--- /dev/null
+From 890ed45bde808c422c3c27d3285fc45affa0f930 Mon Sep 17 00:00:00 2001
+From: Christian Brauner <brauner@kernel.org>
+Date: Tue, 11 Feb 2025 18:16:00 +0100
+Subject: acct: block access to kernel internal filesystems
+
+From: Christian Brauner <brauner@kernel.org>
+
+commit 890ed45bde808c422c3c27d3285fc45affa0f930 upstream.
+
+There's no point in allowing anything kernel internal nor procfs or
+sysfs.
+
+Link: https://lore.kernel.org/r/20250127091811.3183623-1-quzicheng@huawei.com
+Link: https://lore.kernel.org/r/20250211-work-acct-v1-2-1c16aecab8b3@kernel.org
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Amir Goldstein <amir73il@gmail.com>
+Reported-by: Zicheng Qu <quzicheng@huawei.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/acct.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/kernel/acct.c
++++ b/kernel/acct.c
+@@ -244,6 +244,20 @@ static int acct_on(struct filename *path
+ return -EACCES;
+ }
+
++ /* Exclude kernel kernel internal filesystems. */
++ if (file_inode(file)->i_sb->s_flags & (SB_NOUSER | SB_KERNMOUNT)) {
++ kfree(acct);
++ filp_close(file, NULL);
++ return -EINVAL;
++ }
++
++ /* Exclude procfs and sysfs. */
++ if (file_inode(file)->i_sb->s_iflags & SB_I_USERNS_VISIBLE) {
++ kfree(acct);
++ filp_close(file, NULL);
++ return -EINVAL;
++ }
++
+ if (!(file->f_mode & FMODE_CAN_WRITE)) {
+ kfree(acct);
+ filp_close(file, NULL);
--- /dev/null
+From 56d5f3eba3f5de0efdd556de4ef381e109b973a9 Mon Sep 17 00:00:00 2001
+From: Christian Brauner <brauner@kernel.org>
+Date: Tue, 11 Feb 2025 18:15:59 +0100
+Subject: acct: perform last write from workqueue
+
+From: Christian Brauner <brauner@kernel.org>
+
+commit 56d5f3eba3f5de0efdd556de4ef381e109b973a9 upstream.
+
+In [1] it was reported that the acct(2) system call can be used to
+trigger NULL deref in cases where it is set to write to a file that
+triggers an internal lookup. This can e.g., happen when pointing acc(2)
+to /sys/power/resume. At the point the where the write to this file
+happens the calling task has already exited and called exit_fs(). A
+lookup will thus trigger a NULL-deref when accessing current->fs.
+
+Reorganize the code so that the the final write happens from the
+workqueue but with the caller's credentials. This preserves the
+(strange) permission model and has almost no regression risk.
+
+This api should stop to exist though.
+
+Link: https://lore.kernel.org/r/20250127091811.3183623-1-quzicheng@huawei.com [1]
+Link: https://lore.kernel.org/r/20250211-work-acct-v1-1-1c16aecab8b3@kernel.org
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Zicheng Qu <quzicheng@huawei.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/acct.c | 120 +++++++++++++++++++++++++++++++++-------------------------
+ 1 file changed, 70 insertions(+), 50 deletions(-)
+
+--- a/kernel/acct.c
++++ b/kernel/acct.c
+@@ -104,48 +104,50 @@ struct bsd_acct_struct {
+ atomic_long_t count;
+ struct rcu_head rcu;
+ struct mutex lock;
+- int active;
++ bool active;
++ bool check_space;
+ unsigned long needcheck;
+ struct file *file;
+ struct pid_namespace *ns;
+ struct work_struct work;
+ struct completion done;
++ acct_t ac;
+ };
+
+-static void do_acct_process(struct bsd_acct_struct *acct);
++static void fill_ac(struct bsd_acct_struct *acct);
++static void acct_write_process(struct bsd_acct_struct *acct);
+
+ /*
+ * Check the amount of free space and suspend/resume accordingly.
+ */
+-static int check_free_space(struct bsd_acct_struct *acct)
++static bool check_free_space(struct bsd_acct_struct *acct)
+ {
+ struct kstatfs sbuf;
+
+- if (time_is_after_jiffies(acct->needcheck))
+- goto out;
++ if (!acct->check_space)
++ return acct->active;
+
+ /* May block */
+ if (vfs_statfs(&acct->file->f_path, &sbuf))
+- goto out;
++ return acct->active;
+
+ if (acct->active) {
+ u64 suspend = sbuf.f_blocks * SUSPEND;
+ do_div(suspend, 100);
+ if (sbuf.f_bavail <= suspend) {
+- acct->active = 0;
++ acct->active = false;
+ pr_info("Process accounting paused\n");
+ }
+ } else {
+ u64 resume = sbuf.f_blocks * RESUME;
+ do_div(resume, 100);
+ if (sbuf.f_bavail >= resume) {
+- acct->active = 1;
++ acct->active = true;
+ pr_info("Process accounting resumed\n");
+ }
+ }
+
+ acct->needcheck = jiffies + ACCT_TIMEOUT*HZ;
+-out:
+ return acct->active;
+ }
+
+@@ -190,7 +192,11 @@ static void acct_pin_kill(struct fs_pin
+ {
+ struct bsd_acct_struct *acct = to_acct(pin);
+ mutex_lock(&acct->lock);
+- do_acct_process(acct);
++ /*
++ * Fill the accounting struct with the exiting task's info
++ * before punting to the workqueue.
++ */
++ fill_ac(acct);
+ schedule_work(&acct->work);
+ wait_for_completion(&acct->done);
+ cmpxchg(&acct->ns->bacct, pin, NULL);
+@@ -203,6 +209,9 @@ static void close_work(struct work_struc
+ {
+ struct bsd_acct_struct *acct = container_of(work, struct bsd_acct_struct, work);
+ struct file *file = acct->file;
++
++ /* We were fired by acct_pin_kill() which holds acct->lock. */
++ acct_write_process(acct);
+ if (file->f_op->flush)
+ file->f_op->flush(file, NULL);
+ __fput_sync(file);
+@@ -431,13 +440,27 @@ static u32 encode_float(u64 value)
+ * do_exit() or when switching to a different output file.
+ */
+
+-static void fill_ac(acct_t *ac)
++static void fill_ac(struct bsd_acct_struct *acct)
+ {
+ struct pacct_struct *pacct = ¤t->signal->pacct;
++ struct file *file = acct->file;
++ acct_t *ac = &acct->ac;
+ u64 elapsed, run_time;
+ time64_t btime;
+ struct tty_struct *tty;
+
++ lockdep_assert_held(&acct->lock);
++
++ if (time_is_after_jiffies(acct->needcheck)) {
++ acct->check_space = false;
++
++ /* Don't fill in @ac if nothing will be written. */
++ if (!acct->active)
++ return;
++ } else {
++ acct->check_space = true;
++ }
++
+ /*
+ * Fill the accounting struct with the needed info as recorded
+ * by the different kernel functions.
