--- /dev/null
+From 425fd255b46ef371fe39cb4ea592d9cc1b9cdb5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Jan 2025 14:22:02 +0100
+Subject: ACPI: x86: Add skip i2c clients quirk for Vexia EDU ATLA 10 tablet 5V
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 8f62ca9c338aae4f73e9ce0221c3d4668359ddd8 ]
+
+The Vexia EDU ATLA 10 tablet comes in 2 different versions with
+significantly different mainboards. The only outward difference is that
+the charging barrel on one is marked 5V and the other is marked 9V.
+
+Both ship with Android 4.4 as factory OS and have the usual broken DSDT
+issues for x86 Android tablets.
+
+Add a quirk to skip ACPI I2C client enumeration for the 5V version to
+complement the existing quirk for the 9V version.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://patch.msgid.link/20250123132202.18209-1-hdegoede@redhat.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/x86/utils.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/drivers/acpi/x86/utils.c b/drivers/acpi/x86/utils.c
+index fdfc88e09986e..e894fdf6d5531 100644
+--- a/drivers/acpi/x86/utils.c
++++ b/drivers/acpi/x86/utils.c
+@@ -400,6 +400,19 @@ static const struct dmi_system_id acpi_quirk_skip_dmi_ids[] = {
+ .driver_data = (void *)(ACPI_QUIRK_SKIP_I2C_CLIENTS |
+ ACPI_QUIRK_SKIP_ACPI_AC_AND_BATTERY),
+ },
++ {
++ /* Vexia Edu Atla 10 tablet 5V version */
++ .matches = {
++ /* Having all 3 of these not set is somewhat unique */
++ DMI_MATCH(DMI_SYS_VENDOR, "To be filled by O.E.M."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "To be filled by O.E.M."),
++ DMI_MATCH(DMI_BOARD_NAME, "To be filled by O.E.M."),
++ /* Above strings are too generic, also match on BIOS date */
++ DMI_MATCH(DMI_BIOS_DATE, "05/14/2015"),
++ },
++ .driver_data = (void *)(ACPI_QUIRK_SKIP_I2C_CLIENTS |
++ ACPI_QUIRK_SKIP_ACPI_AC_AND_BATTERY),
++ },
+ {
+ /* Vexia Edu Atla 10 tablet 9V version */
+ .matches = {
+--
+2.39.5
+
--- /dev/null
+From 9313ef65f2a4635b9f7432950f4bd192f683cd69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Feb 2025 12:44:20 -0500
+Subject: arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array
+
+From: Radu Rendec <rrendec@redhat.com>
+
+[ Upstream commit 875d742cf5327c93cba1f11e12b08d3cce7a88d2 ]
+
+The loop that detects/populates cache information already has a bounds
+check on the array size but does not account for cache levels with
+separate data/instructions cache. Fix this by incrementing the index
+for any populated leaf (instead of any populated level).
+
+Fixes: 5d425c186537 ("arm64: kernel: add support for cpu cache information")
+
+Signed-off-by: Radu Rendec <rrendec@redhat.com>
+Link: https://lore.kernel.org/r/20250206174420.2178724-1-rrendec@redhat.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/cacheinfo.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm64/kernel/cacheinfo.c b/arch/arm64/kernel/cacheinfo.c
+index d9c9218fa1fdd..309942b06c5bc 100644
+--- a/arch/arm64/kernel/cacheinfo.c
++++ b/arch/arm64/kernel/cacheinfo.c
+@@ -101,16 +101,18 @@ int populate_cache_leaves(unsigned int cpu)
+ unsigned int level, idx;
+ enum cache_type type;
+ struct cpu_cacheinfo *this_cpu_ci = get_cpu_cacheinfo(cpu);
+- struct cacheinfo *this_leaf = this_cpu_ci->info_list;
++ struct cacheinfo *infos = this_cpu_ci->info_list;
+
+ for (idx = 0, level = 1; level <= this_cpu_ci->num_levels &&
+- idx < this_cpu_ci->num_leaves; idx++, level++) {
++ idx < this_cpu_ci->num_leaves; level++) {
+ type = get_cache_type(level);
+ if (type == CACHE_TYPE_SEPARATE) {
+- ci_leaf_init(this_leaf++, CACHE_TYPE_DATA, level);
+- ci_leaf_init(this_leaf++, CACHE_TYPE_INST, level);
++ if (idx + 1 >= this_cpu_ci->num_leaves)
++ break;
++ ci_leaf_init(&infos[idx++], CACHE_TYPE_DATA, level);
++ ci_leaf_init(&infos[idx++], CACHE_TYPE_INST, level);
+ } else {
+- ci_leaf_init(this_leaf++, type, level);
++ ci_leaf_init(&infos[idx++], type, level);
+ }
+ }
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From 086418d062fcd8c19244e90378057838d3a11c23 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Jan 2025 14:25:07 +0100
+Subject: ASoC: Intel: bytcr_rt5640: Add DMI quirk for Vexia Edu Atla 10 tablet
+ 5V
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 6917192378c1ce17ba31df51c4e0d8b1c97a453b ]
+
+The Vexia EDU ATLA 10 tablet comes in 2 different versions with
+significantly different mainboards. The only outward difference is that
+the charging barrel on one is marked 5V and the other is marked 9V.
+
+The 5V version mostly works with the BYTCR defaults, except that it is
+missing a CHAN package in its ACPI tables and the default of using
+SSP0-AIF2 is wrong, instead SSP0-AIF1 must be used. That and its jack
+detect signal is not inverted as it usually is.
+
+Add a DMI quirk for the 5V version to fix sound not working.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://patch.msgid.link/20250123132507.18434-1-hdegoede@redhat.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/boards/bytcr_rt5640.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c
+index ddf68be0af14a..ce80adc30fe94 100644
+--- a/sound/soc/intel/boards/bytcr_rt5640.c
++++ b/sound/soc/intel/boards/bytcr_rt5640.c
+@@ -1132,7 +1132,22 @@ static const struct dmi_system_id byt_rt5640_quirk_table[] = {
+ BYT_RT5640_SSP0_AIF2 |
+ BYT_RT5640_MCLK_EN),
+ },
+- { /* Vexia Edu Atla 10 tablet */
++ {
++ /* Vexia Edu Atla 10 tablet 5V version */
++ .matches = {
++ /* Having all 3 of these not set is somewhat unique */
++ DMI_MATCH(DMI_SYS_VENDOR, "To be filled by O.E.M."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "To be filled by O.E.M."),
++ DMI_MATCH(DMI_BOARD_NAME, "To be filled by O.E.M."),
++ /* Above strings are too generic, also match on BIOS date */
++ DMI_MATCH(DMI_BIOS_DATE, "05/14/2015"),
++ },
++ .driver_data = (void *)(BYTCR_INPUT_DEFAULTS |
++ BYT_RT5640_JD_NOT_INV |
++ BYT_RT5640_SSP0_AIF1 |
++ BYT_RT5640_MCLK_EN),
++ },
++ { /* Vexia Edu Atla 10 tablet 9V version */
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "AMI Corporation"),
+ DMI_MATCH(DMI_BOARD_NAME, "Aptio CRB"),
+--
+2.39.5
+
--- /dev/null
+From 2b99c4346949c183aae277ea52e117d1be0bf9a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 3 Feb 2025 12:12:03 +0300
+Subject: ax25: Fix refcount leak caused by setting SO_BINDTODEVICE sockopt
+
+From: Murad Masimov <m.masimov@mt-integration.ru>
+
+[ Upstream commit bca0902e61731a75fc4860c8720168d9f1bae3b6 ]
+
+If an AX25 device is bound to a socket by setting the SO_BINDTODEVICE
+socket option, a refcount leak will occur in ax25_release().
+
+Commit 9fd75b66b8f6 ("ax25: Fix refcount leaks caused by ax25_cb_del()")
+added decrement of device refcounts in ax25_release(). In order for that
+to work correctly the refcounts must already be incremented when the
+device is bound to the socket. An AX25 device can be bound to a socket
+by either calling ax25_bind() or setting SO_BINDTODEVICE socket option.
+In both cases the refcounts should be incremented, but in fact it is done
+only in ax25_bind().
+
+This bug leads to the following issue reported by Syzkaller:
+
+================================================================
+refcount_t: decrement hit 0; leaking memory.
+WARNING: CPU: 1 PID: 5932 at lib/refcount.c:31 refcount_warn_saturate+0x1ed/0x210 lib/refcount.c:31
+Modules linked in:
+CPU: 1 UID: 0 PID: 5932 Comm: syz-executor424 Not tainted 6.13.0-rc4-syzkaller-00110-g4099a71718b0 #0
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+RIP: 0010:refcount_warn_saturate+0x1ed/0x210 lib/refcount.c:31
+Call Trace:
+ <TASK>
+ __refcount_dec include/linux/refcount.h:336 [inline]
+ refcount_dec include/linux/refcount.h:351 [inline]
+ ref_tracker_free+0x710/0x820 lib/ref_tracker.c:236
+ netdev_tracker_free include/linux/netdevice.h:4156 [inline]
+ netdev_put include/linux/netdevice.h:4173 [inline]
+ netdev_put include/linux/netdevice.h:4169 [inline]
+ ax25_release+0x33f/0xa10 net/ax25/af_ax25.c:1069
+ __sock_release+0xb0/0x270 net/socket.c:640
+ sock_close+0x1c/0x30 net/socket.c:1408
+ ...
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ ...
+ </TASK>
+================================================================
+
+Fix the implementation of ax25_setsockopt() by adding increment of
+refcounts for the new device bound, and decrement of refcounts for
+the old unbound device.
+
+Fixes: 9fd75b66b8f6 ("ax25: Fix refcount leaks caused by ax25_cb_del()")
+Reported-by: syzbot+33841dc6aa3e1d86b78a@syzkaller.appspotmail.com
+Signed-off-by: Murad Masimov <m.masimov@mt-integration.ru>
+Link: https://patch.msgid.link/20250203091203.1744-1-m.masimov@mt-integration.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ax25/af_ax25.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
+index 0f66dd8715bd8..4a16142ac58a9 100644
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -685,6 +685,15 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname,
+ break;
+ }
+
++ if (ax25->ax25_dev) {
++ if (dev == ax25->ax25_dev->dev) {
++ rcu_read_unlock();
++ break;
++ }
++ netdev_put(ax25->ax25_dev->dev, &ax25->dev_tracker);
++ ax25_dev_put(ax25->ax25_dev);
++ }
++
+ ax25->ax25_dev = ax25_dev_ax25dev(dev);
+ if (!ax25->ax25_dev) {
+ rcu_read_unlock();
+@@ -692,6 +701,8 @@ static int ax25_setsockopt(struct socket *sock, int level, int optname,
+ break;
+ }
+ ax25_fillin_cb(ax25, ax25->ax25_dev);
++ netdev_hold(dev, &ax25->dev_tracker, GFP_ATOMIC);
++ ax25_dev_hold(ax25->ax25_dev);
+ rcu_read_unlock();
+ break;
+
+--
+2.39.5
+
--- /dev/null
+From 1688299983f40f69dd60f433e6be882a87ec68dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Feb 2025 08:18:46 -0700
+Subject: block: cleanup and fix batch completion adding conditions
+
+From: Jens Axboe <axboe@kernel.dk>
+
+[ Upstream commit 1f47ed294a2bd577d5ae43e6e28e1c9a3be4a833 ]
+
+The conditions for whether or not a request is allowed adding to a
+completion batch are a bit hard to read, and they also have a few
+issues. One is that ioerror may indeed be a random value on passthrough,
+and it's being checked unconditionally of whether or not the given
+request is a passthrough request or not.
+
+Rewrite the conditions to be separate for easier reading, and only check
+ioerror for non-passthrough requests. This fixes an issue with bio
+unmapping on passthrough, where it fails getting added to a batch. This
+both leads to suboptimal performance, and may trigger a potential
+schedule-under-atomic condition for polled passthrough IO.
+
+Fixes: f794f3351f26 ("block: add support for blk_mq_end_request_batch()")
+Link: https://lore.kernel.org/r/20575f0a-656e-4bb3-9d82-dec6c7e3a35c@kernel.dk
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/blk-mq.h | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/include/linux/blk-mq.h b/include/linux/blk-mq.h
+index 958ed7e89b301..1d482c2aabbdf 100644
+--- a/include/linux/blk-mq.h
++++ b/include/linux/blk-mq.h
+@@ -849,12 +849,22 @@ static inline bool blk_mq_add_to_batch(struct request *req,
+ void (*complete)(struct io_comp_batch *))
+ {
+ /*
+- * blk_mq_end_request_batch() can't end request allocated from
+- * sched tags
++ * Check various conditions that exclude batch processing:
++ * 1) No batch container
++ * 2) Has scheduler data attached
++ * 3) Not a passthrough request and end_io set
++ * 4) Not a passthrough request and an ioerror
+ */
+- if (!iob || (req->rq_flags & RQF_SCHED_TAGS) || ioerror ||
+- (req->end_io && !blk_rq_is_passthrough(req)))
++ if (!iob)
+ return false;
++ if (req->rq_flags & RQF_SCHED_TAGS)
++ return false;
++ if (!blk_rq_is_passthrough(req)) {
++ if (req->end_io)
++ return false;
++ if (ioerror < 0)
++ return false;
++ }
+
+ if (!iob->complete)
+ iob->complete = complete;
+--
+2.39.5
+
--- /dev/null
+From 99ad7d62da4f8586b8762a0c1efd1f2ec0d6b7ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Feb 2025 14:24:32 +0000
+Subject: cgroup: Remove steal time from usage_usec
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Muhammad Adeel <Muhammad.Adeel@ibm.com>
+
+[ Upstream commit db5fd3cf8bf41b84b577b8ad5234ea95f327c9be ]
+
+The CPU usage time is the time when user, system or both are using the CPU.
+Steal time is the time when CPU is waiting to be run by the Hypervisor. It
+should not be added to the CPU usage time, hence removing it from the
+usage_usec entry.
+
+Fixes: 936f2a70f2077 ("cgroup: add cpu.stat file to root cgroup")
+Acked-by: Axel Busch <axel.busch@ibm.com>
+Acked-by: Michal Koutný <mkoutny@suse.com>
+Signed-off-by: Muhammad Adeel <muhammad.adeel@ibm.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/cgroup/rstat.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/kernel/cgroup/rstat.c b/kernel/cgroup/rstat.c
+index d80d7a6081412..c32439b855f5d 100644
+--- a/kernel/cgroup/rstat.c
++++ b/kernel/cgroup/rstat.c
+@@ -469,7 +469,6 @@ static void root_cgroup_cputime(struct cgroup_base_stat *bstat)
+
+ cputime->sum_exec_runtime += user;
+ cputime->sum_exec_runtime += sys;
+- cputime->sum_exec_runtime += cpustat[CPUTIME_STEAL];
+
+ #ifdef CONFIG_SCHED_CORE
+ bstat->forceidle_sum += cpustat[CPUTIME_FORCEIDLE];
+--
+2.39.5
+
--- /dev/null
+From e99932052fe7ccea63c82b40931dbe7cffd2d722 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Feb 2025 14:28:51 +0800
+Subject: drm/amdgpu: bail out when failed to load fw in
+ psp_init_cap_microcode()
+
+From: Jiang Liu <gerry@linux.alibaba.com>
+
+[ Upstream commit a0a455b4bc7483ad60e8b8a50330c1e05bb7bfcf ]
+
+In function psp_init_cap_microcode(), it should bail out when failed to
+load firmware, otherwise it may cause invalid memory access.
+
+Fixes: 07dbfc6b102e ("drm/amd: Use `amdgpu_ucode_*` helpers for PSP")
+Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
+Signed-off-by: Jiang Liu <gerry@linux.alibaba.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
+index a4f9015345ccb..6a24e8ceb9449 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_psp.c
+@@ -3450,9 +3450,10 @@ int psp_init_cap_microcode(struct psp_context *psp, const char *chip_name)
+ if (err == -ENODEV) {
+ dev_warn(adev->dev, "cap microcode does not exist, skip\n");
+ err = 0;
+- goto out;
++ } else {
++ dev_err(adev->dev, "fail to initialize cap microcode\n");
+ }
+- dev_err(adev->dev, "fail to initialize cap microcode\n");
++ goto out;
+ }
+
+ info = &adev->firmware.ucode[AMDGPU_UCODE_ID_CAP];
+--
+2.39.5
+
--- /dev/null
+From f59d4f24f0deb3904308c6bfd6ee98de937beeb3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jan 2025 09:19:31 +0000
+Subject: drm/i915/selftests: avoid using uninitialized context
+
+From: Krzysztof Karas <krzysztof.karas@intel.com>
+
+[ Upstream commit 53139b3f9998ea07289e7b70b909fea2264a0de9 ]
+
+There is an error path in igt_ppgtt_alloc(), which leads
+to ww object being passed down to i915_gem_ww_ctx_fini() without
+initialization. Correct that by only putting ppgtt->vm and
+returning early.
