--- /dev/null
+From db91586b1e8f36122a9e5b8fbced11741488dd22 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <dlemoal@kernel.org>
+Date: Fri, 18 Apr 2025 15:40:14 +0900
+Subject: ata: libata-scsi: Fix ata_mselect_control_ata_feature() return type
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+commit db91586b1e8f36122a9e5b8fbced11741488dd22 upstream.
+
+The function ata_mselect_control_ata_feature() has a return type defined
+as unsigned int but this function may return negative error codes, which
+are correctly propagated up the call chain as integers.
+
+Fix ata_mselect_control_ata_feature() to have the correct int return
+type.
+
+While at it, also fix a typo in this function description comment.
+
+Fixes: df60f9c64576 ("scsi: ata: libata: Add ATA feature control sub-page translation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Niklas Cassel <cassel@kernel.org>
+Reviewed-by: Igor Pylypiv <ipylypiv@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-scsi.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -3764,12 +3764,11 @@ static int ata_mselect_control_spg0(stru
+ }
+
+ /*
+- * Translate MODE SELECT control mode page, sub-pages f2h (ATA feature mode
++ * Translate MODE SELECT control mode page, sub-page f2h (ATA feature mode
+ * page) into a SET FEATURES command.
+ */
+-static unsigned int ata_mselect_control_ata_feature(struct ata_queued_cmd *qc,
+- const u8 *buf, int len,
+- u16 *fp)
++static int ata_mselect_control_ata_feature(struct ata_queued_cmd *qc,
++ const u8 *buf, int len, u16 *fp)
+ {
+ struct ata_device *dev = qc->dev;
+ struct ata_taskfile *tf = &qc->tf;
--- /dev/null
+From 88474ad734fb2000805c63e01cc53ea930adf2c7 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <dlemoal@kernel.org>
+Date: Sun, 13 Apr 2025 14:45:30 +0900
+Subject: ata: libata-scsi: Fix ata_msense_control_ata_feature()
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+commit 88474ad734fb2000805c63e01cc53ea930adf2c7 upstream.
+
+For the ATA features subpage of the control mode page, the T10 SAT-6
+specifications state that:
+
+For a MODE SENSE command, the SATL shall return the CDL_CTRL field value
+that was last set by an application client.
+
+However, the function ata_msense_control_ata_feature() always sets the
+CDL_CTRL field to the 0x02 value to indicate support for the CDL T2A and
+T2B pages. This is thus incorrect and the value 0x02 must be reported
+only after the user enables the CDL feature, which is indicated with the
+ATA_DFLAG_CDL_ENABLED device flag. When this flag is not set, the
+CDL_CTRL field of the ATA feature subpage of the control mode page must
+report a value of 0x00.
+
+Fix ata_msense_control_ata_feature() to report the correct values for
+the CDL_CTRL field, according to the enable/disable state of the device
+CDL feature.
+
+Fixes: df60f9c64576 ("scsi: ata: libata: Add ATA feature control sub-page translation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Niklas Cassel <cassel@kernel.org>
+Reviewed-by: Igor Pylypiv <ipylypiv@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-scsi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -2354,8 +2354,8 @@ static unsigned int ata_msense_control_a
+ */
+ put_unaligned_be16(ATA_FEATURE_SUB_MPAGE_LEN - 4, &buf[2]);
+
+- if (dev->flags & ATA_DFLAG_CDL)
+- buf[4] = 0x02; /* Support T2A and T2B pages */
++ if (dev->flags & ATA_DFLAG_CDL_ENABLED)
++ buf[4] = 0x02; /* T2A and T2B pages enabled */
+ else
+ buf[4] = 0;
+
--- /dev/null
+From 17e897a456752ec9c2d7afb3d9baf268b442451b Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <dlemoal@kernel.org>
+Date: Mon, 14 Apr 2025 10:25:05 +0900
+Subject: ata: libata-scsi: Improve CDL control
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+commit 17e897a456752ec9c2d7afb3d9baf268b442451b upstream.
+
+With ATA devices supporting the CDL feature, using CDL requires that the
+feature be enabled with a SET FEATURES command. This command is issued
+as the translated command for the MODE SELECT command issued by
+scsi_cdl_enable() when the user enables CDL through the device
+cdl_enable sysfs attribute.
+
+Currently, ata_mselect_control_ata_feature() always translates a MODE
+SELECT command for the ATA features subpage of the control mode page to
+a SET FEATURES command to enable or disable CDL based on the cdl_ctrl
+field. However, there is no need to issue the SET FEATURES command if:
+1) The MODE SELECT command requests disabling CDL and CDL is already
+ disabled.
+2) The MODE SELECT command requests enabling CDL and CDL is already
+ enabled.
+
+Fix ata_mselect_control_ata_feature() to issue the SET FEATURES command
+only when necessary. Since enabling CDL also implies a reset of the CDL
+statistics log page, avoiding useless CDL enable operations also avoids
+clearing the CDL statistics log.
+
+Also add debug messages to clearly signal when CDL is being enabled or
+disabled using a SET FEATURES command.
+
+Fixes: df60f9c64576 ("scsi: ata: libata: Add ATA feature control sub-page translation")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Niklas Cassel <cassel@kernel.org>
+Reviewed-by: Igor Pylypiv <ipylypiv@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-scsi.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/ata/libata-scsi.c
++++ b/drivers/ata/libata-scsi.c
+@@ -3787,17 +3787,27 @@ static unsigned int ata_mselect_control_
+ /* Check cdl_ctrl */
+ switch (buf[0] & 0x03) {
+ case 0:
+- /* Disable CDL */
++ /* Disable CDL if it is enabled */
++ if (!(dev->flags & ATA_DFLAG_CDL_ENABLED))
++ return 0;
++ ata_dev_dbg(dev, "Disabling CDL\n");
+ cdl_action = 0;
+ dev->flags &= ~ATA_DFLAG_CDL_ENABLED;
+ break;
+ case 0x02:
+- /* Enable CDL T2A/T2B: NCQ priority must be disabled */
++ /*
++ * Enable CDL if not already enabled. Since this is mutually
++ * exclusive with NCQ priority, allow this only if NCQ priority
++ * is disabled.
