--- /dev/null
+From e2974a220594c06f536e65dfd7b2447e0e83a1cb Mon Sep 17 00:00:00 2001
+From: Sahas Leelodharry <sahas.leelodharry@mail.mcgill.ca>
+Date: Mon, 2 Dec 2024 03:28:33 +0000
+Subject: ALSA: hda/realtek: Add support for Samsung Galaxy Book3 360 (NP730QFG)
+
+From: Sahas Leelodharry <sahas.leelodharry@mail.mcgill.ca>
+
+commit e2974a220594c06f536e65dfd7b2447e0e83a1cb upstream.
+
+Fixes the 3.5mm headphone jack on the Samsung Galaxy Book 3 360
+NP730QFG laptop.
+Unlike the other Galaxy Book3 series devices, this device only needs
+the ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET quirk.
+Verified changes on the device and compared with codec state in Windows.
+
+[ white-space fixes by tiwai ]
+
+Signed-off-by: Sahas Leelodharry <sahas.leelodharry@mail.mcgill.ca>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/QB1PR01MB40047D4CC1282DB7F1333124CC352@QB1PR01MB4004.CANPRD01.PROD.OUTLOOK.COM
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10753,6 +10753,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x144d, 0xc830, "Samsung Galaxy Book Ion (NT950XCJ-X716A)", ALC298_FIXUP_SAMSUNG_AMP),
+ SND_PCI_QUIRK(0x144d, 0xc832, "Samsung Galaxy Book Flex Alpha (NP730QCJ)", ALC256_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET),
+ SND_PCI_QUIRK(0x144d, 0xca03, "Samsung Galaxy Book2 Pro 360 (NP930QED)", ALC298_FIXUP_SAMSUNG_AMP),
++ SND_PCI_QUIRK(0x144d, 0xca06, "Samsung Galaxy Book3 360 (NP730QFG)", ALC298_FIXUP_SAMSUNG_HEADPHONE_VERY_QUIET),
+ SND_PCI_QUIRK(0x144d, 0xc868, "Samsung Galaxy Book2 Pro (NP930XED)", ALC298_FIXUP_SAMSUNG_AMP),
+ SND_PCI_QUIRK(0x144d, 0xc870, "Samsung Galaxy Book2 Pro (NP950XED)", ALC298_FIXUP_SAMSUNG_AMP_V2_2_AMPS),
+ SND_PCI_QUIRK(0x144d, 0xc872, "Samsung Galaxy Book2 Pro (NP950XEE)", ALC298_FIXUP_SAMSUNG_AMP_V2_2_AMPS),
--- /dev/null
+From 3a83f7baf1346aca885cb83cb888e835fef7c472 Mon Sep 17 00:00:00 2001
+From: Nazar Bilinskyi <nbilinskyi@gmail.com>
+Date: Sun, 1 Dec 2024 01:16:31 +0200
+Subject: ALSA: hda/realtek: Enable mute and micmute LED on HP ProBook 430 G8
+
+From: Nazar Bilinskyi <nbilinskyi@gmail.com>
+
+commit 3a83f7baf1346aca885cb83cb888e835fef7c472 upstream.
+
+HP ProBook 430 G8 has a mute and micmute LEDs that can be made to work
+using quirk ALC236_FIXUP_HP_GPIO_LED. Enable already existing quirk.
+
+Signed-off-by: Nazar Bilinskyi <nbilinskyi@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20241130231631.8929-1-nbilinskyi@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10411,6 +10411,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x87b7, "HP Laptop 14-fq0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
+ SND_PCI_QUIRK(0x103c, 0x87c8, "HP", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87d3, "HP Laptop 15-gw0xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
++ SND_PCI_QUIRK(0x103c, 0x87df, "HP ProBook 430 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87e5, "HP ProBook 440 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87e7, "HP ProBook 450 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x87f1, "HP ProBook 630 G8 Notebook PC", ALC236_FIXUP_HP_GPIO_LED),
--- /dev/null
+From 0d08f0eec961acdb0424a3e2cfb37cfb89154833 Mon Sep 17 00:00:00 2001
+From: Chris Chiu <chris.chiu@canonical.com>
+Date: Mon, 2 Dec 2024 22:46:59 +0800
+Subject: ALSA: hda/realtek: fix micmute LEDs don't work on HP Laptops
+
+From: Chris Chiu <chris.chiu@canonical.com>
+
+commit 0d08f0eec961acdb0424a3e2cfb37cfb89154833 upstream.
+
+These HP laptops use Realtek HDA codec ALC3315 combined CS35L56
+Amplifiers. They need the quirk ALC285_FIXUP_HP_GPIO_LED to get
+the micmute LED working.
+
+Signed-off-by: Chris Chiu <chris.chiu@canonical.com>
+Reviewed-by: Simon Trimmer <simont@opensource.cirrus.com>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20241202144659.1553504-1-chris.chiu@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10592,7 +10592,13 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x8cdf, "HP SnowWhite", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8ce0, "HP SnowWhite", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8cf5, "HP ZBook Studio 16", ALC245_FIXUP_CS35L41_SPI_4_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8d01, "HP ZBook Power 14 G12", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8d84, "HP EliteBook X G1i", ALC285_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8d91, "HP ZBook Firefly 14 G12", ALC285_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8d92, "HP ZBook Firefly 16 G12", ALC285_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8e18, "HP ZBook Firefly 14 G12A", ALC285_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8e19, "HP ZBook Firelfy 14 G12A", ALC285_FIXUP_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8e1a, "HP ZBook Firefly 14 G12A", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x1043, 0x103e, "ASUS X540SA", ALC256_FIXUP_ASUS_MIC),
+ SND_PCI_QUIRK(0x1043, 0x103f, "ASUS TX300", ALC282_FIXUP_ASUS_TX300),
+ SND_PCI_QUIRK(0x1043, 0x106d, "Asus K53BE", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
--- /dev/null
+From f09f0397db641f99f6c3e109283d82e3584bfb50 Mon Sep 17 00:00:00 2001
+From: Asahi Lina <lina@asahilina.net>
+Date: Mon, 2 Dec 2024 22:17:15 +0900
+Subject: ALSA: usb-audio: Add extra PID for RME Digiface USB
+
+From: Asahi Lina <lina@asahilina.net>
+
+commit f09f0397db641f99f6c3e109283d82e3584bfb50 upstream.
+
+It seems there is an alternate version of the hardware with a different
+PID. User testing reveals this still works with the same interface as far
+as the kernel is concerned, so just add the extra PID. Thanks to Heiko
+Engemann for testing with this version.
+
+Due to the way quirks-table.h is structured, that means we have to turn
+the entire quirk struct into a macro to avoid duplicating it...
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Asahi Lina <lina@asahilina.net>
+Link: https://patch.msgid.link/20241202-rme-digiface-usb-id-v1-1-50f730d7a46e@asahilina.net
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/mixer_quirks.c | 1
+ sound/usb/quirks-table.h | 341 +++++++++++++++++++++++------------------------
+ sound/usb/quirks.c | 2
+ 3 files changed, 176 insertions(+), 168 deletions(-)
+
+--- a/sound/usb/mixer_quirks.c
++++ b/sound/usb/mixer_quirks.c
+@@ -4059,6 +4059,7 @@ int snd_usb_mixer_apply_create_quirk(str
+ err = snd_bbfpro_controls_create(mixer);
+ break;
+ case USB_ID(0x2a39, 0x3f8c): /* RME Digiface USB */
++ case USB_ID(0x2a39, 0x3fa0): /* RME Digiface USB (alternate) */
+ err = snd_rme_digiface_controls_create(mixer);
+ break;
+ case USB_ID(0x2b73, 0x0017): /* Pioneer DJ DJM-250MK2 */
+--- a/sound/usb/quirks-table.h
++++ b/sound/usb/quirks-table.h
+@@ -3616,176 +3616,181 @@ YAMAHA_DEVICE(0x7010, "UB99"),
+ }
+ }
+ },
+-{
+- /* Only claim interface 0 */
+- .match_flags = USB_DEVICE_ID_MATCH_VENDOR |
+- USB_DEVICE_ID_MATCH_PRODUCT |
+- USB_DEVICE_ID_MATCH_INT_CLASS |
+- USB_DEVICE_ID_MATCH_INT_NUMBER,
+- .idVendor = 0x2a39,
+- .idProduct = 0x3f8c,
+- .bInterfaceClass = USB_CLASS_VENDOR_SPEC,
+- .bInterfaceNumber = 0,
+- QUIRK_DRIVER_INFO {
+- QUIRK_DATA_COMPOSITE {
++#define QUIRK_RME_DIGIFACE(pid) \
++{ \
++ /* Only claim interface 0 */ \
++ .match_flags = USB_DEVICE_ID_MATCH_VENDOR | \
++ USB_DEVICE_ID_MATCH_PRODUCT | \
++ USB_DEVICE_ID_MATCH_INT_CLASS | \
++ USB_DEVICE_ID_MATCH_INT_NUMBER, \
++ .idVendor = 0x2a39, \
++ .idProduct = pid, \
++ .bInterfaceClass = USB_CLASS_VENDOR_SPEC, \
++ .bInterfaceNumber = 0, \
++ QUIRK_DRIVER_INFO { \
++ QUIRK_DATA_COMPOSITE { \
+ /*
+ * Three modes depending on sample rate band,
+ * with different channel counts for in/out
+- */
+- { QUIRK_DATA_STANDARD_MIXER(0) },
+- {
+- QUIRK_DATA_AUDIOFORMAT(0) {
+- .formats = SNDRV_PCM_FMTBIT_S32_LE,
+- .channels = 34, // outputs
+- .fmt_bits = 24,
+- .iface = 0,
+- .altsetting = 1,
+- .altset_idx = 1,
+- .endpoint = 0x02,
+- .ep_idx = 1,
+- .ep_attr = USB_ENDPOINT_XFER_ISOC |
+- USB_ENDPOINT_SYNC_ASYNC,
+- .rates = SNDRV_PCM_RATE_32000 |
+- SNDRV_PCM_RATE_44100 |
+- SNDRV_PCM_RATE_48000,
+- .rate_min = 32000,
+- .rate_max = 48000,
+- .nr_rates = 3,
+- .rate_table = (unsigned int[]) {
+- 32000, 44100, 48000,
+- },
+- .sync_ep = 0x81,
+- .sync_iface = 0,
+- .sync_altsetting = 1,
+- .sync_ep_idx = 0,
+- .implicit_fb = 1,
+- },
+- },
+- {
+- QUIRK_DATA_AUDIOFORMAT(0) {
+- .formats = SNDRV_PCM_FMTBIT_S32_LE,
+- .channels = 18, // outputs
+- .fmt_bits = 24,
+- .iface = 0,
+- .altsetting = 1,
+- .altset_idx = 1,
+- .endpoint = 0x02,
+- .ep_idx = 1,
+- .ep_attr = USB_ENDPOINT_XFER_ISOC |
+- USB_ENDPOINT_SYNC_ASYNC,
+- .rates = SNDRV_PCM_RATE_64000 |
+- SNDRV_PCM_RATE_88200 |
+- SNDRV_PCM_RATE_96000,
+- .rate_min = 64000,
+- .rate_max = 96000,
+- .nr_rates = 3,
+- .rate_table = (unsigned int[]) {
+- 64000, 88200, 96000,
+- },
+- .sync_ep = 0x81,
+- .sync_iface = 0,
+- .sync_altsetting = 1,
+- .sync_ep_idx = 0,
+- .implicit_fb = 1,
+- },
+- },
+- {
+- QUIRK_DATA_AUDIOFORMAT(0) {
+- .formats = SNDRV_PCM_FMTBIT_S32_LE,
+- .channels = 10, // outputs
+- .fmt_bits = 24,
+- .iface = 0,
+- .altsetting = 1,
+- .altset_idx = 1,
+- .endpoint = 0x02,
+- .ep_idx = 1,
+- .ep_attr = USB_ENDPOINT_XFER_ISOC |
+- USB_ENDPOINT_SYNC_ASYNC,
+- .rates = SNDRV_PCM_RATE_KNOT |
+- SNDRV_PCM_RATE_176400 |
+- SNDRV_PCM_RATE_192000,
+- .rate_min = 128000,
+- .rate_max = 192000,
+- .nr_rates = 3,
+- .rate_table = (unsigned int[]) {
+- 128000, 176400, 192000,
+- },
+- .sync_ep = 0x81,
+- .sync_iface = 0,
+- .sync_altsetting = 1,
+- .sync_ep_idx = 0,
+- .implicit_fb = 1,
+- },
+- },
+- {
+- QUIRK_DATA_AUDIOFORMAT(0) {
+- .formats = SNDRV_PCM_FMTBIT_S32_LE,
+- .channels = 32, // inputs
+- .fmt_bits = 24,
+- .iface = 0,
+- .altsetting = 1,
+- .altset_idx = 1,
+- .endpoint = 0x81,
+- .ep_attr = USB_ENDPOINT_XFER_ISOC |
+- USB_ENDPOINT_SYNC_ASYNC,
+- .rates = SNDRV_PCM_RATE_32000 |
+- SNDRV_PCM_RATE_44100 |
+- SNDRV_PCM_RATE_48000,
+- .rate_min = 32000,
+- .rate_max = 48000,
+- .nr_rates = 3,
+- .rate_table = (unsigned int[]) {
+- 32000, 44100, 48000,
+- }
+- }
+- },
+- {
+- QUIRK_DATA_AUDIOFORMAT(0) {
+- .formats = SNDRV_PCM_FMTBIT_S32_LE,
+- .channels = 16, // inputs
+- .fmt_bits = 24,
+- .iface = 0,
+- .altsetting = 1,
+- .altset_idx = 1,
+- .endpoint = 0x81,
+- .ep_attr = USB_ENDPOINT_XFER_ISOC |
+- USB_ENDPOINT_SYNC_ASYNC,
+- .rates = SNDRV_PCM_RATE_64000 |
+- SNDRV_PCM_RATE_88200 |
+- SNDRV_PCM_RATE_96000,
+- .rate_min = 64000,
+- .rate_max = 96000,
+- .nr_rates = 3,
+- .rate_table = (unsigned int[]) {
+- 64000, 88200, 96000,
+- }
+- }
+- },
+- {
+- QUIRK_DATA_AUDIOFORMAT(0) {
+- .formats = SNDRV_PCM_FMTBIT_S32_LE,
+- .channels = 8, // inputs
+- .fmt_bits = 24,
+- .iface = 0,
+- .altsetting = 1,
+- .altset_idx = 1,
+- .endpoint = 0x81,
+- .ep_attr = USB_ENDPOINT_XFER_ISOC |
+- USB_ENDPOINT_SYNC_ASYNC,
+- .rates = SNDRV_PCM_RATE_KNOT |
+- SNDRV_PCM_RATE_176400 |
+- SNDRV_PCM_RATE_192000,
+- .rate_min = 128000,
+- .rate_max = 192000,
+- .nr_rates = 3,
+- .rate_table = (unsigned int[]) {
+- 128000, 176400, 192000,
+- }
+- }
+- },
+- QUIRK_COMPOSITE_END
+- }
+- }
+-},
++ */ \
++ { QUIRK_DATA_STANDARD_MIXER(0) }, \
++ { \
++ QUIRK_DATA_AUDIOFORMAT(0) { \
++ .formats = SNDRV_PCM_FMTBIT_S32_LE, \
++ .channels = 34, /* outputs */ \
++ .fmt_bits = 24, \
++ .iface = 0, \
++ .altsetting = 1, \
++ .altset_idx = 1, \
++ .endpoint = 0x02, \
++ .ep_idx = 1, \
++ .ep_attr = USB_ENDPOINT_XFER_ISOC | \
++ USB_ENDPOINT_SYNC_ASYNC, \
++ .rates = SNDRV_PCM_RATE_32000 | \
++ SNDRV_PCM_RATE_44100 | \
++ SNDRV_PCM_RATE_48000, \
++ .rate_min = 32000, \
++ .rate_max = 48000, \
++ .nr_rates = 3, \
++ .rate_table = (unsigned int[]) { \
++ 32000, 44100, 48000, \
++ }, \
++ .sync_ep = 0x81, \
++ .sync_iface = 0, \
++ .sync_altsetting = 1, \
++ .sync_ep_idx = 0, \
++ .implicit_fb = 1, \
++ }, \
++ }, \
++ { \
++ QUIRK_DATA_AUDIOFORMAT(0) { \
++ .formats = SNDRV_PCM_FMTBIT_S32_LE, \
++ .channels = 18, /* outputs */ \
++ .fmt_bits = 24, \
++ .iface = 0, \
++ .altsetting = 1, \
++ .altset_idx = 1, \
++ .endpoint = 0x02, \
++ .ep_idx = 1, \
++ .ep_attr = USB_ENDPOINT_XFER_ISOC | \
++ USB_ENDPOINT_SYNC_ASYNC, \
++ .rates = SNDRV_PCM_RATE_64000 | \
++ SNDRV_PCM_RATE_88200 | \
++ SNDRV_PCM_RATE_96000, \
++ .rate_min = 64000, \
++ .rate_max = 96000, \
++ .nr_rates = 3, \
++ .rate_table = (unsigned int[]) { \
++ 64000, 88200, 96000, \
++ }, \
++ .sync_ep = 0x81, \
++ .sync_iface = 0, \
++ .sync_altsetting = 1, \
++ .sync_ep_idx = 0, \
++ .implicit_fb = 1, \
++ }, \
++ }, \
++ { \
++ QUIRK_DATA_AUDIOFORMAT(0) { \
++ .formats = SNDRV_PCM_FMTBIT_S32_LE, \
++ .channels = 10, /* outputs */ \
++ .fmt_bits = 24, \
++ .iface = 0, \
++ .altsetting = 1, \
++ .altset_idx = 1, \
++ .endpoint = 0x02, \
++ .ep_idx = 1, \
++ .ep_attr = USB_ENDPOINT_XFER_ISOC | \
++ USB_ENDPOINT_SYNC_ASYNC, \
++ .rates = SNDRV_PCM_RATE_KNOT | \
++ SNDRV_PCM_RATE_176400 | \
++ SNDRV_PCM_RATE_192000, \
++ .rate_min = 128000, \
++ .rate_max = 192000, \
++ .nr_rates = 3, \
++ .rate_table = (unsigned int[]) { \
++ 128000, 176400, 192000, \
++ }, \
++ .sync_ep = 0x81, \
++ .sync_iface = 0, \
++ .sync_altsetting = 1, \
++ .sync_ep_idx = 0, \
++ .implicit_fb = 1, \
++ }, \
++ }, \
++ { \
++ QUIRK_DATA_AUDIOFORMAT(0) { \
++ .formats = SNDRV_PCM_FMTBIT_S32_LE, \
++ .channels = 32, /* inputs */ \
++ .fmt_bits = 24, \
++ .iface = 0, \
++ .altsetting = 1, \
++ .altset_idx = 1, \
++ .endpoint = 0x81, \
++ .ep_attr = USB_ENDPOINT_XFER_ISOC | \
++ USB_ENDPOINT_SYNC_ASYNC, \
++ .rates = SNDRV_PCM_RATE_32000 | \
++ SNDRV_PCM_RATE_44100 | \
++ SNDRV_PCM_RATE_48000, \
++ .rate_min = 32000, \
++ .rate_max = 48000, \
++ .nr_rates = 3, \
++ .rate_table = (unsigned int[]) { \
++ 32000, 44100, 48000, \
++ } \
++ } \
++ }, \
++ { \
++ QUIRK_DATA_AUDIOFORMAT(0) { \
++ .formats = SNDRV_PCM_FMTBIT_S32_LE, \
++ .channels = 16, /* inputs */ \
++ .fmt_bits = 24, \
++ .iface = 0, \
++ .altsetting = 1, \
++ .altset_idx = 1, \
++ .endpoint = 0x81, \
++ .ep_attr = USB_ENDPOINT_XFER_ISOC | \
++ USB_ENDPOINT_SYNC_ASYNC, \
++ .rates = SNDRV_PCM_RATE_64000 | \
++ SNDRV_PCM_RATE_88200 | \
++ SNDRV_PCM_RATE_96000, \
++ .rate_min = 64000, \
++ .rate_max = 96000, \
++ .nr_rates = 3, \
++ .rate_table = (unsigned int[]) { \
++ 64000, 88200, 96000, \
++ } \
++ } \
++ }, \
++ { \
++ QUIRK_DATA_AUDIOFORMAT(0) { \
++ .formats = SNDRV_PCM_FMTBIT_S32_LE, \
++ .channels = 8, /* inputs */ \
++ .fmt_bits = 24, \
++ .iface = 0, \
++ .altsetting = 1, \
++ .altset_idx = 1, \
++ .endpoint = 0x81, \
++ .ep_attr = USB_ENDPOINT_XFER_ISOC | \
++ USB_ENDPOINT_SYNC_ASYNC, \
++ .rates = SNDRV_PCM_RATE_KNOT | \
++ SNDRV_PCM_RATE_176400 | \
++ SNDRV_PCM_RATE_192000, \
++ .rate_min = 128000, \
++ .rate_max = 192000, \
++ .nr_rates = 3, \
++ .rate_table = (unsigned int[]) { \
++ 128000, 176400, 192000, \
++ } \
++ } \
++ }, \
++ QUIRK_COMPOSITE_END \
++ } \
++ } \
++}
++
++QUIRK_RME_DIGIFACE(0x3f8c),
++QUIRK_RME_DIGIFACE(0x3fa0),
++
+ #undef USB_DEVICE_VENDOR_SPEC
+ #undef USB_AUDIO_DEVICE
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1665,6 +1665,7 @@ int snd_usb_apply_boot_quirk(struct usb_
+ return snd_usb_motu_microbookii_boot_quirk(dev);
+ break;
+ case USB_ID(0x2a39, 0x3f8c): /* RME Digiface USB */
++ case USB_ID(0x2a39, 0x3fa0): /* RME Digiface USB (alternate) */
+ return snd_usb_rme_digiface_boot_quirk(dev);
+ }
+
+@@ -1878,6 +1879,7 @@ void snd_usb_set_format_quirk(struct snd
+ mbox3_set_format_quirk(subs, fmt); /* Digidesign Mbox 3 */
+ break;
+ case USB_ID(0x2a39, 0x3f8c): /* RME Digiface USB */
++ case USB_ID(0x2a39, 0x3fa0): /* RME Digiface USB (alternate) */
+ rme_digiface_set_format_quirk(subs);
+ break;
+ }
--- /dev/null
+From a7de2b873f3dbcda02d504536f1ec6dc50e3f6c4 Mon Sep 17 00:00:00 2001
+From: Marie Ramlow <me@nycode.dev>
+Date: Sat, 30 Nov 2024 17:52:40 +0100
+Subject: ALSA: usb-audio: add mixer mapping for Corsair HS80
+
+From: Marie Ramlow <me@nycode.dev>
+
+commit a7de2b873f3dbcda02d504536f1ec6dc50e3f6c4 upstream.
