--- /dev/null
+From c3dfd249f3e59918329f458e8ad59db9fd4ec78a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Jan 2025 13:52:24 +0100
+Subject: APEI: GHES: Have GHES honor the panic= setting
+
+From: Borislav Petkov <bp@alien8.de>
+
+[ Upstream commit 5c0e00a391dd0099fe95991bb2f962848d851916 ]
+
+The GHES driver overrides the panic= setting by force-rebooting the
+system after a fatal hw error has been reported. The intent being that
+such an error would be reported earlier.
+
+However, this is not optimal when a hard-to-debug issue requires long
+time to reproduce and when that happens, the box will get rebooted after
+30 seconds and thus destroy the whole hw context of when the error
+happened.
+
+So rip out the default GHES panic timeout and honor the global one.
+
+In the panic disabled (panic=0) case, the error will still be logged to
+dmesg for later inspection and if panic after a hw error is really
+required, then that can be controlled the usual way - use panic= on the
+cmdline or set it in the kernel .config's CONFIG_PANIC_TIMEOUT.
+
+Reported-by: Feng Tang <feng.tang@linux.alibaba.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Feng Tang <feng.tang@linux.alibaba.com>
+Reviewed-by: Ira Weiny <ira.weiny@intel.com>
+Link: https://patch.msgid.link/20250113125224.GFZ4UMiNtWIJvgpveU@fat_crate.local
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/apei/ghes.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
+index dd808cf65c841..83a4b417b27b9 100644
+--- a/drivers/acpi/apei/ghes.c
++++ b/drivers/acpi/apei/ghes.c
+@@ -155,8 +155,6 @@ static unsigned long ghes_estatus_pool_size_request;
+ static struct ghes_estatus_cache *ghes_estatus_caches[GHES_ESTATUS_CACHES_SIZE];
+ static atomic_t ghes_estatus_cache_alloced;
+
+-static int ghes_panic_timeout __read_mostly = 30;
+-
+ static void __iomem *ghes_map(u64 pfn, enum fixed_addresses fixmap_idx)
+ {
+ phys_addr_t paddr;
+@@ -858,14 +856,16 @@ static void __ghes_panic(struct ghes *ghes,
+ struct acpi_hest_generic_status *estatus,
+ u64 buf_paddr, enum fixed_addresses fixmap_idx)
+ {
++ const char *msg = GHES_PFX "Fatal hardware error";
++
+ __ghes_print_estatus(KERN_EMERG, ghes->generic, estatus);
+
+ ghes_clear_estatus(ghes, estatus, buf_paddr, fixmap_idx);
+
+- /* reboot to log the error! */
+ if (!panic_timeout)
+- panic_timeout = ghes_panic_timeout;
+- panic("Fatal hardware error!");
++ pr_emerg("%s but panic disabled\n", msg);
++
++ panic(msg);
+ }
+
+ static int ghes_proc(struct ghes *ghes)
+--
+2.39.5
+
--- /dev/null
+From e254eec6cefc2a883ba1722cefffcf4b00c5851f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Dec 2024 12:14:07 +0530
+Subject: arm64/mm: Ensure adequate HUGE_MAX_HSTATE
+
+From: Anshuman Khandual <anshuman.khandual@arm.com>
+
+[ Upstream commit 1e5823c8e86de83a43d59a522b4de29066d3b306 ]
+
+This asserts that HUGE_MAX_HSTATE is sufficient enough preventing potential
+hugetlb_max_hstate runtime overflow in hugetlb_add_hstate() thus triggering
+a BUG_ON() there after.
+
+Cc: Catalin Marinas <catalin.marinas@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Cc: Ard Biesheuvel <ardb@kernel.org>
+Cc: Ryan Roberts <ryan.roberts@arm.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Reviewed-by: Ryan Roberts <ryan.roberts@arm.com>
+Reviewed-by: Gavin Shan <gshan@redhat.com>
+Link: https://lore.kernel.org/r/20241202064407.53807-1-anshuman.khandual@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/mm/hugetlbpage.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/arch/arm64/mm/hugetlbpage.c b/arch/arm64/mm/hugetlbpage.c
+index 134dcf6bc650c..99810310efdda 100644
+--- a/arch/arm64/mm/hugetlbpage.c
++++ b/arch/arm64/mm/hugetlbpage.c
+@@ -544,6 +544,18 @@ pte_t huge_ptep_clear_flush(struct vm_area_struct *vma,
+
+ static int __init hugetlbpage_init(void)
+ {
++ /*
++ * HugeTLB pages are supported on maximum four page table
++ * levels (PUD, CONT PMD, PMD, CONT PTE) for a given base
++ * page size, corresponding to hugetlb_add_hstate() calls
++ * here.
++ *
++ * HUGE_MAX_HSTATE should at least match maximum supported
++ * HugeTLB page sizes on the platform. Any new addition to
++ * supported HugeTLB page sizes will also require changing
++ * HUGE_MAX_HSTATE as well.
++ */
++ BUILD_BUG_ON(HUGE_MAX_HSTATE < 4);
+ if (pud_sect_supported())
+ hugetlb_add_hstate(PUD_SHIFT - PAGE_SHIFT);
+
+--
+2.39.5
+
--- /dev/null
+From 110153e317916c9a44af8726a7a4f2b462fe14f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jan 2025 01:15:47 +0800
+Subject: ASoC: amd: Add ACPI dependency to fix build error
+
+From: Yu-Chun Lin <eleanor15x@gmail.com>
+
+[ Upstream commit 7e24ec93aecd12e33d31e38e5af4625553bbc727 ]
+
+As reported by the kernel test robot, the following error occurs:
+
+ sound/soc/amd/yc/acp6x-mach.c: In function 'acp6x_probe':
+>> sound/soc/amd/yc/acp6x-mach.c:573:15: error: implicit declaration of function 'acpi_evaluate_integer'; did you mean 'acpi_evaluate_object'? [-Werror=implicit-function-declaration]
+ 573 | ret = acpi_evaluate_integer(handle, "_WOV", NULL, &dmic_status);
+ | ^~~~~~~~~~~~~~~~~~~~~
+ | acpi_evaluate_object
+ cc1: some warnings being treated as errors
+
+The function 'acpi_evaluate_integer' and its prototype in 'acpi_bus.h'
+are only available when 'CONFIG_ACPI' is enabled. Add a 'depends on ACPI'
+directive in Kconfig to ensure proper compilation.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202501090345.pBIDRTym-lkp@intel.com/
+Signed-off-by: Yu-Chun Lin <eleanor15x@gmail.com>
+Link: https://patch.msgid.link/20250109171547.362412-1-eleanor15x@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/amd/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/amd/Kconfig b/sound/soc/amd/Kconfig
+index 44d4e6e51a358..6e358909bc5e3 100644
+--- a/sound/soc/amd/Kconfig
++++ b/sound/soc/amd/Kconfig
+@@ -103,7 +103,7 @@ config SND_SOC_AMD_ACP6x
+ config SND_SOC_AMD_YC_MACH
+ tristate "AMD YC support for DMIC"
+ select SND_SOC_DMIC
+- depends on SND_SOC_AMD_ACP6x
++ depends on SND_SOC_AMD_ACP6x && ACPI
+ help
+ This option enables machine driver for Yellow Carp platform
+ using dmic. ACP IP has PDM Decoder block with DMA controller.
+--
+2.39.5
+
--- /dev/null
+From b3002d1a3c82a8148aa04c1902344877a62013ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Dec 2024 01:21:10 +0000
+Subject: ASoC: soc-pcm: don't use soc_pcm_ret() on .prepare callback
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+[ Upstream commit 301c26a018acb94dd537a4418cefa0f654500c6f ]
+
+commit 1f5664351410 ("ASoC: lower "no backend DAIs enabled for ... Port"
+log severity") ignores -EINVAL error message on common soc_pcm_ret().
+It is used from many functions, ignoring -EINVAL is over-kill.
+
+The reason why -EINVAL was ignored was it really should only be used
+upon invalid parameters coming from userspace and in that case we don't
+want to log an error since we do not want to give userspace a way to do
+a denial-of-service attack on the syslog / diskspace.
+
+So don't use soc_pcm_ret() on .prepare callback is better idea.
+
+Link: https://lore.kernel.org/r/87v7vptzap.wl-kuninori.morimoto.gx@renesas.com
+Cc: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://patch.msgid.link/87bjxg8jju.wl-kuninori.morimoto.gx@renesas.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/soc-pcm.c | 31 ++++++++++++++++++++++++++++---
+ 1 file changed, 28 insertions(+), 3 deletions(-)
+
+diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c
+index f3964060a0447..3f998a09fc42e 100644
+--- a/sound/soc/soc-pcm.c
++++ b/sound/soc/soc-pcm.c
+@@ -906,7 +906,13 @@ static int __soc_pcm_prepare(struct snd_soc_pcm_runtime *rtd,
+ snd_soc_dai_digital_mute(dai, 0, substream->stream);
+
+ out:
+- return soc_pcm_ret(rtd, ret);
++ /*
++ * Don't use soc_pcm_ret() on .prepare callback to lower error log severity
++ *
++ * We don't want to log an error since we do not want to give userspace a way to do a
++ * denial-of-service attack on the syslog / diskspace.
++ */
++ return ret;
+ }
+
+ /* PCM prepare ops for non-DPCM streams */
+@@ -918,6 +924,13 @@ static int soc_pcm_prepare(struct snd_pcm_substream *substream)
+ snd_soc_dpcm_mutex_lock(rtd);
+ ret = __soc_pcm_prepare(rtd, substream);
+ snd_soc_dpcm_mutex_unlock(rtd);
++
++ /*
++ * Don't use soc_pcm_ret() on .prepare callback to lower error log severity
++ *
++ * We don't want to log an error since we do not want to give userspace a way to do a
++ * denial-of-service attack on the syslog / diskspace.
++ */
+ return ret;
+ }
+
+@@ -2422,7 +2435,13 @@ int dpcm_be_dai_prepare(struct snd_soc_pcm_runtime *fe, int stream)
+ be->dpcm[stream].state = SND_SOC_DPCM_STATE_PREPARE;
+ }
+
+- return soc_pcm_ret(fe, ret);
++ /*
++ * Don't use soc_pcm_ret() on .prepare callback to lower error log severity
++ *
++ * We don't want to log an error since we do not want to give userspace a way to do a
++ * denial-of-service attack on the syslog / diskspace.
++ */
++ return ret;
+ }
+
+ static int dpcm_fe_dai_prepare(struct snd_pcm_substream *substream)
+@@ -2459,7 +2478,13 @@ static int dpcm_fe_dai_prepare(struct snd_pcm_substream *substream)
+ dpcm_set_fe_update_state(fe, stream, SND_SOC_DPCM_UPDATE_NO);
+ snd_soc_dpcm_mutex_unlock(fe);
+
+- return soc_pcm_ret(fe, ret);
++ /*
++ * Don't use soc_pcm_ret() on .prepare callback to lower error log severity
++ *
++ * We don't want to log an error since we do not want to give userspace a way to do a
++ * denial-of-service attack on the syslog / diskspace.
++ */
++ return ret;
+ }
+
+ static int dpcm_run_update_shutdown(struct snd_soc_pcm_runtime *fe, int stream)
+--
+2.39.5
+
--- /dev/null
+From 45f892f2f38982bf5c91993b4fbf4d4c7f017fe6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Dec 2024 05:06:16 +0300
+Subject: Bluetooth: MGMT: Fix slab-use-after-free Read in
+ mgmt_remove_adv_monitor_sync
+
+From: Mazin Al Haddad <mazin@getstate.dev>
+
+[ Upstream commit 26fbd3494a7dd26269cb0817c289267dbcfdec06 ]
+
+This fixes the following crash:
+
+==================================================================
+BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543
+Read of size 8 at addr ffff88814128f898 by task kworker/u9:4/5961
+
+CPU: 1 UID: 0 PID: 5961 Comm: kworker/u9:4 Not tainted 6.12.0-syzkaller-10684-gf1cd565ce577 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
+Workqueue: hci0 hci_cmd_sync_work
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0x169/0x550 mm/kasan/report.c:489
+ kasan_report+0x143/0x180 mm/kasan/report.c:602
+ mgmt_remove_adv_monitor_sync+0x3a/0xd0 net/bluetooth/mgmt.c:5543
+ hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332
+ process_one_work kernel/workqueue.c:3229 [inline]
+ process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
+ worker_thread+0x870/0xd30 kernel/workqueue.c:3391
+ kthread+0x2f0/0x390 kernel/kthread.c:389
+ ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
+ </TASK>
+
+Allocated by task 16026:
+ kasan_save_stack mm/kasan/common.c:47 [inline]
+ kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
+ poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
+ __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
+ kasan_kmalloc include/linux/kasan.h:260 [inline]
+ __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4314
+ kmalloc_noprof include/linux/slab.h:901 [inline]
+ kzalloc_noprof include/linux/slab.h:1037 [inline]
+ mgmt_pending_new+0x65/0x250 net/bluetooth/mgmt_util.c:269
+ mgmt_pending_add+0x36/0x120 net/bluetooth/mgmt_util.c:296
+ remove_adv_monitor+0x102/0x1b0 net/bluetooth/mgmt.c:5568
+ hci_mgmt_cmd+0xc47/0x11d0 net/bluetooth/hci_sock.c:1712
+ hci_sock_sendmsg+0x7b8/0x11c0 net/bluetooth/hci_sock.c:1832
+ sock_sendmsg_nosec net/socket.c:711 [inline]
+ __sock_sendmsg+0x221/0x270 net/socket.c:726
+ sock_write_iter+0x2d7/0x3f0 net/socket.c:1147
+ new_sync_write fs/read_write.c:586 [inline]
+ vfs_write+0xaeb/0xd30 fs/read_write.c:679
+ ksys_write+0x18f/0x2b0 fs/read_write.c:731
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Freed by task 16022:
+ kasan_save_stack mm/kasan/common.c:47 [inline]
+ kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
+ kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582
+ poison_slab_object mm/kasan/common.c:247 [inline]
+ __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
+ kasan_slab_free include/linux/kasan.h:233 [inline]
+ slab_free_hook mm/slub.c:2338 [inline]
+ slab_free mm/slub.c:4598 [inline]
+ kfree+0x196/0x420 mm/slub.c:4746
+ mgmt_pending_foreach+0xd1/0x130 net/bluetooth/mgmt_util.c:259
+ __mgmt_power_off+0x183/0x430 net/bluetooth/mgmt.c:9550
+ hci_dev_close_sync+0x6c4/0x11c0 net/bluetooth/hci_sync.c:5208
+ hci_dev_do_close net/bluetooth/hci_core.c:483 [inline]
+ hci_dev_close+0x112/0x210 net/bluetooth/hci_core.c:508
+ sock_do_ioctl+0x158/0x460 net/socket.c:1209
+ sock_ioctl+0x626/0x8e0 net/socket.c:1328
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:906 [inline]
+ __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Reported-by: syzbot+479aff51bb361ef5aa18@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=479aff51bb361ef5aa18
+Tested-by: syzbot+479aff51bb361ef5aa18@syzkaller.appspotmail.com
+Signed-off-by: Mazin Al Haddad <mazin@getstate.dev>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/mgmt.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
+index dc3921269a5ab..4f116e8c84a00 100644
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -5524,10 +5524,16 @@ static void mgmt_remove_adv_monitor_complete(struct hci_dev *hdev,
+ {
+ struct mgmt_rp_remove_adv_monitor rp;
+ struct mgmt_pending_cmd *cmd = data;
+- struct mgmt_cp_remove_adv_monitor *cp = cmd->param;
++ struct mgmt_cp_remove_adv_monitor *cp;
++
++ if (status == -ECANCELED ||
++ cmd != pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev))
++ return;
+
+ hci_dev_lock(hdev);
+
++ cp = cmd->param;
++
+ rp.monitor_handle = cp->monitor_handle;
+
+ if (!status)
+@@ -5545,6 +5551,10 @@ static void mgmt_remove_adv_monitor_complete(struct hci_dev *hdev,
+ static int mgmt_remove_adv_monitor_sync(struct hci_dev *hdev, void *data)
+ {
+ struct mgmt_pending_cmd *cmd = data;
++
++ if (cmd != pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev))
++ return -ECANCELED;
++
+ struct mgmt_cp_remove_adv_monitor *cp = cmd->param;
+ u16 handle = __le16_to_cpu(cp->monitor_handle);
+
+--
+2.39.5
+
--- /dev/null
+From fc4c09c8384ddb452710d4d0bbd9914b887d69f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Oct 2024 11:43:03 -0400
+Subject: btrfs: convert BUG_ON in btrfs_reloc_cow_block() to proper error
+ handling
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+[ Upstream commit 6a4730b325aaa48f7a5d5ba97aff0a955e2d9cec ]
+
+This BUG_ON is meant to catch backref cache problems, but these can
+arise from either bugs in the backref cache or corruption in the extent
+tree. Fix it to be a proper error.
+
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/relocation.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
+index 4c6ba97299cd6..d6cda0b2e9256 100644
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -4423,8 +4423,18 @@ int btrfs_reloc_cow_block(struct btrfs_trans_handle *trans,
+ WARN_ON(!first_cow && level == 0);
+
+ node = rc->backref_cache.path[level];
+- BUG_ON(node->bytenr != buf->start &&
+- node->new_bytenr != buf->start);
++
++ /*
++ * If node->bytenr != buf->start and node->new_bytenr !=
++ * buf->start then we've got the wrong backref node for what we
++ * expected to see here and the cache is incorrect.
++ */
++ if (unlikely(node->bytenr != buf->start && node->new_bytenr != buf->start)) {
++ btrfs_err(fs_info,
++"bytenr %llu was found but our backref cache was expecting %llu or %llu",
++ buf->start, node->bytenr, node->new_bytenr);
++ return -EUCLEAN;
++ }
+
+ btrfs_backref_drop_node_buffer(node);
+ atomic_inc(&cow->refs);
+--
+2.39.5
+
--- /dev/null
+From 15c0cee827d223e9e80ee1eeef5ae36183f0473c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2024 15:56:51 +0800
+Subject: btrfs: fix data race when accessing the inode's disk_i_size at
+ btrfs_drop_extents()
+
+From: Hao-ran Zheng <zhenghaoran154@gmail.com>
+
+[ Upstream commit 5324c4e10e9c2ce307a037e904c0d9671d7137d9 ]
+
+A data race occurs when the function `insert_ordered_extent_file_extent()`
+and the function `btrfs_inode_safe_disk_i_size_write()` are executed
+concurrently. The function `insert_ordered_extent_file_extent()` is not
+locked when reading inode->disk_i_size, causing
+`btrfs_inode_safe_disk_i_size_write()` to cause data competition when
+writing inode->disk_i_size, thus affecting the value of `modify_tree`.
+
+The specific call stack that appears during testing is as follows:
+
+ ============DATA_RACE============
+ btrfs_drop_extents+0x89a/0xa060 [btrfs]
+ insert_reserved_file_extent+0xb54/0x2960 [btrfs]
+ insert_ordered_extent_file_extent+0xff5/0x1760 [btrfs]
+ btrfs_finish_one_ordered+0x1b85/0x36a0 [btrfs]
+ btrfs_finish_ordered_io+0x37/0x60 [btrfs]
+ finish_ordered_fn+0x3e/0x50 [btrfs]
+ btrfs_work_helper+0x9c9/0x27a0 [btrfs]
+ process_scheduled_works+0x716/0xf10
+ worker_thread+0xb6a/0x1190
+ kthread+0x292/0x330
+ ret_from_fork+0x4d/0x80
+ ret_from_fork_asm+0x1a/0x30
+ ============OTHER_INFO============
+ btrfs_inode_safe_disk_i_size_write+0x4ec/0x600 [btrfs]
+ btrfs_finish_one_ordered+0x24c7/0x36a0 [btrfs]
+ btrfs_finish_ordered_io+0x37/0x60 [btrfs]
+ finish_ordered_fn+0x3e/0x50 [btrfs]
+ btrfs_work_helper+0x9c9/0x27a0 [btrfs]
+ process_scheduled_works+0x716/0xf10
+ worker_thread+0xb6a/0x1190
+ kthread+0x292/0x330
+ ret_from_fork+0x4d/0x80
+ ret_from_fork_asm+0x1a/0x30
+ =================================
+
+The main purpose of the check of the inode's disk_i_size is to avoid
+taking write locks on a btree path when we have a write at or beyond
+EOF, since in these cases we don't expect to find extent items in the
+root to drop. However if we end up taking write locks due to a data
+race on disk_i_size, everything is still correct, we only add extra
+lock contention on the tree in case there's concurrency from other tasks.
+If the race causes us to not take write locks when we actually need them,
+then everything is functionally correct as well, since if we find out we
+have extent items to drop and we took read locks (modify_tree set to 0),
+we release the path and retry again with write locks.
+
+Since this data race does not affect the correctness of the function,
+it is a harmless data race, use data_race() to check inode->disk_i_size.
+
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Hao-ran Zheng <zhenghaoran154@gmail.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c
+index c8231677c79ef..bdb0f7c70752d 100644
+--- a/fs/btrfs/file.c
++++ b/fs/btrfs/file.c
+@@ -234,7 +234,7 @@ int btrfs_drop_extents(struct btrfs_trans_handle *trans,
+ if (args->drop_cache)
+ btrfs_drop_extent_map_range(inode, args->start, args->end - 1, false);
+
+- if (args->start >= inode->disk_i_size && !args->replace_extent)
++ if (data_race(args->start >= inode->disk_i_size) && !args->replace_extent)
+ modify_tree = 0;
+
+ update_refs = (root->root_key.objectid != BTRFS_TREE_LOG_OBJECTID);
+--
+2.39.5
+
--- /dev/null
+From 0bd68ca944d36b0e60db95797966787b280443f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Jan 2025 17:26:10 +0000
+Subject: btrfs: fix use-after-free when attempting to join an aborted
+ transaction
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit e2f0943cf37305dbdeaf9846e3c941451bcdef63 ]
+
+When we are trying to join the current transaction and if it's aborted,
+we read its 'aborted' field after unlocking fs_info->trans_lock and
+without holding any extra reference count on it. This means that a
+concurrent task that is aborting the transaction may free the transaction
+before we read its 'aborted' field, leading to a use-after-free.
+
+Fix this by reading the 'aborted' field while holding fs_info->trans_lock
+since any freeing task must first acquire that lock and set
+fs_info->running_transaction to NULL before freeing the transaction.
