--- /dev/null
+From 3cf615bf5544c1b35ee99172ecf04df9226871c4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Feb 2025 12:44:20 -0500
+Subject: arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array
+
+From: Radu Rendec <rrendec@redhat.com>
+
+[ Upstream commit 875d742cf5327c93cba1f11e12b08d3cce7a88d2 ]
+
+The loop that detects/populates cache information already has a bounds
+check on the array size but does not account for cache levels with
+separate data/instructions cache. Fix this by incrementing the index
+for any populated leaf (instead of any populated level).
+
+Fixes: 5d425c186537 ("arm64: kernel: add support for cpu cache information")
+
+Signed-off-by: Radu Rendec <rrendec@redhat.com>
+Link: https://lore.kernel.org/r/20250206174420.2178724-1-rrendec@redhat.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/kernel/cacheinfo.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/arch/arm64/kernel/cacheinfo.c b/arch/arm64/kernel/cacheinfo.c
+index 97c42be71338a..1510f457b6154 100644
+--- a/arch/arm64/kernel/cacheinfo.c
++++ b/arch/arm64/kernel/cacheinfo.c
+@@ -87,16 +87,18 @@ int populate_cache_leaves(unsigned int cpu)
+ unsigned int level, idx;
+ enum cache_type type;
+ struct cpu_cacheinfo *this_cpu_ci = get_cpu_cacheinfo(cpu);
+- struct cacheinfo *this_leaf = this_cpu_ci->info_list;
++ struct cacheinfo *infos = this_cpu_ci->info_list;
+
+ for (idx = 0, level = 1; level <= this_cpu_ci->num_levels &&
+- idx < this_cpu_ci->num_leaves; idx++, level++) {
++ idx < this_cpu_ci->num_leaves; level++) {
+ type = get_cache_type(level);
+ if (type == CACHE_TYPE_SEPARATE) {
+- ci_leaf_init(this_leaf++, CACHE_TYPE_DATA, level);
+- ci_leaf_init(this_leaf++, CACHE_TYPE_INST, level);
++ if (idx + 1 >= this_cpu_ci->num_leaves)
++ break;
++ ci_leaf_init(&infos[idx++], CACHE_TYPE_DATA, level);
++ ci_leaf_init(&infos[idx++], CACHE_TYPE_INST, level);
+ } else {
+- ci_leaf_init(this_leaf++, type, level);
++ ci_leaf_init(&infos[idx++], type, level);
+ }
+ }
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From 34281e8a9e3a21928639f90d684f1aa2855dda2f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Jan 2025 14:25:07 +0100
+Subject: ASoC: Intel: bytcr_rt5640: Add DMI quirk for Vexia Edu Atla 10 tablet
+ 5V
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 6917192378c1ce17ba31df51c4e0d8b1c97a453b ]
+
+The Vexia EDU ATLA 10 tablet comes in 2 different versions with
+significantly different mainboards. The only outward difference is that
+the charging barrel on one is marked 5V and the other is marked 9V.
+
+The 5V version mostly works with the BYTCR defaults, except that it is
+missing a CHAN package in its ACPI tables and the default of using
+SSP0-AIF2 is wrong, instead SSP0-AIF1 must be used. That and its jack
+detect signal is not inverted as it usually is.
+
+Add a DMI quirk for the 5V version to fix sound not working.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://patch.msgid.link/20250123132507.18434-1-hdegoede@redhat.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/intel/boards/bytcr_rt5640.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c
+index 8706fef8ccce8..721b9971fd744 100644
+--- a/sound/soc/intel/boards/bytcr_rt5640.c
++++ b/sound/soc/intel/boards/bytcr_rt5640.c
+@@ -1102,7 +1102,22 @@ static const struct dmi_system_id byt_rt5640_quirk_table[] = {
+ BYT_RT5640_SSP0_AIF2 |
+ BYT_RT5640_MCLK_EN),
+ },
+- { /* Vexia Edu Atla 10 tablet */
++ {
++ /* Vexia Edu Atla 10 tablet 5V version */
++ .matches = {
++ /* Having all 3 of these not set is somewhat unique */
++ DMI_MATCH(DMI_SYS_VENDOR, "To be filled by O.E.M."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "To be filled by O.E.M."),
++ DMI_MATCH(DMI_BOARD_NAME, "To be filled by O.E.M."),
++ /* Above strings are too generic, also match on BIOS date */
++ DMI_MATCH(DMI_BIOS_DATE, "05/14/2015"),
++ },
++ .driver_data = (void *)(BYTCR_INPUT_DEFAULTS |
++ BYT_RT5640_JD_NOT_INV |
++ BYT_RT5640_SSP0_AIF1 |
++ BYT_RT5640_MCLK_EN),
++ },
++ { /* Vexia Edu Atla 10 tablet 9V version */
+ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "AMI Corporation"),
+ DMI_MATCH(DMI_BOARD_NAME, "Aptio CRB"),
+--
+2.39.5
+
--- /dev/null
+From 007bb80a8c0e4742a3c8bbfd6175f4584f9687c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jan 2025 09:19:31 +0000
+Subject: drm/i915/selftests: avoid using uninitialized context
+
+From: Krzysztof Karas <krzysztof.karas@intel.com>
+
+[ Upstream commit 53139b3f9998ea07289e7b70b909fea2264a0de9 ]
+
+There is an error path in igt_ppgtt_alloc(), which leads
+to ww object being passed down to i915_gem_ww_ctx_fini() without
+initialization. Correct that by only putting ppgtt->vm and
+returning early.
+
+Fixes: 480ae79537b2 ("drm/i915/selftests: Prepare gtt tests for obj->mm.lock removal")
+Signed-off-by: Krzysztof Karas <krzysztof.karas@intel.com>
+Reviewed-by: Mikolaj Wasiak <mikolaj.wasiak@intel.com>
+Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
+Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/iuaonpjc3rywmvhna6umjlvzilocn2uqsrxfxfob24e2taocbi@lkaivvfp4777
+(cherry picked from commit 8d8334632ea62424233ac6529712868241d0f8df)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/i915/selftests/i915_gem_gtt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/i915/selftests/i915_gem_gtt.c b/drivers/gpu/drm/i915/selftests/i915_gem_gtt.c
+index f843a5040706a..df3934a990d08 100644
+--- a/drivers/gpu/drm/i915/selftests/i915_gem_gtt.c
++++ b/drivers/gpu/drm/i915/selftests/i915_gem_gtt.c
+@@ -160,7 +160,7 @@ static int igt_ppgtt_alloc(void *arg)
+ return PTR_ERR(ppgtt);
+
+ if (!ppgtt->vm.allocate_va_range)
+- goto err_ppgtt_cleanup;
++ goto ppgtt_vm_put;
+
+ /*
+ * While we only allocate the page tables here and so we could
+@@ -228,7 +228,7 @@ static int igt_ppgtt_alloc(void *arg)
+ goto retry;
+ }
+ i915_gem_ww_ctx_fini(&ww);
+-
++ppgtt_vm_put:
+ i915_vm_put(&ppgtt->vm);
+ return err;
+ }
+--
+2.39.5
+
--- /dev/null
+From 09524fa6f0df43793ff063ff0e806ca4b0de0ee5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Feb 2025 18:46:02 +0100
+Subject: gpio: bcm-kona: Add missing newline to dev_err format string
+
+From: Artur Weber <aweber.kernel@gmail.com>
+
+[ Upstream commit 615279db222c3ac56d5c93716efd72b843295c1f ]
+
+Add a missing newline to the format string of the "Couldn't get IRQ
+for bank..." error message.
