--- /dev/null
+From 890ed45bde808c422c3c27d3285fc45affa0f930 Mon Sep 17 00:00:00 2001
+From: Christian Brauner <brauner@kernel.org>
+Date: Tue, 11 Feb 2025 18:16:00 +0100
+Subject: acct: block access to kernel internal filesystems
+
+From: Christian Brauner <brauner@kernel.org>
+
+commit 890ed45bde808c422c3c27d3285fc45affa0f930 upstream.
+
+There's no point in allowing anything kernel internal nor procfs or
+sysfs.
+
+Link: https://lore.kernel.org/r/20250127091811.3183623-1-quzicheng@huawei.com
+Link: https://lore.kernel.org/r/20250211-work-acct-v1-2-1c16aecab8b3@kernel.org
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Amir Goldstein <amir73il@gmail.com>
+Reported-by: Zicheng Qu <quzicheng@huawei.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/acct.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/kernel/acct.c
++++ b/kernel/acct.c
+@@ -243,6 +243,20 @@ static int acct_on(struct filename *path
+ return -EACCES;
+ }
+
++ /* Exclude kernel kernel internal filesystems. */
++ if (file_inode(file)->i_sb->s_flags & (SB_NOUSER | SB_KERNMOUNT)) {
++ kfree(acct);
++ filp_close(file, NULL);
++ return -EINVAL;
++ }
++
++ /* Exclude procfs and sysfs. */
++ if (file_inode(file)->i_sb->s_iflags & SB_I_USERNS_VISIBLE) {
++ kfree(acct);
++ filp_close(file, NULL);
++ return -EINVAL;
++ }
++
+ if (!(file->f_mode & FMODE_CAN_WRITE)) {
+ kfree(acct);
+ filp_close(file, NULL);
--- /dev/null
+From 56d5f3eba3f5de0efdd556de4ef381e109b973a9 Mon Sep 17 00:00:00 2001
+From: Christian Brauner <brauner@kernel.org>
+Date: Tue, 11 Feb 2025 18:15:59 +0100
+Subject: acct: perform last write from workqueue
+
+From: Christian Brauner <brauner@kernel.org>
+
+commit 56d5f3eba3f5de0efdd556de4ef381e109b973a9 upstream.
+
+In [1] it was reported that the acct(2) system call can be used to
+trigger NULL deref in cases where it is set to write to a file that
+triggers an internal lookup. This can e.g., happen when pointing acc(2)
+to /sys/power/resume. At the point the where the write to this file
+happens the calling task has already exited and called exit_fs(). A
+lookup will thus trigger a NULL-deref when accessing current->fs.
+
+Reorganize the code so that the the final write happens from the
+workqueue but with the caller's credentials. This preserves the
+(strange) permission model and has almost no regression risk.
+
+This api should stop to exist though.
+
+Link: https://lore.kernel.org/r/20250127091811.3183623-1-quzicheng@huawei.com [1]
+Link: https://lore.kernel.org/r/20250211-work-acct-v1-1-1c16aecab8b3@kernel.org
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Zicheng Qu <quzicheng@huawei.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/acct.c | 120 +++++++++++++++++++++++++++++++++-------------------------
+ 1 file changed, 70 insertions(+), 50 deletions(-)
+
+--- a/kernel/acct.c
++++ b/kernel/acct.c
+@@ -103,48 +103,50 @@ struct bsd_acct_struct {
+ atomic_long_t count;
+ struct rcu_head rcu;
+ struct mutex lock;
+- int active;
++ bool active;
++ bool check_space;
+ unsigned long needcheck;
+ struct file *file;
+ struct pid_namespace *ns;
+ struct work_struct work;
+ struct completion done;
++ acct_t ac;
+ };
+
+-static void do_acct_process(struct bsd_acct_struct *acct);
++static void fill_ac(struct bsd_acct_struct *acct);
++static void acct_write_process(struct bsd_acct_struct *acct);
+
+ /*
+ * Check the amount of free space and suspend/resume accordingly.
+ */
+-static int check_free_space(struct bsd_acct_struct *acct)
++static bool check_free_space(struct bsd_acct_struct *acct)
+ {
+ struct kstatfs sbuf;
+
+- if (time_is_after_jiffies(acct->needcheck))
+- goto out;
++ if (!acct->check_space)
++ return acct->active;
+
+ /* May block */
+ if (vfs_statfs(&acct->file->f_path, &sbuf))
+- goto out;
++ return acct->active;
+
+ if (acct->active) {
+ u64 suspend = sbuf.f_blocks * SUSPEND;
+ do_div(suspend, 100);
+ if (sbuf.f_bavail <= suspend) {
+- acct->active = 0;
++ acct->active = false;
+ pr_info("Process accounting paused\n");
+ }
+ } else {
+ u64 resume = sbuf.f_blocks * RESUME;
+ do_div(resume, 100);
+ if (sbuf.f_bavail >= resume) {
+- acct->active = 1;
++ acct->active = true;
+ pr_info("Process accounting resumed\n");
+ }
+ }
+
+ acct->needcheck = jiffies + ACCT_TIMEOUT*HZ;
+-out:
+ return acct->active;
+ }
+
+@@ -189,7 +191,11 @@ static void acct_pin_kill(struct fs_pin
+ {
+ struct bsd_acct_struct *acct = to_acct(pin);
+ mutex_lock(&acct->lock);
+- do_acct_process(acct);
++ /*
++ * Fill the accounting struct with the exiting task's info
++ * before punting to the workqueue.
++ */
++ fill_ac(acct);
+ schedule_work(&acct->work);
+ wait_for_completion(&acct->done);
+ cmpxchg(&acct->ns->bacct, pin, NULL);
+@@ -202,6 +208,9 @@ static void close_work(struct work_struc
+ {
+ struct bsd_acct_struct *acct = container_of(work, struct bsd_acct_struct, work);
+ struct file *file = acct->file;
++
++ /* We were fired by acct_pin_kill() which holds acct->lock. */
++ acct_write_process(acct);
+ if (file->f_op->flush)
+ file->f_op->flush(file, NULL);
+ __fput_sync(file);
+@@ -430,13 +439,27 @@ static u32 encode_float(u64 value)
+ * do_exit() or when switching to a different output file.
+ */
+
+-static void fill_ac(acct_t *ac)
++static void fill_ac(struct bsd_acct_struct *acct)
+ {
+ struct pacct_struct *pacct = ¤t->signal->pacct;
++ struct file *file = acct->file;
++ acct_t *ac = &acct->ac;
+ u64 elapsed, run_time;
+ time64_t btime;
+ struct tty_struct *tty;
+
++ lockdep_assert_held(&acct->lock);
++
++ if (time_is_after_jiffies(acct->needcheck)) {
++ acct->check_space = false;
++
++ /* Don't fill in @ac if nothing will be written. */
++ if (!acct->active)
++ return;
++ } else {
++ acct->check_space = true;
++ }
++
+ /*
+ * Fill the accounting struct with the needed info as recorded
+ * by the different kernel functions.
+@@ -484,64 +507,61 @@ static void fill_ac(acct_t *ac)
+ ac->ac_majflt = encode_comp_t(pacct->ac_majflt);
+ ac->ac_exitcode = pacct->ac_exitcode;
+ spin_unlock_irq(¤t->sighand->siglock);
+-}
+-/*
+- * do_acct_process does all actual work. Caller holds the reference to file.
+- */
+-static void do_acct_process(struct bsd_acct_struct *acct)
+-{
+- acct_t ac;
+- unsigned long flim;
+- const struct cred *orig_cred;
+- struct file *file = acct->file;
+-
+- /*
+- * Accounting records are not subject to resource limits.
+- */
+- flim = rlimit(RLIMIT_FSIZE);
+- current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
+- /* Perform file operations on behalf of whoever enabled accounting */
+- orig_cred = override_creds(file->f_cred);
+
+- /*
+- * First check to see if there is enough free_space to continue
+- * the process accounting system.
+- */
+- if (!check_free_space(acct))
+- goto out;
+-
+- fill_ac(&ac);
+ /* we really need to bite the bullet and change layout */
+- ac.ac_uid = from_kuid_munged(file->f_cred->user_ns, orig_cred->uid);
+- ac.ac_gid = from_kgid_munged(file->f_cred->user_ns, orig_cred->gid);
++ ac->ac_uid = from_kuid_munged(file->f_cred->user_ns, current_uid());
++ ac->ac_gid = from_kgid_munged(file->f_cred->user_ns, current_gid());
+ #if ACCT_VERSION == 1 || ACCT_VERSION == 2
+ /* backward-compatible 16 bit fields */
+- ac.ac_uid16 = ac.ac_uid;
+- ac.ac_gid16 = ac.ac_gid;
++ ac->ac_uid16 = ac->ac_uid;
++ ac->ac_gid16 = ac->ac_gid;
+ #elif ACCT_VERSION == 3
+ {
+ struct pid_namespace *ns = acct->ns;
+
+- ac.ac_pid = task_tgid_nr_ns(current, ns);
++ ac->ac_pid = task_tgid_nr_ns(current, ns);
+ rcu_read_lock();
+- ac.ac_ppid = task_tgid_nr_ns(rcu_dereference(current->real_parent),
+- ns);
++ ac->ac_ppid = task_tgid_nr_ns(rcu_dereference(current->real_parent), ns);
+ rcu_read_unlock();
+ }
+ #endif
++}
++
++static void acct_write_process(struct bsd_acct_struct *acct)
++{
++ struct file *file = acct->file;
++ const struct cred *cred;
++ acct_t *ac = &acct->ac;
++
++ /* Perform file operations on behalf of whoever enabled accounting */
++ cred = override_creds(file->f_cred);
++
+ /*
+- * Get freeze protection. If the fs is frozen, just skip the write
+- * as we could deadlock the system otherwise.
++ * First check to see if there is enough free_space to continue
++ * the process accounting system. Then get freeze protection. If
++ * the fs is frozen, just skip the write as we could deadlock
++ * the system otherwise.
+ */
+- if (file_start_write_trylock(file)) {
++ if (check_free_space(acct) && file_start_write_trylock(file)) {
+ /* it's been opened O_APPEND, so position is irrelevant */
+ loff_t pos = 0;
+- __kernel_write(file, &ac, sizeof(acct_t), &pos);
++ __kernel_write(file, ac, sizeof(acct_t), &pos);
+ file_end_write(file);
+ }
+-out:
++
++ revert_creds(cred);
++}
++
++static void do_acct_process(struct bsd_acct_struct *acct)
++{
++ unsigned long flim;
++
++ /* Accounting records are not subject to resource limits. */
++ flim = rlimit(RLIMIT_FSIZE);
++ current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
++ fill_ac(acct);
++ acct_write_process(acct);
+ current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
+- revert_creds(orig_cred);
+ }
+
+ /**
--- /dev/null
+From 822b7ec657e99b44b874e052d8540d8b54fe8569 Mon Sep 17 00:00:00 2001
+From: Wentao Liang <vulab@iscas.ac.cn>
+Date: Thu, 13 Feb 2025 15:45:43 +0800
+Subject: ALSA: hda: Add error check for snd_ctl_rename_id() in snd_hda_create_dig_out_ctls()
+
+From: Wentao Liang <vulab@iscas.ac.cn>
+
+commit 822b7ec657e99b44b874e052d8540d8b54fe8569 upstream.
+
+Check the return value of snd_ctl_rename_id() in
+snd_hda_create_dig_out_ctls(). Ensure that failures
+are properly handled.
+
+[ Note: the error cannot happen practically because the only error
+ condition in snd_ctl_rename_id() is the missing ID, but this is a
+ rename, hence it must be present. But for the code consistency,
+ it's safer to have always the proper return check -- tiwai ]
+
+Fixes: 5c219a340850 ("ALSA: hda: Fix kctl->id initialization")
+Cc: stable@vger.kernel.org # 6.4+
+Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
+Link: https://patch.msgid.link/20250213074543.1620-1-vulab@iscas.ac.cn
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/hda_codec.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/hda_codec.c
++++ b/sound/pci/hda/hda_codec.c
+@@ -2470,7 +2470,9 @@ int snd_hda_create_dig_out_ctls(struct h
+ break;
+ id = kctl->id;
+ id.index = spdif_index;
+- snd_ctl_rename_id(codec->card, &kctl->id, &id);
++ err = snd_ctl_rename_id(codec->card, &kctl->id, &id);
++ if (err < 0)
++ return err;
+ }
+ bus->primary_dig_out_type = HDA_PCM_TYPE_HDMI;
+ }
--- /dev/null
+From 6d1f86610f23b0bc334d6506a186f21a98f51392 Mon Sep 17 00:00:00 2001
+From: John Veness <john-linux@pelago.org.uk>
+Date: Mon, 17 Feb 2025 12:15:50 +0000
+Subject: ALSA: hda/conexant: Add quirk for HP ProBook 450 G4 mute LED
+
+From: John Veness <john-linux@pelago.org.uk>
+
+commit 6d1f86610f23b0bc334d6506a186f21a98f51392 upstream.
+
+Allows the LED on the dedicated mute button on the HP ProBook 450 G4
+laptop to change colour correctly.
+
+Signed-off-by: John Veness <john-linux@pelago.org.uk>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/2fb55d48-6991-4a42-b591-4c78f2fad8d7@pelago.org.uk
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_conexant.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -1080,6 +1080,7 @@ static const struct hda_quirk cxt5066_fi
+ SND_PCI_QUIRK(0x103c, 0x814f, "HP ZBook 15u G3", CXT_FIXUP_MUTE_LED_GPIO),
+ SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE),
+ SND_PCI_QUIRK(0x103c, 0x822e, "HP ProBook 440 G4", CXT_FIXUP_MUTE_LED_GPIO),
++ SND_PCI_QUIRK(0x103c, 0x8231, "HP ProBook 450 G4", CXT_FIXUP_MUTE_LED_GPIO),
+ SND_PCI_QUIRK(0x103c, 0x828c, "HP EliteBook 840 G4", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x8299, "HP 800 G3 SFF", CXT_FIXUP_HP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x829a, "HP 800 G3 DM", CXT_FIXUP_HP_MIC_NO_PRESENCE),
--- /dev/null
+From 5ae4dca718eacd0a56173a687a3736eb7e627c77 Mon Sep 17 00:00:00 2001
+From: Lukasz Czechowski <lukasz.czechowski@thaumatec.com>
+Date: Tue, 21 Jan 2025 13:56:04 +0100
+Subject: arm64: dts: rockchip: Disable DMA for uart5 on px30-ringneck
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lukasz Czechowski <lukasz.czechowski@thaumatec.com>
+
+commit 5ae4dca718eacd0a56173a687a3736eb7e627c77 upstream.
+
+UART controllers without flow control seem to behave unstable
+in case DMA is enabled. The issues were indicated in the message:
+https://lore.kernel.org/linux-arm-kernel/CAMdYzYpXtMocCtCpZLU_xuWmOp2Ja_v0Aj0e6YFNRA-yV7u14g@mail.gmail.com/
+In case of PX30-uQ7 Ringneck SoM, it was noticed that after couple
+of hours of UART communication, the CPU stall was occurring,
+leading to the system becoming unresponsive.
+After disabling the DMA, extensive UART communication tests for
+up to two weeks were performed, and no issues were further
+observed.
+The flow control pins for uart5 are not available on PX30-uQ7
+Ringneck, as configured by pinctrl-0, so the DMA nodes were
+removed on SoM dtsi.
+
+Cc: stable@vger.kernel.org
+Fixes: c484cf93f61b ("arm64: dts: rockchip: add PX30-µQ7 (Ringneck) SoM with Haikou baseboard")
+Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
+Signed-off-by: Lukasz Czechowski <lukasz.czechowski@thaumatec.com>
+Link: https://lore.kernel.org/r/20250121125604.3115235-3-lukasz.czechowski@thaumatec.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/rockchip/px30-ringneck.dtsi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/boot/dts/rockchip/px30-ringneck.dtsi
++++ b/arch/arm64/boot/dts/rockchip/px30-ringneck.dtsi
+@@ -374,6 +374,8 @@
+ };
+
+ &uart5 {
++ /delete-property/ dmas;
++ /delete-property/ dma-names;
+ pinctrl-0 = <&uart5_xfer>;
+ };
+
--- /dev/null
+From 5c8f9a05336cf5cadbd57ad461621b386aadb762 Mon Sep 17 00:00:00 2001
+From: Alexander Shiyan <eagle.alexander923@gmail.com>
+Date: Thu, 30 Jan 2025 08:38:49 +0300
+Subject: arm64: dts: rockchip: Fix broken tsadc pinctrl names for rk3588
+
+From: Alexander Shiyan <eagle.alexander923@gmail.com>
+
+commit 5c8f9a05336cf5cadbd57ad461621b386aadb762 upstream.
+
+The tsadc driver does not handle pinctrl "gpio" and "otpout".
+Let's use the correct pinctrl names "default" and "sleep".
+Additionally, Alexey Charkov's testing [1] has established that
+it is necessary for pinctrl state to reference the &tsadc_shut_org
+configuration rather than &tsadc_shut for the driver to function correctly.
