--- /dev/null
+From a2e94ebe03eeb6456acfac338a867fdf06de1a8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2024 12:28:12 +0900
+Subject: ACPI: fan: cleanup resources in the error path of .probe()
+
+From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+
+[ Upstream commit c759bc8e9046f9812238f506d70f07d3ea4206d4 ]
+
+Call thermal_cooling_device_unregister() and sysfs_remove_link() in the
+error path of acpi_fan_probe() to fix possible memory leak.
+
+This bug was found by an experimental static analysis tool that I am
+developing.
+
+Fixes: 05a83d972293 ("ACPI: register ACPI Fan as generic thermal cooling device")
+Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+Link: https://patch.msgid.link/20241211032812.210164-1-joe@pf.is.s.u-tokyo.ac.jp
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/acpi/fan.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/acpi/fan.c b/drivers/acpi/fan.c
+index 5cd0ceb50bc8a..936429e81d8c8 100644
+--- a/drivers/acpi/fan.c
++++ b/drivers/acpi/fan.c
+@@ -423,19 +423,25 @@ static int acpi_fan_probe(struct platform_device *pdev)
+ result = sysfs_create_link(&pdev->dev.kobj,
+ &cdev->device.kobj,
+ "thermal_cooling");
+- if (result)
++ if (result) {
+ dev_err(&pdev->dev, "Failed to create sysfs link 'thermal_cooling'\n");
++ goto err_unregister;
++ }
+
+ result = sysfs_create_link(&cdev->device.kobj,
+ &pdev->dev.kobj,
+ "device");
+ if (result) {
+ dev_err(&pdev->dev, "Failed to create sysfs link 'device'\n");
+- goto err_end;
++ goto err_remove_link;
+ }
+
+ return 0;
+
++err_remove_link:
++ sysfs_remove_link(&pdev->dev.kobj, "thermal_cooling");
++err_unregister:
++ thermal_cooling_device_unregister(cdev);
+ err_end:
+ if (fan->acpi4) {
+ int i;
+--
+2.39.5
+
--- /dev/null
+From 4cee02a61c80084b061f6891b5d8fd63104b210d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Dec 2024 20:41:03 +0000
+Subject: afs: Fix directory format encoding struct
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit 07a10767853adcbdbf436dc91393b729b52c4e81 ]
+
+The AFS directory format structure, union afs_xdr_dir_block::meta, has too
+many alloc counter slots declared and so pushes the hash table along and
+over the data. This doesn't cause a problem at the moment because I'm
+currently ignoring the hash table and only using the correct number of
+alloc_ctrs in the code anyway. In future, however, I should start using
+the hash table to try and speed up afs_lookup().
+
+Fix this by using the correct constant to declare the counter array.
+
+Fixes: 4ea219a839bf ("afs: Split the directory content defs into a header")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Link: https://lore.kernel.org/r/20241216204124.3752367-14-dhowells@redhat.com
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/xdr_fs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/afs/xdr_fs.h b/fs/afs/xdr_fs.h
+index 94f1f398eefad..cccc8e74f49b0 100644
+--- a/fs/afs/xdr_fs.h
++++ b/fs/afs/xdr_fs.h
+@@ -82,7 +82,7 @@ union afs_xdr_dir_block {
+
+ struct {
+ struct afs_xdr_dir_hdr hdr;
+- u8 alloc_ctrs[AFS_DIR_MAX_BLOCKS];
++ u8 alloc_ctrs[AFS_DIR_BLOCKS_WITH_CTR];
+ __be16 hashtable[AFS_DIR_HASHTBL_SIZE];
+ } meta;
+
+--
+2.39.5
+
--- /dev/null
+From ec95583420815d31901158dff847f2f4923cf487 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Dec 2024 20:41:02 +0000
+Subject: afs: Fix EEXIST error returned from afs_rmdir() to be ENOTEMPTY
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit b49194da2aff2c879dec9c59ef8dec0f2b0809ef ]
+
+AFS servers pass back a code indicating EEXIST when they're asked to remove
+a directory that is not empty rather than ENOTEMPTY because not all the
+systems that an AFS server can run on have the latter error available and
+AFS preexisted the addition of that error in general.
+
+Fix afs_rmdir() to translate EEXIST to ENOTEMPTY.
+
+Fixes: 260a980317da ("[AFS]: Add "directory write" support.")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Link: https://lore.kernel.org/r/20241216204124.3752367-13-dhowells@redhat.com
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/dir.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/fs/afs/dir.c b/fs/afs/dir.c
+index a59d6293a32b2..c3c870416f1b7 100644
+--- a/fs/afs/dir.c
++++ b/fs/afs/dir.c
+@@ -1412,7 +1412,12 @@ static int afs_rmdir(struct inode *dir, struct dentry *dentry)
+ op->file[1].vnode = vnode;
+ }
+
+- return afs_do_sync_operation(op);
++ ret = afs_do_sync_operation(op);
++
++ /* Not all systems that can host afs servers have ENOTEMPTY. */
++ if (ret == -EEXIST)
++ ret = -ENOTEMPTY;
++ return ret;
+
+ error:
+ return afs_put_operation(op);
+--
+2.39.5
+
--- /dev/null
+From 7bd9e65c36804512fb445509e654e5ca9bd1d8e8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 14 Jan 2025 14:46:03 +0000
+Subject: afs: Fix the fallback handling for the YFS.RemoveFile2 RPC call
+
+From: David Howells <dhowells@redhat.com>
+
+[ Upstream commit e30458d690f35abb01de8b3cbc09285deb725d00 ]
+
+Fix a pair of bugs in the fallback handling for the YFS.RemoveFile2 RPC
+call:
+
+ (1) Fix the abort code check to also look for RXGEN_OPCODE. The lack of
+ this masks the second bug.
+
+ (2) call->server is now not used for ordinary filesystem RPC calls that
+ have an operation descriptor. Fix to use call->op->server instead.
+
+Fixes: e49c7b2f6de7 ("afs: Build an abstraction around an "operation" concept")
+Signed-off-by: David Howells <dhowells@redhat.com>
+Link: https://lore.kernel.org/r/109541.1736865963@warthog.procyon.org.uk
+cc: Marc Dionne <marc.dionne@auristor.com>
+cc: linux-afs@lists.infradead.org
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/afs/yfsclient.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/afs/yfsclient.c b/fs/afs/yfsclient.c
+index 5b2ef5ffd716f..171de355a7e58 100644
+--- a/fs/afs/yfsclient.c
++++ b/fs/afs/yfsclient.c
+@@ -689,8 +689,9 @@ static int yfs_deliver_fs_remove_file2(struct afs_call *call)
+ static void yfs_done_fs_remove_file2(struct afs_call *call)
+ {
+ if (call->error == -ECONNABORTED &&
+- call->abort_code == RX_INVALID_OPERATION) {
+- set_bit(AFS_SERVER_FL_NO_RM2, &call->server->flags);
++ (call->abort_code == RX_INVALID_OPERATION ||
++ call->abort_code == RXGEN_OPCODE)) {
++ set_bit(AFS_SERVER_FL_NO_RM2, &call->op->server->flags);
+ call->op->flags |= AFS_OPERATION_DOWNGRADE;
+ }
+ }
+--
+2.39.5
+
--- /dev/null
+From e0136a7b13d82861e9b5c1ac6e489c55a17bbf35 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Jun 2024 11:46:33 +0200
+Subject: ARM: dts: mediatek: mt7623: fix IR nodename
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafał Miłecki <rafal@milecki.pl>
+
+[ Upstream commit 90234cf9b37c57201a24b78c217a91a8af774109 ]
+
+Fix following validation error:
+arch/arm/boot/dts/mediatek/mt7623a-rfb-emmc.dtb: cir@10013000: $nodename:0: 'cir@10013000' does not match '^ir(-receiver)?(@[a-f0-9]+)?$'
+ from schema $id: http://devicetree.org/schemas/media/mediatek,mt7622-cir.yaml#
+
+Fixes: 91044f38dae7 ("arm: dts: mt7623: add ir nodes to the mt7623.dtsi file")
+Cc: linux-media@vger.kernel.org
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Link: https://lore.kernel.org/r/20240617094634.23173-1-zajec5@gmail.com
+Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/mt7623.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/mt7623.dtsi b/arch/arm/boot/dts/mt7623.dtsi
+index aea6809500d74..c267fc1f83579 100644
+--- a/arch/arm/boot/dts/mt7623.dtsi
++++ b/arch/arm/boot/dts/mt7623.dtsi
+@@ -309,7 +309,7 @@
+ clock-names = "spi", "wrap";
+ };
+
+- cir: cir@10013000 {
++ cir: ir-receiver@10013000 {
+ compatible = "mediatek,mt7623-cir";
+ reg = <0 0x10013000 0 0x1000>;
+ interrupts = <GIC_SPI 87 IRQ_TYPE_LEVEL_LOW>;
+--
+2.39.5
+
--- /dev/null
+From e409ef2d8bc1754aef29809501a733f853d2cc6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2024 13:24:21 +0800
+Subject: arm64: dts: mediatek: mt8173-elm: Drop regulator-compatible property
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+[ Upstream commit 4b907b3ea5fba240808136cc5599d14b52230b39 ]
+
+The "regulator-compatible" property has been deprecated since 2012 in
+commit 13511def87b9 ("regulator: deprecate regulator-compatible DT
+property"), which is so old it's not even mentioned in the converted
+regulator bindings YAML file. It is also not listed in the MT6397
+regulator bindings. Having them present produces a whole bunch of
+validation errors:
+
+ Unevaluated properties are not allowed ('regulator-compatible' was unexpected)
+
+Drop the "regulator-compatible" property from the board dts. The
+property values are the same as the node name, so everything should
+continue to work.
+
+Fixes: 689b937bedde ("arm64: dts: mediatek: add mt8173 elm and hana board")
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20241211052427.4178367-4-wenst@chromium.org
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi | 23 --------------------
+ 1 file changed, 23 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi b/arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi
+index 44a0346133cde..908b87735819e 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi
+@@ -921,7 +921,6 @@
+ compatible = "mediatek,mt6397-regulator";
+
+ mt6397_vpca15_reg: buck_vpca15 {
+- regulator-compatible = "buck_vpca15";
+ regulator-name = "vpca15";
+ regulator-min-microvolt = < 700000>;
+ regulator-max-microvolt = <1350000>;
+@@ -931,7 +930,6 @@
+ };
+
+ mt6397_vpca7_reg: buck_vpca7 {
+- regulator-compatible = "buck_vpca7";
+ regulator-name = "vpca7";
+ regulator-min-microvolt = < 700000>;
+ regulator-max-microvolt = <1350000>;
+@@ -941,7 +939,6 @@
+ };
+
+ mt6397_vsramca15_reg: buck_vsramca15 {
+- regulator-compatible = "buck_vsramca15";
+ regulator-name = "vsramca15";
+ regulator-min-microvolt = < 700000>;
+ regulator-max-microvolt = <1350000>;
+@@ -950,7 +947,6 @@
+ };
+
+ mt6397_vsramca7_reg: buck_vsramca7 {
+- regulator-compatible = "buck_vsramca7";
+ regulator-name = "vsramca7";
+ regulator-min-microvolt = < 700000>;
+ regulator-max-microvolt = <1350000>;
+@@ -959,7 +955,6 @@
+ };
+
+ mt6397_vcore_reg: buck_vcore {
+- regulator-compatible = "buck_vcore";
+ regulator-name = "vcore";
+ regulator-min-microvolt = < 700000>;
+ regulator-max-microvolt = <1350000>;
+@@ -968,7 +963,6 @@
+ };
+
+ mt6397_vgpu_reg: buck_vgpu {
+- regulator-compatible = "buck_vgpu";
+ regulator-name = "vgpu";
+ regulator-min-microvolt = < 700000>;
+ regulator-max-microvolt = <1350000>;
+@@ -977,7 +971,6 @@
+ };
+
+ mt6397_vdrm_reg: buck_vdrm {
+- regulator-compatible = "buck_vdrm";
+ regulator-name = "vdrm";
+ regulator-min-microvolt = <1200000>;
+ regulator-max-microvolt = <1400000>;
+@@ -986,7 +979,6 @@
+ };
+
+ mt6397_vio18_reg: buck_vio18 {
+- regulator-compatible = "buck_vio18";
+ regulator-name = "vio18";
+ regulator-min-microvolt = <1620000>;
+ regulator-max-microvolt = <1980000>;
+@@ -995,18 +987,15 @@
+ };
+
+ mt6397_vtcxo_reg: ldo_vtcxo {
+- regulator-compatible = "ldo_vtcxo";
+ regulator-name = "vtcxo";
+ regulator-always-on;
+ };
+
+ mt6397_va28_reg: ldo_va28 {
+- regulator-compatible = "ldo_va28";
+ regulator-name = "va28";
+ };
+
+ mt6397_vcama_reg: ldo_vcama {
+- regulator-compatible = "ldo_vcama";
+ regulator-name = "vcama";
+ regulator-min-microvolt = <1800000>;
+ regulator-max-microvolt = <1800000>;
+@@ -1014,18 +1003,15 @@
+ };
+
+ mt6397_vio28_reg: ldo_vio28 {
+- regulator-compatible = "ldo_vio28";
+ regulator-name = "vio28";
+ regulator-always-on;
+ };
+
+ mt6397_vusb_reg: ldo_vusb {
+- regulator-compatible = "ldo_vusb";
+ regulator-name = "vusb";
+ };
+
+ mt6397_vmc_reg: ldo_vmc {
+- regulator-compatible = "ldo_vmc";
+ regulator-name = "vmc";
+ regulator-min-microvolt = <1800000>;
+ regulator-max-microvolt = <3300000>;
+@@ -1033,7 +1019,6 @@
+ };
+
+ mt6397_vmch_reg: ldo_vmch {
+- regulator-compatible = "ldo_vmch";
+ regulator-name = "vmch";
+ regulator-min-microvolt = <3000000>;
+ regulator-max-microvolt = <3300000>;
+@@ -1041,7 +1026,6 @@
+ };
+
+ mt6397_vemc_3v3_reg: ldo_vemc3v3 {
+- regulator-compatible = "ldo_vemc3v3";
+ regulator-name = "vemc_3v3";
+ regulator-min-microvolt = <3000000>;
+ regulator-max-microvolt = <3300000>;
+@@ -1049,7 +1033,6 @@
+ };
+
+ mt6397_vgp1_reg: ldo_vgp1 {
+- regulator-compatible = "ldo_vgp1";
+ regulator-name = "vcamd";
+ regulator-min-microvolt = <1800000>;
+ regulator-max-microvolt = <1800000>;
+@@ -1057,7 +1040,6 @@
+ };
+
+ mt6397_vgp2_reg: ldo_vgp2 {
+- regulator-compatible = "ldo_vgp2";
+ regulator-name = "vcamio";
+ regulator-min-microvolt = <3300000>;
+ regulator-max-microvolt = <3300000>;
+@@ -1065,7 +1047,6 @@
+ };
+
+ mt6397_vgp3_reg: ldo_vgp3 {
+- regulator-compatible = "ldo_vgp3";
+ regulator-name = "vcamaf";
+ regulator-min-microvolt = <1800000>;
+ regulator-max-microvolt = <1800000>;
+@@ -1073,7 +1054,6 @@
+ };
+
+ mt6397_vgp4_reg: ldo_vgp4 {
+- regulator-compatible = "ldo_vgp4";
+ regulator-name = "vgp4";
+ regulator-min-microvolt = <1200000>;
+ regulator-max-microvolt = <3300000>;
+@@ -1081,7 +1061,6 @@
+ };
+
+ mt6397_vgp5_reg: ldo_vgp5 {
+- regulator-compatible = "ldo_vgp5";
+ regulator-name = "vgp5";
+ regulator-min-microvolt = <1200000>;
+ regulator-max-microvolt = <3000000>;
+@@ -1089,7 +1068,6 @@
+ };
+
+ mt6397_vgp6_reg: ldo_vgp6 {
+- regulator-compatible = "ldo_vgp6";
+ regulator-name = "vgp6";
+ regulator-min-microvolt = <3300000>;
+ regulator-max-microvolt = <3300000>;
+@@ -1098,7 +1076,6 @@
+ };
+
+ mt6397_vibr_reg: ldo_vibr {
+- regulator-compatible = "ldo_vibr";
+ regulator-name = "vibr";
+ regulator-min-microvolt = <1300000>;
+ regulator-max-microvolt = <3300000>;
+--
+2.39.5
+
--- /dev/null
+From c87f06a9150d3942e508c9651aa1ea70996e4221 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2024 17:26:12 +0800
+Subject: arm64: dts: mediatek: mt8173-elm: Fix MT6397 PMIC sub-node names
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+[ Upstream commit beb06b727194f68b0a4b5183e50c88265ce185af ]
+
+The MT6397 PMIC bindings specify exact names for its sub-nodes. The
+names used in the current dts don't match, causing a validation error.
+
+Fix up the names. Also drop the label for the regulators node, since
+any reference should be against the individual regulator sub-nodes.
+
+Fixes: 689b937bedde ("arm64: dts: mediatek: add mt8173 elm and hana board")
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Link: https://lore.kernel.org/r/20241210092614.3951748-1-wenst@chromium.org
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi b/arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi
+index 908b87735819e..3eeeb1b8dbad1 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8173-elm.dtsi
+@@ -905,7 +905,7 @@
+ interrupt-controller;
+ #interrupt-cells = <2>;
+
+- clock: mt6397clock {
++ clock: clocks {
+ compatible = "mediatek,mt6397-clk";
+ #clock-cells = <1>;
+ };
+@@ -917,7 +917,7 @@
+ #gpio-cells = <2>;
+ };
+
+- regulator: mt6397regulator {
++ regulators {
+ compatible = "mediatek,mt6397-regulator";
+
+ mt6397_vpca15_reg: buck_vpca15 {
+@@ -1083,7 +1083,7 @@
+ };
+ };
+
+- rtc: mt6397rtc {
++ rtc: rtc {
+ compatible = "mediatek,mt6397-rtc";
+ };
+
+--
+2.39.5
+
--- /dev/null
+From c7dabe62ef8a452fe1feeb1686286a162eba8af9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2024 13:24:20 +0800
+Subject: arm64: dts: mediatek: mt8173-evb: Drop regulator-compatible property
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+[ Upstream commit a6d5983e40f5d5b219337569cdd269727f5a3e2e ]
+
+The "regulator-compatible" property has been deprecated since 2012 in
+commit 13511def87b9 ("regulator: deprecate regulator-compatible DT
+property"), which is so old it's not even mentioned in the converted
+regulator bindings YAML file. It is also not listed in the MT6397
+regulator bindings. Having them present produces a whole bunch of
+validation errors:
+
+ Unevaluated properties are not allowed ('regulator-compatible' was unexpected)
+
+Drop the "regulator-compatible" property from the board dts. The
+property values are the same as the node name, so everything should
+continue to work.
+
+Fixes: 16ea61fc5614 ("arm64: dts: mt8173-evb: Add PMIC support")
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20241211052427.4178367-3-wenst@chromium.org
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8173-evb.dts | 23 ---------------------
+ 1 file changed, 23 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt8173-evb.dts b/arch/arm64/boot/dts/mediatek/mt8173-evb.dts
+index 2b66afcf026e1..66f0e5b24fda4 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8173-evb.dts
++++ b/arch/arm64/boot/dts/mediatek/mt8173-evb.dts
+@@ -307,7 +307,6 @@
+ compatible = "mediatek,mt6397-regulator";
+
+ mt6397_vpca15_reg: buck_vpca15 {
+- regulator-compatible = "buck_vpca15";
+ regulator-name = "vpca15";
+ regulator-min-microvolt = < 700000>;
+ regulator-max-microvolt = <1350000>;
+@@ -316,7 +315,6 @@
+ };
+
+ mt6397_vpca7_reg: buck_vpca7 {
+- regulator-compatible = "buck_vpca7";
+ regulator-name = "vpca7";
+ regulator-min-microvolt = < 700000>;
+ regulator-max-microvolt = <1350000>;
+@@ -325,7 +323,6 @@
+ };
+
+ mt6397_vsramca15_reg: buck_vsramca15 {
+- regulator-compatible = "buck_vsramca15";
+ regulator-name = "vsramca15";
+ regulator-min-microvolt = < 700000>;
+ regulator-max-microvolt = <1350000>;
+@@ -334,7 +331,6 @@
+ };
+
+ mt6397_vsramca7_reg: buck_vsramca7 {
+- regulator-compatible = "buck_vsramca7";
+ regulator-name = "vsramca7";
+ regulator-min-microvolt = < 700000>;
+ regulator-max-microvolt = <1350000>;
+@@ -343,7 +339,6 @@
+ };
+
+ mt6397_vcore_reg: buck_vcore {
+- regulator-compatible = "buck_vcore";
+ regulator-name = "vcore";
+ regulator-min-microvolt = < 700000>;
+ regulator-max-microvolt = <1350000>;
+@@ -352,7 +347,6 @@
+ };
+
+ mt6397_vgpu_reg: buck_vgpu {
+- regulator-compatible = "buck_vgpu";
+ regulator-name = "vgpu";
+ regulator-min-microvolt = < 700000>;
+ regulator-max-microvolt = <1350000>;
+@@ -361,7 +355,6 @@
+ };
+
+ mt6397_vdrm_reg: buck_vdrm {
+- regulator-compatible = "buck_vdrm";
+ regulator-name = "vdrm";
+ regulator-min-microvolt = <1200000>;
+ regulator-max-microvolt = <1400000>;
+@@ -370,7 +363,6 @@
+ };
+
+ mt6397_vio18_reg: buck_vio18 {
+- regulator-compatible = "buck_vio18";
+ regulator-name = "vio18";
+ regulator-min-microvolt = <1620000>;
+ regulator-max-microvolt = <1980000>;
+@@ -379,19 +371,16 @@
+ };
+
+ mt6397_vtcxo_reg: ldo_vtcxo {
+- regulator-compatible = "ldo_vtcxo";
+ regulator-name = "vtcxo";
+ regulator-always-on;
+ };
+
+ mt6397_va28_reg: ldo_va28 {
+- regulator-compatible = "ldo_va28";
+ regulator-name = "va28";
+ regulator-always-on;
+ };
+
+ mt6397_vcama_reg: ldo_vcama {
+- regulator-compatible = "ldo_vcama";
+ regulator-name = "vcama";
+ regulator-min-microvolt = <1500000>;
+ regulator-max-microvolt = <2800000>;
+@@ -399,18 +388,15 @@
+ };
+
+ mt6397_vio28_reg: ldo_vio28 {
+- regulator-compatible = "ldo_vio28";
+ regulator-name = "vio28";
+ regulator-always-on;
+ };
+
+ mt6397_vusb_reg: ldo_vusb {
+- regulator-compatible = "ldo_vusb";
+ regulator-name = "vusb";
+ };
+
+ mt6397_vmc_reg: ldo_vmc {
+- regulator-compatible = "ldo_vmc";
+ regulator-name = "vmc";
+ regulator-min-microvolt = <1800000>;
+ regulator-max-microvolt = <3300000>;
+@@ -418,7 +404,6 @@
+ };
+
+ mt6397_vmch_reg: ldo_vmch {
+- regulator-compatible = "ldo_vmch";
+ regulator-name = "vmch";
+ regulator-min-microvolt = <3000000>;
+ regulator-max-microvolt = <3300000>;
+@@ -426,7 +411,6 @@
+ };
+
+ mt6397_vemc_3v3_reg: ldo_vemc3v3 {
+- regulator-compatible = "ldo_vemc3v3";
+ regulator-name = "vemc_3v3";
+ regulator-min-microvolt = <3000000>;
+ regulator-max-microvolt = <3300000>;
+@@ -434,7 +418,6 @@
+ };
+
+ mt6397_vgp1_reg: ldo_vgp1 {
+- regulator-compatible = "ldo_vgp1";
+ regulator-name = "vcamd";
+ regulator-min-microvolt = <1220000>;
+ regulator-max-microvolt = <3300000>;
+@@ -442,7 +425,6 @@
+ };
+
+ mt6397_vgp2_reg: ldo_vgp2 {
+- regulator-compatible = "ldo_vgp2";
+ regulator-name = "vcamio";
+ regulator-min-microvolt = <1000000>;
+ regulator-max-microvolt = <3300000>;
+@@ -450,7 +432,6 @@
+ };
+
+ mt6397_vgp3_reg: ldo_vgp3 {
+- regulator-compatible = "ldo_vgp3";
+ regulator-name = "vcamaf";
+ regulator-min-microvolt = <1200000>;
+ regulator-max-microvolt = <3300000>;
+@@ -458,7 +439,6 @@
+ };
+
+ mt6397_vgp4_reg: ldo_vgp4 {
+- regulator-compatible = "ldo_vgp4";
+ regulator-name = "vgp4";
+ regulator-min-microvolt = <1200000>;
+ regulator-max-microvolt = <3300000>;
+@@ -466,7 +446,6 @@
+ };
+
+ mt6397_vgp5_reg: ldo_vgp5 {
+- regulator-compatible = "ldo_vgp5";
+ regulator-name = "vgp5";
+ regulator-min-microvolt = <1200000>;
+ regulator-max-microvolt = <3000000>;
+@@ -474,7 +453,6 @@
+ };
+
+ mt6397_vgp6_reg: ldo_vgp6 {
+- regulator-compatible = "ldo_vgp6";
+ regulator-name = "vgp6";
+ regulator-min-microvolt = <1200000>;
+ regulator-max-microvolt = <3300000>;
+@@ -482,7 +460,6 @@
+ };
+
+ mt6397_vibr_reg: ldo_vibr {
+- regulator-compatible = "ldo_vibr";
+ regulator-name = "vibr";
+ regulator-min-microvolt = <1300000>;
+ regulator-max-microvolt = <3300000>;
+--
+2.39.5
+
--- /dev/null
+From 49acb4c2790a647ac80e80f2b680f0de5aabe0fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2024 17:26:13 +0800
+Subject: arm64: dts: mediatek: mt8173-evb: Fix MT6397 PMIC sub-node names
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+[ Upstream commit 9545ba142865b9099d43c972b9ebcf463606499a ]
+
+The MT6397 PMIC bindings specify exact names for its sub-nodes. The
+names used in the current dts don't match, causing a validation error.
+
+Fix up the names. Also drop the label for the regulators node, since
+any reference should be against the individual regulator sub-nodes.
+
+Fixes: 16ea61fc5614 ("arm64: dts: mt8173-evb: Add PMIC support")
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Link: https://lore.kernel.org/r/20241210092614.3951748-2-wenst@chromium.org
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8173-evb.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt8173-evb.dts b/arch/arm64/boot/dts/mediatek/mt8173-evb.dts
+index 66f0e5b24fda4..1158bee050e13 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8173-evb.dts
++++ b/arch/arm64/boot/dts/mediatek/mt8173-evb.dts
+@@ -303,7 +303,7 @@
+ interrupt-controller;
+ #interrupt-cells = <2>;
+
+- mt6397regulator: mt6397regulator {
++ regulators {
+ compatible = "mediatek,mt6397-regulator";
+
+ mt6397_vpca15_reg: buck_vpca15 {
+--
+2.39.5
+
--- /dev/null
+From 1efba1caacea0a6e58983403ae43a99b0d03c837 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2024 16:05:06 -0300
+Subject: arm64: dts: mediatek: mt8516: add i2c clock-div property
+
+From: Val Packett <val@packett.cool>
+
+[ Upstream commit eb72341fd92b7af510d236e5a8554d855ed38d3c ]
+
+Move the clock-div property from the pumpkin board dtsi to the SoC's
+since it belongs to the SoC itself and is required on other devices.
+
+Fixes: 5236347bde42 ("arm64: dts: mediatek: add dtsi for MT8516")
+Signed-off-by: Val Packett <val@packett.cool>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20241204190524.21862-4-val@packett.cool
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8516.dtsi | 3 +++
+ arch/arm64/boot/dts/mediatek/pumpkin-common.dtsi | 2 --
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt8516.dtsi b/arch/arm64/boot/dts/mediatek/mt8516.dtsi
+index 5163dda398d56..383ae46891ec2 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8516.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8516.dtsi
+@@ -308,6 +308,7 @@
+ reg = <0 0x11009000 0 0x90>,
+ <0 0x11000180 0 0x80>;
+ interrupts = <GIC_SPI 80 IRQ_TYPE_LEVEL_LOW>;
++ clock-div = <2>;
+ clocks = <&topckgen CLK_TOP_I2C0>,
+ <&topckgen CLK_TOP_APDMA>;
+ clock-names = "main", "dma";
+@@ -322,6 +323,7 @@
+ reg = <0 0x1100a000 0 0x90>,
+ <0 0x11000200 0 0x80>;
+ interrupts = <GIC_SPI 81 IRQ_TYPE_LEVEL_LOW>;
++ clock-div = <2>;
+ clocks = <&topckgen CLK_TOP_I2C1>,
+ <&topckgen CLK_TOP_APDMA>;
+ clock-names = "main", "dma";
+@@ -336,6 +338,7 @@
+ reg = <0 0x1100b000 0 0x90>,
+ <0 0x11000280 0 0x80>;
+ interrupts = <GIC_SPI 82 IRQ_TYPE_LEVEL_LOW>;
++ clock-div = <2>;
+ clocks = <&topckgen CLK_TOP_I2C2>,
+ <&topckgen CLK_TOP_APDMA>;
+ clock-names = "main", "dma";
+diff --git a/arch/arm64/boot/dts/mediatek/pumpkin-common.dtsi b/arch/arm64/boot/dts/mediatek/pumpkin-common.dtsi
+index d5059735c5940..e5e3a3969145b 100644
+--- a/arch/arm64/boot/dts/mediatek/pumpkin-common.dtsi
++++ b/arch/arm64/boot/dts/mediatek/pumpkin-common.dtsi
+@@ -48,7 +48,6 @@
+ };
+
+ &i2c0 {
+- clock-div = <2>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&i2c0_pins_a>;
+ status = "okay";
+@@ -157,7 +156,6 @@
+ };
+
+ &i2c2 {
+- clock-div = <2>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&i2c2_pins_a>;
+ status = "okay";
+--
+2.39.5
+
--- /dev/null
+From f364bfb82cb6bedb8d47d14cfb55a501e8b97033 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2024 16:05:04 -0300
+Subject: arm64: dts: mediatek: mt8516: fix GICv2 range
+
+From: Val Packett <val@packett.cool>
+
+[ Upstream commit e3ee31e4409f051c021a30122f3c470f093a7386 ]
+
+On the MT8167 which is based on the MT8516 DTS, the following error
+was appearing on boot, breaking interrupt operation:
+
+GICv2 detected, but range too small and irqchip.gicv2_force_probe not set
+
+Similar to what's been proposed for MT7622 which has the same issue,
+fix by using the range reported by force_probe.
+
+Link: https://lore.kernel.org/all/YmhNSLgp%2Fyg8Vr1F@makrotopia.org/
+Fixes: 5236347bde42 ("arm64: dts: mediatek: add dtsi for MT8516")
+Signed-off-by: Val Packett <val@packett.cool>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20241204190524.21862-2-val@packett.cool
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8516.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt8516.dtsi b/arch/arm64/boot/dts/mediatek/mt8516.dtsi
+index 89af661e7f631..6d2804065ca89 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8516.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8516.dtsi
+@@ -262,7 +262,7 @@
+ interrupt-parent = <&gic>;
+ interrupt-controller;
+ reg = <0 0x10310000 0 0x1000>,
+- <0 0x10320000 0 0x1000>,
++ <0 0x1032f000 0 0x2000>,
+ <0 0x10340000 0 0x2000>,
+ <0 0x10360000 0 0x2000>;
+ interrupts = <GIC_PPI 9
+--
+2.39.5
+
--- /dev/null
+From d5072c6a47e1c5ce81ec3f08a7208dc0cc1922dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2024 16:05:05 -0300
+Subject: arm64: dts: mediatek: mt8516: fix wdt irq type
+
+From: Val Packett <val@packett.cool>
+
+[ Upstream commit 03a80442030e7147391738fb6cbe5fa0b3b91bb1 ]
+
+The GICv2 does not support EDGE_FALLING interrupts, so the watchdog
+would refuse to attach due to a failing check coming from the GIC driver.
+
+Fixes: 5236347bde42 ("arm64: dts: mediatek: add dtsi for MT8516")
+Signed-off-by: Val Packett <val@packett.cool>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20241204190524.21862-3-val@packett.cool
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8516.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt8516.dtsi b/arch/arm64/boot/dts/mediatek/mt8516.dtsi
+index 6d2804065ca89..247e89ee2f88e 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8516.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8516.dtsi
+@@ -206,7 +206,7 @@
+ compatible = "mediatek,mt8516-wdt",
+ "mediatek,mt6589-wdt";
+ reg = <0 0x10007000 0 0x1000>;
+- interrupts = <GIC_SPI 198 IRQ_TYPE_EDGE_FALLING>;
++ interrupts = <GIC_SPI 198 IRQ_TYPE_LEVEL_LOW>;
+ #reset-cells = <1>;
+ };
+
+--
+2.39.5
+
--- /dev/null
+From eebfbdd074b12c8f2595765c243780f067cf6692 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 10 Nov 2021 20:35:20 +0100
+Subject: arm64: dts: mediatek: mt8516: remove 2 invalid i2c clocks
+
+From: Fabien Parent <fparent@baylibre.com>
+
+[ Upstream commit 9cf6a26ae352a6a150662c0c4ddff87664cc6e3c ]
+
+The two clocks "main-source" and "main-sel" are not present in the
+driver and not defined in the binding documentation. Remove them
+as they are not used and not described in the documentation.
+
+Signed-off-by: Fabien Parent <fparent@baylibre.com>
+Link: https://lore.kernel.org/r/20211110193520.488-1-fparent@baylibre.com
+Signed-off-by: Matthias Brugger <matthias.bgg@gmail.com>
+Stable-dep-of: eb72341fd92b ("arm64: dts: mediatek: mt8516: add i2c clock-div property")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8516.dtsi | 27 ++++++------------------
+ 1 file changed, 6 insertions(+), 21 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt8516.dtsi b/arch/arm64/boot/dts/mediatek/mt8516.dtsi
+index 247e89ee2f88e..5163dda398d56 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8516.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8516.dtsi
+@@ -308,14 +308,9 @@
+ reg = <0 0x11009000 0 0x90>,
+ <0 0x11000180 0 0x80>;
+ interrupts = <GIC_SPI 80 IRQ_TYPE_LEVEL_LOW>;
+- clocks = <&topckgen CLK_TOP_AHB_INFRA_D2>,
+- <&infracfg CLK_IFR_I2C0_SEL>,
+- <&topckgen CLK_TOP_I2C0>,
++ clocks = <&topckgen CLK_TOP_I2C0>,
+ <&topckgen CLK_TOP_APDMA>;
+- clock-names = "main-source",
+- "main-sel",
+- "main",
+- "dma";
++ clock-names = "main", "dma";
+ #address-cells = <1>;
+ #size-cells = <0>;
+ status = "disabled";
+@@ -327,14 +322,9 @@
+ reg = <0 0x1100a000 0 0x90>,
+ <0 0x11000200 0 0x80>;
+ interrupts = <GIC_SPI 81 IRQ_TYPE_LEVEL_LOW>;
+- clocks = <&topckgen CLK_TOP_AHB_INFRA_D2>,
+- <&infracfg CLK_IFR_I2C1_SEL>,
+- <&topckgen CLK_TOP_I2C1>,
++ clocks = <&topckgen CLK_TOP_I2C1>,
+ <&topckgen CLK_TOP_APDMA>;
+- clock-names = "main-source",
+- "main-sel",
+- "main",
+- "dma";
++ clock-names = "main", "dma";
+ #address-cells = <1>;
+ #size-cells = <0>;
+ status = "disabled";
+@@ -346,14 +336,9 @@
+ reg = <0 0x1100b000 0 0x90>,
+ <0 0x11000280 0 0x80>;
+ interrupts = <GIC_SPI 82 IRQ_TYPE_LEVEL_LOW>;
+- clocks = <&topckgen CLK_TOP_AHB_INFRA_D2>,
+- <&infracfg CLK_IFR_I2C2_SEL>,
+- <&topckgen CLK_TOP_I2C2>,
++ clocks = <&topckgen CLK_TOP_I2C2>,
+ <&topckgen CLK_TOP_APDMA>;
+- clock-names = "main-source",
+- "main-sel",
+- "main",
+- "dma";
++ clock-names = "main", "dma";
+ #address-cells = <1>;
+ #size-cells = <0>;
+ status = "disabled";
+--
+2.39.5
+
--- /dev/null
+From a7a2b4d88eb74a955710980171a3c92fb928c1cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Dec 2024 16:05:07 -0300
+Subject: arm64: dts: mediatek: mt8516: reserve 192 KiB for TF-A
+
+From: Val Packett <val@packett.cool>
+
+[ Upstream commit 2561c7d5d497b988deccc36fe5eac7fd50b937f8 ]
+
+The Android DTB for the related MT8167 reserves 0x30000. This is likely
+correct for MT8516 Android devices as well, and there's never any harm
+in reserving 64KiB more.
+
+Fixes: 5236347bde42 ("arm64: dts: mediatek: add dtsi for MT8516")
+Signed-off-by: Val Packett <val@packett.cool>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20241204190524.21862-5-val@packett.cool
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8516.dtsi | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/boot/dts/mediatek/mt8516.dtsi b/arch/arm64/boot/dts/mediatek/mt8516.dtsi
+index 383ae46891ec2..afb66d1439511 100644
+--- a/arch/arm64/boot/dts/mediatek/mt8516.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8516.dtsi
+@@ -144,10 +144,10 @@
+ #size-cells = <2>;
+ ranges;
+
+- /* 128 KiB reserved for ARM Trusted Firmware (BL31) */
++ /* 192 KiB reserved for ARM Trusted Firmware (BL31) */
+ bl31_secmon_reserved: secmon@43000000 {
+ no-map;
+- reg = <0 0x43000000 0 0x20000>;
++ reg = <0 0x43000000 0 0x30000>;
+ };
+ };
+
+--
+2.39.5
+
--- /dev/null
+From b434a83407b03387c35bec944c9f45d228659716 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Dec 2024 12:17:00 +0200
+Subject: arm64: dts: qcom: msm8916: correct sleep clock frequency
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit f088b921890cef28862913e5627bb2e2b5f82125 ]
+
+The MSM8916 platform uses PM8916 to provide sleep clock. According to the
+documentation, that clock has 32.7645 kHz frequency. Correct the sleep
+clock definition.
+
+Fixes: f4fb6aeafaaa ("arm64: dts: qcom: msm8916: Add fixed rate on-board oscillators")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20241224-fix-board-clocks-v3-1-e9b08fbeadd3@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/msm8916.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/msm8916.dtsi b/arch/arm64/boot/dts/qcom/msm8916.dtsi
+index c39a299fc636f..4e0441d99eefa 100644
+--- a/arch/arm64/boot/dts/qcom/msm8916.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi
+@@ -104,7 +104,7 @@
+ sleep_clk: sleep-clk {
+ compatible = "fixed-clock";
+ #clock-cells = <0>;
+- clock-frequency = <32768>;
++ clock-frequency = <32764>;
+ };
+ };
+
+--
+2.39.5
+
--- /dev/null
+From 2322cfe6e847a546ad526071b4247a012135dc65 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Dec 2024 12:17:02 +0200
+Subject: arm64: dts: qcom: msm8994: correct sleep clock frequency
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit a4148d869d47d8c86da0291dd95d411a5ebe90c8 ]
+
+The MSM8994 platform uses PM8994/6 to provide sleep clock. According to the
+documentation, that clock has 32.7645 kHz frequency. Correct the sleep
+clock definition.
+
+Fixes: feeaf56ac78d ("arm64: dts: msm8994 SoC and Huawei Angler (Nexus 6P) support")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20241224-fix-board-clocks-v3-3-e9b08fbeadd3@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/msm8994.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/msm8994.dtsi b/arch/arm64/boot/dts/qcom/msm8994.dtsi
+index caaf7102f5798..9a8c365abbda4 100644
+--- a/arch/arm64/boot/dts/qcom/msm8994.dtsi
++++ b/arch/arm64/boot/dts/qcom/msm8994.dtsi
+@@ -24,7 +24,7 @@
+ sleep_clk: sleep-clk {
+ compatible = "fixed-clock";
+ #clock-cells = <0>;
+- clock-frequency = <32768>;
++ clock-frequency = <32764>;
+ clock-output-names = "sleep_clk";
+ };
+ };
+--
+2.39.5
+
--- /dev/null
+From 7c6321e28db6268f542faa5519a85b68b9836451 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Dec 2024 12:17:12 +0200
+Subject: arm64: dts: qcom: sm8250: correct sleep clock frequency
+
+From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+
+[ Upstream commit 75420e437eed69fa95d1d7c339dad86dea35319a ]
+
+The SM8250 platform uses PM8150 to provide sleep clock. According to the
+documentation, that clock has 32.7645 kHz frequency. Correct the sleep
+clock definition.
+
+Fixes: 9ff8b0591fcf ("arm64: dts: qcom: sm8250: use the right clock-freqency for sleep-clk")
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20241224-fix-board-clocks-v3-13-e9b08fbeadd3@linaro.org
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm64/boot/dts/qcom/sm8250.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm64/boot/dts/qcom/sm8250.dtsi b/arch/arm64/boot/dts/qcom/sm8250.dtsi
+index ec356fe07ac8a..025503ce88780 100644
+--- a/arch/arm64/boot/dts/qcom/sm8250.dtsi
++++ b/arch/arm64/boot/dts/qcom/sm8250.dtsi
+@@ -75,7 +75,7 @@
+
+ sleep_clk: sleep-clk {
+ compatible = "fixed-clock";
+- clock-frequency = <32768>;
++ clock-frequency = <32764>;
+ #clock-cells = <0>;
+ };
+ };
+--
+2.39.5
+
--- /dev/null
+From 584fa35f4a134806a26613ef3cd93fcd9c4da2e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 11 Nov 2024 17:55:29 +0100
+Subject: ASoC: sun4i-spdif: Add clock multiplier settings
+
+From: George Lander <lander@jagmn.com>
+
+[ Upstream commit 0a2319308de88b9e819c0b43d0fccd857123eb31 ]
+
+There have been intermittent issues with the SPDIF output on H3
+and H2+ devices which has been fixed by setting the s_clk to 4
+times the audio pll.
+Add a quirk for the clock multiplier as not every supported SoC
+requires it. Without the multiplier, the audio at normal sampling
+rates was distorted and did not play at higher sampling rates.
+
+Fixes: 1bd92af877ab ("ASoC: sun4i-spdif: Add support for the H3 SoC")
+Signed-off-by: George Lander <lander@jagmn.com>
+Signed-off-by: Marcus Cooper <codekipper@gmail.com>
+Link: https://patch.msgid.link/20241111165600.57219-2-codekipper@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/sunxi/sun4i-spdif.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/soc/sunxi/sun4i-spdif.c b/sound/soc/sunxi/sun4i-spdif.c
+index 6dcad1aa25037..8e255a6d0bd1a 100644
+--- a/sound/soc/sunxi/sun4i-spdif.c
++++ b/sound/soc/sunxi/sun4i-spdif.c
+@@ -175,6 +175,7 @@ struct sun4i_spdif_quirks {
+ unsigned int reg_dac_txdata;
+ bool has_reset;
+ unsigned int val_fctl_ftx;
++ unsigned int mclk_multiplier;
+ };
+
+ struct sun4i_spdif_dev {
+@@ -311,6 +312,7 @@ static int sun4i_spdif_hw_params(struct snd_pcm_substream *substream,
+ default:
+ return -EINVAL;
+ }
++ mclk *= host->quirks->mclk_multiplier;
+
+ ret = clk_set_rate(host->spdif_clk, mclk);
+ if (ret < 0) {
+@@ -345,6 +347,7 @@ static int sun4i_spdif_hw_params(struct snd_pcm_substream *substream,
+ default:
+ return -EINVAL;
+ }
++ mclk_div *= host->quirks->mclk_multiplier;
+
+ reg_val = 0;
+ reg_val |= SUN4I_SPDIF_TXCFG_ASS;
+@@ -427,24 +430,28 @@ static struct snd_soc_dai_driver sun4i_spdif_dai = {
+ static const struct sun4i_spdif_quirks sun4i_a10_spdif_quirks = {
+ .reg_dac_txdata = SUN4I_SPDIF_TXFIFO,
+ .val_fctl_ftx = SUN4I_SPDIF_FCTL_FTX,
++ .mclk_multiplier = 1,
+ };
+
+ static const struct sun4i_spdif_quirks sun6i_a31_spdif_quirks = {
+ .reg_dac_txdata = SUN4I_SPDIF_TXFIFO,
+ .val_fctl_ftx = SUN4I_SPDIF_FCTL_FTX,
+ .has_reset = true,
++ .mclk_multiplier = 1,
+ };
+
+ static const struct sun4i_spdif_quirks sun8i_h3_spdif_quirks = {
+ .reg_dac_txdata = SUN8I_SPDIF_TXFIFO,
+ .val_fctl_ftx = SUN4I_SPDIF_FCTL_FTX,
+ .has_reset = true,
++ .mclk_multiplier = 4,
+ };
+
+ static const struct sun4i_spdif_quirks sun50i_h6_spdif_quirks = {
+ .reg_dac_txdata = SUN8I_SPDIF_TXFIFO,
+ .val_fctl_ftx = SUN50I_H6_SPDIF_FCTL_FTX,
+ .has_reset = true,
++ .mclk_multiplier = 1,
+ };
+
+ static const struct of_device_id sun4i_spdif_of_match[] = {
+--
+2.39.5
+
--- /dev/null
+From 9da0d7d4e6b0602f89e861a302f3478c1903a30b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Jan 2025 09:51:59 -0800
+Subject: bgmac: reduce max frame size to support just MTU 1500
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafał Miłecki <rafal@milecki.pl>
+
+[ Upstream commit 752e5fcc2e77358936d36ef8e522d6439372e201 ]
+
+bgmac allocates new replacement buffer before handling each received
+frame. Allocating & DMA-preparing 9724 B each time consumes a lot of CPU
+time. Ideally bgmac should just respect currently set MTU but it isn't
+the case right now. For now just revert back to the old limited frame
+size.
+
+This change bumps NAT masquerade speed by ~95%.
+
+Since commit 8218f62c9c9b ("mm: page_frag: use initial zero offset for
+page_frag_alloc_align()"), the bgmac driver fails to open its network
+interface successfully and runs out of memory in the following call
+stack:
+
+bgmac_open
+ -> bgmac_dma_init
+ -> bgmac_dma_rx_skb_for_slot
+ -> netdev_alloc_frag
+
+BGMAC_RX_ALLOC_SIZE = 10048 and PAGE_FRAG_CACHE_MAX_SIZE = 32768.
+
+Eventually we land into __page_frag_alloc_align() with the following
+parameters across multiple successive calls:
+
+__page_frag_alloc_align: fragsz=10048, align_mask=-1, size=32768, offset=0
+__page_frag_alloc_align: fragsz=10048, align_mask=-1, size=32768, offset=10048
+__page_frag_alloc_align: fragsz=10048, align_mask=-1, size=32768, offset=20096
+__page_frag_alloc_align: fragsz=10048, align_mask=-1, size=32768, offset=30144
+
+So in that case we do indeed have offset + fragsz (40192) > size (32768)
+and so we would eventually return NULL. Reverting to the older 1500
+bytes MTU allows the network driver to be usable again.
