commit 3b717ad0e90f88642da05bdea585d5ee98c287cb
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Wed Nov 8 11:21:10 2023 +0100

    Linux 4.14.329
    
    Link: https://lore.kernel.org/r/20231106130257.862199836@linuxfoundation.org
    Tested-by: Pavel Machek (CIP) <pavel@denx.de>
    Tested-by: Jon Hunter <jonathanh@nvidia.com>
    Tested-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
    Tested-by: Guenter Roeck <linux@roeck-us.net>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b32baccfda9f2a1c3e7d6d48a2b403eb8b1b232a
Author: Cameron Williams <cang1@live.co.uk>
Date:   Fri Oct 20 17:03:11 2023 +0100

    tty: 8250: Add support for Intashield IS-100
    
    commit 4d994e3cf1b541ff32dfb03fbbc60eea68f9645b upstream.
    
    Add support for the Intashield IS-100 1 port serial card.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Cameron Williams <cang1@live.co.uk>
    Link: https://lore.kernel.org/r/DU0PR02MB7899A0E0CDAA505AF5A874CDC4DBA@DU0PR02MB7899.eurprd02.prod.outlook.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 17b3fa1655774fa920fcf44aab23184de050cf55
Author: Cameron Williams <cang1@live.co.uk>
Date:   Fri Oct 20 17:03:10 2023 +0100

    tty: 8250: Add support for Brainboxes UP cards
    
    commit 2c6fec1e1532f15350be7e14ba6b88a39d289fe4 upstream.
    
    Add support for the Brainboxes UP (powered PCI) range of
    cards, namely UP-189, UP-200, UP-869 and UP-880.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Cameron Williams <cang1@live.co.uk>
    Link: https://lore.kernel.org/r/DU0PR02MB7899B5B59FF3D8587E88C117C4DBA@DU0PR02MB7899.eurprd02.prod.outlook.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a689cdaffddb7167b1877db00f7113019e554709
Author: Cameron Williams <cang1@live.co.uk>
Date:   Fri Oct 20 17:03:09 2023 +0100

    tty: 8250: Add support for additional Brainboxes UC cards
    
    commit c563db486db7d245c0e2f319443417ae8e692f7f upstream.
    
    Add device IDs for some more Brainboxes UC cards, namely
    UC-235/UC-246, UC-253/UC-734, UC-302, UC-313, UC-346, UC-357,
    UC-607 and UC-836.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Cameron Williams <cang1@live.co.uk>
    Link: https://lore.kernel.org/r/DU0PR02MB789969998A6C3FAFCD95C85DC4DBA@DU0PR02MB7899.eurprd02.prod.outlook.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 06a27a8fd65b007e4086677c02951fbc4c367d11
Author: Cameron Williams <cang1@live.co.uk>
Date:   Fri Oct 20 17:03:08 2023 +0100

    tty: 8250: Remove UC-257 and UC-431
    
    commit 33092fb3af51deb80849e90a17bada44bbcde6b3 upstream.
    
    The UC-257 is a serial + LPT card, so remove it from this driver.
    A patch has been submitted to add it to parport_serial instead.
    
    Additionaly, the UC-431 does not use this card ID, only the UC-420
    does. The 431 is a 3-port card and there is no generic 3-port configuration
    available, so remove reference to it from this driver.
    
    Fixes: 152d1afa834c ("tty: Add support for Brainboxes UC cards.")
    Cc: stable@vger.kernel.org
    Signed-off-by: Cameron Williams <cang1@live.co.uk>
    Link: https://lore.kernel.org/r/DU0PR02MB78995ADF7394C74AD4CF3357C4DBA@DU0PR02MB7899.eurprd02.prod.outlook.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6af059e75607a000f513551f0737b6f6dd1929c7
Author: LihaSika <lihasika@gmail.com>
Date:   Fri Oct 27 20:28:04 2023 +0300

    usb: storage: set 1.50 as the lower bcdDevice for older "Super Top" compatibility
    
    commit 0e3139e6543b241b3e65956a55c712333bef48ac upstream.
    
    Change lower bcdDevice value for "Super Top USB 2.0  SATA BRIDGE" to match
    1.50. I have such an older device with bcdDevice=1.50 and it will not work
    otherwise.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Liha Sikanen <lihasika@gmail.com>
    Link: https://lore.kernel.org/r/ccf7d12a-8362-4916-b3e0-f4150f54affd@gmail.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 25f9656c87d18a92b36f4c17051ddc91571b3382
Author: Vicki Pfau <vi@endrift.com>
Date:   Wed Sep 27 13:22:12 2023 -0700

    PCI: Prevent xHCI driver from claiming AMD VanGogh USB3 DRD device
    
    commit 7e6f3b6d2c352b5fde37ce3fed83bdf6172eebd4 upstream.
    
    The AMD VanGogh SoC contains a DesignWare USB3 Dual-Role Device that can be
    operated as either a USB Host or a USB Device, similar to on the AMD Nolan
    platform.
    
    be6646bfbaec ("PCI: Prevent xHCI driver from claiming AMD Nolan USB3 DRD
    device") added a quirk to let the dwc3 driver claim the Nolan device since
    it provides more specific support.
    
    Extend that quirk to include the VanGogh SoC USB3 device.
    
    Link: https://lore.kernel.org/r/20230927202212.2388216-1-vi@endrift.com
    Signed-off-by: Vicki Pfau <vi@endrift.com>
    [bhelgaas: include be6646bfbaec reference, add stable tag]
    Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
    Cc: stable@vger.kernel.org      # v3.19+
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit af79ea9a2443016f64d8fd8d72020cc874f0e066
Author: George Kennedy <george.kennedy@oracle.com>
Date:   Tue Jan 24 11:16:54 2023 -0500

    vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF
    
    commit 226fae124b2dac217ea5436060d623ff3385bc34 upstream.
    
    After a call to console_unlock() in vcs_read() the vc_data struct can be
    freed by vc_deallocate(). Because of that, the struct vc_data pointer
    load must be done at the top of while loop in vcs_read() to avoid a UAF
    when vcs_size() is called.
    
    Syzkaller reported a UAF in vcs_size().
    
    BUG: KASAN: use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215)
    Read of size 4 at addr ffff8881137479a8 by task 4a005ed81e27e65/1537
    
    CPU: 0 PID: 1537 Comm: 4a005ed81e27e65 Not tainted 6.2.0-rc5 #1
    Hardware name: Red Hat KVM, BIOS 1.15.0-2.module
    Call Trace:
      <TASK>
    __asan_report_load4_noabort (mm/kasan/report_generic.c:350)
    vcs_size (drivers/tty/vt/vc_screen.c:215)
    vcs_read (drivers/tty/vt/vc_screen.c:415)
    vfs_read (fs/read_write.c:468 fs/read_write.c:450)
    ...
      </TASK>
    
    Allocated by task 1191:
    ...
    kmalloc_trace (mm/slab_common.c:1069)
    vc_allocate (./include/linux/slab.h:580 ./include/linux/slab.h:720
         drivers/tty/vt/vt.c:1128 drivers/tty/vt/vt.c:1108)
    con_install (drivers/tty/vt/vt.c:3383)
    tty_init_dev (drivers/tty/tty_io.c:1301 drivers/tty/tty_io.c:1413
         drivers/tty/tty_io.c:1390)
    tty_open (drivers/tty/tty_io.c:2080 drivers/tty/tty_io.c:2126)
    chrdev_open (fs/char_dev.c:415)
    do_dentry_open (fs/open.c:883)
    vfs_open (fs/open.c:1014)
    ...
    
    Freed by task 1548:
    ...
    kfree (mm/slab_common.c:1021)
    vc_port_destruct (drivers/tty/vt/vt.c:1094)
    tty_port_destructor (drivers/tty/tty_port.c:296)
    tty_port_put (drivers/tty/tty_port.c:312)
    vt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2))
    vt_ioctl (drivers/tty/vt/vt_ioctl.c:903)
    tty_ioctl (drivers/tty/tty_io.c:2776)
    ...
    
