--- /dev/null
+From 829451beaed6165eb11d7a9fb4e28eb17f489980 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Tue, 3 Jun 2025 18:53:17 +0200
+Subject: dm-mirror: fix a tiny race condition
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 829451beaed6165eb11d7a9fb4e28eb17f489980 upstream.
+
+There's a tiny race condition in dm-mirror. The functions queue_bio and
+write_callback grab a spinlock, add a bio to the list, drop the spinlock
+and wake up the mirrord thread that processes bios in the list.
+
+It may be possible that the mirrord thread processes the bio just after
+spin_unlock_irqrestore is called, before wakeup_mirrord. This spurious
+wake-up is normally harmless, however if the device mapper device is
+unloaded just after the bio was processed, it may be possible that
+wakeup_mirrord(ms) uses invalid "ms" pointer.
+
+Fix this bug by moving wakeup_mirrord inside the spinlock.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-raid1.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/md/dm-raid1.c
++++ b/drivers/md/dm-raid1.c
+@@ -128,10 +128,9 @@ static void queue_bio(struct mirror_set
+ spin_lock_irqsave(&ms->lock, flags);
+ should_wake = !(bl->head);
+ bio_list_add(bl, bio);
+- spin_unlock_irqrestore(&ms->lock, flags);
+-
+ if (should_wake)
+ wakeup_mirrord(ms);
++ spin_unlock_irqrestore(&ms->lock, flags);
+ }
+
+ static void dispatch_bios(void *context, struct bio_list *bio_list)
+@@ -638,9 +637,9 @@ static void write_callback(unsigned long
+ if (!ms->failures.head)
+ should_wake = 1;
+ bio_list_add(&ms->failures, bio);
+- spin_unlock_irqrestore(&ms->lock, flags);
+ if (should_wake)
+ wakeup_mirrord(ms);
++ spin_unlock_irqrestore(&ms->lock, flags);
+ }
+
+ static void do_write(struct mirror_set *ms, struct bio *bio)
--- /dev/null
+From f914b52c379c12288b7623bb814d0508dbe7481d Mon Sep 17 00:00:00 2001
+From: Ye Bin <yebin10@huawei.com>
+Date: Thu, 29 May 2025 19:19:54 +0800
+Subject: ftrace: Fix UAF when lookup kallsym after ftrace disabled
+
+From: Ye Bin <yebin10@huawei.com>
+
+commit f914b52c379c12288b7623bb814d0508dbe7481d upstream.
+
+The following issue happens with a buggy module:
+
+BUG: unable to handle page fault for address: ffffffffc05d0218
+PGD 1bd66f067 P4D 1bd66f067 PUD 1bd671067 PMD 101808067 PTE 0
+Oops: Oops: 0000 [#1] SMP KASAN PTI
+Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+RIP: 0010:sized_strscpy+0x81/0x2f0
+RSP: 0018:ffff88812d76fa08 EFLAGS: 00010246
+RAX: 0000000000000000 RBX: ffffffffc0601010 RCX: dffffc0000000000
+RDX: 0000000000000038 RSI: dffffc0000000000 RDI: ffff88812608da2d
+RBP: 8080808080808080 R08: ffff88812608da2d R09: ffff88812608da68
+R10: ffff88812608d82d R11: ffff88812608d810 R12: 0000000000000038
+R13: ffff88812608da2d R14: ffffffffc05d0218 R15: fefefefefefefeff
+FS: 00007fef552de740(0000) GS:ffff8884251c7000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffffffffc05d0218 CR3: 00000001146f0000 CR4: 00000000000006f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ ftrace_mod_get_kallsym+0x1ac/0x590
+ update_iter_mod+0x239/0x5b0
+ s_next+0x5b/0xa0
+ seq_read_iter+0x8c9/0x1070
+ seq_read+0x249/0x3b0
+ proc_reg_read+0x1b0/0x280
+ vfs_read+0x17f/0x920
+ ksys_read+0xf3/0x1c0
+ do_syscall_64+0x5f/0x2e0
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+The above issue may happen as follows:
+(1) Add kprobe tracepoint;
+(2) insmod test.ko;
+(3) Module triggers ftrace disabled;
+(4) rmmod test.ko;
+(5) cat /proc/kallsyms; --> Will trigger UAF as test.ko already removed;
+ftrace_mod_get_kallsym()
+...