++ */
++ if (dev->flags & ATA_DFLAG_CDL_ENABLED)
++ return 0;
+ if (dev->flags & ATA_DFLAG_NCQ_PRIO_ENABLED) {
+ ata_dev_err(dev,
+ "NCQ priority must be disabled to enable CDL\n");
+ return -EINVAL;
+ }
++ ata_dev_dbg(dev, "Enabling CDL\n");
+ cdl_action = 1;
+ dev->flags |= ATA_DFLAG_CDL_ENABLED;
+ break;
--- /dev/null
+From 8006aff15516a170640239c5a8e6696c0ba18d8e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Beh=C3=BAn?= <kabel@kernel.org>
+Date: Tue, 22 Apr 2025 11:57:18 +0200
+Subject: crypto: atmel-sha204a - Set hwrng quality to lowest possible
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek BehĂșn <kabel@kernel.org>
+
+commit 8006aff15516a170640239c5a8e6696c0ba18d8e upstream.
+
+According to the review by Bill Cox [1], the Atmel SHA204A random number
+generator produces random numbers with very low entropy.
+
+Set the lowest possible entropy for this chip just to be safe.
+
+[1] https://www.metzdowd.com/pipermail/cryptography/2014-December/023858.html
+
+Fixes: da001fb651b00e1d ("crypto: atmel-i2c - add support for SHA204A random number generator")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Marek BehĂșn <kabel@kernel.org>
+Acked-by: Ard Biesheuvel <ardb@kernel.org>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/atmel-sha204a.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/crypto/atmel-sha204a.c
++++ b/drivers/crypto/atmel-sha204a.c
+@@ -107,6 +107,12 @@ static int atmel_sha204a_probe(struct i2
+ i2c_priv->hwrng.name = dev_name(&client->dev);
+ i2c_priv->hwrng.read = atmel_sha204a_rng_read;
+
++ /*
++ * According to review by Bill Cox [1], this HWRNG has very low entropy.
++ * [1] https://www.metzdowd.com/pipermail/cryptography/2014-December/023858.html
++ */
++ i2c_priv->hwrng.quality = 1;
++
+ ret = devm_hwrng_register(&client->dev, &i2c_priv->hwrng);
+ if (ret)
+ dev_warn(&client->dev, "failed to register RNG (%d)\n", ret);
--- /dev/null
+From 078d3ee7c162cd66d76171579c02d7890bd77daf Mon Sep 17 00:00:00 2001
+From: Smita Koralahalli <Smita.KoralahalliChannabasappa@amd.com>
+Date: Mon, 7 Apr 2025 19:27:34 +0000
+Subject: cxl/core/regs.c: Skip Memory Space Enable check for RCD and RCH Ports
+
+From: Smita Koralahalli <Smita.KoralahalliChannabasappa@amd.com>
+
+commit 078d3ee7c162cd66d76171579c02d7890bd77daf upstream.
+
+According to CXL r3.2 section 8.2.1.2, the PCI_COMMAND register fields,
+including Memory Space Enable bit, have no effect on the behavior of an
+RCD Upstream Port. Retaining this check may incorrectly cause
+cxl_pci_probe() to fail on a valid RCD upstream Port.
+
+While the specification is explicit only for RCD Upstream Ports, this
+check is solely for accessing the RCRB, which is always mapped through
+memory space. Therefore, its safe to remove the check entirely. In
+practice, firmware reliably enables the Memory Space Enable bit for
+RCH Downstream Ports and no failures have been observed.
+
+Removing the check simplifies the code and avoids unnecessary
+special-casing, while relying on BIOS/firmware to configure devices
+correctly. Moreover, any failures due to inaccessible RCRB regions
+will still be caught either in __rcrb_to_component() or while
+parsing the component register block.
+
+The following failure was observed in dmesg when the check was present:
+ cxl_pci 0000:7f:00.0: No component registers (-6)
+
+Fixes: d5b1a27143cb ("cxl/acpi: Extract component registers of restricted hosts from RCRB")
+Signed-off-by: Smita Koralahalli <Smita.KoralahalliChannabasappa@amd.com>
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Ira Weiny <ira.weiny@intel.com>
+Reviewed-by: Terry Bowman <terry.bowman@amd.com>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Reviewed-by: Robert Richter <rrichter@amd.com>
+Link: https://patch.msgid.link/20250407192734.70631-1-Smita.KoralahalliChannabasappa@amd.com
+Signed-off-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/cxl/core/regs.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/cxl/core/regs.c
++++ b/drivers/cxl/core/regs.c
+@@ -478,7 +478,6 @@ resource_size_t __rcrb_to_component(stru
+ resource_size_t rcrb = ri->base;
+ void __iomem *addr;
+ u32 bar0, bar1;
+- u16 cmd;
+ u32 id;
+
+ if (which == CXL_RCRB_UPSTREAM)
+@@ -500,7 +499,6 @@ resource_size_t __rcrb_to_component(stru
+ }
+
+ id = readl(addr + PCI_VENDOR_ID);
+- cmd = readw(addr + PCI_COMMAND);
+ bar0 = readl(addr + PCI_BASE_ADDRESS_0);
+ bar1 = readl(addr + PCI_BASE_ADDRESS_1);
+ iounmap(addr);
+@@ -515,8 +513,6 @@ resource_size_t __rcrb_to_component(stru
+ dev_err(dev, "Failed to access Downstream Port RCRB\n");
+ return CXL_RESOURCE_NONE;
+ }
+- if (!(cmd & PCI_COMMAND_MEMORY))
+- return CXL_RESOURCE_NONE;
+ /* The RCRB is a Memory Window, and the MEM_TYPE_1M bit is obsolete */
+ if (bar0 & (PCI_BASE_ADDRESS_MEM_TYPE_1M | PCI_BASE_ADDRESS_SPACE_IO))
+ return CXL_RESOURCE_NONE;
--- /dev/null
+From 7eb287beeb60be1e4437be2b4e4e9f0da89aab97 Mon Sep 17 00:00:00 2001
+From: Roman Li <Roman.Li@amd.com>
+Date: Tue, 1 Apr 2025 17:05:10 -0400
+Subject: drm/amd/display: Fix gpu reset in multidisplay config
+
+From: Roman Li <Roman.Li@amd.com>
+
+commit 7eb287beeb60be1e4437be2b4e4e9f0da89aab97 upstream.
