--- /dev/null
+From 26ea2459d1724406bf0b342df6b4b1f002d7f8e3 Mon Sep 17 00:00:00 2001
+From: Chen-Yu Tsai <wenst@chromium.org>
+Date: Fri, 18 Oct 2024 16:21:11 +0800
+Subject: arm64: dts: mediatek: mt8186-corsola-voltorb: Merge speaker codec nodes
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+commit 26ea2459d1724406bf0b342df6b4b1f002d7f8e3 upstream.
+
+The Voltorb device uses a speaker codec different from the original
+Corsola device. When the Voltorb device tree was first added, the new
+codec was added as a separate node when it should have just replaced the
+existing one.
+
+Merge the two nodes. The only differences are the compatible string and
+the GPIO line property name. This keeps the device node path for the
+speaker codec the same across the MT8186 Chromebook line. Also rename
+the related labels and node names from having rt1019p to speaker codec.
+
+Cc: stable@vger.kernel.org # v6.11+
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20241018082113.1297268-1-wenst@chromium.org
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ .../dts/mediatek/mt8186-corsola-voltorb.dtsi | 21 +++++--------------
+ .../boot/dts/mediatek/mt8186-corsola.dtsi | 8 +++----
+ 2 files changed, 9 insertions(+), 20 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt8186-corsola-voltorb.dtsi b/arch/arm64/boot/dts/mediatek/mt8186-corsola-voltorb.dtsi
+index 52ec58128d56..b495a241b443 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8186-corsola-voltorb.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8186-corsola-voltorb.dtsi
+@@ -10,12 +10,6 @@
+
+ / {
+ chassis-type = "laptop";
+-
+- max98360a: max98360a {
+- compatible = "maxim,max98360a";
+- sdmode-gpios = <&pio 150 GPIO_ACTIVE_HIGH>;
+- #sound-dai-cells = <0>;
+- };
+ };
+
+ &cpu6 {
+@@ -59,19 +53,14 @@ &cluster1_opp_15 {
+ opp-hz = /bits/ 64 <2200000000>;
+ };
+
+-&rt1019p{
+- status = "disabled";
+-};
+-
+ &sound {
+ compatible = "mediatek,mt8186-mt6366-rt5682s-max98360-sound";
+- status = "okay";
++};
+
+- spk-hdmi-playback-dai-link {
+- codec {
+- sound-dai = <&it6505dptx>, <&max98360a>;
+- };
+- };
++&speaker_codec {
++ compatible = "maxim,max98360a";
++ sdmode-gpios = <&pio 150 GPIO_ACTIVE_HIGH>;
++ /delete-property/ sdb-gpios;
+ };
+
+ &spmi {
+diff --git a/arch/arm64/boot/dts/mediatek/mt8186-corsola.dtsi b/arch/arm64/boot/dts/mediatek/mt8186-corsola.dtsi
+index 682c6ad2574d..0c0b3ac59745 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8186-corsola.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8186-corsola.dtsi
+@@ -259,15 +259,15 @@ spk-hdmi-playback-dai-link {
+ mediatek,clk-provider = "cpu";
+ /* RT1019P and IT6505 connected to the same I2S line */
+ codec {
+- sound-dai = <&it6505dptx>, <&rt1019p>;
++ sound-dai = <&it6505dptx>, <&speaker_codec>;
+ };
+ };
+ };
+
+- rt1019p: speaker-codec {
++ speaker_codec: speaker-codec {
+ compatible = "realtek,rt1019p";
+ pinctrl-names = "default";
+- pinctrl-0 = <&rt1019p_pins_default>;
++ pinctrl-0 = <&speaker_codec_pins_default>;
+ #sound-dai-cells = <0>;
+ sdb-gpios = <&pio 150 GPIO_ACTIVE_HIGH>;
+ };
+@@ -1179,7 +1179,7 @@ pins {
+ };
+ };
+
+- rt1019p_pins_default: rt1019p-default-pins {
++ speaker_codec_pins_default: speaker-codec-default-pins {
+ pins-sdb {
+ pinmux = <PINMUX_GPIO150__FUNC_GPIO150>;
+ output-low;
+--
+2.47.1
+
--- /dev/null
+From 67ab51cbdfee02ef07fb9d7d14cc0bf6cb5a5e5c Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Thu, 14 Nov 2024 09:53:32 +0000
+Subject: arm64: tls: Fix context-switching of tpidrro_el0 when kpti is enabled
+
+From: Will Deacon <will@kernel.org>
+
+commit 67ab51cbdfee02ef07fb9d7d14cc0bf6cb5a5e5c upstream.
+
+Commit 18011eac28c7 ("arm64: tls: Avoid unconditional zeroing of
+tpidrro_el0 for native tasks") tried to optimise the context switching
+of tpidrro_el0 by eliding the clearing of the register when switching
+to a native task with kpti enabled, on the erroneous assumption that
+the kpti trampoline entry code would already have taken care of the
+write.
+
+Although the kpti trampoline does zero the register on entry from a
+native task, the check in tls_thread_switch() is on the *next* task and
+so we can end up leaving a stale, non-zero value in the register if the
+previous task was 32-bit.
+
+Drop the broken optimisation and zero tpidrro_el0 unconditionally when
+switching to a native 64-bit task.
+
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: stable@vger.kernel.org
+Fixes: 18011eac28c7 ("arm64: tls: Avoid unconditional zeroing of tpidrro_el0 for native tasks")
+Signed-off-by: Will Deacon <will@kernel.org>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Link: https://lore.kernel.org/r/20241114095332.23391-1-will@kernel.org
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/process.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/process.c
++++ b/arch/arm64/kernel/process.c
+@@ -426,7 +426,7 @@ static void tls_thread_switch(struct tas
+
+ if (is_compat_thread(task_thread_info(next)))
+ write_sysreg(next->thread.uw.tp_value, tpidrro_el0);
+- else if (!arm64_kernel_unmapped_at_el0())
++ else
+ write_sysreg(0, tpidrro_el0);
+
+ write_sysreg(*task_user_tls(next), tpidr_el0);
--- /dev/null
+From ccd9e252c515ac5a3ed04a414c95d1307d17f159 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Tue, 22 Oct 2024 11:16:17 -0700
+Subject: blk-mq: Make blk_mq_quiesce_tagset() hold the tag list mutex less long
+
+From: Bart Van Assche <bvanassche@acm.org>
+
+commit ccd9e252c515ac5a3ed04a414c95d1307d17f159 upstream.
+
+Make sure that the tag_list_lock mutex is not held any longer than
+necessary. This change reduces latency if e.g. blk_mq_quiesce_tagset()
+is called concurrently from more than one thread. This function is used
+by the NVMe core and also by the UFS driver.
