--- /dev/null
+From 1ee5aa765c22a0577ec552d460bf2035300b4b51 Mon Sep 17 00:00:00 2001
+From: Hoku Ishibe <me@hokuishi.be>
+Date: Sun, 23 Feb 2025 21:05:17 -0500
+Subject: ALSA: hda: intel: Add Dell ALC3271 to power_save denylist
+
+From: Hoku Ishibe <me@hokuishi.be>
+
+commit 1ee5aa765c22a0577ec552d460bf2035300b4b51 upstream.
+
+Dell XPS 13 7390 with the Realtek ALC3271 codec experiences
+persistent humming noise when the power_save mode is enabled.
+This issue occurs when the codec enters power saving mode,
+leading to unwanted noise from the speakers.
+
+This patch adds the affected model (PCI ID 0x1028:0x0962) to the
+power_save denylist to ensure power_save is disabled by default,
+preventing power-off related noise issues.
+
+Steps to Reproduce
+1. Boot the system with `snd_hda_intel` loaded.
+2. Verify that `power_save` mode is enabled:
+```sh
+cat /sys/module/snd_hda_intel/parameters/power_save
+````
+output: 10 (default power save timeout)
+3. Wait for the power save timeout
+4. Observe a persistent humming noise from the speakers
+5. Disable `power_save` manually:
+```sh
+echo 0 | sudo tee /sys/module/snd_hda_intel/parameters/power_save
+````
+6. Confirm that the noise disappears immediately.
+
+This issue has been observed on my system, and this patch
+successfully eliminates the unwanted noise. If other users
+experience similar issues, additional reports would be helpful.
+
+Signed-off-by: Hoku Ishibe <me@hokuishi.be>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20250224020517.51035-1-me@hokuishi.be
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/hda_intel.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2222,6 +2222,8 @@ static const struct snd_pci_quirk power_
+ SND_PCI_QUIRK(0x1631, 0xe017, "Packard Bell NEC IMEDIA 5204", 0),
+ /* KONTRON SinglePC may cause a stall at runtime resume */
+ SND_PCI_QUIRK(0x1734, 0x1232, "KONTRON SinglePC", 0),
++ /* Dell ALC3271 */
++ SND_PCI_QUIRK(0x1028, 0x0962, "Dell ALC3271", 0),
+ {}
+ };
+ #endif /* CONFIG_PM */
--- /dev/null
+From f603b159231b0c58f0c27ab39348534063d38223 Mon Sep 17 00:00:00 2001
+From: Kailang Yang <kailang@realtek.com>
+Date: Mon, 3 Mar 2025 14:56:10 +0800
+Subject: ALSA: hda/realtek - add supported Mic Mute LED for Lenovo platform
+
+From: Kailang Yang <kailang@realtek.com>
+
+commit f603b159231b0c58f0c27ab39348534063d38223 upstream.
+
+Support Mic Mute LED for ThinkCentre M series.
+
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/c211a2702f1f411e86bd7420d7eebc03@realtek.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -4918,6 +4918,16 @@ static void alc269_fixup_hp_line1_mic1_l
+ }
+ }
+
++static void alc233_fixup_lenovo_low_en_micmute_led(struct hda_codec *codec,
++ const struct hda_fixup *fix, int action)
++{
++ struct alc_spec *spec = codec->spec;
++
++ if (action == HDA_FIXUP_ACT_PRE_PROBE)
++ spec->micmute_led_polarity = 1;
++ alc233_fixup_lenovo_line2_mic_hotkey(codec, fix, action);
++}
++
+ static void alc_hp_mute_disable(struct hda_codec *codec, unsigned int delay)
+ {
+ if (delay <= 0)
+@@ -7295,6 +7305,7 @@ enum {
+ ALC275_FIXUP_DELL_XPS,
+ ALC293_FIXUP_LENOVO_SPK_NOISE,
+ ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY,
++ ALC233_FIXUP_LENOVO_L2MH_LOW_ENLED,
+ ALC255_FIXUP_DELL_SPK_NOISE,
+ ALC225_FIXUP_DISABLE_MIC_VREF,
+ ALC225_FIXUP_DELL1_MIC_NO_PRESENCE,
+@@ -8282,6 +8293,10 @@ static const struct hda_fixup alc269_fix
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc233_fixup_lenovo_line2_mic_hotkey,
+ },
++ [ALC233_FIXUP_LENOVO_L2MH_LOW_ENLED] = {
++ .type = HDA_FIXUP_FUNC,
++ .v.func = alc233_fixup_lenovo_low_en_micmute_led,
++ },
+ [ALC233_FIXUP_INTEL_NUC8_DMIC] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc_fixup_inv_dmic,
+@@ -10343,6 +10358,9 @@ static const struct hda_quirk alc269_fix
+ SND_PCI_QUIRK(0x17aa, 0x3178, "ThinkCentre Station", ALC283_FIXUP_HEADSET_MIC),
+ SND_PCI_QUIRK(0x17aa, 0x31af, "ThinkCentre Station", ALC623_FIXUP_LENOVO_THINKSTATION_P340),
+ SND_PCI_QUIRK(0x17aa, 0x334b, "Lenovo ThinkCentre M70 Gen5", ALC283_FIXUP_HEADSET_MIC),
++ SND_PCI_QUIRK(0x17aa, 0x3384, "ThinkCentre M90a PRO", ALC233_FIXUP_LENOVO_L2MH_LOW_ENLED),
++ SND_PCI_QUIRK(0x17aa, 0x3386, "ThinkCentre M90a Gen6", ALC233_FIXUP_LENOVO_L2MH_LOW_ENLED),
++ SND_PCI_QUIRK(0x17aa, 0x3387, "ThinkCentre M70a Gen6", ALC233_FIXUP_LENOVO_L2MH_LOW_ENLED),
+ SND_PCI_QUIRK(0x17aa, 0x3801, "Lenovo Yoga9 14IAP7", ALC287_FIXUP_YOGA9_14IAP7_BASS_SPK_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x3802, "Lenovo Yoga Pro 9 14IRP8 / DuetITL 2021", ALC287_FIXUP_LENOVO_14IRP8_DUETITL),
+ SND_PCI_QUIRK(0x17aa, 0x3813, "Legion 7i 15IMHG05", ALC287_FIXUP_LEGION_15IMHG05_SPEAKERS),
--- /dev/null
+From ca0dedaff92307591f66c9206933fbdfe87add10 Mon Sep 17 00:00:00 2001
+From: Kailang Yang <kailang@realtek.com>
+Date: Wed, 5 Mar 2025 13:54:34 +0800
+Subject: ALSA: hda/realtek: update ALC222 depop optimize
+
+From: Kailang Yang <kailang@realtek.com>
+
+commit ca0dedaff92307591f66c9206933fbdfe87add10 upstream.
+
+Add ALC222 its own depop functions for alc_init and alc_shutup.
+
+[note: this fixes pop noise issues on the models with two headphone
+ jacks -- tiwai ]
+
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 76 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 76 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -3834,6 +3834,79 @@ static void alc225_shutup(struct hda_cod
+ }
+ }
+
++static void alc222_init(struct hda_codec *codec)
++{
++ struct alc_spec *spec = codec->spec;
++ hda_nid_t hp_pin = alc_get_hp_pin(spec);
++ bool hp1_pin_sense, hp2_pin_sense;
++
++ if (!hp_pin)
++ return;
++
++ msleep(30);
++
++ hp1_pin_sense = snd_hda_jack_detect(codec, hp_pin);
++ hp2_pin_sense = snd_hda_jack_detect(codec, 0x14);
++
++ if (hp1_pin_sense || hp2_pin_sense) {
++ msleep(2);
++
++ if (hp1_pin_sense)
++ snd_hda_codec_write(codec, hp_pin, 0,
++ AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_OUT);
++ if (hp2_pin_sense)
++ snd_hda_codec_write(codec, 0x14, 0,
++ AC_VERB_SET_PIN_WIDGET_CONTROL, PIN_OUT);
++ msleep(75);
++
++ if (hp1_pin_sense)
++ snd_hda_codec_write(codec, hp_pin, 0,
++ AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_UNMUTE);
++ if (hp2_pin_sense)
++ snd_hda_codec_write(codec, 0x14, 0,
++ AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_UNMUTE);
++
++ msleep(75);
++ }
++}
++
++static void alc222_shutup(struct hda_codec *codec)
++{
++ struct alc_spec *spec = codec->spec;
++ hda_nid_t hp_pin = alc_get_hp_pin(spec);
++ bool hp1_pin_sense, hp2_pin_sense;
++
++ if (!hp_pin)
++ hp_pin = 0x21;
++
++ hp1_pin_sense = snd_hda_jack_detect(codec, hp_pin);
++ hp2_pin_sense = snd_hda_jack_detect(codec, 0x14);
++
++ if (hp1_pin_sense || hp2_pin_sense) {
++ msleep(2);
++
++ if (hp1_pin_sense)
++ snd_hda_codec_write(codec, hp_pin, 0,
++ AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_MUTE);
++ if (hp2_pin_sense)
++ snd_hda_codec_write(codec, 0x14, 0,
++ AC_VERB_SET_AMP_GAIN_MUTE, AMP_OUT_MUTE);
++
++ msleep(75);
++
++ if (hp1_pin_sense)
++ snd_hda_codec_write(codec, hp_pin, 0,
++ AC_VERB_SET_PIN_WIDGET_CONTROL, 0x0);
++ if (hp2_pin_sense)
++ snd_hda_codec_write(codec, 0x14, 0,
++ AC_VERB_SET_PIN_WIDGET_CONTROL, 0x0);
++
++ msleep(75);
++ }
++ alc_auto_setup_eapd(codec, false);
++ alc_shutup_pins(codec);
++}
++
+ static void alc_default_init(struct hda_codec *codec)
+ {
+ struct alc_spec *spec = codec->spec;
+@@ -11309,8 +11382,11 @@ static int patch_alc269(struct hda_codec
+ spec->codec_variant = ALC269_TYPE_ALC300;
+ spec->gen.mixer_nid = 0; /* no loopback on ALC300 */
+ break;
++ case 0x10ec0222:
+ case 0x10ec0623:
+ spec->codec_variant = ALC269_TYPE_ALC623;
++ spec->shutup = alc222_shutup;
++ spec->init_hook = alc222_init;
+ break;
+ case 0x10ec0700:
+ case 0x10ec0701:
--- /dev/null
+From c9ce148ea753bef66686460fa3cec6641cdfbb9f Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sat, 1 Mar 2025 12:45:29 +0100
+Subject: ALSA: seq: Avoid module auto-load handling at event delivery
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit c9ce148ea753bef66686460fa3cec6641cdfbb9f upstream.
