--- /dev/null
+From c25c0c9035bb8b28c844dfddeda7b8bdbcfcae95 Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Mon, 14 Oct 2024 08:51:15 +0800
+Subject: blk-mq: setup queue ->tag_set before initializing hctx
+
+From: Ming Lei <ming.lei@redhat.com>
+
+commit c25c0c9035bb8b28c844dfddeda7b8bdbcfcae95 upstream.
+
+Commit 7b815817aa58 ("blk-mq: add helper for checking if one CPU is mapped to specified hctx")
+needs to check queue mapping via tag set in hctx's cpuhp handler.
+
+However, q->tag_set may not be setup yet when the cpuhp handler is
+enabled, then kernel oops is triggered.
+
+Fix the issue by setup queue tag_set before initializing hctx.
+
+Cc: stable@vger.kernel.org
+Reported-and-tested-by: Rick Koch <mr.rickkoch@gmail.com>
+Closes: https://lore.kernel.org/linux-block/CANa58eeNDozLaBHKPLxSAhEy__FPfJT_F71W=sEQw49UCrC9PQ@mail.gmail.com
+Fixes: 7b815817aa58 ("blk-mq: add helper for checking if one CPU is mapped to specified hctx")
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: John Garry <john.g.garry@oracle.com>
+Link: https://lore.kernel.org/r/20241014005115.2699642-1-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-mq.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -4307,6 +4307,12 @@ int blk_mq_init_allocated_queue(struct b
+ /* mark the queue as mq asap */
+ q->mq_ops = set->ops;
+
++ /*
++ * ->tag_set has to be setup before initialize hctx, which cpuphp
++ * handler needs it for checking queue mapping
++ */
++ q->tag_set = set;
++
+ if (blk_mq_alloc_ctxs(q))
+ goto err_exit;
+
+@@ -4325,8 +4331,6 @@ int blk_mq_init_allocated_queue(struct b
+ INIT_WORK(&q->timeout_work, blk_mq_timeout_work);
+ blk_queue_rq_timeout(q, set->timeout ? set->timeout : 30 * HZ);
+
+- q->tag_set = set;
+-
+ q->queue_flags |= QUEUE_FLAG_MQ_DEFAULT;
+
+ INIT_DELAYED_WORK(&q->requeue_work, blk_mq_requeue_work);
--- /dev/null
+From e972b08b91ef48488bae9789f03cfedb148667fb Mon Sep 17 00:00:00 2001
+From: Omar Sandoval <osandov@fb.com>
+Date: Tue, 15 Oct 2024 10:59:46 -0700
+Subject: blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race
+
+From: Omar Sandoval <osandov@fb.com>
+
+commit e972b08b91ef48488bae9789f03cfedb148667fb upstream.
+
+We're seeing crashes from rq_qos_wake_function that look like this:
+
+ BUG: unable to handle page fault for address: ffffafe180a40084
+ #PF: supervisor write access in kernel mode
+ #PF: error_code(0x0002) - not-present page
+ PGD 100000067 P4D 100000067 PUD 10027c067 PMD 10115d067 PTE 0
+ Oops: Oops: 0002 [#1] PREEMPT SMP PTI
+ CPU: 17 UID: 0 PID: 0 Comm: swapper/17 Not tainted 6.12.0-rc3-00013-geca631b8fe80 #11
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
+ RIP: 0010:_raw_spin_lock_irqsave+0x1d/0x40
+ Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 9c 41 5c fa 65 ff 05 62 97 30 4c 31 c0 ba 01 00 00 00 <f0> 0f b1 17 75 0a 4c 89 e0 41 5c c3 cc cc cc cc 89 c6 e8 2c 0b 00
+ RSP: 0018:ffffafe180580ca0 EFLAGS: 00010046
+ RAX: 0000000000000000 RBX: ffffafe180a3f7a8 RCX: 0000000000000011
+ RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffffafe180a40084
+ RBP: 0000000000000000 R08: 00000000001e7240 R09: 0000000000000011
+ R10: 0000000000000028 R11: 0000000000000888 R12: 0000000000000002
+ R13: ffffafe180a40084 R14: 0000000000000000 R15: 0000000000000003
+ FS: 0000000000000000(0000) GS:ffff9aaf1f280000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: ffffafe180a40084 CR3: 000000010e428002 CR4: 0000000000770ef0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+ PKRU: 55555554
+ Call Trace:
+ <IRQ>
+ try_to_wake_up+0x5a/0x6a0
+ rq_qos_wake_function+0x71/0x80
+ __wake_up_common+0x75/0xa0
+ __wake_up+0x36/0x60
+ scale_up.part.0+0x50/0x110
+ wb_timer_fn+0x227/0x450
+ ...
+
+So rq_qos_wake_function() calls wake_up_process(data->task), which calls
+try_to_wake_up(), which faults in raw_spin_lock_irqsave(&p->pi_lock).
+
+p comes from data->task, and data comes from the waitqueue entry, which
+is stored on the waiter's stack in rq_qos_wait(). Analyzing the core
+dump with drgn, I found that the waiter had already woken up and moved
+on to a completely unrelated code path, clobbering what was previously
+data->task. Meanwhile, the waker was passing the clobbered garbage in
+data->task to wake_up_process(), leading to the crash.
+
+What's happening is that in between rq_qos_wake_function() deleting the
+waitqueue entry and calling wake_up_process(), rq_qos_wait() is finding
+that it already got a token and returning. The race looks like this:
+
+rq_qos_wait() rq_qos_wake_function()
+==============================================================
+prepare_to_wait_exclusive()
+ data->got_token = true;
+ list_del_init(&curr->entry);
+if (data.got_token)
+ break;
+finish_wait(&rqw->wait, &data.wq);
+ ^- returns immediately because
+ list_empty_careful(&wq_entry->entry)
+ is true
+... return, go do something else ...
+ wake_up_process(data->task)
+ (NO LONGER VALID!)-^
+
+Normally, finish_wait() is supposed to synchronize against the waker.
+But, as noted above, it is returning immediately because the waitqueue
+entry has already been removed from the waitqueue.
+
+The bug is that rq_qos_wake_function() is accessing the waitqueue entry
+AFTER deleting it. Note that autoremove_wake_function() wakes the waiter
+and THEN deletes the waitqueue entry, which is the proper order.
+
+Fix it by swapping the order. We also need to use
+list_del_init_careful() to match the list_empty_careful() in
+finish_wait().