+
+Reported-by: Peter Wang <peter.wang@mediatek.com>
+Cc: Chao Leng <lengchao@huawei.com>
+Cc: Ming Lei <ming.lei@redhat.com>
+Cc: stable@vger.kernel.org
+Fixes: 414dd48e882c ("blk-mq: add tagset quiesce interface")
+Signed-off-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Keith Busch <kbusch@kernel.org>
+Link: https://lore.kernel.org/r/20241022181617.2716173-1-bvanassche@acm.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-mq.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -283,8 +283,9 @@ void blk_mq_quiesce_tagset(struct blk_mq
+ if (!blk_queue_skip_tagset_quiesce(q))
+ blk_mq_quiesce_queue_nowait(q);
+ }
+- blk_mq_wait_quiesce_done(set);
+ mutex_unlock(&set->tag_list_lock);
++
++ blk_mq_wait_quiesce_done(set);
+ }
+ EXPORT_SYMBOL_GPL(blk_mq_quiesce_tagset);
+
--- /dev/null
+From 2003ee8a9aa14d766b06088156978d53c2e9be3d Mon Sep 17 00:00:00 2001
+From: Muchun Song <songmuchun@bytedance.com>
+Date: Mon, 14 Oct 2024 17:29:32 +0800
+Subject: block: fix missing dispatching request when queue is started or unquiesced
+
+From: Muchun Song <songmuchun@bytedance.com>
+
+commit 2003ee8a9aa14d766b06088156978d53c2e9be3d upstream.
+
+Supposing the following scenario with a virtio_blk driver.
+
+CPU0 CPU1 CPU2
+
+blk_mq_try_issue_directly()
+ __blk_mq_issue_directly()
+ q->mq_ops->queue_rq()
+ virtio_queue_rq()
+ blk_mq_stop_hw_queue()
+ virtblk_done()
+ blk_mq_try_issue_directly()
+ if (blk_mq_hctx_stopped())
+ blk_mq_request_bypass_insert() blk_mq_run_hw_queue()
+ blk_mq_run_hw_queue() blk_mq_run_hw_queue()
+ blk_mq_insert_request()
+ return
+
+After CPU0 has marked the queue as stopped, CPU1 will see the queue is
+stopped. But before CPU1 puts the request on the dispatch list, CPU2
+receives the interrupt of completion of request, so it will run the
+hardware queue and marks the queue as non-stopped. Meanwhile, CPU1 also
+runs the same hardware queue. After both CPU1 and CPU2 complete
+blk_mq_run_hw_queue(), CPU1 just puts the request to the same hardware
+queue and returns. It misses dispatching a request. Fix it by running
+the hardware queue explicitly. And blk_mq_request_issue_directly()
+should handle a similar situation. Fix it as well.
+
+Fixes: d964f04a8fde ("blk-mq: fix direct issue")
+Cc: stable@vger.kernel.org
+Cc: Muchun Song <muchun.song@linux.dev>
+Signed-off-by: Muchun Song <songmuchun@bytedance.com>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Link: https://lore.kernel.org/r/20241014092934.53630-2-songmuchun@bytedance.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-mq.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -2619,6 +2619,7 @@ static void blk_mq_try_issue_directly(st
+
+ if (blk_mq_hctx_stopped(hctx) || blk_queue_quiesced(rq->q)) {
+ blk_mq_insert_request(rq, 0);
++ blk_mq_run_hw_queue(hctx, false);
+ return;
+ }
+
+@@ -2649,6 +2650,7 @@ static blk_status_t blk_mq_request_issue
+
+ if (blk_mq_hctx_stopped(hctx) || blk_queue_quiesced(rq->q)) {
+ blk_mq_insert_request(rq, 0);
++ blk_mq_run_hw_queue(hctx, false);
+ return BLK_STS_OK;
+ }
+
--- /dev/null
+From 96a9fe64bfd486ebeeacf1e6011801ffe89dae18 Mon Sep 17 00:00:00 2001
+From: Muchun Song <songmuchun@bytedance.com>
+Date: Mon, 14 Oct 2024 17:29:34 +0800
+Subject: block: fix ordering between checking BLK_MQ_S_STOPPED request adding
+
+From: Muchun Song <songmuchun@bytedance.com>
+
+commit 96a9fe64bfd486ebeeacf1e6011801ffe89dae18 upstream.
+
+Supposing first scenario with a virtio_blk driver.
+
+CPU0 CPU1
+
+blk_mq_try_issue_directly()
+ __blk_mq_issue_directly()
+ q->mq_ops->queue_rq()
+ virtio_queue_rq()
+ blk_mq_stop_hw_queue()
+ virtblk_done()
+ blk_mq_request_bypass_insert() 1) store
+ blk_mq_start_stopped_hw_queue()
+ clear_bit(BLK_MQ_S_STOPPED) 3) store
+ blk_mq_run_hw_queue()
+ if (!blk_mq_hctx_has_pending()) 4) load
+ return
+ blk_mq_sched_dispatch_requests()
+ blk_mq_run_hw_queue()
+ if (!blk_mq_hctx_has_pending())
+ return
+ blk_mq_sched_dispatch_requests()
+ if (blk_mq_hctx_stopped()) 2) load
+ return
+ __blk_mq_sched_dispatch_requests()
+
+Supposing another scenario.
+
+CPU0 CPU1
+
+blk_mq_requeue_work()
+ blk_mq_insert_request() 1) store
+ virtblk_done()
+ blk_mq_start_stopped_hw_queue()
+ blk_mq_run_hw_queues() clear_bit(BLK_MQ_S_STOPPED) 3) store
+ blk_mq_run_hw_queue()
+ if (!blk_mq_hctx_has_pending()) 4) load
+ return
+ blk_mq_sched_dispatch_requests()
+ if (blk_mq_hctx_stopped()) 2) load
+ continue
+ blk_mq_run_hw_queue()
+
+Both scenarios are similar, the full memory barrier should be inserted
+between 1) and 2), as well as between 3) and 4) to make sure that either
+CPU0 sees BLK_MQ_S_STOPPED is cleared or CPU1 sees dispatch list.
+Otherwise, either CPU will not rerun the hardware queue causing
+starvation of the request.
+
+The easy way to fix it is to add the essential full memory barrier into
+helper of blk_mq_hctx_stopped(). In order to not affect the fast path
+(hardware queue is not stopped most of the time), we only insert the
+barrier into the slow path. Actually, only slow path needs to care about
+missing of dispatching the request to the low-level device driver.
+
+Fixes: 320ae51feed5 ("blk-mq: new multi-queue block IO queueing mechanism")
+Cc: stable@vger.kernel.org
+Cc: Muchun Song <muchun.song@linux.dev>
+Signed-off-by: Muchun Song <songmuchun@bytedance.com>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Link: https://lore.kernel.org/r/20241014092934.53630-4-songmuchun@bytedance.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-mq.c | 6 ++++++
+ block/blk-mq.h | 13 +++++++++++++
+ 2 files changed, 19 insertions(+)
+
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -2413,6 +2413,12 @@ void blk_mq_start_stopped_hw_queue(struc
+ return;
+
+ clear_bit(BLK_MQ_S_STOPPED, &hctx->state);
++ /*
++ * Pairs with the smp_mb() in blk_mq_hctx_stopped() to order the
++ * clearing of BLK_MQ_S_STOPPED above and the checking of dispatch
++ * list in the subsequent routine.
++ */
++ smp_mb__after_atomic();
+ blk_mq_run_hw_queue(hctx, async);
+ }
+ EXPORT_SYMBOL_GPL(blk_mq_start_stopped_hw_queue);
+--- a/block/blk-mq.h
++++ b/block/blk-mq.h
+@@ -230,6 +230,19 @@ static inline struct blk_mq_tags *blk_mq
+
+ static inline bool blk_mq_hctx_stopped(struct blk_mq_hw_ctx *hctx)
+ {
++ /* Fast path: hardware queue is not stopped most of the time. */
++ if (likely(!test_bit(BLK_MQ_S_STOPPED, &hctx->state)))
++ return false;
++
++ /*
++ * This barrier is used to order adding of dispatch list before and
++ * the test of BLK_MQ_S_STOPPED below. Pairs with the memory barrier
++ * in blk_mq_start_stopped_hw_queue() so that dispatch code could
++ * either see BLK_MQ_S_STOPPED is cleared or dispatch list is not
++ * empty to avoid missing dispatching requests.
