--- /dev/null
+From bf39286adc5e10ce3e32eb86ad316ae56f3b52a0 Mon Sep 17 00:00:00 2001
+From: Oliver Schramm <oliver.schramm97@gmail.com>
+Date: Sun, 22 Jun 2025 00:30:01 +0200
+Subject: ASoC: amd: yc: Add DMI quirk for Lenovo IdeaPad Slim 5 15
+
+From: Oliver Schramm <oliver.schramm97@gmail.com>
+
+commit bf39286adc5e10ce3e32eb86ad316ae56f3b52a0 upstream.
+
+It's smaller brother has already received the patch to enable the microphone,
+now add it too to the DMI quirk table.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Oliver Schramm <oliver.schramm97@gmail.com>
+Link: https://patch.msgid.link/20250621223000.11817-2-oliver.schramm97@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -356,6 +356,13 @@ static const struct dmi_system_id yc_acp
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "83J3"),
++ }
++ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "UM5302TA"),
+ }
--- /dev/null
+From 3e0809b1664b9dc650d9dbca9a2d3ac690d4f661 Mon Sep 17 00:00:00 2001
+From: Niklas Cassel <cassel@kernel.org>
+Date: Tue, 24 Jun 2025 09:40:30 +0200
+Subject: ata: ahci: Use correct DMI identifier for ASUSPRO-D840SA LPM quirk
+
+From: Niklas Cassel <cassel@kernel.org>
+
+commit 3e0809b1664b9dc650d9dbca9a2d3ac690d4f661 upstream.
+
+ASUS store the board name in DMI_PRODUCT_NAME rather than
+DMI_PRODUCT_VERSION. (Apparently it is only Lenovo that stores the
+model-name in DMI_PRODUCT_VERSION.)
+
+Use the correct DMI identifier, DMI_PRODUCT_NAME, to match the
+ASUSPRO-D840SA board, such that the quirk actually gets applied.
+
+Cc: stable@vger.kernel.org
+Reported-by: Andy Yang <andyybtc79@gmail.com>
+Tested-by: Andy Yang <andyybtc79@gmail.com>
+Closes: https://lore.kernel.org/linux-ide/aFb3wXAwJSSJUB7o@ryzen/
+Fixes: b5acc3628898 ("ata: ahci: Disallow LPM for ASUSPRO-D840SA motherboard")
+Reviewed-by: Hans de Goede <hansg@kernel.org>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Link: https://lore.kernel.org/r/20250624074029.963028-2-cassel@kernel.org
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/ahci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -1456,7 +1456,7 @@ static bool ahci_broken_lpm(struct pci_d
+ {
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+- DMI_MATCH(DMI_PRODUCT_VERSION, "ASUSPRO D840MB_M840SA"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "ASUSPRO D840MB_M840SA"),
+ },
+ /* 320 is broken, there is no known good version. */
+ },
--- /dev/null
+From a3ef3c2da675a8a564c8bea1a511cdd0a2a9aa49 Mon Sep 17 00:00:00 2001
+From: Imre Deak <imre.deak@intel.com>
+Date: Thu, 5 Jun 2025 11:28:46 +0300
+Subject: drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Imre Deak <imre.deak@intel.com>
+
+commit a3ef3c2da675a8a564c8bea1a511cdd0a2a9aa49 upstream.
+
+Reading DPCD registers has side-effects in general. In particular
+accessing registers outside of the link training register range
+(0x102-0x106, 0x202-0x207, 0x200c-0x200f, 0x2216) is explicitly
+forbidden by the DP v2.1 Standard, see
+
+3.6.5.1 DPTX AUX Transaction Handling Mandates
+3.6.7.4 128b/132b DP Link Layer LTTPR Link Training Mandates
+
+Based on my tests, accessing the DPCD_REV register during the link
+training of an UHBR TBT DP tunnel sink leads to link training failures.
+
+Solve the above by using the DP_LANE0_1_STATUS (0x202) register for the
+DPCD register access quirk.
+
+Cc: <stable@vger.kernel.org>
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Cc: Jani Nikula <jani.nikula@linux.intel.com>
+Acked-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Link: https://lore.kernel.org/r/20250605082850.65136-2-imre.deak@intel.com
+(cherry picked from commit a40c5d727b8111b5db424a1e43e14a1dcce1e77f)
+Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/display/drm_dp_helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/display/drm_dp_helper.c
++++ b/drivers/gpu/drm/display/drm_dp_helper.c
+@@ -664,7 +664,7 @@ ssize_t drm_dp_dpcd_read(struct drm_dp_a
+ * monitor doesn't power down exactly after the throw away read.
