--- /dev/null
+From 3b4309546b48fc167aa615a2d881a09c0a97971f Mon Sep 17 00:00:00 2001
+From: Kuan-Wei Chiu <visitorckw@gmail.com>
+Date: Wed, 29 Jan 2025 00:54:15 +0800
+Subject: ALSA: hda: Fix headset detection failure due to unstable sort
+
+From: Kuan-Wei Chiu <visitorckw@gmail.com>
+
+commit 3b4309546b48fc167aa615a2d881a09c0a97971f upstream.
+
+The auto_parser assumed sort() was stable, but the kernel's sort() uses
+heapsort, which has never been stable. After commit 0e02ca29a563
+("lib/sort: optimize heapsort with double-pop variation"), the order of
+equal elements changed, causing the headset to fail to work.
+
+Fix the issue by recording the original order of elements before
+sorting and using it as a tiebreaker for equal elements in the
+comparison function.
+
+Fixes: b9030a005d58 ("ALSA: hda - Use standard sort function in hda_auto_parser.c")
+Reported-by: Austrum <austrum.lab@gmail.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=219158
+Tested-by: Austrum <austrum.lab@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Kuan-Wei Chiu <visitorckw@gmail.com>
+Link: https://patch.msgid.link/20250128165415.643223-1-visitorckw@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/hda_auto_parser.c | 8 +++++++-
+ sound/pci/hda/hda_auto_parser.h | 1 +
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/hda_auto_parser.c
++++ b/sound/pci/hda/hda_auto_parser.c
+@@ -80,7 +80,11 @@ static int compare_input_type(const void
+
+ /* In case one has boost and the other one has not,
+ pick the one with boost first. */
+- return (int)(b->has_boost_on_pin - a->has_boost_on_pin);
++ if (a->has_boost_on_pin != b->has_boost_on_pin)
++ return (int)(b->has_boost_on_pin - a->has_boost_on_pin);
++
++ /* Keep the original order */
++ return a->order - b->order;
+ }
+
+ /* Reorder the surround channels
+@@ -400,6 +404,8 @@ int snd_hda_parse_pin_defcfg(struct hda_
+ reorder_outputs(cfg->speaker_outs, cfg->speaker_pins);
+
+ /* sort inputs in the order of AUTO_PIN_* type */
++ for (i = 0; i < cfg->num_inputs; i++)
++ cfg->inputs[i].order = i;
+ sort(cfg->inputs, cfg->num_inputs, sizeof(cfg->inputs[0]),
+ compare_input_type, NULL);
+
+--- a/sound/pci/hda/hda_auto_parser.h
++++ b/sound/pci/hda/hda_auto_parser.h
+@@ -37,6 +37,7 @@ struct auto_pin_cfg_item {
+ unsigned int is_headset_mic:1;
+ unsigned int is_headphone_mic:1; /* Mic-only in headphone jack */
+ unsigned int has_boost_on_pin:1;
++ int order;
+ };
+
+ struct auto_pin_cfg;
--- /dev/null
+From 1aec3ed2e3e1512aba15e7e790196a44efd5f0a7 Mon Sep 17 00:00:00 2001
+From: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
+Date: Tue, 14 Jan 2025 14:06:19 -0300
+Subject: ALSA: hda/realtek: Enable headset mic on Positivo C6400
+
+From: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
+
+commit 1aec3ed2e3e1512aba15e7e790196a44efd5f0a7 upstream.
+
+Positivo C6400 is equipped with ALC269VB, and it needs
+ALC269VB_FIXUP_ASUS_ZENBOOK quirk to make its headset mic work.
+Also must to limits the microphone boost.
+
+Signed-off-by: Edson Juliano Drosdeck <edson.drosdeck@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20250114170619.11510-1-edson.drosdeck@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10402,6 +10402,7 @@ static const struct hda_quirk alc269_fix
+ SND_PCI_QUIRK(0x17aa, 0x511f, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
+ SND_PCI_QUIRK(0x17aa, 0x9e54, "LENOVO NB", ALC269_FIXUP_LENOVO_EAPD),
+ SND_PCI_QUIRK(0x17aa, 0x9e56, "Lenovo ZhaoYang CF4620Z", ALC286_FIXUP_SONY_MIC_NO_PRESENCE),
++ SND_PCI_QUIRK(0x1849, 0x0269, "Positivo Master C6400", ALC269VB_FIXUP_ASUS_ZENBOOK),
+ SND_PCI_QUIRK(0x1849, 0x1233, "ASRock NUC Box 1100", ALC233_FIXUP_NO_AUDIO_JACK),
+ SND_PCI_QUIRK(0x1849, 0xa233, "Positivo Master C6300", ALC269_FIXUP_HEADSET_MIC),
+ SND_PCI_QUIRK(0x19e5, 0x3204, "Huawei MACH-WX9", ALC256_FIXUP_HUAWEI_MACH_WX9_PINS),
--- /dev/null
+From b615fbd70fce8582d92b3bdbbf3c9b80cadcfb55 Mon Sep 17 00:00:00 2001
+From: Brad Griffis <bgriffis@nvidia.com>
+Date: Fri, 13 Dec 2024 23:56:02 +0000
+Subject: arm64: tegra: Fix Tegra234 PCIe interrupt-map
+
+From: Brad Griffis <bgriffis@nvidia.com>
+
+commit b615fbd70fce8582d92b3bdbbf3c9b80cadcfb55 upstream.
+
+For interrupt-map entries, the DTS specification requires
+that #address-cells is defined for both the child node and the
+interrupt parent. For the PCIe interrupt-map entries, the parent
+node ("gic") has not specified #address-cells. The existing layout
+of the PCIe interrupt-map entries indicates that it assumes
+that #address-cells is zero for this node.
+
+Explicitly set #address-cells to zero for "gic" so that it complies
+with the device tree specification.
+
+NVIDIA EDK2 works around this issue by assuming #address-cells
+is zero in this scenario, but that workaround is being removed and so
+this update is needed or else NVIDIA EDK2 cannot successfully parse the
+device tree and the board cannot boot.
+
+Fixes: ec142c44b026 ("arm64: tegra: Add P2U and PCIe controller nodes to Tegra234 DT")
+Signed-off-by: Brad Griffis <bgriffis@nvidia.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20241213235602.452303-1-bgriffis@nvidia.com
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/nvidia/tegra234.dtsi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/boot/dts/nvidia/tegra234.dtsi
++++ b/arch/arm64/boot/dts/nvidia/tegra234.dtsi
+@@ -1912,6 +1912,8 @@
+ #redistributor-regions = <1>;
+ #interrupt-cells = <3>;
+ interrupt-controller;
++
++ #address-cells = <0>;
+ };
+
+ smmu_iso: iommu@10000000 {
--- /dev/null
+From b9a8ea185f3f8024619b2e74b74375493c87df8c Mon Sep 17 00:00:00 2001
+From: Mario Limonciello <mario.limonciello@amd.com>
+Date: Wed, 22 Jan 2025 20:49:13 -0600
+Subject: ASoC: acp: Support microphone from Lenovo Go S
+
+From: Mario Limonciello <mario.limonciello@amd.com>
+
+commit b9a8ea185f3f8024619b2e74b74375493c87df8c upstream.
+
+On Lenovo Go S there is a DMIC connected to the ACP but the firmware
+has no `AcpDmicConnected` ACPI _DSD.
+
+Add a DMI entry for all possible Lenovo Go S SKUs to enable DMIC.
+
+Cc: nijs1@lenovo.com
+Cc: pgriffais@valvesoftware.com
+Cc: mpearson-lenovo@squebb.ca
+Cc: stable@vger.kernel.org
+Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://patch.msgid.link/20250123024915.2457115-1-superm1@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/amd/yc/acp6x-mach.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+--- a/sound/soc/amd/yc/acp6x-mach.c
++++ b/sound/soc/amd/yc/acp6x-mach.c
+@@ -307,6 +307,34 @@ static const struct dmi_system_id yc_acp
+ {
+ .driver_data = &acp6x_card,
+ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "83L3"),
++ }
++ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "83N6"),
++ }
++ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "83Q2"),
++ }
++ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "83Q3"),
++ }
++ },
++ {
++ .driver_data = &acp6x_card,
++ .matches = {
+ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "UM5302TA"),
+ }
--- /dev/null
+From d1248436cbef1f924c04255367ff4845ccd9025e Mon Sep 17 00:00:00 2001
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+Date: Sun, 5 Jan 2025 16:34:03 +0800
+Subject: blk-cgroup: Fix class @block_class's subsystem refcount leakage
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+commit d1248436cbef1f924c04255367ff4845ccd9025e upstream.
+
+blkcg_fill_root_iostats() iterates over @block_class's devices by
+class_dev_iter_(init|next)(), but does not end iterating with
+class_dev_iter_exit(), so causes the class's subsystem refcount leakage.
+
+Fix by ending the iterating with class_dev_iter_exit().
+
+Fixes: ef45fe470e1e ("blk-cgroup: show global disk stats in root cgroup io.stat")
+Reviewed-by: Michal Koutný <mkoutny@suse.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: stable@vger.kernel.org
+Acked-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20250105-class_fix-v6-2-3a2f1768d4d4@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-cgroup.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/block/blk-cgroup.c
++++ b/block/blk-cgroup.c
+@@ -1139,6 +1139,7 @@ static void blkcg_fill_root_iostats(void
+ blkg_iostat_set(&blkg->iostat.cur, &tmp);
+ u64_stats_update_end_irqrestore(&blkg->iostat.sync, flags);
+ }
++ class_dev_iter_exit(&iter);
+ }
+
+ static void blkcg_print_one_stat(struct blkcg_gq *blkg, struct seq_file *s)
--- /dev/null
+From b13ee668e8280ca5b07f8ce2846b9957a8a10853 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Thu, 23 Jan 2025 06:18:41 -0700
+Subject: block: don't revert iter for -EIOCBQUEUED
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit b13ee668e8280ca5b07f8ce2846b9957a8a10853 upstream.
+
+blkdev_read_iter() has a few odd checks, like gating the position and
+count adjustment on whether or not the result is bigger-than-or-equal to
+zero (where bigger than makes more sense), and not checking the return
+value of blkdev_direct_IO() before doing an iov_iter_revert(). The
+latter can lead to attempting to revert with a negative value, which
+when passed to iov_iter_revert() as an unsigned value will lead to
+throwing a WARN_ON() because unroll is bigger than MAX_RW_COUNT.
+
+Be sane and don't revert for -EIOCBQUEUED, like what is done in other
+spots.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/fops.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/block/fops.c
++++ b/block/fops.c
+@@ -718,11 +718,12 @@ static ssize_t blkdev_read_iter(struct k
+ file_accessed(iocb->ki_filp);
+
+ ret = blkdev_direct_IO(iocb, to);
+- if (ret >= 0) {
++ if (ret > 0) {
+ iocb->ki_pos += ret;
+ count -= ret;
+ }
+- iov_iter_revert(to, count - iov_iter_count(to));
++ if (ret != -EIOCBQUEUED)
++ iov_iter_revert(to, count - iov_iter_count(to));
+ if (ret < 0 || !count)
+ goto reexpand;
+ }
--- /dev/null
+From 9fdbbdbbc92b1474a87b89f8b964892a63734492 Mon Sep 17 00:00:00 2001
+From: Hou Tao <houtao1@huawei.com>
+Date: Mon, 20 Jan 2025 16:29:49 +0800
+Subject: dm-crypt: don't update io->sector after kcryptd_crypt_write_io_submit()
+
+From: Hou Tao <houtao1@huawei.com>
+
+commit 9fdbbdbbc92b1474a87b89f8b964892a63734492 upstream.
+
+The updates of io->sector are the leftovers when dm-crypt allocated
+pages for partial write request. However, since commit cf2f1abfbd0db
+("dm crypt: don't allocate pages for a partial request"), there is no
+partial request anymore.
+
+After the introduction of write request rb-tree, the updates of
+io->sectors may interfere the insertion procedure, because ->sectors of
+these write requests which have already been added in the rb-tree may be
+changed during the insertion of new write request.
+
+Fix it by removing these buggy updates of io->sectors. Considering these
+updates only effect the write request rb-tree, the commit which
+introduces the write request rb-tree is used as the fix tag.
+
+Fixes: b3c5fd305249 ("dm crypt: sort writes")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-crypt.c | 14 +++-----------
+ 1 file changed, 3 insertions(+), 11 deletions(-)
+
+--- a/drivers/md/dm-crypt.c
++++ b/drivers/md/dm-crypt.c
+@@ -2068,7 +2068,6 @@ static void kcryptd_crypt_write_continue
+ struct crypt_config *cc = io->cc;
+ struct convert_context *ctx = &io->ctx;
+ int crypt_finished;
+- sector_t sector = io->sector;
+ blk_status_t r;
+
+ wait_for_completion(&ctx->restart);
+@@ -2085,10 +2084,8 @@ static void kcryptd_crypt_write_continue
+ }
+
+ /* Encryption was already finished, submit io now */
+- if (crypt_finished) {
++ if (crypt_finished)
+ kcryptd_crypt_write_io_submit(io, 0);
+- io->sector = sector;
+- }
+
+ crypt_dec_pending(io);
+ }
+@@ -2099,14 +2096,13 @@ static void kcryptd_crypt_write_convert(
+ struct convert_context *ctx = &io->ctx;
+ struct bio *clone;
+ int crypt_finished;
+- sector_t sector = io->sector;
+ blk_status_t r;
+
+ /*
+ * Prevent io from disappearing until this function completes.
+ */
+ crypt_inc_pending(io);
+- crypt_convert_init(cc, ctx, NULL, io->base_bio, sector);
++ crypt_convert_init(cc, ctx, NULL, io->base_bio, io->sector);
+
+ clone = crypt_alloc_buffer(io, io->base_bio->bi_iter.bi_size);
+ if (unlikely(!clone)) {
+@@ -2123,8 +2119,6 @@ static void kcryptd_crypt_write_convert(
+ io->ctx.iter_in = clone->bi_iter;
+ }
+
+- sector += bio_sectors(clone);
+-
+ crypt_inc_pending(io);
+ r = crypt_convert(cc, ctx,
+ test_bit(DM_CRYPT_NO_WRITE_WORKQUEUE, &cc->flags), true);
+@@ -2148,10 +2142,8 @@ static void kcryptd_crypt_write_convert(
+ }
+
+ /* Encryption was already finished, submit io now */
+- if (crypt_finished) {
++ if (crypt_finished)
+ kcryptd_crypt_write_io_submit(io, 0);
+- io->sector = sector;
+- }
+
+ dec:
+ crypt_dec_pending(io);
--- /dev/null
+From 8b8f8037765757861f899ed3a2bfb34525b5c065 Mon Sep 17 00:00:00 2001
+From: Hou Tao <houtao1@huawei.com>
+Date: Mon, 20 Jan 2025 16:29:51 +0800
+Subject: dm-crypt: track tag_offset in convert_context
+
+From: Hou Tao <houtao1@huawei.com>
+
+commit 8b8f8037765757861f899ed3a2bfb34525b5c065 upstream.
+
+dm-crypt uses tag_offset to index the integrity metadata for each crypt
+sector. When the initial crypt_convert() returns BLK_STS_DEV_RESOURCE,
+dm-crypt will try to continue the crypt/decrypt procedure in a kworker.
+However, it resets tag_offset as zero instead of using the tag_offset
+related with current sector. It may return unexpected data when using
+random IV or return unexpected integrity related error.
+
+Fix the problem by tracking tag_offset in per-IO convert_context.
+Therefore, when the crypt/decrypt procedure continues in a kworker, it
+could use the next tag_offset saved in convert_context.
+
+Fixes: 8abec36d1274 ("dm crypt: do not wait for backlogged crypto request completion in softirq")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-crypt.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/md/dm-crypt.c
++++ b/drivers/md/dm-crypt.c
+@@ -57,6 +57,7 @@ struct convert_context {
+ struct bio *bio_out;
+ struct bvec_iter iter_out;
+ atomic_t cc_pending;
++ unsigned int tag_offset;
+ u64 cc_sector;
+ union {
+ struct skcipher_request *req;
+@@ -1232,6 +1233,7 @@ static void crypt_convert_init(struct cr
+ if (bio_out)
+ ctx->iter_out = bio_out->bi_iter;
+ ctx->cc_sector = sector + cc->iv_offset;
++ ctx->tag_offset = 0;
+ init_completion(&ctx->restart);
+ }
+
+@@ -1564,7 +1566,6 @@ static void crypt_free_req(struct crypt_
+ static blk_status_t crypt_convert(struct crypt_config *cc,
+ struct convert_context *ctx, bool atomic, bool reset_pending)
+ {
+- unsigned int tag_offset = 0;
+ unsigned int sector_step = cc->sector_size >> SECTOR_SHIFT;
+ int r;
+
+@@ -1587,9 +1588,9 @@ static blk_status_t crypt_convert(struct
+ atomic_inc(&ctx->cc_pending);
+
+ if (crypt_integrity_aead(cc))
+- r = crypt_convert_block_aead(cc, ctx, ctx->r.req_aead, tag_offset);
++ r = crypt_convert_block_aead(cc, ctx, ctx->r.req_aead, ctx->tag_offset);
+ else
+- r = crypt_convert_block_skcipher(cc, ctx, ctx->r.req, tag_offset);
++ r = crypt_convert_block_skcipher(cc, ctx, ctx->r.req, ctx->tag_offset);
+
+ switch (r) {
+ /*
+@@ -1609,8 +1610,8 @@ static blk_status_t crypt_convert(struct
+ * exit and continue processing in a workqueue
+ */
+ ctx->r.req = NULL;
++ ctx->tag_offset++;
+ ctx->cc_sector += sector_step;
+- tag_offset++;
+ return BLK_STS_DEV_RESOURCE;
+ }
+ } else {
+@@ -1624,8 +1625,8 @@ static blk_status_t crypt_convert(struct
+ */
+ case -EINPROGRESS:
+ ctx->r.req = NULL;
++ ctx->tag_offset++;
+ ctx->cc_sector += sector_step;
+- tag_offset++;
+ continue;
+ /*
+ * The request was already processed (synchronously).