++ */
++ smp_mb();
++
+ return test_bit(BLK_MQ_S_STOPPED, &hctx->state);
+ }
+
--- /dev/null
+From 6bda857bcbb86fb9d0e54fbef93a093d51172acc Mon Sep 17 00:00:00 2001
+From: Muchun Song <songmuchun@bytedance.com>
+Date: Mon, 14 Oct 2024 17:29:33 +0800
+Subject: block: fix ordering between checking QUEUE_FLAG_QUIESCED request adding
+
+From: Muchun Song <songmuchun@bytedance.com>
+
+commit 6bda857bcbb86fb9d0e54fbef93a093d51172acc upstream.
+
+Supposing the following scenario.
+
+CPU0 CPU1
+
+blk_mq_insert_request() 1) store
+ blk_mq_unquiesce_queue()
+ blk_queue_flag_clear() 3) store
+ blk_mq_run_hw_queues()
+ blk_mq_run_hw_queue()
+ if (!blk_mq_hctx_has_pending()) 4) load
+ return
+blk_mq_run_hw_queue()
+ if (blk_queue_quiesced()) 2) load
+ return
+ blk_mq_sched_dispatch_requests()
+
+The full memory barrier should be inserted between 1) and 2), as well as
+between 3) and 4) to make sure that either CPU0 sees QUEUE_FLAG_QUIESCED
+is cleared or CPU1 sees dispatch list or setting of bitmap of software
+queue. Otherwise, either CPU will not rerun the hardware queue causing
+starvation.
+
+So the first solution is to 1) add a pair of memory barrier to fix the
+problem, another solution is to 2) use hctx->queue->queue_lock to
+synchronize QUEUE_FLAG_QUIESCED. Here, we chose 2) to fix it since
+memory barrier is not easy to be maintained.
+
+Fixes: f4560ffe8cec ("blk-mq: use QUEUE_FLAG_QUIESCED to quiesce queue")
+Cc: stable@vger.kernel.org
+Cc: Muchun Song <muchun.song@linux.dev>
+Signed-off-by: Muchun Song <songmuchun@bytedance.com>
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Link: https://lore.kernel.org/r/20241014092934.53630-3-songmuchun@bytedance.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-mq.c | 49 +++++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 35 insertions(+), 14 deletions(-)
+
+--- a/block/blk-mq.c
++++ b/block/blk-mq.c
+@@ -2202,6 +2202,24 @@ void blk_mq_delay_run_hw_queue(struct bl
+ }
+ EXPORT_SYMBOL(blk_mq_delay_run_hw_queue);
+
++static inline bool blk_mq_hw_queue_need_run(struct blk_mq_hw_ctx *hctx)
++{
++ bool need_run;
++
++ /*
++ * When queue is quiesced, we may be switching io scheduler, or
++ * updating nr_hw_queues, or other things, and we can't run queue
++ * any more, even blk_mq_hctx_has_pending() can't be called safely.
++ *
++ * And queue will be rerun in blk_mq_unquiesce_queue() if it is
++ * quiesced.
++ */
++ __blk_mq_run_dispatch_ops(hctx->queue, false,
++ need_run = !blk_queue_quiesced(hctx->queue) &&
++ blk_mq_hctx_has_pending(hctx));
++ return need_run;
++}
++
+ /**
+ * blk_mq_run_hw_queue - Start to run a hardware queue.
+ * @hctx: Pointer to the hardware queue to run.
+@@ -2222,20 +2240,23 @@ void blk_mq_run_hw_queue(struct blk_mq_h
+
+ might_sleep_if(!async && hctx->flags & BLK_MQ_F_BLOCKING);
+
+- /*
+- * When queue is quiesced, we may be switching io scheduler, or
+- * updating nr_hw_queues, or other things, and we can't run queue
+- * any more, even __blk_mq_hctx_has_pending() can't be called safely.
+- *
+- * And queue will be rerun in blk_mq_unquiesce_queue() if it is
+- * quiesced.
+- */
+- __blk_mq_run_dispatch_ops(hctx->queue, false,
+- need_run = !blk_queue_quiesced(hctx->queue) &&
+- blk_mq_hctx_has_pending(hctx));
+-
+- if (!need_run)
+- return;
++ need_run = blk_mq_hw_queue_need_run(hctx);
++ if (!need_run) {
++ unsigned long flags;
++
++ /*
++ * Synchronize with blk_mq_unquiesce_queue(), because we check
++ * if hw queue is quiesced locklessly above, we need the use
++ * ->queue_lock to make sure we see the up-to-date status to
++ * not miss rerunning the hw queue.
++ */
++ spin_lock_irqsave(&hctx->queue->queue_lock, flags);
++ need_run = blk_mq_hw_queue_need_run(hctx);
++ spin_unlock_irqrestore(&hctx->queue->queue_lock, flags);
++
++ if (!need_run)
++ return;
++ }
+
+ if (async || !cpumask_test_cpu(raw_smp_processor_id(), hctx->cpumask)) {
+ blk_mq_delay_run_hw_queue(hctx, 0);
--- /dev/null
+From 8ffade77b6337a8767fae9820d57d7a6413dd1a1 Mon Sep 17 00:00:00 2001
+From: Ziwei Xiao <ziweixiao@google.com>
+Date: Wed, 13 Nov 2024 09:59:30 -0800
+Subject: gve: Flow steering trigger reset only for timeout error
+
+From: Ziwei Xiao <ziweixiao@google.com>
+
+commit 8ffade77b6337a8767fae9820d57d7a6413dd1a1 upstream.
+
+When configuring flow steering rules, the driver is currently going
+through a reset for all errors from the device. Instead, the driver
+should only reset when there's a timeout error from the device.
+
+Fixes: 57718b60df9b ("gve: Add flow steering adminq commands")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ziwei Xiao <ziweixiao@google.com>
+Signed-off-by: Jeroen de Borst <jeroendb@google.com>
+Reviewed-by: Harshitha Ramamurthy <hramamurthy@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20241113175930.2585680-1-jeroendb@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/google/gve/gve_adminq.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/google/gve/gve_adminq.c
++++ b/drivers/net/ethernet/google/gve/gve_adminq.c
+@@ -1208,10 +1208,10 @@ gve_adminq_configure_flow_rule(struct gv
+ sizeof(struct gve_adminq_configure_flow_rule),
+ flow_rule_cmd);
+
+- if (err) {
++ if (err == -ETIME) {
+ dev_err(&priv->pdev->dev, "Timeout to configure the flow rule, trigger reset");
+ gve_reset(priv, true);
+- } else {
++ } else if (!err) {
+ priv->flow_rules_cache.rules_cache_synced = false;
+ }
+
--- /dev/null
+From 49a397ad24ee5e2c53a59dada2780d7e71bd3f77 Mon Sep 17 00:00:00 2001
+From: Jason Gerecke <jason.gerecke@wacom.com>
+Date: Mon, 28 Oct 2024 10:39:14 -0700
+Subject: HID: wacom: Interpret tilt data from Intuos Pro BT as signed values
+
+From: Jason Gerecke <jason.gerecke@wacom.com>
+
+commit 49a397ad24ee5e2c53a59dada2780d7e71bd3f77 upstream.