+
+This was reported by syzbot and Dmitry with the following stack traces
+from KASAN:
+
+ ==================================================================
+ BUG: KASAN: slab-use-after-free in join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278
+ Read of size 4 at addr ffff888011839024 by task kworker/u4:9/1128
+
+ CPU: 0 UID: 0 PID: 1128 Comm: kworker/u4:9 Not tainted 6.13.0-rc7-syzkaller-00019-gc45323b7560e #0
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+ Workqueue: events_unbound btrfs_async_reclaim_data_space
+ Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0x169/0x550 mm/kasan/report.c:489
+ kasan_report+0x143/0x180 mm/kasan/report.c:602
+ join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278
+ start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697
+ flush_space+0x448/0xcf0 fs/btrfs/space-info.c:803
+ btrfs_async_reclaim_data_space+0x159/0x510 fs/btrfs/space-info.c:1321
+ process_one_work kernel/workqueue.c:3236 [inline]
+ process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317
+ worker_thread+0x870/0xd30 kernel/workqueue.c:3398
+ kthread+0x2f0/0x390 kernel/kthread.c:389
+ ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
+ ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
+ </TASK>
+
+ Allocated by task 5315:
+ kasan_save_stack mm/kasan/common.c:47 [inline]
+ kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
+ poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
+ __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
+ kasan_kmalloc include/linux/kasan.h:260 [inline]
+ __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329
+ kmalloc_noprof include/linux/slab.h:901 [inline]
+ join_transaction+0x144/0xda0 fs/btrfs/transaction.c:308
+ start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697
+ btrfs_create_common+0x1b2/0x2e0 fs/btrfs/inode.c:6572
+ lookup_open fs/namei.c:3649 [inline]
+ open_last_lookups fs/namei.c:3748 [inline]
+ path_openat+0x1c03/0x3590 fs/namei.c:3984
+ do_filp_open+0x27f/0x4e0 fs/namei.c:4014
+ do_sys_openat2+0x13e/0x1d0 fs/open.c:1402
+ do_sys_open fs/open.c:1417 [inline]
+ __do_sys_creat fs/open.c:1495 [inline]
+ __se_sys_creat fs/open.c:1489 [inline]
+ __x64_sys_creat+0x123/0x170 fs/open.c:1489
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+ Freed by task 5336:
+ kasan_save_stack mm/kasan/common.c:47 [inline]
+ kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
+ kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582
+ poison_slab_object mm/kasan/common.c:247 [inline]
+ __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
+ kasan_slab_free include/linux/kasan.h:233 [inline]
+ slab_free_hook mm/slub.c:2353 [inline]
+ slab_free mm/slub.c:4613 [inline]
+ kfree+0x196/0x430 mm/slub.c:4761
+ cleanup_transaction fs/btrfs/transaction.c:2063 [inline]
+ btrfs_commit_transaction+0x2c97/0x3720 fs/btrfs/transaction.c:2598
+ insert_balance_item+0x1284/0x20b0 fs/btrfs/volumes.c:3757
+ btrfs_balance+0x992/0x10c0 fs/btrfs/volumes.c:4633
+ btrfs_ioctl_balance+0x493/0x7c0 fs/btrfs/ioctl.c:3670
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:906 [inline]
+ __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+ The buggy address belongs to the object at ffff888011839000
+ which belongs to the cache kmalloc-2k of size 2048
+ The buggy address is located 36 bytes inside of
+ freed 2048-byte region [ffff888011839000, ffff888011839800)
+
+ The buggy address belongs to the physical page:
+ page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11838
+ head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+ flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
+ page_type: f5(slab)
+ raw: 00fff00000000040 ffff88801ac42000 ffffea0000493400 dead000000000002
+ raw: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000
+ head: 00fff00000000040 ffff88801ac42000 ffffea0000493400 dead000000000002
+ head: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000
+ head: 00fff00000000003 ffffea0000460e01 ffffffffffffffff 0000000000000000
+ head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
+ page dumped because: kasan: bad access detected
+ page_owner tracks the page as allocated
+ page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 57, tgid 57 (kworker/0:2), ts 67248182943, free_ts 67229742023
+ set_page_owner include/linux/page_owner.h:32 [inline]
+ post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1558
+ prep_new_page mm/page_alloc.c:1566 [inline]
+ get_page_from_freelist+0x365c/0x37a0 mm/page_alloc.c:3476
+ __alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4753
+ alloc_pages_mpol_noprof+0x3e1/0x780 mm/mempolicy.c:2269
+ alloc_slab_page+0x6a/0x110 mm/slub.c:2423
+ allocate_slab+0x5a/0x2b0 mm/slub.c:2589
+ new_slab mm/slub.c:2642 [inline]
+ ___slab_alloc+0xc27/0x14a0 mm/slub.c:3830
+ __slab_alloc+0x58/0xa0 mm/slub.c:3920
+ __slab_alloc_node mm/slub.c:3995 [inline]
+ slab_alloc_node mm/slub.c:4156 [inline]
+ __do_kmalloc_node mm/slub.c:4297 [inline]
+ __kmalloc_node_track_caller_noprof+0x2e9/0x4c0 mm/slub.c:4317
+ kmalloc_reserve+0x111/0x2a0 net/core/skbuff.c:609
+ __alloc_skb+0x1f3/0x440 net/core/skbuff.c:678
+ alloc_skb include/linux/skbuff.h:1323 [inline]
+ alloc_skb_with_frags+0xc3/0x820 net/core/skbuff.c:6612
+ sock_alloc_send_pskb+0x91a/0xa60 net/core/sock.c:2884
+ sock_alloc_send_skb include/net/sock.h:1803 [inline]
+ mld_newpack+0x1c3/0xaf0 net/ipv6/mcast.c:1747
+ add_grhead net/ipv6/mcast.c:1850 [inline]
+ add_grec+0x1492/0x19a0 net/ipv6/mcast.c:1988
+ mld_send_cr net/ipv6/mcast.c:2114 [inline]
+ mld_ifc_work+0x691/0xd90 net/ipv6/mcast.c:2651
+ page last free pid 5300 tgid 5300 stack trace:
+ reset_page_owner include/linux/page_owner.h:25 [inline]
+ free_pages_prepare mm/page_alloc.c:1127 [inline]
+ free_unref_page+0xd3f/0x1010 mm/page_alloc.c:2659
+ __slab_free+0x2c2/0x380 mm/slub.c:4524
+ qlink_free mm/kasan/quarantine.c:163 [inline]
+ qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
+ kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
+ __kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
+ kasan_slab_alloc include/linux/kasan.h:250 [inline]
+ slab_post_alloc_hook mm/slub.c:4119 [inline]
+ slab_alloc_node mm/slub.c:4168 [inline]
+ __do_kmalloc_node mm/slub.c:4297 [inline]
+ __kmalloc_noprof+0x236/0x4c0 mm/slub.c:4310
+ kmalloc_noprof include/linux/slab.h:905 [inline]
+ kzalloc_noprof include/linux/slab.h:1037 [inline]
+ fib_create_info+0xc14/0x25b0 net/ipv4/fib_semantics.c:1435
+ fib_table_insert+0x1f6/0x1f20 net/ipv4/fib_trie.c:1231
+ fib_magic+0x3d8/0x620 net/ipv4/fib_frontend.c:1112
+ fib_add_ifaddr+0x40c/0x5e0 net/ipv4/fib_frontend.c:1156
+ fib_netdev_event+0x375/0x490 net/ipv4/fib_frontend.c:1494
+ notifier_call_chain+0x1a5/0x3f0 kernel/notifier.c:85
+ __dev_notify_flags+0x207/0x400
+ dev_change_flags+0xf0/0x1a0 net/core/dev.c:9045
+ do_setlink+0xc90/0x4210 net/core/rtnetlink.c:3109
+ rtnl_changelink net/core/rtnetlink.c:3723 [inline]
+ __rtnl_newlink net/core/rtnetlink.c:3875 [inline]
+ rtnl_newlink+0x1bb6/0x2210 net/core/rtnetlink.c:4012
+
+ Memory state around the buggy address:
+ ffff888011838f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff888011838f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ >ffff888011839000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff888011839080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ffff888011839100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ==================================================================
+
+Reported-by: syzbot+45212e9d87a98c3f5b42@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/linux-btrfs/678e7da5.050a0220.303755.007c.GAE@google.com/
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Link: https://lore.kernel.org/linux-btrfs/CACT4Y+ZFBdo7pT8L2AzM=vegZwjp-wNkVJZQf0Ta3vZqtExaSw@mail.gmail.com/
+Fixes: 871383be592b ("btrfs: add missing unlocks to transaction abort paths")
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/transaction.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c
+index 604241e6e2c1e..ff3e0d4cf4b48 100644
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -262,8 +262,10 @@ static noinline int join_transaction(struct btrfs_fs_info *fs_info,
+ cur_trans = fs_info->running_transaction;
+ if (cur_trans) {
+ if (TRANS_ABORTED(cur_trans)) {
++ const int abort_error = cur_trans->aborted;
++
+ spin_unlock(&fs_info->trans_lock);
+- return cur_trans->aborted;
++ return abort_error;
+ }
+ if (btrfs_blocked_trans_types[cur_trans->state] & type) {
+ spin_unlock(&fs_info->trans_lock);
+--
+2.39.5
+
--- /dev/null
+From 93ee78a7732b64d4d9feb07980da05e30f55d552 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Dec 2024 13:30:37 -0500
+Subject: drm/amd/display: Fix Mode Cutoff in DSC Passthrough to DP2.1 Monitor
+
+From: Fangzhi Zuo <Jerry.Zuo@amd.com>
+
+[ Upstream commit e56ad45e991128bf4db160b75a1d9f647a341d8f ]
+
+Source --> DP2.1 MST hub --> DP1.4/2.1 monitor
+
+When change from DP1.4 to DP2.1 from monitor manual, modes higher than
+4k120 are all cutoff by mode validation. Switch back to DP1.4 gets all
+the modes up to 4k240 available to be enabled by dsc passthrough.
+
+[why]
+Compared to DP1.4 link from hub to monitor, DP2.1 link has larger
+full_pbn value that causes overflow in the process of doing conversion
+from pbn to kbps.
+
+[how]
+Change the data type accordingly to fit into the data limit during
+conversion calculation.
+
+Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
+Reviewed-by: Wayne Lin <wayne.lin@amd.com>
+Signed-off-by: Fangzhi Zuo <Jerry.Zuo@amd.com>
+Signed-off-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
+index 1acef5f3838f3..5eb994ed54717 100644
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
+@@ -1555,16 +1555,16 @@ int pre_validate_dsc(struct drm_atomic_state *state,
+ return ret;
+ }
+
+-static unsigned int kbps_from_pbn(unsigned int pbn)
++static uint32_t kbps_from_pbn(unsigned int pbn)
+ {
+- unsigned int kbps = pbn;
++ uint64_t kbps = (uint64_t)pbn;
+
+ kbps *= (1000000 / PEAK_FACTOR_X1000);
+ kbps *= 8;
+ kbps *= 54;
+ kbps /= 64;
+
+- return kbps;
++ return (uint32_t)kbps;
+ }
+
+ static bool is_dsc_common_config_possible(struct dc_stream_state *stream,
+--
+2.39.5
+
--- /dev/null
+From d13a17995be33d59524d295796406c4432a2a2f6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Dec 2024 18:51:22 +0800
+Subject: drm/bridge: it6505: Change definition MAX_HDCP_DOWN_STREAM_COUNT
+
+From: Hermes Wu <hermes.wu@ite.com.tw>
+
+[ Upstream commit 85597bc0d70c287ba41f17d14d3d857a38a3d727 ]
+
+A HDCP source device shall support max downstream to 127 devices.
+Change definition MAX_HDCP_DOWN_STREAM_COUNT to 127
+
+KSVs shall save for DRM blocked devices check.
+This results in struct it6505 growth by ~0.5 KiB.
+
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Hermes Wu <hermes.wu@ite.com.tw>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20241230-v7-upstream-v7-4-e0fdd4844703@ite.corp-partner.google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/ite-it6505.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/bridge/ite-it6505.c b/drivers/gpu/drm/bridge/ite-it6505.c
+index 45596b211fb88..6140dea66e43a 100644
+--- a/drivers/gpu/drm/bridge/ite-it6505.c
++++ b/drivers/gpu/drm/bridge/ite-it6505.c
+@@ -296,7 +296,7 @@
+ #define MAX_LANE_COUNT 4
+ #define MAX_LINK_RATE HBR
+ #define AUTO_TRAIN_RETRY 3
+-#define MAX_HDCP_DOWN_STREAM_COUNT 10
++#define MAX_HDCP_DOWN_STREAM_COUNT 127
+ #define MAX_CR_LEVEL 0x03
+ #define MAX_EQ_LEVEL 0x03
+ #define AUX_WAIT_TIMEOUT_MS 15
+--
+2.39.5
+
--- /dev/null
+From 73abe4314ba5084901a17d1e9fb91d41bb561949 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Dec 2024 18:51:23 +0800
+Subject: drm/bridge: it6505: fix HDCP Bstatus check
+
+From: Hermes Wu <hermes.wu@ite.com.tw>
+
+[ Upstream commit 0fd2ff47d8c207fa3173661de04bb9e8201c0ad2 ]
+
+When HDCP is activated,
+a DisplayPort source receiving CP_IRQ from the sink
+shall check Bstatus from DPCD and process the corresponding value
+
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Hermes Wu <hermes.wu@ite.com.tw>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20241230-v7-upstream-v7-5-e0fdd4844703@ite.corp-partner.google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/ite-it6505.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/ite-it6505.c b/drivers/gpu/drm/bridge/ite-it6505.c
+index 6140dea66e43a..7e82f36f9fd02 100644
+--- a/drivers/gpu/drm/bridge/ite-it6505.c
++++ b/drivers/gpu/drm/bridge/ite-it6505.c
+@@ -2292,14 +2292,20 @@ static int it6505_process_hpd_irq(struct it6505 *it6505)
+ DRM_DEV_DEBUG_DRIVER(dev, "dp_irq_vector = 0x%02x", dp_irq_vector);
+
+ if (dp_irq_vector & DP_CP_IRQ) {
+- it6505_set_bits(it6505, REG_HDCP_TRIGGER, HDCP_TRIGGER_CPIRQ,
+- HDCP_TRIGGER_CPIRQ);
+-
+ bstatus = it6505_dpcd_read(it6505, DP_AUX_HDCP_BSTATUS);
+ if (bstatus < 0)
+ return bstatus;
+
+ DRM_DEV_DEBUG_DRIVER(dev, "Bstatus = 0x%02x", bstatus);
++
++ /*Check BSTATUS when recive CP_IRQ */
++ if (bstatus & DP_BSTATUS_R0_PRIME_READY &&
++ it6505->hdcp_status == HDCP_AUTH_GOING)
++ it6505_set_bits(it6505, REG_HDCP_TRIGGER, HDCP_TRIGGER_CPIRQ,
++ HDCP_TRIGGER_CPIRQ);
++ else if (bstatus & (DP_BSTATUS_REAUTH_REQ | DP_BSTATUS_LINK_FAILURE) &&
++ it6505->hdcp_status == HDCP_AUTH_DONE)
++ it6505_start_hdcp(it6505);
+ }
+
+ ret = drm_dp_dpcd_read_link_status(&it6505->aux, link_status);
+--
+2.39.5
+
--- /dev/null
+From 1529d82713c74557ac12d239e89945e6270657b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Dec 2024 18:51:26 +0800
+Subject: drm/bridge: it6505: fix HDCP CTS compare V matching
+
+From: Hermes Wu <hermes.wu@ite.com.tw>
+
+[ Upstream commit 0989c02c7a5c887c70afeae80c64d0291624e1a7 ]
+
+When HDCP negotiation with a repeater device.
+Checking SHA V' matching must retry 3 times before restarting HDCP.
+
+Signed-off-by: Hermes Wu <hermes.wu@ite.com.tw>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20241230-v7-upstream-v7-8-e0fdd4844703@ite.corp-partner.google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/ite-it6505.c | 32 +++++++++++++++++------------
+ 1 file changed, 19 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/ite-it6505.c b/drivers/gpu/drm/bridge/ite-it6505.c
+index c0bc9e0ce9810..7c3bd539655b8 100644
+--- a/drivers/gpu/drm/bridge/ite-it6505.c
++++ b/drivers/gpu/drm/bridge/ite-it6505.c
+@@ -2011,7 +2011,7 @@ static bool it6505_hdcp_part2_ksvlist_check(struct it6505 *it6505)
+ {
+ struct device *dev = &it6505->client->dev;
+ u8 av[5][4], bv[5][4];
+- int i, err;
++ int i, err, retry;
+
+ i = it6505_setup_sha1_input(it6505, it6505->sha1_input);
+ if (i <= 0) {
+@@ -2020,22 +2020,28 @@ static bool it6505_hdcp_part2_ksvlist_check(struct it6505 *it6505)
+ }
+
+ it6505_sha1_digest(it6505, it6505->sha1_input, i, (u8 *)av);
++ /*1B-05 V' must retry 3 times */
++ for (retry = 0; retry < 3; retry++) {
++ err = it6505_get_dpcd(it6505, DP_AUX_HDCP_V_PRIME(0), (u8 *)bv,
++ sizeof(bv));
+
+- err = it6505_get_dpcd(it6505, DP_AUX_HDCP_V_PRIME(0), (u8 *)bv,
+- sizeof(bv));
++ if (err < 0) {
++ dev_err(dev, "Read V' value Fail %d", retry);
++ continue;
++ }
+
+- if (err < 0) {
+- dev_err(dev, "Read V' value Fail");
+- return false;
+- }
++ for (i = 0; i < 5; i++) {
++ if (bv[i][3] != av[i][0] || bv[i][2] != av[i][1] ||
++ av[i][1] != av[i][2] || bv[i][0] != av[i][3])
++ break;
+
+- for (i = 0; i < 5; i++)
+- if (bv[i][3] != av[i][0] || bv[i][2] != av[i][1] ||
+- bv[i][1] != av[i][2] || bv[i][0] != av[i][3])
+- return false;
++ DRM_DEV_DEBUG_DRIVER(dev, "V' all match!! %d, %d", retry, i);
++ return true;
++ }
++ }
+
+- DRM_DEV_DEBUG_DRIVER(dev, "V' all match!!");
+- return true;
++ DRM_DEV_DEBUG_DRIVER(dev, "V' NOT match!! %d", retry);
++ return false;
+ }
+
+ static void it6505_hdcp_wait_ksv_list(struct work_struct *work)
+--
+2.39.5
+
--- /dev/null
+From e37957aa8ff273931eb6c505246a112fb783f79d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Dec 2024 18:51:24 +0800
+Subject: drm/bridge: it6505: fix HDCP encryption when R0 ready
+
+From: Hermes Wu <hermes.wu@ite.com.tw>
+
+[ Upstream commit 8c01b0bae2f9e58f2fee0e811cb90d8331986554 ]
+
+When starting HDCP authentication, HDCP encryption should be enabled
+when R0'is checked.
+
+Change encryption enables time at R0' ready.
+The hardware HDCP engine trigger is changed and the repeater KSV fails
+will restart HDCP.
+
+Signed-off-by: Hermes Wu <hermes.wu@ite.com.tw>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20241230-v7-upstream-v7-6-e0fdd4844703@ite.corp-partner.google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bridge/ite-it6505.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/gpu/drm/bridge/ite-it6505.c b/drivers/gpu/drm/bridge/ite-it6505.c
+index 7e82f36f9fd02..c0bc9e0ce9810 100644
+--- a/drivers/gpu/drm/bridge/ite-it6505.c
++++ b/drivers/gpu/drm/bridge/ite-it6505.c
+@@ -2069,15 +2069,12 @@ static void it6505_hdcp_wait_ksv_list(struct work_struct *work)
+ ksv_list_check = it6505_hdcp_part2_ksvlist_check(it6505);
+ DRM_DEV_DEBUG_DRIVER(dev, "ksv list ready, ksv list check %s",
+ ksv_list_check ? "pass" : "fail");
+- if (ksv_list_check) {
+- it6505_set_bits(it6505, REG_HDCP_TRIGGER,
+- HDCP_TRIGGER_KSV_DONE, HDCP_TRIGGER_KSV_DONE);
++
++ if (ksv_list_check)
+ return;
+- }
++
+ timeout:
+- it6505_set_bits(it6505, REG_HDCP_TRIGGER,
+- HDCP_TRIGGER_KSV_DONE | HDCP_TRIGGER_KSV_FAIL,
+- HDCP_TRIGGER_KSV_DONE | HDCP_TRIGGER_KSV_FAIL);
++ it6505_start_hdcp(it6505);
+ }
+
+ static void it6505_hdcp_work(struct work_struct *work)
+@@ -2425,7 +2422,11 @@ static void it6505_irq_hdcp_ksv_check(struct it6505 *it6505)
+ {
+ struct device *dev = &it6505->client->dev;
+
+- DRM_DEV_DEBUG_DRIVER(dev, "HDCP event Interrupt");
++ DRM_DEV_DEBUG_DRIVER(dev, "HDCP repeater R0 event Interrupt");
++ /* 1B01 HDCP encription should start when R0 is ready*/
++ it6505_set_bits(it6505, REG_HDCP_TRIGGER,
++ HDCP_TRIGGER_KSV_DONE, HDCP_TRIGGER_KSV_DONE);
++
+ schedule_work(&it6505->hdcp_wait_ksv_list);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 60ef10ac7a15a6cfc0d7c5f9f5381d9893946e3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2024 11:43:12 +0200
+Subject: drm/sti: hdmi: use eld_mutex to protect access to connector->eld
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit e99c0b517bcd53cf61f998a3c4291333401cb391 ]
+
+Reading access to connector->eld can happen at the same time the
+drm_edid_to_eld() updates the data. Take the newly added eld_mutex in
+order to protect connector->eld from concurrent access.
+
+Reviewed-by: Maxime Ripard <mripard@kernel.org>
+Acked-by: Raphael Gallais-Pou <rgallaispou@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20241206-drm-connector-eld-mutex-v2-9-c9bce1ee8bea@linaro.org
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/sti/sti_hdmi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/sti/sti_hdmi.c b/drivers/gpu/drm/sti/sti_hdmi.c
+index 8539fe1fedc4c..fdb28e05720ad 100644
+--- a/drivers/gpu/drm/sti/sti_hdmi.c
++++ b/drivers/gpu/drm/sti/sti_hdmi.c
+@@ -1220,7 +1220,9 @@ static int hdmi_audio_get_eld(struct device *dev, void *data, uint8_t *buf, size
+ struct drm_connector *connector = hdmi->drm_connector;
+
+ DRM_DEBUG_DRIVER("\n");
++ mutex_lock(&connector->eld_mutex);
+ memcpy(buf, connector->eld, min(sizeof(connector->eld), len));
++ mutex_unlock(&connector->eld_mutex);
+
+ return 0;
+ }
+--
+2.39.5
+
--- /dev/null
+From 46b69c4783bc8c2a77be01e9cfce9670bc40d0d6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Oct 2024 02:08:03 +0300
+Subject: drm/virtio: New fence for every plane update
+
+From: Dongwon Kim <dongwon.kim@intel.com>
+
+[ Upstream commit d3c55b8ab6fe5fa2e7ab02efd36d09c39ee5022f ]
+
+Having a fence linked to a virtio_gpu_framebuffer in the plane update
+sequence would cause conflict when several planes referencing the same
+framebuffer (e.g. Xorg screen covering multi-displays configured for an
+extended mode) and those planes are updated concurrently. So it is needed
+to allocate a fence for every plane state instead of the framebuffer.