+@@ -1633,7 +1634,7 @@ static blk_status_t crypt_convert(struct
+ case 0:
+ atomic_dec(&ctx->cc_pending);
+ ctx->cc_sector += sector_step;
+- tag_offset++;
++ ctx->tag_offset++;
+ if (!atomic)
+ cond_resched();
+ continue;
--- /dev/null
+From 8ba14d9f490aef9fd535c04e9e62e1169eb7a055 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Tue, 21 Jan 2025 18:11:34 -0700
+Subject: efi: libstub: Use '-std=gnu11' to fix build with GCC 15
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 8ba14d9f490aef9fd535c04e9e62e1169eb7a055 upstream.
+
+GCC 15 changed the default C standard version to C23, which should not
+have impacted the kernel because it requests the gnu11 standard via
+'-std=' in the main Makefile. However, the EFI libstub Makefile uses its
+own set of KBUILD_CFLAGS for x86 without a '-std=' value (i.e., using
+the default), resulting in errors from the kernel's definitions of bool,
+true, and false in stddef.h, which are reserved keywords under C23.
+
+ ./include/linux/stddef.h:11:9: error: expected identifier before ‘false’
+ 11 | false = 0,
+ ./include/linux/types.h:35:33: error: two or more data types in declaration specifiers
+ 35 | typedef _Bool bool;
+
+Set '-std=gnu11' in the x86 cflags to resolve the error and consistently
+use the same C standard version for the entire kernel. All other
+architectures reuse KBUILD_CFLAGS from the rest of the kernel, so this
+issue is not visible for them.
+
+Cc: stable@vger.kernel.org
+Reported-by: Kostadin Shishmanov <kostadinshishmanov@protonmail.com>
+Closes: https://lore.kernel.org/4OAhbllK7x4QJGpZjkYjtBYNLd_2whHx9oFiuZcGwtVR4hIzvduultkgfAIRZI3vQpZylu7Gl929HaYFRGeMEalWCpeMzCIIhLxxRhq4U-Y=@protonmail.com/
+Reported-by: Jakub Jelinek <jakub@redhat.com>
+Closes: https://lore.kernel.org/Z4467umXR2PZ0M1H@tucnak/
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/efi/libstub/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/firmware/efi/libstub/Makefile
++++ b/drivers/firmware/efi/libstub/Makefile
+@@ -11,7 +11,7 @@ cflags-y := $(KBUILD_CFLAGS)
+
+ cflags-$(CONFIG_X86_32) := -march=i386
+ cflags-$(CONFIG_X86_64) := -mcmodel=small
+-cflags-$(CONFIG_X86) += -m$(BITS) -D__KERNEL__ \
++cflags-$(CONFIG_X86) += -m$(BITS) -D__KERNEL__ -std=gnu11 \
+ -fPIC -fno-strict-aliasing -mno-red-zone \
+ -mno-mmx -mno-sse -fshort-wchar \
+ -Wno-pointer-sign \
--- /dev/null
+From 8a5b38c3fd709e8acd2bfdedf66c25e6af759576 Mon Sep 17 00:00:00 2001
+From: Heiko Stuebner <heiko@sntech.de>
+Date: Thu, 7 Nov 2024 12:47:04 +0100
+Subject: HID: hid-sensor-hub: don't use stale platform-data on remove
+
+From: Heiko Stuebner <heiko@sntech.de>
+
+commit 8a5b38c3fd709e8acd2bfdedf66c25e6af759576 upstream.
+
+The hid-sensor-hub creates the individual device structs and transfers them
+to the created mfd platform-devices via the platform_data in the mfd_cell.
+
+Before e651a1da442a ("HID: hid-sensor-hub: Allow parallel synchronous reads")
+the sensor-hub was managing access centrally, with one "completion" in the
+hub's data structure, which needed to be finished on removal at the latest.
+
+The mentioned commit then moved this central management to each hid sensor
+device, resulting on a completion in each struct hid_sensor_hub_device.
+The remove procedure was adapted to go through all sensor devices and
+finish any pending "completion".
+
+What this didn't take into account was, platform_device_add_data() that is
+used by mfd_add{_hotplug}_devices() does a kmemdup on the submitted
+platform-data. So the data the platform-device gets is a copy of the
+original data, meaning that the device worked on a different completion
+than what sensor_hub_remove() currently wants to access.
+
+To fix that, use device_for_each_child() to go through each child-device
+similar to how mfd_remove_devices() unregisters the devices later and
+with that get the live platform_data to finalize the correct completion.
+
+Fixes: e651a1da442a ("HID: hid-sensor-hub: Allow parallel synchronous reads")
+Cc: stable@vger.kernel.org
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Acked-by: Benjamin Tissoires <bentiss@kernel.org>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Acked-by: Jiri Kosina <jkosina@suse.com>
+Link: https://lore.kernel.org/r/20241107114712.538976-2-heiko@sntech.de
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-sensor-hub.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+--- a/drivers/hid/hid-sensor-hub.c
++++ b/drivers/hid/hid-sensor-hub.c
+@@ -730,23 +730,30 @@ err_stop_hw:
+ return ret;
+ }
+
++static int sensor_hub_finalize_pending_fn(struct device *dev, void *data)
++{
++ struct hid_sensor_hub_device *hsdev = dev->platform_data;
++
++ if (hsdev->pending.status)
++ complete(&hsdev->pending.ready);
++
++ return 0;
++}
++
+ static void sensor_hub_remove(struct hid_device *hdev)
+ {
+ struct sensor_hub_data *data = hid_get_drvdata(hdev);
+ unsigned long flags;
+- int i;
+
+ hid_dbg(hdev, " hardware removed\n");
+ hid_hw_close(hdev);
+ hid_hw_stop(hdev);
++
+ spin_lock_irqsave(&data->lock, flags);
+- for (i = 0; i < data->hid_sensor_client_cnt; ++i) {
+- struct hid_sensor_hub_device *hsdev =
+- data->hid_sensor_hub_client_devs[i].platform_data;
+- if (hsdev->pending.status)
+- complete(&hsdev->pending.ready);
+- }
++ device_for_each_child(&hdev->dev, NULL,
++ sensor_hub_finalize_pending_fn);
+ spin_unlock_irqrestore(&data->lock, flags);
++
+ mfd_remove_devices(&hdev->dev);
+ mutex_destroy(&data->mutex);
+ }
--- /dev/null
+From 8f6629c004b193d23612641c3607e785819e97ab Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Thu, 17 Oct 2024 10:09:22 -0700
+Subject: kbuild: Move -Wenum-enum-conversion to W=2
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 8f6629c004b193d23612641c3607e785819e97ab upstream.
+
+-Wenum-enum-conversion was strengthened in clang-19 to warn for C, which
+caused the kernel to move it to W=1 in commit 75b5ab134bb5 ("kbuild:
+Move -Wenum-{compare-conditional,enum-conversion} into W=1") because
+there were numerous instances that would break builds with -Werror.
+Unfortunately, this is not a full solution, as more and more developers,
+subsystems, and distributors are building with W=1 as well, so they
+continue to see the numerous instances of this warning.
+
+Since the move to W=1, there have not been many new instances that have
+appeared through various build reports and the ones that have appeared
+seem to be following similar existing patterns, suggesting that most
+instances of this warning will not be real issues. The only alternatives
+for silencing this warning are adding casts (which is generally seen as
+an ugly practice) or refactoring the enums to macro defines or a unified
+enum (which may be undesirable because of type safety in other parts of
+the code).
+
+Move the warning to W=2, where warnings that occur frequently but may be
+relevant should reside.
+
+Cc: stable@vger.kernel.org
+Fixes: 75b5ab134bb5 ("kbuild: Move -Wenum-{compare-conditional,enum-conversion} into W=1")
+Link: https://lore.kernel.org/ZwRA9SOcOjjLJcpi@google.com/
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Acked-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/Makefile.extrawarn | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/scripts/Makefile.extrawarn
++++ b/scripts/Makefile.extrawarn
+@@ -144,7 +144,6 @@ KBUILD_CFLAGS += -Wno-tautological-const
+ KBUILD_CFLAGS += $(call cc-disable-warning, unaligned-access)
+ KBUILD_CFLAGS += $(call cc-disable-warning, cast-function-type-strict)
+ KBUILD_CFLAGS += -Wno-enum-compare-conditional
+-KBUILD_CFLAGS += -Wno-enum-enum-conversion
+ endif
+
+ endif
+@@ -176,6 +175,10 @@ KBUILD_CFLAGS += -Wno-type-limits
+ KBUILD_CFLAGS += -Wno-shift-negative-value
+
+ ifdef CONFIG_CC_IS_CLANG
++KBUILD_CFLAGS += -Wno-enum-enum-conversion
++endif
++
++ifdef CONFIG_CC_IS_CLANG
+ KBUILD_CFLAGS += -Wno-initializer-overrides
+ else
+ KBUILD_CFLAGS += -Wno-maybe-uninitialized
--- /dev/null
+From 531936dee53e471a3ec668de3c94ca357f54b7e8 Mon Sep 17 00:00:00 2001
+From: Tiezhu Yang <yangtiezhu@loongson.cn>
+Date: Sun, 26 Jan 2025 21:49:59 +0800
+Subject: LoongArch: Extend the maximum number of watchpoints
+
+From: Tiezhu Yang <yangtiezhu@loongson.cn>
+
+commit 531936dee53e471a3ec668de3c94ca357f54b7e8 upstream.
+
+The maximum number of load/store watchpoints and fetch instruction
+watchpoints is 14 each according to LoongArch Reference Manual, so
+extend the maximum number of watchpoints from 8 to 14 for ptrace.
+
+By the way, just simply change 8 to 14 for the definition in struct
+user_watch_state at the beginning, but it may corrupt uapi, then add
+a new struct user_watch_state_v2 directly.
+
+As far as I can tell, the only users for this struct in the userspace
+are GDB and LLDB, there are no any problems of software compatibility
+between the application and kernel according to the analysis.
+
+The compatibility problem has been considered while developing and
+testing. When the applications in the userspace get watchpoint state,
+the length will be specified which is no bigger than the sizeof struct
+user_watch_state or user_watch_state_v2, the actual length is assigned
+as the minimal value of the application and kernel in the generic code
+of ptrace:
+
+kernel/ptrace.c: ptrace_regset():
+
+ kiov->iov_len = min(kiov->iov_len,
+ (__kernel_size_t) (regset->n * regset->size));
+
+ if (req == PTRACE_GETREGSET)
+ return copy_regset_to_user(task, view, regset_no, 0,
+ kiov->iov_len, kiov->iov_base);
+ else
+ return copy_regset_from_user(task, view, regset_no, 0,
+ kiov->iov_len, kiov->iov_base);
+
+For example, there are four kind of combinations, all of them work well.
+
+(1) "older kernel + older gdb", the actual length is 8+(8+8+4+4)*8=200;
+(2) "newer kernel + newer gdb", the actual length is 8+(8+8+4+4)*14=344;
+(3) "older kernel + newer gdb", the actual length is 8+(8+8+4+4)*8=200;
+(4) "newer kernel + older gdb", the actual length is 8+(8+8+4+4)*8=200.
+
+Link: https://loongson.github.io/LoongArch-Documentation/LoongArch-Vol1-EN.html#control-and-status-registers-related-to-watchpoints
+Cc: stable@vger.kernel.org
+Fixes: 1a69f7a161a7 ("LoongArch: ptrace: Expose hardware breakpoints to debuggers")
+Reviewed-by: WANG Xuerui <git@xen0n.name>
+Reviewed-by: Xi Ruoyao <xry111@xry111.site>
+Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/include/uapi/asm/ptrace.h | 10 ++++++++++
+ arch/loongarch/kernel/ptrace.c | 6 +++---
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/arch/loongarch/include/uapi/asm/ptrace.h b/arch/loongarch/include/uapi/asm/ptrace.h
+index ac915f841650..aafb3cd9e943 100644
+--- a/arch/loongarch/include/uapi/asm/ptrace.h
++++ b/arch/loongarch/include/uapi/asm/ptrace.h
+@@ -72,6 +72,16 @@ struct user_watch_state {
+ } dbg_regs[8];
+ };
+
++struct user_watch_state_v2 {
++ uint64_t dbg_info;
++ struct {
++ uint64_t addr;
++ uint64_t mask;
++ uint32_t ctrl;
++ uint32_t pad;
++ } dbg_regs[14];
++};
++
+ #define PTRACE_SYSEMU 0x1f
+ #define PTRACE_SYSEMU_SINGLESTEP 0x20
+
+diff --git a/arch/loongarch/kernel/ptrace.c b/arch/loongarch/kernel/ptrace.c
+index 19dc6eff45cc..5e2402cfcab0 100644
+--- a/arch/loongarch/kernel/ptrace.c
++++ b/arch/loongarch/kernel/ptrace.c
+@@ -720,7 +720,7 @@ static int hw_break_set(struct task_struct *target,
+ unsigned int note_type = regset->core_note_type;
+
+ /* Resource info */
+- offset = offsetof(struct user_watch_state, dbg_regs);
++ offset = offsetof(struct user_watch_state_v2, dbg_regs);
+ user_regset_copyin_ignore(&pos, &count, &kbuf, &ubuf, 0, offset);
+
+ /* (address, mask, ctrl) registers */
+@@ -920,7 +920,7 @@ static const struct user_regset loongarch64_regsets[] = {
+ #ifdef CONFIG_HAVE_HW_BREAKPOINT
+ [REGSET_HW_BREAK] = {
+ .core_note_type = NT_LOONGARCH_HW_BREAK,
+- .n = sizeof(struct user_watch_state) / sizeof(u32),
++ .n = sizeof(struct user_watch_state_v2) / sizeof(u32),
+ .size = sizeof(u32),
+ .align = sizeof(u32),
+ .regset_get = hw_break_get,
+@@ -928,7 +928,7 @@ static const struct user_regset loongarch64_regsets[] = {
+ },
+ [REGSET_HW_WATCH] = {
+ .core_note_type = NT_LOONGARCH_HW_WATCH,
+- .n = sizeof(struct user_watch_state) / sizeof(u32),
++ .n = sizeof(struct user_watch_state_v2) / sizeof(u32),
+ .size = sizeof(u32),
+ .align = sizeof(u32),
+ .regset_get = hw_break_get,
+--
+2.48.1
+
--- /dev/null
+From bd2212d658d7659b9d83c7e2f3a06789d4db1e90 Mon Sep 17 00:00:00 2001
+From: Kexy Biscuit <kexybiscuit@aosc.io>
+Date: Sat, 11 Jan 2025 01:22:08 +0800
+Subject: MIPS: Loongson64: remove ROM Size unit in boardinfo
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kexy Biscuit <kexybiscuit@aosc.io>
+
+commit bd2212d658d7659b9d83c7e2f3a06789d4db1e90 upstream.
+
+Per Appendix A.7 in Q/LS 0013-2014 (龙芯CPU开发系统固件与内核接口规范 V2.2,
+lit. Loongson DevSys Firmware Kernel Interface Specification V2.2),
+interface_info.size is size of this interface, not size of the LEFI BIOS
+ROM.
+
+In any case, the BIOS ROM Size just cannot be several kilobytes (KB) on
+Loongson64 LEFI platforms.
+
+Reported-by: Mingcong Bai <jeffbai@aosc.io>
+Suggested-by: Icenowy Zheng <uwu@icenowy.me>
+Fixes: 6c1bfbd9df8c ("MIPS: Loongson64: Add /sys/firmware/lefi/boardinfo")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kexy Biscuit <kexybiscuit@aosc.io>
+Acked-by: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/loongson64/boardinfo.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/arch/mips/loongson64/boardinfo.c
++++ b/arch/mips/loongson64/boardinfo.c
+@@ -21,13 +21,11 @@ static ssize_t boardinfo_show(struct kob
+ "BIOS Info\n"
+ "Vendor\t\t\t: %s\n"
+ "Version\t\t\t: %s\n"
+- "ROM Size\t\t: %d KB\n"
+ "Release Date\t\t: %s\n",
+ strsep(&tmp_board_manufacturer, "-"),
+ eboard->name,
+ strsep(&tmp_bios_vendor, "-"),
+ einter->description,
+- einter->size,
+ especial->special_name);
+ }
+ static struct kobj_attribute boardinfo_attr = __ATTR(boardinfo, 0444,
--- /dev/null
+From 42a39e4aa59a10aa4afdc14194f3ee63d2db94e1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mateusz=20Jo=C5=84czyk?= <mat.jonczyk@o2.pl>
+Date: Sun, 5 Jan 2025 22:18:06 +0100
+Subject: mips/math-emu: fix emulation of the prefx instruction
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mateusz Jończyk <mat.jonczyk@o2.pl>
+
+commit 42a39e4aa59a10aa4afdc14194f3ee63d2db94e1 upstream.