+
+Fixes: 757651e3d60e ("gpio: bcm281xx: Add GPIO driver")
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Reviewed-by: Markus Mayer <mmayer@broadcom.com>
+Signed-off-by: Artur Weber <aweber.kernel@gmail.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/20250206-kona-gpio-fixes-v2-3-409135eab780@gmail.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-bcm-kona.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpio/gpio-bcm-kona.c b/drivers/gpio/gpio-bcm-kona.c
+index 4734749b90860..0c97a8c95e06c 100644
+--- a/drivers/gpio/gpio-bcm-kona.c
++++ b/drivers/gpio/gpio-bcm-kona.c
+@@ -675,7 +675,7 @@ static int bcm_kona_gpio_probe(struct platform_device *pdev)
+ bank->irq = platform_get_irq(pdev, i);
+ bank->kona_gpio = kona_gpio;
+ if (bank->irq < 0) {
+- dev_err(dev, "Couldn't get IRQ for bank %d", i);
++ dev_err(dev, "Couldn't get IRQ for bank %d\n", i);
+ ret = -ENOENT;
+ goto err_irq_domain;
+ }
+--
+2.39.5
+
--- /dev/null
+From 475153a39743172d7c0afb4f41e14a394c8fb42b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Feb 2025 18:46:00 +0100
+Subject: gpio: bcm-kona: Fix GPIO lock/unlock for banks above bank 0
+
+From: Artur Weber <aweber.kernel@gmail.com>
+
+[ Upstream commit de1d0d160f64ee76df1d364d521b2faf465a091c ]
+
+The GPIO lock/unlock functions clear/write a bit to the relevant
+register for each bank. However, due to an oversight the bit that
+was being written was based on the total GPIO number, not the index
+of the GPIO within the relevant bank, causing it to fail for any
+GPIO above 32 (thus any GPIO for banks above bank 0).
+
+Fix lock/unlock for these banks by using the correct bit.
+
+Fixes: bdb93c03c550 ("gpio: bcm281xx: Centralize register locking")
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Reviewed-by: Markus Mayer <mmayer@broadcom.com>
+Signed-off-by: Artur Weber <aweber.kernel@gmail.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/20250206-kona-gpio-fixes-v2-1-409135eab780@gmail.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-bcm-kona.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpio/gpio-bcm-kona.c b/drivers/gpio/gpio-bcm-kona.c
+index d329a143f5ec9..c83968384904e 100644
+--- a/drivers/gpio/gpio-bcm-kona.c
++++ b/drivers/gpio/gpio-bcm-kona.c
+@@ -93,11 +93,12 @@ static void bcm_kona_gpio_lock_gpio(struct bcm_kona_gpio *kona_gpio,
+ u32 val;
+ unsigned long flags;
+ int bank_id = GPIO_BANK(gpio);
++ int bit = GPIO_BIT(gpio);
+
+ raw_spin_lock_irqsave(&kona_gpio->lock, flags);
+
+ val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id));
+- val |= BIT(gpio);
++ val |= BIT(bit);
+ bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val);
+
+ raw_spin_unlock_irqrestore(&kona_gpio->lock, flags);
+@@ -109,11 +110,12 @@ static void bcm_kona_gpio_unlock_gpio(struct bcm_kona_gpio *kona_gpio,
+ u32 val;
+ unsigned long flags;
+ int bank_id = GPIO_BANK(gpio);
++ int bit = GPIO_BIT(gpio);
+
+ raw_spin_lock_irqsave(&kona_gpio->lock, flags);
+
+ val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id));
+- val &= ~BIT(gpio);
++ val &= ~BIT(bit);
+ bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val);
+
+ raw_spin_unlock_irqrestore(&kona_gpio->lock, flags);
+--
+2.39.5
+
--- /dev/null
+From 266779ebcd5ffc5c0c568b92324483c161e6af46 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 6 Feb 2025 18:46:01 +0100
+Subject: gpio: bcm-kona: Make sure GPIO bits are unlocked when requesting IRQ
+
+From: Artur Weber <aweber.kernel@gmail.com>
+
+[ Upstream commit 57f5db77a915cc29461a679a6bcae7097967be1a ]
+
+The settings for all GPIOs are locked by default in bcm_kona_gpio_reset.
+The settings for a GPIO are unlocked when requesting it as a GPIO, but
+not when requesting it as an interrupt, causing the IRQ settings to not
+get applied.
+
+Fix this by making sure to unlock the right bits when an IRQ is requested.
+To avoid a situation where an IRQ being released causes a lock despite
+the same GPIO being used by a GPIO request or vice versa, add an unlock
+counter and only lock if it reaches 0.
+
+Fixes: 757651e3d60e ("gpio: bcm281xx: Add GPIO driver")
+Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Reviewed-by: Markus Mayer <mmayer@broadcom.com>
+Signed-off-by: Artur Weber <aweber.kernel@gmail.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/20250206-kona-gpio-fixes-v2-2-409135eab780@gmail.com
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpio/gpio-bcm-kona.c | 67 +++++++++++++++++++++++++++++-------
+ 1 file changed, 55 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/gpio/gpio-bcm-kona.c b/drivers/gpio/gpio-bcm-kona.c
+index c83968384904e..4734749b90860 100644
+--- a/drivers/gpio/gpio-bcm-kona.c
++++ b/drivers/gpio/gpio-bcm-kona.c
+@@ -76,6 +76,22 @@ struct bcm_kona_gpio {
+ struct bcm_kona_gpio_bank {
+ int id;
+ int irq;
++ /*
++ * Used to keep track of lock/unlock operations for each GPIO in the
++ * bank.
++ *
++ * All GPIOs are locked by default (see bcm_kona_gpio_reset), and the
++ * unlock count for all GPIOs is 0 by default. Each unlock increments
++ * the counter, and each lock decrements the counter.
++ *
++ * The lock function only locks the GPIO once its unlock counter is
++ * down to 0. This is necessary because the GPIO is unlocked in two
++ * places in this driver: once for requested GPIOs, and once for
++ * requested IRQs. Since it is possible for a GPIO to be requested
++ * as both a GPIO and an IRQ, we need to ensure that we don't lock it
++ * too early.