+
+[Why]
+The indexing of stream_status in dm_gpureset_commit_state() is incorrect.
+That leads to asserts in multi-display configuration after gpu reset.
+
+[How]
+Adjust the indexing logic to align stream_status with surface_updates.
+
+Fixes: cdaae8371aa9 ("drm/amd/display: Handle GPU reset for DC block")
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3808
+Reviewed-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Roman Li <Roman.Li@amd.com>
+Signed-off-by: Zaeem Mohamed <zaeem.mohamed@amd.com>
+Tested-by: Mark Broadworth <mark.broadworth@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit d91bc901398741d317d9b55c59ca949d4bc7394b)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -2789,16 +2789,16 @@ static void dm_gpureset_commit_state(str
+ for (k = 0; k < dc_state->stream_count; k++) {
+ bundle->stream_update.stream = dc_state->streams[k];
+
+- for (m = 0; m < dc_state->stream_status->plane_count; m++) {
++ for (m = 0; m < dc_state->stream_status[k].plane_count; m++) {
+ bundle->surface_updates[m].surface =
+- dc_state->stream_status->plane_states[m];
++ dc_state->stream_status[k].plane_states[m];
+ bundle->surface_updates[m].surface->force_full_update =
+ true;
+ }
+
+ update_planes_and_stream_adapter(dm->dc,
+ UPDATE_TYPE_FULL,
+- dc_state->stream_status->plane_count,
++ dc_state->stream_status[k].plane_count,
+ dc_state->streams[k],
+ &bundle->stream_update,
+ bundle->surface_updates);
--- /dev/null
+From 67fe574651c73fe5cc176e35f28f2ec1ba498d14 Mon Sep 17 00:00:00 2001
+From: Roman Li <Roman.Li@amd.com>
+Date: Wed, 26 Mar 2025 10:33:51 -0400
+Subject: drm/amd/display: Force full update in gpu reset
+
+From: Roman Li <Roman.Li@amd.com>
+
+commit 67fe574651c73fe5cc176e35f28f2ec1ba498d14 upstream.
+
+[Why]
+While system undergoing gpu reset always do full update
+to sync the dc state before and after reset.
+
+[How]
+Return true in should_reset_plane() if gpu reset detected
+
+Reviewed-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Roman Li <Roman.Li@amd.com>
+Signed-off-by: Zaeem Mohamed <zaeem.mohamed@amd.com>
+Tested-by: Mark Broadworth <mark.broadworth@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 2ba8619b9a378ad218ad6c2e2ccaee8f531e08de)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+@@ -9590,6 +9590,9 @@ static bool should_reset_plane(struct dr
+ if (adev->ip_versions[DCE_HWIP][0] < IP_VERSION(3, 2, 0) && state->allow_modeset)
+ return true;
+
++ if (amdgpu_in_reset(adev) && state->allow_modeset)
++ return true;
++
+ /* Exit early if we know that we're adding or removing the plane. */
+ if (old_plane_state->crtc != new_plane_state->crtc)
+ return true;
--- /dev/null
+From edd43f4d6f50ec3de55a0c9e9df6348d1da51965 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Thu, 24 Apr 2025 10:28:14 -0600
+Subject: io_uring: fix 'sync' handling of io_fallback_tw()
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit edd43f4d6f50ec3de55a0c9e9df6348d1da51965 upstream.
+
+A previous commit added a 'sync' parameter to io_fallback_tw(), which if
+true, means the caller wants to wait on the fallback thread handling it.
+But the logic is somewhat messed up, ensure that ctxs are swapped and
+flushed appropriately.
+
+Cc: stable@vger.kernel.org
+Fixes: dfbe5561ae93 ("io_uring: flush offloaded and delayed task_work on exit")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/io_uring.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -1247,21 +1247,22 @@ static __cold void io_fallback_tw(struct
+ while (node) {
+ req = container_of(node, struct io_kiocb, io_task_work.node);
+ node = node->next;
+- if (sync && last_ctx != req->ctx) {
++ if (last_ctx != req->ctx) {
+ if (last_ctx) {
+- flush_delayed_work(&last_ctx->fallback_work);
++ if (sync)
++ flush_delayed_work(&last_ctx->fallback_work);
+ percpu_ref_put(&last_ctx->refs);
+ }
+ last_ctx = req->ctx;
+ percpu_ref_get(&last_ctx->refs);
+ }
+- if (llist_add(&req->io_task_work.node,
+- &req->ctx->fallback_llist))
+- schedule_delayed_work(&req->ctx->fallback_work, 1);
++ if (llist_add(&req->io_task_work.node, &last_ctx->fallback_llist))
++ schedule_delayed_work(&last_ctx->fallback_work, 1);
+ }
+
+ if (last_ctx) {
+- flush_delayed_work(&last_ctx->fallback_work);
++ if (sync)
++ flush_delayed_work(&last_ctx->fallback_work);
+ percpu_ref_put(&last_ctx->refs);
+ }
+ }
--- /dev/null
+From 3318dc299b072a0511d6dfd8367f3304fb6d9827 Mon Sep 17 00:00:00 2001
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Tue, 22 Apr 2025 17:16:16 +0100
+Subject: irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode()
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+commit 3318dc299b072a0511d6dfd8367f3304fb6d9827 upstream.