+
+Currently, installation of Debian 12.8 for mipsel fails on machines
+without an FPU [1]. This is caused by the fact that zstd (which is used
+for initramfs compression) executes the prefx instruction, which is not
+emulated properly by the kernel.
+
+The prefx (Prefetch Indexed) instruction fetches data from memory into
+the cache without any side effects. Though functionally unrelated, it
+requires an FPU [2].
+
+Bytecode format of this instruction ends on "001111" binary:
+
+ (prefx instruction format) & 0x0000003f = 0x0000000f
+
+The code in fpux_emu() runs like so:
+
+ #define MIPSInst(x) x
+ #define MIPSInst_FMA_FFMT(x) (MIPSInst(x) & 0x00000007)
+ #define MIPSInst_FUNC(x) (MIPSInst(x) & 0x0000003f)
+ enum cop1x_func { ..., pfetch_op = 0x0f, ... };
+
+ ...
+
+ switch (MIPSInst_FMA_FFMT(ir)) {
+ ...
+
+ case 0x3:
+ if (MIPSInst_FUNC(ir) != pfetch_op)
+ return SIGILL;
+
+ /* ignore prefx operation */
+ break;
+
+ default:
+ return SIGILL;
+ }
+
+That snippet above contains a logic error and the
+ if (MIPSInst_FUNC(ir) != pfetch_op)
+comparison always fires.
+
+When MIPSInst_FUNC(ir) is equal to pfetch_op, ir must end on 001111
+binary. In this case, MIPSInst_FMA_FFMT(ir) must be equal to 0x7, which
+does not match that case label.
+
+This causes emulation failure for the prefx instruction. Fix it.
+
+This has been broken by
+commit 919af8b96c89 ("MIPS: Make definitions of MIPSInst_FMA_{FUNC,FMTM} consistent with MIPS64 manual")
+which modified the MIPSInst_FMA_FFMT macro without updating the users.
+
+Signed-off-by: Mateusz Jończyk <mat.jonczyk@o2.pl>
+Cc: stable@vger.kernel.org # after 3 weeks
+Cc: Dengcheng Zhu <dzhu@wavecomp.com>
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: Ming Wang <wangming01@loongson.cn>
+Cc: Tiezhu Yang <yangtiezhu@loongson.cn>
+Fixes: 919af8b96c89 ("MIPS: Make definitions of MIPSInst_FMA_{FUNC,FMTM} consistent with MIPS64 manual")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091858
+[2] MIPS Architecture For Programmers Volume II-A: The MIPS32 Instruction Set
+
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+---
+ arch/mips/math-emu/cp1emu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/math-emu/cp1emu.c
++++ b/arch/mips/math-emu/cp1emu.c
+@@ -1660,7 +1660,7 @@ static int fpux_emu(struct pt_regs *xcp,
+ break;
+ }
+
+- case 0x3:
++ case 0x7:
+ if (MIPSInst_FUNC(ir) != pfetch_op)
+ return SIGILL;
+
--- /dev/null
+From 11cb3529d18514f7d28ad2190533192aedefd761 Mon Sep 17 00:00:00 2001
+From: Georg Gottleuber <ggo@tuxedocomputers.com>
+Date: Mon, 16 Dec 2024 23:28:04 +0100
+Subject: nvme-pci: Add TUXEDO IBP Gen9 to Samsung sleep quirk
+
+From: Georg Gottleuber <ggo@tuxedocomputers.com>
+
+commit 11cb3529d18514f7d28ad2190533192aedefd761 upstream.
+
+On the TUXEDO InfinityBook Pro Gen9 Intel, a Samsung 990 Evo NVMe leads to
+a high power consumption in s2idle sleep (4 watts).
+
+This patch applies 'Force No Simple Suspend' quirk to achieve a sleep with
+a lower power consumption, typically around 1.2 watts.
+
+Signed-off-by: Georg Gottleuber <ggo@tuxedocomputers.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/pci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -2951,6 +2951,7 @@ static unsigned long check_vendor_combin
+ */
+ if (dmi_match(DMI_BOARD_NAME, "DN50Z-140HC-YD") ||
+ dmi_match(DMI_BOARD_NAME, "GMxPXxx") ||
++ dmi_match(DMI_BOARD_NAME, "GXxMRXx") ||
+ dmi_match(DMI_BOARD_NAME, "PH4PG31") ||
+ dmi_match(DMI_BOARD_NAME, "PH4PRX1_PH6PRX1") ||
+ dmi_match(DMI_BOARD_NAME, "PH6PG01_PH6PG71"))
--- /dev/null
+From dbf2bb1a1319b7c7d8828905378a6696cca6b0f2 Mon Sep 17 00:00:00 2001
+From: Georg Gottleuber <ggo@tuxedocomputers.com>
+Date: Mon, 16 Dec 2024 23:28:03 +0100
+Subject: nvme-pci: Add TUXEDO InfinityFlex to Samsung sleep quirk
+
+From: Georg Gottleuber <ggo@tuxedocomputers.com>
+
+commit dbf2bb1a1319b7c7d8828905378a6696cca6b0f2 upstream.
+
+On the TUXEDO InfinityFlex, a Samsung 990 Evo NVMe leads to a high power
+consumption in s2idle sleep (4 watts).
+
+This patch applies 'Force No Simple Suspend' quirk to achieve a sleep with
+a lower power consumption, typically around 1.4 watts.
+
+Signed-off-by: Georg Gottleuber <ggo@tuxedocomputers.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/pci.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -2949,7 +2949,8 @@ static unsigned long check_vendor_combin
+ * because of high power consumption (> 2 Watt) in s2idle
+ * sleep. Only some boards with Intel CPU are affected.
+ */
+- if (dmi_match(DMI_BOARD_NAME, "GMxPXxx") ||
++ if (dmi_match(DMI_BOARD_NAME, "DN50Z-140HC-YD") ||
++ dmi_match(DMI_BOARD_NAME, "GMxPXxx") ||
+ dmi_match(DMI_BOARD_NAME, "PH4PG31") ||
+ dmi_match(DMI_BOARD_NAME, "PH4PRX1_PH6PRX1") ||
+ dmi_match(DMI_BOARD_NAME, "PH6PG01_PH6PG71"))
--- /dev/null
+From e4c00c9b1f70cd11792ff5b825899a6ee0234a62 Mon Sep 17 00:00:00 2001
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+Date: Thu, 9 Jan 2025 21:26:52 +0800
+Subject: of: Correct child specifier used as input of the 2nd nexus node
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+commit e4c00c9b1f70cd11792ff5b825899a6ee0234a62 upstream.
+
+API of_parse_phandle_with_args_map() will use wrong input for nexus node
+Nexus_2 as shown below:
+
+ Node_1 Nexus_1 Nexus_2
+&Nexus_1,arg_1 -> arg_1,&Nexus_2,arg_2' -> &Nexus_2,arg_2 -> arg_2,...
+ map-pass-thru=<...>
+
+Nexus_1's output arg_2 should be used as input of Nexus_2, but the API
+wrongly uses arg_2' instead which != arg_2 due to Nexus_1's map-pass-thru.
+
+Fix by always making @match_array point to @initial_match_array into
+which to store nexus output.
+
+Fixes: bd6f2fd5a1d5 ("of: Support parsing phandle argument lists through a nexus node")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20250109-of_core_fix-v4-1-db8a72415b8c@quicinc.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/base.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/of/base.c
++++ b/drivers/of/base.c
+@@ -1453,7 +1453,6 @@ int of_parse_phandle_with_args_map(const
+ * specifier into the out_args structure, keeping the
+ * bits specified in <list>-map-pass-thru.
+ */
+- match_array = map - new_size;
+ for (i = 0; i < new_size; i++) {
+ __be32 val = *(map - new_size + i);
+
+@@ -1462,6 +1461,7 @@ int of_parse_phandle_with_args_map(const
+ val |= cpu_to_be32(out_args->args[i]) & pass[i];
+ }
+
++ initial_match_array[i] = val;
+ out_args->args[i] = be32_to_cpu(val);
+ }
+ out_args->args_count = list_size = new_size;
--- /dev/null
+From b9e58c934c56aa35b0fb436d9afd86ef326bae0e Mon Sep 17 00:00:00 2001
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+Date: Mon, 16 Dec 2024 08:40:40 +0800
+Subject: of: Fix of_find_node_opts_by_path() handling of alias+path+options
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+commit b9e58c934c56aa35b0fb436d9afd86ef326bae0e upstream.
+
+of_find_node_opts_by_path() fails to find OF device node when its
+@path parameter have pattern below:
+
+"alias-name/node-name-1/.../node-name-N:options".
+
+The reason is that alias name length calculated by the API is wrong, as
+explained by example below:
+
+"testcase-alias/phandle-tests/consumer-a:testaliasoption".
+ ^ ^ ^
+ 0 14 39
+
+The right length of alias 'testcase-alias' is 14, but the result worked
+out by the API is 39 which is obvious wrong.
+
+Fix by using index of either '/' or ':' as the length who comes earlier.
+
+Fixes: 75c28c09af99 ("of: add optional options parameter to of_find_node_by_path()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20241216-of_core_fix-v2-1-e69b8f60da63@quicinc.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/base.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/of/base.c
++++ b/drivers/of/base.c
+@@ -788,10 +788,10 @@ struct device_node *of_find_node_opts_by
+ /* The path could begin with an alias */
+ if (*path != '/') {
+ int len;
+- const char *p = separator;
++ const char *p = strchrnul(path, '/');
+
+- if (!p)
+- p = strchrnul(path, '/');
++ if (separator && separator < p)
++ p = separator;
+ len = p - path;
+
+ /* of_aliases must not be NULL */
--- /dev/null
+From 267b21d0bef8e67dbe6c591c9991444e58237ec9 Mon Sep 17 00:00:00 2001
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+Date: Thu, 9 Jan 2025 21:27:00 +0800
+Subject: of: reserved-memory: Fix using wrong number of cells to get property 'alignment'
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+commit 267b21d0bef8e67dbe6c591c9991444e58237ec9 upstream.
+
+According to DT spec, size of property 'alignment' is based on parent
+node’s #size-cells property.
+
+But __reserved_mem_alloc_size() wrongly uses @dt_root_addr_cells to get
+the property obviously.
+
+Fix by using @dt_root_size_cells instead of @dt_root_addr_cells.
+
+Fixes: 3f0c82066448 ("drivers: of: add initialization code for dynamic reserved memory")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20250109-of_core_fix-v4-9-db8a72415b8c@quicinc.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/of_reserved_mem.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/of/of_reserved_mem.c
++++ b/drivers/of/of_reserved_mem.c
+@@ -156,12 +156,12 @@ static int __init __reserved_mem_alloc_s
+
+ prop = of_get_flat_dt_prop(node, "alignment", &len);
+ if (prop) {
+- if (len != dt_root_addr_cells * sizeof(__be32)) {
++ if (len != dt_root_size_cells * sizeof(__be32)) {
+ pr_err("invalid alignment property in '%s' node.\n",
+ uname);
+ return -EINVAL;
+ }
+- align = dt_mem_next_cell(dt_root_addr_cells, &prop);
++ align = dt_mem_next_cell(dt_root_size_cells, &prop);
+ }
+
+ nomap = of_get_flat_dt_prop(node, "no-map", NULL) != NULL;
--- /dev/null
+From b1049f2d68693c80a576c4578d96774a68df2bad Mon Sep 17 00:00:00 2001
+From: Werner Sembach <wse@tuxedocomputers.com>
+Date: Tue, 14 Jan 2025 23:23:54 +0100
+Subject: PCI: Avoid putting some root ports into D3 on TUXEDO Sirius Gen1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Werner Sembach <wse@tuxedocomputers.com>
+
+commit b1049f2d68693c80a576c4578d96774a68df2bad upstream.
+
+commit 9d26d3a8f1b0 ("PCI: Put PCIe ports into D3 during suspend") sets the
+policy that all PCIe ports are allowed to use D3. When the system is
+suspended if the port is not power manageable by the platform and won't be
+used for wakeup via a PME this sets up the policy for these ports to go
+into D3hot.
+
+This policy generally makes sense from an OSPM perspective but it leads to
+problems with wakeup from suspend on the TUXEDO Sirius 16 Gen 1 with a
+specific old BIOS. This manifests as a system hang.
+
+On the affected Device + BIOS combination, add a quirk for the root port of
+the problematic controller to ensure that these root ports are not put into
+D3hot at suspend.
+
+This patch is based on
+
+ https://lore.kernel.org/linux-pci/20230708214457.1229-2-mario.limonciello@amd.com
+
+but with the added condition both in the documentation and in the code to
+apply only to the TUXEDO Sirius 16 Gen 1 with a specific old BIOS and only
+the affected root ports.
+
+Fixes: 9d26d3a8f1b0 ("PCI: Put PCIe ports into D3 during suspend")
+Suggested-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://lore.kernel.org/r/20250114222436.1075456-1-wse@tuxedocomputers.com
+Co-developed-by: Georg Gottleuber <ggo@tuxedocomputers.com>
+Signed-off-by: Georg Gottleuber <ggo@tuxedocomputers.com>
+Signed-off-by: Werner Sembach <wse@tuxedocomputers.com>
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Cc: <stable@vger.kernel.org> # 6.1+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/pci/fixup.c | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+--- a/arch/x86/pci/fixup.c
++++ b/arch/x86/pci/fixup.c
+@@ -1010,4 +1010,34 @@ DECLARE_PCI_FIXUP_SUSPEND(PCI_VENDOR_ID_
+ DECLARE_PCI_FIXUP_RESUME(PCI_VENDOR_ID_AMD, 0x1668, amd_rp_pme_resume);
+ DECLARE_PCI_FIXUP_SUSPEND(PCI_VENDOR_ID_AMD, 0x1669, amd_rp_pme_suspend);
+ DECLARE_PCI_FIXUP_RESUME(PCI_VENDOR_ID_AMD, 0x1669, amd_rp_pme_resume);
++
++/*
++ * Putting PCIe root ports on Ryzen SoCs with USB4 controllers into D3hot
++ * may cause problems when the system attempts wake up from s2idle.
++ *
++ * On the TUXEDO Sirius 16 Gen 1 with a specific old BIOS this manifests as
++ * a system hang.
++ */
++static const struct dmi_system_id quirk_tuxeo_rp_d3_dmi_table[] = {
++ {
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "TUXEDO"),
++ DMI_EXACT_MATCH(DMI_BOARD_NAME, "APX958"),
++ DMI_EXACT_MATCH(DMI_BIOS_VERSION, "V1.00A00_20240108"),
++ },
++ },
++ {}
++};
++
++static void quirk_tuxeo_rp_d3(struct pci_dev *pdev)
++{
++ struct pci_dev *root_pdev;
++
++ if (dmi_check_system(quirk_tuxeo_rp_d3_dmi_table)) {
++ root_pdev = pcie_find_root_port(pdev);
++ if (root_pdev)
++ root_pdev->dev_flags |= PCI_DEV_FLAGS_NO_D3;
++ }
++}
++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_AMD, 0x1502, quirk_tuxeo_rp_d3);
+ #endif /* CONFIG_SUSPEND */
--- /dev/null
+From 3b9f942eb21c92041905e3943a8d5177c9a9d89d Mon Sep 17 00:00:00 2001
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+Date: Tue, 10 Dec 2024 22:00:20 +0800
+Subject: PCI: endpoint: Finish virtual EP removal in pci_epf_remove_vepf()
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+commit 3b9f942eb21c92041905e3943a8d5177c9a9d89d upstream.
+
+When removing a virtual Endpoint, pci_epf_remove_vepf() failed to clear
+epf_vf->epf_pf, which caused a subsequent pci_epf_add_vepf() to incorrectly
+return -EBUSY:
+
+ pci_epf_add_vepf(epf_pf, epf_vf) // add
+ pci_epf_remove_vepf(epf_pf, epf_vf) // remove
+ pci_epf_add_vepf(epf_pf, epf_vf) // add again, -EBUSY error
+
+Fix by clearing epf_vf->epf_pf in pci_epf_remove_vepf().
+
+Link: https://lore.kernel.org/r/20241210-pci-epc-core_fix-v3-3-4d86dd573e4b@quicinc.com
+Fixes: 1cf362e907f3 ("PCI: endpoint: Add support to add virtual function in endpoint core")
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/endpoint/pci-epf-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/pci/endpoint/pci-epf-core.c
++++ b/drivers/pci/endpoint/pci-epf-core.c
+@@ -202,6 +202,7 @@ void pci_epf_remove_vepf(struct pci_epf
+
+ mutex_lock(&epf_pf->lock);
+ clear_bit(epf_vf->vfunc_no, &epf_pf->vfunction_num_map);
++ epf_vf->epf_pf = NULL;
+ list_del(&epf_vf->list);
+ mutex_unlock(&epf_pf->lock);
+ }
--- /dev/null
+From 62892e77b8a64b9dc0e1da75980aa145347b6820 Mon Sep 17 00:00:00 2001
+From: Kuan-Wei Chiu <visitorckw@gmail.com>
+Date: Thu, 16 Jan 2025 19:08:42 +0800
+Subject: perf bench: Fix undefined behavior in cmpworker()
+
+From: Kuan-Wei Chiu <visitorckw@gmail.com>
+
+commit 62892e77b8a64b9dc0e1da75980aa145347b6820 upstream.
