--- /dev/null
+From 9a6f56762d23a1f3af15e67901493c927caaf882 Mon Sep 17 00:00:00 2001
+From: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
+Date: Tue, 25 Mar 2025 12:43:05 +0100
+Subject: accel/ivpu: Fix deadlock in ivpu_ms_cleanup()
+
+From: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
+
+commit 9a6f56762d23a1f3af15e67901493c927caaf882 upstream.
+
+Fix deadlock in ivpu_ms_cleanup() by preventing runtime resume after
+file_priv->ms_lock is acquired.
+
+During a failure in runtime resume, a cold boot is executed, which
+calls ivpu_ms_cleanup_all(). This function calls ivpu_ms_cleanup()
+that acquires file_priv->ms_lock and causes the deadlock.
+
+Fixes: cdfad4db7756 ("accel/ivpu: Add NPU profiling support")
+Cc: stable@vger.kernel.org # v6.11+
+Signed-off-by: Maciej Falkowski <maciej.falkowski@linux.intel.com>
+Reviewed-by: Lizhi Hou <lizhi.hou@amd.com>
+Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
+Link: https://lore.kernel.org/r/20250325114306.3740022-2-maciej.falkowski@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/accel/ivpu/ivpu_ms.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/accel/ivpu/ivpu_ms.c
++++ b/drivers/accel/ivpu/ivpu_ms.c
+@@ -4,6 +4,7 @@
+ */
+
+ #include <drm/drm_file.h>
++#include <linux/pm_runtime.h>
+
+ #include "ivpu_drv.h"
+ #include "ivpu_gem.h"
+@@ -299,6 +300,9 @@ unlock:
+ void ivpu_ms_cleanup(struct ivpu_file_priv *file_priv)
+ {
+ struct ivpu_ms_instance *ms, *tmp;
++ struct ivpu_device *vdev = file_priv->vdev;
++
++ pm_runtime_get_sync(vdev->drm.dev);
+
+ mutex_lock(&file_priv->ms_lock);
+
+@@ -311,6 +315,8 @@ void ivpu_ms_cleanup(struct ivpu_file_pr
+ free_instance(file_priv, ms);
+
+ mutex_unlock(&file_priv->ms_lock);
++
++ pm_runtime_put_autosuspend(vdev->drm.dev);
+ }
+
+ void ivpu_ms_cleanup_all(struct ivpu_device *vdev)
--- /dev/null
+From d893da85e06edf54737bb80648bb58ba8fd56d9f Mon Sep 17 00:00:00 2001
+From: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
+Date: Tue, 25 Mar 2025 12:43:06 +0100
+Subject: accel/ivpu: Fix PM related deadlocks in MS IOCTLs
+
+From: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
+
+commit d893da85e06edf54737bb80648bb58ba8fd56d9f upstream.
+
+Prevent runtime resume/suspend while MS IOCTLs are in progress.
+Failed suspend will call ivpu_ms_cleanup() that would try to acquire
+file_priv->ms_lock, which is already held by the IOCTLs.
+
+Fixes: cdfad4db7756 ("accel/ivpu: Add NPU profiling support")
+Cc: stable@vger.kernel.org # v6.11+
+Signed-off-by: Maciej Falkowski <maciej.falkowski@linux.intel.com>
+Reviewed-by: Lizhi Hou <lizhi.hou@amd.com>
+Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
+Link: https://lore.kernel.org/r/20250325114306.3740022-3-maciej.falkowski@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/accel/ivpu/ivpu_debugfs.c | 4 ++--
+ drivers/accel/ivpu/ivpu_ms.c | 18 ++++++++++++++++++
+ 2 files changed, 20 insertions(+), 2 deletions(-)
+
+--- a/drivers/accel/ivpu/ivpu_debugfs.c
++++ b/drivers/accel/ivpu/ivpu_debugfs.c
+@@ -331,7 +331,7 @@ ivpu_force_recovery_fn(struct file *file
+ return -EINVAL;
+
+ ret = ivpu_rpm_get(vdev);
+- if (ret)
++ if (ret < 0)
+ return ret;
+
+ ivpu_pm_trigger_recovery(vdev, "debugfs");
+@@ -382,7 +382,7 @@ static int dct_active_set(void *data, u6
+ return -EINVAL;
+
+ ret = ivpu_rpm_get(vdev);
+- if (ret)
++ if (ret < 0)
+ return ret;
+
+ if (active_percent)
+--- a/drivers/accel/ivpu/ivpu_ms.c
++++ b/drivers/accel/ivpu/ivpu_ms.c
+@@ -44,6 +44,10 @@ int ivpu_ms_start_ioctl(struct drm_devic
+ args->sampling_period_ns < MS_MIN_SAMPLE_PERIOD_NS)
+ return -EINVAL;
+
++ ret = ivpu_rpm_get(vdev);
++ if (ret < 0)
++ return ret;
++
+ mutex_lock(&file_priv->ms_lock);
+
+ if (get_instance_by_mask(file_priv, args->metric_group_mask)) {
+@@ -96,6 +100,8 @@ err_free_ms:
+ kfree(ms);
+ unlock:
+ mutex_unlock(&file_priv->ms_lock);
++
++ ivpu_rpm_put(vdev);
+ return ret;
+ }
+
+@@ -160,6 +166,10 @@ int ivpu_ms_get_data_ioctl(struct drm_de
+ if (!args->metric_group_mask)
+ return -EINVAL;
+
++ ret = ivpu_rpm_get(vdev);
++ if (ret < 0)
++ return ret;
++
+ mutex_lock(&file_priv->ms_lock);
+
+ ms = get_instance_by_mask(file_priv, args->metric_group_mask);
+@@ -187,6 +197,7 @@ int ivpu_ms_get_data_ioctl(struct drm_de
+ unlock:
+ mutex_unlock(&file_priv->ms_lock);
+
++ ivpu_rpm_put(vdev);
+ return ret;
+ }
+
+@@ -204,11 +215,17 @@ int ivpu_ms_stop_ioctl(struct drm_device
+ {
+ struct ivpu_file_priv *file_priv = file->driver_priv;
+ struct drm_ivpu_metric_streamer_stop *args = data;
++ struct ivpu_device *vdev = file_priv->vdev;
+ struct ivpu_ms_instance *ms;
++ int ret;
+
+ if (!args->metric_group_mask)
+ return -EINVAL;
+
++ ret = ivpu_rpm_get(vdev);
++ if (ret < 0)
++ return ret;
++
+ mutex_lock(&file_priv->ms_lock);
+
+ ms = get_instance_by_mask(file_priv, args->metric_group_mask);
+@@ -217,6 +234,7 @@ int ivpu_ms_stop_ioctl(struct drm_device
+
+ mutex_unlock(&file_priv->ms_lock);
+
++ ivpu_rpm_put(vdev);
+ return ms ? 0 : -EINVAL;
+ }
+
--- /dev/null
+From 6b4568b675b14cf890c0c21779773c3e08e80ce5 Mon Sep 17 00:00:00 2001
+From: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
+Date: Tue, 25 Mar 2025 12:42:19 +0100
+Subject: accel/ivpu: Fix warning in ivpu_ipc_send_receive_internal()
+
+From: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
+
+commit 6b4568b675b14cf890c0c21779773c3e08e80ce5 upstream.
+
+Warn if device is suspended only when runtime PM is enabled.
+Runtime PM is disabled during reset/recovery and it is not an error
+to use ivpu_ipc_send_receive_internal() in such cases.
+
+Fixes: 5eaa49741119 ("accel/ivpu: Prevent recovery invocation during probe and resume")
+Cc: stable@vger.kernel.org # v6.13+
+Signed-off-by: Maciej Falkowski <maciej.falkowski@linux.intel.com>
+Reviewed-by: Lizhi Hou <lizhi.hou@amd.com>
+Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
+Link: https://lore.kernel.org/r/20250325114219.3739951-1-maciej.falkowski@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/accel/ivpu/ivpu_ipc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/accel/ivpu/ivpu_ipc.c
++++ b/drivers/accel/ivpu/ivpu_ipc.c
+@@ -302,7 +302,8 @@ ivpu_ipc_send_receive_internal(struct iv
+ struct ivpu_ipc_consumer cons;
+ int ret;
+
+- drm_WARN_ON(&vdev->drm, pm_runtime_status_suspended(vdev->drm.dev));
++ drm_WARN_ON(&vdev->drm, pm_runtime_status_suspended(vdev->drm.dev) &&
++ pm_runtime_enabled(vdev->drm.dev));
+
+ ivpu_ipc_consumer_add(vdev, &cons, channel, NULL);
+
--- /dev/null
+From e5182305a5199246dbcb4053299dcb1c8867b6ff Mon Sep 17 00:00:00 2001
+From: Sharan Kumar M <sharweshraajan@gmail.com>
+Date: Sat, 29 Mar 2025 21:11:06 +0530
+Subject: ALSA: hda/realtek: Enable Mute LED on HP OMEN 16 Laptop xd000xx
+
+From: Sharan Kumar M <sharweshraajan@gmail.com>
+
+commit e5182305a5199246dbcb4053299dcb1c8867b6ff upstream.
+
+This patch adds the HP OMEN 16 Laptop xd000xx to enable mute led.
+it uses ALC245_FIXUP_HP_MUTE_LED_COEFBIT with a slight modification
+setting mute_led_coef.off to 0(it was set to 4 i guess
+in that function) which i referred to your previous patch disscusion
+https://bugzilla.kernel.org/show_bug.cgi?id=214735 .
+i am not sure whether i can modify the current working function so i
+added another version calling
+ALC245_FIXUP_HP_MUTE_LED_V1_COEFBIT. and both works for me.
+
+Tested on 6.13.4-arch1-1 to 6.14.0-arch1-1
+
+Signed-off-by: Sharan Kumar M <sharweshraajan@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20250329154105.7618-2-sharweshraajan@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -4742,6 +4742,22 @@ static void alc245_fixup_hp_mute_led_coe
+ }
+ }
+
++static void alc245_fixup_hp_mute_led_v1_coefbit(struct hda_codec *codec,
++ const struct hda_fixup *fix,
++ int action)
++{
++ struct alc_spec *spec = codec->spec;
++
++ if (action == HDA_FIXUP_ACT_PRE_PROBE) {
++ spec->mute_led_polarity = 0;
++ spec->mute_led_coef.idx = 0x0b;
++ spec->mute_led_coef.mask = 1 << 3;
++ spec->mute_led_coef.on = 1 << 3;
++ spec->mute_led_coef.off = 0;
++ snd_hda_gen_add_mute_led_cdev(codec, coef_mute_led_set);
++ }
++}
++
+ /* turn on/off mic-mute LED per capture hook by coef bit */
+ static int coef_micmute_led_set(struct led_classdev *led_cdev,
+ enum led_brightness brightness)
+@@ -7885,6 +7901,7 @@ enum {
+ ALC245_FIXUP_TAS2781_SPI_2,
+ ALC287_FIXUP_YOGA7_14ARB7_I2C,
+ ALC245_FIXUP_HP_MUTE_LED_COEFBIT,
++ ALC245_FIXUP_HP_MUTE_LED_V1_COEFBIT,
+ ALC245_FIXUP_HP_X360_MUTE_LEDS,
+ ALC287_FIXUP_THINKPAD_I2S_SPK,
+ ALC287_FIXUP_MG_RTKC_CSAMP_CS35L41_I2C_THINKPAD,
+@@ -10132,6 +10149,10 @@ static const struct hda_fixup alc269_fix
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc245_fixup_hp_mute_led_coefbit,
+ },
++ [ALC245_FIXUP_HP_MUTE_LED_V1_COEFBIT] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc245_fixup_hp_mute_led_v1_coefbit,
++ },
+ [ALC245_FIXUP_HP_X360_MUTE_LEDS] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc245_fixup_hp_mute_led_coefbit,
+@@ -10626,6 +10647,7 @@ static const struct hda_quirk alc269_fix
+ SND_PCI_QUIRK(0x103c, 0x8b97, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x8bb3, "HP Slim OMEN", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x103c, 0x8bb4, "HP Slim OMEN", ALC287_FIXUP_CS35L41_I2C_2),
++ SND_PCI_QUIRK(0x103c, 0x8bcd, "HP Omen 16-xd0xxx", ALC245_FIXUP_HP_MUTE_LED_V1_COEFBIT),
+ SND_PCI_QUIRK(0x103c, 0x8bdd, "HP Envy 17", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x103c, 0x8bde, "HP Envy 17", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x103c, 0x8bdf, "HP Envy 15", ALC287_FIXUP_CS35L41_I2C_2),
--- /dev/null
+From 3371f569223c4e8d36edbb0ba789ee5f5cb7316f Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Wed, 26 Mar 2025 13:08:12 -0700
+Subject: arm/crc-t10dif: fix use of out-of-scope array in crc_t10dif_arch()
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 3371f569223c4e8d36edbb0ba789ee5f5cb7316f upstream.
+
+Fix a silly bug where an array was used outside of its scope.
+
+Fixes: 1684e8293605 ("arm/crc-t10dif: expose CRC-T10DIF function through lib")
+Cc: stable@vger.kernel.org
+Reported-by: David Binderman <dcb314@hotmail.com>
+Closes: https://lore.kernel.org/r/AS8PR02MB102170568EAE7FFDF93C8D1ED9CA62@AS8PR02MB10217.eurprd02.prod.outlook.com
+Link: https://lore.kernel.org/r/20250326200812.125574-1-ebiggers@kernel.org
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/lib/crc-t10dif-glue.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/arch/arm/lib/crc-t10dif-glue.c b/arch/arm/lib/crc-t10dif-glue.c
+index f3584ba70e57..6efad3d78284 100644
+--- a/arch/arm/lib/crc-t10dif-glue.c
++++ b/arch/arm/lib/crc-t10dif-glue.c
+@@ -44,9 +44,7 @@ u16 crc_t10dif_arch(u16 crc, const u8 *data, size_t length)
+ crc_t10dif_pmull8(crc, data, length, buf);
+ kernel_neon_end();
+
+- crc = 0;
+- data = buf;
+- length = sizeof(buf);
++ return crc_t10dif_generic(0, buf, sizeof(buf));
+ }
+ }
+ return crc_t10dif_generic(crc, data, length);
+--
+2.49.0
+
--- /dev/null
+From a9b5bd81b294d30a747edd125e9f6aef2def7c79 Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Tue, 7 Jan 2025 12:06:01 -0800
+Subject: arm64: cputype: Add MIDR_CORTEX_A76AE
+
+From: Douglas Anderson <dianders@chromium.org>
+
+commit a9b5bd81b294d30a747edd125e9f6aef2def7c79 upstream.
+
+>From the TRM, MIDR_CORTEX_A76AE has a partnum of 0xDOE and an
+implementor of 0x41 (ARM). Add the values.
+
+Cc: stable@vger.kernel.org # dependency of the next fix in the series
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Link: https://lore.kernel.org/r/20250107120555.v4.4.I151f3b7ee323bcc3082179b8c60c3cd03308aa94@changeid
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/cputype.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/include/asm/cputype.h
++++ b/arch/arm64/include/asm/cputype.h
+@@ -75,6 +75,7 @@
+ #define ARM_CPU_PART_CORTEX_A76 0xD0B
+ #define ARM_CPU_PART_NEOVERSE_N1 0xD0C
+ #define ARM_CPU_PART_CORTEX_A77 0xD0D
++#define ARM_CPU_PART_CORTEX_A76AE 0xD0E
+ #define ARM_CPU_PART_NEOVERSE_V1 0xD40
+ #define ARM_CPU_PART_CORTEX_A78 0xD41
+ #define ARM_CPU_PART_CORTEX_A78AE 0xD42
+@@ -160,6 +161,7 @@
+ #define MIDR_CORTEX_A76 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76)
+ #define MIDR_NEOVERSE_N1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N1)
+ #define MIDR_CORTEX_A77 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A77)
++#define MIDR_CORTEX_A76AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A76AE)
+ #define MIDR_NEOVERSE_V1 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V1)
+ #define MIDR_CORTEX_A78 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78)
+ #define MIDR_CORTEX_A78AE MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A78AE)
--- /dev/null
+From d48b663f410f8b35b8ba9bd597bafaa00f53293b Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Wed, 26 Mar 2025 13:09:18 -0700
+Subject: arm64/crc-t10dif: fix use of out-of-scope array in crc_t10dif_arch()
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit d48b663f410f8b35b8ba9bd597bafaa00f53293b upstream.
+
+Fix a silly bug where an array was used outside of its scope.
+
+Fixes: 2051da858534 ("arm64/crc-t10dif: expose CRC-T10DIF function through lib")
+Cc: stable@vger.kernel.org
+Reported-by: David Binderman <dcb314@hotmail.com>
+Closes: https://lore.kernel.org/r/AS8PR02MB102170568EAE7FFDF93C8D1ED9CA62@AS8PR02MB10217.eurprd02.prod.outlook.com
+Link: https://lore.kernel.org/r/20250326200918.125743-1-ebiggers@kernel.org
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/lib/crc-t10dif-glue.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/arch/arm64/lib/crc-t10dif-glue.c b/arch/arm64/lib/crc-t10dif-glue.c
+index a007d0c5f3fe..bacd18f23168 100644
+--- a/arch/arm64/lib/crc-t10dif-glue.c
++++ b/arch/arm64/lib/crc-t10dif-glue.c
+@@ -45,9 +45,7 @@ u16 crc_t10dif_arch(u16 crc, const u8 *data, size_t length)
+ crc_t10dif_pmull_p8(crc, data, length, buf);
+ kernel_neon_end();
+
+- crc = 0;
+- data = buf;
+- length = sizeof(buf);
++ return crc_t10dif_generic(0, buf, sizeof(buf));
+ }
+ }
+ return crc_t10dif_generic(crc, data, length);
+--
+2.49.0
+
--- /dev/null
+From 0c9fc6e652cd5aed48c5f700c32b7642bea7f453 Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Tue, 7 Jan 2025 12:06:00 -0800
+Subject: arm64: errata: Add KRYO 2XX/3XX/4XX silver cores to Spectre BHB safe list
+
+From: Douglas Anderson <dianders@chromium.org>
+
+commit 0c9fc6e652cd5aed48c5f700c32b7642bea7f453 upstream.
+
+Qualcomm has confirmed that, much like Cortex A53 and A55, KRYO
+2XX/3XX/4XX silver cores are unaffected by Spectre BHB. Add them to
+the safe list.
+
+Fixes: 558c303c9734 ("arm64: Mitigate spectre style branch history side channels")
+Cc: stable@vger.kernel.org
+Cc: Scott Bauer <sbauer@quicinc.com>
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Acked-by: Trilok Soni <quic_tsoni@quicinc.com>
+Link: https://lore.kernel.org/r/20250107120555.v4.3.Iab8dbfb5c9b1e143e7a29f410bce5f9525a0ba32@changeid
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/proton-pack.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/arm64/kernel/proton-pack.c
++++ b/arch/arm64/kernel/proton-pack.c
+@@ -854,6 +854,9 @@ static bool is_spectre_bhb_safe(int scop
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A510),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A520),
+ MIDR_ALL_VERSIONS(MIDR_BRAHMA_B53),
++ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_2XX_SILVER),
++ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_3XX_SILVER),
++ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_SILVER),
+ {},
+ };
+ static bool all_safe = true;
--- /dev/null
+From ed1ce841245d8febe3badf51c57e81c3619d0a1d Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Tue, 7 Jan 2025 12:05:58 -0800
+Subject: arm64: errata: Add QCOM_KRYO_4XX_GOLD to the spectre_bhb_k24_list
+
+From: Douglas Anderson <dianders@chromium.org>
+
+commit ed1ce841245d8febe3badf51c57e81c3619d0a1d upstream.
+
+Qualcomm Kryo 400-series Gold cores have a derivative of an ARM Cortex
+A76 in them. Since A76 needs Spectre mitigation via looping then the
+Kyro 400-series Gold cores also need Spectre mitigation via looping.
+
+Qualcomm has confirmed that the proper "k" value for Kryo 400-series
+Gold cores is 24.
+
+Fixes: 558c303c9734 ("arm64: Mitigate spectre style branch history side channels")
+Cc: stable@vger.kernel.org
+Cc: Scott Bauer <sbauer@quicinc.com>
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Acked-by: Trilok Soni <quic_tsoni@quicinc.com>
+Link: https://lore.kernel.org/r/20250107120555.v4.1.Ie4ef54abe02e7eb0eee50f830575719bf23bda48@changeid
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/proton-pack.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm64/kernel/proton-pack.c
++++ b/arch/arm64/kernel/proton-pack.c
+@@ -866,6 +866,7 @@ u8 spectre_bhb_loop_affected(int scope)
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A76),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A77),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
++ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_GOLD),
+ {},
+ };
+ static const struct midr_range spectre_bhb_k11_list[] = {
--- /dev/null
+From e403e8538359d8580cbee1976ff71813e947101e Mon Sep 17 00:00:00 2001
+From: Douglas Anderson <dianders@chromium.org>
+Date: Tue, 7 Jan 2025 12:05:59 -0800
+Subject: arm64: errata: Assume that unknown CPUs _are_ vulnerable to Spectre BHB
+
+From: Douglas Anderson <dianders@chromium.org>
+
+commit e403e8538359d8580cbee1976ff71813e947101e upstream.
+
+The code for detecting CPUs that are vulnerable to Spectre BHB was
+based on a hardcoded list of CPU IDs that were known to be affected.
+Unfortunately, the list mostly only contained the IDs of standard ARM
+cores. The IDs for many cores that are minor variants of the standard
+ARM cores (like many Qualcomm Kyro CPUs) weren't listed. This led the
+code to assume that those variants were not affected.
+
+Flip the code on its head and instead assume that a core is vulnerable
+if it doesn't have CSV2_3 but is unrecognized as being safe. This
+involves creating a "Spectre BHB safe" list.
+
+As of right now, the only CPU IDs added to the "Spectre BHB safe" list
+are ARM Cortex A35, A53, A55, A510, and A520. This list was created by
+looking for cores that weren't listed in ARM's list [1] as per review
+feedback on v2 of this patch [2]. Additionally Brahma A53 is added as
+per mailing list feedback [3].
+
+NOTE: this patch will not actually _mitigate_ anyone, it will simply
+cause them to report themselves as vulnerable. If any cores in the
+system are reported as vulnerable but not mitigated then the whole
+system will be reported as vulnerable though the system will attempt
+to mitigate with the information it has about the known cores.
+
+[1] https://developer.arm.com/Arm%20Security%20Center/Spectre-BHB
+[2] https://lore.kernel.org/r/20241219175128.GA25477@willie-the-truck
+[3] https://lore.kernel.org/r/18dbd7d1-a46c-4112-a425-320c99f67a8d@broadcom.com
+
+Fixes: 558c303c9734 ("arm64: Mitigate spectre style branch history side channels")
+Cc: stable@vger.kernel.org
+Reviewed-by: Julius Werner <jwerner@chromium.org>
+Signed-off-by: Douglas Anderson <dianders@chromium.org>
+Link: https://lore.kernel.org/r/20250107120555.v4.2.I2040fa004dafe196243f67ebcc647cbedbb516e6@changeid
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/spectre.h | 1
+ arch/arm64/kernel/proton-pack.c | 201 +++++++++++++++++++--------------------
+ 2 files changed, 101 insertions(+), 101 deletions(-)
+
+--- a/arch/arm64/include/asm/spectre.h
++++ b/arch/arm64/include/asm/spectre.h
+@@ -97,7 +97,6 @@ enum mitigation_state arm64_get_meltdown
+
+ enum mitigation_state arm64_get_spectre_bhb_state(void);
+ bool is_spectre_bhb_affected(const struct arm64_cpu_capabilities *entry, int scope);
+-u8 spectre_bhb_loop_affected(int scope);
+ void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *__unused);
+ bool try_emulate_el1_ssbs(struct pt_regs *regs, u32 instr);
+
+--- a/arch/arm64/kernel/proton-pack.c
++++ b/arch/arm64/kernel/proton-pack.c
+@@ -845,53 +845,70 @@ static unsigned long system_bhb_mitigati
+ * This must be called with SCOPE_LOCAL_CPU for each type of CPU, before any
+ * SCOPE_SYSTEM call will give the right answer.
+ */
+-u8 spectre_bhb_loop_affected(int scope)
++static bool is_spectre_bhb_safe(int scope)
++{
++ static const struct midr_range spectre_bhb_safe_list[] = {
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A35),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A53),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A55),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A510),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A520),
++ MIDR_ALL_VERSIONS(MIDR_BRAHMA_B53),
++ {},
++ };
++ static bool all_safe = true;
++
++ if (scope != SCOPE_LOCAL_CPU)
++ return all_safe;
++
++ if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_safe_list))
++ return true;
++
++ all_safe = false;
++
++ return false;
++}
++
++static u8 spectre_bhb_loop_affected(void)
+ {
+ u8 k = 0;
+- static u8 max_bhb_k;
+
+- if (scope == SCOPE_LOCAL_CPU) {
+- static const struct midr_range spectre_bhb_k32_list[] = {
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_A78),
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE),
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C),
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_X1),
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_A710),
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_X2),
+- MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2),
+- MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1),
+- {},
+- };
+- static const struct midr_range spectre_bhb_k24_list[] = {
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_A76),
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_A77),
+- MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
+- MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_GOLD),
+- {},
+- };
+- static const struct midr_range spectre_bhb_k11_list[] = {
+- MIDR_ALL_VERSIONS(MIDR_AMPERE1),
+- {},
+- };
+- static const struct midr_range spectre_bhb_k8_list[] = {
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_A72),
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_A57),
+- {},
+- };
+-
+- if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k32_list))
+- k = 32;
+- else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k24_list))
+- k = 24;
+- else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k11_list))
+- k = 11;
+- else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k8_list))
+- k = 8;
+-
+- max_bhb_k = max(max_bhb_k, k);
+- } else {
+- k = max_bhb_k;
+- }
++ static const struct midr_range spectre_bhb_k32_list[] = {
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78AE),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X1),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A710),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_X2),
++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2),
++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1),
++ {},
++ };
++ static const struct midr_range spectre_bhb_k24_list[] = {
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A76),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A77),
++ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
++ MIDR_ALL_VERSIONS(MIDR_QCOM_KRYO_4XX_GOLD),
++ {},
++ };
++ static const struct midr_range spectre_bhb_k11_list[] = {
++ MIDR_ALL_VERSIONS(MIDR_AMPERE1),
++ {},
++ };
++ static const struct midr_range spectre_bhb_k8_list[] = {
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A72),
++ MIDR_ALL_VERSIONS(MIDR_CORTEX_A57),
++ {},
++ };
++
++ if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k32_list))
++ k = 32;
++ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k24_list))
++ k = 24;
++ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k11_list))
++ k = 11;
++ else if (is_midr_in_range_list(read_cpuid_id(), spectre_bhb_k8_list))
++ k = 8;
+
+ return k;
+ }
+@@ -917,29 +934,13 @@ static enum mitigation_state spectre_bhb
+ }
+ }
+
+-static bool is_spectre_bhb_fw_affected(int scope)
++static bool has_spectre_bhb_fw_mitigation(void)
+ {
+- static bool system_affected;
+ enum mitigation_state fw_state;
+ bool has_smccc = arm_smccc_1_1_get_conduit() != SMCCC_CONDUIT_NONE;
+- static const struct midr_range spectre_bhb_firmware_mitigated_list[] = {
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_A73),
+- MIDR_ALL_VERSIONS(MIDR_CORTEX_A75),
+- {},
+- };
+- bool cpu_in_list = is_midr_in_range_list(read_cpuid_id(),
+- spectre_bhb_firmware_mitigated_list);
+-
+- if (scope != SCOPE_LOCAL_CPU)
+- return system_affected;
+
+ fw_state = spectre_bhb_get_cpu_fw_mitigation_state();
+- if (cpu_in_list || (has_smccc && fw_state == SPECTRE_MITIGATED)) {
+- system_affected = true;
+- return true;
+- }
+-
+- return false;
++ return has_smccc && fw_state == SPECTRE_MITIGATED;
+ }
+
+ static bool supports_ecbhb(int scope)
+@@ -955,6 +956,8 @@ static bool supports_ecbhb(int scope)
+ ID_AA64MMFR1_EL1_ECBHB_SHIFT);
+ }
+
++static u8 max_bhb_k;
++
+ bool is_spectre_bhb_affected(const struct arm64_cpu_capabilities *entry,
+ int scope)
+ {
+@@ -963,16 +966,18 @@ bool is_spectre_bhb_affected(const struc
+ if (supports_csv2p3(scope))
+ return false;
+
+- if (supports_clearbhb(scope))
+- return true;
+-
+- if (spectre_bhb_loop_affected(scope))
+- return true;
++ if (is_spectre_bhb_safe(scope))
++ return false;
+
+- if (is_spectre_bhb_fw_affected(scope))
+- return true;
++ /*
++ * At this point the core isn't known to be "safe" so we're going to
++ * assume it's vulnerable. We still need to update `max_bhb_k` though,
++ * but only if we aren't mitigating with clearbhb though.
++ */
++ if (scope == SCOPE_LOCAL_CPU && !supports_clearbhb(SCOPE_LOCAL_CPU))
++ max_bhb_k = max(max_bhb_k, spectre_bhb_loop_affected());
+
+- return false;
++ return true;
+ }
+
+ static void this_cpu_set_vectors(enum arm64_bp_harden_el1_vectors slot)
+@@ -1003,7 +1008,7 @@ early_param("nospectre_bhb", parse_spect
+ void spectre_bhb_enable_mitigation(const struct arm64_cpu_capabilities *entry)
+ {
+ bp_hardening_cb_t cpu_cb;
+- enum mitigation_state fw_state, state = SPECTRE_VULNERABLE;
++ enum mitigation_state state = SPECTRE_VULNERABLE;
+ struct bp_hardening_data *data = this_cpu_ptr(&bp_hardening_data);
+
+ if (!is_spectre_bhb_affected(entry, SCOPE_LOCAL_CPU))
+@@ -1029,7 +1034,7 @@ void spectre_bhb_enable_mitigation(const
+ this_cpu_set_vectors(EL1_VECTOR_BHB_CLEAR_INSN);
+ state = SPECTRE_MITIGATED;
+ set_bit(BHB_INSN, &system_bhb_mitigations);
+- } else if (spectre_bhb_loop_affected(SCOPE_LOCAL_CPU)) {
++ } else if (spectre_bhb_loop_affected()) {
+ /*
+ * Ensure KVM uses the indirect vector which will have the
+ * branchy-loop added. A57/A72-r0 will already have selected
+@@ -1042,32 +1047,29 @@ void spectre_bhb_enable_mitigation(const
+ this_cpu_set_vectors(EL1_VECTOR_BHB_LOOP);
+ state = SPECTRE_MITIGATED;
+ set_bit(BHB_LOOP, &system_bhb_mitigations);
+- } else if (is_spectre_bhb_fw_affected(SCOPE_LOCAL_CPU)) {
+- fw_state = spectre_bhb_get_cpu_fw_mitigation_state();
+- if (fw_state == SPECTRE_MITIGATED) {
+- /*
+- * Ensure KVM uses one of the spectre bp_hardening
+- * vectors. The indirect vector doesn't include the EL3
+- * call, so needs upgrading to
+- * HYP_VECTOR_SPECTRE_INDIRECT.
+- */
+- if (!data->slot || data->slot == HYP_VECTOR_INDIRECT)
+- data->slot += 1;
+-
+- this_cpu_set_vectors(EL1_VECTOR_BHB_FW);
+-
+- /*
+- * The WA3 call in the vectors supersedes the WA1 call
+- * made during context-switch. Uninstall any firmware
+- * bp_hardening callback.
+- */
+- cpu_cb = spectre_v2_get_sw_mitigation_cb();
+- if (__this_cpu_read(bp_hardening_data.fn) != cpu_cb)
+- __this_cpu_write(bp_hardening_data.fn, NULL);
+-
+- state = SPECTRE_MITIGATED;
+- set_bit(BHB_FW, &system_bhb_mitigations);
+- }
++ } else if (has_spectre_bhb_fw_mitigation()) {
++ /*
++ * Ensure KVM uses one of the spectre bp_hardening
++ * vectors. The indirect vector doesn't include the EL3
++ * call, so needs upgrading to
++ * HYP_VECTOR_SPECTRE_INDIRECT.
++ */
++ if (!data->slot || data->slot == HYP_VECTOR_INDIRECT)
++ data->slot += 1;
++
++ this_cpu_set_vectors(EL1_VECTOR_BHB_FW);
++
++ /*
++ * The WA3 call in the vectors supersedes the WA1 call
++ * made during context-switch. Uninstall any firmware
++ * bp_hardening callback.
++ */
++ cpu_cb = spectre_v2_get_sw_mitigation_cb();
++ if (__this_cpu_read(bp_hardening_data.fn) != cpu_cb)
++ __this_cpu_write(bp_hardening_data.fn, NULL);
++
++ state = SPECTRE_MITIGATED;
++ set_bit(BHB_FW, &system_bhb_mitigations);
+ }
+
+ update_mitigation_state(&spectre_bhb_state, state);
+@@ -1101,7 +1103,6 @@ void noinstr spectre_bhb_patch_loop_iter
+ {
+ u8 rd;
+ u32 insn;
+- u16 loop_count = spectre_bhb_loop_affected(SCOPE_SYSTEM);
+
+ BUG_ON(nr_inst != 1); /* MOV -> MOV */
+
+@@ -1110,7 +1111,7 @@ void noinstr spectre_bhb_patch_loop_iter
+
+ insn = le32_to_cpu(*origptr);
+ rd = aarch64_insn_decode_register(AARCH64_INSN_REGTYPE_RD, insn);
+- insn = aarch64_insn_gen_movewide(rd, loop_count, 0,
++ insn = aarch64_insn_gen_movewide(rd, max_bhb_k, 0,
+ AARCH64_INSN_VARIANT_64BIT,
+ AARCH64_INSN_MOVEWIDE_ZERO);
+ *updptr++ = cpu_to_le32(insn);
--- /dev/null
+From 3e330acf4efd63876d673c046cd073a1d4ed57a8 Mon Sep 17 00:00:00 2001
+From: Haoxiang Li <haoxiang_li2024@163.com>
+Date: Wed, 26 Feb 2025 16:50:50 +0800
+Subject: ASoC: codecs: wcd937x: fix a potential memory leak in wcd937x_soc_codec_probe()
+
+From: Haoxiang Li <haoxiang_li2024@163.com>
+
+commit 3e330acf4efd63876d673c046cd073a1d4ed57a8 upstream.
+
+When snd_soc_dapm_new_controls() or snd_soc_dapm_add_routes() fails,
+wcd937x_soc_codec_probe() returns without releasing 'wcd937x->clsh_info',
+which is allocated by wcd_clsh_ctrl_alloc. Add wcd_clsh_ctrl_free()
+to prevent potential memory leak.