+ */
+ if (!aux->is_remote) {
+- ret = drm_dp_dpcd_probe(aux, DP_DPCD_REV);
++ ret = drm_dp_dpcd_probe(aux, DP_LANE0_1_STATUS);
+ if (ret < 0)
+ return ret;
+ }
--- /dev/null
+From 62207293479e6c03ef498a70f2914c51f4d31d2c Mon Sep 17 00:00:00 2001
+From: Haoxiang Li <haoxiang_li2024@163.com>
+Date: Fri, 16 May 2025 15:16:55 +0300
+Subject: drm/xe/display: Add check for alloc_ordered_workqueue()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Haoxiang Li <haoxiang_li2024@163.com>
+
+commit 62207293479e6c03ef498a70f2914c51f4d31d2c upstream.
+
+Add check for the return value of alloc_ordered_workqueue()
+in xe_display_create() to catch potential exception.
+
+Fixes: 44e694958b95 ("drm/xe/display: Implement display support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
+Reviewed-by: Matthew Auld <matthew.auld@intel.com>
+Link: https://lore.kernel.org/r/4ee1b0e5d1626ce1dde2e82af05c2edaed50c3aa.1747397638.git.jani.nikula@intel.com
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+(cherry picked from commit 5b62d63395d5b7d4094e7cd380bccae4b25415cb)
+Signed-off-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/xe/display/xe_display.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/xe/display/xe_display.c
++++ b/drivers/gpu/drm/xe/display/xe_display.c
+@@ -96,6 +96,8 @@ int xe_display_create(struct xe_device *
+ spin_lock_init(&xe->display.fb_tracking.lock);
+
+ xe->display.hotplug.dp_wq = alloc_ordered_workqueue("xe-dp", 0);
++ if (!xe->display.hotplug.dp_wq)
++ return -ENOMEM;
+
+ return drmm_add_action_or_reset(&xe->drm, display_destroy, NULL);
+ }
--- /dev/null
+From 4a5e85f4eb8fd18b1266342d100e4f0849544ca0 Mon Sep 17 00:00:00 2001
+From: David Hildenbrand <david@redhat.com>
+Date: Tue, 17 Jun 2025 16:35:32 +0200
+Subject: fs/proc/task_mmu: fix PAGE_IS_PFNZERO detection for the huge zero folio
+
+From: David Hildenbrand <david@redhat.com>
+
+commit 4a5e85f4eb8fd18b1266342d100e4f0849544ca0 upstream.
+
+is_zero_pfn() does not work for the huge zero folio. Fix it by using
+is_huge_zero_pmd().
+
+This can cause the PAGEMAP_SCAN ioctl against /proc/pid/pagemap to
+present pages as PAGE_IS_PRESENT rather than as PAGE_IS_PFNZERO.
+
+Found by code inspection.
+
+Link: https://lkml.kernel.org/r/20250617143532.2375383-1-david@redhat.com
+Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs")
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Cc: Muhammad Usama Anjum <usama.anjum@collabora.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/task_mmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -2155,7 +2155,7 @@ static unsigned long pagemap_thp_categor
+ categories |= PAGE_IS_FILE;
+ }
+
+- if (is_zero_pfn(pmd_pfn(pmd)))
++ if (is_huge_zero_pmd(pmd))
+ categories |= PAGE_IS_PFNZERO;
+ if (pmd_soft_dirty(pmd))
+ categories |= PAGE_IS_SOFT_DIRTY;
--- /dev/null
+From 56ad91c1aa9c18064348edf69308080b03c9dc48 Mon Sep 17 00:00:00 2001
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Date: Thu, 22 May 2025 08:42:35 +0200
+Subject: i2c: robotfuzz-osif: disable zero-length read messages
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+commit 56ad91c1aa9c18064348edf69308080b03c9dc48 upstream.
+
+This driver passes the length of an i2c_msg directly to
+usb_control_msg(). If the message is now a read and of length 0, it
+violates the USB protocol and a warning will be printed. Enable the
+I2C_AQ_NO_ZERO_LEN_READ quirk for this adapter thus forbidding 0-length
+read messages altogether.