+
+The tilt data contained in the Bluetooth packets of an Intuos Pro are
+supposed to be interpreted as signed values. Simply casting the values
+to type `char` is not guaranteed to work since it is implementation-
+defined whether it is signed or unsigned. At least one user has noticed
+the data being reported incorrectly on their system. To ensure that the
+data is interpreted properly, we specifically cast to `signed char`
+instead.
+
+Link: https://github.com/linuxwacom/input-wacom/issues/445
+Fixes: 4922cd26f03c ("HID: wacom: Support 2nd-gen Intuos Pro's Bluetooth classic interface")
+CC: stable@vger.kernel.org # 4.11+
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/wacom_wac.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -1353,9 +1353,9 @@ static void wacom_intuos_pro2_bt_pen(str
+ rotation -= 1800;
+
+ input_report_abs(pen_input, ABS_TILT_X,
+- (char)frame[7]);
++ (signed char)frame[7]);
+ input_report_abs(pen_input, ABS_TILT_Y,
+- (char)frame[8]);
++ (signed char)frame[8]);
+ input_report_abs(pen_input, ABS_Z, rotation);
+ input_report_abs(pen_input, ABS_WHEEL,
+ get_unaligned_le16(&frame[11]));
--- /dev/null
+From ea301aec8bb718b02b68761d2229fc12c9fefa29 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Peter=20Gro=C3=9Fe?= <pegro@friiks.de>
+Date: Wed, 13 Nov 2024 13:07:04 -0800
+Subject: i40e: Fix handling changed priv flags
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Peter Große <pegro@friiks.de>
+
+commit ea301aec8bb718b02b68761d2229fc12c9fefa29 upstream.
+
+After assembling the new private flags on a PF, the operation to determine
+the changed flags uses the wrong bitmaps. Instead of xor-ing orig_flags
+with new_flags, it uses the still unchanged pf->flags, thus changed_flags
+is always 0.
+
+Fix it by using the correct bitmaps.
+
+The issue was discovered while debugging why disabling source pruning
+stopped working with release 6.7. Although the new flags will be copied to
+pf->flags later on in that function, disabling source pruning requires
+a reset of the PF, which was skipped due to this bug.
+
+Disabling source pruning:
+$ sudo ethtool --set-priv-flags eno1 disable-source-pruning on
+$ sudo ethtool --show-priv-flags eno1
+Private flags for eno1:
+MFP : off
+total-port-shutdown : off
+LinkPolling : off
+flow-director-atr : on
+veb-stats : off
+hw-atr-eviction : off
+link-down-on-close : off
+legacy-rx : off
+disable-source-pruning: on
+disable-fw-lldp : off
+rs-fec : off
+base-r-fec : off
+vf-vlan-pruning : off
+
+Regarding reproducing:
+
+I observed the issue with a rather complicated lab setup, where
+ * two VLAN interfaces are created on eno1
+ * each with a different MAC address assigned
+ * each moved into a separate namespace
+ * both VLANs are bridged externally, so they form a single layer 2 network
+
+The external bridge is done via a channel emulator adding packet loss and
+delay and the application in the namespaces tries to send/receive traffic
+and measure the performance. Sender and receiver are separated by
+namespaces, yet the network card "sees its own traffic" send back to it.
+To make that work, source pruning has to be disabled.
+
+Cc: stable@vger.kernel.org
+Fixes: 70756d0a4727 ("i40e: Use DECLARE_BITMAP for flags and hw_features fields in i40e_pf")
+Signed-off-by: Peter Große <pegro@friiks.de>
+Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
+Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Link: https://patch.msgid.link/20241113210705.1296408-1-anthony.l.nguyen@intel.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+@@ -5303,7 +5303,7 @@ static int i40e_set_priv_flags(struct ne
+ }
+
+ flags_complete:
+- bitmap_xor(changed_flags, pf->flags, orig_flags, I40E_PF_FLAGS_NBITS);
++ bitmap_xor(changed_flags, new_flags, orig_flags, I40E_PF_FLAGS_NBITS);
+
+ if (test_bit(I40E_FLAG_FW_LLDP_DIS, changed_flags))
+ reset_needed = I40E_PF_RESET_AND_REBUILD_FLAG;
--- /dev/null
+From 1429826883bb18847092b2e04c6598ef34bae1d4 Mon Sep 17 00:00:00 2001
+From: Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>
+Date: Thu, 31 Oct 2024 11:23:21 +0100
+Subject: media: intel/ipu6: do not handle interrupts when device is disabled
+
+From: Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>
+
+commit 1429826883bb18847092b2e04c6598ef34bae1d4 upstream.
+
+Some IPU6 devices have shared interrupts. We need to handle properly
+case when interrupt is triggered from other device on shared irq line
+and IPU6 itself disabled. In such case we get 0xffffffff from
+ISR_STATUS register and handle all irq's cases, for what we are not
+not prepared and usually hang the whole system.
+
+To avoid the issue use pm_runtime_get_if_active() to check if
+the device is enabled and prevent suspending it when we handle irq
+until the end of irq. Additionally use synchronize_irq() in suspend
+
+Fixes: ab29a2478e70 ("media: intel/ipu6: add IPU6 buttress interface driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Tested-by: Hans de Goede <hdegoede@redhat.com> # ThinkPad X1 Yoga Gen 8, ov2740
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/pci/intel/ipu6/ipu6-buttress.c | 13 +++++++++----
+ drivers/media/pci/intel/ipu6/ipu6.c | 3 +++
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/media/pci/intel/ipu6/ipu6-buttress.c
++++ b/drivers/media/pci/intel/ipu6/ipu6-buttress.c
+@@ -346,12 +346,16 @@ irqreturn_t ipu6_buttress_isr(int irq, v
+ u32 disable_irqs = 0;
+ u32 irq_status;
+ u32 i, count = 0;
++ int active;
+
+- pm_runtime_get_noresume(&isp->pdev->dev);
++ active = pm_runtime_get_if_active(&isp->pdev->dev);
++ if (!active)
++ return IRQ_NONE;
+
+ irq_status = readl(isp->base + reg_irq_sts);
+- if (!irq_status) {
+- pm_runtime_put_noidle(&isp->pdev->dev);
++ if (irq_status == 0 || WARN_ON_ONCE(irq_status == 0xffffffffu)) {
++ if (active > 0)
++ pm_runtime_put_noidle(&isp->pdev->dev);
+ return IRQ_NONE;
+ }
+
+@@ -427,7 +431,8 @@ irqreturn_t ipu6_buttress_isr(int irq, v
+ writel(BUTTRESS_IRQS & ~disable_irqs,
+ isp->base + BUTTRESS_REG_ISR_ENABLE);
+
+- pm_runtime_put(&isp->pdev->dev);
++ if (active > 0)
++ pm_runtime_put(&isp->pdev->dev);
+
+ return ret;
+ }
+--- a/drivers/media/pci/intel/ipu6/ipu6.c
++++ b/drivers/media/pci/intel/ipu6/ipu6.c
+@@ -758,6 +758,9 @@ static void ipu6_pci_reset_done(struct p
+ */
+ static int ipu6_suspend(struct device *dev)
+ {
++ struct pci_dev *pdev = to_pci_dev(dev);
++
++ synchronize_irq(pdev->irq);
+ return 0;
+ }
+
--- /dev/null
+From 9f070b1862f3411b8bcdfd51a8eaad25286f9deb Mon Sep 17 00:00:00 2001
+From: Hans Verkuil <hverkuil@xs4all.nl>
+Date: Mon, 14 Oct 2024 16:52:41 +0200
+Subject: media: v4l2-core: v4l2-dv-timings: check cvt/gtf result
+
+From: Hans Verkuil <hverkuil@xs4all.nl>
+
+commit 9f070b1862f3411b8bcdfd51a8eaad25286f9deb upstream.