+
+snd_seq_client_use_ptr() is supposed to return the snd_seq_client
+object for the given client ID, and it tries to handle the module
+auto-loading when no matching object is found. Although the module
+handling is performed only conditionally with "!in_interrupt()", this
+condition may be fragile, e.g. when the code is called from the ALSA
+timer callback where the spinlock is temporarily disabled while the
+irq is disabled. Then his doesn't fit well and spews the error about
+sleep from invalid context, as complained recently by syzbot.
+
+Also, in general, handling the module-loading at each time if no
+matching object is found is really an overkill. It can be still
+useful when performed at the top-level ioctl or proc reads, but it
+shouldn't be done at event delivery at all.
+
+For addressing the issues above, this patch disables the module
+handling in snd_seq_client_use_ptr() in normal cases like event
+deliveries, but allow only in limited and safe situations.
+A new function client_load_and_use_ptr() is used for the cases where
+the module loading can be done safely, instead.
+
+Reported-by: syzbot+4cb9fad083898f54c517@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/67c272e5.050a0220.dc10f.0159.GAE@google.com
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20250301114530.8975-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/seq/seq_clientmgr.c | 46 ++++++++++++++++++++++++++---------------
+ 1 file changed, 30 insertions(+), 16 deletions(-)
+
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -106,7 +106,7 @@ static struct snd_seq_client *clientptr(
+ return clienttab[clientid];
+ }
+
+-struct snd_seq_client *snd_seq_client_use_ptr(int clientid)
++static struct snd_seq_client *client_use_ptr(int clientid, bool load_module)
+ {
+ unsigned long flags;
+ struct snd_seq_client *client;
+@@ -126,7 +126,7 @@ struct snd_seq_client *snd_seq_client_us
+ }
+ spin_unlock_irqrestore(&clients_lock, flags);
+ #ifdef CONFIG_MODULES
+- if (!in_interrupt()) {
++ if (load_module) {
+ static DECLARE_BITMAP(client_requested, SNDRV_SEQ_GLOBAL_CLIENTS);
+ static DECLARE_BITMAP(card_requested, SNDRV_CARDS);
+
+@@ -168,6 +168,20 @@ struct snd_seq_client *snd_seq_client_us
+ return client;
+ }
+
++/* get snd_seq_client object for the given id quickly */
++struct snd_seq_client *snd_seq_client_use_ptr(int clientid)
++{
++ return client_use_ptr(clientid, false);
++}
++
++/* get snd_seq_client object for the given id;
++ * if not found, retry after loading the modules
++ */
++static struct snd_seq_client *client_load_and_use_ptr(int clientid)
++{
++ return client_use_ptr(clientid, IS_ENABLED(CONFIG_MODULES));
++}
++
+ /* Take refcount and perform ioctl_mutex lock on the given client;
+ * used only for OSS sequencer
+ * Unlock via snd_seq_client_ioctl_unlock() below
+@@ -176,7 +190,7 @@ bool snd_seq_client_ioctl_lock(int clien
+ {
+ struct snd_seq_client *client;
+
+- client = snd_seq_client_use_ptr(clientid);
++ client = client_load_and_use_ptr(clientid);
+ if (!client)
+ return false;
+ mutex_lock(&client->ioctl_mutex);
+@@ -1200,7 +1214,7 @@ static int snd_seq_ioctl_running_mode(st
+ int err = 0;
+
+ /* requested client number */
+- cptr = snd_seq_client_use_ptr(info->client);
++ cptr = client_load_and_use_ptr(info->client);
+ if (cptr == NULL)
+ return -ENOENT; /* don't change !!! */
+
+@@ -1262,7 +1276,7 @@ static int snd_seq_ioctl_get_client_info
+ struct snd_seq_client *cptr;
+
+ /* requested client number */
+- cptr = snd_seq_client_use_ptr(client_info->client);
++ cptr = client_load_and_use_ptr(client_info->client);
+ if (cptr == NULL)
+ return -ENOENT; /* don't change !!! */
+
+@@ -1397,7 +1411,7 @@ static int snd_seq_ioctl_get_port_info(s
+ struct snd_seq_client *cptr;
+ struct snd_seq_client_port *port;
+
+- cptr = snd_seq_client_use_ptr(info->addr.client);
++ cptr = client_load_and_use_ptr(info->addr.client);
+ if (cptr == NULL)
+ return -ENXIO;
+
+@@ -1501,10 +1515,10 @@ static int snd_seq_ioctl_subscribe_port(
+ struct snd_seq_client *receiver = NULL, *sender = NULL;
+ struct snd_seq_client_port *sport = NULL, *dport = NULL;
+
+- receiver = snd_seq_client_use_ptr(subs->dest.client);
++ receiver = client_load_and_use_ptr(subs->dest.client);
+ if (!receiver)
+ goto __end;
+- sender = snd_seq_client_use_ptr(subs->sender.client);
++ sender = client_load_and_use_ptr(subs->sender.client);
+ if (!sender)
+ goto __end;
+ sport = snd_seq_port_use_ptr(sender, subs->sender.port);
+@@ -1865,7 +1879,7 @@ static int snd_seq_ioctl_get_client_pool
+ struct snd_seq_client_pool *info = arg;
+ struct snd_seq_client *cptr;
+
+- cptr = snd_seq_client_use_ptr(info->client);
++ cptr = client_load_and_use_ptr(info->client);
+ if (cptr == NULL)
+ return -ENOENT;
+ memset(info, 0, sizeof(*info));
+@@ -1969,7 +1983,7 @@ static int snd_seq_ioctl_get_subscriptio
+ struct snd_seq_client_port *sport = NULL;
+
+ result = -EINVAL;
+- sender = snd_seq_client_use_ptr(subs->sender.client);
++ sender = client_load_and_use_ptr(subs->sender.client);
+ if (!sender)
+ goto __end;
+ sport = snd_seq_port_use_ptr(sender, subs->sender.port);
+@@ -2000,7 +2014,7 @@ static int snd_seq_ioctl_query_subs(stru
+ struct list_head *p;
+ int i;
+
+- cptr = snd_seq_client_use_ptr(subs->root.client);
++ cptr = client_load_and_use_ptr(subs->root.client);
+ if (!cptr)
+ goto __end;
+ port = snd_seq_port_use_ptr(cptr, subs->root.port);
+@@ -2067,7 +2081,7 @@ static int snd_seq_ioctl_query_next_clie
+ if (info->client < 0)
+ info->client = 0;
+ for (; info->client < SNDRV_SEQ_MAX_CLIENTS; info->client++) {
+- cptr = snd_seq_client_use_ptr(info->client);
++ cptr = client_load_and_use_ptr(info->client);
+ if (cptr)
+ break; /* found */
+ }
+@@ -2090,7 +2104,7 @@ static int snd_seq_ioctl_query_next_port
+ struct snd_seq_client *cptr;
+ struct snd_seq_client_port *port = NULL;
+
+- cptr = snd_seq_client_use_ptr(info->addr.client);
++ cptr = client_load_and_use_ptr(info->addr.client);
+ if (cptr == NULL)
+ return -ENXIO;
+
+@@ -2187,7 +2201,7 @@ static int snd_seq_ioctl_client_ump_info
+ size = sizeof(struct snd_ump_endpoint_info);
+ else
+ size = sizeof(struct snd_ump_block_info);
+- cptr = snd_seq_client_use_ptr(client);
++ cptr = client_load_and_use_ptr(client);
+ if (!cptr)
+ return -ENOENT;
+
+@@ -2459,7 +2473,7 @@ int snd_seq_kernel_client_enqueue(int cl
+ if (check_event_type_and_length(ev))
+ return -EINVAL;
+
+- cptr = snd_seq_client_use_ptr(client);
++ cptr = client_load_and_use_ptr(client);
+ if (cptr == NULL)
+ return -EINVAL;
+
+@@ -2686,7 +2700,7 @@ void snd_seq_info_clients_read(struct sn
+
+ /* list the client table */
+ for (c = 0; c < SNDRV_SEQ_MAX_CLIENTS; c++) {
+- client = snd_seq_client_use_ptr(c);
++ client = client_load_and_use_ptr(c);
+ if (client == NULL)
+ continue;
+ if (client->type == NO_CLIENT) {
--- /dev/null
+From 374c9faac5a763a05bc3f68ad9f73dab3c6aec90 Mon Sep 17 00:00:00 2001
+From: Ma Ke <make24@iscas.ac.cn>
+Date: Wed, 26 Feb 2025 16:37:31 +0800
+Subject: drm/amd/display: Fix null check for pipe_ctx->plane_state in resource_build_scaling_params
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+commit 374c9faac5a763a05bc3f68ad9f73dab3c6aec90 upstream.
+
+Null pointer dereference issue could occur when pipe_ctx->plane_state
+is null. The fix adds a check to ensure 'pipe_ctx->plane_state' is not
+null before accessing. This prevents a null pointer dereference.
+
+Found by code review.
+
+Fixes: 3be5262e353b ("drm/amd/display: Rename more dc_surface stuff to plane_state")
+Reviewed-by: Alex Hung <alex.hung@amd.com>
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 63e6a77ccf239337baa9b1e7787cde9fa0462092)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
+@@ -1394,7 +1394,8 @@ bool resource_build_scaling_params(struc
+ DC_LOGGER_INIT(pipe_ctx->stream->ctx->logger);
+
+ /* Invalid input */
+- if (!plane_state->dst_rect.width ||
++ if (!plane_state ||
++ !plane_state->dst_rect.width ||
+ !plane_state->dst_rect.height ||
+ !plane_state->src_rect.width ||
+ !plane_state->src_rect.height) {
--- /dev/null
+From 29ffeb73b216ce3eff10229eb077cf9b7812119d Mon Sep 17 00:00:00 2001
+From: Richard Thier <u9vata@gmail.com>
+Date: Mon, 17 Jun 2019 23:46:27 +0200
+Subject: drm/radeon: Fix rs400_gpu_init for ATI mobility radeon Xpress 200M
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Richard Thier <u9vata@gmail.com>
+
+commit 29ffeb73b216ce3eff10229eb077cf9b7812119d upstream.
+
+num_gb_pipes was set to a wrong value using r420_pipe_config
+
+This have lead to HyperZ glitches on fast Z clearing.