+
+Fixes: 8c7da63978f1 ("bgmac: configure MTU and add support for frames beyond 8192 byte size")
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+[florian: expand commit message about recent commits]
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Link: https://patch.msgid.link/20250127175159.1788246-1-florian.fainelli@broadcom.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bgmac.h | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bgmac.h b/drivers/net/ethernet/broadcom/bgmac.h
+index d1200b27af1ed..51ff5aceba99e 100644
+--- a/drivers/net/ethernet/broadcom/bgmac.h
++++ b/drivers/net/ethernet/broadcom/bgmac.h
+@@ -366,8 +366,7 @@
+ #define BGMAC_RX_FRAME_OFFSET 30 /* There are 2 unused bytes between header and real data */
+ #define BGMAC_RX_BUF_OFFSET (NET_SKB_PAD + NET_IP_ALIGN - \
+ BGMAC_RX_FRAME_OFFSET)
+-/* Jumbo frame size with FCS */
+-#define BGMAC_RX_MAX_FRAME_SIZE 9724
++#define BGMAC_RX_MAX_FRAME_SIZE 1536
+ #define BGMAC_RX_BUF_SIZE (BGMAC_RX_FRAME_OFFSET + BGMAC_RX_MAX_FRAME_SIZE)
+ #define BGMAC_RX_ALLOC_SIZE (SKB_DATA_ALIGN(BGMAC_RX_BUF_SIZE + BGMAC_RX_BUF_OFFSET) + \
+ SKB_DATA_ALIGN(sizeof(struct skb_shared_info)))
+--
+2.39.5
+
--- /dev/null
+From 7cdc329584f6a498dc2f880d8433bd73c8c568be Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Jan 2025 10:36:47 +0000
+Subject: bpf: Send signals asynchronously if !preemptible
+
+From: Puranjay Mohan <puranjay@kernel.org>
+
+[ Upstream commit 87c544108b612512b254c8f79aa5c0a8546e2cc4 ]
+
+BPF programs can execute in all kinds of contexts and when a program
+running in a non-preemptible context uses the bpf_send_signal() kfunc,
+it will cause issues because this kfunc can sleep.
+Change `irqs_disabled()` to `!preemptible()`.
+
+Reported-by: syzbot+97da3d7e0112d59971de@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/67486b09.050a0220.253251.0084.GAE@google.com/
+Fixes: 1bc7896e9ef4 ("bpf: Fix deadlock with rq_lock in bpf_send_signal()")
+Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
+Acked-by: Yonghong Song <yonghong.song@linux.dev>
+Link: https://lore.kernel.org/r/20250115103647.38487-1-puranjay@kernel.org
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/bpf_trace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
+index 71e0c1bc9759e..1656a7d9bb697 100644
+--- a/kernel/trace/bpf_trace.c
++++ b/kernel/trace/bpf_trace.c
+@@ -1081,7 +1081,7 @@ static int bpf_send_signal_common(u32 sig, enum pid_type type)
+ if (unlikely(is_global_init(current)))
+ return -EPERM;
+
+- if (irqs_disabled()) {
++ if (!preemptible()) {
+ /* Do an early check on signal validity. Otherwise,
+ * the error is lost in deferred irq_work.
+ */
+--
+2.39.5
+
--- /dev/null
+From 912c74c08659c936ca6a92e5092cecca3ad01712 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 29 Aug 2024 23:16:39 -0700
+Subject: clk: analogbits: Fix incorrect calculation of vco rate delta
+
+From: Bo Gan <ganboing@gmail.com>
+
+[ Upstream commit d7f12857f095ef38523399d47e68787b357232f6 ]
+
+In wrpll_configure_for_rate() we try to determine the best PLL
+configuration for a target rate. However, in the loop where we try
+values of R, we should compare the derived `vco` with `target_vco_rate`.
+However, we were in fact comparing it with `target_rate`, which is
+actually after Q shift. This is incorrect, and sometimes can result in
+suboptimal clock rates. Fix it.
+
+Fixes: 7b9487a9a5c4 ("clk: analogbits: add Wide-Range PLL library")
+Signed-off-by: Bo Gan <ganboing@gmail.com>
+Link: https://lore.kernel.org/r/20240830061639.2316-1-ganboing@gmail.com
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/analogbits/wrpll-cln28hpc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clk/analogbits/wrpll-cln28hpc.c b/drivers/clk/analogbits/wrpll-cln28hpc.c
+index 776ead319ae9c..9df572579afb4 100644
+--- a/drivers/clk/analogbits/wrpll-cln28hpc.c
++++ b/drivers/clk/analogbits/wrpll-cln28hpc.c
+@@ -287,7 +287,7 @@ int wrpll_configure_for_rate(struct wrpll_cfg *c, u32 target_rate,
+ vco = vco_pre * f;
+ }
+
+- delta = abs(target_rate - vco);
++ delta = abs(target_vco_rate - vco);
+ if (delta < best_delta) {
+ best_delta = delta;
+ best_r = r;
+--
+2.39.5
+
--- /dev/null
+From 14e150cac27cf4b90ac35d19bbb3dc99732527cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Nov 2024 02:36:54 +0100
+Subject: clk: imx8mp: Fix clkout1/2 support
+
+From: Marek Vasut <marex@denx.de>
+
+[ Upstream commit a9b7c84d22fb1687d63ca2a386773015cf59436b ]
+
+The CLKOUTn may be fed from PLL1/2/3, but the PLL1/2/3 has to be enabled
+first by setting PLL_CLKE bit 11 in CCM_ANALOG_SYS_PLLn_GEN_CTRL register.
+The CCM_ANALOG_SYS_PLLn_GEN_CTRL bit 11 is modeled by plln_out clock. Fix
+the clock tree and place the clkout1/2 under plln_sel instead of plain plln
+to let the clock subsystem correctly control the bit 11 and enable the PLL
+in case the CLKOUTn is supplied by PLL1/2/3.
+
+Fixes: 43896f56b59e ("clk: imx8mp: add clkout1/2 support")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Reviewed-by: Peng Fan <peng.fan@nxp.com>
+Link: https://lore.kernel.org/r/20241112013718.333771-1-marex@denx.de
+Signed-off-by: Abel Vesa <abel.vesa@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/imx/clk-imx8mp.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/imx/clk-imx8mp.c b/drivers/clk/imx/clk-imx8mp.c
+index 56d45caa603f8..385653fe39660 100644
+--- a/drivers/clk/imx/clk-imx8mp.c
++++ b/drivers/clk/imx/clk-imx8mp.c
+@@ -410,8 +410,9 @@ static const char * const imx8mp_dram_core_sels[] = {"dram_pll_out", "dram_alt_r
+
+ static const char * const imx8mp_clkout_sels[] = {"audio_pll1_out", "audio_pll2_out", "video_pll1_out",
+ "dummy", "dummy", "gpu_pll_out", "vpu_pll_out",
+- "arm_pll_out", "sys_pll1", "sys_pll2", "sys_pll3",
+- "dummy", "dummy", "osc_24m", "dummy", "osc_32k"};
++ "arm_pll_out", "sys_pll1_out", "sys_pll2_out",
++ "sys_pll3_out", "dummy", "dummy", "osc_24m",
++ "dummy", "osc_32k"};
+
+ static struct clk_hw **hws;
+ static struct clk_hw_onecell_data *clk_hw_data;
+--
+2.39.5
+
--- /dev/null
+From 239d3d8517fa35d3a4dba28f966bd4fa77d99929 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Jan 2025 10:11:07 +0530
+Subject: cpufreq: ACPI: Fix max-frequency computation
+
+From: Gautham R. Shenoy <gautham.shenoy@amd.com>
+
+[ Upstream commit 0834667545962ef1c5e8684ed32b45d9c574acd3 ]
+
+Commit 3c55e94c0ade ("cpufreq: ACPI: Extend frequency tables to cover
+boost frequencies") introduced an assumption in acpi_cpufreq_cpu_init()
+that the first entry in the P-state table was the nominal frequency.
+This assumption is incorrect. The frequency corresponding to the P0
+P-State need not be the same as the nominal frequency advertised via
+CPPC.
+
+Since the driver is using the CPPC.highest_perf and CPPC.nominal_perf
+to compute the boost-ratio, it makes sense to use CPPC.nominal_freq to
+compute the max-frequency. CPPC.nominal_freq is advertised on
+platforms supporting CPPC revisions 3 or higher.
+
+Hence, fallback to using the first entry in the P-State table only on
+platforms that do not advertise CPPC.nominal_freq.
+
+Fixes: 3c55e94c0ade ("cpufreq: ACPI: Extend frequency tables to cover boost frequencies")
+Tested-by: Dhananjay Ugwekar <Dhananjay.Ugwekar@amd.com>
+Signed-off-by: Gautham R. Shenoy <gautham.shenoy@amd.com>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://patch.msgid.link/20250113044107.566-1-gautham.shenoy@amd.com
+[ rjw: Retain reverse X-mas tree ordering of local variable declarations ]
+[ rjw: Subject and changelog edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/cpufreq/acpi-cpufreq.c | 36 +++++++++++++++++++++++++---------
+ 1 file changed, 27 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/cpufreq/acpi-cpufreq.c b/drivers/cpufreq/acpi-cpufreq.c
+index d1bbc16fba4b4..4109dda5e36d0 100644
+--- a/drivers/cpufreq/acpi-cpufreq.c
++++ b/drivers/cpufreq/acpi-cpufreq.c
+@@ -630,7 +630,14 @@ static int acpi_cpufreq_blacklist(struct cpuinfo_x86 *c)
+ #endif
+
+ #ifdef CONFIG_ACPI_CPPC_LIB
+-static u64 get_max_boost_ratio(unsigned int cpu)
++/*
++ * get_max_boost_ratio: Computes the max_boost_ratio as the ratio
++ * between the highest_perf and the nominal_perf.
++ *
++ * Returns the max_boost_ratio for @cpu. Returns the CPPC nominal
++ * frequency via @nominal_freq if it is non-NULL pointer.
++ */
++static u64 get_max_boost_ratio(unsigned int cpu, u64 *nominal_freq)
+ {
+ struct cppc_perf_caps perf_caps;
+ u64 highest_perf, nominal_perf;
+@@ -649,6 +656,9 @@ static u64 get_max_boost_ratio(unsigned int cpu)
+ highest_perf = perf_caps.highest_perf;
+ nominal_perf = perf_caps.nominal_perf;
+
++ if (nominal_freq)
++ *nominal_freq = perf_caps.nominal_freq;
++
+ if (!highest_perf || !nominal_perf) {
+ pr_debug("CPU%d: highest or nominal performance missing\n", cpu);
+ return 0;
+@@ -661,8 +671,12 @@ static u64 get_max_boost_ratio(unsigned int cpu)
+
+ return div_u64(highest_perf << SCHED_CAPACITY_SHIFT, nominal_perf);
+ }
++
+ #else
+-static inline u64 get_max_boost_ratio(unsigned int cpu) { return 0; }
++static inline u64 get_max_boost_ratio(unsigned int cpu, u64 *nominal_freq)
++{
++ return 0;
++}
+ #endif
+
+ static int acpi_cpufreq_cpu_init(struct cpufreq_policy *policy)
+@@ -672,9 +686,9 @@ static int acpi_cpufreq_cpu_init(struct cpufreq_policy *policy)
+ struct acpi_cpufreq_data *data;
+ unsigned int cpu = policy->cpu;
+ struct cpuinfo_x86 *c = &cpu_data(cpu);
++ u64 max_boost_ratio, nominal_freq = 0;
+ unsigned int valid_states = 0;
+ unsigned int result = 0;
+- u64 max_boost_ratio;
+ unsigned int i;
+ #ifdef CONFIG_SMP
+ static int blacklisted;
+@@ -824,16 +838,20 @@ static int acpi_cpufreq_cpu_init(struct cpufreq_policy *policy)
+ }
+ freq_table[valid_states].frequency = CPUFREQ_TABLE_END;
+
+- max_boost_ratio = get_max_boost_ratio(cpu);
++ max_boost_ratio = get_max_boost_ratio(cpu, &nominal_freq);
+ if (max_boost_ratio) {
+- unsigned int freq = freq_table[0].frequency;
++ unsigned int freq = nominal_freq;
+
+ /*
+- * Because the loop above sorts the freq_table entries in the
+- * descending order, freq is the maximum frequency in the table.
+- * Assume that it corresponds to the CPPC nominal frequency and
+- * use it to set cpuinfo.max_freq.
++ * The loop above sorts the freq_table entries in the
++ * descending order. If ACPI CPPC has not advertised
++ * the nominal frequency (this is possible in CPPC
++ * revisions prior to 3), then use the first entry in
++ * the pstate table as a proxy for nominal frequency.
+ */
++ if (!freq)
++ freq = freq_table[0].frequency;
++
+ policy->cpuinfo.max_freq = freq * max_boost_ratio >> SCHED_CAPACITY_SHIFT;
+ } else {
+ /*
+--
+2.39.5
+
--- /dev/null
+From 81bfc721bcc813e9364f09c289c4b4ff4f5c6acc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2024 17:57:32 -0800
+Subject: cpufreq: schedutil: Fix superfluous updates caused by
+ need_freq_update
+
+From: Sultan Alsawaf (unemployed) <sultan@kerneltoast.com>
+
+[ Upstream commit 8e461a1cb43d69d2fc8a97e61916dce571e6bb31 ]
+
+A redundant frequency update is only truly needed when there is a policy
+limits change with a driver that specifies CPUFREQ_NEED_UPDATE_LIMITS.
+
+In spite of that, drivers specifying CPUFREQ_NEED_UPDATE_LIMITS receive a
+frequency update _all the time_, not just for a policy limits change,
+because need_freq_update is never cleared.
+
+Furthermore, ignore_dl_rate_limit()'s usage of need_freq_update also leads
+to a redundant frequency update, regardless of whether or not the driver
+specifies CPUFREQ_NEED_UPDATE_LIMITS, when the next chosen frequency is the
+same as the current one.
+
+Fix the superfluous updates by only honoring CPUFREQ_NEED_UPDATE_LIMITS
+when there's a policy limits change, and clearing need_freq_update when a
+requisite redundant update occurs.
+
+This is neatly achieved by moving up the CPUFREQ_NEED_UPDATE_LIMITS test
+and instead setting need_freq_update to false in sugov_update_next_freq().
+
+Fixes: 600f5badb78c ("cpufreq: schedutil: Don't skip freq update when limits change")
+Signed-off-by: Sultan Alsawaf (unemployed) <sultan@kerneltoast.com>
+Reviewed-by: Christian Loehle <christian.loehle@arm.com>
+Link: https://patch.msgid.link/20241212015734.41241-2-sultan@kerneltoast.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/cpufreq_schedutil.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/sched/cpufreq_schedutil.c b/kernel/sched/cpufreq_schedutil.c
+index 04295212ab500..d8b9e1d25200f 100644
+--- a/kernel/sched/cpufreq_schedutil.c
++++ b/kernel/sched/cpufreq_schedutil.c
+@@ -90,7 +90,7 @@ static bool sugov_should_update_freq(struct sugov_policy *sg_policy, u64 time)
+
+ if (unlikely(sg_policy->limits_changed)) {
+ sg_policy->limits_changed = false;
+- sg_policy->need_freq_update = true;
++ sg_policy->need_freq_update = cpufreq_driver_test_flags(CPUFREQ_NEED_UPDATE_LIMITS);
+ return true;
+ }
+
+@@ -103,7 +103,7 @@ static bool sugov_update_next_freq(struct sugov_policy *sg_policy, u64 time,
+ unsigned int next_freq)
+ {
+ if (sg_policy->need_freq_update)
+- sg_policy->need_freq_update = cpufreq_driver_test_flags(CPUFREQ_NEED_UPDATE_LIMITS);
++ sg_policy->need_freq_update = false;
+ else if (sg_policy->next_freq == next_freq)
+ return false;
+
+--
+2.39.5
+
--- /dev/null
+From 190ca27e24a861374c799e472581898df78200ec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Nov 2020 20:26:42 +0100
+Subject: cpufreq: schedutil: Simplify sugov_update_next_freq()
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 90ac908a418b836427d6eaf84fbc5062881747fd ]
+
+Rearrange a conditional to make it more straightforward.
+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Stable-dep-of: 8e461a1cb43d ("cpufreq: schedutil: Fix superfluous updates caused by need_freq_update")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/sched/cpufreq_schedutil.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/sched/cpufreq_schedutil.c b/kernel/sched/cpufreq_schedutil.c
+index 5e39da0ae0868..04295212ab500 100644
+--- a/kernel/sched/cpufreq_schedutil.c
++++ b/kernel/sched/cpufreq_schedutil.c
+@@ -102,12 +102,10 @@ static bool sugov_should_update_freq(struct sugov_policy *sg_policy, u64 time)
+ static bool sugov_update_next_freq(struct sugov_policy *sg_policy, u64 time,
+ unsigned int next_freq)
+ {
+- if (!sg_policy->need_freq_update) {
+- if (sg_policy->next_freq == next_freq)
+- return false;
+- } else {
++ if (sg_policy->need_freq_update)
+ sg_policy->need_freq_update = cpufreq_driver_test_flags(CPUFREQ_NEED_UPDATE_LIMITS);
+- }
++ else if (sg_policy->next_freq == next_freq)
++ return false;
+
+ sg_policy->next_freq = next_freq;
+ sg_policy->last_freq_update_time = time;
+--
+2.39.5
+
--- /dev/null
+From e981dff073836ce823ec367a437107986b8b20cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Dec 2024 10:14:59 +0800
+Subject: cpupower: fix TSC MHz calculation
+
+From: He Rongguang <herongguang@linux.alibaba.com>
+
+[ Upstream commit 9d6c0e58514f8b57cd9c2c755e41623d6a966025 ]
+
+Commit 'cpupower: Make TSC read per CPU for Mperf monitor' (c2adb1877b7)
+changes TSC counter reads per cpu, but left time diff global (from start
+of all cpus to end of all cpus), thus diff(time) is too large for a
+cpu's tsc counting, resulting in far less than acutal TSC_Mhz and thus
+`cpupower monitor` showing far less than actual cpu realtime frequency.
+
+/proc/cpuinfo shows frequency:
+cat /proc/cpuinfo | egrep -e 'processor' -e 'MHz'
+...
+processor : 171
+cpu MHz : 4108.498
+...
+
+before fix (System 100% busy):
+ | Mperf || Idle_Stats
+ CPU| C0 | Cx | Freq || POLL | C1 | C2
+ 171| 0.77| 99.23| 2279|| 0.00| 0.00| 0.00
+
+after fix (System 100% busy):
+ | Mperf || Idle_Stats
+ CPU| C0 | Cx | Freq || POLL | C1 | C2
+ 171| 0.46| 99.54| 4095|| 0.00| 0.00| 0.00
+
+Fixes: c2adb1877b76 ("cpupower: Make TSC read per CPU for Mperf monitor")
+Signed-off-by: He Rongguang <herongguang@linux.alibaba.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ .../cpupower/utils/idle_monitor/mperf_monitor.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c
+index ae6af354a81db..08a399b0be286 100644
+--- a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c
++++ b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c
+@@ -33,7 +33,7 @@ static int mperf_get_count_percent(unsigned int self_id, double *percent,
+ unsigned int cpu);
+ static int mperf_get_count_freq(unsigned int id, unsigned long long *count,
+ unsigned int cpu);
+-static struct timespec time_start, time_end;
++static struct timespec *time_start, *time_end;
+
+ static cstate_t mperf_cstates[MPERF_CSTATE_COUNT] = {
+ {
+@@ -174,7 +174,7 @@ static int mperf_get_count_percent(unsigned int id, double *percent,
+ dprint("%s: TSC Ref - mperf_diff: %llu, tsc_diff: %llu\n",
+ mperf_cstates[id].name, mperf_diff, tsc_diff);
+ } else if (max_freq_mode == MAX_FREQ_SYSFS) {
+- timediff = max_frequency * timespec_diff_us(time_start, time_end);
++ timediff = max_frequency * timespec_diff_us(time_start[cpu], time_end[cpu]);
+ *percent = 100.0 * mperf_diff / timediff;
+ dprint("%s: MAXFREQ - mperf_diff: %llu, time_diff: %llu\n",
+ mperf_cstates[id].name, mperf_diff, timediff);
+@@ -207,7 +207,7 @@ static int mperf_get_count_freq(unsigned int id, unsigned long long *count,
+ if (max_freq_mode == MAX_FREQ_TSC_REF) {
+ /* Calculate max_freq from TSC count */
+ tsc_diff = tsc_at_measure_end[cpu] - tsc_at_measure_start[cpu];
+- time_diff = timespec_diff_us(time_start, time_end);
++ time_diff = timespec_diff_us(time_start[cpu], time_end[cpu]);
+ max_frequency = tsc_diff / time_diff;
+ }
+
+@@ -226,9 +226,8 @@ static int mperf_start(void)
+ {
+ int cpu;
+
+- clock_gettime(CLOCK_REALTIME, &time_start);
+-
+ for (cpu = 0; cpu < cpu_count; cpu++) {
++ clock_gettime(CLOCK_REALTIME, &time_start[cpu]);
+ mperf_get_tsc(&tsc_at_measure_start[cpu]);
+ mperf_init_stats(cpu);
+ }
+@@ -243,9 +242,9 @@ static int mperf_stop(void)
+ for (cpu = 0; cpu < cpu_count; cpu++) {
+ mperf_measure_stats(cpu);
+ mperf_get_tsc(&tsc_at_measure_end[cpu]);
++ clock_gettime(CLOCK_REALTIME, &time_end[cpu]);
+ }
+
+- clock_gettime(CLOCK_REALTIME, &time_end);
+ return 0;
+ }
+
+@@ -349,6 +348,8 @@ struct cpuidle_monitor *mperf_register(void)
+ aperf_current_count = calloc(cpu_count, sizeof(unsigned long long));
+ tsc_at_measure_start = calloc(cpu_count, sizeof(unsigned long long));
+ tsc_at_measure_end = calloc(cpu_count, sizeof(unsigned long long));
++ time_start = calloc(cpu_count, sizeof(struct timespec));
++ time_end = calloc(cpu_count, sizeof(struct timespec));
+ mperf_monitor.name_len = strlen(mperf_monitor.name);
+ return &mperf_monitor;
+ }
+@@ -361,6 +362,8 @@ void mperf_unregister(void)
+ free(aperf_current_count);
+ free(tsc_at_measure_start);
+ free(tsc_at_measure_end);
++ free(time_start);
++ free(time_end);
+ free(is_valid);
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 02db35c02a9ac15c648fc6bf9a2725f25b8e7808 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Dec 2024 11:05:07 +0900
+Subject: dmaengine: ti: edma: fix OF node reference leaks in edma_driver
+
+From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+
+[ Upstream commit e883c64778e5a9905fce955681f8ee38c7197e0f ]
+
+The .probe() of edma_driver calls of_parse_phandle_with_fixed_args() but
+does not release the obtained OF nodes. Thus add a of_node_put() call.
+
+This bug was found by an experimental verification tool that I am
+developing.
+
+Fixes: 1be5336bc7ba ("dmaengine: edma: New device tree binding")
+Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/20241219020507.1983124-3-joe@pf.is.s.u-tokyo.ac.jp
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/dma/ti/edma.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/dma/ti/edma.c b/drivers/dma/ti/edma.c
+index 69292d4a0c441..560fe658b8942 100644
+--- a/drivers/dma/ti/edma.c
++++ b/drivers/dma/ti/edma.c
+@@ -217,7 +217,6 @@ struct edma_desc {
+ struct edma_cc;
+
+ struct edma_tc {
+- struct device_node *node;
+ u16 id;
+ };
+
+@@ -2524,13 +2523,13 @@ static int edma_probe(struct platform_device *pdev)
+ if (ret || i == ecc->num_tc)
+ break;
+
+- ecc->tc_list[i].node = tc_args.np;
+ ecc->tc_list[i].id = i;
+ queue_priority_mapping[i][1] = tc_args.args[0];
+ if (queue_priority_mapping[i][1] > lowest_priority) {
+ lowest_priority = queue_priority_mapping[i][1];
+ info->default_queue = i;
+ }
++ of_node_put(tc_args.np);
+ }
+
+ /* See if we have optional dma-channel-mask array */
+--
+2.39.5
+
--- /dev/null
+From 1eae1d687bfd5e9aa2c573ebc0edaddeaf1c898f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Nov 2020 13:46:10 +0100
+Subject: driver core: platform: change logic implementing
+ platform_driver_probe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 16085668eacdc56c46652d0f3bfef81ecace57de ]
+
+Instead of overwriting the core driver's probe function handle probing
+devices for drivers loaded by platform_driver_probe() in the platform
+driver probe function.
+
+The intended goal is to not have to change the probe function to
+simplify converting the platform bus to use bus functions.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Link: https://lore.kernel.org/r/20201119124611.2573057-2-u.kleine-koenig@pengutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: bf5821909eb9 ("mtd: hyperbus: hbmc-am654: fix an OF node reference leak")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/platform.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/base/platform.c b/drivers/base/platform.c
+index fa023cf80dc48..16426eb934632 100644
+--- a/drivers/base/platform.c
++++ b/drivers/base/platform.c
+@@ -743,12 +743,25 @@ struct platform_device *platform_device_register_full(
+ }
+ EXPORT_SYMBOL_GPL(platform_device_register_full);
+
++static int platform_probe_fail(struct platform_device *pdev);
++
+ static int platform_drv_probe(struct device *_dev)
+ {
+ struct platform_driver *drv = to_platform_driver(_dev->driver);
+ struct platform_device *dev = to_platform_device(_dev);
+ int ret;
+
++ /*
++ * A driver registered using platform_driver_probe() cannot be bound
++ * again later because the probe function usually lives in __init code
++ * and so is gone. For these drivers .probe is set to
++ * platform_probe_fail in __platform_driver_probe(). Don't even
++ * prepare clocks and PM domains for these to match the traditional
++ * behaviour.
++ */
++ if (unlikely(drv->probe == platform_probe_fail))
++ return -ENXIO;
++
+ ret = of_clk_set_defaults(_dev->of_node, false);
+ if (ret < 0)
+ return ret;
+@@ -822,7 +835,7 @@ void platform_driver_unregister(struct platform_driver *drv)
+ }
+ EXPORT_SYMBOL_GPL(platform_driver_unregister);
+
+-static int platform_drv_probe_fail(struct device *_dev)
++static int platform_probe_fail(struct platform_device *pdev)
+ {
+ return -ENXIO;
+ }
+@@ -887,10 +900,9 @@ int __init_or_module __platform_driver_probe(struct platform_driver *drv,
+ * new devices fail.
+ */
+ spin_lock(&drv->driver.bus->p->klist_drivers.k_lock);
+- drv->probe = NULL;
++ drv->probe = platform_probe_fail;
+ if (code == 0 && list_empty(&drv->driver.p->klist_devices.k_list))
+ retval = -ENODEV;
+- drv->driver.probe = platform_drv_probe_fail;
+ spin_unlock(&drv->driver.bus->p->klist_drivers.k_lock);
+
+ if (code != retval)
+--
+2.39.5
+
--- /dev/null
+From d3130d676b6942ea14cd06dcbe105f997a956302 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 7 Feb 2021 22:15:37 +0100
+Subject: driver core: platform: Emit a warning if a remove callback returned
+ non-zero
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <uwe@kleine-koenig.org>
+
+[ Upstream commit e5e1c209788138f33ca6558bf9f572f6904f486d ]
+
+The driver core ignores the return value of a bus' remove callback. However
+a driver returning an error code is a hint that there is a problem,
+probably a driver author who expects that returning e.g. -EBUSY has any
+effect.
+
+The right thing to do would be to make struct platform_driver::remove()
+return void. With the immense number of platform drivers this is however a
+big quest and I hope to prevent at least a few new drivers that return an
+error code here.
+
+Signed-off-by: Uwe Kleine-König <uwe@kleine-koenig.org>
+Link: https://lore.kernel.org/r/20210207211537.19992-1-uwe@kleine-koenig.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: bf5821909eb9 ("mtd: hyperbus: hbmc-am654: fix an OF node reference leak")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/platform.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/base/platform.c b/drivers/base/platform.c
+index 90166535a5c05..d0b15cbab0ff0 100644
+--- a/drivers/base/platform.c
++++ b/drivers/base/platform.c
+@@ -1305,13 +1305,16 @@ static int platform_remove(struct device *_dev)
+ {
+ struct platform_driver *drv = to_platform_driver(_dev->driver);
+ struct platform_device *dev = to_platform_device(_dev);
+- int ret = 0;
+
+- if (drv->remove)
+- ret = drv->remove(dev);
++ if (drv->remove) {
++ int ret = drv->remove(dev);
++
++ if (ret)
++ dev_warn(_dev, "remove callback returned a non-zero value. This will be ignored.\n");
++ }
+ dev_pm_domain_detach(_dev, true);
+
+- return ret;
++ return 0;
+ }
+
+ static void platform_shutdown(struct device *_dev)
+--
+2.39.5
+
--- /dev/null
+From d850359856e0edc5c80cd3bb1b9f5932091f18f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Nov 2020 13:46:09 +0100
+Subject: driver core: platform: reorder functions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit e21d740a3fe5ad2db7b5f5c2331fe2b713b1edba ]
+
+This way all callbacks and structures used to initialize
+platform_bus_type are defined just before platform_bus_type and in the
+same order. Also move platform_drv_probe_fail just before it's only
+user.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Link: https://lore.kernel.org/r/20201119124611.2573057-1-u.kleine-koenig@pengutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: bf5821909eb9 ("mtd: hyperbus: hbmc-am654: fix an OF node reference leak")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/platform.c | 293 ++++++++++++++++++++--------------------
+ 1 file changed, 147 insertions(+), 146 deletions(-)
+
+diff --git a/drivers/base/platform.c b/drivers/base/platform.c
+index 647066229fec3..fa023cf80dc48 100644
+--- a/drivers/base/platform.c
++++ b/drivers/base/platform.c
+@@ -772,11 +772,6 @@ static int platform_drv_probe(struct device *_dev)
+ return ret;
+ }
+
+-static int platform_drv_probe_fail(struct device *_dev)
+-{
+- return -ENXIO;
+-}
+-
+ static int platform_drv_remove(struct device *_dev)
+ {
+ struct platform_driver *drv = to_platform_driver(_dev->driver);
+@@ -827,6 +822,11 @@ void platform_driver_unregister(struct platform_driver *drv)
+ }
+ EXPORT_SYMBOL_GPL(platform_driver_unregister);
+
++static int platform_drv_probe_fail(struct device *_dev)
++{
++ return -ENXIO;
++}
++
+ /**
+ * __platform_driver_probe - register driver for non-hotpluggable device
+ * @drv: platform driver structure
+@@ -1017,109 +1017,6 @@ void platform_unregister_drivers(struct platform_driver * const *drivers,
+ }
+ EXPORT_SYMBOL_GPL(platform_unregister_drivers);
+
+-/* modalias support enables more hands-off userspace setup:
+- * (a) environment variable lets new-style hotplug events work once system is
+- * fully running: "modprobe $MODALIAS"
+- * (b) sysfs attribute lets new-style coldplug recover from hotplug events
+- * mishandled before system is fully running: "modprobe $(cat modalias)"
+- */
+-static ssize_t modalias_show(struct device *dev,
+- struct device_attribute *attr, char *buf)
+-{
+- struct platform_device *pdev = to_platform_device(dev);
+- int len;
+-
+- len = of_device_modalias(dev, buf, PAGE_SIZE);
+- if (len != -ENODEV)
+- return len;
+-
+- len = acpi_device_modalias(dev, buf, PAGE_SIZE - 1);
+- if (len != -ENODEV)
+- return len;
+-
+- return sysfs_emit(buf, "platform:%s\n", pdev->name);
+-}
+-static DEVICE_ATTR_RO(modalias);
+-
+-static ssize_t driver_override_store(struct device *dev,
+- struct device_attribute *attr,
+- const char *buf, size_t count)
+-{
+- struct platform_device *pdev = to_platform_device(dev);
+- int ret;
+-
+- ret = driver_set_override(dev, &pdev->driver_override, buf, count);
+- if (ret)
+- return ret;
+-
+- return count;
+-}
+-
+-static ssize_t driver_override_show(struct device *dev,
+- struct device_attribute *attr, char *buf)
+-{
+- struct platform_device *pdev = to_platform_device(dev);
+- ssize_t len;
+-
+- device_lock(dev);
+- len = sysfs_emit(buf, "%s\n", pdev->driver_override);
+- device_unlock(dev);
+-
+- return len;
+-}
+-static DEVICE_ATTR_RW(driver_override);
+-
+-static ssize_t numa_node_show(struct device *dev,
+- struct device_attribute *attr, char *buf)
+-{
+- return sysfs_emit(buf, "%d\n", dev_to_node(dev));
+-}
+-static DEVICE_ATTR_RO(numa_node);
+-
+-static umode_t platform_dev_attrs_visible(struct kobject *kobj, struct attribute *a,
+- int n)
+-{
+- struct device *dev = container_of(kobj, typeof(*dev), kobj);
+-
+- if (a == &dev_attr_numa_node.attr &&
+- dev_to_node(dev) == NUMA_NO_NODE)
+- return 0;
+-
+- return a->mode;
+-}
+-
+-static struct attribute *platform_dev_attrs[] = {
+- &dev_attr_modalias.attr,
+- &dev_attr_numa_node.attr,
+- &dev_attr_driver_override.attr,
+- NULL,
+-};
+-
+-static struct attribute_group platform_dev_group = {
+- .attrs = platform_dev_attrs,
+- .is_visible = platform_dev_attrs_visible,
+-};
+-__ATTRIBUTE_GROUPS(platform_dev);
+-
+-static int platform_uevent(struct device *dev, struct kobj_uevent_env *env)
+-{
+- struct platform_device *pdev = to_platform_device(dev);
+- int rc;
+-
+- /* Some devices have extra OF data and an OF-style MODALIAS */
+- rc = of_device_uevent_modalias(dev, env);
+- if (rc != -ENODEV)
+- return rc;
+-
+- rc = acpi_device_uevent_modalias(dev, env);
+- if (rc != -ENODEV)
+- return rc;
+-
+- add_uevent_var(env, "MODALIAS=%s%s", PLATFORM_MODULE_PREFIX,
+- pdev->name);
+- return 0;
+-}
+-
+ static const struct platform_device_id *platform_match_id(
+ const struct platform_device_id *id,
+ struct platform_device *pdev)
+@@ -1134,44 +1031,6 @@ static const struct platform_device_id *platform_match_id(
+ return NULL;
+ }
+
+-/**
+- * platform_match - bind platform device to platform driver.
+- * @dev: device.
+- * @drv: driver.
+- *
+- * Platform device IDs are assumed to be encoded like this:
+- * "<name><instance>", where <name> is a short description of the type of
+- * device, like "pci" or "floppy", and <instance> is the enumerated
+- * instance of the device, like '0' or '42'. Driver IDs are simply
+- * "<name>". So, extract the <name> from the platform_device structure,
+- * and compare it against the name of the driver. Return whether they match
+- * or not.
+- */
+-static int platform_match(struct device *dev, struct device_driver *drv)
+-{
+- struct platform_device *pdev = to_platform_device(dev);
+- struct platform_driver *pdrv = to_platform_driver(drv);
+-
+- /* When driver_override is set, only bind to the matching driver */
+- if (pdev->driver_override)
+- return !strcmp(pdev->driver_override, drv->name);
+-
+- /* Attempt an OF style match first */
+- if (of_driver_match_device(dev, drv))
+- return 1;
+-
+- /* Then try ACPI style match */
+- if (acpi_driver_match_device(dev, drv))
+- return 1;
+-
+- /* Then try to match against the id table */
+- if (pdrv->id_table)
+- return platform_match_id(pdrv->id_table, pdev) != NULL;
+-
+- /* fall-back to driver name match */
+- return (strcmp(pdev->name, drv->name) == 0);
+-}
+-
+ #ifdef CONFIG_PM_SLEEP
+
+ static int platform_legacy_suspend(struct device *dev, pm_message_t mesg)
+@@ -1316,6 +1175,148 @@ int platform_pm_restore(struct device *dev)
+
+ #endif /* CONFIG_HIBERNATE_CALLBACKS */
+
++/* modalias support enables more hands-off userspace setup:
++ * (a) environment variable lets new-style hotplug events work once system is
++ * fully running: "modprobe $MODALIAS"
++ * (b) sysfs attribute lets new-style coldplug recover from hotplug events
++ * mishandled before system is fully running: "modprobe $(cat modalias)"
++ */
++static ssize_t modalias_show(struct device *dev,
++ struct device_attribute *attr, char *buf)
++{
++ struct platform_device *pdev = to_platform_device(dev);
++ int len;
++
++ len = of_device_modalias(dev, buf, PAGE_SIZE);
++ if (len != -ENODEV)
++ return len;
++
++ len = acpi_device_modalias(dev, buf, PAGE_SIZE - 1);
++ if (len != -ENODEV)
++ return len;
++
++ return sysfs_emit(buf, "platform:%s\n", pdev->name);
++}
++static DEVICE_ATTR_RO(modalias);
++
++static ssize_t numa_node_show(struct device *dev,
++ struct device_attribute *attr, char *buf)
++{
++ return sysfs_emit(buf, "%d\n", dev_to_node(dev));
++}
++static DEVICE_ATTR_RO(numa_node);
++
++static ssize_t driver_override_show(struct device *dev,
++ struct device_attribute *attr, char *buf)
++{
++ struct platform_device *pdev = to_platform_device(dev);
++ ssize_t len;
++
++ device_lock(dev);
++ len = sysfs_emit(buf, "%s\n", pdev->driver_override);
++ device_unlock(dev);
++
++ return len;
++}
++
++static ssize_t driver_override_store(struct device *dev,
++ struct device_attribute *attr,
++ const char *buf, size_t count)
++{
++ struct platform_device *pdev = to_platform_device(dev);
++ int ret;
++
++ ret = driver_set_override(dev, &pdev->driver_override, buf, count);
++ if (ret)
++ return ret;
++
++ return count;
++}
++static DEVICE_ATTR_RW(driver_override);
++
++static struct attribute *platform_dev_attrs[] = {
++ &dev_attr_modalias.attr,
++ &dev_attr_numa_node.attr,
++ &dev_attr_driver_override.attr,
++ NULL,
++};
++
++static umode_t platform_dev_attrs_visible(struct kobject *kobj, struct attribute *a,
++ int n)
++{
++ struct device *dev = container_of(kobj, typeof(*dev), kobj);
++
++ if (a == &dev_attr_numa_node.attr &&
++ dev_to_node(dev) == NUMA_NO_NODE)
++ return 0;
++
++ return a->mode;
++}
++
++static struct attribute_group platform_dev_group = {
++ .attrs = platform_dev_attrs,
++ .is_visible = platform_dev_attrs_visible,
++};
++__ATTRIBUTE_GROUPS(platform_dev);
++
++
++/**
++ * platform_match - bind platform device to platform driver.
++ * @dev: device.
++ * @drv: driver.
++ *
++ * Platform device IDs are assumed to be encoded like this:
++ * "<name><instance>", where <name> is a short description of the type of
++ * device, like "pci" or "floppy", and <instance> is the enumerated
++ * instance of the device, like '0' or '42'. Driver IDs are simply
++ * "<name>". So, extract the <name> from the platform_device structure,
++ * and compare it against the name of the driver. Return whether they match
++ * or not.
++ */
++static int platform_match(struct device *dev, struct device_driver *drv)
++{
++ struct platform_device *pdev = to_platform_device(dev);
++ struct platform_driver *pdrv = to_platform_driver(drv);
++
++ /* When driver_override is set, only bind to the matching driver */
++ if (pdev->driver_override)
++ return !strcmp(pdev->driver_override, drv->name);
++
++ /* Attempt an OF style match first */
++ if (of_driver_match_device(dev, drv))
++ return 1;
++
++ /* Then try ACPI style match */
++ if (acpi_driver_match_device(dev, drv))
++ return 1;
++
++ /* Then try to match against the id table */
++ if (pdrv->id_table)
++ return platform_match_id(pdrv->id_table, pdev) != NULL;
++
++ /* fall-back to driver name match */
++ return (strcmp(pdev->name, drv->name) == 0);
++}
++
++static int platform_uevent(struct device *dev, struct kobj_uevent_env *env)
++{
++ struct platform_device *pdev = to_platform_device(dev);
++ int rc;
++
++ /* Some devices have extra OF data and an OF-style MODALIAS */
++ rc = of_device_uevent_modalias(dev, env);
++ if (rc != -ENODEV)
++ return rc;
++
++ rc = acpi_device_uevent_modalias(dev, env);
++ if (rc != -ENODEV)
++ return rc;
++
++ add_uevent_var(env, "MODALIAS=%s%s", PLATFORM_MODULE_PREFIX,
++ pdev->name);
++ return 0;
++}
++
+ int platform_dma_configure(struct device *dev)
+ {
+ enum dev_dma_attr attr;
+--
+2.39.5
+
--- /dev/null
+From 42a21f6047a9a56987a59b5340e718b5e1109e7a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Nov 2020 13:46:11 +0100
+Subject: driver core: platform: use bus_type functions
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 9c30921fe7994907e0b3e0637b2c8c0fc4b5171f ]
+
+This works towards the goal mentioned in 2006 in commit 594c8281f905
+("[PATCH] Add bus_type probe, remove, shutdown methods.").
+
+The functions are moved to where the other bus_type functions are
+defined and renamed to match the already established naming scheme.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Link: https://lore.kernel.org/r/20201119124611.2573057-3-u.kleine-koenig@pengutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: bf5821909eb9 ("mtd: hyperbus: hbmc-am654: fix an OF node reference leak")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/platform.c | 132 ++++++++++++++++++++--------------------
+ 1 file changed, 65 insertions(+), 67 deletions(-)
+
+diff --git a/drivers/base/platform.c b/drivers/base/platform.c
+index 16426eb934632..90166535a5c05 100644
+--- a/drivers/base/platform.c
++++ b/drivers/base/platform.c
+@@ -743,70 +743,6 @@ struct platform_device *platform_device_register_full(
+ }
+ EXPORT_SYMBOL_GPL(platform_device_register_full);
+
+-static int platform_probe_fail(struct platform_device *pdev);
+-
+-static int platform_drv_probe(struct device *_dev)
+-{
+- struct platform_driver *drv = to_platform_driver(_dev->driver);
+- struct platform_device *dev = to_platform_device(_dev);
+- int ret;
+-
+- /*
+- * A driver registered using platform_driver_probe() cannot be bound
+- * again later because the probe function usually lives in __init code
+- * and so is gone. For these drivers .probe is set to
+- * platform_probe_fail in __platform_driver_probe(). Don't even
+- * prepare clocks and PM domains for these to match the traditional
+- * behaviour.
+- */
+- if (unlikely(drv->probe == platform_probe_fail))
+- return -ENXIO;
+-
+- ret = of_clk_set_defaults(_dev->of_node, false);
+- if (ret < 0)
+- return ret;
+-
+- ret = dev_pm_domain_attach(_dev, true);
+- if (ret)
+- goto out;
+-
+- if (drv->probe) {
+- ret = drv->probe(dev);
+- if (ret)
+- dev_pm_domain_detach(_dev, true);
+- }
+-
+-out:
+- if (drv->prevent_deferred_probe && ret == -EPROBE_DEFER) {
+- dev_warn(_dev, "probe deferral not supported\n");
+- ret = -ENXIO;
+- }
+-
+- return ret;
+-}
+-
+-static int platform_drv_remove(struct device *_dev)
+-{
+- struct platform_driver *drv = to_platform_driver(_dev->driver);
+- struct platform_device *dev = to_platform_device(_dev);
+- int ret = 0;
+-
+- if (drv->remove)
+- ret = drv->remove(dev);
+- dev_pm_domain_detach(_dev, true);
+-
+- return ret;
+-}
+-
+-static void platform_drv_shutdown(struct device *_dev)
+-{
+- struct platform_driver *drv = to_platform_driver(_dev->driver);
+- struct platform_device *dev = to_platform_device(_dev);
+-
+- if (drv->shutdown)
+- drv->shutdown(dev);
+-}
+-
+ /**
+ * __platform_driver_register - register a driver for platform-level devices
+ * @drv: platform driver structure
+@@ -817,9 +753,6 @@ int __platform_driver_register(struct platform_driver *drv,
+ {
+ drv->driver.owner = owner;
+ drv->driver.bus = &platform_bus_type;
+- drv->driver.probe = platform_drv_probe;
+- drv->driver.remove = platform_drv_remove;
+- drv->driver.shutdown = platform_drv_shutdown;
+
+ return driver_register(&drv->driver);
+ }
+@@ -1329,6 +1262,68 @@ static int platform_uevent(struct device *dev, struct kobj_uevent_env *env)
+ return 0;
+ }
+
++static int platform_probe(struct device *_dev)
++{
++ struct platform_driver *drv = to_platform_driver(_dev->driver);
++ struct platform_device *dev = to_platform_device(_dev);
++ int ret;
++
++ /*
++ * A driver registered using platform_driver_probe() cannot be bound
++ * again later because the probe function usually lives in __init code
++ * and so is gone. For these drivers .probe is set to
++ * platform_probe_fail in __platform_driver_probe(). Don't even prepare
++ * clocks and PM domains for these to match the traditional behaviour.
++ */
++ if (unlikely(drv->probe == platform_probe_fail))
++ return -ENXIO;
++
++ ret = of_clk_set_defaults(_dev->of_node, false);
++ if (ret < 0)
++ return ret;
++
++ ret = dev_pm_domain_attach(_dev, true);
++ if (ret)
++ goto out;
++
++ if (drv->probe) {
++ ret = drv->probe(dev);
++ if (ret)
++ dev_pm_domain_detach(_dev, true);
++ }
++
++out:
++ if (drv->prevent_deferred_probe && ret == -EPROBE_DEFER) {
++ dev_warn(_dev, "probe deferral not supported\n");
++ ret = -ENXIO;
++ }
++
++ return ret;
++}
++
++static int platform_remove(struct device *_dev)
++{
++ struct platform_driver *drv = to_platform_driver(_dev->driver);
++ struct platform_device *dev = to_platform_device(_dev);
++ int ret = 0;
++
++ if (drv->remove)
++ ret = drv->remove(dev);
++ dev_pm_domain_detach(_dev, true);
++
++ return ret;
++}
++
++static void platform_shutdown(struct device *_dev)
++{
++ struct platform_driver *drv = to_platform_driver(_dev->driver);
++ struct platform_device *dev = to_platform_device(_dev);
++
++ if (drv->shutdown)
++ drv->shutdown(dev);
++}
++
++
+ int platform_dma_configure(struct device *dev)
+ {
+ enum dev_dma_attr attr;
+@@ -1355,6 +1350,9 @@ struct bus_type platform_bus_type = {
+ .dev_groups = platform_dev_groups,
+ .match = platform_match,
+ .uevent = platform_uevent,
++ .probe = platform_probe,
++ .remove = platform_remove,
++ .shutdown = platform_shutdown,
+ .dma_configure = platform_dma_configure,
+ .pm = &platform_dev_pm_ops,
+ };
+--
+2.39.5
+
--- /dev/null
+From 0552f8ac30103417ffa89c88e1bda02f87ce405d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Dec 2024 11:00:43 +0300
+Subject: drm/amdgpu: Fix potential NULL pointer dereference in
+ atomctrl_get_smc_sclk_range_table
+
+From: Ivan Stepchenko <sid@itb.spb.ru>
+
+[ Upstream commit 357445e28ff004d7f10967aa93ddb4bffa5c3688 ]
+
+The function atomctrl_get_smc_sclk_range_table() does not check the return
+value of smu_atom_get_data_table(). If smu_atom_get_data_table() fails to
+retrieve SMU_Info table, it returns NULL which is later dereferenced.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+In practice this should never happen as this code only gets called
+on polaris chips and the vbios data table will always be present on
+those chips.
+
+Fixes: a23eefa2f461 ("drm/amd/powerplay: enable dpm for baffin.")
