--- /dev/null
+From 4df153652cc46545722879415937582028c18af5 Mon Sep 17 00:00:00 2001
+From: Carlos Llamas <cmllamas@google.com>
+Date: Thu, 22 Aug 2024 18:23:52 +0000
+Subject: binder: fix UAF caused by offsets overwrite
+
+From: Carlos Llamas <cmllamas@google.com>
+
+commit 4df153652cc46545722879415937582028c18af5 upstream.
+
+Binder objects are processed and copied individually into the target
+buffer during transactions. Any raw data in-between these objects is
+copied as well. However, this raw data copy lacks an out-of-bounds
+check. If the raw data exceeds the data section size then the copy
+overwrites the offsets section. This eventually triggers an error that
+attempts to unwind the processed objects. However, at this point the
+offsets used to index these objects are now corrupted.
+
+Unwinding with corrupted offsets can result in decrements of arbitrary
+nodes and lead to their premature release. Other users of such nodes are
+left with a dangling pointer triggering a use-after-free. This issue is
+made evident by the following KASAN report (trimmed):
+
+ ==================================================================
+ BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c
+ Write of size 4 at addr ffff47fc91598f04 by task binder-util/743
+
+ CPU: 9 UID: 0 PID: 743 Comm: binder-util Not tainted 6.11.0-rc4 #1
+ Hardware name: linux,dummy-virt (DT)
+ Call trace:
+ _raw_spin_lock+0xe4/0x19c
+ binder_free_buf+0x128/0x434
+ binder_thread_write+0x8a4/0x3260
+ binder_ioctl+0x18f0/0x258c
+ [...]
+
+ Allocated by task 743:
+ __kmalloc_cache_noprof+0x110/0x270
+ binder_new_node+0x50/0x700
+ binder_transaction+0x413c/0x6da8
+ binder_thread_write+0x978/0x3260
+ binder_ioctl+0x18f0/0x258c
+ [...]
+
+ Freed by task 745:
+ kfree+0xbc/0x208
+ binder_thread_read+0x1c5c/0x37d4
+ binder_ioctl+0x16d8/0x258c
+ [...]
+ ==================================================================
+
+To avoid this issue, let's check that the raw data copy is within the
+boundaries of the data section.
+
+Fixes: 6d98eb95b450 ("binder: avoid potential data leakage when copying txn")
+Cc: Todd Kjos <tkjos@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Carlos Llamas <cmllamas@google.com>
+Link: https://lore.kernel.org/r/20240822182353.2129600-1-cmllamas@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/android/binder.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -3173,6 +3173,7 @@ static void binder_transaction(struct bi
+ */
+ copy_size = object_offset - user_offset;
+ if (copy_size && (user_offset > object_offset ||
++ object_offset > tr->data_size ||
+ binder_alloc_copy_user_to_buffer(
+ &target_proc->alloc,
+ t->buffer, user_offset,
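Review bot: the added `object_offset > tr->data_size` test sits inside `copy_size && (...)`, so it only runs when there is raw data to copy and is not a general validation of `object_offset`. That is sufficient for the overwrite described in the commit message, but the condition is now dense enough that a one-line comment above it, saying the bound keeps the raw copy inside the data section so it cannot reach the offsets section, would stop a later reader from treating it as object validation or dropping it as redundant.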
--- /dev/null
+From 3d5c2f8e75a55cfb11a85086c71996af0354a1fb Mon Sep 17 00:00:00 2001
+From: Jacky Bai <ping.bai@nxp.com>
+Date: Thu, 25 Jul 2024 15:33:55 -0400
+Subject: clocksource/drivers/imx-tpm: Fix next event not taking effect sometime
+
+From: Jacky Bai <ping.bai@nxp.com>
+
+commit 3d5c2f8e75a55cfb11a85086c71996af0354a1fb upstream.
+
+The value written into the TPM CnV can only be updated into the hardware
+when the counter increases. Additional writes to the CnV write buffer are
+ignored until the register has been updated. Therefore, we need to check
+if the CnV has been updated before continuing. This may require waiting for
+1 counter cycle in the worst case.
+
+Cc: stable@vger.kernel.org
+Fixes: 059ab7b82eec ("clocksource/drivers/imx-tpm: Add imx tpm timer support")
+Signed-off-by: Jacky Bai <ping.bai@nxp.com>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Ye Li <ye.li@nxp.com>
+Reviewed-by: Jason Liu <jason.hui.liu@nxp.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Link: https://lore.kernel.org/r/20240725193355.1436005-2-Frank.Li@nxp.com
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clocksource/timer-imx-tpm.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/clocksource/timer-imx-tpm.c
++++ b/drivers/clocksource/timer-imx-tpm.c
+@@ -91,6 +91,14 @@ static int tpm_set_next_event(unsigned l
+ now = tpm_read_counter();
+
+ /*
++ * Need to wait CNT increase at least 1 cycle to make sure
++ * the C0V has been updated into HW.
++ */
++ if ((next & 0xffffffff) != readl(timer_base + TPM_C0V))
++ while (now == tpm_read_counter())
++ ;
++
++ /*
+ * NOTE: We observed in a very small probability, the bus fabric
+ * contention between GPU and A7 may results a few cycles delay
+ * of writing CNT registers which may cause the min_delta event got
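Review bot: the added `while (now == tpm_read_counter())` loop has no bound and no `cpu_relax()`. If the counter is not advancing at this point, `tpm_set_next_event()` spins forever. A bounded poll that falls through to the existing -ETIME path would be safer. The `0xffffffff` mask on `next` is also a magic constant; a named mask or a short comment that C0V holds 32 bits would explain why the comparison truncates.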
--- /dev/null
+From 5b8843fcd49827813da80c0f590a17ae4ce93c5d Mon Sep 17 00:00:00 2001
+From: Jacky Bai <ping.bai@nxp.com>
+Date: Thu, 25 Jul 2024 15:33:54 -0400
+Subject: clocksource/drivers/imx-tpm: Fix return -ETIME when delta exceeds INT_MAX
+
+From: Jacky Bai <ping.bai@nxp.com>
+
+commit 5b8843fcd49827813da80c0f590a17ae4ce93c5d upstream.
+
+In tpm_set_next_event(delta), return -ETIME by wrong cast to int when delta
+is larger than INT_MAX.
+
+For example:
+
+tpm_set_next_event(delta = 0xffff_fffe)
+{
+ ...
+ next = tpm_read_counter(); // assume next is 0x10
+ next += delta; // next will 0xffff_fffe + 0x10 = 0x1_0000_000e
+ now = tpm_read_counter(); // now is 0x10
+ ...
+
+ return (int)(next - now) <= 0 ? -ETIME : 0;
+ ^^^^^^^^^^
+ 0x1_0000_000e - 0x10 = 0xffff_fffe, which is -2 when
+ cast to int. So return -ETIME.
+}
+
+To fix this, introduce a 'prev' variable and check if 'now - prev' is
+larger than delta.
+
+Cc: stable@vger.kernel.org
+Fixes: 059ab7b82eec ("clocksource/drivers/imx-tpm: Add imx tpm timer support")
+Signed-off-by: Jacky Bai <ping.bai@nxp.com>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Reviewed-by: Ye Li <ye.li@nxp.com>
+Reviewed-by: Jason Liu <jason.hui.liu@nxp.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Link: https://lore.kernel.org/r/20240725193355.1436005-1-Frank.Li@nxp.com
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clocksource/timer-imx-tpm.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/clocksource/timer-imx-tpm.c
++++ b/drivers/clocksource/timer-imx-tpm.c
+@@ -83,10 +83,10 @@ static u64 notrace tpm_read_sched_clock(
+ static int tpm_set_next_event(unsigned long delta,
+ struct clock_event_device *evt)
+ {
+- unsigned long next, now;
++ unsigned long next, prev, now;
+
+- next = tpm_read_counter();
+- next += delta;
++ prev = tpm_read_counter();
++ next = prev + delta;
+ writel(next, timer_base + TPM_C0V);
+ now = tpm_read_counter();
+
+@@ -96,7 +96,7 @@ static int tpm_set_next_event(unsigned l
+ * of writing CNT registers which may cause the min_delta event got
+ * missed, so we need add a ETIME check here in case it happened.
+ */
+- return (int)(next - now) <= 0 ? -ETIME : 0;
++ return (now - prev) >= delta ? -ETIME : 0;
+ }
+
+ static int tpm_set_state_oneshot(struct clock_event_device *evt)
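Review bot: `(now - prev) >= delta` is evaluated in `unsigned long`, which the commit message's own example (0x1_0000_000e) shows is wider than 32 bits. If `tpm_read_counter()` returns a 32-bit count (an assumption, its type is not visible here), a counter wrap between the two reads makes `now - prev` a very large value and returns -ETIME for an event that has not expired. Truncating the difference to the counter width before the comparison would make the wrap case explicit.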
--- /dev/null
+From 471ef0b5a8aaca4296108e756b970acfc499ede4 Mon Sep 17 00:00:00 2001
+From: Daniel Lezcano <daniel.lezcano@linaro.org>
+Date: Mon, 19 Aug 2024 12:03:35 +0200
+Subject: clocksource/drivers/timer-of: Remove percpu irq related code
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Daniel Lezcano <daniel.lezcano@linaro.org>
+
+commit 471ef0b5a8aaca4296108e756b970acfc499ede4 upstream.
+
+GCC's named address space checks errors out with:
+
+drivers/clocksource/timer-of.c: In function ‘timer_of_irq_exit’:
+drivers/clocksource/timer-of.c:29:46: error: passing argument 2 of
+‘free_percpu_irq’ from pointer to non-enclosed address space
+ 29 | free_percpu_irq(of_irq->irq, clkevt);
+ | ^~~~~~
+In file included from drivers/clocksource/timer-of.c:8:
+./include/linux/interrupt.h:201:43: note: expected ‘__seg_gs void *’
+but argument is of type ‘struct clock_event_device *’
+ 201 | extern void free_percpu_irq(unsigned int, void __percpu *);
+ | ^~~~~~~~~~~~~~~
+drivers/clocksource/timer-of.c: In function ‘timer_of_irq_init’:
+drivers/clocksource/timer-of.c:74:51: error: passing argument 4 of
+‘request_percpu_irq’ from pointer to non-enclosed address space
+ 74 | np->full_name, clkevt) :
+ | ^~~~~~
+./include/linux/interrupt.h:190:56: note: expected ‘__seg_gs void *’
+but argument is of type ‘struct clock_event_device *’
+ 190 | const char *devname, void __percpu *percpu_dev_id)
+
+Sparse warns about:
+
+timer-of.c:29:46: warning: incorrect type in argument 2 (different address spaces)
+timer-of.c:29:46: expected void [noderef] __percpu *
+timer-of.c:29:46: got struct clock_event_device *clkevt
+timer-of.c:74:51: warning: incorrect type in argument 4 (different address spaces)
+timer-of.c:74:51: expected void [noderef] __percpu *percpu_dev_id
+timer-of.c:74:51: got struct clock_event_device *clkevt
+
+It appears the code is incorrect as reported by Uros Bizjak:
+
+"The referred code is questionable as it tries to reuse
+the clkevent pointer once as percpu pointer and once as generic
+pointer, which should be avoided."
+
+This change removes the percpu related code as no drivers is using it.
+
+[Daniel: Fixed the description]
+
+Fixes: dc11bae785295 ("clocksource/drivers: Add timer-of common init routine")
+Reported-by: Uros Bizjak <ubizjak@gmail.com>
+Tested-by: Uros Bizjak <ubizjak@gmail.com>
+Link: https://lore.kernel.org/r/20240819100335.2394751-1-daniel.lezcano@linaro.org
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/clocksource/timer-of.c | 17 ++++-------------
+ drivers/clocksource/timer-of.h | 1 -
+ 2 files changed, 4 insertions(+), 14 deletions(-)
+
+--- a/drivers/clocksource/timer-of.c
++++ b/drivers/clocksource/timer-of.c
+@@ -25,10 +25,7 @@ static __init void timer_of_irq_exit(str
+
+ struct clock_event_device *clkevt = &to->clkevt;
+
+- if (of_irq->percpu)
+- free_percpu_irq(of_irq->irq, clkevt);
+- else
+- free_irq(of_irq->irq, clkevt);
++ free_irq(of_irq->irq, clkevt);
+ }
+
+ /**
+@@ -42,9 +39,6 @@ static __init void timer_of_irq_exit(str
+ * - Get interrupt number by name
+ * - Get interrupt number by index
+ *
+- * When the interrupt is per CPU, 'request_percpu_irq()' is called,
+- * otherwise 'request_irq()' is used.
+- *
+ * Returns 0 on success, < 0 otherwise
+ */
+ static __init int timer_of_irq_init(struct device_node *np,
+@@ -69,12 +63,9 @@ static __init int timer_of_irq_init(stru
+ return -EINVAL;
+ }
+
+- ret = of_irq->percpu ?
+- request_percpu_irq(of_irq->irq, of_irq->handler,
+- np->full_name, clkevt) :
+- request_irq(of_irq->irq, of_irq->handler,
+- of_irq->flags ? of_irq->flags : IRQF_TIMER,
+- np->full_name, clkevt);
++ ret = request_irq(of_irq->irq, of_irq->handler,
++ of_irq->flags ? of_irq->flags : IRQF_TIMER,
++ np->full_name, clkevt);
+ if (ret) {
+ pr_err("Failed to request irq %d for %pOF\n", of_irq->irq, np);
+ return ret;
+--- a/drivers/clocksource/timer-of.h
++++ b/drivers/clocksource/timer-of.h
+@@ -11,7 +11,6 @@
+ struct of_timer_irq {
+ int irq;
+ int index;
+- int percpu;
+ const char *name;
+ unsigned long flags;
+ irq_handler_t handler;
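Review bot: dropping `int percpu` from `struct of_timer_irq` turns any remaining `.percpu = ...` initialiser into a build failure. The commit message says no driver uses it, but that was established against upstream. For a stable backport it is worth grepping this tree for `percpu` users of `of_timer_irq` before queueing.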
--- /dev/null
+From 6fd28941447bf2c8ca0f26fda612a1cabc41663f Mon Sep 17 00:00:00 2001
+From: Naman Jain <namjain@linux.microsoft.com>
+Date: Thu, 29 Aug 2024 12:43:12 +0530
+Subject: Drivers: hv: vmbus: Fix rescind handling in uio_hv_generic
+
+From: Naman Jain <namjain@linux.microsoft.com>
+
+commit 6fd28941447bf2c8ca0f26fda612a1cabc41663f upstream.
+
+Rescind offer handling relies on rescind callbacks for some of the
+resources cleanup, if they are registered. It does not unregister
+vmbus device for the primary channel closure, when callback is
+registered. Without it, next onoffer does not come, rescind flag
+remains set and device goes to unusable state.
+
+Add logic to unregister vmbus for the primary channel in rescind callback
+to ensure channel removal and relid release, and to ensure that next
+onoffer can be received and handled properly.
+
+Cc: stable@vger.kernel.org
+Fixes: ca3cda6fcf1e ("uio_hv_generic: add rescind support")
+Signed-off-by: Naman Jain <namjain@linux.microsoft.com>
+Reviewed-by: Saurabh Sengar <ssengar@linux.microsoft.com>
+Link: https://lore.kernel.org/r/20240829071312.1595-3-namjain@linux.microsoft.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hv/vmbus_drv.c | 1 +
+ drivers/uio/uio_hv_generic.c | 8 ++++++++
+ 2 files changed, 9 insertions(+)
+
+--- a/drivers/hv/vmbus_drv.c
++++ b/drivers/hv/vmbus_drv.c
+@@ -2008,6 +2008,7 @@ static umode_t vmbus_chan_attr_is_visibl
+
+ return attr->mode;
+ }
++EXPORT_SYMBOL_GPL(vmbus_device_unregister);
+
+ static struct attribute_group vmbus_chan_group = {
+ .attrs = vmbus_chan_attrs,
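Review bot: `EXPORT_SYMBOL_GPL(vmbus_device_unregister)` is placed after the closing brace of `vmbus_chan_attr_is_visible()`, not after the function it exports. Kernel convention is to put the export directly below the definition of the exported symbol. Moving it next to `vmbus_device_unregister()` keeps it from looking like an export of the attribute helper.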
+--- a/drivers/uio/uio_hv_generic.c
++++ b/drivers/uio/uio_hv_generic.c
+@@ -119,6 +119,14 @@ static void hv_uio_rescind(struct vmbus_
+
+ /* Wake up reader */
+ uio_event_notify(&pdata->info);
++
++ /*
++ * With rescind callback registered, rescind path will not unregister the device
++ * from vmbus when the primary channel is rescinded.
++ * Without it, rescind handling is incomplete and next onoffer msg does not come.
++ * Unregister the device from vmbus here.
++ */
++ vmbus_device_unregister(channel->device_obj);
+ }
+
+ /* Sysfs API to allow mmap of the ring buffers
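Review bot: the new comment says the unregister is needed "when the primary channel is rescinded", but the `vmbus_device_unregister(channel->device_obj)` call in the visible lines is unconditional. If `hv_uio_rescind()` can also run for a sub-channel, this tears down the whole device. Either guard the call on the channel being the primary one or state in the comment why the callback is only ever invoked for the primary. Note also that `uio_event_notify()` wakes the reader immediately before the unregister, so the ordering between the woken reader and device teardown deserves a sentence.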
--- /dev/null
+From 96f9ab0d5933c1c00142dd052f259fce0bc3ced2 Mon Sep 17 00:00:00 2001
+From: Dumitru Ceclan <mitrutzceclan@gmail.com>
+Date: Wed, 31 Jul 2024 15:37:22 +0300
+Subject: iio: adc: ad7124: fix chip ID mismatch
+
+From: Dumitru Ceclan <mitrutzceclan@gmail.com>
+
+commit 96f9ab0d5933c1c00142dd052f259fce0bc3ced2 upstream.
+
+The ad7124_soft_reset() function has the assumption that the chip will
+assert the "power-on reset" bit in the STATUS register after a software
+reset without any delay. The POR bit =0 is used to check if the chip
+initialization is done.
+
+A chip ID mismatch probe error appears intermittently when the probe
+continues too soon and the ID register does not contain the expected
+value.
+
+Fix by adding a 200us delay after the software reset command is issued.
+
+Fixes: b3af341bbd96 ("iio: adc: Add ad7124 support")
+Signed-off-by: Dumitru Ceclan <dumitru.ceclan@analog.com>
+Reviewed-by: Nuno Sa <nuno.sa@analog.com>
+Link: https://patch.msgid.link/20240731-ad7124-fix-v1-1-46a76aa4b9be@analog.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ad7124.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iio/adc/ad7124.c
++++ b/drivers/iio/adc/ad7124.c
+@@ -690,6 +690,7 @@ static int ad7124_soft_reset(struct ad71
+ if (ret < 0)
+ return ret;
+
++ fsleep(200);
+ timeout = 100;
+ do {
+ ret = ad_sd_read_reg(&st->sd, AD7124_STATUS, 1, &readval);
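Review bot: `fsleep(200)` is an unexplained constant. The commit message gives the reason (the POR bit is not asserted immediately after a software reset), but nothing in the code does. A short comment above the call stating what the delay waits for and where the 200 us figure comes from would keep it from being removed or shortened later.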
--- /dev/null
+From 2f6b92d0f69f04d9e2ea0db1228ab7f82f3173af Mon Sep 17 00:00:00 2001
+From: Dumitru Ceclan <mitrutzceclan@gmail.com>
+Date: Wed, 31 Jul 2024 15:37:23 +0300
+Subject: iio: adc: ad7124: fix config comparison
+
+From: Dumitru Ceclan <mitrutzceclan@gmail.com>
+
+commit 2f6b92d0f69f04d9e2ea0db1228ab7f82f3173af upstream.
+
+The ad7124_find_similar_live_cfg() computes the compare size by
+substracting the address of the cfg struct from the address of the live
+field. Because the live field is the first field in the struct, the
+result is 0.
+
+Also, the memcmp() call is made from the start of the cfg struct, which
+includes the live and cfg_slot fields, which are not relevant for the
+comparison.
+
+Fix by grouping the relevant fields with struct_group() and use the
+size of the group to compute the compare size; make the memcmp() call
+from the address of the group.
+
+Fixes: 7b8d045e497a ("iio: adc: ad7124: allow more than 8 channels")
+Signed-off-by: Dumitru Ceclan <dumitru.ceclan@analog.com>
+Reviewed-by: Nuno Sa <nuno.sa@analog.com>
+Link: https://patch.msgid.link/20240731-ad7124-fix-v1-2-46a76aa4b9be@analog.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ad7124.c | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+
+--- a/drivers/iio/adc/ad7124.c
++++ b/drivers/iio/adc/ad7124.c
+@@ -144,15 +144,18 @@ struct ad7124_chip_info {
+ struct ad7124_channel_config {
+ bool live;
+ unsigned int cfg_slot;
+- enum ad7124_ref_sel refsel;
+- bool bipolar;
+- bool buf_positive;
+- bool buf_negative;
+- unsigned int vref_mv;
+- unsigned int pga_bits;
+- unsigned int odr;
+- unsigned int odr_sel_bits;
+- unsigned int filter_type;
++ /* Following fields are used to compare equality. */
++ struct_group(config_props,
++ enum ad7124_ref_sel refsel;
++ bool bipolar;
++ bool buf_positive;
++ bool buf_negative;
++ unsigned int vref_mv;
++ unsigned int pga_bits;
++ unsigned int odr;
++ unsigned int odr_sel_bits;
++ unsigned int filter_type;
++ );
+ };
+
+ struct ad7124_channel {
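Review bot: the `config_props` group mixes three `bool` members with `unsigned int` members, so on common ABIs there is a padding byte between `buf_negative` and `vref_mv`, and `memcmp()` over the group compares it. Two configs with identical field values can then compare unequal if either was not zero-initialised. Please confirm every `ad7124_channel_config` comes from zeroed memory, or reorder the members so the group has no internal padding.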
+@@ -331,11 +334,12 @@ static struct ad7124_channel_config *ad7
+ ptrdiff_t cmp_size;
+ int i;
+
+- cmp_size = (u8 *)&cfg->live - (u8 *)cfg;
++ cmp_size = sizeof_field(struct ad7124_channel_config, config_props);
+ for (i = 0; i < st->num_channels; i++) {
+ cfg_aux = &st->channels[i].cfg;
+
+- if (cfg_aux->live && !memcmp(cfg, cfg_aux, cmp_size))
++ if (cfg_aux->live &&
++ !memcmp(&cfg->config_props, &cfg_aux->config_props, cmp_size))
+ return cfg_aux;
+ }
+
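Review bot: `cmp_size` is still declared `ptrdiff_t` in the context line at the top of this hunk, but it now holds the result of `sizeof_field()`, which is a `size_t`, and is passed to `memcmp()` as a length. Changing the declaration to `size_t` would match its new use.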
--- /dev/null
+From 90826e08468ba7fb35d8b39645b22d9e80004afe Mon Sep 17 00:00:00 2001
+From: Guillaume Stols <gstols@baylibre.com>
+Date: Tue, 2 Jul 2024 12:52:51 +0000
+Subject: iio: adc: ad7606: remove frstdata check for serial mode
+
+From: Guillaume Stols <gstols@baylibre.com>
+
+commit 90826e08468ba7fb35d8b39645b22d9e80004afe upstream.
+
+The current implementation attempts to recover from an eventual glitch
+in the clock by checking frstdata state after reading the first
+channel's sample: If frstdata is low, it will reset the chip and
+return -EIO.
+
+This will only work in parallel mode, where frstdata pin is set low
+after the 2nd sample read starts.
+
+For the serial mode, according to the datasheet, "The FRSTDATA output
+returns to a logic low following the 16th SCLK falling edge.", thus
+after the Xth pulse, X being the number of bits in a sample, the check
+will always be true, and the driver will not work at all in serial
+mode if frstdata(optional) is defined in the devicetree as it will
+reset the chip, and return -EIO every time read_sample is called.
+
+Hence, this check must be removed for serial mode.
+
+Fixes: b9618c0cacd7 ("staging: IIO: ADC: New driver for AD7606/AD7606-6/AD7606-4")
+Signed-off-by: Guillaume Stols <gstols@baylibre.com>
+Reviewed-by: Nuno Sa <nuno.sa@analog.com>
+Link: https://patch.msgid.link/20240702-cleanup-ad7606-v3-1-18d5ea18770e@baylibre.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ad7606.c | 28 +------------------------
+ drivers/iio/adc/ad7606.h | 2 +
+ drivers/iio/adc/ad7606_par.c | 48 ++++++++++++++++++++++++++++++++++++++++---
+ 3 files changed, 49 insertions(+), 29 deletions(-)
+
+--- a/drivers/iio/adc/ad7606.c
++++ b/drivers/iio/adc/ad7606.c
+@@ -48,7 +48,7 @@ static const unsigned int ad7616_oversam
+ 1, 2, 4, 8, 16, 32, 64, 128,
+ };
+
+-static int ad7606_reset(struct ad7606_state *st)
++int ad7606_reset(struct ad7606_state *st)
+ {
+ if (st->gpio_reset) {
+ gpiod_set_value(st->gpio_reset, 1);
+@@ -59,6 +59,7 @@ static int ad7606_reset(struct ad7606_st
+
+ return -ENODEV;
+ }
++EXPORT_SYMBOL_NS_GPL(ad7606_reset, IIO_AD7606);
+
+ static int ad7606_reg_access(struct iio_dev *indio_dev,
+ unsigned int reg,
+@@ -87,31 +88,6 @@ static int ad7606_read_samples(struct ad
+ {
+ unsigned int num = st->chip_info->num_channels - 1;
+ u16 *data = st->data;
+- int ret;
+-
+- /*
+- * The frstdata signal is set to high while and after reading the sample
+- * of the first channel and low for all other channels. This can be used
+- * to check that the incoming data is correctly aligned. During normal
+- * operation the data should never become unaligned, but some glitch or
+- * electrostatic discharge might cause an extra read or clock cycle.
+- * Monitoring the frstdata signal allows to recover from such failure
+- * situations.
+- */
+-
+- if (st->gpio_frstdata) {
+- ret = st->bops->read_block(st->dev, 1, data);
+- if (ret)
+- return ret;
+-
+- if (!gpiod_get_value(st->gpio_frstdata)) {
+- ad7606_reset(st);
+- return -EIO;
+- }
+-
+- data++;
+- num--;
+- }
+
+ return st->bops->read_block(st->dev, num, data);
+ }
+--- a/drivers/iio/adc/ad7606.h
++++ b/drivers/iio/adc/ad7606.h
+@@ -153,6 +153,8 @@ int ad7606_probe(struct device *dev, int
+ const char *name, unsigned int id,
+ const struct ad7606_bus_ops *bops);
+
++int ad7606_reset(struct ad7606_state *st);
++
+ enum ad7606_supported_device_ids {
+ ID_AD7605_4,
+ ID_AD7606_8,
+--- a/drivers/iio/adc/ad7606_par.c
++++ b/drivers/iio/adc/ad7606_par.c
+@@ -6,6 +6,7 @@
+ */
+
+ #include <linux/module.h>
++#include <linux/gpio/consumer.h>
+ #include <linux/platform_device.h>
+ #include <linux/types.h>
+ #include <linux/err.h>
+@@ -20,8 +21,29 @@ static int ad7606_par16_read_block(struc
+ struct iio_dev *indio_dev = dev_get_drvdata(dev);
+ struct ad7606_state *st = iio_priv(indio_dev);
+
+- insw((unsigned long)st->base_address, buf, count);
+
++ /*
++ * On the parallel interface, the frstdata signal is set to high while
++ * and after reading the sample of the first channel and low for all
++ * other channels. This can be used to check that the incoming data is
++ * correctly aligned. During normal operation the data should never
++ * become unaligned, but some glitch or electrostatic discharge might
++ * cause an extra read or clock cycle. Monitoring the frstdata signal
++ * allows to recover from such failure situations.
++ */
++ int num = count;
++ u16 *_buf = buf;
++
++ if (st->gpio_frstdata) {
++ insw((unsigned long)st->base_address, _buf, 1);
++ if (!gpiod_get_value(st->gpio_frstdata)) {
++ ad7606_reset(st);
++ return -EIO;
++ }
++ _buf++;
++ num--;
++ }
++ insw((unsigned long)st->base_address, _buf, num);
+ return 0;
+ }
+
+@@ -34,8 +56,28 @@ static int ad7606_par8_read_block(struct
+ {
+ struct iio_dev *indio_dev = dev_get_drvdata(dev);
+ struct ad7606_state *st = iio_priv(indio_dev);
+-
+- insb((unsigned long)st->base_address, buf, count * 2);
++ /*
++ * On the parallel interface, the frstdata signal is set to high while
++ * and after reading the sample of the first channel and low for all
++ * other channels. This can be used to check that the incoming data is
++ * correctly aligned. During normal operation the data should never
++ * become unaligned, but some glitch or electrostatic discharge might
++ * cause an extra read or clock cycle. Monitoring the frstdata signal
++ * allows to recover from such failure situations.
++ */
++ int num = count;
++ u16 *_buf = buf;
++
++ if (st->gpio_frstdata) {
++ insb((unsigned long)st->base_address, _buf, 2);
++ if (!gpiod_get_value(st->gpio_frstdata)) {
++ ad7606_reset(st);
++ return -EIO;
++ }
++ _buf++;
++ num--;
++ }
++ insb((unsigned long)st->base_address, _buf, num * 2);
+
+ return 0;
+ }
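Review bot: this block is a copy of the one added to `ad7606_par16_read_block()`, including the nine-line comment, and differs only in `insb()` versus `insw()` and the byte counts. A small shared helper for the frstdata check and reset, called from both read functions, would keep the two paths from drifting apart.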
--- /dev/null
+From 84c65d8008764a8fb4e627ff02de01ec4245f2c4 Mon Sep 17 00:00:00 2001
+From: David Lechner <dlechner@baylibre.com>
+Date: Tue, 23 Jul 2024 11:32:21 -0500
+Subject: iio: buffer-dmaengine: fix releasing dma channel on error
+
+From: David Lechner <dlechner@baylibre.com>
+
+commit 84c65d8008764a8fb4e627ff02de01ec4245f2c4 upstream.
+
+If dma_get_slave_caps() fails, we need to release the dma channel before
+returning an error to avoid leaking the channel.
+
+Fixes: 2d6ca60f3284 ("iio: Add a DMAengine framework based buffer")
+Signed-off-by: David Lechner <dlechner@baylibre.com>
+Link: https://patch.msgid.link/20240723-iio-fix-dmaengine-free-on-error-v1-1-2c7cbc9b92ff@baylibre.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/buffer/industrialio-buffer-dmaengine.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/buffer/industrialio-buffer-dmaengine.c
++++ b/drivers/iio/buffer/industrialio-buffer-dmaengine.c
+@@ -180,7 +180,7 @@ static struct iio_buffer *iio_dmaengine_
+
+ ret = dma_get_slave_caps(chan, &caps);
+ if (ret < 0)
+- goto err_free;
++ goto err_release;
+
+ /* Needs to be aligned to the maximum of the minimums */
+ if (caps.src_addr_widths)
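Review bot: only the `dma_get_slave_caps()` failure is redirected to `err_release` here. Any other `goto err_free` that runs after the channel has been acquired would leak it in the same way, so please confirm none remains in the part of the function not shown in this hunk.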
+@@ -206,6 +206,8 @@ static struct iio_buffer *iio_dmaengine_
+
+ return &dmaengine_buffer->queue.buffer;
+
++err_release:
++ dma_release_channel(chan);
+ err_free:
+ kfree(dmaengine_buffer);
+ return ERR_PTR(ret);
--- /dev/null
+From 8a3dcc970dc57b358c8db2702447bf0af4e0d83a Mon Sep 17 00:00:00 2001
+From: Matteo Martelli <matteomartelli3@gmail.com>
+Date: Tue, 30 Jul 2024 10:11:53 +0200
+Subject: iio: fix scale application in iio_convert_raw_to_processed_unlocked
+
+From: Matteo Martelli <matteomartelli3@gmail.com>
+
+commit 8a3dcc970dc57b358c8db2702447bf0af4e0d83a upstream.
+
+When the scale_type is IIO_VAL_INT_PLUS_MICRO or IIO_VAL_INT_PLUS_NANO
+the scale passed as argument is only applied to the fractional part of
+the value. Fix it by also multiplying the integer part by the scale
+provided.
+
+Fixes: 48e44ce0f881 ("iio:inkern: Add function to read the processed value")
+Signed-off-by: Matteo Martelli <matteomartelli3@gmail.com>
+Link: https://patch.msgid.link/20240730-iio-fix-scale-v1-1-6246638c8daa@gmail.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/inkern.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/iio/inkern.c
++++ b/drivers/iio/inkern.c
+@@ -629,17 +629,17 @@ static int iio_convert_raw_to_processed_
+ break;
+ case IIO_VAL_INT_PLUS_MICRO:
+ if (scale_val2 < 0)
+- *processed = -raw64 * scale_val;
++ *processed = -raw64 * scale_val * scale;
+ else
+- *processed = raw64 * scale_val;
++ *processed = raw64 * scale_val * scale;
+ *processed += div_s64(raw64 * (s64)scale_val2 * scale,
+ 1000000LL);
+ break;
+ case IIO_VAL_INT_PLUS_NANO:
+ if (scale_val2 < 0)
+- *processed = -raw64 * scale_val;
++ *processed = -raw64 * scale_val * scale;
+ else
+- *processed = raw64 * scale_val;
++ *processed = raw64 * scale_val * scale;
+ *processed += div_s64(raw64 * (s64)scale_val2 * scale,
+ 1000000000LL);
+ break;
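Review bot: `raw64 * scale_val * scale` is now a three-way product in s64 with no overflow check, in both the IIO_VAL_INT_PLUS_MICRO and IIO_VAL_INT_PLUS_NANO cases. With large raw values and a large caller-supplied `scale` this can wrap silently. Consider `check_mul_overflow()` or a comment stating the ranges the callers guarantee. The two cases are also identical apart from the divisor and could share one code path.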
--- /dev/null
+From c69f37f6559a8948d70badd2b179db7714dedd62 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Mon, 2 Sep 2024 15:25:09 +0100
+Subject: nvmem: Fix return type of devm_nvmem_device_get() in kerneldoc
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit c69f37f6559a8948d70badd2b179db7714dedd62 upstream.
+
+devm_nvmem_device_get() returns an nvmem device, not an nvmem cell.
+
+Fixes: e2a5402ec7c6d044 ("nvmem: Add nvmem_device based consumer apis.")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20240902142510.71096-3-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvmem/core.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/nvmem/core.c
++++ b/drivers/nvmem/core.c
+@@ -1112,13 +1112,13 @@ void nvmem_device_put(struct nvmem_devic
+ EXPORT_SYMBOL_GPL(nvmem_device_put);
+
+ /**
+- * devm_nvmem_device_get() - Get nvmem cell of device form a given id
++ * devm_nvmem_device_get() - Get nvmem device of device form a given id
+ *
+ * @dev: Device that requests the nvmem device.
+ * @id: name id for the requested nvmem device.
+ *
+- * Return: ERR_PTR() on error or a valid pointer to a struct nvmem_cell
+- * on success. The nvmem_cell will be freed by the automatically once the
++ * Return: ERR_PTR() on error or a valid pointer to a struct nvmem_device
++ * on success. The nvmem_device will be freed by the automatically once the
+ * device is freed.
+ */
+ struct nvmem_device *devm_nvmem_device_get(struct device *dev, const char *id)
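Review bot: the corrected kerneldoc lines still carry two typos from the original text: "form a given id" should read "from a given id", and "freed by the automatically" has a stray "the". Since these exact lines are being rewritten anyway, fixing them in the same change avoids a second documentation-only patch.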
--- /dev/null
+From 2ab9d830262c132ab5db2f571003d80850d56b2a Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Mon, 2 Sep 2024 10:14:24 +0200
+Subject: perf/aux: Fix AUX buffer serialization
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit 2ab9d830262c132ab5db2f571003d80850d56b2a upstream.
+
+Ole reported that event->mmap_mutex is strictly insufficient to
+serialize the AUX buffer, add a per RB mutex to fully serialize it.
+
+Note that in the lock order comment the perf_event::mmap_mutex order
+was already wrong, that is, it nesting under mmap_lock is not new with
+this patch.
+
+Fixes: 45bfb2e50471 ("perf: Add AUX area to ring buffer for raw data streams")
+Reported-by: Ole <ole@binarygecko.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/events/core.c | 18 ++++++++++++------
+ kernel/events/internal.h | 1 +
+ kernel/events/ring_buffer.c | 2 ++
+ 3 files changed, 15 insertions(+), 6 deletions(-)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -1368,8 +1368,9 @@ static void put_ctx(struct perf_event_co
+ * perf_event_context::mutex
+ * perf_event::child_mutex;
+ * perf_event_context::lock
+- * perf_event::mmap_mutex
+ * mmap_lock
++ * perf_event::mmap_mutex
++ * perf_buffer::aux_mutex
+ * perf_addr_filters_head::lock
+ *
+ * cpu_hotplug_lock
+@@ -6275,12 +6276,11 @@ static void perf_mmap_close(struct vm_ar
+ event->pmu->event_unmapped(event, vma->vm_mm);
+
+ /*
+- * rb->aux_mmap_count will always drop before rb->mmap_count and
+- * event->mmap_count, so it is ok to use event->mmap_mutex to
+- * serialize with perf_mmap here.
++ * The AUX buffer is strictly a sub-buffer, serialize using aux_mutex
++ * to avoid complications.
+ */
+ if (rb_has_aux(rb) && vma->vm_pgoff == rb->aux_pgoff &&
+- atomic_dec_and_mutex_lock(&rb->aux_mmap_count, &event->mmap_mutex)) {
++ atomic_dec_and_mutex_lock(&rb->aux_mmap_count, &rb->aux_mutex)) {
+ /*
+ * Stop all AUX events that are writing to this buffer,
+ * so that we can free its AUX pages and corresponding PMU
+@@ -6297,7 +6297,7 @@ static void perf_mmap_close(struct vm_ar
+ rb_free_aux(rb);
+ WARN_ON_ONCE(refcount_read(&rb->aux_refcount));
+
+- mutex_unlock(&event->mmap_mutex);
++ mutex_unlock(&rb->aux_mutex);
+ }
+
+ if (atomic_dec_and_test(&rb->mmap_count))
+@@ -6385,6 +6385,7 @@ static int perf_mmap(struct file *file,
+ struct perf_event *event = file->private_data;
+ unsigned long user_locked, user_lock_limit;
+ struct user_struct *user = current_user();
++ struct mutex *aux_mutex = NULL;
+ struct perf_buffer *rb = NULL;
+ unsigned long locked, lock_limit;
+ unsigned long vma_size;
+@@ -6433,6 +6434,9 @@ static int perf_mmap(struct file *file,
+ if (!rb)
+ goto aux_unlock;
+
++ aux_mutex = &rb->aux_mutex;
++ mutex_lock(aux_mutex);
++
+ aux_offset = READ_ONCE(rb->user_page->aux_offset);
+ aux_size = READ_ONCE(rb->user_page->aux_size);
+
+@@ -6583,6 +6587,8 @@ unlock:
+ atomic_dec(&rb->mmap_count);
+ }
+ aux_unlock:
++ if (aux_mutex)
++ mutex_unlock(aux_mutex);
+ mutex_unlock(&event->mmap_mutex);
+
+ /*
+--- a/kernel/events/internal.h
++++ b/kernel/events/internal.h
+@@ -40,6 +40,7 @@ struct perf_buffer {
+ struct user_struct *mmap_user;
+
+ /* AUX area */
++ struct mutex aux_mutex;
+ long aux_head;
+ unsigned int aux_nest;
+ long aux_wakeup; /* last aux_watermark boundary crossed by aux_head */
+--- a/kernel/events/ring_buffer.c
++++ b/kernel/events/ring_buffer.c
+@@ -332,6 +332,8 @@ ring_buffer_init(struct perf_buffer *rb,
+ */
+ if (!rb->nr_pages)
+ rb->paused = 1;
++
++ mutex_init(&rb->aux_mutex);
+ }
+
+ void perf_aux_output_flag(struct perf_output_handle *handle, u64 flags)
ata-pata_macio-use-warn-instead-of-bug.patch
nfsv4-add-missing-rescheduling-points-in-nfs_client_.patch
cifs-check-the-lease-context-if-we-actually-got-a-lease.patch
+staging-iio-frequency-ad9834-validate-frequency-parameter-value.patch
+iio-buffer-dmaengine-fix-releasing-dma-channel-on-error.patch
+iio-fix-scale-application-in-iio_convert_raw_to_processed_unlocked.patch
+iio-adc-ad7124-fix-config-comparison.patch
+iio-adc-ad7606-remove-frstdata-check-for-serial-mode.patch
+iio-adc-ad7124-fix-chip-id-mismatch.patch
+usb-dwc3-core-update-lc-timer-as-per-usb-spec-v3.2.patch
+binder-fix-uaf-caused-by-offsets-overwrite.patch
+nvmem-fix-return-type-of-devm_nvmem_device_get-in-kerneldoc.patch
+uio_hv_generic-fix-kernel-null-pointer-dereference-in-hv_uio_rescind.patch
+drivers-hv-vmbus-fix-rescind-handling-in-uio_hv_generic.patch
+vmci-fix-use-after-free-when-removing-resource-in-vmci_resource_remove.patch
+clocksource-drivers-imx-tpm-fix-return-etime-when-delta-exceeds-int_max.patch
+clocksource-drivers-imx-tpm-fix-next-event-not-taking-effect-sometime.patch
+clocksource-drivers-timer-of-remove-percpu-irq-related-code.patch
+uprobes-use-kzalloc-to-allocate-xol-area.patch
+perf-aux-fix-aux-buffer-serialization.patch
--- /dev/null
+From b48aa991758999d4e8f9296c5bbe388f293ef465 Mon Sep 17 00:00:00 2001
+From: Aleksandr Mishin <amishin@t-argos.ru>
+Date: Wed, 3 Jul 2024 18:45:06 +0300
+Subject: staging: iio: frequency: ad9834: Validate frequency parameter value
+
+From: Aleksandr Mishin <amishin@t-argos.ru>
+
+commit b48aa991758999d4e8f9296c5bbe388f293ef465 upstream.
+
+In ad9834_write_frequency() clk_get_rate() can return 0. In such case
+ad9834_calc_freqreg() call will lead to division by zero. Checking
+'if (fout > (clk_freq / 2))' doesn't protect in case of 'fout' is 0.
+ad9834_write_frequency() is called from ad9834_write(), where fout is
+taken from text buffer, which can contain any value.
+
+Modify parameters checking.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 12b9d5bf76bf ("Staging: IIO: DDS: AD9833 / AD9834 driver")
+Suggested-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/20240703154506.25584-1-amishin@t-argos.ru
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/iio/frequency/ad9834.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/iio/frequency/ad9834.c
++++ b/drivers/staging/iio/frequency/ad9834.c
+@@ -114,7 +114,7 @@ static int ad9834_write_frequency(struct
+
+ clk_freq = clk_get_rate(st->mclk);
+
+- if (fout > (clk_freq / 2))
++ if (!clk_freq || fout > (clk_freq / 2))
+ return -EINVAL;
+
+ regval = ad9834_calc_freqreg(clk_freq, fout);
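Review bot: the new `!clk_freq` test in ad9834_write_frequency() returns -EINVAL, the same code used for an out-of-range fout, so a caller cannot tell a bad user-supplied value from a clock that reports a rate of 0. Consider a distinct error for the zero-rate case, or at least a comment above the check saying that it protects the division in ad9834_calc_freqreg(). The commit message frames the bug as "fout is 0" while the guard is on clk_freq. It covers that case because with clk_freq == 0 and fout == 0 the old comparison was `0 > 0`, which is false and fell through to the divide. Spelling that out in the message would save the next reader the derivation.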
--- /dev/null
+From fb1adbd7e50f3d2de56d0a2bb0700e2e819a329e Mon Sep 17 00:00:00 2001
+From: Saurabh Sengar <ssengar@linux.microsoft.com>
+Date: Thu, 29 Aug 2024 12:43:11 +0530
+Subject: uio_hv_generic: Fix kernel NULL pointer dereference in hv_uio_rescind
+
+From: Saurabh Sengar <ssengar@linux.microsoft.com>
+
+commit fb1adbd7e50f3d2de56d0a2bb0700e2e819a329e upstream.
+
+For primary VM Bus channels, primary_channel pointer is always NULL. This
+pointer is valid only for the secondary channels. Also, rescind callback
+is meant for primary channels only.
+
+Fix NULL pointer dereference by retrieving the device_obj from the parent
+for the primary channel.
+
+Cc: stable@vger.kernel.org
+Fixes: ca3cda6fcf1e ("uio_hv_generic: add rescind support")
+Signed-off-by: Saurabh Sengar <ssengar@linux.microsoft.com>
+Signed-off-by: Naman Jain <namjain@linux.microsoft.com>
+Link: https://lore.kernel.org/r/20240829071312.1595-2-namjain@linux.microsoft.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/uio/uio_hv_generic.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/uio/uio_hv_generic.c
++++ b/drivers/uio/uio_hv_generic.c
+@@ -104,10 +104,11 @@ static void hv_uio_channel_cb(void *cont
+
+ /*
+ * Callback from vmbus_event when channel is rescinded.
++ * It is meant for rescind of primary channels only.
+ */
+ static void hv_uio_rescind(struct vmbus_channel *channel)
+ {
+- struct hv_device *hv_dev = channel->primary_channel->device_obj;
++ struct hv_device *hv_dev = channel->device_obj;
+ struct hv_uio_private_data *pdata = hv_get_drvdata(hv_dev);
+
+ /*
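Review bot: hv_uio_rescind() now dereferences channel->device_obj directly, and the only thing stating that the callback is for primary channels is the added comment line; nothing in the function enforces it. Since the commit message says primary_channel is NULL for primary channels, an early `if (channel->primary_channel)` return or WARN_ON_ONCE would turn a violated assumption into a visible warning instead of relying on the comment. hv_dev is also passed to hv_get_drvdata() unchecked, so a NULL check there would keep this path from faulting the same way again if device_obj is ever unset.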
--- /dev/null
+From e240b0fde52f33670d1336697c22d90a4fe33c84 Mon Sep 17 00:00:00 2001
+From: Sven Schnelle <svens@linux.ibm.com>
+Date: Tue, 3 Sep 2024 12:23:12 +0200
+Subject: uprobes: Use kzalloc to allocate xol area
+
+From: Sven Schnelle <svens@linux.ibm.com>
+
+commit e240b0fde52f33670d1336697c22d90a4fe33c84 upstream.
+
+To prevent unitialized members, use kzalloc to allocate
+the xol area.
+
+Fixes: b059a453b1cf1 ("x86/vdso: Add mremap hook to vm_special_mapping")
+Signed-off-by: Sven Schnelle <svens@linux.ibm.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Link: https://lore.kernel.org/r/20240903102313.3402529-1-svens@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/events/uprobes.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/kernel/events/uprobes.c
++++ b/kernel/events/uprobes.c
+@@ -1484,7 +1484,7 @@ static struct xol_area *__create_xol_are
+ uprobe_opcode_t insn = UPROBE_SWBP_INSN;
+ struct xol_area *area;
+
+- area = kmalloc(sizeof(*area), GFP_KERNEL);
++ area = kzalloc(sizeof(*area), GFP_KERNEL);
+ if (unlikely(!area))
+ goto out;
+
+@@ -1494,7 +1494,6 @@ static struct xol_area *__create_xol_are
+ goto free_area;
+
+ area->xol_mapping.name = "[uprobes]";
+- area->xol_mapping.fault = NULL;
+ area->xol_mapping.pages = area->pages;
+ area->pages[0] = alloc_page(GFP_HIGHUSER);
+ if (!area->pages[0])
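Review bot: dropping `area->xol_mapping.fault = NULL;` in __create_xol_area() makes the initial state of xol_mapping depend entirely on the kzalloc() introduced in the previous hunk, and neither the commit message nor the code says which member was being left uninitialized. The Fixes tag points at the commit that added an mremap hook to vm_special_mapping, so name that member in the message if it is the one. A short comment at the allocation noting that the struct must be zeroed would stop a later switch back to kmalloc() from reintroducing the problem.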
--- /dev/null
+From 9149c9b0c7e046273141e41eebd8a517416144ac Mon Sep 17 00:00:00 2001
+From: Faisal Hassan <quic_faisalh@quicinc.com>
+Date: Thu, 29 Aug 2024 15:15:02 +0530
+Subject: usb: dwc3: core: update LC timer as per USB Spec V3.2
+
+From: Faisal Hassan <quic_faisalh@quicinc.com>
+
+commit 9149c9b0c7e046273141e41eebd8a517416144ac upstream.
+
+This fix addresses STAR 9001285599, which only affects DWC_usb3 version
+3.20a. The timer value for PM_LC_TIMER in DWC_usb3 3.20a for the Link
+ECN changes is incorrect. If the PM TIMER ECN is enabled via GUCTL2[19],
+the link compliance test (TD7.21) may fail. If the ECN is not enabled
+(GUCTL2[19] = 0), the controller will use the old timer value (5us),
+which is still acceptable for the link compliance test. Therefore, clear
+GUCTL2[19] to pass the USB link compliance test: TD 7.21.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Faisal Hassan <quic_faisalh@quicinc.com>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://lore.kernel.org/r/20240829094502.26502-1-quic_faisalh@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/core.c | 15 +++++++++++++++
+ drivers/usb/dwc3/core.h | 2 ++
+ 2 files changed, 17 insertions(+)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -1058,6 +1058,21 @@ static int dwc3_core_init(struct dwc3 *d
+ }
+
+ /*
++ * STAR 9001285599: This issue affects DWC_usb3 version 3.20a
++ * only. If the PM TIMER ECM is enabled through GUCTL2[19], the
++ * link compliance test (TD7.21) may fail. If the ECN is not
++ * enabled (GUCTL2[19] = 0), the controller will use the old timer
++ * value (5us), which is still acceptable for the link compliance
++ * test. Therefore, do not enable PM TIMER ECM in 3.20a by
++ * setting GUCTL2[19] by default; instead, use GUCTL2[19] = 0.
++ */
++ if (DWC3_VER_IS(DWC3, 320A)) {
++ reg = dwc3_readl(dwc->regs, DWC3_GUCTL2);
++ reg &= ~DWC3_GUCTL2_LC_TIMER;
++ dwc3_writel(dwc->regs, DWC3_GUCTL2, reg);
++ }
++
++ /*
+ * When configured in HOST mode, after issuing U3/L2 exit controller
+ * fails to send proper CRC checksum in CRC5 feild. Because of this
+ * behaviour Transaction Error is generated, resulting in reset and
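Review bot: the comment block added to dwc3_core_init() calls the feature "PM TIMER ECM" in two places and "ECN" in a third, while the commit message uses ECN throughout; pick one spelling so the comment can be matched against the erratum text. The closing sentence ("do not enable PM TIMER ECM in 3.20a by setting GUCTL2[19] by default; instead, use GUCTL2[19] = 0") is hard to parse and could simply read "Therefore clear GUCTL2[19] on 3.20a". It would also help to say in the comment that the bit cleared is DWC3_GUCTL2_LC_TIMER, since the code uses the macro and the comment uses only the bit number.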
+--- a/drivers/usb/dwc3/core.h
++++ b/drivers/usb/dwc3/core.h
+@@ -387,6 +387,7 @@
+
+ /* Global User Control Register 2 */
+ #define DWC3_GUCTL2_RST_ACTBITLATER BIT(14)
++#define DWC3_GUCTL2_LC_TIMER BIT(19)
+
+ /* Global User Control Register 3 */
+ #define DWC3_GUCTL3_SPLITDISABLE BIT(14)
+@@ -1197,6 +1198,7 @@ struct dwc3 {
+ #define DWC3_REVISION_290A 0x5533290a
+ #define DWC3_REVISION_300A 0x5533300a
+ #define DWC3_REVISION_310A 0x5533310a
++#define DWC3_REVISION_320A 0x5533320a
+ #define DWC3_REVISION_330A 0x5533330a
+
+ #define DWC31_REVISION_ANY 0x0
--- /dev/null
+From 48b9a8dabcc3cf5f961b2ebcd8933bf9204babb7 Mon Sep 17 00:00:00 2001
+From: David Fernandez Gonzalez <david.fernandez.gonzalez@oracle.com>
+Date: Wed, 28 Aug 2024 15:43:37 +0000
+Subject: VMCI: Fix use-after-free when removing resource in vmci_resource_remove()
+
+From: David Fernandez Gonzalez <david.fernandez.gonzalez@oracle.com>
+
+commit 48b9a8dabcc3cf5f961b2ebcd8933bf9204babb7 upstream.
+
+When removing a resource from vmci_resource_table in
+vmci_resource_remove(), the search is performed using the resource
+handle by comparing context and resource fields.
+
+It is possible though to create two resources with different types
+but same handle (same context and resource fields).
+
+When trying to remove one of the resources, vmci_resource_remove()
+may not remove the intended one, but the object will still be freed
+as in the case of the datagram type in vmci_datagram_destroy_handle().
+vmci_resource_table will still hold a pointer to this freed resource
+leading to a use-after-free vulnerability.
+
+BUG: KASAN: use-after-free in vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline]
+BUG: KASAN: use-after-free in vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147
+Read of size 4 at addr ffff88801c16d800 by task syz-executor197/1592
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x82/0xa9 lib/dump_stack.c:106
+ print_address_description.constprop.0+0x21/0x366 mm/kasan/report.c:239
+ __kasan_report.cold+0x7f/0x132 mm/kasan/report.c:425
+ kasan_report+0x38/0x51 mm/kasan/report.c:442
+ vmci_handle_is_equal include/linux/vmw_vmci_defs.h:142 [inline]
+ vmci_resource_remove+0x3a1/0x410 drivers/misc/vmw_vmci/vmci_resource.c:147
+ vmci_qp_broker_detach+0x89a/0x11b9 drivers/misc/vmw_vmci/vmci_queue_pair.c:2182
+ ctx_free_ctx+0x473/0xbe1 drivers/misc/vmw_vmci/vmci_context.c:444
+ kref_put include/linux/kref.h:65 [inline]
+ vmci_ctx_put drivers/misc/vmw_vmci/vmci_context.c:497 [inline]
+ vmci_ctx_destroy+0x170/0x1d6 drivers/misc/vmw_vmci/vmci_context.c:195
+ vmci_host_close+0x125/0x1ac drivers/misc/vmw_vmci/vmci_host.c:143
+ __fput+0x261/0xa34 fs/file_table.c:282
+ task_work_run+0xf0/0x194 kernel/task_work.c:164
+ tracehook_notify_resume include/linux/tracehook.h:189 [inline]
+ exit_to_user_mode_loop+0x184/0x189 kernel/entry/common.c:187
+ exit_to_user_mode_prepare+0x11b/0x123 kernel/entry/common.c:220
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:302 [inline]
+ syscall_exit_to_user_mode+0x18/0x42 kernel/entry/common.c:313
+ do_syscall_64+0x41/0x85 arch/x86/entry/common.c:86
+ entry_SYSCALL_64_after_hwframe+0x6e/0x0
+
+This change ensures the type is also checked when removing
+the resource from vmci_resource_table in vmci_resource_remove().
+
+Fixes: bc63dedb7d46 ("VMCI: resource object implementation.")
+Cc: stable@vger.kernel.org
+Reported-by: George Kennedy <george.kennedy@oracle.com>
+Signed-off-by: David Fernandez Gonzalez <david.fernandez.gonzalez@oracle.com>
+Link: https://lore.kernel.org/r/20240828154338.754746-1-david.fernandez.gonzalez@oracle.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/vmw_vmci/vmci_resource.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/misc/vmw_vmci/vmci_resource.c
++++ b/drivers/misc/vmw_vmci/vmci_resource.c
+@@ -144,7 +144,8 @@ void vmci_resource_remove(struct vmci_re
+ spin_lock(&vmci_resource_table.lock);
+
+ hlist_for_each_entry(r, &vmci_resource_table.entries[idx], node) {
+- if (vmci_handle_is_equal(r->handle, resource->handle)) {
++ if (vmci_handle_is_equal(r->handle, resource->handle) &&
++ resource->type == r->type) {
+ hlist_del_init_rcu(&r->node);
+ break;
+ }
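Review bot: with the added `resource->type == r->type` condition, the loop in vmci_resource_remove() can now finish without unlinking anything when no entry matches both handle and type, and as far as this hunk shows that case is silent. The commit message notes that callers such as vmci_datagram_destroy_handle() free the object regardless, so a WARN_ON_ONCE when no entry was removed would make a mismatch visible instead of leaving a stale pointer in vmci_resource_table. The message also says two resources of different types can share a handle; the other handle-based lookups on the table are outside this hunk and are worth checking for the same type comparison.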