+
+Fixes: 313e978df7fc ("ASoC: codecs: wcd937x: add audio routing and Kconfig")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
+Link: https://patch.msgid.link/20250226085050.3584898-1-haoxiang_li2024@163.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/codecs/wcd937x.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/soc/codecs/wcd937x.c
++++ b/sound/soc/codecs/wcd937x.c
+@@ -2563,6 +2563,7 @@ static int wcd937x_soc_codec_probe(struc
+ ARRAY_SIZE(wcd9375_dapm_widgets));
+ if (ret < 0) {
+ dev_err(component->dev, "Failed to add snd_ctls\n");
++ wcd_clsh_ctrl_free(wcd937x->clsh_info);
+ return ret;
+ }
+
+@@ -2570,6 +2571,7 @@ static int wcd937x_soc_codec_probe(struc
+ ARRAY_SIZE(wcd9375_audio_map));
+ if (ret < 0) {
+ dev_err(component->dev, "Failed to add routes\n");
++ wcd_clsh_ctrl_free(wcd937x->clsh_info);
+ return ret;
+ }
+ }
--- /dev/null
+From 0badb5432fd525a00db5630c459b635e9d47f445 Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Fri, 14 Mar 2025 17:47:57 +0000
+Subject: ASoC: q6apm: add q6apm_get_hw_pointer helper
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+commit 0badb5432fd525a00db5630c459b635e9d47f445 upstream.
+
+Implement an helper function in q6apm to be able to read the current
+hardware pointer for both read and write buffers.
+
+This should help q6apm-dai to get the hardware pointer consistently
+without it doing manual calculation, which could go wrong in some race
+conditions.
+
+Fixes: 9b4fe0f1cd79 ("ASoC: qdsp6: audioreach: add q6apm-dai support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Tested-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Tested-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://patch.msgid.link/20250314174800.10142-3-srinivas.kandagatla@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/qcom/qdsp6/q6apm.c | 18 +++++++++++++++++-
+ sound/soc/qcom/qdsp6/q6apm.h | 3 +++
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+--- a/sound/soc/qcom/qdsp6/q6apm.c
++++ b/sound/soc/qcom/qdsp6/q6apm.c
+@@ -494,6 +494,19 @@ int q6apm_read(struct q6apm_graph *graph
+ }
+ EXPORT_SYMBOL_GPL(q6apm_read);
+
++int q6apm_get_hw_pointer(struct q6apm_graph *graph, int dir)
++{
++ struct audioreach_graph_data *data;
++
++ if (dir == SNDRV_PCM_STREAM_PLAYBACK)
++ data = &graph->rx_data;
++ else
++ data = &graph->tx_data;
++
++ return (int)atomic_read(&data->hw_ptr);
++}
++EXPORT_SYMBOL_GPL(q6apm_get_hw_pointer);
++
+ static int graph_callback(struct gpr_resp_pkt *data, void *priv, int op)
+ {
+ struct data_cmd_rsp_rd_sh_mem_ep_data_buffer_done_v2 *rd_done;
+@@ -520,7 +533,8 @@ static int graph_callback(struct gpr_res
+ done = data->payload;
+ phys = graph->rx_data.buf[token].phys;
+ mutex_unlock(&graph->lock);
+-
++ /* token numbering starts at 0 */
++ atomic_set(&graph->rx_data.hw_ptr, token + 1);
+ if (lower_32_bits(phys) == done->buf_addr_lsw &&
+ upper_32_bits(phys) == done->buf_addr_msw) {
+ graph->result.opcode = hdr->opcode;
+@@ -553,6 +567,8 @@ static int graph_callback(struct gpr_res
+ rd_done = data->payload;
+ phys = graph->tx_data.buf[hdr->token].phys;
+ mutex_unlock(&graph->lock);
++ /* token numbering starts at 0 */
++ atomic_set(&graph->tx_data.hw_ptr, hdr->token + 1);
+
+ if (upper_32_bits(phys) == rd_done->buf_addr_msw &&
+ lower_32_bits(phys) == rd_done->buf_addr_lsw) {
+--- a/sound/soc/qcom/qdsp6/q6apm.h
++++ b/sound/soc/qcom/qdsp6/q6apm.h
+@@ -2,6 +2,7 @@
+ #ifndef __Q6APM_H__
+ #define __Q6APM_H__
+ #include <linux/types.h>
++#include <linux/atomic.h>
+ #include <linux/slab.h>
+ #include <linux/wait.h>
+ #include <linux/kernel.h>
+@@ -77,6 +78,7 @@ struct audioreach_graph_data {
+ uint32_t num_periods;
+ uint32_t dsp_buf;
+ uint32_t mem_map_handle;
++ atomic_t hw_ptr;
+ };
+
+ struct audioreach_graph {
+@@ -150,4 +152,5 @@ int q6apm_enable_compress_module(struct
+ int q6apm_remove_initial_silence(struct device *dev, struct q6apm_graph *graph, uint32_t samples);
+ int q6apm_remove_trailing_silence(struct device *dev, struct q6apm_graph *graph, uint32_t samples);
+ int q6apm_set_real_module_id(struct device *dev, struct q6apm_graph *graph, uint32_t codec_id);
++int q6apm_get_hw_pointer(struct q6apm_graph *graph, int dir);
+ #endif /* __APM_GRAPH_ */
--- /dev/null
+From a93dad6f4e6a04a5943f6ee5686585f24abf7063 Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Fri, 14 Mar 2025 17:47:58 +0000
+Subject: ASoC: q6apm-dai: make use of q6apm_get_hw_pointer
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+commit a93dad6f4e6a04a5943f6ee5686585f24abf7063 upstream.
+
+With the existing code, the buffer position is only reset in pointer
+callback, which leaves the possiblity of it going over the size of
+buffer size and reporting incorrect position to userspace.
+
+Without this patch, its possible to see errors like:
+snd-x1e80100 sound: invalid position: pcmC0D0p:0, pos = 12288, buffer size = 12288, period size = 1536
+snd-x1e80100 sound: invalid position: pcmC0D0p:0, pos = 12288, buffer size = 12288, period size = 1536
+
+Fixes: 9b4fe0f1cd791 ("ASoC: qdsp6: audioreach: add q6apm-dai support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Tested-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Tested-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://patch.msgid.link/20250314174800.10142-4-srinivas.kandagatla@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/qcom/qdsp6/q6apm-dai.c | 23 ++++-------------------
+ 1 file changed, 4 insertions(+), 19 deletions(-)
+
+--- a/sound/soc/qcom/qdsp6/q6apm-dai.c
++++ b/sound/soc/qcom/qdsp6/q6apm-dai.c
+@@ -64,7 +64,6 @@ struct q6apm_dai_rtd {
+ phys_addr_t phys;
+ unsigned int pcm_size;
+ unsigned int pcm_count;
+- unsigned int pos; /* Buffer position */
+ unsigned int periods;
+ unsigned int bytes_sent;
+ unsigned int bytes_received;
+@@ -124,23 +123,16 @@ static void event_handler(uint32_t opcod
+ {
+ struct q6apm_dai_rtd *prtd = priv;
+ struct snd_pcm_substream *substream = prtd->substream;
+- unsigned long flags;
+
+ switch (opcode) {
+ case APM_CLIENT_EVENT_CMD_EOS_DONE:
+ prtd->state = Q6APM_STREAM_STOPPED;
+ break;
+ case APM_CLIENT_EVENT_DATA_WRITE_DONE:
+- spin_lock_irqsave(&prtd->lock, flags);
+- prtd->pos += prtd->pcm_count;
+- spin_unlock_irqrestore(&prtd->lock, flags);
+ snd_pcm_period_elapsed(substream);
+
+ break;
+ case APM_CLIENT_EVENT_DATA_READ_DONE:
+- spin_lock_irqsave(&prtd->lock, flags);
+- prtd->pos += prtd->pcm_count;
+- spin_unlock_irqrestore(&prtd->lock, flags);
+ snd_pcm_period_elapsed(substream);
+ if (prtd->state == Q6APM_STREAM_RUNNING)
+ q6apm_read(prtd->graph);
+@@ -247,7 +239,6 @@ static int q6apm_dai_prepare(struct snd_
+ }
+
+ prtd->pcm_count = snd_pcm_lib_period_bytes(substream);
+- prtd->pos = 0;
+ /* rate and channels are sent to audio driver */
+ ret = q6apm_graph_media_format_shmem(prtd->graph, &cfg);
+ if (ret < 0) {
+@@ -445,16 +436,12 @@ static snd_pcm_uframes_t q6apm_dai_point
+ struct snd_pcm_runtime *runtime = substream->runtime;
+ struct q6apm_dai_rtd *prtd = runtime->private_data;
+ snd_pcm_uframes_t ptr;
+- unsigned long flags;
+
+- spin_lock_irqsave(&prtd->lock, flags);
+- if (prtd->pos == prtd->pcm_size)
+- prtd->pos = 0;
+-
+- ptr = bytes_to_frames(runtime, prtd->pos);
+- spin_unlock_irqrestore(&prtd->lock, flags);
++ ptr = q6apm_get_hw_pointer(prtd->graph, substream->stream) * runtime->period_size;
++ if (ptr)
++ return ptr - 1;
+
+- return ptr;
++ return 0;
+ }
+
+ static int q6apm_dai_hw_params(struct snd_soc_component *component,
+@@ -669,8 +656,6 @@ static int q6apm_dai_compr_set_params(st
+ prtd->pcm_size = runtime->fragments * runtime->fragment_size;
+ prtd->bits_per_sample = 16;
+
+- prtd->pos = 0;
+-
+ if (prtd->next_track != true) {
+ memcpy(&prtd->codec, codec, sizeof(*codec));
+
--- /dev/null
+From 3d4a4411aa8bbc3653ff22a1ff0432eb93d22ae0 Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Fri, 14 Mar 2025 17:47:56 +0000
+Subject: ASoC: q6apm-dai: schedule all available frames to avoid dsp under-runs
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+commit 3d4a4411aa8bbc3653ff22a1ff0432eb93d22ae0 upstream.
+
+With the existing code, we are only setting up one period at a time, in a
+ping-pong buffer style. This triggers lot of underruns in the dsp
+leading to jitter noise during audio playback.
+
+Fix this by scheduling all available periods, this will ensure that the dsp
+has enough buffer feed and ultimatley fixing the underruns and audio
+distortion.
+
+Fixes: 9b4fe0f1cd79 ("ASoC: qdsp6: audioreach: add q6apm-dai support")
+Cc: stable@vger.kernel.org
+Reported-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Tested-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Tested-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://patch.msgid.link/20250314174800.10142-2-srinivas.kandagatla@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/qcom/qdsp6/q6apm-dai.c | 28 +++++++++++++++++++++++-----
+ 1 file changed, 23 insertions(+), 5 deletions(-)
+
+--- a/sound/soc/qcom/qdsp6/q6apm-dai.c
++++ b/sound/soc/qcom/qdsp6/q6apm-dai.c
+@@ -70,6 +70,7 @@ struct q6apm_dai_rtd {
+ unsigned int bytes_received;
+ unsigned int copied_total;
+ uint16_t bits_per_sample;
++ snd_pcm_uframes_t queue_ptr;
+ bool next_track;
+ enum stream_state state;
+ struct q6apm_graph *graph;
+@@ -134,8 +135,6 @@ static void event_handler(uint32_t opcod
+ prtd->pos += prtd->pcm_count;
+ spin_unlock_irqrestore(&prtd->lock, flags);
+ snd_pcm_period_elapsed(substream);
+- if (prtd->state == Q6APM_STREAM_RUNNING)
+- q6apm_write_async(prtd->graph, prtd->pcm_count, 0, 0, 0);
+
+ break;
+ case APM_CLIENT_EVENT_DATA_READ_DONE:
+@@ -294,6 +293,27 @@ static int q6apm_dai_prepare(struct snd_
+ return 0;
+ }
+
++static int q6apm_dai_ack(struct snd_soc_component *component, struct snd_pcm_substream *substream)
++{
++ struct snd_pcm_runtime *runtime = substream->runtime;
++ struct q6apm_dai_rtd *prtd = runtime->private_data;
++ int i, ret = 0, avail_periods;
++
++ if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) {
++ avail_periods = (runtime->control->appl_ptr - prtd->queue_ptr)/runtime->period_size;
++ for (i = 0; i < avail_periods; i++) {
++ ret = q6apm_write_async(prtd->graph, prtd->pcm_count, 0, 0, NO_TIMESTAMP);
++ if (ret < 0) {
++ dev_err(component->dev, "Error queuing playback buffer %d\n", ret);
++ return ret;
++ }
++ prtd->queue_ptr += runtime->period_size;
++ }
++ }
++
++ return ret;
++}
++
+ static int q6apm_dai_trigger(struct snd_soc_component *component,
+ struct snd_pcm_substream *substream, int cmd)
+ {
+@@ -305,9 +325,6 @@ static int q6apm_dai_trigger(struct snd_
+ case SNDRV_PCM_TRIGGER_START:
+ case SNDRV_PCM_TRIGGER_RESUME:
+ case SNDRV_PCM_TRIGGER_PAUSE_RELEASE:
+- /* start writing buffers for playback only as we already queued capture buffers */
+- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
+- ret = q6apm_write_async(prtd->graph, prtd->pcm_count, 0, 0, 0);
+ break;
+ case SNDRV_PCM_TRIGGER_STOP:
+ /* TODO support be handled via SoftPause Module */
+@@ -836,6 +853,7 @@ static const struct snd_soc_component_dr
+ .hw_params = q6apm_dai_hw_params,
+ .pointer = q6apm_dai_pointer,
+ .trigger = q6apm_dai_trigger,
++ .ack = q6apm_dai_ack,
+ .compress_ops = &q6apm_dai_compress_ops,
+ .use_dai_pcm_id = true,
+ };
--- /dev/null
+From 5d01ed9b9939b4c726be74db291a982bc984c584 Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Fri, 14 Mar 2025 17:48:00 +0000
+Subject: ASoC: qdsp6: q6apm-dai: fix capture pipeline overruns.
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+commit 5d01ed9b9939b4c726be74db291a982bc984c584 upstream.
+
+Period sizes less than 6k for capture path triggers overruns in the
+dsp capture pipeline.
+
+Change the period size and number of periods to value which DSP is happy with.
+
+Fixes: 9b4fe0f1cd79 ("ASoC: qdsp6: audioreach: add q6apm-dai support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Tested-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Tested-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://patch.msgid.link/20250314174800.10142-6-srinivas.kandagatla@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/qcom/qdsp6/q6apm-dai.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/qcom/qdsp6/q6apm-dai.c
++++ b/sound/soc/qcom/qdsp6/q6apm-dai.c
+@@ -24,8 +24,8 @@
+ #define PLAYBACK_MIN_PERIOD_SIZE 128
+ #define CAPTURE_MIN_NUM_PERIODS 2
+ #define CAPTURE_MAX_NUM_PERIODS 8
+-#define CAPTURE_MAX_PERIOD_SIZE 4096
+-#define CAPTURE_MIN_PERIOD_SIZE 320
++#define CAPTURE_MAX_PERIOD_SIZE 65536
++#define CAPTURE_MIN_PERIOD_SIZE 6144
+ #define BUFFER_BYTES_MAX (PLAYBACK_MAX_NUM_PERIODS * PLAYBACK_MAX_PERIOD_SIZE)
+ #define BUFFER_BYTES_MIN (PLAYBACK_MIN_NUM_PERIODS * PLAYBACK_MIN_PERIOD_SIZE)
+ #define COMPR_PLAYBACK_MAX_FRAGMENT_SIZE (128 * 1024)
--- /dev/null
+From 3107019501842c27334554ba9d6583b1f200f61f Mon Sep 17 00:00:00 2001
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Date: Fri, 14 Mar 2025 17:47:59 +0000
+Subject: ASoC: qdsp6: q6apm-dai: set 10 ms period and buffer alignment.
+
+From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+
+commit 3107019501842c27334554ba9d6583b1f200f61f upstream.
+
+DSP expects the periods to be aligned to fragment sizes, currently
+setting up to hw constriants on periods bytes is not going to work
+correctly as we can endup with periods sizes aligned to 32 bytes however
+not aligned to fragment size.
+
+Update the constriants to use fragment size, and also set at step of
+10ms for period size to accommodate DSP requirements of 10ms latency.
+
+Fixes: 9b4fe0f1cd79 ("ASoC: qdsp6: audioreach: add q6apm-dai support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Tested-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://patch.msgid.link/20250314174800.10142-5-srinivas.kandagatla@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/qcom/qdsp6/q6apm-dai.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/qcom/qdsp6/q6apm-dai.c
++++ b/sound/soc/qcom/qdsp6/q6apm-dai.c
+@@ -385,13 +385,14 @@ static int q6apm_dai_open(struct snd_soc
+ }
+ }
+
+- ret = snd_pcm_hw_constraint_step(runtime, 0, SNDRV_PCM_HW_PARAM_PERIOD_BYTES, 32);
++ /* setup 10ms latency to accommodate DSP restrictions */
++ ret = snd_pcm_hw_constraint_step(runtime, 0, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, 480);
+ if (ret < 0) {
+ dev_err(dev, "constraint for period bytes step ret = %d\n", ret);
+ goto err;
+ }
+
+- ret = snd_pcm_hw_constraint_step(runtime, 0, SNDRV_PCM_HW_PARAM_BUFFER_BYTES, 32);
++ ret = snd_pcm_hw_constraint_step(runtime, 0, SNDRV_PCM_HW_PARAM_BUFFER_SIZE, 480);
+ if (ret < 0) {
+ dev_err(dev, "constraint for buffer bytes step ret = %d\n", ret);
+ goto err;
--- /dev/null
+From 7eccc86e90f04a0d758d16c08627a620ac59604d Mon Sep 17 00:00:00 2001
+From: Alexey Klimov <alexey.klimov@linaro.org>
+Date: Thu, 27 Mar 2025 15:46:50 +0000
+Subject: ASoC: qdsp6: q6asm-dai: fix q6asm_dai_compr_set_params error path
+
+From: Alexey Klimov <alexey.klimov@linaro.org>
+
+commit 7eccc86e90f04a0d758d16c08627a620ac59604d upstream.
+
+In case of attempts to compress playback something, for instance,
+when audio routing is not set up correctly, the audio DSP is left in
+inconsistent state because we are not doing the correct things in
+the error path of q6asm_dai_compr_set_params().
+
+So, when routing is not set up and compress playback is attempted
+the following errors are present (simplified log):
+
+q6routing routing: Routing not setup for MultiMedia-1 Session
+q6asm-dai dais: Stream reg failed ret:-22
+q6asm-dai dais: ASoC error (-22): at snd_soc_component_compr_set_params()
+on 17300000.remoteproc:glink-edge:apr:service@7:dais
+
+After setting the correct routing the compress playback will always fail:
+
+q6asm-dai dais: cmd = 0x10db3 returned error = 0x9
+q6asm-dai dais: DSP returned error[9]
+q6asm-dai dais: q6asm_open_write failed
+q6asm-dai dais: ASoC error (-22): at snd_soc_component_compr_set_params()
+on 17300000.remoteproc:glink-edge:apr:service@7:dais
+
+0x9 here means "Operation is already processed". The CMD_OPEN here was
+sent the second time hence DSP responds that it was already done.
+
+Turns out the CMD_CLOSE should be sent after the q6asm_open_write()
+succeeded but something failed after that, for instance, routing
+setup.
+
+Fix this by slightly reworking the error path in
+q6asm_dai_compr_set_params().
+
+Tested on QRB5165 RB5 and SDM845 RB3 boards.
+
+Cc: stable@vger.kernel.org
+Fixes: 5b39363e54cc ("ASoC: q6asm-dai: prepare set params to accept profile change")
+Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Cc: Vinod Koul <vkoul@kernel.org>
+Cc: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Alexey Klimov <alexey.klimov@linaro.org>
+Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://patch.msgid.link/20250327154650.337404-1-alexey.klimov@linaro.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/qcom/qdsp6/q6asm-dai.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+--- a/sound/soc/qcom/qdsp6/q6asm-dai.c
++++ b/sound/soc/qcom/qdsp6/q6asm-dai.c
+@@ -892,9 +892,7 @@ static int q6asm_dai_compr_set_params(st
+
+ if (ret < 0) {
+ dev_err(dev, "q6asm_open_write failed\n");
+- q6asm_audio_client_free(prtd->audio_client);
+- prtd->audio_client = NULL;
+- return ret;
++ goto open_err;
+ }
+ }
+
+@@ -903,7 +901,7 @@ static int q6asm_dai_compr_set_params(st
+ prtd->session_id, dir);
+ if (ret) {
+ dev_err(dev, "Stream reg failed ret:%d\n", ret);
+- return ret;
++ goto q6_err;
+ }
+
+ ret = __q6asm_dai_compr_set_codec_params(component, stream,
+@@ -911,7 +909,7 @@ static int q6asm_dai_compr_set_params(st
+ prtd->stream_id);
+ if (ret) {
+ dev_err(dev, "codec param setup failed ret:%d\n", ret);
+- return ret;
++ goto q6_err;
+ }
+
+ ret = q6asm_map_memory_regions(dir, prtd->audio_client, prtd->phys,
+@@ -920,12 +918,21 @@ static int q6asm_dai_compr_set_params(st
+
+ if (ret < 0) {
+ dev_err(dev, "Buffer Mapping failed ret:%d\n", ret);
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto q6_err;
+ }
+
+ prtd->state = Q6ASM_STREAM_RUNNING;
+
+ return 0;
++
++q6_err:
++ q6asm_cmd(prtd->audio_client, prtd->stream_id, CMD_CLOSE);
++
++open_err:
++ q6asm_audio_client_free(prtd->audio_client);
++ prtd->audio_client = NULL;
++ return ret;
+ }
+
+ static int q6asm_dai_compr_set_metadata(struct snd_soc_component *component,
--- /dev/null
+From 9b98a7d2e5f4e2beeff88f6571da0cdc5883c7fb Mon Sep 17 00:00:00 2001
+From: Haoxiang Li <haoxiang_li2024@163.com>
+Date: Mon, 24 Feb 2025 18:15:27 +0800
+Subject: auxdisplay: hd44780: Fix an API misuse in hd44780.c
+
+From: Haoxiang Li <haoxiang_li2024@163.com>
+
+commit 9b98a7d2e5f4e2beeff88f6571da0cdc5883c7fb upstream.
+
+Variable allocated by charlcd_alloc() should be released
+by charlcd_free(). The following patch changed kfree() to
+charlcd_free() to fix an API misuse.
+
+Fixes: 718e05ed92ec ("auxdisplay: Introduce hd44780_common.[ch]")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/auxdisplay/hd44780.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/auxdisplay/hd44780.c
++++ b/drivers/auxdisplay/hd44780.c
+@@ -313,7 +313,7 @@ static int hd44780_probe(struct platform
+ fail3:
+ kfree(hd);
+ fail2:
+- kfree(lcd);
++ charlcd_free(lcd);
+ fail1:
+ kfree(hdc);
+ return ret;
+@@ -328,7 +328,7 @@ static void hd44780_remove(struct platfo
+ kfree(hdc->hd44780);
+ kfree(lcd->drvdata);
+
+- kfree(lcd);
++ charlcd_free(lcd);
+ }
+
+ static const struct of_device_id hd44780_of_match[] = {
--- /dev/null
+From fc0e982b8a3a169b1c654d9a1aa45bf292943ef2 Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Mon, 10 Mar 2025 19:54:53 +0800
+Subject: block: make sure ->nr_integrity_segments is cloned in blk_rq_prep_clone
+
+From: Ming Lei <ming.lei@redhat.com>
+
+commit fc0e982b8a3a169b1c654d9a1aa45bf292943ef2 upstream.
+
+Make sure ->nr_integrity_segments is cloned in blk_rq_prep_clone(),
+otherwise requests cloned by device-mapper multipath will not have the
+proper nr_integrity_segments values set, then BUG() is hit from
+sg_alloc_table_chained().
+
+Fixes: b0fd271d5fba ("block: add request clone interface (v2)")
+Cc: stable@vger.kernel.org
+Cc: Christoph Hellwig <hch@infradead.org>
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20250310115453.2271109-1-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-mq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -3314,6 +3314,7 @@ int blk_rq_prep_clone(struct request *rq
+ rq->special_vec = rq_src->special_vec;
+ }
+ rq->nr_phys_segments = rq_src->nr_phys_segments;
++ rq->nr_integrity_segments = rq_src->nr_integrity_segments;
+
+ if (rq->bio && blk_crypto_rq_bio_prep(rq, rq->bio, gfp_mask) < 0)
+ goto free_and_out;
--- /dev/null
+From 0686a818d77a431fc3ba2fab4b46bbb04e8c9380 Mon Sep 17 00:00:00 2001
+From: Jeffrey Hugo <quic_jhugo@quicinc.com>
+Date: Thu, 6 Mar 2025 10:29:13 -0700
+Subject: bus: mhi: host: Fix race between unprepare and queue_buf
+
+From: Jeff Hugo <quic_jhugo@quicinc.com>
+
+commit 0686a818d77a431fc3ba2fab4b46bbb04e8c9380 upstream.
+
+A client driver may use mhi_unprepare_from_transfer() to quiesce
+incoming data during the client driver's tear down. The client driver
+might also be processing data at the same time, resulting in a call to
+mhi_queue_buf() which will invoke mhi_gen_tre(). If mhi_gen_tre() runs
+after mhi_unprepare_from_transfer() has torn down the channel, a panic
+will occur due to an invalid dereference leading to a page fault.
+
+This occurs because mhi_gen_tre() does not verify the channel state
+after locking it. Fix this by having mhi_gen_tre() confirm the channel
+state is valid, or return error to avoid accessing deinitialized data.
+
+Cc: stable@vger.kernel.org # 6.8
+Fixes: b89b6a863dd5 ("bus: mhi: host: Add spinlock to protect WP access when queueing TREs")
+Signed-off-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
+Signed-off-by: Jeff Hugo <jeff.hugo@oss.qualcomm.com>
+Reviewed-by: Krishna Chaitanya Chundru <krishna.chundru@oss.qualcomm.com>
+Reviewed-by: Youssef Samir <quic_yabdulra@quicinc.com>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Reviewed-by: Troy Hanson <quic_thanson@quicinc.com>
+Link: https://lore.kernel.org/r/20250306172913.856982-1-jeff.hugo@oss.qualcomm.com
+[mani: added stable tag]
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/mhi/host/main.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/drivers/bus/mhi/host/main.c
++++ b/drivers/bus/mhi/host/main.c
+@@ -1207,11 +1207,16 @@ int mhi_gen_tre(struct mhi_controller *m
+ struct mhi_ring_element *mhi_tre;
+ struct mhi_buf_info *buf_info;
+ int eot, eob, chain, bei;
+- int ret;
++ int ret = 0;
+
+ /* Protect accesses for reading and incrementing WP */
+ write_lock_bh(&mhi_chan->lock);
+
++ if (mhi_chan->ch_state != MHI_CH_STATE_ENABLED) {
++ ret = -ENODEV;
++ goto out;
++ }
++
+ buf_ring = &mhi_chan->buf_ring;
+ tre_ring = &mhi_chan->tre_ring;
+
+@@ -1229,10 +1234,8 @@ int mhi_gen_tre(struct mhi_controller *m
+
+ if (!info->pre_mapped) {
+ ret = mhi_cntrl->map_single(mhi_cntrl, buf_info);
+- if (ret) {
+- write_unlock_bh(&mhi_chan->lock);
+- return ret;
+- }
++ if (ret)
++ goto out;
+ }
+
+ eob = !!(flags & MHI_EOB);
+@@ -1250,9 +1253,10 @@ int mhi_gen_tre(struct mhi_controller *m
+ mhi_add_ring_element(mhi_cntrl, tre_ring);
+ mhi_add_ring_element(mhi_cntrl, buf_ring);
+
++out:
+ write_unlock_bh(&mhi_chan->lock);
+
+- return 0;
++ return ret;
+ }
+
+ int mhi_queue_buf(struct mhi_device *mhi_dev, enum dma_data_direction dir,
--- /dev/null
+From 96bf4b89a6ab22426ad83ef76e66c72a5a8daca0 Mon Sep 17 00:00:00 2001
+From: Alexandre Torgue <alexandre.torgue@foss.st.com>
+Date: Thu, 6 Mar 2025 11:25:01 +0100
+Subject: clocksource/drivers/stm32-lptimer: Use wakeup capable instead of init wakeup
+
+From: Alexandre Torgue <alexandre.torgue@foss.st.com>
+
+commit 96bf4b89a6ab22426ad83ef76e66c72a5a8daca0 upstream.
+
+"wakeup-source" property describes a device which has wakeup capability
+but should not force this device as a wakeup source.
+
+Fixes: 48b41c5e2de6 ("clocksource: Add Low Power STM32 timers driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexandre Torgue <alexandre.torgue@foss.st.com>
+Signed-off-by: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
+Rule: add
+Link: https://lore.kernel.org/stable/20250306083407.2374894-1-fabrice.gasnier%40foss.st.com
+Link: https://lore.kernel.org/r/20250306102501.2980153-1-fabrice.gasnier@foss.st.com
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clocksource/timer-stm32-lp.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/clocksource/timer-stm32-lp.c
++++ b/drivers/clocksource/timer-stm32-lp.c
+@@ -168,9 +168,7 @@ static int stm32_clkevent_lp_probe(struc
+ }
+
+ if (of_property_read_bool(pdev->dev.parent->of_node, "wakeup-source")) {
+- ret = device_init_wakeup(&pdev->dev, true);
+- if (ret)
+- goto out_clk_disable;
++ device_set_wakeup_capable(&pdev->dev, true);
+
+ ret = dev_pm_set_wake_irq(&pdev->dev, irq);
+ if (ret)
--- /dev/null
+From 3a544a39e0a4c492e3026dfbed018321d2bd6caa Mon Sep 17 00:00:00 2001
+From: Alain Volmat <alain.volmat@foss.st.com>
+Date: Mon, 10 Feb 2025 11:04:31 +0100
+Subject: dt-bindings: media: st,stmipid02: correct lane-polarities maxItems
+
+From: Alain Volmat <alain.volmat@foss.st.com>
+
+commit 3a544a39e0a4c492e3026dfbed018321d2bd6caa upstream.
+
+The MIPID02 can use up to 2 data lanes which leads to having a maximum
+item number of 3 for the lane-polarities since this also contains the
+clock lane.
+
+CC: stable@vger.kernel.org
+Fixes: c2741cbe7f8a ("dt-bindings: media: st,stmipid02: Convert the text bindings to YAML")
+Signed-off-by: Alain Volmat <alain.volmat@foss.st.com>
+Acked-by: Conor Dooley <conor.dooley@microchip.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/media/i2c/st,st-mipid02.yaml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/media/i2c/st,st-mipid02.yaml
++++ b/Documentation/devicetree/bindings/media/i2c/st,st-mipid02.yaml
+@@ -71,7 +71,7 @@ properties:
+ description:
+ Any lane can be inverted or not.
+ minItems: 1
+- maxItems: 2
++ maxItems: 3
+
+ required:
+ - data-lanes
--- /dev/null
+From 94824ac9a8aaf2fb3c54b4bdde842db80ffa555d Mon Sep 17 00:00:00 2001
+From: Artem Sadovnikov <a.sadovnikov@ispras.ru>
+Date: Fri, 4 Apr 2025 08:28:05 +0000
+Subject: ext4: fix off-by-one error in do_split
+
+From: Artem Sadovnikov <a.sadovnikov@ispras.ru>
+
+commit 94824ac9a8aaf2fb3c54b4bdde842db80ffa555d upstream.
+
+Syzkaller detected a use-after-free issue in ext4_insert_dentry that was
+caused by out-of-bounds access due to incorrect splitting in do_split.
+
+BUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
+Write of size 251 at addr ffff888074572f14 by task syz-executor335/5847
+
+CPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:377 [inline]
+ print_report+0x169/0x550 mm/kasan/report.c:488
+ kasan_report+0x143/0x180 mm/kasan/report.c:601
+ kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
+ __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
+ ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
+ add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154
+ make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351
+ ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455
+ ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796
+ ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431
+ vfs_symlink+0x137/0x2e0 fs/namei.c:4615
+ do_symlinkat+0x222/0x3a0 fs/namei.c:4641
+ __do_sys_symlink fs/namei.c:4662 [inline]
+ __se_sys_symlink fs/namei.c:4660 [inline]
+ __x64_sys_symlink+0x7a/0x90 fs/namei.c:4660
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ </TASK>
+
+The following loop is located right above 'if' statement.
+
+for (i = count-1; i >= 0; i--) {
+ /* is more than half of this entry in 2nd half of the block? */
+ if (size + map[i].size/2 > blocksize/2)
+ break;
+ size += map[i].size;
+ move++;
+}
+
+'i' in this case could go down to -1, in which case sum of active entries
+wouldn't exceed half the block size, but previous behaviour would also do
+split in half if sum would exceed at the very last block, which in case of
+having too many long name files in a single block could lead to
+out-of-bounds access and following use-after-free.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Cc: stable@vger.kernel.org
+Fixes: 5872331b3d91 ("ext4: fix potential negative array index in do_split()")
+Signed-off-by: Artem Sadovnikov <a.sadovnikov@ispras.ru>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://patch.msgid.link/20250404082804.2567-3-a.sadovnikov@ispras.ru
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/namei.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -1995,7 +1995,7 @@ static struct ext4_dir_entry_2 *do_split
+ * split it in half by count; each resulting block will have at least
+ * half the space free.
+ */
+- if (i > 0)
++ if (i >= 0)
+ split = count - move;
+ else
+ split = count/2;
--- /dev/null
+From 201e07aec617b10360df09090651dea9d0d4f7d3 Mon Sep 17 00:00:00 2001
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+Date: Thu, 27 Feb 2025 19:00:35 +0000
+Subject: f2fs: fix the missing write pointer correction
+
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+
+commit 201e07aec617b10360df09090651dea9d0d4f7d3 upstream.
+
+If checkpoint was disabled, we missed to fix the write pointers.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 1015035609e4 ("f2fs: fix changing cursegs if recovery fails on zoned device")
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/super.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -4749,8 +4749,10 @@ try_onemore:
+ if (err)
+ goto free_meta;
+
+- if (unlikely(is_set_ckpt_flags(sbi, CP_DISABLED_FLAG)))
++ if (unlikely(is_set_ckpt_flags(sbi, CP_DISABLED_FLAG))) {
++ skip_recovery = true;
+ goto reset_checkpoint;
++ }
+
+ /* recover fsynced data */
+ if (!test_opt(sbi, DISABLE_ROLL_FORWARD) &&
--- /dev/null
+From f098aeba04c9328571567dca45159358a250240c Mon Sep 17 00:00:00 2001
+From: Yeongjin Gil <youngjin.gil@samsung.com>
+Date: Fri, 14 Mar 2025 21:06:51 +0900
+Subject: f2fs: fix to avoid atomicity corruption of atomic file
+
+From: Yeongjin Gil <youngjin.gil@samsung.com>
+
+commit f098aeba04c9328571567dca45159358a250240c upstream.
+
+In the case of the following call stack for an atomic file,
+FI_DIRTY_INODE is set, but FI_ATOMIC_DIRTIED is not subsequently set.
+
+f2fs_file_write_iter
+ f2fs_map_blocks
+ f2fs_reserve_new_blocks
+ inc_valid_block_count
+ __mark_inode_dirty(dquot)
+ f2fs_dirty_inode
+
+If FI_ATOMIC_DIRTIED is not set, atomic file can encounter corruption
+due to a mismatch between old file size and new data.
+
+To resolve this issue, I changed to set FI_ATOMIC_DIRTIED when
+FI_DIRTY_INODE is set. This ensures that FI_DIRTY_INODE, which was
+previously cleared by the Writeback thread during the commit atomic, is
+set and i_size is updated.