+Signed-off-by: Ivan Stepchenko <sid@itb.spb.ru>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c
+index 165af862d0542..04dbd9f89a45d 100644
+--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c
++++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/ppatomctrl.c
+@@ -1370,6 +1370,8 @@ int atomctrl_get_smc_sclk_range_table(struct pp_hwmgr *hwmgr, struct pp_atom_ctr
+ GetIndexIntoMasterTable(DATA, SMU_Info),
+ &size, &frev, &crev);
+
++ if (!psmu_info)
++ return -EINVAL;
+
+ for (i = 0; i < psmu_info->ucSclkEntryNum; i++) {
+ table->entry[i].ucVco_setting = psmu_info->asSclkFcwRangeEntry[i].ucVco_setting;
+--
+2.39.5
+
--- /dev/null
+From 791d9ffe333712fffb952f74ac4c77b6ca20724c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 4 Nov 2024 08:41:56 +0800
+Subject: drm/etnaviv: Fix page property being used for non writecombine
+ buffers
+
+From: Sui Jingfeng <sui.jingfeng@linux.dev>
+
+[ Upstream commit 834f304192834d6f0941954f3277ae0ba11a9a86 ]
+
+In the etnaviv_gem_vmap_impl() function, the driver vmap whatever buffers
+with write combine(WC) page property, this is incorrect. Cached buffers
+should be mapped with the cached page property and uncached buffers should
+be mapped with the uncached page property.
+
+Fixes: a0a5ab3e99b8 ("drm/etnaviv: call correct function when trying to vmap a DMABUF")
+Signed-off-by: Sui Jingfeng <sui.jingfeng@linux.dev>
+Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/etnaviv/etnaviv_gem.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/etnaviv/etnaviv_gem.c b/drivers/gpu/drm/etnaviv/etnaviv_gem.c
+index aa372982335e9..bdd3564634e79 100644
+--- a/drivers/gpu/drm/etnaviv/etnaviv_gem.c
++++ b/drivers/gpu/drm/etnaviv/etnaviv_gem.c
+@@ -351,6 +351,7 @@ void *etnaviv_gem_vmap(struct drm_gem_object *obj)
+ static void *etnaviv_gem_vmap_impl(struct etnaviv_gem_object *obj)
+ {
+ struct page **pages;
++ pgprot_t prot;
+
+ lockdep_assert_held(&obj->lock);
+
+@@ -358,8 +359,19 @@ static void *etnaviv_gem_vmap_impl(struct etnaviv_gem_object *obj)
+ if (IS_ERR(pages))
+ return NULL;
+
+- return vmap(pages, obj->base.size >> PAGE_SHIFT,
+- VM_MAP, pgprot_writecombine(PAGE_KERNEL));
++ switch (obj->flags & ETNA_BO_CACHE_MASK) {
++ case ETNA_BO_CACHED:
++ prot = PAGE_KERNEL;
++ break;
++ case ETNA_BO_UNCACHED:
++ prot = pgprot_noncached(PAGE_KERNEL);
++ break;
++ case ETNA_BO_WC:
++ default:
++ prot = pgprot_writecombine(PAGE_KERNEL);
++ }
++
++ return vmap(pages, obj->base.size >> PAGE_SHIFT, VM_MAP, prot);
+ }
+
+ static inline enum dma_data_direction etnaviv_op_to_dma_dir(u32 op)
+--
+2.39.5
+
--- /dev/null
+From 21bd38f238e2fe68a69e55f9c382d42bde0e4338 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Nov 2024 16:16:41 +0100
+Subject: dt-bindings: mmc: controller: clarify the address-cells description
+
+From: Neil Armstrong <neil.armstrong@linaro.org>
+
+[ Upstream commit b2b8e93ec00b8110cb37cbde5400d5abfdaed6a7 ]
+
+The term "slot ID" has nothing to do with the SDIO function number
+which is specified in the reg property of the subnodes, rephrase
+the description to be more accurate.
+
+Fixes: f9b7989859dd ("dt-bindings: mmc: Add YAML schemas for the generic MMC options")
+Signed-off-by: Neil Armstrong <neil.armstrong@linaro.org>
+Acked-by: Rob Herring (Arm) <robh@kernel.org>
+Message-ID: <20241128-topic-amlogic-arm32-upstream-bindings-fixes-convert-meson-mx-sdio-v4-1-11d9f9200a59@linaro.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ Documentation/devicetree/bindings/mmc/mmc-controller.yaml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Documentation/devicetree/bindings/mmc/mmc-controller.yaml b/Documentation/devicetree/bindings/mmc/mmc-controller.yaml
+index 186f04ba93579..b7976809d8f68 100644
+--- a/Documentation/devicetree/bindings/mmc/mmc-controller.yaml
++++ b/Documentation/devicetree/bindings/mmc/mmc-controller.yaml
+@@ -25,7 +25,7 @@ properties:
+ "#address-cells":
+ const: 1
+ description: |
+- The cell is the slot ID if a function subnode is used.
++ The cell is the SDIO function number if a function subnode is used.
+
+ "#size-cells":
+ const: 0
+--
+2.39.5
+
--- /dev/null
+From eccab193b9fda61f532cca14f0eeec3054420b36 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Jan 2025 10:15:37 +0900
+Subject: fbdev: omapfb: Fix an OF node leak in dss_of_port_get_parent_device()
+
+From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+
+[ Upstream commit de124b61e179e690277116e6be512e4f422b5dd8 ]
+
+dss_of_port_get_parent_device() leaks an OF node reference when i >= 2
+and struct device_node *np is present. Since of_get_next_parent()
+obtains a reference of the returned OF node, call of_node_put() before
+returning NULL.
+
+This was found by an experimental verifier that I am developing, and no
+runtime test was able to be performed due to that lack of actual
+devices.
+
+Fixes: f76ee892a99e ("omapfb: copy omapdss & displays for omapfb")
+Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/omap2/omapfb/dss/dss-of.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/video/fbdev/omap2/omapfb/dss/dss-of.c b/drivers/video/fbdev/omap2/omapfb/dss/dss-of.c
+index 0282d4eef139d..3b16c3342cb77 100644
+--- a/drivers/video/fbdev/omap2/omapfb/dss/dss-of.c
++++ b/drivers/video/fbdev/omap2/omapfb/dss/dss-of.c
+@@ -102,6 +102,7 @@ struct device_node *dss_of_port_get_parent_device(struct device_node *port)
+ np = of_get_next_parent(np);
+ }
+
++ of_node_put(np);
+ return NULL;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 060c0f9c50fce3108df6e2b769d32808d7b681df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2024 11:20:43 +0100
+Subject: genirq: Make handle_enforce_irqctx() unconditionally available
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+[ Upstream commit 8d187a77f04c14fb459a5301d69f733a5a1396bc ]
+
+Commit 1b57d91b969c ("irqchip/gic-v2, v3: Prevent SW resends entirely")
+sett the flag which enforces interrupt handling in interrupt context and
+prevents software base resends for ARM GIC v2/v3.
+
+But it missed that the helper function which checks the flag was hidden
+behind CONFIG_GENERIC_PENDING_IRQ, which is not set by ARM[64].
+
+Make the helper unconditionally available so that the enforcement actually
+works.
+
+Fixes: 1b57d91b969c ("irqchip/gic-v2, v3: Prevent SW resends entirely")
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lore.kernel.org/all/20241210101811.497716609@linutronix.de
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/irq/internals.h | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/kernel/irq/internals.h b/kernel/irq/internals.h
+index f1d83a8b44171..da1f282d5a1d1 100644
+--- a/kernel/irq/internals.h
++++ b/kernel/irq/internals.h
+@@ -429,10 +429,6 @@ static inline struct cpumask *irq_desc_get_pending_mask(struct irq_desc *desc)
+ {
+ return desc->pending_mask;
+ }
+-static inline bool handle_enforce_irqctx(struct irq_data *data)
+-{
+- return irqd_is_handle_enforce_irqctx(data);
+-}
+ bool irq_fixup_move_pending(struct irq_desc *desc, bool force_clear);
+ #else /* CONFIG_GENERIC_PENDING_IRQ */
+ static inline bool irq_can_move_pcntxt(struct irq_data *data)
+@@ -459,11 +455,12 @@ static inline bool irq_fixup_move_pending(struct irq_desc *desc, bool fclear)
+ {
+ return false;
+ }
++#endif /* !CONFIG_GENERIC_PENDING_IRQ */
++
+ static inline bool handle_enforce_irqctx(struct irq_data *data)
+ {
+- return false;
++ return irqd_is_handle_enforce_irqctx(data);
+ }
+-#endif /* !CONFIG_GENERIC_PENDING_IRQ */
+
+ #if !defined(CONFIG_IRQ_DOMAIN) || !defined(CONFIG_IRQ_DOMAIN_HIERARCHY)
+ static inline int irq_domain_activate_irq(struct irq_data *data, bool reserve)
+--
+2.39.5
+
--- /dev/null
+From 9c751e59a57a0ed68c47f2d8ccfb668d50271830 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 Sep 2024 17:44:19 +0800
+Subject: ipmi: ipmb: Add check devm_kasprintf() returned value
+
+From: Charles Han <hanchunchao@inspur.com>
+
+[ Upstream commit 2378bd0b264ad3a1f76bd957caf33ee0c7945351 ]
+
+devm_kasprintf() can return a NULL pointer on failure but this
+returned value is not checked.
+
+Fixes: 51bd6f291583 ("Add support for IPMB driver")
+Signed-off-by: Charles Han <hanchunchao@inspur.com>
+Message-ID: <20240926094419.25900-1-hanchunchao@inspur.com>
+Signed-off-by: Corey Minyard <corey@minyard.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/char/ipmi/ipmb_dev_int.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/char/ipmi/ipmb_dev_int.c b/drivers/char/ipmi/ipmb_dev_int.c
+index 382b28f1cf2f6..8800f2998d590 100644
+--- a/drivers/char/ipmi/ipmb_dev_int.c
++++ b/drivers/char/ipmi/ipmb_dev_int.c
+@@ -322,6 +322,9 @@ static int ipmb_probe(struct i2c_client *client,
+ ipmb_dev->miscdev.name = devm_kasprintf(&client->dev, GFP_KERNEL,
+ "%s%d", "ipmb-",
+ client->adapter->nr);
++ if (!ipmb_dev->miscdev.name)
++ return -ENOMEM;
++
+ ipmb_dev->miscdev.fops = &ipmb_fops;
+ ipmb_dev->miscdev.parent = &client->dev;
+ ret = misc_register(&ipmb_dev->miscdev);
+--
+2.39.5
+
--- /dev/null
+From 9c258f48b695c7203dc4429f4e9d7c02fbfae3fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Jan 2025 18:12:41 +0000
+Subject: ipmr: do not call mr_mfc_uses_dev() for unres entries
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 15a901361ec3fb1c393f91880e1cbf24ec0a88bd ]
+
+syzbot found that calling mr_mfc_uses_dev() for unres entries
+would crash [1], because c->mfc_un.res.minvif / c->mfc_un.res.maxvif
+alias to "struct sk_buff_head unresolved", which contain two pointers.
+
+This code never worked, lets remove it.
+
+[1]
+Unable to handle kernel paging request at virtual address ffff5fff2d536613
+KASAN: maybe wild-memory-access in range [0xfffefff96a9b3098-0xfffefff96a9b309f]
+Modules linked in:
+CPU: 1 UID: 0 PID: 7321 Comm: syz.0.16 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
+pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline]
+ pc : mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334
+ lr : mr_mfc_uses_dev net/ipv4/ipmr_base.c:289 [inline]
+ lr : mr_table_dump+0x694/0x8b0 net/ipv4/ipmr_base.c:334
+Call trace:
+ mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] (P)
+ mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 (P)
+ mr_rtm_dumproute+0x254/0x454 net/ipv4/ipmr_base.c:382
+ ipmr_rtm_dumproute+0x248/0x4b4 net/ipv4/ipmr.c:2648
+ rtnl_dump_all+0x2e4/0x4e8 net/core/rtnetlink.c:4327
+ rtnl_dumpit+0x98/0x1d0 net/core/rtnetlink.c:6791
+ netlink_dump+0x4f0/0xbc0 net/netlink/af_netlink.c:2317
+ netlink_recvmsg+0x56c/0xe64 net/netlink/af_netlink.c:1973
+ sock_recvmsg_nosec net/socket.c:1033 [inline]
+ sock_recvmsg net/socket.c:1055 [inline]
+ sock_read_iter+0x2d8/0x40c net/socket.c:1125
+ new_sync_read fs/read_write.c:484 [inline]
+ vfs_read+0x740/0x970 fs/read_write.c:565
+ ksys_read+0x15c/0x26c fs/read_write.c:708
+
+Fixes: cb167893f41e ("net: Plumb support for filtering ipv4 and ipv6 multicast route dumps")
+Reported-by: syzbot+5cfae50c0e5f2c500013@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/678fe2d1.050a0220.15cac.00b3.GAE@google.com/T/#u
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Link: https://patch.msgid.link/20250121181241.841212-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/ipmr_base.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/ipv4/ipmr_base.c b/net/ipv4/ipmr_base.c
+index c45cb7cb57590..8b5b6f196cdc4 100644
+--- a/net/ipv4/ipmr_base.c
++++ b/net/ipv4/ipmr_base.c
+@@ -321,9 +321,6 @@ int mr_table_dump(struct mr_table *mrt, struct sk_buff *skb,
+ list_for_each_entry(mfc, &mrt->mfc_unres_queue, list) {
+ if (e < s_e)
+ goto next_entry2;
+- if (filter->dev &&
+- !mr_mfc_uses_dev(mrt, mfc, filter->dev))
+- goto next_entry2;
+
+ err = fill(mrt, skb, NETLINK_CB(cb->skb).portid,
+ cb->nlh->nlmsg_seq, mfc, RTM_NEWROUTE, flags);
+--
+2.39.5
+
--- /dev/null
+From 39a73b24f0572b861febdb1fb082039b1ac2aa5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Sep 2024 21:07:35 +0800
+Subject: ktest.pl: Remove unused declarations in run_bisect_test function
+
+From: Ba Jing <bajing@cmss.chinamobile.com>
+
+[ Upstream commit 776735b954f49f85fd19e1198efa421fae2ad77c ]
+
+Since $output and $ret are not used in the subsequent code, the declarations
+should be removed.
+
+Fixes: a75fececff3c ("ktest: Added sample.conf, new %default option format")
+Link: https://lore.kernel.org/20240902130735.6034-1-bajing@cmss.chinamobile.com
+Signed-off-by: Ba Jing <bajing@cmss.chinamobile.com>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/ktest/ktest.pl | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/tools/testing/ktest/ktest.pl b/tools/testing/ktest/ktest.pl
+index f260b455b74d4..72101e172e073 100755
+--- a/tools/testing/ktest/ktest.pl
++++ b/tools/testing/ktest/ktest.pl
+@@ -2892,8 +2892,6 @@ sub run_bisect_test {
+
+ my $failed = 0;
+ my $result;
+- my $output;
+- my $ret;
+
+ $in_bisect = 1;
+
+--
+2.39.5
+
--- /dev/null
+From 34edd797b6516ed6b638984266c49853aa6a36a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 Dec 2024 16:49:23 +0900
+Subject: leds: netxbig: Fix an OF node reference leak in
+ netxbig_leds_get_of_pdata()
+
+From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+
+[ Upstream commit 0508316be63bb735f59bdc8fe4527cadb62210ca ]
+
+netxbig_leds_get_of_pdata() does not release the OF node obtained by
+of_parse_phandle() when of_find_device_by_node() fails. Add an
+of_node_put() call to fix the leak.
+
+This bug was found by an experimental static analysis tool that I am
+developing.
+
+Fixes: 9af512e81964 ("leds: netxbig: Convert to use GPIO descriptors")
+Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+Link: https://lore.kernel.org/r/20241216074923.628509-1-joe@pf.is.s.u-tokyo.ac.jp
+Signed-off-by: Lee Jones <lee@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/leds/leds-netxbig.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/leds/leds-netxbig.c b/drivers/leds/leds-netxbig.c
+index 68fbf0b66fadd..c2cc45e19c4b2 100644
+--- a/drivers/leds/leds-netxbig.c
++++ b/drivers/leds/leds-netxbig.c
+@@ -440,6 +440,7 @@ static int netxbig_leds_get_of_pdata(struct device *dev,
+ }
+ gpio_ext_pdev = of_find_device_by_node(gpio_ext_np);
+ if (!gpio_ext_pdev) {
++ of_node_put(gpio_ext_np);
+ dev_err(dev, "Failed to find platform device for gpio-ext\n");
+ return -ENODEV;
+ }
+--
+2.39.5
+
--- /dev/null
+From 5f1b122052f9e68efc560d25686407b34f9d32cc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Nov 2024 19:18:17 +0000
+Subject: media: camif-core: Add check for clk_enable()
+
+From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+
+[ Upstream commit 77ed2470ac09c2b0a33cf3f98cc51d18ba9ed976 ]
+
+Add check for the return value of clk_enable() to gurantee the success.
+
+Fixes: babde1c243b2 ("[media] V4L: Add driver for S3C24XX/S3C64XX SoC series camera interface")
+Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/s3c-camif/camif-core.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/s3c-camif/camif-core.c b/drivers/media/platform/s3c-camif/camif-core.c
+index 422fd549e9c87..aa2427cb2e63b 100644
+--- a/drivers/media/platform/s3c-camif/camif-core.c
++++ b/drivers/media/platform/s3c-camif/camif-core.c
+@@ -529,10 +529,19 @@ static int s3c_camif_remove(struct platform_device *pdev)
+ static int s3c_camif_runtime_resume(struct device *dev)
+ {
+ struct camif_dev *camif = dev_get_drvdata(dev);
++ int ret;
++
++ ret = clk_enable(camif->clock[CLK_GATE]);
++ if (ret)
++ return ret;
+
+- clk_enable(camif->clock[CLK_GATE]);
+ /* null op on s3c244x */
+- clk_enable(camif->clock[CLK_CAM]);
++ ret = clk_enable(camif->clock[CLK_CAM]);
++ if (ret) {
++ clk_disable(camif->clock[CLK_GATE]);
++ return ret;
++ }
++
+ return 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 2384bc02b1cdc348b3d82982b5dcc6217cb72736 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 May 2024 17:10:42 +0800
+Subject: media: lmedm04: Handle errors for lme2510_int_read
+
+From: Chen Ni <nichen@iscas.ac.cn>
+
+[ Upstream commit a2836d3fe220220ff8c495ca9722f89cea8a67e7 ]
+
+Add check for the return value of usb_pipe_endpoint() and
+usb_submit_urb() in order to catch the errors.
+
+Fixes: 15e1ce33182d ("[media] lmedm04: Fix usb_submit_urb BOGUS urb xfer, pipe 1 != type 3 in interrupt urb")
+Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
+Link: https://lore.kernel.org/r/20240521091042.1769684-1-nichen@iscas.ac.cn
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb-v2/lmedm04.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/dvb-usb-v2/lmedm04.c b/drivers/media/usb/dvb-usb-v2/lmedm04.c
+index 0f5a1eed5ea9f..b54eb5a083561 100644
+--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c
++++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c
+@@ -372,6 +372,7 @@ static int lme2510_int_read(struct dvb_usb_adapter *adap)
+ struct dvb_usb_device *d = adap_to_d(adap);
+ struct lme2510_state *lme_int = adap_to_priv(adap);
+ struct usb_host_endpoint *ep;
++ int ret;
+
+ lme_int->lme_urb = usb_alloc_urb(0, GFP_KERNEL);
+
+@@ -389,11 +390,20 @@ static int lme2510_int_read(struct dvb_usb_adapter *adap)
+
+ /* Quirk of pipe reporting PIPE_BULK but behaves as interrupt */
+ ep = usb_pipe_endpoint(d->udev, lme_int->lme_urb->pipe);
++ if (!ep) {
++ usb_free_urb(lme_int->lme_urb);
++ return -ENODEV;
++ }
+
+ if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK)
+ lme_int->lme_urb->pipe = usb_rcvbulkpipe(d->udev, 0xa);
+
+- usb_submit_urb(lme_int->lme_urb, GFP_KERNEL);
++ ret = usb_submit_urb(lme_int->lme_urb, GFP_KERNEL);
++ if (ret) {
++ usb_free_urb(lme_int->lme_urb);
++ return ret;
++ }
++
+ info("INT Interrupt Service Started");
+
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From ba9cdff976ba1f2c53a3c335ccb017260385d62f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 3 Oct 2020 11:32:43 +0200
+Subject: media: lmedm04: Use GFP_KERNEL for URB allocation/submission.
+
+From: Malcolm Priestley <tvboxspy@gmail.com>
+
+[ Upstream commit add5861769f912af0181f5fbd79dbf19c8211c20 ]
+
+lme2510_int_read is not atomically called so use GFP_KERNEL for
+usb_alloc_urb and usb_submit_urb which is the first in the chain
+of interrupt submissions.
+
+Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Stable-dep-of: a2836d3fe220 ("media: lmedm04: Handle errors for lme2510_int_read")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/dvb-usb-v2/lmedm04.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/usb/dvb-usb-v2/lmedm04.c b/drivers/media/usb/dvb-usb-v2/lmedm04.c
+index 9ddda8d68ee0f..0f5a1eed5ea9f 100644
+--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c
++++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c
+@@ -373,7 +373,7 @@ static int lme2510_int_read(struct dvb_usb_adapter *adap)
+ struct lme2510_state *lme_int = adap_to_priv(adap);
+ struct usb_host_endpoint *ep;
+
+- lme_int->lme_urb = usb_alloc_urb(0, GFP_ATOMIC);
++ lme_int->lme_urb = usb_alloc_urb(0, GFP_KERNEL);
+
+ if (lme_int->lme_urb == NULL)
+ return -ENOMEM;
+@@ -393,7 +393,7 @@ static int lme2510_int_read(struct dvb_usb_adapter *adap)
+ if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK)
+ lme_int->lme_urb->pipe = usb_rcvbulkpipe(d->udev, 0xa);
+
+- usb_submit_urb(lme_int->lme_urb, GFP_ATOMIC);
++ usb_submit_urb(lme_int->lme_urb, GFP_KERNEL);
+ info("INT Interrupt Service Started");
+
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From 4a41255bc2ab4917f188fe0535739815912e87f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2024 21:29:02 +0000
+Subject: media: marvell: Add check for clk_enable()
+
+From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+
+[ Upstream commit 11f68d2ba2e1521a608af773bf788e8cfa260f68 ]
+
+Add check for the return value of clk_enable() to guarantee the success.
+
+Fixes: 81a409bfd551 ("media: marvell-ccic: provide a clock for the sensor")
+Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+[Sakari Ailus: Fix spelling in commit message.]
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/marvell-ccic/mcam-core.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/marvell-ccic/mcam-core.c b/drivers/media/platform/marvell-ccic/mcam-core.c
+index e56c5e56e824a..2d7e68fa2b9af 100644
+--- a/drivers/media/platform/marvell-ccic/mcam-core.c
++++ b/drivers/media/platform/marvell-ccic/mcam-core.c
+@@ -935,7 +935,12 @@ static int mclk_enable(struct clk_hw *hw)
+ ret = pm_runtime_resume_and_get(cam->dev);
+ if (ret < 0)
+ return ret;
+- clk_enable(cam->clk[0]);
++ ret = clk_enable(cam->clk[0]);
++ if (ret) {
++ pm_runtime_put(cam->dev);
++ return ret;
++ }
++
+ mcam_reg_write(cam, REG_CLKCTRL, (mclk_src << 29) | mclk_div);
+ mcam_ctlr_power_up(cam);
+
+--
+2.39.5
+
--- /dev/null
+From 6231f3bef30fe9158042bd83835b6e58628a0ca4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 25 Nov 2024 19:18:18 +0000
+Subject: media: mipi-csis: Add check for clk_enable()
+
+From: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+
+[ Upstream commit 125ad1aeec77eb55273b420be6894b284a01e4b6 ]
+
+Add check for the return value of clk_enable() to gurantee the success.
+
+Fixes: b5f1220d587d ("[media] v4l: Add v4l2 subdev driver for S5P/EXYNOS4 MIPI-CSI receivers")
+Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/platform/exynos4-is/mipi-csis.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/exynos4-is/mipi-csis.c b/drivers/media/platform/exynos4-is/mipi-csis.c
+index ebf39c8568943..e6c86ba30fa32 100644
+--- a/drivers/media/platform/exynos4-is/mipi-csis.c
++++ b/drivers/media/platform/exynos4-is/mipi-csis.c
+@@ -939,13 +939,19 @@ static int s5pcsis_pm_resume(struct device *dev, bool runtime)
+ state->supplies);
+ goto unlock;
+ }
+- clk_enable(state->clock[CSIS_CLK_GATE]);
++ ret = clk_enable(state->clock[CSIS_CLK_GATE]);
++ if (ret) {
++ phy_power_off(state->phy);
++ regulator_bulk_disable(CSIS_NUM_SUPPLIES,
++ state->supplies);
++ goto unlock;
++ }
+ }
+ if (state->flags & ST_STREAMING)
+ s5pcsis_start_stream(state);
+
+ state->flags &= ~ST_SUSPENDED;
+- unlock:
++unlock:
+ mutex_unlock(&state->lock);
+ return ret ? -EAGAIN : 0;
+ }
+--
+2.39.5
+
--- /dev/null
+From 9d59eb279cb0c3c95cbd14cb3398cfc0d1be8989 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Nov 2024 14:17:22 +0100
+Subject: media: rc: iguanair: handle timeouts
+
+From: Oliver Neukum <oneukum@suse.com>
+
+[ Upstream commit b98d5000c50544f14bacb248c34e5219fbe81287 ]
+
+In case of a timeout the IO must be cancelled or
+the next IO using the URB will fail and/or overwrite
+an operational URB.
+
+The automatic bisection fails because it arrives
+at a commit that correctly lets the test case run
+without an error.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Fixes: e99a7cfe93fd ("[media] iguanair: reuse existing urb callback for command responses")
+Reported-by: syzbot+ffba8e636870dac0e0c0@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/66f5cc9a.050a0220.46d20.0004.GAE@google.com/
+Tested-by: syzbot+ffba8e636870dac0e0c0@syzkaller.appspotmail.com
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/rc/iguanair.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/rc/iguanair.c b/drivers/media/rc/iguanair.c
+index 84949baf9f6b3..c1343df0dbbab 100644
+--- a/drivers/media/rc/iguanair.c
++++ b/drivers/media/rc/iguanair.c
+@@ -197,8 +197,10 @@ static int iguanair_send(struct iguanair *ir, unsigned size)
+ if (rc)
+ return rc;
+
+- if (wait_for_completion_timeout(&ir->completion, TIMEOUT) == 0)
++ if (wait_for_completion_timeout(&ir->completion, TIMEOUT) == 0) {
++ usb_kill_urb(ir->urb_out);
+ return -ETIMEDOUT;
++ }
+
+ return rc;
+ }
+--
+2.39.5
+
--- /dev/null
+From 47a65e72e88e6064daf3f079afc8a7da87d05fe9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2024 21:39:08 +0000
+Subject: media: uvcvideo: Propagate buf->error to userspace
+
+From: Ricardo Ribalda <ribalda@chromium.org>
+
+[ Upstream commit 87ce177654e388451850905a1d376658aebe8699 ]
+
+Now we return VB2_BUF_STATE_DONE for valid and invalid frames. Propagate
+the correct value, so the user can know if the frame is valid or not via
+struct v4l2_buffer->flags.
+
+Reported-by: Hans de Goede <hdegoede@redhat.com>
+Closes: https://lore.kernel.org/linux-media/84b0f212-cd88-46bb-8e6f-b94ec3eccba6@redhat.com
+Fixes: 6998b6fb4b1c ("[media] uvcvideo: Use videobuf2-vmalloc")
+Signed-off-by: Ricardo Ribalda <ribalda@chromium.org>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20241218-uvc-deprecate-v2-1-ab814139e983@chromium.org
+Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/uvc/uvc_queue.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/usb/uvc/uvc_queue.c b/drivers/media/usb/uvc/uvc_queue.c
+index cd60c6c1749ea..6a9fdd32cfb86 100644
+--- a/drivers/media/usb/uvc/uvc_queue.c
++++ b/drivers/media/usb/uvc/uvc_queue.c
+@@ -486,7 +486,8 @@ static void uvc_queue_buffer_complete(struct kref *ref)
+
+ buf->state = buf->error ? UVC_BUF_STATE_ERROR : UVC_BUF_STATE_DONE;
+ vb2_set_plane_payload(&buf->buf.vb2_buf, 0, buf->bytesused);
+- vb2_buffer_done(&buf->buf.vb2_buf, VB2_BUF_STATE_DONE);
++ vb2_buffer_done(&buf->buf.vb2_buf, buf->error ? VB2_BUF_STATE_ERROR :
++ VB2_BUF_STATE_DONE);
+ }
+
+ /*
+--
+2.39.5
+
--- /dev/null
+From c06c749bd4f8beed37b15014dfa96ad7aefb85a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Jan 2025 10:04:30 +0100
+Subject: module: Extend the preempt disabled section in
+ dereference_symbol_descriptor().
+
+From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+
+[ Upstream commit a145c848d69f9c6f32008d8319edaa133360dd74 ]
+
+dereference_symbol_descriptor() needs to obtain the module pointer
+belonging to pointer in order to resolve that pointer.
+The returned mod pointer is obtained under RCU-sched/ preempt_disable()
+guarantees and needs to be used within this section to ensure that the
+module is not removed in the meantime.
+
+Extend the preempt_disable() section to also cover
+dereference_module_function_descriptor().
+
+Fixes: 04b8eb7a4ccd9 ("symbol lookup: introduce dereference_symbol_descriptor()")
+Cc: James E.J. Bottomley <James.Bottomley@HansenPartnership.com>
+Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
+Cc: Helge Deller <deller@gmx.de>
+Cc: Madhavan Srinivasan <maddy@linux.ibm.com>
+Cc: Michael Ellerman <mpe@ellerman.id.au>
+Cc: Naveen N Rao <naveen@kernel.org>
+Cc: Nicholas Piggin <npiggin@gmail.com>
+Cc: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
+Cc: linux-parisc@vger.kernel.org
+Cc: linuxppc-dev@lists.ozlabs.org
+Reviewed-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Link: https://lore.kernel.org/r/20250108090457.512198-2-bigeasy@linutronix.de
+Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/kallsyms.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/kallsyms.h b/include/linux/kallsyms.h
+index 430f1cefbb9e1..ea2eb5fe83a3c 100644
+--- a/include/linux/kallsyms.h
++++ b/include/linux/kallsyms.h
+@@ -63,10 +63,10 @@ static inline void *dereference_symbol_descriptor(void *ptr)
+
+ preempt_disable();
+ mod = __module_address((unsigned long)ptr);
+- preempt_enable();
+
+ if (mod)
+ ptr = dereference_module_function_descriptor(mod, ptr);
++ preempt_enable();
+ #endif
+ return ptr;
+ }
+--
+2.39.5
+
--- /dev/null
+From dedab413388b592ae804446041bc6f7e77dfaf5d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 Oct 2023 22:01:32 +0200
+Subject: mtd: hyperbus: hbmc-am654: Convert to platform remove callback
+ returning void
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 59bd56760df17506bc2f828f19b40a2243edd0d0 ]
+
+The .remove() callback for a platform driver returns an int which makes
+many driver authors wrongly assume it's possible to do error handling by
+returning an error code. However the value returned is ignored (apart
+from emitting a warning) and this typically results in resource leaks.
+
+To improve here there is a quest to make the remove callback return
+void. In the first step of this quest all drivers are converted to
+.remove_new(), which already returns void. Eventually after all drivers
+are converted, .remove_new() will be renamed to .remove().
+
+Trivially convert this driver from always returning zero in the remove
+callback to the void returning variant.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Acked-by: Tudor Ambarus <tudor.ambarus@linaro.org>
+Link: https://lore.kernel.org/linux-mtd/20231008200143.196369-10-u.kleine-koenig@pengutronix.de
+Stable-dep-of: bf5821909eb9 ("mtd: hyperbus: hbmc-am654: fix an OF node reference leak")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/hyperbus/hbmc-am654.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/mtd/hyperbus/hbmc-am654.c b/drivers/mtd/hyperbus/hbmc-am654.c
+index a6161ce340d4e..dbe3eb361cca2 100644
+--- a/drivers/mtd/hyperbus/hbmc-am654.c
++++ b/drivers/mtd/hyperbus/hbmc-am654.c
+@@ -229,7 +229,7 @@ static int am654_hbmc_probe(struct platform_device *pdev)
+ return ret;
+ }
+
+-static int am654_hbmc_remove(struct platform_device *pdev)
++static void am654_hbmc_remove(struct platform_device *pdev)
+ {
+ struct am654_hbmc_priv *priv = platform_get_drvdata(pdev);
+ struct am654_hbmc_device_priv *dev_priv = priv->hbdev.priv;
+@@ -241,8 +241,6 @@ static int am654_hbmc_remove(struct platform_device *pdev)
+
+ if (dev_priv->rx_chan)
+ dma_release_channel(dev_priv->rx_chan);
+-
+- return 0;
+ }
+
+ static const struct of_device_id am654_hbmc_dt_ids[] = {
+@@ -256,7 +254,7 @@ MODULE_DEVICE_TABLE(of, am654_hbmc_dt_ids);
+
+ static struct platform_driver am654_hbmc_platform_driver = {
+ .probe = am654_hbmc_probe,
+- .remove = am654_hbmc_remove,
++ .remove_new = am654_hbmc_remove,
+ .driver = {
+ .name = "hbmc-am654",
+ .of_match_table = am654_hbmc_dt_ids,
+--
+2.39.5
+
--- /dev/null
+From 1ea3481b5c548f292943bcb58bc9cceebd8838ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2024 22:38:09 +0900
+Subject: mtd: hyperbus: hbmc-am654: fix an OF node reference leak
+
+From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+
+[ Upstream commit bf5821909eb9c7f5d07d5c6e852ead2c373c94a0 ]
+
+In am654_hbmc_platform_driver, .remove() and the error path of .probe()
+do not decrement the refcount of an OF node obtained by
+ of_get_next_child(). Fix this by adding of_node_put() calls.
+
+Fixes: aca31ce96814 ("mtd: hyperbus: hbmc-am654: Fix direct mapping setup flash access")
+Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/hyperbus/hbmc-am654.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/mtd/hyperbus/hbmc-am654.c b/drivers/mtd/hyperbus/hbmc-am654.c
+index dbe3eb361cca2..4b6cbee23fe89 100644
+--- a/drivers/mtd/hyperbus/hbmc-am654.c
++++ b/drivers/mtd/hyperbus/hbmc-am654.c
+@@ -174,26 +174,30 @@ static int am654_hbmc_probe(struct platform_device *pdev)
+ priv->hbdev.np = of_get_next_child(np, NULL);
+ ret = of_address_to_resource(priv->hbdev.np, 0, &res);
+ if (ret)
+- return ret;
++ goto put_node;
+
+ if (of_property_read_bool(dev->of_node, "mux-controls")) {
+ struct mux_control *control = devm_mux_control_get(dev, NULL);
+
+- if (IS_ERR(control))
+- return PTR_ERR(control);
++ if (IS_ERR(control)) {
++ ret = PTR_ERR(control);
++ goto put_node;
++ }
+
+ ret = mux_control_select(control, 1);
+ if (ret) {
+ dev_err(dev, "Failed to select HBMC mux\n");
+- return ret;
++ goto put_node;
+ }
+ priv->mux_ctrl = control;
+ }
+
+ priv->hbdev.map.size = resource_size(&res);
+ priv->hbdev.map.virt = devm_ioremap_resource(dev, &res);
+- if (IS_ERR(priv->hbdev.map.virt))
+- return PTR_ERR(priv->hbdev.map.virt);
++ if (IS_ERR(priv->hbdev.map.virt)) {
++ ret = PTR_ERR(priv->hbdev.map.virt);
++ goto disable_mux;
++ }
+
+ priv->ctlr.dev = dev;
+ priv->ctlr.ops = &am654_hbmc_ops;
+@@ -226,6 +230,8 @@ static int am654_hbmc_probe(struct platform_device *pdev)
+ disable_mux:
+ if (priv->mux_ctrl)
+ mux_control_deselect(priv->mux_ctrl);
++put_node:
++ of_node_put(priv->hbdev.np);
+ return ret;
+ }
+
+@@ -241,6 +247,7 @@ static void am654_hbmc_remove(struct platform_device *pdev)
+
+ if (dev_priv->rx_chan)
+ dma_release_channel(dev_priv->rx_chan);
++ of_node_put(priv->hbdev.np);
+ }
+
+ static const struct of_device_id am654_hbmc_dt_ids[] = {
+--
+2.39.5
+
--- /dev/null
+From 9cfe7c4f97f6d4cf6aacc85a5282564415887533 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Jun 2022 23:07:45 +0200
+Subject: mtd: hyperbus: Make hyperbus_unregister_device() return void
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 0c90466a7985d39355f743e9cd2139da3e86c4d8 ]
+
+The only thing that could theoretically fail in that function is
+mtd_device_unregister(). However it's not supposed to fail and when
+used correctly it doesn't. So wail loudly if it does anyhow.
+
+This matches how other drivers (e.g. nand/raw/nandsim.c) use
+mtd_device_unregister().
+
+This is a preparation for making platform remove callbacks return void.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/linux-mtd/20220603210758.148493-2-u.kleine-koenig@pengutronix.de
+Stable-dep-of: bf5821909eb9 ("mtd: hyperbus: hbmc-am654: fix an OF node reference leak")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/hyperbus/hbmc-am654.c | 6 +++---
+ drivers/mtd/hyperbus/hyperbus-core.c | 8 ++------
+ drivers/mtd/hyperbus/rpc-if.c | 5 +++--
+ include/linux/mtd/hyperbus.h | 4 +---
+ 4 files changed, 9 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/mtd/hyperbus/hbmc-am654.c b/drivers/mtd/hyperbus/hbmc-am654.c
+index a3439b791eeb4..a6161ce340d4e 100644
+--- a/drivers/mtd/hyperbus/hbmc-am654.c
++++ b/drivers/mtd/hyperbus/hbmc-am654.c
+@@ -233,16 +233,16 @@ static int am654_hbmc_remove(struct platform_device *pdev)
+ {
+ struct am654_hbmc_priv *priv = platform_get_drvdata(pdev);
+ struct am654_hbmc_device_priv *dev_priv = priv->hbdev.priv;
+- int ret;
+
+- ret = hyperbus_unregister_device(&priv->hbdev);
++ hyperbus_unregister_device(&priv->hbdev);
++
+ if (priv->mux_ctrl)
+ mux_control_deselect(priv->mux_ctrl);
+
+ if (dev_priv->rx_chan)
+ dma_release_channel(dev_priv->rx_chan);
+
+- return ret;
++ return 0;
+ }
+
+ static const struct of_device_id am654_hbmc_dt_ids[] = {
+diff --git a/drivers/mtd/hyperbus/hyperbus-core.c b/drivers/mtd/hyperbus/hyperbus-core.c
+index 2f9fc4e17d53e..4d8047d43e48e 100644
+--- a/drivers/mtd/hyperbus/hyperbus-core.c
++++ b/drivers/mtd/hyperbus/hyperbus-core.c
+@@ -126,16 +126,12 @@ int hyperbus_register_device(struct hyperbus_device *hbdev)
+ }
+ EXPORT_SYMBOL_GPL(hyperbus_register_device);
+
+-int hyperbus_unregister_device(struct hyperbus_device *hbdev)
++void hyperbus_unregister_device(struct hyperbus_device *hbdev)
+ {
+- int ret = 0;
+-
+ if (hbdev && hbdev->mtd) {
+- ret = mtd_device_unregister(hbdev->mtd);
++ WARN_ON(mtd_device_unregister(hbdev->mtd));
+ map_destroy(hbdev->mtd);
+ }
+-
+- return ret;
+ }
+ EXPORT_SYMBOL_GPL(hyperbus_unregister_device);
+
+diff --git a/drivers/mtd/hyperbus/rpc-if.c b/drivers/mtd/hyperbus/rpc-if.c
+index dc164c18f8429..cd0e577684ff0 100644
+--- a/drivers/mtd/hyperbus/rpc-if.c
++++ b/drivers/mtd/hyperbus/rpc-if.c
+@@ -151,11 +151,12 @@ static int rpcif_hb_probe(struct platform_device *pdev)
+ static int rpcif_hb_remove(struct platform_device *pdev)
+ {
+ struct rpcif_hyperbus *hyperbus = platform_get_drvdata(pdev);
+- int error = hyperbus_unregister_device(&hyperbus->hbdev);
++
++ hyperbus_unregister_device(&hyperbus->hbdev);
+
+ rpcif_disable_rpm(&hyperbus->rpc);
+
+- return error;
++ return 0;
+ }
+
+ static struct platform_driver rpcif_platform_driver = {
+diff --git a/include/linux/mtd/hyperbus.h b/include/linux/mtd/hyperbus.h
+index 0ce612428aea2..bb6b7121a5427 100644
+--- a/include/linux/mtd/hyperbus.h
++++ b/include/linux/mtd/hyperbus.h
+@@ -89,9 +89,7 @@ int hyperbus_register_device(struct hyperbus_device *hbdev);
+ /**
+ * hyperbus_unregister_device - deregister HyperBus slave memory device
+ * @hbdev: hyperbus_device to be unregistered
+- *
+- * Return: 0 for success, others for failure.
+ */
+-int hyperbus_unregister_device(struct hyperbus_device *hbdev);
++void hyperbus_unregister_device(struct hyperbus_device *hbdev);
+
+ #endif /* __LINUX_MTD_HYPERBUS_H__ */
+--
+2.39.5
+
--- /dev/null
+From 134fd000ebbf5634f68765b6481e1c8f26709844 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 3 Jan 2025 17:28:59 +0800
+Subject: nbd: don't allow reconnect after disconnect
+
+From: Yu Kuai <yukuai3@huawei.com>
+
+[ Upstream commit 844b8cdc681612ff24df62cdefddeab5772fadf1 ]
+
+Following process can cause nbd_config UAF:
+
+1) grab nbd_config temporarily;
+
+2) nbd_genl_disconnect() flush all recv_work() and release the
+initial reference:
+
+ nbd_genl_disconnect
+ nbd_disconnect_and_put
+ nbd_disconnect
+ flush_workqueue(nbd->recv_workq)
+ if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF, ...))
+ nbd_config_put
+ -> due to step 1), reference is still not zero
+
+3) nbd_genl_reconfigure() queue recv_work() again;
+
+ nbd_genl_reconfigure
+ config = nbd_get_config_unlocked(nbd)
+ if (!config)
+ -> succeed
+ if (!test_bit(NBD_RT_BOUND, ...))
+ -> succeed
+ nbd_reconnect_socket
+ queue_work(nbd->recv_workq, &args->work)
+
+4) step 1) release the reference;
+
+5) Finially, recv_work() will trigger UAF:
+
+ recv_work
+ nbd_config_put(nbd)
+ -> nbd_config is freed
+ atomic_dec(&config->recv_threads)
+ -> UAF
+
+Fix the problem by clearing NBD_RT_BOUND in nbd_genl_disconnect(), so
+that nbd_genl_reconfigure() will fail.
+
+Fixes: b7aa3d39385d ("nbd: add a reconfigure netlink command")
+Reported-by: syzbot+6b0df248918b92c33e6a@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/675bfb65.050a0220.1a2d0d.0006.GAE@google.com/
+Signed-off-by: Yu Kuai <yukuai3@huawei.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Link: https://lore.kernel.org/r/20250103092859.3574648-1-yukuai1@huaweicloud.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/nbd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index d6e3edb404748..4776009587190 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -2065,6 +2065,7 @@ static void nbd_disconnect_and_put(struct nbd_device *nbd)
+ flush_workqueue(nbd->recv_workq);
+ nbd_clear_que(nbd);
+ nbd->task_setup = NULL;
++ clear_bit(NBD_RT_BOUND, &nbd->config->runtime_flags);
+ mutex_unlock(&nbd->config_lock);
+
+ if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF,
+--
+2.39.5
+
--- /dev/null
+From 57326cbb3c31d8e6ff53f21924d1e4f44ba08a8f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Jan 2025 15:42:13 -0600
+Subject: net: davicom: fix UAF in dm9000_drv_remove
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chenyuan Yang <chenyuan0y@gmail.com>
+
+[ Upstream commit 19e65c45a1507a1a2926649d2db3583ed9d55fd9 ]
+
+dm is netdev private data and it cannot be
+used after free_netdev() call. Using dm after free_netdev()
+can cause UAF bug. Fix it by moving free_netdev() at the end of the
+function.
+
+This is similar to the issue fixed in commit
+ad297cd2db89 ("net: qcom/emac: fix UAF in emac_remove").
+
+This bug is detected by our static analysis tool.
+
+Fixes: cf9e60aa69ae ("net: davicom: Fix regulator not turned off on driver removal")
+Signed-off-by: Chenyuan Yang <chenyuan0y@gmail.com>
+CC: Uwe Kleine-König <u.kleine-koenig@baylibre.com>
+Link: https://patch.msgid.link/20250123214213.623518-1-chenyuan0y@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/davicom/dm9000.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/davicom/dm9000.c b/drivers/net/ethernet/davicom/dm9000.c
+index afc4a103c5080..79aef6b368836 100644
+--- a/drivers/net/ethernet/davicom/dm9000.c
++++ b/drivers/net/ethernet/davicom/dm9000.c
+@@ -1779,10 +1779,11 @@ dm9000_drv_remove(struct platform_device *pdev)
+
+ unregister_netdev(ndev);
+ dm9000_release_board(pdev, dm);
+- free_netdev(ndev); /* free device structure */
+ if (dm->power_supply)
+ regulator_disable(dm->power_supply);
+
++ free_netdev(ndev); /* free device structure */
++
+ dev_dbg(&pdev->dev, "released and freed device\n");
+ return 0;
+ }
+--
+2.39.5
+
--- /dev/null
+From 432cc647e9b5b060ee580f9be57794e9cf96c19c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Jan 2025 15:54:49 +0200
+Subject: net: ethernet: ti: am65-cpsw: fix freeing IRQ in
+ am65_cpsw_nuss_remove_tx_chns()
+
+From: Roger Quadros <rogerq@kernel.org>
+
+[ Upstream commit 4395a44acb15850e492dd1de9ec4b6479d96bc80 ]
+
+When getting the IRQ we use k3_udma_glue_tx_get_irq() which returns
+negative error value on error. So not NULL check is not sufficient
+to deteremine if IRQ is valid. Check that IRQ is greater then zero
+to ensure it is valid.
+
+There is no issue at probe time but at runtime user can invoke
+.set_channels which results in the following call chain.
+am65_cpsw_set_channels()
+ am65_cpsw_nuss_update_tx_rx_chns()
+ am65_cpsw_nuss_remove_tx_chns()
+ am65_cpsw_nuss_init_tx_chns()
+
+At this point if am65_cpsw_nuss_init_tx_chns() fails due to
+k3_udma_glue_tx_get_irq() then tx_chn->irq will be set to a
+negative value.
+
+Then, at subsequent .set_channels with higher channel count we
+will attempt to free an invalid IRQ in am65_cpsw_nuss_remove_tx_chns()
+leading to a kernel warning.
+
+The issue is present in the original commit that introduced this driver,
+although there, am65_cpsw_nuss_update_tx_rx_chns() existed as
+am65_cpsw_nuss_update_tx_chns().
