Changelog in Linux kernel 6.10.4

 
ALSA: hda/realtek: Add quirk for Acer Aspire E5-574G [+ + +]
Author: Mavroudis Chatzilazaridis <mavchatz@protonmail.com>
Date:   Sun Jul 28 12:36:04 2024 +0000

    ALSA: hda/realtek: Add quirk for Acer Aspire E5-574G
    
    commit 3c0b6f924e1259ade38587ea719b693f6f6f2f3e upstream.
    
    ALC255_FIXUP_ACER_LIMIT_INT_MIC_BOOST fixes combo jack detection and
    limits the internal microphone boost that causes clipping on this model.
    
    Signed-off-by: Mavroudis Chatzilazaridis <mavchatz@protonmail.com>
    Cc: <stable@vger.kernel.org>
    Link: https://patch.msgid.link/20240728123601.144017-1-mavchatz@protonmail.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ALSA: hda: Conditionally use snooping for AMD HDMI [+ + +]
Author: Takashi Iwai <tiwai@suse.de>
Date:   Wed Jul 31 19:05:15 2024 +0200

    ALSA: hda: Conditionally use snooping for AMD HDMI
    
    [ Upstream commit 478689b5990deb626a0b3f1ebf165979914d6be4 ]
    
    The recent regression report revealed that the use of WC pages for AMD
    HDMI device together with AMD IOMMU leads to unexpected truncation or
    noises.  The issue seems triggered by the change in the kernel core
    memory allocation that enables IOMMU driver to use always S/G
    buffers.  Meanwhile, the use of WC pages has been a workaround for the
    similar issue with standard pages in the past.  So, now we need to
    apply the workaround conditionally, namely, only when IOMMU isn't in
    place.
    
    This patch modifies the workaround code to check the DMA ops at first
    and apply the snoop-off only when needed.
    
    Fixes: f5ff79fddf0e ("dma-mapping: remove CONFIG_DMA_REMAP")
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=219087
    Link: https://patch.msgid.link/20240731170521.31714-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ALSA: hda: conexant: Fix headset auto detect fail in the polling mode [+ + +]
Author: songxiebing <songxiebing@kylinos.cn>
Date:   Fri Jul 26 18:07:26 2024 +0800

    ALSA: hda: conexant: Fix headset auto detect fail in the polling mode
    
    [ Upstream commit e60dc98122110594d0290845160f12916192fc6d ]
    
    The previous fix (7aeb25908648) only handles the unsol_event reporting
    during interrupts and does not include the polling mode used to set
    jackroll_ms, so now we are replacing it with
    snd_hda_jack_detect_enable_callback.
    
    Fixes: 7aeb25908648 ("ALSA: hda/conexant: Fix headset auto detect fail in cx8070 and SN6140")
    Co-developed-by: bo liu <bo.liu@senarytech.com>
    Signed-off-by: bo liu <bo.liu@senarytech.com>
    Signed-off-by: songxiebing <songxiebing@kylinos.cn>
    Link: https://patch.msgid.link/20240726100726.50824-1-soxiebing@163.com
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ALSA: seq: ump: Optimize conversions from SysEx to UMP [+ + +]
Author: Takashi Iwai <tiwai@suse.de>
Date:   Fri Jul 26 16:34:54 2024 +0200

    ALSA: seq: ump: Optimize conversions from SysEx to UMP
    
    commit 952b13c215234855d75ef4b5bb0138075e73677c upstream.
    
    The current conversion from the legacy SysEx event to UMP SysEx packet
    in the sequencer core has a couple of issues:
    
    * The first packet trims the SysEx start byte (0xf0), hence it
      contains only 5 bytes instead of 6.  This isn't wrong, per
      specification, but it's strange not to fill 6 bytes.
    
    * When the SysEx end marker (0xf7) is placed at the first byte of the
      next packet, it'll end up with an empty data just with the END
      status.  It can be rather folded into the previous packet with the
      END status.
    
    This patch tries to address those issues.  The first packet may have 6
    bytes even with the SysEx start, and an empty packet with the SysEx
    end marker is omitted.
    
    Fixes: e9e02819a98a ("ALSA: seq: Automatic conversion of UMP events")
    Cc: <stable@vger.kernel.org>
    Link: https://patch.msgid.link/20240726143455.3254-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ALSA: usb-audio: Correct surround channels in UAC1 channel map [+ + +]
Author: Takashi Iwai <tiwai@suse.de>
Date:   Wed Jul 31 16:19:41 2024 +0200

    ALSA: usb-audio: Correct surround channels in UAC1 channel map
    
    commit b7b7e1ab7619deb3b299b5e5c619c3e6f183a12d upstream.
    
    USB-audio driver puts SNDRV_CHMAP_SL and _SR as left and right
    surround channels for UAC1 channel map, respectively.  But they should
    have been SNDRV_CHMAP_RL and _RR; the current value *_SL and _SR are
    rather "side" channels, not "surround".  I guess I took those
    mistakenly when I read the spec mentioning "surround left".
    
    This patch corrects those entries to be the right channels.
    
    Suggested-by: Sylvain BERTRAND <sylvain.bertrand@legeek.net>
    Closes: https://lore.kernel.orgZ/qIyJD8lhd8hFhlC@freedom
    Fixes: 04324ccc75f9 ("ALSA: usb-audio: add channel map support")
    Cc: <stable@vger.kernel.org>
    Link: https://patch.msgid.link/20240731142018.24750-1-tiwai@suse.de
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
arm64: jump_label: Ensure patched jump_labels are visible to all CPUs [+ + +]
Author: Will Deacon <will@kernel.org>
Date:   Wed Jul 31 14:36:01 2024 +0100

    arm64: jump_label: Ensure patched jump_labels are visible to all CPUs
    
    [ Upstream commit cfb00a35786414e7c0e6226b277d9f09657eae74 ]
    
    Although the Arm architecture permits concurrent modification and
    execution of NOP and branch instructions, it still requires some
    synchronisation to ensure that other CPUs consistently execute the newly
    written instruction:
    
     >  When the modified instructions are observable, each PE that is
     >  executing the modified instructions must execute an ISB or perform a
     >  context synchronizing event to ensure execution of the modified
     >  instructions
    
    Prior to commit f6cc0c501649 ("arm64: Avoid calling stop_machine() when
    patching jump labels"), the arm64 jump_label patching machinery
    performed synchronisation using stop_machine() after each modification,
    however this was problematic when flipping static keys from atomic
    contexts (namely, the arm_arch_timer CPU hotplug startup notifier) and
    so we switched to the _nosync() patching routines to avoid "scheduling
    while atomic" BUG()s during boot.
    
    In hindsight, the analysis of the issue in f6cc0c501649 isn't quite
    right: it cites the use of IPIs in the default patching routines as the
    cause of the lockup, whereas stop_machine() does not rely on IPIs and
    the I-cache invalidation is performed using __flush_icache_range(),
    which elides the call to kick_all_cpus_sync(). In fact, the blocking
    wait for other CPUs is what triggers the BUG() and the problem remains
    even after f6cc0c501649, for example because we could block on the
    jump_label_mutex. Eventually, the arm_arch_timer driver was fixed to
    avoid the static key entirely in commit a862fc2254bd
    ("clocksource/arm_arch_timer: Remove use of workaround static key").
    
    This all leaves the jump_label patching code in a funny situation on
    arm64 as we do not synchronise with other CPUs to reduce the likelihood
    of a bug which no longer exists. Consequently, toggling a static key on
    one CPU cannot be assumed to take effect on other CPUs, leading to
    potential issues, for example with missing preempt notifiers.
    
    Rather than revert f6cc0c501649 and go back to stop_machine() for each
    patch site, implement arch_jump_label_transform_apply() and kick all
    the other CPUs with an IPI at the end of patching.
    
    Cc: Alexander Potapenko <glider@google.com>
    Cc: Mark Rutland <mark.rutland@arm.com>
    Cc: Marc Zyngier <maz@kernel.org>
    Fixes: f6cc0c501649 ("arm64: Avoid calling stop_machine() when patching jump labels")
    Signed-off-by: Will Deacon <will@kernel.org>
    Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
    Reviewed-by: Marc Zyngier <maz@kernel.org>
    Link: https://lore.kernel.org/r/20240731133601.3073-1-will@kernel.org
    Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ARM: 9406/1: Fix callchain_trace() return value [+ + +]
Author: Jinjie Ruan <ruanjinjie@huawei.com>
Date:   Thu Jun 27 08:29:59 2024 +0100

    ARM: 9406/1: Fix callchain_trace() return value
    
    [ Upstream commit 4e7b4ff2dcaed228cb2fb7bfe720262c98ec1bb9 ]
    
    perf_callchain_store() return 0 on success, -1 otherwise, fix
    callchain_trace() to return correct bool value. So walk_stackframe() can
    have a chance to stop walking the stack ahead.
    
    Fixes: 70ccc7c0667b ("ARM: 9258/1: stacktrace: Make stack walk callback consistent with generic code")
    Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
    Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ARM: 9408/1: mm: CFI: Fix some erroneous reset prototypes [+ + +]
Author: Linus Walleij <linus.walleij@linaro.org>
Date:   Thu Jun 27 09:22:09 2024 +0100

    ARM: 9408/1: mm: CFI: Fix some erroneous reset prototypes
    
    [ Upstream commit 657a292d679ae3a6c733ab0e939e24ae44b20faf ]
    
    I somehow got a few cpu_nn_reset() signatures wrong in my
    patch. Fix it up.
    
    Closes: https://lore.kernel.org/oe-kbuild-all/202406260432.6WGV2jCk-lkp@intel.com/
    
    Fixes: 393999fa9627 ("ARM: 9389/2: mm: Define prototypes for all per-processor calls")
    Reported-by: kernel test robot <lkp@intel.com>
    Reported-by: Nathan Chancellor <nathan@kernel.org>
    Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
Bluetooth: btintel: Fail setup on error [+ + +]
Author: Kiran K <kiran.k@intel.com>
Date:   Wed Jul 3 14:22:42 2024 +0530

    Bluetooth: btintel: Fail setup on error
    
    [ Upstream commit e22a3a9d4134d7e6351a2998771522e74bcc58da ]
    
    Do not attempt to send any hci command to controller if *setup* function
    fails.
    
    Fixes: af395330abed ("Bluetooth: btintel: Add Intel devcoredump support")
    Signed-off-by: Kiran K <kiran.k@intel.com>
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

Bluetooth: hci_event: Fix setting DISCOVERY_FINDING for passive scanning [+ + +]
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date:   Thu Jul 25 18:28:08 2024 -0400

    Bluetooth: hci_event: Fix setting DISCOVERY_FINDING for passive scanning
    
    commit df3d6a3e01fd82cb74b6bb309f7be71e728a3448 upstream.
    
    DISCOVERY_FINDING shall only be set for active scanning as passive
    scanning is not meant to generate MGMT Device Found events causing
    discovering state to go out of sync since userspace would believe it
    is discovering when in fact it is just passive scanning.
    
    Cc: stable@vger.kernel.org
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=219088
    Fixes: 2e2515c1ba38 ("Bluetooth: hci_event: Set DISCOVERY_FINDING on SCAN_ENABLED")
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bluetooth: hci_sync: Fix suspending with wrong filter policy [+ + +]
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date:   Mon Jul 15 10:40:03 2024 -0400

    Bluetooth: hci_sync: Fix suspending with wrong filter policy
    
    [ Upstream commit 96b82af36efaa1787946e021aa3dc5410c05beeb ]
    
    When suspending the scan filter policy cannot be 0x00 (no acceptlist)
    since that means the host has to process every advertisement report
    waking up the system, so this attempts to check if hdev is marked as
    suspended and if the resulting filter policy would be 0x00 (no
    acceptlist) then skip passive scanning if thre no devices in the
    acceptlist otherwise reset the filter policy to 0x01 so the acceptlist
    is used since the devices programmed there can still wakeup be system.
    
    Fixes: 182ee45da083 ("Bluetooth: hci_sync: Rework hci_suspend_notifier")
    Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
bnxt_en: Fix RSS logic in __bnxt_reserve_rings() [+ + +]
Author: Pavan Chebbi <pavan.chebbi@broadcom.com>
Date:   Wed Jul 24 15:21:06 2024 -0700

    bnxt_en: Fix RSS logic in __bnxt_reserve_rings()
    
    [ Upstream commit 98ba1d931f611e8f8f519c0405fa0a1a76554bfa ]
    
    In __bnxt_reserve_rings(), the existing code unconditionally sets the
    default RSS indirection table to default if netif_is_rxfh_configured()
    returns false.  This used to be correct before we added RSS contexts
    support.  For example, if the user is changing the number of ethtool
    channels, we will enter this path to reserve the new number of rings.
    We will then set the RSS indirection table to default to cover the new
    number of rings if netif_is_rxfh_configured() is false.
    
    Now, with RSS contexts support, if the user has added or deleted RSS
    contexts, we may now enter this path to reserve the new number of VNICs.
    However, netif_is_rxfh_configured() will not return the correct state if
    we are still in the middle of set_rxfh().  So the existing code may
    set the indirection table of the default RSS context to default by
    mistake.
    
    Fix it to check if the reservation of the RX rings is changing.  Only
    check netif_is_rxfh_configured() if it is changing.  RX rings will not
    change in the middle of set_rxfh() and this will fix the issue.
    
    Fixes: b3d0083caf9a ("bnxt_en: Support RSS contexts in ethtool .{get|set}_rxfh()")
    Reported-and-tested-by: Jakub Kicinski <kuba@kernel.org>
    Link: https://lore.kernel.org/20240625010210.2002310-1-kuba@kernel.org
    Reviewed-by: Andy Gospodarek <andrew.gospodarek@broadcom.com>
    Signed-off-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
    Signed-off-by: Michael Chan <michael.chan@broadcom.com>
    Link: https://patch.msgid.link/20240724222106.147744-1-michael.chan@broadcom.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
btrfs: do not subtract delalloc from avail bytes [+ + +]
Author: Naohiro Aota <naohiro.aota@wdc.com>
Date:   Thu Jul 11 23:50:58 2024 +0900

    btrfs: do not subtract delalloc from avail bytes
    
    commit d89c285d28491d8f10534c262ac9e6bdcbe1b4d2 upstream.
    
    The block group's avail bytes printed when dumping a space info subtract
    the delalloc_bytes. However, as shown in btrfs_add_reserved_bytes() and
    btrfs_free_reserved_bytes(), it is added or subtracted along with
    "reserved" for the delalloc case, which means the "delalloc_bytes" is a
    part of the "reserved" bytes. So, excluding it to calculate the avail space
    counts delalloc_bytes twice, which can lead to an invalid result.
    
    Fixes: e50b122b832b ("btrfs: print available space for a block group when dumping a space info")
    CC: stable@vger.kernel.org # 6.6+
    Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
    Reviewed-by: Boris Burkov <boris@bur.io>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

btrfs: make cow_file_range_inline() honor locked_page on error [+ + +]
Author: Boris Burkov <boris@bur.io>
Date:   Mon Jul 22 16:49:45 2024 -0700

    btrfs: make cow_file_range_inline() honor locked_page on error
    
    commit 478574370bef7951fbd9ef5155537d6cbed49472 upstream.
    
    The btrfs buffered write path runs through __extent_writepage() which
    has some tricky return value handling for writepage_delalloc().
    Specifically, when that returns 1, we exit, but for other return values
    we continue and end up calling btrfs_folio_end_all_writers(). If the
    folio has been unlocked (note that we check the PageLocked bit at the
    start of __extent_writepage()), this results in an assert panic like
    this one from syzbot:
    
      BTRFS: error (device loop0 state EAL) in free_log_tree:3267: errno=-5 IO failure
      BTRFS warning (device loop0 state EAL): Skipping commit of aborted transaction.
      BTRFS: error (device loop0 state EAL) in cleanup_transaction:2018: errno=-5 IO failure
      assertion failed: folio_test_locked(folio), in fs/btrfs/subpage.c:871
      ------------[ cut here ]------------
      kernel BUG at fs/btrfs/subpage.c:871!
      Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
      CPU: 1 PID: 5090 Comm: syz-executor225 Not tainted
      6.10.0-syzkaller-05505-gb1bc554e009e #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 06/27/2024
      RIP: 0010:btrfs_folio_end_all_writers+0x55b/0x610 fs/btrfs/subpage.c:871
      Code: e9 d3 fb ff ff e8 25 22 c2 fd 48 c7 c7 c0 3c 0e 8c 48 c7 c6 80 3d
      0e 8c 48 c7 c2 60 3c 0e 8c b9 67 03 00 00 e8 66 47 ad 07 90 <0f> 0b e8
      6e 45 b0 07 4c 89 ff be 08 00 00 00 e8 21 12 25 fe 4c 89
      RSP: 0018:ffffc900033d72e0 EFLAGS: 00010246
      RAX: 0000000000000045 RBX: 00fff0000000402c RCX: 663b7a08c50a0a00
      RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
      RBP: ffffc900033d73b0 R08: ffffffff8176b98c R09: 1ffff9200067adfc
      R10: dffffc0000000000 R11: fffff5200067adfd R12: 0000000000000001
      R13: dffffc0000000000 R14: 0000000000000000 R15: ffffea0001cbee80
      FS:  0000000000000000(0000) GS:ffff8880b9500000(0000)
      knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f5f076012f8 CR3: 000000000e134000 CR4: 00000000003506f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
      <TASK>
      __extent_writepage fs/btrfs/extent_io.c:1597 [inline]
      extent_write_cache_pages fs/btrfs/extent_io.c:2251 [inline]
      btrfs_writepages+0x14d7/0x2760 fs/btrfs/extent_io.c:2373
      do_writepages+0x359/0x870 mm/page-writeback.c:2656
      filemap_fdatawrite_wbc+0x125/0x180 mm/filemap.c:397
      __filemap_fdatawrite_range mm/filemap.c:430 [inline]
      __filemap_fdatawrite mm/filemap.c:436 [inline]
      filemap_flush+0xdf/0x130 mm/filemap.c:463
      btrfs_release_file+0x117/0x130 fs/btrfs/file.c:1547
      __fput+0x24a/0x8a0 fs/file_table.c:422
      task_work_run+0x24f/0x310 kernel/task_work.c:222
      exit_task_work include/linux/task_work.h:40 [inline]
      do_exit+0xa2f/0x27f0 kernel/exit.c:877
      do_group_exit+0x207/0x2c0 kernel/exit.c:1026
      __do_sys_exit_group kernel/exit.c:1037 [inline]
      __se_sys_exit_group kernel/exit.c:1035 [inline]
      __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1035
      x64_sys_call+0x2634/0x2640
      arch/x86/include/generated/asm/syscalls_64.h:232
      do_syscall_x64 arch/x86/entry/common.c:52 [inline]
      do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
      entry_SYSCALL_64_after_hwframe+0x77/0x7f
      RIP: 0033:0x7f5f075b70c9
      Code: Unable to access opcode bytes at
      0x7f5f075b709f.
    
    I was hitting the same issue by doing hundreds of accelerated runs of
    generic/475, which also hits IO errors by design.
    
    I instrumented that reproducer with bpftrace and found that the
    undesirable folio_unlock was coming from the following callstack:
    
      folio_unlock+5
      __process_pages_contig+475
      cow_file_range_inline.constprop.0+230
      cow_file_range+803
      btrfs_run_delalloc_range+566
      writepage_delalloc+332
      __extent_writepage # inlined in my stacktrace, but I added it here
      extent_write_cache_pages+622
    
    Looking at the bisected-to patch in the syzbot report, Josef realized
    that the logic of the cow_file_range_inline error path subtly changing.
    In the past, on error, it jumped to out_unlock in cow_file_range(),
    which honors the locked_page, so when we ultimately call
    folio_end_all_writers(), the folio of interest is still locked. After
    the change, we always unlocked ignoring the locked_page, on both success
    and error. On the success path, this all results in returning 1 to
    __extent_writepage(), which skips the folio_end_all_writers() call,
    which makes it OK to have unlocked.
    
    Fix the bug by wiring the locked_page into cow_file_range_inline() and
    only setting locked_page to NULL on success.
    