+
+[1] https://lkml.org/lkml/2025/1/24/966
+
+Fixes: 32641b8ab1a5 ("arm64: dts: rockchip: add rk3588 thermal sensor")
+Cc: stable@vger.kernel.org
+Reviewed-by: Dragan Simic <dsimic@manjaro.org>
+Signed-off-by: Alexander Shiyan <eagle.alexander923@gmail.com>
+Link: https://lore.kernel.org/r/20250130053849.4902-1-eagle.alexander923@gmail.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3588-base.dtsi | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/arm64/boot/dts/rockchip/rk3588-base.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3588-base.dtsi
+@@ -2626,9 +2626,9 @@
+ rockchip,hw-tshut-temp = <120000>;
+ rockchip,hw-tshut-mode = <0>; /* tshut mode 0:CRU 1:GPIO */
+ rockchip,hw-tshut-polarity = <0>; /* tshut polarity 0:LOW 1:HIGH */
+- pinctrl-0 = <&tsadc_gpio_func>;
+- pinctrl-1 = <&tsadc_shut>;
+- pinctrl-names = "gpio", "otpout";
++ pinctrl-0 = <&tsadc_shut_org>;
++ pinctrl-1 = <&tsadc_gpio_func>;
++ pinctrl-names = "default", "sleep";
+ #thermal-sensor-cells = <1>;
+ status = "disabled";
+ };
--- /dev/null
+From 4eee627ea59304cdd66c5d4194ef13486a6c44fc Mon Sep 17 00:00:00 2001
+From: Lukasz Czechowski <lukasz.czechowski@thaumatec.com>
+Date: Tue, 21 Jan 2025 13:56:03 +0100
+Subject: arm64: dts: rockchip: Move uart5 pin configuration to px30 ringneck SoM
+
+From: Lukasz Czechowski <lukasz.czechowski@thaumatec.com>
+
+commit 4eee627ea59304cdd66c5d4194ef13486a6c44fc upstream.
+
+In the PX30-uQ7 (Ringneck) SoM, the hardware CTS and RTS pins for
+uart5 cannot be used for the UART CTS/RTS, because they are already
+allocated for different purposes. CTS pin is routed to SUS_S3#
+signal, while RTS pin is used internally and is not available on
+Q7 connector. Move definition of the pinctrl-0 property from
+px30-ringneck-haikou.dts to px30-ringneck.dtsi.
+
+This commit is a dependency to next commit in the patch series,
+that disables DMA for uart5.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
+Signed-off-by: Lukasz Czechowski <lukasz.czechowski@thaumatec.com>
+Link: https://lore.kernel.org/r/20250121125604.3115235-2-lukasz.czechowski@thaumatec.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/rockchip/px30-ringneck-haikou.dts | 1 -
+ arch/arm64/boot/dts/rockchip/px30-ringneck.dtsi | 4 ++++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/rockchip/px30-ringneck-haikou.dts
++++ b/arch/arm64/boot/dts/rockchip/px30-ringneck-haikou.dts
+@@ -226,7 +226,6 @@
+ };
+
+ &uart5 {
+- pinctrl-0 = <&uart5_xfer>;
+ rts-gpios = <&gpio0 RK_PB5 GPIO_ACTIVE_HIGH>;
+ status = "okay";
+ };
+--- a/arch/arm64/boot/dts/rockchip/px30-ringneck.dtsi
++++ b/arch/arm64/boot/dts/rockchip/px30-ringneck.dtsi
+@@ -373,6 +373,10 @@
+ status = "okay";
+ };
+
++&uart5 {
++ pinctrl-0 = <&uart5_xfer>;
++};
++
+ /* Mule UCAN */
+ &usb_host0_ehci {
+ status = "okay";
--- /dev/null
+From a8c9a453387640dbe45761970f41301a6985e7fa Mon Sep 17 00:00:00 2001
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Date: Thu, 16 Jan 2025 06:24:36 -0800
+Subject: ASoC: fsl_micfil: Enable default case in micfil_set_quality()
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+commit a8c9a453387640dbe45761970f41301a6985e7fa upstream.
+
+If 'micfil->quality' received from micfil_quality_set() somehow ends
+up with an unpredictable value, switch() operator will fail to
+initialize local variable qsel before regmap_update_bits() tries
+to utilize it.
+
+While it is unlikely, play it safe and enable a default case that
+returns -EINVAL error.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: bea1d61d5892 ("ASoC: fsl_micfil: rework quality setting")
+Cc: stable@vger.kernel.org
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Link: https://patch.msgid.link/20250116142436.22389-1-n.zhandarovich@fintech.ru
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/fsl/fsl_micfil.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/soc/fsl/fsl_micfil.c
++++ b/sound/soc/fsl/fsl_micfil.c
+@@ -156,6 +156,8 @@ static int micfil_set_quality(struct fsl
+ case QUALITY_VLOW2:
+ qsel = MICFIL_QSEL_VLOW2_QUALITY;
+ break;
++ default:
++ return -EINVAL;
+ }
+
+ return regmap_update_bits(micfil->regmap, REG_MICFIL_CTRL2,
--- /dev/null
+From 46c7b901e2a03536df5a3cb40b3b26e2be505df6 Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Date: Wed, 5 Feb 2025 15:52:32 +0200
+Subject: ASoC: SOF: pcm: Clear the susbstream pointer to NULL on close
+
+From: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+
+commit 46c7b901e2a03536df5a3cb40b3b26e2be505df6 upstream.
+
+The spcm->stream[substream->stream].substream is set during open and was
+left untouched. After the first PCM stream it will never be NULL and we
+have code which checks for substream NULLity as indication if the stream is
+active or not.
+For the compressed cstream pointer the same has been done, this change will
+correct the handling of PCM streams.
+
+Fixes: 090349a9feba ("ASoC: SOF: Add support for compress API for stream data/offset")
+Cc: stable@vger.kernel.org
+Reported-by: Curtis Malainey <cujomalainey@chromium.org>
+Closes: https://github.com/thesofproject/linux/pull/5214
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Reviewed-by: Daniel Baluta <daniel.baluta@nxp.com>
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Reviewed-by: Curtis Malainey <cujomalainey@chromium.org>
+Link: https://patch.msgid.link/20250205135232.19762-3-peter.ujfalusi@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/sof/pcm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/soc/sof/pcm.c
++++ b/sound/soc/sof/pcm.c
+@@ -511,6 +511,8 @@ static int sof_pcm_close(struct snd_soc_
+ */
+ }
+
++ spcm->stream[substream->stream].substream = NULL;
++
+ return 0;
+ }
+
--- /dev/null
+From d8d99c3b5c485f339864aeaa29f76269cc0ea975 Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Date: Wed, 5 Feb 2025 15:52:31 +0200
+Subject: ASoC: SOF: stream-ipc: Check for cstream nullity in sof_ipc_msg_data()
+
+From: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+
+commit d8d99c3b5c485f339864aeaa29f76269cc0ea975 upstream.
+
+The nullity of sps->cstream should be checked similarly as it is done in
+sof_set_stream_data_offset() function.
+Assuming that it is not NULL if sps->stream is NULL is incorrect and can
+lead to NULL pointer dereference.
+
+Fixes: 090349a9feba ("ASoC: SOF: Add support for compress API for stream data/offset")
+Cc: stable@vger.kernel.org
+Reported-by: Curtis Malainey <cujomalainey@chromium.org>
+Closes: https://github.com/thesofproject/linux/pull/5214
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
+Reviewed-by: Daniel Baluta <daniel.baluta@nxp.com>
+Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Reviewed-by: Bard Liao <yung-chuan.liao@linux.intel.com>
+Reviewed-by: Curtis Malainey <cujomalainey@chromium.org>
+Link: https://patch.msgid.link/20250205135232.19762-2-peter.ujfalusi@linux.intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/sof/stream-ipc.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/sound/soc/sof/stream-ipc.c
++++ b/sound/soc/sof/stream-ipc.c
+@@ -43,7 +43,7 @@ int sof_ipc_msg_data(struct snd_sof_dev
+ return -ESTRPIPE;
+
+ posn_offset = stream->posn_offset;
+- } else {
++ } else if (sps->cstream) {
+
+ struct sof_compr_stream *sstream = sps->cstream->runtime->private_data;
+
+@@ -51,6 +51,10 @@ int sof_ipc_msg_data(struct snd_sof_dev
+ return -ESTRPIPE;
+
+ posn_offset = sstream->posn_offset;
++
++ } else {
++ dev_err(sdev->dev, "%s: No stream opened\n", __func__);
++ return -EINVAL;
+ }
+
+ snd_sof_dsp_mailbox_read(sdev, posn_offset, p, sz);
--- /dev/null
+From 166ce267ae3f96e439d8ccc838e8ec4d8b4dab73 Mon Sep 17 00:00:00 2001
+From: Imre Deak <imre.deak@intel.com>
+Date: Fri, 14 Feb 2025 16:19:52 +0200
+Subject: drm/i915/ddi: Fix HDMI port width programming in DDI_BUF_CTL
+
+From: Imre Deak <imre.deak@intel.com>
+
+commit 166ce267ae3f96e439d8ccc838e8ec4d8b4dab73 upstream.
+
+Fix the port width programming in the DDI_BUF_CTL register on MTLP+,
+where this had an off-by-one error.
+
+Cc: <stable@vger.kernel.org> # v6.5+
+Fixes: b66a8abaa48a ("drm/i915/display/mtl: Fill port width in DDI_BUF_/TRANS_DDI_FUNC_/PORT_BUF_CTL for HDMI")
+Reviewed-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20250214142001.552916-3-imre.deak@intel.com
+(cherry picked from commit b2ecdabe46d23db275f94cd7c46ca414a144818b)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/display/intel_ddi.c | 2 +-
+ drivers/gpu/drm/i915/i915_reg.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i915/display/intel_ddi.c
++++ b/drivers/gpu/drm/i915/display/intel_ddi.c
+@@ -3363,7 +3363,7 @@ static void intel_enable_ddi_hdmi(struct
+ intel_de_rmw(dev_priv, XELPDP_PORT_BUF_CTL1(dev_priv, port),
+ XELPDP_PORT_WIDTH_MASK | XELPDP_PORT_REVERSAL, port_buf);
+
+- buf_ctl |= DDI_PORT_WIDTH(lane_count);
++ buf_ctl |= DDI_PORT_WIDTH(crtc_state->lane_count);
+
+ if (DISPLAY_VER(dev_priv) >= 20)
+ buf_ctl |= XE2LPD_DDI_BUF_D2D_LINK_ENABLE;
+--- a/drivers/gpu/drm/i915/i915_reg.h
++++ b/drivers/gpu/drm/i915/i915_reg.h
+@@ -3869,7 +3869,7 @@ enum skl_power_gate {
+ #define DDI_BUF_IS_IDLE (1 << 7)
+ #define DDI_BUF_CTL_TC_PHY_OWNERSHIP REG_BIT(6)
+ #define DDI_A_4_LANES (1 << 4)
+-#define DDI_PORT_WIDTH(width) (((width) - 1) << 1)
++#define DDI_PORT_WIDTH(width) (((width) == 3 ? 4 : ((width) - 1)) << 1)
+ #define DDI_PORT_WIDTH_MASK (7 << 1)
+ #define DDI_PORT_WIDTH_SHIFT 1
+ #define DDI_INIT_DISPLAY_DETECTED (1 << 0)
--- /dev/null
+From b9275eabe31e6679ae12c46a4a0a18d622db4570 Mon Sep 17 00:00:00 2001
+From: Imre Deak <imre.deak@intel.com>
+Date: Tue, 18 Feb 2025 00:38:27 +0200
+Subject: drm/i915/dp: Fix error handling during 128b/132b link training
+
+From: Imre Deak <imre.deak@intel.com>
+
+commit b9275eabe31e6679ae12c46a4a0a18d622db4570 upstream.
+
+At the end of a 128b/132b link training sequence, the HW expects the
+transcoder training pattern to be set to TPS2 and from that to normal
+mode (disabling the training pattern). Transitioning from TPS1 directly
+to normal mode leaves the transcoder in a stuck state, resulting in
+page-flip timeouts later in the modeset sequence.
+
+Atm, in case of a failure during link training, the transcoder may be
+still set to output the TPS1 pattern. Later the transcoder is then set
+from TPS1 directly to normal mode in intel_dp_stop_link_train(), leading
+to modeset failures later as described above. Fix this by setting the
+training patter to TPS2, if the link training failed at any point.
+
+The clue in the specification about the above HW behavior is the
+explicit mention that TPS2 must be set after the link training sequence
+(and there isn't a similar requirement specified for the 8b/10b link
+training), see the Bspec links below.
+
+v2: Add bspec aspect/link to the commit log. (Jani)
+
+Bspec: 54128, 65448, 68849
+Cc: stable@vger.kernel.org # v5.18+
+Cc: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Acked-by: Jani Nikula <jani.nikula@intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20250217223828.1166093-2-imre.deak@intel.com
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+(cherry picked from commit 8b4bbaf8ddc1f68f3ee96a706f65fdb1bcd9d355)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/display/intel_dp_link_training.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/display/intel_dp_link_training.c
++++ b/drivers/gpu/drm/i915/display/intel_dp_link_training.c
+@@ -1561,7 +1561,7 @@ intel_dp_128b132b_link_train(struct inte
+
+ if (wait_for(intel_dp_128b132b_intra_hop(intel_dp, crtc_state) == 0, 500)) {
+ lt_err(intel_dp, DP_PHY_DPRX, "128b/132b intra-hop not clear\n");
+- return false;
++ goto out;
+ }
+
+ if (intel_dp_128b132b_lane_eq(intel_dp, crtc_state) &&
+@@ -1573,6 +1573,19 @@ intel_dp_128b132b_link_train(struct inte
+ passed ? "passed" : "failed",
+ crtc_state->port_clock, crtc_state->lane_count);
+
++out:
++ /*
++ * Ensure that the training pattern does get set to TPS2 even in case
++ * of a failure, as is the case at the end of a passing link training
++ * and what is expected by the transcoder. Leaving TPS1 set (and
++ * disabling the link train mode in DP_TP_CTL later from TPS1 directly)
++ * would result in a stuck transcoder HW state and flip-done timeouts
++ * later in the modeset sequence.
++ */
++ if (!passed)
++ intel_dp_program_link_training_pattern(intel_dp, crtc_state,
++ DP_PHY_DPRX, DP_TRAINING_PATTERN_2);
++
+ return passed;
+ }
+
--- /dev/null
+From e49477f7f78598295551d486ecc7f020d796432e Mon Sep 17 00:00:00 2001
+From: Krzysztof Karas <krzysztof.karas@intel.com>
+Date: Thu, 16 Jan 2025 10:40:46 +0000
+Subject: drm/i915/gt: Use spin_lock_irqsave() in interruptible context
+
+From: Krzysztof Karas <krzysztof.karas@intel.com>
+
+commit e49477f7f78598295551d486ecc7f020d796432e upstream.
+
+spin_lock/unlock() functions used in interrupt contexts could
+result in a deadlock, as seen in GitLab issue #13399,
+which occurs when interrupt comes in while holding a lock.
+
+Try to remedy the problem by saving irq state before spin lock
+acquisition.
+
+v2: add irqs' state save/restore calls to all locks/unlocks in
+ signal_irq_work() execution (Maciej)
+
+v3: use with spin_lock_irqsave() in guc_lrc_desc_unpin() instead
+ of other lock/unlock calls and add Fixes and Cc tags (Tvrtko);
+ change title and commit message
+
+Fixes: 2f2cc53b5fe7 ("drm/i915/guc: Close deregister-context race against CT-loss")
+Closes: https://gitlab.freedesktop.org/drm/i915/kernel/-/issues/13399
+Signed-off-by: Krzysztof Karas <krzysztof.karas@intel.com>
+Cc: <stable@vger.kernel.org> # v6.9+
+Reviewed-by: Maciej Patelczyk <maciej.patelczyk@intel.com>
+Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
+Signed-off-by: Andi Shyti <andi.shyti@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/pusppq5ybyszau2oocboj3mtj5x574gwij323jlclm5zxvimmu@mnfg6odxbpsv
+(cherry picked from commit c088387ddd6482b40f21ccf23db1125e8fa4af7e)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
++++ b/drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c
+@@ -3425,10 +3425,10 @@ static inline int guc_lrc_desc_unpin(str
+ */
+ ret = deregister_context(ce, ce->guc_id.id);
+ if (ret) {
+- spin_lock(&ce->guc_state.lock);
++ spin_lock_irqsave(&ce->guc_state.lock, flags);
+ set_context_registered(ce);
+ clr_context_destroyed(ce);
+- spin_unlock(&ce->guc_state.lock);
++ spin_unlock_irqrestore(&ce->guc_state.lock, flags);
+ /*
+ * As gt-pm is awake at function entry, intel_wakeref_put_async merely decrements
+ * the wakeref immediately but per function spec usage call this after unlock.
--- /dev/null
+From 07fb70d82e0df085980246bf17bc12537588795f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Wed, 12 Feb 2025 18:43:21 +0200
+Subject: drm/i915: Make sure all planes in use by the joiner have their crtc included
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit 07fb70d82e0df085980246bf17bc12537588795f upstream.
+
+Any active plane needs to have its crtc included in the atomic
+state. For planes enabled via uapi that is all handler in the core.