+
+Signed-off-by: Dongwon Kim <dongwon.kim@intel.com>
+[dmitry.osipenko@collabora.com: rebase, fix up, edit commit message]
+Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
+Acked-by: Vivek Kasireddy <vivek.kasireddy@intel.com>
+Reviewed-by: Rob Clark <robdclark@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20241020230803.247419-2-dmitry.osipenko@collabora.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/virtio/virtgpu_drv.h | 7 ++++
+ drivers/gpu/drm/virtio/virtgpu_plane.c | 58 +++++++++++++++++---------
+ 2 files changed, 46 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/gpu/drm/virtio/virtgpu_drv.h b/drivers/gpu/drm/virtio/virtgpu_drv.h
+index 9b98470593b06..20a418f64533b 100644
+--- a/drivers/gpu/drm/virtio/virtgpu_drv.h
++++ b/drivers/gpu/drm/virtio/virtgpu_drv.h
+@@ -190,6 +190,13 @@ struct virtio_gpu_framebuffer {
+ #define to_virtio_gpu_framebuffer(x) \
+ container_of(x, struct virtio_gpu_framebuffer, base)
+
++struct virtio_gpu_plane_state {
++ struct drm_plane_state base;
++ struct virtio_gpu_fence *fence;
++};
++#define to_virtio_gpu_plane_state(x) \
++ container_of(x, struct virtio_gpu_plane_state, base)
++
+ struct virtio_gpu_queue {
+ struct virtqueue *vq;
+ spinlock_t qlock;
+diff --git a/drivers/gpu/drm/virtio/virtgpu_plane.c b/drivers/gpu/drm/virtio/virtgpu_plane.c
+index 4c09e313bebcd..0c073ba4974fb 100644
+--- a/drivers/gpu/drm/virtio/virtgpu_plane.c
++++ b/drivers/gpu/drm/virtio/virtgpu_plane.c
+@@ -66,11 +66,28 @@ uint32_t virtio_gpu_translate_format(uint32_t drm_fourcc)
+ return format;
+ }
+
++static struct
++drm_plane_state *virtio_gpu_plane_duplicate_state(struct drm_plane *plane)
++{
++ struct virtio_gpu_plane_state *new;
++
++ if (WARN_ON(!plane->state))
++ return NULL;
++
++ new = kzalloc(sizeof(*new), GFP_KERNEL);
++ if (!new)
++ return NULL;
++
++ __drm_atomic_helper_plane_duplicate_state(plane, &new->base);
++
++ return &new->base;
++}
++
+ static const struct drm_plane_funcs virtio_gpu_plane_funcs = {
+ .update_plane = drm_atomic_helper_update_plane,
+ .disable_plane = drm_atomic_helper_disable_plane,
+ .reset = drm_atomic_helper_plane_reset,
+- .atomic_duplicate_state = drm_atomic_helper_plane_duplicate_state,
++ .atomic_duplicate_state = virtio_gpu_plane_duplicate_state,
+ .atomic_destroy_state = drm_atomic_helper_plane_destroy_state,
+ };
+
+@@ -128,11 +145,13 @@ static void virtio_gpu_resource_flush(struct drm_plane *plane,
+ struct drm_device *dev = plane->dev;
+ struct virtio_gpu_device *vgdev = dev->dev_private;
+ struct virtio_gpu_framebuffer *vgfb;
++ struct virtio_gpu_plane_state *vgplane_st;
+ struct virtio_gpu_object *bo;
+
+ vgfb = to_virtio_gpu_framebuffer(plane->state->fb);
++ vgplane_st = to_virtio_gpu_plane_state(plane->state);
+ bo = gem_to_virtio_gpu_obj(vgfb->base.obj[0]);
+- if (vgfb->fence) {
++ if (vgplane_st->fence) {
+ struct virtio_gpu_object_array *objs;
+
+ objs = virtio_gpu_array_alloc(1);
+@@ -141,13 +160,11 @@ static void virtio_gpu_resource_flush(struct drm_plane *plane,
+ virtio_gpu_array_add_obj(objs, vgfb->base.obj[0]);
+ virtio_gpu_array_lock_resv(objs);
+ virtio_gpu_cmd_resource_flush(vgdev, bo->hw_res_handle, x, y,
+- width, height, objs, vgfb->fence);
++ width, height, objs,
++ vgplane_st->fence);
+ virtio_gpu_notify(vgdev);
+-
+- dma_fence_wait_timeout(&vgfb->fence->f, true,
++ dma_fence_wait_timeout(&vgplane_st->fence->f, true,
+ msecs_to_jiffies(50));
+- dma_fence_put(&vgfb->fence->f);
+- vgfb->fence = NULL;
+ } else {
+ virtio_gpu_cmd_resource_flush(vgdev, bo->hw_res_handle, x, y,
+ width, height, NULL, NULL);
+@@ -237,20 +254,23 @@ static int virtio_gpu_plane_prepare_fb(struct drm_plane *plane,
+ struct drm_device *dev = plane->dev;
+ struct virtio_gpu_device *vgdev = dev->dev_private;
+ struct virtio_gpu_framebuffer *vgfb;
++ struct virtio_gpu_plane_state *vgplane_st;
+ struct virtio_gpu_object *bo;
+
+ if (!new_state->fb)
+ return 0;
+
+ vgfb = to_virtio_gpu_framebuffer(new_state->fb);
++ vgplane_st = to_virtio_gpu_plane_state(new_state);
+ bo = gem_to_virtio_gpu_obj(vgfb->base.obj[0]);
+ if (!bo || (plane->type == DRM_PLANE_TYPE_PRIMARY && !bo->guest_blob))
+ return 0;
+
+- if (bo->dumb && (plane->state->fb != new_state->fb)) {
+- vgfb->fence = virtio_gpu_fence_alloc(vgdev, vgdev->fence_drv.context,
++ if (bo->dumb) {
++ vgplane_st->fence = virtio_gpu_fence_alloc(vgdev,
++ vgdev->fence_drv.context,
+ 0);
+- if (!vgfb->fence)
++ if (!vgplane_st->fence)
+ return -ENOMEM;
+ }
+
+@@ -260,15 +280,15 @@ static int virtio_gpu_plane_prepare_fb(struct drm_plane *plane,
+ static void virtio_gpu_plane_cleanup_fb(struct drm_plane *plane,
+ struct drm_plane_state *state)
+ {
+- struct virtio_gpu_framebuffer *vgfb;
++ struct virtio_gpu_plane_state *vgplane_st;
+
+ if (!state->fb)
+ return;
+
+- vgfb = to_virtio_gpu_framebuffer(state->fb);
+- if (vgfb->fence) {
+- dma_fence_put(&vgfb->fence->f);
+- vgfb->fence = NULL;
++ vgplane_st = to_virtio_gpu_plane_state(state);
++ if (vgplane_st->fence) {
++ dma_fence_put(&vgplane_st->fence->f);
++ vgplane_st->fence = NULL;
+ }
+ }
+
+@@ -281,6 +301,7 @@ static void virtio_gpu_cursor_plane_update(struct drm_plane *plane,
+ struct virtio_gpu_device *vgdev = dev->dev_private;
+ struct virtio_gpu_output *output = NULL;
+ struct virtio_gpu_framebuffer *vgfb;
++ struct virtio_gpu_plane_state *vgplane_st;
+ struct virtio_gpu_object *bo = NULL;
+ uint32_t handle;
+
+@@ -293,6 +314,7 @@ static void virtio_gpu_cursor_plane_update(struct drm_plane *plane,
+
+ if (plane->state->fb) {
+ vgfb = to_virtio_gpu_framebuffer(plane->state->fb);
++ vgplane_st = to_virtio_gpu_plane_state(plane->state);
+ bo = gem_to_virtio_gpu_obj(vgfb->base.obj[0]);
+ handle = bo->hw_res_handle;
+ } else {
+@@ -312,11 +334,9 @@ static void virtio_gpu_cursor_plane_update(struct drm_plane *plane,
+ (vgdev, 0,
+ plane->state->crtc_w,
+ plane->state->crtc_h,
+- 0, 0, objs, vgfb->fence);
++ 0, 0, objs, vgplane_st->fence);
+ virtio_gpu_notify(vgdev);
+- dma_fence_wait(&vgfb->fence->f, true);
+- dma_fence_put(&vgfb->fence->f);
+- vgfb->fence = NULL;
++ dma_fence_wait(&vgplane_st->fence->f, true);
+ }
+
+ if (plane->state->fb != old_state->fb) {
+--
+2.39.5
+
--- /dev/null
+From b80e96d3823b5321c4207d188dd508ae46f9ec9d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Nov 2024 07:07:05 -0800
+Subject: exec: fix up /proc/pid/comm in the execveat(AT_EMPTY_PATH) case
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit 543841d1806029889c2f69f040e88b247aba8e22 ]
+
+Zbigniew mentioned at Linux Plumber's that systemd is interested in
+switching to execveat() for service execution, but can't, because the
+contents of /proc/pid/comm are the file descriptor which was used,
+instead of the path to the binary[1]. This makes the output of tools like
+top and ps useless, especially in a world where most fds are opened
+CLOEXEC so the number is truly meaningless.
+
+When the filename passed in is empty (e.g. with AT_EMPTY_PATH), use the
+dentry's filename for "comm" instead of using the useless numeral from
+the synthetic fdpath construction. This way the actual exec machinery
+is unchanged, but cosmetically the comm looks reasonable to admins
+investigating things.
+
+Instead of adding TASK_COMM_LEN more bytes to bprm, use one of the unused
+flag bits to indicate that we need to set "comm" from the dentry.
+
+Suggested-by: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
+Suggested-by: Tycho Andersen <tandersen@netflix.com>
+Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://github.com/uapi-group/kernel-features#set-comm-field-before-exec [1]
+Reviewed-by: Aleksa Sarai <cyphar@cyphar.com>
+Tested-by: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
+Signed-off-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/exec.c | 29 ++++++++++++++++++++++++++---
+ include/linux/binfmts.h | 4 +++-
+ 2 files changed, 29 insertions(+), 4 deletions(-)
+
+diff --git a/fs/exec.c b/fs/exec.c
+index a42c9b8b070d7..2039414cc6621 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1362,7 +1362,28 @@ int begin_new_exec(struct linux_binprm * bprm)
+ set_dumpable(current->mm, SUID_DUMP_USER);
+
+ perf_event_exec();
+- __set_task_comm(me, kbasename(bprm->filename), true);
++
++ /*
++ * If the original filename was empty, alloc_bprm() made up a path
++ * that will probably not be useful to admins running ps or similar.
++ * Let's fix it up to be something reasonable.
++ */
++ if (bprm->comm_from_dentry) {
++ /*
++ * Hold RCU lock to keep the name from being freed behind our back.
++ * Use acquire semantics to make sure the terminating NUL from
++ * __d_alloc() is seen.
++ *
++ * Note, we're deliberately sloppy here. We don't need to care about
++ * detecting a concurrent rename and just want a terminated name.
++ */
++ rcu_read_lock();
++ __set_task_comm(me, smp_load_acquire(&bprm->file->f_path.dentry->d_name.name),
++ true);
++ rcu_read_unlock();
++ } else {
++ __set_task_comm(me, kbasename(bprm->filename), true);
++ }
+
+ /* An exec changes our domain. We are no longer part of the thread
+ group */
+@@ -1521,11 +1542,13 @@ static struct linux_binprm *alloc_bprm(int fd, struct filename *filename)
+ if (fd == AT_FDCWD || filename->name[0] == '/') {
+ bprm->filename = filename->name;
+ } else {
+- if (filename->name[0] == '\0')
++ if (filename->name[0] == '\0') {
+ bprm->fdpath = kasprintf(GFP_KERNEL, "/dev/fd/%d", fd);
+- else
++ bprm->comm_from_dentry = 1;
++ } else {
+ bprm->fdpath = kasprintf(GFP_KERNEL, "/dev/fd/%d/%s",
+ fd, filename->name);
++ }
+ if (!bprm->fdpath)
+ goto out_free;
+
+diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
+index 8d51f69f9f5ef..af9056d78fadf 100644
+--- a/include/linux/binfmts.h
++++ b/include/linux/binfmts.h
+@@ -42,7 +42,9 @@ struct linux_binprm {
+ * Set when errors can no longer be returned to the
+ * original userspace.
+ */
+- point_of_no_return:1;
++ point_of_no_return:1,
++ /* Set when "comm" must come from the dentry. */
++ comm_from_dentry:1;
+ struct file *executable; /* Executable to pass to the interpreter */
+ struct file *interpreter;
+ struct file *file;
+--
+2.39.5
+
--- /dev/null
+From 68057fe402f326c37a073fdd1acecbc8ae90736b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jan 2025 11:33:54 -0500
+Subject: gpio: xilinx: Convert gpio_lock to raw spinlock
+
+From: Sean Anderson <sean.anderson@linux.dev>
+
+[ Upstream commit 9860370c2172704b6b4f0075a0c2a29fd84af96a ]
+
+irq_chip functions may be called in raw spinlock context. Therefore, we
+must also use a raw spinlock for our own internal locking.
+
+This fixes the following lockdep splat:
+
+[ 5.349336] =============================
+[ 5.353349] [ BUG: Invalid wait context ]
+[ 5.357361] 6.13.0-rc5+ #69 Tainted: G W
+[ 5.363031] -----------------------------
+[ 5.367045] kworker/u17:1/44 is trying to lock:
+[ 5.371587] ffffff88018b02c0 (&chip->gpio_lock){....}-{3:3}, at: xgpio_irq_unmask (drivers/gpio/gpio-xilinx.c:433 (discriminator 8))
+[ 5.380079] other info that might help us debug this:
+[ 5.385138] context-{5:5}
+[ 5.387762] 5 locks held by kworker/u17:1/44:
+[ 5.392123] #0: ffffff8800014958 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work (kernel/workqueue.c:3204)
+[ 5.402260] #1: ffffffc082fcbdd8 (deferred_probe_work){+.+.}-{0:0}, at: process_one_work (kernel/workqueue.c:3205)
+[ 5.411528] #2: ffffff880172c900 (&dev->mutex){....}-{4:4}, at: __device_attach (drivers/base/dd.c:1006)
+[ 5.419929] #3: ffffff88039c8268 (request_class#2){+.+.}-{4:4}, at: __setup_irq (kernel/irq/internals.h:156 kernel/irq/manage.c:1596)
+[ 5.428331] #4: ffffff88039c80c8 (lock_class#2){....}-{2:2}, at: __setup_irq (kernel/irq/manage.c:1614)
+[ 5.436472] stack backtrace:
+[ 5.439359] CPU: 2 UID: 0 PID: 44 Comm: kworker/u17:1 Tainted: G W 6.13.0-rc5+ #69
+[ 5.448690] Tainted: [W]=WARN
+[ 5.451656] Hardware name: xlnx,zynqmp (DT)
+[ 5.455845] Workqueue: events_unbound deferred_probe_work_func
+[ 5.461699] Call trace:
+[ 5.464147] show_stack+0x18/0x24 C
+[ 5.467821] dump_stack_lvl (lib/dump_stack.c:123)
+[ 5.471501] dump_stack (lib/dump_stack.c:130)
+[ 5.474824] __lock_acquire (kernel/locking/lockdep.c:4828 kernel/locking/lockdep.c:4898 kernel/locking/lockdep.c:5176)
+[ 5.478758] lock_acquire (arch/arm64/include/asm/percpu.h:40 kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5851 kernel/locking/lockdep.c:5814)
+[ 5.482429] _raw_spin_lock_irqsave (include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
+[ 5.486797] xgpio_irq_unmask (drivers/gpio/gpio-xilinx.c:433 (discriminator 8))
+[ 5.490737] irq_enable (kernel/irq/internals.h:236 kernel/irq/chip.c:170 kernel/irq/chip.c:439 kernel/irq/chip.c:432 kernel/irq/chip.c:345)
+[ 5.494060] __irq_startup (kernel/irq/internals.h:241 kernel/irq/chip.c:180 kernel/irq/chip.c:250)
+[ 5.497645] irq_startup (kernel/irq/chip.c:270)
+[ 5.501143] __setup_irq (kernel/irq/manage.c:1807)
+[ 5.504728] request_threaded_irq (kernel/irq/manage.c:2208)
+
+Fixes: a32c7caea292 ("gpio: gpio-xilinx: Add interrupt support")
+Signed-off-by: Sean Anderson <sean.anderson@linux.dev>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250110163354.2012654-1-sean.anderson@linux.dev
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-xilinx.c | 32 ++++++++++++++++----------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/drivers/gpio/gpio-xilinx.c b/drivers/gpio/gpio-xilinx.c
+index 31f05c7d5915e..06ab5b71dcee2 100644
+--- a/drivers/gpio/gpio-xilinx.c
++++ b/drivers/gpio/gpio-xilinx.c
+@@ -66,7 +66,7 @@ struct xgpio_instance {
+ DECLARE_BITMAP(state, 64);
+ DECLARE_BITMAP(last_irq_read, 64);
+ DECLARE_BITMAP(dir, 64);
+- spinlock_t gpio_lock; /* For serializing operations */
++ raw_spinlock_t gpio_lock; /* For serializing operations */
+ int irq;
+ DECLARE_BITMAP(enable, 64);
+ DECLARE_BITMAP(rising_edge, 64);
+@@ -180,14 +180,14 @@ static void xgpio_set(struct gpio_chip *gc, unsigned int gpio, int val)
+ struct xgpio_instance *chip = gpiochip_get_data(gc);
+ int bit = xgpio_to_bit(chip, gpio);
+
+- spin_lock_irqsave(&chip->gpio_lock, flags);
++ raw_spin_lock_irqsave(&chip->gpio_lock, flags);
+
+ /* Write to GPIO signal and set its direction to output */
+ __assign_bit(bit, chip->state, val);
+
+ xgpio_write_ch(chip, XGPIO_DATA_OFFSET, bit, chip->state);
+
+- spin_unlock_irqrestore(&chip->gpio_lock, flags);
++ raw_spin_unlock_irqrestore(&chip->gpio_lock, flags);
+ }
+
+ /**
+@@ -211,7 +211,7 @@ static void xgpio_set_multiple(struct gpio_chip *gc, unsigned long *mask,
+ bitmap_remap(hw_mask, mask, chip->sw_map, chip->hw_map, 64);
+ bitmap_remap(hw_bits, bits, chip->sw_map, chip->hw_map, 64);
+
+- spin_lock_irqsave(&chip->gpio_lock, flags);
++ raw_spin_lock_irqsave(&chip->gpio_lock, flags);
+
+ bitmap_replace(state, chip->state, hw_bits, hw_mask, 64);
+
+@@ -219,7 +219,7 @@ static void xgpio_set_multiple(struct gpio_chip *gc, unsigned long *mask,
+
+ bitmap_copy(chip->state, state, 64);
+
+- spin_unlock_irqrestore(&chip->gpio_lock, flags);
++ raw_spin_unlock_irqrestore(&chip->gpio_lock, flags);
+ }
+
+ /**
+@@ -237,13 +237,13 @@ static int xgpio_dir_in(struct gpio_chip *gc, unsigned int gpio)
+ struct xgpio_instance *chip = gpiochip_get_data(gc);
+ int bit = xgpio_to_bit(chip, gpio);
+
+- spin_lock_irqsave(&chip->gpio_lock, flags);
++ raw_spin_lock_irqsave(&chip->gpio_lock, flags);
+
+ /* Set the GPIO bit in shadow register and set direction as input */
+ __set_bit(bit, chip->dir);
+ xgpio_write_ch(chip, XGPIO_TRI_OFFSET, bit, chip->dir);
+
+- spin_unlock_irqrestore(&chip->gpio_lock, flags);
++ raw_spin_unlock_irqrestore(&chip->gpio_lock, flags);
+
+ return 0;
+ }
+@@ -266,7 +266,7 @@ static int xgpio_dir_out(struct gpio_chip *gc, unsigned int gpio, int val)
+ struct xgpio_instance *chip = gpiochip_get_data(gc);
+ int bit = xgpio_to_bit(chip, gpio);
+
+- spin_lock_irqsave(&chip->gpio_lock, flags);
++ raw_spin_lock_irqsave(&chip->gpio_lock, flags);
+
+ /* Write state of GPIO signal */
+ __assign_bit(bit, chip->state, val);
+@@ -276,7 +276,7 @@ static int xgpio_dir_out(struct gpio_chip *gc, unsigned int gpio, int val)
+ __clear_bit(bit, chip->dir);
+ xgpio_write_ch(chip, XGPIO_TRI_OFFSET, bit, chip->dir);
+
+- spin_unlock_irqrestore(&chip->gpio_lock, flags);
++ raw_spin_unlock_irqrestore(&chip->gpio_lock, flags);
+
+ return 0;
+ }
+@@ -404,7 +404,7 @@ static void xgpio_irq_mask(struct irq_data *irq_data)
+ int bit = xgpio_to_bit(chip, irq_offset);
+ u32 mask = BIT(bit / 32), temp;
+
+- spin_lock_irqsave(&chip->gpio_lock, flags);
++ raw_spin_lock_irqsave(&chip->gpio_lock, flags);
+
+ __clear_bit(bit, chip->enable);
+
+@@ -414,7 +414,7 @@ static void xgpio_irq_mask(struct irq_data *irq_data)
+ temp &= ~mask;
+ xgpio_writereg(chip->regs + XGPIO_IPIER_OFFSET, temp);
+ }
+- spin_unlock_irqrestore(&chip->gpio_lock, flags);
++ raw_spin_unlock_irqrestore(&chip->gpio_lock, flags);
+
+ gpiochip_disable_irq(&chip->gc, irq_offset);
+ }
+@@ -434,7 +434,7 @@ static void xgpio_irq_unmask(struct irq_data *irq_data)
+
+ gpiochip_enable_irq(&chip->gc, irq_offset);
+
+- spin_lock_irqsave(&chip->gpio_lock, flags);
++ raw_spin_lock_irqsave(&chip->gpio_lock, flags);
+
+ __set_bit(bit, chip->enable);
+
+@@ -453,7 +453,7 @@ static void xgpio_irq_unmask(struct irq_data *irq_data)
+ xgpio_writereg(chip->regs + XGPIO_IPIER_OFFSET, val);
+ }
+
+- spin_unlock_irqrestore(&chip->gpio_lock, flags);
++ raw_spin_unlock_irqrestore(&chip->gpio_lock, flags);
+ }
+
+ /**
+@@ -518,7 +518,7 @@ static void xgpio_irqhandler(struct irq_desc *desc)
+
+ chained_irq_enter(irqchip, desc);
+
+- spin_lock(&chip->gpio_lock);
++ raw_spin_lock(&chip->gpio_lock);
+
+ xgpio_read_ch_all(chip, XGPIO_DATA_OFFSET, all);
+
+@@ -535,7 +535,7 @@ static void xgpio_irqhandler(struct irq_desc *desc)
+ bitmap_copy(chip->last_irq_read, all, 64);
+ bitmap_or(all, rising, falling, 64);
+
+- spin_unlock(&chip->gpio_lock);
++ raw_spin_unlock(&chip->gpio_lock);
+
+ dev_dbg(gc->parent, "IRQ rising %*pb falling %*pb\n", 64, rising, 64, falling);
+
+@@ -636,7 +636,7 @@ static int xgpio_probe(struct platform_device *pdev)
+ bitmap_set(chip->hw_map, 0, width[0]);
+ bitmap_set(chip->hw_map, 32, width[1]);
+
+- spin_lock_init(&chip->gpio_lock);
++ raw_spin_lock_init(&chip->gpio_lock);
+
+ chip->gc.base = -1;
+ chip->gc.ngpio = bitmap_weight(chip->hw_map, 64);
+--
+2.39.5
+
--- /dev/null
+From 03f4a34261520ac68d8288581ccdcebdb301d172 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Mar 2023 10:55:15 +0100
+Subject: gpio: xilinx: Convert to immutable irq_chip
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+[ Upstream commit b4510f8fd5d0e9afa777f115871f5d522540c417 ]
+
+Convert the driver to immutable irq-chip with a bit of
+intuition.