+
+Fixes: 38cfb5a45ee0 ("blk-wbt: improve waking of tasks")
+Cc: stable@vger.kernel.org
+Signed-off-by: Omar Sandoval <osandov@fb.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Link: https://lore.kernel.org/r/d3bee2463a67b1ee597211823bf7ad3721c26e41.1729014591.git.osandov@fb.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-rq-qos.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/block/blk-rq-qos.c
++++ b/block/blk-rq-qos.c
+@@ -219,8 +219,8 @@ static int rq_qos_wake_function(struct w
+
+ data->got_token = true;
+ smp_wmb();
+- list_del_init(&curr->entry);
+ wake_up_process(data->task);
++ list_del_init_careful(&curr->entry);
+ return 1;
+ }
+
--- /dev/null
+From 28127dba64d8ae1a0b737b973d6d029908599611 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Mon, 14 Oct 2024 19:09:36 +0300
+Subject: drm/radeon: Fix encoder->possible_clones
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit 28127dba64d8ae1a0b737b973d6d029908599611 upstream.
+
+Include the encoder itself in its possible_clones bitmask.
+In the past nothing validated that drivers were populating
+possible_clones correctly, but that changed in commit
+74d2aacbe840 ("drm: Validate encoder->possible_clones").
+Looks like radeon never got the memo and is still not
+following the rules 100% correctly.
+
+This results in some warnings during driver initialization:
+Bogus possible_clones: [ENCODER:46:TV-46] possible_clones=0x4 (full encoder mask=0x7)
+WARNING: CPU: 0 PID: 170 at drivers/gpu/drm/drm_mode_config.c:615 drm_mode_config_validate+0x113/0x39c
+...
+
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Cc: amd-gfx@lists.freedesktop.org
+Fixes: 74d2aacbe840 ("drm: Validate encoder->possible_clones")
+Reported-by: Erhard Furtner <erhard_f@mailbox.org>
+Closes: https://lore.kernel.org/dri-devel/20241009000321.418e4294@yea/
+Tested-by: Erhard Furtner <erhard_f@mailbox.org>
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 3b6e7d40649c0d75572039aff9d0911864c689db)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/radeon/radeon_encoders.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/radeon/radeon_encoders.c
++++ b/drivers/gpu/drm/radeon/radeon_encoders.c
+@@ -43,7 +43,7 @@ static uint32_t radeon_encoder_clones(st
+ struct radeon_device *rdev = dev->dev_private;
+ struct radeon_encoder *radeon_encoder = to_radeon_encoder(encoder);
+ struct drm_encoder *clone_encoder;
+- uint32_t index_mask = 0;
++ uint32_t index_mask = drm_encoder_mask(encoder);
+ int count;
+
+ /* DIG routing gets problematic */
--- /dev/null
+From 2c02f7375e658ae93d57a31a66f91b62754ef8f1 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Fri, 18 Oct 2024 21:43:00 -0400
+Subject: fgraph: Use CPU hotplug mechanism to initialize idle shadow stacks
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+commit 2c02f7375e658ae93d57a31a66f91b62754ef8f1 upstream.
+
+The function graph infrastructure allocates a shadow stack for every task
+when enabled. This includes the idle tasks. The first time the function
+graph is invoked, the shadow stacks are created and never freed until the
+task exits. This includes the idle tasks.
+
+Only the idle tasks that were for online CPUs had their shadow stacks
+created when function graph tracing started. If function graph tracing is
+enabled and a CPU comes online, the idle task representing that CPU will
+not have its shadow stack created, and all function graph tracing for that
+idle task will be silently dropped.
+
+Instead, use the CPU hotplug mechanism to allocate the idle shadow stacks.
+This will include idle tasks for CPUs that come online during tracing.
+
+This issue can be reproduced by:
+
+ # cd /sys/kernel/tracing
+ # echo 0 > /sys/devices/system/cpu/cpu1/online
+ # echo 0 > set_ftrace_pid
+ # echo function_graph > current_tracer
+ # echo 1 > options/funcgraph-proc
+ # echo 1 > /sys/devices/system/cpu/cpu1
+ # grep '<idle>' per_cpu/cpu1/trace | head
+
+Before, nothing would show up.
+
+After:
+ 1) <idle>-0 | 0.811 us | __enqueue_entity();
+ 1) <idle>-0 | 5.626 us | } /* enqueue_entity */
+ 1) <idle>-0 | | dl_server_update_idle_time() {
+ 1) <idle>-0 | | dl_scaled_delta_exec() {
+ 1) <idle>-0 | 0.450 us | arch_scale_cpu_capacity();
+ 1) <idle>-0 | 1.242 us | }
+ 1) <idle>-0 | 1.908 us | }
+ 1) <idle>-0 | | dl_server_start() {
+ 1) <idle>-0 | | enqueue_dl_entity() {
+ 1) <idle>-0 | | task_contending() {
+
+Note, if tracing stops and restarts, the old way would then initialize
+the onlined CPUs.
+
+Cc: stable@vger.kernel.org
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/20241018214300.6df82178@rorschach
+Fixes: 868baf07b1a25 ("ftrace: Fix memory leak with function graph and cpu hotplug")
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/fgraph.c | 28 +++++++++++++++++++++-------
+ 1 file changed, 21 insertions(+), 7 deletions(-)
+
+--- a/kernel/trace/fgraph.c
++++ b/kernel/trace/fgraph.c
+@@ -1160,19 +1160,13 @@ void fgraph_update_pid_func(void)
+ static int start_graph_tracing(void)
+ {
+ unsigned long **ret_stack_list;
+- int ret, cpu;
++ int ret;
+
+ ret_stack_list = kmalloc(SHADOW_STACK_SIZE, GFP_KERNEL);
+
+ if (!ret_stack_list)
+ return -ENOMEM;
+
+- /* The cpu_boot init_task->ret_stack will never be freed */
+- for_each_online_cpu(cpu) {
+- if (!idle_task(cpu)->ret_stack)
+- ftrace_graph_init_idle_task(idle_task(cpu), cpu);
+- }
+-
+ do {
+ ret = alloc_retstack_tasklist(ret_stack_list);
+ } while (ret == -EAGAIN);
+@@ -1242,14 +1236,34 @@ static void ftrace_graph_disable_direct(
+ fgraph_direct_gops = &fgraph_stub;
+ }
+
++/* The cpu_boot init_task->ret_stack will never be freed */
++static int fgraph_cpu_init(unsigned int cpu)
++{
++ if (!idle_task(cpu)->ret_stack)
++ ftrace_graph_init_idle_task(idle_task(cpu), cpu);
++ return 0;
++}
++
+ int register_ftrace_graph(struct fgraph_ops *gops)
+ {
++ static bool fgraph_initialized;
+ int command = 0;
+ int ret = 0;
+ int i = -1;
+
+ mutex_lock(&ftrace_lock);
+
++ if (!fgraph_initialized) {
++ ret = cpuhp_setup_state(CPUHP_AP_ONLINE_DYN, "fgraph_idle_init",
++ fgraph_cpu_init, NULL);
++ if (ret < 0) {
++ pr_warn("fgraph: Error to init cpu hotplug support\n");
++ return ret;
++ }
++ fgraph_initialized = true;
++ ret = 0;
++ }
++
+ if (!fgraph_array[0]) {
+ /* The array must always have real data on it */
+ for (i = 0; i < FGRAPH_ARRAY_SIZE; i++)
--- /dev/null
+From ea330429a04b383bd319c66261a5eca4798801e4 Mon Sep 17 00:00:00 2001
+From: Stefan Kerkmann <s.kerkmann@pengutronix.de>
+Date: Wed, 16 Oct 2024 12:37:06 -0700
+Subject: Input: xpad - add support for 8BitDo Ultimate 2C Wireless Controller
+
+From: Stefan Kerkmann <s.kerkmann@pengutronix.de>
+
+commit ea330429a04b383bd319c66261a5eca4798801e4 upstream.
