--- /dev/null
+From 77a38607f2f8bdf5474ea2c3e1eae70d8905bd36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 14 Dec 2024 22:43:39 +0000
+Subject: arm64: dts: rockchip: add hevc power domain clock to rk3328
+
+From: Peter Geis <pgwipeout@gmail.com>
+
+[ Upstream commit 3699f2c43ea9984e00d70463f8c29baaf260ea97 ]
+
+There is a race condition at startup between disabling power domains not
+used and disabling clocks not used on the rk3328. When the clocks are
+disabled first, the hevc power domain fails to shut off leading to a
+splat of failures. Add the hevc core clock to the rk3328 power domain
+node to prevent this condition.
+
+rcu: INFO: rcu_sched detected expedited stalls on CPUs/tasks: { 3-.... }
+1087 jiffies s: 89 root: 0x8/.
+rcu: blocking rcu_node structures (internal RCU debug):
+Sending NMI from CPU 0 to CPUs 3:
+NMI backtrace for cpu 3
+CPU: 3 UID: 0 PID: 86 Comm: kworker/3:3 Not tainted 6.12.0-rc5+ #53
+Hardware name: Firefly ROC-RK3328-CC (DT)
+Workqueue: pm genpd_power_off_work_fn
+pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : regmap_unlock_spinlock+0x18/0x30
+lr : regmap_read+0x60/0x88
+sp : ffff800081123c00
+x29: ffff800081123c00 x28: ffff2fa4c62cad80 x27: 0000000000000000
+x26: ffffd74e6e660eb8 x25: ffff2fa4c62cae00 x24: 0000000000000040
+x23: ffffd74e6d2f3ab8 x22: 0000000000000001 x21: ffff800081123c74
+x20: 0000000000000000 x19: ffff2fa4c0412000 x18: 0000000000000000
+x17: 77202c31203d2065 x16: 6c6469203a72656c x15: 6c6f72746e6f632d
+x14: 7265776f703a6e6f x13: 2063766568206e69 x12: 616d6f64202c3431
+x11: 347830206f742030 x10: 3430303034783020 x9 : ffffd74e6c7369e0
+x8 : 3030316666206e69 x7 : 205d383738353733 x6 : 332e31202020205b
+x5 : ffffd74e6c73fc88 x4 : ffffd74e6c73fcd4 x3 : ffffd74e6c740b40
+x2 : ffff800080015484 x1 : 0000000000000000 x0 : ffff2fa4c0412000
+Call trace:
+regmap_unlock_spinlock+0x18/0x30
+rockchip_pmu_set_idle_request+0xac/0x2c0
+rockchip_pd_power+0x144/0x5f8
+rockchip_pd_power_off+0x1c/0x30
+_genpd_power_off+0x9c/0x180
+genpd_power_off.part.0.isra.0+0x130/0x2a8
+genpd_power_off_work_fn+0x6c/0x98
+process_one_work+0x170/0x3f0
+worker_thread+0x290/0x4a8
+kthread+0xec/0xf8
+ret_from_fork+0x10/0x20
+rockchip-pm-domain ff100000.syscon:power-controller: failed to get ack on domain 'hevc', val=0x88220
+
+Fixes: 52e02d377a72 ("arm64: dts: rockchip: add core dtsi file for RK3328 SoCs")
+Signed-off-by: Peter Geis <pgwipeout@gmail.com>
+Reviewed-by: Dragan Simic <dsimic@manjaro.org>
+Link: https://lore.kernel.org/r/20241214224339.24674-1-pgwipeout@gmail.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3328.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm64/boot/dts/rockchip/rk3328.dtsi b/arch/arm64/boot/dts/rockchip/rk3328.dtsi
+index f73cb7667bab..93ef90315cda 100644
+--- a/arch/arm64/boot/dts/rockchip/rk3328.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3328.dtsi
+@@ -302,6 +302,7 @@
+
+ power-domain@RK3328_PD_HEVC {
+ reg = <RK3328_PD_HEVC>;
++ clocks = <&cru SCLK_VENC_CORE>;
+ #power-domain-cells = <0>;
+ };
+ power-domain@RK3328_PD_VIDEO {
+--
+2.39.5
+
--- /dev/null
+From fc2acb94faf4941b26c2a2c6c0939526558b9394 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Jan 2025 16:41:48 +0800
+Subject: block, bfq: fix waker_bfqq UAF after bfq_split_bfqq()
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit fcede1f0a043ccefe9bc6ad57f12718e42f63f1d ]
+
+Our syzkaller report a following UAF for v6.6:
+
+BUG: KASAN: slab-use-after-free in bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958
+Read of size 8 at addr ffff8881b57147d8 by task fsstress/232726
+
+CPU: 2 PID: 232726 Comm: fsstress Not tainted 6.6.0-g3629d1885222 #39
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106
+ print_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364
+ print_report+0x3e/0x70 mm/kasan/report.c:475
+ kasan_report+0xb8/0xf0 mm/kasan/report.c:588
+ hlist_add_head include/linux/list.h:1023 [inline]
+ bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958
+ bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271
+ bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323
+ blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660
+ blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143
+ __submit_bio+0xa0/0x6b0 block/blk-core.c:639
+ __submit_bio_noacct_mq block/blk-core.c:718 [inline]
+ submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747
+ submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847
+ __ext4_read_bh fs/ext4/super.c:205 [inline]
+ ext4_read_bh+0x15e/0x2e0 fs/ext4/super.c:230
+ __read_extent_tree_block+0x304/0x6f0 fs/ext4/extents.c:567
+ ext4_find_extent+0x479/0xd20 fs/ext4/extents.c:947
+ ext4_ext_map_blocks+0x1a3/0x2680 fs/ext4/extents.c:4182
+ ext4_map_blocks+0x929/0x15a0 fs/ext4/inode.c:660
+ ext4_iomap_begin_report+0x298/0x480 fs/ext4/inode.c:3569
+ iomap_iter+0x3dd/0x1010 fs/iomap/iter.c:91
+ iomap_fiemap+0x1f4/0x360 fs/iomap/fiemap.c:80
+ ext4_fiemap+0x181/0x210 fs/ext4/extents.c:5051
+ ioctl_fiemap.isra.0+0x1b4/0x290 fs/ioctl.c:220
+ do_vfs_ioctl+0x31c/0x11a0 fs/ioctl.c:811
+ __do_sys_ioctl fs/ioctl.c:869 [inline]
+ __se_sys_ioctl+0xae/0x190 fs/ioctl.c:857
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x78/0xe2
+
+Allocated by task 232719:
+ kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
+ kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+ __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328
+ kasan_slab_alloc include/linux/kasan.h:188 [inline]
+ slab_post_alloc_hook mm/slab.h:768 [inline]
+ slab_alloc_node mm/slub.c:3492 [inline]
+ kmem_cache_alloc_node+0x1b8/0x6f0 mm/slub.c:3537
+ bfq_get_queue+0x215/0x1f00 block/bfq-iosched.c:5869
+ bfq_get_bfqq_handle_split+0x167/0x5f0 block/bfq-iosched.c:6776
+ bfq_init_rq+0x13a4/0x17a0 block/bfq-iosched.c:6938
+ bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271
+ bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323
+ blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660
+ blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143
+ __submit_bio+0xa0/0x6b0 block/blk-core.c:639
+ __submit_bio_noacct_mq block/blk-core.c:718 [inline]
+ submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747
+ submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847
+ __ext4_read_bh fs/ext4/super.c:205 [inline]
+ ext4_read_bh_nowait+0x15a/0x240 fs/ext4/super.c:217
+ ext4_read_bh_lock+0xac/0xd0 fs/ext4/super.c:242
+ ext4_bread_batch+0x268/0x500 fs/ext4/inode.c:958
+ __ext4_find_entry+0x448/0x10f0 fs/ext4/namei.c:1671
+ ext4_lookup_entry fs/ext4/namei.c:1774 [inline]
+ ext4_lookup.part.0+0x359/0x6f0 fs/ext4/namei.c:1842
+ ext4_lookup+0x72/0x90 fs/ext4/namei.c:1839
+ __lookup_slow+0x257/0x480 fs/namei.c:1696
+ lookup_slow fs/namei.c:1713 [inline]
+ walk_component+0x454/0x5c0 fs/namei.c:2004
+ link_path_walk.part.0+0x773/0xda0 fs/namei.c:2331
+ link_path_walk fs/namei.c:3826 [inline]
+ path_openat+0x1b9/0x520 fs/namei.c:3826
+ do_filp_open+0x1b7/0x400 fs/namei.c:3857
+ do_sys_openat2+0x5dc/0x6e0 fs/open.c:1428
+ do_sys_open fs/open.c:1443 [inline]
+ __do_sys_openat fs/open.c:1459 [inline]
+ __se_sys_openat fs/open.c:1454 [inline]
+ __x64_sys_openat+0x148/0x200 fs/open.c:1454
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x78/0xe2
+
+Freed by task 232726:
+ kasan_save_stack+0x22/0x50 mm/kasan/common.c:45
+ kasan_set_track+0x25/0x30 mm/kasan/common.c:52
+ kasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522
+ ____kasan_slab_free mm/kasan/common.c:236 [inline]
+ __kasan_slab_free+0x12a/0x1b0 mm/kasan/common.c:244
+ kasan_slab_free include/linux/kasan.h:164 [inline]
+ slab_free_hook mm/slub.c:1827 [inline]
+ slab_free_freelist_hook mm/slub.c:1853 [inline]
+ slab_free mm/slub.c:3820 [inline]
+ kmem_cache_free+0x110/0x760 mm/slub.c:3842
+ bfq_put_queue+0x6a7/0xfb0 block/bfq-iosched.c:5428
+ bfq_forget_entity block/bfq-wf2q.c:634 [inline]
+ bfq_put_idle_entity+0x142/0x240 block/bfq-wf2q.c:645
+ bfq_forget_idle+0x189/0x1e0 block/bfq-wf2q.c:671
+ bfq_update_vtime block/bfq-wf2q.c:1280 [inline]
+ __bfq_lookup_next_entity block/bfq-wf2q.c:1374 [inline]
+ bfq_lookup_next_entity+0x350/0x480 block/bfq-wf2q.c:1433
+ bfq_update_next_in_service+0x1c0/0x4f0 block/bfq-wf2q.c:128
+ bfq_deactivate_entity+0x10a/0x240 block/bfq-wf2q.c:1188
+ bfq_deactivate_bfqq block/bfq-wf2q.c:1592 [inline]
+ bfq_del_bfqq_busy+0x2e8/0xad0 block/bfq-wf2q.c:1659
+ bfq_release_process_ref+0x1cc/0x220 block/bfq-iosched.c:3139
+ bfq_split_bfqq+0x481/0xdf0 block/bfq-iosched.c:6754
+ bfq_init_rq+0xf29/0x17a0 block/bfq-iosched.c:6934
+ bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271
+ bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323
+ blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660
+ blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143
+ __submit_bio+0xa0/0x6b0 block/blk-core.c:639
+ __submit_bio_noacct_mq block/blk-core.c:718 [inline]
+ submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747
+ submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847
+ __ext4_read_bh fs/ext4/super.c:205 [inline]
+ ext4_read_bh+0x15e/0x2e0 fs/ext4/super.c:230
+ __read_extent_tree_block+0x304/0x6f0 fs/ext4/extents.c:567
+ ext4_find_extent+0x479/0xd20 fs/ext4/extents.c:947
+ ext4_ext_map_blocks+0x1a3/0x2680 fs/ext4/extents.c:4182
+ ext4_map_blocks+0x929/0x15a0 fs/ext4/inode.c:660
+ ext4_iomap_begin_report+0x298/0x480 fs/ext4/inode.c:3569
+ iomap_iter+0x3dd/0x1010 fs/iomap/iter.c:91
+ iomap_fiemap+0x1f4/0x360 fs/iomap/fiemap.c:80
+ ext4_fiemap+0x181/0x210 fs/ext4/extents.c:5051
+ ioctl_fiemap.isra.0+0x1b4/0x290 fs/ioctl.c:220
+ do_vfs_ioctl+0x31c/0x11a0 fs/ioctl.c:811
+ __do_sys_ioctl fs/ioctl.c:869 [inline]
+ __se_sys_ioctl+0xae/0x190 fs/ioctl.c:857
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81
+ entry_SYSCALL_64_after_hwframe+0x78/0xe2
+
+commit 1ba0403ac644 ("block, bfq: fix uaf for accessing waker_bfqq after
+splitting") fix the problem that if waker_bfqq is in the merge chain,
+and current is the only procress, waker_bfqq can be freed from
+bfq_split_bfqq(). However, the case that waker_bfqq is not in the merge
+chain is missed, and if the procress reference of waker_bfqq is 0,
+waker_bfqq can be freed as well.
+
+Fix the problem by checking procress reference if waker_bfqq is not in
+the merge_chain.
+
+Fixes: 1ba0403ac644 ("block, bfq: fix uaf for accessing waker_bfqq after splitting")
+Signed-off-by: Hou Tao <houtao1@huawei.com>
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20250108084148.1549973-1-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/bfq-iosched.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
+index c985c944fa65..d830ed169e65 100644
+--- a/block/bfq-iosched.c
++++ b/block/bfq-iosched.c
+@@ -6577,16 +6577,24 @@ static struct bfq_queue *bfq_waker_bfqq(struct bfq_queue *bfqq)
+ if (new_bfqq == waker_bfqq) {
+ /*
+ * If waker_bfqq is in the merge chain, and current
+- * is the only procress.
++ * is the only process, waker_bfqq can be freed.
+ */
+ if (bfqq_process_refs(waker_bfqq) == 1)
+ return NULL;
+- break;
++
++ return waker_bfqq;
+ }
+
+ new_bfqq = new_bfqq->new_bfqq;
+ }
+
++ /*
++ * If waker_bfqq is not in the merge chain, and it's procress reference
++ * is 0, waker_bfqq can be freed.
++ */
++ if (bfqq_process_refs(waker_bfqq) == 0)
++ return NULL;
++
+ return waker_bfqq;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 7407923aaece553302f998ab37b56b0ce549f3fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 15 Feb 2022 18:11:27 -0800
+Subject: mptcp: drop port parameter of mptcp_pm_add_addr_signal
+
+From: Geliang Tang <geliang.tang@suse.com>
+
+[ Upstream commit af7939f390de17bde4a10a3bf0e337627fb42591 ]
+
+Drop the port parameter of mptcp_pm_add_addr_signal() and reflect it to
+avoid passing too many parameters.