+@@ -485,64 +508,61 @@ static void fill_ac(acct_t *ac)
+ ac->ac_majflt = encode_comp_t(pacct->ac_majflt);
+ ac->ac_exitcode = pacct->ac_exitcode;
+ spin_unlock_irq(¤t->sighand->siglock);
+-}
+-/*
+- * do_acct_process does all actual work. Caller holds the reference to file.
+- */
+-static void do_acct_process(struct bsd_acct_struct *acct)
+-{
+- acct_t ac;
+- unsigned long flim;
+- const struct cred *orig_cred;
+- struct file *file = acct->file;
+-
+- /*
+- * Accounting records are not subject to resource limits.
+- */
+- flim = rlimit(RLIMIT_FSIZE);
+- current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
+- /* Perform file operations on behalf of whoever enabled accounting */
+- orig_cred = override_creds(file->f_cred);
+
+- /*
+- * First check to see if there is enough free_space to continue
+- * the process accounting system.
+- */
+- if (!check_free_space(acct))
+- goto out;
+-
+- fill_ac(&ac);
+ /* we really need to bite the bullet and change layout */
+- ac.ac_uid = from_kuid_munged(file->f_cred->user_ns, orig_cred->uid);
+- ac.ac_gid = from_kgid_munged(file->f_cred->user_ns, orig_cred->gid);
++ ac->ac_uid = from_kuid_munged(file->f_cred->user_ns, current_uid());
++ ac->ac_gid = from_kgid_munged(file->f_cred->user_ns, current_gid());
+ #if ACCT_VERSION == 1 || ACCT_VERSION == 2
+ /* backward-compatible 16 bit fields */
+- ac.ac_uid16 = ac.ac_uid;
+- ac.ac_gid16 = ac.ac_gid;
++ ac->ac_uid16 = ac->ac_uid;
++ ac->ac_gid16 = ac->ac_gid;
+ #elif ACCT_VERSION == 3
+ {
+ struct pid_namespace *ns = acct->ns;
+
+- ac.ac_pid = task_tgid_nr_ns(current, ns);
++ ac->ac_pid = task_tgid_nr_ns(current, ns);
+ rcu_read_lock();
+- ac.ac_ppid = task_tgid_nr_ns(rcu_dereference(current->real_parent),
+- ns);
++ ac->ac_ppid = task_tgid_nr_ns(rcu_dereference(current->real_parent), ns);
+ rcu_read_unlock();
+ }
+ #endif
++}
++
++static void acct_write_process(struct bsd_acct_struct *acct)
++{
++ struct file *file = acct->file;
++ const struct cred *cred;
++ acct_t *ac = &acct->ac;
++
++ /* Perform file operations on behalf of whoever enabled accounting */
++ cred = override_creds(file->f_cred);
++
+ /*
+- * Get freeze protection. If the fs is frozen, just skip the write
+- * as we could deadlock the system otherwise.
++ * First check to see if there is enough free_space to continue
++ * the process accounting system. Then get freeze protection. If
++ * the fs is frozen, just skip the write as we could deadlock
++ * the system otherwise.
+ */
+- if (file_start_write_trylock(file)) {
++ if (check_free_space(acct) && file_start_write_trylock(file)) {
+ /* it's been opened O_APPEND, so position is irrelevant */
+ loff_t pos = 0;
+- __kernel_write(file, &ac, sizeof(acct_t), &pos);
++ __kernel_write(file, ac, sizeof(acct_t), &pos);
+ file_end_write(file);
+ }
+-out:
++
++ revert_creds(cred);
++}
++
++static void do_acct_process(struct bsd_acct_struct *acct)
++{
++ unsigned long flim;
++
++ /* Accounting records are not subject to resource limits. */
++ flim = rlimit(RLIMIT_FSIZE);
++ current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
++ fill_ac(acct);
++ acct_write_process(acct);
+ current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
+- revert_creds(orig_cred);
+ }
+
+ /**
--- /dev/null
+From 822b7ec657e99b44b874e052d8540d8b54fe8569 Mon Sep 17 00:00:00 2001
+From: Wentao Liang <vulab@iscas.ac.cn>
+Date: Thu, 13 Feb 2025 15:45:43 +0800
+Subject: ALSA: hda: Add error check for snd_ctl_rename_id() in snd_hda_create_dig_out_ctls()
+
+From: Wentao Liang <vulab@iscas.ac.cn>
+
+commit 822b7ec657e99b44b874e052d8540d8b54fe8569 upstream.
+
+Check the return value of snd_ctl_rename_id() in
+snd_hda_create_dig_out_ctls(). Ensure that failures
+are properly handled.
+
+[ Note: the error cannot happen practically because the only error
+ condition in snd_ctl_rename_id() is the missing ID, but this is a
+ rename, hence it must be present. But for the code consistency,
+ it's safer to have always the proper return check -- tiwai ]
+
+Fixes: 5c219a340850 ("ALSA: hda: Fix kctl->id initialization")
+Cc: stable@vger.kernel.org # 6.4+
+Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
+Link: https://patch.msgid.link/20250213074543.1620-1-vulab@iscas.ac.cn
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/hda_codec.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/hda_codec.c
++++ b/sound/pci/hda/hda_codec.c
+@@ -2465,7 +2465,9 @@ int snd_hda_create_dig_out_ctls(struct h
+ break;
+ id = kctl->id;
+ id.index = spdif_index;
+- snd_ctl_rename_id(codec->card, &kctl->id, &id);
++ err = snd_ctl_rename_id(codec->card, &kctl->id, &id);
++ if (err < 0)
++ return err;
+ }
+ bus->primary_dig_out_type = HDA_PCM_TYPE_HDMI;
+ }
--- /dev/null
+From 6d1f86610f23b0bc334d6506a186f21a98f51392 Mon Sep 17 00:00:00 2001
+From: John Veness <john-linux@pelago.org.uk>
+Date: Mon, 17 Feb 2025 12:15:50 +0000
+Subject: ALSA: hda/conexant: Add quirk for HP ProBook 450 G4 mute LED
+
+From: John Veness <john-linux@pelago.org.uk>
+
+commit 6d1f86610f23b0bc334d6506a186f21a98f51392 upstream.
+
+Allows the LED on the dedicated mute button on the HP ProBook 450 G4
+laptop to change colour correctly.