+
+Fixes: 93a76530316a ("net: ethernet: ti: introduce am65x/j721e gigabit eth subsystem driver")
+Signed-off-by: Roger Quadros <rogerq@kernel.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Siddharth Vadapalli <s-vadapalli@ti.com>
+Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/ti/am65-cpsw-nuss.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/ti/am65-cpsw-nuss.c b/drivers/net/ethernet/ti/am65-cpsw-nuss.c
+index 94e36deefe88a..07510e068742e 100644
+--- a/drivers/net/ethernet/ti/am65-cpsw-nuss.c
++++ b/drivers/net/ethernet/ti/am65-cpsw-nuss.c
+@@ -1425,7 +1425,7 @@ void am65_cpsw_nuss_remove_tx_chns(struct am65_cpsw_common *common)
+ for (i = 0; i < common->tx_ch_num; i++) {
+ struct am65_cpsw_tx_chn *tx_chn = &common->tx_chns[i];
+
+- if (tx_chn->irq)
++ if (tx_chn->irq > 0)
+ devm_free_irq(dev, tx_chn->irq, tx_chn);
+
+ netif_napi_del(&tx_chn->napi_tx);
+--
+2.39.5
+
--- /dev/null
+From 713cf7b041ae5693925ab8720f9ab9446795f001 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 20 Jan 2025 14:24:30 +0530
+Subject: net: fec: implement TSO descriptor cleanup
+
+From: Dheeraj Reddy Jonnalagadda <dheeraj.linuxdev@gmail.com>
+
+[ Upstream commit 61dc1fd9205bc9d9918aa933a847b08e80b4dc20 ]
+
+Implement cleanup of descriptors in the TSO error path of
+fec_enet_txq_submit_tso(). The cleanup
+
+- Unmaps DMA buffers for data descriptors skipping TSO header
+- Clears all buffer descriptors
+- Handles extended descriptors by clearing cbd_esc when enabled
+
+Fixes: 79f339125ea3 ("net: fec: Add software TSO support")
+Signed-off-by: Dheeraj Reddy Jonnalagadda <dheeraj.linuxdev@gmail.com>
+Reviewed-by: Wei Fang <wei.fang@nxp.com>
+Link: https://patch.msgid.link/20250120085430.99318-1-dheeraj.linuxdev@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 31 ++++++++++++++++++++++-
+ 1 file changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index a591ca0b37787..8e30e999456d4 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -728,6 +728,8 @@ static int fec_enet_txq_submit_tso(struct fec_enet_priv_tx_q *txq,
+ struct fec_enet_private *fep = netdev_priv(ndev);
+ int hdr_len, total_len, data_left;
+ struct bufdesc *bdp = txq->bd.cur;
++ struct bufdesc *tmp_bdp;
++ struct bufdesc_ex *ebdp;
+ struct tso_t tso;
+ unsigned int index = 0;
+ int ret;
+@@ -801,7 +803,34 @@ static int fec_enet_txq_submit_tso(struct fec_enet_priv_tx_q *txq,
+ return 0;
+
+ err_release:
+- /* TODO: Release all used data descriptors for TSO */
++ /* Release all used data descriptors for TSO */
++ tmp_bdp = txq->bd.cur;
++
++ while (tmp_bdp != bdp) {
++ /* Unmap data buffers */
++ if (tmp_bdp->cbd_bufaddr &&
++ !IS_TSO_HEADER(txq, fec32_to_cpu(tmp_bdp->cbd_bufaddr)))
++ dma_unmap_single(&fep->pdev->dev,
++ fec32_to_cpu(tmp_bdp->cbd_bufaddr),
++ fec16_to_cpu(tmp_bdp->cbd_datlen),
++ DMA_TO_DEVICE);
++
++ /* Clear standard buffer descriptor fields */
++ tmp_bdp->cbd_sc = 0;
++ tmp_bdp->cbd_datlen = 0;
++ tmp_bdp->cbd_bufaddr = 0;
++
++ /* Handle extended descriptor if enabled */
++ if (fep->bufdesc_ex) {
++ ebdp = (struct bufdesc_ex *)tmp_bdp;
++ ebdp->cbd_esc = 0;
++ }
++
++ tmp_bdp = fec_enet_get_nextdesc(tmp_bdp, &txq->bd);
++ }
++
++ dev_kfree_skb_any(skb);
++
+ return ret;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From b31256ff89b06aadc1b4d4b086c0ced594f11e10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 18 Jan 2025 17:47:41 +0800
+Subject: net: hns3: fix oops when unload drivers paralleling
+
+From: Jian Shen <shenjian15@huawei.com>
+
+[ Upstream commit 92e5995773774a3e70257e9c95ea03518268bea5 ]
+
+When unload hclge driver, it tries to disable sriov first for each
+ae_dev node from hnae3_ae_dev_list. If user unloads hns3 driver at
+the time, because it removes all the ae_dev nodes, and it may cause
+oops.
+
+But we can't simply use hnae3_common_lock for this. Because in the
+process flow of pci_disable_sriov(), it will trigger the remove flow
+of VF, which will also take hnae3_common_lock.
+
+To fixes it, introduce a new mutex to protect the unload process.
+
+Fixes: 0dd8a25f355b ("net: hns3: disable sriov before unload hclge layer")
+Signed-off-by: Jian Shen <shenjian15@huawei.com>
+Signed-off-by: Jijie Shao <shaojijie@huawei.com>
+Link: https://patch.msgid.link/20250118094741.3046663-1-shaojijie@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/hisilicon/hns3/hnae3.c | 15 +++++++++++++++
+ drivers/net/ethernet/hisilicon/hns3/hnae3.h | 2 ++
+ drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 2 ++
+ .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c | 2 ++
+ .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 2 ++
+ 5 files changed, 23 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hnae3.c b/drivers/net/ethernet/hisilicon/hns3/hnae3.c
+index 9a63fbc694083..b25fb400f4767 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hnae3.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hnae3.c
+@@ -40,6 +40,21 @@ EXPORT_SYMBOL(hnae3_unregister_ae_algo_prepare);
+ */
+ static DEFINE_MUTEX(hnae3_common_lock);
+
++/* ensure the drivers being unloaded one by one */
++static DEFINE_MUTEX(hnae3_unload_lock);
++
++void hnae3_acquire_unload_lock(void)
++{
++ mutex_lock(&hnae3_unload_lock);
++}
++EXPORT_SYMBOL(hnae3_acquire_unload_lock);
++
++void hnae3_release_unload_lock(void)
++{
++ mutex_unlock(&hnae3_unload_lock);
++}
++EXPORT_SYMBOL(hnae3_release_unload_lock);
++
+ static bool hnae3_client_match(enum hnae3_client_type client_type)
+ {
+ if (client_type == HNAE3_CLIENT_KNIC ||
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hnae3.h b/drivers/net/ethernet/hisilicon/hns3/hnae3.h
+index 4a9576a449e10..25b6b4f780f1d 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hnae3.h
++++ b/drivers/net/ethernet/hisilicon/hns3/hnae3.h
+@@ -764,4 +764,6 @@ int hnae3_register_client(struct hnae3_client *client);
+ void hnae3_set_client_init_flag(struct hnae3_client *client,
+ struct hnae3_ae_dev *ae_dev,
+ unsigned int inited);
++void hnae3_acquire_unload_lock(void);
++void hnae3_release_unload_lock(void);
+ #endif
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+index 9ff5179b4d879..110baa9949a0c 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+@@ -4751,9 +4751,11 @@ module_init(hns3_init_module);
+ */
+ static void __exit hns3_exit_module(void)
+ {
++ hnae3_acquire_unload_lock();
+ pci_unregister_driver(&hns3_driver);
+ hnae3_unregister_client(&client);
+ hns3_dbg_unregister_debugfs();
++ hnae3_release_unload_lock();
+ }
+ module_exit(hns3_exit_module);
+
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+index 885793707a5f1..ec918f2981ec2 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+@@ -11539,9 +11539,11 @@ static int hclge_init(void)
+
+ static void hclge_exit(void)
+ {
++ hnae3_acquire_unload_lock();
+ hnae3_unregister_ae_algo_prepare(&ae_algo);
+ hnae3_unregister_ae_algo(&ae_algo);
+ destroy_workqueue(hclge_wq);
++ hnae3_release_unload_lock();
+ }
+ module_init(hclge_init);
+ module_exit(hclge_exit);
+diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+index 755935f9efc81..aa026eb5cf588 100644
+--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+@@ -3726,8 +3726,10 @@ static int hclgevf_init(void)
+
+ static void hclgevf_exit(void)
+ {
++ hnae3_acquire_unload_lock();
+ hnae3_unregister_ae_algo(&ae_algovf);
+ destroy_workqueue(hclgevf_wq);
++ hnae3_release_unload_lock();
+ }
+ module_init(hclgevf_init);
+ module_exit(hclgevf_exit);
+--
+2.39.5
+
--- /dev/null
+From e77a82c3c3dde553462bde07e47703f8fceada8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Jan 2025 13:00:07 +0000
+Subject: net: hsr: fix fill_frame_info() regression vs VLAN packets
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 0f5697f1a3f99bc2b674b8aa3c5da822c5673c11 ]
+
+Stephan Wurm reported that my recent patch broke VLAN support.
+
+Apparently skb->mac_len is not correct for VLAN traffic as
+shown by debug traces [1].
+
+Use instead pskb_may_pull() to make sure the expected header
+is present in skb->head.
+
+Many thanks to Stephan for his help.
+
+[1]
+kernel: skb len=170 headroom=2 headlen=170 tailroom=20
+ mac=(2,14) mac_len=14 net=(16,-1) trans=-1
+ shinfo(txflags=0 nr_frags=0 gso(size=0 type=0 segs=0))
+ csum(0x0 start=0 offset=0 ip_summed=0 complete_sw=0 valid=0 level=0)
+ hash(0x0 sw=0 l4=0) proto=0x0000 pkttype=0 iif=0
+ priority=0x0 mark=0x0 alloc_cpu=0 vlan_all=0x0
+ encapsulation=0 inner(proto=0x0000, mac=0, net=0, trans=0)
+kernel: dev name=prp0 feat=0x0000000000007000
+kernel: sk family=17 type=3 proto=0
+kernel: skb headroom: 00000000: 74 00
+kernel: skb linear: 00000000: 01 0c cd 01 00 01 00 d0 93 53 9c cb 81 00 80 00
+kernel: skb linear: 00000010: 88 b8 00 01 00 98 00 00 00 00 61 81 8d 80 16 52
+kernel: skb linear: 00000020: 45 47 44 4e 43 54 52 4c 2f 4c 4c 4e 30 24 47 4f
+kernel: skb linear: 00000030: 24 47 6f 43 62 81 01 14 82 16 52 45 47 44 4e 43
+kernel: skb linear: 00000040: 54 52 4c 2f 4c 4c 4e 30 24 44 73 47 6f 6f 73 65
+kernel: skb linear: 00000050: 83 07 47 6f 49 64 65 6e 74 84 08 67 8d f5 93 7e
+kernel: skb linear: 00000060: 76 c8 00 85 01 01 86 01 00 87 01 00 88 01 01 89
+kernel: skb linear: 00000070: 01 00 8a 01 02 ab 33 a2 15 83 01 00 84 03 03 00
+kernel: skb linear: 00000080: 00 91 08 67 8d f5 92 77 4b c6 1f 83 01 00 a2 1a
+kernel: skb linear: 00000090: a2 06 85 01 00 83 01 00 84 03 03 00 00 91 08 67
+kernel: skb linear: 000000a0: 8d f5 92 77 4b c6 1f 83 01 00
+kernel: skb tailroom: 00000000: 80 18 02 00 fe 4e 00 00 01 01 08 0a 4f fd 5e d1
+kernel: skb tailroom: 00000010: 4f fd 5e cd
+
+Fixes: b9653d19e556 ("net: hsr: avoid potential out-of-bound access in fill_frame_info()")
+Reported-by: Stephan Wurm <stephan.wurm@a-eberle.de>
+Tested-by: Stephan Wurm <stephan.wurm@a-eberle.de>
+Closes: https://lore.kernel.org/netdev/Z4o_UC0HweBHJ_cw@PC-LX-SteWu/
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250129130007.644084-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/hsr/hsr_forward.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c
+index a58c0be64272b..66df4d7cbfb1e 100644
+--- a/net/hsr/hsr_forward.c
++++ b/net/hsr/hsr_forward.c
+@@ -525,9 +525,12 @@ static int fill_frame_info(struct hsr_frame_info *frame,
+ frame->is_vlan = true;
+
+ if (frame->is_vlan) {
+- if (skb->mac_len < offsetofend(struct hsr_vlan_ethhdr, vlanhdr))
++ /* Note: skb->mac_len might be wrong here. */
++ if (!pskb_may_pull(skb,
++ skb_mac_offset(skb) +
++ offsetofend(struct hsr_vlan_ethhdr, vlanhdr)))
+ return -EINVAL;
+- vlan_hdr = (struct hsr_vlan_ethhdr *)ethhdr;
++ vlan_hdr = (struct hsr_vlan_ethhdr *)skb_mac_header(skb);
+ proto = vlan_hdr->vlanhdr.h_vlan_encapsulated_proto;
+ /* FIXME: */
+ netdev_warn_once(skb->dev, "VLAN not yet supported");
+--
+2.39.5
+
--- /dev/null
+From e1541185e39a6912069eb360194d2cbfb953b1cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Jan 2025 22:30:53 +0800
+Subject: net: let net.core.dev_weight always be non-zero
+
+From: Liu Jian <liujian56@huawei.com>
+
+[ Upstream commit d1f9f79fa2af8e3b45cffdeef66e05833480148a ]
+
+The following problem was encountered during stability test:
+
+(NULL net_device): NAPI poll function process_backlog+0x0/0x530 \
+ returned 1, exceeding its budget of 0.
+------------[ cut here ]------------
+list_add double add: new=ffff88905f746f48, prev=ffff88905f746f48, \
+ next=ffff88905f746e40.
+WARNING: CPU: 18 PID: 5462 at lib/list_debug.c:35 \
+ __list_add_valid_or_report+0xf3/0x130
+CPU: 18 UID: 0 PID: 5462 Comm: ping Kdump: loaded Not tainted 6.13.0-rc7+
+RIP: 0010:__list_add_valid_or_report+0xf3/0x130
+Call Trace:
+? __warn+0xcd/0x250
+? __list_add_valid_or_report+0xf3/0x130
+enqueue_to_backlog+0x923/0x1070
+netif_rx_internal+0x92/0x2b0
+__netif_rx+0x15/0x170
+loopback_xmit+0x2ef/0x450
+dev_hard_start_xmit+0x103/0x490
+__dev_queue_xmit+0xeac/0x1950
+ip_finish_output2+0x6cc/0x1620
+ip_output+0x161/0x270
+ip_push_pending_frames+0x155/0x1a0
+raw_sendmsg+0xe13/0x1550
+__sys_sendto+0x3bf/0x4e0
+__x64_sys_sendto+0xdc/0x1b0
+do_syscall_64+0x5b/0x170
+entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+The reproduction command is as follows:
+ sysctl -w net.core.dev_weight=0
+ ping 127.0.0.1
+
+This is because when the napi's weight is set to 0, process_backlog() may
+return 0 and clear the NAPI_STATE_SCHED bit of napi->state, causing this
+napi to be re-polled in net_rx_action() until __do_softirq() times out.
+Since the NAPI_STATE_SCHED bit has been cleared, napi_schedule_rps() can
+be retriggered in enqueue_to_backlog(), causing this issue.
+
+Making the napi's weight always non-zero solves this problem.
+
+Triggering this issue requires system-wide admin (setting is
+not namespaced).
+
+Fixes: e38766054509 ("[NET]: Fix sysctl net.core.dev_weight")
+Fixes: 3d48b53fb2ae ("net: dev_weight: TX/RX orthogonality")
+Signed-off-by: Liu Jian <liujian56@huawei.com>
+Link: https://patch.msgid.link/20250116143053.4146855-1-liujian56@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/sysctl_net_core.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
+index 0dfe9f255ab3a..3640be19a795e 100644
+--- a/net/core/sysctl_net_core.c
++++ b/net/core/sysctl_net_core.c
+@@ -239,7 +239,7 @@ static int proc_do_dev_weight(struct ctl_table *table, int write,
+ int ret, weight;
+
+ mutex_lock(&dev_weight_mutex);
+- ret = proc_dointvec(table, write, buffer, lenp, ppos);
++ ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
+ if (!ret && write) {
+ weight = READ_ONCE(weight_p);
+ WRITE_ONCE(dev_rx_weight, weight * dev_weight_rx_bias);
+@@ -351,6 +351,7 @@ static struct ctl_table net_core_table[] = {
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_do_dev_weight,
++ .extra1 = SYSCTL_ONE,
+ },
+ {
+ .procname = "dev_weight_rx_bias",
+@@ -358,6 +359,7 @@ static struct ctl_table net_core_table[] = {
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_do_dev_weight,
++ .extra1 = SYSCTL_ONE,
+ },
+ {
+ .procname = "dev_weight_tx_bias",
+@@ -365,6 +367,7 @@ static struct ctl_table net_core_table[] = {
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_do_dev_weight,
++ .extra1 = SYSCTL_ONE,
+ },
+ {
+ .procname = "netdev_max_backlog",
+--
+2.39.5
+
--- /dev/null
+From 980553a0ac6a55dd4b4c22ede5fe53a8993d06ea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 16 Jan 2025 14:33:16 +0200
+Subject: net/mlxfw: Drop hard coded max FW flash image size
+
+From: Maher Sanalla <msanalla@nvidia.com>
+
+[ Upstream commit 70d81f25cc92cc4e914516c9935ae752f27d78ad ]
+
+Currently, mlxfw kernel module limits FW flash image size to be
+10MB at most, preventing the ability to burn recent BlueField-3
+FW that exceeds the said size limit.
+
+Thus, drop the hard coded limit. Instead, rely on FW's
+max_component_size threshold that is reported in MCQI register
+as the size limit for FW image.
+
+Fixes: 410ed13cae39 ("Add the mlxfw module for Mellanox firmware flash process")
+Signed-off-by: Maher Sanalla <msanalla@nvidia.com>
+Signed-off-by: Moshe Shemesh <moshe@nvidia.com>
+Reviewed-by: Ido Schimmel <idosch@nvidia.com>
+Tested-by: Ido Schimmel <idosch@nvidia.com>
+Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Link: https://patch.msgid.link/1737030796-1441634-1-git-send-email-moshe@nvidia.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mellanox/mlxfw/mlxfw_fsm.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/mellanox/mlxfw/mlxfw_fsm.c b/drivers/net/ethernet/mellanox/mlxfw/mlxfw_fsm.c
+index bcd166911d444..bbcaac4f99bc6 100644
+--- a/drivers/net/ethernet/mellanox/mlxfw/mlxfw_fsm.c
++++ b/drivers/net/ethernet/mellanox/mlxfw/mlxfw_fsm.c
+@@ -14,7 +14,6 @@
+ #define MLXFW_FSM_STATE_WAIT_TIMEOUT_MS 30000
+ #define MLXFW_FSM_STATE_WAIT_ROUNDS \
+ (MLXFW_FSM_STATE_WAIT_TIMEOUT_MS / MLXFW_FSM_STATE_WAIT_CYCLE_MS)
+-#define MLXFW_FSM_MAX_COMPONENT_SIZE (10 * (1 << 20))
+
+ static const int mlxfw_fsm_state_errno[] = {
+ [MLXFW_FSM_STATE_ERR_ERROR] = -EIO,
+@@ -229,7 +228,6 @@ static int mlxfw_flash_component(struct mlxfw_dev *mlxfw_dev,
+ return err;
+ }
+
+- comp_max_size = min_t(u32, comp_max_size, MLXFW_FSM_MAX_COMPONENT_SIZE);
+ if (comp->data_size > comp_max_size) {
+ MLXFW_ERR_MSG(mlxfw_dev, extack,
+ "Component size is bigger than limit", -EINVAL);
+--
+2.39.5
+
--- /dev/null
+From 0403aec24c255c9f67224f4cd7a69deb6e512863 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Jan 2025 14:45:03 -0800
+Subject: net: netdevsim: try to close UDP port harness races
+
+From: Jakub Kicinski <kuba@kernel.org>
+
+[ Upstream commit 50bf398e1ceacb9a7f85bd3bdca065ebe5cb6159 ]
+
+syzbot discovered that we remove the debugfs files after we free
+the netdev. Try to clean up the relevant dir while the device
+is still around.
+
+Reported-by: syzbot+2e5de9e3ab986b71d2bf@syzkaller.appspotmail.com
+Fixes: 424be63ad831 ("netdevsim: add UDP tunnel port offload support")
+Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Link: https://patch.msgid.link/20250122224503.762705-1-kuba@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/netdevsim/netdevsim.h | 1 +
+ drivers/net/netdevsim/udp_tunnels.c | 23 +++++++++++--------
+ .../drivers/net/netdevsim/udp_tunnel_nic.sh | 16 ++++++-------
+ 3 files changed, 23 insertions(+), 17 deletions(-)
+
+diff --git a/drivers/net/netdevsim/netdevsim.h b/drivers/net/netdevsim/netdevsim.h
+index c4e7ad2a19642..a001db758b13f 100644
+--- a/drivers/net/netdevsim/netdevsim.h
++++ b/drivers/net/netdevsim/netdevsim.h
+@@ -87,6 +87,7 @@ struct netdevsim {
+ u32 sleep;
+ u32 __ports[2][NSIM_UDP_TUNNEL_N_PORTS];
+ u32 (*ports)[NSIM_UDP_TUNNEL_N_PORTS];
++ struct dentry *ddir;
+ struct debugfs_u32_array dfs_ports[2];
+ } udp_ports;
+
+diff --git a/drivers/net/netdevsim/udp_tunnels.c b/drivers/net/netdevsim/udp_tunnels.c
+index 02dc3123eb6c1..640b4983a9a0d 100644
+--- a/drivers/net/netdevsim/udp_tunnels.c
++++ b/drivers/net/netdevsim/udp_tunnels.c
+@@ -112,9 +112,11 @@ nsim_udp_tunnels_info_reset_write(struct file *file, const char __user *data,
+ struct net_device *dev = file->private_data;
+ struct netdevsim *ns = netdev_priv(dev);
+
+- memset(ns->udp_ports.ports, 0, sizeof(ns->udp_ports.__ports));
+ rtnl_lock();
+- udp_tunnel_nic_reset_ntf(dev);
++ if (dev->reg_state == NETREG_REGISTERED) {
++ memset(ns->udp_ports.ports, 0, sizeof(ns->udp_ports.__ports));
++ udp_tunnel_nic_reset_ntf(dev);
++ }
+ rtnl_unlock();
+
+ return count;
+@@ -144,23 +146,23 @@ int nsim_udp_tunnels_info_create(struct nsim_dev *nsim_dev,
+ else
+ ns->udp_ports.ports = nsim_dev->udp_ports.__ports;
+
+- debugfs_create_u32("udp_ports_inject_error", 0600,
+- ns->nsim_dev_port->ddir,
++ ns->udp_ports.ddir = debugfs_create_dir("udp_ports",
++ ns->nsim_dev_port->ddir);
++
++ debugfs_create_u32("inject_error", 0600, ns->udp_ports.ddir,
+ &ns->udp_ports.inject_error);
+
+ ns->udp_ports.dfs_ports[0].array = ns->udp_ports.ports[0];
+ ns->udp_ports.dfs_ports[0].n_elements = NSIM_UDP_TUNNEL_N_PORTS;
+- debugfs_create_u32_array("udp_ports_table0", 0400,
+- ns->nsim_dev_port->ddir,
++ debugfs_create_u32_array("table0", 0400, ns->udp_ports.ddir,
+ &ns->udp_ports.dfs_ports[0]);
+
+ ns->udp_ports.dfs_ports[1].array = ns->udp_ports.ports[1];
+ ns->udp_ports.dfs_ports[1].n_elements = NSIM_UDP_TUNNEL_N_PORTS;
+- debugfs_create_u32_array("udp_ports_table1", 0400,
+- ns->nsim_dev_port->ddir,
++ debugfs_create_u32_array("table1", 0400, ns->udp_ports.ddir,
+ &ns->udp_ports.dfs_ports[1]);
+
+- debugfs_create_file("udp_ports_reset", 0200, ns->nsim_dev_port->ddir,
++ debugfs_create_file("reset", 0200, ns->udp_ports.ddir,
+ dev, &nsim_udp_tunnels_info_reset_fops);
+
+ /* Note: it's not normal to allocate the info struct like this!
+@@ -196,6 +198,9 @@ int nsim_udp_tunnels_info_create(struct nsim_dev *nsim_dev,
+
+ void nsim_udp_tunnels_info_destroy(struct net_device *dev)
+ {
++ struct netdevsim *ns = netdev_priv(dev);
++
++ debugfs_remove_recursive(ns->udp_ports.ddir);
+ kfree(dev->udp_tunnel_nic_info);
+ dev->udp_tunnel_nic_info = NULL;
+ }
+diff --git a/tools/testing/selftests/drivers/net/netdevsim/udp_tunnel_nic.sh b/tools/testing/selftests/drivers/net/netdevsim/udp_tunnel_nic.sh
+index 185b02d2d4cd1..7af78990b5bb6 100755
+--- a/tools/testing/selftests/drivers/net/netdevsim/udp_tunnel_nic.sh
++++ b/tools/testing/selftests/drivers/net/netdevsim/udp_tunnel_nic.sh
+@@ -142,7 +142,7 @@ function pre_ethtool {
+ }
+
+ function check_table {
+- local path=$NSIM_DEV_DFS/ports/$port/udp_ports_table$1
++ local path=$NSIM_DEV_DFS/ports/$port/udp_ports/table$1
+ local -n expected=$2
+ local last=$3
+
+@@ -212,7 +212,7 @@ function check_tables {
+ }
+
+ function print_table {
+- local path=$NSIM_DEV_DFS/ports/$port/udp_ports_table$1
++ local path=$NSIM_DEV_DFS/ports/$port/udp_ports/table$1
+ read -a have < $path
+
+ tree $NSIM_DEV_DFS/
+@@ -640,7 +640,7 @@ for port in 0 1; do
+ NSIM_NETDEV=`get_netdev_name old_netdevs`
+ ifconfig $NSIM_NETDEV up
+
+- echo 110 > $NSIM_DEV_DFS/ports/$port/udp_ports_inject_error
++ echo 110 > $NSIM_DEV_DFS/ports/$port/udp_ports/inject_error
+
+ msg="1 - create VxLANs v6"
+ exp0=( 0 0 0 0 )
+@@ -662,7 +662,7 @@ for port in 0 1; do
+ new_geneve gnv0 20000
+
+ msg="2 - destroy GENEVE"
+- echo 2 > $NSIM_DEV_DFS/ports/$port/udp_ports_inject_error
++ echo 2 > $NSIM_DEV_DFS/ports/$port/udp_ports/inject_error
+ exp1=( `mke 20000 2` 0 0 0 )
+ del_dev gnv0
+
+@@ -763,7 +763,7 @@ for port in 0 1; do
+ msg="create VxLANs v4"
+ new_vxlan vxlan0 10000 $NSIM_NETDEV
+
+- echo 1 > $NSIM_DEV_DFS/ports/$port/udp_ports_reset
++ echo 1 > $NSIM_DEV_DFS/ports/$port/udp_ports/reset
+ check_tables
+
+ msg="NIC device goes down"
+@@ -774,7 +774,7 @@ for port in 0 1; do
+ fi
+ check_tables
+
+- echo 1 > $NSIM_DEV_DFS/ports/$port/udp_ports_reset
++ echo 1 > $NSIM_DEV_DFS/ports/$port/udp_ports/reset
+ check_tables
+
+ msg="NIC device goes up again"
+@@ -788,7 +788,7 @@ for port in 0 1; do
+ del_dev vxlan0
+ check_tables
+
+- echo 1 > $NSIM_DEV_DFS/ports/$port/udp_ports_reset
++ echo 1 > $NSIM_DEV_DFS/ports/$port/udp_ports/reset
+ check_tables
+
+ msg="destroy NIC"
+@@ -895,7 +895,7 @@ msg="vacate VxLAN in overflow table"
+ exp0=( `mke 10000 1` `mke 10004 1` 0 `mke 10003 1` )
+ del_dev vxlan2
+
+-echo 1 > $NSIM_DEV_DFS/ports/$port/udp_ports_reset
++echo 1 > $NSIM_DEV_DFS/ports/$port/udp_ports/reset
+ check_tables
+
+ msg="tunnels destroyed 2"
+--
+2.39.5
+
--- /dev/null
+From 1c7e8c91364056c1e882d5ab0fc5eefab276e1fc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 22 Jan 2025 18:02:44 +0000
+Subject: net: rose: fix timer races against user threads
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 5de7665e0a0746b5ad7943554b34db8f8614a196 ]
+
+Rose timers only acquire the socket spinlock, without
+checking if the socket is owned by one user thread.
+
+Add a check and rearm the timers if needed.
+
+BUG: KASAN: slab-use-after-free in rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174
+Read of size 2 at addr ffff88802f09b82a by task swapper/0/0
+
+CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
+Call Trace:
+ <IRQ>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:378 [inline]
+ print_report+0x169/0x550 mm/kasan/report.c:489
+ kasan_report+0x143/0x180 mm/kasan/report.c:602
+ rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174
+ call_timer_fn+0x187/0x650 kernel/time/timer.c:1793
+ expire_timers kernel/time/timer.c:1844 [inline]
+ __run_timers kernel/time/timer.c:2418 [inline]
+ __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2430
+ run_timer_base kernel/time/timer.c:2439 [inline]
+ run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2449
+ handle_softirqs+0x2d4/0x9b0 kernel/softirq.c:561
+ __do_softirq kernel/softirq.c:595 [inline]
+ invoke_softirq kernel/softirq.c:435 [inline]
+ __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662
+ irq_exit_rcu+0x9/0x30 kernel/softirq.c:678
+ instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
+ sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049
+ </IRQ>
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20250122180244.1861468-1-edumazet@google.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rose/rose_timer.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/net/rose/rose_timer.c b/net/rose/rose_timer.c
+index f06ddbed3fed6..1525773e94aa1 100644
+--- a/net/rose/rose_timer.c
++++ b/net/rose/rose_timer.c
+@@ -122,6 +122,10 @@ static void rose_heartbeat_expiry(struct timer_list *t)
+ struct rose_sock *rose = rose_sk(sk);
+
+ bh_lock_sock(sk);
++ if (sock_owned_by_user(sk)) {
++ sk_reset_timer(sk, &sk->sk_timer, jiffies + HZ/20);
++ goto out;
++ }
+ switch (rose->state) {
+ case ROSE_STATE_0:
+ /* Magic here: If we listen() and a new link dies before it
+@@ -152,6 +156,7 @@ static void rose_heartbeat_expiry(struct timer_list *t)
+ }
+
+ rose_start_heartbeat(sk);
++out:
+ bh_unlock_sock(sk);
+ sock_put(sk);
+ }
+@@ -162,6 +167,10 @@ static void rose_timer_expiry(struct timer_list *t)
+ struct sock *sk = &rose->sock;
+
+ bh_lock_sock(sk);
++ if (sock_owned_by_user(sk)) {
++ sk_reset_timer(sk, &rose->timer, jiffies + HZ/20);
++ goto out;
++ }
+ switch (rose->state) {
+ case ROSE_STATE_1: /* T1 */
+ case ROSE_STATE_4: /* T2 */
+@@ -182,6 +191,7 @@ static void rose_timer_expiry(struct timer_list *t)
+ }
+ break;
+ }
++out:
+ bh_unlock_sock(sk);
+ sock_put(sk);
+ }
+@@ -192,6 +202,10 @@ static void rose_idletimer_expiry(struct timer_list *t)
+ struct sock *sk = &rose->sock;
+
+ bh_lock_sock(sk);
++ if (sock_owned_by_user(sk)) {
++ sk_reset_timer(sk, &rose->idletimer, jiffies + HZ/20);
++ goto out;
++ }
+ rose_clear_queues(sk);
+
+ rose_write_internal(sk, ROSE_CLEAR_REQUEST);
+@@ -207,6 +221,7 @@ static void rose_idletimer_expiry(struct timer_list *t)
+ sk->sk_state_change(sk);
+ sock_set_flag(sk, SOCK_DEAD);
+ }
++out:
+ bh_unlock_sock(sk);
+ sock_put(sk);
+ }
+--
+2.39.5
+
--- /dev/null
+From d65e383fca56a3a8f2c65f44587175a4f6331616 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Jan 2025 08:42:20 -0800
+Subject: net/rose: prevent integer overflows in rose_setsockopt()
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+[ Upstream commit d640627663bfe7d8963c7615316d7d4ef60f3b0b ]
+
+In case of possible unpredictably large arguments passed to
+rose_setsockopt() and multiplied by extra values on top of that,
+integer overflows may occur.
+
+Do the safest minimum and fix these issues by checking the
+contents of 'opt' and returning -EINVAL if they are too large. Also,
+switch to unsigned int and remove useless check for negative 'opt'
+in ROSE_IDLE case.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Link: https://patch.msgid.link/20250115164220.19954-1-n.zhandarovich@fintech.ru
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/rose/af_rose.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index 1d95ff34b13c9..65fd5b99f9dea 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -396,15 +396,15 @@ static int rose_setsockopt(struct socket *sock, int level, int optname,
+ {
+ struct sock *sk = sock->sk;
+ struct rose_sock *rose = rose_sk(sk);
+- int opt;
++ unsigned int opt;
+
+ if (level != SOL_ROSE)
+ return -ENOPROTOOPT;
+
+- if (optlen < sizeof(int))
++ if (optlen < sizeof(unsigned int))
+ return -EINVAL;
+
+- if (copy_from_sockptr(&opt, optval, sizeof(int)))
++ if (copy_from_sockptr(&opt, optval, sizeof(unsigned int)))
+ return -EFAULT;
+
+ switch (optname) {
+@@ -413,31 +413,31 @@ static int rose_setsockopt(struct socket *sock, int level, int optname,
+ return 0;
+
+ case ROSE_T1:
+- if (opt < 1)
++ if (opt < 1 || opt > UINT_MAX / HZ)
+ return -EINVAL;
+ rose->t1 = opt * HZ;
+ return 0;
+
+ case ROSE_T2:
+- if (opt < 1)
++ if (opt < 1 || opt > UINT_MAX / HZ)
+ return -EINVAL;
+ rose->t2 = opt * HZ;
+ return 0;
+
+ case ROSE_T3:
+- if (opt < 1)
++ if (opt < 1 || opt > UINT_MAX / HZ)
+ return -EINVAL;
+ rose->t3 = opt * HZ;
+ return 0;
+
+ case ROSE_HOLDBACK:
+- if (opt < 1)
++ if (opt < 1 || opt > UINT_MAX / HZ)
+ return -EINVAL;
+ rose->hb = opt * HZ;
+ return 0;
+
+ case ROSE_IDLE:
+- if (opt < 0)
++ if (opt > UINT_MAX / (60 * HZ))
+ return -EINVAL;
+ rose->idle = opt * 60 * HZ;
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From 5bf8602e8b779723264f8e39af923edc6b1407ef Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 15 Jan 2025 17:37:13 -0800
+Subject: net: sched: Disallow replacing of child qdisc from one parent to
+ another
+
+From: Jamal Hadi Salim <jhs@mojatatu.com>
+
+[ Upstream commit bc50835e83f60f56e9bec2b392fb5544f250fb6f ]
+
+Lion Ackermann was able to create a UAF which can be abused for privilege
+escalation with the following script
+
+Step 1. create root qdisc
+tc qdisc add dev lo root handle 1:0 drr
+
+step2. a class for packet aggregation do demonstrate uaf
+tc class add dev lo classid 1:1 drr
+
+step3. a class for nesting
+tc class add dev lo classid 1:2 drr
+
+step4. a class to graft qdisc to
+tc class add dev lo classid 1:3 drr
+
+step5.
+tc qdisc add dev lo parent 1:1 handle 2:0 plug limit 1024
+
+step6.
+tc qdisc add dev lo parent 1:2 handle 3:0 drr
+
+step7.
+tc class add dev lo classid 3:1 drr
+
+step 8.
+tc qdisc add dev lo parent 3:1 handle 4:0 pfifo
+
+step 9. Display the class/qdisc layout
+
+tc class ls dev lo
+ class drr 1:1 root leaf 2: quantum 64Kb
+ class drr 1:2 root leaf 3: quantum 64Kb
+ class drr 3:1 root leaf 4: quantum 64Kb
+
+tc qdisc ls
+ qdisc drr 1: dev lo root refcnt 2
+ qdisc plug 2: dev lo parent 1:1
+ qdisc pfifo 4: dev lo parent 3:1 limit 1000p
+ qdisc drr 3: dev lo parent 1:2
+
+step10. trigger the bug <=== prevented by this patch
+tc qdisc replace dev lo parent 1:3 handle 4:0
+
+step 11. Redisplay again the qdiscs/classes
+
+tc class ls dev lo
+ class drr 1:1 root leaf 2: quantum 64Kb
+ class drr 1:2 root leaf 3: quantum 64Kb
+ class drr 1:3 root leaf 4: quantum 64Kb
+ class drr 3:1 root leaf 4: quantum 64Kb
+
+tc qdisc ls
+ qdisc drr 1: dev lo root refcnt 2
+ qdisc plug 2: dev lo parent 1:1
+ qdisc pfifo 4: dev lo parent 3:1 refcnt 2 limit 1000p
+ qdisc drr 3: dev lo parent 1:2
+
+Observe that a) parent for 4:0 does not change despite the replace request.
+There can only be one parent. b) refcount has gone up by two for 4:0 and
+c) both class 1:3 and 3:1 are pointing to it.
+
+Step 12. send one packet to plug
+echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10001))
+step13. send one packet to the grafted fifo
+echo "" | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888,priority=$((0x10003))
+
+step14. lets trigger the uaf
+tc class delete dev lo classid 1:3
+tc class delete dev lo classid 1:1
+
+The semantics of "replace" is for a del/add _on the same node_ and not
+a delete from one node(3:1) and add to another node (1:3) as in step10.
+While we could "fix" with a more complex approach there could be
+consequences to expectations so the patch takes the preventive approach of
+"disallow such config".
+
+Joint work with Lion Ackermann <nnamrec@gmail.com>
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250116013713.900000-1-kuba@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sched/sch_api.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
+index b4e405676600f..238ae7b0ca5ba 100644
+--- a/net/sched/sch_api.c
++++ b/net/sched/sch_api.c
+@@ -1603,6 +1603,10 @@ static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n,
+ q = qdisc_lookup(dev, tcm->tcm_handle);
+ if (!q)
+ goto create_n_graft;
++ if (q->parent != tcm->tcm_parent) {
++ NL_SET_ERR_MSG(extack, "Cannot move an existing qdisc to a different parent");
++ return -EINVAL;
++ }
+ if (n->nlmsg_flags & NLM_F_EXCL) {
+ NL_SET_ERR_MSG(extack, "Exclusivity flag on, cannot override");
+ return -EEXIST;
+--
+2.39.5
+
--- /dev/null
+From 389a99e207d1941f9414bd1f4726fe1ac8ef165b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Jan 2025 10:50:47 +0100
+Subject: net: sh_eth: Fix missing rtnl lock in suspend/resume path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kory Maincent <kory.maincent@bootlin.com>
+
+[ Upstream commit b95102215a8d0987789715ce11c0d4ec031cbfbe ]
+
+Fix the suspend/resume path by ensuring the rtnl lock is held where
+required. Calls to sh_eth_close, sh_eth_open and wol operations must be
+performed under the rtnl lock to prevent conflicts with ongoing ndo
+operations.
+
+Fixes: b71af04676e9 ("sh_eth: add more PM methods")
+Tested-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
+Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
+Signed-off-by: Kory Maincent <kory.maincent@bootlin.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/renesas/sh_eth.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/renesas/sh_eth.c b/drivers/net/ethernet/renesas/sh_eth.c
+index 8927d59977458..e2019dc3ac563 100644
+--- a/drivers/net/ethernet/renesas/sh_eth.c
++++ b/drivers/net/ethernet/renesas/sh_eth.c
+@@ -3446,10 +3446,12 @@ static int sh_eth_suspend(struct device *dev)
+
+ netif_device_detach(ndev);
+
++ rtnl_lock();
+ if (mdp->wol_enabled)
+ ret = sh_eth_wol_setup(ndev);
+ else
+ ret = sh_eth_close(ndev);
++ rtnl_unlock();
+
+ return ret;
+ }
+@@ -3463,10 +3465,12 @@ static int sh_eth_resume(struct device *dev)
+ if (!netif_running(ndev))
+ return 0;
+
++ rtnl_lock();
+ if (mdp->wol_enabled)
+ ret = sh_eth_wol_restore(ndev);
+ else
+ ret = sh_eth_open(ndev);
++ rtnl_unlock();
+
+ if (ret < 0)
+ return ret;
+--
+2.39.5
+
--- /dev/null
+From 8b3d5df01ea3e16457c48b75af46250f27b40bae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Jan 2025 22:32:01 +0800
+Subject: net/smc: fix data error when recvmsg with MSG_PEEK flag
+
+From: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+
+[ Upstream commit a4b6539038c1aa1ae871aacf6e41b566c3613993 ]
+
+When recvmsg with MSG_PEEK flag, the data will be copied to
+user's buffer without advancing consume cursor and without
+reducing the length of rx available data. Once the expected
+peek length is larger than the value of bytes_to_rcv, in the
+loop of do while in smc_rx_recvmsg, the first loop will copy
+bytes_to_rcv bytes of data from the position local_tx_ctrl.cons,
+the second loop will copy the min(bytes_to_rcv, read_remaining)
+bytes from the position local_tx_ctrl.cons again because of the
+lacking of process with advancing consume cursor and reducing
+the length of available data. So do the subsequent loops. The
+data copied in the second loop and the subsequent loops will
+result in data error, as it should not be copied if no more data
+arrives and it should be copied from the position advancing
+bytes_to_rcv bytes from the local_tx_ctrl.cons if more data arrives.
+
+This issue can be reproduce by the following python script:
+server.py:
+import socket
+import time
+server_ip = '0.0.0.0'
+server_port = 12346
+server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+server_socket.bind((server_ip, server_port))
+server_socket.listen(1)
+print('Server is running and listening for connections...')
+conn, addr = server_socket.accept()
+print('Connected by', addr)
+while True:
+ data = conn.recv(1024)
+ if not data:
+ break
+ print('Received request:', data.decode())
+ conn.sendall(b'Hello, client!\n')
+ time.sleep(5)
+ conn.sendall(b'Hello, again!\n')
+conn.close()
+
+client.py:
+import socket
+server_ip = '<server ip>'
+server_port = 12346
+resp=b'Hello, client!\nHello, again!\n'
+client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+client_socket.connect((server_ip, server_port))
+request = 'Hello, server!'
+client_socket.sendall(request.encode())
+peek_data = client_socket.recv(len(resp),
+ socket.MSG_PEEK | socket.MSG_WAITALL)
+print('Peeked data:', peek_data.decode())
+client_socket.close()
+
+Fixes: 952310ccf2d8 ("smc: receive data from RMBE")
+Reported-by: D. Wythe <alibuda@linux.alibaba.com>
+Signed-off-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
+Link: https://patch.msgid.link/20250104143201.35529-1-guangguan.wang@linux.alibaba.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/smc/af_smc.c | 2 +-
+ net/smc/smc_rx.c | 37 +++++++++++++++++++++----------------
+ net/smc/smc_rx.h | 8 ++++----
+ 3 files changed, 26 insertions(+), 21 deletions(-)
+
+diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
+index 0e0a12f4bb61f..d64cfd651c7a1 100644
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -1968,7 +1968,7 @@ static int smc_accept(struct socket *sock, struct socket *new_sock,
+ release_sock(clcsk);
+ } else if (!atomic_read(&smc_sk(nsk)->conn.bytes_to_rcv)) {
+ lock_sock(nsk);
+- smc_rx_wait(smc_sk(nsk), &timeo, smc_rx_data_available);
++ smc_rx_wait(smc_sk(nsk), &timeo, 0, smc_rx_data_available);
+ release_sock(nsk);
+ }
+ }
+diff --git a/net/smc/smc_rx.c b/net/smc/smc_rx.c
+index 3757aff6c2f00..5f20538cbf990 100644
+--- a/net/smc/smc_rx.c
++++ b/net/smc/smc_rx.c
+@@ -174,22 +174,23 @@ static int smc_rx_splice(struct pipe_inode_info *pipe, char *src, size_t len,
+ return bytes;
+ }
+
+-static int smc_rx_data_available_and_no_splice_pend(struct smc_connection *conn)
++static int smc_rx_data_available_and_no_splice_pend(struct smc_connection *conn, size_t peeked)
+ {
+- return atomic_read(&conn->bytes_to_rcv) &&
++ return smc_rx_data_available(conn, peeked) &&
+ !atomic_read(&conn->splice_pending);
+ }
+
+ /* blocks rcvbuf consumer until >=len bytes available or timeout or interrupted
+ * @smc smc socket
+ * @timeo pointer to max seconds to wait, pointer to value 0 for no timeout
++ * @peeked number of bytes already peeked
+ * @fcrit add'l criterion to evaluate as function pointer
+ * Returns:
+ * 1 if at least 1 byte available in rcvbuf or if socket error/shutdown.
+ * 0 otherwise (nothing in rcvbuf nor timeout, e.g. interrupted).
