--- /dev/null
+From 99f268cda55fc2c64c3b3cdd9ebaa2fbcac00cab Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 16:38:00 +0100
+Subject: af_packet: avoid erroring out after sock_init_data() in
+ packet_create()
+
+From: Ignat Korchagin <ignat@cloudflare.com>
+
+[ Upstream commit 46f2a11cb82b657fd15bab1c47821b635e03838b ]
+
+After sock_init_data() the allocated sk object is attached to the provided
+sock object. On error, packet_create() frees the sk object leaving the
+dangling pointer in the sock object on return. Some other code may try
+to use this pointer and cause use-after-free.
+
+Suggested-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: Ignat Korchagin <ignat@cloudflare.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20241014153808.51894-2-ignat@cloudflare.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/packet/af_packet.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 6aed6a36ea456..88bc4a21dda45 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3357,18 +3357,18 @@ static int packet_create(struct net *net, struct socket *sock, int protocol,
+ if (sock->type == SOCK_PACKET)
+ sock->ops = &packet_ops_spkt;
+
++ po = pkt_sk(sk);
++ err = packet_alloc_pending(po);
++ if (err)
++ goto out_sk_free;
++
+ sock_init_data(sock, sk);
+
+- po = pkt_sk(sk);
+ init_completion(&po->skb_completion);
+ sk->sk_family = PF_PACKET;
+ po->num = proto;
+ po->xmit = dev_queue_xmit;
+
+- err = packet_alloc_pending(po);
+- if (err)
+- goto out2;
+-
+ packet_cached_dev_reset(po);
+
+ sk->sk_destruct = packet_sock_destruct;
+@@ -3403,7 +3403,7 @@ static int packet_create(struct net *net, struct socket *sock, int protocol,
+ preempt_enable();
+
+ return 0;
+-out2:
++out_sk_free:
+ sk_free(sk);
+ out:
+ return err;
+--
+2.43.0
+
--- /dev/null
+From 44c11e64f795148fb7c62b9362a9b3fa8b15738b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Nov 2024 04:43:44 +0000
+Subject: ASoC: hdmi-codec: reorder channel allocation list
+
+From: Jonas Karlman <jonas@kwiboo.se>
+
+[ Upstream commit 82ff5abc2edcfba0c0f1a1be807795e2876f46e9 ]
+
+The ordering in hdmi_codec_get_ch_alloc_table_idx() results in
+wrong channel allocation for a number of cases, e.g. when ELD
+reports FL|FR|LFE|FC|RL|RR or FL|FR|LFE|FC|RL|RR|RC|RLC|RRC:
+
+ca_id 0x01 with speaker mask FL|FR|LFE is selected instead of
+ca_id 0x03 with speaker mask FL|FR|LFE|FC for 4 channels
+
+and
+
+ca_id 0x04 with speaker mask FL|FR|RC gets selected instead of
+ca_id 0x0b with speaker mask FL|FR|LFE|FC|RL|RR for 6 channels
+
+Fix this by reordering the channel allocation list with most
+specific speaker masks at the top.
+
+Signed-off-by: Jonas Karlman <jonas@kwiboo.se>
+Signed-off-by: Christian Hewitt <christianshewitt@gmail.com>
+Link: https://patch.msgid.link/20241115044344.3510979-1-christianshewitt@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/hdmi-codec.c | 140 +++++++++++++++++++---------------
+ 1 file changed, 77 insertions(+), 63 deletions(-)
+
+diff --git a/sound/soc/codecs/hdmi-codec.c b/sound/soc/codecs/hdmi-codec.c
+index f8b5b960e5970..cc6ae76e2132f 100644
+--- a/sound/soc/codecs/hdmi-codec.c
++++ b/sound/soc/codecs/hdmi-codec.c
+@@ -189,84 +189,97 @@ static const struct snd_pcm_chmap_elem hdmi_codec_8ch_chmaps[] = {
+ /*
+ * hdmi_codec_channel_alloc: speaker configuration available for CEA
+ *
+- * This is an ordered list that must match with hdmi_codec_8ch_chmaps struct
++ * This is an ordered list where ca_id must exist in hdmi_codec_8ch_chmaps
+ * The preceding ones have better chances to be selected by
+ * hdmi_codec_get_ch_alloc_table_idx().
+ */
+ static const struct hdmi_codec_cea_spk_alloc hdmi_codec_channel_alloc[] = {
+ { .ca_id = 0x00, .n_ch = 2,
+- .mask = FL | FR},
+- /* 2.1 */
+- { .ca_id = 0x01, .n_ch = 4,
+- .mask = FL | FR | LFE},
+- /* Dolby Surround */
++ .mask = FL | FR },
++ { .ca_id = 0x03, .n_ch = 4,
++ .mask = FL | FR | LFE | FC },
+ { .ca_id = 0x02, .n_ch = 4,
+ .mask = FL | FR | FC },
+- /* surround51 */
++ { .ca_id = 0x01, .n_ch = 4,
++ .mask = FL | FR | LFE },
+ { .ca_id = 0x0b, .n_ch = 6,
+- .mask = FL | FR | LFE | FC | RL | RR},
+- /* surround40 */
+- { .ca_id = 0x08, .n_ch = 6,
+- .mask = FL | FR | RL | RR },
+- /* surround41 */
+- { .ca_id = 0x09, .n_ch = 6,
+- .mask = FL | FR | LFE | RL | RR },
+- /* surround50 */
++ .mask = FL | FR | LFE | FC | RL | RR },
+ { .ca_id = 0x0a, .n_ch = 6,
+ .mask = FL | FR | FC | RL | RR },
+- /* 6.1 */
+- { .ca_id = 0x0f, .n_ch = 8,
+- .mask = FL | FR | LFE | FC | RL | RR | RC },
+- /* surround71 */
++ { .ca_id = 0x09, .n_ch = 6,
++ .mask = FL | FR | LFE | RL | RR },
++ { .ca_id = 0x08, .n_ch = 6,
++ .mask = FL | FR | RL | RR },
++ { .ca_id = 0x07, .n_ch = 6,
++ .mask = FL | FR | LFE | FC | RC },
++ { .ca_id = 0x06, .n_ch = 6,
++ .mask = FL | FR | FC | RC },
++ { .ca_id = 0x05, .n_ch = 6,
++ .mask = FL | FR | LFE | RC },
++ { .ca_id = 0x04, .n_ch = 6,
++ .mask = FL | FR | RC },
+ { .ca_id = 0x13, .n_ch = 8,
+ .mask = FL | FR | LFE | FC | RL | RR | RLC | RRC },
+- /* others */
+- { .ca_id = 0x03, .n_ch = 8,
+- .mask = FL | FR | LFE | FC },
+- { .ca_id = 0x04, .n_ch = 8,
+- .mask = FL | FR | RC},
+- { .ca_id = 0x05, .n_ch = 8,
+- .mask = FL | FR | LFE | RC },
+- { .ca_id = 0x06, .n_ch = 8,
+- .mask = FL | FR | FC | RC },
+- { .ca_id = 0x07, .n_ch = 8,
+- .mask = FL | FR | LFE | FC | RC },
+- { .ca_id = 0x0c, .n_ch = 8,
+- .mask = FL | FR | RC | RL | RR },
+- { .ca_id = 0x0d, .n_ch = 8,
+- .mask = FL | FR | LFE | RL | RR | RC },
+- { .ca_id = 0x0e, .n_ch = 8,
+- .mask = FL | FR | FC | RL | RR | RC },
+- { .ca_id = 0x10, .n_ch = 8,
+- .mask = FL | FR | RL | RR | RLC | RRC },
+- { .ca_id = 0x11, .n_ch = 8,
+- .mask = FL | FR | LFE | RL | RR | RLC | RRC },
++ { .ca_id = 0x1f, .n_ch = 8,
++ .mask = FL | FR | LFE | FC | RL | RR | FLC | FRC },
+ { .ca_id = 0x12, .n_ch = 8,
+ .mask = FL | FR | FC | RL | RR | RLC | RRC },
+- { .ca_id = 0x14, .n_ch = 8,
+- .mask = FL | FR | FLC | FRC },
+- { .ca_id = 0x15, .n_ch = 8,
+- .mask = FL | FR | LFE | FLC | FRC },
+- { .ca_id = 0x16, .n_ch = 8,
+- .mask = FL | FR | FC | FLC | FRC },
+- { .ca_id = 0x17, .n_ch = 8,
+- .mask = FL | FR | LFE | FC | FLC | FRC },
+- { .ca_id = 0x18, .n_ch = 8,
+- .mask = FL | FR | RC | FLC | FRC },
+- { .ca_id = 0x19, .n_ch = 8,
+- .mask = FL | FR | LFE | RC | FLC | FRC },
+- { .ca_id = 0x1a, .n_ch = 8,
+- .mask = FL | FR | RC | FC | FLC | FRC },
+- { .ca_id = 0x1b, .n_ch = 8,
+- .mask = FL | FR | LFE | RC | FC | FLC | FRC },
+- { .ca_id = 0x1c, .n_ch = 8,
+- .mask = FL | FR | RL | RR | FLC | FRC },
+- { .ca_id = 0x1d, .n_ch = 8,
+- .mask = FL | FR | LFE | RL | RR | FLC | FRC },
+ { .ca_id = 0x1e, .n_ch = 8,
+ .mask = FL | FR | FC | RL | RR | FLC | FRC },
+- { .ca_id = 0x1f, .n_ch = 8,
+- .mask = FL | FR | LFE | FC | RL | RR | FLC | FRC },
++ { .ca_id = 0x11, .n_ch = 8,
++ .mask = FL | FR | LFE | RL | RR | RLC | RRC },
++ { .ca_id = 0x1d, .n_ch = 8,
++ .mask = FL | FR | LFE | RL | RR | FLC | FRC },
++ { .ca_id = 0x10, .n_ch = 8,
++ .mask = FL | FR | RL | RR | RLC | RRC },
++ { .ca_id = 0x1c, .n_ch = 8,
++ .mask = FL | FR | RL | RR | FLC | FRC },
++ { .ca_id = 0x0f, .n_ch = 8,
++ .mask = FL | FR | LFE | FC | RL | RR | RC },
++ { .ca_id = 0x1b, .n_ch = 8,
++ .mask = FL | FR | LFE | RC | FC | FLC | FRC },
++ { .ca_id = 0x0e, .n_ch = 8,
++ .mask = FL | FR | FC | RL | RR | RC },
++ { .ca_id = 0x1a, .n_ch = 8,
++ .mask = FL | FR | RC | FC | FLC | FRC },
++ { .ca_id = 0x0d, .n_ch = 8,
++ .mask = FL | FR | LFE | RL | RR | RC },
++ { .ca_id = 0x19, .n_ch = 8,
++ .mask = FL | FR | LFE | RC | FLC | FRC },
++ { .ca_id = 0x0c, .n_ch = 8,
++ .mask = FL | FR | RC | RL | RR },
++ { .ca_id = 0x18, .n_ch = 8,
++ .mask = FL | FR | RC | FLC | FRC },
++ { .ca_id = 0x17, .n_ch = 8,
++ .mask = FL | FR | LFE | FC | FLC | FRC },
++ { .ca_id = 0x16, .n_ch = 8,
++ .mask = FL | FR | FC | FLC | FRC },
++ { .ca_id = 0x15, .n_ch = 8,
++ .mask = FL | FR | LFE | FLC | FRC },
++ { .ca_id = 0x14, .n_ch = 8,
++ .mask = FL | FR | FLC | FRC },
++ { .ca_id = 0x0b, .n_ch = 8,
++ .mask = FL | FR | LFE | FC | RL | RR },
++ { .ca_id = 0x0a, .n_ch = 8,
++ .mask = FL | FR | FC | RL | RR },
++ { .ca_id = 0x09, .n_ch = 8,
++ .mask = FL | FR | LFE | RL | RR },
++ { .ca_id = 0x08, .n_ch = 8,
++ .mask = FL | FR | RL | RR },
++ { .ca_id = 0x07, .n_ch = 8,
++ .mask = FL | FR | LFE | FC | RC },
++ { .ca_id = 0x06, .n_ch = 8,
++ .mask = FL | FR | FC | RC },
++ { .ca_id = 0x05, .n_ch = 8,
++ .mask = FL | FR | LFE | RC },
++ { .ca_id = 0x04, .n_ch = 8,
++ .mask = FL | FR | RC },
++ { .ca_id = 0x03, .n_ch = 8,
++ .mask = FL | FR | LFE | FC },
++ { .ca_id = 0x02, .n_ch = 8,
++ .mask = FL | FR | FC },
++ { .ca_id = 0x01, .n_ch = 8,
++ .mask = FL | FR | LFE },
+ };
+
+ struct hdmi_codec_priv {
+@@ -372,7 +385,8 @@ static int hdmi_codec_chmap_ctl_get(struct snd_kcontrol *kcontrol,
+ struct snd_pcm_chmap *info = snd_kcontrol_chip(kcontrol);
+ struct hdmi_codec_priv *hcp = info->private_data;
+
+- map = info->chmap[hcp->chmap_idx].map;
++ if (hcp->chmap_idx != HDMI_CODEC_CHMAP_IDX_UNKNOWN)
++ map = info->chmap[hcp->chmap_idx].map;
+
+ for (i = 0; i < info->max_channels; i++) {
+ if (hcp->chmap_idx == HDMI_CODEC_CHMAP_IDX_UNKNOWN)
+--
+2.43.0
+
--- /dev/null
+From 97099df1dcf623d366a944f55cc9851a4f43968f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2024 16:37:29 +0800
+Subject: Bluetooth: btusb: Add RTL8852BE device 0489:e123 to device tables
+
+From: Hilda Wu <hildawu@realtek.com>
+
+[ Upstream commit 69b84ffce260ff13826dc10aeb3c3e5c2288a552 ]
+
+Add the support ID 0489:e123 to usb_device_id table for
+Realtek RTL8852B chip.
+
+The device info from /sys/kernel/debug/usb/devices as below.
+
+T: Bus=01 Lev=01 Prnt=01 Port=07 Cnt=04 Dev#= 7 Spd=12 MxCh= 0
+D: Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=0489 ProdID=e123 Rev= 0.00
+S: Manufacturer=Realtek
+S: Product=Bluetooth Radio
+S: SerialNumber=00e04c000001
+C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA
+I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+
+Signed-off-by: Hilda Wu <hildawu@realtek.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btusb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
+index 6616671dfd32f..9f71f9135f9e3 100644
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -372,6 +372,8 @@ static const struct usb_device_id blacklist_table[] = {
+ BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x13d3, 0x3591), .driver_info = BTUSB_REALTEK |
+ BTUSB_WIDEBAND_SPEECH },
++ { USB_DEVICE(0x0489, 0xe123), .driver_info = BTUSB_REALTEK |
++ BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x0489, 0xe125), .driver_info = BTUSB_REALTEK |
+ BTUSB_WIDEBAND_SPEECH },
+
+--
+2.43.0
+
--- /dev/null
+From d916a23061e21b5d1cf60a4ab8f8747c556fbb16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 16:38:01 +0100
+Subject: Bluetooth: L2CAP: do not leave dangling sk pointer on error in
+ l2cap_sock_create()
+
+From: Ignat Korchagin <ignat@cloudflare.com>
+
+[ Upstream commit 7c4f78cdb8e7501e9f92d291a7d956591bf73be9 ]
+
+bt_sock_alloc() allocates the sk object and attaches it to the provided
+sock object. On error l2cap_sock_alloc() frees the sk object, but the
+dangling pointer is still attached to the sock object, which may create
+use-after-free in other code.
