--- /dev/null
+From 358040e3807754944dbddf948a23c6d914297ed7 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 29 Aug 2023 15:43:44 +0200
+Subject: ALSA: pcm: Fix missing fixup call in compat hw_refine ioctl
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 358040e3807754944dbddf948a23c6d914297ed7 upstream.
+
+The update of rate_num/den and msbits were factored out to
+fixup_unreferenced_params() function to be called explicitly after the
+hw_refine or hw_params procedure. It's called from
+snd_pcm_hw_refine_user(), but it's forgotten in the PCM compat ioctl.
+This ended up with the incomplete rate_num/den and msbits parameters
+when 32bit compat ioctl is used.
+
+This patch adds the missing call in snd_pcm_ioctl_hw_params_compat().
+
+Reported-by: Meng_Cai@novatek.com.cn
+Fixes: f9a076bff053 ("ALSA: pcm: calculate non-mask/non-interval parameters always when possible")
+Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Reviewed-by: Jaroslav Kysela <perex@perex.cz>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20230829134344.31588-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/pcm_compat.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/sound/core/pcm_compat.c
++++ b/sound/core/pcm_compat.c
+@@ -253,10 +253,14 @@ static int snd_pcm_ioctl_hw_params_compa
+ goto error;
+ }
+
+- if (refine)
++ if (refine) {
+ err = snd_pcm_hw_refine(substream, data);
+- else
++ if (err < 0)
++ goto error;
++ err = fixup_unreferenced_params(substream, data);
++ } else {
+ err = snd_pcm_hw_params(substream, data);
++ }
+ if (err < 0)
+ goto error;
+ if (copy_to_user(data32, data, sizeof(*data32)) ||
--- /dev/null
+From 847fb80cc01a54bc827b02547bb8743bdb59ddab Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavoars@kernel.org>
+Date: Wed, 7 Jun 2023 22:12:11 -0600
+Subject: ARM: OMAP2+: Fix -Warray-bounds warning in _pwrdm_state_switch()
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+commit 847fb80cc01a54bc827b02547bb8743bdb59ddab upstream.
+
+If function pwrdm_read_prev_pwrst() returns -EINVAL, we will end
+up accessing array pwrdm->state_counter through negative index
+-22. This is wrong and the compiler is legitimately warning us
+about this potential problem.
+
+Fix this by sanity checking the value stored in variable _prev_
+before accessing array pwrdm->state_counter.
+
+Address the following -Warray-bounds warning:
+arch/arm/mach-omap2/powerdomain.c:178:45: warning: array subscript -22 is below array bounds of 'unsigned int[4]' [-Warray-bounds]
+
+Link: https://github.com/KSPP/linux/issues/307
+Fixes: ba20bb126940 ("OMAP: PM counter infrastructure.")
+Cc: stable@vger.kernel.org
+Reported-by: kernel test robot <lkp@intel.com>
+Link: https://lore.kernel.org/lkml/20230607050639.LzbPn%25lkp@intel.com/
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Message-ID: <ZIFVGwImU3kpaGeH@work>
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-omap2/powerdomain.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/mach-omap2/powerdomain.c
++++ b/arch/arm/mach-omap2/powerdomain.c
+@@ -174,7 +174,7 @@ static int _pwrdm_state_switch(struct po
+ break;
+ case PWRDM_STATE_PREV:
+ prev = pwrdm_read_prev_pwrst(pwrdm);
+- if (pwrdm->state != prev)
++ if (prev >= 0 && pwrdm->state != prev)
+ pwrdm->state_counter[prev]++;
+ if (prev == PWRDM_POWER_RET)
+ _update_logic_membank_counters(pwrdm);
--- /dev/null
+From 110e70fccce4f22b53986ae797d665ffb1950aa6 Mon Sep 17 00:00:00 2001
+From: Amit Pundir <amit.pundir@linaro.org>
+Date: Wed, 26 Jul 2023 18:57:19 +0530
+Subject: arm64: dts: qcom: sdm845-db845c: Mark cont splash memory region as reserved
+
+From: Amit Pundir <amit.pundir@linaro.org>
+
+commit 110e70fccce4f22b53986ae797d665ffb1950aa6 upstream.
+
+Adding a reserved memory region for the framebuffer memory
+(the splash memory region set up by the bootloader).
+
+It fixes a kernel panic (arm-smmu: Unhandled context fault
+at this particular memory region) reported on DB845c running
+v5.10.y.
+
+Cc: stable@vger.kernel.org # v5.10+
+Reviewed-by: Caleb Connolly <caleb.connolly@linaro.org>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20230726132719.2117369-2-amit.pundir@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/qcom/sdm845-db845c.dts | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/arch/arm64/boot/dts/qcom/sdm845-db845c.dts
++++ b/arch/arm64/boot/dts/qcom/sdm845-db845c.dts
+@@ -101,6 +101,14 @@
+ };
+ };
+
++ reserved-memory {
++ /* Cont splash region set up by the bootloader */
++ cont_splash_mem: framebuffer@9d400000 {
++ reg = <0x0 0x9d400000 0x0 0x2400000>;
++ no-map;
++ };
++ };
++
+ lt9611_1v8: lt9611-vdd18-regulator {
+ compatible = "regulator-fixed";
+ regulator-name = "LT9611_1V8";
+@@ -506,6 +514,7 @@
+ };
+
+ &mdss {
++ memory-region = <&cont_splash_mem>;
+ status = "okay";
+ };
+
--- /dev/null
+From 2b8272ff4a70b866106ae13c36be7ecbef5d5da2 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Wed, 23 Aug 2023 10:47:02 +0200
+Subject: cpu/hotplug: Prevent self deadlock on CPU hot-unplug
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 2b8272ff4a70b866106ae13c36be7ecbef5d5da2 upstream.
+
+Xiongfeng reported and debugged a self deadlock of the task which initiates
+and controls a CPU hot-unplug operation vs. the CFS bandwidth timer.
+
+ CPU1 CPU2
+
+T1 sets cfs_quota
+ starts hrtimer cfs_bandwidth 'period_timer'
+T1 is migrated to CPU2
+ T1 initiates offlining of CPU1
+Hotplug operation starts
+ ...
+'period_timer' expires and is re-enqueued on CPU1
+ ...
+take_cpu_down()
+ CPU1 shuts down and does not handle timers
+ anymore. They have to be migrated in the
+ post dead hotplug steps by the control task.
+
+ T1 runs the post dead offline operation
+ T1 is scheduled out
+ T1 waits for 'period_timer' to expire
+
+T1 waits there forever if it is scheduled out before it can execute the hrtimer
+offline callback hrtimers_dead_cpu().
+
+Cure this by delegating the hotplug control operation to a worker thread on
+an online CPU. This takes the initiating user space task, which might be
+affected by the bandwidth timer, completely out of the picture.
+
+Reported-by: Xiongfeng Wang <wangxiongfeng2@huawei.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Yu Liao <liaoyu15@huawei.com>
+Acked-by: Vincent Guittot <vincent.guittot@linaro.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/lkml/8e785777-03aa-99e1-d20e-e956f5685be6@huawei.com
+Link: https://lore.kernel.org/r/87h6oqdq0i.ffs@tglx
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/cpu.c | 24 +++++++++++++++++++++++-
+ 1 file changed, 23 insertions(+), 1 deletion(-)
+
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -1467,8 +1467,22 @@ out:
+ return ret;
+ }
+
++struct cpu_down_work {
++ unsigned int cpu;
++ enum cpuhp_state target;
++};
++
++static long __cpu_down_maps_locked(void *arg)
++{
++ struct cpu_down_work *work = arg;
++
++ return _cpu_down(work->cpu, 0, work->target);
++}
++
+ static int cpu_down_maps_locked(unsigned int cpu, enum cpuhp_state target)
+ {
++ struct cpu_down_work work = { .cpu = cpu, .target = target, };
++
+ /*
+ * If the platform does not support hotplug, report it explicitly to
+ * differentiate it from a transient offlining failure.
+@@ -1477,7 +1491,15 @@ static int cpu_down_maps_locked(unsigned
+ return -EOPNOTSUPP;
+ if (cpu_hotplug_disabled)
+ return -EBUSY;
+- return _cpu_down(cpu, 0, target);
++
++ /*
++ * Ensure that the control task does not run on the to be offlined
++ * CPU to prevent a deadlock against cfs_b->period_timer.
++ */
++ cpu = cpumask_any_but(cpu_online_mask, cpu);
++ if (cpu >= nr_cpu_ids)
++ return -EBUSY;
++ return work_on_cpu(cpu, __cpu_down_maps_locked, &work);
+ }
+
+ static int cpu_down(unsigned int cpu, enum cpuhp_state target)
--- /dev/null
+From 4b9c2edaf7282d60e069551b4b28abc2932cd3e3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christoph=20B=C3=B6hmwalder?=
+ <christoph.boehmwalder@linbit.com>
+Date: Wed, 6 Sep 2023 15:30:34 +0200
+Subject: drbd: swap bvec_set_page len and offset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
+
+commit 4b9c2edaf7282d60e069551b4b28abc2932cd3e3 upstream.
+
+bvec_set_page has the following signature:
+
+static inline void bvec_set_page(struct bio_vec *bv, struct page *page,
+ unsigned int len, unsigned int offset)
+
+However, the usage in DRBD swaps the len and offset parameters. This
+leads to a bvec with length=0 instead of the intended length=4096, which
+causes sock_sendmsg to return -EIO.