    Reported-by: syzbot+a14d8ac9af3a2a4fd0c8@syzkaller.appspotmail.com
    Fixes: 0586d0a89e77 ("btrfs: move extent bit and page cleanup into cow_file_range_inline")
    CC: stable@vger.kernel.org # 6.10+
    Reviewed-by: Qu Wenruo <wqu@suse.com>
    Signed-off-by: Boris Burkov <boris@bur.io>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

btrfs: zoned: fix zone_unusable accounting on making block group read-write again [+ + +]
Author: Naohiro Aota <naohiro.aota@wdc.com>
Date:   Wed Feb 15 09:18:02 2023 +0900

    btrfs: zoned: fix zone_unusable accounting on making block group read-write again
    
    commit 8cd44dd1d17a23d5cc8c443c659ca57aa76e2fa5 upstream.
    
    When btrfs makes a block group read-only, it adds all free regions in the
    block group to space_info->bytes_readonly. That free space excludes
    reserved and pinned regions. OTOH, when btrfs makes the block group
    read-write again, it moves all the unused regions into the block group's
    zone_unusable. That unused region includes reserved and pinned regions.
    As a result, it counts too much zone_unusable bytes.
    
    Fortunately (or unfortunately), having erroneous zone_unusable does not
    affect the calculation of space_info->bytes_readonly, because free
    space (num_bytes in btrfs_dec_block_group_ro) calculation is done based on
    the erroneous zone_unusable and it reduces the num_bytes just to cancel the
    error.
    
    This behavior can be easily discovered by adding a WARN_ON to check e.g,
    "bg->pinned > 0" in btrfs_dec_block_group_ro(), and running fstests test
    case like btrfs/282.
    
    Fix it by properly considering pinned and reserved in
    btrfs_dec_block_group_ro(). Also, add a WARN_ON and introduce
    btrfs_space_info_update_bytes_zone_unusable() to catch a similar mistake.
    
    Fixes: 169e0da91a21 ("btrfs: zoned: track unusable bytes for zones")
    CC: stable@vger.kernel.org # 5.15+
    Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
    Reviewed-by: Josef Bacik <josef@toxicpanda.com>
    Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ceph: force sending a cap update msg back to MDS for revoke op [+ + +]
Author: Xiubo Li <xiubli@redhat.com>
Date:   Fri Jul 12 12:40:19 2024 +0800

    ceph: force sending a cap update msg back to MDS for revoke op
    
    commit 31634d7597d8c57894b6c98eeefc9e58cf842993 upstream.
    
    If a client sends out a cap update dropping caps with the prior 'seq'
    just before an incoming cap revoke request, then the client may drop
    the revoke because it believes it's already released the requested
    capabilities.
    
    This causes the MDS to wait indefinitely for the client to respond
    to the revoke. It's therefore always a good idea to ack the cap
    revoke request with the bumped up 'seq'.
    
    Currently if the cap->issued equals to the newcaps the check_caps()
    will do nothing, we should force flush the caps.
    
    Cc: stable@vger.kernel.org
    Link: https://tracker.ceph.com/issues/61782
    Signed-off-by: Xiubo Li <xiubli@redhat.com>
    Reviewed-by: Venky Shankar <vshankar@redhat.com>
    Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
drm/amdgpu: fix contiguous handling for IB parsing v2 [+ + +]
Author: Christian König <christian.koenig@amd.com>
Date:   Wed Jul 24 09:24:02 2024 +0200

    drm/amdgpu: fix contiguous handling for IB parsing v2
    
    commit f3572db3c049b4d32bb5ba77ad5305616c44c7c1 upstream.
    
    Otherwise we won't get correct access to the IB.
    
    v2: keep setting AMDGPU_GEM_CREATE_VRAM_CONTIGUOUS to avoid problems in
        the VRAM backend.
    
    Signed-off-by: Christian König <christian.koenig@amd.com>
    Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3501
    Fixes: e362b7c8f8c7 ("drm/amdgpu: Modify the contiguous flags behaviour")
    Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
    Cc: stable@vger.kernel.org
    Tested-by: Dave Airlie <airlied@redhat.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    (cherry picked from commit fbfb5f0342253d92c4e446588c428a9d90c3f610)
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
drm/ast: astdp: Wake up during connector status detection [+ + +]
Author: Thomas Zimmermann <tzimmermann@suse.de>
Date:   Wed Jul 17 16:24:16 2024 +0200

    drm/ast: astdp: Wake up during connector status detection
    
    commit 0ce91928ec62d189b5c51816e325f02587b53118 upstream.
    
    Power up the ASTDP connector for connection status detection if the
    connector is not active. Keep it powered if a display is attached.
    
    This fixes a bug where the connector does not come back after
    disconnecting the display. The encoder's atomic_disable turns off
    power on the physical connector. Further HPD reads will fail,
    thus preventing the driver from detecting re-connected displays.
    
    For connectors that are actively used, only test the HPD flag without
    touching power.
    
    Fixes: f81bb0ac7872 ("drm/ast: report connection status on Display Port.")
    Cc: Jocelyn Falempe <jfalempe@redhat.com>
    Cc: Thomas Zimmermann <tzimmermann@suse.de>
    Cc: Dave Airlie <airlied@redhat.com>
    Cc: dri-devel@lists.freedesktop.org
    Cc: <stable@vger.kernel.org> # v6.6+
    Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
    Reviewed-by: Jocelyn Falempe <jfalempe@redhat.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240717143319.104012-2-tzimmermann@suse.de
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drm/ast: Fix black screen after resume [+ + +]
Author: Jammy Huang <jammy_huang@aspeedtech.com>
Date:   Thu Jul 18 11:03:52 2024 +0800

    drm/ast: Fix black screen after resume
    
    commit 12c35c5582acb0fd8f7713ffa75f450766022ff1 upstream.
    
    Suspend will disable pcie device. Thus, resume should do full hw
    initialization again.
    Add some APIs to ast_drm_thaw() before ast_post_gpu() to fix the issue.
    
    v2:
    - fix function-call arguments
    
    Fixes: 5b71707dd13c ("drm/ast: Enable and unlock device access early during init")
    Reported-by: Cary Garrett <cogarre@gmail.com>
    Closes: https://lore.kernel.org/dri-devel/8ce1e1cc351153a890b65e62fed93b54ccd43f6a.camel@gmail.com/
    Cc: Thomas Zimmermann <tzimmermann@suse.de>
    Cc: Jocelyn Falempe <jfalempe@redhat.com>
    Cc: Dave Airlie <airlied@redhat.com>
    Cc: dri-devel@lists.freedesktop.org
    Cc: <stable@vger.kernel.org> # v6.6+
    Signed-off-by: Jammy Huang <jammy_huang@aspeedtech.com>
    Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
    Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240718030352.654155-1-jammy_huang@aspeedtech.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
drm/atomic: Allow userspace to use damage clips with async flips [+ + +]
Author: André Almeida <andrealmeid@igalia.com>
Date:   Tue Jul 2 18:22:15 2024 -0300

    drm/atomic: Allow userspace to use damage clips with async flips
    
    [ Upstream commit f85de245c6a8e2654e1e9158588bcf78e38cd5a5 ]
    
    Allow userspace to use damage clips with atomic async flips. Damage
    clips are useful for partial plane updates, which can be helpful for
    clients that want to do flips asynchronously.
    
    Fixes: 0e26cc72c71c ("drm: Refuse to async flip with atomic prop changes")
    Signed-off-by: André Almeida <andrealmeid@igalia.com>
    Reviewed-by: Simon Ser <contact@emersion.fr>
    Signed-off-by: Simon Ser <contact@emersion.fr>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240702212215.109696-2-andrealmeid@igalia.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/atomic: Allow userspace to use explicit sync with atomic async flips [+ + +]
Author: André Almeida <andrealmeid@igalia.com>
Date:   Tue Jul 2 18:22:14 2024 -0300

    drm/atomic: Allow userspace to use explicit sync with atomic async flips
    
    [ Upstream commit e0fa4132bfae725a60c50d53bac80ec31fc20d89 ]
    
    Allow userspace to use explicit synchronization with atomic async flips.
    That means that the flip will wait for some hardware fence, and then
    will flip as soon as possible (async) in regard of the vblank.
    
    Fixes: 0e26cc72c71c ("drm: Refuse to async flip with atomic prop changes")
    Signed-off-by: André Almeida <andrealmeid@igalia.com>
    Reviewed-by: Simon Ser <contact@emersion.fr>
    Signed-off-by: Simon Ser <contact@emersion.fr>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240702212215.109696-1-andrealmeid@igalia.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/client: Fix error code in drm_client_buffer_vmap_local() [+ + +]
Author: Dan Carpenter <dan.carpenter@linaro.org>
Date:   Wed Jul 24 11:09:54 2024 -0500

    drm/client: Fix error code in drm_client_buffer_vmap_local()
    
    [ Upstream commit b5fbf924f125ba3638cfdc21c0515eb7e76264ca ]
    
    This function accidentally returns zero/success on the failure path.
    It leads to locking issues and an uninitialized *map_copy in the
    caller.
    
    Fixes: b4b0193e83cb ("drm/fbdev-generic: Fix locking with drm_client_buffer_vmap_local()")
    Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
    Reviewed-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
    Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
    Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
    Link: https://patchwork.freedesktop.org/patch/msgid/89d13df3-747c-4c5d-b122-d081aef5110a@stanley.mountain
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/gpuvm: fix missing dependency to DRM_EXEC [+ + +]
Author: Danilo Krummrich <dakr@redhat.com>
Date:   Mon Jul 15 15:51:33 2024 +0200

    drm/gpuvm: fix missing dependency to DRM_EXEC
    
    [ Upstream commit eeb1f825b5dc68047a0556e5ae86d1467920db41 ]
    
    In commit 50c1a36f594b ("drm/gpuvm: track/lock/validate external/evicted
    objects") we started using drm_exec, but did not select DRM_EXEC in the
    Kconfig for DRM_GPUVM, fix this.
    
    Cc: Christian König <christian.koenig@amd.com>
    Cc: Boris Brezillon <boris.brezillon@collabora.com>
    Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
    Fixes: 50c1a36f594b ("drm/gpuvm: track/lock/validate external/evicted objects")
    Signed-off-by: Danilo Krummrich <dakr@redhat.com>
    Reviewed-by: Christian König <christian.koenig@amd.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240715135158.133287-1-dakr@redhat.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/i915/hdcp: Fix HDCP2_STREAM_STATUS macro [+ + +]
Author: Suraj Kandpal <suraj.kandpal@intel.com>
Date:   Tue Jul 30 09:25:05 2024 +0530

    drm/i915/hdcp: Fix HDCP2_STREAM_STATUS macro
    
    [ Upstream commit 555069117390a5d581863bc797fb546bb4417c31 ]
    
    Fix HDCP2_STREAM_STATUS macro, it called pipe instead of port never
    threw a compile error as no one used it.
    
    --v2
    -Add Fixes [Jani]
    
    Fixes: d631b984cc90 ("drm/i915/hdcp: Add HDCP 2.2 stream register")
    Signed-off-by: Suraj Kandpal <suraj.kandpal@intel.com>
    Reviewed-by: Jani Nikula <jani.nikula@intel.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240730035505.3759899-1-suraj.kandpal@intel.com
    (cherry picked from commit 73d7cd542bbd0a7c6881ea0df5255f190a1e7236)
    Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/i915: Fix possible int overflow in skl_ddi_calculate_wrpll() [+ + +]
Author: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Date:   Mon Jul 29 10:40:35 2024 -0700

    drm/i915: Fix possible int overflow in skl_ddi_calculate_wrpll()
    
    commit 5b511572660190db1dc8ba412efd0be0d3781ab6 upstream.
    
    On the off chance that clock value ends up being too high (by means
    of skl_ddi_calculate_wrpll() having been called with big enough
    value of crtc_state->port_clock * 1000), one possible consequence
    may be that the result will not be able to fit into signed int.
    
    Fix this issue by moving conversion of clock parameter from kHz to Hz
    into the body of skl_ddi_calculate_wrpll(), as well as casting the
    same parameter to u64 type while calculating the value for AFE clock.
    This both mitigates the overflow problem and avoids possible erroneous
    integer promotion mishaps.
    
    Found by Linux Verification Center (linuxtesting.org) with static
    analysis tool SVACE.
    
    Fixes: 82d354370189 ("drm/i915/skl: Implementation of SKL DPLL programming")
    Cc: stable@vger.kernel.org
    Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
    Reviewed-by: Jani Nikula <jani.nikula@intel.com>
    Signed-off-by: Jani Nikula <jani.nikula@intel.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240729174035.25727-1-n.zhandarovich@fintech.ru
    (cherry picked from commit 833cf12846aa19adf9b76bc79c40747726f3c0c1)
    Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
drm/nouveau: prime: fix refcount underflow [+ + +]
Author: Danilo Krummrich <dakr@kernel.org>
Date:   Thu Jul 18 18:58:46 2024 +0200

    drm/nouveau: prime: fix refcount underflow
    
    [ Upstream commit a9bf3efc33f1fbf88787a277f7349459283c9b95 ]
    
    Calling nouveau_bo_ref() on a nouveau_bo without initializing it (and
    hence the backing ttm_bo) leads to a refcount underflow.
    
    Instead of calling nouveau_bo_ref() in the unwind path of
    drm_gem_object_init(), clean things up manually.
    
    Fixes: ab9ccb96a6e6 ("drm/nouveau: use prime helpers")
    Reviewed-by: Ben Skeggs <bskeggs@nvidia.com>
    Reviewed-by: Christian König <christian.koenig@amd.com>
    Signed-off-by: Danilo Krummrich <dakr@kernel.org>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240718165959.3983-2-dakr@kernel.org
    (cherry picked from commit 1b93f3e89d03cfc576636e195466a0d728ad8de5)
    Signed-off-by: Danilo Krummrich <dakr@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
drm/v3d: Fix potential memory leak in the performance extension [+ + +]
Author: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
Date:   Thu Jul 11 14:53:32 2024 +0100

    drm/v3d: Fix potential memory leak in the performance extension
    
    commit 32df4abc44f24dbec239d43e2b26d5768c5d1a78 upstream.
    
    If fetching of userspace memory fails during the main loop, all drm sync
    objs looked up until that point will be leaked because of the missing
    drm_syncobj_put.
    
    Fix it by exporting and using a common cleanup helper.
    
    Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
    Fixes: bae7cb5d6800 ("drm/v3d: Create a CPU job extension for the reset performance query job")
    Cc: Maíra Canal <mcanal@igalia.com>
    Cc: Iago Toral Quiroga <itoral@igalia.com>
    Cc: stable@vger.kernel.org # v6.8+
    Signed-off-by: Maíra Canal <mcanal@igalia.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240711135340.84617-4-tursulin@igalia.com
    (cherry picked from commit 484de39fa5f5b7bd0c5f2e2c5265167250ef7501)
    Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drm/v3d: Fix potential memory leak in the timestamp extension [+ + +]
Author: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
Date:   Thu Jul 11 14:53:31 2024 +0100

    drm/v3d: Fix potential memory leak in the timestamp extension
    
    commit 0e50fcc20bd87584840266e8004f9064a8985b4f upstream.
    
    If fetching of userspace memory fails during the main loop, all drm sync
    objs looked up until that point will be leaked because of the missing
    drm_syncobj_put.
    
    Fix it by exporting and using a common cleanup helper.
    
    Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
    Fixes: 9ba0ff3e083f ("drm/v3d: Create a CPU job extension for the timestamp query job")
    Cc: Maíra Canal <mcanal@igalia.com>
    Cc: Iago Toral Quiroga <itoral@igalia.com>
    Cc: stable@vger.kernel.org # v6.8+
    Reviewed-by: Maíra Canal <mcanal@igalia.com>
    Signed-off-by: Maíra Canal <mcanal@igalia.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240711135340.84617-3-tursulin@igalia.com
    (cherry picked from commit 753ce4fea62182c77e1691ab4f9022008f25b62e)
    Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drm/v3d: Prevent out of bounds access in performance query extensions [+ + +]
Author: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
Date:   Thu Jul 11 14:53:30 2024 +0100

    drm/v3d: Prevent out of bounds access in performance query extensions
    
    commit 6ce9efd12ae81cf46bf44eb0348594558dfbb9d2 upstream.
    
    Check that the number of perfmons userspace is passing in the copy and
    reset extensions is not greater than the internal kernel storage where
    the ids will be copied into.
    
    Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
    Fixes: bae7cb5d6800 ("drm/v3d: Create a CPU job extension for the reset performance query job")
    Cc: Maíra Canal <mcanal@igalia.com>
    Cc: Iago Toral Quiroga <itoral@igalia.com>
    Cc: stable@vger.kernel.org # v6.8+
    Reviewed-by: Iago Toral Quiroga <itoral@igalia.com>
    Reviewed-by: Maíra Canal <mcanal@igalia.com>
    Signed-off-by: Maíra Canal <mcanal@igalia.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240711135340.84617-2-tursulin@igalia.com
    (cherry picked from commit f32b5128d2c440368b5bf3a7a356823e235caabb)
    Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drm/v3d: Validate passed in drm syncobj handles in the performance extension [+ + +]
Author: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
Date:   Thu Jul 11 14:53:34 2024 +0100

    drm/v3d: Validate passed in drm syncobj handles in the performance extension
    
    commit 4ecc24a84d7e0254efd150ec23e0b89638386516 upstream.
    
    If userspace provides an unknown or invalid handle anywhere in the handle
    array the rest of the driver will not handle that well.
    
    Fix it by checking handle was looked up successfully or otherwise fail the
    extension by jumping into the existing unwind.
    
    Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
    Fixes: bae7cb5d6800 ("drm/v3d: Create a CPU job extension for the reset performance query job")
    Cc: Maíra Canal <mcanal@igalia.com>
    Cc: Iago Toral Quiroga <itoral@igalia.com>
    Cc: stable@vger.kernel.org # v6.8+
    Reviewed-by: Maíra Canal <mcanal@igalia.com>
    Signed-off-by: Maíra Canal <mcanal@igalia.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240711135340.84617-6-tursulin@igalia.com
    (cherry picked from commit a546b7e4d73c23838d7e4d2c92882b3ca902d213)
    Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drm/v3d: Validate passed in drm syncobj handles in the timestamp extension [+ + +]
Author: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
Date:   Thu Jul 11 14:53:33 2024 +0100

    drm/v3d: Validate passed in drm syncobj handles in the timestamp extension
    
    commit 023d22e8bb0cdd6900382ad1ed06df3b6c2ea791 upstream.
    
    If userspace provides an unknown or invalid handle anywhere in the handle
    array the rest of the driver will not handle that well.
    
    Fix it by checking handle was looked up successfully or otherwise fail the
    extension by jumping into the existing unwind.
    
    Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
    Fixes: 9ba0ff3e083f ("drm/v3d: Create a CPU job extension for the timestamp query job")
    Cc: Maíra Canal <mcanal@igalia.com>
    Cc: Iago Toral Quiroga <itoral@igalia.com>
    Cc: stable@vger.kernel.org # v6.8+
    Reviewed-by: Maíra Canal <mcanal@igalia.com>
    Signed-off-by: Maíra Canal <mcanal@igalia.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240711135340.84617-5-tursulin@igalia.com
    (cherry picked from commit 8d1276d1b8f738c3afe1457d4dff5cc66fc848a3)
    Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
drm/virtio: Fix type of dma-fence context variable [+ + +]
Author: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Date:   Sun Jul 14 23:50:09 2024 +0300

    drm/virtio: Fix type of dma-fence context variable
    
    commit 445d336cd15860f1efb441e6d694f829fbf679eb upstream.
    
    Type of DMA fence context is u64. Fence-waiting code uses u32 for the
    context variable, fix it.
    
    Fixes: e4812ab8e6b1 ("drm/virtio: Refactor and optimize job submission code path")
    Cc: <stable@vger.kernel.org> # v6.4+
    Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
    Reviewed-by: Rob Clark <robdclark@gmail.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240714205009.3408298-1-dmitry.osipenko@collabora.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
drm/vmwgfx: Fix a deadlock in dma buf fence polling [+ + +]
Author: Zack Rusin <zack.rusin@broadcom.com>
Date:   Mon Jul 22 14:41:13 2024 -0400

    drm/vmwgfx: Fix a deadlock in dma buf fence polling
    
    commit e58337100721f3cc0c7424a18730e4f39844934f upstream.
    