++ */
++ u8 gpio_unlock_count[GPIO_PER_BANK];
+ /* Used in the interrupt handler */
+ struct bcm_kona_gpio *kona_gpio;
+ };
+@@ -94,14 +110,23 @@ static void bcm_kona_gpio_lock_gpio(struct bcm_kona_gpio *kona_gpio,
+ unsigned long flags;
+ int bank_id = GPIO_BANK(gpio);
+ int bit = GPIO_BIT(gpio);
++ struct bcm_kona_gpio_bank *bank = &kona_gpio->banks[bank_id];
+
+- raw_spin_lock_irqsave(&kona_gpio->lock, flags);
++ if (bank->gpio_unlock_count[bit] == 0) {
++ dev_err(kona_gpio->gpio_chip.parent,
++ "Unbalanced locks for GPIO %u\n", gpio);
++ return;
++ }
+
+- val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id));
+- val |= BIT(bit);
+- bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val);
++ if (--bank->gpio_unlock_count[bit] == 0) {
++ raw_spin_lock_irqsave(&kona_gpio->lock, flags);
+
+- raw_spin_unlock_irqrestore(&kona_gpio->lock, flags);
++ val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id));
++ val |= BIT(bit);
++ bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val);
++
++ raw_spin_unlock_irqrestore(&kona_gpio->lock, flags);
++ }
+ }
+
+ static void bcm_kona_gpio_unlock_gpio(struct bcm_kona_gpio *kona_gpio,
+@@ -111,14 +136,19 @@ static void bcm_kona_gpio_unlock_gpio(struct bcm_kona_gpio *kona_gpio,
+ unsigned long flags;
+ int bank_id = GPIO_BANK(gpio);
+ int bit = GPIO_BIT(gpio);
++ struct bcm_kona_gpio_bank *bank = &kona_gpio->banks[bank_id];
+
+- raw_spin_lock_irqsave(&kona_gpio->lock, flags);
++ if (bank->gpio_unlock_count[bit] == 0) {
++ raw_spin_lock_irqsave(&kona_gpio->lock, flags);
+
+- val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id));
+- val &= ~BIT(bit);
+- bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val);
++ val = readl(kona_gpio->reg_base + GPIO_PWD_STATUS(bank_id));
++ val &= ~BIT(bit);
++ bcm_kona_gpio_write_lock_regs(kona_gpio->reg_base, bank_id, val);
+
+- raw_spin_unlock_irqrestore(&kona_gpio->lock, flags);
++ raw_spin_unlock_irqrestore(&kona_gpio->lock, flags);
++ }
++
++ ++bank->gpio_unlock_count[bit];
+ }
+
+ static int bcm_kona_gpio_get_dir(struct gpio_chip *chip, unsigned gpio)
+@@ -369,6 +399,7 @@ static void bcm_kona_gpio_irq_mask(struct irq_data *d)
+
+ kona_gpio = irq_data_get_irq_chip_data(d);
+ reg_base = kona_gpio->reg_base;
++
+ raw_spin_lock_irqsave(&kona_gpio->lock, flags);
+
+ val = readl(reg_base + GPIO_INT_MASK(bank_id));
+@@ -391,6 +422,7 @@ static void bcm_kona_gpio_irq_unmask(struct irq_data *d)
+
+ kona_gpio = irq_data_get_irq_chip_data(d);
+ reg_base = kona_gpio->reg_base;
++
+ raw_spin_lock_irqsave(&kona_gpio->lock, flags);
+
+ val = readl(reg_base + GPIO_INT_MSKCLR(bank_id));
+@@ -486,15 +518,26 @@ static void bcm_kona_gpio_irq_handler(struct irq_desc *desc)
+ static int bcm_kona_gpio_irq_reqres(struct irq_data *d)
+ {
+ struct bcm_kona_gpio *kona_gpio = irq_data_get_irq_chip_data(d);
++ unsigned int gpio = d->hwirq;
++
++ /*
++ * We need to unlock the GPIO before any other operations are performed
++ * on the relevant GPIO configuration registers
++ */
++ bcm_kona_gpio_unlock_gpio(kona_gpio, gpio);
+
+- return gpiochip_reqres_irq(&kona_gpio->gpio_chip, d->hwirq);
++ return gpiochip_reqres_irq(&kona_gpio->gpio_chip, gpio);
+ }
+
+ static void bcm_kona_gpio_irq_relres(struct irq_data *d)
+ {
+ struct bcm_kona_gpio *kona_gpio = irq_data_get_irq_chip_data(d);
++ unsigned int gpio = d->hwirq;
++
++ /* Once we no longer use it, lock the GPIO again */
++ bcm_kona_gpio_lock_gpio(kona_gpio, gpio);
+
+- gpiochip_relres_irq(&kona_gpio->gpio_chip, d->hwirq);
++ gpiochip_relres_irq(&kona_gpio->gpio_chip, gpio);
+ }
+
+ static struct irq_chip bcm_gpio_irq_chip = {
+--
+2.39.5
+
--- /dev/null
+From bfdb741fb4717272b9d3bb0199f4ff8a007cd87a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2024 11:35:15 +0100
+Subject: Grab mm lock before grabbing pt lock
+
+From: Maksym Planeta <maksym@exostellar.io>
+
+[ Upstream commit 6d002348789bc16e9203e9818b7a3688787e3b29 ]
+
+Function xen_pin_page calls xen_pte_lock, which in turn grab page
+table lock (ptlock). When locking, xen_pte_lock expect mm->page_table_lock
+to be held before grabbing ptlock, but this does not happen when pinning
+is caused by xen_mm_pin_all.
+
+This commit addresses lockdep warning below, which shows up when
+suspending a Xen VM.
+
+[ 3680.658422] Freezing user space processes
+[ 3680.660156] Freezing user space processes completed (elapsed 0.001 seconds)
+[ 3680.660182] OOM killer disabled.
+[ 3680.660192] Freezing remaining freezable tasks
+[ 3680.661485] Freezing remaining freezable tasks completed (elapsed 0.001 seconds)
+[ 3680.685254]
+[ 3680.685265] ==================================
+[ 3680.685269] WARNING: Nested lock was not taken
+[ 3680.685274] 6.12.0+ #16 Tainted: G W
+[ 3680.685279] ----------------------------------
+[ 3680.685283] migration/0/19 is trying to lock:
+[ 3680.685288] ffff88800bac33c0 (ptlock_ptr(ptdesc)#2){+.+.}-{3:3}, at: xen_pin_page+0x175/0x1d0
+[ 3680.685303]
+[ 3680.685303] but this task is not holding:
+[ 3680.685308] init_mm.page_table_lock
+[ 3680.685311]
+[ 3680.685311] stack backtrace:
+[ 3680.685316] CPU: 0 UID: 0 PID: 19 Comm: migration/0 Tainted: G W 6.12.0+ #16
+[ 3680.685324] Tainted: [W]=WARN
+[ 3680.685328] Stopper: multi_cpu_stop+0x0/0x120 <- __stop_cpus.constprop.0+0x8c/0xd0
+[ 3680.685339] Call Trace:
+[ 3680.685344] <TASK>
+[ 3680.685347] dump_stack_lvl+0x77/0xb0
+[ 3680.685356] __lock_acquire+0x917/0x2310
+[ 3680.685364] lock_acquire+0xce/0x2c0
+[ 3680.685369] ? xen_pin_page+0x175/0x1d0
+[ 3680.685373] _raw_spin_lock_nest_lock+0x2f/0x70
+[ 3680.685381] ? xen_pin_page+0x175/0x1d0
+[ 3680.685386] xen_pin_page+0x175/0x1d0
+[ 3680.685390] ? __pfx_xen_pin_page+0x10/0x10
+[ 3680.685394] __xen_pgd_walk+0x233/0x2c0
+[ 3680.685401] ? stop_one_cpu+0x91/0x100
+[ 3680.685405] __xen_pgd_pin+0x5d/0x250
+[ 3680.685410] xen_mm_pin_all+0x70/0xa0
+[ 3680.685415] xen_pv_pre_suspend+0xf/0x280
+[ 3680.685420] xen_suspend+0x57/0x1a0
+[ 3680.685428] multi_cpu_stop+0x6b/0x120
+[ 3680.685432] ? update_cpumasks_hier+0x7c/0xa60
+[ 3680.685439] ? __pfx_multi_cpu_stop+0x10/0x10
+[ 3680.685443] cpu_stopper_thread+0x8c/0x140
+[ 3680.685448] ? smpboot_thread_fn+0x20/0x1f0
+[ 3680.685454] ? __pfx_smpboot_thread_fn+0x10/0x10
+[ 3680.685458] smpboot_thread_fn+0xed/0x1f0
+[ 3680.685462] kthread+0xde/0x110
+[ 3680.685467] ? __pfx_kthread+0x10/0x10
+[ 3680.685471] ret_from_fork+0x2f/0x50
+[ 3680.685478] ? __pfx_kthread+0x10/0x10
+[ 3680.685482] ret_from_fork_asm+0x1a/0x30
+[ 3680.685489] </TASK>
+[ 3680.685491]
+[ 3680.685491] other info that might help us debug this:
+[ 3680.685497] 1 lock held by migration/0/19:
+[ 3680.685500] #0: ffffffff8284df38 (pgd_lock){+.+.}-{3:3}, at: xen_mm_pin_all+0x14/0xa0
+[ 3680.685512]
+[ 3680.685512] stack backtrace:
+[ 3680.685518] CPU: 0 UID: 0 PID: 19 Comm: migration/0 Tainted: G W 6.12.0+ #16
+[ 3680.685528] Tainted: [W]=WARN
+[ 3680.685531] Stopper: multi_cpu_stop+0x0/0x120 <- __stop_cpus.constprop.0+0x8c/0xd0
+[ 3680.685538] Call Trace:
+[ 3680.685541] <TASK>
+[ 3680.685544] dump_stack_lvl+0x77/0xb0
+[ 3680.685549] __lock_acquire+0x93c/0x2310
+[ 3680.685554] lock_acquire+0xce/0x2c0
+[ 3680.685558] ? xen_pin_page+0x175/0x1d0
+[ 3680.685562] _raw_spin_lock_nest_lock+0x2f/0x70
+[ 3680.685568] ? xen_pin_page+0x175/0x1d0
+[ 3680.685572] xen_pin_page+0x175/0x1d0
+[ 3680.685578] ? __pfx_xen_pin_page+0x10/0x10
+[ 3680.685582] __xen_pgd_walk+0x233/0x2c0
+[ 3680.685588] ? stop_one_cpu+0x91/0x100
+[ 3680.685592] __xen_pgd_pin+0x5d/0x250
+[ 3680.685596] xen_mm_pin_all+0x70/0xa0
+[ 3680.685600] xen_pv_pre_suspend+0xf/0x280
+[ 3680.685607] xen_suspend+0x57/0x1a0
+[ 3680.685611] multi_cpu_stop+0x6b/0x120
+[ 3680.685615] ? update_cpumasks_hier+0x7c/0xa60
+[ 3680.685620] ? __pfx_multi_cpu_stop+0x10/0x10
+[ 3680.685625] cpu_stopper_thread+0x8c/0x140
+[ 3680.685629] ? smpboot_thread_fn+0x20/0x1f0
+[ 3680.685634] ? __pfx_smpboot_thread_fn+0x10/0x10
+[ 3680.685638] smpboot_thread_fn+0xed/0x1f0
+[ 3680.685642] kthread+0xde/0x110
+[ 3680.685645] ? __pfx_kthread+0x10/0x10
+[ 3680.685649] ret_from_fork+0x2f/0x50
+[ 3680.685654] ? __pfx_kthread+0x10/0x10
+[ 3680.685657] ret_from_fork_asm+0x1a/0x30
+[ 3680.685662] </TASK>
+[ 3680.685267] xen:grant_table: Grant tables using version 1 layout
+[ 3680.685921] OOM killer enabled.
