--- /dev/null
+From stable+bounces-172507-greg=kroah.com@vger.kernel.org Fri Aug 22 21:35:10 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 15:35:01 -0400
+Subject: asm-generic: Add memory barrier dma_mb()
+To: stable@vger.kernel.org
+Cc: Kefeng Wang <wangkefeng.wang@huawei.com>, Arnd Bergmann <arnd@arndb.de>, Marco Elver <elver@google.com>, Will Deacon <will@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250822193502.1445377-2-sashal@kernel.org>
+
+From: Kefeng Wang <wangkefeng.wang@huawei.com>
+
+[ Upstream commit ed59dfd9509d172e4920994ed9cbebf93b0050cc ]
+
+The memory barrier dma_mb() is introduced by commit a76a37777f2c
+("iommu/arm-smmu-v3: Ensure queue is read after updating prod pointer"),
+which is used to ensure that prior (both reads and writes) accesses
+to memory by a CPU are ordered w.r.t. a subsequent MMIO write.
+
+Reviewed-by: Arnd Bergmann <arnd@arndb.de> # for asm-generic
+Signed-off-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Reviewed-by: Marco Elver <elver@google.com>
+Link: https://lore.kernel.org/r/20220523113126.171714-2-wangkefeng.wang@huawei.com
+Signed-off-by: Will Deacon <will@kernel.org>
+Stable-dep-of: aa6956150f82 ("wifi: ath11k: fix dest ring-buffer corruption when ring is full")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/memory-barriers.txt | 11 ++++++-----
+ include/asm-generic/barrier.h | 8 ++++++++
+ 2 files changed, 14 insertions(+), 5 deletions(-)
+
+--- a/Documentation/memory-barriers.txt
++++ b/Documentation/memory-barriers.txt
+@@ -1894,6 +1894,7 @@ There are some more advanced barrier fun
+
+ (*) dma_wmb();
+ (*) dma_rmb();
++ (*) dma_mb();
+
+ These are for use with consistent memory to guarantee the ordering
+ of writes or reads of shared memory accessible to both the CPU and a
+@@ -1925,11 +1926,11 @@ There are some more advanced barrier fun
+ The dma_rmb() allows us guarantee the device has released ownership
+ before we read the data from the descriptor, and the dma_wmb() allows
+ us to guarantee the data is written to the descriptor before the device
+- can see it now has ownership. Note that, when using writel(), a prior
+- wmb() is not needed to guarantee that the cache coherent memory writes
+- have completed before writing to the MMIO region. The cheaper
+- writel_relaxed() does not provide this guarantee and must not be used
+- here.
++ can see it now has ownership. The dma_mb() implies both a dma_rmb() and
++ a dma_wmb(). Note that, when using writel(), a prior wmb() is not needed
++ to guarantee that the cache coherent memory writes have completed before
++ writing to the MMIO region. The cheaper writel_relaxed() does not provide
++ this guarantee and must not be used here.
+
+ See the subsection "Kernel I/O barrier effects" for more information on
+ relaxed I/O accessors and the Documentation/core-api/dma-api.rst file for
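Review bot: the sentence added to this paragraph says only that dma_mb() implies both a dma_rmb() and a dma_wmb(), while the commit message describes it as ordering prior reads and writes against a subsequent MMIO write. The descriptor example in this section never uses dma_mb(), so a reader gets no indication of when to pick it over the two narrower barriers. A sentence stating the intended case would close that gap.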
+--- a/include/asm-generic/barrier.h
++++ b/include/asm-generic/barrier.h
+@@ -37,6 +37,10 @@
+ #define wmb() do { kcsan_wmb(); __wmb(); } while (0)
+ #endif
+
++#ifdef __dma_mb
++#define dma_mb() do { kcsan_mb(); __dma_mb(); } while (0)
++#endif
++
+ #ifdef __dma_rmb
+ #define dma_rmb() do { kcsan_rmb(); __dma_rmb(); } while (0)
+ #endif
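Review bot: the leading context of this hunk, `#define wmb() do { kcsan_wmb(); __wmb(); } while (0)`, is only present once "locking/barriers, kcsan: Support generic instrumentation" has been applied, so this patch has to sit after that one in the series or it will not apply. Please make sure the queue order reflects that dependency.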
+@@ -64,6 +68,10 @@
+ #define wmb() mb()
+ #endif
+
++#ifndef dma_mb
++#define dma_mb() mb()
++#endif
++
+ #ifndef dma_rmb
+ #define dma_rmb() rmb()
+ #endif
--- /dev/null
+From stable+bounces-172676-greg=kroah.com@vger.kernel.org Sun Aug 24 03:01:54 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Aug 2025 21:01:40 -0400
+Subject: drm/amd/display: Don't overclock DCE 6 by 15%
+To: stable@vger.kernel.org
+Cc: "Timur Kristóf" <timur.kristof@gmail.com>, "Alex Deucher" <alexander.deucher@amd.com>, "Rodrigo Siqueira" <siqueira@igalia.com>, "Alex Hung" <alex.hung@amd.com>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250824010140.2569605-1-sashal@kernel.org>
+
+From: Timur Kristóf <timur.kristof@gmail.com>
+
+[ Upstream commit cb7b7ae53b557d168b4af5cd8549f3eff920bfb5 ]
+
+The extra 15% clock was added as a workaround for a Polaris issue
+which uses DCE 11, and should not have been used on DCE 6 which
+is already hardcoded to the highest possible display clock.
+Unfortunately, the extra 15% was mistakenly copied and kept
+even on code paths which don't affect Polaris.
+
+This commit fixes that and also adds a check to make sure
+not to exceed the maximum DCE 6 display clock.
+
+Fixes: 8cd61c313d8b ("drm/amd/display: Raise dispclk value for Polaris")
+Fixes: dc88b4a684d2 ("drm/amd/display: make clk mgr soc specific")
+Fixes: 3ecb3b794e2c ("drm/amd/display: dc/clk_mgr: add support for SI parts (v2)")
+Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Reviewed-by: Rodrigo Siqueira <siqueira@igalia.com>
+Reviewed-by: Alex Hung <alex.hung@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 427980c1cbd22bb256b9385f5ce73c0937562408)
+Cc: stable@vger.kernel.org
+[ `MIN` => `min` ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c
++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c
+@@ -112,11 +112,9 @@ static void dce60_update_clocks(struct c
+ {
+ struct clk_mgr_internal *clk_mgr_dce = TO_CLK_MGR_INTERNAL(clk_mgr_base);
+ struct dm_pp_power_level_change_request level_change_req;
+- int patched_disp_clk = context->bw_ctx.bw.dce.dispclk_khz;
+-
+- /*TODO: W/A for dal3 linux, investigate why this works */
+- if (!clk_mgr_dce->dfs_bypass_active)
+- patched_disp_clk = patched_disp_clk * 115 / 100;
++ const int max_disp_clk =
++ clk_mgr_dce->max_clks_by_state[DM_PP_CLOCKS_STATE_PERFORMANCE].display_clk_khz;
++ int patched_disp_clk = min(max_disp_clk, context->bw_ctx.bw.dce.dispclk_khz);
+
+ level_change_req.power_level = dce_get_required_clocks_state(clk_mgr_base, context);
+ /* get max clock state from PPLIB */
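Review bot: patched_disp_clk is now clamped with min() against max_clks_by_state[DM_PP_CLOCKS_STATE_PERFORMANCE].display_clk_khz, and nothing in this hunk guards against that table entry being 0, in which case every request is clamped to 0 kHz. If the entry can be unpopulated when dce60_update_clocks() runs, apply the clamp only when max_disp_clk is nonzero. The local name patched_disp_clk also no longer fits now that the 15% adjustment is gone.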
--- /dev/null
+From stable+bounces-172599-greg=kroah.com@vger.kernel.org Sat Aug 23 15:55:26 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Aug 2025 09:55:20 -0400
+Subject: drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS
+To: stable@vger.kernel.org
+Cc: "Imre Deak" <imre.deak@intel.com>, "Ville Syrjälä" <ville.syrjala@linux.intel.com>, "Jani Nikula" <jani.nikula@linux.intel.com>, "Jani Nikula" <jani.nikula@intel.com>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250823135520.2154797-1-sashal@kernel.org>
+
+From: Imre Deak <imre.deak@intel.com>
+
+[ Upstream commit a40c5d727b8111b5db424a1e43e14a1dcce1e77f ]
+
+Reading DPCD registers has side-effects in general. In particular
+accessing registers outside of the link training register range
+(0x102-0x106, 0x202-0x207, 0x200c-0x200f, 0x2216) is explicitly
+forbidden by the DP v2.1 Standard, see
+
+3.6.5.1 DPTX AUX Transaction Handling Mandates
+3.6.7.4 128b/132b DP Link Layer LTTPR Link Training Mandates
+
+Based on my tests, accessing the DPCD_REV register during the link
+training of an UHBR TBT DP tunnel sink leads to link training failures.
+
+Solve the above by using the DP_LANE0_1_STATUS (0x202) register for the
+DPCD register access quirk.
+
+Cc: <stable@vger.kernel.org>
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Cc: Jani Nikula <jani.nikula@linux.intel.com>
+Acked-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Link: https://lore.kernel.org/r/20250605082850.65136-2-imre.deak@intel.com
+[ call to drm_dp_dpcd_access() instead of drm_dp_dpcd_probe() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_dp_helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_dp_helper.c
++++ b/drivers/gpu/drm/drm_dp_helper.c
+@@ -336,7 +336,7 @@ ssize_t drm_dp_dpcd_read(struct drm_dp_a
+ * monitor doesn't power down exactly after the throw away read.
+ */
+ if (!aux->is_remote) {
+- ret = drm_dp_dpcd_access(aux, DP_AUX_NATIVE_READ, DP_DPCD_REV,
++ ret = drm_dp_dpcd_access(aux, DP_AUX_NATIVE_READ, DP_LANE0_1_STATUS,
+ buffer, 1);
+ if (ret != 1)
+ goto out;
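Review bot: the comment above the throw-away read is left unchanged and gives no reason for probing DP_LANE0_1_STATUS, which is an unusual address for a read whose result is discarded. Add a line to that comment saying the address was chosen because it lies inside the link training register range, so a later cleanup does not switch it back to DP_DPCD_REV.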
--- /dev/null
+From stable+bounces-172551-greg=kroah.com@vger.kernel.org Sat Aug 23 05:59:07 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 23:58:56 -0400
+Subject: f2fs: fix to avoid out-of-boundary access in dnode page
+To: stable@vger.kernel.org
+Cc: Chao Yu <chao@kernel.org>, stable@kernel.org, Jiaming Zhang <r772577952@gmail.com>, Jaegeuk Kim <jaegeuk@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823035856.1823032-1-sashal@kernel.org>
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 77de19b6867f2740cdcb6c9c7e50d522b47847a4 ]
+
+As Jiaming Zhang reported:
+
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x1c1/0x2a0 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0x17e/0x800 mm/kasan/report.c:480
+ kasan_report+0x147/0x180 mm/kasan/report.c:593
+ data_blkaddr fs/f2fs/f2fs.h:3053 [inline]
+ f2fs_data_blkaddr fs/f2fs/f2fs.h:3058 [inline]
+ f2fs_get_dnode_of_data+0x1a09/0x1c40 fs/f2fs/node.c:855
+ f2fs_reserve_block+0x53/0x310 fs/f2fs/data.c:1195
+ prepare_write_begin fs/f2fs/data.c:3395 [inline]
+ f2fs_write_begin+0xf39/0x2190 fs/f2fs/data.c:3594
+ generic_perform_write+0x2c7/0x910 mm/filemap.c:4112
+ f2fs_buffered_write_iter fs/f2fs/file.c:4988 [inline]
+ f2fs_file_write_iter+0x1ec8/0x2410 fs/f2fs/file.c:5216
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0x546/0xa90 fs/read_write.c:686
+ ksys_write+0x149/0x250 fs/read_write.c:738
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xf3/0x3d0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+The root cause is in the corrupted image, there is a dnode has the same
+node id w/ its inode, so during f2fs_get_dnode_of_data(), it tries to
+access block address in dnode at offset 934, however it parses the dnode
+as inode node, so that get_dnode_addr() returns 360, then it tries to
+access page address from 360 + 934 * 4 = 4096 w/ 4 bytes.
+
+To fix this issue, let's add sanity check for node id of all direct nodes
+during f2fs_get_dnode_of_data().
+
+Cc: stable@kernel.org
+Reported-by: Jiaming Zhang <r772577952@gmail.com>
+Closes: https://groups.google.com/g/syzkaller/c/-ZnaaOOfO3M
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+[ replaced f2fs_err_ratelimited() with f2fs_err() ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/node.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/fs/f2fs/node.c
++++ b/fs/f2fs/node.c
+@@ -798,6 +798,16 @@ int f2fs_get_dnode_of_data(struct dnode_
+ for (i = 1; i <= level; i++) {
+ bool done = false;
+
++ if (nids[i] && nids[i] == dn->inode->i_ino) {
++ err = -EFSCORRUPTED;
++ f2fs_err(sbi,
++ "inode mapping table is corrupted, run fsck to fix it, "
++ "ino:%lu, nid:%u, level:%d, offset:%d",
++ dn->inode->i_ino, nids[i], level, offset[level]);
++ set_sbi_flag(sbi, SBI_NEED_FSCK);
++ goto release_pages;
++ }
++
+ if (!nids[i] && mode == ALLOC_NODE) {
+ /* alloc new node */
+ if (!f2fs_alloc_nid(sbi, &(nids[i]))) {
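Review bot: the new corruption check logs with plain f2fs_err() inside the per-level loop of f2fs_get_dnode_of_data(), so every lookup that reaches the bad nid on a corrupted image emits another line, and the backport note says the upstream f2fs_err_ratelimited() was replaced. Consider limiting the message rate with whatever this tree offers. Minor: the format string is split across two source lines, which makes the message harder to grep for.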
--- /dev/null
+From stable+bounces-172483-greg=kroah.com@vger.kernel.org Fri Aug 22 19:46:17 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 13:46:08 -0400
+Subject: iio: adc: ad_sigma_delta: change to buffer predisable
+To: stable@vger.kernel.org
+Cc: "David Lechner" <dlechner@baylibre.com>, "Nuno Sá" <nuno.sa@analog.com>, "Jonathan Cameron" <Jonathan.Cameron@huawei.com>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250822174608.1341735-1-sashal@kernel.org>
+
+From: David Lechner <dlechner@baylibre.com>
+
+[ Upstream commit 66d4374d97f85516b5a22418c5e798aed2606dec ]
+
+Change the buffer disable callback from postdisable to predisable.
+This balances the existing posteanble callback. Using postdisable
+with posteanble can be problematic, for example, if update_scan_mode
+fails, it would call postdisable without ever having called posteanble,
+so the drivers using this would be in an unexpected state when
+postdisable was called.
+
+Fixes: af3008485ea0 ("iio:adc: Add common code for ADI Sigma Delta devices")
+Signed-off-by: David Lechner <dlechner@baylibre.com>
+Reviewed-by: Nuno Sá <nuno.sa@analog.com>
+Link: https://patch.msgid.link/20250703-iio-adc-ad_sigma_delta-buffer-predisable-v1-1-f2ab85138f1f@baylibre.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ad_sigma_delta.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/adc/ad_sigma_delta.c
++++ b/drivers/iio/adc/ad_sigma_delta.c
+@@ -371,7 +371,7 @@ err_unlock:
+ return ret;
+ }
+
+-static int ad_sd_buffer_postdisable(struct iio_dev *indio_dev)
++static int ad_sd_buffer_predisable(struct iio_dev *indio_dev)
+ {
+ struct ad_sigma_delta *sigma_delta = iio_device_get_drvdata(indio_dev);
+
+@@ -432,7 +432,7 @@ static irqreturn_t ad_sd_trigger_handler
+
+ static const struct iio_buffer_setup_ops ad_sd_buffer_setup_ops = {
+ .postenable = &ad_sd_buffer_postenable,
+- .postdisable = &ad_sd_buffer_postdisable,
++ .predisable = &ad_sd_buffer_predisable,
+ .validate_scan_mask = &iio_validate_scan_mask_onehot,
+ };
+
--- /dev/null
+From stable+bounces-172508-greg=kroah.com@vger.kernel.org Fri Aug 22 21:35:12 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 15:35:00 -0400
+Subject: locking/barriers, kcsan: Support generic instrumentation
+To: stable@vger.kernel.org
+Cc: Marco Elver <elver@google.com>, "Paul E. McKenney" <paulmck@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250822193502.1445377-1-sashal@kernel.org>
+
+From: Marco Elver <elver@google.com>
+
+[ Upstream commit 2505a51ac6f249956735e0a369e2404f96eebef0 ]
+
+Thus far only smp_*() barriers had been defined by asm-generic/barrier.h
+based on __smp_*() barriers, because the !SMP case is usually generic.
+
+With the introduction of instrumentation, it also makes sense to have
+asm-generic/barrier.h assist in the definition of instrumented versions
+of mb(), rmb(), wmb(), dma_rmb(), and dma_wmb().
+
+Because there is no requirement to distinguish the !SMP case, the
+definition can be simpler: we can avoid also providing fallbacks for the
+__ prefixed cases, and only check if `defined(__<barrier>)`, to finally
+define the KCSAN-instrumented versions.
+
+This also allows for the compiler to complain if an architecture
+accidentally defines both the normal and __ prefixed variant.
+
+Signed-off-by: Marco Elver <elver@google.com>
+Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
+Stable-dep-of: aa6956150f82 ("wifi: ath11k: fix dest ring-buffer corruption when ring is full")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/asm-generic/barrier.h | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+--- a/include/asm-generic/barrier.h
++++ b/include/asm-generic/barrier.h
+@@ -21,6 +21,31 @@
+ #endif
+
+ /*
++ * Architectures that want generic instrumentation can define __ prefixed
++ * variants of all barriers.
++ */
++
++#ifdef __mb
++#define mb() do { kcsan_mb(); __mb(); } while (0)
++#endif
++
++#ifdef __rmb
++#define rmb() do { kcsan_rmb(); __rmb(); } while (0)
++#endif
++
++#ifdef __wmb
++#define wmb() do { kcsan_wmb(); __wmb(); } while (0)
++#endif
++
++#ifdef __dma_rmb
++#define dma_rmb() do { kcsan_rmb(); __dma_rmb(); } while (0)
++#endif
++
++#ifdef __dma_wmb
++#define dma_wmb() do { kcsan_wmb(); __dma_wmb(); } while (0)
++#endif
++
++/*
+ * Force strict CPU ordering. And yes, this is required on UP too when we're
+ * talking to devices.
+ *
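Review bot: the five new macros call kcsan_mb(), kcsan_rmb() and kcsan_wmb(), but nothing in this hunk includes a header or adds a definition for them. Each macro is only defined when an architecture provides the matching __ prefixed barrier, so a missing helper would stay hidden until one does. Please confirm the target tree already provides these helpers, or queue the prerequisite with this patch.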
--- /dev/null
+From stable+bounces-172546-greg=kroah.com@vger.kernel.org Sat Aug 23 05:36:04 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 23:35:53 -0400
+Subject: media: camss: Convert to platform remove callback returning void
+To: stable@vger.kernel.org
+Cc: "Uwe Kleine-König" <u.kleine-koenig@pengutronix.de>, "Hans Verkuil" <hverkuil-cisco@xs4all.nl>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250823033554.1801998-1-sashal@kernel.org>
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 428bbf4be4018aefa26e4d6531779fa8925ecaaf ]
+
+The .remove() callback for a platform driver returns an int which makes
+many driver authors wrongly assume it's possible to do error handling by
+returning an error code. However the value returned is (mostly) ignored
+and this typically results in resource leaks. To improve here there is a
+quest to make the remove callback return void. In the first step of this
+quest all drivers are converted to .remove_new() which already returns
+void.
+
+Trivially convert this driver from always returning zero in the remove
+callback to the void returning variant.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Stable-dep-of: 69080ec3d0da ("media: qcom: camss: cleanup media device allocated resource on error path")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/camss/camss.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/media/platform/qcom/camss/camss.c
++++ b/drivers/media/platform/qcom/camss/camss.c
+@@ -1477,7 +1477,7 @@ void camss_delete(struct camss *camss)
+ *
+ * Always returns 0.
+ */
+-static int camss_remove(struct platform_device *pdev)
++static void camss_remove(struct platform_device *pdev)
+ {
+ struct camss *camss = platform_get_drvdata(pdev);
+
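Review bot: the kernel-doc line ` * Always returns 0.` in the context just above the signature is now stale, since camss_remove() returns void after this change. Drop that line as part of the conversion.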
+@@ -1487,8 +1487,6 @@ static int camss_remove(struct platform_
+
+ if (atomic_read(&camss->ref_count) == 0)
+ camss_delete(camss);
+-
+- return 0;
+ }
+
+ static const struct of_device_id camss_dt_match[] = {
+@@ -1519,7 +1517,7 @@ static const struct dev_pm_ops camss_pm_
+
+ static struct platform_driver qcom_camss_driver = {
+ .probe = camss_probe,
+- .remove = camss_remove,
++ .remove_new = camss_remove,
+ .driver = {
+ .name = "qcom-camss",
+ .of_match_table = camss_dt_match,
--- /dev/null
+From stable+bounces-172547-greg=kroah.com@vger.kernel.org Sat Aug 23 05:36:05 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 23:35:54 -0400
+Subject: media: qcom: camss: cleanup media device allocated resource on error path
+To: stable@vger.kernel.org
+Cc: Sasha Levin <sashal@kernel.org>, Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>, Bryan O'Donoghue <bryan.odonoghue@linaro.org>, Bryan O'Donoghue <bod@kernel.org>, Hans Verkuil <hverkuil@xs4all.nl>
+Message-ID: <20250823033554.1801998-2-sashal@kernel.org>
+
+From: Sasha Levin <sashal@kernel.org>
+
+[ Upstream commit 69080ec3d0daba8a894025476c98ab16b5a505a4 ]
+
+A call to media_device_init() requires media_device_cleanup() counterpart
+to complete cleanup and release any allocated resources.
+
+This has been done in the driver .remove() right from the beginning, but
+error paths on .probe() shall also be fixed.
+
+Fixes: a1d7c116fcf7 ("media: camms: Add core files")
+Cc: stable@vger.kernel.org
+Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+[ adapted error label from err_genpd_cleanup to err_cleanup ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/camss/camss.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/platform/qcom/camss/camss.c
++++ b/drivers/media/platform/qcom/camss/camss.c
+@@ -1396,7 +1396,7 @@ static int camss_probe(struct platform_d
+ ret = v4l2_device_register(camss->dev, &camss->v4l2_dev);
+ if (ret < 0) {
+ dev_err(dev, "Failed to register V4L2 device: %d\n", ret);
+- goto err_cleanup;
++ goto err_media_cleanup;
+ }
+
+ ret = camss_register_entities(camss);
+@@ -1438,6 +1438,8 @@ err_register_subdevs:
+ camss_unregister_entities(camss);
+ err_register_entities:
+ v4l2_device_unregister(&camss->v4l2_dev);
++err_media_cleanup:
++ media_device_cleanup(&camss->media_dev);
+ err_cleanup:
+ v4l2_async_notifier_cleanup(&camss->notifier);
+ err_free:
--- /dev/null
+From stable+bounces-172543-greg=kroah.com@vger.kernel.org Sat Aug 23 04:50:44 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 22:50:34 -0400
+Subject: media: venus: Add support for SSR trigger using fault injection
+To: stable@vger.kernel.org
+Cc: Dikshita Agarwal <quic_dikshita@quicinc.com>, Stanimir Varbanov <stanimir.varbanov@linaro.org>, Stephen Boyd <swboyd@chromium.org>, Mauro Carvalho Chehab <mchehab@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823025035.1695132-1-sashal@kernel.org>
+
+From: Dikshita Agarwal <quic_dikshita@quicinc.com>
+
+[ Upstream commit 748b080f21678f2988b0da2d2b396a6f928d9b2c ]
+
+Here we introduce a new fault injection for SSR trigger.
+
+To trigger the SSR:
+ echo 100 > /sys/kernel/debug/venus/fail_ssr/probability
+ echo 1 > /sys/kernel/debug/venus/fail_ssr/times
+
+Co-developed-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
+Signed-off-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
+Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
+Reviewed-by: Stephen Boyd <swboyd@chromium.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Stable-dep-of: 3200144a2fa4 ("media: venus: protect against spurious interrupts during probe")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/core.c | 15 ++++++++++++++-
+ drivers/media/platform/qcom/venus/dbgfs.c | 9 +++++++++
+ drivers/media/platform/qcom/venus/dbgfs.h | 13 +++++++++++++
+ 3 files changed, 36 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/platform/qcom/venus/core.c
++++ b/drivers/media/platform/qcom/venus/core.c
+@@ -263,6 +263,19 @@ static void venus_assign_register_offset
+ }
+ }
+
++static irqreturn_t venus_isr_thread(int irq, void *dev_id)
++{
++ struct venus_core *core = dev_id;
++ irqreturn_t ret;
++
++ ret = hfi_isr_thread(irq, dev_id);
++
++ if (ret == IRQ_HANDLED && venus_fault_inject_ssr())
++ hfi_core_trigger_ssr(core, HFI_TEST_SSR_SW_ERR_FATAL);
++
++ return ret;
++}
++
+ static int venus_probe(struct platform_device *pdev)
+ {
+ struct device *dev = &pdev->dev;
+@@ -319,7 +332,7 @@ static int venus_probe(struct platform_d
+ mutex_init(&core->lock);
+ INIT_DELAYED_WORK(&core->work, venus_sys_error_handler);
+
+- ret = devm_request_threaded_irq(dev, core->irq, hfi_isr, hfi_isr_thread,
++ ret = devm_request_threaded_irq(dev, core->irq, hfi_isr, venus_isr_thread,
+ IRQF_TRIGGER_HIGH | IRQF_ONESHOT,
+ "venus", core);
+ if (ret)
+--- a/drivers/media/platform/qcom/venus/dbgfs.c
++++ b/drivers/media/platform/qcom/venus/dbgfs.c
+@@ -4,13 +4,22 @@
+ */
+
+ #include <linux/debugfs.h>
++#include <linux/fault-inject.h>
+
+ #include "core.h"
+
++#ifdef CONFIG_FAULT_INJECTION
++DECLARE_FAULT_ATTR(venus_ssr_attr);
++#endif
++
+ void venus_dbgfs_init(struct venus_core *core)
+ {
+ core->root = debugfs_create_dir("venus", NULL);
+ debugfs_create_x32("fw_level", 0644, core->root, &venus_fw_debug);
++
++#ifdef CONFIG_FAULT_INJECTION
++ fault_create_debugfs_attr("fail_ssr", core->root, &venus_ssr_attr);
++#endif
+ }
+
+ void venus_dbgfs_deinit(struct venus_core *core)
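Review bot: venus_ssr_attr is declared once at file scope, while fault_create_debugfs_attr("fail_ssr", core->root, &venus_ssr_attr) is called from venus_dbgfs_init() for the core being initialised, so the probability and times settings are shared across every venus_core and are not per device. If that is intended, a short comment next to DECLARE_FAULT_ATTR() would make it explicit; otherwise the attribute belongs in struct venus_core.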
+--- a/drivers/media/platform/qcom/venus/dbgfs.h
++++ b/drivers/media/platform/qcom/venus/dbgfs.h
+@@ -4,8 +4,21 @@
+ #ifndef __VENUS_DBGFS_H__
+ #define __VENUS_DBGFS_H__
+
++#include <linux/fault-inject.h>
++
+ struct venus_core;
+
++#ifdef CONFIG_FAULT_INJECTION
++extern struct fault_attr venus_ssr_attr;
++static inline bool venus_fault_inject_ssr(void)
++{
++ return should_fail(&venus_ssr_attr, 1);
++}
++#else
++static inline bool venus_fault_inject_ssr(void) { return false; }
++#endif
++
++
+ void venus_dbgfs_init(struct venus_core *core);
+ void venus_dbgfs_deinit(struct venus_core *core);
+
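Review bot: style nit at the end of the added block: two consecutive blank lines follow the closing #endif, where one is enough.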
--- /dev/null
+From stable+bounces-172544-greg=kroah.com@vger.kernel.org Sat Aug 23 04:50:47 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 22:50:35 -0400
+Subject: media: venus: protect against spurious interrupts during probe
+To: stable@vger.kernel.org
+Cc: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>, Bryan O'Donoghue <bryan.odonoghue@linaro.org>, Vikash Garodia <quic_vgarodia@quicinc.com>, Dikshita Agarwal <quic_dikshita@quicinc.com>, Bryan O'Donoghue <bod@kernel.org>, Hans Verkuil <hverkuil@xs4all.nl>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823025035.1695132-2-sashal@kernel.org>
+
+From: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>
+
+[ Upstream commit 3200144a2fa4209dc084a19941b9b203b43580f0 ]
+
+Make sure the interrupt handler is initialized before the interrupt is
+registered.
+
+If the IRQ is registered before hfi_create(), it's possible that an
+interrupt fires before the handler setup is complete, leading to a NULL
+dereference.
+
+This error condition has been observed during system boot on Rb3Gen2.
+
+Fixes: af2c3834c8ca ("[media] media: venus: adding core part and helper functions")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jorge Ramirez-Ortiz <jorge.ramirez@oss.qualcomm.com>
+Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Reviewed-by: Vikash Garodia <quic_vgarodia@quicinc.com>
+Reviewed-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
+Tested-by: Dikshita Agarwal <quic_dikshita@quicinc.com> # RB5
+Signed-off-by: Bryan O'Donoghue <bod@kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/media/platform/qcom/venus/core.c
++++ b/drivers/media/platform/qcom/venus/core.c
+@@ -332,13 +332,13 @@ static int venus_probe(struct platform_d
+ mutex_init(&core->lock);
+ INIT_DELAYED_WORK(&core->work, venus_sys_error_handler);
+
+- ret = devm_request_threaded_irq(dev, core->irq, hfi_isr, venus_isr_thread,
+- IRQF_TRIGGER_HIGH | IRQF_ONESHOT,
+- "venus", core);
++ ret = hfi_create(core, &venus_core_ops);
+ if (ret)
+ goto err_core_put;
+
+- ret = hfi_create(core, &venus_core_ops);
++ ret = devm_request_threaded_irq(dev, core->irq, hfi_isr, venus_isr_thread,
++ IRQF_TRIGGER_HIGH | IRQF_ONESHOT,
++ "venus", core);
+ if (ret)
+ goto err_core_put;
+
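Review bot: with hfi_create() now running first, a failure of devm_request_threaded_irq() still jumps to err_core_put, the same label used when hfi_create() itself fails. Check that err_core_put releases what hfi_create() set up; if it does not, this path needs its own label that undoes hfi_create() before falling through.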
--- /dev/null
+From stable+bounces-172617-greg=kroah.com@vger.kernel.org Sat Aug 23 17:22:42 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Aug 2025 11:22:28 -0400
+Subject: mptcp: disable add_addr retransmission when timeout is 0
+To: stable@vger.kernel.org
+Cc: Geliang Tang <tanggeliang@kylinos.cn>, Matthieu Baerts <matttbe@kernel.org>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823152229.2272429-1-sashal@kernel.org>
+
+From: Geliang Tang <tanggeliang@kylinos.cn>
+
+[ Upstream commit f5ce0714623cffd00bf2a83e890d09c609b7f50a ]
+
+When add_addr_timeout was set to 0, this caused the ADD_ADDR to be
+retransmitted immediately, which looks like a buggy behaviour. Instead,
+interpret 0 as "no retransmissions needed".
+
+The documentation is updated to explicitly state that setting the timeout
+to 0 disables retransmission.
+
+Fixes: 93f323b9cccc ("mptcp: add a new sysctl add_addr_timeout")
+Cc: stable@vger.kernel.org
+Suggested-by: Matthieu Baerts <matttbe@kernel.org>
+Signed-off-by: Geliang Tang <tanggeliang@kylinos.cn>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20250815-net-mptcp-misc-fixes-6-17-rc2-v1-5-521fe9957892@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ pm.c => pm_netlink.c , drop mptcp_pm_alloc_anno_list hunk ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/networking/mptcp-sysctl.rst | 2 ++
+ net/mptcp/pm_netlink.c | 13 ++++++++++---
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+
+--- a/Documentation/networking/mptcp-sysctl.rst
++++ b/Documentation/networking/mptcp-sysctl.rst
+@@ -20,6 +20,8 @@ add_addr_timeout - INTEGER (seconds)
+ resent to an MPTCP peer that has not acknowledged a previous
+ ADD_ADDR message.
+
++ Do not retransmit if set to 0.
++
+ The default value matches TCP_RTO_MAX. This is a per-namespace
+ sysctl.
+
+--- a/net/mptcp/pm_netlink.c
++++ b/net/mptcp/pm_netlink.c
+@@ -316,6 +316,7 @@ static void mptcp_pm_add_timer(struct ti
+ struct mptcp_pm_add_entry *entry = from_timer(entry, timer, add_timer);
+ struct mptcp_sock *msk = entry->sock;
+ struct sock *sk = (struct sock *)msk;
++ unsigned int timeout;
+
+ pr_debug("msk=%p\n", msk);
+
+@@ -333,6 +334,10 @@ static void mptcp_pm_add_timer(struct ti
+ goto out;
+ }
+
++ timeout = mptcp_get_add_addr_timeout(sock_net(sk));
++ if (!timeout)
++ goto out;
++
+ spin_lock_bh(&msk->pm.lock);
+
+ if (!mptcp_pm_should_add_signal_addr(msk)) {
+@@ -344,7 +349,7 @@ static void mptcp_pm_add_timer(struct ti
+
+ if (entry->retrans_times < ADD_ADDR_RETRANS_MAX)
+ sk_reset_timer(sk, timer,
+- jiffies + mptcp_get_add_addr_timeout(sock_net(sk)));
++ jiffies + timeout);
+
+ spin_unlock_bh(&msk->pm.lock);
+
+@@ -386,6 +391,7 @@ static bool mptcp_pm_alloc_anno_list(str
+ struct mptcp_pm_add_entry *add_entry = NULL;
+ struct sock *sk = (struct sock *)msk;
+ struct net *net = sock_net(sk);
++ unsigned int timeout;
+
+ lockdep_assert_held(&msk->pm.lock);
+
+@@ -403,8 +409,9 @@ static bool mptcp_pm_alloc_anno_list(str
+ add_entry->retrans_times = 0;
+
+ timer_setup(&add_entry->add_timer, mptcp_pm_add_timer, 0);
+- sk_reset_timer(sk, &add_entry->add_timer,
+- jiffies + mptcp_get_add_addr_timeout(net));
++ timeout = mptcp_get_add_addr_timeout(net);
++ if (timeout)
++ sk_reset_timer(sk, &add_entry->add_timer, jiffies + timeout);
+
+ return true;
+ }
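Review bot: the backport note in the commit message reads "drop mptcp_pm_alloc_anno_list hunk", yet this hunk and the one before it are both inside mptcp_pm_alloc_anno_list() and change how the timer is armed. Please reword the note so it says which upstream hunk was actually dropped. A short comment here would also help: with a timeout of 0 the timer is initialised by timer_setup() but never armed, and a reader should be told that this is the "no retransmission" case and not an oversight.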
--- /dev/null
+From stable+bounces-172495-greg=kroah.com@vger.kernel.org Fri Aug 22 20:50:19 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 14:50:02 -0400
+Subject: pwm: mediatek: Fix duty and period setting
+To: stable@vger.kernel.org
+Cc: "Uwe Kleine-König" <u.kleine-koenig@baylibre.com>, "AngeloGioacchino Del Regno" <angelogioacchino.delregno@collabora.com>, "Uwe Kleine-König" <ukleinek@kernel.org>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250822185002.1400911-3-sashal@kernel.org>
+
+From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+
+[ Upstream commit f21d136caf8171f94159d975ea4620c164431bd9 ]
+
+The period generated by the hardware is
+
+ (PWMDWIDTH + 1) << CLKDIV) / freq
+
+according to my tests with a signal analyser and also the documentation.
+
+The current algorithm doesn't consider the `+ 1` part and so configures
+slightly too high periods. The same issue exists for the duty cycle
+setting. So subtract 1 from both the register values for period and
+duty cycle. If period is 0, bail out, if duty_cycle is 0, just disable
+the PWM which results in a constant low output.
+
+Fixes: caf065f8fd58 ("pwm: Add MediaTek PWM support")
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/6d1fa87a76f8020bfe3171529b8e19baffceab10.1753717973.git.u.kleine-koenig@baylibre.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pwm/pwm-mediatek.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+--- a/drivers/pwm/pwm-mediatek.c
++++ b/drivers/pwm/pwm-mediatek.c
+@@ -163,7 +163,10 @@ static int pwm_mediatek_config(struct pw
+ do_div(resolution, clk_rate);
+
+ cnt_period = DIV_ROUND_CLOSEST_ULL((u64)period_ns * 1000, resolution);
+- while (cnt_period > 8191) {
++ if (!cnt_period)
++ return -EINVAL;
++
++ while (cnt_period > 8192) {
+ resolution *= 2;
+ clkdiv++;
+ cnt_period = DIV_ROUND_CLOSEST_ULL((u64)period_ns * 1000,
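Review bot: The new `if (!cnt_period) return -EINVAL;` in pwm_mediatek_config() returns directly, while the function's normal exit goes through the `out:` label that calls pwm_mediatek_clk_disable(). If the clocks are already enabled at this point, this should be `ret = -EINVAL; goto out;` so the reference is not leaked. Separately, the loop bound changes from 8191 to 8192 with no comment; a named constant or a note tying it to the `cnt_period - 1` register write would make the off-by-one intent clear.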
+@@ -186,9 +189,16 @@ static int pwm_mediatek_config(struct pw
+ }
+
+ cnt_duty = DIV_ROUND_CLOSEST_ULL((u64)duty_ns * 1000, resolution);
++
+ pwm_mediatek_writel(pc, pwm->hwpwm, PWMCON, BIT(15) | clkdiv);
+- pwm_mediatek_writel(pc, pwm->hwpwm, reg_width, cnt_period);
+- pwm_mediatek_writel(pc, pwm->hwpwm, reg_thres, cnt_duty);
++ pwm_mediatek_writel(pc, pwm->hwpwm, reg_width, cnt_period - 1);
++
++ if (cnt_duty) {
++ pwm_mediatek_writel(pc, pwm->hwpwm, reg_thres, cnt_duty - 1);
++ pwm_mediatek_enable(chip, pwm);
++ } else {
++ pwm_mediatek_disable(chip, pwm);
++ }
+
+ out:
+ pwm_mediatek_clk_disable(chip, pwm);
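Review bot: The `else` branch that calls pwm_mediatek_disable() when cnt_duty is 0 carries no comment, so the reason is only in the commit message. Since cnt_duty comes from DIV_ROUND_CLOSEST_ULL(), a small non-zero duty_ns can also round down to 0 and land here. Suggest a short comment that the register cannot express a zero duty (it holds `cnt_duty - 1`) and that disabling gives a constant low output.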
+@@ -217,11 +227,8 @@ static int pwm_mediatek_apply(struct pwm
+ if (err)
+ return err;
+
+- if (!pwm->state.enabled) {
++ if (!pwm->state.enabled)
+ err = pwm_mediatek_clk_enable(chip, pwm);
+- if (!err)
+- pwm_mediatek_enable(chip, pwm);
+- }
+
+ return err;
+ }
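Review bot: In pwm_mediatek_apply() the clock reference is now taken only after pwm_mediatek_config() has returned, but config() sets the enable bit and then drops its own clock at `out:`. For a PWM going from disabled to enabled, that leaves the enable bit set with the clocks off until `pwm_mediatek_clk_enable()` runs here. If the hardware tolerates that window, please say so in a comment; otherwise take the clock reference before calling config(). Also note that a clock failure at this point returns an error with the enable bit already set.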
--- /dev/null
+From stable+bounces-172494-greg=kroah.com@vger.kernel.org Fri Aug 22 20:52:18 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 14:50:01 -0400
+Subject: pwm: mediatek: Handle hardware enable and clock enable separately
+To: stable@vger.kernel.org
+Cc: "Uwe Kleine-König" <u.kleine-koenig@baylibre.com>, "AngeloGioacchino Del Regno" <angelogioacchino.delregno@collabora.com>, "Uwe Kleine-König" <ukleinek@kernel.org>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250822185002.1400911-2-sashal@kernel.org>
+
+From: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+
+[ Upstream commit 704d918341c378c5f9505dfdf32d315e256d3846 ]
+
+Stop handling the clocks in pwm_mediatek_enable() and
+pwm_mediatek_disable(). This is a preparing change for the next commit
+that requires that clocks and the enable bit are handled separately.
+
+Also move these two functions a bit further up in the source file to
+make them usable in pwm_mediatek_config(), which is needed in the next
+commit, too.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/55c94fe2917ece152ee1e998f4675642a7716f13.1753717973.git.u.kleine-koenig@baylibre.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
+Stable-dep-of: f21d136caf81 ("pwm: mediatek: Fix duty and period setting")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pwm/pwm-mediatek.c | 60 +++++++++++++++++++++------------------------
+ 1 file changed, 28 insertions(+), 32 deletions(-)
+
+--- a/drivers/pwm/pwm-mediatek.c
++++ b/drivers/pwm/pwm-mediatek.c
+@@ -114,6 +114,26 @@ static inline void pwm_mediatek_writel(s
+ writel(value, chip->regs + pwm_mediatek_reg_offset[num] + offset);
+ }
+
++static void pwm_mediatek_enable(struct pwm_chip *chip, struct pwm_device *pwm)
++{
++ struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip);
++ u32 value;
++
++ value = readl(pc->regs);
++ value |= BIT(pwm->hwpwm);
++ writel(value, pc->regs);
++}
++
++static void pwm_mediatek_disable(struct pwm_chip *chip, struct pwm_device *pwm)
++{
++ struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip);
++ u32 value;
++
++ value = readl(pc->regs);
++ value &= ~BIT(pwm->hwpwm);
++ writel(value, pc->regs);
++}
++
+ static int pwm_mediatek_config(struct pwm_chip *chip, struct pwm_device *pwm,
+ int duty_ns, int period_ns)
+ {
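Review bot: pwm_mediatek_enable() and pwm_mediatek_disable() do an unlocked read-modify-write of the shared enable register at pc->regs, where each channel owns one bit (`BIT(pwm->hwpwm)`). Now that they are plain helpers intended to be called from pwm_mediatek_config() as well, two channels updated concurrently could lose each other's bit unless a caller-side lock covers them. Please state which lock serializes these accesses, or add one to struct pwm_mediatek_chip.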
+@@ -176,35 +196,6 @@ out:
+ return ret;
+ }
+
+-static int pwm_mediatek_enable(struct pwm_chip *chip, struct pwm_device *pwm)
+-{
+- struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip);
+- u32 value;
+- int ret;
+-
+- ret = pwm_mediatek_clk_enable(chip, pwm);
+- if (ret < 0)
+- return ret;
+-
+- value = readl(pc->regs);
+- value |= BIT(pwm->hwpwm);
+- writel(value, pc->regs);
+-
+- return 0;
+-}
+-
+-static void pwm_mediatek_disable(struct pwm_chip *chip, struct pwm_device *pwm)
+-{
+- struct pwm_mediatek_chip *pc = to_pwm_mediatek_chip(chip);
+- u32 value;
+-
+- value = readl(pc->regs);
+- value &= ~BIT(pwm->hwpwm);
+- writel(value, pc->regs);
+-
+- pwm_mediatek_clk_disable(chip, pwm);
+-}
+-
+ static int pwm_mediatek_apply(struct pwm_chip *chip, struct pwm_device *pwm,
+ const struct pwm_state *state)
+ {
+@@ -214,8 +205,10 @@ static int pwm_mediatek_apply(struct pwm
+ return -EINVAL;
+
+ if (!state->enabled) {
+- if (pwm->state.enabled)
++ if (pwm->state.enabled) {
+ pwm_mediatek_disable(chip, pwm);
++ pwm_mediatek_clk_disable(chip, pwm);
++ }
+
+ return 0;
+ }
+@@ -224,8 +217,11 @@ static int pwm_mediatek_apply(struct pwm
+ if (err)
+ return err;
+
+- if (!pwm->state.enabled)
+- err = pwm_mediatek_enable(chip, pwm);
++ if (!pwm->state.enabled) {
++ err = pwm_mediatek_clk_enable(chip, pwm);
++ if (!err)
++ pwm_mediatek_enable(chip, pwm);
++ }
+
+ return err;
+ }
--- /dev/null
+From stable+bounces-172493-greg=kroah.com@vger.kernel.org Fri Aug 22 20:52:16 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 14:50:00 -0400
+Subject: pwm: mediatek: Implement .apply() callback
+To: stable@vger.kernel.org
+Cc: "Uwe Kleine-König" <u.kleine-koenig@pengutronix.de>, "AngeloGioacchino Del Regno" <angelogioacchino.delregno@collabora.com>, "Thierry Reding" <thierry.reding@gmail.com>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250822185002.1400911-1-sashal@kernel.org>
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 758de66f4bd2cac2b1d71db917c65c3d611d4e74 ]
+
+To eventually get rid of all legacy drivers convert this driver to the
+modern world implementing .apply().
+This just pushed a variant of pwm_apply_legacy() into the driver that was
+slightly simplified because the driver doesn't provide a .set_polarity()
+callback.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Stable-dep-of: f21d136caf81 ("pwm: mediatek: Fix duty and period setting")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pwm/pwm-mediatek.c | 29 ++++++++++++++++++++++++++---
+ 1 file changed, 26 insertions(+), 3 deletions(-)
+
+--- a/drivers/pwm/pwm-mediatek.c
++++ b/drivers/pwm/pwm-mediatek.c
+@@ -205,10 +205,33 @@ static void pwm_mediatek_disable(struct
+ pwm_mediatek_clk_disable(chip, pwm);
+ }
+
++static int pwm_mediatek_apply(struct pwm_chip *chip, struct pwm_device *pwm,
++ const struct pwm_state *state)
++{
++ int err;
++
++ if (state->polarity != PWM_POLARITY_NORMAL)
++ return -EINVAL;
++
++ if (!state->enabled) {
++ if (pwm->state.enabled)
++ pwm_mediatek_disable(chip, pwm);
++
++ return 0;
++ }
++
++ err = pwm_mediatek_config(pwm->chip, pwm, state->duty_cycle, state->period);
++ if (err)
++ return err;
++
++ if (!pwm->state.enabled)
++ err = pwm_mediatek_enable(chip, pwm);
++
++ return err;
++}
++
+ static const struct pwm_ops pwm_mediatek_ops = {
+- .config = pwm_mediatek_config,
+- .enable = pwm_mediatek_enable,
+- .disable = pwm_mediatek_disable,
++ .apply = pwm_mediatek_apply,
+ .owner = THIS_MODULE,
+ };
+
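Review bot: pwm_mediatek_apply() passes state->duty_cycle and state->period straight into pwm_mediatek_config(), whose parameters are `int duty_ns, int period_ns`. If the pwm_state fields are wider than int, large values are silently truncated and may even turn negative before the period calculation. Suggest rejecting or clamping out-of-range values here before the call. Minor style point: the config call uses `pwm->chip` while the rest of the function uses `chip`.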
--- /dev/null
+From stable+bounces-172472-greg=kroah.com@vger.kernel.org Fri Aug 22 19:02:57 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 13:02:37 -0400
+Subject: scsi: mpi3mr: Drop unnecessary volatile from __iomem pointers
+To: stable@vger.kernel.org
+Cc: Ranjan Kumar <ranjan.kumar@broadcom.com>, "Martin K. Petersen" <martin.petersen@oracle.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250822170238.1319698-1-sashal@kernel.org>
+
+From: Ranjan Kumar <ranjan.kumar@broadcom.com>
+
+[ Upstream commit 6853885b21cb1d7157cc14c9d30cc17141565bae ]
+
+The volatile qualifier is redundant for __iomem pointers.
+
+Cleaned up usage in mpi3mr_writeq() and sysif_regs pointer as per
+Upstream compliance.
+
+Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
+Link: https://lore.kernel.org/r/20250627194539.48851-3-ranjan.kumar@broadcom.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Stable-dep-of: c91e140c82eb ("scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/mpi3mr/mpi3mr.h | 2 +-
+ drivers/scsi/mpi3mr/mpi3mr_fw.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/mpi3mr/mpi3mr.h
++++ b/drivers/scsi/mpi3mr/mpi3mr.h
+@@ -714,7 +714,7 @@ struct mpi3mr_ioc {
+ char name[MPI3MR_NAME_LENGTH];
+ char driver_name[MPI3MR_NAME_LENGTH];
+
+- volatile struct mpi3_sysif_registers __iomem *sysif_regs;
++ struct mpi3_sysif_registers __iomem *sysif_regs;
+ resource_size_t sysif_regs_phys;
+ int bars;
+ u64 dma_mask;
+--- a/drivers/scsi/mpi3mr/mpi3mr_fw.c
++++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c
+@@ -11,12 +11,12 @@
+ #include <linux/io-64-nonatomic-lo-hi.h>
+
+ #if defined(writeq) && defined(CONFIG_64BIT)
+-static inline void mpi3mr_writeq(__u64 b, volatile void __iomem *addr)
++static inline void mpi3mr_writeq(__u64 b, void __iomem *addr)
+ {
+ writeq(b, addr);
+ }
+ #else
+-static inline void mpi3mr_writeq(__u64 b, volatile void __iomem *addr)
++static inline void mpi3mr_writeq(__u64 b, void __iomem *addr)
+ {
+ __u64 data_out = b;
+
--- /dev/null
+From stable+bounces-172473-greg=kroah.com@vger.kernel.org Fri Aug 22 19:05:16 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 13:02:38 -0400
+Subject: scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems
+To: stable@vger.kernel.org
+Cc: Ranjan Kumar <ranjan.kumar@broadcom.com>, "Martin K. Petersen" <martin.petersen@oracle.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250822170238.1319698-2-sashal@kernel.org>
+
+From: Ranjan Kumar <ranjan.kumar@broadcom.com>
+
+[ Upstream commit c91e140c82eb58724c435f623702e51cc7896646 ]
+
+On 32-bit systems, 64-bit BAR writes to admin queue registers are
+performed as two 32-bit writes. Without locking, this can cause partial
+writes when accessed concurrently.
+
+Updated per-queue spinlocks is used to serialize these writes and prevent
+race conditions.
+
+Fixes: 824a156633df ("scsi: mpi3mr: Base driver code")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
+Link: https://lore.kernel.org/r/20250627194539.48851-4-ranjan.kumar@broadcom.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+[ Adapt context in struct mpi3mr_ioc ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/mpi3mr/mpi3mr.h | 4 ++++
+ drivers/scsi/mpi3mr/mpi3mr_fw.c | 15 +++++++++++----
+ drivers/scsi/mpi3mr/mpi3mr_os.c | 2 ++
+ 3 files changed, 17 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/mpi3mr/mpi3mr.h
++++ b/drivers/scsi/mpi3mr/mpi3mr.h
+@@ -701,6 +701,8 @@ struct scmd_priv {
+ * @driver_info: Driver, Kernel, OS information to firmware
+ * @change_count: Topology change count
+ * @op_reply_q_offset: Operational reply queue offset with MSIx
++ * @adm_req_q_bar_writeq_lock: Admin request queue lock
++ * @adm_reply_q_bar_writeq_lock: Admin reply queue lock
+ */
+ struct mpi3mr_ioc {
+ struct list_head list;
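Review bot: The kernel-doc text "Admin request queue lock" and "Admin reply queue lock" reads as if these locks protect the queues themselves. From the rest of the patch they only serialize the split 64-bit BAR address write in mpi3mr_writeq(). Suggest wording such as "Serializes the split 64-bit write of the admin request queue address register" so nobody later relies on them for queue access.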
+@@ -828,6 +830,8 @@ struct mpi3mr_ioc {
+ struct mpi3_driver_info_layout driver_info;
+ u16 change_count;
+ u16 op_reply_q_offset;
++ spinlock_t adm_req_q_bar_writeq_lock;
++ spinlock_t adm_reply_q_bar_writeq_lock;
+ };
+
+ /**
+--- a/drivers/scsi/mpi3mr/mpi3mr_fw.c
++++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c
+@@ -11,17 +11,22 @@
+ #include <linux/io-64-nonatomic-lo-hi.h>
+
+ #if defined(writeq) && defined(CONFIG_64BIT)
+-static inline void mpi3mr_writeq(__u64 b, void __iomem *addr)
++static inline void mpi3mr_writeq(__u64 b, void __iomem *addr,
++ spinlock_t *write_queue_lock)
+ {
+ writeq(b, addr);
+ }
+ #else
+-static inline void mpi3mr_writeq(__u64 b, void __iomem *addr)
++static inline void mpi3mr_writeq(__u64 b, void __iomem *addr,
++ spinlock_t *write_queue_lock)
+ {
+ __u64 data_out = b;
++ unsigned long flags;
+
++ spin_lock_irqsave(write_queue_lock, flags);
+ writel((u32)(data_out), addr);
+ writel((u32)(data_out >> 32), (addr + 4));
++ spin_unlock_irqrestore(write_queue_lock, flags);
+ }
+ #endif
+
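Review bot: In the non-64-bit mpi3mr_writeq() the spinlock stops two CPUs from interleaving their halves, but between the two writel() calls the device can still see the new low dword paired with the old high dword. The helper is therefore serialized, not atomic, and a comment saying so would keep it from being used on registers the device samples asynchronously. The CONFIG_64BIT variant accepts write_queue_lock and never touches it; a one-line comment that a single writeq() needs no lock would explain the unused parameter.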
+@@ -2183,9 +2188,11 @@ static int mpi3mr_setup_admin_qpair(stru
+ (mrioc->num_admin_req);
+ writel(num_admin_entries, &mrioc->sysif_regs->admin_queue_num_entries);
+ mpi3mr_writeq(mrioc->admin_req_dma,
+- &mrioc->sysif_regs->admin_request_queue_address);
++ &mrioc->sysif_regs->admin_request_queue_address,
++ &mrioc->adm_req_q_bar_writeq_lock);
+ mpi3mr_writeq(mrioc->admin_reply_dma,
+- &mrioc->sysif_regs->admin_reply_queue_address);
++ &mrioc->sysif_regs->admin_reply_queue_address,
++ &mrioc->adm_reply_q_bar_writeq_lock);
+ writel(mrioc->admin_req_pi, &mrioc->sysif_regs->admin_request_queue_pi);
+ writel(mrioc->admin_reply_ci, &mrioc->sysif_regs->admin_reply_queue_ci);
+ return retval;
+--- a/drivers/scsi/mpi3mr/mpi3mr_os.c
++++ b/drivers/scsi/mpi3mr/mpi3mr_os.c
+@@ -3796,6 +3796,8 @@ mpi3mr_probe(struct pci_dev *pdev, const
+ spin_lock_init(&mrioc->tgtdev_lock);
+ spin_lock_init(&mrioc->watchdog_lock);
+ spin_lock_init(&mrioc->chain_buf_lock);
++ spin_lock_init(&mrioc->adm_req_q_bar_writeq_lock);
++ spin_lock_init(&mrioc->adm_reply_q_bar_writeq_lock);
+
+ INIT_LIST_HEAD(&mrioc->fwevt_list);
+ INIT_LIST_HEAD(&mrioc->tgtdev_list);
--- /dev/null
+From stable+bounces-172481-greg=kroah.com@vger.kernel.org Fri Aug 22 19:30:03 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 13:29:55 -0400
+Subject: scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE
+To: stable@vger.kernel.org
+Cc: "André Draszik" <andre.draszik@linaro.org>, "Bart Van Assche" <bvanassche@acm.org>, "Peter Griffin" <peter.griffin@linaro.org>, "Martin K. Petersen" <martin.petersen@oracle.com>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250822172955.1334600-1-sashal@kernel.org>
+
+From: André Draszik <andre.draszik@linaro.org>
+
+[ Upstream commit 01aad16c2257ab8ff33b152b972c9f2e1af47912 ]
+
+On Google gs101, the number of UTP transfer request slots (nutrs) is 32,
+and in this case the driver ends up programming the UTRL_NEXUS_TYPE
+incorrectly as 0.
+
+This is because the left hand side of the shift is 1, which is of type
+int, i.e. 31 bits wide. Shifting by more than that width results in
+undefined behaviour.
+
+Fix this by switching to the BIT() macro, which applies correct type
+casting as required. This ensures the correct value is written to
+UTRL_NEXUS_TYPE (0xffffffff on gs101), and it also fixes a UBSAN shift
+warning:
+
+ UBSAN: shift-out-of-bounds in drivers/ufs/host/ufs-exynos.c:1113:21
+ shift exponent 32 is too large for 32-bit type 'int'
+
+For consistency, apply the same change to the nutmrs / UTMRL_NEXUS_TYPE
+write.
+
+Fixes: 55f4b1f73631 ("scsi: ufs: ufs-exynos: Add UFS host support for Exynos SoCs")
+Cc: stable@vger.kernel.org
+Signed-off-by: André Draszik <andre.draszik@linaro.org>
+Link: https://lore.kernel.org/r/20250707-ufs-exynos-shift-v1-1-1418e161ae40@linaro.org
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Peter Griffin <peter.griffin@linaro.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+[ Adjusted path from drivers/ufs/host to drivers/scsi/ufs ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/ufs/ufs-exynos.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/ufs/ufs-exynos.c
++++ b/drivers/scsi/ufs/ufs-exynos.c
+@@ -837,8 +837,8 @@ static int exynos_ufs_post_link(struct u
+ hci_writel(ufs, 0xa, HCI_DATA_REORDER);
+ hci_writel(ufs, PRDT_SET_SIZE(12), HCI_TXPRDT_ENTRY_SIZE);
+ hci_writel(ufs, PRDT_SET_SIZE(12), HCI_RXPRDT_ENTRY_SIZE);
+- hci_writel(ufs, (1 << hba->nutrs) - 1, HCI_UTRL_NEXUS_TYPE);
+- hci_writel(ufs, (1 << hba->nutmrs) - 1, HCI_UTMRL_NEXUS_TYPE);
++ hci_writel(ufs, BIT(hba->nutrs) - 1, HCI_UTRL_NEXUS_TYPE);
++ hci_writel(ufs, BIT(hba->nutmrs) - 1, HCI_UTMRL_NEXUS_TYPE);
+ hci_writel(ufs, 0xf, HCI_AXIDMA_RWDATA_BURST_LEN);
+
+ if (ufs->opts & EXYNOS_UFS_OPT_SKIP_CONNECTION_ESTAB)
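Review bot: BIT() expands to a shift of an unsigned long, so `BIT(hba->nutrs) - 1` with nutrs equal to 32 is only well defined where long is 64 bits wide. On a 32-bit build the shift count again equals the width of the type and the original problem returns. `BIT_ULL(hba->nutrs) - 1` yields 0xffffffff regardless of word size, and the same applies to the nutmrs line.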
usb-storage-ignore-driver-cd-mode-for-realtek-multi-mode-wi-fi-dongles.patch
usb-dwc3-ignore-late-xfernotready-event-to-prevent-halt-timeout.patch
usb-dwc3-remove-warn_on-for-device-endpoint-command-timeouts.patch
+drm-amd-display-don-t-overclock-dce-6-by-15.patch
+mptcp-disable-add_addr-retransmission-when-timeout-is-0.patch
+drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch
+f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch
+media-camss-convert-to-platform-remove-callback-returning-void.patch
+media-qcom-camss-cleanup-media-device-allocated-resource-on-error-path.patch
+media-venus-add-support-for-ssr-trigger-using-fault-injection.patch
+media-venus-protect-against-spurious-interrupts-during-probe.patch
+locking-barriers-kcsan-support-generic-instrumentation.patch
+asm-generic-add-memory-barrier-dma_mb.patch
+wifi-ath11k-fix-dest-ring-buffer-corruption-when-ring-is-full.patch
+soc-qcom-mdt_loader-ensure-we-don-t-read-past-the-elf-header.patch
+iio-adc-ad_sigma_delta-change-to-buffer-predisable.patch
+scsi-ufs-exynos-fix-programming-of-hci_utrl_nexus_type.patch
+scsi-mpi3mr-drop-unnecessary-volatile-from-__iomem-pointers.patch
+scsi-mpi3mr-serialize-admin-queue-bar-writes-on-32-bit-systems.patch
+pwm-mediatek-implement-.apply-callback.patch
+pwm-mediatek-handle-hardware-enable-and-clock-enable-separately.patch
+pwm-mediatek-fix-duty-and-period-setting.patch
--- /dev/null
+From stable+bounces-172488-greg=kroah.com@vger.kernel.org Fri Aug 22 20:09:10 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 14:09:02 -0400
+Subject: soc: qcom: mdt_loader: Ensure we don't read past the ELF header
+To: stable@vger.kernel.org
+Cc: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>, Doug Anderson <dianders@chromium.org>, Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>, Bjorn Andersson <andersson@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250822180902.1356815-1-sashal@kernel.org>
+
+From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+
+[ Upstream commit 9f9967fed9d066ed3dae9372b45ffa4f6fccfeef ]
+
+When the MDT loader is used in remoteproc, the ELF header is sanitized
+beforehand, but that's not necessary the case for other clients.
+
+Validate the size of the firmware buffer to ensure that we don't read
+past the end as we iterate over the header. e_phentsize and e_shentsize
+are validated as well, to ensure that the assumptions about step size in
+the traversal are valid.
+
+Fixes: 2aad40d911ee ("remoteproc: Move qcom_mdt_loader into drivers/soc/qcom")
+Cc: stable@vger.kernel.org
+Reported-by: Doug Anderson <dianders@chromium.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250610-mdt-loader-validation-and-fixes-v2-1-f7073e9ab899@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/qcom/mdt_loader.c | 41 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+
+--- a/drivers/soc/qcom/mdt_loader.c
++++ b/drivers/soc/qcom/mdt_loader.c
+@@ -12,11 +12,43 @@
+ #include <linux/firmware.h>
+ #include <linux/kernel.h>
+ #include <linux/module.h>
++#include <linux/overflow.h>
+ #include <linux/qcom_scm.h>
+ #include <linux/sizes.h>
+ #include <linux/slab.h>
+ #include <linux/soc/qcom/mdt_loader.h>
+
++static bool mdt_header_valid(const struct firmware *fw)
++{
++ const struct elf32_hdr *ehdr;
++ size_t phend;
++ size_t shend;
++
++ if (fw->size < sizeof(*ehdr))
++ return false;
++
++ ehdr = (struct elf32_hdr *)fw->data;
++
++ if (memcmp(ehdr->e_ident, ELFMAG, SELFMAG))
++ return false;
++
++ if (ehdr->e_phentsize != sizeof(struct elf32_phdr))
++ return false;
++
++ phend = size_add(size_mul(sizeof(struct elf32_phdr), ehdr->e_phnum), ehdr->e_phoff);
++ if (phend > fw->size)
++ return false;
++
++ if (ehdr->e_shentsize != sizeof(struct elf32_shdr))
++ return false;
++
++ shend = size_add(size_mul(sizeof(struct elf32_shdr), ehdr->e_shnum), ehdr->e_shoff);
++ if (shend > fw->size)
++ return false;
++
++ return true;
++}
++
+ static bool mdt_phdr_valid(const struct elf32_phdr *phdr)
+ {
+ if (phdr->p_type != PT_LOAD)
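Review bot: mdt_header_valid() rejects any image whose e_shentsize differs from sizeof(struct elf32_shdr), even when e_shnum is 0 and there is no section table to walk. A firmware image without section headers may carry e_shentsize of 0, and it would now fail with -EINVAL in every caller. Consider enforcing the e_shentsize check only when e_shnum is non-zero. The cast `(struct elf32_hdr *)fw->data` also drops const for no reason, since ehdr is declared const.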
+@@ -46,6 +78,9 @@ ssize_t qcom_mdt_get_size(const struct f
+ phys_addr_t max_addr = 0;
+ int i;
+
++ if (!mdt_header_valid(fw))
++ return -EINVAL;
++
+ ehdr = (struct elf32_hdr *)fw->data;
+ phdrs = (struct elf32_phdr *)(ehdr + 1);
+
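Review bot: The range that mdt_header_valid() checks starts at ehdr->e_phoff, but qcom_mdt_get_size() still walks the program headers from `(ehdr + 1)`, and the other two callers in this patch do the same. If e_phoff is smaller than sizeof(*ehdr), the test `phend > fw->size` can pass while the table actually read extends past the end of the firmware buffer. Either require `e_phoff == sizeof(*ehdr)` in the validator or derive phdrs from `fw->data + ehdr->e_phoff`.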
+@@ -92,6 +127,9 @@ void *qcom_mdt_read_metadata(const struc
+ size_t ehdr_size;
+ void *data;
+
++ if (!mdt_header_valid(fw))
++ return ERR_PTR(-EINVAL);
++
+ ehdr = (struct elf32_hdr *)fw->data;
+ phdrs = (struct elf32_phdr *)(ehdr + 1);
+
+@@ -151,6 +189,9 @@ static int __qcom_mdt_load(struct device
+ if (!fw || !mem_region || !mem_phys || !mem_size)
+ return -EINVAL;
+
++ if (!mdt_header_valid(fw))
++ return -EINVAL;
++
+ ehdr = (struct elf32_hdr *)fw->data;
+ phdrs = (struct elf32_phdr *)(ehdr + 1);
+
--- /dev/null
+From stable+bounces-172509-greg=kroah.com@vger.kernel.org Fri Aug 22 21:35:13 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 15:35:02 -0400
+Subject: wifi: ath11k: fix dest ring-buffer corruption when ring is full
+To: stable@vger.kernel.org
+Cc: Johan Hovold <johan+linaro@kernel.org>, Baochen Qiang <quic_bqiang@quicinc.com>, Jeff Johnson <jeff.johnson@oss.qualcomm.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250822193502.1445377-3-sashal@kernel.org>
+
+From: Johan Hovold <johan+linaro@kernel.org>
+
+[ Upstream commit aa6956150f820e6a6deba44be325ddfcb5b10f88 ]
+
+Add the missing memory barriers to make sure that destination ring
+descriptors are read before updating the tail pointer (and passing
+ownership to the device) to avoid memory corruption on weakly ordered
+architectures like aarch64 when the ring is full.
+
+Tested-on: WCN6855 hw2.1 WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41
+
+Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
+Cc: stable@vger.kernel.org # 5.6
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Baochen Qiang <quic_bqiang@quicinc.com>
+Link: https://patch.msgid.link/20250604143457.26032-6-johan+linaro@kernel.org
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath11k/hal.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath11k/hal.c
++++ b/drivers/net/wireless/ath/ath11k/hal.c
+@@ -789,7 +789,6 @@ void ath11k_hal_srng_access_end(struct a
+ {
+ lockdep_assert_held(&srng->lock);
+
+- /* TODO: See if we need a write memory barrier here */
+ if (srng->flags & HAL_SRNG_FLAGS_LMAC_RING) {
+ /* For LMAC rings, ring pointer updates are done through FW and
+ * hence written to a shared memory location that is read by FW
+@@ -804,7 +803,11 @@ void ath11k_hal_srng_access_end(struct a
+ WRITE_ONCE(*srng->u.src_ring.hp_addr, srng->u.src_ring.hp);
+ } else {
+ srng->u.dst_ring.last_hp = *srng->u.dst_ring.hp_addr;
+- *srng->u.dst_ring.tp_addr = srng->u.dst_ring.tp;
++ /* Make sure descriptor is read before updating the
++ * tail pointer.
++ */
++ dma_mb();
++ WRITE_ONCE(*srng->u.dst_ring.tp_addr, srng->u.dst_ring.tp);
+ }
+ } else {
+ if (srng->ring_dir == HAL_SRNG_DIR_SRC) {
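Review bot: The tail-pointer store becomes WRITE_ONCE() but the load on the line above it, `srng->u.dst_ring.last_hp = *srng->u.dst_ring.hp_addr;`, stays a plain read of a location this function's own comment describes as shared with firmware. READ_ONCE() there would pair with the new store and keep the compiler from tearing or re-reading the value. The new comment could also say why a full dma_mb() is needed rather than dma_rmb(): the ordering required is a descriptor read against a later write.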
+@@ -820,6 +823,10 @@ void ath11k_hal_srng_access_end(struct a
+ srng->u.src_ring.hp);
+ } else {
+ srng->u.dst_ring.last_hp = *srng->u.dst_ring.hp_addr;
++ /* Make sure descriptor is read before updating the
++ * tail pointer.
++ */
++ mb();
+ ath11k_hif_write32(ab,
+ (unsigned long)srng->u.dst_ring.tp_addr -
+ (unsigned long)ab->mem,