+
+Cc: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Reviewed-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Stable-dep-of: 9860370c2172 ("gpio: xilinx: Convert gpio_lock to raw spinlock")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-xilinx.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/gpio/gpio-xilinx.c b/drivers/gpio/gpio-xilinx.c
+index 2fc6b6ff7f165..31f05c7d5915e 100644
+--- a/drivers/gpio/gpio-xilinx.c
++++ b/drivers/gpio/gpio-xilinx.c
+@@ -68,7 +68,6 @@ struct xgpio_instance {
+ DECLARE_BITMAP(dir, 64);
+ spinlock_t gpio_lock; /* For serializing operations */
+ int irq;
+- struct irq_chip irqchip;
+ DECLARE_BITMAP(enable, 64);
+ DECLARE_BITMAP(rising_edge, 64);
+ DECLARE_BITMAP(falling_edge, 64);
+@@ -416,6 +415,8 @@ static void xgpio_irq_mask(struct irq_data *irq_data)
+ xgpio_writereg(chip->regs + XGPIO_IPIER_OFFSET, temp);
+ }
+ spin_unlock_irqrestore(&chip->gpio_lock, flags);
++
++ gpiochip_disable_irq(&chip->gc, irq_offset);
+ }
+
+ /**
+@@ -431,6 +432,8 @@ static void xgpio_irq_unmask(struct irq_data *irq_data)
+ u32 old_enable = xgpio_get_value32(chip->enable, bit);
+ u32 mask = BIT(bit / 32), val;
+
++ gpiochip_enable_irq(&chip->gc, irq_offset);
++
+ spin_lock_irqsave(&chip->gpio_lock, flags);
+
+ __set_bit(bit, chip->enable);
+@@ -544,6 +547,16 @@ static void xgpio_irqhandler(struct irq_desc *desc)
+ chained_irq_exit(irqchip, desc);
+ }
+
++static const struct irq_chip xgpio_irq_chip = {
++ .name = "gpio-xilinx",
++ .irq_ack = xgpio_irq_ack,
++ .irq_mask = xgpio_irq_mask,
++ .irq_unmask = xgpio_irq_unmask,
++ .irq_set_type = xgpio_set_irq_type,
++ .flags = IRQCHIP_IMMUTABLE,
++ GPIOCHIP_IRQ_RESOURCE_HELPERS,
++};
++
+ /**
+ * xgpio_probe - Probe method for the GPIO device.
+ * @pdev: pointer to the platform device
+@@ -664,12 +677,6 @@ static int xgpio_probe(struct platform_device *pdev)
+ if (chip->irq <= 0)
+ goto skip_irq;
+
+- chip->irqchip.name = "gpio-xilinx";
+- chip->irqchip.irq_ack = xgpio_irq_ack;
+- chip->irqchip.irq_mask = xgpio_irq_mask;
+- chip->irqchip.irq_unmask = xgpio_irq_unmask;
+- chip->irqchip.irq_set_type = xgpio_set_irq_type;
+-
+ /* Disable per-channel interrupts */
+ xgpio_writereg(chip->regs + XGPIO_IPIER_OFFSET, 0);
+ /* Clear any existing per-channel interrupts */
+@@ -679,7 +686,7 @@ static int xgpio_probe(struct platform_device *pdev)
+ xgpio_writereg(chip->regs + XGPIO_GIER_OFFSET, XGPIO_GIER_IE);
+
+ girq = &chip->gc.irq;
+- girq->chip = &chip->irqchip;
++ gpio_irq_chip_set_chip(girq, &xgpio_irq_chip);
+ girq->parent_handler = xgpio_irqhandler;
+ girq->num_parents = 1;
+ girq->parents = devm_kcalloc(&pdev->dev, 1,
+--
+2.39.5
+
--- /dev/null
+From a0900a0a1569d9c31ab849abeedbfbb580d3f205 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Dec 2024 09:35:27 +0800
+Subject: HID: Wacom: Add PCI Wacom device support
+
+From: Even Xu <even.xu@intel.com>
+
+[ Upstream commit c4c123504a65583e3689b3de04a61dc5272e453a ]
+
+Add PCI device ID of wacom device into driver support list.
+
+Signed-off-by: Even Xu <even.xu@intel.com>
+Tested-by: Tatsunosuke Tobita <tatsunosuke.tobita@wacom.com>
+Reviewed-by: Ping Cheng <ping.cheng@wacom.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/wacom_wac.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c
+index 3551a6d3795e6..ce54b8354a7d4 100644
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -4914,6 +4914,10 @@ static const struct wacom_features wacom_features_0x94 =
+ HID_DEVICE(BUS_I2C, HID_GROUP_WACOM, USB_VENDOR_ID_WACOM, prod),\
+ .driver_data = (kernel_ulong_t)&wacom_features_##prod
+
++#define PCI_DEVICE_WACOM(prod) \
++ HID_DEVICE(BUS_PCI, HID_GROUP_WACOM, USB_VENDOR_ID_WACOM, prod),\
++ .driver_data = (kernel_ulong_t)&wacom_features_##prod
++
+ #define USB_DEVICE_LENOVO(prod) \
+ HID_USB_DEVICE(USB_VENDOR_ID_LENOVO, prod), \
+ .driver_data = (kernel_ulong_t)&wacom_features_##prod
+@@ -5083,6 +5087,7 @@ const struct hid_device_id wacom_ids[] = {
+
+ { USB_DEVICE_WACOM(HID_ANY_ID) },
+ { I2C_DEVICE_WACOM(HID_ANY_ID) },
++ { PCI_DEVICE_WACOM(HID_ANY_ID) },
+ { BT_DEVICE_WACOM(HID_ANY_ID) },
+ { }
+ };
+--
+2.39.5
+
--- /dev/null
+From ec02b4c0e89e03c387cdbb285ca320f2c9da941f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Jan 2025 14:52:37 -0500
+Subject: i2c: Force ELAN06FA touchpad I2C bus freq to 100KHz
+
+From: Randolph Ha <rha051117@gmail.com>
+
+[ Upstream commit bfd74cd1fbc026f04446e67d6915c7e199c2bffd ]
+
+When a 400KHz freq is used on this model of ELAN touchpad in Linux,
+excessive smoothing (similar to when the touchpad's firmware detects
+a noisy signal) is sometimes applied. As some devices' (e.g, Lenovo
+V15 G4) ACPI tables specify a 400KHz frequency for this device and
+some I2C busses (e.g, Designware I2C) default to a 400KHz freq,
+force the speed to 100KHz as a workaround.
+
+For future investigation: This problem may be related to the default
+HCNT/LCNT values given by some busses' drivers, because they are not
+specified in the aforementioned devices' ACPI tables, and because
+the device works without issues on Windows at what is expected to be
+a 400KHz frequency. The root cause of the issue is not known.
+
+Signed-off-by: Randolph Ha <rha051117@gmail.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/i2c-core-acpi.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c
+index 14ae0cfc325ef..d2499f302b508 100644
+--- a/drivers/i2c/i2c-core-acpi.c
++++ b/drivers/i2c/i2c-core-acpi.c
+@@ -355,6 +355,25 @@ static const struct acpi_device_id i2c_acpi_force_400khz_device_ids[] = {
+ {}
+ };
+
++static const struct acpi_device_id i2c_acpi_force_100khz_device_ids[] = {
++ /*
++ * When a 400KHz freq is used on this model of ELAN touchpad in Linux,
++ * excessive smoothing (similar to when the touchpad's firmware detects
++ * a noisy signal) is sometimes applied. As some devices' (e.g, Lenovo
++ * V15 G4) ACPI tables specify a 400KHz frequency for this device and
++ * some I2C busses (e.g, Designware I2C) default to a 400KHz freq,
++ * force the speed to 100KHz as a workaround.
++ *
++ * For future investigation: This problem may be related to the default
++ * HCNT/LCNT values given by some busses' drivers, because they are not
++ * specified in the aforementioned devices' ACPI tables, and because
++ * the device works without issues on Windows at what is expected to be
++ * a 400KHz frequency. The root cause of the issue is not known.
++ */
++ { "ELAN06FA", 0 },
++ {}
++};
++
+ static acpi_status i2c_acpi_lookup_speed(acpi_handle handle, u32 level,
+ void *data, void **return_value)
+ {
+@@ -373,6 +392,9 @@ static acpi_status i2c_acpi_lookup_speed(acpi_handle handle, u32 level,
+ if (acpi_match_device_ids(adev, i2c_acpi_force_400khz_device_ids) == 0)
+ lookup->force_speed = I2C_MAX_FAST_MODE_FREQ;
+
++ if (acpi_match_device_ids(adev, i2c_acpi_force_100khz_device_ids) == 0)
++ lookup->force_speed = I2C_MAX_STANDARD_MODE_FREQ;
++
+ return AE_OK;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From e5703a799d78affe8a187483b28c13b554059178 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2024 18:39:29 +0100
+Subject: Input: allocate keycode for phone linking
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Illia Ostapyshyn <illia@yshyn.com>
+
+[ Upstream commit 1bebc7869c99d466f819dd2cffaef0edf7d7a035 ]
+
+The F11 key on the new Lenovo Thinkpad T14 Gen 5, T16 Gen 3, and P14s
+Gen 5 laptops includes a symbol showing a smartphone and a laptop
+chained together. According to the user manual, it starts the Microsoft
+Phone Link software used to connect to Android/iOS devices and relay
+messages/calls or sync data.
+
+As there are no suitable keycodes for this action, introduce a new one.
+
+Signed-off-by: Illia Ostapyshyn <illia@yshyn.com>
+Acked-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Link: https://lore.kernel.org/r/20241114173930.44983-2-illia@yshyn.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/uapi/linux/input-event-codes.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/include/uapi/linux/input-event-codes.h b/include/uapi/linux/input-event-codes.h
+index 1ce8a91349e9f..f410c22e080d3 100644
+--- a/include/uapi/linux/input-event-codes.h
++++ b/include/uapi/linux/input-event-codes.h
+@@ -519,6 +519,7 @@
+ #define KEY_NOTIFICATION_CENTER 0x1bc /* Show/hide the notification center */
+ #define KEY_PICKUP_PHONE 0x1bd /* Answer incoming call */
+ #define KEY_HANGUP_PHONE 0x1be /* Decline incoming call */
++#define KEY_LINK_PHONE 0x1bf /* AL Phone Syncing */
+
+ #define KEY_DEL_EOL 0x1c0
+ #define KEY_DEL_EOS 0x1c1
+--
+2.39.5
+
--- /dev/null
+From cdb479091b880db38d2afb83c710f60ca9da87a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Dec 2024 16:33:57 +0000
+Subject: iommu/arm-smmu-v3: Clean up more on probe failure
+
+From: Robin Murphy <robin.murphy@arm.com>
+
+[ Upstream commit fcbd621567420b3a2f21f49bbc056de8b273c625 ]
+
+kmemleak noticed that the iopf queue allocated deep down within
+arm_smmu_init_structures() can be leaked by a subsequent error return
+from arm_smmu_device_probe(). Furthermore, after arm_smmu_device_reset()
+we will also leave the SMMU enabled with an empty Stream Table, silently
+blocking all DMA. This proves rather annoying for debugging said probe
+failure, so let's handle it a bit better by putting the SMMU back into
+(more or less) the same state as if it hadn't probed at all.
+
+Signed-off-by: Robin Murphy <robin.murphy@arm.com>
+Link: https://lore.kernel.org/r/5137901958471cf67f2fad5c2229f8a8f1ae901a.1733406914.git.robin.murphy@arm.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
+index 45b43f729f895..96b72f3dad0d0 100644
+--- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
++++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
+@@ -3880,7 +3880,7 @@ static int arm_smmu_device_probe(struct platform_device *pdev)
+ /* Initialise in-memory data structures */
+ ret = arm_smmu_init_structures(smmu);
+ if (ret)
+- return ret;
++ goto err_free_iopf;
+
+ /* Record our private device structure */
+ platform_set_drvdata(pdev, smmu);
+@@ -3891,22 +3891,29 @@ static int arm_smmu_device_probe(struct platform_device *pdev)
+ /* Reset the device */
+ ret = arm_smmu_device_reset(smmu, bypass);
+ if (ret)
+- return ret;
++ goto err_disable;
+
+ /* And we're up. Go go go! */
+ ret = iommu_device_sysfs_add(&smmu->iommu, dev, NULL,
+ "smmu3.%pa", &ioaddr);
+ if (ret)
+- return ret;
++ goto err_disable;
+
+ ret = iommu_device_register(&smmu->iommu, &arm_smmu_ops, dev);
+ if (ret) {
+ dev_err(dev, "Failed to register iommu\n");
+- iommu_device_sysfs_remove(&smmu->iommu);
+- return ret;
++ goto err_free_sysfs;
+ }
+
+ return 0;
++
++err_free_sysfs:
++ iommu_device_sysfs_remove(&smmu->iommu);
++err_disable:
++ arm_smmu_device_disable(smmu);
++err_free_iopf:
++ iopf_queue_free(smmu->evtq.iopf);
++ return ret;
+ }
+
+ static int arm_smmu_device_remove(struct platform_device *pdev)
+--
+2.39.5
+
--- /dev/null
+From 88adb90df6b3b36d6eb51a44e533bb46d4744e5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 12 Jan 2025 10:34:44 +0100
+Subject: KVM: e500: always restore irqs
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+[ Upstream commit 87ecfdbc699cc95fac73291b52650283ddcf929d ]
+
+If find_linux_pte fails, IRQs will not be restored. This is unlikely
+to happen in practice since it would have been reported as hanging
+hosts, but it should of course be fixed anyway.
+
+Cc: stable@vger.kernel.org
+Reported-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kvm/e500_mmu_host.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/kvm/e500_mmu_host.c b/arch/powerpc/kvm/e500_mmu_host.c
+index 3907922b6a8a2..138fe5eb3801f 100644
+--- a/arch/powerpc/kvm/e500_mmu_host.c
++++ b/arch/powerpc/kvm/e500_mmu_host.c
+@@ -479,7 +479,6 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500,
+ if (pte_present(pte)) {
+ wimg = (pte_val(pte) >> PTE_WIMGE_SHIFT) &
+ MAS2_WIMGE_MASK;
+- local_irq_restore(flags);
+ } else {
+ local_irq_restore(flags);
+ pr_err_ratelimited("%s: pte not present: gfn %lx,pfn %lx\n",
+@@ -488,8 +487,9 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500,
+ goto out;
+ }
+ }
+- writable = kvmppc_e500_ref_setup(ref, gtlbe, pfn, wimg);
++ local_irq_restore(flags);
+
++ writable = kvmppc_e500_ref_setup(ref, gtlbe, pfn, wimg);
+ kvmppc_e500_setup_stlbe(&vcpu_e500->vcpu, gtlbe, tsize,
+ ref, gvaddr, stlbe);
+
+--
+2.39.5
+
--- /dev/null
+From ecb7ecec9a2dac08bf2064d0e699ee04fc725f93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Oct 2024 11:23:54 -0700
+Subject: KVM: PPC: e500: Mark "struct page" dirty in kvmppc_e500_shadow_map()
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit c9be85dabb376299504e0d391d15662c0edf8273 ]
+
+Mark the underlying page as dirty in kvmppc_e500_ref_setup()'s sole
+caller, kvmppc_e500_shadow_map(), which will allow converting e500 to
+__kvm_faultin_pfn() + kvm_release_faultin_page() without having to do
+a weird dance between ref_setup() and shadow_map().
+
+Opportunistically drop the redundant kvm_set_pfn_accessed(), as
+shadow_map() puts the page via kvm_release_pfn_clean().
+
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Tested-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-ID: <20241010182427.1434605-53-seanjc@google.com>
+Stable-dep-of: 87ecfdbc699c ("KVM: e500: always restore irqs")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kvm/e500_mmu_host.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/arch/powerpc/kvm/e500_mmu_host.c b/arch/powerpc/kvm/e500_mmu_host.c
+index 05668e9641406..4a086724db8c4 100644
+--- a/arch/powerpc/kvm/e500_mmu_host.c
++++ b/arch/powerpc/kvm/e500_mmu_host.c
+@@ -242,7 +242,7 @@ static inline int tlbe_is_writable(struct kvm_book3e_206_tlb_entry *tlbe)
+ return tlbe->mas7_3 & (MAS3_SW|MAS3_UW);
+ }
+
+-static inline void kvmppc_e500_ref_setup(struct tlbe_ref *ref,
++static inline bool kvmppc_e500_ref_setup(struct tlbe_ref *ref,
+ struct kvm_book3e_206_tlb_entry *gtlbe,
+ kvm_pfn_t pfn, unsigned int wimg)
+ {
+@@ -252,11 +252,7 @@ static inline void kvmppc_e500_ref_setup(struct tlbe_ref *ref,
+ /* Use guest supplied MAS2_G and MAS2_E */
+ ref->flags |= (gtlbe->mas2 & MAS2_ATTRIB_MASK) | wimg;
+
+- /* Mark the page accessed */
+- kvm_set_pfn_accessed(pfn);
+-
+- if (tlbe_is_writable(gtlbe))
+- kvm_set_pfn_dirty(pfn);
++ return tlbe_is_writable(gtlbe);
+ }
+
+ static inline void kvmppc_e500_ref_release(struct tlbe_ref *ref)
+@@ -337,6 +333,7 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500,
+ unsigned int wimg = 0;
+ pgd_t *pgdir;
+ unsigned long flags;
++ bool writable = false;
+
+ /* used to check for invalidations in progress */
+ mmu_seq = kvm->mmu_invalidate_seq;
+@@ -490,7 +487,9 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500,
+ goto out;
+ }
+ }
+- kvmppc_e500_ref_setup(ref, gtlbe, pfn, wimg);
++ writable = kvmppc_e500_ref_setup(ref, gtlbe, pfn, wimg);
++ if (writable)
++ kvm_set_pfn_dirty(pfn);
+
+ kvmppc_e500_setup_stlbe(&vcpu_e500->vcpu, gtlbe, tsize,
+ ref, gvaddr, stlbe);
+--
+2.39.5
+
--- /dev/null
+From 7bd164fd95d6a5f547d29d516473af1b6a6473d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Oct 2024 11:23:55 -0700
+Subject: KVM: PPC: e500: Mark "struct page" pfn accessed before dropping
+ mmu_lock
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit 84cf78dcd9d65c45ab73998d4ad50f433d53fb93 ]
+
+Mark pages accessed before dropping mmu_lock when faulting in guest memory
+so that shadow_map() can convert to kvm_release_faultin_page() without
+tripping its lockdep assertion on mmu_lock being held. Marking pages
+accessed outside of mmu_lock is ok (not great, but safe), but marking
+pages _dirty_ outside of mmu_lock can make filesystems unhappy.
+
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Tested-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-ID: <20241010182427.1434605-54-seanjc@google.com>
+Stable-dep-of: 87ecfdbc699c ("KVM: e500: always restore irqs")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kvm/e500_mmu_host.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/arch/powerpc/kvm/e500_mmu_host.c b/arch/powerpc/kvm/e500_mmu_host.c
+index 4a086724db8c4..29f3e3463f400 100644
+--- a/arch/powerpc/kvm/e500_mmu_host.c
++++ b/arch/powerpc/kvm/e500_mmu_host.c
+@@ -498,11 +498,9 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500,
+ kvmppc_mmu_flush_icache(pfn);
+
+ out:
+- spin_unlock(&kvm->mmu_lock);
+-
+ /* Drop refcount on page, so that mmu notifiers can clear it */
+ kvm_release_pfn_clean(pfn);
+-
++ spin_unlock(&kvm->mmu_lock);
+ return ret;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From a223f1d07ca3dd56753ef1395d7543e040230758 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 10 Oct 2024 11:23:56 -0700
+Subject: KVM: PPC: e500: Use __kvm_faultin_pfn() to handle page faults
+
+From: Sean Christopherson <seanjc@google.com>
+
+[ Upstream commit 419cfb983ca93e75e905794521afefcfa07988bb ]
+
+Convert PPC e500 to use __kvm_faultin_pfn()+kvm_release_faultin_page(),
+and continue the inexorable march towards the demise of
+kvm_pfn_to_refcounted_page().
+
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Tested-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-ID: <20241010182427.1434605-55-seanjc@google.com>
+Stable-dep-of: 87ecfdbc699c ("KVM: e500: always restore irqs")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kvm/e500_mmu_host.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/arch/powerpc/kvm/e500_mmu_host.c b/arch/powerpc/kvm/e500_mmu_host.c
+index 29f3e3463f400..3907922b6a8a2 100644
+--- a/arch/powerpc/kvm/e500_mmu_host.c
++++ b/arch/powerpc/kvm/e500_mmu_host.c
+@@ -322,6 +322,7 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500,
+ {
+ struct kvm_memory_slot *slot;
+ unsigned long pfn = 0; /* silence GCC warning */
++ struct page *page = NULL;
+ unsigned long hva;
+ int pfnmap = 0;
+ int tsize = BOOK3E_PAGESZ_4K;
+@@ -443,7 +444,7 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500,
+
+ if (likely(!pfnmap)) {
+ tsize_pages = 1UL << (tsize + 10 - PAGE_SHIFT);
+- pfn = gfn_to_pfn_memslot(slot, gfn);
++ pfn = __kvm_faultin_pfn(slot, gfn, FOLL_WRITE, NULL, &page);
+ if (is_error_noslot_pfn(pfn)) {
+ if (printk_ratelimit())
+ pr_err("%s: real page not found for gfn %lx\n",
+@@ -488,8 +489,6 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500,
+ }
+ }
+ writable = kvmppc_e500_ref_setup(ref, gtlbe, pfn, wimg);
+- if (writable)
+- kvm_set_pfn_dirty(pfn);
+
+ kvmppc_e500_setup_stlbe(&vcpu_e500->vcpu, gtlbe, tsize,
+ ref, gvaddr, stlbe);
+@@ -498,8 +497,7 @@ static inline int kvmppc_e500_shadow_map(struct kvmppc_vcpu_e500 *vcpu_e500,
+ kvmppc_mmu_flush_icache(pfn);
+
+ out:
+- /* Drop refcount on page, so that mmu notifiers can clear it */
+- kvm_release_pfn_clean(pfn);
++ kvm_release_faultin_page(kvm, page, !!ret, writable);
+ spin_unlock(&kvm->mmu_lock);
+ return ret;
+ }
+--
+2.39.5
+
--- /dev/null
+From b259537fba984c058d4a7699137e149bc55a7c10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Oct 2024 18:36:26 +0000
+Subject: lockdep: Fix upper limit for LOCKDEP_*_BITS configs
+
+From: Carlos Llamas <cmllamas@google.com>
+
+[ Upstream commit e638072e61726cae363d48812815197a2a0e097f ]
+
+Lockdep has a set of configs used to determine the size of the static
+arrays that it uses. However, the upper limit that was initially setup
+for these configs is too high (30 bit shift). This equates to several
+GiB of static memory for individual symbols. Using such high values
+leads to linker errors:
+
+ $ make defconfig
+ $ ./scripts/config -e PROVE_LOCKING --set-val LOCKDEP_BITS 30
+ $ make olddefconfig all
+ [...]
+ ld: kernel image bigger than KERNEL_IMAGE_SIZE
+ ld: section .bss VMA wraps around address space
+
+Adjust the upper limits to the maximum values that avoid these issues.
+The need for anything more, likely points to a problem elsewhere. Note
+that LOCKDEP_CHAINS_BITS was intentionally left out as its upper limit
+had a different symptom and has already been fixed [1].
+
+Reported-by: J. R. Okajima <hooanon05g@gmail.com>
+Closes: https://lore.kernel.org/all/30795.1620913191@jrobl/ [1]
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Boqun Feng <boqun.feng@gmail.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Waiman Long <longman@redhat.com>
+Cc: Will Deacon <will@kernel.org>
+Acked-by: Waiman Long <longman@redhat.com>
+Signed-off-by: Carlos Llamas <cmllamas@google.com>
+Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
+Link: https://lore.kernel.org/r/20241024183631.643450-2-cmllamas@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/Kconfig.debug | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
+index b2dff19358938..e5fbae585e522 100644
+--- a/lib/Kconfig.debug
++++ b/lib/Kconfig.debug
+@@ -1409,7 +1409,7 @@ config LOCKDEP_SMALL
+ config LOCKDEP_BITS
+ int "Bitsize for MAX_LOCKDEP_ENTRIES"
+ depends on LOCKDEP && !LOCKDEP_SMALL
+- range 10 30
++ range 10 24
+ default 15
+ help
+ Try increasing this value if you hit "BUG: MAX_LOCKDEP_ENTRIES too low!" message.