+
+This XBOX360 compatible gamepad uses the new product id 0x310a under the
+8BitDo's vendor id 0x2dc8. The change was tested using the gamepad in a
+wired and wireless dongle configuration.
+
+Signed-off-by: Stefan Kerkmann <s.kerkmann@pengutronix.de>
+Link: https://lore.kernel.org/r/20241015-8bitdo_2c_ultimate_wireless-v1-1-9c9f9db2e995@pengutronix.de
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/joystick/xpad.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -373,6 +373,7 @@ static const struct xpad_device {
+ { 0x294b, 0x3404, "Snakebyte GAMEPAD RGB X", 0, XTYPE_XBOXONE },
+ { 0x2dc8, 0x2000, "8BitDo Pro 2 Wired Controller fox Xbox", 0, XTYPE_XBOXONE },
+ { 0x2dc8, 0x3106, "8BitDo Pro 2 Wired Controller", 0, XTYPE_XBOX360 },
++ { 0x2dc8, 0x310a, "8BitDo Ultimate 2C Wireless Controller", 0, XTYPE_XBOX360 },
+ { 0x2e24, 0x0652, "Hyperkin Duke X-Box One pad", 0, XTYPE_XBOXONE },
+ { 0x31e3, 0x1100, "Wooting One", 0, XTYPE_XBOX360 },
+ { 0x31e3, 0x1200, "Wooting Two", 0, XTYPE_XBOX360 },
--- /dev/null
+From 22a18935d7d96bbb1a28076f843c1926d0ba189e Mon Sep 17 00:00:00 2001
+From: John Edwards <uejji@uejji.net>
+Date: Thu, 10 Oct 2024 23:09:23 +0000
+Subject: Input: xpad - add support for MSI Claw A1M
+
+From: John Edwards <uejji@uejji.net>
+
+commit 22a18935d7d96bbb1a28076f843c1926d0ba189e upstream.
+
+Add MSI Claw A1M controller to xpad_device match table when in xinput mode.
+Add MSI VID as XPAD_XBOX360_VENDOR.
+
+Signed-off-by: John Edwards <uejji@uejji.net>
+Reviewed-by: Derek J. Clark <derekjohn.clark@gmail.com>
+Reviewed-by: Christopher Snowhill <kode54@gmail.com>
+Link: https://lore.kernel.org/r/20241010232020.3292284-4-uejji@uejji.net
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/joystick/xpad.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -218,6 +218,7 @@ static const struct xpad_device {
+ { 0x0c12, 0x8810, "Zeroplus Xbox Controller", 0, XTYPE_XBOX },
+ { 0x0c12, 0x9902, "HAMA VibraX - *FAULTY HARDWARE*", 0, XTYPE_XBOX },
+ { 0x0d2f, 0x0002, "Andamiro Pump It Up pad", MAP_DPAD_TO_BUTTONS, XTYPE_XBOX },
++ { 0x0db0, 0x1901, "Micro Star International Xbox360 Controller for Windows", 0, XTYPE_XBOX360 },
+ { 0x0e4c, 0x1097, "Radica Gamester Controller", 0, XTYPE_XBOX },
+ { 0x0e4c, 0x1103, "Radica Gamester Reflex", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOX },
+ { 0x0e4c, 0x2390, "Radica Games Jtech Controller", 0, XTYPE_XBOX },
+@@ -493,6 +494,7 @@ static const struct usb_device_id xpad_t
+ XPAD_XBOX360_VENDOR(0x07ff), /* Mad Catz Gamepad */
+ XPAD_XBOXONE_VENDOR(0x0b05), /* ASUS controllers */
+ XPAD_XBOX360_VENDOR(0x0c12), /* Zeroplus X-Box 360 controllers */
++ XPAD_XBOX360_VENDOR(0x0db0), /* Micro Star International X-Box 360 controllers */
+ XPAD_XBOX360_VENDOR(0x0e6f), /* 0x0e6f Xbox 360 controllers */
+ XPAD_XBOXONE_VENDOR(0x0e6f), /* 0x0e6f Xbox One controllers */
+ XPAD_XBOX360_VENDOR(0x0f0d), /* Hori controllers */
--- /dev/null
+From 28aabffae6be54284869a91cd8bccd3720041129 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Tue, 15 Oct 2024 08:58:25 -0600
+Subject: io_uring/sqpoll: close race on waiting for sqring entries
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 28aabffae6be54284869a91cd8bccd3720041129 upstream.
+
+When an application uses SQPOLL, it must wait for the SQPOLL thread to
+consume SQE entries, if it fails to get an sqe when calling
+io_uring_get_sqe(). It can do so by calling io_uring_enter(2) with the
+flag value of IORING_ENTER_SQ_WAIT. In liburing, this is generally done
+with io_uring_sqring_wait(). There's a natural expectation that once
+this call returns, a new SQE entry can be retrieved, filled out, and
+submitted. However, the kernel uses the cached sq head to determine if
+the SQRING is full or not. If the SQPOLL thread is currently in the
+process of submitting SQE entries, it may have updated the cached sq
+head, but not yet committed it to the SQ ring. Hence the kernel may find
+that there are SQE entries ready to be consumed, and return successfully
+to the application. If the SQPOLL thread hasn't yet committed the SQ
+ring entries by the time the application returns to userspace and
+attempts to get a new SQE, it will fail getting a new SQE.