+
+The Corsair HS80 RGB Wireless is a USB headset with a mic and a sidetone
+feature. It has the same quirk as the Virtuoso series.
+This labels the mixers appropriately, so applications don't
+move the sidetone volume when they actually intend to move the main
+headset volume.
+
+Signed-off-by: Marie Ramlow <me@nycode.dev>
+cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20241130165240.17838-1-me@nycode.dev
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/mixer_maps.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/sound/usb/mixer_maps.c
++++ b/sound/usb/mixer_maps.c
+@@ -621,6 +621,16 @@ static const struct usbmix_ctl_map usbmi
+ .id = USB_ID(0x1b1c, 0x0a42),
+ .map = corsair_virtuoso_map,
+ },
++ {
++ /* Corsair HS80 RGB Wireless (wired mode) */
++ .id = USB_ID(0x1b1c, 0x0a6a),
++ .map = corsair_virtuoso_map,
++ },
++ {
++ /* Corsair HS80 RGB Wireless (wireless mode) */
++ .id = USB_ID(0x1b1c, 0x0a6b),
++ .map = corsair_virtuoso_map,
++ },
+ { /* Gigabyte TRX40 Aorus Master (rear panel + front mic) */
+ .id = USB_ID(0x0414, 0xa001),
+ .map = aorus_master_alc1220vb_map,
--- /dev/null
+From f7d306b47a24367302bd4fe846854e07752ffcd9 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Mon, 2 Dec 2024 15:57:54 +0300
+Subject: ALSA: usb-audio: Fix a DMA to stack memory bug
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit f7d306b47a24367302bd4fe846854e07752ffcd9 upstream.
+
+The usb_get_descriptor() function does DMA so we're not allowed
+to use a stack buffer for that. Doing DMA to the stack is not portable
+all architectures. Move the "new_device_descriptor" from being stored
+on the stack and allocate it with kmalloc() instead.
+
+Fixes: b909df18ce2a ("ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices")
+Cc: stable@kernel.org
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/60e3aa09-039d-46d2-934c-6f123026c2eb@stanley.mountain
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/quirks.c | 42 +++++++++++++++++++++++++++---------------
+ 1 file changed, 27 insertions(+), 15 deletions(-)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -555,7 +555,7 @@ int snd_usb_create_quirk(struct snd_usb_
+ static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interface *intf)
+ {
+ struct usb_host_config *config = dev->actconfig;
+- struct usb_device_descriptor new_device_descriptor;
++ struct usb_device_descriptor *new_device_descriptor __free(kfree) = NULL;
+ int err;
+
+ if (le16_to_cpu(get_cfg_desc(config)->wTotalLength) == EXTIGY_FIRMWARE_SIZE_OLD ||
+@@ -566,15 +566,19 @@ static int snd_usb_extigy_boot_quirk(str
+ 0x10, 0x43, 0x0001, 0x000a, NULL, 0);
+ if (err < 0)
+ dev_dbg(&dev->dev, "error sending boot message: %d\n", err);
++
++ new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL);
++ if (!new_device_descriptor)
++ return -ENOMEM;
+ err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,
+- &new_device_descriptor, sizeof(new_device_descriptor));
++ new_device_descriptor, sizeof(*new_device_descriptor));
+ if (err < 0)
+ dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);
+- if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations)
++ if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations)
+ dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n",
+- new_device_descriptor.bNumConfigurations);
++ new_device_descriptor->bNumConfigurations);
+ else
+- memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor));
++ memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor));
+ err = usb_reset_configuration(dev);
+ if (err < 0)
+ dev_dbg(&dev->dev, "error usb_reset_configuration: %d\n", err);
+@@ -906,7 +910,7 @@ static void mbox2_setup_48_24_magic(stru
+ static int snd_usb_mbox2_boot_quirk(struct usb_device *dev)
+ {
+ struct usb_host_config *config = dev->actconfig;
+- struct usb_device_descriptor new_device_descriptor;
++ struct usb_device_descriptor *new_device_descriptor __free(kfree) = NULL;
+ int err;
+ u8 bootresponse[0x12];
+ int fwsize;
+@@ -941,15 +945,19 @@ static int snd_usb_mbox2_boot_quirk(stru
+
+ dev_dbg(&dev->dev, "device initialised!\n");
+
++ new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL);
++ if (!new_device_descriptor)
++ return -ENOMEM;
++
+ err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,
+- &new_device_descriptor, sizeof(new_device_descriptor));
++ new_device_descriptor, sizeof(*new_device_descriptor));
+ if (err < 0)
+ dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);
+- if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations)
++ if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations)
+ dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n",
+- new_device_descriptor.bNumConfigurations);
++ new_device_descriptor->bNumConfigurations);
+ else
+- memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor));
++ memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor));
+
+ err = usb_reset_configuration(dev);
+ if (err < 0)
+@@ -1259,7 +1267,7 @@ static void mbox3_setup_defaults(struct
+ static int snd_usb_mbox3_boot_quirk(struct usb_device *dev)
+ {
+ struct usb_host_config *config = dev->actconfig;
+- struct usb_device_descriptor new_device_descriptor;
++ struct usb_device_descriptor *new_device_descriptor __free(kfree) = NULL;
+ int err;
+ int descriptor_size;
+
+@@ -1272,15 +1280,19 @@ static int snd_usb_mbox3_boot_quirk(stru
+
+ dev_dbg(&dev->dev, "MBOX3: device initialised!\n");
+
++ new_device_descriptor = kmalloc(sizeof(*new_device_descriptor), GFP_KERNEL);
++ if (!new_device_descriptor)
++ return -ENOMEM;
++
+ err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,
+- &new_device_descriptor, sizeof(new_device_descriptor));
++ new_device_descriptor, sizeof(*new_device_descriptor));
+ if (err < 0)
+ dev_dbg(&dev->dev, "MBOX3: error usb_get_descriptor: %d\n", err);
+- if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations)
++ if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations)
+ dev_dbg(&dev->dev, "MBOX3: error too large bNumConfigurations: %d\n",
+- new_device_descriptor.bNumConfigurations);
++ new_device_descriptor->bNumConfigurations);
+ else
+- memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor));
++ memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor));
+
+ err = usb_reset_configuration(dev);
+ if (err < 0)
--- /dev/null
+From c0900d15d31c2597dd9f634c8be2b71762199890 Mon Sep 17 00:00:00 2001
+From: Catalin Marinas <catalin.marinas@arm.com>
+Date: Tue, 3 Dec 2024 15:19:41 +0000
+Subject: arm64: Ensure bits ASID[15:8] are masked out when the kernel uses 8-bit ASIDs
+
+From: Catalin Marinas <catalin.marinas@arm.com>
+
+commit c0900d15d31c2597dd9f634c8be2b71762199890 upstream.
+
+Linux currently sets the TCR_EL1.AS bit unconditionally during CPU
+bring-up. On an 8-bit ASID CPU, this is RES0 and ignored, otherwise
+16-bit ASIDs are enabled. However, if running in a VM and the hypervisor
+reports 8-bit ASIDs (ID_AA64MMFR0_EL1.ASIDBits == 0) on a 16-bit ASIDs
+CPU, Linux uses bits 8 to 63 as a generation number for tracking old
+process ASIDs. The bottom 8 bits of this generation end up being written
+to TTBR1_EL1 and also used for the ASID-based TLBI operations as the
+upper 8 bits of the ASID. Following an ASID roll-over event we can have
+threads of the same application with the same 8-bit ASID but different
+generation numbers running on separate CPUs. Both TLB caching and the
+TLBI operations will end up using different actual 16-bit ASIDs for the
+same process.
+
+A similar scenario can happen in a big.LITTLE configuration if the boot
+CPU only uses 8-bit ASIDs while secondary CPUs have 16-bit ASIDs.
+
+Ensure that the ASID generation is only tracked by bits 16 and up,
+leaving bits 15:8 as 0 if the kernel uses 8-bit ASIDs. Note that
+clearing TCR_EL1.AS is not sufficient since the architecture requires
+that the top 8 bits of the ASID passed to TLBI instructions are 0 rather
+than ignored in such configuration.
+
+Cc: stable@vger.kernel.org
+Cc: Will Deacon <will@kernel.org>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Marc Zyngier <maz@kernel.org>
+Cc: James Morse <james.morse@arm.com>
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Acked-by: Marc Zyngier <maz@kernel.org>
+Link: https://lore.kernel.org/r/20241203151941.353796-1-catalin.marinas@arm.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/mm/context.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/mm/context.c
++++ b/arch/arm64/mm/context.c
+@@ -32,9 +32,9 @@ static unsigned long nr_pinned_asids;
+ static unsigned long *pinned_asid_map;
+
+ #define ASID_MASK (~GENMASK(asid_bits - 1, 0))
+-#define ASID_FIRST_VERSION (1UL << asid_bits)
++#define ASID_FIRST_VERSION (1UL << 16)
+
+-#define NUM_USER_ASIDS ASID_FIRST_VERSION
++#define NUM_USER_ASIDS (1UL << asid_bits)
+ #define ctxid2asid(asid) ((asid) & ~ASID_MASK)
+ #define asid2ctxid(asid, genid) ((asid) | (genid))
+
--- /dev/null
+From 56a708742a8bf127eb66798bfc9c9516c61f9930 Mon Sep 17 00:00:00 2001
+From: Yang Shi <yang@os.amperecomputing.com>
+Date: Mon, 25 Nov 2024 09:16:50 -0800
+Subject: arm64: mm: Fix zone_dma_limit calculation
+
+From: Yang Shi <yang@os.amperecomputing.com>
+
+commit 56a708742a8bf127eb66798bfc9c9516c61f9930 upstream.
+
+Commit ba0fb44aed47 ("dma-mapping: replace zone_dma_bits by
+zone_dma_limit") and subsequent patches changed how zone_dma_limit is
+calculated to allow a reduced ZONE_DMA even when RAM starts above 4GB.
+Commit 122c234ef4e1 ("arm64: mm: keep low RAM dma zone") further fixed
+this to ensure ZONE_DMA remains below U32_MAX if RAM starts below 4GB,
+especially on platforms that do not have IORT or DT description of the
+device DMA ranges. While zone boundaries calculation was fixed by the
+latter commit, zone_dma_limit, used to determine the GFP_DMA flag in the
+core code, was not updated. This results in excessive use of GFP_DMA and
+unnecessary ZONE_DMA allocations on some platforms.
+
+Update zone_dma_limit to match the actual upper bound of ZONE_DMA.
+
+Fixes: ba0fb44aed47 ("dma-mapping: replace zone_dma_bits by zone_dma_limit")
+Cc: <stable@vger.kernel.org> # 6.12.x
+Reported-by: Yutang Jiang <jiangyutang@os.amperecomputing.com>
+Tested-by: Yutang Jiang <jiangyutang@os.amperecomputing.com>
+Signed-off-by: Yang Shi <yang@os.amperecomputing.com>
+Link: https://lore.kernel.org/r/20241125171650.77424-1-yang@os.amperecomputing.com
+[catalin.marinas@arm.com: some tweaking of the commit log]
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/mm/init.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+--- a/arch/arm64/mm/init.c
++++ b/arch/arm64/mm/init.c
+@@ -116,15 +116,6 @@ static void __init arch_reserve_crashker
+
+ static phys_addr_t __init max_zone_phys(phys_addr_t zone_limit)
+ {
+- /**
+- * Information we get from firmware (e.g. DT dma-ranges) describe DMA
+- * bus constraints. Devices using DMA might have their own limitations.
+- * Some of them rely on DMA zone in low 32-bit memory. Keep low RAM
+- * DMA zone on platforms that have RAM there.
+- */
+- if (memblock_start_of_DRAM() < U32_MAX)
+- zone_limit = min(zone_limit, U32_MAX);
+-
+ return min(zone_limit, memblock_end_of_DRAM() - 1) + 1;
+ }
+
+@@ -140,6 +131,14 @@ static void __init zone_sizes_init(void)
+ acpi_zone_dma_limit = acpi_iort_dma_get_max_cpu_address();
+ dt_zone_dma_limit = of_dma_get_max_cpu_address(NULL);
+ zone_dma_limit = min(dt_zone_dma_limit, acpi_zone_dma_limit);
++ /*
++ * Information we get from firmware (e.g. DT dma-ranges) describe DMA
++ * bus constraints. Devices using DMA might have their own limitations.
++ * Some of them rely on DMA zone in low 32-bit memory. Keep low RAM
++ * DMA zone on platforms that have RAM there.
++ */
++ if (memblock_start_of_DRAM() < U32_MAX)
++ zone_dma_limit = min(zone_dma_limit, U32_MAX);
+ arm64_dma_phys_limit = max_zone_phys(zone_dma_limit);
+ max_zone_pfns[ZONE_DMA] = PFN_DOWN(arm64_dma_phys_limit);
+ #endif
--- /dev/null
+From f5d71291841aecfe5d8435da2dfa7f58ccd18bc8 Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Thu, 5 Dec 2024 12:16:53 +0000
+Subject: arm64: ptrace: fix partial SETREGSET for NT_ARM_FPMR
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+commit f5d71291841aecfe5d8435da2dfa7f58ccd18bc8 upstream.
+
+Currently fpmr_set() doesn't initialize the temporary 'fpmr' variable,
+and a SETREGSET call with a length of zero will leave this
+uninitialized. Consequently an arbitrary value will be written back to
+target->thread.uw.fpmr, potentially leaking up to 64 bits of memory from
+the kernel stack. The read is limited to a specific slot on the stack,
+and the issue does not provide a write mechanism.
+
+Fix this by initializing the temporary value before copying the regset
+from userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG,
+NT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing
+contents of FPMR will be retained.
+
+Before this patch:
+
+| # ./fpmr-test
+| Attempting to write NT_ARM_FPMR::fpmr = 0x900d900d900d900d
+| SETREGSET(nt=0x40e, len=8) wrote 8 bytes
+|
+| Attempting to read NT_ARM_FPMR::fpmr
+| GETREGSET(nt=0x40e, len=8) read 8 bytes
+| Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d
+|
+| Attempting to write NT_ARM_FPMR (zero length)
+| SETREGSET(nt=0x40e, len=0) wrote 0 bytes
+|
+| Attempting to read NT_ARM_FPMR::fpmr
+| GETREGSET(nt=0x40e, len=8) read 8 bytes
+| Read NT_ARM_FPMR::fpmr = 0xffff800083963d50
+
+After this patch:
+
+| # ./fpmr-test
+| Attempting to write NT_ARM_FPMR::fpmr = 0x900d900d900d900d
+| SETREGSET(nt=0x40e, len=8) wrote 8 bytes
+|
+| Attempting to read NT_ARM_FPMR::fpmr
+| GETREGSET(nt=0x40e, len=8) read 8 bytes
+| Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d
+|
+| Attempting to write NT_ARM_FPMR (zero length)
+| SETREGSET(nt=0x40e, len=0) wrote 0 bytes
+|
+| Attempting to read NT_ARM_FPMR::fpmr
+| GETREGSET(nt=0x40e, len=8) read 8 bytes
+| Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d
+
+Fixes: 4035c22ef7d4 ("arm64/ptrace: Expose FPMR via ptrace")
+Cc: <stable@vger.kernel.org> # 6.9.x
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Will Deacon <will@kernel.org>
+Reviewed-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20241205121655.1824269-3-mark.rutland@arm.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/ptrace.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/kernel/ptrace.c
++++ b/arch/arm64/kernel/ptrace.c
+@@ -719,6 +719,8 @@ static int fpmr_set(struct task_struct *
+ if (!system_supports_fpmr())
+ return -EINVAL;
+
++ fpmr = target->thread.uw.fpmr;
++
+ ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &fpmr, 0, count);
+ if (ret)
+ return ret;
--- /dev/null
+From 594bfc4947c4fcabba1318d8384c61a29a6b89fb Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Thu, 5 Dec 2024 12:16:54 +0000
+Subject: arm64: ptrace: fix partial SETREGSET for NT_ARM_POE
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+commit 594bfc4947c4fcabba1318d8384c61a29a6b89fb upstream.
+
+Currently poe_set() doesn't initialize the temporary 'ctrl' variable,
+and a SETREGSET call with a length of zero will leave this
+uninitialized. Consequently an arbitrary value will be written back to
+target->thread.por_el0, potentially leaking up to 64 bits of memory from
+the kernel stack. The read is limited to a specific slot on the stack,
+and the issue does not provide a write mechanism.