+
+The comparison function cmpworker() violates the C standard's
+requirements for qsort() comparison functions, which mandate symmetry
+and transitivity:
+
+Symmetry: If x < y, then y > x.
+Transitivity: If x < y and y < z, then x < z.
+
+In its current implementation, cmpworker() incorrectly returns 0 when
+w1->tid < w2->tid, which breaks both symmetry and transitivity. This
+violation causes undefined behavior, potentially leading to issues such
+as memory corruption in glibc [1].
+
+Fix the issue by returning -1 when w1->tid < w2->tid, ensuring
+compliance with the C standard and preventing undefined behavior.
+
+Link: https://www.qualys.com/2024/01/30/qsort.txt [1]
+Fixes: 121dd9ea0116 ("perf bench: Add epoll parallel epoll_wait benchmark")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kuan-Wei Chiu <visitorckw@gmail.com>
+Reviewed-by: James Clark <james.clark@linaro.org>
+Link: https://lore.kernel.org/r/20250116110842.4087530-1-visitorckw@gmail.com
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/perf/bench/epoll-wait.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/tools/perf/bench/epoll-wait.c
++++ b/tools/perf/bench/epoll-wait.c
+@@ -420,7 +420,12 @@ static int cmpworker(const void *p1, con
+
+ struct worker *w1 = (struct worker *) p1;
+ struct worker *w2 = (struct worker *) p2;
+- return w1->tid > w2->tid;
++
++ if (w1->tid > w2->tid)
++ return 1;
++ if (w1->tid < w2->tid)
++ return -1;
++ return 0;
+ }
+
+ int bench_epoll_wait(int argc, const char **argv)
--- /dev/null
+From 11b93559000c686ad7e5ab0547e76f21cc143844 Mon Sep 17 00:00:00 2001
+From: Narayana Murty N <nnmlinux@linux.ibm.com>
+Date: Thu, 16 Jan 2025 04:39:54 -0600
+Subject: powerpc/pseries/eeh: Fix get PE state translation
+
+From: Narayana Murty N <nnmlinux@linux.ibm.com>
+
+commit 11b93559000c686ad7e5ab0547e76f21cc143844 upstream.
+
+The PE Reset State "0" returned by RTAS calls
+"ibm_read_slot_reset_[state|state2]" indicates that the reset is
+deactivated and the PE is in a state where MMIO and DMA are allowed.
+However, the current implementation of "pseries_eeh_get_state()" does
+not reflect this, causing drivers to incorrectly assume that MMIO and
+DMA operations cannot be resumed.
+
+The userspace drivers as a part of EEH recovery using VFIO ioctls fail
+to detect when the recovery process is complete. The VFIO_EEH_PE_GET_STATE
+ioctl does not report the expected EEH_PE_STATE_NORMAL state, preventing
+userspace drivers from functioning properly on pseries systems.
+
+The patch addresses this issue by updating 'pseries_eeh_get_state()'
+to include "EEH_STATE_MMIO_ENABLED" and "EEH_STATE_DMA_ENABLED" in
+the result mask for PE Reset State "0". This ensures correct state
+reporting to the callers, aligning the behavior with the PAPR specification
+and fixing the bug in EEH recovery for VFIO user workflows.
+
+Fixes: 00ba05a12b3c ("powerpc/pseries: Cleanup on pseries_eeh_get_state()")
+Cc: stable@vger.kernel.org
+Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
+Signed-off-by: Narayana Murty N <nnmlinux@linux.ibm.com>
+Link: https://lore.kernel.org/stable/20241212075044.10563-1-nnmlinux%40linux.ibm.com
+Signed-off-by: Madhavan Srinivasan <maddy@linux.ibm.com>
+Link: https://patch.msgid.link/20250116103954.17324-1-nnmlinux@linux.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/platforms/pseries/eeh_pseries.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/platforms/pseries/eeh_pseries.c
++++ b/arch/powerpc/platforms/pseries/eeh_pseries.c
+@@ -580,8 +580,10 @@ static int pseries_eeh_get_state(struct
+
+ switch(rets[0]) {
+ case 0:
+- result = EEH_STATE_MMIO_ACTIVE |
+- EEH_STATE_DMA_ACTIVE;
++ result = EEH_STATE_MMIO_ACTIVE |
++ EEH_STATE_DMA_ACTIVE |
++ EEH_STATE_MMIO_ENABLED |
++ EEH_STATE_DMA_ENABLED;
+ break;
+ case 1:
+ result = EEH_STATE_RESET_ACTIVE |
--- /dev/null
+From 8004d635f27bbccaa5c083c50d4d5302a6ffa00e Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Date: Tue, 14 Jan 2025 17:00:45 -0300
+Subject: Revert "media: uvcvideo: Require entities to have a non-zero unique ID"
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+commit 8004d635f27bbccaa5c083c50d4d5302a6ffa00e upstream.
+
+This reverts commit 3dd075fe8ebbc6fcbf998f81a75b8c4b159a6195.
+
+Tomasz has reported that his device, Generalplus Technology Inc. 808 Camera,
+with ID 1b3f:2002, stopped being detected:
+
+$ ls -l /dev/video*
+zsh: no matches found: /dev/video*
+[ 7.230599] usb 3-2: Found multiple Units with ID 5
+
+This particular device is non-compliant, having both the Output Terminal
+and Processing Unit with ID 5. uvc_scan_fallback, though, is able to build
+a chain. However, when media elements are added and uvc_mc_create_links
+call uvc_entity_by_id, it will get the incorrect entity,
+media_create_pad_link will WARN, and it will fail to register the entities.
+
+In order to reinstate support for such devices in a timely fashion,
+reverting the fix for these warnings is appropriate. A proper fix that
+considers the existence of such non-compliant devices will be submitted in
+a later development cycle.
+
+Reported-by: Tomasz Sikora <sikora.tomus@gmail.com>
+Fixes: 3dd075fe8ebb ("media: uvcvideo: Require entities to have a non-zero unique ID")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Ricardo Ribalda <ribalda@chromium.org>
+Link: https://lore.kernel.org/r/20250114200045.1401644-1-cascardo@igalia.com
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/uvc/uvc_driver.c | 70 ++++++++++++++-----------------------
+ 1 file changed, 27 insertions(+), 43 deletions(-)
+
+--- a/drivers/media/usb/uvc/uvc_driver.c
++++ b/drivers/media/usb/uvc/uvc_driver.c
+@@ -775,27 +775,14 @@ static const u8 uvc_media_transport_inpu
+ UVC_GUID_UVC_MEDIA_TRANSPORT_INPUT;
+ static const u8 uvc_processing_guid[16] = UVC_GUID_UVC_PROCESSING;
+
+-static struct uvc_entity *uvc_alloc_new_entity(struct uvc_device *dev, u16 type,
+- u16 id, unsigned int num_pads,
+- unsigned int extra_size)
++static struct uvc_entity *uvc_alloc_entity(u16 type, u16 id,
++ unsigned int num_pads, unsigned int extra_size)
+ {
+ struct uvc_entity *entity;
+ unsigned int num_inputs;
+ unsigned int size;
+ unsigned int i;
+
+- /* Per UVC 1.1+ spec 3.7.2, the ID should be non-zero. */
+- if (id == 0) {
+- dev_err(&dev->udev->dev, "Found Unit with invalid ID 0.\n");
+- return ERR_PTR(-EINVAL);
+- }
+-
+- /* Per UVC 1.1+ spec 3.7.2, the ID is unique. */
+- if (uvc_entity_by_id(dev, id)) {
+- dev_err(&dev->udev->dev, "Found multiple Units with ID %u\n", id);
+- return ERR_PTR(-EINVAL);
+- }
+-
+ extra_size = roundup(extra_size, sizeof(*entity->pads));
+ if (num_pads)
+ num_inputs = type & UVC_TERM_OUTPUT ? num_pads : num_pads - 1;
+@@ -805,7 +792,7 @@ static struct uvc_entity *uvc_alloc_new_
+ + num_inputs;
+ entity = kzalloc(size, GFP_KERNEL);
+ if (entity == NULL)
+- return ERR_PTR(-ENOMEM);
++ return NULL;
+
+ entity->id = id;
+ entity->type = type;
+@@ -917,10 +904,10 @@ static int uvc_parse_vendor_control(stru
+ break;
+ }
+
+- unit = uvc_alloc_new_entity(dev, UVC_VC_EXTENSION_UNIT,
+- buffer[3], p + 1, 2 * n);
+- if (IS_ERR(unit))
+- return PTR_ERR(unit);
++ unit = uvc_alloc_entity(UVC_VC_EXTENSION_UNIT, buffer[3],
++ p + 1, 2*n);
++ if (unit == NULL)
++ return -ENOMEM;
+
+ memcpy(unit->guid, &buffer[4], 16);
+ unit->extension.bNumControls = buffer[20];
+@@ -1029,10 +1016,10 @@ static int uvc_parse_standard_control(st
+ return -EINVAL;
+ }
+
+- term = uvc_alloc_new_entity(dev, type | UVC_TERM_INPUT,
+- buffer[3], 1, n + p);
+- if (IS_ERR(term))
+- return PTR_ERR(term);
++ term = uvc_alloc_entity(type | UVC_TERM_INPUT, buffer[3],
++ 1, n + p);
++ if (term == NULL)
++ return -ENOMEM;
+
+ if (UVC_ENTITY_TYPE(term) == UVC_ITT_CAMERA) {
+ term->camera.bControlSize = n;
+@@ -1088,10 +1075,10 @@ static int uvc_parse_standard_control(st
+ return 0;
+ }
+
+- term = uvc_alloc_new_entity(dev, type | UVC_TERM_OUTPUT,
+- buffer[3], 1, 0);
+- if (IS_ERR(term))
+- return PTR_ERR(term);
++ term = uvc_alloc_entity(type | UVC_TERM_OUTPUT, buffer[3],
++ 1, 0);
++ if (term == NULL)
++ return -ENOMEM;
+
+ memcpy(term->baSourceID, &buffer[7], 1);
+
+@@ -1110,10 +1097,9 @@ static int uvc_parse_standard_control(st
+ return -EINVAL;
+ }
+
+- unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3],
+- p + 1, 0);
+- if (IS_ERR(unit))
+- return PTR_ERR(unit);
++ unit = uvc_alloc_entity(buffer[2], buffer[3], p + 1, 0);
++ if (unit == NULL)
++ return -ENOMEM;
+
+ memcpy(unit->baSourceID, &buffer[5], p);
+
+@@ -1133,9 +1119,9 @@ static int uvc_parse_standard_control(st
+ return -EINVAL;
+ }
+
+- unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3], 2, n);
+- if (IS_ERR(unit))
+- return PTR_ERR(unit);
++ unit = uvc_alloc_entity(buffer[2], buffer[3], 2, n);
++ if (unit == NULL)
++ return -ENOMEM;
+
+ memcpy(unit->baSourceID, &buffer[4], 1);
+ unit->processing.wMaxMultiplier =
+@@ -1162,10 +1148,9 @@ static int uvc_parse_standard_control(st
+ return -EINVAL;
+ }
+
+- unit = uvc_alloc_new_entity(dev, buffer[2], buffer[3],
+- p + 1, n);
+- if (IS_ERR(unit))
+- return PTR_ERR(unit);
++ unit = uvc_alloc_entity(buffer[2], buffer[3], p + 1, n);
++ if (unit == NULL)
++ return -ENOMEM;
+
+ memcpy(unit->guid, &buffer[4], 16);
+ unit->extension.bNumControls = buffer[20];
+@@ -1305,10 +1290,9 @@ static int uvc_gpio_parse(struct uvc_dev
+ return dev_err_probe(&dev->udev->dev, irq,
+ "No IRQ for privacy GPIO\n");
+
+- unit = uvc_alloc_new_entity(dev, UVC_EXT_GPIO_UNIT,
+- UVC_EXT_GPIO_UNIT_ID, 0, 1);
+- if (IS_ERR(unit))
+- return PTR_ERR(unit);
++ unit = uvc_alloc_entity(UVC_EXT_GPIO_UNIT, UVC_EXT_GPIO_UNIT_ID, 0, 1);
++ if (!unit)
++ return -ENOMEM;
+
+ unit->gpio.gpio_privacy = gpio_privacy;
+ unit->gpio.irq = irq;
--- /dev/null
+From 841df27d619ee1f5ca6473e15227b39d6136562d Mon Sep 17 00:00:00 2001
+From: Quinn Tran <qutran@marvell.com>
+Date: Fri, 15 Nov 2024 18:33:09 +0530
+Subject: scsi: qla2xxx: Move FCE Trace buffer allocation to user control
+
+From: Quinn Tran <qutran@marvell.com>
+
+commit 841df27d619ee1f5ca6473e15227b39d6136562d upstream.
+
+Currently FCE Tracing is enabled to log additional ELS events. Instead,
+user will enable or disable this feature through debugfs.
+
+Modify existing DFS knob to allow user to enable or disable this
+feature.
+
+echo [1 | 0] > /sys/kernel/debug/qla2xxx/qla2xxx_??/fce
+cat /sys/kernel/debug/qla2xxx/qla2xxx_??/fce
+
+Cc: stable@vger.kernel.org
+Fixes: df613b96077c ("[SCSI] qla2xxx: Add Fibre Channel Event (FCE) tracing support.")
