--- /dev/null
+From f489c948028b69cea235d9c0de1cc10eeb26a172 Mon Sep 17 00:00:00 2001
+From: Vanshidhar Konda <vanshikonda@os.amperecomputing.com>
+Date: Thu, 11 Apr 2024 16:18:44 -0700
+Subject: ACPI: CPPC: Fix access width used for PCC registers
+
+From: Vanshidhar Konda <vanshikonda@os.amperecomputing.com>
+
+commit f489c948028b69cea235d9c0de1cc10eeb26a172 upstream.
+
+commit 2f4a4d63a193 ("ACPI: CPPC: Use access_width over bit_width for system
+memory accesses") modified cpc_read()/cpc_write() to use access_width to
+read CPC registers.
+
+However, for PCC registers the access width field in the ACPI register
+macro specifies the PCC subspace ID. For non-zero PCC subspace ID it is
+incorrectly treated as access width. This causes errors when reading
+from PCC registers in the CPPC driver.
+
+For PCC registers, base the size of read/write on the bit width field.
+The debug message in cpc_read()/cpc_write() is updated to print relevant
+information for the address space type used to read the register.
+
+Fixes: 2f4a4d63a193 ("ACPI: CPPC: Use access_width over bit_width for system memory accesses")
+Signed-off-by: Vanshidhar Konda <vanshikonda@os.amperecomputing.com>
+Tested-by: Jarred White <jarredwhite@linux.microsoft.com>
+Reviewed-by: Jarred White <jarredwhite@linux.microsoft.com>
+Reviewed-by: Easwar Hariharan <eahariha@linux.microsoft.com>
+Cc: 5.15+ <stable@vger.kernel.org> # 5.15+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/cppc_acpi.c | 53 ++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 37 insertions(+), 16 deletions(-)
+
+--- a/drivers/acpi/cppc_acpi.c
++++ b/drivers/acpi/cppc_acpi.c
+@@ -998,14 +998,14 @@ static int cpc_read(int cpu, struct cpc_
+ }
+
+ *val = 0;
++ size = GET_BIT_WIDTH(reg);
+
+ if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_IO) {
+- u32 width = GET_BIT_WIDTH(reg);
+ u32 val_u32;
+ acpi_status status;
+
+ status = acpi_os_read_port((acpi_io_address)reg->address,
+- &val_u32, width);
++ &val_u32, size);
+ if (ACPI_FAILURE(status)) {
+ pr_debug("Error: Failed to read SystemIO port %llx\n",
+ reg->address);
+@@ -1014,17 +1014,22 @@ static int cpc_read(int cpu, struct cpc_
+
+ *val = val_u32;
+ return 0;
+- } else if (reg->space_id == ACPI_ADR_SPACE_PLATFORM_COMM && pcc_ss_id >= 0)
++ } else if (reg->space_id == ACPI_ADR_SPACE_PLATFORM_COMM && pcc_ss_id >= 0) {
++ /*
++ * For registers in PCC space, the register size is determined
++ * by the bit width field; the access size is used to indicate
++ * the PCC subspace id.
++ */
++ size = reg->bit_width;
+ vaddr = GET_PCC_VADDR(reg->address, pcc_ss_id);
++ }
+ else if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY)
+ vaddr = reg_res->sys_mem_vaddr;
+ else if (reg->space_id == ACPI_ADR_SPACE_FIXED_HARDWARE)
+ return cpc_read_ffh(cpu, reg, val);
+ else
+ return acpi_os_read_memory((acpi_physical_address)reg->address,
+- val, reg->bit_width);
+-
+- size = GET_BIT_WIDTH(reg);
++ val, size);
+
+ switch (size) {
+ case 8:
+@@ -1040,8 +1045,13 @@ static int cpc_read(int cpu, struct cpc_
+ *val = readq_relaxed(vaddr);
+ break;
+ default:
+- pr_debug("Error: Cannot read %u bit width from PCC for ss: %d\n",
+- reg->bit_width, pcc_ss_id);
++ if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) {
++ pr_debug("Error: Cannot read %u bit width from system memory: 0x%llx\n",
++ size, reg->address);
++ } else if (reg->space_id == ACPI_ADR_SPACE_PLATFORM_COMM) {
++ pr_debug("Error: Cannot read %u bit width from PCC for ss: %d\n",
++ size, pcc_ss_id);
++ }
+ return -EFAULT;
+ }
+
+@@ -1059,12 +1069,13 @@ static int cpc_write(int cpu, struct cpc
+ int pcc_ss_id = per_cpu(cpu_pcc_subspace_idx, cpu);
+ struct cpc_reg *reg = ®_res->cpc_entry.reg;
+
++ size = GET_BIT_WIDTH(reg);
++
+ if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_IO) {
+- u32 width = GET_BIT_WIDTH(reg);
+ acpi_status status;
+
+ status = acpi_os_write_port((acpi_io_address)reg->address,
+- (u32)val, width);
++ (u32)val, size);
+ if (ACPI_FAILURE(status)) {
+ pr_debug("Error: Failed to write SystemIO port %llx\n",
+ reg->address);
+@@ -1072,17 +1083,22 @@ static int cpc_write(int cpu, struct cpc
+ }
+
+ return 0;
+- } else if (reg->space_id == ACPI_ADR_SPACE_PLATFORM_COMM && pcc_ss_id >= 0)
++ } else if (reg->space_id == ACPI_ADR_SPACE_PLATFORM_COMM && pcc_ss_id >= 0) {
++ /*
++ * For registers in PCC space, the register size is determined
++ * by the bit width field; the access size is used to indicate
++ * the PCC subspace id.
++ */
++ size = reg->bit_width;
+ vaddr = GET_PCC_VADDR(reg->address, pcc_ss_id);
++ }
+ else if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY)
+ vaddr = reg_res->sys_mem_vaddr;
+ else if (reg->space_id == ACPI_ADR_SPACE_FIXED_HARDWARE)
+ return cpc_write_ffh(cpu, reg, val);
+ else
+ return acpi_os_write_memory((acpi_physical_address)reg->address,
+- val, reg->bit_width);
+-
+- size = GET_BIT_WIDTH(reg);
++ val, size);
+
+ if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY)
+ val = MASK_VAL(reg, val);
+@@ -1101,8 +1117,13 @@ static int cpc_write(int cpu, struct cpc
+ writeq_relaxed(val, vaddr);
+ break;
+ default:
+- pr_debug("Error: Cannot write %u bit width to PCC for ss: %d\n",
+- reg->bit_width, pcc_ss_id);
++ if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) {
++ pr_debug("Error: Cannot write %u bit width to system memory: 0x%llx\n",
++ size, reg->address);
++ } else if (reg->space_id == ACPI_ADR_SPACE_PLATFORM_COMM) {
++ pr_debug("Error: Cannot write %u bit width to PCC for ss: %d\n",
++ size, pcc_ss_id);
++ }
+ ret_val = -EFAULT;
+ break;
+ }
--- /dev/null
+From 05d92ee782eeb7b939bdd0189e6efcab9195bf95 Mon Sep 17 00:00:00 2001
+From: Jarred White <jarredwhite@linux.microsoft.com>
+Date: Mon, 8 Apr 2024 22:23:09 -0700
+Subject: ACPI: CPPC: Fix bit_offset shift in MASK_VAL() macro
+
+From: Jarred White <jarredwhite@linux.microsoft.com>
+
+commit 05d92ee782eeb7b939bdd0189e6efcab9195bf95 upstream.
+
+Commit 2f4a4d63a193 ("ACPI: CPPC: Use access_width over bit_width for
+system memory accesses") neglected to properly wrap the bit_offset shift
+when it comes to applying the mask. This may cause incorrect values to be
+read and may cause the cpufreq module not be loaded.
+
+[ 11.059751] cpu_capacity: CPU0 missing/invalid highest performance.
+[ 11.066005] cpu_capacity: partial information: fallback to 1024 for all CPUs
+
+Also, corrected the bitmask generation in GENMASK (extra bit being added).
+
+Fixes: 2f4a4d63a193 ("ACPI: CPPC: Use access_width over bit_width for system memory accesses")
+Signed-off-by: Jarred White <jarredwhite@linux.microsoft.com>
+Cc: 5.15+ <stable@vger.kernel.org> # 5.15+
+Reviewed-by: Vanshidhar Konda <vanshikonda@os.amperecomputing.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/cppc_acpi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/acpi/cppc_acpi.c
++++ b/drivers/acpi/cppc_acpi.c
+@@ -167,8 +167,8 @@ show_cppc_data(cppc_get_perf_ctrs, cppc_
+ #define GET_BIT_WIDTH(reg) ((reg)->access_width ? (8 << ((reg)->access_width - 1)) : (reg)->bit_width)
+
+ /* Shift and apply the mask for CPC reads/writes */
+-#define MASK_VAL(reg, val) ((val) >> ((reg)->bit_offset & \
+- GENMASK(((reg)->bit_width), 0)))
++#define MASK_VAL(reg, val) (((val) >> (reg)->bit_offset) & \
++ GENMASK(((reg)->bit_width) - 1, 0))
+
+ static ssize_t show_feedback_ctrs(struct kobject *kobj,
+ struct kobj_attribute *attr, char *buf)
--- /dev/null
+From 2f4a4d63a193be6fd530d180bb13c3592052904c Mon Sep 17 00:00:00 2001
+From: Jarred White <jarredwhite@linux.microsoft.com>
+Date: Fri, 1 Mar 2024 11:25:59 -0800
+Subject: ACPI: CPPC: Use access_width over bit_width for system memory accesses
+
+From: Jarred White <jarredwhite@linux.microsoft.com>
+
+commit 2f4a4d63a193be6fd530d180bb13c3592052904c upstream.