+
+Signed-off-by: John Veness <john-linux@pelago.org.uk>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/2fb55d48-6991-4a42-b591-4c78f2fad8d7@pelago.org.uk
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_conexant.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -1098,6 +1098,7 @@ static const struct snd_pci_quirk cxt506
+ SND_PCI_QUIRK(0x103c, 0x814f, "HP ZBook 15u G3", CXT_FIXUP_MUTE_LED_GPIO),
+ SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE),
+ SND_PCI_QUIRK(0x103c, 0x822e, "HP ProBook 440 G4", CXT_FIXUP_MUTE_LED_GPIO),
++ SND_PCI_QUIRK(0x103c, 0x8231, "HP ProBook 450 G4", CXT_FIXUP_MUTE_LED_GPIO),
+ SND_PCI_QUIRK(0x103c, 0x828c, "HP EliteBook 840 G4", CXT_FIXUP_HP_DOCK),
+ SND_PCI_QUIRK(0x103c, 0x8299, "HP 800 G3 SFF", CXT_FIXUP_HP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x829a, "HP 800 G3 DM", CXT_FIXUP_HP_MIC_NO_PRESENCE),
--- /dev/null
+From a8c9a453387640dbe45761970f41301a6985e7fa Mon Sep 17 00:00:00 2001
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Date: Thu, 16 Jan 2025 06:24:36 -0800
+Subject: ASoC: fsl_micfil: Enable default case in micfil_set_quality()
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+commit a8c9a453387640dbe45761970f41301a6985e7fa upstream.
+
+If 'micfil->quality' received from micfil_quality_set() somehow ends
+up with an unpredictable value, switch() operator will fail to
+initialize local variable qsel before regmap_update_bits() tries
+to utilize it.
+
+While it is unlikely, play it safe and enable a default case that
+returns -EINVAL error.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: bea1d61d5892 ("ASoC: fsl_micfil: rework quality setting")
+Cc: stable@vger.kernel.org
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Link: https://patch.msgid.link/20250116142436.22389-1-n.zhandarovich@fintech.ru
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/soc/fsl/fsl_micfil.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/soc/fsl/fsl_micfil.c
++++ b/sound/soc/fsl/fsl_micfil.c
+@@ -123,6 +123,8 @@ static int micfil_set_quality(struct fsl
+ case QUALITY_VLOW2:
+ qsel = MICFIL_QSEL_VLOW2_QUALITY;
+ break;
++ default:
++ return -EINVAL;
+ }
+
+ return regmap_update_bits(micfil->regmap, REG_MICFIL_CTRL2,
--- /dev/null
+From 07fb70d82e0df085980246bf17bc12537588795f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Wed, 12 Feb 2025 18:43:21 +0200
+Subject: drm/i915: Make sure all planes in use by the joiner have their crtc included
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit 07fb70d82e0df085980246bf17bc12537588795f upstream.
+
+Any active plane needs to have its crtc included in the atomic
+state. For planes enabled via uapi that is all handler in the core.
+But when we use a plane for joiner the uapi code things the plane
+is disabled and therefore doesn't have a crtc. So we need to pull
+those in by hand. We do it first thing in
+intel_joiner_add_affected_crtcs() so that any newly added crtc will
+subsequently pull in all of its joined crtcs as well.
+
+The symptoms from failing to do this are:
+- duct tape in the form of commit 1d5b09f8daf8 ("drm/i915: Fix NULL
+ ptr deref by checking new_crtc_state")
+- the plane's hw state will get overwritten by the disabled
+ uapi state if it can't find the uapi counterpart plane in
+ the atomic state from where it should copy the correct state
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20250212164330.16891-2-ville.syrjala@linux.intel.com
+(cherry picked from commit 91077d1deb5374eb8be00fb391710f00e751dc4b)
+Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/i915/display/intel_display.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/gpu/drm/i915/display/intel_display.c
++++ b/drivers/gpu/drm/i915/display/intel_display.c
+@@ -6691,12 +6691,30 @@ static int intel_async_flip_check_hw(str
+ static int intel_bigjoiner_add_affected_crtcs(struct intel_atomic_state *state)
+ {
+ struct drm_i915_private *i915 = to_i915(state->base.dev);
++ const struct intel_plane_state *plane_state;
+ struct intel_crtc_state *crtc_state;
++ struct intel_plane *plane;
+ struct intel_crtc *crtc;
+ u8 affected_pipes = 0;
+ u8 modeset_pipes = 0;
+ int i;
+
++ /*
++ * Any plane which is in use by the joiner needs its crtc.
++ * Pull those in first as this will not have happened yet
++ * if the plane remains disabled according to uapi.
++ */
++ for_each_new_intel_plane_in_state(state, plane, plane_state, i) {
++ crtc = to_intel_crtc(plane_state->hw.crtc);
++ if (!crtc)
++ continue;
++
++ crtc_state = intel_atomic_get_crtc_state(&state->base, crtc);
++ if (IS_ERR(crtc_state))
++ return PTR_ERR(crtc_state);
++ }
++
++ /* Now pull in all joined crtcs */
+ for_each_new_intel_crtc_in_state(state, crtc, crtc_state, i) {
+ affected_pipes |= crtc_state->bigjoiner_pipes;
+ if (intel_crtc_needs_modeset(crtc_state))
--- /dev/null
+From f063ac6b55df03ed25996bdc84d9e1c50147cfa1 Mon Sep 17 00:00:00 2001
+From: Jessica Zhang <quic_jesszhan@quicinc.com>
+Date: Tue, 11 Feb 2025 19:59:19 -0800
+Subject: drm/msm/dpu: Disable dither in phys encoder cleanup
+
+From: Jessica Zhang <quic_jesszhan@quicinc.com>
+
+commit f063ac6b55df03ed25996bdc84d9e1c50147cfa1 upstream.
+
+Disable pingpong dither in dpu_encoder_helper_phys_cleanup().
+
+This avoids the issue where an encoder unknowingly uses dither after
+reserving a pingpong block that was previously bound to an encoder that
+had enabled dither.