+
+The v4l2_detect_cvt/gtf functions should check the result against the
+timing capabilities: these functions calculate the timings, so if they
+are out of bounds, they should be rejected.
+
+To do this, add the struct v4l2_dv_timings_cap as argument to those
+functions.
+
+This required updates to the adv7604 and adv7842 drivers since the
+prototype of these functions has now changed. The timings struct
+that is passed to v4l2_detect_cvt/gtf in those two drivers is filled
+with the timings detected by the hardware.
+
+The vivid driver was also updated, but an additional check was added:
+the width and height specified by VIDIOC_S_DV_TIMINGS has to match the
+calculated result, otherwise something went wrong. Note that vivid
+*emulates* hardware, so all the values passed to the v4l2_detect_cvt/gtf
+functions came from the timings struct that was filled by userspace
+and passed on to the driver via VIDIOC_S_DV_TIMINGS. So these fields
+can contain random data. Both the constraints check via
+struct v4l2_dv_timings_cap and the additional width/height check
+ensure that the resulting timings are sane and not messed up by the
+v4l2_detect_cvt/gtf calculations.
+
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Fixes: 2576415846bc ("[media] v4l2: move dv-timings related code to v4l2-dv-timings.c")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+a828133770f62293563e@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/linux-media/000000000000013050062127830a@google.com/
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/adv7604.c | 5
+ drivers/media/i2c/adv7842.c | 13 +-
+ drivers/media/test-drivers/vivid/vivid-vid-cap.c | 15 ++
+ drivers/media/v4l2-core/v4l2-dv-timings.c | 132 ++++++++++++-----------
+ include/media/v4l2-dv-timings.h | 18 ++-
+ 5 files changed, 107 insertions(+), 76 deletions(-)
+
+--- a/drivers/media/i2c/adv7604.c
++++ b/drivers/media/i2c/adv7604.c
+@@ -1405,12 +1405,13 @@ static int stdi2dv_timings(struct v4l2_s
+ if (v4l2_detect_cvt(stdi->lcf + 1, hfreq, stdi->lcvs, 0,
+ (stdi->hs_pol == '+' ? V4L2_DV_HSYNC_POS_POL : 0) |
+ (stdi->vs_pol == '+' ? V4L2_DV_VSYNC_POS_POL : 0),
+- false, timings))
++ false, adv76xx_get_dv_timings_cap(sd, -1), timings))
+ return 0;
+ if (v4l2_detect_gtf(stdi->lcf + 1, hfreq, stdi->lcvs,
+ (stdi->hs_pol == '+' ? V4L2_DV_HSYNC_POS_POL : 0) |
+ (stdi->vs_pol == '+' ? V4L2_DV_VSYNC_POS_POL : 0),
+- false, state->aspect_ratio, timings))
++ false, state->aspect_ratio,
++ adv76xx_get_dv_timings_cap(sd, -1), timings))
+ return 0;
+
+ v4l2_dbg(2, debug, sd,
+--- a/drivers/media/i2c/adv7842.c
++++ b/drivers/media/i2c/adv7842.c
+@@ -1431,14 +1431,15 @@ static int stdi2dv_timings(struct v4l2_s
+ }
+
+ if (v4l2_detect_cvt(stdi->lcf + 1, hfreq, stdi->lcvs, 0,
+- (stdi->hs_pol == '+' ? V4L2_DV_HSYNC_POS_POL : 0) |
+- (stdi->vs_pol == '+' ? V4L2_DV_VSYNC_POS_POL : 0),
+- false, timings))
++ (stdi->hs_pol == '+' ? V4L2_DV_HSYNC_POS_POL : 0) |
++ (stdi->vs_pol == '+' ? V4L2_DV_VSYNC_POS_POL : 0),
++ false, adv7842_get_dv_timings_cap(sd), timings))
+ return 0;
+ if (v4l2_detect_gtf(stdi->lcf + 1, hfreq, stdi->lcvs,
+- (stdi->hs_pol == '+' ? V4L2_DV_HSYNC_POS_POL : 0) |
+- (stdi->vs_pol == '+' ? V4L2_DV_VSYNC_POS_POL : 0),
+- false, state->aspect_ratio, timings))
++ (stdi->hs_pol == '+' ? V4L2_DV_HSYNC_POS_POL : 0) |
++ (stdi->vs_pol == '+' ? V4L2_DV_VSYNC_POS_POL : 0),
++ false, state->aspect_ratio,
++ adv7842_get_dv_timings_cap(sd), timings))
+ return 0;
+
+ v4l2_dbg(2, debug, sd,
+--- a/drivers/media/test-drivers/vivid/vivid-vid-cap.c
++++ b/drivers/media/test-drivers/vivid/vivid-vid-cap.c
+@@ -1459,12 +1459,19 @@ static bool valid_cvt_gtf_timings(struct
+ h_freq = (u32)bt->pixelclock / total_h_pixel;
+
+ if (bt->standards == 0 || (bt->standards & V4L2_DV_BT_STD_CVT)) {
++ struct v4l2_dv_timings cvt = {};
++
+ if (v4l2_detect_cvt(total_v_lines, h_freq, bt->vsync, bt->width,
+- bt->polarities, bt->interlaced, timings))
++ bt->polarities, bt->interlaced,
++ &vivid_dv_timings_cap, &cvt) &&
++ cvt.bt.width == bt->width && cvt.bt.height == bt->height) {
++ *timings = cvt;
+ return true;
++ }
+ }
+
+ if (bt->standards == 0 || (bt->standards & V4L2_DV_BT_STD_GTF)) {
++ struct v4l2_dv_timings gtf = {};
+ struct v4l2_fract aspect_ratio;
+
+ find_aspect_ratio(bt->width, bt->height,
+@@ -1472,8 +1479,12 @@ static bool valid_cvt_gtf_timings(struct
+ &aspect_ratio.denominator);
+ if (v4l2_detect_gtf(total_v_lines, h_freq, bt->vsync,
+ bt->polarities, bt->interlaced,
+- aspect_ratio, timings))
++ aspect_ratio, &vivid_dv_timings_cap,
++ >f) &&
++ gtf.bt.width == bt->width && gtf.bt.height == bt->height) {
++ *timings = gtf;
+ return true;
++ }
+ }
+ return false;
+ }
+--- a/drivers/media/v4l2-core/v4l2-dv-timings.c
++++ b/drivers/media/v4l2-core/v4l2-dv-timings.c
+@@ -481,25 +481,28 @@ EXPORT_SYMBOL_GPL(v4l2_calc_timeperframe
+ * @polarities - the horizontal and vertical polarities (same as struct
+ * v4l2_bt_timings polarities).
