--- /dev/null
+From 46ad36002088eff8fc5cae200aa42ae9f9310ddd Mon Sep 17 00:00:00 2001
+From: Chen-Yu Tsai <wenst@chromium.org>
+Date: Wed, 8 Jan 2025 16:34:22 +0800
+Subject: arm64: dts: mediatek: mt8173: Fix disp-pwm compatible string
+
+From: Chen-Yu Tsai <wenst@chromium.org>
+
+commit 46ad36002088eff8fc5cae200aa42ae9f9310ddd upstream.
+
+The MT8173 disp-pwm device should have only one compatible string, based
+on the following DT validation error:
+
+ arch/arm64/boot/dts/mediatek/mt8173-elm.dtb: pwm@1401e000: compatible: 'oneOf' conditional failed, one must be fixed:
+ ['mediatek,mt8173-disp-pwm', 'mediatek,mt6595-disp-pwm'] is too long
+ 'mediatek,mt8173-disp-pwm' is not one of ['mediatek,mt6795-disp-pwm', 'mediatek,mt8167-disp-pwm']
+ 'mediatek,mt8173-disp-pwm' is not one of ['mediatek,mt8186-disp-pwm', 'mediatek,mt8188-disp-pwm', 'mediatek,mt8192-disp-pwm', 'mediatek,mt8195-disp-pwm', 'mediatek,mt8365-disp-pwm']
+ 'mediatek,mt8173-disp-pwm' was expected
+ 'mediatek,mt8183-disp-pwm' was expected
+ from schema $id: http://devicetree.org/schemas/pwm/mediatek,pwm-disp.yaml#
+ arch/arm64/boot/dts/mediatek/mt8173-elm.dtb: pwm@1401f000: compatible: 'oneOf' conditional failed, one must be fixed:
+ ['mediatek,mt8173-disp-pwm', 'mediatek,mt6595-disp-pwm'] is too long
+ 'mediatek,mt8173-disp-pwm' is not one of ['mediatek,mt6795-disp-pwm', 'mediatek,mt8167-disp-pwm']
+ 'mediatek,mt8173-disp-pwm' is not one of ['mediatek,mt8186-disp-pwm', 'mediatek,mt8188-disp-pwm', 'mediatek,mt8192-disp-pwm', 'mediatek,mt8195-disp-pwm', 'mediatek,mt8365-disp-pwm']
+ 'mediatek,mt8173-disp-pwm' was expected
+ 'mediatek,mt8183-disp-pwm' was expected
+ from schema $id: http://devicetree.org/schemas/pwm/mediatek,pwm-disp.yaml#
+
+Drop the extra "mediatek,mt6595-disp-pwm" compatible string.
+
+Fixes: 61aee9342514 ("arm64: dts: mt8173: add MT8173 display PWM driver support node")
+Cc: YH Huang <yh.huang@mediatek.com>
+Cc: stable@vger.kernel.org # v4.5+
+Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://lore.kernel.org/r/20250108083424.2732375-2-wenst@chromium.org
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/mediatek/mt8173.dtsi | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/arch/arm64/boot/dts/mediatek/mt8173.dtsi
++++ b/arch/arm64/boot/dts/mediatek/mt8173.dtsi
+@@ -1161,8 +1161,7 @@
+ };
+
+ pwm0: pwm@1401e000 {
+- compatible = "mediatek,mt8173-disp-pwm",
+- "mediatek,mt6595-disp-pwm";
++ compatible = "mediatek,mt8173-disp-pwm";
+ reg = <0 0x1401e000 0 0x1000>;
+ #pwm-cells = <2>;
+ clocks = <&mmsys CLK_MM_DISP_PWM026M>,
+@@ -1172,8 +1171,7 @@
+ };
+
+ pwm1: pwm@1401f000 {
+- compatible = "mediatek,mt8173-disp-pwm",
+- "mediatek,mt6595-disp-pwm";
++ compatible = "mediatek,mt8173-disp-pwm";
+ reg = <0 0x1401f000 0 0x1000>;
+ #pwm-cells = <2>;
+ clocks = <&mmsys CLK_MM_DISP_PWM126M>,
--- /dev/null
+From bd496a44f041da9ef3afe14d1d6193d460424e91 Mon Sep 17 00:00:00 2001
+From: Manjunatha Venkatesh <manjunatha.venkatesh@nxp.com>
+Date: Wed, 26 Mar 2025 18:00:46 +0530
+Subject: i3c: Add NULL pointer check in i3c_master_queue_ibi()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Manjunatha Venkatesh <manjunatha.venkatesh@nxp.com>
+
+commit bd496a44f041da9ef3afe14d1d6193d460424e91 upstream.