+
+Cc: stable@vger.kernel.org
+Reported-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Closes: https://lore.kernel.org/all/jr7zbj5w7iq4apg3gofuvcwf4r2swzqjk7sshwcdjll4mn6ctt@l2n3qfpujg3q/
+Signed-off-by: Jessica Zhang <quic_jesszhan@quicinc.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Fixes: 3c128638a07d ("drm/msm/dpu: add support for dither block in display")
+Patchwork: https://patchwork.freedesktop.org/patch/636517/
+Link: https://lore.kernel.org/r/20250211-dither-disable-v1-1-ac2cb455f6b9@quicinc.com
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
++++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_encoder.c
+@@ -2059,6 +2059,9 @@ void dpu_encoder_helper_phys_cleanup(str
+ }
+ }
+
++ if (phys_enc->hw_pp && phys_enc->hw_pp->ops.setup_dither)
++ phys_enc->hw_pp->ops.setup_dither(phys_enc->hw_pp, NULL);
++
+ /* reset the merge 3D HW block */
+ if (phys_enc->hw_pp && phys_enc->hw_pp->merge_3d) {
+ phys_enc->hw_pp->merge_3d->ops.setup_3d_mode(phys_enc->hw_pp->merge_3d,
--- /dev/null
+From 07b598c0e6f06a0f254c88dafb4ad50f8a8c6eea Mon Sep 17 00:00:00 2001
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+Date: Thu, 13 Feb 2025 15:20:55 +0000
+Subject: drop_monitor: fix incorrect initialization order
+
+From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
+
+commit 07b598c0e6f06a0f254c88dafb4ad50f8a8c6eea upstream.
+
+Syzkaller reports the following bug:
+
+BUG: spinlock bad magic on CPU#1, syz-executor.0/7995
+ lock: 0xffff88805303f3e0, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0
+CPU: 1 PID: 7995 Comm: syz-executor.0 Tainted: G E 5.10.209+ #1
+Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x119/0x179 lib/dump_stack.c:118
+ debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]
+ do_raw_spin_lock+0x1f6/0x270 kernel/locking/spinlock_debug.c:112
+ __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:117 [inline]
+ _raw_spin_lock_irqsave+0x50/0x70 kernel/locking/spinlock.c:159
+ reset_per_cpu_data+0xe6/0x240 [drop_monitor]
+ net_dm_cmd_trace+0x43d/0x17a0 [drop_monitor]
+ genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739
+ genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
+ genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800
+ netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2497
+ genl_rcv+0x29/0x40 net/netlink/genetlink.c:811
+ netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]
+ netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1348
+ netlink_sendmsg+0x914/0xe00 net/netlink/af_netlink.c:1916
+ sock_sendmsg_nosec net/socket.c:651 [inline]
+ __sock_sendmsg+0x157/0x190 net/socket.c:663
+ ____sys_sendmsg+0x712/0x870 net/socket.c:2378
+ ___sys_sendmsg+0xf8/0x170 net/socket.c:2432
+ __sys_sendmsg+0xea/0x1b0 net/socket.c:2461
+ do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x62/0xc7
+RIP: 0033:0x7f3f9815aee9
+Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
+RSP: 002b:00007f3f972bf0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00007f3f9826d050 RCX: 00007f3f9815aee9
+RDX: 0000000020000000 RSI: 0000000020001300 RDI: 0000000000000007
+RBP: 00007f3f981b63bd R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 000000000000006e R14: 00007f3f9826d050 R15: 00007ffe01ee6768
+
+If drop_monitor is built as a kernel module, syzkaller may have time
+to send a netlink NET_DM_CMD_START message during the module loading.
+This will call the net_dm_monitor_start() function that uses
+a spinlock that has not yet been initialized.
+
+To fix this, let's place resource initialization above the registration
+of a generic netlink family.
+
+Found by InfoTeCS on behalf of Linux Verification Center
+(linuxtesting.org) with Syzkaller.
+
+Fixes: 9a8afc8d3962 ("Network Drop Monitor: Adding drop monitor implementation & Netlink protocol")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ilia Gavrilov <Ilia.Gavrilov@infotecs.ru>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Link: https://patch.msgid.link/20250213152054.2785669-1-Ilia.Gavrilov@infotecs.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/drop_monitor.c | 29 ++++++++++++++---------------
+ 1 file changed, 14 insertions(+), 15 deletions(-)
+
+--- a/net/core/drop_monitor.c
++++ b/net/core/drop_monitor.c
+@@ -1716,30 +1716,30 @@ static int __init init_net_drop_monitor(
+ return -ENOSPC;
+ }
+
+- rc = genl_register_family(&net_drop_monitor_family);
+- if (rc) {
+- pr_err("Could not create drop monitor netlink family\n");
+- return rc;
++ for_each_possible_cpu(cpu) {
++ net_dm_cpu_data_init(cpu);
++ net_dm_hw_cpu_data_init(cpu);
+ }
+- WARN_ON(net_drop_monitor_family.mcgrp_offset != NET_DM_GRP_ALERT);
+
+ rc = register_netdevice_notifier(&dropmon_net_notifier);
+ if (rc < 0) {
+ pr_crit("Failed to register netdevice notifier\n");
++ return rc;
++ }
++
++ rc = genl_register_family(&net_drop_monitor_family);
++ if (rc) {
++ pr_err("Could not create drop monitor netlink family\n");
+ goto out_unreg;
+ }
++ WARN_ON(net_drop_monitor_family.mcgrp_offset != NET_DM_GRP_ALERT);
+
+ rc = 0;
+
+- for_each_possible_cpu(cpu) {
+- net_dm_cpu_data_init(cpu);
+- net_dm_hw_cpu_data_init(cpu);
+- }
+-
+ goto out;
+
+ out_unreg:
+- genl_unregister_family(&net_drop_monitor_family);
++ WARN_ON(unregister_netdevice_notifier(&dropmon_net_notifier));
+ out:
+ return rc;
+ }
+@@ -1748,19 +1748,18 @@ static void exit_net_drop_monitor(void)
+ {
+ int cpu;
+
+- BUG_ON(unregister_netdevice_notifier(&dropmon_net_notifier));
+-
+ /*
+ * Because of the module_get/put we do in the trace state change path
+ * we are guaranteed not to have any current users when we get here
+ */
++ BUG_ON(genl_unregister_family(&net_drop_monitor_family));
++
++ BUG_ON(unregister_netdevice_notifier(&dropmon_net_notifier));
+
+ for_each_possible_cpu(cpu) {
+ net_dm_hw_cpu_data_fini(cpu);
+ net_dm_cpu_data_fini(cpu);
+ }
+-
+- BUG_ON(genl_unregister_family(&net_drop_monitor_family));
+ }
+
+ module_init(init_net_drop_monitor);
--- /dev/null
+From c158647c107358bf1be579f98e4bb705c1953292 Mon Sep 17 00:00:00 2001
+From: Komal Bajaj <quic_kbajaj@quicinc.com>
+Date: Tue, 19 Nov 2024 12:16:08 +0530
+Subject: EDAC/qcom: Correct interrupt enable register configuration
+
+From: Komal Bajaj <quic_kbajaj@quicinc.com>
+
+commit c158647c107358bf1be579f98e4bb705c1953292 upstream.