+
+This leaves DRBD unable to transmit any pages and thus completely
+broken.
+
+Swapping the parameters fixes the regression.
+
+Fixes: eeac7405c735 ("drbd: Use sendmsg(MSG_SPLICE_PAGES) rather than sendpage()")
+Reported-by: Serguei Ivantsov <manowar@gsc-game.com>
+Link: https://lore.kernel.org/regressions/CAKH+VT3YLmAn0Y8=q37UTDShqxDLsqPcQ4hBMzY7HPn7zNx+RQ@mail.gmail.com/
+Cc: stable@vger.kernel.org
+Signed-off-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
+Link: https://lore.kernel.org/r/20230906133034.948817-1-christoph.boehmwalder@linbit.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/drbd/drbd_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/block/drbd/drbd_main.c b/drivers/block/drbd/drbd_main.c
+index 79ab532aabaf..6bc86106c7b2 100644
+--- a/drivers/block/drbd/drbd_main.c
++++ b/drivers/block/drbd/drbd_main.c
+@@ -1557,7 +1557,7 @@ static int _drbd_send_page(struct drbd_peer_device *peer_device, struct page *pa
+ do {
+ int sent;
+
+- bvec_set_page(&bvec, page, offset, len);
++ bvec_set_page(&bvec, page, len, offset);
+ iov_iter_bvec(&msg.msg_iter, ITER_SOURCE, &bvec, 1, len);
+
+ sent = sock_sendmsg(socket, &msg);
+--
+2.42.0
+
--- /dev/null
+From 180b10bd160b014448366e5bc86e0558f8acb74f Mon Sep 17 00:00:00 2001
+From: Daniel Mack <daniel@zonque.org>
+Date: Fri, 1 Sep 2023 14:24:24 +0200
+Subject: gpio: zynq: restore zynq_gpio_irq_reqres/zynq_gpio_irq_relres callbacks
+
+From: Daniel Mack <daniel@zonque.org>
+
+commit 180b10bd160b014448366e5bc86e0558f8acb74f upstream.
+
+Commit f56914393537 ("gpio: zynq: fix zynqmp_gpio not an immutable chip
+warning") ditched the open-coded resource allocation handlers in favor
+of the generic ones. These generic handlers don't maintain the PM
+runtime anymore, which causes a regression in that level IRQs are no
+longer reported.
+
+Restore the original handlers to fix this.
+
+Signed-off-by: Daniel Mack <daniel@zonque.org>
+Fixes: f56914393537 ("gpio: zynq: fix zynqmp_gpio not an immutable chip warning")
+Cc: stable@kernel.org
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-zynq.c | 26 ++++++++++++++++++++++++--
+ 1 file changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpio/gpio-zynq.c b/drivers/gpio/gpio-zynq.c
+index 0a7264aabe48..324e942c0650 100644
+--- a/drivers/gpio/gpio-zynq.c
++++ b/drivers/gpio/gpio-zynq.c
+@@ -575,6 +575,26 @@ static int zynq_gpio_set_wake(struct irq_data *data, unsigned int on)
+ return 0;
+ }
+
++static int zynq_gpio_irq_reqres(struct irq_data *d)
++{
++ struct gpio_chip *chip = irq_data_get_irq_chip_data(d);
++ int ret;
++
++ ret = pm_runtime_resume_and_get(chip->parent);
++ if (ret < 0)
++ return ret;
++
++ return gpiochip_reqres_irq(chip, d->hwirq);
++}
++
++static void zynq_gpio_irq_relres(struct irq_data *d)
++{
++ struct gpio_chip *chip = irq_data_get_irq_chip_data(d);
++
++ gpiochip_relres_irq(chip, d->hwirq);
++ pm_runtime_put(chip->parent);
++}
++
+ /* irq chip descriptor */
+ static const struct irq_chip zynq_gpio_level_irqchip = {
+ .name = DRIVER_NAME,
+@@ -584,9 +604,10 @@ static const struct irq_chip zynq_gpio_level_irqchip = {
+ .irq_unmask = zynq_gpio_irq_unmask,
+ .irq_set_type = zynq_gpio_set_irq_type,
+ .irq_set_wake = zynq_gpio_set_wake,
++ .irq_request_resources = zynq_gpio_irq_reqres,
++ .irq_release_resources = zynq_gpio_irq_relres,
+ .flags = IRQCHIP_EOI_THREADED | IRQCHIP_EOI_IF_HANDLED |
+ IRQCHIP_MASK_ON_SUSPEND | IRQCHIP_IMMUTABLE,
+- GPIOCHIP_IRQ_RESOURCE_HELPERS,
+ };
+
+ static const struct irq_chip zynq_gpio_edge_irqchip = {
+@@ -597,8 +618,9 @@ static const struct irq_chip zynq_gpio_edge_irqchip = {
+ .irq_unmask = zynq_gpio_irq_unmask,
+ .irq_set_type = zynq_gpio_set_irq_type,
+ .irq_set_wake = zynq_gpio_set_wake,
++ .irq_request_resources = zynq_gpio_irq_reqres,
++ .irq_release_resources = zynq_gpio_irq_relres,
+ .flags = IRQCHIP_MASK_ON_SUSPEND | IRQCHIP_IMMUTABLE,
+- GPIOCHIP_IRQ_RESOURCE_HELPERS,
+ };
+
+ static void zynq_gpio_handle_bank_irq(struct zynq_gpio *gpio,
+--
+2.42.0
+
--- /dev/null
+From bb5ed01cd2428cd25b1c88a3a9cba87055eb289f Mon Sep 17 00:00:00 2001
+From: Radoslaw Tyl <radoslawx.tyl@intel.com>
+Date: Thu, 24 Aug 2023 13:46:19 -0700
+Subject: igb: set max size RX buffer when store bad packet is enabled
+
+From: Radoslaw Tyl <radoslawx.tyl@intel.com>
+
+commit bb5ed01cd2428cd25b1c88a3a9cba87055eb289f upstream.
+
+Increase the RX buffer size to 3K when the SBP bit is on. The size of
+the RX buffer determines the number of pages allocated which may not
+be sufficient for receive frames larger than the set MTU size.
+
+Cc: stable@vger.kernel.org
+Fixes: 89eaefb61dc9 ("igb: Support RX-ALL feature flag.")
+Reported-by: Manfred Rudigier <manfred.rudigier@omicronenergy.com>
+Signed-off-by: Radoslaw Tyl <radoslawx.tyl@intel.com>
+Tested-by: Arpana Arland <arpanax.arland@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -4814,6 +4814,10 @@ void igb_configure_rx_ring(struct igb_ad
+ static void igb_set_rx_buffer_len(struct igb_adapter *adapter,
+ struct igb_ring *rx_ring)
+ {
++#if (PAGE_SIZE < 8192)
++ struct e1000_hw *hw = &adapter->hw;
++#endif
++
+ /* set build_skb and buffer size flags */
+ clear_ring_build_skb_enabled(rx_ring);
+ clear_ring_uses_large_buffer(rx_ring);
+@@ -4824,10 +4828,9 @@ static void igb_set_rx_buffer_len(struct
+ set_ring_build_skb_enabled(rx_ring);
+
+ #if (PAGE_SIZE < 8192)
+- if (adapter->max_frame_size <= IGB_MAX_FRAME_BUILD_SKB)
+- return;
+-
+- set_ring_uses_large_buffer(rx_ring);
++ if (adapter->max_frame_size > IGB_MAX_FRAME_BUILD_SKB ||
++ rd32(E1000_RCTL) & E1000_RCTL_SBP)
++ set_ring_uses_large_buffer(rx_ring);
+ #endif
+ }
+
--- /dev/null
+From 6cf1a126de2992b4efe1c3c4d398f8de4aed6e3f Mon Sep 17 00:00:00 2001
+From: Yi Yang <yiyang13@huawei.com>
+Date: Thu, 29 Jun 2023 20:33:28 +0800
+Subject: ipmi_si: fix a memleak in try_smi_init()
+
+From: Yi Yang <yiyang13@huawei.com>
+
+commit 6cf1a126de2992b4efe1c3c4d398f8de4aed6e3f upstream.
+
+Kmemleak reported the following leak info in try_smi_init():
+
+unreferenced object 0xffff00018ecf9400 (size 1024):
+ comm "modprobe", pid 2707763, jiffies 4300851415 (age 773.308s)
+ backtrace:
+ [<000000004ca5b312>] __kmalloc+0x4b8/0x7b0
+ [<00000000953b1072>] try_smi_init+0x148/0x5dc [ipmi_si]
+ [<000000006460d325>] 0xffff800081b10148
+ [<0000000039206ea5>] do_one_initcall+0x64/0x2a4
+ [<00000000601399ce>] do_init_module+0x50/0x300
+ [<000000003c12ba3c>] load_module+0x7a8/0x9e0
+ [<00000000c246fffe>] __se_sys_init_module+0x104/0x180
+ [<00000000eea99093>] __arm64_sys_init_module+0x24/0x30
+ [<0000000021b1ef87>] el0_svc_common.constprop.0+0x94/0x250
+ [<0000000070f4f8b7>] do_el0_svc+0x48/0xe0
+ [<000000005a05337f>] el0_svc+0x24/0x3c
+ [<000000005eb248d6>] el0_sync_handler+0x160/0x164
+ [<0000000030a59039>] el0_sync+0x160/0x180
+
+The problem was that when an error occurred before handlers registration
+and after allocating `new_smi->si_sm`, the variable wouldn't be freed in
+the error handling afterwards since `shutdown_smi()` hadn't been
+registered yet. Fix it by adding a `kfree()` in the error handling path
+in `try_smi_init()`.