    The buggy address belongs to the object at ffff888113747800
      which belongs to the cache kmalloc-1k of size 1024
    The buggy address is located 424 bytes inside of
      1024-byte region [ffff888113747800, ffff888113747c00)
    
    The buggy address belongs to the physical page:
    page:00000000b3fe6c7c refcount:1 mapcount:0 mapping:0000000000000000
         index:0x0 pfn:0x113740
    head:00000000b3fe6c7c order:3 compound_mapcount:0 subpages_mapcount:0
         compound_pincount:0
    anon flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff)
    raw: 0017ffffc0010200 ffff888100042dc0 0000000000000000 dead000000000001
    raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
    page dumped because: kasan: bad access detected
    
    Memory state around the buggy address:
      ffff888113747880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ffff888113747900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    > ffff888113747980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                       ^
      ffff888113747a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ffff888113747a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    ==================================================================
    Disabling lock debugging due to kernel taint
    
    Fixes: ac751efa6a0d ("console: rename acquire/release_console_sem() to console_lock/unlock()")
    Reported-by: syzkaller <syzkaller@googlegroups.com>
    Suggested-by: Jiri Slaby <jirislaby@kernel.org>
    Signed-off-by: George Kennedy <george.kennedy@oracle.com>
    Link: https://lore.kernel.org/r/1674577014-12374-1-git-send-email-george.kennedy@oracle.com
    [ 4.14: Adjust context ]
    Signed-off-by: Suraj Jitindar Singh <surajjs@amazon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ec1d8c8afce56825101861330e813ddbda332441
Author: Christoph Hellwig <hch@lst.de>
Date:   Thu Jul 21 08:41:02 2022 +0200

    remove the sx8 block driver
    
    commit d13bc4d84a8e91060d3797fc95c1a0202bfd1499 upstream.
    
    This driver is for fairly obscure hardware, and has only seen random
    drive-by changes after the maintainer stopped working on it in 2005
    (about a year and a half after it was introduced).  It has some
    "interesting" block layer interactions, so let's just drop it unless
    anyone complains.
    
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    Link: https://lore.kernel.org/r/20220721064102.1715460-1-hch@lst.de
    [axboe: fix date typo, it was in 2005, not 2015]
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a8db39338fd1373420cdf321cd4f0a471ae3d73e
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Sat Dec 3 11:54:25 2022 +0100

    ata: ahci: fix enum constants for gcc-13
    
    commit f07788079f515ca4a681c5f595bdad19cfbd7b1d upstream.
    
    gcc-13 slightly changes the type of constant expressions that are defined
    in an enum, which triggers a compile time sanity check in libata:
    
    linux/drivers/ata/libahci.c: In function 'ahci_led_store':
    linux/include/linux/compiler_types.h:357:45: error: call to '__compiletime_assert_302' declared with attribute error: BUILD_BUG_ON failed: sizeof(_s) > sizeof(long)
    357 | _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
    
    The new behavior is that sizeof() returns the same value for the
    constant as it does for the enum type, which is generally more sensible
    and consistent.
    
    The problem in libata is that it contains a single enum definition for
    lots of unrelated constants, some of which are large positive (unsigned)
    integers like 0xffffffff, while others like (1<<31) are interpreted as
    negative integers, and this forces the enum type to become 64 bit wide
    even though most constants would still fit into a signed 32-bit 'int'.
    
    Fix this by changing the entire enum definition to use BIT(x) in place
    of (1<<x), which results in all values being seen as 'unsigned' and
    fitting into an unsigned 32-bit type.
    
    Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107917
    Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107405
    Reported-by: Luis Machado <luis.machado@arm.com>
    Cc: linux-ide@vger.kernel.org
    Cc: Damien Le Moal <damien.lemoal@opensource.wdc.com>
    Cc: stable@vger.kernel.org
    Cc: Randy Dunlap <rdunlap@infradead.org>
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Tested-by: Luis Machado <luis.machado@arm.com>
    Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
    [Backport to linux-4.14.y]
    Signed-off-by: Paul Barker <paul.barker.ct@bp.renesas.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6856ad397941b840735d70106465660407252120
Author: Su Hui <suhui@nfschina.com>
Date:   Fri Oct 20 17:27:59 2023 +0800

    net: chelsio: cxgb4: add an error code check in t4_load_phy_fw
    
    [ Upstream commit 9f771493da935299c6393ad3563b581255d01a37 ]
    
    t4_set_params_timeout() can return -EINVAL if failed, add check
    for this.
    
    Signed-off-by: Su Hui <suhui@nfschina.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit bd935c8f452e4a2f922f7491bd1d8f0593d782fd
Author: Hans de Goede <hdegoede@redhat.com>
Date:   Tue Oct 17 11:07:23 2023 +0200

    platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from 0x20 to 0x2e
    
    [ Upstream commit f37cc2fc277b371fc491890afb7d8a26e36bb3a1 ]
    
    Older Asus laptops change the backlight level themselves and then send
    WMI events with different codes for different backlight levels.
    
    The asus-wmi.c code maps the entire range of codes reported on
    brightness down keypresses to an internal ASUS_WMI_BRN_DOWN code:
    
    define NOTIFY_BRNUP_MIN                0x11
    define NOTIFY_BRNUP_MAX                0x1f
    define NOTIFY_BRNDOWN_MIN              0x20
    define NOTIFY_BRNDOWN_MAX              0x2e
    
            if (code >= NOTIFY_BRNUP_MIN && code <= NOTIFY_BRNUP_MAX)
                    code = ASUS_WMI_BRN_UP;
            else if (code >= NOTIFY_BRNDOWN_MIN && code <= NOTIFY_BRNDOWN_MAX)
                    code = ASUS_WMI_BRN_DOWN;
    
    Before this commit all the NOTIFY_BRNDOWN_MIN - NOTIFY_BRNDOWN_MAX
    aka 0x20 - 0x2e events were mapped to 0x20.
    
    This mapping is causing issues on new laptop models which actually
    send 0x2b events for printscreen presses and 0x2c events for
    capslock presses, which get translated into spurious brightness-down
    presses.
    
    The plan is disable the 0x11-0x2e special mapping on laptops
    where asus-wmi does not register a backlight-device to avoid
    the spurious brightness-down keypresses. New laptops always send
    0x2e for brightness-down presses, change the special internal
    ASUS_WMI_BRN_DOWN value from 0x20 to 0x2e to match this in
    preparation for fixing the spurious brightness-down presses.
    
    This change does not have any functional impact since all
    of 0x20 - 0x2e is mapped to ASUS_WMI_BRN_DOWN first and only
    then checked against the keymap code and the new 0x2e
    value is still in the 0x20 - 0x2e range.
    
    Reported-by: James John <me@donjajo.com>
    Closes: https://lore.kernel.org/platform-driver-x86/a2c441fe-457e-44cf-a146-0ecd86b037cf@donjajo.com/
    Closes: https://bbs.archlinux.org/viewtopic.php?pid=2123716
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Link: https://lore.kernel.org/r/20231017090725.38163-2-hdegoede@redhat.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 2f64fef12c6e64925a531c906abfb8dc4c0edd33
Author: Tomas Henzl <thenzl@redhat.com>
Date:   Sun Oct 15 13:45:29 2023 +0200

    scsi: mpt3sas: Fix in error path
    
    [ Upstream commit e40c04ade0e2f3916b78211d747317843b11ce10 ]
    
    The driver should be deregistered as misc driver after PCI registration
    failure.
    
    Signed-off-by: Tomas Henzl <thenzl@redhat.com>
    Link: https://lore.kernel.org/r/20231015114529.10725-1-thenzl@redhat.com
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit fb7ab17f40555c478c9dc421ec0f226482c18397
Author: Jorge Maidana <jorgem.linux@gmail.com>
Date:   Fri Oct 6 17:43:47 2023 -0300

    fbdev: uvesafb: Call cn_del_callback() at the end of uvesafb_exit()
    
    [ Upstream commit 1022e7e2f40574c74ed32c3811b03d26b0b81daf ]
    
    Delete the v86d netlink only after all the VBE tasks have been
    completed.
    