+
+Signed-off-by: Ignat Korchagin <ignat@cloudflare.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20241014153808.51894-3-ignat@cloudflare.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/l2cap_sock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
+index 9eea2af9a8e1c..6ec6f6a06521d 100644
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1678,6 +1678,7 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
+ chan = l2cap_chan_create();
+ if (!chan) {
+ sk_free(sk);
++ sock->sk = NULL;
+ return NULL;
+ }
+
+--
+2.43.0
+
--- /dev/null
+From ade5e9d86ed112a728f94bc3b2457cb0e81ab759 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Oct 2024 10:59:17 +0800
+Subject: drm/amdgpu: set the right AMDGPU sg segment limitation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Prike Liang <Prike.Liang@amd.com>
+
+[ Upstream commit e2e97435783979124ba92d6870415c57ecfef6a5 ]
+
+The driver needs to set the correct max_segment_size;
+otherwise debug_dma_map_sg() will complain about the
+over-mapping of the AMDGPU sg length as following:
+
+WARNING: CPU: 6 PID: 1964 at kernel/dma/debug.c:1178 debug_dma_map_sg+0x2dc/0x370
+[ 364.049444] Modules linked in: veth amdgpu(OE) amdxcp drm_exec gpu_sched drm_buddy drm_ttm_helper ttm(OE) drm_suballoc_helper drm_display_helper drm_kms_helper i2c_algo_bit rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs lockd grace netfs xt_conntrack xt_MASQUERADE nf_conntrack_netlink xfrm_user xfrm_algo iptable_nat xt_addrtype iptable_filter br_netfilter nvme_fabrics overlay nfnetlink_cttimeout nfnetlink openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c bridge stp llc amd_atl intel_rapl_msr intel_rapl_common sunrpc sch_fq_codel snd_hda_codec_realtek snd_hda_codec_generic snd_hda_scodec_component snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg edac_mce_amd binfmt_misc snd_hda_codec snd_pci_acp6x snd_hda_core snd_acp_config snd_hwdep snd_soc_acpi kvm_amd snd_pcm kvm snd_seq_midi snd_seq_midi_event crct10dif_pclmul ghash_clmulni_intel sha512_ssse3 snd_rawmidi sha256_ssse3 sha1_ssse3 aesni_intel snd_seq nls_iso8859_1 crypto_simd snd_seq_device cryptd snd_timer rapl input_leds snd
+[ 364.049532] ipmi_devintf wmi_bmof ccp serio_raw k10temp sp5100_tco soundcore ipmi_msghandler cm32181 industrialio mac_hid msr parport_pc ppdev lp parport drm efi_pstore ip_tables x_tables pci_stub crc32_pclmul nvme ahci libahci i2c_piix4 r8169 nvme_core i2c_designware_pci realtek i2c_ccgx_ucsi video wmi hid_generic cdc_ether usbnet usbhid hid r8152 mii
+[ 364.049576] CPU: 6 PID: 1964 Comm: rocminfo Tainted: G OE 6.10.0-custom #492
+[ 364.049579] Hardware name: AMD Majolica-RN/Majolica-RN, BIOS RMJ1009A 06/13/2021
+[ 364.049582] RIP: 0010:debug_dma_map_sg+0x2dc/0x370
+[ 364.049585] Code: 89 4d b8 e8 36 b1 86 00 8b 4d b8 48 8b 55 b0 44 8b 45 a8 4c 8b 4d a0 48 89 c6 48 c7 c7 00 4b 74 bc 4c 89 4d b8 e8 b4 73 f3 ff <0f> 0b 4c 8b 4d b8 8b 15 c8 2c b8 01 85 d2 0f 85 ee fd ff ff 8b 05
+[ 364.049588] RSP: 0018:ffff9ca600b57ac0 EFLAGS: 00010286
+[ 364.049590] RAX: 0000000000000000 RBX: ffff88b7c132b0c8 RCX: 0000000000000027
+[ 364.049592] RDX: ffff88bb0f521688 RSI: 0000000000000001 RDI: ffff88bb0f521680
+[ 364.049594] RBP: ffff9ca600b57b20 R08: 000000000000006f R09: ffff9ca600b57930
+[ 364.049596] R10: ffff9ca600b57928 R11: ffffffffbcb46328 R12: 0000000000000000
+[ 364.049597] R13: 0000000000000001 R14: ffff88b7c19c0700 R15: ffff88b7c9059800
+[ 364.049599] FS: 00007fb2d3516e80(0000) GS:ffff88bb0f500000(0000) knlGS:0000000000000000
+[ 364.049601] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 364.049603] CR2: 000055610bd03598 CR3: 00000001049f6000 CR4: 0000000000350ef0
+[ 364.049605] Call Trace:
+[ 364.049607] <TASK>
+[ 364.049609] ? show_regs+0x6d/0x80
+[ 364.049614] ? __warn+0x8c/0x140
+[ 364.049618] ? debug_dma_map_sg+0x2dc/0x370
+[ 364.049621] ? report_bug+0x193/0x1a0
+[ 364.049627] ? handle_bug+0x46/0x80
+[ 364.049631] ? exc_invalid_op+0x1d/0x80
+[ 364.049635] ? asm_exc_invalid_op+0x1f/0x30
+[ 364.049642] ? debug_dma_map_sg+0x2dc/0x370
+[ 364.049647] __dma_map_sg_attrs+0x90/0xe0
+[ 364.049651] dma_map_sgtable+0x25/0x40
+[ 364.049654] amdgpu_bo_move+0x59a/0x850 [amdgpu]
+[ 364.049935] ? srso_return_thunk+0x5/0x5f
+[ 364.049939] ? amdgpu_ttm_tt_populate+0x5d/0xc0 [amdgpu]
+[ 364.050095] ttm_bo_handle_move_mem+0xc3/0x180 [ttm]
+[ 364.050103] ttm_bo_validate+0xc1/0x160 [ttm]
+[ 364.050108] ? amdgpu_ttm_tt_get_user_pages+0xe5/0x1b0 [amdgpu]
+[ 364.050263] amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0xa12/0xc90 [amdgpu]
+[ 364.050473] kfd_ioctl_alloc_memory_of_gpu+0x16b/0x3b0 [amdgpu]
+[ 364.050680] kfd_ioctl+0x3c2/0x530 [amdgpu]
+[ 364.050866] ? __pfx_kfd_ioctl_alloc_memory_of_gpu+0x10/0x10 [amdgpu]
+[ 364.051054] ? srso_return_thunk+0x5/0x5f
+[ 364.051057] ? tomoyo_file_ioctl+0x20/0x30
+[ 364.051063] __x64_sys_ioctl+0x9c/0xd0
+[ 364.051068] x64_sys_call+0x1219/0x20d0
+[ 364.051073] do_syscall_64+0x51/0x120
+[ 364.051077] entry_SYSCALL_64_after_hwframe+0x76/0x7e
+[ 364.051081] RIP: 0033:0x7fb2d2f1a94f
+
+Signed-off-by: Prike Liang <Prike.Liang@amd.com>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
+index 870dd78d5a21a..30e3cc9c25d03 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
+@@ -1678,6 +1678,7 @@ int amdgpu_ttm_init(struct amdgpu_device *adev)
+
+ mutex_init(&adev->mman.gtt_window_lock);
+
++ dma_set_max_seg_size(adev->dev, UINT_MAX);
+ /* No others user of address space so set it to 0 */
+ r = ttm_bo_device_init(&adev->mman.bdev,
+ &amdgpu_bo_driver,
+--
+2.43.0
+
--- /dev/null
+From 1fcbc5e14c6f6c7adb86f97b52cbf0363c4463cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Sep 2024 11:33:20 +0000
+Subject: drm/mcde: Enable module autoloading
+
+From: Liao Chen <liaochen4@huawei.com>
+
+[ Upstream commit 8a16b5cdae26207ff4c22834559384ad3d7bc970 ]
+
+Add MODULE_DEVICE_TABLE(), so modules could be properly autoloaded based
+on the alias from of_device_id table.
+
+Signed-off-by: Liao Chen <liaochen4@huawei.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240902113320.903147-4-liaochen4@huawei.com
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mcde/mcde_drv.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/mcde/mcde_drv.c b/drivers/gpu/drm/mcde/mcde_drv.c
+index 82946ffcb6d21..9a767fbb86c95 100644
+--- a/drivers/gpu/drm/mcde/mcde_drv.c
++++ b/drivers/gpu/drm/mcde/mcde_drv.c
+@@ -533,6 +533,7 @@ static const struct of_device_id mcde_of_match[] = {
+ },
+ {},
+ };
++MODULE_DEVICE_TABLE(of, mcde_of_match);
+
+ static struct platform_driver mcde_driver = {
+ .driver = {
+--
+2.43.0
+
--- /dev/null
+From 4361a30ffe2ece3b2d8670c884ab4fe444552f94 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Sep 2024 15:18:51 +0200
+Subject: drm: panel-orientation-quirks: Add quirk for AYA NEO 2 model
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Joaquín Ignacio Aramendía <samsagax@gmail.com>
+
+[ Upstream commit 361ebf5ef843b0aa1704c72eb26b91cf76c3c5b7 ]
+
+Add quirk orientation for AYA NEO 2. The name appears without spaces in
+DMI strings. That made it difficult to reuse the 2021 match. Also the
+display is larger in resolution.
+
+Tested by the JELOS team that has been patching their own kernel for a
+while now and confirmed by users in the AYA NEO and ChimeraOS discord
+servers.
+
+Signed-off-by: Joaquín Ignacio Aramendía <samsagax@gmail.com>
+Signed-off-by: Tobias Jakobi <tjakobi@math.uni-bielefeld.de>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/2b35545b77a9fd8c9699b751ca282226dcecb1dd.1726492131.git.tjakobi@math.uni-bielefeld.de
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_panel_orientation_quirks.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+index f1091cb87de0c..bf90a5be956fe 100644
+--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+@@ -166,6 +166,12 @@ static const struct dmi_system_id orientation_data[] = {
+ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "T103HAF"),
+ },
+ .driver_data = (void *)&lcd800x1280_rightside_up,
++ }, { /* AYA NEO AYANEO 2 */
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "AYANEO"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "AYANEO 2"),
++ },
++ .driver_data = (void *)&lcd1200x1920_rightside_up,
+ }, { /* AYA NEO 2021 */
+ .matches = {
+ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "AYADEVICE"),
+--
+2.43.0
+
--- /dev/null
+From 04eb46e92c7130e1257c4738111b207307f7628e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Sep 2024 18:07:19 +0300
+Subject: drm/radeon/r600_cs: Fix possible int overflow in r600_packet3_check()
+
+From: Igor Artemiev <Igor.A.Artemiev@mcst.ru>
+
+[ Upstream commit a1e2da6a5072f8abe5b0feaa91a5bcd9dc544a04 ]
+
+It is possible, although unlikely, that an integer overflow will occur
+when the result of radeon_get_ib_value() is shifted to the left.
+
+Avoid it by casting one of the operands to larger data type (u64).
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Signed-off-by: Igor Artemiev <Igor.A.Artemiev@mcst.ru>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/radeon/r600_cs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/radeon/r600_cs.c b/drivers/gpu/drm/radeon/r600_cs.c
+index 19c9e86b2aafe..a85470213b27f 100644
+--- a/drivers/gpu/drm/radeon/r600_cs.c
++++ b/drivers/gpu/drm/radeon/r600_cs.c
+@@ -2104,7 +2104,7 @@ static int r600_packet3_check(struct radeon_cs_parser *p,
+ return -EINVAL;
+ }
+
+- offset = radeon_get_ib_value(p, idx+1) << 8;
++ offset = (u64)radeon_get_ib_value(p, idx+1) << 8;
+ if (offset != track->vgt_strmout_bo_offset[idx_value]) {
+ DRM_ERROR("bad STRMOUT_BASE_UPDATE, bo offset does not match: 0x%llx, 0x%x\n",
+ offset, track->vgt_strmout_bo_offset[idx_value]);
+--
+2.43.0
+
--- /dev/null
+From d0d95aa4f12b8c99842474bb1382244a967b26dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Sep 2024 02:44:00 -0600
+Subject: f2fs: fix f2fs_bug_on when uninstalling filesystem call
+ f2fs_evict_inode.
+
+From: Qi Han <hanqi@vivo.com>
+
+[ Upstream commit d5c367ef8287fb4d235c46a2f8c8d68715f3a0ca ]
+
+creating a large files during checkpoint disable until it runs out of
+space and then delete it, then remount to enable checkpoint again, and
+then unmount the filesystem triggers the f2fs_bug_on as below:
+
+------------[ cut here ]------------
+kernel BUG at fs/f2fs/inode.c:896!
+CPU: 2 UID: 0 PID: 1286 Comm: umount Not tainted 6.11.0-rc7-dirty #360
+Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
+RIP: 0010:f2fs_evict_inode+0x58c/0x610
+Call Trace:
+ __die_body+0x15/0x60
+ die+0x33/0x50
+ do_trap+0x10a/0x120
+ f2fs_evict_inode+0x58c/0x610
+ do_error_trap+0x60/0x80
+ f2fs_evict_inode+0x58c/0x610
+ exc_invalid_op+0x53/0x60
+ f2fs_evict_inode+0x58c/0x610
+ asm_exc_invalid_op+0x16/0x20
+ f2fs_evict_inode+0x58c/0x610
+ evict+0x101/0x260
+ dispose_list+0x30/0x50
+ evict_inodes+0x140/0x190
+ generic_shutdown_super+0x2f/0x150
+ kill_block_super+0x11/0x40
+ kill_f2fs_super+0x7d/0x140
+ deactivate_locked_super+0x2a/0x70
+ cleanup_mnt+0xb3/0x140
+ task_work_run+0x61/0x90
+
+The root cause is: creating large files during disable checkpoint
+period results in not enough free segments, so when writing back root
+inode will failed in f2fs_enable_checkpoint. When umount the file
+system after enabling checkpoint, the root inode is dirty in
+f2fs_evict_inode function, which triggers BUG_ON. The steps to
+reproduce are as follows:
+
+dd if=/dev/zero of=f2fs.img bs=1M count=55
+mount f2fs.img f2fs_dir -o checkpoint=disable:10%
+dd if=/dev/zero of=big bs=1M count=50
+sync
+rm big
+mount -o remount,checkpoint=enable f2fs_dir
+umount f2fs_dir
+
+Let's redirty inode when there is not free segments during checkpoint
+is disable.
+
+Signed-off-by: Qi Han <hanqi@vivo.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/f2fs/inode.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
+index 53e1a757e4e17..b0cbb01df8cba 100644
+--- a/fs/f2fs/inode.c
++++ b/fs/f2fs/inode.c
+@@ -631,8 +631,10 @@ int f2fs_write_inode(struct inode *inode, struct writeback_control *wbc)
+ !is_inode_flag_set(inode, FI_DIRTY_INODE))
+ return 0;
+
+- if (!f2fs_is_checkpoint_ready(sbi))
++ if (!f2fs_is_checkpoint_ready(sbi)) {
++ f2fs_mark_inode_dirty_sync(inode, true);
+ return -ENOSPC;
++ }
+
+ /*
+ * We need to balance fs here to prevent from producing dirty node pages
+--
+2.43.0
+
--- /dev/null
+From 1fbcf8b1b86db5517d82b5ff571a794e64f7098a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 17 Oct 2024 18:34:58 +0200
+Subject: HID: bpf: Fix NKRO on Mistel MD770
+
+From: Benjamin Tissoires <bentiss@kernel.org>
+
+[ Upstream commit 9bc089307e8dff7797233308372b4a90ce8f79be ]
+
+Mistel MD770 keyboard (using Holtek Semiconductor, Inc. controller) has
+a quirk in report descriptor in one of its interfaces (more detail in
+the source file). Fix up the descriptor to allow NKRO to work again.
+
+Tested by loading the BPF program and confirming that 8 simultaneous
+keypresses work.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=218495
+Link: https://gitlab.freedesktop.org/libevdev/udev-hid-bpf/-/merge_requests/122
+Signed-off-by: Tatsuyuki Ishi <ishitatsuyuki@gmail.com>
+Acked-by: Jiri Kosina <jkosina@suse.com>
+Link: https://patch.msgid.link/20241017-import_bpf_6-13-v2-1-6a7acb89a97f@kernel.org
+Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/bpf/progs/Mistel__MD770.bpf.c | 154 ++++++++++++++++++++++
+ 1 file changed, 154 insertions(+)
+ create mode 100644 drivers/hid/bpf/progs/Mistel__MD770.bpf.c
+
+diff --git a/drivers/hid/bpf/progs/Mistel__MD770.bpf.c b/drivers/hid/bpf/progs/Mistel__MD770.bpf.c
+new file mode 100644
+index 0000000000000..fb8b5a6968b12
+--- /dev/null
++++ b/drivers/hid/bpf/progs/Mistel__MD770.bpf.c
+@@ -0,0 +1,154 @@
++// SPDX-License-Identifier: GPL-2.0
++/* Copyright (c) 2024 Tatsuyuki Ishi
++ */
++
++#include "vmlinux.h"
++#include "hid_bpf.h"
++#include "hid_bpf_helpers.h"
++#include <bpf/bpf_tracing.h>
++
++#define VID_HOLTEK 0x04D9
++#define PID_MD770 0x0339
++#define RDESC_SIZE 203
++
++HID_BPF_CONFIG(
++ HID_DEVICE(BUS_USB, HID_GROUP_GENERIC, VID_HOLTEK, PID_MD770)
++);
++
++/*
++ * The Mistel MD770 keyboard reports the first 6 simultaneous key presses
++ * through the first interface, and anything beyond that through a second
++ * interface. Unfortunately, the second interface's report descriptor has an
++ * error, causing events to be malformed and ignored. This HID-BPF driver
++ * fixes the descriptor to allow NKRO to work again.