+
+Cc: stable@vger.kernel.org # 4.19+
+Fixes: 7960f18a5647 ("ipmi_si: Convert over to a shutdown handler")
+Signed-off-by: Yi Yang <yiyang13@huawei.com>
+Co-developed-by: GONG, Ruiqi <gongruiqi@huaweicloud.com>
+Signed-off-by: GONG, Ruiqi <gongruiqi@huaweicloud.com>
+Message-Id: <20230629123328.2402075-1-gongruiqi@huaweicloud.com>
+Signed-off-by: Corey Minyard <minyard@acm.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/ipmi/ipmi_si_intf.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/char/ipmi/ipmi_si_intf.c
++++ b/drivers/char/ipmi/ipmi_si_intf.c
+@@ -2082,6 +2082,11 @@ static int try_smi_init(struct smi_info
+ new_smi->io.io_cleanup = NULL;
+ }
+
++ if (rv && new_smi->si_sm) {
++ kfree(new_smi->si_sm);
++ new_smi->si_sm = NULL;
++ }
++
+ return rv;
+ }
+
--- /dev/null
+From 7d3c7d2a2914e10bec3b9cdacdadb8e1f65f715a Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Thu, 15 Jun 2023 10:29:07 +0200
+Subject: media: i2c: Add a camera sensor top level menu
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit 7d3c7d2a2914e10bec3b9cdacdadb8e1f65f715a upstream.
+
+Select V4L2_FWNODE and VIDEO_V4L2_SUBDEV_API for all sensor drivers. This
+also adds the options to drivers that don't specifically need them, these
+are still seldom used drivers using old APIs. The upside is that these
+should now all compile --- many drivers have had missing dependencies.
+
+The "menu" is replaced by selectable "menuconfig" to select the needed
+V4L2_FWNODE and VIDEO_V4L2_SUBDEV_API options.
+
+Also select MEDIA_CONTROLLER which VIDEO_V4L2_SUBDEV_API effectively
+depends on, and add the I2C dependency to the menu.
+
+Reported-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Cc: stable@vger.kernel.org # for >= 6.1
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/Kconfig | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/i2c/Kconfig
++++ b/drivers/media/i2c/Kconfig
+@@ -25,8 +25,15 @@ config VIDEO_IR_I2C
+ # V4L2 I2C drivers that are related with Camera support
+ #
+
+-menu "Camera sensor devices"
+- visible if MEDIA_CAMERA_SUPPORT
++menuconfig VIDEO_CAMERA_SENSOR
++ bool "Camera sensor devices"
++ depends on MEDIA_CAMERA_SUPPORT && I2C
++ select MEDIA_CONTROLLER
++ select V4L2_FWNODE
++ select VIDEO_V4L2_SUBDEV_API
++ default y
++
++if VIDEO_CAMERA_SENSOR
+
+ config VIDEO_APTINA_PLL
+ tristate
+@@ -810,7 +817,7 @@ config VIDEO_ST_VGXY61
+ source "drivers/media/i2c/ccs/Kconfig"
+ source "drivers/media/i2c/et8ek8/Kconfig"
+
+-endmenu
++endif
+
+ menu "Lens drivers"
+ visible if MEDIA_CAMERA_SUPPORT
--- /dev/null
+From 607bcc4213d998d051541d8f10b5bbb7d546c0be Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Sat, 29 Jul 2023 20:59:25 +0200
+Subject: media: i2c: ccs: Check rules is non-NULL
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit 607bcc4213d998d051541d8f10b5bbb7d546c0be upstream.
+
+Fix the following smatch warning:
+
+drivers/media/i2c/ccs/ccs-data.c:524 ccs_data_parse_rules() warn: address
+of NULL pointer 'rules'
+
+The CCS static data rule parser does not check an if rule has been
+obtained before checking for other rule types (which depend on the if
+rule). In practice this means parsing invalid CCS static data could lead
+to dereferencing a NULL pointer.
+
+Reported-by: Hans Verkuil <hverkuil@xs4all.nl>
+Fixes: a6b396f410b1 ("media: ccs: Add CCS static data parser library")
+Cc: stable@vger.kernel.org # for 5.11 and up
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ccs/ccs-data.c | 101 +++++++++++++++++++++------------------
+ 1 file changed, 56 insertions(+), 45 deletions(-)
+
+--- a/drivers/media/i2c/ccs/ccs-data.c
++++ b/drivers/media/i2c/ccs/ccs-data.c
+@@ -464,8 +464,7 @@ static int ccs_data_parse_rules(struct b
+ rule_payload = __rule_type + 1;
+ rule_plen2 = rule_plen - sizeof(*__rule_type);
+
+- switch (*__rule_type) {
+- case CCS_DATA_BLOCK_RULE_ID_IF: {
++ if (*__rule_type == CCS_DATA_BLOCK_RULE_ID_IF) {
+ const struct __ccs_data_block_rule_if *__if_rules =
+ rule_payload;
+ const size_t __num_if_rules =
+@@ -514,49 +513,61 @@ static int ccs_data_parse_rules(struct b
+ rules->if_rules = if_rule;
+ rules->num_if_rules = __num_if_rules;
+ }
+- break;
+- }
+- case CCS_DATA_BLOCK_RULE_ID_READ_ONLY_REGS:
+- rval = ccs_data_parse_reg_rules(bin, &rules->read_only_regs,
+- &rules->num_read_only_regs,
+- rule_payload,
+- rule_payload + rule_plen2,
+- dev);
+- if (rval)
+- return rval;
+- break;
+- case CCS_DATA_BLOCK_RULE_ID_FFD:
+- rval = ccs_data_parse_ffd(bin, &rules->frame_format,
+- rule_payload,
+- rule_payload + rule_plen2,
+- dev);
+- if (rval)
+- return rval;
+- break;
+- case CCS_DATA_BLOCK_RULE_ID_MSR:
+- rval = ccs_data_parse_reg_rules(bin,
+- &rules->manufacturer_regs,
+- &rules->num_manufacturer_regs,
+- rule_payload,
+- rule_payload + rule_plen2,
+- dev);
+- if (rval)
+- return rval;
+- break;
+- case CCS_DATA_BLOCK_RULE_ID_PDAF_READOUT:
+- rval = ccs_data_parse_pdaf_readout(bin,
+- &rules->pdaf_readout,
+- rule_payload,
+- rule_payload + rule_plen2,
+- dev);
+- if (rval)
+- return rval;
+- break;
+- default:
+- dev_dbg(dev,
+- "Don't know how to handle rule type %u!\n",
+- *__rule_type);
+- return -EINVAL;
++ } else {
++ /* Check there was an if rule before any other rules */
++ if (bin->base && !rules)
++ return -EINVAL;
++
++ switch (*__rule_type) {
++ case CCS_DATA_BLOCK_RULE_ID_READ_ONLY_REGS:
++ rval = ccs_data_parse_reg_rules(bin,
++ rules ?
++ &rules->read_only_regs : NULL,
++ rules ?
++ &rules->num_read_only_regs : NULL,
++ rule_payload,
++ rule_payload + rule_plen2,
++ dev);
++ if (rval)
++ return rval;
++ break;
++ case CCS_DATA_BLOCK_RULE_ID_FFD:
++ rval = ccs_data_parse_ffd(bin, rules ?
++ &rules->frame_format : NULL,
++ rule_payload,
++ rule_payload + rule_plen2,
++ dev);
++ if (rval)
++ return rval;
++ break;
++ case CCS_DATA_BLOCK_RULE_ID_MSR:
++ rval = ccs_data_parse_reg_rules(bin,
++ rules ?
++ &rules->manufacturer_regs : NULL,
++ rules ?
++ &rules->num_manufacturer_regs : NULL,
++ rule_payload,
++ rule_payload + rule_plen2,
++ dev);
++ if (rval)
++ return rval;
++ break;
++ case CCS_DATA_BLOCK_RULE_ID_PDAF_READOUT:
++ rval = ccs_data_parse_pdaf_readout(bin,
++ rules ?
++ &rules->pdaf_readout : NULL,
++ rule_payload,
++ rule_payload + rule_plen2,
++ dev);
++ if (rval)
++ return rval;
++ break;
++ default:
++ dev_dbg(dev,
++ "Don't know how to handle rule type %u!\n",
++ *__rule_type);
++ return -EINVAL;
++ }
+ }
+ __next_rule = __next_rule + rule_hlen + rule_plen;
+ }
--- /dev/null
+From 0818e739b5c061b0251c30152380600fb9b84c0c Mon Sep 17 00:00:00 2001
+From: "Joel Fernandes (Google)" <joel@joelfernandes.org>
+Date: Mon, 4 Sep 2023 18:08:04 +0000
+Subject: mm/vmalloc: add a safer version of find_vm_area() for debug
+
+From: Joel Fernandes (Google) <joel@joelfernandes.org>
+
+commit 0818e739b5c061b0251c30152380600fb9b84c0c upstream.
+
+It is unsafe to dump vmalloc area information when trying to do so from
+some contexts. Add a safer trylock version of the same function to do a
+best-effort VMA finding and use it from vmalloc_dump_obj().