+ */
+-int smc_rx_wait(struct smc_sock *smc, long *timeo,
+- int (*fcrit)(struct smc_connection *conn))
++int smc_rx_wait(struct smc_sock *smc, long *timeo, size_t peeked,
++ int (*fcrit)(struct smc_connection *conn, size_t baseline))
+ {
+ DEFINE_WAIT_FUNC(wait, woken_wake_function);
+ struct smc_connection *conn = &smc->conn;
+@@ -198,7 +199,7 @@ int smc_rx_wait(struct smc_sock *smc, long *timeo,
+ struct sock *sk = &smc->sk;
+ int rc;
+
+- if (fcrit(conn))
++ if (fcrit(conn, peeked))
+ return 1;
+ sk_set_bit(SOCKWQ_ASYNC_WAITDATA, sk);
+ add_wait_queue(sk_sleep(sk), &wait);
+@@ -207,7 +208,7 @@ int smc_rx_wait(struct smc_sock *smc, long *timeo,
+ cflags->peer_conn_abort ||
+ READ_ONCE(sk->sk_shutdown) & RCV_SHUTDOWN ||
+ conn->killed ||
+- fcrit(conn),
++ fcrit(conn, peeked),
+ &wait);
+ remove_wait_queue(sk_sleep(sk), &wait);
+ sk_clear_bit(SOCKWQ_ASYNC_WAITDATA, sk);
+@@ -257,11 +258,11 @@ static int smc_rx_recv_urg(struct smc_sock *smc, struct msghdr *msg, int len,
+ return -EAGAIN;
+ }
+
+-static bool smc_rx_recvmsg_data_available(struct smc_sock *smc)
++static bool smc_rx_recvmsg_data_available(struct smc_sock *smc, size_t peeked)
+ {
+ struct smc_connection *conn = &smc->conn;
+
+- if (smc_rx_data_available(conn))
++ if (smc_rx_data_available(conn, peeked))
+ return true;
+ else if (conn->urg_state == SMC_URG_VALID)
+ /* we received a single urgent Byte - skip */
+@@ -279,10 +280,10 @@ static bool smc_rx_recvmsg_data_available(struct smc_sock *smc)
+ int smc_rx_recvmsg(struct smc_sock *smc, struct msghdr *msg,
+ struct pipe_inode_info *pipe, size_t len, int flags)
+ {
+- size_t copylen, read_done = 0, read_remaining = len;
++ size_t copylen, read_done = 0, read_remaining = len, peeked_bytes = 0;
+ size_t chunk_len, chunk_off, chunk_len_sum;
+ struct smc_connection *conn = &smc->conn;
+- int (*func)(struct smc_connection *conn);
++ int (*func)(struct smc_connection *conn, size_t baseline);
+ union smc_host_cursor cons;
+ int readable, chunk;
+ char *rcvbuf_base;
+@@ -313,14 +314,14 @@ int smc_rx_recvmsg(struct smc_sock *smc, struct msghdr *msg,
+ if (conn->killed)
+ break;
+
+- if (smc_rx_recvmsg_data_available(smc))
++ if (smc_rx_recvmsg_data_available(smc, peeked_bytes))
+ goto copy;
+
+ if (sk->sk_shutdown & RCV_SHUTDOWN) {
+ /* smc_cdc_msg_recv_action() could have run after
+ * above smc_rx_recvmsg_data_available()
+ */
+- if (smc_rx_recvmsg_data_available(smc))
++ if (smc_rx_recvmsg_data_available(smc, peeked_bytes))
+ goto copy;
+ break;
+ }
+@@ -354,26 +355,28 @@ int smc_rx_recvmsg(struct smc_sock *smc, struct msghdr *msg,
+ }
+ }
+
+- if (!smc_rx_data_available(conn)) {
+- smc_rx_wait(smc, &timeo, smc_rx_data_available);
++ if (!smc_rx_data_available(conn, peeked_bytes)) {
++ smc_rx_wait(smc, &timeo, peeked_bytes, smc_rx_data_available);
+ continue;
+ }
+
+ copy:
+ /* initialize variables for 1st iteration of subsequent loop */
+ /* could be just 1 byte, even after waiting on data above */
+- readable = atomic_read(&conn->bytes_to_rcv);
++ readable = smc_rx_data_available(conn, peeked_bytes);
+ splbytes = atomic_read(&conn->splice_pending);
+ if (!readable || (msg && splbytes)) {
+ if (splbytes)
+ func = smc_rx_data_available_and_no_splice_pend;
+ else
+ func = smc_rx_data_available;
+- smc_rx_wait(smc, &timeo, func);
++ smc_rx_wait(smc, &timeo, peeked_bytes, func);
+ continue;
+ }
+
+ smc_curs_copy(&cons, &conn->local_tx_ctrl.cons, conn);
++ if ((flags & MSG_PEEK) && peeked_bytes)
++ smc_curs_add(conn->rmb_desc->len, &cons, peeked_bytes);
+ /* subsequent splice() calls pick up where previous left */
+ if (splbytes)
+ smc_curs_add(conn->rmb_desc->len, &cons, splbytes);
+@@ -410,6 +413,8 @@ int smc_rx_recvmsg(struct smc_sock *smc, struct msghdr *msg,
+ }
+ read_remaining -= chunk_len;
+ read_done += chunk_len;
++ if (flags & MSG_PEEK)
++ peeked_bytes += chunk_len;
+
+ if (chunk_len_sum == copylen)
+ break; /* either on 1st or 2nd iteration */
+diff --git a/net/smc/smc_rx.h b/net/smc/smc_rx.h
+index db823c97d824e..994f5e42d1ba2 100644
+--- a/net/smc/smc_rx.h
++++ b/net/smc/smc_rx.h
+@@ -21,11 +21,11 @@ void smc_rx_init(struct smc_sock *smc);
+
+ int smc_rx_recvmsg(struct smc_sock *smc, struct msghdr *msg,
+ struct pipe_inode_info *pipe, size_t len, int flags);
+-int smc_rx_wait(struct smc_sock *smc, long *timeo,
+- int (*fcrit)(struct smc_connection *conn));
+-static inline int smc_rx_data_available(struct smc_connection *conn)
++int smc_rx_wait(struct smc_sock *smc, long *timeo, size_t peeked,
++ int (*fcrit)(struct smc_connection *conn, size_t baseline));
++static inline int smc_rx_data_available(struct smc_connection *conn, size_t peeked)
+ {
+- return atomic_read(&conn->bytes_to_rcv);
++ return atomic_read(&conn->bytes_to_rcv) - peeked;
+ }
+
+ #endif /* SMC_RX_H */
+--
+2.39.5
+
--- /dev/null
+From c0e31f774919d810a72c9d82a272d432da6454df Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 13 Dec 2024 11:52:00 -0500
+Subject: NFSv4.2: fix COPY_NOTIFY xdr buf size calculation
+
+From: Olga Kornievskaia <okorniev@redhat.com>
+
+[ Upstream commit e8380c2d06055665b3df6c03964911375d7f9290 ]
+
+We need to include sequence size in the compound.
+
+Fixes: 0491567b51ef ("NFS: add COPY_NOTIFY operation")
+Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/nfs/nfs42xdr.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/fs/nfs/nfs42xdr.c b/fs/nfs/nfs42xdr.c
+index df5bee2f505c4..c9987d615ebc5 100644
+--- a/fs/nfs/nfs42xdr.c
++++ b/fs/nfs/nfs42xdr.c
+@@ -122,9 +122,11 @@
+ decode_putfh_maxsz + \
+ decode_offload_cancel_maxsz)
+ #define NFS4_enc_copy_notify_sz (compound_encode_hdr_maxsz + \
++ encode_sequence_maxsz + \
+ encode_putfh_maxsz + \
+ encode_copy_notify_maxsz)
+ #define NFS4_dec_copy_notify_sz (compound_decode_hdr_maxsz + \
++ decode_sequence_maxsz + \
+ decode_putfh_maxsz + \
+ decode_copy_notify_maxsz)
+ #define NFS4_enc_deallocate_sz (compound_encode_hdr_maxsz + \
+--
+2.39.5
+
--- /dev/null
+From a24c6dd0e0d07a21b142b4c4557b0545f04ccbaa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Dec 2024 13:00:47 +0100
+Subject: nvme: Add error check for xa_store in nvme_get_effects_log
+
+From: Keisuke Nishimura <keisuke.nishimura@inria.fr>
+
+[ Upstream commit ac32057acc7f3d7a238dafaa9b2aa2bc9750080e ]
+
+The xa_store() may fail due to memory allocation failure because there
+is no guarantee that the index csi is already used. This fix adds an
+error check of the return value of xa_store() in nvme_get_effects_log().
+
+Fixes: 1cf7a12e09aa ("nvme: use an xarray to lookup the Commands Supported and Effects log")
+Signed-off-by: Keisuke Nishimura <keisuke.nishimura@inria.fr>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/core.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
+index c739ac1761ba6..f988a5e3f0e15 100644
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -3043,7 +3043,7 @@ int nvme_get_log(struct nvme_ctrl *ctrl, u32 nsid, u8 log_page, u8 lsp, u8 csi,
+ static int nvme_get_effects_log(struct nvme_ctrl *ctrl, u8 csi,
+ struct nvme_effects_log **log)
+ {
+- struct nvme_effects_log *cel = xa_load(&ctrl->cels, csi);
++ struct nvme_effects_log *old, *cel = xa_load(&ctrl->cels, csi);
+ int ret;
+
+ if (cel)
+@@ -3060,7 +3060,11 @@ static int nvme_get_effects_log(struct nvme_ctrl *ctrl, u8 csi,
+ return ret;
+ }
+
+- xa_store(&ctrl->cels, csi, cel, GFP_KERNEL);
++ old = xa_store(&ctrl->cels, csi, cel, GFP_KERNEL);
++ if (xa_is_err(old)) {
++ kfree(cel);
++ return xa_err(old);
++ }
+ out:
+ *log = cel;
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From 94ff684b9b5de2f828fc9986617adf5ed86eba74 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Jan 2025 22:06:53 +0800
+Subject: ocfs2: mark dquot as inactive if failed to start trans while
+ releasing dquot
+
+From: Su Yue <glass.su@suse.com>
+
+[ Upstream commit 276c61385f6bc3223a5ecd307cf4aba2dfbb9a31 ]
+
+While running fstests generic/329, the kernel workqueue
+quota_release_workfn is dead looping in calling ocfs2_release_dquot().
+The ocfs2 state is already readonly but ocfs2_release_dquot wants to
+start a transaction but fails and returns.
+
+=====================================================================
+[ 2918.123602 ][ T275 ] On-disk corruption discovered. Please run
+fsck.ocfs2 once the filesystem is unmounted.
+[ 2918.124034 ][ T275 ] (kworker/u135:1,275,11):ocfs2_release_dquot:765
+ERROR: status = -30
+[ 2918.124452 ][ T275 ] (kworker/u135:1,275,11):ocfs2_release_dquot:795
+ERROR: status = -30
+[ 2918.124883 ][ T275 ] (kworker/u135:1,275,11):ocfs2_start_trans:357
+ERROR: status = -30
+[ 2918.125276 ][ T275 ] OCFS2: abort (device dm-0): ocfs2_start_trans:
+Detected aborted journal
+[ 2918.125710 ][ T275 ] On-disk corruption discovered. Please run
+fsck.ocfs2 once the filesystem is unmounted.
+=====================================================================
+
+ocfs2_release_dquot() is much like dquot_release(), which is called by
+ext4 to handle similar situation. So here fix it by marking the dquot as
+inactive like what dquot_release() does.
+
+Link: https://lkml.kernel.org/r/20250106140653.92292-1-glass.su@suse.com
+Fixes: 9e33d69f553a ("ocfs2: Implementation of local and global quota file handling")
+Signed-off-by: Su Yue <glass.su@suse.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ocfs2/quota_global.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/fs/ocfs2/quota_global.c b/fs/ocfs2/quota_global.c
+index 1ce3780e8b499..742bf103d2eb2 100644
+--- a/fs/ocfs2/quota_global.c
++++ b/fs/ocfs2/quota_global.c
+@@ -749,6 +749,11 @@ static int ocfs2_release_dquot(struct dquot *dquot)
+ handle = ocfs2_start_trans(osb,
+ ocfs2_calc_qdel_credits(dquot->dq_sb, dquot->dq_id.type));
+ if (IS_ERR(handle)) {
++ /*
++ * Mark dquot as inactive to avoid endless cycle in
++ * quota_release_workfn().
++ */
++ clear_bit(DQ_ACTIVE_B, &dquot->dq_flags);
+ status = PTR_ERR(handle);
+ mlog_errno(status);
+ goto out_ilock;
+--
+2.39.5
+
--- /dev/null
+From d1444a04911d5920736008f3cade522d0602585c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jan 2025 06:16:37 +0000
+Subject: padata: add pd get/put refcnt helper
+
+From: Chen Ridong <chenridong@huawei.com>
+
+[ Upstream commit ae154202cc6a189b035359f3c4e143d5c24d5352 ]
+
+Add helpers for pd to get/put refcnt to make code consice.
+
+Signed-off-by: Chen Ridong <chenridong@huawei.com>
+Acked-by: Daniel Jordan <daniel.m.jordan@oracle.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Stable-dep-of: dd7d37ccf6b1 ("padata: avoid UAF for reorder_work")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/padata.c | 27 ++++++++++++++++++++-------
+ 1 file changed, 20 insertions(+), 7 deletions(-)
+
+diff --git a/kernel/padata.c b/kernel/padata.c
+index e4e0121ef3da2..02bb06a2c797d 100644
+--- a/kernel/padata.c
++++ b/kernel/padata.c
+@@ -60,6 +60,22 @@ struct padata_mt_job_state {
+ static void padata_free_pd(struct parallel_data *pd);
+ static void __init padata_mt_helper(struct work_struct *work);
+
++static inline void padata_get_pd(struct parallel_data *pd)
++{
++ refcount_inc(&pd->refcnt);
++}
++
++static inline void padata_put_pd_cnt(struct parallel_data *pd, int cnt)
++{
++ if (refcount_sub_and_test(cnt, &pd->refcnt))
++ padata_free_pd(pd);
++}
++
++static inline void padata_put_pd(struct parallel_data *pd)
++{
++ padata_put_pd_cnt(pd, 1);
++}
++
+ static int padata_index_to_cpu(struct parallel_data *pd, int cpu_index)
+ {
+ int cpu, target_cpu;
+@@ -211,7 +227,7 @@ int padata_do_parallel(struct padata_shell *ps,
+ if ((pinst->flags & PADATA_RESET))
+ goto out;
+
+- refcount_inc(&pd->refcnt);
++ padata_get_pd(pd);
+ padata->pd = pd;
+ padata->cb_cpu = *cb_cpu;
+
+@@ -385,8 +401,7 @@ static void padata_serial_worker(struct work_struct *serial_work)
+ }
+ local_bh_enable();
+
+- if (refcount_sub_and_test(cnt, &pd->refcnt))
+- padata_free_pd(pd);
++ padata_put_pd_cnt(pd, cnt);
+ }
+
+ /**
+@@ -683,8 +698,7 @@ static int padata_replace(struct padata_instance *pinst)
+ synchronize_rcu();
+
+ list_for_each_entry_continue_reverse(ps, &pinst->pslist, list)
+- if (refcount_dec_and_test(&ps->opd->refcnt))
+- padata_free_pd(ps->opd);
++ padata_put_pd(ps->opd);
+
+ pinst->flags &= ~PADATA_RESET;
+
+@@ -1132,8 +1146,7 @@ void padata_free_shell(struct padata_shell *ps)
+ mutex_lock(&ps->pinst->lock);
+ list_del(&ps->list);
+ pd = rcu_dereference_protected(ps->pd, 1);
+- if (refcount_dec_and_test(&pd->refcnt))
+- padata_free_pd(pd);
++ padata_put_pd(pd);
+ mutex_unlock(&ps->pinst->lock);
+
+ kfree(ps);
+--
+2.39.5
+
--- /dev/null
+From 2aee1b9354dccccd72d4b1e2172393719af48433 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jan 2025 06:16:39 +0000
+Subject: padata: avoid UAF for reorder_work
+
+From: Chen Ridong <chenridong@huawei.com>
+
+[ Upstream commit dd7d37ccf6b11f3d95e797ebe4e9e886d0332600 ]
+
+Although the previous patch can avoid ps and ps UAF for _do_serial, it
+can not avoid potential UAF issue for reorder_work. This issue can
+happen just as below:
+
+crypto_request crypto_request crypto_del_alg
+padata_do_serial
+ ...
+ padata_reorder
+ // processes all remaining
+ // requests then breaks
+ while (1) {
+ if (!padata)
+ break;
+ ...
+ }
+
+ padata_do_serial
+ // new request added
+ list_add
+ // sees the new request
+ queue_work(reorder_work)
+ padata_reorder
+ queue_work_on(squeue->work)
+...
+
+ <kworker context>
+ padata_serial_worker
+ // completes new request,
+ // no more outstanding
+ // requests
+
+ crypto_del_alg
+ // free pd
+
+<kworker context>
+invoke_padata_reorder
+ // UAF of pd
+
+To avoid UAF for 'reorder_work', get 'pd' ref before put 'reorder_work'
+into the 'serial_wq' and put 'pd' ref until the 'serial_wq' finish.
+
+Fixes: bbefa1dd6a6d ("crypto: pcrypt - Avoid deadlock by using per-instance padata queues")
+Signed-off-by: Chen Ridong <chenridong@huawei.com>
+Acked-by: Daniel Jordan <daniel.m.jordan@oracle.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/padata.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/padata.c b/kernel/padata.c
+index 02bb06a2c797d..c7aa60907fdf8 100644
+--- a/kernel/padata.c
++++ b/kernel/padata.c
+@@ -357,8 +357,14 @@ static void padata_reorder(struct parallel_data *pd)
+ smp_mb();
+
+ reorder = per_cpu_ptr(pd->reorder_list, pd->cpu);
+- if (!list_empty(&reorder->list) && padata_find_next(pd, false))
++ if (!list_empty(&reorder->list) && padata_find_next(pd, false)) {
++ /*
++ * Other context(eg. the padata_serial_worker) can finish the request.
++ * To avoid UAF issue, add pd ref here, and put pd ref after reorder_work finish.
++ */
++ padata_get_pd(pd);
+ queue_work(pinst->serial_wq, &pd->reorder_work);
++ }
+ }
+
+ static void invoke_padata_reorder(struct work_struct *work)
+@@ -369,6 +375,8 @@ static void invoke_padata_reorder(struct work_struct *work)
+ pd = container_of(work, struct parallel_data, reorder_work);
+ padata_reorder(pd);
+ local_bh_enable();
++ /* Pairs with putting the reorder_work in the serial_wq */
++ padata_put_pd(pd);
+ }
+
+ static void padata_serial_worker(struct work_struct *serial_work)
+--
+2.39.5
+
--- /dev/null
+From 66d57654c833ef4d9553e9da8e866e7750e8dcea Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Dec 2024 23:32:01 +0100
+Subject: padata: fix sysfs store callback check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <linux@weissschuh.net>
+
+[ Upstream commit 9ff6e943bce67d125781fe4780a5d6f072dc44c0 ]
+
+padata_sysfs_store() was copied from padata_sysfs_show() but this check
+was not adapted. Today there is no attribute which can fail this
+check, but if there is one it may as well be correct.
+
+Fixes: 5e017dc3f8bc ("padata: Added sysfs primitives to padata subsystem")
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/padata.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/padata.c b/kernel/padata.c
+index 914a88d9cee14..a2badc5dd922e 100644
+--- a/kernel/padata.c
++++ b/kernel/padata.c
+@@ -972,7 +972,7 @@ static ssize_t padata_sysfs_store(struct kobject *kobj, struct attribute *attr,
+
+ pinst = kobj2pinst(kobj);
+ pentry = attr2pentry(attr);
+- if (pentry->show)
++ if (pentry->store)
+ ret = pentry->store(pinst, attr, buf, count);
+
+ return ret;
+--
+2.39.5
+
--- /dev/null
+From d32c71e93d8b59a6b19e16753b56da238ac83149 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jan 2025 06:16:38 +0000
+Subject: padata: fix UAF in padata_reorder
+
+From: Chen Ridong <chenridong@huawei.com>
+
+[ Upstream commit e01780ea4661172734118d2a5f41bc9720765668 ]
+
+A bug was found when run ltp test:
+
+BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0
+Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206
+
+CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+
+Workqueue: pdecrypt_parallel padata_parallel_worker
+Call Trace:
+<TASK>
+dump_stack_lvl+0x32/0x50
+print_address_description.constprop.0+0x6b/0x3d0
+print_report+0xdd/0x2c0
+kasan_report+0xa5/0xd0
+padata_find_next+0x29/0x1a0
+padata_reorder+0x131/0x220
+padata_parallel_worker+0x3d/0xc0
+process_one_work+0x2ec/0x5a0
+
+If 'mdelay(10)' is added before calling 'padata_find_next' in the
+'padata_reorder' function, this issue could be reproduced easily with
+ltp test (pcrypt_aead01).
+
+This can be explained as bellow:
+
+pcrypt_aead_encrypt
+...
+padata_do_parallel
+refcount_inc(&pd->refcnt); // add refcnt
+...
+padata_do_serial
+padata_reorder // pd
+while (1) {
+padata_find_next(pd, true); // using pd
+queue_work_on
+...
+padata_serial_worker crypto_del_alg
+padata_put_pd_cnt // sub refcnt
+ padata_free_shell
+ padata_put_pd(ps->pd);
+ // pd is freed
+// loop again, but pd is freed
+// call padata_find_next, UAF
+}
+
+In the padata_reorder function, when it loops in 'while', if the alg is
+deleted, the refcnt may be decreased to 0 before entering
+'padata_find_next', which leads to UAF.
+
+As mentioned in [1], do_serial is supposed to be called with BHs disabled
+and always happen under RCU protection, to address this issue, add
+synchronize_rcu() in 'padata_free_shell' wait for all _do_serial calls
+to finish.
+
+[1] https://lore.kernel.org/all/20221028160401.cccypv4euxikusiq@parnassus.localdomain/
+[2] https://lore.kernel.org/linux-kernel/jfjz5d7zwbytztackem7ibzalm5lnxldi2eofeiczqmqs2m7o6@fq426cwnjtkm/
+Fixes: b128a3040935 ("padata: allocate workqueue internally")
+Signed-off-by: Chen Ridong <chenridong@huawei.com>
+Signed-off-by: Qu Zicheng <quzicheng@huawei.com>
+Acked-by: Daniel Jordan <daniel.m.jordan@oracle.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/padata.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/kernel/padata.c b/kernel/padata.c
+index a2badc5dd922e..e4e0121ef3da2 100644
+--- a/kernel/padata.c
++++ b/kernel/padata.c
+@@ -1123,6 +1123,12 @@ void padata_free_shell(struct padata_shell *ps)
+ if (!ps)
+ return;
+
++ /*
++ * Wait for all _do_serial calls to finish to avoid touching
++ * freed pd's and ps's.
++ */
++ synchronize_rcu();
++
+ mutex_lock(&ps->pinst->lock);
+ list_del(&ps->list);
+ pd = rcu_dereference_protected(ps->pd, 1);
+--
+2.39.5
+
--- /dev/null
+From dae9fcfc16d42c09dc4fe6ee4f91f99baf5e2ebf Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jan 2025 22:27:58 -0800
+Subject: partitions: ldm: remove the initial kernel-doc notation
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit e494e451611a3de6ae95f99e8339210c157d70fb ]
+
+Remove the file's first comment describing what the file is.
+This comment is not in kernel-doc format so it causes a kernel-doc
+warning.
+
+ldm.h:13: warning: expecting prototype for ldm(). Prototype was for _FS_PT_LDM_H_() instead
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Richard Russon (FlatCap) <ldm@flatcap.org>
+Cc: linux-ntfs-dev@lists.sourceforge.net
+Cc: Jens Axboe <axboe@kernel.dk>
+Link: https://lore.kernel.org/r/20250111062758.910458-1-rdunlap@infradead.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ block/partitions/ldm.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/block/partitions/ldm.h b/block/partitions/ldm.h
+index 8693704dcf5e9..84a66b51cd2ab 100644
+--- a/block/partitions/ldm.h
++++ b/block/partitions/ldm.h
+@@ -1,5 +1,5 @@
+ // SPDX-License-Identifier: GPL-2.0-or-later
+-/**
++/*
+ * ldm - Part of the Linux-NTFS project.
+ *
+ * Copyright (C) 2001,2002 Richard Russon <ldm@flatcap.org>
+--
+2.39.5
+
--- /dev/null
+From 3c32457592042da6ecd4ffe7d991f87f459ba61b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 Dec 2024 22:00:18 +0800
+Subject: PCI: endpoint: Destroy the EPC device in devm_pci_epc_destroy()
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+[ Upstream commit d4929755e4d02bd3de3ae5569dab69cb9502c54f ]
+
+The devm_pci_epc_destroy() comment says destroys the EPC device, but it
+does not actually do that since devres_destroy() does not call
+devm_pci_epc_release(), and it also can not fully undo what the API
+devm_pci_epc_create() does, so it is faulty.
+
+Fortunately, the faulty API has not been used by current kernel tree. Use
+devres_release() instead of devres_destroy() so the EPC device will be
+released.
+
+Link: https://lore.kernel.org/r/20241210-pci-epc-core_fix-v3-1-4d86dd573e4b@quicinc.com
+Fixes: 5e8cb4033807 ("PCI: endpoint: Add EP core layer to enable EP controller and EP functions")
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/endpoint/pci-epc-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/endpoint/pci-epc-core.c b/drivers/pci/endpoint/pci-epc-core.c
+index ea7e7465ce7a6..8062bc2432303 100644
+--- a/drivers/pci/endpoint/pci-epc-core.c
++++ b/drivers/pci/endpoint/pci-epc-core.c
+@@ -616,7 +616,7 @@ void devm_pci_epc_destroy(struct device *dev, struct pci_epc *epc)
+ {
+ int r;
+
+- r = devres_destroy(dev, devm_pci_epc_release, devm_pci_epc_match,
++ r = devres_release(dev, devm_pci_epc_release, devm_pci_epc_match,
+ epc);
+ dev_WARN_ONCE(dev, r, "couldn't find PCI EPC resource\n");
+ }
+--
+2.39.5
+
--- /dev/null
+From cd5d7716e645bc9b38c201508f78187f288a0083 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Jan 2025 08:50:18 +0800
+Subject: PCI: rcar-ep: Fix incorrect variable used when calling
+ devm_request_mem_region()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: King Dix <kingdix10@qq.com>
+
+[ Upstream commit 2d2da5a4c1b4509f6f7e5a8db015cd420144beb4 ]
+
+The rcar_pcie_parse_outbound_ranges() uses the devm_request_mem_region()
+macro to request a needed resource. A string variable that lives on the
+stack is then used to store a dynamically computed resource name, which
+is then passed on as one of the macro arguments. This can lead to
+undefined behavior.
+
+Depending on the current contents of the memory, the manifestations of
+errors may vary. One possible output may be as follows:
+
+ $ cat /proc/iomem
+ 30000000-37ffffff :
+ 38000000-3fffffff :
+
+Sometimes, garbage may appear after the colon.
+
+In very rare cases, if no NULL-terminator is found in memory, the system
+might crash because the string iterator will overrun which can lead to
+access of unmapped memory above the stack.
+
+Thus, fix this by replacing outbound_name with the name of the previously
+requested resource. With the changes applied, the output will be as
+follows:
+
+ $ cat /proc/iomem
+ 30000000-37ffffff : memory2
+ 38000000-3fffffff : memory3
+
+Fixes: 2a6d0d63d999 ("PCI: rcar: Add endpoint mode support")
+Link: https://lore.kernel.org/r/tencent_DBDCC19D60F361119E76919ADAB25EC13C06@qq.com
+Tested-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Signed-off-by: King Dix <kingdix10@qq.com>
+[kwilczynski: commit log]
+Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
+Reviewed-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pci/controller/pcie-rcar-ep.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pci/controller/pcie-rcar-ep.c b/drivers/pci/controller/pcie-rcar-ep.c
+index c91d85b151290..fc85263797e91 100644
+--- a/drivers/pci/controller/pcie-rcar-ep.c
++++ b/drivers/pci/controller/pcie-rcar-ep.c
+@@ -110,7 +110,7 @@ static int rcar_pcie_parse_outbound_ranges(struct rcar_pcie_endpoint *ep,
+ }
+ if (!devm_request_mem_region(&pdev->dev, res->start,
+ resource_size(res),
+- outbound_name)) {
++ res->name)) {
+ dev_err(pcie->dev, "Cannot request memory region %s.\n",
+ outbound_name);
+ return -EIO;
+--
+2.39.5
+
--- /dev/null
+From 60adc37079b1c1e3be4b5a2e8e5ad4183ddf8e57 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Dec 2024 16:45:00 +0800
+Subject: perf bpf: Fix two memory leakages when calling
+ perf_env__insert_bpf_prog_info()
+
+From: Zhongqiu Han <quic_zhonhan@quicinc.com>
+
+[ Upstream commit 03edb7020bb920f1935c3f30acad0bb27fdb99af ]
+
+If perf_env__insert_bpf_prog_info() returns false due to a duplicate bpf
+prog info node insertion, the temporary info_node and info_linear memory
+will leak. Add a check to ensure the memory is freed if the function
+returns false.
+
+Fixes: d56354dc49091e33 ("perf tools: Save bpf_prog_info and BTF of new BPF programs")
+Reviewed-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Zhongqiu Han <quic_zhonhan@quicinc.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: James Clark <james.clark@linaro.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Song Liu <song@kernel.org>
+Cc: Yicong Yang <yangyicong@hisilicon.com>
+Link: https://lore.kernel.org/r/20241205084500.823660-4-quic_zhonhan@quicinc.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/bpf-event.c | 10 ++++++++--
+ tools/perf/util/env.c | 8 ++++++--
+ tools/perf/util/env.h | 2 +-
+ 3 files changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/tools/perf/util/bpf-event.c b/tools/perf/util/bpf-event.c
+index c50d2c7a264fe..c4de19eba3880 100644
+--- a/tools/perf/util/bpf-event.c
++++ b/tools/perf/util/bpf-event.c
+@@ -280,7 +280,10 @@ static int perf_event__synthesize_one_bpf_prog(struct perf_session *session,
+ }
+
+ info_node->info_linear = info_linear;
+- perf_env__insert_bpf_prog_info(env, info_node);
++ if (!perf_env__insert_bpf_prog_info(env, info_node)) {
++ free(info_linear);
++ free(info_node);
++ }
+ info_linear = NULL;
+
+ /*
+@@ -468,7 +471,10 @@ static void perf_env__add_bpf_info(struct perf_env *env, u32 id)
+ info_node = malloc(sizeof(struct bpf_prog_info_node));
+ if (info_node) {
+ info_node->info_linear = info_linear;
+- perf_env__insert_bpf_prog_info(env, info_node);
++ if (!perf_env__insert_bpf_prog_info(env, info_node)) {
++ free(info_linear);
++ free(info_node);
++ }
+ } else
+ free(info_linear);
+
+diff --git a/tools/perf/util/env.c b/tools/perf/util/env.c
+index 08d641c4e4580..485ee960debfd 100644
+--- a/tools/perf/util/env.c
++++ b/tools/perf/util/env.c
+@@ -17,12 +17,16 @@ struct perf_env perf_env;
+ #include "bpf-event.h"
+ #include <bpf/libbpf.h>
+
+-void perf_env__insert_bpf_prog_info(struct perf_env *env,
++bool perf_env__insert_bpf_prog_info(struct perf_env *env,
+ struct bpf_prog_info_node *info_node)
+ {
++ bool ret;
++
+ down_write(&env->bpf_progs.lock);
+- __perf_env__insert_bpf_prog_info(env, info_node);
++ ret = __perf_env__insert_bpf_prog_info(env, info_node);
+ up_write(&env->bpf_progs.lock);
++
++ return ret;
+ }
+
+ bool __perf_env__insert_bpf_prog_info(struct perf_env *env, struct bpf_prog_info_node *info_node)
+diff --git a/tools/perf/util/env.h b/tools/perf/util/env.h
+index b5ddf2ab0e8c6..76c918544db1b 100644
+--- a/tools/perf/util/env.h
++++ b/tools/perf/util/env.h
+@@ -141,7 +141,7 @@ int perf_env__nr_cpus_avail(struct perf_env *env);
+ void perf_env__init(struct perf_env *env);
+ bool __perf_env__insert_bpf_prog_info(struct perf_env *env,
+ struct bpf_prog_info_node *info_node);
+-void perf_env__insert_bpf_prog_info(struct perf_env *env,
++bool perf_env__insert_bpf_prog_info(struct perf_env *env,
+ struct bpf_prog_info_node *info_node);
+ struct bpf_prog_info_node *perf_env__find_bpf_prog_info(struct perf_env *env,
+ __u32 prog_id);
+--
+2.39.5
+
--- /dev/null
+From 9ad8939054828b6fb25425614ec62c877da30e6e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 20 Oct 2020 15:57:21 -0300
+Subject: perf env: Conditionally compile BPF support code on having
+ HAVE_LIBBPF_SUPPORT
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit ef0580ecd8b0306acf09b7a7508d72cafc67896d ]
+
+If libbpf isn't selected, no need for a bunch of related code, that were
+not even being used, as code using these perf_env methods was also
+enclosed in HAVE_LIBBPF_SUPPORT.
+
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Stable-dep-of: 03edb7020bb9 ("perf bpf: Fix two memory leakages when calling perf_env__insert_bpf_prog_info()")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/dso.c | 14 ++++++++++----
+ tools/perf/util/env.c | 15 ++++++++++++---
+ tools/perf/util/env.h | 4 ++--
+ tools/perf/util/header.c | 21 ++++++++-------------
+ 4 files changed, 32 insertions(+), 22 deletions(-)
+
+diff --git a/tools/perf/util/dso.c b/tools/perf/util/dso.c
+index 5e9902fa1dc8a..48b5d6ec27b6e 100644
+--- a/tools/perf/util/dso.c
++++ b/tools/perf/util/dso.c
+@@ -11,8 +11,10 @@
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <stdlib.h>
++#ifdef HAVE_LIBBPF_SUPPORT
+ #include <bpf/libbpf.h>
+ #include "bpf-event.h"
++#endif
+ #include "compress.h"
+ #include "env.h"
+ #include "namespaces.h"
+@@ -728,6 +730,7 @@ bool dso__data_status_seen(struct dso *dso, enum dso_data_status_seen by)
+ return false;
+ }
+
++#ifdef HAVE_LIBBPF_SUPPORT
+ static ssize_t bpf_read(struct dso *dso, u64 offset, char *data)
+ {
+ struct bpf_prog_info_node *node;
+@@ -765,6 +768,7 @@ static int bpf_size(struct dso *dso)
+ dso->data.file_size = node->info_linear->info.jited_prog_len;
+ return 0;
+ }
++#endif // HAVE_LIBBPF_SUPPORT
+
+ static void
+ dso_cache__free(struct dso *dso)
+@@ -894,10 +898,12 @@ static struct dso_cache *dso_cache__populate(struct dso *dso,
+ *ret = -ENOMEM;
+ return NULL;
+ }
+-
++#ifdef HAVE_LIBBPF_SUPPORT
+ if (dso->binary_type == DSO_BINARY_TYPE__BPF_PROG_INFO)
+ *ret = bpf_read(dso, cache_offset, cache->data);
+- else if (dso->binary_type == DSO_BINARY_TYPE__OOL)
++ else
++#endif
++ if (dso->binary_type == DSO_BINARY_TYPE__OOL)
+ *ret = DSO__DATA_CACHE_SIZE;
+ else
+ *ret = file_read(dso, machine, cache_offset, cache->data);
+@@ -1018,10 +1024,10 @@ int dso__data_file_size(struct dso *dso, struct machine *machine)
+
+ if (dso->data.status == DSO_DATA_STATUS_ERROR)
+ return -1;
+-
++#ifdef HAVE_LIBBPF_SUPPORT
+ if (dso->binary_type == DSO_BINARY_TYPE__BPF_PROG_INFO)
+ return bpf_size(dso);
+-
++#endif
+ return file_size(dso, machine);
+ }
+
+diff --git a/tools/perf/util/env.c b/tools/perf/util/env.c
+index abb43643c7857..08d641c4e4580 100644
+--- a/tools/perf/util/env.c
++++ b/tools/perf/util/env.c
+@@ -5,16 +5,18 @@
+ #include "util/header.h"
+ #include <linux/ctype.h>
+ #include <linux/zalloc.h>
+-#include "bpf-event.h"
+ #include "cgroup.h"
+ #include <errno.h>
+ #include <sys/utsname.h>
+-#include <bpf/libbpf.h>
+ #include <stdlib.h>
+ #include <string.h>
+
+ struct perf_env perf_env;
+
++#ifdef HAVE_LIBBPF_SUPPORT
++#include "bpf-event.h"
++#include <bpf/libbpf.h>
++
+ void perf_env__insert_bpf_prog_info(struct perf_env *env,
+ struct bpf_prog_info_node *info_node)
+ {
+@@ -182,6 +184,11 @@ static void perf_env__purge_bpf(struct perf_env *env)
+
+ up_write(&env->bpf_progs.lock);
+ }
++#else // HAVE_LIBBPF_SUPPORT
++static void perf_env__purge_bpf(struct perf_env *env __maybe_unused)
++{
++}
++#endif // HAVE_LIBBPF_SUPPORT
+
+ void perf_env__exit(struct perf_env *env)
+ {
+@@ -218,11 +225,13 @@ void perf_env__exit(struct perf_env *env)
+ zfree(&env->memory_nodes);
+ }
+
+-void perf_env__init(struct perf_env *env)
++void perf_env__init(struct perf_env *env __maybe_unused)
+ {
++#ifdef HAVE_LIBBPF_SUPPORT
+ env->bpf_progs.infos = RB_ROOT;
+ env->bpf_progs.btfs = RB_ROOT;
+ init_rwsem(&env->bpf_progs.lock);
++#endif
+ }
+
+ int perf_env__set_cmdline(struct perf_env *env, int argc, const char *argv[])
+diff --git a/tools/perf/util/env.h b/tools/perf/util/env.h
+index 64b63e989472e..b5ddf2ab0e8c6 100644
+--- a/tools/perf/util/env.h
++++ b/tools/perf/util/env.h
+@@ -77,7 +77,7 @@ struct perf_env {
+ struct numa_node *numa_nodes;
+ struct memory_node *memory_nodes;
+ unsigned long long memory_bsize;
+-
++#ifdef HAVE_LIBBPF_SUPPORT
+ /*
+ * bpf_info_lock protects bpf rbtrees. This is needed because the
+ * trees are accessed by different threads in perf-top
+@@ -89,7 +89,7 @@ struct perf_env {
+ struct rb_root btfs;
+ u32 btfs_cnt;
+ } bpf_progs;
+-
++#endif // HAVE_LIBBPF_SUPPORT
+ /* same reason as above (for perf-top) */
+ struct {
+ struct rw_semaphore lock;
+diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
+index 8d4f35e08905c..94b9c96c29d58 100644
+--- a/tools/perf/util/header.c
++++ b/tools/perf/util/header.c
+@@ -19,7 +19,9 @@
+ #include <sys/utsname.h>
+ #include <linux/time64.h>
+ #include <dirent.h>
++#ifdef HAVE_LIBBPF_SUPPORT
+ #include <bpf/libbpf.h>
++#endif
+ #include <perf/cpumap.h>
+
+ #include "dso.h"
+@@ -987,13 +989,6 @@ static int write_bpf_prog_info(struct feat_fd *ff,
+ up_read(&env->bpf_progs.lock);
+ return ret;
+ }
+-#else // HAVE_LIBBPF_SUPPORT
+-static int write_bpf_prog_info(struct feat_fd *ff __maybe_unused,
+- struct evlist *evlist __maybe_unused)
+-{
+- return 0;
+-}
+-#endif // HAVE_LIBBPF_SUPPORT
+
+ static int write_bpf_btf(struct feat_fd *ff,
+ struct evlist *evlist __maybe_unused)
+@@ -1027,6 +1022,7 @@ static int write_bpf_btf(struct feat_fd *ff,
+ up_read(&env->bpf_progs.lock);
+ return ret;
+ }
++#endif // HAVE_LIBBPF_SUPPORT
+
+ static int cpu_cache_level__sort(const void *a, const void *b)
+ {
+@@ -1638,6 +1634,7 @@ static void print_dir_format(struct feat_fd *ff, FILE *fp)
+ fprintf(fp, "# directory data version : %"PRIu64"\n", data->dir.version);
+ }
+
++#ifdef HAVE_LIBBPF_SUPPORT
+ static void print_bpf_prog_info(struct feat_fd *ff, FILE *fp)
+ {
+ struct perf_env *env = &ff->ph->env;
+@@ -1683,6 +1680,7 @@ static void print_bpf_btf(struct feat_fd *ff, FILE *fp)
+
+ up_read(&env->bpf_progs.lock);
+ }
++#endif // HAVE_LIBBPF_SUPPORT
+
+ static void free_event_desc(struct evsel *events)
+ {
+@@ -2941,12 +2939,6 @@ static int process_bpf_prog_info(struct feat_fd *ff, void *data __maybe_unused)
+ up_write(&env->bpf_progs.lock);
+ return err;
+ }
+-#else // HAVE_LIBBPF_SUPPORT
+-static int process_bpf_prog_info(struct feat_fd *ff __maybe_unused, void *data __maybe_unused)
+-{
+- return 0;
+-}
+-#endif // HAVE_LIBBPF_SUPPORT
+
+ static int process_bpf_btf(struct feat_fd *ff, void *data __maybe_unused)
+ {
+@@ -2994,6 +2986,7 @@ static int process_bpf_btf(struct feat_fd *ff, void *data __maybe_unused)
+ free(node);
+ return err;
+ }
++#endif // HAVE_LIBBPF_SUPPORT
+
+ static int process_compressed(struct feat_fd *ff,
+ void *data __maybe_unused)
+@@ -3124,8 +3117,10 @@ const struct perf_header_feature_ops feat_ops[HEADER_LAST_FEATURE] = {
+ FEAT_OPR(MEM_TOPOLOGY, mem_topology, true),
+ FEAT_OPR(CLOCKID, clockid, false),
+ FEAT_OPN(DIR_FORMAT, dir_format, false),
++#ifdef HAVE_LIBBPF_SUPPORT
+ FEAT_OPR(BPF_PROG_INFO, bpf_prog_info, false),
+ FEAT_OPR(BPF_BTF, bpf_btf, false),
++#endif
+ FEAT_OPR(COMPRESSED, compressed, false),
+ FEAT_OPR(CPU_PMU_CAPS, cpu_pmu_caps, false),
+ FEAT_OPR(CLOCK_DATA, clock_data, false),
+--
+2.39.5
+
--- /dev/null
+From f4af205ea1fa52239f0cd4ead0f8e09bd4a5eea8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Dec 2024 16:44:58 +0800
+Subject: perf header: Fix one memory leakage in process_bpf_btf()
+
+From: Zhongqiu Han <quic_zhonhan@quicinc.com>
+
+[ Upstream commit 875d22980a062521beed7b5df71fb13a1af15d83 ]
+
+If __perf_env__insert_btf() returns false due to a duplicate btf node
+insertion, the temporary node will leak. Add a check to ensure the memory
+is freed if the function returns false.
+
+Fixes: a70a1123174ab592 ("perf bpf: Save BTF information as headers to perf.data")
+Reviewed-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Zhongqiu Han <quic_zhonhan@quicinc.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: James Clark <james.clark@linaro.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Song Liu <song@kernel.org>
+Cc: Yicong Yang <yangyicong@hisilicon.com>
+Link: https://lore.kernel.org/r/20241205084500.823660-2-quic_zhonhan@quicinc.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/header.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
+index d2812d98968df..a0a83e5de762a 100644
+--- a/tools/perf/util/header.c
++++ b/tools/perf/util/header.c
+@@ -2980,7 +2980,8 @@ static int process_bpf_btf(struct feat_fd *ff, void *data __maybe_unused)
+ if (__do_read(ff, node->data, data_size))
+ goto out;
+
+- __perf_env__insert_btf(env, node);
++ if (!__perf_env__insert_btf(env, node))
++ free(node);
+ node = NULL;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From d58126c7966da6e6bd59b71760e36ed51fea8eb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Dec 2024 16:44:59 +0800
+Subject: perf header: Fix one memory leakage in process_bpf_prog_info()
+
+From: Zhongqiu Han <quic_zhonhan@quicinc.com>
+
+[ Upstream commit a7da6c7030e1aec32f0a41c7b4fa70ec96042019 ]
+
+Function __perf_env__insert_bpf_prog_info() will return without inserting
+bpf prog info node into perf env again due to a duplicate bpf prog info
+node insertion, causing the temporary info_linear and info_node memory to
+leak. Modify the return type of this function to bool and add a check to
+ensure the memory is freed if the function returns false.
+
+Fixes: 606f972b1361f477 ("perf bpf: Save bpf_prog_info information as headers to perf.data")
+Reviewed-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Zhongqiu Han <quic_zhonhan@quicinc.com>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: James Clark <james.clark@linaro.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Song Liu <song@kernel.org>
+Cc: Yicong Yang <yangyicong@hisilicon.com>
+Link: https://lore.kernel.org/r/20241205084500.823660-3-quic_zhonhan@quicinc.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/env.c | 5 +++--
+ tools/perf/util/env.h | 2 +-
+ tools/perf/util/header.c | 5 ++++-
+ 3 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/tools/perf/util/env.c b/tools/perf/util/env.c
+index ed2a42abe1270..abb43643c7857 100644
+--- a/tools/perf/util/env.c
++++ b/tools/perf/util/env.c
+@@ -23,7 +23,7 @@ void perf_env__insert_bpf_prog_info(struct perf_env *env,
+ up_write(&env->bpf_progs.lock);
+ }
+
+-void __perf_env__insert_bpf_prog_info(struct perf_env *env, struct bpf_prog_info_node *info_node)
++bool __perf_env__insert_bpf_prog_info(struct perf_env *env, struct bpf_prog_info_node *info_node)
+ {
+ __u32 prog_id = info_node->info_linear->info.id;
+ struct bpf_prog_info_node *node;
+@@ -41,13 +41,14 @@ void __perf_env__insert_bpf_prog_info(struct perf_env *env, struct bpf_prog_info
+ p = &(*p)->rb_right;
+ } else {
+ pr_debug("duplicated bpf prog info %u\n", prog_id);
+- return;
++ return false;
+ }
+ }
+
+ rb_link_node(&info_node->rb_node, parent, p);
+ rb_insert_color(&info_node->rb_node, &env->bpf_progs.infos);
+ env->bpf_progs.infos_cnt++;
++ return true;
+ }
+
+ struct bpf_prog_info_node *perf_env__find_bpf_prog_info(struct perf_env *env,
+diff --git a/tools/perf/util/env.h b/tools/perf/util/env.h
+index ef0fd544cd672..64b63e989472e 100644
+--- a/tools/perf/util/env.h
++++ b/tools/perf/util/env.h
+@@ -139,7 +139,7 @@ const char *perf_env__raw_arch(struct perf_env *env);
+ int perf_env__nr_cpus_avail(struct perf_env *env);
+
+ void perf_env__init(struct perf_env *env);
+-void __perf_env__insert_bpf_prog_info(struct perf_env *env,
++bool __perf_env__insert_bpf_prog_info(struct perf_env *env,
+ struct bpf_prog_info_node *info_node);
+ void perf_env__insert_bpf_prog_info(struct perf_env *env,
+ struct bpf_prog_info_node *info_node);
+diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c
+index a0a83e5de762a..8d4f35e08905c 100644
+--- a/tools/perf/util/header.c
++++ b/tools/perf/util/header.c
+@@ -2927,7 +2927,10 @@ static int process_bpf_prog_info(struct feat_fd *ff, void *data __maybe_unused)
+ /* after reading from file, translate offset to address */
+ bpf_program__bpil_offs_to_addr(info_linear);
+ info_node->info_linear = info_linear;
+- __perf_env__insert_bpf_prog_info(env, info_node);
++ if (!__perf_env__insert_bpf_prog_info(env, info_node)) {
++ free(info_linear);
++ free(info_node);
++ }
+ }
+
+ up_write(&env->bpf_progs.lock);
+--
+2.39.5
+
--- /dev/null
+From 8876def9bc05bf6db1aa72b1c1f3115544ce6ae6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Jan 2025 10:15:24 +0100
+Subject: perf machine: Don't ignore _etext when not a text symbol
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit 7a93786c306296f15e728b1dbd949a319e4e3d19 ]
+
+Depending on how vmlinux.lds is written, _etext might be the very first
+data symbol instead of the very last text symbol.
+
+Don't require it to be a text symbol, accept any symbol type.
+
+Comitter notes:
+
+See the first Link for further discussion, but it all boils down to
+this:
+
+ ---
+ # grep -e _stext -e _etext -e _edata /proc/kallsyms
+ c0000000 T _stext
+ c08b8000 D _etext
+
+ So there is no _edata and _etext is not text
+
+ $ ppc-linux-objdump -x vmlinux | grep -e _stext -e _etext -e _edata
+ c0000000 g .head.text 00000000 _stext
+ c08b8000 g .rodata 00000000 _etext
+ c1378000 g .sbss 00000000 _edata
+ ---
+
+Fixes: ed9adb2035b5be58 ("perf machine: Read also the end of the kernel")
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: linuxppc-dev@lists.ozlabs.org
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Song Liu <songliubraving@fb.com>
+Link: https://lore.kernel.org/r/b3ee1994d95257cb7f2de037c5030ba7d1bed404.1736327613.git.christophe.leroy@csgroup.eu
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/machine.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/machine.c b/tools/perf/util/machine.c
+index d8d64cd63b1dc..4ae2d28f13ebe 100644
+--- a/tools/perf/util/machine.c
++++ b/tools/perf/util/machine.c
+@@ -1039,7 +1039,7 @@ static int machine__get_running_kernel_start(struct machine *machine,
+
+ err = kallsyms__get_symbol_start(filename, "_edata", &addr);
+ if (err)
+- err = kallsyms__get_function_start(filename, "_etext", &addr);
++ err = kallsyms__get_symbol_start(filename, "_etext", &addr);
+ if (!err)
+ *end = addr;
+
+--
+2.39.5
+
--- /dev/null
+From 850ab5f1c00d51542a86b35175bdf47a768aea98 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Jul 2023 17:19:29 -0700
+Subject: perf machine: Include data symbols in the kernel map
+
+From: Namhyung Kim <namhyung@kernel.org>
+
+[ Upstream commit 69a87a32f5cd8b262cb2195b045f96c63aede734 ]
+
+When 'perf record -d' is used, it needs data mmaps to symbolize global
+data. But it missed to collect kernel data maps so it cannot symbolize
+them. Instead of having a separate map, just increase the kernel map
+size to include the data section.