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20241115130313.46826-4-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_def.h | 2
+ drivers/scsi/qla2xxx/qla_dfs.c | 124 ++++++++++++++++++++++++++++++++--------
+ drivers/scsi/qla2xxx/qla_gbl.h | 3
+ drivers/scsi/qla2xxx/qla_init.c | 28 ++++++---
+ 4 files changed, 126 insertions(+), 31 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_def.h
++++ b/drivers/scsi/qla2xxx/qla_def.h
+@@ -4099,6 +4099,8 @@ struct qla_hw_data {
+ uint32_t npiv_supported :1;
+ uint32_t pci_channel_io_perm_failure :1;
+ uint32_t fce_enabled :1;
++ uint32_t user_enabled_fce :1;
++ uint32_t fce_dump_buf_alloced :1;
+ uint32_t fac_supported :1;
+
+ uint32_t chip_reset_done :1;
+--- a/drivers/scsi/qla2xxx/qla_dfs.c
++++ b/drivers/scsi/qla2xxx/qla_dfs.c
+@@ -409,27 +409,32 @@ qla2x00_dfs_fce_show(struct seq_file *s,
+
+ mutex_lock(&ha->fce_mutex);
+
+- seq_puts(s, "FCE Trace Buffer\n");
+- seq_printf(s, "In Pointer = %llx\n\n", (unsigned long long)ha->fce_wr);
+- seq_printf(s, "Base = %llx\n\n", (unsigned long long) ha->fce_dma);
+- seq_puts(s, "FCE Enable Registers\n");
+- seq_printf(s, "%08x %08x %08x %08x %08x %08x\n",
+- ha->fce_mb[0], ha->fce_mb[2], ha->fce_mb[3], ha->fce_mb[4],
+- ha->fce_mb[5], ha->fce_mb[6]);
+-
+- fce = (uint32_t *) ha->fce;
+- fce_start = (unsigned long long) ha->fce_dma;
+- for (cnt = 0; cnt < fce_calc_size(ha->fce_bufs) / 4; cnt++) {
+- if (cnt % 8 == 0)
+- seq_printf(s, "\n%llx: ",
+- (unsigned long long)((cnt * 4) + fce_start));
+- else
+- seq_putc(s, ' ');
+- seq_printf(s, "%08x", *fce++);
++ if (ha->flags.user_enabled_fce) {
++ seq_puts(s, "FCE Trace Buffer\n");
++ seq_printf(s, "In Pointer = %llx\n\n", (unsigned long long)ha->fce_wr);
++ seq_printf(s, "Base = %llx\n\n", (unsigned long long)ha->fce_dma);
++ seq_puts(s, "FCE Enable Registers\n");
++ seq_printf(s, "%08x %08x %08x %08x %08x %08x\n",
++ ha->fce_mb[0], ha->fce_mb[2], ha->fce_mb[3], ha->fce_mb[4],
++ ha->fce_mb[5], ha->fce_mb[6]);
++
++ fce = (uint32_t *)ha->fce;
++ fce_start = (unsigned long long)ha->fce_dma;
++ for (cnt = 0; cnt < fce_calc_size(ha->fce_bufs) / 4; cnt++) {
++ if (cnt % 8 == 0)
++ seq_printf(s, "\n%llx: ",
++ (unsigned long long)((cnt * 4) + fce_start));
++ else
++ seq_putc(s, ' ');
++ seq_printf(s, "%08x", *fce++);
++ }
++
++ seq_puts(s, "\nEnd\n");
++ } else {
++ seq_puts(s, "FCE Trace is currently not enabled\n");
++ seq_puts(s, "\techo [ 1 | 0 ] > fce\n");
+ }
+
+- seq_puts(s, "\nEnd\n");
+-
+ mutex_unlock(&ha->fce_mutex);
+
+ return 0;
+@@ -467,7 +472,7 @@ qla2x00_dfs_fce_release(struct inode *in
+ struct qla_hw_data *ha = vha->hw;
+ int rval;
+
+- if (ha->flags.fce_enabled)
++ if (ha->flags.fce_enabled || !ha->fce)
+ goto out;
+
+ mutex_lock(&ha->fce_mutex);
+@@ -488,11 +493,88 @@ out:
+ return single_release(inode, file);
+ }
+
++static ssize_t
++qla2x00_dfs_fce_write(struct file *file, const char __user *buffer,
++ size_t count, loff_t *pos)
++{
++ struct seq_file *s = file->private_data;
++ struct scsi_qla_host *vha = s->private;
++ struct qla_hw_data *ha = vha->hw;
++ char *buf;
++ int rc = 0;
++ unsigned long enable;
++
++ if (!IS_QLA25XX(ha) && !IS_QLA81XX(ha) && !IS_QLA83XX(ha) &&
++ !IS_QLA27XX(ha) && !IS_QLA28XX(ha)) {
++ ql_dbg(ql_dbg_user, vha, 0xd034,
++ "this adapter does not support FCE.");
++ return -EINVAL;
++ }
++
++ buf = memdup_user_nul(buffer, count);
++ if (IS_ERR(buf)) {
++ ql_dbg(ql_dbg_user, vha, 0xd037,
++ "fail to copy user buffer.");
++ return PTR_ERR(buf);
++ }
++
++ enable = kstrtoul(buf, 0, 0);
++ rc = count;
++
++ mutex_lock(&ha->fce_mutex);
++
++ if (enable) {
++ if (ha->flags.user_enabled_fce) {
++ mutex_unlock(&ha->fce_mutex);
++ goto out_free;
++ }
++ ha->flags.user_enabled_fce = 1;
++ if (!ha->fce) {
++ rc = qla2x00_alloc_fce_trace(vha);
++ if (rc) {
++ ha->flags.user_enabled_fce = 0;
++ mutex_unlock(&ha->fce_mutex);
++ goto out_free;
++ }
++
++ /* adjust fw dump buffer to take into account of this feature */
++ if (!ha->flags.fce_dump_buf_alloced)
++ qla2x00_alloc_fw_dump(vha);
++ }
++
++ if (!ha->flags.fce_enabled)
++ qla_enable_fce_trace(vha);
++
++ ql_dbg(ql_dbg_user, vha, 0xd045, "User enabled FCE .\n");
++ } else {
++ if (!ha->flags.user_enabled_fce) {
++ mutex_unlock(&ha->fce_mutex);
++ goto out_free;
++ }
++ ha->flags.user_enabled_fce = 0;
++ if (ha->flags.fce_enabled) {
++ qla2x00_disable_fce_trace(vha, NULL, NULL);
++ ha->flags.fce_enabled = 0;
++ }
++
++ qla2x00_free_fce_trace(ha);
++ /* no need to re-adjust fw dump buffer */
++
++ ql_dbg(ql_dbg_user, vha, 0xd04f, "User disabled FCE .\n");
++ }
++
++ mutex_unlock(&ha->fce_mutex);
++out_free:
++ kfree(buf);
++ return rc;
++}
++
+ static const struct file_operations dfs_fce_ops = {
+ .open = qla2x00_dfs_fce_open,
+ .read = seq_read,
+ .llseek = seq_lseek,
+ .release = qla2x00_dfs_fce_release,
++ .write = qla2x00_dfs_fce_write,
+ };
+
+ static int
+@@ -671,8 +753,6 @@ qla2x00_dfs_setup(scsi_qla_host_t *vha)
+ if (!IS_QLA25XX(ha) && !IS_QLA81XX(ha) && !IS_QLA83XX(ha) &&
+ !IS_QLA27XX(ha) && !IS_QLA28XX(ha))
+ goto out;
+- if (!ha->fce)
+- goto out;
+
+ if (qla2x00_dfs_root)
+ goto create_dir;
+--- a/drivers/scsi/qla2xxx/qla_gbl.h
++++ b/drivers/scsi/qla2xxx/qla_gbl.h
+@@ -11,6 +11,9 @@
+ /*
+ * Global Function Prototypes in qla_init.c source file.
+ */
++int qla2x00_alloc_fce_trace(scsi_qla_host_t *);
++void qla2x00_free_fce_trace(struct qla_hw_data *ha);
++void qla_enable_fce_trace(scsi_qla_host_t *);
+ extern int qla2x00_initialize_adapter(scsi_qla_host_t *);
+ extern int qla24xx_post_prli_work(struct scsi_qla_host *vha, fc_port_t *fcport);
+
+--- a/drivers/scsi/qla2xxx/qla_init.c
++++ b/drivers/scsi/qla2xxx/qla_init.c
+@@ -2681,7 +2681,7 @@ exit:
+ return rval;
+ }
+
+-static void qla_enable_fce_trace(scsi_qla_host_t *vha)
++void qla_enable_fce_trace(scsi_qla_host_t *vha)
+ {
+ int rval;
+ struct qla_hw_data *ha = vha->hw;
+@@ -3717,25 +3717,24 @@ qla24xx_chip_diag(scsi_qla_host_t *vha)
+ return rval;
+ }
+
+-static void
+-qla2x00_alloc_fce_trace(scsi_qla_host_t *vha)
++int qla2x00_alloc_fce_trace(scsi_qla_host_t *vha)
+ {
+ dma_addr_t tc_dma;
+ void *tc;
+ struct qla_hw_data *ha = vha->hw;
+
+ if (!IS_FWI2_CAPABLE(ha))
+- return;
++ return -EINVAL;
+
+ if (!IS_QLA25XX(ha) && !IS_QLA81XX(ha) && !IS_QLA83XX(ha) &&
+ !IS_QLA27XX(ha) && !IS_QLA28XX(ha))
+- return;
++ return -EINVAL;
+
+ if (ha->fce) {
+ ql_dbg(ql_dbg_init, vha, 0x00bd,
+ "%s: FCE Mem is already allocated.\n",
+ __func__);
+- return;
++ return -EIO;
+ }
+
+ /* Allocate memory for Fibre Channel Event Buffer. */
+@@ -3745,7 +3744,7 @@ qla2x00_alloc_fce_trace(scsi_qla_host_t
+ ql_log(ql_log_warn, vha, 0x00be,
+ "Unable to allocate (%d KB) for FCE.\n",
+ FCE_SIZE / 1024);
+- return;
++ return -ENOMEM;
+ }
+
+ ql_dbg(ql_dbg_init, vha, 0x00c0,
+@@ -3754,6 +3753,16 @@ qla2x00_alloc_fce_trace(scsi_qla_host_t
+ ha->fce_dma = tc_dma;
+ ha->fce = tc;
+ ha->fce_bufs = FCE_NUM_BUFFERS;
++ return 0;
++}
++
++void qla2x00_free_fce_trace(struct qla_hw_data *ha)
++{
++ if (!ha->fce)
++ return;
++ dma_free_coherent(&ha->pdev->dev, FCE_SIZE, ha->fce, ha->fce_dma);
++ ha->fce = NULL;
++ ha->fce_dma = 0;
+ }
+
+ static void
+@@ -3844,9 +3853,10 @@ qla2x00_alloc_fw_dump(scsi_qla_host_t *v
+ if (ha->tgt.atio_ring)
+ mq_size += ha->tgt.atio_q_length * sizeof(request_t);
+
+- qla2x00_alloc_fce_trace(vha);
+- if (ha->fce)
++ if (ha->fce) {
+ fce_size = sizeof(struct qla2xxx_fce_chain) + FCE_SIZE;
++ ha->flags.fce_dump_buf_alloced = 1;
++ }
+ qla2x00_alloc_eft_trace(vha);
+ if (ha->eft)
+ eft_size = EFT_SIZE;
--- /dev/null
+From 98b37881b7492ae9048ad48260cc8a6ee9eb39fd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Kai=20M=C3=A4kisara?= <Kai.Makisara@kolumbus.fi>
+Date: Mon, 16 Dec 2024 13:37:55 +0200
+Subject: scsi: st: Don't set pos_unknown just after device recognition
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kai Mäkisara <Kai.Makisara@kolumbus.fi>
+
+commit 98b37881b7492ae9048ad48260cc8a6ee9eb39fd upstream.
+
+Commit 9604eea5bd3a ("scsi: st: Add third party poweron reset handling") in
+v6.6 added new code to handle the Power On/Reset Unit Attention (POR UA)
+sense data. This was in addition to the existing method. When this Unit
+Attention is received, the driver blocks attempts to read, write and some
+other operations because the reset may have rewinded the tape. Because of
+the added code, also the initial POR UA resulted in blocking operations,
+including those that are used to set the driver options after the device is
+recognized. Also, reading and writing are refused, whereas they succeeded
+before this commit.
+
+Add code to not set pos_unknown to block operations if the POR UA is
+received from the first test_ready() call after the st device has been
+created. This restores the behavior before v6.6.
+
+Signed-off-by: Kai Mäkisara <Kai.Makisara@kolumbus.fi>
+Link: https://lore.kernel.org/r/20241216113755.30415-1-Kai.Makisara@kolumbus.fi
+Fixes: 9604eea5bd3a ("scsi: st: Add third party poweron reset handling")
+CC: stable@vger.kernel.org
+Closes: https://lore.kernel.org/linux-scsi/2201CF73-4795-4D3B-9A79-6EE5215CF58D@kolumbus.fi/
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/st.c | 6 ++++++
+ drivers/scsi/st.h | 1 +
+ 2 files changed, 7 insertions(+)
+
+--- a/drivers/scsi/st.c
++++ b/drivers/scsi/st.c
+@@ -1028,6 +1028,11 @@ static int test_ready(struct scsi_tape *
+ retval = new_session ? CHKRES_NEW_SESSION : CHKRES_READY;
+ break;
+ }
++ if (STp->first_tur) {
++ /* Don't set pos_unknown right after device recognition */
++ STp->pos_unknown = 0;
++ STp->first_tur = 0;
++ }
+
+ if (SRpnt != NULL)
+ st_release_request(SRpnt);
+@@ -4326,6 +4331,7 @@ static int st_probe(struct device *dev)
+ blk_queue_rq_timeout(tpnt->device->request_queue, ST_TIMEOUT);
+ tpnt->long_timeout = ST_LONG_TIMEOUT;
+ tpnt->try_dio = try_direct_io;
++ tpnt->first_tur = 1;
+
+ for (i = 0; i < ST_NBR_MODES; i++) {
+ STm = &(tpnt->modes[i]);
+--- a/drivers/scsi/st.h
++++ b/drivers/scsi/st.h
+@@ -170,6 +170,7 @@ struct scsi_tape {
+ unsigned char rew_at_close; /* rewind necessary at close */
+ unsigned char inited;
+ unsigned char cleaning_req; /* cleaning requested? */
++ unsigned char first_tur; /* first TEST UNIT READY */
+ int block_size;
+ int min_block;
+ int max_block;
--- /dev/null
+From 87c4b5e8a6b65189abd9ea5010ab308941f964a4 Mon Sep 17 00:00:00 2001
+From: Long Li <longli@microsoft.com>
+Date: Wed, 22 Jan 2025 19:07:22 -0800
+Subject: scsi: storvsc: Set correct data length for sending SCSI command without payload
+
+From: Long Li <longli@microsoft.com>
+
+commit 87c4b5e8a6b65189abd9ea5010ab308941f964a4 upstream.
+
+In StorVSC, payload->range.len is used to indicate if this SCSI command
+carries payload. This data is allocated as part of the private driver data
+by the upper layer and may get passed to lower driver uninitialized.
+
+For example, the SCSI error handling mid layer may send TEST_UNIT_READY or
+REQUEST_SENSE while reusing the buffer from a failed command. The private
+data section may have stale data from the previous command.
+
+If the SCSI command doesn't carry payload, the driver may use this value as
+is for communicating with host, resulting in possible corruption.
+
+Fix this by always initializing this value.
+
+Fixes: be0cf6ca301c ("scsi: storvsc: Set the tablesize based on the information given by the host")
+Cc: stable@kernel.org
+Tested-by: Roman Kisel <romank@linux.microsoft.com>
+Reviewed-by: Roman Kisel <romank@linux.microsoft.com>
+Reviewed-by: Michael Kelley <mhklinux@outlook.com>
+Signed-off-by: Long Li <longli@microsoft.com>
+Link: https://lore.kernel.org/r/1737601642-7759-1-git-send-email-longli@linuxonhyperv.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/storvsc_drv.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/storvsc_drv.c
++++ b/drivers/scsi/storvsc_drv.c
+@@ -1800,6 +1800,7 @@ static int storvsc_queuecommand(struct S
+
+ length = scsi_bufflen(scmnd);
+ payload = (struct vmbus_packet_mpb_array *)&cmd_request->mpb;
++ payload->range.len = 0;
+ payload_sz = 0;
+
+ if (scsi_sg_count(scmnd)) {
--- /dev/null
+From 1b3e2d4ec0c5848776cc56d2624998aa5b2f0d27 Mon Sep 17 00:00:00 2001
+From: "Bao D. Nguyen" <quic_nguyenb@quicinc.com>
+Date: Mon, 13 Jan 2025 10:32:07 -0800
+Subject: scsi: ufs: core: Fix the HIGH/LOW_TEMP Bit Definitions
+
+From: Bao D. Nguyen <quic_nguyenb@quicinc.com>
+
+commit 1b3e2d4ec0c5848776cc56d2624998aa5b2f0d27 upstream.
+
+According to the UFS Device Specification, the dExtendedUFSFeaturesSupport
+defines the support for TOO_HIGH_TEMPERATURE as bit[4] and the
+TOO_LOW_TEMPERATURE as bit[5]. Correct the code to match with
+the UFS device specification definition.
+
+Cc: stable@vger.kernel.org
+Fixes: e88e2d32200a ("scsi: ufs: core: Probe for temperature notification support")
+Signed-off-by: Bao D. Nguyen <quic_nguyenb@quicinc.com>
+Link: https://lore.kernel.org/r/69992b3e3e3434a5c7643be5a64de48be892ca46.1736793068.git.quic_nguyenb@quicinc.com
+Reviewed-by: Avri Altman <Avri.Altman@wdc.com>
+Reviewed-by: Peter Wang <peter.wang@mediatek.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/ufs/ufs.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/ufs/ufs.h
++++ b/include/ufs/ufs.h
+@@ -384,8 +384,8 @@ enum {
+
+ /* Possible values for dExtendedUFSFeaturesSupport */
+ enum {
+- UFS_DEV_LOW_TEMP_NOTIF = BIT(4),
+- UFS_DEV_HIGH_TEMP_NOTIF = BIT(5),
++ UFS_DEV_HIGH_TEMP_NOTIF = BIT(4),
++ UFS_DEV_LOW_TEMP_NOTIF = BIT(5),
+ UFS_DEV_EXT_TEMP_NOTIF = BIT(6),
+ UFS_DEV_HPB_SUPPORT = BIT(7),
+ UFS_DEV_WRITE_BOOSTER_SUP = BIT(8),
--- /dev/null
+From 7a0905caf5665be41094a6ceb5e9d2524de4627a Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 9 Dec 2024 19:08:39 -0800
+Subject: scsi: ufs: qcom: Fix crypto key eviction
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 7a0905caf5665be41094a6ceb5e9d2524de4627a upstream.
+
+Commit 56541c7c4468 ("scsi: ufs: ufs-qcom: Switch to the new ICE API")
+introduced an incorrect check of the algorithm ID into the key eviction
+path, and thus qcom_ice_evict_key() is no longer ever called. Fix it.
+
+Fixes: 56541c7c4468 ("scsi: ufs: ufs-qcom: Switch to the new ICE API")
+Cc: stable@vger.kernel.org
+Cc: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Link: https://lore.kernel.org/r/20241210030839.1118805-1-ebiggers@kernel.org
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ufs/host/ufs-qcom.c | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+--- a/drivers/ufs/host/ufs-qcom.c
++++ b/drivers/ufs/host/ufs-qcom.c
+@@ -158,8 +158,9 @@ static int ufs_qcom_ice_program_key(stru
+ {
+ struct ufs_qcom_host *host = ufshcd_get_variant(hba);
+ union ufs_crypto_cap_entry cap;
+- bool config_enable =
+- cfg->config_enable & UFS_CRYPTO_CONFIGURATION_ENABLE;
++
++ if (!(cfg->config_enable & UFS_CRYPTO_CONFIGURATION_ENABLE))
++ return qcom_ice_evict_key(host->ice, slot);
+
+ /* Only AES-256-XTS has been tested so far. */
+ cap = hba->crypto_cap_array[cfg->crypto_cap_idx];
+@@ -167,14 +168,11 @@ static int ufs_qcom_ice_program_key(stru
+ cap.key_size != UFS_CRYPTO_KEY_SIZE_256)
+ return -EOPNOTSUPP;
+
+- if (config_enable)
+- return qcom_ice_program_key(host->ice,
+- QCOM_ICE_CRYPTO_ALG_AES_XTS,
+- QCOM_ICE_CRYPTO_KEY_SIZE_256,
+- cfg->crypto_key,
+- cfg->data_unit_size, slot);
+- else
+- return qcom_ice_evict_key(host->ice, slot);
++ return qcom_ice_program_key(host->ice,
++ QCOM_ICE_CRYPTO_ALG_AES_XTS,
++ QCOM_ICE_CRYPTO_KEY_SIZE_256,
++ cfg->crypto_key,
++ cfg->data_unit_size, slot);
+ }
+
+ #else
--- /dev/null
+From 9f7dea875cc7f9c1a56a5c688290634a59cd1420 Mon Sep 17 00:00:00 2001
+From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+Date: Thu, 16 Jan 2025 20:22:47 +0200
+Subject: serial: sh-sci: Do not probe the serial port if its slot in sci_ports[] is in use
+
+From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+
+commit 9f7dea875cc7f9c1a56a5c688290634a59cd1420 upstream.