+
+To align with ACPI 6.3+, since bit_width can be any 8-bit value, it
+cannot be depended on to be always on a clean 8b boundary. This was
+uncovered on the Cobalt 100 platform.
+
+SError Interrupt on CPU26, code 0xbe000011 -- SError
+ CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted 5.15.2.1-13 #1
+ Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION
+ pstate: 62400009 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
+ pc : cppc_get_perf_caps+0xec/0x410
+ lr : cppc_get_perf_caps+0xe8/0x410
+ sp : ffff8000155ab730
+ x29: ffff8000155ab730 x28: ffff0080139d0038 x27: ffff0080139d0078
+ x26: 0000000000000000 x25: ffff0080139d0058 x24: 00000000ffffffff
+ x23: ffff0080139d0298 x22: ffff0080139d0278 x21: 0000000000000000
+ x20: ffff00802b251910 x19: ffff0080139d0000 x18: ffffffffffffffff
+ x17: 0000000000000000 x16: ffffdc7e111bad04 x15: ffff00802b251008
+ x14: ffffffffffffffff x13: ffff013f1fd63300 x12: 0000000000000006
+ x11: ffffdc7e128f4420 x10: 0000000000000000 x9 : ffffdc7e111badec
+ x8 : ffff00802b251980 x7 : 0000000000000000 x6 : ffff0080139d0028
+ x5 : 0000000000000000 x4 : ffff0080139d0018 x3 : 00000000ffffffff
+ x2 : 0000000000000008 x1 : ffff8000155ab7a0 x0 : 0000000000000000
+ Kernel panic - not syncing: Asynchronous SError Interrupt
+ CPU: 26 PID: 1510 Comm: systemd-udevd Not tainted
+5.15.2.1-13 #1
+ Hardware name: MICROSOFT CORPORATION, BIOS MICROSOFT CORPORATION
+ Call trace:
+ dump_backtrace+0x0/0x1e0
+ show_stack+0x24/0x30
+ dump_stack_lvl+0x8c/0xb8
+ dump_stack+0x18/0x34
+ panic+0x16c/0x384
+ add_taint+0x0/0xc0
+ arm64_serror_panic+0x7c/0x90
+ arm64_is_fatal_ras_serror+0x34/0xa4
+ do_serror+0x50/0x6c
+ el1h_64_error_handler+0x40/0x74
+ el1h_64_error+0x7c/0x80
+ cppc_get_perf_caps+0xec/0x410
+ cppc_cpufreq_cpu_init+0x74/0x400 [cppc_cpufreq]
+ cpufreq_online+0x2dc/0xa30
+ cpufreq_add_dev+0xc0/0xd4
+ subsys_interface_register+0x134/0x14c
+ cpufreq_register_driver+0x1b0/0x354
+ cppc_cpufreq_init+0x1a8/0x1000 [cppc_cpufreq]
+ do_one_initcall+0x50/0x250
+ do_init_module+0x60/0x27c
+ load_module+0x2300/0x2570
+ __do_sys_finit_module+0xa8/0x114
+ __arm64_sys_finit_module+0x2c/0x3c
+ invoke_syscall+0x78/0x100
+ el0_svc_common.constprop.0+0x180/0x1a0
+ do_el0_svc+0x84/0xa0
+ el0_svc+0x2c/0xc0
+ el0t_64_sync_handler+0xa4/0x12c
+ el0t_64_sync+0x1a4/0x1a8
+
+Instead, use access_width to determine the size and use the offset and
+width to shift and mask the bits to read/write out. Make sure to add a
+check for system memory since pcc redefines the access_width to
+subspace id.
+
+If access_width is not set, then fall back to using bit_width.
+
+Signed-off-by: Jarred White <jarredwhite@linux.microsoft.com>
+Reviewed-by: Easwar Hariharan <eahariha@linux.microsoft.com>
+Cc: 5.15+ <stable@vger.kernel.org> # 5.15+
+[ rjw: Subject and changelog edits, comment adjustments ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/cppc_acpi.c | 31 ++++++++++++++++++++++++++-----
+ 1 file changed, 26 insertions(+), 5 deletions(-)
+
+--- a/drivers/acpi/cppc_acpi.c
++++ b/drivers/acpi/cppc_acpi.c
+@@ -163,6 +163,13 @@ show_cppc_data(cppc_get_perf_caps, cppc_
+ show_cppc_data(cppc_get_perf_ctrs, cppc_perf_fb_ctrs, reference_perf);
+ show_cppc_data(cppc_get_perf_ctrs, cppc_perf_fb_ctrs, wraparound_time);
+
++/* Check for valid access_width, otherwise, fallback to using bit_width */
++#define GET_BIT_WIDTH(reg) ((reg)->access_width ? (8 << ((reg)->access_width - 1)) : (reg)->bit_width)
++
++/* Shift and apply the mask for CPC reads/writes */
++#define MASK_VAL(reg, val) ((val) >> ((reg)->bit_offset & \
++ GENMASK(((reg)->bit_width), 0)))
++
+ static ssize_t show_feedback_ctrs(struct kobject *kobj,
+ struct kobj_attribute *attr, char *buf)
+ {
+@@ -776,6 +783,7 @@ int acpi_cppc_processor_probe(struct acp
+ } else if (gas_t->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY) {
+ if (gas_t->address) {
+ void __iomem *addr;
++ size_t access_width;
+
+ if (!osc_cpc_flexible_adr_space_confirmed) {
+ pr_debug("Flexible address space capability not supported\n");
+@@ -783,7 +791,8 @@ int acpi_cppc_processor_probe(struct acp
+ goto out_free;
+ }
+
+- addr = ioremap(gas_t->address, gas_t->bit_width/8);
++ access_width = GET_BIT_WIDTH(gas_t) / 8;
++ addr = ioremap(gas_t->address, access_width);
+ if (!addr)
+ goto out_free;
+ cpc_ptr->cpc_regs[i-2].sys_mem_vaddr = addr;
+@@ -979,6 +988,7 @@ int __weak cpc_write_ffh(int cpunum, str
+ static int cpc_read(int cpu, struct cpc_register_resource *reg_res, u64 *val)
+ {
+ void __iomem *vaddr = NULL;
++ int size;
+ int pcc_ss_id = per_cpu(cpu_pcc_subspace_idx, cpu);
+ struct cpc_reg *reg = ®_res->cpc_entry.reg;
+
+@@ -990,7 +1000,7 @@ static int cpc_read(int cpu, struct cpc_
+ *val = 0;
+
+ if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_IO) {
+- u32 width = 8 << (reg->access_width - 1);
++ u32 width = GET_BIT_WIDTH(reg);
+ u32 val_u32;
+ acpi_status status;
+
+@@ -1014,7 +1024,9 @@ static int cpc_read(int cpu, struct cpc_
+ return acpi_os_read_memory((acpi_physical_address)reg->address,
+ val, reg->bit_width);
+
+- switch (reg->bit_width) {
++ size = GET_BIT_WIDTH(reg);
++
++ switch (size) {
+ case 8:
+ *val = readb_relaxed(vaddr);
+ break;
+@@ -1033,18 +1045,22 @@ static int cpc_read(int cpu, struct cpc_
+ return -EFAULT;
+ }
+
++ if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY)
++ *val = MASK_VAL(reg, *val);
++
+ return 0;
+ }
+
+ static int cpc_write(int cpu, struct cpc_register_resource *reg_res, u64 val)
+ {
+ int ret_val = 0;
++ int size;
+ void __iomem *vaddr = NULL;
+ int pcc_ss_id = per_cpu(cpu_pcc_subspace_idx, cpu);
+ struct cpc_reg *reg = ®_res->cpc_entry.reg;
+
+ if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_IO) {
+- u32 width = 8 << (reg->access_width - 1);
++ u32 width = GET_BIT_WIDTH(reg);
+ acpi_status status;
+
+ status = acpi_os_write_port((acpi_io_address)reg->address,
+@@ -1066,7 +1082,12 @@ static int cpc_write(int cpu, struct cpc
+ return acpi_os_write_memory((acpi_physical_address)reg->address,
+ val, reg->bit_width);
+
+- switch (reg->bit_width) {
++ size = GET_BIT_WIDTH(reg);
++
++ if (reg->space_id == ACPI_ADR_SPACE_SYSTEM_MEMORY)
++ val = MASK_VAL(reg, val);
++
++ switch (size) {
+ case 8:
+ writeb_relaxed(val, vaddr);
+ break;
--- /dev/null
+From 0ac417b8f124427c90ec8c2ef4f632b821d924cc Mon Sep 17 00:00:00 2001
+From: Iskander Amara <iskander.amara@theobroma-systems.com>
+Date: Fri, 8 Mar 2024 09:52:42 +0100
+Subject: arm64: dts: rockchip: enable internal pull-up for Q7_THRM# on RK3399 Puma
+
+From: Iskander Amara <iskander.amara@theobroma-systems.com>
+
+commit 0ac417b8f124427c90ec8c2ef4f632b821d924cc upstream.
