--- /dev/null
+From a9b5bd81b294d30a747edd125e9f6aef2def7c79 Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Tue, 7 Jan 2025 12:06:01 -0800
+Subject: arm64: cputype: Add MIDR_CORTEX_A76AE
+
+From: Douglas Anderson <dianders@chromium.org>
+
+commit a9b5bd81b294d30a747edd125e9f6aef2def7c79 upstream.
+
+>From the TRM, MIDR_CORTEX_A76AE has a partnum of 0xDOE and an
+implementor of 0x41 (ARM). Add the values.
+
+Cc: stable@vger.kernel.org # dependency of the next fix in the series
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Link: https://lore.kernel.org/r/20250107120555.v4.4.I151f3b7ee323bcc3082179b8c60c3cd03308aa94@changeid
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/cputype.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/include/asm/cputype.h
++++ b/arch/arm64/include/asm/cputype.h
+@@ -75,6 +75,7 @@
+ #define ARM_CPU_PART_CORTEX_A76 0xD0B
+ #define ARM_CPU_PART_NEOVERSE_N1 0xD0C
+ #define ARM_CPU_PART_CORTEX_A77 0xD0D
++#define ARM_CPU_PART_CORTEX_A76AE 0xD0E
+ #define ARM_CPU_PART_NEOVERSE_V1 0xD40
+ #define ARM_CPU_PART_CORTEX_A78 0xD41
+ #define ARM_CPU_PART_CORTEX_A78AE 0xD42
+@@ -159,6 +160,7 @@
+ #define MIDR_CORTEX_A76 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76)
+ #define MIDR_NEOVERSE_N1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N1)
+ #define MIDR_CORTEX_A77 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A77)
++#define MIDR_CORTEX_A76AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76AE)
+ #define MIDR_NEOVERSE_V1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V1)
+ #define MIDR_CORTEX_A78 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78)
+ #define MIDR_CORTEX_A78AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78AE)
--- /dev/null
+From 0c9fc6e652cd5aed48c5f700c32b7642bea7f453 Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Tue, 7 Jan 2025 12:06:00 -0800
+Subject: arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe list
+
+From: Douglas Anderson <dianders@chromium.org>
+
+commit 0c9fc6e652cd5aed48c5f700c32b7642bea7f453 upstream.
+
+Qualcomm has confirmed that, much like Cortex A53 and A55, KRYO
+2XX/3XX/4XX silver cores are unaffected by Spectre BHB. Add them to
+the safe list.
+
+Fixes: 558c303c9734 ("arm64: Mitigate spectre style branch history side channels")
+Cc: stable@vger.kernel.org
+Cc: Scott Bauer <sbauer@quicinc.com>
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Acked-by: Trilok Soni <quic_tsoni@quicinc.com>
+Link: https://lore.kernel.org/r/20250107120555.v4.3.Iab8dbfb5c9b1e143e7a29f410bce5f9525a0ba32@changeid
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/proton-pack.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/arm64/kernel/proton-pack.c
++++ b/arch/arm64/kernel/proton-pack.c
+@@ -854,6 +854,9 @@ static bool is_spectre_bhb_safe(int scop
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A510),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A520),
+ MIDR_ALL_VERSIONS(MIDR_BRAHMA_B53),
++ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_2XX_SILVER),
++ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_3XX_SILVER),
++ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_SILVER),
+ {},
+ };
+ static bool all_safe = true;
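Review bot: The three Kryo silver entries added to `spectre_bhb_safe_list` carry no in-code record of why they are trusted, and a wrong entry here makes is_spectre_bhb_safe() return true, so the core is reported as unaffected and gets no mitigation. I would add a comment above them, for example `/* Confirmed unaffected by Qualcomm, like Cortex-A53/A55 */`. `MIDR_ALL_VERSIONS` also extends the claim to every revision of each part, which the commit message does not state explicitly and is worth confirming against the vendor statement. The body of is_spectre_bhb_safe() starts and ends outside this hunk.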
--- /dev/null
+From ed1ce841245d8febe3badf51c57e81c3619d0a1d Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Tue, 7 Jan 2025 12:05:58 -0800
+Subject: arm64: errata: Add QCOM_KRYO_4XX_GOLD to the spectre_bhb_k24_list
+
+From: Douglas Anderson <dianders@chromium.org>
+
+commit ed1ce841245d8febe3badf51c57e81c3619d0a1d upstream.
+
+Qualcomm Kryo 400-series Gold cores have a derivative of an ARM Cortex
+A76 in them. Since A76 needs Spectre mitigation via looping then the
+Kyro 400-series Gold cores also need Spectre mitigation via looping.
+
+Qualcomm has confirmed that the proper "k" value for Kryo 400-series
+Gold cores is 24.
+
+Fixes: 558c303c9734 ("arm64: Mitigate spectre style branch history side channels")
+Cc: stable@vger.kernel.org
+Cc: Scott Bauer <sbauer@quicinc.com>
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Acked-by: Trilok Soni <quic_tsoni@quicinc.com>
+Link: https://lore.kernel.org/r/20250107120555.v4.1.Ie4ef54abe02e7eb0eee50f830575719bf23bda48@changeid
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/proton-pack.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm64/kernel/proton-pack.c
++++ b/arch/arm64/kernel/proton-pack.c
+@@ -866,6 +866,7 @@ u8 spectre_bhb_loop_affected(int scope)
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A76),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A77),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
++ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_GOLD),
+ {},
+ };
+ static const struct midr_range spectre_bhb_k11_list[] = {
--- /dev/null
+From e403e8538359d8580cbee1976ff71813e947101e Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Tue, 7 Jan 2025 12:05:59 -0800
+Subject: arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre BHB
+
+From: Douglas Anderson <dianders@chromium.org>
+
+commit e403e8538359d8580cbee1976ff71813e947101e upstream.
+
+The code for detecting CPUs that are vulnerable to Spectre BHB was
+based on a hardcoded list of CPU IDs that were known to be affected.
+Unfortunately, the list mostly only contained the IDs of standard ARM
+cores. The IDs for many cores that are minor variants of the standard
+ARM cores (like many Qualcomm Kyro CPUs) weren't listed. This led the
+code to assume that those variants were not affected.
+
+Flip the code on its head and instead assume that a core is vulnerable
+if it doesn't have CSV2_3 but is unrecognized as being safe. This
+involves creating a "Spectre BHB safe" list.
+
+As of right now, the only CPU IDs added to the "Spectre BHB safe" list
+are ARM Cortex A35, A53, A55, A510, and A520. This list was created by
+looking for cores that weren't listed in ARM's list [1] as per review
+feedback on v2 of this patch [2]. Additionally Brahma A53 is added as
+per mailing list feedback [3].
+
+NOTE: this patch will not actually _mitigate_ anyone, it will simply
+cause them to report themselves as vulnerable. If any cores in the
+system are reported as vulnerable but not mitigated then the whole
+system will be reported as vulnerable though the system will attempt
+to mitigate with the information it has about the known cores.
+
+[1] https://developer.arm.com/Arm%20Security%20Center/Spectre-BHB
+[2] https://lore.kernel.org/r/20241219175128.GA25477@willie-the-truck
+[3] https://lore.kernel.org/r/18dbd7d1-a46c-4112-a425-320c99f67a8d@broadcom.com
+
+Fixes: 558c303c9734 ("arm64: Mitigate spectre style branch history side channels")
+Cc: stable@vger.kernel.org
+Reviewed-by: Julius Werner <jwerner@chromium.org>
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Link: https://lore.kernel.org/r/20250107120555.v4.2.I2040fa004dafe196243f67ebcc647cbedbb516e6@changeid
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/spectre.h | 1
+ arch/arm64/kernel/proton-pack.c | 201 +++++++++++++++++++--------------------
+ 2 files changed, 101 insertions(+), 101 deletions(-)
+
+--- a/arch/arm64/include/asm/spectre.h
++++ b/arch/arm64/include/asm/spectre.h
+@@ -97,7 +97,6 @@ enum mitigation_state arm64_get_meltdown
+
+ enum mitigation_state arm64_get_spectre_bhb_state(void);
+ bool is_spectre_bhb_affected(const struct arm64_cpu_capabilities *entry, int scope);
+-u8 spectre_bhb_loop_affected(int scope);
+ void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *__unused);
+ bool try_emulate_el1_ssbs(struct pt_regs *regs, u32 instr);
+
+--- a/arch/arm64/kernel/proton-pack.c
++++ b/arch/arm64/kernel/proton-pack.c
+@@ -845,53 +845,70 @@ static unsigned long system_bhb_mitigati
+ * This must be called with SCOPE_LOCAL_CPU for each type of CPU, before any
+ * SCOPE_SYSTEM call will give the right answer.
+ */
+-u8 spectre_bhb_loop_affected(int scope)
++static bool is_spectre_bhb_safe(int scope)
++{
++ static const struct midr_range spectre_bhb_safe_list[] = {
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A35),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A53),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A55),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A510),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A520),
++ MIDR_ALL_VERSIONS(MIDR_BRAHMA_B53),
++ {},
++ };
++ static bool all_safe = true;
++
++ if (scope != SCOPE_LOCAL_CPU)
++ return all_safe;
++
++ if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_safe_list))
++ return true;
++
++ all_safe = false;
++
++ return false;
++}
++
++static u8 spectre_bhb_loop_affected(void)
+ {
+ u8 k = 0;
+- static u8 max_bhb_k;
+
+- if (scope == SCOPE_LOCAL_CPU) {
+- static const struct midr_range spectre_bhb_k32_list[] = {
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_A78),
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE),
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C),
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_X1),
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_A710),
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_X2),
+- MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2),
+- MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1),
+- {},
+- };
+- static const struct midr_range spectre_bhb_k24_list[] = {
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_A76),
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_A77),
+- MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
+- MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_GOLD),
+- {},
+- };
+- static const struct midr_range spectre_bhb_k11_list[] = {
+- MIDR_ALL_VERSIONS(MIDR_AMPERE1),
+- {},
+- };
+- static const struct midr_range spectre_bhb_k8_list[] = {
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_A72),
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_A57),
+- {},
+- };
+-
+- if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k32_list))
+- k = 32;
+- else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k24_list))
+- k = 24;
+- else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k11_list))
+- k = 11;
+- else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k8_list))
+- k = 8;
+-
+- max_bhb_k = max(max_bhb_k, k);
+- } else {
+- k = max_bhb_k;
+- }
++ static const struct midr_range spectre_bhb_k32_list[] = {
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X1),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A710),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X2),
++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2),
++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1),
++ {},
++ };
++ static const struct midr_range spectre_bhb_k24_list[] = {
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A76),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A77),
++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
++ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_GOLD),
++ {},
++ };
++ static const struct midr_range spectre_bhb_k11_list[] = {
++ MIDR_ALL_VERSIONS(MIDR_AMPERE1),
++ {},
++ };
++ static const struct midr_range spectre_bhb_k8_list[] = {
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A72),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A57),
++ {},
++ };
++
++ if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k32_list))
++ k = 32;
++ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k24_list))
++ k = 24;
++ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k11_list))
++ k = 11;
++ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k8_list))
++ k = 8;
+
+ return k;
+ }
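Review bot: spectre_bhb_loop_affected() is left without a doc comment, and its name no longer matches its contract: the block comment kept at the top of the hunk now sits above is_spectre_bhb_safe(), and after this change a return of 0 means "no loop count known for this MIDR", not "unaffected". A short comment above the function would stop later callers from reading 0 as safe, for example `/* Returns the BHB loop iteration count for this CPU, or 0 if none is known; 0 does not imply the CPU is unaffected. */`. In is_spectre_bhb_safe(), `all_safe` starts out true, so a SCOPE_SYSTEM query made before any SCOPE_LOCAL_CPU call answers "safe"; the retained comment is the only place that ordering requirement is written down, and it would help to name `all_safe` in it.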
+@@ -917,29 +934,13 @@ static enum mitigation_state spectre_bhb
+ }
+ }
+
+-static bool is_spectre_bhb_fw_affected(int scope)
++static bool has_spectre_bhb_fw_mitigation(void)
+ {
+- static bool system_affected;
+ enum mitigation_state fw_state;
+ bool has_smccc = arm_smccc_1_1_get_conduit() != SMCCC_CONDUIT_NONE;
+- static const struct midr_range spectre_bhb_firmware_mitigated_list[] = {
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_A73),
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_A75),
+- {},
+- };
+- bool cpu_in_list = is_midr_in_range_list(read_cpuid_id(),
+- spectre_bhb_firmware_mitigated_list);
+-
+- if (scope != SCOPE_LOCAL_CPU)
+- return system_affected;
+
+ fw_state = spectre_bhb_get_cpu_fw_mitigation_state();
+- if (cpu_in_list || (has_smccc && fw_state == SPECTRE_MITIGATED)) {
+- system_affected = true;
+- return true;
+- }
+-
+- return false;
++ return has_smccc && fw_state == SPECTRE_MITIGATED;
+ }
+
+ static bool supports_ecbhb(int scope)
+@@ -955,6 +956,8 @@ static bool supports_ecbhb(int scope)
+ ID_AA64MMFR1_EL1_ECBHB_SHIFT);
+ }
+
++static u8 max_bhb_k;
++
+ bool is_spectre_bhb_affected(const struct arm64_cpu_capabilities *entry,
+ int scope)
+ {
+@@ -963,16 +966,18 @@ bool is_spectre_bhb_affected(const struc
+ if (supports_csv2p3(scope))
+ return false;
+
+- if (supports_clearbhb(scope))
+- return true;
+-
+- if (spectre_bhb_loop_affected(scope))
+- return true;
++ if (is_spectre_bhb_safe(scope))
++ return false;
+
+- if (is_spectre_bhb_fw_affected(scope))
+- return true;
++ /*
++ * At this point the core isn't known to be "safe" so we're going to
++ * assume it's vulnerable. We still need to update `max_bhb_k` though,
++ * but only if we aren't mitigating with clearbhb though.
++ */
++ if (scope == SCOPE_LOCAL_CPU && !supports_clearbhb(SCOPE_LOCAL_CPU))
++ max_bhb_k = max(max_bhb_k, spectre_bhb_loop_affected());
+
+- return false;
++ return true;
+ }
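Review bot: `max_bhb_k` is now a file-scope variable that is updated here with a plain read-modify-write and read directly in spectre_bhb_patch_loop_iter() (last hunk of this patch), yet nothing at its declaration says what orders the two. If it is still 0, or not yet the system-wide maximum, when the loop count is patched in, the branchy loop runs fewer iterations than some cores need, so the assumption deserves a comment at the declaration, e.g. `/* Largest loop count over all CPUs checked so far; must be final before spectre_bhb_patch_loop_iter() runs */`. Whether the SCOPE_LOCAL_CPU checks for different CPUs can run concurrently is not visible in these hunks; if they can, a plain store is not enough. is_spectre_bhb_affected() begins before this hunk.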
+
+ static void this_cpu_set_vectors(enum arm64_bp_harden_el1_vectors slot)
+@@ -1003,7 +1008,7 @@ early_param("nospectre_bhb", parse_spect
+ void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *entry)
+ {
+ bp_hardening_cb_t cpu_cb;
+- enum mitigation_state fw_state, state = SPECTRE_VULNERABLE;
++ enum mitigation_state state = SPECTRE_VULNERABLE;
+ struct bp_hardening_data *data = this_cpu_ptr(&bp_hardening_data);
+
+ if (!is_spectre_bhb_affected(entry, SCOPE_LOCAL_CPU))
+@@ -1029,7 +1034,7 @@ void spectre_bhb_enable_mitigation(const
+ this_cpu_set_vectors(EL1_VECTOR_BHB_CLEAR_INSN);
+ state = SPECTRE_MITIGATED;
+ set_bit(BHB_INSN, &system_bhb_mitigations);
+- } else if (spectre_bhb_loop_affected(SCOPE_LOCAL_CPU)) {
++ } else if (spectre_bhb_loop_affected()) {
+ /*
+ * Ensure KVM uses the indirect vector which will have the
+ * branchy-loop added. A57/A72-r0 will already have selected
+@@ -1042,32 +1047,29 @@ void spectre_bhb_enable_mitigation(const
+ this_cpu_set_vectors(EL1_VECTOR_BHB_LOOP);
+ state = SPECTRE_MITIGATED;
+ set_bit(BHB_LOOP, &system_bhb_mitigations);
+- } else if (is_spectre_bhb_fw_affected(SCOPE_LOCAL_CPU)) {
+- fw_state = spectre_bhb_get_cpu_fw_mitigation_state();
+- if (fw_state == SPECTRE_MITIGATED) {
+- /*
+- * Ensure KVM uses one of the spectre bp_hardening
+- * vectors. The indirect vector doesn't include the EL3
+- * call, so needs upgrading to
+- * HYP_VECTOR_SPECTRE_INDIRECT.
+- */
+- if (!data->slot || data->slot == HYP_VECTOR_INDIRECT)
+- data->slot += 1;
+-
+- this_cpu_set_vectors(EL1_VECTOR_BHB_FW);
+-
+- /*
+- * The WA3 call in the vectors supersedes the WA1 call
+- * made during context-switch. Uninstall any firmware
+- * bp_hardening callback.
+- */
+- cpu_cb = spectre_v2_get_sw_mitigation_cb();
+- if (__this_cpu_read(bp_hardening_data.fn) != cpu_cb)
+- __this_cpu_write(bp_hardening_data.fn, NULL);
+-
+- state = SPECTRE_MITIGATED;
+- set_bit(BHB_FW, &system_bhb_mitigations);
+- }
++ } else if (has_spectre_bhb_fw_mitigation()) {
++ /*
++ * Ensure KVM uses one of the spectre bp_hardening
++ * vectors. The indirect vector doesn't include the EL3
++ * call, so needs upgrading to
++ * HYP_VECTOR_SPECTRE_INDIRECT.
++ */
++ if (!data->slot || data->slot == HYP_VECTOR_INDIRECT)
++ data->slot += 1;
++
++ this_cpu_set_vectors(EL1_VECTOR_BHB_FW);
++
++ /*
++ * The WA3 call in the vectors supersedes the WA1 call
++ * made during context-switch. Uninstall any firmware
++ * bp_hardening callback.
++ */
++ cpu_cb = spectre_v2_get_sw_mitigation_cb();
++ if (__this_cpu_read(bp_hardening_data.fn) != cpu_cb)
++ __this_cpu_write(bp_hardening_data.fn, NULL);
++
++ state = SPECTRE_MITIGATED;
++ set_bit(BHB_FW, &system_bhb_mitigations);
+ }
+
+ update_mitigation_state(&spectre_bhb_state, state);
+@@ -1101,7 +1103,6 @@ void noinstr spectre_bhb_patch_loop_iter
+ {
+ u8 rd;
+ u32 insn;
+- u16 loop_count = spectre_bhb_loop_affected(SCOPE_SYSTEM);
+
+ BUG_ON(nr_inst != 1); /* MOV -> MOV */
+
+@@ -1110,7 +1111,7 @@ void noinstr spectre_bhb_patch_loop_iter
+
+ insn = le32_to_cpu(*origptr);
+ rd = aarch64_insn_decode_register(AARCH64_INSN_REGTYPE_RD, insn);
+- insn = aarch64_insn_gen_movewide(rd, loop_count, 0,
++ insn = aarch64_insn_gen_movewide(rd, max_bhb_k, 0,
+ AARCH64_INSN_VARIANT_64BIT,
+ AARCH64_INSN_MOVEWIDE_ZERO);
+ *updptr++ = cpu_to_le32(insn);
--- /dev/null
+From 0badb5432fd525a00db5630c459b635e9d47f445 Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Fri, 14 Mar 2025 17:47:57 +0000
+Subject: ASoC: q6apm: add q6apm_get_hw_pointer helper
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+commit 0badb5432fd525a00db5630c459b635e9d47f445 upstream.
+
+Implement an helper function in q6apm to be able to read the current
+hardware pointer for both read and write buffers.
+
+This should help q6apm-dai to get the hardware pointer consistently
+without it doing manual calculation, which could go wrong in some race
+conditions.
+
+Fixes: 9b4fe0f1cd79 ("ASoC: qdsp6: audioreach: add q6apm-dai support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Tested-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Tested-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://patch.msgid.link/20250314174800.10142-3-srinivas.kandagatla@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/qcom/qdsp6/q6apm.c | 18 +++++++++++++++++-
+ sound/soc/qcom/qdsp6/q6apm.h | 3 +++
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+--- a/sound/soc/qcom/qdsp6/q6apm.c
++++ b/sound/soc/qcom/qdsp6/q6apm.c
+@@ -494,6 +494,19 @@ int q6apm_read(struct q6apm_graph *graph
+ }
+ EXPORT_SYMBOL_GPL(q6apm_read);
+
++int q6apm_get_hw_pointer(struct q6apm_graph *graph, int dir)
++{
++ struct audioreach_graph_data *data;
++
++ if (dir == SNDRV_PCM_STREAM_PLAYBACK)
++ data = &graph->rx_data;
++ else
++ data = &graph->tx_data;
++
++ return (int)atomic_read(&data->hw_ptr);
++}
++EXPORT_SYMBOL_GPL(q6apm_get_hw_pointer);
++
+ static int graph_callback(struct gpr_resp_pkt *data, void *priv, int op)
+ {
+ struct data_cmd_rsp_rd_sh_mem_ep_data_buffer_done_v2 *rd_done;
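Review bot: q6apm_get_hw_pointer() is exported without a kernel-doc comment, and the unit of its return value is not obvious: going by the graph_callback() hunks that follow, it is the last completed buffer token plus one, not a byte or frame offset. A kernel-doc block with `@graph`, `@dir` and a `Return:` line stating that would save callers from guessing, and it should also say that any `dir` other than `SNDRV_PCM_STREAM_PLAYBACK` selects `tx_data`. The hunk ends inside graph_callback(), which this point does not concern.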
+@@ -520,7 +533,8 @@ static int graph_callback(struct gpr_res
+ done = data->payload;
+ phys = graph->rx_data.buf[token].phys;
+ mutex_unlock(&graph->lock);
+-
++ /* token numbering starts at 0 */
++ atomic_set(&graph->rx_data.hw_ptr, token + 1);
+ if (lower_32_bits(phys) == done->buf_addr_lsw &&
+ upper_32_bits(phys) == done->buf_addr_msw) {
+ graph->result.opcode = hdr->opcode;
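Review bot: `atomic_set(&graph->rx_data.hw_ptr, token + 1)` runs before the `buf_addr_lsw`/`buf_addr_msw` comparison that checks the DSP response against the buffer the host queued, so a response that fails that check still moves the pointer that q6apm_get_hw_pointer() reports. Moving the store inside the `if` that follows would tie the pointer to validated completions only; the tx path in the next hunk (`atomic_set(&graph->tx_data.hw_ptr, hdr->token + 1)`) has the same ordering. The token is also used as an index into `buf[]` on the context line above and appears to come from the response header, so it is worth confirming that it is range-checked against the number of periods somewhere outside these hunks. graph_callback() starts and ends outside the hunk.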
+@@ -553,6 +567,8 @@ static int graph_callback(struct gpr_res
+ rd_done = data->payload;
+ phys = graph->tx_data.buf[hdr->token].phys;
+ mutex_unlock(&graph->lock);
++ /* token numbering starts at 0 */
++ atomic_set(&graph->tx_data.hw_ptr, hdr->token + 1);
+
+ if (upper_32_bits(phys) == rd_done->buf_addr_msw &&
+ lower_32_bits(phys) == rd_done->buf_addr_lsw) {
+--- a/sound/soc/qcom/qdsp6/q6apm.h
++++ b/sound/soc/qcom/qdsp6/q6apm.h
+@@ -2,6 +2,7 @@
+ #ifndef __Q6APM_H__
+ #define __Q6APM_H__
+ #include <linux/types.h>
++#include <linux/atomic.h>
+ #include <linux/slab.h>
+ #include <linux/wait.h>
+ #include <linux/kernel.h>
+@@ -78,6 +79,7 @@ struct audioreach_graph_data {
+ uint32_t num_periods;
+ uint32_t dsp_buf;
+ uint32_t mem_map_handle;
++ atomic_t hw_ptr;
+ };
+
+ struct audioreach_graph {
+@@ -151,4 +153,5 @@ int q6apm_enable_compress_module(struct
+ int q6apm_remove_initial_silence(struct device *dev, struct q6apm_graph *graph, uint32_t samples);
+ int q6apm_remove_trailing_silence(struct device *dev, struct q6apm_graph *graph, uint32_t samples);
+ int q6apm_set_real_module_id(struct device *dev, struct q6apm_graph *graph, uint32_t codec_id);
++int q6apm_get_hw_pointer(struct q6apm_graph *graph, int dir);
+ #endif /* __APM_GRAPH_ */
--- /dev/null
+From 5d01ed9b9939b4c726be74db291a982bc984c584 Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Fri, 14 Mar 2025 17:48:00 +0000
+Subject: ASoC: qdsp6: q6apm-dai: fix capture pipeline overruns.
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+commit 5d01ed9b9939b4c726be74db291a982bc984c584 upstream.
+
+Period sizes less than 6k for capture path triggers overruns in the
+dsp capture pipeline.
+
+Change the period size and number of periods to value which DSP is happy with.
+
+Fixes: 9b4fe0f1cd79 ("ASoC: qdsp6: audioreach: add q6apm-dai support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Tested-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Tested-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://patch.msgid.link/20250314174800.10142-6-srinivas.kandagatla@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/qcom/qdsp6/q6apm-dai.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/qcom/qdsp6/q6apm-dai.c
++++ b/sound/soc/qcom/qdsp6/q6apm-dai.c
+@@ -24,8 +24,8 @@
+ #define PLAYBACK_MIN_PERIOD_SIZE 128
+ #define CAPTURE_MIN_NUM_PERIODS 2
+ #define CAPTURE_MAX_NUM_PERIODS 8
+-#define CAPTURE_MAX_PERIOD_SIZE 4096
+-#define CAPTURE_MIN_PERIOD_SIZE 320
++#define CAPTURE_MAX_PERIOD_SIZE 65536
++#define CAPTURE_MIN_PERIOD_SIZE 6144
+ #define BUFFER_BYTES_MAX (PLAYBACK_MAX_NUM_PERIODS * PLAYBACK_MAX_PERIOD_SIZE)
+ #define BUFFER_BYTES_MIN (PLAYBACK_MIN_NUM_PERIODS * PLAYBACK_MIN_PERIOD_SIZE)
+ #define COMPR_PLAYBACK_MAX_FRAGMENT_SIZE (128 * 1024)
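Review bot: `BUFFER_BYTES_MAX` on the context lines is still derived only from the `PLAYBACK_*` limits, while this change raises the capture maximum to `CAPTURE_MAX_NUM_PERIODS * CAPTURE_MAX_PERIOD_SIZE`, i.e. 8 * 65536 bytes. The `PLAYBACK_MAX_*` values are outside the hunk, so please confirm that any buffer sized from `BUFFER_BYTES_MAX` is at least that large. If capture buffers are sized from it, a capture-specific maximum or a comment stating the relationship would keep the two sets of limits from drifting apart.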
--- /dev/null
+From 3107019501842c27334554ba9d6583b1f200f61f Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Fri, 14 Mar 2025 17:47:59 +0000
+Subject: ASoC: qdsp6: q6apm-dai: set 10 ms period and buffer alignment.
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+commit 3107019501842c27334554ba9d6583b1f200f61f upstream.
+
+DSP expects the periods to be aligned to fragment sizes, currently
+setting up to hw constriants on periods bytes is not going to work
+correctly as we can endup with periods sizes aligned to 32 bytes however
+not aligned to fragment size.
+
+Update the constriants to use fragment size, and also set at step of
+10ms for period size to accommodate DSP requirements of 10ms latency.
+
+Fixes: 9b4fe0f1cd79 ("ASoC: qdsp6: audioreach: add q6apm-dai support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Tested-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://patch.msgid.link/20250314174800.10142-5-srinivas.kandagatla@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/qcom/qdsp6/q6apm-dai.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/qcom/qdsp6/q6apm-dai.c
++++ b/sound/soc/qcom/qdsp6/q6apm-dai.c
+@@ -380,13 +380,14 @@ static int q6apm_dai_open(struct snd_soc
+ }
+ }
+
+- ret = snd_pcm_hw_constraint_step(runtime, 0, SNDRV_PCM_HW_PARAM_PERIOD_BYTES, 32);
++ /* setup 10ms latency to accommodate DSP restrictions */
++ ret = snd_pcm_hw_constraint_step(runtime, 0, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, 480);
+ if (ret < 0) {
+ dev_err(dev, "constraint for period bytes step ret = %d\n", ret);
+ goto err;
+ }
+
+- ret = snd_pcm_hw_constraint_step(runtime, 0, SNDRV_PCM_HW_PARAM_BUFFER_BYTES, 32);
++ ret = snd_pcm_hw_constraint_step(runtime, 0, SNDRV_PCM_HW_PARAM_BUFFER_SIZE, 480);
+ if (ret < 0) {
+ dev_err(dev, "constraint for buffer bytes step ret = %d\n", ret);
+ goto err;
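Review bot: The step of 480 is 10 ms only at a 48 kHz sample rate, and the constraint is now expressed in frames (`SNDRV_PCM_HW_PARAM_PERIOD_SIZE`, `SNDRV_PCM_HW_PARAM_BUFFER_SIZE`) rather than bytes; the new comment should say so, e.g. `/* 480 frames = 10 ms at 48 kHz, required by the DSP */`. The two `dev_err()` strings still read "period bytes step" and "buffer bytes step", which will mislead when the constraint fails; `"constraint for period size step ret = %d\n"` and the buffer equivalent would match the code. Whether other sample rates reach this path is not visible in the hunk; if they do, a fixed 480-frame step no longer corresponds to 10 ms. q6apm_dai_open() starts and ends outside the hunk.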
--- /dev/null
+From 7eccc86e90f04a0d758d16c08627a620ac59604d Mon Sep 17 00:00:00 2001
+From: Alexey Klimov <alexey.klimov@linaro.org>
+Date: Thu, 27 Mar 2025 15:46:50 +0000
+Subject: ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path
+
+From: Alexey Klimov <alexey.klimov@linaro.org>
+
+commit 7eccc86e90f04a0d758d16c08627a620ac59604d upstream.
+
+In case of attempts to compress playback something, for instance,
+when audio routing is not set up correctly, the audio DSP is left in
+inconsistent state because we are not doing the correct things in
+the error path of q6asm_dai_compr_set_params().
+
+So, when routing is not set up and compress playback is attempted
+the following errors are present (simplified log):
+
+q6routing routing: Routing not setup for MultiMedia-1 Session
+q6asm-dai dais: Stream reg failed ret:-22
+q6asm-dai dais: ASoC error (-22): at snd_soc_component_compr_set_params()
+on 17300000.remoteproc:glink-edge:apr:service@7:dais
+
+After setting the correct routing the compress playback will always fail:
+
+q6asm-dai dais: cmd = 0x10db3 returned error = 0x9
+q6asm-dai dais: DSP returned error[9]
+q6asm-dai dais: q6asm_open_write failed
+q6asm-dai dais: ASoC error (-22): at snd_soc_component_compr_set_params()
+on 17300000.remoteproc:glink-edge:apr:service@7:dais
+
+0x9 here means "Operation is already processed". The CMD_OPEN here was
+sent the second time hence DSP responds that it was already done.
+
+Turns out the CMD_CLOSE should be sent after the q6asm_open_write()
+succeeded but something failed after that, for instance, routing
+setup.
+
+Fix this by slightly reworking the error path in
+q6asm_dai_compr_set_params().
+
+Tested on QRB5165 RB5 and SDM845 RB3 boards.
+
+Cc: stable@vger.kernel.org
+Fixes: 5b39363e54cc ("ASoC: q6asm-dai: prepare set params to accept profile change")
+Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Cc: Vinod Koul <vkoul@kernel.org>
+Cc: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Alexey Klimov <alexey.klimov@linaro.org>
+Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://patch.msgid.link/20250327154650.337404-1-alexey.klimov@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/qcom/qdsp6/q6asm-dai.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+--- a/sound/soc/qcom/qdsp6/q6asm-dai.c
++++ b/sound/soc/qcom/qdsp6/q6asm-dai.c
+@@ -902,9 +902,7 @@ static int q6asm_dai_compr_set_params(st
+
+ if (ret < 0) {
+ dev_err(dev, "q6asm_open_write failed\n");
+- q6asm_audio_client_free(prtd->audio_client);
+- prtd->audio_client = NULL;
+- return ret;
++ goto open_err;
+ }
+ }
+
+@@ -913,7 +911,7 @@ static int q6asm_dai_compr_set_params(st
+ prtd->session_id, dir);
+ if (ret) {
+ dev_err(dev, "Stream reg failed ret:%d\n", ret);
+- return ret;
++ goto q6_err;
+ }
+
+ ret = __q6asm_dai_compr_set_codec_params(component, stream,
+@@ -921,7 +919,7 @@ static int q6asm_dai_compr_set_params(st
+ prtd->stream_id);
+ if (ret) {
+ dev_err(dev, "codec param setup failed ret:%d\n", ret);
+- return ret;
++ goto q6_err;
+ }
+
+ ret = q6asm_map_memory_regions(dir, prtd->audio_client, prtd->phys,
+@@ -930,12 +928,21 @@ static int q6asm_dai_compr_set_params(st
+
+ if (ret < 0) {
+ dev_err(dev, "Buffer Mapping failed ret:%d\n", ret);
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto q6_err;
+ }
+
+ prtd->state = Q6ASM_STREAM_RUNNING;
+
+ return 0;
++
++q6_err:
++ q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE);
++
++open_err:
++ q6asm_audio_client_free(prtd->audio_client);
++ prtd->audio_client = NULL;
++ return ret;
+ }
+
+ static int q6asm_dai_compr_set_metadata(struct snd_soc_component *component,
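Review bot: The new `q6_err` label sends `CMD_CLOSE` unconditionally, but the "q6asm_open_write failed" check in the first hunk sits inside an enclosing block whose condition is outside the hunk, so on a path where the open was skipped the DSP would receive a close for a stream this call never opened. The return value of `q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE)` is also dropped; logging a failure there, e.g. `dev_err(dev, "CMD_CLOSE failed\n")`, would show when the DSP is still left in the inconsistent state the commit message describes. The failures that occur after the "Stream reg" step has succeeded also jump to `q6_err` with no visible undo of that registration, which is worth checking against the full function. q6asm_dai_compr_set_params() starts outside these hunks.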
--- /dev/null
+From 0686a818d77a431fc3ba2fab4b46bbb04e8c9380 Mon Sep 17 00:00:00 2001
+From: Jeffrey Hugo <quic_jhugo@quicinc.com>
+Date: Thu, 6 Mar 2025 10:29:13 -0700
+Subject: bus: mhi: host: Fix race between unprepare and queue_buf
+
+From: Jeff Hugo <quic_jhugo@quicinc.com>
+
+commit 0686a818d77a431fc3ba2fab4b46bbb04e8c9380 upstream.
+
+A client driver may use mhi_unprepare_from_transfer() to quiesce
+incoming data during the client driver's tear down. The client driver
+might also be processing data at the same time, resulting in a call to
+mhi_queue_buf() which will invoke mhi_gen_tre(). If mhi_gen_tre() runs
+after mhi_unprepare_from_transfer() has torn down the channel, a panic
+will occur due to an invalid dereference leading to a page fault.
+
+This occurs because mhi_gen_tre() does not verify the channel state
+after locking it. Fix this by having mhi_gen_tre() confirm the channel
+state is valid, or return error to avoid accessing deinitialized data.
+
+Cc: stable@vger.kernel.org # 6.8
+Fixes: b89b6a863dd5 ("bus: mhi: host: Add spinlock to protect WP access when queueing TREs")
+Signed-off-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
+Signed-off-by: Jeff Hugo <jeff.hugo@oss.qualcomm.com>
+Reviewed-by: Krishna Chaitanya Chundru <krishna.chundru@oss.qualcomm.com>
+Reviewed-by: Youssef Samir <quic_yabdulra@quicinc.com>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Reviewed-by: Troy Hanson <quic_thanson@quicinc.com>
+Link: https://lore.kernel.org/r/20250306172913.856982-1-jeff.hugo@oss.qualcomm.com
+[mani: added stable tag]
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/mhi/host/main.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/drivers/bus/mhi/host/main.c
++++ b/drivers/bus/mhi/host/main.c
+@@ -1204,11 +1204,16 @@ int mhi_gen_tre(struct mhi_controller *m
+ struct mhi_ring_element *mhi_tre;
+ struct mhi_buf_info *buf_info;
+ int eot, eob, chain, bei;
+- int ret;
++ int ret = 0;
+
+ /* Protect accesses for reading and incrementing WP */
+ write_lock_bh(&mhi_chan->lock);
+
++ if (mhi_chan->ch_state != MHI_CH_STATE_ENABLED) {
++ ret = -ENODEV;
++ goto out;
++ }
++
+ buf_ring = &mhi_chan->buf_ring;
+ tre_ring = &mhi_chan->tre_ring;
+
+@@ -1226,10 +1231,8 @@ int mhi_gen_tre(struct mhi_controller *m
+
+ if (!info->pre_mapped) {
+ ret = mhi_cntrl->map_single(mhi_cntrl, buf_info);
+- if (ret) {
+- write_unlock_bh(&mhi_chan->lock);
+- return ret;
+- }
++ if (ret)
++ goto out;
+ }
+
+ eob = !!(flags & MHI_EOB);
+@@ -1246,9 +1249,10 @@ int mhi_gen_tre(struct mhi_controller *m
+ mhi_add_ring_element(mhi_cntrl, tre_ring);
+ mhi_add_ring_element(mhi_cntrl, buf_ring);
+
++out:
+ write_unlock_bh(&mhi_chan->lock);
+
+- return 0;
++ return ret;
+ }
+
+ int mhi_queue_buf(struct mhi_device *mhi_dev, enum dma_data_direction dir,
--- /dev/null
+From 96bf4b89a6ab22426ad83ef76e66c72a5a8daca0 Mon Sep 17 00:00:00 2001
+From: Alexandre Torgue <alexandre.torgue@foss.st.com>
+Date: Thu, 6 Mar 2025 11:25:01 +0100
+Subject: clocksource/drivers/stm32-lptimer: Use wakeup capable instead of init wakeup
+
+From: Alexandre Torgue <alexandre.torgue@foss.st.com>
+
+commit 96bf4b89a6ab22426ad83ef76e66c72a5a8daca0 upstream.
+
+"wakeup-source" property describes a device which has wakeup capability
+but should not force this device as a wakeup source.
+
+Fixes: 48b41c5e2de6 ("clocksource: Add Low Power STM32 timers driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexandre Torgue <alexandre.torgue@foss.st.com>
+Signed-off-by: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
+Rule: add
+Link: https://lore.kernel.org/stable/20250306083407.2374894-1-fabrice.gasnier%40foss.st.com
+Link: https://lore.kernel.org/r/20250306102501.2980153-1-fabrice.gasnier@foss.st.com
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clocksource/timer-stm32-lp.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/clocksource/timer-stm32-lp.c
++++ b/drivers/clocksource/timer-stm32-lp.c
+@@ -168,9 +168,7 @@ static int stm32_clkevent_lp_probe(struc
+ }
+
+ if (of_property_read_bool(pdev->dev.parent->of_node, "wakeup-source")) {
+- ret = device_init_wakeup(&pdev->dev, true);
+- if (ret)
+- goto out_clk_disable;
++ device_set_wakeup_capable(&pdev->dev, true);
+
+ ret = dev_pm_set_wake_irq(&pdev->dev, irq);
+ if (ret)
--- /dev/null
+From 3a544a39e0a4c492e3026dfbed018321d2bd6caa Mon Sep 17 00:00:00 2001
+From: Alain Volmat <alain.volmat@foss.st.com>
+Date: Mon, 10 Feb 2025 11:04:31 +0100
+Subject: dt-bindings: media: st,stmipid02: correct lane-polarities maxItems
+
+From: Alain Volmat <alain.volmat@foss.st.com>
+
+commit 3a544a39e0a4c492e3026dfbed018321d2bd6caa upstream.
+
+The MIPID02 can use up to 2 data lanes which leads to having a maximum
+item number of 3 for the lane-polarities since this also contains the
+clock lane.
+
+CC: stable@vger.kernel.org
+Fixes: c2741cbe7f8a ("dt-bindings: media: st,stmipid02: Convert the text bindings to YAML")
+Signed-off-by: Alain Volmat <alain.volmat@foss.st.com>
+Acked-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/media/i2c/st,st-mipid02.yaml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/media/i2c/st,st-mipid02.yaml
++++ b/Documentation/devicetree/bindings/media/i2c/st,st-mipid02.yaml
+@@ -71,7 +71,7 @@ properties:
+ description:
+ Any lane can be inverted or not.
+ minItems: 1
+- maxItems: 2
++ maxItems: 3
+
+ required:
+ - data-lanes
--- /dev/null
+From 94824ac9a8aaf2fb3c54b4bdde842db80ffa555d Mon Sep 17 00:00:00 2001
+From: Artem Sadovnikov <a.sadovnikov@ispras.ru>
+Date: Fri, 4 Apr 2025 08:28:05 +0000
+Subject: ext4: fix off-by-one error in do_split
+
+From: Artem Sadovnikov <a.sadovnikov@ispras.ru>
+
+commit 94824ac9a8aaf2fb3c54b4bdde842db80ffa555d upstream.
+
+Syzkaller detected a use-after-free issue in ext4_insert_dentry that was
+caused by out-of-bounds access due to incorrect splitting in do_split.
+
+BUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
+Write of size 251 at addr ffff888074572f14 by task syz-executor335/5847
+
+CPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:377 [inline]
+ print_report+0x169/0x550 mm/kasan/report.c:488
+ kasan_report+0x143/0x180 mm/kasan/report.c:601
+ kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
+ __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
+ ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
+ add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154
+ make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351
+ ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455
+ ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796
+ ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431
+ vfs_symlink+0x137/0x2e0 fs/namei.c:4615
+ do_symlinkat+0x222/0x3a0 fs/namei.c:4641
+ __do_sys_symlink fs/namei.c:4662 [inline]
+ __se_sys_symlink fs/namei.c:4660 [inline]
+ __x64_sys_symlink+0x7a/0x90 fs/namei.c:4660
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ </TASK>
+
+The following loop is located right above 'if' statement.
+
+for (i = count-1; i >= 0; i--) {
+ /* is more than half of this entry in 2nd half of the block? */
+ if (size + map[i].size/2 > blocksize/2)
+ break;
+ size += map[i].size;
+ move++;
+}
+
+'i' in this case could go down to -1, in which case sum of active entries
+wouldn't exceed half the block size, but previous behaviour would also do
+split in half if sum would exceed at the very last block, which in case of
+having too many long name files in a single block could lead to
+out-of-bounds access and following use-after-free.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Cc: stable@vger.kernel.org
+Fixes: 5872331b3d91 ("ext4: fix potential negative array index in do_split()")
+Signed-off-by: Artem Sadovnikov <a.sadovnikov@ispras.ru>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://patch.msgid.link/20250404082804.2567-3-a.sadovnikov@ispras.ru
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/namei.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -2041,7 +2041,7 @@ static struct ext4_dir_entry_2 *do_split
+ * split it in half by count; each resulting block will have at least
+ * half the space free.
+ */
+- if (i > 0)
++ if (i >= 0)
+ split = count - move;
+ else
+ split = count/2;
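Review bot: The comment above `if (i >= 0)` still does not say which value of `i` corresponds to "the sum of active entries didn't exceed half the block size", which is exactly what this condition got wrong before. The loop quoted in the commit message leaves `i == -1` only when it ran through every entry without hitting `break`, so I would add `/* i < 0: the loop never broke, all entries fit in half the block */` on the `else` branch. The loop and the later use of `split` are outside this hunk, so how the result is consumed cannot be checked from here.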
--- /dev/null
+From f098aeba04c9328571567dca45159358a250240c Mon Sep 17 00:00:00 2001
+From: Yeongjin Gil <youngjin.gil@samsung.com>
+Date: Fri, 14 Mar 2025 21:06:51 +0900
+Subject: f2fs: fix to avoid atomicity corruption of atomic file
+
+From: Yeongjin Gil <youngjin.gil@samsung.com>
+
+commit f098aeba04c9328571567dca45159358a250240c upstream.
+
+In the case of the following call stack for an atomic file,
+FI_DIRTY_INODE is set, but FI_ATOMIC_DIRTIED is not subsequently set.
+
+f2fs_file_write_iter
+ f2fs_map_blocks
+ f2fs_reserve_new_blocks
+ inc_valid_block_count
+ __mark_inode_dirty(dquot)
+ f2fs_dirty_inode
+
+If FI_ATOMIC_DIRTIED is not set, atomic file can encounter corruption
+due to a mismatch between old file size and new data.
+
+To resolve this issue, I changed to set FI_ATOMIC_DIRTIED when
+FI_DIRTY_INODE is set. This ensures that FI_DIRTY_INODE, which was
+previously cleared by the Writeback thread during the commit atomic, is
+set and i_size is updated.
+
+Cc: <stable@vger.kernel.org>
+Fixes: fccaa81de87e ("f2fs: prevent atomic file from being dirtied before commit")
+Reviewed-by: Sungjong Seo <sj1557.seo@samsung.com>
+Reviewed-by: Sunmin Jeong <s_min.jeong@samsung.com>
+Signed-off-by: Yeongjin Gil <youngjin.gil@samsung.com>
+Reviewed-by: Daeho Jeong <daehojeong@google.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/inode.c | 4 +---
+ fs/f2fs/super.c | 4 ++++
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+--- a/fs/f2fs/inode.c
++++ b/fs/f2fs/inode.c
+@@ -35,10 +35,8 @@ void f2fs_mark_inode_dirty_sync(struct i
+ if (f2fs_inode_dirtied(inode, sync))
+ return;
+
+- if (f2fs_is_atomic_file(inode)) {
+- set_inode_flag(inode, FI_ATOMIC_DIRTIED);
++ if (f2fs_is_atomic_file(inode))
+ return;
+- }
+
+ mark_inode_dirty_sync(inode);
+ }
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -1499,6 +1499,10 @@ int f2fs_inode_dirtied(struct inode *ino
+ inc_page_count(sbi, F2FS_DIRTY_IMETA);
+ }
+ spin_unlock(&sbi->inode_lock[DIRTY_META]);
++
++ if (!ret && f2fs_is_atomic_file(inode))
++ set_inode_flag(inode, FI_ATOMIC_DIRTIED);
++
+ return ret;
+ }
+
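Review bot: `set_inode_flag(inode, FI_ATOMIC_DIRTIED)` is placed after `spin_unlock(&sbi->inode_lock[DIRTY_META])`, so the flag is set outside the lock that covers the dirty-list update just above it, and nothing here says whether that is intentional. The code that clears the flag during atomic commit is outside this hunk, so whether it depends on that lock cannot be confirmed from the visible lines. A short comment would settle it for the next reader, e.g. `/* atomic files skip mark_inode_dirty_sync() in f2fs_mark_inode_dirty_sync(); record the dirtying here */`.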
--- /dev/null
+From cf960726eb65e8d0bfecbcce6cf95f47b1ffa6cc Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Mon, 7 Apr 2025 07:51:23 -0600
+Subject: io_uring/kbuf: reject zero sized provided buffers
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit cf960726eb65e8d0bfecbcce6cf95f47b1ffa6cc upstream.
+
+This isn't fixing a real issue, but there's also zero point in going
+through group and buffer setup, when the buffers are going to be
+rejected once attempted to get used.
+
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+58928048fd1416f1457c@syzkaller.appspotmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/kbuf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/io_uring/kbuf.c
++++ b/io_uring/kbuf.c
+@@ -321,6 +321,8 @@ int io_provide_buffers_prep(struct io_ki
+ p->nbufs = tmp;
+ p->addr = READ_ONCE(sqe->addr);
+ p->len = READ_ONCE(sqe->len);
++ if (!p->len)
++ return -EINVAL;
+
+ if (check_mul_overflow((unsigned long)p->len, (unsigned long)p->nbufs,
+ &size))
--- /dev/null
+From 250f25367b58d8c65a1b060a2dda037eea09a672 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Fri, 14 Mar 2025 13:34:09 +0000
+Subject: KVM: arm64: Tear down vGIC on failed vCPU creation
+
+From: Will Deacon <will@kernel.org>
+
+commit 250f25367b58d8c65a1b060a2dda037eea09a672 upstream.
+
+If kvm_arch_vcpu_create() fails to share the vCPU page with the
+hypervisor, we propagate the error back to the ioctl but leave the
+vGIC vCPU data initialised. Note only does this leak the corresponding
+memory when the vCPU is destroyed but it can also lead to use-after-free
+if the redistributor device handling tries to walk into the vCPU.
+
+Add the missing cleanup to kvm_arch_vcpu_create(), ensuring that the
+vGIC vCPU structures are destroyed on error.
+
+Cc: <stable@vger.kernel.org>
+Cc: Marc Zyngier <maz@kernel.org>
+Cc: Oliver Upton <oliver.upton@linux.dev>
+Cc: Quentin Perret <qperret@google.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Reviewed-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20250314133409.9123-1-will@kernel.org
+Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kvm/arm.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/kvm/arm.c
++++ b/arch/arm64/kvm/arm.c
+@@ -391,7 +391,11 @@ int kvm_arch_vcpu_create(struct kvm_vcpu
+ if (err)
+ return err;
+
+- return kvm_share_hyp(vcpu, vcpu + 1);
++ err = kvm_share_hyp(vcpu, vcpu + 1);
++ if (err)
++ kvm_vgic_vcpu_destroy(vcpu);
++
++ return err;
+ }
+
+ void kvm_arch_vcpu_postcreate(struct kvm_vcpu *vcpu)
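Review bot: The new error path undoes only the vGIC setup with `kvm_vgic_vcpu_destroy(vcpu)`, and there is no comment explaining why that is the one earlier step that needs unwinding when `kvm_share_hyp()` fails. The earlier initialisation calls in kvm_arch_vcpu_create() are outside this hunk, so it cannot be confirmed here that none of them also leave per-vCPU state behind. If that is the case, I would state it next to the call, e.g. `/* the vGIC is the only state set up above that needs explicit teardown */`.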
--- /dev/null
+From 9e38acacb9d809b97a0bdc5c76e725355a47158a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niklas=20S=C3=B6derlund?=
+ <niklas.soderlund+renesas@ragnatech.se>
+Date: Tue, 21 Jan 2025 21:44:00 +0100
+Subject: media: i2c: adv748x: Fix test pattern selection mask
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+
+commit 9e38acacb9d809b97a0bdc5c76e725355a47158a upstream.
+
+The mask to select the test-pattern in register ADV748X_SDP_FRP is
+incorrect, it's the lower 3 bits which controls the pattern. The
+GENMASK() macro is used incorrectly and the generated mask is 0x0e
+instead of 0x07.
+
+The result is that not all test patterns are selectable, and that in
+some cases the wrong test pattern is activated. Fix this by correcting
+the GENMASK().
+
+Fixes: 3e89586a64df ("media: i2c: adv748x: add adv748x driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+[hverkuil: fixed tiny typo in commit log: my -> by]
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/adv748x/adv748x.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/i2c/adv748x/adv748x.h
++++ b/drivers/media/i2c/adv748x/adv748x.h
+@@ -322,7 +322,7 @@ struct adv748x_state {
+
+ /* Free run pattern select */
+ #define ADV748X_SDP_FRP 0x14
+-#define ADV748X_SDP_FRP_MASK GENMASK(3, 1)
++#define ADV748X_SDP_FRP_MASK GENMASK(2, 0)
+
+ /* Saturation */
+ #define ADV748X_SDP_SD_SAT_U 0xe3 /* user_map_rw_reg_e3 */
--- /dev/null
+From 80704d14f1bd3628f578510e0a88b66824990ef6 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Fri, 10 Jan 2025 15:54:22 +0200
+Subject: media: i2c: ccs: Set the device's runtime PM status correctly in probe
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit 80704d14f1bd3628f578510e0a88b66824990ef6 upstream.
+
+Set the device's runtime PM status to suspended in probe error paths where
+it was previously set to active.
+
+Fixes: 9447082ae666 ("[media] smiapp: Implement power-on and power-off sequences without runtime PM")
+Cc: stable@vger.kernel.org # for >= v5.15
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ccs/ccs-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/media/i2c/ccs/ccs-core.c
++++ b/drivers/media/i2c/ccs/ccs-core.c
+@@ -3651,6 +3651,7 @@ static int ccs_probe(struct i2c_client *
+ out_disable_runtime_pm:
+ pm_runtime_put_noidle(&client->dev);
+ pm_runtime_disable(&client->dev);
++ pm_runtime_set_suspended(&client->dev);
+
+ out_media_entity_cleanup:
+ media_entity_cleanup(&sensor->src->sd.entity);
--- /dev/null
+From e04604583095faf455b3490b004254a225fd60d4 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Fri, 10 Jan 2025 14:50:27 +0200
+Subject: media: i2c: ccs: Set the device's runtime PM status correctly in remove
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit e04604583095faf455b3490b004254a225fd60d4 upstream.
+
+Set the device's runtime PM status to suspended in device removal only if
+it wasn't suspended already.
+
+Fixes: 9447082ae666 ("[media] smiapp: Implement power-on and power-off sequences without runtime PM")
+Cc: stable@vger.kernel.org # for >= v5.15
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ccs/ccs-core.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/i2c/ccs/ccs-core.c
++++ b/drivers/media/i2c/ccs/ccs-core.c
+@@ -3683,9 +3683,10 @@ static void ccs_remove(struct i2c_client
+ v4l2_async_unregister_subdev(subdev);
+
+ pm_runtime_disable(&client->dev);
+- if (!pm_runtime_status_suspended(&client->dev))
++ if (!pm_runtime_status_suspended(&client->dev)) {
+ ccs_power_off(&client->dev);
+- pm_runtime_set_suspended(&client->dev);
++ pm_runtime_set_suspended(&client->dev);
++ }
+
+ for (i = 0; i < sensor->ssds_used; i++) {
+ v4l2_device_unregister_subdev(&sensor->ssds[i].sd);
--- /dev/null
+From 42eceae9793566d0df53d509be3e416465c347f5 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Fri, 10 Jan 2025 14:53:20 +0200
+Subject: media: i2c: imx219: Rectify runtime PM handling in probe and remove
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit 42eceae9793566d0df53d509be3e416465c347f5 upstream.
+
+Set the device's runtime PM status and enable runtime PM before
+registering the async sub-device. This is needed to avoid the case where
+the device is runtime PM resumed while runtime PM has not been enabled
+yet.
+
+Also set the device's runtime PM status to suspended in remove only if it
+wasn't so already.
+
+Fixes: 1283b3b8f82b ("media: i2c: Add driver for Sony IMX219 sensor")
+Cc: stable@vger.kernel.org # for >= v6.6
+Reviewed-by: Bingbu Cao <bingbu.cao@intel.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/imx219.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/media/i2c/imx219.c
++++ b/drivers/media/i2c/imx219.c
+@@ -1334,21 +1334,23 @@ static int imx219_probe(struct i2c_clien
+ goto error_media_entity;
+ }
+
++ pm_runtime_set_active(dev);
++ pm_runtime_enable(dev);
++
+ ret = v4l2_async_register_subdev_sensor(&imx219->sd);
+ if (ret < 0) {
+ dev_err(dev, "failed to register sensor sub-device: %d\n", ret);
+ goto error_subdev_cleanup;
+ }
+
+- /* Enable runtime PM and turn off the device */
+- pm_runtime_set_active(dev);
+- pm_runtime_enable(dev);
+ pm_runtime_idle(dev);
+
+ return 0;
+
+ error_subdev_cleanup:
+ v4l2_subdev_cleanup(&imx219->sd);
++ pm_runtime_disable(dev);
++ pm_runtime_set_suspended(dev);
+
+ error_media_entity:
+ media_entity_cleanup(&imx219->sd.entity);
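Review bot: The removed comment was the only explanation of the runtime PM sequence, and the relocated `pm_runtime_set_active(dev)` / `pm_runtime_enable(dev)` pair now has none, although its position before `v4l2_async_register_subdev_sensor()` is the whole point of the change. I would add `/* Enable runtime PM before the sub-device is registered and may be resumed */` above the pair and keep a one-line `/* Turn off the device */` above `pm_runtime_idle(dev)`. The return value of `pm_runtime_set_active()` is also ignored, as it was before the move; a failure there would leave the PM status out of step with the powered sensor.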
+@@ -1373,9 +1375,10 @@ static void imx219_remove(struct i2c_cli
+ imx219_free_controls(imx219);
+
+ pm_runtime_disable(&client->dev);
+- if (!pm_runtime_status_suspended(&client->dev))
++ if (!pm_runtime_status_suspended(&client->dev)) {
+ imx219_power_off(&client->dev);
+- pm_runtime_set_suspended(&client->dev);
++ pm_runtime_set_suspended(&client->dev);
++ }
+ }
+
+ static const struct of_device_id imx219_dt_ids[] = {
--- /dev/null
+From 3d391292cdd53984ec1b9a1f6182a62a62751e03 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Fri, 17 Jan 2025 16:04:02 +0200
+Subject: media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit 3d391292cdd53984ec1b9a1f6182a62a62751e03 upstream.
+
+Lift the xshutdown (enable) GPIO 1 ms after enabling the regulators, as
+required by the sensor's power-up sequence.
+
+Fixes: d30bb512da3d ("media: Add a driver for the ov7251 camera sensor")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ov7251.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/i2c/ov7251.c
++++ b/drivers/media/i2c/ov7251.c
+@@ -922,6 +922,8 @@ static int ov7251_set_power_on(struct de
+ return ret;
+ }
+
++ usleep_range(1000, 1100);
++
+ gpiod_set_value_cansleep(ov7251->enable_gpio, 1);
+
+ /* wait at least 65536 external clock cycles */
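Review bot: `usleep_range(1000, 1100)` has no comment, while the wait that follows it is documented (`/* wait at least 65536 external clock cycles */`), so the reason for the 1 ms can only be recovered from the commit message. Add `/* xshutdown must stay low for at least 1 ms after the regulators are enabled */` above the new line.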
--- /dev/null
+From a1963698d59cec83df640ded343af08b76c8e9c5 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Fri, 17 Jan 2025 15:38:13 +0200
+Subject: media: i2c: ov7251: Set enable GPIO low in probe
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit a1963698d59cec83df640ded343af08b76c8e9c5 upstream.
+
+Set the enable GPIO low when acquiring it.
+
+Fixes: d30bb512da3d ("media: Add a driver for the ov7251 camera sensor")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ov7251.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/i2c/ov7251.c
++++ b/drivers/media/i2c/ov7251.c
+@@ -1675,7 +1675,7 @@ static int ov7251_probe(struct i2c_clien
+ return PTR_ERR(ov7251->analog_regulator);
+ }
+
+- ov7251->enable_gpio = devm_gpiod_get(dev, "enable", GPIOD_OUT_HIGH);
++ ov7251->enable_gpio = devm_gpiod_get(dev, "enable", GPIOD_OUT_LOW);
+ if (IS_ERR(ov7251->enable_gpio)) {
+ dev_err(dev, "cannot get enable gpio\n");
+ return PTR_ERR(ov7251->enable_gpio);
--- /dev/null
+From 4936cd5817af35d23e4d283f48fa59a18ef481e4 Mon Sep 17 00:00:00 2001
+From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Date: Tue, 18 Feb 2025 18:58:09 +0000
+Subject: media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization
+
+From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+
+commit 4936cd5817af35d23e4d283f48fa59a18ef481e4 upstream.
+
+On Mediatek devices with a system companion processor (SCP) the mtk_scp
+structure has to be removed explicitly to avoid a resource leak.
+Free the structure in case the allocation of the firmware structure fails
+during the firmware initialization.
+
+Fixes: 53dbe0850444 ("media: mtk-vcodec: potential null pointer deference in SCP")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_scp.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_scp.c
++++ b/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_scp.c
+@@ -79,8 +79,11 @@ struct mtk_vcodec_fw *mtk_vcodec_fw_scp_
+ }
+
+ fw = devm_kzalloc(&plat_dev->dev, sizeof(*fw), GFP_KERNEL);
+- if (!fw)
++ if (!fw) {
++ scp_put(scp);
+ return ERR_PTR(-ENOMEM);
++ }
++
+ fw->type = SCP;
+ fw->ops = &mtk_vcodec_rproc_msg;
+ fw->scp = scp;
--- /dev/null
+From 07df4f23ef3ffe6fee697cd2e03623ad27108843 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 18 Oct 2024 15:21:10 +0000
+Subject: media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 07df4f23ef3ffe6fee697cd2e03623ad27108843 upstream.
+
+This is one of three clang warnings about incompatible enum types
+in a conditional expression:
+
+drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c:597:29: error: conditional expression between different enumeration types ('enum scp_ipi_id' and 'enum ipi_id') [-Werror,-Wenum-compare-conditional]
+ 597 | inst->vpu_inst.id = is_ext ? SCP_IPI_VENC_H264 : IPI_VENC_H264;
+ | ^ ~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~
+
+The code is correct, so just rework it to avoid the warning.
+
+Fixes: 0dc4b3286125 ("media: mtk-vcodec: venc: support SCP firmware")
+Cc: stable@vger.kernel.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Alexandre Courbot <acourbot@google.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c
++++ b/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c
+@@ -594,7 +594,11 @@ static int h264_enc_init(struct mtk_vcod
+
+ inst->ctx = ctx;
+ inst->vpu_inst.ctx = ctx;
+- inst->vpu_inst.id = is_ext ? SCP_IPI_VENC_H264 : IPI_VENC_H264;
++ if (is_ext)
++ inst->vpu_inst.id = SCP_IPI_VENC_H264;
++ else
++ inst->vpu_inst.id = IPI_VENC_H264;
++
+ inst->hw_base = mtk_vcodec_get_reg_addr(inst->ctx->dev->reg_base, VENC_SYS);
+
+ ret = vpu_enc_init(&inst->vpu_inst);
--- /dev/null
+From f883f34b6a46b1a09d44d7f94c3cd72fe0e8f93b Mon Sep 17 00:00:00 2001
+From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Date: Fri, 22 Nov 2024 20:46:03 +0000
+Subject: media: platform: stm32: Add check for clk_enable()
+
+From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+
+commit f883f34b6a46b1a09d44d7f94c3cd72fe0e8f93b upstream.
+
+Add check for the return value of clk_enable() to gurantee the success.
+
+Fixes: 002e8f0d5927 ("media: stm32-dma2d: STM32 DMA2D driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/st/stm32/dma2d/dma2d.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/platform/st/stm32/dma2d/dma2d.c
++++ b/drivers/media/platform/st/stm32/dma2d/dma2d.c
+@@ -492,7 +492,8 @@ static void device_run(void *prv)
+ dst->sequence = frm_cap->sequence++;
+ v4l2_m2m_buf_copy_metadata(src, dst, true);
+
+- clk_enable(dev->gate);
++ if (clk_enable(dev->gate))
++ goto end;
+
+ dma2d_config_fg(dev, frm_out,
+ vb2_dma_contig_plane_dma_addr(&src->vb2_buf, 0));
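Review bot: The `clk_enable()` check sits after `dst->sequence = frm_cap->sequence++` and `v4l2_m2m_buf_copy_metadata(src, dst, true)`, so on failure the sequence counter has already been advanced for a frame that is never processed, and the failure is dropped without a log line. Moving `if (clk_enable(dev->gate)) goto end;` above the sequence assignments (which begin outside this hunk) would avoid the skipped number. device_run() returns void and the `end:` label is outside the hunk, so it cannot be confirmed from here that the queued job is finished or its buffers returned on this path. If `end:` only unwinds locking, the job would be left pending.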
--- /dev/null
+From 734ac57e47b3bdd140a1119e2c4e8e6f8ef8b33d Mon Sep 17 00:00:00 2001
+From: Yuan Can <yuancan@huawei.com>
+Date: Tue, 22 Oct 2024 14:50:37 +0800
+Subject: media: siano: Fix error handling in smsdvb_module_init()
+
+From: Yuan Can <yuancan@huawei.com>
+
+commit 734ac57e47b3bdd140a1119e2c4e8e6f8ef8b33d upstream.
+
+The smsdvb_module_init() returns without checking the retval from
+smscore_register_hotplug().
+If the smscore_register_hotplug() failed, the module failed to install,
+leaving the smsdvb_debugfs not unregistered.
+
+Fixes: 3f6b87cff66b ("[media] siano: allow showing the complete statistics via debugfs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Acked-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/common/siano/smsdvb-main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/common/siano/smsdvb-main.c
++++ b/drivers/media/common/siano/smsdvb-main.c
+@@ -1243,6 +1243,8 @@ static int __init smsdvb_module_init(voi
+ smsdvb_debugfs_register();
+
+ rc = smscore_register_hotplug(smsdvb_hotplug);
++ if (rc)
++ smsdvb_debugfs_unregister();
+
+ pr_debug("\n");
+
--- /dev/null
+From 549f6d348167fb2f7800ed7c8d4bce9630c74498 Mon Sep 17 00:00:00 2001
+From: Murad Masimov <m.masimov@mt-integration.ru>
+Date: Mon, 13 Jan 2025 13:51:31 +0300
+Subject: media: streamzap: prevent processing IR data on URB failure
+
+From: Murad Masimov <m.masimov@mt-integration.ru>
+
+commit 549f6d348167fb2f7800ed7c8d4bce9630c74498 upstream.
+
+If streamzap_callback() receives an urb with any non-critical error
+status, i.e. any error code other than -ECONNRESET, -ENOENT or -ESHUTDOWN,
+it will try to process IR data, ignoring a possible transfer failure.
+
+Make streamzap_callback() process IR data only when urb->status is 0.
+Move processing logic to a separate function to make code cleaner and
+more similar to the URB completion handlers in other RC drivers.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: 19770693c354 ("V4L/DVB: staging/lirc: add lirc_streamzap driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Murad Masimov <m.masimov@mt-integration.ru>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/rc/streamzap.c | 68 ++++++++++++++++++++++++-------------------
+ 1 file changed, 38 insertions(+), 30 deletions(-)
+
+--- a/drivers/media/rc/streamzap.c
++++ b/drivers/media/rc/streamzap.c
+@@ -138,39 +138,10 @@ static void sz_push_half_space(struct st
+ sz_push_full_space(sz, value & SZ_SPACE_MASK);
+ }
+
+-/*
+- * streamzap_callback - usb IRQ handler callback
+- *
+- * This procedure is invoked on reception of data from
+- * the usb remote.
+- */
+-static void streamzap_callback(struct urb *urb)
++static void sz_process_ir_data(struct streamzap_ir *sz, int len)
+ {
+- struct streamzap_ir *sz;
+ unsigned int i;
+- int len;
+-
+- if (!urb)
+- return;
+-
+- sz = urb->context;
+- len = urb->actual_length;
+-
+- switch (urb->status) {
+- case -ECONNRESET:
+- case -ENOENT:
+- case -ESHUTDOWN:
+- /*
+- * this urb is terminated, clean up.
+- * sz might already be invalid at this point
+- */
+- dev_err(sz->dev, "urb terminated, status: %d\n", urb->status);
+- return;
+- default:
+- break;
+- }
+
+- dev_dbg(sz->dev, "%s: received urb, len %d\n", __func__, len);
+ for (i = 0; i < len; i++) {
+ dev_dbg(sz->dev, "sz->buf_in[%d]: %x\n",
+ i, (unsigned char)sz->buf_in[i]);
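Review bot: `sz_process_ir_data()` takes `int len` but compares it with `unsigned int i` in `for (i = 0; i < len; i++)`, so the comparison is done in unsigned arithmetic and a negative `len` would turn into a very large bound on the `sz->buf_in[i]` reads. The caller passes `urb->actual_length`, so declaring the parameter unsigned matches both the source and the loop index: `static void sz_process_ir_data(struct streamzap_ir *sz, unsigned int len)`. The new helper also has no header comment; one line saying that it walks `len` bytes of `sz->buf_in` would do. The loop body continues outside this hunk.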
+@@ -219,6 +190,43 @@ static void streamzap_callback(struct ur
+ }
+
+ ir_raw_event_handle(sz->rdev);
++}
++
++/*
++ * streamzap_callback - usb IRQ handler callback
++ *
++ * This procedure is invoked on reception of data from
++ * the usb remote.
++ */
++static void streamzap_callback(struct urb *urb)
++{
++ struct streamzap_ir *sz;
++ int len;
++
++ if (!urb)
++ return;
++
++ sz = urb->context;
++ len = urb->actual_length;
++
++ switch (urb->status) {
++ case 0:
++ dev_dbg(sz->dev, "%s: received urb, len %d\n", __func__, len);
++ sz_process_ir_data(sz, len);
++ break;
++ case -ECONNRESET:
++ case -ENOENT:
++ case -ESHUTDOWN:
++ /*
++ * this urb is terminated, clean up.
++ * sz might already be invalid at this point
++ */
++ dev_err(sz->dev, "urb terminated, status: %d\n", urb->status);
++ return;
++ default:
++ break;
++ }
++
+ usb_submit_urb(urb, GFP_ATOMIC);
+ }
+
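Review bot: In the `-ECONNRESET`/`-ENOENT`/`-ESHUTDOWN` branch the comment says "sz might already be invalid at this point", yet the next line dereferences it in `dev_err(sz->dev, ...)`. Either the comment is stale, in which case reword it to `/* this urb is terminated, do not resubmit */`, or the log must not go through `sz`; the disconnect path that decides this is outside the hunk. Separately, the `default:` branch skips processing but still reaches `usb_submit_urb(urb, GFP_ATOMIC)` silently and with the return value ignored, so a persistently failing transfer is resubmitted with no trace. A `dev_dbg(sz->dev, "urb status: %d\n", urb->status);` in that branch would at least make it visible.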
--- /dev/null
+From 3edd1fc48d2c045e8259561797c89fe78f01717e Mon Sep 17 00:00:00 2001
+From: Karina Yankevich <k.yankevich@omp.ru>
+Date: Wed, 21 Aug 2024 14:31:34 +0300
+Subject: media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf()
+
+From: Karina Yankevich <k.yankevich@omp.ru>
+
+commit 3edd1fc48d2c045e8259561797c89fe78f01717e upstream.
+
+In v4l2_detect_gtf(), it seems safer to cast the 32-bit image_width
+variable to the 64-bit type u64 before multiplying to avoid
+a possible overflow. The resulting object code even seems to
+look better, at least on x86_64.
+
+Found by Linux Verification Center (linuxtesting.org) with Svace.
+
+[Sergey: rewrote the patch subject/descripition]
+
+Fixes: c9bc9f50753d ("[media] v4l2-dv-timings: fix overflow in gtf timings calculation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Karina Yankevich <k.yankevich@omp.ru>
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/v4l2-core/v4l2-dv-timings.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-dv-timings.c
++++ b/drivers/media/v4l2-core/v4l2-dv-timings.c
+@@ -764,7 +764,7 @@ bool v4l2_detect_gtf(unsigned int frame_
+ u64 num;
+ u32 den;
+
+- num = ((image_width * GTF_D_C_PRIME * (u64)hfreq) -
++ num = (((u64)image_width * GTF_D_C_PRIME * hfreq) -
+ ((u64)image_width * GTF_D_M_PRIME * 1000));
+ den = (hfreq * (100 - GTF_D_C_PRIME) + GTF_D_M_PRIME * 1000) *
+ (2 * GTF_CELL_GRAN);
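Review bot: Only `num` is widened here; `den` on the following lines is still a `u32` computed as `(hfreq * (100 - GTF_D_C_PRIME) + GTF_D_M_PRIME * 1000) * (2 * GTF_CELL_GRAN)`, which is evaluated in 32 bits if `hfreq` is a 32-bit type (its declaration is outside the hunk) and can wrap for a large enough `hfreq`. The subtraction in `num` likewise wraps as an unsigned value when the first product is smaller than the second. The same applies to the `GTF_S_*` variant in the next hunk. If `hfreq` is not range-checked earlier in v4l2_detect_gtf(), bound it before this point; if it is, record the assumption with `/* den fits in u32 for the hfreq range accepted above */`.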
+@@ -774,7 +774,7 @@ bool v4l2_detect_gtf(unsigned int frame_
+ u64 num;
+ u32 den;
+
+- num = ((image_width * GTF_S_C_PRIME * (u64)hfreq) -
++ num = (((u64)image_width * GTF_S_C_PRIME * hfreq) -
+ ((u64)image_width * GTF_S_M_PRIME * 1000));
+ den = (hfreq * (100 - GTF_S_C_PRIME) + GTF_S_M_PRIME * 1000) *
+ (2 * GTF_CELL_GRAN);
--- /dev/null
+From f4b211714bcc70effa60c34d9fa613d182e3ef1e Mon Sep 17 00:00:00 2001
+From: Vikash Garodia <quic_vgarodia@quicinc.com>
+Date: Thu, 20 Feb 2025 22:50:11 +0530
+Subject: media: venus: hfi: add a check to handle OOB in sfr region
+
+From: Vikash Garodia <quic_vgarodia@quicinc.com>
+
+commit f4b211714bcc70effa60c34d9fa613d182e3ef1e upstream.
+
+sfr->buf_size is in shared memory and can be modified by malicious user.
+OOB write is possible when the size is made higher than actual sfr data
+buffer. Cap the size to allocated size for such cases.
+
+Cc: stable@vger.kernel.org
+Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files")
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/hfi_venus.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/platform/qcom/venus/hfi_venus.c
++++ b/drivers/media/platform/qcom/venus/hfi_venus.c
+@@ -1035,18 +1035,26 @@ static void venus_sfr_print(struct venus
+ {
+ struct device *dev = hdev->core->dev;
+ struct hfi_sfr *sfr = hdev->sfr.kva;
++ u32 size;
+ void *p;
+
+ if (!sfr)
+ return;
+
+- p = memchr(sfr->data, '\0', sfr->buf_size);
++ size = sfr->buf_size;
++ if (!size)
++ return;
++
++ if (size > ALIGNED_SFR_SIZE)
++ size = ALIGNED_SFR_SIZE;
++
++ p = memchr(sfr->data, '\0', size);
+ /*
+ * SFR isn't guaranteed to be NULL terminated since SYS_ERROR indicates
+ * that Venus is in the process of crashing.
+ */
+ if (!p)
+- sfr->data[sfr->buf_size - 1] = '\0';
++ sfr->data[size - 1] = '\0';
+
+ dev_err_ratelimited(dev, "SFR message from FW: %s\n", sfr->data);
+ }
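Review bot: The cap compares `size` with `ALIGNED_SFR_SIZE`, but the bytes being bounded are `sfr->data`, a member of the same structure as `buf_size`; if `ALIGNED_SFR_SIZE` covers the whole structure rather than `data` alone (it is defined outside this hunk), `sfr->data[size - 1]` can still land past the end by the size of the header. In that case the bound should be the data capacity, e.g. `size = min_t(u32, size, ALIGNED_SFR_SIZE - offsetof(struct hfi_sfr, data));`. Since the commit message says `buf_size` lives in shared memory, the snapshot should also be taken with `size = READ_ONCE(sfr->buf_size);` so the compiler cannot re-read the field after the check.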
--- /dev/null
+From 69baf245b23e20efda0079238b27fc63ecf13de1 Mon Sep 17 00:00:00 2001
+From: Vikash Garodia <quic_vgarodia@quicinc.com>
+Date: Thu, 20 Feb 2025 22:50:10 +0530
+Subject: media: venus: hfi: add check to handle incorrect queue size
+
+From: Vikash Garodia <quic_vgarodia@quicinc.com>
+
+commit 69baf245b23e20efda0079238b27fc63ecf13de1 upstream.
+
+qsize represents size of shared queued between driver and video
+firmware. Firmware can modify this value to an invalid large value. In
+such situation, empty_space will be bigger than the space actually
+available. Since new_wr_idx is not checked, so the following code will
+result in an OOB write.
+...
+qsize = qhdr->q_size
+
+if (wr_idx >= rd_idx)
+ empty_space = qsize - (wr_idx - rd_idx)
+....
+if (new_wr_idx < qsize) {
+ memcpy(wr_ptr, packet, dwords << 2) --> OOB write
+
+Add check to ensure qsize is within the allocated size while
+reading and writing packets into the queue.
+
+Cc: stable@vger.kernel.org
+Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files")
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/hfi_venus.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/media/platform/qcom/venus/hfi_venus.c
++++ b/drivers/media/platform/qcom/venus/hfi_venus.c
+@@ -187,6 +187,9 @@ static int venus_write_queue(struct venu
+ /* ensure rd/wr indices's are read from memory */
+ rmb();
+
++ if (qsize > IFACEQ_QUEUE_SIZE / 4)
++ return -EINVAL;
++
+ if (wr_idx >= rd_idx)
+ empty_space = qsize - (wr_idx - rd_idx);
+ else
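Review bot: The new `qsize > IFACEQ_QUEUE_SIZE / 4` guard bounds only the queue size, while `rd_idx` and `wr_idx` come from the same shared header and feed `empty_space = qsize - (wr_idx - rd_idx)` right below; an index larger than qsize makes that unsigned subtraction wrap. Unless the indices are validated in the part of venus_write_queue outside this hunk, the guard should cover them too, e.g. `if (qsize > IFACEQ_QUEUE_SIZE / 4 || rd_idx >= qsize || wr_idx >= qsize) return -EINVAL;`. The same applies to the venus_read_queue hunk that follows, where the check is also placed before the `rmb()` rather than after it as here; keeping the two functions in the same order would make them easier to audit.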
+@@ -255,6 +258,9 @@ static int venus_read_queue(struct venus
+ wr_idx = qhdr->write_idx;
+ qsize = qhdr->q_size;
+
++ if (qsize > IFACEQ_QUEUE_SIZE / 4)
++ return -EINVAL;
++
+ /* make sure data is valid before using it */
+ rmb();
+
--- /dev/null
+From 172bf5a9ef70a399bb227809db78442dc01d9e48 Mon Sep 17 00:00:00 2001
+From: Vikash Garodia <quic_vgarodia@quicinc.com>
+Date: Thu, 20 Feb 2025 22:50:08 +0530
+Subject: media: venus: hfi_parser: add check to avoid out of bound access
+
+From: Vikash Garodia <quic_vgarodia@quicinc.com>
+
+commit 172bf5a9ef70a399bb227809db78442dc01d9e48 upstream.
+
+There is a possibility that init_codecs is invoked multiple times during
+manipulated payload from video firmware. In such case, if codecs_count
+can get incremented to value more than MAX_CODEC_NUM, there can be OOB
+access. Reset the count so that it always starts from beginning.
+
+Cc: stable@vger.kernel.org
+Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser")
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/hfi_parser.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/platform/qcom/venus/hfi_parser.c
++++ b/drivers/media/platform/qcom/venus/hfi_parser.c
+@@ -19,6 +19,8 @@ static void init_codecs(struct venus_cor
+ struct hfi_plat_caps *caps = core->caps, *cap;
+ unsigned long bit;
+
++ core->codecs_count = 0;
++
+ if (hweight_long(core->dec_codecs) + hweight_long(core->enc_codecs) > MAX_CODEC_NUM)
+ return;
+
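Review bot: The reset `core->codecs_count = 0;` carries no comment, and the reason is not visible from init_codecs itself: per the commit message the function can run more than once when firmware repeats the property, and the count must restart so it cannot pass MAX_CODEC_NUM. I would add `/* firmware may report supported codecs more than once; restart the caps table on every call */` above it. Note also that when the MAX_CODEC_NUM guard below returns early the count now stays 0; whether entries left in `core->caps` from an earlier call matter in that case depends on code outside the hunk.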
--- /dev/null
+From 9edaaa8e3e15aab1ca413ab50556de1975bcb329 Mon Sep 17 00:00:00 2001
+From: Vikash Garodia <quic_vgarodia@quicinc.com>
+Date: Thu, 20 Feb 2025 22:50:09 +0530
+Subject: media: venus: hfi_parser: refactor hfi packet parsing logic
+
+From: Vikash Garodia <quic_vgarodia@quicinc.com>
+
+commit 9edaaa8e3e15aab1ca413ab50556de1975bcb329 upstream.
+
+words_count denotes the number of words in total payload, while data
+points to payload of various property within it. When words_count
+reaches last word, data can access memory beyond the total payload. This
+can lead to OOB access. With this patch, the utility api for handling
+individual properties now returns the size of data consumed. Accordingly
+remaining bytes are calculated before parsing the payload, thereby
+eliminates the OOB access possibilities.
+
+Cc: stable@vger.kernel.org
+Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser")
+Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/hfi_parser.c | 98 ++++++++++++++++++-------
+ 1 file changed, 72 insertions(+), 26 deletions(-)
+
+--- a/drivers/media/platform/qcom/venus/hfi_parser.c
++++ b/drivers/media/platform/qcom/venus/hfi_parser.c
+@@ -64,7 +64,7 @@ fill_buf_mode(struct hfi_plat_caps *cap,
+ cap->cap_bufs_mode_dynamic = true;
+ }
+
+-static void
++static int
+ parse_alloc_mode(struct venus_core *core, u32 codecs, u32 domain, void *data)
+ {
+ struct hfi_buffer_alloc_mode_supported *mode = data;
+@@ -72,7 +72,7 @@ parse_alloc_mode(struct venus_core *core
+ u32 *type;
+
+ if (num_entries > MAX_ALLOC_MODE_ENTRIES)
+- return;
++ return -EINVAL;
+
+ type = mode->data;
+
+@@ -84,6 +84,8 @@ parse_alloc_mode(struct venus_core *core
+
+ type++;
+ }
++
++ return sizeof(*mode);
+ }
+
+ static void fill_profile_level(struct hfi_plat_caps *cap, const void *data,
+@@ -98,7 +100,7 @@ static void fill_profile_level(struct hf
+ cap->num_pl += num;
+ }
+
+-static void
++static int
+ parse_profile_level(struct venus_core *core, u32 codecs, u32 domain, void *data)
+ {
+ struct hfi_profile_level_supported *pl = data;
+@@ -106,12 +108,14 @@ parse_profile_level(struct venus_core *c
+ struct hfi_profile_level pl_arr[HFI_MAX_PROFILE_COUNT] = {};
+
+ if (pl->profile_count > HFI_MAX_PROFILE_COUNT)
+- return;
++ return -EINVAL;
+
+ memcpy(pl_arr, proflevel, pl->profile_count * sizeof(*proflevel));
+
+ for_each_codec(core->caps, ARRAY_SIZE(core->caps), codecs, domain,
+ fill_profile_level, pl_arr, pl->profile_count);
++
++ return pl->profile_count * sizeof(*proflevel) + sizeof(u32);
+ }
+
+ static void
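Review bot: `memcpy(pl_arr, proflevel, pl->profile_count * sizeof(*proflevel))` is bounded by HFI_MAX_PROFILE_COUNT only, not by the bytes left in the packet. The caller's `rem_bytes <= sizeof(struct hfi_profile_level_supported)` test appears to cover just the fixed part of the structure (the struct layouts are not on the page), so a count that is small enough to pass but larger than the payload still reads past the buffer. Passing the remaining length into the helper and rejecting early closes this, e.g. `if (pl->profile_count * sizeof(*proflevel) + sizeof(u32) > rem_bytes) return -EINVAL;`. The count-driven reads in parse_caps (`num_caps`) and parse_alloc_mode (`num_entries`) have the same shape and would need the same bound.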
+@@ -126,7 +130,7 @@ fill_caps(struct hfi_plat_caps *cap, con
+ cap->num_caps += num;
+ }
+
+-static void
++static int
+ parse_caps(struct venus_core *core, u32 codecs, u32 domain, void *data)
+ {
+ struct hfi_capabilities *caps = data;
+@@ -135,12 +139,14 @@ parse_caps(struct venus_core *core, u32
+ struct hfi_capability caps_arr[MAX_CAP_ENTRIES] = {};
+
+ if (num_caps > MAX_CAP_ENTRIES)
+- return;
++ return -EINVAL;
+
+ memcpy(caps_arr, cap, num_caps * sizeof(*cap));
+
+ for_each_codec(core->caps, ARRAY_SIZE(core->caps), codecs, domain,
+ fill_caps, caps_arr, num_caps);
++
++ return sizeof(*caps);
+ }
+
+ static void fill_raw_fmts(struct hfi_plat_caps *cap, const void *fmts,
+@@ -155,7 +161,7 @@ static void fill_raw_fmts(struct hfi_pla
+ cap->num_fmts += num_fmts;
+ }
+
+-static void
++static int
+ parse_raw_formats(struct venus_core *core, u32 codecs, u32 domain, void *data)
+ {
+ struct hfi_uncompressed_format_supported *fmt = data;
+@@ -164,7 +170,8 @@ parse_raw_formats(struct venus_core *cor
+ struct raw_formats rawfmts[MAX_FMT_ENTRIES] = {};
+ u32 entries = fmt->format_entries;
+ unsigned int i = 0;
+- u32 num_planes;
++ u32 num_planes = 0;
++ u32 size;
+
+ while (entries) {
+ num_planes = pinfo->num_planes;
+@@ -174,7 +181,7 @@ parse_raw_formats(struct venus_core *cor
+ i++;
+
+ if (i >= MAX_FMT_ENTRIES)
+- return;
++ return -EINVAL;
+
+ if (pinfo->num_planes > MAX_PLANES)
+ break;
+@@ -186,9 +193,13 @@ parse_raw_formats(struct venus_core *cor
+
+ for_each_codec(core->caps, ARRAY_SIZE(core->caps), codecs, domain,
+ fill_raw_fmts, rawfmts, i);
++ size = fmt->format_entries * (sizeof(*constr) * num_planes + 2 * sizeof(u32))
++ + 2 * sizeof(u32);
++
++ return size;
+ }
+
+-static void parse_codecs(struct venus_core *core, void *data)
++static int parse_codecs(struct venus_core *core, void *data)
+ {
+ struct hfi_codec_supported *codecs = data;
+
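Review bot: The returned `size` is derived from `fmt->format_entries` and the last `num_planes` read from the payload, truncated to `u32` and then returned as `int`, so firmware-chosen values can make it wrap or turn negative. It also assumes every entry has the plane count of the last one parsed, and on the `break` path `num_planes` may be a value that already failed the MAX_PLANES test (the middle of the loop is outside the hunk). Rejecting before the computation keeps the result bounded: `if (fmt->format_entries > MAX_FMT_ENTRIES || num_planes > MAX_PLANES) return -EINVAL;`.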
+@@ -200,21 +211,27 @@ static void parse_codecs(struct venus_co
+ core->dec_codecs &= ~HFI_VIDEO_CODEC_SPARK;
+ core->enc_codecs &= ~HFI_VIDEO_CODEC_HEVC;
+ }
++
++ return sizeof(*codecs);
+ }
+
+-static void parse_max_sessions(struct venus_core *core, const void *data)
++static int parse_max_sessions(struct venus_core *core, const void *data)
+ {
+ const struct hfi_max_sessions_supported *sessions = data;
+
+ core->max_sessions_supported = sessions->max_sessions;
++
++ return sizeof(*sessions);
+ }
+
+-static void parse_codecs_mask(u32 *codecs, u32 *domain, void *data)
++static int parse_codecs_mask(u32 *codecs, u32 *domain, void *data)
+ {
+ struct hfi_codec_mask_supported *mask = data;
+
+ *codecs = mask->codecs;
+ *domain = mask->video_domains;
++
++ return sizeof(*mask);
+ }
+
+ static void parser_init(struct venus_inst *inst, u32 *codecs, u32 *domain)
+@@ -283,8 +300,9 @@ static int hfi_platform_parser(struct ve
+ u32 hfi_parser(struct venus_core *core, struct venus_inst *inst, void *buf,
+ u32 size)
+ {
+- unsigned int words_count = size >> 2;
+- u32 *word = buf, *data, codecs = 0, domain = 0;
++ u32 *words = buf, *payload, codecs = 0, domain = 0;
++ u32 *frame_size = buf + size;
++ u32 rem_bytes = size;
+ int ret;
+
+ ret = hfi_platform_parser(core, inst);
+@@ -301,38 +319,66 @@ u32 hfi_parser(struct venus_core *core,
+ memset(core->caps, 0, sizeof(core->caps));
+ }
+
+- while (words_count) {
+- data = word + 1;
++ while (words < frame_size) {
++ payload = words + 1;
+
+- switch (*word) {
++ switch (*words) {
+ case HFI_PROPERTY_PARAM_CODEC_SUPPORTED:
+- parse_codecs(core, data);
++ if (rem_bytes <= sizeof(struct hfi_codec_supported))
++ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
++
++ ret = parse_codecs(core, payload);
++ if (ret < 0)
++ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
++
+ init_codecs(core);
+ break;
+ case HFI_PROPERTY_PARAM_MAX_SESSIONS_SUPPORTED:
+- parse_max_sessions(core, data);
++ if (rem_bytes <= sizeof(struct hfi_max_sessions_supported))
++ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
++
++ ret = parse_max_sessions(core, payload);
+ break;
+ case HFI_PROPERTY_PARAM_CODEC_MASK_SUPPORTED:
+- parse_codecs_mask(&codecs, &domain, data);
++ if (rem_bytes <= sizeof(struct hfi_codec_mask_supported))
++ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
++
++ ret = parse_codecs_mask(&codecs, &domain, payload);
+ break;
+ case HFI_PROPERTY_PARAM_UNCOMPRESSED_FORMAT_SUPPORTED:
+- parse_raw_formats(core, codecs, domain, data);
++ if (rem_bytes <= sizeof(struct hfi_uncompressed_format_supported))
++ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
++
++ ret = parse_raw_formats(core, codecs, domain, payload);
+ break;
+ case HFI_PROPERTY_PARAM_CAPABILITY_SUPPORTED:
+- parse_caps(core, codecs, domain, data);
++ if (rem_bytes <= sizeof(struct hfi_capabilities))
++ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
++
++ ret = parse_caps(core, codecs, domain, payload);
+ break;
+ case HFI_PROPERTY_PARAM_PROFILE_LEVEL_SUPPORTED:
+- parse_profile_level(core, codecs, domain, data);
++ if (rem_bytes <= sizeof(struct hfi_profile_level_supported))
++ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
++
++ ret = parse_profile_level(core, codecs, domain, payload);
+ break;
+ case HFI_PROPERTY_PARAM_BUFFER_ALLOC_MODE_SUPPORTED:
+- parse_alloc_mode(core, codecs, domain, data);
++ if (rem_bytes <= sizeof(struct hfi_buffer_alloc_mode_supported))
++ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
++
++ ret = parse_alloc_mode(core, codecs, domain, payload);
+ break;
+ default:
++ ret = sizeof(u32);
+ break;
+ }
+
+- word++;
+- words_count--;
++ if (ret < 0)
++ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
++
++ words += ret / sizeof(u32);
++ rem_bytes -= ret;
+ }
+
+ if (!core->max_sessions_supported)
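Review bot: `while (words < frame_size)` dereferences `*words` as soon as one byte remains, because `frame_size = buf + size` is not rounded down to a word boundary. The old `words_count = size >> 2` dropped a partial trailing word, so a `size` that is not a multiple of 4 now allows a read of up to three bytes past the packet; whether callers can pass such a size is not visible here. Looping on the byte counter avoids it: `while (rem_bytes >= sizeof(u32))`, together with `if ((u32)ret > rem_bytes) return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;` ahead of `rem_bytes -= ret;` so the unsigned counter cannot wrap when a helper reports more bytes than are left. The declarations this relies on are in the previous hunk.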
--- /dev/null
+From 143d75583f2427f3a97dba62413c4f0604867ebf Mon Sep 17 00:00:00 2001
+From: Matthew Majewski <mattwmajewski@gmail.com>
+Date: Wed, 19 Feb 2025 14:05:01 -0500
+Subject: media: vim2m: print device name after registering device
+
+From: Matthew Majewski <mattwmajewski@gmail.com>
+
+commit 143d75583f2427f3a97dba62413c4f0604867ebf upstream.
+
+Move the v4l2_info() call displaying the video device name after the
+device is actually registered.
+
+This fixes a bug where the driver was always displaying "/dev/video0"
+since it was reading from the vfd before it was registered.
+
+Fixes: cf7f34777a5b ("media: vim2m: Register video device after setting up internals")
+Cc: stable@vger.kernel.org
+Signed-off-by: Matthew Majewski <mattwmajewski@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/test-drivers/vim2m.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/test-drivers/vim2m.c
++++ b/drivers/media/test-drivers/vim2m.c
+@@ -1316,9 +1316,6 @@ static int vim2m_probe(struct platform_d
+ vfd->v4l2_dev = &dev->v4l2_dev;
+
+ video_set_drvdata(vfd, dev);
+- v4l2_info(&dev->v4l2_dev,
+- "Device registered as /dev/video%d\n", vfd->num);
+-
+ platform_set_drvdata(pdev, dev);
+
+ dev->m2m_dev = v4l2_m2m_init(&m2m_ops);
+@@ -1345,6 +1342,9 @@ static int vim2m_probe(struct platform_d
+ goto error_m2m;
+ }
+
++ v4l2_info(&dev->v4l2_dev,
++ "Device registered as /dev/video%d\n", vfd->num);
++
+ #ifdef CONFIG_MEDIA_CONTROLLER
+ ret = v4l2_m2m_register_media_controller(dev->m2m_dev, vfd,
+ MEDIA_ENT_F_PROC_VIDEO_SCALER);
--- /dev/null
+From d98e9213a768a3cc3a99f5e1abe09ad3baff2104 Mon Sep 17 00:00:00 2001
+From: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Date: Tue, 10 Dec 2024 16:02:53 -0500
+Subject: media: visl: Fix ERANGE error when setting enum controls
+
+From: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+
+commit d98e9213a768a3cc3a99f5e1abe09ad3baff2104 upstream.
+
+The visl driver supports both frame and slice mode, with and without a
+start-code. But, the range and default for these enum controls was not
+set, which currently limits the decoder to enums with a value of 0. Fix
+this by setting the decoder mode and start code controls for both the
+H.264 and HEVC codecs.
+
+Fixes: 0c078e310b6d ("media: visl: add virtual stateless decoder driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/test-drivers/visl/visl-core.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/media/test-drivers/visl/visl-core.c
++++ b/drivers/media/test-drivers/visl/visl-core.c
+@@ -156,9 +156,15 @@ static const struct visl_ctrl_desc visl_
+ },
+ {
+ .cfg.id = V4L2_CID_STATELESS_H264_DECODE_MODE,
++ .cfg.min = V4L2_STATELESS_H264_DECODE_MODE_SLICE_BASED,
++ .cfg.max = V4L2_STATELESS_H264_DECODE_MODE_FRAME_BASED,
++ .cfg.def = V4L2_STATELESS_H264_DECODE_MODE_SLICE_BASED,
+ },
+ {
+ .cfg.id = V4L2_CID_STATELESS_H264_START_CODE,
++ .cfg.min = V4L2_STATELESS_H264_START_CODE_NONE,
++ .cfg.max = V4L2_STATELESS_H264_START_CODE_ANNEX_B,
++ .cfg.def = V4L2_STATELESS_H264_START_CODE_NONE,
+ },
+ {
+ .cfg.id = V4L2_CID_STATELESS_H264_SLICE_PARAMS,
+@@ -193,9 +199,15 @@ static const struct visl_ctrl_desc visl_
+ },
+ {
+ .cfg.id = V4L2_CID_STATELESS_HEVC_DECODE_MODE,
++ .cfg.min = V4L2_STATELESS_HEVC_DECODE_MODE_SLICE_BASED,
++ .cfg.max = V4L2_STATELESS_HEVC_DECODE_MODE_FRAME_BASED,
++ .cfg.def = V4L2_STATELESS_HEVC_DECODE_MODE_SLICE_BASED,
+ },
+ {
+ .cfg.id = V4L2_CID_STATELESS_HEVC_START_CODE,
++ .cfg.min = V4L2_STATELESS_HEVC_START_CODE_NONE,
++ .cfg.max = V4L2_STATELESS_HEVC_START_CODE_ANNEX_B,
++ .cfg.def = V4L2_STATELESS_HEVC_START_CODE_NONE,
+ },
+ {
+ .cfg.id = V4L2_CID_STATELESS_HEVC_ENTRY_POINT_OFFSETS,
--- /dev/null
+From 8c39633759885b6ff85f6d96cf445560e74df5e8 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Fri, 14 Mar 2025 21:11:32 +0100
+Subject: mptcp: sockopt: fix getting IPV6_V6ONLY
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 8c39633759885b6ff85f6d96cf445560e74df5e8 upstream.
+
+When adding a socket option support in MPTCP, both the get and set parts
+are supposed to be implemented.
+
+IPV6_V6ONLY support for the setsockopt part has been added a while ago,
+but it looks like the get part got forgotten. It should have been
+present as a way to verify a setting has been set as expected, and not
+to act differently from TCP or any other socket types.
+
+Not supporting this getsockopt(IPV6_V6ONLY) blocks some apps which want
+to check the default value, before doing extra actions. On Linux, the
+default value is 0, but this can be changed with the net.ipv6.bindv6only
+sysctl knob. On Windows, it is set to 1 by default. So supporting the
+get part, like for all other socket options, is important.
+
+Everything was in place to expose it, just the last step was missing.
+Only new code is added to cover this specific getsockopt(), that seems
+safe.
+
+Fixes: c9b95a135987 ("mptcp: support IPV6_V6ONLY setsockopt")
+Cc: stable@vger.kernel.org
+Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/550
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250314-net-mptcp-fix-data-stream-corr-sockopt-v1-2-122dbb249db3@kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/sockopt.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/net/mptcp/sockopt.c
++++ b/net/mptcp/sockopt.c
+@@ -1393,6 +1393,20 @@ static int mptcp_getsockopt_v4(struct mp
+ return -EOPNOTSUPP;
+ }
+
++static int mptcp_getsockopt_v6(struct mptcp_sock *msk, int optname,
++ char __user *optval, int __user *optlen)
++{
++ struct sock *sk = (void *)msk;
++
++ switch (optname) {
++ case IPV6_V6ONLY:
++ return mptcp_put_int_option(msk, optval, optlen,
++ sk->sk_ipv6only);
++ }
++
++ return -EOPNOTSUPP;
++}
++
+ static int mptcp_getsockopt_sol_mptcp(struct mptcp_sock *msk, int optname,
+ char __user *optval, int __user *optlen)
+ {
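Review bot: mptcp_getsockopt_v6() answers IPV6_V6ONLY from `sk->sk_ipv6only` without looking at the socket family, and the dispatcher hunk below sends every `level == SOL_IPV6` request to it. On an MPTCP socket created as AF_INET this would, as far as these lines show, return a value, where I would expect a plain TCP IPv4 socket to fail the call; the commit message names parity with TCP as the goal. If that difference is not intended, `if (sk->sk_family != AF_INET6) return -EOPNOTSUPP;` before the switch restores it. A family check elsewhere in mptcp_getsockopt would be outside the hunk.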
+@@ -1432,6 +1446,8 @@ int mptcp_getsockopt(struct sock *sk, in
+
+ if (level == SOL_IP)
+ return mptcp_getsockopt_v4(msk, optname, optval, option);
++ if (level == SOL_IPV6)
++ return mptcp_getsockopt_v6(msk, optname, optval, option);
+ if (level == SOL_TCP)
+ return mptcp_getsockopt_sol_tcp(msk, optname, optval, option);
+ if (level == SOL_MPTCP)
--- /dev/null
+From 2aee30bb10d7bad0a60255059c9ce1b84cf0130e Mon Sep 17 00:00:00 2001
+From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Date: Wed, 5 Feb 2025 02:31:41 +0000
+Subject: mtd: Add check for devm_kcalloc()
+
+From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+
+commit 2aee30bb10d7bad0a60255059c9ce1b84cf0130e upstream.
+
+Add a check for devm_kcalloc() to ensure successful allocation.
+
+Fixes: 78c08247b9d3 ("mtd: Support kmsg dumper based on pstore/blk")
+Cc: stable@vger.kernel.org # v5.10+
+Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/mtdpstore.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/mtd/mtdpstore.c
++++ b/drivers/mtd/mtdpstore.c
+@@ -423,6 +423,9 @@ static void mtdpstore_notify_add(struct
+ longcnt = BITS_TO_LONGS(div_u64(mtd->size, mtd->erasesize));
+ cxt->badmap = kcalloc(longcnt, sizeof(long), GFP_KERNEL);
+
++ if (!cxt->rmmap || !cxt->usedmap || !cxt->badmap)
++ return;
++
+ /* just support dmesg right now */
+ cxt->dev.flags = PSTORE_FLAGS_DMESG;
+ cxt->dev.zone.read = mtdpstore_read;
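Review bot: The early `return` leaks whichever of the three bitmaps was allocated, because the context line above still shows `cxt->badmap = kcalloc(...)` and nothing frees on this path. That holds for any tree carrying this patch without the devm_kcalloc conversion that follows it in the queue. The failure is also silent, so a line such as `dev_err(&mtd->dev, "failed to allocate pstore bitmaps\n");` before the return would help. mtdpstore_notify_add starts above the hunk, so any state it set earlier that needs undoing on this path is not visible here.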
--- /dev/null
+From ddc210cf8b8a8be68051ad958bf3e2cef6b681c2 Mon Sep 17 00:00:00 2001
+From: Kamal Dasu <kamal.dasu@broadcom.com>
+Date: Thu, 27 Feb 2025 12:46:08 -0500
+Subject: mtd: rawnand: brcmnand: fix PM resume warning
+
+From: Kamal Dasu <kamal.dasu@broadcom.com>
+
+commit ddc210cf8b8a8be68051ad958bf3e2cef6b681c2 upstream.
+
+Fixed warning on PM resume as shown below caused due to uninitialized
+struct nand_operation that checks chip select field :
+WARN_ON(op->cs >= nanddev_ntargets(&chip->base)
+
+[ 14.588522] ------------[ cut here ]------------
+[ 14.588529] WARNING: CPU: 0 PID: 1392 at drivers/mtd/nand/raw/internals.h:139 nand_reset_op+0x1e0/0x1f8
+[ 14.588553] Modules linked in: bdc udc_core
+[ 14.588579] CPU: 0 UID: 0 PID: 1392 Comm: rtcwake Tainted: G W 6.14.0-rc4-g5394eea10651 #16
+[ 14.588590] Tainted: [W]=WARN
+[ 14.588593] Hardware name: Broadcom STB (Flattened Device Tree)
+[ 14.588598] Call trace:
+[ 14.588604] dump_backtrace from show_stack+0x18/0x1c
+[ 14.588622] r7:00000009 r6:0000008b r5:60000153 r4:c0fa558c
+[ 14.588625] show_stack from dump_stack_lvl+0x70/0x7c
+[ 14.588639] dump_stack_lvl from dump_stack+0x18/0x1c
+[ 14.588653] r5:c08d40b0 r4:c1003cb0
+[ 14.588656] dump_stack from __warn+0x84/0xe4
+[ 14.588668] __warn from warn_slowpath_fmt+0x18c/0x194
+[ 14.588678] r7:c08d40b0 r6:c1003cb0 r5:00000000 r4:00000000
+[ 14.588681] warn_slowpath_fmt from nand_reset_op+0x1e0/0x1f8
+[ 14.588695] r8:70c40dff r7:89705f41 r6:36b4a597 r5:c26c9444 r4:c26b0048
+[ 14.588697] nand_reset_op from brcmnand_resume+0x13c/0x150
+[ 14.588714] r9:00000000 r8:00000000 r7:c24f8010 r6:c228a3f8 r5:c26c94bc r4:c26b0040
+[ 14.588717] brcmnand_resume from platform_pm_resume+0x34/0x54
+[ 14.588735] r5:00000010 r4:c0840a50
+[ 14.588738] platform_pm_resume from dpm_run_callback+0x5c/0x14c
+[ 14.588757] dpm_run_callback from device_resume+0xc0/0x324
+[ 14.588776] r9:c24f8054 r8:c24f80a0 r7:00000000 r6:00000000 r5:00000010 r4:c24f8010
+[ 14.588779] device_resume from dpm_resume+0x130/0x160
+[ 14.588799] r9:c22539e4 r8:00000010 r7:c22bebb0 r6:c24f8010 r5:c22539dc r4:c22539b0
+[ 14.588802] dpm_resume from dpm_resume_end+0x14/0x20
+[ 14.588822] r10:c2204e40 r9:00000000 r8:c228a3fc r7:00000000 r6:00000003 r5:c228a414
+[ 14.588826] r4:00000010
+[ 14.588828] dpm_resume_end from suspend_devices_and_enter+0x274/0x6f8
+[ 14.588848] r5:c228a414 r4:00000000
+[ 14.588851] suspend_devices_and_enter from pm_suspend+0x228/0x2bc
+[ 14.588868] r10:c3502910 r9:c3501f40 r8:00000004 r7:c228a438 r6:c0f95e18 r5:00000000
+[ 14.588871] r4:00000003
+[ 14.588874] pm_suspend from state_store+0x74/0xd0
+[ 14.588889] r7:c228a438 r6:c0f934c8 r5:00000003 r4:00000003
+[ 14.588892] state_store from kobj_attr_store+0x1c/0x28
+[ 14.588913] r9:00000000 r8:00000000 r7:f09f9f08 r6:00000004 r5:c3502900 r4:c0283250
+[ 14.588916] kobj_attr_store from sysfs_kf_write+0x40/0x4c
+[ 14.588936] r5:c3502900 r4:c0d92a48
+[ 14.588939] sysfs_kf_write from kernfs_fop_write_iter+0x104/0x1f0
+[ 14.588956] r5:c3502900 r4:c3501f40
+[ 14.588960] kernfs_fop_write_iter from vfs_write+0x250/0x420
+[ 14.588980] r10:c0e14b48 r9:00000000 r8:c25f5780 r7:00443398 r6:f09f9f68 r5:c34f7f00
+[ 14.588983] r4:c042a88c
+[ 14.588987] vfs_write from ksys_write+0x74/0xe4
+[ 14.589005] r10:00000004 r9:c25f5780 r8:c02002fA0 r7:00000000 r6:00000000 r5:c34f7f00
+[ 14.589008] r4:c34f7f00
+[ 14.589011] ksys_write from sys_write+0x10/0x14
+[ 14.589029] r7:00000004 r6:004421c0 r5:00443398 r4:00000004
+[ 14.589032] sys_write from ret_fast_syscall+0x0/0x5c
+[ 14.589044] Exception stack(0xf09f9fa8 to 0xf09f9ff0)
+[ 14.589050] 9fa0: 00000004 00443398 00000004 00443398 00000004 00000001
+[ 14.589056] 9fc0: 00000004 00443398 004421c0 00000004 b6ecbd58 00000008 bebfbc38 0043eb78
+[ 14.589062] 9fe0: 00440eb0 bebfbaf8 b6de18a0 b6e579e8
+[ 14.589065] ---[ end trace 0000000000000000 ]---
+
+The fix uses the higher level nand_reset(chip, chipnr); where chipnr = 0, when
+doing PM resume operation in compliance with the controller support for single
+die nand chip. Switching from nand_reset_op() to nand_reset() implies more
+than just setting the cs field op->cs, it also reconfigures the data interface
+(ie. the timings). Tested and confirmed the NAND chip is in sync timing wise
+with host after the fix.
+
+Fixes: 97d90da8a886 ("mtd: nand: provide several helpers to do common NAND operations")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kamal Dasu <kamal.dasu@broadcom.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/brcmnand/brcmnand.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c
++++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+@@ -2974,7 +2974,7 @@ static int brcmnand_resume(struct device
+ brcmnand_save_restore_cs_config(host, 1);
+
+ /* Reset the chip, required by some chips after power-up */
+- nand_reset_op(chip);
++ nand_reset(chip, 0);
+ }
+
+ return 0;
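Review bot: The result of `nand_reset(chip, 0)` is discarded, so brcmnand_resume() still returns 0 when the reset fails. The commit message notes that nand_reset() also re-applies the interface timings, which makes a failure here more consequential than it was with nand_reset_op(). Consider `ret = nand_reset(chip, 0);` followed by `if (ret) return ret;`, or at least a warning; the function's locals are outside the hunk, so `ret` may need declaring. A short comment on the literal `0`, such as `/* controller supports single-die chips only: chip select 0 */`, would record the reasoning given in the commit message.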
--- /dev/null
+From 1b61a59876f0eafc19b23007c522ee407f55dbec Mon Sep 17 00:00:00 2001
+From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Date: Wed, 5 Feb 2025 02:31:40 +0000
+Subject: mtd: Replace kcalloc() with devm_kcalloc()
+
+From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+
+commit 1b61a59876f0eafc19b23007c522ee407f55dbec upstream.
+
+Replace kcalloc() with devm_kcalloc() to prevent memory leaks in case of
+errors.
+
+Fixes: 78c08247b9d3 ("mtd: Support kmsg dumper based on pstore/blk")
+Cc: stable@vger.kernel.org # v5.10+
+Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/mtdpstore.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/mtd/mtdpstore.c
++++ b/drivers/mtd/mtdpstore.c
+@@ -417,11 +417,11 @@ static void mtdpstore_notify_add(struct
+ }
+
+ longcnt = BITS_TO_LONGS(div_u64(mtd->size, info->kmsg_size));
+- cxt->rmmap = kcalloc(longcnt, sizeof(long), GFP_KERNEL);
+- cxt->usedmap = kcalloc(longcnt, sizeof(long), GFP_KERNEL);
++ cxt->rmmap = devm_kcalloc(&mtd->dev, longcnt, sizeof(long), GFP_KERNEL);
++ cxt->usedmap = devm_kcalloc(&mtd->dev, longcnt, sizeof(long), GFP_KERNEL);
+
+ longcnt = BITS_TO_LONGS(div_u64(mtd->size, mtd->erasesize));
+- cxt->badmap = kcalloc(longcnt, sizeof(long), GFP_KERNEL);
++ cxt->badmap = devm_kcalloc(&mtd->dev, longcnt, sizeof(long), GFP_KERNEL);
+
+ if (!cxt->rmmap || !cxt->usedmap || !cxt->badmap)
+ return;
+@@ -530,9 +530,6 @@ static void mtdpstore_notify_remove(stru
+ mtdpstore_flush_removed(cxt);
+
+ unregister_pstore_device(&cxt->dev);
+- kfree(cxt->badmap);
+- kfree(cxt->usedmap);
+- kfree(cxt->rmmap);
+ cxt->mtd = NULL;
+ cxt->index = -1;
+ }
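Review bot: After the `kfree()` calls are dropped, mtdpstore_notify_remove() leaves `cxt->badmap`, `cxt->usedmap` and `cxt->rmmap` pointing at memory whose lifetime now belongs to `mtd->dev`, while `cxt->mtd` and `cxt->index` are reset. If the context can be reused for a later mtdpstore_notify_add() (not visible here), stale pointers remain until they are overwritten, and each add on a still-live device would allocate a further set that is only released with the device. Clearing them next to `cxt->mtd = NULL;` keeps the teardown self-consistent: `cxt->badmap = NULL;`, `cxt->usedmap = NULL;`, `cxt->rmmap = NULL;`.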
--- /dev/null
+From 1ebc8e1ef906db9c08e9abe9776d85ddec837725 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Beh=C3=BAn?= <kabel@kernel.org>
+Date: Mon, 17 Mar 2025 18:32:50 +0100
+Subject: net: dsa: mv88e6xxx: workaround RGMII transmit delay erratum for 6320 family
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún <kabel@kernel.org>
+
+commit 1ebc8e1ef906db9c08e9abe9776d85ddec837725 upstream.
+
+Implement the workaround for erratum
+ 3.3 RGMII timing may be out of spec when transmit delay is enabled
+for the 6320 family, which says:
+
+ When transmit delay is enabled via Port register 1 bit 14 = 1, duty
+ cycle may be out of spec. Under very rare conditions this may cause
+ the attached device receive CRC errors.
+
+Signed-off-by: Marek Behún <kabel@kernel.org>
+Cc: <stable@vger.kernel.org> # 5.4.x
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20250317173250.28780-8-kabel@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -3555,6 +3555,21 @@ static int mv88e6xxx_stats_setup(struct
+ return mv88e6xxx_g1_stats_clear(chip);
+ }
+
++static int mv88e6320_setup_errata(struct mv88e6xxx_chip *chip)
++{
++ u16 dummy;
++ int err;
++
++ /* Workaround for erratum
++ * 3.3 RGMII timing may be out of spec when transmit delay is enabled
++ */
++ err = mv88e6xxx_port_hidden_write(chip, 0, 0xf, 0x7, 0xe000);
++ if (err)
++ return err;
++
++ return mv88e6xxx_port_hidden_read(chip, 0, 0xf, 0x7, &dummy);
++}
++
+ /* Check if the errata has already been applied. */
+ static bool mv88e6390_setup_errata_applied(struct mv88e6xxx_chip *chip)
+ {
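Review bot: mv88e6320_setup_errata() uses bare constants in `mv88e6xxx_port_hidden_write(chip, 0, 0xf, 0x7, 0xe000)` and follows it with a read into `dummy` whose purpose is not stated. The existing comment names the erratum but not which hidden register is being programmed or why the value is read back and ignored. I would extend the comment to name the arguments and to say whether the read-back is part of the sequence the erratum prescribes, so that a later cleanup does not remove it as dead code.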
+@@ -5005,6 +5020,7 @@ static const struct mv88e6xxx_ops mv88e6
+
+ static const struct mv88e6xxx_ops mv88e6320_ops = {
+ /* MV88E6XXX_FAMILY_6320 */
++ .setup_errata = mv88e6320_setup_errata,
+ .ieee_pri_map = mv88e6085_g1_ieee_pri_map,
+ .ip_pri_map = mv88e6085_g1_ip_pri_map,
+ .irl_init_all = mv88e6352_g2_irl_init_all,
+@@ -5054,6 +5070,7 @@ static const struct mv88e6xxx_ops mv88e6
+
+ static const struct mv88e6xxx_ops mv88e6321_ops = {
+ /* MV88E6XXX_FAMILY_6320 */
++ .setup_errata = mv88e6320_setup_errata,
+ .ieee_pri_map = mv88e6085_g1_ieee_pri_map,
+ .ip_pri_map = mv88e6085_g1_ip_pri_map,
+ .irl_init_all = mv88e6352_g2_irl_init_all,
pwm-fsl-ftm-handle-clk_get_rate-returning-0.patch
bpf-support-skf_net_off-and-skf_ll_off-on-skb-frags.patch
ext4-don-t-treat-fhandle-lookup-of-ea_inode-as-fs-co.patch
+dt-bindings-media-st-stmipid02-correct-lane-polarities-maxitems.patch
+media-mediatek-vcodec-fix-a-resource-leak-related-to-the-scp-device-in-fw-initialization.patch
+media-mtk-vcodec-venc-avoid-wenum-compare-conditional-warning.patch
+media-i2c-adv748x-fix-test-pattern-selection-mask.patch
+media-venus-hfi-add-a-check-to-handle-oob-in-sfr-region.patch
+media-venus-hfi-add-check-to-handle-incorrect-queue-size.patch
+media-vim2m-print-device-name-after-registering-device.patch
+media-siano-fix-error-handling-in-smsdvb_module_init.patch
+xenfs-xensyms-respect-hypervisor-s-next-indication.patch
+arm64-cputype-add-midr_cortex_a76ae.patch
+arm64-errata-add-qcom_kryo_4xx_gold-to-the-spectre_bhb_k24_list.patch
+arm64-errata-assume-that-unknown-cpus-_are_-vulnerable-to-spectre-bhb.patch
+arm64-errata-add-kryo-2xx-3xx-4xx-silver-cores-to-spectre-bhb-safe-list.patch
+kvm-arm64-tear-down-vgic-on-failed-vcpu-creation.patch
+spi-cadence-qspi-fix-probe-on-am62a-lp-sk.patch
+mtd-rawnand-brcmnand-fix-pm-resume-warning.patch
+tpm-tpm_tis-fix-timeout-handling-when-waiting-for-tpm-status.patch
+media-streamzap-prevent-processing-ir-data-on-urb-failure.patch
+media-visl-fix-erange-error-when-setting-enum-controls.patch
+media-platform-stm32-add-check-for-clk_enable.patch
+media-v4l2-dv-timings-prevent-possible-overflow-in-v4l2_detect_gtf.patch
+media-i2c-ccs-set-the-device-s-runtime-pm-status-correctly-in-remove.patch
+media-i2c-ccs-set-the-device-s-runtime-pm-status-correctly-in-probe.patch
+media-i2c-ov7251-set-enable-gpio-low-in-probe.patch
+media-i2c-ov7251-introduce-1-ms-delay-between-regulators-and-en-gpio.patch
+media-venus-hfi_parser-add-check-to-avoid-out-of-bound-access.patch
+media-venus-hfi_parser-refactor-hfi-packet-parsing-logic.patch
+media-i2c-imx219-rectify-runtime-pm-handling-in-probe-and-remove.patch
+mptcp-sockopt-fix-getting-ipv6_v6only.patch
+mtd-add-check-for-devm_kcalloc.patch
+net-dsa-mv88e6xxx-workaround-rgmii-transmit-delay-erratum-for-6320-family.patch
+mtd-replace-kcalloc-with-devm_kcalloc.patch
+clocksource-drivers-stm32-lptimer-use-wakeup-capable-instead-of-init-wakeup.patch
+wifi-mt76-add-check-for-devm_kstrdup.patch
+wifi-mac80211-fix-integer-overflow-in-hwmp_route_info_get.patch
+io_uring-kbuf-reject-zero-sized-provided-buffers.patch
+asoc-q6apm-add-q6apm_get_hw_pointer-helper.patch
+asoc-qdsp6-q6apm-dai-set-10-ms-period-and-buffer-alignment.patch
+asoc-qdsp6-q6apm-dai-fix-capture-pipeline-overruns.patch
+asoc-qdsp6-q6asm-dai-fix-q6asm_dai_compr_set_params-error-path.patch
+bus-mhi-host-fix-race-between-unprepare-and-queue_buf.patch
+ext4-fix-off-by-one-error-in-do_split.patch
+f2fs-fix-to-avoid-atomicity-corruption-of-atomic-file.patch
+vdpa-mlx5-fix-oversized-null-mkey-longer-than-32bit.patch
+udf-fix-inode_getblk-return-value.patch
+tpm-do-not-start-chip-while-suspended.patch
+soc-samsung-exynos-chipid-add-null-pointer-check-in-exynos_chipid_probe.patch
+smb311-client-fix-missing-tcon-check-when-mounting-with-linux-posix-extensions.patch
--- /dev/null
+From b365b9d404b7376c60c91cd079218bfef11b7822 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Sun, 6 Apr 2025 14:09:19 -0500
+Subject: smb311 client: fix missing tcon check when mounting with linux/posix extensions
+
+From: Steve French <stfrench@microsoft.com>
+
+commit b365b9d404b7376c60c91cd079218bfef11b7822 upstream.
+
+When mounting the same share twice, once with the "linux" mount parameter
+(or equivalently "posix") and then once without (or e.g. with "nolinux"),
+we were incorrectly reusing the same tree connection for both mounts.
+This meant that the first mount of the share on the client, would
+cause subsequent mounts of that same share on the same client to
+ignore that mount parm ("linux" vs. "nolinux") and incorrectly reuse
+the same tcon.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/connect.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/smb/client/connect.c
++++ b/fs/smb/client/connect.c
+@@ -2488,6 +2488,8 @@ static int match_tcon(struct cifs_tcon *
+ return 0;
+ if (tcon->nodelete != ctx->nodelete)
+ return 0;
++ if (tcon->posix_extensions != ctx->linux_ext)
++ return 0;
+ return 1;
+ }
+
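Review bot: The added test `tcon->posix_extensions != ctx->linux_ext` compares what looks like a per-tcon state with a requested mount option, and the hunk does not show that the two always agree after a successful mount. If `posix_extensions` can stay false while `linux_ext` is set (for instance when the server did not accept the extensions, which is not visible here), a repeated mount with identical options would never match and would open a new tree connection every time. That case should be confirmed, and the check deserves a comment such as `/* never share a tcon between mounts that disagree on POSIX extensions */`. match_tcon() starts outside the hunk.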
--- /dev/null
+From c8222ef6cf29dd7cad21643228f96535cc02b327 Mon Sep 17 00:00:00 2001
+From: Chenyuan Yang <chenyuan0y@gmail.com>
+Date: Wed, 12 Feb 2025 15:35:18 -0600
+Subject: soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe()
+
+From: Chenyuan Yang <chenyuan0y@gmail.com>
+
+commit c8222ef6cf29dd7cad21643228f96535cc02b327 upstream.
+
+soc_dev_attr->revision could be NULL, thus,
+a pointer check is added to prevent potential NULL pointer dereference.
+This is similar to the fix in commit 3027e7b15b02
+("ice: Fix some null pointer dereference issues in ice_ptp.c").
+
+This issue is found by our static analysis tool.
+
+Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com>
+Link: https://lore.kernel.org/r/20250212213518.69432-1-chenyuan0y@gmail.com
+Fixes: 3253b7b7cd44 ("soc: samsung: Add exynos chipid driver support")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/samsung/exynos-chipid.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/soc/samsung/exynos-chipid.c
++++ b/drivers/soc/samsung/exynos-chipid.c
+@@ -130,6 +130,8 @@ static int exynos_chipid_probe(struct pl
+
+ soc_dev_attr->revision = devm_kasprintf(&pdev->dev, GFP_KERNEL,
+ "%x", soc_info.revision);
++ if (!soc_dev_attr->revision)
++ return -ENOMEM;
+ soc_dev_attr->soc_id = product_id_to_soc_id(soc_info.product_id);
+ if (!soc_dev_attr->soc_id) {
+ pr_err("Unknown SoC\n");
--- /dev/null
+From b8665a1b49f5498edb7b21d730030c06b7348a3c Mon Sep 17 00:00:00 2001
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+Date: Wed, 5 Mar 2025 21:09:32 +0100
+Subject: spi: cadence-qspi: Fix probe on AM62A LP SK
+
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+
+commit b8665a1b49f5498edb7b21d730030c06b7348a3c upstream.
+
+In 2020, there's been an unnoticed change which rightfully attempted to
+report probe deferrals upon DMA absence by checking the return value of
+dma_request_chan_by_mask(). By doing so, it also reported errors which
+were simply ignored otherwise, likely on purpose.
+
+This change actually turned a void return into an error code. Hence, not
+only the -EPROBE_DEFER error codes but all error codes got reported to
+the callers, now failing to probe in the absence of Rx DMA channel,
+despite the fact that DMA seems to not be supported natively by many
+implementations.
+
+Looking at the history, this change probably led to:
+ad2775dc3fc5 ("spi: cadence-quadspi: Disable the DAC for Intel LGM SoC")
+f724c296f2f2 ("spi: cadence-quadspi: fix Direct Access Mode disable for SoCFPGA")
+
+In my case, the AM62A LP SK core octo-SPI node from TI does not
+advertise any DMA channel, hinting that there is likely no support for
+it, but yet when the support for the am654 compatible was added, DMA
+seemed to be used, so just discarding its use with the
+CQSPI_DISABLE_DAC_MODE quirk for this compatible does not seem the
+correct approach.
+
+Let's get change the return condition back to:
+- return a probe deferral error if we get one
+- ignore the return value otherwise
+The "error" log level was however likely too high for something that is
+expected to fail, so let's lower it arbitrarily to the info level.
+
+Fixes: 935da5e5100f ("mtd: spi-nor: cadence-quadspi: Handle probe deferral while requesting DMA channel")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://patch.msgid.link/20250305200933.2512925-2-miquel.raynal@bootlin.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-cadence-quadspi.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/spi/spi-cadence-quadspi.c
++++ b/drivers/spi/spi-cadence-quadspi.c
+@@ -1576,6 +1576,12 @@ static int cqspi_request_mmap_dma(struct
+ int ret = PTR_ERR(cqspi->rx_chan);
+
+ cqspi->rx_chan = NULL;
++ if (ret == -ENODEV) {
++ /* DMA support is not mandatory */
++ dev_info(&cqspi->pdev->dev, "No Rx DMA available\n");
++ return 0;
++ }
++
+ return dev_err_probe(&cqspi->pdev->dev, ret, "No Rx DMA available\n");
+ }
+ init_completion(&cqspi->rx_dma_complete);
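Review bot: The added branch tolerates only `-ENODEV`, while the description says every error other than a probe deferral should be ignored; any other error from the channel request still reaches `dev_err_probe()` and fails the probe. If the description is the intent, the condition would be `if (ret != -EPROBE_DEFER)`; otherwise the description should say that only a missing channel is tolerated. The early `return 0` also leaves `cqspi->rx_chan` NULL and skips `init_completion(&cqspi->rx_dma_complete)`, so the transfer path has to test `rx_chan` before using the completion; that code is not in the hunk. cqspi_request_mmap_dma() starts and ends outside the hunk.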
--- /dev/null
+From 17d253af4c2c8a2acf84bb55a0c2045f150b7dfd Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Date: Fri, 7 Feb 2025 15:07:46 -0300
+Subject: tpm: do not start chip while suspended
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+commit 17d253af4c2c8a2acf84bb55a0c2045f150b7dfd upstream.
+
+Checking TPM_CHIP_FLAG_SUSPENDED after the call to tpm_find_get_ops() can
+lead to a spurious tpm_chip_start() call:
+
+[35985.503771] i2c i2c-1: Transfer while suspended
+[35985.503796] WARNING: CPU: 0 PID: 74 at drivers/i2c/i2c-core.h:56 __i2c_transfer+0xbe/0x810
+[35985.503802] Modules linked in:
+[35985.503808] CPU: 0 UID: 0 PID: 74 Comm: hwrng Tainted: G W 6.13.0-next-20250203-00005-gfa0cb5642941 #19 9c3d7f78192f2d38e32010ac9c90fdc71109ef6f
+[35985.503814] Tainted: [W]=WARN
+[35985.503817] Hardware name: Google Morphius/Morphius, BIOS Google_Morphius.13434.858.0 10/26/2023
+[35985.503819] RIP: 0010:__i2c_transfer+0xbe/0x810
+[35985.503825] Code: 30 01 00 00 4c 89 f7 e8 40 fe d8 ff 48 8b 93 80 01 00 00 48 85 d2 75 03 49 8b 16 48 c7 c7 0a fb 7c a7 48 89 c6 e8 32 ad b0 fe <0f> 0b b8 94 ff ff ff e9 33 04 00 00 be 02 00 00 00 83 fd 02 0f 5
+[35985.503828] RSP: 0018:ffffa106c0333d30 EFLAGS: 00010246
+[35985.503833] RAX: 074ba64aa20f7000 RBX: ffff8aa4c1167120 RCX: 0000000000000000
+[35985.503836] RDX: 0000000000000000 RSI: ffffffffa77ab0e4 RDI: 0000000000000001
+[35985.503838] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
+[35985.503841] R10: 0000000000000004 R11: 00000001000313d5 R12: ffff8aa4c10f1820
+[35985.503843] R13: ffff8aa4c0e243c0 R14: ffff8aa4c1167250 R15: ffff8aa4c1167120
+[35985.503846] FS: 0000000000000000(0000) GS:ffff8aa4eae00000(0000) knlGS:0000000000000000
+[35985.503849] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[35985.503852] CR2: 00007fab0aaf1000 CR3: 0000000105328000 CR4: 00000000003506f0
+[35985.503855] Call Trace:
+[35985.503859] <TASK>
+[35985.503863] ? __warn+0xd4/0x260
+[35985.503868] ? __i2c_transfer+0xbe/0x810
+[35985.503874] ? report_bug+0xf3/0x210
+[35985.503882] ? handle_bug+0x63/0xb0
+[35985.503887] ? exc_invalid_op+0x16/0x50
+[35985.503892] ? asm_exc_invalid_op+0x16/0x20
+[35985.503904] ? __i2c_transfer+0xbe/0x810
+[35985.503913] tpm_cr50_i2c_transfer_message+0x24/0xf0
+[35985.503920] tpm_cr50_i2c_read+0x8e/0x120
+[35985.503928] tpm_cr50_request_locality+0x75/0x170
+[35985.503935] tpm_chip_start+0x116/0x160
+[35985.503942] tpm_try_get_ops+0x57/0x90
+[35985.503948] tpm_find_get_ops+0x26/0xd0
+[35985.503955] tpm_get_random+0x2d/0x80
+
+Don't move forward with tpm_chip_start() inside tpm_try_get_ops(), unless
+TPM_CHIP_FLAG_SUSPENDED is not set. tpm_find_get_ops() will return NULL in
+such a failure case.
+
+Fixes: 9265fed6db60 ("tpm: Lock TPM chip in tpm_pm_suspend() first")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Cc: stable@vger.kernel.org
+Cc: Jerry Snitselaar <jsnitsel@redhat.com>
+Cc: Mike Seo <mikeseohyungjin@gmail.com>
+Cc: Jarkko Sakkinen <jarkko@kernel.org>
+Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/tpm/tpm-chip.c | 5 +++++
+ drivers/char/tpm/tpm-interface.c | 7 -------
+ 2 files changed, 5 insertions(+), 7 deletions(-)
+
+--- a/drivers/char/tpm/tpm-chip.c
++++ b/drivers/char/tpm/tpm-chip.c
+@@ -165,6 +165,11 @@ int tpm_try_get_ops(struct tpm_chip *chi
+ goto out_ops;
+
+ mutex_lock(&chip->tpm_mutex);
++
++ /* tmp_chip_start may issue IO that is denied while suspended */
++ if (chip->flags & TPM_CHIP_FLAG_SUSPENDED)
++ goto out_lock;
++
+ rc = tpm_chip_start(chip);
+ if (rc)
+ goto out_lock;
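Review bot: The new comment misspells the function it refers to; `tmp_chip_start` should be `tpm_chip_start`, i.e. `/* tpm_chip_start may issue IO that is denied while suspended */`. The `goto out_lock` taken for a suspended chip also depends on `rc` already holding an error value assigned before the hunk. Setting it next to the check (for example `rc = -EIO;`, if that matches the initial value) would keep this path returning a failure even if the initialisation changes later. tpm_try_get_ops() starts and ends outside the hunk.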
+--- a/drivers/char/tpm/tpm-interface.c
++++ b/drivers/char/tpm/tpm-interface.c
+@@ -468,18 +468,11 @@ int tpm_get_random(struct tpm_chip *chip
+ if (!chip)
+ return -ENODEV;
+
+- /* Give back zero bytes, as TPM chip has not yet fully resumed: */
+- if (chip->flags & TPM_CHIP_FLAG_SUSPENDED) {
+- rc = 0;
+- goto out;
+- }
+-
+ if (chip->flags & TPM_CHIP_FLAG_TPM2)
+ rc = tpm2_get_random(chip, out, max);
+ else
+ rc = tpm1_get_random(chip, out, max);
+
+-out:
+ tpm_put_ops(chip);
+ return rc;
+ }
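Review bot: With the suspended-chip branch removed, tpm_get_random() no longer returns 0 bytes for a chip that has not resumed. Per the description tpm_find_get_ops() now returns NULL in that state, so the caller gets `-ENODEV` from the `if (!chip)` check at the top of the hunk. Callers that read 0 as "nothing yet, try again" now see an error (the trace in the description comes from the hwrng thread), and the function's kernel-doc, which is outside the hunk, should say so: `Return: number of random bytes read or a negative error value, including -ENODEV while the chip is suspended.`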
--- /dev/null
+From 7146dffa875cd00e7a7f918e1fce79c7593ac1fa Mon Sep 17 00:00:00 2001
+From: Jonathan McDowell <noodles@meta.com>
+Date: Wed, 12 Mar 2025 07:31:57 +0200
+Subject: tpm, tpm_tis: Fix timeout handling when waiting for TPM status
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan McDowell <noodles@meta.com>
+
+commit 7146dffa875cd00e7a7f918e1fce79c7593ac1fa upstream.
+
+The change to only use interrupts to handle supported status changes
+introduced an issue when it is necessary to poll for the status. Rather
+than checking for the status after sleeping the code now sleeps after
+the check. This means a correct, but slower, status change on the part
+of the TPM can be missed, resulting in a spurious timeout error,
+especially on a more loaded system. Switch back to sleeping *then*
+checking. An up front check of the status has been done at the start of
+the function, so this does not cause an additional delay when the status
+is already what we're looking for.
+
+Cc: stable@vger.kernel.org # v6.4+
+Fixes: e87fcf0dc2b4 ("tpm, tpm_tis: Only handle supported interrupts")
+Signed-off-by: Jonathan McDowell <noodles@meta.com>
+Reviewed-by: Michal Suchánek <msuchanek@suse.de>
+Reviewed-by: Lino Sanfilippo <l.sanfilippo@kunbus.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/tpm/tpm_tis_core.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/char/tpm/tpm_tis_core.c
++++ b/drivers/char/tpm/tpm_tis_core.c
+@@ -114,11 +114,10 @@ again:
+ return 0;
+ /* process status changes without irq support */
+ do {
++ usleep_range(priv->timeout_min, priv->timeout_max);
+ status = chip->ops->status(chip);
+ if ((status & mask) == mask)
+ return 0;
+- usleep_range(priv->timeout_min,
+- priv->timeout_max);
+ } while (time_before(jiffies, stop));
+ return -ETIME;
+ }
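Review bot: Nothing in the polling loop explains why the sleep has to come before the status read, and that ordering is exactly what regressed. A short comment above `usleep_range()` would protect it, e.g. `/* status was checked before the loop; sleep first so the last read happens after the final wait */`. The enclosing function starts outside the hunk, so the up-front check the description refers to is not visible here.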
--- /dev/null
+From 6afdc60ec30b0a9390d11b7cebed79c857ce82aa Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 12 Mar 2025 16:18:39 +0100
+Subject: udf: Fix inode_getblk() return value
+
+From: Jan Kara <jack@suse.cz>
+
+commit 6afdc60ec30b0a9390d11b7cebed79c857ce82aa upstream.
+
+Smatch noticed that inode_getblk() can return 1 on successful mapping of
+a block instead of expected 0 after commit b405c1e58b73 ("udf: refactor
+udf_next_aext() to handle error"). This could confuse some of the
+callers and lead to strange failures (although the one reported by
+Smatch in udf_mkdir() is impossible to trigger in practice). Fix the
+return value of inode_getblk().
+
+Link: https://lore.kernel.org/all/cb514af7-bbe0-435b-934f-dd1d7a16d2cd@stanley.mountain
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
+Fixes: b405c1e58b73 ("udf: refactor udf_next_aext() to handle error")
+CC: stable@vger.kernel.org
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/udf/inode.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -814,6 +814,7 @@ static int inode_getblk(struct inode *in
+ }
+ map->oflags = UDF_BLK_MAPPED;
+ map->pblk = udf_get_lb_pblock(inode->i_sb, &eloc, offset);
++ ret = 0;
+ goto out_free;
+ }
+
--- /dev/null
+From a6097e0a54a5c24f8d577ffecbc35289ae281c2e Mon Sep 17 00:00:00 2001
+From: Si-Wei Liu <si-wei.liu@oracle.com>
+Date: Thu, 20 Feb 2025 21:37:33 +0200
+Subject: vdpa/mlx5: Fix oversized null mkey longer than 32bit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Si-Wei Liu <si-wei.liu@oracle.com>
+
+commit a6097e0a54a5c24f8d577ffecbc35289ae281c2e upstream.
+
+create_user_mr() has correct code to count the number of null keys
+used to fill in a hole for the memory map. However, fill_indir()
+does not follow the same to cap the range up to the 1GB limit
+correspondingly. Fill in more null keys for the gaps in between,
+so that null keys are correctly populated.
+
+Fixes: 94abbccdf291 ("vdpa/mlx5: Add shared memory registration code")
+Cc: stable@vger.kernel.org
+Reported-by: Cong Meng <cong.meng@oracle.com>
+Signed-off-by: Si-Wei Liu <si-wei.liu@oracle.com>
+Signed-off-by: Dragos Tatulea <dtatulea@nvidia.com>
+Acked-by: Eugenio Pérez <eperezma@redhat.com>
+Message-Id: <20250220193732.521462-2-dtatulea@nvidia.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vdpa/mlx5/core/mr.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/vdpa/mlx5/core/mr.c
++++ b/drivers/vdpa/mlx5/core/mr.c
+@@ -166,9 +166,12 @@ again:
+ klm->bcount = cpu_to_be32(klm_bcount(dmr->end - dmr->start));
+ preve = dmr->end;
+ } else {
++ u64 bcount = min_t(u64, dmr->start - preve, MAX_KLM_SIZE);
++
+ klm->key = cpu_to_be32(mvdev->res.null_mkey);
+- klm->bcount = cpu_to_be32(klm_bcount(dmr->start - preve));
+- preve = dmr->start;
++ klm->bcount = cpu_to_be32(klm_bcount(bcount));
++ preve += bcount;
++
+ goto again;
+ }
+ }
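Review bot: The `goto again` path now writes one null-key entry per `MAX_KLM_SIZE` slice of the gap, and nothing in the hunk bounds how many `klm` entries that produces. The description says create_user_mr() counts the entries the same way, so the two have to stay in lockstep or the indirect key list is over- or under-filled; a comment such as `/* must emit the same number of null KLMs that create_user_mr() counted */` would record that. If `dmr->start` could ever be below `preve`, `dmr->start - preve` wraps in `u64` and the loop keeps emitting full-size entries, so a sanity check on the ordering is worth considering unless the caller guarantees it. The enclosing function starts and ends outside the hunk.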
--- /dev/null
+From d00c0c4105e5ab8a6a13ed23d701cceb285761fa Mon Sep 17 00:00:00 2001
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+Date: Wed, 12 Feb 2025 08:21:25 +0000
+Subject: wifi: mac80211: fix integer overflow in hwmp_route_info_get()
+
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+
+commit d00c0c4105e5ab8a6a13ed23d701cceb285761fa upstream.
+
+Since the new_metric and last_hop_metric variables can reach
+the MAX_METRIC(0xffffffff) value, an integer overflow may occur
+when multiplying them by 10/9. It can lead to incorrect behavior.
+
+Found by InfoTeCS on behalf of Linux Verification Center
+(linuxtesting.org) with SVACE.
+
+Fixes: a8d418d9ac25 ("mac80211: mesh: only switch path when new metric is at least 10% better")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ilia Gavrilov <Ilia.Gavrilov@infotecs.ru>
+Link: https://patch.msgid.link/20250212082124.4078236-1-Ilia.Gavrilov@infotecs.ru
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/mesh_hwmp.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/net/mac80211/mesh_hwmp.c
++++ b/net/mac80211/mesh_hwmp.c
+@@ -365,6 +365,12 @@ u32 airtime_link_metric_get(struct ieee8
+ return (u32)result;
+ }
+
++/* Check that the first metric is at least 10% better than the second one */
++static bool is_metric_better(u32 x, u32 y)
++{
++ return (x < y) && (x < (y - x / 10));
++}
++
+ /**
+ * hwmp_route_info_get - Update routing info to originator and transmitter
+ *
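Review bot: `is_metric_better()` takes the 10% from `x`, the candidate metric, so it requires `y > x + x / 10`. The replaced `mult_frac(x, 10, 9)` comparison required roughly `y > 1.11 * x`, and the helper's comment does not say which metric the margin is measured against. The `x < y` test is also what keeps `y - x / 10` from wrapping, which should be stated: `/* true if x is lower than y by more than x / 10; x < y guarantees y - x / 10 cannot underflow */`. In the two later hunks the old code used `>=` at the first call site and `>` at the second, while both now share the helper's single boundary for the different-next-hop case; it would help to confirm that this is intended.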
+@@ -456,8 +462,8 @@ static u32 hwmp_route_info_get(struct ie
+ (mpath->sn == orig_sn &&
+ (rcu_access_pointer(mpath->next_hop) !=
+ sta ?
+- mult_frac(new_metric, 10, 9) :
+- new_metric) >= mpath->metric)) {
++ !is_metric_better(new_metric, mpath->metric) :
++ new_metric >= mpath->metric))) {
+ process = false;
+ fresh_info = false;
+ }
+@@ -531,8 +537,8 @@ static u32 hwmp_route_info_get(struct ie
+ if ((mpath->flags & MESH_PATH_FIXED) ||
+ ((mpath->flags & MESH_PATH_ACTIVE) &&
+ ((rcu_access_pointer(mpath->next_hop) != sta ?
+- mult_frac(last_hop_metric, 10, 9) :
+- last_hop_metric) > mpath->metric)))
++ !is_metric_better(last_hop_metric, mpath->metric) :
++ last_hop_metric > mpath->metric))))
+ fresh_info = false;
+ } else {
+ mpath = mesh_path_add(sdata, ta);
--- /dev/null
+From 4bc1da524b502999da28d287de4286c986a1af57 Mon Sep 17 00:00:00 2001
+From: Haoxiang Li <haoxiang_li2024@163.com>
+Date: Wed, 19 Feb 2025 11:36:45 +0800
+Subject: wifi: mt76: Add check for devm_kstrdup()
+
+From: Haoxiang Li <haoxiang_li2024@163.com>
+
+commit 4bc1da524b502999da28d287de4286c986a1af57 upstream.
+
+Add check for the return value of devm_kstrdup() in
+mt76_get_of_data_from_mtd() to catch potential exception.
+
+Fixes: e7a6a044f9b9 ("mt76: testmode: move mtd part to mt76_dev")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
+Link: https://patch.msgid.link/20250219033645.2594753-1-haoxiang_li2024@163.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/eeprom.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/mediatek/mt76/eeprom.c
++++ b/drivers/net/wireless/mediatek/mt76/eeprom.c
+@@ -95,6 +95,10 @@ static int mt76_get_of_epprom_from_mtd(s
+
+ #ifdef CONFIG_NL80211_TESTMODE
+ dev->test_mtd.name = devm_kstrdup(dev->dev, part, GFP_KERNEL);
++ if (!dev->test_mtd.name) {
++ ret = -ENOMEM;
++ goto out_put_node;
++ }
+ dev->test_mtd.offset = offset;
+ #endif
+
--- /dev/null
+From 5c4e79e29a9fe4ea132118ac40c2bc97cfe23077 Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich@suse.com>
+Date: Wed, 12 Mar 2025 16:32:45 +0100
+Subject: xenfs/xensyms: respect hypervisor's "next" indication
+
+From: Jan Beulich <jbeulich@suse.com>
+
+commit 5c4e79e29a9fe4ea132118ac40c2bc97cfe23077 upstream.
+
+The interface specifies the symnum field as an input and output; the
+hypervisor sets it to the next sequential symbol's index. xensyms_next()
+incrementing the position explicitly (and xensyms_next_sym()
+decrementing it to "rewind") is only correct as long as the sequence of
+symbol indexes is non-sparse. Use the hypervisor-supplied value instead
+to update the position in xensyms_next(), and use the saved incoming
+index in xensyms_next_sym().
+
+Cc: stable@kernel.org
+Fixes: a11f4f0a4e18 ("xen: xensyms support")
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Message-ID: <15d5e7fa-ec5d-422f-9319-d28bed916349@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/xen/xenfs/xensyms.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/xen/xenfs/xensyms.c
++++ b/drivers/xen/xenfs/xensyms.c
+@@ -48,7 +48,7 @@ static int xensyms_next_sym(struct xensy
+ return -ENOMEM;
+
+ set_xen_guest_handle(symdata->name, xs->name);
+- symdata->symnum--; /* Rewind */
++ symdata->symnum = symnum; /* Rewind */
+
+ ret = HYPERVISOR_platform_op(&xs->op);
+ if (ret < 0)
+@@ -78,7 +78,7 @@ static void *xensyms_next(struct seq_fil
+ {
+ struct xensyms *xs = m->private;
+
+- xs->op.u.symdata.symnum = ++(*pos);
++ *pos = xs->op.u.symdata.symnum;
+
+ if (xensyms_next_sym(xs))
+ return NULL;