    Fixes initial state restore on module unload:
    uvesafb: VBE state restore call failed (eax=0x4f04, err=-19)
    
    Signed-off-by: Jorge Maidana <jorgem.linux@gmail.com>
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3d9fffe549590bddcdfce8e902a4c2a1638d0e50
Author: Shuming Fan <shumingf@realtek.com>
Date:   Fri Oct 13 17:45:25 2023 +0800

    ASoC: rt5650: fix the wrong result of key button
    
    [ Upstream commit f88dfbf333b3661faff996bb03af2024d907b76a ]
    
    The RT5650 should enable a power setting for button detection to avoid the wrong result.
    
    Signed-off-by: Shuming Fan <shumingf@realtek.com>
    Link: https://lore.kernel.org/r/20231013094525.715518-1-shumingf@realtek.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 886115a8379caf34574539b11c0cebc2d717bb75
Author: Florian Westphal <fw@strlen.de>
Date:   Thu Oct 5 10:53:08 2023 +0200

    netfilter: nfnetlink_log: silence bogus compiler warning
    
    [ Upstream commit 2e1d175410972285333193837a4250a74cd472e6 ]
    
    net/netfilter/nfnetlink_log.c:800:18: warning: variable 'ctinfo' is uninitialized
    
    The warning is bogus, the variable is only used if ct is non-NULL and
    always initialised in that case.  Init to 0 too to silence this.
    
    Reported-by: kernel test robot <lkp@intel.com>
    Closes: https://lore.kernel.org/oe-kbuild-all/202309100514.ndBFebXN-lkp@intel.com/
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 8b836d641daa04bd2c66c95171adaa7b912743ca
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Thu Sep 21 19:04:21 2023 +0800

    fbdev: atyfb: only use ioremap_uc() on i386 and ia64
    
    [ Upstream commit c1a8d1d0edb71dec15c9649cb56866c71c1ecd9e ]
    
    ioremap_uc() is only meaningful on old x86-32 systems with the PAT
    extension, and on ia64 with its slightly unconventional ioremap()
    behavior, everywhere else this is the same as ioremap() anyway.
    
    Change the only driver that still references ioremap_uc() to only do so
    on x86-32/ia64 in order to allow removing that interface at some
    point in the future for the other architectures.
    
    On some architectures, ioremap_uc() just returns NULL, changing
    the driver to call ioremap() means that they now have a chance
    of working correctly.
    
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: Baoquan He <bhe@redhat.com>
    Reviewed-by: Luis Chamberlain <mcgrof@kernel.org>
    Cc: Helge Deller <deller@gmx.de>
    Cc: Thomas Zimmermann <tzimmermann@suse.de>
    Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
    Cc: linux-fbdev@vger.kernel.org
    Cc: dri-devel@lists.freedesktop.org
    Signed-off-by: Helge Deller <deller@gmx.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 365fbb85bbffeb9f8310a35df55cff4acdee0ac5
Author: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Date:   Fri Oct 13 17:29:57 2023 -0700

    Input: synaptics-rmi4 - handle reset delay when using SMBus trsnsport
    
    [ Upstream commit 5030b2fe6aab37fe42d14f31842ea38be7c55c57 ]
    
    Touch controllers need some time after receiving reset command for the
    firmware to finish re-initializing and be ready to respond to commands
    from the host. The driver already had handling for the post-reset delay
    for I2C and SPI transports, this change adds the handling to
    SMBus-connected devices.
    
    SMBus devices are peculiar because they implement legacy PS/2
    compatibility mode, so reset is actually issued by psmouse driver on the
    associated serio port, after which the control is passed to the RMI4
    driver with SMBus companion device.
    
    Note that originally the delay was added to psmouse driver in
    92e24e0e57f7 ("Input: psmouse - add delay when deactivating for SMBus
    mode"), but that resulted in an unwanted delay in "fast" reconnect
    handler for the serio port, so it was decided to revert the patch and
    have the delay being handled in the RMI4 driver, similar to the other
    transports.
    
    Tested-by: Jeffery Miller <jefferymiller@google.com>
    Link: https://lore.kernel.org/r/ZR1yUFJ8a9Zt606N@penguin
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3b6a41708d0c95fcd28f776d12fd3657c5c57ce1
Author: Zhang Shurong <zhang_shurong@foxmail.com>
Date:   Thu Oct 5 22:28:35 2023 +0800

    dmaengine: ste_dma40: Fix PM disable depth imbalance in d40_probe
    
    [ Upstream commit 0618c077a8c20e8c81e367988f70f7e32bb5a717 ]
    
    The pm_runtime_enable will increase power disable depth. Thus
    a pairing decrement is needed on the error handling path to
    keep it balanced according to context.
    We fix it by calling pm_runtime_disable when error returns.
    
    Signed-off-by: Zhang Shurong <zhang_shurong@foxmail.com>
    Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
    Link: https://lore.kernel.org/r/tencent_DD2D371DB5925B4B602B1E1D0A5FA88F1208@qq.com
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f4ba1dc579ee05f8a8dc437bb64f8882b36b7c31
Author: Ben Wolsieffer <ben.wolsieffer@hefring.com>
Date:   Tue Oct 3 12:20:03 2023 -0400

    irqchip/stm32-exti: add missing DT IRQ flag translation
    
    [ Upstream commit 8554cba1d6dbd3c74e0549e28ddbaccbb1d6b30a ]
    
    The STM32F4/7 EXTI driver was missing the xlate callback, so IRQ trigger
    flags specified in the device tree were being ignored. This was
    preventing the RTC alarm interrupt from working, because it must be set
    to trigger on the rising edge to function correctly.
    
    Signed-off-by: Ben Wolsieffer <ben.wolsieffer@hefring.com>
    Signed-off-by: Marc Zyngier <maz@kernel.org>
    Link: https://lore.kernel.org/r/20231003162003.1649967-1-ben.wolsieffer@hefring.com
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 01eb805a8293b8274c45c74d836eb8596997fcb7
Author: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Date:   Tue Sep 19 05:34:18 2023 +0000

    ASoC: simple-card: fixup asoc_simple_probe() error handling
    
    [ Upstream commit 41bae58df411f9accf01ea660730649b2fab1dab ]
    
    asoc_simple_probe() is used for both "DT probe" (A) and "platform probe"
    (B). It uses "goto err" when error case, but it is not needed for
    "platform probe" case (B). Thus it is using "return" directly there.
    
            static int asoc_simple_probe(...)
            {
     ^              if (...) {
     |                      ...
    (A)                     if (ret < 0)
     |                              goto err;
     v              } else {
     ^                      ...
     |                      if (ret < 0)
    (B)                             return -Exxx;
     v              }
    
                    ...
     ^              if (ret < 0)
    (C)                     goto err;
     v              ...
    
            err:
    (D)             simple_util_clean_reference(card);
    
                    return ret;
            }
    
    Both case are using (C) part, and it calls (D) when err case.
    But (D) will do nothing for (B) case.
    Because of these behavior, current code itself is not wrong,
    but is confusable, and more, static analyzing tool will warning on
    (B) part (should use goto err).
    
    To avoid static analyzing tool warning, this patch uses "goto err"
    on (B) part.
    
    Reported-by: kernel test robot <lkp@intel.com>
    Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
    Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
    Link: https://lore.kernel.org/r/87o7hy7mlh.wl-kuninori.morimoto.gx@renesas.com
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit bdd1afefe10b64ecfca1fa22b3930e4c5add828f
Author: Juergen Gross <jgross@suse.com>
Date:   Thu Jun 30 09:14:41 2022 +0200

    x86: Fix .brk attribute in linker script
    
    commit 7e09ac27f43b382f5fe9bb7c7f4c465ece1f8a23 upstream.
    
    Commit in Fixes added the "NOLOAD" attribute to the .brk section as a
    "failsafe" measure.
    
    Unfortunately, this leads to the linker no longer covering the .brk
    section in a program header, resulting in the kernel loader not knowing
    that the memory for the .brk section must be reserved.
    
    This has led to crashes when loading the kernel as PV dom0 under Xen,
    but other scenarios could be hit by the same problem (e.g. in case an
    uncompressed kernel is used and the initrd is placed directly behind
    it).
    
    So drop the "NOLOAD" attribute. This has been verified to correctly
    cover the .brk section by a program header of the resulting ELF file.
    