+@@ -1425,7 +1425,7 @@ config LOCKDEP_CHAINS_BITS
+ config LOCKDEP_STACK_TRACE_BITS
+ int "Bitsize for MAX_STACK_TRACE_ENTRIES"
+ depends on LOCKDEP && !LOCKDEP_SMALL
+- range 10 30
++ range 10 26
+ default 19
+ help
+ Try increasing this value if you hit "BUG: MAX_STACK_TRACE_ENTRIES too low!" message.
+@@ -1433,7 +1433,7 @@ config LOCKDEP_STACK_TRACE_BITS
+ config LOCKDEP_STACK_TRACE_HASH_BITS
+ int "Bitsize for STACK_TRACE_HASH_SIZE"
+ depends on LOCKDEP && !LOCKDEP_SMALL
+- range 10 30
++ range 10 26
+ default 14
+ help
+ Try increasing this value if you need large MAX_STACK_TRACE_ENTRIES.
+@@ -1441,7 +1441,7 @@ config LOCKDEP_STACK_TRACE_HASH_BITS
+ config LOCKDEP_CIRCULAR_QUEUE_BITS
+ int "Bitsize for elements in circular_queue struct"
+ depends on LOCKDEP
+- range 10 30
++ range 10 26
+ default 12
+ help
+ Try increasing this value if you hit "lockdep bfs error:-1" warning due to __cq_enqueue() failure.
+--
+2.39.5
+
--- /dev/null
+From 1f2ea20df20fa633850d173c2530c98280f62d1a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2024 20:38:08 +0100
+Subject: mfd: lpc_ich: Add another Gemini Lake ISA bridge PCI device-id
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 1e89d21f8189d286f80b900e1b7cf57cb1f3037e ]
+
+On N4100 / N4120 Gemini Lake SoCs the ISA bridge PCI device-id is 31e8
+rather the 3197 found on e.g. the N4000 / N4020.
+
+While at fix the existing GLK PCI-id table entry breaking the table
+being sorted by device-id.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Andy Shevchenko <andy@kernel.org>
+Link: https://lore.kernel.org/r/20241114193808.110132-1-hdegoede@redhat.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mfd/lpc_ich.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/lpc_ich.c b/drivers/mfd/lpc_ich.c
+index 7b1c597b6879f..03367fcac42a7 100644
+--- a/drivers/mfd/lpc_ich.c
++++ b/drivers/mfd/lpc_ich.c
+@@ -756,8 +756,9 @@ static const struct pci_device_id lpc_ich_ids[] = {
+ { PCI_VDEVICE(INTEL, 0x2917), LPC_ICH9ME},
+ { PCI_VDEVICE(INTEL, 0x2918), LPC_ICH9},
+ { PCI_VDEVICE(INTEL, 0x2919), LPC_ICH9M},
+- { PCI_VDEVICE(INTEL, 0x3197), LPC_GLK},
+ { PCI_VDEVICE(INTEL, 0x2b9c), LPC_COUGARMOUNTAIN},
++ { PCI_VDEVICE(INTEL, 0x3197), LPC_GLK},
++ { PCI_VDEVICE(INTEL, 0x31e8), LPC_GLK},
+ { PCI_VDEVICE(INTEL, 0x3a14), LPC_ICH10DO},
+ { PCI_VDEVICE(INTEL, 0x3a16), LPC_ICH10R},
+ { PCI_VDEVICE(INTEL, 0x3a18), LPC_ICH10},
+--
+2.39.5
+
--- /dev/null
+From 77010bea5241d61ce5845d1ef1b9d1de82774e8b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Nov 2024 17:37:22 +0800
+Subject: mmc: core: Respect quirk_max_rate for non-UHS SDIO card
+
+From: Shawn Lin <shawn.lin@rock-chips.com>
+
+[ Upstream commit a2a44f8da29352f76c99c6904ee652911b8dc7dd ]
+
+The card-quirk was added to limit the clock-rate for a card with UHS-mode
+support, although let's respect the quirk for non-UHS mode too, to make the
+behaviour consistent.
+
+Signed-off-by: Shawn Lin <shawn.lin@rock-chips.com>
+Message-ID: <1732268242-72799-1-git-send-email-shawn.lin@rock-chips.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/core/sdio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/mmc/core/sdio.c b/drivers/mmc/core/sdio.c
+index 5914516df2f7f..cb87e82737793 100644
+--- a/drivers/mmc/core/sdio.c
++++ b/drivers/mmc/core/sdio.c
+@@ -458,6 +458,8 @@ static unsigned mmc_sdio_get_max_clock(struct mmc_card *card)
+ if (mmc_card_sd_combo(card))
+ max_dtr = min(max_dtr, mmc_sd_get_max_clock(card));
+
++ max_dtr = min_not_zero(max_dtr, card->quirk_max_rate);
++
+ return max_dtr;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From aff9ad92584a43202af33a5fca587e59e0801142 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Jan 2025 16:35:14 +0800
+Subject: mmc: sdhci-msm: Correctly set the load for the regulator
+
+From: Yuanjie Yang <quic_yuanjiey@quicinc.com>
+
+[ Upstream commit 20a0c37e44063997391430c4ae09973e9cbc3911 ]
+
+Qualcomm regulator supports two power supply modes: HPM and LPM.
+Currently, the sdhci-msm.c driver does not set the load to adjust
+the current for eMMC and SD. If the regulator dont't set correct
+load in LPM state, it will lead to the inability to properly
+initialize eMMC and SD.
+
+Set the correct regulator current for eMMC and SD to ensure that the
+device can work normally even when the regulator is in LPM.
+
+Signed-off-by: Yuanjie Yang <quic_yuanjiey@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20250114083514.258379-1-quic_yuanjiey@quicinc.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mmc/host/sdhci-msm.c | 53 ++++++++++++++++++++++++++++++++++--
+ 1 file changed, 51 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/mmc/host/sdhci-msm.c b/drivers/mmc/host/sdhci-msm.c
+index 28bd562c439ef..c8488b8e20734 100644
+--- a/drivers/mmc/host/sdhci-msm.c
++++ b/drivers/mmc/host/sdhci-msm.c
+@@ -132,9 +132,18 @@
+ /* Timeout value to avoid infinite waiting for pwr_irq */
+ #define MSM_PWR_IRQ_TIMEOUT_MS 5000
+
++/* Max load for eMMC Vdd supply */
++#define MMC_VMMC_MAX_LOAD_UA 570000
++
+ /* Max load for eMMC Vdd-io supply */
+ #define MMC_VQMMC_MAX_LOAD_UA 325000
+
++/* Max load for SD Vdd supply */
++#define SD_VMMC_MAX_LOAD_UA 800000
++
++/* Max load for SD Vdd-io supply */
++#define SD_VQMMC_MAX_LOAD_UA 22000
++
+ #define msm_host_readl(msm_host, host, offset) \
+ msm_host->var_ops->msm_readl_relaxed(host, offset)
+
+@@ -1399,11 +1408,48 @@ static int sdhci_msm_set_pincfg(struct sdhci_msm_host *msm_host, bool level)
+ return ret;
+ }
+
+-static int sdhci_msm_set_vmmc(struct mmc_host *mmc)
++static void msm_config_vmmc_regulator(struct mmc_host *mmc, bool hpm)
++{
++ int load;
++
++ if (!hpm)
++ load = 0;
++ else if (!mmc->card)
++ load = max(MMC_VMMC_MAX_LOAD_UA, SD_VMMC_MAX_LOAD_UA);
++ else if (mmc_card_mmc(mmc->card))
++ load = MMC_VMMC_MAX_LOAD_UA;
++ else if (mmc_card_sd(mmc->card))
++ load = SD_VMMC_MAX_LOAD_UA;
++ else
++ return;
++
++ regulator_set_load(mmc->supply.vmmc, load);
++}
++
++static void msm_config_vqmmc_regulator(struct mmc_host *mmc, bool hpm)
++{
++ int load;
++
++ if (!hpm)
++ load = 0;
++ else if (!mmc->card)
++ load = max(MMC_VQMMC_MAX_LOAD_UA, SD_VQMMC_MAX_LOAD_UA);
++ else if (mmc_card_sd(mmc->card))
++ load = SD_VQMMC_MAX_LOAD_UA;
++ else
++ return;
++
++ regulator_set_load(mmc->supply.vqmmc, load);
++}
++
++static int sdhci_msm_set_vmmc(struct sdhci_msm_host *msm_host,
++ struct mmc_host *mmc, bool hpm)
+ {
+ if (IS_ERR(mmc->supply.vmmc))
+ return 0;
+
++ msm_config_vmmc_regulator(mmc, hpm);
++
+ return mmc_regulator_set_ocr(mmc, mmc->supply.vmmc, mmc->ios.vdd);
+ }
+
+@@ -1416,6 +1462,8 @@ static int msm_toggle_vqmmc(struct sdhci_msm_host *msm_host,
+ if (msm_host->vqmmc_enabled == level)
+ return 0;
+
++ msm_config_vqmmc_regulator(mmc, level);
++
+ if (level) {
+ /* Set the IO voltage regulator to default voltage level */
+ if (msm_host->caps_0 & CORE_3_0V_SUPPORT)
+@@ -1638,7 +1686,8 @@ static void sdhci_msm_handle_pwr_irq(struct sdhci_host *host, int irq)
+ }
+
+ if (pwr_state) {
+- ret = sdhci_msm_set_vmmc(mmc);
++ ret = sdhci_msm_set_vmmc(msm_host, mmc,
++ pwr_state & REQ_BUS_ON);
+ if (!ret)
+ ret = sdhci_msm_set_vqmmc(msm_host, mmc,
+ pwr_state & REQ_BUS_ON);
+--
+2.39.5
+
--- /dev/null
+From 0a2a332e295987db1139fcd209e95373cff6c333 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 7 Jan 2025 02:48:12 -0800
+Subject: net/mlx5: use do_aux_work for PHC overflow checks
+
+From: Vadim Fedorenko <vadfed@meta.com>
+
+[ Upstream commit e61e6c415ba9ff2b32bb6780ce1b17d1d76238f1 ]
+
+The overflow_work is using system wq to do overflow checks and updates
+for PHC device timecounter, which might be overhelmed by other tasks.
+But there is dedicated kthread in PTP subsystem designed for such
+things. This patch changes the work queue to proper align with PTP
+subsystem and to avoid overloading system work queue.
+The adjfine() function acts the same way as overflow check worker,
+we can postpone ptp aux worker till the next overflow period after
+adjfine() was called.
+
+Reviewed-by: Dragos Tatulea <dtatulea@nvidia.com>
+Signed-off-by: Vadim Fedorenko <vadfed@meta.com>
+Acked-by: Tariq Toukan <tariqt@nvidia.com>
+Link: https://patch.msgid.link/20250107104812.380225-1-vadfed@meta.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../ethernet/mellanox/mlx5/core/lib/clock.c | 24 ++++++++++---------
+ include/linux/mlx5/driver.h | 1 -
+ 2 files changed, 13 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c
+index 2ac255bb918ba..133e8220aaeaf 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/clock.c
+@@ -186,17 +186,16 @@ static void mlx5_pps_out(struct work_struct *work)
+ }
+ }
+
+-static void mlx5_timestamp_overflow(struct work_struct *work)
++static long mlx5_timestamp_overflow(struct ptp_clock_info *ptp_info)
+ {
+- struct delayed_work *dwork = to_delayed_work(work);
+ struct mlx5_core_dev *mdev;
+ struct mlx5_timer *timer;
+ struct mlx5_clock *clock;
+ unsigned long flags;
+
+- timer = container_of(dwork, struct mlx5_timer, overflow_work);
+- clock = container_of(timer, struct mlx5_clock, timer);
++ clock = container_of(ptp_info, struct mlx5_clock, ptp_info);
+ mdev = container_of(clock, struct mlx5_core_dev, clock);
++ timer = &clock->timer;
+
+ if (mdev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR)
+ goto out;
+@@ -207,7 +206,7 @@ static void mlx5_timestamp_overflow(struct work_struct *work)
+ write_sequnlock_irqrestore(&clock->lock, flags);
+
+ out:
+- schedule_delayed_work(&timer->overflow_work, timer->overflow_period);
++ return timer->overflow_period;
+ }
+
+ static int mlx5_ptp_settime_real_time(struct mlx5_core_dev *mdev,
+@@ -375,6 +374,7 @@ static int mlx5_ptp_adjfreq(struct ptp_clock_info *ptp, s32 delta)
+ timer->nominal_c_mult + diff;
+ mlx5_update_clock_info_page(mdev);
+ write_sequnlock_irqrestore(&clock->lock, flags);
++ ptp_schedule_worker(clock->ptp, timer->overflow_period);
+
+ return 0;
+ }
+@@ -708,6 +708,7 @@ static const struct ptp_clock_info mlx5_ptp_clock_info = {
+ .settime64 = mlx5_ptp_settime,
+ .enable = NULL,
+ .verify = NULL,
++ .do_aux_work = mlx5_timestamp_overflow,
+ };
+
+ static int mlx5_query_mtpps_pin_mode(struct mlx5_core_dev *mdev, u8 pin,
+@@ -908,12 +909,11 @@ static void mlx5_init_overflow_period(struct mlx5_clock *clock)
+ do_div(ns, NSEC_PER_SEC / HZ);
+ timer->overflow_period = ns;
+
+- INIT_DELAYED_WORK(&timer->overflow_work, mlx5_timestamp_overflow);
+- if (timer->overflow_period)
+- schedule_delayed_work(&timer->overflow_work, 0);
+- else
++ if (!timer->overflow_period) {
++ timer->overflow_period = HZ;
+ mlx5_core_warn(mdev,
+- "invalid overflow period, overflow_work is not scheduled\n");
++ "invalid overflow period, overflow_work is scheduled once per second\n");
++ }
+
+ if (clock_info)
+ clock_info->overflow_period = timer->overflow_period;
+@@ -999,6 +999,9 @@ void mlx5_init_clock(struct mlx5_core_dev *mdev)
+
+ MLX5_NB_INIT(&clock->pps_nb, mlx5_pps_event, PPS_EVENT);
+ mlx5_eq_notifier_register(mdev, &clock->pps_nb);
++
++ if (clock->ptp)
++ ptp_schedule_worker(clock->ptp, 0);
+ }
+
+ void mlx5_cleanup_clock(struct mlx5_core_dev *mdev)
+@@ -1015,7 +1018,6 @@ void mlx5_cleanup_clock(struct mlx5_core_dev *mdev)
+ }
+
+ cancel_work_sync(&clock->pps_info.out_work);
+- cancel_delayed_work_sync(&clock->timer.overflow_work);
+
+ if (mdev->clock_info) {
+ free_page((unsigned long)mdev->clock_info);
+diff --git a/include/linux/mlx5/driver.h b/include/linux/mlx5/driver.h
+index 2588ddd3512b1..3c3e0f26c2446 100644
+--- a/include/linux/mlx5/driver.h
++++ b/include/linux/mlx5/driver.h
+@@ -716,7 +716,6 @@ struct mlx5_timer {
+ struct timecounter tc;
+ u32 nominal_c_mult;
+ unsigned long overflow_period;
+- struct delayed_work overflow_work;
+ };
+
+ struct mlx5_clock {
+--
+2.39.5
+
--- /dev/null
+From 9d6df93c6591c807dc0cc4d1e4b291e1bc00ff24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Nov 2023 10:07:35 -0600
+Subject: net/ncsi: Add NC-SI 1.2 Get MC MAC Address command
+
+From: Peter Delevoryas <peter@pjd.dev>
+
+[ Upstream commit b8291cf3d1180b5b61299922f17c9441616a805a ]
+
+This change adds support for the NC-SI 1.2 Get MC MAC Address command,
+specified here:
+
+https://www.dmtf.org/sites/default/files/standards/documents/DSP0222_1.2.0.pdf
+
+It serves the exact same function as the existing OEM Get MAC Address
+commands, so if a channel reports that it supports NC-SI 1.2, we prefer
+to use the standard command rather than the OEM command.
+
+Verified with an invalid MAC address and 2 valid ones:
+
+[ 55.137072] ftgmac100 1e690000.ftgmac eth0: NCSI: Received 3 provisioned MAC addresses
+[ 55.137614] ftgmac100 1e690000.ftgmac eth0: NCSI: MAC address 0: 00:00:00:00:00:00
+[ 55.138026] ftgmac100 1e690000.ftgmac eth0: NCSI: MAC address 1: fa:ce:b0:0c:20:22
+[ 55.138528] ftgmac100 1e690000.ftgmac eth0: NCSI: MAC address 2: fa:ce:b0:0c:20:23
+[ 55.139241] ftgmac100 1e690000.ftgmac eth0: NCSI: Unable to assign 00:00:00:00:00:00 to device
+[ 55.140098] ftgmac100 1e690000.ftgmac eth0: NCSI: Set MAC address to fa:ce:b0:0c:20:22
+
+Signed-off-by: Peter Delevoryas <peter@pjd.dev>
+Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Stable-dep-of: 9e2bbab94b88 ("net/ncsi: fix locking in Get MAC Address handling")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ncsi/ncsi-cmd.c | 3 ++-
+ net/ncsi/ncsi-manage.c | 9 +++++++--
+ net/ncsi/ncsi-pkt.h | 10 ++++++++++
+ net/ncsi/ncsi-rsp.c | 41 ++++++++++++++++++++++++++++++++++++++++-
+ 4 files changed, 59 insertions(+), 4 deletions(-)
+
+diff --git a/net/ncsi/ncsi-cmd.c b/net/ncsi/ncsi-cmd.c
+index dda8b76b77988..7be177f551731 100644
+--- a/net/ncsi/ncsi-cmd.c
++++ b/net/ncsi/ncsi-cmd.c
+@@ -269,7 +269,8 @@ static struct ncsi_cmd_handler {
+ { NCSI_PKT_CMD_GPS, 0, ncsi_cmd_handler_default },
+ { NCSI_PKT_CMD_OEM, -1, ncsi_cmd_handler_oem },
+ { NCSI_PKT_CMD_PLDM, 0, NULL },
+- { NCSI_PKT_CMD_GPUUID, 0, ncsi_cmd_handler_default }
++ { NCSI_PKT_CMD_GPUUID, 0, ncsi_cmd_handler_default },
++ { NCSI_PKT_CMD_GMCMA, 0, ncsi_cmd_handler_default }
+ };
+
+ static struct ncsi_request *ncsi_alloc_command(struct ncsi_cmd_arg *nca)
+diff --git a/net/ncsi/ncsi-manage.c b/net/ncsi/ncsi-manage.c
+index 760b33fa03a8b..4583b29971933 100644
+--- a/net/ncsi/ncsi-manage.c
++++ b/net/ncsi/ncsi-manage.c
+@@ -1040,11 +1040,16 @@ static void ncsi_configure_channel(struct ncsi_dev_priv *ndp)
+ case ncsi_dev_state_config_oem_gma:
+ nd->state = ncsi_dev_state_config_clear_vids;
+
+- nca.type = NCSI_PKT_CMD_OEM;
+ nca.package = np->id;
+ nca.channel = nc->id;
+ ndp->pending_req_num = 1;
+- ret = ncsi_gma_handler(&nca, nc->version.mf_id);
++ if (nc->version.major >= 1 && nc->version.minor >= 2) {
++ nca.type = NCSI_PKT_CMD_GMCMA;
++ ret = ncsi_xmit_cmd(&nca);
++ } else {
++ nca.type = NCSI_PKT_CMD_OEM;
++ ret = ncsi_gma_handler(&nca, nc->version.mf_id);
++ }
+ if (ret < 0)
+ schedule_work(&ndp->work);
+
+diff --git a/net/ncsi/ncsi-pkt.h b/net/ncsi/ncsi-pkt.h
+index c9d1da34dc4dc..f2f3b5c1b9412 100644
+--- a/net/ncsi/ncsi-pkt.h
++++ b/net/ncsi/ncsi-pkt.h
+@@ -338,6 +338,14 @@ struct ncsi_rsp_gpuuid_pkt {
+ __be32 checksum;
+ };
+
++/* Get MC MAC Address */
++struct ncsi_rsp_gmcma_pkt {
++ struct ncsi_rsp_pkt_hdr rsp;
++ unsigned char address_count;
++ unsigned char reserved[3];
++ unsigned char addresses[][ETH_ALEN];
++};
++
+ /* AEN: Link State Change */
+ struct ncsi_aen_lsc_pkt {
+ struct ncsi_aen_pkt_hdr aen; /* AEN header */
+@@ -398,6 +406,7 @@ struct ncsi_aen_hncdsc_pkt {
+ #define NCSI_PKT_CMD_GPUUID 0x52 /* Get package UUID */
+ #define NCSI_PKT_CMD_QPNPR 0x56 /* Query Pending NC PLDM request */
+ #define NCSI_PKT_CMD_SNPR 0x57 /* Send NC PLDM Reply */
++#define NCSI_PKT_CMD_GMCMA 0x58 /* Get MC MAC Address */
+
+
+ /* NCSI packet responses */
+@@ -433,6 +442,7 @@ struct ncsi_aen_hncdsc_pkt {
+ #define NCSI_PKT_RSP_GPUUID (NCSI_PKT_CMD_GPUUID + 0x80)
+ #define NCSI_PKT_RSP_QPNPR (NCSI_PKT_CMD_QPNPR + 0x80)
+ #define NCSI_PKT_RSP_SNPR (NCSI_PKT_CMD_SNPR + 0x80)
++#define NCSI_PKT_RSP_GMCMA (NCSI_PKT_CMD_GMCMA + 0x80)
+
+ /* NCSI response code/reason */
+ #define NCSI_PKT_RSP_C_COMPLETED 0x0000 /* Command Completed */
+diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c
+index f22d67cb04d37..e28be33bdf2c4 100644
+--- a/net/ncsi/ncsi-rsp.c
++++ b/net/ncsi/ncsi-rsp.c
+@@ -1093,6 +1093,44 @@ static int ncsi_rsp_handler_netlink(struct ncsi_request *nr)
+ return ret;
+ }
+
++static int ncsi_rsp_handler_gmcma(struct ncsi_request *nr)
++{
++ struct ncsi_dev_priv *ndp = nr->ndp;
++ struct net_device *ndev = ndp->ndev.dev;
++ struct ncsi_rsp_gmcma_pkt *rsp;
++ struct sockaddr saddr;
++ int ret = -1;
++ int i;
++
++ rsp = (struct ncsi_rsp_gmcma_pkt *)skb_network_header(nr->rsp);
++ saddr.sa_family = ndev->type;
++ ndev->priv_flags |= IFF_LIVE_ADDR_CHANGE;
++
++ netdev_info(ndev, "NCSI: Received %d provisioned MAC addresses\n",
++ rsp->address_count);
++ for (i = 0; i < rsp->address_count; i++) {
++ netdev_info(ndev, "NCSI: MAC address %d: %02x:%02x:%02x:%02x:%02x:%02x\n",
++ i, rsp->addresses[i][0], rsp->addresses[i][1],
++ rsp->addresses[i][2], rsp->addresses[i][3],
++ rsp->addresses[i][4], rsp->addresses[i][5]);
++ }
++
++ for (i = 0; i < rsp->address_count; i++) {
++ memcpy(saddr.sa_data, &rsp->addresses[i], ETH_ALEN);
++ ret = ndev->netdev_ops->ndo_set_mac_address(ndev, &saddr);
++ if (ret < 0) {
++ netdev_warn(ndev, "NCSI: Unable to assign %pM to device\n",
++ saddr.sa_data);
++ continue;
++ }
++ netdev_warn(ndev, "NCSI: Set MAC address to %pM\n", saddr.sa_data);
++ break;
++ }
++
++ ndp->gma_flag = ret == 0;
++ return ret;
++}
++
+ static struct ncsi_rsp_handler {
+ unsigned char type;
+ int payload;
+@@ -1129,7 +1167,8 @@ static struct ncsi_rsp_handler {
+ { NCSI_PKT_RSP_PLDM, -1, ncsi_rsp_handler_pldm },
+ { NCSI_PKT_RSP_GPUUID, 20, ncsi_rsp_handler_gpuuid },
+ { NCSI_PKT_RSP_QPNPR, -1, ncsi_rsp_handler_pldm },
+- { NCSI_PKT_RSP_SNPR, -1, ncsi_rsp_handler_pldm }
++ { NCSI_PKT_RSP_SNPR, -1, ncsi_rsp_handler_pldm },
++ { NCSI_PKT_RSP_GMCMA, -1, ncsi_rsp_handler_gmcma },
+ };
+
+ int ncsi_rcv_rsp(struct sk_buff *skb, struct net_device *dev,
+--
+2.39.5
+
--- /dev/null
+From 2fcf36d55407b0c031404b5356ac9102474f7fe4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Jan 2025 17:50:54 +0300
+Subject: net/ncsi: fix locking in Get MAC Address handling
+
+From: Paul Fertser <fercerpav@gmail.com>
+
+[ Upstream commit 9e2bbab94b88295dcc57c7580393c9ee08d7314d ]
+
+Obtaining RTNL lock in a response handler is not allowed since it runs
+in an atomic softirq context. Postpone setting the MAC address by adding
+a dedicated step to the configuration FSM.