+
+Closes: https://bugs.freedesktop.org/show_bug.cgi?id=110897
+Reviewed-by: Marek Olšák <marek.olsak@amd.com>
+Signed-off-by: Richard Thier <u9vata@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 044e59a85c4d84e3c8d004c486e5c479640563a6)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/radeon/r300.c | 3 ++-
+ drivers/gpu/drm/radeon/radeon_asic.h | 1 +
+ drivers/gpu/drm/radeon/rs400.c | 18 ++++++++++++++++--
+ 3 files changed, 19 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/r300.c
++++ b/drivers/gpu/drm/radeon/r300.c
+@@ -358,7 +358,8 @@ int r300_mc_wait_for_idle(struct radeon_
+ return -1;
+ }
+
+-static void r300_gpu_init(struct radeon_device *rdev)
++/* rs400_gpu_init also calls this! */
++void r300_gpu_init(struct radeon_device *rdev)
+ {
+ uint32_t gb_tile_config, tmp;
+
+--- a/drivers/gpu/drm/radeon/radeon_asic.h
++++ b/drivers/gpu/drm/radeon/radeon_asic.h
+@@ -165,6 +165,7 @@ void r200_set_safe_registers(struct rade
+ */
+ extern int r300_init(struct radeon_device *rdev);
+ extern void r300_fini(struct radeon_device *rdev);
++extern void r300_gpu_init(struct radeon_device *rdev);
+ extern int r300_suspend(struct radeon_device *rdev);
+ extern int r300_resume(struct radeon_device *rdev);
+ extern int r300_asic_reset(struct radeon_device *rdev, bool hard);
+--- a/drivers/gpu/drm/radeon/rs400.c
++++ b/drivers/gpu/drm/radeon/rs400.c
+@@ -255,8 +255,22 @@ int rs400_mc_wait_for_idle(struct radeon
+
+ static void rs400_gpu_init(struct radeon_device *rdev)
+ {
+- /* FIXME: is this correct ? */
+- r420_pipes_init(rdev);
++ /* Earlier code was calling r420_pipes_init and then
++ * rs400_mc_wait_for_idle(rdev). The problem is that
++ * at least on my Mobility Radeon Xpress 200M RC410 card
++ * that ends up in this code path ends up num_gb_pipes == 3
++ * while the card seems to have only one pipe. With the
++ * r420 pipe initialization method.
++ *
++ * Problems shown up as HyperZ glitches, see:
++ * https://bugs.freedesktop.org/show_bug.cgi?id=110897
++ *
++ * Delegating initialization to r300 code seems to work
++ * and results in proper pipe numbers. The rs400 cards
++ * are said to be not r400, but r300 kind of cards.
++ */
++ r300_gpu_init(rdev);
++
+ if (rs400_mc_wait_for_idle(rdev)) {
+ pr_warn("rs400: Failed to wait MC idle while programming pipes. Bad things might happen. %08x\n",
+ RREG32(RADEON_MC_STATUS));
--- /dev/null
+From 12f65d1203507f7db3ba59930fe29a3b8eee9945 Mon Sep 17 00:00:00 2001
+From: Koichiro Den <koichiro.den@canonical.com>
+Date: Mon, 24 Feb 2025 23:31:26 +0900
+Subject: gpio: aggregator: protect driver attr handlers against module unload
+
+From: Koichiro Den <koichiro.den@canonical.com>
+
+commit 12f65d1203507f7db3ba59930fe29a3b8eee9945 upstream.
+
+Both new_device_store and delete_device_store touch module global
+resources (e.g. gpio_aggregator_lock). To prevent race conditions with
+module unload, a reference needs to be held.
+
+Add try_module_get() in these handlers.
+
+For new_device_store, this eliminates what appears to be the most dangerous
+scenario: if an id is allocated from gpio_aggregator_idr but
+platform_device_register has not yet been called or completed, a concurrent
+module unload could fail to unregister/delete the device, leaving behind a
+dangling platform device/GPIO forwarder. This can result in various issues.
+The following simple reproducer demonstrates these problems:
+
+ #!/bin/bash
+ while :; do
+ # note: whether 'gpiochip0 0' exists or not does not matter.
+ echo 'gpiochip0 0' > /sys/bus/platform/drivers/gpio-aggregator/new_device
+ done &
+ while :; do
+ modprobe gpio-aggregator
+ modprobe -r gpio-aggregator
+ done &
+ wait
+
+ Starting with the following warning, several kinds of warnings will appear
+ and the system may become unstable:
+
+ ------------[ cut here ]------------
+ list_del corruption, ffff888103e2e980->next is LIST_POISON1 (dead000000000100)
+ WARNING: CPU: 1 PID: 1327 at lib/list_debug.c:56 __list_del_entry_valid_or_report+0xa3/0x120
+ [...]
+ RIP: 0010:__list_del_entry_valid_or_report+0xa3/0x120
+ [...]
+ Call Trace:
+ <TASK>
+ ? __list_del_entry_valid_or_report+0xa3/0x120
+ ? __warn.cold+0x93/0xf2
+ ? __list_del_entry_valid_or_report+0xa3/0x120
+ ? report_bug+0xe6/0x170
+ ? __irq_work_queue_local+0x39/0xe0
+ ? handle_bug+0x58/0x90
+ ? exc_invalid_op+0x13/0x60
+ ? asm_exc_invalid_op+0x16/0x20
+ ? __list_del_entry_valid_or_report+0xa3/0x120
+ gpiod_remove_lookup_table+0x22/0x60
+ new_device_store+0x315/0x350 [gpio_aggregator]
+ kernfs_fop_write_iter+0x137/0x1f0
+ vfs_write+0x262/0x430
+ ksys_write+0x60/0xd0
+ do_syscall_64+0x6c/0x180
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+ [...]
+ </TASK>
+ ---[ end trace 0000000000000000 ]---
+
+Fixes: 828546e24280 ("gpio: Add GPIO Aggregator")
+Cc: stable@vger.kernel.org
+Signed-off-by: Koichiro Den <koichiro.den@canonical.com>
+Link: https://lore.kernel.org/r/20250224143134.3024598-2-koichiro.den@canonical.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-aggregator.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpio/gpio-aggregator.c
++++ b/drivers/gpio/gpio-aggregator.c
+@@ -121,10 +121,15 @@ static ssize_t new_device_store(struct d
+ struct platform_device *pdev;
+ int res, id;
+
++ if (!try_module_get(THIS_MODULE))
++ return -ENOENT;
++
+ /* kernfs guarantees string termination, so count + 1 is safe */
+ aggr = kzalloc(sizeof(*aggr) + count + 1, GFP_KERNEL);
+- if (!aggr)
+- return -ENOMEM;
++ if (!aggr) {
++ res = -ENOMEM;
++ goto put_module;
++ }
+
+ memcpy(aggr->args, buf, count + 1);
+
+@@ -163,6 +168,7 @@ static ssize_t new_device_store(struct d
+ }
+
+ aggr->pdev = pdev;
++ module_put(THIS_MODULE);
+ return count;
+
+ remove_table:
+@@ -177,6 +183,8 @@ free_table:
+ kfree(aggr->lookups);
+ free_ga:
+ kfree(aggr);
++put_module:
++ module_put(THIS_MODULE);
+ return res;
+ }
+
+@@ -205,13 +213,19 @@ static ssize_t delete_device_store(struc
+ if (error)
+ return error;
+
++ if (!try_module_get(THIS_MODULE))
++ return -ENOENT;
++
+ mutex_lock(&gpio_aggregator_lock);
+ aggr = idr_remove(&gpio_aggregator_idr, id);
+ mutex_unlock(&gpio_aggregator_lock);
+- if (!aggr)
++ if (!aggr) {
++ module_put(THIS_MODULE);
+ return -ENOENT;
++ }
+
+ gpio_aggregator_free(aggr);
++ module_put(THIS_MODULE);
+ return count;
+ }
+ static DRIVER_ATTR_WO(delete_device);
--- /dev/null
+From f02c41f87cfe61440c18bf77d1ef0a884b9ee2b5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Niklas=20S=C3=B6derlund?=
+ <niklas.soderlund+renesas@ragnatech.se>
+Date: Tue, 21 Jan 2025 14:58:33 +0100
+Subject: gpio: rcar: Use raw_spinlock to protect register access
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+
+commit f02c41f87cfe61440c18bf77d1ef0a884b9ee2b5 upstream.
+
+Use raw_spinlock in order to fix spurious messages about invalid context
+when spinlock debugging is enabled. The lock is only used to serialize
+register access.
+
+ [ 4.239592] =============================
+ [ 4.239595] [ BUG: Invalid wait context ]
+ [ 4.239599] 6.13.0-rc7-arm64-renesas-05496-gd088502a519f #35 Not tainted
+ [ 4.239603] -----------------------------
+ [ 4.239606] kworker/u8:5/76 is trying to lock:
+ [ 4.239609] ffff0000091898a0 (&p->lock){....}-{3:3}, at: gpio_rcar_config_interrupt_input_mode+0x34/0x164
+ [ 4.239641] other info that might help us debug this:
+ [ 4.239643] context-{5:5}
+ [ 4.239646] 5 locks held by kworker/u8:5/76:
+ [ 4.239651] #0: ffff0000080fb148 ((wq_completion)async){+.+.}-{0:0}, at: process_one_work+0x190/0x62c
+ [ 4.250180] OF: /soc/sound@ec500000/ports/port@0/endpoint: Read of boolean property 'frame-master' with a value.
+ [ 4.254094] #1: ffff80008299bd80 ((work_completion)(&entry->work)){+.+.}-{0:0}, at: process_one_work+0x1b8/0x62c
+ [ 4.254109] #2: ffff00000920c8f8
+ [ 4.258345] OF: /soc/sound@ec500000/ports/port@1/endpoint: Read of boolean property 'bitclock-master' with a value.
+ [ 4.264803] (&dev->mutex){....}-{4:4}, at: __device_attach_async_helper+0x3c/0xdc
+ [ 4.264820] #3: ffff00000a50ca40 (request_class#2){+.+.}-{4:4}, at: __setup_irq+0xa0/0x690
+ [ 4.264840] #4:
+ [ 4.268872] OF: /soc/sound@ec500000/ports/port@1/endpoint: Read of boolean property 'frame-master' with a value.