+
+Fix this by having io_sqring_full() always use the user visible SQ ring
+head entry, rather than the internally cached one.
+
+Cc: stable@vger.kernel.org # 5.10+
+Link: https://github.com/axboe/liburing/discussions/1267
+Reported-by: Benedek Thaler <thaler@thaler.hu>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/io_uring.h | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/io_uring/io_uring.h
++++ b/io_uring/io_uring.h
+@@ -279,7 +279,14 @@ static inline bool io_sqring_full(struct
+ {
+ struct io_rings *r = ctx->rings;
+
+- return READ_ONCE(r->sq.tail) - ctx->cached_sq_head == ctx->sq_entries;
++ /*
++ * SQPOLL must use the actual sqring head, as using the cached_sq_head
++ * is race prone if the SQPOLL thread has grabbed entries but not yet
++ * committed them to the ring. For !SQPOLL, this doesn't matter, but
++ * since this helper is just used for SQPOLL sqring waits (or POLLOUT),
++ * just read the actual sqring head unconditionally.
++ */
++ return READ_ONCE(r->sq.tail) - READ_ONCE(r->sq.head) == ctx->sq_entries;
+ }
+
+ static inline unsigned int io_sqring_entries(struct io_ring_ctx *ctx)
--- /dev/null
+From 8f7033aa4089fbaf7a33995f0f2ee6c9d7b9ca1b Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Thu, 17 Oct 2024 08:31:56 -0600
+Subject: io_uring/sqpoll: ensure task state is TASK_RUNNING when running task_work
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 8f7033aa4089fbaf7a33995f0f2ee6c9d7b9ca1b upstream.
+
+When the sqpoll is exiting and cancels pending work items, it may need
+to run task_work. If this happens from within io_uring_cancel_generic(),
+then it may be under waiting for the io_uring_task waitqueue. This
+results in the below splat from the scheduler, as the ring mutex may be
+attempted grabbed while in a TASK_INTERRUPTIBLE state.
+
+Ensure that the task state is set appropriately for that, just like what
+is done for the other cases in io_run_task_work().
+
+do not call blocking ops when !TASK_RUNNING; state=1 set at [<0000000029387fd2>] prepare_to_wait+0x88/0x2fc
+WARNING: CPU: 6 PID: 59939 at kernel/sched/core.c:8561 __might_sleep+0xf4/0x140
+Modules linked in:
+CPU: 6 UID: 0 PID: 59939 Comm: iou-sqp-59938 Not tainted 6.12.0-rc3-00113-g8d020023b155 #7456
+Hardware name: linux,dummy-virt (DT)
+pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
+pc : __might_sleep+0xf4/0x140
+lr : __might_sleep+0xf4/0x140
+sp : ffff80008c5e7830
+x29: ffff80008c5e7830 x28: ffff0000d93088c0 x27: ffff60001c2d7230
+x26: dfff800000000000 x25: ffff0000e16b9180 x24: ffff80008c5e7a50
+x23: 1ffff000118bcf4a x22: ffff0000e16b9180 x21: ffff0000e16b9180
+x20: 000000000000011b x19: ffff80008310fac0 x18: 1ffff000118bcd90
+x17: 30303c5b20746120 x16: 74657320313d6574 x15: 0720072007200720
+x14: 0720072007200720 x13: 0720072007200720 x12: ffff600036c64f0b
+x11: 1fffe00036c64f0a x10: ffff600036c64f0a x9 : dfff800000000000
+x8 : 00009fffc939b0f6 x7 : ffff0001b6327853 x6 : 0000000000000001
+x5 : ffff0001b6327850 x4 : ffff600036c64f0b x3 : ffff8000803c35bc
+x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000e16b9180
+Call trace:
+ __might_sleep+0xf4/0x140
+ mutex_lock+0x84/0x124
+ io_handle_tw_list+0xf4/0x260
+ tctx_task_work_run+0x94/0x340
+ io_run_task_work+0x1ec/0x3c0
+ io_uring_cancel_generic+0x364/0x524
+ io_sq_thread+0x820/0x124c
+ ret_from_fork+0x10/0x20
+
+Cc: stable@vger.kernel.org
+Fixes: af5d68f8892f ("io_uring/sqpoll: manage task_work privately")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/io_uring.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/io_uring/io_uring.h
++++ b/io_uring/io_uring.h
+@@ -322,6 +322,7 @@ static inline int io_run_task_work(void)
+ if (current->io_uring) {
+ unsigned int count = 0;
+
++ __set_current_state(TASK_RUNNING);
+ tctx_task_work_run(current->io_uring, UINT_MAX, &count);
+ if (count)
+ ret = true;
--- /dev/null
+From b9e63d6c7c0e94a99e1af7c9c0c7fad13a2f2453 Mon Sep 17 00:00:00 2001
+From: Ranjan Kumar <ranjan.kumar@broadcom.com>
+Date: Tue, 8 Oct 2024 13:13:53 +0530
+Subject: scsi: mpi3mr: Validate SAS port assignments
+
+From: Ranjan Kumar <ranjan.kumar@broadcom.com>
+
+commit b9e63d6c7c0e94a99e1af7c9c0c7fad13a2f2453 upstream.
+
+A sanity check on phy_mask was added in commit 3668651def2c ("scsi:
+mpi3mr: Sanitise num_phys"). This causes warning messages when more than
+64 phys are detected and devices connected to phys greater than 64 are
+dropped.
+
+The phy_mask bitmap is only needed for controller phys and not required
+for expander phys. Controller phys can go up to a maximum of 64 and
+therefore u64 is good enough to contain phy_mask bitmap.
+
+To suppress those warnings and allow devices to be discovered as before
+the offending commit, restrict the phy_mask setting and lowest phy
+setting only to the controller phys.