+
+Cc: <stable@vger.kernel.org>
+Fixes: fccaa81de87e ("f2fs: prevent atomic file from being dirtied before commit")
+Reviewed-by: Sungjong Seo <sj1557.seo@samsung.com>
+Reviewed-by: Sunmin Jeong <s_min.jeong@samsung.com>
+Signed-off-by: Yeongjin Gil <youngjin.gil@samsung.com>
+Reviewed-by: Daeho Jeong <daehojeong@google.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/inode.c | 4 +---
+ fs/f2fs/super.c | 4 ++++
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+--- a/fs/f2fs/inode.c
++++ b/fs/f2fs/inode.c
+@@ -34,10 +34,8 @@ void f2fs_mark_inode_dirty_sync(struct i
+ if (f2fs_inode_dirtied(inode, sync))
+ return;
+
+- if (f2fs_is_atomic_file(inode)) {
+- set_inode_flag(inode, FI_ATOMIC_DIRTIED);
++ if (f2fs_is_atomic_file(inode))
+ return;
+- }
+
+ mark_inode_dirty_sync(inode);
+ }
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -1527,6 +1527,10 @@ int f2fs_inode_dirtied(struct inode *ino
+ inc_page_count(sbi, F2FS_DIRTY_IMETA);
+ }
+ spin_unlock(&sbi->inode_lock[DIRTY_META]);
++
++ if (!ret && f2fs_is_atomic_file(inode))
++ set_inode_flag(inode, FI_ATOMIC_DIRTIED);
++
+ return ret;
+ }
+
--- /dev/null
+From 81273eb87af86d4a43244b553762348e364b2df7 Mon Sep 17 00:00:00 2001
+From: Harshitha Ramamurthy <hramamurthy@google.com>
+Date: Mon, 17 Mar 2025 21:41:41 +0000
+Subject: gve: unlink old napi only if page pool exists
+
+From: Harshitha Ramamurthy <hramamurthy@google.com>
+
+commit 81273eb87af86d4a43244b553762348e364b2df7 upstream.
+
+Commit de70981f295e ("gve: unlink old napi when stopping a queue using
+queue API") unlinks the old napi when stopping a queue. But this breaks
+QPL mode of the driver which does not use page pool. Fix this by checking
+that there's a page pool associated with the ring.
+
+Cc: stable@vger.kernel.org
+Fixes: de70981f295e ("gve: unlink old napi when stopping a queue using queue API")
+Reviewed-by: Joshua Washington <joshwash@google.com>
+Signed-off-by: Harshitha Ramamurthy <hramamurthy@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250317214141.286854-1-hramamurthy@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/google/gve/gve_rx_dqo.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/google/gve/gve_rx_dqo.c
++++ b/drivers/net/ethernet/google/gve/gve_rx_dqo.c
+@@ -114,7 +114,8 @@ void gve_rx_stop_ring_dqo(struct gve_pri
+ if (!gve_rx_was_added_to_block(priv, idx))
+ return;
+
+- page_pool_disable_direct_recycling(rx->dqo.page_pool);
++ if (rx->dqo.page_pool)
++ page_pool_disable_direct_recycling(rx->dqo.page_pool);
+ gve_remove_napi(priv, ntfy_idx);
+ gve_rx_remove_from_block(priv, idx);
+ gve_rx_reset_ring_dqo(priv, idx);
--- /dev/null
+From cf960726eb65e8d0bfecbcce6cf95f47b1ffa6cc Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Mon, 7 Apr 2025 07:51:23 -0600
+Subject: io_uring/kbuf: reject zero sized provided buffers
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit cf960726eb65e8d0bfecbcce6cf95f47b1ffa6cc upstream.
+
+This isn't fixing a real issue, but there's also zero point in going
+through group and buffer setup, when the buffers are going to be
+rejected once attempted to get used.
+
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+58928048fd1416f1457c@syzkaller.appspotmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/kbuf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/io_uring/kbuf.c
++++ b/io_uring/kbuf.c
+@@ -480,6 +480,8 @@ int io_provide_buffers_prep(struct io_ki
+ p->nbufs = tmp;
+ p->addr = READ_ONCE(sqe->addr);
+ p->len = READ_ONCE(sqe->len);
++ if (!p->len)
++ return -EINVAL;
+
+ if (check_mul_overflow((unsigned long)p->len, (unsigned long)p->nbufs,
+ &size))
--- /dev/null
+From f6a89bf5278d6e15016a736db67043560d1b50d5 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Sun, 23 Feb 2025 17:22:29 +0000
+Subject: io_uring/net: fix accept multishot handling
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit f6a89bf5278d6e15016a736db67043560d1b50d5 upstream.
+
+REQ_F_APOLL_MULTISHOT doesn't guarantee it's executed from the multishot
+context, so a multishot accept may get executed inline, fail
+io_req_post_cqe(), and ask the core code to kill the request with
+-ECANCELED by returning IOU_STOP_MULTISHOT even when a socket has been
+accepted and installed.
+
+Cc: stable@vger.kernel.org
+Fixes: 390ed29b5e425 ("io_uring: add IORING_ACCEPT_MULTISHOT for accept")
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/51c6deb01feaa78b08565ca8f24843c017f5bc80.1740331076.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/net.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/io_uring/net.c
++++ b/io_uring/net.c
+@@ -1650,6 +1650,8 @@ retry:
+ }
+
+ io_req_set_res(req, ret, cflags);
++ if (!(issue_flags & IO_URING_F_MULTISHOT))
++ return IOU_OK;
+ return IOU_STOP_MULTISHOT;
+ }
+
--- /dev/null
+From 6889ae1b4df1579bcdffef023e2ea9a982565dff Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Thu, 27 Mar 2025 09:57:27 +0000
+Subject: io_uring/net: fix io_req_post_cqe abuse by send bundle
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit 6889ae1b4df1579bcdffef023e2ea9a982565dff upstream.
+
+[ 114.987980][ T5313] WARNING: CPU: 6 PID: 5313 at io_uring/io_uring.c:872 io_req_post_cqe+0x12e/0x4f0
+[ 114.991597][ T5313] RIP: 0010:io_req_post_cqe+0x12e/0x4f0
+[ 115.001880][ T5313] Call Trace:
+[ 115.002222][ T5313] <TASK>
+[ 115.007813][ T5313] io_send+0x4fe/0x10f0
+[ 115.009317][ T5313] io_issue_sqe+0x1a6/0x1740
+[ 115.012094][ T5313] io_wq_submit_work+0x38b/0xed0
+[ 115.013223][ T5313] io_worker_handle_work+0x62a/0x1600
+[ 115.013876][ T5313] io_wq_worker+0x34f/0xdf0
+
+As the comment states, io_req_post_cqe() should only be used by
+multishot requests, i.e. REQ_F_APOLL_MULTISHOT, which bundled sends are
+not. Add a flag signifying whether a request wants to post multiple
+CQEs. Eventually REQ_F_APOLL_MULTISHOT should imply the new flag, but
+that's left out for simplicity.
+
+Cc: stable@vger.kernel.org
+Fixes: a05d1f625c7aa ("io_uring/net: support bundles for send")
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/8b611dbb54d1cd47a88681f5d38c84d0c02bc563.1743067183.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/io_uring_types.h | 3 +++
+ io_uring/io_uring.c | 4 ++--
+ io_uring/net.c | 1 +
+ 3 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/include/linux/io_uring_types.h
++++ b/include/linux/io_uring_types.h
+@@ -470,6 +470,7 @@ enum {
+ REQ_F_SKIP_LINK_CQES_BIT,
+ REQ_F_SINGLE_POLL_BIT,
+ REQ_F_DOUBLE_POLL_BIT,
++ REQ_F_MULTISHOT_BIT,
+ REQ_F_APOLL_MULTISHOT_BIT,
+ REQ_F_CLEAR_POLLIN_BIT,
+ /* keep async read/write and isreg together and in order */
+@@ -546,6 +547,8 @@ enum {
+ REQ_F_SINGLE_POLL = IO_REQ_FLAG(REQ_F_SINGLE_POLL_BIT),
+ /* double poll may active */
+ REQ_F_DOUBLE_POLL = IO_REQ_FLAG(REQ_F_DOUBLE_POLL_BIT),
++ /* request posts multiple completions, should be set at prep time */
++ REQ_F_MULTISHOT = IO_REQ_FLAG(REQ_F_MULTISHOT_BIT),
+ /* fast poll multishot mode */
+ REQ_F_APOLL_MULTISHOT = IO_REQ_FLAG(REQ_F_APOLL_MULTISHOT_BIT),
+ /* recvmsg special flag, clear EPOLLIN */
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -1818,7 +1818,7 @@ fail:
+ * Don't allow any multishot execution from io-wq. It's more restrictive
+ * than necessary and also cleaner.
+ */
+- if (req->flags & REQ_F_APOLL_MULTISHOT) {
++ if (req->flags & (REQ_F_MULTISHOT|REQ_F_APOLL_MULTISHOT)) {
+ err = -EBADFD;
+ if (!io_file_can_poll(req))
+ goto fail;
+@@ -1829,7 +1829,7 @@ fail:
+ goto fail;
+ return;
+ } else {
+- req->flags &= ~REQ_F_APOLL_MULTISHOT;
++ req->flags &= ~(REQ_F_APOLL_MULTISHOT|REQ_F_MULTISHOT);
+ }
+ }
+
+--- a/io_uring/net.c
++++ b/io_uring/net.c
+@@ -429,6 +429,7 @@ int io_sendmsg_prep(struct io_kiocb *req
+ sr->msg_flags |= MSG_WAITALL;
+ sr->buf_group = req->buf_index;
+ req->buf_list = NULL;
++ req->flags |= REQ_F_MULTISHOT;
+ }
+
+ #ifdef CONFIG_COMPAT
--- /dev/null
+From 72310650788ad3d3afe3810735656dd291fea885 Mon Sep 17 00:00:00 2001
+From: Biju Das <biju.das.jz@bp.renesas.com>
+Date: Mon, 24 Feb 2025 13:11:18 +0000
+Subject: irqchip/renesas-rzv2h: Fix wrong variable usage in rzv2h_tint_set_type()
+
+From: Biju Das <biju.das.jz@bp.renesas.com>
+
+commit 72310650788ad3d3afe3810735656dd291fea885 upstream.
+
+The variable tssel_n is used for selecting TINT source and titsel_n for
+setting the interrupt type. The variable titsel_n is wrongly used for
+enabling the TINT interrupt in rzv2h_tint_set_type(). Fix this issue by
+using the correct variable tssel_n.
+
+While at it, move the tien variable assignment near to tssr.
+
+Fixes: 0d7605e75ac2 ("irqchip: Add RZ/V2H(P) Interrupt Control Unit (ICU) driver")
+Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20250224131253.134199-3-biju.das.jz@bp.renesas.com
+Closes: https://lore.kernel.org/CAMuHMdU3xJpz-jh=j7t4JreBat2of2ksP_OR3+nKAoZBr4pSxg@mail.gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-renesas-rzv2h.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/irqchip/irq-renesas-rzv2h.c
++++ b/drivers/irqchip/irq-renesas-rzv2h.c
+@@ -301,10 +301,10 @@ static int rzv2h_tint_set_type(struct ir
+
+ tssr_k = ICU_TSSR_K(tint_nr);
+ tssel_n = ICU_TSSR_TSSEL_N(tint_nr);
++ tien = ICU_TSSR_TIEN(tssel_n);
+
+ titsr_k = ICU_TITSR_K(tint_nr);
+ titsel_n = ICU_TITSR_TITSEL_N(tint_nr);
+- tien = ICU_TSSR_TIEN(titsel_n);
+
+ guard(raw_spinlock)(&priv->lock);
+
--- /dev/null
+From f2aeb7bbd5745fbcf7f0769e29a184e24924b9a9 Mon Sep 17 00:00:00 2001
+From: Akihiko Odaki <akihiko.odaki@daynix.com>
+Date: Sat, 15 Mar 2025 18:12:10 +0900
+Subject: KVM: arm64: PMU: Set raw values from user to PM{C,I}NTEN{SET,CLR}, PMOVS{SET,CLR}
+
+From: Akihiko Odaki <akihiko.odaki@daynix.com>
+
+commit f2aeb7bbd5745fbcf7f0769e29a184e24924b9a9 upstream.
+
+Commit a45f41d754e0 ("KVM: arm64: Add {get,set}_user for
+PM{C,I}NTEN{SET,CLR}, PMOVS{SET,CLR}") changed KVM_SET_ONE_REG to update
+the mentioned registers in a way matching with the behavior of guest
+register writes. This is a breaking change of a UAPI though the new
+semantics looks cleaner and VMMs are not prepared for this.
+
+Firecracker, QEMU, and crosvm perform migration by listing registers
+with KVM_GET_REG_LIST, getting their values with KVM_GET_ONE_REG and
+setting them with KVM_SET_ONE_REG. This algorithm assumes
+KVM_SET_ONE_REG restores the values retrieved with KVM_GET_ONE_REG
+without any alteration. However, bit operations added by the earlier
+commit do not preserve the values retried with KVM_GET_ONE_REG and
+potentially break migration.
+
+Remove the bit operations that alter the values retrieved with
+KVM_GET_ONE_REG.
+
+Cc: stable@vger.kernel.org
+Fixes: a45f41d754e0 ("KVM: arm64: Add {get,set}_user for PM{C,I}NTEN{SET,CLR}, PMOVS{SET,CLR}")
+Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
+Acked-by: Marc Zyngier <maz@kernel.org>
+Reviewed-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20250315-pmc-v5-1-ecee87dab216@daynix.com
+Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kvm/sys_regs.c | 21 ++-------------------
+ 1 file changed, 2 insertions(+), 19 deletions(-)
+
+--- a/arch/arm64/kvm/sys_regs.c
++++ b/arch/arm64/kvm/sys_regs.c
+@@ -1051,26 +1051,9 @@ static bool access_pmu_evtyper(struct kv
+
+ static int set_pmreg(struct kvm_vcpu *vcpu, const struct sys_reg_desc *r, u64 val)
+ {
+- bool set;
+-
+- val &= kvm_pmu_accessible_counter_mask(vcpu);
+-
+- switch (r->reg) {
+- case PMOVSSET_EL0:
+- /* CRm[1] being set indicates a SET register, and CLR otherwise */
+- set = r->CRm & 2;
+- break;
+- default:
+- /* Op2[0] being set indicates a SET register, and CLR otherwise */
+- set = r->Op2 & 1;
+- break;
+- }
+-
+- if (set)
+- __vcpu_sys_reg(vcpu, r->reg) |= val;
+- else
+- __vcpu_sys_reg(vcpu, r->reg) &= ~val;
++ u64 mask = kvm_pmu_accessible_counter_mask(vcpu);
+
++ __vcpu_sys_reg(vcpu, r->reg) = val & mask;
+ return 0;
+ }
+
--- /dev/null
+From 4cd48565b0e5df398e7253c0d2d8c0403d69e7bf Mon Sep 17 00:00:00 2001
+From: Oliver Upton <oliver.upton@linux.dev>
+Date: Mon, 24 Feb 2025 16:53:57 -0800
+Subject: KVM: arm64: Set HCR_EL2.TID1 unconditionally
+
+From: Oliver Upton <oliver.upton@linux.dev>
+
+commit 4cd48565b0e5df398e7253c0d2d8c0403d69e7bf upstream.
+
+commit 90807748ca3a ("KVM: arm64: Hide SME system registers from
+guests") added trap handling for SMIDR_EL1, treating it as UNDEFINED as
+KVM does not support SME. This is right for the most part, however KVM
+needs to set HCR_EL2.TID1 to _actually_ trap the register.
+
+Unfortunately, this comes with some collateral damage as TID1 forces
+REVIDR_EL1 and AIDR_EL1 to trap as well. KVM has long treated these
+registers as "invariant" which is an awful term for the following:
+
+ - Userspace sees the boot CPU values on all vCPUs
+
+ - The guest sees the hardware values of the CPU on which a vCPU is
+ scheduled
+
+Keep the plates spinning by adding trap handling for the affected
+registers and repaint all of the "invariant" crud into terms of
+identifying an implementation. Yes, at this point we only need to
+set TID1 on SME hardware, but REVIDR_EL1 and AIDR_EL1 are about to
+become mutable anyway.
+
+Cc: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Fixes: 90807748ca3a ("KVM: arm64: Hide SME system registers from guests")
+[maz: handle traps from 32bit]
+Co-developed-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20250225005401.679536-2-oliver.upton@linux.dev
+Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/kvm_arm.h | 4
+ arch/arm64/kvm/sys_regs.c | 183 ++++++++++++++++++++-------------------
+ 2 files changed, 100 insertions(+), 87 deletions(-)
+
+--- a/arch/arm64/include/asm/kvm_arm.h
++++ b/arch/arm64/include/asm/kvm_arm.h
+@@ -92,12 +92,12 @@
+ * SWIO: Turn set/way invalidates into set/way clean+invalidate
+ * PTW: Take a stage2 fault if a stage1 walk steps in device memory
+ * TID3: Trap EL1 reads of group 3 ID registers
+- * TID2: Trap CTR_EL0, CCSIDR2_EL1, CLIDR_EL1, and CSSELR_EL1
++ * TID1: Trap REVIDR_EL1, AIDR_EL1, and SMIDR_EL1
+ */
+ #define HCR_GUEST_FLAGS (HCR_TSC | HCR_TSW | HCR_TWE | HCR_TWI | HCR_VM | \
+ HCR_BSU_IS | HCR_FB | HCR_TACR | \
+ HCR_AMO | HCR_SWIO | HCR_TIDCP | HCR_RW | HCR_TLOR | \
+- HCR_FMO | HCR_IMO | HCR_PTW | HCR_TID3)
++ HCR_FMO | HCR_IMO | HCR_PTW | HCR_TID3 | HCR_TID1)
+ #define HCR_HOST_NVHE_FLAGS (HCR_RW | HCR_API | HCR_APK | HCR_ATA)
+ #define HCR_HOST_NVHE_PROTECTED_FLAGS (HCR_HOST_NVHE_FLAGS | HCR_TSC)
+ #define HCR_HOST_VHE_FLAGS (HCR_RW | HCR_TGE | HCR_E2H)
+--- a/arch/arm64/kvm/sys_regs.c
++++ b/arch/arm64/kvm/sys_regs.c
+@@ -2476,6 +2476,93 @@ static bool access_mdcr(struct kvm_vcpu
+ return true;
+ }
+
++/*
++ * For historical (ahem ABI) reasons, KVM treated MIDR_EL1, REVIDR_EL1, and
++ * AIDR_EL1 as "invariant" registers, meaning userspace cannot change them.
++ * The values made visible to userspace were the register values of the boot
++ * CPU.
++ *
++ * At the same time, reads from these registers at EL1 previously were not
++ * trapped, allowing the guest to read the actual hardware value. On big-little
++ * machines, this means the VM can see different values depending on where a
++ * given vCPU got scheduled.
++ *
++ * These registers are now trapped as collateral damage from SME, and what
++ * follows attempts to give a user / guest view consistent with the existing
++ * ABI.
++ */
++static bool access_imp_id_reg(struct kvm_vcpu *vcpu,
++ struct sys_reg_params *p,
++ const struct sys_reg_desc *r)
++{
++ if (p->is_write)
++ return write_to_read_only(vcpu, p, r);
++
++ switch (reg_to_encoding(r)) {
++ case SYS_REVIDR_EL1:
++ p->regval = read_sysreg(revidr_el1);
++ break;
++ case SYS_AIDR_EL1:
++ p->regval = read_sysreg(aidr_el1);
++ break;
++ default:
++ WARN_ON_ONCE(1);
++ }
++
++ return true;
++}
++
++static u64 __ro_after_init boot_cpu_midr_val;
++static u64 __ro_after_init boot_cpu_revidr_val;
++static u64 __ro_after_init boot_cpu_aidr_val;
++
++static void init_imp_id_regs(void)
++{
++ boot_cpu_midr_val = read_sysreg(midr_el1);
++ boot_cpu_revidr_val = read_sysreg(revidr_el1);
++ boot_cpu_aidr_val = read_sysreg(aidr_el1);
++}
++
++static int get_imp_id_reg(struct kvm_vcpu *vcpu, const struct sys_reg_desc *r,
++ u64 *val)
++{
++ switch (reg_to_encoding(r)) {
++ case SYS_MIDR_EL1:
++ *val = boot_cpu_midr_val;
++ break;
++ case SYS_REVIDR_EL1:
++ *val = boot_cpu_revidr_val;
++ break;
++ case SYS_AIDR_EL1:
++ *val = boot_cpu_aidr_val;
++ break;
++ default:
++ WARN_ON_ONCE(1);
++ return -EINVAL;
++ }
++
++ return 0;
++}
++
++static int set_imp_id_reg(struct kvm_vcpu *vcpu, const struct sys_reg_desc *r,
++ u64 val)
++{
++ u64 expected;
++ int ret;
++
++ ret = get_imp_id_reg(vcpu, r, &expected);
++ if (ret)
++ return ret;
++
++ return (expected == val) ? 0 : -EINVAL;
++}
++
++#define IMPLEMENTATION_ID(reg) { \
++ SYS_DESC(SYS_##reg), \
++ .access = access_imp_id_reg, \
++ .get_user = get_imp_id_reg, \
++ .set_user = set_imp_id_reg, \
++}
+
+ /*
+ * Architected system registers.
+@@ -2525,7 +2612,9 @@ static const struct sys_reg_desc sys_reg
+
+ { SYS_DESC(SYS_DBGVCR32_EL2), undef_access, reset_val, DBGVCR32_EL2, 0 },
+
++ IMPLEMENTATION_ID(MIDR_EL1),
+ { SYS_DESC(SYS_MPIDR_EL1), NULL, reset_mpidr, MPIDR_EL1 },
++ IMPLEMENTATION_ID(REVIDR_EL1),
+
+ /*
+ * ID regs: all ID_SANITISED() entries here must have corresponding
+@@ -2797,6 +2886,7 @@ static const struct sys_reg_desc sys_reg
+ .set_user = set_clidr, .val = ~CLIDR_EL1_RES0 },
+ { SYS_DESC(SYS_CCSIDR2_EL1), undef_access },
+ { SYS_DESC(SYS_SMIDR_EL1), undef_access },
++ IMPLEMENTATION_ID(AIDR_EL1),
+ { SYS_DESC(SYS_CSSELR_EL1), access_csselr, reset_unknown, CSSELR_EL1 },
+ ID_FILTERED(CTR_EL0, ctr_el0,
+ CTR_EL0_DIC_MASK |
+@@ -4255,9 +4345,13 @@ int kvm_handle_cp15_32(struct kvm_vcpu *
+ * Certain AArch32 ID registers are handled by rerouting to the AArch64
+ * system register table. Registers in the ID range where CRm=0 are
+ * excluded from this scheme as they do not trivially map into AArch64
+- * system register encodings.
++ * system register encodings, except for AIDR/REVIDR.
+ */
+- if (params.Op1 == 0 && params.CRn == 0 && params.CRm)
++ if (params.Op1 == 0 && params.CRn == 0 &&
++ (params.CRm || params.Op2 == 6 /* REVIDR */))
++ return kvm_emulate_cp15_id_reg(vcpu, ¶ms);
++ if (params.Op1 == 1 && params.CRn == 0 &&
++ params.CRm == 0 && params.Op2 == 7 /* AIDR */)
+ return kvm_emulate_cp15_id_reg(vcpu, ¶ms);
+
+ return kvm_handle_cp_32(vcpu, ¶ms, cp15_regs, ARRAY_SIZE(cp15_regs));
+@@ -4561,65 +4655,6 @@ id_to_sys_reg_desc(struct kvm_vcpu *vcpu
+ return r;
+ }
+
+-/*
+- * These are the invariant sys_reg registers: we let the guest see the
+- * host versions of these, so they're part of the guest state.
+- *
+- * A future CPU may provide a mechanism to present different values to
+- * the guest, or a future kvm may trap them.
+- */
+-
+-#define FUNCTION_INVARIANT(reg) \
+- static u64 reset_##reg(struct kvm_vcpu *v, \
+- const struct sys_reg_desc *r) \
+- { \
+- ((struct sys_reg_desc *)r)->val = read_sysreg(reg); \
+- return ((struct sys_reg_desc *)r)->val; \
+- }
+-
+-FUNCTION_INVARIANT(midr_el1)
+-FUNCTION_INVARIANT(revidr_el1)
+-FUNCTION_INVARIANT(aidr_el1)
+-
+-/* ->val is filled in by kvm_sys_reg_table_init() */
+-static struct sys_reg_desc invariant_sys_regs[] __ro_after_init = {
+- { SYS_DESC(SYS_MIDR_EL1), NULL, reset_midr_el1 },
+- { SYS_DESC(SYS_REVIDR_EL1), NULL, reset_revidr_el1 },
+- { SYS_DESC(SYS_AIDR_EL1), NULL, reset_aidr_el1 },
+-};
+-
+-static int get_invariant_sys_reg(u64 id, u64 __user *uaddr)
+-{
+- const struct sys_reg_desc *r;
+-
+- r = get_reg_by_id(id, invariant_sys_regs,
+- ARRAY_SIZE(invariant_sys_regs));
+- if (!r)
+- return -ENOENT;
+-
+- return put_user(r->val, uaddr);
+-}
+-
+-static int set_invariant_sys_reg(u64 id, u64 __user *uaddr)
+-{
+- const struct sys_reg_desc *r;
+- u64 val;
+-
+- r = get_reg_by_id(id, invariant_sys_regs,
+- ARRAY_SIZE(invariant_sys_regs));
+- if (!r)
+- return -ENOENT;
+-
+- if (get_user(val, uaddr))
+- return -EFAULT;
+-
+- /* This is what we mean by invariant: you can't change it. */
+- if (r->val != val)
+- return -EINVAL;
+-
+- return 0;
+-}
+-
+ static int demux_c15_get(struct kvm_vcpu *vcpu, u64 id, void __user *uaddr)
+ {
+ u32 val;
+@@ -4701,15 +4736,10 @@ int kvm_sys_reg_get_user(struct kvm_vcpu
+ int kvm_arm_sys_reg_get_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg)
+ {
+ void __user *uaddr = (void __user *)(unsigned long)reg->addr;
+- int err;
+
+ if ((reg->id & KVM_REG_ARM_COPROC_MASK) == KVM_REG_ARM_DEMUX)
+ return demux_c15_get(vcpu, reg->id, uaddr);
+
+- err = get_invariant_sys_reg(reg->id, uaddr);
+- if (err != -ENOENT)
+- return err;
+-
+ return kvm_sys_reg_get_user(vcpu, reg,
+ sys_reg_descs, ARRAY_SIZE(sys_reg_descs));
+ }
+@@ -4745,15 +4775,10 @@ int kvm_sys_reg_set_user(struct kvm_vcpu
+ int kvm_arm_sys_reg_set_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg)
+ {
+ void __user *uaddr = (void __user *)(unsigned long)reg->addr;
+- int err;
+
+ if ((reg->id & KVM_REG_ARM_COPROC_MASK) == KVM_REG_ARM_DEMUX)
+ return demux_c15_set(vcpu, reg->id, uaddr);
+
+- err = set_invariant_sys_reg(reg->id, uaddr);
+- if (err != -ENOENT)
+- return err;
+-
+ return kvm_sys_reg_set_user(vcpu, reg,
+ sys_reg_descs, ARRAY_SIZE(sys_reg_descs));
+ }
+@@ -4842,23 +4867,14 @@ static int walk_sys_regs(struct kvm_vcpu
+
+ unsigned long kvm_arm_num_sys_reg_descs(struct kvm_vcpu *vcpu)
+ {
+- return ARRAY_SIZE(invariant_sys_regs)
+- + num_demux_regs()
++ return num_demux_regs()
+ + walk_sys_regs(vcpu, (u64 __user *)NULL);
+ }
+
+ int kvm_arm_copy_sys_reg_indices(struct kvm_vcpu *vcpu, u64 __user *uindices)
+ {
+- unsigned int i;
+ int err;
+
+- /* Then give them all the invariant registers' indices. */
+- for (i = 0; i < ARRAY_SIZE(invariant_sys_regs); i++) {
+- if (put_user(sys_reg_to_index(&invariant_sys_regs[i]), uindices))
+- return -EFAULT;
+- uindices++;
+- }
+-
+ err = walk_sys_regs(vcpu, uindices);
+ if (err < 0)
+ return err;
+@@ -5084,15 +5100,12 @@ int __init kvm_sys_reg_table_init(void)
+ valid &= check_sysreg_table(cp14_64_regs, ARRAY_SIZE(cp14_64_regs), true);
+ valid &= check_sysreg_table(cp15_regs, ARRAY_SIZE(cp15_regs), true);
+ valid &= check_sysreg_table(cp15_64_regs, ARRAY_SIZE(cp15_64_regs), true);
+- valid &= check_sysreg_table(invariant_sys_regs, ARRAY_SIZE(invariant_sys_regs), false);
+ valid &= check_sysreg_table(sys_insn_descs, ARRAY_SIZE(sys_insn_descs), false);
+
+ if (!valid)
+ return -EINVAL;
+
+- /* We abuse the reset function to overwrite the table itself. */
+- for (i = 0; i < ARRAY_SIZE(invariant_sys_regs); i++)
+- invariant_sys_regs[i].reset(NULL, &invariant_sys_regs[i]);
++ init_imp_id_regs();
+
+ ret = populate_nv_trap_config();
+
--- /dev/null
+From 250f25367b58d8c65a1b060a2dda037eea09a672 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Fri, 14 Mar 2025 13:34:09 +0000
+Subject: KVM: arm64: Tear down vGIC on failed vCPU creation
+
+From: Will Deacon <will@kernel.org>
+
+commit 250f25367b58d8c65a1b060a2dda037eea09a672 upstream.
+
+If kvm_arch_vcpu_create() fails to share the vCPU page with the
+hypervisor, we propagate the error back to the ioctl but leave the
+vGIC vCPU data initialised. Note only does this leak the corresponding
+memory when the vCPU is destroyed but it can also lead to use-after-free
+if the redistributor device handling tries to walk into the vCPU.
+
+Add the missing cleanup to kvm_arch_vcpu_create(), ensuring that the
+vGIC vCPU structures are destroyed on error.
+
+Cc: <stable@vger.kernel.org>
+Cc: Marc Zyngier <maz@kernel.org>
+Cc: Oliver Upton <oliver.upton@linux.dev>
+Cc: Quentin Perret <qperret@google.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Reviewed-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20250314133409.9123-1-will@kernel.org
+Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kvm/arm.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/kvm/arm.c
++++ b/arch/arm64/kvm/arm.c
+@@ -466,7 +466,11 @@ int kvm_arch_vcpu_create(struct kvm_vcpu
+ if (err)
+ return err;
+
+- return kvm_share_hyp(vcpu, vcpu + 1);
++ err = kvm_share_hyp(vcpu, vcpu + 1);
++ if (err)
++ kvm_vgic_vcpu_destroy(vcpu);
++
++ return err;
+ }
+
+ void kvm_arch_vcpu_postcreate(struct kvm_vcpu *vcpu)
--- /dev/null
+From ac35f768986610480a1c01323d9cf9f5eaf3ee9b Mon Sep 17 00:00:00 2001
+From: "Jackson.lee" <jackson.lee@chipsnmedia.com>
+Date: Tue, 17 Dec 2024 13:51:23 +0900
+Subject: media: chips-media: wave5: Avoid race condition in the interrupt handler
+
+From: Jackson.lee <jackson.lee@chipsnmedia.com>
+
+commit ac35f768986610480a1c01323d9cf9f5eaf3ee9b upstream.
+
+In case of multiple active instances, new interrupts can occur as soon
+as the current interrupt is cleared. If the driver reads the
+instance_info after clearing the interrupt, then there is no guarantee,
+that the instance_info is still valid for the current interrupt.
+
+Read the instance_info register for each interrupt before clearing the
+interrupt.
+
+Fixes: ed7276ed2fd0 ("media: chips-media: wave5: Add hrtimer based polling support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jackson.lee <jackson.lee@chipsnmedia.com>
+Signed-off-by: Nas Chung <nas.chung@chipsnmedia.com>
+Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/chips-media/wave5/wave5-vpu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/platform/chips-media/wave5/wave5-vpu.c
++++ b/drivers/media/platform/chips-media/wave5/wave5-vpu.c
+@@ -55,12 +55,12 @@ static void wave5_vpu_handle_irq(void *d
+ struct vpu_device *dev = dev_id;
+
+ irq_reason = wave5_vdi_read_register(dev, W5_VPU_VINT_REASON);
++ seq_done = wave5_vdi_read_register(dev, W5_RET_SEQ_DONE_INSTANCE_INFO);
++ cmd_done = wave5_vdi_read_register(dev, W5_RET_QUEUE_CMD_DONE_INST);
+ wave5_vdi_write_register(dev, W5_VPU_VINT_REASON_CLR, irq_reason);
+ wave5_vdi_write_register(dev, W5_VPU_VINT_CLEAR, 0x1);
+
+ list_for_each_entry(inst, &dev->instances, list) {
+- seq_done = wave5_vdi_read_register(dev, W5_RET_SEQ_DONE_INSTANCE_INFO);
+- cmd_done = wave5_vdi_read_register(dev, W5_RET_QUEUE_CMD_DONE_INST);
+
+ if (irq_reason & BIT(INT_WAVE5_INIT_SEQ) ||
+ irq_reason & BIT(INT_WAVE5_ENC_SET_PARAM)) {
--- /dev/null
+From a2c75e964e51b096e9fe6adfa3eaed53594a668b Mon Sep 17 00:00:00 2001
+From: "Jackson.lee" <jackson.lee@chipsnmedia.com>
+Date: Tue, 17 Dec 2024 13:51:24 +0900
+Subject: media: chips-media: wave5: Fix a hang after seeking
+
+From: Jackson.lee <jackson.lee@chipsnmedia.com>
+
+commit a2c75e964e51b096e9fe6adfa3eaed53594a668b upstream.
+
+While seeking, the driver calls the flush command. Before the flush
+command is sent to the VPU, the driver should handle the display buffer
+flags and should get all decoded information from the VPU if the VCORE
+is running.