+
+Fixes: 790071347a0a ("net/ncsi: change from ndo_set_mac_address to dev_set_mac_address")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/20241129-potin-revert-ncsi-set-mac-addr-v1-1-94ea2cb596af@gmail.com
+Signed-off-by: Paul Fertser <fercerpav@gmail.com>
+Tested-by: Potin Lai <potin.lai.pt@gmail.com>
+Link: https://patch.msgid.link/20250109145054.30925-1-fercerpav@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ncsi/internal.h | 2 ++
+ net/ncsi/ncsi-manage.c | 16 ++++++++++++++--
+ net/ncsi/ncsi-rsp.c | 19 ++++++-------------
+ 3 files changed, 22 insertions(+), 15 deletions(-)
+
+diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h
+index ef0f8f73826f5..4e0842df5234e 100644
+--- a/net/ncsi/internal.h
++++ b/net/ncsi/internal.h
+@@ -289,6 +289,7 @@ enum {
+ ncsi_dev_state_config_sp = 0x0301,
+ ncsi_dev_state_config_cis,
+ ncsi_dev_state_config_oem_gma,
++ ncsi_dev_state_config_apply_mac,
+ ncsi_dev_state_config_clear_vids,
+ ncsi_dev_state_config_svf,
+ ncsi_dev_state_config_ev,
+@@ -322,6 +323,7 @@ struct ncsi_dev_priv {
+ #define NCSI_DEV_RESHUFFLE 4
+ #define NCSI_DEV_RESET 8 /* Reset state of NC */
+ unsigned int gma_flag; /* OEM GMA flag */
++ struct sockaddr pending_mac; /* MAC address received from GMA */
+ spinlock_t lock; /* Protect the NCSI device */
+ unsigned int package_probe_id;/* Current ID during probe */
+ unsigned int package_num; /* Number of packages */
+diff --git a/net/ncsi/ncsi-manage.c b/net/ncsi/ncsi-manage.c
+index 4583b29971933..2281eb1a0a03b 100644
+--- a/net/ncsi/ncsi-manage.c
++++ b/net/ncsi/ncsi-manage.c
+@@ -1038,7 +1038,7 @@ static void ncsi_configure_channel(struct ncsi_dev_priv *ndp)
+ : ncsi_dev_state_config_clear_vids;
+ break;
+ case ncsi_dev_state_config_oem_gma:
+- nd->state = ncsi_dev_state_config_clear_vids;
++ nd->state = ncsi_dev_state_config_apply_mac;
+
+ nca.package = np->id;
+ nca.channel = nc->id;
+@@ -1050,10 +1050,22 @@ static void ncsi_configure_channel(struct ncsi_dev_priv *ndp)
+ nca.type = NCSI_PKT_CMD_OEM;
+ ret = ncsi_gma_handler(&nca, nc->version.mf_id);
+ }
+- if (ret < 0)
++ if (ret < 0) {
++ nd->state = ncsi_dev_state_config_clear_vids;
+ schedule_work(&ndp->work);
++ }
+
+ break;
++ case ncsi_dev_state_config_apply_mac:
++ rtnl_lock();
++ ret = dev_set_mac_address(dev, &ndp->pending_mac, NULL);
++ rtnl_unlock();
++ if (ret < 0)
++ netdev_warn(dev, "NCSI: 'Writing MAC address to device failed\n");
++
++ nd->state = ncsi_dev_state_config_clear_vids;
++
++ fallthrough;
+ case ncsi_dev_state_config_clear_vids:
+ case ncsi_dev_state_config_svf:
+ case ncsi_dev_state_config_ev:
+diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c
+index e28be33bdf2c4..14bd66909ca45 100644
+--- a/net/ncsi/ncsi-rsp.c
++++ b/net/ncsi/ncsi-rsp.c
+@@ -628,16 +628,14 @@ static int ncsi_rsp_handler_snfc(struct ncsi_request *nr)
+ static int ncsi_rsp_handler_oem_gma(struct ncsi_request *nr, int mfr_id)
+ {
+ struct ncsi_dev_priv *ndp = nr->ndp;
++ struct sockaddr *saddr = &ndp->pending_mac;
+ struct net_device *ndev = ndp->ndev.dev;
+ struct ncsi_rsp_oem_pkt *rsp;
+- struct sockaddr saddr;
+ u32 mac_addr_off = 0;
+- int ret = 0;
+
+ /* Get the response header */
+ rsp = (struct ncsi_rsp_oem_pkt *)skb_network_header(nr->rsp);
+
+- saddr.sa_family = ndev->type;
+ ndev->priv_flags |= IFF_LIVE_ADDR_CHANGE;
+ if (mfr_id == NCSI_OEM_MFR_BCM_ID)
+ mac_addr_off = BCM_MAC_ADDR_OFFSET;
+@@ -646,22 +644,17 @@ static int ncsi_rsp_handler_oem_gma(struct ncsi_request *nr, int mfr_id)
+ else if (mfr_id == NCSI_OEM_MFR_INTEL_ID)
+ mac_addr_off = INTEL_MAC_ADDR_OFFSET;
+
+- memcpy(saddr.sa_data, &rsp->data[mac_addr_off], ETH_ALEN);
++ saddr->sa_family = ndev->type;
++ memcpy(saddr->sa_data, &rsp->data[mac_addr_off], ETH_ALEN);
+ if (mfr_id == NCSI_OEM_MFR_BCM_ID || mfr_id == NCSI_OEM_MFR_INTEL_ID)
+- eth_addr_inc((u8 *)saddr.sa_data);
+- if (!is_valid_ether_addr((const u8 *)saddr.sa_data))
++ eth_addr_inc((u8 *)saddr->sa_data);
++ if (!is_valid_ether_addr((const u8 *)saddr->sa_data))
+ return -ENXIO;
+
+ /* Set the flag for GMA command which should only be called once */
+ ndp->gma_flag = 1;
+
+- rtnl_lock();
+- ret = dev_set_mac_address(ndev, &saddr, NULL);
+- rtnl_unlock();
+- if (ret < 0)
+- netdev_warn(ndev, "NCSI: 'Writing mac address to device failed\n");
+-
+- return ret;
++ return 0;
+ }
+
+ /* Response handler for Mellanox card */
+--
+2.39.5
+
--- /dev/null
+From 43848fa76ae8740e24b2fdd68b0c4e9596c6e926 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Jan 2025 00:33:50 +0100
+Subject: net: wwan: iosm: Fix hibernation by re-binding the driver around it
+
+From: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
+
+[ Upstream commit 0b6f6593aa8c3a05f155c12fd0e7ad33a5149c31 ]
+
+Currently, the driver is seriously broken with respect to the
+hibernation (S4): after image restore the device is back into
+IPC_MEM_EXEC_STAGE_BOOT (which AFAIK means bootloader stage) and needs
+full re-launch of the rest of its firmware, but the driver restore
+handler treats the device as merely sleeping and just sends it a
+wake-up command.
+
+This wake-up command times out but device nodes (/dev/wwan*) remain
+accessible.
+However attempting to use them causes the bootloader to crash and
+enter IPC_MEM_EXEC_STAGE_CD_READY stage (which apparently means "a crash
+dump is ready").
+
+It seems that the device cannot be re-initialized from this crashed
+stage without toggling some reset pin (on my test platform that's
+apparently what the device _RST ACPI method does).
+
+While it would theoretically be possible to rewrite the driver to tear
+down the whole MUX / IPC layers on hibernation (so the bootloader does
+not crash from improper access) and then re-launch the device on
+restore this would require significant refactoring of the driver
+(believe me, I've tried), since there are quite a few assumptions
+hard-coded in the driver about the device never being partially
+de-initialized (like channels other than devlink cannot be closed,
+for example).
+Probably this would also need some programming guide for this hardware.
+
+Considering that the driver seems orphaned [1] and other people are
+hitting this issue too [2] fix it by simply unbinding the PCI driver
+before hibernation and re-binding it after restore, much like
+USB_QUIRK_RESET_RESUME does for USB devices that exhibit a similar
+problem.
+
+Tested on XMM7360 in HP EliteBook 855 G7 both with s2idle (which uses
+the existing suspend / resume handlers) and S4 (which uses the new code).
+
+[1]: https://lore.kernel.org/all/c248f0b4-2114-4c61-905f-466a786bdebb@leemhuis.info/
+[2]:
+https://github.com/xmm7360/xmm7360-pci/issues/211#issuecomment-1804139413
+
+Reviewed-by: Sergey Ryazanov <ryazanov.s.a@gmail.com>
+Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
+Link: https://patch.msgid.link/e60287ebdb0ab54c4075071b72568a40a75d0205.1736372610.git.mail@maciej.szmigiero.name
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wwan/iosm/iosm_ipc_pcie.c | 56 ++++++++++++++++++++++++++-
+ 1 file changed, 55 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wwan/iosm/iosm_ipc_pcie.c b/drivers/net/wwan/iosm/iosm_ipc_pcie.c
+index 04517bd3325a2..a066977af0be5 100644
+--- a/drivers/net/wwan/iosm/iosm_ipc_pcie.c
++++ b/drivers/net/wwan/iosm/iosm_ipc_pcie.c
+@@ -6,6 +6,7 @@
+ #include <linux/acpi.h>
+ #include <linux/bitfield.h>
+ #include <linux/module.h>
++#include <linux/suspend.h>
+ #include <net/rtnetlink.h>
+
+ #include "iosm_ipc_imem.h"
+@@ -18,6 +19,7 @@ MODULE_LICENSE("GPL v2");
+ /* WWAN GUID */
+ static guid_t wwan_acpi_guid = GUID_INIT(0xbad01b75, 0x22a8, 0x4f48, 0x87, 0x92,
+ 0xbd, 0xde, 0x94, 0x67, 0x74, 0x7d);
++static bool pci_registered;
+
+ static void ipc_pcie_resources_release(struct iosm_pcie *ipc_pcie)
+ {
+@@ -448,7 +450,6 @@ static struct pci_driver iosm_ipc_driver = {
+ },
+ .id_table = iosm_ipc_ids,
+ };
+-module_pci_driver(iosm_ipc_driver);
+
+ int ipc_pcie_addr_map(struct iosm_pcie *ipc_pcie, unsigned char *data,
+ size_t size, dma_addr_t *mapping, int direction)
+@@ -530,3 +531,56 @@ void ipc_pcie_kfree_skb(struct iosm_pcie *ipc_pcie, struct sk_buff *skb)
+ IPC_CB(skb)->mapping = 0;
+ dev_kfree_skb(skb);
+ }
++
++static int pm_notify(struct notifier_block *nb, unsigned long mode, void *_unused)
++{
++ if (mode == PM_HIBERNATION_PREPARE || mode == PM_RESTORE_PREPARE) {
++ if (pci_registered) {
++ pci_unregister_driver(&iosm_ipc_driver);
++ pci_registered = false;
++ }
++ } else if (mode == PM_POST_HIBERNATION || mode == PM_POST_RESTORE) {
++ if (!pci_registered) {
++ int ret;
++
++ ret = pci_register_driver(&iosm_ipc_driver);
++ if (ret) {
++ pr_err(KBUILD_MODNAME ": unable to re-register PCI driver: %d\n",
++ ret);
++ } else {
++ pci_registered = true;
++ }
++ }
++ }
++
++ return 0;
++}
++
++static struct notifier_block pm_notifier = {
++ .notifier_call = pm_notify,
++};
++
++static int __init iosm_ipc_driver_init(void)
++{
++ int ret;
++
++ ret = pci_register_driver(&iosm_ipc_driver);
++ if (ret)
++ return ret;
++
++ pci_registered = true;
++
++ register_pm_notifier(&pm_notifier);
++
++ return 0;
++}
++module_init(iosm_ipc_driver_init);
++
++static void __exit iosm_ipc_driver_exit(void)
++{
++ unregister_pm_notifier(&pm_notifier);
++
++ if (pci_registered)
++ pci_unregister_driver(&iosm_ipc_driver);
++}
++module_exit(iosm_ipc_driver_exit);
+--
+2.39.5
+
--- /dev/null
+From 9bb8a392c53aab2d39e469102ce9aef6f1f1d3d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 Jan 2025 21:17:22 +0100
+Subject: platform/x86: acer-wmi: Ignore AC events
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Armin Wolf <W_Armin@gmx.de>
+
+[ Upstream commit f6bfa25c6665f8721421ea94fe506cc22f1d4b43 ]
+
+On the Acer Swift SFG14-41, the events 8 - 1 and 8 - 0 are printed on
+AC connect/disconnect. Ignore those events to avoid spamming the
+kernel log with error messages.
+
+Reported-by: Farhan Anwar <farhan.anwar8@gmail.com>
+Closes: https://lore.kernel.org/platform-driver-x86/2ffb529d-e7c8-4026-a3b8-120c8e7afec8@gmail.com
+Tested-by: Rayan Margham <rayanmargham4@gmail.com>
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Armin Wolf <W_Armin@gmx.de>
+Link: https://lore.kernel.org/r/20250119201723.11102-2-W_Armin@gmx.de
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/acer-wmi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/platform/x86/acer-wmi.c b/drivers/platform/x86/acer-wmi.c
+index ee67efdd54995..da765a7dedbc4 100644
+--- a/drivers/platform/x86/acer-wmi.c
++++ b/drivers/platform/x86/acer-wmi.c
+@@ -88,6 +88,7 @@ enum acer_wmi_event_ids {
+ WMID_HOTKEY_EVENT = 0x1,
+ WMID_ACCEL_OR_KBD_DOCK_EVENT = 0x5,
+ WMID_GAMING_TURBO_KEY_EVENT = 0x7,
++ WMID_AC_EVENT = 0x8,
+ };
+
+ static const struct key_entry acer_wmi_keymap[] __initconst = {
+@@ -1999,6 +2000,9 @@ static void acer_wmi_notify(u32 value, void *context)
+ if (return_value.key_num == 0x4)
+ acer_toggle_turbo();
+ break;
++ case WMID_AC_EVENT:
++ /* We ignore AC events here */
++ break;
+ default:
+ pr_warn("Unknown function number - %d - %d\n",
+ return_value.function, return_value.key_num);
+--
+2.39.5
+
--- /dev/null
+From 624885ed5c6042d944e7579554608abc9b349525 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 9 Dec 2024 23:05:19 +0100
+Subject: platform/x86: int3472: Check for adev == NULL
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit cd2fd6eab480dfc247b737cf7a3d6b009c4d0f1c ]
+
+Not all devices have an ACPI companion fwnode, so adev might be NULL. This
+can e.g. (theoretically) happen when a user manually binds one of
+the int3472 drivers to another i2c/platform device through sysfs.
+
+Add a check for adev not being set and return -ENODEV in that case to
+avoid a possible NULL pointer deref in skl_int3472_get_acpi_buffer().
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20241209220522.25288-1-hdegoede@redhat.com
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/platform/x86/intel/int3472/discrete.c | 3 +++
+ drivers/platform/x86/intel/int3472/tps68470.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/drivers/platform/x86/intel/int3472/discrete.c b/drivers/platform/x86/intel/int3472/discrete.c
+index c42c3faa2c32d..0f16436e5804b 100644
+--- a/drivers/platform/x86/intel/int3472/discrete.c
++++ b/drivers/platform/x86/intel/int3472/discrete.c
+@@ -359,6 +359,9 @@ static int skl_int3472_discrete_probe(struct platform_device *pdev)
+ struct int3472_cldb cldb;
+ int ret;
+
++ if (!adev)
++ return -ENODEV;
++
+ ret = skl_int3472_fill_cldb(adev, &cldb);
+ if (ret) {
+ dev_err(&pdev->dev, "Couldn't fill CLDB structure\n");
+diff --git a/drivers/platform/x86/intel/int3472/tps68470.c b/drivers/platform/x86/intel/int3472/tps68470.c
+index 5b8d1a9620a5d..82fb2fbc1000f 100644
+--- a/drivers/platform/x86/intel/int3472/tps68470.c
++++ b/drivers/platform/x86/intel/int3472/tps68470.c
+@@ -152,6 +152,9 @@ static int skl_int3472_tps68470_probe(struct i2c_client *client)
+ int ret;
+ int i;
+
++ if (!adev)
++ return -ENODEV;
++
+ n_consumers = skl_int3472_fill_clk_pdata(&client->dev, &clk_pdata);
+ if (n_consumers < 0)
+ return n_consumers;
+--
+2.39.5
+
--- /dev/null
+From 44fae478edb9d3fe62fb573a71db70b60bbe357f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Sep 2024 19:36:08 +0800
+Subject: printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX
+
+From: Kuan-Wei Chiu <visitorckw@gmail.com>
+
+[ Upstream commit 3d6f83df8ff2d5de84b50377e4f0d45e25311c7a ]
+
+Shifting 1 << 31 on a 32-bit int causes signed integer overflow, which
+leads to undefined behavior. To prevent this, cast 1 to u32 before
+performing the shift, ensuring well-defined behavior.
+
+This change explicitly avoids any potential overflow by ensuring that
+the shift occurs on an unsigned 32-bit integer.
+
+Signed-off-by: Kuan-Wei Chiu <visitorckw@gmail.com>
+Acked-by: Petr Mladek <pmladek@suse.com>
+Link: https://lore.kernel.org/r/20240928113608.1438087-1-visitorckw@gmail.com
+Signed-off-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/printk/printk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
+index 5a88134fba79f..c93beab96c860 100644
+--- a/kernel/printk/printk.c
++++ b/kernel/printk/printk.c
+@@ -403,7 +403,7 @@ static struct latched_seq clear_seq = {
+ /* record buffer */
+ #define LOG_ALIGN __alignof__(unsigned long)
+ #define __LOG_BUF_LEN (1 << CONFIG_LOG_BUF_SHIFT)
+-#define LOG_BUF_LEN_MAX (u32)(1 << 31)
++#define LOG_BUF_LEN_MAX ((u32)1 << 31)
+ static char __log_buf[__LOG_BUF_LEN] __aligned(LOG_ALIGN);
+ static char *log_buf = __log_buf;
+ static u32 log_buf_len = __LOG_BUF_LEN;
+--
+2.39.5
+
--- /dev/null
+From 4fdd1064916ba2783f4f06b6aaeecffddeaea6d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Dec 2024 10:26:57 -0800
+Subject: safesetid: check size of policy writes
+
+From: Leo Stone <leocstone@gmail.com>
+
+[ Upstream commit f09ff307c7299392f1c88f763299e24bc99811c7 ]
+
+syzbot attempts to write a buffer with a large size to a sysfs entry
+with writes handled by handle_policy_update(), triggering a warning
+in kmalloc.
+
+Check the size specified for write buffers before allocating.
+
+Reported-by: syzbot+4eb7a741b3216020043a@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=4eb7a741b3216020043a
+Signed-off-by: Leo Stone <leocstone@gmail.com>
+[PM: subject tweak]
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/safesetid/securityfs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/security/safesetid/securityfs.c b/security/safesetid/securityfs.c
+index 25310468bcddf..8e1ffd70b18ab 100644
+--- a/security/safesetid/securityfs.c
++++ b/security/safesetid/securityfs.c
+@@ -143,6 +143,9 @@ static ssize_t handle_policy_update(struct file *file,
+ char *buf, *p, *end;
+ int err;
+
++ if (len >= KMALLOC_MAX_SIZE)
++ return -EINVAL;
++
+ pol = kmalloc(sizeof(struct setid_ruleset), GFP_KERNEL);
+ if (!pol)
+ return -ENOMEM;
+--
+2.39.5
+
--- /dev/null
+From 8bae72f6c2119288a55bf2f44719eb7bfeeb6c79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Nov 2024 13:37:45 +0900
+Subject: sched: Don't try to catch up excess steal time.
+
+From: Suleiman Souhlal <suleiman@google.com>
+
+[ Upstream commit 108ad0999085df2366dd9ef437573955cb3f5586 ]
+
+When steal time exceeds the measured delta when updating clock_task, we
+currently try to catch up the excess in future updates.
+However, this results in inaccurate run times for the future things using
+clock_task, in some situations, as they end up getting additional steal
+time that did not actually happen.
+This is because there is a window between reading the elapsed time in
+update_rq_clock() and sampling the steal time in update_rq_clock_task().
+If the VCPU gets preempted between those two points, any additional
+steal time is accounted to the outgoing task even though the calculated
+delta did not actually contain any of that "stolen" time.
+When this race happens, we can end up with steal time that exceeds the
+calculated delta, and the previous code would try to catch up that excess
+steal time in future clock updates, which is given to the next,
+incoming task, even though it did not actually have any time stolen.
+
+This behavior is particularly bad when steal time can be very long,
+which we've seen when trying to extend steal time to contain the duration
+that the host was suspended [0]. When this happens, clock_task stays
+frozen, during which the running task stays running for the whole
+duration, since its run time doesn't increase.
+However the race can happen even under normal operation.
+
+Ideally we would read the elapsed cpu time and the steal time atomically,
+to prevent this race from happening in the first place, but doing so
+is non-trivial.
+
+Since the time between those two points isn't otherwise accounted anywhere,
+neither to the outgoing task nor the incoming task (because the "end of
+outgoing task" and "start of incoming task" timestamps are the same),
+I would argue that the right thing to do is to simply drop any excess steal
+time, in order to prevent these issues.