    Introduce a version of the fence ops that on release doesn't remove
    the fence from the pending list, and thus doesn't require a lock to
    fix poll->fence wait->fence unref deadlocks.
    
    vmwgfx overwrites the wait callback to iterate over the list of all
    fences and update their status, to do that it holds a lock to prevent
    the list modifcations from other threads. The fence destroy callback
    both deletes the fence and removes it from the list of pending
    fences, for which it holds a lock.
    
    dma buf polling cb unrefs a fence after it's been signaled: so the poll
    calls the wait, which signals the fences, which are being destroyed.
    The destruction tries to acquire the lock on the pending fences list
    which it can never get because it's held by the wait from which it
    was called.
    
    Old bug, but not a lot of userspace apps were using dma-buf polling
    interfaces. Fix those, in particular this fixes KDE stalls/deadlock.
    
    Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
    Fixes: 2298e804e96e ("drm/vmwgfx: rework to new fence interface, v2")
    Cc: Broadcom internal kernel review list <bcm-kernel-feedback-list@broadcom.com>
    Cc: dri-devel@lists.freedesktop.org
    Cc: <stable@vger.kernel.org> # v6.2+
    Reviewed-by: Maaz Mombasawala <maaz.mombasawala@broadcom.com>
    Reviewed-by: Martin Krastev <martin.krastev@broadcom.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240722184313.181318-2-zack.rusin@broadcom.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drm/vmwgfx: Fix handling of dumb buffers [+ + +]
Author: Zack Rusin <zack.rusin@broadcom.com>
Date:   Mon Jul 22 14:41:15 2024 -0400

    drm/vmwgfx: Fix handling of dumb buffers
    
    commit d6667f0ddf46c671d379cd5fe66ce0a54d2a743a upstream.
    
    Dumb buffers can be used in kms but also through prime with gallium's
    resource_from_handle. In the second case the dumb buffers can be
    rendered by the GPU where with the regular DRM kms interfaces they
    are mapped and written to by the CPU. Because the same buffer can
    be written to by the GPU and CPU vmwgfx needs to use vmw_surface (object
    which properly tracks dirty state of the guest and gpu memory)
    instead of vmw_bo (which is just guest side memory).
    
    Furthermore the dumb buffer handles are expected to be gem objects by
    a lot of userspace.
    
    Make vmwgfx accept gem handles in prime and kms but internally switch
    to vmw_surface's to properly track the dirty state of the objects between
    the GPU and CPU.
    
    Fixes new kwin and kde on wayland.
    
    Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
    Fixes: b32233acceff ("drm/vmwgfx: Fix prime import/export")
    Cc: Broadcom internal kernel review list <bcm-kernel-feedback-list@broadcom.com>
    Cc: dri-devel@lists.freedesktop.org
    Cc: <stable@vger.kernel.org> # v6.9+
    Reviewed-by: Maaz Mombasawala <maaz.mombasawala@broadcom.com>
    Reviewed-by: Martin Krastev <martin.krastev@broadcom.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240722184313.181318-4-zack.rusin@broadcom.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drm/vmwgfx: Fix overlay when using Screen Targets [+ + +]
Author: Ian Forbes <ian.forbes@broadcom.com>
Date:   Fri Jul 19 11:36:27 2024 -0500

    drm/vmwgfx: Fix overlay when using Screen Targets
    
    [ Upstream commit cb372a505a994cb39aa75acfb8b3bcf94787cf94 ]
    
    This code was never updated to support Screen Targets.
    Fixes a bug where Xv playback displays a green screen instead of actual
    video contents when 3D acceleration is disabled in the guest.
    
    Fixes: c8261a961ece ("vmwgfx: Major KMS refactoring / cleanup in preparation of screen targets")
    Reported-by: Doug Brown <doug@schmorgal.com>
    Closes: https://lore.kernel.org/all/bd9cb3c7-90e8-435d-bc28-0e38fee58977@schmorgal.com
    Signed-off-by: Ian Forbes <ian.forbes@broadcom.com>
    Tested-by: Doug Brown <doug@schmorgal.com>
    Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240719163627.20888-1-ian.forbes@broadcom.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/vmwgfx: Make sure the screen surface is ref counted [+ + +]
Author: Zack Rusin <zack.rusin@broadcom.com>
Date:   Mon Jul 22 14:41:14 2024 -0400

    drm/vmwgfx: Make sure the screen surface is ref counted
    
    [ Upstream commit 09f34a00272d2311f6e5d64ed8ad824ef78f7487 ]
    
    Fix races issues in virtual crc generation by making sure the surface
    the code uses for crc computation is properly ref counted.
    
    Crc generation was trying to be too clever by allowing the surfaces
    to go in and out of scope, with the hope of always having some kind
    of screen present. That's not always the code, in particular during
    atomic disable, so to make sure the surface, when present, is not
    being actively destroyed at the same time, hold a reference to it.
    
    Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
    Fixes: 7b0062036c3b ("drm/vmwgfx: Implement virtual crc generation")
    Cc: Zack Rusin <zack.rusin@broadcom.com>
    Cc: Broadcom internal kernel review list <bcm-kernel-feedback-list@broadcom.com>
    Cc: dri-devel@lists.freedesktop.org
    Reviewed-by: Maaz Mombasawala <maaz.mombasawala@broadcom.com>
    Reviewed-by: Martin Krastev <martin.krastev@broadcom.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240722184313.181318-3-zack.rusin@broadcom.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

drm/vmwgfx: Trigger a modeset when the screen moves [+ + +]
Author: Ian Forbes <ian.forbes@broadcom.com>
Date:   Mon Jun 24 15:59:51 2024 -0500

    drm/vmwgfx: Trigger a modeset when the screen moves
    
    [ Upstream commit 75c3e8a26a35d4f3eee299b3cc7e465f166f4e2d ]
    
    When multi-monitor is cycled the X,Y position of the Screen Target will
    likely change but the resolution will not. We need to trigger a modeset
    when this occurs in order to recreate the Screen Target with the correct
    X,Y position.
    
    Fixes a bug where multiple displays are shown in a single scrollable
    host window rather than in 2+ windows on separate host displays.
    
    Fixes: 426826933109 ("drm/vmwgfx: Filter modes which exceed graphics memory")
    Signed-off-by: Ian Forbes <ian.forbes@broadcom.com>
    Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240624205951.23343-1-ian.forbes@broadcom.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ethtool: fix setting key and resetting indir at once [+ + +]
Author: Jakub Kicinski <kuba@kernel.org>
Date:   Thu Jul 25 15:23:51 2024 -0700

    ethtool: fix setting key and resetting indir at once
    
    [ Upstream commit 7195f0ef7f5b8c678cf28de7c9b619cb908b482c ]
    
    The indirection table and the key follow struct ethtool_rxfh
    in user memory.
    
    To reset the indirection table user space calls SET_RXFH with
    table of size 0 (OTOH to say "no change" it should use -1 / ~0).
    The logic for calculating the offset where they key sits is
    incorrect in this case, as kernel would still offset by the full
    table length, while for the reset there is no indir table and
    key is immediately after the struct.
    
      $ ethtool -X eth0 default hkey 01:02:03...
      $ ethtool -x eth0
      [...]
      RSS hash key:
    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
      [...]
    
    Fixes: 3de0b592394d ("ethtool: Support for configurable RSS hash key")
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ethtool: rss: echo the context number back [+ + +]
Author: Jakub Kicinski <kuba@kernel.org>
Date:   Wed Jul 24 16:42:49 2024 -0700

    ethtool: rss: echo the context number back
    
    [ Upstream commit f96aae91b0d260f682e630e092ef70a05a718a43 ]
    
    The response to a GET request in Netlink should fully identify
    the queried object. RSS_GET accepts context id as an input,
    so it must echo that attribute back to the response.
    
    After (assuming context 1 has been created):
    
      $ ./cli.py --spec netlink/specs/ethtool.yaml \
                 --do rss-get \
                 --json '{"header": {"dev-index": 2}, "context": 1}'
      {'context': 1,
       'header': {'dev-index': 2, 'dev-name': 'eth0'},
      [...]
    
    Fixes: 7112a04664bf ("ethtool: add netlink based get rss support")
    Acked-by: Paolo Abeni <pabeni@redhat.com>
    Reviewed-by: Joe Damato <jdamato@fastly.com>
    Link: https://patch.msgid.link/20240724234249.2621109-3-kuba@kernel.org
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ext4: check the extent status again before inserting delalloc block [+ + +]
Author: Zhang Yi <yi.zhang@huawei.com>
Date:   Fri May 17 20:39:57 2024 +0800

    ext4: check the extent status again before inserting delalloc block
    
    [ Upstream commit 0ea6560abb3bac1ffcfa4bf6b2c4d344fdc27b3c ]
    
    ext4_da_map_blocks looks up for any extent entry in the extent status
    tree (w/o i_data_sem) and then the looks up for any ondisk extent
    mapping (with i_data_sem in read mode).
    
    If it finds a hole in the extent status tree or if it couldn't find any
    entry at all, it then takes the i_data_sem in write mode to add a da
    entry into the extent status tree. This can actually race with page
    mkwrite & fallocate path.
    
    Note that this is ok between
    1. ext4 buffered-write path v/s ext4_page_mkwrite(), because of the
       folio lock
    2. ext4 buffered write path v/s ext4 fallocate because of the inode
       lock.
    
    But this can race between ext4_page_mkwrite() & ext4 fallocate path
    
    ext4_page_mkwrite()             ext4_fallocate()
     block_page_mkwrite()
      ext4_da_map_blocks()
       //find hole in extent status tree
                                     ext4_alloc_file_blocks()
                                      ext4_map_blocks()
                                       //allocate block and unwritten extent
       ext4_insert_delayed_block()
        ext4_da_reserve_space()
         //reserve one more block
        ext4_es_insert_delayed_block()
         //drop unwritten extent and add delayed extent by mistake
    
    Then, the delalloc extent is wrong until writeback and the extra
    reserved block can't be released any more and it triggers below warning:
    
     EXT4-fs (pmem2): Inode 13 (00000000bbbd4d23): i_reserved_data_blocks(1) not cleared!
    
    Fix the problem by looking up extent status tree again while the
    i_data_sem is held in write mode. If it still can't find any entry, then
    we insert a new da entry into the extent status tree.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Link: https://patch.msgid.link/20240517124005.347221-3-yi.zhang@huaweicloud.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ext4: factor out a common helper to query extent map [+ + +]
Author: Zhang Yi <yi.zhang@huawei.com>
Date:   Fri May 17 20:39:56 2024 +0800

    ext4: factor out a common helper to query extent map
    
    [ Upstream commit 8e4e5cdf2fdeb99445a468b6b6436ad79b9ecb30 ]
    
    Factor out a new common helper ext4_map_query_blocks() from the
    ext4_da_map_blocks(), it query and return the extent map status on the
    inode's extent path, no logic changes.
    
    Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
    Reviewed-by: Jan Kara <jack@suse.cz>
    Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
    Link: https://patch.msgid.link/20240517124005.347221-2-yi.zhang@huaweicloud.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>
    Stable-dep-of: 0ea6560abb3b ("ext4: check the extent status again before inserting delalloc block")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
f2fs: assign CURSEG_ALL_DATA_ATGC if blkaddr is valid [+ + +]
Author: Jaegeuk Kim <jaegeuk@kernel.org>
Date:   Tue Jun 18 02:15:38 2024 +0000

    f2fs: assign CURSEG_ALL_DATA_ATGC if blkaddr is valid
    
    [ Upstream commit 8cb1f4080dd91c6e6b01dbea013a3f42341cb6a1 ]
    
    mkdir /mnt/test/comp
    f2fs_io setflags compression /mnt/test/comp
    dd if=/dev/zero of=/mnt/test/comp/testfile bs=16k count=1
    truncate --size 13 /mnt/test/comp/testfile
    
    In the above scenario, we can get a BUG_ON.
     kernel BUG at fs/f2fs/segment.c:3589!
     Call Trace:
      do_write_page+0x78/0x390 [f2fs]
      f2fs_outplace_write_data+0x62/0xb0 [f2fs]
      f2fs_do_write_data_page+0x275/0x740 [f2fs]
      f2fs_write_single_data_page+0x1dc/0x8f0 [f2fs]
      f2fs_write_multi_pages+0x1e5/0xae0 [f2fs]
      f2fs_write_cache_pages+0xab1/0xc60 [f2fs]
      f2fs_write_data_pages+0x2d8/0x330 [f2fs]
      do_writepages+0xcf/0x270
      __writeback_single_inode+0x44/0x350
      writeback_sb_inodes+0x242/0x530
      __writeback_inodes_wb+0x54/0xf0
      wb_writeback+0x192/0x310
      wb_workfn+0x30d/0x400
    
    The reason is we gave CURSEG_ALL_DATA_ATGC to COMPR_ADDR where the
    page was set the gcing flag by set_cluster_dirty().
    
    Cc: stable@vger.kernel.org
    Fixes: 4961acdd65c9 ("f2fs: fix to tag gcing flag on page during block migration")
    Reviewed-by: Chao Yu <chao@kernel.org>
    Tested-by: Will McVicker <willmcvicker@google.com>
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

f2fs: fix to avoid use SSR allocate when do defragment [+ + +]
Author: Zhiguo Niu <zhiguo.niu@unisoc.com>
Date:   Wed May 29 17:47:00 2024 +0800

    f2fs: fix to avoid use SSR allocate when do defragment
    
    [ Upstream commit 21327a042dd94bc73181d7300e688699cb1f467e ]
    
    SSR allocate mode will be used when doing file defragment
    if ATGC is working at the same time, that is because
    set_page_private_gcing may make CURSEG_ALL_DATA_ATGC segment
    type got in f2fs_allocate_data_block when defragment page
    is writeback, which may cause file fragmentation is worse.
    
    A file with 2 fragmentations is changed as following after defragment:
    
    ----------------file info-------------------
    sensorsdata :
    --------------------------------------------
    dev       [254:48]
    ino       [0x    3029 : 12329]
    mode      [0x    81b0 : 33200]
    nlink     [0x       1 : 1]
    uid       [0x    27e6 : 10214]
    gid       [0x    27e6 : 10214]
    size      [0x  242000 : 2367488]
    blksize   [0x    1000 : 4096]
    blocks    [0x    1210 : 4624]
    --------------------------------------------
    
    file_pos   start_blk     end_blk        blks
           0    11361121    11361207          87
      356352    11361215    11361216           2
      364544    11361218    11361218           1
      368640    11361220    11361221           2
      376832    11361224    11361225           2
      385024    11361227    11361238          12
      434176    11361240    11361252          13
      487424    11361254    11361254           1
      491520    11361271    11361279           9
      528384     3681794     3681795           2
      536576     3681797     3681797           1
      540672     3681799     3681799           1
      544768     3681803     3681803           1
      548864     3681805     3681805           1
      552960     3681807     3681807           1
      557056     3681809     3681809           1
    
    Signed-off-by: Zhiguo Niu <zhiguo.niu@unisoc.com>
    Reviewed-by: Chao Yu <chao@kernel.org>
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    Stable-dep-of: 8cb1f4080dd9 ("f2fs: assign CURSEG_ALL_DATA_ATGC if blkaddr is valid")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
HID: amd_sfh: Move sensor discovery before HID device initialization [+ + +]
Author: Basavaraj Natikar <Basavaraj.Natikar@amd.com>
Date:   Thu Jul 18 16:46:16 2024 +0530

    HID: amd_sfh: Move sensor discovery before HID device initialization
    
    [ Upstream commit 8031b001da700474c11d28629581480b12a0d8d4 ]
    
    Sensors discovery is independent of HID device initialization. If sensor
    discovery fails after HID initialization, then the HID device needs to be
    deinitialized. Therefore, sensors discovery should be moved before HID
    device initialization.
    
    Fixes: 7bcfdab3f0c6 ("HID: amd_sfh: if no sensors are enabled, clean up")
    Tested-by: Aurinko <petrvelicka@tuta.io>
    Signed-off-by: Basavaraj Natikar <Basavaraj.Natikar@amd.com>
    Link: https://patch.msgid.link/20240718111616.3012155-1-Basavaraj.Natikar@amd.com
    Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

HID: wacom: Modify pen IDs [+ + +]
Author: Tatsunosuke Tobita <tatsunosuke.tobita@wacom.com>
Date:   Tue Jul 9 14:57:28 2024 +0900

    HID: wacom: Modify pen IDs
    
    commit f0d17d696dfce77c9abc830e4ac2d677890a2dad upstream.
    
    The pen ID, 0x80842, was not the correct ID for wacom driver to
    treat. The ID was corrected to 0x8842.
    Also, 0x4200 was not the expected ID used on any Wacom device.
    Therefore, 0x4200 was removed.
    
    Signed-off-by: Tatsunosuke Tobita <tatsunosuke.tobita@wacom.com>
    Signed-off-by: Tatsunosuke Tobita <tatsunosuke.wacom@gmail.com>
    Fixes: bfdc750c4cb2 ("HID: wacom: add three styli to wacom_intuos_get_tool_type")
    Cc: stable@kernel.org #6.2
    Reviewed-by: Ping Cheng <ping.cheng@wacom.com>
    Link: https://patch.msgid.link/20240709055729.17158-1-tatsunosuke.wacom@gmail.com
    Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
i915/perf: Remove code to update PWR_CLK_STATE for gen12 [+ + +]
Author: Umesh Nerlige Ramappa <umesh.nerlige.ramappa@intel.com>
Date:   Fri Jun 28 17:56:43 2024 -0700

    i915/perf: Remove code to update PWR_CLK_STATE for gen12
    
    [ Upstream commit 4bc14b9cfaa2149d41baef2f2620e9f82d9847d7 ]
    
    PWR_CLK_STATE only needs to be modified up until gen11. For gen12 this
    code is not applicable. Remove code to update context image with
    PWR_CLK_STATE for gen12.
    
    Fixes: 00a7f0d7155c ("drm/i915/tgl: Add perf support on TGL")
    Signed-off-by: Umesh Nerlige Ramappa <umesh.nerlige.ramappa@intel.com>
    Reviewed-by: Ashutosh Dixit <ashutosh.dixit@intel.com>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240629005643.3050678-1-umesh.nerlige.ramappa@intel.com
    (cherry picked from commit 7b5bdae7740eb6a3d09f9cd4e4b07362a15b86b3)
    Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
ice: add missing WRITE_ONCE when clearing ice_rx_ring::xdp_prog [+ + +]
Author: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Date:   Fri Jul 26 20:17:15 2024 +0200

    ice: add missing WRITE_ONCE when clearing ice_rx_ring::xdp_prog
    
    [ Upstream commit 6044ca26210ba72b3dcc649fae1cbedd9e6ab018 ]
    
    It is read by data path and modified from process context on remote cpu
    so it is needed to use WRITE_ONCE to clear the pointer.
    
    Fixes: efc2214b6047 ("ice: Add support for XDP")
    Reviewed-by: Shannon Nelson <shannon.nelson@amd.com>
    Tested-by: Chandan Kumar Rout <chandanx.rout@intel.com> (A Contingent Worker at Intel)
    Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ice: don't busy wait for Rx queue disable in ice_qp_dis() [+ + +]
Author: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Date:   Fri Jul 26 20:17:10 2024 +0200

    ice: don't busy wait for Rx queue disable in ice_qp_dis()
    
    [ Upstream commit 1ff72a2f67791cd4ddad19ed830445f57b30e992 ]
    
    When ice driver is spammed with multiple xdpsock instances and flow
    control is enabled, there are cases when Rx queue gets stuck and unable
    to reflect the disable state in QRX_CTRL register. Similar issue has
    previously been addressed in commit 13a6233b033f ("ice: Add support to
    enable/disable all Rx queues before waiting").
    
    To workaround this, let us simply not wait for a disabled state as later
    patch will make sure that regardless of the encountered error in the
    process of disabling a queue pair, the Rx queue will be enabled.
    