+[ 3680.685934] Restarting tasks ... done.
+
+Signed-off-by: Maksym Planeta <maksym@exostellar.io>
+Reviewed-by: Juergen Gross <jgross@suse.com>
+Message-ID: <20241204103516.3309112-1-maksym@exostellar.io>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/xen/mmu_pv.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/x86/xen/mmu_pv.c b/arch/x86/xen/mmu_pv.c
+index f88071566cac5..4eb6a6bb609f4 100644
+--- a/arch/x86/xen/mmu_pv.c
++++ b/arch/x86/xen/mmu_pv.c
+@@ -807,6 +807,7 @@ void xen_mm_pin_all(void)
+ {
+ struct page *page;
+
++ spin_lock(&init_mm.page_table_lock);
+ spin_lock(&pgd_lock);
+
+ list_for_each_entry(page, &pgd_list, lru) {
+@@ -817,6 +818,7 @@ void xen_mm_pin_all(void)
+ }
+
+ spin_unlock(&pgd_lock);
++ spin_unlock(&init_mm.page_table_lock);
+ }
+
+ static void __init xen_mark_pinned(struct mm_struct *mm, struct page *page,
+@@ -914,6 +916,7 @@ void xen_mm_unpin_all(void)
+ {
+ struct page *page;
+
++ spin_lock(&init_mm.page_table_lock);
+ spin_lock(&pgd_lock);
+
+ list_for_each_entry(page, &pgd_list, lru) {
+@@ -925,6 +928,7 @@ void xen_mm_unpin_all(void)
+ }
+
+ spin_unlock(&pgd_lock);
++ spin_unlock(&init_mm.page_table_lock);
+ }
+
+ static void xen_activate_mm(struct mm_struct *prev, struct mm_struct *next)
+--
+2.39.5
+
--- /dev/null
+From c6f1e67f3c203922ebb186c37c0c914ef157f04c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 15 Nov 2024 14:26:21 +0800
+Subject: HID: multitouch: Add NULL check in mt_input_configured
+
+From: Charles Han <hanchunchao@inspur.com>
+
+[ Upstream commit 9b8e2220d3a052a690b1d1b23019673e612494c5 ]
+
+devm_kasprintf() can return a NULL pointer on failure,but this
+returned value in mt_input_configured() is not checked.
+Add NULL check in mt_input_configured(), to handle kernel NULL
+pointer dereference error.
+
+Fixes: 479439463529 ("HID: multitouch: Correct devm device reference for hidinput input_dev name")
+Signed-off-by: Charles Han <hanchunchao@inspur.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/hid-multitouch.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
+index df7b620fa23ee..bc9ba011ff607 100644
+--- a/drivers/hid/hid-multitouch.c
++++ b/drivers/hid/hid-multitouch.c
+@@ -1671,9 +1671,12 @@ static int mt_input_configured(struct hid_device *hdev, struct hid_input *hi)
+ break;
+ }
+
+- if (suffix)
++ if (suffix) {
+ hi->input->name = devm_kasprintf(&hdev->dev, GFP_KERNEL,
+ "%s %s", hdev->name, suffix);
++ if (!hi->input->name)
++ return -ENOMEM;
++ }
+
+ return 0;
+ }
+--
+2.39.5
+
--- /dev/null
+From 7dac82b21143ae44f532c77be8fded71bf804123 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Nov 2024 11:41:42 +0100
+Subject: media: cxd2841er: fix 64-bit division on gcc-9
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+[ Upstream commit 8d46603eeeb4c6abff1d2e49f2a6ae289dac765e ]
+
+It appears that do_div() once more gets confused by a complex
+expression that ends up not quite being constant despite
+__builtin_constant_p() thinking it is:
+
+ERROR: modpost: "__aeabi_uldivmod" [drivers/media/dvb-frontends/cxd2841er.ko] undefined!
+
+Use div_u64() instead, forcing the expression to be evaluated
+first, and making it a bit more readable.
+
+Cc: Dan Carpenter <dan.carpenter@linaro.org>
+Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
+Closes: https://lore.kernel.org/linux-media/CA+G9fYvvNm-aYodLaAwwTjEGtX0YxR-1R14FOA5aHKt0sSVsYg@mail.gmail.com/
+Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
+Closes: https://lore.kernel.org/linux-media/CA+G9fYvvNm-aYodLaAwwTjEGtX0YxR-1R14FOA5aHKt0sSVsYg@mail.gmail.com/
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+[hverkuil: added Closes tags]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/dvb-frontends/cxd2841er.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/media/dvb-frontends/cxd2841er.c b/drivers/media/dvb-frontends/cxd2841er.c
+index e9d1eef40c627..798da50421368 100644
+--- a/drivers/media/dvb-frontends/cxd2841er.c
++++ b/drivers/media/dvb-frontends/cxd2841er.c
+@@ -311,12 +311,8 @@ static int cxd2841er_set_reg_bits(struct cxd2841er_priv *priv,
+
+ static u32 cxd2841er_calc_iffreq_xtal(enum cxd2841er_xtal xtal, u32 ifhz)
+ {
+- u64 tmp;
+-
+- tmp = (u64) ifhz * 16777216;
+- do_div(tmp, ((xtal == SONY_XTAL_24000) ? 48000000 : 41000000));
+-
+- return (u32) tmp;
++ return div_u64(ifhz * 16777216ull,
++ (xtal == SONY_XTAL_24000) ? 48000000 : 41000000);
+ }
+
+ static u32 cxd2841er_calc_iffreq(u32 ifhz)
+--
+2.39.5
+
--- /dev/null
+From 716f6b194ec9a119de82eb524843cbcbb8446d67 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 29 Dec 2024 18:50:39 +0800
+Subject: media: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+[ Upstream commit 1221989555db711578a327a9367f1be46500cb48 ]
+
+syzbot report a null-ptr-deref in vidtv_mux_stop_thread. [1]
+
+If dvb->mux is not initialized successfully by vidtv_mux_init() in the
+vidtv_start_streaming(), it will trigger null pointer dereference about mux
+in vidtv_mux_stop_thread().
+
+Adjust the timing of streaming initialization and check it before
+stopping it.