+But when we use a plane for joiner the uapi code things the plane
+is disabled and therefore doesn't have a crtc. So we need to pull
+those in by hand. We do it first thing in
+intel_joiner_add_affected_crtcs() so that any newly added crtc will
+subsequently pull in all of its joined crtcs as well.
+
+The symptoms from failing to do this are:
+- duct tape in the form of commit 1d5b09f8daf8 ("drm/i915: Fix NULL
+ ptr deref by checking new_crtc_state")
+- the plane's hw state will get overwritten by the disabled
+ uapi state if it can't find the uapi counterpart plane in
+ the atomic state from where it should copy the correct state
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20250212164330.16891-2-ville.syrjala@linux.intel.com
+(cherry picked from commit 91077d1deb5374eb8be00fb391710f00e751dc4b)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/display/intel_display.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/gpu/drm/i915/display/intel_display.c
++++ b/drivers/gpu/drm/i915/display/intel_display.c
+@@ -6369,12 +6369,30 @@ static int intel_async_flip_check_hw(str
+ static int intel_joiner_add_affected_crtcs(struct intel_atomic_state *state)
+ {
+ struct drm_i915_private *i915 = to_i915(state->base.dev);
++ const struct intel_plane_state *plane_state;
+ struct intel_crtc_state *crtc_state;
++ struct intel_plane *plane;
+ struct intel_crtc *crtc;
+ u8 affected_pipes = 0;
+ u8 modeset_pipes = 0;
+ int i;
+
++ /*
++ * Any plane which is in use by the joiner needs its crtc.
++ * Pull those in first as this will not have happened yet
++ * if the plane remains disabled according to uapi.
++ */
++ for_each_new_intel_plane_in_state(state, plane, plane_state, i) {
++ crtc = to_intel_crtc(plane_state->hw.crtc);
++ if (!crtc)
++ continue;
++
++ crtc_state = intel_atomic_get_crtc_state(&state->base, crtc);
++ if (IS_ERR(crtc_state))
++ return PTR_ERR(crtc_state);
++ }
++
++ /* Now pull in all joined crtcs */
+ for_each_new_intel_crtc_in_state(state, crtc, crtc_state, i) {
+ affected_pipes |= crtc_state->joiner_pipes;
+ if (intel_crtc_needs_modeset(crtc_state))
--- /dev/null
+From f063ac6b55df03ed25996bdc84d9e1c50147cfa1 Mon Sep 17 00:00:00 2001
+From: Jessica Zhang <quic_jesszhan@quicinc.com>
+Date: Tue, 11 Feb 2025 19:59:19 -0800
+Subject: drm/msm/dpu: Disable dither in phys encoder cleanup
+
+From: Jessica Zhang <quic_jesszhan@quicinc.com>
+
+commit f063ac6b55df03ed25996bdc84d9e1c50147cfa1 upstream.
+
+Disable pingpong dither in dpu_encoder_helper_phys_cleanup().
+
+This avoids the issue where an encoder unknowingly uses dither after
+reserving a pingpong block that was previously bound to an encoder that
+had enabled dither.
+
+Cc: stable@vger.kernel.org
+Reported-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Closes: https://lore.kernel.org/all/jr7zbj5w7iq4apg3gofuvcwf4r2swzqjk7sshwcdjll4mn6ctt@l2n3qfpujg3q/
+Signed-off-by: Jessica Zhang <quic_jesszhan@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Fixes: 3c128638a07d ("drm/msm/dpu: add support for dither block in display")
+Patchwork: https://patchwork.freedesktop.org/patch/636517/
+Link: https://lore.kernel.org/r/20250211-dither-disable-v1-1-ac2cb455f6b9@quicinc.com
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
+@@ -2125,6 +2125,9 @@ void dpu_encoder_helper_phys_cleanup(str
+ }
+ }
+
++ if (phys_enc->hw_pp && phys_enc->hw_pp->ops.setup_dither)
++ phys_enc->hw_pp->ops.setup_dither(phys_enc->hw_pp, NULL);
++
+ /* reset the merge 3D HW block */
+ if (phys_enc->hw_pp && phys_enc->hw_pp->merge_3d) {
+ phys_enc->hw_pp->merge_3d->ops.setup_3d_mode(phys_enc->hw_pp->merge_3d,
--- /dev/null
+From a8972d5a49b408248294b5ecbdd0a085e4726349 Mon Sep 17 00:00:00 2001
+From: Hugo Villeneuve <hvilleneuve@dimonoff.com>
+Date: Fri, 27 Sep 2024 09:53:05 -0400
+Subject: drm: panel: jd9365da-h3: fix reset signal polarity
+
+From: Hugo Villeneuve <hvilleneuve@dimonoff.com>
+
+commit a8972d5a49b408248294b5ecbdd0a085e4726349 upstream.
+
+In jadard_prepare() a reset pulse is generated with the following
+statements (delays ommited for clarity):
+
+ gpiod_set_value(jadard->reset, 1); --> Deassert reset
+ gpiod_set_value(jadard->reset, 0); --> Assert reset for 10ms
+ gpiod_set_value(jadard->reset, 1); --> Deassert reset
+
+However, specifying second argument of "0" to gpiod_set_value() means to
+deassert the GPIO, and "1" means to assert it. If the reset signal is
+defined as GPIO_ACTIVE_LOW in the DTS, the above statements will
+incorrectly generate the reset pulse (inverted) and leave it asserted
+(LOW) at the end of jadard_prepare().
+
+Fix reset behavior by inverting gpiod_set_value() second argument
+in jadard_prepare(). Also modify second argument to devm_gpiod_get()
+in jadard_dsi_probe() to assert the reset when probing.
+
+Do not modify it in jadard_unprepare() as it is already properly
+asserted with "1", which seems to be the intended behavior.
+
+Fixes: 6b818c533dd8 ("drm: panel: Add Jadard JD9365DA-H3 DSI panel")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hugo Villeneuve <hvilleneuve@dimonoff.com>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/20240927135306.857617-1-hugo@hugovil.com
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240927135306.857617-1-hugo@hugovil.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/panel/panel-jadard-jd9365da-h3.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/panel/panel-jadard-jd9365da-h3.c
++++ b/drivers/gpu/drm/panel/panel-jadard-jd9365da-h3.c
+@@ -109,13 +109,13 @@ static int jadard_prepare(struct drm_pan
+ if (jadard->desc->lp11_to_reset_delay_ms)
+ msleep(jadard->desc->lp11_to_reset_delay_ms);
+
+- gpiod_set_value(jadard->reset, 1);
++ gpiod_set_value(jadard->reset, 0);
+ msleep(5);
+
+- gpiod_set_value(jadard->reset, 0);
++ gpiod_set_value(jadard->reset, 1);
+ msleep(10);
+
+- gpiod_set_value(jadard->reset, 1);
++ gpiod_set_value(jadard->reset, 0);
+ msleep(130);
+
+ ret = jadard->desc->init(jadard);
+@@ -1130,7 +1130,7 @@ static int jadard_dsi_probe(struct mipi_
+ dsi->format = desc->format;
+ dsi->lanes = desc->lanes;
+
+- jadard->reset = devm_gpiod_get(dev, "reset", GPIOD_OUT_LOW);
++ jadard->reset = devm_gpiod_get(dev, "reset", GPIOD_OUT_HIGH);
+ if (IS_ERR(jadard->reset)) {
+ DRM_DEV_ERROR(&dsi->dev, "failed to get our reset GPIO\n");
+ return PTR_ERR(jadard->reset);
--- /dev/null
+From 07b598c0e6f06a0f254c88dafb4ad50f8a8c6eea Mon Sep 17 00:00:00 2001
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+Date: Thu, 13 Feb 2025 15:20:55 +0000
+Subject: drop_monitor: fix incorrect initialization order
+
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+
+commit 07b598c0e6f06a0f254c88dafb4ad50f8a8c6eea upstream.
+
+Syzkaller reports the following bug:
+
+BUG: spinlock bad magic on CPU#1, syz-executor.0/7995
+ lock: 0xffff88805303f3e0, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0
+CPU: 1 PID: 7995 Comm: syz-executor.0 Tainted: G E 5.10.209+ #1
+Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x119/0x179 lib/dump_stack.c:118
+ debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]
+ do_raw_spin_lock+0x1f6/0x270 kernel/locking/spinlock_debug.c:112
+ __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:117 [inline]
+ _raw_spin_lock_irqsave+0x50/0x70 kernel/locking/spinlock.c:159
+ reset_per_cpu_data+0xe6/0x240 [drop_monitor]
+ net_dm_cmd_trace+0x43d/0x17a0 [drop_monitor]
+ genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739
+ genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
+ genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800
+ netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2497
+ genl_rcv+0x29/0x40 net/netlink/genetlink.c:811
+ netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
+ netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1348
+ netlink_sendmsg+0x914/0xe00 net/netlink/af_netlink.c:1916
+ sock_sendmsg_nosec net/socket.c:651 [inline]
+ __sock_sendmsg+0x157/0x190 net/socket.c:663
+ ____sys_sendmsg+0x712/0x870 net/socket.c:2378
+ ___sys_sendmsg+0xf8/0x170 net/socket.c:2432
+ __sys_sendmsg+0xea/0x1b0 net/socket.c:2461
+ do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x62/0xc7
+RIP: 0033:0x7f3f9815aee9
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f3f972bf0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00007f3f9826d050 RCX: 00007f3f9815aee9
+RDX: 0000000020000000 RSI: 0000000020001300 RDI: 0000000000000007
+RBP: 00007f3f981b63bd R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 000000000000006e R14: 00007f3f9826d050 R15: 00007ffe01ee6768
+
+If drop_monitor is built as a kernel module, syzkaller may have time
+to send a netlink NET_DM_CMD_START message during the module loading.
+This will call the net_dm_monitor_start() function that uses
+a spinlock that has not yet been initialized.
+
+To fix this, let's place resource initialization above the registration
+of a generic netlink family.
+
+Found by InfoTeCS on behalf of Linux Verification Center
+(linuxtesting.org) with Syzkaller.
+
+Fixes: 9a8afc8d3962 ("Network Drop Monitor: Adding drop monitor implementation & Netlink protocol")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ilia Gavrilov <Ilia.Gavrilov@infotecs.ru>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20250213152054.2785669-1-Ilia.Gavrilov@infotecs.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/drop_monitor.c | 29 ++++++++++++++---------------
+ 1 file changed, 14 insertions(+), 15 deletions(-)
+
+--- a/net/core/drop_monitor.c
++++ b/net/core/drop_monitor.c
+@@ -1734,30 +1734,30 @@ static int __init init_net_drop_monitor(
+ return -ENOSPC;
+ }
+
+- rc = genl_register_family(&net_drop_monitor_family);
+- if (rc) {
+- pr_err("Could not create drop monitor netlink family\n");
+- return rc;
++ for_each_possible_cpu(cpu) {
++ net_dm_cpu_data_init(cpu);
++ net_dm_hw_cpu_data_init(cpu);
+ }
+- WARN_ON(net_drop_monitor_family.mcgrp_offset != NET_DM_GRP_ALERT);
+
+ rc = register_netdevice_notifier(&dropmon_net_notifier);
+ if (rc < 0) {
+ pr_crit("Failed to register netdevice notifier\n");
++ return rc;
++ }
++
++ rc = genl_register_family(&net_drop_monitor_family);
++ if (rc) {
++ pr_err("Could not create drop monitor netlink family\n");
+ goto out_unreg;
+ }
++ WARN_ON(net_drop_monitor_family.mcgrp_offset != NET_DM_GRP_ALERT);
+
+ rc = 0;
+
+- for_each_possible_cpu(cpu) {
+- net_dm_cpu_data_init(cpu);
+- net_dm_hw_cpu_data_init(cpu);
+- }
+-
+ goto out;
+
+ out_unreg:
+- genl_unregister_family(&net_drop_monitor_family);
++ WARN_ON(unregister_netdevice_notifier(&dropmon_net_notifier));
+ out:
+ return rc;
+ }
+@@ -1766,19 +1766,18 @@ static void exit_net_drop_monitor(void)
+ {
+ int cpu;
+
+- BUG_ON(unregister_netdevice_notifier(&dropmon_net_notifier));
+-
+ /*
+ * Because of the module_get/put we do in the trace state change path
+ * we are guaranteed not to have any current users when we get here
+ */
++ BUG_ON(genl_unregister_family(&net_drop_monitor_family));
++
++ BUG_ON(unregister_netdevice_notifier(&dropmon_net_notifier));
+
+ for_each_possible_cpu(cpu) {
+ net_dm_hw_cpu_data_fini(cpu);
+ net_dm_cpu_data_fini(cpu);
+ }
+-
+- BUG_ON(genl_unregister_family(&net_drop_monitor_family));
+ }
+
+ module_init(init_net_drop_monitor);
--- /dev/null
+From c158647c107358bf1be579f98e4bb705c1953292 Mon Sep 17 00:00:00 2001
+From: Komal Bajaj <quic_kbajaj@quicinc.com>
+Date: Tue, 19 Nov 2024 12:16:08 +0530
+Subject: EDAC/qcom: Correct interrupt enable register configuration
+
+From: Komal Bajaj <quic_kbajaj@quicinc.com>
+
+commit c158647c107358bf1be579f98e4bb705c1953292 upstream.
+
+The previous implementation incorrectly configured the cmn_interrupt_2_enable
+register for interrupt handling. Using cmn_interrupt_2_enable to configure
+Tag, Data RAM ECC interrupts would lead to issues like double handling of the
+interrupts (EL1 and EL3) as cmn_interrupt_2_enable is meant to be configured
+for interrupts which needs to be handled by EL3.
+
+EL1 LLCC EDAC driver needs to use cmn_interrupt_0_enable register to configure
+Tag, Data RAM ECC interrupts instead of cmn_interrupt_2_enable.
+
+Fixes: 27450653f1db ("drivers: edac: Add EDAC driver support for QCOM SoCs")
+Signed-off-by: Komal Bajaj <quic_kbajaj@quicinc.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Cc: <stable@kernel.org>
+Link: https://lore.kernel.org/r/20241119064608.12326-1-quic_kbajaj@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/edac/qcom_edac.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/edac/qcom_edac.c
++++ b/drivers/edac/qcom_edac.c
+@@ -95,7 +95,7 @@ static int qcom_llcc_core_setup(struct l
+ * Configure interrupt enable registers such that Tag, Data RAM related
+ * interrupts are propagated to interrupt controller for servicing
+ */
+- ret = regmap_update_bits(llcc_bcast_regmap, drv->edac_reg_offset->cmn_interrupt_2_enable,
++ ret = regmap_update_bits(llcc_bcast_regmap, drv->edac_reg_offset->cmn_interrupt_0_enable,
+ TRP0_INTERRUPT_ENABLE,
+ TRP0_INTERRUPT_ENABLE);
+ if (ret)
+@@ -113,7 +113,7 @@ static int qcom_llcc_core_setup(struct l
+ if (ret)
+ return ret;
+
+- ret = regmap_update_bits(llcc_bcast_regmap, drv->edac_reg_offset->cmn_interrupt_2_enable,
++ ret = regmap_update_bits(llcc_bcast_regmap, drv->edac_reg_offset->cmn_interrupt_0_enable,
+ DRP0_INTERRUPT_ENABLE,
+ DRP0_INTERRUPT_ENABLE);
+ if (ret)
--- /dev/null
+From 57b76bedc5c52c66968183b5ef57234894c25ce7 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Thu, 20 Feb 2025 15:07:49 +0100
+Subject: ftrace: Correct preemption accounting for function tracing.
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+commit 57b76bedc5c52c66968183b5ef57234894c25ce7 upstream.
+
+The function tracer should record the preemption level at the point when
+the function is invoked. If the tracing subsystem decrement the
+preemption counter it needs to correct this before feeding the data into
+the trace buffer. This was broken in the commit cited below while
+shifting the preempt-disabled section.
+
+Use tracing_gen_ctx_dec() which properly subtracts one from the
+preemption counter on a preemptible kernel.
+
+Cc: stable@vger.kernel.org
+Cc: Wander Lairson Costa <wander@redhat.com>
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/20250220140749.pfw8qoNZ@linutronix.de
+Fixes: ce5e48036c9e7 ("ftrace: disable preemption when recursion locked")
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Tested-by: Wander Lairson Costa <wander@redhat.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_functions.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/kernel/trace/trace_functions.c
++++ b/kernel/trace/trace_functions.c
+@@ -193,7 +193,7 @@ function_trace_call(unsigned long ip, un
+ if (bit < 0)
+ return;
+
+- trace_ctx = tracing_gen_ctx();
++ trace_ctx = tracing_gen_ctx_dec();
+
+ cpu = smp_processor_id();
+ data = per_cpu_ptr(tr->array_buffer.data, cpu);
+@@ -298,7 +298,6 @@ function_no_repeats_trace_call(unsigned
+ struct trace_array *tr = op->private;
+ struct trace_array_cpu *data;
+ unsigned int trace_ctx;
+- unsigned long flags;
+ int bit;
+ int cpu;
+
+@@ -325,8 +324,7 @@ function_no_repeats_trace_call(unsigned
+ if (is_repeat_check(tr, last_info, ip, parent_ip))
+ goto out;
+
+- local_save_flags(flags);
+- trace_ctx = tracing_gen_ctx_flags(flags);
++ trace_ctx = tracing_gen_ctx_dec();
+ process_repeats(tr, ip, parent_ip, last_info, trace_ctx);
+
+ trace_function(tr, ip, parent_ip, trace_ctx);
--- /dev/null
+From 8eb4b09e0bbd30981305643229fe7640ad41b667 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Thu, 20 Feb 2025 15:20:11 -0500
+Subject: ftrace: Do not add duplicate entries in subops manager ops
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+commit 8eb4b09e0bbd30981305643229fe7640ad41b667 upstream.