+
+The I3C master driver may receive an IBI from a target device that has not
+been probed yet. In such cases, the master calls `i3c_master_queue_ibi()`
+to queue an IBI work task, leading to "Unable to handle kernel read from
+unreadable memory" and resulting in a kernel panic.
+
+Typical IBI handling flow:
+1. The I3C master scans target devices and probes their respective drivers.
+2. The target device driver calls `i3c_device_request_ibi()` to enable IBI
+ and assigns `dev->ibi = ibi`.
+3. The I3C master receives an IBI from the target device and calls
+ `i3c_master_queue_ibi()` to queue the target device driver’s IBI
+ handler task.
+
+However, since target device events are asynchronous to the I3C probe
+sequence, step 3 may occur before step 2, causing `dev->ibi` to be `NULL`,
+leading to a kernel panic.
+
+Add a NULL pointer check in `i3c_master_queue_ibi()` to prevent accessing
+an uninitialized `dev->ibi`, ensuring stability.
+
+Fixes: 3a379bbcea0af ("i3c: Add core I3C infrastructure")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/lkml/Z9gjGYudiYyl3bSe@lizhi-Precision-Tower-5810/
+Signed-off-by: Manjunatha Venkatesh <manjunatha.venkatesh@nxp.com>
+Reviewed-by: Frank Li <Frank.Li@nxp.com>
+Link: https://lore.kernel.org/r/20250326123047.2797946-1-manjunatha.venkatesh@nxp.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i3c/master.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/i3c/master.c
++++ b/drivers/i3c/master.c
+@@ -2198,6 +2198,9 @@ static void i3c_master_unregister_i3c_de
+ */
+ void i3c_master_queue_ibi(struct i3c_dev_desc *dev, struct i3c_ibi_slot *slot)
+ {
++ if (!dev->ibi || !slot)
++ return;
++
+ atomic_inc(&dev->ibi->pending_ibis);
+ queue_work(dev->common.master->wq, &slot->work);
+ }
--- /dev/null
+From e6eff39dd0fe4190c6146069cc16d160e71d1148 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 6 Feb 2025 10:46:58 +0100
+Subject: jbd2: remove wrong sb->s_sequence check
+
+From: Jan Kara <jack@suse.cz>
+
+commit e6eff39dd0fe4190c6146069cc16d160e71d1148 upstream.
+
+Journal emptiness is not determined by sb->s_sequence == 0 but rather by
+sb->s_start == 0 (which is set a few lines above). Furthermore 0 is a
+valid transaction ID so the check can spuriously trigger. Remove the
+invalid WARN_ON.
+
+CC: stable@vger.kernel.org
+Signed-off-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
+Link: https://patch.msgid.link/20250206094657.20865-3-jack@suse.cz
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/jbd2/journal.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/fs/jbd2/journal.c
++++ b/fs/jbd2/journal.c
+@@ -1432,7 +1432,6 @@ int jbd2_journal_update_sb_log_tail(jour
+
+ /* Log is no longer empty */
+ write_lock(&journal->j_state_lock);
+- WARN_ON(!sb->s_sequence);
+ journal->j_flags &= ~JBD2_FLUSHED;
+ write_unlock(&journal->j_state_lock);
+
--- /dev/null
+From 8b46fdaea819a679da176b879e7b0674a1161a5e Mon Sep 17 00:00:00 2001
+From: T Pratham <t-pratham@ti.com>
+Date: Wed, 19 Mar 2025 16:44:38 +0530
+Subject: lib: scatterlist: fix sg_split_phys to preserve original scatterlist offsets
+
+From: T Pratham <t-pratham@ti.com>
+
+commit 8b46fdaea819a679da176b879e7b0674a1161a5e upstream.