+
+Fix this by initializing the temporary value before copying the regset
+from userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG,
+NT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing
+contents of POR_EL1 will be retained.
+
+Before this patch:
+
+| # ./poe-test
+| Attempting to write NT_ARM_POE::por_el0 = 0x900d900d900d900d
+| SETREGSET(nt=0x40f, len=8) wrote 8 bytes
+|
+| Attempting to read NT_ARM_POE::por_el0
+| GETREGSET(nt=0x40f, len=8) read 8 bytes
+| Read NT_ARM_POE::por_el0 = 0x900d900d900d900d
+|
+| Attempting to write NT_ARM_POE (zero length)
+| SETREGSET(nt=0x40f, len=0) wrote 0 bytes
+|
+| Attempting to read NT_ARM_POE::por_el0
+| GETREGSET(nt=0x40f, len=8) read 8 bytes
+| Read NT_ARM_POE::por_el0 = 0xffff8000839c3d50
+
+After this patch:
+
+| # ./poe-test
+| Attempting to write NT_ARM_POE::por_el0 = 0x900d900d900d900d
+| SETREGSET(nt=0x40f, len=8) wrote 8 bytes
+|
+| Attempting to read NT_ARM_POE::por_el0
+| GETREGSET(nt=0x40f, len=8) read 8 bytes
+| Read NT_ARM_POE::por_el0 = 0x900d900d900d900d
+|
+| Attempting to write NT_ARM_POE (zero length)
+| SETREGSET(nt=0x40f, len=0) wrote 0 bytes
+|
+| Attempting to read NT_ARM_POE::por_el0
+| GETREGSET(nt=0x40f, len=8) read 8 bytes
+| Read NT_ARM_POE::por_el0 = 0x900d900d900d900d
+
+Fixes: 175198199262 ("arm64/ptrace: add support for FEAT_POE")
+Cc: <stable@vger.kernel.org> # 6.12.x
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: Joey Gouly <joey.gouly@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Reviewed-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20241205121655.1824269-4-mark.rutland@arm.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/ptrace.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/kernel/ptrace.c
++++ b/arch/arm64/kernel/ptrace.c
+@@ -1469,6 +1469,8 @@ static int poe_set(struct task_struct *t
+ if (!system_supports_poe())
+ return -EINVAL;
+
++ ctrl = target->thread.por_el0;
++
+ ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &ctrl, 0, -1);
+ if (ret)
+ return ret;
--- /dev/null
+From ca62d90085f4af36de745883faab9f8a7cbb45d3 Mon Sep 17 00:00:00 2001
+From: Mark Rutland <mark.rutland@arm.com>
+Date: Thu, 5 Dec 2024 12:16:52 +0000
+Subject: arm64: ptrace: fix partial SETREGSET for NT_ARM_TAGGED_ADDR_CTRL
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+commit ca62d90085f4af36de745883faab9f8a7cbb45d3 upstream.
+
+Currently tagged_addr_ctrl_set() doesn't initialize the temporary 'ctrl'
+variable, and a SETREGSET call with a length of zero will leave this
+uninitialized. Consequently tagged_addr_ctrl_set() will consume an
+arbitrary value, potentially leaking up to 64 bits of memory from the
+kernel stack. The read is limited to a specific slot on the stack, and
+the issue does not provide a write mechanism.
+
+As set_tagged_addr_ctrl() only accepts values where bits [63:4] zero and
+rejects other values, a partial SETREGSET attempt will randomly succeed
+or fail depending on the value of the uninitialized value, and the
+exposure is significantly limited.
+
+Fix this by initializing the temporary value before copying the regset
+from userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG,
+NT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing
+value of the tagged address ctrl will be retained.
+
+The NT_ARM_TAGGED_ADDR_CTRL regset is only visible in the
+user_aarch64_view used by a native AArch64 task to manipulate another
+native AArch64 task. As get_tagged_addr_ctrl() only returns an error
+value when called for a compat task, tagged_addr_ctrl_get() and
+tagged_addr_ctrl_set() should never observe an error value from
+get_tagged_addr_ctrl(). Add a WARN_ON_ONCE() to both to indicate that
+such an error would be unexpected, and error handlnig is not missing in
+either case.
+
+Fixes: 2200aa7154cb ("arm64: mte: ptrace: Add NT_ARM_TAGGED_ADDR_CTRL regset")
+Cc: <stable@vger.kernel.org> # 5.10.x
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Cc: Will Deacon <will@kernel.org>
+Reviewed-by: Mark Brown <broonie@kernel.org>
+Link: https://lore.kernel.org/r/20241205121655.1824269-2-mark.rutland@arm.com
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/ptrace.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/ptrace.c
++++ b/arch/arm64/kernel/ptrace.c
+@@ -1418,7 +1418,7 @@ static int tagged_addr_ctrl_get(struct t
+ {
+ long ctrl = get_tagged_addr_ctrl(target);
+
+- if (IS_ERR_VALUE(ctrl))
++ if (WARN_ON_ONCE(IS_ERR_VALUE(ctrl)))
+ return ctrl;
+
+ return membuf_write(&to, &ctrl, sizeof(ctrl));
+@@ -1432,6 +1432,10 @@ static int tagged_addr_ctrl_set(struct t
+ int ret;
+ long ctrl;
+
++ ctrl = get_tagged_addr_ctrl(target);
++ if (WARN_ON_ONCE(IS_ERR_VALUE(ctrl)))
++ return ctrl;
++
+ ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &ctrl, 0, -1);
+ if (ret)
+ return ret;
--- /dev/null
+From b2e382ae12a63560fca35050498e19e760adf8c0 Mon Sep 17 00:00:00 2001
+From: Liequan Che <cheliequan@inspur.com>
+Date: Mon, 2 Dec 2024 19:56:38 +0800
+Subject: bcache: revert replacing IS_ERR_OR_NULL with IS_ERR again
+
+From: Liequan Che <cheliequan@inspur.com>
+
+commit b2e382ae12a63560fca35050498e19e760adf8c0 upstream.
+
+Commit 028ddcac477b ("bcache: Remove unnecessary NULL point check in
+node allocations") leads a NULL pointer deference in cache_set_flush().
+
+1721 if (!IS_ERR_OR_NULL(c->root))
+1722 list_add(&c->root->list, &c->btree_cache);
+
+>From the above code in cache_set_flush(), if previous registration code
+fails before allocating c->root, it is possible c->root is NULL as what
+it is initialized. __bch_btree_node_alloc() never returns NULL but
+c->root is possible to be NULL at above line 1721.
+
+This patch replaces IS_ERR() by IS_ERR_OR_NULL() to fix this.
+
+Fixes: 028ddcac477b ("bcache: Remove unnecessary NULL point check in node allocations")
+Signed-off-by: Liequan Che <cheliequan@inspur.com>
+Cc: stable@vger.kernel.org
+Cc: Zheng Wang <zyytlz.wz@163.com>
+Reviewed-by: Mingzhe Zou <mingzhe.zou@easystack.cn>
+Signed-off-by: Coly Li <colyli@suse.de>
+Link: https://lore.kernel.org/r/20241202115638.28957-1-colyli@suse.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/bcache/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/bcache/super.c
++++ b/drivers/md/bcache/super.c
+@@ -1718,7 +1718,7 @@ static CLOSURE_CALLBACK(cache_set_flush)
+ if (!IS_ERR_OR_NULL(c->gc_thread))
+ kthread_stop(c->gc_thread);
+
+- if (!IS_ERR(c->root))
++ if (!IS_ERR_OR_NULL(c->root))
+ list_add(&c->root->list, &c->btree_cache);
+
+ /*
--- /dev/null
+From ee1dfbdd8b4b6de85e96ae2059dc9c1bdb6b49b5 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Thu, 21 Nov 2024 11:08:25 +0100
+Subject: can: dev: can_set_termination(): allow sleeping GPIOs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit ee1dfbdd8b4b6de85e96ae2059dc9c1bdb6b49b5 upstream.
+
+In commit 6e86a1543c37 ("can: dev: provide optional GPIO based
+termination support") GPIO based termination support was added.
+
+For no particular reason that patch uses gpiod_set_value() to set the
+GPIO. This leads to the following warning, if the systems uses a
+sleeping GPIO, i.e. behind an I2C port expander:
+
+| WARNING: CPU: 0 PID: 379 at /drivers/gpio/gpiolib.c:3496 gpiod_set_value+0x50/0x6c
+| CPU: 0 UID: 0 PID: 379 Comm: ip Not tainted 6.11.0-20241016-1 #1 823affae360cc91126e4d316d7a614a8bf86236c
+
+Replace gpiod_set_value() by gpiod_set_value_cansleep() to allow the
+use of sleeping GPIOs.
+
+Cc: Nicolai Buchwitz <nb@tipi-net.de>
+Cc: Lino Sanfilippo <l.sanfilippo@kunbus.com>
+Cc: stable@vger.kernel.org
+Reported-by: Leonard Göhrs <l.goehrs@pengutronix.de>
+Tested-by: Leonard Göhrs <l.goehrs@pengutronix.de>
+Fixes: 6e86a1543c37 ("can: dev: provide optional GPIO based termination support")
+Link: https://patch.msgid.link/20241121-dev-fix-can_set_termination-v1-1-41fa6e29216d@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/dev/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/dev/dev.c
++++ b/drivers/net/can/dev/dev.c
+@@ -468,7 +468,7 @@ static int can_set_termination(struct ne
+ else
+ set = 0;
+
+- gpiod_set_value(priv->termination_gpio, set);
++ gpiod_set_value_cansleep(priv->termination_gpio, set);
+
+ return 0;
+ }
--- /dev/null
+From 30447a1bc0e066e492552b3e5ffeb63c1605dfe2 Mon Sep 17 00:00:00 2001
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+Date: Sun, 24 Nov 2024 18:42:56 +0100
+Subject: can: mcp251xfd: mcp251xfd_get_tef_len(): work around erratum DS80000789E 6.
+
+From: Marc Kleine-Budde <mkl@pengutronix.de>
+
+commit 30447a1bc0e066e492552b3e5ffeb63c1605dfe2 upstream.
+
+Commit b8e0ddd36ce9 ("can: mcp251xfd: tef: prepare to workaround
+broken TEF FIFO tail index erratum") introduced
+mcp251xfd_get_tef_len() to get the number of unhandled transmit events
+from the Transmit Event FIFO (TEF).
+
+As the TEF has no head index, the driver uses the TX-FIFO's tail index
+instead, assuming that send frames are completed.
+
+When calculating the number of unhandled TEF events, that commit
+didn't take mcp2518fd erratum DS80000789E 6. into account. According
+to that erratum, the FIFOCI bits of a FIFOSTA register, here the
+TX-FIFO tail index might be corrupted.
+
+However here it seems the bit indicating that the TX-FIFO is
+empty (MCP251XFD_REG_FIFOSTA_TFERFFIF) is not correct while the
+TX-FIFO tail index is.
+
+Assume that the TX-FIFO is indeed empty if:
+- Chip's head and tail index are equal (len == 0).
+- The TX-FIFO is less than half full.
+ (The TX-FIFO empty case has already been checked at the
+ beginning of this function.)
+- No free buffers in the TX ring.
+
+If the TX-FIFO is assumed to be empty, assume that the TEF is full and
+return the number of elements in the TX-FIFO (which equals the number
+of TEF elements).
+
+If these assumptions are false, the driver might read to many objects
+from the TEF. mcp251xfd_handle_tefif_one() checks the sequence numbers
+and will refuse to process old events.
+
+Reported-by: Renjaya Raga Zenta <renjaya.zenta@formulatrix.com>
+Closes: https://patch.msgid.link/CAJ7t6HgaeQ3a_OtfszezU=zB-FqiZXqrnATJ3UujNoQJJf7GgA@mail.gmail.com
+Fixes: b8e0ddd36ce9 ("can: mcp251xfd: tef: prepare to workaround broken TEF FIFO tail index erratum")
+Tested-by: Renjaya Raga Zenta <renjaya.zenta@formulatrix.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20241126-mcp251xfd-fix-length-calculation-v2-1-c2ed516ed6ba@pengutronix.de
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c | 29 +++++++++++++++++++++++++-
+ 1 file changed, 28 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c
++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-tef.c
+@@ -21,6 +21,11 @@ static inline bool mcp251xfd_tx_fifo_sta
+ return fifo_sta & MCP251XFD_REG_FIFOSTA_TFERFFIF;
+ }
+
++static inline bool mcp251xfd_tx_fifo_sta_less_than_half_full(u32 fifo_sta)
++{
++ return fifo_sta & MCP251XFD_REG_FIFOSTA_TFHRFHIF;
++}
++
+ static inline int
+ mcp251xfd_tef_tail_get_from_chip(const struct mcp251xfd_priv *priv,
+ u8 *tef_tail)
+@@ -147,7 +152,29 @@ mcp251xfd_get_tef_len(struct mcp251xfd_p
+ BUILD_BUG_ON(sizeof(tx_ring->obj_num) != sizeof(len));
+
+ len = (chip_tx_tail << shift) - (tail << shift);
+- *len_p = len >> shift;
++ len >>= shift;
++
++ /* According to mcp2518fd erratum DS80000789E 6. the FIFOCI
++ * bits of a FIFOSTA register, here the TX-FIFO tail index
++ * might be corrupted.
++ *
++ * However here it seems the bit indicating that the TX-FIFO
++ * is empty (MCP251XFD_REG_FIFOSTA_TFERFFIF) is not correct
++ * while the TX-FIFO tail index is.
++ *
++ * We assume the TX-FIFO is empty, i.e. all pending CAN frames
++ * haven been send, if:
++ * - Chip's head and tail index are equal (len == 0).
++ * - The TX-FIFO is less than half full.
++ * (The TX-FIFO empty case has already been checked at the
++ * beginning of this function.)
++ * - No free buffers in the TX ring.
++ */
++ if (len == 0 && mcp251xfd_tx_fifo_sta_less_than_half_full(fifo_sta) &&
++ mcp251xfd_get_tx_free(tx_ring) == 0)
++ len = tx_ring->obj_num;
++
++ *len_p = len;
+
+ return 0;
+ }
--- /dev/null
+From ca4b2c4607433033e9c4f4659f809af4261d8992 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Fri, 15 Nov 2024 13:15:50 +0100
+Subject: fs/smb/client: avoid querying SMB2_OP_QUERY_WSL_EA for SMB3 POSIX
+
+From: Ralph Boehme <slow@samba.org>
+
+commit ca4b2c4607433033e9c4f4659f809af4261d8992 upstream.
+
+Avoid extra roundtrip
+
+Cc: stable@vger.kernel.org
+Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/smb2inode.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/client/smb2inode.c
++++ b/fs/smb/client/smb2inode.c
+@@ -943,7 +943,8 @@ int smb2_query_path_info(const unsigned
+ if (rc || !data->reparse_point)
+ goto out;
+
+- cmds[num_cmds++] = SMB2_OP_QUERY_WSL_EA;
++ if (!tcon->posix_extensions)
++ cmds[num_cmds++] = SMB2_OP_QUERY_WSL_EA;
+ /*
+ * Skip SMB2_OP_GET_REPARSE if symlink already parsed in create
+ * response.
--- /dev/null
+From 8cb0bc5436351de8a11eef13b7367d64cc0d6c68 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Mon, 25 Nov 2024 16:19:56 +0100
+Subject: fs/smb/client: cifs_prime_dcache() for SMB3 POSIX reparse points
+
+From: Ralph Boehme <slow@samba.org>
+
+commit 8cb0bc5436351de8a11eef13b7367d64cc0d6c68 upstream.
+
+Spares an extra revalidation request
+
+Cc: stable@vger.kernel.org
+Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/readdir.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/client/readdir.c
++++ b/fs/smb/client/readdir.c
+@@ -71,6 +71,8 @@ cifs_prime_dcache(struct dentry *parent,
+ struct inode *inode;
+ struct super_block *sb = parent->d_sb;
+ struct cifs_sb_info *cifs_sb = CIFS_SB(sb);
++ bool posix = cifs_sb_master_tcon(cifs_sb)->posix_extensions;
++ bool reparse_need_reval = false;
+ DECLARE_WAIT_QUEUE_HEAD_ONSTACK(wq);
+ int rc;
+
+@@ -85,7 +87,21 @@ cifs_prime_dcache(struct dentry *parent,
+ * this spares us an invalidation.
+ */
+ retry:
+- if ((fattr->cf_cifsattrs & ATTR_REPARSE) ||
++ if (posix) {
++ switch (fattr->cf_mode & S_IFMT) {
++ case S_IFLNK:
++ case S_IFBLK:
++ case S_IFCHR:
++ reparse_need_reval = true;
++ break;
++ default:
++ break;
++ }
++ } else if (fattr->cf_cifsattrs & ATTR_REPARSE) {
++ reparse_need_reval = true;
++ }
++
++ if (reparse_need_reval ||
+ (fattr->cf_flags & CIFS_FATTR_NEED_REVAL))
+ return;
+
--- /dev/null
+From 6a832bc8bbb22350f7ffe6ecb2d36f261bb96023 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Fri, 15 Nov 2024 19:21:04 +0100
+Subject: fs/smb/client: Implement new SMB3 POSIX type
+
+From: Ralph Boehme <slow@samba.org>
+
+commit 6a832bc8bbb22350f7ffe6ecb2d36f261bb96023 upstream.
+
+Fixes special files against current Samba.