+strscpy(module_name, mod_map->mod->name, MODULE_NAME_LEN);
+...
+
+The problem is when a module triggers an issue with ftrace and
+sets ftrace_disable. The ftrace_disable is set when an anomaly is
+discovered and to prevent any more damage, ftrace stops all text
+modification. The issue that happened was that the ftrace_disable stops
+more than just the text modification.
+
+When a module is loaded, its init functions can also be traced. Because
+kallsyms deletes the init functions after a module has loaded, ftrace
+saves them when the module is loaded and function tracing is enabled. This
+allows the output of the function trace to show the init function names
+instead of just their raw memory addresses.
+
+When a module is removed, ftrace_release_mod() is called, and if
+ftrace_disable is set, it just returns without doing anything more. The
+problem here is that it leaves the mod_list still around and if kallsyms
+is called, it will call into this code and access the module memory that
+has already been freed as it will return:
+
+ strscpy(module_name, mod_map->mod->name, MODULE_NAME_LEN);
+
+Where the "mod" no longer exists and triggers a UAF bug.
+
+Link: https://lore.kernel.org/all/20250523135452.626d8dcd@gandalf.local.home/
+
+Cc: stable@vger.kernel.org
+Fixes: aba4b5c22cba ("ftrace: Save module init functions kallsyms symbols for tracing")
+Link: https://lore.kernel.org/20250529111955.2349189-2-yebin@huaweicloud.com
+Signed-off-by: Ye Bin <yebin10@huawei.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/ftrace.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -6474,9 +6474,10 @@ void ftrace_release_mod(struct module *m
+
+ mutex_lock(&ftrace_lock);
+
+- if (ftrace_disabled)
+- goto out_unlock;
+-
++ /*
++ * To avoid the UAF problem after the module is unloaded, the
++ * 'mod_map' resource needs to be released unconditionally.
++ */
+ list_for_each_entry_safe(mod_map, n, &ftrace_mod_maps, list) {
+ if (mod_map->mod == mod) {
+ list_del_rcu(&mod_map->list);
+@@ -6485,6 +6486,9 @@ void ftrace_release_mod(struct module *m
+ }
+ }
+
++ if (ftrace_disabled)
++ goto out_unlock;
++
+ /*
+ * Each module has its own ftrace_pages, remove
+ * them from the list.
--- /dev/null
+From 0f4ae7c6ecb89bfda026d210dcf8216fb67d2333 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sat, 29 Mar 2025 08:39:03 -0700
+Subject: mips: Add -std= flag specified in KBUILD_CFLAGS to vdso CFLAGS
+
+From: Khem Raj <raj.khem@gmail.com>
+
+commit 0f4ae7c6ecb89bfda026d210dcf8216fb67d2333 upstream.
+
+GCC 15 changed the default C standard dialect from gnu17 to gnu23,
+which should not have impacted the kernel because it explicitly requests
+the gnu11 standard in the main Makefile. However, mips/vdso code uses
+its own CFLAGS without a '-std=' value, which break with this dialect
+change because of the kernel's own definitions of bool, false, and true
+conflicting with the C23 reserved keywords.
+
+ include/linux/stddef.h:11:9: error: cannot use keyword 'false' as enumeration constant
+ 11 | false = 0,
+ | ^~~~~
+ include/linux/stddef.h:11:9: note: 'false' is a keyword with '-std=c23' onwards
+ include/linux/types.h:35:33: error: 'bool' cannot be defined via 'typedef'
+ 35 | typedef _Bool bool;
+ | ^~~~
+ include/linux/types.h:35:33: note: 'bool' is a keyword with '-std=c23' onwards
+
+Add -std as specified in KBUILD_CFLAGS to the decompressor and purgatory
+CFLAGS to eliminate these errors and make the C standard version of these
+areas match the rest of the kernel.
