--- /dev/null
+From stable+bounces-172406-greg=kroah.com@vger.kernel.org Fri Aug 22 16:10:40 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 10:10:30 -0400
+Subject: arm64: dts: ti: k3-am62-main: Remove eMMC High Speed DDR support
+To: stable@vger.kernel.org
+Cc: Judith Mendez <jm@ti.com>, Vignesh Raghavendra <vigneshr@ti.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250822141031.1253096-1-sashal@kernel.org>
+
+From: Judith Mendez <jm@ti.com>
+
+[ Upstream commit 265f70af805f33a0dfc90f50cc0f116f702c3811 ]
+
+For eMMC, High Speed DDR mode is not supported [0], so remove
+mmc-ddr-1_8v flag which adds the capability.
+
+[0] https://www.ti.com/lit/gpn/am625
+
+Fixes: c37c58fdeb8a ("arm64: dts: ti: k3-am62: Add more peripheral nodes")
+Cc: stable@vger.kernel.org
+Signed-off-by: Judith Mendez <jm@ti.com>
+Link: https://lore.kernel.org/r/20250707191250.3953990-1-jm@ti.com
+Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
+[ adapted context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/ti/k3-am62-main.dtsi | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/arm64/boot/dts/ti/k3-am62-main.dtsi
++++ b/arch/arm64/boot/dts/ti/k3-am62-main.dtsi
+@@ -386,7 +386,6 @@
+ clock-names = "clk_ahb", "clk_xin";
+ assigned-clocks = <&k3_clks 57 6>;
+ assigned-clock-parents = <&k3_clks 57 8>;
+- mmc-ddr-1_8v;
+ mmc-hs200-1_8v;
+ ti,trm-icp = <0x2>;
+ bus-width = <8>;
--- /dev/null
+From stable+bounces-172669-greg=kroah.com@vger.kernel.org Sun Aug 24 02:31:19 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Aug 2025 20:31:08 -0400
+Subject: drm/amd/display: Don't overclock DCE 6 by 15%
+To: stable@vger.kernel.org
+Cc: "Timur Kristóf" <timur.kristof@gmail.com>, "Alex Deucher" <alexander.deucher@amd.com>, "Rodrigo Siqueira" <siqueira@igalia.com>, "Alex Hung" <alex.hung@amd.com>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250824003109.2531974-1-sashal@kernel.org>
+
+From: Timur Kristóf <timur.kristof@gmail.com>
+
+[ Upstream commit cb7b7ae53b557d168b4af5cd8549f3eff920bfb5 ]
+
+The extra 15% clock was added as a workaround for a Polaris issue
+which uses DCE 11, and should not have been used on DCE 6 which
+is already hardcoded to the highest possible display clock.
+Unfortunately, the extra 15% was mistakenly copied and kept
+even on code paths which don't affect Polaris.
+
+This commit fixes that and also adds a check to make sure
+not to exceed the maximum DCE 6 display clock.
+
+Fixes: 8cd61c313d8b ("drm/amd/display: Raise dispclk value for Polaris")
+Fixes: dc88b4a684d2 ("drm/amd/display: make clk mgr soc specific")
+Fixes: 3ecb3b794e2c ("drm/amd/display: dc/clk_mgr: add support for SI parts (v2)")
+Signed-off-by: Timur Kristóf <timur.kristof@gmail.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Reviewed-by: Rodrigo Siqueira <siqueira@igalia.com>
+Reviewed-by: Alex Hung <alex.hung@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 427980c1cbd22bb256b9385f5ce73c0937562408)
+Cc: stable@vger.kernel.org
+[ `MIN` => `min` ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c
++++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dce60/dce60_clk_mgr.c
+@@ -112,11 +112,9 @@ static void dce60_update_clocks(struct c
+ {
+ struct clk_mgr_internal *clk_mgr_dce = TO_CLK_MGR_INTERNAL(clk_mgr_base);
+ struct dm_pp_power_level_change_request level_change_req;
+- int patched_disp_clk = context->bw_ctx.bw.dce.dispclk_khz;
+-
+- /*TODO: W/A for dal3 linux, investigate why this works */
+- if (!clk_mgr_dce->dfs_bypass_active)
+- patched_disp_clk = patched_disp_clk * 115 / 100;
++ const int max_disp_clk =
++ clk_mgr_dce->max_clks_by_state[DM_PP_CLOCKS_STATE_PERFORMANCE].display_clk_khz;
++ int patched_disp_clk = min(max_disp_clk, context->bw_ctx.bw.dce.dispclk_khz);
+
+ level_change_req.power_level = dce_get_required_clocks_state(clk_mgr_base, context);
+ /* get max clock state from PPLIB */
--- /dev/null
+From stable+bounces-172590-greg=kroah.com@vger.kernel.org Sat Aug 23 15:17:10 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Aug 2025 09:16:59 -0400
+Subject: drm/dp: Change AUX DPCD probe address from DPCD_REV to LANE0_1_STATUS
+To: stable@vger.kernel.org
+Cc: "Imre Deak" <imre.deak@intel.com>, "Ville Syrjälä" <ville.syrjala@linux.intel.com>, "Jani Nikula" <jani.nikula@linux.intel.com>, "Jani Nikula" <jani.nikula@intel.com>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250823131659.2118893-1-sashal@kernel.org>
+
+From: Imre Deak <imre.deak@intel.com>
+
+[ Upstream commit a40c5d727b8111b5db424a1e43e14a1dcce1e77f ]
+
+Reading DPCD registers has side-effects in general. In particular
+accessing registers outside of the link training register range
+(0x102-0x106, 0x202-0x207, 0x200c-0x200f, 0x2216) is explicitly
+forbidden by the DP v2.1 Standard, see
+
+3.6.5.1 DPTX AUX Transaction Handling Mandates
+3.6.7.4 128b/132b DP Link Layer LTTPR Link Training Mandates
+
+Based on my tests, accessing the DPCD_REV register during the link
+training of an UHBR TBT DP tunnel sink leads to link training failures.
+
+Solve the above by using the DP_LANE0_1_STATUS (0x202) register for the
+DPCD register access quirk.
+
+Cc: <stable@vger.kernel.org>
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Cc: Jani Nikula <jani.nikula@linux.intel.com>
+Acked-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Link: https://lore.kernel.org/r/20250605082850.65136-2-imre.deak@intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/display/drm_dp_helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/display/drm_dp_helper.c
++++ b/drivers/gpu/drm/display/drm_dp_helper.c
+@@ -663,7 +663,7 @@ ssize_t drm_dp_dpcd_read(struct drm_dp_a
+ * monitor doesn't power down exactly after the throw away read.
+ */
+ if (!aux->is_remote) {
+- ret = drm_dp_dpcd_probe(aux, DP_DPCD_REV);
++ ret = drm_dp_dpcd_probe(aux, DP_LANE0_1_STATUS);
+ if (ret < 0)
+ return ret;
+ }
--- /dev/null
+From stable+bounces-172471-greg=kroah.com@vger.kernel.org Fri Aug 22 19:03:15 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 13:01:24 -0400
+Subject: ext4: preserve SB_I_VERSION on remount
+To: stable@vger.kernel.org
+Cc: Baokun Li <libaokun1@huawei.com>, stable@kernel.org, Jan Kara <jack@suse.cz>, Theodore Ts'o <tytso@mit.edu>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250822170124.1319222-1-sashal@kernel.org>
+
+From: Baokun Li <libaokun1@huawei.com>
+
+[ Upstream commit f2326fd14a224e4cccbab89e14c52279ff79b7ec ]
+
+IMA testing revealed that after an ext4 remount, file accesses triggered
+full measurements even without modifications, instead of skipping as
+expected when i_version is unchanged.
+
+Debugging showed `SB_I_VERSION` was cleared in reconfigure_super() during
+remount due to commit 1ff20307393e ("ext4: unconditionally enable the
+i_version counter") removing the fix from commit 960e0ab63b2e ("ext4: fix
+i_version handling on remount").
+
+To rectify this, `SB_I_VERSION` is always set for `fc->sb_flags` in
+ext4_init_fs_context(), instead of `sb->s_flags` in __ext4_fill_super(),
+ensuring it persists across all mounts.