+
+The previous implementation incorrectly configured the cmn_interrupt_2_enable
+register for interrupt handling. Using cmn_interrupt_2_enable to configure
+Tag, Data RAM ECC interrupts would lead to issues like double handling of the
+interrupts (EL1 and EL3) as cmn_interrupt_2_enable is meant to be configured
+for interrupts which needs to be handled by EL3.
+
+EL1 LLCC EDAC driver needs to use cmn_interrupt_0_enable register to configure
+Tag, Data RAM ECC interrupts instead of cmn_interrupt_2_enable.
+
+Fixes: 27450653f1db ("drivers: edac: Add EDAC driver support for QCOM SoCs")
+Signed-off-by: Komal Bajaj <quic_kbajaj@quicinc.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Cc: <stable@kernel.org>
+Link: https://lore.kernel.org/r/20241119064608.12326-1-quic_kbajaj@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/edac/qcom_edac.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/edac/qcom_edac.c
++++ b/drivers/edac/qcom_edac.c
+@@ -95,7 +95,7 @@ static int qcom_llcc_core_setup(struct l
+ * Configure interrupt enable registers such that Tag, Data RAM related
+ * interrupts are propagated to interrupt controller for servicing
+ */
+- ret = regmap_update_bits(llcc_bcast_regmap, drv->edac_reg_offset->cmn_interrupt_2_enable,
++ ret = regmap_update_bits(llcc_bcast_regmap, drv->edac_reg_offset->cmn_interrupt_0_enable,
+ TRP0_INTERRUPT_ENABLE,
+ TRP0_INTERRUPT_ENABLE);
+ if (ret)
+@@ -113,7 +113,7 @@ static int qcom_llcc_core_setup(struct l
+ if (ret)
+ return ret;
+
+- ret = regmap_update_bits(llcc_bcast_regmap, drv->edac_reg_offset->cmn_interrupt_2_enable,
++ ret = regmap_update_bits(llcc_bcast_regmap, drv->edac_reg_offset->cmn_interrupt_0_enable,
+ DRP0_INTERRUPT_ENABLE,
+ DRP0_INTERRUPT_ENABLE);
+ if (ret)
--- /dev/null
+From 57b76bedc5c52c66968183b5ef57234894c25ce7 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Date: Thu, 20 Feb 2025 15:07:49 +0100
+Subject: ftrace: Correct preemption accounting for function tracing.
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+commit 57b76bedc5c52c66968183b5ef57234894c25ce7 upstream.
+
+The function tracer should record the preemption level at the point when
+the function is invoked. If the tracing subsystem decrement the
+preemption counter it needs to correct this before feeding the data into
+the trace buffer. This was broken in the commit cited below while
+shifting the preempt-disabled section.
+
+Use tracing_gen_ctx_dec() which properly subtracts one from the
+preemption counter on a preemptible kernel.
+
+Cc: stable@vger.kernel.org
+Cc: Wander Lairson Costa <wander@redhat.com>
+Cc: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/20250220140749.pfw8qoNZ@linutronix.de
+Fixes: ce5e48036c9e7 ("ftrace: disable preemption when recursion locked")
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Tested-by: Wander Lairson Costa <wander@redhat.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace_functions.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/kernel/trace/trace_functions.c
++++ b/kernel/trace/trace_functions.c
+@@ -185,7 +185,7 @@ function_trace_call(unsigned long ip, un
+ if (bit < 0)
+ return;
+
+- trace_ctx = tracing_gen_ctx();
++ trace_ctx = tracing_gen_ctx_dec();
+
+ cpu = smp_processor_id();
+ data = per_cpu_ptr(tr->array_buffer.data, cpu);
+@@ -285,7 +285,6 @@ function_no_repeats_trace_call(unsigned
+ struct trace_array *tr = op->private;
+ struct trace_array_cpu *data;
+ unsigned int trace_ctx;
+- unsigned long flags;
+ int bit;
+ int cpu;
+
+@@ -312,8 +311,7 @@ function_no_repeats_trace_call(unsigned
+ if (is_repeat_check(tr, last_info, ip, parent_ip))
+ goto out;
+
+- local_save_flags(flags);
+- trace_ctx = tracing_gen_ctx_flags(flags);
++ trace_ctx = tracing_gen_ctx_dec();
+ process_repeats(tr, ip, parent_ip, last_info, trace_ctx);
+
+ trace_function(tr, ip, parent_ip, trace_ctx);
--- /dev/null
+From 8eb4b09e0bbd30981305643229fe7640ad41b667 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <rostedt@goodmis.org>
+Date: Thu, 20 Feb 2025 15:20:11 -0500
+Subject: ftrace: Do not add duplicate entries in subops manager ops
+
+From: Steven Rostedt <rostedt@goodmis.org>
+
+commit 8eb4b09e0bbd30981305643229fe7640ad41b667 upstream.
+
+Check if a function is already in the manager ops of a subops. A manager
+ops contains multiple subops, and if two or more subops are tracing the
+same function, the manager ops only needs a single entry in its hash.
+
+Cc: stable@vger.kernel.org
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Sven Schnelle <svens@linux.ibm.com>
+Cc: Vasily Gorbik <gor@linux.ibm.com>
+Cc: Alexander Gordeev <agordeev@linux.ibm.com>
+Link: https://lore.kernel.org/20250220202055.226762894@goodmis.org
+Fixes: 4f554e955614f ("ftrace: Add ftrace_set_filter_ips function")
+Tested-by: Heiko Carstens <hca@linux.ibm.com>
+Reviewed-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/ftrace.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -5108,6 +5108,9 @@ __ftrace_match_addr(struct ftrace_hash *
+ return -ENOENT;
+ free_hash_entry(hash, entry);
+ return 0;
++ } else if (__ftrace_lookup_ip(hash, ip) != NULL) {
++ /* Already exists */
++ return 0;
+ }
+
+ return add_hash_entry(hash, ip);
--- /dev/null
+From 2ede647a6fde3e54a6bfda7cf01c716649655900 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ricardo=20Ca=C3=B1uelo=20Navarro?= <rcn@igalia.com>
+Date: Mon, 3 Feb 2025 08:52:06 +0100
+Subject: mm,madvise,hugetlb: check for 0-length range after end address adjustment
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ricardo Cañuelo Navarro <rcn@igalia.com>
+
+commit 2ede647a6fde3e54a6bfda7cf01c716649655900 upstream.
+
+Add a sanity check to madvise_dontneed_free() to address a corner case in
+madvise where a race condition causes the current vma being processed to
+be backed by a different page size.
+
+During a madvise(MADV_DONTNEED) call on a memory region registered with a
+userfaultfd, there's a period of time where the process mm lock is
+temporarily released in order to send a UFFD_EVENT_REMOVE and let
+userspace handle the event. During this time, the vma covering the
+current address range may change due to an explicit mmap done concurrently
+by another thread.