+
+Check if a function is already in the manager ops of a subops. A manager
+ops contains multiple subops, and if two or more subops are tracing the
+same function, the manager ops only needs a single entry in its hash.
+
+Cc: stable@vger.kernel.org
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Sven Schnelle <svens@linux.ibm.com>
+Cc: Vasily Gorbik <gor@linux.ibm.com>
+Cc: Alexander Gordeev <agordeev@linux.ibm.com>
+Link: https://lore.kernel.org/20250220202055.226762894@goodmis.org
+Fixes: 4f554e955614f ("ftrace: Add ftrace_set_filter_ips function")
+Tested-by: Heiko Carstens <hca@linux.ibm.com>
+Reviewed-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/ftrace.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -5758,6 +5758,9 @@ __ftrace_match_addr(struct ftrace_hash *
+ return -ENOENT;
+ free_hash_entry(hash, entry);
+ return 0;
++ } else if (__ftrace_lookup_ip(hash, ip) != NULL) {
++ /* Already exists */
++ return 0;
+ }
+
+ entry = add_hash_entry(hash, ip);
--- /dev/null
+From 38b14061947fa546491656e3f5e388d4fedf8dba Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Thu, 20 Feb 2025 15:20:10 -0500
+Subject: ftrace: Fix accounting of adding subops to a manager ops
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+commit 38b14061947fa546491656e3f5e388d4fedf8dba upstream.
+
+Function graph uses a subops and manager ops mechanism to attach to
+ftrace. The manager ops connects to ftrace and the functions it connects
+to is defined by a list of subops that it manages.
+
+The function hash that defines what the above ops attaches to limits the
+functions to attach if the hash has any content. If the hash is empty, it
+means to trace all functions.
+
+The creation of the manager ops hash is done by iterating over all the
+subops hashes. If any of the subops hashes is empty, it means that the
+manager ops hash must trace all functions as well.
+
+The issue is in the creation of the manager ops. When a second subops is
+attached, a new hash is created by starting it as NULL and adding the
+subops one at a time. But the NULL ops is mistaken as an empty hash, and
+once an empty hash is found, it stops the loop of subops and just enables
+all functions.
+
+ # echo "f:myevent1 kernel_clone" >> /sys/kernel/tracing/dynamic_events
+ # cat /sys/kernel/tracing/enabled_functions
+kernel_clone (1) tramp: 0xffffffffc0309000 (ftrace_graph_func+0x0/0x60) ->ftrace_graph_func+0x0/0x60
+
+ # echo "f:myevent2 schedule_timeout" >> /sys/kernel/tracing/dynamic_events
+ # cat /sys/kernel/tracing/enabled_functions
+trace_initcall_start_cb (1) tramp: 0xffffffffc0309000 (ftrace_graph_func+0x0/0x60) ->ftrace_graph_func+0x0/0x60
+run_init_process (1) tramp: 0xffffffffc0309000 (ftrace_graph_func+0x0/0x60) ->ftrace_graph_func+0x0/0x60
+try_to_run_init_process (1) tramp: 0xffffffffc0309000 (ftrace_graph_func+0x0/0x60) ->ftrace_graph_func+0x0/0x60
+x86_pmu_show_pmu_cap (1) tramp: 0xffffffffc0309000 (ftrace_graph_func+0x0/0x60) ->ftrace_graph_func+0x0/0x60
+cleanup_rapl_pmus (1) tramp: 0xffffffffc0309000 (ftrace_graph_func+0x0/0x60) ->ftrace_graph_func+0x0/0x60
+uncore_free_pcibus_map (1) tramp: 0xffffffffc0309000 (ftrace_graph_func+0x0/0x60) ->ftrace_graph_func+0x0/0x60
+uncore_types_exit (1) tramp: 0xffffffffc0309000 (ftrace_graph_func+0x0/0x60) ->ftrace_graph_func+0x0/0x60
+uncore_pci_exit.part.0 (1) tramp: 0xffffffffc0309000 (ftrace_graph_func+0x0/0x60) ->ftrace_graph_func+0x0/0x60
+kvm_shutdown (1) tramp: 0xffffffffc0309000 (ftrace_graph_func+0x0/0x60) ->ftrace_graph_func+0x0/0x60
+vmx_dump_msrs (1) tramp: 0xffffffffc0309000 (ftrace_graph_func+0x0/0x60) ->ftrace_graph_func+0x0/0x60
+vmx_cleanup_l1d_flush (1) tramp: 0xffffffffc0309000 (ftrace_graph_func+0x0/0x60) ->ftrace_graph_func+0x0/0x60
+[..]
+
+Fix this by initializing the new hash to NULL and if the hash is NULL do
+not treat it as an empty hash but instead allocate by copying the content
+of the first sub ops. Then on subsequent iterations, the new hash will not
+be NULL, but the content of the previous subops. If that first subops
+attached to all functions, then new hash may assume that the manager ops
+also needs to attach to all functions.
+
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Heiko Carstens <hca@linux.ibm.com>
+Cc: Sven Schnelle <svens@linux.ibm.com>
+Cc: Vasily Gorbik <gor@linux.ibm.com>
+Cc: Alexander Gordeev <agordeev@linux.ibm.com>
+Link: https://lore.kernel.org/20250220202055.060300046@goodmis.org
+Fixes: 5fccc7552ccbc ("ftrace: Add subops logic to allow one ops to manage many")
+Reviewed-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/ftrace.c | 33 ++++++++++++++++++++++-----------
+ 1 file changed, 22 insertions(+), 11 deletions(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -3219,15 +3219,22 @@ static struct ftrace_hash *copy_hash(str
+ * The filter_hash updates uses just the append_hash() function
+ * and the notrace_hash does not.
+ */
+-static int append_hash(struct ftrace_hash **hash, struct ftrace_hash *new_hash)
++static int append_hash(struct ftrace_hash **hash, struct ftrace_hash *new_hash,
++ int size_bits)
+ {
+ struct ftrace_func_entry *entry;
+ int size;
+ int i;
+
+- /* An empty hash does everything */
+- if (ftrace_hash_empty(*hash))
+- return 0;
++ if (*hash) {
++ /* An empty hash does everything */
++ if (ftrace_hash_empty(*hash))
++ return 0;
++ } else {
++ *hash = alloc_ftrace_hash(size_bits);
++ if (!*hash)
++ return -ENOMEM;
++ }
+
+ /* If new_hash has everything make hash have everything */
+ if (ftrace_hash_empty(new_hash)) {
+@@ -3291,16 +3298,18 @@ static int intersect_hash(struct ftrace_
+ /* Return a new hash that has a union of all @ops->filter_hash entries */
+ static struct ftrace_hash *append_hashes(struct ftrace_ops *ops)
+ {
+- struct ftrace_hash *new_hash;
++ struct ftrace_hash *new_hash = NULL;
+ struct ftrace_ops *subops;
++ int size_bits;
+ int ret;
+
+- new_hash = alloc_ftrace_hash(ops->func_hash->filter_hash->size_bits);
+- if (!new_hash)
+- return NULL;
++ if (ops->func_hash->filter_hash)
++ size_bits = ops->func_hash->filter_hash->size_bits;
++ else
++ size_bits = FTRACE_HASH_DEFAULT_BITS;
+
+ list_for_each_entry(subops, &ops->subop_list, list) {
+- ret = append_hash(&new_hash, subops->func_hash->filter_hash);
++ ret = append_hash(&new_hash, subops->func_hash->filter_hash, size_bits);
+ if (ret < 0) {
+ free_ftrace_hash(new_hash);
+ return NULL;
+@@ -3309,7 +3318,8 @@ static struct ftrace_hash *append_hashes
+ if (ftrace_hash_empty(new_hash))
+ break;
+ }
+- return new_hash;
++ /* Can't return NULL as that means this failed */
++ return new_hash ? : EMPTY_HASH;
+ }
+
+ /* Make @ops trace evenything except what all its subops do not trace */
+@@ -3504,7 +3514,8 @@ int ftrace_startup_subops(struct ftrace_
+ filter_hash = alloc_and_copy_ftrace_hash(size_bits, ops->func_hash->filter_hash);
+ if (!filter_hash)
+ return -ENOMEM;
+- ret = append_hash(&filter_hash, subops->func_hash->filter_hash);
++ ret = append_hash(&filter_hash, subops->func_hash->filter_hash,
++ size_bits);
+ if (ret < 0) {
+ free_ftrace_hash(filter_hash);
+ return ret;
--- /dev/null
+From 9d846b1aebbe488f245f1aa463802ff9c34cc078 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Date: Mon, 10 Feb 2025 11:51:55 +0100
+Subject: gpiolib: check the return value of gpio_chip::get_direction()
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+commit 9d846b1aebbe488f245f1aa463802ff9c34cc078 upstream.
+
+As per the API contract - gpio_chip::get_direction() may fail and return
+a negative error number. However, we treat it as if it always returned 0
+or 1. Check the return value of the callback and propagate the error
+number up the stack.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/20250210-gpio-sanitize-retvals-v1-1-12ea88506cb2@linaro.org
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpiolib.c | 44 +++++++++++++++++++++++++++++---------------
+ 1 file changed, 29 insertions(+), 15 deletions(-)
+
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -1059,8 +1059,11 @@ int gpiochip_add_data_with_key(struct gp
+ struct gpio_desc *desc = &gdev->descs[desc_index];
+
+ if (gc->get_direction && gpiochip_line_is_valid(gc, desc_index)) {
+- assign_bit(FLAG_IS_OUT,
+- &desc->flags, !gc->get_direction(gc, desc_index));
++ ret = gc->get_direction(gc, desc_index);
++ if (ret < 0)
++ goto err_cleanup_desc_srcu;
++
++ assign_bit(FLAG_IS_OUT, &desc->flags, !ret);
+ } else {
+ assign_bit(FLAG_IS_OUT,
+ &desc->flags, !gc->direction_input);
+@@ -2702,13 +2705,18 @@ int gpiod_direction_input(struct gpio_de
+ if (guard.gc->direction_input) {
+ ret = guard.gc->direction_input(guard.gc,
+ gpio_chip_hwgpio(desc));
+- } else if (guard.gc->get_direction &&
+- (guard.gc->get_direction(guard.gc,
+- gpio_chip_hwgpio(desc)) != 1)) {
+- gpiod_warn(desc,
+- "%s: missing direction_input() operation and line is output\n",
+- __func__);
+- return -EIO;
++ } else if (guard.gc->get_direction) {
++ ret = guard.gc->get_direction(guard.gc,
++ gpio_chip_hwgpio(desc));
++ if (ret < 0)
++ return ret;
++
++ if (ret != GPIO_LINE_DIRECTION_IN) {
++ gpiod_warn(desc,
++ "%s: missing direction_input() operation and line is output\n",
++ __func__);
++ return -EIO;
++ }
+ }
+ if (ret == 0) {
+ clear_bit(FLAG_IS_OUT, &desc->flags);
+@@ -2746,12 +2754,18 @@ static int gpiod_direction_output_raw_co
+ gpio_chip_hwgpio(desc), val);
+ } else {
+ /* Check that we are in output mode if we can */
+- if (guard.gc->get_direction &&
+- guard.gc->get_direction(guard.gc, gpio_chip_hwgpio(desc))) {
+- gpiod_warn(desc,
+- "%s: missing direction_output() operation\n",
+- __func__);
+- return -EIO;
++ if (guard.gc->get_direction) {
++ ret = guard.gc->get_direction(guard.gc,
++ gpio_chip_hwgpio(desc));
++ if (ret < 0)
++ return ret;
++
++ if (ret != GPIO_LINE_DIRECTION_OUT) {
++ gpiod_warn(desc,
++ "%s: missing direction_output() operation\n",
++ __func__);
++ return -EIO;
++ }
+ }
+ /*
+ * If we can't actively set the direction, we are some
--- /dev/null
+From 81570d6a7ad37033c7895811551a5a9023706eda Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Date: Sat, 15 Feb 2025 10:56:55 +0100
+Subject: gpiolib: protect gpio_chip with SRCU in array_info paths in multi get/set
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+commit 81570d6a7ad37033c7895811551a5a9023706eda upstream.
+
+During the locking rework in GPIOLIB, we omitted one important use-case,
+namely: setting and getting values for GPIO descriptor arrays with
+array_info present.
+
+This patch does two things: first it makes struct gpio_array store the
+address of the underlying GPIO device and not chip. Next: it protects
+the chip with SRCU from removal in gpiod_get_array_value_complex() and
+gpiod_set_array_value_complex().
+
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250215095655.23152-1-brgl@bgdev.pl
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpio/gpiolib.c | 48 +++++++++++++++++++++++++++++++++---------------
+ drivers/gpio/gpiolib.h | 4 ++--
+ 2 files changed, 35 insertions(+), 17 deletions(-)
+
+--- a/drivers/gpio/gpiolib.c
++++ b/drivers/gpio/gpiolib.c
+@@ -3082,6 +3082,8 @@ static int gpiod_get_raw_value_commit(co
+ static int gpio_chip_get_multiple(struct gpio_chip *gc,
+ unsigned long *mask, unsigned long *bits)
+ {
++ lockdep_assert_held(&gc->gpiodev->srcu);
++
+ if (gc->get_multiple)
+ return gc->get_multiple(gc, mask, bits);
+ if (gc->get) {
+@@ -3112,6 +3114,7 @@ int gpiod_get_array_value_complex(bool r
+ struct gpio_array *array_info,
+ unsigned long *value_bitmap)
+ {
++ struct gpio_chip *gc;
+ int ret, i = 0;
+
+ /*
+@@ -3123,10 +3126,15 @@ int gpiod_get_array_value_complex(bool r
+ array_size <= array_info->size &&
+ (void *)array_info == desc_array + array_info->size) {
+ if (!can_sleep)
+- WARN_ON(array_info->chip->can_sleep);
++ WARN_ON(array_info->gdev->can_sleep);
+
+- ret = gpio_chip_get_multiple(array_info->chip,
+- array_info->get_mask,
++ guard(srcu)(&array_info->gdev->srcu);
++ gc = srcu_dereference(array_info->gdev->chip,
++ &array_info->gdev->srcu);
++ if (!gc)
++ return -ENODEV;
++
++ ret = gpio_chip_get_multiple(gc, array_info->get_mask,
+ value_bitmap);
+ if (ret)
+ return ret;
+@@ -3407,6 +3415,8 @@ static void gpiod_set_raw_value_commit(s
+ static void gpio_chip_set_multiple(struct gpio_chip *gc,
+ unsigned long *mask, unsigned long *bits)
+ {
++ lockdep_assert_held(&gc->gpiodev->srcu);
++
+ if (gc->set_multiple) {
+ gc->set_multiple(gc, mask, bits);
+ } else {
+@@ -3424,6 +3434,7 @@ int gpiod_set_array_value_complex(bool r
+ struct gpio_array *array_info,
+ unsigned long *value_bitmap)
+ {
++ struct gpio_chip *gc;
+ int i = 0;
+
+ /*
+@@ -3435,14 +3446,19 @@ int gpiod_set_array_value_complex(bool r
+ array_size <= array_info->size &&
+ (void *)array_info == desc_array + array_info->size) {
+ if (!can_sleep)
+- WARN_ON(array_info->chip->can_sleep);
++ WARN_ON(array_info->gdev->can_sleep);
++
++ guard(srcu)(&array_info->gdev->srcu);
++ gc = srcu_dereference(array_info->gdev->chip,
++ &array_info->gdev->srcu);
++ if (!gc)
++ return -ENODEV;
+
+ if (!raw && !bitmap_empty(array_info->invert_mask, array_size))
+ bitmap_xor(value_bitmap, value_bitmap,
+ array_info->invert_mask, array_size);
+
+- gpio_chip_set_multiple(array_info->chip, array_info->set_mask,
+- value_bitmap);
++ gpio_chip_set_multiple(gc, array_info->set_mask, value_bitmap);
+
+ i = find_first_zero_bit(array_info->set_mask, array_size);
+ if (i == array_size)
+@@ -4698,9 +4714,10 @@ struct gpio_descs *__must_check gpiod_ge
+ {
+ struct gpio_desc *desc;
+ struct gpio_descs *descs;
++ struct gpio_device *gdev;
+ struct gpio_array *array_info = NULL;
+- struct gpio_chip *gc;
+ int count, bitmap_size;
++ unsigned long dflags;
+ size_t descs_size;
+
+ count = gpiod_count(dev, con_id);
+@@ -4721,7 +4738,7 @@ struct gpio_descs *__must_check gpiod_ge
+
+ descs->desc[descs->ndescs] = desc;
+
+- gc = gpiod_to_chip(desc);
++ gdev = gpiod_to_gpio_device(desc);
+ /*
+ * If pin hardware number of array member 0 is also 0, select
+ * its chip as a candidate for fast bitmap processing path.
