--- /dev/null
+From 5278275c1758a38199b43530adfc50098f4b41c7 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Date: Tue, 3 Dec 2024 10:19:29 +0100
+Subject: crypto: qce - fix goto jump in error path
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+commit 5278275c1758a38199b43530adfc50098f4b41c7 upstream.
+
+If qce_check_version() fails, we should jump to err_dma as we already
+called qce_dma_request() a couple lines before.
+
+Cc: stable@vger.kernel.org
+Fixes: ec8f5d8f6f76 ("crypto: qce - Qualcomm crypto engine driver")
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/qce/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/qce/core.c
++++ b/drivers/crypto/qce/core.c
+@@ -236,7 +236,7 @@ static int qce_crypto_probe(struct platf
+
+ ret = qce_check_version(qce);
+ if (ret)
+- goto err_clks;
++ goto err_dma;
+
+ spin_lock_init(&qce->lock);
+ tasklet_init(&qce->done_tasklet, qce_tasklet_req_done,
--- /dev/null
+From e80cf84b608725303113d6fe98bb727bf7b7a40d Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Date: Tue, 3 Dec 2024 10:19:30 +0100
+Subject: crypto: qce - unregister previously registered algos in error path
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+commit e80cf84b608725303113d6fe98bb727bf7b7a40d upstream.
+
+If we encounter an error when registering alorithms with the crypto
+framework, we just bail out and don't unregister the ones we
+successfully registered in prior iterations of the loop.
+
+Add code that goes back over the algos and unregisters them before
+returning an error from qce_register_algs().
+
+Cc: stable@vger.kernel.org
+Fixes: ec8f5d8f6f76 ("crypto: qce - Qualcomm crypto engine driver")
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/qce/core.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/crypto/qce/core.c
++++ b/drivers/crypto/qce/core.c
+@@ -48,16 +48,19 @@ static void qce_unregister_algs(struct q
+ static int qce_register_algs(struct qce_device *qce)
+ {
+ const struct qce_algo_ops *ops;
+- int i, ret = -ENODEV;
++ int i, j, ret = -ENODEV;
+
+ for (i = 0; i < ARRAY_SIZE(qce_ops); i++) {
+ ops = qce_ops[i];
+ ret = ops->register_algs(qce);
+- if (ret)
+- break;
++ if (ret) {
++ for (j = i - 1; j >= 0; j--)
++ ops->unregister_algs(qce);
++ return ret;
++ }
+ }
+
+- return ret;
++ return 0;
+ }
+
+ static int qce_handle_request(struct crypto_async_request *async_req)
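Review bot: The rollback loop in qce_register_algs() never reassigns `ops`, so `ops->unregister_algs(qce)` runs i times on the entry whose registration just failed, while the entries registered in earlier iterations stay registered. Index the table with the rollback counter instead: `for (j = i - 1; j >= 0; j--) qce_ops[j]->unregister_algs(qce);`. As written, the error path presumably still leaves algorithms registered against a device whose probe is failing, which is the condition the commit message sets out to remove.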
--- /dev/null
+From 6ca4ea1f88a06a04ed7b2c9c6bf9f00833b68214 Mon Sep 17 00:00:00 2001
+From: Ekansh Gupta <quic_ekangupt@quicinc.com>
+Date: Fri, 10 Jan 2025 13:42:38 +0000
+Subject: misc: fastrpc: Fix registered buffer page address
+
+From: Ekansh Gupta <quic_ekangupt@quicinc.com>
+
+commit 6ca4ea1f88a06a04ed7b2c9c6bf9f00833b68214 upstream.
+
+For registered buffers, fastrpc driver sends the buffer information
+to remote subsystem. There is a problem with current implementation
+where the page address is being sent with an offset leading to
+improper buffer address on DSP. This is leads to functional failures
+as DSP expects base address in page information and extracts offset
+information from remote arguments. Mask the offset and pass the base
+page address to DSP.
+
+This issue is observed is a corner case when some buffer which is registered
+with fastrpc framework is passed with some offset by user and then the DSP
+implementation tried to read the data. As DSP expects base address and takes
+care of offsetting with remote arguments, passing an offsetted address will
+result in some unexpected data read in DSP.
+
+All generic usecases usually pass the buffer as it is hence is problem is
+not usually observed. If someone tries to pass offsetted buffer and then
+tries to compare data at HLOS and DSP end, then the ambiguity will be observed.
+
+Fixes: 80f3afd72bd4 ("misc: fastrpc: consider address offset before sending to DSP")
+Cc: stable@kernel.org
+Signed-off-by: Ekansh Gupta <quic_ekangupt@quicinc.com>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20250110134239.123603-3-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/fastrpc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -828,7 +828,7 @@ static int fastrpc_get_args(u32 kernel,
+ mmap_read_lock(current->mm);
+ vma = find_vma(current->mm, ctx->args[i].ptr);
+ if (vma)
+- pages[i].addr += ctx->args[i].ptr -
++ pages[i].addr += (ctx->args[i].ptr & PAGE_MASK) -
+ vma->vm_start;
+ mmap_read_unlock(current->mm);
+
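Review bot: The `if (vma)` guard before the offset computation does not establish that `ctx->args[i].ptr` lies inside the returned VMA, because find_vma() returns the first VMA that ends above the address, and that VMA may start above it. In that case `(ctx->args[i].ptr & PAGE_MASK) - vma->vm_start` wraps and a wrong page address is passed on to the DSP. The pointer comes from the invocation arguments, so it should be treated as caller-controlled. Tightening the guard to `if (vma && ctx->args[i].ptr >= vma->vm_start)` closes that gap. fastrpc_get_args() starts and ends outside this hunk, so any earlier validation of the pointer is not visible here.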
--- /dev/null
+From 70a71f8151b9879b0950668ce3ad76263261fee0 Mon Sep 17 00:00:00 2001
+From: Ivan Stepchenko <sid@itb.spb.ru>
+Date: Thu, 14 Nov 2024 16:29:51 +0300
+Subject: mtd: onenand: Fix uninitialized retlen in do_otp_read()
+
+From: Ivan Stepchenko <sid@itb.spb.ru>
+
+commit 70a71f8151b9879b0950668ce3ad76263261fee0 upstream.
+
+The function do_otp_read() does not set the output parameter *retlen,
+which is expected to contain the number of bytes actually read.
+As a result, in onenand_otp_walk(), the tmp_retlen variable remains
+uninitialized after calling do_otp_walk() and used to change
+the values of the buf, len and retlen variables.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 49dc08eeda70 ("[MTD] [OneNAND] fix numerous races")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ivan Stepchenko <sid@itb.spb.ru>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/onenand/onenand_base.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mtd/nand/onenand/onenand_base.c
++++ b/drivers/mtd/nand/onenand/onenand_base.c
+@@ -2911,6 +2911,7 @@ static int do_otp_read(struct mtd_info *
+ ret = ONENAND_IS_4KB_PAGE(this) ?
+ onenand_mlc_read_ops_nolock(mtd, from, &ops) :
+ onenand_read_ops_nolock(mtd, from, &ops);
++ *retlen = ops.retlen;
+
+ /* Exit OTP access mode */
+ this->command(mtd, ONENAND_CMD_RESET, 0, 0);
--- /dev/null
+From 6bb194d036c6e1b329dcdff459338cdd9a54802a Mon Sep 17 00:00:00 2001
+From: Paul Fertser <fercerpav@gmail.com>
+Date: Thu, 16 Jan 2025 18:29:00 +0300
+Subject: net/ncsi: wait for the last response to Deselect Package before configuring channel
+
+From: Paul Fertser <fercerpav@gmail.com>
+
+commit 6bb194d036c6e1b329dcdff459338cdd9a54802a upstream.
+
+The NCSI state machine as it's currently implemented assumes that
+transition to the next logical state is performed either explicitly by
+calling `schedule_work(&ndp->work)` to re-queue itself or implicitly
+after processing the predefined (ndp->pending_req_num) number of
+replies. Thus to avoid the configuration FSM from advancing prematurely
+and getting out of sync with the process it's essential to not skip
+waiting for a reply.
+
+This patch makes the code wait for reception of the Deselect Package
+response for the last package probed before proceeding to channel
+configuration.
+
+Thanks go to Potin Lai and Cosmo Chou for the initial investigation and
+testing.
+
+Fixes: 8e13f70be05e ("net/ncsi: Probe single packages to avoid conflict")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paul Fertser <fercerpav@gmail.com>
+Link: https://patch.msgid.link/20250116152900.8656-1-fercerpav@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ncsi/ncsi-manage.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/net/ncsi/ncsi-manage.c
++++ b/net/ncsi/ncsi-manage.c
+@@ -1385,6 +1385,12 @@ static void ncsi_probe_channel(struct nc
+ nd->state = ncsi_dev_state_probe_package;
+ break;
+ case ncsi_dev_state_probe_package:
++ if (ndp->package_probe_id >= 8) {
++ /* Last package probed, finishing */
++ ndp->flags |= NCSI_DEV_PROBED;
++ break;
++ }
++
+ ndp->pending_req_num = 1;
+
+ nca.type = NCSI_PKT_CMD_SP;
+@@ -1501,13 +1507,8 @@ static void ncsi_probe_channel(struct nc
+ if (ret)
+ goto error;
+
+- /* Probe next package */
++ /* Probe next package after receiving response */
+ ndp->package_probe_id++;
+- if (ndp->package_probe_id >= 8) {
+- /* Probe finished */
+- ndp->flags |= NCSI_DEV_PROBED;
+- break;
+- }
+ nd->state = ncsi_dev_state_probe_package;
+ ndp->active_package = NULL;
+ break;
--- /dev/null
+From bd1bbab717608757cccbbe08b0d46e6c3ed0ced5 Mon Sep 17 00:00:00 2001
+From: Milos Reljin <milos_reljin@outlook.com>
+Date: Fri, 24 Jan 2025 10:41:02 +0000
+Subject: net: phy: c45-tjaxx: add delay between MDIO write and read in soft_reset
+
+From: Milos Reljin <milos_reljin@outlook.com>
+
+commit bd1bbab717608757cccbbe08b0d46e6c3ed0ced5 upstream.
+
+In application note (AN13663) for TJA1120, on page 30, there's a figure
+with average PHY startup timing values following software reset.
+The time it takes for SMI to become operational after software reset
+ranges roughly from 500 us to 1500 us.
+
+This commit adds 2000 us delay after MDIO write which triggers software
+reset. Without this delay, soft_reset function returns an error and
+prevents successful PHY init.
+
+Cc: stable@vger.kernel.org
+Fixes: b050f2f15e04 ("phy: nxp-c45: add driver for tja1103")
+Signed-off-by: Milos Reljin <milos_reljin@outlook.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/AM8P250MB0124D258E5A71041AF2CC322E1E32@AM8P250MB0124.EURP250.PROD.OUTLOOK.COM
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/nxp-c45-tja11xx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/phy/nxp-c45-tja11xx.c
++++ b/drivers/net/phy/nxp-c45-tja11xx.c
+@@ -717,6 +717,8 @@ static int nxp_c45_soft_reset(struct phy
+ if (ret)
+ return ret;
+
++ usleep_range(2000, 2050);
++
+ return phy_read_mmd_poll_timeout(phydev, MDIO_MMD_VEND1,
+ VEND1_DEVICE_CONTROL, ret,
+ !(ret & DEVICE_CONTROL_RESET), 20000,
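Review bot: The added `usleep_range(2000, 2050);` in nxp_c45_soft_reset() has no comment, so the reason for the 2 ms figure lives only in the commit message. A one-line comment above it would keep the rationale with the code, e.g. `/* SMI needs up to ~1.5 ms to become operational after soft reset (TJA1120, AN13663); wait before polling */`. The delay runs for every PHY this function handles, not only the TJA1120 the message cites; that looks intentional but is worth stating. The poll call that follows continues past the end of the hunk.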
--- /dev/null
+From 110b43ef05342d5a11284cc8b21582b698b4ef1c Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Fri, 17 Jan 2025 12:38:41 +0300
+Subject: NFC: nci: Add bounds checking in nci_hci_create_pipe()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit 110b43ef05342d5a11284cc8b21582b698b4ef1c upstream.
+
+The "pipe" variable is a u8 which comes from the network. If it's more
+than 127, then it results in memory corruption in the caller,
+nci_hci_connect_gate().
+
+Cc: stable@vger.kernel.org
+Fixes: a1b0b9415817 ("NFC: nci: Create pipe on specific gate in nci_hci_connect_gate")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://patch.msgid.link/bcf5453b-7204-4297-9c20-4d8c7dacf586@stanley.mountain
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/nci/hci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/nfc/nci/hci.c
++++ b/net/nfc/nci/hci.c
+@@ -542,6 +542,8 @@ static u8 nci_hci_create_pipe(struct nci
+
+ pr_debug("pipe created=%d\n", pipe);
+
++ if (pipe >= NCI_HCI_MAX_PIPES)
++ pipe = NCI_HCI_INVALID_PIPE;
+ return pipe;
+ }
+
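Review bot: The new bounds check in nci_hci_create_pipe() silently replaces an out-of-range pipe number with `NCI_HCI_INVALID_PIPE`, and nothing at the check records that the value is supplied by the remote side. Suggest a comment above it, `/* pipe comes from the received response; never return an index >= NCI_HCI_MAX_PIPES */`. The existing `pr_debug` prints the raw value before validation without marking it as rejected, so consider logging the rejection as well. The caller named in the commit message, nci_hci_connect_gate(), is outside this hunk; confirm it treats `NCI_HCI_INVALID_PIPE` as a failure and does not use it as an index.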
--- /dev/null
+From 6438ef381c183444f7f9d1de18f22661cba1e946 Mon Sep 17 00:00:00 2001
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Date: Sat, 25 Jan 2025 07:20:53 +0900
+Subject: nilfs2: fix possible int overflows in nilfs_fiemap()
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+commit 6438ef381c183444f7f9d1de18f22661cba1e946 upstream.
+
+Since nilfs_bmap_lookup_contig() in nilfs_fiemap() calculates its result
+by being prepared to go through potentially maxblocks == INT_MAX blocks,
+the value in n may experience an overflow caused by left shift of blkbits.
+
+While it is extremely unlikely to occur, play it safe and cast right hand
+expression to wider type to mitigate the issue.
+
+Found by Linux Verification Center (linuxtesting.org) with static analysis
+tool SVACE.
+
+Link: https://lkml.kernel.org/r/20250124222133.5323-1-konishi.ryusuke@gmail.com
+Fixes: 622daaff0a89 ("nilfs2: fiemap support")
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nilfs2/inode.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/nilfs2/inode.c
++++ b/fs/nilfs2/inode.c
+@@ -1265,7 +1265,7 @@ int nilfs_fiemap(struct inode *inode, st
+ if (size) {
+ if (phys && blkphy << blkbits == phys + size) {
+ /* The current extent goes on */
+- size += n << blkbits;
++ size += (u64)n << blkbits;
+ } else {
+ /* Terminate the current extent */
+ ret = fiemap_fill_next_extent(
+@@ -1278,14 +1278,14 @@ int nilfs_fiemap(struct inode *inode, st
+ flags = FIEMAP_EXTENT_MERGED;
+ logical = blkoff << blkbits;
+ phys = blkphy << blkbits;
+- size = n << blkbits;
++ size = (u64)n << blkbits;
+ }
+ } else {
+ /* Start a new extent */
+ flags = FIEMAP_EXTENT_MERGED;
+ logical = blkoff << blkbits;
+ phys = blkphy << blkbits;
+- size = n << blkbits;
++ size = (u64)n << blkbits;
+ }
+ blkoff += n;
+ }
--- /dev/null
+From 31507fc2ad36e0071751a710449db19c85d82a7f Mon Sep 17 00:00:00 2001
+From: Jennifer Berringer <jberring@redhat.com>
+Date: Mon, 30 Dec 2024 14:19:01 +0000
+Subject: nvmem: core: improve range check for nvmem_cell_write()
+
+From: Jennifer Berringer <jberring@redhat.com>
+
+commit 31507fc2ad36e0071751a710449db19c85d82a7f upstream.
+
+When __nvmem_cell_entry_write() is called for an nvmem cell that does
+not need bit shifting, it requires that the len parameter exactly
+matches the nvmem cell size. However, when the nvmem cell has a nonzero
+bit_offset, it was skipping this check.
+
+Accepting values of len larger than the cell size results in
+nvmem_cell_prepare_write_buffer() trying to write past the end of a heap
+buffer that it allocates. Add a check to avoid that problem and instead
+return -EINVAL when len doesn't match the number of bits expected by the
+nvmem cell when bit_offset is nonzero.
+
+This check uses cell->nbits in order to allow providing the smaller size
+to cells that are shifted into another byte by bit_offset. For example,
+a cell with nbits=8 and nonzero bit_offset would have bytes=2 but should
+accept a 1-byte write here, although no current callers depend on this.
+
+Fixes: 69aba7948cbe ("nvmem: Add a simple NVMEM framework for consumers")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jennifer Berringer <jberring@redhat.com>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20241230141901.263976-7-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvmem/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/nvmem/core.c
++++ b/drivers/nvmem/core.c
+@@ -1512,6 +1512,8 @@ int nvmem_cell_write(struct nvmem_cell *
+ return -EINVAL;
+
+ if (cell->bit_offset || cell->nbits) {
++ if (len != BITS_TO_BYTES(cell->nbits) && len != cell->bytes)
++ return -EINVAL;
+ buf = nvmem_cell_prepare_write_buffer(cell, buf, len);
+ if (IS_ERR(buf))
+ return PTR_ERR(buf);
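Review bot: The added length check in nvmem_cell_write() accepts two different sizes, and without a comment it is not obvious why `len` may be smaller than `cell->bytes`. Suggest `/* len must be the packed size (nbits rounded up to bytes) or the full cell size; a larger len overruns the buffer allocated by nvmem_cell_prepare_write_buffer() */` above the `if`. The enclosing branch is also entered when only `cell->bit_offset` is set; if `cell->nbits` can be 0 there, `BITS_TO_BYTES(cell->nbits)` is 0 and a zero-length write passes this check. Whether an earlier test rules that out is not visible in the hunk.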
--- /dev/null
+From e88f516ea417c71bb3702603ac6af9e95338cfa6 Mon Sep 17 00:00:00 2001
+From: Luca Weiss <luca.weiss@fairphone.com>
+Date: Mon, 30 Dec 2024 14:19:00 +0000
+Subject: nvmem: qcom-spmi-sdam: Set size in struct nvmem_config
+
+From: Luca Weiss <luca.weiss@fairphone.com>
+
+commit e88f516ea417c71bb3702603ac6af9e95338cfa6 upstream.
+
+Let the nvmem core know what size the SDAM is, most notably this fixes
+the size of /sys/bus/nvmem/devices/spmi_sdam*/nvmem being '0' and makes
+user space work with that file.
+
+ ~ # hexdump -C -s 64 /sys/bus/nvmem/devices/spmi_sdam2/nvmem
+ 00000040 02 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 |................|
+ 00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
+ *
+ 00000080
+
+Fixes: 40ce9798794f ("nvmem: add QTI SDAM driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
+Reviewed-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20241230141901.263976-6-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvmem/qcom-spmi-sdam.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/nvmem/qcom-spmi-sdam.c
++++ b/drivers/nvmem/qcom-spmi-sdam.c
+@@ -143,6 +143,7 @@ static int sdam_probe(struct platform_de
+ sdam->sdam_config.id = NVMEM_DEVID_AUTO;
+ sdam->sdam_config.owner = THIS_MODULE;
+ sdam->sdam_config.stride = 1;
++ sdam->sdam_config.size = sdam->size;
+ sdam->sdam_config.word_size = 1;
+ sdam->sdam_config.reg_read = sdam_read;
+ sdam->sdam_config.reg_write = sdam_write;
--- /dev/null
+From f921da2c34692dfec5f72b5ae347b1bea22bb369 Mon Sep 17 00:00:00 2001
+From: Heming Zhao <heming.zhao@suse.com>
+Date: Tue, 21 Jan 2025 19:22:03 +0800
+Subject: ocfs2: fix incorrect CPU endianness conversion causing mount failure
+
+From: Heming Zhao <heming.zhao@suse.com>
+
+commit f921da2c34692dfec5f72b5ae347b1bea22bb369 upstream.
+
+Commit 23aab037106d ("ocfs2: fix UBSAN warning in ocfs2_verify_volume()")
+introduced a regression bug. The blksz_bits value is already converted to
+CPU endian in the previous code; therefore, the code shouldn't use
+le32_to_cpu() anymore.
+
+Link: https://lkml.kernel.org/r/20250121112204.12834-1-heming.zhao@suse.com
+Fixes: 23aab037106d ("ocfs2: fix UBSAN warning in ocfs2_verify_volume()")
+Signed-off-by: Heming Zhao <heming.zhao@suse.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ocfs2/super.c
++++ b/fs/ocfs2/super.c
+@@ -2346,7 +2346,7 @@ static int ocfs2_verify_volume(struct oc
+ mlog(ML_ERROR, "found superblock with incorrect block "
+ "size bits: found %u, should be 9, 10, 11, or 12\n",
+ blksz_bits);
+- } else if ((1 << le32_to_cpu(blksz_bits)) != blksz) {
++ } else if ((1 << blksz_bits) != blksz) {
+ mlog(ML_ERROR, "found superblock with incorrect block "
+ "size: found %u, should be %u\n", 1 << blksz_bits, blksz);
+ } else if (le16_to_cpu(di->id2.i_super.s_major_rev_level) !=
--- /dev/null
+From 2b4c2094da6d84e69b843dd3317902e977bf64bd Mon Sep 17 00:00:00 2001
+From: "Matthew Wilcox (Oracle)" <willy@infradead.org>
+Date: Thu, 5 Dec 2024 17:16:29 +0000
+Subject: ocfs2: handle a symlink read error correctly
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+commit 2b4c2094da6d84e69b843dd3317902e977bf64bd upstream.
+
+Patch series "Convert ocfs2 to use folios".
+
+Mark did a conversion of ocfs2 to use folios and sent it to me as a
+giant patch for review ;-)
+
+So I've redone it as individual patches, and credited Mark for the patches
+where his code is substantially the same. It's not a bad way to do it;
+his patch had some bugs and my patches had some bugs. Hopefully all our
+bugs were different from each other. And hopefully Mark likes all the
+changes I made to his code!
+
+
+This patch (of 23):
+
+If we can't read the buffer, be sure to unlock the page before returning.
+
+Link: https://lkml.kernel.org/r/20241205171653.3179945-1-willy@infradead.org
+Link: https://lkml.kernel.org/r/20241205171653.3179945-2-willy@infradead.org
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: Mark Tinguely <mark.tinguely@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/symlink.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/ocfs2/symlink.c
++++ b/fs/ocfs2/symlink.c
+@@ -64,7 +64,7 @@ static int ocfs2_fast_symlink_readpage(s
+
+ if (status < 0) {
+ mlog_errno(status);
+- return status;
++ goto out;
+ }
+
+ fe = (struct ocfs2_dinode *) bh->b_data;
+@@ -75,9 +75,10 @@ static int ocfs2_fast_symlink_readpage(s
+ memcpy(kaddr, link, len + 1);
+ kunmap_atomic(kaddr);
+ SetPageUptodate(page);
++out:
+ unlock_page(page);
+ brelse(bh);
+- return 0;
++ return status;
+ }
+
+ const struct address_space_operations ocfs2_fast_symlink_aops = {
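Review bot: With the new `out:` label the read-failure path now reaches `brelse(bh)`, so `bh` must be NULL-initialised at its declaration, which sits above the hunk; brelse() tolerates NULL but not an uninitialised pointer. The success path also changed from `return 0` to `return status`, which relies on the read helper returning exactly 0 on success. Both hold only if the code outside the hunk agrees, so a short comment at the label such as `/* status is 0 on success; bh may be NULL after a failed read */` would record the assumption.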
--- /dev/null
+From eb3fabde15bccdf34f1c9b35a83aa4c0dacbb4ca Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@kernel.org>
+Date: Thu, 16 Jan 2025 20:05:39 -0500
+Subject: pnfs/flexfiles: retry getting layout segment for reads
+
+From: Mike Snitzer <snitzer@kernel.org>
+
+commit eb3fabde15bccdf34f1c9b35a83aa4c0dacbb4ca upstream.
+
+If ff_layout_pg_get_read()'s attempt to get a layout segment results
+in -EAGAIN have ff_layout_pg_init_read() retry it after sleeping.
+
+If "softerr" mount is used, use 'io_maxretrans' to limit the number of
+attempts to get a layout segment.
+
+This fixes a long-standing issue of O_DIRECT reads failing with
+-EAGAIN (11) when using flexfiles Client Side Mirroring (CSM).
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/flexfilelayout/flexfilelayout.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+--- a/fs/nfs/flexfilelayout/flexfilelayout.c
++++ b/fs/nfs/flexfilelayout/flexfilelayout.c
+@@ -836,6 +836,9 @@ ff_layout_pg_init_read(struct nfs_pageio
+ struct nfs4_pnfs_ds *ds;
+ u32 ds_idx;
+
++ if (NFS_SERVER(pgio->pg_inode)->flags &
++ (NFS_MOUNT_SOFT|NFS_MOUNT_SOFTERR))
++ pgio->pg_maxretrans = io_maxretrans;
+ retry:
+ ff_layout_pg_check_layout(pgio, req);
+ /* Use full layout for now */
+@@ -849,6 +852,8 @@ retry:
+ if (!pgio->pg_lseg)
+ goto out_nolseg;
+ }
++ /* Reset wb_nio, since getting layout segment was successful */
++ req->wb_nio = 0;
+
+ ds = ff_layout_get_ds_for_read(pgio, &ds_idx);
+ if (!ds) {
+@@ -865,14 +870,24 @@ retry:
+ pgm->pg_bsize = mirror->mirror_ds->ds_versions[0].rsize;
+
+ pgio->pg_mirror_idx = ds_idx;
+-
+- if (NFS_SERVER(pgio->pg_inode)->flags &
+- (NFS_MOUNT_SOFT|NFS_MOUNT_SOFTERR))
+- pgio->pg_maxretrans = io_maxretrans;
+ return;
+ out_nolseg:
+- if (pgio->pg_error < 0)
+- return;
++ if (pgio->pg_error < 0) {
++ if (pgio->pg_error != -EAGAIN)
++ return;
++ /* Retry getting layout segment if lower layer returned -EAGAIN */
++ if (pgio->pg_maxretrans && req->wb_nio++ > pgio->pg_maxretrans) {
++ if (NFS_SERVER(pgio->pg_inode)->flags & NFS_MOUNT_SOFTERR)
++ pgio->pg_error = -ETIMEDOUT;
++ else
++ pgio->pg_error = -EIO;
++ return;
++ }
++ pgio->pg_error = 0;
++ /* Sleep for 1 second before retrying */
++ ssleep(1);
++ goto retry;
++ }
+ out_mds:
+ trace_pnfs_mds_fallback_pg_init_read(pgio->pg_inode,
+ 0, NFS4_MAX_UINT64, IOMODE_READ,
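Review bot: The retry added under `out_nolseg` is bounded only when `pgio->pg_maxretrans` is non-zero, which the first hunk arranges just for soft/softerr mounts; on other mounts (where it is presumably left at zero) a persistent -EAGAIN loops indefinitely, and `ssleep(1)` sleeps uninterruptibly, so the task cannot be killed while it waits. Consider bailing out on a fatal signal before sleeping, e.g. `if (fatal_signal_pending(current)) { pgio->pg_error = -EINTR; return; }` with the error code chosen to match the file's convention, or at least document that hard mounts retry without limit by design. The bound itself is `req->wb_nio++ > pgio->pg_maxretrans`, which permits one more attempt than the limit; if that is intended, the comment should say so. The function continues beyond the hunk.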
--- /dev/null
+From fd53aa40e65f518453115b6f56183b0c201db26b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= <linux@weissschuh.net>
+Date: Thu, 23 Jan 2025 08:22:40 +0100
+Subject: ptp: Ensure info->enable callback is always set
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <linux@weissschuh.net>
+
+commit fd53aa40e65f518453115b6f56183b0c201db26b upstream.
+
+The ioctl and sysfs handlers unconditionally call the ->enable callback.
+Not all drivers implement that callback, leading to NULL dereferences.
+Example of affected drivers: ptp_s390.c, ptp_vclock.c and ptp_mock.c.
+
+Instead use a dummy callback if no better was specified by the driver.
+
+Fixes: d94ba80ebbea ("ptp: Added a brand new class driver for ptp clocks.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Acked-by: Richard Cochran <richardcochran@gmail.com>
+Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Link: https://patch.msgid.link/20250123-ptp-enable-v1-1-b015834d3a47@weissschuh.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ptp/ptp_clock.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/ptp/ptp_clock.c
++++ b/drivers/ptp/ptp_clock.c
+@@ -180,6 +180,11 @@ static void ptp_clock_release(struct dev
+ kfree(ptp);
+ }
+
++static int ptp_enable(struct ptp_clock_info *ptp, struct ptp_clock_request *request, int on)
++{
++ return -EOPNOTSUPP;
++}
++
+ static void ptp_aux_kworker(struct kthread_work *work)
+ {
+ struct ptp_clock *ptp = container_of(work, struct ptp_clock,
+@@ -227,6 +232,9 @@ struct ptp_clock *ptp_clock_register(str
+ mutex_init(&ptp->n_vclocks_mux);
+ init_waitqueue_head(&ptp->tsev_wq);
+
++ if (!ptp->info->enable)
++ ptp->info->enable = ptp_enable;
++
+ if (ptp->info->do_aux_work) {
+ kthread_init_delayed_work(&ptp->aux_work, ptp_aux_kworker);
+ ptp->kworker = kthread_create_worker(0, "ptp%d", ptp->index);
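Review bot: `ptp->info->enable = ptp_enable;` in ptp_clock_register() writes the fallback into the ptp_clock_info structure supplied by the driver rather than into state owned by the ptp core. That is safe only if every driver passes a writable structure, and the stub pointer then remains in the driver's structure after the clock is unregistered; neither property is visible from this hunk. A comment at the assignment would make the contract explicit, e.g. `/* drivers without ->enable get a stub so the ioctl and sysfs paths never call through NULL */`. The register function begins and ends outside the hunk.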
media-ccs-fix-cleanup-order-in-ccs_probe.patch
media-uvcvideo-fix-event-flags-in-uvc_ctrl_send_events.patch
media-uvcvideo-remove-redundant-null-assignment.patch
+crypto-qce-fix-goto-jump-in-error-path.patch
+crypto-qce-unregister-previously-registered-algos-in-error-path.patch
+nvmem-qcom-spmi-sdam-set-size-in-struct-nvmem_config.patch
+nvmem-core-improve-range-check-for-nvmem_cell_write.patch
+vfio-platform-check-the-bounds-of-read-write-syscalls.patch
+pnfs-flexfiles-retry-getting-layout-segment-for-reads.patch
+ocfs2-fix-incorrect-cpu-endianness-conversion-causing-mount-failure.patch
+ocfs2-handle-a-symlink-read-error-correctly.patch
+nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch
+nfc-nci-add-bounds-checking-in-nci_hci_create_pipe.patch
+mtd-onenand-fix-uninitialized-retlen-in-do_otp_read.patch
+misc-fastrpc-fix-registered-buffer-page-address.patch
+net-ncsi-wait-for-the-last-response-to-deselect-package-before-configuring-channel.patch
+net-phy-c45-tjaxx-add-delay-between-mdio-write-and-read-in-soft_reset.patch
+ptp-ensure-info-enable-callback-is-always-set.patch
--- /dev/null
+From ce9ff21ea89d191e477a02ad7eabf4f996b80a69 Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Wed, 22 Jan 2025 10:38:30 -0700
+Subject: vfio/platform: check the bounds of read/write syscalls
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+commit ce9ff21ea89d191e477a02ad7eabf4f996b80a69 upstream.
+
+count and offset are passed from user space and not checked, only
+offset is capped to 40 bits, which can be used to read/write out of
+bounds of the device.
+
+Fixes: 6e3f26456009 (“vfio/platform: read and write support for the device fd”)
+Cc: stable@vger.kernel.org
+Reported-by: Mostafa Saleh <smostafa@google.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Mostafa Saleh <smostafa@google.com>
+Tested-by: Mostafa Saleh <smostafa@google.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vfio/platform/vfio_platform_common.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/vfio/platform/vfio_platform_common.c
++++ b/drivers/vfio/platform/vfio_platform_common.c
+@@ -393,6 +393,11 @@ static ssize_t vfio_platform_read_mmio(s
+
+ count = min_t(size_t, count, reg->size - off);
+
++ if (off >= reg->size)
++ return -EINVAL;
++
++ count = min_t(size_t, count, reg->size - off);
++
+ if (!reg->ioaddr) {
+ reg->ioaddr =
+ ioremap(reg->addr, reg->size);
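Review bot: The added lines in vfio_platform_read_mmio() duplicate a clamp already present as context: `count = min_t(size_t, count, reg->size - off);` now appears both before and after the new `if (off >= reg->size)` test, so `reg->size - off` is still evaluated once before `off` has been validated. The request is rejected a few lines later, so the access stays bounded, but the first clamp should be dropped so that the check precedes every use of `off`. The write hunk has the mirror problem: its context already holds `if (off >= reg->size) return -EINVAL;` and the clamp, and the addition repeats both. This looks like a patch generated against a tree that already carried part of the fix; the intended body is a single `if (off >= reg->size) return -EINVAL;` followed by a single `count = min_t(size_t, count, reg->size - off);`.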
+@@ -473,6 +478,11 @@ static ssize_t vfio_platform_write_mmio(
+
+ if (off >= reg->size)
+ return -EINVAL;
++
++ count = min_t(size_t, count, reg->size - off);
++
++ if (off >= reg->size)
++ return -EINVAL;
+
+ count = min_t(size_t, count, reg->size - off);
+