++ *
++ * For reference, this is the original report descriptor:
++ *
++ * 0x05, 0x01, // Usage Page (Generic Desktop) 0
++ * 0x09, 0x80, // Usage (System Control) 2
++ * 0xa1, 0x01, // Collection (Application) 4
++ * 0x85, 0x01, // Report ID (1) 6
++ * 0x19, 0x81, // Usage Minimum (129) 8
++ * 0x29, 0x83, // Usage Maximum (131) 10
++ * 0x15, 0x00, // Logical Minimum (0) 12
++ * 0x25, 0x01, // Logical Maximum (1) 14
++ * 0x95, 0x03, // Report Count (3) 16
++ * 0x75, 0x01, // Report Size (1) 18
++ * 0x81, 0x02, // Input (Data,Var,Abs) 20
++ * 0x95, 0x01, // Report Count (1) 22
++ * 0x75, 0x05, // Report Size (5) 24
++ * 0x81, 0x01, // Input (Cnst,Arr,Abs) 26
++ * 0xc0, // End Collection 28
++ * 0x05, 0x0c, // Usage Page (Consumer Devices) 29
++ * 0x09, 0x01, // Usage (Consumer Control) 31
++ * 0xa1, 0x01, // Collection (Application) 33
++ * 0x85, 0x02, // Report ID (2) 35
++ * 0x15, 0x00, // Logical Minimum (0) 37
++ * 0x25, 0x01, // Logical Maximum (1) 39
++ * 0x95, 0x12, // Report Count (18) 41
++ * 0x75, 0x01, // Report Size (1) 43
++ * 0x0a, 0x83, 0x01, // Usage (AL Consumer Control Config) 45
++ * 0x0a, 0x8a, 0x01, // Usage (AL Email Reader) 48
++ * 0x0a, 0x92, 0x01, // Usage (AL Calculator) 51
++ * 0x0a, 0x94, 0x01, // Usage (AL Local Machine Browser) 54
++ * 0x09, 0xcd, // Usage (Play/Pause) 57
++ * 0x09, 0xb7, // Usage (Stop) 59
++ * 0x09, 0xb6, // Usage (Scan Previous Track) 61
++ * 0x09, 0xb5, // Usage (Scan Next Track) 63
++ * 0x09, 0xe2, // Usage (Mute) 65
++ * 0x09, 0xea, // Usage (Volume Down) 67
++ * 0x09, 0xe9, // Usage (Volume Up) 69
++ * 0x0a, 0x21, 0x02, // Usage (AC Search) 71
++ * 0x0a, 0x23, 0x02, // Usage (AC Home) 74
++ * 0x0a, 0x24, 0x02, // Usage (AC Back) 77
++ * 0x0a, 0x25, 0x02, // Usage (AC Forward) 80
++ * 0x0a, 0x26, 0x02, // Usage (AC Stop) 83
++ * 0x0a, 0x27, 0x02, // Usage (AC Refresh) 86
++ * 0x0a, 0x2a, 0x02, // Usage (AC Bookmarks) 89
++ * 0x81, 0x02, // Input (Data,Var,Abs) 92
++ * 0x95, 0x01, // Report Count (1) 94
++ * 0x75, 0x0e, // Report Size (14) 96
++ * 0x81, 0x01, // Input (Cnst,Arr,Abs) 98
++ * 0xc0, // End Collection 100
++ * 0x05, 0x01, // Usage Page (Generic Desktop) 101
++ * 0x09, 0x02, // Usage (Mouse) 103
++ * 0xa1, 0x01, // Collection (Application) 105
++ * 0x09, 0x01, // Usage (Pointer) 107
++ * 0xa1, 0x00, // Collection (Physical) 109
++ * 0x85, 0x03, // Report ID (3) 111
++ * 0x05, 0x09, // Usage Page (Button) 113
++ * 0x19, 0x01, // Usage Minimum (1) 115
++ * 0x29, 0x08, // Usage Maximum (8) 117
++ * 0x15, 0x00, // Logical Minimum (0) 119
++ * 0x25, 0x01, // Logical Maximum (1) 121
++ * 0x75, 0x01, // Report Size (1) 123
++ * 0x95, 0x08, // Report Count (8) 125
++ * 0x81, 0x02, // Input (Data,Var,Abs) 127
++ * 0x05, 0x01, // Usage Page (Generic Desktop) 129
++ * 0x09, 0x30, // Usage (X) 131
++ * 0x09, 0x31, // Usage (Y) 133
++ * 0x16, 0x01, 0x80, // Logical Minimum (-32767) 135
++ * 0x26, 0xff, 0x7f, // Logical Maximum (32767) 138
++ * 0x75, 0x10, // Report Size (16) 141
++ * 0x95, 0x02, // Report Count (2) 143
++ * 0x81, 0x06, // Input (Data,Var,Rel) 145
++ * 0x09, 0x38, // Usage (Wheel) 147
++ * 0x15, 0x81, // Logical Minimum (-127) 149
++ * 0x25, 0x7f, // Logical Maximum (127) 151
++ * 0x75, 0x08, // Report Size (8) 153
++ * 0x95, 0x01, // Report Count (1) 155
++ * 0x81, 0x06, // Input (Data,Var,Rel) 157
++ * 0x05, 0x0c, // Usage Page (Consumer Devices) 159
++ * 0x0a, 0x38, 0x02, // Usage (AC Pan) 161
++ * 0x95, 0x01, // Report Count (1) 164
++ * 0x81, 0x06, // Input (Data,Var,Rel) 166
++ * 0xc0, // End Collection 168
++ * 0xc0, // End Collection 169
++ * 0x05, 0x01, // Usage Page (Generic Desktop) 170
++ * 0x09, 0x06, // Usage (Keyboard) 172
++ * 0xa1, 0x01, // Collection (Application) 174
++ * 0x85, 0x04, // Report ID (4) 176
++ * 0x05, 0x07, // Usage Page (Keyboard) 178
++ * 0x95, 0x01, // Report Count (1) 180
++ * 0x75, 0x08, // Report Size (8) 182
++ * 0x81, 0x03, // Input (Cnst,Var,Abs) 184
++ * 0x95, 0xe8, // Report Count (232) 186
++ * 0x75, 0x01, // Report Size (1) 188
++ * 0x15, 0x00, // Logical Minimum (0) 190
++ * 0x25, 0x01, // Logical Maximum (1) 192
++ * 0x05, 0x07, // Usage Page (Keyboard) 194
++ * 0x19, 0x00, // Usage Minimum (0) 196
++ * 0x29, 0xe7, // Usage Maximum (231) 198
++ * 0x81, 0x00, // Input (Data,Arr,Abs) 200 <- change to 0x81, 0x02 (Data,Var,Abs)
++ * 0xc0, // End Collection 202
++ */
++
++SEC(HID_BPF_RDESC_FIXUP)
++int BPF_PROG(hid_rdesc_fixup_mistel_md770, struct hid_bpf_ctx *hctx)
++{
++ __u8 *data = hid_bpf_get_data(hctx, 0, HID_MAX_DESCRIPTOR_SIZE);
++
++ if (!data)
++ return 0; /* EPERM check */
++
++ if (data[201] == 0x00)
++ data[201] = 0x02;
++
++ return 0;
++}
++
++HID_BPF_OPS(mistel_md770) = {
++ .hid_rdesc_fixup = (void *)hid_rdesc_fixup_mistel_md770,
++};
++
++SEC("syscall")
++int probe(struct hid_bpf_probe_args *ctx)
++{
++ ctx->retval = ctx->rdesc_size != RDESC_SIZE;
++ if (ctx->retval)
++ ctx->retval = -EINVAL;
++
++ return 0;
++}
++
++char _license[] SEC("license") = "GPL";
+--
+2.43.0
+
--- /dev/null
+From 230241e652c4b0cd3482b93ba12639c34f7656cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Nov 2024 21:25:39 +0800
+Subject: i3c: Use i3cdev->desc->info instead of calling i3c_device_get_info()
+ to avoid deadlock
+
+From: Defa Li <defa.li@mediatek.com>
+
+[ Upstream commit 6cf7b65f7029914dc0cd7db86fac9ee5159008c6 ]
+
+A deadlock may happen since the i3c_master_register() acquires
+&i3cbus->lock twice. See the log below.
+Use i3cdev->desc->info instead of calling i3c_device_info() to
+avoid acquiring the lock twice.
+
+v2:
+ - Modified the title and commit message
+
+============================================
+WARNING: possible recursive locking detected
+6.11.0-mainline
+--------------------------------------------
+init/1 is trying to acquire lock:
+f1ffff80a6a40dc0 (&i3cbus->lock){++++}-{3:3}, at: i3c_bus_normaluse_lock
+
+but task is already holding lock:
+f1ffff80a6a40dc0 (&i3cbus->lock){++++}-{3:3}, at: i3c_master_register
+
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(&i3cbus->lock);
+ lock(&i3cbus->lock);
+
+ *** DEADLOCK ***
+
+ May be due to missing lock nesting notation
+
+2 locks held by init/1:
+ #0: fcffff809b6798f8 (&dev->mutex){....}-{3:3}, at: __driver_attach
+ #1: f1ffff80a6a40dc0 (&i3cbus->lock){++++}-{3:3}, at: i3c_master_register
+
+stack backtrace:
+CPU: 6 UID: 0 PID: 1 Comm: init
+Call trace:
+ dump_backtrace+0xfc/0x17c
+ show_stack+0x18/0x28
+ dump_stack_lvl+0x40/0xc0
+ dump_stack+0x18/0x24
+ print_deadlock_bug+0x388/0x390
+ __lock_acquire+0x18bc/0x32ec
+ lock_acquire+0x134/0x2b0
+ down_read+0x50/0x19c
+ i3c_bus_normaluse_lock+0x14/0x24
+ i3c_device_get_info+0x24/0x58
+ i3c_device_uevent+0x34/0xa4
+ dev_uevent+0x310/0x384
+ kobject_uevent_env+0x244/0x414
+ kobject_uevent+0x14/0x20
+ device_add+0x278/0x460
+ device_register+0x20/0x34
+ i3c_master_register_new_i3c_devs+0x78/0x154
+ i3c_master_register+0x6a0/0x6d4
+ mtk_i3c_master_probe+0x3b8/0x4d8
+ platform_probe+0xa0/0xe0
+ really_probe+0x114/0x454
+ __driver_probe_device+0xa0/0x15c
+ driver_probe_device+0x3c/0x1ac
+ __driver_attach+0xc4/0x1f0
+ bus_for_each_dev+0x104/0x160
+ driver_attach+0x24/0x34
+ bus_add_driver+0x14c/0x294
+ driver_register+0x68/0x104
+ __platform_driver_register+0x20/0x30
+ init_module+0x20/0xfe4
+ do_one_initcall+0x184/0x464
+ do_init_module+0x58/0x1ec
+ load_module+0xefc/0x10c8
+ __arm64_sys_finit_module+0x238/0x33c
+ invoke_syscall+0x58/0x10c
+ el0_svc_common+0xa8/0xdc
+ do_el0_svc+0x1c/0x28
+ el0_svc+0x50/0xac
+ el0t_64_sync_handler+0x70/0xbc
+ el0t_64_sync+0x1a8/0x1ac
+
+Signed-off-by: Defa Li <defa.li@mediatek.com>
+Link: https://lore.kernel.org/r/20241107132549.25439-1-defa.li@mediatek.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i3c/master.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
+index 68170b1b32678..3f581a1cf8e62 100644
+--- a/drivers/i3c/master.c
++++ b/drivers/i3c/master.c
+@@ -257,7 +257,8 @@ static int i3c_device_uevent(struct device *dev, struct kobj_uevent_env *env)
+ struct i3c_device_info devinfo;
+ u16 manuf, part, ext;
+
+- i3c_device_get_info(i3cdev, &devinfo);
++ if (i3cdev->desc)
++ devinfo = i3cdev->desc->info;
+ manuf = I3C_PID_MANUF_ID(devinfo.pid);
+ part = I3C_PID_PART_ID(devinfo.pid);
+ ext = I3C_PID_EXTRA_INFO(devinfo.pid);
+--
+2.43.0
+
--- /dev/null
+From f8f412f9b27069aa018be675c90a8977c08c34bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2024 01:51:38 +0530
+Subject: jfs: add a check to prevent array-index-out-of-bounds in dbAdjTree
+
+From: Nihar Chaithanya <niharchaithanya@gmail.com>
+
+[ Upstream commit a174706ba4dad895c40b1d2277bade16dfacdcd9 ]
+
+When the value of lp is 0 at the beginning of the for loop, it will
+become negative in the next assignment and we should bail out.
+
+Reported-by: syzbot+412dea214d8baa3f7483@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=412dea214d8baa3f7483
+Tested-by: syzbot+412dea214d8baa3f7483@syzkaller.appspotmail.com
+Signed-off-by: Nihar Chaithanya <niharchaithanya@gmail.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_dmap.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
+index d83ac5f5888a4..812945c8e3840 100644
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -2953,6 +2953,9 @@ static void dbAdjTree(dmtree_t *tp, int leafno, int newval, bool is_ctl)
+ /* bubble the new value up the tree as required.
+ */
+ for (k = 0; k < le32_to_cpu(tp->dmt_height); k++) {
++ if (lp == 0)
++ break;
++
+ /* get the index of the first leaf of the 4 leaf
+ * group containing the specified leaf (leafno).
+ */
+--
+2.43.0
+
--- /dev/null
+From a76b00e0c55302197c1759191d2962f3ff1eb2d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 28 Sep 2024 14:07:22 +0530
+Subject: jfs: array-index-out-of-bounds fix in dtReadFirst
+
+From: Ghanshyam Agrawal <ghanshyam1898@gmail.com>
+
+[ Upstream commit ca84a2c9be482836b86d780244f0357e5a778c46 ]
+
+The value of stbl can be sometimes out of bounds due
+to a bad filesystem. Added a check with appopriate return
+of error code in that case.
+
+Reported-by: syzbot+65fa06e29859e41a83f3@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=65fa06e29859e41a83f3
+Signed-off-by: Ghanshyam Agrawal <ghanshyam1898@gmail.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_dtree.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c
+index 077a87e530205..bd198b04c388f 100644
+--- a/fs/jfs/jfs_dtree.c
++++ b/fs/jfs/jfs_dtree.c
+@@ -3382,6 +3382,13 @@ static int dtReadFirst(struct inode *ip, struct btstack * btstack)
+
+ /* get the leftmost entry */
+ stbl = DT_GETSTBL(p);
++
++ if (stbl[0] < 0 || stbl[0] > 127) {
++ DT_PUTPAGE(mp);
++ jfs_error(ip->i_sb, "stbl[0] out of bound\n");
++ return -EIO;
++ }
++
+ xd = (pxd_t *) & p->slot[stbl[0]];
+
+ /* get the child page block address */
+--
+2.43.0
+
--- /dev/null
+From e101915f380e7387eb0f672c1eeee8532116037f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2024 11:35:47 +0530
+Subject: jfs: fix array-index-out-of-bounds in jfs_readdir
+
+From: Ghanshyam Agrawal <ghanshyam1898@gmail.com>
+
+[ Upstream commit 839f102efb168f02dfdd46717b7c6dddb26b015e ]
+
+The stbl might contain some invalid values. Added a check to
+return error code in that case.
+
+Reported-by: syzbot+0315f8fe99120601ba88@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=0315f8fe99120601ba88
+Signed-off-by: Ghanshyam Agrawal <ghanshyam1898@gmail.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_dtree.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fs/jfs/jfs_dtree.c b/fs/jfs/jfs_dtree.c
+index bd198b04c388f..4692c50d615f0 100644
+--- a/fs/jfs/jfs_dtree.c
++++ b/fs/jfs/jfs_dtree.c
+@@ -3187,6 +3187,14 @@ int jfs_readdir(struct file *file, struct dir_context *ctx)
+ stbl = DT_GETSTBL(p);
+
+ for (i = index; i < p->header.nextindex; i++) {
++ if (stbl[i] < 0 || stbl[i] > 127) {
++ jfs_err("JFS: Invalid stbl[%d] = %d for inode %ld, block = %lld",
++ i, stbl[i], (long)ip->i_ino, (long long)bn);
++ free_page(dirent_buf);
++ DT_PUTPAGE(mp);
++ return -EIO;
++ }
++
+ d = (struct ldtentry *) & p->slot[stbl[i]];
+
+ if (((long) jfs_dirent + d->namlen + 1) >
+--
+2.43.0
+
--- /dev/null
+From b1bb58c14c873b029e75f2dadee37af04740a9fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2024 13:42:18 +0530
+Subject: jfs: fix shift-out-of-bounds in dbSplit
+
+From: Ghanshyam Agrawal <ghanshyam1898@gmail.com>
+
+[ Upstream commit a5f5e4698f8abbb25fe4959814093fb5bfa1aa9d ]
+
+When dmt_budmin is less than zero, it causes errors
+in the later stages. Added a check to return an error beforehand
+in dbAllocCtl itself.
+
+Reported-by: syzbot+b5ca8a249162c4b9a7d0@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=b5ca8a249162c4b9a7d0
+Signed-off-by: Ghanshyam Agrawal <ghanshyam1898@gmail.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_dmap.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
+index 00258a551334a..d83ac5f5888a4 100644
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -1886,6 +1886,9 @@ dbAllocCtl(struct bmap * bmp, s64 nblocks, int l2nb, s64 blkno, s64 * results)
+ return -EIO;
+ dp = (struct dmap *) mp->data;
+
++ if (dp->tree.budmin < 0)
++ return -EIO;
++
+ /* try to allocate the blocks.
+ */
+ rc = dbAllocDmapLev(bmp, dp, (int) nblocks, l2nb, results);
+--
+2.43.0
+
--- /dev/null
+From e41c99a199ea271e9cd69676d29614db307b1287 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 3 Nov 2024 21:35:27 +0530
+Subject: leds: class: Protect brightness_show() with led_cdev->led_access
+ mutex
+
+From: Mukesh Ojha <quic_mojha@quicinc.com>
+
+[ Upstream commit 4ca7cd938725a4050dcd62ae9472e931d603118d ]
+
+There is NULL pointer issue observed if from Process A where hid device
+being added which results in adding a led_cdev addition and later a
+another call to access of led_cdev attribute from Process B can result
+in NULL pointer issue.