+@@ -4729,8 +4746,8 @@ struct gpio_descs *__must_check gpiod_ge
+ if (descs->ndescs == 0 && gpio_chip_hwgpio(desc) == 0) {
+ struct gpio_descs *array;
+
+- bitmap_size = BITS_TO_LONGS(gc->ngpio > count ?
+- gc->ngpio : count);
++ bitmap_size = BITS_TO_LONGS(gdev->ngpio > count ?
++ gdev->ngpio : count);
+
+ array = krealloc(descs, descs_size +
+ struct_size(array_info, invert_mask, 3 * bitmap_size),
+@@ -4750,7 +4767,7 @@ struct gpio_descs *__must_check gpiod_ge
+
+ array_info->desc = descs->desc;
+ array_info->size = count;
+- array_info->chip = gc;
++ array_info->gdev = gdev;
+ bitmap_set(array_info->get_mask, descs->ndescs,
+ count - descs->ndescs);
+ bitmap_set(array_info->set_mask, descs->ndescs,
+@@ -4763,7 +4780,7 @@ struct gpio_descs *__must_check gpiod_ge
+ continue;
+
+ /* Unmark array members which don't belong to the 'fast' chip */
+- if (array_info->chip != gc) {
++ if (array_info->gdev != gdev) {
+ __clear_bit(descs->ndescs, array_info->get_mask);
+ __clear_bit(descs->ndescs, array_info->set_mask);
+ }
+@@ -4786,9 +4803,10 @@ struct gpio_descs *__must_check gpiod_ge
+ array_info->set_mask);
+ }
+ } else {
++ dflags = READ_ONCE(desc->flags);
+ /* Exclude open drain or open source from fast output */
+- if (gpiochip_line_is_open_drain(gc, descs->ndescs) ||
+- gpiochip_line_is_open_source(gc, descs->ndescs))
++ if (test_bit(FLAG_OPEN_DRAIN, &dflags) ||
++ test_bit(FLAG_OPEN_SOURCE, &dflags))
+ __clear_bit(descs->ndescs,
+ array_info->set_mask);
+ /* Identify 'fast' pins which require invertion */
+@@ -4800,7 +4818,7 @@ struct gpio_descs *__must_check gpiod_ge
+ if (array_info)
+ dev_dbg(dev,
+ "GPIO array info: chip=%s, size=%d, get_mask=%lx, set_mask=%lx, invert_mask=%lx\n",
+- array_info->chip->label, array_info->size,
++ array_info->gdev->label, array_info->size,
+ *array_info->get_mask, *array_info->set_mask,
+ *array_info->invert_mask);
+ return descs;
+--- a/drivers/gpio/gpiolib.h
++++ b/drivers/gpio/gpiolib.h
+@@ -110,7 +110,7 @@ extern const char *const gpio_suffixes[]
+ *
+ * @desc: Array of pointers to the GPIO descriptors
+ * @size: Number of elements in desc
+- * @chip: Parent GPIO chip
++ * @gdev: Parent GPIO device
+ * @get_mask: Get mask used in fastpath
+ * @set_mask: Set mask used in fastpath
+ * @invert_mask: Invert mask used in fastpath
+@@ -122,7 +122,7 @@ extern const char *const gpio_suffixes[]
+ struct gpio_array {
+ struct gpio_desc **desc;
+ unsigned int size;
+- struct gpio_chip *chip;
++ struct gpio_device *gdev;
+ unsigned long *get_mask;
+ unsigned long *set_mask;
+ unsigned long invert_mask[];
--- /dev/null
+From 415cadd505464d9a11ff5e0f6e0329c127849da5 Mon Sep 17 00:00:00 2001
+From: Joshua Washington <joshwash@google.com>
+Date: Fri, 14 Feb 2025 14:43:59 -0800
+Subject: gve: set xdp redirect target only when it is available
+
+From: Joshua Washington <joshwash@google.com>
+
+commit 415cadd505464d9a11ff5e0f6e0329c127849da5 upstream.
+
+Before this patch the NETDEV_XDP_ACT_NDO_XMIT XDP feature flag is set by
+default as part of driver initialization, and is never cleared. However,
+this flag differs from others in that it is used as an indicator for
+whether the driver is ready to perform the ndo_xdp_xmit operation as
+part of an XDP_REDIRECT. Kernel helpers
+xdp_features_(set|clear)_redirect_target exist to convey this meaning.
+
+This patch ensures that the netdev is only reported as a redirect target
+when XDP queues exist to forward traffic.
+
+Fixes: 39a7f4aa3e4a ("gve: Add XDP REDIRECT support for GQI-QPL format")
+Cc: stable@vger.kernel.org
+Reviewed-by: Praveen Kaligineedi <pkaligineedi@google.com>
+Reviewed-by: Jeroen de Borst <jeroendb@google.com>
+Signed-off-by: Joshua Washington <joshwash@google.com>
+Link: https://patch.msgid.link/20250214224417.1237818-1-joshwash@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/google/gve/gve.h | 10 ++++++++++
+ drivers/net/ethernet/google/gve/gve_main.c | 6 +++++-
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/google/gve/gve.h
++++ b/drivers/net/ethernet/google/gve/gve.h
+@@ -1110,6 +1110,16 @@ static inline u32 gve_xdp_tx_start_queue
+ return gve_xdp_tx_queue_id(priv, 0);
+ }
+
++static inline bool gve_supports_xdp_xmit(struct gve_priv *priv)
++{
++ switch (priv->queue_format) {
++ case GVE_GQI_QPL_FORMAT:
++ return true;
++ default:
++ return false;
++ }
++}
++
+ /* gqi napi handler defined in gve_main.c */
+ int gve_napi_poll(struct napi_struct *napi, int budget);
+
+--- a/drivers/net/ethernet/google/gve/gve_main.c
++++ b/drivers/net/ethernet/google/gve/gve_main.c
+@@ -1895,6 +1895,8 @@ static void gve_turndown(struct gve_priv
+ /* Stop tx queues */
+ netif_tx_disable(priv->dev);
+
++ xdp_features_clear_redirect_target(priv->dev);
++
+ gve_clear_napi_enabled(priv);
+ gve_clear_report_stats(priv);
+
+@@ -1955,6 +1957,9 @@ static void gve_turnup(struct gve_priv *
+ napi_schedule(&block->napi);
+ }
+
++ if (priv->num_xdp_queues && gve_supports_xdp_xmit(priv))
++ xdp_features_set_redirect_target(priv->dev, false);
++
+ gve_set_napi_enabled(priv);
+ }
+
+@@ -2229,7 +2234,6 @@ static void gve_set_netdev_xdp_features(
+ if (priv->queue_format == GVE_GQI_QPL_FORMAT) {
+ xdp_features = NETDEV_XDP_ACT_BASIC;
+ xdp_features |= NETDEV_XDP_ACT_REDIRECT;
+- xdp_features |= NETDEV_XDP_ACT_NDO_XMIT;
+ xdp_features |= NETDEV_XDP_ACT_XSK_ZEROCOPY;
+ } else {
+ xdp_features = 0;
--- /dev/null
+From 1e988c3fe1264708f4f92109203ac5b1d65de50b Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Fri, 14 Feb 2025 22:48:15 +0000
+Subject: io_uring: prevent opcode speculation
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit 1e988c3fe1264708f4f92109203ac5b1d65de50b upstream.
+
+sqe->opcode is used for different tables, make sure we santitise it
+against speculations.
+
+Cc: stable@vger.kernel.org
+Fixes: d3656344fea03 ("io_uring: add lookup table for various opcode needs")
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Reviewed-by: Li Zetao <lizetao1@huawei.com>
+Link: https://lore.kernel.org/r/7eddbf31c8ca0a3947f8ed98271acc2b4349c016.1739568408.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/io_uring.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -2053,6 +2053,8 @@ static int io_init_req(struct io_ring_ct
+ req->opcode = 0;
+ return io_init_fail_req(req, -EINVAL);
+ }
++ opcode = array_index_nospec(opcode, IORING_OP_LAST);
++
+ def = &io_issue_defs[opcode];
+ if (unlikely(sqe_flags & ~SQE_COMMON_FLAGS)) {
+ /* enforce forwards compatibility on users */
--- /dev/null
+From 67b0025d19f99fb9fbb8b62e6975553c183f3a16 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Wed, 19 Feb 2025 01:33:37 +0000
+Subject: io_uring/rw: forbid multishot async reads
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit 67b0025d19f99fb9fbb8b62e6975553c183f3a16 upstream.
+
+At the moment we can't sanely handle queuing an async request from a
+multishot context, so disable them. It shouldn't matter as pollable
+files / socekts don't normally do async.
+
+Patching it in __io_read() is not the cleanest way, but it's simpler
+than other options, so let's fix it there and clean up on top.
+
+Cc: stable@vger.kernel.org
+Reported-by: chase xd <sl1589472800@gmail.com>
+Fixes: fc68fcda04910 ("io_uring/rw: add support for IORING_OP_READ_MULTISHOT")
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/7d51732c125159d17db4fe16f51ec41b936973f8.1739919038.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/rw.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/io_uring/rw.c
++++ b/io_uring/rw.c
+@@ -862,7 +862,15 @@ static int __io_read(struct io_kiocb *re
+ if (unlikely(ret))
+ return ret;
+
+- ret = io_iter_do_read(rw, &io->iter);
++ if (unlikely(req->opcode == IORING_OP_READ_MULTISHOT)) {
++ void *cb_copy = rw->kiocb.ki_complete;
++
++ rw->kiocb.ki_complete = NULL;
++ ret = io_iter_do_read(rw, &io->iter);
++ rw->kiocb.ki_complete = cb_copy;
++ } else {
++ ret = io_iter_do_read(rw, &io->iter);
++ }
+
+ /*
+ * Some file systems like to return -EOPNOTSUPP for an IOCB_NOWAIT
+@@ -887,7 +895,8 @@ static int __io_read(struct io_kiocb *re
+ } else if (ret == -EIOCBQUEUED) {
+ return IOU_ISSUE_SKIP_COMPLETE;
+ } else if (ret == req->cqe.res || ret <= 0 || !force_nonblock ||
+- (req->flags & REQ_F_NOWAIT) || !need_complete_io(req)) {
++ (req->flags & REQ_F_NOWAIT) || !need_complete_io(req) ||
++ (issue_flags & IO_URING_F_MULTISHOT)) {
+ /* read all, failed, already did sync or don't want to retry */
+ goto done;
+ }
--- /dev/null
+From 4cb77793842a351b39a030f77caebace3524840e Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <maz@kernel.org>
+Date: Sat, 15 Feb 2025 18:52:41 +0000
+Subject: irqchip/gic-v3: Fix rk3399 workaround when secure interrupts are enabled
+
+From: Marc Zyngier <maz@kernel.org>
+
+commit 4cb77793842a351b39a030f77caebace3524840e upstream.
+
+Christoph reports that their rk3399 system dies since commit 773c05f417fa1
+("irqchip/gic-v3: Work around insecure GIC integrations").
+
+It appears that some rk3399 have secure payloads, and that the firmware
+sets SCR_EL3.FIQ==1. Obivously, disabling security in that configuration
+leads to even more problems.
+
+Revisit the workaround by:
+
+ - making it rk3399 specific
+ - checking whether Group-0 is available, which is a good proxy
+ for SCR_EL3.FIQ being 0
+ - either apply the workaround if Group-0 is available, or disable
+ pseudo-NMIs if not
+
+Note that this doesn't mean that the secure side is able to receive
+interrupts, as all interrupts are made non-secure anyway.
+
+Clearly, nobody ever tested secure interrupts on this platform.
+
+Fixes: 773c05f417fa1 ("irqchip/gic-v3: Work around insecure GIC integrations")
+Reported-by: Christoph Fritz <chf.fritz@googlemail.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Christoph Fritz <chf.fritz@googlemail.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20250215185241.3768218-1-maz@kernel.org
+Closes: https://lore.kernel.org/r/b1266652fb64857246e8babdf268d0df8f0c36d9.camel@googlemail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-gic-v3.c | 49 ++++++++++++++++++++++++++++--------
+ 1 file changed, 38 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/irqchip/irq-gic-v3.c b/drivers/irqchip/irq-gic-v3.c
+index 76dce0aac246..270d7a4d85a6 100644
+--- a/drivers/irqchip/irq-gic-v3.c
++++ b/drivers/irqchip/irq-gic-v3.c
+@@ -44,6 +44,7 @@ static u8 dist_prio_nmi __ro_after_init = GICV3_PRIO_NMI;
+ #define FLAGS_WORKAROUND_GICR_WAKER_MSM8996 (1ULL << 0)
+ #define FLAGS_WORKAROUND_CAVIUM_ERRATUM_38539 (1ULL << 1)
+ #define FLAGS_WORKAROUND_ASR_ERRATUM_8601001 (1ULL << 2)
++#define FLAGS_WORKAROUND_INSECURE (1ULL << 3)
+
+ #define GIC_IRQ_TYPE_PARTITION (GIC_IRQ_TYPE_LPI + 1)
+
+@@ -83,6 +84,8 @@ static DEFINE_STATIC_KEY_TRUE(supports_deactivate_key);
+ #define GIC_LINE_NR min(GICD_TYPER_SPIS(gic_data.rdists.gicd_typer), 1020U)
+ #define GIC_ESPI_NR GICD_TYPER_ESPIS(gic_data.rdists.gicd_typer)
+
++static bool nmi_support_forbidden;
++
+ /*
+ * There are 16 SGIs, though we only actually use 8 in Linux. The other 8 SGIs
+ * are potentially stolen by the secure side. Some code, especially code dealing
+@@ -163,21 +166,27 @@ static void __init gic_prio_init(void)
+ {
+ bool ds;
+
++ cpus_have_group0 = gic_has_group0();
++
+ ds = gic_dist_security_disabled();
+- if (!ds) {
+- u32 val;
++ if ((gic_data.flags & FLAGS_WORKAROUND_INSECURE) && !ds) {
++ if (cpus_have_group0) {
++ u32 val;
+
+- val = readl_relaxed(gic_data.dist_base + GICD_CTLR);
+- val |= GICD_CTLR_DS;
+- writel_relaxed(val, gic_data.dist_base + GICD_CTLR);
++ val = readl_relaxed(gic_data.dist_base + GICD_CTLR);
++ val |= GICD_CTLR_DS;
++ writel_relaxed(val, gic_data.dist_base + GICD_CTLR);
+
+- ds = gic_dist_security_disabled();
+- if (ds)
+- pr_warn("Broken GIC integration, security disabled");
++ ds = gic_dist_security_disabled();
++ if (ds)
++ pr_warn("Broken GIC integration, security disabled\n");
++ } else {
++ pr_warn("Broken GIC integration, pNMI forbidden\n");
++ nmi_support_forbidden = true;
++ }
+ }
+
+ cpus_have_security_disabled = ds;
+- cpus_have_group0 = gic_has_group0();
+
+ /*
+ * How priority values are used by the GIC depends on two things:
+@@ -209,7 +218,7 @@ static void __init gic_prio_init(void)
+ * be in the non-secure range, we program the non-secure values into
+ * the distributor to match the PMR values we want.
+ */
+- if (cpus_have_group0 & !cpus_have_security_disabled) {
++ if (cpus_have_group0 && !cpus_have_security_disabled) {
+ dist_prio_irq = __gicv3_prio_to_ns(dist_prio_irq);
+ dist_prio_nmi = __gicv3_prio_to_ns(dist_prio_nmi);
+ }
+@@ -1922,6 +1931,18 @@ static bool gic_enable_quirk_arm64_2941627(void *data)
+ return true;
+ }
+
++static bool gic_enable_quirk_rk3399(void *data)
++{
++ struct gic_chip_data *d = data;
++
++ if (of_machine_is_compatible("rockchip,rk3399")) {
++ d->flags |= FLAGS_WORKAROUND_INSECURE;
++ return true;
++ }
++
++ return false;
++}
++
+ static bool rd_set_non_coherent(void *data)
+ {
+ struct gic_chip_data *d = data;
+@@ -1996,6 +2017,12 @@ static const struct gic_quirk gic_quirks[] = {
+ .property = "dma-noncoherent",
+ .init = rd_set_non_coherent,
+ },
++ {
++ .desc = "GICv3: Insecure RK3399 integration",
++ .iidr = 0x0000043b,
++ .mask = 0xff000fff,
++ .init = gic_enable_quirk_rk3399,
++ },
+ {
+ }
+ };
+@@ -2004,7 +2031,7 @@ static void gic_enable_nmi_support(void)
+ {
+ int i;
+
+- if (!gic_prio_masking_enabled())
++ if (!gic_prio_masking_enabled() || nmi_support_forbidden)
+ return;
+
+ rdist_nmi_refs = kcalloc(gic_data.ppi_nr + SGI_NR,
+--
+2.48.1
+
--- /dev/null
+From f4b78260fc678ccd7169f32dc9f3bfa3b93931c7 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Fri, 31 Jan 2025 14:13:15 +0000
+Subject: lib/iov_iter: fix import_iovec_ubuf iovec management
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit f4b78260fc678ccd7169f32dc9f3bfa3b93931c7 upstream.
+
+import_iovec() says that it should always be fine to kfree the iovec
+returned in @iovp regardless of the error code. __import_iovec_ubuf()
+never reallocates it and thus should clear the pointer even in cases when
+copy_iovec_*() fail.