+
+Q7_THRM# pin is connected to a diode on the module which is used
+as a level shifter, and the pin have a pull-down enabled by
+default. We need to configure it to internal pull-up, other-
+wise whenever the pin is configured as INPUT and we try to
+control it externally the value will always remain zero.
+
+Signed-off-by: Iskander Amara <iskander.amara@theobroma-systems.com>
+Fixes: 2c66fc34e945 ("arm64: dts: rockchip: add RK3399-Q7 (Puma) SoM")
+Reviewed-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240308085243.69903-1-iskander.amara@theobroma-systems.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3399-puma.dtsi
+@@ -407,6 +407,16 @@
+ };
+
+ &pinctrl {
++ pinctrl-names = "default";
++ pinctrl-0 = <&q7_thermal_pin>;
++
++ gpios {
++ q7_thermal_pin: q7-thermal-pin {
++ rockchip,pins =
++ <0 RK_PA3 RK_FUNC_GPIO &pcfg_pull_up>;
++ };
++ };
++
+ i2c8 {
+ i2c8_xfer_a: i2c8-xfer {
+ rockchip,pins =
--- /dev/null
+From d1a5a7eede2977da3d2002d5ea3b519019cc1a98 Mon Sep 17 00:00:00 2001
+From: WangYuli <wangyuli@uniontech.com>
+Date: Fri, 29 Mar 2024 10:34:39 +0800
+Subject: Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0bda:0x4853
+
+From: WangYuli <wangyuli@uniontech.com>
+
+commit d1a5a7eede2977da3d2002d5ea3b519019cc1a98 upstream.
+
+Add the support ID(0x0bda, 0x4853) to usb_device_id table for
+Realtek RTL8852BE.
+
+Without this change the device utilizes an obsolete version of
+the firmware that is encoded in it rather than the updated Realtek
+firmware and config files from the firmware directory. The latter
+files implement many new features.
+
+The device table is as follows:
+
+T: Bus=03 Lev=01 Prnt=01 Port=09 Cnt=03 Dev#= 4 Spd=12 MxCh= 0
+D: Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=0bda ProdID=4853 Rev= 0.00
+S: Manufacturer=Realtek
+S: Product=Bluetooth Radio
+S: SerialNumber=00e04c000001
+C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA
+I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: WangYuli <wangyuli@uniontech.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/btusb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -535,6 +535,8 @@ static const struct usb_device_id blackl
+ /* Realtek 8852BE Bluetooth devices */
+ { USB_DEVICE(0x0cb8, 0xc559), .driver_info = BTUSB_REALTEK |
+ BTUSB_WIDEBAND_SPEECH },
++ { USB_DEVICE(0x0bda, 0x4853), .driver_info = BTUSB_REALTEK |
++ BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x0bda, 0x887b), .driver_info = BTUSB_REALTEK |
+ BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x0bda, 0xb85b), .driver_info = BTUSB_REALTEK |
--- /dev/null
+From 9bf4e919ccad613b3596eebf1ff37b05b6405307 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Mon, 1 Apr 2024 11:24:17 -0700
+Subject: Bluetooth: Fix type of len in {l2cap,sco}_sock_getsockopt_old()
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 9bf4e919ccad613b3596eebf1ff37b05b6405307 upstream.
+
+After an innocuous optimization change in LLVM main (19.0.0), x86_64
+allmodconfig (which enables CONFIG_KCSAN / -fsanitize=thread) fails to
+build due to the checks in check_copy_size():
+
+ In file included from net/bluetooth/sco.c:27:
+ In file included from include/linux/module.h:13:
+ In file included from include/linux/stat.h:19:
+ In file included from include/linux/time.h:60:
+ In file included from include/linux/time32.h:13:
+ In file included from include/linux/timex.h:67:
+ In file included from arch/x86/include/asm/timex.h:6:
+ In file included from arch/x86/include/asm/tsc.h:10:
+ In file included from arch/x86/include/asm/msr.h:15:
+ In file included from include/linux/percpu.h:7:
+ In file included from include/linux/smp.h:118:
+ include/linux/thread_info.h:244:4: error: call to '__bad_copy_from'
+ declared with 'error' attribute: copy source size is too small
+ 244 | __bad_copy_from();
+ | ^
+
+The same exact error occurs in l2cap_sock.c. The copy_to_user()
+statements that are failing come from l2cap_sock_getsockopt_old() and
+sco_sock_getsockopt_old(). This does not occur with GCC with or without
+KCSAN or Clang without KCSAN enabled.
+
+len is defined as an 'int' because it is assigned from
+'__user int *optlen'. However, it is clamped against the result of
+sizeof(), which has a type of 'size_t' ('unsigned long' for 64-bit
+platforms). This is done with min_t() because min() requires compatible
+types, which results in both len and the result of sizeof() being casted
+to 'unsigned int', meaning len changes signs and the result of sizeof()
+is truncated. From there, len is passed to copy_to_user(), which has a
+third parameter type of 'unsigned long', so it is widened and changes
+signs again. This excessive casting in combination with the KCSAN
+instrumentation causes LLVM to fail to eliminate the __bad_copy_from()
+call, failing the build.
+
+The official recommendation from LLVM developers is to consistently use
+long types for all size variables to avoid the unnecessary casting in
+the first place. Change the type of len to size_t in both
+l2cap_sock_getsockopt_old() and sco_sock_getsockopt_old(). This clears
+up the error while allowing min_t() to be replaced with min(), resulting
+in simpler code with no casts and fewer implicit conversions. While len
+is a different type than optlen now, it should result in no functional
+change because the result of sizeof() will clamp all values of optlen in
+the same manner as before.
+
+Cc: stable@vger.kernel.org
+Closes: https://github.com/ClangBuiltLinux/linux/issues/2007
+Link: https://github.com/llvm/llvm-project/issues/85647
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Justin Stitt <justinstitt@google.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/l2cap_sock.c | 7 ++++---
+ net/bluetooth/sco.c | 7 ++++---
+ 2 files changed, 8 insertions(+), 6 deletions(-)
+
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -457,7 +457,8 @@ static int l2cap_sock_getsockopt_old(str
+ struct l2cap_chan *chan = l2cap_pi(sk)->chan;
+ struct l2cap_options opts;
+ struct l2cap_conninfo cinfo;
+- int len, err = 0;
++ int err = 0;
++ size_t len;
+ u32 opt;
+
+ BT_DBG("sk %p", sk);
+@@ -504,7 +505,7 @@ static int l2cap_sock_getsockopt_old(str
+
+ BT_DBG("mode 0x%2.2x", chan->mode);
+
+- len = min_t(unsigned int, len, sizeof(opts));
++ len = min(len, sizeof(opts));
+ if (copy_to_user(optval, (char *) &opts, len))
+ err = -EFAULT;
+
+@@ -554,7 +555,7 @@ static int l2cap_sock_getsockopt_old(str
+ cinfo.hci_handle = chan->conn->hcon->handle;
+ memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
+
+- len = min_t(unsigned int, len, sizeof(cinfo));
++ len = min(len, sizeof(cinfo));
+ if (copy_to_user(optval, (char *) &cinfo, len))
+ err = -EFAULT;
+
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -971,7 +971,8 @@ static int sco_sock_getsockopt_old(struc
+ struct sock *sk = sock->sk;
+ struct sco_options opts;
+ struct sco_conninfo cinfo;
+- int len, err = 0;
++ int err = 0;
++ size_t len;
+
+ BT_DBG("sk %p", sk);
+
+@@ -993,7 +994,7 @@ static int sco_sock_getsockopt_old(struc
+
+ BT_DBG("mtu %u", opts.mtu);
+
+- len = min_t(unsigned int, len, sizeof(opts));
++ len = min(len, sizeof(opts));
+ if (copy_to_user(optval, (char *)&opts, len))
+ err = -EFAULT;
+
+@@ -1011,7 +1012,7 @@ static int sco_sock_getsockopt_old(struc
+ cinfo.hci_handle = sco_pi(sk)->conn->hcon->handle;
+ memcpy(cinfo.dev_class, sco_pi(sk)->conn->hcon->dev_class, 3);
+
+- len = min_t(unsigned int, len, sizeof(cinfo));
++ len = min(len, sizeof(cinfo));
+ if (copy_to_user(optval, (char *)&cinfo, len))
+ err = -EFAULT;
+
--- /dev/null
+From 73e87c0a49fda31d7b589edccf4c72e924411371 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro@kernel.org>
+Date: Mon, 22 Apr 2024 15:57:47 +0200
+Subject: Bluetooth: qca: fix NULL-deref on non-serdev suspend
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+commit 73e87c0a49fda31d7b589edccf4c72e924411371 upstream.
