6.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 8 Jul 2025 15:15:59 +0000 (17:15 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 8 Jul 2025 15:15:59 +0000 (17:15 +0200)
added patches:
cifs-all-initializations-for-tcon-should-happen-in-tcon_info_alloc.patch
dma-buf-fix-timeout-handling-in-dma_resv_wait_timeout-v2.patch
dt-bindings-i2c-realtek-rtl9301-fix-missing-reg-constraint.patch
hid-appletb-kbd-fix-slab-use-after-free-bug-in-appletb_kbd_probe.patch
i2c-designware-fix-an-initialization-issue.patch
iommu-rockchip-prevent-iommus-dead-loop-when-two-masters-share-one-iommu.patch
iommu-vt-d-assign-devtlb-cache-tag-on-ats-enablement.patch
logitech-c-270-even-more-broken.patch
optee-ffa-fix-sleep-in-atomic-context.patch
powercap-intel_rapl-do-not-change-clamping-bit-if-enable-bit-cannot-be-changed.patch
riscv-cpu_ops_sbi-use-static-array-for-boot_data.patch
smb-client-fix-readdir-returning-wrong-type-with-posix-extensions.patch

13 files changed:
queue-6.15/cifs-all-initializations-for-tcon-should-happen-in-tcon_info_alloc.patch [new file with mode: 0644]
queue-6.15/dma-buf-fix-timeout-handling-in-dma_resv_wait_timeout-v2.patch [new file with mode: 0644]
queue-6.15/dt-bindings-i2c-realtek-rtl9301-fix-missing-reg-constraint.patch [new file with mode: 0644]
queue-6.15/hid-appletb-kbd-fix-slab-use-after-free-bug-in-appletb_kbd_probe.patch [new file with mode: 0644]
queue-6.15/i2c-designware-fix-an-initialization-issue.patch [new file with mode: 0644]
queue-6.15/iommu-rockchip-prevent-iommus-dead-loop-when-two-masters-share-one-iommu.patch [new file with mode: 0644]
queue-6.15/iommu-vt-d-assign-devtlb-cache-tag-on-ats-enablement.patch [new file with mode: 0644]
queue-6.15/logitech-c-270-even-more-broken.patch [new file with mode: 0644]
queue-6.15/optee-ffa-fix-sleep-in-atomic-context.patch [new file with mode: 0644]
queue-6.15/powercap-intel_rapl-do-not-change-clamping-bit-if-enable-bit-cannot-be-changed.patch [new file with mode: 0644]
queue-6.15/riscv-cpu_ops_sbi-use-static-array-for-boot_data.patch [new file with mode: 0644]
queue-6.15/series
queue-6.15/smb-client-fix-readdir-returning-wrong-type-with-posix-extensions.patch [new file with mode: 0644]

diff --git a/queue-6.15/cifs-all-initializations-for-tcon-should-happen-in-tcon_info_alloc.patch b/queue-6.15/cifs-all-initializations-for-tcon-should-happen-in-tcon_info_alloc.patch
new file mode 100644 (file)
index 0000000..e78a4cc
--- /dev/null
@@ -0,0 +1,82 @@
+From 74ebd02163fde05baa23129e06dde4b8f0f2377a Mon Sep 17 00:00:00 2001
+From: Shyam Prasad N <sprasad@microsoft.com>
+Date: Mon, 30 Jun 2025 23:09:34 +0530
+Subject: cifs: all initializations for tcon should happen in tcon_info_alloc
+
+From: Shyam Prasad N <sprasad@microsoft.com>
+
+commit 74ebd02163fde05baa23129e06dde4b8f0f2377a upstream.
+
+Today, a few work structs inside tcon are initialized inside
+cifs_get_tcon and not in tcon_info_alloc. As a result, if a tcon
+is obtained from tcon_info_alloc, but not called as a part of
+cifs_get_tcon, we may trip over.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Shyam Prasad N <sprasad@microsoft.com>
+Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/cifsproto.h |    1 +
+ fs/smb/client/connect.c   |    8 +-------
+ fs/smb/client/misc.c      |    6 ++++++
+ 3 files changed, 8 insertions(+), 7 deletions(-)
+
+--- a/fs/smb/client/cifsproto.h
++++ b/fs/smb/client/cifsproto.h
+@@ -136,6 +136,7 @@ extern int SendReceiveBlockingLock(const
+                       struct smb_hdr *out_buf,
+                       int *bytes_returned);
++void smb2_query_server_interfaces(struct work_struct *work);
+ void
+ cifs_signal_cifsd_for_reconnect(struct TCP_Server_Info *server,
+                                     bool all_channels);
+--- a/fs/smb/client/connect.c
++++ b/fs/smb/client/connect.c
+@@ -97,7 +97,7 @@ static int reconn_set_ipaddr_from_hostna
+       return rc;
+ }
+-static void smb2_query_server_interfaces(struct work_struct *work)
++void smb2_query_server_interfaces(struct work_struct *work)
+ {
+       int rc;
+       int xid;
+@@ -2880,20 +2880,14 @@ cifs_get_tcon(struct cifs_ses *ses, stru
+       tcon->max_cached_dirs = ctx->max_cached_dirs;
+       tcon->nodelete = ctx->nodelete;
+       tcon->local_lease = ctx->local_lease;
+-      INIT_LIST_HEAD(&tcon->pending_opens);
+       tcon->status = TID_GOOD;
+-      INIT_DELAYED_WORK(&tcon->query_interfaces,
+-                        smb2_query_server_interfaces);
+       if (ses->server->dialect >= SMB30_PROT_ID &&
+           (ses->server->capabilities & SMB2_GLOBAL_CAP_MULTI_CHANNEL)) {
+               /* schedule query interfaces poll */
+               queue_delayed_work(cifsiod_wq, &tcon->query_interfaces,
+                                  (SMB_INTERFACE_POLL_INTERVAL * HZ));
+       }
+-#ifdef CONFIG_CIFS_DFS_UPCALL
+-      INIT_DELAYED_WORK(&tcon->dfs_cache_work, dfs_cache_refresh);
+-#endif
+       spin_lock(&cifs_tcp_ses_lock);
+       list_add(&tcon->tcon_list, &ses->tcon_list);
+       spin_unlock(&cifs_tcp_ses_lock);
+--- a/fs/smb/client/misc.c
++++ b/fs/smb/client/misc.c
+@@ -151,6 +151,12 @@ tcon_info_alloc(bool dir_leases_enabled,
+ #ifdef CONFIG_CIFS_DFS_UPCALL
+       INIT_LIST_HEAD(&ret_buf->dfs_ses_list);
+ #endif
++      INIT_LIST_HEAD(&ret_buf->pending_opens);
++      INIT_DELAYED_WORK(&ret_buf->query_interfaces,
++                        smb2_query_server_interfaces);
++#ifdef CONFIG_CIFS_DFS_UPCALL
++      INIT_DELAYED_WORK(&ret_buf->dfs_cache_work, dfs_cache_refresh);
++#endif
+       return ret_buf;
+ }
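Review bot: In the tcon_info_alloc hunk of fs/smb/client/misc.c, the new `INIT_DELAYED_WORK(&ret_buf->dfs_cache_work, dfs_cache_refresh);` opens a second `#ifdef CONFIG_CIFS_DFS_UPCALL` block three lines below the existing one that initializes `dfs_ses_list`. Moving it into the existing block would keep all DFS-only initialization under a single guard. The reason these initializers now live here is only in the commit message, so I would add a comment above them such as `/* init work structs here so a tcon that never passes through cifs_get_tcon() still has valid ones */`. misc.c now references `dfs_cache_refresh` and `smb2_query_server_interfaces`; the include list is not part of the hunk, so confirm that both declarations are visible in every config. The body of tcon_info_alloc starts outside the hunk.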
diff --git a/queue-6.15/dma-buf-fix-timeout-handling-in-dma_resv_wait_timeout-v2.patch b/queue-6.15/dma-buf-fix-timeout-handling-in-dma_resv_wait_timeout-v2.patch
new file mode 100644 (file)
index 0000000..e358397
--- /dev/null
@@ -0,0 +1,56 @@
+From 2b95a7db6e0f75587bffddbb490399cbb87e4985 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20K=C3=B6nig?= <christian.koenig@amd.com>
+Date: Tue, 28 Jan 2025 10:47:48 +0100
+Subject: dma-buf: fix timeout handling in dma_resv_wait_timeout v2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christian König <christian.koenig@amd.com>
+
+commit 2b95a7db6e0f75587bffddbb490399cbb87e4985 upstream.
+
+Even the kerneldoc says that with a zero timeout the function should not
+wait for anything, but still return 1 to indicate that the fences are
+signaled now.
+
+Unfortunately that isn't what was implemented, instead of only returning
+1 we also waited for at least one jiffies.
+
+Fix that by adjusting the handling to what the function is actually
+documented to do.
+
+v2: improve code readability
+
+Reported-by: Marek Olšák <marek.olsak@amd.com>
+Reported-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Reviewed-by: Lucas Stach <l.stach@pengutronix.de>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20250129105841.1806-1-christian.koenig@amd.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma-buf/dma-resv.c |   12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/dma-buf/dma-resv.c
++++ b/drivers/dma-buf/dma-resv.c
+@@ -685,11 +685,13 @@ long dma_resv_wait_timeout(struct dma_re
+       dma_resv_iter_begin(&cursor, obj, usage);
+       dma_resv_for_each_fence_unlocked(&cursor, fence) {
+-              ret = dma_fence_wait_timeout(fence, intr, ret);
+-              if (ret <= 0) {
+-                      dma_resv_iter_end(&cursor);
+-                      return ret;
+-              }
++              ret = dma_fence_wait_timeout(fence, intr, timeout);
++              if (ret <= 0)
++                      break;
++
++              /* Even for zero timeout the return value is 1 */
++              if (timeout)
++                      timeout = ret;
+       }
+       dma_resv_iter_end(&cursor);
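Review bot: The comment `/* Even for zero timeout the return value is 1 */` in dma_resv_wait_timeout states a fact but not why `timeout` is left untouched in that case. Assigning the returned 1 to `timeout` would turn a non-blocking poll into a one-jiffy wait on the next fence, which is the behaviour this patch removes. I would spell it out: `/* A zero-timeout wait returns 1 for a signaled fence; keep timeout at 0 so later fences are polled, not waited on */`. What the function returns when the loop visits no fence depends on how `ret` is initialized, which is outside the hunk and worth checking against the kerneldoc.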
diff --git a/queue-6.15/dt-bindings-i2c-realtek-rtl9301-fix-missing-reg-constraint.patch b/queue-6.15/dt-bindings-i2c-realtek-rtl9301-fix-missing-reg-constraint.patch
new file mode 100644 (file)
index 0000000..ce21834
--- /dev/null
@@ -0,0 +1,34 @@
+From 5f05fc6e2218db7ecc52c60eb34b707fe69262c2 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Date: Wed, 2 Jul 2025 08:15:31 +0200
+Subject: dt-bindings: i2c: realtek,rtl9301: Fix missing 'reg' constraint
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+commit 5f05fc6e2218db7ecc52c60eb34b707fe69262c2 upstream.
+
+Lists should have fixed amount if items, so add missing constraint to
+the 'reg' property (only one address space entry).
+
+Fixes: c5eda0333076 ("dt-bindings: i2c: Add Realtek RTL I2C Controller")
+Cc: <stable@vger.kernel.org> # v6.13+
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/20250702061530.6940-2-krzysztof.kozlowski@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/i2c/realtek,rtl9301-i2c.yaml |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/i2c/realtek,rtl9301-i2c.yaml
++++ b/Documentation/devicetree/bindings/i2c/realtek,rtl9301-i2c.yaml
+@@ -26,7 +26,8 @@ properties:
+       - const: realtek,rtl9301-i2c
+   reg:
+-    description: Register offset and size this I2C controller.
++    items:
++      - description: Register offset and size this I2C controller.
+   "#address-cells":
+     const: 1
diff --git a/queue-6.15/hid-appletb-kbd-fix-slab-use-after-free-bug-in-appletb_kbd_probe.patch b/queue-6.15/hid-appletb-kbd-fix-slab-use-after-free-bug-in-appletb_kbd_probe.patch
new file mode 100644 (file)
index 0000000..81fb64b
--- /dev/null
@@ -0,0 +1,127 @@
+From 38224c472a038fa9ccd4085511dd9f3d6119dbf9 Mon Sep 17 00:00:00 2001
+From: Qasim Ijaz <qasdev00@gmail.com>
+Date: Tue, 24 Jun 2025 13:52:56 +0100
+Subject: HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe
+
+From: Qasim Ijaz <qasdev00@gmail.com>
+
+commit 38224c472a038fa9ccd4085511dd9f3d6119dbf9 upstream.
+
+In probe appletb_kbd_probe() a "struct appletb_kbd *kbd" is allocated
+via devm_kzalloc() to store touch bar keyboard related data.
+Later on if backlight_device_get_by_name() finds a backlight device
+with name "appletb_backlight" a timer (kbd->inactivity_timer) is setup
+with appletb_inactivity_timer() and the timer is armed to run after
+appletb_tb_dim_timeout (60) seconds.
+
+A use-after-free is triggered when failure occurs after the timer is
+armed. This ultimately means probe failure occurs and as a result the
+"struct appletb_kbd *kbd" which is device managed memory is freed.
+After 60 seconds the timer will have expired and __run_timers will
+attempt to access the timer (kbd->inactivity_timer) however the kdb
+structure has been freed causing a use-after free.
+
+[   71.636938] ==================================================================
+[   71.637915] BUG: KASAN: slab-use-after-free in __run_timers+0x7ad/0x890
+[   71.637915] Write of size 8 at addr ffff8881178c5958 by task swapper/1/0
+[   71.637915]
+[   71.637915] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.16.0-rc2-00318-g739a6c93cc75-dirty #12 PREEMPT(voluntary)
+[   71.637915] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
+[   71.637915] Call Trace:
+[   71.637915]  <IRQ>
+[   71.637915]  dump_stack_lvl+0x53/0x70
+[   71.637915]  print_report+0xce/0x670
+[   71.637915]  ? __run_timers+0x7ad/0x890
+[   71.637915]  kasan_report+0xce/0x100
+[   71.637915]  ? __run_timers+0x7ad/0x890
+[   71.637915]  __run_timers+0x7ad/0x890
+[   71.637915]  ? __pfx___run_timers+0x10/0x10
+[   71.637915]  ? update_process_times+0xfc/0x190
+[   71.637915]  ? __pfx_update_process_times+0x10/0x10
+[   71.637915]  ? _raw_spin_lock_irq+0x80/0xe0
+[   71.637915]  ? _raw_spin_lock_irq+0x80/0xe0
+[   71.637915]  ? __pfx__raw_spin_lock_irq+0x10/0x10
+[   71.637915]  run_timer_softirq+0x141/0x240
+[   71.637915]  ? __pfx_run_timer_softirq+0x10/0x10
+[   71.637915]  ? __pfx___hrtimer_run_queues+0x10/0x10
+[   71.637915]  ? kvm_clock_get_cycles+0x18/0x30
+[   71.637915]  ? ktime_get+0x60/0x140
+[   71.637915]  handle_softirqs+0x1b8/0x5c0
+[   71.637915]  ? __pfx_handle_softirqs+0x10/0x10
+[   71.637915]  irq_exit_rcu+0xaf/0xe0
+[   71.637915]  sysvec_apic_timer_interrupt+0x6c/0x80
+[   71.637915]  </IRQ>
+[   71.637915]
+[   71.637915] Allocated by task 39:
+[   71.637915]  kasan_save_stack+0x33/0x60
+[   71.637915]  kasan_save_track+0x14/0x30
+[   71.637915]  __kasan_kmalloc+0x8f/0xa0
+[   71.637915]  __kmalloc_node_track_caller_noprof+0x195/0x420
+[   71.637915]  devm_kmalloc+0x74/0x1e0
+[   71.637915]  appletb_kbd_probe+0x37/0x3c0
+[   71.637915]  hid_device_probe+0x2d1/0x680
+[   71.637915]  really_probe+0x1c3/0x690
+[   71.637915]  __driver_probe_device+0x247/0x300
+[   71.637915]  driver_probe_device+0x49/0x210
+[...]
+[   71.637915]
+[   71.637915] Freed by task 39:
+[   71.637915]  kasan_save_stack+0x33/0x60
+[   71.637915]  kasan_save_track+0x14/0x30
+[   71.637915]  kasan_save_free_info+0x3b/0x60
+[   71.637915]  __kasan_slab_free+0x37/0x50
+[   71.637915]  kfree+0xcf/0x360
+[   71.637915]  devres_release_group+0x1f8/0x3c0
+[   71.637915]  hid_device_probe+0x315/0x680
+[   71.637915]  really_probe+0x1c3/0x690
+[   71.637915]  __driver_probe_device+0x247/0x300
+[   71.637915]  driver_probe_device+0x49/0x210
+[...]
+
+The root cause of the issue is that the timer is not disarmed
+on failure paths leading to it remaining active and accessing
+freed memory. To fix this call timer_delete_sync() to deactivate
+the timer.
+
+Another small issue is that timer_delete_sync is called
+unconditionally in appletb_kbd_remove(), fix this by checking
+for a valid kbd->backlight_dev before calling timer_delete_sync.
+
+Fixes: 93a0fc489481 ("HID: hid-appletb-kbd: add support for automatic brightness control while using the touchbar")
+Cc: stable@vger.kernel.org
+Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
+Reviewed-by: Aditya Garg <gargaditya08@live.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-appletb-kbd.c |   10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/hid/hid-appletb-kbd.c
++++ b/drivers/hid/hid-appletb-kbd.c
+@@ -437,8 +437,10 @@ static int appletb_kbd_probe(struct hid_
+ unregister_handler:
+       input_unregister_handler(&kbd->inp_handler);
+ close_hw:
+-      if (kbd->backlight_dev)
++      if (kbd->backlight_dev) {
+               put_device(&kbd->backlight_dev->dev);
++              timer_delete_sync(&kbd->inactivity_timer);
++      }
+       hid_hw_close(hdev);
+ stop_hw:
+       hid_hw_stop(hdev);
+@@ -452,10 +454,10 @@ static void appletb_kbd_remove(struct hi
+       appletb_kbd_set_mode(kbd, APPLETB_KBD_MODE_OFF);
+       input_unregister_handler(&kbd->inp_handler);
+-      timer_delete_sync(&kbd->inactivity_timer);
+-
+-      if (kbd->backlight_dev)
++      if (kbd->backlight_dev) {
+               put_device(&kbd->backlight_dev->dev);
++              timer_delete_sync(&kbd->inactivity_timer);
++      }
+       hid_hw_close(hdev);
+       hid_hw_stop(hdev);
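Review bot: In both the `close_hw:` path of appletb_kbd_probe and in appletb_kbd_remove, `put_device(&kbd->backlight_dev->dev)` runs before `timer_delete_sync(&kbd->inactivity_timer)`, so the timer can still fire after the backlight reference has been dropped. The timer callback is not visible in these hunks; if it dereferences `kbd->backlight_dev`, that leaves a narrow window of the same class as the use-after-free being fixed. Stopping the timer first closes the window: `timer_delete_sync(&kbd->inactivity_timer);` followed by `put_device(&kbd->backlight_dev->dev);`. Both functions start outside the hunks shown.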
diff --git a/queue-6.15/i2c-designware-fix-an-initialization-issue.patch b/queue-6.15/i2c-designware-fix-an-initialization-issue.patch
new file mode 100644 (file)
index 0000000..66df6e1
--- /dev/null
@@ -0,0 +1,39 @@
+From 3d30048958e0d43425f6d4e76565e6249fa71050 Mon Sep 17 00:00:00 2001
+From: "Michael J. Ruhl" <michael.j.ruhl@intel.com>
+Date: Fri, 27 Jun 2025 10:35:11 -0400
+Subject: i2c/designware: Fix an initialization issue
+
+From: Michael J. Ruhl <michael.j.ruhl@intel.com>
+
+commit 3d30048958e0d43425f6d4e76565e6249fa71050 upstream.
+
+The i2c_dw_xfer_init() function requires msgs and msg_write_idx from the
+dev context to be initialized.
+
+amd_i2c_dw_xfer_quirk() inits msgs and msgs_num, but not msg_write_idx.
+
+This could allow an out of bounds access (of msgs).
+
+Initialize msg_write_idx before calling i2c_dw_xfer_init().
+
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Fixes: 17631e8ca2d3 ("i2c: designware: Add driver support for AMD NAVI GPU")
+Cc: <stable@vger.kernel.org> # v5.13+
+Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/20250627143511.489570-1-michael.j.ruhl@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-designware-master.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/i2c/busses/i2c-designware-master.c
++++ b/drivers/i2c/busses/i2c-designware-master.c
+@@ -363,6 +363,7 @@ static int amd_i2c_dw_xfer_quirk(struct
+       dev->msgs = msgs;
+       dev->msgs_num = num_msgs;
++      dev->msg_write_idx = 0;
+       i2c_dw_xfer_init(dev);
+       /* Initiate messages read/write transaction */
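Review bot: The added `dev->msg_write_idx = 0;` in amd_i2c_dw_xfer_quirk has no comment, and the out-of-bounds reasoning lives only in the commit message. A one-line comment such as `/* i2c_dw_xfer_init() reads msgs[msg_write_idx]; a stale index could point past the new array */` would keep a later cleanup from dropping the line as redundant. Whether this quirk path also depends on other per-transfer fields of `dev` being reset cannot be seen from the hunk and is worth confirming against the regular transfer path. The function body continues outside the hunk.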
diff --git a/queue-6.15/iommu-rockchip-prevent-iommus-dead-loop-when-two-masters-share-one-iommu.patch b/queue-6.15/iommu-rockchip-prevent-iommus-dead-loop-when-two-masters-share-one-iommu.patch
new file mode 100644 (file)
index 0000000..7fa4477
--- /dev/null
@@ -0,0 +1,46 @@
+From 62e062a29ad5133f67c20b333ba0a952a99161ae Mon Sep 17 00:00:00 2001
+From: Simon Xue <xxm@rock-chips.com>
+Date: Mon, 23 Jun 2025 10:00:18 +0800
+Subject: iommu/rockchip: prevent iommus dead loop when two masters share one IOMMU
+
+From: Simon Xue <xxm@rock-chips.com>
+
+commit 62e062a29ad5133f67c20b333ba0a952a99161ae upstream.
+
+When two masters share an IOMMU, calling ops->of_xlate during
+the second master's driver init may overwrite iommu->domain set
+by the first. This causes the check if (iommu->domain == domain)
+in rk_iommu_attach_device() to fail, resulting in the same
+iommu->node being added twice to &rk_domain->iommus, which can
+lead to an infinite loop in subsequent &rk_domain->iommus operations.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 25c2325575cc ("iommu/rockchip: Add missing set_platform_dma_ops callback")
+Signed-off-by: Simon Xue <xxm@rock-chips.com>
+Reviewed-by: Robin Murphy <robin.murphy@arm.com>
+Link: https://lore.kernel.org/r/20250623020018.584802-1-xxm@rock-chips.com
+Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/rockchip-iommu.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/iommu/rockchip-iommu.c
++++ b/drivers/iommu/rockchip-iommu.c
+@@ -1155,7 +1155,6 @@ static int rk_iommu_of_xlate(struct devi
+               return -ENOMEM;
+       data->iommu = platform_get_drvdata(iommu_dev);
+-      data->iommu->domain = &rk_identity_domain;
+       dev_iommu_priv_set(dev, data);
+       platform_device_put(iommu_dev);
+@@ -1193,6 +1192,8 @@ static int rk_iommu_probe(struct platfor
+       if (!iommu)
+               return -ENOMEM;
++      iommu->domain = &rk_identity_domain;
++
+       platform_set_drvdata(pdev, iommu);
+       iommu->dev = dev;
+       iommu->num_mmu = 0;
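Review bot: The new `iommu->domain = &rk_identity_domain;` in rk_iommu_probe has no comment explaining why the default domain is set at probe time rather than in rk_iommu_of_xlate, where the line was removed. Without that context, a later change could move the assignment back and reintroduce the double list insertion described in the commit message. I would add `/* Set once at probe: of_xlate runs per master and must not reset the domain of a shared IOMMU */` above the assignment. Both functions extend beyond the hunks shown.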
diff --git a/queue-6.15/iommu-vt-d-assign-devtlb-cache-tag-on-ats-enablement.patch b/queue-6.15/iommu-vt-d-assign-devtlb-cache-tag-on-ats-enablement.patch
new file mode 100644 (file)
index 0000000..2b1d3c8
--- /dev/null
@@ -0,0 +1,80 @@
+From 25b1b75bbaf96331750fb01302825069657b2ff8 Mon Sep 17 00:00:00 2001
+From: Lu Baolu <baolu.lu@linux.intel.com>
+Date: Sat, 28 Jun 2025 18:03:51 +0800
+Subject: iommu/vt-d: Assign devtlb cache tag on ATS enablement
+
+From: Lu Baolu <baolu.lu@linux.intel.com>
+
+commit 25b1b75bbaf96331750fb01302825069657b2ff8 upstream.
+
+Commit <4f1492efb495> ("iommu/vt-d: Revert ATS timing change to fix boot
+failure") placed the enabling of ATS in the probe_finalize callback. This
+occurs after the default domain attachment, which is when the ATS cache
+tag is assigned. Consequently, the device TLB cache tag is missed when the
+domain is attached, leading to the device TLB not being invalidated in the
+iommu_unmap paths.
+
+Fix this by assigning the CACHE_TAG_DEVTLB cache tag when ATS is enabled.
+
+Fixes: 4f1492efb495 ("iommu/vt-d: Revert ATS timing change to fix boot failure")
+Cc: stable@vger.kernel.org
+Suggested-by: Kevin Tian <kevin.tian@intel.com>
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Tested-by: Shuicheng Lin <shuicheng.lin@intel.com>
+Reviewed-by: Kevin Tian <kevin.tian@intel.com>
+Link: https://lore.kernel.org/r/20250625050135.3129955-1-baolu.lu@linux.intel.com
+Link: https://lore.kernel.org/r/20250628100351.3198955-2-baolu.lu@linux.intel.com
+Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/intel/cache.c |    5 ++---
+ drivers/iommu/intel/iommu.c |   11 ++++++++++-
+ drivers/iommu/intel/iommu.h |    2 ++
+ 3 files changed, 14 insertions(+), 4 deletions(-)
+
+--- a/drivers/iommu/intel/cache.c
++++ b/drivers/iommu/intel/cache.c
+@@ -40,9 +40,8 @@ static bool cache_tage_match(struct cach
+ }
+ /* Assign a cache tag with specified type to domain. */
+-static int cache_tag_assign(struct dmar_domain *domain, u16 did,
+-                          struct device *dev, ioasid_t pasid,
+-                          enum cache_tag_type type)
++int cache_tag_assign(struct dmar_domain *domain, u16 did, struct device *dev,
++                   ioasid_t pasid, enum cache_tag_type type)
+ {
+       struct device_domain_info *info = dev_iommu_priv_get(dev);
+       struct intel_iommu *iommu = info->iommu;
+--- a/drivers/iommu/intel/iommu.c
++++ b/drivers/iommu/intel/iommu.c
+@@ -3819,8 +3819,17 @@ static void intel_iommu_probe_finalize(s
+           !pci_enable_pasid(to_pci_dev(dev), info->pasid_supported & ~1))
+               info->pasid_enabled = 1;
+-      if (sm_supported(iommu) && !dev_is_real_dma_subdevice(dev))
++      if (sm_supported(iommu) && !dev_is_real_dma_subdevice(dev)) {
+               iommu_enable_pci_ats(info);
++              /* Assign a DEVTLB cache tag to the default domain. */
++              if (info->ats_enabled && info->domain) {
++                      u16 did = domain_id_iommu(info->domain, iommu);
++
++                      if (cache_tag_assign(info->domain, did, dev,
++                                           IOMMU_NO_PASID, CACHE_TAG_DEVTLB))
++                              iommu_disable_pci_ats(info);
++              }
++      }
+       iommu_enable_pci_pri(info);
+ }
+--- a/drivers/iommu/intel/iommu.h
++++ b/drivers/iommu/intel/iommu.h
+@@ -1277,6 +1277,8 @@ struct cache_tag {
+       unsigned int users;
+ };
++int cache_tag_assign(struct dmar_domain *domain, u16 did, struct device *dev,
++                   ioasid_t pasid, enum cache_tag_type type);
+ int cache_tag_assign_domain(struct dmar_domain *domain,
+                           struct device *dev, ioasid_t pasid);
+ void cache_tag_unassign_domain(struct dmar_domain *domain,
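Review bot: When `cache_tag_assign()` fails in intel_iommu_probe_finalize, the new code calls `iommu_disable_pci_ats(info)` and carries on without any message, so a device that lost ATS this way looks the same in the logs as one that never had it. Disabling ATS is the safe fallback, since running with ATS on and no devtlb tag would leave stale translations in the device TLB, but the branch should say so, e.g. `dev_warn(dev, "devtlb cache tag assignment failed, ATS disabled\n");` with braces around the two statements. `cache_tag_assign()` is now non-static and declared in iommu.h without a note on what the caller must hold; no locking around the read of `info->domain` is visible in the hunk, so a short comment on the expected context would help. intel_iommu_probe_finalize begins outside the hunk.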
diff --git a/queue-6.15/logitech-c-270-even-more-broken.patch b/queue-6.15/logitech-c-270-even-more-broken.patch
new file mode 100644 (file)
index 0000000..b1ed04e
--- /dev/null
@@ -0,0 +1,32 @@
+From cee4392a57e14a799fbdee193bc4c0de65b29521 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 5 Jun 2025 14:28:45 +0200
+Subject: Logitech C-270 even more broken
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit cee4392a57e14a799fbdee193bc4c0de65b29521 upstream.
+
+Some varieties of this device don't work with
+RESET_RESUME alone.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Cc: stable <stable@kernel.org>
+Link: https://lore.kernel.org/r/20250605122852.1440382-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/quirks.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -227,7 +227,8 @@ static const struct usb_device_id usb_qu
+       { USB_DEVICE(0x046a, 0x0023), .driver_info = USB_QUIRK_RESET_RESUME },
+       /* Logitech HD Webcam C270 */
+-      { USB_DEVICE(0x046d, 0x0825), .driver_info = USB_QUIRK_RESET_RESUME },
++      { USB_DEVICE(0x046d, 0x0825), .driver_info = USB_QUIRK_RESET_RESUME |
++              USB_QUIRK_NO_LPM},
+       /* Logitech HD Pro Webcams C920, C920-C, C922, C925e and C930e */
+       { USB_DEVICE(0x046d, 0x082d), .driver_info = USB_QUIRK_DELAY_INIT },
diff --git a/queue-6.15/optee-ffa-fix-sleep-in-atomic-context.patch b/queue-6.15/optee-ffa-fix-sleep-in-atomic-context.patch
new file mode 100644 (file)
index 0000000..810e998
--- /dev/null
@@ -0,0 +1,151 @@
+From 312d02adb959ea199372f375ada06e0186f651e4 Mon Sep 17 00:00:00 2001
+From: Jens Wiklander <jens.wiklander@linaro.org>
+Date: Mon, 2 Jun 2025 14:04:35 +0200
+Subject: optee: ffa: fix sleep in atomic context
+
+From: Jens Wiklander <jens.wiklander@linaro.org>
+
+commit 312d02adb959ea199372f375ada06e0186f651e4 upstream.
+
+The OP-TEE driver registers the function notif_callback() for FF-A
+notifications. However, this function is called in an atomic context
+leading to errors like this when processing asynchronous notifications:
+
+ | BUG: sleeping function called from invalid context at kernel/locking/mutex.c:258
+ | in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 9, name: kworker/0:0
+ | preempt_count: 1, expected: 0
+ | RCU nest depth: 0, expected: 0
+ | CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.14.0-00019-g657536ebe0aa #13
+ | Hardware name: linux,dummy-virt (DT)
+ | Workqueue: ffa_pcpu_irq_notification notif_pcpu_irq_work_fn
+ | Call trace:
+ |  show_stack+0x18/0x24 (C)
+ |  dump_stack_lvl+0x78/0x90
+ |  dump_stack+0x18/0x24
+ |  __might_resched+0x114/0x170
+ |  __might_sleep+0x48/0x98
+ |  mutex_lock+0x24/0x80
+ |  optee_get_msg_arg+0x7c/0x21c
+ |  simple_call_with_arg+0x50/0xc0
+ |  optee_do_bottom_half+0x14/0x20
+ |  notif_callback+0x3c/0x48
+ |  handle_notif_callbacks+0x9c/0xe0
+ |  notif_get_and_handle+0x40/0x88
+ |  generic_exec_single+0x80/0xc0
+ |  smp_call_function_single+0xfc/0x1a0
+ |  notif_pcpu_irq_work_fn+0x2c/0x38
+ |  process_one_work+0x14c/0x2b4
+ |  worker_thread+0x2e4/0x3e0
+ |  kthread+0x13c/0x210
+ |  ret_from_fork+0x10/0x20
+
+Fix this by adding work queue to process the notification in a
+non-atomic context.
+
+Fixes: d0476a59de06 ("optee: ffa_abi: add asynchronous notifications")
+Cc: stable@vger.kernel.org
+Reviewed-by: Sumit Garg <sumit.garg@oss.qualcomm.com>
+Tested-by: Sudeep Holla <sudeep.holla@arm.com>
+Link: https://lore.kernel.org/r/20250602120452.2507084-1-jens.wiklander@linaro.org
+Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tee/optee/ffa_abi.c       |   41 +++++++++++++++++++++++++++++---------
+ drivers/tee/optee/optee_private.h |    2 +
+ 2 files changed, 34 insertions(+), 9 deletions(-)
+
+--- a/drivers/tee/optee/ffa_abi.c
++++ b/drivers/tee/optee/ffa_abi.c
+@@ -728,12 +728,21 @@ static bool optee_ffa_exchange_caps(stru
+       return true;
+ }
++static void notif_work_fn(struct work_struct *work)
++{
++      struct optee_ffa *optee_ffa = container_of(work, struct optee_ffa,
++                                                 notif_work);
++      struct optee *optee = container_of(optee_ffa, struct optee, ffa);
++
++      optee_do_bottom_half(optee->ctx);
++}
++
+ static void notif_callback(int notify_id, void *cb_data)
+ {
+       struct optee *optee = cb_data;
+       if (notify_id == optee->ffa.bottom_half_value)
+-              optee_do_bottom_half(optee->ctx);
++              queue_work(optee->ffa.notif_wq, &optee->ffa.notif_work);
+       else
+               optee_notif_send(optee, notify_id);
+ }
+@@ -817,9 +826,11 @@ static void optee_ffa_remove(struct ffa_
+       struct optee *optee = ffa_dev_get_drvdata(ffa_dev);
+       u32 bottom_half_id = optee->ffa.bottom_half_value;
+-      if (bottom_half_id != U32_MAX)
++      if (bottom_half_id != U32_MAX) {
+               ffa_dev->ops->notifier_ops->notify_relinquish(ffa_dev,
+                                                             bottom_half_id);
++              destroy_workqueue(optee->ffa.notif_wq);
++      }
+       optee_remove_common(optee);
+       mutex_destroy(&optee->ffa.mutex);
+@@ -835,6 +846,13 @@ static int optee_ffa_async_notif_init(st
+       u32 notif_id = 0;
+       int rc;
++      INIT_WORK(&optee->ffa.notif_work, notif_work_fn);
++      optee->ffa.notif_wq = create_workqueue("optee_notification");
++      if (!optee->ffa.notif_wq) {
++              rc = -EINVAL;
++              goto err;
++      }
++
+       while (true) {
+               rc = ffa_dev->ops->notifier_ops->notify_request(ffa_dev,
+                                                               is_per_vcpu,
+@@ -851,19 +869,24 @@ static int optee_ffa_async_notif_init(st
+                * notifications in that case.
+                */
+               if (rc != -EACCES)
+-                      return rc;
++                      goto err_wq;
+               notif_id++;
+               if (notif_id >= OPTEE_FFA_MAX_ASYNC_NOTIF_VALUE)
+-                      return rc;
++                      goto err_wq;
+       }
+       optee->ffa.bottom_half_value = notif_id;
+       rc = enable_async_notif(optee);
+-      if (rc < 0) {
+-              ffa_dev->ops->notifier_ops->notify_relinquish(ffa_dev,
+-                                                            notif_id);
+-              optee->ffa.bottom_half_value = U32_MAX;
+-      }
++      if (rc < 0)
++              goto err_rel;
++
++      return 0;
++err_rel:
++      ffa_dev->ops->notifier_ops->notify_relinquish(ffa_dev, notif_id);
++err_wq:
++      destroy_workqueue(optee->ffa.notif_wq);
++err:
++      optee->ffa.bottom_half_value = U32_MAX;
+       return rc;
+ }
+--- a/drivers/tee/optee/optee_private.h
++++ b/drivers/tee/optee/optee_private.h
+@@ -165,6 +165,8 @@ struct optee_ffa {
+       /* Serializes access to @global_ids */
+       struct mutex mutex;
+       struct rhashtable global_ids;
++      struct workqueue_struct *notif_wq;
++      struct work_struct notif_work;
+ };
+ struct optee;
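Review bot: In optee_ffa_async_notif_init a failed `create_workqueue("optee_notification")` is reported as `-EINVAL`, although the only failure visible here is a NULL return, which normally means an allocation failure; `rc = -ENOMEM;` would describe it correctly to callers. `create_workqueue()` is the legacy interface, and `alloc_workqueue()` with explicit flags is the usual choice for new code. On the `err_wq:` path `optee->ffa.notif_wq` keeps the destroyed pointer, and optee_ffa_remove avoids touching it only because `bottom_half_value` is reset to U32_MAX. Adding `optee->ffa.notif_wq = NULL;` after `destroy_workqueue()` would make that dependency less fragile.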
diff --git a/queue-6.15/powercap-intel_rapl-do-not-change-clamping-bit-if-enable-bit-cannot-be-changed.patch b/queue-6.15/powercap-intel_rapl-do-not-change-clamping-bit-if-enable-bit-cannot-be-changed.patch
new file mode 100644 (file)
index 0000000..2070229
--- /dev/null
@@ -0,0 +1,68 @@
+From 964209202ebe1569c858337441e87ef0f9d71416 Mon Sep 17 00:00:00 2001
+From: Zhang Rui <rui.zhang@intel.com>
+Date: Thu, 19 Jun 2025 15:13:40 +0800
+Subject: powercap: intel_rapl: Do not change CLAMPING bit if ENABLE bit cannot be changed
+
+From: Zhang Rui <rui.zhang@intel.com>
+
+commit 964209202ebe1569c858337441e87ef0f9d71416 upstream.
+
+PL1 cannot be disabled on some platforms. The ENABLE bit is still set
+after software clears it. This behavior leads to a scenario where, upon
+user request to disable the Power Limit through the powercap sysfs, the
+ENABLE bit remains set while the CLAMPING bit is inadvertently cleared.
+
+According to the Intel Software Developer's Manual, the CLAMPING bit,
+"When set, allows the processor to go below the OS requested P states in
+order to maintain the power below specified Platform Power Limit value."
+
+Thus this means the system may operate at higher power levels than
+intended on such platforms.
+
+Enhance the code to check ENABLE bit after writing to it, and stop
+further processing if ENABLE bit cannot be changed.
+
+Reported-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Fixes: 2d281d8196e3 ("PowerCap: Introduce Intel RAPL power capping driver")
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Zhang Rui <rui.zhang@intel.com>
+Link: https://patch.msgid.link/20250619071340.384782-1-rui.zhang@intel.com
+[ rjw: Use str_enabled_disabled() instead of open-coded equivalent ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/powercap/intel_rapl_common.c |   18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+--- a/drivers/powercap/intel_rapl_common.c
++++ b/drivers/powercap/intel_rapl_common.c
+@@ -340,12 +340,28 @@ static int set_domain_enable(struct powe
+ {
+       struct rapl_domain *rd = power_zone_to_rapl_domain(power_zone);
+       struct rapl_defaults *defaults = get_defaults(rd->rp);
++      u64 val;
+       int ret;
+       cpus_read_lock();
+       ret = rapl_write_pl_data(rd, POWER_LIMIT1, PL_ENABLE, mode);
+-      if (!ret && defaults->set_floor_freq)
++      if (ret)
++              goto end;
++
++      ret = rapl_read_pl_data(rd, POWER_LIMIT1, PL_ENABLE, false, &val);
++      if (ret)
++              goto end;
++
++      if (mode != val) {
++              pr_debug("%s cannot be %s\n", power_zone->name,
++                       str_enabled_disabled(mode));
++              goto end;
++      }
++
++      if (defaults->set_floor_freq)
+               defaults->set_floor_freq(rd, mode);
++
++end:
+       cpus_read_unlock();
+       return ret;
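Review bot: When the read-back shows that the ENABLE bit did not take the requested value, the `mode != val` branch jumps to `end` with `ret` still 0 from the successful read. set_domain_enable() therefore reports success although the request was not honoured, and the only trace is a `pr_debug`. If callers should be able to tell the difference, set an error before the jump, for example `ret = -EIO;` (the exact code is a maintainer choice), or add a comment above the branch stating that returning 0 is intentional. The comparison also assumes that `rapl_read_pl_data()` stores exactly 0 or 1 in `val` for `PL_ENABLE`, which is not visible here; `if (!!val != mode)` would make that explicit. The function's signature and closing brace are outside the hunk.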
diff --git a/queue-6.15/riscv-cpu_ops_sbi-use-static-array-for-boot_data.patch b/queue-6.15/riscv-cpu_ops_sbi-use-static-array-for-boot_data.patch
new file mode 100644 (file)
index 0000000..052386d
--- /dev/null
@@ -0,0 +1,115 @@
+From 2b29be967ae456fc09c320d91d52278cf721be1e Mon Sep 17 00:00:00 2001
+From: Vivian Wang <wangruikang@iscas.ac.cn>
+Date: Tue, 24 Jun 2025 16:04:46 +0800
+Subject: riscv: cpu_ops_sbi: Use static array for boot_data
+
+From: Vivian Wang <wangruikang@iscas.ac.cn>
+
+commit 2b29be967ae456fc09c320d91d52278cf721be1e upstream.
+
+Since commit 6b9f29b81b15 ("riscv: Enable pcpu page first chunk
+allocator"), if NUMA is enabled, the page percpu allocator may be used
+on very sparse configurations, or when requested on boot with
+percpu_alloc=page.
+
+In that case, percpu data gets put in the vmalloc area. However,
+sbi_hsm_hart_start() needs the physical address of a sbi_hart_boot_data,
+and simply assumes that __pa() would work. This causes the just started
+hart to immediately access an invalid address and hang.
+
+Fortunately, struct sbi_hart_boot_data is not too large, so we can
+simply allocate an array for boot_data statically, putting it in the
+kernel image.
+
+This fixes NUMA=y SMP boot on Sophgo SG2042.
+
+To reproduce on QEMU: Set CONFIG_NUMA=y and CONFIG_DEBUG_VIRTUAL=y, then
+run with:
+
+  qemu-system-riscv64 -M virt -smp 2 -nographic \
+    -kernel arch/riscv/boot/Image \
+    -append "percpu_alloc=page"
+
+Kernel output:
+
+[    0.000000] Booting Linux on hartid 0
+[    0.000000] Linux version 6.16.0-rc1 (dram@sakuya) (riscv64-unknown-linux-gnu-gcc (GCC) 14.2.1 20250322, GNU ld (GNU Binutils) 2.44) #11 SMP Tue Jun 24 14:56:22 CST 2025
+...
+[    0.000000] percpu: 28 4K pages/cpu s85784 r8192 d20712
+...
+[    0.083192] smp: Bringing up secondary CPUs ...
+[    0.086722] ------------[ cut here ]------------
+[    0.086849] virt_to_phys used for non-linear address: (____ptrval____) (0xff2000000001d080)
+[    0.088001] WARNING: CPU: 0 PID: 1 at arch/riscv/mm/physaddr.c:14 __virt_to_phys+0xae/0xe8
+[    0.088376] Modules linked in:
+[    0.088656] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.16.0-rc1 #11 NONE
+[    0.088833] Hardware name: riscv-virtio,qemu (DT)
+[    0.088948] epc : __virt_to_phys+0xae/0xe8
+[    0.089001]  ra : __virt_to_phys+0xae/0xe8
+[    0.089037] epc : ffffffff80021eaa ra : ffffffff80021eaa sp : ff2000000004bbc0
+[    0.089057]  gp : ffffffff817f49c0 tp : ff60000001d60000 t0 : 5f6f745f74726976
+[    0.089076]  t1 : 0000000000000076 t2 : 705f6f745f747269 s0 : ff2000000004bbe0
+[    0.089095]  s1 : ff2000000001d080 a0 : 0000000000000000 a1 : 0000000000000000
+[    0.089113]  a2 : 0000000000000000 a3 : 0000000000000000 a4 : 0000000000000000
+[    0.089131]  a5 : 0000000000000000 a6 : 0000000000000000 a7 : 0000000000000000
+[    0.089155]  s2 : ffffffff8130dc00 s3 : 0000000000000001 s4 : 0000000000000001
+[    0.089174]  s5 : ffffffff8185eff8 s6 : ff2000007f1eb000 s7 : ffffffff8002a2ec
+[    0.089193]  s8 : 0000000000000001 s9 : 0000000000000001 s10: 0000000000000000
+[    0.089211]  s11: 0000000000000000 t3 : ffffffff8180a9f7 t4 : ffffffff8180a9f7
+[    0.089960]  t5 : ffffffff8180a9f8 t6 : ff2000000004b9d8
+[    0.089984] status: 0000000200000120 badaddr: ffffffff80021eaa cause: 0000000000000003
+[    0.090101] [<ffffffff80021eaa>] __virt_to_phys+0xae/0xe8
+[    0.090228] [<ffffffff8001d796>] sbi_cpu_start+0x6e/0xe8
+[    0.090247] [<ffffffff8001a5da>] __cpu_up+0x1e/0x8c
+[    0.090260] [<ffffffff8002a32e>] bringup_cpu+0x42/0x258
+[    0.090277] [<ffffffff8002914c>] cpuhp_invoke_callback+0xe0/0x40c
+[    0.090292] [<ffffffff800294e0>] __cpuhp_invoke_callback_range+0x68/0xfc
+[    0.090320] [<ffffffff8002a96a>] _cpu_up+0x11a/0x244
+[    0.090334] [<ffffffff8002aae6>] cpu_up+0x52/0x90
+[    0.090384] [<ffffffff80c09350>] bringup_nonboot_cpus+0x78/0x118
+[    0.090411] [<ffffffff80c11060>] smp_init+0x34/0xb8
+[    0.090425] [<ffffffff80c01220>] kernel_init_freeable+0x148/0x2e4
+[    0.090442] [<ffffffff80b83802>] kernel_init+0x1e/0x14c
+[    0.090455] [<ffffffff800124ca>] ret_from_fork_kernel+0xe/0xf0
+[    0.090471] [<ffffffff80b8d9c2>] ret_from_fork_kernel_asm+0x16/0x18
+[    0.090560] ---[ end trace 0000000000000000 ]---
+[    1.179875] CPU1: failed to come online
+[    1.190324] smp: Brought up 1 node, 1 CPU
+
+Cc: stable@vger.kernel.org
+Reported-by: Han Gao <rabenda.cn@gmail.com>
+Fixes: 6b9f29b81b15 ("riscv: Enable pcpu page first chunk allocator")
+Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Tested-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Signed-off-by: Vivian Wang <wangruikang@iscas.ac.cn>
+Link: https://lore.kernel.org/r/20250624-riscv-hsm-boot-data-array-v1-1-50b5eeafbe61@iscas.ac.cn
+Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/kernel/cpu_ops_sbi.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/riscv/kernel/cpu_ops_sbi.c
++++ b/arch/riscv/kernel/cpu_ops_sbi.c
+@@ -18,10 +18,10 @@ const struct cpu_operations cpu_ops_sbi;
+ /*
+  * Ordered booting via HSM brings one cpu at a time. However, cpu hotplug can
+- * be invoked from multiple threads in parallel. Define a per cpu data
++ * be invoked from multiple threads in parallel. Define an array of boot data
+  * to handle that.
+  */
+-static DEFINE_PER_CPU(struct sbi_hart_boot_data, boot_data);
++static struct sbi_hart_boot_data boot_data[NR_CPUS];
+ static int sbi_hsm_hart_start(unsigned long hartid, unsigned long saddr,
+                             unsigned long priv)
+@@ -67,7 +67,7 @@ static int sbi_cpu_start(unsigned int cp
+       unsigned long boot_addr = __pa_symbol(secondary_start_sbi);
+       unsigned long hartid = cpuid_to_hartid_map(cpuid);
+       unsigned long hsm_data;
+-      struct sbi_hart_boot_data *bdata = &per_cpu(boot_data, cpuid);
++      struct sbi_hart_boot_data *bdata = &boot_data[cpuid];
+       /* Make sure tidle is updated */
+       smp_mb();
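Review bot: The updated comment above `boot_data` says what is defined but not why it has to be a plain static array, so a later cleanup could turn it back into per-cpu data and reintroduce the hang described in the commit message. I would extend the comment with something like `* It must live in the kernel image: its physical address is handed to the started hart, and per-cpu data may sit in the vmalloc area where __pa() is not valid.` The conversion of `bdata` to a physical address happens after the last line shown in the second hunk, so that line deserves a second look for the same reason. sbi_cpu_start() begins and ends outside the hunk.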
index 47e214daa90418275ed044aff8fbb892dc62a33a..343404703e982d323a77cea744b97af5789d8393 100644 (file)
@@ -153,3 +153,15 @@ usb-dwc3-abort-suspend-on-soft-disconnect-failure.patch
 usb-dwc3-gadget-fix-trb-reclaim-logic-for-short-transfers-and-zlps.patch
 usb-chipidea-udc-disconnect-reconnect-from-host-when-do-suspend-resume.patch
 usb-acpi-fix-device-link-removal.patch
+smb-client-fix-readdir-returning-wrong-type-with-posix-extensions.patch
+cifs-all-initializations-for-tcon-should-happen-in-tcon_info_alloc.patch
+dma-buf-fix-timeout-handling-in-dma_resv_wait_timeout-v2.patch
+hid-appletb-kbd-fix-slab-use-after-free-bug-in-appletb_kbd_probe.patch
+dt-bindings-i2c-realtek-rtl9301-fix-missing-reg-constraint.patch
+i2c-designware-fix-an-initialization-issue.patch
+logitech-c-270-even-more-broken.patch
+optee-ffa-fix-sleep-in-atomic-context.patch
+iommu-rockchip-prevent-iommus-dead-loop-when-two-masters-share-one-iommu.patch
+iommu-vt-d-assign-devtlb-cache-tag-on-ats-enablement.patch
+powercap-intel_rapl-do-not-change-clamping-bit-if-enable-bit-cannot-be-changed.patch
+riscv-cpu_ops_sbi-use-static-array-for-boot_data.patch
diff --git a/queue-6.15/smb-client-fix-readdir-returning-wrong-type-with-posix-extensions.patch b/queue-6.15/smb-client-fix-readdir-returning-wrong-type-with-posix-extensions.patch
new file mode 100644 (file)
index 0000000..4c4255d
--- /dev/null
@@ -0,0 +1,43 @@
+From b8f89cb723b9e66f5dbd7199e4036fee34fb0de0 Mon Sep 17 00:00:00 2001
+From: Philipp Kerling <pkerling@casix.org>
+Date: Sun, 29 Jun 2025 19:05:05 +0200
+Subject: smb: client: fix readdir returning wrong type with POSIX extensions
+
+From: Philipp Kerling <pkerling@casix.org>
+
+commit b8f89cb723b9e66f5dbd7199e4036fee34fb0de0 upstream.
+
+When SMB 3.1.1 POSIX Extensions are negotiated, userspace applications
+using readdir() or getdents() calls without stat() on each individual file
+(such as a simple "ls" or "find") would misidentify file types and exhibit
+strange behavior such as not descending into directories. The reason for
+this behavior is an oversight in the cifs_posix_to_fattr conversion
+function. Instead of extracting the entry type for cf_dtype from the
+properly converted cf_mode field, it tries to extract the type from the
+PDU. While the wire representation of the entry mode is similar in
+structure to POSIX stat(), the assignments of the entry types are
+different. Applying the S_DT macro to cf_mode instead yields the correct
+result. This is also what the equivalent function
+smb311_posix_info_to_fattr in inode.c already does for stat() etc.; which
+is why "ls -l" would give the correct file type but "ls" would not (as
+identified by the colors).
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Philipp Kerling <pkerling@casix.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/readdir.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/smb/client/readdir.c
++++ b/fs/smb/client/readdir.c
+@@ -263,7 +263,7 @@ cifs_posix_to_fattr(struct cifs_fattr *f
+       /* The Mode field in the response can now include the file type as well */
+       fattr->cf_mode = wire_mode_to_posix(le32_to_cpu(info->Mode),
+                                           fattr->cf_cifsattrs & ATTR_DIRECTORY);
+-      fattr->cf_dtype = S_DT(le32_to_cpu(info->Mode));
++      fattr->cf_dtype = S_DT(fattr->cf_mode);
+       switch (fattr->cf_mode & S_IFMT) {
+       case S_IFLNK:
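Review bot: Nothing next to the changed `cf_dtype` line records that the type must come from the converted `cf_mode` rather than from `info->Mode`. The existing comment ("can now include the file type as well") even invites reading the type straight off the wire. A one-line comment above `fattr->cf_dtype = S_DT(fattr->cf_mode);`, such as `/* wire type bits differ from POSIX S_IFMT; derive d_type from the converted mode */`, would guard against the same mistake being reintroduced. cifs_posix_to_fattr() begins and ends outside the hunk.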