+
+With ACPI in place, gicv2m_get_fwnode() is registered with the pci
+subsystem as pci_msi_get_fwnode_cb(), which may get invoked at runtime
+during a PCI host bridge probe. But, the call back is wrongly marked as
+__init, causing it to be freed, while being registered with the PCI
+subsystem and could trigger:
+
+ Unable to handle kernel paging request at virtual address ffff8000816c0400
+ gicv2m_get_fwnode+0x0/0x58 (P)
+ pci_set_bus_msi_domain+0x74/0x88
+ pci_register_host_bridge+0x194/0x548
+
+This is easily reproducible on a Juno board with ACPI boot.
+
+Retain the function for later use.
+
+Fixes: 0644b3daca28 ("irqchip/gic-v2m: acpi: Introducing GICv2m ACPI support")
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Reviewed-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-gic-v2m.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/irqchip/irq-gic-v2m.c
++++ b/drivers/irqchip/irq-gic-v2m.c
+@@ -454,7 +454,7 @@ static int __init gicv2m_of_init(struct
+ #ifdef CONFIG_ACPI
+ static int acpi_num_msi;
+
+-static __init struct fwnode_handle *gicv2m_get_fwnode(struct device *dev)
++static struct fwnode_handle *gicv2m_get_fwnode(struct device *dev)
+ {
+ struct v2m_data *data;
+
--- /dev/null
+From 7537deda36521fa8fff9133b39c46e31893606f2 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Fri, 4 Apr 2025 12:38:16 -0700
+Subject: KVM: SVM: Allocate IR data using atomic allocation
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 7537deda36521fa8fff9133b39c46e31893606f2 upstream.
+
+Allocate SVM's interrupt remapping metadata using GFP_ATOMIC as
+svm_ir_list_add() is called with IRQs are disabled and irqfs.lock held
+when kvm_irq_routing_update() reacts to GSI routing changes.
+
+Fixes: 411b44ba80ab ("svm: Implements update_pi_irte hook to setup posted interrupt")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-ID: <20250404193923.1413163-2-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/svm/avic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/svm/avic.c
++++ b/arch/x86/kvm/svm/avic.c
+@@ -820,7 +820,7 @@ static int svm_ir_list_add(struct vcpu_s
+ * Allocating new amd_iommu_pi_data, which will get
+ * add to the per-vcpu ir_list.
+ */
+- ir = kzalloc(sizeof(struct amd_svm_iommu_ir), GFP_KERNEL_ACCOUNT);
++ ir = kzalloc(sizeof(struct amd_svm_iommu_ir), GFP_ATOMIC | __GFP_ACCOUNT);
+ if (!ir) {
+ ret = -ENOMEM;
+ goto out;
--- /dev/null
+From c37325cbd91abe3bfab280b3b09947155abe8e07 Mon Sep 17 00:00:00 2001
+From: Petr Tesarik <ptesarik@suse.com>
+Date: Thu, 24 Apr 2025 20:15:41 +0800
+Subject: LoongArch: Remove a bogus reference to ZONE_DMA
+
+From: Petr Tesarik <ptesarik@suse.com>
+
+commit c37325cbd91abe3bfab280b3b09947155abe8e07 upstream.
+
+Remove dead code. LoongArch does not have a DMA memory zone (24bit DMA).
+The architecture does not even define MAX_DMA_PFN.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
+Signed-off-by: Petr Tesarik <ptesarik@suse.com>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/mm/init.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/arch/loongarch/mm/init.c
++++ b/arch/loongarch/mm/init.c
+@@ -64,9 +64,6 @@ void __init paging_init(void)
+ {
+ unsigned long max_zone_pfns[MAX_NR_ZONES];
+
+-#ifdef CONFIG_ZONE_DMA
+- max_zone_pfns[ZONE_DMA] = MAX_DMA_PFN;
+-#endif
+ #ifdef CONFIG_ZONE_DMA32
+ max_zone_pfns[ZONE_DMA32] = MAX_DMA32_PFN;
+ #endif
--- /dev/null
+From bd51834d1cf65a2c801295d230c220aeebf87a73 Mon Sep 17 00:00:00 2001
+From: Ming Wang <wangming01@loongson.cn>
+Date: Thu, 24 Apr 2025 20:15:47 +0800
+Subject: LoongArch: Return NULL from huge_pte_offset() for invalid PMD
+
+From: Ming Wang <wangming01@loongson.cn>
+
+commit bd51834d1cf65a2c801295d230c220aeebf87a73 upstream.
+
+LoongArch's huge_pte_offset() currently returns a pointer to a PMD slot
+even if the underlying entry points to invalid_pte_table (indicating no
+mapping). Callers like smaps_hugetlb_range() fetch this invalid entry
+value (the address of invalid_pte_table) via this pointer.
+
+The generic is_swap_pte() check then incorrectly identifies this address
+as a swap entry on LoongArch, because it satisfies the "!pte_present()
+&& !pte_none()" conditions. This misinterpretation, combined with a
+coincidental match by is_migration_entry() on the address bits, leads to
+kernel crashes in pfn_swap_entry_to_page().
+
+Fix this at the architecture level by modifying huge_pte_offset() to
+check the PMD entry's content using pmd_none() before returning. If the
+entry is invalid (i.e., it points to invalid_pte_table), return NULL
+instead of the pointer to the slot.