+
+In the sh-sci driver, sci_ports[0] is used by earlycon. If the earlycon is
+still active when sci_probe() is called and the new serial port is supposed
+to map to sci_ports[0], return -EBUSY to prevent breaking the earlycon.
+
+This situation should occurs in debug scenarios, and users should be
+aware of the potential conflict.
+
+Fixes: 0b0cced19ab1 ("serial: sh-sci: Add CONFIG_SERIAL_EARLYCON support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+Link: https://lore.kernel.org/r/20250116182249.3828577-4-claudiu.beznea.uj@bp.renesas.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/sh-sci.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+--- a/drivers/tty/serial/sh-sci.c
++++ b/drivers/tty/serial/sh-sci.c
+@@ -164,6 +164,7 @@ struct sci_port {
+ static struct sci_port sci_ports[SCI_NPORTS];
+ static unsigned long sci_ports_in_use;
+ static struct uart_driver sci_uart_driver;
++static bool sci_uart_earlycon;
+
+ static inline struct sci_port *
+ to_sci_port(struct uart_port *uart)
+@@ -3391,6 +3392,7 @@ static int sci_probe_single(struct platf
+ static int sci_probe(struct platform_device *dev)
+ {
+ struct plat_sci_port *p;
++ struct resource *res;
+ struct sci_port *sp;
+ unsigned int dev_id;
+ int ret;
+@@ -3420,6 +3422,26 @@ static int sci_probe(struct platform_dev
+ }
+
+ sp = &sci_ports[dev_id];
++
++ /*
++ * In case:
++ * - the probed port alias is zero (as the one used by earlycon), and
++ * - the earlycon is still active (e.g., "earlycon keep_bootcon" in
++ * bootargs)
++ *
++ * defer the probe of this serial. This is a debug scenario and the user
++ * must be aware of it.
++ *
++ * Except when the probed port is the same as the earlycon port.
++ */
++
++ res = platform_get_resource(dev, IORESOURCE_MEM, 0);
++ if (!res)
++ return -ENODEV;
++
++ if (sci_uart_earlycon && sp == &sci_ports[0] && sp->port.mapbase != res->start)
++ return dev_err_probe(&dev->dev, -EBUSY, "sci_port[0] is used by earlycon!\n");
++
+ platform_set_drvdata(dev, sp);
+
+ ret = sci_probe_single(dev, dev_id, p, sp);
+@@ -3518,6 +3540,7 @@ static int __init early_console_setup(st
+ port_cfg.type = type;
+ sci_ports[0].cfg = &port_cfg;
+ sci_ports[0].params = sci_probe_regmap(&port_cfg);
++ sci_uart_earlycon = true;
+ port_cfg.scscr = sci_serial_in(&sci_ports[0].port, SCSCR);
+ sci_serial_out(&sci_ports[0].port, SCSCR,
+ SCSCR_RE | SCSCR_TE | port_cfg.scscr);
--- /dev/null
+From eaeee4225dba30bef4d424bdf134a07b7f423e8b Mon Sep 17 00:00:00 2001
+From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+Date: Thu, 16 Jan 2025 20:22:45 +0200
+Subject: serial: sh-sci: Drop __initdata macro for port_cfg
+
+From: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+
+commit eaeee4225dba30bef4d424bdf134a07b7f423e8b upstream.
+
+The port_cfg object is used by serial_console_write(), which serves as
+the write function for the earlycon device. Marking port_cfg as __initdata
+causes it to be freed after kernel initialization, resulting in earlycon
+becoming unavailable thereafter. Remove the __initdata macro from port_cfg
+to resolve this issue.
+
+Fixes: 0b0cced19ab1 ("serial: sh-sci: Add CONFIG_SERIAL_EARLYCON support")
+Cc: stable@vger.kernel.org
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
+Fixes: 0b0cced19ab15c9e ("serial: sh-sci: Add CONFIG_SERIAL_EARLYCON support")
+Link: https://lore.kernel.org/r/20250116182249.3828577-2-claudiu.beznea.uj@bp.renesas.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/sh-sci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/sh-sci.c
++++ b/drivers/tty/serial/sh-sci.c
+@@ -3503,7 +3503,7 @@ sh_early_platform_init_buffer("earlyprin
+ early_serial_buf, ARRAY_SIZE(early_serial_buf));
+ #endif
+ #ifdef CONFIG_SERIAL_SH_SCI_EARLYCON
+-static struct plat_sci_port port_cfg __initdata;
++static struct plat_sci_port port_cfg;
+
+ static int __init early_console_setup(struct earlycon_device *device,
+ int type)
clk-mediatek-mt2701-bdp-add-missing-dummy-clk.patch
clk-mediatek-mt2701-img-add-missing-dummy-clk.patch
clk-mediatek-mt2701-mm-add-missing-dummy-clk.patch
+blk-cgroup-fix-class-block_class-s-subsystem-refcount-leakage.patch
+efi-libstub-use-std-gnu11-to-fix-build-with-gcc-15.patch
+perf-bench-fix-undefined-behavior-in-cmpworker.patch
+scsi-ufs-core-fix-the-high-low_temp-bit-definitions.patch
+of-correct-child-specifier-used-as-input-of-the-2nd-nexus-node.patch
+of-fix-of_find_node_opts_by_path-handling-of-alias-path-options.patch
+of-reserved-memory-fix-using-wrong-number-of-cells-to-get-property-alignment.patch
+hid-hid-sensor-hub-don-t-use-stale-platform-data-on-remove.patch
+wifi-rtlwifi-rtl8821ae-fix-media-status-report.patch
+wifi-brcmfmac-fix-null-pointer-dereference-in-brcmf_txfinalize.patch
+wifi-mt76-mt7921u-add-vid-pid-for-tp-link-txe50uh.patch
+wifi-rtw88-sdio-fix-disconnection-after-beacon-loss.patch
+wifi-mt76-mt7915-add-module-param-to-select-5-ghz-or-6-ghz-on-mt7916.patch
+usb-gadget-f_tcm-translate-error-to-sense.patch
+usb-gadget-f_tcm-decrement-command-ref-count-on-cleanup.patch
+usb-gadget-f_tcm-ep_autoconfig-with-fullspeed-endpoint.patch
+usb-gadget-f_tcm-don-t-prepare-bot-write-request-twice.patch
+usbnet-ipheth-fix-possible-overflow-in-dpe-length-check.patch
+usbnet-ipheth-use-static-ndp16-location-in-urb.patch
+usbnet-ipheth-check-that-dpe-points-past-ncm-header.patch
+usbnet-ipheth-refactor-ncm-datagram-loop.patch
+usbnet-ipheth-break-up-ncm-header-size-computation.patch
+usbnet-ipheth-fix-dpe-oob-read.patch
+usbnet-ipheth-document-scope-of-ncm-implementation.patch
+asoc-acp-support-microphone-from-lenovo-go-s.patch
+soc-qcom-socinfo-avoid-out-of-bounds-read-of-serial-number.patch
+serial-sh-sci-drop-__initdata-macro-for-port_cfg.patch
+serial-sh-sci-do-not-probe-the-serial-port-if-its-slot-in-sci_ports-is-in-use.patch
+mips-loongson64-remove-rom-size-unit-in-boardinfo.patch
+loongarch-extend-the-maximum-number-of-watchpoints.patch
+powerpc-pseries-eeh-fix-get-pe-state-translation.patch
+dm-crypt-don-t-update-io-sector-after-kcryptd_crypt_write_io_submit.patch
+dm-crypt-track-tag_offset-in-convert_context.patch
+mips-math-emu-fix-emulation-of-the-prefx-instruction.patch
+block-don-t-revert-iter-for-eiocbqueued.patch
+revert-media-uvcvideo-require-entities-to-have-a-non-zero-unique-id.patch
+alsa-hda-realtek-enable-headset-mic-on-positivo-c6400.patch
+alsa-hda-fix-headset-detection-failure-due-to-unstable-sort.patch
+arm64-tegra-fix-tegra234-pcie-interrupt-map.patch
+pci-avoid-putting-some-root-ports-into-d3-on-tuxedo-sirius-gen1.patch
+pci-endpoint-finish-virtual-ep-removal-in-pci_epf_remove_vepf.patch
+nvme-pci-add-tuxedo-infinityflex-to-samsung-sleep-quirk.patch
+nvme-pci-add-tuxedo-ibp-gen9-to-samsung-sleep-quirk.patch
+scsi-st-don-t-set-pos_unknown-just-after-device-recognition.patch
+scsi-qla2xxx-move-fce-trace-buffer-allocation-to-user-control.patch
+scsi-ufs-qcom-fix-crypto-key-eviction.patch
+scsi-storvsc-set-correct-data-length-for-sending-scsi-command-without-payload.patch
+kbuild-move-wenum-enum-conversion-to-w-2.patch
--- /dev/null
+From 22cf4fae6660b6e1a583a41cbf84e3046ca9ccd0 Mon Sep 17 00:00:00 2001
+From: Stephan Gerhold <stephan.gerhold@linaro.org>
+Date: Mon, 30 Dec 2024 20:59:35 +0100
+Subject: soc: qcom: socinfo: Avoid out of bounds read of serial number
+
+From: Stephan Gerhold <stephan.gerhold@linaro.org>
+
+commit 22cf4fae6660b6e1a583a41cbf84e3046ca9ccd0 upstream.
+
+On MSM8916 devices, the serial number exposed in sysfs is constant and does
+not change across individual devices. It's always:
+
+ db410c:/sys/devices/soc0$ cat serial_number
+ 2644893864
+
+The firmware used on MSM8916 exposes SOCINFO_VERSION(0, 8), which does not
+have support for the serial_num field in the socinfo struct. There is an
+existing check to avoid exposing the serial number in that case, but it's
+not correct: When checking the item_size returned by SMEM, we need to make
+sure the *end* of the serial_num is within bounds, instead of comparing
+with the *start* offset. The serial_number currently exposed on MSM8916
+devices is just an out of bounds read of whatever comes after the socinfo
+struct in SMEM.
+
+Fix this by changing offsetof() to offsetofend(), so that the size of the
+field is also taken into account.
+
+Cc: stable@vger.kernel.org
+Fixes: efb448d0a3fc ("soc: qcom: Add socinfo driver")
+Signed-off-by: Stephan Gerhold <stephan.gerhold@linaro.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20241230-qcom-socinfo-serialno-oob-v1-1-9b7a890da3da@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/qcom/socinfo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/soc/qcom/socinfo.c
++++ b/drivers/soc/qcom/socinfo.c
+@@ -760,7 +760,7 @@ static int qcom_socinfo_probe(struct pla
+ if (!qs->attr.soc_id || !qs->attr.revision)
+ return -ENOMEM;
+
+- if (offsetof(struct socinfo, serial_num) <= item_size) {
++ if (offsetofend(struct socinfo, serial_num) <= item_size) {
+ qs->attr.serial_number = devm_kasprintf(&pdev->dev, GFP_KERNEL,
+ "%u",
+ le32_to_cpu(info->serial_num));
--- /dev/null
+From 3b2a52e88ab0c9469eaadd4d4c8f57d072477820 Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Date: Wed, 11 Dec 2024 00:31:48 +0000
+Subject: usb: gadget: f_tcm: Decrement command ref count on cleanup
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+commit 3b2a52e88ab0c9469eaadd4d4c8f57d072477820 upstream.
+
+We submitted the command with TARGET_SCF_ACK_KREF, which requires
+acknowledgment of command completion. If the command fails, make sure to
+decrement the ref count.
+
+Fixes: cff834c16d23 ("usb-gadget/tcm: Convert to TARGET_SCF_ACK_KREF I/O krefs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://lore.kernel.org/r/3c667b4d9c8b0b580346a69ff53616b6a74cfea2.1733876548.git.Thinh.Nguyen@synopsys.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_tcm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/gadget/function/f_tcm.c
++++ b/drivers/usb/gadget/function/f_tcm.c
+@@ -973,6 +973,7 @@ static void usbg_data_write_cmpl(struct
+ return;
+
+ cleanup:
++ target_put_sess_cmd(se_cmd);
+ transport_generic_free_cmd(&cmd->se_cmd, 0);
+ }
+
--- /dev/null
+From 94d9bf671ae314cacc2d7bf96bd233b4abc7cede Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Date: Wed, 11 Dec 2024 00:32:07 +0000
+Subject: usb: gadget: f_tcm: Don't prepare BOT write request twice
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+commit 94d9bf671ae314cacc2d7bf96bd233b4abc7cede upstream.
+
+The duplicate kmalloc here is causing memory leak. The request
+preparation in bot_send_write_request is also done in
+usbg_prepare_w_request. Remove the duplicate work.
+
+Fixes: c52661d60f63 ("usb-gadget: Initial merge of target module for UASP + BOT")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://lore.kernel.org/r/f4f26c3d586cde0d46f8c3bcb4e8ae32311b650d.1733876548.git.Thinh.Nguyen@synopsys.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_tcm.c | 17 -----------------
+ 1 file changed, 17 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_tcm.c
++++ b/drivers/usb/gadget/function/f_tcm.c
+@@ -245,7 +245,6 @@ static int bot_send_write_request(struct
+ {
+ struct f_uas *fu = cmd->fu;
+ struct se_cmd *se_cmd = &cmd->se_cmd;
+- struct usb_gadget *gadget = fuas_to_gadget(fu);
+ int ret;
+
+ init_completion(&cmd->write_complete);
+@@ -256,22 +255,6 @@ static int bot_send_write_request(struct
+ return -EINVAL;
+ }
+
+- if (!gadget->sg_supported) {
+- cmd->data_buf = kmalloc(se_cmd->data_length, GFP_KERNEL);
+- if (!cmd->data_buf)
+- return -ENOMEM;
+-
+- fu->bot_req_out->buf = cmd->data_buf;
+- } else {
+- fu->bot_req_out->buf = NULL;
+- fu->bot_req_out->num_sgs = se_cmd->t_data_nents;
+- fu->bot_req_out->sg = se_cmd->t_data_sg;
+- }
+-
+- fu->bot_req_out->complete = usbg_data_write_cmpl;
+- fu->bot_req_out->length = se_cmd->data_length;
+- fu->bot_req_out->context = cmd;
+-
+ ret = usbg_prepare_w_request(cmd, fu->bot_req_out);
+ if (ret)
+ goto cleanup;
--- /dev/null
+From 25224c1f07d31c261d04dfbc705a7a0f314a825d Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Date: Wed, 11 Dec 2024 00:32:01 +0000
+Subject: usb: gadget: f_tcm: ep_autoconfig with fullspeed endpoint
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+commit 25224c1f07d31c261d04dfbc705a7a0f314a825d upstream.
+
+Match usb endpoint using fullspeed endpoint descriptor to make sure the
+wMaxPacketSize for fullspeed descriptors is automatically configured.
