Fixes for 5.4
authorSasha Levin <sashal@kernel.org>
Fri, 11 Oct 2024 19:35:15 +0000 (15:35 -0400)
committerSasha Levin <sashal@kernel.org>
Fri, 11 Oct 2024 19:35:15 +0000 (15:35 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
20 files changed:
queue-5.4/bpf-check-percpu-map-value-size-first.patch [new file with mode: 0644]
queue-5.4/clk-bcm-bcm53573-fix-of-node-leak-in-init.patch [new file with mode: 0644]
queue-5.4/driver-core-bus-return-eio-instead-of-0-when-show-st.patch [new file with mode: 0644]
queue-5.4/ext4-nested-locking-for-xattr-inode.patch [new file with mode: 0644]
queue-5.4/fbdev-sisfb-fix-strbuf-array-overflow.patch [new file with mode: 0644]
queue-5.4/i2c-i801-use-a-different-adapter-name-for-idf-adapte.patch [new file with mode: 0644]
queue-5.4/ktest.pl-avoid-false-positives-with-grub2-skip-regex.patch [new file with mode: 0644]
queue-5.4/media-videobuf2-core-clear-memory-related-fields-in-.patch [new file with mode: 0644]
queue-5.4/ntb-ntb_hw_switchtec-fix-use-after-free-vulnerabilit.patch [new file with mode: 0644]
queue-5.4/pci-add-acs-quirk-for-qualcomm-sa8775p.patch [new file with mode: 0644]
queue-5.4/pci-mark-creative-labs-emu20k2-intx-masking-as-broke.patch [new file with mode: 0644]
queue-5.4/s390-boot-compile-all-files-with-the-same-march-flag.patch [new file with mode: 0644]
queue-5.4/s390-cpum_sf-remove-warn_on_once-statements.patch [new file with mode: 0644]
queue-5.4/s390-facility-disable-compile-time-optimization-for-.patch [new file with mode: 0644]
queue-5.4/s390-mm-add-cond_resched-to-cmm_alloc-free_pages.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/tools-iio-add-memory-allocation-failure-check-for-tr.patch [new file with mode: 0644]
queue-5.4/usb-chipidea-udc-enable-suspend-interrupt-after-usb-.patch [new file with mode: 0644]
queue-5.4/usb-dwc2-adjust-the-timing-of-usb-driver-interrupt-r.patch [new file with mode: 0644]
queue-5.4/virtio_pmem-check-device-status-before-requesting-fl.patch [new file with mode: 0644]

diff --git a/queue-5.4/bpf-check-percpu-map-value-size-first.patch b/queue-5.4/bpf-check-percpu-map-value-size-first.patch
new file mode 100644 (file)
index 0000000..7bcd62a
--- /dev/null
@@ -0,0 +1,59 @@
+From 938ec31e3b76f7e3f30545ca821c07d3b9802fc8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Sep 2024 22:41:10 +0800
+Subject: bpf: Check percpu map value size first
+
+From: Tao Chen <chen.dylane@gmail.com>
+
+[ Upstream commit 1d244784be6b01162b732a5a7d637dfc024c3203 ]
+
+Percpu map is often used, but the map value size limit often ignored,
+like issue: https://github.com/iovisor/bcc/issues/2519. Actually,
+percpu map value size is bound by PCPU_MIN_UNIT_SIZE, so we
+can check the value size whether it exceeds PCPU_MIN_UNIT_SIZE first,
+like percpu map of local_storage. Maybe the error message seems clearer
+compared with "cannot allocate memory".
+
+Signed-off-by: Jinke Han <jinkehan@didiglobal.com>
+Signed-off-by: Tao Chen <chen.dylane@gmail.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Jiri Olsa <jolsa@kernel.org>
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Link: https://lore.kernel.org/bpf/20240910144111.1464912-2-chen.dylane@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/arraymap.c | 3 +++
+ kernel/bpf/hashtab.c  | 3 +++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c
+index 81ed9b79f4019..af90c4498e80e 100644
+--- a/kernel/bpf/arraymap.c
++++ b/kernel/bpf/arraymap.c
+@@ -64,6 +64,9 @@ int array_map_alloc_check(union bpf_attr *attr)
+                * access the elements.
+                */
+               return -E2BIG;
++      /* percpu map value size is bound by PCPU_MIN_UNIT_SIZE */
++      if (percpu && round_up(attr->value_size, 8) > PCPU_MIN_UNIT_SIZE)
++              return -E2BIG;
+       return 0;
+ }
+diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
+index 34c4f709b1ede..0d14a2a11463a 100644
+--- a/kernel/bpf/hashtab.c
++++ b/kernel/bpf/hashtab.c
+@@ -288,6 +288,9 @@ static int htab_map_alloc_check(union bpf_attr *attr)
+                * kmalloc-able later in htab_map_update_elem()
+                */
+               return -E2BIG;
++      /* percpu map value size is bound by PCPU_MIN_UNIT_SIZE */
++      if (percpu && round_up(attr->value_size, 8) > PCPU_MIN_UNIT_SIZE)
++              return -E2BIG;
+       return 0;
+ }
+-- 
+2.43.0
+
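Review bot: In both added checks (array_map_alloc_check and htab_map_alloc_check), `round_up(attr->value_size, 8)` is evaluated on a size taken from the caller's bpf_attr, and for a 32-bit value within 7 of the maximum the rounding would wrap to 0 and pass the comparison. The earlier `return -E2BIG` in each function presumably bounds value_size before this line, but its condition lies outside the hunk, so the new check depends on an ordering the patch does not state. I would extend the comment to record it, e.g. `/* value_size is already bounded above, so round_up() cannot wrap; percpu values are further limited by PCPU_MIN_UNIT_SIZE */`. Both function bodies start outside the hunks.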
diff --git a/queue-5.4/clk-bcm-bcm53573-fix-of-node-leak-in-init.patch b/queue-5.4/clk-bcm-bcm53573-fix-of-node-leak-in-init.patch
new file mode 100644 (file)
index 0000000..009b154
--- /dev/null
@@ -0,0 +1,39 @@
+From 170e4d424fe820410768faffd01bebd21ce43d73 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2024 08:58:01 +0200
+Subject: clk: bcm: bcm53573: fix OF node leak in init
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit f92d67e23b8caa81f6322a2bad1d633b00ca000e ]
+
+Driver code is leaking OF node reference from of_get_parent() in
+bcm53573_ilp_init().  Usage of of_get_parent() is not needed in the
+first place, because the parent node will not be freed while we are
+processing given node (triggered by CLK_OF_DECLARE()).  Thus fix the
+leak by accessing parent directly, instead of of_get_parent().
+
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://lore.kernel.org/r/20240826065801.17081-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/bcm/clk-bcm53573-ilp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/bcm/clk-bcm53573-ilp.c b/drivers/clk/bcm/clk-bcm53573-ilp.c
+index 84f2af736ee8a..83ef41d618be3 100644
+--- a/drivers/clk/bcm/clk-bcm53573-ilp.c
++++ b/drivers/clk/bcm/clk-bcm53573-ilp.c
+@@ -112,7 +112,7 @@ static void bcm53573_ilp_init(struct device_node *np)
+               goto err_free_ilp;
+       }
+-      ilp->regmap = syscon_node_to_regmap(of_get_parent(np));
++      ilp->regmap = syscon_node_to_regmap(np->parent);
+       if (IS_ERR(ilp->regmap)) {
+               err = PTR_ERR(ilp->regmap);
+               goto err_free_ilp;
+-- 
+2.43.0
+
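Review bot: The replacement line in bcm53573_ilp_init() reads `np->parent` without taking a reference, and nothing at the call site says why that is safe; the reasoning exists only in the commit message. A one-line comment above it, such as `/* parent stays alive while np is handled via CLK_OF_DECLARE(); no reference needed */`, would keep a later cleanup from reintroducing of_get_parent() and the leak with it. The function body extends beyond the hunk on both sides.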
diff --git a/queue-5.4/driver-core-bus-return-eio-instead-of-0-when-show-st.patch b/queue-5.4/driver-core-bus-return-eio-instead-of-0-when-show-st.patch
new file mode 100644 (file)
index 0000000..084f10d
--- /dev/null
@@ -0,0 +1,49 @@
+From 5c20bb050c276c9dd39ced07baa8ba0e81a5b98b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 24 Jul 2024 21:54:48 +0800
+Subject: driver core: bus: Return -EIO instead of 0 when show/store invalid
+ bus attribute
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+[ Upstream commit c0fd973c108cdc22a384854bc4b3e288a9717bb2 ]
+
+Return -EIO instead of 0 for below erroneous bus attribute operations:
+ - read a bus attribute without show().
+ - write a bus attribute without store().
+
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20240724-bus_fix-v2-1-5adbafc698fb@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/bus.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/base/bus.c b/drivers/base/bus.c
+index 7d7d28f498edd..f970a40a2f7ad 100644
+--- a/drivers/base/bus.c
++++ b/drivers/base/bus.c
+@@ -103,7 +103,8 @@ static ssize_t bus_attr_show(struct kobject *kobj, struct attribute *attr,
+ {
+       struct bus_attribute *bus_attr = to_bus_attr(attr);
+       struct subsys_private *subsys_priv = to_subsys_private(kobj);
+-      ssize_t ret = 0;
++      /* return -EIO for reading a bus attribute without show() */
++      ssize_t ret = -EIO;
+       if (bus_attr->show)
+               ret = bus_attr->show(subsys_priv->bus, buf);
+@@ -115,7 +116,8 @@ static ssize_t bus_attr_store(struct kobject *kobj, struct attribute *attr,
+ {
+       struct bus_attribute *bus_attr = to_bus_attr(attr);
+       struct subsys_private *subsys_priv = to_subsys_private(kobj);
+-      ssize_t ret = 0;
++      /* return -EIO for writing a bus attribute without store() */
++      ssize_t ret = -EIO;
+       if (bus_attr->store)
+               ret = bus_attr->store(subsys_priv->bus, buf, count);
+-- 
+2.43.0
+
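Review bot: Initialising `ret` to -EIO in bus_attr_show() and bus_attr_store() changes what userspace sees: a read or write of a bus attribute without the matching callback previously returned 0 and now fails. For a stable-series backport that is a behaviour change rather than a crash fix, and the patch carries no Fixes: tag or report of a caller that needed the error, so it is worth confirming that nothing using the 5.4 tree depends on the old result. The two added comments restate the assignment; `/* no show() callback: fail the read instead of reporting 0 bytes */` would say why. Both functions continue past the hunk.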
diff --git a/queue-5.4/ext4-nested-locking-for-xattr-inode.patch b/queue-5.4/ext4-nested-locking-for-xattr-inode.patch
new file mode 100644 (file)
index 0000000..031b901
--- /dev/null
@@ -0,0 +1,189 @@
+From b88a1b7dc51a0b44672bfd3b6ab4cdf89b592fe9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Aug 2024 16:38:27 +0200
+Subject: ext4: nested locking for xattr inode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wojciech Gładysz <wojciech.gladysz@infogain.com>
+
+[ Upstream commit d1bc560e9a9c78d0b2314692847fc8661e0aeb99 ]
+
+Add nested locking with I_MUTEX_XATTR subclass to avoid lockdep warning
+while handling xattr inode on file open syscall at ext4_xattr_inode_iget.
+
+Backtrace
+EXT4-fs (loop0): Ignoring removed oldalloc option
+======================================================
+WARNING: possible circular locking dependency detected
+5.10.0-syzkaller #0 Not tainted
+------------------------------------------------------
+syz-executor543/2794 is trying to acquire lock:
+ffff8880215e1a48 (&ea_inode->i_rwsem#7/1){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:782 [inline]
+ffff8880215e1a48 (&ea_inode->i_rwsem#7/1){+.+.}-{3:3}, at: ext4_xattr_inode_iget+0x42a/0x5c0 fs/ext4/xattr.c:425
+
+but task is already holding lock:
+ffff8880215e3278 (&ei->i_data_sem/3){++++}-{3:3}, at: ext4_setattr+0x136d/0x19c0 fs/ext4/inode.c:5559
+
+which lock already depends on the new lock.
+
+the existing dependency chain (in reverse order) is:
+
+-> #1 (&ei->i_data_sem/3){++++}-{3:3}:
+       lock_acquire+0x197/0x480 kernel/locking/lockdep.c:5566
+       down_write+0x93/0x180 kernel/locking/rwsem.c:1564
+       ext4_update_i_disksize fs/ext4/ext4.h:3267 [inline]
+       ext4_xattr_inode_write fs/ext4/xattr.c:1390 [inline]
+       ext4_xattr_inode_lookup_create fs/ext4/xattr.c:1538 [inline]
+       ext4_xattr_set_entry+0x331a/0x3d80 fs/ext4/xattr.c:1662
+       ext4_xattr_ibody_set+0x124/0x390 fs/ext4/xattr.c:2228
+       ext4_xattr_set_handle+0xc27/0x14e0 fs/ext4/xattr.c:2385
+       ext4_xattr_set+0x219/0x390 fs/ext4/xattr.c:2498
+       ext4_xattr_user_set+0xc9/0xf0 fs/ext4/xattr_user.c:40
+       __vfs_setxattr+0x404/0x450 fs/xattr.c:177
+       __vfs_setxattr_noperm+0x11d/0x4f0 fs/xattr.c:208
+       __vfs_setxattr_locked+0x1f9/0x210 fs/xattr.c:266
+       vfs_setxattr+0x112/0x2c0 fs/xattr.c:283
+       setxattr+0x1db/0x3e0 fs/xattr.c:548
+       path_setxattr+0x15a/0x240 fs/xattr.c:567
+       __do_sys_setxattr fs/xattr.c:582 [inline]
+       __se_sys_setxattr fs/xattr.c:578 [inline]
+       __x64_sys_setxattr+0xc5/0xe0 fs/xattr.c:578
+       do_syscall_64+0x6d/0xa0 arch/x86/entry/common.c:62
+       entry_SYSCALL_64_after_hwframe+0x61/0xcb
+
+-> #0 (&ea_inode->i_rwsem#7/1){+.+.}-{3:3}:
+       check_prev_add kernel/locking/lockdep.c:2988 [inline]
+       check_prevs_add kernel/locking/lockdep.c:3113 [inline]
+       validate_chain+0x1695/0x58f0 kernel/locking/lockdep.c:3729
+       __lock_acquire+0x12fd/0x20d0 kernel/locking/lockdep.c:4955
+       lock_acquire+0x197/0x480 kernel/locking/lockdep.c:5566
+       down_write+0x93/0x180 kernel/locking/rwsem.c:1564
+       inode_lock include/linux/fs.h:782 [inline]
+       ext4_xattr_inode_iget+0x42a/0x5c0 fs/ext4/xattr.c:425
+       ext4_xattr_inode_get+0x138/0x410 fs/ext4/xattr.c:485
+       ext4_xattr_move_to_block fs/ext4/xattr.c:2580 [inline]
+       ext4_xattr_make_inode_space fs/ext4/xattr.c:2682 [inline]
+       ext4_expand_extra_isize_ea+0xe70/0x1bb0 fs/ext4/xattr.c:2774
+       __ext4_expand_extra_isize+0x304/0x3f0 fs/ext4/inode.c:5898
+       ext4_try_to_expand_extra_isize fs/ext4/inode.c:5941 [inline]
+       __ext4_mark_inode_dirty+0x591/0x810 fs/ext4/inode.c:6018
+       ext4_setattr+0x1400/0x19c0 fs/ext4/inode.c:5562
+       notify_change+0xbb6/0xe60 fs/attr.c:435
+       do_truncate+0x1de/0x2c0 fs/open.c:64
+       handle_truncate fs/namei.c:2970 [inline]
+       do_open fs/namei.c:3311 [inline]
+       path_openat+0x29f3/0x3290 fs/namei.c:3425
+       do_filp_open+0x20b/0x450 fs/namei.c:3452
+       do_sys_openat2+0x124/0x460 fs/open.c:1207
+       do_sys_open fs/open.c:1223 [inline]
+       __do_sys_open fs/open.c:1231 [inline]
+       __se_sys_open fs/open.c:1227 [inline]
+       __x64_sys_open+0x221/0x270 fs/open.c:1227
+       do_syscall_64+0x6d/0xa0 arch/x86/entry/common.c:62
+       entry_SYSCALL_64_after_hwframe+0x61/0xcb
+
+other info that might help us debug this:
+
+ Possible unsafe locking scenario:
+
+       CPU0                    CPU1
+       ----                    ----
+  lock(&ei->i_data_sem/3);
+                               lock(&ea_inode->i_rwsem#7/1);
+                               lock(&ei->i_data_sem/3);
+  lock(&ea_inode->i_rwsem#7/1);
+
+ *** DEADLOCK ***
+
+5 locks held by syz-executor543/2794:
+ #0: ffff888026fbc448 (sb_writers#4){.+.+}-{0:0}, at: mnt_want_write+0x4a/0x2a0 fs/namespace.c:365
+ #1: ffff8880215e3488 (&sb->s_type->i_mutex_key#7){++++}-{3:3}, at: inode_lock include/linux/fs.h:782 [inline]
+ #1: ffff8880215e3488 (&sb->s_type->i_mutex_key#7){++++}-{3:3}, at: do_truncate+0x1cf/0x2c0 fs/open.c:62
+ #2: ffff8880215e3310 (&ei->i_mmap_sem){++++}-{3:3}, at: ext4_setattr+0xec4/0x19c0 fs/ext4/inode.c:5519
+ #3: ffff8880215e3278 (&ei->i_data_sem/3){++++}-{3:3}, at: ext4_setattr+0x136d/0x19c0 fs/ext4/inode.c:5559
+ #4: ffff8880215e30c8 (&ei->xattr_sem){++++}-{3:3}, at: ext4_write_trylock_xattr fs/ext4/xattr.h:162 [inline]
+ #4: ffff8880215e30c8 (&ei->xattr_sem){++++}-{3:3}, at: ext4_try_to_expand_extra_isize fs/ext4/inode.c:5938 [inline]
+ #4: ffff8880215e30c8 (&ei->xattr_sem){++++}-{3:3}, at: __ext4_mark_inode_dirty+0x4fb/0x810 fs/ext4/inode.c:6018
+
+stack backtrace:
+CPU: 1 PID: 2794 Comm: syz-executor543 Not tainted 5.10.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x177/0x211 lib/dump_stack.c:118
+ print_circular_bug+0x146/0x1b0 kernel/locking/lockdep.c:2002
+ check_noncircular+0x2cc/0x390 kernel/locking/lockdep.c:2123
+ check_prev_add kernel/locking/lockdep.c:2988 [inline]
+ check_prevs_add kernel/locking/lockdep.c:3113 [inline]
+ validate_chain+0x1695/0x58f0 kernel/locking/lockdep.c:3729
+ __lock_acquire+0x12fd/0x20d0 kernel/locking/lockdep.c:4955
+ lock_acquire+0x197/0x480 kernel/locking/lockdep.c:5566
+ down_write+0x93/0x180 kernel/locking/rwsem.c:1564
+ inode_lock include/linux/fs.h:782 [inline]
+ ext4_xattr_inode_iget+0x42a/0x5c0 fs/ext4/xattr.c:425
+ ext4_xattr_inode_get+0x138/0x410 fs/ext4/xattr.c:485
+ ext4_xattr_move_to_block fs/ext4/xattr.c:2580 [inline]
+ ext4_xattr_make_inode_space fs/ext4/xattr.c:2682 [inline]
+ ext4_expand_extra_isize_ea+0xe70/0x1bb0 fs/ext4/xattr.c:2774
+ __ext4_expand_extra_isize+0x304/0x3f0 fs/ext4/inode.c:5898
+ ext4_try_to_expand_extra_isize fs/ext4/inode.c:5941 [inline]
+ __ext4_mark_inode_dirty+0x591/0x810 fs/ext4/inode.c:6018
+ ext4_setattr+0x1400/0x19c0 fs/ext4/inode.c:5562
+ notify_change+0xbb6/0xe60 fs/attr.c:435
+ do_truncate+0x1de/0x2c0 fs/open.c:64
+ handle_truncate fs/namei.c:2970 [inline]
+ do_open fs/namei.c:3311 [inline]
+ path_openat+0x29f3/0x3290 fs/namei.c:3425
+ do_filp_open+0x20b/0x450 fs/namei.c:3452
+ do_sys_openat2+0x124/0x460 fs/open.c:1207
+ do_sys_open fs/open.c:1223 [inline]
+ __do_sys_open fs/open.c:1231 [inline]
+ __se_sys_open fs/open.c:1227 [inline]
+ __x64_sys_open+0x221/0x270 fs/open.c:1227
+ do_syscall_64+0x6d/0xa0 arch/x86/entry/common.c:62
+ entry_SYSCALL_64_after_hwframe+0x61/0xcb
+RIP: 0033:0x7f0cde4ea229
+Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007ffd81d1c978 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
+RAX: ffffffffffffffda RBX: 0030656c69662f30 RCX: 00007f0cde4ea229
+RDX: 0000000000000089 RSI: 00000000000a0a00 RDI: 00000000200001c0
+RBP: 2f30656c69662f2e R08: 0000000000208000 R09: 0000000000208000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd81d1c9c0
+R13: 00007ffd81d1ca00 R14: 0000000000080000 R15: 0000000000000003
+EXT4-fs error (device loop0): ext4_expand_extra_isize_ea:2730: inode #13: comm syz-executor543: corrupted in-inode xattr
+
+Signed-off-by: Wojciech Gładysz <wojciech.gladysz@infogain.com>
+Link: https://patch.msgid.link/20240801143827.19135-1-wojciech.gladysz@infogain.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/xattr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
+index d65f1eb85a924..19982a682b9c1 100644
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -420,7 +420,7 @@ static int ext4_xattr_inode_iget(struct inode *parent, unsigned long ea_ino,
+               ext4_set_inode_state(inode, EXT4_STATE_LUSTRE_EA_INODE);
+               ext4_xattr_inode_set_ref(inode, 1);
+       } else {
+-              inode_lock(inode);
++              inode_lock_nested(inode, I_MUTEX_XATTR);
+               inode->i_flags |= S_NOQUOTA;
+               inode_unlock(inode);
+       }
+@@ -1033,7 +1033,7 @@ static int ext4_xattr_inode_update_ref(handle_t *handle, struct inode *ea_inode,
+       s64 ref_count;
+       int ret;
+-      inode_lock(ea_inode);
++      inode_lock_nested(ea_inode, I_MUTEX_XATTR);
+       ret = ext4_reserve_inode_write(handle, ea_inode, &iloc);
+       if (ret)
+-- 
+2.43.0
+
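Review bot: Both call sites, in ext4_xattr_inode_iget() and ext4_xattr_inode_update_ref(), switch to `inode_lock_nested(..., I_MUTEX_XATTR)` without a comment stating which lock ordering the subclass encodes. The annotation changes how lockdep classifies the acquisition, not which locks are taken, so the report quoted in the message (recorded on 5.10.0-syzkaller, while this queue targets 5.4) is silenced on the assumption that the reported cycle cannot occur; that assumption should be written next to the code. Something like `/* EA inode lock nests inside the parent inode's locks; I_MUTEX_XATTR tells lockdep so */` at each site would do, once the ordering has been confirmed for the 5.4 code paths. Both functions start and end outside the hunks.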
diff --git a/queue-5.4/fbdev-sisfb-fix-strbuf-array-overflow.patch b/queue-5.4/fbdev-sisfb-fix-strbuf-array-overflow.patch
new file mode 100644 (file)
index 0000000..4407ac1
--- /dev/null
@@ -0,0 +1,42 @@
+From 26eb62c0f178e3ecc79e04a39ac18078bc8db2da Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Sep 2024 22:34:24 +0300
+Subject: fbdev: sisfb: Fix strbuf array overflow
+
+From: Andrey Shumilin <shum.sdl@nppct.ru>
+
+[ Upstream commit 9cf14f5a2746c19455ce9cb44341b5527b5e19c3 ]
+
+The values of the variables xres and yres are placed in strbuf.
+These variables are obtained from strbuf1.
+The strbuf1 array contains digit characters
+and a space if the array contains non-digit characters.
+Then, when executing sprintf(strbuf, "%ux%ux8", xres, yres);
+more than 16 bytes will be written to strbuf.
+It is suggested to increase the size of the strbuf array to 24.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Signed-off-by: Andrey Shumilin <shum.sdl@nppct.ru>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/sis/sis_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/sis/sis_main.c b/drivers/video/fbdev/sis/sis_main.c
+index 2fdd02e51f5fc..db745dc3cebe2 100644
+--- a/drivers/video/fbdev/sis/sis_main.c
++++ b/drivers/video/fbdev/sis/sis_main.c
+@@ -183,7 +183,7 @@ static void sisfb_search_mode(char *name, bool quiet)
+ {
+       unsigned int j = 0, xres = 0, yres = 0, depth = 0, rate = 0;
+       int i = 0;
+-      char strbuf[16], strbuf1[20];
++      char strbuf[24], strbuf1[20];
+       char *nameptr = name;
+       /* We don't know the hardware specs yet and there is no ivideo */
+-- 
+2.43.0
+
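Review bot: Growing `strbuf` to 24 bytes in sisfb_search_mode() makes the buffer exactly large enough for two 10-digit unsigned values plus `x`, `x8` and the terminator, with no margin and no bound at the write itself. The writer named in the commit message, `sprintf(strbuf, "%ux%ux8", xres, yres)`, is outside the hunk and stays unbounded; replacing it with `snprintf(strbuf, sizeof(strbuf), "%ux%ux8", xres, yres);` would keep the write inside the array whatever size the declaration has. A short comment on the declaration explaining where 24 comes from would also help. The function body continues past the hunk.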
diff --git a/queue-5.4/i2c-i801-use-a-different-adapter-name-for-idf-adapte.patch b/queue-5.4/i2c-i801-use-a-different-adapter-name-for-idf-adapte.patch
new file mode 100644 (file)
index 0000000..d5a289b
--- /dev/null
@@ -0,0 +1,55 @@
+From 1abc4b5f85573082c0c577a28340f82473830cc7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 12 Aug 2024 22:39:48 +0200
+Subject: i2c: i801: Use a different adapter-name for IDF adapters
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+[ Upstream commit 43457ada98c824f310adb7bd96bd5f2fcd9a3279 ]
+
+On chipsets with a second 'Integrated Device Function' SMBus controller use
+a different adapter-name for the second IDF adapter.
+
+This allows platform glue code which is looking for the primary i801
+adapter to manually instantiate i2c_clients on to differentiate
+between the 2.
+
+This allows such code to find the primary i801 adapter by name, without
+needing to duplicate the PCI-ids to feature-flags mapping from i2c-i801.c.
+
+Reviewed-by: Pali Rohár <pali@kernel.org>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/busses/i2c-i801.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c
+index 2c077ffcee607..6b960cbd045bc 100644
+--- a/drivers/i2c/busses/i2c-i801.c
++++ b/drivers/i2c/busses/i2c-i801.c
+@@ -1861,8 +1861,15 @@ static int i801_probe(struct pci_dev *dev, const struct pci_device_id *id)
+       i801_add_tco(priv);
++      /*
++       * adapter.name is used by platform code to find the main I801 adapter
++       * to instantiante i2c_clients, do not change.
++       */
+       snprintf(priv->adapter.name, sizeof(priv->adapter.name),
+-              "SMBus I801 adapter at %04lx", priv->smba);
++               "SMBus %s adapter at %04lx",
++               (priv->features & FEATURE_IDF) ? "I801 IDF" : "I801",
++               priv->smba);
++
+       err = i2c_add_adapter(&priv->adapter);
+       if (err) {
+               platform_device_unregister(priv->tco_pdev);
+-- 
+2.43.0
+
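Review bot: The added comment above the snprintf() in i801_probe() says the adapter name must not change, yet this same hunk changes the name reported for IDF adapters from `SMBus I801 adapter at ...` to `SMBus I801 IDF adapter at ...`. Anything that matches the old string for the second controller will stop matching after the backport, so the comment should say which name is the stable one; it also has a typo, `instantiante` for `instantiate`. Suggested wording: `adapter.name is used by platform code to find the main I801 adapter to instantiate i2c_clients; keep the non-IDF name unchanged.` The probe function extends beyond the hunk.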
diff --git a/queue-5.4/ktest.pl-avoid-false-positives-with-grub2-skip-regex.patch b/queue-5.4/ktest.pl-avoid-false-positives-with-grub2-skip-regex.patch
new file mode 100644 (file)
index 0000000..093e740
--- /dev/null
@@ -0,0 +1,52 @@
+From b998b3f4f6426b964847787d1c81078e8faf45b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Sep 2024 13:55:30 -0400
+Subject: ktest.pl: Avoid false positives with grub2 skip regex
+
+From: Daniel Jordan <daniel.m.jordan@oracle.com>
+
+[ Upstream commit 2351e8c65404aabc433300b6bf90c7a37e8bbc4d ]
+
+Some distros have grub2 config files with the lines
+
+    if [ x"${feature_menuentry_id}" = xy ]; then
+      menuentry_id_option="--id"
+    else
+      menuentry_id_option=""
+    fi
+
+which match the skip regex defined for grub2 in get_grub_index():
+
+    $skip = '^\s*menuentry';
+
+These false positives cause the grub number to be higher than it
+should be, and the wrong kernel can end up booting.
+
+Grub documents the menuentry command with whitespace between it and the
+title, so make the skip regex reflect this.
+
+Link: https://lore.kernel.org/20240904175530.84175-1-daniel.m.jordan@oracle.com
+Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
+Acked-by: John 'Warthog9' Hawley (Tenstorrent) <warthog9@eaglescrag.net>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/ktest/ktest.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/ktest/ktest.pl b/tools/testing/ktest/ktest.pl
+index d36612c620981..e7adb429018b2 100755
+--- a/tools/testing/ktest/ktest.pl
++++ b/tools/testing/ktest/ktest.pl
+@@ -1954,7 +1954,7 @@ sub get_grub_index {
+     } elsif ($reboot_type eq "grub2") {
+       $command = "cat $grub_file";
+       $target = '^\s*menuentry.*' . $grub_menu_qt;
+-      $skip = '^\s*menuentry';
++      $skip = '^\s*menuentry\s';
+       $submenu = '^\s*submenu\s';
+     } elsif ($reboot_type eq "grub2bls") {
+         $command = $grub_bls_get;
+-- 
+2.43.0
+
diff --git a/queue-5.4/media-videobuf2-core-clear-memory-related-fields-in-.patch b/queue-5.4/media-videobuf2-core-clear-memory-related-fields-in-.patch
new file mode 100644 (file)
index 0000000..e1e7ee7
--- /dev/null
@@ -0,0 +1,52 @@
+From d16411679d5bd970aff9e92b0ef1ab0f9a5d86e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 14 Aug 2024 11:06:40 +0900
+Subject: media: videobuf2-core: clear memory related fields in
+ __vb2_plane_dmabuf_put()
+
+From: Yunke Cao <yunkec@chromium.org>
+
+[ Upstream commit 6a9c97ab6b7e85697e0b74e86062192a5ffffd99 ]
+
+Clear vb2_plane's memory related fields in __vb2_plane_dmabuf_put(),
+including bytesused, length, fd and data_offset.
+
+Remove the duplicated code in __prepare_dmabuf().
+
+Signed-off-by: Yunke Cao <yunkec@chromium.org>
+Acked-by: Tomasz Figa <tfiga@chromium.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/common/videobuf2/videobuf2-core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/common/videobuf2/videobuf2-core.c b/drivers/media/common/videobuf2/videobuf2-core.c
+index 13602939906fc..98651c934d4e0 100644
+--- a/drivers/media/common/videobuf2/videobuf2-core.c
++++ b/drivers/media/common/videobuf2/videobuf2-core.c
+@@ -282,6 +282,10 @@ static void __vb2_plane_dmabuf_put(struct vb2_buffer *vb, struct vb2_plane *p)
+       p->mem_priv = NULL;
+       p->dbuf = NULL;
+       p->dbuf_mapped = 0;
++      p->bytesused = 0;
++      p->length = 0;
++      p->m.fd = 0;
++      p->data_offset = 0;
+ }
+ /*
+@@ -1177,10 +1181,6 @@ static int __prepare_dmabuf(struct vb2_buffer *vb)
+               /* Release previously acquired memory if present */
+               __vb2_plane_dmabuf_put(vb, &vb->planes[plane]);
+-              vb->planes[plane].bytesused = 0;
+-              vb->planes[plane].length = 0;
+-              vb->planes[plane].m.fd = 0;
+-              vb->planes[plane].data_offset = 0;
+               /* Acquire each plane's memory */
+               mem_priv = call_ptr_memop(vb, attach_dmabuf,
+-- 
+2.43.0
+
diff --git a/queue-5.4/ntb-ntb_hw_switchtec-fix-use-after-free-vulnerabilit.patch b/queue-5.4/ntb-ntb_hw_switchtec-fix-use-after-free-vulnerabilit.patch
new file mode 100644 (file)
index 0000000..8e96086
--- /dev/null
@@ -0,0 +1,54 @@
+From 9486e7159b2e2d2b3fdd55c10d4fb86787146f86 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Sep 2024 01:20:07 +0800
+Subject: ntb: ntb_hw_switchtec: Fix use after free vulnerability in
+ switchtec_ntb_remove due to race condition
+
+From: Kaixin Wang <kxwang23@m.fudan.edu.cn>
+
+[ Upstream commit e51aded92d42784313ba16c12f4f88cc4f973bbb ]
+
+In the switchtec_ntb_add function, it can call switchtec_ntb_init_sndev
+function, then &sndev->check_link_status_work is bound with
+check_link_status_work. switchtec_ntb_link_notification may be called
+to start the work.
+
+If we remove the module which will call switchtec_ntb_remove to make
+cleanup, it will free sndev through kfree(sndev), while the work
+mentioned above will be used. The sequence of operations that may lead
+to a UAF bug is as follows:
+
+CPU0                                 CPU1
+
+                        | check_link_status_work
+switchtec_ntb_remove    |
+kfree(sndev);           |
+                        | if (sndev->link_force_down)
+                        | // use sndev
+
+Fix it by ensuring that the work is canceled before proceeding with
+the cleanup in switchtec_ntb_remove.
+
+Signed-off-by: Kaixin Wang <kxwang23@m.fudan.edu.cn>
+Reviewed-by: Logan Gunthorpe <logang@deltatee.com>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ntb/hw/mscc/ntb_hw_switchtec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/ntb/hw/mscc/ntb_hw_switchtec.c b/drivers/ntb/hw/mscc/ntb_hw_switchtec.c
+index 86ffa716eaf22..db9be3ce1cd0d 100644
+--- a/drivers/ntb/hw/mscc/ntb_hw_switchtec.c
++++ b/drivers/ntb/hw/mscc/ntb_hw_switchtec.c
+@@ -1558,6 +1558,7 @@ static void switchtec_ntb_remove(struct device *dev,
+       switchtec_ntb_deinit_db_msg_irq(sndev);
+       switchtec_ntb_deinit_shared_mw(sndev);
+       switchtec_ntb_deinit_crosslink(sndev);
++      cancel_work_sync(&sndev->check_link_status_work);
+       kfree(sndev);
+       dev_info(dev, "ntb device unregistered\n");
+ }
+-- 
+2.43.0
+
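Review bot: `cancel_work_sync(&sndev->check_link_status_work)` is placed after the three deinit calls in switchtec_ntb_remove(), so the work can still run while the doorbell/message IRQs, the shared memory window and the crosslink state are being torn down. The handler is not in the hunk; if it reads any of that state, the use-after-free on sndev is closed but a use of already released resources remains. Cancelling once nothing can queue the work any more, and before the resources it uses are released, would cover both, for example directly after `switchtec_ntb_deinit_db_msg_irq(sndev);` if that is the last source of new work; this needs confirming against the handler and whatever schedules it. The start of the function is outside the hunk.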
diff --git a/queue-5.4/pci-add-acs-quirk-for-qualcomm-sa8775p.patch b/queue-5.4/pci-add-acs-quirk-for-qualcomm-sa8775p.patch
new file mode 100644 (file)
index 0000000..e9e9add
--- /dev/null
@@ -0,0 +1,42 @@
+From 0ae6dfb1a7faa6cc192d996092fa802b653c4453 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2024 10:52:27 +0530
+Subject: PCI: Add ACS quirk for Qualcomm SA8775P
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Subramanian Ananthanarayanan <quic_skananth@quicinc.com>
+
+[ Upstream commit 026f84d3fa62d215b11cbeb5a5d97df941e93b5c ]
+
+The Qualcomm SA8775P root ports don't advertise an ACS capability, but they
+do provide ACS-like features to disable peer transactions and validate bus
+numbers in requests.
+
+Thus, add an ACS quirk for the SA8775P.
+
+Link: https://lore.kernel.org/linux-pci/20240906052228.1829485-1-quic_skananth@quicinc.com
+Signed-off-by: Subramanian Ananthanarayanan <quic_skananth@quicinc.com>
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/quirks.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
+index 3bc7058404156..1e846b62feba5 100644
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -4957,6 +4957,8 @@ static const struct pci_dev_acs_enabled {
+       /* QCOM QDF2xxx root ports */
+       { PCI_VENDOR_ID_QCOM, 0x0400, pci_quirk_qcom_rp_acs },
+       { PCI_VENDOR_ID_QCOM, 0x0401, pci_quirk_qcom_rp_acs },
++      /* QCOM SA8775P root port */
++      { PCI_VENDOR_ID_QCOM, 0x0115, pci_quirk_qcom_rp_acs },
+       /* HXT SD4800 root ports. The ACS design is same as QCOM QDF2xxx */
+       { PCI_VENDOR_ID_HXT, 0x0401, pci_quirk_qcom_rp_acs },
+       /* Intel PCH root ports */
+-- 
+2.43.0
+
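Review bot: The new table entry routes device ID 0x0115 to pci_quirk_qcom_rp_acs, which makes the kernel treat these root ports as providing ACS-equivalent isolation even though they advertise no ACS capability. That decision affects how far devices below the port are trusted to be isolated from each other, and the only stated basis is the commit message's "ACS-like features". The comment could carry that basis, e.g. `/* QCOM SA8775P root port: no ACS capability, but peer transactions are blocked and request bus numbers validated */`. The table continues on both sides of the hunk.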
diff --git a/queue-5.4/pci-mark-creative-labs-emu20k2-intx-masking-as-broke.patch b/queue-5.4/pci-mark-creative-labs-emu20k2-intx-masking-as-broke.patch
new file mode 100644 (file)
index 0000000..693cc70
--- /dev/null
@@ -0,0 +1,45 @@
+From b843aafe17caeae8a2d64deabdf7ec8c94a59721 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Sep 2024 15:53:27 -0600
+Subject: PCI: Mark Creative Labs EMU20k2 INTx masking as broken
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+[ Upstream commit 2910306655a7072640021563ec9501bfa67f0cb1 ]
+
+Per user reports, the Creative Labs EMU20k2 (Sound Blaster X-Fi
+Titanium Series) generates spurious interrupts when used with
+vfio-pci unless DisINTx masking support is disabled.
+
+Thus, quirk the device to mark INTx masking as broken.
+
+Closes: https://lore.kernel.org/all/VI1PR10MB8207C507DB5420AB4C7281E0DB9A2@VI1PR10MB8207.EURPRD10.PROD.OUTLOOK.COM
+Link: https://lore.kernel.org/linux-pci/20240912215331.839220-1-alex.williamson@redhat.com
+Reported-by: zdravko delineshev <delineshev@outlook.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+[kwilczynski: commit log]
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/quirks.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
+index 1e846b62feba5..805200feaec82 100644
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -3441,6 +3441,8 @@ DECLARE_PCI_FIXUP_FINAL(0x1814, 0x0601, /* Ralink RT2800 802.11n PCI */
+                       quirk_broken_intx_masking);
+ DECLARE_PCI_FIXUP_FINAL(0x1b7c, 0x0004, /* Ceton InfiniTV4 */
+                       quirk_broken_intx_masking);
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_CREATIVE, PCI_DEVICE_ID_CREATIVE_20K2,
++                      quirk_broken_intx_masking);
+ /*
+  * Realtek RTL8169 PCI Gigabit Ethernet Controller (rev 10)
+-- 
+2.43.0
+
diff --git a/queue-5.4/s390-boot-compile-all-files-with-the-same-march-flag.patch b/queue-5.4/s390-boot-compile-all-files-with-the-same-march-flag.patch
new file mode 100644 (file)
index 0000000..30fe762
--- /dev/null
@@ -0,0 +1,66 @@
+From 4b0f0acc2dac743bf828a1095fa8239f15946482 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Sep 2024 11:39:27 +0200
+Subject: s390/boot: Compile all files with the same march flag
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+[ Upstream commit fccb175bc89a0d37e3ff513bb6bf1f73b3a48950 ]
+
+Only a couple of files of the decompressor are compiled with the
+minimum architecture level. This is problematic for potential function
+calls between compile units, especially if a target function is within
+a compile until compiled for a higher architecture level, since that
+may lead to an unexpected operation exception.
+
+Therefore compile all files of the decompressor for the same (minimum)
+architecture level.
+
+Reviewed-by: Sven Schnelle <svens@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/boot/Makefile | 19 +++++--------------
+ 1 file changed, 5 insertions(+), 14 deletions(-)
+
+diff --git a/arch/s390/boot/Makefile b/arch/s390/boot/Makefile
+index 0ff9261c915e3..cba2705c62353 100644
+--- a/arch/s390/boot/Makefile
++++ b/arch/s390/boot/Makefile
+@@ -8,11 +8,8 @@ GCOV_PROFILE := n
+ UBSAN_SANITIZE := n
+ KASAN_SANITIZE := n
+-KBUILD_AFLAGS := $(KBUILD_AFLAGS_DECOMPRESSOR)
+-KBUILD_CFLAGS := $(KBUILD_CFLAGS_DECOMPRESSOR)
+-
+ #
+-# Use minimum architecture for als.c to be able to print an error
++# Use minimum architecture level so it is possible to print an error
+ # message if the kernel is started on a machine which is too old
+ #
+ ifndef CONFIG_CC_IS_CLANG
+@@ -21,16 +18,10 @@ else
+ CC_FLAGS_MARCH_MINIMUM := -march=z10
+ endif
+-ifneq ($(CC_FLAGS_MARCH),$(CC_FLAGS_MARCH_MINIMUM))
+-AFLAGS_REMOVE_head.o          += $(CC_FLAGS_MARCH)
+-AFLAGS_head.o                 += $(CC_FLAGS_MARCH_MINIMUM)
+-AFLAGS_REMOVE_mem.o           += $(CC_FLAGS_MARCH)
+-AFLAGS_mem.o                  += $(CC_FLAGS_MARCH_MINIMUM)
+-CFLAGS_REMOVE_als.o           += $(CC_FLAGS_MARCH)
+-CFLAGS_als.o                  += $(CC_FLAGS_MARCH_MINIMUM)
+-CFLAGS_REMOVE_sclp_early_core.o       += $(CC_FLAGS_MARCH)
+-CFLAGS_sclp_early_core.o      += $(CC_FLAGS_MARCH_MINIMUM)
+-endif
++KBUILD_AFLAGS := $(filter-out $(CC_FLAGS_MARCH),$(KBUILD_AFLAGS_DECOMPRESSOR))
++KBUILD_CFLAGS := $(filter-out $(CC_FLAGS_MARCH),$(KBUILD_CFLAGS_DECOMPRESSOR))
++KBUILD_AFLAGS += $(CC_FLAGS_MARCH_MINIMUM)
++KBUILD_CFLAGS += $(CC_FLAGS_MARCH_MINIMUM)
+ CFLAGS_sclp_early_core.o += -I$(srctree)/drivers/s390/char
+-- 
+2.43.0
+
diff --git a/queue-5.4/s390-cpum_sf-remove-warn_on_once-statements.patch b/queue-5.4/s390-cpum_sf-remove-warn_on_once-statements.patch
new file mode 100644 (file)
index 0000000..36213d7
--- /dev/null
@@ -0,0 +1,71 @@
+From 51a2be9a397ba6db8e66774bccf9f3ce20ad2171 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Jul 2024 12:23:47 +0200
+Subject: s390/cpum_sf: Remove WARN_ON_ONCE statements
+
+From: Thomas Richter <tmricht@linux.ibm.com>
+
+[ Upstream commit b495e710157606889f2d8bdc62aebf2aa02f67a7 ]
+
+Remove WARN_ON_ONCE statements. These have not triggered in the
+past.
+
+Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
+Acked-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
+Cc: Heiko Carstens <hca@linux.ibm.com>
+Cc: Vasily Gorbik <gor@linux.ibm.com>
+Cc: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/kernel/perf_cpum_sf.c | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c
+index b83bddf35e068..4f251cd624d7e 100644
+--- a/arch/s390/kernel/perf_cpum_sf.c
++++ b/arch/s390/kernel/perf_cpum_sf.c
+@@ -1412,7 +1412,7 @@ static int aux_output_begin(struct perf_output_handle *handle,
+       unsigned long head, base, offset;
+       struct hws_trailer_entry *te;
+-      if (WARN_ON_ONCE(handle->head & ~PAGE_MASK))
++      if (handle->head & ~PAGE_MASK)
+               return -EINVAL;
+       aux->head = handle->head >> PAGE_SHIFT;
+@@ -1580,7 +1580,7 @@ static void hw_collect_aux(struct cpu_hw_sf *cpuhw)
+       unsigned long num_sdb;
+       aux = perf_get_aux(handle);
+-      if (WARN_ON_ONCE(!aux))
++      if (!aux)
+               return;
+       /* Inform user space new data arrived */
+@@ -1599,7 +1599,7 @@ static void hw_collect_aux(struct cpu_hw_sf *cpuhw)
+                       debug_sprintf_event(sfdbg, 1, "AUX buffer used up\n");
+                       break;
+               }
+-              if (WARN_ON_ONCE(!aux))
++              if (!aux)
+                       return;
+               /* Update head and alert_mark to new position */
+@@ -1836,12 +1836,8 @@ static void cpumsf_pmu_start(struct perf_event *event, int flags)
+ {
+       struct cpu_hw_sf *cpuhw = this_cpu_ptr(&cpu_hw_sf);
+-      if (WARN_ON_ONCE(!(event->hw.state & PERF_HES_STOPPED)))
++      if (!(event->hw.state & PERF_HES_STOPPED))
+               return;
+-
+-      if (flags & PERF_EF_RELOAD)
+-              WARN_ON_ONCE(!(event->hw.state & PERF_HES_UPTODATE));
+-
+       perf_pmu_disable(event->pmu);
+       event->hw.state = 0;
+       cpuhw->lsctl.cs = 1;
+-- 
+2.43.0
+
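Review bot: The early exits in aux_output_begin() and hw_collect_aux() are now completely silent, so a misaligned `handle->head` or a missing AUX buffer leaves no trace for anyone investigating lost samples later. The file already logs through the s390 debug feature a few lines further down (`debug_sprintf_event(sfdbg, 1, "AUX buffer used up\n")`); a similar line before `return -EINVAL;`, for example `debug_sprintf_event(sfdbg, 1, "%s: unaligned head %#lx\n", __func__, handle->head);`, would keep the diagnostic without a WARN splat. In cpumsf_pmu_start() the `flags` argument is no longer read in the lines shown once the PERF_EF_RELOAD check is gone, so confirm whether the rest of the function still uses it. All of these functions start or end outside the hunks shown.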
diff --git a/queue-5.4/s390-facility-disable-compile-time-optimization-for-.patch b/queue-5.4/s390-facility-disable-compile-time-optimization-for-.patch
new file mode 100644 (file)
index 0000000..e94429f
--- /dev/null
@@ -0,0 +1,45 @@
+From 180c4de3ef3e687ce30e46ed51f55feb94f50fdf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Sep 2024 11:39:24 +0200
+Subject: s390/facility: Disable compile time optimization for decompressor
+ code
+
+From: Heiko Carstens <hca@linux.ibm.com>
+
+[ Upstream commit 0147addc4fb72a39448b8873d8acdf3a0f29aa65 ]
+
+Disable compile time optimizations of test_facility() for the
+decompressor. The decompressor should not contain any optimized code
+depending on the architecture level set the kernel image is compiled
+for to avoid unexpected operation exceptions.
+
+Add a __DECOMPRESSOR check to test_facility() to enforce that
+facilities are always checked during runtime for the decompressor.
+
+Reviewed-by: Sven Schnelle <svens@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/include/asm/facility.h | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/arch/s390/include/asm/facility.h b/arch/s390/include/asm/facility.h
+index 68c476b20b57e..c7031d9ada293 100644
+--- a/arch/s390/include/asm/facility.h
++++ b/arch/s390/include/asm/facility.h
+@@ -53,8 +53,10 @@ static inline int test_facility(unsigned long nr)
+       unsigned long facilities_als[] = { FACILITIES_ALS };
+       if (__builtin_constant_p(nr) && nr < sizeof(facilities_als) * 8) {
+-              if (__test_facility(nr, &facilities_als))
+-                      return 1;
++              if (__test_facility(nr, &facilities_als)) {
++                      if (!__is_defined(__DECOMPRESSOR))
++                              return 1;
++              }
+       }
+       return __test_facility(nr, &S390_lowcore.stfle_fac_list);
+ }
+-- 
+2.43.0
+
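Review bot: The new `__is_defined(__DECOMPRESSOR)` test only has an effect if the decompressor objects are built with `-D__DECOMPRESSOR`, and nothing in this hunk shows that the 5.4 build does so. If the macro is not defined there, the check evaluates to 0 without any diagnostic and the compile-time shortcut stays active, so it is worth confirming against the 5.4 s390 build flags before relying on this backport. A short comment above the inner `if` would also help, for example `/* The decompressor must always test facilities at run time */`. test_facility() begins before the hunk.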
diff --git a/queue-5.4/s390-mm-add-cond_resched-to-cmm_alloc-free_pages.patch b/queue-5.4/s390-mm-add-cond_resched-to-cmm_alloc-free_pages.patch
new file mode 100644 (file)
index 0000000..4c528e4
--- /dev/null
@@ -0,0 +1,69 @@
+From 84b450e4cdd01609813dafae24d86e643b172f62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Sep 2024 14:02:19 +0200
+Subject: s390/mm: Add cond_resched() to cmm_alloc/free_pages()
+
+From: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
+
+[ Upstream commit 131b8db78558120f58c5dc745ea9655f6b854162 ]
+
+Adding/removing large amount of pages at once to/from the CMM balloon
+can result in rcu_sched stalls or workqueue lockups, because of busy
+looping w/o cond_resched().
+
+Prevent this by adding a cond_resched(). cmm_free_pages() holds a
+spin_lock while looping, so it cannot be added directly to the existing
+loop. Instead, introduce a wrapper function that operates on maximum 256
+pages at once, and add it there.
+
+Signed-off-by: Gerald Schaefer <gerald.schaefer@linux.ibm.com>
+Reviewed-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/s390/mm/cmm.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/arch/s390/mm/cmm.c b/arch/s390/mm/cmm.c
+index a51c892f14f3e..756aefbd05249 100644
+--- a/arch/s390/mm/cmm.c
++++ b/arch/s390/mm/cmm.c
+@@ -98,11 +98,12 @@ static long cmm_alloc_pages(long nr, long *counter,
+               (*counter)++;
+               spin_unlock(&cmm_lock);
+               nr--;
++              cond_resched();
+       }
+       return nr;
+ }
+-static long cmm_free_pages(long nr, long *counter, struct cmm_page_array **list)
++static long __cmm_free_pages(long nr, long *counter, struct cmm_page_array **list)
+ {
+       struct cmm_page_array *pa;
+       unsigned long addr;
+@@ -126,6 +127,21 @@ static long cmm_free_pages(long nr, long *counter, struct cmm_page_array **list)
+       return nr;
+ }
++static long cmm_free_pages(long nr, long *counter, struct cmm_page_array **list)
++{
++      long inc = 0;
++
++      while (nr) {
++              inc = min(256L, nr);
++              nr -= inc;
++              inc = __cmm_free_pages(inc, counter, list);
++              if (inc)
++                      break;
++              cond_resched();
++      }
++      return nr + inc;
++}
++
+ static int cmm_oom_notify(struct notifier_block *self,
+                         unsigned long dummy, void *parm)
+ {
+-- 
+2.43.0
+
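Review bot: The batch size `256L` in the new cmm_free_pages() wrapper is a bare constant, and the wrapper carries no comment saying why it exists. The reason is only in the commit message: the inner loop runs under a spin lock, so cond_resched() has to sit between batches. A named constant such as `#define CMM_FREE_BATCH 256L` (name constructed here) plus `/* Free in batches so cond_resched() can run with cmm_lock dropped */` above the loop would keep that visible in the source. It would also help to state that the return value `nr + inc` appears to be the number of requested pages that were not freed, since callers depend on that contract. __cmm_free_pages() and cmm_alloc_pages() extend outside the hunks shown.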
index c0ad0dd45269bc6fa6cfaf22d6d9570b73b97a86..ba898284738c1bdc0d19d22f1a70ecb07f48c716 100644 (file)
@@ -310,3 +310,22 @@ drm-crtc-fix-uninitialized-variable-use-even-harder.patch
 tracing-have-saved_cmdlines-arrays-all-in-one-alloca.patch
 virtio_console-fix-misc-probe-bugs.patch
 input-synaptics-rmi4-fix-uaf-of-irq-domain-on-driver.patch
+bpf-check-percpu-map-value-size-first.patch
+s390-boot-compile-all-files-with-the-same-march-flag.patch
+s390-facility-disable-compile-time-optimization-for-.patch
+s390-mm-add-cond_resched-to-cmm_alloc-free_pages.patch
+ext4-nested-locking-for-xattr-inode.patch
+s390-cpum_sf-remove-warn_on_once-statements.patch
+ktest.pl-avoid-false-positives-with-grub2-skip-regex.patch
+clk-bcm-bcm53573-fix-of-node-leak-in-init.patch
+pci-add-acs-quirk-for-qualcomm-sa8775p.patch
+i2c-i801-use-a-different-adapter-name-for-idf-adapte.patch
+pci-mark-creative-labs-emu20k2-intx-masking-as-broke.patch
+ntb-ntb_hw_switchtec-fix-use-after-free-vulnerabilit.patch
+media-videobuf2-core-clear-memory-related-fields-in-.patch
+usb-chipidea-udc-enable-suspend-interrupt-after-usb-.patch
+usb-dwc2-adjust-the-timing-of-usb-driver-interrupt-r.patch
+virtio_pmem-check-device-status-before-requesting-fl.patch
+tools-iio-add-memory-allocation-failure-check-for-tr.patch
+driver-core-bus-return-eio-instead-of-0-when-show-st.patch
+fbdev-sisfb-fix-strbuf-array-overflow.patch
diff --git a/queue-5.4/tools-iio-add-memory-allocation-failure-check-for-tr.patch b/queue-5.4/tools-iio-add-memory-allocation-failure-check-for-tr.patch
new file mode 100644 (file)
index 0000000..081cb1c
--- /dev/null
@@ -0,0 +1,38 @@
+From eb813dfeded61149c56089d9a97df5e6913775e7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 28 Aug 2024 02:31:29 -0700
+Subject: tools/iio: Add memory allocation failure check for trigger_name
+
+From: Zhu Jun <zhujun2@cmss.chinamobile.com>
+
+[ Upstream commit 3c6b818b097dd6932859bcc3d6722a74ec5931c1 ]
+
+Added a check to handle memory allocation failure for `trigger_name`
+and return `-ENOMEM`.
+
+Signed-off-by: Zhu Jun <zhujun2@cmss.chinamobile.com>
+Link: https://patch.msgid.link/20240828093129.3040-1-zhujun2@cmss.chinamobile.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/iio/iio_generic_buffer.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tools/iio/iio_generic_buffer.c b/tools/iio/iio_generic_buffer.c
+index 2fd10eab75b53..5ef09ac6e7cf7 100644
+--- a/tools/iio/iio_generic_buffer.c
++++ b/tools/iio/iio_generic_buffer.c
+@@ -479,6 +479,10 @@ int main(int argc, char **argv)
+                       return -ENOMEM;
+               }
+               trigger_name = malloc(IIO_MAX_NAME_LENGTH);
++              if (!trigger_name) {
++                      ret = -ENOMEM;
++                      goto error;
++              }
+               ret = read_sysfs_string("name", trig_dev_name, trigger_name);
+               free(trig_dev_name);
+               if (ret < 0) {
+-- 
+2.43.0
+
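Review bot: The new `goto error` path skips the `free(trig_dev_name);` that the normal path reaches two lines later, so that buffer leaks when `malloc(IIO_MAX_NAME_LENGTH)` fails, unless the `error:` label (outside this hunk) releases it. `trig_dev_name` is live at this point, since it is passed to read_sysfs_string() on the following line. Adding `free(trig_dev_name);` before `ret = -ENOMEM;` closes the gap. The failure branch in the context lines above still uses a direct `return -ENOMEM;`, so the two allocation failures are handled differently; routing both through `error` would be more consistent. main() starts and ends outside the hunk.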
diff --git a/queue-5.4/usb-chipidea-udc-enable-suspend-interrupt-after-usb-.patch b/queue-5.4/usb-chipidea-udc-enable-suspend-interrupt-after-usb-.patch
new file mode 100644 (file)
index 0000000..af68069
--- /dev/null
@@ -0,0 +1,59 @@
+From 524b830191540c6a90c91b3f317b7a41146bf1f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 23 Aug 2024 15:38:32 +0800
+Subject: usb: chipidea: udc: enable suspend interrupt after usb reset
+
+From: Xu Yang <xu.yang_2@nxp.com>
+
+[ Upstream commit e4fdcc10092fb244218013bfe8ff01c55d54e8e4 ]
+
+Currently, suspend interrupt is enabled before pullup enable operation.
+This will cause a suspend interrupt assert right after pullup DP. This
+suspend interrupt is meaningless, so this will ignore such interrupt
+by enable it after usb reset completed.
+
+Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
+Acked-by: Peter Chen <peter.chen@kernel.org>
+Link: https://lore.kernel.org/r/20240823073832.1702135-1-xu.yang_2@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/chipidea/udc.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/chipidea/udc.c b/drivers/usb/chipidea/udc.c
+index 21c299c85505d..72d62abb6f285 100644
+--- a/drivers/usb/chipidea/udc.c
++++ b/drivers/usb/chipidea/udc.c
+@@ -82,7 +82,7 @@ static int hw_device_state(struct ci_hdrc *ci, u32 dma)
+               hw_write(ci, OP_ENDPTLISTADDR, ~0, dma);
+               /* interrupt, error, port change, reset, sleep/suspend */
+               hw_write(ci, OP_USBINTR, ~0,
+-                           USBi_UI|USBi_UEI|USBi_PCI|USBi_URI|USBi_SLI);
++                           USBi_UI|USBi_UEI|USBi_PCI|USBi_URI);
+       } else {
+               hw_write(ci, OP_USBINTR, ~0, 0);
+       }
+@@ -749,6 +749,7 @@ __releases(ci->lock)
+ __acquires(ci->lock)
+ {
+       int retval;
++      u32 intr;
+       spin_unlock(&ci->lock);
+       if (ci->gadget.speed != USB_SPEED_UNKNOWN)
+@@ -762,6 +763,11 @@ __acquires(ci->lock)
+       if (retval)
+               goto done;
++      /* clear SLI */
++      hw_write(ci, OP_USBSTS, USBi_SLI, USBi_SLI);
++      intr = hw_read(ci, OP_USBINTR, ~0);
++      hw_write(ci, OP_USBINTR, ~0, intr | USBi_SLI);
++
+       ci->status = usb_ep_alloc_request(&ci->ep0in->ep, GFP_ATOMIC);
+       if (ci->status == NULL)
+               retval = -ENOMEM;
+-- 
+2.43.0
+
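Review bot: The status clear `hw_write(ci, OP_USBSTS, USBi_SLI, USBi_SLI);` passes a partial mask, and if hw_write() implements a partial mask as a read-modify-write (its definition is not part of this hunk), the value written back to OP_USBSTS also contains every other status bit that happens to be set. If that register is write-one-to-clear, as status registers of this kind usually are, those pending events would be acknowledged as well; `hw_write(ci, OP_USBSTS, ~0, USBi_SLI);` would touch only SLI. Conversely, the enable step could rely on the mask and drop the `intr` local: `hw_write(ci, OP_USBINTR, USBi_SLI, USBi_SLI);`. The reset handler starts and ends outside the hunk.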
diff --git a/queue-5.4/usb-dwc2-adjust-the-timing-of-usb-driver-interrupt-r.patch b/queue-5.4/usb-dwc2-adjust-the-timing-of-usb-driver-interrupt-r.patch
new file mode 100644 (file)
index 0000000..7509efb
--- /dev/null
@@ -0,0 +1,125 @@
+From f04203db97575718416d4813309172048532875f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 30 Aug 2024 11:17:09 +0800
+Subject: usb: dwc2: Adjust the timing of USB Driver Interrupt Registration in
+ the Crashkernel Scenario
+
+From: Shawn Shao <shawn.shao@jaguarmicro.com>
+
+[ Upstream commit 4058c39bd176daf11a826802d940d86292a6b02b ]
+
+The issue is that before entering the crash kernel, the DWC USB controller
+did not perform operations such as resetting the interrupt mask bits.
+After entering the crash kernel,before the USB interrupt handler
+registration was completed while loading the DWC USB driver,an GINTSTS_SOF
+interrupt was received.This triggered the misroute_irq process within the
+GIC handling framework,ultimately leading to the misrouting of the
+interrupt,causing it to be handled by the wrong interrupt handler
+and resulting in the issue.
+
+Summary:In a scenario where the kernel triggers a panic and enters
+the crash kernel,it is necessary to ensure that the interrupt mask
+bit is not enabled before the interrupt registration is complete.
+If an interrupt reaches the CPU at this moment,it will certainly
+not be handled correctly,especially in cases where this interrupt
+is reported frequently.
+
+Please refer to the Crashkernel dmesg information as follows
+(the message on line 3 was added before devm_request_irq is
+called by the dwc2_driver_probe function):
+[    5.866837][    T1] dwc2 JMIC0010:01: supply vusb_d not found, using dummy regulator
+[    5.874588][    T1] dwc2 JMIC0010:01: supply vusb_a not found, using dummy regulator
+[    5.882335][    T1] dwc2 JMIC0010:01: before devm_request_irq  irq: [71], gintmsk[0xf300080e], gintsts[0x04200009]
+[    5.892686][    C0] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.10.0-jmnd1.2_RC #18
+[    5.900327][    C0] Hardware name: CMSS HyperCard4-25G/HyperCard4-25G, BIOS 1.6.4 Jul  8 2024
+[    5.908836][    C0] Call trace:
+[    5.911965][    C0]  dump_backtrace+0x0/0x1f0
+[    5.916308][    C0]  show_stack+0x20/0x30
+[    5.920304][    C0]  dump_stack+0xd8/0x140
+[    5.924387][    C0]  pcie_xxx_handler+0x3c/0x1d8
+[    5.930121][    C0]  __handle_irq_event_percpu+0x64/0x1e0
+[    5.935506][    C0]  handle_irq_event+0x80/0x1d0
+[    5.940109][    C0]  try_one_irq+0x138/0x174
+[    5.944365][    C0]  misrouted_irq+0x134/0x140
+[    5.948795][    C0]  note_interrupt+0x1d0/0x30c
+[    5.953311][    C0]  handle_irq_event+0x13c/0x1d0
+[    5.958001][    C0]  handle_fasteoi_irq+0xd4/0x260
+[    5.962779][    C0]  __handle_domain_irq+0x88/0xf0
+[    5.967555][    C0]  gic_handle_irq+0x9c/0x2f0
+[    5.971985][    C0]  el1_irq+0xb8/0x140
+[    5.975807][    C0]  __setup_irq+0x3dc/0x7cc
+[    5.980064][    C0]  request_threaded_irq+0xf4/0x1b4
+[    5.985015][    C0]  devm_request_threaded_irq+0x80/0x100
+[    5.990400][    C0]  dwc2_driver_probe+0x1b8/0x6b0
+[    5.995178][    C0]  platform_drv_probe+0x5c/0xb0
+[    5.999868][    C0]  really_probe+0xf8/0x51c
+[    6.004125][    C0]  driver_probe_device+0xfc/0x170
+[    6.008989][    C0]  device_driver_attach+0xc8/0xd0
+[    6.013853][    C0]  __driver_attach+0xe8/0x1b0
+[    6.018369][    C0]  bus_for_each_dev+0x7c/0xdc
+[    6.022886][    C0]  driver_attach+0x2c/0x3c
+[    6.027143][    C0]  bus_add_driver+0xdc/0x240
+[    6.031573][    C0]  driver_register+0x80/0x13c
+[    6.036090][    C0]  __platform_driver_register+0x50/0x5c
+[    6.041476][    C0]  dwc2_platform_driver_init+0x24/0x30
+[    6.046774][    C0]  do_one_initcall+0x50/0x25c
+[    6.051291][    C0]  do_initcall_level+0xe4/0xfc
+[    6.055894][    C0]  do_initcalls+0x80/0xa4
+[    6.060064][    C0]  kernel_init_freeable+0x198/0x240
+[    6.065102][    C0]  kernel_init+0x1c/0x12c
+
+Signed-off-by: Shawn Shao <shawn.shao@jaguarmicro.com>
+Link: https://lore.kernel.org/r/20240830031709.134-1-shawn.shao@jaguarmicro.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/dwc2/platform.c | 26 ++++++++++++++------------
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/usb/dwc2/platform.c b/drivers/usb/dwc2/platform.c
+index 4f640c0c51b39..717fd0c0bccca 100644
+--- a/drivers/usb/dwc2/platform.c
++++ b/drivers/usb/dwc2/platform.c
+@@ -407,18 +407,6 @@ static int dwc2_driver_probe(struct platform_device *dev)
+       spin_lock_init(&hsotg->lock);
+-      hsotg->irq = platform_get_irq(dev, 0);
+-      if (hsotg->irq < 0)
+-              return hsotg->irq;
+-
+-      dev_dbg(hsotg->dev, "registering common handler for irq%d\n",
+-              hsotg->irq);
+-      retval = devm_request_irq(hsotg->dev, hsotg->irq,
+-                                dwc2_handle_common_intr, IRQF_SHARED,
+-                                dev_name(hsotg->dev), hsotg);
+-      if (retval)
+-              return retval;
+-
+       hsotg->vbus_supply = devm_regulator_get_optional(hsotg->dev, "vbus");
+       if (IS_ERR(hsotg->vbus_supply)) {
+               retval = PTR_ERR(hsotg->vbus_supply);
+@@ -454,6 +442,20 @@ static int dwc2_driver_probe(struct platform_device *dev)
+       if (retval)
+               goto error;
++      hsotg->irq = platform_get_irq(dev, 0);
++      if (hsotg->irq < 0) {
++              retval = hsotg->irq;
++              goto error;
++      }
++
++      dev_dbg(hsotg->dev, "registering common handler for irq%d\n",
++              hsotg->irq);
++      retval = devm_request_irq(hsotg->dev, hsotg->irq,
++                                dwc2_handle_common_intr, IRQF_SHARED,
++                                dev_name(hsotg->dev), hsotg);
++      if (retval)
++              goto error;
++
+       /*
+        * For OTG cores, set the force mode bits to reflect the value
+        * of dr_mode. Force mode bits should not be touched at any
+-- 
+2.43.0
+
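Review bot: The relocated `devm_request_irq()` block has no comment explaining why it must sit this late in dwc2_driver_probe(); the reason (a crash kernel can inherit unmasked controller interrupts) is only in the commit message, so a later cleanup could move it back. A comment such as `/* Request the IRQ only after the core has been brought to a known state; a kdump kernel may inherit an unmasked GINTMSK */` would record the constraint. The call that precedes the new position is not visible in the hunk, so confirm that in the 5.4 ordering it follows the step that clears the interrupt mask. Because the line is requested with IRQF_SHARED, the handler can run as soon as registration completes, so everything dwc2_handle_common_intr reads from `hsotg` must be set up by then. dwc2_driver_probe() starts and ends outside the hunk.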
diff --git a/queue-5.4/virtio_pmem-check-device-status-before-requesting-fl.patch b/queue-5.4/virtio_pmem-check-device-status-before-requesting-fl.patch
new file mode 100644 (file)
index 0000000..50c6512
--- /dev/null
@@ -0,0 +1,47 @@
+From 3cee62f65e9752356a1310fe8ffaa36926739ef2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Aug 2024 21:53:13 +0000
+Subject: virtio_pmem: Check device status before requesting flush
+
+From: Philip Chen <philipchen@chromium.org>
+
+[ Upstream commit e25fbcd97cf52c3c9824d44b5c56c19673c3dd50 ]
+
+If a pmem device is in a bad status, the driver side could wait for
+host ack forever in virtio_pmem_flush(), causing the system to hang.
+
+So add a status check in the beginning of virtio_pmem_flush() to return
+early if the device is not activated.
+
+Signed-off-by: Philip Chen <philipchen@chromium.org>
+Message-Id: <20240826215313.2673566-1-philipchen@chromium.org>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Pankaj Gupta <pankaj.gupta.linux@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvdimm/nd_virtio.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/nvdimm/nd_virtio.c b/drivers/nvdimm/nd_virtio.c
+index 10351d5b49fac..41e97c6567cf9 100644
+--- a/drivers/nvdimm/nd_virtio.c
++++ b/drivers/nvdimm/nd_virtio.c
+@@ -44,6 +44,15 @@ static int virtio_pmem_flush(struct nd_region *nd_region)
+       unsigned long flags;
+       int err, err1;
++      /*
++       * Don't bother to submit the request to the device if the device is
++       * not activated.
++       */
++      if (vdev->config->get_status(vdev) & VIRTIO_CONFIG_S_NEEDS_RESET) {
++              dev_info(&vdev->dev, "virtio pmem device needs a reset\n");
++              return -EIO;
++      }
++
+       might_sleep();
+       req_data = kmalloc(sizeof(*req_data), GFP_KERNEL);
+       if (!req_data)
+-- 
+2.43.0
+
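Review bot: The `dev_info()` in the new NEEDS_RESET branch of virtio_pmem_flush() is emitted on every flush attempt, so a device that stays in that state can fill the kernel log and push out other messages. `dev_info_ratelimited(&vdev->dev, "virtio pmem device needs a reset\n");` would bound that. The comment says the device is "not activated" while the code tests `VIRTIO_CONFIG_S_NEEDS_RESET`; wording it as `/* Don't submit the request if the device has signalled that it needs a reset. */` would match the check. virtio_pmem_flush() starts before the hunk and continues past it.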