+ [ 4.273275] ffff00000a50c8c8 (lock_class){....}-{2:2}, at: __setup_irq+0xc4/0x690
+ [ 4.296130] renesas_sdhi_internal_dmac ee100000.mmc: mmc1 base at 0x00000000ee100000, max clock rate 200 MHz
+ [ 4.304082] stack backtrace:
+ [ 4.304086] CPU: 1 UID: 0 PID: 76 Comm: kworker/u8:5 Not tainted 6.13.0-rc7-arm64-renesas-05496-gd088502a519f #35
+ [ 4.304092] Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT)
+ [ 4.304097] Workqueue: async async_run_entry_fn
+ [ 4.304106] Call trace:
+ [ 4.304110] show_stack+0x14/0x20 (C)
+ [ 4.304122] dump_stack_lvl+0x6c/0x90
+ [ 4.304131] dump_stack+0x14/0x1c
+ [ 4.304138] __lock_acquire+0xdfc/0x1584
+ [ 4.426274] lock_acquire+0x1c4/0x33c
+ [ 4.429942] _raw_spin_lock_irqsave+0x5c/0x80
+ [ 4.434307] gpio_rcar_config_interrupt_input_mode+0x34/0x164
+ [ 4.440061] gpio_rcar_irq_set_type+0xd4/0xd8
+ [ 4.444422] __irq_set_trigger+0x5c/0x178
+ [ 4.448435] __setup_irq+0x2e4/0x690
+ [ 4.452012] request_threaded_irq+0xc4/0x190
+ [ 4.456285] devm_request_threaded_irq+0x7c/0xf4
+ [ 4.459398] ata1: link resume succeeded after 1 retries
+ [ 4.460902] mmc_gpiod_request_cd_irq+0x68/0xe0
+ [ 4.470660] mmc_start_host+0x50/0xac
+ [ 4.474327] mmc_add_host+0x80/0xe4
+ [ 4.477817] tmio_mmc_host_probe+0x2b0/0x440
+ [ 4.482094] renesas_sdhi_probe+0x488/0x6f4
+ [ 4.486281] renesas_sdhi_internal_dmac_probe+0x60/0x78
+ [ 4.491509] platform_probe+0x64/0xd8
+ [ 4.495178] really_probe+0xb8/0x2a8
+ [ 4.498756] __driver_probe_device+0x74/0x118
+ [ 4.503116] driver_probe_device+0x3c/0x154
+ [ 4.507303] __device_attach_driver+0xd4/0x160
+ [ 4.511750] bus_for_each_drv+0x84/0xe0
+ [ 4.515588] __device_attach_async_helper+0xb0/0xdc
+ [ 4.520470] async_run_entry_fn+0x30/0xd8
+ [ 4.524481] process_one_work+0x210/0x62c
+ [ 4.528494] worker_thread+0x1ac/0x340
+ [ 4.532245] kthread+0x10c/0x110
+ [ 4.535476] ret_from_fork+0x10/0x20
+
+Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250121135833.3769310-1-niklas.soderlund+renesas@ragnatech.se
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpio-rcar.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+--- a/drivers/gpio/gpio-rcar.c
++++ b/drivers/gpio/gpio-rcar.c
+@@ -40,7 +40,7 @@ struct gpio_rcar_info {
+
+ struct gpio_rcar_priv {
+ void __iomem *base;
+- spinlock_t lock;
++ raw_spinlock_t lock;
+ struct device *dev;
+ struct gpio_chip gpio_chip;
+ unsigned int irq_parent;
+@@ -123,7 +123,7 @@ static void gpio_rcar_config_interrupt_i
+ * "Setting Level-Sensitive Interrupt Input Mode"
+ */
+
+- spin_lock_irqsave(&p->lock, flags);
++ raw_spin_lock_irqsave(&p->lock, flags);
+
+ /* Configure positive or negative logic in POSNEG */
+ gpio_rcar_modify_bit(p, POSNEG, hwirq, !active_high_rising_edge);
+@@ -142,7 +142,7 @@ static void gpio_rcar_config_interrupt_i
+ if (!level_trigger)
+ gpio_rcar_write(p, INTCLR, BIT(hwirq));
+
+- spin_unlock_irqrestore(&p->lock, flags);
++ raw_spin_unlock_irqrestore(&p->lock, flags);
+ }
+
+ static int gpio_rcar_irq_set_type(struct irq_data *d, unsigned int type)
+@@ -246,7 +246,7 @@ static void gpio_rcar_config_general_inp
+ * "Setting General Input Mode"
+ */
+
+- spin_lock_irqsave(&p->lock, flags);
++ raw_spin_lock_irqsave(&p->lock, flags);
+
+ /* Configure positive logic in POSNEG */
+ gpio_rcar_modify_bit(p, POSNEG, gpio, false);
+@@ -261,7 +261,7 @@ static void gpio_rcar_config_general_inp
+ if (p->info.has_outdtsel && output)
+ gpio_rcar_modify_bit(p, OUTDTSEL, gpio, false);
+
+- spin_unlock_irqrestore(&p->lock, flags);
++ raw_spin_unlock_irqrestore(&p->lock, flags);
+ }
+
+ static int gpio_rcar_request(struct gpio_chip *chip, unsigned offset)
+@@ -347,7 +347,7 @@ static int gpio_rcar_get_multiple(struct
+ return 0;
+ }
+
+- spin_lock_irqsave(&p->lock, flags);
++ raw_spin_lock_irqsave(&p->lock, flags);
+ outputs = gpio_rcar_read(p, INOUTSEL);
+ m = outputs & bankmask;
+ if (m)
+@@ -356,7 +356,7 @@ static int gpio_rcar_get_multiple(struct
+ m = ~outputs & bankmask;
+ if (m)
+ val |= gpio_rcar_read(p, INDT) & m;
+- spin_unlock_irqrestore(&p->lock, flags);
++ raw_spin_unlock_irqrestore(&p->lock, flags);
+
+ bits[0] = val;
+ return 0;
+@@ -367,9 +367,9 @@ static void gpio_rcar_set(struct gpio_ch
+ struct gpio_rcar_priv *p = gpiochip_get_data(chip);
+ unsigned long flags;
+
+- spin_lock_irqsave(&p->lock, flags);
++ raw_spin_lock_irqsave(&p->lock, flags);
+ gpio_rcar_modify_bit(p, OUTDT, offset, value);
+- spin_unlock_irqrestore(&p->lock, flags);
++ raw_spin_unlock_irqrestore(&p->lock, flags);
+ }
+
+ static void gpio_rcar_set_multiple(struct gpio_chip *chip, unsigned long *mask,
+@@ -386,12 +386,12 @@ static void gpio_rcar_set_multiple(struc
+ if (!bankmask)
+ return;
+
+- spin_lock_irqsave(&p->lock, flags);
++ raw_spin_lock_irqsave(&p->lock, flags);
+ val = gpio_rcar_read(p, OUTDT);
+ val &= ~bankmask;
+ val |= (bankmask & bits[0]);
+ gpio_rcar_write(p, OUTDT, val);
+- spin_unlock_irqrestore(&p->lock, flags);
++ raw_spin_unlock_irqrestore(&p->lock, flags);
+ }
+
+ static int gpio_rcar_direction_output(struct gpio_chip *chip, unsigned offset,
+@@ -505,7 +505,7 @@ static int gpio_rcar_probe(struct platfo
+ return -ENOMEM;
+
+ p->dev = dev;
+- spin_lock_init(&p->lock);
++ raw_spin_lock_init(&p->lock);
+
+ /* Get device configuration from DT node */
+ ret = gpio_rcar_parse_dt(p, &npins);
--- /dev/null
+From 2ff5baa9b5275e3acafdf7f2089f74cccb2f38d1 Mon Sep 17 00:00:00 2001
+From: Daniil Dulov <d.dulov@aladdin.ru>
+Date: Mon, 24 Feb 2025 20:30:30 +0300
+Subject: HID: appleir: Fix potential NULL dereference at raw event handle
+
+From: Daniil Dulov <d.dulov@aladdin.ru>
+
+commit 2ff5baa9b5275e3acafdf7f2089f74cccb2f38d1 upstream.
+
+Syzkaller reports a NULL pointer dereference issue in input_event().
+
+BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:68 [inline]
+BUG: KASAN: null-ptr-deref in _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
+BUG: KASAN: null-ptr-deref in is_event_supported drivers/input/input.c:67 [inline]
+BUG: KASAN: null-ptr-deref in input_event+0x42/0xa0 drivers/input/input.c:395
+Read of size 8 at addr 0000000000000028 by task syz-executor199/2949
+
+CPU: 0 UID: 0 PID: 2949 Comm: syz-executor199 Not tainted 6.13.0-rc4-syzkaller-00076-gf097a36ef88d #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
+ kasan_report+0xd9/0x110 mm/kasan/report.c:602
+ check_region_inline mm/kasan/generic.c:183 [inline]
+ kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189
+ instrument_atomic_read include/linux/instrumented.h:68 [inline]
+ _test_bit include/asm-generic/bitops/instrumented-non-atomic.h:141 [inline]
+ is_event_supported drivers/input/input.c:67 [inline]
+ input_event+0x42/0xa0 drivers/input/input.c:395
+ input_report_key include/linux/input.h:439 [inline]
+ key_down drivers/hid/hid-appleir.c:159 [inline]
+ appleir_raw_event+0x3e5/0x5e0 drivers/hid/hid-appleir.c:232
+ __hid_input_report.constprop.0+0x312/0x440 drivers/hid/hid-core.c:2111
+ hid_ctrl+0x49f/0x550 drivers/hid/usbhid/hid-core.c:484
+ __usb_hcd_giveback_urb+0x389/0x6e0 drivers/usb/core/hcd.c:1650
+ usb_hcd_giveback_urb+0x396/0x450 drivers/usb/core/hcd.c:1734
+ dummy_timer+0x17f7/0x3960 drivers/usb/gadget/udc/dummy_hcd.c:1993
+ __run_hrtimer kernel/time/hrtimer.c:1739 [inline]
+ __hrtimer_run_queues+0x20a/0xae0 kernel/time/hrtimer.c:1803
+ hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1820
+ handle_softirqs+0x206/0x8d0 kernel/softirq.c:561
+ __do_softirq kernel/softirq.c:595 [inline]
+ invoke_softirq kernel/softirq.c:435 [inline]
+ __irq_exit_rcu+0xfa/0x160 kernel/softirq.c:662
+ irq_exit_rcu+0x9/0x30 kernel/softirq.c:678
+ instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
+ sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1049
+ </IRQ>
+ <TASK>
+ asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
+ __mod_timer+0x8f6/0xdc0 kernel/time/timer.c:1185
+ add_timer+0x62/0x90 kernel/time/timer.c:1295
+ schedule_timeout+0x11f/0x280 kernel/time/sleep_timeout.c:98
+ usbhid_wait_io+0x1c7/0x380 drivers/hid/usbhid/hid-core.c:645
+ usbhid_init_reports+0x19f/0x390 drivers/hid/usbhid/hid-core.c:784
+ hiddev_ioctl+0x1133/0x15b0 drivers/hid/usbhid/hiddev.c:794
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:906 [inline]
+ __se_sys_ioctl fs/ioctl.c:892 [inline]
+ __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+ </TASK>
+
+This happens due to the malformed report items sent by the emulated device
+which results in a report, that has no fields, being added to the report list.
