+
+From: Mike Rapoport (IBM) <rppt@kernel.org>
+
+[ Upstream commit a1e2b8b36820d8c91275f207e77e91645b7c6836 ]
+
+Qi Zheng reported crashes in a production environment and provided a
+simplified example as a reproducer:
+
+ | For example, if we use Qemu to start a two NUMA node kernel,
+ | one of the nodes has 2M memory (less than NODE_MIN_SIZE),
+ | and the other node has 2G, then we will encounter the
+ | following panic:
+ |
+ | BUG: kernel NULL pointer dereference, address: 0000000000000000
+ | <...>
+ | RIP: 0010:_raw_spin_lock_irqsave+0x22/0x40
+ | <...>
+ | Call Trace:
+ | <TASK>
+ | deactivate_slab()
+ | bootstrap()
+ | kmem_cache_init()
+ | start_kernel()
+ | secondary_startup_64_no_verify()
+
+The crashes happen because of inconsistency between the nodemask that
+has nodes with less than 4MB as memoryless, and the actual memory fed
+into the core mm.
+
+The commit:
+
+ 9391a3f9c7f1 ("[PATCH] x86_64: Clear more state when ignoring empty node in SRAT parsing")
+
+... that introduced minimal size of a NUMA node does not explain why
+a node size cannot be less than 4MB and what boot failures this
+restriction might fix.
+
+Fixes have been submitted to the core MM code to tighten up the
+memory topologies it accepts and to not crash on weird input:
+
+ mm: page_alloc: skip memoryless nodes entirely
+ mm: memory_hotplug: drop memoryless node from fallback lists
+
+Andrew has accepted them into the -mm tree, but there are no
+stable SHA1's yet.
+
+This patch drops the limitation for minimal node size on x86:
+
+ - which works around the crash without the fixes to the core MM.
+ - makes x86 topologies less weird,
+ - removes an arbitrary and undocumented limitation on NUMA topologies.
+
+[ mingo: Improved changelog clarity. ]
+
+Reported-by: Qi Zheng <zhengqi.arch@bytedance.com>
+Tested-by: Mario Casquero <mcasquer@redhat.com>
+Signed-off-by: Mike Rapoport (IBM) <rppt@kernel.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Acked-by: David Hildenbrand <david@redhat.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Rik van Riel <riel@surriel.com>
+Link: https://lore.kernel.org/r/ZS+2qqjEO5/867br@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/numa.h | 7 -------
+ arch/x86/mm/numa.c | 7 -------
+ 2 files changed, 14 deletions(-)
+
+diff --git a/arch/x86/include/asm/numa.h b/arch/x86/include/asm/numa.h
+index bbfde3d2662f4..4bcd9d0c7bee7 100644
+--- a/arch/x86/include/asm/numa.h
++++ b/arch/x86/include/asm/numa.h
+@@ -11,13 +11,6 @@
+
+ #define NR_NODE_MEMBLKS (MAX_NUMNODES*2)
+
+-/*
+- * Too small node sizes may confuse the VM badly. Usually they
+- * result from BIOS bugs. So dont recognize nodes as standalone
+- * NUMA entities that have less than this amount of RAM listed:
+- */
+-#define NODE_MIN_SIZE (4*1024*1024)
+-
+ extern int numa_off;
+
+ /*
+diff --git a/arch/x86/mm/numa.c b/arch/x86/mm/numa.c
+index 67c617c4a7f20..7316dca7e846a 100644
+--- a/arch/x86/mm/numa.c
++++ b/arch/x86/mm/numa.c
+@@ -581,13 +581,6 @@ static int __init numa_register_memblks(struct numa_meminfo *mi)
+ if (start >= end)
+ continue;
+
+- /*
+- * Don't confuse VM with a node that doesn't have the
+- * minimum amount of memory:
+- */
+- if (end && (end - start) < NODE_MIN_SIZE)
+- continue;
+-
+ alloc_node_data(nid);
+ }
+
+--
+2.42.0
+
--- /dev/null
+From 7716d34d7bfed067e4d0b86a80306e614632fa43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Sep 2023 17:54:13 +0200
+Subject: xen/events: fix delayed eoi list handling
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit 47d970204054f859f35a2237baa75c2d84fcf436 ]
+
+When delaying eoi handling of events, the related elements are queued
+into the percpu lateeoi list. In case the list isn't empty, the
+elements should be sorted by the time when eoi handling is to happen.
+
+Unfortunately a new element will never be queued at the start of the
+list, even if it has a handling time lower than all other list
+elements.
+
+Fix that by handling that case the same way as for an empty list.
+
+Fixes: e99502f76271 ("xen/events: defer eoi in case of excessive number of events")
+Reported-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/events/events_base.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/xen/events/events_base.c b/drivers/xen/events/events_base.c
+index 230e77f9637cd..91806dc1236de 100644
+--- a/drivers/xen/events/events_base.c
++++ b/drivers/xen/events/events_base.c
+@@ -491,7 +491,9 @@ static void lateeoi_list_add(struct irq_info *info)
+
+ spin_lock_irqsave(&eoi->eoi_list_lock, flags);
+
+- if (list_empty(&eoi->eoi_list)) {
++ elem = list_first_entry_or_null(&eoi->eoi_list, struct irq_info,
++ eoi_list);
++ if (!elem || info->eoi_time < elem->eoi_time) {
+ list_add(&info->eoi_list, &eoi->eoi_list);
+ mod_delayed_work_on(info->eoi_cpu, system_wq,
+ &eoi->delayed, delay);
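Review bot: The new condition in `lateeoi_list_add()` covers two cases, an empty list and an `info->eoi_time` earlier than the current first entry, and nothing in the code says why both take the head-insert path that also re-arms the delayed work. A short comment above the `if`, e.g. `/* New earliest entry (or empty list): queue at head and re-arm the worker for it. */`, would record the ordering invariant that the commit message describes. The `if` body and the rest of the function continue past the end of the hunk, so the insertion path for later entries is not visible here.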
+--
+2.42.0
+