+
+Fixes: 83e53a8f120f ("i2c: Add bus driver for for OSIF USB i2c device.")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Cc: <stable@vger.kernel.org> # v3.14+
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/20250522064234.3721-2-wsa+renesas@sang-engineering.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-robotfuzz-osif.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/i2c/busses/i2c-robotfuzz-osif.c
++++ b/drivers/i2c/busses/i2c-robotfuzz-osif.c
+@@ -111,6 +111,11 @@ static u32 osif_func(struct i2c_adapter
+ return I2C_FUNC_I2C | I2C_FUNC_SMBUS_EMUL;
+ }
+
++/* prevent invalid 0-length usb_control_msg */
++static const struct i2c_adapter_quirks osif_quirks = {
++ .flags = I2C_AQ_NO_ZERO_LEN_READ,
++};
++
+ static const struct i2c_algorithm osif_algorithm = {
+ .xfer = osif_xfer,
+ .functionality = osif_func,
+@@ -143,6 +148,7 @@ static int osif_probe(struct usb_interfa
+
+ priv->adapter.owner = THIS_MODULE;
+ priv->adapter.class = I2C_CLASS_HWMON;
++ priv->adapter.quirks = &osif_quirks;
+ priv->adapter.algo = &osif_algorithm;
+ priv->adapter.algo_data = priv;
+ snprintf(priv->adapter.name, sizeof(priv->adapter.name),
--- /dev/null
+From cbdb25ccf7566eee0c2b945e35cb98baf9ed0aa6 Mon Sep 17 00:00:00 2001
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Date: Thu, 22 May 2025 08:43:49 +0200
+Subject: i2c: tiny-usb: disable zero-length read messages
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+commit cbdb25ccf7566eee0c2b945e35cb98baf9ed0aa6 upstream.
+
+This driver passes the length of an i2c_msg directly to
+usb_control_msg(). If the message is now a read and of length 0, it
+violates the USB protocol and a warning will be printed. Enable the
+I2C_AQ_NO_ZERO_LEN_READ quirk for this adapter thus forbidding 0-length
+read messages altogether.
+
+Fixes: e8c76eed2ecd ("i2c: New i2c-tiny-usb bus driver")
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Cc: <stable@vger.kernel.org> # v2.6.22+
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/20250522064349.3823-2-wsa+renesas@sang-engineering.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-tiny-usb.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/i2c/busses/i2c-tiny-usb.c
++++ b/drivers/i2c/busses/i2c-tiny-usb.c
+@@ -138,6 +138,11 @@ out:
+ return ret;
+ }
+
++/* prevent invalid 0-length usb_control_msg */
++static const struct i2c_adapter_quirks usb_quirks = {
++ .flags = I2C_AQ_NO_ZERO_LEN_READ,
++};
++
+ /* This is the actual algorithm we define */
+ static const struct i2c_algorithm usb_algorithm = {
+ .xfer = usb_xfer,
+@@ -246,6 +251,7 @@ static int i2c_tiny_usb_probe(struct usb
+ /* setup i2c adapter description */
+ dev->adapter.owner = THIS_MODULE;
+ dev->adapter.class = I2C_CLASS_HWMON;
++ dev->adapter.quirks = &usb_quirks;
+ dev->adapter.algo = &usb_algorithm;
+ dev->adapter.algo_data = dev;
+ snprintf(dev->adapter.name, sizeof(dev->adapter.name),
--- /dev/null
+From df831e97739405ecbaddb85516bc7d4d1c933d6b Mon Sep 17 00:00:00 2001
+From: Yu Kuai <yukuai3@huawei.com>
+Date: Thu, 19 Jun 2025 21:26:55 +0800
+Subject: lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly()
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+commit df831e97739405ecbaddb85516bc7d4d1c933d6b upstream.