+
+Signed-off-by: Geliang Tang <geliang.tang@suse.com>
+Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Stable-dep-of: cbb26f7d8451 ("mptcp: fix TCP options overflow.")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mptcp/options.c | 5 ++---
+ net/mptcp/pm.c | 7 ++++---
+ net/mptcp/protocol.h | 2 +-
+ 3 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/net/mptcp/options.c b/net/mptcp/options.c
+index e654701685a8..31bec175886c 100644
+--- a/net/mptcp/options.c
++++ b/net/mptcp/options.c
+@@ -651,7 +651,6 @@ static bool mptcp_established_options_add_addr(struct sock *sk, struct sk_buff *
+ bool drop_other_suboptions = false;
+ unsigned int opt_size = *size;
+ bool echo;
+- bool port;
+ int len;
+
+ /* add addr will strip the existing options, be sure to avoid breaking
+@@ -660,12 +659,12 @@ static bool mptcp_established_options_add_addr(struct sock *sk, struct sk_buff *
+ if (!mptcp_pm_should_add_signal(msk) ||
+ (opts->suboptions & (OPTION_MPTCP_MPJ_ACK | OPTION_MPTCP_MPC_ACK)) ||
+ !mptcp_pm_add_addr_signal(msk, skb, opt_size, remaining, &opts->addr,
+- &echo, &port, &drop_other_suboptions))
++ &echo, &drop_other_suboptions))
+ return false;
+
+ if (drop_other_suboptions)
+ remaining += opt_size;
+- len = mptcp_add_addr_len(opts->addr.family, echo, port);
++ len = mptcp_add_addr_len(opts->addr.family, echo, !!opts->addr.port);
+ if (remaining < len)
+ return false;
+
+diff --git a/net/mptcp/pm.c b/net/mptcp/pm.c
+index b14eb6bccd36..4fa31301fe84 100644
+--- a/net/mptcp/pm.c
++++ b/net/mptcp/pm.c
+@@ -265,11 +265,12 @@ void mptcp_pm_mp_fail_received(struct sock *sk, u64 fail_seq)
+ bool mptcp_pm_add_addr_signal(struct mptcp_sock *msk, const struct sk_buff *skb,
+ unsigned int opt_size, unsigned int remaining,
+ struct mptcp_addr_info *addr, bool *echo,
+- bool *port, bool *drop_other_suboptions)
++ bool *drop_other_suboptions)
+ {
+ int ret = false;
+ u8 add_addr;
+ u8 family;
++ bool port;
+
+ spin_lock_bh(&msk->pm.lock);
+
+@@ -287,10 +288,10 @@ bool mptcp_pm_add_addr_signal(struct mptcp_sock *msk, const struct sk_buff *skb,
+ }
+
+ *echo = mptcp_pm_should_add_signal_echo(msk);
+- *port = !!(*echo ? msk->pm.remote.port : msk->pm.local.port);
++ port = !!(*echo ? msk->pm.remote.port : msk->pm.local.port);
+
+ family = *echo ? msk->pm.remote.family : msk->pm.local.family;
+- if (remaining < mptcp_add_addr_len(family, *echo, *port))
++ if (remaining < mptcp_add_addr_len(family, *echo, port))
+ goto out_unlock;
+
+ if (*echo) {
+diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h
+index 8f5e5a66babf..6026f0bcdea6 100644
+--- a/net/mptcp/protocol.h
++++ b/net/mptcp/protocol.h
+@@ -823,7 +823,7 @@ static inline int mptcp_rm_addr_len(const struct mptcp_rm_list *rm_list)
+ bool mptcp_pm_add_addr_signal(struct mptcp_sock *msk, const struct sk_buff *skb,
+ unsigned int opt_size, unsigned int remaining,
+ struct mptcp_addr_info *addr, bool *echo,
+- bool *port, bool *drop_other_suboptions);
++ bool *drop_other_suboptions);
+ bool mptcp_pm_rm_addr_signal(struct mptcp_sock *msk, unsigned int remaining,
+ struct mptcp_rm_list *rm_list);
+ int mptcp_pm_get_local_id(struct mptcp_sock *msk, struct sock_common *skc);
+--
+2.39.5
+
--- /dev/null
+From dd019501221313c2d531443b7e10d6942ee49785 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 21 Dec 2024 09:51:46 +0100
+Subject: mptcp: fix TCP options overflow.
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+[ Upstream commit cbb26f7d8451fe56ccac802c6db48d16240feebd ]
+
+Syzbot reported the following splat:
+
+Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
+KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
+CPU: 1 UID: 0 PID: 5836 Comm: sshd Not tainted 6.13.0-rc3-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
+RIP: 0010:_compound_head include/linux/page-flags.h:242 [inline]
+RIP: 0010:put_page+0x23/0x260 include/linux/mm.h:1552
+Code: 90 90 90 90 90 90 90 55 41 57 41 56 53 49 89 fe 48 bd 00 00 00 00 00 fc ff df e8 f8 5e 12 f8 49 8d 5e 08 48 89 d8 48 c1 e8 03 <80> 3c 28 00 74 08 48 89 df e8 8f c7 78 f8 48 8b 1b 48 89 de 48 83
+RSP: 0000:ffffc90003916c90 EFLAGS: 00010202
+RAX: 0000000000000001 RBX: 0000000000000008 RCX: ffff888030458000
+RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000
+RBP: dffffc0000000000 R08: ffffffff898ca81d R09: 1ffff110054414ac
+R10: dffffc0000000000 R11: ffffed10054414ad R12: 0000000000000007
+R13: ffff88802a20a542 R14: 0000000000000000 R15: 0000000000000000
+FS: 00007f34f496e800(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007f9d6ec9ec28 CR3: 000000004d260000 CR4: 00000000003526f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ skb_page_unref include/linux/skbuff_ref.h:43 [inline]
+ __skb_frag_unref include/linux/skbuff_ref.h:56 [inline]
+ skb_release_data+0x483/0x8a0 net/core/skbuff.c:1119
+ skb_release_all net/core/skbuff.c:1190 [inline]
+ __kfree_skb+0x55/0x70 net/core/skbuff.c:1204
+ tcp_clean_rtx_queue net/ipv4/tcp_input.c:3436 [inline]
+ tcp_ack+0x2442/0x6bc0 net/ipv4/tcp_input.c:4032
+ tcp_rcv_state_process+0x8eb/0x44e0 net/ipv4/tcp_input.c:6805
+ tcp_v4_do_rcv+0x77d/0xc70 net/ipv4/tcp_ipv4.c:1939
+ tcp_v4_rcv+0x2dc0/0x37f0 net/ipv4/tcp_ipv4.c:2351
+ ip_protocol_deliver_rcu+0x22e/0x440 net/ipv4/ip_input.c:205
+ ip_local_deliver_finish+0x341/0x5f0 net/ipv4/ip_input.c:233
+ NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314
+ NF_HOOK+0x3a4/0x450 include/linux/netfilter.h:314
+ __netif_receive_skb_one_core net/core/dev.c:5672 [inline]
+ __netif_receive_skb+0x2bf/0x650 net/core/dev.c:5785
+ process_backlog+0x662/0x15b0 net/core/dev.c:6117
+ __napi_poll+0xcb/0x490 net/core/dev.c:6883
+ napi_poll net/core/dev.c:6952 [inline]
+ net_rx_action+0x89b/0x1240 net/core/dev.c:7074
+ handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561
+ __do_softirq kernel/softirq.c:595 [inline]
+ invoke_softirq kernel/softirq.c:435 [inline]
+ __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662
+ irq_exit_rcu+0x9/0x30 kernel/softirq.c:678
+ instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
+ sysvec_apic_timer_interrupt+0x57/0xc0 arch/x86/kernel/apic/apic.c:1049
+ asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
+RIP: 0033:0x7f34f4519ad5
+Code: 85 d2 74 0d 0f 10 02 48 8d 54 24 20 0f 11 44 24 20 64 8b 04 25 18 00 00 00 85 c0 75 27 41 b8 08 00 00 00 b8 0f 01 00 00 0f 05 <48> 3d 00 f0 ff ff 76 75 48 8b 15 24 73 0d 00 f7 d8 64 89 02 48 83
+RSP: 002b:00007ffec5b32ce0 EFLAGS: 00000246
+RAX: 0000000000000001 RBX: 00000000000668a0 RCX: 00007f34f4519ad5
+RDX: 00007ffec5b32d00 RSI: 0000000000000004 RDI: 0000564f4bc6cae0
+RBP: 0000564f4bc6b5a0 R08: 0000000000000008 R09: 0000000000000000
+R10: 00007ffec5b32de8 R11: 0000000000000246 R12: 0000564f48ea8aa4
+R13: 0000000000000001 R14: 0000564f48ea93e8 R15: 00007ffec5b32d68
+ </TASK>
+
+Eric noted a probable shinfo->nr_frags corruption, which indeed
+occurs.
+
+The root cause is a buggy MPTCP option len computation in some
+circumstances: the ADD_ADDR option should be mutually exclusive
+with DSS since the blamed commit.
+
+Still, mptcp_established_options_add_addr() tries to set the
+relevant info in mptcp_out_options, if the remaining space is
+large enough even when DSS is present.
+
+Since the ADD_ADDR infos and the DSS share the same union
+fields, adding first corrupts the latter. In the worst-case
+scenario, such corruption increases the DSS binary layout,
+exceeding the computed length and possibly overwriting the
+skb shared info.
+
+Address the issue by enforcing mutual exclusion in
+mptcp_established_options_add_addr(), too.