+
+Fixes: 3668651def2c ("scsi: mpi3mr: Sanitise num_phys")
+Cc: stable@vger.kernel.org
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202410051943.Mp9o5DlF-lkp@intel.com/
+Reported-by: Alexander Motin <mav@ixsystems.com>
+Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
+Link: https://lore.kernel.org/r/20241008074353.200379-1-ranjan.kumar@broadcom.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/mpi3mr/mpi3mr.h | 4 +--
+ drivers/scsi/mpi3mr/mpi3mr_transport.c | 42 +++++++++++++++++++++------------
+ 2 files changed, 29 insertions(+), 17 deletions(-)
+
+--- a/drivers/scsi/mpi3mr/mpi3mr.h
++++ b/drivers/scsi/mpi3mr/mpi3mr.h
+@@ -541,8 +541,8 @@ struct mpi3mr_hba_port {
+ * @port_list: List of ports belonging to a SAS node
+ * @num_phys: Number of phys associated with port
+ * @marked_responding: used while refresing the sas ports
+- * @lowest_phy: lowest phy ID of current sas port
+- * @phy_mask: phy_mask of current sas port
++ * @lowest_phy: lowest phy ID of current sas port, valid for controller port
++ * @phy_mask: phy_mask of current sas port, valid for controller port
+ * @hba_port: HBA port entry
+ * @remote_identify: Attached device identification
+ * @rphy: SAS transport layer rphy object
+--- a/drivers/scsi/mpi3mr/mpi3mr_transport.c
++++ b/drivers/scsi/mpi3mr/mpi3mr_transport.c
+@@ -590,12 +590,13 @@ static enum sas_linkrate mpi3mr_convert_
+ * @mrioc: Adapter instance reference
+ * @mr_sas_port: Internal Port object
+ * @mr_sas_phy: Internal Phy object
++ * @host_node: Flag to indicate this is a host_node
+ *
+ * Return: None.
+ */
+ static void mpi3mr_delete_sas_phy(struct mpi3mr_ioc *mrioc,
+ struct mpi3mr_sas_port *mr_sas_port,
+- struct mpi3mr_sas_phy *mr_sas_phy)
++ struct mpi3mr_sas_phy *mr_sas_phy, u8 host_node)
+ {
+ u64 sas_address = mr_sas_port->remote_identify.sas_address;
+
+@@ -605,9 +606,13 @@ static void mpi3mr_delete_sas_phy(struct
+
+ list_del(&mr_sas_phy->port_siblings);
+ mr_sas_port->num_phys--;
+- mr_sas_port->phy_mask &= ~(1 << mr_sas_phy->phy_id);
+- if (mr_sas_port->lowest_phy == mr_sas_phy->phy_id)
+- mr_sas_port->lowest_phy = ffs(mr_sas_port->phy_mask) - 1;
++
++ if (host_node) {
++ mr_sas_port->phy_mask &= ~(1 << mr_sas_phy->phy_id);
++
++ if (mr_sas_port->lowest_phy == mr_sas_phy->phy_id)
++ mr_sas_port->lowest_phy = ffs(mr_sas_port->phy_mask) - 1;
++ }
+ sas_port_delete_phy(mr_sas_port->port, mr_sas_phy->phy);
+ mr_sas_phy->phy_belongs_to_port = 0;
+ }
+@@ -617,12 +622,13 @@ static void mpi3mr_delete_sas_phy(struct
+ * @mrioc: Adapter instance reference
+ * @mr_sas_port: Internal Port object
+ * @mr_sas_phy: Internal Phy object
++ * @host_node: Flag to indicate this is a host_node
+ *
+ * Return: None.
+ */
+ static void mpi3mr_add_sas_phy(struct mpi3mr_ioc *mrioc,
+ struct mpi3mr_sas_port *mr_sas_port,
+- struct mpi3mr_sas_phy *mr_sas_phy)
++ struct mpi3mr_sas_phy *mr_sas_phy, u8 host_node)
+ {
+ u64 sas_address = mr_sas_port->remote_identify.sas_address;
+
+@@ -632,9 +638,12 @@ static void mpi3mr_add_sas_phy(struct mp
+
+ list_add_tail(&mr_sas_phy->port_siblings, &mr_sas_port->phy_list);
+ mr_sas_port->num_phys++;
+- mr_sas_port->phy_mask |= (1 << mr_sas_phy->phy_id);
+- if (mr_sas_phy->phy_id < mr_sas_port->lowest_phy)
+- mr_sas_port->lowest_phy = ffs(mr_sas_port->phy_mask) - 1;
++ if (host_node) {
++ mr_sas_port->phy_mask |= (1 << mr_sas_phy->phy_id);
++
++ if (mr_sas_phy->phy_id < mr_sas_port->lowest_phy)
++ mr_sas_port->lowest_phy = ffs(mr_sas_port->phy_mask) - 1;
++ }
+ sas_port_add_phy(mr_sas_port->port, mr_sas_phy->phy);
+ mr_sas_phy->phy_belongs_to_port = 1;
+ }
+@@ -675,7 +684,7 @@ static void mpi3mr_add_phy_to_an_existin
+ if (srch_phy == mr_sas_phy)
+ return;
+ }
+- mpi3mr_add_sas_phy(mrioc, mr_sas_port, mr_sas_phy);
++ mpi3mr_add_sas_phy(mrioc, mr_sas_port, mr_sas_phy, mr_sas_node->host_node);
+ return;
+ }
+ }
+@@ -736,7 +745,7 @@ static void mpi3mr_del_phy_from_an_exist
+ mpi3mr_delete_sas_port(mrioc, mr_sas_port);
+ else
+ mpi3mr_delete_sas_phy(mrioc, mr_sas_port,
+- mr_sas_phy);
++ mr_sas_phy, mr_sas_node->host_node);
+ return;
+ }
+ }
+@@ -1028,7 +1037,7 @@ mpi3mr_alloc_hba_port(struct mpi3mr_ioc
+ /**
+ * mpi3mr_get_hba_port_by_id - find hba port by id
+ * @mrioc: Adapter instance reference
+- * @port_id - Port ID to search
++ * @port_id: Port ID to search
+ *
+ * Return: mpi3mr_hba_port reference for the matched port
+ */