+
+Cc: stable@vger.kernel.org
+Acked-by: Peter Xu <peterx@redhat.com>
+Co-developed-by: Hongchen Zhang <zhanghongchen@loongson.cn>
+Signed-off-by: Hongchen Zhang <zhanghongchen@loongson.cn>
+Signed-off-by: Ming Wang <wangming01@loongson.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/mm/hugetlbpage.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/loongarch/mm/hugetlbpage.c
++++ b/arch/loongarch/mm/hugetlbpage.c
+@@ -47,7 +47,7 @@ pte_t *huge_pte_offset(struct mm_struct
+ pmd = pmd_offset(pud, addr);
+ }
+ }
+- return (pte_t *) pmd;
++ return pmd_none(pmdp_get(pmd)) ? NULL : (pte_t *) pmd;
+ }
+
+ int pmd_huge(pmd_t pmd)
--- /dev/null
+From 7c7f1bfdb2249f854a736d9b79778c7e5a29a150 Mon Sep 17 00:00:00 2001
+From: Haoxiang Li <haoxiang_li2024@163.com>
+Date: Mon, 10 Mar 2025 09:46:57 +0100
+Subject: mcb: fix a double free bug in chameleon_parse_gdd()
+
+From: Haoxiang Li <haoxiang_li2024@163.com>
+
+commit 7c7f1bfdb2249f854a736d9b79778c7e5a29a150 upstream.
+
+In chameleon_parse_gdd(), if mcb_device_register() fails, 'mdev'
+would be released in mcb_device_register() via put_device().
+Thus, goto 'err' label and free 'mdev' again causes a double free.
+Just return if mcb_device_register() fails.
+
+Fixes: 3764e82e5150 ("drivers: Introduce MEN Chameleon Bus")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
+Signed-off-by: Johannes Thumshirn <jth@kernel.org>
+Link: https://lore.kernel.org/r/6201d09e2975ae5789879f79a6de4c38de9edd4a.1741596225.git.jth@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mcb/mcb-parse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mcb/mcb-parse.c
++++ b/drivers/mcb/mcb-parse.c
+@@ -101,7 +101,7 @@ static int chameleon_parse_gdd(struct mc
+
+ ret = mcb_device_register(bus, mdev);
+ if (ret < 0)
+- goto err;
++ return ret;
+
+ return 0;
+
--- /dev/null
+From 86ce5c0a1dec02e21b4c864b2bc0cc5880a2c13c Mon Sep 17 00:00:00 2001
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+Date: Tue, 8 Apr 2025 16:00:05 +0300
+Subject: mei: me: add panther lake H DID
+
+From: Alexander Usyskin <alexander.usyskin@intel.com>
+
+commit 86ce5c0a1dec02e21b4c864b2bc0cc5880a2c13c upstream.
+
+Add Panther Lake H device id.
+
+Cc: stable <stable@kernel.org>
+Co-developed-by: Tomas Winkler <tomasw@gmail.com>
+Signed-off-by: Tomas Winkler <tomasw@gmail.com>
+Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Link: https://lore.kernel.org/r/20250408130005.1358140-1-alexander.usyskin@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/mei/hw-me-regs.h | 1 +
+ drivers/misc/mei/pci-me.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/misc/mei/hw-me-regs.h
++++ b/drivers/misc/mei/hw-me-regs.h
+@@ -117,6 +117,7 @@
+
+ #define MEI_DEV_ID_LNL_M 0xA870 /* Lunar Lake Point M */
+
++#define MEI_DEV_ID_PTL_H 0xE370 /* Panther Lake H */
+ #define MEI_DEV_ID_PTL_P 0xE470 /* Panther Lake P */
+
+ /*
+--- a/drivers/misc/mei/pci-me.c
++++ b/drivers/misc/mei/pci-me.c
+@@ -124,6 +124,7 @@ static const struct pci_device_id mei_me
+
+ {MEI_PCI_DEVICE(MEI_DEV_ID_LNL_M, MEI_ME_PCH15_CFG)},
+
++ {MEI_PCI_DEVICE(MEI_DEV_ID_PTL_H, MEI_ME_PCH15_CFG)},
+ {MEI_PCI_DEVICE(MEI_DEV_ID_PTL_P, MEI_ME_PCH15_CFG)},
+
+ /* required last entry */
--- /dev/null
+From 30a41ed32d3088cd0d682a13d7f30b23baed7e93 Mon Sep 17 00:00:00 2001
+From: Fiona Klute <fiona.klute@gmx.de>
+Date: Wed, 16 Apr 2025 12:24:13 +0200
+Subject: net: phy: microchip: force IRQ polling mode for lan88xx
+
+From: Fiona Klute <fiona.klute@gmx.de>
+
+commit 30a41ed32d3088cd0d682a13d7f30b23baed7e93 upstream.
+
+With lan88xx based devices the lan78xx driver can get stuck in an
+interrupt loop while bringing the device up, flooding the kernel log
+with messages like the following:
+
+lan78xx 2-3:1.0 enp1s0u3: kevent 4 may have been dropped
+
+Removing interrupt support from the lan88xx PHY driver forces the
+driver to use polling instead, which avoids the problem.
+
+The issue has been observed with Raspberry Pi devices at least since
+4.14 (see [1], bug report for their downstream kernel), as well as
+with Nvidia devices [2] in 2020, where disabling interrupts was the
+vendor-suggested workaround (together with the claim that phylib
+changes in 4.9 made the interrupt handling in lan78xx incompatible).
+
+Iperf reports well over 900Mbits/sec per direction with client in
+--dualtest mode, so there does not seem to be a significant impact on
+throughput (lan88xx device connected via switch to the peer).