    Fixes: e32683c6f7d2 ("x86/mm: Fix RESERVE_BRK() for older binutils")
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Reviewed-by: Josh Poimboeuf <jpoimboe@kernel.org>
    Link: https://lore.kernel.org/r/20220630071441.28576-4-jgross@suse.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 280ae5a028ef5d14ef9277746a3026a30aaebe4f
Author: Hangyu Hua <hbh25y@gmail.com>
Date:   Tue Oct 31 11:41:50 2023 +0000

    rpmsg: Fix possible refcount leak in rpmsg_register_device_override()
    
    commit d7bd416d35121c95fe47330e09a5c04adbc5f928 upstream.
    
    rpmsg_register_device_override need to call put_device to free vch when
    driver_set_override fails.
    
    Fix this by adding a put_device() to the error path.
    
    Fixes: bb17d110cbf2 ("rpmsg: Fix calling device_lock() on non-initialized device")
    Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
    Link: https://lore.kernel.org/r/20220624024120.11576-1-hbh25y@gmail.com
    Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
    (cherry picked from commit d7bd416d35121c95fe47330e09a5c04adbc5f928)
    Signed-off-by: Lee Jones <lee@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit dea7b8757bea80e79bf746e5c13feed112c72f1e
Author: Bjorn Andersson <quic_bjorande@quicinc.com>
Date:   Tue Oct 31 11:41:49 2023 +0000

    rpmsg: glink: Release driver_override
    
    commit fb80ef67e8ff6a00d3faad4cb348dafdb8eccfd8 upstream.
    
    Upon termination of the rpmsg_device, driver_override needs to be freed
    to avoid leaking the potentially assigned string.
    
    Fixes: 42cd402b8fd4 ("rpmsg: Fix kfree() of static memory on setting driver_override")
    Fixes: 39e47767ec9b ("rpmsg: Add driver_override device attribute for rpmsg_device")
    Reviewed-by: Chris Lew <quic_clew@quicinc.com>
    Signed-off-by: Bjorn Andersson <quic_bjorande@quicinc.com>
    Signed-off-by: Bjorn Andersson <andersson@kernel.org>
    Link: https://lore.kernel.org/r/20230109223931.1706429-1-quic_bjorande@quicinc.com
    (cherry picked from commit fb80ef67e8ff6a00d3faad4cb348dafdb8eccfd8)
    Signed-off-by: Lee Jones <lee@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b585daa34a0a852e6d5e553132b411b6a0192d27
Author: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Date:   Tue Oct 31 11:41:48 2023 +0000

    rpmsg: Fix calling device_lock() on non-initialized device
    
    commit bb17d110cbf270d5247a6e261c5ad50e362d1675 upstream.
    
    driver_set_override() helper uses device_lock() so it should not be
    called before rpmsg_register_device() (which calls device_register()).
    Effect can be seen with CONFIG_DEBUG_MUTEXES:
    
      DEBUG_LOCKS_WARN_ON(lock->magic != lock)
      WARNING: CPU: 3 PID: 57 at kernel/locking/mutex.c:582 __mutex_lock+0x1ec/0x430
      ...
      Call trace:
       __mutex_lock+0x1ec/0x430
       mutex_lock_nested+0x44/0x50
       driver_set_override+0x124/0x150
       qcom_glink_native_probe+0x30c/0x3b0
       glink_rpm_probe+0x274/0x350
       platform_probe+0x6c/0xe0
       really_probe+0x17c/0x3d0
       __driver_probe_device+0x114/0x190
       driver_probe_device+0x3c/0xf0
       ...
    
    Refactor the rpmsg_register_device() function to use two-step device
    registering (initialization + add) and call driver_set_override() in
    proper moment.
    
    This moves the code around, so while at it also NULL-ify the
    rpdev->driver_override in error path to be sure it won't be kfree()
    second time.
    
    Fixes: 42cd402b8fd4 ("rpmsg: Fix kfree() of static memory on setting driver_override")
    Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
    Link: https://lore.kernel.org/r/20220429195946.1061725-2-krzysztof.kozlowski@linaro.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    (cherry picked from commit bb17d110cbf270d5247a6e261c5ad50e362d1675)
    Signed-off-by: Lee Jones <lee@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 79ec08a67907c16283589bbf59de4998ecdaec0f
Author: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Date:   Tue Oct 31 11:41:47 2023 +0000

    rpmsg: Fix kfree() of static memory on setting driver_override
    
    commit 42cd402b8fd4672b692400fe5f9eecd55d2794ac upstream.
    
    The driver_override field from platform driver should not be initialized
    from static memory (string literal) because the core later kfree() it,
    for example when driver_override is set via sysfs.
    
    Use dedicated helper to set driver_override properly.
    
    Fixes: 950a7388f02b ("rpmsg: Turn name service into a stand alone driver")
    Fixes: c0cdc19f84a4 ("rpmsg: Driver for user space endpoint interface")
    Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Link: https://lore.kernel.org/r/20220419113435.246203-13-krzysztof.kozlowski@linaro.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Lee Jones <lee@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e9a07a58533b8f1ee188e75f66cb11b3a16ee026
Author: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Date:   Tue Oct 31 11:41:46 2023 +0000

    driver: platform: Add helper for safer setting of driver_override
    
    commit 6c2f421174273de8f83cde4286d1c076d43a2d35 upstream.
    
    Several core drivers and buses expect that driver_override is a
    dynamically allocated memory thus later they can kfree() it.
    
    However such assumption is not documented, there were in the past and
    there are already users setting it to a string literal. This leads to
    kfree() of static memory during device release (e.g. in error paths or
    during unbind):
    
        kernel BUG at ../mm/slub.c:3960!
        Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM
        ...
        (kfree) from [<c058da50>] (platform_device_release+0x88/0xb4)
        (platform_device_release) from [<c0585be0>] (device_release+0x2c/0x90)
        (device_release) from [<c0a69050>] (kobject_put+0xec/0x20c)
        (kobject_put) from [<c0f2f120>] (exynos5_clk_probe+0x154/0x18c)
        (exynos5_clk_probe) from [<c058de70>] (platform_drv_probe+0x6c/0xa4)
        (platform_drv_probe) from [<c058b7ac>] (really_probe+0x280/0x414)
        (really_probe) from [<c058baf4>] (driver_probe_device+0x78/0x1c4)
        (driver_probe_device) from [<c0589854>] (bus_for_each_drv+0x74/0xb8)
        (bus_for_each_drv) from [<c058b48c>] (__device_attach+0xd4/0x16c)
        (__device_attach) from [<c058a638>] (bus_probe_device+0x88/0x90)
        (bus_probe_device) from [<c05871fc>] (device_add+0x3dc/0x62c)
        (device_add) from [<c075ff10>] (of_platform_device_create_pdata+0x94/0xbc)
        (of_platform_device_create_pdata) from [<c07600ec>] (of_platform_bus_create+0x1a8/0x4fc)
        (of_platform_bus_create) from [<c0760150>] (of_platform_bus_create+0x20c/0x4fc)
        (of_platform_bus_create) from [<c07605f0>] (of_platform_populate+0x84/0x118)
        (of_platform_populate) from [<c0f3c964>] (of_platform_default_populate_init+0xa0/0xb8)
        (of_platform_default_populate_init) from [<c01031f8>] (do_one_initcall+0x8c/0x404)
    
    Provide a helper which clearly documents the usage of driver_override.
    This will allow later to reuse the helper and reduce the amount of
    duplicated code.
    
    Convert the platform driver to use a new helper and make the
    driver_override field const char (it is not modified by the core).
    
    Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
    Link: https://lore.kernel.org/r/20220419113435.246203-2-krzysztof.kozlowski@linaro.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Lee Jones <lee@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6bde9454e1c3b54ae0a90b81139ab86fc5bc9a8b
Author: Josh Poimboeuf <jpoimboe@kernel.org>
Date:   Thu Jun 9 00:17:32 2022 -0700

    x86/mm: Fix RESERVE_BRK() for older binutils
    
    commit e32683c6f7d22ba624e0bfc58b02cf3348bdca63 upstream.
    