+
+On the Samba server:
+
+insgesamt 20
+131958 brw-r--r-- 1 root root 0, 0 15. Nov 12:04 blockdev
+131965 crw-r--r-- 1 root root 1, 1 15. Nov 12:04 chardev
+131966 prw-r--r-- 1 samba samba 0 15. Nov 12:05 fifo
+131953 -rw-rwxrw-+ 2 samba samba 4 18. Nov 11:37 file
+131953 -rw-rwxrw-+ 2 samba samba 4 18. Nov 11:37 hardlink
+131957 lrwxrwxrwx 1 samba samba 4 15. Nov 12:03 symlink -> file
+131954 -rwxrwxr-x+ 1 samba samba 0 18. Nov 15:28 symlinkoversmb
+
+Before:
+
+ls: cannot access '/mnt/smb3unix/posix/blockdev': No data available
+ls: cannot access '/mnt/smb3unix/posix/chardev': No data available
+ls: cannot access '/mnt/smb3unix/posix/symlinkoversmb': No data available
+ls: cannot access '/mnt/smb3unix/posix/fifo': No data available
+ls: cannot access '/mnt/smb3unix/posix/symlink': No data available
+total 16
+ ? -????????? ? ? ? ? ? blockdev
+ ? -????????? ? ? ? ? ? chardev
+ ? -????????? ? ? ? ? ? fifo
+131953 -rw-rwxrw- 2 root samba 4 Nov 18 11:37 file
+131953 -rw-rwxrw- 2 root samba 4 Nov 18 11:37 hardlink
+ ? -????????? ? ? ? ? ? symlink
+ ? -????????? ? ? ? ? ? symlinkoversmb
+
+After:
+
+insgesamt 21
+131958 brw-r--r-- 1 root root 0, 0 15. Nov 12:04 blockdev
+131965 crw-r--r-- 1 root root 1, 1 15. Nov 12:04 chardev
+131966 prw-r--r-- 1 root samba 0 15. Nov 12:05 fifo
+131953 -rw-rwxrw- 2 root samba 4 18. Nov 11:37 file
+131953 -rw-rwxrw- 2 root samba 4 18. Nov 11:37 hardlink
+131957 lrwxrwxrwx 1 root samba 4 15. Nov 12:03 symlink -> file
+131954 lrwxrwxr-x 1 root samba 23 18. Nov 15:28 symlinkoversmb -> mnt/smb3unix/posix/file
+
+Cc: stable@vger.kernel.org
+Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/cifsproto.h | 1
+ fs/smb/client/inode.c | 89 +++++++++++++++++++++++++++++++++++++++++-----
+ fs/smb/client/readdir.c | 35 ++++++++----------
+ fs/smb/client/reparse.c | 84 ++++++++++++++++++++++++++-----------------
+ 4 files changed, 149 insertions(+), 60 deletions(-)
+
+--- a/fs/smb/client/cifsproto.h
++++ b/fs/smb/client/cifsproto.h
+@@ -677,6 +677,7 @@ int __cifs_sfu_make_node(unsigned int xi
+ int cifs_sfu_make_node(unsigned int xid, struct inode *inode,
+ struct dentry *dentry, struct cifs_tcon *tcon,
+ const char *full_path, umode_t mode, dev_t dev);
++umode_t wire_mode_to_posix(u32 wire);
+
+ #ifdef CONFIG_CIFS_DFS_UPCALL
+ static inline int get_dfs_path(const unsigned int xid, struct cifs_ses *ses,
+--- a/fs/smb/client/inode.c
++++ b/fs/smb/client/inode.c
+@@ -724,6 +724,84 @@ static int cifs_sfu_mode(struct cifs_fat
+ #endif
+ }
+
++#define POSIX_TYPE_FILE 0
++#define POSIX_TYPE_DIR 1
++#define POSIX_TYPE_SYMLINK 2
++#define POSIX_TYPE_CHARDEV 3
++#define POSIX_TYPE_BLKDEV 4
++#define POSIX_TYPE_FIFO 5
++#define POSIX_TYPE_SOCKET 6
++
++#define POSIX_X_OTH 0000001
++#define POSIX_W_OTH 0000002
++#define POSIX_R_OTH 0000004
++#define POSIX_X_GRP 0000010
++#define POSIX_W_GRP 0000020
++#define POSIX_R_GRP 0000040
++#define POSIX_X_USR 0000100
++#define POSIX_W_USR 0000200
++#define POSIX_R_USR 0000400
++#define POSIX_STICKY 0001000
++#define POSIX_SET_GID 0002000
++#define POSIX_SET_UID 0004000
++
++#define POSIX_OTH_MASK 0000007
++#define POSIX_GRP_MASK 0000070
++#define POSIX_USR_MASK 0000700
++#define POSIX_PERM_MASK 0000777
++#define POSIX_FILETYPE_MASK 0070000
++
++#define POSIX_FILETYPE_SHIFT 12
++
++static u32 wire_perms_to_posix(u32 wire)
++{
++ u32 mode = 0;
++
++ mode |= (wire & POSIX_X_OTH) ? S_IXOTH : 0;
++ mode |= (wire & POSIX_W_OTH) ? S_IWOTH : 0;
++ mode |= (wire & POSIX_R_OTH) ? S_IROTH : 0;
++ mode |= (wire & POSIX_X_GRP) ? S_IXGRP : 0;
++ mode |= (wire & POSIX_W_GRP) ? S_IWGRP : 0;
++ mode |= (wire & POSIX_R_GRP) ? S_IRGRP : 0;
++ mode |= (wire & POSIX_X_USR) ? S_IXUSR : 0;
++ mode |= (wire & POSIX_W_USR) ? S_IWUSR : 0;
++ mode |= (wire & POSIX_R_USR) ? S_IRUSR : 0;
++ mode |= (wire & POSIX_STICKY) ? S_ISVTX : 0;
++ mode |= (wire & POSIX_SET_GID) ? S_ISGID : 0;
++ mode |= (wire & POSIX_SET_UID) ? S_ISUID : 0;
++
++ return mode;
++}
++
++static u32 posix_filetypes[] = {
++ S_IFREG,
++ S_IFDIR,
++ S_IFLNK,
++ S_IFCHR,
++ S_IFBLK,
++ S_IFIFO,
++ S_IFSOCK
++};
++
++static u32 wire_filetype_to_posix(u32 wire_type)
++{
++ if (wire_type >= ARRAY_SIZE(posix_filetypes)) {
++ pr_warn("Unexpected type %u", wire_type);
++ return 0;
++ }
++ return posix_filetypes[wire_type];
++}
++
++umode_t wire_mode_to_posix(u32 wire)
++{
++ u32 wire_type;
++ u32 mode;
++
++ wire_type = (wire & POSIX_FILETYPE_MASK) >> POSIX_FILETYPE_SHIFT;
++ mode = (wire_perms_to_posix(wire) | wire_filetype_to_posix(wire_type));
++ return (umode_t)mode;
++}
++
+ /* Fill a cifs_fattr struct with info from POSIX info struct */
+ static void smb311_posix_info_to_fattr(struct cifs_fattr *fattr,
+ struct cifs_open_info_data *data,
+@@ -760,20 +838,13 @@ static void smb311_posix_info_to_fattr(s
+ fattr->cf_bytes = le64_to_cpu(info->AllocationSize);
+ fattr->cf_createtime = le64_to_cpu(info->CreationTime);
+ fattr->cf_nlink = le32_to_cpu(info->HardLinks);
+- fattr->cf_mode = (umode_t) le32_to_cpu(info->Mode);
++ fattr->cf_mode = wire_mode_to_posix(le32_to_cpu(info->Mode));
+
+ if (cifs_open_data_reparse(data) &&
+ cifs_reparse_point_to_fattr(cifs_sb, fattr, data))
+ goto out_reparse;
+
+- fattr->cf_mode &= ~S_IFMT;
+- if (fattr->cf_cifsattrs & ATTR_DIRECTORY) {
+- fattr->cf_mode |= S_IFDIR;
+- fattr->cf_dtype = DT_DIR;
+- } else { /* file */
+- fattr->cf_mode |= S_IFREG;
+- fattr->cf_dtype = DT_REG;
+- }
++ fattr->cf_dtype = S_DT(fattr->cf_mode);
+
+ out_reparse:
+ if (S_ISLNK(fattr->cf_mode)) {
+--- a/fs/smb/client/readdir.c
++++ b/fs/smb/client/readdir.c
+@@ -241,31 +241,28 @@ cifs_posix_to_fattr(struct cifs_fattr *f
+ fattr->cf_nlink = le32_to_cpu(info->HardLinks);
+ fattr->cf_cifsattrs = le32_to_cpu(info->DosAttributes);
+
+- /*
+- * Since we set the inode type below we need to mask off
+- * to avoid strange results if bits set above.
+- * XXX: why not make server&client use the type bits?
+- */
+- fattr->cf_mode = le32_to_cpu(info->Mode) & ~S_IFMT;
++ if (fattr->cf_cifsattrs & ATTR_REPARSE)
++ fattr->cf_cifstag = le32_to_cpu(info->ReparseTag);
++
++ /* The Mode field in the response can now include the file type as well */
++ fattr->cf_mode = wire_mode_to_posix(le32_to_cpu(info->Mode));
++ fattr->cf_dtype = S_DT(le32_to_cpu(info->Mode));
++
++ switch (fattr->cf_mode & S_IFMT) {
++ case S_IFLNK:
++ case S_IFBLK:
++ case S_IFCHR:
++ fattr->cf_flags |= CIFS_FATTR_NEED_REVAL;
++ break;
++ default:
++ break;
++ }
+
+ cifs_dbg(FYI, "posix fattr: dev %d, reparse %d, mode %o\n",
+ le32_to_cpu(info->DeviceId),
+ le32_to_cpu(info->ReparseTag),
+ le32_to_cpu(info->Mode));
+
+- if (fattr->cf_cifsattrs & ATTR_DIRECTORY) {
+- fattr->cf_mode |= S_IFDIR;
+- fattr->cf_dtype = DT_DIR;
+- } else {
+- /*
+- * mark anything that is not a dir as regular
+- * file. special files should have the REPARSE
+- * attribute and will be marked as needing revaluation
+- */
+- fattr->cf_mode |= S_IFREG;
+- fattr->cf_dtype = DT_REG;
+- }
+-
+ sid_to_id(cifs_sb, &parsed.owner, fattr, SIDOWNER);
+ sid_to_id(cifs_sb, &parsed.group, fattr, SIDGROUP);
+ }
+--- a/fs/smb/client/reparse.c
++++ b/fs/smb/client/reparse.c
+@@ -730,44 +730,60 @@ out:
+ fattr->cf_dtype = S_DT(fattr->cf_mode);
+ }
+
+-bool cifs_reparse_point_to_fattr(struct cifs_sb_info *cifs_sb,
+- struct cifs_fattr *fattr,
+- struct cifs_open_info_data *data)
++static bool posix_reparse_to_fattr(struct cifs_sb_info *cifs_sb,
++ struct cifs_fattr *fattr,
++ struct cifs_open_info_data *data)
+ {
+ struct reparse_posix_data *buf = data->reparse.posix;
+- u32 tag = data->reparse.tag;
+
+- if (tag == IO_REPARSE_TAG_NFS && buf) {
+- if (le16_to_cpu(buf->ReparseDataLength) < sizeof(buf->InodeType))
++
++ if (buf == NULL)
++ return true;
++
++ if (le16_to_cpu(buf->ReparseDataLength) < sizeof(buf->InodeType)) {
++ WARN_ON_ONCE(1);
++ return false;
++ }
++
++ switch (le64_to_cpu(buf->InodeType)) {
++ case NFS_SPECFILE_CHR:
++ if (le16_to_cpu(buf->ReparseDataLength) != sizeof(buf->InodeType) + 8) {
++ WARN_ON_ONCE(1);
+ return false;
+- switch (le64_to_cpu(buf->InodeType)) {
+- case NFS_SPECFILE_CHR:
+- if (le16_to_cpu(buf->ReparseDataLength) != sizeof(buf->InodeType) + 8)
+- return false;
+- fattr->cf_mode |= S_IFCHR;
+- fattr->cf_rdev = reparse_mkdev(buf->DataBuffer);
+- break;
+- case NFS_SPECFILE_BLK:
+- if (le16_to_cpu(buf->ReparseDataLength) != sizeof(buf->InodeType) + 8)
+- return false;
+- fattr->cf_mode |= S_IFBLK;
+- fattr->cf_rdev = reparse_mkdev(buf->DataBuffer);
+- break;
+- case NFS_SPECFILE_FIFO:
+- fattr->cf_mode |= S_IFIFO;
+- break;
+- case NFS_SPECFILE_SOCK:
+- fattr->cf_mode |= S_IFSOCK;
+- break;
+- case NFS_SPECFILE_LNK:
+- fattr->cf_mode |= S_IFLNK;
+- break;
+- default:
++ }
++ fattr->cf_mode |= S_IFCHR;
++ fattr->cf_rdev = reparse_mkdev(buf->DataBuffer);
++ break;
++ case NFS_SPECFILE_BLK:
++ if (le16_to_cpu(buf->ReparseDataLength) != sizeof(buf->InodeType) + 8) {
+ WARN_ON_ONCE(1);
+ return false;
+ }
+- goto out;
++ fattr->cf_mode |= S_IFBLK;
++ fattr->cf_rdev = reparse_mkdev(buf->DataBuffer);
++ break;
++ case NFS_SPECFILE_FIFO:
++ fattr->cf_mode |= S_IFIFO;
++ break;
++ case NFS_SPECFILE_SOCK:
++ fattr->cf_mode |= S_IFSOCK;
++ break;
++ case NFS_SPECFILE_LNK:
++ fattr->cf_mode |= S_IFLNK;
++ break;
++ default:
++ WARN_ON_ONCE(1);
++ return false;
+ }
++ return true;
++}
++
++bool cifs_reparse_point_to_fattr(struct cifs_sb_info *cifs_sb,
++ struct cifs_fattr *fattr,
++ struct cifs_open_info_data *data)
++{
++ u32 tag = data->reparse.tag;
++ bool ok;
+
+ switch (tag) {
+ case IO_REPARSE_TAG_INTERNAL:
+@@ -787,15 +803,19 @@ bool cifs_reparse_point_to_fattr(struct
+ case IO_REPARSE_TAG_LX_BLK:
+ wsl_to_fattr(data, cifs_sb, tag, fattr);
+ break;
++ case IO_REPARSE_TAG_NFS:
++ ok = posix_reparse_to_fattr(cifs_sb, fattr, data);
++ if (!ok)
++ return false;
++ break;
+ case 0: /* SMB1 symlink */
+ case IO_REPARSE_TAG_SYMLINK:
+- case IO_REPARSE_TAG_NFS:
+ fattr->cf_mode |= S_IFLNK;
+ break;
+ default:
+ return false;
+ }
+-out:
++
+ fattr->cf_dtype = S_DT(fattr->cf_mode);
+ return true;
+ }
--- /dev/null
+From a07d2d7930c75e6bf88683b376d09ab1f3fed2aa Mon Sep 17 00:00:00 2001
+From: Bernd Schubert <bschubert@ddn.com>
+Date: Tue, 3 Dec 2024 11:31:05 +0100
+Subject: io_uring: Change res2 parameter type in io_uring_cmd_done
+
+From: Bernd Schubert <bschubert@ddn.com>
+
+commit a07d2d7930c75e6bf88683b376d09ab1f3fed2aa upstream.
+
+Change the type of the res2 parameter in io_uring_cmd_done from ssize_t
+to u64. This aligns the parameter type with io_req_set_cqe32_extra,
+which expects u64 arguments.
+The change eliminates potential issues on 32-bit architectures where
+ssize_t might be 32-bit.
+
+Only user of passing res2 is drivers/nvme/host/ioctl.c and it actually
+passes u64.
+
+Fixes: ee692a21e9bf ("fs,io_uring: add infrastructure for uring-cmd")
+Cc: stable@vger.kernel.org
+Reviewed-by: Kanchan Joshi <joshi.k@samsung.com>
+Tested-by: Li Zetao <lizetao1@huawei.com>
+Reviewed-by: Li Zetao <lizetao1@huawei.com>
+Signed-off-by: Bernd Schubert <bschubert@ddn.com>
+Link: https://lore.kernel.org/r/20241203-io_uring_cmd_done-res2-as-u64-v2-1-5e59ae617151@ddn.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/io_uring/cmd.h | 4 ++--
+ io_uring/uring_cmd.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/include/linux/io_uring/cmd.h
++++ b/include/linux/io_uring/cmd.h
+@@ -43,7 +43,7 @@ int io_uring_cmd_import_fixed(u64 ubuf,
+ * Note: the caller should never hard code @issue_flags and is only allowed
+ * to pass the mask provided by the core io_uring code.
+ */
+-void io_uring_cmd_done(struct io_uring_cmd *cmd, ssize_t ret, ssize_t res2,
++void io_uring_cmd_done(struct io_uring_cmd *cmd, ssize_t ret, u64 res2,
+ unsigned issue_flags);
+
+ void __io_uring_cmd_do_in_task(struct io_uring_cmd *ioucmd,
+@@ -67,7 +67,7 @@ static inline int io_uring_cmd_import_fi
+ return -EOPNOTSUPP;
+ }
+ static inline void io_uring_cmd_done(struct io_uring_cmd *cmd, ssize_t ret,
+- ssize_t ret2, unsigned issue_flags)
++ u64 ret2, unsigned issue_flags)
+ {
+ }
+ static inline void __io_uring_cmd_do_in_task(struct io_uring_cmd *ioucmd,
+--- a/io_uring/uring_cmd.c
++++ b/io_uring/uring_cmd.c
+@@ -147,7 +147,7 @@ static inline void io_req_set_cqe32_extr
+ * Called by consumers of io_uring_cmd, if they originally returned
+ * -EIOCBQUEUED upon receiving the command.
+ */
+-void io_uring_cmd_done(struct io_uring_cmd *ioucmd, ssize_t ret, ssize_t res2,
++void io_uring_cmd_done(struct io_uring_cmd *ioucmd, ssize_t ret, u64 res2,
+ unsigned issue_flags)
+ {
+ struct io_kiocb *req = cmd_to_io_kiocb(ioucmd);
--- /dev/null
+From af7f4780514f850322b2959032ecaa96e4b26472 Mon Sep 17 00:00:00 2001
+From: Nicolin Chen <nicolinc@nvidia.com>
+Date: Tue, 3 Dec 2024 00:02:54 -0800
+Subject: iommufd: Fix out_fput in iommufd_fault_alloc()
+
+From: Nicolin Chen <nicolinc@nvidia.com>
+
+commit af7f4780514f850322b2959032ecaa96e4b26472 upstream.
+
+As fput() calls the file->f_op->release op, where fault obj and ictx are
+getting released, there is no need to release these two after fput() one
+more time, which would result in imbalanced refcounts:
+ refcount_t: decrement hit 0; leaking memory.
+ WARNING: CPU: 48 PID: 2369 at lib/refcount.c:31 refcount_warn_saturate+0x60/0x230
+ Call trace:
+ refcount_warn_saturate+0x60/0x230 (P)
+ refcount_warn_saturate+0x60/0x230 (L)
+ iommufd_fault_fops_release+0x9c/0xe0 [iommufd]
+ ...
+ VFS: Close: file count is 0 (f_op=iommufd_fops [iommufd])
+ WARNING: CPU: 48 PID: 2369 at fs/open.c:1507 filp_flush+0x3c/0xf0
+ Call trace:
+ filp_flush+0x3c/0xf0 (P)
+ filp_flush+0x3c/0xf0 (L)
+ __arm64_sys_close+0x34/0x98
+ ...
+ imbalanced put on file reference count
+ WARNING: CPU: 48 PID: 2369 at fs/file.c:74 __file_ref_put+0x100/0x138
+ Call trace:
+ __file_ref_put+0x100/0x138 (P)
+ __file_ref_put+0x100/0x138 (L)
+ __fput_sync+0x4c/0xd0
+
+Drop those two lines to fix the warnings above.
+
+Cc: stable@vger.kernel.org
+Fixes: 07838f7fd529 ("iommufd: Add iommufd fault object")
+Link: https://patch.msgid.link/r/b5651beb3a6b1adeef26fffac24607353bf67ba1.1733212723.git.nicolinc@nvidia.com
+Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
+Reviewed-by: Yi Liu <yi.l.liu@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/iommufd/fault.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/iommu/iommufd/fault.c
++++ b/drivers/iommu/iommufd/fault.c
+@@ -415,8 +415,6 @@ out_put_fdno:
+ put_unused_fd(fdno);
+ out_fput:
+ fput(filep);
+- refcount_dec(&fault->obj.users);
+- iommufd_ctx_put(fault->ictx);
+ out_abort:
+ iommufd_object_abort_and_destroy(ucmd->ictx, &fault->obj);
+
--- /dev/null
+From fc342cf86e2dc4d2edb0fc2ff5e28b6c7845adb9 Mon Sep 17 00:00:00 2001
+From: Jordy Zomer <jordyzomer@google.com>
+Date: Thu, 28 Nov 2024 09:32:45 +0900
+Subject: ksmbd: fix Out-of-Bounds Read in ksmbd_vfs_stream_read
+
+From: Jordy Zomer <jordyzomer@google.com>
+
+commit fc342cf86e2dc4d2edb0fc2ff5e28b6c7845adb9 upstream.
+
+An offset from client could be a negative value, It could lead
+to an out-of-bounds read from the stream_buf.
+Note that this issue is coming when setting
+'vfs objects = streams_xattr parameter' in ksmbd.conf.