+
+[1] https://github.com/raspberrypi/linux/issues/2447
+[2] https://forums.developer.nvidia.com/t/jetson-xavier-and-lan7800-problem/142134/11
+
+Link: https://lore.kernel.org/0901d90d-3f20-4a10-b680-9c978e04ddda@lunn.ch
+Fixes: 792aec47d59d ("add microchip LAN88xx phy driver")
+Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
+Cc: kernel-list@raspberrypi.com
+Cc: stable@vger.kernel.org
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/20250416102413.30654-1-fiona.klute@gmx.de
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/microchip.c | 46 ++------------------------------------------
+ 1 file changed, 3 insertions(+), 43 deletions(-)
+
+--- a/drivers/net/phy/microchip.c
++++ b/drivers/net/phy/microchip.c
+@@ -31,47 +31,6 @@ static int lan88xx_write_page(struct phy
+ return __phy_write(phydev, LAN88XX_EXT_PAGE_ACCESS, page);
+ }
+
+-static int lan88xx_phy_config_intr(struct phy_device *phydev)
+-{
+- int rc;
+-
+- if (phydev->interrupts == PHY_INTERRUPT_ENABLED) {
+- /* unmask all source and clear them before enable */
+- rc = phy_write(phydev, LAN88XX_INT_MASK, 0x7FFF);
+- rc = phy_read(phydev, LAN88XX_INT_STS);
+- rc = phy_write(phydev, LAN88XX_INT_MASK,
+- LAN88XX_INT_MASK_MDINTPIN_EN_ |
+- LAN88XX_INT_MASK_LINK_CHANGE_);
+- } else {
+- rc = phy_write(phydev, LAN88XX_INT_MASK, 0);
+- if (rc)
+- return rc;
+-
+- /* Ack interrupts after they have been disabled */
+- rc = phy_read(phydev, LAN88XX_INT_STS);
+- }
+-
+- return rc < 0 ? rc : 0;
+-}
+-
+-static irqreturn_t lan88xx_handle_interrupt(struct phy_device *phydev)
+-{
+- int irq_status;
+-
+- irq_status = phy_read(phydev, LAN88XX_INT_STS);
+- if (irq_status < 0) {
+- phy_error(phydev);
+- return IRQ_NONE;
+- }
+-
+- if (!(irq_status & LAN88XX_INT_STS_LINK_CHANGE_))
+- return IRQ_NONE;
+-
+- phy_trigger_machine(phydev);
+-
+- return IRQ_HANDLED;
+-}
+-
+ static int lan88xx_suspend(struct phy_device *phydev)
+ {
+ struct lan88xx_priv *priv = phydev->priv;
+@@ -392,8 +351,9 @@ static struct phy_driver microchip_phy_d
+ .config_aneg = lan88xx_config_aneg,
+ .link_change_notify = lan88xx_link_change_notify,
+
+- .config_intr = lan88xx_phy_config_intr,
+- .handle_interrupt = lan88xx_handle_interrupt,
++ /* Interrupt handling is broken, do not define related
++ * functions to force polling.
++ */
+
+ .suspend = lan88xx_suspend,
+ .resume = genphy_resume,
--- /dev/null
+From 9e8d1013b0c38910cbc9e60de74dbe883878469d Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+Date: Wed, 16 Apr 2025 18:01:25 +0200
+Subject: net: selftests: initialize TCP header and skb payload with zero
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+commit 9e8d1013b0c38910cbc9e60de74dbe883878469d upstream.
+
+Zero-initialize TCP header via memset() to avoid garbage values that
+may affect checksum or behavior during test transmission.
+
+Also zero-fill allocated payload and padding regions using memset()
+after skb_put(), ensuring deterministic content for all outgoing
+test packets.
+
+Fixes: 3e1e58d64c3d ("net: add generic selftest support")
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Cc: stable@vger.kernel.org
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250416160125.2914724-1-o.rempel@pengutronix.de
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/selftests.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/net/core/selftests.c
++++ b/net/core/selftests.c
+@@ -100,10 +100,10 @@ static struct sk_buff *net_test_get_skb(
+ ehdr->h_proto = htons(ETH_P_IP);
+
+ if (attr->tcp) {
++ memset(thdr, 0, sizeof(*thdr));
+ thdr->source = htons(attr->sport);
+ thdr->dest = htons(attr->dport);
+ thdr->doff = sizeof(struct tcphdr) / 4;
+- thdr->check = 0;
+ } else {
+ uhdr->source = htons(attr->sport);
+ uhdr->dest = htons(attr->dport);
+@@ -144,10 +144,18 @@ static struct sk_buff *net_test_get_skb(
+ attr->id = net_test_next_id;
+ shdr->id = net_test_next_id++;
+
+- if (attr->size)
+- skb_put(skb, attr->size);
+- if (attr->max_size && attr->max_size > skb->len)
+- skb_put(skb, attr->max_size - skb->len);
++ if (attr->size) {
++ void *payload = skb_put(skb, attr->size);
++
++ memset(payload, 0, attr->size);
++ }
++
++ if (attr->max_size && attr->max_size > skb->len) {
++ size_t pad_len = attr->max_size - skb->len;
++ void *pad = skb_put(skb, pad_len);
++
++ memset(pad, 0, pad_len);
++ }
+
+ skb->csum = 0;
+ skb->ip_summed = CHECKSUM_PARTIAL;
--- /dev/null
+From 14a3cc755825ef7b34c986aa2786ea815023e9c5 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <dlemoal@kernel.org>
+Date: Sun, 13 Apr 2025 11:24:47 +0900
+Subject: scsi: Improve CDL control
+
+From: Damien Le Moal <dlemoal@kernel.org>
+
+commit 14a3cc755825ef7b34c986aa2786ea815023e9c5 upstream.
+
+With ATA devices supporting the CDL feature, using CDL requires that the
+feature be enabled with a SET FEATURES command. This command is issued
+as the translated command for the MODE SELECT command issued by
+scsi_cdl_enable() when the user enables CDL through the device
+cdl_enable sysfs attribute.
+
+However, the implementation of scsi_cdl_enable() always issues a MODE
+SELECT command for ATA devices when the enable argument is true, even if
+CDL is already enabled on the device. While this does not cause any
+issue with using CDL descriptors with read/write commands (the CDL
+feature will be enabled on the drive), issuing the MODE SELECT command
+even when the device CDL feature is already enabled will cause a reset
+of the ATA device CDL statistics log page (as defined in ACS, any CDL
+enable action must reset the device statistics).
+
+Avoid this needless actions (and the implied statistics log page reset)
+by modifying scsi_cdl_enable() to issue the MODE SELECT command to
+enable CDL if and only if CDL is not reported as already enabled on the
+device.