+
+Use mutex led_cdev->led_access to protect access to led->cdev and its
+attribute inside brightness_show() and max_brightness_show() and also
+update the comment for mutex that it should be used to protect the led
+class device fields.
+
+ Process A Process B
+
+ kthread+0x114
+ worker_thread+0x244
+ process_scheduled_works+0x248
+ uhid_device_add_worker+0x24
+ hid_add_device+0x120
+ device_add+0x268
+ bus_probe_device+0x94
+ device_initial_probe+0x14
+ __device_attach+0xfc
+ bus_for_each_drv+0x10c
+ __device_attach_driver+0x14c
+ driver_probe_device+0x3c
+ __driver_probe_device+0xa0
+ really_probe+0x190
+ hid_device_probe+0x130
+ ps_probe+0x990
+ ps_led_register+0x94
+ devm_led_classdev_register_ext+0x58
+ led_classdev_register_ext+0x1f8
+ device_create_with_groups+0x48
+ device_create_groups_vargs+0xc8
+ device_add+0x244
+ kobject_uevent+0x14
+ kobject_uevent_env[jt]+0x224
+ mutex_unlock[jt]+0xc4
+ __mutex_unlock_slowpath+0xd4
+ wake_up_q+0x70
+ try_to_wake_up[jt]+0x48c
+ preempt_schedule_common+0x28
+ __schedule+0x628
+ __switch_to+0x174
+ el0t_64_sync+0x1a8/0x1ac
+ el0t_64_sync_handler+0x68/0xbc
+ el0_svc+0x38/0x68
+ do_el0_svc+0x1c/0x28
+ el0_svc_common+0x80/0xe0
+ invoke_syscall+0x58/0x114
+ __arm64_sys_read+0x1c/0x2c
+ ksys_read+0x78/0xe8
+ vfs_read+0x1e0/0x2c8
+ kernfs_fop_read_iter+0x68/0x1b4
+ seq_read_iter+0x158/0x4ec
+ kernfs_seq_show+0x44/0x54
+ sysfs_kf_seq_show+0xb4/0x130
+ dev_attr_show+0x38/0x74
+ brightness_show+0x20/0x4c
+ dualshock4_led_get_brightness+0xc/0x74
+
+[ 3313.874295][ T4013] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060
+[ 3313.874301][ T4013] Mem abort info:
+[ 3313.874303][ T4013] ESR = 0x0000000096000006
+[ 3313.874305][ T4013] EC = 0x25: DABT (current EL), IL = 32 bits
+[ 3313.874307][ T4013] SET = 0, FnV = 0
+[ 3313.874309][ T4013] EA = 0, S1PTW = 0
+[ 3313.874311][ T4013] FSC = 0x06: level 2 translation fault
+[ 3313.874313][ T4013] Data abort info:
+[ 3313.874314][ T4013] ISV = 0, ISS = 0x00000006, ISS2 = 0x00000000
+[ 3313.874316][ T4013] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
+[ 3313.874318][ T4013] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+[ 3313.874320][ T4013] user pgtable: 4k pages, 39-bit VAs, pgdp=00000008f2b0a000
+..
+
+[ 3313.874332][ T4013] Dumping ftrace buffer:
+[ 3313.874334][ T4013] (ftrace buffer empty)
+..
+..
+[ dd3313.874639][ T4013] CPU: 6 PID: 4013 Comm: InputReader
+[ 3313.874648][ T4013] pc : dualshock4_led_get_brightness+0xc/0x74
+[ 3313.874653][ T4013] lr : led_update_brightness+0x38/0x60
+[ 3313.874656][ T4013] sp : ffffffc0b910bbd0
+..
+..
+[ 3313.874685][ T4013] Call trace:
+[ 3313.874687][ T4013] dualshock4_led_get_brightness+0xc/0x74
+[ 3313.874690][ T4013] brightness_show+0x20/0x4c
+[ 3313.874692][ T4013] dev_attr_show+0x38/0x74
+[ 3313.874696][ T4013] sysfs_kf_seq_show+0xb4/0x130
+[ 3313.874700][ T4013] kernfs_seq_show+0x44/0x54
+[ 3313.874703][ T4013] seq_read_iter+0x158/0x4ec
+[ 3313.874705][ T4013] kernfs_fop_read_iter+0x68/0x1b4
+[ 3313.874708][ T4013] vfs_read+0x1e0/0x2c8
+[ 3313.874711][ T4013] ksys_read+0x78/0xe8
+[ 3313.874714][ T4013] __arm64_sys_read+0x1c/0x2c
+[ 3313.874718][ T4013] invoke_syscall+0x58/0x114
+[ 3313.874721][ T4013] el0_svc_common+0x80/0xe0
+[ 3313.874724][ T4013] do_el0_svc+0x1c/0x28
+[ 3313.874727][ T4013] el0_svc+0x38/0x68
+[ 3313.874730][ T4013] el0t_64_sync_handler+0x68/0xbc
+[ 3313.874732][ T4013] el0t_64_sync+0x1a8/0x1ac
+
+Signed-off-by: Mukesh Ojha <quic_mojha@quicinc.com>
+Reviewed-by: Anish Kumar <yesanishhere@gmail.com>
+Link: https://lore.kernel.org/r/20241103160527.82487-1-quic_mojha@quicinc.com
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/led-class.c | 14 +++++++++++---
+ include/linux/leds.h | 2 +-
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/leds/led-class.c b/drivers/leds/led-class.c
+index 0a4823d9797ae..a9f37e8227881 100644
+--- a/drivers/leds/led-class.c
++++ b/drivers/leds/led-class.c
+@@ -27,11 +27,14 @@ static ssize_t brightness_show(struct device *dev,
+ struct device_attribute *attr, char *buf)
+ {
+ struct led_classdev *led_cdev = dev_get_drvdata(dev);
++ unsigned int brightness;
+
+- /* no lock needed for this */
++ mutex_lock(&led_cdev->led_access);
+ led_update_brightness(led_cdev);
++ brightness = led_cdev->brightness;
++ mutex_unlock(&led_cdev->led_access);
+
+- return sprintf(buf, "%u\n", led_cdev->brightness);
++ return sprintf(buf, "%u\n", brightness);
+ }
+
+ static ssize_t brightness_store(struct device *dev,
+@@ -68,8 +71,13 @@ static ssize_t max_brightness_show(struct device *dev,
+ struct device_attribute *attr, char *buf)
+ {
+ struct led_classdev *led_cdev = dev_get_drvdata(dev);
++ unsigned int max_brightness;
++
++ mutex_lock(&led_cdev->led_access);
++ max_brightness = led_cdev->max_brightness;
++ mutex_unlock(&led_cdev->led_access);
+
+- return sprintf(buf, "%u\n", led_cdev->max_brightness);
++ return sprintf(buf, "%u\n", max_brightness);
+ }
+ static DEVICE_ATTR_RO(max_brightness);
+
+diff --git a/include/linux/leds.h b/include/linux/leds.h
+index efb309dba914a..ef68aa9a00ff7 100644
+--- a/include/linux/leds.h
++++ b/include/linux/leds.h
+@@ -146,7 +146,7 @@ struct led_classdev {
+ struct kernfs_node *brightness_hw_changed_kn;
+ #endif
+
+- /* Ensures consistent access to the LED Flash Class device */
++ /* Ensures consistent access to the LED class device */
+ struct mutex led_access;
+ };
+
+--
+2.43.0
+
--- /dev/null
+From 218c2475e41c5c2e30ca88c8ec0a93339ff29ee1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 3 Oct 2024 19:40:40 +1000
+Subject: media: cx231xx: Add support for Dexatek USB Video Grabber 1d19:6108
+
+From: Rohan Barar <rohan.barar@gmail.com>
+
+[ Upstream commit 61a830bc0ea69a05d8a4534f825c6aa618263649 ]
+
+Add Dexatek Technology Ltd USB Video Grabber 1d19:6108 to the cx231xx
+driver. This device is sold under the name "BAUHN DVD Maker (DK8723)" by
+ALDI in Australia.
+
+This device is similar to 1d19:6109, which is already included in cx231xx.
+
+Both video and audio capture function correctly after installing the
+patched cx231xx driver.
+
+Patch Changelog
+v1:
+ - Initial submission.
+v2:
+ - Fix SoB + Improve subject.
+v3:
+ - Rephrase message to not exceed 75 characters per line.
+ - Removed reference to external GitHub URL.
+
+Signed-off-by: Rohan Barar <rohan.barar@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/cx231xx/cx231xx-cards.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/media/usb/cx231xx/cx231xx-cards.c b/drivers/media/usb/cx231xx/cx231xx-cards.c
+index e123e74c549ed..49094b6b2a31e 100644
+--- a/drivers/media/usb/cx231xx/cx231xx-cards.c
++++ b/drivers/media/usb/cx231xx/cx231xx-cards.c
+@@ -994,6 +994,8 @@ const unsigned int cx231xx_bcount = ARRAY_SIZE(cx231xx_boards);
+
+ /* table of devices that work with this driver */
+ struct usb_device_id cx231xx_id_table[] = {
++ {USB_DEVICE(0x1D19, 0x6108),
++ .driver_info = CX231XX_BOARD_PV_XCAPTURE_USB},
+ {USB_DEVICE(0x1D19, 0x6109),
+ .driver_info = CX231XX_BOARD_PV_XCAPTURE_USB},
+ {USB_DEVICE(0x0572, 0x5A3C),
+--
+2.43.0
+
--- /dev/null
+From 7c2f3ef3336faff9af332f7049170c7b8c78d84d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Sep 2024 20:05:40 +0200
+Subject: media: uvcvideo: Add a quirk for the Kaiweets KTI-W02 infrared camera
+
+From: David Given <dg@cowlark.com>
+
+[ Upstream commit b2ec92bb5605452d539a7aa1e42345b95acd8583 ]
+
+Adds a quirk to make the NXP Semiconductors 1fc9:009b chipset work.
+
+lsusb for the device reports:
+
+Bus 003 Device 011: ID 1fc9:009b NXP Semiconductors IR VIDEO
+Device Descriptor:
+ bLength 18
+ bDescriptorType 1
+ bcdUSB 2.00
+ bDeviceClass 239 Miscellaneous Device
+ bDeviceSubClass 2 [unknown]
+ bDeviceProtocol 1 Interface Association
+ bMaxPacketSize0 64
+ idVendor 0x1fc9 NXP Semiconductors
+ idProduct 0x009b IR VIDEO
+ bcdDevice 1.01
+ iManufacturer 1 Guide sensmart
+ iProduct 2 IR VIDEO
+ iSerial 0
+ bNumConfigurations 1
+ Configuration Descriptor:
+ bLength 9
+ bDescriptorType 2
+ wTotalLength 0x00c2
+ bNumInterfaces 2
+ bConfigurationValue 1
+ iConfiguration 0
+ bmAttributes 0xc0
+ Self Powered
+ MaxPower 100mA
+ Interface Association:
+ bLength 8
+ bDescriptorType 11
+ bFirstInterface 0
+ bInterfaceCount 2
+ bFunctionClass 14 Video
+ bFunctionSubClass 3 Video Interface Collection
+ bFunctionProtocol 0
+ iFunction 3 IR Camera
+ Interface Descriptor:
+ bLength 9
+ bDescriptorType 4
+ bInterfaceNumber 0
+ bAlternateSetting 0
+ bNumEndpoints 1
+ bInterfaceClass 14 Video
+ bInterfaceSubClass 1 Video Control
+ bInterfaceProtocol 0
+ iInterface 0
+ VideoControl Interface Descriptor:
+ bLength 13
+ bDescriptorType 36
+ bDescriptorSubtype 1 (HEADER)
+ bcdUVC 1.00
+ wTotalLength 0x0033
+ dwClockFrequency 6.000000MHz
+ bInCollection 1
+ baInterfaceNr( 0) 1
+ VideoControl Interface Descriptor:
+ bLength 18
+ bDescriptorType 36
+ bDescriptorSubtype 2 (INPUT_TERMINAL)
+ bTerminalID 1
+ wTerminalType 0x0201 Camera Sensor
+ bAssocTerminal 0
+ iTerminal 0
+ wObjectiveFocalLengthMin 0
+ wObjectiveFocalLengthMax 0
+ wOcularFocalLength 0
+ bControlSize 3
+ bmControls 0x00000000
+ VideoControl Interface Descriptor:
+ bLength 9
+ bDescriptorType 36
+ bDescriptorSubtype 3 (OUTPUT_TERMINAL)
+ bTerminalID 2
+ wTerminalType 0x0101 USB Streaming
+ bAssocTerminal 0
+ bSourceID 1
+ iTerminal 0
+ VideoControl Interface Descriptor:
+ bLength 11
+ bDescriptorType 36
+ bDescriptorSubtype 5 (PROCESSING_UNIT)
+ Warning: Descriptor too short
+ bUnitID 3
+ bSourceID 1
+ wMaxMultiplier 0
+ bControlSize 2
+ bmControls 0x00000000
+ iProcessing 0
+ bmVideoStandards 0x62
+ NTSC - 525/60
+ PAL - 525/60
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x81 EP 1 IN
+ bmAttributes 3
+ Transfer Type Interrupt
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0008 1x 8 bytes
+ bInterval 1
+ Interface Descriptor:
+ bLength 9
+ bDescriptorType 4
+ bInterfaceNumber 1
+ bAlternateSetting 0
+ bNumEndpoints 0
+ bInterfaceClass 14 Video
+ bInterfaceSubClass 2 Video Streaming
+ bInterfaceProtocol 0
+ iInterface 0
+ VideoStreaming Interface Descriptor:
+ bLength 14
+ bDescriptorType 36
+ bDescriptorSubtype 1 (INPUT_HEADER)
+ bNumFormats 1
+ wTotalLength 0x0055
+ bEndpointAddress 0x82 EP 2 IN
+ bmInfo 0
+ bTerminalLink 2
+ bStillCaptureMethod 2
+ bTriggerSupport 0
+ bTriggerUsage 0
+ bControlSize 1
+ bmaControls( 0) 0
+ VideoStreaming Interface Descriptor:
+ bLength 27
+ bDescriptorType 36
+ bDescriptorSubtype 4 (FORMAT_UNCOMPRESSED)
+ bFormatIndex 1
+ bNumFrameDescriptors 1
+ guidFormat {e436eb7b-524f-11ce-9f53-0020af0ba770}
+ bBitsPerPixel 16
+ bDefaultFrameIndex 1
+ bAspectRatioX 0
+ bAspectRatioY 0
+ bmInterlaceFlags 0x00
+ Interlaced stream or variable: No
+ Fields per frame: 2 fields
+ Field 1 first: No
+ Field pattern: Field 1 only
+ bCopyProtect 0
+ VideoStreaming Interface Descriptor:
+ bLength 34
+ bDescriptorType 36
+ bDescriptorSubtype 5 (FRAME_UNCOMPRESSED)
+ bFrameIndex 1
+ bmCapabilities 0x00
+ Still image unsupported
+ wWidth 240
+ wHeight 322
+ dwMinBitRate 12364800
+ dwMaxBitRate 30912000
+ dwMaxVideoFrameBufferSize 154560
+ dwDefaultFrameInterval 400000
+ bFrameIntervalType 2
+ dwFrameInterval( 0) 400000
+ dwFrameInterval( 1) 1000000
+ VideoStreaming Interface Descriptor:
+ bLength 10
+ bDescriptorType 36
+ bDescriptorSubtype 3 (STILL_IMAGE_FRAME)
+ bEndpointAddress 0x00 EP 0 OUT
+ bNumImageSizePatterns 1
+ wWidth( 0) 240
+ wHeight( 0) 322
+ bNumCompressionPatterns 0
+ Interface Descriptor:
+ bLength 9
+ bDescriptorType 4
+ bInterfaceNumber 1
+ bAlternateSetting 1
+ bNumEndpoints 1
+ bInterfaceClass 14 Video
+ bInterfaceSubClass 2 Video Streaming
+ bInterfaceProtocol 0
+ iInterface 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x82 EP 2 IN
+ bmAttributes 5
+ Transfer Type Isochronous
+ Synch Type Asynchronous
+ Usage Type Data
+ wMaxPacketSize 0x0400 1x 1024 bytes
+ bInterval 1
+Device Status: 0x0001
+ Self Powered
+
+Signed-off-by: David Given <dg@cowlark.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
+Link: https://lore.kernel.org/r/20240918180540.10830-2-dg@cowlark.com
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_driver.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c
+index 2f913ea44b281..2c2ceb50500ce 100644
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -2425,6 +2425,8 @@ static const struct uvc_device_info uvc_quirk_force_y8 = {
+ * The Logitech cameras listed below have their interface class set to
+ * VENDOR_SPEC because they don't announce themselves as UVC devices, even
+ * though they are compliant.
++ *
++ * Sort these by vendor/product ID.