+
+Fixes: 9707a6254a8a ("media: chips-media: wave5: Add the v4l2 layer")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jackson.lee <jackson.lee@chipsnmedia.com>
+Signed-off-by: Nas Chung <nas.chung@chipsnmedia.com>
+Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c | 17 ++++++++++++++-
+ drivers/media/platform/chips-media/wave5/wave5-vpuapi.c | 10 ++++++++
+ 2 files changed, 26 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c
++++ b/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c
+@@ -1369,6 +1369,16 @@ static int streamoff_output(struct vb2_q
+ struct vb2_v4l2_buffer *buf;
+ int ret;
+ dma_addr_t new_rd_ptr;
++ struct dec_output_info dec_info;
++ unsigned int i;
++
++ for (i = 0; i < v4l2_m2m_num_dst_bufs_ready(m2m_ctx); i++) {
++ ret = wave5_vpu_dec_set_disp_flag(inst, i);
++ if (ret)
++ dev_dbg(inst->dev->dev,
++ "%s: Setting display flag of buf index: %u, fail: %d\n",
++ __func__, i, ret);
++ }
+
+ while ((buf = v4l2_m2m_src_buf_remove(m2m_ctx))) {
+ dev_dbg(inst->dev->dev, "%s: (Multiplanar) buf type %4u | index %4u\n",
+@@ -1376,6 +1386,11 @@ static int streamoff_output(struct vb2_q
+ v4l2_m2m_buf_done(buf, VB2_BUF_STATE_ERROR);
+ }
+
++ while (wave5_vpu_dec_get_output_info(inst, &dec_info) == 0) {
++ if (dec_info.index_frame_display >= 0)
++ wave5_vpu_dec_set_disp_flag(inst, dec_info.index_frame_display);
++ }
++
+ ret = wave5_vpu_flush_instance(inst);
+ if (ret)
+ return ret;
+@@ -1459,7 +1474,7 @@ static void wave5_vpu_dec_stop_streaming
+ break;
+
+ if (wave5_vpu_dec_get_output_info(inst, &dec_output_info))
+- dev_dbg(inst->dev->dev, "Getting decoding results from fw, fail\n");
++ dev_dbg(inst->dev->dev, "there is no output info\n");
+ }
+
+ v4l2_m2m_update_stop_streaming_state(m2m_ctx, q);
+--- a/drivers/media/platform/chips-media/wave5/wave5-vpuapi.c
++++ b/drivers/media/platform/chips-media/wave5/wave5-vpuapi.c
+@@ -75,6 +75,16 @@ int wave5_vpu_flush_instance(struct vpu_
+ inst->type == VPU_INST_TYPE_DEC ? "DECODER" : "ENCODER", inst->id);
+ mutex_unlock(&inst->dev->hw_lock);
+ return -ETIMEDOUT;
++ } else if (ret == -EBUSY) {
++ struct dec_output_info dec_info;
++
++ mutex_unlock(&inst->dev->hw_lock);
++ wave5_vpu_dec_get_output_info(inst, &dec_info);
++ ret = mutex_lock_interruptible(&inst->dev->hw_lock);
++ if (ret)
++ return ret;
++ if (dec_info.index_frame_display > 0)
++ wave5_vpu_dec_set_disp_flag(inst, dec_info.index_frame_display);
+ }
+ } while (ret != 0);
+ mutex_unlock(&inst->dev->hw_lock);
--- /dev/null
+From 6bae4d5053da634eecb611118e7cd91a677a4bbf Mon Sep 17 00:00:00 2001
+From: "Jackson.lee" <jackson.lee@chipsnmedia.com>
+Date: Tue, 17 Dec 2024 13:51:22 +0900
+Subject: media: chips-media: wave5: Fix gray color on screen
+
+From: Jackson.lee <jackson.lee@chipsnmedia.com>
+
+commit 6bae4d5053da634eecb611118e7cd91a677a4bbf upstream.
+
+When a decoder instance is created, the W5_CMD_ERR_CONCEAL register
+should be initialized to 0. Otherwise, gray color is occasionally
+displayed on the screen while decoding.
+
+Fixes: 45d1a2b93277 ("media: chips-media: wave5: Add vpuapi layer")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jackson.lee <jackson.lee@chipsnmedia.com>
+Signed-off-by: Nas Chung <nas.chung@chipsnmedia.com>
+Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/chips-media/wave5/wave5-hw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/platform/chips-media/wave5/wave5-hw.c
++++ b/drivers/media/platform/chips-media/wave5/wave5-hw.c
+@@ -585,7 +585,7 @@ int wave5_vpu_build_up_dec_param(struct
+ vpu_write_reg(inst->dev, W5_CMD_NUM_CQ_DEPTH_M1,
+ WAVE521_COMMAND_QUEUE_DEPTH - 1);
+ }
+-
++ vpu_write_reg(inst->dev, W5_CMD_ERR_CONCEAL, 0);
+ ret = send_firmware_command(inst, W5_CREATE_INSTANCE, true, NULL, NULL);
+ if (ret) {
+ wave5_vdi_free_dma_memory(vpu_dev, &p_dec_info->vb_work);
--- /dev/null
+From 035371c9e5098018b8512efc6a8812912469480c Mon Sep 17 00:00:00 2001
+From: "Jackson.lee" <jackson.lee@chipsnmedia.com>
+Date: Tue, 17 Dec 2024 13:51:25 +0900
+Subject: media: chips-media: wave5: Fix timeout while testing 10bit hevc fluster
+
+From: Jackson.lee <jackson.lee@chipsnmedia.com>
+
+commit 035371c9e5098018b8512efc6a8812912469480c upstream.
+
+The Wave5 521C variant does not support 10 bit decoding. When 10 bit
+decoding support was added for the 515 variant, a section of the code
+was removed which returned an error. This removal causes a timeout for
+the 521 variant, which was discovered during HEVC 10-bit decoding tests.
+
+Fixes: 143e7ab4d9a0 ("media: chips-media: wave5: support decoding HEVC Main10 profile")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jackson.lee <jackson.lee@chipsnmedia.com>
+Signed-off-by: Nas Chung <nas.chung@chipsnmedia.com>
+Reviewed-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c
++++ b/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c
+@@ -1345,10 +1345,24 @@ static int wave5_vpu_dec_start_streaming
+ if (ret)
+ goto free_bitstream_vbuf;
+ } else if (q->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE) {
++ struct dec_initial_info *initial_info =
++ &inst->codec_info->dec_info.initial_info;
++
+ if (inst->state == VPU_INST_STATE_STOP)
+ ret = switch_state(inst, VPU_INST_STATE_INIT_SEQ);
+ if (ret)
+ goto return_buffers;
++
++ if (inst->state == VPU_INST_STATE_INIT_SEQ &&
++ inst->dev->product_code == WAVE521C_CODE) {
++ if (initial_info->luma_bitdepth != 8) {
++ dev_info(inst->dev->dev, "%s: no support for %d bit depth",
++ __func__, initial_info->luma_bitdepth);
++ ret = -EINVAL;
++ goto return_buffers;
++ }
++ }
++
+ }
+ pm_runtime_mark_last_busy(inst->dev->dev);
+ pm_runtime_put_autosuspend(inst->dev->dev);
--- /dev/null
+From ed554da65abd0c561e40d35272d1a61d030fe977 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Thu, 19 Dec 2024 20:27:30 +0100
+Subject: media: hi556: Fix memory leak (on error) in hi556_check_hwcfg()
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit ed554da65abd0c561e40d35272d1a61d030fe977 upstream.
+
+Commit 7d968b5badfc ("media: hi556: Return -EPROBE_DEFER if no endpoint is
+found") moved the v4l2_fwnode_endpoint_alloc_parse() call in
+hi556_check_hwcfg() up, but it did not make the error-exit paths between
+the old and new call-site use "goto check_hwcfg_error;" to free the bus_cfg
+on errors.
+
+Add the missing "goto check_hwcfg_error;" statements to fix a memleak on
+early error-exits from hi556_check_hwcfg().
+
+Fixes: 7d968b5badfc ("media: hi556: Return -EPROBE_DEFER if no endpoint is found")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/hi556.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/i2c/hi556.c
++++ b/drivers/media/i2c/hi556.c
+@@ -1230,12 +1230,13 @@ static int hi556_check_hwcfg(struct devi
+ ret = fwnode_property_read_u32(fwnode, "clock-frequency", &mclk);
+ if (ret) {
+ dev_err(dev, "can't get clock frequency");
+- return ret;
++ goto check_hwcfg_error;
+ }
+
+ if (mclk != HI556_MCLK) {
+ dev_err(dev, "external clock %d is not supported", mclk);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto check_hwcfg_error;
+ }
+
+ if (bus_cfg.bus.mipi_csi2.num_data_lanes != 2) {
--- /dev/null
+From 9e38acacb9d809b97a0bdc5c76e725355a47158a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niklas=20S=C3=B6derlund?=
+ <niklas.soderlund+renesas@ragnatech.se>
+Date: Tue, 21 Jan 2025 21:44:00 +0100
+Subject: media: i2c: adv748x: Fix test pattern selection mask
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+
+commit 9e38acacb9d809b97a0bdc5c76e725355a47158a upstream.
+
+The mask to select the test-pattern in register ADV748X_SDP_FRP is
+incorrect, it's the lower 3 bits which controls the pattern. The
+GENMASK() macro is used incorrectly and the generated mask is 0x0e
+instead of 0x07.
+
+The result is that not all test patterns are selectable, and that in
+some cases the wrong test pattern is activated. Fix this by correcting
+the GENMASK().
+
+Fixes: 3e89586a64df ("media: i2c: adv748x: add adv748x driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Reviewed-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+[hverkuil: fixed tiny typo in commit log: my -> by]
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/adv748x/adv748x.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/i2c/adv748x/adv748x.h
++++ b/drivers/media/i2c/adv748x/adv748x.h
+@@ -320,7 +320,7 @@ struct adv748x_state {
+
+ /* Free run pattern select */
+ #define ADV748X_SDP_FRP 0x14
+-#define ADV748X_SDP_FRP_MASK GENMASK(3, 1)
++#define ADV748X_SDP_FRP_MASK GENMASK(2, 0)
+
+ /* Saturation */
+ #define ADV748X_SDP_SD_SAT_U 0xe3 /* user_map_rw_reg_e3 */
--- /dev/null
+From 80704d14f1bd3628f578510e0a88b66824990ef6 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Fri, 10 Jan 2025 15:54:22 +0200
+Subject: media: i2c: ccs: Set the device's runtime PM status correctly in probe
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit 80704d14f1bd3628f578510e0a88b66824990ef6 upstream.
+
+Set the device's runtime PM status to suspended in probe error paths where
+it was previously set to active.
+
+Fixes: 9447082ae666 ("[media] smiapp: Implement power-on and power-off sequences without runtime PM")
+Cc: stable@vger.kernel.org # for >= v5.15
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ccs/ccs-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/media/i2c/ccs/ccs-core.c
++++ b/drivers/media/i2c/ccs/ccs-core.c
+@@ -3566,6 +3566,7 @@ static int ccs_probe(struct i2c_client *
+ out_disable_runtime_pm:
+ pm_runtime_put_noidle(&client->dev);
+ pm_runtime_disable(&client->dev);
++ pm_runtime_set_suspended(&client->dev);
+
+ out_cleanup:
+ ccs_cleanup(sensor);
--- /dev/null
+From e04604583095faf455b3490b004254a225fd60d4 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Fri, 10 Jan 2025 14:50:27 +0200
+Subject: media: i2c: ccs: Set the device's runtime PM status correctly in remove
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit e04604583095faf455b3490b004254a225fd60d4 upstream.
+
+Set the device's runtime PM status to suspended in device removal only if
+it wasn't suspended already.
+
+Fixes: 9447082ae666 ("[media] smiapp: Implement power-on and power-off sequences without runtime PM")
+Cc: stable@vger.kernel.org # for >= v5.15
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ccs/ccs-core.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/i2c/ccs/ccs-core.c
++++ b/drivers/media/i2c/ccs/ccs-core.c
+@@ -3595,9 +3595,10 @@ static void ccs_remove(struct i2c_client
+ v4l2_async_unregister_subdev(subdev);
+
+ pm_runtime_disable(&client->dev);
+- if (!pm_runtime_status_suspended(&client->dev))
++ if (!pm_runtime_status_suspended(&client->dev)) {
+ ccs_power_off(&client->dev);
+- pm_runtime_set_suspended(&client->dev);
++ pm_runtime_set_suspended(&client->dev);
++ }
+
+ for (i = 0; i < sensor->ssds_used; i++)
+ v4l2_device_unregister_subdev(&sensor->ssds[i].sd);
--- /dev/null
+From ccc888d1698b6f42d52ddf5cecfe50fe925c95e5 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Fri, 10 Jan 2025 14:36:01 +0200
+Subject: media: i2c: imx214: Rectify probe error handling related to runtime PM
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit ccc888d1698b6f42d52ddf5cecfe50fe925c95e5 upstream.
+
+There were multiple issues in the driver's probe function related to
+error handling:
+
+- Device's PM runtime status wasn't reverted to suspended on some errors
+ in probe.
+
+- Runtime PM was left enabled for the device on some probe errors.
+
+- Device was left powered on if a probe failure happened or when it
+ was removed when it was powered on.
+
+- An extra pm_runtime_set_suspended() was issued in driver's remove
+ function when the device was suspended.
+
+Fix these bugs.
+
+Fixes: 436190596241 ("media: imx214: Add imx214 camera sensor driver")
+Cc: stable@vger.kernel.org # for >= v6.12
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Acked-by: André Apitzsch <git@apitzsch.eu>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/imx214.c | 24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+--- a/drivers/media/i2c/imx214.c
++++ b/drivers/media/i2c/imx214.c
+@@ -1075,10 +1075,6 @@ static int imx214_probe(struct i2c_clien
+ */
+ imx214_power_on(imx214->dev);
+
+- pm_runtime_set_active(imx214->dev);
+- pm_runtime_enable(imx214->dev);
+- pm_runtime_idle(imx214->dev);
+-
+ ret = imx214_ctrls_init(imx214);
+ if (ret < 0)
+ goto error_power_off;
+@@ -1099,21 +1095,30 @@ static int imx214_probe(struct i2c_clien
+
+ imx214_entity_init_state(&imx214->sd, NULL);
+
++ pm_runtime_set_active(imx214->dev);
++ pm_runtime_enable(imx214->dev);
++
+ ret = v4l2_async_register_subdev_sensor(&imx214->sd);
+ if (ret < 0) {
+ dev_err(dev, "could not register v4l2 device\n");
+ goto free_entity;
+ }
+
++ pm_runtime_idle(imx214->dev);
++
+ return 0;
+
+ free_entity:
++ pm_runtime_disable(imx214->dev);
++ pm_runtime_set_suspended(&client->dev);
+ media_entity_cleanup(&imx214->sd.entity);
++
+ free_ctrl:
+ mutex_destroy(&imx214->mutex);
+ v4l2_ctrl_handler_free(&imx214->ctrls);
++
+ error_power_off:
+- pm_runtime_disable(imx214->dev);
++ imx214_power_off(imx214->dev);
+
+ return ret;
+ }
+@@ -1126,11 +1131,12 @@ static void imx214_remove(struct i2c_cli
+ v4l2_async_unregister_subdev(&imx214->sd);
+ media_entity_cleanup(&imx214->sd.entity);
+ v4l2_ctrl_handler_free(&imx214->ctrls);
+-
+- pm_runtime_disable(&client->dev);
+- pm_runtime_set_suspended(&client->dev);
+-
+ mutex_destroy(&imx214->mutex);
++ pm_runtime_disable(&client->dev);
++ if (!pm_runtime_status_suspended(&client->dev)) {
++ imx214_power_off(imx214->dev);
++ pm_runtime_set_suspended(&client->dev);
++ }
+ }
+
+ static const struct of_device_id imx214_of_match[] = {
--- /dev/null
+From 42eceae9793566d0df53d509be3e416465c347f5 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Fri, 10 Jan 2025 14:53:20 +0200
+Subject: media: i2c: imx219: Rectify runtime PM handling in probe and remove
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit 42eceae9793566d0df53d509be3e416465c347f5 upstream.
+
+Set the device's runtime PM status and enable runtime PM before
+registering the async sub-device. This is needed to avoid the case where
+the device is runtime PM resumed while runtime PM has not been enabled
+yet.
+
+Also set the device's runtime PM status to suspended in remove only if it
+wasn't so already.
+
+Fixes: 1283b3b8f82b ("media: i2c: Add driver for Sony IMX219 sensor")
+Cc: stable@vger.kernel.org # for >= v6.6
+Reviewed-by: Bingbu Cao <bingbu.cao@intel.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/imx219.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/media/i2c/imx219.c
++++ b/drivers/media/i2c/imx219.c
+@@ -1223,6 +1223,9 @@ static int imx219_probe(struct i2c_clien
+ goto error_media_entity;
+ }
+
++ pm_runtime_set_active(dev);
++ pm_runtime_enable(dev);
++
+ ret = v4l2_async_register_subdev_sensor(&imx219->sd);
+ if (ret < 0) {
+ dev_err_probe(dev, ret,
+@@ -1230,15 +1233,14 @@ static int imx219_probe(struct i2c_clien
+ goto error_subdev_cleanup;
+ }
+
+- /* Enable runtime PM and turn off the device */
+- pm_runtime_set_active(dev);
+- pm_runtime_enable(dev);
+ pm_runtime_idle(dev);
+
+ return 0;
+
+ error_subdev_cleanup:
+ v4l2_subdev_cleanup(&imx219->sd);
++ pm_runtime_disable(dev);
++ pm_runtime_set_suspended(dev);
+
+ error_media_entity:
+ media_entity_cleanup(&imx219->sd.entity);
+@@ -1263,9 +1265,10 @@ static void imx219_remove(struct i2c_cli
+ imx219_free_controls(imx219);
+
+ pm_runtime_disable(&client->dev);
+- if (!pm_runtime_status_suspended(&client->dev))
++ if (!pm_runtime_status_suspended(&client->dev)) {
+ imx219_power_off(&client->dev);
+- pm_runtime_set_suspended(&client->dev);
++ pm_runtime_set_suspended(&client->dev);
++ }
+ }
+
+ static const struct of_device_id imx219_dt_ids[] = {
--- /dev/null
+From 5f5ffd3bc62b2e6c478061918b10473d8b90ac2d Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Fri, 10 Jan 2025 14:55:59 +0200
+Subject: media: i2c: imx319: Rectify runtime PM handling probe and remove
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit 5f5ffd3bc62b2e6c478061918b10473d8b90ac2d upstream.
+
+Idle the device only after the async sub-device has been successfully
+registered. In error handling, set the device's runtime PM status to
+suspended only if it has been set to active previously in probe.
+
+Also set the device's runtime PM status to suspended in remove only if it
+wasn't so already.
+
+Fixes: 8a89dc62f28c ("media: add imx319 camera sensor driver")
+Cc: stable@vger.kernel.org # for >= v6.12
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/imx319.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/i2c/imx319.c
++++ b/drivers/media/i2c/imx319.c
+@@ -2442,17 +2442,19 @@ static int imx319_probe(struct i2c_clien
+ if (full_power)
+ pm_runtime_set_active(&client->dev);
+ pm_runtime_enable(&client->dev);
+- pm_runtime_idle(&client->dev);
+
+ ret = v4l2_async_register_subdev_sensor(&imx319->sd);
+ if (ret < 0)
+ goto error_media_entity_pm;
+
++ pm_runtime_idle(&client->dev);
++
+ return 0;
+
+ error_media_entity_pm:
+ pm_runtime_disable(&client->dev);
+- pm_runtime_set_suspended(&client->dev);
++ if (full_power)
++ pm_runtime_set_suspended(&client->dev);
+ media_entity_cleanup(&imx319->sd.entity);
+
+ error_handler_free:
+@@ -2474,7 +2476,8 @@ static void imx319_remove(struct i2c_cli
+ v4l2_ctrl_handler_free(sd->ctrl_handler);
+
+ pm_runtime_disable(&client->dev);
+- pm_runtime_set_suspended(&client->dev);
++ if (!pm_runtime_status_suspended(&client->dev))
++ pm_runtime_set_suspended(&client->dev);
+
+ mutex_destroy(&imx319->mutex);
+ }
--- /dev/null
+From 3d391292cdd53984ec1b9a1f6182a62a62751e03 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Fri, 17 Jan 2025 16:04:02 +0200
+Subject: media: i2c: ov7251: Introduce 1 ms delay between regulators and en GPIO
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit 3d391292cdd53984ec1b9a1f6182a62a62751e03 upstream.
+
+Lift the xshutdown (enable) GPIO 1 ms after enabling the regulators, as
+required by the sensor's power-up sequence.
+
+Fixes: d30bb512da3d ("media: Add a driver for the ov7251 camera sensor")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ov7251.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/i2c/ov7251.c
++++ b/drivers/media/i2c/ov7251.c
+@@ -922,6 +922,8 @@ static int ov7251_set_power_on(struct de
+ return ret;
+ }
+
++ usleep_range(1000, 1100);
++
+ gpiod_set_value_cansleep(ov7251->enable_gpio, 1);
+
+ /* wait at least 65536 external clock cycles */
--- /dev/null
+From a1963698d59cec83df640ded343af08b76c8e9c5 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Fri, 17 Jan 2025 15:38:13 +0200
+Subject: media: i2c: ov7251: Set enable GPIO low in probe
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit a1963698d59cec83df640ded343af08b76c8e9c5 upstream.
+
+Set the enable GPIO low when acquiring it.
+
+Fixes: d30bb512da3d ("media: Add a driver for the ov7251 camera sensor")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ov7251.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/i2c/ov7251.c
++++ b/drivers/media/i2c/ov7251.c
+@@ -1696,7 +1696,7 @@ static int ov7251_probe(struct i2c_clien
+ return PTR_ERR(ov7251->analog_regulator);
+ }
+
+- ov7251->enable_gpio = devm_gpiod_get(dev, "enable", GPIOD_OUT_HIGH);
++ ov7251->enable_gpio = devm_gpiod_get(dev, "enable", GPIOD_OUT_LOW);
+ if (IS_ERR(ov7251->enable_gpio)) {
+ dev_err(dev, "cannot get enable gpio\n");
+ return PTR_ERR(ov7251->enable_gpio);
--- /dev/null
+From 591a07588c03437dbcc3addfff07675de95a461e Mon Sep 17 00:00:00 2001
+From: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Date: Thu, 23 Jan 2025 15:37:49 +0000
+Subject: media: imx219: Adjust PLL settings based on the number of MIPI lanes
+
+From: Dave Stevenson <dave.stevenson@raspberrypi.com>
+
+commit 591a07588c03437dbcc3addfff07675de95a461e upstream.
+
+Commit ceddfd4493b3 ("media: i2c: imx219: Support four-lane operation")
+added support for device tree to allow configuration of the sensor to
+use 4 lanes with a link frequency of 363MHz, and amended the advertised
+pixel rate to 280.8MPix/s.
+
+However it didn't change any of the PLL settings, so actually it would
+have been running overclocked in the MIPI block, and with the frame
+rate and exposure calculations being wrong as the pixel rate was
+unchanged.
+
+The pixel rate and link frequency advertised were taken from the "Clock
+Setting Example" section of the datasheet. However those are based on an
+external clock of 12MHz, and are unachievable with a clock of 24MHz - it
+seems PREPLLCLK_VT_DIV and PREPLLCK_OP_DIV can ONLY be set via the
+automatic configuration documented in "9-1-2 EXCK_FREQ setting depend on
+INCK frequency", not by writing the registers.
+The closest we can get with a 24MHz clock is 281.6MPix/s and 364MHz.
+
+Dropping all support for the 363MHz link frequency would cause problems
+for existing users, so allow it, but log a warning that the requested
+value is being changed to the supported one.
+
+Fixes: ceddfd4493b3 ("media: i2c: imx219: Support four-lane operation")
+Cc: stable@vger.kernel.org
+Co-developed-by: Peyton Howe <peyton.howe@bellsouth.net>
+Signed-off-by: Peyton Howe <peyton.howe@bellsouth.net>
+Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/imx219.c | 93 +++++++++++++++++++++++++++++++++------------
+ 1 file changed, 69 insertions(+), 24 deletions(-)
+
+--- a/drivers/media/i2c/imx219.c
++++ b/drivers/media/i2c/imx219.c
+@@ -133,10 +133,11 @@
+
+ /* Pixel rate is fixed for all the modes */
+ #define IMX219_PIXEL_RATE 182400000
+-#define IMX219_PIXEL_RATE_4LANE 280800000
++#define IMX219_PIXEL_RATE_4LANE 281600000
+
+ #define IMX219_DEFAULT_LINK_FREQ 456000000
+-#define IMX219_DEFAULT_LINK_FREQ_4LANE 363000000
++#define IMX219_DEFAULT_LINK_FREQ_4LANE_UNSUPPORTED 363000000
++#define IMX219_DEFAULT_LINK_FREQ_4LANE 364000000
+
+ /* IMX219 native and active pixel array size. */
+ #define IMX219_NATIVE_WIDTH 3296U
+@@ -168,15 +169,6 @@ static const struct cci_reg_sequence imx
+ { CCI_REG8(0x30eb), 0x05 },
+ { CCI_REG8(0x30eb), 0x09 },
+
+- /* PLL Clock Table */
+- { IMX219_REG_VTPXCK_DIV, 5 },
+- { IMX219_REG_VTSYCK_DIV, 1 },
+- { IMX219_REG_PREPLLCK_VT_DIV, 3 }, /* 0x03 = AUTO set */
+- { IMX219_REG_PREPLLCK_OP_DIV, 3 }, /* 0x03 = AUTO set */
+- { IMX219_REG_PLL_VT_MPY, 57 },
+- { IMX219_REG_OPSYCK_DIV, 1 },
+- { IMX219_REG_PLL_OP_MPY, 114 },
+-
+ /* Undocumented registers */
+ { CCI_REG8(0x455e), 0x00 },
+ { CCI_REG8(0x471e), 0x4b },
+@@ -201,12 +193,45 @@ static const struct cci_reg_sequence imx
+ { IMX219_REG_EXCK_FREQ, IMX219_EXCK_FREQ(IMX219_XCLK_FREQ / 1000000) },
+ };
+
++static const struct cci_reg_sequence imx219_2lane_regs[] = {
++ /* PLL Clock Table */
++ { IMX219_REG_VTPXCK_DIV, 5 },
++ { IMX219_REG_VTSYCK_DIV, 1 },
++ { IMX219_REG_PREPLLCK_VT_DIV, 3 }, /* 0x03 = AUTO set */
++ { IMX219_REG_PREPLLCK_OP_DIV, 3 }, /* 0x03 = AUTO set */
++ { IMX219_REG_PLL_VT_MPY, 57 },
++ { IMX219_REG_OPSYCK_DIV, 1 },
++ { IMX219_REG_PLL_OP_MPY, 114 },
++
++ /* 2-Lane CSI Mode */
++ { IMX219_REG_CSI_LANE_MODE, IMX219_CSI_2_LANE_MODE },
++};
++
++static const struct cci_reg_sequence imx219_4lane_regs[] = {
++ /* PLL Clock Table */
++ { IMX219_REG_VTPXCK_DIV, 5 },
++ { IMX219_REG_VTSYCK_DIV, 1 },
++ { IMX219_REG_PREPLLCK_VT_DIV, 3 }, /* 0x03 = AUTO set */
++ { IMX219_REG_PREPLLCK_OP_DIV, 3 }, /* 0x03 = AUTO set */
++ { IMX219_REG_PLL_VT_MPY, 88 },
++ { IMX219_REG_OPSYCK_DIV, 1 },
++ { IMX219_REG_PLL_OP_MPY, 91 },
++
++ /* 4-Lane CSI Mode */
++ { IMX219_REG_CSI_LANE_MODE, IMX219_CSI_4_LANE_MODE },
++};
++
+ static const s64 imx219_link_freq_menu[] = {
+ IMX219_DEFAULT_LINK_FREQ,
+ };
+
+ static const s64 imx219_link_freq_4lane_menu[] = {
+ IMX219_DEFAULT_LINK_FREQ_4LANE,
++ /*
++ * This will never be advertised to userspace, but will be used for
++ * v4l2_link_freq_to_bitmap
++ */
++ IMX219_DEFAULT_LINK_FREQ_4LANE_UNSUPPORTED,
+ };
+
+ static const char * const imx219_test_pattern_menu[] = {
+@@ -662,9 +687,11 @@ static int imx219_set_framefmt(struct im
+
+ static int imx219_configure_lanes(struct imx219 *imx219)
+ {
+- return cci_write(imx219->regmap, IMX219_REG_CSI_LANE_MODE,
+- imx219->lanes == 2 ? IMX219_CSI_2_LANE_MODE :
+- IMX219_CSI_4_LANE_MODE, NULL);
++ /* Write the appropriate PLL settings for the number of MIPI lanes */
++ return cci_multi_reg_write(imx219->regmap,
++ imx219->lanes == 2 ? imx219_2lane_regs : imx219_4lane_regs,
++ imx219->lanes == 2 ? ARRAY_SIZE(imx219_2lane_regs) :
++ ARRAY_SIZE(imx219_4lane_regs), NULL);
+ };
+
+ static int imx219_start_streaming(struct imx219 *imx219,
+@@ -1035,6 +1062,7 @@ static int imx219_check_hwcfg(struct dev
+ struct v4l2_fwnode_endpoint ep_cfg = {
+ .bus_type = V4L2_MBUS_CSI2_DPHY
+ };
++ unsigned long link_freq_bitmap;
+ int ret = -EINVAL;
+
+ endpoint = fwnode_graph_get_next_endpoint(dev_fwnode(dev), NULL);
+@@ -1056,23 +1084,40 @@ static int imx219_check_hwcfg(struct dev
+ imx219->lanes = ep_cfg.bus.mipi_csi2.num_data_lanes;
+
+ /* Check the link frequency set in device tree */
+- if (!ep_cfg.nr_of_link_frequencies) {
+- dev_err_probe(dev, -EINVAL,
+- "link-frequency property not found in DT\n");
+- goto error_out;
++ switch (imx219->lanes) {
++ case 2:
++ ret = v4l2_link_freq_to_bitmap(dev,
++ ep_cfg.link_frequencies,
++ ep_cfg.nr_of_link_frequencies,
++ imx219_link_freq_menu,
++ ARRAY_SIZE(imx219_link_freq_menu),
++ &link_freq_bitmap);
++ break;
++ case 4:
++ ret = v4l2_link_freq_to_bitmap(dev,
++ ep_cfg.link_frequencies,
++ ep_cfg.nr_of_link_frequencies,
++ imx219_link_freq_4lane_menu,
++ ARRAY_SIZE(imx219_link_freq_4lane_menu),
++ &link_freq_bitmap);
++
++ if (!ret && (link_freq_bitmap & BIT(1))) {
++ dev_warn(dev, "Link frequency of %d not supported, but has been incorrectly advertised previously\n",
++ IMX219_DEFAULT_LINK_FREQ_4LANE_UNSUPPORTED);
++ dev_warn(dev, "Using link frequency of %d\n",
++ IMX219_DEFAULT_LINK_FREQ_4LANE);
++ link_freq_bitmap |= BIT(0);
++ }
++ break;
+ }
+
+- if (ep_cfg.nr_of_link_frequencies != 1 ||
+- (ep_cfg.link_frequencies[0] != ((imx219->lanes == 2) ?
+- IMX219_DEFAULT_LINK_FREQ : IMX219_DEFAULT_LINK_FREQ_4LANE))) {
++ if (ret || !(link_freq_bitmap & BIT(0))) {
++ ret = -EINVAL;
+ dev_err_probe(dev, -EINVAL,
+ "Link frequency not supported: %lld\n",
+ ep_cfg.link_frequencies[0]);
+- goto error_out;
+ }
+
+- ret = 0;
+-
+ error_out:
+ v4l2_fwnode_endpoint_free(&ep_cfg);
+ fwnode_handle_put(endpoint);
--- /dev/null
+From 6f0ab5d3671f7cbb326c8cab6fb69cb7ab9901cc Mon Sep 17 00:00:00 2001
+From: Bingbu Cao <bingbu.cao@intel.com>
+Date: Fri, 14 Feb 2025 18:52:38 +0800
+Subject: media: intel/ipu6: set the dev_parent of video device to pdev
+
+From: Bingbu Cao <bingbu.cao@intel.com>
+
+commit 6f0ab5d3671f7cbb326c8cab6fb69cb7ab9901cc upstream.
+
+The bus_info in v4l2_capability of IPU6 isys v4l2_dev is missing.
+The driver didn't set the dev_parent of v4l2_dev, its parent is set
+to its parent auxdev which is neither platform nor PCI device, thus
+media_set_bus_info() will not set the bus_info of v4l2_capability, then
+`v4l2-ctl --all` cannot show the bus_info.
+
+This patch fixes it by setting the dev_parent of video_device and v4l2
+framework can detect the device type and set the bus_info instead.
+
+Fixes: 3c1dfb5a69cf ("media: intel/ipu6: input system video nodes and buffer queues")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hidenori Kobayashi <hidenorik@chromium.org>
+Signed-off-by: Bingbu Cao <bingbu.cao@intel.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/pci/intel/ipu6/ipu6-isys-video.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/media/pci/intel/ipu6/ipu6-isys-video.c
++++ b/drivers/media/pci/intel/ipu6/ipu6-isys-video.c
+@@ -1296,6 +1296,7 @@ int ipu6_isys_video_init(struct ipu6_isy
+ av->vdev.release = video_device_release_empty;
+ av->vdev.fops = &isys_fops;
+ av->vdev.v4l2_dev = &av->isys->v4l2_dev;
++ av->vdev.dev_parent = &av->isys->adev->isp->pdev->dev;
+ if (!av->vdev.ioctl_ops)
+ av->vdev.ioctl_ops = &ipu6_v4l2_ioctl_ops;
+ av->vdev.queue = &av->aq.vbq;
--- /dev/null
+From 4936cd5817af35d23e4d283f48fa59a18ef481e4 Mon Sep 17 00:00:00 2001
+From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Date: Tue, 18 Feb 2025 18:58:09 +0000
+Subject: media: mediatek: vcodec: Fix a resource leak related to the scp device in FW initialization
+
+From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+
+commit 4936cd5817af35d23e4d283f48fa59a18ef481e4 upstream.
+
+On Mediatek devices with a system companion processor (SCP) the mtk_scp
+structure has to be removed explicitly to avoid a resource leak.
+Free the structure in case the allocation of the firmware structure fails
+during the firmware initialization.
+
+Fixes: 53dbe0850444 ("media: mtk-vcodec: potential null pointer deference in SCP")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_scp.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_scp.c
++++ b/drivers/media/platform/mediatek/vcodec/common/mtk_vcodec_fw_scp.c
+@@ -79,8 +79,11 @@ struct mtk_vcodec_fw *mtk_vcodec_fw_scp_
+ }
+
+ fw = devm_kzalloc(&plat_dev->dev, sizeof(*fw), GFP_KERNEL);
+- if (!fw)
++ if (!fw) {
++ scp_put(scp);
+ return ERR_PTR(-ENOMEM);
++ }
++
+ fw->type = SCP;
+ fw->ops = &mtk_vcodec_rproc_msg;
+ fw->scp = scp;
--- /dev/null
+From dd05443189f9ae175dd806594b67bf55ddb6539e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Martin=20T=C5=AFma?= <martin.tuma@digiteqautomotive.com>
+Date: Fri, 21 Feb 2025 13:07:42 +0100
+Subject: media: mgb4: Fix CMT registers update logic
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Martin Tůma <martin.tuma@digiteqautomotive.com>
+
+commit dd05443189f9ae175dd806594b67bf55ddb6539e upstream.
+
+The CMT "magic values" registers must be updated while the CMT reset
+registers are active.
+
+Fixes: 0ab13674a9bd ("media: pci: mgb4: Added Digiteq Automotive MGB4 driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Martin Tůma <martin.tuma@digiteqautomotive.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/pci/mgb4/mgb4_cmt.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/pci/mgb4/mgb4_cmt.c
++++ b/drivers/media/pci/mgb4/mgb4_cmt.c
+@@ -206,10 +206,11 @@ u32 mgb4_cmt_set_vout_freq(struct mgb4_v
+
+ mgb4_write_reg(video, regs->config, 0x1 | (config & ~0x3));
+
++ mgb4_mask_reg(video, regs->config, 0x100, 0x100);
++
+ for (i = 0; i < ARRAY_SIZE(cmt_addrs_out[0]); i++)
+ mgb4_write_reg(&voutdev->mgbdev->cmt, addr[i], reg_set[i]);
+
+- mgb4_mask_reg(video, regs->config, 0x100, 0x100);
+ mgb4_mask_reg(video, regs->config, 0x100, 0x0);
+
+ mgb4_write_reg(video, regs->config, config & ~0x1);
+@@ -236,10 +237,11 @@ void mgb4_cmt_set_vin_freq_range(struct
+
+ mgb4_write_reg(video, regs->config, 0x1 | (config & ~0x3));
+
++ mgb4_mask_reg(video, regs->config, 0x1000, 0x1000);
++
+ for (i = 0; i < ARRAY_SIZE(cmt_addrs_in[0]); i++)
+ mgb4_write_reg(&vindev->mgbdev->cmt, addr[i], reg_set[i]);
+
+- mgb4_mask_reg(video, regs->config, 0x1000, 0x1000);
+ mgb4_mask_reg(video, regs->config, 0x1000, 0x0);
+
+ mgb4_write_reg(video, regs->config, config & ~0x1);
--- /dev/null
+From 450acf0840232eaf6eb7a80da11cf492e57498e8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Martin=20T=C5=AFma?= <martin.tuma@digiteqautomotive.com>
+Date: Fri, 21 Feb 2025 13:07:43 +0100
+Subject: media: mgb4: Fix switched CMT frequency range "magic values" sets
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Martin Tůma <martin.tuma@digiteqautomotive.com>
+
+commit 450acf0840232eaf6eb7a80da11cf492e57498e8 upstream.