+ * @interlaced - if this flag is true, it indicates interlaced format
+- * @fmt - the resulting timings.
++ * @cap - the v4l2_dv_timings_cap capabilities.
++ * @timings - the resulting timings.
+ *
+ * This function will attempt to detect if the given values correspond to a
+ * valid CVT format. If so, then it will return true, and fmt will be filled
+ * in with the found CVT timings.
+ */
+-bool v4l2_detect_cvt(unsigned frame_height,
+- unsigned hfreq,
+- unsigned vsync,
+- unsigned active_width,
++bool v4l2_detect_cvt(unsigned int frame_height,
++ unsigned int hfreq,
++ unsigned int vsync,
++ unsigned int active_width,
+ u32 polarities,
+ bool interlaced,
+- struct v4l2_dv_timings *fmt)
++ const struct v4l2_dv_timings_cap *cap,
++ struct v4l2_dv_timings *timings)
+ {
+- int v_fp, v_bp, h_fp, h_bp, hsync;
+- int frame_width, image_height, image_width;
++ struct v4l2_dv_timings t = {};
++ int v_fp, v_bp, h_fp, h_bp, hsync;
++ int frame_width, image_height, image_width;
+ bool reduced_blanking;
+ bool rb_v2 = false;
+- unsigned pix_clk;
++ unsigned int pix_clk;
+
+ if (vsync < 4 || vsync > 8)
+ return false;
+@@ -625,36 +628,39 @@ bool v4l2_detect_cvt(unsigned frame_heig
+ h_fp = h_blank - hsync - h_bp;
+ }
+
+- fmt->type = V4L2_DV_BT_656_1120;
+- fmt->bt.polarities = polarities;
+- fmt->bt.width = image_width;
+- fmt->bt.height = image_height;
+- fmt->bt.hfrontporch = h_fp;
+- fmt->bt.vfrontporch = v_fp;
+- fmt->bt.hsync = hsync;
+- fmt->bt.vsync = vsync;
+- fmt->bt.hbackporch = frame_width - image_width - h_fp - hsync;
++ t.type = V4L2_DV_BT_656_1120;
++ t.bt.polarities = polarities;
++ t.bt.width = image_width;
++ t.bt.height = image_height;
++ t.bt.hfrontporch = h_fp;
++ t.bt.vfrontporch = v_fp;
++ t.bt.hsync = hsync;
++ t.bt.vsync = vsync;
++ t.bt.hbackporch = frame_width - image_width - h_fp - hsync;
+
+ if (!interlaced) {
+- fmt->bt.vbackporch = frame_height - image_height - v_fp - vsync;
+- fmt->bt.interlaced = V4L2_DV_PROGRESSIVE;
++ t.bt.vbackporch = frame_height - image_height - v_fp - vsync;
++ t.bt.interlaced = V4L2_DV_PROGRESSIVE;
+ } else {
+- fmt->bt.vbackporch = (frame_height - image_height - 2 * v_fp -
++ t.bt.vbackporch = (frame_height - image_height - 2 * v_fp -
+ 2 * vsync) / 2;
+- fmt->bt.il_vbackporch = frame_height - image_height - 2 * v_fp -
+- 2 * vsync - fmt->bt.vbackporch;
+- fmt->bt.il_vfrontporch = v_fp;
+- fmt->bt.il_vsync = vsync;
+- fmt->bt.flags |= V4L2_DV_FL_HALF_LINE;
+- fmt->bt.interlaced = V4L2_DV_INTERLACED;
++ t.bt.il_vbackporch = frame_height - image_height - 2 * v_fp -
++ 2 * vsync - t.bt.vbackporch;
++ t.bt.il_vfrontporch = v_fp;
++ t.bt.il_vsync = vsync;
++ t.bt.flags |= V4L2_DV_FL_HALF_LINE;
++ t.bt.interlaced = V4L2_DV_INTERLACED;
+ }
+
+- fmt->bt.pixelclock = pix_clk;
+- fmt->bt.standards = V4L2_DV_BT_STD_CVT;
++ t.bt.pixelclock = pix_clk;
++ t.bt.standards = V4L2_DV_BT_STD_CVT;
+
+ if (reduced_blanking)
+- fmt->bt.flags |= V4L2_DV_FL_REDUCED_BLANKING;
++ t.bt.flags |= V4L2_DV_FL_REDUCED_BLANKING;
+
++ if (!v4l2_valid_dv_timings(&t, cap, NULL, NULL))
++ return false;
++ *timings = t;
+ return true;
+ }
+ EXPORT_SYMBOL_GPL(v4l2_detect_cvt);
+@@ -699,22 +705,25 @@ EXPORT_SYMBOL_GPL(v4l2_detect_cvt);
+ * image height, so it has to be passed explicitly. Usually
+ * the native screen aspect ratio is used for this. If it
+ * is not filled in correctly, then 16:9 will be assumed.
+- * @fmt - the resulting timings.
++ * @cap - the v4l2_dv_timings_cap capabilities.
++ * @timings - the resulting timings.
+ *
+ * This function will attempt to detect if the given values correspond to a
+ * valid GTF format. If so, then it will return true, and fmt will be filled
+ * in with the found GTF timings.