    Fixes: 2d4238f55697 ("ice: Add support for AF_XDP")
    Reviewed-by: Shannon Nelson <shannon.nelson@amd.com>
    Tested-by: Chandan Kumar Rout <chandanx.rout@intel.com> (A Contingent Worker at Intel)
    Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ice: improve updating ice_{t,r}x_ring::xsk_pool [+ + +]
Author: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Date:   Fri Jul 26 20:17:14 2024 +0200

    ice: improve updating ice_{t,r}x_ring::xsk_pool
    
    [ Upstream commit ebc33a3f8d0aeddf19fd5827add24b82ae171829 ]
    
    xsk_buff_pool pointers that ice ring structs hold are updated via
    ndo_bpf that is executed in process context while it can be read by
    remote CPU at the same time within NAPI poll. Use synchronize_net()
    after pointer update and {READ,WRITE}_ONCE() when working with mentioned
    pointer.
    
    Fixes: 2d4238f55697 ("ice: Add support for AF_XDP")
    Reviewed-by: Shannon Nelson <shannon.nelson@amd.com>
    Tested-by: Chandan Kumar Rout <chandanx.rout@intel.com> (A Contingent Worker at Intel)
    Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ice: modify error handling when setting XSK pool in ndo_bpf [+ + +]
Author: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Date:   Fri Jul 26 20:17:12 2024 +0200

    ice: modify error handling when setting XSK pool in ndo_bpf
    
    [ Upstream commit d5922717994911e8f0eab736f3ba0d968c158823 ]
    
    Don't bail out right when spotting an error within ice_qp_{dis,ena}()
    but rather track error and go through whole flow of disabling and
    enabling queue pair.
    
    Fixes: 2d4238f55697 ("ice: Add support for AF_XDP")
    Reviewed-by: Shannon Nelson <shannon.nelson@amd.com>
    Tested-by: Chandan Kumar Rout <chandanx.rout@intel.com> (A Contingent Worker at Intel)
    Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ice: replace synchronize_rcu with synchronize_net [+ + +]
Author: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Date:   Fri Jul 26 20:17:11 2024 +0200

    ice: replace synchronize_rcu with synchronize_net
    
    [ Upstream commit 405d9999aa0b4ae467ef391d1d9c7e0d30ad0841 ]
    
    Given that ice_qp_dis() is called under rtnl_lock, synchronize_net() can
    be called instead of synchronize_rcu() so that XDP rings can finish its
    job in a faster way. Also let us do this as earlier in XSK queue disable
    flow.
    
    Additionally, turn off regular Tx queue before disabling irqs and NAPI.
    
    Fixes: 2d4238f55697 ("ice: Add support for AF_XDP")
    Reviewed-by: Shannon Nelson <shannon.nelson@amd.com>
    Tested-by: Chandan Kumar Rout <chandanx.rout@intel.com> (A Contingent Worker at Intel)
    Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ice: respect netif readiness in AF_XDP ZC related ndo's [+ + +]
Author: Michal Kubiak <michal.kubiak@intel.com>
Date:   Fri Jul 26 20:17:09 2024 +0200

    ice: respect netif readiness in AF_XDP ZC related ndo's
    
    [ Upstream commit ec145a18687fec8dd97eeb4f30057fa4debef577 ]
    
    Address a scenario in which XSK ZC Tx produces descriptors to XDP Tx
    ring when link is either not yet fully initialized or process of
    stopping the netdev has already started. To avoid this, add checks
    against carrier readiness in ice_xsk_wakeup() and in ice_xmit_zc().
    One could argue that bailing out early in ice_xsk_wakeup() would be
    sufficient but given the fact that we produce Tx descriptors on behalf
    of NAPI that is triggered for Rx traffic, the latter is also needed.
    
    Bringing link up is an asynchronous event executed within
    ice_service_task so even though interface has been brought up there is
    still a time frame where link is not yet ok.
    
    Without this patch, when AF_XDP ZC Tx is used simultaneously with stack
    Tx, Tx timeouts occur after going through link flap (admin brings
    interface down then up again). HW seem to be unable to transmit
    descriptor to the wire after HW tail register bump which in turn causes
    bit __QUEUE_STATE_STACK_XOFF to be set forever as
    netdev_tx_completed_queue() sees no cleaned bytes on the input.
    
    Fixes: 126cdfe1007a ("ice: xsk: Improve AF_XDP ZC Tx and use batching API")
    Fixes: 2d4238f55697 ("ice: Add support for AF_XDP")
    Reviewed-by: Shannon Nelson <shannon.nelson@amd.com>
    Tested-by: Chandan Kumar Rout <chandanx.rout@intel.com> (A Contingent Worker at Intel)
    Signed-off-by: Michal Kubiak <michal.kubiak@intel.com>
    Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ice: toggle netif_carrier when setting up XSK pool [+ + +]
Author: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Date:   Fri Jul 26 20:17:13 2024 +0200

    ice: toggle netif_carrier when setting up XSK pool
    
    [ Upstream commit 9da75a511c5558fa3da56759984fd1fa859186f0 ]
    
    This so we prevent Tx timeout issues. One of conditions checked on
    running in the background dev_watchdog() is netif_carrier_ok(), so let
    us turn it off when we disable the queues that belong to a q_vector
    where XSK pool is being configured. Turn carrier on in ice_qp_ena()
    only when ice_get_link_status() tells us that physical link is up.
    
    Fixes: 2d4238f55697 ("ice: Add support for AF_XDP")
    Reviewed-by: Shannon Nelson <shannon.nelson@amd.com>
    Tested-by: Chandan Kumar Rout <chandanx.rout@intel.com> (A Contingent Worker at Intel)
    Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

ice: xsk: fix txq interrupt mapping [+ + +]
Author: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Date:   Fri Jul 26 20:17:16 2024 +0200

    ice: xsk: fix txq interrupt mapping
    
    [ Upstream commit 963fb4612295a5c35b1b89c8bff3bdd4f9127af6 ]
    
    ice_cfg_txq_interrupt() internally handles XDP Tx ring. Do not use
    ice_for_each_tx_ring() in ice_qvec_cfg_msix() as this causing us to
    treat XDP ring that belongs to queue vector as Tx ring and therefore
    misconfiguring the interrupts.
    
    Fixes: 2d4238f55697 ("ice: Add support for AF_XDP")
    Reviewed-by: Shannon Nelson <shannon.nelson@amd.com>
    Tested-by: Chandan Kumar Rout <chandanx.rout@intel.com> (A Contingent Worker at Intel)
    Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
igc: Fix double reset adapter triggered from a single taprio cmd [+ + +]
Author: Faizal Rahim <faizal.abdul.rahim@linux.intel.com>
Date:   Tue Jul 30 10:33:02 2024 -0700

    igc: Fix double reset adapter triggered from a single taprio cmd
    
    [ Upstream commit b9e7fc0aeda79031a101610b2fcb12bf031056e9 ]
    
    Following the implementation of "igc: Add TransmissionOverrun counter"
    patch, when a taprio command is triggered by user, igc processes two
    commands: TAPRIO_CMD_REPLACE followed by TAPRIO_CMD_STATS. However, both
    commands unconditionally pass through igc_tsn_offload_apply() which
    evaluates and triggers reset adapter. The double reset causes issues in
    the calculation of adapter->qbv_count in igc.
    
    TAPRIO_CMD_REPLACE command is expected to reset the adapter since it
    activates qbv. It's unexpected for TAPRIO_CMD_STATS to do the same
    because it doesn't configure any driver-specific TSN settings. So, the
    evaluation in igc_tsn_offload_apply() isn't needed for TAPRIO_CMD_STATS.
    
    To address this, commands parsing are relocated to
    igc_tsn_enable_qbv_scheduling(). Commands that don't require an adapter
    reset will exit after processing, thus avoiding igc_tsn_offload_apply().
    
    Fixes: d3750076d464 ("igc: Add TransmissionOverrun counter")
    Signed-off-by: Faizal Rahim <faizal.abdul.rahim@linux.intel.com>
    Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
    Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
    Tested-by: Mor Bar-Gabay <morx.bar.gabay@intel.com>
    Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
    Link: https://patch.msgid.link/20240730173304.865479-1-anthony.l.nguyen@intel.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
io_uring: keep multishot request NAPI timeout current [+ + +]
Author: Olivier Langlois <olivier@trillion01.com>
Date:   Mon Jul 29 19:03:33 2024 -0400

    io_uring: keep multishot request NAPI timeout current
    
    commit 2c762be5b798c443612c1bb9b011de4fdaebd1c5 upstream.
    
    This refresh statement was originally present in the original patch:
    https://lore.kernel.org/netdev/20221121191437.996297-2-shr@devkernel.io/
    
    It has been removed with no explanation in v6:
    https://lore.kernel.org/netdev/20230201222254.744422-2-shr@devkernel.io/
    
    It is important to make the refresh for multishot requests, because if no
    new requests using the same NAPI device are added to the ring, the entry
    will become stale and be removed silently. The unsuspecting user will
    not know that their ring had busy polling for only 60 seconds before
    being pruned.
    
    Signed-off-by: Olivier Langlois <olivier@trillion01.com>
    Reviewed-by: Pavel Begunkov <asml.silence@gmail.com>
    Fixes: 8d0c12a80cdeb ("io-uring: add napi busy poll support")
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/0fe61a019ec61e5708cd117cb42ed0dab95e1617.1722294646.git.olivier@trillion01.com
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
ipv6: fix ndisc_is_useropt() handling for PIO [+ + +]
Author: Maciej Żenczykowski <maze@google.com>
Date:   Mon Jul 29 17:17:48 2024 -0700

    ipv6: fix ndisc_is_useropt() handling for PIO
    
    [ Upstream commit a46c68debf3be3a477a69ccbf0a1d050df841676 ]
    
    The current logic only works if the PIO is between two
    other ND user options.  This fixes it so that the PIO
    can also be either before or after other ND user options
    (for example the first or last option in the RA).
    
    side note: there's actually Android tests verifying
    a portion of the old broken behaviour, so:
      https://android-review.googlesource.com/c/kernel/tests/+/3196704
    fixes those up.
    
    Cc: Jen Linkova <furry@google.com>
    Cc: Lorenzo Colitti <lorenzo@google.com>
    Cc: Patrick Rohr <prohr@google.com>
    Cc: David Ahern <dsahern@kernel.org>
    Cc: YOSHIFUJI Hideaki / 吉藤英明 <yoshfuji@linux-ipv6.org>
    Cc: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Maciej Żenczykowski <maze@google.com>
    Fixes: 048c796beb6e ("ipv6: adjust ndisc_is_useropt() to also return true for PIO")
    Link: https://patch.msgid.link/20240730001748.147636-1-maze@google.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
Linux: Linux 6.10.4 [+ + +]
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Sun Aug 11 12:58:04 2024 +0200

    Linux 6.10.4
    
    Link: https://lore.kernel.org/r/20240807150020.790615758@linuxfoundation.org
    Tested-by: Ronald Warsow <rwarsow@gmx.de>
    Tested-by: Pavel Machek (CIP) <pavel@denx.de>
    Tested-by: Justin M. Forbes <jforbes@fedoraproject.org>
    Tested-by: Shuah Khan <skhan@linuxfoundation.org>
    Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
    Tested-by: Salvatore Bonaccorso <carnil@debian.org>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Tested-by: Kevin Holm <kevin@holm.dev>
    Tested-by: Christian Heusel <christian@heusel.eu>
    Tested-by: Miguel Ojeda <ojeda@kernel.org>
    Tested-by: Ron Economos <re@w6rz.net>
    Tested-by: Markus Reichelt <lkt+2023@mareichelt.com>
    Tested-by: Allen Pais <apais@linux.microsoft.com>
    Tested-by: Peter Schneider <pschneider1968@googlemail.com>
    Tested-by: Jon Hunter <jonathanh@nvidia.com>
    Tested-by: kernelci.org bot <bot@kernelci.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
MIPS: dts: loongson: Fix liointc IRQ polarity [+ + +]
Author: Jiaxun Yang <jiaxun.yang@flygoat.com>
Date:   Fri Jun 14 16:40:10 2024 +0100

    MIPS: dts: loongson: Fix liointc IRQ polarity
    
    [ Upstream commit dbb69b9d6234aad23b3ecd33e5bc8a8ae1485b7d ]
    
    All internal liointc interrupts are high level triggered.
    
    Fixes: b1a792601f26 ("MIPS: Loongson64: DeviceTree for Loongson-2K1000")
    Cc: stable@vger.kernel.org
    Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
    Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

MIPS: dts: loongson: Fix ls2k1000-rtc interrupt [+ + +]
Author: Jiaxun Yang <jiaxun.yang@flygoat.com>
Date:   Fri Jun 14 16:40:11 2024 +0100

    MIPS: dts: loongson: Fix ls2k1000-rtc interrupt
    
    [ Upstream commit f70fd92df7529e7283e02a6c3a2510075f13ba30 ]
    
    The correct interrupt line for RTC is line 8 on liointc1.
    
    Fixes: e47084e116fc ("MIPS: Loongson64: DTS: Add RTC support to Loongson-2K1000")
    Cc: stable@vger.kernel.org
    Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
    Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

MIPS: Loongson64: DTS: Fix PCIe port nodes for ls7a [+ + +]
Author: Jiaxun Yang <jiaxun.yang@flygoat.com>
Date:   Tue May 7 19:51:22 2024 +0100

    MIPS: Loongson64: DTS: Fix PCIe port nodes for ls7a
    
    [ Upstream commit d89a415ff8d5e0aad4963f2d8ebb0f9e8110b7fa ]
    
    Add various required properties to silent warnings:
    
    arch/mips/boot/dts/loongson/loongson64-2k1000.dtsi:116.16-297.5: Warning (interrupt_provider): /bus@10000000/pci@1a000000: '#interrupt-cells' found, but node is not an interrupt provider
    arch/mips/boot/dts/loongson/loongson64_2core_2k1000.dtb: Warning (interrupt_map): Failed prerequisite 'interrupt_provider'
    
    Signed-off-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
    Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
    Stable-dep-of: dbb69b9d6234 ("MIPS: dts: loongson: Fix liointc IRQ polarity")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
mm/huge_memory: mark racy access onhuge_anon_orders_always [+ + +]
Author: Ran Xiaokai <ran.xiaokai@zte.com.cn>
Date:   Wed May 15 10:47:54 2024 +0800

    mm/huge_memory: mark racy access onhuge_anon_orders_always
    
    [ Upstream commit 7f83bf14603ef41a44dc907594d749a283e22c37 ]
    
    huge_anon_orders_always is accessed lockless, it is better to use the
    READ_ONCE() wrapper.  This is not fixing any visible bug, hopefully this
    can cease some KCSAN complains in the future.  Also do that for
    huge_anon_orders_madvise.
    
    Link: https://lkml.kernel.org/r/20240515104754889HqrahFPePOIE1UlANHVAh@zte.com.cn
    Signed-off-by: Ran Xiaokai <ran.xiaokai@zte.com.cn>
    Acked-by: David Hildenbrand <david@redhat.com>
    Reviewed-by: Lu Zhongjun <lu.zhongjun@zte.com.cn>
    Reviewed-by: xu xin <xu.xin16@zte.com.cn>
    Cc: Yang Yang <yang.yang29@zte.com.cn>
    Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
    Cc: Yang Shi <shy828301@gmail.com>
    Cc: Zi Yan <ziy@nvidia.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Stable-dep-of: 00f58104202c ("mm: fix khugepaged activation policy")
    Signed-off-by: Sasha Levin <sashal@kernel.org>
 
mm/migrate: make migrate_misplaced_folio() return 0 on success [+ + +]
Author: David Hildenbrand <david@redhat.com>
Date:   Thu Jun 20 23:29:34 2024 +0200

    mm/migrate: make migrate_misplaced_folio() return 0 on success
    
    [ Upstream commit 4b88c23ab8c9bc3857f7c8847e2c6bed95185530 ]
    
    Patch series "mm/migrate: move NUMA hinting fault folio isolation + checks
    under PTL".
    
    Let's just return 0 on success, which is less confusing.
    
    ...  especially because we got it wrong in the migrate.h stub where we
    have "return -EAGAIN; /* can't migrate now */" instead of "return 0;".
    Likely this wrong return value doesn't currently matter, but it certainly
    adds confusion.
    
    We'll add migrate_misplaced_folio_prepare() next, where we want to use the
    same "return 0 on success" approach, so let's just clean this up.
    
    Link: https://lkml.kernel.org/r/20240620212935.656243-1-david@redhat.com
    Link: https://lkml.kernel.org/r/20240620212935.656243-2-david@redhat.com
    Signed-off-by: David Hildenbrand <david@redhat.com>
    Reviewed-by: Zi Yan <ziy@nvidia.com>
    Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
    Cc: Donet Tom <donettom@linux.ibm.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Stable-dep-of: 6e49019db5f7 ("mm/migrate: putback split folios when numa hint migration fails")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

mm/migrate: move NUMA hinting fault folio isolation + checks under PTL [+ + +]
Author: David Hildenbrand <david@redhat.com>
Date:   Thu Jun 20 23:29:35 2024 +0200

    mm/migrate: move NUMA hinting fault folio isolation + checks under PTL
    
    [ Upstream commit ee86814b0562f18255b55c5e6a01a022895994cf ]
    
    Currently we always take a folio reference even if migration will not even
    be tried or isolation failed, requiring us to grab+drop an additional
    reference.
    
    Further, we end up calling folio_likely_mapped_shared() while the folio
    might have already been unmapped, because after we dropped the PTL, that
    can easily happen.  We want to stop touching mapcounts and friends from
    such context, and only call folio_likely_mapped_shared() while the folio
    is still mapped: mapcount information is pretty much stale and unreliable
    otherwise.
    
    So let's move checks into numamigrate_isolate_folio(), rename that
    function to migrate_misplaced_folio_prepare(), and call that function from
    callsites where we call migrate_misplaced_folio(), but still with the PTL
    held.
    
    We can now stop taking temporary folio references, and really only take a
    reference if folio isolation succeeded.  Doing the
    folio_likely_mapped_shared() + folio isolation under PT lock is now
    similar to how we handle MADV_PAGEOUT.
    
    While at it, combine the folio_is_file_lru() checks.
    
    [david@redhat.com: fix list_del() corruption]
      Link: https://lkml.kernel.org/r/8f85c31a-e603-4578-bf49-136dae0d4b69@redhat.com
      Link: https://lkml.kernel.org/r/20240626191129.658CFC32782@smtp.kernel.org
    Link: https://lkml.kernel.org/r/20240620212935.656243-3-david@redhat.com
    Signed-off-by: David Hildenbrand <david@redhat.com>
    Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
    Reviewed-by: Zi Yan <ziy@nvidia.com>
    Tested-by: Donet Tom <donettom@linux.ibm.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Stable-dep-of: 6e49019db5f7 ("mm/migrate: putback split folios when numa hint migration fails")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

mm/migrate: putback split folios when numa hint migration fails [+ + +]
Author: Peter Xu <peterx@redhat.com>
Date:   Mon Jul 8 17:55:37 2024 -0400

    mm/migrate: putback split folios when numa hint migration fails
    
    [ Upstream commit 6e49019db5f7a09a9c0e8ac4d108e656c3f8e583 ]
    
    This issue is not from any report yet, but by code observation only.
    
    This is yet another fix besides Hugh's patch [1] but on relevant code
    path, where eager split of folio can happen if the folio is already on
    deferred list during a folio migration.
    
    Here the issue is NUMA path (migrate_misplaced_folio()) may start to
    encounter such folio split now even with MR_NUMA_MISPLACED hint applied.
    Then when migrate_pages() didn't migrate all the folios, it's possible the
    split small folios be put onto the list instead of the original folio.
    Then putting back only the head page won't be enough.
    
    Fix it by putting back all the folios on the list.
    