+
+Cc: stable@kernel.org
+Fixes: 1ff20307393e ("ext4: unconditionally enable the i_version counter")
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://patch.msgid.link/20250703073903.6952-2-libaokun@huaweicloud.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/super.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -1937,6 +1937,9 @@ int ext4_init_fs_context(struct fs_conte
+ fc->fs_private = ctx;
+ fc->ops = &ext4_context_ops;
+
++ /* i_version is always enabled now */
++ fc->sb_flags |= SB_I_VERSION;
++
+ return 0;
+ }
+
+@@ -5113,9 +5116,6 @@ static int __ext4_fill_super(struct fs_c
+ sb->s_flags = (sb->s_flags & ~SB_POSIXACL) |
+ (test_opt(sb, POSIX_ACL) ? SB_POSIXACL : 0);
+
+- /* i_version is always enabled now */
+- sb->s_flags |= SB_I_VERSION;
+-
+ if (ext4_check_feature_compatibility(sb, es, silent))
+ goto failed_mount;
+
--- /dev/null
+From stable+bounces-172540-greg=kroah.com@vger.kernel.org Sat Aug 23 04:50:20 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 22:50:09 -0400
+Subject: f2fs: fix to avoid out-of-boundary access in dnode page
+To: stable@vger.kernel.org
+Cc: Chao Yu <chao@kernel.org>, stable@kernel.org, Jiaming Zhang <r772577952@gmail.com>, Jaegeuk Kim <jaegeuk@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823025009.1694095-2-sashal@kernel.org>
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 77de19b6867f2740cdcb6c9c7e50d522b47847a4 ]
+
+As Jiaming Zhang reported:
+
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x1c1/0x2a0 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0x17e/0x800 mm/kasan/report.c:480
+ kasan_report+0x147/0x180 mm/kasan/report.c:593
+ data_blkaddr fs/f2fs/f2fs.h:3053 [inline]
+ f2fs_data_blkaddr fs/f2fs/f2fs.h:3058 [inline]
+ f2fs_get_dnode_of_data+0x1a09/0x1c40 fs/f2fs/node.c:855
+ f2fs_reserve_block+0x53/0x310 fs/f2fs/data.c:1195
+ prepare_write_begin fs/f2fs/data.c:3395 [inline]
+ f2fs_write_begin+0xf39/0x2190 fs/f2fs/data.c:3594
+ generic_perform_write+0x2c7/0x910 mm/filemap.c:4112
+ f2fs_buffered_write_iter fs/f2fs/file.c:4988 [inline]
+ f2fs_file_write_iter+0x1ec8/0x2410 fs/f2fs/file.c:5216
+ new_sync_write fs/read_write.c:593 [inline]
+ vfs_write+0x546/0xa90 fs/read_write.c:686
+ ksys_write+0x149/0x250 fs/read_write.c:738
+ do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
+ do_syscall_64+0xf3/0x3d0 arch/x86/entry/syscall_64.c:94
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+The root cause is in the corrupted image, there is a dnode has the same
+node id w/ its inode, so during f2fs_get_dnode_of_data(), it tries to
+access block address in dnode at offset 934, however it parses the dnode
+as inode node, so that get_dnode_addr() returns 360, then it tries to
+access page address from 360 + 934 * 4 = 4096 w/ 4 bytes.
+
+To fix this issue, let's add sanity check for node id of all direct nodes
+during f2fs_get_dnode_of_data().
+
+Cc: stable@kernel.org
+Reported-by: Jiaming Zhang <r772577952@gmail.com>
+Closes: https://groups.google.com/g/syzkaller/c/-ZnaaOOfO3M
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/node.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/fs/f2fs/node.c
++++ b/fs/f2fs/node.c
+@@ -797,6 +797,16 @@ int f2fs_get_dnode_of_data(struct dnode_
+ for (i = 1; i <= level; i++) {
+ bool done = false;
+
++ if (nids[i] && nids[i] == dn->inode->i_ino) {
++ err = -EFSCORRUPTED;
++ f2fs_err(sbi,
++ "inode mapping table is corrupted, run fsck to fix it, "
++ "ino:%lu, nid:%u, level:%d, offset:%d",
++ dn->inode->i_ino, nids[i], level, offset[level]);
++ set_sbi_flag(sbi, SBI_NEED_FSCK);
++ goto release_pages;
++ }
++
+ if (!nids[i] && mode == ALLOC_NODE) {
+ /* alloc new node */
+ if (!f2fs_alloc_nid(sbi, &(nids[i]))) {
--- /dev/null
+From stable+bounces-172539-greg=kroah.com@vger.kernel.org Sat Aug 23 04:50:35 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 22:50:08 -0400
+Subject: f2fs: fix to call clear_page_private_reference in .{release,invalid}_folio
+To: stable@vger.kernel.org
+Cc: Chao Yu <chao@kernel.org>, Jaegeuk Kim <jaegeuk@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823025009.1694095-1-sashal@kernel.org>
+
+From: Chao Yu <chao@kernel.org>
+
+[ Upstream commit 6779b5db90c5b925293f7ccc5ed5336c5b24ed50 ]
+
+b763f3bedc2d ("f2fs: restructure f2fs page.private layout") missed
+to call clear_page_private_reference() in .{release,invalid}_folio,
+fix it, though it's not a big deal since folio_detach_private() was
+called to clear all privae info and reference count in the page.
+
+BTW, remove page_private_reference() definition as it never be used.
+
+Signed-off-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Stable-dep-of: 77de19b6867f ("f2fs: fix to avoid out-of-boundary access in dnode page")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/data.c | 2 ++
+ fs/f2fs/f2fs.h | 1 -
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/f2fs/data.c
++++ b/fs/f2fs/data.c
+@@ -3729,6 +3729,7 @@ void f2fs_invalidate_folio(struct folio
+ }
+ }
+
++ clear_page_private_reference(&folio->page);
+ clear_page_private_gcing(&folio->page);
+
+ if (test_opt(sbi, COMPRESS_CACHE) &&
+@@ -3754,6 +3755,7 @@ bool f2fs_release_folio(struct folio *fo
+ clear_page_private_data(&folio->page);
+ }
+
++ clear_page_private_reference(&folio->page);
+ clear_page_private_gcing(&folio->page);
+
+ folio_detach_private(folio);
+--- a/fs/f2fs/f2fs.h
++++ b/fs/f2fs/f2fs.h
+@@ -1428,7 +1428,6 @@ static inline void clear_page_private_##
+ }
+
+ PAGE_PRIVATE_GET_FUNC(nonpointer, NOT_POINTER);
+-PAGE_PRIVATE_GET_FUNC(reference, REF_RESOURCE);
+ PAGE_PRIVATE_GET_FUNC(inline, INLINE_INODE);
+ PAGE_PRIVATE_GET_FUNC(gcing, ONGOING_MIGRATION);
+ PAGE_PRIVATE_GET_FUNC(atomic, ATOMIC_WRITE);
--- /dev/null
+From stable+bounces-172672-greg=kroah.com@vger.kernel.org Sun Aug 24 02:36:36 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Aug 2025 20:36:26 -0400
+Subject: mm/memory-failure: fix infinite UCE for VM_PFNMAP pfn
+To: stable@vger.kernel.org
+Cc: Jinjiang Tu <tujinjiang@huawei.com>, David Hildenbrand <david@redhat.com>, Miaohe Lin <linmiaohe@huawei.com>, Jane Chu <jane.chu@oracle.com>, Kefeng Wang <wangkefeng.wang@huawei.com>, Naoya Horiguchi <nao.horiguchi@gmail.com>, Oscar Salvador <osalvador@suse.de>, Shuai Xue <xueshuai@linux.alibaba.com>, Zi Yan <ziy@nvidia.com>, Andrew Morton <akpm@linux-foundation.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250824003626.2559323-1-sashal@kernel.org>
+
+From: Jinjiang Tu <tujinjiang@huawei.com>
+
+[ Upstream commit 2e6053fea379806269c4f7f5e36b523c9c0fb35c ]
+
+When memory_failure() is called for a already hwpoisoned pfn,
+kill_accessing_process() will be called to kill current task. However, if
+the vma of the accessing vaddr is VM_PFNMAP, walk_page_range() will skip
+the vma in walk_page_test() and return 0.
+
+Before commit aaf99ac2ceb7 ("mm/hwpoison: do not send SIGBUS to processes
+with recovered clean pages"), kill_accessing_process() will return EFAULT.