+Due to this appleir_input_configured() is never called, hidinput_connect()
+fails which results in the HID_CLAIMED_INPUT flag is not being set. However,
+it does not make appleir_probe() fail and lets the event callback to be
+called without the associated input device.
+
+Thus, add a check for the HID_CLAIMED_INPUT flag and leave the event hook
+early if the driver didn't claim any input_dev for some reason. Moreover,
+some other hid drivers accessing input_dev in their event callbacks do have
+similar checks, too.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: 9a4a5574ce42 ("HID: appleir: add support for Apple ir devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniil Dulov <d.dulov@aladdin.ru>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-appleir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-appleir.c
++++ b/drivers/hid/hid-appleir.c
+@@ -188,7 +188,7 @@ static int appleir_raw_event(struct hid_
+ static const u8 flatbattery[] = { 0x25, 0x87, 0xe0 };
+ unsigned long flags;
+
+- if (len != 5)
++ if (len != 5 || !(hid->claimed & HID_CLAIMED_INPUT))
+ goto out;
+
+ if (!memcmp(data, keydown, sizeof(keydown))) {
--- /dev/null
+From 5797c04400ee117bfe459ff1e468d0ea38054ab4 Mon Sep 17 00:00:00 2001
+From: Paul Fertser <fercerpav@gmail.com>
+Date: Thu, 23 Jan 2025 15:20:02 +0300
+Subject: hwmon: (peci/dimmtemp) Do not provide fake thresholds data
+
+From: Paul Fertser <fercerpav@gmail.com>
+
+commit 5797c04400ee117bfe459ff1e468d0ea38054ab4 upstream.
+
+When an Icelake or Sapphire Rapids CPU isn't providing the maximum and
+critical thresholds for particular DIMM the driver should return an
+error to the userspace instead of giving it stale (best case) or wrong
+(the structure contains all zeros after kzalloc() call) data.
+
+The issue can be reproduced by binding the peci driver while the host is
+fully booted and idle, this makes PECI interaction unreliable enough.
+
+Fixes: 73bc1b885dae ("hwmon: peci: Add dimmtemp driver")
+Fixes: 621995b6d795 ("hwmon: (peci/dimmtemp) Add Sapphire Rapids support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paul Fertser <fercerpav@gmail.com>
+Reviewed-by: Iwona Winiarska <iwona.winiarska@intel.com>
+Link: https://lore.kernel.org/r/20250123122003.6010-1-fercerpav@gmail.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/peci/dimmtemp.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/drivers/hwmon/peci/dimmtemp.c
++++ b/drivers/hwmon/peci/dimmtemp.c
+@@ -127,8 +127,6 @@ static int update_thresholds(struct peci
+ return 0;
+
+ ret = priv->gen_info->read_thresholds(priv, dimm_order, chan_rank, &data);
+- if (ret == -ENODATA) /* Use default or previous value */
+- return 0;
+ if (ret)
+ return ret;
+
+@@ -509,11 +507,11 @@ read_thresholds_icx(struct peci_dimmtemp
+
+ ret = peci_ep_pci_local_read(priv->peci_dev, 0, 13, 0, 2, 0xd4, ®_val);
+ if (ret || !(reg_val & BIT(31)))
+- return -ENODATA; /* Use default or previous value */
++ return -ENODATA;
+
+ ret = peci_ep_pci_local_read(priv->peci_dev, 0, 13, 0, 2, 0xd0, ®_val);
+ if (ret)
+- return -ENODATA; /* Use default or previous value */
++ return -ENODATA;
+
+ /*
+ * Device 26, Offset 224e0: IMC 0 channel 0 -> rank 0
+@@ -546,11 +544,11 @@ read_thresholds_spr(struct peci_dimmtemp
+
+ ret = peci_ep_pci_local_read(priv->peci_dev, 0, 30, 0, 2, 0xd4, ®_val);
+ if (ret || !(reg_val & BIT(31)))
+- return -ENODATA; /* Use default or previous value */
++ return -ENODATA;
+
+ ret = peci_ep_pci_local_read(priv->peci_dev, 0, 30, 0, 2, 0xd0, ®_val);
+ if (ret)
+- return -ENODATA; /* Use default or previous value */
++ return -ENODATA;
+
+ /*
+ * Device 26, Offset 219a8: IMC 0 channel 0 -> rank 0
--- /dev/null
+From e26e2d2e15daf1ab33e0135caf2304a0cfa2744b Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Thu, 27 Feb 2025 15:49:10 +0900
+Subject: ksmbd: fix bug on trap in smb2_lock
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit e26e2d2e15daf1ab33e0135caf2304a0cfa2744b upstream.
+
+If lock count is greater than 1, flags could be old value.
+It should be checked with flags of smb_lock, not flags.
+It will cause bug-on trap from locks_free_lock in error handling
+routine.
+
+Cc: stable@vger.kernel.org
+Reported-by: Norbert Szetei <norbert@doyensec.com>
+Tested-by: Norbert Szetei <norbert@doyensec.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -7452,7 +7452,7 @@ no_check_cl:
+ retry:
+ rc = vfs_lock_file(filp, smb_lock->cmd, flock, NULL);
+ skip:
+- if (flags & SMB2_LOCKFLAG_UNLOCK) {
++ if (smb_lock->flags & SMB2_LOCKFLAG_UNLOCK) {
+ if (!rc) {
+ ksmbd_debug(SMB, "File unlocked\n");
+ } else if (rc == -ENOENT) {
--- /dev/null
+From d6e13e19063db24f94b690159d0633aaf72a0f03 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Tue, 18 Feb 2025 22:49:50 +0900
+Subject: ksmbd: fix out-of-bounds in parse_sec_desc()
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit d6e13e19063db24f94b690159d0633aaf72a0f03 upstream.
+
+If osidoffset, gsidoffset and dacloffset could be greater than smb_ntsd
+struct size. If it is smaller, It could cause slab-out-of-bounds.
+And when validating sid, It need to check it included subauth array size.
+
+Cc: stable@vger.kernel.org
+Reported-by: Norbert Szetei <norbert@doyensec.com>
+Tested-by: Norbert Szetei <norbert@doyensec.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smbacl.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/fs/smb/server/smbacl.c
++++ b/fs/smb/server/smbacl.c
+@@ -807,6 +807,13 @@ static int parse_sid(struct smb_sid *psi
+ return -EINVAL;
+ }
+
++ if (!psid->num_subauth)
++ return 0;
++
++ if (psid->num_subauth > SID_MAX_SUB_AUTHORITIES ||
++ end_of_acl < (char *)psid + 8 + sizeof(__le32) * psid->num_subauth)
++ return -EINVAL;
++
+ return 0;
+ }
+
+@@ -848,6 +855,9 @@ int parse_sec_desc(struct mnt_idmap *idm
+ pntsd->type = cpu_to_le16(DACL_PRESENT);
+
+ if (pntsd->osidoffset) {
++ if (le32_to_cpu(pntsd->osidoffset) < sizeof(struct smb_ntsd))
++ return -EINVAL;
++
+ rc = parse_sid(owner_sid_ptr, end_of_acl);
+ if (rc) {
+ pr_err("%s: Error %d parsing Owner SID\n", __func__, rc);
+@@ -863,6 +873,9 @@ int parse_sec_desc(struct mnt_idmap *idm
+ }
+
+ if (pntsd->gsidoffset) {
++ if (le32_to_cpu(pntsd->gsidoffset) < sizeof(struct smb_ntsd))
++ return -EINVAL;
++
+ rc = parse_sid(group_sid_ptr, end_of_acl);
+ if (rc) {
+ pr_err("%s: Error %d mapping Owner SID to gid\n",
+@@ -884,6 +897,9 @@ int parse_sec_desc(struct mnt_idmap *idm
+ pntsd->type |= cpu_to_le16(DACL_PROTECTED);
+
+ if (dacloffset) {
++ if (dacloffset < sizeof(struct smb_ntsd))
++ return -EINVAL;
++
+ parse_dacl(idmap, dacl_ptr, end_of_acl,
+ owner_sid_ptr, group_sid_ptr, fattr);
+ }
--- /dev/null
+From e2ff19f0b7a30e03516e6eb73b948e27a55bc9d2 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Fri, 21 Feb 2025 14:16:23 +0900
+Subject: ksmbd: fix type confusion via race condition when using ipc_msg_send_request
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit e2ff19f0b7a30e03516e6eb73b948e27a55bc9d2 upstream.
+
+req->handle is allocated using ksmbd_acquire_id(&ipc_ida), based on
+ida_alloc. req->handle from ksmbd_ipc_login_request and
+FSCTL_PIPE_TRANSCEIVE ioctl can be same and it could lead to type confusion
+between messages, resulting in access to unexpected parts of memory after
+an incorrect delivery. ksmbd check type of ipc response but missing add
+continue to check next ipc reponse.
+
+Cc: stable@vger.kernel.org
+Reported-by: Norbert Szetei <norbert@doyensec.com>
+Tested-by: Norbert Szetei <norbert@doyensec.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/transport_ipc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/smb/server/transport_ipc.c
++++ b/fs/smb/server/transport_ipc.c
+@@ -267,6 +267,7 @@ static int handle_response(int type, voi
+ if (entry->type + 1 != type) {
+ pr_err("Waiting for IPC type %d, got %d. Ignore.\n",
+ entry->type + 1, type);
++ continue;
+ }
+
+ entry->response = kvzalloc(sz, GFP_KERNEL);
--- /dev/null
+From 84d2d1641b71dec326e8736a749b7ee76a9599fc Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Wed, 26 Feb 2025 15:44:02 +0900
+Subject: ksmbd: fix use-after-free in smb2_lock
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 84d2d1641b71dec326e8736a749b7ee76a9599fc upstream.
+
+If smb_lock->zero_len has value, ->llist of smb_lock is not delete and
+flock is old one. It will cause use-after-free on error handling
+routine.
+
+Cc: stable@vger.kernel.org
+Reported-by: Norbert Szetei <norbert@doyensec.com>
+Tested-by: Norbert Szetei <norbert@doyensec.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -7442,13 +7442,13 @@ out_check_cl:
+ }
+
+ no_check_cl:
++ flock = smb_lock->fl;
++ list_del(&smb_lock->llist);
++
+ if (smb_lock->zero_len) {
+ err = 0;
+ goto skip;
+ }
+-
+- flock = smb_lock->fl;
+- list_del(&smb_lock->llist);
+ retry:
+ rc = vfs_lock_file(filp, smb_lock->cmd, flock, NULL);
+ skip:
--- /dev/null
+From da64a2359092ceec4f9dea5b329d0aef20104217 Mon Sep 17 00:00:00 2001
+From: Tiezhu Yang <yangtiezhu@loongson.cn>
+Date: Sat, 8 Mar 2025 13:50:45 +0800
+Subject: LoongArch: Convert unreachable() to BUG()
+
+From: Tiezhu Yang <yangtiezhu@loongson.cn>
+
+commit da64a2359092ceec4f9dea5b329d0aef20104217 upstream.