    [1] https://lore.kernel.org/all/46c948b4-4dd8-6e03-4c7b-ce4e81cfa536@google.com/
    
    [akpm@linux-foundation.org: remove now unused local `nr_pages']
    Link: https://lkml.kernel.org/r/20240708215537.2630610-1-peterx@redhat.com
    Fixes: 7262f208ca68 ("mm/migrate: split source folio if it is on deferred split list")
    Signed-off-by: Peter Xu <peterx@redhat.com>
    Reviewed-by: Zi Yan <ziy@nvidia.com>
    Reviewed-by: Baolin Wang <baolin.wang@linux.alibaba.com>
    Cc: Yang Shi <shy828301@gmail.com>
    Cc: Hugh Dickins <hughd@google.com>
    Cc: Huang Ying <ying.huang@intel.com>
    Cc: David Hildenbrand <david@redhat.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
mm: fix khugepaged activation policy [+ + +]
Author: Ryan Roberts <ryan.roberts@arm.com>
Date:   Thu Jul 4 10:10:50 2024 +0100

    mm: fix khugepaged activation policy
    
    [ Upstream commit 00f58104202c472e487f0866fbd38832523fd4f9 ]
    
    Since the introduction of mTHP, the docuementation has stated that
    khugepaged would be enabled when any mTHP size is enabled, and disabled
    when all mTHP sizes are disabled.  There are 2 problems with this; 1.
    this is not what was implemented by the code and 2.  this is not the
    desirable behavior.
    
    Desirable behavior is for khugepaged to be enabled when any PMD-sized THP
    is enabled, anon or file.  (Note that file THP is still controlled by the
    top-level control so we must always consider that, as well as the PMD-size
    mTHP control for anon).  khugepaged only supports collapsing to PMD-sized
    THP so there is no value in enabling it when PMD-sized THP is disabled.
    So let's change the code and documentation to reflect this policy.
    
    Further, per-size enabled control modification events were not previously
    forwarded to khugepaged to give it an opportunity to start or stop.
    Consequently the following was resulting in khugepaged eroneously not
    being activated:
    
      echo never > /sys/kernel/mm/transparent_hugepage/enabled
      echo always > /sys/kernel/mm/transparent_hugepage/hugepages-2048kB/enabled
    
    [ryan.roberts@arm.com: v3]
      Link: https://lkml.kernel.org/r/20240705102849.2479686-1-ryan.roberts@arm.com
    Link: https://lkml.kernel.org/r/20240705102849.2479686-1-ryan.roberts@arm.com
    Link: https://lkml.kernel.org/r/20240704091051.2411934-1-ryan.roberts@arm.com
    Signed-off-by: Ryan Roberts <ryan.roberts@arm.com>
    Fixes: 3485b88390b0 ("mm: thp: introduce multi-size THP sysfs interface")
    Closes: https://lore.kernel.org/linux-mm/7a0bbe69-1e3d-4263-b206-da007791a5c4@redhat.com/
    Acked-by: David Hildenbrand <david@redhat.com>
    Cc: Baolin Wang <baolin.wang@linux.alibaba.com>
    Cc: Barry Song <baohua@kernel.org>
    Cc: Jonathan Corbet <corbet@lwn.net>
    Cc: Lance Yang <ioworker0@gmail.com>
    Cc: Yang Shi <shy828301@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
mptcp: distinguish rcv vs sent backup flag in requests [+ + +]
Author: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Date:   Sat Jul 27 12:01:24 2024 +0200

    mptcp: distinguish rcv vs sent backup flag in requests
    
    commit efd340bf3d7779a3a8ec954d8ec0fb8a10f24982 upstream.
    
    When sending an MP_JOIN + SYN + ACK, it is possible to mark the subflow
    as 'backup' by setting the flag with the same name. Before this patch,
    the backup was set if the other peer set it in its MP_JOIN + SYN
    request.
    
    It is not correct: the backup flag should be set in the MPJ+SYN+ACK only
    if the host asks for it, and not mirroring what was done by the other
    peer. It is then required to have a dedicated bit for each direction,
    similar to what is done in the subflow context.
    
    Fixes: f296234c98a8 ("mptcp: Add handling of incoming MP_JOIN requests")
    Cc: stable@vger.kernel.org
    Reviewed-by: Mat Martineau <martineau@kernel.org>
    Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

mptcp: fix bad RCVPRUNED mib accounting [+ + +]
Author: Paolo Abeni <pabeni@redhat.com>
Date:   Wed Jul 31 12:10:14 2024 +0200

    mptcp: fix bad RCVPRUNED mib accounting
    
    commit 0a567c2a10033bf04ed618368d179bce6977984b upstream.
    
    Since its introduction, the mentioned MIB accounted for the wrong
    event: wake-up being skipped as not-needed on some edge condition
    instead of incoming skb being dropped after landing in the (subflow)
    receive queue.
    
    Move the increment in the correct location.
    
    Fixes: ce599c516386 ("mptcp: properly account bulk freed memory")
    Cc: stable@vger.kernel.org
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Reviewed-by: Mat Martineau <martineau@kernel.org>
    Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

mptcp: fix duplicate data handling [+ + +]
Author: Paolo Abeni <pabeni@redhat.com>
Date:   Wed Jul 31 12:10:15 2024 +0200

    mptcp: fix duplicate data handling
    
    commit 68cc924729ffcfe90d0383177192030a9aeb2ee4 upstream.
    
    When a subflow receives and discards duplicate data, the mptcp
    stack assumes that the consumed offset inside the current skb is
    zero.
    
    With multiple subflows receiving data simultaneously such assertion
    does not held true. As a result the subflow-level copied_seq will
    be incorrectly increased and later on the same subflow will observe
    a bad mapping, leading to subflow reset.
    
    Address the issue taking into account the skb consumed offset in
    mptcp_subflow_discard_data().
    
    Fixes: 04e4cd4f7ca4 ("mptcp: cleanup mptcp_subflow_discard_data()")
    Cc: stable@vger.kernel.org
    Link: https://github.com/multipath-tcp/mptcp_net-next/issues/501
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Reviewed-by: Mat Martineau <martineau@kernel.org>
    Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

mptcp: fix NL PM announced address accounting [+ + +]
Author: Paolo Abeni <pabeni@redhat.com>
Date:   Sat Jul 27 11:04:00 2024 +0200

    mptcp: fix NL PM announced address accounting
    
    commit 4b317e0eb287bd30a1b329513531157c25e8b692 upstream.
    
    Currently the per connection announced address counter is never
    decreased. As a consequence, after connection establishment, if
    the NL PM deletes an endpoint and adds a new/different one, no
    additional subflow is created for the new endpoint even if the
    current limits allow that.
    
    Address the issue properly updating the signaled address counter
    every time the NL PM removes such addresses.
    
    Fixes: 01cacb00b35c ("mptcp: add netlink-based PM")
    Cc: stable@vger.kernel.org
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
    Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

mptcp: fix user-space PM announced address accounting [+ + +]
Author: Paolo Abeni <pabeni@redhat.com>
Date:   Sat Jul 27 11:03:59 2024 +0200

    mptcp: fix user-space PM announced address accounting
    
    commit 167b93258d1e2230ee3e8a97669b4db4cc9e90aa upstream.
    
    Currently the per-connection announced address counter is never
    decreased. When the user-space PM is in use, this just affect
    the information exposed via diag/sockopt, but it could still foul
    the PM to wrong decision.
    
    Add the missing accounting for the user-space PM's sake.
    
    Fixes: 8b1c94da1e48 ("mptcp: only send RM_ADDR in nl_cmd_remove")
    Cc: stable@vger.kernel.org
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
    Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

mptcp: mib: count MPJ with backup flag [+ + +]
Author: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Date:   Sat Jul 27 12:01:26 2024 +0200

    mptcp: mib: count MPJ with backup flag
    
    commit 4dde0d72ccec500c60c798e036b852e013d6e124 upstream.
    
    Without such counters, it is difficult to easily debug issues with MPJ
    not having the backup flags on production servers.
    
    This is not strictly a fix, but it eases to validate the following
    patches without requiring to take packet traces, to query ongoing
    connections with Netlink with admin permissions, or to guess by looking
    at the behaviour of the packet scheduler. Also, the modification is self
    contained, isolated, well controlled, and the increments are done just
    after others, there from the beginning. It looks then safe, and helpful
    to backport this.
    
    Fixes: 4596a2c1b7f5 ("mptcp: allow creating non-backup subflows")
    Cc: stable@vger.kernel.org
    Reviewed-by: Mat Martineau <martineau@kernel.org>
    Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

mptcp: pm: fix backup support in signal endpoints [+ + +]
Author: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Date:   Sat Jul 27 12:01:28 2024 +0200

    mptcp: pm: fix backup support in signal endpoints
    
    commit 6834097fc38c5416701c793da94558cea49c0a1f upstream.
    
    There was a support for signal endpoints, but only when the endpoint's
    flag was changed during a connection. If an endpoint with the signal and
    backup was already present, the MP_JOIN reply was not containing the
    backup flag as expected.
    
    That's confusing to have this inconsistent behaviour. On the other hand,
    the infrastructure to set the backup flag in the SYN + ACK + MP_JOIN was
    already there, it was just never set before. Now when requesting the
    local ID from the path-manager, the backup status is also requested.
    
    Note that when the userspace PM is used, the backup flag can be set if
    the local address was already used before with a backup flag, e.g. if
    the address was announced with the 'backup' flag, or a subflow was
    created with the 'backup' flag.
    
    Fixes: 4596a2c1b7f5 ("mptcp: allow creating non-backup subflows")
    Cc: stable@vger.kernel.org
    Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/507
    Reviewed-by: Mat Martineau <martineau@kernel.org>
    Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

mptcp: pm: only set request_bkup flag when sending MP_PRIO [+ + +]
Author: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Date:   Sat Jul 27 12:01:25 2024 +0200

    mptcp: pm: only set request_bkup flag when sending MP_PRIO
    
    commit 4258b94831bb7ff28ab80e3c8d94db37db930728 upstream.
    
    The 'backup' flag from mptcp_subflow_context structure is supposed to be
    set only when the other peer flagged a subflow as backup, not the
    opposite.
    
    Fixes: 067065422fcd ("mptcp: add the outgoing MP_PRIO support")
    Cc: stable@vger.kernel.org
    Reviewed-by: Mat Martineau <martineau@kernel.org>
    Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

mptcp: sched: check both directions for backup [+ + +]
Author: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Date:   Sat Jul 27 12:01:23 2024 +0200

    mptcp: sched: check both directions for backup
    
    commit b6a66e521a2032f7fcba2af5a9bcbaeaa19b7ca3 upstream.
    
    The 'mptcp_subflow_context' structure has two items related to the
    backup flags:
    
     - 'backup': the subflow has been marked as backup by the other peer
    
     - 'request_bkup': the backup flag has been set by the host
    
    Before this patch, the scheduler was only looking at the 'backup' flag.
    That can make sense in some cases, but it looks like that's not what we
    wanted for the general use, because either the path-manager was setting
    both of them when sending an MP_PRIO, or the receiver was duplicating
    the 'backup' flag in the subflow request.
    
    Note that the use of these two flags in the path-manager are going to be
    fixed in the next commits, but this change here is needed not to modify
    the behaviour.
    
    Fixes: f296234c98a8 ("mptcp: Add handling of incoming MP_JOIN requests")
    Cc: stable@vger.kernel.org
    Reviewed-by: Mat Martineau <martineau@kernel.org>
    Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
net/iucv: fix use after free in iucv_sock_close() [+ + +]
Author: Alexandra Winter <wintera@linux.ibm.com>
Date:   Mon Jul 29 14:28:16 2024 +0200

    net/iucv: fix use after free in iucv_sock_close()
    
    [ Upstream commit f558120cd709682b739207b48cf7479fd9568431 ]
    
    iucv_sever_path() is called from process context and from bh context.
    iucv->path is used as indicator whether somebody else is taking care of
    severing the path (or it is already removed / never existed).
    This needs to be done with atomic compare and swap, otherwise there is a
    small window where iucv_sock_close() will try to work with a path that has
    already been severed and freed by iucv_callback_connrej() called by
    iucv_tasklet_fn().
    
    Example:
    [452744.123844] Call Trace:
    [452744.123845] ([<0000001e87f03880>] 0x1e87f03880)
    [452744.123966]  [<00000000d593001e>] iucv_path_sever+0x96/0x138
    [452744.124330]  [<000003ff801ddbca>] iucv_sever_path+0xc2/0xd0 [af_iucv]
    [452744.124336]  [<000003ff801e01b6>] iucv_sock_close+0xa6/0x310 [af_iucv]
    [452744.124341]  [<000003ff801e08cc>] iucv_sock_release+0x3c/0xd0 [af_iucv]
    [452744.124345]  [<00000000d574794e>] __sock_release+0x5e/0xe8
    [452744.124815]  [<00000000d5747a0c>] sock_close+0x34/0x48
    [452744.124820]  [<00000000d5421642>] __fput+0xba/0x268
    [452744.124826]  [<00000000d51b382c>] task_work_run+0xbc/0xf0
    [452744.124832]  [<00000000d5145710>] do_notify_resume+0x88/0x90
    [452744.124841]  [<00000000d5978096>] system_call+0xe2/0x2c8
    [452744.125319] Last Breaking-Event-Address:
    [452744.125321]  [<00000000d5930018>] iucv_path_sever+0x90/0x138
    [452744.125324]
    [452744.125325] Kernel panic - not syncing: Fatal exception in interrupt
    
    Note that bh_lock_sock() is not serializing the tasklet context against
    process context, because the check for sock_owned_by_user() and
    corresponding handling is missing.
    
    Ideas for a future clean-up patch:
    A) Correct usage of bh_lock_sock() in tasklet context, as described in
    Link: https://lore.kernel.org/netdev/1280155406.2899.407.camel@edumazet-laptop/
    Re-enqueue, if needed. This may require adding return values to the
    tasklet functions and thus changes to all users of iucv.
    
    B) Change iucv tasklet into worker and use only lock_sock() in af_iucv.
    
    Fixes: 7d316b945352 ("af_iucv: remove IUCV-pathes completely")
    Reviewed-by: Halil Pasic <pasic@linux.ibm.com>
    Signed-off-by: Alexandra Winter <wintera@linux.ibm.com>
    Link: https://patch.msgid.link/20240729122818.947756-1-wintera@linux.ibm.com
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
net/mlx5: Always drain health in shutdown callback [+ + +]
Author: Shay Drory <shayd@nvidia.com>
Date:   Tue Jul 30 09:16:30 2024 +0300

    net/mlx5: Always drain health in shutdown callback
    
    [ Upstream commit 1b75da22ed1e6171e261bc9265370162553d5393 ]
    
    There is no point in recovery during device shutdown. if health
    work started need to wait for it to avoid races and NULL pointer
    access.
    
    Hence, drain health WQ on shutdown callback.
    
    Fixes: 1958fc2f0712 ("net/mlx5: SF, Add auxiliary device driver")
    Fixes: d2aa060d40fa ("net/mlx5: Cancel health poll before sending panic teardown command")
    Signed-off-by: Shay Drory <shayd@nvidia.com>
    Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
    Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
    Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
    Link: https://patch.msgid.link/20240730061638.1831002-2-tariqt@nvidia.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net/mlx5: Fix error handling in irq_pool_request_irq [+ + +]
Author: Shay Drory <shayd@nvidia.com>
Date:   Tue Jul 30 09:16:31 2024 +0300

    net/mlx5: Fix error handling in irq_pool_request_irq
    
    [ Upstream commit a4557b0b57c40871ff00da4f623cf79211e052f3 ]
    
    In case mlx5_irq_alloc fails, the previously allocated index remains
    in the XArray, which could lead to inconsistencies.
    
    Fix it by adding error handling that erases the allocated index
    from the XArray if mlx5_irq_alloc returns an error.
    
    Fixes: c36326d38d93 ("net/mlx5: Round-Robin EQs over IRQs")
    Signed-off-by: Shay Drory <shayd@nvidia.com>
    Reviewed-by: Maher Sanalla <msanalla@nvidia.com>
    Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
    Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
    Link: https://patch.msgid.link/20240730061638.1831002-3-tariqt@nvidia.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net/mlx5: Fix missing lock on sync reset reload [+ + +]
Author: Moshe Shemesh <moshe@nvidia.com>
Date:   Tue Jul 30 09:16:34 2024 +0300

    net/mlx5: Fix missing lock on sync reset reload
    
    [ Upstream commit 572f9caa9e7295f8c8822e4122c7ae8f1c412ff9 ]
    
    On sync reset reload work, when remote host updates devlink on reload
    actions performed on that host, it misses taking devlink lock before
    calling devlink_remote_reload_actions_performed() which results in
    triggering lock assert like the following:
    
    WARNING: CPU: 4 PID: 1164 at net/devlink/core.c:261 devl_assert_locked+0x3e/0x50
    …
     CPU: 4 PID: 1164 Comm: kworker/u96:6 Tainted: G S      W          6.10.0-rc2+ #116
     Hardware name: Supermicro SYS-2028TP-DECTR/X10DRT-PT, BIOS 2.0 12/18/2015
     Workqueue: mlx5_fw_reset_events mlx5_sync_reset_reload_work [mlx5_core]
     RIP: 0010:devl_assert_locked+0x3e/0x50
    …
     Call Trace:
      <TASK>
      ? __warn+0xa4/0x210
      ? devl_assert_locked+0x3e/0x50
      ? report_bug+0x160/0x280
      ? handle_bug+0x3f/0x80
      ? exc_invalid_op+0x17/0x40
      ? asm_exc_invalid_op+0x1a/0x20
      ? devl_assert_locked+0x3e/0x50
      devlink_notify+0x88/0x2b0
      ? mlx5_attach_device+0x20c/0x230 [mlx5_core]
      ? __pfx_devlink_notify+0x10/0x10
      ? process_one_work+0x4b6/0xbb0
      process_one_work+0x4b6/0xbb0
    […]
    
    Fixes: 84a433a40d0e ("net/mlx5: Lock mlx5 devlink reload callbacks")
    Signed-off-by: Moshe Shemesh <moshe@nvidia.com>
    Reviewed-by: Maor Gottlieb <maorg@nvidia.com>
    Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
    Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
    Link: https://patch.msgid.link/20240730061638.1831002-6-tariqt@nvidia.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net/mlx5: Lag, don't use the hardcoded value of the first port [+ + +]
Author: Mark Bloch <mbloch@nvidia.com>
Date:   Tue Jul 30 09:16:33 2024 +0300

    net/mlx5: Lag, don't use the hardcoded value of the first port
    
    [ Upstream commit 3fda84dc090390573cfbd0b1d70372663315de21 ]
    
    The cited commit didn't change the body of the loop as it should.
    It shouldn't be using MLX5_LAG_P1.
    
    Fixes: 7e978e7714d6 ("net/mlx5: Lag, use actual number of lag ports")
    Signed-off-by: Mark Bloch <mbloch@nvidia.com>
    Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
    Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
    Link: https://patch.msgid.link/20240730061638.1831002-5-tariqt@nvidia.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
net/mlx5e: Add a check for the return value from mlx5_port_set_eth_ptys [+ + +]
Author: Shahar Shitrit <shshitrit@nvidia.com>
Date:   Tue Jul 30 09:16:37 2024 +0300

    net/mlx5e: Add a check for the return value from mlx5_port_set_eth_ptys
    
    [ Upstream commit 3f8e82a020a5c22f9b791f4ac499b8e18007fbda ]
    
    Since the documentation for mlx5_toggle_port_link states that it should
    only be used after setting the port register, we add a check for the
    return value from mlx5_port_set_eth_ptys to ensure the register was
    successfully set before calling it.
    
    Fixes: 667daedaecd1 ("net/mlx5e: Toggle link only after modifying port parameters")
    Signed-off-by: Shahar Shitrit <shshitrit@nvidia.com>
    Reviewed-by: Carolina Jubran <cjubran@nvidia.com>
    Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
    Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
    Link: https://patch.msgid.link/20240730061638.1831002-9-tariqt@nvidia.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net/mlx5e: Fix CT entry update leaks of modify header context [+ + +]
Author: Chris Mi <cmi@nvidia.com>
Date:   Tue Jul 30 09:16:36 2024 +0300

    net/mlx5e: Fix CT entry update leaks of modify header context
    
    [ Upstream commit 025f2b85a5e5a46df14ecf162c3c80a957a36d0b ]
    
    The cited commit allocates a new modify header to replace the old
    one when updating CT entry. But if failed to allocate a new one, eg.
    exceed the max number firmware can support, modify header will be
    an error pointer that will trigger a panic when deallocating it. And
    the old modify header point is copied to old attr. When the old
    attr is freed, the old modify header is lost.
    