+
+Fixes: c52661d60f63 ("usb-gadget: Initial merge of target module for UASP + BOT")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://lore.kernel.org/r/e4507bc824aed6e7c7f5a718392ab6a7c1480a7f.1733876548.git.Thinh.Nguyen@synopsys.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_tcm.c | 30 +++++++++++++-----------------
+ 1 file changed, 13 insertions(+), 17 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_tcm.c
++++ b/drivers/usb/gadget/function/f_tcm.c
+@@ -1967,43 +1967,39 @@ static int tcm_bind(struct usb_configura
+ bot_intf_desc.bInterfaceNumber = iface;
+ uasp_intf_desc.bInterfaceNumber = iface;
+ fu->iface = iface;
+- ep = usb_ep_autoconfig_ss(gadget, &uasp_ss_bi_desc,
+- &uasp_bi_ep_comp_desc);
++ ep = usb_ep_autoconfig(gadget, &uasp_fs_bi_desc);
+ if (!ep)
+ goto ep_fail;
+
+ fu->ep_in = ep;
+
+- ep = usb_ep_autoconfig_ss(gadget, &uasp_ss_bo_desc,
+- &uasp_bo_ep_comp_desc);
++ ep = usb_ep_autoconfig(gadget, &uasp_fs_bo_desc);
+ if (!ep)
+ goto ep_fail;
+ fu->ep_out = ep;
+
+- ep = usb_ep_autoconfig_ss(gadget, &uasp_ss_status_desc,
+- &uasp_status_in_ep_comp_desc);
++ ep = usb_ep_autoconfig(gadget, &uasp_fs_status_desc);
+ if (!ep)
+ goto ep_fail;
+ fu->ep_status = ep;
+
+- ep = usb_ep_autoconfig_ss(gadget, &uasp_ss_cmd_desc,
+- &uasp_cmd_comp_desc);
++ ep = usb_ep_autoconfig(gadget, &uasp_fs_cmd_desc);
+ if (!ep)
+ goto ep_fail;
+ fu->ep_cmd = ep;
+
+ /* Assume endpoint addresses are the same for both speeds */
+- uasp_bi_desc.bEndpointAddress = uasp_ss_bi_desc.bEndpointAddress;
+- uasp_bo_desc.bEndpointAddress = uasp_ss_bo_desc.bEndpointAddress;
++ uasp_bi_desc.bEndpointAddress = uasp_fs_bi_desc.bEndpointAddress;
++ uasp_bo_desc.bEndpointAddress = uasp_fs_bo_desc.bEndpointAddress;
+ uasp_status_desc.bEndpointAddress =
+- uasp_ss_status_desc.bEndpointAddress;
+- uasp_cmd_desc.bEndpointAddress = uasp_ss_cmd_desc.bEndpointAddress;
++ uasp_fs_status_desc.bEndpointAddress;
++ uasp_cmd_desc.bEndpointAddress = uasp_fs_cmd_desc.bEndpointAddress;
+
+- uasp_fs_bi_desc.bEndpointAddress = uasp_ss_bi_desc.bEndpointAddress;
+- uasp_fs_bo_desc.bEndpointAddress = uasp_ss_bo_desc.bEndpointAddress;
+- uasp_fs_status_desc.bEndpointAddress =
+- uasp_ss_status_desc.bEndpointAddress;
+- uasp_fs_cmd_desc.bEndpointAddress = uasp_ss_cmd_desc.bEndpointAddress;
++ uasp_ss_bi_desc.bEndpointAddress = uasp_fs_bi_desc.bEndpointAddress;
++ uasp_ss_bo_desc.bEndpointAddress = uasp_fs_bo_desc.bEndpointAddress;
++ uasp_ss_status_desc.bEndpointAddress =
++ uasp_fs_status_desc.bEndpointAddress;
++ uasp_ss_cmd_desc.bEndpointAddress = uasp_fs_cmd_desc.bEndpointAddress;
+
+ ret = usb_assign_descriptors(f, uasp_fs_function_desc,
+ uasp_hs_function_desc, uasp_ss_function_desc,
--- /dev/null
+From 98fa00fd3ae43b857b4976984a135483d89d9281 Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Date: Wed, 11 Dec 2024 00:31:43 +0000
+Subject: usb: gadget: f_tcm: Translate error to sense
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+commit 98fa00fd3ae43b857b4976984a135483d89d9281 upstream.
+
+When respond with check_condition error status, clear from_transport
+input so the target layer can translate the sense reason reported by
+f_tcm.
+
+Fixes: c52661d60f63 ("usb-gadget: Initial merge of target module for UASP + BOT")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://lore.kernel.org/r/b2a5577efe7abd0af0051229622cf7d3be5cdcd0.1733876548.git.Thinh.Nguyen@synopsys.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_tcm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_tcm.c
++++ b/drivers/usb/gadget/function/f_tcm.c
+@@ -1065,7 +1065,7 @@ static void usbg_cmd_work(struct work_st
+
+ out:
+ transport_send_check_condition_and_sense(se_cmd,
+- TCM_UNSUPPORTED_SCSI_OPCODE, 1);
++ TCM_UNSUPPORTED_SCSI_OPCODE, 0);
+ }
+
+ static struct usbg_cmd *usbg_get_cmd(struct f_uas *fu,
+@@ -1193,7 +1193,7 @@ static void bot_cmd_work(struct work_str
+
+ out:
+ transport_send_check_condition_and_sense(se_cmd,
+- TCM_UNSUPPORTED_SCSI_OPCODE, 1);
++ TCM_UNSUPPORTED_SCSI_OPCODE, 0);
+ }
+
+ static int bot_submit_command(struct f_uas *fu,
--- /dev/null
+From efcbc678a14be268040ffc1fa33c98faf2d55141 Mon Sep 17 00:00:00 2001
+From: Foster Snowhill <forst@pen.gy>
+Date: Sun, 26 Jan 2025 00:54:07 +0100
+Subject: usbnet: ipheth: break up NCM header size computation
+
+From: Foster Snowhill <forst@pen.gy>
+
+commit efcbc678a14be268040ffc1fa33c98faf2d55141 upstream.
+
+Originally, the total NCM header size was computed as the sum of two
+vaguely labelled constants. While accurate, it wasn't particularly clear
+where they were coming from.
+
+Use sizes of existing NCM structs where available. Define the total
+NDP16 size based on the maximum amount of DPEs that can fit into the
+iOS-specific fixed-size header.
+
+This change does not fix any particular issue. Rather, it introduces
+intermediate constants that will simplify subsequent commits.
+It should also make it clearer for the reader where the constant values
+come from.
+
+Cc: stable@vger.kernel.org # 6.5.x
+Signed-off-by: Foster Snowhill <forst@pen.gy>
+Reviewed-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/ipheth.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c
+index 069979e2bb6e..03249208612e 100644
+--- a/drivers/net/usb/ipheth.c
++++ b/drivers/net/usb/ipheth.c
+@@ -61,7 +61,18 @@
+ #define IPHETH_USBINTF_PROTO 1
+
+ #define IPHETH_IP_ALIGN 2 /* padding at front of URB */
+-#define IPHETH_NCM_HEADER_SIZE (12 + 96) /* NCMH + NCM0 */
++/* On iOS devices, NCM headers in RX have a fixed size regardless of DPE count:
++ * - NTH16 (NCMH): 12 bytes, as per CDC NCM 1.0 spec
++ * - NDP16 (NCM0): 96 bytes, of which
++ * - NDP16 fixed header: 8 bytes
++ * - maximum of 22 DPEs (21 datagrams + trailer), 4 bytes each
++ */
++#define IPHETH_NDP16_MAX_DPE 22
++#define IPHETH_NDP16_HEADER_SIZE (sizeof(struct usb_cdc_ncm_ndp16) + \
++ IPHETH_NDP16_MAX_DPE * \
++ sizeof(struct usb_cdc_ncm_dpe16))
++#define IPHETH_NCM_HEADER_SIZE (sizeof(struct usb_cdc_ncm_nth16) + \
++ IPHETH_NDP16_HEADER_SIZE)
+ #define IPHETH_TX_BUF_SIZE ETH_FRAME_LEN
+ #define IPHETH_RX_BUF_SIZE_LEGACY (IPHETH_IP_ALIGN + ETH_FRAME_LEN)
+ #define IPHETH_RX_BUF_SIZE_NCM 65536
+--
+2.48.1
+
--- /dev/null
+From 429fa68b58cefb9aa9de27e4089637298b46b757 Mon Sep 17 00:00:00 2001
+From: Foster Snowhill <forst@pen.gy>
+Date: Sun, 26 Jan 2025 00:54:04 +0100
+Subject: usbnet: ipheth: check that DPE points past NCM header
+
+From: Foster Snowhill <forst@pen.gy>
+
+commit 429fa68b58cefb9aa9de27e4089637298b46b757 upstream.
+
+By definition, a DPE points at the start of a network frame/datagram.
+Thus it makes no sense for it to point at anything that's part of the
+NCM header. It is not a security issue, but merely an indication of
+a malformed DPE.
+
+Enforce that all DPEs point at the data portion of the URB, past the
+NCM header.
+
+Fixes: a2d274c62e44 ("usbnet: ipheth: add CDC NCM support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Foster Snowhill <forst@pen.gy>
+Reviewed-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/ipheth.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/usb/ipheth.c
++++ b/drivers/net/usb/ipheth.c
+@@ -241,7 +241,8 @@ static int ipheth_rcvbulk_callback_ncm(s
+ dpe = ncm0->dpe16;
+ while (le16_to_cpu(dpe->wDatagramIndex) != 0 &&
+ le16_to_cpu(dpe->wDatagramLength) != 0) {
+- if (le16_to_cpu(dpe->wDatagramIndex) >= urb->actual_length ||
++ if (le16_to_cpu(dpe->wDatagramIndex) < IPHETH_NCM_HEADER_SIZE ||
++ le16_to_cpu(dpe->wDatagramIndex) >= urb->actual_length ||
+ le16_to_cpu(dpe->wDatagramLength) > urb->actual_length -
+ le16_to_cpu(dpe->wDatagramIndex)) {
+ dev->net->stats.rx_length_errors++;
--- /dev/null
+From be154b598fa54136e2be17d6dd13c8a8bc0078ce Mon Sep 17 00:00:00 2001
+From: Foster Snowhill <forst@pen.gy>
+Date: Sun, 26 Jan 2025 00:54:09 +0100
+Subject: usbnet: ipheth: document scope of NCM implementation
+
+From: Foster Snowhill <forst@pen.gy>
+
+commit be154b598fa54136e2be17d6dd13c8a8bc0078ce upstream.
+
+Clarify that the "NCM" implementation in `ipheth` is very limited, as
+iOS devices aren't compatible with the CDC NCM specification in regular
+tethering mode.
+
+For a standards-compliant implementation, one shall turn to
+the `cdc_ncm` module.
+
+Cc: stable@vger.kernel.org # 6.5.x
+Signed-off-by: Foster Snowhill <forst@pen.gy>
+Reviewed-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/ipheth.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c
+index 5347cd7e295b..a19789b57190 100644
+--- a/drivers/net/usb/ipheth.c
++++ b/drivers/net/usb/ipheth.c
+@@ -218,6 +218,14 @@ static int ipheth_rcvbulk_callback_legacy(struct urb *urb)
+ return ipheth_consume_skb(buf, len, dev);
+ }
+
++/* In "NCM mode", the iOS device encapsulates RX (phone->computer) traffic
++ * in NCM Transfer Blocks (similarly to CDC NCM). However, unlike reverse
++ * tethering (handled by the `cdc_ncm` driver), regular tethering is not
++ * compliant with the CDC NCM spec, as the device is missing the necessary
++ * descriptors, and TX (computer->phone) traffic is not encapsulated
++ * at all. Thus `ipheth` implements a very limited subset of the spec with
++ * the sole purpose of parsing RX URBs.
++ */
+ static int ipheth_rcvbulk_callback_ncm(struct urb *urb)
+ {
+ struct usb_cdc_ncm_nth16 *ncmh;
+--
+2.48.1
+
--- /dev/null
+From ee591f2b281721171896117f9946fced31441418 Mon Sep 17 00:00:00 2001
+From: Foster Snowhill <forst@pen.gy>
+Date: Sun, 26 Jan 2025 00:54:08 +0100
+Subject: usbnet: ipheth: fix DPE OoB read
+
+From: Foster Snowhill <forst@pen.gy>
+
+commit ee591f2b281721171896117f9946fced31441418 upstream.
+
+Fix an out-of-bounds DPE read, limit the number of processed DPEs to
+the amount that fits into the fixed-size NDP16 header.
+
+Fixes: a2d274c62e44 ("usbnet: ipheth: add CDC NCM support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Foster Snowhill <forst@pen.gy>
+Reviewed-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/ipheth.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c
+index 03249208612e..5347cd7e295b 100644
+--- a/drivers/net/usb/ipheth.c
++++ b/drivers/net/usb/ipheth.c
+@@ -246,7 +246,7 @@ static int ipheth_rcvbulk_callback_ncm(struct urb *urb)
+ goto rx_error;
+
+ dpe = ncm0->dpe16;
+- while (true) {
++ for (int dpe_i = 0; dpe_i < IPHETH_NDP16_MAX_DPE; ++dpe_i, ++dpe) {
+ dg_idx = le16_to_cpu(dpe->wDatagramIndex);
+ dg_len = le16_to_cpu(dpe->wDatagramLength);
+
+@@ -268,8 +268,6 @@ static int ipheth_rcvbulk_callback_ncm(struct urb *urb)
+ retval = ipheth_consume_skb(buf, dg_len, dev);
+ if (retval != 0)
+ return retval;
+-
+- dpe++;
+ }
+
+ rx_error:
+--
+2.48.1
+
--- /dev/null
+From c219427ed296f94bb4b91d08626776dc7719ee27 Mon Sep 17 00:00:00 2001
+From: Foster Snowhill <forst@pen.gy>
+Date: Sun, 26 Jan 2025 00:54:03 +0100
+Subject: usbnet: ipheth: fix possible overflow in DPE length check
+
+From: Foster Snowhill <forst@pen.gy>
+
+commit c219427ed296f94bb4b91d08626776dc7719ee27 upstream.
+
+Originally, it was possible for the DPE length check to overflow if
+wDatagramIndex + wDatagramLength > U16_MAX. This could lead to an OoB
+read.
+
+Move the wDatagramIndex term to the other side of the inequality.
+
+An existing condition ensures that wDatagramIndex < urb->actual_length.
+
+Fixes: a2d274c62e44 ("usbnet: ipheth: add CDC NCM support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Foster Snowhill <forst@pen.gy>
+Reviewed-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/ipheth.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c
+index 46afb95ffabe..45daae234cb8 100644
+--- a/drivers/net/usb/ipheth.c
++++ b/drivers/net/usb/ipheth.c
+@@ -243,8 +243,8 @@ static int ipheth_rcvbulk_callback_ncm(struct urb *urb)
+ while (le16_to_cpu(dpe->wDatagramIndex) != 0 &&
+ le16_to_cpu(dpe->wDatagramLength) != 0) {
+ if (le16_to_cpu(dpe->wDatagramIndex) >= urb->actual_length ||
+- le16_to_cpu(dpe->wDatagramIndex) +
+- le16_to_cpu(dpe->wDatagramLength) > urb->actual_length) {
++ le16_to_cpu(dpe->wDatagramLength) > urb->actual_length -
++ le16_to_cpu(dpe->wDatagramIndex)) {
+ dev->net->stats.rx_length_errors++;
+ return retval;
+ }
+--
+2.48.1
+
--- /dev/null
+From 2a9a196429e98fcc64078366c2679bc40aba5466 Mon Sep 17 00:00:00 2001
+From: Foster Snowhill <forst@pen.gy>
+Date: Sun, 26 Jan 2025 00:54:06 +0100
+Subject: usbnet: ipheth: refactor NCM datagram loop
+
+From: Foster Snowhill <forst@pen.gy>
+
+commit 2a9a196429e98fcc64078366c2679bc40aba5466 upstream.
+
+Introduce an rx_error label to reduce repetitions in the header
+signature checks.
+
+Store wDatagramIndex and wDatagramLength after endianness conversion to
+avoid repeated le16_to_cpu() calls.
+
+Rewrite the loop to return on a null trailing DPE, which is required
+by the CDC NCM spec. In case it is missing, fall through to rx_error.
+
+This change does not fix any particular issue. Its purpose is to
+simplify a subsequent commit that fixes a potential OoB read by limiting
+the maximum amount of processed DPEs.