+
+[1]
+KASAN: null-ptr-deref in range [0x0000000000000128-0x000000000000012f]
+CPU: 0 UID: 0 PID: 5842 Comm: syz-executor248 Not tainted 6.13.0-rc4-syzkaller-00012-g9b2ffa6148b1 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
+RIP: 0010:vidtv_mux_stop_thread+0x26/0x80 drivers/media/test-drivers/vidtv/vidtv_mux.c:471
+Code: 90 90 90 90 66 0f 1f 00 55 53 48 89 fb e8 82 2e c8 f9 48 8d bb 28 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 02 7e 3b 0f b6 ab 28 01 00 00 31 ff 89 ee e8
+RSP: 0018:ffffc90003f2faa8 EFLAGS: 00010202
+RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87cfb125
+RDX: 0000000000000025 RSI: ffffffff87d120ce RDI: 0000000000000128
+RBP: ffff888029b8d220 R08: 0000000000000005 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000003 R12: ffff888029b8d188
+R13: ffffffff8f590aa0 R14: ffffc9000581c5c8 R15: ffff888029a17710
+FS: 00007f7eef5156c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f7eef5e635c CR3: 0000000076ca6000 CR4: 00000000003526f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ vidtv_stop_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:209 [inline]
+ vidtv_stop_feed+0x151/0x250 drivers/media/test-drivers/vidtv/vidtv_bridge.c:252
+ dmx_section_feed_stop_filtering+0x90/0x160 drivers/media/dvb-core/dvb_demux.c:1000
+ dvb_dmxdev_feed_stop.isra.0+0x1ee/0x270 drivers/media/dvb-core/dmxdev.c:486
+ dvb_dmxdev_filter_stop+0x22a/0x3a0 drivers/media/dvb-core/dmxdev.c:559
+ dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]
+ dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246
+ __fput+0x3f8/0xb60 fs/file_table.c:450
+ task_work_run+0x14e/0x250 kernel/task_work.c:239
+ get_signal+0x1d3/0x2610 kernel/signal.c:2790
+ arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
+ exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
+ exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
+ __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
+ syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
+ do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Reported-by: syzbot+5e248227c80a3be8e96a@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=5e248227c80a3be8e96a
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/test-drivers/vidtv/vidtv_bridge.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/test-drivers/vidtv/vidtv_bridge.c b/drivers/media/test-drivers/vidtv/vidtv_bridge.c
+index dff7265a42ca2..c1621680ec570 100644
+--- a/drivers/media/test-drivers/vidtv/vidtv_bridge.c
++++ b/drivers/media/test-drivers/vidtv/vidtv_bridge.c
+@@ -191,10 +191,11 @@ static int vidtv_start_streaming(struct vidtv_dvb *dvb)
+
+ mux_args.mux_buf_sz = mux_buf_sz;
+
+- dvb->streaming = true;
+ dvb->mux = vidtv_mux_init(dvb->fe[0], dev, &mux_args);
+ if (!dvb->mux)
+ return -ENOMEM;
++
++ dvb->streaming = true;
+ vidtv_mux_start_thread(dvb->mux);
+
+ dev_dbg_ratelimited(dev, "Started streaming\n");
+@@ -205,6 +206,11 @@ static int vidtv_stop_streaming(struct vidtv_dvb *dvb)
+ {
+ struct device *dev = &dvb->pdev->dev;
+
++ if (!dvb->streaming) {
++ dev_warn_ratelimited(dev, "No streaming. Skipping.\n");
++ return 0;
++ }
++
+ dvb->streaming = false;
+ vidtv_mux_stop_thread(dvb->mux);
+ vidtv_mux_destroy(dvb->mux);
+--
+2.39.5
+
--- /dev/null
+From 1be56391dbf45ee00f448c37d608d9b9ee534030 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Feb 2025 13:58:33 +0000
+Subject: ndisc: ndisc_send_redirect() must use dev_get_by_index_rcu()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 48145a57d4bbe3496e8e4880b23ea6b511e6e519 ]
+
+ndisc_send_redirect() is called under RCU protection, not RTNL.
+
+It must use dev_get_by_index_rcu() instead of __dev_get_by_index()
+
+Fixes: 2f17becfbea5 ("vrf: check the original netdevice for generating redirect")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: Stephen Suryaputra <ssuryaextr@gmail.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://patch.msgid.link/20250207135841.1948589-2-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv6/ndisc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
+index d56e80741c5ba..63c1420c58249 100644
+--- a/net/ipv6/ndisc.c
++++ b/net/ipv6/ndisc.c
+@@ -1619,7 +1619,7 @@ void ndisc_send_redirect(struct sk_buff *skb, const struct in6_addr *target)
+ bool ret;
+
+ if (netif_is_l3_master(skb->dev)) {
+- dev = __dev_get_by_index(dev_net(skb->dev), IPCB(skb)->iif);
++ dev = dev_get_by_index_rcu(dev_net(skb->dev), IPCB(skb)->iif);
+ if (!dev)
+ return;
+ }
+--
+2.39.5
+
--- /dev/null
+From 9e02e89f4ae0f12e4180b3deb828b77fa9e1488c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Jan 2025 14:21:08 -0500
+Subject: orangefs: fix a oob in orangefs_debug_write
+
+From: Mike Marshall <hubcap@omnibond.com>
+
+[ Upstream commit f7c848431632598ff9bce57a659db6af60d75b39 ]
+
+I got a syzbot report: slab-out-of-bounds Read in
+orangefs_debug_write... several people suggested fixes,
+I tested Al Viro's suggestion and made this patch.
+
+Signed-off-by: Mike Marshall <hubcap@omnibond.com>
+Reported-by: syzbot+fc519d7875f2d9186c1f@syzkaller.appspotmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/orangefs/orangefs-debugfs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c
+index 1b508f5433846..fa41db0884880 100644
+--- a/fs/orangefs/orangefs-debugfs.c
++++ b/fs/orangefs/orangefs-debugfs.c
+@@ -393,9 +393,9 @@ static ssize_t orangefs_debug_write(struct file *file,
+ * Thwart users who try to jamb a ridiculous number
+ * of bytes into the debug file...
+ */
+- if (count > ORANGEFS_MAX_DEBUG_STRING_LEN + 1) {
++ if (count > ORANGEFS_MAX_DEBUG_STRING_LEN) {
+ silly = count;
+- count = ORANGEFS_MAX_DEBUG_STRING_LEN + 1;
++ count = ORANGEFS_MAX_DEBUG_STRING_LEN;
+ }
+
+ buf = kzalloc(ORANGEFS_MAX_DEBUG_STRING_LEN, GFP_KERNEL);
+--
+2.39.5
+
--- /dev/null
+From 45760fdb96cc8f68940194b2dce8a18365338b7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Jan 2025 17:43:13 +0100
+Subject: PCI/DPC: Quirk PIO log size for Intel Raptor Lake-P
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Takashi Iwai <tiwai@suse.de>
+
+[ Upstream commit b198499c7d2508a76243b98e7cca992f6fd2b7f7 ]
+
+Apparently the Raptor Lake-P reference firmware configures the PIO log size
+correctly, but some vendor BIOSes, including at least ASUSTeK COMPUTER INC.
+Zenbook UX3402VA_UX3402VA, do not.
+
+Apply the quirk for Raptor Lake-P. This prevents kernel complaints like:
+
+ DPC: RP PIO log size 0 is invalid
+
+and also enables the DPC driver to dump the RP PIO Log registers when DPC
+is triggered.
+
+Note that the bug report also mentions 8086:a76e, which has been already
+added by 627c6db20703 ("PCI/DPC: Quirk PIO log size for Intel Raptor Lake
+Root Ports").