+
+Fixes: 480ae79537b2 ("drm/i915/selftests: Prepare gtt tests for obj->mm.lock removal")
+Signed-off-by: Krzysztof Karas <krzysztof.karas@intel.com>
+Reviewed-by: Mikolaj Wasiak <mikolaj.wasiak@intel.com>
+Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
+Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/iuaonpjc3rywmvhna6umjlvzilocn2uqsrxfxfob24e2taocbi@lkaivvfp4777
+(cherry picked from commit 8d8334632ea62424233ac6529712868241d0f8df)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/selftests/i915_gem_gtt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/selftests/i915_gem_gtt.c b/drivers/gpu/drm/i915/selftests/i915_gem_gtt.c
+index 5c397a2df70e2..5d27e1c733c52 100644
+--- a/drivers/gpu/drm/i915/selftests/i915_gem_gtt.c
++++ b/drivers/gpu/drm/i915/selftests/i915_gem_gtt.c
+@@ -168,7 +168,7 @@ static int igt_ppgtt_alloc(void *arg)
+ return PTR_ERR(ppgtt);
+
+ if (!ppgtt->vm.allocate_va_range)
+- goto err_ppgtt_cleanup;
++ goto ppgtt_vm_put;
+
+ /*
+ * While we only allocate the page tables here and so we could
+@@ -236,7 +236,7 @@ static int igt_ppgtt_alloc(void *arg)
+ goto retry;
+ }
+ i915_gem_ww_ctx_fini(&ww);
+-
++ppgtt_vm_put:
+ i915_vm_put(&ppgtt->vm);
+ return err;
+ }
+--
+2.39.5
+
--- /dev/null
+From 18809cd0d58c7e0d16a3cd6ac4a4164828362df8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Jan 2025 20:19:51 +0200
+Subject: fbdev: omap: use threaded IRQ for LCD DMA
+
+From: Aaro Koskinen <aaro.koskinen@iki.fi>
+
+[ Upstream commit e4b6b665df815b4841e71b72f06446884e8aad40 ]
+
+When using touchscreen and framebuffer, Nokia 770 crashes easily with:
+
+ BUG: scheduling while atomic: irq/144-ads7846/82/0x00010000
+ Modules linked in: usb_f_ecm g_ether usb_f_rndis u_ether libcomposite configfs omap_udc ohci_omap ohci_hcd
+ CPU: 0 UID: 0 PID: 82 Comm: irq/144-ads7846 Not tainted 6.12.7-770 #2
+ Hardware name: Nokia 770
+ Call trace:
+ unwind_backtrace from show_stack+0x10/0x14
+ show_stack from dump_stack_lvl+0x54/0x5c
+ dump_stack_lvl from __schedule_bug+0x50/0x70
+ __schedule_bug from __schedule+0x4d4/0x5bc
+ __schedule from schedule+0x34/0xa0
+ schedule from schedule_preempt_disabled+0xc/0x10
+ schedule_preempt_disabled from __mutex_lock.constprop.0+0x218/0x3b4
+ __mutex_lock.constprop.0 from clk_prepare_lock+0x38/0xe4
+ clk_prepare_lock from clk_set_rate+0x18/0x154
+ clk_set_rate from sossi_read_data+0x4c/0x168
+ sossi_read_data from hwa742_read_reg+0x5c/0x8c
+ hwa742_read_reg from send_frame_handler+0xfc/0x300
+ send_frame_handler from process_pending_requests+0x74/0xd0
+ process_pending_requests from lcd_dma_irq_handler+0x50/0x74
+ lcd_dma_irq_handler from __handle_irq_event_percpu+0x44/0x130
+ __handle_irq_event_percpu from handle_irq_event+0x28/0x68
+ handle_irq_event from handle_level_irq+0x9c/0x170
+ handle_level_irq from generic_handle_domain_irq+0x2c/0x3c
+ generic_handle_domain_irq from omap1_handle_irq+0x40/0x8c
+ omap1_handle_irq from generic_handle_arch_irq+0x28/0x3c
+ generic_handle_arch_irq from call_with_stack+0x1c/0x24
+ call_with_stack from __irq_svc+0x94/0xa8
+ Exception stack(0xc5255da0 to 0xc5255de8)
+ 5da0: 00000001 c22fc620 00000000 00000000 c08384a8 c106fc00 00000000 c240c248
+ 5dc0: c113a600 c3f6ec30 00000001 00000000 c22fc620 c5255df0 c22fc620 c0279a94
+ 5de0: 60000013 ffffffff
+ __irq_svc from clk_prepare_lock+0x4c/0xe4
+ clk_prepare_lock from clk_get_rate+0x10/0x74
+ clk_get_rate from uwire_setup_transfer+0x40/0x180
+ uwire_setup_transfer from spi_bitbang_transfer_one+0x2c/0x9c
+ spi_bitbang_transfer_one from spi_transfer_one_message+0x2d0/0x664
+ spi_transfer_one_message from __spi_pump_transfer_message+0x29c/0x498
+ __spi_pump_transfer_message from __spi_sync+0x1f8/0x2e8
+ __spi_sync from spi_sync+0x24/0x40
+ spi_sync from ads7846_halfd_read_state+0x5c/0x1c0
+ ads7846_halfd_read_state from ads7846_irq+0x58/0x348
+ ads7846_irq from irq_thread_fn+0x1c/0x78
+ irq_thread_fn from irq_thread+0x120/0x228
+ irq_thread from kthread+0xc8/0xe8
+ kthread from ret_from_fork+0x14/0x28
+
+As a quick fix, switch to a threaded IRQ which provides a stable system.
+
+Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/omap/lcd_dma.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/video/fbdev/omap/lcd_dma.c b/drivers/video/fbdev/omap/lcd_dma.c
+index f85817635a8c2..0da23c57e4757 100644
+--- a/drivers/video/fbdev/omap/lcd_dma.c
++++ b/drivers/video/fbdev/omap/lcd_dma.c
+@@ -432,8 +432,8 @@ static int __init omap_init_lcd_dma(void)
+
+ spin_lock_init(&lcd_dma.lock);
+
+- r = request_irq(INT_DMA_LCD, lcd_dma_irq_handler, 0,
+- "LCD DMA", NULL);
++ r = request_threaded_irq(INT_DMA_LCD, NULL, lcd_dma_irq_handler,
++ IRQF_ONESHOT, "LCD DMA", NULL);
+ if (r != 0)
+ pr_err("unable to request IRQ for LCD DMA (error %d)\n", r);
+
+--
+2.39.5
+
--- /dev/null
+From 4981a9885b69ac439d95f092c26af209a86a2050 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Feb 2025 18:46:02 +0100
+Subject: gpio: bcm-kona: Add missing newline to dev_err format string
+
+From: Artur Weber <aweber.kernel@gmail.com>
+
+[ Upstream commit 615279db222c3ac56d5c93716efd72b843295c1f ]
+
+Add a missing newline to the format string of the "Couldn't get IRQ
+for bank..." error message.
+
+Fixes: 757651e3d60e ("gpio: bcm281xx: Add GPIO driver")
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Reviewed-by: Markus Mayer <mmayer@broadcom.com>
+Signed-off-by: Artur Weber <aweber.kernel@gmail.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/20250206-kona-gpio-fixes-v2-3-409135eab780@gmail.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-bcm-kona.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpio/gpio-bcm-kona.c b/drivers/gpio/gpio-bcm-kona.c
+index 17f3f210fee9d..64908f1a5e7f9 100644
+--- a/drivers/gpio/gpio-bcm-kona.c
++++ b/drivers/gpio/gpio-bcm-kona.c
+@@ -659,7 +659,7 @@ static int bcm_kona_gpio_probe(struct platform_device *pdev)
+ bank->irq = platform_get_irq(pdev, i);
+ bank->kona_gpio = kona_gpio;
+ if (bank->irq < 0) {
+- dev_err(dev, "Couldn't get IRQ for bank %d", i);
++ dev_err(dev, "Couldn't get IRQ for bank %d\n", i);
+ ret = -ENOENT;
+ goto err_irq_domain;
+ }
+--
+2.39.5
+
--- /dev/null
+From 6b2ec44689fa3f9958f16026bcf8bafcc86ade2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Feb 2025 18:46:00 +0100
+Subject: gpio: bcm-kona: Fix GPIO lock/unlock for banks above bank 0
+
+From: Artur Weber <aweber.kernel@gmail.com>
+
+[ Upstream commit de1d0d160f64ee76df1d364d521b2faf465a091c ]
+
+The GPIO lock/unlock functions clear/write a bit to the relevant
+register for each bank. However, due to an oversight the bit that
+was being written was based on the total GPIO number, not the index
+of the GPIO within the relevant bank, causing it to fail for any
+GPIO above 32 (thus any GPIO for banks above bank 0).
+
+Fix lock/unlock for these banks by using the correct bit.
+
+Fixes: bdb93c03c550 ("gpio: bcm281xx: Centralize register locking")
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Reviewed-by: Markus Mayer <mmayer@broadcom.com>
+Signed-off-by: Artur Weber <aweber.kernel@gmail.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/20250206-kona-gpio-fixes-v2-1-409135eab780@gmail.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-bcm-kona.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpio/gpio-bcm-kona.c b/drivers/gpio/gpio-bcm-kona.c
+index 5321ef98f4427..77bd4ec93a231 100644
+--- a/drivers/gpio/gpio-bcm-kona.c
++++ b/drivers/gpio/gpio-bcm-kona.c
+@@ -86,11 +86,12 @@ static void bcm_kona_gpio_lock_gpio(struct bcm_kona_gpio *kona_gpio,
+ u32 val;
+ unsigned long flags;
+ int bank_id = GPIO_BANK(gpio);
++ int bit = GPIO_BIT(gpio);
+
+ raw_spin_lock_irqsave(&kona_gpio->lock, flags);
+
+ val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id));
+- val |= BIT(gpio);
++ val |= BIT(bit);
+ bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val);
+
+ raw_spin_unlock_irqrestore(&kona_gpio->lock, flags);
+@@ -102,11 +103,12 @@ static void bcm_kona_gpio_unlock_gpio(struct bcm_kona_gpio *kona_gpio,
+ u32 val;
+ unsigned long flags;
+ int bank_id = GPIO_BANK(gpio);
++ int bit = GPIO_BIT(gpio);
+
+ raw_spin_lock_irqsave(&kona_gpio->lock, flags);
+
+ val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id));
+- val &= ~BIT(gpio);
++ val &= ~BIT(bit);
+ bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val);
+
+ raw_spin_unlock_irqrestore(&kona_gpio->lock, flags);
+--
+2.39.5
+
--- /dev/null
+From c47e9f4bff89a96e7fc94d3ac6d1cdfc8ba42983 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Feb 2025 18:46:01 +0100
+Subject: gpio: bcm-kona: Make sure GPIO bits are unlocked when requesting IRQ
+
+From: Artur Weber <aweber.kernel@gmail.com>
+
+[ Upstream commit 57f5db77a915cc29461a679a6bcae7097967be1a ]
+
+The settings for all GPIOs are locked by default in bcm_kona_gpio_reset.
+The settings for a GPIO are unlocked when requesting it as a GPIO, but
+not when requesting it as an interrupt, causing the IRQ settings to not
+get applied.
+
+Fix this by making sure to unlock the right bits when an IRQ is requested.
+To avoid a situation where an IRQ being released causes a lock despite
+the same GPIO being used by a GPIO request or vice versa, add an unlock
+counter and only lock if it reaches 0.
+
+Fixes: 757651e3d60e ("gpio: bcm281xx: Add GPIO driver")
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Reviewed-by: Markus Mayer <mmayer@broadcom.com>
+Signed-off-by: Artur Weber <aweber.kernel@gmail.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/20250206-kona-gpio-fixes-v2-2-409135eab780@gmail.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-bcm-kona.c | 67 +++++++++++++++++++++++++++++-------
+ 1 file changed, 55 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/gpio/gpio-bcm-kona.c b/drivers/gpio/gpio-bcm-kona.c
+index 77bd4ec93a231..17f3f210fee9d 100644
+--- a/drivers/gpio/gpio-bcm-kona.c
++++ b/drivers/gpio/gpio-bcm-kona.c
+@@ -69,6 +69,22 @@ struct bcm_kona_gpio {
+ struct bcm_kona_gpio_bank {
+ int id;
+ int irq;
++ /*
++ * Used to keep track of lock/unlock operations for each GPIO in the
++ * bank.
++ *
++ * All GPIOs are locked by default (see bcm_kona_gpio_reset), and the
++ * unlock count for all GPIOs is 0 by default. Each unlock increments
++ * the counter, and each lock decrements the counter.
++ *
++ * The lock function only locks the GPIO once its unlock counter is
++ * down to 0. This is necessary because the GPIO is unlocked in two
++ * places in this driver: once for requested GPIOs, and once for
++ * requested IRQs. Since it is possible for a GPIO to be requested
++ * as both a GPIO and an IRQ, we need to ensure that we don't lock it
++ * too early.
++ */
++ u8 gpio_unlock_count[GPIO_PER_BANK];
+ /* Used in the interrupt handler */
+ struct bcm_kona_gpio *kona_gpio;
+ };
+@@ -87,14 +103,23 @@ static void bcm_kona_gpio_lock_gpio(struct bcm_kona_gpio *kona_gpio,
+ unsigned long flags;
+ int bank_id = GPIO_BANK(gpio);
+ int bit = GPIO_BIT(gpio);
++ struct bcm_kona_gpio_bank *bank = &kona_gpio->banks[bank_id];
+
+- raw_spin_lock_irqsave(&kona_gpio->lock, flags);
++ if (bank->gpio_unlock_count[bit] == 0) {
++ dev_err(kona_gpio->gpio_chip.parent,
++ "Unbalanced locks for GPIO %u\n", gpio);
++ return;
++ }
+
+- val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id));
+- val |= BIT(bit);
+- bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val);
++ if (--bank->gpio_unlock_count[bit] == 0) {
++ raw_spin_lock_irqsave(&kona_gpio->lock, flags);
+
+- raw_spin_unlock_irqrestore(&kona_gpio->lock, flags);
++ val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id));
++ val |= BIT(bit);
++ bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val);
++
++ raw_spin_unlock_irqrestore(&kona_gpio->lock, flags);
++ }
+ }
+
+ static void bcm_kona_gpio_unlock_gpio(struct bcm_kona_gpio *kona_gpio,
+@@ -104,14 +129,19 @@ static void bcm_kona_gpio_unlock_gpio(struct bcm_kona_gpio *kona_gpio,
+ unsigned long flags;
+ int bank_id = GPIO_BANK(gpio);
+ int bit = GPIO_BIT(gpio);
++ struct bcm_kona_gpio_bank *bank = &kona_gpio->banks[bank_id];
+
+- raw_spin_lock_irqsave(&kona_gpio->lock, flags);
++ if (bank->gpio_unlock_count[bit] == 0) {
++ raw_spin_lock_irqsave(&kona_gpio->lock, flags);
+
+- val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id));
+- val &= ~BIT(bit);
+- bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val);
++ val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id));
++ val &= ~BIT(bit);
++ bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val);
+
+- raw_spin_unlock_irqrestore(&kona_gpio->lock, flags);
++ raw_spin_unlock_irqrestore(&kona_gpio->lock, flags);
++ }
++
++ ++bank->gpio_unlock_count[bit];
+ }
+
+ static int bcm_kona_gpio_get_dir(struct gpio_chip *chip, unsigned gpio)
+@@ -362,6 +392,7 @@ static void bcm_kona_gpio_irq_mask(struct irq_data *d)
+
+ kona_gpio = irq_data_get_irq_chip_data(d);
+ reg_base = kona_gpio->reg_base;
++
+ raw_spin_lock_irqsave(&kona_gpio->lock, flags);
+
+ val = readl(reg_base + GPIO_INT_MASK(bank_id));
+@@ -384,6 +415,7 @@ static void bcm_kona_gpio_irq_unmask(struct irq_data *d)
+
+ kona_gpio = irq_data_get_irq_chip_data(d);
+ reg_base = kona_gpio->reg_base;
++
+ raw_spin_lock_irqsave(&kona_gpio->lock, flags);
+
+ val = readl(reg_base + GPIO_INT_MSKCLR(bank_id));
+@@ -479,15 +511,26 @@ static void bcm_kona_gpio_irq_handler(struct irq_desc *desc)
+ static int bcm_kona_gpio_irq_reqres(struct irq_data *d)
+ {
+ struct bcm_kona_gpio *kona_gpio = irq_data_get_irq_chip_data(d);
++ unsigned int gpio = d->hwirq;
++
++ /*
++ * We need to unlock the GPIO before any other operations are performed
++ * on the relevant GPIO configuration registers
++ */
++ bcm_kona_gpio_unlock_gpio(kona_gpio, gpio);
+
+- return gpiochip_reqres_irq(&kona_gpio->gpio_chip, d->hwirq);
++ return gpiochip_reqres_irq(&kona_gpio->gpio_chip, gpio);
+ }
+
+ static void bcm_kona_gpio_irq_relres(struct irq_data *d)
+ {
+ struct bcm_kona_gpio *kona_gpio = irq_data_get_irq_chip_data(d);
++ unsigned int gpio = d->hwirq;
++
++ /* Once we no longer use it, lock the GPIO again */
++ bcm_kona_gpio_lock_gpio(kona_gpio, gpio);
+
+- gpiochip_relres_irq(&kona_gpio->gpio_chip, d->hwirq);
++ gpiochip_relres_irq(&kona_gpio->gpio_chip, gpio);
+ }
+
+ static struct irq_chip bcm_gpio_irq_chip = {
+--
+2.39.5
+
--- /dev/null
+From 6618918e5b2742b902159e6c497da4e962959dcd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Feb 2025 17:56:46 +0200
+Subject: gpiolib: Fix crash on error in gpiochip_get_ngpios()
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 7b4aebeecbbd5b5fe73e35fad3f62ed21aa7ef44 ]
+
+The gpiochip_get_ngpios() uses chip_*() macros to print messages.
+However these macros rely on gpiodev to be initialised and set,
+which is not the case when called via bgpio_init(). In such a case
+the printing messages will crash on NULL pointer dereference.
+Replace chip_*() macros by the respective dev_*() ones to avoid
+such crash.
+
+Fixes: 55b2395e4e92 ("gpio: mmio: handle "ngpios" properly in bgpio_init()")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20250213155646.2882324-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpiolib.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
+index 5c0016c77d2ab..efb592b6f6aa7 100644
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -723,13 +723,13 @@ int gpiochip_get_ngpios(struct gpio_chip *gc, struct device *dev)
+ }
+
+ if (gc->ngpio == 0) {
+- chip_err(gc, "tried to insert a GPIO chip with zero lines\n");
++ dev_err(dev, "tried to insert a GPIO chip with zero lines\n");
+ return -EINVAL;
+ }
+
+ if (gc->ngpio > FASTPATH_NGPIO)
+- chip_warn(gc, "line cnt %u is greater than fast path cnt %u\n",
+- gc->ngpio, FASTPATH_NGPIO);
++ dev_warn(dev, "line cnt %u is greater than fast path cnt %u\n",
++ gc->ngpio, FASTPATH_NGPIO);
+
+ return 0;
+ }
+--
+2.39.5
+
--- /dev/null
+From 3d968276f081d44d575819507cbdf63044fb5ff8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2024 11:35:15 +0100
+Subject: Grab mm lock before grabbing pt lock
+
+From: Maksym Planeta <maksym@exostellar.io>
+
+[ Upstream commit 6d002348789bc16e9203e9818b7a3688787e3b29 ]
+
+Function xen_pin_page calls xen_pte_lock, which in turn grab page
+table lock (ptlock). When locking, xen_pte_lock expect mm->page_table_lock
+to be held before grabbing ptlock, but this does not happen when pinning
+is caused by xen_mm_pin_all.
+
+This commit addresses lockdep warning below, which shows up when
+suspending a Xen VM.
+
+[ 3680.658422] Freezing user space processes
+[ 3680.660156] Freezing user space processes completed (elapsed 0.001 seconds)
+[ 3680.660182] OOM killer disabled.