+
+If, after that change, the memory region, which was originally backed by
+4KB pages, is now backed by hugepages, the end address is rounded down to
+a hugepage boundary to avoid data loss (see "Fixes" below). This rounding
+may cause the end address to be truncated to the same address as the
+start.
+
+Make this corner case follow the same semantics as in other similar cases
+where the requested region has zero length (ie. return 0).
+
+This will make madvise_walk_vmas() continue to the next vma in the range
+(this time holding the process mm lock) which, due to the prev pointer
+becoming stale because of the vma change, will be the same hugepage-backed
+vma that was just checked before. The next time madvise_dontneed_free()
+runs for this vma, if the start address isn't aligned to a hugepage
+boundary, it'll return -EINVAL, which is also in line with the madvise
+api.
+
+From userspace perspective, madvise() will return EINVAL because the start
+address isn't aligned according to the new vma alignment requirements
+(hugepage), even though it was correctly page-aligned when the call was
+issued.
+
+Link: https://lkml.kernel.org/r/20250203075206.1452208-1-rcn@igalia.com
+Fixes: 8ebe0a5eaaeb ("mm,madvise,hugetlb: fix unexpected data loss with MADV_DONTNEED on hugetlbfs")
+Signed-off-by: Ricardo Cañuelo Navarro <rcn@igalia.com>
+Reviewed-by: Oscar Salvador <osalvador@suse.de>
+Cc: Florent Revest <revest@google.com>
+Cc: Rik van Riel <riel@surriel.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/madvise.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/mm/madvise.c
++++ b/mm/madvise.c
+@@ -879,7 +879,16 @@ static long madvise_dontneed_free(struct
+ */
+ end = vma->vm_end;
+ }
+- VM_WARN_ON(start >= end);
++ /*
++ * If the memory region between start and end was
++ * originally backed by 4kB pages and then remapped to
++ * be backed by hugepages while mmap_lock was dropped,
++ * the adjustment for hugetlb vma above may have rounded
++ * end down to the start address.
++ */
++ if (start == end)
++ return 0;
++ VM_WARN_ON(start > end);
+ }
+
+ if (behavior == MADV_DONTNEED || behavior == MADV_DONTNEED_LOCKED)
--- /dev/null
+From 2b9df00cded911e2ca2cfae5c45082166b24f8aa Mon Sep 17 00:00:00 2001
+From: Niravkumar L Rabara <niravkumar.l.rabara@intel.com>
+Date: Mon, 10 Feb 2025 13:35:49 +0800
+Subject: mtd: rawnand: cadence: fix error code in cadence_nand_init()
+
+From: Niravkumar L Rabara <niravkumar.l.rabara@intel.com>
+
+commit 2b9df00cded911e2ca2cfae5c45082166b24f8aa upstream.
+
+Replace dma_request_channel() with dma_request_chan_by_mask() and use
+helper functions to return proper error code instead of fixed -EBUSY.
+
+Fixes: ec4ba01e894d ("mtd: rawnand: Add new Cadence NAND driver to MTD subsystem")
+Cc: stable@vger.kernel.org
+Signed-off-by: Niravkumar L Rabara <niravkumar.l.rabara@intel.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/cadence-nand-controller.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/mtd/nand/raw/cadence-nand-controller.c
++++ b/drivers/mtd/nand/raw/cadence-nand-controller.c
+@@ -2863,11 +2863,10 @@ static int cadence_nand_init(struct cdns
+ dma_cap_set(DMA_MEMCPY, mask);
+
+ if (cdns_ctrl->caps1->has_dma) {
+- cdns_ctrl->dmac = dma_request_channel(mask, NULL, NULL);
+- if (!cdns_ctrl->dmac) {
+- dev_err(cdns_ctrl->dev,
+- "Unable to get a DMA channel\n");
+- ret = -EBUSY;
++ cdns_ctrl->dmac = dma_request_chan_by_mask(&mask);
++ if (IS_ERR(cdns_ctrl->dmac)) {
++ ret = dev_err_probe(cdns_ctrl->dev, PTR_ERR(cdns_ctrl->dmac),
++ "%d: Failed to get a DMA channel\n", ret);
+ goto disable_irq;
+ }
+ }
--- /dev/null
+From f37d135b42cb484bdecee93f56b9f483214ede78 Mon Sep 17 00:00:00 2001
+From: Niravkumar L Rabara <niravkumar.l.rabara@intel.com>
+Date: Mon, 10 Feb 2025 13:35:51 +0800
+Subject: mtd: rawnand: cadence: fix incorrect device in dma_unmap_single
+
+From: Niravkumar L Rabara <niravkumar.l.rabara@intel.com>
+
+commit f37d135b42cb484bdecee93f56b9f483214ede78 upstream.
+
+dma_map_single is using physical/bus device (DMA) but dma_unmap_single
+is using framework device(NAND controller), which is incorrect.
+Fixed dma_unmap_single to use correct physical/bus device.
+
+Fixes: ec4ba01e894d ("mtd: rawnand: Add new Cadence NAND driver to MTD subsystem")
+Cc: stable@vger.kernel.org
+Signed-off-by: Niravkumar L Rabara <niravkumar.l.rabara@intel.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/cadence-nand-controller.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/nand/raw/cadence-nand-controller.c
++++ b/drivers/mtd/nand/raw/cadence-nand-controller.c
+@@ -1858,12 +1858,12 @@ static int cadence_nand_slave_dma_transf
+ dma_async_issue_pending(cdns_ctrl->dmac);
+ wait_for_completion(&finished);
+
+- dma_unmap_single(cdns_ctrl->dev, buf_dma, len, dir);
++ dma_unmap_single(dma_dev->dev, buf_dma, len, dir);
+
+ return 0;
+
+ err_unmap:
+- dma_unmap_single(cdns_ctrl->dev, buf_dma, len, dir);
++ dma_unmap_single(dma_dev->dev, buf_dma, len, dir);
+
+ err:
+ dev_dbg(cdns_ctrl->dev, "Fall back to CPU I/O\n");
--- /dev/null
+From d76d22b5096c5b05208fd982b153b3f182350b19 Mon Sep 17 00:00:00 2001
+From: Niravkumar L Rabara <niravkumar.l.rabara@intel.com>
+Date: Mon, 10 Feb 2025 13:35:50 +0800
+Subject: mtd: rawnand: cadence: use dma_map_resource for sdma address
+
+From: Niravkumar L Rabara <niravkumar.l.rabara@intel.com>
+
+commit d76d22b5096c5b05208fd982b153b3f182350b19 upstream.