+
+Link: https://lore.kernel.org/r/20250102164315.7562-1-tiwai@suse.de
+Link: https://bugzilla.suse.com/show_bug.cgi?id=1234623
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+[bhelgaas: commit log]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/quirks.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
+index 24fde99c11a70..a1f85120f97e6 100644
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -6005,6 +6005,7 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x9a2b, dpc_log_size);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x9a2d, dpc_log_size);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x9a2f, dpc_log_size);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x9a31, dpc_log_size);
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0xa72f, dpc_log_size);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0xa73f, dpc_log_size);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0xa76e, dpc_log_size);
+ #endif
+--
+2.39.5
+
tty-xilinx_uartps-split-sysrq-handling.patch
nfsd-clear-acl_access-acl_default-after-releasing-them.patch
nfsd-fix-hang-in-nfsd4_shutdown_callback.patch
+hid-multitouch-add-null-check-in-mt_input_configured.patch
+ndisc-ndisc_send_redirect-must-use-dev_get_by_index_.patch
+vrf-use-rcu-protection-in-l3mdev_l3_out.patch
+team-better-team_option_type_string-validation.patch
+arm64-cacheinfo-avoid-out-of-bounds-write-to-cachein.patch
+drm-i915-selftests-avoid-using-uninitialized-context.patch
+gpio-bcm-kona-fix-gpio-lock-unlock-for-banks-above-b.patch
+gpio-bcm-kona-make-sure-gpio-bits-are-unlocked-when-.patch
+gpio-bcm-kona-add-missing-newline-to-dev_err-format-.patch
+xen-remove-a-confusing-comment-on-auto-translated-gu.patch
+x86-xen-allow-larger-contiguous-memory-regions-in-pv.patch
+media-cxd2841er-fix-64-bit-division-on-gcc-9.patch
+media-vidtv-fix-a-null-ptr-deref-in-vidtv_mux_stop_t.patch
+pci-dpc-quirk-pio-log-size-for-intel-raptor-lake-p.patch
+vfio-pci-enable-iowrite64-and-ioread64-for-vfio-pci.patch
+grab-mm-lock-before-grabbing-pt-lock.patch
+x86-mm-tlb-only-trim-the-mm_cpumask-once-a-second.patch
+orangefs-fix-a-oob-in-orangefs_debug_write.patch
+asoc-intel-bytcr_rt5640-add-dmi-quirk-for-vexia-edu-.patch
--- /dev/null
+From bace5eab00b09af3276b263f10e119e069d0d020 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 12 Feb 2025 13:49:28 +0000
+Subject: team: better TEAM_OPTION_TYPE_STRING validation
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 5bef3ac184b5626ea62385d6b82a1992b89d7940 ]
+
+syzbot reported following splat [1]
+
+Make sure user-provided data contains one nul byte.
+
+[1]
+ BUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:633 [inline]
+ BUG: KMSAN: uninit-value in string+0x3ec/0x5f0 lib/vsprintf.c:714
+ string_nocheck lib/vsprintf.c:633 [inline]
+ string+0x3ec/0x5f0 lib/vsprintf.c:714
+ vsnprintf+0xa5d/0x1960 lib/vsprintf.c:2843
+ __request_module+0x252/0x9f0 kernel/module/kmod.c:149
+ team_mode_get drivers/net/team/team_core.c:480 [inline]
+ team_change_mode drivers/net/team/team_core.c:607 [inline]
+ team_mode_option_set+0x437/0x970 drivers/net/team/team_core.c:1401
+ team_option_set drivers/net/team/team_core.c:375 [inline]
+ team_nl_options_set_doit+0x1339/0x1f90 drivers/net/team/team_core.c:2662
+ genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]
+ genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
+ genl_rcv_msg+0x1214/0x12c0 net/netlink/genetlink.c:1210
+ netlink_rcv_skb+0x375/0x650 net/netlink/af_netlink.c:2543
+ genl_rcv+0x40/0x60 net/netlink/genetlink.c:1219
+ netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
+ netlink_unicast+0xf52/0x1260 net/netlink/af_netlink.c:1348
+ netlink_sendmsg+0x10da/0x11e0 net/netlink/af_netlink.c:1892
+ sock_sendmsg_nosec net/socket.c:718 [inline]
+ __sock_sendmsg+0x30f/0x380 net/socket.c:733
+ ____sys_sendmsg+0x877/0xb60 net/socket.c:2573
+ ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2627
+ __sys_sendmsg net/socket.c:2659 [inline]
+ __do_sys_sendmsg net/socket.c:2664 [inline]
+ __se_sys_sendmsg net/socket.c:2662 [inline]
+ __x64_sys_sendmsg+0x212/0x3c0 net/socket.c:2662
+ x64_sys_call+0x2ed6/0x3c30 arch/x86/include/generated/asm/syscalls_64.h:47
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device")
+Reported-by: syzbot+1fcd957a82e3a1baa94d@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=1fcd957a82e3a1baa94d
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Link: https://patch.msgid.link/20250212134928.1541609-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/team/team.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
+index 015151cd22220..1e0adeb5e177c 100644
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -2665,7 +2665,9 @@ static int team_nl_cmd_options_set(struct sk_buff *skb, struct genl_info *info)
+ ctx.data.u32_val = nla_get_u32(attr_data);
+ break;
+ case TEAM_OPTION_TYPE_STRING:
+- if (nla_len(attr_data) > TEAM_STRING_MAX_LEN) {
++ if (nla_len(attr_data) > TEAM_STRING_MAX_LEN ||
++ !memchr(nla_data(attr_data), '\0',
++ nla_len(attr_data))) {
+ err = -EINVAL;
+ goto team_put;
+ }
+--
+2.39.5
+
--- /dev/null
+From c4964536513f5315848e8962807540c14aa1956c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2024 05:19:37 -0800
+Subject: vfio/pci: Enable iowrite64 and ioread64 for vfio pci
+
+From: Ramesh Thomas <ramesh.thomas@intel.com>
+
+[ Upstream commit 2b938e3db335e3670475e31a722c2bee34748c5a ]
+
+Definitions of ioread64 and iowrite64 macros in asm/io.h called by vfio
+pci implementations are enclosed inside check for CONFIG_GENERIC_IOMAP.
+They don't get defined if CONFIG_GENERIC_IOMAP is defined. Include
+linux/io-64-nonatomic-lo-hi.h to define iowrite64 and ioread64 macros
+when they are not defined. io-64-nonatomic-lo-hi.h maps the macros to
+generic implementation in lib/iomap.c. The generic implementation does
+64 bit rw if readq/writeq is defined for the architecture, otherwise it
+would do 32 bit back to back rw.
+
+Note that there are two versions of the generic implementation that
+differs in the order the 32 bit words are written if 64 bit support is
+not present. This is not the little/big endian ordering, which is
+handled separately. This patch uses the lo followed by hi word ordering
+which is consistent with current back to back implementation in the
+vfio/pci code.
+
+Signed-off-by: Ramesh Thomas <ramesh.thomas@intel.com>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Link: https://lore.kernel.org/r/20241210131938.303500-2-ramesh.thomas@intel.com
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/vfio/pci/vfio_pci_rdwr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/vfio/pci/vfio_pci_rdwr.c b/drivers/vfio/pci/vfio_pci_rdwr.c
+index 82ac1569deb05..e45c15e210ffd 100644
+--- a/drivers/vfio/pci/vfio_pci_rdwr.c
++++ b/drivers/vfio/pci/vfio_pci_rdwr.c
+@@ -16,6 +16,7 @@
+ #include <linux/io.h>
+ #include <linux/vfio.h>
+ #include <linux/vgaarb.h>
++#include <linux/io-64-nonatomic-lo-hi.h>
+
+ #include <linux/vfio_pci_core.h>
+
+--
+2.39.5
+
--- /dev/null
+From c012f622d897ddf0ba9ffd6d555e7e49341781a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 7 Feb 2025 13:58:38 +0000
+Subject: vrf: use RCU protection in l3mdev_l3_out()
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 6d0ce46a93135d96b7fa075a94a88fe0da8e8773 ]
+
+l3mdev_l3_out() can be called without RCU being held:
+
+raw_sendmsg()
+ ip_push_pending_frames()
+ ip_send_skb()
+ ip_local_out()
+ __ip_local_out()
+ l3mdev_ip_out()
+
+Add rcu_read_lock() / rcu_read_unlock() pair to avoid
+a potential UAF.