+
+While testing null_blk with configfs, echo 0 > poll_queues will trigger
+following panic:
+
+BUG: kernel NULL pointer dereference, address: 0000000000000010
+Oops: Oops: 0000 [#1] SMP NOPTI
+CPU: 27 UID: 0 PID: 920 Comm: bash Not tainted 6.15.0-02023-gadbdb95c8696-dirty #1238 PREEMPT(undef)
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014
+RIP: 0010:__bitmap_or+0x48/0x70
+Call Trace:
+ <TASK>
+ __group_cpus_evenly+0x822/0x8c0
+ group_cpus_evenly+0x2d9/0x490
+ blk_mq_map_queues+0x1e/0x110
+ null_map_queues+0xc9/0x170 [null_blk]
+ blk_mq_update_queue_map+0xdb/0x160
+ blk_mq_update_nr_hw_queues+0x22b/0x560
+ nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]
+ nullb_device_poll_queues_store+0xa4/0x130 [null_blk]
+ configfs_write_iter+0x109/0x1d0
+ vfs_write+0x26e/0x6f0
+ ksys_write+0x79/0x180
+ __x64_sys_write+0x1d/0x30
+ x64_sys_call+0x45c4/0x45f0
+ do_syscall_64+0xa5/0x240
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+Root cause is that numgrps is set to 0, and ZERO_SIZE_PTR is returned from
+kcalloc(), and later ZERO_SIZE_PTR will be deferenced.
+
+Fix the problem by checking numgrps first in group_cpus_evenly(), and
+return NULL directly if numgrps is zero.
+
+[yukuai3@huawei.com: also fix the non-SMP version]
+ Link: https://lkml.kernel.org/r/20250620010958.1265984-1-yukuai1@huaweicloud.com
+Link: https://lkml.kernel.org/r/20250619132655.3318883-1-yukuai1@huaweicloud.com
+Fixes: 6a6dcae8f486 ("blk-mq: Build default queue map via group_cpus_evenly()")
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Jens Axboe <axboe@kernel.dk>
+Cc: ErKun Yang <yangerkun@huawei.com>
+Cc: John Garry <john.g.garry@oracle.com>
+Cc: Thomas Gleinxer <tglx@linutronix.de>
+Cc: "zhangyi (F)" <yi.zhang@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/group_cpus.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/lib/group_cpus.c
++++ b/lib/group_cpus.c
+@@ -352,6 +352,9 @@ struct cpumask *group_cpus_evenly(unsign
+ int ret = -ENOMEM;
+ struct cpumask *masks = NULL;
+
++ if (numgrps == 0)
++ return NULL;
++
+ if (!zalloc_cpumask_var(&nmsk, GFP_KERNEL))
+ return NULL;
+
+@@ -426,8 +429,12 @@ struct cpumask *group_cpus_evenly(unsign
+ #else /* CONFIG_SMP */
+ struct cpumask *group_cpus_evenly(unsigned int numgrps)
+ {
+- struct cpumask *masks = kcalloc(numgrps, sizeof(*masks), GFP_KERNEL);
++ struct cpumask *masks;
+
++ if (numgrps == 0)
++ return NULL;
++
++ masks = kcalloc(numgrps, sizeof(*masks), GFP_KERNEL);
+ if (!masks)
+ return NULL;
+
--- /dev/null
+From 4f489fe6afb395dbc79840efa3c05440b760d883 Mon Sep 17 00:00:00 2001
+From: SeongJae Park <sj@kernel.org>
+Date: Thu, 19 Jun 2025 11:36:07 -0700
+Subject: mm/damon/sysfs-schemes: free old damon_sysfs_scheme_filter->memcg_path on write
+
+From: SeongJae Park <sj@kernel.org>
+
+commit 4f489fe6afb395dbc79840efa3c05440b760d883 upstream.
+
+memcg_path_store() assigns a newly allocated memory buffer to
+filter->memcg_path, without deallocating the previously allocated and
+assigned memory buffer. As a result, users can leak kernel memory by
+continuously writing a data to memcg_path DAMOS sysfs file. Fix the leak
+by deallocating the previously set memory buffer.