    With binutils 2.26, RESERVE_BRK() causes a build failure:
    
      /tmp/ccnGOKZ5.s: Assembler messages:
      /tmp/ccnGOKZ5.s:98: Error: missing ')'
      /tmp/ccnGOKZ5.s:98: Error: missing ')'
      /tmp/ccnGOKZ5.s:98: Error: missing ')'
      /tmp/ccnGOKZ5.s:98: Error: junk at end of line, first unrecognized
      character is `U'
    
    The problem is this line:
    
      RESERVE_BRK(early_pgt_alloc, INIT_PGT_BUF_SIZE)
    
    Specifically, the INIT_PGT_BUF_SIZE macro which (via PAGE_SIZE's use
    _AC()) has a "1UL", which makes older versions of the assembler unhappy.
    Unfortunately the _AC() macro doesn't work for inline asm.
    
    Inline asm was only needed here to convince the toolchain to add the
    STT_NOBITS flag.  However, if a C variable is placed in a section whose
    name is prefixed with ".bss", GCC and Clang automatically set
    STT_NOBITS.  In fact, ".bss..page_aligned" already relies on this trick.
    
    So fix the build failure (and simplify the macro) by allocating the
    variable in C.
    
    Also, add NOLOAD to the ".brk" output section clause in the linker
    script.  This is a failsafe in case the ".bss" prefix magic trick ever
    stops working somehow.  If there's a section type mismatch, the GNU
    linker will force the ".brk" output section to be STT_NOBITS.  The LLVM
    linker will fail with a "section type mismatch" error.
    
    Note this also changes the name of the variable from .brk.##name to
    __brk_##name.  The variable names aren't actually used anywhere, so it's
    harmless.
    
    Fixes: a1e2c031ec39 ("x86/mm: Simplify RESERVE_BRK()")
    Reported-by: Joe Damato <jdamato@fastly.com>
    Reported-by: Byungchul Park <byungchul.park@lge.com>
    Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Tested-by: Joe Damato <jdamato@fastly.com>
    Link: https://lore.kernel.org/r/22d07a44c80d8e8e1e82b9a806ddc8c6bbb2606e.1654759036.git.jpoimboe@kernel.org
    [nathan: Fix conflict due to lack of 360db4ace311 and resolve silent
             conflict with 360db4ace3117]
    Signed-off-by: Nathan Chancellor <nathan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3c48f28150632b56a93feba802c7d10518d58734
Author: Josh Poimboeuf <jpoimboe@kernel.org>
Date:   Fri May 6 14:14:32 2022 +0200

    x86/mm: Simplify RESERVE_BRK()
    
    commit a1e2c031ec3949b8c039b739c0b5bf9c30007b00 upstream.
    
    RESERVE_BRK() reserves data in the .brk_reservation section.  The data
    is initialized to zero, like BSS, so the macro specifies 'nobits' to
    prevent the data from taking up space in the vmlinux binary.  The only
    way to get the compiler to do that (without putting the variable in .bss
    proper) is to use inline asm.
    
    The macro also has a hack which encloses the inline asm in a discarded
    function, which allows the size to be passed (global inline asm doesn't
    allow inputs).
    
    Remove the need for the discarded function hack by just stringifying the
    size rather than supplying it as an input to the inline asm.
    
    Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Reviewed-by: Borislav Petkov <bp@suse.de>
    Link: https://lore.kernel.org/r/20220506121631.133110232@infradead.org
    [nathan: Fix conflict due to lack of 2b6ff7dea670 and 33def8498fdd]
    Signed-off-by: Nathan Chancellor <nathan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 75e4376b640c02274a88707f109946db6a9b2212
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Wed Oct 25 23:04:15 2023 +0200

    x86/i8259: Skip probing when ACPI/MADT advertises PCAT compatibility
    
    commit 128b0c9781c9f2651bea163cb85e52a6c7be0f9e upstream.
    
    David and a few others reported that on certain newer systems some legacy
    interrupts fail to work correctly.
    
    Debugging revealed that the BIOS of these systems leaves the legacy PIC in
    uninitialized state which makes the PIC detection fail and the kernel
    switches to a dummy implementation.
    
    Unfortunately this fallback causes quite some code to fail as it depends on
    checks for the number of legacy PIC interrupts or the availability of the
    real PIC.
    
    In theory there is no reason to use the PIC on any modern system when
    IO/APIC is available, but the dependencies on the related checks cannot be
    resolved trivially and on short notice. This needs lots of analysis and
    rework.
    
    The PIC detection has been added to avoid quirky checks and force selection
    of the dummy implementation all over the place, especially in VM guest
    scenarios. So it's not an option to revert the relevant commit as that
    would break a lot of other scenarios.
    
    One solution would be to try to initialize the PIC on detection fail and
    retry the detection, but that puts the burden on everything which does not
    have a PIC.
    
    Fortunately the ACPI/MADT table header has a flag field, which advertises
    in bit 0 that the system is PCAT compatible, which means it has a legacy
    8259 PIC.
    
    Evaluate that bit and if set avoid the detection routine and keep the real
    PIC installed, which then gets initialized (for nothing) and makes the rest
    of the code with all the dependencies work again.
    
    Fixes: e179f6914152 ("x86, irq, pic: Probe for legacy PIC and set legacy_pic appropriately")
    Reported-by: David Lazar <dlazar@gmail.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Tested-by: David Lazar <dlazar@gmail.com>
    Reviewed-by: Hans de Goede <hdegoede@redhat.com>
    Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
    Cc: stable@vger.kernel.org
    Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218003
    Link: https://lore.kernel.org/r/875y2u5s8g.ffs@tglx
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9dd1c2431ea0ba6e2cb6da58c7b35b7ad37185c0
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Sat Oct 14 21:34:40 2023 -0400

    nfsd: lock_rename() needs both directories to live on the same fs
    
    commit 1aee9158bc978f91701c5992e395efbc6da2de3c upstream.
    
    ... checking that after lock_rename() is too late.  Incidentally,
    NFSv2 had no nfserr_xdev...
    
    Fixes: aa387d6ce153 "nfsd: fix EXDEV checking in rename"
    Cc: stable@vger.kernel.org # v3.9+
    Reviewed-by: Jeff Layton <jlayton@kernel.org>
    Acked-by: Chuck Lever <chuck.lever@oracle.com>
    Tested-by: Jeff Layton <jlayton@kernel.org>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a481db81e7ead1369acca8e13b6939778cb7d2c5
Author: Chao Yu <chao@kernel.org>
Date:   Mon Dec 6 22:44:19 2021 +0800

    f2fs: fix to do sanity check on inode type during garbage collection
    
    commit 9056d6489f5a41cfbb67f719d2c0ce61ead72d9f upstream.
    
    As report by Wenqing Liu in bugzilla:
    
    https://bugzilla.kernel.org/show_bug.cgi?id=215231
    
    - Overview
    kernel NULL pointer dereference triggered  in folio_mark_dirty() when mount and operate on a crafted f2fs image
    
    - Reproduce
    tested on kernel 5.16-rc3, 5.15.X under root
    
    1. mkdir mnt
    2. mount -t f2fs tmp1.img mnt
    3. touch tmp
    4. cp tmp mnt
    
    F2FS-fs (loop0): sanity_check_inode: inode (ino=49) extent info [5942, 4294180864, 4] is incorrect, run fsck to fix
    F2FS-fs (loop0): f2fs_check_nid_range: out-of-range nid=31340049, run fsck to fix.
    BUG: kernel NULL pointer dereference, address: 0000000000000000
     folio_mark_dirty+0x33/0x50
     move_data_page+0x2dd/0x460 [f2fs]
     do_garbage_collect+0xc18/0x16a0 [f2fs]
     f2fs_gc+0x1d3/0xd90 [f2fs]
     f2fs_balance_fs+0x13a/0x570 [f2fs]
     f2fs_create+0x285/0x840 [f2fs]
     path_openat+0xe6d/0x1040
     do_filp_open+0xc5/0x140
     do_sys_openat2+0x23a/0x310
     do_sys_open+0x57/0x80
    
    The root cause is for special file: e.g. character, block, fifo or socket file,
    f2fs doesn't assign address space operations pointer array for mapping->a_ops field,
    so, in a fuzzed image, SSA table indicates a data block belong to special file, when
    f2fs tries to migrate that block, it causes NULL pointer access once move_data_page()
    calls a_ops->set_dirty_page().
    