+[ 3680.660192] Freezing remaining freezable tasks
+[ 3680.661485] Freezing remaining freezable tasks completed (elapsed 0.001 seconds)
+[ 3680.685254]
+[ 3680.685265] ==================================
+[ 3680.685269] WARNING: Nested lock was not taken
+[ 3680.685274] 6.12.0+ #16 Tainted: G W
+[ 3680.685279] ----------------------------------
+[ 3680.685283] migration/0/19 is trying to lock:
+[ 3680.685288] ffff88800bac33c0 (ptlock_ptr(ptdesc)#2){+.+.}-{3:3}, at: xen_pin_page+0x175/0x1d0
+[ 3680.685303]
+[ 3680.685303] but this task is not holding:
+[ 3680.685308] init_mm.page_table_lock
+[ 3680.685311]
+[ 3680.685311] stack backtrace:
+[ 3680.685316] CPU: 0 UID: 0 PID: 19 Comm: migration/0 Tainted: G W 6.12.0+ #16
+[ 3680.685324] Tainted: [W]=WARN
+[ 3680.685328] Stopper: multi_cpu_stop+0x0/0x120 <- __stop_cpus.constprop.0+0x8c/0xd0
+[ 3680.685339] Call Trace:
+[ 3680.685344] <TASK>
+[ 3680.685347] dump_stack_lvl+0x77/0xb0
+[ 3680.685356] __lock_acquire+0x917/0x2310
+[ 3680.685364] lock_acquire+0xce/0x2c0
+[ 3680.685369] ? xen_pin_page+0x175/0x1d0
+[ 3680.685373] _raw_spin_lock_nest_lock+0x2f/0x70
+[ 3680.685381] ? xen_pin_page+0x175/0x1d0
+[ 3680.685386] xen_pin_page+0x175/0x1d0
+[ 3680.685390] ? __pfx_xen_pin_page+0x10/0x10
+[ 3680.685394] __xen_pgd_walk+0x233/0x2c0
+[ 3680.685401] ? stop_one_cpu+0x91/0x100
+[ 3680.685405] __xen_pgd_pin+0x5d/0x250
+[ 3680.685410] xen_mm_pin_all+0x70/0xa0
+[ 3680.685415] xen_pv_pre_suspend+0xf/0x280
+[ 3680.685420] xen_suspend+0x57/0x1a0
+[ 3680.685428] multi_cpu_stop+0x6b/0x120
+[ 3680.685432] ? update_cpumasks_hier+0x7c/0xa60
+[ 3680.685439] ? __pfx_multi_cpu_stop+0x10/0x10
+[ 3680.685443] cpu_stopper_thread+0x8c/0x140
+[ 3680.685448] ? smpboot_thread_fn+0x20/0x1f0
+[ 3680.685454] ? __pfx_smpboot_thread_fn+0x10/0x10
+[ 3680.685458] smpboot_thread_fn+0xed/0x1f0
+[ 3680.685462] kthread+0xde/0x110
+[ 3680.685467] ? __pfx_kthread+0x10/0x10
+[ 3680.685471] ret_from_fork+0x2f/0x50
+[ 3680.685478] ? __pfx_kthread+0x10/0x10
+[ 3680.685482] ret_from_fork_asm+0x1a/0x30
+[ 3680.685489] </TASK>
+[ 3680.685491]
+[ 3680.685491] other info that might help us debug this:
+[ 3680.685497] 1 lock held by migration/0/19:
+[ 3680.685500] #0: ffffffff8284df38 (pgd_lock){+.+.}-{3:3}, at: xen_mm_pin_all+0x14/0xa0
+[ 3680.685512]
+[ 3680.685512] stack backtrace:
+[ 3680.685518] CPU: 0 UID: 0 PID: 19 Comm: migration/0 Tainted: G W 6.12.0+ #16
+[ 3680.685528] Tainted: [W]=WARN
+[ 3680.685531] Stopper: multi_cpu_stop+0x0/0x120 <- __stop_cpus.constprop.0+0x8c/0xd0
+[ 3680.685538] Call Trace:
+[ 3680.685541] <TASK>
+[ 3680.685544] dump_stack_lvl+0x77/0xb0
+[ 3680.685549] __lock_acquire+0x93c/0x2310
+[ 3680.685554] lock_acquire+0xce/0x2c0
+[ 3680.685558] ? xen_pin_page+0x175/0x1d0
+[ 3680.685562] _raw_spin_lock_nest_lock+0x2f/0x70
+[ 3680.685568] ? xen_pin_page+0x175/0x1d0
+[ 3680.685572] xen_pin_page+0x175/0x1d0
+[ 3680.685578] ? __pfx_xen_pin_page+0x10/0x10
+[ 3680.685582] __xen_pgd_walk+0x233/0x2c0
+[ 3680.685588] ? stop_one_cpu+0x91/0x100
+[ 3680.685592] __xen_pgd_pin+0x5d/0x250
+[ 3680.685596] xen_mm_pin_all+0x70/0xa0
+[ 3680.685600] xen_pv_pre_suspend+0xf/0x280
+[ 3680.685607] xen_suspend+0x57/0x1a0
+[ 3680.685611] multi_cpu_stop+0x6b/0x120
+[ 3680.685615] ? update_cpumasks_hier+0x7c/0xa60
+[ 3680.685620] ? __pfx_multi_cpu_stop+0x10/0x10
+[ 3680.685625] cpu_stopper_thread+0x8c/0x140
+[ 3680.685629] ? smpboot_thread_fn+0x20/0x1f0
+[ 3680.685634] ? __pfx_smpboot_thread_fn+0x10/0x10
+[ 3680.685638] smpboot_thread_fn+0xed/0x1f0
+[ 3680.685642] kthread+0xde/0x110
+[ 3680.685645] ? __pfx_kthread+0x10/0x10
+[ 3680.685649] ret_from_fork+0x2f/0x50
+[ 3680.685654] ? __pfx_kthread+0x10/0x10
+[ 3680.685657] ret_from_fork_asm+0x1a/0x30
+[ 3680.685662] </TASK>
+[ 3680.685267] xen:grant_table: Grant tables using version 1 layout
+[ 3680.685921] OOM killer enabled.
+[ 3680.685934] Restarting tasks ... done.
+
+Signed-off-by: Maksym Planeta <maksym@exostellar.io>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Message-ID: <20241204103516.3309112-1-maksym@exostellar.io>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/xen/mmu_pv.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/x86/xen/mmu_pv.c b/arch/x86/xen/mmu_pv.c
+index 2db46626acea2..88a722954f3f7 100644
+--- a/arch/x86/xen/mmu_pv.c
++++ b/arch/x86/xen/mmu_pv.c
+@@ -827,6 +827,7 @@ void xen_mm_pin_all(void)
+ {
+ struct page *page;
+
++ spin_lock(&init_mm.page_table_lock);
+ spin_lock(&pgd_lock);
+
+ list_for_each_entry(page, &pgd_list, lru) {
+@@ -837,6 +838,7 @@ void xen_mm_pin_all(void)
+ }
+
+ spin_unlock(&pgd_lock);
++ spin_unlock(&init_mm.page_table_lock);
+ }
+
+ static void __init xen_mark_pinned(struct mm_struct *mm, struct page *page,
+@@ -936,6 +938,7 @@ void xen_mm_unpin_all(void)
+ {
+ struct page *page;
+
++ spin_lock(&init_mm.page_table_lock);
+ spin_lock(&pgd_lock);
+
+ list_for_each_entry(page, &pgd_list, lru) {
+@@ -947,6 +950,7 @@ void xen_mm_unpin_all(void)
+ }
+
+ spin_unlock(&pgd_lock);
++ spin_unlock(&init_mm.page_table_lock);
+ }
+
+ static void xen_enter_mmap(struct mm_struct *mm)
+--
+2.39.5
+
--- /dev/null
+From 4e67139a2370fb1eb9a3b5dc597b23b21d42f262 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 5 Feb 2025 18:50:34 -0300
+Subject: HID: hid-thrustmaster: fix stack-out-of-bounds read in
+ usb_check_int_endpoints()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tulio Fernandes <tuliomf09@gmail.com>
+
+[ Upstream commit 0b43d98ff29be3144e86294486b1373b5df74c0e ]
+
+Syzbot[1] has detected a stack-out-of-bounds read of the ep_addr array from
+hid-thrustmaster driver. This array is passed to usb_check_int_endpoints
+function from usb.c core driver, which executes a for loop that iterates
+over the elements of the passed array. Not finding a null element at the end of
+the array, it tries to read the next, non-existent element, crashing the kernel.
+
+To fix this, a 0 element was added at the end of the array to break the for
+loop.
+
+[1] https://syzkaller.appspot.com/bug?extid=9c9179ac46169c56c1ad
+
+Reported-by: syzbot+9c9179ac46169c56c1ad@syzkaller.appspotmail.com
+Fixes: 50420d7c79c3 ("HID: hid-thrustmaster: Fix warning in thrustmaster_probe by adding endpoint check")
+Signed-off-by: Túlio Fernandes <tuliomf09@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-thrustmaster.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-thrustmaster.c b/drivers/hid/hid-thrustmaster.c
+index 6c3e758bbb09e..3b81468a1df29 100644
+--- a/drivers/hid/hid-thrustmaster.c
++++ b/drivers/hid/hid-thrustmaster.c
+@@ -171,7 +171,7 @@ static void thrustmaster_interrupts(struct hid_device *hdev)
+ b_ep = ep->desc.bEndpointAddress;
+
+ /* Are the expected endpoints present? */
+- u8 ep_addr[1] = {b_ep};
++ u8 ep_addr[2] = {b_ep, 0};
+
+ if (!usb_check_int_endpoints(usbif, ep_addr)) {
+ hid_err(hdev, "Unexpected non-int endpoint\n");
+--
+2.39.5
+
--- /dev/null
+From 06f5fd08d4db10b979cee7acfa1a431f93bd0657 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Nov 2024 14:26:21 +0800
+Subject: HID: multitouch: Add NULL check in mt_input_configured
+
+From: Charles Han <hanchunchao@inspur.com>
+
+[ Upstream commit 9b8e2220d3a052a690b1d1b23019673e612494c5 ]
+
+devm_kasprintf() can return a NULL pointer on failure,but this
+returned value in mt_input_configured() is not checked.
+Add NULL check in mt_input_configured(), to handle kernel NULL
+pointer dereference error.
+
+Fixes: 479439463529 ("HID: multitouch: Correct devm device reference for hidinput input_dev name")
+Signed-off-by: Charles Han <hanchunchao@inspur.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-multitouch.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
+index 5ad871a7d1a44..6386043aab0bb 100644
+--- a/drivers/hid/hid-multitouch.c
++++ b/drivers/hid/hid-multitouch.c
+@@ -1668,9 +1668,12 @@ static int mt_input_configured(struct hid_device *hdev, struct hid_input *hi)
+ break;
+ }
+
+- if (suffix)
++ if (suffix) {
+ hi->input->name = devm_kasprintf(&hdev->dev, GFP_KERNEL,
+ "%s %s", hdev->name, suffix);
++ if (!hi->input->name)
++ return -ENOMEM;
++ }
+
+ return 0;
+ }
+--
+2.39.5
+
--- /dev/null
+From 4d0c80202c8ee91e2dea80bbe1bb8731742fed4b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Feb 2025 12:02:40 +0800
+Subject: LoongArch: csum: Fix OoB access in IP checksum code for negative
+ lengths
+
+From: Yuli Wang <wangyuli@uniontech.com>
+
+[ Upstream commit 6287f1a8c16138c2ec750953e35039634018c84a ]
+
+Commit 69e3a6aa6be2 ("LoongArch: Add checksum optimization for 64-bit
+system") would cause an undefined shift and an out-of-bounds read.
+
+Commit 8bd795fedb84 ("arm64: csum: Fix OoB access in IP checksum code
+for negative lengths") fixes the same issue on ARM64.
+
+Fixes: 69e3a6aa6be2 ("LoongArch: Add checksum optimization for 64-bit system")
+Co-developed-by: Wentao Guan <guanwentao@uniontech.com>
+Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
+Signed-off-by: Yuli Wang <wangyuli@uniontech.com>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/loongarch/lib/csum.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/loongarch/lib/csum.c b/arch/loongarch/lib/csum.c
+index a5e84b403c3b3..df309ae4045de 100644
+--- a/arch/loongarch/lib/csum.c
++++ b/arch/loongarch/lib/csum.c
+@@ -25,7 +25,7 @@ unsigned int __no_sanitize_address do_csum(const unsigned char *buff, int len)
+ const u64 *ptr;
+ u64 data, sum64 = 0;
+
+- if (unlikely(len == 0))
++ if (unlikely(len <= 0))
+ return 0;
+
+ offset = (unsigned long)buff & 7;
+--
+2.39.5
+
--- /dev/null
+From f8e5e9acdf77c37ba8b79d17d71dd20c96274d52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Feb 2025 12:02:35 +0800
+Subject: LoongArch: Fix idle VS timer enqueue
+
+From: Marco Crivellari <marco.crivellari@suse.com>
+
+[ Upstream commit edb1942542bc538707cea221e9c7923a6270465f ]
+
+LoongArch re-enables interrupts on its idle routine and performs a
+TIF_NEED_RESCHED check afterwards before putting the CPU to sleep.
+
+The IRQs firing between the check and the idle instruction may set the
+TIF_NEED_RESCHED flag. In order to deal with such a race, IRQs
+interrupting __arch_cpu_idle() rollback their return address to the
+beginning of __arch_cpu_idle() so that TIF_NEED_RESCHED is checked
+again before going back to sleep.
+
+However idle IRQs can also queue timers that may require a tick
+reprogramming through a new generic idle loop iteration but those timers
+would go unnoticed here because __arch_cpu_idle() only checks
+TIF_NEED_RESCHED. It doesn't check for pending timers.
+
+Fix this with fast-forwarding idle IRQs return address to the end of the
+idle routine instead of the beginning, so that the generic idle loop can
+handle both TIF_NEED_RESCHED and pending timers.
+
+Fixes: 0603839b18f4 ("LoongArch: Add exception/interrupt handling")
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Frederic Weisbecker <frederic@kernel.org>
+Signed-off-by: Marco Crivellari <marco.crivellari@suse.com>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/loongarch/kernel/genex.S | 28 +++++++++++++++-------------
+ arch/loongarch/kernel/idle.c | 3 +--
+ arch/loongarch/kernel/reset.c | 6 +++---
+ 3 files changed, 19 insertions(+), 18 deletions(-)
+
+diff --git a/arch/loongarch/kernel/genex.S b/arch/loongarch/kernel/genex.S
+index 2bb3aa2dcfcb2..e75c2dbd5f2c5 100644
+--- a/arch/loongarch/kernel/genex.S
++++ b/arch/loongarch/kernel/genex.S
+@@ -18,27 +18,29 @@
+
+ .align 5
+ SYM_FUNC_START(__arch_cpu_idle)
+- /* start of rollback region */
+- LONG_L t0, tp, TI_FLAGS
+- nop
+- andi t0, t0, _TIF_NEED_RESCHED
+- bnez t0, 1f
+- nop
+- nop
+- nop
++ /* start of idle interrupt region */
++ ori t0, zero, CSR_CRMD_IE
++ /* idle instruction needs irq enabled */
++ csrxchg t0, t0, LOONGARCH_CSR_CRMD
++ /*
++ * If an interrupt lands here; between enabling interrupts above and
++ * going idle on the next instruction, we must *NOT* go idle since the
++ * interrupt could have set TIF_NEED_RESCHED or caused an timer to need
++ * reprogramming. Fall through -- see handle_vint() below -- and have
++ * the idle loop take care of things.
++ */
+ idle 0
+- /* end of rollback region */
++ /* end of idle interrupt region */
+ 1: jr ra
+ SYM_FUNC_END(__arch_cpu_idle)
+
+ SYM_CODE_START(handle_vint)
+ BACKUP_T0T1
+ SAVE_ALL
+- la_abs t1, __arch_cpu_idle
++ la_abs t1, 1b
+ LONG_L t0, sp, PT_ERA
+- /* 32 byte rollback region */
+- ori t0, t0, 0x1f
+- xori t0, t0, 0x1f
++ /* 3 instructions idle interrupt region */
++ ori t0, t0, 0b1100
+ bne t0, t1, 1f
+ LONG_S t0, sp, PT_ERA
+ 1: move a0, sp
+diff --git a/arch/loongarch/kernel/idle.c b/arch/loongarch/kernel/idle.c
+index 0b5dd2faeb90b..54b247d8cdb69 100644
+--- a/arch/loongarch/kernel/idle.c
++++ b/arch/loongarch/kernel/idle.c
+@@ -11,7 +11,6 @@
+
+ void __cpuidle arch_cpu_idle(void)
+ {
+- raw_local_irq_enable();
+- __arch_cpu_idle(); /* idle instruction needs irq enabled */
++ __arch_cpu_idle();
+ raw_local_irq_disable();
+ }
+diff --git a/arch/loongarch/kernel/reset.c b/arch/loongarch/kernel/reset.c
+index 1ef8c63835351..de8fa5a8a825c 100644
+--- a/arch/loongarch/kernel/reset.c
++++ b/arch/loongarch/kernel/reset.c
+@@ -33,7 +33,7 @@ void machine_halt(void)
+ console_flush_on_panic(CONSOLE_FLUSH_PENDING);
+
+ while (true) {
+- __arch_cpu_idle();
++ __asm__ __volatile__("idle 0" : : : "memory");
+ }
+ }
+
+@@ -53,7 +53,7 @@ void machine_power_off(void)
+ #endif
+
+ while (true) {
+- __arch_cpu_idle();
++ __asm__ __volatile__("idle 0" : : : "memory");
+ }
+ }
+
+@@ -74,6 +74,6 @@ void machine_restart(char *command)
+ acpi_reboot();
+
+ while (true) {
+- __arch_cpu_idle();
++ __asm__ __volatile__("idle 0" : : : "memory");
+ }
+ }
+--
+2.39.5
+
--- /dev/null
+From fbacd4be2b3fc7a94ef3ac52c3cc3af324646618 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Nov 2024 11:41:42 +0100
+Subject: media: cxd2841er: fix 64-bit division on gcc-9
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 8d46603eeeb4c6abff1d2e49f2a6ae289dac765e ]
+
+It appears that do_div() once more gets confused by a complex
+expression that ends up not quite being constant despite
+__builtin_constant_p() thinking it is:
+
+ERROR: modpost: "__aeabi_uldivmod" [drivers/media/dvb-frontends/cxd2841er.ko] undefined!
+
+Use div_u64() instead, forcing the expression to be evaluated
+first, and making it a bit more readable.