+ */
+-bool v4l2_detect_gtf(unsigned frame_height,
+- unsigned hfreq,
+- unsigned vsync,
+- u32 polarities,
+- bool interlaced,
+- struct v4l2_fract aspect,
+- struct v4l2_dv_timings *fmt)
++bool v4l2_detect_gtf(unsigned int frame_height,
++ unsigned int hfreq,
++ unsigned int vsync,
++ u32 polarities,
++ bool interlaced,
++ struct v4l2_fract aspect,
++ const struct v4l2_dv_timings_cap *cap,
++ struct v4l2_dv_timings *timings)
+ {
++ struct v4l2_dv_timings t = {};
+ int pix_clk;
+- int v_fp, v_bp, h_fp, hsync;
++ int v_fp, v_bp, h_fp, hsync;
+ int frame_width, image_height, image_width;
+ bool default_gtf;
+ int h_blank;
+@@ -783,36 +792,39 @@ bool v4l2_detect_gtf(unsigned frame_heig
+
+ h_fp = h_blank / 2 - hsync;
+
+- fmt->type = V4L2_DV_BT_656_1120;
+- fmt->bt.polarities = polarities;
+- fmt->bt.width = image_width;
+- fmt->bt.height = image_height;
+- fmt->bt.hfrontporch = h_fp;
+- fmt->bt.vfrontporch = v_fp;
+- fmt->bt.hsync = hsync;
+- fmt->bt.vsync = vsync;
+- fmt->bt.hbackporch = frame_width - image_width - h_fp - hsync;
++ t.type = V4L2_DV_BT_656_1120;
++ t.bt.polarities = polarities;
++ t.bt.width = image_width;
++ t.bt.height = image_height;
++ t.bt.hfrontporch = h_fp;
++ t.bt.vfrontporch = v_fp;
++ t.bt.hsync = hsync;
++ t.bt.vsync = vsync;
++ t.bt.hbackporch = frame_width - image_width - h_fp - hsync;
+
+ if (!interlaced) {
+- fmt->bt.vbackporch = frame_height - image_height - v_fp - vsync;
+- fmt->bt.interlaced = V4L2_DV_PROGRESSIVE;
++ t.bt.vbackporch = frame_height - image_height - v_fp - vsync;
++ t.bt.interlaced = V4L2_DV_PROGRESSIVE;
+ } else {
+- fmt->bt.vbackporch = (frame_height - image_height - 2 * v_fp -
++ t.bt.vbackporch = (frame_height - image_height - 2 * v_fp -
+ 2 * vsync) / 2;
+- fmt->bt.il_vbackporch = frame_height - image_height - 2 * v_fp -
+- 2 * vsync - fmt->bt.vbackporch;
+- fmt->bt.il_vfrontporch = v_fp;
+- fmt->bt.il_vsync = vsync;
+- fmt->bt.flags |= V4L2_DV_FL_HALF_LINE;
+- fmt->bt.interlaced = V4L2_DV_INTERLACED;
++ t.bt.il_vbackporch = frame_height - image_height - 2 * v_fp -
++ 2 * vsync - t.bt.vbackporch;
++ t.bt.il_vfrontporch = v_fp;
++ t.bt.il_vsync = vsync;
++ t.bt.flags |= V4L2_DV_FL_HALF_LINE;
++ t.bt.interlaced = V4L2_DV_INTERLACED;
+ }
+
+- fmt->bt.pixelclock = pix_clk;
+- fmt->bt.standards = V4L2_DV_BT_STD_GTF;
++ t.bt.pixelclock = pix_clk;
++ t.bt.standards = V4L2_DV_BT_STD_GTF;
+
+ if (!default_gtf)
+- fmt->bt.flags |= V4L2_DV_FL_REDUCED_BLANKING;
++ t.bt.flags |= V4L2_DV_FL_REDUCED_BLANKING;
+
++ if (!v4l2_valid_dv_timings(&t, cap, NULL, NULL))
++ return false;
++ *timings = t;
+ return true;
+ }
+ EXPORT_SYMBOL_GPL(v4l2_detect_gtf);
+--- a/include/media/v4l2-dv-timings.h
++++ b/include/media/v4l2-dv-timings.h
+@@ -146,15 +146,18 @@ void v4l2_print_dv_timings(const char *d
+ * @polarities: the horizontal and vertical polarities (same as struct
+ * v4l2_bt_timings polarities).
+ * @interlaced: if this flag is true, it indicates interlaced format
++ * @cap: the v4l2_dv_timings_cap capabilities.
+ * @fmt: the resulting timings.
+ *
+ * This function will attempt to detect if the given values correspond to a
+ * valid CVT format. If so, then it will return true, and fmt will be filled
+ * in with the found CVT timings.
+ */
+-bool v4l2_detect_cvt(unsigned frame_height, unsigned hfreq, unsigned vsync,
+- unsigned active_width, u32 polarities, bool interlaced,
+- struct v4l2_dv_timings *fmt);
++bool v4l2_detect_cvt(unsigned int frame_height, unsigned int hfreq,
++ unsigned int vsync, unsigned int active_width,
++ u32 polarities, bool interlaced,
++ const struct v4l2_dv_timings_cap *cap,
++ struct v4l2_dv_timings *fmt);
+
+ /**
+ * v4l2_detect_gtf - detect if the given timings follow the GTF standard
+@@ -170,15 +173,18 @@ bool v4l2_detect_cvt(unsigned frame_heig
+ * image height, so it has to be passed explicitly. Usually
+ * the native screen aspect ratio is used for this. If it
+ * is not filled in correctly, then 16:9 will be assumed.
++ * @cap: the v4l2_dv_timings_cap capabilities.
+ * @fmt: the resulting timings.
+ *
+ * This function will attempt to detect if the given values correspond to a
+ * valid GTF format. If so, then it will return true, and fmt will be filled
+ * in with the found GTF timings.
+ */
+-bool v4l2_detect_gtf(unsigned frame_height, unsigned hfreq, unsigned vsync,
+- u32 polarities, bool interlaced, struct v4l2_fract aspect,
+- struct v4l2_dv_timings *fmt);
++bool v4l2_detect_gtf(unsigned int frame_height, unsigned int hfreq,
++ unsigned int vsync, u32 polarities, bool interlaced,
++ struct v4l2_fract aspect,
++ const struct v4l2_dv_timings_cap *cap,
++ struct v4l2_dv_timings *fmt);
+
+ /**
+ * v4l2_calc_aspect_ratio - calculate the aspect ratio based on bytes
--- /dev/null
+From ca59f9956d4519ab18ab2270be47c6b8c6ced091 Mon Sep 17 00:00:00 2001
+From: Qiu-ji Chen <chenqiuji666@gmail.com>
+Date: Fri, 27 Sep 2024 16:39:02 +0800
+Subject: media: wl128x: Fix atomicity violation in fmc_send_cmd()
+
+From: Qiu-ji Chen <chenqiuji666@gmail.com>
+
+commit ca59f9956d4519ab18ab2270be47c6b8c6ced091 upstream.
+
+Atomicity violation occurs when the fmc_send_cmd() function is executed
+simultaneously with the modification of the fmdev->resp_skb value.
+Consider a scenario where, after passing the validity check within the
+function, a non-null fmdev->resp_skb variable is assigned a null value.
+This results in an invalid fmdev->resp_skb variable passing the validity
+check. As seen in the later part of the function, skb = fmdev->resp_skb;
+when the invalid fmdev->resp_skb passes the check, a null pointer
+dereference error may occur at line 478, evt_hdr = (void *)skb->data;
+
+To address this issue, it is recommended to include the validity check of
+fmdev->resp_skb within the locked section of the function. This
+modification ensures that the value of fmdev->resp_skb does not change
+during the validation process, thereby maintaining its validity.
+
+This possible bug is found by an experimental static analysis tool
+developed by our team. This tool analyzes the locking APIs
+to extract function pairs that can be concurrently executed, and then
+analyzes the instructions in the paired functions to identify possible
+concurrency bugs including data races and atomicity violations.
+
+Fixes: e8454ff7b9a4 ("[media] drivers:media:radio: wl128x: FM Driver Common sources")
+Cc: stable@vger.kernel.org
+Signed-off-by: Qiu-ji Chen <chenqiuji666@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/radio/wl128x/fmdrv_common.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/radio/wl128x/fmdrv_common.c
++++ b/drivers/media/radio/wl128x/fmdrv_common.c
+@@ -466,11 +466,12 @@ int fmc_send_cmd(struct fmdev *fmdev, u8
+ jiffies_to_msecs(FM_DRV_TX_TIMEOUT) / 1000);
+ return -ETIMEDOUT;
+ }
++ spin_lock_irqsave(&fmdev->resp_skb_lock, flags);
+ if (!fmdev->resp_skb) {
++ spin_unlock_irqrestore(&fmdev->resp_skb_lock, flags);
+ fmerr("Response SKB is missing\n");
+ return -EFAULT;
+ }
+- spin_lock_irqsave(&fmdev->resp_skb_lock, flags);
+ skb = fmdev->resp_skb;
+ fmdev->resp_skb = NULL;
+ spin_unlock_irqrestore(&fmdev->resp_skb_lock, flags);
--- /dev/null
+From c53bf100f68619acf6cedcf4cf5249a1ca2db0b4 Mon Sep 17 00:00:00 2001
+From: Joe Damato <jdamato@fastly.com>
+Date: Thu, 14 Nov 2024 17:51:56 +0000
+Subject: netdev-genl: Hold rcu_read_lock in napi_get
+
+From: Joe Damato <jdamato@fastly.com>
+
+commit c53bf100f68619acf6cedcf4cf5249a1ca2db0b4 upstream.