+
+Remap the slave DMA I/O resources to enhance driver portability.
+Using a physical address causes DMA translation failure when the
+ARM SMMU is enabled.
+
+Fixes: ec4ba01e894d ("mtd: rawnand: Add new Cadence NAND driver to MTD subsystem")
+Cc: stable@vger.kernel.org
+Signed-off-by: Niravkumar L Rabara <niravkumar.l.rabara@intel.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/cadence-nand-controller.c | 29 +++++++++++++++++++++----
+ 1 file changed, 25 insertions(+), 4 deletions(-)
+
+--- a/drivers/mtd/nand/raw/cadence-nand-controller.c
++++ b/drivers/mtd/nand/raw/cadence-nand-controller.c
+@@ -469,6 +469,8 @@ struct cdns_nand_ctrl {
+ struct {
+ void __iomem *virt;
+ dma_addr_t dma;
++ dma_addr_t iova_dma;
++ u32 size;
+ } io;
+
+ int irq;
+@@ -1830,11 +1832,11 @@ static int cadence_nand_slave_dma_transf
+ }
+
+ if (dir == DMA_FROM_DEVICE) {
+- src_dma = cdns_ctrl->io.dma;
++ src_dma = cdns_ctrl->io.iova_dma;
+ dst_dma = buf_dma;
+ } else {
+ src_dma = buf_dma;
+- dst_dma = cdns_ctrl->io.dma;
++ dst_dma = cdns_ctrl->io.iova_dma;
+ }
+
+ tx = dmaengine_prep_dma_memcpy(cdns_ctrl->dmac, dst_dma, src_dma, len,
+@@ -2828,6 +2830,7 @@ cadence_nand_irq_cleanup(int irqnum, str
+ static int cadence_nand_init(struct cdns_nand_ctrl *cdns_ctrl)
+ {
+ dma_cap_mask_t mask;
++ struct dma_device *dma_dev = cdns_ctrl->dmac->device;
+ int ret;
+
+ cdns_ctrl->cdma_desc = dma_alloc_coherent(cdns_ctrl->dev,
+@@ -2871,6 +2874,16 @@ static int cadence_nand_init(struct cdns
+ }
+ }
+
++ cdns_ctrl->io.iova_dma = dma_map_resource(dma_dev->dev, cdns_ctrl->io.dma,
++ cdns_ctrl->io.size,
++ DMA_BIDIRECTIONAL, 0);
++
++ ret = dma_mapping_error(dma_dev->dev, cdns_ctrl->io.iova_dma);
++ if (ret) {
++ dev_err(cdns_ctrl->dev, "Failed to map I/O resource to DMA\n");
++ goto dma_release_chnl;
++ }
++
+ nand_controller_init(&cdns_ctrl->controller);
+ INIT_LIST_HEAD(&cdns_ctrl->chips);
+
+@@ -2881,18 +2894,22 @@ static int cadence_nand_init(struct cdns
+ if (ret) {
+ dev_err(cdns_ctrl->dev, "Failed to register MTD: %d\n",
+ ret);
+- goto dma_release_chnl;
++ goto unmap_dma_resource;
+ }
+
+ kfree(cdns_ctrl->buf);
+ cdns_ctrl->buf = kzalloc(cdns_ctrl->buf_size, GFP_KERNEL);
+ if (!cdns_ctrl->buf) {
+ ret = -ENOMEM;
+- goto dma_release_chnl;
++ goto unmap_dma_resource;
+ }
+
+ return 0;
+
++unmap_dma_resource:
++ dma_unmap_resource(dma_dev->dev, cdns_ctrl->io.iova_dma,
++ cdns_ctrl->io.size, DMA_BIDIRECTIONAL, 0);
++
+ dma_release_chnl:
+ if (cdns_ctrl->dmac)
+ dma_release_channel(cdns_ctrl->dmac);
+@@ -2914,6 +2931,8 @@ free_buf_desc:
+ static void cadence_nand_remove(struct cdns_nand_ctrl *cdns_ctrl)
+ {
+ cadence_nand_chips_cleanup(cdns_ctrl);
++ dma_unmap_resource(cdns_ctrl->dmac->device->dev, cdns_ctrl->io.iova_dma,
++ cdns_ctrl->io.size, DMA_BIDIRECTIONAL, 0);
+ cadence_nand_irq_cleanup(cdns_ctrl->irq, cdns_ctrl);
+ kfree(cdns_ctrl->buf);
+ dma_free_coherent(cdns_ctrl->dev, sizeof(struct cadence_nand_cdma_desc),
+@@ -2982,7 +3001,9 @@ static int cadence_nand_dt_probe(struct
+ cdns_ctrl->io.virt = devm_platform_get_and_ioremap_resource(ofdev, 1, &res);
+ if (IS_ERR(cdns_ctrl->io.virt))
+ return PTR_ERR(cdns_ctrl->io.virt);
++
+ cdns_ctrl->io.dma = res->start;
++ cdns_ctrl->io.size = resource_size(res);
+
+ dt->clk = devm_clk_get(cdns_ctrl->dev, "nf_clk");
+ if (IS_ERR(dt->clk))
--- /dev/null
+From 878e7b11736e062514e58f3b445ff343e6705537 Mon Sep 17 00:00:00 2001
+From: Haoxiang Li <haoxiang_li2024@163.com>
+Date: Tue, 18 Feb 2025 11:04:09 +0800
+Subject: nfp: bpf: Add check for nfp_app_ctrl_msg_alloc()
+
+From: Haoxiang Li <haoxiang_li2024@163.com>
+
+commit 878e7b11736e062514e58f3b445ff343e6705537 upstream.
+
+Add check for the return value of nfp_app_ctrl_msg_alloc() in
+nfp_bpf_cmsg_alloc() to prevent null pointer dereference.