+
+Cc: Dan Carpenter <dan.carpenter@linaro.org>
+Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
+Closes: https://lore.kernel.org/linux-media/CA+G9fYvvNm-aYodLaAwwTjEGtX0YxR-1R14FOA5aHKt0sSVsYg@mail.gmail.com/
+Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
+Closes: https://lore.kernel.org/linux-media/CA+G9fYvvNm-aYodLaAwwTjEGtX0YxR-1R14FOA5aHKt0sSVsYg@mail.gmail.com/
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+[hverkuil: added Closes tags]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/cxd2841er.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/media/dvb-frontends/cxd2841er.c b/drivers/media/dvb-frontends/cxd2841er.c
+index d925ca24183b5..415f1f91cc307 100644
+--- a/drivers/media/dvb-frontends/cxd2841er.c
++++ b/drivers/media/dvb-frontends/cxd2841er.c
+@@ -311,12 +311,8 @@ static int cxd2841er_set_reg_bits(struct cxd2841er_priv *priv,
+
+ static u32 cxd2841er_calc_iffreq_xtal(enum cxd2841er_xtal xtal, u32 ifhz)
+ {
+- u64 tmp;
+-
+- tmp = (u64) ifhz * 16777216;
+- do_div(tmp, ((xtal == SONY_XTAL_24000) ? 48000000 : 41000000));
+-
+- return (u32) tmp;
++ return div_u64(ifhz * 16777216ull,
++ (xtal == SONY_XTAL_24000) ? 48000000 : 41000000);
+ }
+
+ static u32 cxd2841er_calc_iffreq(u32 ifhz)
+--
+2.39.5
+
--- /dev/null
+From 0256e0d0944068390b82265bd4e5108d1a80e90b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2024 10:26:49 +0200
+Subject: media: i2c: ds90ub913: Add error handling to ub913_hw_init()
+
+From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+
+[ Upstream commit acd8f58d7a3bce0fbd3263961cd09555c00464ba ]
+
+Add error handling to ub913_hw_init() using a new helper function,
+ub913_update_bits().
+
+Reported-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Closes: https://lore.kernel.org/all/Zv40EQSR__JDN_0M@kekkonen.localdomain/
+Reviewed-by: Jai Luthra <jai.luthra@ideasonboard.com>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/ds90ub913.c | 25 +++++++++++++++++++++----
+ 1 file changed, 21 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/i2c/ds90ub913.c b/drivers/media/i2c/ds90ub913.c
+index 5a650facae415..ae33d1ecf835d 100644
+--- a/drivers/media/i2c/ds90ub913.c
++++ b/drivers/media/i2c/ds90ub913.c
+@@ -8,6 +8,7 @@
+ * Copyright (c) 2023 Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+ */
+
++#include <linux/bitfield.h>
+ #include <linux/clk-provider.h>
+ #include <linux/clk.h>
+ #include <linux/delay.h>
+@@ -146,6 +147,19 @@ static int ub913_write(const struct ub913_data *priv, u8 reg, u8 val)
+ return ret;
+ }
+
++static int ub913_update_bits(const struct ub913_data *priv, u8 reg, u8 mask,
++ u8 val)
++{
++ int ret;
++
++ ret = regmap_update_bits(priv->regmap, reg, mask, val);
++ if (ret < 0)
++ dev_err(&priv->client->dev,
++ "Cannot update register 0x%02x %d!\n", reg, ret);
++
++ return ret;
++}
++
+ /*
+ * GPIO chip
+ */
+@@ -733,10 +747,13 @@ static int ub913_hw_init(struct ub913_data *priv)
+ if (ret)
+ return dev_err_probe(dev, ret, "i2c master init failed\n");
+
+- ub913_read(priv, UB913_REG_GENERAL_CFG, &v);
+- v &= ~UB913_REG_GENERAL_CFG_PCLK_RISING;
+- v |= priv->pclk_polarity_rising ? UB913_REG_GENERAL_CFG_PCLK_RISING : 0;
+- ub913_write(priv, UB913_REG_GENERAL_CFG, v);
++ ret = ub913_update_bits(priv, UB913_REG_GENERAL_CFG,
++ UB913_REG_GENERAL_CFG_PCLK_RISING,
++ FIELD_PREP(UB913_REG_GENERAL_CFG_PCLK_RISING,
++ priv->pclk_polarity_rising));
++
++ if (ret)
++ return ret;
+
+ return 0;
+ }
+--
+2.39.5
+
--- /dev/null
+From ba8d5f0bcc4f6f2f97bf73bbf23a3e61e49f3724 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2024 10:26:50 +0200
+Subject: media: i2c: ds90ub953: Add error handling for i2c reads/writes
+
+From: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+
+[ Upstream commit 0794c43ea1e451007e80246e1288ebbf44139397 ]
+
+Add error handling for i2c reads/writes in various places.
+
+Reported-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Closes: https://lore.kernel.org/all/Zv40EQSR__JDN_0M@kekkonen.localdomain/
+Reviewed-by: Jai Luthra <jai.luthra@ideasonboard.com>
+Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/i2c/ds90ub953.c | 46 ++++++++++++++++++++++++-----------
+ 1 file changed, 32 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/media/i2c/ds90ub953.c b/drivers/media/i2c/ds90ub953.c
+index 1dd29137d2d9f..007c95ac34d93 100644
+--- a/drivers/media/i2c/ds90ub953.c
++++ b/drivers/media/i2c/ds90ub953.c
+@@ -398,8 +398,13 @@ static int ub953_gpiochip_probe(struct ub953_data *priv)
+ int ret;
+
+ /* Set all GPIOs to local input mode */
+- ub953_write(priv, UB953_REG_LOCAL_GPIO_DATA, 0);
+- ub953_write(priv, UB953_REG_GPIO_INPUT_CTRL, 0xf);
++ ret = ub953_write(priv, UB953_REG_LOCAL_GPIO_DATA, 0);
++ if (ret)
++ return ret;
++
++ ret = ub953_write(priv, UB953_REG_GPIO_INPUT_CTRL, 0xf);
++ if (ret)
++ return ret;
+
+ gc->label = dev_name(dev);
+ gc->parent = dev;
+@@ -961,10 +966,11 @@ static void ub953_calc_clkout_params(struct ub953_data *priv,
+ clkout_data->rate = clkout_rate;
+ }
+
+-static void ub953_write_clkout_regs(struct ub953_data *priv,
+- const struct ub953_clkout_data *clkout_data)
++static int ub953_write_clkout_regs(struct ub953_data *priv,
++ const struct ub953_clkout_data *clkout_data)
+ {
+ u8 clkout_ctrl0, clkout_ctrl1;
++ int ret;
+
+ if (priv->hw_data->is_ub971)
+ clkout_ctrl0 = clkout_data->m;
+@@ -974,8 +980,15 @@ static void ub953_write_clkout_regs(struct ub953_data *priv,
+
+ clkout_ctrl1 = clkout_data->n;
+
+- ub953_write(priv, UB953_REG_CLKOUT_CTRL0, clkout_ctrl0);
+- ub953_write(priv, UB953_REG_CLKOUT_CTRL1, clkout_ctrl1);
++ ret = ub953_write(priv, UB953_REG_CLKOUT_CTRL0, clkout_ctrl0);
++ if (ret)
++ return ret;
++
++ ret = ub953_write(priv, UB953_REG_CLKOUT_CTRL1, clkout_ctrl1);
++ if (ret)
++ return ret;
++
++ return 0;
+ }
+
+ static unsigned long ub953_clkout_recalc_rate(struct clk_hw *hw,
+@@ -1055,9 +1068,7 @@ static int ub953_clkout_set_rate(struct clk_hw *hw, unsigned long rate,
+ dev_dbg(&priv->client->dev, "%s %lu (requested %lu)\n", __func__,
+ clkout_data.rate, rate);
+
+- ub953_write_clkout_regs(priv, &clkout_data);
+-
+- return 0;
++ return ub953_write_clkout_regs(priv, &clkout_data);
+ }
+
+ static const struct clk_ops ub953_clkout_ops = {
+@@ -1082,7 +1093,9 @@ static int ub953_register_clkout(struct ub953_data *priv)
+
+ /* Initialize clkout to 25MHz by default */
+ ub953_calc_clkout_params(priv, UB953_DEFAULT_CLKOUT_RATE, &clkout_data);
+- ub953_write_clkout_regs(priv, &clkout_data);
++ ret = ub953_write_clkout_regs(priv, &clkout_data);
++ if (ret)
++ return ret;
+
+ priv->clkout_clk_hw.init = &init;
+
+@@ -1229,10 +1242,15 @@ static int ub953_hw_init(struct ub953_data *priv)
+ if (ret)
+ return dev_err_probe(dev, ret, "i2c init failed\n");
+
+- ub953_write(priv, UB953_REG_GENERAL_CFG,
+- (priv->non_continous_clk ? 0 : UB953_REG_GENERAL_CFG_CONT_CLK) |
+- ((priv->num_data_lanes - 1) << UB953_REG_GENERAL_CFG_CSI_LANE_SEL_SHIFT) |
+- UB953_REG_GENERAL_CFG_CRC_TX_GEN_ENABLE);
++ v = 0;
++ v |= priv->non_continous_clk ? 0 : UB953_REG_GENERAL_CFG_CONT_CLK;
++ v |= (priv->num_data_lanes - 1) <<
++ UB953_REG_GENERAL_CFG_CSI_LANE_SEL_SHIFT;
++ v |= UB953_REG_GENERAL_CFG_CRC_TX_GEN_ENABLE;
++
++ ret = ub953_write(priv, UB953_REG_GENERAL_CFG, v);
++ if (ret)
++ return ret;
+
+ return 0;
+ }
+--
+2.39.5
+
--- /dev/null
+From 64d007708a8d4149b7add0bb02be692ede8dc9b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Dec 2024 11:13:51 +0000
+Subject: media: uvcvideo: Add Kurokesu C1 PRO camera
+
+From: Isaac Scott <isaac.scott@ideasonboard.com>
+
+[ Upstream commit 2762eab6d4140781840f253f9a04b8627017248b ]
+
+Add support for the Kurokesu C1 PRO camera. This camera experiences the
+same issues faced by the Sonix Technology Co. 292A IPC AR0330. As such,
+enable the UVC_QUIRK_MJPEG_NO_EOF quirk for this device to prevent
+frames from being erroneously dropped.
+
+Signed-off-by: Isaac Scott <isaac.scott@ideasonboard.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_driver.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c
+index 1e8a3b069266d..ae2e8bd2b3f73 100644
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -2923,6 +2923,15 @@ static const struct usb_device_id uvc_ids[] = {
+ .bInterfaceSubClass = 1,
+ .bInterfaceProtocol = 0,
+ .driver_info = (kernel_ulong_t)&uvc_quirk_probe_minmax },
++ /* Kurokesu C1 PRO */
++ { .match_flags = USB_DEVICE_ID_MATCH_DEVICE
++ | USB_DEVICE_ID_MATCH_INT_INFO,
++ .idVendor = 0x16d0,
++ .idProduct = 0x0ed1,
++ .bInterfaceClass = USB_CLASS_VIDEO,
++ .bInterfaceSubClass = 1,
++ .bInterfaceProtocol = 0,
++ .driver_info = UVC_INFO_QUIRK(UVC_QUIRK_MJPEG_NO_EOF) },
+ /* Syntek (HP Spartan) */
+ { .match_flags = USB_DEVICE_ID_MATCH_DEVICE
+ | USB_DEVICE_ID_MATCH_INT_INFO,
+--
+2.39.5
+
--- /dev/null
+From b057f599fce755a5b81d46ce1958f9289bd4529b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Nov 2024 14:51:44 +0000
+Subject: media: uvcvideo: Add new quirk definition for the Sonix Technology
+ Co. 292a camera
+
+From: Isaac Scott <isaac.scott@ideasonboard.com>
+
+[ Upstream commit 81f8c0e138c43610cf09b8d2a533068aa58e538e ]
+
+The Sonix Technology Co. 292A camera (which uses an AR0330 sensor), can
+produce MJPEG and H.264 streams concurrently. When doing so, it drops
+the last packets of MJPEG frames every time the H.264 stream generates a
+key frame. Set the UVC_QUIRK_MJPEG_NO_EOF quirk to work around the
+issue.
+
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Isaac Scott <isaac.scott@ideasonboard.com>
+Link: https://lore.kernel.org/r/20241128145144.61475-3-isaac.scott@ideasonboard.com
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_driver.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c
+index 95c5b90f3e7c1..1e8a3b069266d 100644
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -2886,6 +2886,15 @@ static const struct usb_device_id uvc_ids[] = {
+ .bInterfaceSubClass = 1,
+ .bInterfaceProtocol = 0,
+ .driver_info = (kernel_ulong_t)&uvc_quirk_probe_minmax },
++ /* Sonix Technology Co. Ltd. - 292A IPC AR0330 */
++ { .match_flags = USB_DEVICE_ID_MATCH_DEVICE
++ | USB_DEVICE_ID_MATCH_INT_INFO,
++ .idVendor = 0x0c45,
++ .idProduct = 0x6366,
++ .bInterfaceClass = USB_CLASS_VIDEO,
++ .bInterfaceSubClass = 1,
++ .bInterfaceProtocol = 0,
++ .driver_info = UVC_INFO_QUIRK(UVC_QUIRK_MJPEG_NO_EOF) },
+ /* MT6227 */
+ { .match_flags = USB_DEVICE_ID_MATCH_DEVICE
+ | USB_DEVICE_ID_MATCH_INT_INFO,
+--
+2.39.5
+
--- /dev/null
+From c18138f787183381f23640007566c87be4d4a83f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Nov 2024 14:51:43 +0000
+Subject: media: uvcvideo: Implement dual stream quirk to fix loss of usb
+ packets
+
+From: Isaac Scott <isaac.scott@ideasonboard.com>
+
+[ Upstream commit c2eda35e675b6ea4a0a21a4b1167b121571a9036 ]
+
+Some cameras, such as the Sonix Technology Co. 292A, exhibit issues when
+running two parallel streams, causing USB packets to be dropped when an
+H.264 stream posts a keyframe while an MJPEG stream is running
+simultaneously. This occasionally causes the driver to erroneously
+output two consecutive JPEG images as a single frame.
+
+To fix this, we inspect the buffer, and trigger a new frame when we
+find an SOI.
+
+Signed-off-by: Isaac Scott <isaac.scott@ideasonboard.com>
+Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
+Link: https://lore.kernel.org/r/20241128145144.61475-2-isaac.scott@ideasonboard.com
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_video.c | 27 ++++++++++++++++++++++++++-
+ drivers/media/usb/uvc/uvcvideo.h | 1 +
+ 2 files changed, 27 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/uvc/uvc_video.c b/drivers/media/usb/uvc/uvc_video.c
+index a2504e1e991b9..9572fdfe74f24 100644
+--- a/drivers/media/usb/uvc/uvc_video.c
++++ b/drivers/media/usb/uvc/uvc_video.c
+@@ -20,6 +20,7 @@
+ #include <linux/atomic.h>
+ #include <asm/unaligned.h>
+
++#include <media/jpeg.h>
+ #include <media/v4l2-common.h>
+
+ #include "uvcvideo.h"
+@@ -1114,6 +1115,7 @@ static void uvc_video_stats_stop(struct uvc_streaming *stream)
+ static int uvc_video_decode_start(struct uvc_streaming *stream,
+ struct uvc_buffer *buf, const u8 *data, int len)
+ {
++ u8 header_len;
+ u8 fid;
+
+ /*
+@@ -1127,6 +1129,7 @@ static int uvc_video_decode_start(struct uvc_streaming *stream,
+ return -EINVAL;
+ }
+
++ header_len = data[0];
+ fid = data[1] & UVC_STREAM_FID;
+
+ /*
+@@ -1208,9 +1211,31 @@ static int uvc_video_decode_start(struct uvc_streaming *stream,
+ return -EAGAIN;
+ }
+
++ /*
++ * Some cameras, when running two parallel streams (one MJPEG alongside
++ * another non-MJPEG stream), are known to lose the EOF packet for a frame.
++ * We can detect the end of a frame by checking for a new SOI marker, as
++ * the SOI always lies on the packet boundary between two frames for
++ * these devices.
++ */
++ if (stream->dev->quirks & UVC_QUIRK_MJPEG_NO_EOF &&
++ (stream->cur_format->fcc == V4L2_PIX_FMT_MJPEG ||
++ stream->cur_format->fcc == V4L2_PIX_FMT_JPEG)) {
++ const u8 *packet = data + header_len;
++
++ if (len >= header_len + 2 &&
++ packet[0] == 0xff && packet[1] == JPEG_MARKER_SOI &&
++ buf->bytesused != 0) {
++ buf->state = UVC_BUF_STATE_READY;
++ buf->error = 1;
++ stream->last_fid ^= UVC_STREAM_FID;
++ return -EAGAIN;
++ }
++ }
++
+ stream->last_fid = fid;
+
+- return data[0];
++ return header_len;
+ }
+
+ static inline enum dma_data_direction uvc_stream_dir(
+diff --git a/drivers/media/usb/uvc/uvcvideo.h b/drivers/media/usb/uvc/uvcvideo.h
+index 997f4b5b5e22a..30fd056b2aec9 100644
+--- a/drivers/media/usb/uvc/uvcvideo.h
++++ b/drivers/media/usb/uvc/uvcvideo.h
+@@ -76,6 +76,7 @@
+ #define UVC_QUIRK_NO_RESET_RESUME 0x00004000
+ #define UVC_QUIRK_DISABLE_AUTOSUSPEND 0x00008000
+ #define UVC_QUIRK_INVALID_DEVICE_SOF 0x00010000
++#define UVC_QUIRK_MJPEG_NO_EOF 0x00020000
+
+ /* Format flags */
+ #define UVC_FMT_FLAG_COMPRESSED 0x00000001
+--
+2.39.5
+
--- /dev/null
+From da4024f32a26b3f90f4bfcb5db6d29003e1af7b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Dec 2024 18:50:39 +0800
+Subject: media: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+[ Upstream commit 1221989555db711578a327a9367f1be46500cb48 ]
+
+syzbot report a null-ptr-deref in vidtv_mux_stop_thread. [1]
+
+If dvb->mux is not initialized successfully by vidtv_mux_init() in the
+vidtv_start_streaming(), it will trigger null pointer dereference about mux
+in vidtv_mux_stop_thread().
+
+Adjust the timing of streaming initialization and check it before
+stopping it.
