6.6-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 30 Jun 2025 10:07:35 +0000 (12:07 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 30 Jun 2025 10:07:35 +0000 (12:07 +0200)
added patches:
bluetooth-l2cap-fix-l2cap-mtu-negotiation.patch
btrfs-fix-a-race-between-renames-and-directory-logging.patch
btrfs-update-superblock-s-device-bytes_used-when-dropping-chunk.patch
dm-raid-fix-variable-in-journal-device-check.patch
drm-amdkfd-fix-race-in-gws-queue-scheduling.patch
drm-ast-fix-comment-on-modeset-lock.patch
drm-cirrus-qemu-fix-pitch-programming.patch
drm-etnaviv-protect-the-scheduler-s-pending-list-with-its-lock.patch
drm-msm-gpu-fix-crash-when-throttling-gpu-immediately-during-boot.patch
drm-tegra-assign-plane-type-before-registration.patch
drm-tegra-fix-a-possible-null-pointer-dereference.patch
drm-udl-unregister-device-before-cleaning-up-on-disconnect.patch
dt-bindings-serial-8250-make-clocks-and-clock-frequency-exclusive.patch
edac-amd64-fix-size-calculation-for-non-power-of-two-dimms.patch
hid-lenovo-restrict-f7-9-11-mode-to-compact-keyboards-only.patch
hid-wacom-fix-kobject-reference-count-leak.patch
hid-wacom-fix-memory-leak-on-kobject-creation-failure.patch
hid-wacom-fix-memory-leak-on-sysfs-attribute-creation-failure.patch
net-libwx-fix-the-creation-of-page_pool.patch
scsi-megaraid_sas-fix-invalid-node-index.patch
serial-imx-restore-original-rxtl-for-console-to-fix-data-loss.patch
staging-rtl8723bs-avoid-memset-in-aes_cipher-and-aes_decipher.patch

23 files changed:
queue-6.6/bluetooth-l2cap-fix-l2cap-mtu-negotiation.patch [new file with mode: 0644]
queue-6.6/btrfs-fix-a-race-between-renames-and-directory-logging.patch [new file with mode: 0644]
queue-6.6/btrfs-update-superblock-s-device-bytes_used-when-dropping-chunk.patch [new file with mode: 0644]
queue-6.6/dm-raid-fix-variable-in-journal-device-check.patch [new file with mode: 0644]
queue-6.6/drm-amdkfd-fix-race-in-gws-queue-scheduling.patch [new file with mode: 0644]
queue-6.6/drm-ast-fix-comment-on-modeset-lock.patch [new file with mode: 0644]
queue-6.6/drm-cirrus-qemu-fix-pitch-programming.patch [new file with mode: 0644]
queue-6.6/drm-etnaviv-protect-the-scheduler-s-pending-list-with-its-lock.patch [new file with mode: 0644]
queue-6.6/drm-msm-gpu-fix-crash-when-throttling-gpu-immediately-during-boot.patch [new file with mode: 0644]
queue-6.6/drm-tegra-assign-plane-type-before-registration.patch [new file with mode: 0644]
queue-6.6/drm-tegra-fix-a-possible-null-pointer-dereference.patch [new file with mode: 0644]
queue-6.6/drm-udl-unregister-device-before-cleaning-up-on-disconnect.patch [new file with mode: 0644]
queue-6.6/dt-bindings-serial-8250-make-clocks-and-clock-frequency-exclusive.patch [new file with mode: 0644]
queue-6.6/edac-amd64-fix-size-calculation-for-non-power-of-two-dimms.patch [new file with mode: 0644]
queue-6.6/hid-lenovo-restrict-f7-9-11-mode-to-compact-keyboards-only.patch [new file with mode: 0644]
queue-6.6/hid-wacom-fix-kobject-reference-count-leak.patch [new file with mode: 0644]
queue-6.6/hid-wacom-fix-memory-leak-on-kobject-creation-failure.patch [new file with mode: 0644]
queue-6.6/hid-wacom-fix-memory-leak-on-sysfs-attribute-creation-failure.patch [new file with mode: 0644]
queue-6.6/net-libwx-fix-the-creation-of-page_pool.patch [new file with mode: 0644]
queue-6.6/scsi-megaraid_sas-fix-invalid-node-index.patch [new file with mode: 0644]
queue-6.6/serial-imx-restore-original-rxtl-for-console-to-fix-data-loss.patch [new file with mode: 0644]
queue-6.6/series
queue-6.6/staging-rtl8723bs-avoid-memset-in-aes_cipher-and-aes_decipher.patch [new file with mode: 0644]

diff --git a/queue-6.6/bluetooth-l2cap-fix-l2cap-mtu-negotiation.patch b/queue-6.6/bluetooth-l2cap-fix-l2cap-mtu-negotiation.patch
new file mode 100644 (file)
index 0000000..5434b9e
--- /dev/null
@@ -0,0 +1,226 @@
+From 042bb9603c44620dce98717a2d23235ca57a00d7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Danis?= <frederic.danis@collabora.com>
+Date: Thu, 12 Jun 2025 09:50:34 +0200
+Subject: Bluetooth: L2CAP: Fix L2CAP MTU negotiation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Frédéric Danis <frederic.danis@collabora.com>
+
+commit 042bb9603c44620dce98717a2d23235ca57a00d7 upstream.
+
+OBEX download from iPhone is currently slow due to small packet size
+used to transfer data which doesn't follow the MTU negotiated during
+L2CAP connection, i.e. 672 bytes instead of 32767:
+
+  < ACL Data TX: Handle 11 flags 0x00 dlen 12
+      L2CAP: Connection Request (0x02) ident 18 len 4
+        PSM: 4103 (0x1007)
+        Source CID: 72
+  > ACL Data RX: Handle 11 flags 0x02 dlen 16
+      L2CAP: Connection Response (0x03) ident 18 len 8
+        Destination CID: 14608
+        Source CID: 72
+        Result: Connection successful (0x0000)
+        Status: No further information available (0x0000)
+  < ACL Data TX: Handle 11 flags 0x00 dlen 27
+      L2CAP: Configure Request (0x04) ident 20 len 19
+        Destination CID: 14608
+        Flags: 0x0000
+        Option: Maximum Transmission Unit (0x01) [mandatory]
+          MTU: 32767
+        Option: Retransmission and Flow Control (0x04) [mandatory]
+          Mode: Enhanced Retransmission (0x03)
+          TX window size: 63
+          Max transmit: 3
+          Retransmission timeout: 2000
+          Monitor timeout: 12000
+          Maximum PDU size: 1009
+  > ACL Data RX: Handle 11 flags 0x02 dlen 26
+      L2CAP: Configure Request (0x04) ident 72 len 18
+        Destination CID: 72
+        Flags: 0x0000
+        Option: Retransmission and Flow Control (0x04) [mandatory]
+          Mode: Enhanced Retransmission (0x03)
+          TX window size: 32
+          Max transmit: 255
+          Retransmission timeout: 0
+          Monitor timeout: 0
+          Maximum PDU size: 65527
+        Option: Frame Check Sequence (0x05) [mandatory]
+          FCS: 16-bit FCS (0x01)
+  < ACL Data TX: Handle 11 flags 0x00 dlen 29
+      L2CAP: Configure Response (0x05) ident 72 len 21
+        Source CID: 14608
+        Flags: 0x0000
+        Result: Success (0x0000)
+        Option: Maximum Transmission Unit (0x01) [mandatory]
+          MTU: 672
+        Option: Retransmission and Flow Control (0x04) [mandatory]
+          Mode: Enhanced Retransmission (0x03)
+          TX window size: 32
+          Max transmit: 255
+          Retransmission timeout: 2000
+          Monitor timeout: 12000
+          Maximum PDU size: 1009
+  > ACL Data RX: Handle 11 flags 0x02 dlen 32
+      L2CAP: Configure Response (0x05) ident 20 len 24
+        Source CID: 72
+        Flags: 0x0000
+        Result: Success (0x0000)
+        Option: Maximum Transmission Unit (0x01) [mandatory]
+          MTU: 32767
+        Option: Retransmission and Flow Control (0x04) [mandatory]
+          Mode: Enhanced Retransmission (0x03)
+          TX window size: 63
+          Max transmit: 3
+          Retransmission timeout: 2000
+          Monitor timeout: 12000
+          Maximum PDU size: 1009
+        Option: Frame Check Sequence (0x05) [mandatory]
+          FCS: 16-bit FCS (0x01)
+  ...
+  > ACL Data RX: Handle 11 flags 0x02 dlen 680
+      Channel: 72 len 676 ctrl 0x0202 [PSM 4103 mode Enhanced Retransmission (0x03)] {chan 8}
+      I-frame: Unsegmented TxSeq 1 ReqSeq 2
+  < ACL Data TX: Handle 11 flags 0x00 dlen 13
+      Channel: 14608 len 9 ctrl 0x0204 [PSM 4103 mode Enhanced Retransmission (0x03)] {chan 8}
+      I-frame: Unsegmented TxSeq 2 ReqSeq 2
+  > ACL Data RX: Handle 11 flags 0x02 dlen 680
+      Channel: 72 len 676 ctrl 0x0304 [PSM 4103 mode Enhanced Retransmission (0x03)] {chan 8}
+      I-frame: Unsegmented TxSeq 2 ReqSeq 3
+
+The MTUs are negotiated for each direction. In this traces 32767 for
+iPhone->localhost and no MTU for localhost->iPhone, which based on
+'4.4 L2CAP_CONFIGURATION_REQ' (Core specification v5.4, Vol. 3, Part
+A):
+
+  The only parameters that should be included in the
+  L2CAP_CONFIGURATION_REQ packet are those that require different
+  values than the default or previously agreed values.
+  ...
+  Any missing configuration parameters are assumed to have their
+  most recently explicitly or implicitly accepted values.
+
+and '5.1 Maximum transmission unit (MTU)':
+
+  If the remote device sends a positive L2CAP_CONFIGURATION_RSP
+  packet it should include the actual MTU to be used on this channel
+  for traffic flowing into the local device.
+  ...
+  The default value is 672 octets.
+
+is set by BlueZ to 672 bytes.
+
+It seems that the iPhone used the lowest negotiated value to transfer
+data to the localhost instead of the negotiated one for the incoming
+direction.
+
+This could be fixed by using the MTU negotiated for the other
+direction, if exists, in the L2CAP_CONFIGURATION_RSP.
+This allows to use segmented packets as in the following traces:
+
+  < ACL Data TX: Handle 11 flags 0x00 dlen 12
+        L2CAP: Connection Request (0x02) ident 22 len 4
+          PSM: 4103 (0x1007)
+          Source CID: 72
+  < ACL Data TX: Handle 11 flags 0x00 dlen 27
+        L2CAP: Configure Request (0x04) ident 24 len 19
+          Destination CID: 2832
+          Flags: 0x0000
+          Option: Maximum Transmission Unit (0x01) [mandatory]
+            MTU: 32767
+          Option: Retransmission and Flow Control (0x04) [mandatory]
+            Mode: Enhanced Retransmission (0x03)
+            TX window size: 63
+            Max transmit: 3
+            Retransmission timeout: 2000
+            Monitor timeout: 12000
+            Maximum PDU size: 1009
+  > ACL Data RX: Handle 11 flags 0x02 dlen 26
+        L2CAP: Configure Request (0x04) ident 15 len 18
+          Destination CID: 72
+          Flags: 0x0000
+          Option: Retransmission and Flow Control (0x04) [mandatory]
+            Mode: Enhanced Retransmission (0x03)
+            TX window size: 32
+            Max transmit: 255
+            Retransmission timeout: 0
+            Monitor timeout: 0
+            Maximum PDU size: 65527
+          Option: Frame Check Sequence (0x05) [mandatory]
+            FCS: 16-bit FCS (0x01)
+  < ACL Data TX: Handle 11 flags 0x00 dlen 29
+        L2CAP: Configure Response (0x05) ident 15 len 21
+          Source CID: 2832
+          Flags: 0x0000
+          Result: Success (0x0000)
+          Option: Maximum Transmission Unit (0x01) [mandatory]
+            MTU: 32767
+          Option: Retransmission and Flow Control (0x04) [mandatory]
+            Mode: Enhanced Retransmission (0x03)
+            TX window size: 32
+            Max transmit: 255
+            Retransmission timeout: 2000
+            Monitor timeout: 12000
+            Maximum PDU size: 1009
+  > ACL Data RX: Handle 11 flags 0x02 dlen 32
+        L2CAP: Configure Response (0x05) ident 24 len 24
+          Source CID: 72
+          Flags: 0x0000
+          Result: Success (0x0000)
+          Option: Maximum Transmission Unit (0x01) [mandatory]
+            MTU: 32767
+          Option: Retransmission and Flow Control (0x04) [mandatory]
+            Mode: Enhanced Retransmission (0x03)
+            TX window size: 63
+            Max transmit: 3
+            Retransmission timeout: 2000
+            Monitor timeout: 12000
+            Maximum PDU size: 1009
+          Option: Frame Check Sequence (0x05) [mandatory]
+            FCS: 16-bit FCS (0x01)
+  ...
+  > ACL Data RX: Handle 11 flags 0x02 dlen 1009
+        Channel: 72 len 1005 ctrl 0x4202 [PSM 4103 mode Enhanced Retransmission (0x03)] {chan 8}
+        I-frame: Start (len 21884) TxSeq 1 ReqSeq 2
+  > ACL Data RX: Handle 11 flags 0x02 dlen 1009
+        Channel: 72 len 1005 ctrl 0xc204 [PSM 4103 mode Enhanced Retransmission (0x03)] {chan 8}
+        I-frame: Continuation TxSeq 2 ReqSeq 2
+
+This has been tested with kernel 5.4 and BlueZ 5.77.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/l2cap_core.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -3380,7 +3380,7 @@ static int l2cap_parse_conf_req(struct l
+       struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
+       struct l2cap_conf_efs efs;
+       u8 remote_efs = 0;
+-      u16 mtu = L2CAP_DEFAULT_MTU;
++      u16 mtu = 0;
+       u16 result = L2CAP_CONF_SUCCESS;
+       u16 size;
+@@ -3485,6 +3485,13 @@ done:
+               /* Configure output options and let the other side know
+                * which ones we don't like. */
++              /* If MTU is not provided in configure request, use the most recently
++               * explicitly or implicitly accepted value for the other direction,
++               * or the default value.
++               */
++              if (mtu == 0)
++                      mtu = chan->imtu ? chan->imtu : L2CAP_DEFAULT_MTU;
++
+               if (mtu < L2CAP_DEFAULT_MIN_MTU)
+                       result = L2CAP_CONF_UNACCEPT;
+               else {
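Review bot: Using `mtu == 0` as the "option not present" sentinel in l2cap_parse_conf_req() also matches a peer that explicitly sends an MTU option with value 0, assuming the option-parsing loop (outside this hunk) stores the received value in `mtu`. Before this change such a request fell through to the `mtu < L2CAP_DEFAULT_MIN_MTU` check and was answered with L2CAP_CONF_UNACCEPT; now the peer-supplied 0 is silently replaced by `chan->imtu` and accepted. Tracking presence separately would keep the rejection, e.g. a local `bool mtu_set = false;` that the MTU option case sets, tested here as `if (!mtu_set)` instead of `if (mtu == 0)`. The function body starts and ends outside the hunks shown.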
diff --git a/queue-6.6/btrfs-fix-a-race-between-renames-and-directory-logging.patch b/queue-6.6/btrfs-fix-a-race-between-renames-and-directory-logging.patch
new file mode 100644 (file)
index 0000000..ccfaa47
--- /dev/null
@@ -0,0 +1,246 @@
+From 3ca864de852bc91007b32d2a0d48993724f4abad Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Wed, 28 May 2025 12:28:27 +0100
+Subject: btrfs: fix a race between renames and directory logging
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 3ca864de852bc91007b32d2a0d48993724f4abad upstream.
+
+We have a race between a rename and directory inode logging that if it
+happens and we crash/power fail before the rename completes, the next time
+the filesystem is mounted, the log replay code will end up deleting the
+file that was being renamed.
+
+This is best explained following a step by step analysis of an interleaving
+of steps that lead into this situation.
+
+Consider the initial conditions:
+
+1) We are at transaction N;
+
+2) We have directories A and B created in a past transaction (< N);
+
+3) We have inode X corresponding to a file that has 2 hardlinks, one in
+   directory A and the other in directory B, so we'll name them as
+   "A/foo_link1" and "B/foo_link2". Both hard links were persisted in a
+   past transaction (< N);
+
+4) We have inode Y corresponding to a file that as a single hard link and
+   is located in directory A, we'll name it as "A/bar". This file was also
+   persisted in a past transaction (< N).
+
+The steps leading to a file loss are the following and for all of them we
+are under transaction N:
+
+ 1) Link "A/foo_link1" is removed, so inode's X last_unlink_trans field
+    is updated to N, through btrfs_unlink() -> btrfs_record_unlink_dir();
+
+ 2) Task A starts a rename for inode Y, with the goal of renaming from
+    "A/bar" to "A/baz", so we enter btrfs_rename();
+
+ 3) Task A inserts the new BTRFS_INODE_REF_KEY for inode Y by calling
+    btrfs_insert_inode_ref();
+
+ 4) Because the rename happens in the same directory, we don't set the
+    last_unlink_trans field of directoty A's inode to the current
+    transaction id, that is, we don't cal btrfs_record_unlink_dir();
+
+ 5) Task A then removes the entries from directory A (BTRFS_DIR_ITEM_KEY
+    and BTRFS_DIR_INDEX_KEY items) when calling __btrfs_unlink_inode()
+    (actually the dir index item is added as a delayed item, but the
+    effect is the same);
+
+ 6) Now before task A adds the new entry "A/baz" to directory A by
+    calling btrfs_add_link(), another task, task B is logging inode X;
+
+ 7) Task B starts a fsync of inode X and after logging inode X, at
+    btrfs_log_inode_parent() it calls btrfs_log_all_parents(), since
+    inode X has a last_unlink_trans value of N, set at in step 1;
+
+ 8) At btrfs_log_all_parents() we search for all parent directories of
+    inode X using the commit root, so we find directories A and B and log
+    them. Bu when logging direct A, we don't have a dir index item for
+    inode Y anymore, neither the old name "A/bar" nor for the new name
+    "A/baz" since the rename has deleted the old name but has not yet
+    inserted the new name - task A hasn't called yet btrfs_add_link() to
+    do that.
+
+    Note that logging directory A doesn't fallback to a transaction
+    commit because its last_unlink_trans has a lower value than the
+    current transaction's id (see step 4);
+
+ 9) Task B finishes logging directories A and B and gets back to
+    btrfs_sync_file() where it calls btrfs_sync_log() to persist the log
+    tree;
+
+10) Task B successfully persisted the log tree, btrfs_sync_log() completed
+    with success, and a power failure happened.
+
+    We have a log tree without any directory entry for inode Y, so the
+    log replay code deletes the entry for inode Y, name "A/bar", from the
+    subvolume tree since it doesn't exist in the log tree and the log
+    tree is authorative for its index (we logged a BTRFS_DIR_LOG_INDEX_KEY
+    item that covers the index range for the dentry that corresponds to
+    "A/bar").
+
+    Since there's no other hard link for inode Y and the log replay code
+    deletes the name "A/bar", the file is lost.
+
+The issue wouldn't happen if task B synced the log only after task A
+called btrfs_log_new_name(), which would update the log with the new name
+for inode Y ("A/bar").
+
+Fix this by pinning the log root during renames before removing the old
+directory entry, and unpinning after btrfs_log_new_name() is called.
+
+Fixes: 259c4b96d78d ("btrfs: stop doing unnecessary log updates during a rename")
+CC: stable@vger.kernel.org # 5.18+
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/inode.c |   81 +++++++++++++++++++++++++++++++++++++++++++------------
+ 1 file changed, 64 insertions(+), 17 deletions(-)
+
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -8754,6 +8754,7 @@ static int btrfs_rename_exchange(struct
+       int ret;
+       int ret2;
+       bool need_abort = false;
++      bool logs_pinned = false;
+       struct fscrypt_name old_fname, new_fname;
+       struct fscrypt_str *old_name, *new_name;
+@@ -8877,6 +8878,31 @@ static int btrfs_rename_exchange(struct
+       inode_inc_iversion(new_inode);
+       simple_rename_timestamp(old_dir, old_dentry, new_dir, new_dentry);
++      if (old_ino != BTRFS_FIRST_FREE_OBJECTID &&
++          new_ino != BTRFS_FIRST_FREE_OBJECTID) {
++              /*
++               * If we are renaming in the same directory (and it's not for
++               * root entries) pin the log early to prevent any concurrent
++               * task from logging the directory after we removed the old
++               * entries and before we add the new entries, otherwise that
++               * task can sync a log without any entry for the inodes we are
++               * renaming and therefore replaying that log, if a power failure
++               * happens after syncing the log, would result in deleting the
++               * inodes.
++               *
++               * If the rename affects two different directories, we want to
++               * make sure the that there's no log commit that contains
++               * updates for only one of the directories but not for the
++               * other.
++               *
++               * If we are renaming an entry for a root, we don't care about
++               * log updates since we called btrfs_set_log_full_commit().
++               */
++              btrfs_pin_log_trans(root);
++              btrfs_pin_log_trans(dest);
++              logs_pinned = true;
++      }
++
+       if (old_dentry->d_parent != new_dentry->d_parent) {
+               btrfs_record_unlink_dir(trans, BTRFS_I(old_dir),
+                                       BTRFS_I(old_inode), true);
+@@ -8934,30 +8960,23 @@ static int btrfs_rename_exchange(struct
+               BTRFS_I(new_inode)->dir_index = new_idx;
+       /*
+-       * Now pin the logs of the roots. We do it to ensure that no other task
+-       * can sync the logs while we are in progress with the rename, because
+-       * that could result in an inconsistency in case any of the inodes that
+-       * are part of this rename operation were logged before.
++       * Do the log updates for all inodes.
++       *
++       * If either entry is for a root we don't need to update the logs since
++       * we've called btrfs_set_log_full_commit() before.
+        */
+-      if (old_ino != BTRFS_FIRST_FREE_OBJECTID)
+-              btrfs_pin_log_trans(root);
+-      if (new_ino != BTRFS_FIRST_FREE_OBJECTID)
+-              btrfs_pin_log_trans(dest);
+-
+-      /* Do the log updates for all inodes. */
+-      if (old_ino != BTRFS_FIRST_FREE_OBJECTID)
++      if (logs_pinned) {
+               btrfs_log_new_name(trans, old_dentry, BTRFS_I(old_dir),
+                                  old_rename_ctx.index, new_dentry->d_parent);
+-      if (new_ino != BTRFS_FIRST_FREE_OBJECTID)
+               btrfs_log_new_name(trans, new_dentry, BTRFS_I(new_dir),
+                                  new_rename_ctx.index, old_dentry->d_parent);
++      }
+-      /* Now unpin the logs. */
+-      if (old_ino != BTRFS_FIRST_FREE_OBJECTID)
++out_fail:
++      if (logs_pinned) {
+               btrfs_end_log_trans(root);
+-      if (new_ino != BTRFS_FIRST_FREE_OBJECTID)
+               btrfs_end_log_trans(dest);
+-out_fail:
++      }
+       ret2 = btrfs_end_transaction(trans);
+       ret = ret ? ret : ret2;
+ out_notrans:
+@@ -9007,6 +9026,7 @@ static int btrfs_rename(struct mnt_idmap
+       int ret2;
+       u64 old_ino = btrfs_ino(BTRFS_I(old_inode));
+       struct fscrypt_name old_fname, new_fname;
++      bool logs_pinned = false;
+       if (btrfs_ino(BTRFS_I(new_dir)) == BTRFS_EMPTY_SUBVOL_DIR_OBJECTID)
+               return -EPERM;
+@@ -9141,6 +9161,29 @@ static int btrfs_rename(struct mnt_idmap
+       inode_inc_iversion(old_inode);
+       simple_rename_timestamp(old_dir, old_dentry, new_dir, new_dentry);
++      if (old_ino != BTRFS_FIRST_FREE_OBJECTID) {
++              /*
++               * If we are renaming in the same directory (and it's not a
++               * root entry) pin the log to prevent any concurrent task from
++               * logging the directory after we removed the old entry and
++               * before we add the new entry, otherwise that task can sync
++               * a log without any entry for the inode we are renaming and
++               * therefore replaying that log, if a power failure happens
++               * after syncing the log, would result in deleting the inode.
++               *
++               * If the rename affects two different directories, we want to
++               * make sure the that there's no log commit that contains
++               * updates for only one of the directories but not for the
++               * other.
++               *
++               * If we are renaming an entry for a root, we don't care about
++               * log updates since we called btrfs_set_log_full_commit().
++               */
++              btrfs_pin_log_trans(root);
++              btrfs_pin_log_trans(dest);
++              logs_pinned = true;
++      }
++
+       if (old_dentry->d_parent != new_dentry->d_parent)
+               btrfs_record_unlink_dir(trans, BTRFS_I(old_dir),
+                                       BTRFS_I(old_inode), true);
+@@ -9189,7 +9232,7 @@ static int btrfs_rename(struct mnt_idmap
+       if (old_inode->i_nlink == 1)
+               BTRFS_I(old_inode)->dir_index = index;
+-      if (old_ino != BTRFS_FIRST_FREE_OBJECTID)
++      if (logs_pinned)
+               btrfs_log_new_name(trans, old_dentry, BTRFS_I(old_dir),
+                                  rename_ctx.index, new_dentry->d_parent);
+@@ -9205,6 +9248,10 @@ static int btrfs_rename(struct mnt_idmap
+               }
+       }
+ out_fail:
++      if (logs_pinned) {
++              btrfs_end_log_trans(root);
++              btrfs_end_log_trans(dest);
++      }
+       ret2 = btrfs_end_transaction(trans);
+       ret = ret ? ret : ret2;
+ out_notrans:
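Review bot: The comment added above `btrfs_pin_log_trans(root)` in both btrfs_rename_exchange() and btrfs_rename() contains a stray word, `make sure the that there's no log commit`, which should read `make sure that there's no log commit`. The unpin now sits under `out_fail:` and is reached from every error path after the transaction starts, so a short comment there would help, for example `/* Pairs with the btrfs_pin_log_trans() calls above; logs_pinned is set only after both roots are pinned. */`. That makes it clear to later backports that a new `goto out_fail` between the two pin calls and `logs_pinned = true` would leave the log writer count unbalanced. Both functions start and end outside the hunks.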
diff --git a/queue-6.6/btrfs-update-superblock-s-device-bytes_used-when-dropping-chunk.patch b/queue-6.6/btrfs-update-superblock-s-device-bytes_used-when-dropping-chunk.patch
new file mode 100644 (file)
index 0000000..6f85aab
--- /dev/null
@@ -0,0 +1,66 @@
+From ae4477f937569d097ca5dbce92a89ba384b49bc6 Mon Sep 17 00:00:00 2001
+From: Mark Harmstone <maharmstone@fb.com>
+Date: Thu, 29 May 2025 10:37:44 +0100
+Subject: btrfs: update superblock's device bytes_used when dropping chunk
+
+From: Mark Harmstone <maharmstone@fb.com>
+
+commit ae4477f937569d097ca5dbce92a89ba384b49bc6 upstream.
+
+Each superblock contains a copy of the device item for that device. In a
+transaction which drops a chunk but doesn't create any new ones, we were
+correctly updating the device item in the chunk tree but not copying
+over the new bytes_used value to the superblock.
+
+This can be seen by doing the following:
+
+  # dd if=/dev/zero of=test bs=4096 count=2621440
+  # mkfs.btrfs test
+  # mount test /root/temp
+
+  # cd /root/temp
+  # for i in {00..10}; do dd if=/dev/zero of=$i bs=4096 count=32768; done
+  # sync
+  # rm *
+  # sync
+  # btrfs balance start -dusage=0 .
+  # sync
+
+  # cd
+  # umount /root/temp
+  # btrfs check test
+
+For btrfs-check to detect this, you will also need my patch at
+https://github.com/kdave/btrfs-progs/pull/991.
+
+Change btrfs_remove_dev_extents() so that it adds the devices to the
+fs_info->post_commit_list if they're not there already. This causes
+btrfs_commit_device_sizes() to be called, which updates the bytes_used
+value in the superblock.
+
+Fixes: bbbf7243d62d ("btrfs: combine device update operations during transaction commit")
+CC: stable@vger.kernel.org # 5.10+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Mark Harmstone <maharmstone@fb.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/volumes.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -3174,6 +3174,12 @@ int btrfs_remove_chunk(struct btrfs_tran
+                                       device->bytes_used - dev_extent_len);
+                       atomic64_add(dev_extent_len, &fs_info->free_chunk_space);
+                       btrfs_clear_space_info_full(fs_info);
++
++                      if (list_empty(&device->post_commit_list)) {
++                              list_add_tail(&device->post_commit_list,
++                                            &trans->transaction->dev_update_list);
++                      }
++
+                       mutex_unlock(&fs_info->chunk_mutex);
+               }
+       }
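Review bot: The added `list_empty(&device->post_commit_list)` block has no comment, and nothing at the call site says why a chunk removal has to queue the device on `dev_update_list`. Something like `/* Queue the device so btrfs_commit_device_sizes() copies the new bytes_used into the superblock. */` would record the reason given in the patch description. The description also names btrfs_remove_dev_extents(), while the hunk header places the change in btrfs_remove_chunk(); if that is a 6.6 backport adjustment, a bracketed backport note in the patch would make the difference from upstream explicit. The enclosing loop and function continue outside the hunk.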
diff --git a/queue-6.6/dm-raid-fix-variable-in-journal-device-check.patch b/queue-6.6/dm-raid-fix-variable-in-journal-device-check.patch
new file mode 100644 (file)
index 0000000..d69376c
--- /dev/null
@@ -0,0 +1,31 @@
+From db53805156f1e0aa6d059c0d3f9ac660d4ef3eb4 Mon Sep 17 00:00:00 2001
+From: Heinz Mauelshagen <heinzm@redhat.com>
+Date: Tue, 10 Jun 2025 20:53:30 +0200
+Subject: dm-raid: fix variable in journal device check
+
+From: Heinz Mauelshagen <heinzm@redhat.com>
+
+commit db53805156f1e0aa6d059c0d3f9ac660d4ef3eb4 upstream.
+
+Replace "rdev" with correct loop variable name "r".
+
+Signed-off-by: Heinz Mauelshagen <heinzm@redhat.com>
+Cc: stable@vger.kernel.org
+Fixes: 63c32ed4afc2 ("dm raid: add raid4/5/6 journaling support")
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-raid.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-raid.c
++++ b/drivers/md/dm-raid.c
+@@ -2378,7 +2378,7 @@ static int super_init_validation(struct
+        */
+       sb_retrieve_failed_devices(sb, failed_devices);
+       rdev_for_each(r, mddev) {
+-              if (test_bit(Journal, &rdev->flags) ||
++              if (test_bit(Journal, &r->flags) ||
+                   !r->sb_page)
+                       continue;
+               sb2 = page_address(r->sb_page);
diff --git a/queue-6.6/drm-amdkfd-fix-race-in-gws-queue-scheduling.patch b/queue-6.6/drm-amdkfd-fix-race-in-gws-queue-scheduling.patch
new file mode 100644 (file)
index 0000000..a5de2d7
--- /dev/null
@@ -0,0 +1,37 @@
+From cfb05257ae168a0496c7637e1d9e3ab8a25cbffe Mon Sep 17 00:00:00 2001
+From: Jay Cornwall <jay.cornwall@amd.com>
+Date: Wed, 11 Jun 2025 09:52:14 -0500
+Subject: drm/amdkfd: Fix race in GWS queue scheduling
+
+From: Jay Cornwall <jay.cornwall@amd.com>
+
+commit cfb05257ae168a0496c7637e1d9e3ab8a25cbffe upstream.
+
+q->gws is not updated atomically with qpd->mapped_gws_queue. If a
+runlist is created between pqm_set_gws and update_queue it will
+contain a queue which uses GWS in a process with no GWS allocated.
+This will result in a scheduler hang.
+
+Use q->properties.is_gws which is changed while holding the DQM lock.
+
+Signed-off-by: Jay Cornwall <jay.cornwall@amd.com>
+Reviewed-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit b98370220eb3110e82248e3354e16a489a492cfb)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_packet_manager_v9.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_packet_manager_v9.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_packet_manager_v9.c
+@@ -225,7 +225,7 @@ static int pm_map_queues_v9(struct packe
+       packet->bitfields2.engine_sel =
+               engine_sel__mes_map_queues__compute_vi;
+-      packet->bitfields2.gws_control_queue = q->gws ? 1 : 0;
++      packet->bitfields2.gws_control_queue = q->properties.is_gws ? 1 : 0;
+       packet->bitfields2.extended_engine_sel =
+               extended_engine_sel__mes_map_queues__legacy_engine_sel;
+       packet->bitfields2.queue_type =
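Review bot: The switch from `q->gws` to `q->properties.is_gws` in pm_map_queues_v9() is a race fix, but the line carries no comment, so a later cleanup could plausibly revert it to the shorter field. A comment above the assignment would preserve the reasoning from the description, e.g. `/* Read properties.is_gws: it changes under the DQM lock, whereas q->gws is not updated atomically with qpd->mapped_gws_queue. */`. The function body extends outside the hunk, so whether other readers of `q->gws` on the runlist-building path need the same treatment cannot be judged from here.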
diff --git a/queue-6.6/drm-ast-fix-comment-on-modeset-lock.patch b/queue-6.6/drm-ast-fix-comment-on-modeset-lock.patch
new file mode 100644 (file)
index 0000000..5742afe
--- /dev/null
@@ -0,0 +1,43 @@
+From 7cce65f3789e04c0f7668a66563e680d81d54493 Mon Sep 17 00:00:00 2001
+From: Thomas Zimmermann <tzimmermann@suse.de>
+Date: Mon, 24 Mar 2025 10:44:09 +0100
+Subject: drm/ast: Fix comment on modeset lock
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+commit 7cce65f3789e04c0f7668a66563e680d81d54493 upstream.
+
+The ast driver protects the commit tail against concurrent reads
+of the display modes by acquiring a lock. The comment is misleading
+as the lock is not released in atomic_flush, but at the end of the
+commit-tail helper. Rewrite the comment.
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Fixes: 1fe182154984 ("drm/ast: Acquire I/O-register lock in atomic_commit_tail function")
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: Jocelyn Falempe <jfalempe@redhat.com>
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: dri-devel@lists.freedesktop.org
+Cc: <stable@vger.kernel.org> # v6.2+
+Reviewed-by: Jocelyn Falempe <jfalempe@redhat.com>
+Link: https://lore.kernel.org/r/20250324094520.192974-2-tzimmermann@suse.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/ast/ast_mode.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/ast/ast_mode.c
++++ b/drivers/gpu/drm/ast/ast_mode.c
+@@ -1868,9 +1868,9 @@ static void ast_mode_config_helper_atomi
+       /*
+        * Concurrent operations could possibly trigger a call to
+-       * drm_connector_helper_funcs.get_modes by trying to read the
+-       * display modes. Protect access to I/O registers by acquiring
+-       * the I/O-register lock. Released in atomic_flush().
++       * drm_connector_helper_funcs.get_modes by reading the display
++       * modes. Protect access to registers by acquiring the modeset
++       * lock.
+        */
+       mutex_lock(&ast->ioregs_lock);
+       drm_atomic_helper_commit_tail_rpm(state);
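Review bot: The rewritten comment says the registers are protected "by acquiring the modeset lock", but the context line directly below it takes `ast->ioregs_lock`, so in this tree the comment names a lock that the visible code does not use. For the 6.6 queue the wording should match the field, e.g. `modes. Protect access to registers by acquiring the I/O-register lock (ioregs_lock).` The description says the lock is released at the end of the commit-tail helper, and the new comment no longer states where it is released; a closing sentence such as `Released at the end of this helper.` would keep that information. The function continues outside the hunk.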
diff --git a/queue-6.6/drm-cirrus-qemu-fix-pitch-programming.patch b/queue-6.6/drm-cirrus-qemu-fix-pitch-programming.patch
new file mode 100644 (file)
index 0000000..ebf3e9d
--- /dev/null
@@ -0,0 +1,44 @@
+From 4bfb389a0136a13f0802eeb5e97a0e76d88f77ae Mon Sep 17 00:00:00 2001
+From: Thomas Zimmermann <tzimmermann@suse.de>
+Date: Fri, 28 Mar 2025 10:17:05 +0100
+Subject: drm/cirrus-qemu: Fix pitch programming
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+commit 4bfb389a0136a13f0802eeb5e97a0e76d88f77ae upstream.
+
+Do not set CR1B[6] when programming the pitch. The bit effects VGA
+text mode and is not interpreted by qemu. [1] It has no affect on
+the scanline pitch.
+
+The scanline bit that is set into CR1B[6] belongs into CR13[7], which
+the driver sets up correctly.
+
+This bug goes back to the driver's initial commit.
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+Link: https://gitlab.com/qemu-project/qemu/-/blob/stable-9.2/hw/display/cirrus_vga.c?ref_type=heads#L1112 # 1
+Fixes: f9aa76a85248 ("drm/kms: driver for virtual cirrus under qemu")
+Cc: Adam Jackson <ajax@redhat.com>
+Cc: Dave Airlie <airlied@redhat.com>
+Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Cc: Maxime Ripard <mripard@kernel.org>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: <stable@vger.kernel.org> # v3.5+
+Link: https://lore.kernel.org/r/20250328091821.195061-2-tzimmermann@suse.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/tiny/cirrus.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/gpu/drm/tiny/cirrus.c
++++ b/drivers/gpu/drm/tiny/cirrus.c
+@@ -318,7 +318,6 @@ static void cirrus_pitch_set(struct cirr
+       /* Enable extended blanking and pitch bits, and enable full memory */
+       cr1b = 0x22;
+       cr1b |= (pitch >> 7) & 0x10;
+-      cr1b |= (pitch >> 6) & 0x40;
+       wreg_crt(cirrus, 0x1b, cr1b);
+       cirrus_set_start_address(cirrus, 0);
diff --git a/queue-6.6/drm-etnaviv-protect-the-scheduler-s-pending-list-with-its-lock.patch b/queue-6.6/drm-etnaviv-protect-the-scheduler-s-pending-list-with-its-lock.patch
new file mode 100644 (file)
index 0000000..31074ee
--- /dev/null
@@ -0,0 +1,55 @@
+From 61ee19dedb8d753249e20308782bf4e9e2fb7344 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ma=C3=ADra=20Canal?= <mcanal@igalia.com>
+Date: Mon, 2 Jun 2025 10:22:16 -0300
+Subject: drm/etnaviv: Protect the scheduler's pending list with its lock
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+commit 61ee19dedb8d753249e20308782bf4e9e2fb7344 upstream.
+
+Commit 704d3d60fec4 ("drm/etnaviv: don't block scheduler when GPU is still
+active") ensured that active jobs are returned to the pending list when
+extending the timeout. However, it didn't use the pending list's lock to
+manipulate the list, which causes a race condition as the scheduler's
+workqueues are running.
+
+Hold the lock while manipulating the scheduler's pending list to prevent
+a race.
+
+Cc: stable@vger.kernel.org
+Fixes: 704d3d60fec4 ("drm/etnaviv: don't block scheduler when GPU is still active")
+Reported-by: Philipp Stanner <phasta@kernel.org>
+Closes: https://lore.kernel.org/dri-devel/964e59ba1539083ef29b06d3c78f5e2e9b138ab8.camel@mailbox.org/
+Reviewed-by: Lucas Stach <l.stach@pengutronix.de>
+Reviewed-by: Philipp Stanner <phasta@kernel.org>
+Link: https://lore.kernel.org/r/20250602132240.93314-1-mcanal@igalia.com
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/etnaviv/etnaviv_sched.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/etnaviv/etnaviv_sched.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_sched.c
+@@ -34,6 +34,7 @@ static enum drm_gpu_sched_stat etnaviv_s
+                                                         *sched_job)
+ {
+       struct etnaviv_gem_submit *submit = to_etnaviv_submit(sched_job);
++      struct drm_gpu_scheduler *sched = sched_job->sched;
+       struct etnaviv_gpu *gpu = submit->gpu;
+       u32 dma_addr;
+       int change;
+@@ -76,7 +77,9 @@ static enum drm_gpu_sched_stat etnaviv_s
+       return DRM_GPU_SCHED_STAT_NOMINAL;
+ out_no_timeout:
+-      list_add(&sched_job->list, &sched_job->sched->pending_list);
++      spin_lock(&sched->job_list_lock);
++      list_add(&sched_job->list, &sched->pending_list);
++      spin_unlock(&sched->job_list_lock);
+       return DRM_GPU_SCHED_STAT_NOMINAL;
+ }
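Review bot: The new `spin_lock(&sched->job_list_lock)` at the `out_no_timeout:` label makes the driver take a lock and edit a list that both belong to the DRM scheduler, and nothing at the site says why that is required. A short comment above the lock would stop a later cleanup from dropping it, for example `/* pending_list is shared with the scheduler's workqueues; re-add the job under job_list_lock */`. The timeout handler's body starts outside this hunk, so whether the job has already been unlinked from `pending_list` before this label cannot be confirmed here; if it has, say so in the same comment.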
diff --git a/queue-6.6/drm-msm-gpu-fix-crash-when-throttling-gpu-immediately-during-boot.patch b/queue-6.6/drm-msm-gpu-fix-crash-when-throttling-gpu-immediately-during-boot.patch
new file mode 100644 (file)
index 0000000..5eabff0
--- /dev/null
@@ -0,0 +1,76 @@
+From b71717735be48d7743a34897e9e44a0b53e30c0e Mon Sep 17 00:00:00 2001
+From: Stephan Gerhold <stephan.gerhold@linaro.org>
+Date: Tue, 29 Apr 2025 10:33:56 +0200
+Subject: drm/msm/gpu: Fix crash when throttling GPU immediately during boot
+
+From: Stephan Gerhold <stephan.gerhold@linaro.org>
+
+commit b71717735be48d7743a34897e9e44a0b53e30c0e upstream.
+
+There is a small chance that the GPU is already hot during boot. In that
+case, the call to of_devfreq_cooling_register() will immediately try to
+apply devfreq cooling, as seen in the following crash:
+
+  Unable to handle kernel paging request at virtual address 0000000000014110
+  pc : a6xx_gpu_busy+0x1c/0x58 [msm]
+  lr : msm_devfreq_get_dev_status+0xbc/0x140 [msm]
+  Call trace:
+   a6xx_gpu_busy+0x1c/0x58 [msm] (P)
+   devfreq_simple_ondemand_func+0x3c/0x150
+   devfreq_update_target+0x44/0xd8
+   qos_max_notifier_call+0x30/0x84
+   blocking_notifier_call_chain+0x6c/0xa0
+   pm_qos_update_target+0xd0/0x110
+   freq_qos_apply+0x3c/0x74
+   apply_constraint+0x88/0x148
+   __dev_pm_qos_update_request+0x7c/0xcc
+   dev_pm_qos_update_request+0x38/0x5c
+   devfreq_cooling_set_cur_state+0x98/0xf0
+   __thermal_cdev_update+0x64/0xb4
+   thermal_cdev_update+0x4c/0x58
+   step_wise_manage+0x1f0/0x318
+   __thermal_zone_device_update+0x278/0x424
+   __thermal_cooling_device_register+0x2bc/0x308
+   thermal_of_cooling_device_register+0x10/0x1c
+   of_devfreq_cooling_register_power+0x240/0x2bc
+   of_devfreq_cooling_register+0x14/0x20
+   msm_devfreq_init+0xc4/0x1a0 [msm]
+   msm_gpu_init+0x304/0x574 [msm]
+   adreno_gpu_init+0x1c4/0x2e0 [msm]
+   a6xx_gpu_init+0x5c8/0x9c8 [msm]
+   adreno_bind+0x2a8/0x33c [msm]
+   ...
+
+At this point we haven't initialized the GMU at all yet, so we cannot read
+the GMU registers inside a6xx_gpu_busy(). A similar issue was fixed before
+in commit 6694482a70e9 ("drm/msm: Avoid unclocked GMU register access in
+6xx gpu_busy"): msm_devfreq_init() does call devfreq_suspend_device(), but
+unlike msm_devfreq_suspend(), it doesn't set the df->suspended flag
+accordingly. This means the df->suspended flag does not match the actual
+devfreq state after initialization and msm_devfreq_get_dev_status() will
+end up accessing GMU registers, causing the crash.
+
+Fix this by setting df->suspended correctly during initialization.
+
+Cc: stable@vger.kernel.org
+Fixes: 6694482a70e9 ("drm/msm: Avoid unclocked GMU register access in 6xx gpu_busy")
+Signed-off-by: Stephan Gerhold <stephan.gerhold@linaro.org>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
+Patchwork: https://patchwork.freedesktop.org/patch/650772/
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/msm_gpu_devfreq.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/msm/msm_gpu_devfreq.c
++++ b/drivers/gpu/drm/msm/msm_gpu_devfreq.c
+@@ -156,6 +156,7 @@ void msm_devfreq_init(struct msm_gpu *gp
+       priv->gpu_devfreq_config.downdifferential = 10;
+       mutex_init(&df->lock);
++      df->suspended = true;
+       ret = dev_pm_qos_add_request(&gpu->pdev->dev, &df->boost_freq,
+                                    DEV_PM_QOS_MIN_FREQUENCY, 0);
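Review bot: The added `df->suspended = true;` in `msm_devfreq_init()` is written without taking `df->lock` and without a comment, although the commit message describes the flag as state that `msm_devfreq_suspend()` keeps in step with the devfreq device. Writing it unlocked is presumably fine because nothing else can reach `df` this early, but the reason the flag starts out true is not obvious at the site. I would add `/* devfreq starts suspended; keeps msm_devfreq_get_dev_status() off GMU registers until first resume */`. The `devfreq_suspend_device()` call the flag is meant to mirror lies outside the hunk, so any early return that leaves the flag set should be checked there.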
diff --git a/queue-6.6/drm-tegra-assign-plane-type-before-registration.patch b/queue-6.6/drm-tegra-assign-plane-type-before-registration.patch
new file mode 100644 (file)
index 0000000..0127390
--- /dev/null
@@ -0,0 +1,87 @@
+From 9ff4fdf4f44b69237c0afc1d3a8dac916ce66f3e Mon Sep 17 00:00:00 2001
+From: Thierry Reding <treding@nvidia.com>
+Date: Mon, 21 Apr 2025 11:13:05 -0500
+Subject: drm/tegra: Assign plane type before registration
+
+From: Thierry Reding <treding@nvidia.com>
+
+commit 9ff4fdf4f44b69237c0afc1d3a8dac916ce66f3e upstream.
+
+Changes to a plane's type after it has been registered aren't propagated
+to userspace automatically. This could possibly be achieved by updating
+the property, but since we can already determine which type this should
+be before the registration, passing in the right type from the start is
+a much better solution.
+
+Suggested-by: Aaron Kling <webgeek1234@gmail.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Cc: stable@vger.kernel.org
+Fixes: 473079549f27 ("drm/tegra: dc: Add Tegra186 support")
+Signed-off-by: Aaron Kling <webgeek1234@gmail.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Link: https://lore.kernel.org/r/20250421-tegra-drm-primary-v2-1-7f740c4c2121@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/tegra/dc.c  |   12 ++++++++----
+ drivers/gpu/drm/tegra/hub.c |    4 ++--
+ drivers/gpu/drm/tegra/hub.h |    3 ++-
+ 3 files changed, 12 insertions(+), 7 deletions(-)
+
+--- a/drivers/gpu/drm/tegra/dc.c
++++ b/drivers/gpu/drm/tegra/dc.c
+@@ -1320,10 +1320,16 @@ static struct drm_plane *tegra_dc_add_sh
+               if (wgrp->dc == dc->pipe) {
+                       for (j = 0; j < wgrp->num_windows; j++) {
+                               unsigned int index = wgrp->windows[j];
++                              enum drm_plane_type type;
++
++                              if (primary)
++                                      type = DRM_PLANE_TYPE_OVERLAY;
++                              else
++                                      type = DRM_PLANE_TYPE_PRIMARY;
+                               plane = tegra_shared_plane_create(drm, dc,
+                                                                 wgrp->index,
+-                                                                index);
++                                                                index, type);
+                               if (IS_ERR(plane))
+                                       return plane;
+@@ -1331,10 +1337,8 @@ static struct drm_plane *tegra_dc_add_sh
+                                * Choose the first shared plane owned by this
+                                * head as the primary plane.
+                                */
+-                              if (!primary) {
+-                                      plane->type = DRM_PLANE_TYPE_PRIMARY;
++                              if (!primary)
+                                       primary = plane;
+-                              }
+                       }
+               }
+       }
+--- a/drivers/gpu/drm/tegra/hub.c
++++ b/drivers/gpu/drm/tegra/hub.c
+@@ -756,9 +756,9 @@ static const struct drm_plane_helper_fun
+ struct drm_plane *tegra_shared_plane_create(struct drm_device *drm,
+                                           struct tegra_dc *dc,
+                                           unsigned int wgrp,
+-                                          unsigned int index)
++                                          unsigned int index,
++                                          enum drm_plane_type type)
+ {
+-      enum drm_plane_type type = DRM_PLANE_TYPE_OVERLAY;
+       struct tegra_drm *tegra = drm->dev_private;
+       struct tegra_display_hub *hub = tegra->hub;
+       struct tegra_shared_plane *plane;
+--- a/drivers/gpu/drm/tegra/hub.h
++++ b/drivers/gpu/drm/tegra/hub.h
+@@ -80,7 +80,8 @@ void tegra_display_hub_cleanup(struct te
+ struct drm_plane *tegra_shared_plane_create(struct drm_device *drm,
+                                           struct tegra_dc *dc,
+                                           unsigned int wgrp,
+-                                          unsigned int index);
++                                          unsigned int index,
++                                          enum drm_plane_type type);
+ int tegra_display_hub_atomic_check(struct drm_device *drm,
+                                  struct drm_atomic_state *state);
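Review bot: In the `dc.c` hunk the new `if (primary)` block assigns `DRM_PLANE_TYPE_OVERLAY` in the taken branch and `DRM_PLANE_TYPE_PRIMARY` in the `else`, which reads inverted next to the retained comment about choosing the first shared plane as the primary. Initialising at the declaration is shorter and puts the primary case first: `enum drm_plane_type type = !primary ? DRM_PLANE_TYPE_PRIMARY : DRM_PLANE_TYPE_OVERLAY;`. `tegra_shared_plane_create()` in `hub.c` now accepts whatever `type` the caller passes. Its body continues outside the hunk, so a one-line comment on the parameter stating which plane types are expected would help the next caller.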
diff --git a/queue-6.6/drm-tegra-fix-a-possible-null-pointer-dereference.patch b/queue-6.6/drm-tegra-fix-a-possible-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..1b49176
--- /dev/null
@@ -0,0 +1,37 @@
+From 780351a5f61416ed2ba1199cc57e4a076fca644d Mon Sep 17 00:00:00 2001
+From: Qiu-ji Chen <chenqiuji666@gmail.com>
+Date: Wed, 6 Nov 2024 17:59:06 +0800
+Subject: drm/tegra: Fix a possible null pointer dereference
+
+From: Qiu-ji Chen <chenqiuji666@gmail.com>
+
+commit 780351a5f61416ed2ba1199cc57e4a076fca644d upstream.
+
+In tegra_crtc_reset(), new memory is allocated with kzalloc(), but
+no check is performed. Before calling __drm_atomic_helper_crtc_reset,
+state should be checked to prevent possible null pointer dereference.
+
+Fixes: b7e0b04ae450 ("drm/tegra: Convert to using __drm_atomic_helper_crtc_reset() for reset.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Qiu-ji Chen <chenqiuji666@gmail.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Link: https://lore.kernel.org/r/20241106095906.15247-1-chenqiuji666@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/tegra/dc.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/tegra/dc.c
++++ b/drivers/gpu/drm/tegra/dc.c
+@@ -1392,7 +1392,10 @@ static void tegra_crtc_reset(struct drm_
+       if (crtc->state)
+               tegra_crtc_atomic_destroy_state(crtc, crtc->state);
+-      __drm_atomic_helper_crtc_reset(crtc, &state->base);
++      if (state)
++              __drm_atomic_helper_crtc_reset(crtc, &state->base);
++      else
++              __drm_atomic_helper_crtc_reset(crtc, NULL);
+ }
+ static struct drm_crtc_state *
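Review bot: The `else` branch calling `__drm_atomic_helper_crtc_reset(crtc, NULL)` appears to be what stops `crtc->state` from still referring to the state handed to `tegra_crtc_atomic_destroy_state()` two lines earlier, but the code gives no hint of that. The failure is otherwise silent, since `tegra_crtc_reset()` returns void. I would add a comment on the branch: `/* allocation failed: clear crtc->state rather than leave it pointing at the destroyed state */`. The `kzalloc()` and the start of the function are outside the hunk. Code that dereferences `crtc->state` after a reset presumably has to tolerate NULL, which is worth confirming.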
diff --git a/queue-6.6/drm-udl-unregister-device-before-cleaning-up-on-disconnect.patch b/queue-6.6/drm-udl-unregister-device-before-cleaning-up-on-disconnect.patch
new file mode 100644 (file)
index 0000000..217af97
--- /dev/null
@@ -0,0 +1,48 @@
+From ff9cb6d2035c586ea7c8f1754d4409eec7a2d26d Mon Sep 17 00:00:00 2001
+From: Thomas Zimmermann <tzimmermann@suse.de>
+Date: Mon, 3 Mar 2025 15:52:56 +0100
+Subject: drm/udl: Unregister device before cleaning up on disconnect
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+commit ff9cb6d2035c586ea7c8f1754d4409eec7a2d26d upstream.
+
+Disconnecting a DisplayLink device results in the following kernel
+error messages
+
+[   93.041748] [drm:udl_urb_completion [udl]] *ERROR* udl_urb_completion - nonzero write bulk status received: -115
+[   93.055299] [drm:udl_submit_urb [udl]] *ERROR* usb_submit_urb error fffffffe
+[   93.065363] [drm:udl_urb_completion [udl]] *ERROR* udl_urb_completion - nonzero write bulk status received: -115
+[   93.078207] [drm:udl_submit_urb [udl]] *ERROR* usb_submit_urb error fffffffe
+
+coming from KMS poll helpers. Shutting down poll helpers runs them
+one final time when the USB device is already gone.
+
+Run drm_dev_unplug() first in udl's USB disconnect handler. Udl's
+polling code already handles disconnects gracefully if the device has
+been marked as unplugged.
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Fixes: b1a981bd5576 ("drm/udl: drop drm_driver.release hook")
+Cc: dri-devel@lists.freedesktop.org
+Cc: <stable@vger.kernel.org> # v5.8+
+Reviewed-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20250303145604.62962-2-tzimmermann@suse.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/udl/udl_drv.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/udl/udl_drv.c
++++ b/drivers/gpu/drm/udl/udl_drv.c
+@@ -126,9 +126,9 @@ static void udl_usb_disconnect(struct us
+ {
+       struct drm_device *dev = usb_get_intfdata(interface);
++      drm_dev_unplug(dev);
+       drm_kms_helper_poll_fini(dev);
+       udl_drop_usb(dev);
+-      drm_dev_unplug(dev);
+ }
+ /*
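Review bot: The order of the three calls in `udl_usb_disconnect()` is now load-bearing, yet nothing in the function records it, so a later tidy-up could move `drm_dev_unplug()` back to the end and bring back the URB errors quoted in the commit message. A comment above the call would pin it: `/* mark the device unplugged first so the final poll-helper run skips the vanished USB device */`. Only part of the function's signature is visible in the hunk header.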
diff --git a/queue-6.6/dt-bindings-serial-8250-make-clocks-and-clock-frequency-exclusive.patch b/queue-6.6/dt-bindings-serial-8250-make-clocks-and-clock-frequency-exclusive.patch
new file mode 100644 (file)
index 0000000..626810d
--- /dev/null
@@ -0,0 +1,51 @@
+From 09812134071b3941fb81def30b61ed36d3a5dfb5 Mon Sep 17 00:00:00 2001
+From: Yao Zi <ziyao@disroot.org>
+Date: Mon, 23 Jun 2025 09:34:45 +0000
+Subject: dt-bindings: serial: 8250: Make clocks and clock-frequency exclusive
+
+From: Yao Zi <ziyao@disroot.org>
+
+commit 09812134071b3941fb81def30b61ed36d3a5dfb5 upstream.
+
+The 8250 binding before converting to json-schema states,
+
+  - clock-frequency : the input clock frequency for the UART
+       or
+  - clocks phandle to refer to the clk used as per Documentation/devicetree
+
+for clock-related properties, where "or" indicates these properties
+shouldn't exist at the same time.
+
+Additionally, the behavior of Linux's driver is strange when both clocks
+and clock-frequency are specified: it ignores clocks and obtains the
+frequency from clock-frequency, left the specified clocks unclaimed. It
+may even be disabled, which is undesired most of the time.
+
+But "anyOf" doesn't prevent these two properties from coexisting, as it
+considers the object valid as long as there's at LEAST one match.
+
+Let's switch to "oneOf" and disallows the other property if one exists,
+precisely matching the original binding and avoiding future confusion on
+the driver's behavior.
+
+Fixes: e69f5dc623f9 ("dt-bindings: serial: Convert 8250 to json-schema")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Yao Zi <ziyao@disroot.org>
+Reviewed-by: Conor Dooley <conor.dooley@microchip.com>
+Link: https://lore.kernel.org/r/20250623093445.62327-1-ziyao@disroot.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/serial/8250.yaml |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/serial/8250.yaml
++++ b/Documentation/devicetree/bindings/serial/8250.yaml
+@@ -45,7 +45,7 @@ allOf:
+                   - ns16550
+                   - ns16550a
+     then:
+-      anyOf:
++      oneOf:
+         - required: [ clock-frequency ]
+         - required: [ clocks ]
diff --git a/queue-6.6/edac-amd64-fix-size-calculation-for-non-power-of-two-dimms.patch b/queue-6.6/edac-amd64-fix-size-calculation-for-non-power-of-two-dimms.patch
new file mode 100644 (file)
index 0000000..aed8ad7
--- /dev/null
@@ -0,0 +1,161 @@
+From a3f3040657417aeadb9622c629d4a0c2693a0f93 Mon Sep 17 00:00:00 2001
+From: Avadhut Naik <avadhut.naik@amd.com>
+Date: Thu, 29 May 2025 20:50:04 +0000
+Subject: EDAC/amd64: Fix size calculation for Non-Power-of-Two DIMMs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Avadhut Naik <avadhut.naik@amd.com>
+
+commit a3f3040657417aeadb9622c629d4a0c2693a0f93 upstream.
+
+Each Chip-Select (CS) of a Unified Memory Controller (UMC) on AMD Zen-based
+SOCs has an Address Mask and a Secondary Address Mask register associated with
+it. The amd64_edac module logs DIMM sizes on a per-UMC per-CS granularity
+during init using these two registers.
+
+Currently, the module primarily considers only the Address Mask register for
+computing DIMM sizes. The Secondary Address Mask register is only considered
+for odd CS. Additionally, if it has been considered, the Address Mask register
+is ignored altogether for that CS. For power-of-two DIMMs i.e. DIMMs whose
+total capacity is a power of two (32GB, 64GB, etc), this is not an issue
+since only the Address Mask register is used.
+
+For non-power-of-two DIMMs i.e., DIMMs whose total capacity is not a power of
+two (48GB, 96GB, etc), however, the Secondary Address Mask register is used
+in conjunction with the Address Mask register. However, since the module only
+considers either of the two registers for a CS, the size computed by the
+module is incorrect. The Secondary Address Mask register is not considered for
+even CS, and the Address Mask register is not considered for odd CS.
+
+Introduce a new helper function so that both Address Mask and Secondary
+Address Mask registers are considered, when valid, for computing DIMM sizes.
+Furthermore, also rename some variables for greater clarity.
+
+Fixes: 81f5090db843 ("EDAC/amd64: Support asymmetric dual-rank DIMMs")
+Closes: https://lore.kernel.org/dbec22b6-00f2-498b-b70d-ab6f8a5ec87e@natrix.lt
+Reported-by: Žilvinas Žaltiena <zilvinas@natrix.lt>
+Signed-off-by: Avadhut Naik <avadhut.naik@amd.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Yazen Ghannam <yazen.ghannam@amd.com>
+Tested-by: Žilvinas Žaltiena <zilvinas@natrix.lt>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/20250529205013.403450-1-avadhut.naik@amd.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/edac/amd64_edac.c |   57 +++++++++++++++++++++++++++++-----------------
+ 1 file changed, 36 insertions(+), 21 deletions(-)
+
+--- a/drivers/edac/amd64_edac.c
++++ b/drivers/edac/amd64_edac.c
+@@ -1475,7 +1475,9 @@ static int umc_get_cs_mode(int dimm, u8
+       if (csrow_enabled(2 * dimm + 1, ctrl, pvt))
+               cs_mode |= CS_ODD_PRIMARY;
+-      /* Asymmetric dual-rank DIMM support. */
++      if (csrow_sec_enabled(2 * dimm, ctrl, pvt))
++              cs_mode |= CS_EVEN_SECONDARY;
++
+       if (csrow_sec_enabled(2 * dimm + 1, ctrl, pvt))
+               cs_mode |= CS_ODD_SECONDARY;
+@@ -1496,12 +1498,13 @@ static int umc_get_cs_mode(int dimm, u8
+       return cs_mode;
+ }
+-static int __addr_mask_to_cs_size(u32 addr_mask_orig, unsigned int cs_mode,
+-                                int csrow_nr, int dimm)
++static int calculate_cs_size(u32 mask, unsigned int cs_mode)
+ {
+-      u32 msb, weight, num_zero_bits;
+-      u32 addr_mask_deinterleaved;
+-      int size = 0;
++      int msb, weight, num_zero_bits;
++      u32 deinterleaved_mask;
++
++      if (!mask)
++              return 0;
+       /*
+        * The number of zero bits in the mask is equal to the number of bits
+@@ -1514,19 +1517,30 @@ static int __addr_mask_to_cs_size(u32 ad
+        * without swapping with the most significant bit. This can be handled
+        * by keeping the MSB where it is and ignoring the single zero bit.
+        */
+-      msb = fls(addr_mask_orig) - 1;
+-      weight = hweight_long(addr_mask_orig);
++      msb = fls(mask) - 1;
++      weight = hweight_long(mask);
+       num_zero_bits = msb - weight - !!(cs_mode & CS_3R_INTERLEAVE);
+       /* Take the number of zero bits off from the top of the mask. */
+-      addr_mask_deinterleaved = GENMASK_ULL(msb - num_zero_bits, 1);
++      deinterleaved_mask = GENMASK(msb - num_zero_bits, 1);
++      edac_dbg(1, "  Deinterleaved AddrMask: 0x%x\n", deinterleaved_mask);
++
++      return (deinterleaved_mask >> 2) + 1;
++}
++
++static int __addr_mask_to_cs_size(u32 addr_mask, u32 addr_mask_sec,
++                                unsigned int cs_mode, int csrow_nr, int dimm)
++{
++      int size;
+       edac_dbg(1, "CS%d DIMM%d AddrMasks:\n", csrow_nr, dimm);
+-      edac_dbg(1, "  Original AddrMask: 0x%x\n", addr_mask_orig);
+-      edac_dbg(1, "  Deinterleaved AddrMask: 0x%x\n", addr_mask_deinterleaved);
++      edac_dbg(1, "  Primary AddrMask: 0x%x\n", addr_mask);
+       /* Register [31:1] = Address [39:9]. Size is in kBs here. */
+-      size = (addr_mask_deinterleaved >> 2) + 1;
++      size = calculate_cs_size(addr_mask, cs_mode);
++
++      edac_dbg(1, "  Secondary AddrMask: 0x%x\n", addr_mask_sec);
++      size += calculate_cs_size(addr_mask_sec, cs_mode);
+       /* Return size in MBs. */
+       return size >> 10;
+@@ -1535,8 +1549,8 @@ static int __addr_mask_to_cs_size(u32 ad
+ static int umc_addr_mask_to_cs_size(struct amd64_pvt *pvt, u8 umc,
+                                   unsigned int cs_mode, int csrow_nr)
+ {
++      u32 addr_mask = 0, addr_mask_sec = 0;
+       int cs_mask_nr = csrow_nr;
+-      u32 addr_mask_orig;
+       int dimm, size = 0;
+       /* No Chip Selects are enabled. */
+@@ -1574,13 +1588,13 @@ static int umc_addr_mask_to_cs_size(stru
+       if (!pvt->flags.zn_regs_v2)
+               cs_mask_nr >>= 1;
+-      /* Asymmetric dual-rank DIMM support. */
+-      if ((csrow_nr & 1) && (cs_mode & CS_ODD_SECONDARY))
+-              addr_mask_orig = pvt->csels[umc].csmasks_sec[cs_mask_nr];
+-      else
+-              addr_mask_orig = pvt->csels[umc].csmasks[cs_mask_nr];
++      if (cs_mode & (CS_EVEN_PRIMARY | CS_ODD_PRIMARY))
++              addr_mask = pvt->csels[umc].csmasks[cs_mask_nr];
++
++      if (cs_mode & (CS_EVEN_SECONDARY | CS_ODD_SECONDARY))
++              addr_mask_sec = pvt->csels[umc].csmasks_sec[cs_mask_nr];
+-      return __addr_mask_to_cs_size(addr_mask_orig, cs_mode, csrow_nr, dimm);
++      return __addr_mask_to_cs_size(addr_mask, addr_mask_sec, cs_mode, csrow_nr, dimm);
+ }
+ static void umc_debug_display_dimm_sizes(struct amd64_pvt *pvt, u8 ctrl)
+@@ -3773,9 +3787,10 @@ static void gpu_get_err_info(struct mce
+ static int gpu_addr_mask_to_cs_size(struct amd64_pvt *pvt, u8 umc,
+                                   unsigned int cs_mode, int csrow_nr)
+ {
+-      u32 addr_mask_orig = pvt->csels[umc].csmasks[csrow_nr];
++      u32 addr_mask           = pvt->csels[umc].csmasks[csrow_nr];
++      u32 addr_mask_sec       = pvt->csels[umc].csmasks_sec[csrow_nr];
+-      return __addr_mask_to_cs_size(addr_mask_orig, cs_mode, csrow_nr, csrow_nr >> 1);
++      return __addr_mask_to_cs_size(addr_mask, addr_mask_sec, cs_mode, csrow_nr, csrow_nr >> 1);
+ }
+ static void gpu_debug_display_dimm_sizes(struct amd64_pvt *pvt, u8 ctrl)
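Review bot: `gpu_addr_mask_to_cs_size()` now reads `csmasks_sec[csrow_nr]` and adds its size unconditionally, whereas `umc_addr_mask_to_cs_size()` loads the secondary mask only when `cs_mode` carries `CS_EVEN_SECONDARY` or `CS_ODD_SECONDARY`. `calculate_cs_size()` returns 0 for a zero mask, so the GPU path is correct only if `csmasks_sec` is guaranteed to be zero or valid on GPU nodes. That initialisation is outside these hunks and should be confirmed, because a stale value would inflate the reported size. If the guarantee holds, record it with a comment such as `/* csmasks_sec is zero on GPU nodes unless a secondary mask is programmed */`; if it does not, gate the read on `cs_mode` as the UMC path does.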
diff --git a/queue-6.6/hid-lenovo-restrict-f7-9-11-mode-to-compact-keyboards-only.patch b/queue-6.6/hid-lenovo-restrict-f7-9-11-mode-to-compact-keyboards-only.patch
new file mode 100644 (file)
index 0000000..b3a672d
--- /dev/null
@@ -0,0 +1,49 @@
+From 9327e3ee5b077c4ab4495a09b67624f670ed88b6 Mon Sep 17 00:00:00 2001
+From: Iusico Maxim <iusico.maxim@libero.it>
+Date: Thu, 5 Jun 2025 19:55:50 +0200
+Subject: HID: lenovo: Restrict F7/9/11 mode to compact keyboards only
+
+From: Iusico Maxim <iusico.maxim@libero.it>
+
+commit 9327e3ee5b077c4ab4495a09b67624f670ed88b6 upstream.
+
+Commit 2f2bd7cbd1d1 ("hid: lenovo: Resend all settings on reset_resume
+for compact keyboards") introduced a regression for ThinkPad TrackPoint
+Keyboard II by removing the conditional check for enabling F7/9/11 mode
+needed for compact keyboards only. As a result, the non-compact
+keyboards can no longer toggle Fn-lock via Fn+Esc, although it can be
+controlled via sysfs knob that directly sends raw commands.
+
+This patch restores the previous conditional check without any
+additions.
+
+Cc: stable@vger.kernel.org
+Fixes: 2f2bd7cbd1d1 ("hid: lenovo: Resend all settings on reset_resume for compact keyboards")
+Signed-off-by: Iusico Maxim <iusico.maxim@libero.it>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-lenovo.c |   11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/hid/hid-lenovo.c
++++ b/drivers/hid/hid-lenovo.c
+@@ -529,11 +529,14 @@ static void lenovo_features_set_cptkbd(s
+       /*
+        * Tell the keyboard a driver understands it, and turn F7, F9, F11 into
+-       * regular keys
++       * regular keys (Compact only)
+        */
+-      ret = lenovo_send_cmd_cptkbd(hdev, 0x01, 0x03);
+-      if (ret)
+-              hid_warn(hdev, "Failed to switch F7/9/11 mode: %d\n", ret);
++      if (hdev->product == USB_DEVICE_ID_LENOVO_CUSBKBD ||
++          hdev->product == USB_DEVICE_ID_LENOVO_CBTKBD) {
++              ret = lenovo_send_cmd_cptkbd(hdev, 0x01, 0x03);
++              if (ret)
++                      hid_warn(hdev, "Failed to switch F7/9/11 mode: %d\n", ret);
++      }
+       /* Switch middle button to native mode */
+       ret = lenovo_send_cmd_cptkbd(hdev, 0x09, 0x01);
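Review bot: The restored guard in `lenovo_features_set_cptkbd()` spells out the two compact product IDs inline, and the commit message says the regression came from this same check being dropped in an earlier change. A named predicate would make the intent harder to lose, for instance a new helper (the name `lenovo_is_compact_kbd(hdev)` is only a suggestion) wrapping `hdev->product == USB_DEVICE_ID_LENOVO_CUSBKBD || hdev->product == USB_DEVICE_ID_LENOVO_CBTKBD`. If the driver already has an equivalent outside this hunk, use that instead. The function continues beyond the hunk, so other commands there that are compact-only cannot be checked from here.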
diff --git a/queue-6.6/hid-wacom-fix-kobject-reference-count-leak.patch b/queue-6.6/hid-wacom-fix-kobject-reference-count-leak.patch
new file mode 100644 (file)
index 0000000..9b560a7
--- /dev/null
@@ -0,0 +1,37 @@
+From 85a720f4337f0ddf1603c8b75a8f1ffbbe022ef9 Mon Sep 17 00:00:00 2001
+From: Qasim Ijaz <qasdev00@gmail.com>
+Date: Fri, 6 Jun 2025 19:49:59 +0100
+Subject: HID: wacom: fix kobject reference count leak
+
+From: Qasim Ijaz <qasdev00@gmail.com>
+
+commit 85a720f4337f0ddf1603c8b75a8f1ffbbe022ef9 upstream.
+
+When sysfs_create_files() fails in wacom_initialize_remotes() the error
+is returned and the cleanup action will not have been registered yet.
+
+As a result the kobject???s refcount is never dropped, so the
+kobject can never be freed leading to a reference leak.
+
+Fix this by calling kobject_put() before returning.
+
+Fixes: 83e6b40e2de6 ("HID: wacom: EKR: have the wacom resources dynamically allocated")
+Acked-by: Ping Cheng <ping.cheng@wacom.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/wacom_sys.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/hid/wacom_sys.c
++++ b/drivers/hid/wacom_sys.c
+@@ -2023,6 +2023,7 @@ static int wacom_initialize_remotes(stru
+               hid_err(wacom->hdev,
+                       "cannot create sysfs group err: %d\n", error);
+               kfifo_free(&remote->remote_fifo);
++              kobject_put(remote->remote_dir);
+               return error;
+       }
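Review bot: After the added `kobject_put(remote->remote_dir);` the field still holds the old pointer, so any later path that reaches `remote->remote_dir` would touch a kobject whose last reference may already be gone. The commit message says the devm cleanup action is not yet registered at this point, which limits the exposure. If `remote` stays reachable through `wacom` (not visible in the hunk), clearing the field right after the put is cheap: `remote->remote_dir = NULL;`. The body of `wacom_initialize_remotes()` begins and ends outside this hunk.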
diff --git a/queue-6.6/hid-wacom-fix-memory-leak-on-kobject-creation-failure.patch b/queue-6.6/hid-wacom-fix-memory-leak-on-kobject-creation-failure.patch
new file mode 100644 (file)
index 0000000..af6558d
--- /dev/null
@@ -0,0 +1,44 @@
+From 5ae416c5b1e2e816aee7b3fc8347adf70afabb4c Mon Sep 17 00:00:00 2001
+From: Qasim Ijaz <qasdev00@gmail.com>
+Date: Fri, 6 Jun 2025 19:49:57 +0100
+Subject: HID: wacom: fix memory leak on kobject creation failure
+
+From: Qasim Ijaz <qasdev00@gmail.com>
+
+commit 5ae416c5b1e2e816aee7b3fc8347adf70afabb4c upstream.
+
+During wacom_initialize_remotes() a fifo buffer is allocated
+with kfifo_alloc() and later a cleanup action is registered
+during devm_add_action_or_reset() to clean it up.
+
+However if the code fails to create a kobject and register it
+with sysfs the code simply returns -ENOMEM before the cleanup
+action is registered leading to a memory leak.
+
+Fix this by ensuring the fifo is freed when the kobject creation
+and registration process fails.
+
+Fixes: 83e6b40e2de6 ("HID: wacom: EKR: have the wacom resources dynamically allocated")
+Reviewed-by: Ping Cheng <ping.cheng@wacom.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/wacom_sys.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/wacom_sys.c
++++ b/drivers/hid/wacom_sys.c
+@@ -2012,8 +2012,10 @@ static int wacom_initialize_remotes(stru
+       remote->remote_dir = kobject_create_and_add("wacom_remote",
+                                                   &wacom->hdev->dev.kobj);
+-      if (!remote->remote_dir)
++      if (!remote->remote_dir) {
++              kfifo_free(&remote->remote_fifo);
+               return -ENOMEM;
++      }
+       error = sysfs_create_files(remote->remote_dir, remote_unpair_attrs);
diff --git a/queue-6.6/hid-wacom-fix-memory-leak-on-sysfs-attribute-creation-failure.patch b/queue-6.6/hid-wacom-fix-memory-leak-on-sysfs-attribute-creation-failure.patch
new file mode 100644 (file)
index 0000000..0fe1437
--- /dev/null
@@ -0,0 +1,34 @@
+From 1a19ae437ca5d5c7d9ec2678946fb339b1c706bf Mon Sep 17 00:00:00 2001
+From: Qasim Ijaz <qasdev00@gmail.com>
+Date: Fri, 6 Jun 2025 19:49:58 +0100
+Subject: HID: wacom: fix memory leak on sysfs attribute creation failure
+
+From: Qasim Ijaz <qasdev00@gmail.com>
+
+commit 1a19ae437ca5d5c7d9ec2678946fb339b1c706bf upstream.
+
+When sysfs_create_files() fails during wacom_initialize_remotes() the
+fifo buffer is not freed leading to a memory leak.
+
+Fix this by calling kfifo_free() before returning.
+
+Fixes: 83e6b40e2de6 ("HID: wacom: EKR: have the wacom resources dynamically allocated")
+Reviewed-by: Ping Cheng <ping.cheng@wacom.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/wacom_sys.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/hid/wacom_sys.c
++++ b/drivers/hid/wacom_sys.c
+@@ -2022,6 +2022,7 @@ static int wacom_initialize_remotes(stru
+       if (error) {
+               hid_err(wacom->hdev,
+                       "cannot create sysfs group err: %d\n", error);
++              kfifo_free(&remote->remote_fifo);
+               return error;
+       }
diff --git a/queue-6.6/net-libwx-fix-the-creation-of-page_pool.patch b/queue-6.6/net-libwx-fix-the-creation-of-page_pool.patch
new file mode 100644 (file)
index 0000000..fa9d9cf
--- /dev/null
@@ -0,0 +1,41 @@
+From 85720e04d9af0b77f8092b12a06661a8d459d4a0 Mon Sep 17 00:00:00 2001
+From: Jiawen Wu <jiawenwu@trustnetic.com>
+Date: Wed, 25 Jun 2025 10:39:24 +0800
+Subject: net: libwx: fix the creation of page_pool
+
+From: Jiawen Wu <jiawenwu@trustnetic.com>
+
+commit 85720e04d9af0b77f8092b12a06661a8d459d4a0 upstream.
+
+'rx_ring->size' means the count of ring descriptors multiplied by the
+size of one descriptor. When increasing the count of ring descriptors,
+it may exceed the limit of pool size.
+
+[ 864.209610] page_pool_create_percpu() gave up with errno -7
+[ 864.209613] txgbe 0000:11:00.0: Page pool creation failed: -7
+
+Fix to set the pool_size to the count of ring descriptors.
+
+Fixes: 850b971110b2 ("net: libwx: Allocate Rx and Tx resources")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Mina Almasry <almasrymina@google.com>
+Link: https://patch.msgid.link/434C72BFB40E350A+20250625023924.21821-1-jiawenwu@trustnetic.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/wangxun/libwx/wx_lib.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/wangxun/libwx/wx_lib.c
++++ b/drivers/net/ethernet/wangxun/libwx/wx_lib.c
+@@ -2368,7 +2368,7 @@ static int wx_alloc_page_pool(struct wx_
+       struct page_pool_params pp_params = {
+               .flags = PP_FLAG_DMA_MAP | PP_FLAG_DMA_SYNC_DEV,
+               .order = 0,
+-              .pool_size = rx_ring->size,
++              .pool_size = rx_ring->count,
+               .nid = dev_to_node(rx_ring->dev),
+               .dev = rx_ring->dev,
+               .dma_dir = DMA_FROM_DEVICE,
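Review bot: Nothing at `.pool_size = rx_ring->count` records why the descriptor count rather than `rx_ring->size` is the right unit, and the two field names are easy to confuse again. A one-line comment above the field would document it, e.g. `/* pool_size counts entries, not bytes: use the descriptor count */`. The hunk does not show whether `rx_ring->count` is bounded below the page_pool size limit, so a large ring setting could presumably still hit the error quoted in the commit message; that is worth confirming against the driver's ring-size validation. wx_alloc_page_pool() continues outside the hunk.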
diff --git a/queue-6.6/scsi-megaraid_sas-fix-invalid-node-index.patch b/queue-6.6/scsi-megaraid_sas-fix-invalid-node-index.patch
new file mode 100644 (file)
index 0000000..7473146
--- /dev/null
@@ -0,0 +1,66 @@
+From 752eb816b55adb0673727ba0ed96609a17895654 Mon Sep 17 00:00:00 2001
+From: Chen Yu <yu.c.chen@intel.com>
+Date: Wed, 4 Jun 2025 12:25:56 +0800
+Subject: scsi: megaraid_sas: Fix invalid node index
+
+From: Chen Yu <yu.c.chen@intel.com>
+
+commit 752eb816b55adb0673727ba0ed96609a17895654 upstream.
+
+On a system with DRAM interleave enabled, out-of-bound access is
+detected:
+
+megaraid_sas 0000:3f:00.0: requested/available msix 128/128 poll_queue 0
+------------[ cut here ]------------
+UBSAN: array-index-out-of-bounds in ./arch/x86/include/asm/topology.h:72:28
+index -1 is out of range for type 'cpumask *[1024]'
+dump_stack_lvl+0x5d/0x80
+ubsan_epilogue+0x5/0x2b
+__ubsan_handle_out_of_bounds.cold+0x46/0x4b
+megasas_alloc_irq_vectors+0x149/0x190 [megaraid_sas]
+megasas_probe_one.cold+0xa4d/0x189c [megaraid_sas]
+local_pci_probe+0x42/0x90
+pci_device_probe+0xdc/0x290
+really_probe+0xdb/0x340
+__driver_probe_device+0x78/0x110
+driver_probe_device+0x1f/0xa0
+__driver_attach+0xba/0x1c0
+bus_for_each_dev+0x8b/0xe0
+bus_add_driver+0x142/0x220
+driver_register+0x72/0xd0
+megasas_init+0xdf/0xff0 [megaraid_sas]
+do_one_initcall+0x57/0x310
+do_init_module+0x90/0x250
+init_module_from_file+0x85/0xc0
+idempotent_init_module+0x114/0x310
+__x64_sys_finit_module+0x65/0xc0
+do_syscall_64+0x82/0x170
+entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+Fix it accordingly.
+
+Signed-off-by: Chen Yu <yu.c.chen@intel.com>
+Link: https://lore.kernel.org/r/20250604042556.3731059-1-yu.c.chen@intel.com
+Fixes: 8049da6f3943 ("scsi: megaraid_sas: Use irq_set_affinity_and_hint()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/megaraid/megaraid_sas_base.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/megaraid/megaraid_sas_base.c
++++ b/drivers/scsi/megaraid/megaraid_sas_base.c
+@@ -5908,7 +5908,11 @@ megasas_set_high_iops_queue_affinity_and
+       const struct cpumask *mask;
+       if (instance->perf_mode == MR_BALANCED_PERF_MODE) {
+-              mask = cpumask_of_node(dev_to_node(&instance->pdev->dev));
++              int nid = dev_to_node(&instance->pdev->dev);
++
++              if (nid == NUMA_NO_NODE)
++                      nid = 0;
++              mask = cpumask_of_node(nid);
+               for (i = 0; i < instance->low_latency_index_start; i++) {
+                       irq = pci_irq_vector(instance->pdev, i);
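Review bot: The fallback `nid = 0` has no comment explaining that `dev_to_node()` can return `NUMA_NO_NODE`, or that passing it to `cpumask_of_node()` is what produced the `index -1` out-of-bounds access in the UBSAN report. I would add `/* dev_to_node() may return NUMA_NO_NODE (-1); cpumask_of_node() must not be called with it */` above the check. The choice of node 0 is also silent: the hunk does not show whether node 0 is guaranteed to have online CPUs on every platform this driver runs on, so that assumption should be stated or confirmed. The function starts and ends outside the hunk, and any other `cpumask_of_node(dev_to_node(...))` call in the driver would need the same guard.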
diff --git a/queue-6.6/serial-imx-restore-original-rxtl-for-console-to-fix-data-loss.patch b/queue-6.6/serial-imx-restore-original-rxtl-for-console-to-fix-data-loss.patch
new file mode 100644 (file)
index 0000000..0b9e566
--- /dev/null
@@ -0,0 +1,107 @@
+From f23c52aafb1675ab1d1f46914556d8e29cbbf7b3 Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <festevam@gmail.com>
+Date: Thu, 19 Jun 2025 08:46:17 -0300
+Subject: serial: imx: Restore original RXTL for console to fix data loss
+
+From: Fabio Estevam <festevam@gmail.com>
+
+commit f23c52aafb1675ab1d1f46914556d8e29cbbf7b3 upstream.
+
+Commit 7a637784d517 ("serial: imx: reduce RX interrupt frequency")
+introduced a regression on the i.MX6UL EVK board. The issue can be
+reproduced with the following steps:
+
+- Open vi on the board.
+- Paste a text file (~150 characters).
+- Save the file, then repeat the process.
+- Compare the sha256sum of the saved files.
+
+The checksums do not match due to missing characters or entire lines.
+
+Fix this by restoring the RXTL value to 1 when the UART is used as a
+console.
+
+This ensures timely RX interrupts and reliable data reception in console
+mode.
+
+With this change, pasted content is saved correctly, and checksums are
+always consistent.
+
+Cc: stable <stable@kernel.org>
+Fixes: 7a637784d517 ("serial: imx: reduce RX interrupt frequency")
+Signed-off-by: Fabio Estevam <festevam@gmail.com>
+Reviewed-by: Stefan Wahren <wahrenst@gmx.net>
+Link: https://lore.kernel.org/r/20250619114617.2791939-1-festevam@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/imx.c |   17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+--- a/drivers/tty/serial/imx.c
++++ b/drivers/tty/serial/imx.c
+@@ -234,6 +234,7 @@ struct imx_port {
+       enum imx_tx_state       tx_state;
+       struct hrtimer          trigger_start_tx;
+       struct hrtimer          trigger_stop_tx;
++      unsigned int            rxtl;
+ };
+ struct imx_port_ucrs {
+@@ -1337,6 +1338,7 @@ static void imx_uart_clear_rx_errors(str
+ #define TXTL_DEFAULT 8
+ #define RXTL_DEFAULT 8 /* 8 characters or aging timer */
++#define RXTL_CONSOLE_DEFAULT 1
+ #define TXTL_DMA 8 /* DMA burst setting */
+ #define RXTL_DMA 9 /* DMA burst setting */
+@@ -1449,7 +1451,7 @@ static void imx_uart_disable_dma(struct
+       ucr1 &= ~(UCR1_RXDMAEN | UCR1_TXDMAEN | UCR1_ATDMAEN);
+       imx_uart_writel(sport, ucr1, UCR1);
+-      imx_uart_setup_ufcr(sport, TXTL_DEFAULT, RXTL_DEFAULT);
++      imx_uart_setup_ufcr(sport, TXTL_DEFAULT, sport->rxtl);
+       sport->dma_is_enabled = 0;
+ }
+@@ -1474,7 +1476,12 @@ static int imx_uart_startup(struct uart_
+               return retval;
+       }
+-      imx_uart_setup_ufcr(sport, TXTL_DEFAULT, RXTL_DEFAULT);
++      if (uart_console(&sport->port))
++              sport->rxtl = RXTL_CONSOLE_DEFAULT;
++      else
++              sport->rxtl = RXTL_DEFAULT;
++
++      imx_uart_setup_ufcr(sport, TXTL_DEFAULT, sport->rxtl);
+       /* disable the DREN bit (Data Ready interrupt enable) before
+        * requesting IRQs
+@@ -1887,7 +1894,7 @@ static int imx_uart_poll_init(struct uar
+       if (retval)
+               clk_disable_unprepare(sport->clk_ipg);
+-      imx_uart_setup_ufcr(sport, TXTL_DEFAULT, RXTL_DEFAULT);
++      imx_uart_setup_ufcr(sport, TXTL_DEFAULT, sport->rxtl);
+       spin_lock_irqsave(&sport->port.lock, flags);
+@@ -1979,7 +1986,7 @@ static int imx_uart_rs485_config(struct
+               /* If the receiver trigger is 0, set it to a default value */
+               ufcr = imx_uart_readl(sport, UFCR);
+               if ((ufcr & UFCR_RXTL_MASK) == 0)
+-                      imx_uart_setup_ufcr(sport, TXTL_DEFAULT, RXTL_DEFAULT);
++                      imx_uart_setup_ufcr(sport, TXTL_DEFAULT, sport->rxtl);
+               imx_uart_start_rx(port);
+       }
+@@ -2164,7 +2171,7 @@ imx_uart_console_setup(struct console *c
+       else
+               imx_uart_console_get_options(sport, &baud, &parity, &bits);
+-      imx_uart_setup_ufcr(sport, TXTL_DEFAULT, RXTL_DEFAULT);
++      imx_uart_setup_ufcr(sport, TXTL_DEFAULT, sport->rxtl);
+       retval = uart_set_options(&sport->port, co, baud, parity, bits, flow);
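Review bot: `sport->rxtl` is assigned only in imx_uart_startup(), yet the new code reads it in imx_uart_console_setup(), imx_uart_poll_init(), imx_uart_rs485_config() and imx_uart_disable_dma(). If any of those runs before the first startup (console setup normally precedes the first open), the field presumably still holds its initial value, and in imx_uart_rs485_config() the branch meant to replace a zero receiver trigger with a default would write that initial value instead. Selecting the value before its first use would close this, e.g. `sport->rxtl = RXTL_CONSOLE_DEFAULT;` in imx_uart_console_setup() ahead of the imx_uart_setup_ufcr() call and `sport->rxtl = RXTL_DEFAULT;` where the port structure is initialised. The allocation of struct imx_port and the bodies of these functions lie outside the hunks, so the initial value should be confirmed there.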
index ae89079bf32e8191e9c1efee06e2dfafe3a4e177..d55a0cc93e7cf98d8c3f6c424b27eed4f52f9e72 100644 (file)
@@ -102,3 +102,25 @@ drm-i915-fix-build-error-some-more.patch
 drm-bridge-ti-sn65dsi86-make-use-of-debugfs_init-cal.patch
 drm-bridge-ti-sn65dsi86-add-hpd-for-displayport-conn.patch
 smb-client-fix-potential-deadlock-when-reconnecting-.patch
+edac-amd64-fix-size-calculation-for-non-power-of-two-dimms.patch
+staging-rtl8723bs-avoid-memset-in-aes_cipher-and-aes_decipher.patch
+dt-bindings-serial-8250-make-clocks-and-clock-frequency-exclusive.patch
+serial-imx-restore-original-rxtl-for-console-to-fix-data-loss.patch
+bluetooth-l2cap-fix-l2cap-mtu-negotiation.patch
+dm-raid-fix-variable-in-journal-device-check.patch
+btrfs-fix-a-race-between-renames-and-directory-logging.patch
+btrfs-update-superblock-s-device-bytes_used-when-dropping-chunk.patch
+net-libwx-fix-the-creation-of-page_pool.patch
+hid-lenovo-restrict-f7-9-11-mode-to-compact-keyboards-only.patch
+hid-wacom-fix-memory-leak-on-kobject-creation-failure.patch
+hid-wacom-fix-memory-leak-on-sysfs-attribute-creation-failure.patch
+hid-wacom-fix-kobject-reference-count-leak.patch
+scsi-megaraid_sas-fix-invalid-node-index.patch
+drm-ast-fix-comment-on-modeset-lock.patch
+drm-cirrus-qemu-fix-pitch-programming.patch
+drm-etnaviv-protect-the-scheduler-s-pending-list-with-its-lock.patch
+drm-tegra-assign-plane-type-before-registration.patch
+drm-tegra-fix-a-possible-null-pointer-dereference.patch
+drm-udl-unregister-device-before-cleaning-up-on-disconnect.patch
+drm-msm-gpu-fix-crash-when-throttling-gpu-immediately-during-boot.patch
+drm-amdkfd-fix-race-in-gws-queue-scheduling.patch
diff --git a/queue-6.6/staging-rtl8723bs-avoid-memset-in-aes_cipher-and-aes_decipher.patch b/queue-6.6/staging-rtl8723bs-avoid-memset-in-aes_cipher-and-aes_decipher.patch
new file mode 100644 (file)
index 0000000..3d88c48
--- /dev/null
@@ -0,0 +1,137 @@
+From a55bc4ffc06d8c965a7d6f0a01ed0ed41380df28 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Mon, 9 Jun 2025 14:13:14 -0700
+Subject: staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher()
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit a55bc4ffc06d8c965a7d6f0a01ed0ed41380df28 upstream.
+
+After commit 6f110a5e4f99 ("Disable SLUB_TINY for build testing"), which
+causes CONFIG_KASAN to be enabled in allmodconfig again, arm64
+allmodconfig builds with older versions of clang (15 through 17) show an
+instance of -Wframe-larger-than (which breaks the build with
+CONFIG_WERROR=y):
+
+  drivers/staging/rtl8723bs/core/rtw_security.c:1287:5: error: stack frame size (2208) exceeds limit (2048) in 'rtw_aes_decrypt' [-Werror,-Wframe-larger-than]
+   1287 | u32 rtw_aes_decrypt(struct adapter *padapter, u8 *precvframe)
+        |     ^
+
+This comes from aes_decipher() being inlined in rtw_aes_decrypt().
+Running the same build with CONFIG_FRAME_WARN=128 shows aes_cipher()
+also uses a decent amount of stack, just under the limit of 2048:
+
+  drivers/staging/rtl8723bs/core/rtw_security.c:864:19: warning: stack frame size (1952) exceeds limit (128) in 'aes_cipher' [-Wframe-larger-than]
+    864 | static signed int aes_cipher(u8 *key, uint      hdrlen,
+        |                   ^
+
+-Rpass-analysis=stack-frame-layout only shows one large structure on the
+stack, which is the ctx variable inlined from aes128k128d(). A good
+number of the other variables come from the additional checks of
+fortified string routines, which are present in memset(), which both
+aes_cipher() and aes_decipher() use to initialize some temporary
+buffers. In this case, since the size is known at compile time, these
+additional checks should not result in any code generation changes but
+allmodconfig has several sanitizers enabled, which may make it harder
+for the compiler to eliminate the compile time checks and the variables
+that come about from them.
+
+The memset() calls are just initializing these buffers to zero, so use
+'= {}' instead, which is used all over the kernel and does the exact
+same thing as memset() without the fortify checks, which drops the stack
+usage of these functions by a few hundred kilobytes.
+
+  drivers/staging/rtl8723bs/core/rtw_security.c:864:19: warning: stack frame size (1584) exceeds limit (128) in 'aes_cipher' [-Wframe-larger-than]
+    864 | static signed int aes_cipher(u8 *key, uint      hdrlen,
+        |                   ^
+  drivers/staging/rtl8723bs/core/rtw_security.c:1271:5: warning: stack frame size (1456) exceeds limit (128) in 'rtw_aes_decrypt' [-Wframe-larger-than]
+   1271 | u32 rtw_aes_decrypt(struct adapter *padapter, u8 *precvframe)
+        |     ^
+
+Cc: stable@vger.kernel.org
+Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/20250609-rtl8723bs-fix-clang-arm64-wflt-v1-1-e2accba43def@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8723bs/core/rtw_security.c |   44 ++++++++------------------
+ 1 file changed, 14 insertions(+), 30 deletions(-)
+
+--- a/drivers/staging/rtl8723bs/core/rtw_security.c
++++ b/drivers/staging/rtl8723bs/core/rtw_security.c
+@@ -869,29 +869,21 @@ static signed int aes_cipher(u8 *key, ui
+               num_blocks, payload_index;
+       u8 pn_vector[6];
+-      u8 mic_iv[16];
+-      u8 mic_header1[16];
+-      u8 mic_header2[16];
+-      u8 ctr_preload[16];
++      u8 mic_iv[16] = {};
++      u8 mic_header1[16] = {};
++      u8 mic_header2[16] = {};
++      u8 ctr_preload[16] = {};
+       /* Intermediate Buffers */
+-      u8 chain_buffer[16];
+-      u8 aes_out[16];
+-      u8 padded_buffer[16];
++      u8 chain_buffer[16] = {};
++      u8 aes_out[16] = {};
++      u8 padded_buffer[16] = {};
+       u8 mic[8];
+       uint    frtype  = GetFrameType(pframe);
+       uint    frsubtype  = GetFrameSubType(pframe);
+       frsubtype = frsubtype>>4;
+-      memset((void *)mic_iv, 0, 16);
+-      memset((void *)mic_header1, 0, 16);
+-      memset((void *)mic_header2, 0, 16);
+-      memset((void *)ctr_preload, 0, 16);
+-      memset((void *)chain_buffer, 0, 16);
+-      memset((void *)aes_out, 0, 16);
+-      memset((void *)padded_buffer, 0, 16);
+-
+       if ((hdrlen == WLAN_HDR_A3_LEN) || (hdrlen ==  WLAN_HDR_A3_QOS_LEN))
+               a4_exists = 0;
+       else
+@@ -1081,15 +1073,15 @@ static signed int aes_decipher(u8 *key,
+                       num_blocks, payload_index;
+       signed int res = _SUCCESS;
+       u8 pn_vector[6];
+-      u8 mic_iv[16];
+-      u8 mic_header1[16];
+-      u8 mic_header2[16];
+-      u8 ctr_preload[16];
++      u8 mic_iv[16] = {};
++      u8 mic_header1[16] = {};
++      u8 mic_header2[16] = {};
++      u8 ctr_preload[16] = {};
+               /* Intermediate Buffers */
+-      u8 chain_buffer[16];
+-      u8 aes_out[16];
+-      u8 padded_buffer[16];
++      u8 chain_buffer[16] = {};
++      u8 aes_out[16] = {};
++      u8 padded_buffer[16] = {};
+       u8 mic[8];
+       uint frtype  = GetFrameType(pframe);
+@@ -1097,14 +1089,6 @@ static signed int aes_decipher(u8 *key,
+       frsubtype = frsubtype>>4;
+-      memset((void *)mic_iv, 0, 16);
+-      memset((void *)mic_header1, 0, 16);
+-      memset((void *)mic_header2, 0, 16);
+-      memset((void *)ctr_preload, 0, 16);
+-      memset((void *)chain_buffer, 0, 16);
+-      memset((void *)aes_out, 0, 16);
+-      memset((void *)padded_buffer, 0, 16);
+-
+       /* start to decrypt the payload */
+       num_blocks = (plen-8) / 16; /* plen including LLC, payload_length and mic) */