6.7-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 4 Mar 2024 06:57:50 +0000 (07:57 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 4 Mar 2024 06:57:50 +0000 (07:57 +0100)
added patches:
btrfs-dev-replace-properly-validate-device-names.patch
btrfs-fix-double-free-of-anonymous-device-after-snapshot-creation-failure.patch
btrfs-send-don-t-issue-unnecessary-zero-writes-for-trailing-hole.patch
ceph-switch-to-corrected-encoding-of-max_xattr_size-in-mdsmap.patch
crypto-arm64-neonbs-fix-out-of-bounds-access-on-short-input.patch
dmaengine-fsl-edma-correct-calculation-of-nbytes-in-multi-fifo-scenario.patch
dmaengine-fsl-qdma-fix-soc-may-hang-on-16-byte-unaligned-read.patch
dmaengine-fsl-qdma-init-irq-after-reg-initialization.patch
dmaengine-ptdma-use-consistent-dma-masks.patch
drm-amd-display-add-monitor-patch-for-specific-edp.patch
drm-amdgpu-pm-fix-the-power1_min_cap-value.patch
drm-buddy-fix-range-bias.patch
gtp-fix-use-after-free-and-null-ptr-deref-in-gtp_newlink.patch
landlock-fix-asymmetric-private-inodes-referring.patch
mm-cachestat-fix-folio-read-after-free-in-cache-walk.patch
mmc-core-fix-emmc-initialization-with-1-bit-bus-connection.patch
mmc-mmci-stm32-fix-dma-api-overlapping-mappings-warning.patch
mmc-sdhci-xenon-add-timeout-for-phy-init-complete.patch
mmc-sdhci-xenon-fix-phy-init-clock-stability.patch
mtd-rawnand-marvell-fix-layouts.patch
revert-drm-amd-pm-resolve-reboot-exception-for-si-oland.patch
soc-qcom-pmic_glink-fix-boot-when-qrtr-m.patch
wifi-nl80211-reject-iftype-change-with-mesh-id-change.patch

24 files changed:
queue-6.7/btrfs-dev-replace-properly-validate-device-names.patch [new file with mode: 0644]
queue-6.7/btrfs-fix-double-free-of-anonymous-device-after-snapshot-creation-failure.patch [new file with mode: 0644]
queue-6.7/btrfs-send-don-t-issue-unnecessary-zero-writes-for-trailing-hole.patch [new file with mode: 0644]
queue-6.7/ceph-switch-to-corrected-encoding-of-max_xattr_size-in-mdsmap.patch [new file with mode: 0644]
queue-6.7/crypto-arm64-neonbs-fix-out-of-bounds-access-on-short-input.patch [new file with mode: 0644]
queue-6.7/dmaengine-fsl-edma-correct-calculation-of-nbytes-in-multi-fifo-scenario.patch [new file with mode: 0644]
queue-6.7/dmaengine-fsl-qdma-fix-soc-may-hang-on-16-byte-unaligned-read.patch [new file with mode: 0644]
queue-6.7/dmaengine-fsl-qdma-init-irq-after-reg-initialization.patch [new file with mode: 0644]
queue-6.7/dmaengine-ptdma-use-consistent-dma-masks.patch [new file with mode: 0644]
queue-6.7/drm-amd-display-add-monitor-patch-for-specific-edp.patch [new file with mode: 0644]
queue-6.7/drm-amdgpu-pm-fix-the-power1_min_cap-value.patch [new file with mode: 0644]
queue-6.7/drm-buddy-fix-range-bias.patch [new file with mode: 0644]
queue-6.7/gtp-fix-use-after-free-and-null-ptr-deref-in-gtp_newlink.patch [new file with mode: 0644]
queue-6.7/landlock-fix-asymmetric-private-inodes-referring.patch [new file with mode: 0644]
queue-6.7/mm-cachestat-fix-folio-read-after-free-in-cache-walk.patch [new file with mode: 0644]
queue-6.7/mmc-core-fix-emmc-initialization-with-1-bit-bus-connection.patch [new file with mode: 0644]
queue-6.7/mmc-mmci-stm32-fix-dma-api-overlapping-mappings-warning.patch [new file with mode: 0644]
queue-6.7/mmc-sdhci-xenon-add-timeout-for-phy-init-complete.patch [new file with mode: 0644]
queue-6.7/mmc-sdhci-xenon-fix-phy-init-clock-stability.patch [new file with mode: 0644]
queue-6.7/mtd-rawnand-marvell-fix-layouts.patch [new file with mode: 0644]
queue-6.7/revert-drm-amd-pm-resolve-reboot-exception-for-si-oland.patch [new file with mode: 0644]
queue-6.7/series
queue-6.7/soc-qcom-pmic_glink-fix-boot-when-qrtr-m.patch [new file with mode: 0644]
queue-6.7/wifi-nl80211-reject-iftype-change-with-mesh-id-change.patch [new file with mode: 0644]

diff --git a/queue-6.7/btrfs-dev-replace-properly-validate-device-names.patch b/queue-6.7/btrfs-dev-replace-properly-validate-device-names.patch
new file mode 100644 (file)
index 0000000..d447d03
--- /dev/null
@@ -0,0 +1,72 @@
+From 9845664b9ee47ce7ee7ea93caf47d39a9d4552c4 Mon Sep 17 00:00:00 2001
+From: David Sterba <dsterba@suse.com>
+Date: Wed, 14 Feb 2024 16:19:24 +0100
+Subject: btrfs: dev-replace: properly validate device names
+
+From: David Sterba <dsterba@suse.com>
+
+commit 9845664b9ee47ce7ee7ea93caf47d39a9d4552c4 upstream.
+
+There's a syzbot report that device name buffers passed to device
+replace are not properly checked for string termination which could lead
+to a read out of bounds in getname_kernel().
+
+Add a helper that validates both source and target device name buffers.
+For devid as the source initialize the buffer to empty string in case
+something tries to read it later.
+
+This was originally analyzed and fixed in a different way by Edward Adam
+Davis (see links).
+
+Link: https://lore.kernel.org/linux-btrfs/000000000000d1a1d1060cc9c5e7@google.com/
+Link: https://lore.kernel.org/linux-btrfs/tencent_44CA0665C9836EF9EEC80CB9E7E206DF5206@qq.com/
+CC: stable@vger.kernel.org # 4.19+
+CC: Edward Adam Davis <eadavis@qq.com>
+Reported-and-tested-by: syzbot+33f23b49ac24f986c9e8@syzkaller.appspotmail.com
+Reviewed-by: Boris Burkov <boris@bur.io>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/dev-replace.c |   24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+--- a/fs/btrfs/dev-replace.c
++++ b/fs/btrfs/dev-replace.c
+@@ -727,6 +727,23 @@ leave:
+       return ret;
+ }
++static int btrfs_check_replace_dev_names(struct btrfs_ioctl_dev_replace_args *args)
++{
++      if (args->start.srcdevid == 0) {
++              if (memchr(args->start.srcdev_name, 0,
++                         sizeof(args->start.srcdev_name)) == NULL)
++                      return -ENAMETOOLONG;
++      } else {
++              args->start.srcdev_name[0] = 0;
++      }
++
++      if (memchr(args->start.tgtdev_name, 0,
++                 sizeof(args->start.tgtdev_name)) == NULL)
++          return -ENAMETOOLONG;
++
++      return 0;
++}
++
+ int btrfs_dev_replace_by_ioctl(struct btrfs_fs_info *fs_info,
+                           struct btrfs_ioctl_dev_replace_args *args)
+ {
+@@ -739,10 +756,9 @@ int btrfs_dev_replace_by_ioctl(struct bt
+       default:
+               return -EINVAL;
+       }
+-
+-      if ((args->start.srcdevid == 0 && args->start.srcdev_name[0] == '\0') ||
+-          args->start.tgtdev_name[0] == '\0')
+-              return -EINVAL;
++      ret = btrfs_check_replace_dev_names(args);
++      if (ret < 0)
++              return ret;
+       ret = btrfs_dev_replace_start(fs_info, args->start.tgtdev_name,
+                                       args->start.srcdevid,
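Review bot: The new helper `btrfs_check_replace_dev_names()` only checks for a NUL terminator, so the empty-name rejection in the removed lines (`srcdev_name[0] == '\0'` with `srcdevid == 0`, or `tgtdev_name[0] == '\0'`, both returning `-EINVAL`) is no longer performed in `btrfs_dev_replace_by_ioctl()`. Presumably an empty name now fails later inside `btrfs_dev_replace_start()`, possibly with a different errno; if the early `-EINVAL` is part of the ioctl contract, keep it after the termination check, e.g. `if (args->start.tgtdev_name[0] == '\0') return -EINVAL;`. The helper would also benefit from a short comment such as `/* Names come from the ioctl argument struct; reject a buffer with no NUL inside its fixed-size array. */`. The `return -ENAMETOOLONG;` under the second `memchr()` is indented with spaces where the rest of the helper uses tab-width indentation. The body of `btrfs_dev_replace_by_ioctl()` continues outside the hunk.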
diff --git a/queue-6.7/btrfs-fix-double-free-of-anonymous-device-after-snapshot-creation-failure.patch b/queue-6.7/btrfs-fix-double-free-of-anonymous-device-after-snapshot-creation-failure.patch
new file mode 100644 (file)
index 0000000..0392a51
--- /dev/null
@@ -0,0 +1,211 @@
+From e2b54eaf28df0c978626c9736b94f003b523b451 Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Fri, 23 Feb 2024 16:38:43 +0000
+Subject: btrfs: fix double free of anonymous device after snapshot creation failure
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit e2b54eaf28df0c978626c9736b94f003b523b451 upstream.
+
+When creating a snapshot we may do a double free of an anonymous device
+in case there's an error committing the transaction. The second free may
+result in freeing an anonymous device number that was allocated by some
+other subsystem in the kernel or another btrfs filesystem.
+
+The steps that lead to this:
+
+1) At ioctl.c:create_snapshot() we allocate an anonymous device number
+   and assign it to pending_snapshot->anon_dev;
+
+2) Then we call btrfs_commit_transaction() and end up at
+   transaction.c:create_pending_snapshot();
+
+3) There we call btrfs_get_new_fs_root() and pass it the anonymous device
+   number stored in pending_snapshot->anon_dev;
+
+4) btrfs_get_new_fs_root() frees that anonymous device number because
+   btrfs_lookup_fs_root() returned a root - someone else did a lookup
+   of the new root already, which could some task doing backref walking;
+
+5) After that some error happens in the transaction commit path, and at
+   ioctl.c:create_snapshot() we jump to the 'fail' label, and after
+   that we free again the same anonymous device number, which in the
+   meanwhile may have been reallocated somewhere else, because
+   pending_snapshot->anon_dev still has the same value as in step 1.
+
+Recently syzbot ran into this and reported the following trace:
+
+  ------------[ cut here ]------------
+  ida_free called for id=51 which is not allocated.
+  WARNING: CPU: 1 PID: 31038 at lib/idr.c:525 ida_free+0x370/0x420 lib/idr.c:525
+  Modules linked in:
+  CPU: 1 PID: 31038 Comm: syz-executor.2 Not tainted 6.8.0-rc4-syzkaller-00410-gc02197fc9076 #0
+  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
+  RIP: 0010:ida_free+0x370/0x420 lib/idr.c:525
+  Code: 10 42 80 3c 28 (...)
+  RSP: 0018:ffffc90015a67300 EFLAGS: 00010246
+  RAX: be5130472f5dd000 RBX: 0000000000000033 RCX: 0000000000040000
+  RDX: ffffc90009a7a000 RSI: 000000000003ffff RDI: 0000000000040000
+  RBP: ffffc90015a673f0 R08: ffffffff81577992 R09: 1ffff92002b4cdb4
+  R10: dffffc0000000000 R11: fffff52002b4cdb5 R12: 0000000000000246
+  R13: dffffc0000000000 R14: ffffffff8e256b80 R15: 0000000000000246
+  FS:  00007fca3f4b46c0(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
+  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+  CR2: 00007f167a17b978 CR3: 000000001ed26000 CR4: 0000000000350ef0
+  Call Trace:
+   <TASK>
+   btrfs_get_root_ref+0xa48/0xaf0 fs/btrfs/disk-io.c:1346
+   create_pending_snapshot+0xff2/0x2bc0 fs/btrfs/transaction.c:1837
+   create_pending_snapshots+0x195/0x1d0 fs/btrfs/transaction.c:1931
+   btrfs_commit_transaction+0xf1c/0x3740 fs/btrfs/transaction.c:2404
+   create_snapshot+0x507/0x880 fs/btrfs/ioctl.c:848
+   btrfs_mksubvol+0x5d0/0x750 fs/btrfs/ioctl.c:998
+   btrfs_mksnapshot+0xb5/0xf0 fs/btrfs/ioctl.c:1044
+   __btrfs_ioctl_snap_create+0x387/0x4b0 fs/btrfs/ioctl.c:1306
+   btrfs_ioctl_snap_create_v2+0x1ca/0x400 fs/btrfs/ioctl.c:1393
+   btrfs_ioctl+0xa74/0xd40
+   vfs_ioctl fs/ioctl.c:51 [inline]
+   __do_sys_ioctl fs/ioctl.c:871 [inline]
+   __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:857
+   do_syscall_64+0xfb/0x240
+   entry_SYSCALL_64_after_hwframe+0x6f/0x77
+  RIP: 0033:0x7fca3e67dda9
+  Code: 28 00 00 00 (...)
+  RSP: 002b:00007fca3f4b40c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+  RAX: ffffffffffffffda RBX: 00007fca3e7abf80 RCX: 00007fca3e67dda9
+  RDX: 00000000200005c0 RSI: 0000000050009417 RDI: 0000000000000003
+  RBP: 00007fca3e6ca47a R08: 0000000000000000 R09: 0000000000000000
+  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+  R13: 000000000000000b R14: 00007fca3e7abf80 R15: 00007fff6bf95658
+   </TASK>
+
+Where we get an explicit message where we attempt to free an anonymous
+device number that is not currently allocated. It happens in a different
+code path from the example below, at btrfs_get_root_ref(), so this change
+may not fix the case triggered by syzbot.
+
+To fix at least the code path from the example above, change
+btrfs_get_root_ref() and its callers to receive a dev_t pointer argument
+for the anonymous device number, so that in case it frees the number, it
+also resets it to 0, so that up in the call chain we don't attempt to do
+the double free.
+
+CC: stable@vger.kernel.org # 5.10+
+Link: https://lore.kernel.org/linux-btrfs/000000000000f673a1061202f630@google.com/
+Fixes: e03ee2fe873e ("btrfs: do not ASSERT() if the newly created subvolume already got read")
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/disk-io.c     |   22 +++++++++++-----------
+ fs/btrfs/disk-io.h     |    2 +-
+ fs/btrfs/ioctl.c       |    2 +-
+ fs/btrfs/transaction.c |    2 +-
+ 4 files changed, 14 insertions(+), 14 deletions(-)
+
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -1286,12 +1286,12 @@ void btrfs_free_fs_info(struct btrfs_fs_
+  *
+  * @objectid: root id
+  * @anon_dev: preallocated anonymous block device number for new roots,
+- *            pass 0 for new allocation.
++ *            pass NULL for a new allocation.
+  * @check_ref:        whether to check root item references, If true, return -ENOENT
+  *            for orphan roots
+  */
+ static struct btrfs_root *btrfs_get_root_ref(struct btrfs_fs_info *fs_info,
+-                                           u64 objectid, dev_t anon_dev,
++                                           u64 objectid, dev_t *anon_dev,
+                                            bool check_ref)
+ {
+       struct btrfs_root *root;
+@@ -1321,9 +1321,9 @@ again:
+                * that common but still possible.  In that case, we just need
+                * to free the anon_dev.
+                */
+-              if (unlikely(anon_dev)) {
+-                      free_anon_bdev(anon_dev);
+-                      anon_dev = 0;
++              if (unlikely(anon_dev && *anon_dev)) {
++                      free_anon_bdev(*anon_dev);
++                      *anon_dev = 0;
+               }
+               if (check_ref && btrfs_root_refs(&root->root_item) == 0) {
+@@ -1345,7 +1345,7 @@ again:
+               goto fail;
+       }
+-      ret = btrfs_init_fs_root(root, anon_dev);
++      ret = btrfs_init_fs_root(root, anon_dev ? *anon_dev : 0);
+       if (ret)
+               goto fail;
+@@ -1381,7 +1381,7 @@ fail:
+        * root's anon_dev to 0 to avoid a double free, once by btrfs_put_root()
+        * and once again by our caller.
+        */
+-      if (anon_dev)
++      if (anon_dev && *anon_dev)
+               root->anon_dev = 0;
+       btrfs_put_root(root);
+       return ERR_PTR(ret);
+@@ -1397,7 +1397,7 @@ fail:
+ struct btrfs_root *btrfs_get_fs_root(struct btrfs_fs_info *fs_info,
+                                    u64 objectid, bool check_ref)
+ {
+-      return btrfs_get_root_ref(fs_info, objectid, 0, check_ref);
++      return btrfs_get_root_ref(fs_info, objectid, NULL, check_ref);
+ }
+ /*
+@@ -1405,11 +1405,11 @@ struct btrfs_root *btrfs_get_fs_root(str
+  * the anonymous block device id
+  *
+  * @objectid: tree objectid
+- * @anon_dev: if zero, allocate a new anonymous block device or use the
+- *            parameter value
++ * @anon_dev: if NULL, allocate a new anonymous block device or use the
++ *            parameter value if not NULL
+  */
+ struct btrfs_root *btrfs_get_new_fs_root(struct btrfs_fs_info *fs_info,
+-                                       u64 objectid, dev_t anon_dev)
++                                       u64 objectid, dev_t *anon_dev)
+ {
+       return btrfs_get_root_ref(fs_info, objectid, anon_dev, true);
+ }
+--- a/fs/btrfs/disk-io.h
++++ b/fs/btrfs/disk-io.h
+@@ -64,7 +64,7 @@ void btrfs_free_fs_roots(struct btrfs_fs
+ struct btrfs_root *btrfs_get_fs_root(struct btrfs_fs_info *fs_info,
+                                    u64 objectid, bool check_ref);
+ struct btrfs_root *btrfs_get_new_fs_root(struct btrfs_fs_info *fs_info,
+-                                       u64 objectid, dev_t anon_dev);
++                                       u64 objectid, dev_t *anon_dev);
+ struct btrfs_root *btrfs_get_fs_root_commit_root(struct btrfs_fs_info *fs_info,
+                                                struct btrfs_path *path,
+                                                u64 objectid);
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -721,7 +721,7 @@ static noinline int create_subvol(struct
+       free_extent_buffer(leaf);
+       leaf = NULL;
+-      new_root = btrfs_get_new_fs_root(fs_info, objectid, anon_dev);
++      new_root = btrfs_get_new_fs_root(fs_info, objectid, &anon_dev);
+       if (IS_ERR(new_root)) {
+               ret = PTR_ERR(new_root);
+               btrfs_abort_transaction(trans, ret);
+--- a/fs/btrfs/transaction.c
++++ b/fs/btrfs/transaction.c
+@@ -1834,7 +1834,7 @@ static noinline int create_pending_snaps
+       }
+       key.offset = (u64)-1;
+-      pending->snap = btrfs_get_new_fs_root(fs_info, objectid, pending->anon_dev);
++      pending->snap = btrfs_get_new_fs_root(fs_info, objectid, &pending->anon_dev);
+       if (IS_ERR(pending->snap)) {
+               ret = PTR_ERR(pending->snap);
+               pending->snap = NULL;
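Review bot: The updated kerneldoc for `@anon_dev` on `btrfs_get_root_ref()` and `btrfs_get_new_fs_root()` says when to pass NULL but not the ownership rule this change introduces. When the root is already cached, the function calls `free_anon_bdev(*anon_dev)` and writes 0 back through the pointer. Callers in `create_subvol()` and `create_pending_snapshot()` now pass `&anon_dev` and `&pending->anon_dev`, so their error paths depend on that write-back to avoid the second free. I would state it in the comment, e.g. `@anon_dev: pointer to a preallocated anonymous device number, or NULL to allocate a new one; if this function frees the number it sets *anon_dev to 0 and the caller must not free it again`. The wording "if NULL, allocate a new anonymous block device or use the parameter value if not NULL" is also hard to parse and could be replaced by the same sentence. The callers' cleanup code is outside these hunks, so it is worth confirming that each of them tests the value for 0 before freeing.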
diff --git a/queue-6.7/btrfs-send-don-t-issue-unnecessary-zero-writes-for-trailing-hole.patch b/queue-6.7/btrfs-send-don-t-issue-unnecessary-zero-writes-for-trailing-hole.patch
new file mode 100644 (file)
index 0000000..fc80735
--- /dev/null
@@ -0,0 +1,156 @@
+From 5897710b28cabab04ea6c7547f27b7989de646ae Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Fri, 16 Feb 2024 22:17:10 +0000
+Subject: btrfs: send: don't issue unnecessary zero writes for trailing hole
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 5897710b28cabab04ea6c7547f27b7989de646ae upstream.
+
+If we have a sparse file with a trailing hole (from the last extent's end
+to i_size) and then create an extent in the file that ends before the
+file's i_size, then when doing an incremental send we will issue a write
+full of zeroes for the range that starts immediately after the new extent
+ends up to i_size. While this isn't incorrect because the file ends up
+with exactly the same data, it unnecessarily results in using extra space
+at the destination with one or more extents full of zeroes instead of
+having a hole. In same cases this results in using megabytes or even
+gigabytes of unnecessary space.
+
+Example, reproducer:
+
+   $ cat test.sh
+   #!/bin/bash
+
+   DEV=/dev/sdh
+   MNT=/mnt/sdh
+
+   mkfs.btrfs -f $DEV
+   mount $DEV $MNT
+
+   # Create 1G sparse file.
+   xfs_io -f -c "truncate 1G" $MNT/foobar
+
+   # Create base snapshot.
+   btrfs subvolume snapshot -r $MNT $MNT/mysnap1
+
+   # Create send stream (full send) for the base snapshot.
+   btrfs send -f /tmp/1.snap $MNT/mysnap1
+
+   # Now write one extent at the beginning of the file and one somewhere
+   # in the middle, leaving a gap between the end of this second extent
+   # and the file's size.
+   xfs_io -c "pwrite -S 0xab 0 128K" \
+          -c "pwrite -S 0xcd 512M 128K" \
+          $MNT/foobar
+
+   # Now create a second snapshot which is going to be used for an
+   # incremental send operation.
+   btrfs subvolume snapshot -r $MNT $MNT/mysnap2
+
+   # Create send stream (incremental send) for the second snapshot.
+   btrfs send -p $MNT/mysnap1 -f /tmp/2.snap $MNT/mysnap2
+
+   # Now recreate the filesystem by receiving both send streams and
+   # verify we get the same content that the original filesystem had
+   # and file foobar has only two extents with a size of 128K each.
+   umount $MNT
+   mkfs.btrfs -f $DEV
+   mount $DEV $MNT
+
+   btrfs receive -f /tmp/1.snap $MNT
+   btrfs receive -f /tmp/2.snap $MNT
+
+   echo -e "\nFile fiemap in the second snapshot:"
+   # Should have:
+   #
+   # 128K extent at file range [0, 128K[
+   # hole at file range [128K, 512M[
+   # 128K extent file range [512M, 512M + 128K[
+   # hole at file range [512M + 128K, 1G[
+   xfs_io -r -c "fiemap -v" $MNT/mysnap2/foobar
+
+   # File should be using 256K of data (two 128K extents).
+   echo -e "\nSpace used by the file: $(du -h $MNT/mysnap2/foobar | cut -f 1)"
+
+   umount $MNT
+
+Running the test, we can see with fiemap that we get an extent for the
+range [512M, 1G[, while in the source filesystem we have an extent for
+the range [512M, 512M + 128K[ and a hole for the rest of the file (the
+range [512M + 128K, 1G[):
+
+   $ ./test.sh
+   (...)
+   File fiemap in the second snapshot:
+   /mnt/sdh/mysnap2/foobar:
+    EXT: FILE-OFFSET        BLOCK-RANGE        TOTAL FLAGS
+      0: [0..255]:          26624..26879         256   0x0
+      1: [256..1048575]:    hole             1048320
+      2: [1048576..2097151]: 2156544..3205119 1048576   0x1
+
+   Space used by the file: 513M
+
+This happens because once we finish processing an inode, at
+finish_inode_if_needed(), we always issue a hole (write operations full
+of zeros) if there's a gap between the end of the last processed extent
+and the file's size, even if that range is already a hole in the parent
+snapshot. Fix this by issuing the hole only if the range is not already
+a hole.
+
+After this change, running the test above, we get the expected layout:
+
+   $ ./test.sh
+   (...)
+   File fiemap in the second snapshot:
+   /mnt/sdh/mysnap2/foobar:
+    EXT: FILE-OFFSET        BLOCK-RANGE      TOTAL FLAGS
+      0: [0..255]:          26624..26879       256   0x0
+      1: [256..1048575]:    hole             1048320
+      2: [1048576..1048831]: 26880..27135       256   0x1
+      3: [1048832..2097151]: hole             1048320
+
+   Space used by the file: 256K
+
+A test case for fstests will follow soon.
+
+CC: stable@vger.kernel.org # 6.1+
+Reported-by: Dorai Ashok S A <dash.btrfs@inix.me>
+Link: https://lore.kernel.org/linux-btrfs/c0bf7818-9c45-46a8-b3d3-513230d0c86e@inix.me/
+Reviewed-by: Sweet Tea Dorminy <sweettea-kernel@dorminy.me>
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/send.c |   17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+--- a/fs/btrfs/send.c
++++ b/fs/btrfs/send.c
+@@ -6705,11 +6705,20 @@ static int finish_inode_if_needed(struct
+                               if (ret)
+                                       goto out;
+                       }
+-                      if (sctx->cur_inode_last_extent <
+-                          sctx->cur_inode_size) {
+-                              ret = send_hole(sctx, sctx->cur_inode_size);
+-                              if (ret)
++                      if (sctx->cur_inode_last_extent < sctx->cur_inode_size) {
++                              ret = range_is_hole_in_parent(sctx,
++                                                    sctx->cur_inode_last_extent,
++                                                    sctx->cur_inode_size);
++                              if (ret < 0) {
+                                       goto out;
++                              } else if (ret == 0) {
++                                      ret = send_hole(sctx, sctx->cur_inode_size);
++                                      if (ret < 0)
++                                              goto out;
++                              } else {
++                                      /* Range is already a hole, skip. */
++                                      ret = 0;
++                              }
+                       }
+               }
+               if (need_truncate) {
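Review bot: The call site in `finish_inode_if_needed()` relies on a three-way return from `range_is_hole_in_parent()` (negative for an error, 0 for not a hole, positive for a hole), but only the last branch carries a comment. A comment above the call, e.g. `/* < 0: error, 0: not a hole in the parent, > 0: already a hole */`, would make it clear why `ret` has to be reset to 0 in the final `else` instead of leaking a positive value to the code that follows. The `else` after `goto out;` is also unnecessary and the chain could be flattened. The function starts and ends outside the hunk.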
diff --git a/queue-6.7/ceph-switch-to-corrected-encoding-of-max_xattr_size-in-mdsmap.patch b/queue-6.7/ceph-switch-to-corrected-encoding-of-max_xattr_size-in-mdsmap.patch
new file mode 100644 (file)
index 0000000..60f1b84
--- /dev/null
@@ -0,0 +1,71 @@
+From 51d31149a88b5c5a8d2d33f06df93f6187a25b4c Mon Sep 17 00:00:00 2001
+From: Xiubo Li <xiubli@redhat.com>
+Date: Mon, 19 Feb 2024 13:14:32 +0800
+Subject: ceph: switch to corrected encoding of max_xattr_size in mdsmap
+
+From: Xiubo Li <xiubli@redhat.com>
+
+commit 51d31149a88b5c5a8d2d33f06df93f6187a25b4c upstream.
+
+The addition of bal_rank_mask with encoding version 17 was merged
+into ceph.git in Oct 2022 and made it into v18.2.0 release normally.
+A few months later, the much delayed addition of max_xattr_size got
+merged, also with encoding version 17, placed before bal_rank_mask
+in the encoding -- but it didn't make v18.2.0 release.
+
+The way this ended up being resolved on the MDS side is that
+bal_rank_mask will continue to be encoded in version 17 while
+max_xattr_size is now encoded in version 18.  This does mean that
+older kernels will misdecode version 17, but this is also true for
+v18.2.0 and v18.2.1 clients in userspace.
+
+The best we can do is backport this adjustment -- see ceph.git
+commit 78abfeaff27fee343fb664db633de5b221699a73 for details.
+
+[ idryomov: changelog ]
+
+Cc: stable@vger.kernel.org
+Link: https://tracker.ceph.com/issues/64440
+Fixes: d93231a6bc8a ("ceph: prevent a client from exceeding the MDS maximum xattr size")
+Signed-off-by: Xiubo Li <xiubli@redhat.com>
+Reviewed-by: Patrick Donnelly <pdonnell@ibm.com>
+Reviewed-by: Venky Shankar <vshankar@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ceph/mdsmap.c |    7 ++++---
+ fs/ceph/mdsmap.h |    6 +++++-
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+--- a/fs/ceph/mdsmap.c
++++ b/fs/ceph/mdsmap.c
+@@ -380,10 +380,11 @@ struct ceph_mdsmap *ceph_mdsmap_decode(s
+               ceph_decode_skip_8(p, end, bad_ext);
+               /* required_client_features */
+               ceph_decode_skip_set(p, end, 64, bad_ext);
++              /* bal_rank_mask */
++              ceph_decode_skip_string(p, end, bad_ext);
++      }
++      if (mdsmap_ev >= 18) {
+               ceph_decode_64_safe(p, end, m->m_max_xattr_size, bad_ext);
+-      } else {
+-              /* This forces the usage of the (sync) SETXATTR Op */
+-              m->m_max_xattr_size = 0;
+       }
+ bad_ext:
+       doutc(cl, "m_enabled: %d, m_damaged: %d, m_num_laggy: %d\n",
+--- a/fs/ceph/mdsmap.h
++++ b/fs/ceph/mdsmap.h
+@@ -27,7 +27,11 @@ struct ceph_mdsmap {
+       u32 m_session_timeout;          /* seconds */
+       u32 m_session_autoclose;        /* seconds */
+       u64 m_max_file_size;
+-      u64 m_max_xattr_size;           /* maximum size for xattrs blob */
++      /*
++       * maximum size for xattrs blob.
++       * Zeroed by default to force the usage of the (sync) SETXATTR Op.
++       */
++      u64 m_max_xattr_size;
+       u32 m_max_mds;                  /* expected up:active mds number */
+       u32 m_num_active_mds;           /* actual up:active mds number */
+       u32 possible_max_rank;          /* possible max rank index */
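Review bot: With the `else` branch removed, `m->m_max_xattr_size` is never assigned when `mdsmap_ev < 18`, or when one of the skip macros jumps to `bad_ext` first. The "Zeroed by default" behaviour described in the new mdsmap.h comment therefore depends on the mdsmap being allocated zeroed, which is not visible in these hunks. A one-line comment at the decode site, e.g. `/* m_max_xattr_size stays 0 for older encodings, forcing the sync SETXATTR op */`, would keep that dependency visible where the value is read from the wire. `ceph_mdsmap_decode()` starts and ends outside the hunk.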
diff --git a/queue-6.7/crypto-arm64-neonbs-fix-out-of-bounds-access-on-short-input.patch b/queue-6.7/crypto-arm64-neonbs-fix-out-of-bounds-access-on-short-input.patch
new file mode 100644 (file)
index 0000000..ec60faf
--- /dev/null
@@ -0,0 +1,57 @@
+From 1c0cf6d19690141002889d72622b90fc01562ce4 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ardb@kernel.org>
+Date: Fri, 23 Feb 2024 14:20:35 +0100
+Subject: crypto: arm64/neonbs - fix out-of-bounds access on short input
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+commit 1c0cf6d19690141002889d72622b90fc01562ce4 upstream.
+
+The bit-sliced implementation of AES-CTR operates on blocks of 128
+bytes, and will fall back to the plain NEON version for tail blocks or
+inputs that are shorter than 128 bytes to begin with.
+
+It will call straight into the plain NEON asm helper, which performs all
+memory accesses in granules of 16 bytes (the size of a NEON register).
+For this reason, the associated plain NEON glue code will copy inputs
+shorter than 16 bytes into a temporary buffer, given that this is a rare
+occurrence and it is not worth the effort to work around this in the asm
+code.
+
+The fallback from the bit-sliced NEON version fails to take this into
+account, potentially resulting in out-of-bounds accesses. So clone the
+same workaround, and use a temp buffer for short in/outputs.
+
+Fixes: fc074e130051 ("crypto: arm64/aes-neonbs-ctr - fallback to plain NEON for final chunk")
+Cc: <stable@vger.kernel.org>
+Reported-by: syzbot+f1ceaa1a09ab891e1934@syzkaller.appspotmail.com
+Reviewed-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/crypto/aes-neonbs-glue.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/arch/arm64/crypto/aes-neonbs-glue.c
++++ b/arch/arm64/crypto/aes-neonbs-glue.c
+@@ -227,8 +227,19 @@ static int ctr_encrypt(struct skcipher_r
+                       src += blocks * AES_BLOCK_SIZE;
+               }
+               if (nbytes && walk.nbytes == walk.total) {
++                      u8 buf[AES_BLOCK_SIZE];
++                      u8 *d = dst;
++
++                      if (unlikely(nbytes < AES_BLOCK_SIZE))
++                              src = dst = memcpy(buf + sizeof(buf) - nbytes,
++                                                 src, nbytes);
++
+                       neon_aes_ctr_encrypt(dst, src, ctx->enc, ctx->key.rounds,
+                                            nbytes, walk.iv);
++
++                      if (unlikely(nbytes < AES_BLOCK_SIZE))
++                              memcpy(d, dst, nbytes);
++
+                       nbytes = 0;
+               }
+               kernel_neon_end();
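Review bot: The staging step in `ctr_encrypt()` is undocumented. The line `src = dst = memcpy(buf + sizeof(buf) - nbytes, src, nbytes);` places a short tail at the end of an `AES_BLOCK_SIZE` stack buffer and redirects both pointers, and nothing at the site says why. A comment such as `/* the NEON helper accesses memory in 16-byte granules; stage a tail shorter than one block at the end of buf so those accesses stay inside it */` would carry the reasoning from the commit message into the code. The leading `AES_BLOCK_SIZE - nbytes` bytes of `buf` are left uninitialised and only the last `nbytes` are copied back through `d`. That looks intentional but is worth stating, since this hunk does not show whether the helper reads those bytes. `ctr_encrypt()` starts and ends outside the hunk.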
diff --git a/queue-6.7/dmaengine-fsl-edma-correct-calculation-of-nbytes-in-multi-fifo-scenario.patch b/queue-6.7/dmaengine-fsl-edma-correct-calculation-of-nbytes-in-multi-fifo-scenario.patch
new file mode 100644 (file)
index 0000000..88b4374
--- /dev/null
@@ -0,0 +1,36 @@
+From 9ba17defd9edd87970b701085402bc8ecc3a11d4 Mon Sep 17 00:00:00 2001
+From: Joy Zou <joy.zou@nxp.com>
+Date: Wed, 31 Jan 2024 11:33:18 -0500
+Subject: dmaengine: fsl-edma: correct calculation of 'nbytes' in multi-fifo scenario
+
+From: Joy Zou <joy.zou@nxp.com>
+
+commit 9ba17defd9edd87970b701085402bc8ecc3a11d4 upstream.
+
+The 'nbytes' should be equivalent to burst * width in audio multi-fifo
+setups. Given that the FIFO width is fixed at 32 bits, adjusts the burst
+size for multi-fifo configurations to match the slave maxburst in the
+configuration.
+
+Cc: stable@vger.kernel.org
+Fixes: 72f5801a4e2b ("dmaengine: fsl-edma: integrate v3 support")
+Signed-off-by: Joy Zou <joy.zou@nxp.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Link: https://lore.kernel.org/r/20240131163318.360315-1-Frank.Li@nxp.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/fsl-edma-common.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma/fsl-edma-common.c
++++ b/drivers/dma/fsl-edma-common.c
+@@ -503,7 +503,7 @@ void fsl_edma_fill_tcd(struct fsl_edma_c
+       if (fsl_chan->is_multi_fifo) {
+               /* set mloff to support multiple fifo */
+               burst = cfg->direction == DMA_DEV_TO_MEM ?
+-                              cfg->src_addr_width : cfg->dst_addr_width;
++                              cfg->src_maxburst : cfg->dst_maxburst;
+               nbytes |= EDMA_V3_TCD_NBYTES_MLOFF(-(burst * 4));
+               /* enable DMLOE/SMLOE */
+               if (cfg->direction == DMA_MEM_TO_DEV) {
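Review bot: The literal `4` in `-(burst * 4)` is unexplained now that `burst` is taken from `src_maxburst`/`dst_maxburst`; according to the commit message it is the fixed 32-bit FIFO width in bytes. A comment such as `/* FIFO width is fixed at 32 bits, so the minor loop offset is maxburst * 4 bytes */`, or a named constant, would make that explicit. The client-supplied maxburst is also not range-checked in the visible lines before it is negated into the MLOFF field, so it is worth confirming that it is bounded elsewhere. `fsl_edma_fill_tcd()` continues outside the hunk.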
diff --git a/queue-6.7/dmaengine-fsl-qdma-fix-soc-may-hang-on-16-byte-unaligned-read.patch b/queue-6.7/dmaengine-fsl-qdma-fix-soc-may-hang-on-16-byte-unaligned-read.patch
new file mode 100644 (file)
index 0000000..ff918b2
--- /dev/null
@@ -0,0 +1,54 @@
+From 9d739bccf261dd93ec1babf82f5c5d71dd4caa3e Mon Sep 17 00:00:00 2001
+From: Peng Ma <peng.ma@nxp.com>
+Date: Thu, 1 Feb 2024 16:50:07 -0500
+Subject: dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read
+
+From: Peng Ma <peng.ma@nxp.com>
+
+commit 9d739bccf261dd93ec1babf82f5c5d71dd4caa3e upstream.
+
+There is chip (ls1028a) errata:
+
+The SoC may hang on 16 byte unaligned read transactions by QDMA.
+
+Unaligned read transactions initiated by QDMA may stall in the NOC
+(Network On-Chip), causing a deadlock condition. Stalled transactions will
+trigger completion timeouts in PCIe controller.
+
+Workaround:
+Enable prefetch by setting the source descriptor prefetchable bit
+( SD[PF] = 1 ).
+
+Implement this workaround.
+
+Cc: stable@vger.kernel.org
+Fixes: b092529e0aa0 ("dmaengine: fsl-qdma: Add qDMA controller driver for Layerscape SoCs")
+Signed-off-by: Peng Ma <peng.ma@nxp.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Link: https://lore.kernel.org/r/20240201215007.439503-1-Frank.Li@nxp.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/fsl-qdma.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/dma/fsl-qdma.c
++++ b/drivers/dma/fsl-qdma.c
+@@ -109,6 +109,7 @@
+ #define FSL_QDMA_CMD_WTHROTL_OFFSET   20
+ #define FSL_QDMA_CMD_DSEN_OFFSET      19
+ #define FSL_QDMA_CMD_LWC_OFFSET               16
++#define FSL_QDMA_CMD_PF                       BIT(17)
+ /* Field definition for Descriptor status */
+ #define QDMA_CCDF_STATUS_RTE          BIT(5)
+@@ -384,7 +385,8 @@ static void fsl_qdma_comp_fill_memcpy(st
+       qdma_csgf_set_f(csgf_dest, len);
+       /* Descriptor Buffer */
+       cmd = cpu_to_le32(FSL_QDMA_CMD_RWTTYPE <<
+-                        FSL_QDMA_CMD_RWTTYPE_OFFSET);
++                        FSL_QDMA_CMD_RWTTYPE_OFFSET) |
++                        FSL_QDMA_CMD_PF;
+       sdf->data = QDMA_SDDF_CMD(cmd);
+       cmd = cpu_to_le32(FSL_QDMA_CMD_RWTTYPE <<
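Review bot: `FSL_QDMA_CMD_PF` is ORed in after `cpu_to_le32()` has already converted the value, so the prefetch bit is applied in CPU byte order rather than descriptor byte order. On a little-endian kernel the two coincide, but on a big-endian build bit 17 would land in a different byte of the command word and the erratum workaround would not take effect. Moving the flag inside the conversion keeps both fields in one byte order: `cmd = cpu_to_le32((FSL_QDMA_CMD_RWTTYPE << FSL_QDMA_CMD_RWTTYPE_OFFSET) | FSL_QDMA_CMD_PF);`. fsl_qdma_comp_fill_memcpy() starts and ends outside the hunk.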
diff --git a/queue-6.7/dmaengine-fsl-qdma-init-irq-after-reg-initialization.patch b/queue-6.7/dmaengine-fsl-qdma-init-irq-after-reg-initialization.patch
new file mode 100644 (file)
index 0000000..3d824a0
--- /dev/null
@@ -0,0 +1,95 @@
+From 87a39071e0b639f45e05d296cc0538eef44ec0bd Mon Sep 17 00:00:00 2001
+From: Curtis Klein <curtis.klein@hpe.com>
+Date: Thu, 1 Feb 2024 17:04:06 -0500
+Subject: dmaengine: fsl-qdma: init irq after reg initialization
+
+From: Curtis Klein <curtis.klein@hpe.com>
+
+commit 87a39071e0b639f45e05d296cc0538eef44ec0bd upstream.
+
+Initialize the qDMA irqs after the registers are configured so that
+interrupts that may have been pending from a primary kernel don't get
+processed by the irq handler before it is ready to and cause panic with
+the following trace:
+
+  Call trace:
+   fsl_qdma_queue_handler+0xf8/0x3e8
+   __handle_irq_event_percpu+0x78/0x2b0
+   handle_irq_event_percpu+0x1c/0x68
+   handle_irq_event+0x44/0x78
+   handle_fasteoi_irq+0xc8/0x178
+   generic_handle_irq+0x24/0x38
+   __handle_domain_irq+0x90/0x100
+   gic_handle_irq+0x5c/0xb8
+   el1_irq+0xb8/0x180
+   _raw_spin_unlock_irqrestore+0x14/0x40
+   __setup_irq+0x4bc/0x798
+   request_threaded_irq+0xd8/0x190
+   devm_request_threaded_irq+0x74/0xe8
+   fsl_qdma_probe+0x4d4/0xca8
+   platform_drv_probe+0x50/0xa0
+   really_probe+0xe0/0x3f8
+   driver_probe_device+0x64/0x130
+   device_driver_attach+0x6c/0x78
+   __driver_attach+0xbc/0x158
+   bus_for_each_dev+0x5c/0x98
+   driver_attach+0x20/0x28
+   bus_add_driver+0x158/0x220
+   driver_register+0x60/0x110
+   __platform_driver_register+0x44/0x50
+   fsl_qdma_driver_init+0x18/0x20
+   do_one_initcall+0x48/0x258
+   kernel_init_freeable+0x1a4/0x23c
+   kernel_init+0x10/0xf8
+   ret_from_fork+0x10/0x18
+
+Cc: stable@vger.kernel.org
+Fixes: b092529e0aa0 ("dmaengine: fsl-qdma: Add qDMA controller driver for Layerscape SoCs")
+Signed-off-by: Curtis Klein <curtis.klein@hpe.com>
+Signed-off-by: Yi Zhao <yi.zhao@nxp.com>
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Link: https://lore.kernel.org/r/20240201220406.440145-1-Frank.Li@nxp.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/fsl-qdma.c |   17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+--- a/drivers/dma/fsl-qdma.c
++++ b/drivers/dma/fsl-qdma.c
+@@ -1199,10 +1199,6 @@ static int fsl_qdma_probe(struct platfor
+       if (!fsl_qdma->queue)
+               return -ENOMEM;
+-      ret = fsl_qdma_irq_init(pdev, fsl_qdma);
+-      if (ret)
+-              return ret;
+-
+       fsl_qdma->irq_base = platform_get_irq_byname(pdev, "qdma-queue0");
+       if (fsl_qdma->irq_base < 0)
+               return fsl_qdma->irq_base;
+@@ -1241,16 +1237,19 @@ static int fsl_qdma_probe(struct platfor
+       platform_set_drvdata(pdev, fsl_qdma);
+-      ret = dma_async_device_register(&fsl_qdma->dma_dev);
++      ret = fsl_qdma_reg_init(fsl_qdma);
+       if (ret) {
+-              dev_err(&pdev->dev,
+-                      "Can't register NXP Layerscape qDMA engine.\n");
++              dev_err(&pdev->dev, "Can't Initialize the qDMA engine.\n");
+               return ret;
+       }
+-      ret = fsl_qdma_reg_init(fsl_qdma);
++      ret = fsl_qdma_irq_init(pdev, fsl_qdma);
++      if (ret)
++              return ret;
++
++      ret = dma_async_device_register(&fsl_qdma->dma_dev);
+       if (ret) {
+-              dev_err(&pdev->dev, "Can't Initialize the qDMA engine.\n");
++              dev_err(&pdev->dev, "Can't register NXP Layerscape qDMA engine.\n");
+               return ret;
+       }
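Review bot: The new call order in fsl_qdma_probe() is load-bearing but undocumented, because nothing at the `fsl_qdma_irq_init()` call says it must stay after `fsl_qdma_reg_init()`. A comment above it would stop a later cleanup from moving it back, e.g. `/* Request IRQs only after the registers are programmed: an interrupt left pending by a previous kernel must not reach the handler first. */`. The two `return ret` paths after `fsl_qdma_reg_init()` now leave with the controller already configured, and whether anything quiesces it on those failures is not visible in the hunk. The probe function starts and ends outside the hunk.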
diff --git a/queue-6.7/dmaengine-ptdma-use-consistent-dma-masks.patch b/queue-6.7/dmaengine-ptdma-use-consistent-dma-masks.patch
new file mode 100644 (file)
index 0000000..a3028f6
--- /dev/null
@@ -0,0 +1,40 @@
+From df2515a17914ecfc2a0594509deaf7fcb8d191ac Mon Sep 17 00:00:00 2001
+From: Tadeusz Struk <tstruk@gigaio.com>
+Date: Thu, 22 Feb 2024 17:30:53 +0100
+Subject: dmaengine: ptdma: use consistent DMA masks
+
+From: Tadeusz Struk <tstruk@gigaio.com>
+
+commit df2515a17914ecfc2a0594509deaf7fcb8d191ac upstream.
+
+The PTDMA driver sets DMA masks in two different places for the same
+device inconsistently. First call is in pt_pci_probe(), where it uses
+48bit mask. The second call is in pt_dmaengine_register(), where it
+uses a 64bit mask. Using 64bit dma mask causes IO_PAGE_FAULT errors
+on DMA transfers between main memory and other devices.
+Without the extra call it works fine. Additionally the second call
+doesn't check the return value so it can silently fail.
+Remove the superfluous dma_set_mask() call and only use 48bit mask.
+
+Cc: stable@vger.kernel.org
+Fixes: b0b4a6b10577 ("dmaengine: ptdma: register PTDMA controller as a DMA resource")
+Reviewed-by: Basavaraj Natikar <Basavaraj.Natikar@amd.com>
+Signed-off-by: Tadeusz Struk <tstruk@gigaio.com>
+Link: https://lore.kernel.org/r/20240222163053.13842-1-tstruk@gigaio.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma/ptdma/ptdma-dmaengine.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/dma/ptdma/ptdma-dmaengine.c
++++ b/drivers/dma/ptdma/ptdma-dmaengine.c
+@@ -385,8 +385,6 @@ int pt_dmaengine_register(struct pt_devi
+       chan->vc.desc_free = pt_do_cleanup;
+       vchan_init(&chan->vc, dma_dev);
+-      dma_set_mask_and_coherent(pt->dev, DMA_BIT_MASK(64));
+-
+       ret = dma_async_device_register(dma_dev);
+       if (ret)
+               goto err_reg;
diff --git a/queue-6.7/drm-amd-display-add-monitor-patch-for-specific-edp.patch b/queue-6.7/drm-amd-display-add-monitor-patch-for-specific-edp.patch
new file mode 100644 (file)
index 0000000..8e5dc9e
--- /dev/null
@@ -0,0 +1,60 @@
+From b7cdccc6a849568775f738b1e233f751a8fed013 Mon Sep 17 00:00:00 2001
+From: Ryan Lin <tsung-hua.lin@amd.com>
+Date: Wed, 28 Feb 2024 11:39:21 -0700
+Subject: drm/amd/display: Add monitor patch for specific eDP
+
+From: Ryan Lin <tsung-hua.lin@amd.com>
+
+commit b7cdccc6a849568775f738b1e233f751a8fed013 upstream.
+
+[WHY]
+Some eDP panels' ext caps don't write initial values. The value of
+dpcd_addr (0x317) can be random and the backlight control interface
+will be incorrect.
+
+[HOW]
+Add new panel patches to remove sink ext caps.
+
+Cc: Mario Limonciello <mario.limonciello@amd.com>
+Cc: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org # 6.5.x
+Cc: Tsung-hua Lin <tsung-hua.lin@amd.com>
+Cc: Chris Chi <moukong.chi@amd.com>
+Reviewed-by: Wayne Lin <wayne.lin@amd.com>
+Acked-by: Alex Hung <alex.hung@amd.com>
+Signed-off-by: Ryan Lin <tsung-hua.lin@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c
++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c
+@@ -66,6 +66,8 @@ static void apply_edid_quirks(struct edi
+       /* Workaround for some monitors that do not clear DPCD 0x317 if FreeSync is unsupported */
+       case drm_edid_encode_panel_id('A', 'U', 'O', 0xA7AB):
+       case drm_edid_encode_panel_id('A', 'U', 'O', 0xE69B):
++      case drm_edid_encode_panel_id('B', 'O', 'E', 0x092A):
++      case drm_edid_encode_panel_id('L', 'G', 'D', 0x06D1):
+               DRM_DEBUG_DRIVER("Clearing DPCD 0x317 on monitor with panel id %X\n", panel_id);
+               edid_caps->panel_patch.remove_sink_ext_caps = true;
+               break;
+@@ -119,6 +121,8 @@ enum dc_edid_status dm_helpers_parse_edi
+       edid_caps->edid_hdmi = connector->display_info.is_hdmi;
++      apply_edid_quirks(edid_buf, edid_caps);
++
+       sad_count = drm_edid_to_sad((struct edid *) edid->raw_edid, &sads);
+       if (sad_count <= 0)
+               return result;
+@@ -145,8 +149,6 @@ enum dc_edid_status dm_helpers_parse_edi
+       else
+               edid_caps->speaker_flags = DEFAULT_SPEAKER_LOCATION;
+-      apply_edid_quirks(edid_buf, edid_caps);
+-
+       kfree(sads);
+       kfree(sadb);
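Review bot: The moved `apply_edid_quirks(edid_buf, edid_caps);` call in dm_helpers_parse_edid_caps() has to stay above the `if (sad_count <= 0) return result;` early return, and nothing at the call site says why. A later reorder could silently skip the quirk again for sinks with no audio descriptors. I would add above the call: `/* Apply quirks before the SAD lookup; the early return below would otherwise skip them for sinks that report no audio descriptors. */`. The function starts and ends outside the hunk.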
diff --git a/queue-6.7/drm-amdgpu-pm-fix-the-power1_min_cap-value.patch b/queue-6.7/drm-amdgpu-pm-fix-the-power1_min_cap-value.patch
new file mode 100644 (file)
index 0000000..7c4e53a
--- /dev/null
@@ -0,0 +1,131 @@
+From 7968e9748fbbd7ae49770d9f8a8231d8bce2aebb Mon Sep 17 00:00:00 2001
+From: Ma Jun <Jun.Ma2@amd.com>
+Date: Thu, 22 Feb 2024 17:08:42 +0800
+Subject: drm/amdgpu/pm: Fix the power1_min_cap value
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ma Jun <Jun.Ma2@amd.com>
+
+commit 7968e9748fbbd7ae49770d9f8a8231d8bce2aebb upstream.
+
+It's unreasonable to use 0 as the power1_min_cap when
+OD is disabled. So, use the same lower limit as the value
+used when OD is enabled.
+
+Fixes: 1958946858a6 ("drm/amd/pm: Support for getting power1_cap_min value")
+Signed-off-by: Ma Jun <Jun.Ma2@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Acked-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c       |    9 ++++-----
+ drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c         |    9 ++++-----
+ drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c |    9 ++++-----
+ drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c    |    9 ++++-----
+ drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c    |    9 ++++-----
+ 5 files changed, 20 insertions(+), 25 deletions(-)
+
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c
+@@ -1303,13 +1303,12 @@ static int arcturus_get_power_limit(stru
+       if (default_power_limit)
+               *default_power_limit = power_limit;
+-      if (smu->od_enabled) {
++      if (smu->od_enabled)
+               od_percent_upper = le32_to_cpu(powerplay_table->overdrive_table.max[SMU_11_0_ODSETTING_POWERPERCENTAGE]);
+-              od_percent_lower = le32_to_cpu(powerplay_table->overdrive_table.min[SMU_11_0_ODSETTING_POWERPERCENTAGE]);
+-      } else {
++      else
+               od_percent_upper = 0;
+-              od_percent_lower = 100;
+-      }
++
++      od_percent_lower = le32_to_cpu(powerplay_table->overdrive_table.min[SMU_11_0_ODSETTING_POWERPERCENTAGE]);
+       dev_dbg(smu->adev->dev, "od percent upper:%d, od percent lower:%d (default power: %d)\n",
+                                                       od_percent_upper, od_percent_lower, power_limit);
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c
+@@ -2357,13 +2357,12 @@ static int navi10_get_power_limit(struct
+               *default_power_limit = power_limit;
+       if (smu->od_enabled &&
+-                  navi10_od_feature_is_supported(od_settings, SMU_11_0_ODCAP_POWER_LIMIT)) {
++                  navi10_od_feature_is_supported(od_settings, SMU_11_0_ODCAP_POWER_LIMIT))
+               od_percent_upper = le32_to_cpu(powerplay_table->overdrive_table.max[SMU_11_0_ODSETTING_POWERPERCENTAGE]);
+-              od_percent_lower = le32_to_cpu(powerplay_table->overdrive_table.min[SMU_11_0_ODSETTING_POWERPERCENTAGE]);
+-      } else {
++      else
+               od_percent_upper = 0;
+-              od_percent_lower = 100;
+-      }
++
++      od_percent_lower = le32_to_cpu(powerplay_table->overdrive_table.min[SMU_11_0_ODSETTING_POWERPERCENTAGE]);
+       dev_dbg(smu->adev->dev, "od percent upper:%d, od percent lower:%d (default power: %d)\n",
+                                       od_percent_upper, od_percent_lower, power_limit);
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu11/sienna_cichlid_ppt.c
+@@ -640,13 +640,12 @@ static int sienna_cichlid_get_power_limi
+       if (default_power_limit)
+               *default_power_limit = power_limit;
+-      if (smu->od_enabled) {
++      if (smu->od_enabled)
+               od_percent_upper = le32_to_cpu(powerplay_table->overdrive_table.max[SMU_11_0_7_ODSETTING_POWERPERCENTAGE]);
+-              od_percent_lower = le32_to_cpu(powerplay_table->overdrive_table.min[SMU_11_0_7_ODSETTING_POWERPERCENTAGE]);
+-      } else {
++      else
+               od_percent_upper = 0;
+-              od_percent_lower = 100;
+-      }
++
++      od_percent_lower = le32_to_cpu(powerplay_table->overdrive_table.min[SMU_11_0_7_ODSETTING_POWERPERCENTAGE]);
+       dev_dbg(smu->adev->dev, "od percent upper:%d, od percent lower:%d (default power: %d)\n",
+                                       od_percent_upper, od_percent_lower, power_limit);
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_0_ppt.c
+@@ -2364,13 +2364,12 @@ static int smu_v13_0_0_get_power_limit(s
+       if (default_power_limit)
+               *default_power_limit = power_limit;
+-      if (smu->od_enabled) {
++      if (smu->od_enabled)
+               od_percent_upper = le32_to_cpu(powerplay_table->overdrive_table.max[SMU_13_0_0_ODSETTING_POWERPERCENTAGE]);
+-              od_percent_lower = le32_to_cpu(powerplay_table->overdrive_table.min[SMU_13_0_0_ODSETTING_POWERPERCENTAGE]);
+-      } else {
++      else
+               od_percent_upper = 0;
+-              od_percent_lower = 100;
+-      }
++
++      od_percent_lower = le32_to_cpu(powerplay_table->overdrive_table.min[SMU_13_0_0_ODSETTING_POWERPERCENTAGE]);
+       dev_dbg(smu->adev->dev, "od percent upper:%d, od percent lower:%d (default power: %d)\n",
+                                       od_percent_upper, od_percent_lower, power_limit);
+--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c
++++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0_7_ppt.c
+@@ -2328,13 +2328,12 @@ static int smu_v13_0_7_get_power_limit(s
+       if (default_power_limit)
+               *default_power_limit = power_limit;
+-      if (smu->od_enabled) {
++      if (smu->od_enabled)
+               od_percent_upper = le32_to_cpu(powerplay_table->overdrive_table.max[SMU_13_0_7_ODSETTING_POWERPERCENTAGE]);
+-              od_percent_lower = le32_to_cpu(powerplay_table->overdrive_table.min[SMU_13_0_7_ODSETTING_POWERPERCENTAGE]);
+-      } else {
++      else
+               od_percent_upper = 0;
+-              od_percent_lower = 100;
+-      }
++
++      od_percent_lower = le32_to_cpu(powerplay_table->overdrive_table.min[SMU_13_0_7_ODSETTING_POWERPERCENTAGE]);
+       dev_dbg(smu->adev->dev, "od percent upper:%d, od percent lower:%d (default power: %d)\n",
+                                       od_percent_upper, od_percent_lower, power_limit);
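Review bot: `od_percent_lower` is now read from `overdrive_table.min[...]` on every path, including the navi10 case where `navi10_od_feature_is_supported(od_settings, SMU_11_0_ODCAP_POWER_LIMIT)` is false, and none of the five hunks range-checks it. The arithmetic that consumes it is outside the hunks, but if it subtracts the percentage from 100, a table entry above 100 would wrap the minimum cap. A clamp right after the read is cheap insurance: `if (od_percent_lower > 100) od_percent_lower = 100;`. The same applies to the arcturus, sienna_cichlid, smu_v13_0_0 and smu_v13_0_7 hunks.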
diff --git a/queue-6.7/drm-buddy-fix-range-bias.patch b/queue-6.7/drm-buddy-fix-range-bias.patch
new file mode 100644 (file)
index 0000000..4ac7a08
--- /dev/null
@@ -0,0 +1,59 @@
+From f41900e4a6ef019d64a70394b0e0c3bd048d4ec8 Mon Sep 17 00:00:00 2001
+From: Matthew Auld <matthew.auld@intel.com>
+Date: Mon, 19 Feb 2024 12:18:52 +0000
+Subject: drm/buddy: fix range bias
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthew Auld <matthew.auld@intel.com>
+
+commit f41900e4a6ef019d64a70394b0e0c3bd048d4ec8 upstream.
+
+There is a corner case here where start/end is after/before the block
+range we are currently checking. If so we need to be sure that splitting
+the block will eventually give use the block size we need. To do that we
+should adjust the block range to account for the start/end, and only
+continue with the split if the size/alignment will fit the requested
+size. Not doing so can result in leaving split blocks unmerged when it
+eventually fails.
+
+Fixes: afea229fe102 ("drm: improve drm_buddy_alloc function")
+Signed-off-by: Matthew Auld <matthew.auld@intel.com>
+Cc: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam@amd.com>
+Cc: Christian König <christian.koenig@amd.com>
+Cc: <stable@vger.kernel.org> # v5.18+
+Reviewed-by: Arunpravin Paneer Selvam <Arunpravin.PaneerSelvam@amd.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240219121851.25774-4-matthew.auld@intel.com
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_buddy.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/gpu/drm/drm_buddy.c
++++ b/drivers/gpu/drm/drm_buddy.c
+@@ -332,6 +332,7 @@ alloc_range_bias(struct drm_buddy *mm,
+                u64 start, u64 end,
+                unsigned int order)
+ {
++      u64 req_size = mm->chunk_size << order;
+       struct drm_buddy_block *block;
+       struct drm_buddy_block *buddy;
+       LIST_HEAD(dfs);
+@@ -367,6 +368,15 @@ alloc_range_bias(struct drm_buddy *mm,
+               if (drm_buddy_block_is_allocated(block))
+                       continue;
++              if (block_start < start || block_end > end) {
++                      u64 adjusted_start = max(block_start, start);
++                      u64 adjusted_end = min(block_end, end);
++
++                      if (round_down(adjusted_end + 1, req_size) <=
++                          round_up(adjusted_start, req_size))
++                              continue;
++              }
++
+               if (contains(start, end, block_start, block_end) &&
+                   order == drm_buddy_block_order(block)) {
+                       /*
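Review bot: The added overlap check in alloc_range_bias() carries no comment, so its intent is recorded only in the commit message: skip a block when the part of it inside [start, end] cannot hold one aligned `req_size` chunk. I would add above the `if (block_start < start || block_end > end)` line: `/* Partial overlap: only descend if the clipped range can still fit an aligned req_size chunk, otherwise we split blocks we cannot use. */`. `round_up()`/`round_down()` expect a power-of-two size, so the check relies on `mm->chunk_size` being a power of two, which the hunk does not show. The function body continues outside the hunk.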
diff --git a/queue-6.7/gtp-fix-use-after-free-and-null-ptr-deref-in-gtp_newlink.patch b/queue-6.7/gtp-fix-use-after-free-and-null-ptr-deref-in-gtp_newlink.patch
new file mode 100644 (file)
index 0000000..04d3539
--- /dev/null
@@ -0,0 +1,151 @@
+From 616d82c3cfa2a2146dd7e3ae47bda7e877ee549e Mon Sep 17 00:00:00 2001
+From: Alexander Ofitserov <oficerovas@altlinux.org>
+Date: Wed, 28 Feb 2024 14:47:03 +0300
+Subject: gtp: fix use-after-free and null-ptr-deref in gtp_newlink()
+
+From: Alexander Ofitserov <oficerovas@altlinux.org>
+
+commit 616d82c3cfa2a2146dd7e3ae47bda7e877ee549e upstream.
+
+The gtp_link_ops operations structure for the subsystem must be
+registered after registering the gtp_net_ops pernet operations structure.
+
+Syzkaller hit 'general protection fault in gtp_genl_dump_pdp' bug:
+
+[ 1010.702740] gtp: GTP module unloaded
+[ 1010.715877] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI
+[ 1010.715888] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
+[ 1010.715895] CPU: 1 PID: 128616 Comm: a.out Not tainted 6.8.0-rc6-std-def-alt1 #1
+[ 1010.715899] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-alt1 04/01/2014
+[ 1010.715908] RIP: 0010:gtp_newlink+0x4d7/0x9c0 [gtp]
+[ 1010.715915] Code: 80 3c 02 00 0f 85 41 04 00 00 48 8b bb d8 05 00 00 e8 ed f6 ff ff 48 89 c2 48 89 c5 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 4f 04 00 00 4c 89 e2 4c 8b 6d 00 48 b8 00 00 00
+[ 1010.715920] RSP: 0018:ffff888020fbf180 EFLAGS: 00010203
+[ 1010.715929] RAX: dffffc0000000000 RBX: ffff88800399c000 RCX: 0000000000000000
+[ 1010.715933] RDX: 0000000000000001 RSI: ffffffff84805280 RDI: 0000000000000282
+[ 1010.715938] RBP: 000000000000000d R08: 0000000000000001 R09: 0000000000000000
+[ 1010.715942] R10: 0000000000000001 R11: 0000000000000001 R12: ffff88800399cc80
+[ 1010.715947] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000400
+[ 1010.715953] FS:  00007fd1509ab5c0(0000) GS:ffff88805b300000(0000) knlGS:0000000000000000
+[ 1010.715958] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1010.715962] CR2: 0000000000000000 CR3: 000000001c07a000 CR4: 0000000000750ee0
+[ 1010.715968] PKRU: 55555554
+[ 1010.715972] Call Trace:
+[ 1010.715985]  ? __die_body.cold+0x1a/0x1f
+[ 1010.715995]  ? die_addr+0x43/0x70
+[ 1010.716002]  ? exc_general_protection+0x199/0x2f0
+[ 1010.716016]  ? asm_exc_general_protection+0x1e/0x30
+[ 1010.716026]  ? gtp_newlink+0x4d7/0x9c0 [gtp]
+[ 1010.716034]  ? gtp_net_exit+0x150/0x150 [gtp]
+[ 1010.716042]  __rtnl_newlink+0x1063/0x1700
+[ 1010.716051]  ? rtnl_setlink+0x3c0/0x3c0
+[ 1010.716063]  ? is_bpf_text_address+0xc0/0x1f0
+[ 1010.716070]  ? kernel_text_address.part.0+0xbb/0xd0
+[ 1010.716076]  ? __kernel_text_address+0x56/0xa0
+[ 1010.716084]  ? unwind_get_return_address+0x5a/0xa0
+[ 1010.716091]  ? create_prof_cpu_mask+0x30/0x30
+[ 1010.716098]  ? arch_stack_walk+0x9e/0xf0
+[ 1010.716106]  ? stack_trace_save+0x91/0xd0
+[ 1010.716113]  ? stack_trace_consume_entry+0x170/0x170
+[ 1010.716121]  ? __lock_acquire+0x15c5/0x5380
+[ 1010.716139]  ? mark_held_locks+0x9e/0xe0
+[ 1010.716148]  ? kmem_cache_alloc_trace+0x35f/0x3c0
+[ 1010.716155]  ? __rtnl_newlink+0x1700/0x1700
+[ 1010.716160]  rtnl_newlink+0x69/0xa0
+[ 1010.716166]  rtnetlink_rcv_msg+0x43b/0xc50
+[ 1010.716172]  ? rtnl_fdb_dump+0x9f0/0x9f0
+[ 1010.716179]  ? lock_acquire+0x1fe/0x560
+[ 1010.716188]  ? netlink_deliver_tap+0x12f/0xd50
+[ 1010.716196]  netlink_rcv_skb+0x14d/0x440
+[ 1010.716202]  ? rtnl_fdb_dump+0x9f0/0x9f0
+[ 1010.716208]  ? netlink_ack+0xab0/0xab0
+[ 1010.716213]  ? netlink_deliver_tap+0x202/0xd50
+[ 1010.716220]  ? netlink_deliver_tap+0x218/0xd50
+[ 1010.716226]  ? __virt_addr_valid+0x30b/0x590
+[ 1010.716233]  netlink_unicast+0x54b/0x800
+[ 1010.716240]  ? netlink_attachskb+0x870/0x870
+[ 1010.716248]  ? __check_object_size+0x2de/0x3b0
+[ 1010.716254]  netlink_sendmsg+0x938/0xe40
+[ 1010.716261]  ? netlink_unicast+0x800/0x800
+[ 1010.716269]  ? __import_iovec+0x292/0x510
+[ 1010.716276]  ? netlink_unicast+0x800/0x800
+[ 1010.716284]  __sock_sendmsg+0x159/0x190
+[ 1010.716290]  ____sys_sendmsg+0x712/0x880
+[ 1010.716297]  ? sock_write_iter+0x3d0/0x3d0
+[ 1010.716304]  ? __ia32_sys_recvmmsg+0x270/0x270
+[ 1010.716309]  ? lock_acquire+0x1fe/0x560
+[ 1010.716315]  ? drain_array_locked+0x90/0x90
+[ 1010.716324]  ___sys_sendmsg+0xf8/0x170
+[ 1010.716331]  ? sendmsg_copy_msghdr+0x170/0x170
+[ 1010.716337]  ? lockdep_init_map_type+0x2c7/0x860
+[ 1010.716343]  ? lockdep_hardirqs_on_prepare+0x430/0x430
+[ 1010.716350]  ? debug_mutex_init+0x33/0x70
+[ 1010.716360]  ? percpu_counter_add_batch+0x8b/0x140
+[ 1010.716367]  ? lock_acquire+0x1fe/0x560
+[ 1010.716373]  ? find_held_lock+0x2c/0x110
+[ 1010.716384]  ? __fd_install+0x1b6/0x6f0
+[ 1010.716389]  ? lock_downgrade+0x810/0x810
+[ 1010.716396]  ? __fget_light+0x222/0x290
+[ 1010.716403]  __sys_sendmsg+0xea/0x1b0
+[ 1010.716409]  ? __sys_sendmsg_sock+0x40/0x40
+[ 1010.716419]  ? lockdep_hardirqs_on_prepare+0x2b3/0x430
+[ 1010.716425]  ? syscall_enter_from_user_mode+0x1d/0x60
+[ 1010.716432]  do_syscall_64+0x30/0x40
+[ 1010.716438]  entry_SYSCALL_64_after_hwframe+0x62/0xc7
+[ 1010.716444] RIP: 0033:0x7fd1508cbd49
+[ 1010.716452] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ef 70 0d 00 f7 d8 64 89 01 48
+[ 1010.716456] RSP: 002b:00007fff18872348 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
+[ 1010.716463] RAX: ffffffffffffffda RBX: 000055f72bf0eac0 RCX: 00007fd1508cbd49
+[ 1010.716468] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000006
+[ 1010.716473] RBP: 00007fff18872360 R08: 00007fff18872360 R09: 00007fff18872360
+[ 1010.716478] R10: 00007fff18872360 R11: 0000000000000202 R12: 000055f72bf0e1b0
+[ 1010.716482] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
+[ 1010.716491] Modules linked in: gtp(+) udp_tunnel ib_core uinput af_packet rfkill qrtr joydev hid_generic usbhid hid kvm_intel iTCO_wdt intel_pmc_bxt iTCO_vendor_support kvm snd_hda_codec_generic ledtrig_audio irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel snd_hda_intel nls_utf8 snd_intel_dspcfg nls_cp866 psmouse aesni_intel vfat crypto_simd fat cryptd glue_helper snd_hda_codec pcspkr snd_hda_core i2c_i801 snd_hwdep i2c_smbus xhci_pci snd_pcm lpc_ich xhci_pci_renesas xhci_hcd qemu_fw_cfg tiny_power_button button sch_fq_codel vboxvideo drm_vram_helper drm_ttm_helper ttm vboxsf vboxguest snd_seq_midi snd_seq_midi_event snd_seq snd_rawmidi snd_seq_device snd_timer snd soundcore msr fuse efi_pstore dm_mod ip_tables x_tables autofs4 virtio_gpu virtio_dma_buf drm_kms_helper cec rc_core drm virtio_rng virtio_scsi rng_core virtio_balloon virtio_blk virtio_net virtio_console net_failover failover ahci libahci libata evdev scsi_mod input_leds serio_raw virtio_pci intel_agp
+[ 1010.716674]  virtio_ring intel_gtt virtio [last unloaded: gtp]
+[ 1010.716693] ---[ end trace 04990a4ce61e174b ]---
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexander Ofitserov <oficerovas@altlinux.org>
+Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
+Reviewed-by: Jiri Pirko <jiri@nvidia.com>
+Link: https://lore.kernel.org/r/20240228114703.465107-1-oficerovas@altlinux.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/gtp.c |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/gtp.c
++++ b/drivers/net/gtp.c
+@@ -1903,26 +1903,26 @@ static int __init gtp_init(void)
+       get_random_bytes(&gtp_h_initval, sizeof(gtp_h_initval));
+-      err = rtnl_link_register(&gtp_link_ops);
++      err = register_pernet_subsys(&gtp_net_ops);
+       if (err < 0)
+               goto error_out;
+-      err = register_pernet_subsys(&gtp_net_ops);
++      err = rtnl_link_register(&gtp_link_ops);
+       if (err < 0)
+-              goto unreg_rtnl_link;
++              goto unreg_pernet_subsys;
+       err = genl_register_family(&gtp_genl_family);
+       if (err < 0)
+-              goto unreg_pernet_subsys;
++              goto unreg_rtnl_link;
+       pr_info("GTP module loaded (pdp ctx size %zd bytes)\n",
+               sizeof(struct pdp_ctx));
+       return 0;
+-unreg_pernet_subsys:
+-      unregister_pernet_subsys(&gtp_net_ops);
+ unreg_rtnl_link:
+       rtnl_link_unregister(&gtp_link_ops);
++unreg_pernet_subsys:
++      unregister_pernet_subsys(&gtp_net_ops);
+ error_out:
+       pr_err("error loading GTP module loaded\n");
+       return err;
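Review bot: The registration order in gtp_init() is what fixes the crash, yet the code has no comment saying `register_pernet_subsys()` must come first. I suggest adding above that call: `/* Register pernet ops before the link ops: gtp_newlink() can run as soon as rtnl_link_register() returns and presumably needs the per-netns state. */`. The unwind labels were reordered to match, which is consistent. The module exit path is not in the hunk, so it is worth checking that it unregisters in the reverse of this order.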
diff --git a/queue-6.7/landlock-fix-asymmetric-private-inodes-referring.patch b/queue-6.7/landlock-fix-asymmetric-private-inodes-referring.patch
new file mode 100644 (file)
index 0000000..dd6ae34
--- /dev/null
@@ -0,0 +1,63 @@
+From d9818b3e906a0ee1ab02ea79e74a2f755fc5461a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= <mic@digikod.net>
+Date: Mon, 19 Feb 2024 20:03:45 +0100
+Subject: landlock: Fix asymmetric private inodes referring
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mickaël Salaün <mic@digikod.net>
+
+commit d9818b3e906a0ee1ab02ea79e74a2f755fc5461a upstream.
+
+When linking or renaming a file, if only one of the source or
+destination directory is backed by an S_PRIVATE inode, then the related
+set of layer masks would be used as uninitialized by
+is_access_to_paths_allowed().  This would result to indeterministic
+access for one side instead of always being allowed.
+
+This bug could only be triggered with a mounted filesystem containing
+both S_PRIVATE and !S_PRIVATE inodes, which doesn't seem possible.
+
+The collect_domain_accesses() calls return early if
+is_nouser_or_private() returns false, which means that the directory's
+superblock has SB_NOUSER or its inode has S_PRIVATE.  Because rename or
+link actions are only allowed on the same mounted filesystem, the
+superblock is always the same for both source and destination
+directories.  However, it might be possible in theory to have an
+S_PRIVATE parent source inode with an !S_PRIVATE parent destination
+inode, or vice versa.
+
+To make sure this case is not an issue, explicitly initialized both set
+of layer masks to 0, which means to allow all actions on the related
+side.  If at least on side has !S_PRIVATE, then
+collect_domain_accesses() and is_access_to_paths_allowed() check for the
+required access rights.
+
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Christian Brauner <brauner@kernel.org>
+Cc: Günther Noack <gnoack@google.com>
+Cc: Jann Horn <jannh@google.com>
+Cc: Shervin Oloumi <enlightened@chromium.org>
+Cc: stable@vger.kernel.org
+Fixes: b91c3e4ea756 ("landlock: Add support for file reparenting with LANDLOCK_ACCESS_FS_REFER")
+Link: https://lore.kernel.org/r/20240219190345.2928627-1-mic@digikod.net
+Signed-off-by: Mickaël Salaün <mic@digikod.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/landlock/fs.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/security/landlock/fs.c
++++ b/security/landlock/fs.c
+@@ -737,8 +737,8 @@ static int current_check_refer_path(stru
+       bool allow_parent1, allow_parent2;
+       access_mask_t access_request_parent1, access_request_parent2;
+       struct path mnt_dir;
+-      layer_mask_t layer_masks_parent1[LANDLOCK_NUM_ACCESS_FS],
+-              layer_masks_parent2[LANDLOCK_NUM_ACCESS_FS];
++      layer_mask_t layer_masks_parent1[LANDLOCK_NUM_ACCESS_FS] = {},
++                   layer_masks_parent2[LANDLOCK_NUM_ACCESS_FS] = {};
+       if (!dom)
+               return 0;
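Review bot: The `= {}` initialisers on `layer_masks_parent1` and `layer_masks_parent2` in current_check_refer_path() are security-relevant and deserve a comment at the declaration. Per the commit description, a zeroed mask means "allow all actions", and the arrays could previously be read uninitialised when one side was skipped. I suggest: `/* Zero-initialised: a side that collect_domain_accesses() skips must read as "all allowed", never as stack garbage. */`. The function continues outside the hunk.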
diff --git a/queue-6.7/mm-cachestat-fix-folio-read-after-free-in-cache-walk.patch b/queue-6.7/mm-cachestat-fix-folio-read-after-free-in-cache-walk.patch
new file mode 100644 (file)
index 0000000..5fb01d0
--- /dev/null
@@ -0,0 +1,119 @@
+From 3a75cb05d53f4a6823a32deb078de1366954a804 Mon Sep 17 00:00:00 2001
+From: Nhat Pham <nphamcs@gmail.com>
+Date: Mon, 19 Feb 2024 19:01:21 -0800
+Subject: mm: cachestat: fix folio read-after-free in cache walk
+
+From: Nhat Pham <nphamcs@gmail.com>
+
+commit 3a75cb05d53f4a6823a32deb078de1366954a804 upstream.
+
+In cachestat, we access the folio from the page cache's xarray to compute
+its page offset, and check for its dirty and writeback flags.  However, we
+do not hold a reference to the folio before performing these actions,
+which means the folio can concurrently be released and reused as another
+folio/page/slab.
+
+Get around this altogether by just using xarray's existing machinery for
+the folio page offsets and dirty/writeback states.
+
+This changes behavior for tmpfs files to now always report zeroes in their
+dirty and writeback counters.  This is okay as tmpfs doesn't follow
+conventional writeback cache behavior: its pages get "cleaned" during
+swapout, after which they're no longer resident etc.
+
+Link: https://lkml.kernel.org/r/20240220153409.GA216065@cmpxchg.org
+Fixes: cf264e1329fb ("cachestat: implement cachestat syscall")
+Reported-by: Jann Horn <jannh@google.com>
+Suggested-by: Matthew Wilcox <willy@infradead.org>
+Signed-off-by: Nhat Pham <nphamcs@gmail.com>
+Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
+Tested-by: Jann Horn <jannh@google.com>
+Cc: <stable@vger.kernel.org>   [6.4+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/filemap.c |   51 ++++++++++++++++++++++++++-------------------------
+ 1 file changed, 26 insertions(+), 25 deletions(-)
+
+--- a/mm/filemap.c
++++ b/mm/filemap.c
+@@ -4108,28 +4108,40 @@ static void filemap_cachestat(struct add
+       rcu_read_lock();
+       xas_for_each(&xas, folio, last_index) {
++              int order;
+               unsigned long nr_pages;
+               pgoff_t folio_first_index, folio_last_index;
++              /*
++               * Don't deref the folio. It is not pinned, and might
++               * get freed (and reused) underneath us.
++               *
++               * We *could* pin it, but that would be expensive for
++               * what should be a fast and lightweight syscall.
++               *
++               * Instead, derive all information of interest from
++               * the rcu-protected xarray.
++               */
++
+               if (xas_retry(&xas, folio))
+                       continue;
++              order = xa_get_order(xas.xa, xas.xa_index);
++              nr_pages = 1 << order;
++              folio_first_index = round_down(xas.xa_index, 1 << order);
++              folio_last_index = folio_first_index + nr_pages - 1;
++
++              /* Folios might straddle the range boundaries, only count covered pages */
++              if (folio_first_index < first_index)
++                      nr_pages -= first_index - folio_first_index;
++
++              if (folio_last_index > last_index)
++                      nr_pages -= folio_last_index - last_index;
++
+               if (xa_is_value(folio)) {
+                       /* page is evicted */
+                       void *shadow = (void *)folio;
+                       bool workingset; /* not used */
+-                      int order = xa_get_order(xas.xa, xas.xa_index);
+-
+-                      nr_pages = 1 << order;
+-                      folio_first_index = round_down(xas.xa_index, 1 << order);
+-                      folio_last_index = folio_first_index + nr_pages - 1;
+-
+-                      /* Folios might straddle the range boundaries, only count covered pages */
+-                      if (folio_first_index < first_index)
+-                              nr_pages -= first_index - folio_first_index;
+-
+-                      if (folio_last_index > last_index)
+-                              nr_pages -= folio_last_index - last_index;
+                       cs->nr_evicted += nr_pages;
+@@ -4147,24 +4159,13 @@ static void filemap_cachestat(struct add
+                       goto resched;
+               }
+-              nr_pages = folio_nr_pages(folio);
+-              folio_first_index = folio_pgoff(folio);
+-              folio_last_index = folio_first_index + nr_pages - 1;
+-
+-              /* Folios might straddle the range boundaries, only count covered pages */
+-              if (folio_first_index < first_index)
+-                      nr_pages -= first_index - folio_first_index;
+-
+-              if (folio_last_index > last_index)
+-                      nr_pages -= folio_last_index - last_index;
+-
+               /* page is in cache */
+               cs->nr_cache += nr_pages;
+-              if (folio_test_dirty(folio))
++              if (xas_get_mark(&xas, PAGECACHE_TAG_DIRTY))
+                       cs->nr_dirty += nr_pages;
+-              if (folio_test_writeback(folio))
++              if (xas_get_mark(&xas, PAGECACHE_TAG_WRITEBACK))
+                       cs->nr_writeback += nr_pages;
+ resched:
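Review bot: In the rewritten loop of filemap_cachestat(), the order is taken from `xa_get_order(xas.xa, xas.xa_index)`, which takes the array and index rather than the iterator state and so presumably performs its own lookup, and the dirty/writeback marks are read after that; under concurrent changes the entry, its order and its marks may describe different states of the slot. That seems acceptable for a statistics call, but the new comment only explains why the folio is not dereferenced, so I would add a line such as `/* Order and marks are sampled without pinning; the counts are a best-effort snapshot. */`. `nr_pages` is `unsigned long`, so `1UL << order` would match its type better than `1 << order`, which is written twice. The function starts and ends outside these hunks.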
diff --git a/queue-6.7/mmc-core-fix-emmc-initialization-with-1-bit-bus-connection.patch b/queue-6.7/mmc-core-fix-emmc-initialization-with-1-bit-bus-connection.patch
new file mode 100644 (file)
index 0000000..c119e9d
--- /dev/null
@@ -0,0 +1,72 @@
+From ff3206d2186d84e4f77e1378ba1d225633f17b9b Mon Sep 17 00:00:00 2001
+From: Ivan Semenov <ivan@semenov.dev>
+Date: Tue, 6 Feb 2024 19:28:45 +0200
+Subject: mmc: core: Fix eMMC initialization with 1-bit bus connection
+
+From: Ivan Semenov <ivan@semenov.dev>
+
+commit ff3206d2186d84e4f77e1378ba1d225633f17b9b upstream.
+
+Initializing an eMMC that's connected via a 1-bit bus is current failing,
+if the HW (DT) informs that 4-bit bus is supported. In fact this is a
+regression, as we were earlier capable of falling back to 1-bit mode, when
+switching to 4/8-bit bus failed. Therefore, let's restore the behaviour.
+
+Log for Samsung eMMC 5.1 chip connected via 1bit bus (only D0 pin)
+Before patch:
+[134509.044225] mmc0: switch to bus width 4 failed
+[134509.044509] mmc0: new high speed MMC card at address 0001
+[134509.054594] mmcblk0: mmc0:0001 BGUF4R 29.1 GiB
+[134509.281602] mmc0: switch to bus width 4 failed
+[134509.282638] I/O error, dev mmcblk0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
+[134509.282657] Buffer I/O error on dev mmcblk0, logical block 0, async page read
+[134509.284598] I/O error, dev mmcblk0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
+[134509.284602] Buffer I/O error on dev mmcblk0, logical block 0, async page read
+[134509.284609] ldm_validate_partition_table(): Disk read failed.
+[134509.286495] I/O error, dev mmcblk0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
+[134509.286500] Buffer I/O error on dev mmcblk0, logical block 0, async page read
+[134509.288303] I/O error, dev mmcblk0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
+[134509.288308] Buffer I/O error on dev mmcblk0, logical block 0, async page read
+[134509.289540] I/O error, dev mmcblk0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
+[134509.289544] Buffer I/O error on dev mmcblk0, logical block 0, async page read
+[134509.289553]  mmcblk0: unable to read partition table
+[134509.289728] mmcblk0boot0: mmc0:0001 BGUF4R 31.9 MiB
+[134509.290283] mmcblk0boot1: mmc0:0001 BGUF4R 31.9 MiB
+[134509.294577] I/O error, dev mmcblk0, sector 0 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 2
+[134509.295835] I/O error, dev mmcblk0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
+[134509.295841] Buffer I/O error on dev mmcblk0, logical block 0, async page read
+
+After patch:
+
+[134551.089613] mmc0: switch to bus width 4 failed
+[134551.090377] mmc0: new high speed MMC card at address 0001
+[134551.102271] mmcblk0: mmc0:0001 BGUF4R 29.1 GiB
+[134551.113365]  mmcblk0: p1 p2 p3 p4 p5 p6 p7 p8 p9 p10 p11 p12 p13 p14 p15 p16 p17 p18 p19 p20 p21
+[134551.114262] mmcblk0boot0: mmc0:0001 BGUF4R 31.9 MiB
+[134551.114925] mmcblk0boot1: mmc0:0001 BGUF4R 31.9 MiB
+
+Fixes: 577fb13199b1 ("mmc: rework selection of bus speed mode")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ivan Semenov <ivan@semenov.dev>
+Link: https://lore.kernel.org/r/20240206172845.34316-1-ivan@semenov.dev
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/mmc.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mmc/core/mmc.c
++++ b/drivers/mmc/core/mmc.c
+@@ -1006,10 +1006,12 @@ static int mmc_select_bus_width(struct m
+       static unsigned ext_csd_bits[] = {
+               EXT_CSD_BUS_WIDTH_8,
+               EXT_CSD_BUS_WIDTH_4,
++              EXT_CSD_BUS_WIDTH_1,
+       };
+       static unsigned bus_widths[] = {
+               MMC_BUS_WIDTH_8,
+               MMC_BUS_WIDTH_4,
++              MMC_BUS_WIDTH_1,
+       };
+       struct mmc_host *host = card->host;
+       unsigned idx, bus_width = 0;
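Review bot: `ext_csd_bits[]` and `bus_widths[]` in mmc_select_bus_width() are parallel tables that must stay index-aligned and ordered widest first, and with the new 1-bit entries the last slot is a fallback rather than a widening, but nothing in the code says so. A comment above the tables, for example `/* Parallel tables, widest first; the 1-bit entry is the fallback when 8/4-bit switching fails. */`, would keep a later edit from breaking the pairing. The loop that consumes the tables and the return statement are outside this hunk; if the function reports the selected width through its return value, it is worth confirming that callers treat the 1-bit result as success.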
diff --git a/queue-6.7/mmc-mmci-stm32-fix-dma-api-overlapping-mappings-warning.patch b/queue-6.7/mmc-mmci-stm32-fix-dma-api-overlapping-mappings-warning.patch
new file mode 100644 (file)
index 0000000..26ca9c7
--- /dev/null
@@ -0,0 +1,106 @@
+From 6b1ba3f9040be5efc4396d86c9752cdc564730be Mon Sep 17 00:00:00 2001
+From: Christophe Kerello <christophe.kerello@foss.st.com>
+Date: Wed, 7 Feb 2024 15:39:51 +0100
+Subject: mmc: mmci: stm32: fix DMA API overlapping mappings warning
+
+From: Christophe Kerello <christophe.kerello@foss.st.com>
+
+commit 6b1ba3f9040be5efc4396d86c9752cdc564730be upstream.
+
+Turning on CONFIG_DMA_API_DEBUG_SG results in the following warning:
+
+DMA-API: mmci-pl18x 48220000.mmc: cacheline tracking EEXIST,
+overlapping mappings aren't supported
+WARNING: CPU: 1 PID: 51 at kernel/dma/debug.c:568
+add_dma_entry+0x234/0x2f4
+Modules linked in:
+CPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 6.1.28 #1
+Hardware name: STMicroelectronics STM32MP257F-EV1 Evaluation Board (DT)
+Workqueue: events_freezable mmc_rescan
+Call trace:
+add_dma_entry+0x234/0x2f4
+debug_dma_map_sg+0x198/0x350
+__dma_map_sg_attrs+0xa0/0x110
+dma_map_sg_attrs+0x10/0x2c
+sdmmc_idma_prep_data+0x80/0xc0
+mmci_prep_data+0x38/0x84
+mmci_start_data+0x108/0x2dc
+mmci_request+0xe4/0x190
+__mmc_start_request+0x68/0x140
+mmc_start_request+0x94/0xc0
+mmc_wait_for_req+0x70/0x100
+mmc_send_tuning+0x108/0x1ac
+sdmmc_execute_tuning+0x14c/0x210
+mmc_execute_tuning+0x48/0xec
+mmc_sd_init_uhs_card.part.0+0x208/0x464
+mmc_sd_init_card+0x318/0x89c
+mmc_attach_sd+0xe4/0x180
+mmc_rescan+0x244/0x320
+
+DMA API debug brings to light leaking dma-mappings as dma_map_sg and
+dma_unmap_sg are not correctly balanced.
+
+If an error occurs in mmci_cmd_irq function, only mmci_dma_error
+function is called and as this API is not managed on stm32 variant,
+dma_unmap_sg is never called in this error path.
+
+Signed-off-by: Christophe Kerello <christophe.kerello@foss.st.com>
+Fixes: 46b723dd867d ("mmc: mmci: add stm32 sdmmc variant")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20240207143951.938144-1-christophe.kerello@foss.st.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/mmci_stm32_sdmmc.c |   24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+--- a/drivers/mmc/host/mmci_stm32_sdmmc.c
++++ b/drivers/mmc/host/mmci_stm32_sdmmc.c
+@@ -225,6 +225,8 @@ static int sdmmc_idma_start(struct mmci_
+       struct scatterlist *sg;
+       int i;
++      host->dma_in_progress = true;
++
+       if (!host->variant->dma_lli || data->sg_len == 1 ||
+           idma->use_bounce_buffer) {
+               u32 dma_addr;
+@@ -263,9 +265,30 @@ static int sdmmc_idma_start(struct mmci_
+       return 0;
+ }
++static void sdmmc_idma_error(struct mmci_host *host)
++{
++      struct mmc_data *data = host->data;
++      struct sdmmc_idma *idma = host->dma_priv;
++
++      if (!dma_inprogress(host))
++              return;
++
++      writel_relaxed(0, host->base + MMCI_STM32_IDMACTRLR);
++      host->dma_in_progress = false;
++      data->host_cookie = 0;
++
++      if (!idma->use_bounce_buffer)
++              dma_unmap_sg(mmc_dev(host->mmc), data->sg, data->sg_len,
++                           mmc_get_dma_dir(data));
++}
++
+ static void sdmmc_idma_finalize(struct mmci_host *host, struct mmc_data *data)
+ {
++      if (!dma_inprogress(host))
++              return;
++
+       writel_relaxed(0, host->base + MMCI_STM32_IDMACTRLR);
++      host->dma_in_progress = false;
+       if (!data->host_cookie)
+               sdmmc_idma_unprep_data(host, data, 0);
+@@ -676,6 +699,7 @@ static struct mmci_host_ops sdmmc_varian
+       .dma_setup = sdmmc_idma_setup,
+       .dma_start = sdmmc_idma_start,
+       .dma_finalize = sdmmc_idma_finalize,
++      .dma_error = sdmmc_idma_error,
+       .set_clkreg = mmci_sdmmc_set_clkreg,
+       .set_pwrreg = mmci_sdmmc_set_pwrreg,
+       .busy_complete = sdmmc_busy_complete,
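Review bot: sdmmc_idma_error() loads `host->data` and then writes `data->host_cookie` and reads `data->sg` with only the `dma_inprogress(host)` guard in front of it; whether `host->data` can already be NULL when the error callback runs depends on callers outside this patch. Either a comment stating that the caller guarantees a non-NULL `host->data`, or an explicit check before the first dereference, would make the assumption visible. The stop sequence (`writel_relaxed(0, host->base + MMCI_STM32_IDMACTRLR)` followed by `host->dma_in_progress = false`) is now duplicated in sdmmc_idma_error() and sdmmc_idma_finalize(), and a one-line comment that `dma_in_progress` is what keeps the unmap from running twice would help the next reader. sdmmc_idma_start() and the ops table are only partly visible in these hunks.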
diff --git a/queue-6.7/mmc-sdhci-xenon-add-timeout-for-phy-init-complete.patch b/queue-6.7/mmc-sdhci-xenon-add-timeout-for-phy-init-complete.patch
new file mode 100644 (file)
index 0000000..f6715a8
--- /dev/null
@@ -0,0 +1,75 @@
+From 09e23823ae9a3e2d5d20f2e1efe0d6e48cef9129 Mon Sep 17 00:00:00 2001
+From: Elad Nachman <enachman@marvell.com>
+Date: Thu, 22 Feb 2024 21:17:14 +0200
+Subject: mmc: sdhci-xenon: add timeout for PHY init complete
+
+From: Elad Nachman <enachman@marvell.com>
+
+commit 09e23823ae9a3e2d5d20f2e1efe0d6e48cef9129 upstream.
+
+AC5X spec says PHY init complete bit must be polled until zero.
+We see cases in which timeout can take longer than the standard
+calculation on AC5X, which is expected following the spec comment above.
+According to the spec, we must wait as long as it takes for that bit to
+toggle on AC5X.
+Cap that with 100 delay loops so we won't get stuck forever.
+
+Fixes: 06c8b667ff5b ("mmc: sdhci-xenon: Add support to PHYs of Marvell Xenon SDHC")
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Elad Nachman <enachman@marvell.com>
+Link: https://lore.kernel.org/r/20240222191714.1216470-3-enachman@marvell.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-xenon-phy.c |   29 ++++++++++++++++++++---------
+ 1 file changed, 20 insertions(+), 9 deletions(-)
+
+--- a/drivers/mmc/host/sdhci-xenon-phy.c
++++ b/drivers/mmc/host/sdhci-xenon-phy.c
+@@ -109,6 +109,8 @@
+ #define XENON_EMMC_PHY_LOGIC_TIMING_ADJUST    (XENON_EMMC_PHY_REG_BASE + 0x18)
+ #define XENON_LOGIC_TIMING_VALUE              0x00AA8977
++#define XENON_MAX_PHY_TIMEOUT_LOOPS           100
++
+ /*
+  * List offset of PHY registers and some special register values
+  * in eMMC PHY 5.0 or eMMC PHY 5.1
+@@ -259,18 +261,27 @@ static int xenon_emmc_phy_init(struct sd
+       /* get the wait time */
+       wait /= clock;
+       wait++;
+-      /* wait for host eMMC PHY init completes */
+-      udelay(wait);
+-      reg = sdhci_readl(host, phy_regs->timing_adj);
+-      reg &= XENON_PHY_INITIALIZAION;
+-      if (reg) {
++      /*
++       * AC5X spec says bit must be polled until zero.
++       * We see cases in which timeout can take longer
++       * than the standard calculation on AC5X, which is
++       * expected following the spec comment above.
++       * According to the spec, we must wait as long as
++       * it takes for that bit to toggle on AC5X.
++       * Cap that with 100 delay loops so we won't get
++       * stuck here forever:
++       */
++
++      ret = read_poll_timeout(sdhci_readl, reg,
++                              !(reg & XENON_PHY_INITIALIZAION),
++                              wait, XENON_MAX_PHY_TIMEOUT_LOOPS * wait,
++                              false, host, phy_regs->timing_adj);
++      if (ret)
+               dev_err(mmc_dev(host->mmc), "eMMC PHY init cannot complete after %d us\n",
+-                      wait);
+-              return -ETIMEDOUT;
+-      }
++                      wait * XENON_MAX_PHY_TIMEOUT_LOOPS);
+-      return 0;
++      return ret;
+ }
+ #define ARMADA_3700_SOC_PAD_1_8V      0x1
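Review bot: The new polling code in xenon_emmc_phy_init() assigns to `ret` and calls `read_poll_timeout()`, but neither a declaration of `ret` nor an include of `<linux/iopoll.h>` is part of this patch; both appear in mmc-sdhci-xenon-fix-phy-init-clock-stability.patch, which the series list on this page places after this one. The top of the function is outside the hunk, so `ret` may already be declared there, but it is worth checking that the tree builds with this patch applied and the following one not, so the queue stays bisectable. If it does not, swapping the two entries in the series or carrying the declaration and include in this patch would resolve it.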
diff --git a/queue-6.7/mmc-sdhci-xenon-fix-phy-init-clock-stability.patch b/queue-6.7/mmc-sdhci-xenon-fix-phy-init-clock-stability.patch
new file mode 100644 (file)
index 0000000..5492f70
--- /dev/null
@@ -0,0 +1,68 @@
+From 8e9f25a290ae0016353c9ea13314c95fb3207812 Mon Sep 17 00:00:00 2001
+From: Elad Nachman <enachman@marvell.com>
+Date: Thu, 22 Feb 2024 22:09:30 +0200
+Subject: mmc: sdhci-xenon: fix PHY init clock stability
+
+From: Elad Nachman <enachman@marvell.com>
+
+commit 8e9f25a290ae0016353c9ea13314c95fb3207812 upstream.
+
+Each time SD/mmc phy is initialized, at times, in some of
+the attempts, phy fails to completes its initialization
+which results into timeout error. Per the HW spec, it is
+a pre-requisite to ensure a stable SD clock before a phy
+initialization is attempted.
+
+Fixes: 06c8b667ff5b ("mmc: sdhci-xenon: Add support to PHYs of Marvell Xenon SDHC")
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Elad Nachman <enachman@marvell.com>
+Link: https://lore.kernel.org/r/20240222200930.1277665-1-enachman@marvell.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-xenon-phy.c |   19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/drivers/mmc/host/sdhci-xenon-phy.c
++++ b/drivers/mmc/host/sdhci-xenon-phy.c
+@@ -11,6 +11,7 @@
+ #include <linux/slab.h>
+ #include <linux/delay.h>
+ #include <linux/ktime.h>
++#include <linux/iopoll.h>
+ #include <linux/of_address.h>
+ #include "sdhci-pltfm.h"
+@@ -218,6 +219,19 @@ static int xenon_alloc_emmc_phy(struct s
+       return 0;
+ }
++static int xenon_check_stability_internal_clk(struct sdhci_host *host)
++{
++      u32 reg;
++      int err;
++
++      err = read_poll_timeout(sdhci_readw, reg, reg & SDHCI_CLOCK_INT_STABLE,
++                              1100, 20000, false, host, SDHCI_CLOCK_CONTROL);
++      if (err)
++              dev_err(mmc_dev(host->mmc), "phy_init: Internal clock never stabilized.\n");
++
++      return err;
++}
++
+ /*
+  * eMMC 5.0/5.1 PHY init/re-init.
+  * eMMC PHY init should be executed after:
+@@ -234,6 +248,11 @@ static int xenon_emmc_phy_init(struct sd
+       struct xenon_priv *priv = sdhci_pltfm_priv(pltfm_host);
+       struct xenon_emmc_phy_regs *phy_regs = priv->emmc_phy_regs;
++      int ret = xenon_check_stability_internal_clk(host);
++
++      if (ret)
++              return ret;
++
+       reg = sdhci_readl(host, phy_regs->timing_adj);
+       reg |= XENON_PHY_INITIALIZAION;
+       sdhci_writel(host, reg, phy_regs->timing_adj);
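Review bot: In xenon_check_stability_internal_clk() the poll interval and the timeout are bare literals (`1100, 20000`) with no unit or source given; named constants, for example `#define XENON_INT_CLK_POLL_US 1100` and `#define XENON_INT_CLK_TIMEOUT_US 20000`, or a comment citing where the values come from, would make them reviewable. `reg` is declared `u32` but filled by `sdhci_readw`, so `u16 reg;` would match the accessor. In xenon_emmc_phy_init() the register poll runs inside a declaration initializer (`int ret = xenon_check_stability_internal_clk(host);`); declaring `ret` and calling the helper on its own line reads more clearly. xenon_emmc_phy_init() continues outside the hunk.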
diff --git a/queue-6.7/mtd-rawnand-marvell-fix-layouts.patch b/queue-6.7/mtd-rawnand-marvell-fix-layouts.patch
new file mode 100644 (file)
index 0000000..dc51a5e
--- /dev/null
@@ -0,0 +1,49 @@
+From e6a30d0c48a1e8a68f1cc413bee65302ab03ddfb Mon Sep 17 00:00:00 2001
+From: Elad Nachman <enachman@marvell.com>
+Date: Mon, 5 Feb 2024 15:44:35 +0200
+Subject: mtd: rawnand: marvell: fix layouts
+
+From: Elad Nachman <enachman@marvell.com>
+
+commit e6a30d0c48a1e8a68f1cc413bee65302ab03ddfb upstream.
+
+The check in nand_base.c, nand_scan_tail() : has the following code:
+(ecc->steps * ecc->size != mtd->writesize) which fails for some NAND chips.
+Remove ECC entries in this driver which are not integral multiplications,
+and adjust the number of chunks for entries which fails the above
+calculation so it will calculate correctly (this was previously done
+automatically before the check and was removed in a later commit).
+
+Fixes: 68c18dae6888 ("mtd: rawnand: marvell: add missing layouts")
+Cc: stable@vger.kernel.org
+Signed-off-by: Elad Nachman <enachman@marvell.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/marvell_nand.c |   13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/drivers/mtd/nand/raw/marvell_nand.c
++++ b/drivers/mtd/nand/raw/marvell_nand.c
+@@ -290,16 +290,13 @@ static const struct marvell_hw_ecc_layou
+       MARVELL_LAYOUT( 2048,   512,  4,  1,  1, 2048, 32, 30,  0,  0,  0),
+       MARVELL_LAYOUT( 2048,   512,  8,  2,  1, 1024,  0, 30,1024,32, 30),
+       MARVELL_LAYOUT( 2048,   512,  8,  2,  1, 1024,  0, 30,1024,64, 30),
+-      MARVELL_LAYOUT( 2048,   512,  12, 3,  2, 704,   0, 30,640,  0, 30),
+-      MARVELL_LAYOUT( 2048,   512,  16, 5,  4, 512,   0, 30,  0, 32, 30),
++      MARVELL_LAYOUT( 2048,   512,  16, 4,  4, 512,   0, 30,  0, 32, 30),
+       MARVELL_LAYOUT( 4096,   512,  4,  2,  2, 2048, 32, 30,  0,  0,  0),
+-      MARVELL_LAYOUT( 4096,   512,  8,  5,  4, 1024,  0, 30,  0, 64, 30),
+-      MARVELL_LAYOUT( 4096,   512,  12, 6,  5, 704,   0, 30,576, 32, 30),
+-      MARVELL_LAYOUT( 4096,   512,  16, 9,  8, 512,   0, 30,  0, 32, 30),
++      MARVELL_LAYOUT( 4096,   512,  8,  4,  4, 1024,  0, 30,  0, 64, 30),
++      MARVELL_LAYOUT( 4096,   512,  16, 8,  8, 512,   0, 30,  0, 32, 30),
+       MARVELL_LAYOUT( 8192,   512,  4,  4,  4, 2048,  0, 30,  0,  0,  0),
+-      MARVELL_LAYOUT( 8192,   512,  8,  9,  8, 1024,  0, 30,  0, 160, 30),
+-      MARVELL_LAYOUT( 8192,   512,  12, 12, 11, 704,  0, 30,448,  64, 30),
+-      MARVELL_LAYOUT( 8192,   512,  16, 17, 16, 512,  0, 30,  0,  32, 30),
++      MARVELL_LAYOUT( 8192,   512,  8,  8,  8, 1024,  0, 30,  0, 160, 30),
++      MARVELL_LAYOUT( 8192,   512,  16, 16, 16, 512,  0, 30,  0,  32, 30),
+ };
+ /**
diff --git a/queue-6.7/revert-drm-amd-pm-resolve-reboot-exception-for-si-oland.patch b/queue-6.7/revert-drm-amd-pm-resolve-reboot-exception-for-si-oland.patch
new file mode 100644 (file)
index 0000000..0966a77
--- /dev/null
@@ -0,0 +1,69 @@
+From 955558030954b9637b41c97b730f9b38c92ac488 Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Wed, 9 Aug 2023 15:06:00 -0400
+Subject: Revert "drm/amd/pm: resolve reboot exception for si oland"
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 955558030954b9637b41c97b730f9b38c92ac488 upstream.
+
+This reverts commit e490d60a2f76bff636c68ce4fe34c1b6c34bbd86.
+
+This causes hangs on SI when DC is enabled and errors on driver
+reboot and power off cycles.
+
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3216
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/2755
+Reviewed-by: Yang Wang <kevinyang.wang@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c |   29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+--- a/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c
++++ b/drivers/gpu/drm/amd/pm/legacy-dpm/si_dpm.c
+@@ -6925,6 +6925,23 @@ static int si_dpm_enable(struct amdgpu_d
+       return 0;
+ }
++static int si_set_temperature_range(struct amdgpu_device *adev)
++{
++      int ret;
++
++      ret = si_thermal_enable_alert(adev, false);
++      if (ret)
++              return ret;
++      ret = si_thermal_set_temperature_range(adev, R600_TEMP_RANGE_MIN, R600_TEMP_RANGE_MAX);
++      if (ret)
++              return ret;
++      ret = si_thermal_enable_alert(adev, true);
++      if (ret)
++              return ret;
++
++      return ret;
++}
++
+ static void si_dpm_disable(struct amdgpu_device *adev)
+ {
+       struct rv7xx_power_info *pi = rv770_get_pi(adev);
+@@ -7608,6 +7625,18 @@ static int si_dpm_process_interrupt(stru
+ static int si_dpm_late_init(void *handle)
+ {
++      int ret;
++      struct amdgpu_device *adev = (struct amdgpu_device *)handle;
++
++      if (!adev->pm.dpm_enabled)
++              return 0;
++
++      ret = si_set_temperature_range(adev);
++      if (ret)
++              return ret;
++#if 0 //TODO ?
++      si_dpm_powergate_uvd(adev, true);
++#endif
+       return 0;
+ }
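Review bot: si_set_temperature_range() disables the thermal alert first and returns immediately if si_thermal_set_temperature_range() fails, so on that error path the alert is left disabled; whether it was enabled beforehand is not visible here. If that is intended it deserves a comment, otherwise the error branch should restore the alert before returning. The last check is redundant (`if (ret) return ret;` directly followed by `return ret;`) and can be written as `return si_thermal_enable_alert(adev, true);`. In si_dpm_late_init() the `#if 0 //TODO ?` block is dead code and would be better deleted or replaced by a comment saying why UVD powergating is not done at this point.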
index 08ee3e06a10d049fdbbc5dca12910dd2a551bb3e..78f5fdedf9bd5af5c683eacbabf819b4fb654ed8 100644 (file)
@@ -79,3 +79,26 @@ alsa-hda-realtek-enable-mute-led-on-hp-840-g8-mb-8ab8.patch
 alsa-hda-realtek-fix-mute-micmute-led-for-hp-mt440.patch
 alsa-hda-realtek-add-special-fixup-for-lenovo-14irp8.patch
 bluetooth-hci_bcm4377-do-not-mark-valid-bd_addr-as-invalid.patch
+landlock-fix-asymmetric-private-inodes-referring.patch
+gtp-fix-use-after-free-and-null-ptr-deref-in-gtp_newlink.patch
+mm-cachestat-fix-folio-read-after-free-in-cache-walk.patch
+mtd-rawnand-marvell-fix-layouts.patch
+wifi-nl80211-reject-iftype-change-with-mesh-id-change.patch
+btrfs-fix-double-free-of-anonymous-device-after-snapshot-creation-failure.patch
+btrfs-dev-replace-properly-validate-device-names.patch
+btrfs-send-don-t-issue-unnecessary-zero-writes-for-trailing-hole.patch
+revert-drm-amd-pm-resolve-reboot-exception-for-si-oland.patch
+drm-buddy-fix-range-bias.patch
+drm-amdgpu-pm-fix-the-power1_min_cap-value.patch
+drm-amd-display-add-monitor-patch-for-specific-edp.patch
+soc-qcom-pmic_glink-fix-boot-when-qrtr-m.patch
+dmaengine-fsl-qdma-fix-soc-may-hang-on-16-byte-unaligned-read.patch
+crypto-arm64-neonbs-fix-out-of-bounds-access-on-short-input.patch
+dmaengine-ptdma-use-consistent-dma-masks.patch
+dmaengine-fsl-edma-correct-calculation-of-nbytes-in-multi-fifo-scenario.patch
+dmaengine-fsl-qdma-init-irq-after-reg-initialization.patch
+mmc-mmci-stm32-fix-dma-api-overlapping-mappings-warning.patch
+mmc-core-fix-emmc-initialization-with-1-bit-bus-connection.patch
+mmc-sdhci-xenon-add-timeout-for-phy-init-complete.patch
+mmc-sdhci-xenon-fix-phy-init-clock-stability.patch
+ceph-switch-to-corrected-encoding-of-max_xattr_size-in-mdsmap.patch
diff --git a/queue-6.7/soc-qcom-pmic_glink-fix-boot-when-qrtr-m.patch b/queue-6.7/soc-qcom-pmic_glink-fix-boot-when-qrtr-m.patch
new file mode 100644 (file)
index 0000000..f76c7aa
--- /dev/null
@@ -0,0 +1,95 @@
+From f79ee78767ca60e7a2c89eacd2dbdf237d97e838 Mon Sep 17 00:00:00 2001
+From: Rob Clark <robdclark@chromium.org>
+Date: Sat, 17 Feb 2024 16:02:26 +0100
+Subject: soc: qcom: pmic_glink: Fix boot when QRTR=m
+
+From: Rob Clark <robdclark@chromium.org>
+
+commit f79ee78767ca60e7a2c89eacd2dbdf237d97e838 upstream.
+
+We need to bail out before adding/removing devices if we are going to
+-EPROBE_DEFER. Otherwise boot can get stuck in a probe deferral loop due
+to a long-standing issue in driver core (see commit fbc35b45f9f6 ("Add
+documentation on meaning of -EPROBE_DEFER")).
+
+Deregistering the altmode child device can potentially also trigger bugs
+in the DRM bridge implementation, which does not expect bridges to go
+away.
+
+[DB: slightly fixed commit message by adding the word 'commit']
+Suggested-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Link: https://lore.kernel.org/r/20231213210644.8702-1-robdclark@gmail.com
+[ johan: rebase on 6.8-rc4, amend commit message and mention DRM ]
+Fixes: 58ef4ece1e41 ("soc: qcom: pmic_glink: Introduce base PMIC GLINK driver")
+Cc: <stable@vger.kernel.org>      # 6.3
+Cc: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
+Reviewed-by: Bjorn Andersson <andersson@kernel.org>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20240217150228.5788-5-johan+linaro@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/qcom/pmic_glink.c |   21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+--- a/drivers/soc/qcom/pmic_glink.c
++++ b/drivers/soc/qcom/pmic_glink.c
+@@ -268,10 +268,17 @@ static int pmic_glink_probe(struct platf
+       else
+               pg->client_mask = PMIC_GLINK_CLIENT_DEFAULT;
++      pg->pdr = pdr_handle_alloc(pmic_glink_pdr_callback, pg);
++      if (IS_ERR(pg->pdr)) {
++              ret = dev_err_probe(&pdev->dev, PTR_ERR(pg->pdr),
++                                  "failed to initialize pdr\n");
++              return ret;
++      }
++
+       if (pg->client_mask & BIT(PMIC_GLINK_CLIENT_UCSI)) {
+               ret = pmic_glink_add_aux_device(pg, &pg->ucsi_aux, "ucsi");
+               if (ret)
+-                      return ret;
++                      goto out_release_pdr_handle;
+       }
+       if (pg->client_mask & BIT(PMIC_GLINK_CLIENT_ALTMODE)) {
+               ret = pmic_glink_add_aux_device(pg, &pg->altmode_aux, "altmode");
+@@ -284,17 +291,11 @@ static int pmic_glink_probe(struct platf
+                       goto out_release_altmode_aux;
+       }
+-      pg->pdr = pdr_handle_alloc(pmic_glink_pdr_callback, pg);
+-      if (IS_ERR(pg->pdr)) {
+-              ret = dev_err_probe(&pdev->dev, PTR_ERR(pg->pdr), "failed to initialize pdr\n");
+-              goto out_release_aux_devices;
+-      }
+-
+       service = pdr_add_lookup(pg->pdr, "tms/servreg", "msm/adsp/charger_pd");
+       if (IS_ERR(service)) {
+               ret = dev_err_probe(&pdev->dev, PTR_ERR(service),
+                                   "failed adding pdr lookup for charger_pd\n");
+-              goto out_release_pdr_handle;
++              goto out_release_aux_devices;
+       }
+       mutex_lock(&__pmic_glink_lock);
+@@ -303,8 +304,6 @@ static int pmic_glink_probe(struct platf
+       return 0;
+-out_release_pdr_handle:
+-      pdr_handle_release(pg->pdr);
+ out_release_aux_devices:
+       if (pg->client_mask & BIT(PMIC_GLINK_CLIENT_BATT))
+               pmic_glink_del_aux_device(pg, &pg->ps_aux);
+@@ -314,6 +313,8 @@ out_release_altmode_aux:
+ out_release_ucsi_aux:
+       if (pg->client_mask & BIT(PMIC_GLINK_CLIENT_UCSI))
+               pmic_glink_del_aux_device(pg, &pg->ucsi_aux);
++out_release_pdr_handle:
++      pdr_handle_release(pg->pdr);
+       return ret;
+ }
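Review bot: The probe order in pmic_glink_probe() is now load-bearing, since pdr_handle_alloc() has to run before any aux device is registered so that a failure there returns without adding and removing devices, but nothing at the call site says so. A comment above the allocation, such as `/* Must precede aux device registration: a failure here must not add and remove devices (probe deferral loop). */`, would keep a later reorder from reintroducing the problem. The error branch can be shortened to `return dev_err_probe(&pdev->dev, PTR_ERR(pg->pdr), "failed to initialize pdr\n");`. A pdr_add_lookup() failure still unwinds through `out_release_aux_devices` after the devices were added; whether that call can defer is not visible here, and the start of the function and parts of the unwind path are outside these hunks.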
diff --git a/queue-6.7/wifi-nl80211-reject-iftype-change-with-mesh-id-change.patch b/queue-6.7/wifi-nl80211-reject-iftype-change-with-mesh-id-change.patch
new file mode 100644 (file)
index 0000000..9f82436
--- /dev/null
@@ -0,0 +1,42 @@
+From f78c1375339a291cba492a70eaf12ec501d28a8e Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 14 Feb 2024 20:08:35 +0100
+Subject: wifi: nl80211: reject iftype change with mesh ID change
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit f78c1375339a291cba492a70eaf12ec501d28a8e upstream.
+
+It's currently possible to change the mesh ID when the
+interface isn't yet in mesh mode, at the same time as
+changing it into mesh mode. This leads to an overwrite
+of data in the wdev->u union for the interface type it
+currently has, causing cfg80211_change_iface() to do
+wrong things when switching.
+
+We could probably allow setting an interface to mesh
+while setting the mesh ID at the same time by doing a
+different order of operations here, but realistically
+there's no userspace that's going to do this, so just
+disallow changes in iftype when setting mesh ID.
+
+Cc: stable@vger.kernel.org
+Fixes: 29cbe68c516a ("cfg80211/mac80211: add mesh join/leave commands")
+Reported-by: syzbot+dd4779978217b1973180@syzkaller.appspotmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/nl80211.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -4185,6 +4185,8 @@ static int nl80211_set_interface(struct
+               if (ntype != NL80211_IFTYPE_MESH_POINT)
+                       return -EINVAL;
++              if (otype != NL80211_IFTYPE_MESH_POINT)
++                      return -EINVAL;
+               if (netif_running(dev))
+                       return -EBUSY;
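Review bot: The added `otype` check in nl80211_set_interface() carries no comment, and without the commit message it reads like a duplicate of the `ntype` test directly above it. I would add `/* The mesh ID is stored in the wdev->u union of the current iftype; refuse to set it while the type is being changed. */` before it. The two tests return the same error and could be merged into `if (ntype != NL80211_IFTYPE_MESH_POINT || otype != NL80211_IFTYPE_MESH_POINT)`. The enclosing branch and the place where `otype` is assigned are outside the hunk.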