+@@ -1367,7 +1376,8 @@ static struct mpi3mr_sas_port *mpi3mr_sa
+ mpi3mr_sas_port_sanity_check(mrioc, mr_sas_node,
+ mr_sas_port->remote_identify.sas_address, hba_port);
+
+- if (mr_sas_node->num_phys >= sizeof(mr_sas_port->phy_mask) * 8)
++ if (mr_sas_node->host_node && mr_sas_node->num_phys >=
++ sizeof(mr_sas_port->phy_mask) * 8)
+ ioc_info(mrioc, "max port count %u could be too high\n",
+ mr_sas_node->num_phys);
+
+@@ -1377,7 +1387,7 @@ static struct mpi3mr_sas_port *mpi3mr_sa
+ (mr_sas_node->phy[i].hba_port != hba_port))
+ continue;
+
+- if (i >= sizeof(mr_sas_port->phy_mask) * 8) {
++ if (mr_sas_node->host_node && (i >= sizeof(mr_sas_port->phy_mask) * 8)) {
+ ioc_warn(mrioc, "skipping port %u, max allowed value is %zu\n",
+ i, sizeof(mr_sas_port->phy_mask) * 8);
+ goto out_fail;
+@@ -1385,7 +1395,8 @@ static struct mpi3mr_sas_port *mpi3mr_sa
+ list_add_tail(&mr_sas_node->phy[i].port_siblings,
+ &mr_sas_port->phy_list);
+ mr_sas_port->num_phys++;
+- mr_sas_port->phy_mask |= (1 << i);
++ if (mr_sas_node->host_node)
++ mr_sas_port->phy_mask |= (1 << i);
+ }
+
+ if (!mr_sas_port->num_phys) {
+@@ -1394,7 +1405,8 @@ static struct mpi3mr_sas_port *mpi3mr_sa
+ goto out_fail;
+ }
+
+- mr_sas_port->lowest_phy = ffs(mr_sas_port->phy_mask) - 1;
++ if (mr_sas_node->host_node)
++ mr_sas_port->lowest_phy = ffs(mr_sas_port->phy_mask) - 1;
+
+ if (mr_sas_port->remote_identify.device_type == SAS_END_DEVICE) {
+ tgtdev = mpi3mr_get_tgtdev_by_addr(mrioc,
--- /dev/null
+From bf0c6cc73f7f91ec70307f7c72343f6cb7d65d01 Mon Sep 17 00:00:00 2001
+From: Peter Wang <peter.wang@mediatek.com>
+Date: Tue, 1 Oct 2024 17:19:16 +0800
+Subject: scsi: ufs: core: Fix the issue of ICU failure
+
+From: Peter Wang <peter.wang@mediatek.com>
+
+commit bf0c6cc73f7f91ec70307f7c72343f6cb7d65d01 upstream.
+
+When setting the ICU bit without using read-modify-write, SQRTCy will
+restart SQ again and receive an RTC return error code 2 (Failure - SQ
+not stopped).
+
+Additionally, the error log has been modified so that this type of error
+can be observed.
+
+Fixes: ab248643d3d6 ("scsi: ufs: core: Add error handling for MCQ mode")
+Cc: stable@vger.kernel.org
+Signed-off-by: Peter Wang <peter.wang@mediatek.com>
+Link: https://lore.kernel.org/r/20241001091917.6917-2-peter.wang@mediatek.com
+Reviewed-by: Bao D. Nguyen <quic_nguyenb@quicinc.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ufs/core/ufs-mcq.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/drivers/ufs/core/ufs-mcq.c
++++ b/drivers/ufs/core/ufs-mcq.c
+@@ -539,7 +539,7 @@ int ufshcd_mcq_sq_cleanup(struct ufs_hba
+ struct scsi_cmnd *cmd = lrbp->cmd;
+ struct ufs_hw_queue *hwq;
+ void __iomem *reg, *opr_sqd_base;
+- u32 nexus, id, val;
++ u32 nexus, id, val, rtc;
+ int err;
+
+ if (hba->quirks & UFSHCD_QUIRK_MCQ_BROKEN_RTC)
+@@ -569,17 +569,18 @@ int ufshcd_mcq_sq_cleanup(struct ufs_hba
+ opr_sqd_base = mcq_opr_base(hba, OPR_SQD, id);
+ writel(nexus, opr_sqd_base + REG_SQCTI);
+
+- /* SQRTCy.ICU = 1 */
+- writel(SQ_ICU, opr_sqd_base + REG_SQRTC);
++ /* Initiate Cleanup */
++ writel(readl(opr_sqd_base + REG_SQRTC) | SQ_ICU,
++ opr_sqd_base + REG_SQRTC);
+
+ /* Poll SQRTSy.CUS = 1. Return result from SQRTSy.RTC */
+ reg = opr_sqd_base + REG_SQRTS;
+ err = read_poll_timeout(readl, val, val & SQ_CUS, 20,
+ MCQ_POLL_US, false, reg);
+- if (err)
+- dev_err(hba->dev, "%s: failed. hwq=%d, tag=%d err=%ld\n",
+- __func__, id, task_tag,
+- FIELD_GET(SQ_ICU_ERR_CODE_MASK, readl(reg)));
++ rtc = FIELD_GET(SQ_ICU_ERR_CODE_MASK, readl(reg));
++ if (err || rtc)
++ dev_err(hba->dev, "%s: failed. hwq=%d, tag=%d err=%d RTC=%d\n",
++ __func__, id, task_tag, err, rtc);
+
+ if (ufshcd_mcq_sq_start(hba, hwq))
+ err = -ETIMEDOUT;
--- /dev/null
+From 8fa075804cb3b00960dd5c06554308175c834530 Mon Sep 17 00:00:00 2001
+From: Peter Wang <peter.wang@mediatek.com>
+Date: Tue, 1 Oct 2024 17:19:17 +0800
+Subject: scsi: ufs: core: Requeue aborted request
+
+From: Peter Wang <peter.wang@mediatek.com>
+
+commit 8fa075804cb3b00960dd5c06554308175c834530 upstream.
+
+After the SQ cleanup fix, the CQ will receive a response with the
+corresponding tag marked as OCS: ABORTED. To align with the behavior of
+Legacy SDB mode, the handling of OCS: ABORTED has been changed to match
+that of OCS_INVALID_COMMAND_STATUS (SDB), with both returning a SCSI
+result of DID_REQUEUE.
+
+Furthermore, the workaround implemented before the SQ cleanup fix can be
+removed.