    Cc: stable@vger.kernel.org
    Reported-by: Wenqing Liu <wenqingliu0120@gmail.com>
    Signed-off-by: Chao Yu <chao@kernel.org>
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    Signed-off-by: Kazunori Kobayashi <kazunori.kobayashi@miraclelinux.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b43cf5ad5241d6f33a02c93271a282d5ed6c4cce
Author: Wang Hai <wanghai38@huawei.com>
Date:   Tue Dec 20 09:21:43 2022 +0800

    kobject: Fix slab-out-of-bounds in fill_kobj_path()
    
    commit 3bb2a01caa813d3a1845d378bbe4169ef280d394 upstream.
    
    In kobject_get_path(), if kobj->name is changed between calls
    get_kobj_path_length() and fill_kobj_path() and the length becomes
    longer, then fill_kobj_path() will have an out-of-bounds bug.
    
    The actual current problem occurs when the ixgbe probe.
    
    In ixgbe_mii_bus_init(), if the length of netdev->dev.kobj.name
    length becomes longer, out-of-bounds will occur.
    
    cpu0                                         cpu1
    ixgbe_probe
     register_netdev(netdev)
      netdev_register_kobject
       device_add
        kobject_uevent // Sending ADD events
                                                 systemd-udevd // rename netdev
                                                  dev_change_name
                                                   device_rename
                                                    kobject_rename
     ixgbe_mii_bus_init                             |
      mdiobus_register                              |
       __mdiobus_register                           |
        device_register                             |
         device_add                                 |
          kobject_uevent                            |
           kobject_get_path                         |
            len = get_kobj_path_length // old name  |
            path = kzalloc(len, gfp_mask);          |
                                                    kobj->name = name;
                                                    /* name length becomes
                                                     * longer
                                                     */
            fill_kobj_path /* kobj path length is
                            * longer than path,
                            * resulting in out of
                            * bounds when filling path
                            */
    
    This is the kasan report:
    
    ==================================================================
    BUG: KASAN: slab-out-of-bounds in fill_kobj_path+0x50/0xc0
    Write of size 7 at addr ff1100090573d1fd by task kworker/28:1/673
    
     Workqueue: events work_for_cpu_fn
     Call Trace:
     <TASK>
     dump_stack_lvl+0x34/0x48
     print_address_description.constprop.0+0x86/0x1e7
     print_report+0x36/0x4f
     kasan_report+0xad/0x130
     kasan_check_range+0x35/0x1c0
     memcpy+0x39/0x60
     fill_kobj_path+0x50/0xc0
     kobject_get_path+0x5a/0xc0
     kobject_uevent_env+0x140/0x460
     device_add+0x5c7/0x910
     __mdiobus_register+0x14e/0x490
     ixgbe_probe.cold+0x441/0x574 [ixgbe]
     local_pci_probe+0x78/0xc0
     work_for_cpu_fn+0x26/0x40
     process_one_work+0x3b6/0x6a0
     worker_thread+0x368/0x520
     kthread+0x165/0x1a0
     ret_from_fork+0x1f/0x30
    
    This reproducer triggers that bug:
    
    while:
    do
        rmmod ixgbe
        sleep 0.5
        modprobe ixgbe
        sleep 0.5
    
    When calling fill_kobj_path() to fill path, if the name length of
    kobj becomes longer, return failure and retry. This fixes the problem.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Wang Hai <wanghai38@huawei.com>
    Link: https://lore.kernel.org/r/20221220012143.52141-1-wanghai38@huawei.com
    Signed-off-by: Oleksandr Tymoshenko <ovt@google.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 826e52559783d934cae02a1f32c95ff25dcd1d3a
Author: Lukasz Majczak <lma@semihalf.com>
Date:   Fri Sep 22 08:34:10 2023 +0200

    drm/dp_mst: Fix NULL deref in get_mst_branch_device_by_guid_helper()
    
    commit 3d887d512494d678b17c57b835c32f4e48d34f26 upstream.
    
    As drm_dp_get_mst_branch_device_by_guid() is called from
    drm_dp_get_mst_branch_device_by_guid(), mstb parameter has to be checked,
    otherwise NULL dereference may occur in the call to
    the memcpy() and cause following:
    
    [12579.365869] BUG: kernel NULL pointer dereference, address: 0000000000000049
    [12579.365878] #PF: supervisor read access in kernel mode
    [12579.365880] #PF: error_code(0x0000) - not-present page
    [12579.365882] PGD 0 P4D 0
    [12579.365887] Oops: 0000 [#1] PREEMPT SMP NOPTI
    ...
    [12579.365895] Workqueue: events_long drm_dp_mst_up_req_work
    [12579.365899] RIP: 0010:memcmp+0xb/0x29
    [12579.365921] Call Trace:
    [12579.365927] get_mst_branch_device_by_guid_helper+0x22/0x64
    [12579.365930] drm_dp_mst_up_req_work+0x137/0x416
    [12579.365933] process_one_work+0x1d0/0x419
    [12579.365935] worker_thread+0x11a/0x289
    [12579.365938] kthread+0x13e/0x14f
    [12579.365941] ? process_one_work+0x419/0x419
    [12579.365943] ? kthread_blkcg+0x31/0x31
    [12579.365946] ret_from_fork+0x1f/0x30
    
    As get_mst_branch_device_by_guid_helper() is recursive, moving condition
    to the first line allow to remove a similar one for step over of NULL elements
    inside a loop.
    
    Fixes: 5e93b8208d3c ("drm/dp/mst: move GUID storage from mgr, port to only mst branch")
    Cc: <stable@vger.kernel.org> # 4.14+
    Signed-off-by: Lukasz Majczak <lma@semihalf.com>
    Reviewed-by: Radoslaw Biernacki <rad@chromium.org>
    Signed-off-by: Manasi Navare <navaremanasi@chromium.org>
    Link: https://patchwork.freedesktop.org/patch/msgid/20230922063410.23626-1-lma@semihalf.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3ab03df64f7754728a2257c47775a70a88428331
Author: Nick Desaulniers <ndesaulniers@google.com>
Date:   Mon Nov 4 19:31:45 2019 +0100

    ARM: 8933/1: replace Sun/Solaris style flag on section directive
    
    [ Upstream commit 790756c7e0229dedc83bf058ac69633045b1000e ]
    
    It looks like a section directive was using "Solaris style" to declare
    the section flags. Replace this with the GNU style so that Clang's
    integrated assembler can assemble this directive.
    
    The modified instances were identified via:
    $ ag \.section | grep #
    
    Link: https://ftp.gnu.org/old-gnu/Manuals/gas-2.9.1/html_chapter/as_7.html#SEC119
    Link: https://github.com/ClangBuiltLinux/linux/issues/744
    Link: https://bugs.llvm.org/show_bug.cgi?id=43759
    Link: https://reviews.llvm.org/D69296
    
    Acked-by: Nicolas Pitre <nico@fluxnic.net>
    Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
    Reviewed-by: Stefan Agner <stefan@agner.ch>
    Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
    Suggested-by: Fangrui Song <maskray@google.com>
    Suggested-by: Jian Cai <jiancai@google.com>
    Suggested-by: Peter Smith <peter.smith@linaro.org>
    Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 13ab9909f388ab7bfd373350a7f84e47def14216
Author: Trond Myklebust <trondmy@gmail.com>
Date:   Sun Apr 7 13:59:03 2019 -0400

    NFS: Don't call generic_error_remove_page() while holding locks
    
    [ Upstream commit 22876f540bdf19af9e4fca893ce02ba7ee65ebcc ]
    
    The NFS read code can trigger writeback while holding the page lock.
    If an error then triggers a call to nfs_write_error_remove_page(),
    we can deadlock.
    
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit ce7c6ad176a3c101826735365a04f961921fe7dd
Author: Peter Zijlstra <peterz@infradead.org>
Date:   Tue Oct 24 11:42:21 2023 +0200

    perf/core: Fix potential NULL deref
    
    commit a71ef31485bb51b846e8db8b3a35e432cc15afb5 upstream.
    
    Smatch is awesome.
    