+
+Fixes: ff3d43f7568c ("nfp: bpf: implement helpers for FW map ops")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
+Link: https://patch.msgid.link/20250218030409.2425798-1-haoxiang_li2024@163.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/netronome/nfp/bpf/cmsg.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/netronome/nfp/bpf/cmsg.c
++++ b/drivers/net/ethernet/netronome/nfp/bpf/cmsg.c
+@@ -20,6 +20,8 @@ nfp_bpf_cmsg_alloc(struct nfp_app_bpf *b
+ struct sk_buff *skb;
+
+ skb = nfp_app_ctrl_msg_alloc(bpf->app, size, GFP_KERNEL);
++ if (!skb)
++ return NULL;
+ skb_put(skb, size);
+
+ return skb;
drm-msm-dpu-don-t-leak-bits_per_component-into-rando.patch
nvme-ioctl-add-missing-space-in-err-message.patch
bpf-skip-non-exist-keys-in-generic_map_lookup_batch.patch
+drm-msm-dpu-disable-dither-in-phys-encoder-cleanup.patch
+drm-i915-make-sure-all-planes-in-use-by-the-joiner-have-their-crtc-included.patch
+tee-optee-fix-supplicant-wait-loop.patch
+drop_monitor-fix-incorrect-initialization-order.patch
+nfp-bpf-add-check-for-nfp_app_ctrl_msg_alloc.patch
+asoc-fsl_micfil-enable-default-case-in-micfil_set_quality.patch
+alsa-hda-add-error-check-for-snd_ctl_rename_id-in-snd_hda_create_dig_out_ctls.patch
+alsa-hda-conexant-add-quirk-for-hp-probook-450-g4-mute-led.patch
+acct-perform-last-write-from-workqueue.patch
+acct-block-access-to-kernel-internal-filesystems.patch
+mm-madvise-hugetlb-check-for-0-length-range-after-end-address-adjustment.patch
+mtd-rawnand-cadence-fix-error-code-in-cadence_nand_init.patch
+mtd-rawnand-cadence-use-dma_map_resource-for-sdma-address.patch
+mtd-rawnand-cadence-fix-incorrect-device-in-dma_unmap_single.patch
+smb-client-add-check-for-next_buffer-in-receive_encrypted_standard.patch
+edac-qcom-correct-interrupt-enable-register-configuration.patch
+ftrace-correct-preemption-accounting-for-function-tracing.patch
+ftrace-do-not-add-duplicate-entries-in-subops-manager-ops.patch
--- /dev/null
+From 860ca5e50f73c2a1cef7eefc9d39d04e275417f7 Mon Sep 17 00:00:00 2001
+From: Haoxiang Li <haoxiang_li2024@163.com>
+Date: Mon, 17 Feb 2025 15:20:38 +0800
+Subject: smb: client: Add check for next_buffer in receive_encrypted_standard()
+
+From: Haoxiang Li <haoxiang_li2024@163.com>
+
+commit 860ca5e50f73c2a1cef7eefc9d39d04e275417f7 upstream.
+
+Add check for the return value of cifs_buf_get() and cifs_small_buf_get()
+in receive_encrypted_standard() to prevent null pointer dereference.
+
+Fixes: eec04ea11969 ("smb: client: fix OOB in receive_encrypted_standard()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Haoxiang Li <haoxiang_li2024@163.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/smb2ops.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/fs/smb/client/smb2ops.c
++++ b/fs/smb/client/smb2ops.c
+@@ -5158,6 +5158,10 @@ one_more:
+ next_buffer = (char *)cifs_buf_get();
+ else
+ next_buffer = (char *)cifs_small_buf_get();
++ if (!next_buffer) {
++ cifs_server_dbg(VFS, "No memory for (large) SMB response\n");
++ return -1;
++ }
+ memcpy(next_buffer, buf + next_cmd, pdu_length - next_cmd);
+ }
+
--- /dev/null
+From 70b0d6b0a199c5a3ee6c72f5e61681ed6f759612 Mon Sep 17 00:00:00 2001
+From: Sumit Garg <sumit.garg@linaro.org>
+Date: Tue, 4 Feb 2025 13:04:18 +0530
+Subject: tee: optee: Fix supplicant wait loop
+
+From: Sumit Garg <sumit.garg@linaro.org>
+
+commit 70b0d6b0a199c5a3ee6c72f5e61681ed6f759612 upstream.
+
+OP-TEE supplicant is a user-space daemon and it's possible for it
+be hung or crashed or killed in the middle of processing an OP-TEE
+RPC call. It becomes more complicated when there is incorrect shutdown
+ordering of the supplicant process vs the OP-TEE client application which
+can eventually lead to system hang-up waiting for the closure of the
+client application.
+
+Allow the client process waiting in kernel for supplicant response to
+be killed rather than indefinitely waiting in an unkillable state. Also,
+a normal uninterruptible wait should not have resulted in the hung-task
+watchdog getting triggered, but the endless loop would.
+
+This fixes issues observed during system reboot/shutdown when supplicant
+got hung for some reason or gets crashed/killed which lead to client
+getting hung in an unkillable state. It in turn lead to system being in
+hung up state requiring hard power off/on to recover.
+
+Fixes: 4fb0a5eb364d ("tee: add OP-TEE driver")
+Suggested-by: Arnd Bergmann <arnd@arndb.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sumit Garg <sumit.garg@linaro.org>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tee/optee/supp.c | 35 ++++++++---------------------------
+ 1 file changed, 8 insertions(+), 27 deletions(-)
+
+--- a/drivers/tee/optee/supp.c
++++ b/drivers/tee/optee/supp.c
+@@ -80,7 +80,6 @@ u32 optee_supp_thrd_req(struct tee_conte
+ struct optee *optee = tee_get_drvdata(ctx->teedev);
+ struct optee_supp *supp = &optee->supp;
+ struct optee_supp_req *req;
+- bool interruptable;
+ u32 ret;
+
+ /*
+@@ -111,36 +110,18 @@ u32 optee_supp_thrd_req(struct tee_conte
+ /*
+ * Wait for supplicant to process and return result, once we've
+ * returned from wait_for_completion(&req->c) successfully we have
+- * exclusive access again.
++ * exclusive access again. Allow the wait to be killable such that
++ * the wait doesn't turn into an indefinite state if the supplicant
++ * gets hung for some reason.
+ */
+- while (wait_for_completion_interruptible(&req->c)) {
++ if (wait_for_completion_killable(&req->c)) {
+ mutex_lock(&supp->mutex);
+- interruptable = !supp->ctx;
+- if (interruptable) {
+- /*
+- * There's no supplicant available and since the
+- * supp->mutex currently is held none can
+- * become available until the mutex released
+- * again.
+- *
+- * Interrupting an RPC to supplicant is only
+- * allowed as a way of slightly improving the user
+- * experience in case the supplicant hasn't been
+- * started yet. During normal operation the supplicant
+- * will serve all requests in a timely manner and
+- * interrupting then wouldn't make sense.
+- */
+- if (req->in_queue) {
+- list_del(&req->link);
+- req->in_queue = false;
+- }
++ if (req->in_queue) {
++ list_del(&req->link);
++ req->in_queue = false;
+ }
+ mutex_unlock(&supp->mutex);
+-
+- if (interruptable) {
+- req->ret = TEEC_ERROR_COMMUNICATION;
+- break;
+- }
++ req->ret = TEEC_ERROR_COMMUNICATION;
+ }
+
+ ret = req->ret;
projects / thirdparty / kernel / stable-queue.git / commitdiff