+
+Link: https://lkml.kernel.org/r/378ae26923ffc20fd5e41b4360d673bf47b1775b.1738332461.git.asml.silence@gmail.com
+Fixes: 3b2deb0e46da ("iov_iter: import single vector iovecs as ITER_UBUF")
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Reviewed-by: Jens Axboe <axboe@kernel.dk>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/iov_iter.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/lib/iov_iter.c
++++ b/lib/iov_iter.c
+@@ -1428,6 +1428,8 @@ static ssize_t __import_iovec_ubuf(int t
+ struct iovec *iov = *iovp;
+ ssize_t ret;
+
++ *iovp = NULL;
++
+ if (compat)
+ ret = copy_compat_iovec_from_user(iov, uvec, 1);
+ else
+@@ -1438,7 +1440,6 @@ static ssize_t __import_iovec_ubuf(int t
+ ret = import_ubuf(type, iov->iov_base, iov->iov_len, i);
+ if (unlikely(ret))
+ return ret;
+- *iovp = NULL;
+ return i->count;
+ }
+
--- /dev/null
+From 2ede647a6fde3e54a6bfda7cf01c716649655900 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ricardo=20Ca=C3=B1uelo=20Navarro?= <rcn@igalia.com>
+Date: Mon, 3 Feb 2025 08:52:06 +0100
+Subject: mm,madvise,hugetlb: check for 0-length range after end address adjustment
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ricardo Cañuelo Navarro <rcn@igalia.com>
+
+commit 2ede647a6fde3e54a6bfda7cf01c716649655900 upstream.
+
+Add a sanity check to madvise_dontneed_free() to address a corner case in
+madvise where a race condition causes the current vma being processed to
+be backed by a different page size.
+
+During a madvise(MADV_DONTNEED) call on a memory region registered with a
+userfaultfd, there's a period of time where the process mm lock is
+temporarily released in order to send a UFFD_EVENT_REMOVE and let
+userspace handle the event. During this time, the vma covering the
+current address range may change due to an explicit mmap done concurrently
+by another thread.
+
+If, after that change, the memory region, which was originally backed by
+4KB pages, is now backed by hugepages, the end address is rounded down to
+a hugepage boundary to avoid data loss (see "Fixes" below). This rounding
+may cause the end address to be truncated to the same address as the
+start.
+
+Make this corner case follow the same semantics as in other similar cases
+where the requested region has zero length (ie. return 0).
+
+This will make madvise_walk_vmas() continue to the next vma in the range
+(this time holding the process mm lock) which, due to the prev pointer
+becoming stale because of the vma change, will be the same hugepage-backed
+vma that was just checked before. The next time madvise_dontneed_free()
+runs for this vma, if the start address isn't aligned to a hugepage
+boundary, it'll return -EINVAL, which is also in line with the madvise
+api.
+
+From userspace perspective, madvise() will return EINVAL because the start
+address isn't aligned according to the new vma alignment requirements
+(hugepage), even though it was correctly page-aligned when the call was
+issued.
+
+Link: https://lkml.kernel.org/r/20250203075206.1452208-1-rcn@igalia.com
+Fixes: 8ebe0a5eaaeb ("mm,madvise,hugetlb: fix unexpected data loss with MADV_DONTNEED on hugetlbfs")
+Signed-off-by: Ricardo Cañuelo Navarro <rcn@igalia.com>
+Reviewed-by: Oscar Salvador <osalvador@suse.de>
+Cc: Florent Revest <revest@google.com>
+Cc: Rik van Riel <riel@surriel.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/madvise.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/mm/madvise.c
++++ b/mm/madvise.c
+@@ -920,7 +920,16 @@ static long madvise_dontneed_free(struct
+ */
+ end = vma->vm_end;
+ }
+- VM_WARN_ON(start >= end);
++ /*
++ * If the memory region between start and end was
++ * originally backed by 4kB pages and then remapped to
++ * be backed by hugepages while mmap_lock was dropped,
++ * the adjustment for hugetlb vma above may have rounded
++ * end down to the start address.
++ */
++ if (start == end)
++ return 0;
++ VM_WARN_ON(start > end);
+ }
+
+ if (behavior == MADV_DONTNEED || behavior == MADV_DONTNEED_LOCKED)
--- /dev/null
+From 41cddf83d8b00f29fd105e7a0777366edc69a5cf Mon Sep 17 00:00:00 2001
+From: David Hildenbrand <david@redhat.com>
+Date: Mon, 10 Feb 2025 17:13:17 +0100
+Subject: mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: David Hildenbrand <david@redhat.com>
+
+commit 41cddf83d8b00f29fd105e7a0777366edc69a5cf upstream.
+
+If migration succeeded, we called
+folio_migrate_flags()->mem_cgroup_migrate() to migrate the memcg from the
+old to the new folio. This will set memcg_data of the old folio to 0.
+
+Similarly, if migration failed, memcg_data of the dst folio is left unset.
+
+If we call folio_putback_lru() on such folios (memcg_data == 0), we will
+add the folio to be freed to the LRU, making memcg code unhappy. Running
+the hmm selftests:
+
+ # ./hmm-tests
+ ...
+ # RUN hmm.hmm_device_private.migrate ...
+ [ 102.078007][T14893] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x7ff27d200 pfn:0x13cc00
+ [ 102.079974][T14893] anon flags: 0x17ff00000020018(uptodate|dirty|swapbacked|node=0|zone=2|lastcpupid=0x7ff)
+ [ 102.082037][T14893] raw: 017ff00000020018 dead000000000100 dead000000000122 ffff8881353896c9
+ [ 102.083687][T14893] raw: 00000007ff27d200 0000000000000000 00000001ffffffff 0000000000000000
+ [ 102.085331][T14893] page dumped because: VM_WARN_ON_ONCE_FOLIO(!memcg && !mem_cgroup_disabled())
+ [ 102.087230][T14893] ------------[ cut here ]------------
+ [ 102.088279][T14893] WARNING: CPU: 0 PID: 14893 at ./include/linux/memcontrol.h:726 folio_lruvec_lock_irqsave+0x10e/0x170
+ [ 102.090478][T14893] Modules linked in:
+ [ 102.091244][T14893] CPU: 0 UID: 0 PID: 14893 Comm: hmm-tests Not tainted 6.13.0-09623-g6c216bc522fd #151
+ [ 102.093089][T14893] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
+ [ 102.094848][T14893] RIP: 0010:folio_lruvec_lock_irqsave+0x10e/0x170
+ [ 102.096104][T14893] Code: ...
+ [ 102.099908][T14893] RSP: 0018:ffffc900236c37b0 EFLAGS: 00010293
+ [ 102.101152][T14893] RAX: 0000000000000000 RBX: ffffea0004f30000 RCX: ffffffff8183f426
+ [ 102.102684][T14893] RDX: ffff8881063cb880 RSI: ffffffff81b8117f RDI: ffff8881063cb880
+ [ 102.104227][T14893] RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
+ [ 102.105757][T14893] R10: 0000000000000001 R11: 0000000000000002 R12: ffffc900236c37d8
+ [ 102.107296][T14893] R13: ffff888277a2bcb0 R14: 000000000000001f R15: 0000000000000000
+ [ 102.108830][T14893] FS: 00007ff27dbdd740(0000) GS:ffff888277a00000(0000) knlGS:0000000000000000
+ [ 102.110643][T14893] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [ 102.111924][T14893] CR2: 00007ff27d400000 CR3: 000000010866e000 CR4: 0000000000750ef0
+ [ 102.113478][T14893] PKRU: 55555554
+ [ 102.114172][T14893] Call Trace:
+ [ 102.114805][T14893] <TASK>
+ [ 102.115397][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170
+ [ 102.116547][T14893] ? __warn.cold+0x110/0x210
+ [ 102.117461][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170
+ [ 102.118667][T14893] ? report_bug+0x1b9/0x320
+ [ 102.119571][T14893] ? handle_bug+0x54/0x90
+ [ 102.120494][T14893] ? exc_invalid_op+0x17/0x50
+ [ 102.121433][T14893] ? asm_exc_invalid_op+0x1a/0x20
+ [ 102.122435][T14893] ? __wake_up_klogd.part.0+0x76/0xd0
+ [ 102.123506][T14893] ? dump_page+0x4f/0x60
+ [ 102.124352][T14893] ? folio_lruvec_lock_irqsave+0x10e/0x170
+ [ 102.125500][T14893] folio_batch_move_lru+0xd4/0x200
+ [ 102.126577][T14893] ? __pfx_lru_add+0x10/0x10
+ [ 102.127505][T14893] __folio_batch_add_and_move+0x391/0x720
+ [ 102.128633][T14893] ? __pfx_lru_add+0x10/0x10
+ [ 102.129550][T14893] folio_putback_lru+0x16/0x80
+ [ 102.130564][T14893] migrate_device_finalize+0x9b/0x530
+ [ 102.131640][T14893] dmirror_migrate_to_device.constprop.0+0x7c5/0xad0
+ [ 102.133047][T14893] dmirror_fops_unlocked_ioctl+0x89b/0xc80
+
+Likely, nothing else goes wrong: putting the last folio reference will
+remove the folio from the LRU again. So besides memcg complaining, adding
+the folio to be freed to the LRU is just an unnecessary step.
+
+The new flow resembles what we have in migrate_folio_move(): add the dst
+to the lru, remove migration ptes, unlock and unref dst.
+
+Link: https://lkml.kernel.org/r/20250210161317.717936-1-david@redhat.com
+Fixes: 8763cb45ab96 ("mm/migrate: new memory migration helper for use with device memory")
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Cc: Jérôme Glisse <jglisse@redhat.com>
+Cc: John Hubbard <jhubbard@nvidia.com>
+Cc: Alistair Popple <apopple@nvidia.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/migrate_device.c | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+--- a/mm/migrate_device.c
++++ b/mm/migrate_device.c
+@@ -840,20 +840,15 @@ void migrate_device_finalize(unsigned lo
+ dst = src;
+ }
+
++ if (!folio_is_zone_device(dst))
++ folio_add_lru(dst);
+ remove_migration_ptes(src, dst, 0);
+ folio_unlock(src);
+-
+- if (folio_is_zone_device(src))
+- folio_put(src);
+- else
+- folio_putback_lru(src);
++ folio_put(src);
+
+ if (dst != src) {
+ folio_unlock(dst);
+- if (folio_is_zone_device(dst))
+- folio_put(dst);
+- else
+- folio_putback_lru(dst);
++ folio_put(dst);
+ }
+ }
+ }
--- /dev/null
+From 2b9df00cded911e2ca2cfae5c45082166b24f8aa Mon Sep 17 00:00:00 2001
+From: Niravkumar L Rabara <niravkumar.l.rabara@intel.com>
+Date: Mon, 10 Feb 2025 13:35:49 +0800
+Subject: mtd: rawnand: cadence: fix error code in cadence_nand_init()
+
+From: Niravkumar L Rabara <niravkumar.l.rabara@intel.com>
+
+commit 2b9df00cded911e2ca2cfae5c45082166b24f8aa upstream.
+
+Replace dma_request_channel() with dma_request_chan_by_mask() and use
+helper functions to return proper error code instead of fixed -EBUSY.
+
+Fixes: ec4ba01e894d ("mtd: rawnand: Add new Cadence NAND driver to MTD subsystem")
+Cc: stable@vger.kernel.org
+Signed-off-by: Niravkumar L Rabara <niravkumar.l.rabara@intel.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/cadence-nand-controller.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/mtd/nand/raw/cadence-nand-controller.c
++++ b/drivers/mtd/nand/raw/cadence-nand-controller.c
+@@ -2904,11 +2904,10 @@ static int cadence_nand_init(struct cdns
+ dma_cap_set(DMA_MEMCPY, mask);
+
+ if (cdns_ctrl->caps1->has_dma) {
+- cdns_ctrl->dmac = dma_request_channel(mask, NULL, NULL);
+- if (!cdns_ctrl->dmac) {
+- dev_err(cdns_ctrl->dev,
+- "Unable to get a DMA channel\n");
+- ret = -EBUSY;
++ cdns_ctrl->dmac = dma_request_chan_by_mask(&mask);
++ if (IS_ERR(cdns_ctrl->dmac)) {
++ ret = dev_err_probe(cdns_ctrl->dev, PTR_ERR(cdns_ctrl->dmac),
++ "%d: Failed to get a DMA channel\n", ret);
+ goto disable_irq;
+ }
+ }
--- /dev/null
+From f37d135b42cb484bdecee93f56b9f483214ede78 Mon Sep 17 00:00:00 2001
+From: Niravkumar L Rabara <niravkumar.l.rabara@intel.com>
+Date: Mon, 10 Feb 2025 13:35:51 +0800
+Subject: mtd: rawnand: cadence: fix incorrect device in dma_unmap_single
+
+From: Niravkumar L Rabara <niravkumar.l.rabara@intel.com>
+
+commit f37d135b42cb484bdecee93f56b9f483214ede78 upstream.
+
+dma_map_single is using physical/bus device (DMA) but dma_unmap_single
+is using framework device(NAND controller), which is incorrect.
+Fixed dma_unmap_single to use correct physical/bus device.
+
+Fixes: ec4ba01e894d ("mtd: rawnand: Add new Cadence NAND driver to MTD subsystem")
+Cc: stable@vger.kernel.org
+Signed-off-by: Niravkumar L Rabara <niravkumar.l.rabara@intel.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/cadence-nand-controller.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/nand/raw/cadence-nand-controller.c
++++ b/drivers/mtd/nand/raw/cadence-nand-controller.c
+@@ -1863,12 +1863,12 @@ static int cadence_nand_slave_dma_transf
+ dma_async_issue_pending(cdns_ctrl->dmac);
+ wait_for_completion(&finished);
+
+- dma_unmap_single(cdns_ctrl->dev, buf_dma, len, dir);
++ dma_unmap_single(dma_dev->dev, buf_dma, len, dir);
+
+ return 0;
+
+ err_unmap:
+- dma_unmap_single(cdns_ctrl->dev, buf_dma, len, dir);
++ dma_unmap_single(dma_dev->dev, buf_dma, len, dir);
+
+ err:
+ dev_dbg(cdns_ctrl->dev, "Fall back to CPU I/O\n");
--- /dev/null
+From d76d22b5096c5b05208fd982b153b3f182350b19 Mon Sep 17 00:00:00 2001
+From: Niravkumar L Rabara <niravkumar.l.rabara@intel.com>
+Date: Mon, 10 Feb 2025 13:35:50 +0800
+Subject: mtd: rawnand: cadence: use dma_map_resource for sdma address
+
+From: Niravkumar L Rabara <niravkumar.l.rabara@intel.com>
+
+commit d76d22b5096c5b05208fd982b153b3f182350b19 upstream.
+
+Remap the slave DMA I/O resources to enhance driver portability.
+Using a physical address causes DMA translation failure when the
+ARM SMMU is enabled.