+
+[1]
+KASAN: null-ptr-deref in range [0x0000000000000128-0x000000000000012f]
+CPU: 0 UID: 0 PID: 5842 Comm: syz-executor248 Not tainted 6.13.0-rc4-syzkaller-00012-g9b2ffa6148b1 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
+RIP: 0010:vidtv_mux_stop_thread+0x26/0x80 drivers/media/test-drivers/vidtv/vidtv_mux.c:471
+Code: 90 90 90 90 66 0f 1f 00 55 53 48 89 fb e8 82 2e c8 f9 48 8d bb 28 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 02 7e 3b 0f b6 ab 28 01 00 00 31 ff 89 ee e8
+RSP: 0018:ffffc90003f2faa8 EFLAGS: 00010202
+RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87cfb125
+RDX: 0000000000000025 RSI: ffffffff87d120ce RDI: 0000000000000128
+RBP: ffff888029b8d220 R08: 0000000000000005 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000003 R12: ffff888029b8d188
+R13: ffffffff8f590aa0 R14: ffffc9000581c5c8 R15: ffff888029a17710
+FS: 00007f7eef5156c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f7eef5e635c CR3: 0000000076ca6000 CR4: 00000000003526f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ vidtv_stop_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:209 [inline]
+ vidtv_stop_feed+0x151/0x250 drivers/media/test-drivers/vidtv/vidtv_bridge.c:252
+ dmx_section_feed_stop_filtering+0x90/0x160 drivers/media/dvb-core/dvb_demux.c:1000
+ dvb_dmxdev_feed_stop.isra.0+0x1ee/0x270 drivers/media/dvb-core/dmxdev.c:486
+ dvb_dmxdev_filter_stop+0x22a/0x3a0 drivers/media/dvb-core/dmxdev.c:559
+ dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]
+ dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246
+ __fput+0x3f8/0xb60 fs/file_table.c:450
+ task_work_run+0x14e/0x250 kernel/task_work.c:239
+ get_signal+0x1d3/0x2610 kernel/signal.c:2790
+ arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
+ exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
+ exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
+ syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
+ do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Reported-by: syzbot+5e248227c80a3be8e96a@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=5e248227c80a3be8e96a
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/test-drivers/vidtv/vidtv_bridge.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/test-drivers/vidtv/vidtv_bridge.c b/drivers/media/test-drivers/vidtv/vidtv_bridge.c
+index 8b04e12af286c..6e030584d598a 100644
+--- a/drivers/media/test-drivers/vidtv/vidtv_bridge.c
++++ b/drivers/media/test-drivers/vidtv/vidtv_bridge.c
+@@ -191,10 +191,11 @@ static int vidtv_start_streaming(struct vidtv_dvb *dvb)
+
+ mux_args.mux_buf_sz = mux_buf_sz;
+
+- dvb->streaming = true;
+ dvb->mux = vidtv_mux_init(dvb->fe[0], dev, &mux_args);
+ if (!dvb->mux)
+ return -ENOMEM;
++
++ dvb->streaming = true;
+ vidtv_mux_start_thread(dvb->mux);
+
+ dev_dbg_ratelimited(dev, "Started streaming\n");
+@@ -205,6 +206,11 @@ static int vidtv_stop_streaming(struct vidtv_dvb *dvb)
+ {
+ struct device *dev = &dvb->pdev->dev;
+
++ if (!dvb->streaming) {
++ dev_warn_ratelimited(dev, "No streaming. Skipping.\n");
++ return 0;
++ }
++
+ dvb->streaming = false;
+ vidtv_mux_stop_thread(dvb->mux);
+ vidtv_mux_destroy(dvb->mux);
+--
+2.39.5
+
--- /dev/null
+From a25d8c6f334f2954a7461d61245556ffc2ea6e59 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Feb 2025 13:58:33 +0000
+Subject: ndisc: ndisc_send_redirect() must use dev_get_by_index_rcu()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 48145a57d4bbe3496e8e4880b23ea6b511e6e519 ]
+
+ndisc_send_redirect() is called under RCU protection, not RTNL.
+
+It must use dev_get_by_index_rcu() instead of __dev_get_by_index()
+
+Fixes: 2f17becfbea5 ("vrf: check the original netdevice for generating redirect")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Stephen Suryaputra <ssuryaextr@gmail.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://patch.msgid.link/20250207135841.1948589-2-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ndisc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
+index 2ad0ef47b07c2..561972143ca42 100644
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -1680,7 +1680,7 @@ void ndisc_send_redirect(struct sk_buff *skb, const struct in6_addr *target)
+ bool ret;
+
+ if (netif_is_l3_master(skb->dev)) {
+- dev = __dev_get_by_index(dev_net(skb->dev), IPCB(skb)->iif);
++ dev = dev_get_by_index_rcu(dev_net(skb->dev), IPCB(skb)->iif);
+ if (!dev)
+ return;
+ }
+--
+2.39.5
+
--- /dev/null
+From 2aa68ed1ac959274480f4cfad7ec6d703c081d0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2024 00:13:12 +0800
+Subject: NFS: Fix potential buffer overflowin nfs_sysfs_link_rpc_client()
+
+From: Zichen Xie <zichenxie0106@gmail.com>
+
+[ Upstream commit 49fd4e34751e90e6df009b70cd0659dc839e7ca8 ]
+
+name is char[64] where the size of clnt->cl_program->name remains
+unknown. Invoking strcat() directly will also lead to potential buffer
+overflow. Change them to strscpy() and strncat() to fix potential
+issues.
+
+Signed-off-by: Zichen Xie <zichenxie0106@gmail.com>
+Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/sysfs.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/fs/nfs/sysfs.c b/fs/nfs/sysfs.c
+index bf378ecd5d9fd..7b59a40d40c06 100644
+--- a/fs/nfs/sysfs.c
++++ b/fs/nfs/sysfs.c
+@@ -280,9 +280,9 @@ void nfs_sysfs_link_rpc_client(struct nfs_server *server,
+ char name[RPC_CLIENT_NAME_SIZE];
+ int ret;
+
+- strcpy(name, clnt->cl_program->name);
+- strcat(name, uniq ? uniq : "");
+- strcat(name, "_client");
++ strscpy(name, clnt->cl_program->name, sizeof(name));
++ strncat(name, uniq ? uniq : "", sizeof(name) - strlen(name) - 1);
++ strncat(name, "_client", sizeof(name) - strlen(name) - 1);
+
+ ret = sysfs_create_link_nowarn(&server->kobj,
+ &clnt->cl_sysfs->kobject, name);
+--
+2.39.5
+
--- /dev/null
+From 0d4cd482d15c660ef542172879bf01d758b0538a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Jan 2025 14:21:08 -0500
+Subject: orangefs: fix a oob in orangefs_debug_write
+
+From: Mike Marshall <hubcap@omnibond.com>
+
+[ Upstream commit f7c848431632598ff9bce57a659db6af60d75b39 ]
+
+I got a syzbot report: slab-out-of-bounds Read in
+orangefs_debug_write... several people suggested fixes,
+I tested Al Viro's suggestion and made this patch.
+
+Signed-off-by: Mike Marshall <hubcap@omnibond.com>
+Reported-by: syzbot+fc519d7875f2d9186c1f@syzkaller.appspotmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/orangefs/orangefs-debugfs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c
+index 1b508f5433846..fa41db0884880 100644
+--- a/fs/orangefs/orangefs-debugfs.c
++++ b/fs/orangefs/orangefs-debugfs.c
+@@ -393,9 +393,9 @@ static ssize_t orangefs_debug_write(struct file *file,
+ * Thwart users who try to jamb a ridiculous number
+ * of bytes into the debug file...
+ */
+- if (count > ORANGEFS_MAX_DEBUG_STRING_LEN + 1) {
++ if (count > ORANGEFS_MAX_DEBUG_STRING_LEN) {
+ silly = count;
+- count = ORANGEFS_MAX_DEBUG_STRING_LEN + 1;
++ count = ORANGEFS_MAX_DEBUG_STRING_LEN;
+ }
+
+ buf = kzalloc(ORANGEFS_MAX_DEBUG_STRING_LEN, GFP_KERNEL);
+--
+2.39.5
+
--- /dev/null
+From f5770af8f157755dbf255323588cb2bcdafd3a6c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Jan 2025 17:43:13 +0100
+Subject: PCI/DPC: Quirk PIO log size for Intel Raptor Lake-P
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit b198499c7d2508a76243b98e7cca992f6fd2b7f7 ]
+
+Apparently the Raptor Lake-P reference firmware configures the PIO log size
+correctly, but some vendor BIOSes, including at least ASUSTeK COMPUTER INC.
+Zenbook UX3402VA_UX3402VA, do not.
+
+Apply the quirk for Raptor Lake-P. This prevents kernel complaints like:
+
+ DPC: RP PIO log size 0 is invalid
+
+and also enables the DPC driver to dump the RP PIO Log registers when DPC
+is triggered.
+
+Note that the bug report also mentions 8086:a76e, which has been already
+added by 627c6db20703 ("PCI/DPC: Quirk PIO log size for Intel Raptor Lake
+Root Ports").
+
+Link: https://lore.kernel.org/r/20250102164315.7562-1-tiwai@suse.de
+Link: https://bugzilla.suse.com/show_bug.cgi?id=1234623
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+[bhelgaas: commit log]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/quirks.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
+index fd35ad0648a07..a256928fb126c 100644
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -6247,6 +6247,7 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x9a2b, dpc_log_size);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x9a2d, dpc_log_size);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x9a2f, dpc_log_size);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x9a31, dpc_log_size);
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0xa72f, dpc_log_size);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0xa73f, dpc_log_size);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0xa76e, dpc_log_size);
+ #endif
+--
+2.39.5
+
--- /dev/null
+From b14272445a9f6d33f8779b4e941f500f21f2ef55 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Jan 2025 15:25:24 +0530
+Subject: PCI: switchtec: Add Microchip PCI100X device IDs
+
+From: Rakesh Babu Saladi <Saladi.Rakeshbabu@microchip.com>
+
+[ Upstream commit a3282f84b2151d254dc4abf24d1255c6382be774 ]
+
+Add Microchip parts to the Device ID table so the driver supports PCI100x
+devices.
+
+Add a new macro to quirk the Microchip Switchtec PCI100x parts to allow DMA
+access via NTB to work when the IOMMU is turned on.
+
+PCI100x family has 6 variants; each variant is designed for different
+application usages, different port counts and lane counts:
+
+ PCI1001 has 1 x4 upstream port and 3 x4 downstream ports
+ PCI1002 has 1 x4 upstream port and 4 x2 downstream ports
+ PCI1003 has 2 x4 upstream ports, 2 x2 upstream ports, and 2 x2
+ downstream ports
+ PCI1004 has 4 x4 upstream ports
+ PCI1005 has 1 x4 upstream port and 6 x2 downstream ports
+ PCI1006 has 6 x2 upstream ports and 2 x2 downstream ports
+
+[Historical note: these parts use PCI_VENDOR_ID_EFAR (0x1055), from EFAR
+Microsystems, which was acquired in 1996 by Standard Microsystems Corp,
+which was acquired by Microchip Technology in 2012. The PCI-SIG confirms
+that Vendor ID 0x1055 is assigned to Microchip even though it's not
+visible via https://pcisig.com/membership/member-companies]
+
+Link: https://lore.kernel.org/r/20250120095524.243103-1-Saladi.Rakeshbabu@microchip.com
+Signed-off-by: Rakesh Babu Saladi <Saladi.Rakeshbabu@microchip.com>
+[bhelgaas: Vendor ID history]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Acked-By: Logan Gunthorpe <logang@deltatee.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/quirks.c | 11 +++++++++++
+ drivers/pci/switch/switchtec.c | 26 ++++++++++++++++++++++++++
+ 2 files changed, 37 insertions(+)
+
+diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
+index a256928fb126c..70f484b811dea 100644
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -5978,6 +5978,17 @@ SWITCHTEC_QUIRK(0x5552); /* PAXA 52XG5 */
+ SWITCHTEC_QUIRK(0x5536); /* PAXA 36XG5 */
+ SWITCHTEC_QUIRK(0x5528); /* PAXA 28XG5 */
+
++#define SWITCHTEC_PCI100X_QUIRK(vid) \
++ DECLARE_PCI_FIXUP_CLASS_FINAL(PCI_VENDOR_ID_EFAR, vid, \
++ PCI_CLASS_BRIDGE_OTHER, 8, quirk_switchtec_ntb_dma_alias)
++SWITCHTEC_PCI100X_QUIRK(0x1001); /* PCI1001XG4 */
++SWITCHTEC_PCI100X_QUIRK(0x1002); /* PCI1002XG4 */
++SWITCHTEC_PCI100X_QUIRK(0x1003); /* PCI1003XG4 */
++SWITCHTEC_PCI100X_QUIRK(0x1004); /* PCI1004XG4 */
++SWITCHTEC_PCI100X_QUIRK(0x1005); /* PCI1005XG4 */
++SWITCHTEC_PCI100X_QUIRK(0x1006); /* PCI1006XG4 */
++
++
+ /*
+ * The PLX NTB uses devfn proxy IDs to move TLPs between NT endpoints.
+ * These IDs are used to forward responses to the originator on the other
+diff --git a/drivers/pci/switch/switchtec.c b/drivers/pci/switch/switchtec.c
+index 5a4adf6c04cf8..455fa5035a245 100644
+--- a/drivers/pci/switch/switchtec.c
++++ b/drivers/pci/switch/switchtec.c
+@@ -1737,6 +1737,26 @@ static void switchtec_pci_remove(struct pci_dev *pdev)
+ .driver_data = gen, \
+ }
+
++#define SWITCHTEC_PCI100X_DEVICE(device_id, gen) \
++ { \
++ .vendor = PCI_VENDOR_ID_EFAR, \
++ .device = device_id, \
++ .subvendor = PCI_ANY_ID, \
++ .subdevice = PCI_ANY_ID, \
++ .class = (PCI_CLASS_MEMORY_OTHER << 8), \
++ .class_mask = 0xFFFFFFFF, \
++ .driver_data = gen, \
++ }, \
++ { \
++ .vendor = PCI_VENDOR_ID_EFAR, \
++ .device = device_id, \
++ .subvendor = PCI_ANY_ID, \
++ .subdevice = PCI_ANY_ID, \
++ .class = (PCI_CLASS_BRIDGE_OTHER << 8), \
++ .class_mask = 0xFFFFFFFF, \
++ .driver_data = gen, \
++ }
++
+ static const struct pci_device_id switchtec_pci_tbl[] = {
+ SWITCHTEC_PCI_DEVICE(0x8531, SWITCHTEC_GEN3), /* PFX 24xG3 */
+ SWITCHTEC_PCI_DEVICE(0x8532, SWITCHTEC_GEN3), /* PFX 32xG3 */
+@@ -1831,6 +1851,12 @@ static const struct pci_device_id switchtec_pci_tbl[] = {
+ SWITCHTEC_PCI_DEVICE(0x5552, SWITCHTEC_GEN5), /* PAXA 52XG5 */
+ SWITCHTEC_PCI_DEVICE(0x5536, SWITCHTEC_GEN5), /* PAXA 36XG5 */
+ SWITCHTEC_PCI_DEVICE(0x5528, SWITCHTEC_GEN5), /* PAXA 28XG5 */
++ SWITCHTEC_PCI100X_DEVICE(0x1001, SWITCHTEC_GEN4), /* PCI1001 16XG4 */
++ SWITCHTEC_PCI100X_DEVICE(0x1002, SWITCHTEC_GEN4), /* PCI1002 12XG4 */
++ SWITCHTEC_PCI100X_DEVICE(0x1003, SWITCHTEC_GEN4), /* PCI1003 16XG4 */
++ SWITCHTEC_PCI100X_DEVICE(0x1004, SWITCHTEC_GEN4), /* PCI1004 16XG4 */
++ SWITCHTEC_PCI100X_DEVICE(0x1005, SWITCHTEC_GEN4), /* PCI1005 16XG4 */
++ SWITCHTEC_PCI100X_DEVICE(0x1006, SWITCHTEC_GEN4), /* PCI1006 16XG4 */
+ {0}
+ };
+ MODULE_DEVICE_TABLE(pci, switchtec_pci_tbl);
+--
+2.39.5
+
--- /dev/null
+From 0d34c123c4daf556b0befca5f4809c2f61a407ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Jan 2025 16:21:45 +0200
+Subject: pinctrl: cy8c95x0: Respect IRQ trigger settings from firmware
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 1ddee69108d305bbc059cbf31c0b47626796be77 ]
+
+Some of the platforms may connect the INT pin via inversion logic
+effectively make the triggering to be active-low.
+Remove explicit trigger flag to respect the settings from firmware.
+
+Without this change even idling chip produces spurious interrupts
+and kernel disables the line in the result:
+
+ irq 33: nobody cared (try booting with the "irqpoll" option)
+ CPU: 0 UID: 0 PID: 125 Comm: irq/33-i2c-INT3 Not tainted 6.12.0-00236-g8b874ed11dae #64
+ Hardware name: Intel Corp. QUARK/Galileo, BIOS 0x01000900 01/01/2014
+ ...
+ handlers:
+ [<86e86bea>] irq_default_primary_handler threaded [<d153e44a>] cy8c95x0_irq_handler [pinctrl_cy8c95x0]
+ Disabling IRQ #33
+
+Fixes: e6cbbe42944d ("pinctrl: Add Cypress cy8c95x0 support")
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/20250117142304.596106-2-andriy.shevchenko@linux.intel.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/pinctrl-cy8c95x0.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/pinctrl-cy8c95x0.c b/drivers/pinctrl/pinctrl-cy8c95x0.c
+index f2b9db66fdb6a..d2488d80912c9 100644
+--- a/drivers/pinctrl/pinctrl-cy8c95x0.c
++++ b/drivers/pinctrl/pinctrl-cy8c95x0.c
+@@ -1281,7 +1281,7 @@ static int cy8c95x0_irq_setup(struct cy8c95x0_pinctrl *chip, int irq)
+
+ ret = devm_request_threaded_irq(chip->dev, irq,
+ NULL, cy8c95x0_irq_handler,
+- IRQF_ONESHOT | IRQF_SHARED | IRQF_TRIGGER_HIGH,
++ IRQF_ONESHOT | IRQF_SHARED,
+ dev_name(chip->dev), chip);
+ if (ret) {
+ dev_err(chip->dev, "failed to request irq %d\n", irq);
+--
+2.39.5
+
--- /dev/null
+From b3354f606c3330b015d501d58ee42a8273beea31 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Dec 2024 13:15:48 +0000
+Subject: RDMA/efa: Reset device on probe failure
+
+From: Michael Margolin <mrgolin@amazon.com>
+
+[ Upstream commit 123c13f10ed3627ba112172d8bd122a72cae226d ]
+
+Make sure the device is being reset on driver exit whatever the reason
+is, to keep the device aligned and allow it to close shared resources
+(e.g. admin queue).