+
+Qualcomm ROME controllers can be registered from the Bluetooth line
+discipline and in this case the HCI UART serdev pointer is NULL.
+
+Add the missing sanity check to prevent a NULL-pointer dereference when
+wakeup() is called for a non-serdev controller during suspend.
+
+Just return true for now to restore the original behaviour and address
+the crash with pre-6.2 kernels, which do not have commit e9b3e5b8c657
+("Bluetooth: hci_qca: only assign wakeup with serial port support") that
+causes the crash to happen already at setup() time.
+
+Fixes: c1a74160eaf1 ("Bluetooth: hci_qca: Add device_may_wakeup support")
+Cc: stable@vger.kernel.org # 5.13
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bluetooth/hci_qca.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/hci_qca.c
++++ b/drivers/bluetooth/hci_qca.c
+@@ -1645,6 +1645,9 @@ static bool qca_wakeup(struct hci_dev *h
+ struct hci_uart *hu = hci_get_drvdata(hdev);
+ bool wakeup;
+
++ if (!hu->serdev)
++ return true;
++
+ /* BT SoC attached through the serial bus is handled by the serdev driver.
+ * So we need to use the device handle of the serdev driver to get the
+ * status of device may wakeup.
--- /dev/null
+From 2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf Mon Sep 17 00:00:00 2001
+From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Date: Wed, 17 Apr 2024 10:45:47 +0200
+Subject: btrfs: fix information leak in btrfs_ioctl_logical_to_ino()
+
+From: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+
+commit 2f7ef5bb4a2f3e481ef05fab946edb97c84f67cf upstream.
+
+Syzbot reported the following information leak for in
+btrfs_ioctl_logical_to_ino():
+
+ BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
+ BUG: KMSAN: kernel-infoleak in _copy_to_user+0xbc/0x110 lib/usercopy.c:40
+ instrument_copy_to_user include/linux/instrumented.h:114 [inline]
+ _copy_to_user+0xbc/0x110 lib/usercopy.c:40
+ copy_to_user include/linux/uaccess.h:191 [inline]
+ btrfs_ioctl_logical_to_ino+0x440/0x750 fs/btrfs/ioctl.c:3499
+ btrfs_ioctl+0x714/0x1260
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:904 [inline]
+ __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890
+ __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890
+ x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+ Uninit was created at:
+ __kmalloc_large_node+0x231/0x370 mm/slub.c:3921
+ __do_kmalloc_node mm/slub.c:3954 [inline]
+ __kmalloc_node+0xb07/0x1060 mm/slub.c:3973
+ kmalloc_node include/linux/slab.h:648 [inline]
+ kvmalloc_node+0xc0/0x2d0 mm/util.c:634
+ kvmalloc include/linux/slab.h:766 [inline]
+ init_data_container+0x49/0x1e0 fs/btrfs/backref.c:2779
+ btrfs_ioctl_logical_to_ino+0x17c/0x750 fs/btrfs/ioctl.c:3480
+ btrfs_ioctl+0x714/0x1260
+ vfs_ioctl fs/ioctl.c:51 [inline]
+ __do_sys_ioctl fs/ioctl.c:904 [inline]
+ __se_sys_ioctl+0x261/0x450 fs/ioctl.c:890
+ __x64_sys_ioctl+0x96/0xe0 fs/ioctl.c:890
+ x64_sys_call+0x1883/0x3b50 arch/x86/include/generated/asm/syscalls_64.h:17
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+ Bytes 40-65535 of 65536 are uninitialized
+ Memory access of size 65536 starts at ffff888045a40000
+
+This happens, because we're copying a 'struct btrfs_data_container' back
+to user-space. This btrfs_data_container is allocated in
+'init_data_container()' via kvmalloc(), which does not zero-fill the
+memory.
+
+Fix this by using kvzalloc() which zeroes out the memory on allocation.
+
+CC: stable@vger.kernel.org # 4.14+
+Reported-by: <syzbot+510a1abbb8116eeb341d@syzkaller.appspotmail.com>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: Johannes Thumshirn <Johannes.thumshirn@wdc.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/backref.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+--- a/fs/btrfs/backref.c
++++ b/fs/btrfs/backref.c
+@@ -2475,20 +2475,14 @@ struct btrfs_data_container *init_data_c
+ size_t alloc_bytes;
+
+ alloc_bytes = max_t(size_t, total_bytes, sizeof(*data));
+- data = kvmalloc(alloc_bytes, GFP_KERNEL);
++ data = kvzalloc(alloc_bytes, GFP_KERNEL);
+ if (!data)
+ return ERR_PTR(-ENOMEM);
+
+- if (total_bytes >= sizeof(*data)) {
++ if (total_bytes >= sizeof(*data))
+ data->bytes_left = total_bytes - sizeof(*data);
+- data->bytes_missing = 0;
+- } else {
++ else
+ data->bytes_missing = sizeof(*data) - total_bytes;
+- data->bytes_left = 0;
+- }
+-
+- data->elem_cnt = 0;
+- data->elem_missed = 0;
+
+ return data;
+ }
--- /dev/null
+From fe42754b94a42d08cf9501790afc25c4f6a5f631 Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Fri, 19 Apr 2024 17:05:54 -0700
+Subject: cpu: Re-enable CPU mitigations by default for !X86 architectures
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit fe42754b94a42d08cf9501790afc25c4f6a5f631 upstream.
+
+Rename x86's to CPU_MITIGATIONS, define it in generic code, and force it
+on for all architectures exception x86. A recent commit to turn
+mitigations off by default if SPECULATION_MITIGATIONS=n kinda sorta
+missed that "cpu_mitigations" is completely generic, whereas
+SPECULATION_MITIGATIONS is x86-specific.
+
+Rename x86's SPECULATIVE_MITIGATIONS instead of keeping both and have it
+select CPU_MITIGATIONS, as having two configs for the same thing is
+unnecessary and confusing. This will also allow x86 to use the knob to
+manage mitigations that aren't strictly related to speculative
+execution.
+
+Use another Kconfig to communicate to common code that CPU_MITIGATIONS
+is already defined instead of having x86's menu depend on the common
+CPU_MITIGATIONS. This allows keeping a single point of contact for all
+of x86's mitigations, and it's not clear that other architectures *want*
+to allow disabling mitigations at compile-time.
+
+Fixes: f337a6a21e2f ("x86/cpu: Actually turn off mitigations by default for SPECULATION_MITIGATIONS=n")
+Closes: https://lkml.kernel.org/r/20240413115324.53303a68%40canb.auug.org.au
+Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
+Reported-by: Michael Ellerman <mpe@ellerman.id.au>
+Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
+Acked-by: Borislav Petkov (AMD) <bp@alien8.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240420000556.2645001-2-seanjc@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/Kconfig | 8 ++++++++
+ arch/x86/Kconfig | 11 ++++++-----
+ kernel/cpu.c | 4 ++--
+ 3 files changed, 16 insertions(+), 7 deletions(-)
+
+--- a/arch/Kconfig
++++ b/arch/Kconfig
+@@ -9,6 +9,14 @@
+ #
+ source "arch/$(SRCARCH)/Kconfig"
+
++config ARCH_CONFIGURES_CPU_MITIGATIONS
++ bool
++
++if !ARCH_CONFIGURES_CPU_MITIGATIONS
++config CPU_MITIGATIONS
++ def_bool y
++endif
++
+ menu "General architecture-dependent options"
+
+ config CRASH_CORE
+--- a/arch/x86/Kconfig
++++ b/arch/x86/Kconfig
+@@ -61,6 +61,7 @@ config X86
+ select ACPI_SYSTEM_POWER_STATES_SUPPORT if ACPI
+ select ARCH_32BIT_OFF_T if X86_32
+ select ARCH_CLOCKSOURCE_INIT
++ select ARCH_CONFIGURES_CPU_MITIGATIONS
+ select ARCH_CORRECT_STACKTRACE_ON_KRETPROBE
+ select ARCH_ENABLE_HUGEPAGE_MIGRATION if X86_64 && HUGETLB_PAGE && MIGRATION
+ select ARCH_ENABLE_MEMORY_HOTPLUG if X86_64
+@@ -2449,17 +2450,17 @@ config CC_HAS_SLS
+ config CC_HAS_RETURN_THUNK
+ def_bool $(cc-option,-mfunction-return=thunk-extern)
+
+-menuconfig SPECULATION_MITIGATIONS
+- bool "Mitigations for speculative execution vulnerabilities"
++menuconfig CPU_MITIGATIONS
++ bool "Mitigations for CPU vulnerabilities"
+ default y
+ help
+- Say Y here to enable options which enable mitigations for
+- speculative execution hardware vulnerabilities.
++ Say Y here to enable options which enable mitigations for hardware
++ vulnerabilities (usually related to speculative execution).
+
+ If you say N, all mitigations will be disabled. You really
+ should know what you are doing to say so.