+
+[applied test robot feedback on unused function fix.]
+[applied Uladzislau feedback on locking.]
+Link: https://lkml.kernel.org/r/20230904180806.1002832-1-joel@joelfernandes.org
+Fixes: 98f180837a89 ("mm: Make mem_dump_obj() handle vmalloc() memory")
+Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>
+Reviewed-by: Uladzislau Rezki (Sony) <urezki@gmail.com>
+Reported-by: Zhen Lei <thunder.leizhen@huaweicloud.com>
+Cc: Paul E. McKenney <paulmck@kernel.org>
+Cc: Zqiang <qiang.zhang1211@gmail.com>
+Cc: <stable@vger.kernel.org>
+Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/vmalloc.c | 26 ++++++++++++++++++++++----
+ 1 file changed, 22 insertions(+), 4 deletions(-)
+
+--- a/mm/vmalloc.c
++++ b/mm/vmalloc.c
+@@ -4278,14 +4278,32 @@ void pcpu_free_vm_areas(struct vm_struct
+ #ifdef CONFIG_PRINTK
+ bool vmalloc_dump_obj(void *object)
+ {
+- struct vm_struct *vm;
+ void *objp = (void *)PAGE_ALIGN((unsigned long)object);
++ const void *caller;
++ struct vm_struct *vm;
++ struct vmap_area *va;
++ unsigned long addr;
++ unsigned int nr_pages;
++
++ if (!spin_trylock(&vmap_area_lock))
++ return false;
++ va = __find_vmap_area((unsigned long)objp, &vmap_area_root);
++ if (!va) {
++ spin_unlock(&vmap_area_lock);
++ return false;
++ }
+
+- vm = find_vm_area(objp);
+- if (!vm)
++ vm = va->vm;
++ if (!vm) {
++ spin_unlock(&vmap_area_lock);
+ return false;
++ }
++ addr = (unsigned long)vm->addr;
++ caller = vm->caller;
++ nr_pages = vm->nr_pages;
++ spin_unlock(&vmap_area_lock);
+ pr_cont(" %u-page vmalloc region starting at %#lx allocated at %pS\n",
+- vm->nr_pages, (unsigned long)vm->addr, vm->caller);
++ nr_pages, addr, caller);
+ return true;
+ }
+ #endif
--- /dev/null
+From 669281ee7ef731fb5204df9d948669bf32a5e68d Mon Sep 17 00:00:00 2001
+From: Kalesh Singh <kaleshsingh@google.com>
+Date: Tue, 1 Aug 2023 19:56:02 -0700
+Subject: Multi-gen LRU: fix per-zone reclaim
+
+From: Kalesh Singh <kaleshsingh@google.com>
+
+commit 669281ee7ef731fb5204df9d948669bf32a5e68d upstream.
+
+MGLRU has a LRU list for each zone for each type (anon/file) in each
+generation:
+
+ long nr_pages[MAX_NR_GENS][ANON_AND_FILE][MAX_NR_ZONES];
+
+The min_seq (oldest generation) can progress independently for each
+type but the max_seq (youngest generation) is shared for both anon and
+file. This is to maintain a common frame of reference.
+
+In order for eviction to advance the min_seq of a type, all the per-zone
+lists in the oldest generation of that type must be empty.
+
+The eviction logic only considers pages from eligible zones for
+eviction or promotion.
+
+ scan_folios() {
+ ...
+ for (zone = sc->reclaim_idx; zone >= 0; zone--) {
+ ...
+ sort_folio(); // Promote
+ ...
+ isolate_folio(); // Evict
+ }
+ ...
+ }
+
+Consider the system has the movable zone configured and default 4
+generations. The current state of the system is as shown below
+(only illustrating one type for simplicity):
+
+Type: ANON
+
+ Zone DMA32 Normal Movable Device
+
+ Gen 0 0 0 4GB 0
+
+ Gen 1 0 1GB 1MB 0
+
+ Gen 2 1MB 4GB 1MB 0
+
+ Gen 3 1MB 1MB 1MB 0
+
+Now consider there is a GFP_KERNEL allocation request (eligible zone
+index <= Normal), evict_folios() will return without doing any work
+since there are no pages to scan in the eligible zones of the oldest
+generation. Reclaim won't make progress until triggered from a ZONE_MOVABLE
+allocation request; which may not happen soon if there is a lot of free
+memory in the movable zone. This can lead to OOM kills, although there
+is 1GB pages in the Normal zone of Gen 1 that we have not yet tried to
+reclaim.
+
+This issue is not seen in the conventional active/inactive LRU since
+there are no per-zone lists.
+
+If there are no (not enough) folios to scan in the eligible zones, move
+folios from ineligible zone (zone_index > reclaim_index) to the next
+generation. This allows for the progression of min_seq and reclaiming
+from the next generation (Gen 1).
+
+Qualcomm, Mediatek and raspberrypi [1] discovered this issue independently.
+
+[1] https://github.com/raspberrypi/linux/issues/5395
+
+Link: https://lkml.kernel.org/r/20230802025606.346758-1-kaleshsingh@google.com
+Fixes: ac35a4902374 ("mm: multi-gen LRU: minimal implementation")
+Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
+Reported-by: Charan Teja Kalla <quic_charante@quicinc.com>
+Reported-by: Lecopzer Chen <lecopzer.chen@mediatek.com>
+Tested-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com> [mediatek]
+Tested-by: Charan Teja Kalla <quic_charante@quicinc.com>
+Cc: Yu Zhao <yuzhao@google.com>
+Cc: Barry Song <baohua@kernel.org>
+Cc: Brian Geffon <bgeffon@google.com>
+Cc: Jan Alexander Steffens (heftig) <heftig@archlinux.org>
+Cc: Matthias Brugger <matthias.bgg@gmail.com>
+Cc: Oleksandr Natalenko <oleksandr@natalenko.name>
+Cc: Qi Zheng <zhengqi.arch@bytedance.com>
+Cc: Steven Barrett <steven@liquorix.net>
+Cc: Suleiman Souhlal <suleiman@google.com>
+Cc: Suren Baghdasaryan <surenb@google.com>
+Cc: Aneesh Kumar K V <aneesh.kumar@linux.ibm.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/vmscan.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+--- a/mm/vmscan.c
++++ b/mm/vmscan.c
+@@ -4891,7 +4891,8 @@ static int lru_gen_memcg_seg(struct lruv
+ * the eviction
+ ******************************************************************************/
+
+-static bool sort_folio(struct lruvec *lruvec, struct folio *folio, int tier_idx)
++static bool sort_folio(struct lruvec *lruvec, struct folio *folio, struct scan_control *sc,
++ int tier_idx)
+ {
+ bool success;
+ int gen = folio_lru_gen(folio);
+@@ -4941,6 +4942,13 @@ static bool sort_folio(struct lruvec *lr
+ return true;
+ }
+
++ /* ineligible */
++ if (zone > sc->reclaim_idx) {
++ gen = folio_inc_gen(lruvec, folio, false);
++ list_move_tail(&folio->lru, &lrugen->folios[gen][type][zone]);
++ return true;
++ }
++
+ /* waiting for writeback */
+ if (folio_test_locked(folio) || folio_test_writeback(folio) ||
+ (type == LRU_GEN_FILE && folio_test_dirty(folio))) {
+@@ -4989,7 +4997,8 @@ static bool isolate_folio(struct lruvec
+ static int scan_folios(struct lruvec *lruvec, struct scan_control *sc,
+ int type, int tier, struct list_head *list)
+ {
+- int gen, zone;
++ int i;
++ int gen;
+ enum vm_event_item item;
+ int sorted = 0;
+ int scanned = 0;
+@@ -5005,9 +5014,10 @@ static int scan_folios(struct lruvec *lr
+
+ gen = lru_gen_from_seq(lrugen->min_seq[type]);
+
+- for (zone = sc->reclaim_idx; zone >= 0; zone--) {
++ for (i = MAX_NR_ZONES; i > 0; i--) {
+ LIST_HEAD(moved);
+ int skipped = 0;
++ int zone = (sc->reclaim_idx + i) % MAX_NR_ZONES;
+ struct list_head *head = &lrugen->folios[gen][type][zone];
+
+ while (!list_empty(head)) {
+@@ -5021,7 +5031,7 @@ static int scan_folios(struct lruvec *lr
+
+ scanned += delta;
+
+- if (sort_folio(lruvec, folio, tier))
++ if (sort_folio(lruvec, folio, sc, tier))
+ sorted += delta;
+ else if (isolate_folio(lruvec, folio, sc)) {
+ list_add(&folio->lru, list);
--- /dev/null
+From 28427f368f0e08d504ed06e74bc7cc79d6d06511 Mon Sep 17 00:00:00 2001
+From: Xiao Liang <shaw.leon@gmail.com>
+Date: Fri, 25 Aug 2023 13:33:27 +0800
+Subject: netfilter: nft_exthdr: Fix non-linear header modification
+
+From: Xiao Liang <shaw.leon@gmail.com>
+
+commit 28427f368f0e08d504ed06e74bc7cc79d6d06511 upstream.
+
+Fix skb_ensure_writable() size. Don't use nft_tcp_header_pointer() to
+make it explicit that pointers point to the packet (not local buffer).