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/mips/vdso/Makefile | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/mips/vdso/Makefile
++++ b/arch/mips/vdso/Makefile
+@@ -29,6 +29,7 @@ endif
+ # offsets.
+ cflags-vdso := $(ccflags-vdso) \
+ $(filter -W%,$(filter-out -Wa$(comma)%,$(KBUILD_CFLAGS))) \
++ $(filter -std=%,$(KBUILD_CFLAGS)) \
+ -O3 -g -fPIC -fno-strict-aliasing -fno-common -fno-builtin -G 0 \
+ -mrelax-pic-calls $(call cc-option, -mexplicit-relocs) \
+ -fno-stack-protector -fno-jump-tables -DDISABLE_BRANCH_PROFILING \
--- /dev/null
+From 4a5a99bc79cdc4be63933653682b0261a67a0c9f Mon Sep 17 00:00:00 2001
+From: Wentao Liang <vulab@iscas.ac.cn>
+Date: Mon, 19 May 2025 23:42:24 +0800
+Subject: mtd: nand: sunxi: Add randomizer configuration before randomizer enable
+
+From: Wentao Liang <vulab@iscas.ac.cn>
+
+commit 4a5a99bc79cdc4be63933653682b0261a67a0c9f upstream.
+
+In sunxi_nfc_hw_ecc_read_chunk(), the sunxi_nfc_randomizer_enable() is
+called without the config of randomizer. A proper implementation can be
+found in sunxi_nfc_hw_ecc_read_chunks_dma().
+
+Add sunxi_nfc_randomizer_config() before the start of randomization.
+
+Fixes: 4be4e03efc7f ("mtd: nand: sunxi: add randomizer support")
+Cc: stable@vger.kernel.org # v4.6
+Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/sunxi_nand.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mtd/nand/raw/sunxi_nand.c
++++ b/drivers/mtd/nand/raw/sunxi_nand.c
+@@ -818,6 +818,7 @@ static int sunxi_nfc_hw_ecc_read_chunk(s
+ if (ret)
+ return ret;
+
++ sunxi_nfc_randomizer_config(nand, page, false);
+ sunxi_nfc_randomizer_enable(nand);
+ writel(NFC_DATA_TRANS | NFC_DATA_SWAP_METHOD | NFC_ECC_OP,
+ nfc->regs + NFC_REG_CMD);
--- /dev/null
+From 44ed1f5ff73e9e115b6f5411744d5a22ea1c855b Mon Sep 17 00:00:00 2001
+From: Wentao Liang <vulab@iscas.ac.cn>
+Date: Mon, 26 May 2025 11:43:44 +0800
+Subject: mtd: rawnand: sunxi: Add randomizer configuration in sunxi_nfc_hw_ecc_write_chunk
+
+From: Wentao Liang <vulab@iscas.ac.cn>
+
+commit 44ed1f5ff73e9e115b6f5411744d5a22ea1c855b upstream.
+
+The function sunxi_nfc_hw_ecc_write_chunk() calls the
+sunxi_nfc_hw_ecc_write_chunk(), but does not call the configuration
+function sunxi_nfc_randomizer_config(). Consequently, the randomization
+might not conduct correctly, which will affect the lifespan of NAND flash.
+A proper implementation can be found in sunxi_nfc_hw_ecc_write_page_dma().
+
+Add the sunxi_nfc_randomizer_config() to config randomizer.