+
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+38a095a81f30d82884c1@syzkaller.appspotmail.com
+Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/538
+Fixes: 1bff1e43a30e ("mptcp: optimize out option generation")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/025d9df8cde3c9a557befc47e9bc08fbbe3476e5.1734771049.git.pabeni@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mptcp/options.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/mptcp/options.c b/net/mptcp/options.c
+index 31bec175886c..bdabc5e889b7 100644
+--- a/net/mptcp/options.c
++++ b/net/mptcp/options.c
+@@ -662,8 +662,15 @@ static bool mptcp_established_options_add_addr(struct sock *sk, struct sk_buff *
+ &echo, &drop_other_suboptions))
+ return false;
+
++ /*
++ * Later on, mptcp_write_options() will enforce mutually exclusion with
++ * DSS, bail out if such option is set and we can't drop it.
++ */
+ if (drop_other_suboptions)
+ remaining += opt_size;
++ else if (opts->suboptions & OPTION_MPTCP_DSS)
++ return false;
++
+ len = mptcp_add_addr_len(opts->addr.family, echo, !!opts->addr.port);
+ if (remaining < len)
+ return false;
+--
+2.39.5
+
--- /dev/null
+From c382368bc8bbbb5dd5d82d7c4b2359e29fe8636a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 28 May 2023 21:20:32 +0800
+Subject: ocfs2: correct return value of ocfs2_local_free_info()
+
+From: Joseph Qi <joseph.qi@linux.alibaba.com>
+
+[ Upstream commit d32840ad4a111c6abd651fbf6b5996e6123913da ]
+
+Now in ocfs2_local_free_info(), it returns 0 even if it actually fails.
+Though it doesn't cause any real problem since the only caller
+dquot_disable() ignores the return value, we'd better return correct as it
+is.
+
+Link: https://lkml.kernel.org/r/20230528132033.217664-1-joseph.qi@linux.alibaba.com
+Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Joseph Qi <jiangqi903@gmail.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Stable-dep-of: 5f3fd772d152 ("ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/quota_local.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c
+index 7a1c8da9e44b..fbab536741e2 100644
+--- a/fs/ocfs2/quota_local.c
++++ b/fs/ocfs2/quota_local.c
+@@ -815,7 +815,7 @@ static int ocfs2_local_free_info(struct super_block *sb, int type)
+ struct ocfs2_quota_chunk *chunk;
+ struct ocfs2_local_disk_chunk *dchunk;
+ int mark_clean = 1, len;
+- int status;
++ int status = 0;
+
+ iput(oinfo->dqi_gqinode);
+ ocfs2_simple_drop_lockres(OCFS2_SB(sb), &oinfo->dqi_gqlock);
+@@ -857,17 +857,14 @@ static int ocfs2_local_free_info(struct super_block *sb, int type)
+ oinfo->dqi_libh,
+ olq_update_info,
+ info);
+- if (status < 0) {
++ if (status < 0)
+ mlog_errno(status);
+- goto out;
+- }
+-
+ out:
+ ocfs2_inode_unlock(sb_dqopt(sb)->files[type], 1);
+ brelse(oinfo->dqi_libh);
+ brelse(oinfo->dqi_lqi_bh);
+ kfree(oinfo);
+- return 0;
++ return status;
+ }
+
+ static void olq_set_dquot(struct buffer_head *bh, void *private)
+--
+2.39.5
+
--- /dev/null
+From fe6b9548fbfed4161e0b9df6d5f687359ae9ea66 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Dec 2024 21:39:25 -0500
+Subject: ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv
+
+From: Dennis Lam <dennis.lamerice@gmail.com>
+
+[ Upstream commit 5f3fd772d152229d94602bca243fbb658068a597 ]
+
+When mounting ocfs2 and then remounting it as read-only, a
+slab-use-after-free occurs after the user uses a syscall to
+quota_getnextquota. Specifically, sb_dqinfo(sb, type)->dqi_priv is the
+dangling pointer.
+
+During the remounting process, the pointer dqi_priv is freed but is never
+set as null leaving it to be accessed. Additionally, the read-only option
+for remounting sets the DQUOT_SUSPENDED flag instead of setting the
+DQUOT_USAGE_ENABLED flags. Moreover, later in the process of getting the
+next quota, the function ocfs2_get_next_id is called and only checks the
+quota usage flags and not the quota suspended flags.
+
+To fix this, I set dqi_priv to null when it is freed after remounting with
+read-only and put a check for DQUOT_SUSPENDED in ocfs2_get_next_id.
+
+[akpm@linux-foundation.org: coding-style cleanups]
+Link: https://lkml.kernel.org/r/20241218023924.22821-2-dennis.lamerice@gmail.com
+Fixes: 8f9e8f5fcc05 ("ocfs2: Fix Q_GETNEXTQUOTA for filesystem without quotas")
+Signed-off-by: Dennis Lam <dennis.lamerice@gmail.com>
+Reported-by: syzbot+d173bf8a5a7faeede34c@syzkaller.appspotmail.com
+Tested-by: syzbot+d173bf8a5a7faeede34c@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/6731d26f.050a0220.1fb99c.014b.GAE@google.com/T/
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/quota_global.c | 2 +-
+ fs/ocfs2/quota_local.c | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ocfs2/quota_global.c b/fs/ocfs2/quota_global.c
+index effe92c7d693..cc464c9560e2 100644
+--- a/fs/ocfs2/quota_global.c
++++ b/fs/ocfs2/quota_global.c
+@@ -881,7 +881,7 @@ static int ocfs2_get_next_id(struct super_block *sb, struct kqid *qid)
+ int status = 0;
+
+ trace_ocfs2_get_next_id(from_kqid(&init_user_ns, *qid), type);
+- if (!sb_has_quota_loaded(sb, type)) {
++ if (!sb_has_quota_active(sb, type)) {
+ status = -ESRCH;
+ goto out;
+ }
+diff --git a/fs/ocfs2/quota_local.c b/fs/ocfs2/quota_local.c
+index fbab536741e2..77d5aa90338f 100644
+--- a/fs/ocfs2/quota_local.c
++++ b/fs/ocfs2/quota_local.c
+@@ -864,6 +864,7 @@ static int ocfs2_local_free_info(struct super_block *sb, int type)
+ brelse(oinfo->dqi_libh);
+ brelse(oinfo->dqi_lqi_bh);
+ kfree(oinfo);
++ info->dqi_priv = NULL;
+ return status;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 40ab4b838d4e93e5fd62de3674937037ee9b41a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Mar 2023 15:15:58 -0500
+Subject: of/address: Add support for 3 address cell bus
+
+From: Rob Herring <robh@kernel.org>
+
+[ Upstream commit 3d5089c4263d3594dc055e0f9c5cb990505cdd64 ]
+
+There's a few custom bus bindings (e.g. fsl,qoriq-mc) which use a
+3 cell format with custom flags in the high cell. We can match these
+buses as a fallback if we didn't match on PCI bus which is the only
+standard bus binding with 3 address cells.