+
+Fixes: 99d1712bc41c ("netfilter: exthdr: tcp option set support")
+Fixes: 7890cbea66e7 ("netfilter: exthdr: add support for tcp option removal")
+Cc: stable@vger.kernel.org
+Signed-off-by: Xiao Liang <shaw.leon@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_exthdr.c | 20 ++++++++------------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+--- a/net/netfilter/nft_exthdr.c
++++ b/net/netfilter/nft_exthdr.c
+@@ -238,7 +238,12 @@ static void nft_exthdr_tcp_set_eval(cons
+ if (!tcph)
+ goto err;
+
++ if (skb_ensure_writable(pkt->skb, nft_thoff(pkt) + tcphdr_len))
++ goto err;
++
++ tcph = (struct tcphdr *)(pkt->skb->data + nft_thoff(pkt));
+ opt = (u8 *)tcph;
++
+ for (i = sizeof(*tcph); i < tcphdr_len - 1; i += optl) {
+ union {
+ __be16 v16;
+@@ -253,15 +258,6 @@ static void nft_exthdr_tcp_set_eval(cons
+ if (i + optl > tcphdr_len || priv->len + priv->offset > optl)
+ goto err;
+
+- if (skb_ensure_writable(pkt->skb,
+- nft_thoff(pkt) + i + priv->len))
+- goto err;
+-
+- tcph = nft_tcp_header_pointer(pkt, sizeof(buff), buff,
+- &tcphdr_len);
+- if (!tcph)
+- goto err;
+-
+ offset = i + priv->offset;
+
+ switch (priv->len) {
+@@ -325,9 +321,9 @@ static void nft_exthdr_tcp_strip_eval(co
+ if (skb_ensure_writable(pkt->skb, nft_thoff(pkt) + tcphdr_len))
+ goto drop;
+
+- opt = (u8 *)nft_tcp_header_pointer(pkt, sizeof(buff), buff, &tcphdr_len);
+- if (!opt)
+- goto err;
++ tcph = (struct tcphdr *)(pkt->skb->data + nft_thoff(pkt));
++ opt = (u8 *)tcph;
++
+ for (i = sizeof(*tcph); i < tcphdr_len - 1; i += optl) {
+ unsigned int j;
+
--- /dev/null
+From e99476497687ef9e850748fe6d232264f30bc8f9 Mon Sep 17 00:00:00 2001
+From: Wander Lairson Costa <wander@redhat.com>
+Date: Mon, 28 Aug 2023 19:12:55 -0300
+Subject: netfilter: xt_sctp: validate the flag_info count
+
+From: Wander Lairson Costa <wander@redhat.com>
+
+commit e99476497687ef9e850748fe6d232264f30bc8f9 upstream.
+
+sctp_mt_check doesn't validate the flag_count field. An attacker can
+take advantage of that to trigger a OOB read and leak memory
+information.
+
+Add the field validation in the checkentry function.
+
+Fixes: 2e4e6a17af35 ("[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables")
+Cc: stable@vger.kernel.org
+Reported-by: Lucas Leong <wmliang@infosec.exchange>
+Signed-off-by: Wander Lairson Costa <wander@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/xt_sctp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/netfilter/xt_sctp.c
++++ b/net/netfilter/xt_sctp.c
+@@ -149,6 +149,8 @@ static int sctp_mt_check(const struct xt
+ {
+ const struct xt_sctp_info *info = par->matchinfo;
+
++ if (info->flag_count > ARRAY_SIZE(info->flag_info))
++ return -EINVAL;
+ if (info->flags & ~XT_SCTP_VALID_FLAGS)
+ return -EINVAL;
+ if (info->invflags & ~XT_SCTP_VALID_FLAGS)
--- /dev/null
+From 69c5d284f67089b4750d28ff6ac6f52ec224b330 Mon Sep 17 00:00:00 2001
+From: Wander Lairson Costa <wander@redhat.com>
+Date: Mon, 28 Aug 2023 10:21:07 -0300
+Subject: netfilter: xt_u32: validate user space input
+
+From: Wander Lairson Costa <wander@redhat.com>
+
+commit 69c5d284f67089b4750d28ff6ac6f52ec224b330 upstream.
+
+The xt_u32 module doesn't validate the fields in the xt_u32 structure.
+An attacker may take advantage of this to trigger an OOB read by setting
+the size fields with a value beyond the arrays boundaries.
+
+Add a checkentry function to validate the structure.
+
+This was originally reported by the ZDI project (ZDI-CAN-18408).
+
+Fixes: 1b50b8a371e9 ("[NETFILTER]: Add u32 match")
+Cc: stable@vger.kernel.org
+Signed-off-by: Wander Lairson Costa <wander@redhat.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/xt_u32.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/net/netfilter/xt_u32.c
++++ b/net/netfilter/xt_u32.c
+@@ -96,11 +96,32 @@ static bool u32_mt(const struct sk_buff
+ return ret ^ data->invert;
+ }
+
++static int u32_mt_checkentry(const struct xt_mtchk_param *par)
++{
++ const struct xt_u32 *data = par->matchinfo;
++ const struct xt_u32_test *ct;
++ unsigned int i;
++
++ if (data->ntests > ARRAY_SIZE(data->tests))
++ return -EINVAL;
++
++ for (i = 0; i < data->ntests; ++i) {
++ ct = &data->tests[i];
++
++ if (ct->nnums > ARRAY_SIZE(ct->location) ||
++ ct->nvalues > ARRAY_SIZE(ct->value))
++ return -EINVAL;
++ }
++
++ return 0;
++}
++
+ static struct xt_match xt_u32_mt_reg __read_mostly = {
+ .name = "u32",
+ .revision = 0,
+ .family = NFPROTO_UNSPEC,
+ .match = u32_mt,
++ .checkentry = u32_mt_checkentry,
+ .matchsize = sizeof(struct xt_u32),
+ .me = THIS_MODULE,
+ };
--- /dev/null
+From 77e0ddf097d6d4ceaf898e088b133b99e0a97fa0 Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Mon, 28 Aug 2023 17:29:46 +0200
+Subject: parisc: ccio-dma: Create private runway procfs root entry
+
+From: Helge Deller <deller@gmx.de>
+
+commit 77e0ddf097d6d4ceaf898e088b133b99e0a97fa0 upstream.
+
+Create an own procfs "runway" root entry for the CCIO driver.
+No need to share it with the sba_iommu driver, as only one
+of those busses can be active in one machine anyway.
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Reported-by: kernel test robot <lkp@intel.com>
+Fixes: 547259580dfa ("parisc: Move proc_mckinley_root and proc_runway_root to sba_iommu")
+Cc: <stable@vger.kernel.org> # v6.5
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/include/asm/runway.h | 3 ---
+ drivers/parisc/ccio-dma.c | 11 +++++++----
+ drivers/parisc/sba_iommu.c | 2 +-
+ 3 files changed, 8 insertions(+), 8 deletions(-)
+
+--- a/arch/parisc/include/asm/runway.h
++++ b/arch/parisc/include/asm/runway.h
+@@ -2,9 +2,6 @@
+ #ifndef ASM_PARISC_RUNWAY_H
+ #define ASM_PARISC_RUNWAY_H
+
+-/* declared in arch/parisc/kernel/setup.c */
+-extern struct proc_dir_entry * proc_runway_root;
+-
+ #define RUNWAY_STATUS 0x10
+ #define RUNWAY_DEBUG 0x40
+
+--- a/drivers/parisc/ccio-dma.c
++++ b/drivers/parisc/ccio-dma.c
+@@ -71,8 +71,6 @@
+ #undef CCIO_COLLECT_STATS
+ #endif
+
+-#include <asm/runway.h> /* for proc_runway_root */
+-
+ #ifdef DEBUG_CCIO_INIT
+ #define DBG_INIT(x...) printk(x)
+ #else
+@@ -1567,10 +1565,15 @@ static int __init ccio_probe(struct pari
+
+ #ifdef CONFIG_PROC_FS
+ if (ioc_count == 0) {
+- proc_create_single(MODULE_NAME, 0, proc_runway_root,
++ struct proc_dir_entry *runway;
++
++ runway = proc_mkdir("bus/runway", NULL);
++ if (runway) {
++ proc_create_single(MODULE_NAME, 0, runway,
+ ccio_proc_info);
+- proc_create_single(MODULE_NAME"-bitmap", 0, proc_runway_root,
++ proc_create_single(MODULE_NAME"-bitmap", 0, runway,
+ ccio_proc_bitmap_info);
++ }
+ }
+ #endif
+ ioc_count++;
+--- a/drivers/parisc/sba_iommu.c
++++ b/drivers/parisc/sba_iommu.c
+@@ -121,7 +121,7 @@ module_param(sba_reserve_agpgart, int, 0
+ MODULE_PARM_DESC(sba_reserve_agpgart, "Reserve half of IO pdir as AGPGART");
+ #endif
+
+-struct proc_dir_entry *proc_runway_root __ro_after_init;
++static struct proc_dir_entry *proc_runway_root __ro_after_init;
+ struct proc_dir_entry *proc_mckinley_root __ro_after_init;
+
+ /************************************
--- /dev/null
+From cdb50033dd6dfcf02ae3d4ee56bc1a9555be6d36 Mon Sep 17 00:00:00 2001
+From: Rick Wertenbroek <rick.wertenbroek@gmail.com>
+Date: Mon, 3 Jul 2023 10:58:45 +0200
+Subject: PCI: rockchip: Use 64-bit mask on MSI 64-bit PCI address
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rick Wertenbroek <rick.wertenbroek@gmail.com>
+
+commit cdb50033dd6dfcf02ae3d4ee56bc1a9555be6d36 upstream.