+
+Probably we can have a separate kernel map for data, but the current
+code assumes a single kernel map. So it'd require more changes in other
+places and looks error-prone. I decided not to go that way for now.
+
+Also it seems the kernel module size already includes the data section.
+
+For example, my system has the following.
+
+ $ grep -e _stext -e _etext -e _edata /proc/kallsyms
+ ffffffff99800000 T _stext
+ ffffffff9a601ac8 T _etext
+ ffffffff9b446a00 D _edata
+
+Size of the text section is (0x9a601ac8 - 0x99800000 = 0xe01ac8) and
+size including data section is (0x9b446a00 - 0x99800000 = 0x1c46a00).
+
+Before:
+ $ perf record -d true
+
+ $ perf report -D | grep MMAP | head -1
+ 0 0 0x460 [0x60]: PERF_RECORD_MMAP -1/0: [0xffffffff99800000(0xe01ac8) @ 0xffffffff99800000]: x [kernel.kallsyms]_text
+ ^^^^^^^^
+ here
+After:
+ $ perf report -D | grep MMAP | head -1
+ 0 0 0x460 [0x60]: PERF_RECORD_MMAP -1/0: [0xffffffff99800000(0x1c46a00) @ 0xffffffff99800000]: x [kernel.kallsyms]_text
+ ^^^^^^^^^
+
+Instead of just replacing it to _edata, try _edata first and then fall
+back to _etext just in case.
+
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@kernel.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20230725001929.368041-2-namhyung@kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Stable-dep-of: 7a93786c3062 ("perf machine: Don't ignore _etext when not a text symbol")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/util/machine.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/util/machine.c b/tools/perf/util/machine.c
+index eec926c313b13..d8d64cd63b1dc 100644
+--- a/tools/perf/util/machine.c
++++ b/tools/perf/util/machine.c
+@@ -1037,7 +1037,9 @@ static int machine__get_running_kernel_start(struct machine *machine,
+
+ *start = addr;
+
+- err = kallsyms__get_function_start(filename, "_etext", &addr);
++ err = kallsyms__get_symbol_start(filename, "_edata", &addr);
++ if (err)
++ err = kallsyms__get_function_start(filename, "_etext", &addr);
+ if (!err)
+ *end = addr;
+
+--
+2.39.5
+
--- /dev/null
+From 47692cae3eacf88366ac52692203ddce5b6ff977 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Jan 2025 23:22:19 +0800
+Subject: perf report: Fix misleading help message about --demangle
+
+From: Jiachen Zhang <me@jcix.top>
+
+[ Upstream commit ac0ac75189a4d6a29a2765a7adbb62bc6cc650c7 ]
+
+The wrong help message may mislead users. This commit fixes it.
+
+Fixes: 328ccdace8855289 ("perf report: Add --no-demangle option")
+Reviewed-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Jiachen Zhang <me@jcix.top>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Namhyung Kim <namhyung.kim@lge.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20250109152220.1869581-1-me@jcix.top
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-report.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/builtin-report.c b/tools/perf/builtin-report.c
+index b55ee073c2f72..575ad3c4fb373 100644
+--- a/tools/perf/builtin-report.c
++++ b/tools/perf/builtin-report.c
+@@ -1276,7 +1276,7 @@ int cmd_report(int argc, const char **argv)
+ OPT_STRING(0, "objdump", &report.annotation_opts.objdump_path, "path",
+ "objdump binary to use for disassembly and annotations"),
+ OPT_BOOLEAN(0, "demangle", &symbol_conf.demangle,
+- "Disable symbol demangling"),
++ "Symbol demangling. Enabled by default, use --no-demangle to disable."),
+ OPT_BOOLEAN(0, "demangle-kernel", &symbol_conf.demangle_kernel,
+ "Enable kernel symbol demangling"),
+ OPT_BOOLEAN(0, "mem-mode", &report.mem_mode, "mem access profile"),
+--
+2.39.5
+
--- /dev/null
+From 0b62cea497c0d1c173405630e71433b90996d231 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Jan 2025 16:50:39 -0300
+Subject: perf top: Don't complain about lack of vmlinux when not resolving
+ some kernel samples
+
+From: Arnaldo Carvalho de Melo <acme@redhat.com>
+
+[ Upstream commit 058b38ccd2af9e5c95590b018e8425fa148d7aca ]
+
+Recently we got a case where a kernel sample wasn't being resolved due
+to a bug that was not setting the end address on kernel functions
+implemented in assembly (see Link: tag), and then those were not being
+found by machine__resolve() -> map__find_symbol().
+
+So we ended up with:
+
+ # perf top --stdio
+ PerfTop: 0 irqs/s kernel: 0% exact: 0% lost: 0/0 drop: 0/0 [cycles/P]
+ -----------------------------------------------------------------------
+
+ Warning:
+ A vmlinux file was not found.
+ Kernel samples will not be resolved.
+ ^Z
+ [1]+ Stopped perf top --stdio
+ #
+
+But then resolving all other kernel symbols.
+
+So just fixup the logic to only print that warning when there are no
+symbols in the kernel map.
+
+Fixes: d88205db9caa0e9d ("perf dso: Add dso__has_symbols() method")
+Reviewed-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Ian Rogers <irogers@google.com>
+Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
+Cc: James Clark <james.clark@linaro.org>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Kan Liang <kan.liang@linux.intel.com>
+Link: https://lore.kernel.org/lkml/Z3buKhcCsZi3_aGb@x1
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-top.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/perf/builtin-top.c b/tools/perf/builtin-top.c
+index ee30372f77133..f14970acc6ba8 100644
+--- a/tools/perf/builtin-top.c
++++ b/tools/perf/builtin-top.c
+@@ -809,7 +809,7 @@ static void perf_event__process_sample(struct perf_tool *tool,
+ * invalid --vmlinux ;-)
+ */
+ if (!machine->kptr_restrict_warned && !top->vmlinux_warned &&
+- __map__is_kernel(al.map) && map__has_symbols(al.map)) {
++ __map__is_kernel(al.map) && !map__has_symbols(al.map)) {
+ if (symbol_conf.vmlinux_name) {
+ char serr[256];
+ dso__strerror_load(al.map->dso, serr, sizeof(serr));
+--
+2.39.5
+
--- /dev/null
+From 19cc43fcc3567709ccdd93d1cb68ea21df1aec3a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 21 Jan 2025 18:55:19 -0800
+Subject: perf trace: Fix runtime error of index out of bounds
+
+From: Howard Chu <howardchu95@gmail.com>
+
+[ Upstream commit c7b87ce0dd10b64b68a0b22cb83bbd556e28fe81 ]
+
+libtraceevent parses and returns an array of argument fields, sometimes
+larger than RAW_SYSCALL_ARGS_NUM (6) because it includes "__syscall_nr",
+idx will traverse to index 6 (7th element) whereas sc->fmt->arg holds 6
+elements max, creating an out-of-bounds access. This runtime error is
+found by UBsan. The error message:
+
+ $ sudo UBSAN_OPTIONS=print_stacktrace=1 ./perf trace -a --max-events=1
+ builtin-trace.c:1966:35: runtime error: index 6 out of bounds for type 'syscall_arg_fmt [6]'
+ #0 0x5c04956be5fe in syscall__alloc_arg_fmts /home/howard/hw/linux-perf/tools/perf/builtin-trace.c:1966
+ #1 0x5c04956c0510 in trace__read_syscall_info /home/howard/hw/linux-perf/tools/perf/builtin-trace.c:2110
+ #2 0x5c04956c372b in trace__syscall_info /home/howard/hw/linux-perf/tools/perf/builtin-trace.c:2436
+ #3 0x5c04956d2f39 in trace__init_syscalls_bpf_prog_array_maps /home/howard/hw/linux-perf/tools/perf/builtin-trace.c:3897
+ #4 0x5c04956d6d25 in trace__run /home/howard/hw/linux-perf/tools/perf/builtin-trace.c:4335
+ #5 0x5c04956e112e in cmd_trace /home/howard/hw/linux-perf/tools/perf/builtin-trace.c:5502
+ #6 0x5c04956eda7d in run_builtin /home/howard/hw/linux-perf/tools/perf/perf.c:351
+ #7 0x5c04956ee0a8 in handle_internal_command /home/howard/hw/linux-perf/tools/perf/perf.c:404
+ #8 0x5c04956ee37f in run_argv /home/howard/hw/linux-perf/tools/perf/perf.c:448
+ #9 0x5c04956ee8e9 in main /home/howard/hw/linux-perf/tools/perf/perf.c:556
+ #10 0x79eb3622a3b7 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
+ #11 0x79eb3622a47a in __libc_start_main_impl ../csu/libc-start.c:360
+ #12 0x5c04955422d4 in _start (/home/howard/hw/linux-perf/tools/perf/perf+0x4e02d4) (BuildId: 5b6cab2d59e96a4341741765ad6914a4d784dbc6)
+
+ 0.000 ( 0.014 ms): Chrome_ChildIO/117244 write(fd: 238, buf: !, count: 1) = 1
+
+Fixes: 5e58fcfaf4c6 ("perf trace: Allow allocating sc->arg_fmt even without the syscall tracepoint")
+Signed-off-by: Howard Chu <howardchu95@gmail.com>
+Link: https://lore.kernel.org/r/20250122025519.361873-1-howardchu95@gmail.com
+Signed-off-by: Namhyung Kim <namhyung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-trace.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/tools/perf/builtin-trace.c b/tools/perf/builtin-trace.c
+index 68189e6347205..178cf3a11f089 100644
+--- a/tools/perf/builtin-trace.c
++++ b/tools/perf/builtin-trace.c
+@@ -1803,8 +1803,12 @@ static int trace__read_syscall_info(struct trace *trace, int id)
+ return PTR_ERR(sc->tp_format);
+ }
+
++ /*
++ * The tracepoint format contains __syscall_nr field, so it's one more
++ * than the actual number of syscall arguments.
++ */
+ if (syscall__alloc_arg_fmts(sc, IS_ERR(sc->tp_format) ?
+- RAW_SYSCALL_ARGS_NUM : sc->tp_format->format.nr_fields))
++ RAW_SYSCALL_ARGS_NUM : sc->tp_format->format.nr_fields - 1))
+ return -ENOMEM;
+
+ sc->args = sc->tp_format->format.fields;
+--
+2.39.5
+
--- /dev/null
+From d513c6f29e95ad19a3285bcd0eae0a7bc05a1c51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 9 Dec 2022 16:09:14 +0100
+Subject: platform: Provide a remove callback that returns no value
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 5c5a7680e67ba6fbbb5f4d79fa41485450c1985c ]
+
+struct platform_driver::remove returning an integer made driver authors
+expect that returning an error code was proper error handling. However
+the driver core ignores the error and continues to remove the device
+because there is nothing the core could do anyhow and reentering the
+remove callback again is only calling for trouble.
+
+So this is an source for errors typically yielding resource leaks in the
+error path.
+
+As there are too many platform drivers to neatly convert them all to
+return void in a single go, do it in several steps after this patch:
+
+ a) Convert all drivers to implement .remove_new() returning void instead
+ of .remove() returning int;
+ b) Change struct platform_driver::remove() to return void and so make
+ it identical to .remove_new();
+ c) Change all drivers back to .remove() now with the better prototype;
+ d) drop struct platform_driver::remove_new().
+
+While this touches all drivers eventually twice, steps a) and c) can be
+done one driver after another and so reduces coordination efforts
+immensely and simplifies review.
+
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Link: https://lore.kernel.org/r/20221209150914.3557650-1-u.kleine-koenig@pengutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: bf5821909eb9 ("mtd: hyperbus: hbmc-am654: fix an OF node reference leak")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/platform.c | 4 +++-
+ include/linux/platform_device.h | 11 +++++++++++
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/base/platform.c b/drivers/base/platform.c
+index d0b15cbab0ff0..e07043d85c65c 100644
+--- a/drivers/base/platform.c
++++ b/drivers/base/platform.c
+@@ -1306,7 +1306,9 @@ static int platform_remove(struct device *_dev)
+ struct platform_driver *drv = to_platform_driver(_dev->driver);
+ struct platform_device *dev = to_platform_device(_dev);
+
+- if (drv->remove) {
++ if (drv->remove_new) {
++ drv->remove_new(dev);
++ } else if (drv->remove) {
+ int ret = drv->remove(dev);
+
+ if (ret)
+diff --git a/include/linux/platform_device.h b/include/linux/platform_device.h
+index e7a83b0218077..870a918aa251c 100644
+--- a/include/linux/platform_device.h
++++ b/include/linux/platform_device.h
+@@ -203,7 +203,18 @@ extern void platform_device_put(struct platform_device *pdev);
+
+ struct platform_driver {
+ int (*probe)(struct platform_device *);
++
++ /*
++ * Traditionally the remove callback returned an int which however is
++ * ignored by the driver core. This led to wrong expectations by driver
++ * authors who thought returning an error code was a valid error
++ * handling strategy. To convert to a callback returning void, new
++ * drivers should implement .remove_new() until the conversion it done
++ * that eventually makes .remove() return void.
++ */
+ int (*remove)(struct platform_device *);
++ void (*remove_new)(struct platform_device *);
++
+ void (*shutdown)(struct platform_device *);
+ int (*suspend)(struct platform_device *, pm_message_t state);
+ int (*resume)(struct platform_device *);
+--
+2.39.5
+
--- /dev/null
+From b3457db125d2253d1b2b760f57c0741bf23daba8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 Jan 2025 22:32:05 +0800
+Subject: PM: hibernate: Add error handling for syscore_suspend()
+
+From: Wentao Liang <vulab@iscas.ac.cn>
+
+[ Upstream commit e20a70c572539a486dbd91b225fa6a194a5e2122 ]
+
+In hibernation_platform_enter(), the code did not check the
+return value of syscore_suspend(), potentially leading to a
+situation where syscore_resume() would be called even if
+syscore_suspend() failed. This could cause unpredictable
+behavior or system instability.
+
+Modify the code sequence in question to properly handle errors returned
+by syscore_suspend(). If an error occurs in the suspend path, the code
+now jumps to label 'Enable_irqs' skipping the syscore_resume() call and
+only enabling interrupts after setting the system state to SYSTEM_RUNNING.
+
+Fixes: 40dc166cb5dd ("PM / Core: Introduce struct syscore_ops for core subsystems PM")
+Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
+Link: https://patch.msgid.link/20250119143205.2103-1-vulab@iscas.ac.cn
+[ rjw: Changelog edits ]
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/power/hibernate.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c
+index 59a1b126c369b..f2b2a2dcdb87b 100644
+--- a/kernel/power/hibernate.c
++++ b/kernel/power/hibernate.c
+@@ -590,7 +590,11 @@ int hibernation_platform_enter(void)
+
+ local_irq_disable();
+ system_state = SYSTEM_SUSPEND;
+- syscore_suspend();
++
++ error = syscore_suspend();
++ if (error)
++ goto Enable_irqs;
++
+ if (pm_wakeup_pending()) {
+ error = -EAGAIN;
+ goto Power_up;
+@@ -602,6 +606,7 @@ int hibernation_platform_enter(void)
+
+ Power_up:
+ syscore_resume();
++ Enable_irqs:
+ system_state = SYSTEM_RUNNING;
+ local_irq_enable();
+
+--
+2.39.5
+
--- /dev/null
+From 1856343e6435d557ab04729f9707bc14b961039a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jan 2025 20:24:41 +0100
+Subject: PM: sleep: core: Synchronize runtime PM status of parents and
+ children
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 3775fc538f535a7c5adaf11990c7932a0bd1f9eb ]
+
+Commit 6e176bf8d461 ("PM: sleep: core: Do not skip callbacks in the
+resume phase") overlooked the case in which the parent of a device with
+DPM_FLAG_SMART_SUSPEND set did not use that flag and could be runtime-
+suspended before a transition into a system-wide sleep state. In that
+case, if the child is resumed during the subsequent transition from
+that state into the working state, its runtime PM status will be set to
+RPM_ACTIVE, but the runtime PM status of the parent will not be updated
+accordingly, even though the parent will be resumed too, because of the
+dev_pm_skip_suspend() check in device_resume_noirq().
+
+Address this problem by tracking the need to set the runtime PM status
+to RPM_ACTIVE during system-wide resume transitions for devices with
+DPM_FLAG_SMART_SUSPEND set and all of the devices depended on by them.
+
+Fixes: 6e176bf8d461 ("PM: sleep: core: Do not skip callbacks in the resume phase")
+Closes: https://lore.kernel.org/linux-pm/Z30p2Etwf3F2AUvD@hovoldconsulting.com/
+Reported-by: Johan Hovold <johan@kernel.org>
+Tested-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
+Tested-by: Johan Hovold <johan+linaro@kernel.org>
+Link: https://patch.msgid.link/12619233.O9o76ZdvQC@rjwysocki.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/power/main.c | 29 ++++++++++++++++++++---------
+ include/linux/pm.h | 1 +
+ 2 files changed, 21 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c
+index 07f561e17b637..39646b27f2fb0 100644
+--- a/drivers/base/power/main.c
++++ b/drivers/base/power/main.c
+@@ -618,13 +618,15 @@ static void device_resume_noirq(struct device *dev, pm_message_t state, bool asy
+ * so change its status accordingly.
+ *
+ * Otherwise, the device is going to be resumed, so set its PM-runtime
+- * status to "active", but do that only if DPM_FLAG_SMART_SUSPEND is set
+- * to avoid confusing drivers that don't use it.
++ * status to "active" unless its power.set_active flag is clear, in
++ * which case it is not necessary to update its PM-runtime status.
+ */
+- if (skip_resume)
++ if (skip_resume) {
+ pm_runtime_set_suspended(dev);
+- else if (dev_pm_skip_suspend(dev))
++ } else if (dev->power.set_active) {
+ pm_runtime_set_active(dev);
++ dev->power.set_active = false;
++ }
+
+ if (dev->pm_domain) {
+ info = "noirq power domain ";
+@@ -1176,18 +1178,24 @@ static pm_message_t resume_event(pm_message_t sleep_state)
+ return PMSG_ON;
+ }
+
+-static void dpm_superior_set_must_resume(struct device *dev)
++static void dpm_superior_set_must_resume(struct device *dev, bool set_active)
+ {
+ struct device_link *link;
+ int idx;
+
+- if (dev->parent)
++ if (dev->parent) {
+ dev->parent->power.must_resume = true;
++ if (set_active)
++ dev->parent->power.set_active = true;
++ }
+
+ idx = device_links_read_lock();
+
+- list_for_each_entry_rcu_locked(link, &dev->links.suppliers, c_node)
++ list_for_each_entry_rcu_locked(link, &dev->links.suppliers, c_node) {
+ link->supplier->power.must_resume = true;
++ if (set_active)
++ link->supplier->power.set_active = true;
++ }
+
+ device_links_read_unlock(idx);
+ }
+@@ -1263,8 +1271,11 @@ static int __device_suspend_noirq(struct device *dev, pm_message_t state, bool a
+ dev->power.may_skip_resume))
+ dev->power.must_resume = true;
+
+- if (dev->power.must_resume)
+- dpm_superior_set_must_resume(dev);
++ if (dev->power.must_resume) {
++ dev->power.set_active = dev->power.set_active ||
++ dev_pm_test_driver_flags(dev, DPM_FLAG_SMART_SUSPEND);
++ dpm_superior_set_must_resume(dev, dev->power.set_active);
++ }
+
+ Complete:
+ complete_all(&dev->power.completion);
+diff --git a/include/linux/pm.h b/include/linux/pm.h
+index 04ba61ac1a8d6..9007379d333b3 100644
+--- a/include/linux/pm.h
++++ b/include/linux/pm.h
+@@ -585,6 +585,7 @@ struct dev_pm_info {
+ bool no_pm_callbacks:1; /* Owned by the PM core */
+ bool async_in_progress:1; /* Owned by the PM core */
+ bool must_resume:1; /* Owned by the PM core */
++ bool set_active:1; /* Owned by the PM core */
+ bool may_skip_resume:1; /* Set by subsystems */
+ #else
+ bool should_wakeup:1;
+--
+2.39.5
+
--- /dev/null
+From 46afbb4961503f331dbc45ed832299fd5a613a10 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 9 Jan 2024 17:59:22 +0100
+Subject: PM: sleep: Restore asynchronous device resume optimization
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit 3e999770ac1c7c31a70685dd5b88e89473509e9c ]
+
+Before commit 7839d0078e0d ("PM: sleep: Fix possible deadlocks in core
+system-wide PM code"), the resume of devices that were allowed to resume
+asynchronously was scheduled before starting the resume of the other
+devices, so the former did not have to wait for the latter unless
+functional dependencies were present.
+
+Commit 7839d0078e0d removed that optimization in order to address a
+correctness issue, but it can be restored with the help of a new device
+power management flag, so do that now.
+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>
+Stable-dep-of: 3775fc538f53 ("PM: sleep: core: Synchronize runtime PM status of parents and children")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/base/power/main.c | 117 +++++++++++++++++++++-----------------
+ include/linux/pm.h | 1 +
+ 2 files changed, 65 insertions(+), 53 deletions(-)
+
+diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c
+index fbc57c4fcdd01..07f561e17b637 100644
+--- a/drivers/base/power/main.c
++++ b/drivers/base/power/main.c
+@@ -583,7 +583,7 @@ bool dev_pm_skip_resume(struct device *dev)
+ }
+
+ /**
+- * __device_resume_noirq - Execute a "noirq resume" callback for given device.
++ * device_resume_noirq - Execute a "noirq resume" callback for given device.
+ * @dev: Device to handle.
+ * @state: PM transition of the system being carried out.
+ * @async: If true, the device is being resumed asynchronously.
+@@ -591,7 +591,7 @@ bool dev_pm_skip_resume(struct device *dev)
+ * The driver of @dev will not receive interrupts while this function is being
+ * executed.
+ */
+-static void __device_resume_noirq(struct device *dev, pm_message_t state, bool async)
++static void device_resume_noirq(struct device *dev, pm_message_t state, bool async)
+ {
+ pm_callback_t callback = NULL;
+ const char *info = NULL;
+@@ -678,16 +678,22 @@ static bool dpm_async_fn(struct device *dev, async_func_t func)
+ {
+ reinit_completion(&dev->power.completion);
+
+- if (!is_async(dev))
+- return false;
+-
+- get_device(dev);
++ if (is_async(dev)) {
++ dev->power.async_in_progress = true;
+
+- if (async_schedule_dev_nocall(func, dev))
+- return true;
++ get_device(dev);
+
+- put_device(dev);
++ if (async_schedule_dev_nocall(func, dev))
++ return true;
+
++ put_device(dev);
++ }
++ /*
++ * Because async_schedule_dev_nocall() above has returned false or it
++ * has not been called at all, func() is not running and it is safe to
++ * update the async_in_progress flag without extra synchronization.
++ */
++ dev->power.async_in_progress = false;
+ return false;
+ }
+
+@@ -695,18 +701,10 @@ static void async_resume_noirq(void *data, async_cookie_t cookie)
+ {
+ struct device *dev = data;
+
+- __device_resume_noirq(dev, pm_transition, true);
++ device_resume_noirq(dev, pm_transition, true);
+ put_device(dev);
+ }
+
+-static void device_resume_noirq(struct device *dev)
+-{
+- if (dpm_async_fn(dev, async_resume_noirq))
+- return;
+-
+- __device_resume_noirq(dev, pm_transition, false);
+-}
+-
+ static void dpm_noirq_resume_devices(pm_message_t state)
+ {
+ struct device *dev;
+@@ -716,18 +714,28 @@ static void dpm_noirq_resume_devices(pm_message_t state)
+ mutex_lock(&dpm_list_mtx);
+ pm_transition = state;
+
++ /*
++ * Trigger the resume of "async" devices upfront so they don't have to
++ * wait for the "non-async" ones they don't depend on.
++ */
++ list_for_each_entry(dev, &dpm_noirq_list, power.entry)
++ dpm_async_fn(dev, async_resume_noirq);
++
+ while (!list_empty(&dpm_noirq_list)) {
+ dev = to_device(dpm_noirq_list.next);
+- get_device(dev);
+ list_move_tail(&dev->power.entry, &dpm_late_early_list);
+
+- mutex_unlock(&dpm_list_mtx);
++ if (!dev->power.async_in_progress) {
++ get_device(dev);
+
+- device_resume_noirq(dev);
++ mutex_unlock(&dpm_list_mtx);
+
+- put_device(dev);
++ device_resume_noirq(dev, state, false);
+
+- mutex_lock(&dpm_list_mtx);
++ put_device(dev);
++
++ mutex_lock(&dpm_list_mtx);
++ }
+ }
+ mutex_unlock(&dpm_list_mtx);
+ async_synchronize_full();
+@@ -753,14 +761,14 @@ void dpm_resume_noirq(pm_message_t state)
+ }
+
+ /**
+- * __device_resume_early - Execute an "early resume" callback for given device.
++ * device_resume_early - Execute an "early resume" callback for given device.
+ * @dev: Device to handle.
+ * @state: PM transition of the system being carried out.
+ * @async: If true, the device is being resumed asynchronously.
+ *
+ * Runtime PM is disabled for @dev while this function is being executed.
+ */
+-static void __device_resume_early(struct device *dev, pm_message_t state, bool async)
++static void device_resume_early(struct device *dev, pm_message_t state, bool async)
+ {
+ pm_callback_t callback = NULL;
+ const char *info = NULL;
+@@ -826,18 +834,10 @@ static void async_resume_early(void *data, async_cookie_t cookie)
+ {
+ struct device *dev = data;
+
+- __device_resume_early(dev, pm_transition, true);
++ device_resume_early(dev, pm_transition, true);
+ put_device(dev);
+ }
+
+-static void device_resume_early(struct device *dev)
+-{
+- if (dpm_async_fn(dev, async_resume_early))
+- return;
+-
+- __device_resume_early(dev, pm_transition, false);
+-}
+-
+ /**
+ * dpm_resume_early - Execute "early resume" callbacks for all devices.
+ * @state: PM transition of the system being carried out.
+@@ -851,18 +851,28 @@ void dpm_resume_early(pm_message_t state)
+ mutex_lock(&dpm_list_mtx);
+ pm_transition = state;
+
++ /*
++ * Trigger the resume of "async" devices upfront so they don't have to
++ * wait for the "non-async" ones they don't depend on.
++ */
++ list_for_each_entry(dev, &dpm_late_early_list, power.entry)
++ dpm_async_fn(dev, async_resume_early);
++
+ while (!list_empty(&dpm_late_early_list)) {
+ dev = to_device(dpm_late_early_list.next);
+- get_device(dev);
+ list_move_tail(&dev->power.entry, &dpm_suspended_list);
+
+- mutex_unlock(&dpm_list_mtx);
++ if (!dev->power.async_in_progress) {
++ get_device(dev);
+
+- device_resume_early(dev);
++ mutex_unlock(&dpm_list_mtx);
+
+- put_device(dev);
++ device_resume_early(dev, state, false);
+
+- mutex_lock(&dpm_list_mtx);
++ put_device(dev);
++
++ mutex_lock(&dpm_list_mtx);
++ }
+ }
+ mutex_unlock(&dpm_list_mtx);
+ async_synchronize_full();
+@@ -882,12 +892,12 @@ void dpm_resume_start(pm_message_t state)
+ EXPORT_SYMBOL_GPL(dpm_resume_start);
+
+ /**
+- * __device_resume - Execute "resume" callbacks for given device.
++ * device_resume - Execute "resume" callbacks for given device.
+ * @dev: Device to handle.
+ * @state: PM transition of the system being carried out.
+ * @async: If true, the device is being resumed asynchronously.
+ */
+-static void __device_resume(struct device *dev, pm_message_t state, bool async)
++static void device_resume(struct device *dev, pm_message_t state, bool async)
+ {
+ pm_callback_t callback = NULL;
+ const char *info = NULL;
+@@ -981,18 +991,10 @@ static void async_resume(void *data, async_cookie_t cookie)
+ {
+ struct device *dev = data;
+
+- __device_resume(dev, pm_transition, true);
++ device_resume(dev, pm_transition, true);
+ put_device(dev);
+ }
+
+-static void device_resume(struct device *dev)
+-{
+- if (dpm_async_fn(dev, async_resume))
+- return;
+-
+- __device_resume(dev, pm_transition, false);
+-}
+-
+ /**
+ * dpm_resume - Execute "resume" callbacks for non-sysdev devices.
+ * @state: PM transition of the system being carried out.
+@@ -1012,16 +1014,25 @@ void dpm_resume(pm_message_t state)
+ pm_transition = state;
+ async_error = 0;
+
++ /*
++ * Trigger the resume of "async" devices upfront so they don't have to
++ * wait for the "non-async" ones they don't depend on.
++ */
++ list_for_each_entry(dev, &dpm_suspended_list, power.entry)
++ dpm_async_fn(dev, async_resume);
++
+ while (!list_empty(&dpm_suspended_list)) {
+ dev = to_device(dpm_suspended_list.next);
+
+ get_device(dev);
+
+- mutex_unlock(&dpm_list_mtx);
++ if (!dev->power.async_in_progress) {
++ mutex_unlock(&dpm_list_mtx);
+
+- device_resume(dev);
++ device_resume(dev, state, false);
+
+- mutex_lock(&dpm_list_mtx);
++ mutex_lock(&dpm_list_mtx);
++ }
+
+ if (!list_empty(&dev->power.entry))
+ list_move_tail(&dev->power.entry, &dpm_prepared_list);
+diff --git a/include/linux/pm.h b/include/linux/pm.h
+index 52d9724db9dc6..c27d1e4ca8ca9 100644
+--- a/include/linux/pm.h
++++ b/include/linux/pm.h
+@@ -583,6 +583,7 @@ struct dev_pm_info {
+ bool wakeup_path:1;
+ bool syscore:1;
+ bool no_pm_callbacks:1; /* Owned by the PM core */
++ bool async_in_progress:1; /* Owned by the PM core */
+ unsigned int must_resume:1; /* Owned by the PM core */
+ unsigned int may_skip_resume:1; /* Set by subsystems */
+ #else
+--
+2.39.5
+
--- /dev/null
+From 6eaa9e0ddeb12a1936d188b0b17c0cd1c1abbb2b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 22 Jan 2024 17:11:26 +0100
+Subject: PM: sleep: Use bool for all 1-bit fields in struct dev_pm_info
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+[ Upstream commit b017500ab53c06441ff7d3a681484e37039b4f57 ]
+
+For some 1-bit fields in struct dev_pm_info the data type is bool, while
+for some other 1-bit fields in there it is unsigned int, and these
+differences are somewhat arbitrary.
+
+For consistency, change the data type of the latter to bool, so that all
+of the 1-bit fields in struct dev_pm_info fields are bool.
+
+No intentional functional impact.
+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Stable-dep-of: 3775fc538f53 ("PM: sleep: core: Synchronize runtime PM status of parents and children")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/pm.h | 30 +++++++++++++++---------------
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/include/linux/pm.h b/include/linux/pm.h
+index c27d1e4ca8ca9..04ba61ac1a8d6 100644
+--- a/include/linux/pm.h
++++ b/include/linux/pm.h
+@@ -564,8 +564,8 @@ struct pm_subsys_data {
+
+ struct dev_pm_info {
+ pm_message_t power_state;
+- unsigned int can_wakeup:1;
+- unsigned int async_suspend:1;
++ bool can_wakeup:1;
++ bool async_suspend:1;
+ bool in_dpm_list:1; /* Owned by the PM core */
+ bool is_prepared:1; /* Owned by the PM core */
+ bool is_suspended:1; /* Ditto */
+@@ -584,10 +584,10 @@ struct dev_pm_info {
+ bool syscore:1;
+ bool no_pm_callbacks:1; /* Owned by the PM core */
+ bool async_in_progress:1; /* Owned by the PM core */
+- unsigned int must_resume:1; /* Owned by the PM core */
+- unsigned int may_skip_resume:1; /* Set by subsystems */
++ bool must_resume:1; /* Owned by the PM core */
++ bool may_skip_resume:1; /* Set by subsystems */
+ #else
+- unsigned int should_wakeup:1;
++ bool should_wakeup:1;
+ #endif
+ #ifdef CONFIG_PM
+ struct hrtimer suspend_timer;
+@@ -598,17 +598,17 @@ struct dev_pm_info {
+ atomic_t usage_count;
+ atomic_t child_count;
+ unsigned int disable_depth:3;
+- unsigned int idle_notification:1;
+- unsigned int request_pending:1;
+- unsigned int deferred_resume:1;
+- unsigned int needs_force_resume:1;
+- unsigned int runtime_auto:1;
++ bool idle_notification:1;
++ bool request_pending:1;
++ bool deferred_resume:1;
++ bool needs_force_resume:1;
++ bool runtime_auto:1;
+ bool ignore_children:1;
+- unsigned int no_callbacks:1;
+- unsigned int irq_safe:1;
+- unsigned int use_autosuspend:1;
+- unsigned int timer_autosuspends:1;
+- unsigned int memalloc_noio:1;
++ bool no_callbacks:1;
++ bool irq_safe:1;
++ bool use_autosuspend:1;
++ bool timer_autosuspends:1;
++ bool memalloc_noio:1;
+ unsigned int links_count;
+ enum rpm_request request;
+ enum rpm_status runtime_status;
+--
+2.39.5
+
--- /dev/null
+From 455a1be83ff738d4e788ceb5bb15c08619d37dac Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 15 Dec 2024 17:47:52 -0500
+Subject: pwm: stm32: Add check for clk_enable()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mingwei Zheng <zmw12306@gmail.com>
+
+[ Upstream commit e8c59791ebb60790c74b2c3ab520f04a8a57219a ]
+
+Add check for the return value of clk_enable() to catch the potential
+error.
+
+Fixes: 19f1016ea960 ("pwm: stm32: Fix enable count for clk in .probe()")
+Signed-off-by: Mingwei Zheng <zmw12306@gmail.com>
+Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Link: https://lore.kernel.org/r/20241215224752.220318-1-zmw12306@gmail.com
+Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-stm32.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pwm/pwm-stm32.c b/drivers/pwm/pwm-stm32.c
+index 7146b3f6755bc..2ca2855255be1 100644
+--- a/drivers/pwm/pwm-stm32.c
++++ b/drivers/pwm/pwm-stm32.c
+@@ -634,8 +634,11 @@ static int stm32_pwm_probe(struct platform_device *pdev)
+ priv->chip.npwm = stm32_pwm_detect_channels(priv, &num_enabled);
+
+ /* Initialize clock refcount to number of enabled PWM channels. */
+- for (i = 0; i < num_enabled; i++)
+- clk_enable(priv->clk);
++ for (i = 0; i < num_enabled; i++) {
++ ret = clk_enable(priv->clk);
++ if (ret)
++ return ret;
++ }
+
+ ret = pwmchip_add(&priv->chip);
+ if (ret < 0)
+--
+2.39.5
+
--- /dev/null
+From f90fc366b8a06acbffd51cb01af83bee75f60747 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2024 16:53:18 -0500
+Subject: pwm: stm32-lp: Add check for clk_enable()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mingwei Zheng <zmw12306@gmail.com>
+
+[ Upstream commit cce16e7f6216227964cda25f5f23634bce2c500f ]
+
+Add check for the return value of clk_enable() to catch the potential
+error.
+We used APP-Miner to find it.
+
+Fixes: e70a540b4e02 ("pwm: Add STM32 LPTimer PWM driver")
+Signed-off-by: Mingwei Zheng <zmw12306@gmail.com>
+Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Link: https://lore.kernel.org/r/20241206215318.3402860-1-zmw12306@gmail.com
+Signed-off-by: Uwe Kleine-König <ukleinek@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-stm32-lp.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/pwm/pwm-stm32-lp.c b/drivers/pwm/pwm-stm32-lp.c
+index c8a847fcb775b..6c77499c27211 100644
+--- a/drivers/pwm/pwm-stm32-lp.c
++++ b/drivers/pwm/pwm-stm32-lp.c
+@@ -169,8 +169,12 @@ static void stm32_pwm_lp_get_state(struct pwm_chip *chip,
+ regmap_read(priv->regmap, STM32_LPTIM_CR, &val);
+ state->enabled = !!FIELD_GET(STM32_LPTIM_ENABLE, val);
+ /* Keep PWM counter clock refcount in sync with PWM initial state */
+- if (state->enabled)
+- clk_enable(priv->clk);
++ if (state->enabled) {
++ int ret = clk_enable(priv->clk);
++
++ if (ret)
++ return ret;
++ }
+
+ regmap_read(priv->regmap, STM32_LPTIM_CFGR, &val);
+ presc = FIELD_GET(STM32_LPTIM_PRESC, val);
+--
+2.39.5
+
--- /dev/null
+From df45899a5e30e7634c34c73d2107cbd00abda35d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 30 Nov 2024 13:01:37 +0300
+Subject: rdma/cxgb4: Prevent potential integer overflow on 32bit
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit bd96a3935e89486304461a21752f824fc25e0f0b ]
+
+The "gl->tot_len" variable is controlled by the user. It comes from
+process_responses(). On 32bit systems, the "gl->tot_len + sizeof(struct
+cpl_pass_accept_req) + sizeof(struct rss_header)" addition could have an
+integer wrapping bug. Use size_add() to prevent this.
+
+Fixes: 1cab775c3e75 ("RDMA/cxgb4: Fix LE hash collision bug for passive open connection")
+Link: https://patch.msgid.link/r/86b404e1-4a75-4a35-a34e-e3054fa554c7@stanley.mountain
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/cxgb4/device.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/hw/cxgb4/device.c b/drivers/infiniband/hw/cxgb4/device.c
+index 541dbcf22d0eb..13e4b2c40d835 100644
+--- a/drivers/infiniband/hw/cxgb4/device.c
++++ b/drivers/infiniband/hw/cxgb4/device.c
+@@ -1114,8 +1114,10 @@ static inline struct sk_buff *copy_gl_to_skb_pkt(const struct pkt_gl *gl,
+ * The math here assumes sizeof cpl_pass_accept_req >= sizeof
+ * cpl_rx_pkt.
+ */
+- skb = alloc_skb(gl->tot_len + sizeof(struct cpl_pass_accept_req) +
+- sizeof(struct rss_header) - pktshift, GFP_ATOMIC);
++ skb = alloc_skb(size_add(gl->tot_len,
++ sizeof(struct cpl_pass_accept_req) +
++ sizeof(struct rss_header)) - pktshift,
++ GFP_ATOMIC);
+ if (unlikely(!skb))
+ return NULL;
+
+--
+2.39.5
+
--- /dev/null
+From 7702cc153d3acb2002a8c4b541bc04d9c905fea2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Dec 2024 15:44:25 +0200
+Subject: RDMA/mlx4: Avoid false error about access to uninitialized gids array
+
+From: Leon Romanovsky <leonro@nvidia.com>
+
+[ Upstream commit 1f53d88cbb0dcc7df235bf6611ae632b254fccd8 ]
+
+Smatch generates the following false error report:
+drivers/infiniband/hw/mlx4/main.c:393 mlx4_ib_del_gid() error: uninitialized symbol 'gids'.
+
+Traditionally, we are not changing kernel code and asking people to fix
+the tools. However in this case, the fix can be done by simply rearranging
+the code to be more clear.
+
+Fixes: e26be1bfef81 ("IB/mlx4: Implement ib_device callbacks")
+Link: https://patch.msgid.link/6a3a1577463da16962463fcf62883a87506e9b62.1733233426.git.leonro@nvidia.com
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/mlx4/main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/infiniband/hw/mlx4/main.c b/drivers/infiniband/hw/mlx4/main.c
+index c62cdd6456962..0c49f3f5e6247 100644
+--- a/drivers/infiniband/hw/mlx4/main.c
++++ b/drivers/infiniband/hw/mlx4/main.c
+@@ -391,10 +391,10 @@ static int mlx4_ib_del_gid(const struct ib_gid_attr *attr, void **context)
+ }
+ spin_unlock_bh(&iboe->lock);
+
+- if (!ret && hw_update) {
++ if (gids)
+ ret = mlx4_ib_update_gids(gids, ibdev, attr->port_num);
+- kfree(gids);
+- }
++
++ kfree(gids);
+ return ret;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From e93b7637a341d6e3bba9c2d67658c6571241cbd6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Jan 2025 17:04:53 +0900
+Subject: regulator: of: Implement the unwind path of of_regulator_match()
+
+From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+
+[ Upstream commit dddca3b2fc676113c58b04aaefe84bfb958ac83e ]
+
+of_regulator_match() does not release the OF node reference in the error
+path, resulting in an OF node leak. Therefore, call of_node_put() on the
+obtained nodes before returning the EINVAL error.
+
+Since it is possible that some drivers call this function and do not
+exit on failure, such as s2mps11_pmic_driver, clear the init_data and
+of_node in the error path.
+
+This was reported by an experimental verification tool that I am
+developing. As I do not have access to actual devices nor the QEMU board
+configuration to test drivers that call this function, no runtime test
+was able to be performed.
+
+Fixes: 1c8fa58f4750 ("regulator: Add generic DT parsing for regulators")
+Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+Link: https://patch.msgid.link/20250104080453.2153592-1-joe@pf.is.s.u-tokyo.ac.jp
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/regulator/of_regulator.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/regulator/of_regulator.c b/drivers/regulator/of_regulator.c
+index 5d844697c7b68..d1e69470137cf 100644
+--- a/drivers/regulator/of_regulator.c
++++ b/drivers/regulator/of_regulator.c
+@@ -377,7 +377,7 @@ int of_regulator_match(struct device *dev, struct device_node *node,
+ "failed to parse DT for regulator %pOFn\n",
+ child);
+ of_node_put(child);
+- return -EINVAL;
++ goto err_put;
+ }
+ match->of_node = of_node_get(child);
+ count++;
+@@ -386,6 +386,18 @@ int of_regulator_match(struct device *dev, struct device_node *node,
+ }
+
+ return count;
++
++err_put:
++ for (i = 0; i < num_matches; i++) {
++ struct of_regulator_match *match = &matches[i];
++
++ match->init_data = NULL;
++ if (match->of_node) {
++ of_node_put(match->of_node);
++ match->of_node = NULL;
++ }
++ }
++ return -EINVAL;
+ }
+ EXPORT_SYMBOL_GPL(of_regulator_match);
+
+--
+2.39.5
+
--- /dev/null
+From bde7c944d212055d666c6c52f6684bb7587298f0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2024 20:34:58 +0100
+Subject: rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read
+
+From: Oleksij Rempel <o.rempel@pengutronix.de>
+
+[ Upstream commit 3ab8c5ed4f84fa20cd16794fe8dc31f633fbc70c ]
+
+The nvmem interface supports variable buffer sizes, while the regmap
+interface operates with fixed-size storage. If an nvmem client uses a
+buffer size less than 4 bytes, regmap_read will write out of bounds
+as it expects the buffer to point at an unsigned int.
+
+Fix this by using an intermediary unsigned int to hold the value.
+
+Fixes: fadfd092ee91 ("rtc: pcf85063: add nvram support")
+Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
+Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
+Link: https://lore.kernel.org/r/20241218-rtc-pcf85063-stack-corruption-v1-1-12fd0ee0f046@pengutronix.de
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-pcf85063.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/rtc/rtc-pcf85063.c b/drivers/rtc/rtc-pcf85063.c
+index 449204d84c61d..dd3336cbb7921 100644
+--- a/drivers/rtc/rtc-pcf85063.c
++++ b/drivers/rtc/rtc-pcf85063.c
+@@ -328,7 +328,16 @@ static const struct rtc_class_ops pcf85063_rtc_ops_alarm = {
+ static int pcf85063_nvmem_read(void *priv, unsigned int offset,
+ void *val, size_t bytes)
+ {
+- return regmap_read(priv, PCF85063_REG_RAM, val);
++ unsigned int tmp;
++ int ret;
++
++ ret = regmap_read(priv, PCF85063_REG_RAM, &tmp);
++ if (ret < 0)
++ return ret;
++
++ *(u8 *)val = tmp;
++
++ return 0;
+ }
+
+ static int pcf85063_nvmem_write(void *priv, unsigned int offset,
+--
+2.39.5
+
--- /dev/null
+From aa3b4edf2e0f30264fdf14dcba225e615093f59e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 27 Mar 2021 23:00:14 +0000
+Subject: rtlwifi: remove redundant assignment to variable err
+
+From: Colin Ian King <colin.king@canonical.com>
+
+[ Upstream commit 87431bc1f0f67aa2d23ca1b9682fe54f68549d42 ]
+
+Variable err is assigned -ENODEV followed by an error return path
+via label error_out that does not access the variable and returns
+with the -ENODEV error return code. The assignment to err is
+redundant and can be removed.
+
+Addresses-Coverity: ("Unused value")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210327230014.25554-1-colin.king@canonical.com
+Stable-dep-of: b4b26642b31e ("wifi: rtlwifi: wait for firmware loading before releasing memory")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/usb.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c
+index 7e4655de30237..add6da1ce3602 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/usb.c
++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c
+@@ -1072,7 +1072,6 @@ int rtl_usb_probe(struct usb_interface *intf,
+ err = ieee80211_register_hw(hw);
+ if (err) {
+ pr_err("Can't register mac80211 hw.\n");
+- err = -ENODEV;
+ goto error_out;
+ }
+ rtlpriv->mac80211.mac80211_registered = 1;
+--
+2.39.5
+
--- /dev/null
+From 20605d6f26ad64cbae1084b1c1a8e3fea9b9c364 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Mar 2022 08:21:24 +0100
+Subject: rtlwifi: replace usage of found with dedicated list iterator variable
+
+From: Jakob Koschel <jakobkoschel@gmail.com>
+
+[ Upstream commit a0ff2a87194a968b9547fd4d824a09092171d1ea ]
+
+To move the list iterator variable into the list_for_each_entry_*()
+macro in the future it should be avoided to use the list iterator
+variable after the loop body.
+
+To *never* use the list iterator variable after the loop it was
+concluded to use a separate iterator variable instead of a
+found boolean [1].
+
+This removes the need to use a found variable and simply checking if
+the variable was set, can determine if the break/goto was hit.