+
+Link: https://lore.kernel.org/r/20230328-dt-address-helpers-v1-3-e2456c3e77ab@kernel.org
+Signed-off-by: Rob Herring <robh@kernel.org>
+Stable-dep-of: 7f05e20b989a ("of: address: Preserve the flags portion on 1:1 dma-ranges mapping")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/address.c | 22 ++++++++
+ drivers/of/unittest-data/tests-address.dtsi | 9 +++-
+ drivers/of/unittest.c | 58 ++++++++++++++++++++-
+ 3 files changed, 87 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/of/address.c b/drivers/of/address.c
+index 60ead6105471..a95b57cea0d0 100644
+--- a/drivers/of/address.c
++++ b/drivers/of/address.c
+@@ -95,11 +95,17 @@ static int of_bus_default_translate(__be32 *addr, u64 offset, int na)
+ return 0;
+ }
+
++static unsigned int of_bus_default_flags_get_flags(const __be32 *addr)
++{
++ return of_read_number(addr, 1);
++}
++
+ static unsigned int of_bus_default_get_flags(const __be32 *addr)
+ {
+ return IORESOURCE_MEM;
+ }
+
++
+ #ifdef CONFIG_PCI
+ static unsigned int of_bus_pci_get_flags(const __be32 *addr)
+ {
+@@ -319,6 +325,11 @@ static unsigned int of_bus_isa_get_flags(const __be32 *addr)
+ return flags;
+ }
+
++static int of_bus_default_flags_match(struct device_node *np)
++{
++ return of_bus_n_addr_cells(np) == 3;
++}
++
+ /*
+ * Array of bus specific translators
+ */
+@@ -348,6 +359,17 @@ static struct of_bus of_busses[] = {
+ .has_flags = true,
+ .get_flags = of_bus_isa_get_flags,
+ },
++ /* Default with flags cell */
++ {
++ .name = "default-flags",
++ .addresses = "reg",
++ .match = of_bus_default_flags_match,
++ .count_cells = of_bus_default_count_cells,
++ .map = of_bus_default_map,
++ .translate = of_bus_default_translate,
++ .has_flags = true,
++ .get_flags = of_bus_default_flags_get_flags,
++ },
+ /* Default */
+ {
+ .name = "default",
+diff --git a/drivers/of/unittest-data/tests-address.dtsi b/drivers/of/unittest-data/tests-address.dtsi
+index 6604a52bf6cb..bc0029cbf8ea 100644
+--- a/drivers/of/unittest-data/tests-address.dtsi
++++ b/drivers/of/unittest-data/tests-address.dtsi
+@@ -14,7 +14,7 @@
+ #size-cells = <1>;
+ /* ranges here is to make sure we don't use it for
+ * dma-ranges translation */
+- ranges = <0x70000000 0x70000000 0x40000000>,
++ ranges = <0x70000000 0x70000000 0x50000000>,
+ <0x00000000 0xd0000000 0x20000000>;
+ dma-ranges = <0x0 0x20000000 0x40000000>;
+
+@@ -43,6 +43,13 @@
+ <0x42000000 0x0 0xc0000000 0x20000000 0x0 0x10000000>;
+ };
+
++ bus@a0000000 {
++ #address-cells = <3>;
++ #size-cells = <2>;
++ ranges = <0xf00baa 0x0 0x0 0xa0000000 0x0 0x100000>,
++ <0xf00bee 0x1 0x0 0xb0000000 0x0 0x200000>;
++ };
++
+ };
+ };
+ };
+diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c
+index a020296fbf41..d6a250cd7a40 100644
+--- a/drivers/of/unittest.c
++++ b/drivers/of/unittest.c
+@@ -1045,7 +1045,7 @@ static void __init of_unittest_bus_ranges(void)
+ "for_each_of_range wrong flags on node %pOF flags=%x (expected %x)\n",
+ np, range.flags, IORESOURCE_MEM);
+ if (!i) {
+- unittest(range.size == 0x40000000,
++ unittest(range.size == 0x50000000,
+ "for_each_of_range wrong size on node %pOF size=%llx\n",
+ np, range.size);
+ unittest(range.cpu_addr == 0x70000000,
+@@ -1071,6 +1071,61 @@ static void __init of_unittest_bus_ranges(void)
+ of_node_put(np);
+ }
+
++static void __init of_unittest_bus_3cell_ranges(void)
++{
++ struct device_node *np;
++ struct of_range range;
++ struct of_range_parser parser;
++ int i = 0;
++
++ np = of_find_node_by_path("/testcase-data/address-tests/bus@a0000000");
++ if (!np) {
++ pr_err("missing testcase data\n");
++ return;
++ }
++
++ if (of_range_parser_init(&parser, np)) {
++ pr_err("missing ranges property\n");
++ return;
++ }
++
++ /*
++ * Get the "ranges" from the device tree
++ */
++ for_each_of_range(&parser, &range) {
++ if (!i) {
++ unittest(range.flags == 0xf00baa,
++ "for_each_of_range wrong flags on node %pOF flags=%x\n",
++ np, range.flags);
++ unittest(range.size == 0x100000,
++ "for_each_of_range wrong size on node %pOF size=%llx\n",
++ np, range.size);
++ unittest(range.cpu_addr == 0xa0000000,
++ "for_each_of_range wrong CPU addr (%llx) on node %pOF",
++ range.cpu_addr, np);
++ unittest(range.bus_addr == 0x0,
++ "for_each_of_range wrong bus addr (%llx) on node %pOF",
++ range.pci_addr, np);
++ } else {
++ unittest(range.flags == 0xf00bee,
++ "for_each_of_range wrong flags on node %pOF flags=%x\n",
++ np, range.flags);
++ unittest(range.size == 0x200000,
++ "for_each_of_range wrong size on node %pOF size=%llx\n",
++ np, range.size);
++ unittest(range.cpu_addr == 0xb0000000,
++ "for_each_of_range wrong CPU addr (%llx) on node %pOF",
++ range.cpu_addr, np);
++ unittest(range.bus_addr == 0x100000000,
++ "for_each_of_range wrong bus addr (%llx) on node %pOF",
++ range.pci_addr, np);
++ }
++ i++;
++ }
++
++ of_node_put(np);
++}
++
+ static void __init of_unittest_parse_interrupts(void)
+ {
+ struct device_node *np;
+@@ -3377,6 +3432,7 @@ static int __init of_unittest(void)
+ of_unittest_parse_dma_ranges();
+ of_unittest_pci_dma_ranges();
+ of_unittest_bus_ranges();
++ of_unittest_bus_3cell_ranges();
+ of_unittest_match_node();
+ of_unittest_platform_populate();
+ of_unittest_overlay();
+--
+2.39.5
+
--- /dev/null
+From d9070f72131337adb254c80e5698be0e9a46b2bb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Oct 2023 13:02:16 +0200
+Subject: of: address: Fix address translation when address-size is greater
+ than 2
+
+From: Herve Codina <herve.codina@bootlin.com>
+
+[ Upstream commit 42604f8eb7ba04b589375049cc76282dad4677d2 ]
+
+With the recent addition of of_pci_prop_ranges() in commit 407d1a51921e
+("PCI: Create device tree node for bridge"), the ranges property can
+have a 3 cells child address, a 3 cells parent address and a 2 cells
+child size.
+
+A range item property for a PCI device is filled as follow:
+ <BAR_nbr> 0 0 <phys.hi> <phys.mid> <phys.low> <BAR_sizeh> <BAR_sizel>
+ <-- Child --> <-- Parent (PCI definition) --> <- BAR size (64bit) -->
+
+This allow to translate BAR addresses from the DT. For instance:
+pci@0,0 {
+ #address-cells = <0x03>;
+ #size-cells = <0x02>;
+ device_type = "pci";
+ compatible = "pci11ab,100", "pciclass,060400", "pciclass,0604";
+ ranges = <0x82000000 0x00 0xe8000000
+ 0x82000000 0x00 0xe8000000
+ 0x00 0x4400000>;
+ ...
+ dev@0,0 {
+ #address-cells = <0x03>;
+ #size-cells = <0x02>;
+ compatible = "pci1055,9660", "pciclass,020000", "pciclass,0200";
+ /* Translations for BAR0 to BAR5 */
+ ranges = <0x00 0x00 0x00 0x82010000 0x00 0xe8000000 0x00 0x2000000
+ 0x01 0x00 0x00 0x82010000 0x00 0xea000000 0x00 0x1000000
+ 0x02 0x00 0x00 0x82010000 0x00 0xeb000000 0x00 0x800000
+ 0x03 0x00 0x00 0x82010000 0x00 0xeb800000 0x00 0x800000
+ 0x04 0x00 0x00 0x82010000 0x00 0xec000000 0x00 0x20000
+ 0x05 0x00 0x00 0x82010000 0x00 0xec020000 0x00 0x2000>;
+ ...
+ pci-ep-bus@0 {
+ #address-cells = <0x01>;
+ #size-cells = <0x01>;
+ compatible = "simple-bus";
+ /* Translate 0xe2000000 to BAR0 and 0xe0000000 to BAR1 */
+ ranges = <0xe2000000 0x00 0x00 0x00 0x2000000
+ 0xe0000000 0x01 0x00 0x00 0x1000000>;
+ ...
+ };
+ };
+};
+
+During the translation process, the "default-flags" map() function is
+used to select the matching item in the ranges table and determine the
+address offset from this matching item.