+
+[0] https://lore.kernel.org/kvm/20240820043543.837914-1-suleiman@google.com/
+
+Signed-off-by: Suleiman Souhlal <suleiman@google.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20241118043745.1857272-1-suleiman@google.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/core.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index f54d2da2f9a67..2f7519022c01c 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -704,13 +704,15 @@ static void update_rq_clock_task(struct rq *rq, s64 delta)
+ #endif
+ #ifdef CONFIG_PARAVIRT_TIME_ACCOUNTING
+ if (static_key_false((¶virt_steal_rq_enabled))) {
+- steal = paravirt_steal_clock(cpu_of(rq));
++ u64 prev_steal;
++
++ steal = prev_steal = paravirt_steal_clock(cpu_of(rq));
+ steal -= rq->prev_steal_time_rq;
+
+ if (unlikely(steal > delta))
+ steal = delta;
+
+- rq->prev_steal_time_rq += steal;
++ rq->prev_steal_time_rq = prev_steal;
+ delta -= steal;
+ }
+ #endif
+--
+2.39.5
+
--- /dev/null
+From a2048d31e4b3c33a2207cf43c7a9aca766e49a95 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Jan 2025 09:30:37 +0800
+Subject: selftests/net/ipsec: Fix Null pointer dereference in rtattr_pack()
+
+From: Liu Ye <liuye@kylinos.cn>
+
+[ Upstream commit 3a0b7fa095212b51ed63892540c4f249991a2d74 ]
+
+Address Null pointer dereference / undefined behavior in rtattr_pack
+(note that size is 0 in the bad case).
+
+Flagged by cppcheck as:
+ tools/testing/selftests/net/ipsec.c:230:25: warning: Possible null pointer
+ dereference: payload [nullPointer]
+ memcpy(RTA_DATA(attr), payload, size);
+ ^
+ tools/testing/selftests/net/ipsec.c:1618:54: note: Calling function 'rtattr_pack',
+ 4th argument 'NULL' value is 0
+ if (rtattr_pack(&req.nh, sizeof(req), XFRMA_IF_ID, NULL, 0)) {
+ ^
+ tools/testing/selftests/net/ipsec.c:230:25: note: Null pointer dereference
+ memcpy(RTA_DATA(attr), payload, size);
+ ^
+Signed-off-by: Liu Ye <liuye@kylinos.cn>
+
+Link: https://patch.msgid.link/20250116013037.29470-1-liuye@kylinos.cn
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/net/ipsec.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/net/ipsec.c b/tools/testing/selftests/net/ipsec.c
+index be4a30a0d02ae..9b44a091802cb 100644
+--- a/tools/testing/selftests/net/ipsec.c
++++ b/tools/testing/selftests/net/ipsec.c
+@@ -227,7 +227,8 @@ static int rtattr_pack(struct nlmsghdr *nh, size_t req_sz,
+
+ attr->rta_len = RTA_LENGTH(size);
+ attr->rta_type = rta_type;
+- memcpy(RTA_DATA(attr), payload, size);
++ if (payload)
++ memcpy(RTA_DATA(attr), payload, size);
+
+ return 0;
+ }
+--
+2.39.5
+
ptp-properly-handle-compat-ioctls.patch
s390-add-std-gnu11-to-decompressor-and-purgatory-cflags.patch
pinctrl-stm32-fix-array-read-out-of-bound.patch
+btrfs-fix-use-after-free-when-attempting-to-join-an-.patch
+arm64-mm-ensure-adequate-huge_max_hstate.patch
+exec-fix-up-proc-pid-comm-in-the-execveat-at_empty_p.patch
+btrfs-fix-data-race-when-accessing-the-inode-s-disk_.patch
+btrfs-convert-bug_on-in-btrfs_reloc_cow_block-to-pro.patch
+sched-don-t-try-to-catch-up-excess-steal-time.patch
+lockdep-fix-upper-limit-for-lockdep_-_bits-configs.patch
+x86-amd_nb-restrict-init-function-to-amd-based-syste.patch
+drm-virtio-new-fence-for-every-plane-update.patch
+printk-fix-signed-integer-overflow-when-defining-log.patch
+drm-sti-hdmi-use-eld_mutex-to-protect-access-to-conn.patch
+drm-amd-display-fix-mode-cutoff-in-dsc-passthrough-t.patch
+drm-bridge-it6505-change-definition-max_hdcp_down_st.patch
+drm-bridge-it6505-fix-hdcp-bstatus-check.patch
+drm-bridge-it6505-fix-hdcp-encryption-when-r0-ready.patch
+drm-bridge-it6505-fix-hdcp-cts-compare-v-matching.patch
+safesetid-check-size-of-policy-writes.patch
+tun-fix-group-permission-check.patch
+mmc-core-respect-quirk_max_rate-for-non-uhs-sdio-car.patch
+wifi-brcmsmac-add-gain-range-check-to-wlc_phy_iqcal_.patch
+tomoyo-don-t-emit-warning-in-tomoyo_write_control.patch
+mfd-lpc_ich-add-another-gemini-lake-isa-bridge-pci-d.patch
+hid-wacom-add-pci-wacom-device-support.patch
+net-mlx5-use-do_aux_work-for-phc-overflow-checks.patch
+wifi-brcmfmac-check-the-return-value-of-of_property_.patch
+wifi-iwlwifi-avoid-memory-leak.patch
+i2c-force-elan06fa-touchpad-i2c-bus-freq-to-100khz.patch
+apei-ghes-have-ghes-honor-the-panic-setting.patch
+bluetooth-mgmt-fix-slab-use-after-free-read-in-mgmt_.patch
+net-wwan-iosm-fix-hibernation-by-re-binding-the-driv.patch
+mmc-sdhci-msm-correctly-set-the-load-for-the-regulat.patch
+tipc-re-order-conditions-in-tipc_crypto_key_rcv.patch
+selftests-net-ipsec-fix-null-pointer-dereference-in-.patch
+x86-kexec-allocate-pgd-for-x86_64-transition-page-ta.patch
+iommu-arm-smmu-v3-clean-up-more-on-probe-failure.patch
+platform-x86-int3472-check-for-adev-null.patch
+asoc-soc-pcm-don-t-use-soc_pcm_ret-on-.prepare-callb.patch
+asoc-amd-add-acpi-dependency-to-fix-build-error.patch
+input-allocate-keycode-for-phone-linking.patch
+platform-x86-acer-wmi-ignore-ac-events.patch
+kvm-ppc-e500-mark-struct-page-dirty-in-kvmppc_e500_s.patch
+kvm-ppc-e500-mark-struct-page-pfn-accessed-before-dr.patch
+kvm-ppc-e500-use-__kvm_faultin_pfn-to-handle-page-fa.patch
+kvm-e500-always-restore-irqs.patch
+usb-chipidea-ci_hdrc_imx-convert-to-platform-remove-.patch
+usb-chipidea-ci_hdrc_imx-decrement-device-s-refcount.patch
+net-ncsi-add-nc-si-1.2-get-mc-mac-address-command.patch
+net-ncsi-fix-locking-in-get-mac-address-handling.patch
+gpio-xilinx-convert-to-immutable-irq_chip.patch
+gpio-xilinx-convert-gpio_lock-to-raw-spinlock.patch
+xfs-report-realtime-block-quota-limits-on-realtime-d.patch
+xfs-don-t-over-report-free-space-or-inodes-in-statvf.patch
--- /dev/null
+From 6f0546dfa7efc7a9733de8345bc0d124fc643248 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 17 Jan 2025 12:36:14 +0300
+Subject: tipc: re-order conditions in tipc_crypto_key_rcv()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 5fe71fda89745fc3cd95f70d06e9162b595c3702 ]
+
+On a 32bit system the "keylen + sizeof(struct tipc_aead_key)" math could
+have an integer wrapping issue. It doesn't matter because the "keylen"
+is checked on the next line, but just to make life easier for static
+analysis tools, let's re-order these conditions and avoid the integer
+overflow.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/tipc/crypto.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/tipc/crypto.c b/net/tipc/crypto.c
+index 65f59739a041a..25c18f8783ce9 100644
+--- a/net/tipc/crypto.c
++++ b/net/tipc/crypto.c
+@@ -2293,8 +2293,8 @@ static bool tipc_crypto_key_rcv(struct tipc_crypto *rx, struct tipc_msg *hdr)
+ keylen = ntohl(*((__be32 *)(data + TIPC_AEAD_ALG_NAME)));
+
+ /* Verify the supplied size values */
+- if (unlikely(size != keylen + sizeof(struct tipc_aead_key) ||
+- keylen > TIPC_AEAD_KEY_SIZE_MAX)) {
++ if (unlikely(keylen > TIPC_AEAD_KEY_SIZE_MAX ||
++ size != keylen + sizeof(struct tipc_aead_key))) {
+ pr_debug("%s: invalid MSG_CRYPTO key size\n", rx->name);
+ goto exit;
+ }
+--
+2.39.5
+
--- /dev/null
+From 76ebe8a08e5cc8e33d74f50ecde89009655fd1d7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Dec 2024 19:38:40 +0900
+Subject: tomoyo: don't emit warning in tomoyo_write_control()
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+[ Upstream commit 3df7546fc03b8f004eee0b9e3256369f7d096685 ]
+
+syzbot is reporting too large allocation warning at tomoyo_write_control(),
+for one can write a very very long line without new line character. To fix
+this warning, I use __GFP_NOWARN rather than checking for KMALLOC_MAX_SIZE,
+for practically a valid line should be always shorter than 32KB where the
+"too small to fail" memory-allocation rule applies.
+
+One might try to write a valid line that is longer than 32KB, but such
+request will likely fail with -ENOMEM. Therefore, I feel that separately
+returning -EINVAL when a line is longer than KMALLOC_MAX_SIZE is redundant.
+There is no need to distinguish over-32KB and over-KMALLOC_MAX_SIZE.
+
+Reported-by: syzbot+7536f77535e5210a5c76@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=7536f77535e5210a5c76
+Reported-by: Leo Stone <leocstone@gmail.com>
+Closes: https://lkml.kernel.org/r/20241216021459.178759-2-leocstone@gmail.com
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/tomoyo/common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
+index a7af085550b2d..5f1cdd0af115d 100644
+--- a/security/tomoyo/common.c
++++ b/security/tomoyo/common.c
+@@ -2664,7 +2664,7 @@ ssize_t tomoyo_write_control(struct tomoyo_io_buffer *head,
+
+ if (head->w.avail >= head->writebuf_size - 1) {
+ const int len = head->writebuf_size * 2;
+- char *cp = kzalloc(len, GFP_NOFS);
++ char *cp = kzalloc(len, GFP_NOFS | __GFP_NOWARN);
+
+ if (!cp) {
+ error = -ENOMEM;
+--
+2.39.5
+
--- /dev/null
+From f45ed231d169fe68a8abc156eb68b000ebc8367e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Dec 2024 10:36:14 +0300
+Subject: tun: fix group permission check
+
+From: Stas Sergeev <stsp2@yandex.ru>
+
+[ Upstream commit 3ca459eaba1bf96a8c7878de84fa8872259a01e3 ]
+
+Currently tun checks the group permission even if the user have matched.
+Besides going against the usual permission semantic, this has a
+very interesting implication: if the tun group is not among the
+supplementary groups of the tun user, then effectively no one can
+access the tun device. CAP_SYS_ADMIN still can, but its the same as
+not setting the tun ownership.
+
+This patch relaxes the group checking so that either the user match
+or the group match is enough. This avoids the situation when no one
+can access the device even though the ownership is properly set.
+
+Also I simplified the logic by removing the redundant inversions:
+tun_not_capable() --> !tun_capable()
+
+Signed-off-by: Stas Sergeev <stsp2@yandex.ru>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Link: https://patch.msgid.link/20241205073614.294773-1-stsp2@yandex.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/tun.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/tun.c b/drivers/net/tun.c
+index ea98d93138c12..a6c9f9062dbd4 100644
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -574,14 +574,18 @@ static u16 tun_select_queue(struct net_device *dev, struct sk_buff *skb,
+ return ret;
+ }
+
+-static inline bool tun_not_capable(struct tun_struct *tun)
++static inline bool tun_capable(struct tun_struct *tun)
+ {
+ const struct cred *cred = current_cred();
+ struct net *net = dev_net(tun->dev);
+
+- return ((uid_valid(tun->owner) && !uid_eq(cred->euid, tun->owner)) ||
+- (gid_valid(tun->group) && !in_egroup_p(tun->group))) &&
+- !ns_capable(net->user_ns, CAP_NET_ADMIN);
++ if (ns_capable(net->user_ns, CAP_NET_ADMIN))
++ return 1;
++ if (uid_valid(tun->owner) && uid_eq(cred->euid, tun->owner))
++ return 1;
++ if (gid_valid(tun->group) && in_egroup_p(tun->group))
++ return 1;
++ return 0;
+ }
+
+ static void tun_set_real_num_queues(struct tun_struct *tun)
+@@ -2767,7 +2771,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
+ !!(tun->flags & IFF_MULTI_QUEUE))
+ return -EINVAL;
+
+- if (tun_not_capable(tun))
++ if (!tun_capable(tun))
+ return -EPERM;
+ err = security_tun_dev_open(tun->security);
+ if (err < 0)
+--
+2.39.5
+
--- /dev/null
+From 2246205c9f31d0e737165325dc75526adbd60e6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 18 May 2023 01:01:07 +0200
+Subject: usb: chipidea/ci_hdrc_imx: Convert to platform remove callback
+ returning void
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit ad593ed671feb49e93a77653886c042f68b6cdfd ]
+
+The .remove() callback for a platform driver returns an int which makes
+many driver authors wrongly assume it's possible to do error handling by
+returning an error code. However the value returned is ignored (apart from
+emitting a warning) and this typically results in resource leaks. To improve
+here there is a quest to make the remove callback return void. In the first
+step of this quest all drivers are converted to .remove_new() which already
+returns void. Eventually after all drivers are converted, .remove_new() is
+renamed to .remove().
+
+Trivially convert this driver from always returning zero in the remove
+callback to the void returning variant.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Link: https://lore.kernel.org/r/20230517230239.187727-6-u.kleine-koenig@pengutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 74adad500346 ("usb: chipidea: ci_hdrc_imx: decrement device's refcount in .remove() and in the error path of .probe()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/chipidea/ci_hdrc_imx.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/usb/chipidea/ci_hdrc_imx.c b/drivers/usb/chipidea/ci_hdrc_imx.c
+index 984087bbf3e2b..362dcb2374bb7 100644
+--- a/drivers/usb/chipidea/ci_hdrc_imx.c
++++ b/drivers/usb/chipidea/ci_hdrc_imx.c
+@@ -507,7 +507,7 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev)
+ return ret;
+ }
+
+-static int ci_hdrc_imx_remove(struct platform_device *pdev)
++static void ci_hdrc_imx_remove(struct platform_device *pdev)
+ {
+ struct ci_hdrc_imx_data *data = platform_get_drvdata(pdev);
+
+@@ -527,8 +527,6 @@ static int ci_hdrc_imx_remove(struct platform_device *pdev)
+ if (data->hsic_pad_regulator)
+ regulator_disable(data->hsic_pad_regulator);
+ }
+-
+- return 0;
+ }
+
+ static void ci_hdrc_imx_shutdown(struct platform_device *pdev)
+@@ -674,7 +672,7 @@ static const struct dev_pm_ops ci_hdrc_imx_pm_ops = {
+ };
+ static struct platform_driver ci_hdrc_imx_driver = {
+ .probe = ci_hdrc_imx_probe,
+- .remove = ci_hdrc_imx_remove,
++ .remove_new = ci_hdrc_imx_remove,
+ .shutdown = ci_hdrc_imx_shutdown,
+ .driver = {
+ .name = "imx_usb",
+--
+2.39.5
+
--- /dev/null
+From 140aa7e1e44ba4ea0e10abdfce327f8e85292976 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Dec 2024 10:55:39 +0900
+Subject: usb: chipidea: ci_hdrc_imx: decrement device's refcount in .remove()
+ and in the error path of .probe()
+
+From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+
+[ Upstream commit 74adad500346fb07d69af2c79acbff4adb061134 ]
+
+Current implementation of ci_hdrc_imx_driver does not decrement the
+refcount of the device obtained in usbmisc_get_init_data(). Add a
+put_device() call in .remove() and in .probe() before returning an
+error.
+
+This bug was found by an experimental static analysis tool that I am
+developing.
+
+Cc: stable <stable@kernel.org>
+Fixes: f40017e0f332 ("chipidea: usbmisc_imx: Add USB support for VF610 SoCs")
+Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+Acked-by: Peter Chen <peter.chen@kernel.org>
+Link: https://lore.kernel.org/r/20241216015539.352579-1-joe@pf.is.s.u-tokyo.ac.jp
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/chipidea/ci_hdrc_imx.c | 25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/usb/chipidea/ci_hdrc_imx.c b/drivers/usb/chipidea/ci_hdrc_imx.c
+index 362dcb2374bb7..07872440a8d96 100644
+--- a/drivers/usb/chipidea/ci_hdrc_imx.c
++++ b/drivers/usb/chipidea/ci_hdrc_imx.c
+@@ -357,25 +357,29 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev)
+ data->pinctrl = devm_pinctrl_get(dev);
+ if (PTR_ERR(data->pinctrl) == -ENODEV)
+ data->pinctrl = NULL;
+- else if (IS_ERR(data->pinctrl))
+- return dev_err_probe(dev, PTR_ERR(data->pinctrl),
++ else if (IS_ERR(data->pinctrl)) {
++ ret = dev_err_probe(dev, PTR_ERR(data->pinctrl),
+ "pinctrl get failed\n");
++ goto err_put;
++ }
+
+ data->hsic_pad_regulator =
+ devm_regulator_get_optional(dev, "hsic");
+ if (PTR_ERR(data->hsic_pad_regulator) == -ENODEV) {
+ /* no pad regualator is needed */
+ data->hsic_pad_regulator = NULL;
+- } else if (IS_ERR(data->hsic_pad_regulator))
+- return dev_err_probe(dev, PTR_ERR(data->hsic_pad_regulator),
++ } else if (IS_ERR(data->hsic_pad_regulator)) {
++ ret = dev_err_probe(dev, PTR_ERR(data->hsic_pad_regulator),
+ "Get HSIC pad regulator error\n");
++ goto err_put;
++ }
+
+ if (data->hsic_pad_regulator) {
+ ret = regulator_enable(data->hsic_pad_regulator);
+ if (ret) {
+ dev_err(dev,
+ "Failed to enable HSIC pad regulator\n");
+- return ret;
++ goto err_put;
+ }
+ }
+ }
+@@ -389,13 +393,14 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev)
+ dev_err(dev,
+ "pinctrl_hsic_idle lookup failed, err=%ld\n",
+ PTR_ERR(pinctrl_hsic_idle));
+- return PTR_ERR(pinctrl_hsic_idle);
++ ret = PTR_ERR(pinctrl_hsic_idle);
++ goto err_put;
+ }
+
+ ret = pinctrl_select_state(data->pinctrl, pinctrl_hsic_idle);
+ if (ret) {
+ dev_err(dev, "hsic_idle select failed, err=%d\n", ret);
+- return ret;
++ goto err_put;
+ }
+
+ data->pinctrl_hsic_active = pinctrl_lookup_state(data->pinctrl,
+@@ -404,7 +409,8 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev)
+ dev_err(dev,
+ "pinctrl_hsic_active lookup failed, err=%ld\n",
+ PTR_ERR(data->pinctrl_hsic_active));
+- return PTR_ERR(data->pinctrl_hsic_active);
++ ret = PTR_ERR(data->pinctrl_hsic_active);
++ goto err_put;
+ }
+ }
+
+@@ -504,6 +510,8 @@ static int ci_hdrc_imx_probe(struct platform_device *pdev)
+ if (pdata.flags & CI_HDRC_PMQOS)
+ cpu_latency_qos_remove_request(&data->pm_qos_req);
+ data->ci_pdev = NULL;
++err_put:
++ put_device(data->usbmisc_data->dev);
+ return ret;
+ }
+
+@@ -527,6 +535,7 @@ static void ci_hdrc_imx_remove(struct platform_device *pdev)
+ if (data->hsic_pad_regulator)
+ regulator_disable(data->hsic_pad_regulator);
+ }
++ put_device(data->usbmisc_data->dev);
+ }
+
+ static void ci_hdrc_imx_shutdown(struct platform_device *pdev)
+--
+2.39.5
+
--- /dev/null
+From 9f83516b8c23e778a08c946e7c7d5419d1a9d373 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Jan 2025 20:09:58 +0300
+Subject: wifi: brcmfmac: Check the return value of
+ of_property_read_string_index()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Stefan Dösinger <stefan@codeweavers.com>
+
+[ Upstream commit 082d9e263af8de68f0c34f67b251818205160f6e ]
+
+Somewhen between 6.10 and 6.11 the driver started to crash on my
+MacBookPro14,3. The property doesn't exist and 'tmp' remains
+uninitialized, so we pass a random pointer to devm_kstrdup().
+
+The crash I am getting looks like this:
+
+BUG: unable to handle page fault for address: 00007f033c669379
+PF: supervisor read access in kernel mode
+PF: error_code(0x0001) - permissions violation
+PGD 8000000101341067 P4D 8000000101341067 PUD 101340067 PMD 1013bb067 PTE 800000010aee9025
+Oops: Oops: 0001 [#1] SMP PTI
+CPU: 4 UID: 0 PID: 827 Comm: (udev-worker) Not tainted 6.11.8-gentoo #1
+Hardware name: Apple Inc. MacBookPro14,3/Mac-551B86E5744E2388, BIOS 529.140.2.0.0 06/23/2024
+RIP: 0010:strlen+0x4/0x30
+Code: f7 75 ec 31 c0 c3 cc cc cc cc 48 89 f8 c3 cc cc cc cc 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <80> 3f 00 74 14 48 89 f8 48 83 c0 01 80 38 00 75 f7 48 29 f8 c3 cc
+RSP: 0018:ffffb4aac0683ad8 EFLAGS: 00010202
+RAX: 00000000ffffffea RBX: 00007f033c669379 RCX: 0000000000000001
+RDX: 0000000000000cc0 RSI: 00007f033c669379 RDI: 00007f033c669379
+RBP: 00000000ffffffea R08: 0000000000000000 R09: 00000000c0ba916a
+R10: ffffffffffffffff R11: ffffffffb61ea260 R12: ffff91f7815b50c8
+R13: 0000000000000cc0 R14: ffff91fafefffe30 R15: ffffb4aac0683b30
+FS: 00007f033ccbe8c0(0000) GS:ffff91faeed00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f033c669379 CR3: 0000000107b1e004 CR4: 00000000003706f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ ? __die+0x23/0x70
+ ? page_fault_oops+0x149/0x4c0
+ ? raw_spin_rq_lock_nested+0xe/0x20
+ ? sched_balance_newidle+0x22b/0x3c0
+ ? update_load_avg+0x78/0x770
+ ? exc_page_fault+0x6f/0x150
+ ? asm_exc_page_fault+0x26/0x30
+ ? __pfx_pci_conf1_write+0x10/0x10
+ ? strlen+0x4/0x30
+ devm_kstrdup+0x25/0x70
+ brcmf_of_probe+0x273/0x350 [brcmfmac]
+
+Signed-off-by: Stefan Dösinger <stefan@codeweavers.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://patch.msgid.link/20250106170958.3595-1-stefan@codeweavers.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
+index 0eb852896322b..f117c90c53f59 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
+@@ -89,13 +89,13 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type,
+ /* Set board-type to the first string of the machine compatible prop */
+ root = of_find_node_by_path("/");
+ if (root && err) {
+- char *board_type;
++ char *board_type = NULL;
+ const char *tmp;
+
+- of_property_read_string_index(root, "compatible", 0, &tmp);
+-
+ /* get rid of '/' in the compatible string to be able to find the FW */
+- board_type = devm_kstrdup(dev, tmp, GFP_KERNEL);
++ if (!of_property_read_string_index(root, "compatible", 0, &tmp))
++ board_type = devm_kstrdup(dev, tmp, GFP_KERNEL);
++
+ if (!board_type) {
+ of_node_put(root);
+ return;
+--
+2.39.5
+
--- /dev/null
+From 32492beec303edcce910ce8a73e1b28ebead8a2a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2024 10:04:41 +0300
+Subject: wifi: brcmsmac: add gain range check to
+ wlc_phy_iqcal_gainparams_nphy()
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 3f4a0948c3524ae50f166dbc6572a3296b014e62 ]
+
+In 'wlc_phy_iqcal_gainparams_nphy()', add gain range check to WARN()
+instead of possible out-of-bounds 'tbl_iqcal_gainparams_nphy' access.