+
+Cc: stable@vger.kernel.org # v5.15+
+Reported-by: Jordy Zomer <jordyzomer@google.com>
+Signed-off-by: Jordy Zomer <jordyzomer@google.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -6651,6 +6651,10 @@ int smb2_read(struct ksmbd_work *work)
+ }
+
+ offset = le64_to_cpu(req->Offset);
++ if (offset < 0) {
++ err = -EINVAL;
++ goto out;
++ }
+ length = le32_to_cpu(req->Length);
+ mincount = le32_to_cpu(req->MinimumCount);
+
--- /dev/null
+From 313dab082289e460391c82d855430ec8a28ddf81 Mon Sep 17 00:00:00 2001
+From: Jordy Zomer <jordyzomer@google.com>
+Date: Thu, 28 Nov 2024 09:33:25 +0900
+Subject: ksmbd: fix Out-of-Bounds Write in ksmbd_vfs_stream_write
+
+From: Jordy Zomer <jordyzomer@google.com>
+
+commit 313dab082289e460391c82d855430ec8a28ddf81 upstream.
+
+An offset from client could be a negative value, It could allows
+to write data outside the bounds of the allocated buffer.
+Note that this issue is coming when setting
+'vfs objects = streams_xattr parameter' in ksmbd.conf.
+
+Cc: stable@vger.kernel.org # v5.15+
+Reported-by: Jordy Zomer <jordyzomer@google.com>
+Signed-off-by: Jordy Zomer <jordyzomer@google.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/smb2pdu.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -6868,6 +6868,8 @@ int smb2_write(struct ksmbd_work *work)
+ }
+
+ offset = le64_to_cpu(req->Offset);
++ if (offset < 0)
++ return -EINVAL;
+ length = le32_to_cpu(req->Length);
+
+ if (req->Channel == SMB2_CHANNEL_RDMA_V1 ||
--- /dev/null
+From 7cd1f5f77925ae905a57296932f0f9ef0dc364f8 Mon Sep 17 00:00:00 2001
+From: Bibo Mao <maobibo@loongson.cn>
+Date: Mon, 2 Dec 2024 16:42:08 +0800
+Subject: LoongArch: Add architecture specific huge_pte_clear()
+
+From: Bibo Mao <maobibo@loongson.cn>
+
+commit 7cd1f5f77925ae905a57296932f0f9ef0dc364f8 upstream.
+
+When executing mm selftests run_vmtests.sh, there is such an error:
+
+ BUG: Bad page state in process uffd-unit-tests pfn:00000
+ page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x0
+ flags: 0xffff0000002000(reserved|node=0|zone=0|lastcpupid=0xffff)
+ raw: 00ffff0000002000 ffffbf0000000008 ffffbf0000000008 0000000000000000
+ raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
+ page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set
+ Modules linked in: snd_seq_dummy snd_seq snd_seq_device rfkill vfat fat
+ virtio_balloon efi_pstore virtio_net pstore net_failover failover fuse
+ nfnetlink virtio_scsi virtio_gpu virtio_dma_buf dm_multipath efivarfs
+ CPU: 2 UID: 0 PID: 1913 Comm: uffd-unit-tests Not tainted 6.12.0 #184
+ Hardware name: QEMU QEMU Virtual Machine, BIOS unknown 2/2/2022
+ Stack : 900000047c8ac000 0000000000000000 9000000000223a7c 900000047c8ac000
+ 900000047c8af690 900000047c8af698 0000000000000000 900000047c8af7d8
+ 900000047c8af7d0 900000047c8af7d0 900000047c8af5b0 0000000000000001
+ 0000000000000001 900000047c8af698 10b3c7d53da40d26 0000010000000000
+ 0000000000000022 0000000fffffffff fffffffffe000000 ffff800000000000
+ 000000000000002f 0000800000000000 000000017a6d4000 90000000028f8940
+ 0000000000000000 0000000000000000 90000000025aa5e0 9000000002905000
+ 0000000000000000 90000000028f8940 ffff800000000000 0000000000000000
+ 0000000000000000 0000000000000000 9000000000223a94 000000012001839c
+ 00000000000000b0 0000000000000004 0000000000000000 0000000000071c1d
+ ...
+ Call Trace:
+ [<9000000000223a94>] show_stack+0x5c/0x180
+ [<9000000001c3fd64>] dump_stack_lvl+0x6c/0xa0
+ [<900000000056aa08>] bad_page+0x1a0/0x1f0
+ [<9000000000574978>] free_unref_folios+0xbf0/0xd20
+ [<90000000004e65cc>] folios_put_refs+0x1a4/0x2b8
+ [<9000000000599a0c>] free_pages_and_swap_cache+0x164/0x260
+ [<9000000000547698>] tlb_batch_pages_flush+0xa8/0x1c0
+ [<9000000000547f30>] tlb_finish_mmu+0xa8/0x218
+ [<9000000000543cb8>] exit_mmap+0x1a0/0x360
+ [<9000000000247658>] __mmput+0x78/0x200
+ [<900000000025583c>] do_exit+0x43c/0xde8
+ [<9000000000256490>] do_group_exit+0x68/0x110
+ [<9000000000256554>] sys_exit_group+0x1c/0x20
+ [<9000000001c413b4>] do_syscall+0x94/0x130
+ [<90000000002216d8>] handle_syscall+0xb8/0x158
+ Disabling lock debugging due to kernel taint
+ BUG: non-zero pgtables_bytes on freeing mm: -16384
+
+On LoongArch system, invalid huge pte entry should be invalid_pte_table
+or a single _PAGE_HUGE bit rather than a zero value. And it should be
+the same with invalid pmd entry, since pmd_none() is called by function
+free_pgd_range() and pmd_none() return 0 by huge_pte_clear(). So single
+_PAGE_HUGE bit is also treated as a valid pte table and free_pte_range()
+will be called in free_pmd_range().
+
+ free_pmd_range()
+ pmd = pmd_offset(pud, addr);
+ do {
+ next = pmd_addr_end(addr, end);
+ if (pmd_none_or_clear_bad(pmd))
+ continue;
+ free_pte_range(tlb, pmd, addr);
+ } while (pmd++, addr = next, addr != end);
+
+Here invalid_pte_table is used for both invalid huge pte entry and
+pmd entry.
+
+Cc: stable@vger.kernel.org
+Fixes: 09cfefb7fa70 ("LoongArch: Add memory management")
+Signed-off-by: Bibo Mao <maobibo@loongson.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/include/asm/hugetlb.h | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/arch/loongarch/include/asm/hugetlb.h
++++ b/arch/loongarch/include/asm/hugetlb.h
+@@ -29,6 +29,16 @@ static inline int prepare_hugepage_range
+ return 0;
+ }
+
++#define __HAVE_ARCH_HUGE_PTE_CLEAR
++static inline void huge_pte_clear(struct mm_struct *mm, unsigned long addr,
++ pte_t *ptep, unsigned long sz)
++{
++ pte_t clear;
++
++ pte_val(clear) = (unsigned long)invalid_pte_table;
++ set_pte_at(mm, addr, ptep, clear);
++}
++
+ #define __HAVE_ARCH_HUGE_PTEP_GET_AND_CLEAR
+ static inline pte_t huge_ptep_get_and_clear(struct mm_struct *mm,
+ unsigned long addr, pte_t *ptep)
--- /dev/null
+From 589e6cc7597655bed7b8543b8286925f631f597c Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhuacai@loongson.cn>
+Date: Mon, 2 Dec 2024 16:42:10 +0800
+Subject: LoongArch: KVM: Protect kvm_check_requests() with SRCU
+
+From: Huacai Chen <chenhuacai@loongson.cn>
+
+commit 589e6cc7597655bed7b8543b8286925f631f597c upstream.
+
+When we enable lockdep we get such a warning:
+
+ =============================
+ WARNING: suspicious RCU usage
+ 6.12.0-rc7+ #1891 Tainted: G W
+ -----------------------------
+ include/linux/kvm_host.h:1043 suspicious rcu_dereference_check() usage!
+ other info that might help us debug this:
+ rcu_scheduler_active = 2, debug_locks = 1
+ 1 lock held by qemu-system-loo/948:
+ #0: 90000001184a00a8 (&vcpu->mutex){+.+.}-{4:4}, at: kvm_vcpu_ioctl+0xf4/0xe20 [kvm]
+ stack backtrace:
+ CPU: 0 UID: 0 PID: 948 Comm: qemu-system-loo Tainted: G W 6.12.0-rc7+ #1891
+ Tainted: [W]=WARN
+ Hardware name: Loongson Loongson-3A5000-7A1000-1w-CRB/Loongson-LS3A5000-7A1000-1w-CRB, BIOS vUDK2018-LoongArch-V2.0.0-prebeta9 10/21/2022
+ Stack : 0000000000000089 9000000005a0db9c 90000000071519c8 900000012c578000
+ 900000012c57b920 0000000000000000 900000012c57b928 9000000007e53788
+ 900000000815bcc8 900000000815bcc0 900000012c57b790 0000000000000001
+ 0000000000000001 4b031894b9d6b725 0000000004dec000 90000001003299c0
+ 0000000000000414 0000000000000001 000000000000002d 0000000000000003
+ 0000000000000030 00000000000003b4 0000000004dec000 90000001184a0000
+ 900000000806d000 9000000007e53788 00000000000000b4 0000000000000004
+ 0000000000000004 0000000000000000 0000000000000000 9000000107baf600
+ 9000000008916000 9000000007e53788 9000000005924778 0000000010000044
+ 00000000000000b0 0000000000000004 0000000000000000 0000000000071c1d
+ ...
+ Call Trace:
+ [<9000000005924778>] show_stack+0x38/0x180
+ [<90000000071519c4>] dump_stack_lvl+0x94/0xe4
+ [<90000000059eb754>] lockdep_rcu_suspicious+0x194/0x240
+ [<ffff8000022143bc>] kvm_gfn_to_hva_cache_init+0xfc/0x120 [kvm]
+ [<ffff80000222ade4>] kvm_pre_enter_guest+0x3a4/0x520 [kvm]
+ [<ffff80000222b3dc>] kvm_handle_exit+0x23c/0x480 [kvm]
+
+Fix it by protecting kvm_check_requests() with SRCU.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/kvm/vcpu.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/loongarch/kvm/vcpu.c
++++ b/arch/loongarch/kvm/vcpu.c
+@@ -240,7 +240,7 @@ static void kvm_late_check_requests(stru
+ */
+ static int kvm_enter_guest_check(struct kvm_vcpu *vcpu)
+ {
+- int ret;
++ int idx, ret;
+
+ /*
+ * Check conditions before entering the guest
+@@ -249,7 +249,9 @@ static int kvm_enter_guest_check(struct
+ if (ret < 0)
+ return ret;
+
++ idx = srcu_read_lock(&vcpu->kvm->srcu);
+ ret = kvm_check_requests(vcpu);
++ srcu_read_unlock(&vcpu->kvm->srcu, idx);
+
+ return ret;
+ }
--- /dev/null
+From 31f1b55d5d7e531cd827419e5d71c19f24de161c Mon Sep 17 00:00:00 2001
+From: Shradha Gupta <shradhagupta@linux.microsoft.com>
+Date: Tue, 3 Dec 2024 21:48:20 -0800
+Subject: net :mana :Request a V2 response version for MANA_QUERY_GF_STAT
+
+From: Shradha Gupta <shradhagupta@linux.microsoft.com>
+
+commit 31f1b55d5d7e531cd827419e5d71c19f24de161c upstream.
+
+The current requested response version(V1) for MANA_QUERY_GF_STAT query
+results in STATISTICS_FLAGS_TX_ERRORS_GDMA_ERROR value being set to
+0 always.
+In order to get the correct value for this counter we request the response
+version to be V2.
+
+Cc: stable@vger.kernel.org
+Fixes: e1df5202e879 ("net :mana :Add remaining GDMA stats for MANA to ethtool")
+Signed-off-by: Shradha Gupta <shradhagupta@linux.microsoft.com>
+Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
+Link: https://patch.msgid.link/1733291300-12593-1-git-send-email-shradhagupta@linux.microsoft.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/microsoft/mana/mana_en.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
++++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
+@@ -2439,6 +2439,7 @@ void mana_query_gf_stats(struct mana_por
+
+ mana_gd_init_req_hdr(&req.hdr, MANA_QUERY_GF_STAT,
+ sizeof(req), sizeof(resp));
++ req.hdr.resp.msg_version = GDMA_MESSAGE_V2;
+ req.req_stats = STATISTICS_FLAGS_RX_DISCARDS_NO_WQE |
+ STATISTICS_FLAGS_RX_ERRORS_VPORT_DISABLED |
+ STATISTICS_FLAGS_HC_RX_BYTES |
--- /dev/null
+From 985ebec4ab0a28bb5910c3b1481a40fbf7f9e61d Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Date: Wed, 20 Nov 2024 02:23:37 +0900
+Subject: nilfs2: fix potential out-of-bounds memory access in nilfs_find_entry()
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+commit 985ebec4ab0a28bb5910c3b1481a40fbf7f9e61d upstream.
+
+Syzbot reported that when searching for records in a directory where the
+inode's i_size is corrupted and has a large value, memory access outside
+the folio/page range may occur, or a use-after-free bug may be detected if
+KASAN is enabled.
+
+This is because nilfs_last_byte(), which is called by nilfs_find_entry()
+and others to calculate the number of valid bytes of directory data in a
+page from i_size and the page index, loses the upper 32 bits of the 64-bit
+size information due to an inappropriate type of local variable to which
+the i_size value is assigned.
+
+This caused a large byte offset value due to underflow in the end address
+calculation in the calling nilfs_find_entry(), resulting in memory access
+that exceeds the folio/page size.
+
+Fix this issue by changing the type of the local variable causing the bit
+loss from "unsigned int" to "u64". The return value of nilfs_last_byte()
+is also of type "unsigned int", but it is truncated so as not to exceed
+PAGE_SIZE and no bit loss occurs, so no change is required.
+
+Link: https://lkml.kernel.org/r/20241119172403.9292-1-konishi.ryusuke@gmail.com
+Fixes: 2ba466d74ed7 ("nilfs2: directory entry operations")
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Reported-by: syzbot+96d5d14c47d97015c624@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=96d5d14c47d97015c624
+Tested-by: syzbot+96d5d14c47d97015c624@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nilfs2/dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nilfs2/dir.c
++++ b/fs/nilfs2/dir.c
+@@ -70,7 +70,7 @@ static inline unsigned int nilfs_chunk_s
+ */
+ static unsigned int nilfs_last_byte(struct inode *inode, unsigned long page_nr)
+ {
+- unsigned int last_byte = inode->i_size;
++ u64 last_byte = inode->i_size;
+
+ last_byte -= page_nr << PAGE_SHIFT;
+ if (last_byte > PAGE_SIZE)
--- /dev/null
+From 2379fb937de5333991c567eefd7d11b98977d059 Mon Sep 17 00:00:00 2001
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+Date: Thu, 21 Nov 2024 15:52:31 +0800
+Subject: pmdomain: imx: gpcv2: Adjust delay after power up handshake
+
+From: Shengjiu Wang <shengjiu.wang@nxp.com>
+
+commit 2379fb937de5333991c567eefd7d11b98977d059 upstream.
+
+The udelay(5) is not enough, sometimes below kernel panic
+still be triggered:
+
+[ 4.012973] Kernel panic - not syncing: Asynchronous SError Interrupt
+[ 4.012976] CPU: 2 UID: 0 PID: 186 Comm: (udev-worker) Not tainted 6.12.0-rc2-0.0.0-devel-00004-g8b1b79e88956 #1
+[ 4.012982] Hardware name: Toradex Verdin iMX8M Plus WB on Dahlia Board (DT)
+[ 4.012985] Call trace:
+[...]
+[ 4.013029] arm64_serror_panic+0x64/0x70
+[ 4.013034] do_serror+0x3c/0x70
+[ 4.013039] el1h_64_error_handler+0x30/0x54
+[ 4.013046] el1h_64_error+0x64/0x68
+[ 4.013050] clk_imx8mp_audiomix_runtime_resume+0x38/0x48
+[ 4.013059] __genpd_runtime_resume+0x30/0x80
+[ 4.013066] genpd_runtime_resume+0x114/0x29c
+[ 4.013073] __rpm_callback+0x48/0x1e0
+[ 4.013079] rpm_callback+0x68/0x80
+[ 4.013084] rpm_resume+0x3bc/0x6a0
+[ 4.013089] __pm_runtime_resume+0x50/0x9c
+[ 4.013095] pm_runtime_get_suppliers+0x60/0x8c
+[ 4.013101] __driver_probe_device+0x4c/0x14c
+[ 4.013108] driver_probe_device+0x3c/0x120
+[ 4.013114] __driver_attach+0xc4/0x200
+[ 4.013119] bus_for_each_dev+0x7c/0xe0
+[ 4.013125] driver_attach+0x24/0x30
+[ 4.013130] bus_add_driver+0x110/0x240
+[ 4.013135] driver_register+0x68/0x124
+[ 4.013142] __platform_driver_register+0x24/0x30
+[ 4.013149] sdma_driver_init+0x20/0x1000 [imx_sdma]
+[ 4.013163] do_one_initcall+0x60/0x1e0
+[ 4.013168] do_init_module+0x5c/0x21c
+[ 4.013175] load_module+0x1a98/0x205c
+[ 4.013181] init_module_from_file+0x88/0xd4
+[ 4.013187] __arm64_sys_finit_module+0x258/0x350
+[ 4.013194] invoke_syscall.constprop.0+0x50/0xe0
+[ 4.013202] do_el0_svc+0xa8/0xe0
+[ 4.013208] el0_svc+0x3c/0x140
+[ 4.013215] el0t_64_sync_handler+0x120/0x12c
+[ 4.013222] el0t_64_sync+0x190/0x194
+[ 4.013228] SMP: stopping secondary CPUs
+
+The correct way is to wait handshake, but it needs BUS clock of
+BLK-CTL be enabled, which is in separate driver. So delay is the
+only option here. The udelay(10) is a data got by experiment.
+
+Fixes: e8dc41afca16 ("pmdomain: imx: gpcv2: Add delay after power up handshake")
+Reported-by: Francesco Dolcini <francesco@dolcini.it>
+Closes: https://lore.kernel.org/lkml/20241007132555.GA53279@francesco-nb/
+Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
+Cc: stable@vger.kernel.org
+Message-ID: <20241121075231.3910922-1-shengjiu.wang@nxp.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pmdomain/imx/gpcv2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pmdomain/imx/gpcv2.c
++++ b/drivers/pmdomain/imx/gpcv2.c
+@@ -403,7 +403,7 @@ static int imx_pgc_power_up(struct gener
+ * already reaches target before udelay()
+ */
+ regmap_read_bypassed(domain->regmap, domain->regs->hsk, ®_val);
+- udelay(5);
++ udelay(10);
+ }
+
+ /* Disable reset clocks for all devices in the domain */
--- /dev/null
+From a220d6b95b1ae12c7626283d7609f0a1438e6437 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Tue, 26 Nov 2024 15:52:08 +0100
+Subject: Revert "readahead: properly shorten readahead when falling back to do_page_cache_ra()"
+
+From: Jan Kara <jack@suse.cz>
+
+commit a220d6b95b1ae12c7626283d7609f0a1438e6437 upstream.
+
+This reverts commit 7c877586da3178974a8a94577b6045a48377ff25.
+
+Anders and Philippe have reported that recent kernels occasionally hang
+when used with NFS in readahead code. The problem has been bisected to
+7c877586da3 ("readahead: properly shorten readahead when falling back to
+do_page_cache_ra()"). The cause of the problem is that ra->size can be
+shrunk by read_pages() call and subsequently we end up calling
+do_page_cache_ra() with negative (read huge positive) number of pages.