+This map() function simply calls of_read_number() and when address-size
+is greater than 2, the map() function skips the extra high address part
+(ie part over 64bit). This lead to a wrong matching item and a wrong
+offset computation.
+Also during the translation itself, the extra high part related to the
+parent address is not present in the translated address.
+
+Fix the "default-flags" map() and translate() in order to take into
+account the child extra high address part in map() and the parent extra
+high address part in translate() and so having a correct address
+translation for ranges patterns such as the one given in the example
+above.
+
+Signed-off-by: Herve Codina <herve.codina@bootlin.com>
+Link: https://lore.kernel.org/r/20231017110221.189299-2-herve.codina@bootlin.com
+Signed-off-by: Rob Herring <robh@kernel.org>
+Stable-dep-of: 7f05e20b989a ("of: address: Preserve the flags portion on 1:1 dma-ranges mapping")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/address.c | 30 ++++++++++++++++++++++++++++--
+ 1 file changed, 28 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/of/address.c b/drivers/of/address.c
+index a95b57cea0d0..7e74fe909282 100644
+--- a/drivers/of/address.c
++++ b/drivers/of/address.c
+@@ -105,6 +105,32 @@ static unsigned int of_bus_default_get_flags(const __be32 *addr)
+ return IORESOURCE_MEM;
+ }
+
++static u64 of_bus_default_flags_map(__be32 *addr, const __be32 *range, int na,
++ int ns, int pna)
++{
++ u64 cp, s, da;
++
++ /* Check that flags match */
++ if (*addr != *range)
++ return OF_BAD_ADDR;
++
++ /* Read address values, skipping high cell */
++ cp = of_read_number(range + 1, na - 1);
++ s = of_read_number(range + na + pna, ns);
++ da = of_read_number(addr + 1, na - 1);
++
++ pr_debug("default flags map, cp=%llx, s=%llx, da=%llx\n", cp, s, da);
++
++ if (da < cp || da >= (cp + s))
++ return OF_BAD_ADDR;
++ return da - cp;
++}
++
++static int of_bus_default_flags_translate(__be32 *addr, u64 offset, int na)
++{
++ /* Keep "flags" part (high cell) in translated address */
++ return of_bus_default_translate(addr + 1, offset, na - 1);
++}
+
+ #ifdef CONFIG_PCI
+ static unsigned int of_bus_pci_get_flags(const __be32 *addr)
+@@ -365,8 +391,8 @@ static struct of_bus of_busses[] = {
+ .addresses = "reg",
+ .match = of_bus_default_flags_match,
+ .count_cells = of_bus_default_count_cells,
+- .map = of_bus_default_map,
+- .translate = of_bus_default_translate,
++ .map = of_bus_default_flags_map,
++ .translate = of_bus_default_flags_translate,
+ .has_flags = true,
+ .get_flags = of_bus_default_flags_get_flags,
+ },
+--
+2.39.5
+
--- /dev/null
+From 284be989f582676bd6dd78cd331fb7987155dc64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 24 Nov 2024 11:05:37 +0100
+Subject: of: address: Preserve the flags portion on 1:1 dma-ranges mapping
+
+From: Andrea della Porta <andrea.porta@suse.com>
+
+[ Upstream commit 7f05e20b989ac33c9c0f8c2028ec0a566493548f ]
+
+A missing or empty dma-ranges in a DT node implies a 1:1 mapping for dma
+translations. In this specific case, the current behaviour is to zero out
+the entire specifier so that the translation could be carried on as an
+offset from zero. This includes address specifier that has flags (e.g.
+PCI ranges).
+
+Once the flags portion has been zeroed, the translation chain is broken
+since the mapping functions will check the upcoming address specifier
+against mismatching flags, always failing the 1:1 mapping and its entire
+purpose of always succeeding.
+
+Set to zero only the address portion while passing the flags through.
+
+Fixes: dbbdee94734b ("of/address: Merge all of the bus translation code")
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrea della Porta <andrea.porta@suse.com>
+Tested-by: Herve Codina <herve.codina@bootlin.com>
+Link: https://lore.kernel.org/r/e51ae57874e58a9b349c35e2e877425ebc075d7a.1732441813.git.andrea.porta@suse.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/address.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/of/address.c b/drivers/of/address.c
+index 123a75a19bc1..9454725af850 100644
+--- a/drivers/of/address.c
++++ b/drivers/of/address.c
+@@ -466,7 +466,8 @@ static int of_translate_one(struct device_node *parent, struct of_bus *bus,
+ }
+ if (ranges == NULL || rlen == 0) {
+ offset = of_read_number(addr, na);
+- memset(addr, 0, pna * 4);
++ /* set address to zero, pass flags through */
++ memset(addr + pbus->flag_cells, 0, (pna - pbus->flag_cells) * 4);
+ pr_debug("empty ranges; 1:1 translation\n");
+ goto finish;
+ }
+--
+2.39.5
+
--- /dev/null
+From 698cf7ff12b43926f07fecca9e41c26bd707dbd8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 17 Oct 2023 13:02:17 +0200
+Subject: of: address: Remove duplicated functions
+
+From: Herve Codina <herve.codina@bootlin.com>
+
+[ Upstream commit 3eb030c60835668997d5763b1a0c7938faf169f6 ]
+
+The recently added of_bus_default_flags_translate() performs the exact
+same operation as of_bus_pci_translate() and of_bus_isa_translate().
+
+Avoid duplicated code replacing both of_bus_pci_translate() and
+of_bus_isa_translate() with of_bus_default_flags_translate().
+
+Signed-off-by: Herve Codina <herve.codina@bootlin.com>
+Link: https://lore.kernel.org/r/20231017110221.189299-3-herve.codina@bootlin.com
+Signed-off-by: Rob Herring <robh@kernel.org>
+Stable-dep-of: 7f05e20b989a ("of: address: Preserve the flags portion on 1:1 dma-ranges mapping")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/address.c | 13 ++-----------
+ 1 file changed, 2 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/of/address.c b/drivers/of/address.c
+index 7e74fe909282..b8e015af59df 100644
+--- a/drivers/of/address.c
++++ b/drivers/of/address.c
+@@ -221,10 +221,6 @@ static u64 of_bus_pci_map(__be32 *addr, const __be32 *range, int na, int ns,
+ return da - cp;
+ }
+
+-static int of_bus_pci_translate(__be32 *addr, u64 offset, int na)
+-{
+- return of_bus_default_translate(addr + 1, offset, na - 1);
+-}
+ #endif /* CONFIG_PCI */
+
+ int of_pci_address_to_resource(struct device_node *dev, int bar,
+@@ -334,11 +330,6 @@ static u64 of_bus_isa_map(__be32 *addr, const __be32 *range, int na, int ns,
+ return da - cp;
+ }
+
+-static int of_bus_isa_translate(__be32 *addr, u64 offset, int na)
+-{
+- return of_bus_default_translate(addr + 1, offset, na - 1);
+-}
+-
+ static unsigned int of_bus_isa_get_flags(const __be32 *addr)
+ {
+ unsigned int flags = 0;
+@@ -369,7 +360,7 @@ static struct of_bus of_busses[] = {
+ .match = of_bus_pci_match,
+ .count_cells = of_bus_pci_count_cells,
+ .map = of_bus_pci_map,
+- .translate = of_bus_pci_translate,
++ .translate = of_bus_default_flags_translate,
+ .has_flags = true,
+ .get_flags = of_bus_pci_get_flags,
+ },
+@@ -381,7 +372,7 @@ static struct of_bus of_busses[] = {
+ .match = of_bus_isa_match,
+ .count_cells = of_bus_isa_count_cells,
+ .map = of_bus_isa_map,
+- .translate = of_bus_isa_translate,
++ .translate = of_bus_default_flags_translate,
+ .has_flags = true,
+ .get_flags = of_bus_isa_get_flags,
+ },
+--
+2.39.5
+
--- /dev/null
+From 9e5343ac53c008e2f4382c42681c80cd408d8647 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Oct 2023 08:53:58 -0500
+Subject: of: address: Store number of bus flag cells rather than bool
+
+From: Rob Herring <robh@kernel.org>
+
+[ Upstream commit 88696db08b7efa3b6bb722014ea7429e78f6be32 ]
+
+It is more useful to know how many flags cells a bus has rather than
+whether a bus has flags or not as ultimately the number of cells is the
+information used. Replace 'has_flags' boolean with 'flag_cells' count.