+
+-if SPECULATION_MITIGATIONS
++if CPU_MITIGATIONS
+
+ config PAGE_TABLE_ISOLATION
+ bool "Remove the kernel mapping in user mode"
+--- a/kernel/cpu.c
++++ b/kernel/cpu.c
+@@ -2788,8 +2788,8 @@ enum cpu_mitigations {
+ };
+
+ static enum cpu_mitigations cpu_mitigations __ro_after_init =
+- IS_ENABLED(CONFIG_SPECULATION_MITIGATIONS) ? CPU_MITIGATIONS_AUTO :
+- CPU_MITIGATIONS_OFF;
++ IS_ENABLED(CONFIG_CPU_MITIGATIONS) ? CPU_MITIGATIONS_AUTO :
++ CPU_MITIGATIONS_OFF;
+
+ static int __init mitigations_parse_cmdline(char *arg)
+ {
--- /dev/null
+From 25e9227c6afd200bed6774c866980b8e36d033af Mon Sep 17 00:00:00 2001
+From: Mukul Joshi <mukul.joshi@amd.com>
+Date: Thu, 18 Apr 2024 11:32:34 -0400
+Subject: drm/amdgpu: Fix leak when GPU memory allocation fails
+
+From: Mukul Joshi <mukul.joshi@amd.com>
+
+commit 25e9227c6afd200bed6774c866980b8e36d033af upstream.
+
+Free the sync object if the memory allocation fails for any
+reason.
+
+Signed-off-by: Mukul Joshi <mukul.joshi@amd.com>
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c
+@@ -1779,6 +1779,7 @@ err_node_allow:
+ err_bo_create:
+ amdgpu_amdkfd_unreserve_mem_limit(adev, aligned_size, flags);
+ err_reserve_limit:
++ amdgpu_sync_free(&(*mem)->sync);
+ mutex_destroy(&(*mem)->lock);
+ if (gobj)
+ drm_gem_object_put(gobj);
--- /dev/null
+From 9792b7cc18aaa0c2acae6af5d0acf249bcb1ab0d Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Sun, 14 Apr 2024 21:20:56 -0400
+Subject: drm/amdgpu/sdma5.2: use legacy HDP flush for SDMA2/3
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 9792b7cc18aaa0c2acae6af5d0acf249bcb1ab0d upstream.
+
+This avoids a potential conflict with firmwares with the newer
+HDP flush mechanism.
+
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c | 24 ++++++++++++++----------
+ 1 file changed, 14 insertions(+), 10 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c
++++ b/drivers/gpu/drm/amd/amdgpu/sdma_v5_2.c
+@@ -345,17 +345,21 @@ static void sdma_v5_2_ring_emit_hdp_flus
+ u32 ref_and_mask = 0;
+ const struct nbio_hdp_flush_reg *nbio_hf_reg = adev->nbio.hdp_flush_reg;
+
+- ref_and_mask = nbio_hf_reg->ref_and_mask_sdma0 << ring->me;
++ if (ring->me > 1) {
++ amdgpu_asic_flush_hdp(adev, ring);
++ } else {
++ ref_and_mask = nbio_hf_reg->ref_and_mask_sdma0 << ring->me;
+
+- amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_POLL_REGMEM) |
+- SDMA_PKT_POLL_REGMEM_HEADER_HDP_FLUSH(1) |
+- SDMA_PKT_POLL_REGMEM_HEADER_FUNC(3)); /* == */
+- amdgpu_ring_write(ring, (adev->nbio.funcs->get_hdp_flush_done_offset(adev)) << 2);
+- amdgpu_ring_write(ring, (adev->nbio.funcs->get_hdp_flush_req_offset(adev)) << 2);
+- amdgpu_ring_write(ring, ref_and_mask); /* reference */
+- amdgpu_ring_write(ring, ref_and_mask); /* mask */
+- amdgpu_ring_write(ring, SDMA_PKT_POLL_REGMEM_DW5_RETRY_COUNT(0xfff) |
+- SDMA_PKT_POLL_REGMEM_DW5_INTERVAL(10)); /* retry count, poll interval */
++ amdgpu_ring_write(ring, SDMA_PKT_HEADER_OP(SDMA_OP_POLL_REGMEM) |
++ SDMA_PKT_POLL_REGMEM_HEADER_HDP_FLUSH(1) |
++ SDMA_PKT_POLL_REGMEM_HEADER_FUNC(3)); /* == */
++ amdgpu_ring_write(ring, (adev->nbio.funcs->get_hdp_flush_done_offset(adev)) << 2);
++ amdgpu_ring_write(ring, (adev->nbio.funcs->get_hdp_flush_req_offset(adev)) << 2);
++ amdgpu_ring_write(ring, ref_and_mask); /* reference */
++ amdgpu_ring_write(ring, ref_and_mask); /* mask */
++ amdgpu_ring_write(ring, SDMA_PKT_POLL_REGMEM_DW5_RETRY_COUNT(0xfff) |
++ SDMA_PKT_POLL_REGMEM_DW5_INTERVAL(10)); /* retry count, poll interval */
++ }
+ }
+
+ /**
--- /dev/null
+From 9c0f59e47a90c54d0153f8ddc0f80d7a36207d0e Mon Sep 17 00:00:00 2001
+From: Nam Cao <namcao@linutronix.de>
+Date: Mon, 18 Mar 2024 11:59:02 +0100
+Subject: HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent lock-up
+
+From: Nam Cao <namcao@linutronix.de>
+
+commit 9c0f59e47a90c54d0153f8ddc0f80d7a36207d0e upstream.
+
+The flag I2C_HID_READ_PENDING is used to serialize I2C operations.
+However, this is not necessary, because I2C core already has its own
+locking for that.
+
+More importantly, this flag can cause a lock-up: if the flag is set in
+i2c_hid_xfer() and an interrupt happens, the interrupt handler
+(i2c_hid_irq) will check this flag and return immediately without doing
+anything, then the interrupt handler will be invoked again in an
+infinite loop.
+
+Since interrupt handler is an RT task, it takes over the CPU and the
+flag-clearing task never gets scheduled, thus we have a lock-up.
+
+Delete this unnecessary flag.
+
+Reported-and-tested-by: Eva Kurchatova <nyandarknessgirl@gmail.com>
+Closes: https://lore.kernel.org/r/CA+eeCSPUDpUg76ZO8dszSbAGn+UHjcyv8F1J-CUPVARAzEtW9w@mail.gmail.com
+Fixes: 4a200c3b9a40 ("HID: i2c-hid: introduce HID over i2c specification implementation")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Nam Cao <namcao@linutronix.de>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/i2c-hid/i2c-hid-core.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+--- a/drivers/hid/i2c-hid/i2c-hid-core.c
++++ b/drivers/hid/i2c-hid/i2c-hid-core.c
+@@ -61,7 +61,6 @@
+ /* flags */
+ #define I2C_HID_STARTED 0
+ #define I2C_HID_RESET_PENDING 1
+-#define I2C_HID_READ_PENDING 2
+
+ #define I2C_HID_PWR_ON 0x00
+ #define I2C_HID_PWR_SLEEP 0x01
+@@ -193,15 +192,10 @@ static int i2c_hid_xfer(struct i2c_hid *
+ msgs[n].len = recv_len;
+ msgs[n].buf = recv_buf;
+ n++;
+-
+- set_bit(I2C_HID_READ_PENDING, &ihid->flags);
+ }
+
+ ret = i2c_transfer(client->adapter, msgs, n);
+
+- if (recv_len)
+- clear_bit(I2C_HID_READ_PENDING, &ihid->flags);
+-
+ if (ret != n)
+ return ret < 0 ? ret : -EIO;
+
+@@ -569,9 +563,6 @@ static irqreturn_t i2c_hid_irq(int irq,
+ {
+ struct i2c_hid *ihid = dev_id;
+
+- if (test_bit(I2C_HID_READ_PENDING, &ihid->flags))
+- return IRQ_HANDLED;
+-
+ i2c_hid_get_input(ihid);
+
+ return IRQ_HANDLED;
--- /dev/null
+From c26591afd33adce296c022e3480dea4282b7ef91 Mon Sep 17 00:00:00 2001
+From: Guanrui Huang <guanrui.huang@linux.alibaba.com>
+Date: Thu, 18 Apr 2024 14:10:52 +0800
+Subject: irqchip/gic-v3-its: Prevent double free on error
+
+From: Guanrui Huang <guanrui.huang@linux.alibaba.com>
+
+commit c26591afd33adce296c022e3480dea4282b7ef91 upstream.
+
+The error handling path in its_vpe_irq_domain_alloc() causes a double free
+when its_vpe_init() fails after successfully allocating at least one
+interrupt. This happens because its_vpe_irq_domain_free() frees the
+interrupts along with the area bitmap and the vprop_page and
+its_vpe_irq_domain_alloc() subsequently frees the area bitmap and the
+vprop_page again.
+
+Fix this by unconditionally invoking its_vpe_irq_domain_free() which
+handles all cases correctly and by removing the bitmap/vprop_page freeing
+from its_vpe_irq_domain_alloc().