+
+The reason why this passed unnoticed is that most infotainment systems
+use frequencies near enough the middle (50MHz) where both sets work.
+
+Fixes: 0ab13674a9bd ("media: pci: mgb4: Added Digiteq Automotive MGB4 driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Martin Tůma <martin.tuma@digiteqautomotive.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/pci/mgb4/mgb4_cmt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/pci/mgb4/mgb4_cmt.c
++++ b/drivers/media/pci/mgb4/mgb4_cmt.c
+@@ -135,8 +135,8 @@ static const u16 cmt_vals_out[][15] = {
+ };
+
+ static const u16 cmt_vals_in[][13] = {
+- {0x1082, 0x0000, 0x5104, 0x0000, 0x11C7, 0x0000, 0x1041, 0x02BC, 0x7C01, 0xFFE9, 0x9900, 0x9908, 0x8100},
+ {0x1104, 0x0000, 0x9208, 0x0000, 0x138E, 0x0000, 0x1041, 0x015E, 0x7C01, 0xFFE9, 0x0100, 0x0908, 0x1000},
++ {0x1082, 0x0000, 0x5104, 0x0000, 0x11C7, 0x0000, 0x1041, 0x02BC, 0x7C01, 0xFFE9, 0x9900, 0x9908, 0x8100},
+ };
+
+ static const u32 cmt_addrs_out[][15] = {
--- /dev/null
+From 07df4f23ef3ffe6fee697cd2e03623ad27108843 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 18 Oct 2024 15:21:10 +0000
+Subject: media: mtk-vcodec: venc: avoid -Wenum-compare-conditional warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 07df4f23ef3ffe6fee697cd2e03623ad27108843 upstream.
+
+This is one of three clang warnings about incompatible enum types
+in a conditional expression:
+
+drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c:597:29: error: conditional expression between different enumeration types ('enum scp_ipi_id' and 'enum ipi_id') [-Werror,-Wenum-compare-conditional]
+ 597 | inst->vpu_inst.id = is_ext ? SCP_IPI_VENC_H264 : IPI_VENC_H264;
+ | ^ ~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~
+
+The code is correct, so just rework it to avoid the warning.
+
+Fixes: 0dc4b3286125 ("media: mtk-vcodec: venc: support SCP firmware")
+Cc: stable@vger.kernel.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Alexandre Courbot <acourbot@google.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c
++++ b/drivers/media/platform/mediatek/vcodec/encoder/venc/venc_h264_if.c
+@@ -594,7 +594,11 @@ static int h264_enc_init(struct mtk_vcod
+
+ inst->ctx = ctx;
+ inst->vpu_inst.ctx = ctx;
+- inst->vpu_inst.id = is_ext ? SCP_IPI_VENC_H264 : IPI_VENC_H264;
++ if (is_ext)
++ inst->vpu_inst.id = SCP_IPI_VENC_H264;
++ else
++ inst->vpu_inst.id = IPI_VENC_H264;
++
+ inst->hw_base = mtk_vcodec_get_reg_addr(inst->ctx->dev->reg_base, VENC_SYS);
+
+ ret = vpu_enc_init(&inst->vpu_inst);
--- /dev/null
+From 8ba4ef40ad6ca62368292a69855324213181abfb Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda <ribalda@chromium.org>
+Date: Mon, 24 Feb 2025 07:03:54 +0000
+Subject: media: nuvoton: Fix reference handling of ece_node
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+commit 8ba4ef40ad6ca62368292a69855324213181abfb upstream.
+
+Make sure all the code paths call of_node_put().
+
+Instead of manually calling of_node_put, use the __free macros/helpers.
+
+Cc: stable@vger.kernel.org
+Fixes: 46c15a4ff1f4 ("media: nuvoton: Add driver for NPCM video capture and encoding engine")
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/nuvoton/npcm-video.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/media/platform/nuvoton/npcm-video.c
++++ b/drivers/media/platform/nuvoton/npcm-video.c
+@@ -1648,8 +1648,8 @@ rel_ctrl_handler:
+
+ static int npcm_video_ece_init(struct npcm_video *video)
+ {
++ struct device_node *ece_node __free(device_node) = NULL;
+ struct device *dev = video->dev;
+- struct device_node *ece_node;
+ struct platform_device *ece_pdev;
+ void __iomem *regs;
+
+@@ -1669,7 +1669,6 @@ static int npcm_video_ece_init(struct np
+ dev_err(dev, "Failed to find ECE device\n");
+ return -ENODEV;
+ }
+- of_node_put(ece_node);
+
+ regs = devm_platform_ioremap_resource(ece_pdev, 0);
+ if (IS_ERR(regs)) {
--- /dev/null
+From 453d5cadab1bde8e6fdd5bd05f4200338cb21e72 Mon Sep 17 00:00:00 2001
+From: Ricardo Ribalda <ribalda@chromium.org>
+Date: Mon, 24 Feb 2025 07:03:55 +0000
+Subject: media: nuvoton: Fix reference handling of ece_pdev
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+commit 453d5cadab1bde8e6fdd5bd05f4200338cb21e72 upstream.
+
+When we obtain a reference to of a platform_device, we need to release
+it via put_device.
+
+Found by cocci:
+./platform/nuvoton/npcm-video.c:1677:3-9: ERROR: missing put_device; call of_find_device_by_node on line 1667, but without a corresponding object release within this function.
+./platform/nuvoton/npcm-video.c:1684:3-9: ERROR: missing put_device; call of_find_device_by_node on line 1667, but without a corresponding object release within this function.
+./platform/nuvoton/npcm-video.c:1690:3-9: ERROR: missing put_device; call of_find_device_by_node on line 1667, but without a corresponding object release within this function.
+./platform/nuvoton/npcm-video.c:1694:1-7: ERROR: missing put_device; call of_find_device_by_node on line 1667, but without a corresponding object release within this function.
+
+Instead of manually calling put_device, use the __free macros.
+
+Cc: stable@vger.kernel.org
+Fixes: 46c15a4ff1f4 ("media: nuvoton: Add driver for NPCM video capture and encoding engine")
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/nuvoton/npcm-video.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/platform/nuvoton/npcm-video.c
++++ b/drivers/media/platform/nuvoton/npcm-video.c
+@@ -1669,6 +1669,7 @@ static int npcm_video_ece_init(struct np
+ dev_err(dev, "Failed to find ECE device\n");
+ return -ENODEV;
+ }
++ struct device *ece_dev __free(put_device) = &ece_pdev->dev;
+
+ regs = devm_platform_ioremap_resource(ece_pdev, 0);
+ if (IS_ERR(regs)) {
+@@ -1683,7 +1684,7 @@ static int npcm_video_ece_init(struct np
+ return PTR_ERR(video->ece.regmap);
+ }
+
+- video->ece.reset = devm_reset_control_get(&ece_pdev->dev, NULL);
++ video->ece.reset = devm_reset_control_get(ece_dev, NULL);
+ if (IS_ERR(video->ece.reset)) {
+ dev_err(dev, "Failed to get ECE reset control in DTS\n");
+ return PTR_ERR(video->ece.reset);
--- /dev/null
+From 69dea0ed84611b2b83f4f5fb4f5a1ec4b6bc902d Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Fri, 20 Dec 2024 15:41:21 +0100
+Subject: media: ov08x40: Properly turn sensor on/off when runtime-suspended
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 69dea0ed84611b2b83f4f5fb4f5a1ec4b6bc902d upstream.
+
+Commit df1ae2251a50 ("media: ov08x40: Add OF probe support") added support
+for a reset GPIO, regulators and a clk provider controlled through new
+ov08x40_power_off() and ov08x40_power_on() functions.
+
+But it missed adding a pm ops structure to call these functions on
+runtime suspend/resume. Add the missing pm ops and only call
+ov08x40_power_off() on remove() when not already runtime-suspended
+to avoid unbalanced regulator / clock disable calls.
+
+Fixes: df1ae2251a50 ("media: ov08x40: Add OF probe support")
+Cc: stable@vger.kernel.org
+Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ov08x40.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/i2c/ov08x40.c
++++ b/drivers/media/i2c/ov08x40.c
+@@ -2324,11 +2324,14 @@ static void ov08x40_remove(struct i2c_cl
+ ov08x40_free_controls(ov08x);
+
+ pm_runtime_disable(&client->dev);
++ if (!pm_runtime_status_suspended(&client->dev))
++ ov08x40_power_off(&client->dev);
+ pm_runtime_set_suspended(&client->dev);
+-
+- ov08x40_power_off(&client->dev);
+ }
+
++static DEFINE_RUNTIME_DEV_PM_OPS(ov08x40_pm_ops, ov08x40_power_off,
++ ov08x40_power_on, NULL);
++
+ #ifdef CONFIG_ACPI
+ static const struct acpi_device_id ov08x40_acpi_ids[] = {
+ {"OVTI08F4"},
+@@ -2349,6 +2352,7 @@ static struct i2c_driver ov08x40_i2c_dri
+ .name = "ov08x40",
+ .acpi_match_table = ACPI_PTR(ov08x40_acpi_ids),
+ .of_match_table = ov08x40_of_match,
++ .pm = pm_sleep_ptr(&ov08x40_pm_ops),
+ },
+ .probe = ov08x40_probe,
+ .remove = ov08x40_remove,
--- /dev/null
+From f883f34b6a46b1a09d44d7f94c3cd72fe0e8f93b Mon Sep 17 00:00:00 2001
+From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Date: Fri, 22 Nov 2024 20:46:03 +0000
+Subject: media: platform: stm32: Add check for clk_enable()
+
+From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+
+commit f883f34b6a46b1a09d44d7f94c3cd72fe0e8f93b upstream.
+
+Add check for the return value of clk_enable() to gurantee the success.
+
+Fixes: 002e8f0d5927 ("media: stm32-dma2d: STM32 DMA2D driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/st/stm32/dma2d/dma2d.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/platform/st/stm32/dma2d/dma2d.c
++++ b/drivers/media/platform/st/stm32/dma2d/dma2d.c
+@@ -490,7 +490,8 @@ static void device_run(void *prv)
+ dst->sequence = frm_cap->sequence++;
+ v4l2_m2m_buf_copy_metadata(src, dst, true);
+
+- clk_enable(dev->gate);
++ if (clk_enable(dev->gate))
++ goto end;
+
+ dma2d_config_fg(dev, frm_out,
+ vb2_dma_contig_plane_dma_addr(&src->vb2_buf, 0));
--- /dev/null
+From 11de3582675cc0b7136e12f3971f1da3e5a05382 Mon Sep 17 00:00:00 2001
+From: John Keeping <jkeeping@inmusicbrands.com>
+Date: Sat, 10 Aug 2024 14:02:54 +0100
+Subject: media: rockchip: rga: fix rga offset lookup
+
+From: John Keeping <jkeeping@inmusicbrands.com>
+
+commit 11de3582675cc0b7136e12f3971f1da3e5a05382 upstream.
+
+The arguments to rga_lookup_draw_pos() are passed in the wrong order,
+rotate mode should be before mirror mode.
+
+Fixes: 558c248f930e6 ("media: rockchip: rga: split src and dst buffer setup")
+Cc: stable@vger.kernel.org
+Signed-off-by: John Keeping <jkeeping@inmusicbrands.com>
+Reviewed-by: Michael Tretter <m.tretter@pengutronix.de>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/rockchip/rga/rga-hw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/platform/rockchip/rga/rga-hw.c
++++ b/drivers/media/platform/rockchip/rga/rga-hw.c
+@@ -376,7 +376,7 @@ static void rga_cmd_set_dst_info(struct
+ * Configure the dest framebuffer base address with pixel offset.
+ */
+ offsets = rga_get_addr_offset(&ctx->out, offset, dst_x, dst_y, dst_w, dst_h);
+- dst_offset = rga_lookup_draw_pos(&offsets, mir_mode, rot_mode);
++ dst_offset = rga_lookup_draw_pos(&offsets, rot_mode, mir_mode);
+
+ dest[(RGA_DST_Y_RGB_BASE_ADDR - RGA_MODE_BASE_REG) >> 2] =
+ dst_offset->y_off;
--- /dev/null
+From 734ac57e47b3bdd140a1119e2c4e8e6f8ef8b33d Mon Sep 17 00:00:00 2001
+From: Yuan Can <yuancan@huawei.com>
+Date: Tue, 22 Oct 2024 14:50:37 +0800
+Subject: media: siano: Fix error handling in smsdvb_module_init()
+
+From: Yuan Can <yuancan@huawei.com>
+
+commit 734ac57e47b3bdd140a1119e2c4e8e6f8ef8b33d upstream.
+
+The smsdvb_module_init() returns without checking the retval from
+smscore_register_hotplug().
+If the smscore_register_hotplug() failed, the module failed to install,
+leaving the smsdvb_debugfs not unregistered.
+
+Fixes: 3f6b87cff66b ("[media] siano: allow showing the complete statistics via debugfs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Yuan Can <yuancan@huawei.com>
+Acked-by: Ricardo Ribalda <ribalda@chromium.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/common/siano/smsdvb-main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/common/siano/smsdvb-main.c
++++ b/drivers/media/common/siano/smsdvb-main.c
+@@ -1243,6 +1243,8 @@ static int __init smsdvb_module_init(voi
+ smsdvb_debugfs_register();
+
+ rc = smscore_register_hotplug(smsdvb_hotplug);
++ if (rc)
++ smsdvb_debugfs_unregister();
+
+ pr_debug("\n");
+
--- /dev/null
+From 549f6d348167fb2f7800ed7c8d4bce9630c74498 Mon Sep 17 00:00:00 2001
+From: Murad Masimov <m.masimov@mt-integration.ru>
+Date: Mon, 13 Jan 2025 13:51:31 +0300
+Subject: media: streamzap: prevent processing IR data on URB failure
+
+From: Murad Masimov <m.masimov@mt-integration.ru>
+
+commit 549f6d348167fb2f7800ed7c8d4bce9630c74498 upstream.
+
+If streamzap_callback() receives an urb with any non-critical error
+status, i.e. any error code other than -ECONNRESET, -ENOENT or -ESHUTDOWN,
+it will try to process IR data, ignoring a possible transfer failure.
+
+Make streamzap_callback() process IR data only when urb->status is 0.
+Move processing logic to a separate function to make code cleaner and
+more similar to the URB completion handlers in other RC drivers.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: 19770693c354 ("V4L/DVB: staging/lirc: add lirc_streamzap driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Murad Masimov <m.masimov@mt-integration.ru>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/rc/streamzap.c | 68 ++++++++++++++++++++++++-------------------
+ 1 file changed, 38 insertions(+), 30 deletions(-)
+
+--- a/drivers/media/rc/streamzap.c
++++ b/drivers/media/rc/streamzap.c
+@@ -138,39 +138,10 @@ static void sz_push_half_space(struct st
+ sz_push_full_space(sz, value & SZ_SPACE_MASK);
+ }
+
+-/*
+- * streamzap_callback - usb IRQ handler callback
+- *
+- * This procedure is invoked on reception of data from
+- * the usb remote.
+- */
+-static void streamzap_callback(struct urb *urb)
++static void sz_process_ir_data(struct streamzap_ir *sz, int len)
+ {
+- struct streamzap_ir *sz;
+ unsigned int i;
+- int len;
+-
+- if (!urb)
+- return;
+-
+- sz = urb->context;
+- len = urb->actual_length;
+-
+- switch (urb->status) {
+- case -ECONNRESET:
+- case -ENOENT:
+- case -ESHUTDOWN:
+- /*
+- * this urb is terminated, clean up.
+- * sz might already be invalid at this point
+- */
+- dev_err(sz->dev, "urb terminated, status: %d\n", urb->status);
+- return;
+- default:
+- break;
+- }
+
+- dev_dbg(sz->dev, "%s: received urb, len %d\n", __func__, len);
+ for (i = 0; i < len; i++) {
+ dev_dbg(sz->dev, "sz->buf_in[%d]: %x\n",
+ i, (unsigned char)sz->buf_in[i]);
+@@ -219,6 +190,43 @@ static void streamzap_callback(struct ur
+ }
+
+ ir_raw_event_handle(sz->rdev);
++}
++
++/*
++ * streamzap_callback - usb IRQ handler callback
++ *
++ * This procedure is invoked on reception of data from
++ * the usb remote.
++ */
++static void streamzap_callback(struct urb *urb)
++{
++ struct streamzap_ir *sz;
++ int len;
++
++ if (!urb)
++ return;
++
++ sz = urb->context;
++ len = urb->actual_length;
++
++ switch (urb->status) {
++ case 0:
++ dev_dbg(sz->dev, "%s: received urb, len %d\n", __func__, len);
++ sz_process_ir_data(sz, len);
++ break;
++ case -ECONNRESET:
++ case -ENOENT:
++ case -ESHUTDOWN:
++ /*
++ * this urb is terminated, clean up.
++ * sz might already be invalid at this point
++ */
++ dev_err(sz->dev, "urb terminated, status: %d\n", urb->status);
++ return;
++ default:
++ break;
++ }
++
+ usb_submit_urb(urb, GFP_ATOMIC);
+ }
+
--- /dev/null
+From 7b0ee2de7c76e5518e2235a927fd211bc785d320 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niklas=20S=C3=B6derlund?=
+ <niklas.soderlund+renesas@ragnatech.se>
+Date: Wed, 12 Feb 2025 17:50:53 +0100
+Subject: media: uapi: rkisp1-config: Fix typo in extensible params example
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+
+commit 7b0ee2de7c76e5518e2235a927fd211bc785d320 upstream.
+
+The define used for the version in the example diagram does not match what
+is defined in enum rksip1_ext_param_buffer_version, nor the description
+above it. Correct the typo to make it clear which define to use.
+
+Fixes: e9d05e9d5db1 ("media: uapi: rkisp1-config: Add extensible params format")
+Cc: stable@vger.kernel.org
+Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/uapi/linux/rkisp1-config.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/uapi/linux/rkisp1-config.h
++++ b/include/uapi/linux/rkisp1-config.h
+@@ -1528,7 +1528,7 @@ enum rksip1_ext_param_buffer_version {
+ * The expected memory layout of the parameters buffer is::
+ *
+ * +-------------------- struct rkisp1_ext_params_cfg -------------------+
+- * | version = RKISP_EXT_PARAMS_BUFFER_V1; |
++ * | version = RKISP1_EXT_PARAM_BUFFER_V1; |
+ * | data_size = sizeof(struct rkisp1_ext_params_bls_config) |
+ * | + sizeof(struct rkisp1_ext_params_dpcc_config); |
+ * | +------------------------- data ---------------------------------+ |
--- /dev/null
+From 3edd1fc48d2c045e8259561797c89fe78f01717e Mon Sep 17 00:00:00 2001
+From: Karina Yankevich <k.yankevich@omp.ru>
+Date: Wed, 21 Aug 2024 14:31:34 +0300
+Subject: media: v4l2-dv-timings: prevent possible overflow in v4l2_detect_gtf()
+
+From: Karina Yankevich <k.yankevich@omp.ru>
+
+commit 3edd1fc48d2c045e8259561797c89fe78f01717e upstream.
+
+In v4l2_detect_gtf(), it seems safer to cast the 32-bit image_width
+variable to the 64-bit type u64 before multiplying to avoid
+a possible overflow. The resulting object code even seems to
+look better, at least on x86_64.
+
+Found by Linux Verification Center (linuxtesting.org) with Svace.
+
+[Sergey: rewrote the patch subject/descripition]
+
+Fixes: c9bc9f50753d ("[media] v4l2-dv-timings: fix overflow in gtf timings calculation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Karina Yankevich <k.yankevich@omp.ru>
+Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/v4l2-core/v4l2-dv-timings.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/v4l2-core/v4l2-dv-timings.c
++++ b/drivers/media/v4l2-core/v4l2-dv-timings.c
+@@ -764,7 +764,7 @@ bool v4l2_detect_gtf(unsigned int frame_
+ u64 num;
+ u32 den;
+
+- num = ((image_width * GTF_D_C_PRIME * (u64)hfreq) -
++ num = (((u64)image_width * GTF_D_C_PRIME * hfreq) -
+ ((u64)image_width * GTF_D_M_PRIME * 1000));
+ den = (hfreq * (100 - GTF_D_C_PRIME) + GTF_D_M_PRIME * 1000) *
+ (2 * GTF_CELL_GRAN);
+@@ -774,7 +774,7 @@ bool v4l2_detect_gtf(unsigned int frame_
+ u64 num;
+ u32 den;
+
+- num = ((image_width * GTF_S_C_PRIME * (u64)hfreq) -
++ num = (((u64)image_width * GTF_S_C_PRIME * hfreq) -
+ ((u64)image_width * GTF_S_M_PRIME * 1000));
+ den = (hfreq * (100 - GTF_S_C_PRIME) + GTF_S_M_PRIME * 1000) *
+ (2 * GTF_CELL_GRAN);
--- /dev/null
+From f4b211714bcc70effa60c34d9fa613d182e3ef1e Mon Sep 17 00:00:00 2001
+From: Vikash Garodia <quic_vgarodia@quicinc.com>
+Date: Thu, 20 Feb 2025 22:50:11 +0530
+Subject: media: venus: hfi: add a check to handle OOB in sfr region
+
+From: Vikash Garodia <quic_vgarodia@quicinc.com>
+
+commit f4b211714bcc70effa60c34d9fa613d182e3ef1e upstream.
+
+sfr->buf_size is in shared memory and can be modified by malicious user.
+OOB write is possible when the size is made higher than actual sfr data
+buffer. Cap the size to allocated size for such cases.
+
+Cc: stable@vger.kernel.org
+Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files")
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/hfi_venus.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/platform/qcom/venus/hfi_venus.c
++++ b/drivers/media/platform/qcom/venus/hfi_venus.c
+@@ -1035,18 +1035,26 @@ static void venus_sfr_print(struct venus
+ {
+ struct device *dev = hdev->core->dev;
+ struct hfi_sfr *sfr = hdev->sfr.kva;
++ u32 size;
+ void *p;
+
+ if (!sfr)
+ return;
+
+- p = memchr(sfr->data, '\0', sfr->buf_size);
++ size = sfr->buf_size;
++ if (!size)
++ return;
++
++ if (size > ALIGNED_SFR_SIZE)
++ size = ALIGNED_SFR_SIZE;
++
++ p = memchr(sfr->data, '\0', size);
+ /*
+ * SFR isn't guaranteed to be NULL terminated since SYS_ERROR indicates
+ * that Venus is in the process of crashing.
+ */
+ if (!p)
+- sfr->data[sfr->buf_size - 1] = '\0';
++ sfr->data[size - 1] = '\0';
+
+ dev_err_ratelimited(dev, "SFR message from FW: %s\n", sfr->data);
+ }
--- /dev/null
+From 69baf245b23e20efda0079238b27fc63ecf13de1 Mon Sep 17 00:00:00 2001
+From: Vikash Garodia <quic_vgarodia@quicinc.com>
+Date: Thu, 20 Feb 2025 22:50:10 +0530
+Subject: media: venus: hfi: add check to handle incorrect queue size
+
+From: Vikash Garodia <quic_vgarodia@quicinc.com>
+
+commit 69baf245b23e20efda0079238b27fc63ecf13de1 upstream.
+
+qsize represents size of shared queued between driver and video
+firmware. Firmware can modify this value to an invalid large value. In
+such situation, empty_space will be bigger than the space actually
+available. Since new_wr_idx is not checked, so the following code will
+result in an OOB write.
+...
+qsize = qhdr->q_size
+
+if (wr_idx >= rd_idx)
+ empty_space = qsize - (wr_idx - rd_idx)
+....
+if (new_wr_idx < qsize) {
+ memcpy(wr_ptr, packet, dwords << 2) --> OOB write
+
+Add check to ensure qsize is within the allocated size while
+reading and writing packets into the queue.
+
+Cc: stable@vger.kernel.org
+Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files")
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/hfi_venus.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/media/platform/qcom/venus/hfi_venus.c
++++ b/drivers/media/platform/qcom/venus/hfi_venus.c
+@@ -187,6 +187,9 @@ static int venus_write_queue(struct venu
+ /* ensure rd/wr indices's are read from memory */
+ rmb();
+
++ if (qsize > IFACEQ_QUEUE_SIZE / 4)
++ return -EINVAL;
++
+ if (wr_idx >= rd_idx)
+ empty_space = qsize - (wr_idx - rd_idx);
+ else
+@@ -255,6 +258,9 @@ static int venus_read_queue(struct venus
+ wr_idx = qhdr->write_idx;
+ qsize = qhdr->q_size;
+
++ if (qsize > IFACEQ_QUEUE_SIZE / 4)
++ return -EINVAL;
++
+ /* make sure data is valid before using it */
+ rmb();
+
--- /dev/null
+From 172bf5a9ef70a399bb227809db78442dc01d9e48 Mon Sep 17 00:00:00 2001
+From: Vikash Garodia <quic_vgarodia@quicinc.com>
+Date: Thu, 20 Feb 2025 22:50:08 +0530
+Subject: media: venus: hfi_parser: add check to avoid out of bound access
+
+From: Vikash Garodia <quic_vgarodia@quicinc.com>
+
+commit 172bf5a9ef70a399bb227809db78442dc01d9e48 upstream.
+
+There is a possibility that init_codecs is invoked multiple times during
+manipulated payload from video firmware. In such case, if codecs_count
+can get incremented to value more than MAX_CODEC_NUM, there can be OOB
+access. Reset the count so that it always starts from beginning.
+
+Cc: stable@vger.kernel.org
+Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser")
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/hfi_parser.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/platform/qcom/venus/hfi_parser.c
++++ b/drivers/media/platform/qcom/venus/hfi_parser.c
+@@ -19,6 +19,8 @@ static void init_codecs(struct venus_cor
+ struct hfi_plat_caps *caps = core->caps, *cap;
+ unsigned long bit;
+
++ core->codecs_count = 0;
++
+ if (hweight_long(core->dec_codecs) + hweight_long(core->enc_codecs) > MAX_CODEC_NUM)
+ return;
+
--- /dev/null
+From 9edaaa8e3e15aab1ca413ab50556de1975bcb329 Mon Sep 17 00:00:00 2001
+From: Vikash Garodia <quic_vgarodia@quicinc.com>
+Date: Thu, 20 Feb 2025 22:50:09 +0530
+Subject: media: venus: hfi_parser: refactor hfi packet parsing logic
+
+From: Vikash Garodia <quic_vgarodia@quicinc.com>
+
+commit 9edaaa8e3e15aab1ca413ab50556de1975bcb329 upstream.
+
+words_count denotes the number of words in total payload, while data
+points to payload of various property within it. When words_count
+reaches last word, data can access memory beyond the total payload. This
+can lead to OOB access. With this patch, the utility api for handling
+individual properties now returns the size of data consumed. Accordingly
+remaining bytes are calculated before parsing the payload, thereby
+eliminates the OOB access possibilities.
+
+Cc: stable@vger.kernel.org
+Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser")
+Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/hfi_parser.c | 98 ++++++++++++++++++-------
+ 1 file changed, 72 insertions(+), 26 deletions(-)
+
+--- a/drivers/media/platform/qcom/venus/hfi_parser.c
++++ b/drivers/media/platform/qcom/venus/hfi_parser.c
+@@ -64,7 +64,7 @@ fill_buf_mode(struct hfi_plat_caps *cap,
+ cap->cap_bufs_mode_dynamic = true;
+ }
+
+-static void
++static int
+ parse_alloc_mode(struct venus_core *core, u32 codecs, u32 domain, void *data)
+ {
+ struct hfi_buffer_alloc_mode_supported *mode = data;
+@@ -72,7 +72,7 @@ parse_alloc_mode(struct venus_core *core
+ u32 *type;
+
+ if (num_entries > MAX_ALLOC_MODE_ENTRIES)
+- return;
++ return -EINVAL;
+
+ type = mode->data;
+
+@@ -84,6 +84,8 @@ parse_alloc_mode(struct venus_core *core
+
+ type++;
+ }
++
++ return sizeof(*mode);
+ }
+
+ static void fill_profile_level(struct hfi_plat_caps *cap, const void *data,
+@@ -98,7 +100,7 @@ static void fill_profile_level(struct hf
+ cap->num_pl += num;
+ }
+
+-static void
++static int
+ parse_profile_level(struct venus_core *core, u32 codecs, u32 domain, void *data)
+ {
+ struct hfi_profile_level_supported *pl = data;
+@@ -106,12 +108,14 @@ parse_profile_level(struct venus_core *c
+ struct hfi_profile_level pl_arr[HFI_MAX_PROFILE_COUNT] = {};
+
+ if (pl->profile_count > HFI_MAX_PROFILE_COUNT)
+- return;
++ return -EINVAL;
+
+ memcpy(pl_arr, proflevel, pl->profile_count * sizeof(*proflevel));
+
+ for_each_codec(core->caps, ARRAY_SIZE(core->caps), codecs, domain,
+ fill_profile_level, pl_arr, pl->profile_count);
++
++ return pl->profile_count * sizeof(*proflevel) + sizeof(u32);
+ }
+
+ static void
+@@ -126,7 +130,7 @@ fill_caps(struct hfi_plat_caps *cap, con
+ cap->num_caps += num;
+ }
+
+-static void
++static int
+ parse_caps(struct venus_core *core, u32 codecs, u32 domain, void *data)
+ {
+ struct hfi_capabilities *caps = data;
+@@ -135,12 +139,14 @@ parse_caps(struct venus_core *core, u32
+ struct hfi_capability caps_arr[MAX_CAP_ENTRIES] = {};
+
+ if (num_caps > MAX_CAP_ENTRIES)
+- return;
++ return -EINVAL;
+
+ memcpy(caps_arr, cap, num_caps * sizeof(*cap));
+
+ for_each_codec(core->caps, ARRAY_SIZE(core->caps), codecs, domain,
+ fill_caps, caps_arr, num_caps);
++
++ return sizeof(*caps);
+ }
+
+ static void fill_raw_fmts(struct hfi_plat_caps *cap, const void *fmts,
+@@ -155,7 +161,7 @@ static void fill_raw_fmts(struct hfi_pla
+ cap->num_fmts += num_fmts;
+ }
+
+-static void
++static int
+ parse_raw_formats(struct venus_core *core, u32 codecs, u32 domain, void *data)
+ {
+ struct hfi_uncompressed_format_supported *fmt = data;
+@@ -164,7 +170,8 @@ parse_raw_formats(struct venus_core *cor
+ struct raw_formats rawfmts[MAX_FMT_ENTRIES] = {};
+ u32 entries = fmt->format_entries;
+ unsigned int i = 0;
+- u32 num_planes;
++ u32 num_planes = 0;
++ u32 size;
+
+ while (entries) {
+ num_planes = pinfo->num_planes;
+@@ -174,7 +181,7 @@ parse_raw_formats(struct venus_core *cor
+ i++;
+
+ if (i >= MAX_FMT_ENTRIES)
+- return;
++ return -EINVAL;
+
+ if (pinfo->num_planes > MAX_PLANES)
+ break;
+@@ -186,9 +193,13 @@ parse_raw_formats(struct venus_core *cor
+
+ for_each_codec(core->caps, ARRAY_SIZE(core->caps), codecs, domain,
+ fill_raw_fmts, rawfmts, i);
++ size = fmt->format_entries * (sizeof(*constr) * num_planes + 2 * sizeof(u32))
++ + 2 * sizeof(u32);
++
++ return size;
+ }
+
+-static void parse_codecs(struct venus_core *core, void *data)
++static int parse_codecs(struct venus_core *core, void *data)
+ {
+ struct hfi_codec_supported *codecs = data;
+
+@@ -200,21 +211,27 @@ static void parse_codecs(struct venus_co
+ core->dec_codecs &= ~HFI_VIDEO_CODEC_SPARK;
+ core->enc_codecs &= ~HFI_VIDEO_CODEC_HEVC;
+ }
++
++ return sizeof(*codecs);
+ }
+
+-static void parse_max_sessions(struct venus_core *core, const void *data)
++static int parse_max_sessions(struct venus_core *core, const void *data)
+ {
+ const struct hfi_max_sessions_supported *sessions = data;
+
+ core->max_sessions_supported = sessions->max_sessions;
++
++ return sizeof(*sessions);
+ }
+
+-static void parse_codecs_mask(u32 *codecs, u32 *domain, void *data)
++static int parse_codecs_mask(u32 *codecs, u32 *domain, void *data)
+ {
+ struct hfi_codec_mask_supported *mask = data;
+
+ *codecs = mask->codecs;
+ *domain = mask->video_domains;
++
++ return sizeof(*mask);
+ }
+
+ static void parser_init(struct venus_inst *inst, u32 *codecs, u32 *domain)
+@@ -283,8 +300,9 @@ static int hfi_platform_parser(struct ve
+ u32 hfi_parser(struct venus_core *core, struct venus_inst *inst, void *buf,
+ u32 size)
+ {
+- unsigned int words_count = size >> 2;
+- u32 *word = buf, *data, codecs = 0, domain = 0;
++ u32 *words = buf, *payload, codecs = 0, domain = 0;
++ u32 *frame_size = buf + size;
++ u32 rem_bytes = size;
+ int ret;
+
+ ret = hfi_platform_parser(core, inst);
+@@ -301,38 +319,66 @@ u32 hfi_parser(struct venus_core *core,
+ memset(core->caps, 0, sizeof(core->caps));
+ }
+
+- while (words_count) {
+- data = word + 1;
++ while (words < frame_size) {
++ payload = words + 1;
+
+- switch (*word) {
++ switch (*words) {
+ case HFI_PROPERTY_PARAM_CODEC_SUPPORTED:
+- parse_codecs(core, data);
++ if (rem_bytes <= sizeof(struct hfi_codec_supported))
++ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
++
++ ret = parse_codecs(core, payload);
++ if (ret < 0)
++ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
++
+ init_codecs(core);
+ break;
+ case HFI_PROPERTY_PARAM_MAX_SESSIONS_SUPPORTED:
+- parse_max_sessions(core, data);
++ if (rem_bytes <= sizeof(struct hfi_max_sessions_supported))
++ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
++
++ ret = parse_max_sessions(core, payload);
+ break;
+ case HFI_PROPERTY_PARAM_CODEC_MASK_SUPPORTED:
+- parse_codecs_mask(&codecs, &domain, data);
++ if (rem_bytes <= sizeof(struct hfi_codec_mask_supported))
++ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
++
++ ret = parse_codecs_mask(&codecs, &domain, payload);
+ break;
+ case HFI_PROPERTY_PARAM_UNCOMPRESSED_FORMAT_SUPPORTED:
+- parse_raw_formats(core, codecs, domain, data);
++ if (rem_bytes <= sizeof(struct hfi_uncompressed_format_supported))
++ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
++
++ ret = parse_raw_formats(core, codecs, domain, payload);
+ break;
+ case HFI_PROPERTY_PARAM_CAPABILITY_SUPPORTED:
+- parse_caps(core, codecs, domain, data);
++ if (rem_bytes <= sizeof(struct hfi_capabilities))
++ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
++
++ ret = parse_caps(core, codecs, domain, payload);
+ break;
+ case HFI_PROPERTY_PARAM_PROFILE_LEVEL_SUPPORTED:
+- parse_profile_level(core, codecs, domain, data);
++ if (rem_bytes <= sizeof(struct hfi_profile_level_supported))
++ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
++
++ ret = parse_profile_level(core, codecs, domain, payload);
+ break;
+ case HFI_PROPERTY_PARAM_BUFFER_ALLOC_MODE_SUPPORTED:
+- parse_alloc_mode(core, codecs, domain, data);
++ if (rem_bytes <= sizeof(struct hfi_buffer_alloc_mode_supported))
++ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
++
++ ret = parse_alloc_mode(core, codecs, domain, payload);
+ break;
+ default:
++ ret = sizeof(u32);
+ break;
+ }
+
+- word++;
+- words_count--;
++ if (ret < 0)
++ return HFI_ERR_SYS_INSUFFICIENT_RESOURCES;
++
++ words += ret / sizeof(u32);
++ rem_bytes -= ret;
+ }
+
+ if (!core->max_sessions_supported)
--- /dev/null
+From 143d75583f2427f3a97dba62413c4f0604867ebf Mon Sep 17 00:00:00 2001
+From: Matthew Majewski <mattwmajewski@gmail.com>
+Date: Wed, 19 Feb 2025 14:05:01 -0500
+Subject: media: vim2m: print device name after registering device
+
+From: Matthew Majewski <mattwmajewski@gmail.com>
+
+commit 143d75583f2427f3a97dba62413c4f0604867ebf upstream.