+
+When compiling on LoongArch, there exists the following objtool warning
+in arch/loongarch/kernel/machine_kexec.o:
+
+ kexec_reboot() falls through to next function crash_shutdown_secondary()
+
+Avoid using unreachable() as it can (and will in the absence of UBSAN)
+generate fall-through code. Use BUG() so we get a "break BRK_BUG" trap
+(with unreachable annotation).
+
+Cc: stable@vger.kernel.org # 6.12+
+Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/kernel/machine_kexec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/loongarch/kernel/machine_kexec.c
++++ b/arch/loongarch/kernel/machine_kexec.c
+@@ -126,14 +126,14 @@ void kexec_reboot(void)
+ /* All secondary cpus go to kexec_smp_wait */
+ if (smp_processor_id() > 0) {
+ relocated_kexec_smp_wait(NULL);
+- unreachable();
++ BUG();
+ }
+ #endif
+
+ do_kexec = (void *)reboot_code_buffer;
+ do_kexec(efi_boot, cmdline_ptr, systable_ptr, start_addr, first_ind_entry);
+
+- unreachable();
++ BUG();
+ }
+
+
--- /dev/null
+From c8477bb0a8e7f6b2e47952b403c5cb67a6929e55 Mon Sep 17 00:00:00 2001
+From: Bibo Mao <maobibo@loongson.cn>
+Date: Sat, 8 Mar 2025 13:51:32 +0800
+Subject: LoongArch: Set max_pfn with the PFN of the last page
+
+From: Bibo Mao <maobibo@loongson.cn>
+
+commit c8477bb0a8e7f6b2e47952b403c5cb67a6929e55 upstream.
+
+The current max_pfn equals to zero. In this case, it causes user cannot
+get some page information through /proc filesystem such as kpagecount.
+The following message is displayed by stress-ng test suite with command
+"stress-ng --verbose --physpage 1 -t 1".
+
+ # stress-ng --verbose --physpage 1 -t 1
+ stress-ng: error: [1691] physpage: cannot read page count for address 0x134ac000 in /proc/kpagecount, errno=22 (Invalid argument)
+ stress-ng: error: [1691] physpage: cannot read page count for address 0x7ffff207c3a8 in /proc/kpagecount, errno=22 (Invalid argument)
+ stress-ng: error: [1691] physpage: cannot read page count for address 0x134b0000 in /proc/kpagecount, errno=22 (Invalid argument)
+ ...
+
+After applying this patch, the kernel can pass the test.
+
+ # stress-ng --verbose --physpage 1 -t 1
+ stress-ng: debug: [1701] physpage: [1701] started (instance 0 on CPU 3)
+ stress-ng: debug: [1701] physpage: [1701] exited (instance 0 on CPU 3)
+ stress-ng: debug: [1700] physpage: [1701] terminated (success)
+
+Cc: stable@vger.kernel.org # 6.8+
+Fixes: ff6c3d81f2e8 ("NUMA: optimize detection of memory with no node id assigned by firmware")
+Signed-off-by: Bibo Mao <maobibo@loongson.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/kernel/setup.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/loongarch/kernel/setup.c
++++ b/arch/loongarch/kernel/setup.c
+@@ -400,6 +400,9 @@ static void __init check_kernel_sections
+ */
+ static void __init arch_mem_init(char **cmdline_p)
+ {
++ /* Recalculate max_low_pfn for "mem=xxx" */
++ max_pfn = max_low_pfn = PHYS_PFN(memblock_end_of_DRAM());
++
+ if (usermem)
+ pr_info("User-defined physical RAM map overwrite\n");
+
--- /dev/null
+From c9117434c8f7523f0b77db4c5766f5011cc94677 Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhuacai@loongson.cn>
+Date: Sat, 8 Mar 2025 13:51:32 +0800
+Subject: LoongArch: Use polling play_dead() when resuming from hibernation
+
+From: Huacai Chen <chenhuacai@loongson.cn>
+
+commit c9117434c8f7523f0b77db4c5766f5011cc94677 upstream.
+
+When CONFIG_RANDOM_KMALLOC_CACHES or other randomization infrastructrue
+enabled, the idle_task's stack may different between the booting kernel
+and target kernel. So when resuming from hibernation, an ACTION_BOOT_CPU
+IPI wakeup the idle instruction in arch_cpu_idle_dead() and jump to the
+interrupt handler. But since the stack pointer is changed, the interrupt
+handler cannot restore correct context.
+
+So rename the current arch_cpu_idle_dead() to idle_play_dead(), make it
+as the default version of play_dead(), and the new arch_cpu_idle_dead()
+call play_dead() directly. For hibernation, implement an arch-specific
+hibernate_resume_nonboot_cpu_disable() to use the polling version (idle
+instruction is replace by nop, and irq is disabled) of play_dead(), i.e.
+poll_play_dead(), to avoid IPI handler corrupting the idle_task's stack
+when resuming from hibernation.
+
+This solution is a little similar to commit 406f992e4a372dafbe3c ("x86 /
+hibernate: Use hlt_play_dead() when resuming from hibernation").
+
+Cc: stable@vger.kernel.org
+Tested-by: Erpeng Xu <xuerpeng@uniontech.com>
+Tested-by: Yuli Wang <wangyuli@uniontech.com>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/kernel/smp.c | 47 +++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 46 insertions(+), 1 deletion(-)
+
+--- a/arch/loongarch/kernel/smp.c
++++ b/arch/loongarch/kernel/smp.c
+@@ -18,6 +18,7 @@
+ #include <linux/smp.h>
+ #include <linux/threads.h>
+ #include <linux/export.h>
++#include <linux/suspend.h>
+ #include <linux/syscore_ops.h>
+ #include <linux/time.h>
+ #include <linux/tracepoint.h>
+@@ -388,7 +389,7 @@ void loongson_cpu_die(unsigned int cpu)
+ mb();
+ }
+
+-void __noreturn arch_cpu_idle_dead(void)
++static void __noreturn idle_play_dead(void)
+ {
+ register uint64_t addr;
+ register void (*init_fn)(void);
+@@ -412,6 +413,50 @@ void __noreturn arch_cpu_idle_dead(void)
+ BUG();
+ }
+
++#ifdef CONFIG_HIBERNATION
++static void __noreturn poll_play_dead(void)
++{
++ register uint64_t addr;
++ register void (*init_fn)(void);
++
++ idle_task_exit();
++ __this_cpu_write(cpu_state, CPU_DEAD);
++
++ __smp_mb();
++ do {
++ __asm__ __volatile__("nop\n\t");
++ addr = iocsr_read64(LOONGARCH_IOCSR_MBUF0);
++ } while (addr == 0);
++
++ init_fn = (void *)TO_CACHE(addr);
++ iocsr_write32(0xffffffff, LOONGARCH_IOCSR_IPI_CLEAR);
++
++ init_fn();
++ BUG();
++}
++#endif
++
++static void (*play_dead)(void) = idle_play_dead;
++
++void __noreturn arch_cpu_idle_dead(void)
++{
++ play_dead();
++ BUG(); /* play_dead() doesn't return */
++}
++
++#ifdef CONFIG_HIBERNATION
++int hibernate_resume_nonboot_cpu_disable(void)
++{
++ int ret;
++
++ play_dead = poll_play_dead;
++ ret = suspend_disable_secondary_cpus();
++ play_dead = idle_play_dead;
++
++ return ret;
++}
++#endif
++
+ #endif
+
+ /*
--- /dev/null
+From 022bfe24aad8937705704ff2e414b100cf0f2e1a Mon Sep 17 00:00:00 2001
+From: Krister Johansen <kjlx@templeofstupid.com>
+Date: Mon, 3 Mar 2025 18:10:13 +0100
+Subject: mptcp: fix 'scheduling while atomic' in mptcp_pm_nl_append_new_local_addr
+
+From: Krister Johansen <kjlx@templeofstupid.com>
+
+commit 022bfe24aad8937705704ff2e414b100cf0f2e1a upstream.
+
+If multiple connection requests attempt to create an implicit mptcp
+endpoint in parallel, more than one caller may end up in
+mptcp_pm_nl_append_new_local_addr because none found the address in
+local_addr_list during their call to mptcp_pm_nl_get_local_id. In this
+case, the concurrent new_local_addr calls may delete the address entry
+created by the previous caller. These deletes use synchronize_rcu, but
+this is not permitted in some of the contexts where this function may be
+called. During packet recv, the caller may be in a rcu read critical
+section and have preemption disabled.