+Let's revert 7c877586da3 for now until we can find a proper way how the
+logic in read_pages() and page_cache_ra_order() can coexist. This can
+lead to reduced readahead throughput due to readahead window confusion but
+that's better than outright hangs.
+
+Link: https://lkml.kernel.org/r/20241126145208.985-1-jack@suse.cz
+Fixes: 7c877586da31 ("readahead: properly shorten readahead when falling back to do_page_cache_ra()")
+Reported-by: Anders Blomdell <anders.blomdell@gmail.com>
+Reported-by: Philippe Troin <phil@fifi.org>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Tested-by: Philippe Troin <phil@fifi.org>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/readahead.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/mm/readahead.c
++++ b/mm/readahead.c
+@@ -453,8 +453,7 @@ void page_cache_ra_order(struct readahea
+ struct file_ra_state *ra, unsigned int new_order)
+ {
+ struct address_space *mapping = ractl->mapping;
+- pgoff_t start = readahead_index(ractl);
+- pgoff_t index = start;
++ pgoff_t index = readahead_index(ractl);
+ unsigned int min_order = mapping_min_folio_order(mapping);
+ pgoff_t limit = (i_size_read(mapping->host) - 1) >> PAGE_SHIFT;
+ pgoff_t mark = index + ra->size - ra->async_size;
+@@ -517,7 +516,7 @@ void page_cache_ra_order(struct readahea
+ if (!err)
+ return;
+ fallback:
+- do_page_cache_ra(ractl, ra->size - (index - start), ra->async_size);
++ do_page_cache_ra(ractl, ra->size, ra->async_size);
+ }
+
+ static unsigned long ractl_max_pages(struct readahead_control *ractl,
--- /dev/null
+From c423263082ee8ccfad59ab33e3d5da5dc004c21e Mon Sep 17 00:00:00 2001
+From: Quinn Tran <qutran@marvell.com>
+Date: Fri, 15 Nov 2024 18:33:07 +0530
+Subject: scsi: qla2xxx: Fix abort in bsg timeout
+
+From: Quinn Tran <qutran@marvell.com>
+
+commit c423263082ee8ccfad59ab33e3d5da5dc004c21e upstream.
+
+Current abort of bsg on timeout prematurely clears the
+outstanding_cmds[]. Abort does not allow FW to return the IOCB/SRB. In
+addition, bsg_job_done() is not called to return the BSG (i.e. leak).
+
+Abort the outstanding bsg/SRB and wait for the completion. The
+completion IOCB will wake up the bsg_timeout thread. If abort is not
+successful, then driver will forcibly call bsg_job_done() and free the
+srb.
+
+Err Inject:
+
+ - qaucli -z
+ - assign CT Passthru IOCB's NportHandle with another initiator
+ nport handle to trigger timeout. Remote port will drop CT request.
+ - bsg_job_done is properly called as part of cleanup
+
+kernel: qla2xxx [0000:21:00.1]-7012:7: qla2x00_process_ct : 286 : Error Inject.
+kernel: qla2xxx [0000:21:00.1]-7016:7: bsg rqst type: FC_BSG_HST_CT else type: 101 - loop-id=1 portid=fffffa.
+kernel: qla2xxx [0000:21:00.1]-70bb:7: qla24xx_bsg_timeout CMD timeout. bsg ptr ffff9971a42f0838 msgcode 80000004 vendor cmd fa010000
+kernel: qla2xxx [0000:21:00.1]-507c:7: Abort command issued - hdl=4b, type=5
+kernel: qla2xxx [0000:21:00.1]-5040:7: ELS-CT pass-through-ct pass-through error hdl=4b comp_status-status=0x5 error subcode 1=0x0 error subcode 2=0xaf882e80.
+kernel: qla2xxx [0000:21:00.1]-7009:7: qla2x00_bsg_job_done: sp hdl 4b, result=70000 bsg ptr ffff9971a42f0838
+kernel: qla2xxx [0000:21:00.1]-802c:7: Aborting bsg ffff9971a42f0838 sp=ffff99760b87ba80 handle=4b rval=0
+kernel: qla2xxx [0000:21:00.1]-708a:7: bsg abort success. bsg ffff9971a42f0838 sp=ffff99760b87ba80 handle=0x4b
+kernel: qla2xxx [0000:21:00.1]-7012:7: qla2x00_process_ct : 286 : Error Inject.
+kernel: qla2xxx [0000:21:00.1]-7016:7: bsg rqst type: FC_BSG_HST_CT else type: 101 - loop-id=1 portid=fffffa.
+kernel: qla2xxx [0000:21:00.1]-70bb:7: qla24xx_bsg_timeout CMD timeout. bsg ptr ffff9971a42f43b8 msgcode 80000004 vendor cmd fa010000
+kernel: qla2xxx [0000:21:00.1]-7012:7: qla_bsg_found : 2206 : Error Inject 2.
+kernel: qla2xxx [0000:21:00.1]-802c:7: Aborting bsg ffff9971a42f43b8 sp=ffff99762c304440 handle=5e rval=5
+kernel: qla2xxx [0000:21:00.1]-704f:7: bsg abort fail. bsg=ffff9971a42f43b8 sp=ffff99762c304440 rval=5.
+kernel: qla2xxx [0000:21:00.1]-7051:7: qla_bsg_found bsg_job_done : bsg ffff9971a42f43b8 result 0xfffffffa sp ffff99762c304440.
+
+Cc: stable@vger.kernel.org
+Fixes: c449b4198701 ("scsi: qla2xxx: Use QP lock to search for bsg")
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20241115130313.46826-2-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_bsg.c | 114 +++++++++++++++++++++++++++++++++--------
+ 1 file changed, 92 insertions(+), 22 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -24,6 +24,7 @@ void qla2x00_bsg_job_done(srb_t *sp, int
+ {
+ struct bsg_job *bsg_job = sp->u.bsg_job;
+ struct fc_bsg_reply *bsg_reply = bsg_job->reply;
++ struct completion *comp = sp->comp;
+
+ ql_dbg(ql_dbg_user, sp->vha, 0x7009,
+ "%s: sp hdl %x, result=%x bsg ptr %p\n",
+@@ -35,6 +36,9 @@ void qla2x00_bsg_job_done(srb_t *sp, int
+ bsg_reply->result = res;
+ bsg_job_done(bsg_job, bsg_reply->result,
+ bsg_reply->reply_payload_rcv_len);
++
++ if (comp)
++ complete(comp);
+ }
+
+ void qla2x00_bsg_sp_free(srb_t *sp)
+@@ -3061,7 +3065,7 @@ skip_chip_chk:
+
+ static bool qla_bsg_found(struct qla_qpair *qpair, struct bsg_job *bsg_job)
+ {
+- bool found = false;
++ bool found, do_bsg_done;
+ struct fc_bsg_reply *bsg_reply = bsg_job->reply;
+ scsi_qla_host_t *vha = shost_priv(fc_bsg_to_shost(bsg_job));
+ struct qla_hw_data *ha = vha->hw;
+@@ -3069,6 +3073,11 @@ static bool qla_bsg_found(struct qla_qpa
+ int cnt;
+ unsigned long flags;
+ struct req_que *req;
++ int rval;
++ DECLARE_COMPLETION_ONSTACK(comp);
++ uint32_t ratov_j;
++
++ found = do_bsg_done = false;
+
+ spin_lock_irqsave(qpair->qp_lock_ptr, flags);
+ req = qpair->req;
+@@ -3080,42 +3089,104 @@ static bool qla_bsg_found(struct qla_qpa
+ sp->type == SRB_ELS_CMD_HST ||
+ sp->type == SRB_ELS_CMD_HST_NOLOGIN) &&
+ sp->u.bsg_job == bsg_job) {
+- req->outstanding_cmds[cnt] = NULL;
+- spin_unlock_irqrestore(qpair->qp_lock_ptr, flags);
+-
+- if (!ha->flags.eeh_busy && ha->isp_ops->abort_command(sp)) {
+- ql_log(ql_log_warn, vha, 0x7089,
+- "mbx abort_command failed.\n");
+- bsg_reply->result = -EIO;
+- } else {
+- ql_dbg(ql_dbg_user, vha, 0x708a,
+- "mbx abort_command success.\n");
+- bsg_reply->result = 0;
+- }
+- /* ref: INIT */
+- kref_put(&sp->cmd_kref, qla2x00_sp_release);
+
+ found = true;
+- goto done;
++ sp->comp = ∁
++ break;
+ }
+ }
+ spin_unlock_irqrestore(qpair->qp_lock_ptr, flags);
+
+-done:
+- return found;
++ if (!found)
++ return false;
++
++ if (ha->flags.eeh_busy) {
++ /* skip over abort. EEH handling will return the bsg. Wait for it */
++ rval = QLA_SUCCESS;
++ ql_dbg(ql_dbg_user, vha, 0x802c,
++ "eeh encounter. bsg %p sp=%p handle=%x \n",
++ bsg_job, sp, sp->handle);
++ } else {
++ rval = ha->isp_ops->abort_command(sp);
++ ql_dbg(ql_dbg_user, vha, 0x802c,
++ "Aborting bsg %p sp=%p handle=%x rval=%x\n",
++ bsg_job, sp, sp->handle, rval);
++ }
++
++ switch (rval) {
++ case QLA_SUCCESS:
++ /* Wait for the command completion. */
++ ratov_j = ha->r_a_tov / 10 * 4 * 1000;
++ ratov_j = msecs_to_jiffies(ratov_j);
++
++ if (!wait_for_completion_timeout(&comp, ratov_j)) {
++ ql_log(ql_log_info, vha, 0x7089,
++ "bsg abort timeout. bsg=%p sp=%p handle %#x .\n",
++ bsg_job, sp, sp->handle);
++
++ do_bsg_done = true;
++ } else {
++ /* fw had returned the bsg */
++ ql_dbg(ql_dbg_user, vha, 0x708a,
++ "bsg abort success. bsg %p sp=%p handle=%#x\n",
++ bsg_job, sp, sp->handle);
++ do_bsg_done = false;
++ }
++ break;
++ default:
++ ql_log(ql_log_info, vha, 0x704f,
++ "bsg abort fail. bsg=%p sp=%p rval=%x.\n",
++ bsg_job, sp, rval);
++
++ do_bsg_done = true;
++ break;
++ }
++
++ if (!do_bsg_done)
++ return true;
++
++ spin_lock_irqsave(qpair->qp_lock_ptr, flags);
++ /*
++ * recheck to make sure it's still the same bsg_job due to
++ * qp_lock_ptr was released earlier.
++ */
++ if (req->outstanding_cmds[cnt] &&
++ req->outstanding_cmds[cnt]->u.bsg_job != bsg_job) {
++ /* fw had returned the bsg */
++ spin_unlock_irqrestore(qpair->qp_lock_ptr, flags);
++ return true;
++ }
++ req->outstanding_cmds[cnt] = NULL;
++ spin_unlock_irqrestore(qpair->qp_lock_ptr, flags);
++
++ /* ref: INIT */
++ sp->comp = NULL;
++ kref_put(&sp->cmd_kref, qla2x00_sp_release);
++ bsg_reply->result = -ENXIO;
++ bsg_reply->reply_payload_rcv_len = 0;
++
++ ql_dbg(ql_dbg_user, vha, 0x7051,
++ "%s bsg_job_done : bsg %p result %#x sp %p.\n",
++ __func__, bsg_job, bsg_reply->result, sp);
++
++ bsg_job_done(bsg_job, bsg_reply->result, bsg_reply->reply_payload_rcv_len);
++
++ return true;
+ }
+
+ int
+ qla24xx_bsg_timeout(struct bsg_job *bsg_job)
+ {
+- struct fc_bsg_reply *bsg_reply = bsg_job->reply;
++ struct fc_bsg_request *bsg_request = bsg_job->request;
+ scsi_qla_host_t *vha = shost_priv(fc_bsg_to_shost(bsg_job));
+ struct qla_hw_data *ha = vha->hw;
+ int i;
+ struct qla_qpair *qpair;
+
+- ql_log(ql_log_info, vha, 0x708b, "%s CMD timeout. bsg ptr %p.\n",
+- __func__, bsg_job);
++ ql_log(ql_log_info, vha, 0x708b,
++ "%s CMD timeout. bsg ptr %p msgcode %x vendor cmd %x\n",
++ __func__, bsg_job, bsg_request->msgcode,
++ bsg_request->rqst_data.h_vendor.vendor_cmd[0]);
+
+ if (qla2x00_isp_reg_stat(ha)) {
+ ql_log(ql_log_info, vha, 0x9007,
+@@ -3136,7 +3207,6 @@ qla24xx_bsg_timeout(struct bsg_job *bsg_
+ }
+
+ ql_log(ql_log_info, vha, 0x708b, "SRB not found to abort.\n");
+- bsg_reply->result = -ENXIO;
+
+ done:
+ return 0;
--- /dev/null
+From 4812b7796c144f63a1094f79a5eb8fbdad8d7ebc Mon Sep 17 00:00:00 2001
+From: Quinn Tran <qutran@marvell.com>
+Date: Fri, 15 Nov 2024 18:33:11 +0530
+Subject: scsi: qla2xxx: Fix NVMe and NPIV connect issue
+
+From: Quinn Tran <qutran@marvell.com>
+
+commit 4812b7796c144f63a1094f79a5eb8fbdad8d7ebc upstream.
+
+NVMe controller fails to send connect command due to failure to locate
+hw context buffer for NVMe queue 0 (blk_mq_hw_ctx, hctx_idx=0). The
+cause of the issue is NPIV host did not initialize the vha->irq_offset
+field. This field is given to blk-mq (blk_mq_pci_map_queues) to help
+locate the beginning of IO Queues which in turn help locate NVMe queue
+0.
+
+Initialize this field to allow NVMe to work properly with NPIV host.
+
+ kernel: nvme nvme5: Connect command failed, errno: -18
+ kernel: nvme nvme5: qid 0: secure concatenation is not supported
+ kernel: nvme nvme5: NVME-FC{5}: create_assoc failed, assoc_id 2e9100 ret 401
+ kernel: nvme nvme5: NVME-FC{5}: reset: Reconnect attempt failed (401)
+ kernel: nvme nvme5: NVME-FC{5}: Reconnect attempt in 2 seconds
+
+Cc: stable@vger.kernel.org
+Fixes: f0783d43dde4 ("scsi: qla2xxx: Use correct number of vectors for online CPUs")
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20241115130313.46826-6-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_mid.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/qla2xxx/qla_mid.c
++++ b/drivers/scsi/qla2xxx/qla_mid.c
+@@ -506,6 +506,7 @@ qla24xx_create_vhost(struct fc_vport *fc
+ return(NULL);
+ }
+
++ vha->irq_offset = QLA_BASE_VECTORS;
+ host = vha->host;
+ fc_vport->dd_data = vha;
+ /* New host info */
--- /dev/null
+From 07c903db0a2ff84b68efa1a74a4de353ea591eb0 Mon Sep 17 00:00:00 2001
+From: Quinn Tran <qutran@marvell.com>
+Date: Fri, 15 Nov 2024 18:33:08 +0530
+Subject: scsi: qla2xxx: Fix use after free on unload
+
+From: Quinn Tran <qutran@marvell.com>
+
+commit 07c903db0a2ff84b68efa1a74a4de353ea591eb0 upstream.
+
+System crash is observed with stack trace warning of use after
+free. There are 2 signals to tell dpc_thread to terminate (UNLOADING
+flag and kthread_stop).
+
+On setting the UNLOADING flag when dpc_thread happens to run at the time
+and sees the flag, this causes dpc_thread to exit and clean up
+itself. When kthread_stop is called for final cleanup, this causes use
+after free.
+
+Remove UNLOADING signal to terminate dpc_thread. Use the kthread_stop
+as the main signal to exit dpc_thread.
+
+[596663.812935] kernel BUG at mm/slub.c:294!
+[596663.812950] invalid opcode: 0000 [#1] SMP PTI
+[596663.812957] CPU: 13 PID: 1475935 Comm: rmmod Kdump: loaded Tainted: G IOE --------- - - 4.18.0-240.el8.x86_64 #1
+[596663.812960] Hardware name: HP ProLiant DL380p Gen8, BIOS P70 08/20/2012
+[596663.812974] RIP: 0010:__slab_free+0x17d/0x360
+
+...
+[596663.813008] Call Trace:
+[596663.813022] ? __dentry_kill+0x121/0x170
+[596663.813030] ? _cond_resched+0x15/0x30
+[596663.813034] ? _cond_resched+0x15/0x30
+[596663.813039] ? wait_for_completion+0x35/0x190
+[596663.813048] ? try_to_wake_up+0x63/0x540
+[596663.813055] free_task+0x5a/0x60
+[596663.813061] kthread_stop+0xf3/0x100
+[596663.813103] qla2x00_remove_one+0x284/0x440 [qla2xxx]
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20241115130313.46826-3-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_os.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -6902,12 +6902,15 @@ qla2x00_do_dpc(void *data)
+ set_user_nice(current, MIN_NICE);
+
+ set_current_state(TASK_INTERRUPTIBLE);
+- while (!kthread_should_stop()) {
++ while (1) {
+ ql_dbg(ql_dbg_dpc, base_vha, 0x4000,
+ "DPC handler sleeping.\n");
+
+ schedule();
+
++ if (kthread_should_stop())
++ break;
++
+ if (test_and_clear_bit(DO_EEH_RECOVERY, &base_vha->dpc_flags))
+ qla_pci_set_eeh_busy(base_vha);
+
+@@ -6920,15 +6923,16 @@ qla2x00_do_dpc(void *data)
+ goto end_loop;
+ }
+
++ if (test_bit(UNLOADING, &base_vha->dpc_flags))
++ /* don't do any work. Wait to be terminated by kthread_stop */
++ goto end_loop;
++
+ ha->dpc_active = 1;
+
+ ql_dbg(ql_dbg_dpc + ql_dbg_verbose, base_vha, 0x4001,
+ "DPC handler waking up, dpc_flags=0x%lx.\n",
+ base_vha->dpc_flags);
+
+- if (test_bit(UNLOADING, &base_vha->dpc_flags))
+- break;
+-
+ if (IS_P3P_TYPE(ha)) {
+ if (IS_QLA8044(ha)) {
+ if (test_and_clear_bit(ISP_UNRECOVERABLE,
+@@ -7241,9 +7245,6 @@ end_loop:
+ */
+ ha->dpc_active = 0;
+
+- /* Cleanup any residual CTX SRBs. */
+- qla2x00_abort_all_cmds(base_vha, DID_NO_CONNECT << 16);
+-
+ return 0;
+ }
+
--- /dev/null
+From 833c70e212fc40d3e98da941796f4c7bcaecdf58 Mon Sep 17 00:00:00 2001
+From: Saurav Kashyap <skashyap@marvell.com>
+Date: Fri, 15 Nov 2024 18:33:10 +0530
+Subject: scsi: qla2xxx: Remove check req_sg_cnt should be equal to rsp_sg_cnt
+
+From: Saurav Kashyap <skashyap@marvell.com>
+
+commit 833c70e212fc40d3e98da941796f4c7bcaecdf58 upstream.