+For x86, the current task will be killed in kill_me_maybe().
+
+However, after this commit, kill_accessing_process() simplies return 0,
+that means UCE is handled properly, but it doesn't actually. In such
+case, the user task will trigger UCE infinitely.
+
+To fix it, add .test_walk callback for hwpoison_walk_ops to scan all vmas.
+
+Link: https://lkml.kernel.org/r/20250815073209.1984582-1-tujinjiang@huawei.com
+Fixes: aaf99ac2ceb7 ("mm/hwpoison: do not send SIGBUS to processes with recovered clean pages")
+Signed-off-by: Jinjiang Tu <tujinjiang@huawei.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Acked-by: Miaohe Lin <linmiaohe@huawei.com>
+Reviewed-by: Jane Chu <jane.chu@oracle.com>
+Cc: Kefeng Wang <wangkefeng.wang@huawei.com>
+Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: Shuai Xue <xueshuai@linux.alibaba.com>
+Cc: Zi Yan <ziy@nvidia.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+[ Adjust context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/memory-failure.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/mm/memory-failure.c
++++ b/mm/memory-failure.c
+@@ -731,9 +731,17 @@ static int hwpoison_hugetlb_range(pte_t
+ #define hwpoison_hugetlb_range NULL
+ #endif
+
++static int hwpoison_test_walk(unsigned long start, unsigned long end,
++ struct mm_walk *walk)
++{
++ /* We also want to consider pages mapped into VM_PFNMAP. */
++ return 0;
++}
++
+ static const struct mm_walk_ops hwp_walk_ops = {
+ .pmd_entry = hwpoison_pte_range,
+ .hugetlb_entry = hwpoison_hugetlb_range,
++ .test_walk = hwpoison_test_walk,
+ };
+
+ /*
--- /dev/null
+From stable+bounces-172655-greg=kroah.com@vger.kernel.org Sat Aug 23 18:55:13 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Aug 2025 12:55:03 -0400
+Subject: mmc: sdhci-pci-gli: Add a new function to simplify the code
+To: stable@vger.kernel.org
+Cc: Victor Shih <victor.shih@genesyslogic.com.tw>, Adrian Hunter <adrian.hunter@intel.com>, Ulf Hansson <ulf.hansson@linaro.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823165504.2340548-2-sashal@kernel.org>
+
+From: Victor Shih <victor.shih@genesyslogic.com.tw>
+
+[ Upstream commit dec8b38be4b35cae5f7fa086daf2631e2cfa09c1 ]
+
+In preparation to fix replay timer timeout, add
+sdhci_gli_mask_replay_timer_timeout() function
+to simplify some of the code, allowing it to be re-used.
+
+Signed-off-by: Victor Shih <victor.shih@genesyslogic.com.tw>
+Fixes: 1ae1d2d6e555 ("mmc: sdhci-pci-gli: Add Genesys Logic GL9763E support")
+Cc: stable@vger.kernel.org
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/20250731065752.450231-2-victorshihgli@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Stable-dep-of: 340be332e420 ("mmc: sdhci-pci-gli: GL9763e: Mask the replay timer timeout of AER")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-pci-gli.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/mmc/host/sdhci-pci-gli.c
++++ b/drivers/mmc/host/sdhci-pci-gli.c
+@@ -156,6 +156,20 @@
+ #define GLI_MAX_TUNING_LOOP 40
+
+ /* Genesys Logic chipset */
++static void sdhci_gli_mask_replay_timer_timeout(struct pci_dev *pdev)
++{
++ int aer;
++ u32 value;
++
++ /* mask the replay timer timeout of AER */
++ aer = pci_find_ext_capability(pdev, PCI_EXT_CAP_ID_ERR);
++ if (aer) {
++ pci_read_config_dword(pdev, aer + PCI_ERR_COR_MASK, &value);
++ value |= PCI_ERR_COR_REP_TIMER;
++ pci_write_config_dword(pdev, aer + PCI_ERR_COR_MASK, value);
++ }
++}
++
+ static inline void gl9750_wt_on(struct sdhci_host *host)
+ {
+ u32 wt_value;
--- /dev/null
+From stable+bounces-172656-greg=kroah.com@vger.kernel.org Sat Aug 23 18:55:40 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Aug 2025 12:55:04 -0400
+Subject: mmc: sdhci-pci-gli: GL9763e: Mask the replay timer timeout of AER
+To: stable@vger.kernel.org
+Cc: Victor Shih <victor.shih@genesyslogic.com.tw>, Adrian Hunter <adrian.hunter@intel.com>, Ulf Hansson <ulf.hansson@linaro.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823165504.2340548-3-sashal@kernel.org>
+
+From: Victor Shih <victor.shih@genesyslogic.com.tw>
+
+[ Upstream commit 340be332e420ed37d15d4169a1b4174e912ad6cb ]
+
+Due to a flaw in the hardware design, the GL9763e replay timer frequently
+times out when ASPM is enabled. As a result, the warning messages will
+often appear in the system log when the system accesses the GL9763e
+PCI config. Therefore, the replay timer timeout must be masked.
+
+Signed-off-by: Victor Shih <victor.shih@genesyslogic.com.tw>
+Fixes: 1ae1d2d6e555 ("mmc: sdhci-pci-gli: Add Genesys Logic GL9763E support")
+Cc: stable@vger.kernel.org
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Link: https://lore.kernel.org/r/20250731065752.450231-4-victorshihgli@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-pci-gli.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/mmc/host/sdhci-pci-gli.c
++++ b/drivers/mmc/host/sdhci-pci-gli.c
+@@ -988,6 +988,9 @@ static void gl9763e_hw_setting(struct sd
+ value |= FIELD_PREP(GLI_9763E_HS400_RXDLY, GLI_9763E_HS400_RXDLY_5);
+ pci_write_config_dword(pdev, PCIE_GLI_9763E_CLKRXDLY, value);
+
++ /* mask the replay timer timeout of AER */
++ sdhci_gli_mask_replay_timer_timeout(pdev);
++
+ pci_read_config_dword(pdev, PCIE_GLI_9763E_VHS, &value);
+ value &= ~GLI_9763E_VHS_REV;
+ value |= FIELD_PREP(GLI_9763E_VHS_REV, GLI_9763E_VHS_REV_R);
--- /dev/null
+From stable+bounces-172654-greg=kroah.com@vger.kernel.org Sat Aug 23 18:55:28 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Aug 2025 12:55:02 -0400
+Subject: mmc: sdhci-pci-gli: Use PCI AER definitions, not hard-coded values
+To: stable@vger.kernel.org
+Cc: Bjorn Helgaas <bhelgaas@google.com>, Ulf Hansson <ulf.hansson@linaro.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823165504.2340548-1-sashal@kernel.org>
+
+From: Bjorn Helgaas <bhelgaas@google.com>
+
+[ Upstream commit 951b7ccc54591ba48755b5e0c7fc8b9623a64640 ]
+
+015c9cbcf0ad ("mmc: sdhci-pci-gli: GL9750: Mask the replay timer timeout of
+AER") added PCI_GLI_9750_CORRERR_MASK, the offset of the AER Capability in
+config space, and PCI_GLI_9750_CORRERR_MASK_REPLAY_TIMER_TIMEOUT, the
+Replay Timer Timeout bit in the AER Correctable Error Status register.
+
+Use pci_find_ext_capability() to locate the AER Capability and use the
+existing PCI_ERR_COR_REP_TIMER definition to mask the bit.
+
+This removes a little bit of unnecessarily device-specific code and makes
+AER-related things more greppable.