+
+The split_sg_phys function was incorrectly setting the offsets of all
+scatterlist entries (except the first) to 0. Only the first scatterlist
+entry's offset and length needs to be modified to account for the skip.
+Setting the rest entries' offsets to 0 could lead to incorrect data
+access.
+
+I am using this function in a crypto driver that I'm currently developing
+(not yet sent to mailing list). During testing, it was observed that the
+output scatterlists (except the first one) contained incorrect garbage
+data.
+
+I narrowed this issue down to the call of sg_split(). Upon debugging
+inside this function, I found that this resetting of offset is the cause
+of the problem, causing the subsequent scatterlists to point to incorrect
+memory locations in a page. By removing this code, I am obtaining
+expected data in all the split output scatterlists. Thus, this was indeed
+causing observable runtime effects!
+
+This patch removes the offending code, ensuring that the page offsets in
+the input scatterlist are preserved in the output scatterlist.
+
+Link: https://lkml.kernel.org/r/20250319111437.1969903-1-t-pratham@ti.com
+Fixes: f8bcbe62acd0 ("lib: scatterlist: add sg splitting function")
+Signed-off-by: T Pratham <t-pratham@ti.com>
+Cc: Robert Jarzmik <robert.jarzmik@free.fr>
+Cc: Jens Axboe <axboe@kernel.dk>
+Cc: Kamlesh Gurudasani <kamlesh@ti.com>
+Cc: Praneeth Bajjuri <praneeth@ti.com>
+Cc: Vignesh Raghavendra <vigneshr@ti.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/sg_split.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/lib/sg_split.c
++++ b/lib/sg_split.c
+@@ -88,8 +88,6 @@ static void sg_split_phys(struct sg_spli
+ if (!j) {
+ out_sg->offset += split->skip_sg0;
+ out_sg->length -= split->skip_sg0;
+- } else {
+- out_sg->offset = 0;
+ }
+ sg_dma_address(out_sg) = 0;
+ sg_dma_len(out_sg) = 0;
--- /dev/null
+From 495f53d5cca0f939eaed9dca90b67e7e6fb0e30c Mon Sep 17 00:00:00 2001
+From: Boqun Feng <boqun.feng@gmail.com>
+Date: Wed, 26 Mar 2025 11:08:30 -0700
+Subject: locking/lockdep: Decrease nr_unused_locks if lock unused in zap_class()
+
+From: Boqun Feng <boqun.feng@gmail.com>
+
+commit 495f53d5cca0f939eaed9dca90b67e7e6fb0e30c upstream.
+
+Currently, when a lock class is allocated, nr_unused_locks will be
+increased by 1, until it gets used: nr_unused_locks will be decreased by
+1 in mark_lock(). However, one scenario is missed: a lock class may be
+zapped without even being used once. This could result into a situation
+that nr_unused_locks != 0 but no unused lock class is active in the
+system, and when `cat /proc/lockdep_stats`, a WARN_ON() will
+be triggered in a CONFIG_DEBUG_LOCKDEP=y kernel:
+
+ [...] DEBUG_LOCKS_WARN_ON(debug_atomic_read(nr_unused_locks) != nr_unused)
+ [...] WARNING: CPU: 41 PID: 1121 at kernel/locking/lockdep_proc.c:283 lockdep_stats_show+0xba9/0xbd0
+
+And as a result, lockdep will be disabled after this.
+
+Therefore, nr_unused_locks needs to be accounted correctly at
+zap_class() time.
+
+Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Reviewed-by: Waiman Long <longman@redhat.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250326180831.510348-1-boqun.feng@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/locking/lockdep.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/kernel/locking/lockdep.c
++++ b/kernel/locking/lockdep.c
+@@ -5011,6 +5011,9 @@ static void zap_class(struct pending_fre
+ hlist_del_rcu(&class->hash_entry);
+ WRITE_ONCE(class->key, NULL);
+ WRITE_ONCE(class->name, NULL);
++ /* Class allocated but not used, -1 in nr_unused_locks */
++ if (class->usage_mask == 0)
++ debug_atomic_dec(nr_unused_locks);
+ nr_lock_classes--;
+ __clear_bit(class - lock_classes, lock_classes_in_use);
+ } else {
--- /dev/null
+From d027951dc85cb2e15924c980dc22a6754d100c7c Mon Sep 17 00:00:00 2001
+From: Wentao Liang <vulab@iscas.ac.cn>
+Date: Wed, 2 Apr 2025 11:16:43 +0800
+Subject: mtd: inftlcore: Add error check for inftl_read_oob()
+
+From: Wentao Liang <vulab@iscas.ac.cn>
+
+commit d027951dc85cb2e15924c980dc22a6754d100c7c upstream.