    Fix it by restoring the old attr to attr when failed to allocate a
    new modify header context. So when the CT entry is freed, the right
    modify header context will be freed. And the panic of accessing
    error pointer is also fixed.
    
    Fixes: 94ceffb48eac ("net/mlx5e: Implement CT entry update")
    Signed-off-by: Chris Mi <cmi@nvidia.com>
    Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
    Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
    Link: https://patch.msgid.link/20240730061638.1831002-8-tariqt@nvidia.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net/mlx5e: Require mlx5 tc classifier action support for IPsec prio capability [+ + +]
Author: Rahul Rameshbabu <rrameshbabu@nvidia.com>
Date:   Tue Jul 30 09:16:35 2024 +0300

    net/mlx5e: Require mlx5 tc classifier action support for IPsec prio capability
    
    [ Upstream commit 06827e27fdcd197557be72b2229dbd362303794f ]
    
    Require mlx5 classifier action support when creating IPSec chains in
    offload path. MLX5_IPSEC_CAP_PRIO should only be set if CONFIG_MLX5_CLS_ACT
    is enabled. If CONFIG_MLX5_CLS_ACT=n and MLX5_IPSEC_CAP_PRIO is set,
    configuring IPsec offload will fail due to the mlxx5 ipsec chain rules
    failing to be created due to lack of classifier action support.
    
    Fixes: fa5aa2f89073 ("net/mlx5e: Use chains for IPsec policy priority offload")
    Signed-off-by: Rahul Rameshbabu <rrameshbabu@nvidia.com>
    Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
    Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
    Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
    Link: https://patch.msgid.link/20240730061638.1831002-7-tariqt@nvidia.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
net: axienet: start napi before enabling Rx/Tx [+ + +]
Author: Andy Chiu <andy.chiu@sifive.com>
Date:   Fri Jul 26 15:06:50 2024 +0800

    net: axienet: start napi before enabling Rx/Tx
    
    [ Upstream commit 799a829507506924add8a7620493adc1c3cfda30 ]
    
    softirq may get lost if an Rx interrupt comes before we call
    napi_enable. Move napi_enable in front of axienet_setoptions(), which
    turns on the device, to address the issue.
    
    Link: https://lists.gnu.org/archive/html/qemu-devel/2024-07/msg06160.html
    Fixes: cc37610caaf8 ("net: axienet: implement NAPI and GRO receive")
    Signed-off-by: Andy Chiu <andy.chiu@sifive.com>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: mvpp2: Don't re-use loop iterator [+ + +]
Author: Dan Carpenter <dan.carpenter@linaro.org>
Date:   Wed Jul 24 11:06:56 2024 -0500

    net: mvpp2: Don't re-use loop iterator
    
    [ Upstream commit 0aa3ca956c46d849775eae1816cef8fe4bc8b50e ]
    
    This function has a nested loop.  The problem is that both the inside
    and outside loop use the same variable as an iterator.  I found this
    via static analysis so I'm not sure the impact.  It could be that it
    loops forever or, more likely, the loop exits early.
    
    Fixes: 3a616b92a9d1 ("net: mvpp2: Add TX flow control support for jumbo frames")
    Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Link: https://patch.msgid.link/eaa8f403-7779-4d81-973d-a9ecddc0bf6f@stanley.mountain
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: phy: micrel: Fix the KSZ9131 MDI-X status issue [+ + +]
Author: Raju Lakkaraju <Raju.Lakkaraju@microchip.com>
Date:   Thu Jul 25 12:41:25 2024 +0530

    net: phy: micrel: Fix the KSZ9131 MDI-X status issue
    
    [ Upstream commit 84383b5ef4cd21b4a67de92afdc05a03b5247db9 ]
    
    The MDIX status is not accurately reflecting the current state after the link
    partner has manually altered its MDIX configuration while operating in forced
    mode.
    
    Access information about Auto mdix completion and pair selection from the
    KSZ9131's Auto/MDI/MDI-X status register
    
    Fixes: b64e6a8794d9 ("net: phy: micrel: Add PHY Auto/MDI/MDI-X set driver for KSZ9131")
    Signed-off-by: Raju Lakkaraju <Raju.Lakkaraju@microchip.com>
    Reviewed-by: Andrew Lunn <andrew@lunn.ch>
    Link: https://patch.msgid.link/20240725071125.13960-1-Raju.Lakkaraju@microchip.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: phy: realtek: add support for RTL8366S Gigabit PHY [+ + +]
Author: Mark Mentovai <mark@mentovai.com>
Date:   Thu Jul 25 16:41:44 2024 -0400

    net: phy: realtek: add support for RTL8366S Gigabit PHY
    
    [ Upstream commit 225990c487c1023e7b3aa89beb6a68011fbc0461 ]
    
    The PHY built in to the Realtek RTL8366S switch controller was
    previously supported by genphy_driver. This PHY does not implement MMD
    operations. Since commit 9b01c885be36 ("net: phy: c22: migrate to
    genphy_c45_write_eee_adv()"), MMD register reads have been made during
    phy_probe to determine EEE support. For genphy_driver, these reads are
    transformed into 802.3 annex 22D clause 45-over-clause 22
    mmd_phy_indirect operations that perform MII register writes to
    MII_MMD_CTRL and MII_MMD_DATA. This overwrites those two MII registers,
    which on this PHY are reserved and have another function, rendering the
    PHY unusable while so configured.
    
    Proper support for this PHY is restored by providing a phy_driver that
    declares MMD operations as unsupported by using the helper functions
    provided for that purpose, while remaining otherwise identical to
    genphy_driver.
    
    Fixes: 9b01c885be36 ("net: phy: c22: migrate to genphy_c45_write_eee_adv()")
    Reported-by: Russell Senior <russell@personaltelco.net>
    Closes: https://github.com/openwrt/openwrt/issues/15981
    Link: https://github.com/openwrt/openwrt/issues/15739
    Signed-off-by: Mark Mentovai <mark@mentovai.com>
    Reviewed-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

net: usb: sr9700: fix uninitialized variable use in sr_mdio_read [+ + +]
Author: Ma Ke <make24@iscas.ac.cn>
Date:   Thu Jul 25 10:29:42 2024 +0800

    net: usb: sr9700: fix uninitialized variable use in sr_mdio_read
    
    commit 08f3a5c38087d1569e982a121aad1e6acbf145ce upstream.
    
    It could lead to error happen because the variable res is not updated if
    the call to sr_share_read_word returns an error. In this particular case
    error code was returned and res stayed uninitialized. Same issue also
    applies to sr_read_reg.
    
    This can be avoided by checking the return value of sr_share_read_word
    and sr_read_reg, and propagating the error if the read operation failed.
    
    Found by code review.
    
    Cc: stable@vger.kernel.org
    Fixes: c9b37458e956 ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support")
    Signed-off-by: Ma Ke <make24@iscas.ac.cn>
    Reviewed-by: Shigeru Yoshida <syoshida@redhat.com>
    Reviewed-by: Hariprasad Kelam <hkelam@marvell.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

net: wan: fsl_qmc_hdlc: Convert carrier_lock spinlock to a mutex [+ + +]
Author: Herve Codina <herve.codina@bootlin.com>
Date:   Tue Jul 30 08:31:04 2024 +0200

    net: wan: fsl_qmc_hdlc: Convert carrier_lock spinlock to a mutex
    
    commit c4d6a347ba7babdf9d90a0eb24048c266cae0532 upstream.
    
    The carrier_lock spinlock protects the carrier detection. While it is
    held, framer_get_status() is called which in turn takes a mutex.
    This is not correct and can lead to a deadlock.
    
    A run with PROVE_LOCKING enabled detected the issue:
      [ BUG: Invalid wait context ]
      ...
      c204ddbc (&framer->mutex){+.+.}-{3:3}, at: framer_get_status+0x40/0x78
      other info that might help us debug this:
      context-{4:4}
      2 locks held by ifconfig/146:
      #0: c0926a38 (rtnl_mutex){+.+.}-{3:3}, at: devinet_ioctl+0x12c/0x664
      #1: c2006a40 (&qmc_hdlc->carrier_lock){....}-{2:2}, at: qmc_hdlc_framer_set_carrier+0x30/0x98
    
    Avoid the spinlock usage and convert carrier_lock to a mutex.
    
    Fixes: 54762918ca85 ("net: wan: fsl_qmc_hdlc: Add framer support")
    Cc: stable@vger.kernel.org
    Signed-off-by: Herve Codina <herve.codina@bootlin.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Link: https://patch.msgid.link/20240730063104.179553-1-herve.codina@bootlin.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

net: wan: fsl_qmc_hdlc: Discard received CRC [+ + +]
Author: Herve Codina <herve.codina@bootlin.com>
Date:   Tue Jul 30 08:31:33 2024 +0200

    net: wan: fsl_qmc_hdlc: Discard received CRC
    
    commit e549360069b4a57e111b8222fc072f3c7c1688ab upstream.
    
    Received frame from QMC contains the CRC.
    Upper layers don't need this CRC and tcpdump mentioned trailing junk
    data due to this CRC presence.
    
    As some other HDLC driver, simply discard this CRC.
    
    Fixes: d0f2258e79fd ("net: wan: Add support for QMC HDLC")
    Cc: stable@vger.kernel.org
    Signed-off-by: Herve Codina <herve.codina@bootlin.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Link: https://patch.msgid.link/20240730063133.179598-1-herve.codina@bootlin.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init(). [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Thu Jul 25 12:28:20 2024 -0700

    netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init().
    
    [ Upstream commit 5830aa863981d43560748aa93589c0695191d95d ]
    
    We had a report that iptables-restore sometimes triggered null-ptr-deref
    at boot time. [0]
    
    The problem is that iptable_nat_table_init() is exposed to user space
    before the kernel fully initialises netns.
    
    In the small race window, a user could call iptable_nat_table_init()
    that accesses net_generic(net, iptable_nat_net_id), which is available
    only after registering iptable_nat_net_ops.
    
    Let's call register_pernet_subsys() before xt_register_template().
    
    [0]:
    bpfilter: Loaded bpfilter_umh pid 11702
    Started bpfilter
    BUG: kernel NULL pointer dereference, address: 0000000000000013
     PF: supervisor write access in kernel mode
     PF: error_code(0x0002) - not-present page
    PGD 0 P4D 0
    PREEMPT SMP NOPTI
    CPU: 2 PID: 11879 Comm: iptables-restor Not tainted 6.1.92-99.174.amzn2023.x86_64 #1
    Hardware name: Amazon EC2 c6i.4xlarge/, BIOS 1.0 10/16/2017
    RIP: 0010:iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat
    Code: 10 4c 89 f6 48 89 ef e8 0b 19 bb ff 41 89 c4 85 c0 75 38 41 83 c7 01 49 83 c6 28 41 83 ff 04 75 dc 48 8b 44 24 08 48 8b 0c 24 <48> 89 08 4c 89 ef e8 a2 3b a2 cf 48 83 c4 10 44 89 e0 5b 5d 41 5c
    RSP: 0018:ffffbef902843cd0 EFLAGS: 00010246
    RAX: 0000000000000013 RBX: ffff9f4b052caa20 RCX: ffff9f4b20988d80
    RDX: 0000000000000000 RSI: 0000000000000064 RDI: ffffffffc04201c0
    RBP: ffff9f4b29394000 R08: ffff9f4b07f77258 R09: ffff9f4b07f77240
    R10: 0000000000000000 R11: ffff9f4b09635388 R12: 0000000000000000
    R13: ffff9f4b1a3c6c00 R14: ffff9f4b20988e20 R15: 0000000000000004
    FS:  00007f6284340000(0000) GS:ffff9f51fe280000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000013 CR3: 00000001d10a6005 CR4: 00000000007706e0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    PKRU: 55555554
    Call Trace:
     <TASK>
     ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)
     ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)
     ? xt_find_table_lock (net/netfilter/x_tables.c:1259)
     ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420)
     ? page_fault_oops (arch/x86/mm/fault.c:727)
     ? exc_page_fault (./arch/x86/include/asm/irqflags.h:40 ./arch/x86/include/asm/irqflags.h:75 arch/x86/mm/fault.c:1470 arch/x86/mm/fault.c:1518)
     ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:570)
     ? iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat
     xt_find_table_lock (net/netfilter/x_tables.c:1259)
     xt_request_find_table_lock (net/netfilter/x_tables.c:1287)
     get_info (net/ipv4/netfilter/ip_tables.c:965)
     ? security_capable (security/security.c:809 (discriminator 13))
     ? ns_capable (kernel/capability.c:376 kernel/capability.c:397)
     ? do_ipt_get_ctl (net/ipv4/netfilter/ip_tables.c:1656)
     ? bpfilter_send_req (net/bpfilter/bpfilter_kern.c:52) bpfilter
     nf_getsockopt (net/netfilter/nf_sockopt.c:116)
     ip_getsockopt (net/ipv4/ip_sockglue.c:1827)
     __sys_getsockopt (net/socket.c:2327)
     __x64_sys_getsockopt (net/socket.c:2342 net/socket.c:2339 net/socket.c:2339)
     do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:81)
     entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
    RIP: 0033:0x7f62844685ee
    Code: 48 8b 0d 45 28 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 37 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 0a c3 66 0f 1f 84 00 00 00 00 00 48 8b 15 09
    RSP: 002b:00007ffd1f83d638 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
    RAX: ffffffffffffffda RBX: 00007ffd1f83d680 RCX: 00007f62844685ee
    RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000004
    RBP: 0000000000000004 R08: 00007ffd1f83d670 R09: 0000558798ffa2a0
    R10: 00007ffd1f83d680 R11: 0000000000000246 R12: 00007ffd1f83e3b2
    R13: 00007f628455baa0 R14: 00007ffd1f83d7b0 R15: 00007f628457a008
     </TASK>
    Modules linked in: iptable_nat(+) bpfilter rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache veth xt_state xt_connmark xt_nat xt_statistic xt_MASQUERADE xt_mark xt_addrtype ipt_REJECT nf_reject_ipv4 nft_chain_nat nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment nft_compat nf_tables nfnetlink overlay nls_ascii nls_cp437 vfat fat ghash_clmulni_intel aesni_intel ena crypto_simd ptp cryptd i8042 pps_core serio button sunrpc sch_fq_codel configfs loop dm_mod fuse dax dmi_sysfs crc32_pclmul crc32c_intel efivarfs
    CR2: 0000000000000013
    
    Fixes: fdacd57c79b7 ("netfilter: x_tables: never register tables by default")
    Reported-by: Takahiro Kawahara <takawaha@amazon.co.jp>
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Reviewed-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

netfilter: iptables: Fix potential null-ptr-deref in ip6table_nat_table_init(). [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Thu Jul 25 12:28:21 2024 -0700

    netfilter: iptables: Fix potential null-ptr-deref in ip6table_nat_table_init().
    
    [ Upstream commit c22921df777de5606f1047b1345b8d22ef1c0b34 ]
    
    ip6table_nat_table_init() accesses net->gen->ptr[ip6table_nat_net_ops.id],
    but the function is exposed to user space before the entry is allocated
    via register_pernet_subsys().
    
    Let's call register_pernet_subsys() before xt_register_template().
    
    Fixes: fdacd57c79b7 ("netfilter: x_tables: never register tables by default")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Reviewed-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
netlink: specs: correct the spec of ethtool [+ + +]
Author: Jakub Kicinski <kuba@kernel.org>
Date:   Wed Jul 24 16:42:48 2024 -0700

    netlink: specs: correct the spec of ethtool
    
    [ Upstream commit a40c7a24f97edda025f53cfe8f0bc6a6e3c12fa6 ]
    
    The spec for Ethtool is a bit inaccurate. We don't currently
    support dump. Context is only accepted as input and not echoed
    to output (which is a separate bug).
    
    Fixes: a353318ebf24 ("tools: ynl: populate most of the ethtool spec")
    Acked-by: Paolo Abeni <pabeni@redhat.com>
    Reviewed-by: Joe Damato <jdamato@fastly.com>
    Link: https://patch.msgid.link/20240724234249.2621109-2-kuba@kernel.org
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
nouveau: set placement to original placement on uvmm validate. [+ + +]
Author: Dave Airlie <airlied@redhat.com>
Date:   Wed May 15 12:55:41 2024 +1000

    nouveau: set placement to original placement on uvmm validate.
    
    commit 9c685f61722d30a22d55bb8a48f7a48bb2e19bcc upstream.
    
    When a buffer is evicted for memory pressure or TTM evict all,
    the placement is set to the eviction domain, this means the
    buffer never gets revalidated on the next exec to the correct domain.
    
    I think this should be fine to use the initial domain from the
    object creation, as least with VM_BIND this won't change after
    init so this should be the correct answer.
    
    Fixes: b88baab82871 ("drm/nouveau: implement new VM_BIND uAPI")
    Cc: Danilo Krummrich <dakr@redhat.com>
    Cc: <stable@vger.kernel.org> # v6.6
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    Signed-off-by: Danilo Krummrich <dakr@kernel.org>
    Link: https://patchwork.freedesktop.org/patch/msgid/20240515025542.2156774-1-airlied@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
PCI: pciehp: Retain Power Indicator bits for userspace indicators [+ + +]
Author: Blazej Kucman <blazej.kucman@intel.com>
Date:   Mon Jul 22 16:14:40 2024 +0200

    PCI: pciehp: Retain Power Indicator bits for userspace indicators
    
    commit 5560a612c20d3daacbf5da7913deefa5c31742f4 upstream.
    
    The sysfs "attention" file normally controls the Slot Control Attention
    Indicator with 0 (off), 1 (on), 2 (blink) settings.
    
    576243b3f9ea ("PCI: pciehp: Allow exclusive userspace control of
    indicators") added pciehp_set_raw_indicator_status() to allow userspace to
    directly control all four bits in both the Attention Indicator and the
    Power Indicator fields via the "attention" file.
    
    This is used on Intel VMD bridges so utilities like "ledmon" can use sysfs
    "attention" to control up to 16 indicators for NVMe device RAID status.
    
    abaaac4845a0 ("PCI: hotplug: Use FIELD_GET/PREP()") broke this by masking
    the sysfs data with PCI_EXP_SLTCTL_AIC, which discards the upper two bits
    intended for the Power Indicator Control field (PCI_EXP_SLTCTL_PIC).
    
    For NVMe devices behind an Intel VMD, ledmon settings that use the
    PCI_EXP_SLTCTL_PIC bits, i.e., ATTENTION_REBUILD (0x5), ATTENTION_LOCATE
    (0x7), ATTENTION_FAILURE (0xD), ATTENTION_OFF (0xF), no longer worked
    correctly.
    
    Mask with PCI_EXP_SLTCTL_AIC | PCI_EXP_SLTCTL_PIC to retain both the
    Attention Indicator and the Power Indicator bits.
    
    Fixes: abaaac4845a0 ("PCI: hotplug: Use FIELD_GET/PREP()")
    Link: https://lore.kernel.org/r/20240722141440.7210-1-blazej.kucman@intel.com
    Signed-off-by: Blazej Kucman <blazej.kucman@intel.com>
    [bhelgaas: commit log]
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Cc: stable@vger.kernel.org      # v6.7+
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
perf arch events: Fix duplicate RISC-V SBI firmware event name [+ + +]
Author: Eric Lin <eric.lin@sifive.com>
Date:   Fri Jul 19 19:50:18 2024 +0800

    perf arch events: Fix duplicate RISC-V SBI firmware event name
    
    [ Upstream commit 63ba5b0fb4f54db256ec43b3062b2606b383055d ]
    
    Currently, the RISC-V firmware JSON file has duplicate event name
    "FW_SFENCE_VMA_RECEIVED". According to the RISC-V SBI PMU extension[1],
    the event name should be "FW_SFENCE_VMA_ASID_SENT".
    