+
+A 32-bit mask was used on the 64-bit PCI address used for mapping MSIs.
+This would result in the upper 32 bits being unintentionally zeroed and
+MSIs getting mapped to incorrect PCI addresses if the address had any
+of the upper bits set.
+
+Replace 32-bit mask by appropriate 64-bit mask.
+
+[kwilczynski: use GENMASK_ULL() over GENMASK() for 32-bit compatibility]
+Fixes: dc73ed0f1b8b ("PCI: rockchip: Fix window mapping and address translation for endpoint")
+Closes: https://lore.kernel.org/linux-pci/8d19e5b7-8fa0-44a4-90e2-9bb06f5eb694@moroto.mountain
+Link: https://lore.kernel.org/linux-pci/20230703085845.2052008-1-rick.wertenbroek@gmail.com
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Rick Wertenbroek <rick.wertenbroek@gmail.com>
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/pcie-rockchip.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/pci/controller/pcie-rockchip.h
++++ b/drivers/pci/controller/pcie-rockchip.h
+@@ -158,7 +158,9 @@
+ #define PCIE_RC_CONFIG_THP_CAP (PCIE_RC_CONFIG_BASE + 0x274)
+ #define PCIE_RC_CONFIG_THP_CAP_NEXT_MASK GENMASK(31, 20)
+
+-#define PCIE_ADDR_MASK 0xffffff00
++#define MAX_AXI_IB_ROOTPORT_REGION_NUM 3
++#define MIN_AXI_ADDR_BITS_PASSED 8
++#define PCIE_ADDR_MASK GENMASK_ULL(63, MIN_AXI_ADDR_BITS_PASSED)
+ #define PCIE_CORE_AXI_CONF_BASE 0xc00000
+ #define PCIE_CORE_OB_REGION_ADDR0 (PCIE_CORE_AXI_CONF_BASE + 0x0)
+ #define PCIE_CORE_OB_REGION_ADDR0_NUM_BITS 0x3f
+@@ -185,8 +187,6 @@
+ #define AXI_WRAPPER_TYPE1_CFG 0xb
+ #define AXI_WRAPPER_NOR_MSG 0xc
+
+-#define MAX_AXI_IB_ROOTPORT_REGION_NUM 3
+-#define MIN_AXI_ADDR_BITS_PASSED 8
+ #define PCIE_RC_SEND_PME_OFF 0x11960
+ #define ROCKCHIP_VENDOR_ID 0x1d87
+ #define PCIE_LINK_IS_L2(x) \
--- /dev/null
+From 5693d077595de721f9ddbf9d37f40e5409707dfe Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <boris.brezillon@collabora.com>
+Date: Wed, 9 Aug 2023 13:31:08 +0200
+Subject: PM / devfreq: Fix leak in devfreq_dev_release()
+
+From: Boris Brezillon <boris.brezillon@collabora.com>
+
+commit 5693d077595de721f9ddbf9d37f40e5409707dfe upstream.
+
+srcu_init_notifier_head() allocates resources that need to be released
+with a srcu_cleanup_notifier_head() call.
+
+Reported by kmemleak.
+
+Fixes: 0fe3a66410a3 ("PM / devfreq: Add new DEVFREQ_TRANSITION_NOTIFIER notifier")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com>
+Reviewed-by: Dhruva Gole <d-gole@ti.com>
+Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/devfreq/devfreq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/devfreq/devfreq.c
++++ b/drivers/devfreq/devfreq.c
+@@ -763,6 +763,7 @@ static void devfreq_dev_release(struct d
+ dev_pm_opp_put_opp_table(devfreq->opp_table);
+
+ mutex_destroy(&devfreq->lock);
++ srcu_cleanup_notifier_head(&devfreq->transition_notifier_list);
+ kfree(devfreq);
+ }
+
--- /dev/null
+From 53e9e33ede37a247d926db5e4a9e56b55204e66c Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 10 Aug 2023 22:45:32 -0700
+Subject: printk: ringbuffer: Fix truncating buffer size min_t cast
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 53e9e33ede37a247d926db5e4a9e56b55204e66c upstream.
+
+If an output buffer size exceeded U16_MAX, the min_t(u16, ...) cast in
+copy_data() was causing writes to truncate. This manifested as output
+bytes being skipped, seen as %NUL bytes in pstore dumps when the available
+record size was larger than 65536. Fix the cast to no longer truncate
+the calculation.
+
+Cc: Petr Mladek <pmladek@suse.com>
+Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: John Ogness <john.ogness@linutronix.de>
+Reported-by: Vijay Balakrishna <vijayb@linux.microsoft.com>
+Link: https://lore.kernel.org/lkml/d8bb1ec7-a4c5-43a2-9de0-9643a70b899f@linux.microsoft.com/
+Fixes: b6cf8b3f3312 ("printk: add lockless ringbuffer")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Tested-by: Vijay Balakrishna <vijayb@linux.microsoft.com>
+Tested-by: Guilherme G. Piccoli <gpiccoli@igalia.com> # Steam Deck
+Reviewed-by: Tyler Hicks (Microsoft) <code@tyhicks.com>
+Tested-by: Tyler Hicks (Microsoft) <code@tyhicks.com>
+Reviewed-by: John Ogness <john.ogness@linutronix.de>
+Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Reviewed-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Link: https://lore.kernel.org/r/20230811054528.never.165-kees@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/printk/printk_ringbuffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/printk/printk_ringbuffer.c
++++ b/kernel/printk/printk_ringbuffer.c
+@@ -1735,7 +1735,7 @@ static bool copy_data(struct prb_data_ri
+ if (!buf || !buf_size)
+ return true;
+
+- data_size = min_t(u16, buf_size, len);
++ data_size = min_t(unsigned int, buf_size, len);
+
+ memcpy(&buf[0], data, data_size); /* LMM(copy_data:A) */
+ return true;
--- /dev/null
+From c83ad36a18c02c0f51280b50272327807916987f Mon Sep 17 00:00:00 2001
+From: Zqiang <qiang.zhang1211@gmail.com>
+Date: Mon, 4 Sep 2023 18:08:05 +0000
+Subject: rcu: dump vmalloc memory info safely
+
+From: Zqiang <qiang.zhang1211@gmail.com>
+
+commit c83ad36a18c02c0f51280b50272327807916987f upstream.
+
+Currently, for double invoke call_rcu(), will dump rcu_head objects memory
+info, if the objects is not allocated from the slab allocator, the
+vmalloc_dump_obj() will be invoke and the vmap_area_lock spinlock need to
+be held, since the call_rcu() can be invoked in interrupt context,
+therefore, there is a possibility of spinlock deadlock scenarios.
+
+And in Preempt-RT kernel, the rcutorture test also trigger the following
+lockdep warning:
+
+BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
+in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1, name: swapper/0
+preempt_count: 1, expected: 0
+RCU nest depth: 1, expected: 1
+3 locks held by swapper/0/1:
+ #0: ffffffffb534ee80 (fullstop_mutex){+.+.}-{4:4}, at: torture_init_begin+0x24/0xa0
+ #1: ffffffffb5307940 (rcu_read_lock){....}-{1:3}, at: rcu_torture_init+0x1ec7/0x2370
+ #2: ffffffffb536af40 (vmap_area_lock){+.+.}-{3:3}, at: find_vmap_area+0x1f/0x70
+irq event stamp: 565512
+hardirqs last enabled at (565511): [<ffffffffb379b138>] __call_rcu_common+0x218/0x940
+hardirqs last disabled at (565512): [<ffffffffb5804262>] rcu_torture_init+0x20b2/0x2370
+softirqs last enabled at (399112): [<ffffffffb36b2586>] __local_bh_enable_ip+0x126/0x170
+softirqs last disabled at (399106): [<ffffffffb43fef59>] inet_register_protosw+0x9/0x1d0
+Preemption disabled at:
+[<ffffffffb58040c3>] rcu_torture_init+0x1f13/0x2370
+CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 6.5.0-rc4-rt2-yocto-preempt-rt+ #15
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x68/0xb0
+ dump_stack+0x14/0x20
+ __might_resched+0x1aa/0x280
+ ? __pfx_rcu_torture_err_cb+0x10/0x10
+ rt_spin_lock+0x53/0x130
+ ? find_vmap_area+0x1f/0x70
+ find_vmap_area+0x1f/0x70
+ vmalloc_dump_obj+0x20/0x60
+ mem_dump_obj+0x22/0x90
+ __call_rcu_common+0x5bf/0x940
+ ? debug_smp_processor_id+0x1b/0x30
+ call_rcu_hurry+0x14/0x20
+ rcu_torture_init+0x1f82/0x2370
+ ? __pfx_rcu_torture_leak_cb+0x10/0x10
+ ? __pfx_rcu_torture_leak_cb+0x10/0x10
+ ? __pfx_rcu_torture_init+0x10/0x10
+ do_one_initcall+0x6c/0x300
+ ? debug_smp_processor_id+0x1b/0x30
+ kernel_init_freeable+0x2b9/0x540
+ ? __pfx_kernel_init+0x10/0x10
+ kernel_init+0x1f/0x150
+ ret_from_fork+0x40/0x50
+ ? __pfx_kernel_init+0x10/0x10
+ ret_from_fork_asm+0x1b/0x30
+ </TASK>
+
+The previous patch fixes this by using the deadlock-safe best-effort
+version of find_vm_area. However, in case of failure print the fact that
+the pointer was a vmalloc pointer so that we print at least something.