+ */
+ static const struct usb_device_id uvc_ids[] = {
+ /* LogiLink Wireless Webcam */
+@@ -2893,6 +2895,15 @@ static const struct usb_device_id uvc_ids[] = {
+ .bInterfaceProtocol = 0,
+ .driver_info = UVC_INFO_QUIRK(UVC_QUIRK_PROBE_MINMAX
+ | UVC_QUIRK_IGNORE_SELECTOR_UNIT) },
++ /* NXP Semiconductors IR VIDEO */
++ { .match_flags = USB_DEVICE_ID_MATCH_DEVICE
++ | USB_DEVICE_ID_MATCH_INT_INFO,
++ .idVendor = 0x1fc9,
++ .idProduct = 0x009b,
++ .bInterfaceClass = USB_CLASS_VIDEO,
++ .bInterfaceSubClass = 1,
++ .bInterfaceProtocol = 0,
++ .driver_info = (kernel_ulong_t)&uvc_quirk_probe_minmax },
+ /* Oculus VR Positional Tracker DK2 */
+ { .match_flags = USB_DEVICE_ID_MATCH_DEVICE
+ | USB_DEVICE_ID_MATCH_INT_INFO,
+--
+2.43.0
+
--- /dev/null
+From 9eb6df6d41170f02a8b81d4ccd984bd4a6a38482 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Oct 2024 11:12:33 -0400
+Subject: misc: eeprom: eeprom_93cx6: Add quirk for extra read clock cycle
+
+From: Parker Newman <pnewman@connecttech.com>
+
+[ Upstream commit 7738a7ab9d12c5371ed97114ee2132d4512e9fd5 ]
+
+Add a quirk similar to eeprom_93xx46 to add an extra clock cycle before
+reading data from the EEPROM.
+
+The 93Cx6 family of EEPROMs output a "dummy 0 bit" between the writing
+of the op-code/address from the host to the EEPROM and the reading of
+the actual data from the EEPROM.
+
+More info can be found on page 6 of the AT93C46 datasheet (linked below).
+Similar notes are found in other 93xx6 datasheets.
+
+In summary the read operation for a 93Cx6 EEPROM is:
+Write to EEPROM: 110[A5-A0] (9 bits)
+Read from EEPROM: 0[D15-D0] (17 bits)
+
+Where:
+ 110 is the start bit and READ OpCode
+ [A5-A0] is the address to read from
+ 0 is a "dummy bit" preceding the actual data
+ [D15-D0] is the actual data.
+
+Looking at the READ timing diagrams in the 93Cx6 datasheets the dummy
+bit should be clocked out on the last address bit clock cycle meaning it
+should be discarded naturally.
+
+However, depending on the hardware configuration sometimes this dummy
+bit is not discarded. This is the case with Exar PCI UARTs which require
+an extra clock cycle between sending the address and reading the data.
+
+Datasheet: https://ww1.microchip.com/downloads/en/DeviceDoc/Atmel-5193-SEEPROM-AT93C46D-Datasheet.pdf
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Parker Newman <pnewman@connecttech.com>
+Link: https://lore.kernel.org/r/0f23973efefccd2544705a0480b4ad4c2353e407.1727880931.git.pnewman@connecttech.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/misc/eeprom/eeprom_93cx6.c | 10 ++++++++++
+ include/linux/eeprom_93cx6.h | 11 +++++++++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/drivers/misc/eeprom/eeprom_93cx6.c b/drivers/misc/eeprom/eeprom_93cx6.c
+index 36a2eb837371b..6b42ba6705d3f 100644
+--- a/drivers/misc/eeprom/eeprom_93cx6.c
++++ b/drivers/misc/eeprom/eeprom_93cx6.c
+@@ -186,6 +186,11 @@ void eeprom_93cx6_read(struct eeprom_93cx6 *eeprom, const u8 word,
+ eeprom_93cx6_write_bits(eeprom, command,
+ PCI_EEPROM_WIDTH_OPCODE + eeprom->width);
+
++ if (has_quirk_extra_read_cycle(eeprom)) {
++ eeprom_93cx6_pulse_high(eeprom);
++ eeprom_93cx6_pulse_low(eeprom);
++ }
++
+ /*
+ * Read the requested 16 bits.
+ */
+@@ -252,6 +257,11 @@ void eeprom_93cx6_readb(struct eeprom_93cx6 *eeprom, const u8 byte,
+ eeprom_93cx6_write_bits(eeprom, command,
+ PCI_EEPROM_WIDTH_OPCODE + eeprom->width + 1);
+
++ if (has_quirk_extra_read_cycle(eeprom)) {
++ eeprom_93cx6_pulse_high(eeprom);
++ eeprom_93cx6_pulse_low(eeprom);
++ }
++
+ /*
+ * Read the requested 8 bits.
+ */
+diff --git a/include/linux/eeprom_93cx6.h b/include/linux/eeprom_93cx6.h
+index c860c72a921d0..3a485cc0e0fa0 100644
+--- a/include/linux/eeprom_93cx6.h
++++ b/include/linux/eeprom_93cx6.h
+@@ -11,6 +11,8 @@
+ Supported chipsets: 93c46, 93c56 and 93c66.
+ */
+
++#include <linux/bits.h>
++
+ /*
+ * EEPROM operation defines.
+ */
+@@ -34,6 +36,7 @@
+ * @register_write(struct eeprom_93cx6 *eeprom): handler to
+ * write to the eeprom register by using all reg_* fields.
+ * @width: eeprom width, should be one of the PCI_EEPROM_WIDTH_* defines
++ * @quirks: eeprom or controller quirks
+ * @drive_data: Set if we're driving the data line.
+ * @reg_data_in: register field to indicate data input
+ * @reg_data_out: register field to indicate data output
+@@ -50,6 +53,9 @@ struct eeprom_93cx6 {
+ void (*register_write)(struct eeprom_93cx6 *eeprom);
+
+ int width;
++ unsigned int quirks;
++/* Some EEPROMs require an extra clock cycle before reading */
++#define PCI_EEPROM_QUIRK_EXTRA_READ_CYCLE BIT(0)
+
+ char drive_data;
+ char reg_data_in;
+@@ -71,3 +77,8 @@ extern void eeprom_93cx6_wren(struct eeprom_93cx6 *eeprom, bool enable);
+
+ extern void eeprom_93cx6_write(struct eeprom_93cx6 *eeprom,
+ u8 addr, u16 data);
++
++static inline bool has_quirk_extra_read_cycle(struct eeprom_93cx6 *eeprom)
++{
++ return eeprom->quirks & PCI_EEPROM_QUIRK_EXTRA_READ_CYCLE;
++}
+--
+2.43.0
+
--- /dev/null
+From 7030adc9cdcfc833b5322ce8dd813ce7de2ab2f9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 16:38:03 +0100
+Subject: net: af_can: do not leave a dangling sk pointer in can_create()
+
+From: Ignat Korchagin <ignat@cloudflare.com>
+
+[ Upstream commit 811a7ca7320c062e15d0f5b171fe6ad8592d1434 ]
+
+On error can_create() frees the allocated sk object, but sock_init_data()
+has already attached it to the provided sock object. This will leave a
+dangling sk pointer in the sock object and may cause use-after-free later.
+
+Signed-off-by: Ignat Korchagin <ignat@cloudflare.com>
+Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Link: https://patch.msgid.link/20241014153808.51894-5-ignat@cloudflare.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/can/af_can.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/can/af_can.c b/net/can/af_can.c
+index b396c23561d63..bc06016a4fe90 100644
+--- a/net/can/af_can.c
++++ b/net/can/af_can.c
+@@ -171,6 +171,7 @@ static int can_create(struct net *net, struct socket *sock, int protocol,
+ /* release sk on errors */
+ sock_orphan(sk);
+ sock_put(sk);
++ sock->sk = NULL;
+ }
+
+ errout:
+--
+2.43.0
+
--- /dev/null
+From 54a11aaf196ba6e38970e0485c3052e902c50662 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 11:48:08 +0100
+Subject: net: ethernet: fs_enet: Use %pa to format resource_size_t
+
+From: Simon Horman <horms@kernel.org>
+
+[ Upstream commit 45fe45fada261e1e83fce2a07fa22835aec1cf0a ]
+
+The correct format string for resource_size_t is %pa which
+acts on the address of the variable to be formatted [1].
+
+[1] https://elixir.bootlin.com/linux/v6.11.3/source/Documentation/core-api/printk-formats.rst#L229
+
+Introduced by commit 9d9326d3bc0e ("phy: Change mii_bus id field to a string")
+
+Flagged by gcc-14 as:
+
+drivers/net/ethernet/freescale/fs_enet/mii-bitbang.c: In function 'fs_mii_bitbang_init':
+drivers/net/ethernet/freescale/fs_enet/mii-bitbang.c:126:46: warning: format '%x' expects argument of type 'unsigned int', but argument 4 has type 'resource_size_t' {aka 'long long unsigned int'} [-Wformat=]
+ 126 | snprintf(bus->id, MII_BUS_ID_SIZE, "%x", res.start);
+ | ~^ ~~~~~~~~~
+ | | |
+ | | resource_size_t {aka long long unsigned int}
+ | unsigned int
+ | %llx
+
+No functional change intended.
+Compile tested only.
+
+Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Closes: https://lore.kernel.org/netdev/711d7f6d-b785-7560-f4dc-c6aad2cce99@linux-m68k.org/
+Signed-off-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Daniel Machon <daniel.machon@microchip.com>
+Link: https://patch.msgid.link/20241014-net-pa-fmt-v1-2-dcc9afb8858b@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fs_enet/mii-bitbang.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/freescale/fs_enet/mii-bitbang.c b/drivers/net/ethernet/freescale/fs_enet/mii-bitbang.c
+index 21de56345503f..f743112730194 100644
+--- a/drivers/net/ethernet/freescale/fs_enet/mii-bitbang.c
++++ b/drivers/net/ethernet/freescale/fs_enet/mii-bitbang.c
+@@ -126,7 +126,7 @@ static int fs_mii_bitbang_init(struct mii_bus *bus, struct device_node *np)
+ * we get is an int, and the odds of multiple bitbang mdio buses
+ * is low enough that it's not worth going too crazy.
+ */
+- snprintf(bus->id, MII_BUS_ID_SIZE, "%x", res.start);
++ snprintf(bus->id, MII_BUS_ID_SIZE, "%pa", &res.start);
+
+ data = of_get_property(np, "fsl,mdio-pin", &len);
+ if (!data || len != 4)
+--
+2.43.0
+
--- /dev/null
+From e7fe3fef582d1ff5e1506763c85a6ad8115153a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 11:48:07 +0100
+Subject: net: fec_mpc52xx_phy: Use %pa to format resource_size_t
+
+From: Simon Horman <horms@kernel.org>
+
+[ Upstream commit 020bfdc4ed94be472138c891bde4d14241cf00fd ]
+
+The correct format string for resource_size_t is %pa which
+acts on the address of the variable to be formatted [1].
+
+[1] https://elixir.bootlin.com/linux/v6.11.3/source/Documentation/core-api/printk-formats.rst#L229
+
+Introduced by commit 9d9326d3bc0e ("phy: Change mii_bus id field to a string")
+
+Flagged by gcc-14 as:
+
+drivers/net/ethernet/freescale/fec_mpc52xx_phy.c: In function 'mpc52xx_fec_mdio_probe':
+drivers/net/ethernet/freescale/fec_mpc52xx_phy.c:97:46: warning: format '%x' expects argument of type 'unsigned int', but argument 4 has type 'resource_size_t' {aka 'long long unsigned int'} [-Wformat=]
+ 97 | snprintf(bus->id, MII_BUS_ID_SIZE, "%x", res.start);
+ | ~^ ~~~~~~~~~
+ | | |
+ | | resource_size_t {aka long long unsigned int}
+ | unsigned int
+ | %llx
+
+No functional change intended.
+Compile tested only.
+
+Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Closes: https://lore.kernel.org/netdev/711d7f6d-b785-7560-f4dc-c6aad2cce99@linux-m68k.org/
+Signed-off-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Daniel Machon <daniel.machon@microchip.com>
+Link: https://patch.msgid.link/20241014-net-pa-fmt-v1-1-dcc9afb8858b@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fec_mpc52xx_phy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_mpc52xx_phy.c b/drivers/net/ethernet/freescale/fec_mpc52xx_phy.c
+index b5497e3083020..7e631e2f710fb 100644
+--- a/drivers/net/ethernet/freescale/fec_mpc52xx_phy.c
++++ b/drivers/net/ethernet/freescale/fec_mpc52xx_phy.c
+@@ -92,7 +92,7 @@ static int mpc52xx_fec_mdio_probe(struct platform_device *of)
+ goto out_free;
+ }
+
+- snprintf(bus->id, MII_BUS_ID_SIZE, "%x", res.start);
++ snprintf(bus->id, MII_BUS_ID_SIZE, "%pa", &res.start);
+ bus->priv = priv;
+
+ bus->parent = dev;
+--
+2.43.0
+
--- /dev/null
+From 5e14facd6bc81bafb3423dc179d5bcc2def0b265 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 16:38:04 +0100
+Subject: net: ieee802154: do not leave a dangling sk pointer in
+ ieee802154_create()
+
+From: Ignat Korchagin <ignat@cloudflare.com>
+
+[ Upstream commit b4fcd63f6ef79c73cafae8cf4a114def5fc3d80d ]
+
+sock_init_data() attaches the allocated sk object to the provided sock
+object. If ieee802154_create() fails later, the allocated sk object is
+freed, but the dangling pointer remains in the provided sock object, which
+may allow use-after-free.
+
+Clear the sk pointer in the sock object on error.
+
+Signed-off-by: Ignat Korchagin <ignat@cloudflare.com>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20241014153808.51894-6-ignat@cloudflare.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ieee802154/socket.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/net/ieee802154/socket.c b/net/ieee802154/socket.c
+index ce5f25c89dfaf..b5f8aaa428844 100644
+--- a/net/ieee802154/socket.c
++++ b/net/ieee802154/socket.c
+@@ -1055,19 +1055,21 @@ static int ieee802154_create(struct net *net, struct socket *sock,
+
+ if (sk->sk_prot->hash) {
+ rc = sk->sk_prot->hash(sk);
+- if (rc) {
+- sk_common_release(sk);
+- goto out;
+- }
++ if (rc)
++ goto out_sk_release;
+ }
+
+ if (sk->sk_prot->init) {
+ rc = sk->sk_prot->init(sk);
+ if (rc)
+- sk_common_release(sk);
++ goto out_sk_release;
+ }
+ out:
+ return rc;
++out_sk_release:
++ sk_common_release(sk);
++ sock->sk = NULL;
++ goto out;
+ }
+
+ static const struct net_proto_family ieee802154_family_ops = {
+--
+2.43.0
+
--- /dev/null
+From d846bb8949e617c07726da4b4650ad8c69626965 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 16:38:05 +0100
+Subject: net: inet: do not leave a dangling sk pointer in inet_create()
+
+From: Ignat Korchagin <ignat@cloudflare.com>
+
+[ Upstream commit 9365fa510c6f82e3aa550a09d0c5c6b44dbc78ff ]
+
+sock_init_data() attaches the allocated sk object to the provided sock
+object. If inet_create() fails later, the sk object is freed, but the
+sock object retains the dangling pointer, which may create use-after-free
+later.
+
+Clear the sk pointer in the sock object on error.
+
+Signed-off-by: Ignat Korchagin <ignat@cloudflare.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20241014153808.51894-7-ignat@cloudflare.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/af_inet.c | 22 ++++++++++------------
+ 1 file changed, 10 insertions(+), 12 deletions(-)
+
+diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
+index be2b786cee2bd..486ab202303ff 100644
+--- a/net/ipv4/af_inet.c
++++ b/net/ipv4/af_inet.c
+@@ -369,32 +369,30 @@ static int inet_create(struct net *net, struct socket *sock, int protocol,
+ inet->inet_sport = htons(inet->inet_num);
+ /* Add to protocol hash chains. */
+ err = sk->sk_prot->hash(sk);
+- if (err) {
+- sk_common_release(sk);
+- goto out;
+- }
++ if (err)
++ goto out_sk_release;
+ }
+
+ if (sk->sk_prot->init) {
+ err = sk->sk_prot->init(sk);
+- if (err) {
+- sk_common_release(sk);
+- goto out;
+- }
++ if (err)
++ goto out_sk_release;
+ }
+
+ if (!kern) {
+ err = BPF_CGROUP_RUN_PROG_INET_SOCK(sk);
+- if (err) {
+- sk_common_release(sk);
+- goto out;
+- }
++ if (err)
++ goto out_sk_release;
+ }
+ out:
+ return err;
+ out_rcu_unlock:
+ rcu_read_unlock();
+ goto out;
++out_sk_release:
++ sk_common_release(sk);
++ sock->sk = NULL;
++ goto out;
+ }
+
+
+--
+2.43.0
+
--- /dev/null
+From c9fb9fe9a1057d8881656fc00e662894e7785efb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Oct 2024 16:38:06 +0100
+Subject: net: inet6: do not leave a dangling sk pointer in inet6_create()
+
+From: Ignat Korchagin <ignat@cloudflare.com>
+
+[ Upstream commit 9df99c395d0f55fb444ef39f4d6f194ca437d884 ]
+
+sock_init_data() attaches the allocated sk pointer to the provided sock
+object. If inet6_create() fails later, the sk object is released, but the
+sock object retains the dangling sk pointer, which may cause use-after-free
+later.
+
+Clear the sock sk pointer on error.