    Before this patch:
    $ perf list
    
    firmware:
      fw_access_load
           [Load access trap event. Unit: cpu]
      fw_access_store
           [Store access trap event. Unit: cpu]
    ....
     fw_set_timer
           [Set timer event. Unit: cpu]
      fw_sfence_vma_asid_received
           [Received SFENCE.VMA with ASID request from other HART event. Unit: cpu]
      fw_sfence_vma_received
           [Sent SFENCE.VMA with ASID request to other HART event. Unit: cpu]
    
    After this patch:
    $ perf list
    
    firmware:
      fw_access_load
           [Load access trap event. Unit: cpu]
      fw_access_store
           [Store access trap event. Unit: cpu]
    .....
      fw_set_timer
           [Set timer event. Unit: cpu]
      fw_sfence_vma_asid_received
           [Received SFENCE.VMA with ASID request from other HART event. Unit: cpu]
      fw_sfence_vma_asid_sent
           [Sent SFENCE.VMA with ASID request to other HART event. Unit: cpu]
      fw_sfence_vma_received
           [Received SFENCE.VMA request from other HART event. Unit: cpu]
    
    Link: https://github.com/riscv-non-isa/riscv-sbi-doc/blob/master/src/ext-pmu.adoc#event-firmware-events-type-15 [1]
    Fixes: 8f0dcb4e7364 ("perf arch events: riscv sbi firmware std event files")
    Fixes: c4f769d4093d ("perf vendor events riscv: add Sifive U74 JSON file")
    Fixes: acbf6de674ef ("perf vendor events riscv: Add StarFive Dubhe-80 JSON file")
    Fixes: 7340c6df49df ("perf vendor events riscv: add T-HEAD C9xx JSON file")
    Fixes: f5102e31c209 ("riscv: andes: Support specifying symbolic firmware and hardware raw event")
    Signed-off-by: Eric Lin <eric.lin@sifive.com>
    Reviewed-by: Samuel Holland <samuel.holland@sifive.com>
    Reviewed-by: Nikita Shubin <n.shubin@yadro.com>
    Reviewed-by: Inochi Amaoto <inochiama@outlook.com>
    Reviewed-by: Andrew Jones <ajones@ventanamicro.com>
    Reviewed-by: Atish Patra <atishp@rivosinc.com>
    Link: https://lore.kernel.org/r/20240719115018.27356-1-eric.lin@sifive.com
    Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
perf tool: fix dereferencing NULL al->maps [+ + +]
Author: Casey Chen <cachen@purestorage.com>
Date:   Mon Jul 22 15:15:48 2024 -0600

    perf tool: fix dereferencing NULL al->maps
    
    [ Upstream commit 4c17736689ccfc44ec7dcc472577f25c34cf8724 ]
    
    With 0dd5041c9a0e ("perf addr_location: Add init/exit/copy functions"),
    when cpumode is 3 (macro PERF_RECORD_MISC_HYPERVISOR),
    thread__find_map() could return with al->maps being NULL.
    
    The path below could add a callchain_cursor_node with NULL ms.maps.
    
    add_callchain_ip()
      thread__find_symbol(.., &al)
        thread__find_map(.., &al)   // al->maps becomes NULL
      ms.maps = maps__get(al.maps)
      callchain_cursor_append(..., &ms, ...)
        node->ms.maps = maps__get(ms->maps)
    
    Then the path below would dereference NULL maps and get segfault.
    
    fill_callchain_info()
      maps__machine(node->ms.maps);
    
    Fix it by checking if maps is NULL in fill_callchain_info().
    
    Fixes: 0dd5041c9a0e ("perf addr_location: Add init/exit/copy functions")
    Signed-off-by: Casey Chen <cachen@purestorage.com>
    Reviewed-by: Ian Rogers <irogers@google.com>
    Reviewed-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Acked-by: Namhyung Kim <namhyung@kernel.org>
    Cc: yzhong@purestorage.com
    Link: https://lore.kernel.org/r/20240722211548.61455-1-cachen@purestorage.com
    Signed-off-by: Namhyung Kim <namhyung@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
perf/x86/intel: Add a distinct name for Granite Rapids [+ + +]
Author: Kan Liang <kan.liang@linux.intel.com>
Date:   Mon Jul 8 12:33:35 2024 -0700

    perf/x86/intel: Add a distinct name for Granite Rapids
    
    [ Upstream commit fa0c1c9d283b37fdb7fc1dcccbb88fc8f48a4aa4 ]
    
    Currently, the Sapphire Rapids and Granite Rapids share the same PMU
    name, sapphire_rapids. Because from the kernel’s perspective, GNR is
    similar to SPR. The only key difference is that they support different
    extra MSRs. The code path and the PMU name are shared.
    
    However, from end users' perspective, they are quite different. Besides
    the extra MSRs, GNR has a newer PEBS format, supports Retire Latency,
    supports new CPUID enumeration architecture, doesn't required the
    load-latency AUX event, has additional TMA Level 1 Architectural Events,
    etc. The differences can be enumerated by CPUID or the PERF_CAPABILITIES
    MSR. They weren't reflected in the model-specific kernel setup.
    But it is worth to have a distinct PMU name for GNR.
    
    Fixes: a6742cb90b56 ("perf/x86/intel: Fix the FRONTEND encoding on GNR and MTL")
    Suggested-by: Ahmad Yasin <ahmad.yasin@intel.com>
    Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: stable@vger.kernel.org
    Link: https://lkml.kernel.org/r/20240708193336.1192217-3-kan.liang@linux.intel.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

perf/x86/intel: Switch to new Intel CPU model defines [+ + +]
Author: Tony Luck <tony.luck@intel.com>
Date:   Mon May 20 15:46:02 2024 -0700

    perf/x86/intel: Switch to new Intel CPU model defines
    
    [ Upstream commit d142df13f3574237688c7a20e0019cccc7ae39eb ]
    
    New CPU #defines encode vendor and family as well as model.
    
    Signed-off-by: Tony Luck <tony.luck@intel.com>
    Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
    Link: https://lore.kernel.org/all/20240520224620.9480-32-tony.luck%40intel.com
    Stable-dep-of: fa0c1c9d283b ("perf/x86/intel: Add a distinct name for Granite Rapids")
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
perf: imx_perf: fix counter start and config sequence [+ + +]
Author: Xu Yang <xu.yang_2@nxp.com>
Date:   Wed May 29 16:03:55 2024 +0800

    perf: imx_perf: fix counter start and config sequence
    
    [ Upstream commit ac9aa295f7a89d38656739628796f086f0b160e2 ]
    
    In current driver, the counter will start firstly and then be configured.
    This sequence is not correct for AXI filter events since the correct
    AXI_MASK and AXI_ID are not set yet. Then the results may be inaccurate.
    
    Reviewed-by: Frank Li <Frank.Li@nxp.com>
    Fixes: 55691f99d417 ("drivers/perf: imx_ddr: Add support for NXP i.MX9 SoC DDRC PMU driver")
    cc: stable@vger.kernel.org
    Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
    Link: https://lore.kernel.org/r/20240529080358.703784-5-xu.yang_2@nxp.com
    Signed-off-by: Will Deacon <will@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

perf: riscv: Fix selecting counters in legacy mode [+ + +]
Author: Shifrin Dmitry <dmitry.shifrin@syntacore.com>
Date:   Mon Jul 29 15:58:58 2024 +0300

    perf: riscv: Fix selecting counters in legacy mode
    
    [ Upstream commit 941a8e9b7a86763ac52d5bf6ccc9986d37fde628 ]
    
    It is required to check event type before checking event config.
    Events with the different types can have the same config.
    This check is missed for legacy mode code
    
    For such perf usage:
        sysctl -w kernel.perf_user_access=2
        perf stat -e cycles,L1-dcache-loads --
    driver will try to force both events to CYCLE counter.
    
    This commit implements event type check before forcing
    events on the special counters.
    
    Signed-off-by: Shifrin Dmitry <dmitry.shifrin@syntacore.com>
    Reviewed-by: Atish Patra <atishp@rivosinc.com>
    Fixes: cc4c07c89aad ("drivers: perf: Implement perf event mmap support in the SBI backend")
    Link: https://lore.kernel.org/r/20240729125858.630653-1-dmitry.shifrin@syntacore.com
    Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
platform/chrome: cros_ec_proto: Lock device when updating MKBP version [+ + +]
Author: Patryk Duda <patrykd@google.com>
Date:   Tue Jul 30 10:44:25 2024 +0000

    platform/chrome: cros_ec_proto: Lock device when updating MKBP version
    
    commit df615907f1bf907260af01ccb904d0e9304b5278 upstream.
    
    The cros_ec_get_host_command_version_mask() function requires that the
    caller must have ec_dev->lock mutex before calling it. This requirement
    was not met and as a result it was possible that two commands were sent
    to the device at the same time.
    
    The problem was observed while using UART backend which doesn't use any
    additional locks, unlike SPI backend which locks the controller until
    response is received.
    
    Fixes: f74c7557ed0d ("platform/chrome: cros_ec_proto: Update version on GET_NEXT_EVENT failure")
    Cc: stable@vger.kernel.org
    Signed-off-by: Patryk Duda <patrykd@google.com>
    Link: https://lore.kernel.org/r/20240730104425.607083-1-patrykd@google.com
    Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
Linux: protect the fetch of ->fd[fd] in do_dup2() from mispredictions [+ + +]
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Thu Aug 1 15:22:22 2024 -0400

    protect the fetch of ->fd[fd] in do_dup2() from mispredictions
    
    commit 8aa37bde1a7b645816cda8b80df4753ecf172bf1 upstream.
    
    both callers have verified that fd is not greater than ->max_fds;
    however, misprediction might end up with
            tofree = fdt->fd[fd];
    being speculatively executed.  That's wrong for the same reasons
    why it's wrong in close_fd()/file_close_fd_locked(); the same
    solution applies - array_index_nospec(fd, fdt->max_fds) could differ
    from fd only in case of speculative execution on mispredicted path.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
r8169: don't increment tx_dropped in case of NETDEV_TX_BUSY [+ + +]
Author: Heiner Kallweit <hkallweit1@gmail.com>
Date:   Tue Jul 30 21:51:52 2024 +0200

    r8169: don't increment tx_dropped in case of NETDEV_TX_BUSY
    
    commit d516b187a9cc2e842030dd005be2735db3e8f395 upstream.
    
    The skb isn't consumed in case of NETDEV_TX_BUSY, therefore don't
    increment the tx_dropped counter.
    
    Fixes: 188f4af04618 ("r8169: use NETDEV_TX_{BUSY/OK}")
    Cc: stable@vger.kernel.org
    Suggested-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
    Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
    Link: https://patch.msgid.link/bbba9c48-8bac-4932-9aa1-d2ed63bc9433@gmail.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
Revert "ALSA: firewire-lib: obsolete workqueue for period update" [+ + +]
Author: Edmund Raile <edmund.raile@protonmail.com>
Date:   Tue Jul 30 19:53:26 2024 +0000

    Revert "ALSA: firewire-lib: obsolete workqueue for period update"
    
    commit 6ccf9984d6be3c2f804087b736db05c2ec42664b upstream.
    
    prepare resolution of AB/BA deadlock competition for substream lock:
    restore workqueue previously used for process context:
    
    revert commit b5b519965c4c ("ALSA: firewire-lib: obsolete workqueue
    for period update")
    
    Cc: stable@vger.kernel.org
    Link: https://lore.kernel.org/r/kwryofzdmjvzkuw6j3clftsxmoolynljztxqwg76hzeo4simnl@jn3eo7pe642q/
    Signed-off-by: Edmund Raile <edmund.raile@protonmail.com>
    Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Link: https://patch.msgid.link/20240730195318.869840-2-edmund.raile@protonmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Revert "ALSA: firewire-lib: operate for period elapse event in process context" [+ + +]
Author: Edmund Raile <edmund.raile@protonmail.com>
Date:   Tue Jul 30 19:53:29 2024 +0000

    Revert "ALSA: firewire-lib: operate for period elapse event in process context"
    
    commit 3dab73ab925a51ab05543b491bf17463a48ca323 upstream.
    
    Commit 7ba5ca32fe6e ("ALSA: firewire-lib: operate for period elapse event
    in process context") removed the process context workqueue from
    amdtp_domain_stream_pcm_pointer() and update_pcm_pointers() to remove
    its overhead.
    
    With RME Fireface 800, this lead to a regression since
    Kernels 5.14.0, causing an AB/BA deadlock competition for the
    substream lock with eventual system freeze under ALSA operation:
    
    thread 0:
        * (lock A) acquire substream lock by
            snd_pcm_stream_lock_irq() in
            snd_pcm_status64()
        * (lock B) wait for tasklet to finish by calling
            tasklet_unlock_spin_wait() in
            tasklet_disable_in_atomic() in
            ohci_flush_iso_completions() of ohci.c
    
    thread 1:
        * (lock B) enter tasklet
        * (lock A) attempt to acquire substream lock,
            waiting for it to be released:
            snd_pcm_stream_lock_irqsave() in
            snd_pcm_period_elapsed() in
            update_pcm_pointers() in
            process_ctx_payloads() in
            process_rx_packets() of amdtp-stream.c
    
    ? tasklet_unlock_spin_wait
     </NMI>
     <TASK>
    ohci_flush_iso_completions firewire_ohci
    amdtp_domain_stream_pcm_pointer snd_firewire_lib
    snd_pcm_update_hw_ptr0 snd_pcm
    snd_pcm_status64 snd_pcm
    
    ? native_queued_spin_lock_slowpath
     </NMI>
     <IRQ>
    _raw_spin_lock_irqsave
    snd_pcm_period_elapsed snd_pcm
    process_rx_packets snd_firewire_lib
    irq_target_callback snd_firewire_lib
    handle_it_packet firewire_ohci
    context_tasklet firewire_ohci
    
    Restore the process context work queue to prevent deadlock
    AB/BA deadlock competition for ALSA substream lock of
    snd_pcm_stream_lock_irq() in snd_pcm_status64()
    and snd_pcm_stream_lock_irqsave() in snd_pcm_period_elapsed().
    
    revert commit 7ba5ca32fe6e ("ALSA: firewire-lib: operate for period
    elapse event in process context")
    
    Replace inline description to prevent future deadlock.
    
    Cc: stable@vger.kernel.org
    Fixes: 7ba5ca32fe6e ("ALSA: firewire-lib: operate for period elapse event in process context")
    Reported-by: edmund.raile <edmund.raile@proton.me>
    Closes: https://lore.kernel.org/r/kwryofzdmjvzkuw6j3clftsxmoolynljztxqwg76hzeo4simnl@jn3eo7pe642q/
    Signed-off-by: Edmund Raile <edmund.raile@protonmail.com>
    Reviewed-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Link: https://patch.msgid.link/20240730195318.869840-3-edmund.raile@protonmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
RISC-V: Enable the IPI before workqueue_online_cpu() [+ + +]
Author: Nick Hu <nick.hu@sifive.com>
Date:   Wed Jul 17 11:17:14 2024 +0800

    RISC-V: Enable the IPI before workqueue_online_cpu()
    
    [ Upstream commit 3908ba2e0b2476e2ec13e15967bf6a37e449f2af ]
    
    Sometimes the hotplug cpu stalls at the arch_cpu_idle() for a while after
    workqueue_online_cpu(). When cpu stalls at the idle loop, the reschedule
    IPI is pending. However the enable bit is not enabled yet so the cpu stalls
    at WFI until watchdog timeout. Therefore enable the IPI before the
    workqueue_online_cpu() to fix the issue.
    
    Fixes: 63c5484e7495 ("workqueue: Add multiple affinity scopes and interface to select them")
    Signed-off-by: Nick Hu <nick.hu@sifive.com>
    Reviewed-by: Anup Patel <anup@brainfault.org>
    Link: https://lore.kernel.org/r/20240717031714.1946036-1-nick.hu@sifive.com
    Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
riscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error() [+ + +]
Author: Zhe Qiao <qiaozhe@iscas.ac.cn>
Date:   Wed Jul 31 16:45:47 2024 +0800

    riscv/mm: Add handling for VM_FAULT_SIGSEGV in mm_fault_error()
    
    [ Upstream commit 0c710050c47d45eb77b28c271cddefc5c785cb40 ]
    
    Handle VM_FAULT_SIGSEGV in the page fault path so that we correctly
    kill the process and we don't BUG() the kernel.
    
    Fixes: 07037db5d479 ("RISC-V: Paging and MMU")
    Signed-off-by: Zhe Qiao <qiaozhe@iscas.ac.cn>
    Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
    Link: https://lore.kernel.org/r/20240731084547.85380-1-qiaozhe@iscas.ac.cn
    Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
riscv/purgatory: align riscv_kernel_entry [+ + +]
Author: Daniel Maslowski <cyrevolt@googlemail.com>
Date:   Fri Jul 19 19:04:37 2024 +0200

    riscv/purgatory: align riscv_kernel_entry
    
    [ Upstream commit fb197c5d2fd24b9af3d4697d0cf778645846d6d5 ]
    
    When alignment handling is delegated to the kernel, everything must be
    word-aligned in purgatory, since the trap handler is then set to the
    kexec one. Without the alignment, hitting the exception would
    ultimately crash. On other occasions, the kernel's handler would take
    care of exceptions.
    This has been tested on a JH7110 SoC with oreboot and its SBI delegating
    unaligned access exceptions and the kernel configured to handle them.
    
    Fixes: 736e30af583fb ("RISC-V: Add purgatory")
    Signed-off-by: Daniel Maslowski <cyrevolt@gmail.com>
    Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
    Link: https://lore.kernel.org/r/20240719170437.247457-1-cyrevolt@gmail.com
    Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
riscv: Fix linear mapping checks for non-contiguous memory regions [+ + +]
Author: Stuart Menefy <stuart.menefy@codasip.com>
Date:   Sat Jun 22 12:42:16 2024 +0100

    riscv: Fix linear mapping checks for non-contiguous memory regions
    
    [ Upstream commit 3b6564427aea83b7a35a15ca278291d50a1edcfc ]
    
    The RISC-V kernel already has checks to ensure that memory which would
    lie outside of the linear mapping is not used. However those checks
    use memory_limit, which is used to implement the mem= kernel command
    line option (to limit the total amount of memory, not its address
    range). When memory is made up of two or more non-contiguous memory
    banks this check is incorrect.
    
    Two changes are made here:
     - add a call in setup_bootmem() to memblock_cap_memory_range() which
       will cause any memory which falls outside the linear mapping to be
       removed from the memory regions.
     - remove the check in create_linear_mapping_page_table() which was
       intended to remove memory which is outside the liner mapping based
       on memory_limit, as it is no longer needed. Note a check for
       mapping more memory than memory_limit (to implement mem=) is
       unnecessary because of the existing call to
       memblock_enforce_memory_limit().
    
    This issue was seen when booting on a SV39 platform with two memory
    banks:
      0x00,80000000 1GiB
      0x20,00000000 32GiB
    This memory range is 158GiB from top to bottom, but the linear mapping
    is limited to 128GiB, so the lower block of RAM will be mapped at
    PAGE_OFFSET, and the upper block straddles the top of the linear
    mapping.
    