+
+Link: https://lkml.kernel.org/r/20230904180806.1002832-2-joel@joelfernandes.org
+Fixes: 98f180837a89 ("mm: Make mem_dump_obj() handle vmalloc() memory")
+Signed-off-by: Zqiang <qiang.zhang1211@gmail.com>
+Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>
+Reported-by: Zhen Lei <thunder.leizhen@huaweicloud.com>
+Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: Paul E. McKenney <paulmck@kernel.org>
+Cc: Uladzislau Rezki (Sony) <urezki@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/util.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/mm/util.c
++++ b/mm/util.c
+@@ -1071,7 +1071,9 @@ void mem_dump_obj(void *object)
+ if (vmalloc_dump_obj(object))
+ return;
+
+- if (virt_addr_valid(object))
++ if (is_vmalloc_addr(object))
++ type = "vmalloc memory";
++ else if (virt_addr_valid(object))
+ type = "non-slab/vmalloc memory";
+ else if (object == NULL)
+ type = "NULL pointer";
--- /dev/null
+From dd7664d67b478afeb79a89e4586c2cd7707d17d6 Mon Sep 17 00:00:00 2001
+From: Alexandre Ghiti <alexghiti@rivosinc.com>
+Date: Tue, 4 Jul 2023 09:43:56 +0200
+Subject: riscv: Mark KASAN tmp* page tables variables as static
+
+From: Alexandre Ghiti <alexghiti@rivosinc.com>
+
+commit dd7664d67b478afeb79a89e4586c2cd7707d17d6 upstream.
+
+tmp_pg_dir, tmp_p4d and tmp_pud are only used in kasan_init.c so they
+should be declared as static.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202306282202.bODptiGE-lkp@intel.com/
+Fixes: 96f9d4daf745 ("riscv: Rework kasan population functions")
+Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Link: https://lore.kernel.org/r/20230704074357.233982-1-alexghiti@rivosinc.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/mm/kasan_init.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/riscv/mm/kasan_init.c
++++ b/arch/riscv/mm/kasan_init.c
+@@ -22,9 +22,9 @@
+ * region is not and then we have to go down to the PUD level.
+ */
+
+-pgd_t tmp_pg_dir[PTRS_PER_PGD] __page_aligned_bss;
+-p4d_t tmp_p4d[PTRS_PER_P4D] __page_aligned_bss;
+-pud_t tmp_pud[PTRS_PER_PUD] __page_aligned_bss;
++static pgd_t tmp_pg_dir[PTRS_PER_PGD] __page_aligned_bss;
++static p4d_t tmp_p4d[PTRS_PER_P4D] __page_aligned_bss;
++static pud_t tmp_pud[PTRS_PER_PUD] __page_aligned_bss;
+
+ static void __init kasan_populate_pte(pmd_t *pmd, unsigned long vaddr, unsigned long end)
+ {
--- /dev/null
+From 9bdd924803787ceeb10f1ea399e91d75fb05d3a7 Mon Sep 17 00:00:00 2001
+From: Alexandre Ghiti <alexghiti@rivosinc.com>
+Date: Tue, 4 Jul 2023 09:43:57 +0200
+Subject: riscv: Move create_tmp_mapping() to init sections
+
+From: Alexandre Ghiti <alexghiti@rivosinc.com>
+
+commit 9bdd924803787ceeb10f1ea399e91d75fb05d3a7 upstream.
+
+This function is only used at boot time so mark it as __init.
+
+Fixes: 96f9d4daf745 ("riscv: Rework kasan population functions")
+Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Link: https://lore.kernel.org/r/20230704074357.233982-2-alexghiti@rivosinc.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/mm/kasan_init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/riscv/mm/kasan_init.c
++++ b/arch/riscv/mm/kasan_init.c
+@@ -438,7 +438,7 @@ static void __init kasan_shallow_populat
+ kasan_shallow_populate_pgd(vaddr, vend);
+ }
+
+-static void create_tmp_mapping(void)
++static void __init create_tmp_mapping(void)
+ {
+ void *ptr;
+ p4d_t *base_p4d;
--- /dev/null
+From f669b8a683e4ee26fa5cafe19d71cec1786b556a Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Fri, 21 Jul 2023 09:01:32 -0700
+Subject: scsi: core: Fix the scsi_set_resid() documentation
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit f669b8a683e4ee26fa5cafe19d71cec1786b556a upstream.
+
+Because scsi_finish_command() subtracts the residual from the buffer
+length, residual overflows must not be reported. Reflect this in the SCSI
+documentation. See also commit 9237f04e12cc ("scsi: core: Fix
+scsi_get/set_resid() interface")
+
+Cc: Damien Le Moal <dlemoal@kernel.org>
+Cc: Hannes Reinecke <hare@suse.de>
+Cc: Douglas Gilbert <dgilbert@interlog.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Link: https://lore.kernel.org/r/20230721160154.874010-2-bvanassche@acm.org
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/scsi/scsi_mid_low_api.rst | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/Documentation/scsi/scsi_mid_low_api.rst
++++ b/Documentation/scsi/scsi_mid_low_api.rst
+@@ -1190,11 +1190,11 @@ Members of interest:
+ - pointer to scsi_device object that this command is
+ associated with.
+ resid
+- - an LLD should set this signed integer to the requested
++ - an LLD should set this unsigned integer to the requested
+ transfer length (i.e. 'request_bufflen') less the number
+ of bytes that are actually transferred. 'resid' is
+ preset to 0 so an LLD can ignore it if it cannot detect
+- underruns (overruns should be rare). If possible an LLD
++ underruns (overruns should not be reported). An LLD
+ should set 'resid' prior to invoking 'done'. The most
+ interesting case is data transfers from a SCSI target
+ device (e.g. READs) that underrun.
net-deal-with-integer-overflows-in-kmalloc_reserve.patch
igmp-limit-igmpv3_newpack-packet-size-to-ip_max_mtu.patch
netfilter-ipset-add-the-missing-ip_set_hash_with_net0-macro-for-ip_set_hash_netportnet.c.patch
+netfilter-nft_exthdr-fix-non-linear-header-modification.patch
+netfilter-xt_u32-validate-user-space-input.patch
+netfilter-xt_sctp-validate-the-flag_info-count.patch
+skbuff-skb_segment-call-zero-copy-functions-before-using-skbuff-frags.patch
+drbd-swap-bvec_set_page-len-and-offset.patch
+gpio-zynq-restore-zynq_gpio_irq_reqres-zynq_gpio_irq_relres-callbacks.patch
+igb-set-max-size-rx-buffer-when-store-bad-packet-is-enabled.patch
+parisc-ccio-dma-create-private-runway-procfs-root-entry.patch
+pm-devfreq-fix-leak-in-devfreq_dev_release.patch
+multi-gen-lru-fix-per-zone-reclaim.patch
+alsa-pcm-fix-missing-fixup-call-in-compat-hw_refine-ioctl.patch
+arm64-dts-qcom-sdm845-db845c-mark-cont-splash-memory-region-as-reserved.patch
+virtio_pmem-add-the-missing-req_op_write-for-flush-bio.patch
+rcu-dump-vmalloc-memory-info-safely.patch
+printk-ringbuffer-fix-truncating-buffer-size-min_t-cast.patch
+scsi-core-fix-the-scsi_set_resid-documentation.patch
+mm-vmalloc-add-a-safer-version-of-find_vm_area-for-debug.patch
+cpu-hotplug-prevent-self-deadlock-on-cpu-hot-unplug.patch
+media-i2c-ccs-check-rules-is-non-null.patch
+media-i2c-add-a-camera-sensor-top-level-menu.patch
+pci-rockchip-use-64-bit-mask-on-msi-64-bit-pci-address.patch
+ipmi_si-fix-a-memleak-in-try_smi_init.patch
+arm-omap2-fix-warray-bounds-warning-in-_pwrdm_state_switch.patch
+riscv-move-create_tmp_mapping-to-init-sections.patch
+riscv-mark-kasan-tmp-page-tables-variables-as-static.patch
--- /dev/null
+From 2ea35288c83b3d501a88bc17f2df8f176b5cc96f Mon Sep 17 00:00:00 2001
+From: Mohamed Khalfella <mkhalfella@purestorage.com>
+Date: Thu, 31 Aug 2023 02:17:02 -0600
+Subject: skbuff: skb_segment, Call zero copy functions before using skbuff frags
+
+From: Mohamed Khalfella <mkhalfella@purestorage.com>
+
+commit 2ea35288c83b3d501a88bc17f2df8f176b5cc96f upstream.
+
+Commit bf5c25d60861 ("skbuff: in skb_segment, call zerocopy functions
+once per nskb") added the call to zero copy functions in skb_segment().
+The change introduced a bug in skb_segment() because skb_orphan_frags()
+may possibly change the number of fragments or allocate new fragments
+altogether leaving nrfrags and frag to point to the old values. This can
+cause a panic with stacktrace like the one below.