+
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Link: https://lore.kernel.org/r/20240327214831.1544595-2-helgaas@kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-pci-gli.c | 12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+--- a/drivers/mmc/host/sdhci-pci-gli.c
++++ b/drivers/mmc/host/sdhci-pci-gli.c
+@@ -27,8 +27,6 @@
+ #define PCI_GLI_9750_PM_CTRL 0xFC
+ #define PCI_GLI_9750_PM_STATE GENMASK(1, 0)
+
+-#define PCI_GLI_9750_CORRERR_MASK 0x214
+-#define PCI_GLI_9750_CORRERR_MASK_REPLAY_TIMER_TIMEOUT BIT(12)
+
+ #define SDHCI_GLI_9750_CFG2 0x848
+ #define SDHCI_GLI_9750_CFG2_L1DLY GENMASK(28, 24)
+@@ -154,8 +152,6 @@
+ #define PCI_GLI_9755_PM_CTRL 0xFC
+ #define PCI_GLI_9755_PM_STATE GENMASK(1, 0)
+
+-#define PCI_GLI_9755_CORRERR_MASK 0x214
+-#define PCI_GLI_9755_CORRERR_MASK_REPLAY_TIMER_TIMEOUT BIT(12)
+
+ #define GLI_MAX_TUNING_LOOP 40
+
+@@ -501,9 +497,7 @@ static void gl9750_hw_setting(struct sdh
+ pci_write_config_dword(pdev, PCI_GLI_9750_PM_CTRL, value);
+
+ /* mask the replay timer timeout of AER */
+- pci_read_config_dword(pdev, PCI_GLI_9750_CORRERR_MASK, &value);
+- value |= PCI_GLI_9750_CORRERR_MASK_REPLAY_TIMER_TIMEOUT;
+- pci_write_config_dword(pdev, PCI_GLI_9750_CORRERR_MASK, value);
++ sdhci_gli_mask_replay_timer_timeout(pdev);
+
+ gl9750_wt_off(host);
+ }
+@@ -715,9 +709,7 @@ static void gl9755_hw_setting(struct sdh
+ pci_write_config_dword(pdev, PCI_GLI_9755_PM_CTRL, value);
+
+ /* mask the replay timer timeout of AER */
+- pci_read_config_dword(pdev, PCI_GLI_9755_CORRERR_MASK, &value);
+- value |= PCI_GLI_9755_CORRERR_MASK_REPLAY_TIMER_TIMEOUT;
+- pci_write_config_dword(pdev, PCI_GLI_9755_CORRERR_MASK, value);
++ sdhci_gli_mask_replay_timer_timeout(pdev);
+
+ gl9755_wt_off(pdev);
+ }
--- /dev/null
+From stable+bounces-172614-greg=kroah.com@vger.kernel.org Sat Aug 23 16:56:29 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Aug 2025 10:55:34 -0400
+Subject: mptcp: disable add_addr retransmission when timeout is 0
+To: stable@vger.kernel.org
+Cc: Geliang Tang <tanggeliang@kylinos.cn>, Matthieu Baerts <matttbe@kernel.org>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823145534.2259284-1-sashal@kernel.org>
+
+From: Geliang Tang <tanggeliang@kylinos.cn>
+
+[ Upstream commit f5ce0714623cffd00bf2a83e890d09c609b7f50a ]
+
+When add_addr_timeout was set to 0, this caused the ADD_ADDR to be
+retransmitted immediately, which looks like a buggy behaviour. Instead,
+interpret 0 as "no retransmissions needed".
+
+The documentation is updated to explicitly state that setting the timeout
+to 0 disables retransmission.
+
+Fixes: 93f323b9cccc ("mptcp: add a new sysctl add_addr_timeout")
+Cc: stable@vger.kernel.org
+Suggested-by: Matthieu Baerts <matttbe@kernel.org>
+Signed-off-by: Geliang Tang <tanggeliang@kylinos.cn>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20250815-net-mptcp-misc-fixes-6-17-rc2-v1-5-521fe9957892@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ Apply to net/mptcp/pm_netlink.c , structural changes in mptcp_pm_alloc_anno_list ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/networking/mptcp-sysctl.rst | 2 ++
+ net/mptcp/pm_netlink.c | 18 ++++++++++++------
+ 2 files changed, 14 insertions(+), 6 deletions(-)
+
+--- a/Documentation/networking/mptcp-sysctl.rst
++++ b/Documentation/networking/mptcp-sysctl.rst
+@@ -20,6 +20,8 @@ add_addr_timeout - INTEGER (seconds)
+ resent to an MPTCP peer that has not acknowledged a previous
+ ADD_ADDR message.
+
++ Do not retransmit if set to 0.
++
+ The default value matches TCP_RTO_MAX. This is a per-namespace
+ sysctl.
+
+--- a/net/mptcp/pm_netlink.c
++++ b/net/mptcp/pm_netlink.c
+@@ -304,6 +304,7 @@ static void mptcp_pm_add_timer(struct ti
+ struct mptcp_pm_add_entry *entry = from_timer(entry, timer, add_timer);
+ struct mptcp_sock *msk = entry->sock;
+ struct sock *sk = (struct sock *)msk;
++ unsigned int timeout;
+
+ pr_debug("msk=%p\n", msk);
+
+@@ -321,6 +322,10 @@ static void mptcp_pm_add_timer(struct ti
+ goto out;
+ }
+
++ timeout = mptcp_get_add_addr_timeout(sock_net(sk));
++ if (!timeout)
++ goto out;
++
+ spin_lock_bh(&msk->pm.lock);
+
+ if (!mptcp_pm_should_add_signal_addr(msk)) {
+@@ -332,7 +337,7 @@ static void mptcp_pm_add_timer(struct ti
+
+ if (entry->retrans_times < ADD_ADDR_RETRANS_MAX)
+ sk_reset_timer(sk, timer,
+- jiffies + mptcp_get_add_addr_timeout(sock_net(sk)));
++ jiffies + timeout);
+
+ spin_unlock_bh(&msk->pm.lock);
+
+@@ -374,6 +379,7 @@ bool mptcp_pm_alloc_anno_list(struct mpt
+ struct mptcp_pm_add_entry *add_entry = NULL;
+ struct sock *sk = (struct sock *)msk;
+ struct net *net = sock_net(sk);
++ unsigned int timeout;
+
+ lockdep_assert_held(&msk->pm.lock);
+
+@@ -383,9 +389,7 @@ bool mptcp_pm_alloc_anno_list(struct mpt
+ if (WARN_ON_ONCE(mptcp_pm_is_kernel(msk)))
+ return false;
+
+- sk_reset_timer(sk, &add_entry->add_timer,
+- jiffies + mptcp_get_add_addr_timeout(net));
+- return true;
++ goto reset_timer;
+ }
+
+ add_entry = kmalloc(sizeof(*add_entry), GFP_ATOMIC);
+@@ -399,8 +403,10 @@ bool mptcp_pm_alloc_anno_list(struct mpt
+ add_entry->retrans_times = 0;
+
+ timer_setup(&add_entry->add_timer, mptcp_pm_add_timer, 0);
+- sk_reset_timer(sk, &add_entry->add_timer,
+- jiffies + mptcp_get_add_addr_timeout(net));
++reset_timer:
++ timeout = mptcp_get_add_addr_timeout(net);
++ if (timeout)
++ sk_reset_timer(sk, &add_entry->add_timer, jiffies + timeout);
+
+ return true;
+ }
--- /dev/null
+From stable+bounces-172607-greg=kroah.com@vger.kernel.org Sat Aug 23 16:34:14 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 23 Aug 2025 10:34:06 -0400
+Subject: mptcp: remove duplicate sk_reset_timer call
+To: stable@vger.kernel.org
+Cc: Geliang Tang <geliang@kernel.org>, Geliang Tang <tanggeliang@kylinos.cn>, "Matthieu Baerts (NGI0)" <matttbe@kernel.org>, Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250823143406.2247894-1-sashal@kernel.org>
+
+From: Geliang Tang <geliang@kernel.org>
+
+[ Upstream commit 5d13349472ac8abcbcb94407969aa0fdc2e1f1be ]
+
+sk_reset_timer() was called twice in mptcp_pm_alloc_anno_list.
+
+Simplify the code by using a 'goto' statement to eliminate the
+duplication.
+
+Note that this is not a fix, but it will help backporting the following
+patch. The same "Fixes" tag has been added for this reason.