+
+Move the v4l2_info() call displaying the video device name after the
+device is actually registered.
+
+This fixes a bug where the driver was always displaying "/dev/video0"
+since it was reading from the vfd before it was registered.
+
+Fixes: cf7f34777a5b ("media: vim2m: Register video device after setting up internals")
+Cc: stable@vger.kernel.org
+Signed-off-by: Matthew Majewski <mattwmajewski@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/test-drivers/vim2m.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/test-drivers/vim2m.c
++++ b/drivers/media/test-drivers/vim2m.c
+@@ -1314,9 +1314,6 @@ static int vim2m_probe(struct platform_d
+ vfd->v4l2_dev = &dev->v4l2_dev;
+
+ video_set_drvdata(vfd, dev);
+- v4l2_info(&dev->v4l2_dev,
+- "Device registered as /dev/video%d\n", vfd->num);
+-
+ platform_set_drvdata(pdev, dev);
+
+ dev->m2m_dev = v4l2_m2m_init(&m2m_ops);
+@@ -1343,6 +1340,9 @@ static int vim2m_probe(struct platform_d
+ goto error_m2m;
+ }
+
++ v4l2_info(&dev->v4l2_dev,
++ "Device registered as /dev/video%d\n", vfd->num);
++
+ #ifdef CONFIG_MEDIA_CONTROLLER
+ ret = v4l2_m2m_register_media_controller(dev->m2m_dev, vfd,
+ MEDIA_ENT_F_PROC_VIDEO_SCALER);
--- /dev/null
+From d98e9213a768a3cc3a99f5e1abe09ad3baff2104 Mon Sep 17 00:00:00 2001
+From: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Date: Tue, 10 Dec 2024 16:02:53 -0500
+Subject: media: visl: Fix ERANGE error when setting enum controls
+
+From: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+
+commit d98e9213a768a3cc3a99f5e1abe09ad3baff2104 upstream.
+
+The visl driver supports both frame and slice mode, with and without a
+start-code. But, the range and default for these enum controls was not
+set, which currently limits the decoder to enums with a value of 0. Fix
+this by setting the decoder mode and start code controls for both the
+H.264 and HEVC codecs.
+
+Fixes: 0c078e310b6d ("media: visl: add virtual stateless decoder driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
+Signed-off-by: Sebastian Fricke <sebastian.fricke@collabora.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/test-drivers/visl/visl-core.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/media/test-drivers/visl/visl-core.c
++++ b/drivers/media/test-drivers/visl/visl-core.c
+@@ -161,9 +161,15 @@ static const struct visl_ctrl_desc visl_
+ },
+ {
+ .cfg.id = V4L2_CID_STATELESS_H264_DECODE_MODE,
++ .cfg.min = V4L2_STATELESS_H264_DECODE_MODE_SLICE_BASED,
++ .cfg.max = V4L2_STATELESS_H264_DECODE_MODE_FRAME_BASED,
++ .cfg.def = V4L2_STATELESS_H264_DECODE_MODE_SLICE_BASED,
+ },
+ {
+ .cfg.id = V4L2_CID_STATELESS_H264_START_CODE,
++ .cfg.min = V4L2_STATELESS_H264_START_CODE_NONE,
++ .cfg.max = V4L2_STATELESS_H264_START_CODE_ANNEX_B,
++ .cfg.def = V4L2_STATELESS_H264_START_CODE_NONE,
+ },
+ {
+ .cfg.id = V4L2_CID_STATELESS_H264_SLICE_PARAMS,
+@@ -198,9 +204,15 @@ static const struct visl_ctrl_desc visl_
+ },
+ {
+ .cfg.id = V4L2_CID_STATELESS_HEVC_DECODE_MODE,
++ .cfg.min = V4L2_STATELESS_HEVC_DECODE_MODE_SLICE_BASED,
++ .cfg.max = V4L2_STATELESS_HEVC_DECODE_MODE_FRAME_BASED,
++ .cfg.def = V4L2_STATELESS_HEVC_DECODE_MODE_SLICE_BASED,
+ },
+ {
+ .cfg.id = V4L2_CID_STATELESS_HEVC_START_CODE,
++ .cfg.min = V4L2_STATELESS_HEVC_START_CODE_NONE,
++ .cfg.max = V4L2_STATELESS_HEVC_START_CODE_ANNEX_B,
++ .cfg.def = V4L2_STATELESS_HEVC_START_CODE_NONE,
+ },
+ {
+ .cfg.id = V4L2_CID_STATELESS_HEVC_ENTRY_POINT_OFFSETS,
--- /dev/null
+From 347d84833faac79a105e438168cedf0b9658445b Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Mon, 4 Nov 2024 20:16:19 +0300
+Subject: media: xilinx-tpg: fix double put in xtpg_parse_of()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit 347d84833faac79a105e438168cedf0b9658445b upstream.
+
+This loop was recently converted to use for_each_of_graph_port() which
+automatically does __cleanup__ on the "port" iterator variable. Delete
+the calls to of_node_put(port) to avoid a double put bug.
+
+Fixes: 393194cdf11e ("media: xilinx-tpg: use new of_graph functions")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/xilinx/xilinx-tpg.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/media/platform/xilinx/xilinx-tpg.c
++++ b/drivers/media/platform/xilinx/xilinx-tpg.c
+@@ -722,7 +722,6 @@ static int xtpg_parse_of(struct xtpg_dev
+ format = xvip_of_get_format(port);
+ if (IS_ERR(format)) {
+ dev_err(dev, "invalid format in DT");
+- of_node_put(port);
+ return PTR_ERR(format);
+ }
+
+@@ -731,7 +730,6 @@ static int xtpg_parse_of(struct xtpg_dev
+ xtpg->vip_format = format;
+ } else if (xtpg->vip_format != format) {
+ dev_err(dev, "in/out format mismatch in DT");
+- of_node_put(port);
+ return -EINVAL;
+ }
+
--- /dev/null
+From e2f4ac7bab2205d3c4dd9464e6ffd82502177c51 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Fri, 14 Mar 2025 21:11:33 +0100
+Subject: mptcp: sockopt: fix getting freebind & transparent
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit e2f4ac7bab2205d3c4dd9464e6ffd82502177c51 upstream.
+
+When adding a socket option support in MPTCP, both the get and set parts
+are supposed to be implemented.
+
+IP(V6)_FREEBIND and IP(V6)_TRANSPARENT support for the setsockopt part
+has been added a while ago, but it looks like the get part got
+forgotten. It should have been present as a way to verify a setting has
+been set as expected, and not to act differently from TCP or any other
+socket types.
+
+Everything was in place to expose it, just the last step was missing.
+Only new code is added to cover these specific getsockopt(), that seems
+safe.
+
+Fixes: c9406a23c116 ("mptcp: sockopt: add SOL_IP freebind & transparent options")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250314-net-mptcp-fix-data-stream-corr-sockopt-v1-3-122dbb249db3@kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/sockopt.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/net/mptcp/sockopt.c
++++ b/net/mptcp/sockopt.c
+@@ -1419,6 +1419,12 @@ static int mptcp_getsockopt_v4(struct mp
+ switch (optname) {
+ case IP_TOS:
+ return mptcp_put_int_option(msk, optval, optlen, READ_ONCE(inet_sk(sk)->tos));
++ case IP_FREEBIND:
++ return mptcp_put_int_option(msk, optval, optlen,
++ inet_test_bit(FREEBIND, sk));
++ case IP_TRANSPARENT:
++ return mptcp_put_int_option(msk, optval, optlen,
++ inet_test_bit(TRANSPARENT, sk));
+ case IP_BIND_ADDRESS_NO_PORT:
+ return mptcp_put_int_option(msk, optval, optlen,
+ inet_test_bit(BIND_ADDRESS_NO_PORT, sk));
+@@ -1439,6 +1445,12 @@ static int mptcp_getsockopt_v6(struct mp
+ case IPV6_V6ONLY:
+ return mptcp_put_int_option(msk, optval, optlen,
+ sk->sk_ipv6only);
++ case IPV6_TRANSPARENT:
++ return mptcp_put_int_option(msk, optval, optlen,
++ inet_test_bit(TRANSPARENT, sk));
++ case IPV6_FREEBIND:
++ return mptcp_put_int_option(msk, optval, optlen,
++ inet_test_bit(FREEBIND, sk));
+ }
+
+ return -EOPNOTSUPP;
--- /dev/null
+From 8c39633759885b6ff85f6d96cf445560e74df5e8 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Fri, 14 Mar 2025 21:11:32 +0100
+Subject: mptcp: sockopt: fix getting IPV6_V6ONLY
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 8c39633759885b6ff85f6d96cf445560e74df5e8 upstream.
+
+When adding a socket option support in MPTCP, both the get and set parts
+are supposed to be implemented.
+
+IPV6_V6ONLY support for the setsockopt part has been added a while ago,
+but it looks like the get part got forgotten. It should have been
+present as a way to verify a setting has been set as expected, and not
+to act differently from TCP or any other socket types.
+
+Not supporting this getsockopt(IPV6_V6ONLY) blocks some apps which want
+to check the default value, before doing extra actions. On Linux, the
+default value is 0, but this can be changed with the net.ipv6.bindv6only
+sysctl knob. On Windows, it is set to 1 by default. So supporting the
+get part, like for all other socket options, is important.
+
+Everything was in place to expose it, just the last step was missing.
+Only new code is added to cover this specific getsockopt(), that seems
+safe.
+
+Fixes: c9b95a135987 ("mptcp: support IPV6_V6ONLY setsockopt")
+Cc: stable@vger.kernel.org
+Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/550
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250314-net-mptcp-fix-data-stream-corr-sockopt-v1-2-122dbb249db3@kernel.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/sockopt.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/net/mptcp/sockopt.c
++++ b/net/mptcp/sockopt.c
+@@ -1430,6 +1430,20 @@ static int mptcp_getsockopt_v4(struct mp
+ return -EOPNOTSUPP;
+ }
+
++static int mptcp_getsockopt_v6(struct mptcp_sock *msk, int optname,
++ char __user *optval, int __user *optlen)
++{
++ struct sock *sk = (void *)msk;
++
++ switch (optname) {
++ case IPV6_V6ONLY:
++ return mptcp_put_int_option(msk, optval, optlen,
++ sk->sk_ipv6only);
++ }
++
++ return -EOPNOTSUPP;
++}
++
+ static int mptcp_getsockopt_sol_mptcp(struct mptcp_sock *msk, int optname,
+ char __user *optval, int __user *optlen)
+ {
+@@ -1469,6 +1483,8 @@ int mptcp_getsockopt(struct sock *sk, in
+
+ if (level == SOL_IP)
+ return mptcp_getsockopt_v4(msk, optname, optval, option);
++ if (level == SOL_IPV6)
++ return mptcp_getsockopt_v6(msk, optname, optval, option);
+ if (level == SOL_TCP)
+ return mptcp_getsockopt_sol_tcp(msk, optname, optval, option);
+ if (level == SOL_MPTCP)
--- /dev/null
+From 2aee30bb10d7bad0a60255059c9ce1b84cf0130e Mon Sep 17 00:00:00 2001
+From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Date: Wed, 5 Feb 2025 02:31:41 +0000
+Subject: mtd: Add check for devm_kcalloc()
+
+From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+
+commit 2aee30bb10d7bad0a60255059c9ce1b84cf0130e upstream.
+
+Add a check for devm_kcalloc() to ensure successful allocation.
+
+Fixes: 78c08247b9d3 ("mtd: Support kmsg dumper based on pstore/blk")
+Cc: stable@vger.kernel.org # v5.10+
+Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/mtdpstore.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/mtd/mtdpstore.c
++++ b/drivers/mtd/mtdpstore.c
+@@ -423,6 +423,9 @@ static void mtdpstore_notify_add(struct
+ longcnt = BITS_TO_LONGS(div_u64(mtd->size, mtd->erasesize));
+ cxt->badmap = kcalloc(longcnt, sizeof(long), GFP_KERNEL);
+
++ if (!cxt->rmmap || !cxt->usedmap || !cxt->badmap)
++ return;
++
+ /* just support dmesg right now */
+ cxt->dev.flags = PSTORE_FLAGS_DMESG;
+ cxt->dev.zone.read = mtdpstore_read;
--- /dev/null
+From ddc210cf8b8a8be68051ad958bf3e2cef6b681c2 Mon Sep 17 00:00:00 2001
+From: Kamal Dasu <kamal.dasu@broadcom.com>
+Date: Thu, 27 Feb 2025 12:46:08 -0500
+Subject: mtd: rawnand: brcmnand: fix PM resume warning
+
+From: Kamal Dasu <kamal.dasu@broadcom.com>
+
+commit ddc210cf8b8a8be68051ad958bf3e2cef6b681c2 upstream.
+
+Fixed warning on PM resume as shown below caused due to uninitialized
+struct nand_operation that checks chip select field :
+WARN_ON(op->cs >= nanddev_ntargets(&chip->base)
+
+[ 14.588522] ------------[ cut here ]------------
+[ 14.588529] WARNING: CPU: 0 PID: 1392 at drivers/mtd/nand/raw/internals.h:139 nand_reset_op+0x1e0/0x1f8
+[ 14.588553] Modules linked in: bdc udc_core
+[ 14.588579] CPU: 0 UID: 0 PID: 1392 Comm: rtcwake Tainted: G W 6.14.0-rc4-g5394eea10651 #16
+[ 14.588590] Tainted: [W]=WARN
+[ 14.588593] Hardware name: Broadcom STB (Flattened Device Tree)
+[ 14.588598] Call trace:
+[ 14.588604] dump_backtrace from show_stack+0x18/0x1c
+[ 14.588622] r7:00000009 r6:0000008b r5:60000153 r4:c0fa558c
+[ 14.588625] show_stack from dump_stack_lvl+0x70/0x7c
+[ 14.588639] dump_stack_lvl from dump_stack+0x18/0x1c
+[ 14.588653] r5:c08d40b0 r4:c1003cb0
+[ 14.588656] dump_stack from __warn+0x84/0xe4
+[ 14.588668] __warn from warn_slowpath_fmt+0x18c/0x194
+[ 14.588678] r7:c08d40b0 r6:c1003cb0 r5:00000000 r4:00000000
+[ 14.588681] warn_slowpath_fmt from nand_reset_op+0x1e0/0x1f8
+[ 14.588695] r8:70c40dff r7:89705f41 r6:36b4a597 r5:c26c9444 r4:c26b0048
+[ 14.588697] nand_reset_op from brcmnand_resume+0x13c/0x150
+[ 14.588714] r9:00000000 r8:00000000 r7:c24f8010 r6:c228a3f8 r5:c26c94bc r4:c26b0040
+[ 14.588717] brcmnand_resume from platform_pm_resume+0x34/0x54
+[ 14.588735] r5:00000010 r4:c0840a50
+[ 14.588738] platform_pm_resume from dpm_run_callback+0x5c/0x14c
+[ 14.588757] dpm_run_callback from device_resume+0xc0/0x324
+[ 14.588776] r9:c24f8054 r8:c24f80a0 r7:00000000 r6:00000000 r5:00000010 r4:c24f8010
+[ 14.588779] device_resume from dpm_resume+0x130/0x160
+[ 14.588799] r9:c22539e4 r8:00000010 r7:c22bebb0 r6:c24f8010 r5:c22539dc r4:c22539b0
+[ 14.588802] dpm_resume from dpm_resume_end+0x14/0x20
+[ 14.588822] r10:c2204e40 r9:00000000 r8:c228a3fc r7:00000000 r6:00000003 r5:c228a414
+[ 14.588826] r4:00000010
+[ 14.588828] dpm_resume_end from suspend_devices_and_enter+0x274/0x6f8
+[ 14.588848] r5:c228a414 r4:00000000
+[ 14.588851] suspend_devices_and_enter from pm_suspend+0x228/0x2bc
+[ 14.588868] r10:c3502910 r9:c3501f40 r8:00000004 r7:c228a438 r6:c0f95e18 r5:00000000
+[ 14.588871] r4:00000003
+[ 14.588874] pm_suspend from state_store+0x74/0xd0
+[ 14.588889] r7:c228a438 r6:c0f934c8 r5:00000003 r4:00000003
+[ 14.588892] state_store from kobj_attr_store+0x1c/0x28
+[ 14.588913] r9:00000000 r8:00000000 r7:f09f9f08 r6:00000004 r5:c3502900 r4:c0283250
+[ 14.588916] kobj_attr_store from sysfs_kf_write+0x40/0x4c
+[ 14.588936] r5:c3502900 r4:c0d92a48
+[ 14.588939] sysfs_kf_write from kernfs_fop_write_iter+0x104/0x1f0
+[ 14.588956] r5:c3502900 r4:c3501f40
+[ 14.588960] kernfs_fop_write_iter from vfs_write+0x250/0x420
+[ 14.588980] r10:c0e14b48 r9:00000000 r8:c25f5780 r7:00443398 r6:f09f9f68 r5:c34f7f00
+[ 14.588983] r4:c042a88c
+[ 14.588987] vfs_write from ksys_write+0x74/0xe4
+[ 14.589005] r10:00000004 r9:c25f5780 r8:c02002fA0 r7:00000000 r6:00000000 r5:c34f7f00
+[ 14.589008] r4:c34f7f00
+[ 14.589011] ksys_write from sys_write+0x10/0x14
+[ 14.589029] r7:00000004 r6:004421c0 r5:00443398 r4:00000004
+[ 14.589032] sys_write from ret_fast_syscall+0x0/0x5c
+[ 14.589044] Exception stack(0xf09f9fa8 to 0xf09f9ff0)
+[ 14.589050] 9fa0: 00000004 00443398 00000004 00443398 00000004 00000001
+[ 14.589056] 9fc0: 00000004 00443398 004421c0 00000004 b6ecbd58 00000008 bebfbc38 0043eb78
+[ 14.589062] 9fe0: 00440eb0 bebfbaf8 b6de18a0 b6e579e8
+[ 14.589065] ---[ end trace 0000000000000000 ]---
+
+The fix uses the higher level nand_reset(chip, chipnr); where chipnr = 0, when
+doing PM resume operation in compliance with the controller support for single
+die nand chip. Switching from nand_reset_op() to nand_reset() implies more
+than just setting the cs field op->cs, it also reconfigures the data interface
+(ie. the timings). Tested and confirmed the NAND chip is in sync timing wise
+with host after the fix.
+
+Fixes: 97d90da8a886 ("mtd: nand: provide several helpers to do common NAND operations")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kamal Dasu <kamal.dasu@broadcom.com>
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/brcmnand/brcmnand.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c
++++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
+@@ -3008,7 +3008,7 @@ static int brcmnand_resume(struct device
+ brcmnand_save_restore_cs_config(host, 1);
+
+ /* Reset the chip, required by some chips after power-up */
+- nand_reset_op(chip);
++ nand_reset(chip, 0);
+ }
+
+ return 0;
--- /dev/null
+From 1b61a59876f0eafc19b23007c522ee407f55dbec Mon Sep 17 00:00:00 2001
+From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Date: Wed, 5 Feb 2025 02:31:40 +0000
+Subject: mtd: Replace kcalloc() with devm_kcalloc()
+
+From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+
+commit 1b61a59876f0eafc19b23007c522ee407f55dbec upstream.
+
+Replace kcalloc() with devm_kcalloc() to prevent memory leaks in case of
+errors.
+
+Fixes: 78c08247b9d3 ("mtd: Support kmsg dumper based on pstore/blk")
+Cc: stable@vger.kernel.org # v5.10+
+Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/mtdpstore.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/drivers/mtd/mtdpstore.c
++++ b/drivers/mtd/mtdpstore.c
+@@ -417,11 +417,11 @@ static void mtdpstore_notify_add(struct
+ }
+
+ longcnt = BITS_TO_LONGS(div_u64(mtd->size, info->kmsg_size));
+- cxt->rmmap = kcalloc(longcnt, sizeof(long), GFP_KERNEL);
+- cxt->usedmap = kcalloc(longcnt, sizeof(long), GFP_KERNEL);
++ cxt->rmmap = devm_kcalloc(&mtd->dev, longcnt, sizeof(long), GFP_KERNEL);
++ cxt->usedmap = devm_kcalloc(&mtd->dev, longcnt, sizeof(long), GFP_KERNEL);
+
+ longcnt = BITS_TO_LONGS(div_u64(mtd->size, mtd->erasesize));
+- cxt->badmap = kcalloc(longcnt, sizeof(long), GFP_KERNEL);
++ cxt->badmap = devm_kcalloc(&mtd->dev, longcnt, sizeof(long), GFP_KERNEL);
+
+ if (!cxt->rmmap || !cxt->usedmap || !cxt->badmap)
+ return;
+@@ -530,9 +530,6 @@ static void mtdpstore_notify_remove(stru
+ mtdpstore_flush_removed(cxt);
+
+ unregister_pstore_device(&cxt->dev);
+- kfree(cxt->badmap);
+- kfree(cxt->usedmap);
+- kfree(cxt->rmmap);
+ cxt->mtd = NULL;
+ cxt->index = -1;
+ }
--- /dev/null
+From 52fdc41c3278c981066a461d03d5477ebfcf270c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Beh=C3=BAn?= <kabel@kernel.org>
+Date: Mon, 17 Mar 2025 18:32:49 +0100
+Subject: net: dsa: mv88e6xxx: fix internal PHYs for 6320 family
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún <kabel@kernel.org>
+
+commit 52fdc41c3278c981066a461d03d5477ebfcf270c upstream.
+
+Fix internal PHYs definition for the 6320 family, which has only 2
+internal PHYs (on ports 3 and 4).
+
+Fixes: bc3931557d1d ("net: dsa: mv88e6xxx: Add number of internal PHYs")
+Signed-off-by: Marek Behún <kabel@kernel.org>
+Cc: <stable@vger.kernel.org> # 6.6.x
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20250317173250.28780-7-kabel@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -6259,7 +6259,8 @@ static const struct mv88e6xxx_info mv88e
+ .num_databases = 4096,
+ .num_macs = 8192,
+ .num_ports = 7,
+- .num_internal_phys = 5,
++ .num_internal_phys = 2,
++ .internal_phys_offset = 3,
+ .num_gpio = 15,
+ .max_vid = 4095,
+ .max_sid = 63,
+@@ -6286,7 +6287,8 @@ static const struct mv88e6xxx_info mv88e
+ .num_databases = 4096,
+ .num_macs = 8192,
+ .num_ports = 7,
+- .num_internal_phys = 5,
++ .num_internal_phys = 2,
++ .internal_phys_offset = 3,
+ .num_gpio = 15,
+ .max_vid = 4095,
+ .max_sid = 63,
--- /dev/null
+From 1ebc8e1ef906db9c08e9abe9776d85ddec837725 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Beh=C3=BAn?= <kabel@kernel.org>
+Date: Mon, 17 Mar 2025 18:32:50 +0100
+Subject: net: dsa: mv88e6xxx: workaround RGMII transmit delay erratum for 6320 family
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún <kabel@kernel.org>
+
+commit 1ebc8e1ef906db9c08e9abe9776d85ddec837725 upstream.
+
+Implement the workaround for erratum
+ 3.3 RGMII timing may be out of spec when transmit delay is enabled
+for the 6320 family, which says:
+
+ When transmit delay is enabled via Port register 1 bit 14 = 1, duty
+ cycle may be out of spec. Under very rare conditions this may cause
+ the attached device receive CRC errors.
+
+Signed-off-by: Marek Behún <kabel@kernel.org>
+Cc: <stable@vger.kernel.org> # 5.4.x
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20250317173250.28780-8-kabel@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -3674,6 +3674,21 @@ static int mv88e6xxx_stats_setup(struct
+ return mv88e6xxx_g1_stats_clear(chip);
+ }
+
++static int mv88e6320_setup_errata(struct mv88e6xxx_chip *chip)
++{
++ u16 dummy;
++ int err;
++
++ /* Workaround for erratum
++ * 3.3 RGMII timing may be out of spec when transmit delay is enabled
++ */
++ err = mv88e6xxx_port_hidden_write(chip, 0, 0xf, 0x7, 0xe000);
++ if (err)
++ return err;
++
++ return mv88e6xxx_port_hidden_read(chip, 0, 0xf, 0x7, &dummy);
++}
++
+ /* Check if the errata has already been applied. */
+ static bool mv88e6390_setup_errata_applied(struct mv88e6xxx_chip *chip)
+ {
+@@ -5130,6 +5145,7 @@ static const struct mv88e6xxx_ops mv88e6
+
+ static const struct mv88e6xxx_ops mv88e6320_ops = {
+ /* MV88E6XXX_FAMILY_6320 */
++ .setup_errata = mv88e6320_setup_errata,
+ .ieee_pri_map = mv88e6085_g1_ieee_pri_map,
+ .ip_pri_map = mv88e6085_g1_ip_pri_map,
+ .irl_init_all = mv88e6352_g2_irl_init_all,
+@@ -5182,6 +5198,7 @@ static const struct mv88e6xxx_ops mv88e6
+
+ static const struct mv88e6xxx_ops mv88e6321_ops = {
+ /* MV88E6XXX_FAMILY_6320 */
++ .setup_errata = mv88e6320_setup_errata,
+ .ieee_pri_map = mv88e6085_g1_ieee_pri_map,
+ .ip_pri_map = mv88e6085_g1_ip_pri_map,
+ .irl_init_all = mv88e6352_g2_irl_init_all,
--- /dev/null
+From c60d101a226f18e9a8f01bb4c6ca2b47dfcb15ef Mon Sep 17 00:00:00 2001
+From: Qingfang Deng <dqfext@gmail.com>
+Date: Tue, 18 Mar 2025 11:24:23 +0800
+Subject: net: stmmac: Fix accessing freed irq affinity_hint
+
+From: Qingfang Deng <dqfext@gmail.com>
+
+commit c60d101a226f18e9a8f01bb4c6ca2b47dfcb15ef upstream.
+
+The cpumask should not be a local variable, since its pointer is saved
+to irq_desc and may be accessed from procfs.
+To fix it, use the persistent mask cpumask_of(cpu#).
+
+Cc: stable@vger.kernel.org
+Fixes: 8deec94c6040 ("net: stmmac: set IRQ affinity hint for multi MSI vectors")
+Signed-off-by: Qingfang Deng <dqfext@gmail.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Link: https://patch.msgid.link/20250318032424.112067-1-dqfext@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -3640,7 +3640,6 @@ static int stmmac_request_irq_multi_msi(
+ {
+ struct stmmac_priv *priv = netdev_priv(dev);
+ enum request_irq_err irq_err;
+- cpumask_t cpu_mask;
+ int irq_idx = 0;
+ char *int_name;
+ int ret;
+@@ -3769,9 +3768,8 @@ static int stmmac_request_irq_multi_msi(
+ irq_idx = i;
+ goto irq_error;
+ }
+- cpumask_clear(&cpu_mask);
+- cpumask_set_cpu(i % num_online_cpus(), &cpu_mask);
+- irq_set_affinity_hint(priv->rx_irq[i], &cpu_mask);
++ irq_set_affinity_hint(priv->rx_irq[i],
++ cpumask_of(i % num_online_cpus()));
+ }
+
+ /* Request Tx MSI irq */
+@@ -3794,9 +3792,8 @@ static int stmmac_request_irq_multi_msi(
+ irq_idx = i;
+ goto irq_error;
+ }
+- cpumask_clear(&cpu_mask);
+- cpumask_set_cpu(i % num_online_cpus(), &cpu_mask);
+- irq_set_affinity_hint(priv->tx_irq[i], &cpu_mask);
++ irq_set_affinity_hint(priv->tx_irq[i],
++ cpumask_of(i % num_online_cpus()));
+ }
+
+ return 0;
--- /dev/null
+From abd88757252c2a2cea7909f3922de1f0e9e04002 Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Fri, 10 Jan 2025 10:11:51 +0200
+Subject: Revert "media: imx214: Fix the error handling in imx214_probe()"
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit abd88757252c2a2cea7909f3922de1f0e9e04002 upstream.
+
+This reverts commit 9bc92332cc3f06fda3c6e2423995ca2da0a7ec9a.
+
+Revert this "fix" as it's not really helpful but makes backporting a
+proper fix harder.
+
+Fixes: 9bc92332cc3f ("media: imx214: Fix the error handling in imx214_probe()")
+Cc: stable@vger.kernel.org # for >= v6.12
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/imx214.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/media/i2c/imx214.c
++++ b/drivers/media/i2c/imx214.c
+@@ -1114,7 +1114,6 @@ free_ctrl:
+ v4l2_ctrl_handler_free(&imx214->ctrls);
+ error_power_off:
+ pm_runtime_disable(imx214->dev);
+- regulator_bulk_disable(IMX214_NUM_SUPPLIES, imx214->supplies);
+
+ return ret;
+ }
--- /dev/null
+From 766ea2cf5a398c7eed519b12c6c6cf1631143ea2 Mon Sep 17 00:00:00 2001
+From: Sean Wang <sean.wang@mediatek.com>
+Date: Tue, 4 Mar 2025 16:08:46 -0800
+Subject: Revert "wifi: mt76: mt7925: Update mt7925_mcu_uni_[tx,rx]_ba for MLO"
+
+From: Sean Wang <sean.wang@mediatek.com>
+
+commit 766ea2cf5a398c7eed519b12c6c6cf1631143ea2 upstream.
+
+For MLO, mac80211 will send the BA action for each link to
+the driver, so the driver does not need to handle it itself.
+Therefore, revert this patch.
+
+Fixes: eb2a9a12c609 ("wifi: mt76: mt7925: Update mt7925_mcu_uni_[tx,rx]_ba for MLO")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+Tested-by: Caleb Jorden <cjorden@gmail.com>
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Link: https://patch.msgid.link/20250305000851.493671-1-sean.wang@kernel.org
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7925/main.c | 10 ++--
+ drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 52 ++++-----------------
+ drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h | 2
+ 3 files changed, 15 insertions(+), 49 deletions(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
+@@ -1289,22 +1289,22 @@ mt7925_ampdu_action(struct ieee80211_hw
+ case IEEE80211_AMPDU_RX_START:
+ mt76_rx_aggr_start(&dev->mt76, &msta->deflink.wcid, tid, ssn,
+ params->buf_size);
+- mt7925_mcu_uni_rx_ba(dev, vif, params, true);
++ mt7925_mcu_uni_rx_ba(dev, params, true);
+ break;
+ case IEEE80211_AMPDU_RX_STOP:
+ mt76_rx_aggr_stop(&dev->mt76, &msta->deflink.wcid, tid);
+- mt7925_mcu_uni_rx_ba(dev, vif, params, false);
++ mt7925_mcu_uni_rx_ba(dev, params, false);
+ break;
+ case IEEE80211_AMPDU_TX_OPERATIONAL:
+ mtxq->aggr = true;
+ mtxq->send_bar = false;
+- mt7925_mcu_uni_tx_ba(dev, vif, params, true);
++ mt7925_mcu_uni_tx_ba(dev, params, true);
+ break;
+ case IEEE80211_AMPDU_TX_STOP_FLUSH:
+ case IEEE80211_AMPDU_TX_STOP_FLUSH_CONT:
+ mtxq->aggr = false;
+ clear_bit(tid, &msta->deflink.wcid.ampdu_state);
+- mt7925_mcu_uni_tx_ba(dev, vif, params, false);
++ mt7925_mcu_uni_tx_ba(dev, params, false);
+ break;
+ case IEEE80211_AMPDU_TX_START:
+ set_bit(tid, &msta->deflink.wcid.ampdu_state);
+@@ -1313,7 +1313,7 @@ mt7925_ampdu_action(struct ieee80211_hw
+ case IEEE80211_AMPDU_TX_STOP_CONT:
+ mtxq->aggr = false;
+ clear_bit(tid, &msta->deflink.wcid.ampdu_state);
+- mt7925_mcu_uni_tx_ba(dev, vif, params, false);
++ mt7925_mcu_uni_tx_ba(dev, params, false);
+ ieee80211_stop_tx_ba_cb_irqsafe(vif, sta->addr, tid);
+ break;
+ }
+--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
+@@ -576,10 +576,10 @@ void mt7925_mcu_rx_event(struct mt792x_d
+
+ static int
+ mt7925_mcu_sta_ba(struct mt76_dev *dev, struct mt76_vif_link *mvif,
+- struct mt76_wcid *wcid,
+ struct ieee80211_ampdu_params *params,
+ bool enable, bool tx)
+ {
++ struct mt76_wcid *wcid = (struct mt76_wcid *)params->sta->drv_priv;
+ struct sta_rec_ba_uni *ba;
+ struct sk_buff *skb;
+ struct tlv *tlv;
+@@ -607,60 +607,28 @@ mt7925_mcu_sta_ba(struct mt76_dev *dev,
+
+ /** starec & wtbl **/
+ int mt7925_mcu_uni_tx_ba(struct mt792x_dev *dev,
+- struct ieee80211_vif *vif,
+ struct ieee80211_ampdu_params *params,
+ bool enable)
+ {
+ struct mt792x_sta *msta = (struct mt792x_sta *)params->sta->drv_priv;
+- struct mt792x_vif *mvif = (struct mt792x_vif *)vif->drv_priv;
+- struct mt792x_link_sta *mlink;
+- struct mt792x_bss_conf *mconf;
+- unsigned long usable_links = ieee80211_vif_usable_links(vif);
+- struct mt76_wcid *wcid;
+- u8 link_id, ret;
+-
+- for_each_set_bit(link_id, &usable_links, IEEE80211_MLD_MAX_NUM_LINKS) {
+- mconf = mt792x_vif_to_link(mvif, link_id);
+- mlink = mt792x_sta_to_link(msta, link_id);
+- wcid = &mlink->wcid;
+-
+- if (enable && !params->amsdu)
+- mlink->wcid.amsdu = false;
+-
+- ret = mt7925_mcu_sta_ba(&dev->mt76, &mconf->mt76, wcid, params,
+- enable, true);
+- if (ret < 0)
+- break;
+- }
++ struct mt792x_vif *mvif = msta->vif;
+
+- return ret;
++ if (enable && !params->amsdu)
++ msta->deflink.wcid.amsdu = false;
++
++ return mt7925_mcu_sta_ba(&dev->mt76, &mvif->bss_conf.mt76, params,
++ enable, true);
+ }
+
+ int mt7925_mcu_uni_rx_ba(struct mt792x_dev *dev,
+- struct ieee80211_vif *vif,
+ struct ieee80211_ampdu_params *params,
+ bool enable)
+ {
+ struct mt792x_sta *msta = (struct mt792x_sta *)params->sta->drv_priv;
+- struct mt792x_vif *mvif = (struct mt792x_vif *)vif->drv_priv;
+- struct mt792x_link_sta *mlink;
+- struct mt792x_bss_conf *mconf;
+- unsigned long usable_links = ieee80211_vif_usable_links(vif);
+- struct mt76_wcid *wcid;
+- u8 link_id, ret;
+-
+- for_each_set_bit(link_id, &usable_links, IEEE80211_MLD_MAX_NUM_LINKS) {
+- mconf = mt792x_vif_to_link(mvif, link_id);
+- mlink = mt792x_sta_to_link(msta, link_id);
+- wcid = &mlink->wcid;
+-
+- ret = mt7925_mcu_sta_ba(&dev->mt76, &mconf->mt76, wcid, params,
+- enable, false);
+- if (ret < 0)
+- break;
+- }
++ struct mt792x_vif *mvif = msta->vif;
+
+- return ret;
++ return mt7925_mcu_sta_ba(&dev->mt76, &mvif->bss_conf.mt76, params,
++ enable, false);
+ }
+
+ static int mt7925_load_clc(struct mt792x_dev *dev, const char *fw_name)
+--- a/drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h
++++ b/drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h
+@@ -263,11 +263,9 @@ int mt7925_mcu_set_beacon_filter(struct
+ struct ieee80211_vif *vif,
+ bool enable);
+ int mt7925_mcu_uni_tx_ba(struct mt792x_dev *dev,
+- struct ieee80211_vif *vif,
+ struct ieee80211_ampdu_params *params,
+ bool enable);
+ int mt7925_mcu_uni_rx_ba(struct mt792x_dev *dev,
+- struct ieee80211_vif *vif,
+ struct ieee80211_ampdu_params *params,
+ bool enable);
+ void mt7925_scan_work(struct work_struct *work);
--- /dev/null
+From 040492ac2578b66d3ff4dcefb4f56811634de53d Mon Sep 17 00:00:00 2001
+From: "Ewan D. Milne" <emilne@redhat.com>
+Date: Mon, 17 Mar 2025 12:37:31 -0400
+Subject: scsi: lpfc: Restore clearing of NLP_UNREG_INP in ndlp->nlp_flag
+
+From: Ewan D. Milne <emilne@redhat.com>
+
+commit 040492ac2578b66d3ff4dcefb4f56811634de53d upstream.