+Compile tested only.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://patch.msgid.link/20241210070441.836362-1-dmantipov@yandex.ru
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c
+index 8580a27547891..42e7bc67e9143 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c
+@@ -23427,6 +23427,9 @@ wlc_phy_iqcal_gainparams_nphy(struct brcms_phy *pi, u16 core_no,
+ break;
+ }
+
++ if (WARN_ON(k == NPHY_IQCAL_NUMGAINS))
++ return;
++
+ params->txgm = tbl_iqcal_gainparams_nphy[band_idx][k][1];
+ params->pga = tbl_iqcal_gainparams_nphy[band_idx][k][2];
+ params->pad = tbl_iqcal_gainparams_nphy[band_idx][k][3];
+--
+2.39.5
+
--- /dev/null
+From 62cd5501b43df182193102b64902128de2145f00 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Dec 2024 22:34:15 +0200
+Subject: wifi: iwlwifi: avoid memory leak
+
+From: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+
+[ Upstream commit 80e96206a3ef348fbd658d98f2f43149c36df8bc ]
+
+A caller of iwl_acpi_get_dsm_object must free the returned object.
+iwl_acpi_get_dsm_integer returns immediately without freeing
+it if the expected size is more than 8 bytes. Fix that.
+
+Note that with the current code this will never happen, since the caller
+of iwl_acpi_get_dsm_integer already checks that the expected size if
+either 1 or 4 bytes, so it can't exceed 8 bytes.
+
+While at it, print the DSM value instead of the return value, as this
+was the intention in the first place.
+
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://patch.msgid.link/20241228223206.bf61eaab99f8.Ibdc5df02f885208c222456d42c889c43b7e3b2f7@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/iwlwifi/fw/acpi.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
+index c96dfd7fd3dc8..84980f6a0d603 100644
+--- a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
++++ b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
+@@ -123,7 +123,7 @@ static int iwl_acpi_get_dsm_integer(struct device *dev, int rev, int func,
+ size_t expected_size)
+ {
+ union acpi_object *obj;
+- int ret = 0;
++ int ret;
+
+ obj = iwl_acpi_get_dsm_object(dev, rev, func, NULL, guid);
+ if (IS_ERR(obj)) {
+@@ -138,8 +138,10 @@ static int iwl_acpi_get_dsm_integer(struct device *dev, int rev, int func,
+ } else if (obj->type == ACPI_TYPE_BUFFER) {
+ __le64 le_value = 0;
+
+- if (WARN_ON_ONCE(expected_size > sizeof(le_value)))
+- return -EINVAL;
++ if (WARN_ON_ONCE(expected_size > sizeof(le_value))) {
++ ret = -EINVAL;
++ goto out;
++ }
+
+ /* if the buffer size doesn't match the expected size */
+ if (obj->buffer.length != expected_size)
+@@ -160,8 +162,9 @@ static int iwl_acpi_get_dsm_integer(struct device *dev, int rev, int func,
+ }
+
+ IWL_DEBUG_DEV_RADIO(dev,
+- "ACPI: DSM method evaluated: func=%d, ret=%d\n",
+- func, ret);
++ "ACPI: DSM method evaluated: func=%d, value=%lld\n",
++ func, *value);
++ ret = 0;
+ out:
+ ACPI_FREE(obj);
+ return ret;
+--
+2.39.5
+
--- /dev/null
+From 7481980dc95632ba0e73377bb15c31991eac6d8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2024 16:11:55 +0000
+Subject: x86/amd_nb: Restrict init function to AMD-based systems
+
+From: Yazen Ghannam <yazen.ghannam@amd.com>
+
+[ Upstream commit bee9e840609cc67d0a7d82f22a2130fb7a0a766d ]
+
+The code implicitly operates on AMD-based systems by matching on PCI
+IDs. However, the use of these IDs is going away.
+
+Add an explicit CPU vendor check instead of relying on PCI IDs.
+
+Signed-off-by: Yazen Ghannam <yazen.ghannam@amd.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Link: https://lore.kernel.org/r/20241206161210.163701-3-yazen.ghannam@amd.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/amd_nb.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/x86/kernel/amd_nb.c b/arch/x86/kernel/amd_nb.c
+index e8cc042e4905c..8992a6bce9f00 100644
+--- a/arch/x86/kernel/amd_nb.c
++++ b/arch/x86/kernel/amd_nb.c
+@@ -519,6 +519,10 @@ static __init void fix_erratum_688(void)
+
+ static __init int init_amd_nbs(void)
+ {
++ if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD &&
++ boot_cpu_data.x86_vendor != X86_VENDOR_HYGON)
++ return 0;
++
+ amd_cache_northbridges();
+ amd_cache_gart();
+
+--
+2.39.5
+
--- /dev/null
+From 47178b77f2d4b81d9587ad1062a462ed0c59a58c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Dec 2024 15:05:11 +0000
+Subject: x86/kexec: Allocate PGD for x86_64 transition page tables separately
+
+From: David Woodhouse <dwmw@amazon.co.uk>
+
+[ Upstream commit 4b5bc2ec9a239bce261ffeafdd63571134102323 ]
+
+Now that the following fix:
+
+ d0ceea662d45 ("x86/mm: Add _PAGE_NOPTISHADOW bit to avoid updating userspace page tables")
+
+stops kernel_ident_mapping_init() from scribbling over the end of a
+4KiB PGD by assuming the following 4KiB will be a userspace PGD,
+there's no good reason for the kexec PGD to be part of a single
+8KiB allocation with the control_code_page.
+
+( It's not clear that that was the reason for x86_64 kexec doing it that
+ way in the first place either; there were no comments to that effect and
+ it seems to have been the case even before PTI came along. It looks like
+ it was just a happy accident which prevented memory corruption on kexec. )
+
+Either way, it definitely isn't needed now. Just allocate the PGD
+separately on x86_64, like i386 already does.
+
+Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Baoquan He <bhe@redhat.com>
+Cc: Vivek Goyal <vgoyal@redhat.com>
+Cc: Dave Young <dyoung@redhat.com>
+Cc: Eric Biederman <ebiederm@xmission.com>
+Cc: Ard Biesheuvel <ardb@kernel.org>
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Link: https://lore.kernel.org/r/20241205153343.3275139-6-dwmw2@infradead.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/kexec.h | 18 +++++++++---
+ arch/x86/kernel/machine_kexec_64.c | 45 ++++++++++++++++--------------
+ 2 files changed, 38 insertions(+), 25 deletions(-)
+
+diff --git a/arch/x86/include/asm/kexec.h b/arch/x86/include/asm/kexec.h
+index 256eee99afc8f..e2e1ec99c9998 100644
+--- a/arch/x86/include/asm/kexec.h
++++ b/arch/x86/include/asm/kexec.h
+@@ -16,6 +16,7 @@
+ # define PAGES_NR 4
+ #endif
+
++# define KEXEC_CONTROL_PAGE_SIZE 4096
+ # define KEXEC_CONTROL_CODE_MAX_SIZE 2048
+
+ #ifndef __ASSEMBLY__
+@@ -44,7 +45,6 @@ struct kimage;
+ /* Maximum address we can use for the control code buffer */
+ # define KEXEC_CONTROL_MEMORY_LIMIT TASK_SIZE
+
+-# define KEXEC_CONTROL_PAGE_SIZE 4096
+
+ /* The native architecture */
+ # define KEXEC_ARCH KEXEC_ARCH_386
+@@ -59,9 +59,6 @@ struct kimage;
+ /* Maximum address we can use for the control pages */
+ # define KEXEC_CONTROL_MEMORY_LIMIT (MAXMEM-1)
+
+-/* Allocate one page for the pdp and the second for the code */
+-# define KEXEC_CONTROL_PAGE_SIZE (4096UL + 4096UL)
+-
+ /* The native architecture */
+ # define KEXEC_ARCH KEXEC_ARCH_X86_64
+ #endif
+@@ -146,6 +143,19 @@ struct kimage_arch {
+ };
+ #else
+ struct kimage_arch {
++ /*
++ * This is a kimage control page, as it must not overlap with either
++ * source or destination address ranges.
++ */
++ pgd_t *pgd;
++ /*
++ * The virtual mapping of the control code page itself is used only
++ * during the transition, while the current kernel's pages are all
++ * in place. Thus the intermediate page table pages used to map it
++ * are not control pages, but instead just normal pages obtained
++ * with get_zeroed_page(). And have to be tracked (below) so that
++ * they can be freed.
++ */
+ p4d_t *p4d;
+ pud_t *pud;
+ pmd_t *pmd;
+diff --git a/arch/x86/kernel/machine_kexec_64.c b/arch/x86/kernel/machine_kexec_64.c
+index 24b6eaacc81eb..5d61a342871b5 100644
+--- a/arch/x86/kernel/machine_kexec_64.c
++++ b/arch/x86/kernel/machine_kexec_64.c
+@@ -149,7 +149,8 @@ static void free_transition_pgtable(struct kimage *image)
+ image->arch.pte = NULL;
+ }
+
+-static int init_transition_pgtable(struct kimage *image, pgd_t *pgd)
++static int init_transition_pgtable(struct kimage *image, pgd_t *pgd,
++ unsigned long control_page)
+ {
+ pgprot_t prot = PAGE_KERNEL_EXEC_NOENC;
+ unsigned long vaddr, paddr;
+@@ -160,7 +161,7 @@ static int init_transition_pgtable(struct kimage *image, pgd_t *pgd)
+ pte_t *pte;
+
+ vaddr = (unsigned long)relocate_kernel;
+- paddr = __pa(page_address(image->control_code_page)+PAGE_SIZE);
++ paddr = control_page;
+ pgd += pgd_index(vaddr);
+ if (!pgd_present(*pgd)) {
+ p4d = (p4d_t *)get_zeroed_page(GFP_KERNEL);
+@@ -219,7 +220,7 @@ static void *alloc_pgt_page(void *data)
+ return p;
+ }
+
+-static int init_pgtable(struct kimage *image, unsigned long start_pgtable)
++static int init_pgtable(struct kimage *image, unsigned long control_page)
+ {
+ struct x86_mapping_info info = {
+ .alloc_pgt_page = alloc_pgt_page,
+@@ -228,12 +229,12 @@ static int init_pgtable(struct kimage *image, unsigned long start_pgtable)
+ .kernpg_flag = _KERNPG_TABLE_NOENC,
+ };
+ unsigned long mstart, mend;
+- pgd_t *level4p;
+ int result;
+ int i;
+
+- level4p = (pgd_t *)__va(start_pgtable);
+- clear_page(level4p);
++ image->arch.pgd = alloc_pgt_page(image);
++ if (!image->arch.pgd)
++ return -ENOMEM;
+
+ if (cc_platform_has(CC_ATTR_GUEST_MEM_ENCRYPT)) {
+ info.page_flag |= _PAGE_ENC;
+@@ -247,8 +248,8 @@ static int init_pgtable(struct kimage *image, unsigned long start_pgtable)
+ mstart = pfn_mapped[i].start << PAGE_SHIFT;
+ mend = pfn_mapped[i].end << PAGE_SHIFT;
+
+- result = kernel_ident_mapping_init(&info,
+- level4p, mstart, mend);
++ result = kernel_ident_mapping_init(&info, image->arch.pgd,
++ mstart, mend);
+ if (result)
+ return result;
+ }
+@@ -263,8 +264,8 @@ static int init_pgtable(struct kimage *image, unsigned long start_pgtable)
+ mstart = image->segment[i].mem;
+ mend = mstart + image->segment[i].memsz;
+
+- result = kernel_ident_mapping_init(&info,
+- level4p, mstart, mend);
++ result = kernel_ident_mapping_init(&info, image->arch.pgd,
++ mstart, mend);
+
+ if (result)
+ return result;
+@@ -274,15 +275,19 @@ static int init_pgtable(struct kimage *image, unsigned long start_pgtable)
+ * Prepare EFI systab and ACPI tables for kexec kernel since they are
+ * not covered by pfn_mapped.
+ */
+- result = map_efi_systab(&info, level4p);
++ result = map_efi_systab(&info, image->arch.pgd);
+ if (result)
+ return result;
+
+- result = map_acpi_tables(&info, level4p);
++ result = map_acpi_tables(&info, image->arch.pgd);
+ if (result)
+ return result;
+
+- return init_transition_pgtable(image, level4p);
++ /*
++ * This must be last because the intermediate page table pages it
++ * allocates will not be control pages and may overlap the image.
++ */
++ return init_transition_pgtable(image, image->arch.pgd, control_page);
+ }
+
+ static void load_segments(void)
+@@ -299,14 +304,14 @@ static void load_segments(void)
+
+ int machine_kexec_prepare(struct kimage *image)
+ {
+- unsigned long start_pgtable;
++ unsigned long control_page;
+ int result;
+
+ /* Calculate the offsets */
+- start_pgtable = page_to_pfn(image->control_code_page) << PAGE_SHIFT;
++ control_page = page_to_pfn(image->control_code_page) << PAGE_SHIFT;
+
+ /* Setup the identity mapped 64bit page table */
+- result = init_pgtable(image, start_pgtable);
++ result = init_pgtable(image, control_page);
+ if (result)
+ return result;
+
+@@ -353,13 +358,12 @@ void machine_kexec(struct kimage *image)
+ #endif
+ }
+
+- control_page = page_address(image->control_code_page) + PAGE_SIZE;
++ control_page = page_address(image->control_code_page);
+ __memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
+
+ page_list[PA_CONTROL_PAGE] = virt_to_phys(control_page);
+ page_list[VA_CONTROL_PAGE] = (unsigned long)control_page;
+- page_list[PA_TABLE_PAGE] =
+- (unsigned long)__pa(page_address(image->control_code_page));
++ page_list[PA_TABLE_PAGE] = (unsigned long)__pa(image->arch.pgd);
+
+ if (image->type == KEXEC_TYPE_DEFAULT)
+ page_list[PA_SWAP_PAGE] = (page_to_pfn(image->swap_page)
+@@ -578,8 +582,7 @@ static void kexec_mark_crashkres(bool protect)
+
+ /* Don't touch the control code page used in crash_kexec().*/
+ control = PFN_PHYS(page_to_pfn(kexec_crash_image->control_code_page));
+- /* Control code page is located in the 2nd page. */
+- kexec_mark_range(crashk_res.start, control + PAGE_SIZE - 1, protect);
++ kexec_mark_range(crashk_res.start, control - 1, protect);
+ control += KEXEC_CONTROL_PAGE_SIZE;
+ kexec_mark_range(control, crashk_res.end, protect);
+ }
+--
+2.39.5
+
--- /dev/null
+From 36df30bbeb61135743a10e45d4a03c3c10877c88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Dec 2024 14:37:56 -0800
+Subject: xfs: don't over-report free space or inodes in statvfs
+
+From: Darrick J. Wong <djwong@kernel.org>
+
+[ Upstream commit 4b8d867ca6e2fc6d152f629fdaf027053b81765a ]
+
+Emmanual Florac reports a strange occurrence when project quota limits
+are enabled, free space is lower than the remaining quota, and someone
+runs statvfs:
+
+ # mkfs.xfs -f /dev/sda
+ # mount /dev/sda /mnt -o prjquota
+ # xfs_quota -x -c 'limit -p bhard=2G 55' /mnt
+ # mkdir /mnt/dir
+ # xfs_io -c 'chproj 55' -c 'chattr +P' -c 'stat -vvvv' /mnt/dir
+ # fallocate -l 19g /mnt/a
+ # df /mnt /mnt/dir
+ Filesystem Size Used Avail Use% Mounted on
+ /dev/sda 20G 20G 345M 99% /mnt
+ /dev/sda 2.0G 0 2.0G 0% /mnt
+
+I think the bug here is that xfs_fill_statvfs_from_dquot unconditionally
+assigns to f_bfree without checking that the filesystem has enough free
+space to fill the remaining project quota. However, this is a
+longstanding behavior of xfs so it's unclear what to do here.
+
+Cc: <stable@vger.kernel.org> # v2.6.18
+Fixes: 932f2c323196c2 ("[XFS] statvfs component of directory/project quota support, code originally by Glen.")
+Reported-by: Emmanuel Florac <eflorac@intellique.com>
+Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/xfs_qm_bhv.c | 27 +++++++++++++++++----------
+ 1 file changed, 17 insertions(+), 10 deletions(-)
+
+diff --git a/fs/xfs/xfs_qm_bhv.c b/fs/xfs/xfs_qm_bhv.c
+index 268a07218c777..26b2c449f3c66 100644
+--- a/fs/xfs/xfs_qm_bhv.c
++++ b/fs/xfs/xfs_qm_bhv.c
+@@ -32,21 +32,28 @@ xfs_fill_statvfs_from_dquot(
+ limit = blkres->softlimit ?
+ blkres->softlimit :
+ blkres->hardlimit;
+- if (limit && statp->f_blocks > limit) {
+- statp->f_blocks = limit;
+- statp->f_bfree = statp->f_bavail =
+- (statp->f_blocks > blkres->reserved) ?
+- (statp->f_blocks - blkres->reserved) : 0;
++ if (limit) {
++ uint64_t remaining = 0;
++
++ if (limit > blkres->reserved)
++ remaining = limit - blkres->reserved;
++
++ statp->f_blocks = min(statp->f_blocks, limit);
++ statp->f_bfree = min(statp->f_bfree, remaining);
++ statp->f_bavail = min(statp->f_bavail, remaining);
+ }
+
+ limit = dqp->q_ino.softlimit ?
+ dqp->q_ino.softlimit :
+ dqp->q_ino.hardlimit;
+- if (limit && statp->f_files > limit) {
+- statp->f_files = limit;
+- statp->f_ffree =
+- (statp->f_files > dqp->q_ino.reserved) ?
+- (statp->f_files - dqp->q_ino.reserved) : 0;
++ if (limit) {
++ uint64_t remaining = 0;
++
++ if (limit > dqp->q_ino.reserved)
++ remaining = limit - dqp->q_ino.reserved;
++
++ statp->f_files = min(statp->f_files, limit);
++ statp->f_ffree = min(statp->f_ffree, remaining);
+ }
+ }
+
+--
+2.39.5
+
--- /dev/null
+From b294dee299f2f6d40554e94abf934b2342bdbb13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 3 Nov 2024 20:19:40 -0800
+Subject: xfs: report realtime block quota limits on realtime directories
+
+From: Darrick J. Wong <djwong@kernel.org>
+
+[ Upstream commit 9a17ebfea9d0c7e0bb7409dcf655bf982a5d6e52 ]
+
+On the data device, calling statvfs on a projinherit directory results
+in the block and avail counts being curtailed to the project quota block
+limits, if any are set. Do the same for realtime files or directories,
+only use the project quota rt block limits.
+
+Signed-off-by: Darrick J. Wong <djwong@kernel.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Stable-dep-of: 4b8d867ca6e2 ("xfs: don't over-report free space or inodes in statvfs")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/xfs/xfs_qm_bhv.c | 18 ++++++++++++------
+ fs/xfs/xfs_super.c | 11 +++++------
+ 2 files changed, 17 insertions(+), 12 deletions(-)
+
+diff --git a/fs/xfs/xfs_qm_bhv.c b/fs/xfs/xfs_qm_bhv.c
+index b77673dd05581..268a07218c777 100644
+--- a/fs/xfs/xfs_qm_bhv.c
++++ b/fs/xfs/xfs_qm_bhv.c
+@@ -19,18 +19,24 @@
+ STATIC void
+ xfs_fill_statvfs_from_dquot(
+ struct kstatfs *statp,
++ struct xfs_inode *ip,
+ struct xfs_dquot *dqp)
+ {
++ struct xfs_dquot_res *blkres = &dqp->q_blk;
+ uint64_t limit;
+
+- limit = dqp->q_blk.softlimit ?
+- dqp->q_blk.softlimit :
+- dqp->q_blk.hardlimit;
++ if (XFS_IS_REALTIME_MOUNT(ip->i_mount) &&
++ (ip->i_diflags & (XFS_DIFLAG_RTINHERIT | XFS_DIFLAG_REALTIME)))
++ blkres = &dqp->q_rtb;
++
++ limit = blkres->softlimit ?
++ blkres->softlimit :
++ blkres->hardlimit;
+ if (limit && statp->f_blocks > limit) {
+ statp->f_blocks = limit;
+ statp->f_bfree = statp->f_bavail =
+- (statp->f_blocks > dqp->q_blk.reserved) ?
+- (statp->f_blocks - dqp->q_blk.reserved) : 0;
++ (statp->f_blocks > blkres->reserved) ?
++ (statp->f_blocks - blkres->reserved) : 0;
+ }
+
+ limit = dqp->q_ino.softlimit ?
+@@ -61,7 +67,7 @@ xfs_qm_statvfs(
+ struct xfs_dquot *dqp;
+
+ if (!xfs_qm_dqget(mp, ip->i_projid, XFS_DQTYPE_PROJ, false, &dqp)) {
+- xfs_fill_statvfs_from_dquot(statp, dqp);
++ xfs_fill_statvfs_from_dquot(statp, ip, dqp);
+ xfs_qm_dqput(dqp);
+ }
+ }
+diff --git a/fs/xfs/xfs_super.c b/fs/xfs/xfs_super.c
+index 1c143c69da6ed..2ef331132fca7 100644
+--- a/fs/xfs/xfs_super.c
++++ b/fs/xfs/xfs_super.c
+@@ -849,12 +849,6 @@ xfs_fs_statfs(
+ ffree = statp->f_files - (icount - ifree);
+ statp->f_ffree = max_t(int64_t, ffree, 0);
+
+-
+- if ((ip->i_diflags & XFS_DIFLAG_PROJINHERIT) &&
+- ((mp->m_qflags & (XFS_PQUOTA_ACCT|XFS_PQUOTA_ENFD))) ==
+- (XFS_PQUOTA_ACCT|XFS_PQUOTA_ENFD))
+- xfs_qm_statvfs(ip, statp);
+-
+ if (XFS_IS_REALTIME_MOUNT(mp) &&
+ (ip->i_diflags & (XFS_DIFLAG_RTINHERIT | XFS_DIFLAG_REALTIME))) {
+ s64 freertx;
+@@ -864,6 +858,11 @@ xfs_fs_statfs(
+ statp->f_bavail = statp->f_bfree = freertx * sbp->sb_rextsize;
+ }
+
++ if ((ip->i_diflags & XFS_DIFLAG_PROJINHERIT) &&
++ ((mp->m_qflags & (XFS_PQUOTA_ACCT|XFS_PQUOTA_ENFD))) ==
++ (XFS_PQUOTA_ACCT|XFS_PQUOTA_ENFD))
++ xfs_qm_statvfs(ip, statp);
++
+ return 0;
+ }
+
+--
+2.39.5
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