+
+Firmware supports multiple sg_cnt for request and response for CT
+commands, so remove the redundant check. A check is there where sg_cnt
+for request and response should be same. This is not required as driver
+and FW have code to handle multiple and different sg_cnt on request and
+response.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Saurav Kashyap <skashyap@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20241115130313.46826-5-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_bsg.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_bsg.c
++++ b/drivers/scsi/qla2xxx/qla_bsg.c
+@@ -494,16 +494,6 @@ qla2x00_process_ct(struct bsg_job *bsg_j
+ goto done;
+ }
+
+- if ((req_sg_cnt != bsg_job->request_payload.sg_cnt) ||
+- (rsp_sg_cnt != bsg_job->reply_payload.sg_cnt)) {
+- ql_log(ql_log_warn, vha, 0x7011,
+- "request_sg_cnt: %x dma_request_sg_cnt: %x reply_sg_cnt:%x "
+- "dma_reply_sg_cnt: %x\n", bsg_job->request_payload.sg_cnt,
+- req_sg_cnt, bsg_job->reply_payload.sg_cnt, rsp_sg_cnt);
+- rval = -EAGAIN;
+- goto done_unmap_sg;
+- }
+-
+ if (!vha->flags.online) {
+ ql_log(ql_log_warn, vha, 0x7012,
+ "Host is not online.\n");
--- /dev/null
+From e4e268f898c8a08f0a1188677e15eadbc06e98f6 Mon Sep 17 00:00:00 2001
+From: Anil Gurumurthy <agurumurthy@marvell.com>
+Date: Fri, 15 Nov 2024 18:33:12 +0530
+Subject: scsi: qla2xxx: Supported speed displayed incorrectly for VPorts
+
+From: Anil Gurumurthy <agurumurthy@marvell.com>
+
+commit e4e268f898c8a08f0a1188677e15eadbc06e98f6 upstream.
+
+The fc_function_template for vports was missing the
+.show_host_supported_speeds. The base port had the same.
+
+Add .show_host_supported_speeds to the vport template as well.
+
+Cc: stable@vger.kernel.org
+Fixes: 2c3dfe3f6ad8 ("[SCSI] qla2xxx: add support for NPIV")
+Signed-off-by: Anil Gurumurthy <agurumurthy@marvell.com>
+Signed-off-by: Nilesh Javali <njavali@marvell.com>
+Link: https://lore.kernel.org/r/20241115130313.46826-7-njavali@marvell.com
+Reviewed-by: Himanshu Madhani <himanshu.madhani@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/qla2xxx/qla_attr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/qla2xxx/qla_attr.c
++++ b/drivers/scsi/qla2xxx/qla_attr.c
+@@ -3304,6 +3304,7 @@ struct fc_function_template qla2xxx_tran
+ .show_host_node_name = 1,
+ .show_host_port_name = 1,
+ .show_host_supported_classes = 1,
++ .show_host_supported_speeds = 1,
+
+ .get_host_port_id = qla2x00_get_host_port_id,
+ .show_host_port_id = 1,
--- /dev/null
+From 7f45ed5f0cd5ccbbec79adc6c48a67d6a85fba56 Mon Sep 17 00:00:00 2001
+From: Peter Wang <peter.wang@mediatek.com>
+Date: Fri, 22 Nov 2024 10:49:43 +0800
+Subject: scsi: ufs: core: Add missing post notify for power mode change
+
+From: Peter Wang <peter.wang@mediatek.com>
+
+commit 7f45ed5f0cd5ccbbec79adc6c48a67d6a85fba56 upstream.
+
+When the power mode change is successful but the power mode hasn't
+actually changed, the post notification was missed. Similar to the
+approach with hibernate/clock scale/hce enable, having pre/post
+notifications in the same function will make it easier to maintain.
+
+Additionally, supplement the description of power parameters for the
+pwr_change_notify callback.
+
+Fixes: 7eb584db73be ("ufs: refactor configuring power mode")
+Cc: stable@vger.kernel.org #6.11.x
+Signed-off-by: Peter Wang <peter.wang@mediatek.com>
+Link: https://lore.kernel.org/r/20241122024943.30589-1-peter.wang@mediatek.com
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ufs/core/ufshcd.c | 7 ++++---
+ include/ufs/ufshcd.h | 10 ++++++----
+ 2 files changed, 10 insertions(+), 7 deletions(-)
+
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -4684,9 +4684,6 @@ static int ufshcd_change_power_mode(stru
+ dev_err(hba->dev,
+ "%s: power mode change failed %d\n", __func__, ret);
+ } else {
+- ufshcd_vops_pwr_change_notify(hba, POST_CHANGE, NULL,
+- pwr_mode);
+-
+ memcpy(&hba->pwr_info, pwr_mode,
+ sizeof(struct ufs_pa_layer_attr));
+ }
+@@ -4715,6 +4712,10 @@ int ufshcd_config_pwr_mode(struct ufs_hb
+
+ ret = ufshcd_change_power_mode(hba, &final_params);
+
++ if (!ret)
++ ufshcd_vops_pwr_change_notify(hba, POST_CHANGE, NULL,
++ &final_params);
++
+ return ret;
+ }
+ EXPORT_SYMBOL_GPL(ufshcd_config_pwr_mode);
+--- a/include/ufs/ufshcd.h
++++ b/include/ufs/ufshcd.h
+@@ -308,7 +308,9 @@ struct ufs_pwr_mode_info {
+ * to allow variant specific Uni-Pro initialization.
+ * @pwr_change_notify: called before and after a power mode change
+ * is carried out to allow vendor spesific capabilities
+- * to be set.
++ * to be set. PRE_CHANGE can modify final_params based
++ * on desired_pwr_mode, but POST_CHANGE must not alter
++ * the final_params parameter
+ * @setup_xfer_req: called before any transfer request is issued
+ * to set some things
+ * @setup_task_mgmt: called before any task management request is issued
+@@ -350,9 +352,9 @@ struct ufs_hba_variant_ops {
+ int (*link_startup_notify)(struct ufs_hba *,
+ enum ufs_notify_change_status);
+ int (*pwr_change_notify)(struct ufs_hba *,
+- enum ufs_notify_change_status status,
+- struct ufs_pa_layer_attr *,
+- struct ufs_pa_layer_attr *);
++ enum ufs_notify_change_status status,
++ struct ufs_pa_layer_attr *desired_pwr_mode,
++ struct ufs_pa_layer_attr *final_params);
+ void (*setup_xfer_req)(struct ufs_hba *hba, int tag,
+ bool is_scsi_cmd);
+ void (*setup_task_mgmt)(struct ufs_hba *, int, u8);
--- /dev/null
+From 1695c4361d35b7bdadd7b34f99c9c07741e181e5 Mon Sep 17 00:00:00 2001
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Date: Mon, 11 Nov 2024 23:18:30 +0530
+Subject: scsi: ufs: core: Cancel RTC work during ufshcd_remove()
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+
+commit 1695c4361d35b7bdadd7b34f99c9c07741e181e5 upstream.
+
+Currently, RTC work is only cancelled during __ufshcd_wl_suspend(). When
+ufshcd is removed in ufshcd_remove(), RTC work is not cancelled. Due to
+this, any further trigger of the RTC work after ufshcd_remove() would
+result in a NULL pointer dereference as below:
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000000000002a4
+Workqueue: events ufshcd_rtc_work
+Call trace:
+ _raw_spin_lock_irqsave+0x34/0x8c
+ pm_runtime_get_if_active+0x24/0xb4
+ ufshcd_rtc_work+0x124/0x19c
+ process_scheduled_works+0x18c/0x2d8
+ worker_thread+0x144/0x280
+ kthread+0x11c/0x128
+ ret_from_fork+0x10/0x20
+
+Since RTC work accesses the ufshcd internal structures, it should be cancelled
+when ufshcd is removed. So do that in ufshcd_remove(), as per the order in
+ufshcd_init().
+
+Cc: stable@vger.kernel.org # 6.8
+Fixes: 6bf999e0eb41 ("scsi: ufs: core: Add UFS RTC support")
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://lore.kernel.org/r/20241111-ufs_bug_fix-v1-1-45ad8b62f02e@linaro.org
+Reviewed-by: Peter Wang <peter.wang@mediatek.com>
+Reviewed-by: Bean Huo <beanhuo@micron.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ufs/core/ufshcd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -10264,6 +10264,7 @@ void ufshcd_remove(struct ufs_hba *hba)
+ ufs_hwmon_remove(hba);
+ ufs_bsg_remove(hba);
+ ufs_sysfs_remove_nodes(hba->dev);
++ cancel_delayed_work_sync(&hba->ufs_rtc_update_work);
+ blk_mq_destroy_queue(hba->tmf_queue);
+ blk_put_queue(hba->tmf_queue);
+ blk_mq_free_tag_set(&hba->tmf_tag_set);
--- /dev/null
+From eb48e9fc0028bed94a40a9352d065909f19e333c Mon Sep 17 00:00:00 2001
+From: Gwendal Grignou <gwendal@chromium.org>
+Date: Tue, 19 Nov 2024 22:25:22 -0800
+Subject: scsi: ufs: core: sysfs: Prevent div by zero
+
+From: Gwendal Grignou <gwendal@chromium.org>
+
+commit eb48e9fc0028bed94a40a9352d065909f19e333c upstream.
+
+Prevent a division by 0 when monitoring is not enabled.
+
+Fixes: 1d8613a23f3c ("scsi: ufs: core: Introduce HBA performance monitor sysfs nodes")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
+Link: https://lore.kernel.org/r/20241120062522.917157-1-gwendal@chromium.org
+Reviewed-by: Can Guo <quic_cang@quicinc.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ufs/core/ufs-sysfs.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/ufs/core/ufs-sysfs.c
++++ b/drivers/ufs/core/ufs-sysfs.c
+@@ -670,6 +670,9 @@ static ssize_t read_req_latency_avg_show
+ struct ufs_hba *hba = dev_get_drvdata(dev);
+ struct ufs_hba_monitor *m = &hba->monitor;
+
++ if (!m->nr_req[READ])
++ return sysfs_emit(buf, "0\n");
++
+ return sysfs_emit(buf, "%llu\n", div_u64(ktime_to_us(m->lat_sum[READ]),
+ m->nr_req[READ]));
+ }
+@@ -737,6 +740,9 @@ static ssize_t write_req_latency_avg_sho
+ struct ufs_hba *hba = dev_get_drvdata(dev);
+ struct ufs_hba_monitor *m = &hba->monitor;
+
++ if (!m->nr_req[WRITE])
++ return sysfs_emit(buf, "0\n");
++
+ return sysfs_emit(buf, "%llu\n", div_u64(ktime_to_us(m->lat_sum[WRITE]),
+ m->nr_req[WRITE]));
+ }
--- /dev/null
+From d3326e6a3f9bf1e075be2201fb704c2fdf19e2b7 Mon Sep 17 00:00:00 2001
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Date: Mon, 11 Nov 2024 23:18:32 +0530
+Subject: scsi: ufs: pltfrm: Disable runtime PM during removal of glue drivers
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+
+commit d3326e6a3f9bf1e075be2201fb704c2fdf19e2b7 upstream.
+
+When the UFSHCD platform glue drivers are removed, runtime PM should be
+disabled using pm_runtime_disable() to balance the enablement done in
+ufshcd_pltfrm_init(). This is also reported by PM core when the glue driver
+is removed and inserted again:
+
+ufshcd-qcom 1d84000.ufshc: Unbalanced pm_runtime_enable!
+
+So disable runtime PM using a new helper API ufshcd_pltfrm_remove(), that
+also takes care of removing ufshcd. This helper should be called during the
+remove() stage of glue drivers.
+
+Cc: stable@vger.kernel.org # 3.12
+Fixes: 62694735ca95 ("[SCSI] ufs: Add runtime PM support for UFS host controller driver")
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://lore.kernel.org/r/20241111-ufs_bug_fix-v1-3-45ad8b62f02e@linaro.org
+Reviewed-by: Peter Wang <peter.wang@mediatek.com>
+Reviewed-by: Bean Huo <beanhuo@micron.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ufs/host/cdns-pltfrm.c | 4 +---
+ drivers/ufs/host/tc-dwc-g210-pltfrm.c | 4 +---
+ drivers/ufs/host/ufs-exynos.c | 2 +-
+ drivers/ufs/host/ufs-hisi.c | 4 +---
+ drivers/ufs/host/ufs-mediatek.c | 4 +---
+ drivers/ufs/host/ufs-qcom.c | 2 +-
+ drivers/ufs/host/ufs-renesas.c | 4 +---
+ drivers/ufs/host/ufs-sprd.c | 4 +---
+ drivers/ufs/host/ufshcd-pltfrm.c | 13 +++++++++++++
+ drivers/ufs/host/ufshcd-pltfrm.h | 1 +
+ 10 files changed, 22 insertions(+), 20 deletions(-)
+
+--- a/drivers/ufs/host/cdns-pltfrm.c
++++ b/drivers/ufs/host/cdns-pltfrm.c
+@@ -307,9 +307,7 @@ static int cdns_ufs_pltfrm_probe(struct
+ */
+ static void cdns_ufs_pltfrm_remove(struct platform_device *pdev)
+ {
+- struct ufs_hba *hba = platform_get_drvdata(pdev);
+-
+- ufshcd_remove(hba);
++ ufshcd_pltfrm_remove(pdev);
+ }
+
+ static const struct dev_pm_ops cdns_ufs_dev_pm_ops = {
+--- a/drivers/ufs/host/tc-dwc-g210-pltfrm.c
++++ b/drivers/ufs/host/tc-dwc-g210-pltfrm.c
+@@ -76,10 +76,8 @@ static int tc_dwc_g210_pltfm_probe(struc
+ */
+ static void tc_dwc_g210_pltfm_remove(struct platform_device *pdev)
+ {
+- struct ufs_hba *hba = platform_get_drvdata(pdev);
+-
+ pm_runtime_get_sync(&(pdev)->dev);
+- ufshcd_remove(hba);
++ ufshcd_pltfrm_remove(pdev);
+ }
+
+ static const struct dev_pm_ops tc_dwc_g210_pltfm_pm_ops = {
+--- a/drivers/ufs/host/ufs-exynos.c
++++ b/drivers/ufs/host/ufs-exynos.c
+@@ -1964,7 +1964,7 @@ static void exynos_ufs_remove(struct pla
+ struct exynos_ufs *ufs = ufshcd_get_variant(hba);
+
+ pm_runtime_get_sync(&(pdev)->dev);
+- ufshcd_remove(hba);
++ ufshcd_pltfrm_remove(pdev);
+
+ phy_power_off(ufs->phy);
+ phy_exit(ufs->phy);
+--- a/drivers/ufs/host/ufs-hisi.c
++++ b/drivers/ufs/host/ufs-hisi.c
+@@ -576,9 +576,7 @@ static int ufs_hisi_probe(struct platfor
+
+ static void ufs_hisi_remove(struct platform_device *pdev)
+ {
+- struct ufs_hba *hba = platform_get_drvdata(pdev);
+-
+- ufshcd_remove(hba);
++ ufshcd_pltfrm_remove(pdev);
+ }
+
+ static const struct dev_pm_ops ufs_hisi_pm_ops = {
+--- a/drivers/ufs/host/ufs-mediatek.c
++++ b/drivers/ufs/host/ufs-mediatek.c
+@@ -1869,10 +1869,8 @@ out:
+ */
+ static void ufs_mtk_remove(struct platform_device *pdev)
+ {
+- struct ufs_hba *hba = platform_get_drvdata(pdev);
+-
+ pm_runtime_get_sync(&(pdev)->dev);
+- ufshcd_remove(hba);
++ ufshcd_pltfrm_remove(pdev);
+ }
+
+ #ifdef CONFIG_PM_SLEEP
+--- a/drivers/ufs/host/ufs-qcom.c
++++ b/drivers/ufs/host/ufs-qcom.c
+@@ -1846,7 +1846,7 @@ static void ufs_qcom_remove(struct platf
+ struct ufs_qcom_host *host = ufshcd_get_variant(hba);
+
+ pm_runtime_get_sync(&(pdev)->dev);
+- ufshcd_remove(hba);
++ ufshcd_pltfrm_remove(pdev);
+ if (host->esi_enabled)
+ platform_device_msi_free_irqs_all(hba->dev);
+ }
+--- a/drivers/ufs/host/ufs-renesas.c
++++ b/drivers/ufs/host/ufs-renesas.c
+@@ -390,9 +390,7 @@ static int ufs_renesas_probe(struct plat
+
+ static void ufs_renesas_remove(struct platform_device *pdev)
+ {
+- struct ufs_hba *hba = platform_get_drvdata(pdev);
+-
+- ufshcd_remove(hba);
++ ufshcd_pltfrm_remove(pdev);
+ }
+
+ static struct platform_driver ufs_renesas_platform = {
+--- a/drivers/ufs/host/ufs-sprd.c
++++ b/drivers/ufs/host/ufs-sprd.c
+@@ -427,10 +427,8 @@ static int ufs_sprd_probe(struct platfor
+
+ static void ufs_sprd_remove(struct platform_device *pdev)
+ {
+- struct ufs_hba *hba = platform_get_drvdata(pdev);
+-
+ pm_runtime_get_sync(&(pdev)->dev);
+- ufshcd_remove(hba);
++ ufshcd_pltfrm_remove(pdev);
+ }
+
+ static const struct dev_pm_ops ufs_sprd_pm_ops = {
+--- a/drivers/ufs/host/ufshcd-pltfrm.c
++++ b/drivers/ufs/host/ufshcd-pltfrm.c
+@@ -524,6 +524,19 @@ out:
+ }
+ EXPORT_SYMBOL_GPL(ufshcd_pltfrm_init);
+
++/**
++ * ufshcd_pltfrm_remove - Remove ufshcd platform
++ * @pdev: pointer to Platform device handle
++ */
++void ufshcd_pltfrm_remove(struct platform_device *pdev)
++{
++ struct ufs_hba *hba = platform_get_drvdata(pdev);
++
++ ufshcd_remove(hba);
++ pm_runtime_disable(&pdev->dev);
++}
++EXPORT_SYMBOL_GPL(ufshcd_pltfrm_remove);
++
+ MODULE_AUTHOR("Santosh Yaragnavi <santosh.sy@samsung.com>");
+ MODULE_AUTHOR("Vinayak Holikatti <h.vinayak@samsung.com>");
+ MODULE_DESCRIPTION("UFS host controller Platform bus based glue driver");
+--- a/drivers/ufs/host/ufshcd-pltfrm.h
++++ b/drivers/ufs/host/ufshcd-pltfrm.h
+@@ -31,6 +31,7 @@ int ufshcd_negotiate_pwr_params(const st
+ void ufshcd_init_host_params(struct ufs_host_params *host_params);
+ int ufshcd_pltfrm_init(struct platform_device *pdev,
+ const struct ufs_hba_variant_ops *vops);
++void ufshcd_pltfrm_remove(struct platform_device *pdev);
+ int ufshcd_populate_vreg(struct device *dev, const char *name,
+ struct ufs_vreg **out_vreg, bool skip_current);
+
--- /dev/null
+From 1745dcdb7227102e16248a324c600b9121c8f6df Mon Sep 17 00:00:00 2001
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Date: Mon, 11 Nov 2024 23:18:33 +0530
+Subject: scsi: ufs: pltfrm: Drop PM runtime reference count after ufshcd_remove()
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+
+commit 1745dcdb7227102e16248a324c600b9121c8f6df upstream.
+
+During the remove stage of glue drivers, some of them are incrementing the
+reference count using pm_runtime_get_sync(), before removing the ufshcd
+using ufshcd_remove(). But they are not dropping that reference count after
+ufshcd_remove() to balance the refcount.
+
+So drop the reference count by calling pm_runtime_put_noidle() after
+ufshcd_remove(). Since the behavior is applicable to all glue drivers, move
+the PM handling to ufshcd_pltfrm_remove().