+
+Fixes: a8e3e1a9f020 ("net: l3mdev: Add hook to output path")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Link: https://patch.msgid.link/20250207135841.1948589-7-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/l3mdev.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/net/l3mdev.h b/include/net/l3mdev.h
+index 031c661aa14df..bdfa9d414360c 100644
+--- a/include/net/l3mdev.h
++++ b/include/net/l3mdev.h
+@@ -198,10 +198,12 @@ struct sk_buff *l3mdev_l3_out(struct sock *sk, struct sk_buff *skb, u16 proto)
+ if (netif_is_l3_slave(dev)) {
+ struct net_device *master;
+
++ rcu_read_lock();
+ master = netdev_master_upper_dev_get_rcu(dev);
+ if (master && master->l3mdev_ops->l3mdev_l3_out)
+ skb = master->l3mdev_ops->l3mdev_l3_out(master, sk,
+ skb, proto);
++ rcu_read_unlock();
+ }
+
+ return skb;
+--
+2.39.5
+
--- /dev/null
+From 59c102ad7cb7eda4e29a34629efded11fece904c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2024 21:03:16 -0500
+Subject: x86/mm/tlb: Only trim the mm_cpumask once a second
+
+From: Rik van Riel <riel@fb.com>
+
+[ Upstream commit 6db2526c1d694c91c6e05e2f186c085e9460f202 ]
+
+Setting and clearing CPU bits in the mm_cpumask is only ever done
+by the CPU itself, from the context switch code or the TLB flush
+code.
+
+Synchronization is handled by switch_mm_irqs_off() blocking interrupts.
+
+Sending TLB flush IPIs to CPUs that are in the mm_cpumask, but no
+longer running the program causes a regression in the will-it-scale
+tlbflush2 test. This test is contrived, but a large regression here
+might cause a small regression in some real world workload.
+
+Instead of always sending IPIs to CPUs that are in the mm_cpumask,
+but no longer running the program, send these IPIs only once a second.
+
+The rest of the time we can skip over CPUs where the loaded_mm is
+different from the target mm.
+
+Reported-by: kernel test roboto <oliver.sang@intel.com>
+Signed-off-by: Rik van Riel <riel@surriel.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/20241204210316.612ee573@fangorn
+Closes: https://lore.kernel.org/oe-lkp/202411282207.6bd28eae-lkp@intel.com/
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/include/asm/mmu.h | 2 ++
+ arch/x86/include/asm/mmu_context.h | 1 +
+ arch/x86/include/asm/tlbflush.h | 1 +
+ arch/x86/mm/tlb.c | 35 +++++++++++++++++++++++++++---
+ 4 files changed, 36 insertions(+), 3 deletions(-)
+
+diff --git a/arch/x86/include/asm/mmu.h b/arch/x86/include/asm/mmu.h
+index 5d7494631ea95..c07c018a1c139 100644
+--- a/arch/x86/include/asm/mmu.h
++++ b/arch/x86/include/asm/mmu.h
+@@ -33,6 +33,8 @@ typedef struct {
+ */
+ atomic64_t tlb_gen;
+
++ unsigned long next_trim_cpumask;
++
+ #ifdef CONFIG_MODIFY_LDT_SYSCALL
+ struct rw_semaphore ldt_usr_sem;
+ struct ldt_struct *ldt;
+diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
+index 27516046117a3..1d11aeb597542 100644
+--- a/arch/x86/include/asm/mmu_context.h
++++ b/arch/x86/include/asm/mmu_context.h
+@@ -106,6 +106,7 @@ static inline int init_new_context(struct task_struct *tsk,
+
+ mm->context.ctx_id = atomic64_inc_return(&last_mm_ctx_id);
+ atomic64_set(&mm->context.tlb_gen, 0);
++ mm->context.next_trim_cpumask = jiffies + HZ;
+
+ #ifdef CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS
+ if (cpu_feature_enabled(X86_FEATURE_OSPKE)) {
+diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
+index b587a9ee9cb25..22b93e35fa886 100644
+--- a/arch/x86/include/asm/tlbflush.h
++++ b/arch/x86/include/asm/tlbflush.h
+@@ -207,6 +207,7 @@ struct flush_tlb_info {
+ unsigned int initiating_cpu;
+ u8 stride_shift;
+ u8 freed_tables;
++ u8 trim_cpumask;
+ };
+
+ void flush_tlb_local(void);
+diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
+index 511172d70825c..19d083ad2de79 100644
+--- a/arch/x86/mm/tlb.c
++++ b/arch/x86/mm/tlb.c
+@@ -854,9 +854,36 @@ static void flush_tlb_func(void *info)
+ nr_invalidate);
+ }
+
+-static bool tlb_is_not_lazy(int cpu, void *data)
++static bool should_flush_tlb(int cpu, void *data)
+ {
+- return !per_cpu(cpu_tlbstate_shared.is_lazy, cpu);
++ struct flush_tlb_info *info = data;
++
++ /* Lazy TLB will get flushed at the next context switch. */
++ if (per_cpu(cpu_tlbstate_shared.is_lazy, cpu))
++ return false;
++
++ /* No mm means kernel memory flush. */
++ if (!info->mm)
++ return true;
++
++ /* The target mm is loaded, and the CPU is not lazy. */
++ if (per_cpu(cpu_tlbstate.loaded_mm, cpu) == info->mm)
++ return true;
++
++ /* In cpumask, but not the loaded mm? Periodically remove by flushing. */
++ if (info->trim_cpumask)
++ return true;
++
++ return false;
++}
++
++static bool should_trim_cpumask(struct mm_struct *mm)
++{
++ if (time_after(jiffies, READ_ONCE(mm->context.next_trim_cpumask))) {
++ WRITE_ONCE(mm->context.next_trim_cpumask, jiffies + HZ);
++ return true;
++ }
++ return false;
+ }
+
+ DEFINE_PER_CPU_SHARED_ALIGNED(struct tlb_state_shared, cpu_tlbstate_shared);
+@@ -890,7 +917,7 @@ STATIC_NOPV void native_flush_tlb_multi(const struct cpumask *cpumask,
+ if (info->freed_tables)
+ on_each_cpu_mask(cpumask, flush_tlb_func, (void *)info, true);
+ else
+- on_each_cpu_cond_mask(tlb_is_not_lazy, flush_tlb_func,
++ on_each_cpu_cond_mask(should_flush_tlb, flush_tlb_func,
+ (void *)info, 1, cpumask);
+ }
+
+@@ -941,6 +968,7 @@ static struct flush_tlb_info *get_flush_tlb_info(struct mm_struct *mm,
+ info->freed_tables = freed_tables;
+ info->new_tlb_gen = new_tlb_gen;
+ info->initiating_cpu = smp_processor_id();
++ info->trim_cpumask = 0;
+
+ return info;
+ }
+@@ -983,6 +1011,7 @@ void flush_tlb_mm_range(struct mm_struct *mm, unsigned long start,
+ * flush_tlb_func_local() directly in this case.
+ */
+ if (cpumask_any_but(mm_cpumask(mm), cpu) < nr_cpu_ids) {
++ info->trim_cpumask = should_trim_cpumask(mm);
+ flush_tlb_multi(mm_cpumask(mm), info);
+ } else if (mm == this_cpu_read(cpu_tlbstate.loaded_mm)) {
+ lockdep_assert_irqs_enabled();
+--
+2.39.5
+
--- /dev/null
+From 9918e7f187a8266e2594f9fd41b673b8dfc878b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Feb 2025 11:16:28 +0100
+Subject: x86/xen: allow larger contiguous memory regions in PV guests
+
+From: Juergen Gross <jgross@suse.com>
+
+[ Upstream commit e93ec87286bd1fd30b7389e7a387cfb259f297e3 ]
+
+Today a PV guest (including dom0) can create 2MB contiguous memory
+regions for DMA buffers at max. This has led to problems at least
+with the megaraid_sas driver, which wants to allocate a 2.3MB DMA
+buffer.
+
+The limiting factor is the frame array used to do the hypercall for
+making the memory contiguous, which has 512 entries and is just a
+static array in mmu_pv.c.