+
+Link: https://lkml.kernel.org/r/20250619183608.6647-2-sj@kernel.org
+Fixes: 7ee161f18b5d ("mm/damon/sysfs-schemes: implement filter directory")
+Signed-off-by: SeongJae Park <sj@kernel.org>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: <stable@vger.kernel.org> [6.3.x]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/damon/sysfs-schemes.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/mm/damon/sysfs-schemes.c
++++ b/mm/damon/sysfs-schemes.c
+@@ -423,6 +423,7 @@ static ssize_t memcg_path_store(struct k
+ return -ENOMEM;
+
+ strscpy(path, buf, count + 1);
++ kfree(filter->memcg_path);
+ filter->memcg_path = path;
+ return count;
+ }
--- /dev/null
+From 890ba5be6335dbbbc99af14ea007befb5f83f174 Mon Sep 17 00:00:00 2001
+From: Nam Cao <namcao@linutronix.de>
+Date: Thu, 19 Jun 2025 17:58:58 +0200
+Subject: Revert "riscv: Define TASK_SIZE_MAX for __access_ok()"
+
+From: Nam Cao <namcao@linutronix.de>
+
+commit 890ba5be6335dbbbc99af14ea007befb5f83f174 upstream.
+
+This reverts commit ad5643cf2f69 ("riscv: Define TASK_SIZE_MAX for
+__access_ok()").
+
+This commit changes TASK_SIZE_MAX to be LONG_MAX to optimize access_ok(),
+because the previous TASK_SIZE_MAX (default to TASK_SIZE) requires some
+computation.
+
+The reasoning was that all user addresses are less than LONG_MAX, and all
+kernel addresses are greater than LONG_MAX. Therefore access_ok() can
+filter kernel addresses.
+
+Addresses between TASK_SIZE and LONG_MAX are not valid user addresses, but
+access_ok() let them pass. That was thought to be okay, because they are
+not valid addresses at hardware level.
+
+Unfortunately, one case is missed: get_user_pages_fast() happily accepts
+addresses between TASK_SIZE and LONG_MAX. futex(), for instance, uses
+get_user_pages_fast(). This causes the problem reported by Robert [1].
+
+Therefore, revert this commit. TASK_SIZE_MAX is changed to the default:
+TASK_SIZE.
+
+This unfortunately reduces performance, because TASK_SIZE is more expensive
+to compute compared to LONG_MAX. But correctness first, we can think about
+optimization later, if required.
+
+Reported-by: <rtm@csail.mit.edu>
+Closes: https://lore.kernel.org/linux-riscv/77605.1750245028@localhost/
+Signed-off-by: Nam Cao <namcao@linutronix.de>
+Cc: stable@vger.kernel.org
+Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Fixes: ad5643cf2f69 ("riscv: Define TASK_SIZE_MAX for __access_ok()")
+Link: https://lore.kernel.org/r/20250619155858.1249789-1-namcao@linutronix.de
+Signed-off-by: Palmer Dabbelt <palmer@dabbelt.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/include/asm/pgtable.h | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/riscv/include/asm/pgtable.h
++++ b/arch/riscv/include/asm/pgtable.h
+@@ -916,7 +916,6 @@ static inline pte_t pte_swp_clear_exclus
+ */
+ #ifdef CONFIG_64BIT
+ #define TASK_SIZE_64 (PGDIR_SIZE * PTRS_PER_PGD / 2)
+-#define TASK_SIZE_MAX LONG_MAX
+
+ #ifdef CONFIG_COMPAT
+ #define TASK_SIZE_32 (_AC(0x80000000, UL) - PAGE_SIZE)
--- /dev/null
+From 2f73c62d4e13df67380ff6faca39eec2bf08dd93 Mon Sep 17 00:00:00 2001
+From: Nam Cao <namcao@linutronix.de>
+Date: Fri, 20 Jun 2025 13:09:39 +0200
+Subject: Revert "riscv: misaligned: fix sleeping function called during misaligned access handling"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nam Cao <namcao@linutronix.de>
+
+commit 2f73c62d4e13df67380ff6faca39eec2bf08dd93 upstream.
+
+This reverts commit 61a74ad25462 ("riscv: misaligned: fix sleeping function
+called during misaligned access handling"). The commit addresses a sleeping
+in atomic context problem, but it is not the correct fix as explained by
+Clément:
+
+"Using nofault would lead to failure to read from user memory that is paged
+out for instance. This is not really acceptable, we should handle user
+misaligned access even at an address that would generate a page fault."
+
+This bug has been properly fixed by commit 453805f0a28f ("riscv:
+misaligned: enable IRQs while handling misaligned accesses").
+
+Revert this improper fix.