+
+Fixes: ec4ba01e894d ("mtd: rawnand: Add new Cadence NAND driver to MTD subsystem")
+Cc: stable@vger.kernel.org
+Signed-off-by: Niravkumar L Rabara <niravkumar.l.rabara@intel.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/cadence-nand-controller.c | 29 +++++++++++++++++++++----
+ 1 file changed, 25 insertions(+), 4 deletions(-)
+
+--- a/drivers/mtd/nand/raw/cadence-nand-controller.c
++++ b/drivers/mtd/nand/raw/cadence-nand-controller.c
+@@ -471,6 +471,8 @@ struct cdns_nand_ctrl {
+ struct {
+ void __iomem *virt;
+ dma_addr_t dma;
++ dma_addr_t iova_dma;
++ u32 size;
+ } io;
+
+ int irq;
+@@ -1835,11 +1837,11 @@ static int cadence_nand_slave_dma_transf
+ }
+
+ if (dir == DMA_FROM_DEVICE) {
+- src_dma = cdns_ctrl->io.dma;
++ src_dma = cdns_ctrl->io.iova_dma;
+ dst_dma = buf_dma;
+ } else {
+ src_dma = buf_dma;
+- dst_dma = cdns_ctrl->io.dma;
++ dst_dma = cdns_ctrl->io.iova_dma;
+ }
+
+ tx = dmaengine_prep_dma_memcpy(cdns_ctrl->dmac, dst_dma, src_dma, len,
+@@ -2869,6 +2871,7 @@ cadence_nand_irq_cleanup(int irqnum, str
+ static int cadence_nand_init(struct cdns_nand_ctrl *cdns_ctrl)
+ {
+ dma_cap_mask_t mask;
++ struct dma_device *dma_dev = cdns_ctrl->dmac->device;
+ int ret;
+
+ cdns_ctrl->cdma_desc = dma_alloc_coherent(cdns_ctrl->dev,
+@@ -2912,6 +2915,16 @@ static int cadence_nand_init(struct cdns
+ }
+ }
+
++ cdns_ctrl->io.iova_dma = dma_map_resource(dma_dev->dev, cdns_ctrl->io.dma,
++ cdns_ctrl->io.size,
++ DMA_BIDIRECTIONAL, 0);
++
++ ret = dma_mapping_error(dma_dev->dev, cdns_ctrl->io.iova_dma);
++ if (ret) {
++ dev_err(cdns_ctrl->dev, "Failed to map I/O resource to DMA\n");
++ goto dma_release_chnl;
++ }
++
+ nand_controller_init(&cdns_ctrl->controller);
+ INIT_LIST_HEAD(&cdns_ctrl->chips);
+
+@@ -2922,18 +2935,22 @@ static int cadence_nand_init(struct cdns
+ if (ret) {
+ dev_err(cdns_ctrl->dev, "Failed to register MTD: %d\n",
+ ret);
+- goto dma_release_chnl;
++ goto unmap_dma_resource;
+ }
+
+ kfree(cdns_ctrl->buf);
+ cdns_ctrl->buf = kzalloc(cdns_ctrl->buf_size, GFP_KERNEL);
+ if (!cdns_ctrl->buf) {
+ ret = -ENOMEM;
+- goto dma_release_chnl;
++ goto unmap_dma_resource;
+ }
+
+ return 0;
+
++unmap_dma_resource:
++ dma_unmap_resource(dma_dev->dev, cdns_ctrl->io.iova_dma,
++ cdns_ctrl->io.size, DMA_BIDIRECTIONAL, 0);
++
+ dma_release_chnl:
+ if (cdns_ctrl->dmac)
+ dma_release_channel(cdns_ctrl->dmac);
+@@ -2955,6 +2972,8 @@ free_buf_desc:
+ static void cadence_nand_remove(struct cdns_nand_ctrl *cdns_ctrl)
+ {
+ cadence_nand_chips_cleanup(cdns_ctrl);
++ dma_unmap_resource(cdns_ctrl->dmac->device->dev, cdns_ctrl->io.iova_dma,
++ cdns_ctrl->io.size, DMA_BIDIRECTIONAL, 0);
+ cadence_nand_irq_cleanup(cdns_ctrl->irq, cdns_ctrl);
+ kfree(cdns_ctrl->buf);
+ dma_free_coherent(cdns_ctrl->dev, sizeof(struct cadence_nand_cdma_desc),
+@@ -3019,7 +3038,9 @@ static int cadence_nand_dt_probe(struct
+ cdns_ctrl->io.virt = devm_platform_get_and_ioremap_resource(ofdev, 1, &res);
+ if (IS_ERR(cdns_ctrl->io.virt))
+ return PTR_ERR(cdns_ctrl->io.virt);
++
+ cdns_ctrl->io.dma = res->start;
++ cdns_ctrl->io.size = resource_size(res);
+
+ dt->clk = devm_clk_get(cdns_ctrl->dev, "nf_clk");
+ if (IS_ERR(dt->clk))
--- /dev/null
+From 539bd20352832b9244238a055eb169ccf1c41ff6 Mon Sep 17 00:00:00 2001
+From: Amit Kumar Mahapatra <amit.kumar-mahapatra@amd.com>
+Date: Thu, 13 Feb 2025 11:15:46 +0530
+Subject: mtd: spi-nor: sst: Fix SST write failure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Amit Kumar Mahapatra <amit.kumar-mahapatra@amd.com>
+
+commit 539bd20352832b9244238a055eb169ccf1c41ff6 upstream.
+
+'commit 18bcb4aa54ea ("mtd: spi-nor: sst: Factor out common write operation
+to `sst_nor_write_data()`")' introduced a bug where only one byte of data
+is written, regardless of the number of bytes passed to
+sst_nor_write_data(), causing a kernel crash during the write operation.
+Ensure the correct number of bytes are written as passed to
+sst_nor_write_data().
+
+Call trace:
+[ 57.400180] ------------[ cut here ]------------
+[ 57.404842] While writing 2 byte written 1 bytes
+[ 57.409493] WARNING: CPU: 0 PID: 737 at drivers/mtd/spi-nor/sst.c:187 sst_nor_write_data+0x6c/0x74
+[ 57.418464] Modules linked in:
+[ 57.421517] CPU: 0 UID: 0 PID: 737 Comm: mtd_debug Not tainted 6.12.0-g5ad04afd91f9 #30
+[ 57.429517] Hardware name: Xilinx Versal A2197 Processor board revA - x-prc-02 revA (DT)
+[ 57.437600] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+[ 57.444557] pc : sst_nor_write_data+0x6c/0x74
+[ 57.448911] lr : sst_nor_write_data+0x6c/0x74
+[ 57.453264] sp : ffff80008232bb40
+[ 57.456570] x29: ffff80008232bb40 x28: 0000000000010000 x27: 0000000000000001
+[ 57.463708] x26: 000000000000ffff x25: 0000000000000000 x24: 0000000000000000
+[ 57.470843] x23: 0000000000010000 x22: ffff80008232bbf0 x21: ffff000816230000
+[ 57.477978] x20: ffff0008056c0080 x19: 0000000000000002 x18: 0000000000000006
+[ 57.485112] x17: 0000000000000000 x16: 0000000000000000 x15: ffff80008232b580
+[ 57.492246] x14: 0000000000000000 x13: ffff8000816d1530 x12: 00000000000004a4
+[ 57.499380] x11: 000000000000018c x10: ffff8000816fd530 x9 : ffff8000816d1530
+[ 57.506515] x8 : 00000000fffff7ff x7 : ffff8000816fd530 x6 : 0000000000000001
+[ 57.513649] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
+[ 57.520782] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0008049b0000
+[ 57.527916] Call trace:
+[ 57.530354] sst_nor_write_data+0x6c/0x74
+[ 57.534361] sst_nor_write+0xb4/0x18c
+[ 57.538019] mtd_write_oob_std+0x7c/0x88
+[ 57.541941] mtd_write_oob+0x70/0xbc
+[ 57.545511] mtd_write+0x68/0xa8
+[ 57.548733] mtdchar_write+0x10c/0x290
+[ 57.552477] vfs_write+0xb4/0x3a8
+[ 57.555791] ksys_write+0x74/0x10c
+[ 57.559189] __arm64_sys_write+0x1c/0x28
+[ 57.563109] invoke_syscall+0x54/0x11c
+[ 57.566856] el0_svc_common.constprop.0+0xc0/0xe0
+[ 57.571557] do_el0_svc+0x1c/0x28
+[ 57.574868] el0_svc+0x30/0xcc
+[ 57.577921] el0t_64_sync_handler+0x120/0x12c
+[ 57.582276] el0t_64_sync+0x190/0x194
+[ 57.585933] ---[ end trace 0000000000000000 ]---
+
+Cc: stable@vger.kernel.org
+Fixes: 18bcb4aa54ea ("mtd: spi-nor: sst: Factor out common write operation to `sst_nor_write_data()`")
+Signed-off-by: Amit Kumar Mahapatra <amit.kumar-mahapatra@amd.com>
+Reviewed-by: Pratyush Yadav <pratyush@kernel.org>
+Reviewed-by: Tudor Ambarus <tudor.ambarus@linaro.org>
+Reviewed-by: Bence Csókás <csokas.bence@prolan.hu>
+[pratyush@kernel.org: add Cc stable tag]
+Signed-off-by: Pratyush Yadav <pratyush@kernel.org>
+Link: https://lore.kernel.org/r/20250213054546.2078121-1-amit.kumar-mahapatra@amd.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/spi-nor/sst.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/mtd/spi-nor/sst.c b/drivers/mtd/spi-nor/sst.c
+index b5ad7118c49a..175211fe6a5e 100644
+--- a/drivers/mtd/spi-nor/sst.c
++++ b/drivers/mtd/spi-nor/sst.c
+@@ -174,7 +174,7 @@ static int sst_nor_write_data(struct spi_nor *nor, loff_t to, size_t len,
+ int ret;
+
+ nor->program_opcode = op;
+- ret = spi_nor_write_data(nor, to, 1, buf);
++ ret = spi_nor_write_data(nor, to, len, buf);
+ if (ret < 0)
+ return ret;
+ WARN(ret != len, "While writing %zu byte written %i bytes\n", len, ret);
+--
+2.48.1
+
--- /dev/null
+From 878e7b11736e062514e58f3b445ff343e6705537 Mon Sep 17 00:00:00 2001
+From: Haoxiang Li <haoxiang_li2024@163.com>
+Date: Tue, 18 Feb 2025 11:04:09 +0800
+Subject: nfp: bpf: Add check for nfp_app_ctrl_msg_alloc()
+
+From: Haoxiang Li <haoxiang_li2024@163.com>
+
+commit 878e7b11736e062514e58f3b445ff343e6705537 upstream.
+
+Add check for the return value of nfp_app_ctrl_msg_alloc() in
+nfp_bpf_cmsg_alloc() to prevent null pointer dereference.
+
+Fixes: ff3d43f7568c ("nfp: bpf: implement helpers for FW map ops")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
+Link: https://patch.msgid.link/20250218030409.2425798-1-haoxiang_li2024@163.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/bpf/cmsg.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/netronome/nfp/bpf/cmsg.c
++++ b/drivers/net/ethernet/netronome/nfp/bpf/cmsg.c
+@@ -20,6 +20,8 @@ nfp_bpf_cmsg_alloc(struct nfp_app_bpf *b
+ struct sk_buff *skb;
+
+ skb = nfp_app_ctrl_msg_alloc(bpf->app, size, GFP_KERNEL);
++ if (!skb)
++ return NULL;
+ skb_put(skb, size);
+
+ return skb;
--- /dev/null
+From 782cffeec9ad96daa64ffb2d527b2a052fb02552 Mon Sep 17 00:00:00 2001
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Wed, 19 Feb 2025 06:10:05 -0800
+Subject: perf/x86/intel: Fix event constraints for LNC
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+commit 782cffeec9ad96daa64ffb2d527b2a052fb02552 upstream.
+
+According to the latest event list, update the event constraint tables
+for Lion Cove core.
+
+The general rule (the event codes < 0x90 are restricted to counters
+0-3.) has been removed. There is no restriction for most of the
+performance monitoring events.
+
+Fixes: a932aa0e868f ("perf/x86: Add Lunar Lake and Arrow Lake support")
+Reported-by: Amiri Khalil <amiri.khalil@intel.com>
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20250219141005.2446823-1-kan.liang@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/intel/core.c | 20 +++++++-------------
+ arch/x86/events/intel/ds.c | 2 +-
+ 2 files changed, 8 insertions(+), 14 deletions(-)
+
+--- a/arch/x86/events/intel/core.c
++++ b/arch/x86/events/intel/core.c
+@@ -397,34 +397,28 @@ static struct event_constraint intel_lnc
+ METRIC_EVENT_CONSTRAINT(INTEL_TD_METRIC_FETCH_LAT, 6),
+ METRIC_EVENT_CONSTRAINT(INTEL_TD_METRIC_MEM_BOUND, 7),
+
++ INTEL_EVENT_CONSTRAINT(0x20, 0xf),
++
++ INTEL_UEVENT_CONSTRAINT(0x012a, 0xf),
++ INTEL_UEVENT_CONSTRAINT(0x012b, 0xf),
+ INTEL_UEVENT_CONSTRAINT(0x0148, 0x4),
+ INTEL_UEVENT_CONSTRAINT(0x0175, 0x4),
+
+ INTEL_EVENT_CONSTRAINT(0x2e, 0x3ff),
+ INTEL_EVENT_CONSTRAINT(0x3c, 0x3ff),
+- /*
+- * Generally event codes < 0x90 are restricted to counters 0-3.
+- * The 0x2E and 0x3C are exception, which has no restriction.
+- */
+- INTEL_EVENT_CONSTRAINT_RANGE(0x01, 0x8f, 0xf),
+
+- INTEL_UEVENT_CONSTRAINT(0x01a3, 0xf),
+- INTEL_UEVENT_CONSTRAINT(0x02a3, 0xf),
+ INTEL_UEVENT_CONSTRAINT(0x08a3, 0x4),
+ INTEL_UEVENT_CONSTRAINT(0x0ca3, 0x4),
+ INTEL_UEVENT_CONSTRAINT(0x04a4, 0x1),
+ INTEL_UEVENT_CONSTRAINT(0x08a4, 0x1),
+ INTEL_UEVENT_CONSTRAINT(0x10a4, 0x1),
+ INTEL_UEVENT_CONSTRAINT(0x01b1, 0x8),
++ INTEL_UEVENT_CONSTRAINT(0x01cd, 0x3fc),
+ INTEL_UEVENT_CONSTRAINT(0x02cd, 0x3),
+- INTEL_EVENT_CONSTRAINT(0xce, 0x1),
+
+ INTEL_EVENT_CONSTRAINT_RANGE(0xd0, 0xdf, 0xf),
+- /*
+- * Generally event codes >= 0x90 are likely to have no restrictions.
+- * The exception are defined as above.
+- */
+- INTEL_EVENT_CONSTRAINT_RANGE(0x90, 0xfe, 0x3ff),
++
++ INTEL_UEVENT_CONSTRAINT(0x00e0, 0xf),
+
+ EVENT_CONSTRAINT_END
+ };
+--- a/arch/x86/events/intel/ds.c
++++ b/arch/x86/events/intel/ds.c
+@@ -1178,7 +1178,7 @@ struct event_constraint intel_lnc_pebs_e
+ INTEL_FLAGS_UEVENT_CONSTRAINT(0x100, 0x100000000ULL), /* INST_RETIRED.PREC_DIST */
+ INTEL_FLAGS_UEVENT_CONSTRAINT(0x0400, 0x800000000ULL),
+
+- INTEL_HYBRID_LDLAT_CONSTRAINT(0x1cd, 0x3ff),
++ INTEL_HYBRID_LDLAT_CONSTRAINT(0x1cd, 0x3fc),
+ INTEL_HYBRID_STLAT_CONSTRAINT(0x2cd, 0x3),
+ INTEL_FLAGS_UEVENT_CONSTRAINT_DATALA_LD(0x11d0, 0xf), /* MEM_INST_RETIRED.STLB_MISS_LOADS */
+ INTEL_FLAGS_UEVENT_CONSTRAINT_DATALA_ST(0x12d0, 0xf), /* MEM_INST_RETIRED.STLB_MISS_STORES */
--- /dev/null
+From c3a589fd9fcbf295a7402a4b188dc9277d505f4f Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <hca@linux.ibm.com>
+Date: Tue, 18 Feb 2025 12:11:34 +0100
+Subject: s390/boot: Fix ESSA detection
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+commit c3a589fd9fcbf295a7402a4b188dc9277d505f4f upstream.
+
+The cmma_test_essa() inline assembly uses tmp as input and output, however
+tmp is specified as output only, which allows the compiler to optimize the
+initialization of tmp away.
+
+Therefore the ESSA detection may or may not work depending on previous
+contents of the register that the compiler selected for tmp.
+
+Fix this by using the correct constraint modifier.
+
+Fixes: 468a3bc2b7b9 ("s390/cmma: move parsing of cmma kernel parameter to early boot code")
+Cc: stable@vger.kernel.org
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Reviewed-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/boot/startup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/boot/startup.c
++++ b/arch/s390/boot/startup.c
+@@ -75,7 +75,7 @@ static int cmma_test_essa(void)
+ : [reg1] "=&d" (reg1),
+ [reg2] "=&a" (reg2),
+ [rc] "+&d" (rc),
+- [tmp] "=&d" (tmp),
++ [tmp] "+&d" (tmp),
+ "+Q" (get_lowcore()->program_new_psw),
+ "=Q" (old)
+ : [psw_old] "a" (&old),
bpf-skip-non-exist-keys-in-generic_map_lookup_batch.patch
drm-nouveau-pmu-fix-gp10b-firmware-guard.patch
irqchip-jcore-aic-clocksource-drivers-jcore-fix-jcor.patch
+drm-panel-jd9365da-h3-fix-reset-signal-polarity.patch
+drm-msm-dpu-disable-dither-in-phys-encoder-cleanup.patch
+drm-i915-make-sure-all-planes-in-use-by-the-joiner-have-their-crtc-included.patch
+drm-i915-dp-fix-error-handling-during-128b-132b-link-training.patch
+drm-i915-ddi-fix-hdmi-port-width-programming-in-ddi_buf_ctl.patch
+drm-i915-gt-use-spin_lock_irqsave-in-interruptible-context.patch
+io_uring-rw-forbid-multishot-async-reads.patch
+io_uring-prevent-opcode-speculation.patch
+gpiolib-check-the-return-value-of-gpio_chip-get_direction.patch
+gpiolib-protect-gpio_chip-with-srcu-in-array_info-paths-in-multi-get-set.patch
+tee-optee-fix-supplicant-wait-loop.patch
+drop_monitor-fix-incorrect-initialization-order.patch
+mm-migrate_device-don-t-add-folio-to-be-freed-to-lru-in-migrate_device_finalize.patch
+arm64-dts-rockchip-fix-broken-tsadc-pinctrl-names-for-rk3588.patch
+arm64-dts-rockchip-move-uart5-pin-configuration-to-px30-ringneck-som.patch
+arm64-dts-rockchip-disable-dma-for-uart5-on-px30-ringneck.patch
+soc-loongson-loongson2_guts-add-check-for-devm_kstrdup.patch
+s390-boot-fix-essa-detection.patch
+xfs-fix-online-repair-probing-when-config_xfs_online_repair-n.patch
+lib-iov_iter-fix-import_iovec_ubuf-iovec-management.patch
+smb-client-fix-chmod-2-regression-with-attr_readonly.patch
+nfp-bpf-add-check-for-nfp_app_ctrl_msg_alloc.patch
+gve-set-xdp-redirect-target-only-when-it-is-available.patch
+asoc-sof-stream-ipc-check-for-cstream-nullity-in-sof_ipc_msg_data.patch
+asoc-fsl_micfil-enable-default-case-in-micfil_set_quality.patch
+alsa-hda-add-error-check-for-snd_ctl_rename_id-in-snd_hda_create_dig_out_ctls.patch
+alsa-hda-conexant-add-quirk-for-hp-probook-450-g4-mute-led.patch
+asoc-sof-pcm-clear-the-susbstream-pointer-to-null-on-close.patch
+acct-perform-last-write-from-workqueue.patch
+acct-block-access-to-kernel-internal-filesystems.patch
+mm-madvise-hugetlb-check-for-0-length-range-after-end-address-adjustment.patch
+mtd-spi-nor-sst-fix-sst-write-failure.patch
+mtd-rawnand-cadence-fix-error-code-in-cadence_nand_init.patch
+mtd-rawnand-cadence-use-dma_map_resource-for-sdma-address.patch
+mtd-rawnand-cadence-fix-incorrect-device-in-dma_unmap_single.patch
+perf-x86-intel-fix-event-constraints-for-lnc.patch
+irqchip-gic-v3-fix-rk3399-workaround-when-secure-interrupts-are-enabled.patch
+smb-client-add-check-for-next_buffer-in-receive_encrypted_standard.patch
+edac-qcom-correct-interrupt-enable-register-configuration.patch
+ftrace-correct-preemption-accounting-for-function-tracing.patch
+ftrace-fix-accounting-of-adding-subops-to-a-manager-ops.patch
+ftrace-do-not-add-duplicate-entries-in-subops-manager-ops.patch
--- /dev/null
+From 860ca5e50f73c2a1cef7eefc9d39d04e275417f7 Mon Sep 17 00:00:00 2001
+From: Haoxiang Li <haoxiang_li2024@163.com>
+Date: Mon, 17 Feb 2025 15:20:38 +0800
+Subject: smb: client: Add check for next_buffer in receive_encrypted_standard()
+
+From: Haoxiang Li <haoxiang_li2024@163.com>
+
+commit 860ca5e50f73c2a1cef7eefc9d39d04e275417f7 upstream.