+
+Fixes: 93f323b9cccc ("mptcp: add a new sysctl add_addr_timeout")
+Cc: stable@vger.kernel.org
+Signed-off-by: Geliang Tang <tanggeliang@kylinos.cn>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20250815-net-mptcp-misc-fixes-6-17-rc2-v1-4-521fe9957892@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+[ adjusted function location from pm.c to pm_netlink.c ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/pm_netlink.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c
+index 3391d4df2dbb..1f22c434d122 100644
+--- a/net/mptcp/pm_netlink.c
++++ b/net/mptcp/pm_netlink.c
+@@ -383,9 +383,7 @@ bool mptcp_pm_alloc_anno_list(struct mptcp_sock *msk,
+ if (WARN_ON_ONCE(mptcp_pm_is_kernel(msk)))
+ return false;
+
+- sk_reset_timer(sk, &add_entry->add_timer,
+- jiffies + mptcp_get_add_addr_timeout(net));
+- return true;
++ goto reset_timer;
+ }
+
+ add_entry = kmalloc(sizeof(*add_entry), GFP_ATOMIC);
+@@ -399,6 +397,7 @@ bool mptcp_pm_alloc_anno_list(struct mptcp_sock *msk,
+ add_entry->retrans_times = 0;
+
+ timer_setup(&add_entry->add_timer, mptcp_pm_add_timer, 0);
++reset_timer:
+ sk_reset_timer(sk, &add_entry->add_timer,
+ jiffies + mptcp_get_add_addr_timeout(net));
+
+--
+2.50.1
+
--- /dev/null
+From stable+bounces-172521-greg=kroah.com@vger.kernel.org Fri Aug 22 22:55:57 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 16:55:44 -0400
+Subject: PCI: rockchip: Set Target Link Speed to 5.0 GT/s before retraining
+To: stable@vger.kernel.org
+Cc: Geraldo Nascimento <geraldogabriel@gmail.com>, Manivannan Sadhasivam <mani@kernel.org>, Bjorn Helgaas <bhelgaas@google.com>, Robin Murphy <robin.murphy@arm.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250822205544.1528134-2-sashal@kernel.org>
+
+From: Geraldo Nascimento <geraldogabriel@gmail.com>
+
+[ Upstream commit 114b06ee108cabc82b995fbac6672230a9776936 ]
+
+Rockchip controllers can support up to 5.0 GT/s link speed. But the driver
+doesn't set the Target Link Speed currently. This may cause failure in
+retraining the link to 5.0 GT/s if supported by the endpoint. So set the
+Target Link Speed to 5.0 GT/s in the Link Control and Status Register 2.
+
+Fixes: e77f847df54c ("PCI: rockchip: Add Rockchip PCIe controller support")
+Signed-off-by: Geraldo Nascimento <geraldogabriel@gmail.com>
+[mani: fixed whitespace warning, commit message rewording, added fixes tag]
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Tested-by: Robin Murphy <robin.murphy@arm.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/0afa6bc47b7f50e2e81b0b47d51c66feb0fb565f.1751322015.git.geraldogabriel@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/pcie-rockchip-host.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/pci/controller/pcie-rockchip-host.c
++++ b/drivers/pci/controller/pcie-rockchip-host.c
+@@ -342,6 +342,10 @@ static int rockchip_pcie_host_init_port(
+ * Enable retrain for gen2. This should be configured only after
+ * gen1 finished.
+ */
++ status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL2);
++ status &= ~PCI_EXP_LNKCTL2_TLS;
++ status |= PCI_EXP_LNKCTL2_TLS_5_0GT;
++ rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL2);
+ status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
+ status |= PCI_EXP_LNKCTL_RL;
+ rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
--- /dev/null
+From stable+bounces-172520-greg=kroah.com@vger.kernel.org Fri Aug 22 22:55:53 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 16:55:43 -0400
+Subject: PCI: rockchip: Use standard PCIe definitions
+To: stable@vger.kernel.org
+Cc: Geraldo Nascimento <geraldogabriel@gmail.com>, Bjorn Helgaas <bhelgaas@google.com>, Manivannan Sadhasivam <mani@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250822205544.1528134-1-sashal@kernel.org>
+
+From: Geraldo Nascimento <geraldogabriel@gmail.com>
+
+[ Upstream commit cbbfe9f683f0f9b6a1da2eaa53b995a4b5961086 ]
+
+Current code uses custom-defined register offsets and bitfields for the
+standard PCIe registers. This creates duplication as the PCI header already
+defines them. So, switch to using the standard PCIe definitions and drop
+the custom ones.
+
+Suggested-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Geraldo Nascimento <geraldogabriel@gmail.com>
+[mani: commit message rewording]
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+[bhelgaas: include bitfield.h]
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Link: https://patch.msgid.link/e81700ef4b49f584bc8834bfb07b6d8995fc1f42.1751322015.git.geraldogabriel@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/controller/pcie-rockchip-host.c | 45 ++++++++++++++--------------
+ drivers/pci/controller/pcie-rockchip.h | 11 ------
+ 2 files changed, 24 insertions(+), 32 deletions(-)
+
+--- a/drivers/pci/controller/pcie-rockchip-host.c
++++ b/drivers/pci/controller/pcie-rockchip-host.c
+@@ -11,6 +11,7 @@
+ * ARM PCI Host generic driver.
+ */
+
++#include <linux/bitfield.h>
+ #include <linux/bitrev.h>
+ #include <linux/clk.h>
+ #include <linux/delay.h>
+@@ -43,18 +44,18 @@ static void rockchip_pcie_enable_bw_int(
+ {
+ u32 status;
+
+- status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_LCS);
++ status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
+ status |= (PCI_EXP_LNKCTL_LBMIE | PCI_EXP_LNKCTL_LABIE);
+- rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_LCS);
++ rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
+ }
+
+ static void rockchip_pcie_clr_bw_int(struct rockchip_pcie *rockchip)
+ {
+ u32 status;
+
+- status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_LCS);
++ status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
+ status |= (PCI_EXP_LNKSTA_LBMS | PCI_EXP_LNKSTA_LABS) << 16;
+- rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_LCS);
++ rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
+ }
+
+ static void rockchip_pcie_update_txcredit_mui(struct rockchip_pcie *rockchip)
+@@ -272,7 +273,7 @@ static void rockchip_pcie_set_power_limi
+ scale = 3; /* 0.001x */
+ curr = curr / 1000; /* convert to mA */
+ power = (curr * 3300) / 1000; /* milliwatt */
+- while (power > PCIE_RC_CONFIG_DCR_CSPL_LIMIT) {
++ while (power > FIELD_MAX(PCI_EXP_DEVCAP_PWR_VAL)) {
+ if (!scale) {
+ dev_warn(rockchip->dev, "invalid power supply\n");
+ return;
+@@ -281,10 +282,10 @@ static void rockchip_pcie_set_power_limi
+ power = power / 10;
+ }
+
+- status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_DCR);
+- status |= (power << PCIE_RC_CONFIG_DCR_CSPL_SHIFT) |
+- (scale << PCIE_RC_CONFIG_DCR_CPLS_SHIFT);
+- rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_DCR);
++ status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_CR + PCI_EXP_DEVCAP);
++ status |= FIELD_PREP(PCI_EXP_DEVCAP_PWR_VAL, power);
++ status |= FIELD_PREP(PCI_EXP_DEVCAP_PWR_SCL, scale);
++ rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_CR + PCI_EXP_DEVCAP);
+ }
+
+ /**
+@@ -312,14 +313,14 @@ static int rockchip_pcie_host_init_port(
+ rockchip_pcie_set_power_limit(rockchip);
+
+ /* Set RC's clock architecture as common clock */
+- status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_LCS);
++ status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
+ status |= PCI_EXP_LNKSTA_SLC << 16;
+- rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_LCS);
++ rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
+
+ /* Set RC's RCB to 128 */
+- status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_LCS);
++ status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
+ status |= PCI_EXP_LNKCTL_RCB;
+- rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_LCS);
++ rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
+
+ /* Enable Gen1 training */
+ rockchip_pcie_write(rockchip, PCIE_CLIENT_LINK_TRAIN_ENABLE,
+@@ -341,9 +342,9 @@ static int rockchip_pcie_host_init_port(
+ * Enable retrain for gen2. This should be configured only after
+ * gen1 finished.