+
+[ tglx: Massaged change log ]
+
+Fixes: 7d75bbb4bc1a ("irqchip/gic-v3-its: Add VPE irq domain allocation/teardown")
+Signed-off-by: Guanrui Huang <guanrui.huang@linux.alibaba.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Marc Zyngier <maz@kernel.org>
+Reviewed-by: Zenghui Yu <yuzenghui@huawei.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240418061053.96803-2-guanrui.huang@linux.alibaba.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-gic-v3-its.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -4535,13 +4535,8 @@ static int its_vpe_irq_domain_alloc(stru
+ set_bit(i, bitmap);
+ }
+
+- if (err) {
+- if (i > 0)
+- its_vpe_irq_domain_free(domain, virq, i);
+-
+- its_lpi_free(bitmap, base, nr_ids);
+- its_free_prop_table(vprop_page);
+- }
++ if (err)
++ its_vpe_irq_domain_free(domain, virq, i);
+
+ return err;
+ }
--- /dev/null
+From efb44ff64c95340b06331fc48634b99efc9dd77c Mon Sep 17 00:00:00 2001
+From: Jiantao Shan <shanjiantao@loongson.cn>
+Date: Wed, 24 Apr 2024 12:36:07 +0800
+Subject: LoongArch: Fix access error when read fault on a write-only VMA
+
+From: Jiantao Shan <shanjiantao@loongson.cn>
+
+commit efb44ff64c95340b06331fc48634b99efc9dd77c upstream.
+
+As with most architectures, allow handling of read faults in VMAs that
+have VM_WRITE but without VM_READ (WRITE implies READ).
+
+Otherwise, reading before writing a write-only memory will error while
+reading after writing everything is fine.
+
+BTW, move the VM_EXEC judgement before VM_READ/VM_WRITE to make logic a
+little clearer.
+
+Cc: stable@vger.kernel.org
+Fixes: 09cfefb7fa70c3af01 ("LoongArch: Add memory management")
+Signed-off-by: Jiantao Shan <shanjiantao@loongson.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/mm/fault.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/loongarch/mm/fault.c
++++ b/arch/loongarch/mm/fault.c
+@@ -193,10 +193,10 @@ good_area:
+ if (!(vma->vm_flags & VM_WRITE))
+ goto bad_area;
+ } else {
+- if (!(vma->vm_flags & VM_READ) && address != exception_era(regs))
+- goto bad_area;
+ if (!(vma->vm_flags & VM_EXEC) && address == exception_era(regs))
+ goto bad_area;
++ if (!(vma->vm_flags & (VM_READ | VM_WRITE)) && address != exception_era(regs))
++ goto bad_area;
+ }
+
+ /*
--- /dev/null
+From d3119bc985fb645ad3b2a9cf9952c1d56d9daaa3 Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhuacai@loongson.cn>
+Date: Wed, 24 Apr 2024 12:36:07 +0800
+Subject: LoongArch: Fix callchain parse error with kernel tracepoint events
+
+From: Huacai Chen <chenhuacai@loongson.cn>
+
+commit d3119bc985fb645ad3b2a9cf9952c1d56d9daaa3 upstream.
+
+In order to fix perf's callchain parse error for LoongArch, we implement
+perf_arch_fetch_caller_regs() which fills several necessary registers
+used for callchain unwinding, including sp, fp, and era. This is similar
+to the following commits.
+
+commit b3eac0265bf6:
+("arm: perf: Fix callchain parse error with kernel tracepoint events")
+
+commit 5b09a094f2fb:
+("arm64: perf: Fix callchain parse error with kernel tracepoint events")
+
+commit 9a7e8ec0d4cc:
+("riscv: perf: Fix callchain parse error with kernel tracepoint events")
+
+Test with commands:
+
+ perf record -e sched:sched_switch -g --call-graph dwarf
+ perf report
+
+Without this patch:
+
+ Children Self Command Shared Object Symbol
+ ........ ........ ............. ................. ....................
+
+ 43.41% 43.41% swapper [unknown] [k] 0000000000000000
+
+ 10.94% 10.94% loong-container [unknown] [k] 0000000000000000
+ |
+ |--5.98%--0x12006ba38
+ |
+ |--2.56%--0x12006bb84
+ |
+ --2.40%--0x12006b6b8
+
+With this patch, callchain can be parsed correctly:
+
+ Children Self Command Shared Object Symbol
+ ........ ........ ............. ................. ....................
+
+ 47.57% 47.57% swapper [kernel.vmlinux] [k] __schedule
+ |
+ ---__schedule
+
+ 26.76% 26.76% loong-container [kernel.vmlinux] [k] __schedule
+ |
+ |--13.78%--0x12006ba38
+ | |
+ | |--9.19%--__schedule
+ | |
+ | --4.59%--handle_syscall
+ | do_syscall
+ | sys_futex
+ | do_futex
+ | futex_wait
+ | futex_wait_queue_me
+ | hrtimer_start_range_ns
+ | __schedule
+ |
+ |--8.38%--0x12006bb84
+ | handle_syscall
+ | do_syscall
+ | sys_epoll_pwait
+ | do_epoll_wait
+ | schedule_hrtimeout_range_clock
+ | hrtimer_start_range_ns
+ | __schedule
+ |
+ --4.59%--0x12006b6b8
+ handle_syscall
+ do_syscall
+ sys_nanosleep
+ hrtimer_nanosleep
+ do_nanosleep
+ hrtimer_start_range_ns
+ __schedule
+
+Cc: stable@vger.kernel.org
+Fixes: b37042b2bb7cd751f0 ("LoongArch: Add perf events support")
+Reported-by: Youling Tang <tangyouling@kylinos.cn>
+Suggested-by: Youling Tang <tangyouling@kylinos.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/include/asm/perf_event.h | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/arch/loongarch/include/asm/perf_event.h b/arch/loongarch/include/asm/perf_event.h
+index 2a35a0bc2aaa..52b638059e40 100644
+--- a/arch/loongarch/include/asm/perf_event.h
++++ b/arch/loongarch/include/asm/perf_event.h
+@@ -7,6 +7,14 @@
+ #ifndef __LOONGARCH_PERF_EVENT_H__
+ #define __LOONGARCH_PERF_EVENT_H__
+
++#include <asm/ptrace.h>
++
+ #define perf_arch_bpf_user_pt_regs(regs) (struct user_pt_regs *)regs
+
++#define perf_arch_fetch_caller_regs(regs, __ip) { \
++ (regs)->csr_era = (__ip); \
++ (regs)->regs[3] = current_stack_pointer; \
++ (regs)->regs[22] = (unsigned long) __builtin_frame_address(0); \
++}
++
+ #endif /* __LOONGARCH_PERF_EVENT_H__ */
+--
+2.44.0
+
--- /dev/null
+From f8def10f73a516b771051a2f70f2f0446902cb4f Mon Sep 17 00:00:00 2001
+From: Mantas Pucka <mantas@8devices.com>
+Date: Thu, 21 Mar 2024 14:30:01 +0000
+Subject: mmc: sdhci-msm: pervent access to suspended controller
+
+From: Mantas Pucka <mantas@8devices.com>
+
+commit f8def10f73a516b771051a2f70f2f0446902cb4f upstream.
+
+Generic sdhci code registers LED device and uses host->runtime_suspended
+flag to protect access to it. The sdhci-msm driver doesn't set this flag,
+which causes a crash when LED is accessed while controller is runtime
+suspended. Fix this by setting the flag correctly.
+
+Cc: stable@vger.kernel.org
+Fixes: 67e6db113c90 ("mmc: sdhci-msm: Add pm_runtime and system PM support")
+Signed-off-by: Mantas Pucka <mantas@8devices.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/20240321-sdhci-mmc-suspend-v1-1-fbc555a64400@8devices.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-msm.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci-msm.c
++++ b/drivers/mmc/host/sdhci-msm.c
+@@ -2831,6 +2831,11 @@ static __maybe_unused int sdhci_msm_runt
+ struct sdhci_host *host = dev_get_drvdata(dev);
+ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
+ struct sdhci_msm_host *msm_host = sdhci_pltfm_priv(pltfm_host);
++ unsigned long flags;
++
++ spin_lock_irqsave(&host->lock, flags);
++ host->runtime_suspended = true;
++ spin_unlock_irqrestore(&host->lock, flags);
+
+ /* Drop the performance vote */
+ dev_pm_opp_set_rate(dev, 0);
+@@ -2845,6 +2850,7 @@ static __maybe_unused int sdhci_msm_runt
+ struct sdhci_host *host = dev_get_drvdata(dev);
+ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
+ struct sdhci_msm_host *msm_host = sdhci_pltfm_priv(pltfm_host);
++ unsigned long flags;
+ int ret;
+
+ ret = clk_bulk_prepare_enable(ARRAY_SIZE(msm_host->bulk_clks),
+@@ -2863,7 +2869,15 @@ static __maybe_unused int sdhci_msm_runt
+
+ dev_pm_opp_set_rate(dev, msm_host->clk_rate);
+
+- return sdhci_msm_ice_resume(msm_host);
++ ret = sdhci_msm_ice_resume(msm_host);
++ if (ret)
++ return ret;
++
++ spin_lock_irqsave(&host->lock, flags);
++ host->runtime_suspended = false;
++ spin_unlock_irqrestore(&host->lock, flags);
++
++ return ret;
+ }
+
+ static const struct dev_pm_ops sdhci_msm_pm_ops = {
--- /dev/null
+From 7d49f53af4b988b188d3932deac2c9c80fd7d9ce Mon Sep 17 00:00:00 2001
+From: Alice Ryhl <aliceryhl@google.com>
+Date: Fri, 8 Mar 2024 09:36:31 +0000
+Subject: rust: don't select CONSTRUCTORS
+
+From: Alice Ryhl <aliceryhl@google.com>
+
+commit 7d49f53af4b988b188d3932deac2c9c80fd7d9ce upstream.