    Fixes: 32671e3799ca ("perf: Disallow mis-matched inherited group reads")
    Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fe031abf4739d6306c8194d3fc184c5f9b218c41
Author: Herve Codina <herve.codina@bootlin.com>
Date:   Fri Oct 20 17:30:12 2023 +0200

    i2c: muxes: i2c-demux-pinctrl: Use of_get_i2c_adapter_by_node()
    
    commit 0fb118de5003028ad092a4e66fc6d07b86c3bc94 upstream.
    
    i2c-demux-pinctrl uses the pair of_find_i2c_adapter_by_node() /
    i2c_put_adapter(). These pair alone is not correct to properly lock the
    I2C parent adapter.
    
    Indeed, i2c_put_adapter() decrements the module refcount while
    of_find_i2c_adapter_by_node() does not increment it. This leads to an
    underflow of the parent module refcount.
    
    Use the dedicated function, of_get_i2c_adapter_by_node(), to handle
    correctly the module refcount.
    
    Fixes: 50a5ba876908 ("i2c: mux: demux-pinctrl: add driver")
    Signed-off-by: Herve Codina <herve.codina@bootlin.com>
    Cc: stable@vger.kernel.org
    Acked-by: Peter Rosin <peda@axentia.se>
    Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Wolfram Sang <wsa@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0855d30a44a6354b936cc762424c5375c42c58be
Author: Herve Codina <herve.codina@bootlin.com>
Date:   Fri Oct 20 17:30:13 2023 +0200

    i2c: muxes: i2c-mux-gpmux: Use of_get_i2c_adapter_by_node()
    
    commit 3dc0ec46f6e7511fc4fdf6b6cda439382bc957f1 upstream.
    
    i2c-mux-gpmux uses the pair of_find_i2c_adapter_by_node() /
    i2c_put_adapter(). These pair alone is not correct to properly lock the
    I2C parent adapter.
    
    Indeed, i2c_put_adapter() decrements the module refcount while
    of_find_i2c_adapter_by_node() does not increment it. This leads to an
    underflow of the parent module refcount.
    
    Use the dedicated function, of_get_i2c_adapter_by_node(), to handle
    correctly the module refcount.
    
    Fixes: ac8498f0ce53 ("i2c: i2c-mux-gpmux: new driver")
    Signed-off-by: Herve Codina <herve.codina@bootlin.com>
    Cc: stable@vger.kernel.org
    Acked-by: Peter Rosin <peda@axentia.se>
    Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Wolfram Sang <wsa@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8682ab6f7ce1a6962f73d572e395d6679cd6a55d
Author: Herve Codina <herve.codina@bootlin.com>
Date:   Fri Oct 20 17:30:11 2023 +0200

    i2c: muxes: i2c-mux-pinctrl: Use of_get_i2c_adapter_by_node()
    
    commit 3171d37b58a76e1febbf3f4af2d06234a98cf88b upstream.
    
    i2c-mux-pinctrl uses the pair of_find_i2c_adapter_by_node() /
    i2c_put_adapter(). These pair alone is not correct to properly lock the
    I2C parent adapter.
    
    Indeed, i2c_put_adapter() decrements the module refcount while
    of_find_i2c_adapter_by_node() does not increment it. This leads to an
    underflow of the parent module refcount.
    
    Use the dedicated function, of_get_i2c_adapter_by_node(), to handle
    correctly the module refcount.
    
    Fixes: c4aee3e1b0de ("i2c: mux: pinctrl: remove platform_data")
    Signed-off-by: Herve Codina <herve.codina@bootlin.com>
    Cc: stable@vger.kernel.org
    Acked-by: Peter Rosin <peda@axentia.se>
    Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: Wolfram Sang <wsa@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 587f2a2273b9a437482d0b76c0138017bad196cc
Author: Ivan Vecera <ivecera@redhat.com>
Date:   Mon Oct 23 14:27:14 2023 -0700

    i40e: Fix wrong check for I40E_TXR_FLAGS_WB_ON_ITR
    
    [ Upstream commit 77a8c982ff0d4c3a14022c6fe9e3dbfb327552ec ]
    
    The I40E_TXR_FLAGS_WB_ON_ITR is i40e_ring flag and not i40e_pf one.
    
    Fixes: 8e0764b4d6be42 ("i40e/i40evf: Add support for writeback on ITR feature for X722")
    Signed-off-by: Ivan Vecera <ivecera@redhat.com>
    Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
    Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
    Link: https://lore.kernel.org/r/20231023212714.178032-1-jacob.e.keller@intel.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit c6fc37a3012a52974723e95f4d83b9f4fcf78a5f
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Sun Oct 22 22:25:17 2023 +0200

    gtp: uapi: fix GTPA_MAX
    
    [ Upstream commit adc8df12d91a2b8350b0cd4c7fec3e8546c9d1f8 ]
    
    Subtract one to __GTPA_MAX, otherwise GTPA_MAX is off by 2.
    
    Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 3b5eb92c09e31a0d0f124da5cbfd758f5db39b77
Author: Fred Chen <fred.chenchen03@gmail.com>
Date:   Sat Oct 21 08:19:47 2023 +0800

    tcp: fix wrong RTO timeout when received SACK reneging
    
    [ Upstream commit d2a0fc372aca561556e765d0a9ec365c7c12f0ad ]
    
    This commit fix wrong RTO timeout when received SACK reneging.
    
    When an ACK arrived pointing to a SACK reneging, tcp_check_sack_reneging()
    will rearm the RTO timer for min(1/2*srtt, 10ms) into to the future.
    
    But since the commit 62d9f1a6945b ("tcp: fix TLP timer not set when
    CA_STATE changes from DISORDER to OPEN") merged, the tcp_set_xmit_timer()
    is moved after tcp_fastretrans_alert()(which do the SACK reneging check),
    so the RTO timeout will be overwrited by tcp_set_xmit_timer() with
    icsk_rto instead of 1/2*srtt.
    
    Here is a packetdrill script to check this bug:
    0     socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
    +0    bind(3, ..., ...) = 0
    +0    listen(3, 1) = 0
    
    // simulate srtt to 100ms
    +0    < S 0:0(0) win 32792 <mss 1000, sackOK,nop,nop,nop,wscale 7>
    +0    > S. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK,nop,wscale 7>
    +.1    < . 1:1(0) ack 1 win 1024
    
    +0    accept(3, ..., ...) = 4
    
    +0    write(4, ..., 10000) = 10000
    +0    > P. 1:10001(10000) ack 1
    
    // inject sack
    +.1    < . 1:1(0) ack 1 win 257 <sack 1001:10001,nop,nop>
    +0    > . 1:1001(1000) ack 1
    
    // inject sack reneging
    +.1    < . 1:1(0) ack 1001 win 257 <sack 9001:10001,nop,nop>
    
    // we expect rto fired in 1/2*srtt (50ms)
    +.05    > . 1001:2001(1000) ack 1
    
    This fix remove the FLAG_SET_XMIT_TIMER from ack_flag when
    tcp_check_sack_reneging() set RTO timer with 1/2*srtt to avoid
    being overwrited later.
    
    Fixes: 62d9f1a6945b ("tcp: fix TLP timer not set when CA_STATE changes from DISORDER to OPEN")
    Signed-off-by: Fred Chen <fred.chenchen03@gmail.com>
    Reviewed-by: Neal Cardwell <ncardwell@google.com>
    Tested-by: Neal Cardwell <ncardwell@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6112a326fc272bd37b17c94bfc3a5594232f5706
Author: Douglas Anderson <dianders@chromium.org>
Date:   Fri Oct 20 14:06:52 2023 -0700

    r8152: Increase USB control msg timeout to 5000ms as per spec
    
    [ Upstream commit a5feba71ec9c14a54c3babdc732c5b6866d8ee43 ]
    
    According to the comment next to USB_CTRL_GET_TIMEOUT and
    USB_CTRL_SET_TIMEOUT, although sending/receiving control messages is
    usually quite fast, the spec allows them to take up to 5 seconds.
    Let's increase the timeout in the Realtek driver from 500ms to 5000ms
    (using the #defines) to account for this.
    
    This is not just a theoretical change. The need for the longer timeout
    was seen in testing. Specifically, if you drop a sc7180-trogdor based
    Chromebook into the kdb debugger and then "go" again after sitting in
    the debugger for a while, the next USB control message takes a long
    time. Out of ~40 tests the slowest USB control message was 4.5
    seconds.
    