+ */
+- status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_LCS);
++ status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
+ status |= PCI_EXP_LNKCTL_RL;
+- rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_LCS);
++ rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCTL);
+
+ err = readl_poll_timeout(rockchip->apb_base + PCIE_CORE_CTRL,
+ status, PCIE_LINK_IS_GEN2(status), 20,
+@@ -380,15 +381,15 @@ static int rockchip_pcie_host_init_port(
+
+ /* Clear L0s from RC's link cap */
+ if (of_property_read_bool(dev->of_node, "aspm-no-l0s")) {
+- status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_LINK_CAP);
+- status &= ~PCIE_RC_CONFIG_LINK_CAP_L0S;
+- rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_LINK_CAP);
++ status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCAP);
++ status &= ~PCI_EXP_LNKCAP_ASPM_L0S;
++ rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_CR + PCI_EXP_LNKCAP);
+ }
+
+- status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_DCSR);
+- status &= ~PCIE_RC_CONFIG_DCSR_MPS_MASK;
+- status |= PCIE_RC_CONFIG_DCSR_MPS_256;
+- rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_DCSR);
++ status = rockchip_pcie_read(rockchip, PCIE_RC_CONFIG_CR + PCI_EXP_DEVCTL);
++ status &= ~PCI_EXP_DEVCTL_PAYLOAD;
++ status |= PCI_EXP_DEVCTL_PAYLOAD_256B;
++ rockchip_pcie_write(rockchip, status, PCIE_RC_CONFIG_CR + PCI_EXP_DEVCTL);
+
+ return 0;
+ err_power_off_phy:
+--- a/drivers/pci/controller/pcie-rockchip.h
++++ b/drivers/pci/controller/pcie-rockchip.h
+@@ -144,16 +144,7 @@
+ #define PCIE_EP_CONFIG_BASE 0xa00000
+ #define PCIE_EP_CONFIG_DID_VID (PCIE_EP_CONFIG_BASE + 0x00)
+ #define PCIE_RC_CONFIG_RID_CCR (PCIE_RC_CONFIG_BASE + 0x08)
+-#define PCIE_RC_CONFIG_DCR (PCIE_RC_CONFIG_BASE + 0xc4)
+-#define PCIE_RC_CONFIG_DCR_CSPL_SHIFT 18
+-#define PCIE_RC_CONFIG_DCR_CSPL_LIMIT 0xff
+-#define PCIE_RC_CONFIG_DCR_CPLS_SHIFT 26
+-#define PCIE_RC_CONFIG_DCSR (PCIE_RC_CONFIG_BASE + 0xc8)
+-#define PCIE_RC_CONFIG_DCSR_MPS_MASK GENMASK(7, 5)
+-#define PCIE_RC_CONFIG_DCSR_MPS_256 (0x1 << 5)
+-#define PCIE_RC_CONFIG_LINK_CAP (PCIE_RC_CONFIG_BASE + 0xcc)
+-#define PCIE_RC_CONFIG_LINK_CAP_L0S BIT(10)
+-#define PCIE_RC_CONFIG_LCS (PCIE_RC_CONFIG_BASE + 0xd0)
++#define PCIE_RC_CONFIG_CR (PCIE_RC_CONFIG_BASE + 0xc0)
+ #define PCIE_RC_CONFIG_L1_SUBSTATE_CTRL2 (PCIE_RC_CONFIG_BASE + 0x90c)
+ #define PCIE_RC_CONFIG_THP_CAP (PCIE_RC_CONFIG_BASE + 0x274)
+ #define PCIE_RC_CONFIG_THP_CAP_NEXT_MASK GENMASK(31, 20)
--- /dev/null
+From stable+bounces-172455-greg=kroah.com@vger.kernel.org Fri Aug 22 17:14:06 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 11:10:12 -0400
+Subject: scsi: mpi3mr: Drop unnecessary volatile from __iomem pointers
+To: stable@vger.kernel.org
+Cc: Ranjan Kumar <ranjan.kumar@broadcom.com>, "Martin K. Petersen" <martin.petersen@oracle.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250822151013.1280211-1-sashal@kernel.org>
+
+From: Ranjan Kumar <ranjan.kumar@broadcom.com>
+
+[ Upstream commit 6853885b21cb1d7157cc14c9d30cc17141565bae ]
+
+The volatile qualifier is redundant for __iomem pointers.
+
+Cleaned up usage in mpi3mr_writeq() and sysif_regs pointer as per
+Upstream compliance.
+
+Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
+Link: https://lore.kernel.org/r/20250627194539.48851-3-ranjan.kumar@broadcom.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Stable-dep-of: c91e140c82eb ("scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/mpi3mr/mpi3mr.h | 2 +-
+ drivers/scsi/mpi3mr/mpi3mr_fw.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/mpi3mr/mpi3mr.h
++++ b/drivers/scsi/mpi3mr/mpi3mr.h
+@@ -1035,7 +1035,7 @@ struct mpi3mr_ioc {
+ char name[MPI3MR_NAME_LENGTH];
+ char driver_name[MPI3MR_NAME_LENGTH];
+
+- volatile struct mpi3_sysif_registers __iomem *sysif_regs;
++ struct mpi3_sysif_registers __iomem *sysif_regs;
+ resource_size_t sysif_regs_phys;
+ int bars;
+ u64 dma_mask;
+--- a/drivers/scsi/mpi3mr/mpi3mr_fw.c
++++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c
+@@ -23,12 +23,12 @@ module_param(poll_queues, int, 0444);
+ MODULE_PARM_DESC(poll_queues, "Number of queues for io_uring poll mode. (Range 1 - 126)");
+
+ #if defined(writeq) && defined(CONFIG_64BIT)
+-static inline void mpi3mr_writeq(__u64 b, volatile void __iomem *addr)
++static inline void mpi3mr_writeq(__u64 b, void __iomem *addr)
+ {
+ writeq(b, addr);
+ }
+ #else
+-static inline void mpi3mr_writeq(__u64 b, volatile void __iomem *addr)
++static inline void mpi3mr_writeq(__u64 b, void __iomem *addr)
+ {
+ __u64 data_out = b;
+
--- /dev/null
+From stable+bounces-172456-greg=kroah.com@vger.kernel.org Fri Aug 22 17:17:59 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 11:10:13 -0400
+Subject: scsi: mpi3mr: Serialize admin queue BAR writes on 32-bit systems
+To: stable@vger.kernel.org
+Cc: Ranjan Kumar <ranjan.kumar@broadcom.com>, "Martin K. Petersen" <martin.petersen@oracle.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250822151013.1280211-2-sashal@kernel.org>
+
+From: Ranjan Kumar <ranjan.kumar@broadcom.com>
+
+[ Upstream commit c91e140c82eb58724c435f623702e51cc7896646 ]
+
+On 32-bit systems, 64-bit BAR writes to admin queue registers are
+performed as two 32-bit writes. Without locking, this can cause partial
+writes when accessed concurrently.
+
+Updated per-queue spinlocks is used to serialize these writes and prevent
+race conditions.
