5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 5 May 2025 08:19:21 +0000 (10:19 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 5 May 2025 08:19:21 +0000 (10:19 +0200)
added patches:
amd-xgbe-fix-to-ensure-dependent-features-are-toggled-with-rx-checksum-offload.patch
arm64-errata-add-missing-sentinels-to-spectre-bhb-midr-arrays.patch
dm-always-update-the-array-size-in-realloc_argv-on-success.patch
dm-integrity-fix-a-warning-on-invalid-table-line.patch
drm-nouveau-fix-warn_on-in-nouveau_fence_context_kill.patch
edac-altera-set-ddr-and-sdmmc-interrupt-mask-before-registration.patch
edac-altera-test-the-correct-error-reg-offset.patch
i2c-imx-lpi2c-fix-clock-count-when-probe-defers.patch
iommu-amd-fix-potential-buffer-overflow-in-parse_ivrs_acpihid.patch
iommu-vt-d-apply-quirk_iommu_igfx-for-8086-0044-qm57-qs57.patch
mmc-renesas_sdhi-fix-error-handling-in-renesas_sdhi_probe.patch
parisc-fix-double-sigfpe-crash.patch
tracing-fix-oob-write-in-trace_seq_to_buffer.patch
wifi-brcm80211-fmac-add-error-handling-for-brcmf_usb_dl_writeimage.patch

15 files changed:
queue-5.15/amd-xgbe-fix-to-ensure-dependent-features-are-toggled-with-rx-checksum-offload.patch [new file with mode: 0644]
queue-5.15/arm64-errata-add-missing-sentinels-to-spectre-bhb-midr-arrays.patch [new file with mode: 0644]
queue-5.15/dm-always-update-the-array-size-in-realloc_argv-on-success.patch [new file with mode: 0644]
queue-5.15/dm-integrity-fix-a-warning-on-invalid-table-line.patch [new file with mode: 0644]
queue-5.15/drm-nouveau-fix-warn_on-in-nouveau_fence_context_kill.patch [new file with mode: 0644]
queue-5.15/edac-altera-set-ddr-and-sdmmc-interrupt-mask-before-registration.patch [new file with mode: 0644]
queue-5.15/edac-altera-test-the-correct-error-reg-offset.patch [new file with mode: 0644]
queue-5.15/i2c-imx-lpi2c-fix-clock-count-when-probe-defers.patch [new file with mode: 0644]
queue-5.15/iommu-amd-fix-potential-buffer-overflow-in-parse_ivrs_acpihid.patch [new file with mode: 0644]
queue-5.15/iommu-vt-d-apply-quirk_iommu_igfx-for-8086-0044-qm57-qs57.patch [new file with mode: 0644]
queue-5.15/mmc-renesas_sdhi-fix-error-handling-in-renesas_sdhi_probe.patch [new file with mode: 0644]
queue-5.15/parisc-fix-double-sigfpe-crash.patch [new file with mode: 0644]
queue-5.15/series
queue-5.15/tracing-fix-oob-write-in-trace_seq_to_buffer.patch [new file with mode: 0644]
queue-5.15/wifi-brcm80211-fmac-add-error-handling-for-brcmf_usb_dl_writeimage.patch [new file with mode: 0644]

diff --git a/queue-5.15/amd-xgbe-fix-to-ensure-dependent-features-are-toggled-with-rx-checksum-offload.patch b/queue-5.15/amd-xgbe-fix-to-ensure-dependent-features-are-toggled-with-rx-checksum-offload.patch
new file mode 100644 (file)
index 0000000..903a270
--- /dev/null
@@ -0,0 +1,135 @@
+From f04dd30f1bef1ed2e74a4050af6e5e5e3869bac3 Mon Sep 17 00:00:00 2001
+From: Vishal Badole <Vishal.Badole@amd.com>
+Date: Thu, 24 Apr 2025 18:32:48 +0530
+Subject: amd-xgbe: Fix to ensure dependent features are toggled with RX checksum offload
+
+From: Vishal Badole <Vishal.Badole@amd.com>
+
+commit f04dd30f1bef1ed2e74a4050af6e5e5e3869bac3 upstream.
+
+According to the XGMAC specification, enabling features such as Layer 3
+and Layer 4 Packet Filtering, Split Header and Virtualized Network support
+automatically selects the IPC Full Checksum Offload Engine on the receive
+side.
+
+When RX checksum offload is disabled, these dependent features must also
+be disabled to prevent abnormal behavior caused by mismatched feature
+dependencies.
+
+Ensure that toggling RX checksum offload (disabling or enabling) properly
+disables or enables all dependent features, maintaining consistent and
+expected behavior in the network device.
+
+Cc: stable@vger.kernel.org
+Fixes: 1a510ccf5869 ("amd-xgbe: Add support for VXLAN offload capabilities")
+Signed-off-by: Vishal Badole <Vishal.Badole@amd.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250424130248.428865-1-Vishal.Badole@amd.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/amd/xgbe/xgbe-desc.c |    9 +++++++--
+ drivers/net/ethernet/amd/xgbe/xgbe-dev.c  |   24 ++++++++++++++++++++++--
+ drivers/net/ethernet/amd/xgbe/xgbe-drv.c  |   11 +++++++++--
+ drivers/net/ethernet/amd/xgbe/xgbe.h      |    4 ++++
+ 4 files changed, 42 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-desc.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-desc.c
+@@ -373,8 +373,13 @@ static int xgbe_map_rx_buffer(struct xgb
+       }
+       /* Set up the header page info */
+-      xgbe_set_buffer_data(&rdata->rx.hdr, &ring->rx_hdr_pa,
+-                           XGBE_SKB_ALLOC_SIZE);
++      if (pdata->netdev->features & NETIF_F_RXCSUM) {
++              xgbe_set_buffer_data(&rdata->rx.hdr, &ring->rx_hdr_pa,
++                                   XGBE_SKB_ALLOC_SIZE);
++      } else {
++              xgbe_set_buffer_data(&rdata->rx.hdr, &ring->rx_hdr_pa,
++                                   pdata->rx_buf_size);
++      }
+       /* Set up the buffer page info */
+       xgbe_set_buffer_data(&rdata->rx.buf, &ring->rx_buf_pa,
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
+@@ -320,6 +320,18 @@ static void xgbe_config_sph_mode(struct
+       XGMAC_IOWRITE_BITS(pdata, MAC_RCR, HDSMS, XGBE_SPH_HDSMS_SIZE);
+ }
++static void xgbe_disable_sph_mode(struct xgbe_prv_data *pdata)
++{
++      unsigned int i;
++
++      for (i = 0; i < pdata->channel_count; i++) {
++              if (!pdata->channel[i]->rx_ring)
++                      break;
++
++              XGMAC_DMA_IOWRITE_BITS(pdata->channel[i], DMA_CH_CR, SPH, 0);
++      }
++}
++
+ static int xgbe_write_rss_reg(struct xgbe_prv_data *pdata, unsigned int type,
+                             unsigned int index, unsigned int val)
+ {
+@@ -3495,8 +3507,12 @@ static int xgbe_init(struct xgbe_prv_dat
+       xgbe_config_tx_coalesce(pdata);
+       xgbe_config_rx_buffer_size(pdata);
+       xgbe_config_tso_mode(pdata);
+-      xgbe_config_sph_mode(pdata);
+-      xgbe_config_rss(pdata);
++
++      if (pdata->netdev->features & NETIF_F_RXCSUM) {
++              xgbe_config_sph_mode(pdata);
++              xgbe_config_rss(pdata);
++      }
++
+       desc_if->wrapper_tx_desc_init(pdata);
+       desc_if->wrapper_rx_desc_init(pdata);
+       xgbe_enable_dma_interrupts(pdata);
+@@ -3650,5 +3666,9 @@ void xgbe_init_function_ptrs_dev(struct
+       hw_if->disable_vxlan = xgbe_disable_vxlan;
+       hw_if->set_vxlan_id = xgbe_set_vxlan_id;
++      /* For Split Header*/
++      hw_if->enable_sph = xgbe_config_sph_mode;
++      hw_if->disable_sph = xgbe_disable_sph_mode;
++
+       DBGPR("<--xgbe_init_function_ptrs\n");
+ }
+--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
++++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
+@@ -2264,10 +2264,17 @@ static int xgbe_set_features(struct net_
+       if (ret)
+               return ret;
+-      if ((features & NETIF_F_RXCSUM) && !rxcsum)
++      if ((features & NETIF_F_RXCSUM) && !rxcsum) {
++              hw_if->enable_sph(pdata);
++              hw_if->enable_vxlan(pdata);
+               hw_if->enable_rx_csum(pdata);
+-      else if (!(features & NETIF_F_RXCSUM) && rxcsum)
++              schedule_work(&pdata->restart_work);
++      } else if (!(features & NETIF_F_RXCSUM) && rxcsum) {
++              hw_if->disable_sph(pdata);
++              hw_if->disable_vxlan(pdata);
+               hw_if->disable_rx_csum(pdata);
++              schedule_work(&pdata->restart_work);
++      }
+       if ((features & NETIF_F_HW_VLAN_CTAG_RX) && !rxvlan)
+               hw_if->enable_rx_vlan_stripping(pdata);
+--- a/drivers/net/ethernet/amd/xgbe/xgbe.h
++++ b/drivers/net/ethernet/amd/xgbe/xgbe.h
+@@ -833,6 +833,10 @@ struct xgbe_hw_if {
+       void (*enable_vxlan)(struct xgbe_prv_data *);
+       void (*disable_vxlan)(struct xgbe_prv_data *);
+       void (*set_vxlan_id)(struct xgbe_prv_data *);
++
++      /* For Split Header */
++      void (*enable_sph)(struct xgbe_prv_data *pdata);
++      void (*disable_sph)(struct xgbe_prv_data *pdata);
+ };
+ /* This structure represents implementation specific routines for an
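Review bot: In the xgbe_init() hunk of xgbe-dev.c the new `if (pdata->netdev->features & NETIF_F_RXCSUM)` also skips `xgbe_config_rss(pdata)`, yet the commit message names only L3/L4 filtering, split header and virtualized-network support as dependent features, so the RSS gating is undocumented. Whether NETIF_F_RXHASH is cleared when RX checksum offload is off is not visible in these hunks; if it is not, the device would keep advertising receive hashing that was never programmed. I would add a comment above the block saying why RSS is skipped together with split header, for example `/* SPH and RSS are only programmed while RX checksum offload is enabled */`, and confirm that the feature flags stay consistent in xgbe_set_features(). Both xgbe_init() and xgbe_set_features() extend beyond the hunks shown.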
diff --git a/queue-5.15/arm64-errata-add-missing-sentinels-to-spectre-bhb-midr-arrays.patch b/queue-5.15/arm64-errata-add-missing-sentinels-to-spectre-bhb-midr-arrays.patch
new file mode 100644 (file)
index 0000000..149d37e
--- /dev/null
@@ -0,0 +1,76 @@
+From fee4d171451c1ad9e8aaf65fc0ab7d143a33bd72 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Thu, 1 May 2025 11:47:47 +0100
+Subject: arm64: errata: Add missing sentinels to Spectre-BHB MIDR arrays
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Will Deacon <will@kernel.org>
+
+commit fee4d171451c1ad9e8aaf65fc0ab7d143a33bd72 upstream.
+
+Commit a5951389e58d ("arm64: errata: Add newer ARM cores to the
+spectre_bhb_loop_affected() lists") added some additional CPUs to the
+Spectre-BHB workaround, including some new arrays for designs that
+require new 'k' values for the workaround to be effective.
+
+Unfortunately, the new arrays omitted the sentinel entry and so
+is_midr_in_range_list() will walk off the end when it doesn't find a
+match. With UBSAN enabled, this leads to a crash during boot when
+is_midr_in_range_list() is inlined (which was more common prior to
+c8c2647e69be ("arm64: Make  _midr_in_range_list() an exported
+function")):
+
+ |  Internal error: aarch64 BRK: 00000000f2000001 [#1] PREEMPT SMP
+ |  pstate: 804000c5 (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ |  pc : spectre_bhb_loop_affected+0x28/0x30
+ |  lr : is_spectre_bhb_affected+0x170/0x190
+ | [...]
+ |  Call trace:
+ |   spectre_bhb_loop_affected+0x28/0x30
+ |   update_cpu_capabilities+0xc0/0x184
+ |   init_cpu_features+0x188/0x1a4
+ |   cpuinfo_store_boot_cpu+0x4c/0x60
+ |   smp_prepare_boot_cpu+0x38/0x54
+ |   start_kernel+0x8c/0x478
+ |   __primary_switched+0xc8/0xd4
+ |  Code: 6b09011f 54000061 52801080 d65f03c0 (d4200020)
+ |  ---[ end trace 0000000000000000 ]---
+ |  Kernel panic - not syncing: aarch64 BRK: Fatal exception
+
+Add the missing sentinel entries.
+
+Cc: Lee Jones <lee@kernel.org>
+Cc: James Morse <james.morse@arm.com>
+Cc: Doug Anderson <dianders@chromium.org>
+Cc: Shameer Kolothum <shameerali.kolothum.thodi@huawei.com>
+Cc: <stable@vger.kernel.org>
+Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Fixes: a5951389e58d ("arm64: errata: Add newer ARM cores to the spectre_bhb_loop_affected() lists")
+Signed-off-by: Will Deacon <will@kernel.org>
+Reviewed-by: Lee Jones <lee@kernel.org>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Link: https://lore.kernel.org/r/20250501104747.28431-1-will@kernel.org
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/proton-pack.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/kernel/proton-pack.c
++++ b/arch/arm64/kernel/proton-pack.c
+@@ -879,10 +879,12 @@ static u8 spectre_bhb_loop_affected(void
+       static const struct midr_range spectre_bhb_k132_list[] = {
+               MIDR_ALL_VERSIONS(MIDR_CORTEX_X3),
+               MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2),
++              {},
+       };
+       static const struct midr_range spectre_bhb_k38_list[] = {
+               MIDR_ALL_VERSIONS(MIDR_CORTEX_A715),
+               MIDR_ALL_VERSIONS(MIDR_CORTEX_A720),
++              {},
+       };
+       static const struct midr_range spectre_bhb_k32_list[] = {
+               MIDR_ALL_VERSIONS(MIDR_CORTEX_A78),
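Review bot: Nothing in spectre_bhb_loop_affected() records that every `midr_range` list must end with an empty `{}` entry, which is the omission this patch repairs in spectre_bhb_k132_list and spectre_bhb_k38_list. A one-line comment ahead of the first array, e.g. `/* Every list below must end with an empty {} sentinel; is_midr_in_range_list() walks until it reaches one. */`, would make the invariant visible to whoever adds the next list. The remaining arrays of the function (spectre_bhb_k32_list onward) continue past the hunk, so their terminators should be checked in the backported tree as well.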
diff --git a/queue-5.15/dm-always-update-the-array-size-in-realloc_argv-on-success.patch b/queue-5.15/dm-always-update-the-array-size-in-realloc_argv-on-success.patch
new file mode 100644 (file)
index 0000000..72d8118
--- /dev/null
@@ -0,0 +1,43 @@
+From 5a2a6c428190f945c5cbf5791f72dbea83e97f66 Mon Sep 17 00:00:00 2001
+From: Benjamin Marzinski <bmarzins@redhat.com>
+Date: Tue, 15 Apr 2025 00:17:16 -0400
+Subject: dm: always update the array size in realloc_argv on success
+
+From: Benjamin Marzinski <bmarzins@redhat.com>
+
+commit 5a2a6c428190f945c5cbf5791f72dbea83e97f66 upstream.
+
+realloc_argv() was only updating the array size if it was called with
+old_argv already allocated. The first time it was called to create an
+argv array, it would allocate the array but return the array size as
+zero. dm_split_args() would think that it couldn't store any arguments
+in the array and would call realloc_argv() again, causing it to
+reallocate the initial slots (this time using GPF_KERNEL) and finally
+return a size. Aside from being wasteful, this could cause deadlocks on
+targets that need to process messages without starting new IO. Instead,
+realloc_argv should always update the allocated array size on success.
+
+Fixes: a0651926553c ("dm table: don't copy from a NULL pointer in realloc_argv()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-table.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/md/dm-table.c
++++ b/drivers/md/dm-table.c
+@@ -492,9 +492,10 @@ static char **realloc_argv(unsigned *siz
+               gfp = GFP_NOIO;
+       }
+       argv = kmalloc_array(new_size, sizeof(*argv), gfp);
+-      if (argv && old_argv) {
+-              memcpy(argv, old_argv, *size * sizeof(*argv));
++      if (argv) {
+               *size = new_size;
++              if (old_argv)
++                      memcpy(argv, old_argv, *size * sizeof(*argv));
+       }
+       kfree(old_argv);
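Review bot: The reordered block in realloc_argv() assigns `*size = new_size;` before the copy, so `memcpy(argv, old_argv, *size * sizeof(*argv));` now reads new_size entries from old_argv, which was allocated for the previous count. new_size is computed above the hunk, but whenever it is larger than the old `*size` this is an out-of-bounds read of the old allocation. Copy first and update the size afterwards: `if (old_argv) memcpy(argv, old_argv, *size * sizeof(*argv));` followed by `*size = new_size;`, both still inside `if (argv)`.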
diff --git a/queue-5.15/dm-integrity-fix-a-warning-on-invalid-table-line.patch b/queue-5.15/dm-integrity-fix-a-warning-on-invalid-table-line.patch
new file mode 100644 (file)
index 0000000..545b7a9
--- /dev/null
@@ -0,0 +1,31 @@
+From 0a533c3e4246c29d502a7e0fba0e86d80a906b04 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Tue, 22 Apr 2025 21:18:33 +0200
+Subject: dm-integrity: fix a warning on invalid table line
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 0a533c3e4246c29d502a7e0fba0e86d80a906b04 upstream.
+
+If we use the 'B' mode and we have an invalit table line,
+cancel_delayed_work_sync would trigger a warning. This commit avoids the
+warning.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-integrity.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-integrity.c
++++ b/drivers/md/dm-integrity.c
+@@ -4543,7 +4543,7 @@ static void dm_integrity_dtr(struct dm_t
+       BUG_ON(!RB_EMPTY_ROOT(&ic->in_progress));
+       BUG_ON(!list_empty(&ic->wait_list));
+-      if (ic->mode == 'B')
++      if (ic->mode == 'B' && ic->bitmap_flush_work.work.func)
+               cancel_delayed_work_sync(&ic->bitmap_flush_work);
+       if (ic->metadata_wq)
+               destroy_workqueue(ic->metadata_wq);
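Review bot: The new `ic->bitmap_flush_work.work.func` test in dm_integrity_dtr() has no comment, and its meaning is not obvious: it treats a NULL work function as proof that the delayed work was never initialised. That only holds if `ic` is zero-allocated and the work is set up after the point where an invalid table line makes the constructor bail out, and neither is visible in this hunk. I would add `/* bitmap_flush_work is initialised late in the constructor; func is still NULL if the table line was rejected before that */` above the condition. The destructor body continues outside the hunk.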
diff --git a/queue-5.15/drm-nouveau-fix-warn_on-in-nouveau_fence_context_kill.patch b/queue-5.15/drm-nouveau-fix-warn_on-in-nouveau_fence_context_kill.patch
new file mode 100644 (file)
index 0000000..140b93b
--- /dev/null
@@ -0,0 +1,46 @@
+From bbe5679f30d7690a9b6838a583b9690ea73fe0e9 Mon Sep 17 00:00:00 2001
+From: Philipp Stanner <phasta@kernel.org>
+Date: Tue, 15 Apr 2025 14:19:00 +0200
+Subject: drm/nouveau: Fix WARN_ON in nouveau_fence_context_kill()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Philipp Stanner <phasta@kernel.org>
+
+commit bbe5679f30d7690a9b6838a583b9690ea73fe0e9 upstream.
+
+Nouveau is mostly designed in a way that it's expected that fences only
+ever get signaled through nouveau_fence_signal(). However, in at least
+one other place, nouveau_fence_done(), can signal fences, too. If that
+happens (race) a signaled fence remains in the pending list for a while,
+until it gets removed by nouveau_fence_update().
+
+Should nouveau_fence_context_kill() run in the meantime, this would be
+a bug because the function would attempt to set an error code on an
+already signaled fence.
+
+Have nouveau_fence_context_kill() check for a fence being signaled.
+
+Cc: stable@vger.kernel.org # v5.10+
+Fixes: ea13e5abf807 ("drm/nouveau: signal pending fences when channel has been killed")
+Suggested-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Philipp Stanner <phasta@kernel.org>
+Link: https://lore.kernel.org/r/20250415121900.55719-3-phasta@kernel.org
+Signed-off-by: Danilo Krummrich <dakr@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_fence.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/nouveau/nouveau_fence.c
++++ b/drivers/gpu/drm/nouveau/nouveau_fence.c
+@@ -95,7 +95,7 @@ nouveau_fence_context_kill(struct nouvea
+       while (!list_empty(&fctx->pending)) {
+               fence = list_entry(fctx->pending.next, typeof(*fence), head);
+-              if (error)
++              if (error && !dma_fence_is_signaled_locked(&fence->base))
+                       dma_fence_set_error(&fence->base, error);
+               if (nouveau_fence_signal(fence))
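Review bot: `dma_fence_is_signaled_locked()` in the new condition must be called with the fence's lock held, and the lock acquisition in nouveau_fence_context_kill() lies above the hunk, so that precondition cannot be confirmed from these lines. The backport should be checked to run this loop under the lock that protects `fence->base`. A short comment on the check, e.g. `/* the fence may already have been signaled through nouveau_fence_done(); do not set an error on it then */`, would also record why the test exists. The function continues after the hunk.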
diff --git a/queue-5.15/edac-altera-set-ddr-and-sdmmc-interrupt-mask-before-registration.patch b/queue-5.15/edac-altera-set-ddr-and-sdmmc-interrupt-mask-before-registration.patch
new file mode 100644 (file)
index 0000000..b84d20e
--- /dev/null
@@ -0,0 +1,59 @@
+From 6dbe3c5418c4368e824bff6ae4889257dd544892 Mon Sep 17 00:00:00 2001
+From: Niravkumar L Rabara <niravkumar.l.rabara@altera.com>
+Date: Fri, 25 Apr 2025 07:26:40 -0700
+Subject: EDAC/altera: Set DDR and SDMMC interrupt mask before registration
+
+From: Niravkumar L Rabara <niravkumar.l.rabara@altera.com>
+
+commit 6dbe3c5418c4368e824bff6ae4889257dd544892 upstream.
+
+Mask DDR and SDMMC in probe function to avoid spurious interrupts before
+registration.  Removed invalid register write to system manager.
+
+Fixes: 1166fde93d5b ("EDAC, altera: Add Arria10 ECC memory init functions")
+Signed-off-by: Niravkumar L Rabara <niravkumar.l.rabara@altera.com>
+Signed-off-by: Matthew Gerlach <matthew.gerlach@altera.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Acked-by: Dinh Nguyen <dinguyen@kernel.org>
+Cc: stable@kernel.org
+Link: https://lore.kernel.org/20250425142640.33125-3-matthew.gerlach@altera.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/edac/altera_edac.c |    7 ++++---
+ drivers/edac/altera_edac.h |    2 ++
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/edac/altera_edac.c
++++ b/drivers/edac/altera_edac.c
+@@ -1015,9 +1015,6 @@ altr_init_a10_ecc_block(struct device_no
+               }
+       }
+-      /* Interrupt mode set to every SBERR */
+-      regmap_write(ecc_mgr_map, ALTR_A10_ECC_INTMODE_OFST,
+-                   ALTR_A10_ECC_INTMODE);
+       /* Enable ECC */
+       ecc_set_bits(ecc_ctrl_en_mask, (ecc_block_base +
+                                       ALTR_A10_ECC_CTRL_OFST));
+@@ -2100,6 +2097,10 @@ static int altr_edac_a10_probe(struct pl
+               return PTR_ERR(edac->ecc_mgr_map);
+       }
++      /* Set irq mask for DDR SBE to avoid any pending irq before registration */
++      regmap_write(edac->ecc_mgr_map, A10_SYSMGR_ECC_INTMASK_SET_OFST,
++                   (A10_SYSMGR_ECC_INTMASK_SDMMCB | A10_SYSMGR_ECC_INTMASK_DDR0));
++
+       edac->irq_chip.name = pdev->dev.of_node->name;
+       edac->irq_chip.irq_mask = a10_eccmgr_irq_mask;
+       edac->irq_chip.irq_unmask = a10_eccmgr_irq_unmask;
+--- a/drivers/edac/altera_edac.h
++++ b/drivers/edac/altera_edac.h
+@@ -249,6 +249,8 @@ struct altr_sdram_mc_data {
+ #define A10_SYSMGR_ECC_INTMASK_SET_OFST   0x94
+ #define A10_SYSMGR_ECC_INTMASK_CLR_OFST   0x98
+ #define A10_SYSMGR_ECC_INTMASK_OCRAM      BIT(1)
++#define A10_SYSMGR_ECC_INTMASK_SDMMCB     BIT(16)
++#define A10_SYSMGR_ECC_INTMASK_DDR0       BIT(17)
+ #define A10_SYSMGR_ECC_INTSTAT_SERR_OFST  0x9C
+ #define A10_SYSMGR_ECC_INTSTAT_DERR_OFST  0xA0
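Review bot: The `regmap_write()` added to altr_edac_a10_probe() ignores its return value, so if the write to `A10_SYSMGR_ECC_INTMASK_SET_OFST` fails, the probe carries on with the DDR and SDMMC interrupts unmasked, which is the state the patch is meant to prevent. Checking the result and failing the probe, or at least logging through `dev_err(&pdev->dev, ...)`, would close that gap; the rest of the probe function is outside the hunk, so the right unwind path has to be chosen there. The comment also mentions only "DDR SBE" although the value written includes `A10_SYSMGR_ECC_INTMASK_SDMMCB`; `/* Mask DDR0 and SDMMCB ECC interrupts until the handlers are registered */` would match the code.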
diff --git a/queue-5.15/edac-altera-test-the-correct-error-reg-offset.patch b/queue-5.15/edac-altera-test-the-correct-error-reg-offset.patch
new file mode 100644 (file)
index 0000000..3f4fd2c
--- /dev/null
@@ -0,0 +1,36 @@
+From 4fb7b8fceb0beebbe00712c3daf49ade0386076a Mon Sep 17 00:00:00 2001
+From: Niravkumar L Rabara <niravkumar.l.rabara@altera.com>
+Date: Fri, 25 Apr 2025 07:26:39 -0700
+Subject: EDAC/altera: Test the correct error reg offset
+
+From: Niravkumar L Rabara <niravkumar.l.rabara@altera.com>
+
+commit 4fb7b8fceb0beebbe00712c3daf49ade0386076a upstream.
+
+Test correct structure member, ecc_cecnt_offset, before using it.
+
+  [ bp: Massage commit message. ]
+
+Fixes: 73bcc942f427 ("EDAC, altera: Add Arria10 EDAC support")
+Signed-off-by: Niravkumar L Rabara <niravkumar.l.rabara@altera.com>
+Signed-off-by: Matthew Gerlach <matthew.gerlach@altera.com>
+Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
+Acked-by: Dinh Nguyen <dinguyen@kernel.org>
+Cc: stable@kernel.org
+Link: https://lore.kernel.org/20250425142640.33125-2-matthew.gerlach@altera.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/edac/altera_edac.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/edac/altera_edac.c
++++ b/drivers/edac/altera_edac.c
+@@ -98,7 +98,7 @@ static irqreturn_t altr_sdram_mc_err_han
+       if (status & priv->ecc_stat_ce_mask) {
+               regmap_read(drvdata->mc_vbase, priv->ecc_saddr_offset,
+                           &err_addr);
+-              if (priv->ecc_uecnt_offset)
++              if (priv->ecc_cecnt_offset)
+                       regmap_read(drvdata->mc_vbase,  priv->ecc_cecnt_offset,
+                                   &err_count);
+               edac_mc_handle_error(HW_EVENT_ERR_CORRECTED, mci, err_count,
diff --git a/queue-5.15/i2c-imx-lpi2c-fix-clock-count-when-probe-defers.patch b/queue-5.15/i2c-imx-lpi2c-fix-clock-count-when-probe-defers.patch
new file mode 100644 (file)
index 0000000..ef0b18b
--- /dev/null
@@ -0,0 +1,38 @@
+From b1852c5de2f2a37dd4462f7837c9e3e678f9e546 Mon Sep 17 00:00:00 2001
+From: Clark Wang <xiaoning.wang@nxp.com>
+Date: Mon, 21 Apr 2025 14:23:41 +0800
+Subject: i2c: imx-lpi2c: Fix clock count when probe defers
+
+From: Clark Wang <xiaoning.wang@nxp.com>
+
+commit b1852c5de2f2a37dd4462f7837c9e3e678f9e546 upstream.
+
+Deferred probe with pm_runtime_put() may delay clock disable, causing
+incorrect clock usage count. Use pm_runtime_put_sync() to ensure the
+clock is disabled immediately.
+
+Fixes: 13d6eb20fc79 ("i2c: imx-lpi2c: add runtime pm support")
+Signed-off-by: Clark Wang <xiaoning.wang@nxp.com>
+Signed-off-by: Carlos Song <carlos.song@nxp.com>
+Cc: <stable@vger.kernel.org> # v4.16+
+Link: https://lore.kernel.org/r/20250421062341.2471922-1-carlos.song@nxp.com
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-imx-lpi2c.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-imx-lpi2c.c
++++ b/drivers/i2c/busses/i2c-imx-lpi2c.c
+@@ -616,9 +616,9 @@ static int lpi2c_imx_probe(struct platfo
+       return 0;
+ rpm_disable:
+-      pm_runtime_put(&pdev->dev);
+-      pm_runtime_disable(&pdev->dev);
+       pm_runtime_dont_use_autosuspend(&pdev->dev);
++      pm_runtime_put_sync(&pdev->dev);
++      pm_runtime_disable(&pdev->dev);
+       return ret;
+ }
diff --git a/queue-5.15/iommu-amd-fix-potential-buffer-overflow-in-parse_ivrs_acpihid.patch b/queue-5.15/iommu-amd-fix-potential-buffer-overflow-in-parse_ivrs_acpihid.patch
new file mode 100644 (file)
index 0000000..a000477
--- /dev/null
@@ -0,0 +1,52 @@
+From 8dee308e4c01dea48fc104d37f92d5b58c50b96c Mon Sep 17 00:00:00 2001
+From: Pavel Paklov <Pavel.Paklov@cyberprotect.ru>
+Date: Tue, 25 Mar 2025 09:22:44 +0000
+Subject: iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid
+
+From: Pavel Paklov <Pavel.Paklov@cyberprotect.ru>
+
+commit 8dee308e4c01dea48fc104d37f92d5b58c50b96c upstream.
+
+There is a string parsing logic error which can lead to an overflow of hid
+or uid buffers. Comparing ACPIID_LEN against a total string length doesn't
+take into account the lengths of individual hid and uid buffers so the
+check is insufficient in some cases. For example if the length of hid
+string is 4 and the length of the uid string is 260, the length of str
+will be equal to ACPIID_LEN + 1 but uid string will overflow uid buffer
+which size is 256.
+
+The same applies to the hid string with length 13 and uid string with
+length 250.
+
+Check the length of hid and uid strings separately to prevent
+buffer overflow.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: ca3bf5d47cec ("iommu/amd: Introduces ivrs_acpihid kernel parameter")
+Cc: stable@vger.kernel.org
+Signed-off-by: Pavel Paklov <Pavel.Paklov@cyberprotect.ru>
+Link: https://lore.kernel.org/r/20250325092259.392844-1-Pavel.Paklov@cyberprotect.ru
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/amd/init.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/iommu/amd/init.c
++++ b/drivers/iommu/amd/init.c
+@@ -3343,6 +3343,14 @@ found:
+       while (*uid == '0' && *(uid + 1))
+               uid++;
++      if (strlen(hid) >= ACPIHID_HID_LEN) {
++              pr_err("Invalid command line: hid is too long\n");
++              return 1;
++      } else if (strlen(uid) >= ACPIHID_UID_LEN) {
++              pr_err("Invalid command line: uid is too long\n");
++              return 1;
++      }
++
+       i = early_acpihid_map_size++;
+       memcpy(early_acpihid_map[i].hid, hid, strlen(hid));
+       memcpy(early_acpihid_map[i].uid, uid, strlen(uid));
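Review bot: Directly after the new length checks, `i = early_acpihid_map_size++;` indexes `early_acpihid_map[i]` with no capacity test visible in this hunk. If parse_ivrs_acpihid() has no such test earlier (the function starts above the hunk), repeated `ivrs_acpihid` parameters would index past the end of the array, which is the same class of overflow this patch closes for the hid and uid fields. A guard such as `if (early_acpihid_map_size >= ARRAY_SIZE(early_acpihid_map)) return 1;` before the increment, with a matching `pr_err()`, would cover it. The two `memcpy()` calls also copy no terminator, so they depend on the map entries starting out zeroed.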
diff --git a/queue-5.15/iommu-vt-d-apply-quirk_iommu_igfx-for-8086-0044-qm57-qs57.patch b/queue-5.15/iommu-vt-d-apply-quirk_iommu_igfx-for-8086-0044-qm57-qs57.patch
new file mode 100644 (file)
index 0000000..1bc7ecd
--- /dev/null
@@ -0,0 +1,102 @@
+From 2c8a7c66c90832432496616a9a3c07293f1364f3 Mon Sep 17 00:00:00 2001
+From: Mingcong Bai <jeffbai@aosc.io>
+Date: Fri, 18 Apr 2025 11:16:42 +0800
+Subject: iommu/vt-d: Apply quirk_iommu_igfx for 8086:0044 (QM57/QS57)
+
+From: Mingcong Bai <jeffbai@aosc.io>
+
+commit 2c8a7c66c90832432496616a9a3c07293f1364f3 upstream.
+
+On the Lenovo ThinkPad X201, when Intel VT-d is enabled in the BIOS, the
+kernel boots with errors related to DMAR, the graphical interface appeared
+quite choppy, and the system resets erratically within a minute after it
+booted:
+
+DMAR: DRHD: handling fault status reg 3
+DMAR: [DMA Write NO_PASID] Request device [00:02.0] fault addr 0xb97ff000
+[fault reason 0x05] PTE Write access is not set
+
+Upon comparing boot logs with VT-d on/off, I found that the Intel Calpella
+quirk (`quirk_calpella_no_shadow_gtt()') correctly applied the igfx IOMMU
+disable/quirk correctly:
+
+pci 0000:00:00.0: DMAR: BIOS has allocated no shadow GTT; disabling IOMMU
+for graphics
+
+Whereas with VT-d on, it went into the "else" branch, which then
+triggered the DMAR handling fault above:
+
+... else if (!disable_igfx_iommu) {
+       /* we have to ensure the gfx device is idle before we flush */
+       pci_info(dev, "Disabling batched IOTLB flush on Ironlake\n");
+       iommu_set_dma_strict();
+}
+
+Now, this is not exactly scientific, but moving 0x0044 to quirk_iommu_igfx
+seems to have fixed the aforementioned issue. Running a few `git blame'
+runs on the function, I have found that the quirk was originally
+introduced as a fix specific to ThinkPad X201:
+
+commit 9eecabcb9a92 ("intel-iommu: Abort IOMMU setup for igfx if BIOS gave
+no shadow GTT space")
+
+Which was later revised twice to the "else" branch we saw above:
+
+- 2011: commit 6fbcfb3e467a ("intel-iommu: Workaround IOTLB hang on
+  Ironlake GPU")
+- 2024: commit ba00196ca41c ("iommu/vt-d: Decouple igfx_off from graphic
+  identity mapping")
+
+I'm uncertain whether further testings on this particular laptops were
+done in 2011 and (honestly I'm not sure) 2024, but I would be happy to do
+some distro-specific testing if that's what would be required to verify
+this patch.
+
+P.S., I also see IDs 0x0040, 0x0062, and 0x006a listed under the same
+`quirk_calpella_no_shadow_gtt()' quirk, but I'm not sure how similar these
+chipsets are (if they share the same issue with VT-d or even, indeed, if
+this issue is specific to a bug in the Lenovo BIOS). With regards to
+0x0062, it seems to be a Centrino wireless card, but not a chipset?
+
+I have also listed a couple (distro and kernel) bug reports below as
+references (some of them are from 7-8 years ago!), as they seem to be
+similar issue found on different Westmere/Ironlake, Haswell, and Broadwell
+hardware setups.
+
+Cc: stable@vger.kernel.org
+Fixes: 6fbcfb3e467a ("intel-iommu: Workaround IOTLB hang on Ironlake GPU")
+Fixes: ba00196ca41c ("iommu/vt-d: Decouple igfx_off from graphic identity mapping")
+Link: https://groups.google.com/g/qubes-users/c/4NP4goUds2c?pli=1
+Link: https://bugs.archlinux.org/task/65362
+Link: https://bbs.archlinux.org/viewtopic.php?id=230323
+Reported-by: Wenhao Sun <weiguangtwk@outlook.com>
+Closes: https://bugzilla.kernel.org/show_bug.cgi?id=197029
+Signed-off-by: Mingcong Bai <jeffbai@aosc.io>
+Link: https://lore.kernel.org/r/20250415133330.12528-1-jeffbai@aosc.io
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Signed-off-by: Joerg Roedel <jroedel@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iommu/intel/iommu.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/iommu/intel/iommu.c
++++ b/drivers/iommu/intel/iommu.c
+@@ -5660,6 +5660,9 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_I
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2e40, quirk_iommu_igfx);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x2e90, quirk_iommu_igfx);
++/* QM57/QS57 integrated gfx malfunctions with dmar */
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x0044, quirk_iommu_igfx);
++
+ /* Broadwell igfx malfunctions with dmar */
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x1606, quirk_iommu_igfx);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x160B, quirk_iommu_igfx);
+@@ -5737,7 +5740,6 @@ static void quirk_calpella_no_shadow_gtt
+       }
+ }
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x0040, quirk_calpella_no_shadow_gtt);
+-DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x0044, quirk_calpella_no_shadow_gtt);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x0062, quirk_calpella_no_shadow_gtt);
+ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x006a, quirk_calpella_no_shadow_gtt);
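Review bot: The new comment `/* QM57/QS57 integrated gfx malfunctions with dmar */` does not say what the quirk costs. quirk_iommu_igfx is defined outside this hunk, but as far as I can tell it takes the integrated GPU out of DMA remapping altogether. On 8086:0044 systems the graphics device would then no longer be confined by VT-d, whereas the quirk_calpella_no_shadow_gtt entry removed here did that only when the BIOS had allocated no shadow GTT. I would extend the comment along the lines of `/* QM57/QS57 igfx malfunctions with dmar; graphics DMA is left untranslated on these parts */` so the trade-off is on record for anyone relying on IOMMU isolation.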
diff --git a/queue-5.15/mmc-renesas_sdhi-fix-error-handling-in-renesas_sdhi_probe.patch b/queue-5.15/mmc-renesas_sdhi-fix-error-handling-in-renesas_sdhi_probe.patch
new file mode 100644 (file)
index 0000000..6753cd6
--- /dev/null
@@ -0,0 +1,68 @@
+From 649b50a82f09fa44c2f7a65618e4584072145ab7 Mon Sep 17 00:00:00 2001
+From: Ruslan Piasetskyi <ruslan.piasetskyi@gmail.com>
+Date: Wed, 26 Mar 2025 23:06:38 +0100
+Subject: mmc: renesas_sdhi: Fix error handling in renesas_sdhi_probe
+
+From: Ruslan Piasetskyi <ruslan.piasetskyi@gmail.com>
+
+commit 649b50a82f09fa44c2f7a65618e4584072145ab7 upstream.
+
+After moving tmio_mmc_host_probe down, error handling has to be
+adjusted.
+
+Fixes: 74f45de394d9 ("mmc: renesas_sdhi: register irqs before registering controller")
+Reviewed-by: Ihar Salauyou <salauyou.ihar@gmail.com>
+Signed-off-by: Ruslan Piasetskyi <ruslan.piasetskyi@gmail.com>
+Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Tested-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250326220638.460083-1-ruslan.piasetskyi@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/renesas_sdhi_core.c |   10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/drivers/mmc/host/renesas_sdhi_core.c
++++ b/drivers/mmc/host/renesas_sdhi_core.c
+@@ -1078,26 +1078,26 @@ int renesas_sdhi_probe(struct platform_d
+       num_irqs = platform_irq_count(pdev);
+       if (num_irqs < 0) {
+               ret = num_irqs;
+-              goto eirq;
++              goto edisclk;
+       }
+       /* There must be at least one IRQ source */
+       if (!num_irqs) {
+               ret = -ENXIO;
+-              goto eirq;
++              goto edisclk;
+       }
+       for (i = 0; i < num_irqs; i++) {
+               irq = platform_get_irq(pdev, i);
+               if (irq < 0) {
+                       ret = irq;
+-                      goto eirq;
++                      goto edisclk;
+               }
+               ret = devm_request_irq(&pdev->dev, irq, tmio_mmc_irq, 0,
+                                      dev_name(&pdev->dev), host);
+               if (ret)
+-                      goto eirq;
++                      goto edisclk;
+       }
+       ret = tmio_mmc_host_probe(host);
+@@ -1109,8 +1109,6 @@ int renesas_sdhi_probe(struct platform_d
+       return ret;
+-eirq:
+-      tmio_mmc_host_remove(host);
+ edisclk:
+       renesas_sdhi_clk_disable(host);
+ efree:
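Review bot: The four `goto edisclk` sites in the IRQ setup of renesas_sdhi_probe carry no comment explaining why they skip host teardown. They run before `ret = tmio_mmc_host_probe(host);`, so the removed `tmio_mmc_host_remove(host)` would have acted on a host that was never probed. A one-line comment above the `platform_irq_count()` call, such as `/* IRQs are requested before tmio_mmc_host_probe(); on failure only the clock needs undoing */`, would keep a later edit from reintroducing the old label. The failure branch of `tmio_mmc_host_probe()` itself lies between the two inner hunks and is not visible here, so its unwind target should be confirmed against the full function. renesas_sdhi_probe starts and ends outside the hunk.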
diff --git a/queue-5.15/parisc-fix-double-sigfpe-crash.patch b/queue-5.15/parisc-fix-double-sigfpe-crash.patch
new file mode 100644 (file)
index 0000000..811f2d7
--- /dev/null
@@ -0,0 +1,90 @@
+From de3629baf5a33af1919dec7136d643b0662e85ef Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Sat, 3 May 2025 18:24:01 +0200
+Subject: parisc: Fix double SIGFPE crash
+
+From: Helge Deller <deller@gmx.de>
+
+commit de3629baf5a33af1919dec7136d643b0662e85ef upstream.
+
+Camm noticed that on parisc a SIGFPE exception will crash an application with
+a second SIGFPE in the signal handler.  Dave analyzed it, and it happens
+because glibc uses a double-word floating-point store to atomically update
+function descriptors. As a result of lazy binding, we hit a floating-point
+store in fpe_func almost immediately.
+
+When the T bit is set, an assist exception trap occurs when when the
+co-processor encounters *any* floating-point instruction except for a double
+store of register %fr0.  The latter cancels all pending traps.  Let's fix this
+by clearing the Trap (T) bit in the FP status register before returning to the
+signal handler in userspace.
+
+The issue can be reproduced with this test program:
+
+root@parisc:~# cat fpe.c
+
+static void fpe_func(int sig, siginfo_t *i, void *v) {
+        sigset_t set;
+        sigemptyset(&set);
+        sigaddset(&set, SIGFPE);
+        sigprocmask(SIG_UNBLOCK, &set, NULL);
+        printf("GOT signal %d with si_code %ld\n", sig, i->si_code);
+}
+
+int main() {
+        struct sigaction action = {
+                .sa_sigaction = fpe_func,
+                .sa_flags = SA_RESTART|SA_SIGINFO };
+        sigaction(SIGFPE, &action, 0);
+        feenableexcept(FE_OVERFLOW);
+        return printf("%lf\n",1.7976931348623158E308*1.7976931348623158E308);
+}
+
+root@parisc:~# gcc fpe.c -lm
+root@parisc:~# ./a.out
+ Floating point exception
+
+root@parisc:~# strace -f ./a.out
+ execve("./a.out", ["./a.out"], 0xf9ac7034 /* 20 vars */) = 0
+ getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0
+ ...
+ rt_sigaction(SIGFPE, {sa_handler=0x1110a, sa_mask=[], sa_flags=SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
+ --- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0x1078f} ---
+ --- SIGFPE {si_signo=SIGFPE, si_code=FPE_FLTOVF, si_addr=0xf8f21237} ---
+ +++ killed by SIGFPE +++
+ Floating point exception
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Suggested-by: John David Anglin <dave.anglin@bell.net>
+Reported-by: Camm Maguire <camm@maguirefamily.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/math-emu/driver.c |   16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/arch/parisc/math-emu/driver.c
++++ b/arch/parisc/math-emu/driver.c
+@@ -103,9 +103,19 @@ handle_fpe(struct pt_regs *regs)
+       memcpy(regs->fr, frcopy, sizeof regs->fr);
+       if (signalcode != 0) {
+-          force_sig_fault(signalcode >> 24, signalcode & 0xffffff,
+-                          (void __user *) regs->iaoq[0]);
+-          return -1;
++              int sig = signalcode >> 24;
++
++              if (sig == SIGFPE) {
++                      /*
++                       * Clear floating point trap bit to avoid trapping
++                       * again on the first floating-point instruction in
++                       * the userspace signal handler.
++                       */
++                      regs->fr[0] &= ~(1ULL << 38);
++              }
++              force_sig_fault(sig, signalcode & 0xffffff,
++                              (void __user *) regs->iaoq[0]);
++              return -1;
+       }
+       return signalcode ? -1 : 0;
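Review bot: The mask in `regs->fr[0] &= ~(1ULL << 38);` is a bare bit number, so a reader cannot verify from this code that bit 38 of `fr[0]` is the T bit the comment and commit message describe. A named constant would make that checkable, for example `#define FPSR_T_BIT (1ULL << 38) /* Trap (T) bit of the FP status register in fr[0] */` (the name is only a suggestion), followed by `regs->fr[0] &= ~FPSR_T_BIT;`. Separately, the trailing context line `return signalcode ? -1 : 0;` can only yield 0, because the `signalcode != 0` branch always returns. That was already the case before this change and could be simplified to `return 0;` in a follow-up. handle_fpe starts outside the hunk.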
index 9b0f44fc60299ba7d9f15eb6bd309278efd36045..f680d8ac5f3444d1606a930006531bcf68d8dce6 100644 (file)
@@ -1 +1,15 @@
 alsa-usb-audio-add-second-usb-id-for-jabra-evolve-65-headset.patch
+drm-nouveau-fix-warn_on-in-nouveau_fence_context_kill.patch
+edac-altera-test-the-correct-error-reg-offset.patch
+edac-altera-set-ddr-and-sdmmc-interrupt-mask-before-registration.patch
+i2c-imx-lpi2c-fix-clock-count-when-probe-defers.patch
+arm64-errata-add-missing-sentinels-to-spectre-bhb-midr-arrays.patch
+parisc-fix-double-sigfpe-crash.patch
+amd-xgbe-fix-to-ensure-dependent-features-are-toggled-with-rx-checksum-offload.patch
+mmc-renesas_sdhi-fix-error-handling-in-renesas_sdhi_probe.patch
+wifi-brcm80211-fmac-add-error-handling-for-brcmf_usb_dl_writeimage.patch
+dm-integrity-fix-a-warning-on-invalid-table-line.patch
+dm-always-update-the-array-size-in-realloc_argv-on-success.patch
+iommu-amd-fix-potential-buffer-overflow-in-parse_ivrs_acpihid.patch
+iommu-vt-d-apply-quirk_iommu_igfx-for-8086-0044-qm57-qs57.patch
+tracing-fix-oob-write-in-trace_seq_to_buffer.patch
diff --git a/queue-5.15/tracing-fix-oob-write-in-trace_seq_to_buffer.patch b/queue-5.15/tracing-fix-oob-write-in-trace_seq_to_buffer.patch
new file mode 100644 (file)
index 0000000..db2cc88
--- /dev/null
@@ -0,0 +1,66 @@
+From f5178c41bb43444a6008150fe6094497135d07cb Mon Sep 17 00:00:00 2001
+From: Jeongjun Park <aha310510@gmail.com>
+Date: Tue, 22 Apr 2025 20:30:25 +0900
+Subject: tracing: Fix oob write in trace_seq_to_buffer()
+
+From: Jeongjun Park <aha310510@gmail.com>
+
+commit f5178c41bb43444a6008150fe6094497135d07cb upstream.
+
+syzbot reported this bug:
+==================================================================
+BUG: KASAN: slab-out-of-bounds in trace_seq_to_buffer kernel/trace/trace.c:1830 [inline]
+BUG: KASAN: slab-out-of-bounds in tracing_splice_read_pipe+0x6be/0xdd0 kernel/trace/trace.c:6822
+Write of size 4507 at addr ffff888032b6b000 by task syz.2.320/7260
+
+CPU: 1 UID: 0 PID: 7260 Comm: syz.2.320 Not tainted 6.15.0-rc1-syzkaller-00301-g3bde70a2c827 #0 PREEMPT(full)
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
+ print_address_description mm/kasan/report.c:408 [inline]
+ print_report+0xc3/0x670 mm/kasan/report.c:521
+ kasan_report+0xe0/0x110 mm/kasan/report.c:634
+ check_region_inline mm/kasan/generic.c:183 [inline]
+ kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189
+ __asan_memcpy+0x3c/0x60 mm/kasan/shadow.c:106
+ trace_seq_to_buffer kernel/trace/trace.c:1830 [inline]
+ tracing_splice_read_pipe+0x6be/0xdd0 kernel/trace/trace.c:6822
+ ....
+==================================================================
+
+It has been reported that trace_seq_to_buffer() tries to copy more data
+than PAGE_SIZE to buf. Therefore, to prevent this, we should use the
+smaller of trace_seq_used(&iter->seq) and PAGE_SIZE as an argument.
+
+Link: https://lore.kernel.org/20250422113026.13308-1-aha310510@gmail.com
+Reported-by: syzbot+c8cd2d2c412b868263fb@syzkaller.appspotmail.com
+Fixes: 3c56819b14b0 ("tracing: splice support for tracing_pipe")
+Suggested-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Jeongjun Park <aha310510@gmail.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/trace.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -7034,13 +7034,14 @@ static ssize_t tracing_splice_read_pipe(
+               /* Copy the data into the page, so we can start over. */
+               ret = trace_seq_to_buffer(&iter->seq,
+                                         page_address(spd.pages[i]),
+-                                        trace_seq_used(&iter->seq));
++                                        min((size_t)trace_seq_used(&iter->seq),
++                                                PAGE_SIZE));
+               if (ret < 0) {
+                       __free_page(spd.pages[i]);
+                       break;
+               }
+               spd.partial[i].offset = 0;
+-              spd.partial[i].len = trace_seq_used(&iter->seq);
++              spd.partial[i].len = ret;
+               trace_seq_init(&iter->seq);
+       }
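Review bot: Bytes beyond the first page are dropped without any note after the new clamp in tracing_splice_read_pipe. The copy is limited to `PAGE_SIZE`, and `trace_seq_init(&iter->seq)` follows immediately, which appears to reset the sequence, so whatever did not fit (the syzbot report shows a 4507-byte write) is presumably lost. A comment at the call would make the truncation deliberate and visible to the next maintainer, e.g. `/* seq may hold more than one page; clamp so the copy stays inside spd.pages[i], the remainder is discarded */`. As a style point, `min_t(size_t, trace_seq_used(&iter->seq), PAGE_SIZE)` would replace the open-coded cast inside `min()`. The function body starts and ends outside the hunk.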
diff --git a/queue-5.15/wifi-brcm80211-fmac-add-error-handling-for-brcmf_usb_dl_writeimage.patch b/queue-5.15/wifi-brcm80211-fmac-add-error-handling-for-brcmf_usb_dl_writeimage.patch
new file mode 100644 (file)
index 0000000..10d9690
--- /dev/null
@@ -0,0 +1,54 @@
+From 8e089e7b585d95122c8122d732d1d5ef8f879396 Mon Sep 17 00:00:00 2001
+From: Wentao Liang <vulab@iscas.ac.cn>
+Date: Tue, 22 Apr 2025 12:22:02 +0800
+Subject: wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage()
+
+From: Wentao Liang <vulab@iscas.ac.cn>
+
+commit 8e089e7b585d95122c8122d732d1d5ef8f879396 upstream.
+
+The function brcmf_usb_dl_writeimage() calls the function
+brcmf_usb_dl_cmd() but dose not check its return value. The
+'state.state' and the 'state.bytes' are uninitialized if the
+function brcmf_usb_dl_cmd() fails. It is dangerous to use
+uninitialized variables in the conditions.
+
+Add error handling for brcmf_usb_dl_cmd() to jump to error
+handling path if the brcmf_usb_dl_cmd() fails and the
+'state.state' and the 'state.bytes' are uninitialized.
+
+Improve the error message to report more detailed error
+information.
+
+Fixes: 71bb244ba2fd ("brcm80211: fmac: add USB support for bcm43235/6/8 chipsets")
+Cc: stable@vger.kernel.org # v3.4+
+Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Link: https://patch.msgid.link/20250422042203.2259-1-vulab@iscas.ac.cn
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
+@@ -903,14 +903,16 @@ brcmf_usb_dl_writeimage(struct brcmf_usb
+       }
+       /* 1) Prepare USB boot loader for runtime image */
+-      brcmf_usb_dl_cmd(devinfo, DL_START, &state, sizeof(state));
++      err = brcmf_usb_dl_cmd(devinfo, DL_START, &state, sizeof(state));
++      if (err)
++              goto fail;
+       rdlstate = le32_to_cpu(state.state);
+       rdlbytes = le32_to_cpu(state.bytes);
+       /* 2) Check we are in the Waiting state */
+       if (rdlstate != DL_WAITING) {
+-              brcmf_err("Failed to DL_START\n");
++              brcmf_err("Invalid DL state: %u\n", rdlstate);
+               err = -EINVAL;
+               goto fail;
+       }