+
+Fixes: 4be4e03efc7f ("mtd: nand: sunxi: add randomizer support")
+Cc: stable@vger.kernel.org # v4.6
+Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/sunxi_nand.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mtd/nand/raw/sunxi_nand.c
++++ b/drivers/mtd/nand/raw/sunxi_nand.c
+@@ -1045,6 +1045,7 @@ static int sunxi_nfc_hw_ecc_write_chunk(
+ if (ret)
+ return ret;
+
++ sunxi_nfc_randomizer_config(nand, page, false);
+ sunxi_nfc_randomizer_enable(nand);
+ sunxi_nfc_hw_ecc_set_prot_oob_bytes(nand, oob, 0, bbm, page);
+
--- /dev/null
+From 9ad0452c0277b816a435433cca601304cfac7c21 Mon Sep 17 00:00:00 2001
+From: Qasim Ijaz <qasdev00@gmail.com>
+Date: Mon, 26 May 2025 19:36:07 +0100
+Subject: net: ch9200: fix uninitialised access during mii_nway_restart
+
+From: Qasim Ijaz <qasdev00@gmail.com>
+
+commit 9ad0452c0277b816a435433cca601304cfac7c21 upstream.
+
+In mii_nway_restart() the code attempts to call
+mii->mdio_read which is ch9200_mdio_read(). ch9200_mdio_read()
+utilises a local buffer called "buff", which is initialised
+with control_read(). However "buff" is conditionally
+initialised inside control_read():
+
+ if (err == size) {
+ memcpy(data, buf, size);
+ }
+
+If the condition of "err == size" is not met, then
+"buff" remains uninitialised. Once this happens the
+uninitialised "buff" is accessed and returned during
+ch9200_mdio_read():
+
+ return (buff[0] | buff[1] << 8);
+
+The problem stems from the fact that ch9200_mdio_read()
+ignores the return value of control_read(), leading to
+uinit-access of "buff".
+
+To fix this we should check the return value of
+control_read() and return early on error.
+
+Reported-by: syzbot <syzbot+3361c2d6f78a3e0892f9@syzkaller.appspotmail.com>
+Closes: https://syzkaller.appspot.com/bug?extid=3361c2d6f78a3e0892f9
+Tested-by: syzbot <syzbot+3361c2d6f78a3e0892f9@syzkaller.appspotmail.com>
+Fixes: 4a476bd6d1d9 ("usbnet: New driver for QinHeng CH9200 devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
+Link: https://patch.msgid.link/20250526183607.66527-1-qasdev00@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/ch9200.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/usb/ch9200.c
++++ b/drivers/net/usb/ch9200.c
+@@ -178,6 +178,7 @@ static int ch9200_mdio_read(struct net_d
+ {
+ struct usbnet *dev = netdev_priv(netdev);
+ unsigned char buff[2];
++ int ret;
+
+ netdev_dbg(netdev, "%s phy_id:%02x loc:%02x\n",
+ __func__, phy_id, loc);
+@@ -185,8 +186,10 @@ static int ch9200_mdio_read(struct net_d
+ if (phy_id != 0)
+ return -ENODEV;
+
+- control_read(dev, REQUEST_READ, 0, loc * 2, buff, 0x02,
+- CONTROL_TIMEOUT_MS);
++ ret = control_read(dev, REQUEST_READ, 0, loc * 2, buff, 0x02,
++ CONTROL_TIMEOUT_MS);
++ if (ret < 0)
++ return ret;
+
+ return (buff[0] | buff[1] << 8);
+ }
--- /dev/null
+From 1f3303aa92e15fa273779acac2d0023609de30f1 Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhuacai@loongson.cn>
+Date: Thu, 3 Apr 2025 12:07:56 +0800
+Subject: PCI: Add ACS quirk for Loongson PCIe
+
+From: Huacai Chen <chenhuacai@loongson.cn>
+
+commit 1f3303aa92e15fa273779acac2d0023609de30f1 upstream.
+
+Loongson PCIe Root Ports don't advertise an ACS capability, but they do not
+allow peer-to-peer transactions between Root Ports. Add an ACS quirk so
+each Root Port can be in a separate IOMMU group.