+
+Signed-off-by: Ignat Korchagin <ignat@cloudflare.com>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20241014153808.51894-8-ignat@cloudflare.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/af_inet6.c | 22 ++++++++++------------
+ 1 file changed, 10 insertions(+), 12 deletions(-)
+
+diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
+index 7ee0bfea9de1d..845d77b0a7f03 100644
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -251,31 +251,29 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol,
+ */
+ inet->inet_sport = htons(inet->inet_num);
+ err = sk->sk_prot->hash(sk);
+- if (err) {
+- sk_common_release(sk);
+- goto out;
+- }
++ if (err)
++ goto out_sk_release;
+ }
+ if (sk->sk_prot->init) {
+ err = sk->sk_prot->init(sk);
+- if (err) {
+- sk_common_release(sk);
+- goto out;
+- }
++ if (err)
++ goto out_sk_release;
+ }
+
+ if (!kern) {
+ err = BPF_CGROUP_RUN_PROG_INET_SOCK(sk);
+- if (err) {
+- sk_common_release(sk);
+- goto out;
+- }
++ if (err)
++ goto out_sk_release;
+ }
+ out:
+ return err;
+ out_rcu_unlock:
+ rcu_read_unlock();
+ goto out;
++out_sk_release:
++ sk_common_release(sk);
++ sock->sk = NULL;
++ goto out;
+ }
+
+ static int __inet6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len,
+--
+2.43.0
+
--- /dev/null
+From c4fd5fda2ece0d518ef501ca81a8d43790d6a209 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2024 16:32:21 -0800
+Subject: net/neighbor: clear error in case strict check is not set
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 0de6a472c3b38432b2f184bd64eb70d9ea36d107 ]
+
+Commit 51183d233b5a ("net/neighbor: Update neigh_dump_info for strict
+data checking") added strict checking. The err variable is not cleared,
+so if we find no table to dump we will return the validation error even
+if user did not want strict checking.
+
+I think the only way to hit this is to send an buggy request, and ask
+for a table which doesn't exist, so there's no point treating this
+as a real fix. I only noticed it because a syzbot repro depended on it
+to trigger another bug.
+
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20241115003221.733593-1-kuba@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/neighbour.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/core/neighbour.c b/net/core/neighbour.c
+index e571007d083cc..4dfe17f1a76aa 100644
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -2734,6 +2734,7 @@ static int neigh_dump_info(struct sk_buff *skb, struct netlink_callback *cb)
+ err = neigh_valid_dump_req(nlh, cb->strict_check, &filter, cb->extack);
+ if (err < 0 && cb->strict_check)
+ return err;
++ err = 0;
+
+ s_t = cb->args[0];
+
+--
+2.43.0
+
--- /dev/null
+From 8dd4ac9c59d17cc7ba2212bbafda9a785c118a9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 13 Oct 2024 15:45:29 +0300
+Subject: net/sched: cbs: Fix integer overflow in cbs_set_port_rate()
+
+From: Elena Salomatkina <esalomatkina@ispras.ru>
+
+[ Upstream commit 397006ba5d918f9b74e734867e8fddbc36dc2282 ]
+
+The subsequent calculation of port_rate = speed * 1000 * BYTES_PER_KBIT,
+where the BYTES_PER_KBIT is of type LL, may cause an overflow.
+At least when speed = SPEED_20000, the expression to the left of port_rate
+will be greater than INT_MAX.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Signed-off-by: Elena Salomatkina <esalomatkina@ispras.ru>
+Link: https://patch.msgid.link/20241013124529.1043-1-esalomatkina@ispras.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_cbs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/sched/sch_cbs.c b/net/sched/sch_cbs.c
+index 2eaac2ff380fa..db92ae819fd28 100644
+--- a/net/sched/sch_cbs.c
++++ b/net/sched/sch_cbs.c
+@@ -309,7 +309,7 @@ static void cbs_set_port_rate(struct net_device *dev, struct cbs_sched_data *q)
+ {
+ struct ethtool_link_ksettings ecmd;
+ int speed = SPEED_10;
+- int port_rate;
++ s64 port_rate;
+ int err;
+
+ err = __ethtool_get_link_ksettings(dev, &ecmd);
+--
+2.43.0
+
--- /dev/null
+From 48b9cbbc42f77bed8e9f1ecc364c8711e92d22ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 18 Nov 2024 03:15:17 -0800
+Subject: netpoll: Use rcu_access_pointer() in __netpoll_setup
+
+From: Breno Leitao <leitao@debian.org>
+
+[ Upstream commit c69c5e10adb903ae2438d4f9c16eccf43d1fcbc1 ]
+
+The ndev->npinfo pointer in __netpoll_setup() is RCU-protected but is being
+accessed directly for a NULL check. While no RCU read lock is held in this
+context, we should still use proper RCU primitives for consistency and
+correctness.
+
+Replace the direct NULL check with rcu_access_pointer(), which is the
+appropriate primitive when only checking for NULL without dereferencing
+the pointer. This function provides the necessary ordering guarantees
+without requiring RCU read-side protection.
+
+Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
+Signed-off-by: Breno Leitao <leitao@debian.org>
+Link: https://patch.msgid.link/20241118-netpoll_rcu-v1-1-a1888dcb4a02@debian.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/netpoll.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/netpoll.c b/net/core/netpoll.c
+index 9b263a5c0f36f..9a67aa989d606 100644
+--- a/net/core/netpoll.c
++++ b/net/core/netpoll.c
+@@ -615,7 +615,7 @@ int __netpoll_setup(struct netpoll *np, struct net_device *ndev)
+ goto out;
+ }
+
+- if (!ndev->npinfo) {
++ if (!rcu_access_pointer(ndev->npinfo)) {
+ npinfo = kmalloc(sizeof(*npinfo), GFP_KERNEL);
+ if (!npinfo) {
+ err = -ENOMEM;
+--
+2.43.0
+
--- /dev/null
+From 76d6559fc77936c15be44e225c1cbe4a3aad8485 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Nov 2024 08:55:26 +0000
+Subject: nvdimm: rectify the illogical code within nd_dax_probe()
+
+From: Yi Yang <yiyang13@huawei.com>
+
+[ Upstream commit b61352101470f8b68c98af674e187cfaa7c43504 ]
+
+When nd_dax is NULL, nd_pfn is consequently NULL as well. Nevertheless,
+it is inadvisable to perform pointer arithmetic or address-taking on a
+NULL pointer.
+Introduce the nd_dax_devinit() function to enhance the code's logic and
+improve its readability.
+
+Signed-off-by: Yi Yang <yiyang13@huawei.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Link: https://patch.msgid.link/20241108085526.527957-1-yiyang13@huawei.com
+Signed-off-by: Ira Weiny <ira.weiny@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvdimm/dax_devs.c | 4 ++--
+ drivers/nvdimm/nd.h | 7 +++++++
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvdimm/dax_devs.c b/drivers/nvdimm/dax_devs.c
+index 6d22b0f83b3b0..c882534dbe84c 100644
+--- a/drivers/nvdimm/dax_devs.c
++++ b/drivers/nvdimm/dax_devs.c
+@@ -113,12 +113,12 @@ int nd_dax_probe(struct device *dev, struct nd_namespace_common *ndns)
+
+ nvdimm_bus_lock(&ndns->dev);
+ nd_dax = nd_dax_alloc(nd_region);
+- nd_pfn = &nd_dax->nd_pfn;
+- dax_dev = nd_pfn_devinit(nd_pfn, ndns);
++ dax_dev = nd_dax_devinit(nd_dax, ndns);
+ nvdimm_bus_unlock(&ndns->dev);
+ if (!dax_dev)
+ return -ENOMEM;
+ pfn_sb = devm_kmalloc(dev, sizeof(*pfn_sb), GFP_KERNEL);
++ nd_pfn = &nd_dax->nd_pfn;
+ nd_pfn->pfn_sb = pfn_sb;
+ rc = nd_pfn_validate(nd_pfn, DAX_SIG);
+ dev_dbg(dev, "dax: %s\n", rc == 0 ? dev_name(dax_dev) : "<none>");
+diff --git a/drivers/nvdimm/nd.h b/drivers/nvdimm/nd.h
+index ee5c04070ef91..23d011b01fa61 100644
+--- a/drivers/nvdimm/nd.h
++++ b/drivers/nvdimm/nd.h
+@@ -326,6 +326,13 @@ struct nd_dax *to_nd_dax(struct device *dev);
+ int nd_dax_probe(struct device *dev, struct nd_namespace_common *ndns);
+ bool is_nd_dax(struct device *dev);
+ struct device *nd_dax_create(struct nd_region *nd_region);
++static inline struct device *nd_dax_devinit(struct nd_dax *nd_dax,
++ struct nd_namespace_common *ndns)
++{
++ if (!nd_dax)
++ return NULL;
++ return nd_pfn_devinit(&nd_dax->nd_pfn, ndns);
++}
+ #else
+ static inline int nd_dax_probe(struct device *dev,
+ struct nd_namespace_common *ndns)
+--
+2.43.0
+
--- /dev/null
+From fc922b6ddc117fa447c74efc72523229d4503dd2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Nov 2024 10:46:04 +0800
+Subject: PCI: Add ACS quirk for Wangxun FF5xxx NICs
+
+From: Mengyuan Lou <mengyuanlou@net-swift.com>
+
+[ Upstream commit aa46a3736afcb7b0793766d22479b8b99fc1b322 ]
+
+Wangxun FF5xxx NICs are similar to SFxxx, RP1000 and RP2000 NICs. They may
+be multi-function devices, but they do not advertise an ACS capability.
+
+But the hardware does isolate FF5xxx functions as though it had an ACS
+capability and PCI_ACS_RR and PCI_ACS_CR were set in the ACS Control
+register, i.e., all peer-to-peer traffic is directed upstream instead of
+being routed internally.
+
+Add ACS quirk for FF5xxx NICs in pci_quirk_wangxun_nic_acs() so the
+functions can be in independent IOMMU groups.
+
+Link: https://lore.kernel.org/r/E16053DB2B80E9A5+20241115024604.30493-1-mengyuanlou@net-swift.com
+Signed-off-by: Mengyuan Lou <mengyuanlou@net-swift.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/quirks.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
+index b60954b04a077..6a2d64d050c04 100644
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -4870,18 +4870,21 @@ static int pci_quirk_brcm_acs(struct pci_dev *dev, u16 acs_flags)
+ }
+
+ /*
+- * Wangxun 10G/1G NICs have no ACS capability, and on multi-function
+- * devices, peer-to-peer transactions are not be used between the functions.
+- * So add an ACS quirk for below devices to isolate functions.
++ * Wangxun 40G/25G/10G/1G NICs have no ACS capability, but on
++ * multi-function devices, the hardware isolates the functions by
++ * directing all peer-to-peer traffic upstream as though PCI_ACS_RR and
++ * PCI_ACS_CR were set.
+ * SFxxx 1G NICs(em).
+ * RP1000/RP2000 10G NICs(sp).
++ * FF5xxx 40G/25G/10G NICs(aml).
+ */
+ static int pci_quirk_wangxun_nic_acs(struct pci_dev *dev, u16 acs_flags)
+ {
+ switch (dev->device) {
+- case 0x0100 ... 0x010F:
+- case 0x1001:
+- case 0x2001:
++ case 0x0100 ... 0x010F: /* EM */
++ case 0x1001: case 0x2001: /* SP */
++ case 0x5010: case 0x5025: case 0x5040: /* AML */
++ case 0x5110: case 0x5125: case 0x5140: /* AML */
+ return pci_acs_ctrl_enabled(acs_flags,
+ PCI_ACS_SV | PCI_ACS_RR | PCI_ACS_CR | PCI_ACS_UF);
+ }
+--
+2.43.0
+
--- /dev/null
+From 13723226de246695b0b2705380adab1d7e8cc8b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2024 15:27:54 -0700
+Subject: PCI: Add 'reset_subordinate' to reset hierarchy below bridge
+
+From: Keith Busch <kbusch@kernel.org>
+
+[ Upstream commit 2fa046449a82a7d0f6d9721dd83e348816038444 ]
+
+The "bus" and "cxl_bus" reset methods reset a device by asserting Secondary
+Bus Reset on the bridge leading to the device. These only work if the
+device is the only device below the bridge.
+
+Add a sysfs 'reset_subordinate' attribute on bridges that can assert
+Secondary Bus Reset regardless of how many devices are below the bridge.
+
+This resets all the devices below a bridge in a single command, including
+the locking and config space save/restore that reset methods normally do.
+
+This may be the only way to reset devices that don't support other reset
+methods (ACPI, FLR, PM reset, etc).
+
+Link: https://lore.kernel.org/r/20241025222755.3756162-1-kbusch@meta.com
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+[bhelgaas: commit log, add capable(CAP_SYS_ADMIN) check]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Alex Williamson <alex.williamson@redhat.com>
+Reviewed-by: Amey Narkhede <ameynarkhede03@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/ABI/testing/sysfs-bus-pci | 11 +++++++++++
+ drivers/pci/pci-sysfs.c | 26 +++++++++++++++++++++++++
+ drivers/pci/pci.c | 2 +-
+ drivers/pci/pci.h | 1 +
+ 4 files changed, 39 insertions(+), 1 deletion(-)
+
+diff --git a/Documentation/ABI/testing/sysfs-bus-pci b/Documentation/ABI/testing/sysfs-bus-pci
+index 8bfee557e50ea..e84434d48dcf0 100644
+--- a/Documentation/ABI/testing/sysfs-bus-pci
++++ b/Documentation/ABI/testing/sysfs-bus-pci
+@@ -125,6 +125,17 @@ Description:
+ will be present in sysfs. Writing 1 to this file
+ will perform reset.
+
++What: /sys/bus/pci/devices/.../reset_subordinate
++Date: October 2024
++Contact: linux-pci@vger.kernel.org
++Description:
++ This is visible only for bridge devices. If you want to reset
++ all devices attached through the subordinate bus of a specific
++ bridge device, writing 1 to this will try to do it. This will
++ affect all devices attached to the system through this bridge
++ similiar to writing 1 to their individual "reset" file, so use
++ with caution.
++
+ What: /sys/bus/pci/devices/.../vpd
+ Date: February 2008
+ Contact: Ben Hutchings <bwh@kernel.org>
+diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
+index 90d5a29a6ff3d..131c6d7e86f8f 100644
+--- a/drivers/pci/pci-sysfs.c
++++ b/drivers/pci/pci-sysfs.c
+@@ -505,6 +505,31 @@ static ssize_t bus_rescan_store(struct device *dev,
+ static struct device_attribute dev_attr_bus_rescan = __ATTR(rescan, 0200, NULL,
+ bus_rescan_store);
+
++static ssize_t reset_subordinate_store(struct device *dev,
++ struct device_attribute *attr,
++ const char *buf, size_t count)
++{
++ struct pci_dev *pdev = to_pci_dev(dev);
++ struct pci_bus *bus = pdev->subordinate;
++ unsigned long val;
++
++ if (!capable(CAP_SYS_ADMIN))
++ return -EPERM;
++
++ if (kstrtoul(buf, 0, &val) < 0)
++ return -EINVAL;
++
++ if (val) {
++ int ret = __pci_reset_bus(bus);
++
++ if (ret)
++ return ret;
++ }
++
++ return count;
++}
++static DEVICE_ATTR_WO(reset_subordinate);
++
+ #if defined(CONFIG_PM) && defined(CONFIG_ACPI)
+ static ssize_t d3cold_allowed_store(struct device *dev,
+ struct device_attribute *attr,
+@@ -628,6 +653,7 @@ static struct attribute *pci_dev_attrs[] = {
+ static struct attribute *pci_bridge_attrs[] = {
+ &dev_attr_subordinate_bus_number.attr,
+ &dev_attr_secondary_bus_number.attr,
++ &dev_attr_reset_subordinate.attr,
+ NULL,
+ };
+
+diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c
+index 41050a35631fa..ad5bd17f77a3b 100644
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -5538,7 +5538,7 @@ EXPORT_SYMBOL_GPL(pci_probe_reset_bus);
+ *
+ * Same as above except return -EAGAIN if the bus cannot be locked
+ */
+-static int __pci_reset_bus(struct pci_bus *bus)
++int __pci_reset_bus(struct pci_bus *bus)
+ {
+ int rc;
+
+diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h
+index 725d2b0d45693..7a737ef76e6de 100644
+--- a/drivers/pci/pci.h
++++ b/drivers/pci/pci.h
+@@ -41,6 +41,7 @@ int pci_mmap_fits(struct pci_dev *pdev, int resno, struct vm_area_struct *vmai,
+ int pci_probe_reset_function(struct pci_dev *dev);
+ int pci_bridge_secondary_bus_reset(struct pci_dev *dev);
+ int pci_bus_error_reset(struct pci_dev *dev);
++int __pci_reset_bus(struct pci_bus *bus);
+
+ #define PCI_PM_D2_DELAY 200
+ #define PCI_PM_D3_WAIT 10
+--
+2.43.0
+
--- /dev/null
+From 2a55b249f8fc5715bee51a374026fb88e9967612 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Oct 2024 02:19:43 +0100
+Subject: pinctrl: qcom-pmic-gpio: add support for PM8937
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Barnabás Czémán <barnabas.czeman@mainlining.org>
+
+[ Upstream commit 89265a58ff24e3885c2c9ca722bc3aaa47018be9 ]
+
+PM8937 has 8 GPIO-s with holes on GPIO3, GPIO4 and GPIO6.
