6.6-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 11 Feb 2025 10:04:09 +0000 (11:04 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 11 Feb 2025 10:04:09 +0000 (11:04 +0100)
added patches:
ata-libata-sff-ensure-that-we-cannot-write-outside-the-allocated-buffer.patch
crypto-qce-fix-goto-jump-in-error-path.patch
crypto-qce-unregister-previously-registered-algos-in-error-path.patch
i3c-master-fix-missing-ret-assignment-in-set_speed.patch
io_uring-fix-multishots-with-selected-buffers.patch
io_uring-net-don-t-retry-connect-operation-on-epollerr.patch
irqchip-apple-aic-only-handle-pmc-interrupt-as-fiq-when-configured-so.patch
mailbox-tegra-hsp-clear-mailbox-before-using-message.patch
maple_tree-simplify-split-calculation.patch
misc-fastrpc-deregister-device-nodes-properly-in-error-scenarios.patch
misc-fastrpc-fix-copy-buffer-page-size.patch
misc-fastrpc-fix-registered-buffer-page-address.patch
misc-misc_minor_alloc-to-use-ida-for-all-dynamic-misc-dynamic-minors.patch
mtd-onenand-fix-uninitialized-retlen-in-do_otp_read.patch
net-ncsi-wait-for-the-last-response-to-deselect-package-before-configuring-channel.patch
net-phy-c45-tjaxx-add-delay-between-mdio-write-and-read-in-soft_reset.patch
nfc-nci-add-bounds-checking-in-nci_hci_create_pipe.patch
nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch
nvmem-core-improve-range-check-for-nvmem_cell_write.patch
nvmem-imx-ocotp-ele-fix-reading-from-non-zero-offset.patch
nvmem-imx-ocotp-ele-set-word-length-to-1.patch
nvmem-imx-ocotp-ele-simplify-read-beyond-device-check.patch
nvmem-qcom-spmi-sdam-set-size-in-struct-nvmem_config.patch
ocfs2-fix-incorrect-cpu-endianness-conversion-causing-mount-failure.patch
ocfs2-handle-a-symlink-read-error-correctly.patch
pinctrl-samsung-fix-fwnode-refcount-cleanup-if-platform_get_irq_optional-fails.patch
pnfs-flexfiles-retry-getting-layout-segment-for-reads.patch
ptp-ensure-info-enable-callback-is-always-set.patch
rtc-zynqmp-fix-optional-clock-name-property.patch
rtla-add-trace_instance_stop.patch
rtla-osnoise-distinguish-missing-workload-option.patch
rtla-timerlat_hist-set-osnoise_workload-for-kernel-threads.patch
rtla-timerlat_hist-stop-timerlat-tracer-on-signal.patch
rtla-timerlat_top-set-osnoise_workload-for-kernel-threads.patch
rtla-timerlat_top-stop-timerlat-tracer-on-signal.patch
scripts-gdb-fix-aarch64-userspace-detection-in-get_current_task.patch
selftests-mptcp-connect-f-no-reconnect.patch
tracing-osnoise-fix-resetting-of-tracepoints.patch
vfio-platform-check-the-bounds-of-read-write-syscalls.patch

40 files changed:
queue-6.6/ata-libata-sff-ensure-that-we-cannot-write-outside-the-allocated-buffer.patch [new file with mode: 0644]
queue-6.6/crypto-qce-fix-goto-jump-in-error-path.patch [new file with mode: 0644]
queue-6.6/crypto-qce-unregister-previously-registered-algos-in-error-path.patch [new file with mode: 0644]
queue-6.6/i3c-master-fix-missing-ret-assignment-in-set_speed.patch [new file with mode: 0644]
queue-6.6/io_uring-fix-multishots-with-selected-buffers.patch [new file with mode: 0644]
queue-6.6/io_uring-net-don-t-retry-connect-operation-on-epollerr.patch [new file with mode: 0644]
queue-6.6/irqchip-apple-aic-only-handle-pmc-interrupt-as-fiq-when-configured-so.patch [new file with mode: 0644]
queue-6.6/mailbox-tegra-hsp-clear-mailbox-before-using-message.patch [new file with mode: 0644]
queue-6.6/maple_tree-simplify-split-calculation.patch [new file with mode: 0644]
queue-6.6/misc-fastrpc-deregister-device-nodes-properly-in-error-scenarios.patch [new file with mode: 0644]
queue-6.6/misc-fastrpc-fix-copy-buffer-page-size.patch [new file with mode: 0644]
queue-6.6/misc-fastrpc-fix-registered-buffer-page-address.patch [new file with mode: 0644]
queue-6.6/misc-misc_minor_alloc-to-use-ida-for-all-dynamic-misc-dynamic-minors.patch [new file with mode: 0644]
queue-6.6/mtd-onenand-fix-uninitialized-retlen-in-do_otp_read.patch [new file with mode: 0644]
queue-6.6/net-ncsi-wait-for-the-last-response-to-deselect-package-before-configuring-channel.patch [new file with mode: 0644]
queue-6.6/net-phy-c45-tjaxx-add-delay-between-mdio-write-and-read-in-soft_reset.patch [new file with mode: 0644]
queue-6.6/nfc-nci-add-bounds-checking-in-nci_hci_create_pipe.patch [new file with mode: 0644]
queue-6.6/nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch [new file with mode: 0644]
queue-6.6/nvmem-core-improve-range-check-for-nvmem_cell_write.patch [new file with mode: 0644]
queue-6.6/nvmem-imx-ocotp-ele-fix-reading-from-non-zero-offset.patch [new file with mode: 0644]
queue-6.6/nvmem-imx-ocotp-ele-set-word-length-to-1.patch [new file with mode: 0644]
queue-6.6/nvmem-imx-ocotp-ele-simplify-read-beyond-device-check.patch [new file with mode: 0644]
queue-6.6/nvmem-qcom-spmi-sdam-set-size-in-struct-nvmem_config.patch [new file with mode: 0644]
queue-6.6/ocfs2-fix-incorrect-cpu-endianness-conversion-causing-mount-failure.patch [new file with mode: 0644]
queue-6.6/ocfs2-handle-a-symlink-read-error-correctly.patch [new file with mode: 0644]
queue-6.6/pinctrl-samsung-fix-fwnode-refcount-cleanup-if-platform_get_irq_optional-fails.patch [new file with mode: 0644]
queue-6.6/pnfs-flexfiles-retry-getting-layout-segment-for-reads.patch [new file with mode: 0644]
queue-6.6/ptp-ensure-info-enable-callback-is-always-set.patch [new file with mode: 0644]
queue-6.6/rtc-zynqmp-fix-optional-clock-name-property.patch [new file with mode: 0644]
queue-6.6/rtla-add-trace_instance_stop.patch [new file with mode: 0644]
queue-6.6/rtla-osnoise-distinguish-missing-workload-option.patch [new file with mode: 0644]
queue-6.6/rtla-timerlat_hist-set-osnoise_workload-for-kernel-threads.patch [new file with mode: 0644]
queue-6.6/rtla-timerlat_hist-stop-timerlat-tracer-on-signal.patch [new file with mode: 0644]
queue-6.6/rtla-timerlat_top-set-osnoise_workload-for-kernel-threads.patch [new file with mode: 0644]
queue-6.6/rtla-timerlat_top-stop-timerlat-tracer-on-signal.patch [new file with mode: 0644]
queue-6.6/scripts-gdb-fix-aarch64-userspace-detection-in-get_current_task.patch [new file with mode: 0644]
queue-6.6/selftests-mptcp-connect-f-no-reconnect.patch [new file with mode: 0644]
queue-6.6/series
queue-6.6/tracing-osnoise-fix-resetting-of-tracepoints.patch [new file with mode: 0644]
queue-6.6/vfio-platform-check-the-bounds-of-read-write-syscalls.patch [new file with mode: 0644]

diff --git a/queue-6.6/ata-libata-sff-ensure-that-we-cannot-write-outside-the-allocated-buffer.patch b/queue-6.6/ata-libata-sff-ensure-that-we-cannot-write-outside-the-allocated-buffer.patch
new file mode 100644 (file)
index 0000000..7db7605
--- /dev/null
@@ -0,0 +1,81 @@
+From 6e74e53b34b6dec5a50e1404e2680852ec6768d2 Mon Sep 17 00:00:00 2001
+From: Niklas Cassel <cassel@kernel.org>
+Date: Mon, 27 Jan 2025 16:43:04 +0100
+Subject: ata: libata-sff: Ensure that we cannot write outside the allocated buffer
+
+From: Niklas Cassel <cassel@kernel.org>
+
+commit 6e74e53b34b6dec5a50e1404e2680852ec6768d2 upstream.
+
+reveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len
+set to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to
+ATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to
+write outside the allocated buffer, overwriting random memory.
+
+While a ATA device is supposed to abort a ATA_NOP command, there does seem
+to be a bug either in libata-sff or QEMU, where either this status is not
+set, or the status is cleared before read by ata_sff_hsm_move().
+Anyway, that is most likely a separate bug.
+
+Looking at __atapi_pio_bytes(), it already has a safety check to ensure
+that __atapi_pio_bytes() cannot write outside the allocated buffer.
+
+Add a similar check to ata_pio_sector(), such that also ata_pio_sector()
+cannot write outside the allocated buffer.
+
+Cc: stable@vger.kernel.org
+Reported-by: reveliofuzzing <reveliofuzzing@gmail.com>
+Closes: https://lore.kernel.org/linux-ide/CA+-ZZ_jTgxh3bS7m+KX07_EWckSnW3N2adX3KV63y4g7M4CZ2A@mail.gmail.com/
+Link: https://lore.kernel.org/r/20250127154303.15567-2-cassel@kernel.org
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-sff.c |   18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+--- a/drivers/ata/libata-sff.c
++++ b/drivers/ata/libata-sff.c
+@@ -602,7 +602,7 @@ static void ata_pio_sector(struct ata_qu
+ {
+       struct ata_port *ap = qc->ap;
+       struct page *page;
+-      unsigned int offset;
++      unsigned int offset, count;
+       if (!qc->cursg) {
+               qc->curbytes = qc->nbytes;
+@@ -618,25 +618,27 @@ static void ata_pio_sector(struct ata_qu
+       page = nth_page(page, (offset >> PAGE_SHIFT));
+       offset %= PAGE_SIZE;
+-      trace_ata_sff_pio_transfer_data(qc, offset, qc->sect_size);
++      /* don't overrun current sg */
++      count = min(qc->cursg->length - qc->cursg_ofs, qc->sect_size);
++
++      trace_ata_sff_pio_transfer_data(qc, offset, count);
+       /*
+        * Split the transfer when it splits a page boundary.  Note that the
+        * split still has to be dword aligned like all ATA data transfers.
+        */
+       WARN_ON_ONCE(offset % 4);
+-      if (offset + qc->sect_size > PAGE_SIZE) {
++      if (offset + count > PAGE_SIZE) {
+               unsigned int split_len = PAGE_SIZE - offset;
+               ata_pio_xfer(qc, page, offset, split_len);
+-              ata_pio_xfer(qc, nth_page(page, 1), 0,
+-                           qc->sect_size - split_len);
++              ata_pio_xfer(qc, nth_page(page, 1), 0, count - split_len);
+       } else {
+-              ata_pio_xfer(qc, page, offset, qc->sect_size);
++              ata_pio_xfer(qc, page, offset, count);
+       }
+-      qc->curbytes += qc->sect_size;
+-      qc->cursg_ofs += qc->sect_size;
++      qc->curbytes += count;
++      qc->cursg_ofs += count;
+       if (qc->cursg_ofs == qc->cursg->length) {
+               qc->cursg = sg_next(qc->cursg);
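Review bot: The clamped `count` in ata_pio_sector() is no longer guaranteed to be a multiple of 4, yet the only alignment check left is `WARN_ON_ONCE(offset % 4)` and the comment below still says all ATA data transfers are dword aligned. With the out_len of 0xd42 from the commit message, and assuming a 512-byte sector, the last chunk would be 322 bytes, so it is worth confirming that ata_pio_xfer() copes with a trailing partial dword; that helper is not visible here. The new comment is also terse; something like `/* Clamp to the bytes left in the current sg entry: the requested length need not be a multiple of qc->sect_size, so a full-sector transfer could run past the buffer. */` would record why the clamp exists. The function body starts and ends outside the hunk.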
diff --git a/queue-6.6/crypto-qce-fix-goto-jump-in-error-path.patch b/queue-6.6/crypto-qce-fix-goto-jump-in-error-path.patch
new file mode 100644 (file)
index 0000000..6c66935
--- /dev/null
@@ -0,0 +1,33 @@
+From 5278275c1758a38199b43530adfc50098f4b41c7 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Date: Tue, 3 Dec 2024 10:19:29 +0100
+Subject: crypto: qce - fix goto jump in error path
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+commit 5278275c1758a38199b43530adfc50098f4b41c7 upstream.
+
+If qce_check_version() fails, we should jump to err_dma as we already
+called qce_dma_request() a couple lines before.
+
+Cc: stable@vger.kernel.org
+Fixes: ec8f5d8f6f76 ("crypto: qce - Qualcomm crypto engine driver")
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/qce/core.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/qce/core.c
++++ b/drivers/crypto/qce/core.c
+@@ -247,7 +247,7 @@ static int qce_crypto_probe(struct platf
+       ret = qce_check_version(qce);
+       if (ret)
+-              goto err_clks;
++              goto err_dma;
+       spin_lock_init(&qce->lock);
+       tasklet_init(&qce->done_tasklet, qce_tasklet_req_done,
diff --git a/queue-6.6/crypto-qce-unregister-previously-registered-algos-in-error-path.patch b/queue-6.6/crypto-qce-unregister-previously-registered-algos-in-error-path.patch
new file mode 100644 (file)
index 0000000..24276b5
--- /dev/null
@@ -0,0 +1,52 @@
+From e80cf84b608725303113d6fe98bb727bf7b7a40d Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Date: Tue, 3 Dec 2024 10:19:30 +0100
+Subject: crypto: qce - unregister previously registered algos in error path
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+commit e80cf84b608725303113d6fe98bb727bf7b7a40d upstream.
+
+If we encounter an error when registering alorithms with the crypto
+framework, we just bail out and don't unregister the ones we
+successfully registered in prior iterations of the loop.
+
+Add code that goes back over the algos and unregisters them before
+returning an error from qce_register_algs().
+
+Cc: stable@vger.kernel.org
+Fixes: ec8f5d8f6f76 ("crypto: qce - Qualcomm crypto engine driver")
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/qce/core.c |   11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/crypto/qce/core.c
++++ b/drivers/crypto/qce/core.c
+@@ -51,16 +51,19 @@ static void qce_unregister_algs(struct q
+ static int qce_register_algs(struct qce_device *qce)
+ {
+       const struct qce_algo_ops *ops;
+-      int i, ret = -ENODEV;
++      int i, j, ret = -ENODEV;
+       for (i = 0; i < ARRAY_SIZE(qce_ops); i++) {
+               ops = qce_ops[i];
+               ret = ops->register_algs(qce);
+-              if (ret)
+-                      break;
++              if (ret) {
++                      for (j = i - 1; j >= 0; j--)
++                              ops->unregister_algs(qce);
++                      return ret;
++              }
+       }
+-      return ret;
++      return 0;
+ }
+ static int qce_handle_request(struct crypto_async_request *async_req)
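Review bot: The unwind loop added to qce_register_algs() never uses `j` to pick an entry: `ops` still points at `qce_ops[i]`, the entry whose register_algs() just failed, so `ops->unregister_algs(qce)` is called i times on that entry and the entries registered in earlier iterations stay registered. That leaves algorithms registered with the crypto framework for a device whose probe is failing, which is the condition the commit message sets out to remove. The loop body should be `qce_ops[j]->unregister_algs(qce);`. Separately, the `-ENODEV` initialiser of `ret` is now dead, and an empty `qce_ops` table would return 0 where the old code returned -ENODEV.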
diff --git a/queue-6.6/i3c-master-fix-missing-ret-assignment-in-set_speed.patch b/queue-6.6/i3c-master-fix-missing-ret-assignment-in-set_speed.patch
new file mode 100644 (file)
index 0000000..dfc99d5
--- /dev/null
@@ -0,0 +1,42 @@
+From b266e0d4dac00eecdfaf50ec3f708fd0c3b39637 Mon Sep 17 00:00:00 2001
+From: Frank Li <Frank.Li@nxp.com>
+Date: Wed, 8 Jan 2025 17:55:33 -0500
+Subject: i3c: master: Fix missing 'ret' assignment in set_speed()
+
+From: Frank Li <Frank.Li@nxp.com>
+
+commit b266e0d4dac00eecdfaf50ec3f708fd0c3b39637 upstream.
+
+Fix a probe failure in the i3c master driver that occurs when no i3c
+devices are connected to the bus.
+
+The issue arises in `i3c_master_bus_init()` where the `ret` value is not
+updated after calling `master->ops->set_speed()`. If no devices are
+present, `ret` remains set to `I3C_ERROR_M2`, causing the code to
+incorrectly proceed to `err_bus_cleanup`.
+
+Cc: stable@vger.kernel.org
+Fixes: aef79e189ba2 ("i3c: master: support to adjust first broadcast address speed")
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Tested-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Acked-by: Mukesh Kumar Savaliya <quic_msavaliy@quicinc.com>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/r/20250108225533.915334-1-Frank.Li@nxp.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i3c/master.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i3c/master.c
++++ b/drivers/i3c/master.c
+@@ -1878,7 +1878,7 @@ static int i3c_master_bus_init(struct i3
+               goto err_bus_cleanup;
+       if (master->ops->set_speed) {
+-              master->ops->set_speed(master, I3C_OPEN_DRAIN_NORMAL_SPEED);
++              ret = master->ops->set_speed(master, I3C_OPEN_DRAIN_NORMAL_SPEED);
+               if (ret)
+                       goto err_bus_cleanup;
+       }
diff --git a/queue-6.6/io_uring-fix-multishots-with-selected-buffers.patch b/queue-6.6/io_uring-fix-multishots-with-selected-buffers.patch
new file mode 100644 (file)
index 0000000..b2a02e2
--- /dev/null
@@ -0,0 +1,39 @@
+From d63b0e8a628e62ca85a0f7915230186bb92f8bb4 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Tue, 28 Jan 2025 00:55:24 +0000
+Subject: io_uring: fix multishots with selected buffers
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit d63b0e8a628e62ca85a0f7915230186bb92f8bb4 upstream.
+
+We do io_kbuf_recycle() when arming a poll but every iteration of a
+multishot can grab more buffers, which is why we need to flush the kbuf
+ring state before continuing with waiting.
+
+Cc: stable@vger.kernel.org
+Fixes: b3fdea6ecb55c ("io_uring: multishot recv")
+Reported-by: Muhammad Ramdhan <ramdhan@starlabs.sg>
+Reported-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
+Reported-by: Jacob Soo <jacob.soo@starlabs.sg>
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/1bfc9990fe435f1fc6152ca9efeba5eb3e68339c.1738025570.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/poll.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/io_uring/poll.c
++++ b/io_uring/poll.c
+@@ -350,8 +350,10 @@ void io_poll_task_func(struct io_kiocb *
+       ret = io_poll_check_events(req, ts);
+       if (ret == IOU_POLL_NO_ACTION) {
++              io_kbuf_recycle(req, 0);
+               return;
+       } else if (ret == IOU_POLL_REQUEUE) {
++              io_kbuf_recycle(req, 0);
+               __io_poll_execute(req, 0);
+               return;
+       }
diff --git a/queue-6.6/io_uring-net-don-t-retry-connect-operation-on-epollerr.patch b/queue-6.6/io_uring-net-don-t-retry-connect-operation-on-epollerr.patch
new file mode 100644 (file)
index 0000000..90b0e6c
--- /dev/null
@@ -0,0 +1,55 @@
+From 8c8492ca64e79c6e0f433e8c9d2bcbd039ef83d0 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Thu, 30 Jan 2025 08:40:29 -0700
+Subject: io_uring/net: don't retry connect operation on EPOLLERR
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 8c8492ca64e79c6e0f433e8c9d2bcbd039ef83d0 upstream.
+
+If a socket is shutdown before the connection completes, POLLERR is set
+in the poll mask. However, connect ignores this as it doesn't know, and
+attempts the connection again. This may lead to a bogus -ETIMEDOUT
+result, where it should have noticed the POLLERR and just returned
+-ECONNRESET instead.
+
+Have the poll logic check for whether or not POLLERR is set in the mask,
+and if so, mark the request as failed. Then connect can appropriately
+fail the request rather than retry it.
+
+Reported-by: Sergey Galas <ssgalas@cloud.ru>
+Cc: stable@vger.kernel.org
+Link: https://github.com/axboe/liburing/discussions/1335
+Fixes: 3fb1bd688172 ("io_uring/net: handle -EINPROGRESS correct for IORING_OP_CONNECT")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/net.c  |    5 +++++
+ io_uring/poll.c |    2 ++
+ 2 files changed, 7 insertions(+)
+
+--- a/io_uring/net.c
++++ b/io_uring/net.c
+@@ -1533,6 +1533,11 @@ int io_connect(struct io_kiocb *req, uns
+               io = &__io;
+       }
++      if (unlikely(req->flags & REQ_F_FAIL)) {
++              ret = -ECONNRESET;
++              goto out;
++      }
++
+       file_flags = force_nonblock ? O_NONBLOCK : 0;
+       ret = __sys_connect_file(req->file, &io->address,
+--- a/io_uring/poll.c
++++ b/io_uring/poll.c
+@@ -308,6 +308,8 @@ static int io_poll_check_events(struct i
+                               return IOU_POLL_REISSUE;
+                       }
+               }
++              if (unlikely(req->cqe.res & EPOLLERR))
++                      req_set_fail(req);
+               if (req->apoll_events & EPOLLONESHOT)
+                       return IOU_POLL_DONE;
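Review bot: The `req_set_fail(req)` added to io_poll_check_events() runs for every request that goes through this poll path, not only for connect, because the `req->cqe.res & EPOLLERR` test has no opcode check. As far as these lines show, only io_connect() consumes the flag, so other operations that legitimately see EPOLLERR (for example a receive that reads the socket error queue) would now carry REQ_F_FAIL; whether that changes their completion depends on code outside the hunk. On the io_connect() side the result is hard-coded to `-ECONNRESET` rather than taken from the socket's pending error, so the caller may see a different errno than connect(2) would report. Consider limiting the poll-side check to connect requests, e.g. `if (unlikely(req->cqe.res & EPOLLERR) && req->opcode == IORING_OP_CONNECT)`, or resolving the error inside io_connect() itself. Both functions extend beyond the lines shown.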
diff --git a/queue-6.6/irqchip-apple-aic-only-handle-pmc-interrupt-as-fiq-when-configured-so.patch b/queue-6.6/irqchip-apple-aic-only-handle-pmc-interrupt-as-fiq-when-configured-so.patch
new file mode 100644 (file)
index 0000000..7be9f1f
--- /dev/null
@@ -0,0 +1,42 @@
+From 698244bbb3bfd32ddf9a0b70a12b1c7d69056497 Mon Sep 17 00:00:00 2001
+From: Nick Chan <towinchenmi@gmail.com>
+Date: Sun, 19 Jan 2025 00:31:42 +0800
+Subject: irqchip/apple-aic: Only handle PMC interrupt as FIQ when configured so
+
+From: Nick Chan <towinchenmi@gmail.com>
+
+commit 698244bbb3bfd32ddf9a0b70a12b1c7d69056497 upstream.
+
+The CPU PMU in Apple SoCs can be configured to fire its interrupt in one of
+several ways, and since Apple A11 one of the methods is FIQ, but the check
+of the configuration register fails to test explicitely for FIQ mode. It
+tests whether the IMODE bitfield is zero or not and the PMCRO_IACT bit is
+set. That results in false positives when the IMODE bitfield is not zero,
+but does not have the mode PMCR0_IMODE_FIQ.
+
+Only handle the PMC interrupt as a FIQ when the CPU PMU has been configured
+to fire FIQs, i.e. the IMODE bitfield value is PMCR0_IMODE_FIQ and
+PMCR0_IACT is set.
+
+Fixes: c7708816c944 ("irqchip/apple-aic: Wire PMU interrupts")
+Signed-off-by: Nick Chan <towinchenmi@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20250118163554.16733-1-towinchenmi@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-apple-aic.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/irqchip/irq-apple-aic.c
++++ b/drivers/irqchip/irq-apple-aic.c
+@@ -563,7 +563,8 @@ static void __exception_irq_entry aic_ha
+                                                 AIC_FIQ_HWIRQ(AIC_TMR_EL02_VIRT));
+       }
+-      if (read_sysreg_s(SYS_IMP_APL_PMCR0_EL1) & PMCR0_IACT) {
++      if ((read_sysreg_s(SYS_IMP_APL_PMCR0_EL1) & (PMCR0_IMODE | PMCR0_IACT)) ==
++                      (FIELD_PREP(PMCR0_IMODE, PMCR0_IMODE_FIQ) | PMCR0_IACT)) {
+               int irq;
+               if (cpumask_test_cpu(smp_processor_id(),
+                                    &aic_irqc->fiq_aff[AIC_CPU_PMU_P]->aff))
diff --git a/queue-6.6/mailbox-tegra-hsp-clear-mailbox-before-using-message.patch b/queue-6.6/mailbox-tegra-hsp-clear-mailbox-before-using-message.patch
new file mode 100644 (file)
index 0000000..db0a6fd
--- /dev/null
@@ -0,0 +1,68 @@
+From 0b7f8328f988178b55ee11d772a6e1238c04d29d Mon Sep 17 00:00:00 2001
+From: Pekka Pessi <ppessi@nvidia.com>
+Date: Mon, 2 Dec 2024 15:35:59 +0530
+Subject: mailbox: tegra-hsp: Clear mailbox before using message
+
+From: Pekka Pessi <ppessi@nvidia.com>
+
+commit 0b7f8328f988178b55ee11d772a6e1238c04d29d upstream.
+
+The Tegra RCE (Camera) driver expects the mailbox to be empty before
+processing the IVC messages. On RT kernel, the threads processing the
+IVC messages (which are invoked after `mbox_chan_received_data()` is
+called) may be on a different CPU or running with a higher priority
+than the HSP interrupt handler thread. This can cause it to act on the
+message before the mailbox gets cleared in the HSP interrupt handler
+resulting in a loss of IVC notification.
+
+Fix this by clearing the mailbox data register before calling
+`mbox_chan_received_data()`.
+
+Fixes: 8f585d14030d ("mailbox: tegra-hsp: Add tegra_hsp_sm_ops")
+Fixes: 74c20dd0f892 ("mailbox: tegra-hsp: Add 128-bit shared mailbox support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Pekka Pessi <ppessi@nvidia.com>
+Signed-off-by: Kartik Rajput <kkartik@nvidia.com>
+Acked-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mailbox/tegra-hsp.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/mailbox/tegra-hsp.c
++++ b/drivers/mailbox/tegra-hsp.c
+@@ -388,7 +388,6 @@ static void tegra_hsp_sm_recv32(struct t
+       value = tegra_hsp_channel_readl(channel, HSP_SM_SHRD_MBOX);
+       value &= ~HSP_SM_SHRD_MBOX_FULL;
+       msg = (void *)(unsigned long)value;
+-      mbox_chan_received_data(channel->chan, msg);
+       /*
+        * Need to clear all bits here since some producers, such as TCU, depend
+@@ -398,6 +397,8 @@ static void tegra_hsp_sm_recv32(struct t
+        * explicitly, so we have to make sure we cover all possible cases.
+        */
+       tegra_hsp_channel_writel(channel, 0x0, HSP_SM_SHRD_MBOX);
++
++      mbox_chan_received_data(channel->chan, msg);
+ }
+ static const struct tegra_hsp_sm_ops tegra_hsp_sm_32bit_ops = {
+@@ -433,7 +434,6 @@ static void tegra_hsp_sm_recv128(struct
+       value[3] = tegra_hsp_channel_readl(channel, HSP_SHRD_MBOX_TYPE1_DATA3);
+       msg = (void *)(unsigned long)value;
+-      mbox_chan_received_data(channel->chan, msg);
+       /*
+        * Clear data registers and tag.
+@@ -443,6 +443,8 @@ static void tegra_hsp_sm_recv128(struct
+       tegra_hsp_channel_writel(channel, 0x0, HSP_SHRD_MBOX_TYPE1_DATA2);
+       tegra_hsp_channel_writel(channel, 0x0, HSP_SHRD_MBOX_TYPE1_DATA3);
+       tegra_hsp_channel_writel(channel, 0x0, HSP_SHRD_MBOX_TYPE1_TAG);
++
++      mbox_chan_received_data(channel->chan, msg);
+ }
+ static const struct tegra_hsp_sm_ops tegra_hsp_sm_128bit_ops = {
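Review bot: Nothing in tegra_hsp_sm_recv32() or tegra_hsp_sm_recv128() records that `mbox_chan_received_data()` must now come after the register clears, so a later tidy-up could move the call back and reintroduce the lost-notification race described in the commit message. I would add a comment above each call, e.g. `/* Deliver only after the mailbox is cleared: the consumer may run before this handler returns and expects the mailbox to be empty. */`. In tegra_hsp_sm_recv128() `msg` appears to point at the local `value` array (the hunk shows `value[3]` being filled and then `msg = (void *)(unsigned long)value`), so it is also worth stating that the message is only valid for the duration of the callback. The start of both functions is outside the hunk.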
diff --git a/queue-6.6/maple_tree-simplify-split-calculation.patch b/queue-6.6/maple_tree-simplify-split-calculation.patch
new file mode 100644 (file)
index 0000000..0d162b6
--- /dev/null
@@ -0,0 +1,112 @@
+From 4f6a6bed0bfef4b966f076f33eb4f5547226056a Mon Sep 17 00:00:00 2001
+From: Wei Yang <richard.weiyang@gmail.com>
+Date: Wed, 13 Nov 2024 03:16:14 +0000
+Subject: maple_tree: simplify split calculation
+
+From: Wei Yang <richard.weiyang@gmail.com>
+
+commit 4f6a6bed0bfef4b966f076f33eb4f5547226056a upstream.
+
+Patch series "simplify split calculation", v3.
+
+
+This patch (of 3):
+
+The current calculation for splitting nodes tries to enforce a minimum
+span on the leaf nodes.  This code is complex and never worked correctly
+to begin with, due to the min value being passed as 0 for all leaves.
+
+The calculation should just split the data as equally as possible
+between the new nodes.  Note that b_end will be one more than the data,
+so the left side is still favoured in the calculation.
+
+The current code may also lead to a deficient node by not leaving enough
+data for the right side of the split. This issue is also addressed with
+the split calculation change.
+
+[Liam.Howlett@Oracle.com: rephrase the change log]
+Link: https://lkml.kernel.org/r/20241113031616.10530-1-richard.weiyang@gmail.com
+Link: https://lkml.kernel.org/r/20241113031616.10530-2-richard.weiyang@gmail.com
+Fixes: 54a611b60590 ("Maple Tree: add new data structure")
+Signed-off-by: Wei Yang <richard.weiyang@gmail.com>
+Reviewed-by: Liam R. Howlett <Liam.Howlett@Oracle.com>
+Cc: Sidhartha Kumar <sidhartha.kumar@oracle.com>
+Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/maple_tree.c |   23 ++++++-----------------
+ 1 file changed, 6 insertions(+), 17 deletions(-)
+
+--- a/lib/maple_tree.c
++++ b/lib/maple_tree.c
+@@ -1870,11 +1870,11 @@ static inline int mab_no_null_split(stru
+  * Return: The first split location.  The middle split is set in @mid_split.
+  */
+ static inline int mab_calc_split(struct ma_state *mas,
+-       struct maple_big_node *bn, unsigned char *mid_split, unsigned long min)
++       struct maple_big_node *bn, unsigned char *mid_split)
+ {
+       unsigned char b_end = bn->b_end;
+       int split = b_end / 2; /* Assume equal split. */
+-      unsigned char slot_min, slot_count = mt_slots[bn->type];
++      unsigned char slot_count = mt_slots[bn->type];
+       /*
+        * To support gap tracking, all NULL entries are kept together and a node cannot
+@@ -1907,18 +1907,7 @@ static inline int mab_calc_split(struct
+               split = b_end / 3;
+               *mid_split = split * 2;
+       } else {
+-              slot_min = mt_min_slots[bn->type];
+-
+               *mid_split = 0;
+-              /*
+-               * Avoid having a range less than the slot count unless it
+-               * causes one node to be deficient.
+-               * NOTE: mt_min_slots is 1 based, b_end and split are zero.
+-               */
+-              while ((split < slot_count - 1) &&
+-                     ((bn->pivot[split] - min) < slot_count - 1) &&
+-                     (b_end - split > slot_min))
+-                      split++;
+       }
+       /* Avoid ending a node on a NULL entry */
+@@ -2402,7 +2391,7 @@ static inline struct maple_enode
+ static inline unsigned char mas_mab_to_node(struct ma_state *mas,
+       struct maple_big_node *b_node, struct maple_enode **left,
+       struct maple_enode **right, struct maple_enode **middle,
+-      unsigned char *mid_split, unsigned long min)
++      unsigned char *mid_split)
+ {
+       unsigned char split = 0;
+       unsigned char slot_count = mt_slots[b_node->type];
+@@ -2415,7 +2404,7 @@ static inline unsigned char mas_mab_to_n
+       if (b_node->b_end < slot_count) {
+               split = b_node->b_end;
+       } else {
+-              split = mab_calc_split(mas, b_node, mid_split, min);
++              split = mab_calc_split(mas, b_node, mid_split);
+               *right = mas_new_ma_node(mas, b_node);
+       }
+@@ -2905,7 +2894,7 @@ static int mas_spanning_rebalance(struct
+               mast->bn->b_end--;
+               mast->bn->type = mte_node_type(mast->orig_l->node);
+               split = mas_mab_to_node(mas, mast->bn, &left, &right, &middle,
+-                                      &mid_split, mast->orig_l->min);
++                                      &mid_split);
+               mast_set_split_parents(mast, left, middle, right, split,
+                                      mid_split);
+               mast_cp_to_nodes(mast, left, middle, right, split, mid_split);
+@@ -3413,7 +3402,7 @@ static int mas_split(struct ma_state *ma
+               if (mas_push_data(mas, height, &mast, false))
+                       break;
+-              split = mab_calc_split(mas, b_node, &mid_split, prev_l_mas.min);
++              split = mab_calc_split(mas, b_node, &mid_split);
+               mast_split_data(&mast, mas, split);
+               /*
+                * Usually correct, mab_mas_cp in the above call overwrites
diff --git a/queue-6.6/misc-fastrpc-deregister-device-nodes-properly-in-error-scenarios.patch b/queue-6.6/misc-fastrpc-deregister-device-nodes-properly-in-error-scenarios.patch
new file mode 100644 (file)
index 0000000..eeb5409
--- /dev/null
@@ -0,0 +1,35 @@
+From 637c20002dc8c347001292664055bfbf56544ec6 Mon Sep 17 00:00:00 2001
+From: Anandu Krishnan E <quic_anane@quicinc.com>
+Date: Fri, 10 Jan 2025 13:42:37 +0000
+Subject: misc: fastrpc: Deregister device nodes properly in error scenarios
+
+From: Anandu Krishnan E <quic_anane@quicinc.com>
+
+commit 637c20002dc8c347001292664055bfbf56544ec6 upstream.
+
+During fastrpc_rpmsg_probe, if secure device node registration
+succeeds but non-secure device node registration fails, the secure
+device node deregister is not called during error cleanup. Add proper
+exit paths to ensure proper cleanup in case of error.
+
+Fixes: 3abe3ab3cdab ("misc: fastrpc: add secure domain support")
+Cc: stable@kernel.org
+Signed-off-by: Anandu Krishnan E <quic_anane@quicinc.com>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20250110134239.123603-2-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/fastrpc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -2327,7 +2327,7 @@ static int fastrpc_rpmsg_probe(struct rp
+               err = fastrpc_device_register(rdev, data, false, domains[domain_id]);
+               if (err)
+-                      goto fdev_error;
++                      goto populate_error;
+               break;
+       default:
+               err = -EINVAL;
diff --git a/queue-6.6/misc-fastrpc-fix-copy-buffer-page-size.patch b/queue-6.6/misc-fastrpc-fix-copy-buffer-page-size.patch
new file mode 100644 (file)
index 0000000..b4e8be4
--- /dev/null
@@ -0,0 +1,40 @@
+From e966eae72762ecfdbdb82627e2cda48845b9dd66 Mon Sep 17 00:00:00 2001
+From: Ekansh Gupta <quic_ekangupt@quicinc.com>
+Date: Fri, 10 Jan 2025 13:42:39 +0000
+Subject: misc: fastrpc: Fix copy buffer page size
+
+From: Ekansh Gupta <quic_ekangupt@quicinc.com>
+
+commit e966eae72762ecfdbdb82627e2cda48845b9dd66 upstream.
+
+For non-registered buffer, fastrpc driver copies the buffer and
+pass it to the remote subsystem. There is a problem with current
+implementation of page size calculation which is not considering
+the offset in the calculation. This might lead to passing of
+improper and out-of-bounds page size which could result in
+memory issue. Calculate page start and page end using the offset
+adjusted address instead of absolute address.
+
+Fixes: 02b45b47fbe8 ("misc: fastrpc: fix remote page size calculation")
+Cc: stable@kernel.org
+Signed-off-by: Ekansh Gupta <quic_ekangupt@quicinc.com>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20250110134239.123603-4-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/fastrpc.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -1015,8 +1015,8 @@ static int fastrpc_get_args(u32 kernel,
+                                       (pkt_size - rlen);
+                       pages[i].addr = pages[i].addr & PAGE_MASK;
+-                      pg_start = (args & PAGE_MASK) >> PAGE_SHIFT;
+-                      pg_end = ((args + len - 1) & PAGE_MASK) >> PAGE_SHIFT;
++                      pg_start = (rpra[i].buf.pv & PAGE_MASK) >> PAGE_SHIFT;
++                      pg_end = ((rpra[i].buf.pv + len - 1) & PAGE_MASK) >> PAGE_SHIFT;
+                       pages[i].size = (pg_end - pg_start + 1) * PAGE_SIZE;
+                       args = args + mlen;
+                       rlen -= mlen;
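Review bot: The new `pg_end` expression `(rpra[i].buf.pv + len - 1)` assumes `len` is non-zero and that the sum does not wrap; with `len == 0` on a page-aligned `pv` it gives `pg_end = pg_start - 1` and a `pages[i].size` of 0. The guard for that is not in this hunk (fastrpc_get_args starts and ends outside it), so it is worth confirming that a zero-length argument cannot reach this branch, since the size is handed to the remote subsystem. As a style point, `& PAGE_MASK` before `>> PAGE_SHIFT` is redundant: `pg_start = rpra[i].buf.pv >> PAGE_SHIFT;` yields the same page number.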
diff --git a/queue-6.6/misc-fastrpc-fix-registered-buffer-page-address.patch b/queue-6.6/misc-fastrpc-fix-registered-buffer-page-address.patch
new file mode 100644 (file)
index 0000000..8439b13
--- /dev/null
@@ -0,0 +1,48 @@
+From 6ca4ea1f88a06a04ed7b2c9c6bf9f00833b68214 Mon Sep 17 00:00:00 2001
+From: Ekansh Gupta <quic_ekangupt@quicinc.com>
+Date: Fri, 10 Jan 2025 13:42:38 +0000
+Subject: misc: fastrpc: Fix registered buffer page address
+
+From: Ekansh Gupta <quic_ekangupt@quicinc.com>
+
+commit 6ca4ea1f88a06a04ed7b2c9c6bf9f00833b68214 upstream.
+
+For registered  buffers, fastrpc driver sends the buffer information
+to remote subsystem. There is a problem with current implementation
+where the page address is being sent with an offset leading to
+improper buffer address on DSP. This is leads to functional failures
+as DSP expects base address in page information and extracts offset
+information from remote arguments. Mask the offset and pass the base
+page address to DSP.
+
+This issue is observed is a corner case when some buffer which is registered
+with fastrpc framework is passed with some offset by user and then the DSP
+implementation tried to read the data. As DSP expects base address and takes
+care of offsetting with remote arguments, passing an offsetted address will
+result in some unexpected data read in DSP.
+
+All generic usecases usually pass the buffer as it is hence is problem is
+not usually observed. If someone tries to pass offsetted buffer and then
+tries to compare data at HLOS and DSP end, then the ambiguity will be observed.
+
+Fixes: 80f3afd72bd4 ("misc: fastrpc: consider address offset before sending to DSP")
+Cc: stable@kernel.org
+Signed-off-by: Ekansh Gupta <quic_ekangupt@quicinc.com>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20250110134239.123603-3-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/fastrpc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -988,7 +988,7 @@ static int fastrpc_get_args(u32 kernel,
+                       mmap_read_lock(current->mm);
+                       vma = find_vma(current->mm, ctx->args[i].ptr);
+                       if (vma)
+-                              pages[i].addr += ctx->args[i].ptr -
++                              pages[i].addr += (ctx->args[i].ptr & PAGE_MASK) -
+                                                vma->vm_start;
+                       mmap_read_unlock(current->mm);
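Review bot: The `if (vma)` test on the find_vma() result does not establish that `ctx->args[i].ptr` lies inside the returned VMA, because find_vma() returns the first VMA that ends above the address and that VMA can also start above it. In that case `(ctx->args[i].ptr & PAGE_MASK) - vma->vm_start` wraps, and the wrapped value is added to `pages[i].addr`, which per the commit message is what the DSP receives. Since `ptr` appears to be caller-supplied, I would tighten the guard to `if (vma && ctx->args[i].ptr >= vma->vm_start)` or switch to `vma_lookup()`. The enclosing function continues outside the hunk.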
diff --git a/queue-6.6/misc-misc_minor_alloc-to-use-ida-for-all-dynamic-misc-dynamic-minors.patch b/queue-6.6/misc-misc_minor_alloc-to-use-ida-for-all-dynamic-misc-dynamic-minors.patch
new file mode 100644 (file)
index 0000000..0f15f88
--- /dev/null
@@ -0,0 +1,103 @@
+From 6d04d2b554b14ae6c428a9c60b6c85f1e5c89f68 Mon Sep 17 00:00:00 2001
+From: Vimal Agrawal <vimal.agrawal@sophos.com>
+Date: Mon, 21 Oct 2024 13:38:12 +0000
+Subject: misc: misc_minor_alloc to use ida for all dynamic/misc dynamic minors
+
+From: Vimal Agrawal <vimal.agrawal@sophos.com>
+
+commit 6d04d2b554b14ae6c428a9c60b6c85f1e5c89f68 upstream.
+
+misc_minor_alloc was allocating id using ida for minor only in case of
+MISC_DYNAMIC_MINOR but misc_minor_free was always freeing ids
+using ida_free causing a mismatch and following warn:
+> > WARNING: CPU: 0 PID: 159 at lib/idr.c:525 ida_free+0x3e0/0x41f
+> > ida_free called for id=127 which is not allocated.
+> > <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
+...
+> > [<60941eb4>] ida_free+0x3e0/0x41f
+> > [<605ac993>] misc_minor_free+0x3e/0xbc
+> > [<605acb82>] misc_deregister+0x171/0x1b3
+
+misc_minor_alloc is changed to allocate id from ida for all minors
+falling in the range of dynamic/ misc dynamic minors
+
+Fixes: ab760791c0cf ("char: misc: Increase the maximum number of dynamic misc devices to 1048448")
+Signed-off-by: Vimal Agrawal <vimal.agrawal@sophos.com>
+Reviewed-by: Dirk VanDerMerwe <dirk.vandermerwe@sophos.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20241021133812.23703-1-vimal.agrawal@sophos.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/misc.c |   37 +++++++++++++++++++++++++++++--------
+ 1 file changed, 29 insertions(+), 8 deletions(-)
+
+--- a/drivers/char/misc.c
++++ b/drivers/char/misc.c
+@@ -63,16 +63,30 @@ static DEFINE_MUTEX(misc_mtx);
+ #define DYNAMIC_MINORS 128 /* like dynamic majors */
+ static DEFINE_IDA(misc_minors_ida);
+-static int misc_minor_alloc(void)
++static int misc_minor_alloc(int minor)
+ {
+-      int ret;
++      int ret = 0;
+-      ret = ida_alloc_max(&misc_minors_ida, DYNAMIC_MINORS - 1, GFP_KERNEL);
+-      if (ret >= 0) {
+-              ret = DYNAMIC_MINORS - ret - 1;
++      if (minor == MISC_DYNAMIC_MINOR) {
++              /* allocate free id */
++              ret = ida_alloc_max(&misc_minors_ida, DYNAMIC_MINORS - 1, GFP_KERNEL);
++              if (ret >= 0) {
++                      ret = DYNAMIC_MINORS - ret - 1;
++              } else {
++                      ret = ida_alloc_range(&misc_minors_ida, MISC_DYNAMIC_MINOR + 1,
++                                            MINORMASK, GFP_KERNEL);
++              }
+       } else {
+-              ret = ida_alloc_range(&misc_minors_ida, MISC_DYNAMIC_MINOR + 1,
+-                                    MINORMASK, GFP_KERNEL);
++              /* specific minor, check if it is in dynamic or misc dynamic range  */
++              if (minor < DYNAMIC_MINORS) {
++                      minor = DYNAMIC_MINORS - minor - 1;
++                      ret = ida_alloc_range(&misc_minors_ida, minor, minor, GFP_KERNEL);
++              } else if (minor > MISC_DYNAMIC_MINOR) {
++                      ret = ida_alloc_range(&misc_minors_ida, minor, minor, GFP_KERNEL);
++              } else {
++                      /* case of non-dynamic minors, no need to allocate id */
++                      ret = 0;
++              }
+       }
+       return ret;
+ }
+@@ -219,7 +233,7 @@ int misc_register(struct miscdevice *mis
+       mutex_lock(&misc_mtx);
+       if (is_dynamic) {
+-              int i = misc_minor_alloc();
++              int i = misc_minor_alloc(misc->minor);
+               if (i < 0) {
+                       err = -EBUSY;
+@@ -228,6 +242,7 @@ int misc_register(struct miscdevice *mis
+               misc->minor = i;
+       } else {
+               struct miscdevice *c;
++              int i;
+               list_for_each_entry(c, &misc_list, list) {
+                       if (c->minor == misc->minor) {
+@@ -235,6 +250,12 @@ int misc_register(struct miscdevice *mis
+                               goto out;
+                       }
+               }
++
++              i = misc_minor_alloc(misc->minor);
++              if (i < 0) {
++                      err = -EBUSY;
++                      goto out;
++              }
+       }
+       dev = MKDEV(MISC_MAJOR, misc->minor);
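Review bot: In the non-dynamic branch of misc_register() the new `misc_minor_alloc(misc->minor)` call reserves an ida entry for fixed minors that fall in the dynamic ranges, but the failure paths after `dev = MKDEV(...)` are outside this hunk, so it is not visible that they release it. If the existing cleanup only calls misc_minor_free() when `is_dynamic` is set, a failed device creation would leave that minor reserved and later registrations of it would get -EBUSY. I would check that path and free the id in both cases. Separately, for a specific `minor < DYNAMIC_MINORS` misc_minor_alloc() now returns the inverted ida index rather than the minor. A comment such as `/* for a fixed minor only the sign of the return value is meaningful */` would stop a future caller from assigning it to `misc->minor`.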
diff --git a/queue-6.6/mtd-onenand-fix-uninitialized-retlen-in-do_otp_read.patch b/queue-6.6/mtd-onenand-fix-uninitialized-retlen-in-do_otp_read.patch
new file mode 100644 (file)
index 0000000..a32bcef
--- /dev/null
@@ -0,0 +1,36 @@
+From 70a71f8151b9879b0950668ce3ad76263261fee0 Mon Sep 17 00:00:00 2001
+From: Ivan Stepchenko <sid@itb.spb.ru>
+Date: Thu, 14 Nov 2024 16:29:51 +0300
+Subject: mtd: onenand: Fix uninitialized retlen in do_otp_read()
+
+From: Ivan Stepchenko <sid@itb.spb.ru>
+
+commit 70a71f8151b9879b0950668ce3ad76263261fee0 upstream.
+
+The function do_otp_read() does not set the output parameter *retlen,
+which is expected to contain the number of bytes actually read.
+As a result, in onenand_otp_walk(), the tmp_retlen variable remains
+uninitialized after calling do_otp_walk() and used to change
+the values of the buf, len and retlen variables.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 49dc08eeda70 ("[MTD] [OneNAND] fix numerous races")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ivan Stepchenko <sid@itb.spb.ru>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/onenand/onenand_base.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mtd/nand/onenand/onenand_base.c
++++ b/drivers/mtd/nand/onenand/onenand_base.c
+@@ -2923,6 +2923,7 @@ static int do_otp_read(struct mtd_info *
+       ret = ONENAND_IS_4KB_PAGE(this) ?
+               onenand_mlc_read_ops_nolock(mtd, from, &ops) :
+               onenand_read_ops_nolock(mtd, from, &ops);
++      *retlen = ops.retlen;
+       /* Exit OTP access mode */
+       this->command(mtd, ONENAND_CMD_RESET, 0, 0);
diff --git a/queue-6.6/net-ncsi-wait-for-the-last-response-to-deselect-package-before-configuring-channel.patch b/queue-6.6/net-ncsi-wait-for-the-last-response-to-deselect-package-before-configuring-channel.patch
new file mode 100644 (file)
index 0000000..4a1b7a6
--- /dev/null
@@ -0,0 +1,64 @@
+From 6bb194d036c6e1b329dcdff459338cdd9a54802a Mon Sep 17 00:00:00 2001
+From: Paul Fertser <fercerpav@gmail.com>
+Date: Thu, 16 Jan 2025 18:29:00 +0300
+Subject: net/ncsi: wait for the last response to Deselect Package before configuring channel
+
+From: Paul Fertser <fercerpav@gmail.com>
+
+commit 6bb194d036c6e1b329dcdff459338cdd9a54802a upstream.
+
+The NCSI state machine as it's currently implemented assumes that
+transition to the next logical state is performed either explicitly by
+calling `schedule_work(&ndp->work)` to re-queue itself or implicitly
+after processing the predefined (ndp->pending_req_num) number of
+replies. Thus to avoid the configuration FSM from advancing prematurely
+and getting out of sync with the process it's essential to not skip
+waiting for a reply.
+
+This patch makes the code wait for reception of the Deselect Package
+response for the last package probed before proceeding to channel
+configuration.
+
+Thanks go to Potin Lai and Cosmo Chou for the initial investigation and
+testing.
+
+Fixes: 8e13f70be05e ("net/ncsi: Probe single packages to avoid conflict")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paul Fertser <fercerpav@gmail.com>
+Link: https://patch.msgid.link/20250116152900.8656-1-fercerpav@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ncsi/ncsi-manage.c |   13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/net/ncsi/ncsi-manage.c
++++ b/net/ncsi/ncsi-manage.c
+@@ -1385,6 +1385,12 @@ static void ncsi_probe_channel(struct nc
+               nd->state = ncsi_dev_state_probe_package;
+               break;
+       case ncsi_dev_state_probe_package:
++              if (ndp->package_probe_id >= 8) {
++                      /* Last package probed, finishing */
++                      ndp->flags |= NCSI_DEV_PROBED;
++                      break;
++              }
++
+               ndp->pending_req_num = 1;
+               nca.type = NCSI_PKT_CMD_SP;
+@@ -1501,13 +1507,8 @@ static void ncsi_probe_channel(struct nc
+               if (ret)
+                       goto error;
+-              /* Probe next package */
++              /* Probe next package after receiving response */
+               ndp->package_probe_id++;
+-              if (ndp->package_probe_id >= 8) {
+-                      /* Probe finished */
+-                      ndp->flags |= NCSI_DEV_PROBED;
+-                      break;
+-              }
+               nd->state = ncsi_dev_state_probe_package;
+               ndp->active_package = NULL;
+               break;
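Review bot: The relocated limit check `if (ndp->package_probe_id >= 8)` keeps a bare `8` for the number of packages probed; a named constant would make the bound self-describing and keep it in step with any other package-count limit in the driver. The early `break` also leaves `nd->state` at `ncsi_dev_state_probe_package` with `NCSI_DEV_PROBED` set. What follows the switch is outside the hunk, so a short comment naming the code that consumes the flag would help the next reader.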
diff --git a/queue-6.6/net-phy-c45-tjaxx-add-delay-between-mdio-write-and-read-in-soft_reset.patch b/queue-6.6/net-phy-c45-tjaxx-add-delay-between-mdio-write-and-read-in-soft_reset.patch
new file mode 100644 (file)
index 0000000..7dae427
--- /dev/null
@@ -0,0 +1,40 @@
+From bd1bbab717608757cccbbe08b0d46e6c3ed0ced5 Mon Sep 17 00:00:00 2001
+From: Milos Reljin <milos_reljin@outlook.com>
+Date: Fri, 24 Jan 2025 10:41:02 +0000
+Subject: net: phy: c45-tjaxx: add delay between MDIO write and read in soft_reset
+
+From: Milos Reljin <milos_reljin@outlook.com>
+
+commit bd1bbab717608757cccbbe08b0d46e6c3ed0ced5 upstream.
+
+In application note (AN13663) for TJA1120, on page 30, there's a figure
+with average PHY startup timing values following software reset.
+The time it takes for SMI to become operational after software reset
+ranges roughly from 500 us to 1500 us.
+
+This commit adds 2000 us delay after MDIO write which triggers software
+reset. Without this delay, soft_reset function returns an error and
+prevents successful PHY init.
+
+Cc: stable@vger.kernel.org
+Fixes: b050f2f15e04 ("phy: nxp-c45: add driver for tja1103")
+Signed-off-by: Milos Reljin <milos_reljin@outlook.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/AM8P250MB0124D258E5A71041AF2CC322E1E32@AM8P250MB0124.EURP250.PROD.OUTLOOK.COM
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/nxp-c45-tja11xx.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/phy/nxp-c45-tja11xx.c
++++ b/drivers/net/phy/nxp-c45-tja11xx.c
+@@ -1302,6 +1302,8 @@ static int nxp_c45_soft_reset(struct phy
+       if (ret)
+               return ret;
++      usleep_range(2000, 2050);
++
+       return phy_read_mmd_poll_timeout(phydev, MDIO_MMD_VEND1,
+                                        VEND1_DEVICE_CONTROL, ret,
+                                        !(ret & DEVICE_CONTROL_RESET), 20000,
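Review bot: The added `usleep_range(2000, 2050);` carries no comment, so the reason for the 2000 us figure lives only in the commit message. I would put `/* AN13663: SMI needs roughly 500-1500 us to become operational after a soft reset */` directly above it. The rest of nxp_c45_soft_reset() is outside the hunk.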
diff --git a/queue-6.6/nfc-nci-add-bounds-checking-in-nci_hci_create_pipe.patch b/queue-6.6/nfc-nci-add-bounds-checking-in-nci_hci_create_pipe.patch
new file mode 100644 (file)
index 0000000..6e52684
--- /dev/null
@@ -0,0 +1,36 @@
+From 110b43ef05342d5a11284cc8b21582b698b4ef1c Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Fri, 17 Jan 2025 12:38:41 +0300
+Subject: NFC: nci: Add bounds checking in nci_hci_create_pipe()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit 110b43ef05342d5a11284cc8b21582b698b4ef1c upstream.
+
+The "pipe" variable is a u8 which comes from the network.  If it's more
+than 127, then it results in memory corruption in the caller,
+nci_hci_connect_gate().
+
+Cc: stable@vger.kernel.org
+Fixes: a1b0b9415817 ("NFC: nci: Create pipe on specific gate in nci_hci_connect_gate")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://patch.msgid.link/bcf5453b-7204-4297-9c20-4d8c7dacf586@stanley.mountain
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/nci/hci.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/nfc/nci/hci.c
++++ b/net/nfc/nci/hci.c
+@@ -542,6 +542,8 @@ static u8 nci_hci_create_pipe(struct nci
+       pr_debug("pipe created=%d\n", pipe);
++      if (pipe >= NCI_HCI_MAX_PIPES)
++              pipe = NCI_HCI_INVALID_PIPE;
+       return pipe;
+ }
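Review bot: The out-of-range value is replaced silently: `pr_debug("pipe created=%d\n", pipe)` runs before the new check and reports the device-supplied number as a created pipe, and nothing is logged when it is rejected. I would move the check ahead of the debug print or add `pr_debug("invalid pipe %d\n", pipe);` in the new branch, with a comment that `pipe` comes from the device and is used as an index by the caller. The fix also relies on nci_hci_connect_gate() treating `NCI_HCI_INVALID_PIPE` as a failure before indexing with it; that caller is not in this hunk.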
diff --git a/queue-6.6/nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch b/queue-6.6/nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch
new file mode 100644 (file)
index 0000000..eb3a372
--- /dev/null
@@ -0,0 +1,58 @@
+From 6438ef381c183444f7f9d1de18f22661cba1e946 Mon Sep 17 00:00:00 2001
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Date: Sat, 25 Jan 2025 07:20:53 +0900
+Subject: nilfs2: fix possible int overflows in nilfs_fiemap()
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+commit 6438ef381c183444f7f9d1de18f22661cba1e946 upstream.
+
+Since nilfs_bmap_lookup_contig() in nilfs_fiemap() calculates its result
+by being prepared to go through potentially maxblocks == INT_MAX blocks,
+the value in n may experience an overflow caused by left shift of blkbits.
+
+While it is extremely unlikely to occur, play it safe and cast right hand
+expression to wider type to mitigate the issue.
+
+Found by Linux Verification Center (linuxtesting.org) with static analysis
+tool SVACE.
+
+Link: https://lkml.kernel.org/r/20250124222133.5323-1-konishi.ryusuke@gmail.com
+Fixes: 622daaff0a89 ("nilfs2: fiemap support")
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nilfs2/inode.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/nilfs2/inode.c
++++ b/fs/nilfs2/inode.c
+@@ -1267,7 +1267,7 @@ int nilfs_fiemap(struct inode *inode, st
+                       if (size) {
+                               if (phys && blkphy << blkbits == phys + size) {
+                                       /* The current extent goes on */
+-                                      size += n << blkbits;
++                                      size += (u64)n << blkbits;
+                               } else {
+                                       /* Terminate the current extent */
+                                       ret = fiemap_fill_next_extent(
+@@ -1280,14 +1280,14 @@ int nilfs_fiemap(struct inode *inode, st
+                                       flags = FIEMAP_EXTENT_MERGED;
+                                       logical = blkoff << blkbits;
+                                       phys = blkphy << blkbits;
+-                                      size = n << blkbits;
++                                      size = (u64)n << blkbits;
+                               }
+                       } else {
+                               /* Start a new extent */
+                               flags = FIEMAP_EXTENT_MERGED;
+                               logical = blkoff << blkbits;
+                               phys = blkphy << blkbits;
+-                              size = n << blkbits;
++                              size = (u64)n << blkbits;
+                       }
+                       blkoff += n;
+               }
diff --git a/queue-6.6/nvmem-core-improve-range-check-for-nvmem_cell_write.patch b/queue-6.6/nvmem-core-improve-range-check-for-nvmem_cell_write.patch
new file mode 100644 (file)
index 0000000..d931c7f
--- /dev/null
@@ -0,0 +1,47 @@
+From 31507fc2ad36e0071751a710449db19c85d82a7f Mon Sep 17 00:00:00 2001
+From: Jennifer Berringer <jberring@redhat.com>
+Date: Mon, 30 Dec 2024 14:19:01 +0000
+Subject: nvmem: core: improve range check for nvmem_cell_write()
+
+From: Jennifer Berringer <jberring@redhat.com>
+
+commit 31507fc2ad36e0071751a710449db19c85d82a7f upstream.
+
+When __nvmem_cell_entry_write() is called for an nvmem cell that does
+not need bit shifting, it requires that the len parameter exactly
+matches the nvmem cell size. However, when the nvmem cell has a nonzero
+bit_offset, it was skipping this check.
+
+Accepting values of len larger than the cell size results in
+nvmem_cell_prepare_write_buffer() trying to write past the end of a heap
+buffer that it allocates. Add a check to avoid that problem and instead
+return -EINVAL when len doesn't match the number of bits expected by the
+nvmem cell when bit_offset is nonzero.
+
+This check uses cell->nbits in order to allow providing the smaller size
+to cells that are shifted into another byte by bit_offset. For example,
+a cell with nbits=8 and nonzero bit_offset would have bytes=2 but should
+accept a 1-byte write here, although no current callers depend on this.
+
+Fixes: 69aba7948cbe ("nvmem: Add a simple NVMEM framework for consumers")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jennifer Berringer <jberring@redhat.com>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20241230141901.263976-7-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvmem/core.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/nvmem/core.c
++++ b/drivers/nvmem/core.c
+@@ -1725,6 +1725,8 @@ static int __nvmem_cell_entry_write(stru
+               return -EINVAL;
+       if (cell->bit_offset || cell->nbits) {
++              if (len != BITS_TO_BYTES(cell->nbits) && len != cell->bytes)
++                      return -EINVAL;
+               buf = nvmem_cell_prepare_write_buffer(cell, buf, len);
+               if (IS_ERR(buf))
+                       return PTR_ERR(buf);
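Review bot: The added length check accepts `len == 0` when `cell->nbits` is 0 and `cell->bit_offset` is non-zero, because `BITS_TO_BYTES(cell->nbits)` is then 0 while the enclosing `if (cell->bit_offset || cell->nbits)` is still taken. Whether such a cell can be registered is not visible here, so this is a question rather than a confirmed defect; if it can, `nvmem_cell_prepare_write_buffer()` is called with a zero length. A comment above the check would also help, e.g. `/* accept the bit-packed size or the full cell size; anything else would overrun the buffer prepared below */`. The function starts and ends outside the hunk.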
diff --git a/queue-6.6/nvmem-imx-ocotp-ele-fix-reading-from-non-zero-offset.patch b/queue-6.6/nvmem-imx-ocotp-ele-fix-reading-from-non-zero-offset.patch
new file mode 100644 (file)
index 0000000..c1202c6
--- /dev/null
@@ -0,0 +1,58 @@
+From 3c9e2cb6cecf65f7501004038c5d1ed85fb7db84 Mon Sep 17 00:00:00 2001
+From: Sascha Hauer <s.hauer@pengutronix.de>
+Date: Mon, 30 Dec 2024 14:18:57 +0000
+Subject: nvmem: imx-ocotp-ele: fix reading from non zero offset
+
+From: Sascha Hauer <s.hauer@pengutronix.de>
+
+commit 3c9e2cb6cecf65f7501004038c5d1ed85fb7db84 upstream.
+
+In imx_ocotp_reg_read() the offset comes in as bytes and not as words.
+This means we have to divide offset by 4 to get to the correct word
+offset.
+
+Also the incoming offset might not be word aligned. In order to read
+from the OCOTP the driver aligns down the previous word boundary and
+reads from there. This means we have to skip this alignment offset from
+the temporary buffer when copying the data to the output buffer.
+
+Fixes: 22e9e6fcfb50 ("nvmem: imx: support i.MX93 OCOTP")
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Cc: stable <stable@kernel.org>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20241230141901.263976-3-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvmem/imx-ocotp-ele.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/nvmem/imx-ocotp-ele.c
++++ b/drivers/nvmem/imx-ocotp-ele.c
+@@ -70,12 +70,14 @@ static int imx_ocotp_reg_read(void *cont
+       u32 *buf;
+       void *p;
+       int i;
++      u8 skipbytes;
+       if (offset + bytes > priv->data->size)
+               bytes = priv->data->size - offset;
+-      index = offset;
+-      num_bytes = round_up(bytes, 4);
++      index = offset >> 2;
++      skipbytes = offset - (index << 2);
++      num_bytes = round_up(bytes + skipbytes, 4);
+       count = num_bytes >> 2;
+       p = kzalloc(num_bytes, GFP_KERNEL);
+@@ -96,7 +98,7 @@ static int imx_ocotp_reg_read(void *cont
+               *buf++ = readl_relaxed(reg + (i << 2));
+       }
+-      memcpy(val, (u8 *)p, bytes);
++      memcpy(val, ((u8 *)p) + skipbytes, bytes);
+       mutex_unlock(&priv->lock);
diff --git a/queue-6.6/nvmem-imx-ocotp-ele-set-word-length-to-1.patch b/queue-6.6/nvmem-imx-ocotp-ele-set-word-length-to-1.patch
new file mode 100644 (file)
index 0000000..13d4f73
--- /dev/null
@@ -0,0 +1,45 @@
+From 1b2cb4d0b5b6a9d9fe78470704309ec75f8a1c3a Mon Sep 17 00:00:00 2001
+From: Sascha Hauer <s.hauer@pengutronix.de>
+Date: Mon, 30 Dec 2024 14:18:59 +0000
+Subject: nvmem: imx-ocotp-ele: set word length to 1
+
+From: Sascha Hauer <s.hauer@pengutronix.de>
+
+commit 1b2cb4d0b5b6a9d9fe78470704309ec75f8a1c3a upstream.
+
+The ELE hardware internally has a word length of 4. However, among other
+things we store MAC addresses in the ELE OCOTP. With a length of 6 bytes
+these are naturally unaligned to the word length. Therefore we must
+support unaligned reads in reg_read() and indeed it works properly when
+reg_read() is called via nvmem_reg_read(). Setting the word size to 4
+has the only visible effect that doing unaligned reads from userspace
+via bin_attr_nvmem_read() do not work because they are rejected by that
+function.
+
+Given that we have to abstract from word accesses to byte accesses in
+the driver, set the word size to 1. This allows bytewise accesses from
+userspace to be able to test what the driver has to support anyway.
+
+Fixes: 22e9e6fcfb50 ("nvmem: imx: support i.MX93 OCOTP")
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Cc: stable <stable@kernel.org>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20241230141901.263976-5-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvmem/imx-ocotp-ele.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvmem/imx-ocotp-ele.c
++++ b/drivers/nvmem/imx-ocotp-ele.c
+@@ -129,7 +129,7 @@ static int imx_ele_ocotp_probe(struct pl
+       priv->config.owner = THIS_MODULE;
+       priv->config.size = priv->data->size;
+       priv->config.reg_read = priv->data->reg_read;
+-      priv->config.word_size = 4;
++      priv->config.word_size = 1;
+       priv->config.stride = 1;
+       priv->config.priv = priv;
+       priv->config.read_only = true;
diff --git a/queue-6.6/nvmem-imx-ocotp-ele-simplify-read-beyond-device-check.patch b/queue-6.6/nvmem-imx-ocotp-ele-simplify-read-beyond-device-check.patch
new file mode 100644 (file)
index 0000000..15f64ca
--- /dev/null
@@ -0,0 +1,42 @@
+From 343aa1e289e8e3dba5e3d054c4eb27da7b4e1ecc Mon Sep 17 00:00:00 2001
+From: Sascha Hauer <s.hauer@pengutronix.de>
+Date: Mon, 30 Dec 2024 14:18:56 +0000
+Subject: nvmem: imx-ocotp-ele: simplify read beyond device check
+
+From: Sascha Hauer <s.hauer@pengutronix.de>
+
+commit 343aa1e289e8e3dba5e3d054c4eb27da7b4e1ecc upstream.
+
+Do the read beyond device check on function entry in bytes instead of
+32bit words which is easier to follow.
+
+Fixes: 22e9e6fcfb50 ("nvmem: imx: support i.MX93 OCOTP")
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Cc: stable <stable@kernel.org>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20241230141901.263976-2-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvmem/imx-ocotp-ele.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/nvmem/imx-ocotp-ele.c
++++ b/drivers/nvmem/imx-ocotp-ele.c
+@@ -71,13 +71,13 @@ static int imx_ocotp_reg_read(void *cont
+       void *p;
+       int i;
++      if (offset + bytes > priv->data->size)
++              bytes = priv->data->size - offset;
++
+       index = offset;
+       num_bytes = round_up(bytes, 4);
+       count = num_bytes >> 2;
+-      if (count > ((priv->data->size >> 2) - index))
+-              count = (priv->data->size >> 2) - index;
+-
+       p = kzalloc(num_bytes, GFP_KERNEL);
+       if (!p)
+               return -ENOMEM;
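Review bot: The new clamp `if (offset + bytes > priv->data->size) bytes = priv->data->size - offset;` does not handle an `offset` beyond `priv->data->size`: if the operands are unsigned, as they appear to be, the subtraction wraps to a very large `bytes`. That value then feeds `round_up()`, `kzalloc()` and the later copy into `val`. The nvmem core may already reject such offsets before calling reg_read, which is not visible from this hunk, so I would make the driver self-contained with `if (offset >= priv->data->size) return -EINVAL;` ahead of the clamp. The same two lines appear as context in the "fix reading from non zero offset" patch earlier on this page, where `bytes` is also the `memcpy()` length.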
diff --git a/queue-6.6/nvmem-qcom-spmi-sdam-set-size-in-struct-nvmem_config.patch b/queue-6.6/nvmem-qcom-spmi-sdam-set-size-in-struct-nvmem_config.patch
new file mode 100644 (file)
index 0000000..e712d89
--- /dev/null
@@ -0,0 +1,41 @@
+From e88f516ea417c71bb3702603ac6af9e95338cfa6 Mon Sep 17 00:00:00 2001
+From: Luca Weiss <luca.weiss@fairphone.com>
+Date: Mon, 30 Dec 2024 14:19:00 +0000
+Subject: nvmem: qcom-spmi-sdam: Set size in struct nvmem_config
+
+From: Luca Weiss <luca.weiss@fairphone.com>
+
+commit e88f516ea417c71bb3702603ac6af9e95338cfa6 upstream.
+
+Let the nvmem core know what size the SDAM is, most notably this fixes
+the size of /sys/bus/nvmem/devices/spmi_sdam*/nvmem being '0' and makes
+user space work with that file.
+
+  ~ # hexdump -C -s 64 /sys/bus/nvmem/devices/spmi_sdam2/nvmem
+  00000040  02 01 00 00 04 00 00 00  00 00 00 00 00 00 00 00  |................|
+  00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+  *
+  00000080
+
+Fixes: 40ce9798794f ("nvmem: add QTI SDAM driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
+Reviewed-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20241230141901.263976-6-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvmem/qcom-spmi-sdam.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/nvmem/qcom-spmi-sdam.c
++++ b/drivers/nvmem/qcom-spmi-sdam.c
+@@ -144,6 +144,7 @@ static int sdam_probe(struct platform_de
+       sdam->sdam_config.owner = THIS_MODULE;
+       sdam->sdam_config.add_legacy_fixed_of_cells = true;
+       sdam->sdam_config.stride = 1;
++      sdam->sdam_config.size = sdam->size;
+       sdam->sdam_config.word_size = 1;
+       sdam->sdam_config.reg_read = sdam_read;
+       sdam->sdam_config.reg_write = sdam_write;
diff --git a/queue-6.6/ocfs2-fix-incorrect-cpu-endianness-conversion-causing-mount-failure.patch b/queue-6.6/ocfs2-fix-incorrect-cpu-endianness-conversion-causing-mount-failure.patch
new file mode 100644 (file)
index 0000000..91f4a59
--- /dev/null
@@ -0,0 +1,41 @@
+From f921da2c34692dfec5f72b5ae347b1bea22bb369 Mon Sep 17 00:00:00 2001
+From: Heming Zhao <heming.zhao@suse.com>
+Date: Tue, 21 Jan 2025 19:22:03 +0800
+Subject: ocfs2: fix incorrect CPU endianness conversion causing mount failure
+
+From: Heming Zhao <heming.zhao@suse.com>
+
+commit f921da2c34692dfec5f72b5ae347b1bea22bb369 upstream.
+
+Commit 23aab037106d ("ocfs2: fix UBSAN warning in ocfs2_verify_volume()")
+introduced a regression bug.  The blksz_bits value is already converted to
+CPU endian in the previous code; therefore, the code shouldn't use
+le32_to_cpu() anymore.
+
+Link: https://lkml.kernel.org/r/20250121112204.12834-1-heming.zhao@suse.com
+Fixes: 23aab037106d ("ocfs2: fix UBSAN warning in ocfs2_verify_volume()")
+Signed-off-by: Heming Zhao <heming.zhao@suse.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/super.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ocfs2/super.c
++++ b/fs/ocfs2/super.c
+@@ -2343,7 +2343,7 @@ static int ocfs2_verify_volume(struct oc
+                       mlog(ML_ERROR, "found superblock with incorrect block "
+                            "size bits: found %u, should be 9, 10, 11, or 12\n",
+                            blksz_bits);
+-              } else if ((1 << le32_to_cpu(blksz_bits)) != blksz) {
++              } else if ((1 << blksz_bits) != blksz) {
+                       mlog(ML_ERROR, "found superblock with incorrect block "
+                            "size: found %u, should be %u\n", 1 << blksz_bits, blksz);
+               } else if (le16_to_cpu(di->id2.i_super.s_major_rev_level) !=
diff --git a/queue-6.6/ocfs2-handle-a-symlink-read-error-correctly.patch b/queue-6.6/ocfs2-handle-a-symlink-read-error-correctly.patch
new file mode 100644 (file)
index 0000000..94af19f
--- /dev/null
@@ -0,0 +1,65 @@
+From 2b4c2094da6d84e69b843dd3317902e977bf64bd Mon Sep 17 00:00:00 2001
+From: "Matthew Wilcox (Oracle)" <willy@infradead.org>
+Date: Thu, 5 Dec 2024 17:16:29 +0000
+Subject: ocfs2: handle a symlink read error correctly
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+commit 2b4c2094da6d84e69b843dd3317902e977bf64bd upstream.
+
+Patch series "Convert ocfs2 to use folios".
+
+Mark did a conversion of ocfs2 to use folios and sent it to me as a
+giant patch for review ;-)
+
+So I've redone it as individual patches, and credited Mark for the patches
+where his code is substantially the same.  It's not a bad way to do it;
+his patch had some bugs and my patches had some bugs.  Hopefully all our
+bugs were different from each other.  And hopefully Mark likes all the
+changes I made to his code!
+
+
+This patch (of 23):
+
+If we can't read the buffer, be sure to unlock the page before returning.
+
+Link: https://lkml.kernel.org/r/20241205171653.3179945-1-willy@infradead.org
+Link: https://lkml.kernel.org/r/20241205171653.3179945-2-willy@infradead.org
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: Mark Tinguely <mark.tinguely@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/symlink.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/ocfs2/symlink.c
++++ b/fs/ocfs2/symlink.c
+@@ -65,7 +65,7 @@ static int ocfs2_fast_symlink_read_folio
+       if (status < 0) {
+               mlog_errno(status);
+-              return status;
++              goto out;
+       }
+       fe = (struct ocfs2_dinode *) bh->b_data;
+@@ -76,9 +76,10 @@ static int ocfs2_fast_symlink_read_folio
+       memcpy(kaddr, link, len + 1);
+       kunmap_atomic(kaddr);
+       SetPageUptodate(page);
++out:
+       unlock_page(page);
+       brelse(bh);
+-      return 0;
++      return status;
+ }
+ const struct address_space_operations ocfs2_fast_symlink_aops = {
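Review bot: The new `out:` path in ocfs2_fast_symlink_read_folio() reaches `brelse(bh)` even when the inode block read failed, so it depends on `bh` being NULL-initialised and left NULL by the failing read. The declaration is outside the hunk, so that cannot be confirmed from here. brelse() tolerates NULL, but the dependency is worth recording next to the label, e.g. `/* bh is still NULL here if the inode block read failed; brelse(NULL) is a no-op */`. The function body starts outside the hunk.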
diff --git a/queue-6.6/pinctrl-samsung-fix-fwnode-refcount-cleanup-if-platform_get_irq_optional-fails.patch b/queue-6.6/pinctrl-samsung-fix-fwnode-refcount-cleanup-if-platform_get_irq_optional-fails.patch
new file mode 100644 (file)
index 0000000..65dc2bb
--- /dev/null
@@ -0,0 +1,44 @@
+From 459915f55509f4bfd6076daa1428e28490ddee3b Mon Sep 17 00:00:00 2001
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Date: Wed, 6 Nov 2024 23:04:39 +0100
+Subject: pinctrl: samsung: fix fwnode refcount cleanup if platform_get_irq_optional() fails
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+commit 459915f55509f4bfd6076daa1428e28490ddee3b upstream.
+
+Commit 50ebd19e3585 ("pinctrl: samsung: drop pin banks references on
+error paths") fixed the pin bank references on the error paths of the
+probe function, but there is still an error path where this is not done.
+
+If samsung_pinctrl_get_soc_data() does not fail, the child references
+will have acquired, and they will need to be released in the error path
+of platform_get_irq_optional(), as it is done in the following error
+paths within the probe function.
+
+Replace the direct return in the error path with a goto instruction to
+the cleanup function.
+
+Cc: stable@vger.kernel.org
+Fixes: a382d568f144 ("pinctrl: samsung: Use platform_get_irq_optional() to get the interrupt")
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Link: https://lore.kernel.org/r/20241106-samsung-pinctrl-put-v1-1-de854e26dd03@gmail.com
+[krzysztof: change Fixes SHA to point to commit introducing the return
+ leading to OF node leak]
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/samsung/pinctrl-samsung.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/samsung/pinctrl-samsung.c
++++ b/drivers/pinctrl/samsung/pinctrl-samsung.c
+@@ -1150,7 +1150,7 @@ static int samsung_pinctrl_probe(struct
+       ret = platform_get_irq_optional(pdev, 0);
+       if (ret < 0 && ret != -ENXIO)
+-              return ret;
++              goto err_put_banks;
+       if (ret > 0)
+               drvdata->irq = ret;
diff --git a/queue-6.6/pnfs-flexfiles-retry-getting-layout-segment-for-reads.patch b/queue-6.6/pnfs-flexfiles-retry-getting-layout-segment-for-reads.patch
new file mode 100644 (file)
index 0000000..725efbb
--- /dev/null
@@ -0,0 +1,78 @@
+From eb3fabde15bccdf34f1c9b35a83aa4c0dacbb4ca Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@kernel.org>
+Date: Thu, 16 Jan 2025 20:05:39 -0500
+Subject: pnfs/flexfiles: retry getting layout segment for reads
+
+From: Mike Snitzer <snitzer@kernel.org>
+
+commit eb3fabde15bccdf34f1c9b35a83aa4c0dacbb4ca upstream.
+
+If ff_layout_pg_get_read()'s attempt to get a layout segment results
+in -EAGAIN have ff_layout_pg_init_read() retry it after sleeping.
+
+If "softerr" mount is used, use 'io_maxretrans' to limit the number of
+attempts to get a layout segment.
+
+This fixes a long-standing issue of O_DIRECT reads failing with
+-EAGAIN (11) when using flexfiles Client Side Mirroring (CSM).
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/flexfilelayout/flexfilelayout.c |   27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+--- a/fs/nfs/flexfilelayout/flexfilelayout.c
++++ b/fs/nfs/flexfilelayout/flexfilelayout.c
+@@ -839,6 +839,9 @@ ff_layout_pg_init_read(struct nfs_pageio
+       struct nfs4_pnfs_ds *ds;
+       u32 ds_idx;
++      if (NFS_SERVER(pgio->pg_inode)->flags &
++                      (NFS_MOUNT_SOFT|NFS_MOUNT_SOFTERR))
++              pgio->pg_maxretrans = io_maxretrans;
+ retry:
+       ff_layout_pg_check_layout(pgio, req);
+       /* Use full layout for now */
+@@ -852,6 +855,8 @@ retry:
+               if (!pgio->pg_lseg)
+                       goto out_nolseg;
+       }
++      /* Reset wb_nio, since getting layout segment was successful */
++      req->wb_nio = 0;
+       ds = ff_layout_get_ds_for_read(pgio, &ds_idx);
+       if (!ds) {
+@@ -868,14 +873,24 @@ retry:
+       pgm->pg_bsize = mirror->mirror_ds->ds_versions[0].rsize;
+       pgio->pg_mirror_idx = ds_idx;
+-
+-      if (NFS_SERVER(pgio->pg_inode)->flags &
+-                      (NFS_MOUNT_SOFT|NFS_MOUNT_SOFTERR))
+-              pgio->pg_maxretrans = io_maxretrans;
+       return;
+ out_nolseg:
+-      if (pgio->pg_error < 0)
+-              return;
++      if (pgio->pg_error < 0) {
++              if (pgio->pg_error != -EAGAIN)
++                      return;
++              /* Retry getting layout segment if lower layer returned -EAGAIN */
++              if (pgio->pg_maxretrans && req->wb_nio++ > pgio->pg_maxretrans) {
++                      if (NFS_SERVER(pgio->pg_inode)->flags & NFS_MOUNT_SOFTERR)
++                              pgio->pg_error = -ETIMEDOUT;
++                      else
++                              pgio->pg_error = -EIO;
++                      return;
++              }
++              pgio->pg_error = 0;
++              /* Sleep for 1 second before retrying */
++              ssleep(1);
++              goto retry;
++      }
+ out_mds:
+       trace_pnfs_mds_fallback_pg_init_read(pgio->pg_inode,
+                       0, NFS4_MAX_UINT64, IOMODE_READ,
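Review bot: The `out_nolseg` retry has no upper bound when `pgio->pg_maxretrans` is 0, which appears to be the case for mounts without soft/softerr, since the assignment moved to the top of ff_layout_pg_init_read() is conditional on those flags. Each round then sleeps in `ssleep(1)`, which is uninterruptible, so a lower layer that keeps returning -EAGAIN would hold the reading task in a loop it cannot be killed out of. Consider leaving the loop on a fatal signal before sleeping, for example `if (fatal_signal_pending(current)) { pgio->pg_error = -EINTR; return; }`, or using a killable sleep. Separately, `req->wb_nio++ > pgio->pg_maxretrans` compares the pre-increment value, so the limit allows one more attempt than `>=` would; a short comment stating the intended count would help. The function continues outside the hunk.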
diff --git a/queue-6.6/ptp-ensure-info-enable-callback-is-always-set.patch b/queue-6.6/ptp-ensure-info-enable-callback-is-always-set.patch
new file mode 100644 (file)
index 0000000..4bc47c0
--- /dev/null
@@ -0,0 +1,54 @@
+From fd53aa40e65f518453115b6f56183b0c201db26b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= <linux@weissschuh.net>
+Date: Thu, 23 Jan 2025 08:22:40 +0100
+Subject: ptp: Ensure info->enable callback is always set
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <linux@weissschuh.net>
+
+commit fd53aa40e65f518453115b6f56183b0c201db26b upstream.
+
+The ioctl and sysfs handlers unconditionally call the ->enable callback.
+Not all drivers implement that callback, leading to NULL dereferences.
+Example of affected drivers: ptp_s390.c, ptp_vclock.c and ptp_mock.c.
+
+Instead use a dummy callback if no better was specified by the driver.
+
+Fixes: d94ba80ebbea ("ptp: Added a brand new class driver for ptp clocks.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Acked-by: Richard Cochran <richardcochran@gmail.com>
+Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Link: https://patch.msgid.link/20250123-ptp-enable-v1-1-b015834d3a47@weissschuh.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ptp/ptp_clock.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/ptp/ptp_clock.c
++++ b/drivers/ptp/ptp_clock.c
+@@ -189,6 +189,11 @@ static int ptp_getcycles64(struct ptp_cl
+               return info->gettime64(info, ts);
+ }
++static int ptp_enable(struct ptp_clock_info *ptp, struct ptp_clock_request *request, int on)
++{
++      return -EOPNOTSUPP;
++}
++
+ static void ptp_aux_kworker(struct kthread_work *work)
+ {
+       struct ptp_clock *ptp = container_of(work, struct ptp_clock,
+@@ -251,6 +256,9 @@ struct ptp_clock *ptp_clock_register(str
+                       ptp->info->getcrosscycles = ptp->info->getcrosststamp;
+       }
++      if (!ptp->info->enable)
++              ptp->info->enable = ptp_enable;
++
+       if (ptp->info->do_aux_work) {
+               kthread_init_delayed_work(&ptp->aux_work, ptp_aux_kworker);
+               ptp->kworker = kthread_create_worker(0, "ptp%d", ptp->index);
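Review bot: The fallback `ptp->info->enable = ptp_enable;` only protects the ioctl and sysfs handlers if it runs before the clock becomes reachable from user space. The hunk places it before the aux worker setup, but the device and character-device registration in ptp_clock_register() lie outside the hunk, so the ordering should be confirmed and stated. A comment above the check would record it, e.g. `/* Must be set before the clock is exposed: ioctl and sysfs call ->enable unconditionally */`. The stub would also read better with a one-line comment such as `/* Default ->enable for drivers that provide none */`, since the name `ptp_enable` does not say that it does nothing and returns -EOPNOTSUPP.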
diff --git a/queue-6.6/rtc-zynqmp-fix-optional-clock-name-property.patch b/queue-6.6/rtc-zynqmp-fix-optional-clock-name-property.patch
new file mode 100644 (file)
index 0000000..bb84807
--- /dev/null
@@ -0,0 +1,39 @@
+From 2a388ff22d2cbfc5cbd628ef085bdcd3b7dc64f5 Mon Sep 17 00:00:00 2001
+From: Michal Simek <michal.simek@amd.com>
+Date: Wed, 27 Nov 2024 17:01:22 +0100
+Subject: rtc: zynqmp: Fix optional clock name property
+
+From: Michal Simek <michal.simek@amd.com>
+
+commit 2a388ff22d2cbfc5cbd628ef085bdcd3b7dc64f5 upstream.
+
+Clock description in DT binding introduced by commit f69060c14431
+("dt-bindings: rtc: zynqmp: Add clock information") is talking about "rtc"
+clock name but driver is checking "rtc_clk" name instead.
+Because clock is optional property likely in was never handled properly by
+the driver.
+
+Fixes: 07dcc6f9c762 ("rtc: zynqmp: Add calibration set and get support")
+Signed-off-by: Michal Simek <michal.simek@amd.com>
+Cc: stable@kernel.org
+Reviewed-by: Peter Korsgaard <peter@korsgaard.com>
+Link: https://lore.kernel.org/r/cd5f0c9d01ec1f5a240e37a7e0d85b8dacb3a869.1732723280.git.michal.simek@amd.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-zynqmp.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/rtc/rtc-zynqmp.c
++++ b/drivers/rtc/rtc-zynqmp.c
+@@ -318,8 +318,8 @@ static int xlnx_rtc_probe(struct platfor
+               return ret;
+       }
+-      /* Getting the rtc_clk info */
+-      xrtcdev->rtc_clk = devm_clk_get_optional(&pdev->dev, "rtc_clk");
++      /* Getting the rtc info */
++      xrtcdev->rtc_clk = devm_clk_get_optional(&pdev->dev, "rtc");
+       if (IS_ERR(xrtcdev->rtc_clk)) {
+               if (PTR_ERR(xrtcdev->rtc_clk) != -EPROBE_DEFER)
+                       dev_warn(&pdev->dev, "Device clock not found.\n");
diff --git a/queue-6.6/rtla-add-trace_instance_stop.patch b/queue-6.6/rtla-add-trace_instance_stop.patch
new file mode 100644 (file)
index 0000000..bcd1987
--- /dev/null
@@ -0,0 +1,55 @@
+From e879b5dcf8d044f3865a32d95cc5b213f314c54f Mon Sep 17 00:00:00 2001
+From: Tomas Glozar <tglozar@redhat.com>
+Date: Thu, 16 Jan 2025 15:49:27 +0100
+Subject: rtla: Add trace_instance_stop
+
+From: Tomas Glozar <tglozar@redhat.com>
+
+commit e879b5dcf8d044f3865a32d95cc5b213f314c54f upstream.
+
+Support not only turning trace on for the timerlat tracer, but also
+turning it off.
+
+This will be used in subsequent patches to stop the timerlat tracer
+without also wiping the trace buffer.
+
+Cc: stable@vger.kernel.org
+Cc: John Kacur <jkacur@redhat.com>
+Cc: Luis Goncalves <lgoncalv@redhat.com>
+Cc: Gabriele Monaco <gmonaco@redhat.com>
+Link: https://lore.kernel.org/20250116144931.649593-2-tglozar@redhat.com
+Signed-off-by: Tomas Glozar <tglozar@redhat.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/tracing/rtla/src/trace.c |    8 ++++++++
+ tools/tracing/rtla/src/trace.h |    1 +
+ 2 files changed, 9 insertions(+)
+
+--- a/tools/tracing/rtla/src/trace.c
++++ b/tools/tracing/rtla/src/trace.c
+@@ -197,6 +197,14 @@ int trace_instance_start(struct trace_in
+ }
+ /*
++ * trace_instance_stop - stop tracing a given rtla instance
++ */
++int trace_instance_stop(struct trace_instance *trace)
++{
++      return tracefs_trace_off(trace->inst);
++}
++
++/*
+  * trace_events_free - free a list of trace events
+  */
+ static void trace_events_free(struct trace_events *events)
+--- a/tools/tracing/rtla/src/trace.h
++++ b/tools/tracing/rtla/src/trace.h
+@@ -21,6 +21,7 @@ struct trace_instance {
+ int trace_instance_init(struct trace_instance *trace, char *tool_name);
+ int trace_instance_start(struct trace_instance *trace);
++int trace_instance_stop(struct trace_instance *trace);
+ void trace_instance_destroy(struct trace_instance *trace);
+ struct trace_seq *get_trace_seq(void);
diff --git a/queue-6.6/rtla-osnoise-distinguish-missing-workload-option.patch b/queue-6.6/rtla-osnoise-distinguish-missing-workload-option.patch
new file mode 100644 (file)
index 0000000..f835627
--- /dev/null
@@ -0,0 +1,36 @@
+From 80d3ba1cf51bfbbb3b098434f2b2c95cd7c0ae5c Mon Sep 17 00:00:00 2001
+From: Tomas Glozar <tglozar@redhat.com>
+Date: Tue, 7 Jan 2025 15:48:21 +0100
+Subject: rtla/osnoise: Distinguish missing workload option
+
+From: Tomas Glozar <tglozar@redhat.com>
+
+commit 80d3ba1cf51bfbbb3b098434f2b2c95cd7c0ae5c upstream.
+
+osnoise_set_workload returns -1 for both missing OSNOISE_WORKLOAD option
+and failure in setting the option.
+
+Return -1 for missing and -2 for failure to distinguish them.
+
+Cc: stable@vger.kernel.org
+Cc: John Kacur <jkacur@redhat.com>
+Cc: Luis Goncalves <lgoncalv@redhat.com>
+Link: https://lore.kernel.org/20250107144823.239782-2-tglozar@redhat.com
+Signed-off-by: Tomas Glozar <tglozar@redhat.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/tracing/rtla/src/osnoise.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/tracing/rtla/src/osnoise.c
++++ b/tools/tracing/rtla/src/osnoise.c
+@@ -867,7 +867,7 @@ int osnoise_set_workload(struct osnoise_
+       retval = osnoise_options_set_option("OSNOISE_WORKLOAD", onoff);
+       if (retval < 0)
+-              return -1;
++              return -2;
+       context->opt_workload = onoff;
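Review bot: The return values of osnoise_set_workload() are now bare magic numbers with distinct meanings, and `return -2;` is only understandable together with the callers in the timerlat_hist and timerlat_top patches, which test `retval < -1`. Any other caller that still tests `if (retval)` or `retval < 0` keeps treating both cases as failure, which cannot be checked from this hunk. Document the contract in the function's header comment, e.g. `returns 0 on success, -1 if OSNOISE_WORKLOAD is not available, -2 if setting it failed`, or give the two codes names. The function starts outside the hunk.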
diff --git a/queue-6.6/rtla-timerlat_hist-set-osnoise_workload-for-kernel-threads.patch b/queue-6.6/rtla-timerlat_hist-set-osnoise_workload-for-kernel-threads.patch
new file mode 100644 (file)
index 0000000..27da2b0
--- /dev/null
@@ -0,0 +1,72 @@
+From d8d866171a414ed88bd0d720864095fd75461134 Mon Sep 17 00:00:00 2001
+From: Tomas Glozar <tglozar@redhat.com>
+Date: Tue, 7 Jan 2025 15:48:22 +0100
+Subject: rtla/timerlat_hist: Set OSNOISE_WORKLOAD for kernel threads
+
+From: Tomas Glozar <tglozar@redhat.com>
+
+commit d8d866171a414ed88bd0d720864095fd75461134 upstream.
+
+When using rtla timerlat with userspace threads (-u or -U), rtla
+disables the OSNOISE_WORKLOAD option in
+/sys/kernel/tracing/osnoise/options. This option is not re-enabled in a
+subsequent run with kernel-space threads, leading to rtla collecting no
+results if the previous run exited abnormally:
+
+$ rtla timerlat hist -u
+^\Quit (core dumped)
+$ rtla timerlat hist -k -d 1s
+Index
+over:
+count:
+min:
+avg:
+max:
+ALL:        IRQ       Thr       Usr
+count:        0         0         0
+min:          -         -         -
+avg:          -         -         -
+max:          -         -         -
+
+The issue persists until OSNOISE_WORKLOAD is set manually by running:
+$ echo OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options
+
+Set OSNOISE_WORKLOAD when running rtla with kernel-space threads if
+available to fix the issue.
+
+Cc: stable@vger.kernel.org
+Cc: John Kacur <jkacur@redhat.com>
+Cc: Luis Goncalves <lgoncalv@redhat.com>
+Link: https://lore.kernel.org/20250107144823.239782-3-tglozar@redhat.com
+Fixes: ed774f7481fa ("rtla/timerlat_hist: Add timerlat user-space support")
+Signed-off-by: Tomas Glozar <tglozar@redhat.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/tracing/rtla/src/timerlat_hist.c |   15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/tools/tracing/rtla/src/timerlat_hist.c
++++ b/tools/tracing/rtla/src/timerlat_hist.c
+@@ -900,12 +900,15 @@ timerlat_hist_apply_config(struct osnois
+               auto_house_keeping(&params->monitored_cpus);
+       }
+-      if (params->user_hist) {
+-              retval = osnoise_set_workload(tool->context, 0);
+-              if (retval) {
+-                      err_msg("Failed to set OSNOISE_WORKLOAD option\n");
+-                      goto out_err;
+-              }
++      /*
++      * Set workload according to type of thread if the kernel supports it.
++      * On kernels without support, user threads will have already failed
++      * on missing timerlat_fd, and kernel threads do not need it.
++      */
++      retval = osnoise_set_workload(tool->context, params->kernel_workload);
++      if (retval < -1) {
++              err_msg("Failed to set OSNOISE_WORKLOAD option\n");
++              goto out_err;
+       }
+       return 0;
diff --git a/queue-6.6/rtla-timerlat_hist-stop-timerlat-tracer-on-signal.patch b/queue-6.6/rtla-timerlat_hist-stop-timerlat-tracer-on-signal.patch
new file mode 100644 (file)
index 0000000..a0fa5e3
--- /dev/null
@@ -0,0 +1,71 @@
+From c73cab9dbed04d8f65ca69177b4b21ed3e09dfa7 Mon Sep 17 00:00:00 2001
+From: Tomas Glozar <tglozar@redhat.com>
+Date: Thu, 16 Jan 2025 15:49:28 +0100
+Subject: rtla/timerlat_hist: Stop timerlat tracer on signal
+
+From: Tomas Glozar <tglozar@redhat.com>
+
+commit c73cab9dbed04d8f65ca69177b4b21ed3e09dfa7 upstream.
+
+Currently, when either SIGINT from the user or SIGALRM from the duration
+timer is caught by rtla-timerlat, stop_tracing is set to break out of
+the main loop. This is not sufficient for cases where the timerlat
+tracer is producing more data than rtla can consume, since in that case,
+rtla is looping indefinitely inside tracefs_iterate_raw_events, never
+reaches the check of stop_tracing and hangs.
+
+In addition to setting stop_tracing, also stop the timerlat tracer on
+received signal (SIGINT or SIGALRM). This will stop new samples so that
+the existing samples may be processed and tracefs_iterate_raw_events
+eventually exits.
+
+Cc: stable@vger.kernel.org
+Cc: John Kacur <jkacur@redhat.com>
+Cc: Luis Goncalves <lgoncalv@redhat.com>
+Cc: Gabriele Monaco <gmonaco@redhat.com>
+Link: https://lore.kernel.org/20250116144931.649593-3-tglozar@redhat.com
+Fixes: 1eeb6328e8b3 ("rtla/timerlat: Add timerlat hist mode")
+Signed-off-by: Tomas Glozar <tglozar@redhat.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/tracing/rtla/src/timerlat_hist.c |   11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/tools/tracing/rtla/src/timerlat_hist.c
++++ b/tools/tracing/rtla/src/timerlat_hist.c
+@@ -949,9 +949,12 @@ out_err:
+ }
+ static int stop_tracing;
++static struct trace_instance *hist_inst = NULL;
+ static void stop_hist(int sig)
+ {
+       stop_tracing = 1;
++      if (hist_inst)
++              trace_instance_stop(hist_inst);
+ }
+ /*
+@@ -997,6 +1000,12 @@ int timerlat_hist_main(int argc, char *a
+       }
+       trace = &tool->trace;
++      /*
++       * Save trace instance into global variable so that SIGINT can stop
++       * the timerlat tracer.
++       * Otherwise, rtla could loop indefinitely when overloaded.
++       */
++      hist_inst = trace;
+       retval = enable_timerlat(trace);
+       if (retval) {
+@@ -1129,7 +1138,7 @@ int timerlat_hist_main(int argc, char *a
+       return_value = 0;
+-      if (trace_is_off(&tool->trace, &record->trace)) {
++      if (trace_is_off(&tool->trace, &record->trace) && !stop_tracing) {
+               printf("rtla timerlat hit stop tracing\n");
+               if (!params->no_aa)
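Review bot: stop_hist() is a signal handler and now calls trace_instance_stop(), which goes into tracefs_trace_off(); unless that library call is async-signal-safe (not verifiable from this patch), running it from the handler while the main loop is inside tracefs_iterate_raw_events() can re-enter non-reentrant code. Two smaller points in the same change: `stop_tracing` is a plain `static int` shared with the handler and would be better declared as `static volatile sig_atomic_t stop_tracing;`, and `hist_inst` is never reset, so a late SIGINT or SIGALRM during teardown could use an instance that has already been destroyed; setting `hist_inst = NULL;` before the instance is freed closes that window (the teardown code is outside the hunk). The added comment mentions only SIGINT although the commit message says the handler also serves SIGALRM. The same points apply to stop_top() and `top_inst` in the timerlat_top patch further down.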
diff --git a/queue-6.6/rtla-timerlat_top-set-osnoise_workload-for-kernel-threads.patch b/queue-6.6/rtla-timerlat_top-set-osnoise_workload-for-kernel-threads.patch
new file mode 100644 (file)
index 0000000..d2887a3
--- /dev/null
@@ -0,0 +1,64 @@
+From 217f0b1e990e30a1f06f6d531fdb4530f4788d48 Mon Sep 17 00:00:00 2001
+From: Tomas Glozar <tglozar@redhat.com>
+Date: Tue, 7 Jan 2025 15:48:23 +0100
+Subject: rtla/timerlat_top: Set OSNOISE_WORKLOAD for kernel threads
+
+From: Tomas Glozar <tglozar@redhat.com>
+
+commit 217f0b1e990e30a1f06f6d531fdb4530f4788d48 upstream.
+
+When using rtla timerlat with userspace threads (-u or -U), rtla
+disables the OSNOISE_WORKLOAD option in
+/sys/kernel/tracing/osnoise/options. This option is not re-enabled in a
+subsequent run with kernel-space threads, leading to rtla collecting no
+results if the previous run exited abnormally:
+
+$ rtla timerlat top -u
+^\Quit (core dumped)
+$ rtla timerlat top -k -d 1s
+                                     Timer Latency
+  0 00:00:01   |          IRQ Timer Latency (us)        |         Thread Timer Latency (us)
+CPU COUNT      |      cur       min       avg       max |      cur       min       avg       max
+
+The issue persists until OSNOISE_WORKLOAD is set manually by running:
+$ echo OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options
+
+Set OSNOISE_WORKLOAD when running rtla with kernel-space threads if
+available to fix the issue.
+
+Cc: stable@vger.kernel.org
+Cc: John Kacur <jkacur@redhat.com>
+Cc: Luis Goncalves <lgoncalv@redhat.com>
+Link: https://lore.kernel.org/20250107144823.239782-4-tglozar@redhat.com
+Fixes: cdca4f4e5e8e ("rtla/timerlat_top: Add timerlat user-space support")
+Signed-off-by: Tomas Glozar <tglozar@redhat.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/tracing/rtla/src/timerlat_top.c |   15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/tools/tracing/rtla/src/timerlat_top.c
++++ b/tools/tracing/rtla/src/timerlat_top.c
+@@ -679,12 +679,15 @@ timerlat_top_apply_config(struct osnoise
+               auto_house_keeping(&params->monitored_cpus);
+       }
+-      if (params->user_top) {
+-              retval = osnoise_set_workload(top->context, 0);
+-              if (retval) {
+-                      err_msg("Failed to set OSNOISE_WORKLOAD option\n");
+-                      goto out_err;
+-              }
++      /*
++      * Set workload according to type of thread if the kernel supports it.
++      * On kernels without support, user threads will have already failed
++      * on missing timerlat_fd, and kernel threads do not need it.
++      */
++      retval = osnoise_set_workload(top->context, params->kernel_workload);
++      if (retval < -1) {
++              err_msg("Failed to set OSNOISE_WORKLOAD option\n");
++              goto out_err;
+       }
+       return 0;
diff --git a/queue-6.6/rtla-timerlat_top-stop-timerlat-tracer-on-signal.patch b/queue-6.6/rtla-timerlat_top-stop-timerlat-tracer-on-signal.patch
new file mode 100644 (file)
index 0000000..7dc7e61
--- /dev/null
@@ -0,0 +1,72 @@
+From a4dfce7559d75430c464294ddee554be2a413c4a Mon Sep 17 00:00:00 2001
+From: Tomas Glozar <tglozar@redhat.com>
+Date: Thu, 16 Jan 2025 15:49:29 +0100
+Subject: rtla/timerlat_top: Stop timerlat tracer on signal
+
+From: Tomas Glozar <tglozar@redhat.com>
+
+commit a4dfce7559d75430c464294ddee554be2a413c4a upstream.
+
+Currently, when either SIGINT from the user or SIGALRM from the duration
+timer is caught by rtla-timerlat, stop_tracing is set to break out of
+the main loop. This is not sufficient for cases where the timerlat
+tracer is producing more data than rtla can consume, since in that case,
+rtla is looping indefinitely inside tracefs_iterate_raw_events, never
+reaches the check of stop_tracing and hangs.
+
+In addition to setting stop_tracing, also stop the timerlat tracer on
+received signal (SIGINT or SIGALRM). This will stop new samples so that
+the existing samples may be processed and tracefs_iterate_raw_events
+eventually exits.
+
+Cc: stable@vger.kernel.org
+Cc: John Kacur <jkacur@redhat.com>
+Cc: Luis Goncalves <lgoncalv@redhat.com>
+Cc: Gabriele Monaco <gmonaco@redhat.com>
+Link: https://lore.kernel.org/20250116144931.649593-4-tglozar@redhat.com
+Fixes: a828cd18bc4a ("rtla: Add timerlat tool and timelart top mode")
+Signed-off-by: Tomas Glozar <tglozar@redhat.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/tracing/rtla/src/timerlat_top.c |   12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/tools/tracing/rtla/src/timerlat_top.c
++++ b/tools/tracing/rtla/src/timerlat_top.c
+@@ -728,9 +728,12 @@ out_err:
+ }
+ static int stop_tracing;
++static struct trace_instance *top_inst = NULL;
+ static void stop_top(int sig)
+ {
+       stop_tracing = 1;
++      if (top_inst)
++              trace_instance_stop(top_inst);
+ }
+ /*
+@@ -777,6 +780,13 @@ int timerlat_top_main(int argc, char *ar
+       }
+       trace = &top->trace;
++      /*
++      * Save trace instance into global variable so that SIGINT can stop
++      * the timerlat tracer.
++      * Otherwise, rtla could loop indefinitely when overloaded.
++      */
++      top_inst = trace;
++
+       retval = enable_timerlat(trace);
+       if (retval) {
+@@ -925,7 +935,7 @@ int timerlat_top_main(int argc, char *ar
+       return_value = 0;
+-      if (trace_is_off(&top->trace, &record->trace)) {
++      if (trace_is_off(&top->trace, &record->trace) && !stop_tracing) {
+               printf("rtla timerlat hit stop tracing\n");
+               if (!params->no_aa)
diff --git a/queue-6.6/scripts-gdb-fix-aarch64-userspace-detection-in-get_current_task.patch b/queue-6.6/scripts-gdb-fix-aarch64-userspace-detection-in-get_current_task.patch
new file mode 100644 (file)
index 0000000..f7834d4
--- /dev/null
@@ -0,0 +1,34 @@
+From 4ebc417ef9cb34010a71270421fe320ec5d88aa2 Mon Sep 17 00:00:00 2001
+From: Jan Kiszka <jan.kiszka@siemens.com>
+Date: Fri, 10 Jan 2025 11:36:33 +0100
+Subject: scripts/gdb: fix aarch64 userspace detection in get_current_task
+
+From: Jan Kiszka <jan.kiszka@siemens.com>
+
+commit 4ebc417ef9cb34010a71270421fe320ec5d88aa2 upstream.
+
+At least recent gdb releases (seen with 14.2) return SP_EL0 as signed long
+which lets the right-shift always return 0.
+
+Link: https://lkml.kernel.org/r/dcd2fabc-9131-4b48-8419-6444e2d67454@siemens.com
+Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
+Cc: Barry Song <baohua@kernel.org>
+Cc: Kieran Bingham <kbingham@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/gdb/linux/cpus.py |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/scripts/gdb/linux/cpus.py
++++ b/scripts/gdb/linux/cpus.py
+@@ -172,7 +172,7 @@ def get_current_task(cpu):
+             var_ptr = gdb.parse_and_eval("&pcpu_hot.current_task")
+             return per_cpu(var_ptr, cpu).dereference()
+     elif utils.is_target_arch("aarch64"):
+-        current_task_addr = gdb.parse_and_eval("$SP_EL0")
++        current_task_addr = gdb.parse_and_eval("(unsigned long)$SP_EL0")
+         if (current_task_addr >> 63) != 0:
+             current_task = current_task_addr.cast(task_ptr_type)
+             return current_task.dereference()
diff --git a/queue-6.6/selftests-mptcp-connect-f-no-reconnect.patch b/queue-6.6/selftests-mptcp-connect-f-no-reconnect.patch
new file mode 100644 (file)
index 0000000..524bcea
--- /dev/null
@@ -0,0 +1,45 @@
+From 5368a67307b3b2c347dc8965ac55b888be665934 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Tue, 4 Feb 2025 23:19:53 +0100
+Subject: selftests: mptcp: connect: -f: no reconnect
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 5368a67307b3b2c347dc8965ac55b888be665934 upstream.
+
+The '-f' parameter is there to force the kernel to emit MPTCP FASTCLOSE
+by closing the connection with unread bytes in the receive queue.
+
+The xdisconnect() helper was used to stop the connection, but it does
+more than that: it will shut it down, then wait before reconnecting to
+the same address. This causes the mptcp_join's "fastclose test" to fail
+all the time.
+
+This failure is due to a recent change, with commit 218cc166321f
+("selftests: mptcp: avoid spurious errors on disconnect"), but that went
+unnoticed because the test is currently ignored. The recent modification
+only shown an existing issue: xdisconnect() doesn't need to be used
+here, only the shutdown() part is needed.
+
+Fixes: 6bf41020b72b ("selftests: mptcp: update and extend fastclose test-cases")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20250204-net-mptcp-sft-conn-f-v1-1-6b470c72fffa@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_connect.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_connect.c
++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.c
+@@ -1302,7 +1302,7 @@ again:
+               return ret;
+       if (cfg_truncate > 0) {
+-              xdisconnect(fd);
++              shutdown(fd, SHUT_WR);
+       } else if (--cfg_repeat > 0) {
+               xdisconnect(fd);
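Review bot: The new `shutdown(fd, SHUT_WR);` in the `cfg_truncate > 0` branch discards its return value, so a failed call lets the test carry on without the shutdown it depends on, and the failure surfaces later as an unrelated symptom. Checking it, for example `if (shutdown(fd, SHUT_WR) < 0) perror("shutdown");`, would make that visible; use the file's own error helper if it has one. A short comment such as `/* -f: shut down only; reconnecting here breaks the fastclose test */` would also record why this branch does not call xdisconnect() like the next one. The enclosing function starts before the `again:` label and ends outside the hunk.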
index 9652c074774a7186acc89e9352f9b1afe21d2fbc..1d8563eff6ec9ef9fad90fc2d516d506a7dfa5b4 100644 (file)
@@ -215,3 +215,42 @@ media-uvcvideo-fix-event-flags-in-uvc_ctrl_send_events.patch
 media-uvcvideo-support-partial-control-reads.patch
 media-uvcvideo-remove-redundant-null-assignment.patch
 mm-kmemleak-fix-upper-boundary-check-for-physical-address-objects.patch
+ata-libata-sff-ensure-that-we-cannot-write-outside-the-allocated-buffer.patch
+crypto-qce-fix-goto-jump-in-error-path.patch
+crypto-qce-unregister-previously-registered-algos-in-error-path.patch
+nvmem-qcom-spmi-sdam-set-size-in-struct-nvmem_config.patch
+nvmem-core-improve-range-check-for-nvmem_cell_write.patch
+nvmem-imx-ocotp-ele-simplify-read-beyond-device-check.patch
+nvmem-imx-ocotp-ele-fix-reading-from-non-zero-offset.patch
+nvmem-imx-ocotp-ele-set-word-length-to-1.patch
+io_uring-fix-multishots-with-selected-buffers.patch
+io_uring-net-don-t-retry-connect-operation-on-epollerr.patch
+vfio-platform-check-the-bounds-of-read-write-syscalls.patch
+selftests-mptcp-connect-f-no-reconnect.patch
+pnfs-flexfiles-retry-getting-layout-segment-for-reads.patch
+ocfs2-fix-incorrect-cpu-endianness-conversion-causing-mount-failure.patch
+ocfs2-handle-a-symlink-read-error-correctly.patch
+nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch
+mailbox-tegra-hsp-clear-mailbox-before-using-message.patch
+nfc-nci-add-bounds-checking-in-nci_hci_create_pipe.patch
+i3c-master-fix-missing-ret-assignment-in-set_speed.patch
+irqchip-apple-aic-only-handle-pmc-interrupt-as-fiq-when-configured-so.patch
+mtd-onenand-fix-uninitialized-retlen-in-do_otp_read.patch
+misc-misc_minor_alloc-to-use-ida-for-all-dynamic-misc-dynamic-minors.patch
+misc-fastrpc-deregister-device-nodes-properly-in-error-scenarios.patch
+misc-fastrpc-fix-registered-buffer-page-address.patch
+misc-fastrpc-fix-copy-buffer-page-size.patch
+net-ncsi-wait-for-the-last-response-to-deselect-package-before-configuring-channel.patch
+net-phy-c45-tjaxx-add-delay-between-mdio-write-and-read-in-soft_reset.patch
+maple_tree-simplify-split-calculation.patch
+scripts-gdb-fix-aarch64-userspace-detection-in-get_current_task.patch
+tracing-osnoise-fix-resetting-of-tracepoints.patch
+rtla-osnoise-distinguish-missing-workload-option.patch
+rtla-timerlat_hist-set-osnoise_workload-for-kernel-threads.patch
+rtla-timerlat_top-set-osnoise_workload-for-kernel-threads.patch
+rtla-add-trace_instance_stop.patch
+rtla-timerlat_hist-stop-timerlat-tracer-on-signal.patch
+rtla-timerlat_top-stop-timerlat-tracer-on-signal.patch
+pinctrl-samsung-fix-fwnode-refcount-cleanup-if-platform_get_irq_optional-fails.patch
+ptp-ensure-info-enable-callback-is-always-set.patch
+rtc-zynqmp-fix-optional-clock-name-property.patch
diff --git a/queue-6.6/tracing-osnoise-fix-resetting-of-tracepoints.patch b/queue-6.6/tracing-osnoise-fix-resetting-of-tracepoints.patch
new file mode 100644 (file)
index 0000000..dab1d42
--- /dev/null
@@ -0,0 +1,124 @@
+From e3ff4245928f948f3eb2e852aa350b870421c358 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Thu, 23 Jan 2025 20:41:59 -0500
+Subject: tracing/osnoise: Fix resetting of tracepoints
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+commit e3ff4245928f948f3eb2e852aa350b870421c358 upstream.
+
+If a timerlat tracer is started with the osnoise option OSNOISE_WORKLOAD
+disabled, but then that option is enabled and timerlat is removed, the
+tracepoints that were enabled on timerlat registration do not get
+disabled. If the option is disabled again and timelat is started, then it
+triggers a warning in the tracepoint code due to registering the
+tracepoint again without ever disabling it.
+
+Do not use the same user space defined options to know to disable the
+tracepoints when timerlat is removed. Instead, set a global flag when it
+is enabled and use that flag to know to disable the events.
+
+ ~# echo NO_OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options
+ ~# echo timerlat > /sys/kernel/tracing/current_tracer
+ ~# echo OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options
+ ~# echo nop > /sys/kernel/tracing/current_tracer
+ ~# echo NO_OSNOISE_WORKLOAD > /sys/kernel/tracing/osnoise/options
+ ~# echo timerlat > /sys/kernel/tracing/current_tracer
+
+Triggers:
+
+ ------------[ cut here ]------------
+ WARNING: CPU: 6 PID: 1337 at kernel/tracepoint.c:294 tracepoint_add_func+0x3b6/0x3f0
+ Modules linked in:
+ CPU: 6 UID: 0 PID: 1337 Comm: rtla Not tainted 6.13.0-rc4-test-00018-ga867c441128e-dirty #73
+ Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+ RIP: 0010:tracepoint_add_func+0x3b6/0x3f0
+ Code: 48 8b 53 28 48 8b 73 20 4c 89 04 24 e8 23 59 11 00 4c 8b 04 24 e9 36 fe ff ff 0f 0b b8 ea ff ff ff 45 84 e4 0f 84 68 fe ff ff <0f> 0b e9 61 fe ff ff 48 8b 7b 18 48 85 ff 0f 84 4f ff ff ff 49 8b
+ RSP: 0018:ffffb9b003a87ca0 EFLAGS: 00010202
+ RAX: 00000000ffffffef RBX: ffffffff92f30860 RCX: 0000000000000000
+ RDX: 0000000000000000 RSI: ffff9bf59e91ccd0 RDI: ffffffff913b6410
+ RBP: 000000000000000a R08: 00000000000005c7 R09: 0000000000000002
+ R10: ffffb9b003a87ce0 R11: 0000000000000002 R12: 0000000000000001
+ R13: ffffb9b003a87ce0 R14: ffffffffffffffef R15: 0000000000000008
+ FS:  00007fce81209240(0000) GS:ffff9bf6fdd00000(0000) knlGS:0000000000000000
+ CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 000055e99b728000 CR3: 00000001277c0002 CR4: 0000000000172ef0
+ Call Trace:
+  <TASK>
+  ? __warn.cold+0xb7/0x14d
+  ? tracepoint_add_func+0x3b6/0x3f0
+  ? report_bug+0xea/0x170
+  ? handle_bug+0x58/0x90
+  ? exc_invalid_op+0x17/0x70
+  ? asm_exc_invalid_op+0x1a/0x20
+  ? __pfx_trace_sched_migrate_callback+0x10/0x10
+  ? tracepoint_add_func+0x3b6/0x3f0
+  ? __pfx_trace_sched_migrate_callback+0x10/0x10
+  ? __pfx_trace_sched_migrate_callback+0x10/0x10
+  tracepoint_probe_register+0x78/0xb0
+  ? __pfx_trace_sched_migrate_callback+0x10/0x10
+  osnoise_workload_start+0x2b5/0x370
+  timerlat_tracer_init+0x76/0x1b0
+  tracing_set_tracer+0x244/0x400
+  tracing_set_trace_write+0xa0/0xe0
+  vfs_write+0xfc/0x570
+  ? do_sys_openat2+0x9c/0xe0
+  ksys_write+0x72/0xf0
+  do_syscall_64+0x79/0x1c0
+  entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Tomas Glozar <tglozar@redhat.com>
+Cc: Gabriele Monaco <gmonaco@redhat.com>
+Cc: Luis Goncalves <lgoncalv@redhat.com>
+Cc: John Kacur <jkacur@redhat.com>
+Link: https://lore.kernel.org/20250123204159.4450c88e@gandalf.local.home
+Fixes: e88ed227f639e ("tracing/timerlat: Add user-space interface")
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_osnoise.c |   17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+--- a/kernel/trace/trace_osnoise.c
++++ b/kernel/trace/trace_osnoise.c
+@@ -1235,6 +1235,8 @@ static void trace_sched_migrate_callback
+       }
+ }
++static bool monitor_enabled;
++
+ static int register_migration_monitor(void)
+ {
+       int ret = 0;
+@@ -1243,16 +1245,25 @@ static int register_migration_monitor(vo
+        * Timerlat thread migration check is only required when running timerlat in user-space.
+        * Thus, enable callback only if timerlat is set with no workload.
+        */
+-      if (timerlat_enabled() && !test_bit(OSN_WORKLOAD, &osnoise_options))
++      if (timerlat_enabled() && !test_bit(OSN_WORKLOAD, &osnoise_options)) {
++              if (WARN_ON_ONCE(monitor_enabled))
++                      return 0;
++
+               ret = register_trace_sched_migrate_task(trace_sched_migrate_callback, NULL);
++              if (!ret)
++                      monitor_enabled = true;
++      }
+       return ret;
+ }
+ static void unregister_migration_monitor(void)
+ {
+-      if (timerlat_enabled() && !test_bit(OSN_WORKLOAD, &osnoise_options))
+-              unregister_trace_sched_migrate_task(trace_sched_migrate_callback, NULL);
++      if (!monitor_enabled)
++              return;
++
++      unregister_trace_sched_migrate_task(trace_sched_migrate_callback, NULL);
++      monitor_enabled = false;
+ }
+ #else
+ static int register_migration_monitor(void)
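Review bot: The new file-scope `monitor_enabled` is read and written by both register_migration_monitor() and unregister_migration_monitor() with no locking in the hunk and no comment saying what serialises those two paths. Presumably the callers already hold a tracer lock, but that is not visible here. A comment on the declaration would record both the meaning and the assumption, e.g. `/* True while trace_sched_migrate_callback is registered; teardown tests this, not osnoise_options, which user space can change in between. */`, with the protecting lock named once confirmed. The block comment kept in register_migration_monitor() explains only the registration condition, so the reason unregistration no longer mirrors it lives only in the commit message.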
diff --git a/queue-6.6/vfio-platform-check-the-bounds-of-read-write-syscalls.patch b/queue-6.6/vfio-platform-check-the-bounds-of-read-write-syscalls.patch
new file mode 100644 (file)
index 0000000..d5d4818
--- /dev/null
@@ -0,0 +1,54 @@
+From ce9ff21ea89d191e477a02ad7eabf4f996b80a69 Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Wed, 22 Jan 2025 10:38:30 -0700
+Subject: vfio/platform: check the bounds of read/write syscalls
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+commit ce9ff21ea89d191e477a02ad7eabf4f996b80a69 upstream.
+
+count and offset are passed from user space and not checked, only
+offset is capped to 40 bits, which can be used to read/write out of
+bounds of the device.
+
+Fixes: 6e3f26456009 (“vfio/platform: read and write support for the device fd”)
+Cc: stable@vger.kernel.org
+Reported-by: Mostafa Saleh <smostafa@google.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Mostafa Saleh <smostafa@google.com>
+Tested-by: Mostafa Saleh <smostafa@google.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vfio/platform/vfio_platform_common.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/vfio/platform/vfio_platform_common.c
++++ b/drivers/vfio/platform/vfio_platform_common.c
+@@ -393,6 +393,11 @@ static ssize_t vfio_platform_read_mmio(s
+       count = min_t(size_t, count, reg->size - off);
++      if (off >= reg->size)
++              return -EINVAL;
++
++      count = min_t(size_t, count, reg->size - off);
++
+       if (!reg->ioaddr) {
+               reg->ioaddr =
+                       ioremap(reg->addr, reg->size);
+@@ -474,6 +479,11 @@ static ssize_t vfio_platform_write_mmio(
+       if (off >= reg->size)
+               return -EINVAL;
++
++      count = min_t(size_t, count, reg->size - off);
++
++      if (off >= reg->size)
++              return -EINVAL;
+       count = min_t(size_t, count, reg->size - off);