+
+Acked-by: Herve Codina <herve.codina@bootlin.com>
+Link: https://lore.kernel.org/r/20231026135358.3564307-2-robh@kernel.org
+Signed-off-by: Rob Herring <robh@kernel.org>
+Stable-dep-of: 7f05e20b989a ("of: address: Preserve the flags portion on 1:1 dma-ranges mapping")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/address.c | 14 +++++---------
+ 1 file changed, 5 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/of/address.c b/drivers/of/address.c
+index b8e015af59df..123a75a19bc1 100644
+--- a/drivers/of/address.c
++++ b/drivers/of/address.c
+@@ -50,7 +50,7 @@ struct of_bus {
+ u64 (*map)(__be32 *addr, const __be32 *range,
+ int na, int ns, int pna);
+ int (*translate)(__be32 *addr, u64 offset, int na);
+- bool has_flags;
++ int flag_cells;
+ unsigned int (*get_flags)(const __be32 *addr);
+ };
+
+@@ -361,7 +361,7 @@ static struct of_bus of_busses[] = {
+ .count_cells = of_bus_pci_count_cells,
+ .map = of_bus_pci_map,
+ .translate = of_bus_default_flags_translate,
+- .has_flags = true,
++ .flag_cells = 1,
+ .get_flags = of_bus_pci_get_flags,
+ },
+ #endif /* CONFIG_PCI */
+@@ -373,7 +373,7 @@ static struct of_bus of_busses[] = {
+ .count_cells = of_bus_isa_count_cells,
+ .map = of_bus_isa_map,
+ .translate = of_bus_default_flags_translate,
+- .has_flags = true,
++ .flag_cells = 1,
+ .get_flags = of_bus_isa_get_flags,
+ },
+ /* Default with flags cell */
+@@ -384,7 +384,7 @@ static struct of_bus of_busses[] = {
+ .count_cells = of_bus_default_count_cells,
+ .map = of_bus_default_flags_map,
+ .translate = of_bus_default_flags_translate,
+- .has_flags = true,
++ .flag_cells = 1,
+ .get_flags = of_bus_default_flags_get_flags,
+ },
+ /* Default */
+@@ -751,7 +751,7 @@ struct of_pci_range *of_pci_range_parser_one(struct of_pci_range_parser *parser,
+ int na = parser->na;
+ int ns = parser->ns;
+ int np = parser->pna + na + ns;
+- int busflag_na = 0;
++ int busflag_na = parser->bus->flag_cells;
+
+ if (!range)
+ return NULL;
+@@ -761,10 +761,6 @@ struct of_pci_range *of_pci_range_parser_one(struct of_pci_range_parser *parser,
+
+ range->flags = parser->bus->get_flags(parser->range);
+
+- /* A extra cell for resource flags */
+- if (parser->bus->has_flags)
+- busflag_na = 1;
+-
+ range->bus_addr = of_read_number(parser->range + busflag_na, na - busflag_na);
+
+ if (parser->dma)
+--
+2.39.5
+
--- /dev/null
+From b5bf318fe531be7834dc2a060dfd2d6762a9e6c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Mar 2023 15:15:56 -0500
+Subject: of: unittest: Add bus address range parsing tests
+
+From: Rob Herring <robh@kernel.org>
+
+[ Upstream commit 6d32dadb11a6480be62c6ada901bbdcbda1775c9 ]
+
+While there are tests for "dma-ranges" helpers, "ranges" is missing any
+tests. It's the same underlying code, but for completeness add a test
+for "ranges" parsing iterators. This is in preparation to add some
+additional "ranges" helpers.
+
+Link: https://lore.kernel.org/r/20230328-dt-address-helpers-v1-1-e2456c3e77ab@kernel.org
+Signed-off-by: Rob Herring <robh@kernel.org>
+Stable-dep-of: 7f05e20b989a ("of: address: Preserve the flags portion on 1:1 dma-ranges mapping")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/of/unittest.c | 53 +++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 53 insertions(+)
+
+diff --git a/drivers/of/unittest.c b/drivers/of/unittest.c
+index 5a8d37cef0ba..a020296fbf41 100644
+--- a/drivers/of/unittest.c
++++ b/drivers/of/unittest.c
+@@ -1019,6 +1019,58 @@ static void __init of_unittest_pci_dma_ranges(void)
+ of_node_put(np);
+ }
+
++static void __init of_unittest_bus_ranges(void)
++{
++ struct device_node *np;
++ struct of_range range;
++ struct of_range_parser parser;
++ int i = 0;
++
++ np = of_find_node_by_path("/testcase-data/address-tests");
++ if (!np) {
++ pr_err("missing testcase data\n");
++ return;
++ }
++
++ if (of_range_parser_init(&parser, np)) {
++ pr_err("missing ranges property\n");
++ return;
++ }
++
++ /*
++ * Get the "ranges" from the device tree
++ */
++ for_each_of_range(&parser, &range) {
++ unittest(range.flags == IORESOURCE_MEM,
++ "for_each_of_range wrong flags on node %pOF flags=%x (expected %x)\n",
++ np, range.flags, IORESOURCE_MEM);
++ if (!i) {
++ unittest(range.size == 0x40000000,
++ "for_each_of_range wrong size on node %pOF size=%llx\n",
++ np, range.size);
++ unittest(range.cpu_addr == 0x70000000,
++ "for_each_of_range wrong CPU addr (%llx) on node %pOF",
++ range.cpu_addr, np);
++ unittest(range.bus_addr == 0x70000000,
++ "for_each_of_range wrong bus addr (%llx) on node %pOF",
++ range.pci_addr, np);
++ } else {
++ unittest(range.size == 0x20000000,
++ "for_each_of_range wrong size on node %pOF size=%llx\n",
++ np, range.size);
++ unittest(range.cpu_addr == 0xd0000000,
++ "for_each_of_range wrong CPU addr (%llx) on node %pOF",
++ range.cpu_addr, np);
++ unittest(range.bus_addr == 0x00000000,
++ "for_each_of_range wrong bus addr (%llx) on node %pOF",
++ range.pci_addr, np);
++ }
++ i++;
++ }
++
++ of_node_put(np);
++}
++
+ static void __init of_unittest_parse_interrupts(void)
+ {
+ struct device_node *np;
+@@ -3324,6 +3376,7 @@ static int __init of_unittest(void)
+ of_unittest_dma_get_max_cpu_address();
+ of_unittest_parse_dma_ranges();
+ of_unittest_pci_dma_ranges();
++ of_unittest_bus_ranges();
+ of_unittest_match_node();
+ of_unittest_platform_populate();
+ of_unittest_overlay();
+--
+2.39.5
+
--- /dev/null
+From 37011de452b21b71efb13ef16eed774a49c3a99f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Feb 2022 19:24:21 -0800
+Subject: phy: usb: Add "wake on" functionality for newer Synopsis XHCI
+ controllers
+
+From: Al Cooper <alcooperx@gmail.com>
+
+[ Upstream commit ae532b2b7aa5a3dad036aef4e0b177607172d276 ]
+
+Add "wake on" support for the newer Synopsis based XHCI only controller.
+This works on the 72165 and 72164 and newer chips and does not work
+on 7216 based systems. Also switch the USB sysclk to a slower clock
+on suspend to save additional power in S2. The clock switch will only
+save power on the 72165b0 and newer chips and is a nop on older chips.
