Fixes for 4.19
authorSasha Levin <sashal@kernel.org>
Wed, 21 Aug 2024 13:31:18 +0000 (09:31 -0400)
committerSasha Levin <sashal@kernel.org>
Wed, 21 Aug 2024 13:31:18 +0000 (09:31 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
29 files changed:
queue-4.19/bluetooth-bnep-fix-out-of-bound-access.patch [new file with mode: 0644]
queue-4.19/btrfs-change-bug_on-to-assertion-when-checking-for-d.patch [new file with mode: 0644]
queue-4.19/btrfs-delete-pointless-bug_on-check-on-quota-root-in.patch [new file with mode: 0644]
queue-4.19/btrfs-handle-invalid-root-reference-found-in-may_des.patch [new file with mode: 0644]
queue-4.19/btrfs-send-handle-unexpected-data-in-header-buffer-i.patch [new file with mode: 0644]
queue-4.19/ext4-do-not-trim-the-group-with-corrupted-block-bitm.patch [new file with mode: 0644]
queue-4.19/ext4-set-the-type-of-max_zeroout-to-unsigned-int-to-.patch [new file with mode: 0644]
queue-4.19/f2fs-fix-to-do-sanity-check-in-update_sit_entry.patch [new file with mode: 0644]
queue-4.19/fbdev-offb-replace-of_node_put-with-__free-device_no.patch [new file with mode: 0644]
queue-4.19/fs-binfmt_elf_efpic-don-t-use-missing-interpreter-s-.patch [new file with mode: 0644]
queue-4.19/hrtimer-prevent-queuing-of-hrtimer-without-a-functio.patch [new file with mode: 0644]
queue-4.19/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch [new file with mode: 0644]
queue-4.19/md-clean-up-invalid-bug_on-in-md_ioctl.patch [new file with mode: 0644]
queue-4.19/media-pci-cx23885-check-cx23885_vdev_init-return.patch [new file with mode: 0644]
queue-4.19/net-sun3_82586-avoid-reading-past-buffer-in-debug-ou.patch [new file with mode: 0644]
queue-4.19/nfs-avoid-infinite-loop-in-pnfs_update_layout.patch [new file with mode: 0644]
queue-4.19/nvmet-rdma-fix-possible-bad-dereference-when-freeing.patch [new file with mode: 0644]
queue-4.19/openrisc-call-setup_memory-earlier-in-the-init-seque.patch [new file with mode: 0644]
queue-4.19/parisc-use-irq_enter_rcu-to-fix-warning-at-kernel-co.patch [new file with mode: 0644]
queue-4.19/powerpc-boot-handle-allocation-failure-in-simple_rea.patch [new file with mode: 0644]
queue-4.19/powerpc-boot-only-free-if-realloc-succeeds.patch [new file with mode: 0644]
queue-4.19/powerpc-xics-check-return-value-of-kasprintf-in-icp_.patch [new file with mode: 0644]
queue-4.19/quota-remove-bug_on-from-dqget.patch [new file with mode: 0644]
queue-4.19/s390-iucv-fix-receive-buffer-virtual-vs-physical-add.patch [new file with mode: 0644]
queue-4.19/scsi-lpfc-initialize-status-local-variable-in-lpfc_s.patch [new file with mode: 0644]
queue-4.19/serial-pch-don-t-disable-interrupts-while-acquiring-.patch [new file with mode: 0644]
queue-4.19/series
queue-4.19/usb-dwc3-core-skip-setting-event-buffers-for-host-on.patch [new file with mode: 0644]
queue-4.19/usb-gadget-fsl-increase-size-of-name-buffer-for-endp.patch [new file with mode: 0644]

diff --git a/queue-4.19/bluetooth-bnep-fix-out-of-bound-access.patch b/queue-4.19/bluetooth-bnep-fix-out-of-bound-access.patch
new file mode 100644 (file)
index 0000000..2f84fd8
--- /dev/null
@@ -0,0 +1,38 @@
+From a124b7146e2ecb44661c977933a8c4637f73844c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Feb 2024 12:11:08 -0500
+Subject: Bluetooth: bnep: Fix out-of-bound access
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit 0f0639b4d6f649338ce29c62da3ec0787fa08cd1 ]
+
+This fixes attempting to access past ethhdr.h_source, although it seems
+intentional to copy also the contents of h_proto this triggers
+out-of-bound access problems with the likes of static analyzer, so this
+instead just copy ETH_ALEN and then proceed to use put_unaligned to copy
+h_proto separetely.
+
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/bnep/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
+index 7b3965861013c..a16d584a6c0d0 100644
+--- a/net/bluetooth/bnep/core.c
++++ b/net/bluetooth/bnep/core.c
+@@ -385,7 +385,8 @@ static int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
+       case BNEP_COMPRESSED_DST_ONLY:
+               __skb_put_data(nskb, skb_mac_header(skb), ETH_ALEN);
+-              __skb_put_data(nskb, s->eh.h_source, ETH_ALEN + 2);
++              __skb_put_data(nskb, s->eh.h_source, ETH_ALEN);
++              put_unaligned(s->eh.h_proto, (__be16 *)__skb_put(nskb, 2));
+               break;
+       case BNEP_GENERAL:
+-- 
+2.43.0
+
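Review bot: The `BNEP_COMPRESSED_DST_ONLY` case in bnep_rx_frame() now appends `h_proto` with a separate `put_unaligned()`, but nothing in the code says why the copy is split, so a later cleanup could merge it back into a single `ETH_ALEN + 2` read past `h_source`. I would add a one-line comment above the new call, for example `/* h_proto is appended separately so the copy never reads past h_source */`. The number of bytes written into `nskb` is unchanged at ETH_ALEN + 2, so the tailroom requirement stays the same; the allocation of `nskb` is outside the hunk.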
diff --git a/queue-4.19/btrfs-change-bug_on-to-assertion-when-checking-for-d.patch b/queue-4.19/btrfs-change-bug_on-to-assertion-when-checking-for-d.patch
new file mode 100644 (file)
index 0000000..ed691ef
--- /dev/null
@@ -0,0 +1,36 @@
+From 36326b7990c65a44778d151c19e9ab8e2da5c6ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Jan 2024 02:26:32 +0100
+Subject: btrfs: change BUG_ON to assertion when checking for delayed_node root
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit be73f4448b607e6b7ce41cd8ef2214fdf6e7986f ]
+
+The pointer to root is initialized in btrfs_init_delayed_node(), no need
+to check for it again. Change the BUG_ON to assertion.
+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/delayed-inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
+index fec62782fc86c..fa8f359d89994 100644
+--- a/fs/btrfs/delayed-inode.c
++++ b/fs/btrfs/delayed-inode.c
+@@ -984,7 +984,7 @@ static void btrfs_release_delayed_inode(struct btrfs_delayed_node *delayed_node)
+       if (delayed_node &&
+           test_bit(BTRFS_DELAYED_NODE_INODE_DIRTY, &delayed_node->flags)) {
+-              BUG_ON(!delayed_node->root);
++              ASSERT(delayed_node->root);
+               clear_bit(BTRFS_DELAYED_NODE_INODE_DIRTY, &delayed_node->flags);
+               delayed_node->count--;
+-- 
+2.43.0
+
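Review bot: `ASSERT(delayed_node->root)` in btrfs_release_delayed_inode() only checks anything when btrfs assertions are compiled in (CONFIG_BTRFS_ASSERT), so on builds without them the NULL check that `BUG_ON` provided is gone entirely. The commit message relies on btrfs_init_delayed_node() always setting `root`; that should be confirmed against the 4.19 tree being patched, not only against upstream. The rest of the function lies outside the hunk, so I cannot tell from here whether `root` is dereferenced later in this path.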
diff --git a/queue-4.19/btrfs-delete-pointless-bug_on-check-on-quota-root-in.patch b/queue-4.19/btrfs-delete-pointless-bug_on-check-on-quota-root-in.patch
new file mode 100644 (file)
index 0000000..548ad2e
--- /dev/null
@@ -0,0 +1,40 @@
+From bf02b9e07be6c5fb4e5eb08dc2b4e0538e5bfe8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Feb 2024 23:20:53 +0100
+Subject: btrfs: delete pointless BUG_ON check on quota root in
+ btrfs_qgroup_account_extent()
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit f40a3ea94881f668084f68f6b9931486b1606db0 ]
+
+The BUG_ON is deep in the qgroup code where we can expect that it
+exists. A NULL pointer would cause a crash.
+
+It was added long ago in 550d7a2ed5db35 ("btrfs: qgroup: Add new qgroup
+calculation function btrfs_qgroup_account_extents()."). It maybe made
+sense back then as the quota enable/disable state machine was not that
+robust as it is nowadays, so we can just delete it.
+
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/qgroup.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c
+index ef95525fa6cdf..770e6f652a1e5 100644
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -2095,8 +2095,6 @@ int btrfs_qgroup_account_extent(struct btrfs_trans_handle *trans, u64 bytenr,
+       if (nr_old_roots == 0 && nr_new_roots == 0)
+               goto out_free;
+-      BUG_ON(!fs_info->quota_root);
+-
+       trace_btrfs_qgroup_account_extent(fs_info, trans->transid, bytenr,
+                                       num_bytes, nr_old_roots, nr_new_roots);
+-- 
+2.43.0
+
diff --git a/queue-4.19/btrfs-handle-invalid-root-reference-found-in-may_des.patch b/queue-4.19/btrfs-handle-invalid-root-reference-found-in-may_des.patch
new file mode 100644 (file)
index 0000000..1c377bc
--- /dev/null
@@ -0,0 +1,42 @@
+From 92fc3855e3d0b44364e5b32c9ec0f0edb8b16010 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jan 2024 22:58:01 +0100
+Subject: btrfs: handle invalid root reference found in may_destroy_subvol()
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit 6fbc6f4ac1f4907da4fc674251527e7dc79ffbf6 ]
+
+The may_destroy_subvol() looks up a root by a key, allowing to do an
+inexact search when key->offset is -1.  It's never expected to find such
+item, as it would break the allowed range of a root id.
+
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/inode.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index 7f675862ffb0e..15ebebed40056 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -4296,7 +4296,14 @@ static noinline int may_destroy_subvol(struct btrfs_root *root)
+       ret = btrfs_search_slot(NULL, fs_info->tree_root, &key, path, 0, 0);
+       if (ret < 0)
+               goto out;
+-      BUG_ON(ret == 0);
++      if (ret == 0) {
++              /*
++               * Key with offset -1 found, there would have to exist a root
++               * with such id, but this is out of valid range.
++               */
++              ret = -EUCLEAN;
++              goto out;
++      }
+       ret = 0;
+       if (path->slots[0] > 0) {
+-- 
+2.43.0
+
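Review bot: The new `ret == 0` branch in may_destroy_subvol() returns `-EUCLEAN` without logging anything, so a corrupted or crafted image that reaches it leaves no trace for whoever later triages the failure. I would emit a message before the `goto out`, for example `btrfs_err(fs_info, "may_destroy_subvol: unexpected root item with offset -1");`. Callers previously never saw an error from this point because it was a `BUG_ON`, so it is also worth confirming that they propagate `-EUCLEAN` unchanged; they are outside the hunk.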
diff --git a/queue-4.19/btrfs-send-handle-unexpected-data-in-header-buffer-i.patch b/queue-4.19/btrfs-send-handle-unexpected-data-in-header-buffer-i.patch
new file mode 100644 (file)
index 0000000..c129916
--- /dev/null
@@ -0,0 +1,40 @@
+From 26a613e0b6c729eeaac39d77510846d030fb75ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Feb 2024 22:47:13 +0100
+Subject: btrfs: send: handle unexpected data in header buffer in begin_cmd()
+
+From: David Sterba <dsterba@suse.com>
+
+[ Upstream commit e80e3f732cf53c64b0d811e1581470d67f6c3228 ]
+
+Change BUG_ON to a proper error handling in the unlikely case of seeing
+data when the command is started. This is supposed to be reset when the
+command is finished (send_cmd, send_encoded_extent).
+
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/send.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
+index e3b6ca9176afe..2840abf2037b1 100644
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -677,7 +677,12 @@ static int begin_cmd(struct send_ctx *sctx, int cmd)
+       if (WARN_ON(!sctx->send_buf))
+               return -EINVAL;
+-      BUG_ON(sctx->send_size);
++      if (unlikely(sctx->send_size != 0)) {
++              btrfs_err(sctx->send_root->fs_info,
++                        "send: command header buffer not empty cmd %d offset %llu",
++                        cmd, sctx->send_off);
++              return -EINVAL;
++      }
+       sctx->send_size += sizeof(*hdr);
+       hdr = (struct btrfs_cmd_header *)sctx->send_buf;
+-- 
+2.43.0
+
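Review bot: The error message added to begin_cmd() prints `cmd` and `sctx->send_off` but not `sctx->send_size`, which is the value the condition actually tests. Adding `sctx->send_size` to the arguments (with a format specifier matching its declared type, which is outside the hunk) would let the log show how much stale data was left in the header buffer. The existing `WARN_ON(!sctx->send_buf)` guard just above uses a different reporting style; a short comment noting that the buffer should have been reset when the previous command finished, as the commit message says, would make the intent clear at the call site.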
diff --git a/queue-4.19/ext4-do-not-trim-the-group-with-corrupted-block-bitm.patch b/queue-4.19/ext4-do-not-trim-the-group-with-corrupted-block-bitm.patch
new file mode 100644 (file)
index 0000000..5603d47
--- /dev/null
@@ -0,0 +1,38 @@
+From c4aed850fea42bc2e942505c0d3fdaa1362e1578 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 4 Jan 2024 22:20:34 +0800
+Subject: ext4: do not trim the group with corrupted block bitmap
+
+From: Baokun Li <libaokun1@huawei.com>
+
+[ Upstream commit 172202152a125955367393956acf5f4ffd092e0d ]
+
+Otherwise operating on an incorrupted block bitmap can lead to all sorts
+of unknown problems.
+
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20240104142040.2835097-3-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/mballoc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
+index 5dcc3cad5c7d3..75dbe40ed8f72 100644
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -5219,6 +5219,9 @@ static int ext4_try_to_trim_range(struct super_block *sb,
+       bool set_trimmed = false;
+       void *bitmap;
++      if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info)))
++              return 0;
++
+       last = ext4_last_grp_cluster(sb, e4b->bd_group);
+       bitmap = e4b->bd_bitmap;
+       if (start == 0 && max >= last)
+-- 
+2.43.0
+
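Review bot: The new early return in ext4_try_to_trim_range() yields 0 for a group whose block bitmap is flagged corrupt, and nothing in the code says that 0 here means "group skipped" rather than "nothing to trim". A comment above the check would help, for example `/* Block bitmap is marked corrupt: skip the group rather than discard based on it. */`. How the caller interprets the return value is outside the hunk, so it should be confirmed that a skipped group is not recorded as trimmed.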
diff --git a/queue-4.19/ext4-set-the-type-of-max_zeroout-to-unsigned-int-to-.patch b/queue-4.19/ext4-set-the-type-of-max_zeroout-to-unsigned-int-to-.patch
new file mode 100644 (file)
index 0000000..bac140f
--- /dev/null
@@ -0,0 +1,42 @@
+From 89c3d6bfda66c716a70324d205b847dc99fd426d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 19 Mar 2024 19:33:24 +0800
+Subject: ext4: set the type of max_zeroout to unsigned int to avoid overflow
+
+From: Baokun Li <libaokun1@huawei.com>
+
+[ Upstream commit 261341a932d9244cbcd372a3659428c8723e5a49 ]
+
+The max_zeroout is of type int and the s_extent_max_zeroout_kb is of
+type uint, and the s_extent_max_zeroout_kb can be freely modified via
+the sysfs interface. When the block size is 1024, max_zeroout may
+overflow, so declare it as unsigned int to avoid overflow.
+
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20240319113325.3110393-9-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/extents.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index d931252b7d0d1..d162cc0590533 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -3445,9 +3445,10 @@ static int ext4_ext_convert_to_initialized(handle_t *handle,
+       struct ext4_extent *ex, *abut_ex;
+       ext4_lblk_t ee_block, eof_block;
+       unsigned int ee_len, depth, map_len = map->m_len;
+-      int allocated = 0, max_zeroout = 0;
+       int err = 0;
+       int split_flag = EXT4_EXT_DATA_VALID2;
++      int allocated = 0;
++      unsigned int max_zeroout = 0;
+       ext_debug("ext4_ext_convert_to_initialized: inode %lu, logical"
+               "block %llu, max_blocks %u\n", inode->i_ino,
+-- 
+2.43.0
+
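Review bot: `max_zeroout` becomes `unsigned int` in ext4_ext_convert_to_initialized() while `allocated` stays `int`, so any comparison between the two further down (outside the hunk) will now be done in unsigned arithmetic. That is harmless only if `allocated` cannot be negative at those points, which should be confirmed in the 4.19 source. The commit message notes that `s_extent_max_zeroout_kb` is freely writable through sysfs; the type change stops a large value from turning negative here, but it does not bound the value, so an upper limit at the sysfs store would be the more complete fix.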
diff --git a/queue-4.19/f2fs-fix-to-do-sanity-check-in-update_sit_entry.patch b/queue-4.19/f2fs-fix-to-do-sanity-check-in-update_sit_entry.patch
new file mode 100644 (file)
index 0000000..ad7fdc4
--- /dev/null
@@ -0,0 +1,50 @@
+From f8770d25c5af27da52519e5ebb55241ef5059289 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Feb 2024 19:59:54 +0800
+Subject: f2fs: fix to do sanity check in update_sit_entry
+
+From: Zhiguo Niu <zhiguo.niu@unisoc.com>
+
+[ Upstream commit 36959d18c3cf09b3c12157c6950e18652067de77 ]
+
+If GET_SEGNO return NULL_SEGNO for some unecpected case,
+update_sit_entry will access invalid memory address,
+cause system crash. It is better to do sanity check about
+GET_SEGNO just like update_segment_mtime & locate_dirty_segment.
+
+Also remove some redundant judgment code.
+
+Signed-off-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/segment.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
+index 34090edc8ce25..6750cda692cc3 100644
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -2018,6 +2018,8 @@ static void update_sit_entry(struct f2fs_sb_info *sbi, block_t blkaddr, int del)
+ #endif
+       segno = GET_SEGNO(sbi, blkaddr);
++      if (segno == NULL_SEGNO)
++              return;
+       se = get_seg_entry(sbi, segno);
+       new_vblocks = se->valid_blocks + del;
+@@ -2935,8 +2937,7 @@ void f2fs_allocate_data_block(struct f2fs_sb_info *sbi, struct page *page,
+        * since SSR needs latest valid block information.
+        */
+       update_sit_entry(sbi, *new_blkaddr, 1);
+-      if (GET_SEGNO(sbi, old_blkaddr) != NULL_SEGNO)
+-              update_sit_entry(sbi, old_blkaddr, -1);
++      update_sit_entry(sbi, old_blkaddr, -1);
+       if (!__has_curseg_space(sbi, type))
+               sit_i->s_ops->allocate_segment(sbi, type, false);
+-- 
+2.43.0
+
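Review bot: The `segno == NULL_SEGNO` guard in update_sit_entry() returns silently, and the second hunk now relies on it by calling `update_sit_entry(sbi, old_blkaddr, -1)` unconditionally in f2fs_allocate_data_block(). For `old_blkaddr` a NULL_SEGNO result is presumably expected, but for the `*new_blkaddr` call just above it would mean the block accounting is skipped with no trace. I would add a comment at the return, for example `/* blkaddr does not map to a segment: nothing to account */`, and consider warning when `del > 0` reaches this path. Both function bodies continue outside the hunks.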
diff --git a/queue-4.19/fbdev-offb-replace-of_node_put-with-__free-device_no.patch b/queue-4.19/fbdev-offb-replace-of_node_put-with-__free-device_no.patch
new file mode 100644 (file)
index 0000000..ef8520a
--- /dev/null
@@ -0,0 +1,45 @@
+From bd7378b4c91f74c593c678515d52900f2e9a3fc6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Apr 2024 21:20:21 -0400
+Subject: fbdev: offb: replace of_node_put with __free(device_node)
+
+From: Abdulrasaq Lawani <abdulrasaqolawani@gmail.com>
+
+[ Upstream commit ce4a7ae84a58b9f33aae8d6c769b3c94f3d5ce76 ]
+
+Replaced instance of of_node_put with __free(device_node)
+to simplify code and protect against any memory leaks
+due to future changes in the control flow.
+
+Suggested-by: Julia Lawall <julia.lawall@inria.fr>
+Signed-off-by: Abdulrasaq Lawani <abdulrasaqolawani@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/offb.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/video/fbdev/offb.c b/drivers/video/fbdev/offb.c
+index 77c0a2f45b3b9..b52c6080abe44 100644
+--- a/drivers/video/fbdev/offb.c
++++ b/drivers/video/fbdev/offb.c
+@@ -352,7 +352,7 @@ static void offb_init_palette_hacks(struct fb_info *info, struct device_node *dp
+                       par->cmap_type = cmap_gxt2000;
+       } else if (dp && !strncmp(name, "vga,Display-", 12)) {
+               /* Look for AVIVO initialized by SLOF */
+-              struct device_node *pciparent = of_get_parent(dp);
++              struct device_node *pciparent __free(device_node) = of_get_parent(dp);
+               const u32 *vid, *did;
+               vid = of_get_property(pciparent, "vendor-id", NULL);
+               did = of_get_property(pciparent, "device-id", NULL);
+@@ -364,7 +364,6 @@ static void offb_init_palette_hacks(struct fb_info *info, struct device_node *dp
+                       if (par->cmap_adr)
+                               par->cmap_type = cmap_avivo;
+               }
+-              of_node_put(pciparent);
+       } else if (dp && of_device_is_compatible(dp, "qemu,std-vga")) {
+ #ifdef __BIG_ENDIAN
+               const __be32 io_of_addr[3] = { 0x01000000, 0x0, 0x0 };
+-- 
+2.43.0
+
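Review bot: `__free(device_node)` on `pciparent` depends on the kernel's scope-based cleanup helpers, and as far as I know those are not part of a 4.19 tree, so this backport needs to be build-tested against 4.19 before it is queued. The second hunk drops the explicit `of_node_put(pciparent)`, which means the reference taken by `of_get_parent(dp)` is released only if the attribute really is in effect. For this branch, keeping the original `struct device_node *pciparent = of_get_parent(dp);` together with `of_node_put(pciparent);` is the safer form; the upstream message describes the change as a simplification, not a bug fix.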
diff --git a/queue-4.19/fs-binfmt_elf_efpic-don-t-use-missing-interpreter-s-.patch b/queue-4.19/fs-binfmt_elf_efpic-don-t-use-missing-interpreter-s-.patch
new file mode 100644 (file)
index 0000000..bcc6b9a
--- /dev/null
@@ -0,0 +1,43 @@
+From 8fc2881465cd39fff94ba6c9df53844e31807fcb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Jan 2024 07:06:37 -0800
+Subject: fs: binfmt_elf_efpic: don't use missing interpreter's properties
+
+From: Max Filippov <jcmvbkbc@gmail.com>
+
+[ Upstream commit 15fd1dc3dadb4268207fa6797e753541aca09a2a ]
+
+Static FDPIC executable may get an executable stack even when it has
+non-executable GNU_STACK segment. This happens when STACK segment has rw
+permissions, but does not specify stack size. In that case FDPIC loader
+uses permissions of the interpreter's stack, and for static executables
+with no interpreter it results in choosing the arch-default permissions
+for the stack.
+
+Fix that by using the interpreter's properties only when the interpreter
+is actually used.
+
+Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
+Link: https://lore.kernel.org/r/20240118150637.660461-1-jcmvbkbc@gmail.com
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/binfmt_elf_fdpic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c
+index a7c2efcd0a4a3..0dbbb3a21e6c3 100644
+--- a/fs/binfmt_elf_fdpic.c
++++ b/fs/binfmt_elf_fdpic.c
+@@ -324,7 +324,7 @@ static int load_elf_fdpic_binary(struct linux_binprm *bprm)
+       else
+               executable_stack = EXSTACK_DEFAULT;
+-      if (stack_size == 0) {
++      if (stack_size == 0 && interp_params.flags & ELF_FDPIC_FLAG_PRESENT) {
+               stack_size = interp_params.stack_size;
+               if (interp_params.flags & ELF_FDPIC_FLAG_EXEC_STACK)
+                       executable_stack = EXSTACK_ENABLE_X;
+-- 
+2.43.0
+
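Review bot: The new condition in load_elf_fdpic_binary() mixes `==`, `&&` and `&` without parentheses; it evaluates as intended because `&` binds tighter than `&&`, but a reader has to work that out on a line that decides whether the stack becomes executable. I would write it as `if (stack_size == 0 && (interp_params.flags & ELF_FDPIC_FLAG_PRESENT)) {`. When there is no interpreter, `stack_size` now stays 0 past this block; the code that supplies a default is outside the hunk and should be confirmed to exist in 4.19.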
diff --git a/queue-4.19/hrtimer-prevent-queuing-of-hrtimer-without-a-functio.patch b/queue-4.19/hrtimer-prevent-queuing-of-hrtimer-without-a-functio.patch
new file mode 100644 (file)
index 0000000..386c099
--- /dev/null
@@ -0,0 +1,44 @@
+From 3b235d37b2d97bbcc87699a30b4a73d96559c110 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Jun 2024 21:31:36 +0800
+Subject: hrtimer: Prevent queuing of hrtimer without a function callback
+
+From: Phil Chang <phil.chang@mediatek.com>
+
+[ Upstream commit 5a830bbce3af16833fe0092dec47b6dd30279825 ]
+
+The hrtimer function callback must not be NULL. It has to be specified by
+the call side but it is not validated by the hrtimer code. When a hrtimer
+is queued without a function callback, the kernel crashes with a null
+pointer dereference when trying to execute the callback in __run_hrtimer().
+
+Introduce a validation before queuing the hrtimer in
+hrtimer_start_range_ns().
+
+[anna-maria: Rephrase commit message]
+
+Signed-off-by: Phil Chang <phil.chang@mediatek.com>
+Signed-off-by: Anna-Maria Behnsen <anna-maria@linutronix.de>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Anna-Maria Behnsen <anna-maria@linutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/time/hrtimer.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
+index 0eb5b6cc6d939..b600dc1290d7e 100644
+--- a/kernel/time/hrtimer.c
++++ b/kernel/time/hrtimer.c
+@@ -1172,6 +1172,8 @@ void hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim,
+       struct hrtimer_clock_base *base;
+       unsigned long flags;
++      if (WARN_ON_ONCE(!timer->function))
++              return;
+       /*
+        * Check whether the HRTIMER_MODE_SOFT bit and hrtimer.is_soft
+        * match.
+-- 
+2.43.0
+
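Review bot: The guard added to hrtimer_start_range_ns() uses `WARN_ON_ONCE`, so after the first report every later attempt to start a timer without a callback is dropped silently, and the function returns void, so the caller cannot tell. A comment on the check would document that, for example `/* A timer without a callback would crash in __run_hrtimer(); refuse to queue it. */`, followed by a blank line before the existing HRTIMER_MODE_SOFT comment. On systems that run with panic_on_warn the first hit still brings the machine down, which is worth noting in the backport description.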
diff --git a/queue-4.19/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch b/queue-4.19/irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch
new file mode 100644 (file)
index 0000000..925afb3
--- /dev/null
@@ -0,0 +1,41 @@
+From edea4e8398c458d82d779606910b1a3461863375 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 Apr 2024 14:10:53 +0800
+Subject: irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc
+
+From: Guanrui Huang <guanrui.huang@linux.alibaba.com>
+
+[ Upstream commit 382d2ffe86efb1e2fa803d2cf17e5bfc34e574f3 ]
+
+This BUG_ON() is useless, because the same effect will be obtained
+by letting the code run its course and vm being dereferenced,
+triggering an exception.
+
+So just remove this check.
+
+Signed-off-by: Guanrui Huang <guanrui.huang@linux.alibaba.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Zenghui Yu <yuzenghui@huawei.com>
+Acked-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20240418061053.96803-3-guanrui.huang@linux.alibaba.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/irqchip/irq-gic-v3-its.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
+index 6b58194c1e346..2e0478e8be747 100644
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -2958,8 +2958,6 @@ static int its_vpe_irq_domain_alloc(struct irq_domain *domain, unsigned int virq
+       struct page *vprop_page;
+       int base, nr_ids, i, err = 0;
+-      BUG_ON(!vm);
+-
+       bitmap = its_lpi_alloc(roundup_pow_of_two(nr_irqs), &base, &nr_ids);
+       if (!bitmap)
+               return -ENOMEM;
+-- 
+2.43.0
+
diff --git a/queue-4.19/md-clean-up-invalid-bug_on-in-md_ioctl.patch b/queue-4.19/md-clean-up-invalid-bug_on-in-md_ioctl.patch
new file mode 100644 (file)
index 0000000..2fb8ddb
--- /dev/null
@@ -0,0 +1,42 @@
+From 5a4e39eef7516ae55ed0dfdbc171d379ccc7aefd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Feb 2024 11:14:38 +0800
+Subject: md: clean up invalid BUG_ON in md_ioctl
+
+From: Li Nan <linan122@huawei.com>
+
+[ Upstream commit 9dd8702e7cd28ebf076ff838933f29cf671165ec ]
+
+'disk->private_data' is set to mddev in md_alloc() and never set to NULL,
+and users need to open mddev before submitting ioctl. So mddev must not
+have been freed during ioctl, and there is no need to check mddev here.
+Clean up it.
+
+Signed-off-by: Li Nan <linan122@huawei.com>
+Reviewed-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Song Liu <song@kernel.org>
+Link: https://lore.kernel.org/r/20240226031444.3606764-4-linan666@huaweicloud.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/md/md.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/drivers/md/md.c b/drivers/md/md.c
+index 68eb3220be1c9..6f463eec60b48 100644
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -7245,11 +7245,6 @@ static int md_ioctl(struct block_device *bdev, fmode_t mode,
+       mddev = bdev->bd_disk->private_data;
+-      if (!mddev) {
+-              BUG();
+-              goto out;
+-      }
+-
+       /* Some actions do not requires the mutex */
+       switch (cmd) {
+       case GET_ARRAY_INFO:
+-- 
+2.43.0
+
diff --git a/queue-4.19/media-pci-cx23885-check-cx23885_vdev_init-return.patch b/queue-4.19/media-pci-cx23885-check-cx23885_vdev_init-return.patch
new file mode 100644 (file)
index 0000000..aa48f47
--- /dev/null
@@ -0,0 +1,50 @@
+From 33b9c9655cff418833f0fc6ba4018f9b1bf16878 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Oct 2023 08:58:49 +0200
+Subject: media: pci: cx23885: check cx23885_vdev_init() return
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit 15126b916e39b0cb67026b0af3c014bfeb1f76b3 ]
+
+cx23885_vdev_init() can return a NULL pointer, but that pointer
+is used in the next line without a check.
+
+Add a NULL pointer check and go to the error unwind if it is NULL.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reported-by: Sicong Huang <huangsicong@iie.ac.cn>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/cx23885/cx23885-video.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/media/pci/cx23885/cx23885-video.c b/drivers/media/pci/cx23885/cx23885-video.c
+index 16564899f1141..435a3c1c7e650 100644
+--- a/drivers/media/pci/cx23885/cx23885-video.c
++++ b/drivers/media/pci/cx23885/cx23885-video.c
+@@ -1297,6 +1297,10 @@ int cx23885_video_register(struct cx23885_dev *dev)
+       /* register Video device */
+       dev->video_dev = cx23885_vdev_init(dev, dev->pci,
+               &cx23885_video_template, "video");
++      if (!dev->video_dev) {
++              err = -ENOMEM;
++              goto fail_unreg;
++      }
+       dev->video_dev->queue = &dev->vb2_vidq;
+       err = video_register_device(dev->video_dev, VFL_TYPE_GRABBER,
+                                   video_nr[dev->nr]);
+@@ -1311,6 +1315,10 @@ int cx23885_video_register(struct cx23885_dev *dev)
+       /* register VBI device */
+       dev->vbi_dev = cx23885_vdev_init(dev, dev->pci,
+               &cx23885_vbi_template, "vbi");
++      if (!dev->vbi_dev) {
++              err = -ENOMEM;
++              goto fail_unreg;
++      }
+       dev->vbi_dev->queue = &dev->vb2_vbiq;
+       err = video_register_device(dev->vbi_dev, VFL_TYPE_VBI,
+                                   vbi_nr[dev->nr]);
+-- 
+2.43.0
+
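Review bot: Both new NULL checks in cx23885_video_register() jump to `fail_unreg`, whose body is outside the hunks, so it should be confirmed that the unwind code tolerates `dev->video_dev` or `dev->vbi_dev` being NULL. In the second hunk the video device has already been registered when `cx23885_vdev_init()` fails for VBI, so the unwind must unregister `video_dev` while skipping the NULL `vbi_dev`. If the 4.19 unregister path dereferences either pointer unconditionally, this fix would only move the NULL dereference into the error path.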
diff --git a/queue-4.19/net-sun3_82586-avoid-reading-past-buffer-in-debug-ou.patch b/queue-4.19/net-sun3_82586-avoid-reading-past-buffer-in-debug-ou.patch
new file mode 100644 (file)
index 0000000..5e645e3
--- /dev/null
@@ -0,0 +1,51 @@
+From a3ec9a4c0754a8d58fc0c6cb5c8b305309842ba4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Feb 2024 08:16:54 -0800
+Subject: net/sun3_82586: Avoid reading past buffer in debug output
+
+From: Kees Cook <keescook@chromium.org>
+
+[ Upstream commit 4bea747f3fbec33c16d369b2f51e55981d7c78d0 ]
+
+Since NUM_XMIT_BUFFS is always 1, building m68k with sun3_defconfig and
+-Warraybounds, this build warning is visible[1]:
+
+drivers/net/ethernet/i825xx/sun3_82586.c: In function 'sun3_82586_timeout':
+drivers/net/ethernet/i825xx/sun3_82586.c:990:122: warning: array subscript 1 is above array bounds of 'volatile struct transmit_cmd_struct *[1]' [-Warray-bounds=]
+  990 |                 printk("%s: command-stats: %04x %04x\n",dev->name,swab16(p->xmit_cmds[0]->cmd_status),swab16(p->xmit_cmds[1]->cmd_status));
+      |                                                                                                               ~~~~~~~~~~~~^~~
+...
+drivers/net/ethernet/i825xx/sun3_82586.c:156:46: note: while referencing 'xmit_cmds'
+  156 |         volatile struct transmit_cmd_struct *xmit_cmds[NUM_XMIT_BUFFS];
+
+Avoid accessing index 1 since it doesn't exist.
+
+Link: https://github.com/KSPP/linux/issues/325 [1]
+Cc: Sam Creasey <sammy@sammy.net>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Tested-by: Simon Horman <horms@kernel.org> # build-tested
+Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Link: https://lore.kernel.org/r/20240206161651.work.876-kees@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/i825xx/sun3_82586.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/i825xx/sun3_82586.c b/drivers/net/ethernet/i825xx/sun3_82586.c
+index 1a86184d44c0a..e0c9fee4e1e65 100644
+--- a/drivers/net/ethernet/i825xx/sun3_82586.c
++++ b/drivers/net/ethernet/i825xx/sun3_82586.c
+@@ -990,7 +990,7 @@ static void sun3_82586_timeout(struct net_device *dev)
+       {
+ #ifdef DEBUG
+               printk("%s: xmitter timed out, try to restart! stat: %02x\n",dev->name,p->scb->cus);
+-              printk("%s: command-stats: %04x %04x\n",dev->name,swab16(p->xmit_cmds[0]->cmd_status),swab16(p->xmit_cmds[1]->cmd_status));
++              printk("%s: command-stats: %04x\n", dev->name, swab16(p->xmit_cmds[0]->cmd_status));
+               printk("%s: check, whether you set the right interrupt number!\n",dev->name);
+ #endif
+               sun3_82586_close(dev);
+-- 
+2.43.0
+
diff --git a/queue-4.19/nfs-avoid-infinite-loop-in-pnfs_update_layout.patch b/queue-4.19/nfs-avoid-infinite-loop-in-pnfs_update_layout.patch
new file mode 100644 (file)
index 0000000..970b6e6
--- /dev/null
@@ -0,0 +1,49 @@
+From d56dce3ad484823bd5118e1968d577c182d0ebb3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Feb 2024 11:24:53 +1100
+Subject: NFS: avoid infinite loop in pnfs_update_layout.
+
+From: NeilBrown <neilb@suse.de>
+
+[ Upstream commit 2fdbc20036acda9e5694db74a032d3c605323005 ]
+
+If pnfsd_update_layout() is called on a file for which recovery has
+failed it will enter a tight infinite loop.
+
+NFS_LAYOUT_INVALID_STID will be set, nfs4_select_rw_stateid() will
+return -EIO, and nfs4_schedule_stateid_recovery() will do nothing, so
+nfs4_client_recover_expired_lease() will not wait.  So the code will
+loop indefinitely.
+
+Break the loop by testing the validity of the open stateid at the top of
+the loop.
+
+Signed-off-by: NeilBrown <neilb@suse.de>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/pnfs.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
+index cfb1fe5dfb1e1..7a0d9a1e6d134 100644
+--- a/fs/nfs/pnfs.c
++++ b/fs/nfs/pnfs.c
+@@ -1889,6 +1889,14 @@ pnfs_update_layout(struct inode *ino,
+       }
+ lookup_again:
++      if (!nfs4_valid_open_stateid(ctx->state)) {
++              trace_pnfs_update_layout(ino, pos, count,
++                                       iomode, lo, lseg,
++                                       PNFS_UPDATE_LAYOUT_INVALID_OPEN);
++              lseg = ERR_PTR(-EIO);
++              goto out;
++      }
++
+       lseg = ERR_PTR(nfs4_client_recover_expired_lease(clp));
+       if (IS_ERR(lseg))
+               goto out;
+-- 
+2.43.0
+
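Review bot: The added guard under `lookup_again:` passes `ctx->state` straight to nfs4_valid_open_stateid(), and nothing in the hunk shows that the 4.19 version of that helper tolerates a NULL state, so the backport should confirm this before relying on the check. The guard also carries no comment saying it is the exit condition for the retry loop. Adding `/* open stateid failed recovery: give up instead of retrying forever */` above the `if` would keep a later cleanup from moving it away from the label. pnfs_update_layout() starts and ends outside the hunk.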
diff --git a/queue-4.19/nvmet-rdma-fix-possible-bad-dereference-when-freeing.patch b/queue-4.19/nvmet-rdma-fix-possible-bad-dereference-when-freeing.patch
new file mode 100644 (file)
index 0000000..b212d80
--- /dev/null
@@ -0,0 +1,85 @@
+From 2d0955213bba30349e3a580ae5a3b4b462c234e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 May 2024 10:53:06 +0300
+Subject: nvmet-rdma: fix possible bad dereference when freeing rsps
+
+From: Sagi Grimberg <sagi@grimberg.me>
+
+[ Upstream commit 73964c1d07c054376f1b32a62548571795159148 ]
+
+It is possible that the host connected and saw a cm established
+event and started sending nvme capsules on the qp, however the
+ctrl did not yet see an established event. This is why the
+rsp_wait_list exists (for async handling of these cmds, we move
+them to a pending list).
+
+Furthermore, it is possible that the ctrl cm times out, resulting
+in a connect-error cm event. in this case we hit a bad deref [1]
+because in nvmet_rdma_free_rsps we assume that all the responses
+are in the free list.
+
+We are freeing the cmds array anyways, so don't even bother to
+remove the rsp from the free_list. It is also guaranteed that we
+are not racing anything when we are releasing the queue so no
+other context accessing this array should be running.
+
+[1]:
+--
+Workqueue: nvmet-free-wq nvmet_rdma_free_queue_work [nvmet_rdma]
+[...]
+pc : nvmet_rdma_free_rsps+0x78/0xb8 [nvmet_rdma]
+lr : nvmet_rdma_free_queue_work+0x88/0x120 [nvmet_rdma]
+ Call trace:
+ nvmet_rdma_free_rsps+0x78/0xb8 [nvmet_rdma]
+ nvmet_rdma_free_queue_work+0x88/0x120 [nvmet_rdma]
+ process_one_work+0x1ec/0x4a0
+ worker_thread+0x48/0x490
+ kthread+0x158/0x160
+ ret_from_fork+0x10/0x18
+--
+
+Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/target/rdma.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/nvme/target/rdma.c b/drivers/nvme/target/rdma.c
+index cfd26437aeaea..7889a55156f4d 100644
+--- a/drivers/nvme/target/rdma.c
++++ b/drivers/nvme/target/rdma.c
+@@ -435,12 +435,8 @@ nvmet_rdma_alloc_rsps(struct nvmet_rdma_queue *queue)
+       return 0;
+ out_free:
+-      while (--i >= 0) {
+-              struct nvmet_rdma_rsp *rsp = &queue->rsps[i];
+-
+-              list_del(&rsp->free_list);
+-              nvmet_rdma_free_rsp(ndev, rsp);
+-      }
++      while (--i >= 0)
++              nvmet_rdma_free_rsp(ndev, &queue->rsps[i]);
+       kfree(queue->rsps);
+ out:
+       return ret;
+@@ -451,12 +447,8 @@ static void nvmet_rdma_free_rsps(struct nvmet_rdma_queue *queue)
+       struct nvmet_rdma_device *ndev = queue->dev;
+       int i, nr_rsps = queue->recv_queue_size * 2;
+-      for (i = 0; i < nr_rsps; i++) {
+-              struct nvmet_rdma_rsp *rsp = &queue->rsps[i];
+-
+-              list_del(&rsp->free_list);
+-              nvmet_rdma_free_rsp(ndev, rsp);
+-      }
++      for (i = 0; i < nr_rsps; i++)
++              nvmet_rdma_free_rsp(ndev, &queue->rsps[i]);
+       kfree(queue->rsps);
+ }
+-- 
+2.43.0
+
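Review bot: Both loops now call nvmet_rdma_free_rsp() without `list_del(&rsp->free_list)`, and neither site says why, so the omission reads like an oversight and invites someone to restore it. A comment in nvmet_rdma_free_rsps() such as `/* rsps may be on rsp_wait_list rather than free_rsps; the array is freed below, so do not unlink */` would record the reasoning from the commit message. After `kfree(queue->rsps)` the list heads that linked these entries presumably still point into the freed array, so safety rests on the description's claim that no other context touches the queue at release time, which cannot be verified from the hunk. nvmet_rdma_alloc_rsps() starts outside the hunk.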
diff --git a/queue-4.19/openrisc-call-setup_memory-earlier-in-the-init-seque.patch b/queue-4.19/openrisc-call-setup_memory-earlier-in-the-init-seque.patch
new file mode 100644 (file)
index 0000000..9eb017e
--- /dev/null
@@ -0,0 +1,54 @@
+From 1e11022bc396695657474bb079bb254cf575e95b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Feb 2024 16:29:30 -0800
+Subject: openrisc: Call setup_memory() earlier in the init sequence
+
+From: Oreoluwa Babatunde <quic_obabatun@quicinc.com>
+
+[ Upstream commit 7b432bf376c9c198a7ff48f1ed14a14c0ffbe1fe ]
+
+The unflatten_and_copy_device_tree() function contains a call to
+memblock_alloc(). This means that memblock is allocating memory before
+any of the reserved memory regions are set aside in the setup_memory()
+function which calls early_init_fdt_scan_reserved_mem(). Therefore,
+there is a possibility for memblock to allocate from any of the
+reserved memory regions.
+
+Hence, move the call to setup_memory() to be earlier in the init
+sequence so that the reserved memory regions are set aside before any
+allocations are done using memblock.
+
+Signed-off-by: Oreoluwa Babatunde <quic_obabatun@quicinc.com>
+Signed-off-by: Stafford Horne <shorne@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/openrisc/kernel/setup.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/openrisc/kernel/setup.c b/arch/openrisc/kernel/setup.c
+index f3a7375ac3cd9..f306816c98cb2 100644
+--- a/arch/openrisc/kernel/setup.c
++++ b/arch/openrisc/kernel/setup.c
+@@ -287,6 +287,9 @@ void calibrate_delay(void)
+ void __init setup_arch(char **cmdline_p)
+ {
++      /* setup memblock allocator */
++      setup_memory();
++
+       unflatten_and_copy_device_tree();
+       setup_cpuinfo();
+@@ -311,9 +314,6 @@ void __init setup_arch(char **cmdline_p)
+       initrd_below_start_ok = 1;
+ #endif
+-      /* setup memblock allocator */
+-      setup_memory();
+-
+       /* paging_init() sets up the MMU and marks all pages as reserved */
+       paging_init();
+-- 
+2.43.0
+
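Review bot: The moved `setup_memory()` call at the top of setup_arch() keeps the comment `/* setup memblock allocator */`, which does not record the ordering constraint this change exists to enforce. Something like `/* must run before unflatten_and_copy_device_tree(), which allocates from memblock, so reserved regions are set aside first */` would stop a later reorder from reintroducing allocations out of reserved memory. The call now also runs ahead of the initrd setup that ends at `initrd_below_start_ok = 1;`. Whether the 4.19 setup_memory() reads any state initialised in between is not visible here and should be checked for this backport. setup_arch() continues outside both hunks.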
diff --git a/queue-4.19/parisc-use-irq_enter_rcu-to-fix-warning-at-kernel-co.patch b/queue-4.19/parisc-use-irq_enter_rcu-to-fix-warning-at-kernel-co.patch
new file mode 100644 (file)
index 0000000..cae455c
--- /dev/null
@@ -0,0 +1,60 @@
+From 917da4e505b60ebde7022c3a68c654527c366aa6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Nov 2023 23:16:00 +0100
+Subject: parisc: Use irq_enter_rcu() to fix warning at
+ kernel/context_tracking.c:367
+
+From: Helge Deller <deller@gmx.de>
+
+[ Upstream commit 73cb4a2d8d7e0259f94046116727084f21e4599f ]
+
+Use irq*_rcu() functions to fix this kernel warning:
+
+ WARNING: CPU: 0 PID: 0 at kernel/context_tracking.c:367 ct_irq_enter+0xa0/0xd0
+ Modules linked in:
+ CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.7.0-rc3-64bit+ #1037
+ Hardware name: 9000/785/C3700
+
+ IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000412cd758 00000000412cd75c
+  IIR: 03ffe01f    ISR: 0000000000000000  IOR: 0000000043c20c20
+  CPU:        0   CR30: 0000000041caa000 CR31: 0000000000000000
+  ORIG_R28: 0000000000000005
+  IAOQ[0]: ct_irq_enter+0xa0/0xd0
+  IAOQ[1]: ct_irq_enter+0xa4/0xd0
+  RP(r2): irq_enter+0x34/0x68
+ Backtrace:
+  [<000000004034a3ec>] irq_enter+0x34/0x68
+  [<000000004030dc48>] do_cpu_irq_mask+0xc0/0x450
+  [<0000000040303070>] intr_return+0x0/0xc
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/parisc/kernel/irq.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/parisc/kernel/irq.c b/arch/parisc/kernel/irq.c
+index 11c1505775f87..6b20a0a11913b 100644
+--- a/arch/parisc/kernel/irq.c
++++ b/arch/parisc/kernel/irq.c
+@@ -524,7 +524,7 @@ void do_cpu_irq_mask(struct pt_regs *regs)
+       old_regs = set_irq_regs(regs);
+       local_irq_disable();
+-      irq_enter();
++      irq_enter_rcu();
+       eirr_val = mfctl(23) & cpu_eiem & per_cpu(local_ack_eiem, cpu);
+       if (!eirr_val)
+@@ -559,7 +559,7 @@ void do_cpu_irq_mask(struct pt_regs *regs)
+ #endif /* CONFIG_IRQSTACKS */
+  out:
+-      irq_exit();
++      irq_exit_rcu();
+       set_irq_regs(old_regs);
+       return;
+-- 
+2.43.0
+
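Review bot: `irq_enter_rcu()` and `irq_exit_rcu()` in do_cpu_irq_mask() need to exist in the target tree, and to my knowledge they were added to the generic IRQ code well after 4.19, so this backport should be build-tested on parisc before it is queued. The warning quoted in the description comes from kernel/context_tracking.c on a 6.7.0-rc3 kernel, which suggests the problem being fixed may not be present in 4.19 at all. If the helpers are absent, dropping the patch from this queue is safer than adding them. do_cpu_irq_mask() starts and ends outside the hunks.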
diff --git a/queue-4.19/powerpc-boot-handle-allocation-failure-in-simple_rea.patch b/queue-4.19/powerpc-boot-handle-allocation-failure-in-simple_rea.patch
new file mode 100644 (file)
index 0000000..6e0e222
--- /dev/null
@@ -0,0 +1,39 @@
+From 4a47a84716de36b3a42e2b0005c95bff471fb499 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 19 Dec 2022 10:18:16 +0800
+Subject: powerpc/boot: Handle allocation failure in simple_realloc()
+
+From: Li zeming <zeming@nfschina.com>
+
+[ Upstream commit 69b0194ccec033c208b071e019032c1919c2822d ]
+
+simple_malloc() will return NULL when there is not enough memory left.
+Check pointer 'new' before using it to copy the old data.
+
+Signed-off-by: Li zeming <zeming@nfschina.com>
+[mpe: Reword subject, use change log from Christophe]
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20221219021816.3012-1-zeming@nfschina.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/boot/simple_alloc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/boot/simple_alloc.c b/arch/powerpc/boot/simple_alloc.c
+index 65ec135d01579..188c4f996512a 100644
+--- a/arch/powerpc/boot/simple_alloc.c
++++ b/arch/powerpc/boot/simple_alloc.c
+@@ -114,7 +114,9 @@ static void *simple_realloc(void *ptr, unsigned long size)
+               return ptr;
+       new = simple_malloc(size);
+-      memcpy(new, ptr, p->size);
++      if (new)
++              memcpy(new, ptr, p->size);
++
+       simple_free(ptr);
+       return new;
+ }
+-- 
+2.43.0
+
diff --git a/queue-4.19/powerpc-boot-only-free-if-realloc-succeeds.patch b/queue-4.19/powerpc-boot-only-free-if-realloc-succeeds.patch
new file mode 100644 (file)
index 0000000..27cc379
--- /dev/null
@@ -0,0 +1,43 @@
+From f7e392f464dc1026793bc9358b9e1d7017d2bdeb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Feb 2024 22:51:49 +1100
+Subject: powerpc/boot: Only free if realloc() succeeds
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit f2d5bccaca3e8c09c9b9c8485375f7bdbb2631d2 ]
+
+simple_realloc() frees the original buffer (ptr) even if the
+reallocation failed.
+
+Fix it to behave like standard realloc() and only free the original
+buffer if the reallocation succeeded.
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20240229115149.749264-1-mpe@ellerman.id.au
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/boot/simple_alloc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/boot/simple_alloc.c b/arch/powerpc/boot/simple_alloc.c
+index 188c4f996512a..bc99f75b8582d 100644
+--- a/arch/powerpc/boot/simple_alloc.c
++++ b/arch/powerpc/boot/simple_alloc.c
+@@ -114,10 +114,11 @@ static void *simple_realloc(void *ptr, unsigned long size)
+               return ptr;
+       new = simple_malloc(size);
+-      if (new)
++      if (new) {
+               memcpy(new, ptr, p->size);
++              simple_free(ptr);
++      }
+-      simple_free(ptr);
+       return new;
+ }
+-- 
+2.43.0
+
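Review bot: simple_realloc() now returns NULL with `ptr` still allocated, but the function has no comment stating that contract, and callers written against the old behaviour may assume the buffer is gone. A line above the function such as `/* On failure returns NULL and leaves ptr valid, like realloc(); the caller still owns ptr */` would make the ownership rule explicit. Callers that assign the result over their only copy of `ptr` would now leak the old buffer on failure. They are not visible here, so that is worth a check. The function starts outside the hunk.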
diff --git a/queue-4.19/powerpc-xics-check-return-value-of-kasprintf-in-icp_.patch b/queue-4.19/powerpc-xics-check-return-value-of-kasprintf-in-icp_.patch
new file mode 100644 (file)
index 0000000..14b074c
--- /dev/null
@@ -0,0 +1,38 @@
+From e4437cfaf219608d9a4824ed4c2c83fbfcfaad5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Nov 2023 11:06:51 +0800
+Subject: powerpc/xics: Check return value of kasprintf in
+ icp_native_map_one_cpu
+
+From: Kunwu Chan <chentao@kylinos.cn>
+
+[ Upstream commit 45b1ba7e5d1f6881050d558baf9bc74a2ae13930 ]
+
+kasprintf() returns a pointer to dynamically allocated memory
+which can be NULL upon failure. Ensure the allocation was successful
+by checking the pointer validity.
+
+Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://msgid.link/20231122030651.3818-1-chentao@kylinos.cn
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/sysdev/xics/icp-native.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/arch/powerpc/sysdev/xics/icp-native.c b/arch/powerpc/sysdev/xics/icp-native.c
+index 340de58a15bd6..71278d554715d 100644
+--- a/arch/powerpc/sysdev/xics/icp-native.c
++++ b/arch/powerpc/sysdev/xics/icp-native.c
+@@ -240,6 +240,8 @@ static int __init icp_native_map_one_cpu(int hw_id, unsigned long addr,
+       rname = kasprintf(GFP_KERNEL, "CPU %d [0x%x] Interrupt Presentation",
+                         cpu, hw_id);
++      if (!rname)
++              return -ENOMEM;
+       if (!request_mem_region(addr, size, rname)) {
+               pr_warn("icp_native: Could not reserve ICP MMIO for CPU %d, interrupt server #0x%x\n",
+                       cpu, hw_id);
+-- 
+2.43.0
+
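Review bot: The new `if (!rname) return -ENOMEM;` in icp_native_map_one_cpu() handles the failed allocation, but the request_mem_region() failure branch right below it appears to leave `rname` allocated. Only the `pr_warn()` of that branch is inside the hunk, so this is inferred. If the branch returns without releasing the string, adding `kfree(rname);` before its return would close the leak. The function continues outside the hunk.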
diff --git a/queue-4.19/quota-remove-bug_on-from-dqget.patch b/queue-4.19/quota-remove-bug_on-from-dqget.patch
new file mode 100644 (file)
index 0000000..ce2508c
--- /dev/null
@@ -0,0 +1,40 @@
+From bd5b304beb9a2a127aec0840c9fc1dd730241a33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Oct 2023 13:34:08 +0200
+Subject: quota: Remove BUG_ON from dqget()
+
+From: Jan Kara <jack@suse.cz>
+
+[ Upstream commit 249f374eb9b6b969c64212dd860cc1439674c4a8 ]
+
+dqget() checks whether dquot->dq_sb is set when returning it using
+BUG_ON. Firstly this doesn't work as an invalidation check for quite
+some time (we release dquot with dq_sb set these days), secondly using
+BUG_ON is quite harsh. Use WARN_ON_ONCE and check whether dquot is still
+hashed instead.
+
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/quota/dquot.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/fs/quota/dquot.c b/fs/quota/dquot.c
+index 6bdb44fb07a7f..a470bb4e00f18 100644
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -985,9 +985,8 @@ struct dquot *dqget(struct super_block *sb, struct kqid qid)
+        * smp_mb__before_atomic() in dquot_acquire().
+        */
+       smp_rmb();
+-#ifdef CONFIG_QUOTA_DEBUG
+-      BUG_ON(!dquot->dq_sb);  /* Has somebody invalidated entry under us? */
+-#endif
++      /* Has somebody invalidated entry under us? */
++      WARN_ON_ONCE(hlist_unhashed(&dquot->dq_hash));
+ out:
+       if (empty)
+               do_destroy_dquot(empty);
+-- 
+2.43.0
+
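Review bot: `WARN_ON_ONCE(hlist_unhashed(&dquot->dq_hash))` in dqget() only reports the condition: control falls through to `out:` and, as far as the hunk shows, the dquot is still handed back to the caller. If an unhashed entry means it was invalidated, the comment should say the check is diagnostic, e.g. `/* Diagnostic only: an unhashed dquot is still returned */`, or the branch should drop the reference and fail. The check also moved out of `#ifdef CONFIG_QUOTA_DEBUG`, so it now runs on every kernel, and systems booted with panic_on_warn will still stop on it. dqget() starts and ends outside the hunk.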
diff --git a/queue-4.19/s390-iucv-fix-receive-buffer-virtual-vs-physical-add.patch b/queue-4.19/s390-iucv-fix-receive-buffer-virtual-vs-physical-add.patch
new file mode 100644 (file)
index 0000000..17416b8
--- /dev/null
@@ -0,0 +1,38 @@
+From e9a13be48897f9e4e4a2f2b129259d3413b03b9b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 16 Feb 2024 13:13:26 +0100
+Subject: s390/iucv: fix receive buffer virtual vs physical address confusion
+
+From: Alexander Gordeev <agordeev@linux.ibm.com>
+
+[ Upstream commit 4e8477aeb46dfe74e829c06ea588dd00ba20c8cc ]
+
+Fix IUCV_IPBUFLST-type buffers virtual vs physical address confusion.
+This does not fix a bug since virtual and physical address spaces are
+currently the same.
+
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/iucv/iucv.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c
+index 2f82a6f0992e4..b1ecf008fa507 100644
+--- a/net/iucv/iucv.c
++++ b/net/iucv/iucv.c
+@@ -1149,8 +1149,7 @@ static int iucv_message_receive_iprmdata(struct iucv_path *path,
+               size = (size < 8) ? size : 8;
+               for (array = buffer; size > 0; array++) {
+                       copy = min_t(size_t, size, array->length);
+-                      memcpy((u8 *)(addr_t) array->address,
+-                              rmmsg, copy);
++                      memcpy(phys_to_virt(array->address), rmmsg, copy);
+                       rmmsg += copy;
+                       size -= copy;
+               }
+-- 
+2.43.0
+
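Review bot: The copy loop around the changed `memcpy()` in iucv_message_receive_iprmdata() ends only when `size` reaches zero, so a buffer-list entry whose `length` is 0 advances `array` without making progress and the walk can run past the end of the list. This predates the change, but the line being touched is the write through `array->address`, so it is the natural place to bound it. A hedged suggestion, since the list's layout and the callers are not visible: stop when `array->length` is zero, e.g. `if (!array->length) break;` before the `min_t()`. The function starts and ends outside the hunk.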
diff --git a/queue-4.19/scsi-lpfc-initialize-status-local-variable-in-lpfc_s.patch b/queue-4.19/scsi-lpfc-initialize-status-local-variable-in-lpfc_s.patch
new file mode 100644 (file)
index 0000000..93fdf31
--- /dev/null
@@ -0,0 +1,41 @@
+From 92307cd1d652d7d1129d92016ef75805804f2080 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 31 Jan 2024 10:50:56 -0800
+Subject: scsi: lpfc: Initialize status local variable in
+ lpfc_sli4_repost_sgl_list()
+
+From: Justin Tee <justin.tee@broadcom.com>
+
+[ Upstream commit 3d0f9342ae200aa1ddc4d6e7a573c6f8f068d994 ]
+
+A static code analyzer tool indicates that the local variable called status
+in the lpfc_sli4_repost_sgl_list() routine could be used to print garbage
+uninitialized values in the routine's log message.
+
+Fix by initializing to zero.
+
+Signed-off-by: Justin Tee <justin.tee@broadcom.com>
+Link: https://lore.kernel.org/r/20240131185112.149731-2-justintee8345@gmail.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/lpfc/lpfc_sli.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
+index e72fc88aeb40e..9da9d5ee0b8ef 100644
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -6597,7 +6597,7 @@ lpfc_sli4_repost_sgl_list(struct lpfc_hba *phba,
+       struct lpfc_sglq *sglq_entry = NULL;
+       struct lpfc_sglq *sglq_entry_next = NULL;
+       struct lpfc_sglq *sglq_entry_first = NULL;
+-      int status, total_cnt;
++      int status = 0, total_cnt;
+       int post_cnt = 0, num_posted = 0, block_cnt = 0;
+       int last_xritag = NO_XRI;
+       LIST_HEAD(prep_sgl_list);
+-- 
+2.43.0
+
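Review bot: `int status = 0, total_cnt;` in lpfc_sli4_repost_sgl_list() mixes an initialised and an uninitialised declarator on one line, which makes it easy to read `total_cnt` as initialised too. Splitting it into `int status = 0;` and `int total_cnt;` keeps the fix obvious. Zero also reads as success in the routine's log message mentioned in the description, so a short comment like `/* 0 until a post attempt sets it */` would help. The uses of `status` are outside the hunk.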
diff --git a/queue-4.19/serial-pch-don-t-disable-interrupts-while-acquiring-.patch b/queue-4.19/serial-pch-don-t-disable-interrupts-while-acquiring-.patch
new file mode 100644 (file)
index 0000000..9eab811
--- /dev/null
@@ -0,0 +1,52 @@
+From 5256e661321670d7aff0456bc2028f8309b6098f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Mar 2024 22:45:28 +0100
+Subject: serial: pch: Don't disable interrupts while acquiring lock in ISR.
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit f8ff23ebce8c305383c8070e1ea3b08a69eb1e8d ]
+
+The interrupt service routine is always invoked with disabled
+interrupts.
+
+Remove the _irqsave() from the locking functions in the interrupts
+service routine/ pch_uart_interrupt().
+
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Link: https://lore.kernel.org/r/20240301215246.891055-16-bigeasy@linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/pch_uart.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/tty/serial/pch_uart.c b/drivers/tty/serial/pch_uart.c
+index 4b035d61b280a..99375814be8b9 100644
+--- a/drivers/tty/serial/pch_uart.c
++++ b/drivers/tty/serial/pch_uart.c
+@@ -1093,11 +1093,10 @@ static irqreturn_t pch_uart_interrupt(int irq, void *dev_id)
+       u8 lsr;
+       int ret = 0;
+       unsigned char iid;
+-      unsigned long flags;
+       int next = 1;
+       u8 msr;
+-      spin_lock_irqsave(&priv->lock, flags);
++      spin_lock(&priv->lock);
+       handled = 0;
+       while (next) {
+               iid = pch_uart_hal_get_iid(priv);
+@@ -1157,7 +1156,7 @@ static irqreturn_t pch_uart_interrupt(int irq, void *dev_id)
+               handled |= (unsigned int)ret;
+       }
+-      spin_unlock_irqrestore(&priv->lock, flags);
++      spin_unlock(&priv->lock);
+       return IRQ_RETVAL(handled);
+ }
+-- 
+2.43.0
+
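Review bot: Replacing `spin_lock_irqsave()` with plain `spin_lock(&priv->lock)` in pch_uart_interrupt() is only safe if the handler always runs with interrupts disabled, and that assumption deserves a check for 4.19 when handlers are force-threaded (`threadirqs`). If the handler can run with interrupts enabled while another path takes `priv->lock` from interrupt context, the plain lock can deadlock on the same CPU. A comment at the lock, `/* hardirq context: interrupts are already disabled */`, would at least record the assumption. The other users of `priv->lock` are outside the hunks.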
index 320d6dd18ac4b5921e011864213a525e0875fbec..2d1938215d709bfb4d07681a9dd05c1ba75e7be1 100644 (file)
@@ -22,3 +22,31 @@ binfmt_misc-cleanup-on-filesystem-umount.patch
 scsi-spi-fix-sshdr-use.patch
 gfs2-setattr_chown-add-missing-initialization.patch
 wifi-iwlwifi-abort-scan-when-rfkill-on-but-device-en.patch
+powerpc-xics-check-return-value-of-kasprintf-in-icp_.patch
+ext4-do-not-trim-the-group-with-corrupted-block-bitm.patch
+quota-remove-bug_on-from-dqget.patch
+media-pci-cx23885-check-cx23885_vdev_init-return.patch
+fs-binfmt_elf_efpic-don-t-use-missing-interpreter-s-.patch
+scsi-lpfc-initialize-status-local-variable-in-lpfc_s.patch
+net-sun3_82586-avoid-reading-past-buffer-in-debug-ou.patch
+md-clean-up-invalid-bug_on-in-md_ioctl.patch
+parisc-use-irq_enter_rcu-to-fix-warning-at-kernel-co.patch
+serial-pch-don-t-disable-interrupts-while-acquiring-.patch
+powerpc-boot-handle-allocation-failure-in-simple_rea.patch
+powerpc-boot-only-free-if-realloc-succeeds.patch
+btrfs-change-bug_on-to-assertion-when-checking-for-d.patch
+btrfs-handle-invalid-root-reference-found-in-may_des.patch
+btrfs-send-handle-unexpected-data-in-header-buffer-i.patch
+btrfs-delete-pointless-bug_on-check-on-quota-root-in.patch
+f2fs-fix-to-do-sanity-check-in-update_sit_entry.patch
+usb-gadget-fsl-increase-size-of-name-buffer-for-endp.patch
+bluetooth-bnep-fix-out-of-bound-access.patch
+nfs-avoid-infinite-loop-in-pnfs_update_layout.patch
+openrisc-call-setup_memory-earlier-in-the-init-seque.patch
+s390-iucv-fix-receive-buffer-virtual-vs-physical-add.patch
+usb-dwc3-core-skip-setting-event-buffers-for-host-on.patch
+fbdev-offb-replace-of_node_put-with-__free-device_no.patch
+irqchip-gic-v3-its-remove-bug_on-in-its_vpe_irq_doma.patch
+ext4-set-the-type-of-max_zeroout-to-unsigned-int-to-.patch
+nvmet-rdma-fix-possible-bad-dereference-when-freeing.patch
+hrtimer-prevent-queuing-of-hrtimer-without-a-functio.patch
diff --git a/queue-4.19/usb-dwc3-core-skip-setting-event-buffers-for-host-on.patch b/queue-4.19/usb-dwc3-core-skip-setting-event-buffers-for-host-on.patch
new file mode 100644 (file)
index 0000000..48adf1a
--- /dev/null
@@ -0,0 +1,71 @@
+From dc8271f07aa961dd74fa00f6b3924cb19e37366c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 20 Apr 2024 10:18:55 +0530
+Subject: usb: dwc3: core: Skip setting event buffers for host only controllers
+
+From: Krishna Kurapati <quic_kriskura@quicinc.com>
+
+[ Upstream commit 89d7f962994604a3e3d480832788d06179abefc5 ]
+
+On some SoC's like SA8295P where the tertiary controller is host-only
+capable, GEVTADDRHI/LO, GEVTSIZ, GEVTCOUNT registers are not accessible.
+Trying to access them leads to a crash.
+
+For DRD/Peripheral supported controllers, event buffer setup is done
+again in gadget_pullup. Skip setup or cleanup of event buffers if
+controller is host-only capable.
+
+Suggested-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Krishna Kurapati <quic_kriskura@quicinc.com>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Bjorn Andersson <andersson@kernel.org>
+Tested-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://lore.kernel.org/r/20240420044901.884098-4-quic_kriskura@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc3/core.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
+index fd82904e14657..b14e06ee831bc 100644
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -372,6 +372,13 @@ static void dwc3_free_event_buffers(struct dwc3 *dwc)
+ static int dwc3_alloc_event_buffers(struct dwc3 *dwc, unsigned length)
+ {
+       struct dwc3_event_buffer *evt;
++      unsigned int hw_mode;
++
++      hw_mode = DWC3_GHWPARAMS0_MODE(dwc->hwparams.hwparams0);
++      if (hw_mode == DWC3_GHWPARAMS0_MODE_HOST) {
++              dwc->ev_buf = NULL;
++              return 0;
++      }
+       evt = dwc3_alloc_one_event_buffer(dwc, length);
+       if (IS_ERR(evt)) {
+@@ -393,6 +400,9 @@ int dwc3_event_buffers_setup(struct dwc3 *dwc)
+ {
+       struct dwc3_event_buffer        *evt;
++      if (!dwc->ev_buf)
++              return 0;
++
+       evt = dwc->ev_buf;
+       evt->lpos = 0;
+       dwc3_writel(dwc->regs, DWC3_GEVNTADRLO(0),
+@@ -410,6 +420,9 @@ void dwc3_event_buffers_cleanup(struct dwc3 *dwc)
+ {
+       struct dwc3_event_buffer        *evt;
++      if (!dwc->ev_buf)
++              return;
++
+       evt = dwc->ev_buf;
+       evt->lpos = 0;
+-- 
+2.43.0
+
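Review bot: `dwc->ev_buf = NULL` in dwc3_alloc_event_buffers() turns a NULL event buffer into the marker for a host-only controller, yet only dwc3_event_buffers_setup() and dwc3_event_buffers_cleanup() gain a NULL check here. Any other dereference of `dwc->ev_buf` in the 4.19 tree would fault on such hardware, so the backport should confirm every user is guarded. That includes dwc3_free_event_buffers(), which ends just above the first hunk and is not visible. The early return would also read better with a comment, e.g. `/* host-only: GEVNT* registers are not accessible, no event buffer */`. All three functions continue outside their hunks.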
diff --git a/queue-4.19/usb-gadget-fsl-increase-size-of-name-buffer-for-endp.patch b/queue-4.19/usb-gadget-fsl-increase-size-of-name-buffer-for-endp.patch
new file mode 100644 (file)
index 0000000..abf2bc9
--- /dev/null
@@ -0,0 +1,40 @@
+From 55a787fc7c9d7dd0332debd7bd60f34a60cf2aee Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Feb 2024 18:33:16 +0100
+Subject: usb: gadget: fsl: Increase size of name buffer for endpoints
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 87850f6cc20911e35eafcbc1d56b0d649ae9162d ]
+
+This fixes a W=1 warning about sprintf writing up to 16 bytes into a
+buffer of size 14. There is no practical relevance because there are not
+more than 32 endpoints.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Link: https://lore.kernel.org/r/6754df25c56aae04f8110594fad2cd2452b1862a.1708709120.git.u.kleine-koenig@pengutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/fsl_udc_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/fsl_udc_core.c b/drivers/usb/gadget/udc/fsl_udc_core.c
+index 367697144cda2..b86f86902f55e 100644
+--- a/drivers/usb/gadget/udc/fsl_udc_core.c
++++ b/drivers/usb/gadget/udc/fsl_udc_core.c
+@@ -2501,7 +2501,7 @@ static int fsl_udc_probe(struct platform_device *pdev)
+       /* setup the udc->eps[] for non-control endpoints and link
+        * to gadget.ep_list */
+       for (i = 1; i < (int)(udc_controller->max_ep / 2); i++) {
+-              char name[14];
++              char name[16];
+               sprintf(name, "ep%dout", i);
+               struct_ep_setup(udc_controller, i * 2, name, 1);
+-- 
+2.43.0
+
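Review bot: The `sprintf(name, "ep%dout", i)` right after the enlarged `char name[16];` in fsl_udc_probe() is still unbounded, so nothing at the call site ties the write to the buffer size. `snprintf(name, sizeof(name), "ep%dout", i);` states the bound explicitly and keeps working if the format or the loop range changes. The description notes there are at most 32 endpoints, so this is hardening rather than a live overflow. The loop body continues outside the hunk.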