    This causes the following Oops:
    [    0.000000] Linux version 6.10.0-rc2-gd3b8dd5b51dd-dirty (stuart.menefy@codasip.com) (riscv64-codasip-linux-gcc (GCC) 13.2.0, GNU ld (GNU Binutils) 2.41.0.20231213) #20 SMP Sat Jun 22 11:34:22 BST 2024
    [    0.000000] memblock_add: [0x0000000080000000-0x00000000bfffffff] early_init_dt_add_memory_arch+0x4a/0x52
    [    0.000000] memblock_add: [0x0000002000000000-0x00000027ffffffff] early_init_dt_add_memory_arch+0x4a/0x52
    ...
    [    0.000000] memblock_alloc_try_nid: 23724 bytes align=0x8 nid=-1 from=0x0000000000000000 max_addr=0x0000000000000000 early_init_dt_alloc_memory_arch+0x1e/0x48
    [    0.000000] memblock_reserve: [0x00000027ffff5350-0x00000027ffffaffb] memblock_alloc_range_nid+0xb8/0x132
    [    0.000000] Unable to handle kernel paging request at virtual address fffffffe7fff5350
    [    0.000000] Oops [#1]
    [    0.000000] Modules linked in:
    [    0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 6.10.0-rc2-gd3b8dd5b51dd-dirty #20
    [    0.000000] Hardware name: codasip,a70x (DT)
    [    0.000000] epc : __memset+0x8c/0x104
    [    0.000000]  ra : memblock_alloc_try_nid+0x74/0x84
    [    0.000000] epc : ffffffff805e88c8 ra : ffffffff806148f6 sp : ffffffff80e03d50
    [    0.000000]  gp : ffffffff80ec4158 tp : ffffffff80e0bec0 t0 : fffffffe7fff52f8
    [    0.000000]  t1 : 00000027ffffb000 t2 : 5f6b636f6c626d65 s0 : ffffffff80e03d90
    [    0.000000]  s1 : 0000000000005cac a0 : fffffffe7fff5350 a1 : 0000000000000000
    [    0.000000]  a2 : 0000000000005cac a3 : fffffffe7fffaff8 a4 : 000000000000002c
    [    0.000000]  a5 : ffffffff805e88c8 a6 : 0000000000005cac a7 : 0000000000000030
    [    0.000000]  s2 : fffffffe7fff5350 s3 : ffffffffffffffff s4 : 0000000000000000
    [    0.000000]  s5 : ffffffff8062347e s6 : 0000000000000000 s7 : 0000000000000001
    [    0.000000]  s8 : 0000000000002000 s9 : 00000000800226d0 s10: 0000000000000000
    [    0.000000]  s11: 0000000000000000 t3 : ffffffff8080a928 t4 : ffffffff8080a928
    [    0.000000]  t5 : ffffffff8080a928 t6 : ffffffff8080a940
    [    0.000000] status: 0000000200000100 badaddr: fffffffe7fff5350 cause: 000000000000000f
    [    0.000000] [<ffffffff805e88c8>] __memset+0x8c/0x104
    [    0.000000] [<ffffffff8062349c>] early_init_dt_alloc_memory_arch+0x1e/0x48
    [    0.000000] [<ffffffff8043e892>] __unflatten_device_tree+0x52/0x114
    [    0.000000] [<ffffffff8062441e>] unflatten_device_tree+0x9e/0xb8
    [    0.000000] [<ffffffff806046fe>] setup_arch+0xd4/0x5bc
    [    0.000000] [<ffffffff806007aa>] start_kernel+0x76/0x81a
    [    0.000000] Code: b823 02b2 bc23 02b2 b023 04b2 b423 04b2 b823 04b2 (bc23) 04b2
    [    0.000000] ---[ end trace 0000000000000000 ]---
    [    0.000000] Kernel panic - not syncing: Attempted to kill the idle task!
    [    0.000000] ---[ end Kernel panic - not syncing: Attempted to kill the idle task! ]---
    
    The problem is that memblock (unaware that some physical memory cannot
    be used) has allocated memory from the top of memory but which is
    outside the linear mapping region.
    
    Signed-off-by: Stuart Menefy <stuart.menefy@codasip.com>
    Fixes: c99127c45248 ("riscv: Make sure the linear mapping does not use the kernel mapping")
    Reviewed-by: David McKay <david.mckay@codasip.com>
    Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
    Link: https://lore.kernel.org/r/20240622114217.2158495-1-stuart.menefy@codasip.com
    Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
rtnetlink: Don't ignore IFLA_TARGET_NETNSID when ifname is specified in rtnl_dellink(). [+ + +]
Author: Kuniyuki Iwashima <kuniyu@amazon.com>
Date:   Fri Jul 26 17:19:53 2024 -0700

    rtnetlink: Don't ignore IFLA_TARGET_NETNSID when ifname is specified in rtnl_dellink().
    
    [ Upstream commit 9415d375d8520e0ed55f0c0b058928da9a5b5b3d ]
    
    The cited commit accidentally replaced tgt_net with net in rtnl_dellink().
    
    As a result, IFLA_TARGET_NETNSID is ignored if the interface is specified
    with IFLA_IFNAME or IFLA_ALT_IFNAME.
    
    Let's pass tgt_net to rtnl_dev_get().
    
    Fixes: cc6090e985d7 ("net: rtnetlink: introduce helper to get net_device instance by ifname")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
    Reviewed-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
rust: SHADOW_CALL_STACK is incompatible with Rust [+ + +]
Author: Alice Ryhl <aliceryhl@google.com>
Date:   Mon Jul 29 14:22:49 2024 +0000

    rust: SHADOW_CALL_STACK is incompatible with Rust
    
    commit f126745da81783fb1d082e67bf14c6795e489a88 upstream.
    
    When using the shadow call stack sanitizer, all code must be compiled
    with the -ffixed-x18 flag, but this flag is not currently being passed
    to Rust. This results in crashes that are extremely difficult to debug.
    
    To ensure that nobody else has to go through the same debugging session
    that I had to, prevent configurations that enable both SHADOW_CALL_STACK
    and RUST.
    
    It is rather common for people to backport 724a75ac9542 ("arm64: rust:
    Enable Rust support for AArch64"), so I recommend applying this fix all
    the way back to 6.1.
    
    Cc: stable@vger.kernel.org # 6.1 and later
    Fixes: 724a75ac9542 ("arm64: rust: Enable Rust support for AArch64")
    Signed-off-by: Alice Ryhl <aliceryhl@google.com>
    Acked-by: Miguel Ojeda <ojeda@kernel.org>
    Link: https://lore.kernel.org/r/20240729-shadow-call-stack-v4-1-2a664b082ea4@google.com
    Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
s390/fpu: Re-add exception handling in load_fpu_state() [+ + +]
Author: Heiko Carstens <hca@linux.ibm.com>
Date:   Thu Jul 25 11:31:52 2024 +0200

    s390/fpu: Re-add exception handling in load_fpu_state()
    
    commit 4734406c39238cbeafe66f0060084caa3247ff53 upstream.
    
    With the recent rewrite of the fpu code exception handling for the
    lfpc instruction within load_fpu_state() was erroneously removed.
    
    Add it again to prevent that loading invalid floating point register
    values cause an unhandled specification exception.
    
    Fixes: 8c09871a950a ("s390/fpu: limit save and restore to used registers")
    Cc: stable@vger.kernel.org
    Reported-by: Aristeu Rozanski <aris@redhat.com>
    Tested-by: Aristeu Rozanski <aris@redhat.com>
    Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
    Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
s390/mm/ptdump: Fix handling of identity mapping area [+ + +]
Author: Heiko Carstens <hca@linux.ibm.com>
Date:   Tue Jul 23 20:49:53 2024 +0200

    s390/mm/ptdump: Fix handling of identity mapping area
    
    [ Upstream commit 373953444ce542db43535861fb8ebf3a1e05669c ]
    
    Since virtual and real addresses are not the same anymore the
    assumption that the kernel image is contained within the identity
    mapping is also not true anymore.
    
    Fix this by adding two explicit areas and at the correct locations: one
    for the 8kb lowcore area, and one for the identity mapping.
    
    Fixes: c98d2ecae08f ("s390/mm: Uncouple physical vs virtual address spaces")
    Reviewed-by: Alexander Gordeev <agordeev@linux.ibm.com>
    Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
    Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
sched: act_ct: take care of padding in struct zones_ht_key [+ + +]
Author: Eric Dumazet <edumazet@google.com>
Date:   Thu Jul 25 09:27:45 2024 +0000

    sched: act_ct: take care of padding in struct zones_ht_key
    
    [ Upstream commit 2191a54f63225b548fd8346be3611c3219a24738 ]
    
    Blamed commit increased lookup key size from 2 bytes to 16 bytes,
    because zones_ht_key got a struct net pointer.
    
    Make sure rhashtable_lookup() is not using the padding bytes
    which are not initialized.
    
     BUG: KMSAN: uninit-value in rht_ptr_rcu include/linux/rhashtable.h:376 [inline]
     BUG: KMSAN: uninit-value in __rhashtable_lookup include/linux/rhashtable.h:607 [inline]
     BUG: KMSAN: uninit-value in rhashtable_lookup include/linux/rhashtable.h:646 [inline]
     BUG: KMSAN: uninit-value in rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
     BUG: KMSAN: uninit-value in tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329
      rht_ptr_rcu include/linux/rhashtable.h:376 [inline]
      __rhashtable_lookup include/linux/rhashtable.h:607 [inline]
      rhashtable_lookup include/linux/rhashtable.h:646 [inline]
      rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
      tcf_ct_flow_table_get+0x611/0x2260 net/sched/act_ct.c:329
      tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408
      tcf_action_init_1+0x6cc/0xb30 net/sched/act_api.c:1425
      tcf_action_init+0x458/0xf00 net/sched/act_api.c:1488
      tcf_action_add net/sched/act_api.c:2061 [inline]
      tc_ctl_action+0x4be/0x19d0 net/sched/act_api.c:2118
      rtnetlink_rcv_msg+0x12fc/0x1410 net/core/rtnetlink.c:6647
      netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2550
      rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6665
      netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
      netlink_unicast+0xf52/0x1260 net/netlink/af_netlink.c:1357
      netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1901
      sock_sendmsg_nosec net/socket.c:730 [inline]
      __sock_sendmsg+0x30f/0x380 net/socket.c:745
      ____sys_sendmsg+0x877/0xb60 net/socket.c:2597
      ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2651
      __sys_sendmsg net/socket.c:2680 [inline]
      __do_sys_sendmsg net/socket.c:2689 [inline]
      __se_sys_sendmsg net/socket.c:2687 [inline]
      __x64_sys_sendmsg+0x307/0x4a0 net/socket.c:2687
      x64_sys_call+0x2dd6/0x3c10 arch/x86/include/generated/asm/syscalls_64.h:47
      do_syscall_x64 arch/x86/entry/common.c:52 [inline]
      do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
     entry_SYSCALL_64_after_hwframe+0x77/0x7f
    
    Local variable key created at:
      tcf_ct_flow_table_get+0x4a/0x2260 net/sched/act_ct.c:324
      tcf_ct_init+0xa67/0x2890 net/sched/act_ct.c:1408
    
    Fixes: 88c67aeb1407 ("sched: act_ct: add netns into the key of tcf_ct_flow_table")
    Reported-by: syzbot+1b5e4e187cc586d05ea0@syzkaller.appspotmail.com
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Cc: Xin Long <lucien.xin@gmail.com>
    Reviewed-by: Simon Horman <horms@kernel.org>
    Reviewed-by: Xin Long <lucien.xin@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
selftests: mptcp: always close input's FD if opened [+ + +]
Author: Liu Jing <liujing@cmss.chinamobile.com>
Date:   Sat Jul 27 11:04:03 2024 +0200

    selftests: mptcp: always close input's FD if opened
    
    commit 7c70bcc2a84cf925f655ea1ac4b8088062b144a3 upstream.
    
    In main_loop_s function, when the open(cfg_input, O_RDONLY) function is
    run, the last fd is not closed if the "--cfg_repeat > 0" branch is not
    taken.
    
    Fixes: 05be5e273c84 ("selftests: mptcp: add disconnect tests")
    Cc: stable@vger.kernel.org
    Signed-off-by: Liu Jing <liujing@cmss.chinamobile.com>
    Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
    Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

selftests: mptcp: fix error path [+ + +]
Author: Paolo Abeni <pabeni@redhat.com>
Date:   Sat Jul 27 11:04:02 2024 +0200

    selftests: mptcp: fix error path
    
    commit 4a2f48992ddf4b8c2fba846c6754089edae6db5a upstream.
    
    pm_nl_check_endpoint() currently calls an not existing helper
    to mark the test as failed. Fix the wrong call.
    
    Fixes: 03668c65d153 ("selftests: mptcp: join: rework detailed report")
    Cc: stable@vger.kernel.org
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
    Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

selftests: mptcp: join: check backup support in signal endp [+ + +]
Author: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Date:   Sat Jul 27 12:01:29 2024 +0200

    selftests: mptcp: join: check backup support in signal endp
    
    commit f833470c27832136d4416d8fc55d658082af0989 upstream.
    
    Before the previous commit, 'signal' endpoints with the 'backup' flag
    were ignored when sending the MP_JOIN.
    
    The MPTCP Join selftest has then been modified to validate this case:
    the "single address, backup" test, is now validating the MP_JOIN with a
    backup flag as it is what we expect it to do with such name. The
    previous version has been kept, but renamed to "single address, switch
    to backup" to avoid confusions.
    
    The "single address with port, backup" test is also now validating the
    MPJ with a backup flag, which makes more sense than checking the switch
    to backup with an MP_PRIO.
    
    The "mpc backup both sides" test is now validating that the backup flag
    is also set in MP_JOIN from and to the addresses used in the initial
    subflow, using the special ID 0.
    
    The 'Fixes' tag here below is the same as the one from the previous
    commit: this patch here is not fixing anything wrong in the selftests,
    but it validates the previous fix for an issue introduced by this commit
    ID.
    
    Fixes: 4596a2c1b7f5 ("mptcp: allow creating non-backup subflows")
    Cc: stable@vger.kernel.org
    Reviewed-by: Mat Martineau <martineau@kernel.org>
    Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

selftests: mptcp: join: validate backup in MPJ [+ + +]
Author: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Date:   Sat Jul 27 12:01:27 2024 +0200

    selftests: mptcp: join: validate backup in MPJ
    
    commit 935ff5bb8a1cfcdf8e60c8f5c794d0bbbc234437 upstream.
    
    A peer can notify the other one that a subflow has to be treated as
    "backup" by two different ways: either by sending a dedicated MP_PRIO
    notification, or by setting the backup flag in the MP_JOIN handshake.
    
    The selftests were previously monitoring the former, but not the latter.
    This is what is now done here by looking at these new MIB counters when
    validating the 'backup' cases:
    
      MPTcpExtMPJoinSynBackupRx
      MPTcpExtMPJoinSynAckBackupRx
    
    The 'Fixes' tag here below is the same as the one from the previous
    commit: this patch here is not fixing anything wrong in the selftests,
    but it will help to validate a new fix for an issue introduced by this
    commit ID.
    
    Fixes: 4596a2c1b7f5 ("mptcp: allow creating non-backup subflows")
    Cc: stable@vger.kernel.org
    Reviewed-by: Mat Martineau <martineau@kernel.org>
    Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 
tcp: Adjust clamping window for applications specifying SO_RCVBUF [+ + +]
Author: Subash Abhinov Kasiviswanathan <quic_subashab@quicinc.com>
Date:   Fri Jul 26 13:41:05 2024 -0700

    tcp: Adjust clamping window for applications specifying SO_RCVBUF
    
    [ Upstream commit 05f76b2d634e65ab34472802d9b142ea9e03f74e ]
    
    tp->scaling_ratio is not updated based on skb->len/skb->truesize once
    SO_RCVBUF is set leading to the maximum window scaling to be 25% of
    rcvbuf after
    commit dfa2f0483360 ("tcp: get rid of sysctl_tcp_adv_win_scale")
    and 50% of rcvbuf after
    commit 697a6c8cec03 ("tcp: increase the default TCP scaling ratio").
    50% tries to emulate the behavior of older kernels using
    sysctl_tcp_adv_win_scale with default value.
    
    Systems which were using a different values of sysctl_tcp_adv_win_scale
    in older kernels ended up seeing reduced download speeds in certain
    cases as covered in https://lists.openwall.net/netdev/2024/05/15/13
    While the sysctl scheme is no longer acceptable, the value of 50% is
    a bit conservative when the skb->len/skb->truesize ratio is later
    determined to be ~0.66.
    
    Applications not specifying SO_RCVBUF update the window scaling and
    the receiver buffer every time data is copied to userspace. This
    computation is now used for applications setting SO_RCVBUF to update
    the maximum window scaling while ensuring that the receive buffer
    is within the application specified limit.
    
    Fixes: dfa2f0483360 ("tcp: get rid of sysctl_tcp_adv_win_scale")
    Signed-off-by: Sean Tranchetti <quic_stranche@quicinc.com>
    Signed-off-by: Subash Abhinov Kasiviswanathan <quic_subashab@quicinc.com>
    Reviewed-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

 
wifi: ath12k: fix soft lockup on suspend [+ + +]
Author: Johan Hovold <johan+linaro@kernel.org>
Date:   Tue Jul 9 09:31:32 2024 +0200

    wifi: ath12k: fix soft lockup on suspend
    
    commit a47f3320bb4ba6714abe8dddb36399367b491358 upstream.
    
    The ext interrupts are enabled when the firmware has been started, but
    this may never happen, for example, if the board configuration file is
    missing.
    
    When the system is later suspended, the driver unconditionally tries to
    disable interrupts, which results in an irq disable imbalance and causes
    the driver to spin indefinitely in napi_synchronize().
    
    Make sure that the interrupts have been enabled before attempting to
    disable them.
    
    Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices")
    Cc: stable@vger.kernel.org      # 6.3
    Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
    Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
    Link: https://patch.msgid.link/20240709073132.9168-1-johan+linaro@kernel.org
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

wifi: cfg80211: correct S1G beacon length calculation [+ + +]
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Wed Jul 24 13:29:12 2024 +0200

    wifi: cfg80211: correct S1G beacon length calculation
    
    [ Upstream commit 6873cc4416078202882691b424fcca5b5fb1a94d ]
    
    The minimum header length calculation (equivalent to the start
    of the elements) for the S1G long beacon erroneously required
    only up to the start of u.s1g_beacon rather than the start of
    u.s1g_beacon.variable. Fix that, and also shuffle the branches
    around a bit to not assign useless values that are overwritten
    later.
    
    Reported-by: syzbot+0f3afa93b91202f21939@syzkaller.appspotmail.com
    Fixes: 9eaffe5078ca ("cfg80211: convert S1G beacon to scan results")
    Link: https://patch.msgid.link/20240724132912.9662972db7c1.I8779675b5bbda4994cc66f876b6b87a2361c3c0b@changeid
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: cfg80211: fix reporting failed MLO links status with cfg80211_connect_done [+ + +]
Author: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Date:   Wed Jul 24 18:23:27 2024 +0530

    wifi: cfg80211: fix reporting failed MLO links status with cfg80211_connect_done
    
    [ Upstream commit baeaabf970b9a90999f62ae27edf63f6cb86c023 ]
    
    Individual MLO links connection status is not copied to
    EVENT_CONNECT_RESULT data while processing the connect response
    information in cfg80211_connect_done(). Due to this failed links
    are wrongly indicated with success status in EVENT_CONNECT_RESULT.
    
    To fix this, copy the individual MLO links status to the
    EVENT_CONNECT_RESULT data.
    
    Fixes: 53ad07e9823b ("wifi: cfg80211: support reporting failed links")
    Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
    Reviewed-by: Carlos Llamas <cmllamas@google.com>
    Link: https://patch.msgid.link/20240724125327.3495874-1-quic_vjakkam@quicinc.com
    [commit message editorial changes]
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

wifi: mac80211: use monitor sdata with driver only if desired [+ + +]
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Thu Jul 25 18:48:36 2024 +0200

    wifi: mac80211: use monitor sdata with driver only if desired
    
    commit 8f4fa0876231c426f880a2bff25ac49fac67d805 upstream.
    
    In commit 0d9c2beed116 ("wifi: mac80211: fix monitor channel
    with chanctx emulation") I changed mac80211 to always have an
    internal monitor_sdata to have something to have the chanctx
    bound to.
    
    However, if the driver didn't also have the WANT_MONITOR flag
    this would cause mac80211 to allocate it without telling the
    driver (which was intentional) but also use it for later APIs
    to the driver without it ever having known about it which was
    _not_ intentional.
    
    Check through the code and only use the monitor_sdata in the
    relevant places (TX, MU-MIMO follow settings, TX power, and
    interface iteration) when the WANT_MONITOR flag is set.
    
    Cc: stable@vger.kernel.org
    Fixes: 0d9c2beed116 ("wifi: mac80211: fix monitor channel with chanctx emulation")
    Reported-by: ZeroBeat <ZeroBeat@gmx.de>
    Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219086
    Tested-by: Lorenzo Bianconi <lorenzo@kernel.org>
    Link: https://patch.msgid.link/20240725184836.25d334157a8e.I02574086da2c5cf0e18264ce5807db6f14ffd9c0@changeid
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>