+
+In INFTL_findwriteunit(), the return value of inftl_read_oob()
+need to be checked. A proper implementation can be
+found in INFTL_deleteblock(). The status will be set as
+SECTOR_IGNORE to break from the while-loop correctly
+if the inftl_read_oob() fails.
+
+Fixes: 8593fbc68b0d ("[MTD] Rework the out of band handling completely")
+Cc: stable@vger.kernel.org # v2.6+
+Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/inftlcore.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/mtd/inftlcore.c
++++ b/drivers/mtd/inftlcore.c
+@@ -482,10 +482,11 @@ static inline u16 INFTL_findwriteunit(st
+ silly = MAX_LOOPS;
+
+ while (thisEUN <= inftl->lastEUN) {
+- inftl_read_oob(mtd, (thisEUN * inftl->EraseSize) +
+- blockofs, 8, &retlen, (char *)&bci);
+-
+- status = bci.Status | bci.Status1;
++ if (inftl_read_oob(mtd, (thisEUN * inftl->EraseSize) +
++ blockofs, 8, &retlen, (char *)&bci) < 0)
++ status = SECTOR_IGNORE;
++ else
++ status = bci.Status | bci.Status1;
+ pr_debug("INFTL: status of block %d in EUN %d is %x\n",
+ block , writeEUN, status);
+
--- /dev/null
+From b79fe1829975556854665258cf4d2476784a89db Mon Sep 17 00:00:00 2001
+From: Wentao Liang <vulab@iscas.ac.cn>
+Date: Wed, 2 Apr 2025 15:56:23 +0800
+Subject: mtd: rawnand: Add status chack in r852_ready()
+
+From: Wentao Liang <vulab@iscas.ac.cn>
+
+commit b79fe1829975556854665258cf4d2476784a89db upstream.
+
+In r852_ready(), the dev get from r852_get_dev() need to be checked.
+An unstable device should not be ready. A proper implementation can
+be found in r852_read_byte(). Add a status check and return 0 when it is
+unstable.
+
+Fixes: 50a487e7719c ("mtd: rawnand: Pass a nand_chip object to chip->dev_ready()")
+Cc: stable@vger.kernel.org # v4.20+
+Signed-off-by: Wentao Liang <vulab@iscas.ac.cn>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/r852.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/mtd/nand/raw/r852.c
++++ b/drivers/mtd/nand/raw/r852.c
+@@ -387,6 +387,9 @@ static int r852_wait(struct nand_chip *c
+ static int r852_ready(struct nand_chip *chip)
+ {
+ struct r852_device *dev = r852_get_dev(nand_to_mtd(chip));
++ if (dev->card_unstable)
++ return 0;
++
+ return !(r852_read_reg(dev, R852_CARD_STA) & R852_CARD_STA_BUSY);
+ }
+
net-dsa-mv88e6xxx-workaround-rgmii-transmit-delay-erratum-for-6320-family.patch
wifi-mac80211-fix-integer-overflow-in-hwmp_route_info_get.patch
ext4-fix-off-by-one-error-in-do_split.patch
+i3c-add-null-pointer-check-in-i3c_master_queue_ibi.patch
+jbd2-remove-wrong-sb-s_sequence-check.patch
+locking-lockdep-decrease-nr_unused_locks-if-lock-unused-in-zap_class.patch
+lib-scatterlist-fix-sg_split_phys-to-preserve-original-scatterlist-offsets.patch
+mtd-inftlcore-add-error-check-for-inftl_read_oob.patch
+mtd-rawnand-add-status-chack-in-r852_ready.patch
+arm64-dts-mediatek-mt8173-fix-disp-pwm-compatible-string.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