+
+Cc: stable@vger.kernel.org # 6.5.x
+Signed-off-by: Foster Snowhill <forst@pen.gy>
+Reviewed-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/ipheth.c | 42 ++++++++++++++++++++++------------------
+ 1 file changed, 23 insertions(+), 19 deletions(-)
+
+diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c
+index c385623596d2..069979e2bb6e 100644
+--- a/drivers/net/usb/ipheth.c
++++ b/drivers/net/usb/ipheth.c
+@@ -213,9 +213,9 @@ static int ipheth_rcvbulk_callback_ncm(struct urb *urb)
+ struct usb_cdc_ncm_ndp16 *ncm0;
+ struct usb_cdc_ncm_dpe16 *dpe;
+ struct ipheth_device *dev;
++ u16 dg_idx, dg_len;
+ int retval = -EINVAL;
+ char *buf;
+- int len;
+
+ dev = urb->context;
+
+@@ -227,39 +227,43 @@ static int ipheth_rcvbulk_callback_ncm(struct urb *urb)
+ ncmh = urb->transfer_buffer;
+ if (ncmh->dwSignature != cpu_to_le32(USB_CDC_NCM_NTH16_SIGN) ||
+ /* On iOS, NDP16 directly follows NTH16 */
+- ncmh->wNdpIndex != cpu_to_le16(sizeof(struct usb_cdc_ncm_nth16))) {
+- dev->net->stats.rx_errors++;
+- return retval;
+- }
++ ncmh->wNdpIndex != cpu_to_le16(sizeof(struct usb_cdc_ncm_nth16)))
++ goto rx_error;
+
+ ncm0 = urb->transfer_buffer + sizeof(struct usb_cdc_ncm_nth16);
+- if (ncm0->dwSignature != cpu_to_le32(USB_CDC_NCM_NDP16_NOCRC_SIGN)) {
+- dev->net->stats.rx_errors++;
+- return retval;
+- }
++ if (ncm0->dwSignature != cpu_to_le32(USB_CDC_NCM_NDP16_NOCRC_SIGN))
++ goto rx_error;
+
+ dpe = ncm0->dpe16;
+- while (le16_to_cpu(dpe->wDatagramIndex) != 0 &&
+- le16_to_cpu(dpe->wDatagramLength) != 0) {
+- if (le16_to_cpu(dpe->wDatagramIndex) < IPHETH_NCM_HEADER_SIZE ||
+- le16_to_cpu(dpe->wDatagramIndex) >= urb->actual_length ||
+- le16_to_cpu(dpe->wDatagramLength) > urb->actual_length -
+- le16_to_cpu(dpe->wDatagramIndex)) {
++ while (true) {
++ dg_idx = le16_to_cpu(dpe->wDatagramIndex);
++ dg_len = le16_to_cpu(dpe->wDatagramLength);
++
++ /* Null DPE must be present after last datagram pointer entry
++ * (3.3.1 USB CDC NCM spec v1.0)
++ */
++ if (dg_idx == 0 && dg_len == 0)
++ return 0;
++
++ if (dg_idx < IPHETH_NCM_HEADER_SIZE ||
++ dg_idx >= urb->actual_length ||
++ dg_len > urb->actual_length - dg_idx) {
+ dev->net->stats.rx_length_errors++;
+ return retval;
+ }
+
+- buf = urb->transfer_buffer + le16_to_cpu(dpe->wDatagramIndex);
+- len = le16_to_cpu(dpe->wDatagramLength);
++ buf = urb->transfer_buffer + dg_idx;
+
+- retval = ipheth_consume_skb(buf, len, dev);
++ retval = ipheth_consume_skb(buf, dg_len, dev);
+ if (retval != 0)
+ return retval;
+
+ dpe++;
+ }
+
+- return 0;
++rx_error:
++ dev->net->stats.rx_errors++;
++ return retval;
+ }
+
+ static void ipheth_rcvbulk_callback(struct urb *urb)
+--
+2.48.1
+
--- /dev/null
+From 86586dcb75cb8fd062a518aca8ee667938b91efb Mon Sep 17 00:00:00 2001
+From: Foster Snowhill <forst@pen.gy>
+Date: Sun, 26 Jan 2025 00:54:05 +0100
+Subject: usbnet: ipheth: use static NDP16 location in URB
+
+From: Foster Snowhill <forst@pen.gy>
+
+commit 86586dcb75cb8fd062a518aca8ee667938b91efb upstream.
+
+Original code allowed for the start of NDP16 to be anywhere within the
+URB based on the `wNdpIndex` value in NTH16. Only the start position of
+NDP16 was checked, so it was possible for even the fixed-length part
+of NDP16 to extend past the end of URB, leading to an out-of-bounds
+read.
+
+On iOS devices, the NDP16 header always directly follows NTH16. Rely on
+and check for this specific format.
+
+This, along with NCM-specific minimal URB length check that already
+exists, will ensure that the fixed-length part of NDP16 plus a set
+amount of DPEs fit within the URB.
+
+Note that this commit alone does not fully address the OoB read.
+The limit on the amount of DPEs needs to be enforced separately.
+
+Fixes: a2d274c62e44 ("usbnet: ipheth: add CDC NCM support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Foster Snowhill <forst@pen.gy>
+Reviewed-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/ipheth.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/usb/ipheth.c b/drivers/net/usb/ipheth.c
+index 1ff5f7076ad5..c385623596d2 100644
+--- a/drivers/net/usb/ipheth.c
++++ b/drivers/net/usb/ipheth.c
+@@ -226,15 +226,14 @@ static int ipheth_rcvbulk_callback_ncm(struct urb *urb)
+
+ ncmh = urb->transfer_buffer;
+ if (ncmh->dwSignature != cpu_to_le32(USB_CDC_NCM_NTH16_SIGN) ||
+- le16_to_cpu(ncmh->wNdpIndex) >= urb->actual_length) {
++ /* On iOS, NDP16 directly follows NTH16 */
++ ncmh->wNdpIndex != cpu_to_le16(sizeof(struct usb_cdc_ncm_nth16))) {
+ dev->net->stats.rx_errors++;
+ return retval;
+ }
+
+- ncm0 = urb->transfer_buffer + le16_to_cpu(ncmh->wNdpIndex);
+- if (ncm0->dwSignature != cpu_to_le32(USB_CDC_NCM_NDP16_NOCRC_SIGN) ||
+- le16_to_cpu(ncmh->wHeaderLength) + le16_to_cpu(ncm0->wLength) >=
+- urb->actual_length) {
++ ncm0 = urb->transfer_buffer + sizeof(struct usb_cdc_ncm_nth16);
++ if (ncm0->dwSignature != cpu_to_le32(USB_CDC_NCM_NDP16_NOCRC_SIGN)) {
+ dev->net->stats.rx_errors++;
+ return retval;
+ }
+--
+2.48.1
+
--- /dev/null
+From 68abd0c4ebf24cd499841a488b97a6873d5efabb Mon Sep 17 00:00:00 2001
+From: Marcel Hamer <marcel.hamer@windriver.com>
+Date: Thu, 16 Jan 2025 14:22:40 +0100
+Subject: wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize()
+
+From: Marcel Hamer <marcel.hamer@windriver.com>
+
+commit 68abd0c4ebf24cd499841a488b97a6873d5efabb upstream.
+
+On removal of the device or unloading of the kernel module a potential NULL
+pointer dereference occurs.
+
+The following sequence deletes the interface:
+
+ brcmf_detach()
+ brcmf_remove_interface()
+ brcmf_del_if()
+
+Inside the brcmf_del_if() function the drvr->if2bss[ifidx] is updated to
+BRCMF_BSSIDX_INVALID (-1) if the bsscfgidx matches.
+
+After brcmf_remove_interface() call the brcmf_proto_detach() function is
+called providing the following sequence:
+
+ brcmf_detach()
+ brcmf_proto_detach()
+ brcmf_proto_msgbuf_detach()
+ brcmf_flowring_detach()
+ brcmf_msgbuf_delete_flowring()
+ brcmf_msgbuf_remove_flowring()
+ brcmf_flowring_delete()
+ brcmf_get_ifp()
+ brcmf_txfinalize()
+
+Since brcmf_get_ip() can and actually will return NULL in this case the
+call to brcmf_txfinalize() will result in a NULL pointer dereference inside
+brcmf_txfinalize() when trying to update ifp->ndev->stats.tx_errors.
+
+This will only happen if a flowring still has an skb.
+
+Although the NULL pointer dereference has only been seen when trying to
+update the tx statistic, all other uses of the ifp pointer have been
+guarded as well with an early return if ifp is NULL.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Marcel Hamer <marcel.hamer@windriver.com>
+Link: https://lore.kernel.org/all/b519e746-ddfd-421f-d897-7620d229e4b2@gmail.com/
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://patch.msgid.link/20250116132240.731039-1-marcel.hamer@windriver.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -540,6 +540,11 @@ void brcmf_txfinalize(struct brcmf_if *i
+ struct ethhdr *eh;
+ u16 type;
+
++ if (!ifp) {
++ brcmu_pkt_buf_free_skb(txp);
++ return;
++ }
++
+ eh = (struct ethhdr *)(txp->data);
+ type = ntohs(eh->h_proto);
+
--- /dev/null
+From 57af267d2b8f5d88485c6372761386d79c5e6a1a Mon Sep 17 00:00:00 2001
+From: Shayne Chen <shayne.chen@mediatek.com>
+Date: Thu, 10 Oct 2024 10:38:16 +0200
+Subject: wifi: mt76: mt7915: add module param to select 5 GHz or 6 GHz on MT7916
+
+From: Shayne Chen <shayne.chen@mediatek.com>
+
+commit 57af267d2b8f5d88485c6372761386d79c5e6a1a upstream.
+
+Due to a limitation in available memory, the MT7916 firmware can only
+handle either 5 GHz or 6 GHz at a time. It does not support runtime
+switching without a full restart.
+
+On older firmware, this accidentally worked to some degree due to missing
+checks, but couldn't be supported properly, because it left the 6 GHz
+channels uncalibrated.
+Newer firmware refuses to start on either band if the passed EEPROM
+data indicates support for both.
+
+Deal with this limitation by using a module parameter to specify the
+preferred band in case both are supported.
+
+Fixes: b4d093e321bd ("mt76: mt7915: add 6 GHz support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
+Link: https://patch.msgid.link/20241010083816.51880-1-nbd@nbd.name
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7915/eeprom.c | 21 +++++++++++++++++++--
+ drivers/net/wireless/mediatek/mt76/mt7915/init.c | 4 ++--
+ 2 files changed, 21 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7915/eeprom.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7915/eeprom.c
+@@ -2,9 +2,14 @@
+ /* Copyright (C) 2020 MediaTek Inc. */
+
+ #include <linux/firmware.h>
++#include <linux/moduleparam.h>
+ #include "mt7915.h"
+ #include "eeprom.h"
+
++static bool enable_6ghz;
++module_param(enable_6ghz, bool, 0644);
++MODULE_PARM_DESC(enable_6ghz, "Enable 6 GHz instead of 5 GHz on hardware that supports both");
++
+ static int mt7915_eeprom_load_precal(struct mt7915_dev *dev)
+ {
+ struct mt76_dev *mdev = &dev->mt76;
+@@ -159,8 +164,20 @@ static void mt7915_eeprom_parse_band_con
+ phy->mt76->cap.has_6ghz = true;
+ return;
+ case MT_EE_V2_BAND_SEL_5GHZ_6GHZ:
+- phy->mt76->cap.has_5ghz = true;
+- phy->mt76->cap.has_6ghz = true;
++ if (enable_6ghz) {
++ phy->mt76->cap.has_6ghz = true;
++ u8p_replace_bits(&eeprom[MT_EE_WIFI_CONF + band],
++ MT_EE_V2_BAND_SEL_6GHZ,
++ MT_EE_WIFI_CONF0_BAND_SEL);
++ } else {
++ phy->mt76->cap.has_5ghz = true;
++ u8p_replace_bits(&eeprom[MT_EE_WIFI_CONF + band],
++ MT_EE_V2_BAND_SEL_5GHZ,
++ MT_EE_WIFI_CONF0_BAND_SEL);
++ }
++ /* force to buffer mode */
++ dev->flash_mode = true;
++
+ return;
+ default:
+ phy->mt76->cap.has_2ghz = true;
+--- a/drivers/net/wireless/mediatek/mt76/mt7915/init.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7915/init.c
+@@ -1220,14 +1220,14 @@ int mt7915_register_device(struct mt7915
+ if (ret)
+ goto unreg_dev;
+
+- ieee80211_queue_work(mt76_hw(dev), &dev->init_work);
+-
+ if (phy2) {
+ ret = mt7915_register_ext_phy(dev, phy2);
+ if (ret)
+ goto unreg_thermal;
+ }
+
++ ieee80211_queue_work(mt76_hw(dev), &dev->init_work);
++
+ dev->recovery.hw_init_done = true;
+
+ ret = mt7915_init_debugfs(&dev->phy);
--- /dev/null
+From 47d9a8ba1d7f31c674b6936b3c34ee934aa9b420 Mon Sep 17 00:00:00 2001
+From: Nick Morrow <usbwifi2024@gmail.com>
+Date: Thu, 19 Dec 2024 08:12:14 -0600
+Subject: wifi: mt76: mt7921u: Add VID/PID for TP-Link TXE50UH
+
+From: Nick Morrow <usbwifi2024@gmail.com>
+
+commit 47d9a8ba1d7f31c674b6936b3c34ee934aa9b420 upstream.
+
+Add VID/PID 35bc/0107 for recently released TP-Link TXE50UH USB WiFi adapter.
+
+Tested-by: Shang Chieh Tseng <shangchieh.tseng@tsengsy.com>
+Signed-off-by: Nick Morrow <usbwifi2024@gmail.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/e797f105-9ca8-41e9-96de-7d25dec09943@gmail.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7921/usb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/usb.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/usb.c
+@@ -21,6 +21,9 @@ static const struct usb_device_id mt7921
+ /* Netgear, Inc. [A8000,AXE3000] */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x0846, 0x9060, 0xff, 0xff, 0xff),
+ .driver_info = (kernel_ulong_t)MT7921_FIRMWARE_WM },
++ /* TP-Link TXE50UH */
++ { USB_DEVICE_AND_INTERFACE_INFO(0x35bc, 0x0107, 0xff, 0xff, 0xff),
++ .driver_info = (kernel_ulong_t)MT7921_FIRMWARE_WM },
+ { },
+ };
+
--- /dev/null
+From 66ef0289ac99e155d206ddaa0fdfad09ae3cd007 Mon Sep 17 00:00:00 2001
+From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+Date: Wed, 18 Dec 2024 00:53:11 +0200
+Subject: wifi: rtlwifi: rtl8821ae: Fix media status report
+
+From: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+
+commit 66ef0289ac99e155d206ddaa0fdfad09ae3cd007 upstream.
+
+RTL8821AE is stuck transmitting at the lowest rate allowed by the rate
+mask. This is because the firmware doesn't know the device is connected
+to a network.
+
+Fix the macros SET_H2CCMD_MSRRPT_PARM_OPMODE and
+SET_H2CCMD_MSRRPT_PARM_MACID_IND to work on the first byte of __cmd,
+not the second. Now the firmware is correctly notified when the device
+is connected to a network and it activates the rate control.
+
+Before (MCS3):
+
+[ 5] 0.00-1.00 sec 12.5 MBytes 105 Mbits/sec 0 339 KBytes
+[ 5] 1.00-2.00 sec 10.6 MBytes 89.1 Mbits/sec 0 339 KBytes
+[ 5] 2.00-3.00 sec 10.6 MBytes 89.1 Mbits/sec 0 386 KBytes
+[ 5] 3.00-4.00 sec 10.6 MBytes 89.1 Mbits/sec 0 386 KBytes
+[ 5] 4.00-5.00 sec 10.2 MBytes 86.0 Mbits/sec 0 427 KBytes
+
+After (MCS9):
+
+[ 5] 0.00-1.00 sec 33.9 MBytes 284 Mbits/sec 0 771 KBytes
+[ 5] 1.00-2.00 sec 31.6 MBytes 265 Mbits/sec 0 865 KBytes
+[ 5] 2.00-3.00 sec 29.9 MBytes 251 Mbits/sec 0 963 KBytes
+[ 5] 3.00-4.00 sec 28.2 MBytes 237 Mbits/sec 0 963 KBytes
+[ 5] 4.00-5.00 sec 26.8 MBytes 224 Mbits/sec 0 963 KBytes
+
+Fixes: 39f40710d0b5 ("rtlwifi: rtl88821ae: Remove usage of private bit manipulation macros")
+Cc: stable@vger.kernel.org
+Signed-off-by: Bitterblue Smith <rtl8821cerfe2@gmail.com>
+Acked-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/754785b3-8a78-4554-b80d-de5f603b410b@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8821ae/fw.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/fw.h
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/fw.h
+@@ -197,9 +197,9 @@ enum rtl8821a_h2c_cmd {
+
+ /* _MEDIA_STATUS_RPT_PARM_CMD1 */
+ #define SET_H2CCMD_MSRRPT_PARM_OPMODE(__cmd, __value) \
+- u8p_replace_bits(__cmd + 1, __value, BIT(0))
++ u8p_replace_bits(__cmd, __value, BIT(0))
+ #define SET_H2CCMD_MSRRPT_PARM_MACID_IND(__cmd, __value) \
+- u8p_replace_bits(__cmd + 1, __value, BIT(1))
++ u8p_replace_bits(__cmd, __value, BIT(1))
+
+ /* AP_OFFLOAD */
+ #define SET_H2CCMD_AP_OFFLOAD_ON(__cmd, __value) \
--- /dev/null
+From fb2fcfbe5eef9ae26b0425978435ae1308951e51 Mon Sep 17 00:00:00 2001
+From: Fiona Klute <fiona.klute@gmx.de>
+Date: Mon, 6 Jan 2025 15:54:34 +0200
+Subject: wifi: rtw88: sdio: Fix disconnection after beacon loss
+
+From: Fiona Klute <fiona.klute@gmx.de>
+
+commit fb2fcfbe5eef9ae26b0425978435ae1308951e51 upstream.
+
+This is the equivalent of commit 28818b4d871b ("wifi: rtw88: usb: Fix
+disconnection after beacon loss") for SDIO chips.
+Tested on Pinephone (RTL8723CS), random disconnections became rare,
+instead of a frequent nuisance.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
+Tested-by: Vasily Khoruzhick <anarsoul@gmail.com> # Tested on Pinebook
+Acked-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20250106135434.35936-1-fiona.klute@gmx.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/realtek/rtw88/sdio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/realtek/rtw88/sdio.c
++++ b/drivers/net/wireless/realtek/rtw88/sdio.c
+@@ -1191,6 +1191,8 @@ static void rtw_sdio_indicate_tx_status(
+ struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
+ struct ieee80211_hw *hw = rtwdev->hw;
+
++ skb_pull(skb, rtwdev->chip->tx_pkt_desc_sz);
++
+ /* enqueue to wait for tx report */
+ if (info->flags & IEEE80211_TX_CTL_REQ_TX_STATUS) {
+ rtw_tx_report_enqueue(rtwdev, skb, tx_data->sn);
projects / thirdparty / kernel / stable-queue.git / commitdiff