+
+In order to not waste memory for non-PV guests, put the initial
+frame array into .init.data section and dynamically allocate an array
+from the .init_after_bootmem hook of PV guests.
+
+In case a contiguous memory area larger than the initially supported
+2MB is requested, allocate a larger buffer for the frame list. Note
+that such an allocation is tried only after memory management has been
+initialized properly, which is tested via a flag being set in the
+.init_after_bootmem hook.
+
+Fixes: 9f40ec84a797 ("xen/swiotlb: add alignment check for dma buffers")
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Tested-by: Alan Robinson <Alan.Robinson@fujitsu.com>
+Reviewed-by: Jan Beulich <jbeulich@suse.com>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/xen/mmu_pv.c | 71 +++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 62 insertions(+), 9 deletions(-)
+
+diff --git a/arch/x86/xen/mmu_pv.c b/arch/x86/xen/mmu_pv.c
+index 03c9ec0212c9e..f88071566cac5 100644
+--- a/arch/x86/xen/mmu_pv.c
++++ b/arch/x86/xen/mmu_pv.c
+@@ -95,6 +95,51 @@ static pud_t level3_user_vsyscall[PTRS_PER_PUD] __page_aligned_bss;
+ */
+ static DEFINE_SPINLOCK(xen_reservation_lock);
+
++/* Protected by xen_reservation_lock. */
++#define MIN_CONTIG_ORDER 9 /* 2MB */
++static unsigned int discontig_frames_order = MIN_CONTIG_ORDER;
++static unsigned long discontig_frames_early[1UL << MIN_CONTIG_ORDER] __initdata;
++static unsigned long *discontig_frames __refdata = discontig_frames_early;
++static bool discontig_frames_dyn;
++
++static int alloc_discontig_frames(unsigned int order)
++{
++ unsigned long *new_array, *old_array;
++ unsigned int old_order;
++ unsigned long flags;
++
++ BUG_ON(order < MIN_CONTIG_ORDER);
++ BUILD_BUG_ON(sizeof(discontig_frames_early) != PAGE_SIZE);
++
++ new_array = (unsigned long *)__get_free_pages(GFP_KERNEL,
++ order - MIN_CONTIG_ORDER);
++ if (!new_array)
++ return -ENOMEM;
++
++ spin_lock_irqsave(&xen_reservation_lock, flags);
++
++ old_order = discontig_frames_order;
++
++ if (order > discontig_frames_order || !discontig_frames_dyn) {
++ if (!discontig_frames_dyn)
++ old_array = NULL;
++ else
++ old_array = discontig_frames;
++
++ discontig_frames = new_array;
++ discontig_frames_order = order;
++ discontig_frames_dyn = true;
++ } else {
++ old_array = new_array;
++ }
++
++ spin_unlock_irqrestore(&xen_reservation_lock, flags);
++
++ free_pages((unsigned long)old_array, old_order - MIN_CONTIG_ORDER);
++
++ return 0;
++}
++
+ /*
+ * Note about cr3 (pagetable base) values:
+ *
+@@ -791,6 +836,9 @@ static void __init xen_after_bootmem(void)
+ static_branch_enable(&xen_struct_pages_ready);
+ SetPagePinned(virt_to_page(level3_user_vsyscall));
+ xen_pgd_walk(&init_mm, xen_mark_pinned, FIXADDR_TOP);
++
++ if (alloc_discontig_frames(MIN_CONTIG_ORDER))
++ BUG();
+ }
+
+ static void xen_unpin_page(struct mm_struct *mm, struct page *page,
+@@ -2151,10 +2199,6 @@ void __init xen_init_mmu_ops(void)
+ memset(dummy_mapping, 0xff, PAGE_SIZE);
+ }
+
+-/* Protected by xen_reservation_lock. */
+-#define MAX_CONTIG_ORDER 9 /* 2MB */
+-static unsigned long discontig_frames[1<<MAX_CONTIG_ORDER];
+-
+ #define VOID_PTE (mfn_pte(0, __pgprot(0)))
+ static void xen_zap_pfn_range(unsigned long vaddr, unsigned int order,
+ unsigned long *in_frames,
+@@ -2271,18 +2315,25 @@ int xen_create_contiguous_region(phys_addr_t pstart, unsigned int order,
+ unsigned int address_bits,
+ dma_addr_t *dma_handle)
+ {
+- unsigned long *in_frames = discontig_frames, out_frame;
++ unsigned long *in_frames, out_frame;
+ unsigned long flags;
+ int success;
+ unsigned long vstart = (unsigned long)phys_to_virt(pstart);
+
+- if (unlikely(order > MAX_CONTIG_ORDER))
+- return -ENOMEM;
++ if (unlikely(order > discontig_frames_order)) {
++ if (!discontig_frames_dyn)
++ return -ENOMEM;
++
++ if (alloc_discontig_frames(order))
++ return -ENOMEM;
++ }
+
+ memset((void *) vstart, 0, PAGE_SIZE << order);
+
+ spin_lock_irqsave(&xen_reservation_lock, flags);
+
++ in_frames = discontig_frames;
++
+ /* 1. Zap current PTEs, remembering MFNs. */
+ xen_zap_pfn_range(vstart, order, in_frames, NULL);
+
+@@ -2306,12 +2357,12 @@ int xen_create_contiguous_region(phys_addr_t pstart, unsigned int order,
+
+ void xen_destroy_contiguous_region(phys_addr_t pstart, unsigned int order)
+ {
+- unsigned long *out_frames = discontig_frames, in_frame;
++ unsigned long *out_frames, in_frame;
+ unsigned long flags;
+ int success;
+ unsigned long vstart;
+
+- if (unlikely(order > MAX_CONTIG_ORDER))
++ if (unlikely(order > discontig_frames_order))
+ return;
+
+ vstart = (unsigned long)phys_to_virt(pstart);
+@@ -2319,6 +2370,8 @@ void xen_destroy_contiguous_region(phys_addr_t pstart, unsigned int order)
+
+ spin_lock_irqsave(&xen_reservation_lock, flags);
+
++ out_frames = discontig_frames;
++
+ /* 1. Find start MFN of contiguous extent. */
+ in_frame = virt_to_mfn(vstart);
+
+--
+2.39.5
+
--- /dev/null
+From fc9bf8952222440d531aeb55b403aa50fcca90e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Aug 2023 18:31:51 +0200
+Subject: xen: remove a confusing comment on auto-translated guest I/O
+
+From: Petr Tesarik <petr.tesarik.ext@huawei.com>
+
+[ Upstream commit d826c9e61c99120f8996f8fed6417167e32eb922 ]
+
+After removing the conditional return from xen_create_contiguous_region(),
+the accompanying comment was left in place, but it now precedes an
+unrelated conditional and confuses readers.
+
+Fixes: 989513a735f5 ("xen: cleanup pvh leftovers from pv-only sources")
+Signed-off-by: Petr Tesarik <petr.tesarik.ext@huawei.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Link: https://lore.kernel.org/r/20230802163151.1486-1-petrtesarik@huaweicloud.com
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Stable-dep-of: e93ec87286bd ("x86/xen: allow larger contiguous memory regions in PV guests")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/xen/mmu_pv.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/arch/x86/xen/mmu_pv.c b/arch/x86/xen/mmu_pv.c
+index 3359c23573c50..03c9ec0212c9e 100644
+--- a/arch/x86/xen/mmu_pv.c
++++ b/arch/x86/xen/mmu_pv.c
+@@ -2276,12 +2276,6 @@ int xen_create_contiguous_region(phys_addr_t pstart, unsigned int order,
+ int success;
+ unsigned long vstart = (unsigned long)phys_to_virt(pstart);
+
+- /*
+- * Currently an auto-translated guest will not perform I/O, nor will
+- * it require PAE page directories below 4GB. Therefore any calls to
+- * this function are redundant and can be ignored.
+- */
+-
+ if (unlikely(order > MAX_CONTIG_ORDER))
+ return -ENOMEM;
+
+--
+2.39.5
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