+
+Link: https://lore.kernel.org/linux-riscv/b779beed-e44e-4a5e-9551-4647682b0d21@rivosinc.com/
+Signed-off-by: Nam Cao <namcao@linutronix.de>
+Cc: stable@vger.kernel.org
+Reviewed-by: Clément Léger <cleger@rivosinc.com>
+Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Fixes: 61a74ad25462 ("riscv: misaligned: fix sleeping function called during misaligned access handling")
+Link: https://lore.kernel.org/r/20250620110939.1642735-1-namcao@linutronix.de
+Signed-off-by: Palmer Dabbelt <palmer@dabbelt.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/kernel/traps_misaligned.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/riscv/kernel/traps_misaligned.c
++++ b/arch/riscv/kernel/traps_misaligned.c
+@@ -429,7 +429,7 @@ int handle_misaligned_load(struct pt_reg
+
+ val.data_u64 = 0;
+ if (user_mode(regs)) {
+- if (copy_from_user_nofault(&val, (u8 __user *)addr, len))
++ if (copy_from_user(&val, (u8 __user *)addr, len))
+ return -1;
+ } else {
+ memcpy(&val, (u8 *)addr, len);
+@@ -530,7 +530,7 @@ int handle_misaligned_store(struct pt_re
+ return -EOPNOTSUPP;
+
+ if (user_mode(regs)) {
+- if (copy_to_user_nofault((u8 __user *)addr, &val, len))
++ if (copy_to_user((u8 __user *)addr, &val, len))
+ return -1;
+ } else {
+ memcpy((u8 *)addr, &val, len);
--- /dev/null
+From 7360ee47599af91a1d5f4e74d635d9408a54e489 Mon Sep 17 00:00:00 2001
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+Date: Wed, 11 Jun 2025 22:20:10 +0300
+Subject: s390/pkey: Prevent overflow in size calculation for memdup_user()
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+commit 7360ee47599af91a1d5f4e74d635d9408a54e489 upstream.
+
+Number of apqn target list entries contained in 'nr_apqns' variable is
+determined by userspace via an ioctl call so the result of the product in
+calculation of size passed to memdup_user() may overflow.
+
+In this case the actual size of the allocated area and the value
+describing it won't be in sync leading to various types of unpredictable
+behaviour later.
+
+Use a proper memdup_array_user() helper which returns an error if an
+overflow is detected. Note that it is different from when nr_apqns is
+initially zero - that case is considered valid and should be handled in
+subsequent pkey_handler implementations.
+
+Found by Linux Verification Center (linuxtesting.org).
+
+Fixes: f2bbc96e7cfa ("s390/pkey: add CCA AES cipher key support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Reviewed-by: Holger Dengler <dengler@linux.ibm.com>
+Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
+Link: https://lore.kernel.org/r/20250611192011.206057-1-pchelkin@ispras.ru
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/crypto/pkey_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/s390/crypto/pkey_api.c
++++ b/drivers/s390/crypto/pkey_api.c
+@@ -85,7 +85,7 @@ static void *_copy_apqns_from_user(void
+ if (!uapqns || nr_apqns == 0)
+ return NULL;
+
+- return memdup_user(uapqns, nr_apqns * sizeof(struct pkey_apqn));
++ return memdup_array_user(uapqns, nr_apqns, sizeof(struct pkey_apqn));
+ }
+
+ static int pkey_ioctl_genseck(struct pkey_genseck __user *ugs)
accel-ivpu-add-debugfs-interface-for-setting-hws-pri.patch
accel-ivpu-trigger-device-recovery-on-engine-reset-r.patch
af_unix-don-t-leave-consecutive-consumed-oob-skbs.patch
+i2c-tiny-usb-disable-zero-length-read-messages.patch
+i2c-robotfuzz-osif-disable-zero-length-read-messages.patch
+ata-ahci-use-correct-dmi-identifier-for-asuspro-d840sa-lpm-quirk.patch
+smb-client-remove-t-from-tp_printk-statements.patch
+mm-damon-sysfs-schemes-free-old-damon_sysfs_scheme_filter-memcg_path-on-write.patch
+asoc-amd-yc-add-dmi-quirk-for-lenovo-ideapad-slim-5-15.patch
+s390-pkey-prevent-overflow-in-size-calculation-for-memdup_user.patch
+fs-proc-task_mmu-fix-page_is_pfnzero-detection-for-the-huge-zero-folio.patch
+lib-group_cpus-fix-null-pointer-dereference-from-group_cpus_evenly.patch
+revert-riscv-define-task_size_max-for-__access_ok.patch
+revert-riscv-misaligned-fix-sleeping-function-called-during-misaligned-access-handling.patch
+drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch
+drm-xe-display-add-check-for-alloc_ordered_workqueue.patch
--- /dev/null
+From e97f9540ce001503a4539f337da742c1dfa7d86a Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 25 Jun 2025 10:13:04 +0200
+Subject: smb: client: remove \t from TP_printk statements
+
+From: Stefan Metzmacher <metze@samba.org>
+
+commit e97f9540ce001503a4539f337da742c1dfa7d86a upstream.