+
+Signed-off-by: Barnabás Czémán <barnabas.czeman@mainlining.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/20241031-msm8917-v2-2-8a075faa89b1@mainlining.org
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pinctrl/qcom/pinctrl-spmi-gpio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c b/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c
+index 3769ad08eadfe..ea244b00d5bed 100644
+--- a/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c
++++ b/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c
+@@ -1106,6 +1106,8 @@ static int pmic_gpio_remove(struct platform_device *pdev)
+ static const struct of_device_id pmic_gpio_of_match[] = {
+ { .compatible = "qcom,pm8005-gpio", .data = (void *) 4 },
+ { .compatible = "qcom,pm8916-gpio", .data = (void *) 4 },
++ /* pm8937 has 8 GPIOs with holes on 3, 4 and 6 */
++ { .compatible = "qcom,pm8937-gpio", .data = (void *) 8 },
+ { .compatible = "qcom,pm8941-gpio", .data = (void *) 36 },
+ { .compatible = "qcom,pm8994-gpio", .data = (void *) 22 },
+ { .compatible = "qcom,pmi8994-gpio", .data = (void *) 10 },
+--
+2.43.0
+
--- /dev/null
+From 1d4d5e401f13c9f73f475240853efa5ece41e66e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Nov 2024 13:57:10 +1100
+Subject: powerpc/prom_init: Fixup missing powermac #size-cells
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+[ Upstream commit cf89c9434af122f28a3552e6f9cc5158c33ce50a ]
+
+On some powermacs `escc` nodes are missing `#size-cells` properties,
+which is deprecated and now triggers a warning at boot since commit
+045b14ca5c36 ("of: WARN on deprecated #address-cells/#size-cells
+handling").
+
+For example:
+
+ Missing '#size-cells' in /pci@f2000000/mac-io@c/escc@13000
+ WARNING: CPU: 0 PID: 0 at drivers/of/base.c:133 of_bus_n_size_cells+0x98/0x108
+ Hardware name: PowerMac3,1 7400 0xc0209 PowerMac
+ ...
+ Call Trace:
+ of_bus_n_size_cells+0x98/0x108 (unreliable)
+ of_bus_default_count_cells+0x40/0x60
+ __of_get_address+0xc8/0x21c
+ __of_address_to_resource+0x5c/0x228
+ pmz_init_port+0x5c/0x2ec
+ pmz_probe.isra.0+0x144/0x1e4
+ pmz_console_init+0x10/0x48
+ console_init+0xcc/0x138
+ start_kernel+0x5c4/0x694
+
+As powermacs boot via prom_init it's possible to add the missing
+properties to the device tree during boot, avoiding the warning. Note
+that `escc-legacy` nodes are also missing `#size-cells` properties, but
+they are skipped by the macio driver, so leave them alone.
+
+Depends-on: 045b14ca5c36 ("of: WARN on deprecated #address-cells/#size-cells handling")
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Reviewed-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/20241126025710.591683-1-mpe@ellerman.id.au
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/prom_init.c | 29 +++++++++++++++++++++++++++--
+ 1 file changed, 27 insertions(+), 2 deletions(-)
+
+diff --git a/arch/powerpc/kernel/prom_init.c b/arch/powerpc/kernel/prom_init.c
+index 7f4e2c031a9ab..b7ef63614417d 100644
+--- a/arch/powerpc/kernel/prom_init.c
++++ b/arch/powerpc/kernel/prom_init.c
+@@ -2856,7 +2856,7 @@ static void __init fixup_device_tree_chrp(void)
+ #endif
+
+ #if defined(CONFIG_PPC64) && defined(CONFIG_PPC_PMAC)
+-static void __init fixup_device_tree_pmac(void)
++static void __init fixup_device_tree_pmac64(void)
+ {
+ phandle u3, i2c, mpic;
+ u32 u3_rev;
+@@ -2896,7 +2896,31 @@ static void __init fixup_device_tree_pmac(void)
+ &parent, sizeof(parent));
+ }
+ #else
+-#define fixup_device_tree_pmac()
++#define fixup_device_tree_pmac64()
++#endif
++
++#ifdef CONFIG_PPC_PMAC
++static void __init fixup_device_tree_pmac(void)
++{
++ __be32 val = 1;
++ char type[8];
++ phandle node;
++
++ // Some pmacs are missing #size-cells on escc nodes
++ for (node = 0; prom_next_node(&node); ) {
++ type[0] = '\0';
++ prom_getprop(node, "device_type", type, sizeof(type));
++ if (prom_strcmp(type, "escc"))
++ continue;
++
++ if (prom_getproplen(node, "#size-cells") != PROM_ERROR)
++ continue;
++
++ prom_setprop(node, NULL, "#size-cells", &val, sizeof(val));
++ }
++}
++#else
++static inline void fixup_device_tree_pmac(void) { }
+ #endif
+
+ #ifdef CONFIG_PPC_EFIKA
+@@ -3121,6 +3145,7 @@ static void __init fixup_device_tree(void)
+ fixup_device_tree_maple_memory_controller();
+ fixup_device_tree_chrp();
+ fixup_device_tree_pmac();
++ fixup_device_tree_pmac64();
+ fixup_device_tree_efika();
+ fixup_device_tree_pasemi();
+ }
+--
+2.43.0
+
--- /dev/null
+From b9d4ccd8f32d9eac701de6a15647df68016fe269 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 14 Nov 2024 18:19:46 +0300
+Subject: rocker: fix link status detection in rocker_carrier_init()
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit e64285ff41bb7a934bd815bd38f31119be62ac37 ]
+
+Since '1 << rocker_port->pport' may be undefined for port >= 32,
+cast the left operand to 'unsigned long long' like it's done in
+'rocker_port_set_enable()' above. Compile tested only.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Link: https://patch.msgid.link/20241114151946.519047-1-dmantipov@yandex.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/rocker/rocker_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/rocker/rocker_main.c b/drivers/net/ethernet/rocker/rocker_main.c
+index 5abb3f9684ffd..6bee5055559fe 100644
+--- a/drivers/net/ethernet/rocker/rocker_main.c
++++ b/drivers/net/ethernet/rocker/rocker_main.c
+@@ -2542,7 +2542,7 @@ static void rocker_carrier_init(const struct rocker_port *rocker_port)
+ u64 link_status = rocker_read64(rocker, PORT_PHYS_LINK_STATUS);
+ bool link_up;
+
+- link_up = link_status & (1 << rocker_port->pport);
++ link_up = link_status & (1ULL << rocker_port->pport);
+ if (link_up)
+ netif_carrier_on(rocker_port->dev);
+ else
+--
+2.43.0
+
--- /dev/null
+From 8e5f935eace4771dcc1e65ddeb476db3825ce966 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Oct 2024 12:27:53 +0200
+Subject: s390/cpum_sf: Handle CPU hotplug remove during sampling
+
+From: Thomas Richter <tmricht@linux.ibm.com>
+
+[ Upstream commit a0bd7dacbd51c632b8e2c0500b479af564afadf3 ]
+
+CPU hotplug remove handling triggers the following function
+call sequence:
+
+ CPUHP_AP_PERF_S390_SF_ONLINE --> s390_pmu_sf_offline_cpu()
+ ...
+ CPUHP_AP_PERF_ONLINE --> perf_event_exit_cpu()
+
+The s390 CPUMF sampling CPU hotplug handler invokes:
+
+ s390_pmu_sf_offline_cpu()
+ +--> cpusf_pmu_setup()
+ +--> setup_pmc_cpu()
+ +--> deallocate_buffers()
+
+This function de-allocates all sampling data buffers (SDBs) allocated
+for that CPU at event initialization. It also clears the
+PMU_F_RESERVED bit. The CPU is gone and can not be sampled.
+
+With the event still being active on the removed CPU, the CPU event
+hotplug support in kernel performance subsystem triggers the
+following function calls on the removed CPU:
+
+ perf_event_exit_cpu()
+ +--> perf_event_exit_cpu_context()
+ +--> __perf_event_exit_context()
+ +--> __perf_remove_from_context()
+ +--> event_sched_out()
+ +--> cpumsf_pmu_del()
+ +--> cpumsf_pmu_stop()
+ +--> hw_perf_event_update()
+
+to stop and remove the event. During removal of the event, the
+sampling device driver tries to read out the remaining samples from
+the sample data buffers (SDBs). But they have already been freed
+(and may have been re-assigned). This may lead to a use after free
+situation in which case the samples are most likely invalid. In the
+best case the memory has not been reassigned and still contains
+valid data.
+
+Remedy this situation and check if the CPU is still in reserved
+state (bit PMU_F_RESERVED set). In this case the SDBs have not been
+released an contain valid data. This is always the case when
+the event is removed (and no CPU hotplug off occured).
+If the PMU_F_RESERVED bit is not set, the SDB buffers are gone.
+
+Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
+Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/perf_cpum_sf.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c
+index 4f251cd624d7e..6047ccb6f8e26 100644
+--- a/arch/s390/kernel/perf_cpum_sf.c
++++ b/arch/s390/kernel/perf_cpum_sf.c
+@@ -1862,7 +1862,9 @@ static void cpumsf_pmu_stop(struct perf_event *event, int flags)
+ event->hw.state |= PERF_HES_STOPPED;
+
+ if ((flags & PERF_EF_UPDATE) && !(event->hw.state & PERF_HES_UPTODATE)) {
+- hw_perf_event_update(event, 1);
++ /* CPU hotplug off removes SDBs. No samples to extract. */
++ if (cpuhw->flags & PMU_F_RESERVED)
++ hw_perf_event_update(event, 1);
+ event->hw.state |= PERF_HES_UPTODATE;
+ }
+ perf_pmu_enable(event->pmu);
+--
+2.43.0
+
--- /dev/null
+From cbd13dbecfcfe740535d1a7cb933a6004c54a28b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 9 Oct 2024 18:41:26 -0700
+Subject: samples/bpf: Fix a resource leak
+
+From: Zhu Jun <zhujun2@cmss.chinamobile.com>
+
+[ Upstream commit f3ef53174b23246fe9bc2bbc2542f3a3856fa1e2 ]
+
+The opened file should be closed in show_sockopts(), otherwise resource
+leak will occur that this problem was discovered by reading code
+
+Signed-off-by: Zhu Jun <zhujun2@cmss.chinamobile.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20241010014126.2573-1-zhujun2@cmss.chinamobile.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ samples/bpf/test_cgrp2_sock.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/samples/bpf/test_cgrp2_sock.c b/samples/bpf/test_cgrp2_sock.c
+index b0811da5a00f3..3f56519a1ccd7 100644
+--- a/samples/bpf/test_cgrp2_sock.c
++++ b/samples/bpf/test_cgrp2_sock.c
+@@ -174,8 +174,10 @@ static int show_sockopts(int family)
+ return 1;
+ }
+
+- if (get_bind_to_device(sd, name, sizeof(name)) < 0)
++ if (get_bind_to_device(sd, name, sizeof(name)) < 0) {
++ close(sd);
+ return 1;
++ }
+
+ mark = get_somark(sd);
+ prio = get_priority(sd);
+--
+2.43.0
+
--- /dev/null
+From 0213043c1cc068a4e783cfae952d1842c5f2430c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Nov 2024 11:57:22 +0200
+Subject: scsi: st: Add MTIOCGET and MTLOAD to ioctls allowed after device
+ reset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kai Mäkisara <Kai.Makisara@kolumbus.fi>
+
+[ Upstream commit 0b120edb37dc9dd8ca82893d386922eb6b16f860 ]
+
+Most drives rewind the tape when the device is reset. Reading and writing
+are not allowed until something is done to make the tape position match the
+user's expectation (e.g., rewind the tape). Add MTIOCGET and MTLOAD to
+operations allowed after reset. MTIOCGET is modified to not touch the tape
+if pos_unknown is non-zero. The tape location is known after MTLOAD.
+
+Signed-off-by: Kai Mäkisara <Kai.Makisara@kolumbus.fi>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=219419#c14
+Link: https://lore.kernel.org/r/20241106095723.63254-3-Kai.Makisara@kolumbus.fi
+Reviewed-by: John Meneghini <jmeneghi@redhat.com>
+Tested-by: John Meneghini <jmeneghi@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/st.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c
+index 4e0737c25fbdf..49e149d28954a 100644
+--- a/drivers/scsi/st.c
++++ b/drivers/scsi/st.c
+@@ -3505,6 +3505,7 @@ static long st_ioctl(struct file *file, unsigned int cmd_in, unsigned long arg)
+ int i, cmd_nr, cmd_type, bt;
+ int retval = 0;
+ unsigned int blk;
++ bool cmd_mtiocget;
+ struct scsi_tape *STp = file->private_data;
+ struct st_modedef *STm;
+ struct st_partstat *STps;
+@@ -3619,6 +3620,7 @@ static long st_ioctl(struct file *file, unsigned int cmd_in, unsigned long arg)
+ */
+ if (mtc.mt_op != MTREW &&
+ mtc.mt_op != MTOFFL &&
++ mtc.mt_op != MTLOAD &&
+ mtc.mt_op != MTRETEN &&
+ mtc.mt_op != MTERASE &&
+ mtc.mt_op != MTSEEK &&
+@@ -3732,17 +3734,28 @@ static long st_ioctl(struct file *file, unsigned int cmd_in, unsigned long arg)
+ goto out;
+ }
+
++ cmd_mtiocget = cmd_type == _IOC_TYPE(MTIOCGET) && cmd_nr == _IOC_NR(MTIOCGET);
++
+ if ((i = flush_buffer(STp, 0)) < 0) {
+- retval = i;
+- goto out;
+- }
+- if (STp->can_partitions &&
+- (i = switch_partition(STp)) < 0) {
+- retval = i;
+- goto out;
++ if (cmd_mtiocget && STp->pos_unknown) {
++ /* flush fails -> modify status accordingly */
++ reset_state(STp);
++ STp->pos_unknown = 1;
++ } else { /* return error */
++ retval = i;
++ goto out;
++ }
++ } else { /* flush_buffer succeeds */
++ if (STp->can_partitions) {
++ i = switch_partition(STp);
++ if (i < 0) {
++ retval = i;
++ goto out;
++ }
++ }
+ }
+
+- if (cmd_type == _IOC_TYPE(MTIOCGET) && cmd_nr == _IOC_NR(MTIOCGET)) {
++ if (cmd_mtiocget) {
+ struct mtget mt_status;
+
+ if (_IOC_SIZE(cmd_in) != sizeof(struct mtget)) {
+--
+2.43.0
+
--- /dev/null
+From b13adb298d532f8199e6a3a8408f99e233e41bb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Nov 2024 11:57:21 +0200
+Subject: scsi: st: Don't modify unknown block number in MTIOCGET
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kai Mäkisara <Kai.Makisara@kolumbus.fi>
+
+[ Upstream commit 5bb2d6179d1a8039236237e1e94cfbda3be1ed9e ]
+
+Struct mtget field mt_blkno -1 means it is unknown. Don't add anything to
+it.