+
+And while at it, simplify the initialization of the is_ata boolean
+variable and move the declaration of the scsi mode data and sense header
+variables to within the scope of ATA device handling.
+
+Fixes: 1b22cfb14142 ("scsi: core: Allow enabling and disabling command duration limits")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Reviewed-by: Niklas Cassel <cassel@kernel.org>
+Reviewed-by: Igor Pylypiv <ipylypiv@google.com>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/scsi.c | 36 ++++++++++++++++++++++++------------
+ 1 file changed, 24 insertions(+), 12 deletions(-)
+
+--- a/drivers/scsi/scsi.c
++++ b/drivers/scsi/scsi.c
+@@ -693,26 +693,23 @@ void scsi_cdl_check(struct scsi_device *
+ */
+ int scsi_cdl_enable(struct scsi_device *sdev, bool enable)
+ {
+- struct scsi_mode_data data;
+- struct scsi_sense_hdr sshdr;
+- struct scsi_vpd *vpd;
+- bool is_ata = false;
+ char buf[64];
++ bool is_ata;
+ int ret;
+
+ if (!sdev->cdl_supported)
+ return -EOPNOTSUPP;
+
+ rcu_read_lock();
+- vpd = rcu_dereference(sdev->vpd_pg89);
+- if (vpd)
+- is_ata = true;
++ is_ata = rcu_dereference(sdev->vpd_pg89);
+ rcu_read_unlock();
+
+ /*
+ * For ATA devices, CDL needs to be enabled with a SET FEATURES command.
+ */
+ if (is_ata) {
++ struct scsi_mode_data data;
++ struct scsi_sense_hdr sshdr;
+ char *buf_data;
+ int len;
+
+@@ -721,16 +718,30 @@ int scsi_cdl_enable(struct scsi_device *
+ if (ret)
+ return -EINVAL;
+
+- /* Enable CDL using the ATA feature page */
++ /* Enable or disable CDL using the ATA feature page */
+ len = min_t(size_t, sizeof(buf),
+ data.length - data.header_length -
+ data.block_descriptor_length);
+ buf_data = buf + data.header_length +
+ data.block_descriptor_length;
+- if (enable)
+- buf_data[4] = 0x02;
+- else
+- buf_data[4] = 0;
++
++ /*
++ * If we want to enable CDL and CDL is already enabled on the
++ * device, do nothing. This avoids needlessly resetting the CDL
++ * statistics on the device as that is implied by the CDL enable
++ * action. Similar to this, there is no need to do anything if
++ * we want to disable CDL and CDL is already disabled.
++ */
++ if (enable) {
++ if ((buf_data[4] & 0x03) == 0x02)
++ goto out;
++ buf_data[4] &= ~0x03;
++ buf_data[4] |= 0x02;
++ } else {
++ if ((buf_data[4] & 0x03) == 0x00)
++ goto out;
++ buf_data[4] &= ~0x03;
++ }
+
+ ret = scsi_mode_select(sdev, 1, 0, buf_data, len, 5 * HZ, 3,
+ &data, &sshdr);
+@@ -742,6 +753,7 @@ int scsi_cdl_enable(struct scsi_device *
+ }
+ }
+
++out:
+ sdev->cdl_enable = enable;
+
+ return 0;
loongarch-select-arch_use_memtest.patch
loongarch-make-regs_irqs_disabled-more-clear.patch
loongarch-make-do_xyz-exception-handlers-more-robust.patch
+virtio_console-fix-missing-byte-order-handling-for-cols-and-rows.patch
+crypto-atmel-sha204a-set-hwrng-quality-to-lowest-possible.patch
+xen-netfront-handle-null-returned-by-xdp_convert_buff_to_frame.patch
+net-selftests-initialize-tcp-header-and-skb-payload-with-zero.patch
+net-phy-microchip-force-irq-polling-mode-for-lan88xx.patch
+drm-amd-display-fix-gpu-reset-in-multidisplay-config.patch
+drm-amd-display-force-full-update-in-gpu-reset.patch
+irqchip-gic-v2m-prevent-use-after-free-of-gicv2m_get_fwnode.patch
+loongarch-return-null-from-huge_pte_offset-for-invalid-pmd.patch
+loongarch-remove-a-bogus-reference-to-zone_dma.patch
+io_uring-fix-sync-handling-of-io_fallback_tw.patch
+kvm-svm-allocate-ir-data-using-atomic-allocation.patch
+cxl-core-regs.c-skip-memory-space-enable-check-for-rcd-and-rch-ports.patch
+mcb-fix-a-double-free-bug-in-chameleon_parse_gdd.patch
+ata-libata-scsi-improve-cdl-control.patch
+ata-libata-scsi-fix-ata_mselect_control_ata_feature-return-type.patch
+ata-libata-scsi-fix-ata_msense_control_ata_feature.patch
+usb-storage-quirk-for-adata-portable-hdd-ch94.patch
+scsi-improve-cdl-control.patch
+mei-me-add-panther-lake-h-did.patch
--- /dev/null
+From 9ab75eee1a056f896b87d139044dd103adc532b9 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 3 Apr 2025 19:59:45 +0200
+Subject: USB: storage: quirk for ADATA Portable HDD CH94
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 9ab75eee1a056f896b87d139044dd103adc532b9 upstream.
+
+Version 1.60 specifically needs this quirk.
+Version 2.00 is known good.