+
+The generate '[FAILED TO PARSE]' strings in trace-cmd report output like this:
+
+ rm-5298 [001] 6084.533748493: smb3_exit_err: [FAILED TO PARSE] xid=972 func_name=cifs_rmdir rc=-39
+ rm-5298 [001] 6084.533959234: smb3_enter: [FAILED TO PARSE] xid=973 func_name=cifs_closedir
+ rm-5298 [001] 6084.533967630: smb3_close_enter: [FAILED TO PARSE] xid=973 fid=94489281833 tid=1 sesid=96758029877361
+ rm-5298 [001] 6084.534004008: smb3_cmd_enter: [FAILED TO PARSE] tid=1 sesid=96758029877361 cmd=6 mid=566
+ rm-5298 [001] 6084.552248232: smb3_cmd_done: [FAILED TO PARSE] tid=1 sesid=96758029877361 cmd=6 mid=566
+ rm-5298 [001] 6084.552280542: smb3_close_done: [FAILED TO PARSE] xid=973 fid=94489281833 tid=1 sesid=96758029877361
+ rm-5298 [001] 6084.552316034: smb3_exit_done: [FAILED TO PARSE] xid=973 func_name=cifs_closedir
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/trace.h | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+--- a/fs/smb/client/trace.h
++++ b/fs/smb/client/trace.h
+@@ -140,7 +140,7 @@ DECLARE_EVENT_CLASS(smb3_rw_err_class,
+ __entry->len = len;
+ __entry->rc = rc;
+ ),
+- TP_printk("\tR=%08x[%x] xid=%u sid=0x%llx tid=0x%x fid=0x%llx offset=0x%llx len=0x%x rc=%d",
++ TP_printk("R=%08x[%x] xid=%u sid=0x%llx tid=0x%x fid=0x%llx offset=0x%llx len=0x%x rc=%d",
+ __entry->rreq_debug_id, __entry->rreq_debug_index,
+ __entry->xid, __entry->sesid, __entry->tid, __entry->fid,
+ __entry->offset, __entry->len, __entry->rc)
+@@ -190,7 +190,7 @@ DECLARE_EVENT_CLASS(smb3_other_err_class
+ __entry->len = len;
+ __entry->rc = rc;
+ ),
+- TP_printk("\txid=%u sid=0x%llx tid=0x%x fid=0x%llx offset=0x%llx len=0x%x rc=%d",
++ TP_printk("xid=%u sid=0x%llx tid=0x%x fid=0x%llx offset=0x%llx len=0x%x rc=%d",
+ __entry->xid, __entry->sesid, __entry->tid, __entry->fid,
+ __entry->offset, __entry->len, __entry->rc)
+ )
+@@ -247,7 +247,7 @@ DECLARE_EVENT_CLASS(smb3_copy_range_err_
+ __entry->len = len;
+ __entry->rc = rc;
+ ),
+- TP_printk("\txid=%u sid=0x%llx tid=0x%x source fid=0x%llx source offset=0x%llx target fid=0x%llx target offset=0x%llx len=0x%x rc=%d",
++ TP_printk("xid=%u sid=0x%llx tid=0x%x source fid=0x%llx source offset=0x%llx target fid=0x%llx target offset=0x%llx len=0x%x rc=%d",
+ __entry->xid, __entry->sesid, __entry->tid, __entry->target_fid,
+ __entry->src_offset, __entry->target_fid, __entry->target_offset, __entry->len, __entry->rc)
+ )
+@@ -298,7 +298,7 @@ DECLARE_EVENT_CLASS(smb3_copy_range_done
+ __entry->target_offset = target_offset;
+ __entry->len = len;
+ ),
+- TP_printk("\txid=%u sid=0x%llx tid=0x%x source fid=0x%llx source offset=0x%llx target fid=0x%llx target offset=0x%llx len=0x%x",