+
+Signed-off-by: Kai Mäkisara <Kai.Makisara@kolumbus.fi>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=219419#c14
+Link: https://lore.kernel.org/r/20241106095723.63254-2-Kai.Makisara@kolumbus.fi
+Reviewed-by: John Meneghini <jmeneghi@redhat.com>
+Tested-by: John Meneghini <jmeneghi@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/st.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c
+index 2121e44c342f8..4e0737c25fbdf 100644
+--- a/drivers/scsi/st.c
++++ b/drivers/scsi/st.c
+@@ -3756,7 +3756,7 @@ static long st_ioctl(struct file *file, unsigned int cmd_in, unsigned long arg)
+ ((STp->density << MT_ST_DENSITY_SHIFT) & MT_ST_DENSITY_MASK);
+ mt_status.mt_blkno = STps->drv_block;
+ mt_status.mt_fileno = STps->drv_file;
+- if (STp->block_size != 0) {
++ if (STp->block_size != 0 && mt_status.mt_blkno >= 0) {
+ if (STps->rw == ST_WRITING)
+ mt_status.mt_blkno +=
+ (STp->buffer)->buffer_bytes / STp->block_size;
+--
+2.43.0
+
dma-buf-fix-dma_fence_array_signaled-v4.patch
regmap-detach-regmap-from-dev-on-regmap_exit.patch
mmc-core-further-prevent-card-detect-during-shutdown.patch
+s390-cpum_sf-handle-cpu-hotplug-remove-during-sampli.patch
+timekeeping-always-check-for-negative-motion.patch
+media-uvcvideo-add-a-quirk-for-the-kaiweets-kti-w02-.patch
+media-cx231xx-add-support-for-dexatek-usb-video-grab.patch
+hid-bpf-fix-nkro-on-mistel-md770.patch
+drm-panel-orientation-quirks-add-quirk-for-aya-neo-2.patch
+drm-mcde-enable-module-autoloading.patch
+drm-radeon-r600_cs-fix-possible-int-overflow-in-r600.patch
+samples-bpf-fix-a-resource-leak.patch
+net-fec_mpc52xx_phy-use-pa-to-format-resource_size_t.patch
+net-ethernet-fs_enet-use-pa-to-format-resource_size_.patch
+net-sched-cbs-fix-integer-overflow-in-cbs_set_port_r.patch
+af_packet-avoid-erroring-out-after-sock_init_data-in.patch
+bluetooth-l2cap-do-not-leave-dangling-sk-pointer-on-.patch
+net-af_can-do-not-leave-a-dangling-sk-pointer-in-can.patch
+net-ieee802154-do-not-leave-a-dangling-sk-pointer-in.patch
+net-inet-do-not-leave-a-dangling-sk-pointer-in-inet_.patch
+net-inet6-do-not-leave-a-dangling-sk-pointer-in-inet.patch
+wifi-ath5k-add-pci-id-for-sx76x.patch
+wifi-ath5k-add-pci-id-for-arcadyan-devices.patch
+jfs-array-index-out-of-bounds-fix-in-dtreadfirst.patch
+jfs-fix-shift-out-of-bounds-in-dbsplit.patch
+jfs-fix-array-index-out-of-bounds-in-jfs_readdir.patch
+jfs-add-a-check-to-prevent-array-index-out-of-bounds.patch
+drm-amdgpu-set-the-right-amdgpu-sg-segment-limitatio.patch
+wifi-ipw2x00-libipw_rx_any-fix-bad-alignment.patch
+wifi-brcmfmac-fix-oops-due-to-null-pointer-dereferen.patch
+bluetooth-btusb-add-rtl8852be-device-0489-e123-to-de.patch
+asoc-hdmi-codec-reorder-channel-allocation-list.patch
+rocker-fix-link-status-detection-in-rocker_carrier_i.patch
+net-neighbor-clear-error-in-case-strict-check-is-not.patch
+netpoll-use-rcu_access_pointer-in-__netpoll_setup.patch
+tracing-use-atomic64_inc_return-in-trace_clock_count.patch
+leds-class-protect-brightness_show-with-led_cdev-led.patch
+scsi-st-don-t-modify-unknown-block-number-in-mtiocge.patch
+scsi-st-add-mtiocget-and-mtload-to-ioctls-allowed-af.patch
+pinctrl-qcom-pmic-gpio-add-support-for-pm8937.patch
+nvdimm-rectify-the-illogical-code-within-nd_dax_prob.patch
+f2fs-fix-f2fs_bug_on-when-uninstalling-filesystem-ca.patch
+pci-add-reset_subordinate-to-reset-hierarchy-below-b.patch
+pci-add-acs-quirk-for-wangxun-ff5xxx-nics.patch
+i3c-use-i3cdev-desc-info-instead-of-calling-i3c_devi.patch
+usb-chipidea-udc-handle-usb-error-interrupt-if-ioc-n.patch
+powerpc-prom_init-fixup-missing-powermac-size-cells.patch
+misc-eeprom-eeprom_93cx6-add-quirk-for-extra-read-cl.patch
--- /dev/null
+From a6188d33b7a5ea1f492ad8a52645e5698698ba38 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Oct 2024 13:04:08 +0100
+Subject: timekeeping: Always check for negative motion
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+[ Upstream commit c163e40af9b2331b2c629fd4ec8b703ed4d4ae39 ]
+
+clocksource_delta() has two variants. One with a check for negative motion,
+which is only selected by x86. This is a historic leftover as this function
+was previously used in the time getter hot paths.
+
+Since 135225a363ae timekeeping_cycles_to_ns() has unconditional protection
+against this as a by-product of the protection against 64bit math overflow.
+
+clocksource_delta() is only used in the clocksource watchdog and in
+timekeeping_advance(). The extra conditional there is not hurting anyone.
+
+Remove the config option and unconditionally prevent negative motion of the
+readout.
+
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: John Stultz <jstultz@google.com>
+Link: https://lore.kernel.org/all/20241031120328.599430157@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/Kconfig | 1 -
+ kernel/time/Kconfig | 5 -----
+ kernel/time/timekeeping_internal.h | 7 -------
+ 3 files changed, 13 deletions(-)
+
+diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
+index df0a3a1b08ae0..a3e7f75a8cfa8 100644
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -99,7 +99,6 @@ config X86
+ select ARCH_WANTS_THP_SWAP if X86_64
+ select BUILDTIME_EXTABLE_SORT
+ select CLKEVT_I8253
+- select CLOCKSOURCE_VALIDATE_LAST_CYCLE
+ select CLOCKSOURCE_WATCHDOG
+ select DCACHE_WORD_ACCESS
+ select EDAC_ATOMIC_SCRUB
+diff --git a/kernel/time/Kconfig b/kernel/time/Kconfig
+index fcc42353f1253..4b9a8653a6327 100644
+--- a/kernel/time/Kconfig
++++ b/kernel/time/Kconfig
+@@ -17,11 +17,6 @@ config ARCH_CLOCKSOURCE_DATA
+ config ARCH_CLOCKSOURCE_INIT
+ bool
+
+-# Clocksources require validation of the clocksource against the last
+-# cycle update - x86/TSC misfeature
+-config CLOCKSOURCE_VALIDATE_LAST_CYCLE
+- bool
+-
+ # Timekeeping vsyscall support
+ config GENERIC_TIME_VSYSCALL
+ bool
+diff --git a/kernel/time/timekeeping_internal.h b/kernel/time/timekeeping_internal.h
+index bcbb52db22565..d7f99e69bce4b 100644
+--- a/kernel/time/timekeeping_internal.h
++++ b/kernel/time/timekeeping_internal.h
+@@ -13,7 +13,6 @@ extern void tk_debug_account_sleep_time(const struct timespec64 *t);
+ #define tk_debug_account_sleep_time(x)
+ #endif
+
+-#ifdef CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE
+ static inline u64 clocksource_delta(u64 now, u64 last, u64 mask)
+ {
+ u64 ret = (now - last) & mask;
+@@ -24,11 +23,5 @@ static inline u64 clocksource_delta(u64 now, u64 last, u64 mask)
+ */
+ return ret & ~(mask >> 1) ? 0 : ret;
+ }
+-#else
+-static inline u64 clocksource_delta(u64 now, u64 last, u64 mask)
+-{
+- return (now - last) & mask;
+-}
+-#endif
+
+ #endif /* _TIMEKEEPING_INTERNAL_H */
+--
+2.43.0
+
--- /dev/null
+From 73319ed6fbc1a28790d34ac3dae0a8d044d1e391 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Oct 2024 10:56:28 +0200
+Subject: tracing: Use atomic64_inc_return() in trace_clock_counter()
+
+From: Uros Bizjak <ubizjak@gmail.com>
+
+[ Upstream commit eb887c4567d1b0e7684c026fe7df44afa96589e6 ]
+
+Use atomic64_inc_return(&ref) instead of atomic64_add_return(1, &ref)
+to use optimized implementation and ease register pressure around
+the primitive for targets that implement optimized variant.
+
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Link: https://lore.kernel.org/20241007085651.48544-1-ubizjak@gmail.com
+Signed-off-by: Uros Bizjak <ubizjak@gmail.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_clock.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/trace/trace_clock.c b/kernel/trace/trace_clock.c
+index 4702efb00ff21..4cb2ebc439be6 100644
+--- a/kernel/trace/trace_clock.c
++++ b/kernel/trace/trace_clock.c
+@@ -154,5 +154,5 @@ static atomic64_t trace_counter;
+ */
+ u64 notrace trace_clock_counter(void)
+ {
+- return atomic64_add_return(1, &trace_counter);
++ return atomic64_inc_return(&trace_counter);
+ }
+--
+2.43.0
+
--- /dev/null
+From 65d9618f78df3a7afdad20984e9ca4afbc1d69a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Sep 2024 10:29:04 +0800
+Subject: usb: chipidea: udc: handle USB Error Interrupt if IOC not set
+
+From: Xu Yang <xu.yang_2@nxp.com>
+
+[ Upstream commit 548f48b66c0c5d4b9795a55f304b7298cde2a025 ]
+
+As per USBSTS register description about UEI:
+
+ When completion of a USB transaction results in an error condition, this
+ bit is set by the Host/Device Controller. This bit is set along with the
+ USBINT bit, if the TD on which the error interrupt occurred also had its
+ interrupt on complete (IOC) bit set.
+
+UI is set only when IOC set. Add checking UEI to fix miss call
+isr_tr_complete_handler() when IOC have not set and transfer error happen.
+
+Acked-by: Peter Chen <peter.chen@kernel.com>
+Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
+Link: https://lore.kernel.org/r/20240926022906.473319-1-xu.yang_2@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/chipidea/udc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/chipidea/udc.c b/drivers/usb/chipidea/udc.c
+index 72d62abb6f285..a6ce6b89b271a 100644
+--- a/drivers/usb/chipidea/udc.c
++++ b/drivers/usb/chipidea/udc.c
+@@ -1902,7 +1902,7 @@ static irqreturn_t udc_irq(struct ci_hdrc *ci)
+ }
+ }
+
+- if (USBi_UI & intr)
++ if ((USBi_UI | USBi_UEI) & intr)
+ isr_tr_complete_handler(ci);
+
+ if ((USBi_SLI & intr) && !(ci->suspended)) {
+--
+2.43.0
+
--- /dev/null
+From d3aee4a0f2e68cb4d5e4925bb2fc340c2a67f273 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2024 11:07:16 -0700
+Subject: wifi: ath5k: add PCI ID for Arcadyan devices
+
+From: Rosen Penev <rosenp@gmail.com>
+
+[ Upstream commit f3ced9bb90b0a287a1fa6184d16b0f104a78fa90 ]
+
+Arcadyan made routers with this PCI ID containing an AR2417.
+
+Signed-off-by: Rosen Penev <rosenp@gmail.com>
+Link: https://patch.msgid.link/20240930180716.139894-3-rosenp@gmail.com
+Signed-off-by: Jeff Johnson <quic_jjohnson@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath5k/pci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/ath5k/pci.c b/drivers/net/wireless/ath/ath5k/pci.c
+index b7f62c472b879..e58da21b28ef5 100644
+--- a/drivers/net/wireless/ath/ath5k/pci.c
++++ b/drivers/net/wireless/ath/ath5k/pci.c
+@@ -47,6 +47,7 @@ static const struct pci_device_id ath5k_pci_id_table[] = {
+ { PCI_VDEVICE(ATHEROS, 0x001c) }, /* PCI-E cards */
+ { PCI_VDEVICE(ATHEROS, 0x001d) }, /* 2417 Nala */
+ { PCI_VDEVICE(ATHEROS, 0xff16) }, /* Gigaset SX76[23] AR241[34]A */
++ { PCI_VDEVICE(ATHEROS, 0xff1a) }, /* Arcadyan ARV45XX AR2417 */
+ { PCI_VDEVICE(ATHEROS, 0xff1b) }, /* AR5BXB63 */
+ { 0 }
+ };
+--
+2.43.0
+
--- /dev/null
+From 9da96bf1edf5cd9c9c812854ade4344e7c062ad6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Sep 2024 11:07:15 -0700
+Subject: wifi: ath5k: add PCI ID for SX76X
+
+From: Rosen Penev <rosenp@gmail.com>
+
+[ Upstream commit da0474012402d4729b98799d71a54c35dc5c5de3 ]
+
+This is in two devices made by Gigaset, SX762 and SX763.
+
+Signed-off-by: Rosen Penev <rosenp@gmail.com>
+Link: https://patch.msgid.link/20240930180716.139894-2-rosenp@gmail.com
+Signed-off-by: Jeff Johnson <quic_jjohnson@quicinc.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath5k/pci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/ath5k/pci.c b/drivers/net/wireless/ath/ath5k/pci.c
+index d5ee32ce9eb3d..b7f62c472b879 100644
+--- a/drivers/net/wireless/ath/ath5k/pci.c
++++ b/drivers/net/wireless/ath/ath5k/pci.c
+@@ -46,6 +46,7 @@ static const struct pci_device_id ath5k_pci_id_table[] = {
+ { PCI_VDEVICE(ATHEROS, 0x001b) }, /* 5413 Eagle */
+ { PCI_VDEVICE(ATHEROS, 0x001c) }, /* PCI-E cards */
+ { PCI_VDEVICE(ATHEROS, 0x001d) }, /* 2417 Nala */
++ { PCI_VDEVICE(ATHEROS, 0xff16) }, /* Gigaset SX76[23] AR241[34]A */
+ { PCI_VDEVICE(ATHEROS, 0xff1b) }, /* AR5BXB63 */
+ { 0 }
+ };
+--
+2.43.0
+
--- /dev/null
+From 01dc2f995a43c2083679d57fb7f4ea15fe6c23c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Nov 2024 14:28:13 +0100
+Subject: wifi: brcmfmac: Fix oops due to NULL pointer dereference in
+ brcmf_sdiod_sglist_rw()
+
+From: Norbert van Bolhuis <nvbolhuis@gmail.com>
+
+[ Upstream commit 857282b819cbaa0675aaab1e7542e2c0579f52d7 ]
+
+This patch fixes a NULL pointer dereference bug in brcmfmac that occurs
+when a high 'sd_sgentry_align' value applies (e.g. 512) and a lot of queued SKBs
+are sent from the pkt queue.
+
+The problem is the number of entries in the pre-allocated sgtable, it is
+nents = max(rxglom_size, txglom_size) + max(rxglom_size, txglom_size) >> 4 + 1.
+Given the default [rt]xglom_size=32 it's actually 35 which is too small.
+Worst case, the pkt queue can end up with 64 SKBs. This occurs when a new SKB
+is added for each original SKB if tailroom isn't enough to hold tail_pad.
+At least one sg entry is needed for each SKB. So, eventually the "skb_queue_walk loop"
+in brcmf_sdiod_sglist_rw may run out of sg entries. This makes sg_next return
+NULL and this causes the oops.
+
+The patch sets nents to max(rxglom_size, txglom_size) * 2 to be able handle
+the worst-case.
+Btw. this requires only 64-35=29 * 16 (or 20 if CONFIG_NEED_SG_DMA_LENGTH) = 464
+additional bytes of memory.
+
+Signed-off-by: Norbert van Bolhuis <nvbolhuis@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://patch.msgid.link/20241107132903.13513-1-nvbolhuis@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
+index c492d2d2db1df..32ac1fa5bdecf 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
+@@ -770,7 +770,7 @@ void brcmf_sdiod_sgtable_alloc(struct brcmf_sdio_dev *sdiodev)
+
+ nents = max_t(uint, BRCMF_DEFAULT_RXGLOM_SIZE,
+ sdiodev->settings->bus.sdio.txglomsz);
+- nents += (nents >> 4) + 1;
++ nents *= 2;
+
+ WARN_ON(nents > sdiodev->max_segment_count);
+
+--
+2.43.0
+
--- /dev/null
+From e7c5794ac3639bed0c004c3265ea1e4e8bfb197e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Nov 2024 14:07:25 +0800
+Subject: wifi: ipw2x00: libipw_rx_any(): fix bad alignment
+
+From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+
+[ Upstream commit 4fa4f049dc0d9741b16c96bcbf0108c85368a2b9 ]
+
+This patch fixes incorrect code alignment.
+
+./drivers/net/wireless/intel/ipw2x00/libipw_rx.c:871:2-3: code aligned with following code on line 882.
+./drivers/net/wireless/intel/ipw2x00/libipw_rx.c:886:2-3: code aligned with following code on line 900.
+
+Reported-by: Abaci Robot <abaci@linux.alibaba.com>
+Closes: https://bugzilla.openanolis.cn/show_bug.cgi?id=11381
+Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://patch.msgid.link/20241101060725.54640-1-jiapeng.chong@linux.alibaba.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/intel/ipw2x00/libipw_rx.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/ipw2x00/libipw_rx.c b/drivers/net/wireless/intel/ipw2x00/libipw_rx.c
+index 34cfd81628559..36831f4a2ea5e 100644
+--- a/drivers/net/wireless/intel/ipw2x00/libipw_rx.c
++++ b/drivers/net/wireless/intel/ipw2x00/libipw_rx.c
+@@ -870,8 +870,8 @@ void libipw_rx_any(struct libipw_device *ieee,
+ switch (ieee->iw_mode) {
+ case IW_MODE_ADHOC:
+ /* our BSS and not from/to DS */
+- if (ether_addr_equal(hdr->addr3, ieee->bssid))
+- if ((fc & (IEEE80211_FCTL_TODS+IEEE80211_FCTL_FROMDS)) == 0) {
++ if (ether_addr_equal(hdr->addr3, ieee->bssid) &&
++ ((fc & (IEEE80211_FCTL_TODS + IEEE80211_FCTL_FROMDS)) == 0)) {
+ /* promisc: get all */
+ if (ieee->dev->flags & IFF_PROMISC)
+ is_packet_for_us = 1;
+@@ -885,8 +885,8 @@ void libipw_rx_any(struct libipw_device *ieee,
+ break;
+ case IW_MODE_INFRA:
+ /* our BSS (== from our AP) and from DS */
+- if (ether_addr_equal(hdr->addr2, ieee->bssid))
+- if ((fc & (IEEE80211_FCTL_TODS+IEEE80211_FCTL_FROMDS)) == IEEE80211_FCTL_FROMDS) {
++ if (ether_addr_equal(hdr->addr2, ieee->bssid) &&
++ ((fc & (IEEE80211_FCTL_TODS + IEEE80211_FCTL_FROMDS)) == IEEE80211_FCTL_FROMDS)) {
+ /* promisc: get all */
+ if (ieee->dev->flags & IFF_PROMISC)
+ is_packet_for_us = 1;
+--
+2.43.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