+
+Reviewed-by: Firas Jahjah <firasj@amazon.com>
+Reviewed-by: Yonatan Nachum <ynachum@amazon.com>
+Signed-off-by: Michael Margolin <mrgolin@amazon.com>
+Link: https://patch.msgid.link/20241225131548.15155-1-mrgolin@amazon.com
+Reviewed-by: Gal Pressman <gal.pressman@linux.dev>
+Signed-off-by: Leon Romanovsky <leon@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/efa/efa_main.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/infiniband/hw/efa/efa_main.c b/drivers/infiniband/hw/efa/efa_main.c
+index 15ee920811187..924940ca9de0a 100644
+--- a/drivers/infiniband/hw/efa/efa_main.c
++++ b/drivers/infiniband/hw/efa/efa_main.c
+@@ -452,7 +452,6 @@ static void efa_ib_device_remove(struct efa_dev *dev)
+ ibdev_info(&dev->ibdev, "Unregister ib device\n");
+ ib_unregister_device(&dev->ibdev);
+ efa_destroy_eqs(dev);
+- efa_com_dev_reset(&dev->edev, EFA_REGS_RESET_NORMAL);
+ efa_release_doorbell_bar(dev);
+ }
+
+@@ -623,12 +622,14 @@ static struct efa_dev *efa_probe_device(struct pci_dev *pdev)
+ return ERR_PTR(err);
+ }
+
+-static void efa_remove_device(struct pci_dev *pdev)
++static void efa_remove_device(struct pci_dev *pdev,
++ enum efa_regs_reset_reason_types reset_reason)
+ {
+ struct efa_dev *dev = pci_get_drvdata(pdev);
+ struct efa_com_dev *edev;
+
+ edev = &dev->edev;
++ efa_com_dev_reset(edev, reset_reason);
+ efa_com_admin_destroy(edev);
+ efa_free_irq(dev, &dev->admin_irq);
+ efa_disable_msix(dev);
+@@ -656,7 +657,7 @@ static int efa_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ return 0;
+
+ err_remove_device:
+- efa_remove_device(pdev);
++ efa_remove_device(pdev, EFA_REGS_RESET_INIT_ERR);
+ return err;
+ }
+
+@@ -665,7 +666,7 @@ static void efa_remove(struct pci_dev *pdev)
+ struct efa_dev *dev = pci_get_drvdata(pdev);
+
+ efa_ib_device_remove(dev);
+- efa_remove_device(pdev);
++ efa_remove_device(pdev, EFA_REGS_RESET_NORMAL);
+ }
+
+ static struct pci_driver efa_pci_driver = {
+--
+2.39.5
+
--- /dev/null
+From c0f013eee3f06c1ef0a3bd7bcfeb6de49b31d12c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Jan 2025 15:49:30 +0100
+Subject: rtla/timerlat_hist: Abort event processing on second signal
+
+From: Tomas Glozar <tglozar@redhat.com>
+
+[ Upstream commit d6899e560366e10141189697502bc5521940c588 ]
+
+If either SIGINT is received twice, or after a SIGALRM (that is, after
+timerlat was supposed to stop), abort processing events currently left
+in the tracefs buffer and exit immediately.
+
+This allows the user to exit rtla without waiting for processing all
+events, should that take longer than wanted, at the cost of not
+processing all samples.
+
+Cc: John Kacur <jkacur@redhat.com>
+Cc: Luis Goncalves <lgoncalv@redhat.com>
+Cc: Gabriele Monaco <gmonaco@redhat.com>
+Link: https://lore.kernel.org/20250116144931.649593-5-tglozar@redhat.com
+Signed-off-by: Tomas Glozar <tglozar@redhat.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/tracing/rtla/src/timerlat_hist.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/tools/tracing/rtla/src/timerlat_hist.c b/tools/tracing/rtla/src/timerlat_hist.c
+index 1525e88c6cf96..a985e57954820 100644
+--- a/tools/tracing/rtla/src/timerlat_hist.c
++++ b/tools/tracing/rtla/src/timerlat_hist.c
+@@ -952,6 +952,14 @@ static int stop_tracing;
+ static struct trace_instance *hist_inst = NULL;
+ static void stop_hist(int sig)
+ {
++ if (stop_tracing) {
++ /*
++ * Stop requested twice in a row; abort event processing and
++ * exit immediately
++ */
++ tracefs_iterate_stop(hist_inst->inst);
++ return;
++ }
+ stop_tracing = 1;
+ if (hist_inst)
+ trace_instance_stop(hist_inst);
+--
+2.39.5
+
--- /dev/null
+From 15641f8bfd3a062eab10cae8bebf754ca8ab21d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Jan 2025 15:49:31 +0100
+Subject: rtla/timerlat_top: Abort event processing on second signal
+
+From: Tomas Glozar <tglozar@redhat.com>
+
+[ Upstream commit 80967b354a76b360943af384c10d807d98bea5c4 ]
+
+If either SIGINT is received twice, or after a SIGALRM (that is, after
+timerlat was supposed to stop), abort processing events currently left
+in the tracefs buffer and exit immediately.
+
+This allows the user to exit rtla without waiting for processing all
+events, should that take longer than wanted, at the cost of not
+processing all samples.
+
+Cc: John Kacur <jkacur@redhat.com>
+Cc: Luis Goncalves <lgoncalv@redhat.com>
+Cc: Gabriele Monaco <gmonaco@redhat.com>
+Link: https://lore.kernel.org/20250116144931.649593-6-tglozar@redhat.com
+Signed-off-by: Tomas Glozar <tglozar@redhat.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/tracing/rtla/src/timerlat_top.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/tools/tracing/rtla/src/timerlat_top.c b/tools/tracing/rtla/src/timerlat_top.c
+index 5a33789a375e3..1fed4c8d8520f 100644
+--- a/tools/tracing/rtla/src/timerlat_top.c
++++ b/tools/tracing/rtla/src/timerlat_top.c
+@@ -731,6 +731,14 @@ static int stop_tracing;
+ static struct trace_instance *top_inst = NULL;
+ static void stop_top(int sig)
+ {
++ if (stop_tracing) {
++ /*
++ * Stop requested twice in a row; abort event processing and
++ * exit immediately
++ */
++ tracefs_iterate_stop(top_inst->inst);
++ return;
++ }
+ stop_tracing = 1;
+ if (top_inst)
+ trace_instance_stop(top_inst);
+--
+2.39.5
+
--- /dev/null
+From 3b1565ff73ce7105227522fab1efdacfc1622f90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2024 09:42:14 +0800
+Subject: scsi: ufs: bsg: Set bsg_queue to NULL after removal
+
+From: Guixin Liu <kanie@linux.alibaba.com>
+
+[ Upstream commit 1e95c798d8a7f70965f0f88d4657b682ff0ec75f ]
+
+Currently, this does not cause any issues, but I believe it is necessary to
+set bsg_queue to NULL after removing it to prevent potential use-after-free
+(UAF) access.
+
+Signed-off-by: Guixin Liu <kanie@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20241218014214.64533-3-kanie@linux.alibaba.com
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ufs/core/ufs_bsg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/ufs/core/ufs_bsg.c b/drivers/ufs/core/ufs_bsg.c
+index f21423a7a6d7d..8fbd46cd8c2b8 100644
+--- a/drivers/ufs/core/ufs_bsg.c
++++ b/drivers/ufs/core/ufs_bsg.c
+@@ -216,6 +216,7 @@ void ufs_bsg_remove(struct ufs_hba *hba)
+ return;
+
+ bsg_remove_queue(hba->bsg_queue);
++ hba->bsg_queue = NULL;
+
+ device_del(bsg_dev);
+ put_device(bsg_dev);
+--
+2.39.5
+
--- /dev/null
+From 80d70a01feb3bd6bcd795bd70bcf21c3fafcf85e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Jan 2025 13:33:09 +0900
+Subject: selftests: gpio: gpio-sim: Fix missing chip disablements
+
+From: Koichiro Den <koichiro.den@canonical.com>
+
+[ Upstream commit f8524ac33cd452aef5384504b3264db6039a455e ]
+
+Since upstream commit 8bd76b3d3f3a ("gpio: sim: lock up configfs that an
+instantiated device depends on"), rmdir for an active virtual devices
+been prohibited.
+
+Update gpio-sim selftest to align with the change.
+
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Closes: https://lore.kernel.org/oe-lkp/202501221006.a1ca5dfa-lkp@intel.com
+Signed-off-by: Koichiro Den <koichiro.den@canonical.com>
+Link: https://lore.kernel.org/r/20250122043309.304621-1-koichiro.den@canonical.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/gpio/gpio-sim.sh | 31 +++++++++++++++++++-----
+ 1 file changed, 25 insertions(+), 6 deletions(-)
+
+diff --git a/tools/testing/selftests/gpio/gpio-sim.sh b/tools/testing/selftests/gpio/gpio-sim.sh
+index 6fb66a687f173..bbc29ed9c60a9 100755
+--- a/tools/testing/selftests/gpio/gpio-sim.sh
++++ b/tools/testing/selftests/gpio/gpio-sim.sh
+@@ -46,12 +46,6 @@ remove_chip() {
+ rmdir $CONFIGFS_DIR/$CHIP || fail "Unable to remove the chip"
+ }
+
+-configfs_cleanup() {
+- for CHIP in `ls $CONFIGFS_DIR/`; do
+- remove_chip $CHIP
+- done
+-}
+-
+ create_chip() {
+ local CHIP=$1
+
+@@ -105,6 +99,13 @@ disable_chip() {
+ echo 0 > $CONFIGFS_DIR/$CHIP/live || fail "Unable to disable the chip"
+ }
+
++configfs_cleanup() {
++ for CHIP in `ls $CONFIGFS_DIR/`; do
++ disable_chip $CHIP
++ remove_chip $CHIP
++ done
++}
++
+ configfs_chip_name() {
+ local CHIP=$1
+ local BANK=$2
+@@ -181,6 +182,7 @@ create_chip chip
+ create_bank chip bank
+ enable_chip chip
+ test -n `cat $CONFIGFS_DIR/chip/bank/chip_name` || fail "chip_name doesn't work"
++disable_chip chip
+ remove_chip chip
+
+ echo "1.2. chip_name returns 'none' if the chip is still pending"
+@@ -195,6 +197,7 @@ create_chip chip
+ create_bank chip bank
+ enable_chip chip
+ test -n `cat $CONFIGFS_DIR/chip/dev_name` || fail "dev_name doesn't work"
++disable_chip chip
+ remove_chip chip
+
+ echo "2. Creating and configuring simulated chips"
+@@ -204,6 +207,7 @@ create_chip chip
+ create_bank chip bank
+ enable_chip chip
+ test "`get_chip_num_lines chip bank`" = "1" || fail "default number of lines is not 1"
++disable_chip chip
+ remove_chip chip
+
+ echo "2.2. Number of lines can be specified"
+@@ -212,6 +216,7 @@ create_bank chip bank
+ set_num_lines chip bank 16
+ enable_chip chip
+ test "`get_chip_num_lines chip bank`" = "16" || fail "number of lines is not 16"
++disable_chip chip
+ remove_chip chip
+
+ echo "2.3. Label can be set"
+@@ -220,6 +225,7 @@ create_bank chip bank
+ set_label chip bank foobar
+ enable_chip chip
+ test "`get_chip_label chip bank`" = "foobar" || fail "label is incorrect"
++disable_chip chip
+ remove_chip chip
+
+ echo "2.4. Label can be left empty"
+@@ -227,6 +233,7 @@ create_chip chip
+ create_bank chip bank
+ enable_chip chip
+ test -z "`cat $CONFIGFS_DIR/chip/bank/label`" || fail "label is not empty"
++disable_chip chip
+ remove_chip chip
+
+ echo "2.5. Line names can be configured"
+@@ -238,6 +245,7 @@ set_line_name chip bank 2 bar
+ enable_chip chip
+ test "`get_line_name chip bank 0`" = "foo" || fail "line name is incorrect"
+ test "`get_line_name chip bank 2`" = "bar" || fail "line name is incorrect"
++disable_chip chip
+ remove_chip chip
+
+ echo "2.6. Line config can remain unused if offset is greater than number of lines"
+@@ -248,6 +256,7 @@ set_line_name chip bank 5 foobar
+ enable_chip chip
+ test "`get_line_name chip bank 0`" = "" || fail "line name is incorrect"
+ test "`get_line_name chip bank 1`" = "" || fail "line name is incorrect"
++disable_chip chip
+ remove_chip chip
+
+ echo "2.7. Line configfs directory names are sanitized"
+@@ -267,6 +276,7 @@ for CHIP in $CHIPS; do
+ enable_chip $CHIP
+ done
+ for CHIP in $CHIPS; do
++ disable_chip $CHIP
+ remove_chip $CHIP
+ done
+
+@@ -278,6 +288,7 @@ echo foobar > $CONFIGFS_DIR/chip/bank/label 2> /dev/null && \
+ fail "Setting label of a live chip should fail"
+ echo 8 > $CONFIGFS_DIR/chip/bank/num_lines 2> /dev/null && \
+ fail "Setting number of lines of a live chip should fail"
++disable_chip chip
+ remove_chip chip
+
+ echo "2.10. Can't create line items when chip is live"
+@@ -285,6 +296,7 @@ create_chip chip
+ create_bank chip bank
+ enable_chip chip
+ mkdir $CONFIGFS_DIR/chip/bank/line0 2> /dev/null && fail "Creating line item should fail"
++disable_chip chip
+ remove_chip chip
+
+ echo "2.11. Probe errors are propagated to user-space"
+@@ -316,6 +328,7 @@ mkdir -p $CONFIGFS_DIR/chip/bank/line4/hog
+ enable_chip chip
+ $BASE_DIR/gpio-mockup-cdev -s 1 /dev/`configfs_chip_name chip bank` 4 2> /dev/null && \
+ fail "Setting the value of a hogged line shouldn't succeed"
++disable_chip chip
+ remove_chip chip
+
+ echo "3. Controlling simulated chips"
+@@ -331,6 +344,7 @@ test "$?" = "1" || fail "pull set incorrectly"
+ sysfs_set_pull chip bank 0 pull-down
+ $BASE_DIR/gpio-mockup-cdev /dev/`configfs_chip_name chip bank` 1
+ test "$?" = "0" || fail "pull set incorrectly"
++disable_chip chip
+ remove_chip chip
+
+ echo "3.2. Pull can be read from sysfs"
+@@ -344,6 +358,7 @@ SYSFS_PATH=/sys/devices/platform/$DEVNAME/$CHIPNAME/sim_gpio0/pull
+ test `cat $SYSFS_PATH` = "pull-down" || fail "reading the pull failed"
+ sysfs_set_pull chip bank 0 pull-up
+ test `cat $SYSFS_PATH` = "pull-up" || fail "reading the pull failed"
++disable_chip chip
+ remove_chip chip
+
+ echo "3.3. Incorrect input in sysfs is rejected"
+@@ -355,6 +370,7 @@ DEVNAME=`configfs_dev_name chip`
+ CHIPNAME=`configfs_chip_name chip bank`
+ SYSFS_PATH="/sys/devices/platform/$DEVNAME/$CHIPNAME/sim_gpio0/pull"
+ echo foobar > $SYSFS_PATH 2> /dev/null && fail "invalid input not detected"
++disable_chip chip
+ remove_chip chip
+
+ echo "3.4. Can't write to value"
+@@ -365,6 +381,7 @@ DEVNAME=`configfs_dev_name chip`
+ CHIPNAME=`configfs_chip_name chip bank`
+ SYSFS_PATH="/sys/devices/platform/$DEVNAME/$CHIPNAME/sim_gpio0/value"
+ echo 1 > $SYSFS_PATH 2> /dev/null && fail "writing to 'value' succeeded unexpectedly"
++disable_chip chip
+ remove_chip chip
+
+ echo "4. Simulated GPIO chips are functional"
+@@ -382,6 +399,7 @@ $BASE_DIR/gpio-mockup-cdev -s 1 /dev/`configfs_chip_name chip bank` 0 &
+ sleep 0.1 # FIXME Any better way?
+ test `cat $SYSFS_PATH` = "1" || fail "incorrect value read from sysfs"
+ kill $!