+
+An example stack:
+
+ BUG: scheduling while atomic: swapper/2/0/0x00000302
+
+ Call Trace:
+ <IRQ>
+ dump_stack_lvl (lib/dump_stack.c:117 (discriminator 1))
+ dump_stack (lib/dump_stack.c:124)
+ __schedule_bug (kernel/sched/core.c:5943)
+ schedule_debug.constprop.0 (arch/x86/include/asm/preempt.h:33 kernel/sched/core.c:5970)
+ __schedule (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:207 kernel/sched/features.h:29 kernel/sched/core.c:6621)
+ schedule (arch/x86/include/asm/preempt.h:84 kernel/sched/core.c:6804 kernel/sched/core.c:6818)
+ schedule_timeout (kernel/time/timer.c:2160)
+ wait_for_completion (kernel/sched/completion.c:96 kernel/sched/completion.c:116 kernel/sched/completion.c:127 kernel/sched/completion.c:148)
+ __wait_rcu_gp (include/linux/rcupdate.h:311 kernel/rcu/update.c:444)
+ synchronize_rcu (kernel/rcu/tree.c:3609)
+ mptcp_pm_nl_append_new_local_addr (net/mptcp/pm_netlink.c:966 net/mptcp/pm_netlink.c:1061)
+ mptcp_pm_nl_get_local_id (net/mptcp/pm_netlink.c:1164)
+ mptcp_pm_get_local_id (net/mptcp/pm.c:420)
+ subflow_check_req (net/mptcp/subflow.c:98 net/mptcp/subflow.c:213)
+ subflow_v4_route_req (net/mptcp/subflow.c:305)
+ tcp_conn_request (net/ipv4/tcp_input.c:7216)
+ subflow_v4_conn_request (net/mptcp/subflow.c:651)
+ tcp_rcv_state_process (net/ipv4/tcp_input.c:6709)
+ tcp_v4_do_rcv (net/ipv4/tcp_ipv4.c:1934)
+ tcp_v4_rcv (net/ipv4/tcp_ipv4.c:2334)
+ ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205 (discriminator 1))
+ ip_local_deliver_finish (include/linux/rcupdate.h:813 net/ipv4/ip_input.c:234)
+ ip_local_deliver (include/linux/netfilter.h:314 include/linux/netfilter.h:308 net/ipv4/ip_input.c:254)
+ ip_sublist_rcv_finish (include/net/dst.h:461 net/ipv4/ip_input.c:580)
+ ip_sublist_rcv (net/ipv4/ip_input.c:640)
+ ip_list_rcv (net/ipv4/ip_input.c:675)
+ __netif_receive_skb_list_core (net/core/dev.c:5583 net/core/dev.c:5631)
+ netif_receive_skb_list_internal (net/core/dev.c:5685 net/core/dev.c:5774)
+ napi_complete_done (include/linux/list.h:37 include/net/gro.h:449 include/net/gro.h:444 net/core/dev.c:6114)
+ igb_poll (drivers/net/ethernet/intel/igb/igb_main.c:8244) igb
+ __napi_poll (net/core/dev.c:6582)
+ net_rx_action (net/core/dev.c:6653 net/core/dev.c:6787)
+ handle_softirqs (kernel/softirq.c:553)
+ __irq_exit_rcu (kernel/softirq.c:588 kernel/softirq.c:427 kernel/softirq.c:636)
+ irq_exit_rcu (kernel/softirq.c:651)
+ common_interrupt (arch/x86/kernel/irq.c:247 (discriminator 14))
+ </IRQ>
+
+This problem seems particularly prevalent if the user advertises an
+endpoint that has a different external vs internal address. In the case
+where the external address is advertised and multiple connections
+already exist, multiple subflow SYNs arrive in parallel which tends to
+trigger the race during creation of the first local_addr_list entries
+which have the internal address instead.
+
+Fix by skipping the replacement of an existing implicit local address if
+called via mptcp_pm_nl_get_local_id.
+
+Fixes: d045b9eb95a9 ("mptcp: introduce implicit endpoints")
+Cc: stable@vger.kernel.org
+Suggested-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Krister Johansen <kjlx@templeofstupid.com>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20250303-net-mptcp-fix-sched-while-atomic-v1-1-f6a216c5a74c@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/pm_netlink.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+--- a/net/mptcp/pm_netlink.c
++++ b/net/mptcp/pm_netlink.c
+@@ -969,7 +969,7 @@ static void __mptcp_pm_release_addr_entr
+
+ static int mptcp_pm_nl_append_new_local_addr(struct pm_nl_pernet *pernet,
+ struct mptcp_pm_addr_entry *entry,
+- bool needs_id)
++ bool needs_id, bool replace)
+ {
+ struct mptcp_pm_addr_entry *cur, *del_entry = NULL;
+ unsigned int addr_max;
+@@ -1009,6 +1009,17 @@ static int mptcp_pm_nl_append_new_local_
+ if (entry->addr.id)
+ goto out;
+
++ /* allow callers that only need to look up the local
++ * addr's id to skip replacement. This allows them to
++ * avoid calling synchronize_rcu in the packet recv
++ * path.
++ */
++ if (!replace) {
++ kfree(entry);
++ ret = cur->addr.id;
++ goto out;
++ }
++
+ pernet->addrs--;
+ entry->addr.id = cur->addr.id;
+ list_del_rcu(&cur->list);
+@@ -1161,7 +1172,7 @@ int mptcp_pm_nl_get_local_id(struct mptc
+ entry->ifindex = 0;
+ entry->flags = MPTCP_PM_ADDR_FLAG_IMPLICIT;
+ entry->lsk = NULL;
+- ret = mptcp_pm_nl_append_new_local_addr(pernet, entry, true);
++ ret = mptcp_pm_nl_append_new_local_addr(pernet, entry, true, false);
+ if (ret < 0)
+ kfree(entry);
+
+@@ -1456,7 +1467,8 @@ static int mptcp_nl_cmd_add_addr(struct
+ }
+ }
+ ret = mptcp_pm_nl_append_new_local_addr(pernet, entry,
+- !mptcp_pm_has_addr_attr_id(attr, info));
++ !mptcp_pm_has_addr_attr_id(attr, info),
++ true);
+ if (ret < 0) {
+ GENL_SET_ERR_MSG_FMT(info, "too many addresses or duplicate one: %d", ret);
+ goto out_free;
--- /dev/null
+From d0d10eaedcb53740883d7e5d53c5e15c879b48fb Mon Sep 17 00:00:00 2001
+From: Mingcong Bai <jeffbai@aosc.io>
+Date: Sat, 22 Feb 2025 00:48:24 +0800
+Subject: platform/x86: thinkpad_acpi: Add battery quirk for ThinkPad X131e
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mingcong Bai <jeffbai@aosc.io>
+
+commit d0d10eaedcb53740883d7e5d53c5e15c879b48fb upstream.
+
+Based on the dmesg messages from the original reporter:
+
+[ 4.964073] ACPI: \_SB_.PCI0.LPCB.EC__.HKEY: BCTG evaluated but flagged as error
+[ 4.964083] thinkpad_acpi: Error probing battery 2
+
+Lenovo ThinkPad X131e also needs this battery quirk.
+
+Reported-by: Fan Yang <804284660@qq.com>
+Tested-by: Fan Yang <804284660@qq.com>
+Co-developed-by: Xi Ruoyao <xry111@xry111.site>
+Signed-off-by: Xi Ruoyao <xry111@xry111.site>
+Signed-off-by: Mingcong Bai <jeffbai@aosc.io>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250221164825.77315-1-jeffbai@aosc.io
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/thinkpad_acpi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/platform/x86/thinkpad_acpi.c
++++ b/drivers/platform/x86/thinkpad_acpi.c
+@@ -9911,6 +9911,7 @@ static const struct tpacpi_quirk battery
+ * Individual addressing is broken on models that expose the
+ * primary battery as BAT1.
+ */
++ TPACPI_Q_LNV('G', '8', true), /* ThinkPad X131e */
+ TPACPI_Q_LNV('8', 'F', true), /* Thinkpad X120e */
+ TPACPI_Q_LNV('J', '7', true), /* B5400 */
+ TPACPI_Q_LNV('J', 'I', true), /* Thinkpad 11e */
--- /dev/null
+From 75f1f311d883dfaffb98be3c1da208d6ed5d4df9 Mon Sep 17 00:00:00 2001
+From: "Rob Herring (Arm)" <robh@kernel.org>
+Date: Wed, 26 Feb 2025 13:38:19 -0600
+Subject: Revert "of: reserved-memory: Fix using wrong number of cells to get property 'alignment'"
+
+From: Rob Herring (Arm) <robh@kernel.org>
+
+commit 75f1f311d883dfaffb98be3c1da208d6ed5d4df9 upstream.
+
+This reverts commit 267b21d0bef8e67dbe6c591c9991444e58237ec9.
+
+Turns out some DTs do depend on this behavior. Specifically, a
+downstream Pixel 6 DT. Revert the change at least until we can decide if
+the DT spec can be changed instead.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/of_reserved_mem.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/of/of_reserved_mem.c
++++ b/drivers/of/of_reserved_mem.c
+@@ -156,12 +156,12 @@ static int __init __reserved_mem_alloc_s
+
+ prop = of_get_flat_dt_prop(node, "alignment", &len);
+ if (prop) {
+- if (len != dt_root_size_cells * sizeof(__be32)) {
++ if (len != dt_root_addr_cells * sizeof(__be32)) {
+ pr_err("invalid alignment property in '%s' node.\n",
+ uname);
+ return -EINVAL;
+ }
+- align = dt_mem_next_cell(dt_root_size_cells, &prop);
++ align = dt_mem_next_cell(dt_root_addr_cells, &prop);
+ }
+
+ nomap = of_get_flat_dt_prop(node, "no-map", NULL) != NULL;
risc-v-enable-cbo.zero-in-usermode.patch
riscv-signal-fix-signal_minsigstksz.patch
x86-microcode-amd-add-some-forgotten-models-to-the-sha-check.patch
+revert-of-reserved-memory-fix-using-wrong-number-of-cells-to-get-property-alignment.patch
+tracing-tprobe-events-fix-a-memory-leak-when-tprobe-with-retval.patch
+loongarch-convert-unreachable-to-bug.patch
+loongarch-use-polling-play_dead-when-resuming-from-hibernation.patch
+loongarch-set-max_pfn-with-the-pfn-of-the-last-page.patch
+hid-appleir-fix-potential-null-dereference-at-raw-event-handle.patch
+ksmbd-fix-type-confusion-via-race-condition-when-using-ipc_msg_send_request.patch
+ksmbd-fix-out-of-bounds-in-parse_sec_desc.patch
+ksmbd-fix-use-after-free-in-smb2_lock.patch
+ksmbd-fix-bug-on-trap-in-smb2_lock.patch
+gpio-rcar-use-raw_spinlock-to-protect-register-access.patch
+gpio-aggregator-protect-driver-attr-handlers-against-module-unload.patch
+alsa-seq-avoid-module-auto-load-handling-at-event-delivery.patch
+alsa-hda-intel-add-dell-alc3271-to-power_save-denylist.patch
+alsa-hda-realtek-add-supported-mic-mute-led-for-lenovo-platform.patch
+alsa-hda-realtek-update-alc222-depop-optimize.patch
+hwmon-peci-dimmtemp-do-not-provide-fake-thresholds-data.patch
+drm-amd-display-fix-null-check-for-pipe_ctx-plane_state-in-resource_build_scaling_params.patch
+drm-radeon-fix-rs400_gpu_init-for-ati-mobility-radeon-xpress-200m.patch
+platform-x86-thinkpad_acpi-add-battery-quirk-for-thinkpad-x131e.patch
+x86-cacheinfo-validate-cpuid-leaf-0x2-edx-output.patch
+x86-cpu-validate-cpuid-leaf-0x2-edx-output.patch
+x86-cpu-properly-parse-cpuid-leaf-0x2-tlb-descriptor-0x63.patch
+mptcp-fix-scheduling-while-atomic-in-mptcp_pm_nl_append_new_local_addr.patch
--- /dev/null
+From ac965d7d88fc36fb42e3d50225c0a44dd8326da4 Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Date: Wed, 26 Feb 2025 15:18:46 +0900
+Subject: tracing: tprobe-events: Fix a memory leak when tprobe with $retval
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+commit ac965d7d88fc36fb42e3d50225c0a44dd8326da4 upstream.