+
+Signed-off-by: Xianglai Li <lixianglai@loongson.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250403040756.720409-1-chenhuacai@loongson.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/quirks.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -4828,6 +4828,18 @@ static int pci_quirk_brcm_acs(struct pci
+ PCI_ACS_SV | PCI_ACS_RR | PCI_ACS_CR | PCI_ACS_UF);
+ }
+
++static int pci_quirk_loongson_acs(struct pci_dev *dev, u16 acs_flags)
++{
++ /*
++ * Loongson PCIe Root Ports don't advertise an ACS capability, but
++ * they do not allow peer-to-peer transactions between Root Ports.
++ * Allow each Root Port to be in a separate IOMMU group by masking
++ * SV/RR/CR/UF bits.
++ */
++ return pci_acs_ctrl_enabled(acs_flags,
++ PCI_ACS_SV | PCI_ACS_RR | PCI_ACS_CR | PCI_ACS_UF);
++}
++
+ /*
+ * Wangxun 40G/25G/10G/1G NICs have no ACS capability, but on
+ * multi-function devices, the hardware isolates the functions by
+@@ -4961,6 +4973,17 @@ static const struct pci_dev_acs_enabled
+ { PCI_VENDOR_ID_BROADCOM, 0x1762, pci_quirk_mf_endpoint_acs },
+ { PCI_VENDOR_ID_BROADCOM, 0x1763, pci_quirk_mf_endpoint_acs },
+ { PCI_VENDOR_ID_BROADCOM, 0xD714, pci_quirk_brcm_acs },
++ /* Loongson PCIe Root Ports */
++ { PCI_VENDOR_ID_LOONGSON, 0x3C09, pci_quirk_loongson_acs },
++ { PCI_VENDOR_ID_LOONGSON, 0x3C19, pci_quirk_loongson_acs },
++ { PCI_VENDOR_ID_LOONGSON, 0x3C29, pci_quirk_loongson_acs },
++ { PCI_VENDOR_ID_LOONGSON, 0x7A09, pci_quirk_loongson_acs },
++ { PCI_VENDOR_ID_LOONGSON, 0x7A19, pci_quirk_loongson_acs },
++ { PCI_VENDOR_ID_LOONGSON, 0x7A29, pci_quirk_loongson_acs },
++ { PCI_VENDOR_ID_LOONGSON, 0x7A39, pci_quirk_loongson_acs },
++ { PCI_VENDOR_ID_LOONGSON, 0x7A49, pci_quirk_loongson_acs },
++ { PCI_VENDOR_ID_LOONGSON, 0x7A59, pci_quirk_loongson_acs },
++ { PCI_VENDOR_ID_LOONGSON, 0x7A69, pci_quirk_loongson_acs },
+ /* Amazon Annapurna Labs */
+ { PCI_VENDOR_ID_AMAZON_ANNAPURNA_LABS, 0x0031, pci_quirk_al_acs },
+ /* Zhaoxin multi-function devices */
--- /dev/null
+From f3efb9569b4a21354ef2caf7ab0608a3e14cc6e4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ilpo=20J=C3=A4rvinen?= <ilpo.jarvinen@linux.intel.com>
+Date: Mon, 5 May 2025 14:54:12 +0300
+Subject: PCI: Fix lock symmetry in pci_slot_unlock()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+commit f3efb9569b4a21354ef2caf7ab0608a3e14cc6e4 upstream.
+
+The commit a4e772898f8b ("PCI: Add missing bridge lock to pci_bus_lock()")
+made the lock function to call depend on dev->subordinate but left
+pci_slot_unlock() unmodified creating locking asymmetry compared with
+pci_slot_lock().
+
+Because of the asymmetric lock handling, the same bridge device is unlocked
+twice. First pci_bus_unlock() unlocks bus->self and then pci_slot_unlock()
+will unconditionally unlock the same bridge device.
+
+Move pci_dev_unlock() inside an else branch to match the logic in
+pci_slot_lock().