++ TP_printk("xid=%u sid=0x%llx tid=0x%x source fid=0x%llx source offset=0x%llx target fid=0x%llx target offset=0x%llx len=0x%x",
+ __entry->xid, __entry->sesid, __entry->tid, __entry->target_fid,
+ __entry->src_offset, __entry->target_fid, __entry->target_offset, __entry->len)
+ )
+@@ -482,7 +482,7 @@ DECLARE_EVENT_CLASS(smb3_fd_class,
+ __entry->tid = tid;
+ __entry->sesid = sesid;
+ ),
+- TP_printk("\txid=%u sid=0x%llx tid=0x%x fid=0x%llx",
++ TP_printk("xid=%u sid=0x%llx tid=0x%x fid=0x%llx",
+ __entry->xid, __entry->sesid, __entry->tid, __entry->fid)
+ )
+
+@@ -521,7 +521,7 @@ DECLARE_EVENT_CLASS(smb3_fd_err_class,
+ __entry->sesid = sesid;
+ __entry->rc = rc;
+ ),
+- TP_printk("\txid=%u sid=0x%llx tid=0x%x fid=0x%llx rc=%d",
++ TP_printk("xid=%u sid=0x%llx tid=0x%x fid=0x%llx rc=%d",
+ __entry->xid, __entry->sesid, __entry->tid, __entry->fid,
+ __entry->rc)
+ )
+@@ -793,7 +793,7 @@ DECLARE_EVENT_CLASS(smb3_cmd_err_class,
+ __entry->status = status;
+ __entry->rc = rc;
+ ),
+- TP_printk("\tsid=0x%llx tid=0x%x cmd=%u mid=%llu status=0x%x rc=%d",
++ TP_printk("sid=0x%llx tid=0x%x cmd=%u mid=%llu status=0x%x rc=%d",
+ __entry->sesid, __entry->tid, __entry->cmd, __entry->mid,
+ __entry->status, __entry->rc)
+ )
+@@ -828,7 +828,7 @@ DECLARE_EVENT_CLASS(smb3_cmd_done_class,
+ __entry->cmd = cmd;
+ __entry->mid = mid;
+ ),
+- TP_printk("\tsid=0x%llx tid=0x%x cmd=%u mid=%llu",
++ TP_printk("sid=0x%llx tid=0x%x cmd=%u mid=%llu",
+ __entry->sesid, __entry->tid,
+ __entry->cmd, __entry->mid)
+ )
+@@ -866,7 +866,7 @@ DECLARE_EVENT_CLASS(smb3_mid_class,
+ __entry->when_sent = when_sent;
+ __entry->when_received = when_received;
+ ),
+- TP_printk("\tcmd=%u mid=%llu pid=%u, when_sent=%lu when_rcv=%lu",
++ TP_printk("cmd=%u mid=%llu pid=%u, when_sent=%lu when_rcv=%lu",
+ __entry->cmd, __entry->mid, __entry->pid, __entry->when_sent,
+ __entry->when_received)
+ )
+@@ -897,7 +897,7 @@ DECLARE_EVENT_CLASS(smb3_exit_err_class,
+ __assign_str(func_name);
+ __entry->rc = rc;
+ ),
+- TP_printk("\t%s: xid=%u rc=%d",
++ TP_printk("%s: xid=%u rc=%d",
+ __get_str(func_name), __entry->xid, __entry->rc)
+ )
+
+@@ -923,7 +923,7 @@ DECLARE_EVENT_CLASS(smb3_sync_err_class,
+ __entry->ino = ino;
+ __entry->rc = rc;
+ ),
+- TP_printk("\tino=%lu rc=%d",
++ TP_printk("ino=%lu rc=%d",
+ __entry->ino, __entry->rc)
+ )
+
+@@ -949,7 +949,7 @@ DECLARE_EVENT_CLASS(smb3_enter_exit_clas
+ __entry->xid = xid;
+ __assign_str(func_name);
+ ),
+- TP_printk("\t%s: xid=%u",
++ TP_printk("%s: xid=%u",
+ __get_str(func_name), __entry->xid)
+ )
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