+
+Link: https://lore.kernel.org/all/CAHk-=wgRr_D8CB-D9Kg-c=EHreAsk5SqXPwr9Y7k9sA6cWXJ6w@mail.gmail.com/
+Signed-off-by: Jakob Koschel <jakobkoschel@gmail.com>
+Acked-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20220324072124.62458-1-jakobkoschel@gmail.com
+Stable-dep-of: 2fdac64c3c35 ("wifi: rtlwifi: remove unused check_buddy_priv")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/base.c | 13 ++++++-------
+ drivers/net/wireless/realtek/rtlwifi/pci.c | 15 +++++++--------
+ 2 files changed, 13 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c
+index 1866f6c2acab1..7ec876c6c663e 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/base.c
++++ b/drivers/net/wireless/realtek/rtlwifi/base.c
+@@ -1995,8 +1995,7 @@ void rtl_collect_scan_list(struct ieee80211_hw *hw, struct sk_buff *skb)
+ struct rtl_mac *mac = rtl_mac(rtl_priv(hw));
+ unsigned long flags;
+
+- struct rtl_bssid_entry *entry;
+- bool entry_found = false;
++ struct rtl_bssid_entry *entry = NULL, *iter;
+
+ /* check if it is scanning */
+ if (!mac->act_scanning)
+@@ -2009,10 +2008,10 @@ void rtl_collect_scan_list(struct ieee80211_hw *hw, struct sk_buff *skb)
+
+ spin_lock_irqsave(&rtlpriv->locks.scan_list_lock, flags);
+
+- list_for_each_entry(entry, &rtlpriv->scan_list.list, list) {
+- if (memcmp(entry->bssid, hdr->addr3, ETH_ALEN) == 0) {
+- list_del_init(&entry->list);
+- entry_found = true;
++ list_for_each_entry(iter, &rtlpriv->scan_list.list, list) {
++ if (memcmp(iter->bssid, hdr->addr3, ETH_ALEN) == 0) {
++ list_del_init(&iter->list);
++ entry = iter;
+ rtl_dbg(rtlpriv, COMP_SCAN, DBG_LOUD,
+ "Update BSSID=%pM to scan list (total=%d)\n",
+ hdr->addr3, rtlpriv->scan_list.num);
+@@ -2020,7 +2019,7 @@ void rtl_collect_scan_list(struct ieee80211_hw *hw, struct sk_buff *skb)
+ }
+ }
+
+- if (!entry_found) {
++ if (!entry) {
+ entry = kmalloc(sizeof(*entry), GFP_ATOMIC);
+
+ if (!entry)
+diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
+index 70f1cc906502b..f17a365fba070 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
+@@ -300,14 +300,13 @@ static bool rtl_pci_check_buddy_priv(struct ieee80211_hw *hw,
+ {
+ struct rtl_priv *rtlpriv = rtl_priv(hw);
+ struct rtl_pci_priv *pcipriv = rtl_pcipriv(hw);
+- bool find_buddy_priv = false;
+- struct rtl_priv *tpriv;
++ struct rtl_priv *tpriv = NULL, *iter;
+ struct rtl_pci_priv *tpcipriv = NULL;
+
+ if (!list_empty(&rtlpriv->glb_var->glb_priv_list)) {
+- list_for_each_entry(tpriv, &rtlpriv->glb_var->glb_priv_list,
++ list_for_each_entry(iter, &rtlpriv->glb_var->glb_priv_list,
+ list) {
+- tpcipriv = (struct rtl_pci_priv *)tpriv->priv;
++ tpcipriv = (struct rtl_pci_priv *)iter->priv;
+ rtl_dbg(rtlpriv, COMP_INIT, DBG_LOUD,
+ "pcipriv->ndis_adapter.funcnumber %x\n",
+ pcipriv->ndis_adapter.funcnumber);
+@@ -321,19 +320,19 @@ static bool rtl_pci_check_buddy_priv(struct ieee80211_hw *hw,
+ tpcipriv->ndis_adapter.devnumber &&
+ pcipriv->ndis_adapter.funcnumber !=
+ tpcipriv->ndis_adapter.funcnumber) {
+- find_buddy_priv = true;
++ tpriv = iter;
+ break;
+ }
+ }
+ }
+
+ rtl_dbg(rtlpriv, COMP_INIT, DBG_LOUD,
+- "find_buddy_priv %d\n", find_buddy_priv);
++ "find_buddy_priv %d\n", tpriv != NULL);
+
+- if (find_buddy_priv)
++ if (tpriv)
+ *buddy_priv = tpriv;
+
+- return find_buddy_priv;
++ return tpriv != NULL;
+ }
+
+ static void rtl_pci_parse_configuration(struct pci_dev *pdev,
+--
+2.39.5
+
--- /dev/null
+From e515841737e9d7cc3cc4013579052803f2804d12 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Dec 2024 23:18:12 +0100
+Subject: scsi: mpt3sas: Set ioc->manu_pg11.EEDPTagMode directly to 1
+
+From: Paul Menzel <pmenzel@molgen.mpg.de>
+
+[ Upstream commit ad7c3c0cb8f61d6d5a48b83e62ca4a9fd2f26153 ]
+
+Currently, the code does:
+
+ if (x == 0) {
+ x &= ~0x3;
+ x |= 0x1;
+ }
+
+Zeroing bits 0 and 1 of a variable that is 0 is not necessary. So directly
+set the variable to 1.
+
+Cc: Sreekanth Reddy <sreekanth.reddy@broadcom.com>
+Fixes: f92363d12359 ("[SCSI] mpt3sas: add new driver supporting 12GB SAS")
+Signed-off-by: Paul Menzel <pmenzel@molgen.mpg.de>
+Link: https://lore.kernel.org/r/20241212221817.78940-2-pmenzel@molgen.mpg.de
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/mpt3sas/mpt3sas_base.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c
+index 768635de93da9..78b178aa46e94 100644
+--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
+@@ -4771,8 +4771,7 @@ _base_static_config_pages(struct MPT3SAS_ADAPTER *ioc)
+ if (!ioc->is_gen35_ioc && ioc->manu_pg11.EEDPTagMode == 0) {
+ pr_err("%s: overriding NVDATA EEDPTagMode setting\n",
+ ioc->name);
+- ioc->manu_pg11.EEDPTagMode &= ~0x3;
+- ioc->manu_pg11.EEDPTagMode |= 0x1;
++ ioc->manu_pg11.EEDPTagMode = 0x1;
+ mpt3sas_config_set_manufacturing_pg11(ioc, &mpi_reply,
+ &ioc->manu_pg11);
+ }
+--
+2.39.5
+
--- /dev/null
+From 930a1b5b957318c09f0234f6ac4ecb53244c890a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2024 09:42:13 +0800
+Subject: scsi: ufs: bsg: Delete bsg_dev when setting up bsg fails
+
+From: Guixin Liu <kanie@linux.alibaba.com>
+
+[ Upstream commit fcf247deb3c3e1c6be5774e3fa03bbd018eff1a9 ]
+
+We should remove the bsg device when bsg_setup_queue() fails to release the
+resources.
+
+Fixes: df032bf27a41 ("scsi: ufs: Add a bsg endpoint that supports UPIUs")
+Signed-off-by: Guixin Liu <kanie@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20241218014214.64533-2-kanie@linux.alibaba.com
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/ufs/ufs_bsg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/scsi/ufs/ufs_bsg.c b/drivers/scsi/ufs/ufs_bsg.c
+index 5b2bc1a6f9226..05c7347eda188 100644
+--- a/drivers/scsi/ufs/ufs_bsg.c
++++ b/drivers/scsi/ufs/ufs_bsg.c
+@@ -213,6 +213,7 @@ int ufs_bsg_probe(struct ufs_hba *hba)
+ q = bsg_setup_queue(bsg_dev, dev_name(bsg_dev), ufs_bsg_request, NULL, 0);
+ if (IS_ERR(q)) {
+ ret = PTR_ERR(q);
++ device_del(bsg_dev);
+ goto out;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 668db8475eb987b5380ee8b422fb101f9ec0338d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Jan 2025 09:37:24 +0100
+Subject: select: Fix unbalanced user_access_end()
+
+From: Christophe Leroy <christophe.leroy@csgroup.eu>
+
+[ Upstream commit 344af27715ddbf357cf76978d674428b88f8e92d ]
+
+While working on implementing user access validation on powerpc
+I got the following warnings on a pmac32_defconfig build:
+
+ CC fs/select.o
+ fs/select.o: warning: objtool: sys_pselect6+0x1bc: redundant UACCESS disable
+ fs/select.o: warning: objtool: sys_pselect6_time32+0x1bc: redundant UACCESS disable
+
+On powerpc/32s, user_read_access_begin/end() are no-ops, but the
+failure path has a user_access_end() instead of user_read_access_end()
+which means an access end without any prior access begin.
+
+Replace that user_access_end() by user_read_access_end().
+
+Fixes: 7e71609f64ec ("pselect6() and friends: take handling the combined 6th/7th args into helper")
+Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
+Link: https://lore.kernel.org/r/a7139e28d767a13e667ee3c79599a8047222ef36.1736751221.git.christophe.leroy@csgroup.eu
+Signed-off-by: Christian Brauner <brauner@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/select.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/select.c b/fs/select.c
+index 668a5200503ae..7ce67428582e6 100644
+--- a/fs/select.c
++++ b/fs/select.c
+@@ -787,7 +787,7 @@ static inline int get_sigset_argpack(struct sigset_argpack *to,
+ }
+ return 0;
+ Efault:
+- user_access_end();
++ user_read_access_end();
+ return -EFAULT;
+ }
+
+@@ -1360,7 +1360,7 @@ static inline int get_compat_sigset_argpack(struct compat_sigset_argpack *to,
+ }
+ return 0;
+ Efault:
+- user_access_end();
++ user_read_access_end();
+ return -EFAULT;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 6b90497f1f071a52a5a5b00a62fd2c38eef46192 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 8 Jan 2025 19:07:57 +0200
+Subject: selftests: harness: fix printing of mismatch values in __EXPECT()
+
+From: Dmitry V. Levin <ldv@strace.io>
+
+[ Upstream commit 02bc220dc6dc7c56edc4859bc5dd2c08b95d5fb5 ]
+
+intptr_t and uintptr_t are not big enough types on 32-bit architectures
+when printing 64-bit values, resulting to the following incorrect
+diagnostic output:
+
+ # get_syscall_info.c:209:get_syscall_info:Expected exp_args[2] (3134324433) == info.entry.args[1] (3134324433)
+
+Replace intptr_t and uintptr_t with intmax_t and uintmax_t, respectively.
+With this fix, the same test produces more usable diagnostic output:
+
+ # get_syscall_info.c:209:get_syscall_info:Expected exp_args[2] (3134324433) == info.entry.args[1] (18446744072548908753)
+
+Link: https://lore.kernel.org/r/20250108170757.GA6723@strace.io
+Fixes: b5bb6d3068ea ("selftests/seccomp: fix 32-bit build warnings")
+Signed-off-by: Dmitry V. Levin <ldv@strace.io>
+Reviewed-by: Kees Cook <kees@kernel.org>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/kselftest_harness.h | 24 ++++++++++-----------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/tools/testing/selftests/kselftest_harness.h b/tools/testing/selftests/kselftest_harness.h
+index 2fadc99d93619..8baf4789d9372 100644
+--- a/tools/testing/selftests/kselftest_harness.h
++++ b/tools/testing/selftests/kselftest_harness.h
+@@ -695,33 +695,33 @@
+ /* Report with actual signedness to avoid weird output. */ \
+ switch (is_signed_type(__exp) * 2 + is_signed_type(__seen)) { \
+ case 0: { \
+- unsigned long long __exp_print = (uintptr_t)__exp; \
+- unsigned long long __seen_print = (uintptr_t)__seen; \
+- __TH_LOG("Expected %s (%llu) %s %s (%llu)", \
++ uintmax_t __exp_print = (uintmax_t)__exp; \
++ uintmax_t __seen_print = (uintmax_t)__seen; \
++ __TH_LOG("Expected %s (%ju) %s %s (%ju)", \
+ _expected_str, __exp_print, #_t, \
+ _seen_str, __seen_print); \
+ break; \
+ } \
+ case 1: { \
+- unsigned long long __exp_print = (uintptr_t)__exp; \
+- long long __seen_print = (intptr_t)__seen; \
+- __TH_LOG("Expected %s (%llu) %s %s (%lld)", \
++ uintmax_t __exp_print = (uintmax_t)__exp; \
++ intmax_t __seen_print = (intmax_t)__seen; \
++ __TH_LOG("Expected %s (%ju) %s %s (%jd)", \
+ _expected_str, __exp_print, #_t, \
+ _seen_str, __seen_print); \
+ break; \
+ } \
+ case 2: { \
+- long long __exp_print = (intptr_t)__exp; \
+- unsigned long long __seen_print = (uintptr_t)__seen; \
+- __TH_LOG("Expected %s (%lld) %s %s (%llu)", \
++ intmax_t __exp_print = (intmax_t)__exp; \
++ uintmax_t __seen_print = (uintmax_t)__seen; \
++ __TH_LOG("Expected %s (%jd) %s %s (%ju)", \
+ _expected_str, __exp_print, #_t, \
+ _seen_str, __seen_print); \
+ break; \
+ } \
+ case 3: { \
+- long long __exp_print = (intptr_t)__exp; \
+- long long __seen_print = (intptr_t)__seen; \
+- __TH_LOG("Expected %s (%lld) %s %s (%lld)", \
++ intmax_t __exp_print = (intmax_t)__exp; \
++ intmax_t __seen_print = (intmax_t)__seen; \
++ __TH_LOG("Expected %s (%jd) %s %s (%jd)", \
+ _expected_str, __exp_print, #_t, \
+ _seen_str, __seen_print); \
+ break; \
+--
+2.39.5
+
--- /dev/null
+afs-fix-eexist-error-returned-from-afs_rmdir-to-be-e.patch
+afs-fix-directory-format-encoding-struct.patch
+nbd-don-t-allow-reconnect-after-disconnect.patch
+nvme-add-error-check-for-xa_store-in-nvme_get_effect.patch
+partitions-ldm-remove-the-initial-kernel-doc-notatio.patch
+select-fix-unbalanced-user_access_end.patch
+afs-fix-the-fallback-handling-for-the-yfs.removefile.patch
+drm-etnaviv-fix-page-property-being-used-for-non-wri.patch
+drm-amdgpu-fix-potential-null-pointer-dereference-in.patch
+genirq-make-handle_enforce_irqctx-unconditionally-av.patch
+ipmi-ipmb-add-check-devm_kasprintf-returned-value.patch
+wifi-rtlwifi-do-not-complete-firmware-loading-needle.patch
+wifi-rtlwifi-rtl8192se-rise-completion-of-firmware-l.patch
+rtlwifi-remove-redundant-assignment-to-variable-err.patch
+wifi-rtlwifi-wait-for-firmware-loading-before-releas.patch
+wifi-rtlwifi-fix-init_sw_vars-leak-when-probe-fails.patch
+wifi-rtlwifi-usb-fix-workqueue-leak-when-probe-fails.patch
+spi-zynq-qspi-add-check-for-clk_enable.patch
+dt-bindings-mmc-controller-clarify-the-address-cells.patch
+rtlwifi-replace-usage-of-found-with-dedicated-list-i.patch
+wifi-rtlwifi-remove-unused-timer-and-related-code.patch
+wifi-rtlwifi-remove-unused-dualmac-control-leftovers.patch
+wifi-rtlwifi-remove-unused-check_buddy_priv.patch
+wifi-rtlwifi-destroy-workqueue-at-rtl_deinit_core.patch
+wifi-rtlwifi-fix-memory-leaks-and-invalid-access-at-.patch
+wifi-rtlwifi-pci-wait-for-firmware-loading-before-re.patch
+acpi-fan-cleanup-resources-in-the-error-path-of-.pro.patch
+cpupower-fix-tsc-mhz-calculation.patch
+leds-netxbig-fix-an-of-node-reference-leak-in-netxbi.patch
+pwm-stm32-lp-add-check-for-clk_enable.patch
+cpufreq-schedutil-simplify-sugov_update_next_freq.patch
+cpufreq-schedutil-fix-superfluous-updates-caused-by-.patch
+udp-deal-with-race-between-udp-socket-address-change.patch
+clk-imx8mp-fix-clkout1-2-support.patch
+team-prevent-adding-a-device-which-is-already-a-team.patch
+regulator-of-implement-the-unwind-path-of-of_regulat.patch
+wifi-wlcore-fix-unbalanced-pm_runtime-calls.patch
+net-smc-fix-data-error-when-recvmsg-with-msg_peek-fl.patch
+wifi-mt76-mt76u_vendor_request-do-not-print-error-me.patch
+cpufreq-acpi-fix-max-frequency-computation.patch
+selftests-harness-fix-printing-of-mismatch-values-in.patch
+wifi-cfg80211-handle-specific-bssid-in-6ghz-scanning.patch
+wifi-cfg80211-adjust-allocation-of-colocated-ap-data.patch
+clk-analogbits-fix-incorrect-calculation-of-vco-rate.patch
+pwm-stm32-add-check-for-clk_enable.patch
+net-let-net.core.dev_weight-always-be-non-zero.patch
+net-mlxfw-drop-hard-coded-max-fw-flash-image-size.patch
+net-sched-disallow-replacing-of-child-qdisc-from-one.patch
+net-ethernet-ti-am65-cpsw-fix-freeing-irq-in-am65_cp.patch
+net-rose-prevent-integer-overflows-in-rose_setsockop.patch
+tools-testing-selftests-bpf-test_tc_tunnel.sh-fix-wa.patch
+asoc-sun4i-spdif-add-clock-multiplier-settings.patch
+perf-header-fix-one-memory-leakage-in-process_bpf_bt.patch
+perf-header-fix-one-memory-leakage-in-process_bpf_pr.patch
+perf-env-conditionally-compile-bpf-support-code-on-h.patch
+perf-bpf-fix-two-memory-leakages-when-calling-perf_e.patch
+ktest.pl-remove-unused-declarations-in-run_bisect_te.patch
+padata-fix-sysfs-store-callback-check.patch
+perf-top-don-t-complain-about-lack-of-vmlinux-when-n.patch
+perf-machine-include-data-symbols-in-the-kernel-map.patch
+perf-machine-don-t-ignore-_etext-when-not-a-text-sym.patch
+perf-report-fix-misleading-help-message-about-demang.patch
+bpf-send-signals-asynchronously-if-preemptible.patch
+padata-fix-uaf-in-padata_reorder.patch
+padata-add-pd-get-put-refcnt-helper.patch
+padata-avoid-uaf-for-reorder_work.patch
+soc-atmel-fix-device_node-release-in-atmel_soc_devic.patch
+arm64-dts-mediatek-mt8516-fix-gicv2-range.patch
+arm64-dts-mediatek-mt8516-fix-wdt-irq-type.patch
+arm64-dts-mediatek-mt8516-remove-2-invalid-i2c-clock.patch
+arm64-dts-mediatek-mt8516-add-i2c-clock-div-property.patch
+arm64-dts-mediatek-mt8516-reserve-192-kib-for-tf-a.patch
+rdma-mlx4-avoid-false-error-about-access-to-uninitia.patch
+rdma-cxgb4-prevent-potential-integer-overflow-on-32b.patch
+arm64-dts-mediatek-mt8173-evb-drop-regulator-compati.patch
+arm64-dts-mediatek-mt8173-elm-drop-regulator-compati.patch
+arm64-dts-mediatek-mt8173-elm-fix-mt6397-pmic-sub-no.patch
+arm64-dts-mediatek-mt8173-evb-fix-mt6397-pmic-sub-no.patch
+arm64-dts-qcom-msm8916-correct-sleep-clock-frequency.patch
+arm64-dts-qcom-msm8994-correct-sleep-clock-frequency.patch
+arm64-dts-qcom-sm8250-correct-sleep-clock-frequency.patch
+arm-dts-mediatek-mt7623-fix-ir-nodename.patch
+fbdev-omapfb-fix-an-of-node-leak-in-dss_of_port_get_.patch
+media-rc-iguanair-handle-timeouts.patch
+media-lmedm04-use-gfp_kernel-for-urb-allocation-subm.patch
+media-lmedm04-handle-errors-for-lme2510_int_read.patch
+pci-endpoint-destroy-the-epc-device-in-devm_pci_epc_.patch
+media-marvell-add-check-for-clk_enable.patch
+media-mipi-csis-add-check-for-clk_enable.patch
+media-camif-core-add-check-for-clk_enable.patch
+media-uvcvideo-propagate-buf-error-to-userspace.patch
+driver-core-platform-reorder-functions.patch
+driver-core-platform-change-logic-implementing-platf.patch
+driver-core-platform-use-bus_type-functions.patch
+driver-core-platform-emit-a-warning-if-a-remove-call.patch
+mtd-hyperbus-make-hyperbus_unregister_device-return-.patch
+platform-provide-a-remove-callback-that-returns-no-v.patch
+mtd-hyperbus-hbmc-am654-convert-to-platform-remove-c.patch
+mtd-hyperbus-hbmc-am654-fix-an-of-node-reference-lea.patch
+staging-media-imx-fix-of-node-leak-in-imx_media_add_.patch
+pci-rcar-ep-fix-incorrect-variable-used-when-calling.patch
+scsi-mpt3sas-set-ioc-manu_pg11.eedptagmode-directly-.patch
+scsi-ufs-bsg-delete-bsg_dev-when-setting-up-bsg-fail.patch
+ocfs2-mark-dquot-as-inactive-if-failed-to-start-tran.patch
+module-extend-the-preempt-disabled-section-in-derefe.patch
+nfsv4.2-fix-copy_notify-xdr-buf-size-calculation.patch
+tools-bootconfig-fix-the-wrong-format-specifier.patch
+xfrm-replay-fix-the-update-of-replay_esn-oseq_hi-for.patch
+dmaengine-ti-edma-fix-of-node-reference-leaks-in-edm.patch
+rtc-pcf85063-fix-potential-oob-write-in-pcf85063-nvm.patch
+ubifs-skip-dumping-tnc-tree-when-zroot-is-null.patch
+net-hns3-fix-oops-when-unload-drivers-paralleling.patch
+net-fec-implement-tso-descriptor-cleanup.patch
+ipmr-do-not-call-mr_mfc_uses_dev-for-unres-entries.patch
+pm-hibernate-add-error-handling-for-syscore_suspend.patch
+net-rose-fix-timer-races-against-user-threads.patch
+net-netdevsim-try-to-close-udp-port-harness-races.patch
+net-davicom-fix-uaf-in-dm9000_drv_remove.patch
+perf-trace-fix-runtime-error-of-index-out-of-bounds.patch
+pm-sleep-restore-asynchronous-device-resume-optimiza.patch
+pm-sleep-use-bool-for-all-1-bit-fields-in-struct-dev.patch
+pm-sleep-core-synchronize-runtime-pm-status-of-paren.patch
+vsock-allow-retrying-on-connect-failure.patch
+bgmac-reduce-max-frame-size-to-support-just-mtu-1500.patch
+net-sh_eth-fix-missing-rtnl-lock-in-suspend-resume-p.patch
+net-hsr-fix-fill_frame_info-regression-vs-vlan-packe.patch
--- /dev/null
+From a93bf0191848b931143f60e57abfc7d76b5e3e22 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 31 Oct 2024 13:33:36 +0100
+Subject: soc: atmel: fix device_node release in atmel_soc_device_init()
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+[ Upstream commit d3455ab798100f40af77123e7c2443ec979c546b ]
+
+A device_node acquired via of_find_node_by_path() requires explicit
+calls to of_node_put() when it is no longer needed to avoid leaking the
+resource.
+
+Instead of adding the missing calls to of_node_put() in all execution
+paths, use the cleanup attribute for 'np' by means of the __free()
+macro, which automatically calls of_node_put() when the variable goes
+out of scope.
+
+Fixes: 960ddf70cc11 ("drivers: soc: atmel: Avoid calling at91_soc_init on non AT91 SoCs")
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Link: https://lore.kernel.org/r/20241031-soc-atmel-soc-cleanup-v2-1-73f2d235fd98@gmail.com
+Signed-off-by: Claudiu Beznea <claudiu.beznea@tuxon.dev>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/atmel/soc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/soc/atmel/soc.c b/drivers/soc/atmel/soc.c
+index 5d06ee70a36b9..7d852f859687b 100644
+--- a/drivers/soc/atmel/soc.c
++++ b/drivers/soc/atmel/soc.c
+@@ -275,7 +275,7 @@ static const struct of_device_id at91_soc_allowed_list[] __initconst = {
+
+ static int __init atmel_soc_device_init(void)
+ {
+- struct device_node *np = of_find_node_by_path("/");
++ struct device_node *np __free(device_node) = of_find_node_by_path("/");
+
+ if (!of_match_node(at91_soc_allowed_list, np))
+ return 0;
+--
+2.39.5
+
--- /dev/null
+From 2e032b66c06128b18b7712f903b81d4a83428361 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2024 20:52:06 -0500
+Subject: spi: zynq-qspi: Add check for clk_enable()
+
+From: Mingwei Zheng <zmw12306@gmail.com>
+
+[ Upstream commit 8332e667099712e05ec87ba2058af394b51ebdc9 ]
+
+Add check for the return value of clk_enable() to catch the potential
+error.
+
+Fixes: c618a90dcaf3 ("spi: zynq-qspi: Drop GPIO header")
+Signed-off-by: Mingwei Zheng <zmw12306@gmail.com>
+Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
+Link: https://patch.msgid.link/20241207015206.3689364-1-zmw12306@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/spi/spi-zynq-qspi.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-zynq-qspi.c b/drivers/spi/spi-zynq-qspi.c
+index 13c0b15fe1764..2be764d5460d3 100644
+--- a/drivers/spi/spi-zynq-qspi.c
++++ b/drivers/spi/spi-zynq-qspi.c
+@@ -379,12 +379,21 @@ static int zynq_qspi_setup_op(struct spi_device *spi)
+ {
+ struct spi_controller *ctlr = spi->master;
+ struct zynq_qspi *qspi = spi_controller_get_devdata(ctlr);
++ int ret;
+
+ if (ctlr->busy)
+ return -EBUSY;
+
+- clk_enable(qspi->refclk);
+- clk_enable(qspi->pclk);
++ ret = clk_enable(qspi->refclk);
++ if (ret)
++ return ret;
++
++ ret = clk_enable(qspi->pclk);
++ if (ret) {
++ clk_disable(qspi->refclk);
++ return ret;
++ }
++
+ zynq_qspi_write(qspi, ZYNQ_QSPI_ENABLE_OFFSET,
+ ZYNQ_QSPI_ENABLE_ENABLE_MASK);
+
+--
+2.39.5
+
--- /dev/null
+From 423a1d5431cf508472e6f36708faaf68e3b095e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Dec 2024 12:54:11 +0900
+Subject: staging: media: imx: fix OF node leak in imx_media_add_of_subdevs()
+
+From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+
+[ Upstream commit 094f5c315f756b19198e6c401aa821ac0e868750 ]
+
+imx_media_add_of_subdevs() calls of_parse_phandle() and passes the
+obtained node to imx_media_of_add_csi(). The passed node is used in
+v4l2_async_nf_add_fwnode(), which increments the refcount of the node.
+Therefore, while the current implementation only releases the node when
+imx_media_of_add_csi() fails, but should always release it. Call
+of_node_put() right after imx_media_of_add_csi().
+
+Fixes: dee747f88167 ("media: imx: Don't register IPU subdevs/links if CSI port missing")
+Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+Reviewed-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
+Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/media/imx/imx-media-of.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/staging/media/imx/imx-media-of.c b/drivers/staging/media/imx/imx-media-of.c
+index 82e13e972e233..566e133ad3f42 100644
+--- a/drivers/staging/media/imx/imx-media-of.c
++++ b/drivers/staging/media/imx/imx-media-of.c
+@@ -55,22 +55,18 @@ int imx_media_add_of_subdevs(struct imx_media_dev *imxmd,
+ break;
+
+ ret = imx_media_of_add_csi(imxmd, csi_np);
++ of_node_put(csi_np);
+ if (ret) {
+ /* unavailable or already added is not an error */
+ if (ret == -ENODEV || ret == -EEXIST) {
+- of_node_put(csi_np);
+ continue;
+ }
+
+ /* other error, can't continue */
+- goto err_out;
++ return ret;
+ }
+ }
+
+ return 0;
+-
+-err_out:
+- of_node_put(csi_np);
+- return ret;
+ }
+ EXPORT_SYMBOL_GPL(imx_media_add_of_subdevs);
+--
+2.39.5
+
--- /dev/null
+From 1544cca7bdf6449a4f6a44de7b7d20a59d407363 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Dec 2024 12:56:47 -0800
+Subject: team: prevent adding a device which is already a team device lower
+
+From: Octavian Purdila <tavip@google.com>
+
+[ Upstream commit 3fff5da4ca2164bb4d0f1e6cd33f6eb8a0e73e50 ]
+
+Prevent adding a device which is already a team device lower,
+e.g. adding veth0 if vlan1 was already added and veth0 is a lower of
+vlan1.
+
+This is not useful in practice and can lead to recursive locking:
+
+$ ip link add veth0 type veth peer name veth1
+$ ip link set veth0 up
+$ ip link set veth1 up
+$ ip link add link veth0 name veth0.1 type vlan protocol 802.1Q id 1
+$ ip link add team0 type team
+$ ip link set veth0.1 down
+$ ip link set veth0.1 master team0
+team0: Port device veth0.1 added
+$ ip link set veth0 down
+$ ip link set veth0 master team0
+
+============================================
+WARNING: possible recursive locking detected
+6.13.0-rc2-virtme-00441-ga14a429069bb #46 Not tainted
+--------------------------------------------
+ip/7684 is trying to acquire lock:
+ffff888016848e00 (team->team_lock_key){+.+.}-{4:4}, at: team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973)
+
+but task is already holding lock:
+ffff888016848e00 (team->team_lock_key){+.+.}-{4:4}, at: team_add_slave (drivers/net/team/team_core.c:1147 drivers/net/team/team_core.c:1977)
+
+other info that might help us debug this:
+Possible unsafe locking scenario:
+
+CPU0
+----
+lock(team->team_lock_key);
+lock(team->team_lock_key);
+
+*** DEADLOCK ***
+
+May be due to missing lock nesting notation
+
+2 locks held by ip/7684:
+
+stack backtrace:
+CPU: 3 UID: 0 PID: 7684 Comm: ip Not tainted 6.13.0-rc2-virtme-00441-ga14a429069bb #46
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
+Call Trace:
+<TASK>
+dump_stack_lvl (lib/dump_stack.c:122)
+print_deadlock_bug.cold (kernel/locking/lockdep.c:3040)
+__lock_acquire (kernel/locking/lockdep.c:3893 kernel/locking/lockdep.c:5226)
+? netlink_broadcast_filtered (net/netlink/af_netlink.c:1548)
+lock_acquire.part.0 (kernel/locking/lockdep.c:467 kernel/locking/lockdep.c:5851)
+? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973)
+? trace_lock_acquire (./include/trace/events/lock.h:24 (discriminator 2))
+? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973)
+? lock_acquire (kernel/locking/lockdep.c:5822)
+? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973)
+__mutex_lock (kernel/locking/mutex.c:587 kernel/locking/mutex.c:735)
+? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973)
+? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973)
+? fib_sync_up (net/ipv4/fib_semantics.c:2167)
+? team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973)
+team_device_event (drivers/net/team/team_core.c:2928 drivers/net/team/team_core.c:2951 drivers/net/team/team_core.c:2973)
+notifier_call_chain (kernel/notifier.c:85)
+call_netdevice_notifiers_info (net/core/dev.c:1996)
+__dev_notify_flags (net/core/dev.c:8993)
+? __dev_change_flags (net/core/dev.c:8975)
+dev_change_flags (net/core/dev.c:9027)
+vlan_device_event (net/8021q/vlan.c:85 net/8021q/vlan.c:470)
+? br_device_event (net/bridge/br.c:143)
+notifier_call_chain (kernel/notifier.c:85)
+call_netdevice_notifiers_info (net/core/dev.c:1996)
+dev_open (net/core/dev.c:1519 net/core/dev.c:1505)
+team_add_slave (drivers/net/team/team_core.c:1219 drivers/net/team/team_core.c:1977)
+? __pfx_team_add_slave (drivers/net/team/team_core.c:1972)
+do_set_master (net/core/rtnetlink.c:2917)
+do_setlink.isra.0 (net/core/rtnetlink.c:3117)
+
+Reported-by: syzbot+3c47b5843403a45aef57@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=3c47b5843403a45aef57
+Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device")
+Signed-off-by: Octavian Purdila <tavip@google.com>
+Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/team/team.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
+index bc52f9e24ff34..699076fbfb4d6 100644
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -1165,6 +1165,13 @@ static int team_port_add(struct team *team, struct net_device *port_dev,
+ return -EBUSY;
+ }
+
++ if (netdev_has_upper_dev(port_dev, dev)) {
++ NL_SET_ERR_MSG(extack, "Device is already a lower device of the team interface");
++ netdev_err(dev, "Device %s is already a lower device of the team interface\n",
++ portname);
++ return -EBUSY;
++ }
++
+ if (port_dev->features & NETIF_F_VLAN_CHALLENGED &&
+ vlan_uses_dev(dev)) {
+ NL_SET_ERR_MSG(extack, "Device is VLAN challenged and team device has VLAN set up");
+--
+2.39.5
+
--- /dev/null
+From 3c93215d2fb90a8eab990c5596f425707d928b48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jan 2025 23:27:01 +0900
+Subject: tools/bootconfig: Fix the wrong format specifier
+
+From: Luo Yifan <luoyifan@cmss.chinamobile.com>
+
+[ Upstream commit f6ab7384d554ba80ff4793259d75535874b366f5 ]
+
+Use '%u' instead of '%d' for unsigned int.
+
+Link: https://lore.kernel.org/all/20241105011048.201629-1-luoyifan@cmss.chinamobile.com/
+
+Fixes: 973780011106 ("tools/bootconfig: Suppress non-error messages")
+Signed-off-by: Luo Yifan <luoyifan@cmss.chinamobile.com>
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/bootconfig/main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/bootconfig/main.c b/tools/bootconfig/main.c
+index 6cd6080cac04c..365c022fb7cdd 100644
+--- a/tools/bootconfig/main.c
++++ b/tools/bootconfig/main.c
+@@ -207,7 +207,7 @@ static int load_xbc_from_initrd(int fd, char **buf)
+ /* Wrong Checksum */
+ rcsum = checksum((unsigned char *)*buf, size);
+ if (csum != rcsum) {
+- pr_err("checksum error: %d != %d\n", csum, rcsum);
++ pr_err("checksum error: %u != %u\n", csum, rcsum);
+ return -EINVAL;
+ }
+
+@@ -375,7 +375,7 @@ static int apply_xbc(const char *path, const char *xbc_path)
+ printf("Apply %s to %s\n", xbc_path, path);
+ printf("\tNumber of nodes: %d\n", ret);
+ printf("\tSize: %u bytes\n", (unsigned int)size);
+- printf("\tChecksum: %d\n", (unsigned int)csum);
++ printf("\tChecksum: %u\n", (unsigned int)csum);
+
+ /* TODO: Check the options by schema */
+ xbc_destroy_all();
+--
+2.39.5
+
--- /dev/null
+From 49f197473a068db6c933306fa253d997603f472b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 2 Dec 2024 12:45:30 -0800
+Subject: tools/testing/selftests/bpf/test_tc_tunnel.sh: Fix wait for server
+ bind
+
+From: Marco Leogrande <leogrande@google.com>
+
+[ Upstream commit e2f0791124a1b6ca8d570110cbd487969d9d41ef ]
+
+Commit f803bcf9208a ("selftests/bpf: Prevent client connect before
+server bind in test_tc_tunnel.sh") added code that waits for the
+netcat server to start before the netcat client attempts to connect to
+it. However, not all calls to 'server_listen' were guarded.
+
+This patch adds the existing 'wait_for_port' guard after the remaining
+call to 'server_listen'.
+
+Fixes: f803bcf9208a ("selftests/bpf: Prevent client connect before server bind in test_tc_tunnel.sh")
+Signed-off-by: Marco Leogrande <leogrande@google.com>
+Acked-by: Stanislav Fomichev <sdf@fomichev.me>
+Link: https://lore.kernel.org/r/20241202204530.1143448-1-leogrande@google.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/test_tc_tunnel.sh | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/testing/selftests/bpf/test_tc_tunnel.sh b/tools/testing/selftests/bpf/test_tc_tunnel.sh
+index 21bde60c95230..e42d8959cbf1c 100755
+--- a/tools/testing/selftests/bpf/test_tc_tunnel.sh
++++ b/tools/testing/selftests/bpf/test_tc_tunnel.sh
+@@ -286,6 +286,7 @@ else
+ client_connect
+ verify_data
+ server_listen
++ wait_for_port ${port} ${netcat_opt}
+ fi
+
+ # bpf_skb_net_shrink does not take tunnel flags yet, cannot update L3.
+--
+2.39.5
+
--- /dev/null
+From 9debb44ff4f9ebd8f22b754de94e5ae55cf96af7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Dec 2024 16:18:23 +0800
+Subject: ubifs: skip dumping tnc tree when zroot is null
+
+From: pangliyuan <pangliyuan1@huawei.com>
+
+[ Upstream commit bdb0ca39e0acccf6771db49c3f94ed787d05f2d7 ]
+
+Clearing slab cache will free all znode in memory and make
+c->zroot.znode = NULL, then dumping tnc tree will access
+c->zroot.znode which cause null pointer dereference.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=219624#c0
+Fixes: 1e51764a3c2a ("UBIFS: add new flash file system")
+Signed-off-by: pangliyuan <pangliyuan1@huawei.com>
+Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ubifs/debug.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/fs/ubifs/debug.c b/fs/ubifs/debug.c
+index ebff43f8009c2..9ee58cf4d53f6 100644
+--- a/fs/ubifs/debug.c
++++ b/fs/ubifs/debug.c
+@@ -925,16 +925,20 @@ void ubifs_dump_tnc(struct ubifs_info *c)
+
+ pr_err("\n");
+ pr_err("(pid %d) start dumping TNC tree\n", current->pid);
+- znode = ubifs_tnc_levelorder_next(c, c->zroot.znode, NULL);
+- level = znode->level;
+- pr_err("== Level %d ==\n", level);
+- while (znode) {
+- if (level != znode->level) {
+- level = znode->level;
+- pr_err("== Level %d ==\n", level);
++ if (c->zroot.znode) {
++ znode = ubifs_tnc_levelorder_next(c, c->zroot.znode, NULL);
++ level = znode->level;
++ pr_err("== Level %d ==\n", level);
++ while (znode) {
++ if (level != znode->level) {
++ level = znode->level;
++ pr_err("== Level %d ==\n", level);
++ }
++ ubifs_dump_znode(c, znode);
++ znode = ubifs_tnc_levelorder_next(c, c->zroot.znode, znode);
+ }
+- ubifs_dump_znode(c, znode);
+- znode = ubifs_tnc_levelorder_next(c, c->zroot.znode, znode);
++ } else {
++ pr_err("empty TNC tree in memory\n");
+ }
+ pr_err("(pid %d) finish dumping TNC tree\n", current->pid);
+ }
+--
+2.39.5
+
--- /dev/null
+From e27cd5cf7f24ac02a5c48b834440c0618e75b6eb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Dec 2024 17:21:16 +0100
+Subject: udp: Deal with race between UDP socket address change and rehash
+
+From: Stefano Brivio <sbrivio@redhat.com>
+
+[ Upstream commit a502ea6fa94b1f7be72a24bcf9e3f5f6b7e6e90c ]
+
+If a UDP socket changes its local address while it's receiving
+datagrams, as a result of connect(), there is a period during which
+a lookup operation might fail to find it, after the address is changed
+but before the secondary hash (port and address) and the four-tuple
+hash (local and remote ports and addresses) are updated.
+
+Secondary hash chains were introduced by commit 30fff9231fad ("udp:
+bind() optimisation") and, as a result, a rehash operation became
+needed to make a bound socket reachable again after a connect().
+
+This operation was introduced by commit 719f835853a9 ("udp: add
+rehash on connect()") which isn't however a complete fix: the
+socket will be found once the rehashing completes, but not while
+it's pending.
+
+This is noticeable with a socat(1) server in UDP4-LISTEN mode, and a
+client sending datagrams to it. After the server receives the first
+datagram (cf. _xioopen_ipdgram_listen()), it issues a connect() to
+the address of the sender, in order to set up a directed flow.
+
+Now, if the client, running on a different CPU thread, happens to
+send a (subsequent) datagram while the server's socket changes its
+address, but is not rehashed yet, this will result in a failed
+lookup and a port unreachable error delivered to the client, as
+apparent from the following reproducer:
+
+ LEN=$(($(cat /proc/sys/net/core/wmem_default) / 4))
+ dd if=/dev/urandom bs=1 count=${LEN} of=tmp.in
+
+ while :; do
+ taskset -c 1 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,trunc &
+ sleep 0.1 || sleep 1
+ taskset -c 2 socat OPEN:tmp.in UDP4:localhost:1337,shut-null
+ wait
+ done
+
+where the client will eventually get ECONNREFUSED on a write()
+(typically the second or third one of a given iteration):
+
+ 2024/11/13 21:28:23 socat[46901] E write(6, 0x556db2e3c000, 8192): Connection refused
+
+This issue was first observed as a seldom failure in Podman's tests
+checking UDP functionality while using pasta(1) to connect the
+container's network namespace, which leads us to a reproducer with
+the lookup error resulting in an ICMP packet on a tap device:
+
+ LOCAL_ADDR="$(ip -j -4 addr show|jq -rM '.[] | .addr_info[0] | select(.scope == "global").local')"
+
+ while :; do
+ ./pasta --config-net -p pasta.pcap -u 1337 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,trunc &
+ sleep 0.2 || sleep 1
+ socat OPEN:tmp.in UDP4:${LOCAL_ADDR}:1337,shut-null
+ wait
+ cmp tmp.in tmp.out
+ done
+
+Once this fails:
+
+ tmp.in tmp.out differ: char 8193, line 29
+
+we can finally have a look at what's going on:
+
+ $ tshark -r pasta.pcap
+ 1 0.000000 :: ? ff02::16 ICMPv6 110 Multicast Listener Report Message v2
+ 2 0.168690 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192
+ 3 0.168767 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192
+ 4 0.168806 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192
+ 5 0.168827 c6:47:05:8d:dc:04 ? Broadcast ARP 42 Who has 88.198.0.161? Tell 88.198.0.164
+ 6 0.168851 9a:55:9a:55:9a:55 ? c6:47:05:8d:dc:04 ARP 42 88.198.0.161 is at 9a:55:9a:55:9a:55
+ 7 0.168875 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192
+ 8 0.168896 88.198.0.164 ? 88.198.0.161 ICMP 590 Destination unreachable (Port unreachable)
+ 9 0.168926 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192
+ 10 0.168959 88.198.0.161 ? 88.198.0.164 UDP 8234 60260 ? 1337 Len=8192
+ 11 0.168989 88.198.0.161 ? 88.198.0.164 UDP 4138 60260 ? 1337 Len=4096
+ 12 0.169010 88.198.0.161 ? 88.198.0.164 UDP 42 60260 ? 1337 Len=0
+
+On the third datagram received, the network namespace of the container
+initiates an ARP lookup to deliver the ICMP message.
+
+In another variant of this reproducer, starting the client with:
+
+ strace -f pasta --config-net -u 1337 socat UDP4-LISTEN:1337,null-eof OPEN:tmp.out,create,trunc 2>strace.log &
+
+and connecting to the socat server using a loopback address:
+
+ socat OPEN:tmp.in UDP4:localhost:1337,shut-null
+
+we can more clearly observe a sendmmsg() call failing after the
+first datagram is delivered:
+
+ [pid 278012] connect(173, 0x7fff96c95fc0, 16) = 0
+ [...]
+ [pid 278012] recvmmsg(173, 0x7fff96c96020, 1024, MSG_DONTWAIT, NULL) = -1 EAGAIN (Resource temporarily unavailable)
+ [pid 278012] sendmmsg(173, 0x561c5ad0a720, 1, MSG_NOSIGNAL) = 1
+ [...]
+ [pid 278012] sendmmsg(173, 0x561c5ad0a720, 1, MSG_NOSIGNAL) = -1 ECONNREFUSED (Connection refused)
+
+and, somewhat confusingly, after a connect() on the same socket
+succeeded.
+
+Until commit 4cdeeee9252a ("net: udp: prefer listeners bound to an
+address"), the race between receive address change and lookup didn't
+actually cause visible issues, because, once the lookup based on the
+secondary hash chain failed, we would still attempt a lookup based on
+the primary hash (destination port only), and find the socket with the
+outdated secondary hash.
+
+That change, however, dropped port-only lookups altogether, as side
+effect, making the race visible.
+
+To fix this, while avoiding the need to make address changes and
+rehash atomic against lookups, reintroduce primary hash lookups as
+fallback, if lookups based on four-tuple and secondary hashes fail.
+
+To this end, introduce a simplified lookup implementation, which
+doesn't take care of SO_REUSEPORT groups: if we have one, there are
+multiple sockets that would match the four-tuple or secondary hash,
+meaning that we can't run into this race at all.
+
+v2:
+ - instead of synchronising lookup operations against address change
+ plus rehash, reintroduce a simplified version of the original
+ primary hash lookup as fallback
+
+v1:
+ - fix build with CONFIG_IPV6=n: add ifdef around sk_v6_rcv_saddr
+ usage (Kuniyuki Iwashima)
+ - directly use sk_rcv_saddr for IPv4 receive addresses instead of
+ fetching inet_rcv_saddr (Kuniyuki Iwashima)
+ - move inet_update_saddr() to inet_hashtables.h and use that
+ to set IPv4/IPv6 addresses as suitable (Kuniyuki Iwashima)
+ - rebase onto net-next, update commit message accordingly
+
+Reported-by: Ed Santiago <santiago@redhat.com>
+Link: https://github.com/containers/podman/issues/24147
+Analysed-by: David Gibson <david@gibson.dropbear.id.au>
+Fixes: 30fff9231fad ("udp: bind() optimisation")
+Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/udp.c | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ net/ipv6/udp.c | 50 ++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 106 insertions(+)
+
+diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
+index 6ad25dc9710c1..0f835abe7c9e9 100644
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -412,6 +412,49 @@ u32 udp_ehashfn(const struct net *net, const __be32 laddr, const __u16 lport,
+ udp_ehash_secret + net_hash_mix(net));
+ }
+
++/**
++ * udp4_lib_lookup1() - Simplified lookup using primary hash (destination port)
++ * @net: Network namespace
++ * @saddr: Source address, network order
++ * @sport: Source port, network order
++ * @daddr: Destination address, network order
++ * @hnum: Destination port, host order
++ * @dif: Destination interface index
++ * @sdif: Destination bridge port index, if relevant
++ * @udptable: Set of UDP hash tables
++ *
++ * Simplified lookup to be used as fallback if no sockets are found due to a
++ * potential race between (receive) address change, and lookup happening before
++ * the rehash operation. This function ignores SO_REUSEPORT groups while scoring
++ * result sockets, because if we have one, we don't need the fallback at all.
++ *
++ * Called under rcu_read_lock().
++ *
++ * Return: socket with highest matching score if any, NULL if none
++ */
++static struct sock *udp4_lib_lookup1(const struct net *net,
++ __be32 saddr, __be16 sport,
++ __be32 daddr, unsigned int hnum,
++ int dif, int sdif,
++ const struct udp_table *udptable)
++{
++ unsigned int slot = udp_hashfn(net, hnum, udptable->mask);
++ struct udp_hslot *hslot = &udptable->hash[slot];
++ struct sock *sk, *result = NULL;
++ int score, badness = 0;
++
++ sk_for_each_rcu(sk, &hslot->head) {
++ score = compute_score(sk, net,
++ saddr, sport, daddr, hnum, dif, sdif);
++ if (score > badness) {
++ result = sk;
++ badness = score;
++ }
++ }
++
++ return result;
++}
++
+ /* called with rcu_read_lock() */
+ static struct sock *udp4_lib_lookup2(struct net *net,
+ __be32 saddr, __be16 sport,
+@@ -539,6 +582,19 @@ struct sock *__udp4_lib_lookup(struct net *net, __be32 saddr,
+ result = udp4_lib_lookup2(net, saddr, sport,
+ htonl(INADDR_ANY), hnum, dif, sdif,
+ hslot2, skb);
++ if (!IS_ERR_OR_NULL(result))
++ goto done;
++
++ /* Primary hash (destination port) lookup as fallback for this race:
++ * 1. __ip4_datagram_connect() sets sk_rcv_saddr
++ * 2. lookup (this function): new sk_rcv_saddr, hashes not updated yet
++ * 3. rehash operation updating _secondary and four-tuple_ hashes
++ * The primary hash doesn't need an update after 1., so, thanks to this
++ * further step, 1. and 3. don't need to be atomic against the lookup.
++ */
++ result = udp4_lib_lookup1(net, saddr, sport, daddr, hnum, dif, sdif,
++ udptable);
++
+ done:
+ if (IS_ERR(result))
+ return NULL;
+diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
+index 203a6d64d7e99..9f5aaf90ce905 100644
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -156,6 +156,49 @@ static int compute_score(struct sock *sk, struct net *net,
+ return score;
+ }
+
++/**
++ * udp6_lib_lookup1() - Simplified lookup using primary hash (destination port)
++ * @net: Network namespace
++ * @saddr: Source address, network order
++ * @sport: Source port, network order
++ * @daddr: Destination address, network order
++ * @hnum: Destination port, host order
++ * @dif: Destination interface index
++ * @sdif: Destination bridge port index, if relevant
++ * @udptable: Set of UDP hash tables
++ *
++ * Simplified lookup to be used as fallback if no sockets are found due to a
++ * potential race between (receive) address change, and lookup happening before
++ * the rehash operation. This function ignores SO_REUSEPORT groups while scoring
++ * result sockets, because if we have one, we don't need the fallback at all.