+
+Cc: stable <stable@kernel.org>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Link: https://lore.kernel.org/r/20250403180004.343133-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/storage/unusual_uas.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/storage/unusual_uas.h
++++ b/drivers/usb/storage/unusual_uas.h
+@@ -83,6 +83,13 @@ UNUSUAL_DEV(0x0bc2, 0x331a, 0x0000, 0x99
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_NO_REPORT_LUNS),
+
++/* Reported-by: Oliver Neukum <oneukum@suse.com> */
++UNUSUAL_DEV(0x125f, 0xa94a, 0x0160, 0x0160,
++ "ADATA",
++ "Portable HDD CH94",
++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
++ US_FL_NO_ATA_1X),
++
+ /* Reported-by: Benjamin Tissoires <benjamin.tissoires@redhat.com> */
+ UNUSUAL_DEV(0x13fd, 0x3940, 0x0000, 0x9999,
+ "Initio Corporation",
--- /dev/null
+From fbd3039a64b01b769040677c4fc68badeca8e3b2 Mon Sep 17 00:00:00 2001
+From: Halil Pasic <pasic@linux.ibm.com>
+Date: Sat, 22 Mar 2025 01:29:54 +0100
+Subject: virtio_console: fix missing byte order handling for cols and rows
+
+From: Halil Pasic <pasic@linux.ibm.com>
+
+commit fbd3039a64b01b769040677c4fc68badeca8e3b2 upstream.
+
+As per virtio spec the fields cols and rows are specified as little
+endian. Although there is no legacy interface requirement that would
+state that cols and rows need to be handled as native endian when legacy
+interface is used, unlike for the fields of the adjacent struct
+virtio_console_control, I decided to err on the side of caution based
+on some non-conclusive virtio spec repo archaeology and opt for using
+virtio16_to_cpu() much like for virtio_console_control.event. Strictly
+by the letter of the spec virtio_le_to_cpu() would have been sufficient.
+But when the legacy interface is not used, it boils down to the same.
+
+And when using the legacy interface, the device formatting these as
+little endian when the guest is big endian would surprise me more than
+it using guest native byte order (which would make it compatible with
+the current implementation). Nevertheless somebody trying to implement
+the spec following it to the letter could end up forcing little endian
+byte order when the legacy interface is in use. So IMHO this ultimately
+needs a judgement call by the maintainers.
+
+Fixes: 8345adbf96fc1 ("virtio: console: Accept console size along with resize control message")
+Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
+Cc: stable@vger.kernel.org # v2.6.35+
+Message-Id: <20250322002954.3129282-1-pasic@linux.ibm.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/virtio_console.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/char/virtio_console.c
++++ b/drivers/char/virtio_console.c
+@@ -1612,8 +1612,8 @@ static void handle_control_message(struc
+ break;
+ case VIRTIO_CONSOLE_RESIZE: {
+ struct {
+- __u16 rows;
+- __u16 cols;
++ __virtio16 rows;
++ __virtio16 cols;
+ } size;
+
+ if (!is_console_port(port))
+@@ -1621,7 +1621,8 @@ static void handle_control_message(struc
+
+ memcpy(&size, buf->buf + buf->offset + sizeof(*cpkt),
+ sizeof(size));
+- set_console_size(port, size.rows, size.cols);
++ set_console_size(port, virtio16_to_cpu(vdev, size.rows),
++ virtio16_to_cpu(vdev, size.cols));
+
+ port->cons.hvc->irq_requested = 1;
+ resize_console(port);
--- /dev/null
+From cc3628dcd851ddd8d418bf0c897024b4621ddc92 Mon Sep 17 00:00:00 2001
+From: Alexey Nepomnyashih <sdl@nppct.ru>
+Date: Thu, 17 Apr 2025 12:21:17 +0000
+Subject: xen-netfront: handle NULL returned by xdp_convert_buff_to_frame()
+
+From: Alexey Nepomnyashih <sdl@nppct.ru>
+
+commit cc3628dcd851ddd8d418bf0c897024b4621ddc92 upstream.
+
+The function xdp_convert_buff_to_frame() may return NULL if it fails
+to correctly convert the XDP buffer into an XDP frame due to memory
+constraints, internal errors, or invalid data. Failing to check for NULL
+may lead to a NULL pointer dereference if the result is used later in
+processing, potentially causing crashes, data corruption, or undefined
+behavior.
+
+On XDP redirect failure, the associated page must be released explicitly
+if it was previously retained via get_page(). Failing to do so may result
+in a memory leak, as the pages reference count is not decremented.
+
+Cc: stable@vger.kernel.org # v5.9+
+Fixes: 6c5aa6fc4def ("xen networking: add basic XDP support for xen-netfront")
+Signed-off-by: Alexey Nepomnyashih <sdl@nppct.ru>
+Link: https://patch.msgid.link/20250417122118.1009824-1-sdl@nppct.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/xen-netfront.c | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/xen-netfront.c
++++ b/drivers/net/xen-netfront.c
+@@ -985,20 +985,27 @@ static u32 xennet_run_xdp(struct netfron
+ act = bpf_prog_run_xdp(prog, xdp);
+ switch (act) {
+ case XDP_TX:
+- get_page(pdata);
+ xdpf = xdp_convert_buff_to_frame(xdp);
++ if (unlikely(!xdpf)) {
++ trace_xdp_exception(queue->info->netdev, prog, act);
++ break;
++ }
++ get_page(pdata);
+ err = xennet_xdp_xmit(queue->info->netdev, 1, &xdpf, 0);
+- if (unlikely(!err))
++ if (unlikely(err <= 0)) {
++ if (err < 0)
++ trace_xdp_exception(queue->info->netdev, prog, act);
+ xdp_return_frame_rx_napi(xdpf);
+- else if (unlikely(err < 0))
+- trace_xdp_exception(queue->info->netdev, prog, act);
++ }
+ break;
+ case XDP_REDIRECT:
+ get_page(pdata);
+ err = xdp_do_redirect(queue->info->netdev, xdp, prog);
+ *need_xdp_flush = true;
+- if (unlikely(err))
++ if (unlikely(err)) {
+ trace_xdp_exception(queue->info->netdev, prog, act);
++ xdp_return_buff(xdp);
++ }
+ break;
+ case XDP_PASS:
+ case XDP_DROP:
projects / thirdparty / kernel / stable-queue.git / commitdiff