+
+Fixes: a4e772898f8b ("PCI: Add missing bridge lock to pci_bus_lock()")
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Lukas Wunner <lukas@wunner.de>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20250505115412.37628-1-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/pci.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/pci/pci.c
++++ b/drivers/pci/pci.c
+@@ -5356,7 +5356,8 @@ static void pci_slot_unlock(struct pci_s
+ continue;
+ if (dev->subordinate)
+ pci_bus_unlock(dev->subordinate);
+- pci_dev_unlock(dev);
++ else
++ pci_dev_unlock(dev);
+ }
+ }
+
--- /dev/null
+From 65271f868cb1dca709ff69e45939bbef8d6d0b70 Mon Sep 17 00:00:00 2001
+From: Wentao Liang <vulab@iscas.ac.cn>
+Date: Mon, 26 May 2025 10:56:27 +0800
+Subject: regulator: max14577: Add error check for max14577_read_reg()
+
+From: Wentao Liang <vulab@iscas.ac.cn>
+
+commit 65271f868cb1dca709ff69e45939bbef8d6d0b70 upstream.
+
+The function max14577_reg_get_current_limit() calls the function
+max14577_read_reg(), but does not check its return value. A proper
+implementation can be found in max14577_get_online().
+
+Add a error check for the max14577_read_reg() and return error code
+if the function fails.
+
+Fixes: b0902bbeb768 ("regulator: max14577: Add regulator driver for Maxim 14577")
+Cc: stable@vger.kernel.org # v3.14
+Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
+Link: https://patch.msgid.link/20250526025627.407-1-vulab@iscas.ac.cn
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/regulator/max14577-regulator.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/regulator/max14577-regulator.c
++++ b/drivers/regulator/max14577-regulator.c
+@@ -40,11 +40,14 @@ static int max14577_reg_get_current_limi
+ struct max14577 *max14577 = rdev_get_drvdata(rdev);
+ const struct maxim_charger_current *limits =
+ &maxim_charger_currents[max14577->dev_type];
++ int ret;
+
+ if (rdev_get_id(rdev) != MAX14577_CHARGER)
+ return -EINVAL;
+
+- max14577_read_reg(rmap, MAX14577_CHG_REG_CHG_CTRL4, ®_data);
++ ret = max14577_read_reg(rmap, MAX14577_CHG_REG_CHG_CTRL4, ®_data);
++ if (ret < 0)
++ return ret;
+
+ if ((reg_data & CHGCTRL4_MBCICHWRCL_MASK) == 0)
+ return limits->min;
clk-meson-g12a-add-missing-fclk_div2-to-spicc.patch
ipc-fix-to-protect-ipcs-lookups-using-rcu.patch
mm-fix-ratelimit_pages-update-error-in-dirty_ratio_handler.patch
+mtd-rawnand-sunxi-add-randomizer-configuration-in-sunxi_nfc_hw_ecc_write_chunk.patch
+mtd-nand-sunxi-add-randomizer-configuration-before-randomizer-enable.patch
+dm-mirror-fix-a-tiny-race-condition.patch
+ftrace-fix-uaf-when-lookup-kallsym-after-ftrace-disabled.patch
+net-ch9200-fix-uninitialised-access-during-mii_nway_restart.patch
+staging-iio-ad5933-correct-settling-cycles-encoding-per-datasheet.patch
+mips-add-std-flag-specified-in-kbuild_cflags-to-vdso-cflags.patch
+regulator-max14577-add-error-check-for-max14577_read_reg.patch
+uio_hv_generic-use-correct-size-for-interrupt-and-monitor-pages.patch
+pci-add-acs-quirk-for-loongson-pcie.patch
+pci-fix-lock-symmetry-in-pci_slot_unlock.patch
--- /dev/null
+From 60638e2a2d4bc03798f00d5ab65ce9b83cb8b03b Mon Sep 17 00:00:00 2001
+From: Gabriel Shahrouzi <gshahrouzi@gmail.com>
+Date: Sat, 19 Apr 2025 21:30:09 -0400
+Subject: staging: iio: ad5933: Correct settling cycles encoding per datasheet
+
+From: Gabriel Shahrouzi <gshahrouzi@gmail.com>
+
+commit 60638e2a2d4bc03798f00d5ab65ce9b83cb8b03b upstream.