+
+[ 193.894380] BUG: kernel NULL pointer dereference, address: 00000000000000bc
+[ 193.895273] CPU: 13 PID: 18164 Comm: vh-net-17428 Kdump: loaded Tainted: G O 5.15.123+ #26
+[ 193.903919] RIP: 0010:skb_segment+0xb0e/0x12f0
+[ 194.021892] Call Trace:
+[ 194.027422] <TASK>
+[ 194.072861] tcp_gso_segment+0x107/0x540
+[ 194.082031] inet_gso_segment+0x15c/0x3d0
+[ 194.090783] skb_mac_gso_segment+0x9f/0x110
+[ 194.095016] __skb_gso_segment+0xc1/0x190
+[ 194.103131] netem_enqueue+0x290/0xb10 [sch_netem]
+[ 194.107071] dev_qdisc_enqueue+0x16/0x70
+[ 194.110884] __dev_queue_xmit+0x63b/0xb30
+[ 194.121670] bond_start_xmit+0x159/0x380 [bonding]
+[ 194.128506] dev_hard_start_xmit+0xc3/0x1e0
+[ 194.131787] __dev_queue_xmit+0x8a0/0xb30
+[ 194.138225] macvlan_start_xmit+0x4f/0x100 [macvlan]
+[ 194.141477] dev_hard_start_xmit+0xc3/0x1e0
+[ 194.144622] sch_direct_xmit+0xe3/0x280
+[ 194.147748] __dev_queue_xmit+0x54a/0xb30
+[ 194.154131] tap_get_user+0x2a8/0x9c0 [tap]
+[ 194.157358] tap_sendmsg+0x52/0x8e0 [tap]
+[ 194.167049] handle_tx_zerocopy+0x14e/0x4c0 [vhost_net]
+[ 194.173631] handle_tx+0xcd/0xe0 [vhost_net]
+[ 194.176959] vhost_worker+0x76/0xb0 [vhost]
+[ 194.183667] kthread+0x118/0x140
+[ 194.190358] ret_from_fork+0x1f/0x30
+[ 194.193670] </TASK>
+
+In this case calling skb_orphan_frags() updated nr_frags leaving nrfrags
+local variable in skb_segment() stale. This resulted in the code hitting
+i >= nrfrags prematurely and trying to move to next frag_skb using
+list_skb pointer, which was NULL, and caused kernel panic. Move the call
+to zero copy functions before using frags and nr_frags.
+
+Fixes: bf5c25d60861 ("skbuff: in skb_segment, call zerocopy functions once per nskb")
+Signed-off-by: Mohamed Khalfella <mkhalfella@purestorage.com>
+Reported-by: Amit Goyal <agoyal@purestorage.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/skbuff.c | 34 ++++++++++++++++++++--------------
+ 1 file changed, 20 insertions(+), 14 deletions(-)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -4360,21 +4360,20 @@ struct sk_buff *skb_segment(struct sk_bu
+ struct sk_buff *segs = NULL;
+ struct sk_buff *tail = NULL;
+ struct sk_buff *list_skb = skb_shinfo(head_skb)->frag_list;
+- skb_frag_t *frag = skb_shinfo(head_skb)->frags;
+ unsigned int mss = skb_shinfo(head_skb)->gso_size;
+ unsigned int doffset = head_skb->data - skb_mac_header(head_skb);
+- struct sk_buff *frag_skb = head_skb;
+ unsigned int offset = doffset;
+ unsigned int tnl_hlen = skb_tnl_header_len(head_skb);
+ unsigned int partial_segs = 0;
+ unsigned int headroom;
+ unsigned int len = head_skb->len;
++ struct sk_buff *frag_skb;
++ skb_frag_t *frag;
+ __be16 proto;
+ bool csum, sg;
+- int nfrags = skb_shinfo(head_skb)->nr_frags;
+ int err = -ENOMEM;
+ int i = 0;
+- int pos;
++ int nfrags, pos;
+
+ if ((skb_shinfo(head_skb)->gso_type & SKB_GSO_DODGY) &&
+ mss != GSO_BY_FRAGS && mss != skb_headlen(head_skb)) {
+@@ -4451,6 +4450,13 @@ normal:
+ headroom = skb_headroom(head_skb);
+ pos = skb_headlen(head_skb);
+
++ if (skb_orphan_frags(head_skb, GFP_ATOMIC))
++ return ERR_PTR(-ENOMEM);
++
++ nfrags = skb_shinfo(head_skb)->nr_frags;
++ frag = skb_shinfo(head_skb)->frags;
++ frag_skb = head_skb;
++
+ do {
+ struct sk_buff *nskb;
+ skb_frag_t *nskb_frag;
+@@ -4471,6 +4477,10 @@ normal:
+ (skb_headlen(list_skb) == len || sg)) {
+ BUG_ON(skb_headlen(list_skb) > len);
+
++ nskb = skb_clone(list_skb, GFP_ATOMIC);
++ if (unlikely(!nskb))
++ goto err;
++
+ i = 0;
+ nfrags = skb_shinfo(list_skb)->nr_frags;
+ frag = skb_shinfo(list_skb)->frags;
+@@ -4489,12 +4499,8 @@ normal:
+ frag++;
+ }
+
+- nskb = skb_clone(list_skb, GFP_ATOMIC);
+ list_skb = list_skb->next;
+
+- if (unlikely(!nskb))
+- goto err;
+-
+ if (unlikely(pskb_trim(nskb, len))) {
+ kfree_skb(nskb);
+ goto err;
+@@ -4570,12 +4576,16 @@ normal:
+ skb_shinfo(nskb)->flags |= skb_shinfo(head_skb)->flags &
+ SKBFL_SHARED_FRAG;
+
+- if (skb_orphan_frags(frag_skb, GFP_ATOMIC) ||
+- skb_zerocopy_clone(nskb, frag_skb, GFP_ATOMIC))
++ if (skb_zerocopy_clone(nskb, frag_skb, GFP_ATOMIC))
+ goto err;
+
+ while (pos < offset + len) {
+ if (i >= nfrags) {
++ if (skb_orphan_frags(list_skb, GFP_ATOMIC) ||
++ skb_zerocopy_clone(nskb, list_skb,
++ GFP_ATOMIC))
++ goto err;
++
+ i = 0;
+ nfrags = skb_shinfo(list_skb)->nr_frags;
+ frag = skb_shinfo(list_skb)->frags;
+@@ -4589,10 +4599,6 @@ normal:
+ i--;
+ frag--;
+ }
+- if (skb_orphan_frags(frag_skb, GFP_ATOMIC) ||
+- skb_zerocopy_clone(nskb, frag_skb,
+- GFP_ATOMIC))
+- goto err;
+
+ list_skb = list_skb->next;
+ }
--- /dev/null
+From c1dbd8a849183b9c12d257ad3043ecec50db50b3 Mon Sep 17 00:00:00 2001
+From: Hou Tao <houtao1@huawei.com>
+Date: Thu, 13 Jul 2023 21:54:13 +0800
+Subject: virtio_pmem: add the missing REQ_OP_WRITE for flush bio
+
+From: Hou Tao <houtao1@huawei.com>
+
+commit c1dbd8a849183b9c12d257ad3043ecec50db50b3 upstream.
+
+When doing mkfs.xfs on a pmem device, the following warning was
+reported:
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 2 PID: 384 at block/blk-core.c:751 submit_bio_noacct
+ Modules linked in:
+ CPU: 2 PID: 384 Comm: mkfs.xfs Not tainted 6.4.0-rc7+ #154
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
+ RIP: 0010:submit_bio_noacct+0x340/0x520
+ ......
+ Call Trace:
+ <TASK>
+ ? submit_bio_noacct+0xd5/0x520
+ submit_bio+0x37/0x60
+ async_pmem_flush+0x79/0xa0
+ nvdimm_flush+0x17/0x40
+ pmem_submit_bio+0x370/0x390
+ __submit_bio+0xbc/0x190
+ submit_bio_noacct_nocheck+0x14d/0x370
+ submit_bio_noacct+0x1ef/0x520
+ submit_bio+0x55/0x60
+ submit_bio_wait+0x5a/0xc0
+ blkdev_issue_flush+0x44/0x60
+
+The root cause is that submit_bio_noacct() needs bio_op() is either
+WRITE or ZONE_APPEND for flush bio and async_pmem_flush() doesn't assign
+REQ_OP_WRITE when allocating flush bio, so submit_bio_noacct just fail
+the flush bio.
+
+Simply fix it by adding the missing REQ_OP_WRITE for flush bio. And we
+could fix the flush order issue and do flush optimization later.
+
+Cc: stable@vger.kernel.org # 6.3+
+Fixes: b4a6bb3a67aa ("block: add a sanity check for non-write flush/fua bios")
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
+Reviewed-by: Pankaj Gupta <pankaj.gupta@amd.com>
+Tested-by: Pankaj Gupta <pankaj.gupta@amd.com>
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Signed-off-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvdimm/nd_virtio.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/nvdimm/nd_virtio.c
++++ b/drivers/nvdimm/nd_virtio.c
+@@ -105,7 +105,8 @@ int async_pmem_flush(struct nd_region *n
+ * parent bio. Otherwise directly call nd_region flush.
+ */
+ if (bio && bio->bi_iter.bi_sector != -1) {
+- struct bio *child = bio_alloc(bio->bi_bdev, 0, REQ_PREFLUSH,
++ struct bio *child = bio_alloc(bio->bi_bdev, 0,
++ REQ_OP_WRITE | REQ_PREFLUSH,
+ GFP_ATOMIC);
+
+ if (!child)
projects / thirdparty / kernel / stable-queue.git / commitdiff