++disable_chip chip
+ remove_chip chip
+
+ echo "4.2. Bias settings work correctly"
+@@ -394,6 +412,7 @@ CHIPNAME=`configfs_chip_name chip bank`
+ SYSFS_PATH="/sys/devices/platform/$DEVNAME/$CHIPNAME/sim_gpio0/value"
+ $BASE_DIR/gpio-mockup-cdev -b pull-up /dev/`configfs_chip_name chip bank` 0
+ test `cat $SYSFS_PATH` = "1" || fail "bias setting does not work"
++disable_chip chip
+ remove_chip chip
+
+ echo "GPIO $MODULE test PASS"
+--
+2.39.5
+
nfsd-clear-acl_access-acl_default-after-releasing-them.patch
nfsd-fix-hang-in-nfsd4_shutdown_callback.patch
+pinctrl-cy8c95x0-respect-irq-trigger-settings-from-f.patch
+hid-multitouch-add-null-check-in-mt_input_configured.patch
+hid-hid-thrustmaster-fix-stack-out-of-bounds-read-in.patch
+spi-sn-f-ospi-fix-division-by-zero.patch
+ax25-fix-refcount-leak-caused-by-setting-so_bindtode.patch
+ndisc-ndisc_send_redirect-must-use-dev_get_by_index_.patch
+vrf-use-rcu-protection-in-l3mdev_l3_out.patch
+vxlan-check-vxlan_vnigroup_init-return-value.patch
+loongarch-fix-idle-vs-timer-enqueue.patch
+loongarch-csum-fix-oob-access-in-ip-checksum-code-fo.patch
+team-better-team_option_type_string-validation.patch
+arm64-cacheinfo-avoid-out-of-bounds-write-to-cachein.patch
+cgroup-remove-steal-time-from-usage_usec.patch
+drm-i915-selftests-avoid-using-uninitialized-context.patch
+gpio-bcm-kona-fix-gpio-lock-unlock-for-banks-above-b.patch
+gpio-bcm-kona-make-sure-gpio-bits-are-unlocked-when-.patch
+gpio-bcm-kona-add-missing-newline-to-dev_err-format-.patch
+drm-amdgpu-bail-out-when-failed-to-load-fw-in-psp_in.patch
+xen-swiotlb-relax-alignment-requirements.patch
+x86-xen-allow-larger-contiguous-memory-regions-in-pv.patch
+block-cleanup-and-fix-batch-completion-adding-condit.patch
+gpiolib-fix-crash-on-error-in-gpiochip_get_ngpios.patch
+tools-fix-annoying-mkdir-p-.-logs-when-building-tool.patch
+rdma-efa-reset-device-on-probe-failure.patch
+fbdev-omap-use-threaded-irq-for-lcd-dma.patch
+soc-tegra-fuse-update-tegra234-nvmem-keepout-list.patch
+media-cxd2841er-fix-64-bit-division-on-gcc-9.patch
+media-i2c-ds90ub913-add-error-handling-to-ub913_hw_i.patch
+media-i2c-ds90ub953-add-error-handling-for-i2c-reads.patch
+media-uvcvideo-implement-dual-stream-quirk-to-fix-lo.patch
+media-uvcvideo-add-new-quirk-definition-for-the-soni.patch
+media-uvcvideo-add-kurokesu-c1-pro-camera.patch
+media-vidtv-fix-a-null-ptr-deref-in-vidtv_mux_stop_t.patch
+pci-dpc-quirk-pio-log-size-for-intel-raptor-lake-p.patch
+pci-switchtec-add-microchip-pci100x-device-ids.patch
+scsi-ufs-bsg-set-bsg_queue-to-null-after-removal.patch
+rtla-timerlat_hist-abort-event-processing-on-second-.patch
+rtla-timerlat_top-abort-event-processing-on-second-s.patch
+vfio-pci-enable-iowrite64-and-ioread64-for-vfio-pci.patch
+nfs-fix-potential-buffer-overflowin-nfs_sysfs_link_r.patch
+grab-mm-lock-before-grabbing-pt-lock.patch
+selftests-gpio-gpio-sim-fix-missing-chip-disablement.patch
+acpi-x86-add-skip-i2c-clients-quirk-for-vexia-edu-at.patch
+x86-mm-tlb-only-trim-the-mm_cpumask-once-a-second.patch
+orangefs-fix-a-oob-in-orangefs_debug_write.patch
+asoc-intel-bytcr_rt5640-add-dmi-quirk-for-vexia-edu-.patch
--- /dev/null
+From 165825def33b927ee83d5bb908367266d3116a3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Nov 2024 11:40:53 +0530
+Subject: soc/tegra: fuse: Update Tegra234 nvmem keepout list
+
+From: Kartik Rajput <kkartik@nvidia.com>
+
+[ Upstream commit 836b341cc8dab680acc06a7883bfeea89680b689 ]
+
+Various Nvidia userspace applications and tests access following fuse
+via Fuse nvmem interface:
+
+ * odmid
+ * odminfo
+ * boot_security_info
+ * public_key_hash
+ * reserved_odm0
+ * reserved_odm1
+ * reserved_odm2
+ * reserved_odm3
+ * reserved_odm4
+ * reserved_odm5
+ * reserved_odm6
+ * reserved_odm7
+ * odm_lock
+ * pk_h1
+ * pk_h2
+ * revoke_pk_h0
+ * revoke_pk_h1
+ * security_mode
+ * system_fw_field_ratchet0
+ * system_fw_field_ratchet1
+ * system_fw_field_ratchet2
+ * system_fw_field_ratchet3
+ * optin_enable
+
+Update tegra234_fuse_keepouts list to allow reading these fuse from
+nvmem sysfs interface.
+
+Signed-off-by: Kartik Rajput <kkartik@nvidia.com>
+Link: https://lore.kernel.org/r/20241127061053.16775-1-kkartik@nvidia.com
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/tegra/fuse/fuse-tegra30.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/soc/tegra/fuse/fuse-tegra30.c b/drivers/soc/tegra/fuse/fuse-tegra30.c
+index e94d46372a639..402cf939c0326 100644
+--- a/drivers/soc/tegra/fuse/fuse-tegra30.c
++++ b/drivers/soc/tegra/fuse/fuse-tegra30.c
+@@ -646,15 +646,20 @@ static const struct nvmem_cell_lookup tegra234_fuse_lookups[] = {
+ };
+
+ static const struct nvmem_keepout tegra234_fuse_keepouts[] = {
+- { .start = 0x01c, .end = 0x0c8 },
+- { .start = 0x12c, .end = 0x184 },
++ { .start = 0x01c, .end = 0x064 },
++ { .start = 0x084, .end = 0x0a0 },
++ { .start = 0x0a4, .end = 0x0c8 },
++ { .start = 0x12c, .end = 0x164 },
++ { .start = 0x16c, .end = 0x184 },
+ { .start = 0x190, .end = 0x198 },
+ { .start = 0x1a0, .end = 0x204 },
+- { .start = 0x21c, .end = 0x250 },
+- { .start = 0x25c, .end = 0x2f0 },
++ { .start = 0x21c, .end = 0x2f0 },
+ { .start = 0x310, .end = 0x3d8 },
+- { .start = 0x400, .end = 0x4f0 },
+- { .start = 0x4f8, .end = 0x7e8 },
++ { .start = 0x400, .end = 0x420 },
++ { .start = 0x444, .end = 0x490 },
++ { .start = 0x4bc, .end = 0x4f0 },
++ { .start = 0x4f8, .end = 0x54c },
++ { .start = 0x57c, .end = 0x7e8 },
+ { .start = 0x8d0, .end = 0x8d8 },
+ { .start = 0xacc, .end = 0xf00 }
+ };
+--
+2.39.5
+
--- /dev/null
+From 9b8e6f3e691cf50464397099a7c95d1deb077e28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Feb 2025 17:57:47 +0900
+Subject: spi: sn-f-ospi: Fix division by zero
+
+From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+
+[ Upstream commit 3588b1c0fde2f58d166e3f94a5a58d64b893526c ]
+
+When there is no dummy cycle in the spi-nor commands, both dummy bus cycle
+bytes and width are zero. Because of the cpu's warning when divided by
+zero, the warning should be avoided. Return just zero to avoid such
+calculations.
+
+Fixes: 1b74dd64c861 ("spi: Add Socionext F_OSPI SPI flash controller driver")
+Co-developed-by: Kohei Ito <ito.kohei@socionext.com>
+Signed-off-by: Kohei Ito <ito.kohei@socionext.com>
+Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+Link: https://patch.msgid.link/20250206085747.3834148-1-hayashi.kunihiko@socionext.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-sn-f-ospi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/spi/spi-sn-f-ospi.c b/drivers/spi/spi-sn-f-ospi.c
+index a7c3b3923b4af..fd8c8eb37d01d 100644
+--- a/drivers/spi/spi-sn-f-ospi.c
++++ b/drivers/spi/spi-sn-f-ospi.c
+@@ -116,6 +116,9 @@ struct f_ospi {
+
+ static u32 f_ospi_get_dummy_cycle(const struct spi_mem_op *op)
+ {
++ if (!op->dummy.nbytes)
++ return 0;
++
+ return (op->dummy.nbytes * 8) / op->dummy.buswidth;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 8eb97009446cde5b3ed415a60e80611541fd9ba0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Feb 2025 13:49:28 +0000
+Subject: team: better TEAM_OPTION_TYPE_STRING validation
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 5bef3ac184b5626ea62385d6b82a1992b89d7940 ]
+
+syzbot reported following splat [1]
+
+Make sure user-provided data contains one nul byte.
+
+[1]
+ BUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:633 [inline]
+ BUG: KMSAN: uninit-value in string+0x3ec/0x5f0 lib/vsprintf.c:714
+ string_nocheck lib/vsprintf.c:633 [inline]
+ string+0x3ec/0x5f0 lib/vsprintf.c:714
+ vsnprintf+0xa5d/0x1960 lib/vsprintf.c:2843
+ __request_module+0x252/0x9f0 kernel/module/kmod.c:149
+ team_mode_get drivers/net/team/team_core.c:480 [inline]
+ team_change_mode drivers/net/team/team_core.c:607 [inline]
+ team_mode_option_set+0x437/0x970 drivers/net/team/team_core.c:1401
+ team_option_set drivers/net/team/team_core.c:375 [inline]
+ team_nl_options_set_doit+0x1339/0x1f90 drivers/net/team/team_core.c:2662
+ genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]
+ genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
+ genl_rcv_msg+0x1214/0x12c0 net/netlink/genetlink.c:1210
+ netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2543
+ genl_rcv+0x40/0x60 net/netlink/genetlink.c:1219
+ netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
+ netlink_unicast+0xf52/0x1260 net/netlink/af_netlink.c:1348
+ netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1892
+ sock_sendmsg_nosec net/socket.c:718 [inline]
+ __sock_sendmsg+0x30f/0x380 net/socket.c:733
+ ____sys_sendmsg+0x877/0xb60 net/socket.c:2573
+ ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2627
+ __sys_sendmsg net/socket.c:2659 [inline]
+ __do_sys_sendmsg net/socket.c:2664 [inline]
+ __se_sys_sendmsg net/socket.c:2662 [inline]
+ __x64_sys_sendmsg+0x212/0x3c0 net/socket.c:2662
+ x64_sys_call+0x2ed6/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:47
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device")
+Reported-by: syzbot+1fcd957a82e3a1baa94d@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=1fcd957a82e3a1baa94d
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Link: https://patch.msgid.link/20250212134928.1541609-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/team/team.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
+index 46a7c9fb6300e..1ce3bccd4ebd4 100644
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -2657,7 +2657,9 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info)
+ ctx.data.u32_val = nla_get_u32(attr_data);
+ break;
+ case TEAM_OPTION_TYPE_STRING:
+- if (nla_len(attr_data) > TEAM_STRING_MAX_LEN) {
++ if (nla_len(attr_data) > TEAM_STRING_MAX_LEN ||
++ !memchr(nla_data(attr_data), '\0',
++ nla_len(attr_data))) {
+ err = -EINVAL;
+ goto team_put;
+ }
+--
+2.39.5
+
--- /dev/null
+From 0c868a9f2f4d0224afbb20f7900acfac5e6dcac3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Feb 2025 09:29:06 +0900
+Subject: tools: fix annoying "mkdir -p ..." logs when building tools in
+ parallel
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+[ Upstream commit d1d0963121769d8d16150b913fe886e48efefa51 ]
+
+When CONFIG_OBJTOOL=y or CONFIG_DEBUG_INFO_BTF=y, parallel builds
+show awkward "mkdir -p ..." logs.
+
+ $ make -j16
+ [ snip ]
+ mkdir -p /home/masahiro/ref/linux/tools/objtool && make O=/home/masahiro/ref/linux subdir=tools/objtool --no-print-directory -C objtool
+ mkdir -p /home/masahiro/ref/linux/tools/bpf/resolve_btfids && make O=/home/masahiro/ref/linux subdir=tools/bpf/resolve_btfids --no-print-directory -C bpf/resolve_btfids
+
+Defining MAKEFLAGS=<value> on the command line wipes out command line
+switches from the resultant MAKEFLAGS definition, even though the command
+line switches are active. [1]
+
+MAKEFLAGS puts all single-letter options into the first word, and that
+word will be empty if no single-letter options were given. [2]
+However, this breaks if MAKEFLAGS=<value> is given on the command line.
+
+The tools/ and tools/% targets set MAKEFLAGS=<value> on the command
+line, which breaks the following code in tools/scripts/Makefile.include:
+
+ short-opts := $(firstword -$(MAKEFLAGS))
+
+If MAKEFLAGS really needs modification, it should be done through the
+environment variable, as follows:
+
+ MAKEFLAGS=<value> $(MAKE) ...
+
+That said, I question whether modifying MAKEFLAGS is necessary here.
+The only flag we might want to exclude is --no-print-directory, as the
+tools build system changes the working directory. However, people might
+find the "Entering/Leaving directory" logs annoying.
+
+I simply removed the offending MAKEFLAGS=<value>.
+
+[1]: https://savannah.gnu.org/bugs/?62469
+[2]: https://www.gnu.org/software/make/manual/make.html#Testing-Flags
+
+Fixes: ea01fa9f63ae ("tools: Connect to the kernel build system")
+Fixes: a50e43332756 ("perf tools: Honor parallel jobs")
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Tested-by: Daniel Xu <dxu@dxuuu.xyz>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Makefile | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 1d777c3eb7fb9..cbd091c511d82 100644
+--- a/Makefile
++++ b/Makefile
+@@ -1348,18 +1348,13 @@ ifneq ($(wildcard $(resolve_btfids_O)),)
+ $(Q)$(MAKE) -sC $(srctree)/tools/bpf/resolve_btfids O=$(resolve_btfids_O) clean
+ endif
+
+-# Clear a bunch of variables before executing the submake
+-ifeq ($(quiet),silent_)
+-tools_silent=s
+-endif
+-
+ tools/: FORCE
+ $(Q)mkdir -p $(objtree)/tools
+- $(Q)$(MAKE) LDFLAGS= MAKEFLAGS="$(tools_silent) $(filter --j% -j,$(MAKEFLAGS))" O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/
++ $(Q)$(MAKE) LDFLAGS= O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/
+
+ tools/%: FORCE
+ $(Q)mkdir -p $(objtree)/tools
+- $(Q)$(MAKE) LDFLAGS= MAKEFLAGS="$(tools_silent) $(filter --j% -j,$(MAKEFLAGS))" O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/ $*
++ $(Q)$(MAKE) LDFLAGS= O=$(abspath $(objtree)) subdir=tools -C $(srctree)/tools/ $*
+
+ # ---------------------------------------------------------------------------
+ # Kernel selftest
+--
+2.39.5
+
--- /dev/null
+From b203959301eb4f50e3a79678fe5cc85556700230 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2024 05:19:37 -0800
+Subject: vfio/pci: Enable iowrite64 and ioread64 for vfio pci
+
+From: Ramesh Thomas <ramesh.thomas@intel.com>
+
+[ Upstream commit 2b938e3db335e3670475e31a722c2bee34748c5a ]
+
+Definitions of ioread64 and iowrite64 macros in asm/io.h called by vfio
+pci implementations are enclosed inside check for CONFIG_GENERIC_IOMAP.
+They don't get defined if CONFIG_GENERIC_IOMAP is defined. Include
+linux/io-64-nonatomic-lo-hi.h to define iowrite64 and ioread64 macros
+when they are not defined. io-64-nonatomic-lo-hi.h maps the macros to
+generic implementation in lib/iomap.c. The generic implementation does
+64 bit rw if readq/writeq is defined for the architecture, otherwise it
+would do 32 bit back to back rw.
+
+Note that there are two versions of the generic implementation that
+differs in the order the 32 bit words are written if 64 bit support is
+not present. This is not the little/big endian ordering, which is
+handled separately. This patch uses the lo followed by hi word ordering
+which is consistent with current back to back implementation in the
+vfio/pci code.
+
+Signed-off-by: Ramesh Thomas <ramesh.thomas@intel.com>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Link: https://lore.kernel.org/r/20241210131938.303500-2-ramesh.thomas@intel.com
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/pci/vfio_pci_rdwr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/vfio/pci/vfio_pci_rdwr.c b/drivers/vfio/pci/vfio_pci_rdwr.c
+index e27de61ac9fe7..8191c8fcfb256 100644
+--- a/drivers/vfio/pci/vfio_pci_rdwr.c
++++ b/drivers/vfio/pci/vfio_pci_rdwr.c
+@@ -16,6 +16,7 @@
+ #include <linux/io.h>
+ #include <linux/vfio.h>
+ #include <linux/vgaarb.h>
++#include <linux/io-64-nonatomic-lo-hi.h>
+
+ #include "vfio_pci_priv.h"
+
+--
+2.39.5
+
--- /dev/null
+From 84197a8c2821ab3ca5b61a47fbe9f821640ec0fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Feb 2025 13:58:38 +0000
+Subject: vrf: use RCU protection in l3mdev_l3_out()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 6d0ce46a93135d96b7fa075a94a88fe0da8e8773 ]
+
+l3mdev_l3_out() can be called without RCU being held:
+
+raw_sendmsg()
+ ip_push_pending_frames()
+ ip_send_skb()
+ ip_local_out()
+ __ip_local_out()
+ l3mdev_ip_out()
+
+Add rcu_read_lock() / rcu_read_unlock() pair to avoid
+a potential UAF.
+
+Fixes: a8e3e1a9f020 ("net: l3mdev: Add hook to output path")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://patch.msgid.link/20250207135841.1948589-7-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/l3mdev.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/net/l3mdev.h b/include/net/l3mdev.h
+index 031c661aa14df..bdfa9d414360c 100644
+--- a/include/net/l3mdev.h
++++ b/include/net/l3mdev.h
+@@ -198,10 +198,12 @@ struct sk_buff *l3mdev_l3_out(struct sock *sk, struct sk_buff *skb, u16 proto)
+ if (netif_is_l3_slave(dev)) {
+ struct net_device *master;
+
++ rcu_read_lock();
+ master = netdev_master_upper_dev_get_rcu(dev);
+ if (master && master->l3mdev_ops->l3mdev_l3_out)
+ skb = master->l3mdev_ops->l3mdev_l3_out(master, sk,
+ skb, proto);
++ rcu_read_unlock();
+ }
+
+ return skb;
+--
+2.39.5
+
--- /dev/null
+From 19d9c086e2a0e8756f3a8fe5d94043bb85e0776d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Feb 2025 10:52:42 +0000
+Subject: vxlan: check vxlan_vnigroup_init() return value
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 5805402dcc56241987bca674a1b4da79a249bab7 ]
+
+vxlan_init() must check vxlan_vnigroup_init() success
+otherwise a crash happens later, spotted by syzbot.