+
+Commit 32566a6f1ae5 ("scsi: lpfc: Remove NLP_RELEASE_RPI flag from nodelist
+structure") introduced a regression with SLI-3 adapters (e.g. LPe12000 8Gb)
+where a Link Down / Link Up such as caused by disabling an host FC switch
+port would result in the devices remaining in the transport-offline state
+and multipath reporting them as failed. This problem was not seen with
+newer SLI-4 adapters.
+
+The problem was caused by portions of the patch which removed the functions
+__lpfc_sli_rpi_release() and lpfc_sli_rpi_release() and all their callers.
+This was presumably because with the removal of the NLP_RELEASE_RPI flag
+there was no need to free the rpi.
+
+However, __lpfc_sli_rpi_release() and lpfc_sli_rpi_release() which calls it
+reset the NLP_UNREG_INP flag. And, lpfc_sli_def_mbox_cmpl() has a path
+where __lpfc_sli_rpi_release() was called in a particular case where
+NLP_UNREG_INP was not otherwise cleared because of other conditions.
+
+Restoring the else clause of this conditional and simply clearing the
+NLP_UNREG_INP flag appears to resolve the problem with SLI-3 adapters. It
+should be noted that the code path in question is not specific to SLI-3,
+but there are other SLI-4 code paths which may have masked the issue.
+
+Fixes: 32566a6f1ae5 ("scsi: lpfc: Remove NLP_RELEASE_RPI flag from nodelist structure")
+Cc: stable@vger.kernel.org
+Tested-by: Marco Patalano <mpatalan@redhat.com>
+Signed-off-by: Ewan D. Milne <emilne@redhat.com>
+Link: https://lore.kernel.org/r/20250317163731.356873-1-emilne@redhat.com
+Reviewed-by: Justin Tee <justin.tee@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/lpfc/lpfc_sli.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/lpfc/lpfc_sli.c
++++ b/drivers/scsi/lpfc/lpfc_sli.c
+@@ -2923,6 +2923,8 @@ lpfc_sli_def_mbox_cmpl(struct lpfc_hba *
+ clear_bit(NLP_UNREG_INP, &ndlp->nlp_flag);
+ ndlp->nlp_defer_did = NLP_EVT_NOTHING_PENDING;
+ lpfc_issue_els_plogi(vport, ndlp->nlp_DID, 0);
++ } else {
++ clear_bit(NLP_UNREG_INP, &ndlp->nlp_flag);
+ }
+
+ /* The unreg_login mailbox is complete and had a
hid-pidff-compute-infinite-value-instead-of-using-ha.patch
hid-pidff-fix-90-degrees-direction-name-north-east.patch
hid-pidff-fix-set_device_control.patch
+auxdisplay-hd44780-fix-an-api-misuse-in-hd44780.c.patch
+dt-bindings-media-st-stmipid02-correct-lane-polarities-maxitems.patch
+media-mediatek-vcodec-fix-a-resource-leak-related-to-the-scp-device-in-fw-initialization.patch
+media-mtk-vcodec-venc-avoid-wenum-compare-conditional-warning.patch
+media-uapi-rkisp1-config-fix-typo-in-extensible-params-example.patch
+media-mgb4-fix-cmt-registers-update-logic.patch
+media-i2c-adv748x-fix-test-pattern-selection-mask.patch
+media-mgb4-fix-switched-cmt-frequency-range-magic-values-sets.patch
+media-intel-ipu6-set-the-dev_parent-of-video-device-to-pdev.patch
+media-venus-hfi-add-a-check-to-handle-oob-in-sfr-region.patch
+media-venus-hfi-add-check-to-handle-incorrect-queue-size.patch
+media-vim2m-print-device-name-after-registering-device.patch
+media-siano-fix-error-handling-in-smsdvb_module_init.patch
+media-rockchip-rga-fix-rga-offset-lookup.patch
+xenfs-xensyms-respect-hypervisor-s-next-indication.patch
+kvm-arm64-pmu-set-raw-values-from-user-to-pm-c-i-nten-set-clr-pmovs-set-clr.patch
+arm64-cputype-add-midr_cortex_a76ae.patch
+arm64-errata-add-qcom_kryo_4xx_gold-to-the-spectre_bhb_k24_list.patch
+arm64-errata-assume-that-unknown-cpus-_are_-vulnerable-to-spectre-bhb.patch
+arm64-errata-add-kryo-2xx-3xx-4xx-silver-cores-to-spectre-bhb-safe-list.patch
+kvm-arm64-tear-down-vgic-on-failed-vcpu-creation.patch
+kvm-arm64-set-hcr_el2.tid1-unconditionally.patch
+spi-cadence-qspi-fix-probe-on-am62a-lp-sk.patch
+mtd-rawnand-brcmnand-fix-pm-resume-warning.patch
+tpm-tpm_tis-fix-timeout-handling-when-waiting-for-tpm-status.patch
+accel-ivpu-fix-pm-related-deadlocks-in-ms-ioctls.patch
+media-ov08x40-properly-turn-sensor-on-off-when-runtime-suspended.patch
+media-streamzap-prevent-processing-ir-data-on-urb-failure.patch
+media-hi556-fix-memory-leak-on-error-in-hi556_check_hwcfg.patch
+media-visl-fix-erange-error-when-setting-enum-controls.patch
+media-platform-stm32-add-check-for-clk_enable.patch
+media-xilinx-tpg-fix-double-put-in-xtpg_parse_of.patch
+media-imx219-adjust-pll-settings-based-on-the-number-of-mipi-lanes.patch
+media-v4l2-dv-timings-prevent-possible-overflow-in-v4l2_detect_gtf.patch
+revert-media-imx214-fix-the-error-handling-in-imx214_probe.patch
+media-i2c-ccs-set-the-device-s-runtime-pm-status-correctly-in-remove.patch
+media-i2c-ccs-set-the-device-s-runtime-pm-status-correctly-in-probe.patch
+media-i2c-ov7251-set-enable-gpio-low-in-probe.patch
+media-i2c-ov7251-introduce-1-ms-delay-between-regulators-and-en-gpio.patch
+media-nuvoton-fix-reference-handling-of-ece_node.patch
+media-nuvoton-fix-reference-handling-of-ece_pdev.patch
+media-venus-hfi_parser-add-check-to-avoid-out-of-bound-access.patch
+media-venus-hfi_parser-refactor-hfi-packet-parsing-logic.patch
+media-i2c-imx319-rectify-runtime-pm-handling-probe-and-remove.patch
+media-i2c-imx219-rectify-runtime-pm-handling-in-probe-and-remove.patch
+media-i2c-imx214-rectify-probe-error-handling-related-to-runtime-pm.patch
+media-chips-media-wave5-fix-gray-color-on-screen.patch
+media-chips-media-wave5-avoid-race-condition-in-the-interrupt-handler.patch
+media-chips-media-wave5-fix-a-hang-after-seeking.patch
+media-chips-media-wave5-fix-timeout-while-testing-10bit-hevc-fluster.patch
+irqchip-renesas-rzv2h-fix-wrong-variable-usage-in-rzv2h_tint_set_type.patch
+gve-unlink-old-napi-only-if-page-pool-exists.patch
+mptcp-sockopt-fix-getting-ipv6_v6only.patch
+mptcp-sockopt-fix-getting-freebind-transparent.patch
+block-make-sure-nr_integrity_segments-is-cloned-in-blk_rq_prep_clone.patch
+mtd-add-check-for-devm_kcalloc.patch
+net-dsa-mv88e6xxx-workaround-rgmii-transmit-delay-erratum-for-6320-family.patch
+net-dsa-mv88e6xxx-fix-internal-phys-for-6320-family.patch
+mtd-replace-kcalloc-with-devm_kcalloc.patch
+clocksource-drivers-stm32-lptimer-use-wakeup-capable-instead-of-init-wakeup.patch
+revert-wifi-mt76-mt7925-update-mt7925_mcu_uni__ba-for-mlo.patch
+wifi-mt76-add-check-for-devm_kstrdup.patch
+wifi-mt76-mt792x-re-register-chanctx_sta_csa-only-for-the-mt7921-series.patch
+wifi-mac80211-fix-integer-overflow-in-hwmp_route_info_get.patch
+wifi-mt76-mt7925-ensure-wow-pattern-command-align-fw-format.patch
+wifi-mt76-mt7925-fix-country-count-limitation-for-clc.patch
+wifi-mt76-mt7925-fix-the-wrong-link_idx-when-a-p2p_device-is-present.patch
+wifi-mt76-mt7925-fix-the-wrong-simultaneous-cap-for-mlo.patch
+wifi-mt76-mt7925-adjust-rm-bss-flow-to-prevent-next-connection-failure.patch
+wifi-mt76-mt7925-integrate-mlo_sta_cmd-and-sta_cmd.patch
+wifi-mt76-mt7925-update-the-power-saving-flow.patch
+scsi-lpfc-restore-clearing-of-nlp_unreg_inp-in-ndlp-nlp_flag.patch
+net-stmmac-fix-accessing-freed-irq-affinity_hint.patch
+io_uring-net-fix-accept-multishot-handling.patch
+io_uring-net-fix-io_req_post_cqe-abuse-by-send-bundle.patch
+io_uring-kbuf-reject-zero-sized-provided-buffers.patch
+asoc-codecs-wcd937x-fix-a-potential-memory-leak-in-wcd937x_soc_codec_probe.patch
+asoc-q6apm-add-q6apm_get_hw_pointer-helper.patch
+asoc-q6apm-dai-schedule-all-available-frames-to-avoid-dsp-under-runs.patch
+asoc-q6apm-dai-make-use-of-q6apm_get_hw_pointer.patch
+asoc-qdsp6-q6apm-dai-set-10-ms-period-and-buffer-alignment.patch
+asoc-qdsp6-q6apm-dai-fix-capture-pipeline-overruns.patch
+asoc-qdsp6-q6asm-dai-fix-q6asm_dai_compr_set_params-error-path.patch
+alsa-hda-realtek-enable-mute-led-on-hp-omen-16-laptop-xd000xx.patch
+accel-ivpu-fix-warning-in-ivpu_ipc_send_receive_internal.patch
+accel-ivpu-fix-deadlock-in-ivpu_ms_cleanup.patch
+arm-crc-t10dif-fix-use-of-out-of-scope-array-in-crc_t10dif_arch.patch
+arm64-crc-t10dif-fix-use-of-out-of-scope-array-in-crc_t10dif_arch.patch
+bus-mhi-host-fix-race-between-unprepare-and-queue_buf.patch
+ext4-fix-off-by-one-error-in-do_split.patch
+f2fs-fix-the-missing-write-pointer-correction.patch
+f2fs-fix-to-avoid-atomicity-corruption-of-atomic-file.patch
+vdpa-mlx5-fix-oversized-null-mkey-longer-than-32bit.patch
+udf-fix-inode_getblk-return-value.patch
+tpm-do-not-start-chip-while-suspended.patch
+svcrdma-do-not-unregister-device-for-listeners.patch
+soc-samsung-exynos-chipid-add-null-pointer-check-in-exynos_chipid_probe.patch
+smb311-client-fix-missing-tcon-check-when-mounting-with-linux-posix-extensions.patch
--- /dev/null
+From b365b9d404b7376c60c91cd079218bfef11b7822 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Sun, 6 Apr 2025 14:09:19 -0500
+Subject: smb311 client: fix missing tcon check when mounting with linux/posix extensions
+
+From: Steve French <stfrench@microsoft.com>
+
+commit b365b9d404b7376c60c91cd079218bfef11b7822 upstream.
+
+When mounting the same share twice, once with the "linux" mount parameter
+(or equivalently "posix") and then once without (or e.g. with "nolinux"),
+we were incorrectly reusing the same tree connection for both mounts.
+This meant that the first mount of the share on the client, would
+cause subsequent mounts of that same share on the same client to
+ignore that mount parm ("linux" vs. "nolinux") and incorrectly reuse
+the same tcon.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/connect.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/smb/client/connect.c
++++ b/fs/smb/client/connect.c
+@@ -2455,6 +2455,8 @@ static int match_tcon(struct cifs_tcon *
+ return 0;
+ if (tcon->nodelete != ctx->nodelete)
+ return 0;
++ if (tcon->posix_extensions != ctx->linux_ext)
++ return 0;
+ return 1;
+ }
+
--- /dev/null
+From c8222ef6cf29dd7cad21643228f96535cc02b327 Mon Sep 17 00:00:00 2001
+From: Chenyuan Yang <chenyuan0y@gmail.com>
+Date: Wed, 12 Feb 2025 15:35:18 -0600
+Subject: soc: samsung: exynos-chipid: Add NULL pointer check in exynos_chipid_probe()
+
+From: Chenyuan Yang <chenyuan0y@gmail.com>
+
+commit c8222ef6cf29dd7cad21643228f96535cc02b327 upstream.
+
+soc_dev_attr->revision could be NULL, thus,
+a pointer check is added to prevent potential NULL pointer dereference.
+This is similar to the fix in commit 3027e7b15b02
+("ice: Fix some null pointer dereference issues in ice_ptp.c").
+
+This issue is found by our static analysis tool.
+
+Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com>
+Link: https://lore.kernel.org/r/20250212213518.69432-1-chenyuan0y@gmail.com
+Fixes: 3253b7b7cd44 ("soc: samsung: Add exynos chipid driver support")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/samsung/exynos-chipid.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/soc/samsung/exynos-chipid.c
++++ b/drivers/soc/samsung/exynos-chipid.c
+@@ -134,6 +134,8 @@ static int exynos_chipid_probe(struct pl
+
+ soc_dev_attr->revision = devm_kasprintf(&pdev->dev, GFP_KERNEL,
+ "%x", soc_info.revision);
++ if (!soc_dev_attr->revision)
++ return -ENOMEM;
+ soc_dev_attr->soc_id = product_id_to_soc_id(soc_info.product_id);
+ if (!soc_dev_attr->soc_id) {
+ pr_err("Unknown SoC\n");
--- /dev/null
+From b8665a1b49f5498edb7b21d730030c06b7348a3c Mon Sep 17 00:00:00 2001
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+Date: Wed, 5 Mar 2025 21:09:32 +0100
+Subject: spi: cadence-qspi: Fix probe on AM62A LP SK
+
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+
+commit b8665a1b49f5498edb7b21d730030c06b7348a3c upstream.
+
+In 2020, there's been an unnoticed change which rightfully attempted to
+report probe deferrals upon DMA absence by checking the return value of
+dma_request_chan_by_mask(). By doing so, it also reported errors which
+were simply ignored otherwise, likely on purpose.
+
+This change actually turned a void return into an error code. Hence, not
+only the -EPROBE_DEFER error codes but all error codes got reported to
+the callers, now failing to probe in the absence of Rx DMA channel,
+despite the fact that DMA seems to not be supported natively by many
+implementations.
+
+Looking at the history, this change probably led to:
+ad2775dc3fc5 ("spi: cadence-quadspi: Disable the DAC for Intel LGM SoC")
+f724c296f2f2 ("spi: cadence-quadspi: fix Direct Access Mode disable for SoCFPGA")
+
+In my case, the AM62A LP SK core octo-SPI node from TI does not
+advertise any DMA channel, hinting that there is likely no support for
+it, but yet when the support for the am654 compatible was added, DMA
+seemed to be used, so just discarding its use with the
+CQSPI_DISABLE_DAC_MODE quirk for this compatible does not seem the
+correct approach.
+
+Let's get change the return condition back to:
+- return a probe deferral error if we get one
+- ignore the return value otherwise
+The "error" log level was however likely too high for something that is
+expected to fail, so let's lower it arbitrarily to the info level.
+
+Fixes: 935da5e5100f ("mtd: spi-nor: cadence-quadspi: Handle probe deferral while requesting DMA channel")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://patch.msgid.link/20250305200933.2512925-2-miquel.raynal@bootlin.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-cadence-quadspi.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/spi/spi-cadence-quadspi.c
++++ b/drivers/spi/spi-cadence-quadspi.c
+@@ -1658,6 +1658,12 @@ static int cqspi_request_mmap_dma(struct
+ int ret = PTR_ERR(cqspi->rx_chan);
+
+ cqspi->rx_chan = NULL;
++ if (ret == -ENODEV) {
++ /* DMA support is not mandatory */
++ dev_info(&cqspi->pdev->dev, "No Rx DMA available\n");
++ return 0;
++ }
++
+ return dev_err_probe(&cqspi->pdev->dev, ret, "No Rx DMA available\n");
+ }
+ init_completion(&cqspi->rx_dma_complete);
--- /dev/null
+From 750037aa0a9f28d84df3dcf319a28423d69092fd Mon Sep 17 00:00:00 2001
+From: Olga Kornievskaia <okorniev@redhat.com>
+Date: Thu, 6 Feb 2025 13:15:34 -0500
+Subject: svcrdma: do not unregister device for listeners
+
+From: Olga Kornievskaia <okorniev@redhat.com>
+
+commit 750037aa0a9f28d84df3dcf319a28423d69092fd upstream.
+
+On an rdma-capable machine, a start/stop/start and then on a stop of
+a knfsd server would lead kref underflow warning because svc_rdma_free
+would indiscriminately unregister the rdma device but a listening
+transport never calls the rdma_rn_register() thus leading to kref
+going down to 0 on the 1st stop of the server and on the 2nd stop
+it leads to a problem.
+
+Suggested-by: Chuck Lever <chuck.lever@oracle.com>
+Fixes: c4de97f7c454 ("svcrdma: Handle device removal outside of the CM event handler")
+Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sunrpc/xprtrdma/svc_rdma_transport.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sunrpc/xprtrdma/svc_rdma_transport.c
++++ b/net/sunrpc/xprtrdma/svc_rdma_transport.c
+@@ -621,7 +621,8 @@ static void __svc_rdma_free(struct work_
+ /* Destroy the CM ID */
+ rdma_destroy_id(rdma->sc_cm_id);
+
+- rpcrdma_rn_unregister(device, &rdma->sc_rn);
++ if (!test_bit(XPT_LISTENER, &rdma->sc_xprt.xpt_flags))
++ rpcrdma_rn_unregister(device, &rdma->sc_rn);
+ kfree(rdma);
+ }
+
--- /dev/null
+From 17d253af4c2c8a2acf84bb55a0c2045f150b7dfd Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Date: Fri, 7 Feb 2025 15:07:46 -0300
+Subject: tpm: do not start chip while suspended
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+commit 17d253af4c2c8a2acf84bb55a0c2045f150b7dfd upstream.
+
+Checking TPM_CHIP_FLAG_SUSPENDED after the call to tpm_find_get_ops() can
+lead to a spurious tpm_chip_start() call:
+
+[35985.503771] i2c i2c-1: Transfer while suspended
+[35985.503796] WARNING: CPU: 0 PID: 74 at drivers/i2c/i2c-core.h:56 __i2c_transfer+0xbe/0x810
+[35985.503802] Modules linked in:
+[35985.503808] CPU: 0 UID: 0 PID: 74 Comm: hwrng Tainted: G W 6.13.0-next-20250203-00005-gfa0cb5642941 #19 9c3d7f78192f2d38e32010ac9c90fdc71109ef6f
+[35985.503814] Tainted: [W]=WARN
+[35985.503817] Hardware name: Google Morphius/Morphius, BIOS Google_Morphius.13434.858.0 10/26/2023
+[35985.503819] RIP: 0010:__i2c_transfer+0xbe/0x810
+[35985.503825] Code: 30 01 00 00 4c 89 f7 e8 40 fe d8 ff 48 8b 93 80 01 00 00 48 85 d2 75 03 49 8b 16 48 c7 c7 0a fb 7c a7 48 89 c6 e8 32 ad b0 fe <0f> 0b b8 94 ff ff ff e9 33 04 00 00 be 02 00 00 00 83 fd 02 0f 5
+[35985.503828] RSP: 0018:ffffa106c0333d30 EFLAGS: 00010246
+[35985.503833] RAX: 074ba64aa20f7000 RBX: ffff8aa4c1167120 RCX: 0000000000000000
+[35985.503836] RDX: 0000000000000000 RSI: ffffffffa77ab0e4 RDI: 0000000000000001
+[35985.503838] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
+[35985.503841] R10: 0000000000000004 R11: 00000001000313d5 R12: ffff8aa4c10f1820
+[35985.503843] R13: ffff8aa4c0e243c0 R14: ffff8aa4c1167250 R15: ffff8aa4c1167120
+[35985.503846] FS: 0000000000000000(0000) GS:ffff8aa4eae00000(0000) knlGS:0000000000000000
+[35985.503849] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[35985.503852] CR2: 00007fab0aaf1000 CR3: 0000000105328000 CR4: 00000000003506f0
+[35985.503855] Call Trace:
+[35985.503859] <TASK>
+[35985.503863] ? __warn+0xd4/0x260
+[35985.503868] ? __i2c_transfer+0xbe/0x810
+[35985.503874] ? report_bug+0xf3/0x210
+[35985.503882] ? handle_bug+0x63/0xb0
+[35985.503887] ? exc_invalid_op+0x16/0x50
+[35985.503892] ? asm_exc_invalid_op+0x16/0x20
+[35985.503904] ? __i2c_transfer+0xbe/0x810
+[35985.503913] tpm_cr50_i2c_transfer_message+0x24/0xf0
+[35985.503920] tpm_cr50_i2c_read+0x8e/0x120
+[35985.503928] tpm_cr50_request_locality+0x75/0x170
+[35985.503935] tpm_chip_start+0x116/0x160
+[35985.503942] tpm_try_get_ops+0x57/0x90
+[35985.503948] tpm_find_get_ops+0x26/0xd0
+[35985.503955] tpm_get_random+0x2d/0x80
+
+Don't move forward with tpm_chip_start() inside tpm_try_get_ops(), unless
+TPM_CHIP_FLAG_SUSPENDED is not set. tpm_find_get_ops() will return NULL in
+such a failure case.
+
+Fixes: 9265fed6db60 ("tpm: Lock TPM chip in tpm_pm_suspend() first")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Cc: stable@vger.kernel.org
+Cc: Jerry Snitselaar <jsnitsel@redhat.com>
+Cc: Mike Seo <mikeseohyungjin@gmail.com>
+Cc: Jarkko Sakkinen <jarkko@kernel.org>
+Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/tpm/tpm-chip.c | 5 +++++
+ drivers/char/tpm/tpm-interface.c | 7 -------
+ 2 files changed, 5 insertions(+), 7 deletions(-)
+
+--- a/drivers/char/tpm/tpm-chip.c
++++ b/drivers/char/tpm/tpm-chip.c
+@@ -168,6 +168,11 @@ int tpm_try_get_ops(struct tpm_chip *chi
+ goto out_ops;
+
+ mutex_lock(&chip->tpm_mutex);
++
++ /* tmp_chip_start may issue IO that is denied while suspended */
++ if (chip->flags & TPM_CHIP_FLAG_SUSPENDED)
++ goto out_lock;
++
+ rc = tpm_chip_start(chip);
+ if (rc)
+ goto out_lock;
+--- a/drivers/char/tpm/tpm-interface.c
++++ b/drivers/char/tpm/tpm-interface.c
+@@ -445,18 +445,11 @@ int tpm_get_random(struct tpm_chip *chip
+ if (!chip)
+ return -ENODEV;
+
+- /* Give back zero bytes, as TPM chip has not yet fully resumed: */
+- if (chip->flags & TPM_CHIP_FLAG_SUSPENDED) {
+- rc = 0;
+- goto out;
+- }
+-
+ if (chip->flags & TPM_CHIP_FLAG_TPM2)
+ rc = tpm2_get_random(chip, out, max);
+ else
+ rc = tpm1_get_random(chip, out, max);
+
+-out:
+ tpm_put_ops(chip);
+ return rc;
+ }
--- /dev/null
+From 7146dffa875cd00e7a7f918e1fce79c7593ac1fa Mon Sep 17 00:00:00 2001
+From: Jonathan McDowell <noodles@meta.com>
+Date: Wed, 12 Mar 2025 07:31:57 +0200
+Subject: tpm, tpm_tis: Fix timeout handling when waiting for TPM status
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jonathan McDowell <noodles@meta.com>
+
+commit 7146dffa875cd00e7a7f918e1fce79c7593ac1fa upstream.
+
+The change to only use interrupts to handle supported status changes
+introduced an issue when it is necessary to poll for the status. Rather
+than checking for the status after sleeping the code now sleeps after
+the check. This means a correct, but slower, status change on the part
+of the TPM can be missed, resulting in a spurious timeout error,
+especially on a more loaded system. Switch back to sleeping *then*
+checking. An up front check of the status has been done at the start of
+the function, so this does not cause an additional delay when the status
+is already what we're looking for.
+
+Cc: stable@vger.kernel.org # v6.4+
+Fixes: e87fcf0dc2b4 ("tpm, tpm_tis: Only handle supported interrupts")
+Signed-off-by: Jonathan McDowell <noodles@meta.com>
+Reviewed-by: Michal Suchánek <msuchanek@suse.de>
+Reviewed-by: Lino Sanfilippo <l.sanfilippo@kunbus.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/tpm/tpm_tis_core.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/char/tpm/tpm_tis_core.c
++++ b/drivers/char/tpm/tpm_tis_core.c
+@@ -114,11 +114,10 @@ again:
+ return 0;
+ /* process status changes without irq support */
+ do {
++ usleep_range(priv->timeout_min, priv->timeout_max);
+ status = chip->ops->status(chip);
+ if ((status & mask) == mask)
+ return 0;
+- usleep_range(priv->timeout_min,
+- priv->timeout_max);
+ } while (time_before(jiffies, stop));
+ return -ETIME;
+ }
--- /dev/null
+From 6afdc60ec30b0a9390d11b7cebed79c857ce82aa Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 12 Mar 2025 16:18:39 +0100
+Subject: udf: Fix inode_getblk() return value
+
+From: Jan Kara <jack@suse.cz>
+
+commit 6afdc60ec30b0a9390d11b7cebed79c857ce82aa upstream.
+
+Smatch noticed that inode_getblk() can return 1 on successful mapping of
+a block instead of expected 0 after commit b405c1e58b73 ("udf: refactor
+udf_next_aext() to handle error"). This could confuse some of the
+callers and lead to strange failures (although the one reported by
+Smatch in udf_mkdir() is impossible to trigger in practice). Fix the
+return value of inode_getblk().
+
+Link: https://lore.kernel.org/all/cb514af7-bbe0-435b-934f-dd1d7a16d2cd@stanley.mountain
+Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
+Fixes: b405c1e58b73 ("udf: refactor udf_next_aext() to handle error")
+CC: stable@vger.kernel.org
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/udf/inode.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -810,6 +810,7 @@ static int inode_getblk(struct inode *in
+ }
+ map->oflags = UDF_BLK_MAPPED;
+ map->pblk = udf_get_lb_pblock(inode->i_sb, &eloc, offset);
++ ret = 0;
+ goto out_free;
+ }
+
--- /dev/null
+From a6097e0a54a5c24f8d577ffecbc35289ae281c2e Mon Sep 17 00:00:00 2001
+From: Si-Wei Liu <si-wei.liu@oracle.com>
+Date: Thu, 20 Feb 2025 21:37:33 +0200
+Subject: vdpa/mlx5: Fix oversized null mkey longer than 32bit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Si-Wei Liu <si-wei.liu@oracle.com>
+
+commit a6097e0a54a5c24f8d577ffecbc35289ae281c2e upstream.
+
+create_user_mr() has correct code to count the number of null keys
+used to fill in a hole for the memory map. However, fill_indir()
+does not follow the same to cap the range up to the 1GB limit
+correspondingly. Fill in more null keys for the gaps in between,
+so that null keys are correctly populated.
+
+Fixes: 94abbccdf291 ("vdpa/mlx5: Add shared memory registration code")
+Cc: stable@vger.kernel.org
+Reported-by: Cong Meng <cong.meng@oracle.com>
+Signed-off-by: Si-Wei Liu <si-wei.liu@oracle.com>
+Signed-off-by: Dragos Tatulea <dtatulea@nvidia.com>
+Acked-by: Eugenio Pérez <eperezma@redhat.com>
+Message-Id: <20250220193732.521462-2-dtatulea@nvidia.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vdpa/mlx5/core/mr.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/vdpa/mlx5/core/mr.c
++++ b/drivers/vdpa/mlx5/core/mr.c
+@@ -190,9 +190,12 @@ again:
+ klm->bcount = cpu_to_be32(klm_bcount(dmr->end - dmr->start));
+ preve = dmr->end;
+ } else {
++ u64 bcount = min_t(u64, dmr->start - preve, MAX_KLM_SIZE);
++
+ klm->key = cpu_to_be32(mvdev->res.null_mkey);
+- klm->bcount = cpu_to_be32(klm_bcount(dmr->start - preve));
+- preve = dmr->start;
++ klm->bcount = cpu_to_be32(klm_bcount(bcount));
++ preve += bcount;
++
+ goto again;
+ }
+ }
--- /dev/null
+From d00c0c4105e5ab8a6a13ed23d701cceb285761fa Mon Sep 17 00:00:00 2001
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+Date: Wed, 12 Feb 2025 08:21:25 +0000
+Subject: wifi: mac80211: fix integer overflow in hwmp_route_info_get()
+
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+
+commit d00c0c4105e5ab8a6a13ed23d701cceb285761fa upstream.
+
+Since the new_metric and last_hop_metric variables can reach
+the MAX_METRIC(0xffffffff) value, an integer overflow may occur
+when multiplying them by 10/9. It can lead to incorrect behavior.
+
+Found by InfoTeCS on behalf of Linux Verification Center
+(linuxtesting.org) with SVACE.
+
+Fixes: a8d418d9ac25 ("mac80211: mesh: only switch path when new metric is at least 10% better")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ilia Gavrilov <Ilia.Gavrilov@infotecs.ru>
+Link: https://patch.msgid.link/20250212082124.4078236-1-Ilia.Gavrilov@infotecs.ru
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/mesh_hwmp.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/net/mac80211/mesh_hwmp.c
++++ b/net/mac80211/mesh_hwmp.c
+@@ -367,6 +367,12 @@ u32 airtime_link_metric_get(struct ieee8
+ return (u32)result;
+ }
+
++/* Check that the first metric is at least 10% better than the second one */
++static bool is_metric_better(u32 x, u32 y)
++{
++ return (x < y) && (x < (y - x / 10));
++}
++
+ /**
+ * hwmp_route_info_get - Update routing info to originator and transmitter
+ *
+@@ -458,8 +464,8 @@ static u32 hwmp_route_info_get(struct ie
+ (mpath->sn == orig_sn &&
+ (rcu_access_pointer(mpath->next_hop) !=
+ sta ?
+- mult_frac(new_metric, 10, 9) :
+- new_metric) >= mpath->metric)) {
++ !is_metric_better(new_metric, mpath->metric) :
++ new_metric >= mpath->metric))) {
+ process = false;
+ fresh_info = false;
+ }
+@@ -533,8 +539,8 @@ static u32 hwmp_route_info_get(struct ie
+ if ((mpath->flags & MESH_PATH_FIXED) ||
+ ((mpath->flags & MESH_PATH_ACTIVE) &&
+ ((rcu_access_pointer(mpath->next_hop) != sta ?
+- mult_frac(last_hop_metric, 10, 9) :
+- last_hop_metric) > mpath->metric)))
++ !is_metric_better(last_hop_metric, mpath->metric) :
++ last_hop_metric > mpath->metric))))
+ fresh_info = false;
+ } else {
+ mpath = mesh_path_add(sdata, ta);
--- /dev/null
+From 4bc1da524b502999da28d287de4286c986a1af57 Mon Sep 17 00:00:00 2001
+From: Haoxiang Li <haoxiang_li2024@163.com>
+Date: Wed, 19 Feb 2025 11:36:45 +0800
+Subject: wifi: mt76: Add check for devm_kstrdup()
+
+From: Haoxiang Li <haoxiang_li2024@163.com>
+
+commit 4bc1da524b502999da28d287de4286c986a1af57 upstream.
+
+Add check for the return value of devm_kstrdup() in
+mt76_get_of_data_from_mtd() to catch potential exception.