+
+Fixes: ab248643d3d6 ("scsi: ufs: core: Add error handling for MCQ mode")
+Cc: stable@vger.kernel.org
+Signed-off-by: Peter Wang <peter.wang@mediatek.com>
+Link: https://lore.kernel.org/r/20241001091917.6917-3-peter.wang@mediatek.com
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ufs/core/ufshcd.c | 20 ++++----------------
+ 1 file changed, 4 insertions(+), 16 deletions(-)
+
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -5403,10 +5403,12 @@ ufshcd_transfer_rsp_status(struct ufs_hb
+ }
+ break;
+ case OCS_ABORTED:
+- result |= DID_ABORT << 16;
+- break;
+ case OCS_INVALID_COMMAND_STATUS:
+ result |= DID_REQUEUE << 16;
++ dev_warn(hba->dev,
++ "OCS %s from controller for tag %d\n",
++ (ocs == OCS_ABORTED ? "aborted" : "invalid"),
++ lrbp->task_tag);
+ break;
+ case OCS_INVALID_CMD_TABLE_ATTR:
+ case OCS_INVALID_PRDT_ATTR:
+@@ -6470,26 +6472,12 @@ static bool ufshcd_abort_one(struct requ
+ struct scsi_device *sdev = cmd->device;
+ struct Scsi_Host *shost = sdev->host;
+ struct ufs_hba *hba = shost_priv(shost);
+- struct ufshcd_lrb *lrbp = &hba->lrb[tag];
+- struct ufs_hw_queue *hwq;
+- unsigned long flags;
+
+ *ret = ufshcd_try_to_abort_task(hba, tag);
+ dev_err(hba->dev, "Aborting tag %d / CDB %#02x %s\n", tag,
+ hba->lrb[tag].cmd ? hba->lrb[tag].cmd->cmnd[0] : -1,
+ *ret ? "failed" : "succeeded");
+
+- /* Release cmd in MCQ mode if abort succeeds */
+- if (hba->mcq_enabled && (*ret == 0)) {
+- hwq = ufshcd_mcq_req_to_hwq(hba, scsi_cmd_to_rq(lrbp->cmd));
+- if (!hwq)
+- return 0;
+- spin_lock_irqsave(&hwq->cq_lock, flags);
+- if (ufshcd_cmd_inflight(lrbp->cmd))
+- ufshcd_release_scsi_cmd(hba, lrbp);
+- spin_unlock_irqrestore(&hwq->cq_lock, flags);
+- }
+-
+ return *ret == 0;
+ }
+
--- /dev/null
+From 19a198b67767d952c8f3d0cf24eb3100522a8223 Mon Sep 17 00:00:00 2001
+From: Seunghwan Baek <sh8267.baek@samsung.com>
+Date: Thu, 29 Aug 2024 18:39:13 +0900
+Subject: scsi: ufs: core: Set SDEV_OFFLINE when UFS is shut down
+
+From: Seunghwan Baek <sh8267.baek@samsung.com>
+
+commit 19a198b67767d952c8f3d0cf24eb3100522a8223 upstream.
+
+There is a history of deadlock if reboot is performed at the beginning
+of booting. SDEV_QUIESCE was set for all LU's scsi_devices by UFS
+shutdown, and at that time the audio driver was waiting on
+blk_mq_submit_bio() holding a mutex_lock while reading the fw binary.
+After that, a deadlock issue occurred while audio driver shutdown was
+waiting for mutex_unlock of blk_mq_submit_bio(). To solve this, set
+SDEV_OFFLINE for all LUs except WLUN, so that any I/O that comes down
+after a UFS shutdown will return an error.
+
+[ 31.907781]I[0: swapper/0: 0] 1 130705007 1651079834 11289729804 0 D( 2) 3 ffffff882e208000 * init [device_shutdown]
+[ 31.907793]I[0: swapper/0: 0] Mutex: 0xffffff8849a2b8b0: owner[0xffffff882e28cb00 kworker/6:0 :49]
+[ 31.907806]I[0: swapper/0: 0] Call trace:
+[ 31.907810]I[0: swapper/0: 0] __switch_to+0x174/0x338
+[ 31.907819]I[0: swapper/0: 0] __schedule+0x5ec/0x9cc
+[ 31.907826]I[0: swapper/0: 0] schedule+0x7c/0xe8
+[ 31.907834]I[0: swapper/0: 0] schedule_preempt_disabled+0x24/0x40
+[ 31.907842]I[0: swapper/0: 0] __mutex_lock+0x408/0xdac
+[ 31.907849]I[0: swapper/0: 0] __mutex_lock_slowpath+0x14/0x24
+[ 31.907858]I[0: swapper/0: 0] mutex_lock+0x40/0xec
+[ 31.907866]I[0: swapper/0: 0] device_shutdown+0x108/0x280
+[ 31.907875]I[0: swapper/0: 0] kernel_restart+0x4c/0x11c
+[ 31.907883]I[0: swapper/0: 0] __arm64_sys_reboot+0x15c/0x280
+[ 31.907890]I[0: swapper/0: 0] invoke_syscall+0x70/0x158
+[ 31.907899]I[0: swapper/0: 0] el0_svc_common+0xb4/0xf4
+[ 31.907909]I[0: swapper/0: 0] do_el0_svc+0x2c/0xb0
+[ 31.907918]I[0: swapper/0: 0] el0_svc+0x34/0xe0
+[ 31.907928]I[0: swapper/0: 0] el0t_64_sync_handler+0x68/0xb4
+[ 31.907937]I[0: swapper/0: 0] el0t_64_sync+0x1a0/0x1a4
+
+[ 31.908774]I[0: swapper/0: 0] 49 0 11960702 11236868007 0 D( 2) 6 ffffff882e28cb00 * kworker/6:0 [__bio_queue_enter]
+[ 31.908783]I[0: swapper/0: 0] Call trace:
+[ 31.908788]I[0: swapper/0: 0] __switch_to+0x174/0x338
+[ 31.908796]I[0: swapper/0: 0] __schedule+0x5ec/0x9cc
+[ 31.908803]I[0: swapper/0: 0] schedule+0x7c/0xe8
+[ 31.908811]I[0: swapper/0: 0] __bio_queue_enter+0xb8/0x178
+[ 31.908818]I[0: swapper/0: 0] blk_mq_submit_bio+0x194/0x67c
+[ 31.908827]I[0: swapper/0: 0] __submit_bio+0xb8/0x19c
+
+Fixes: b294ff3e3449 ("scsi: ufs: core: Enable power management for wlun")
+Cc: stable@vger.kernel.org
+Signed-off-by: Seunghwan Baek <sh8267.baek@samsung.com>
+Link: https://lore.kernel.org/r/20240829093913.6282-2-sh8267.baek@samsung.com
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ufs/core/ufshcd.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -10214,7 +10214,9 @@ static void ufshcd_wl_shutdown(struct de
+ shost_for_each_device(sdev, hba->host) {
+ if (sdev == hba->ufs_device_wlun)
+ continue;
+- scsi_device_quiesce(sdev);
++ mutex_lock(&sdev->state_mutex);
++ scsi_device_set_state(sdev, SDEV_OFFLINE);
++ mutex_unlock(&sdev->state_mutex);
+ }
+ __ufshcd_wl_suspend(hba, UFS_SHUTDOWN_PM);
+
--- /dev/null
+From fe05c40ca9c18cfdb003f639a30fc78a7ab49519 Mon Sep 17 00:00:00 2001
+From: Yun Lu <luyun@kylinos.cn>
+Date: Tue, 15 Oct 2024 17:15:20 +0800
+Subject: selftest: hid: add the missing tests directory
+
+From: Yun Lu <luyun@kylinos.cn>
+
+commit fe05c40ca9c18cfdb003f639a30fc78a7ab49519 upstream.