    While dropping into kdb is not exactly an end-user scenario, the above
    is similar to what could happen due to an temporary interrupt storm,
    what could happen if there was a host controller (HW or SW) issue, or
    what could happen if the Realtek device got into a confused state and
    needed time to recover.
    
    This change is fairly critical since the r8152 driver in Linux doesn't
    expect register reads/writes (which are backed by USB control
    messages) to fail.
    
    Fixes: ac718b69301c ("net/usb: new driver for RTL8152")
    Suggested-by: Hayes Wang <hayeswang@realtek.com>
    Signed-off-by: Douglas Anderson <dianders@chromium.org>
    Reviewed-by: Grant Grundler <grundler@chromium.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 85e60d18d25e98a69eff792701ee3786dff16264
Author: Mateusz Palczewski <mateusz.palczewski@intel.com>
Date:   Thu Oct 19 13:40:35 2023 -0700

    igb: Fix potential memory leak in igb_add_ethtool_nfc_entry
    
    [ Upstream commit 8c0b48e01daba5ca58f939a8425855d3f4f2ed14 ]
    
    Add check for return of igb_update_ethtool_nfc_entry so that in case
    of any potential errors the memory alocated for input will be freed.
    
    Fixes: 0e71def25281 ("igb: add support of RX network flow classification")
    Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
    Signed-off-by: Mateusz Palczewski <mateusz.palczewski@intel.com>
    Tested-by: Arpana Arland <arpanax.arland@intel.com> (A Contingent worker at Intel)
    Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 9dce306d9e54281c009404863e7b1b94325180b1
Author: Kunwu Chan <chentao@kylinos.cn>
Date:   Fri Oct 20 17:31:56 2023 +0800

    treewide: Spelling fix in comment
    
    [ Upstream commit fb71ba0ed8be9534493c80ba00142a64d9972a72 ]
    
    reques -> request
    
    Fixes: 09dde54c6a69 ("PS3: gelic: Add wireless support for PS3")
    Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
    Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit f3eb8a53b72ca6aadcce059f6a2764f3f4e413e5
Author: Gavin Shan <gshan@redhat.com>
Date:   Thu Aug 31 11:10:07 2023 +1000

    virtio_balloon: Fix endless deflation and inflation on arm64
    
    commit 07622bd415639e9709579f400afd19e7e9866e5e upstream.
    
    The deflation request to the target, which isn't unaligned to the
    guest page size causes endless deflation and inflation actions. For
    example, we receive the flooding QMP events for the changes on memory
    balloon's size after a deflation request to the unaligned target is
    sent for the ARM64 guest, where we have 64KB base page size.
    
      /home/gavin/sandbox/qemu.main/build/qemu-system-aarch64      \
      -accel kvm -machine virt,gic-version=host -cpu host          \
      -smp maxcpus=8,cpus=8,sockets=2,clusters=2,cores=2,threads=1 \
      -m 1024M,slots=16,maxmem=64G                                 \
      -object memory-backend-ram,id=mem0,size=512M                 \
      -object memory-backend-ram,id=mem1,size=512M                 \
      -numa node,nodeid=0,memdev=mem0,cpus=0-3                     \
      -numa node,nodeid=1,memdev=mem1,cpus=4-7                     \
        :                                                          \
      -device virtio-balloon-pci,id=balloon0,bus=pcie.10
    
      { "execute" : "balloon", "arguments": { "value" : 1073672192 } }
      {"return": {}}
      {"timestamp": {"seconds": 1693272173, "microseconds": 88667},   \
       "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
      {"timestamp": {"seconds": 1693272174, "microseconds": 89704},   \
       "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
      {"timestamp": {"seconds": 1693272175, "microseconds": 90819},   \
       "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
      {"timestamp": {"seconds": 1693272176, "microseconds": 91961},   \
       "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
      {"timestamp": {"seconds": 1693272177, "microseconds": 93040},   \
       "event": "BALLOON_CHANGE", "data": {"actual": 1073676288}}
      {"timestamp": {"seconds": 1693272178, "microseconds": 94117},   \
       "event": "BALLOON_CHANGE", "data": {"actual": 1073676288}}
      {"timestamp": {"seconds": 1693272179, "microseconds": 95337},   \
       "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
      {"timestamp": {"seconds": 1693272180, "microseconds": 96615},   \
       "event": "BALLOON_CHANGE", "data": {"actual": 1073676288}}
      {"timestamp": {"seconds": 1693272181, "microseconds": 97626},   \
       "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
      {"timestamp": {"seconds": 1693272182, "microseconds": 98693},   \
       "event": "BALLOON_CHANGE", "data": {"actual": 1073676288}}
      {"timestamp": {"seconds": 1693272183, "microseconds": 99698},   \
       "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
      {"timestamp": {"seconds": 1693272184, "microseconds": 100727},  \
       "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
      {"timestamp": {"seconds": 1693272185, "microseconds": 90430},   \
       "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
      {"timestamp": {"seconds": 1693272186, "microseconds": 102999},  \
       "event": "BALLOON_CHANGE", "data": {"actual": 1073676288}}
         :
      <The similar QMP events repeat>
    
    Fix it by aligning the target up to the guest page size, 64KB in this
    specific case. With this applied, no flooding QMP events are observed
    and the memory balloon's size can be stablizied to 0x3ffe0000 soon
    after the deflation request is sent.
    
      { "execute" : "balloon", "arguments": { "value" : 1073672192 } }
      {"return": {}}
      {"timestamp": {"seconds": 1693273328, "microseconds": 793075},  \
       "event": "BALLOON_CHANGE", "data": {"actual": 1073610752}}
      { "execute" : "query-balloon" }
      {"return": {"actual": 1073610752}}
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Gavin Shan <gshan@redhat.com>
    Tested-by: Zhenyu Zhang <zhenyzha@redhat.com>
    Message-Id: <20230831011007.1032822-1-gshan@redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Reviewed-by: David Hildenbrand <david@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 44759b1bb78853c3af3a5f08f58d1fba83097de9
Author: Rodríguez Barbarin, José Javier <JoseJavier.Rodriguez@duagon.com>
Date:   Tue Apr 11 10:33:29 2023 +0200

    mcb-lpc: Reallocate memory region to avoid memory overlapping
    
    [ Upstream commit 2025b2ca8004c04861903d076c67a73a0ec6dfca ]
    
    mcb-lpc requests a fixed-size memory region to parse the chameleon
    table, however, if the chameleon table is smaller that the allocated
    region, it could overlap with the IP Cores' memory regions.
    
    After parsing the chameleon table, drop/reallocate the memory region
    with the actual chameleon table size.
    
    Co-developed-by: Jorge Sanjuan Garcia <jorge.sanjuangarcia@duagon.com>
    Signed-off-by: Jorge Sanjuan Garcia <jorge.sanjuangarcia@duagon.com>
    Signed-off-by: Javier Rodriguez <josejavier.rodriguez@duagon.com>
    Signed-off-by: Johannes Thumshirn <jth@kernel.org>
    Link: https://lore.kernel.org/r/20230411083329.4506-4-jth@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 902a3b36e23b9ccf15bc271971e9f41c54647ac2
Author: Rodríguez Barbarin, José Javier <JoseJavier.Rodriguez@duagon.com>
Date:   Tue Apr 11 10:33:27 2023 +0200

    mcb: Return actual parsed size when reading chameleon table
    
    [ Upstream commit a889c276d33d333ae96697510f33533f6e9d9591 ]
    
    The function chameleon_parse_cells() returns the number of cells
    parsed which has an undetermined size. This return value is only
    used for error checking but the number of cells is never used.
    
    Change return value to be number of bytes parsed to allow for
    memory management improvements.
    
    Co-developed-by: Jorge Sanjuan Garcia <jorge.sanjuangarcia@duagon.com>
    Signed-off-by: Jorge Sanjuan Garcia <jorge.sanjuangarcia@duagon.com>
    Signed-off-by: Javier Rodriguez <josejavier.rodriguez@duagon.com>
    Signed-off-by: Johannes Thumshirn <jth@kernel.org>
    Link: https://lore.kernel.org/r/20230411083329.4506-2-jth@kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <sashal@kernel.org>