+
+Fixes: e7a6a044f9b9 ("mt76: testmode: move mtd part to mt76_dev")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
+Link: https://patch.msgid.link/20250219033645.2594753-1-haoxiang_li2024@163.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/eeprom.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/mediatek/mt76/eeprom.c
++++ b/drivers/net/wireless/mediatek/mt76/eeprom.c
+@@ -95,6 +95,10 @@ int mt76_get_of_data_from_mtd(struct mt7
+
+ #ifdef CONFIG_NL80211_TESTMODE
+ dev->test_mtd.name = devm_kstrdup(dev->dev, part, GFP_KERNEL);
++ if (!dev->test_mtd.name) {
++ ret = -ENOMEM;
++ goto out_put_node;
++ }
+ dev->test_mtd.offset = offset;
+ #endif
+
--- /dev/null
+From 0ebb60da8416c1d8e84c7e511a5687ce76a9467a Mon Sep 17 00:00:00 2001
+From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+Date: Tue, 4 Mar 2025 16:08:49 -0800
+Subject: wifi: mt76: mt7925: adjust rm BSS flow to prevent next connection failure
+
+From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+
+commit 0ebb60da8416c1d8e84c7e511a5687ce76a9467a upstream.
+
+Removing BSS without removing STAREC first will cause firmware
+abnormal and next connection fail.
+
+Fixes: 816161051a03 ("wifi: mt76: mt7925: Cleanup MLO settings post-disconnection")
+Cc: stable@vger.kernel.org
+Co-developed-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Tested-by: Caleb Jorden <cjorden@gmail.com>
+Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+Link: https://patch.msgid.link/20250305000851.493671-4-sean.wang@kernel.org
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7925/main.c | 66 +++++++++++------------
+ drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 56 +++++++++++++++++++
+ drivers/net/wireless/mediatek/mt76/mt7925/mcu.h | 2
+ 3 files changed, 91 insertions(+), 33 deletions(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
+@@ -1155,7 +1155,12 @@ static void mt7925_mac_link_sta_remove(s
+ struct mt792x_bss_conf *mconf;
+
+ mconf = mt792x_link_conf_to_mconf(link_conf);
+- mt792x_mac_link_bss_remove(dev, mconf, mlink);
++
++ if (ieee80211_vif_is_mld(vif))
++ mt792x_mac_link_bss_remove(dev, mconf, mlink);
++ else
++ mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, link_conf,
++ link_sta, false);
+ }
+
+ spin_lock_bh(&mdev->sta_poll_lock);
+@@ -1175,6 +1180,31 @@ mt7925_mac_sta_remove_links(struct mt792
+ struct mt76_wcid *wcid;
+ unsigned int link_id;
+
++ /* clean up bss before starec */
++ for_each_set_bit(link_id, &old_links, IEEE80211_MLD_MAX_NUM_LINKS) {
++ struct ieee80211_link_sta *link_sta;
++ struct ieee80211_bss_conf *link_conf;
++ struct mt792x_bss_conf *mconf;
++ struct mt792x_link_sta *mlink;
++
++ link_sta = mt792x_sta_to_link_sta(vif, sta, link_id);
++ if (!link_sta)
++ continue;
++
++ mlink = mt792x_sta_to_link(msta, link_id);
++ if (!mlink)
++ continue;
++
++ link_conf = mt792x_vif_to_bss_conf(vif, link_id);
++ if (!link_conf)
++ continue;
++
++ mconf = mt792x_link_conf_to_mconf(link_conf);
++
++ mt7925_mcu_add_bss_info(&dev->phy, mconf->mt76.ctx, link_conf,
++ link_sta, false);
++ }
++
+ for_each_set_bit(link_id, &old_links, IEEE80211_MLD_MAX_NUM_LINKS) {
+ struct ieee80211_link_sta *link_sta;
+ struct mt792x_link_sta *mlink;
+@@ -1212,44 +1242,14 @@ void mt7925_mac_sta_remove(struct mt76_d
+ {
+ struct mt792x_dev *dev = container_of(mdev, struct mt792x_dev, mt76);
+ struct mt792x_sta *msta = (struct mt792x_sta *)sta->drv_priv;
+- struct {
+- struct {
+- u8 omac_idx;
+- u8 band_idx;
+- __le16 pad;
+- } __packed hdr;
+- struct req_tlv {
+- __le16 tag;
+- __le16 len;
+- u8 active;
+- u8 link_idx; /* hw link idx */
+- u8 omac_addr[ETH_ALEN];
+- } __packed tlv;
+- } dev_req = {
+- .hdr = {
+- .omac_idx = 0,
+- .band_idx = 0,
+- },
+- .tlv = {
+- .tag = cpu_to_le16(DEV_INFO_ACTIVE),
+- .len = cpu_to_le16(sizeof(struct req_tlv)),
+- .active = true,
+- },
+- };
+ unsigned long rem;
+
+ rem = ieee80211_vif_is_mld(vif) ? msta->valid_links : BIT(0);
+
+ mt7925_mac_sta_remove_links(dev, vif, sta, rem);
+
+- if (ieee80211_vif_is_mld(vif)) {
+- mt7925_mcu_set_dbdc(&dev->mphy, false);
+-
+- /* recovery omac address for the legacy interface */
+- memcpy(dev_req.tlv.omac_addr, vif->addr, ETH_ALEN);
+- mt76_mcu_send_msg(mdev, MCU_UNI_CMD(DEV_INFO_UPDATE),
+- &dev_req, sizeof(dev_req), true);
+- }
++ if (ieee80211_vif_is_mld(vif))
++ mt7925_mcu_del_dev(mdev, vif);
+
+ if (vif->type == NL80211_IFTYPE_STATION) {
+ struct mt792x_vif *mvif = (struct mt792x_vif *)vif->drv_priv;
+--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
+@@ -2636,6 +2636,62 @@ int mt7925_mcu_set_timing(struct mt792x_
+ MCU_UNI_CMD(BSS_INFO_UPDATE), true);
+ }
+
++void mt7925_mcu_del_dev(struct mt76_dev *mdev,
++ struct ieee80211_vif *vif)
++{
++ struct mt76_vif_link *mvif = (struct mt76_vif_link *)vif->drv_priv;
++ struct {
++ struct {
++ u8 omac_idx;
++ u8 band_idx;
++ __le16 pad;
++ } __packed hdr;
++ struct req_tlv {
++ __le16 tag;
++ __le16 len;
++ u8 active;
++ u8 link_idx; /* hw link idx */
++ u8 omac_addr[ETH_ALEN];
++ } __packed tlv;
++ } dev_req = {
++ .tlv = {
++ .tag = cpu_to_le16(DEV_INFO_ACTIVE),
++ .len = cpu_to_le16(sizeof(struct req_tlv)),
++ .active = true,
++ },
++ };
++ struct {
++ struct {
++ u8 bss_idx;
++ u8 pad[3];
++ } __packed hdr;
++ struct mt76_connac_bss_basic_tlv basic;
++ } basic_req = {
++ .basic = {
++ .tag = cpu_to_le16(UNI_BSS_INFO_BASIC),
++ .len = cpu_to_le16(sizeof(struct mt76_connac_bss_basic_tlv)),
++ .active = true,
++ .conn_state = 1,
++ },
++ };
++
++ dev_req.hdr.omac_idx = mvif->omac_idx;
++ dev_req.hdr.band_idx = mvif->band_idx;
++
++ basic_req.hdr.bss_idx = mvif->idx;
++ basic_req.basic.omac_idx = mvif->omac_idx;
++ basic_req.basic.band_idx = mvif->band_idx;
++ basic_req.basic.link_idx = mvif->link_idx;
++
++ mt76_mcu_send_msg(mdev, MCU_UNI_CMD(BSS_INFO_UPDATE),
++ &basic_req, sizeof(basic_req), true);
++
++ /* recovery omac address for the legacy interface */
++ memcpy(dev_req.tlv.omac_addr, vif->addr, ETH_ALEN);
++ mt76_mcu_send_msg(mdev, MCU_UNI_CMD(DEV_INFO_UPDATE),
++ &dev_req, sizeof(dev_req), true);
++}
++
+ int mt7925_mcu_add_bss_info(struct mt792x_phy *phy,
+ struct ieee80211_chanctx_conf *ctx,
+ struct ieee80211_bss_conf *link_conf,
+--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.h
++++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.h
+@@ -627,6 +627,8 @@ int mt7925_mcu_sched_scan_req(struct mt7
+ int mt7925_mcu_sched_scan_enable(struct mt76_phy *phy,
+ struct ieee80211_vif *vif,
+ bool enable);
++void mt7925_mcu_del_dev(struct mt76_dev *mdev,
++ struct ieee80211_vif *vif);
+ int mt7925_mcu_add_bss_info(struct mt792x_phy *phy,
+ struct ieee80211_chanctx_conf *ctx,
+ struct ieee80211_bss_conf *link_conf,
--- /dev/null
+From 8ae45b1f699bbc27ea8647093f794f671e77410b Mon Sep 17 00:00:00 2001
+From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+Date: Thu, 16 Jan 2025 13:59:25 +0800
+Subject: wifi: mt76: mt7925: ensure wow pattern command align fw format
+
+From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+
+commit 8ae45b1f699bbc27ea8647093f794f671e77410b upstream.
+
+Align the format of "struct mt7925_wow_pattern_tlv" with
+firmware to ensure proper functionality.
+
+Cc: stable@vger.kernel.org
+Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
+Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+Link: https://patch.msgid.link/20250116055925.3856856-1-mingyen.hsieh@mediatek.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7925/mcu.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.h
++++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.h
+@@ -566,8 +566,8 @@ struct mt7925_wow_pattern_tlv {
+ u8 offset;
+ u8 mask[MT76_CONNAC_WOW_MASK_MAX_LEN];
+ u8 pattern[MT76_CONNAC_WOW_PATTEN_MAX_LEN];
+- u8 rsv[7];
+-} __packed;
++ u8 rsv[4];
++};
+
+ struct roc_acquire_tlv {
+ __le16 tag;
--- /dev/null
+From 6458d760a0c0afd2fda11e83ed3e1125a252432f Mon Sep 17 00:00:00 2001
+From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+Date: Thu, 16 Jan 2025 14:21:31 +0800
+Subject: wifi: mt76: mt7925: fix country count limitation for CLC
+
+From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+
+commit 6458d760a0c0afd2fda11e83ed3e1125a252432f upstream.
+
+Due to the increase in the number of power tables for 6Ghz on CLC,
+the variable nr_country is no longer sufficient to represent the
+total quantity. Therefore, we have switched to calculating the
+length of clc buf to obtain the correct power table.
+
+Cc: stable@vger.kernel.org
+Fixes: c948b5da6bbe ("wifi: mt76: mt7925: add Mediatek Wi-Fi7 driver for mt7925 chips")
+Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+Link: https://patch.msgid.link/20250116062131.3860198-1-mingyen.hsieh@mediatek.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
+@@ -3125,13 +3125,14 @@ __mt7925_mcu_set_clc(struct mt792x_dev *
+ .env = env_cap,
+ };
+ int ret, valid_cnt = 0;
+- u8 i, *pos;
++ u8 *pos, *last_pos;
+
+ if (!clc)
+ return 0;
+
+ pos = clc->data + sizeof(*seg) * clc->nr_seg;
+- for (i = 0; i < clc->nr_country; i++) {
++ last_pos = clc->data + le32_to_cpu(*(__le32 *)(clc->data + 4));
++ while (pos < last_pos) {
+ struct mt7925_clc_rule *rule = (struct mt7925_clc_rule *)pos;
+
+ pos += sizeof(*rule);
--- /dev/null
+From 4bada9b0a29c185d45cc9512509edd6069fbfa79 Mon Sep 17 00:00:00 2001
+From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+Date: Tue, 4 Mar 2025 16:08:47 -0800
+Subject: wifi: mt76: mt7925: fix the wrong link_idx when a p2p_device is present
+
+From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+
+commit 4bada9b0a29c185d45cc9512509edd6069fbfa79 upstream.
+
+When the p2p device and MLO station are running concurrently, the p2p device
+will occupy the wrong link_idx when the MLO secondary link is added.
+
+Fixes: 9e4c3a007f01 ("wifi: mt76: connac: Extend mt76_connac_mcu_uni_add_dev for MLO")
+Cc: stable@vger.kernel.org
+Co-developed-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Tested-by: Caleb Jorden <cjorden@gmail.com>
+Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+Link: https://patch.msgid.link/20250305000851.493671-2-sean.wang@kernel.org
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt76.h | 1 +
+ drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c | 4 ++--
+ drivers/net/wireless/mediatek/mt76/mt7925/main.c | 14 ++++++++++----
+ 3 files changed, 13 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt76.h
++++ b/drivers/net/wireless/mediatek/mt76/mt76.h
+@@ -769,6 +769,7 @@ struct mt76_testmode_data {
+
+ struct mt76_vif_link {
+ u8 idx;
++ u8 link_idx;
+ u8 omac_idx;
+ u8 band_idx;
+ u8 wmm_idx;
+--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
+@@ -1168,7 +1168,7 @@ int mt76_connac_mcu_uni_add_dev(struct m
+ .tag = cpu_to_le16(DEV_INFO_ACTIVE),
+ .len = cpu_to_le16(sizeof(struct req_tlv)),
+ .active = enable,
+- .link_idx = mvif->idx,
++ .link_idx = mvif->link_idx,
+ },
+ };
+ struct {
+@@ -1191,7 +1191,7 @@ int mt76_connac_mcu_uni_add_dev(struct m
+ .bmc_tx_wlan_idx = cpu_to_le16(wcid->idx),
+ .sta_idx = cpu_to_le16(wcid->idx),
+ .conn_state = 1,
+- .link_idx = mvif->idx,
++ .link_idx = mvif->link_idx,
+ },
+ };
+ int err, idx, cmd, len;
+--- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
+@@ -360,10 +360,15 @@ static int mt7925_mac_link_bss_add(struc
+ struct mt76_txq *mtxq;
+ int idx, ret = 0;
+
+- mconf->mt76.idx = __ffs64(~dev->mt76.vif_mask);
+- if (mconf->mt76.idx >= MT792x_MAX_INTERFACES) {
+- ret = -ENOSPC;
+- goto out;
++ if (vif->type == NL80211_IFTYPE_P2P_DEVICE) {
++ mconf->mt76.idx = MT792x_MAX_INTERFACES;
++ } else {
++ mconf->mt76.idx = __ffs64(~dev->mt76.vif_mask);
++
++ if (mconf->mt76.idx >= MT792x_MAX_INTERFACES) {
++ ret = -ENOSPC;
++ goto out;
++ }
+ }
+
+ mconf->mt76.omac_idx = ieee80211_vif_is_mld(vif) ?
+@@ -371,6 +376,7 @@ static int mt7925_mac_link_bss_add(struc
+ mconf->mt76.band_idx = 0xff;
+ mconf->mt76.wmm_idx = ieee80211_vif_is_mld(vif) ?
+ 0 : mconf->mt76.idx % MT76_CONNAC_MAX_WMM_SETS;
++ mconf->mt76.link_idx = hweight16(mvif->valid_links);
+
+ if (mvif->phy->mt76->chandef.chan->band != NL80211_BAND_2GHZ)
+ mconf->mt76.basic_rates_idx = MT792x_BASIC_RATES_TBL + 4;
--- /dev/null
+From 7dcea6fe33ee3d7cbb65baee0dd7adc76d1c9ddc Mon Sep 17 00:00:00 2001
+From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+Date: Tue, 4 Mar 2025 16:08:48 -0800
+Subject: wifi: mt76: mt7925: fix the wrong simultaneous cap for MLO
+
+From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+
+commit 7dcea6fe33ee3d7cbb65baee0dd7adc76d1c9ddc upstream.
+
+The mt7925 chip is only support a single radio, so the maximum
+number of simultaneous should be 0.
+
+Fixes: 86c051f2c418 ("wifi: mt76: mt7925: enabling MLO when the firmware supports it")
+Cc: stable@vger.kernel.org
+Co-developed-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Tested-by: Caleb Jorden <cjorden@gmail.com>
+Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+Link: https://patch.msgid.link/20250305000851.493671-3-sean.wang@kernel.org
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7925/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
+@@ -256,7 +256,7 @@ int mt7925_init_mlo_caps(struct mt792x_p
+
+ ext_capab[0].eml_capabilities = phy->eml_cap;
+ ext_capab[0].mld_capa_and_ops =
+- u16_encode_bits(1, IEEE80211_MLD_CAP_OP_MAX_SIMUL_LINKS);
++ u16_encode_bits(0, IEEE80211_MLD_CAP_OP_MAX_SIMUL_LINKS);
+
+ wiphy->flags |= WIPHY_FLAG_SUPPORTS_MLO;
+ wiphy->iftype_ext_capab = ext_capab;
--- /dev/null
+From cb1353ef34735ec1e5d9efa1fe966f05ff1dc1e1 Mon Sep 17 00:00:00 2001
+From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+Date: Tue, 4 Mar 2025 16:08:50 -0800
+Subject: wifi: mt76: mt7925: integrate *mlo_sta_cmd and *sta_cmd
+
+From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+
+commit cb1353ef34735ec1e5d9efa1fe966f05ff1dc1e1 upstream.
+
+Integrate *mlo_sta_cmd and *sta_cmd for the MLO firmware.
+
+Fixes: 86c051f2c418 ("wifi: mt76: mt7925: enabling MLO when the firmware supports it")
+Cc: stable@vger.kernel.org
+Co-developed-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Tested-by: Caleb Jorden <cjorden@gmail.com>
+Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+Link: https://patch.msgid.link/20250305000851.493671-5-sean.wang@kernel.org
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7925/mcu.c | 59 +-----------------------
+ 1 file changed, 4 insertions(+), 55 deletions(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
+@@ -1818,49 +1818,6 @@ mt7925_mcu_sta_mld_tlv(struct sk_buff *s
+ }
+ }
+
+-static int
+-mt7925_mcu_sta_cmd(struct mt76_phy *phy,
+- struct mt76_sta_cmd_info *info)
+-{
+- struct mt76_vif_link *mvif = (struct mt76_vif_link *)info->vif->drv_priv;
+- struct mt76_dev *dev = phy->dev;
+- struct sk_buff *skb;
+- int conn_state;
+-
+- skb = __mt76_connac_mcu_alloc_sta_req(dev, mvif, info->wcid,
+- MT7925_STA_UPDATE_MAX_SIZE);
+- if (IS_ERR(skb))
+- return PTR_ERR(skb);
+-
+- conn_state = info->enable ? CONN_STATE_PORT_SECURE :
+- CONN_STATE_DISCONNECT;
+- if (info->link_sta)
+- mt76_connac_mcu_sta_basic_tlv(dev, skb, info->link_conf,
+- info->link_sta,
+- conn_state, info->newly);
+- if (info->link_sta && info->enable) {
+- mt7925_mcu_sta_phy_tlv(skb, info->vif, info->link_sta);
+- mt7925_mcu_sta_ht_tlv(skb, info->link_sta);
+- mt7925_mcu_sta_vht_tlv(skb, info->link_sta);
+- mt76_connac_mcu_sta_uapsd(skb, info->vif, info->link_sta->sta);
+- mt7925_mcu_sta_amsdu_tlv(skb, info->vif, info->link_sta);
+- mt7925_mcu_sta_he_tlv(skb, info->link_sta);
+- mt7925_mcu_sta_he_6g_tlv(skb, info->link_sta);
+- mt7925_mcu_sta_eht_tlv(skb, info->link_sta);
+- mt7925_mcu_sta_rate_ctrl_tlv(skb, info->vif,
+- info->link_sta);
+- mt7925_mcu_sta_state_v2_tlv(phy, skb, info->link_sta,
+- info->vif, info->rcpi,
+- info->state);
+- mt7925_mcu_sta_mld_tlv(skb, info->vif, info->link_sta->sta);
+- }
+-
+- if (info->enable)
+- mt7925_mcu_sta_hdr_trans_tlv(skb, info->vif, info->link_sta);
+-
+- return mt76_mcu_skb_send_msg(dev, skb, info->cmd, true);
+-}
+-
+ static void
+ mt7925_mcu_sta_remove_tlv(struct sk_buff *skb)
+ {
+@@ -1873,8 +1830,8 @@ mt7925_mcu_sta_remove_tlv(struct sk_buff
+ }
+
+ static int
+-mt7925_mcu_mlo_sta_cmd(struct mt76_phy *phy,
+- struct mt76_sta_cmd_info *info)
++mt7925_mcu_sta_cmd(struct mt76_phy *phy,
++ struct mt76_sta_cmd_info *info)
+ {
+ struct mt792x_vif *mvif = (struct mt792x_vif *)info->vif->drv_priv;
+ struct mt76_dev *dev = phy->dev;
+@@ -1888,12 +1845,10 @@ mt7925_mcu_mlo_sta_cmd(struct mt76_phy *
+ if (IS_ERR(skb))
+ return PTR_ERR(skb);
+
+- if (info->enable)
++ if (info->enable && info->link_sta) {
+ mt76_connac_mcu_sta_basic_tlv(dev, skb, info->link_conf,
+ info->link_sta,
+ info->enable, info->newly);
+-
+- if (info->enable && info->link_sta) {
+ mt7925_mcu_sta_phy_tlv(skb, info->vif, info->link_sta);
+ mt7925_mcu_sta_ht_tlv(skb, info->link_sta);
+ mt7925_mcu_sta_vht_tlv(skb, info->link_sta);
+@@ -1944,7 +1899,6 @@ int mt7925_mcu_sta_update(struct mt792x_
+ };
+ struct mt792x_sta *msta;
+ struct mt792x_link_sta *mlink;
+- int err;
+
+ if (link_sta) {
+ msta = (struct mt792x_sta *)link_sta->sta->drv_priv;
+@@ -1957,12 +1911,7 @@ int mt7925_mcu_sta_update(struct mt792x_
+ else
+ info.newly = state == MT76_STA_INFO_STATE_ASSOC ? false : true;
+
+- if (ieee80211_vif_is_mld(vif))
+- err = mt7925_mcu_mlo_sta_cmd(&dev->mphy, &info);
+- else
+- err = mt7925_mcu_sta_cmd(&dev->mphy, &info);
+-
+- return err;
++ return mt7925_mcu_sta_cmd(&dev->mphy, &info);
+ }
+
+ int mt7925_mcu_set_beacon_filter(struct mt792x_dev *dev,
--- /dev/null
+From 276a568832577c81ec90b62dc506bbdc3781ca46 Mon Sep 17 00:00:00 2001
+From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+Date: Tue, 4 Mar 2025 16:08:51 -0800
+Subject: wifi: mt76: mt7925: update the power-saving flow
+
+From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+
+commit 276a568832577c81ec90b62dc506bbdc3781ca46 upstream.
+
+After joining MLO, ensure that all links are setup before
+enabling power-saving.
+
+Fixes: 86c051f2c418 ("wifi: mt76: mt7925: enabling MLO when the firmware supports it")
+Cc: stable@vger.kernel.org
+Co-developed-by: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Sean Wang <sean.wang@mediatek.com>
+Tested-by: Caleb Jorden <cjorden@gmail.com>
+Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+Link: https://patch.msgid.link/20250305000851.493671-6-sean.wang@kernel.org
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7925/init.c | 1
+ drivers/net/wireless/mediatek/mt76/mt7925/main.c | 68 +++++++++++++++++----
+ drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h | 1
+ drivers/net/wireless/mediatek/mt76/mt792x.h | 9 ++
+ 4 files changed, 68 insertions(+), 11 deletions(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7925/init.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7925/init.c
+@@ -244,6 +244,7 @@ int mt7925_register_device(struct mt792x
+ dev->mt76.tx_worker.fn = mt792x_tx_worker;
+
+ INIT_DELAYED_WORK(&dev->pm.ps_work, mt792x_pm_power_save_work);
++ INIT_DELAYED_WORK(&dev->mlo_pm_work, mt7925_mlo_pm_work);
+ INIT_WORK(&dev->pm.wake_work, mt792x_pm_wake_work);
+ spin_lock_init(&dev->pm.wake.lock);
+ mutex_init(&dev->pm.mutex);
+--- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c
+@@ -427,6 +427,7 @@ mt7925_add_interface(struct ieee80211_hw
+ mvif->bss_conf.vif = mvif;
+ mvif->sta.vif = mvif;
+ mvif->deflink_id = IEEE80211_LINK_UNSPECIFIED;
++ mvif->mlo_pm_state = MT792x_MLO_LINK_DISASSOC;
+
+ ret = mt7925_mac_link_bss_add(dev, &vif->bss_conf, &mvif->sta.deflink);
+ if (ret < 0)
+@@ -1242,6 +1243,7 @@ void mt7925_mac_sta_remove(struct mt76_d
+ {
+ struct mt792x_dev *dev = container_of(mdev, struct mt792x_dev, mt76);
+ struct mt792x_sta *msta = (struct mt792x_sta *)sta->drv_priv;
++ struct mt792x_vif *mvif = (struct mt792x_vif *)vif->drv_priv;
+ unsigned long rem;
+
+ rem = ieee80211_vif_is_mld(vif) ? msta->valid_links : BIT(0);
+@@ -1252,11 +1254,11 @@ void mt7925_mac_sta_remove(struct mt76_d
+ mt7925_mcu_del_dev(mdev, vif);
+
+ if (vif->type == NL80211_IFTYPE_STATION) {
+- struct mt792x_vif *mvif = (struct mt792x_vif *)vif->drv_priv;
+-
+ mvif->wep_sta = NULL;
+ ewma_rssi_init(&mvif->bss_conf.rssi);
+ }
++
++ mvif->mlo_pm_state = MT792x_MLO_LINK_DISASSOC;
+ }
+ EXPORT_SYMBOL_GPL(mt7925_mac_sta_remove);
+
+@@ -1328,6 +1330,38 @@ mt7925_ampdu_action(struct ieee80211_hw
+ return ret;
+ }
+
++static void
++mt7925_mlo_pm_iter(void *priv, u8 *mac, struct ieee80211_vif *vif)
++{
++ struct mt792x_dev *dev = priv;
++ struct mt792x_vif *mvif = (struct mt792x_vif *)vif->drv_priv;
++ unsigned long valid = ieee80211_vif_is_mld(vif) ?
++ mvif->valid_links : BIT(0);
++ struct ieee80211_bss_conf *bss_conf;
++ int i;
++
++ if (mvif->mlo_pm_state != MT792x_MLO_CHANGED_PS)
++ return;
++
++ mt792x_mutex_acquire(dev);
++ for_each_set_bit(i, &valid, IEEE80211_MLD_MAX_NUM_LINKS) {
++ bss_conf = mt792x_vif_to_bss_conf(vif, i);
++ mt7925_mcu_uni_bss_ps(dev, bss_conf);
++ }
++ mt792x_mutex_release(dev);
++}
++
++void mt7925_mlo_pm_work(struct work_struct *work)
++{
++ struct mt792x_dev *dev = container_of(work, struct mt792x_dev,
++ mlo_pm_work.work);
++ struct ieee80211_hw *hw = mt76_hw(dev);
++
++ ieee80211_iterate_active_interfaces(hw,
++ IEEE80211_IFACE_ITER_RESUME_ALL,
++ mt7925_mlo_pm_iter, dev);
++}
++
+ static bool is_valid_alpha2(const char *alpha2)
+ {
+ if (!alpha2)
+@@ -1877,6 +1911,9 @@ static void mt7925_vif_cfg_changed(struc
+ mt7925_mcu_sta_update(dev, NULL, vif, true,
+ MT76_STA_INFO_STATE_ASSOC);
+ mt7925_mcu_set_beacon_filter(dev, vif, vif->cfg.assoc);
++
++ if (ieee80211_vif_is_mld(vif))
++ mvif->mlo_pm_state = MT792x_MLO_LINK_ASSOC;
+ }
+
+ if (changed & BSS_CHANGED_ARP_FILTER) {
+@@ -1887,9 +1924,19 @@ static void mt7925_vif_cfg_changed(struc
+ }
+
+ if (changed & BSS_CHANGED_PS) {
+- for_each_set_bit(i, &valid, IEEE80211_MLD_MAX_NUM_LINKS) {
+- bss_conf = mt792x_vif_to_bss_conf(vif, i);
++ if (hweight16(mvif->valid_links) < 2) {
++ /* legacy */
++ bss_conf = &vif->bss_conf;
+ mt7925_mcu_uni_bss_ps(dev, bss_conf);
++ } else {
++ if (mvif->mlo_pm_state == MT792x_MLO_LINK_ASSOC) {
++ mvif->mlo_pm_state = MT792x_MLO_CHANGED_PS_PENDING;
++ } else if (mvif->mlo_pm_state == MT792x_MLO_CHANGED_PS) {
++ for_each_set_bit(i, &valid, IEEE80211_MLD_MAX_NUM_LINKS) {
++ bss_conf = mt792x_vif_to_bss_conf(vif, i);
++ mt7925_mcu_uni_bss_ps(dev, bss_conf);
++ }
++ }
+ }
+ }
+
+@@ -1940,11 +1987,12 @@ static void mt7925_link_info_changed(str
+ if (changed & (BSS_CHANGED_QOS | BSS_CHANGED_BEACON_ENABLED))
+ mt7925_mcu_set_tx(dev, info);
+
+- if (changed & BSS_CHANGED_BSSID) {
+- if (ieee80211_vif_is_mld(vif) &&
+- hweight16(mvif->valid_links) == 2)
+- /* Indicate the secondary setup done */
+- mt7925_mcu_uni_bss_bcnft(dev, info, true);
++ if (mvif->mlo_pm_state == MT792x_MLO_CHANGED_PS_PENDING) {
++ /* Indicate the secondary setup done */
++ mt7925_mcu_uni_bss_bcnft(dev, info, true);
++
++ ieee80211_queue_delayed_work(hw, &dev->mlo_pm_work, 5 * HZ);
++ mvif->mlo_pm_state = MT792x_MLO_CHANGED_PS;
+ }
+
+ mt792x_mutex_release(dev);
+@@ -2028,8 +2076,6 @@ mt7925_change_vif_links(struct ieee80211
+ goto free;
+
+ if (mconf != &mvif->bss_conf) {
+- mt7925_mcu_set_bss_pm(dev, link_conf, true);
+-
+ err = mt7925_set_mlo_roc(phy, &mvif->bss_conf,
+ vif->active_links);
+ if (err < 0)
+--- a/drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h
++++ b/drivers/net/wireless/mediatek/mt76/mt7925/mt7925.h
+@@ -268,6 +268,7 @@ int mt7925_mcu_uni_tx_ba(struct mt792x_d
+ int mt7925_mcu_uni_rx_ba(struct mt792x_dev *dev,
+ struct ieee80211_ampdu_params *params,
+ bool enable);
++void mt7925_mlo_pm_work(struct work_struct *work);
+ void mt7925_scan_work(struct work_struct *work);
+ void mt7925_roc_work(struct work_struct *work);
+ int mt7925_mcu_uni_bss_ps(struct mt792x_dev *dev,
+--- a/drivers/net/wireless/mediatek/mt76/mt792x.h
++++ b/drivers/net/wireless/mediatek/mt76/mt792x.h
+@@ -81,6 +81,13 @@ enum mt792x_reg_power_type {
+ MT_AP_VLP,
+ };
+
++enum mt792x_mlo_pm_state {
++ MT792x_MLO_LINK_DISASSOC,
++ MT792x_MLO_LINK_ASSOC,
++ MT792x_MLO_CHANGED_PS_PENDING,
++ MT792x_MLO_CHANGED_PS,
++};
++
+ DECLARE_EWMA(avg_signal, 10, 8)
+
+ struct mt792x_link_sta {
+@@ -134,6 +141,7 @@ struct mt792x_vif {
+ struct mt792x_phy *phy;
+ u16 valid_links;
+ u8 deflink_id;
++ enum mt792x_mlo_pm_state mlo_pm_state;
+
+ struct work_struct csa_work;
+ struct timer_list csa_timer;
+@@ -239,6 +247,7 @@ struct mt792x_dev {
+ const struct mt792x_irq_map *irq_map;
+
+ struct work_struct ipv6_ns_work;
++ struct delayed_work mlo_pm_work;
+ /* IPv6 addresses for WoWLAN */
+ struct sk_buff_head ipv6_ns_list;
+
--- /dev/null
+From 06e70003d88218675c566584dd76867fcb39706d Mon Sep 17 00:00:00 2001
+From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+Date: Thu, 13 Mar 2025 13:40:44 +0800
+Subject: wifi: mt76: mt792x: re-register CHANCTX_STA_CSA only for the mt7921 series
+
+From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+
+commit 06e70003d88218675c566584dd76867fcb39706d upstream.
+
+CSA is currently not supported on mt7925, so CSA is only registered for
+the mt7921 series
+
+Cc: stable@vger.kernel.org
+Fixes: 8aa2f59260eb ("wifi: mt76: mt7921: introduce CSA support")
+Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+Link: https://patch.msgid.link/20250313054044.2638837-1-mingyen.hsieh@mediatek.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt792x_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt792x_core.c
++++ b/drivers/net/wireless/mediatek/mt76/mt792x_core.c
+@@ -665,7 +665,8 @@ int mt792x_init_wiphy(struct ieee80211_h
+ ieee80211_hw_set(hw, SUPPORTS_DYNAMIC_PS);
+ ieee80211_hw_set(hw, SUPPORTS_VHT_EXT_NSS_BW);
+ ieee80211_hw_set(hw, CONNECTION_MONITOR);
+- ieee80211_hw_set(hw, CHANCTX_STA_CSA);
++ if (is_mt7921(&dev->mt76))
++ ieee80211_hw_set(hw, CHANCTX_STA_CSA);
+
+ if (dev->pm.enable)
+ ieee80211_hw_set(hw, CONNECTION_MONITOR);
--- /dev/null
+From 5c4e79e29a9fe4ea132118ac40c2bc97cfe23077 Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich@suse.com>
+Date: Wed, 12 Mar 2025 16:32:45 +0100
+Subject: xenfs/xensyms: respect hypervisor's "next" indication
+
+From: Jan Beulich <jbeulich@suse.com>
+
+commit 5c4e79e29a9fe4ea132118ac40c2bc97cfe23077 upstream.
+
+The interface specifies the symnum field as an input and output; the
+hypervisor sets it to the next sequential symbol's index. xensyms_next()
+incrementing the position explicitly (and xensyms_next_sym()
+decrementing it to "rewind") is only correct as long as the sequence of
+symbol indexes is non-sparse. Use the hypervisor-supplied value instead
+to update the position in xensyms_next(), and use the saved incoming
+index in xensyms_next_sym().
+
+Cc: stable@kernel.org
+Fixes: a11f4f0a4e18 ("xen: xensyms support")
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Message-ID: <15d5e7fa-ec5d-422f-9319-d28bed916349@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/xen/xenfs/xensyms.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/xen/xenfs/xensyms.c
++++ b/drivers/xen/xenfs/xensyms.c
+@@ -48,7 +48,7 @@ static int xensyms_next_sym(struct xensy
+ return -ENOMEM;
+
+ set_xen_guest_handle(symdata->name, xs->name);
+- symdata->symnum--; /* Rewind */
++ symdata->symnum = symnum; /* Rewind */
+
+ ret = HYPERVISOR_platform_op(&xs->op);
+ if (ret < 0)
+@@ -78,7 +78,7 @@ static void *xensyms_next(struct seq_fil
+ {
+ struct xensyms *xs = m->private;
+
+- xs->op.u.symdata.symnum = ++(*pos);
++ *pos = xs->op.u.symdata.symnum;
+
+ if (xensyms_next_sym(xs))
+ return NULL;
projects / thirdparty / kernel / stable-queue.git / commitdiff