+
+This was originally part of commit 4b9a68f2e59a0 ("rust: add support for
+static synchronisation primitives") from the old Rust branch, which used
+module constructors to initialize globals containing various
+synchronisation primitives with pin-init. That commit has never been
+upstreamed, but the `select CONSTRUCTORS` statement ended up being
+included in the patch that initially added Rust support to the Linux
+Kernel.
+
+We are not using module constructors, so let's remove the select.
+
+Signed-off-by: Alice Ryhl <aliceryhl@google.com>
+Reviewed-by: Benno Lossin <benno.lossin@proton.me>
+Cc: stable@vger.kernel.org
+Fixes: 2f7ab1267dc9 ("Kbuild: add Rust support")
+Link: https://lore.kernel.org/r/20240308-constructors-v1-1-4c811342391c@google.com
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ init/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1924,7 +1924,6 @@ config RUST
+ depends on !GCC_PLUGINS
+ depends on !RANDSTRUCT
+ depends on !DEBUG_INFO_BTF || PAHOLE_HAS_LANG_EXCLUDE
+- select CONSTRUCTORS
+ help
+ Enables Rust support in the kernel.
+
--- /dev/null
+From 323617f649c0966ad5e741e47e27e06d3a680d8f Mon Sep 17 00:00:00 2001
+From: Wedson Almeida Filho <walmeida@microsoft.com>
+Date: Thu, 28 Mar 2024 16:54:54 -0300
+Subject: rust: kernel: require `Send` for `Module` implementations
+
+From: Wedson Almeida Filho <walmeida@microsoft.com>
+
+commit 323617f649c0966ad5e741e47e27e06d3a680d8f upstream.
+
+The thread that calls the module initialisation code when a module is
+loaded is not guaranteed [in fact, it is unlikely] to be the same one
+that calls the module cleanup code on module unload, therefore, `Module`
+implementations must be `Send` to account for them moving from one
+thread to another implicitly.
+
+Signed-off-by: Wedson Almeida Filho <walmeida@microsoft.com>
+Reviewed-by: Alice Ryhl <aliceryhl@google.com>
+Reviewed-by: Benno Lossin <benno.lossin@proton.me>
+Cc: stable@vger.kernel.org # 6.8.x: df70d04d5697: rust: phy: implement `Send` for `Registration`
+Cc: stable@vger.kernel.org
+Fixes: 247b365dc8dc ("rust: add `kernel` crate")
+Link: https://lore.kernel.org/r/20240328195457.225001-3-wedsonaf@gmail.com
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ rust/kernel/lib.rs | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/rust/kernel/lib.rs
++++ b/rust/kernel/lib.rs
+@@ -37,7 +37,7 @@ const __LOG_PREFIX: &[u8] = b"rust_kerne
+ /// The top level entrypoint to implementing a kernel module.
+ ///
+ /// For any teardown or cleanup operations, your type may implement [`Drop`].
+-pub trait Module: Sized + Sync {
++pub trait Module: Sized + Sync + Send {
+ /// Called at module initialization time.
+ ///
+ /// Use this method to perform whatever setup or registration your module
--- /dev/null
+From 8933cf4651e02853ca679be7b2d978dfcdcc5e0c Mon Sep 17 00:00:00 2001
+From: Conor Dooley <conor.dooley@microchip.com>
+Date: Thu, 4 Apr 2024 15:17:02 +0100
+Subject: rust: make mutually exclusive with CFI_CLANG
+
+From: Conor Dooley <conor.dooley@microchip.com>
+
+commit 8933cf4651e02853ca679be7b2d978dfcdcc5e0c upstream.
+
+On RISC-V and arm64, and presumably x86, if CFI_CLANG is enabled,
+loading a rust module will trigger a kernel panic. Support for
+sanitisers, including kcfi (CFI_CLANG), is in the works, but for now
+they're nightly-only options in rustc. Make RUST depend on !CFI_CLANG
+to prevent configuring a kernel without symmetrical support for kfi.
+
+[ Matthew Maurer writes [1]:
+
+ This patch is fine by me - the last patch needed for KCFI to be
+ functional in Rust just landed upstream last night, so we should
+ revisit this (in the form of enabling it) once we move to
+ `rustc-1.79.0` or later.
+
+ Ramon de C Valle also gave feedback [2] on the status of KCFI for
+ Rust and created a tracking issue [3] in upstream Rust. - Miguel ]
+
+Fixes: 2f7ab1267dc9 ("Kbuild: add Rust support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
+Acked-by: Nathan Chancellor <nathan@kernel.org>
+Link: https://lore.kernel.org/rust-for-linux/CAGSQo024u1gHJgzsO38Xg3c4or+JupoPABQx_+0BLEpPg0cOEA@mail.gmail.com/ [1]
+Link: https://lore.kernel.org/rust-for-linux/CAOcBZOS2kPyH0Dm7Fuh4GC3=v7nZhyzBj_-dKu3PfAnrHZvaxg@mail.gmail.com/ [2]
+Link: https://github.com/rust-lang/rust/issues/123479 [3]
+Link: https://lore.kernel.org/r/20240404-providing-emporium-e652e359c711@spud
+[ Added feedback from the list, links, and used Cc for the tag. ]
+Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ init/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1920,6 +1920,7 @@ config RUST
+ bool "Rust support"
+ depends on HAVE_RUST
+ depends on RUST_IS_AVAILABLE
++ depends on !CFI_CLANG
+ depends on !MODVERSIONS
+ depends on !GCC_PLUGINS
+ depends on !RANDSTRUCT
virtio_net-do-not-send-rss-key-if-it-is-not-supported.patch
fork-defer-linking-file-vma-until-vma-is-fully-initialized.patch
x86-cpu-fix-check-for-rdpkru-in-__show_regs.patch
+rust-kernel-require-send-for-module-implementations.patch
+rust-don-t-select-constructors.patch
+rust-make-mutually-exclusive-with-cfi_clang.patch
+bluetooth-fix-type-of-len-in-l2cap-sco-_sock_getsockopt_old.patch
+bluetooth-btusb-add-realtek-rtl8852be-support-id-0x0bda-0x4853.patch
+bluetooth-qca-fix-null-deref-on-non-serdev-suspend.patch
+mmc-sdhci-msm-pervent-access-to-suspended-controller.patch
+smb-client-fix-struct_group-usage-in-__packed-structs.patch
+smb3-fix-lock-ordering-potential-deadlock-in-cifs_sync_mid_result.patch
+hid-i2c-hid-remove-i2c_hid_read_pending-flag-to-prevent-lock-up.patch
+btrfs-fix-information-leak-in-btrfs_ioctl_logical_to_ino.patch
+cpu-re-enable-cpu-mitigations-by-default-for-x86-architectures.patch
+loongarch-fix-callchain-parse-error-with-kernel-tracepoint-events.patch
+loongarch-fix-access-error-when-read-fault-on-a-write-only-vma.patch
+arm64-dts-rockchip-enable-internal-pull-up-for-q7_thrm-on-rk3399-puma.patch
+drm-amdgpu-sdma5.2-use-legacy-hdp-flush-for-sdma2-3.patch
+drm-amdgpu-fix-leak-when-gpu-memory-allocation-fails.patch
+irqchip-gic-v3-its-prevent-double-free-on-error.patch
+acpi-cppc-use-access_width-over-bit_width-for-system-memory-accesses.patch
+acpi-cppc-fix-bit_offset-shift-in-mask_val-macro.patch
+acpi-cppc-fix-access-width-used-for-pcc-registers.patch
--- /dev/null
+From 9a1f1d04f63c59550a5364858b46eeffdf03e8d6 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavoars@kernel.org>
+Date: Tue, 23 Apr 2024 20:41:22 -0600
+Subject: smb: client: Fix struct_group() usage in __packed structs
+
+From: Gustavo A. R. Silva <gustavoars@kernel.org>
+
+commit 9a1f1d04f63c59550a5364858b46eeffdf03e8d6 upstream.
+
+Use struct_group_attr() in __packed structs, instead of struct_group().