+
+Fix a memory leak when a tprobe is defined with $retval. This
+combination is not allowed, but the parse_symbol_and_return() does
+not free the *symbol which should not be used if it returns the error.
+Thus, it leaks the *symbol memory in that error path.
+
+Link: https://lore.kernel.org/all/174055072650.4079315.3063014346697447838.stgit@mhiramat.tok.corp.google.com/
+
+Fixes: ce51e6153f77 ("tracing: fprobe-event: Fix to check tracepoint event and return")
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_fprobe.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/trace/trace_fprobe.c
++++ b/kernel/trace/trace_fprobe.c
+@@ -948,6 +948,8 @@ static int parse_symbol_and_return(int a
+ if (is_tracepoint) {
+ trace_probe_log_set_index(i);
+ trace_probe_log_err(tmp - argv[i], RETVAL_ON_PROBE);
++ kfree(*symbol);
++ *symbol = NULL;
+ return -EINVAL;
+ }
+ *is_return = true;
--- /dev/null
+From 8177c6bedb7013cf736137da586cf783922309dd Mon Sep 17 00:00:00 2001
+From: "Ahmed S. Darwish" <darwi@linutronix.de>
+Date: Tue, 4 Mar 2025 09:51:12 +0100
+Subject: x86/cacheinfo: Validate CPUID leaf 0x2 EDX output
+
+From: Ahmed S. Darwish <darwi@linutronix.de>
+
+commit 8177c6bedb7013cf736137da586cf783922309dd upstream.
+
+CPUID leaf 0x2 emits one-byte descriptors in its four output registers
+EAX, EBX, ECX, and EDX. For these descriptors to be valid, the most
+significant bit (MSB) of each register must be clear.
+
+The historical Git commit:
+
+ 019361a20f016 ("- pre6: Intel: start to add Pentium IV specific stuff (128-byte cacheline etc)...")
+
+introduced leaf 0x2 output parsing. It only validated the MSBs of EAX,
+EBX, and ECX, but left EDX unchecked.
+
+Validate EDX's most-significant bit.
+
+Signed-off-by: Ahmed S. Darwish <darwi@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: stable@vger.kernel.org
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/20250304085152.51092-2-darwi@linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/cacheinfo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/cpu/cacheinfo.c
++++ b/arch/x86/kernel/cpu/cacheinfo.c
+@@ -810,7 +810,7 @@ void init_intel_cacheinfo(struct cpuinfo
+ cpuid(2, ®s[0], ®s[1], ®s[2], ®s[3]);
+
+ /* If bit 31 is set, this is an unknown format */
+- for (j = 0 ; j < 3 ; j++)
++ for (j = 0 ; j < 4 ; j++)
+ if (regs[j] & (1 << 31))
+ regs[j] = 0;
+
--- /dev/null
+From f6bdaab79ee4228a143ee1b4cb80416d6ffc0c63 Mon Sep 17 00:00:00 2001
+From: "Ahmed S. Darwish" <darwi@linutronix.de>
+Date: Tue, 4 Mar 2025 09:51:14 +0100
+Subject: x86/cpu: Properly parse CPUID leaf 0x2 TLB descriptor 0x63
+
+From: Ahmed S. Darwish <darwi@linutronix.de>
+
+commit f6bdaab79ee4228a143ee1b4cb80416d6ffc0c63 upstream.
+
+CPUID leaf 0x2's one-byte TLB descriptors report the number of entries
+for specific TLB types, among other properties.
+
+Typically, each emitted descriptor implies the same number of entries
+for its respective TLB type(s). An emitted 0x63 descriptor is an
+exception: it implies 4 data TLB entries for 1GB pages and 32 data TLB
+entries for 2MB or 4MB pages.
+
+For the TLB descriptors parsing code, the entry count for 1GB pages is
+encoded at the intel_tlb_table[] mapping, but the 2MB/4MB entry count is
+totally ignored.
+
+Update leaf 0x2's parsing logic 0x2 to account for 32 data TLB entries
+for 2MB/4MB pages implied by the 0x63 descriptor.
+
+Fixes: e0ba94f14f74 ("x86/tlb_info: get last level TLB entry number of CPU")
+Signed-off-by: Ahmed S. Darwish <darwi@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: stable@kernel.org
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/20250304085152.51092-4-darwi@linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/intel.c | 60 ++++++++++++++++++++++++++++----------------
+ 1 file changed, 39 insertions(+), 21 deletions(-)
+
+--- a/arch/x86/kernel/cpu/intel.c
++++ b/arch/x86/kernel/cpu/intel.c
+@@ -748,26 +748,37 @@ static unsigned int intel_size_cache(str
+ }
+ #endif
+
+-#define TLB_INST_4K 0x01
+-#define TLB_INST_4M 0x02
+-#define TLB_INST_2M_4M 0x03
+-
+-#define TLB_INST_ALL 0x05
+-#define TLB_INST_1G 0x06
+-
+-#define TLB_DATA_4K 0x11
+-#define TLB_DATA_4M 0x12
+-#define TLB_DATA_2M_4M 0x13
+-#define TLB_DATA_4K_4M 0x14
+-
+-#define TLB_DATA_1G 0x16
+-
+-#define TLB_DATA0_4K 0x21
+-#define TLB_DATA0_4M 0x22
+-#define TLB_DATA0_2M_4M 0x23
+-
+-#define STLB_4K 0x41
+-#define STLB_4K_2M 0x42
++#define TLB_INST_4K 0x01
++#define TLB_INST_4M 0x02
++#define TLB_INST_2M_4M 0x03
++
++#define TLB_INST_ALL 0x05
++#define TLB_INST_1G 0x06
++
++#define TLB_DATA_4K 0x11
++#define TLB_DATA_4M 0x12
++#define TLB_DATA_2M_4M 0x13
++#define TLB_DATA_4K_4M 0x14
++
++#define TLB_DATA_1G 0x16
++#define TLB_DATA_1G_2M_4M 0x17
++
++#define TLB_DATA0_4K 0x21
++#define TLB_DATA0_4M 0x22
++#define TLB_DATA0_2M_4M 0x23
++
++#define STLB_4K 0x41
++#define STLB_4K_2M 0x42
++
++/*
++ * All of leaf 0x2's one-byte TLB descriptors implies the same number of
++ * entries for their respective TLB types. The 0x63 descriptor is an
++ * exception: it implies 4 dTLB entries for 1GB pages 32 dTLB entries
++ * for 2MB or 4MB pages. Encode descriptor 0x63 dTLB entry count for
++ * 2MB/4MB pages here, as its count for dTLB 1GB pages is already at the
++ * intel_tlb_table[] mapping.
++ */
++#define TLB_0x63_2M_4M_ENTRIES 32
+
+ static const struct _tlb_table intel_tlb_table[] = {
+ { 0x01, TLB_INST_4K, 32, " TLB_INST 4 KByte pages, 4-way set associative" },
+@@ -789,7 +800,8 @@ static const struct _tlb_table intel_tlb
+ { 0x5c, TLB_DATA_4K_4M, 128, " TLB_DATA 4 KByte and 4 MByte pages" },
+ { 0x5d, TLB_DATA_4K_4M, 256, " TLB_DATA 4 KByte and 4 MByte pages" },
+ { 0x61, TLB_INST_4K, 48, " TLB_INST 4 KByte pages, full associative" },
+- { 0x63, TLB_DATA_1G, 4, " TLB_DATA 1 GByte pages, 4-way set associative" },
++ { 0x63, TLB_DATA_1G_2M_4M, 4, " TLB_DATA 1 GByte pages, 4-way set associative"
++ " (plus 32 entries TLB_DATA 2 MByte or 4 MByte pages, not encoded here)" },
+ { 0x6b, TLB_DATA_4K, 256, " TLB_DATA 4 KByte pages, 8-way associative" },
+ { 0x6c, TLB_DATA_2M_4M, 128, " TLB_DATA 2 MByte or 4 MByte pages, 8-way associative" },
+ { 0x6d, TLB_DATA_1G, 16, " TLB_DATA 1 GByte pages, fully associative" },
+@@ -889,6 +901,12 @@ static void intel_tlb_lookup(const unsig
+ if (tlb_lld_4m[ENTRIES] < intel_tlb_table[k].entries)
+ tlb_lld_4m[ENTRIES] = intel_tlb_table[k].entries;
+ break;
++ case TLB_DATA_1G_2M_4M:
++ if (tlb_lld_2m[ENTRIES] < TLB_0x63_2M_4M_ENTRIES)
++ tlb_lld_2m[ENTRIES] = TLB_0x63_2M_4M_ENTRIES;
++ if (tlb_lld_4m[ENTRIES] < TLB_0x63_2M_4M_ENTRIES)
++ tlb_lld_4m[ENTRIES] = TLB_0x63_2M_4M_ENTRIES;
++ fallthrough;
+ case TLB_DATA_1G:
+ if (tlb_lld_1g[ENTRIES] < intel_tlb_table[k].entries)
+ tlb_lld_1g[ENTRIES] = intel_tlb_table[k].entries;
--- /dev/null
+From 1881148215c67151b146450fb89ec22fd92337a7 Mon Sep 17 00:00:00 2001
+From: "Ahmed S. Darwish" <darwi@linutronix.de>
+Date: Tue, 4 Mar 2025 09:51:13 +0100
+Subject: x86/cpu: Validate CPUID leaf 0x2 EDX output
+
+From: Ahmed S. Darwish <darwi@linutronix.de>
+
+commit 1881148215c67151b146450fb89ec22fd92337a7 upstream.
+
+CPUID leaf 0x2 emits one-byte descriptors in its four output registers
+EAX, EBX, ECX, and EDX. For these descriptors to be valid, the most
+significant bit (MSB) of each register must be clear.
+
+Leaf 0x2 parsing at intel.c only validated the MSBs of EAX, EBX, and
+ECX, but left EDX unchecked.
+
+Validate EDX's most-significant bit as well.
+
+Fixes: e0ba94f14f74 ("x86/tlb_info: get last level TLB entry number of CPU")
+Signed-off-by: Ahmed S. Darwish <darwi@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: stable@kernel.org
+Cc: "H. Peter Anvin" <hpa@zytor.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/20250304085152.51092-3-darwi@linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/intel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/cpu/intel.c
++++ b/arch/x86/kernel/cpu/intel.c
+@@ -912,7 +912,7 @@ static void intel_detect_tlb(struct cpui
+ cpuid(2, ®s[0], ®s[1], ®s[2], ®s[3]);
+
+ /* If bit 31 is set, this is an unknown format */
+- for (j = 0 ; j < 3 ; j++)
++ for (j = 0 ; j < 4 ; j++)
+ if (regs[j] & (1 << 31))
+ regs[j] = 0;
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