+
+Add check for the return value of cifs_buf_get() and cifs_small_buf_get()
+in receive_encrypted_standard() to prevent null pointer dereference.
+
+Fixes: eec04ea11969 ("smb: client: fix OOB in receive_encrypted_standard()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/smb2ops.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/smb/client/smb2ops.c
++++ b/fs/smb/client/smb2ops.c
+@@ -4991,6 +4991,10 @@ one_more:
+ next_buffer = (char *)cifs_buf_get();
+ else
+ next_buffer = (char *)cifs_small_buf_get();
++ if (!next_buffer) {
++ cifs_server_dbg(VFS, "No memory for (large) SMB response\n");
++ return -1;
++ }
+ memcpy(next_buffer, buf + next_cmd, pdu_length - next_cmd);
+ }
+
--- /dev/null
+From 654292a0b264e9b8c51b98394146218a21612aa1 Mon Sep 17 00:00:00 2001
+From: Paulo Alcantara <pc@manguebit.com>
+Date: Sun, 16 Feb 2025 18:02:47 -0300
+Subject: smb: client: fix chmod(2) regression with ATTR_READONLY
+
+From: Paulo Alcantara <pc@manguebit.com>
+
+commit 654292a0b264e9b8c51b98394146218a21612aa1 upstream.
+
+When the user sets a file or directory as read-only (e.g. ~S_IWUGO),
+the client will set the ATTR_READONLY attribute by sending an
+SMB2_SET_INFO request to the server in cifs_setattr_{,nounix}(), but
+cifsInodeInfo::cifsAttrs will be left unchanged as the client will
+only update the new file attributes in the next call to
+{smb311_posix,cifs}_get_inode_info() with the new metadata filled in
+@data parameter.
+
+Commit a18280e7fdea ("smb: cilent: set reparse mount points as
+automounts") mistakenly removed the @data NULL check when calling
+is_inode_cache_good(), which broke the above case as the new
+ATTR_READONLY attribute would end up not being updated on files with a
+read lease.
+
+Fix this by updating the inode whenever we have cached metadata in
+@data parameter.
+
+Reported-by: Horst Reiterer <horst.reiterer@fabasoft.com>
+Closes: https://lore.kernel.org/r/85a16504e09147a195ac0aac1c801280@fabasoft.com
+Fixes: a18280e7fdea ("smb: cilent: set reparse mount points as automounts")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/inode.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/smb/client/inode.c
++++ b/fs/smb/client/inode.c
+@@ -1381,7 +1381,7 @@ int cifs_get_inode_info(struct inode **i
+ struct cifs_fattr fattr = {};
+ int rc;
+
+- if (is_inode_cache_good(*inode)) {
++ if (!data && is_inode_cache_good(*inode)) {
+ cifs_dbg(FYI, "No need to revalidate cached inode sizes\n");
+ return 0;
+ }
+@@ -1480,7 +1480,7 @@ int smb311_posix_get_inode_info(struct i
+ struct cifs_fattr fattr = {};
+ int rc;
+
+- if (is_inode_cache_good(*inode)) {
++ if (!data && is_inode_cache_good(*inode)) {
+ cifs_dbg(FYI, "No need to revalidate cached inode sizes\n");
+ return 0;
+ }
--- /dev/null
+From e31e3f6c0ce473f7ce1e70d54ac8e3ed190509f8 Mon Sep 17 00:00:00 2001
+From: Haoxiang Li <haoxiang_li2024@163.com>
+Date: Thu, 20 Feb 2025 16:17:14 +0800
+Subject: soc: loongson: loongson2_guts: Add check for devm_kstrdup()
+
+From: Haoxiang Li <haoxiang_li2024@163.com>
+
+commit e31e3f6c0ce473f7ce1e70d54ac8e3ed190509f8 upstream.
+
+Add check for the return value of devm_kstrdup() in
+loongson2_guts_probe() to catch potential exception.
+
+Fixes: b82621ac8450 ("soc: loongson: add GUTS driver for loongson-2 platforms")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
+Link: https://lore.kernel.org/r/20250220081714.2676828-1-haoxiang_li2024@163.com
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/loongson/loongson2_guts.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/soc/loongson/loongson2_guts.c
++++ b/drivers/soc/loongson/loongson2_guts.c
+@@ -114,8 +114,11 @@ static int loongson2_guts_probe(struct p
+ if (of_property_read_string(root, "model", &machine))
+ of_property_read_string_index(root, "compatible", 0, &machine);
+ of_node_put(root);
+- if (machine)
++ if (machine) {
+ soc_dev_attr.machine = devm_kstrdup(dev, machine, GFP_KERNEL);
++ if (!soc_dev_attr.machine)
++ return -ENOMEM;
++ }
+
+ svr = loongson2_guts_get_svr();
+ soc_die = loongson2_soc_die_match(svr, loongson2_soc_die);
--- /dev/null
+From 70b0d6b0a199c5a3ee6c72f5e61681ed6f759612 Mon Sep 17 00:00:00 2001
+From: Sumit Garg <sumit.garg@linaro.org>
+Date: Tue, 4 Feb 2025 13:04:18 +0530
+Subject: tee: optee: Fix supplicant wait loop
+
+From: Sumit Garg <sumit.garg@linaro.org>
+
+commit 70b0d6b0a199c5a3ee6c72f5e61681ed6f759612 upstream.
+
+OP-TEE supplicant is a user-space daemon and it's possible for it
+be hung or crashed or killed in the middle of processing an OP-TEE
+RPC call. It becomes more complicated when there is incorrect shutdown
+ordering of the supplicant process vs the OP-TEE client application which
+can eventually lead to system hang-up waiting for the closure of the
+client application.
+
+Allow the client process waiting in kernel for supplicant response to
+be killed rather than indefinitely waiting in an unkillable state. Also,
+a normal uninterruptible wait should not have resulted in the hung-task
+watchdog getting triggered, but the endless loop would.
+
+This fixes issues observed during system reboot/shutdown when supplicant
+got hung for some reason or gets crashed/killed which lead to client
+getting hung in an unkillable state. It in turn lead to system being in
+hung up state requiring hard power off/on to recover.
+
+Fixes: 4fb0a5eb364d ("tee: add OP-TEE driver")
+Suggested-by: Arnd Bergmann <arnd@arndb.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tee/optee/supp.c | 35 ++++++++---------------------------
+ 1 file changed, 8 insertions(+), 27 deletions(-)
+
+--- a/drivers/tee/optee/supp.c
++++ b/drivers/tee/optee/supp.c
+@@ -80,7 +80,6 @@ u32 optee_supp_thrd_req(struct tee_conte
+ struct optee *optee = tee_get_drvdata(ctx->teedev);
+ struct optee_supp *supp = &optee->supp;
+ struct optee_supp_req *req;
+- bool interruptable;
+ u32 ret;
+
+ /*
+@@ -111,36 +110,18 @@ u32 optee_supp_thrd_req(struct tee_conte
+ /*
+ * Wait for supplicant to process and return result, once we've
+ * returned from wait_for_completion(&req->c) successfully we have
+- * exclusive access again.
++ * exclusive access again. Allow the wait to be killable such that
++ * the wait doesn't turn into an indefinite state if the supplicant
++ * gets hung for some reason.
+ */
+- while (wait_for_completion_interruptible(&req->c)) {
++ if (wait_for_completion_killable(&req->c)) {
+ mutex_lock(&supp->mutex);
+- interruptable = !supp->ctx;
+- if (interruptable) {
+- /*
+- * There's no supplicant available and since the
+- * supp->mutex currently is held none can
+- * become available until the mutex released
+- * again.
+- *
+- * Interrupting an RPC to supplicant is only
+- * allowed as a way of slightly improving the user
+- * experience in case the supplicant hasn't been
+- * started yet. During normal operation the supplicant
+- * will serve all requests in a timely manner and
+- * interrupting then wouldn't make sense.
+- */
+- if (req->in_queue) {
+- list_del(&req->link);
+- req->in_queue = false;
+- }
++ if (req->in_queue) {
++ list_del(&req->link);
++ req->in_queue = false;
+ }
+ mutex_unlock(&supp->mutex);
+-
+- if (interruptable) {
+- req->ret = TEEC_ERROR_COMMUNICATION;
+- break;
+- }
++ req->ret = TEEC_ERROR_COMMUNICATION;
+ }
+
+ ret = req->ret;
--- /dev/null
+From 66314e9a57a050f95cb0ebac904f5ab047a8926e Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <djwong@kernel.org>
+Date: Sun, 2 Feb 2025 16:50:14 -0800
+Subject: xfs: fix online repair probing when CONFIG_XFS_ONLINE_REPAIR=n
+
+From: Darrick J. Wong <djwong@kernel.org>
+
+commit 66314e9a57a050f95cb0ebac904f5ab047a8926e upstream.
+
+I received a report from the release engineering side of the house that
+xfs_scrub without the -n flag (aka fix it mode) would try to fix a
+broken filesystem even on a kernel that doesn't have online repair built
+into it:
+
+ # xfs_scrub -dTvn /mnt/test
+ EXPERIMENTAL xfs_scrub program in use! Use at your own risk!
+ Phase 1: Find filesystem geometry.
+ /mnt/test: using 1 threads to scrub.
+ Phase 1: Memory used: 132k/0k (108k/25k), time: 0.00/ 0.00/ 0.00s
+ <snip>
+ Phase 4: Repair filesystem.
+ <snip>
+ Info: /mnt/test/some/victimdir directory entries: Attempting repair. (repair.c line 351)
+ Corruption: /mnt/test/some/victimdir directory entries: Repair unsuccessful; offline repair required. (repair.c line 204)
+
+Source: https://blogs.oracle.com/linux/post/xfs-online-filesystem-repair
+
+It is strange that xfs_scrub doesn't refuse to run, because the kernel
+is supposed to return EOPNOTSUPP if we actually needed to run a repair,
+and xfs_io's repair subcommand will perror that. And yet:
+
+ # xfs_io -x -c 'repair probe' /mnt/test
+ #
+
+The first problem is commit dcb660f9222fd9 (4.15) which should have had
+xchk_probe set the CORRUPT OFLAG so that any of the repair machinery
+will get called at all.
+
+It turns out that some refactoring that happened in the 6.6-6.8 era
+broke the operation of this corner case. What we *really* want to
+happen is that all the predicates that would steer xfs_scrub_metadata()
+towards calling xrep_attempt() should function the same way that they do
+when repair is compiled in; and then xrep_attempt gets to return the
+fatal EOPNOTSUPP error code that causes the probe to fail.
+
+Instead, commit 8336a64eb75cba (6.6) started the failwhale swimming by
+hoisting OFLAG checking logic into a helper whose non-repair stub always
+returns false, causing scrub to return "repair not needed" when in fact
+the repair is not supported. Prior to that commit, the oflag checking
+that was open-coded in scrub.c worked correctly.
+
+Similarly, in commit 4bdfd7d15747b1 (6.8) we hoisted the IFLAG_REPAIR
+and ALREADY_FIXED logic into a helper whose non-repair stub always
+returns false, so we never enter the if test body that would have called
+xrep_attempt, let alone fail to decode the OFLAGs correctly.
+
+The final insult (yes, we're doing The Naked Gun now) is commit
+48a72f60861f79 (6.8) in which we hoisted the "are we going to try a
+repair?" predicate into yet another function with a non-repair stub
+always returns false.
+
+Fix xchk_probe to trigger xrep_probe if repair is enabled, or return
+EOPNOTSUPP directly if it is not. For all the other scrub types, we
+need to fix the header predicates so that the ->repair functions (which
+are all xrep_notsupported) get called to return EOPNOTSUPP. Commit
+48a72 is tagged here because the scrub code prior to LTS 6.12 are
+incomplete and not worth patching.
+
+Reported-by: David Flynn <david.flynn@oracle.com>
+Cc: <stable@vger.kernel.org> # v6.8
+Fixes: 8336a64eb75c ("xfs: don't complain about unfixed metadata when repairs were injected")
+Signed-off-by: "Darrick J. Wong" <djwong@kernel.org>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Carlos Maiolino <cem@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/xfs/scrub/common.h | 5 -----
+ fs/xfs/scrub/repair.h | 11 ++++++++++-
+ fs/xfs/scrub/scrub.c | 12 ++++++++++++
+ 3 files changed, 22 insertions(+), 6 deletions(-)
+
+--- a/fs/xfs/scrub/common.h
++++ b/fs/xfs/scrub/common.h
+@@ -179,7 +179,6 @@ static inline bool xchk_skip_xref(struct
+ bool xchk_dir_looks_zapped(struct xfs_inode *dp);
+ bool xchk_pptr_looks_zapped(struct xfs_inode *ip);
+
+-#ifdef CONFIG_XFS_ONLINE_REPAIR
+ /* Decide if a repair is required. */
+ static inline bool xchk_needs_repair(const struct xfs_scrub_metadata *sm)
+ {
+@@ -199,10 +198,6 @@ static inline bool xchk_could_repair(con
+ return (sc->sm->sm_flags & XFS_SCRUB_IFLAG_REPAIR) &&
+ !(sc->flags & XREP_ALREADY_FIXED);
+ }
+-#else
+-# define xchk_needs_repair(sc) (false)
+-# define xchk_could_repair(sc) (false)
+-#endif /* CONFIG_XFS_ONLINE_REPAIR */
+
+ int xchk_metadata_inode_forks(struct xfs_scrub *sc);
+
+--- a/fs/xfs/scrub/repair.h
++++ b/fs/xfs/scrub/repair.h
+@@ -163,7 +163,16 @@ bool xrep_buf_verify_struct(struct xfs_b
+ #else
+
+ #define xrep_ino_dqattach(sc) (0)
+-#define xrep_will_attempt(sc) (false)
++
++/*
++ * When online repair is not built into the kernel, we still want to attempt
++ * the repair so that the stub xrep_attempt below will return EOPNOTSUPP.
++ */
++static inline bool xrep_will_attempt(const struct xfs_scrub *sc)
++{
++ return (sc->sm->sm_flags & XFS_SCRUB_IFLAG_FORCE_REBUILD) ||
++ xchk_needs_repair(sc->sm);
++}
+
+ static inline int
+ xrep_attempt(
+--- a/fs/xfs/scrub/scrub.c
++++ b/fs/xfs/scrub/scrub.c
+@@ -149,6 +149,18 @@ xchk_probe(
+ if (xchk_should_terminate(sc, &error))
+ return error;
+
++ /*
++ * If the caller is probing to see if repair works but repair isn't
++ * built into the kernel, return EOPNOTSUPP because that's the signal
++ * that userspace expects. If online repair is built in, set the
++ * CORRUPT flag (without any of the usual tracing/logging) to force us
++ * into xrep_probe.
++ */
++ if (xchk_could_repair(sc)) {
++ if (!IS_ENABLED(CONFIG_XFS_ONLINE_REPAIR))
++ return -EOPNOTSUPP;
++ sc->sm->sm_flags |= XFS_SCRUB_OFLAG_CORRUPT;
++ }
+ return 0;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