+
+Below you can see the pahole output before/after changes:
+
+pahole -C smb2_file_network_open_info fs/smb/client/smb2ops.o
+struct smb2_file_network_open_info {
+ union {
+ struct {
+ __le64 CreationTime; /* 0 8 */
+ __le64 LastAccessTime; /* 8 8 */
+ __le64 LastWriteTime; /* 16 8 */
+ __le64 ChangeTime; /* 24 8 */
+ __le64 AllocationSize; /* 32 8 */
+ __le64 EndOfFile; /* 40 8 */
+ __le32 Attributes; /* 48 4 */
+ }; /* 0 56 */
+ struct {
+ __le64 CreationTime; /* 0 8 */
+ __le64 LastAccessTime; /* 8 8 */
+ __le64 LastWriteTime; /* 16 8 */
+ __le64 ChangeTime; /* 24 8 */
+ __le64 AllocationSize; /* 32 8 */
+ __le64 EndOfFile; /* 40 8 */
+ __le32 Attributes; /* 48 4 */
+ } network_open_info; /* 0 56 */
+ }; /* 0 56 */
+ __le32 Reserved; /* 56 4 */
+
+ /* size: 60, cachelines: 1, members: 2 */
+ /* last cacheline: 60 bytes */
+} __attribute__((__packed__));
+
+pahole -C smb2_file_network_open_info fs/smb/client/smb2ops.o
+struct smb2_file_network_open_info {
+ union {
+ struct {
+ __le64 CreationTime; /* 0 8 */
+ __le64 LastAccessTime; /* 8 8 */
+ __le64 LastWriteTime; /* 16 8 */
+ __le64 ChangeTime; /* 24 8 */
+ __le64 AllocationSize; /* 32 8 */
+ __le64 EndOfFile; /* 40 8 */
+ __le32 Attributes; /* 48 4 */
+ } __attribute__((__packed__)); /* 0 52 */
+ struct {
+ __le64 CreationTime; /* 0 8 */
+ __le64 LastAccessTime; /* 8 8 */
+ __le64 LastWriteTime; /* 16 8 */
+ __le64 ChangeTime; /* 24 8 */
+ __le64 AllocationSize; /* 32 8 */
+ __le64 EndOfFile; /* 40 8 */
+ __le32 Attributes; /* 48 4 */
+ } __attribute__((__packed__)) network_open_info; /* 0 52 */
+ }; /* 0 52 */
+ __le32 Reserved; /* 52 4 */
+
+ /* size: 56, cachelines: 1, members: 2 */
+ /* last cacheline: 56 bytes */
+};
+
+pahole -C smb_com_open_rsp fs/smb/client/cifssmb.o
+struct smb_com_open_rsp {
+ ...
+
+ union {
+ struct {
+ __le64 CreationTime; /* 48 8 */
+ __le64 LastAccessTime; /* 56 8 */
+ /* --- cacheline 1 boundary (64 bytes) --- */
+ __le64 LastWriteTime; /* 64 8 */
+ __le64 ChangeTime; /* 72 8 */
+ __le32 FileAttributes; /* 80 4 */
+ }; /* 48 40 */
+ struct {
+ __le64 CreationTime; /* 48 8 */
+ __le64 LastAccessTime; /* 56 8 */
+ /* --- cacheline 1 boundary (64 bytes) --- */
+ __le64 LastWriteTime; /* 64 8 */
+ __le64 ChangeTime; /* 72 8 */
+ __le32 FileAttributes; /* 80 4 */
+ } common_attributes; /* 48 40 */
+ }; /* 48 40 */
+
+ ...
+
+ /* size: 111, cachelines: 2, members: 14 */
+ /* last cacheline: 47 bytes */
+} __attribute__((__packed__));
+
+pahole -C smb_com_open_rsp fs/smb/client/cifssmb.o
+struct smb_com_open_rsp {
+ ...
+
+ union {
+ struct {
+ __le64 CreationTime; /* 48 8 */
+ __le64 LastAccessTime; /* 56 8 */
+ /* --- cacheline 1 boundary (64 bytes) --- */
+ __le64 LastWriteTime; /* 64 8 */
+ __le64 ChangeTime; /* 72 8 */
+ __le32 FileAttributes; /* 80 4 */
+ } __attribute__((__packed__)); /* 48 36 */
+ struct {
+ __le64 CreationTime; /* 48 8 */
+ __le64 LastAccessTime; /* 56 8 */
+ /* --- cacheline 1 boundary (64 bytes) --- */
+ __le64 LastWriteTime; /* 64 8 */
+ __le64 ChangeTime; /* 72 8 */
+ __le32 FileAttributes; /* 80 4 */
+ } __attribute__((__packed__)) common_attributes; /* 48 36 */
+ }; /* 48 36 */
+
+ ...
+
+ /* size: 107, cachelines: 2, members: 14 */
+ /* last cacheline: 43 bytes */
+} __attribute__((__packed__));
+
+pahole -C FILE_ALL_INFO fs/smb/client/cifssmb.o
+typedef struct {
+ union {
+ struct {
+ __le64 CreationTime; /* 0 8 */
+ __le64 LastAccessTime; /* 8 8 */
+ __le64 LastWriteTime; /* 16 8 */
+ __le64 ChangeTime; /* 24 8 */
+ __le32 Attributes; /* 32 4 */
+ }; /* 0 40 */
+ struct {
+ __le64 CreationTime; /* 0 8 */
+ __le64 LastAccessTime; /* 8 8 */
+ __le64 LastWriteTime; /* 16 8 */
+ __le64 ChangeTime; /* 24 8 */
+ __le32 Attributes; /* 32 4 */
+ } common_attributes; /* 0 40 */
+ }; /* 0 40 */
+
+ ...
+
+ /* size: 113, cachelines: 2, members: 17 */
+ /* last cacheline: 49 bytes */
+} __attribute__((__packed__)) FILE_ALL_INFO;
+
+pahole -C FILE_ALL_INFO fs/smb/client/cifssmb.o
+typedef struct {
+ union {
+ struct {
+ __le64 CreationTime; /* 0 8 */
+ __le64 LastAccessTime; /* 8 8 */
+ __le64 LastWriteTime; /* 16 8 */
+ __le64 ChangeTime; /* 24 8 */
+ __le32 Attributes; /* 32 4 */
+ } __attribute__((__packed__)); /* 0 36 */
+ struct {
+ __le64 CreationTime; /* 0 8 */
+ __le64 LastAccessTime; /* 8 8 */
+ __le64 LastWriteTime; /* 16 8 */
+ __le64 ChangeTime; /* 24 8 */
+ __le32 Attributes; /* 32 4 */
+ } __attribute__((__packed__)) common_attributes; /* 0 36 */
+ }; /* 0 36 */
+
+ ...
+
+ /* size: 109, cachelines: 2, members: 17 */
+ /* last cacheline: 45 bytes */
+} __attribute__((__packed__)) FILE_ALL_INFO;
+
+Fixes: 0015eb6e1238 ("smb: client, common: fix fortify warnings")
+Cc: stable@vger.kernel.org
+Reviewed-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/cifspdu.h | 4 ++--
+ fs/smb/client/smb2pdu.h | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/smb/client/cifspdu.h
++++ b/fs/smb/client/cifspdu.h
+@@ -882,7 +882,7 @@ typedef struct smb_com_open_rsp {
+ __u8 OplockLevel;
+ __u16 Fid;
+ __le32 CreateAction;
+- struct_group(common_attributes,
++ struct_group_attr(common_attributes, __packed,
+ __le64 CreationTime;
+ __le64 LastAccessTime;
+ __le64 LastWriteTime;
+@@ -2270,7 +2270,7 @@ typedef struct {
+ /* QueryFileInfo/QueryPathinfo (also for SetPath/SetFile) data buffer formats */
+ /******************************************************************************/
+ typedef struct { /* data block encoding of response to level 263 QPathInfo */
+- struct_group(common_attributes,
++ struct_group_attr(common_attributes, __packed,
+ __le64 CreationTime;
+ __le64 LastAccessTime;
+ __le64 LastWriteTime;
+--- a/fs/smb/client/smb2pdu.h
++++ b/fs/smb/client/smb2pdu.h
+@@ -339,7 +339,7 @@ struct smb2_file_reparse_point_info {
+ } __packed;
+
+ struct smb2_file_network_open_info {
+- struct_group(network_open_info,
++ struct_group_attr(network_open_info, __packed,
+ __le64 CreationTime;
+ __le64 LastAccessTime;
+ __le64 LastWriteTime;
--- /dev/null
+From 8861fd5180476f45f9e8853db154600469a0284f Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Thu, 25 Apr 2024 12:49:50 -0500
+Subject: smb3: fix lock ordering potential deadlock in cifs_sync_mid_result
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 8861fd5180476f45f9e8853db154600469a0284f upstream.
+
+Coverity spotted that the cifs_sync_mid_result function could deadlock
+
+"Thread deadlock (ORDER_REVERSAL) lock_order: Calling spin_lock acquires
+lock TCP_Server_Info.srv_lock while holding lock TCP_Server_Info.mid_lock"
+
+Addresses-Coverity: 1590401 ("Thread deadlock (ORDER_REVERSAL)")
+Cc: stable@vger.kernel.org
+Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/transport.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/smb/client/transport.c
++++ b/fs/smb/client/transport.c
+@@ -931,12 +931,15 @@ cifs_sync_mid_result(struct mid_q_entry
+ list_del_init(&mid->qhead);
+ mid->mid_flags |= MID_DELETED;
+ }
++ spin_unlock(&server->mid_lock);
+ cifs_server_dbg(VFS, "%s: invalid mid state mid=%llu state=%d\n",
+ __func__, mid->mid, mid->mid_state);
+ rc = -EIO;
++ goto sync_mid_done;
+ }
+ spin_unlock(&server->mid_lock);
+
++sync_mid_done:
+ release_mid(mid);
+ return rc;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