+
+Hold rcu_read_lock in netdev_nl_napi_get_doit, which calls napi_by_id
+and is required to be called under rcu_read_lock.
+
+Cc: stable@vger.kernel.org
+Fixes: 27f91aaf49b3 ("netdev-genl: Add netlink framework functions for napi")
+Signed-off-by: Joe Damato <jdamato@fastly.com>
+Link: https://patch.msgid.link/20241114175157.16604-1-jdamato@fastly.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/netdev-genl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/core/netdev-genl.c
++++ b/net/core/netdev-genl.c
+@@ -214,6 +214,7 @@ int netdev_nl_napi_get_doit(struct sk_bu
+ return -ENOMEM;
+
+ rtnl_lock();
++ rcu_read_lock();
+
+ napi = napi_by_id(napi_id);
+ if (napi) {
+@@ -223,6 +224,7 @@ int netdev_nl_napi_get_doit(struct sk_bu
+ err = -ENOENT;
+ }
+
++ rcu_read_unlock();
+ rtnl_unlock();
+
+ if (err)
um-vector-do-not-use-drvdata-in-release.patch
sh-cpuinfo-fix-a-warning-for-config_cpumask_offstack.patch
iio-gts-fix-uninitialized-symbol-ret.patch
+ublk-fix-ublk_ch_mmap-for-64k-page-size.patch
+arm64-tls-fix-context-switching-of-tpidrro_el0-when-kpti-is-enabled.patch
+block-fix-missing-dispatching-request-when-queue-is-started-or-unquiesced.patch
+block-fix-ordering-between-checking-queue_flag_quiesced-request-adding.patch
+block-fix-ordering-between-checking-blk_mq_s_stopped-request-adding.patch
+blk-mq-make-blk_mq_quiesce_tagset-hold-the-tag-list-mutex-less-long.patch
+gve-flow-steering-trigger-reset-only-for-timeout-error.patch
+hid-wacom-interpret-tilt-data-from-intuos-pro-bt-as-signed-values.patch
+i40e-fix-handling-changed-priv-flags.patch
+media-wl128x-fix-atomicity-violation-in-fmc_send_cmd.patch
+media-intel-ipu6-do-not-handle-interrupts-when-device-is-disabled.patch
+arm64-dts-mediatek-mt8186-corsola-voltorb-merge-speaker-codec-nodes.patch
+netdev-genl-hold-rcu_read_lock-in-napi_get.patch
+soc-fsl-rcpm-fix-missing-of_node_put-in-copy_ippdexpcr1_setting.patch
+media-v4l2-core-v4l2-dv-timings-check-cvt-gtf-result.patch
--- /dev/null
+From c9f1efabf8e3b3ff886a42669f7093789dbeca94 Mon Sep 17 00:00:00 2001
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Date: Sun, 13 Oct 2024 15:29:17 +0200
+Subject: soc: fsl: rcpm: fix missing of_node_put() in copy_ippdexpcr1_setting()
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+commit c9f1efabf8e3b3ff886a42669f7093789dbeca94 upstream.
+
+of_find_compatible_node() requires a call to of_node_put() when the
+pointer to the node is not required anymore to decrement its refcount
+and avoid leaking memory.
+
+Add the missing call to of_node_put() after the node has been used.
+
+Cc: stable@vger.kernel.org
+Fixes: e95f287deed2 ("soc: fsl: handle RCPM errata A-008646 on SoC LS1021A")
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Link: https://lore.kernel.org/r/20241013-rcpm-of_node_put-v1-1-9a8e55a01eae@gmail.com
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/fsl/rcpm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/soc/fsl/rcpm.c
++++ b/drivers/soc/fsl/rcpm.c
+@@ -36,6 +36,7 @@ static void copy_ippdexpcr1_setting(u32
+ return;
+
+ regs = of_iomap(np, 0);
++ of_node_put(np);
+ if (!regs)
+ return;
+
--- /dev/null
+From d369735e02ef122d19d4c3d093028da0eb400636 Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@redhat.com>
+Date: Mon, 11 Nov 2024 19:07:18 +0800
+Subject: ublk: fix ublk_ch_mmap() for 64K page size
+
+From: Ming Lei <ming.lei@redhat.com>
+
+commit d369735e02ef122d19d4c3d093028da0eb400636 upstream.
+
+In ublk_ch_mmap(), queue id is calculated in the following way:
+
+ (vma->vm_pgoff << PAGE_SHIFT) / `max_cmd_buf_size`
+
+'max_cmd_buf_size' is equal to
+
+ `UBLK_MAX_QUEUE_DEPTH * sizeof(struct ublksrv_io_desc)`
+
+and UBLK_MAX_QUEUE_DEPTH is 4096 and part of UAPI, so 'max_cmd_buf_size'
+is always page aligned in 4K page size kernel. However, it isn't true in
+64K page size kernel.
+
+Fixes the issue by always rounding up 'max_cmd_buf_size' with PAGE_SIZE.
+
+Cc: stable@vger.kernel.org
+Fixes: 71f28f3136af ("ublk_drv: add io_uring based userspace block driver")
+Signed-off-by: Ming Lei <ming.lei@redhat.com>
+Link: https://lore.kernel.org/r/20241111110718.1394001-1-ming.lei@redhat.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/ublk_drv.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/block/ublk_drv.c
++++ b/drivers/block/ublk_drv.c
+@@ -664,12 +664,21 @@ static inline char *ublk_queue_cmd_buf(s
+ return ublk_get_queue(ub, q_id)->io_cmd_buf;
+ }
+
++static inline int __ublk_queue_cmd_buf_size(int depth)
++{
++ return round_up(depth * sizeof(struct ublksrv_io_desc), PAGE_SIZE);
++}
++
+ static inline int ublk_queue_cmd_buf_size(struct ublk_device *ub, int q_id)
+ {
+ struct ublk_queue *ubq = ublk_get_queue(ub, q_id);
+
+- return round_up(ubq->q_depth * sizeof(struct ublksrv_io_desc),
+- PAGE_SIZE);
++ return __ublk_queue_cmd_buf_size(ubq->q_depth);
++}
++
++static int ublk_max_cmd_buf_size(void)
++{
++ return __ublk_queue_cmd_buf_size(UBLK_MAX_QUEUE_DEPTH);
+ }
+
+ static inline bool ublk_queue_can_use_recovery_reissue(
+@@ -1322,7 +1331,7 @@ static int ublk_ch_mmap(struct file *fil
+ {
+ struct ublk_device *ub = filp->private_data;
+ size_t sz = vma->vm_end - vma->vm_start;
+- unsigned max_sz = UBLK_MAX_QUEUE_DEPTH * sizeof(struct ublksrv_io_desc);
++ unsigned max_sz = ublk_max_cmd_buf_size();
+ unsigned long pfn, end, phys_off = vma->vm_pgoff << PAGE_SHIFT;
+ int q_id, ret = 0;
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