+
+Oops: general protection fault, probably for non-canonical address 0xdffffc000000002c: 0000 [#1] PREEMPT SMP KASAN NOPTI
+KASAN: null-ptr-deref in range [0x0000000000000160-0x0000000000000167]
+CPU: 0 UID: 0 PID: 7313 Comm: syz-executor147 Not tainted 6.14.0-rc1-syzkaller-00276-g69b54314c975 #0
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+ RIP: 0010:vxlan_vnigroup_uninit+0x89/0x500 drivers/net/vxlan/vxlan_vnifilter.c:912
+Code: 00 48 8b 44 24 08 4c 8b b0 98 41 00 00 49 8d 86 60 01 00 00 48 89 c2 48 89 44 24 10 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 4d 04 00 00 49 8b 86 60 01 00 00 48 ba 00 00 00
+RSP: 0018:ffffc9000cc1eea8 EFLAGS: 00010202
+RAX: dffffc0000000000 RBX: 0000000000000001 RCX: ffffffff8672effb
+RDX: 000000000000002c RSI: ffffffff8672ecb9 RDI: ffff8880461b4f18
+RBP: ffff8880461b4ef4 R08: 0000000000000001 R09: 0000000000000000
+R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000020000
+R13: ffff8880461b0d80 R14: 0000000000000000 R15: dffffc0000000000
+FS: 00007fecfa95d6c0(0000) GS:ffff88806a600000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fecfa95cfb8 CR3: 000000004472c000 CR4: 0000000000352ef0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ vxlan_uninit+0x1ab/0x200 drivers/net/vxlan/vxlan_core.c:2942
+ unregister_netdevice_many_notify+0x12d6/0x1f30 net/core/dev.c:11824
+ unregister_netdevice_many net/core/dev.c:11866 [inline]
+ unregister_netdevice_queue+0x307/0x3f0 net/core/dev.c:11736
+ register_netdevice+0x1829/0x1eb0 net/core/dev.c:10901
+ __vxlan_dev_create+0x7c6/0xa30 drivers/net/vxlan/vxlan_core.c:3981
+ vxlan_newlink+0xd1/0x130 drivers/net/vxlan/vxlan_core.c:4407
+ rtnl_newlink_create net/core/rtnetlink.c:3795 [inline]
+ __rtnl_newlink net/core/rtnetlink.c:3906 [inline]
+
+Fixes: f9c4bb0b245c ("vxlan: vni filtering support on collect metadata device")
+Reported-by: syzbot+6a9624592218c2c5e7aa@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/67a9d9b4.050a0220.110943.002d.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Roopa Prabhu <roopa@nvidia.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20250210105242.883482-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/vxlan/vxlan_core.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c
+index ee02a92338da1..64db3e98a1b66 100644
+--- a/drivers/net/vxlan/vxlan_core.c
++++ b/drivers/net/vxlan/vxlan_core.c
+@@ -2966,8 +2966,11 @@ static int vxlan_init(struct net_device *dev)
+ struct vxlan_dev *vxlan = netdev_priv(dev);
+ int err;
+
+- if (vxlan->cfg.flags & VXLAN_F_VNIFILTER)
+- vxlan_vnigroup_init(vxlan);
++ if (vxlan->cfg.flags & VXLAN_F_VNIFILTER) {
++ err = vxlan_vnigroup_init(vxlan);
++ if (err)
++ return err;
++ }
+
+ dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats);
+ if (!dev->tstats) {
+--
+2.39.5
+
--- /dev/null
+From dfea89d4a4340fc47ccad2d1911c1df0dd16a216 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2024 21:03:16 -0500
+Subject: x86/mm/tlb: Only trim the mm_cpumask once a second
+
+From: Rik van Riel <riel@fb.com>
+
+[ Upstream commit 6db2526c1d694c91c6e05e2f186c085e9460f202 ]
+
+Setting and clearing CPU bits in the mm_cpumask is only ever done
+by the CPU itself, from the context switch code or the TLB flush
+code.
+
+Synchronization is handled by switch_mm_irqs_off() blocking interrupts.
+
+Sending TLB flush IPIs to CPUs that are in the mm_cpumask, but no
+longer running the program causes a regression in the will-it-scale
+tlbflush2 test. This test is contrived, but a large regression here
+might cause a small regression in some real world workload.
+
+Instead of always sending IPIs to CPUs that are in the mm_cpumask,
+but no longer running the program, send these IPIs only once a second.
+
+The rest of the time we can skip over CPUs where the loaded_mm is
+different from the target mm.
+
+Reported-by: kernel test roboto <oliver.sang@intel.com>
+Signed-off-by: Rik van Riel <riel@surriel.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/20241204210316.612ee573@fangorn
+Closes: https://lore.kernel.org/oe-lkp/202411282207.6bd28eae-lkp@intel.com/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/mmu.h | 2 ++
+ arch/x86/include/asm/mmu_context.h | 1 +
+ arch/x86/include/asm/tlbflush.h | 1 +
+ arch/x86/mm/tlb.c | 35 +++++++++++++++++++++++++++---
+ 4 files changed, 36 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/include/asm/mmu.h b/arch/x86/include/asm/mmu.h
+index 0da5c227f490c..53763cf192777 100644
+--- a/arch/x86/include/asm/mmu.h
++++ b/arch/x86/include/asm/mmu.h
+@@ -37,6 +37,8 @@ typedef struct {
+ */
+ atomic64_t tlb_gen;
+
++ unsigned long next_trim_cpumask;
++
+ #ifdef CONFIG_MODIFY_LDT_SYSCALL
+ struct rw_semaphore ldt_usr_sem;
+ struct ldt_struct *ldt;
+diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
+index 8dac45a2c7fcf..f5afd956d5e50 100644
+--- a/arch/x86/include/asm/mmu_context.h
++++ b/arch/x86/include/asm/mmu_context.h
+@@ -145,6 +145,7 @@ static inline int init_new_context(struct task_struct *tsk,
+
+ mm->context.ctx_id = atomic64_inc_return(&last_mm_ctx_id);
+ atomic64_set(&mm->context.tlb_gen, 0);
++ mm->context.next_trim_cpumask = jiffies + HZ;
+
+ #ifdef CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS
+ if (cpu_feature_enabled(X86_FEATURE_OSPKE)) {
+diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
+index 25726893c6f4d..5d61adc6e892e 100644
+--- a/arch/x86/include/asm/tlbflush.h
++++ b/arch/x86/include/asm/tlbflush.h
+@@ -222,6 +222,7 @@ struct flush_tlb_info {
+ unsigned int initiating_cpu;
+ u8 stride_shift;
+ u8 freed_tables;
++ u8 trim_cpumask;
+ };
+
+ void flush_tlb_local(void);
+diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
+index 64f594826a282..df1794a5e38a5 100644
+--- a/arch/x86/mm/tlb.c
++++ b/arch/x86/mm/tlb.c
+@@ -898,9 +898,36 @@ static void flush_tlb_func(void *info)
+ nr_invalidate);
+ }
+
+-static bool tlb_is_not_lazy(int cpu, void *data)
++static bool should_flush_tlb(int cpu, void *data)
+ {
+- return !per_cpu(cpu_tlbstate_shared.is_lazy, cpu);
++ struct flush_tlb_info *info = data;
++
++ /* Lazy TLB will get flushed at the next context switch. */
++ if (per_cpu(cpu_tlbstate_shared.is_lazy, cpu))
++ return false;
++
++ /* No mm means kernel memory flush. */
++ if (!info->mm)
++ return true;
++
++ /* The target mm is loaded, and the CPU is not lazy. */
++ if (per_cpu(cpu_tlbstate.loaded_mm, cpu) == info->mm)
++ return true;
++
++ /* In cpumask, but not the loaded mm? Periodically remove by flushing. */
++ if (info->trim_cpumask)
++ return true;
++
++ return false;
++}
++
++static bool should_trim_cpumask(struct mm_struct *mm)
++{
++ if (time_after(jiffies, READ_ONCE(mm->context.next_trim_cpumask))) {
++ WRITE_ONCE(mm->context.next_trim_cpumask, jiffies + HZ);
++ return true;
++ }
++ return false;
+ }
+
+ DEFINE_PER_CPU_SHARED_ALIGNED(struct tlb_state_shared, cpu_tlbstate_shared);
+@@ -934,7 +961,7 @@ STATIC_NOPV void native_flush_tlb_multi(const struct cpumask *cpumask,
+ if (info->freed_tables)
+ on_each_cpu_mask(cpumask, flush_tlb_func, (void *)info, true);
+ else
+- on_each_cpu_cond_mask(tlb_is_not_lazy, flush_tlb_func,
++ on_each_cpu_cond_mask(should_flush_tlb, flush_tlb_func,
+ (void *)info, 1, cpumask);
+ }
+
+@@ -985,6 +1012,7 @@ static struct flush_tlb_info *get_flush_tlb_info(struct mm_struct *mm,
+ info->freed_tables = freed_tables;
+ info->new_tlb_gen = new_tlb_gen;
+ info->initiating_cpu = smp_processor_id();
++ info->trim_cpumask = 0;
+
+ return info;
+ }
+@@ -1027,6 +1055,7 @@ void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start,
+ * flush_tlb_func_local() directly in this case.
+ */
+ if (cpumask_any_but(mm_cpumask(mm), cpu) < nr_cpu_ids) {
++ info->trim_cpumask = should_trim_cpumask(mm);
+ flush_tlb_multi(mm_cpumask(mm), info);
+ } else if (mm == this_cpu_read(cpu_tlbstate.loaded_mm)) {
+ lockdep_assert_irqs_enabled();
+--
+2.39.5
+
--- /dev/null
+From 69293bd4ff8ad0fa94b77fef992002cc52842512 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Feb 2025 11:16:28 +0100
+Subject: x86/xen: allow larger contiguous memory regions in PV guests
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit e93ec87286bd1fd30b7389e7a387cfb259f297e3 ]
+
+Today a PV guest (including dom0) can create 2MB contiguous memory
+regions for DMA buffers at max. This has led to problems at least
+with the megaraid_sas driver, which wants to allocate a 2.3MB DMA
+buffer.
+
+The limiting factor is the frame array used to do the hypercall for
+making the memory contiguous, which has 512 entries and is just a
+static array in mmu_pv.c.
+
+In order to not waste memory for non-PV guests, put the initial
+frame array into .init.data section and dynamically allocate an array
+from the .init_after_bootmem hook of PV guests.
+
+In case a contiguous memory area larger than the initially supported
+2MB is requested, allocate a larger buffer for the frame list. Note
+that such an allocation is tried only after memory management has been
+initialized properly, which is tested via a flag being set in the
+.init_after_bootmem hook.
+
+Fixes: 9f40ec84a797 ("xen/swiotlb: add alignment check for dma buffers")
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Tested-by: Alan Robinson <Alan.Robinson@fujitsu.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/xen/mmu_pv.c | 71 +++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 62 insertions(+), 9 deletions(-)
+
+diff --git a/arch/x86/xen/mmu_pv.c b/arch/x86/xen/mmu_pv.c
+index 6b201e64d8abc..2db46626acea2 100644
+--- a/arch/x86/xen/mmu_pv.c
++++ b/arch/x86/xen/mmu_pv.c
+@@ -113,6 +113,51 @@ static pud_t level3_user_vsyscall[PTRS_PER_PUD] __page_aligned_bss;
+ */
+ static DEFINE_SPINLOCK(xen_reservation_lock);
+
++/* Protected by xen_reservation_lock. */
++#define MIN_CONTIG_ORDER 9 /* 2MB */
++static unsigned int discontig_frames_order = MIN_CONTIG_ORDER;
++static unsigned long discontig_frames_early[1UL << MIN_CONTIG_ORDER] __initdata;
++static unsigned long *discontig_frames __refdata = discontig_frames_early;
++static bool discontig_frames_dyn;
++
++static int alloc_discontig_frames(unsigned int order)
++{
++ unsigned long *new_array, *old_array;
++ unsigned int old_order;
++ unsigned long flags;
++
++ BUG_ON(order < MIN_CONTIG_ORDER);
++ BUILD_BUG_ON(sizeof(discontig_frames_early) != PAGE_SIZE);
++
++ new_array = (unsigned long *)__get_free_pages(GFP_KERNEL,
++ order - MIN_CONTIG_ORDER);
++ if (!new_array)
++ return -ENOMEM;
++
++ spin_lock_irqsave(&xen_reservation_lock, flags);
++
++ old_order = discontig_frames_order;
++
++ if (order > discontig_frames_order || !discontig_frames_dyn) {
++ if (!discontig_frames_dyn)
++ old_array = NULL;
++ else
++ old_array = discontig_frames;
++
++ discontig_frames = new_array;
++ discontig_frames_order = order;
++ discontig_frames_dyn = true;
++ } else {
++ old_array = new_array;
++ }
++
++ spin_unlock_irqrestore(&xen_reservation_lock, flags);
++
++ free_pages((unsigned long)old_array, old_order - MIN_CONTIG_ORDER);
++
++ return 0;
++}
++
+ /*
+ * Note about cr3 (pagetable base) values:
+ *
+@@ -813,6 +858,9 @@ static void __init xen_after_bootmem(void)
+ SetPagePinned(virt_to_page(level3_user_vsyscall));
+ #endif
+ xen_pgd_walk(&init_mm, xen_mark_pinned, FIXADDR_TOP);
++
++ if (alloc_discontig_frames(MIN_CONTIG_ORDER))
++ BUG();
+ }
+
+ static void xen_unpin_page(struct mm_struct *mm, struct page *page,
+@@ -2199,10 +2247,6 @@ void __init xen_init_mmu_ops(void)
+ memset(dummy_mapping, 0xff, PAGE_SIZE);
+ }
+
+-/* Protected by xen_reservation_lock. */
+-#define MAX_CONTIG_ORDER 9 /* 2MB */
+-static unsigned long discontig_frames[1<<MAX_CONTIG_ORDER];
+-
+ #define VOID_PTE (mfn_pte(0, __pgprot(0)))
+ static void xen_zap_pfn_range(unsigned long vaddr, unsigned int order,
+ unsigned long *in_frames,
+@@ -2319,18 +2363,25 @@ int xen_create_contiguous_region(phys_addr_t pstart, unsigned int order,
+ unsigned int address_bits,
+ dma_addr_t *dma_handle)
+ {
+- unsigned long *in_frames = discontig_frames, out_frame;
++ unsigned long *in_frames, out_frame;
+ unsigned long flags;
+ int success;
+ unsigned long vstart = (unsigned long)phys_to_virt(pstart);
+
+- if (unlikely(order > MAX_CONTIG_ORDER))
+- return -ENOMEM;
++ if (unlikely(order > discontig_frames_order)) {
++ if (!discontig_frames_dyn)
++ return -ENOMEM;
++
++ if (alloc_discontig_frames(order))
++ return -ENOMEM;
++ }
+
+ memset((void *) vstart, 0, PAGE_SIZE << order);
+
+ spin_lock_irqsave(&xen_reservation_lock, flags);
+
++ in_frames = discontig_frames;
++
+ /* 1. Zap current PTEs, remembering MFNs. */
+ xen_zap_pfn_range(vstart, order, in_frames, NULL);
+
+@@ -2354,12 +2405,12 @@ int xen_create_contiguous_region(phys_addr_t pstart, unsigned int order,
+
+ void xen_destroy_contiguous_region(phys_addr_t pstart, unsigned int order)
+ {
+- unsigned long *out_frames = discontig_frames, in_frame;
++ unsigned long *out_frames, in_frame;
+ unsigned long flags;
+ int success;
+ unsigned long vstart;
+
+- if (unlikely(order > MAX_CONTIG_ORDER))
++ if (unlikely(order > discontig_frames_order))
+ return;
+
+ vstart = (unsigned long)phys_to_virt(pstart);
+@@ -2367,6 +2418,8 @@ void xen_destroy_contiguous_region(phys_addr_t pstart, unsigned int order)
+
+ spin_lock_irqsave(&xen_reservation_lock, flags);
+
++ out_frames = discontig_frames;
++
+ /* 1. Find start MFN of contiguous extent. */
+ in_frame = virt_to_mfn((void *)vstart);
+
+--
+2.39.5
+
--- /dev/null
+From 39fdd0e05286e51be4c6acafd01f5819e5ecbfde Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Feb 2025 08:43:39 +0100
+Subject: xen/swiotlb: relax alignment requirements
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit 85fcb57c983f423180ba6ec5d0034242da05cc54 ]
+
+When mapping a buffer for DMA via .map_page or .map_sg DMA operations,
+there is no need to check the machine frames to be aligned according
+to the mapped areas size. All what is needed in these cases is that the
+buffer is contiguous at machine level.
+
+So carve out the alignment check from range_straddles_page_boundary()
+and move it to a helper called by xen_swiotlb_alloc_coherent() and
+xen_swiotlb_free_coherent() directly.
+
+Fixes: 9f40ec84a797 ("xen/swiotlb: add alignment check for dma buffers")
+Reported-by: Jan Vejvalka <jan.vejvalka@lfmotol.cuni.cz>
+Tested-by: Jan Vejvalka <jan.vejvalka@lfmotol.cuni.cz>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/xen/swiotlb-xen.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c
+index 6d0d1c8a508bf..b6e54ab3b6f3b 100644
+--- a/drivers/xen/swiotlb-xen.c
++++ b/drivers/xen/swiotlb-xen.c
+@@ -74,19 +74,21 @@ static inline phys_addr_t xen_dma_to_phys(struct device *dev,
+ return xen_bus_to_phys(dev, dma_to_phys(dev, dma_addr));
+ }
+
++static inline bool range_requires_alignment(phys_addr_t p, size_t size)
++{
++ phys_addr_t algn = 1ULL << (get_order(size) + PAGE_SHIFT);
++ phys_addr_t bus_addr = pfn_to_bfn(XEN_PFN_DOWN(p)) << XEN_PAGE_SHIFT;
++
++ return IS_ALIGNED(p, algn) && !IS_ALIGNED(bus_addr, algn);
++}
++
+ static inline int range_straddles_page_boundary(phys_addr_t p, size_t size)
+ {
+ unsigned long next_bfn, xen_pfn = XEN_PFN_DOWN(p);
+ unsigned int i, nr_pages = XEN_PFN_UP(xen_offset_in_page(p) + size);
+- phys_addr_t algn = 1ULL << (get_order(size) + PAGE_SHIFT);
+
+ next_bfn = pfn_to_bfn(xen_pfn);
+
+- /* If buffer is physically aligned, ensure DMA alignment. */
+- if (IS_ALIGNED(p, algn) &&
+- !IS_ALIGNED((phys_addr_t)next_bfn << XEN_PAGE_SHIFT, algn))
+- return 1;
+-
+ for (i = 1; i < nr_pages; i++)
+ if (pfn_to_bfn(++xen_pfn) != ++next_bfn)
+ return 1;
+@@ -155,7 +157,8 @@ xen_swiotlb_alloc_coherent(struct device *dev, size_t size,
+
+ *dma_handle = xen_phys_to_dma(dev, phys);
+ if (*dma_handle + size - 1 > dma_mask ||
+- range_straddles_page_boundary(phys, size)) {
++ range_straddles_page_boundary(phys, size) ||
++ range_requires_alignment(phys, size)) {
+ if (xen_create_contiguous_region(phys, order, fls64(dma_mask),
+ dma_handle) != 0)
+ goto out_free_pages;
+@@ -181,7 +184,8 @@ xen_swiotlb_free_coherent(struct device *dev, size_t size, void *vaddr,
+ size = ALIGN(size, XEN_PAGE_SIZE);
+
+ if (WARN_ON_ONCE(dma_handle + size - 1 > dev->coherent_dma_mask) ||
+- WARN_ON_ONCE(range_straddles_page_boundary(phys, size)))
++ WARN_ON_ONCE(range_straddles_page_boundary(phys, size) ||
++ range_requires_alignment(phys, size)))
+ return;
+
+ if (TestClearPageXenRemapped(virt_to_page(vaddr)))
+--
+2.39.5
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