+
+Fixes: 824a156633df ("scsi: mpi3mr: Base driver code")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ranjan Kumar <ranjan.kumar@broadcom.com>
+Link: https://lore.kernel.org/r/20250627194539.48851-4-ranjan.kumar@broadcom.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/mpi3mr/mpi3mr.h | 4 ++++
+ drivers/scsi/mpi3mr/mpi3mr_fw.c | 15 +++++++++++----
+ drivers/scsi/mpi3mr/mpi3mr_os.c | 2 ++
+ 3 files changed, 17 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/mpi3mr/mpi3mr.h
++++ b/drivers/scsi/mpi3mr/mpi3mr.h
+@@ -1005,6 +1005,8 @@ struct scmd_priv {
+ * @logdata_buf: Circular buffer to store log data entries
+ * @logdata_buf_idx: Index of entry in buffer to store
+ * @logdata_entry_sz: log data entry size
++ * @adm_req_q_bar_writeq_lock: Admin request queue lock
++ * @adm_reply_q_bar_writeq_lock: Admin reply queue lock
+ * @pend_large_data_sz: Counter to track pending large data
+ * @io_throttle_data_length: I/O size to track in 512b blocks
+ * @io_throttle_high: I/O size to start throttle in 512b blocks
+@@ -1186,6 +1188,8 @@ struct mpi3mr_ioc {
+ u8 *logdata_buf;
+ u16 logdata_buf_idx;
+ u16 logdata_entry_sz;
++ spinlock_t adm_req_q_bar_writeq_lock;
++ spinlock_t adm_reply_q_bar_writeq_lock;
+
+ atomic_t pend_large_data_sz;
+ u32 io_throttle_data_length;
+--- a/drivers/scsi/mpi3mr/mpi3mr_fw.c
++++ b/drivers/scsi/mpi3mr/mpi3mr_fw.c
+@@ -23,17 +23,22 @@ module_param(poll_queues, int, 0444);
+ MODULE_PARM_DESC(poll_queues, "Number of queues for io_uring poll mode. (Range 1 - 126)");
+
+ #if defined(writeq) && defined(CONFIG_64BIT)
+-static inline void mpi3mr_writeq(__u64 b, void __iomem *addr)
++static inline void mpi3mr_writeq(__u64 b, void __iomem *addr,
++ spinlock_t *write_queue_lock)
+ {
+ writeq(b, addr);
+ }
+ #else
+-static inline void mpi3mr_writeq(__u64 b, void __iomem *addr)
++static inline void mpi3mr_writeq(__u64 b, void __iomem *addr,
++ spinlock_t *write_queue_lock)
+ {
+ __u64 data_out = b;
++ unsigned long flags;
+
++ spin_lock_irqsave(write_queue_lock, flags);
+ writel((u32)(data_out), addr);
+ writel((u32)(data_out >> 32), (addr + 4));
++ spin_unlock_irqrestore(write_queue_lock, flags);
+ }
+ #endif
+
+@@ -2662,9 +2667,11 @@ static int mpi3mr_setup_admin_qpair(stru
+ (mrioc->num_admin_req);
+ writel(num_admin_entries, &mrioc->sysif_regs->admin_queue_num_entries);
+ mpi3mr_writeq(mrioc->admin_req_dma,
+- &mrioc->sysif_regs->admin_request_queue_address);
++ &mrioc->sysif_regs->admin_request_queue_address,
++ &mrioc->adm_req_q_bar_writeq_lock);
+ mpi3mr_writeq(mrioc->admin_reply_dma,
+- &mrioc->sysif_regs->admin_reply_queue_address);
++ &mrioc->sysif_regs->admin_reply_queue_address,
++ &mrioc->adm_reply_q_bar_writeq_lock);
+ writel(mrioc->admin_req_pi, &mrioc->sysif_regs->admin_request_queue_pi);
+ writel(mrioc->admin_reply_ci, &mrioc->sysif_regs->admin_reply_queue_ci);
+ return retval;
+--- a/drivers/scsi/mpi3mr/mpi3mr_os.c
++++ b/drivers/scsi/mpi3mr/mpi3mr_os.c
+@@ -4966,6 +4966,8 @@ mpi3mr_probe(struct pci_dev *pdev, const
+ spin_lock_init(&mrioc->tgtdev_lock);
+ spin_lock_init(&mrioc->watchdog_lock);
+ spin_lock_init(&mrioc->chain_buf_lock);
++ spin_lock_init(&mrioc->adm_req_q_bar_writeq_lock);
++ spin_lock_init(&mrioc->adm_reply_q_bar_writeq_lock);
+ spin_lock_init(&mrioc->sas_node_lock);
+
+ INIT_LIST_HEAD(&mrioc->fwevt_list);
--- /dev/null
+From stable+bounces-172474-greg=kroah.com@vger.kernel.org Fri Aug 22 19:06:56 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 13:06:46 -0400
+Subject: scsi: ufs: exynos: Fix programming of HCI_UTRL_NEXUS_TYPE
+To: stable@vger.kernel.org
+Cc: "André Draszik" <andre.draszik@linaro.org>, "Bart Van Assche" <bvanassche@acm.org>, "Peter Griffin" <peter.griffin@linaro.org>, "Martin K. Petersen" <martin.petersen@oracle.com>, "Sasha Levin" <sashal@kernel.org>
+Message-ID: <20250822170646.1321395-1-sashal@kernel.org>
+
+From: André Draszik <andre.draszik@linaro.org>
+
+[ Upstream commit 01aad16c2257ab8ff33b152b972c9f2e1af47912 ]
+
+On Google gs101, the number of UTP transfer request slots (nutrs) is 32,
+and in this case the driver ends up programming the UTRL_NEXUS_TYPE
+incorrectly as 0.
+
+This is because the left hand side of the shift is 1, which is of type
+int, i.e. 31 bits wide. Shifting by more than that width results in
+undefined behaviour.
+
+Fix this by switching to the BIT() macro, which applies correct type
+casting as required. This ensures the correct value is written to
+UTRL_NEXUS_TYPE (0xffffffff on gs101), and it also fixes a UBSAN shift
+warning:
+
+ UBSAN: shift-out-of-bounds in drivers/ufs/host/ufs-exynos.c:1113:21
+ shift exponent 32 is too large for 32-bit type 'int'
+
+For consistency, apply the same change to the nutmrs / UTMRL_NEXUS_TYPE
+write.
+
+Fixes: 55f4b1f73631 ("scsi: ufs: ufs-exynos: Add UFS host support for Exynos SoCs")
+Cc: stable@vger.kernel.org
+Signed-off-by: André Draszik <andre.draszik@linaro.org>
+Link: https://lore.kernel.org/r/20250707-ufs-exynos-shift-v1-1-1418e161ae40@linaro.org
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Reviewed-by: Peter Griffin <peter.griffin@linaro.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+[ Adapted context ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ufs/host/ufs-exynos.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/ufs/host/ufs-exynos.c
++++ b/drivers/ufs/host/ufs-exynos.c
+@@ -1028,8 +1028,8 @@ static int exynos_ufs_post_link(struct u
+ hci_writel(ufs, 0xa, HCI_DATA_REORDER);
+ hci_writel(ufs, PRDT_SET_SIZE(12), HCI_TXPRDT_ENTRY_SIZE);
+ hci_writel(ufs, PRDT_SET_SIZE(12), HCI_RXPRDT_ENTRY_SIZE);
+- hci_writel(ufs, (1 << hba->nutrs) - 1, HCI_UTRL_NEXUS_TYPE);
+- hci_writel(ufs, (1 << hba->nutmrs) - 1, HCI_UTMRL_NEXUS_TYPE);
++ hci_writel(ufs, BIT(hba->nutrs) - 1, HCI_UTRL_NEXUS_TYPE);
++ hci_writel(ufs, BIT(hba->nutmrs) - 1, HCI_UTMRL_NEXUS_TYPE);
+ hci_writel(ufs, 0xf, HCI_AXIDMA_RWDATA_BURST_LEN);
+
+ if (ufs->opts & EXYNOS_UFS_OPT_SKIP_CONNECTION_ESTAB)
usb-storage-ignore-driver-cd-mode-for-realtek-multi-mode-wi-fi-dongles.patch
usb-dwc3-ignore-late-xfernotready-event-to-prevent-halt-timeout.patch
usb-dwc3-remove-warn_on-for-device-endpoint-command-timeouts.patch
+arm64-dts-ti-k3-am62-main-remove-emmc-high-speed-ddr-support.patch
+scsi-ufs-exynos-fix-programming-of-hci_utrl_nexus_type.patch
+ext4-preserve-sb_i_version-on-remount.patch
+scsi-mpi3mr-drop-unnecessary-volatile-from-__iomem-pointers.patch
+scsi-mpi3mr-serialize-admin-queue-bar-writes-on-32-bit-systems.patch
+pci-rockchip-use-standard-pcie-definitions.patch
+pci-rockchip-set-target-link-speed-to-5.0-gt-s-before-retraining.patch
+soc-qcom-mdt_loader-enhance-split-binary-detection.patch
+soc-qcom-mdt_loader-ensure-we-don-t-read-past-the-elf-header.patch
+f2fs-fix-to-call-clear_page_private_reference-in-.-release-invalid-_folio.patch
+f2fs-fix-to-avoid-out-of-boundary-access-in-dnode-page.patch
+mptcp-disable-add_addr-retransmission-when-timeout-is-0.patch
+drm-dp-change-aux-dpcd-probe-address-from-dpcd_rev-to-lane0_1_status.patch
+mmc-sdhci-pci-gli-use-pci-aer-definitions-not-hard-coded-values.patch
+mmc-sdhci-pci-gli-add-a-new-function-to-simplify-the-code.patch
+mmc-sdhci-pci-gli-gl9763e-mask-the-replay-timer-timeout-of-aer.patch
+mm-memory-failure-fix-infinite-uce-for-vm_pfnmap-pfn.patch
+drm-amd-display-don-t-overclock-dce-6-by-15.patch
+mptcp-remove-duplicate-sk_reset_timer-call.patch
--- /dev/null
+From stable+bounces-172478-greg=kroah.com@vger.kernel.org Fri Aug 22 19:20:12 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 13:20:04 -0400
+Subject: soc: qcom: mdt_loader: Enhance split binary detection
+To: stable@vger.kernel.org
+Cc: Gokul krishna Krishnakumar <quic_gokukris@quicinc.com>, Melody Olvera <quic_molvera@quicinc.com>, Bjorn Andersson <andersson@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250822172005.1328408-1-sashal@kernel.org>
+
+From: Gokul krishna Krishnakumar <quic_gokukris@quicinc.com>
+
+[ Upstream commit 210d12c8197a551caa2979be421aa42381156aec ]
+
+It may be that the offset of the first program header lies inside the mdt's
+filesize, in this case the loader would incorrectly assume that the bins
+were not split and in this scenario the firmware authentication fails.