+
+Commit 160c826b4dd0 ("selftest: hid: add missing run-hid-tools-tests.sh")
+has added the run-hid-tools-tests.sh script for it to be installed, but
+I forgot to add the tests directory together.
+
+If running the test case without the tests directory, will results in
+the following error message:
+
+ make -C tools/testing/selftests/ TARGETS=hid install \
+ INSTALL_PATH=$KSFT_INSTALL_PATH
+ cd $KSFT_INSTALL_PATH
+ ./run_kselftest.sh -t hid:hid-core.sh
+
+ /usr/lib/python3.11/site-packages/_pytest/config/__init__.py:331: PluggyTeardownRaisedWarning: A plugin raised an exception during an old-style hookwrapper teardown.
+ Plugin: helpconfig, Hook: pytest_cmdline_parse
+ UsageError: usage: __main__.py [options] [file_or_dir] [file_or_dir] [...]
+ __main__.py: error: unrecognized arguments: --udevd
+ inifile: None
+ rootdir: /root/linux/kselftest_install/hid
+
+In fact, the run-hid-tools-tests.sh script uses the scripts in the tests
+directory to run tests. The tests directory also needs to be added to be
+installed.
+
+Fixes: ffb85d5c9e80 ("selftests: hid: import hid-tools hid-core tests")
+Cc: stable@vger.kernel.org
+Signed-off-by: Yun Lu <luyun@kylinos.cn>
+Acked-by: Benjamin Tissoires <bentiss@kernel.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/hid/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/tools/testing/selftests/hid/Makefile
++++ b/tools/testing/selftests/hid/Makefile
+@@ -18,6 +18,7 @@ TEST_PROGS += hid-usb_crash.sh
+ TEST_PROGS += hid-wacom.sh
+
+ TEST_FILES := run-hid-tools-tests.sh
++TEST_FILES += tests
+
+ CXX ?= $(CROSS_COMPILE)g++
+
x86-entry-have-entry_ibpb-invalidate-return-predictions.patch
x86-bugs-skip-rsb-fill-at-vmexit.patch
x86-bugs-do-not-use-untrain_ret-with-ibpb-on-entry.patch
+fgraph-use-cpu-hotplug-mechanism-to-initialize-idle-shadow-stacks.patch
+input-xpad-add-support-for-8bitdo-ultimate-2c-wireless-controller.patch
+blk-rq-qos-fix-crash-on-rq_qos_wait-vs.-rq_qos_wake_function-race.patch
+io_uring-sqpoll-close-race-on-waiting-for-sqring-entries.patch
+blk-mq-setup-queue-tag_set-before-initializing-hctx.patch
+ublk-don-t-allow-user-copy-for-unprivileged-device.patch
+io_uring-sqpoll-ensure-task-state-is-task_running-when-running-task_work.patch
+selftest-hid-add-the-missing-tests-directory.patch
+input-xpad-add-support-for-msi-claw-a1m.patch
+scsi-mpi3mr-validate-sas-port-assignments.patch
+scsi-ufs-core-set-sdev_offline-when-ufs-is-shut-down.patch
+scsi-ufs-core-fix-the-issue-of-icu-failure.patch
+scsi-ufs-core-requeue-aborted-request.patch
+drm-radeon-fix-encoder-possible_clones.patch
--- /dev/null
+From 42aafd8b48adac1c3b20fe5892b1b91b80c1a1e6 Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Wed, 16 Oct 2024 21:48:47 +0800
+Subject: ublk: don't allow user copy for unprivileged device
+
+From: Ming Lei <ming.lei@redhat.com>
+
+commit 42aafd8b48adac1c3b20fe5892b1b91b80c1a1e6 upstream.
+
+UBLK_F_USER_COPY requires userspace to call write() on ublk char
+device for filling request buffer, and unprivileged device can't
+be trusted.
+
+So don't allow user copy for unprivileged device.
+
+Cc: stable@vger.kernel.org
+Fixes: 1172d5b8beca ("ublk: support user copy")
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Link: https://lore.kernel.org/r/20241016134847.2911721-1-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/ublk_drv.c | 11 ++++++++++-
+ include/uapi/linux/ublk_cmd.h | 8 +++++++-
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+
+--- a/drivers/block/ublk_drv.c
++++ b/drivers/block/ublk_drv.c
+@@ -2381,10 +2381,19 @@ static int ublk_ctrl_add_dev(struct io_u
+ * TODO: provide forward progress for RECOVERY handler, so that
+ * unprivileged device can benefit from it
+ */
+- if (info.flags & UBLK_F_UNPRIVILEGED_DEV)
++ if (info.flags & UBLK_F_UNPRIVILEGED_DEV) {
+ info.flags &= ~(UBLK_F_USER_RECOVERY_REISSUE |
+ UBLK_F_USER_RECOVERY);
+
++ /*
++ * For USER_COPY, we depends on userspace to fill request
++ * buffer by pwrite() to ublk char device, which can't be
++ * used for unprivileged device
++ */
++ if (info.flags & UBLK_F_USER_COPY)
++ return -EINVAL;
++ }
++
+ /* the created device is always owned by current user */
+ ublk_store_owner_uid_gid(&info.owner_uid, &info.owner_gid);
+
+--- a/include/uapi/linux/ublk_cmd.h
++++ b/include/uapi/linux/ublk_cmd.h
+@@ -175,7 +175,13 @@
+ /* use ioctl encoding for uring command */
+ #define UBLK_F_CMD_IOCTL_ENCODE (1UL << 6)
+
+-/* Copy between request and user buffer by pread()/pwrite() */
++/*
++ * Copy between request and user buffer by pread()/pwrite()
++ *
++ * Not available for UBLK_F_UNPRIVILEGED_DEV, otherwise userspace may
++ * deceive us by not filling request buffer, then kernel uninitialized
++ * data may be leaked.
++ */
+ #define UBLK_F_USER_COPY (1UL << 7)
+
+ /*
projects / thirdparty / kernel / stable-queue.git / commitdiff