+
+Cc: stable@vger.kernel.org # 3.12
+Fixes: 62694735ca95 ("[SCSI] ufs: Add runtime PM support for UFS host controller driver")
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://lore.kernel.org/r/20241111-ufs_bug_fix-v1-4-45ad8b62f02e@linaro.org
+Reviewed-by: Peter Wang <peter.wang@mediatek.com>
+Reviewed-by: Bean Huo <beanhuo@micron.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ufs/host/tc-dwc-g210-pltfrm.c | 1 -
+ drivers/ufs/host/ufs-exynos.c | 1 -
+ drivers/ufs/host/ufs-mediatek.c | 1 -
+ drivers/ufs/host/ufs-qcom.c | 1 -
+ drivers/ufs/host/ufs-sprd.c | 1 -
+ drivers/ufs/host/ufshcd-pltfrm.c | 2 ++
+ 6 files changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/ufs/host/tc-dwc-g210-pltfrm.c b/drivers/ufs/host/tc-dwc-g210-pltfrm.c
+index 113e0ef7b2cf..c6f8565ede21 100644
+--- a/drivers/ufs/host/tc-dwc-g210-pltfrm.c
++++ b/drivers/ufs/host/tc-dwc-g210-pltfrm.c
+@@ -76,7 +76,6 @@ static int tc_dwc_g210_pltfm_probe(struct platform_device *pdev)
+ */
+ static void tc_dwc_g210_pltfm_remove(struct platform_device *pdev)
+ {
+- pm_runtime_get_sync(&(pdev)->dev);
+ ufshcd_pltfrm_remove(pdev);
+ }
+
+diff --git a/drivers/ufs/host/ufs-exynos.c b/drivers/ufs/host/ufs-exynos.c
+index b20f6526777a..9d4db13e142d 100644
+--- a/drivers/ufs/host/ufs-exynos.c
++++ b/drivers/ufs/host/ufs-exynos.c
+@@ -1992,7 +1992,6 @@ static void exynos_ufs_remove(struct platform_device *pdev)
+ struct ufs_hba *hba = platform_get_drvdata(pdev);
+ struct exynos_ufs *ufs = ufshcd_get_variant(hba);
+
+- pm_runtime_get_sync(&(pdev)->dev);
+ ufshcd_pltfrm_remove(pdev);
+
+ phy_power_off(ufs->phy);
+diff --git a/drivers/ufs/host/ufs-mediatek.c b/drivers/ufs/host/ufs-mediatek.c
+index b444146419de..ffe4d03a0f38 100644
+--- a/drivers/ufs/host/ufs-mediatek.c
++++ b/drivers/ufs/host/ufs-mediatek.c
+@@ -1879,7 +1879,6 @@ static int ufs_mtk_probe(struct platform_device *pdev)
+ */
+ static void ufs_mtk_remove(struct platform_device *pdev)
+ {
+- pm_runtime_get_sync(&(pdev)->dev);
+ ufshcd_pltfrm_remove(pdev);
+ }
+
+diff --git a/drivers/ufs/host/ufs-qcom.c b/drivers/ufs/host/ufs-qcom.c
+index 3762337d7576..73b4fec8221a 100644
+--- a/drivers/ufs/host/ufs-qcom.c
++++ b/drivers/ufs/host/ufs-qcom.c
+@@ -1863,7 +1863,6 @@ static void ufs_qcom_remove(struct platform_device *pdev)
+ struct ufs_hba *hba = platform_get_drvdata(pdev);
+ struct ufs_qcom_host *host = ufshcd_get_variant(hba);
+
+- pm_runtime_get_sync(&(pdev)->dev);
+ ufshcd_pltfrm_remove(pdev);
+ if (host->esi_enabled)
+ platform_device_msi_free_irqs_all(hba->dev);
+diff --git a/drivers/ufs/host/ufs-sprd.c b/drivers/ufs/host/ufs-sprd.c
+index e455890cf7d4..d220978c2d8c 100644
+--- a/drivers/ufs/host/ufs-sprd.c
++++ b/drivers/ufs/host/ufs-sprd.c
+@@ -427,7 +427,6 @@ static int ufs_sprd_probe(struct platform_device *pdev)
+
+ static void ufs_sprd_remove(struct platform_device *pdev)
+ {
+- pm_runtime_get_sync(&(pdev)->dev);
+ ufshcd_pltfrm_remove(pdev);
+ }
+
+diff --git a/drivers/ufs/host/ufshcd-pltfrm.c b/drivers/ufs/host/ufshcd-pltfrm.c
+index bad5b1303eb6..b8dadd0a2f4c 100644
+--- a/drivers/ufs/host/ufshcd-pltfrm.c
++++ b/drivers/ufs/host/ufshcd-pltfrm.c
+@@ -532,8 +532,10 @@ void ufshcd_pltfrm_remove(struct platform_device *pdev)
+ {
+ struct ufs_hba *hba = platform_get_drvdata(pdev);
+
++ pm_runtime_get_sync(&pdev->dev);
+ ufshcd_remove(hba);
+ pm_runtime_disable(&pdev->dev);
++ pm_runtime_put_noidle(&pdev->dev);
+ }
+ EXPORT_SYMBOL_GPL(ufshcd_pltfrm_remove);
+
+--
+2.47.1
+
--- /dev/null
+From 64506b3d23a337e98a74b18dcb10c8619365f2bd Mon Sep 17 00:00:00 2001
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Date: Mon, 11 Nov 2024 23:18:31 +0530
+Subject: scsi: ufs: qcom: Only free platform MSIs when ESI is enabled
+
+From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+
+commit 64506b3d23a337e98a74b18dcb10c8619365f2bd upstream.
+
+Otherwise, it will result in a NULL pointer dereference as below:
+
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
+Call trace:
+ mutex_lock+0xc/0x54
+ platform_device_msi_free_irqs_all+0x14/0x20
+ ufs_qcom_remove+0x34/0x48 [ufs_qcom]
+ platform_remove+0x28/0x44
+ device_remove+0x4c/0x80
+ device_release_driver_internal+0xd8/0x178
+ driver_detach+0x50/0x9c
+ bus_remove_driver+0x6c/0xbc
+ driver_unregister+0x30/0x60
+ platform_driver_unregister+0x14/0x20
+ ufs_qcom_pltform_exit+0x18/0xb94 [ufs_qcom]
+ __arm64_sys_delete_module+0x180/0x260
+ invoke_syscall+0x44/0x100
+ el0_svc_common.constprop.0+0xc0/0xe0
+ do_el0_svc+0x1c/0x28
+ el0_svc+0x34/0xdc
+ el0t_64_sync_handler+0xc0/0xc4
+ el0t_64_sync+0x190/0x194
+
+Cc: stable@vger.kernel.org # 6.3
+Fixes: 519b6274a777 ("scsi: ufs: qcom: Add MCQ ESI config vendor specific ops")
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://lore.kernel.org/r/20241111-ufs_bug_fix-v1-2-45ad8b62f02e@linaro.org
+Reviewed-by: Bean Huo <beanhuo@micron.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ufs/host/ufs-qcom.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/ufs/host/ufs-qcom.c
++++ b/drivers/ufs/host/ufs-qcom.c
+@@ -1843,10 +1843,12 @@ static int ufs_qcom_probe(struct platfor
+ static void ufs_qcom_remove(struct platform_device *pdev)
+ {
+ struct ufs_hba *hba = platform_get_drvdata(pdev);
++ struct ufs_qcom_host *host = ufshcd_get_variant(hba);
+
+ pm_runtime_get_sync(&(pdev)->dev);
+ ufshcd_remove(hba);
+- platform_device_msi_free_irqs_all(hba->dev);
++ if (host->esi_enabled)
++ platform_device_msi_free_irqs_all(hba->dev);
+ }
+
+ static const struct of_device_id ufs_qcom_of_match[] __maybe_unused = {
rust-allow-clippy-needless_lifetimes.patch
hid-i2c-hid-revert-to-using-power-commands-to-wake-on-resume.patch
hid-wacom-fix-when-get-product-name-maybe-null-pointer.patch
+loongarch-add-architecture-specific-huge_pte_clear.patch
+loongarch-kvm-protect-kvm_check_requests-with-srcu.patch
+ksmbd-fix-out-of-bounds-read-in-ksmbd_vfs_stream_read.patch
+ksmbd-fix-out-of-bounds-write-in-ksmbd_vfs_stream_write.patch
+watchdog-rti-of-honor-timeout-sec-property.patch
+can-dev-can_set_termination-allow-sleeping-gpios.patch
+can-mcp251xfd-mcp251xfd_get_tef_len-work-around-erratum-ds80000789e-6.patch
+tracing-fix-cmp_entries_dup-to-respect-sort-comparison-rules.patch
+net-mana-request-a-v2-response-version-for-mana_query_gf_stat.patch
+iommufd-fix-out_fput-in-iommufd_fault_alloc.patch
+arm64-mm-fix-zone_dma_limit-calculation.patch
+arm64-ensure-bits-asid-are-masked-out-when-the-kernel-uses-8-bit-asids.patch
+arm64-ptrace-fix-partial-setregset-for-nt_arm_tagged_addr_ctrl.patch
+arm64-ptrace-fix-partial-setregset-for-nt_arm_fpmr.patch
+arm64-ptrace-fix-partial-setregset-for-nt_arm_poe.patch
+alsa-usb-audio-fix-a-dma-to-stack-memory-bug.patch
+alsa-usb-audio-add-extra-pid-for-rme-digiface-usb.patch
+alsa-hda-realtek-fix-micmute-leds-don-t-work-on-hp-laptops.patch
+alsa-usb-audio-add-mixer-mapping-for-corsair-hs80.patch
+alsa-hda-realtek-enable-mute-and-micmute-led-on-hp-probook-430-g8.patch
+alsa-hda-realtek-add-support-for-samsung-galaxy-book3-360-np730qfg.patch
+scsi-qla2xxx-fix-abort-in-bsg-timeout.patch
+scsi-qla2xxx-fix-nvme-and-npiv-connect-issue.patch
+scsi-qla2xxx-supported-speed-displayed-incorrectly-for-vports.patch
+scsi-qla2xxx-fix-use-after-free-on-unload.patch
+scsi-qla2xxx-remove-check-req_sg_cnt-should-be-equal-to-rsp_sg_cnt.patch
+scsi-ufs-core-sysfs-prevent-div-by-zero.patch
+scsi-ufs-core-cancel-rtc-work-during-ufshcd_remove.patch
+scsi-ufs-qcom-only-free-platform-msis-when-esi-is-enabled.patch
+scsi-ufs-pltfrm-disable-runtime-pm-during-removal-of-glue-drivers.patch
+scsi-ufs-core-add-missing-post-notify-for-power-mode-change.patch
+nilfs2-fix-potential-out-of-bounds-memory-access-in-nilfs_find_entry.patch
+fs-smb-client-avoid-querying-smb2_op_query_wsl_ea-for-smb3-posix.patch
+fs-smb-client-implement-new-smb3-posix-type.patch
+fs-smb-client-cifs_prime_dcache-for-smb3-posix-reparse-points.patch
+smb3.1.1-fix-posix-mounts-to-older-servers.patch
+io_uring-change-res2-parameter-type-in-io_uring_cmd_done.patch
+bcache-revert-replacing-is_err_or_null-with-is_err-again.patch
+revert-readahead-properly-shorten-readahead-when-falling-back-to-do_page_cache_ra.patch
+pmdomain-imx-gpcv2-adjust-delay-after-power-up-handshake.patch
+scsi-ufs-pltfrm-drop-pm-runtime-reference-count-after-ufshcd_remove.patch
--- /dev/null
+From ddca5023091588eb303e3c0097d95c325992d05f Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Wed, 4 Dec 2024 17:46:00 -0600
+Subject: smb3.1.1: fix posix mounts to older servers
+
+From: Steve French <stfrench@microsoft.com>
+
+commit ddca5023091588eb303e3c0097d95c325992d05f upstream.
+
+Some servers which implement the SMB3.1.1 POSIX extensions did not
+set the file type in the mode in the infolevel 100 response.
+With the recent changes for checking the file type via the mode field,
+this can cause the root directory to be reported incorrectly and
+mounts (e.g. to ksmbd) to fail.
+
+Fixes: 6a832bc8bbb2 ("fs/smb/client: Implement new SMB3 POSIX type")
+Cc: stable@vger.kernel.org
+Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
+Cc: Ralph Boehme <slow@samba.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/cifsproto.h | 2 +-
+ fs/smb/client/inode.c | 11 ++++++++---
+ fs/smb/client/readdir.c | 3 ++-
+ 3 files changed, 11 insertions(+), 5 deletions(-)
+
+--- a/fs/smb/client/cifsproto.h
++++ b/fs/smb/client/cifsproto.h
+@@ -677,7 +677,7 @@ int __cifs_sfu_make_node(unsigned int xi
+ int cifs_sfu_make_node(unsigned int xid, struct inode *inode,
+ struct dentry *dentry, struct cifs_tcon *tcon,
+ const char *full_path, umode_t mode, dev_t dev);
+-umode_t wire_mode_to_posix(u32 wire);
++umode_t wire_mode_to_posix(u32 wire, bool is_dir);
+
+ #ifdef CONFIG_CIFS_DFS_UPCALL
+ static inline int get_dfs_path(const unsigned int xid, struct cifs_ses *ses,
+--- a/fs/smb/client/inode.c
++++ b/fs/smb/client/inode.c
+@@ -792,13 +792,17 @@ static u32 wire_filetype_to_posix(u32 wi
+ return posix_filetypes[wire_type];
+ }
+
+-umode_t wire_mode_to_posix(u32 wire)
++umode_t wire_mode_to_posix(u32 wire, bool is_dir)
+ {
+ u32 wire_type;
+ u32 mode;
+
+ wire_type = (wire & POSIX_FILETYPE_MASK) >> POSIX_FILETYPE_SHIFT;
+- mode = (wire_perms_to_posix(wire) | wire_filetype_to_posix(wire_type));
++ /* older servers do not set POSIX file type in the mode field in the response */
++ if ((wire_type == 0) && is_dir)
++ mode = wire_perms_to_posix(wire) | S_IFDIR;
++ else
++ mode = (wire_perms_to_posix(wire) | wire_filetype_to_posix(wire_type));
+ return (umode_t)mode;
+ }
+
+@@ -838,7 +842,8 @@ static void smb311_posix_info_to_fattr(s
+ fattr->cf_bytes = le64_to_cpu(info->AllocationSize);
+ fattr->cf_createtime = le64_to_cpu(info->CreationTime);
+ fattr->cf_nlink = le32_to_cpu(info->HardLinks);
+- fattr->cf_mode = wire_mode_to_posix(le32_to_cpu(info->Mode));
++ fattr->cf_mode = wire_mode_to_posix(le32_to_cpu(info->Mode),
++ fattr->cf_cifsattrs & ATTR_DIRECTORY);
+
+ if (cifs_open_data_reparse(data) &&
+ cifs_reparse_point_to_fattr(cifs_sb, fattr, data))
+--- a/fs/smb/client/readdir.c
++++ b/fs/smb/client/readdir.c
+@@ -261,7 +261,8 @@ cifs_posix_to_fattr(struct cifs_fattr *f
+ fattr->cf_cifstag = le32_to_cpu(info->ReparseTag);
+
+ /* The Mode field in the response can now include the file type as well */
+- fattr->cf_mode = wire_mode_to_posix(le32_to_cpu(info->Mode));
++ fattr->cf_mode = wire_mode_to_posix(le32_to_cpu(info->Mode),
++ fattr->cf_cifsattrs & ATTR_DIRECTORY);
+ fattr->cf_dtype = S_DT(le32_to_cpu(info->Mode));
+
+ switch (fattr->cf_mode & S_IFMT) {
--- /dev/null
+From e63fbd5f6810ed756bbb8a1549c7d4132968baa9 Mon Sep 17 00:00:00 2001
+From: Kuan-Wei Chiu <visitorckw@gmail.com>
+Date: Wed, 4 Dec 2024 04:22:28 +0800
+Subject: tracing: Fix cmp_entries_dup() to respect sort() comparison rules
+
+From: Kuan-Wei Chiu <visitorckw@gmail.com>
+
+commit e63fbd5f6810ed756bbb8a1549c7d4132968baa9 upstream.
+
+The cmp_entries_dup() function used as the comparator for sort()
+violated the symmetry and transitivity properties required by the
+sorting algorithm. Specifically, it returned 1 whenever memcmp() was
+non-zero, which broke the following expectations:
+
+* Symmetry: If x < y, then y > x.
+* Transitivity: If x < y and y < z, then x < z.
+
+These violations could lead to incorrect sorting and failure to
+correctly identify duplicate elements.
+
+Fix the issue by directly returning the result of memcmp(), which
+adheres to the required comparison properties.
+
+Cc: stable@vger.kernel.org
+Fixes: 08d43a5fa063 ("tracing: Add lock-free tracing_map")
+Link: https://lore.kernel.org/20241203202228.1274403-1-visitorckw@gmail.com
+Signed-off-by: Kuan-Wei Chiu <visitorckw@gmail.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/tracing_map.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/kernel/trace/tracing_map.c
++++ b/kernel/trace/tracing_map.c
+@@ -845,15 +845,11 @@ int tracing_map_init(struct tracing_map
+ static int cmp_entries_dup(const void *A, const void *B)
+ {
+ const struct tracing_map_sort_entry *a, *b;
+- int ret = 0;
+
+ a = *(const struct tracing_map_sort_entry **)A;
+ b = *(const struct tracing_map_sort_entry **)B;
+
+- if (memcmp(a->key, b->key, a->elt->map->key_size))
+- ret = 1;
+-
+- return ret;
++ return memcmp(a->key, b->key, a->elt->map->key_size);
+ }
+
+ static int cmp_entries_sum(const void *A, const void *B)
--- /dev/null
+From 4962ee045d8f06638714d801ab0fb72f89c16690 Mon Sep 17 00:00:00 2001
+From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+Date: Thu, 7 Nov 2024 21:38:28 +0100
+Subject: watchdog: rti: of: honor timeout-sec property
+
+From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+
+commit 4962ee045d8f06638714d801ab0fb72f89c16690 upstream.
+
+Currently "timeout-sec" Device Tree property is being silently ignored:
+even though watchdog_init_timeout() is being used, the driver always passes
+"heartbeat" == DEFAULT_HEARTBEAT == 60 as argument.
+
+Fix this by setting struct watchdog_device::timeout to DEFAULT_HEARTBEAT
+and passing real module parameter value to watchdog_init_timeout() (which
+may now be 0 if not specified).
+
+Cc: stable@vger.kernel.org
+Fixes: 2d63908bdbfb ("watchdog: Add K3 RTI watchdog support")
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+Reviewed-by: Vignesh Raghavendra <vigneshr@ti.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/20241107203830.1068456-1-alexander.sverdlin@siemens.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/watchdog/rti_wdt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/watchdog/rti_wdt.c
++++ b/drivers/watchdog/rti_wdt.c
+@@ -61,7 +61,7 @@
+
+ #define MAX_HW_ERROR 250
+
+-static int heartbeat = DEFAULT_HEARTBEAT;
++static int heartbeat;
+
+ /*
+ * struct to hold data for each WDT device
+@@ -252,6 +252,7 @@ static int rti_wdt_probe(struct platform
+ wdd->min_timeout = 1;
+ wdd->max_hw_heartbeat_ms = (WDT_PRELOAD_MAX << WDT_PRELOAD_SHIFT) /
+ wdt->freq * 1000;
++ wdd->timeout = DEFAULT_HEARTBEAT;
+ wdd->parent = dev;
+
+ watchdog_set_drvdata(wdd, wdt);
projects / thirdparty / kernel / stable-queue.git / commitdiff