+This change updates the logic used by the mdt loader to understand whether
+the firmware images are split or not. It figures this out by checking if
+each programs header's segment lies within the file or not.
+
+Co-developed-by: Melody Olvera <quic_molvera@quicinc.com>
+Signed-off-by: Melody Olvera <quic_molvera@quicinc.com>
+Signed-off-by: Gokul krishna Krishnakumar <quic_gokukris@quicinc.com>
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Link: https://lore.kernel.org/r/20230509001821.24010-1-quic_gokukris@quicinc.com
+Stable-dep-of: 9f9967fed9d0 ("soc: qcom: mdt_loader: Ensure we don't read past the ELF header")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/qcom/mdt_loader.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+--- a/drivers/soc/qcom/mdt_loader.c
++++ b/drivers/soc/qcom/mdt_loader.c
+@@ -264,6 +264,26 @@ out:
+ }
+ EXPORT_SYMBOL_GPL(qcom_mdt_pas_init);
+
++static bool qcom_mdt_bins_are_split(const struct firmware *fw, const char *fw_name)
++{
++ const struct elf32_phdr *phdrs;
++ const struct elf32_hdr *ehdr;
++ uint64_t seg_start, seg_end;
++ int i;
++
++ ehdr = (struct elf32_hdr *)fw->data;
++ phdrs = (struct elf32_phdr *)(ehdr + 1);
++
++ for (i = 0; i < ehdr->e_phnum; i++) {
++ seg_start = phdrs[i].p_offset;
++ seg_end = phdrs[i].p_offset + phdrs[i].p_filesz;
++ if (seg_start > fw->size || seg_end > fw->size)
++ return true;
++ }
++
++ return false;
++}
++
+ static int __qcom_mdt_load(struct device *dev, const struct firmware *fw,
+ const char *fw_name, int pas_id, void *mem_region,
+ phys_addr_t mem_phys, size_t mem_size,
+@@ -276,6 +296,7 @@ static int __qcom_mdt_load(struct device
+ phys_addr_t min_addr = PHYS_ADDR_MAX;
+ ssize_t offset;
+ bool relocate = false;
++ bool is_split;
+ void *ptr;
+ int ret = 0;
+ int i;
+@@ -283,6 +304,7 @@ static int __qcom_mdt_load(struct device
+ if (!fw || !mem_region || !mem_phys || !mem_size)
+ return -EINVAL;
+
++ is_split = qcom_mdt_bins_are_split(fw, fw_name);
+ ehdr = (struct elf32_hdr *)fw->data;
+ phdrs = (struct elf32_phdr *)(ehdr + 1);
+
+@@ -336,8 +358,7 @@ static int __qcom_mdt_load(struct device
+
+ ptr = mem_region + offset;
+
+- if (phdr->p_filesz && phdr->p_offset < fw->size &&
+- phdr->p_offset + phdr->p_filesz <= fw->size) {
++ if (phdr->p_filesz && !is_split) {
+ /* Firmware is large enough to be non-split */
+ if (phdr->p_offset + phdr->p_filesz > fw->size) {
+ dev_err(dev, "file %s segment %d would be truncated\n",
--- /dev/null
+From stable+bounces-172480-greg=kroah.com@vger.kernel.org Fri Aug 22 19:20:15 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Aug 2025 13:20:05 -0400
+Subject: soc: qcom: mdt_loader: Ensure we don't read past the ELF header
+To: stable@vger.kernel.org
+Cc: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>, Doug Anderson <dianders@chromium.org>, Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>, Bjorn Andersson <andersson@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250822172005.1328408-2-sashal@kernel.org>
+
+From: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+
+[ Upstream commit 9f9967fed9d066ed3dae9372b45ffa4f6fccfeef ]
+
+When the MDT loader is used in remoteproc, the ELF header is sanitized
+beforehand, but that's not necessary the case for other clients.
+
+Validate the size of the firmware buffer to ensure that we don't read
+past the end as we iterate over the header. e_phentsize and e_shentsize
+are validated as well, to ensure that the assumptions about step size in
+the traversal are valid.
+
+Fixes: 2aad40d911ee ("remoteproc: Move qcom_mdt_loader into drivers/soc/qcom")
+Cc: stable@vger.kernel.org
+Reported-by: Doug Anderson <dianders@chromium.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250610-mdt-loader-validation-and-fixes-v2-1-f7073e9ab899@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/qcom/mdt_loader.c | 43 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 43 insertions(+)
+
+--- a/drivers/soc/qcom/mdt_loader.c
++++ b/drivers/soc/qcom/mdt_loader.c
+@@ -17,6 +17,37 @@
+ #include <linux/slab.h>
+ #include <linux/soc/qcom/mdt_loader.h>
+
++static bool mdt_header_valid(const struct firmware *fw)
++{
++ const struct elf32_hdr *ehdr;
++ size_t phend;
++ size_t shend;
++
++ if (fw->size < sizeof(*ehdr))
++ return false;
++
++ ehdr = (struct elf32_hdr *)fw->data;
++
++ if (memcmp(ehdr->e_ident, ELFMAG, SELFMAG))
++ return false;
++
++ if (ehdr->e_phentsize != sizeof(struct elf32_phdr))
++ return -EINVAL;
++
++ phend = size_add(size_mul(sizeof(struct elf32_phdr), ehdr->e_phnum), ehdr->e_phoff);
++ if (phend > fw->size)
++ return false;
++
++ if (ehdr->e_shentsize != sizeof(struct elf32_shdr))
++ return -EINVAL;
++
++ shend = size_add(size_mul(sizeof(struct elf32_shdr), ehdr->e_shnum), ehdr->e_shoff);
++ if (shend > fw->size)
++ return false;
++
++ return true;
++}
++
+ static bool mdt_phdr_valid(const struct elf32_phdr *phdr)
+ {
+ if (phdr->p_type != PT_LOAD)
+@@ -84,6 +115,9 @@ ssize_t qcom_mdt_get_size(const struct f
+ phys_addr_t max_addr = 0;
+ int i;
+
++ if (!mdt_header_valid(fw))
++ return -EINVAL;
++
+ ehdr = (struct elf32_hdr *)fw->data;
+ phdrs = (struct elf32_phdr *)(ehdr + 1);
+
+@@ -136,6 +170,9 @@ void *qcom_mdt_read_metadata(const struc
+ ssize_t ret;
+ void *data;
+
++ if (!mdt_header_valid(fw))
++ return ERR_PTR(-EINVAL);
++
+ ehdr = (struct elf32_hdr *)fw->data;
+ phdrs = (struct elf32_phdr *)(ehdr + 1);
+
+@@ -216,6 +253,9 @@ int qcom_mdt_pas_init(struct device *dev
+ int ret;
+ int i;
+
++ if (!mdt_header_valid(fw))
++ return -EINVAL;
++
+ ehdr = (struct elf32_hdr *)fw->data;
+ phdrs = (struct elf32_phdr *)(ehdr + 1);
+
+@@ -304,6 +344,9 @@ static int __qcom_mdt_load(struct device
+ if (!fw || !mem_region || !mem_phys || !mem_size)
+ return -EINVAL;
+
++ if (!mdt_header_valid(fw))
++ return -EINVAL;
++
+ is_split = qcom_mdt_bins_are_split(fw, fw_name);
+ ehdr = (struct elf32_hdr *)fw->data;
+ phdrs = (struct elf32_phdr *)(ehdr + 1);
projects / thirdparty / kernel / stable-queue.git / commitdiff