++ *
++ * Called under rcu_read_lock().
++ *
++ * Return: socket with highest matching score if any, NULL if none
++ */
++static struct sock *udp6_lib_lookup1(const struct net *net,
++ const struct in6_addr *saddr, __be16 sport,
++ const struct in6_addr *daddr,
++ unsigned int hnum, int dif, int sdif,
++ const struct udp_table *udptable)
++{
++ unsigned int slot = udp_hashfn(net, hnum, udptable->mask);
++ struct udp_hslot *hslot = &udptable->hash[slot];
++ struct sock *sk, *result = NULL;
++ int score, badness = 0;
++
++ sk_for_each_rcu(sk, &hslot->head) {
++ score = compute_score(sk, net,
++ saddr, sport, daddr, hnum, dif, sdif);
++ if (score > badness) {
++ result = sk;
++ badness = score;
++ }
++ }
++
++ return result;
++}
++
+ /* called with rcu_read_lock() */
+ static struct sock *udp6_lib_lookup2(struct net *net,
+ const struct in6_addr *saddr, __be16 sport,
+@@ -284,6 +327,13 @@ struct sock *__udp6_lib_lookup(struct net *net,
+ result = udp6_lib_lookup2(net, saddr, sport,
+ &in6addr_any, hnum, dif, sdif,
+ hslot2, skb);
++ if (!IS_ERR_OR_NULL(result))
++ goto done;
++
++ /* Cover address change/lookup/rehash race: see __udp4_lib_lookup() */
++ result = udp6_lib_lookup1(net, saddr, sport, daddr, hnum, dif, sdif,
++ udptable);
++
+ done:
+ if (IS_ERR(result))
+ return NULL;
+--
+2.39.5
+
--- /dev/null
+From 5e03a66d55db154f0f27f4d07f518782fe99db15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jan 2025 14:15:28 +0100
+Subject: vsock: Allow retrying on connect() failure
+
+From: Michal Luczaj <mhal@rbox.co>
+
+[ Upstream commit aa388c72113b7458127b709bdd7d3628af26e9b4 ]
+
+sk_err is set when a (connectible) connect() fails. Effectively, this makes
+an otherwise still healthy SS_UNCONNECTED socket impossible to use for any
+subsequent connection attempts.
+
+Clear sk_err upon trying to establish a connection.
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Luigi Leonardi <leonardi@redhat.com>
+Signed-off-by: Michal Luczaj <mhal@rbox.co>
+Link: https://patch.msgid.link/20250128-vsock-transport-vs-autobind-v3-2-1cf57065b770@rbox.co
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/vmw_vsock/af_vsock.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index 53a9c0a73489b..473ba765a4356 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1340,6 +1340,11 @@ static int vsock_stream_connect(struct socket *sock, struct sockaddr *addr,
+ if (err < 0)
+ goto out;
+
++ /* sk_err might have been set as a result of an earlier
++ * (failed) connect attempt.
++ */
++ sk->sk_err = 0;
++
+ /* Mark sock as connecting and set the error code to in
+ * progress in case this is a non-blocking connect.
+ */
+--
+2.39.5
+
--- /dev/null
+From 2983cfa2eff2016ebeb3bbd466f6cb634fac65db Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Jan 2025 18:54:17 +0300
+Subject: wifi: cfg80211: adjust allocation of colocated AP data
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 1a0d24775cdee2b8dc14bfa4f4418c930ab1ac57 ]
+
+In 'cfg80211_scan_6ghz()', an instances of 'struct cfg80211_colocated_ap'
+are allocated as if they would have 'ssid' as trailing VLA member. Since
+this is not so, extra IEEE80211_MAX_SSID_LEN bytes are not needed.
+Briefly tested with KUnit.
+
+Fixes: c8cb5b854b40 ("nl80211/cfg80211: support 6 GHz scanning")
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Link: https://patch.msgid.link/20250113155417.552587-1-dmantipov@yandex.ru
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/scan.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index 348b2fce25fc3..670fcdbef95be 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -821,9 +821,7 @@ static int cfg80211_scan_6ghz(struct cfg80211_registered_device *rdev)
+ if (ret)
+ continue;
+
+- entry = kzalloc(sizeof(*entry) + IEEE80211_MAX_SSID_LEN,
+- GFP_ATOMIC);
+-
++ entry = kzalloc(sizeof(*entry), GFP_ATOMIC);
+ if (!entry)
+ continue;
+
+--
+2.39.5
+
--- /dev/null
+From 3ab29ef4dbe3c2a73d5feb2f4d22d5290f70fbda Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 Sep 2023 17:35:30 +0300
+Subject: wifi: cfg80211: Handle specific BSSID in 6GHz scanning
+
+From: Ilan Peer <ilan.peer@intel.com>
+
+[ Upstream commit 0fca7784b7a14d4ede64f479662afb98876ec7f8 ]
+
+When the scan parameters for a 6GHz scan specify a unicast
+BSSID address, and the corresponding AP is found in the scan
+list, add a corresponding entry in the collocated AP list,
+so this AP would be directly probed even if it was not
+advertised as a collocated AP.
+
+This is needed for handling a scan request that is intended
+for a ML probe flow, where user space can requests a scan
+to retrieve information for other links in the AP MLD.
+
+Signed-off-by: Ilan Peer <ilan.peer@intel.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20230928172905.54b954bc02ad.I1c072793d3d77a4c8fbbc64b4db5cce1bbb00382@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Stable-dep-of: 1a0d24775cde ("wifi: cfg80211: adjust allocation of colocated AP data")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/scan.c | 37 +++++++++++++++++++++++++++++++++++++
+ 1 file changed, 37 insertions(+)
+
+diff --git a/net/wireless/scan.c b/net/wireless/scan.c
+index f6307061aac49..348b2fce25fc3 100644
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -796,10 +796,47 @@ static int cfg80211_scan_6ghz(struct cfg80211_registered_device *rdev)
+ list_for_each_entry(intbss, &rdev->bss_list, list) {
+ struct cfg80211_bss *res = &intbss->pub;
+ const struct cfg80211_bss_ies *ies;
++ const struct element *ssid_elem;
++ struct cfg80211_colocated_ap *entry;
++ u32 s_ssid_tmp;
++ int ret;
+
+ ies = rcu_access_pointer(res->ies);
+ count += cfg80211_parse_colocated_ap(ies,
+ &coloc_ap_list);
++
++ /* In case the scan request specified a specific BSSID
++ * and the BSS is found and operating on 6GHz band then
++ * add this AP to the collocated APs list.
++ * This is relevant for ML probe requests when the lower
++ * band APs have not been discovered.
++ */
++ if (is_broadcast_ether_addr(rdev_req->bssid) ||
++ !ether_addr_equal(rdev_req->bssid, res->bssid) ||
++ res->channel->band != NL80211_BAND_6GHZ)
++ continue;
++
++ ret = cfg80211_calc_short_ssid(ies, &ssid_elem,
++ &s_ssid_tmp);
++ if (ret)
++ continue;
++
++ entry = kzalloc(sizeof(*entry) + IEEE80211_MAX_SSID_LEN,
++ GFP_ATOMIC);
++
++ if (!entry)
++ continue;
++
++ memcpy(entry->bssid, res->bssid, ETH_ALEN);
++ entry->short_ssid = s_ssid_tmp;
++ memcpy(entry->ssid, ssid_elem->data,
++ ssid_elem->datalen);
++ entry->ssid_len = ssid_elem->datalen;
++ entry->short_ssid_valid = true;
++ entry->center_freq = res->channel->center_freq;
++
++ list_add_tail(&entry->list, &coloc_ap_list);
++ count++;
+ }
+ spin_unlock_bh(&rdev->bss_lock);
+ }
+--
+2.39.5
+
--- /dev/null
+From 1f1742e649d32d1e8b048d30a148603728383362 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 13 Jan 2025 15:02:41 +0800
+Subject: wifi: mt76: mt76u_vendor_request: Do not print error messages when
+ -EPROTO
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: WangYuli <wangyuli@uniontech.com>
+
+[ Upstream commit f1b1e133a770fcdbd89551651232b034d2f7a27a ]
+
+When initializing the network card, unplugging the device will
+trigger an -EPROTO error, resulting in a flood of error messages
+being printed frantically.
+
+The exception is printed as follows:
+
+ mt76x2u 2-2.4:1.0: vendor request req:47 off:9018 failed:-71
+ mt76x2u 2-2.4:1.0: vendor request req:47 off:9018 failed:-71
+ ...
+
+It will continue to print more than 2000 times for about 5 minutes,
+causing the usb device to be unable to be disconnected. During this
+period, the usb port cannot recognize the new device because the old
+device has not disconnected.
+
+There may be other operating methods that cause -EPROTO, but -EPROTO is
+a low-level hardware error. It is unwise to repeat vendor requests
+expecting to read correct data. It is a better choice to treat -EPROTO
+and -ENODEV the same way.
+
+Similar to commit 9b0f100c1970 ("mt76: usb: process URBs with status
+EPROTO properly") do no schedule rx_worker for urb marked with status
+set -EPROTO. I also reproduced this situation when plugging and
+unplugging the device, and this patch is effective.
+
+Just do not vendor request again for urb marked with status set -EPROTO.
+
+Link: https://lore.kernel.org/all/531681bd-30f5-4a70-a156-bf8754b8e072@intel.com/
+Link: https://lore.kernel.org/all/D4B9CC1FFC0CBAC3+20250105040607.154706-1-wangyuli@uniontech.com/
+Fixes: b40b15e1521f ("mt76: add usb support to mt76 layer")
+Co-developed-by: Xu Rao <raoxu@uniontech.com>
+Signed-off-by: Xu Rao <raoxu@uniontech.com>
+Signed-off-by: WangYuli <wangyuli@uniontech.com>
+Link: https://patch.msgid.link/9DD7DE7AAB497CB7+20250113070241.63590-1-wangyuli@uniontech.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/usb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/usb.c b/drivers/net/wireless/mediatek/mt76/usb.c
+index f1ae9ff835b23..07a563df6d6d3 100644
+--- a/drivers/net/wireless/mediatek/mt76/usb.c
++++ b/drivers/net/wireless/mediatek/mt76/usb.c
+@@ -34,9 +34,9 @@ static int __mt76u_vendor_request(struct mt76_dev *dev, u8 req,
+
+ ret = usb_control_msg(udev, pipe, req, req_type, val,
+ offset, buf, len, MT_VEND_REQ_TOUT_MS);
+- if (ret == -ENODEV)
++ if (ret == -ENODEV || ret == -EPROTO)
+ set_bit(MT76_REMOVED, &dev->phy.state);
+- if (ret >= 0 || ret == -ENODEV)
++ if (ret >= 0 || ret == -ENODEV || ret == -EPROTO)
+ return ret;
+ usleep_range(5000, 10000);
+ }
+--
+2.39.5
+
--- /dev/null
+From 118a7f0ed18f2cf53f466ecc59129518bbc62069 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2024 14:37:11 -0300
+Subject: wifi: rtlwifi: destroy workqueue at rtl_deinit_core
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+[ Upstream commit d8ece6fc3694657e4886191b32ca1690af11adda ]
+
+rtl_wq is allocated at rtl_init_core, so it makes more sense to destroy it
+at rtl_deinit_core. In the case of USB, where _rtl_usb_init does not
+require anything to be undone, that is fine. But for PCI, rtl_pci_init,
+which is called after rtl_init_core, needs to deallocate data, but only if
+it has been called.
+
+That means that destroying the workqueue needs to be done whether
+rtl_pci_init has been called or not. And since rtl_pci_deinit was doing it,
+it has to be moved out of there.
+
+It makes more sense to move it to rtl_deinit_core and have it done in both
+cases, USB and PCI.
+
+Since this is a requirement for a followup memory leak fix, mark this as
+fixing such memory leak.
+
+Fixes: 0c8173385e54 ("rtl8192ce: Add new driver")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20241206173713.3222187-3-cascardo@igalia.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/base.c | 6 ++++++
+ drivers/net/wireless/realtek/rtlwifi/pci.c | 2 --
+ drivers/net/wireless/realtek/rtlwifi/usb.c | 5 -----
+ 3 files changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c
+index c14d7cbaa6472..775f0c181fece 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/base.c
++++ b/drivers/net/wireless/realtek/rtlwifi/base.c
+@@ -576,9 +576,15 @@ static void rtl_free_entries_from_ack_queue(struct ieee80211_hw *hw,
+
+ void rtl_deinit_core(struct ieee80211_hw *hw)
+ {
++ struct rtl_priv *rtlpriv = rtl_priv(hw);
++
+ rtl_c2hcmd_launcher(hw, 0);
+ rtl_free_entries_from_scan_list(hw);
+ rtl_free_entries_from_ack_queue(hw, false);
++ if (rtlpriv->works.rtl_wq) {
++ destroy_workqueue(rtlpriv->works.rtl_wq);
++ rtlpriv->works.rtl_wq = NULL;
++ }
+ }
+ EXPORT_SYMBOL_GPL(rtl_deinit_core);
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
+index c0a201f1b74e5..84f2669f201ab 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
+@@ -1657,8 +1657,6 @@ static void rtl_pci_deinit(struct ieee80211_hw *hw)
+ synchronize_irq(rtlpci->pdev->irq);
+ tasklet_kill(&rtlpriv->works.irq_tasklet);
+ cancel_work_sync(&rtlpriv->works.lps_change_work);
+-
+- destroy_workqueue(rtlpriv->works.rtl_wq);
+ }
+
+ static int rtl_pci_init(struct ieee80211_hw *hw, struct pci_dev *pdev)
+diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c
+index 08ab2482c00cc..be17498b5515f 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/usb.c
++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c
+@@ -680,11 +680,6 @@ static void _rtl_usb_cleanup_rx(struct ieee80211_hw *hw)
+ tasklet_kill(&rtlusb->rx_work_tasklet);
+ cancel_work_sync(&rtlpriv->works.lps_change_work);
+
+- if (rtlpriv->works.rtl_wq) {
+- destroy_workqueue(rtlpriv->works.rtl_wq);
+- rtlpriv->works.rtl_wq = NULL;
+- }
+-
+ skb_queue_purge(&rtlusb->rx_queue);
+
+ while ((urb = usb_get_from_anchor(&rtlusb->rx_cleanup_urbs))) {
+--
+2.39.5
+
--- /dev/null
+From 418335fef86482f13bac38c25bafe2a7fca1a138 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Nov 2024 10:33:18 -0300
+Subject: wifi: rtlwifi: do not complete firmware loading needlessly
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+[ Upstream commit e73e11d303940119e41850a0452a0deda2cc4eb5 ]
+
+The only code waiting for completion is driver removal, which will not be
+called when probe returns a failure. So this completion is unnecessary.
+
+Fixes: b0302aba812b ("rtlwifi: Convert to asynchronous firmware load")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Acked-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20241107133322.855112-2-cascardo@igalia.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/pci.c | 1 -
+ drivers/net/wireless/realtek/rtlwifi/usb.c | 1 -
+ 2 files changed, 2 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
+index 6d9f2a6233a21..70f1cc906502b 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
+@@ -2274,7 +2274,6 @@ int rtl_pci_probe(struct pci_dev *pdev,
+ pci_iounmap(pdev, (void __iomem *)rtlpriv->io.pci_mem_start);
+
+ pci_release_regions(pdev);
+- complete(&rtlpriv->firmware_loading_complete);
+
+ fail1:
+ if (hw)
+diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c
+index c6e4fda7e431f..7e4655de30237 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/usb.c
++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c
+@@ -1085,7 +1085,6 @@ int rtl_usb_probe(struct usb_interface *intf,
+ error_out2:
+ _rtl_usb_io_handler_release(hw);
+ usb_put_dev(udev);
+- complete(&rtlpriv->firmware_loading_complete);
+ kfree(rtlpriv->usb_data);
+ ieee80211_free_hw(hw);
+ return -ENODEV;
+--
+2.39.5
+
--- /dev/null
+From e0192c88ec8421bbdb280f228c6a31c06a9428ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Nov 2024 10:33:21 -0300
+Subject: wifi: rtlwifi: fix init_sw_vars leak when probe fails
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+[ Upstream commit 00260350aed80c002df270c805ca443ec9a719a6 ]
+
+If ieee80211_register_hw fails, the memory allocated for the firmware will
+not be released. Call deinit_sw_vars as the function that undoes the
+allocationes done by init_sw_vars.
+
+Fixes: cefe3dfdb9f5 ("rtl8192cu: Call ieee80211_register_hw from rtl_usb_probe")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20241107133322.855112-5-cascardo@igalia.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c
+index 087e398da36d9..66af56a79dbe5 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/usb.c
++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c
+@@ -1081,6 +1081,7 @@ int rtl_usb_probe(struct usb_interface *intf,
+
+ error_init_vars:
+ wait_for_completion(&rtlpriv->firmware_loading_complete);
++ rtlpriv->cfg->ops->deinit_sw_vars(hw);
+ error_out:
+ rtl_deinit_core(hw);
+ error_out2:
+--
+2.39.5
+
--- /dev/null
+From 8c08d47fd625a7d33ffaa15c114ab7741d0f95ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2024 14:37:12 -0300
+Subject: wifi: rtlwifi: fix memory leaks and invalid access at probe error
+ path
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+[ Upstream commit e7ceefbfd8d447abc8aca8ab993a942803522c06 ]
+
+Deinitialize at reverse order when probe fails.
+
+When init_sw_vars fails, rtl_deinit_core should not be called, specially
+now that it destroys the rtl_wq workqueue.
+
+And call rtl_pci_deinit and deinit_sw_vars, otherwise, memory will be
+leaked.
+
+Remove pci_set_drvdata call as it will already be cleaned up by the core
+driver code and could lead to memory leaks too. cf. commit 8d450935ae7f
+("wireless: rtlwifi: remove unnecessary pci_set_drvdata()") and
+commit 3d86b93064c7 ("rtlwifi: Fix PCI probe error path orphaned memory").
+
+Fixes: 0c8173385e54 ("rtl8192ce: Add new driver")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20241206173713.3222187-4-cascardo@igalia.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/pci.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
+index 84f2669f201ab..5b0a5a22d06d2 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
+@@ -2167,7 +2167,7 @@ int rtl_pci_probe(struct pci_dev *pdev,
+ if (rtlpriv->cfg->ops->init_sw_vars(hw)) {
+ pr_err("Can't init_sw_vars\n");
+ err = -ENODEV;
+- goto fail3;
++ goto fail2;
+ }
+ rtlpriv->cfg->ops->init_sw_leds(hw);
+
+@@ -2185,14 +2185,14 @@ int rtl_pci_probe(struct pci_dev *pdev,
+ err = rtl_pci_init(hw, pdev);
+ if (err) {
+ pr_err("Failed to init PCI\n");
+- goto fail3;
++ goto fail4;
+ }
+
+ err = ieee80211_register_hw(hw);
+ if (err) {
+ pr_err("Can't register mac80211 hw.\n");
+ err = -ENODEV;
+- goto fail3;
++ goto fail5;
+ }
+ rtlpriv->mac80211.mac80211_registered = 1;
+
+@@ -2215,9 +2215,12 @@ int rtl_pci_probe(struct pci_dev *pdev,
+ set_bit(RTL_STATUS_INTERFACE_START, &rtlpriv->status);
+ return 0;
+
+-fail3:
+- pci_set_drvdata(pdev, NULL);
++fail5:
++ rtl_pci_deinit(hw);
++fail4:
+ rtl_deinit_core(hw);
++fail3:
++ rtlpriv->cfg->ops->deinit_sw_vars(hw);
+
+ fail2:
+ if (rtlpriv->io.pci_mem_start != 0)
+--
+2.39.5
+
--- /dev/null
+From 7c850c6545b697f8068c101ed53990c2527ad5e5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2024 14:37:13 -0300
+Subject: wifi: rtlwifi: pci: wait for firmware loading before releasing memory
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+[ Upstream commit b59b86c5d08be7d761c04affcbcec8184738c200 ]
+
+At probe error path, the firmware loading work may have already been
+queued. In such a case, it will try to access memory allocated by the probe
+function, which is about to be released. In such paths, wait for the
+firmware worker to finish before releasing memory.
+
+Fixes: 3d86b93064c7 ("rtlwifi: Fix PCI probe error path orphaned memory")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20241206173713.3222187-5-cascardo@igalia.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/pci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
+index 5b0a5a22d06d2..925e4f807eb9f 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
+@@ -2220,6 +2220,7 @@ int rtl_pci_probe(struct pci_dev *pdev,
+ fail4:
+ rtl_deinit_core(hw);
+ fail3:
++ wait_for_completion(&rtlpriv->firmware_loading_complete);
+ rtlpriv->cfg->ops->deinit_sw_vars(hw);
+
+ fail2:
+--
+2.39.5
+
--- /dev/null
+From 7c52028a64469487d0902fa71a5acb46f48d56b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Dec 2024 14:37:10 -0300
+Subject: wifi: rtlwifi: remove unused check_buddy_priv
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+[ Upstream commit 2fdac64c3c35858aa8ac5caa70b232e03456e120 ]
+
+Commit 2461c7d60f9f ("rtlwifi: Update header file") introduced a global
+list of private data structures.
+
+Later on, commit 26634c4b1868 ("rtlwifi Modify existing bits to match
+vendor version 2013.02.07") started adding the private data to that list at
+probe time and added a hook, check_buddy_priv to find the private data from
+a similar device.
+
+However, that function was never used.
+
+Besides, though there is a lock for that list, it is never used. And when
+the probe fails, the private data is never removed from the list. This
+would cause a second probe to access freed memory.
+
+Remove the unused hook, structures and members, which will prevent the
+potential race condition on the list and its corruption during a second
+probe when probe fails.
+
+Fixes: 26634c4b1868 ("rtlwifi Modify existing bits to match vendor version 2013.02.07")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20241206173713.3222187-2-cascardo@igalia.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/base.c | 7 ----
+ drivers/net/wireless/realtek/rtlwifi/base.h | 1 -
+ drivers/net/wireless/realtek/rtlwifi/pci.c | 44 ---------------------
+ drivers/net/wireless/realtek/rtlwifi/wifi.h | 12 ------
+ 4 files changed, 64 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c
+index 3c2bdfb56fb4f..c14d7cbaa6472 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/base.c
++++ b/drivers/net/wireless/realtek/rtlwifi/base.c
+@@ -2720,9 +2720,6 @@ MODULE_AUTHOR("Larry Finger <Larry.FInger@lwfinger.net>");
+ MODULE_LICENSE("GPL");
+ MODULE_DESCRIPTION("Realtek 802.11n PCI wireless core");
+
+-struct rtl_global_var rtl_global_var = {};
+-EXPORT_SYMBOL_GPL(rtl_global_var);
+-
+ static int __init rtl_core_module_init(void)
+ {
+ BUILD_BUG_ON(TX_PWR_BY_RATE_NUM_RATE < TX_PWR_BY_RATE_NUM_SECTION);
+@@ -2736,10 +2733,6 @@ static int __init rtl_core_module_init(void)
+ /* add debugfs */
+ rtl_debugfs_add_topdir();
+
+- /* init some global vars */
+- INIT_LIST_HEAD(&rtl_global_var.glb_priv_list);
+- spin_lock_init(&rtl_global_var.glb_list_lock);
+-
+ return 0;
+ }
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/base.h b/drivers/net/wireless/realtek/rtlwifi/base.h
+index f081a9a90563f..f3a6a43a42eca 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/base.h
++++ b/drivers/net/wireless/realtek/rtlwifi/base.h
+@@ -124,7 +124,6 @@ int rtl_send_smps_action(struct ieee80211_hw *hw,
+ u8 *rtl_find_ie(u8 *data, unsigned int len, u8 ie);
+ void rtl_recognize_peer(struct ieee80211_hw *hw, u8 *data, unsigned int len);
+ u8 rtl_tid_to_ac(u8 tid);
+-extern struct rtl_global_var rtl_global_var;
+ void rtl_phy_scan_operation_backup(struct ieee80211_hw *hw, u8 operation);
+
+ #endif
+diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
+index 0dcf5350e0885..c0a201f1b74e5 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
+@@ -295,46 +295,6 @@ static bool rtl_pci_get_amd_l1_patch(struct ieee80211_hw *hw)
+ return status;
+ }
+
+-static bool rtl_pci_check_buddy_priv(struct ieee80211_hw *hw,
+- struct rtl_priv **buddy_priv)
+-{
+- struct rtl_priv *rtlpriv = rtl_priv(hw);
+- struct rtl_pci_priv *pcipriv = rtl_pcipriv(hw);
+- struct rtl_priv *tpriv = NULL, *iter;
+- struct rtl_pci_priv *tpcipriv = NULL;
+-
+- if (!list_empty(&rtlpriv->glb_var->glb_priv_list)) {
+- list_for_each_entry(iter, &rtlpriv->glb_var->glb_priv_list,
+- list) {
+- tpcipriv = (struct rtl_pci_priv *)iter->priv;
+- rtl_dbg(rtlpriv, COMP_INIT, DBG_LOUD,
+- "pcipriv->ndis_adapter.funcnumber %x\n",
+- pcipriv->ndis_adapter.funcnumber);
+- rtl_dbg(rtlpriv, COMP_INIT, DBG_LOUD,
+- "tpcipriv->ndis_adapter.funcnumber %x\n",
+- tpcipriv->ndis_adapter.funcnumber);
+-
+- if (pcipriv->ndis_adapter.busnumber ==
+- tpcipriv->ndis_adapter.busnumber &&
+- pcipriv->ndis_adapter.devnumber ==
+- tpcipriv->ndis_adapter.devnumber &&
+- pcipriv->ndis_adapter.funcnumber !=
+- tpcipriv->ndis_adapter.funcnumber) {
+- tpriv = iter;
+- break;
+- }
+- }
+- }
+-
+- rtl_dbg(rtlpriv, COMP_INIT, DBG_LOUD,
+- "find_buddy_priv %d\n", tpriv != NULL);
+-
+- if (tpriv)
+- *buddy_priv = tpriv;
+-
+- return tpriv != NULL;
+-}
+-
+ static void rtl_pci_parse_configuration(struct pci_dev *pdev,
+ struct ieee80211_hw *hw)
+ {
+@@ -2013,7 +1973,6 @@ static bool _rtl_pci_find_adapter(struct pci_dev *pdev,
+ pcipriv->ndis_adapter.amd_l1_patch);
+
+ rtl_pci_parse_configuration(pdev, hw);
+- list_add_tail(&rtlpriv->list, &rtlpriv->glb_var->glb_priv_list);
+
+ return true;
+ }
+@@ -2160,7 +2119,6 @@ int rtl_pci_probe(struct pci_dev *pdev,
+ rtlpriv->rtlhal.interface = INTF_PCI;
+ rtlpriv->cfg = (struct rtl_hal_cfg *)(id->driver_data);
+ rtlpriv->intf_ops = &rtl_pci_ops;
+- rtlpriv->glb_var = &rtl_global_var;
+ rtl_efuse_ops_init(hw);
+
+ /* MEM map */
+@@ -2318,7 +2276,6 @@ void rtl_pci_disconnect(struct pci_dev *pdev)
+ if (rtlpci->using_msi)
+ pci_disable_msi(rtlpci->pdev);
+
+- list_del(&rtlpriv->list);
+ if (rtlpriv->io.pci_mem_start != 0) {
+ pci_iounmap(pdev, (void __iomem *)rtlpriv->io.pci_mem_start);
+ pci_release_regions(pdev);
+@@ -2378,7 +2335,6 @@ const struct rtl_intf_ops rtl_pci_ops = {
+ .read_efuse_byte = read_efuse_byte,
+ .adapter_start = rtl_pci_start,
+ .adapter_stop = rtl_pci_stop,
+- .check_buddy_priv = rtl_pci_check_buddy_priv,
+ .adapter_tx = rtl_pci_tx,
+ .flush = rtl_pci_flush,
+ .reset_trx_ring = rtl_pci_reset_trx_ring,
+diff --git a/drivers/net/wireless/realtek/rtlwifi/wifi.h b/drivers/net/wireless/realtek/rtlwifi/wifi.h
+index f22891c73ade1..359ee313a0d2b 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/wifi.h
++++ b/drivers/net/wireless/realtek/rtlwifi/wifi.h
+@@ -2335,8 +2335,6 @@ struct rtl_intf_ops {
+ void (*read_efuse_byte)(struct ieee80211_hw *hw, u16 _offset, u8 *pbuf);
+ int (*adapter_start)(struct ieee80211_hw *hw);
+ void (*adapter_stop)(struct ieee80211_hw *hw);
+- bool (*check_buddy_priv)(struct ieee80211_hw *hw,
+- struct rtl_priv **buddy_priv);
+
+ int (*adapter_tx)(struct ieee80211_hw *hw,
+ struct ieee80211_sta *sta,
+@@ -2580,14 +2578,6 @@ struct dig_t {
+ u32 rssi_max;
+ };
+
+-struct rtl_global_var {
+- /* from this list we can get
+- * other adapter's rtl_priv
+- */
+- struct list_head glb_priv_list;
+- spinlock_t glb_list_lock;
+-};
+-
+ #define IN_4WAY_TIMEOUT_TIME (30 * MSEC_PER_SEC) /* 30 seconds */
+
+ struct rtl_btc_info {
+@@ -2733,9 +2723,7 @@ struct rtl_scan_list {
+ struct rtl_priv {
+ struct ieee80211_hw *hw;
+ struct completion firmware_loading_complete;
+- struct list_head list;
+ struct rtl_priv *buddy_priv;
+- struct rtl_global_var *glb_var;
+ struct rtl_dmsp_ctl dmsp_ctl;
+ struct rtl_locks locks;
+ struct rtl_works works;
+--
+2.39.5
+
--- /dev/null
+From 9fa6477c83c43929d08001745fcb39be77e4f6a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Jun 2023 09:59:40 +0300
+Subject: wifi: rtlwifi: remove unused dualmac control leftovers
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 557123259200b30863e1b6a8f24a8c8060b6fc1d ]
+
+Remove 'struct rtl_dualmac_easy_concurrent_ctl' of 'struct rtl_priv'
+and related code in '_rtl_pci_tx_chk_waitq()'.
+
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Acked-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20230602065940.149198-2-dmantipov@yandex.ru
+Stable-dep-of: 2fdac64c3c35 ("wifi: rtlwifi: remove unused check_buddy_priv")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/pci.c | 5 -----
+ drivers/net/wireless/realtek/rtlwifi/wifi.h | 9 ---------
+ 2 files changed, 14 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/pci.c b/drivers/net/wireless/realtek/rtlwifi/pci.c
+index f17a365fba070..0dcf5350e0885 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/pci.c
++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c
+@@ -443,11 +443,6 @@ static void _rtl_pci_tx_chk_waitq(struct ieee80211_hw *hw)
+ if (!rtlpriv->rtlhal.earlymode_enable)
+ return;
+
+- if (rtlpriv->dm.supp_phymode_switch &&
+- (rtlpriv->easy_concurrent_ctl.switch_in_process ||
+- (rtlpriv->buddy_priv &&
+- rtlpriv->buddy_priv->easy_concurrent_ctl.switch_in_process)))
+- return;
+ /* we just use em for BE/BK/VI/VO */
+ for (tid = 7; tid >= 0; tid--) {
+ u8 hw_queue = ac_to_hwq[rtl_tid_to_ac(tid)];
+diff --git a/drivers/net/wireless/realtek/rtlwifi/wifi.h b/drivers/net/wireless/realtek/rtlwifi/wifi.h
+index d1b36760c8948..f22891c73ade1 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/wifi.h
++++ b/drivers/net/wireless/realtek/rtlwifi/wifi.h
+@@ -2496,14 +2496,6 @@ struct rtl_debug {
+ #define MIMO_PS_DYNAMIC 1
+ #define MIMO_PS_NOLIMIT 3
+
+-struct rtl_dualmac_easy_concurrent_ctl {
+- enum band_type currentbandtype_backfordmdp;
+- bool close_bbandrf_for_dmsp;
+- bool change_to_dmdp;
+- bool change_to_dmsp;
+- bool switch_in_process;
+-};
+-
+ struct rtl_dmsp_ctl {
+ bool activescan_for_slaveofdmsp;
+ bool scan_for_anothermac_fordmsp;
+@@ -2744,7 +2736,6 @@ struct rtl_priv {
+ struct list_head list;
+ struct rtl_priv *buddy_priv;
+ struct rtl_global_var *glb_var;
+- struct rtl_dualmac_easy_concurrent_ctl easy_concurrent_ctl;
+ struct rtl_dmsp_ctl dmsp_ctl;
+ struct rtl_locks locks;
+ struct rtl_works works;
+--
+2.39.5
+
--- /dev/null
+From 300462f725072feaf60e97423cf978ef1b55b2b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 2 Jun 2023 09:59:39 +0300
+Subject: wifi: rtlwifi: remove unused timer and related code
+
+From: Dmitry Antipov <dmantipov@yandex.ru>
+
+[ Upstream commit 358b94f0a7cadd2ec7824531d54dadaa8b71de04 ]
+
+Drop unused 'dualmac_easyconcurrent_retrytimer' of 'struct rtl_works',
+corresponding 'rtl_easy_concurrent_retrytimer_callback()' handler,
+'dualmac_easy_concurrent' function pointer of 'struct rtl_hal_ops'
+and related call to 'timer_setup()' in '_rtl_init_deferred_work()'.
+
+Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
+Acked-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://lore.kernel.org/r/20230602065940.149198-1-dmantipov@yandex.ru
+Stable-dep-of: 2fdac64c3c35 ("wifi: rtlwifi: remove unused check_buddy_priv")
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/base.c | 16 +---------------
+ drivers/net/wireless/realtek/rtlwifi/base.h | 1 -
+ drivers/net/wireless/realtek/rtlwifi/wifi.h | 2 --
+ 3 files changed, 1 insertion(+), 18 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c
+index 7ec876c6c663e..3c2bdfb56fb4f 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/base.c
++++ b/drivers/net/wireless/realtek/rtlwifi/base.c
+@@ -452,8 +452,7 @@ static int _rtl_init_deferred_work(struct ieee80211_hw *hw)
+ /* <1> timer */
+ timer_setup(&rtlpriv->works.watchdog_timer,
+ rtl_watch_dog_timer_callback, 0);
+- timer_setup(&rtlpriv->works.dualmac_easyconcurrent_retrytimer,
+- rtl_easy_concurrent_retrytimer_callback, 0);
++
+ /* <2> work queue */
+ rtlpriv->works.hw = hw;
+ rtlpriv->works.rtl_wq = wq;
+@@ -2376,19 +2375,6 @@ static void rtl_c2hcmd_wq_callback(struct work_struct *work)
+ rtl_c2hcmd_launcher(hw, 1);
+ }
+
+-void rtl_easy_concurrent_retrytimer_callback(struct timer_list *t)
+-{
+- struct rtl_priv *rtlpriv =
+- from_timer(rtlpriv, t, works.dualmac_easyconcurrent_retrytimer);
+- struct ieee80211_hw *hw = rtlpriv->hw;
+- struct rtl_priv *buddy_priv = rtlpriv->buddy_priv;
+-
+- if (buddy_priv == NULL)
+- return;
+-
+- rtlpriv->cfg->ops->dualmac_easy_concurrent(hw);
+-}
+-
+ /*********************************************************
+ *
+ * frame process functions
+diff --git a/drivers/net/wireless/realtek/rtlwifi/base.h b/drivers/net/wireless/realtek/rtlwifi/base.h
+index 0e4f8a8ae3a5f..f081a9a90563f 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/base.h
++++ b/drivers/net/wireless/realtek/rtlwifi/base.h
+@@ -124,7 +124,6 @@ int rtl_send_smps_action(struct ieee80211_hw *hw,
+ u8 *rtl_find_ie(u8 *data, unsigned int len, u8 ie);
+ void rtl_recognize_peer(struct ieee80211_hw *hw, u8 *data, unsigned int len);
+ u8 rtl_tid_to_ac(u8 tid);
+-void rtl_easy_concurrent_retrytimer_callback(struct timer_list *t);
+ extern struct rtl_global_var rtl_global_var;
+ void rtl_phy_scan_operation_backup(struct ieee80211_hw *hw, u8 operation);
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/wifi.h b/drivers/net/wireless/realtek/rtlwifi/wifi.h
+index c997d8bfda975..d1b36760c8948 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/wifi.h
++++ b/drivers/net/wireless/realtek/rtlwifi/wifi.h
+@@ -2300,7 +2300,6 @@ struct rtl_hal_ops {
+ u32 regaddr, u32 bitmask, u32 data);
+ void (*linked_set_reg)(struct ieee80211_hw *hw);
+ void (*chk_switch_dmdp)(struct ieee80211_hw *hw);
+- void (*dualmac_easy_concurrent)(struct ieee80211_hw *hw);
+ void (*dualmac_switch_to_dmdp)(struct ieee80211_hw *hw);
+ bool (*phy_rf6052_config)(struct ieee80211_hw *hw);
+ void (*phy_rf6052_set_cck_txpower)(struct ieee80211_hw *hw,
+@@ -2466,7 +2465,6 @@ struct rtl_works {
+
+ /*timer */
+ struct timer_list watchdog_timer;
+- struct timer_list dualmac_easyconcurrent_retrytimer;
+ struct timer_list fw_clockoff_timer;
+ struct timer_list fast_antenna_training_timer;
+ /*task */
+--
+2.39.5
+
--- /dev/null
+From e92e1e45f3f502f0bcb8a2f0144ebf5b6310baed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Nov 2024 10:33:19 -0300
+Subject: wifi: rtlwifi: rtl8192se: rise completion of firmware loading as last
+ step
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+[ Upstream commit 8559a9e0c457729fe3edb3176bbf7c7874f482b0 ]
+
+Just like in commit 4dfde294b979 ("rtlwifi: rise completion at the last
+step of firmware callback"), only signal completion once the function is
+finished. Otherwise, the module removal waiting for the completion could
+free the memory that the callback will still use before returning.
+
+Fixes: b0302aba812b ("rtlwifi: Convert to asynchronous firmware load")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Acked-by: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20241107133322.855112-3-cascardo@igalia.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8192se/sw.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192se/sw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192se/sw.c
+index 6d352a3161b8f..60d97e73ca28e 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192se/sw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192se/sw.c
+@@ -67,22 +67,23 @@ static void rtl92se_fw_cb(const struct firmware *firmware, void *context)
+
+ rtl_dbg(rtlpriv, COMP_ERR, DBG_LOUD,
+ "Firmware callback routine entered!\n");
+- complete(&rtlpriv->firmware_loading_complete);
+ if (!firmware) {
+ pr_err("Firmware %s not available\n", fw_name);
+ rtlpriv->max_fw_size = 0;
+- return;
++ goto exit;
+ }
+ if (firmware->size > rtlpriv->max_fw_size) {
+ pr_err("Firmware is too big!\n");
+ rtlpriv->max_fw_size = 0;
+ release_firmware(firmware);
+- return;
++ goto exit;
+ }
+ pfirmware = (struct rt_firmware *)rtlpriv->rtlhal.pfirmware;
+ memcpy(pfirmware->sz_fw_tmpbuffer, firmware->data, firmware->size);
+ pfirmware->sz_fw_tmpbufferlen = firmware->size;
+ release_firmware(firmware);
++exit:
++ complete(&rtlpriv->firmware_loading_complete);
+ }
+
+ static int rtl92s_init_sw_vars(struct ieee80211_hw *hw)
+--
+2.39.5
+
--- /dev/null
+From 21b2f5af6267068406869160976909cafef9c506 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Nov 2024 10:33:22 -0300
+Subject: wifi: rtlwifi: usb: fix workqueue leak when probe fails
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+[ Upstream commit f79bc5c67867c19ce2762e7934c20dbb835ed82c ]
+
+rtl_init_core creates a workqueue that is then assigned to rtl_wq.
+rtl_deinit_core does not destroy it. It is left to rtl_usb_deinit, which
+must be called in the probe error path.
+
+Fixes: 2ca20f79e0d8 ("rtlwifi: Add usb driver")
+Fixes: 851639fdaeac ("rtlwifi: Modify some USB de-initialize code.")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20241107133322.855112-6-cascardo@igalia.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c
+index 66af56a79dbe5..08ab2482c00cc 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/usb.c
++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c
+@@ -1083,6 +1083,7 @@ int rtl_usb_probe(struct usb_interface *intf,
+ wait_for_completion(&rtlpriv->firmware_loading_complete);
+ rtlpriv->cfg->ops->deinit_sw_vars(hw);
+ error_out:
++ rtl_usb_deinit(hw);
+ rtl_deinit_core(hw);
+ error_out2:
+ _rtl_usb_io_handler_release(hw);
+--
+2.39.5
+
--- /dev/null
+From bc829d902168c0d1341f8a966c4acbb607826f0d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 7 Nov 2024 10:33:20 -0300
+Subject: wifi: rtlwifi: wait for firmware loading before releasing memory
+
+From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+
+[ Upstream commit b4b26642b31ef282df6ff7ea8531985edfdef12a ]
+
+At probe error path, the firmware loading work may have already been
+queued. In such a case, it will try to access memory allocated by the probe
+function, which is about to be released. In such paths, wait for the
+firmware worker to finish before releasing memory.
+
+Fixes: a7f7c15e945a ("rtlwifi: rtl8192cu: Free ieee80211_hw if probing fails")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Link: https://patch.msgid.link/20241107133322.855112-4-cascardo@igalia.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/realtek/rtlwifi/usb.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/realtek/rtlwifi/usb.c b/drivers/net/wireless/realtek/rtlwifi/usb.c
+index add6da1ce3602..087e398da36d9 100644
+--- a/drivers/net/wireless/realtek/rtlwifi/usb.c
++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c
+@@ -1072,13 +1072,15 @@ int rtl_usb_probe(struct usb_interface *intf,
+ err = ieee80211_register_hw(hw);
+ if (err) {
+ pr_err("Can't register mac80211 hw.\n");
+- goto error_out;
++ goto error_init_vars;
+ }
+ rtlpriv->mac80211.mac80211_registered = 1;
+
+ set_bit(RTL_STATUS_INTERFACE_START, &rtlpriv->status);
+ return 0;
+
++error_init_vars:
++ wait_for_completion(&rtlpriv->firmware_loading_complete);
+ error_out:
+ rtl_deinit_core(hw);
+ error_out2:
+--
+2.39.5
+
--- /dev/null
+From 5f5cdb7dd0f4795fd439a93f8bc741f456adf0e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 4 Jan 2025 20:55:07 +0100
+Subject: wifi: wlcore: fix unbalanced pm_runtime calls
+
+From: Andreas Kemnade <andreas@kemnade.info>
+
+[ Upstream commit 996c934c8c196144af386c4385f61fcd5349af28 ]
+
+If firmware boot failes, runtime pm is put too often:
+[12092.708099] wlcore: ERROR firmware boot failed despite 3 retries
+[12092.708099] wl18xx_driver wl18xx.1.auto: Runtime PM usage count underflow!
+Fix that by redirecting all error gotos before runtime_get so that runtime is
+not put.
+
+Fixes: c40aad28a3cf ("wlcore: Make sure firmware is initialized in wl1271_op_add_interface()")
+Signed-off-by: Andreas Kemnade <andreas@kemnade.info>
+Reviewed-by: Michael Nemanov <michael.nemanov@ti.com>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://patch.msgid.link/20250104195507.402673-1-akemnade@kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ti/wlcore/main.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/ti/wlcore/main.c b/drivers/net/wireless/ti/wlcore/main.c
+index 6e402d62dbe4a..109c51e497926 100644
+--- a/drivers/net/wireless/ti/wlcore/main.c
++++ b/drivers/net/wireless/ti/wlcore/main.c
+@@ -2552,24 +2552,24 @@ static int wl1271_op_add_interface(struct ieee80211_hw *hw,
+ if (test_bit(WL1271_FLAG_RECOVERY_IN_PROGRESS, &wl->flags) ||
+ test_bit(WLVIF_FLAG_INITIALIZED, &wlvif->flags)) {
+ ret = -EBUSY;
+- goto out;
++ goto out_unlock;
+ }
+
+
+ ret = wl12xx_init_vif_data(wl, vif);
+ if (ret < 0)
+- goto out;
++ goto out_unlock;
+
+ wlvif->wl = wl;
+ role_type = wl12xx_get_role_type(wl, wlvif);
+ if (role_type == WL12XX_INVALID_ROLE_TYPE) {
+ ret = -EINVAL;
+- goto out;
++ goto out_unlock;
+ }
+
+ ret = wlcore_allocate_hw_queue_base(wl, wlvif);
+ if (ret < 0)
+- goto out;
++ goto out_unlock;
+
+ /*
+ * TODO: after the nvs issue will be solved, move this block
+@@ -2584,7 +2584,7 @@ static int wl1271_op_add_interface(struct ieee80211_hw *hw,
+
+ ret = wl12xx_init_fw(wl);
+ if (ret < 0)
+- goto out;
++ goto out_unlock;
+ }
+
+ /*
+--
+2.39.5
+
--- /dev/null
+From 8d4cf97a8c4900b4fbcc89dccf50151262c92be8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Nov 2024 14:10:31 +0200
+Subject: xfrm: replay: Fix the update of replay_esn->oseq_hi for GSO
+
+From: Jianbo Liu <jianbol@nvidia.com>
+
+[ Upstream commit c05c5e5aa163f4682ca97a2f0536575fc7dbdecb ]
+
+When skb needs GSO and wrap around happens, if xo->seq.low (seqno of
+the first skb segment) is before the last seq number but oseq (seqno
+of the last segment) is after it, xo->seq.low is still bigger than
+replay_esn->oseq while oseq is smaller than it, so the update of
+replay_esn->oseq_hi is missed for this case wrap around because of
+the change in the cited commit.
+
+For example, if sending a packet with gso_segs=3 while old
+replay_esn->oseq=0xfffffffe, we calculate:
+ xo->seq.low = 0xfffffffe + 1 = 0x0xffffffff
+ oseq = 0xfffffffe + 3 = 0x1
+(oseq < replay_esn->oseq) is true, but (xo->seq.low <
+replay_esn->oseq) is false, so replay_esn->oseq_hi is not incremented.
+
+To fix this issue, change the outer checking back for the update of
+replay_esn->oseq_hi. And add new checking inside for the update of
+packet's oseq_hi.
+
+Fixes: 4b549ccce941 ("xfrm: replay: Fix ESN wrap around for GSO")
+Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
+Reviewed-by: Patrisious Haddad <phaddad@nvidia.com>
+Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/xfrm/xfrm_replay.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c
+index 65d009e3b6bbe..aedc61ceadb30 100644
+--- a/net/xfrm/xfrm_replay.c
++++ b/net/xfrm/xfrm_replay.c
+@@ -657,10 +657,12 @@ static int xfrm_replay_overflow_offload_esn(struct xfrm_state *x, struct sk_buff
+ oseq += skb_shinfo(skb)->gso_segs;
+ }
+
+- if (unlikely(xo->seq.low < replay_esn->oseq)) {
+- XFRM_SKB_CB(skb)->seq.output.hi = ++oseq_hi;
+- xo->seq.hi = oseq_hi;
+- replay_esn->oseq_hi = oseq_hi;
++ if (unlikely(oseq < replay_esn->oseq)) {
++ replay_esn->oseq_hi = ++oseq_hi;
++ if (xo->seq.low < replay_esn->oseq) {
++ XFRM_SKB_CB(skb)->seq.output.hi = oseq_hi;
++ xo->seq.hi = oseq_hi;
++ }
+ if (replay_esn->oseq_hi == 0) {
+ replay_esn->oseq--;
+ replay_esn->oseq_hi--;
+--
+2.39.5
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