+
+The AD5933 datasheet (Table 13) lists the maximum cycles to be 0x7FC
+(2044).
+
+Clamp the user input to the maximum effective value of 0x7FC cycles.
+
+Fixes: f94aa354d676 ("iio: impedance-analyzer: New driver for AD5933/4 Impedance Converter, Network Analyzer")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gabriel Shahrouzi <gshahrouzi@gmail.com>
+Reviewed-by: Marcelo Schmitt <marcelo.schmitt1@gmail.com>
+Link: https://patch.msgid.link/20250420013009.847851-1-gshahrouzi@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/iio/impedance-analyzer/ad5933.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/iio/impedance-analyzer/ad5933.c
++++ b/drivers/staging/iio/impedance-analyzer/ad5933.c
+@@ -412,7 +412,7 @@ static ssize_t ad5933_store(struct devic
+ ret = ad5933_cmd(st, 0);
+ break;
+ case AD5933_OUT_SETTLING_CYCLES:
+- val = clamp(val, (u16)0, (u16)0x7FF);
++ val = clamp(val, (u16)0, (u16)0x7FC);
+ st->settling_cycles = val;
+
+ /* 2x, 4x handling, see datasheet */
--- /dev/null
+From c951ab8fd3589cf6991ed4111d2130816f2e3ac2 Mon Sep 17 00:00:00 2001
+From: Long Li <longli@microsoft.com>
+Date: Mon, 5 May 2025 17:56:34 -0700
+Subject: uio_hv_generic: Use correct size for interrupt and monitor pages
+
+From: Long Li <longli@microsoft.com>
+
+commit c951ab8fd3589cf6991ed4111d2130816f2e3ac2 upstream.
+
+Interrupt and monitor pages should be in Hyper-V page size (4k bytes).
+This can be different from the system page size.
+
+This size is read and used by the user-mode program to determine the
+mapped data region. An example of such user-mode program is the VMBus
+driver in DPDK.
+
+Cc: stable@vger.kernel.org
+Fixes: 95096f2fbd10 ("uio-hv-generic: new userspace i/o driver for VMBus")
+Signed-off-by: Long Li <longli@microsoft.com>
+Reviewed-by: Michael Kelley <mhklinux@outlook.com>
+Link: https://lore.kernel.org/r/1746492997-4599-3-git-send-email-longli@linuxonhyperv.com
+Signed-off-by: Wei Liu <wei.liu@kernel.org>
+Message-ID: <1746492997-4599-3-git-send-email-longli@linuxonhyperv.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/uio/uio_hv_generic.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/uio/uio_hv_generic.c
++++ b/drivers/uio/uio_hv_generic.c
+@@ -288,13 +288,13 @@ hv_uio_probe(struct hv_device *dev,
+ pdata->info.mem[INT_PAGE_MAP].name = "int_page";
+ pdata->info.mem[INT_PAGE_MAP].addr
+ = (uintptr_t)vmbus_connection.int_page;
+- pdata->info.mem[INT_PAGE_MAP].size = PAGE_SIZE;
++ pdata->info.mem[INT_PAGE_MAP].size = HV_HYP_PAGE_SIZE;
+ pdata->info.mem[INT_PAGE_MAP].memtype = UIO_MEM_LOGICAL;
+
+ pdata->info.mem[MON_PAGE_MAP].name = "monitor_page";
+ pdata->info.mem[MON_PAGE_MAP].addr
+ = (uintptr_t)vmbus_connection.monitor_pages[1];
+- pdata->info.mem[MON_PAGE_MAP].size = PAGE_SIZE;
++ pdata->info.mem[MON_PAGE_MAP].size = HV_HYP_PAGE_SIZE;
+ pdata->info.mem[MON_PAGE_MAP].memtype = UIO_MEM_LOGICAL;
+
+ pdata->recv_buf = vzalloc(RECV_BUFFER_SIZE);
projects / thirdparty / kernel / stable-queue.git / commitdiff