+
+Signed-off-by: Al Cooper <alcooperx@gmail.com>
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Link: https://lore.kernel.org/r/20220215032422.5179-1-f.fainelli@gmail.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Stable-dep-of: 0a92ea87bdd6 ("phy: usb: Toggle the PHY power during init")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../phy/broadcom/phy-brcm-usb-init-synopsys.c | 46 +++++++++++++++----
+ 1 file changed, 38 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c b/drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c
+index e63457e145c7..d2524b70ea16 100644
+--- a/drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c
++++ b/drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c
+@@ -47,6 +47,8 @@
+ #define USB_CTRL_USB_PM_SOFT_RESET_MASK 0x40000000
+ #define USB_CTRL_USB_PM_BDC_SOFT_RESETB_MASK 0x00800000
+ #define USB_CTRL_USB_PM_XHC_SOFT_RESETB_MASK 0x00400000
++#define USB_CTRL_USB_PM_XHC_PME_EN_MASK 0x00000010
++#define USB_CTRL_USB_PM_XHC_S2_CLK_SWITCH_EN_MASK 0x00000008
+ #define USB_CTRL_USB_PM_STATUS 0x08
+ #define USB_CTRL_USB_DEVICE_CTL1 0x10
+ #define USB_CTRL_USB_DEVICE_CTL1_PORT_MODE_MASK 0x00000003
+@@ -190,10 +192,6 @@ static void usb_init_common(struct brcm_usb_init_params *params)
+
+ pr_debug("%s\n", __func__);
+
+- USB_CTRL_UNSET(ctrl, USB_PM, USB_PWRDN);
+- /* 1 millisecond - for USB clocks to settle down */
+- usleep_range(1000, 2000);
+-
+ if (USB_CTRL_MASK(USB_DEVICE_CTL1, PORT_MODE)) {
+ reg = brcm_usb_readl(USB_CTRL_REG(ctrl, USB_DEVICE_CTL1));
+ reg &= ~USB_CTRL_MASK(USB_DEVICE_CTL1, PORT_MODE);
+@@ -222,6 +220,17 @@ static void usb_wake_enable_7211b0(struct brcm_usb_init_params *params,
+ USB_CTRL_UNSET(ctrl, CTLR_CSHCR, ctl_pme_en);
+ }
+
++static void usb_wake_enable_7216(struct brcm_usb_init_params *params,
++ bool enable)
++{
++ void __iomem *ctrl = params->regs[BRCM_REGS_CTRL];
++
++ if (enable)
++ USB_CTRL_SET(ctrl, USB_PM, XHC_PME_EN);
++ else
++ USB_CTRL_UNSET(ctrl, USB_PM, XHC_PME_EN);
++}
++
+ static void usb_init_common_7211b0(struct brcm_usb_init_params *params)
+ {
+ void __iomem *ctrl = params->regs[BRCM_REGS_CTRL];
+@@ -295,6 +304,20 @@ static void usb_init_common_7211b0(struct brcm_usb_init_params *params)
+ usb2_eye_fix_7211b0(params);
+ }
+
++static void usb_init_common_7216(struct brcm_usb_init_params *params)
++{
++ void __iomem *ctrl = params->regs[BRCM_REGS_CTRL];
++
++ USB_CTRL_UNSET(ctrl, USB_PM, XHC_S2_CLK_SWITCH_EN);
++ USB_CTRL_UNSET(ctrl, USB_PM, USB_PWRDN);
++
++ /* 1 millisecond - for USB clocks to settle down */
++ usleep_range(1000, 2000);
++
++ usb_wake_enable_7216(params, false);
++ usb_init_common(params);
++}
++
+ static void usb_init_xhci(struct brcm_usb_init_params *params)
+ {
+ pr_debug("%s\n", __func__);
+@@ -302,14 +325,20 @@ static void usb_init_xhci(struct brcm_usb_init_params *params)
+ xhci_soft_reset(params, 0);
+ }
+
+-static void usb_uninit_common(struct brcm_usb_init_params *params)
++static void usb_uninit_common_7216(struct brcm_usb_init_params *params)
+ {
+ void __iomem *ctrl = params->regs[BRCM_REGS_CTRL];
+
+ pr_debug("%s\n", __func__);
+
+- USB_CTRL_SET(ctrl, USB_PM, USB_PWRDN);
++ if (!params->wake_enabled) {
++ USB_CTRL_SET(ctrl, USB_PM, USB_PWRDN);
+
++ /* Switch to using slower clock during suspend to save power */
++ USB_CTRL_SET(ctrl, USB_PM, XHC_S2_CLK_SWITCH_EN);
++ } else {
++ usb_wake_enable_7216(params, true);
++ }
+ }
+
+ static void usb_uninit_common_7211b0(struct brcm_usb_init_params *params)
+@@ -371,9 +400,9 @@ static void usb_set_dual_select(struct brcm_usb_init_params *params, int mode)
+
+ static const struct brcm_usb_init_ops bcm7216_ops = {
+ .init_ipp = usb_init_ipp,
+- .init_common = usb_init_common,
++ .init_common = usb_init_common_7216,
+ .init_xhci = usb_init_xhci,
+- .uninit_common = usb_uninit_common,
++ .uninit_common = usb_uninit_common_7216,
+ .uninit_xhci = usb_uninit_xhci,
+ .get_dual_select = usb_get_dual_select,
+ .set_dual_select = usb_set_dual_select,
+@@ -396,6 +425,7 @@ void brcm_usb_dvr_init_7216(struct brcm_usb_init_params *params)
+
+ params->family_name = "7216";
+ params->ops = &bcm7216_ops;
++ params->suspend_with_clocks = true;
+ }
+
+ void brcm_usb_dvr_init_7211b0(struct brcm_usb_init_params *params)
+--
+2.39.5
+
--- /dev/null
+From 58defff010052f422428a0c8659bf376351f029c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Oct 2024 14:35:40 -0700
+Subject: phy: usb: Toggle the PHY power during init
+
+From: Justin Chen <justin.chen@broadcom.com>
+
+[ Upstream commit 0a92ea87bdd6f77ca4e17fe19649882cf5209edd ]
+
+When bringing up the PHY, it might be in a bad state if left powered.
+One case is we lose the PLL lock if the PLL is gated while the PHY
+is powered. Toggle the PHY power so we can start from a known state.
+
+Fixes: 4e5b9c9a73b3 ("phy: usb: Add support for new Synopsys USB controller on the 7216")
+Signed-off-by: Justin Chen <justin.chen@broadcom.com>
+Acked-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://lore.kernel.org/r/20241024213540.1059412-1-justin.chen@broadcom.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c b/drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c
+index d2524b70ea16..fa54da35719f 100644
+--- a/drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c
++++ b/drivers/phy/broadcom/phy-brcm-usb-init-synopsys.c
+@@ -309,6 +309,12 @@ static void usb_init_common_7216(struct brcm_usb_init_params *params)
+ void __iomem *ctrl = params->regs[BRCM_REGS_CTRL];
+
+ USB_CTRL_UNSET(ctrl, USB_PM, XHC_S2_CLK_SWITCH_EN);
++
++ /*
++ * The PHY might be in a bad state if it is already powered
++ * up. Toggle the power just in case.
++ */
++ USB_CTRL_SET(ctrl, USB_PM, USB_PWRDN);
+ USB_CTRL_UNSET(ctrl, USB_PM, USB_PWRDN);
+
+ /* 1 millisecond - for USB clocks to settle down */
+--
+2.39.5
+
iio-adc-at91-call-input_free_device-on-allocated-iio_dev.patch
iio-inkern-call-iio_device_put-only-on-mapped-devices.patch
iio-adc-ad7124-disable-all-channels-at-probe-time.patch
+block-bfq-fix-waker_bfqq-uaf-after-bfq_split_bfqq.patch
+arm64-dts-rockchip-add-hevc-power-domain-clock-to-rk.patch
+of-unittest-add-bus-address-range-parsing-tests.patch
+of-address-add-support-for-3-address-cell-bus.patch
+of-address-fix-address-translation-when-address-size.patch
+of-address-remove-duplicated-functions.patch
+of-address-store-number-of-bus-flag-cells-rather-tha.patch
+of-address-preserve-the-flags-portion-on-1-1-dma-ran.patch
+phy-usb-add-wake-on-functionality-for-newer-synopsis.patch
+phy-usb-toggle-the-phy-power-during-init.patch
+ocfs2-correct-return-value-of-ocfs2_local_free_info.patch
+ocfs2-fix-slab-use-after-free-due-to-dangling-pointe.patch
+mptcp-drop-port-parameter-of-mptcp_pm_add_addr_signa.patch
+mptcp-fix-tcp-options-overflow.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
