--- /dev/null
+From efa353ae1b0541981bc96dbf2e586387d0392baa Mon Sep 17 00:00:00 2001
+From: Zicheng Qu <quzicheng@huawei.com>
+Date: Tue, 22 Oct 2024 13:43:30 +0000
+Subject: iio: adc: ad7124: fix division by zero in ad7124_set_channel_odr()
+
+From: Zicheng Qu <quzicheng@huawei.com>
+
+commit efa353ae1b0541981bc96dbf2e586387d0392baa upstream.
+
+In the ad7124_write_raw() function, parameter val can potentially
+be zero. This may lead to a division by zero when DIV_ROUND_CLOSEST()
+is called within ad7124_set_channel_odr(). The ad7124_write_raw()
+function is invoked through the sequence: iio_write_channel_raw() ->
+iio_write_channel_attribute() -> iio_channel_write(), with no checks
+in place to ensure val is non-zero.
+
+Cc: stable@vger.kernel.org
+Fixes: 7b8d045e497a ("iio: adc: ad7124: allow more than 8 channels")
+Signed-off-by: Zicheng Qu <quzicheng@huawei.com>
+Reviewed-by: Nuno Sa <nuno.sa@analog.com>
+Link: https://patch.msgid.link/20241022134330.574601-1-quzicheng@huawei.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ad7124.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/ad7124.c
++++ b/drivers/iio/adc/ad7124.c
+@@ -643,7 +643,7 @@ static int ad7124_write_raw(struct iio_d
+
+ switch (info) {
+ case IIO_CHAN_INFO_SAMP_FREQ:
+- if (val2 != 0) {
++ if (val2 != 0 || val == 0) {
+ ret = -EINVAL;
+ break;
+ }
--- /dev/null
+From 369f05688911b05216cfcd6ca74473bec87948d7 Mon Sep 17 00:00:00 2001
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+Date: Wed, 16 Oct 2024 09:24:53 +0800
+Subject: iio: gts-helper: Fix memory leaks for the error path of iio_gts_build_avail_scale_table()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+commit 369f05688911b05216cfcd6ca74473bec87948d7 upstream.
+
+If per_time_scales[i] or per_time_gains[i] kcalloc fails in the for loop
+of iio_gts_build_avail_scale_table(), the err_free_out will fail to call
+kfree() each time when i is reduced to 0, so all the per_time_scales[0]
+and per_time_gains[0] will not be freed, which will cause memory leaks.
+
+Fix it by checking if i >= 0.
+
+Cc: stable@vger.kernel.org
+Fixes: 38416c28e168 ("iio: light: Add gain-time-scale helpers")
+Reviewed-by: Matti Vaittinen <mazziesaccount@gmail.com>
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Link: https://patch.msgid.link/20241016012453.2013302-1-ruanjinjie@huawei.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/industrialio-gts-helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/industrialio-gts-helper.c
++++ b/drivers/iio/industrialio-gts-helper.c
+@@ -313,7 +313,7 @@ static int iio_gts_build_avail_scale_tab
+ return 0;
+
+ err_free_out:
+- for (i--; i; i--) {
++ for (i--; i >= 0; i--) {
+ kfree(per_time_scales[i]);
+ kfree(per_time_gains[i]);
+ }
--- /dev/null
+From 691e79ffc42154a9c91dc3b7e96a307037b4be74 Mon Sep 17 00:00:00 2001
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+Date: Fri, 11 Oct 2024 17:55:12 +0800
+Subject: iio: gts-helper: Fix memory leaks in iio_gts_build_avail_scale_table()
+
+From: Jinjie Ruan <ruanjinjie@huawei.com>
+
+commit 691e79ffc42154a9c91dc3b7e96a307037b4be74 upstream.
+
+modprobe iio-test-gts and rmmod it, then the following memory leak
+occurs:
+
+ unreferenced object 0xffffff80c810be00 (size 64):
+ comm "kunit_try_catch", pid 1654, jiffies 4294913981
+ hex dump (first 32 bytes):
+ 02 00 00 00 08 00 00 00 20 00 00 00 40 00 00 00 ........ ...@...
+ 80 00 00 00 00 02 00 00 00 04 00 00 00 08 00 00 ................
+ backtrace (crc a63d875e):
+ [<0000000028c1b3c2>] kmemleak_alloc+0x34/0x40
+ [<000000001d6ecc87>] __kmalloc_noprof+0x2bc/0x3c0
+ [<00000000393795c1>] devm_iio_init_iio_gts+0x4b4/0x16f4
+ [<0000000071bb4b09>] 0xffffffdf052a62e0
+ [<000000000315bc18>] 0xffffffdf052a6488
+ [<00000000f9dc55b5>] kunit_try_run_case+0x13c/0x3ac
+ [<00000000175a3fd4>] kunit_generic_run_threadfn_adapter+0x80/0xec
+ [<00000000f505065d>] kthread+0x2e8/0x374
+ [<00000000bbfb0e5d>] ret_from_fork+0x10/0x20
+ unreferenced object 0xffffff80cbfe9e70 (size 16):
+ comm "kunit_try_catch", pid 1658, jiffies 4294914015
+ hex dump (first 16 bytes):
+ 10 00 00 00 40 00 00 00 80 00 00 00 00 00 00 00 ....@...........
+ backtrace (crc 857f0cb4):
+ [<0000000028c1b3c2>] kmemleak_alloc+0x34/0x40
+ [<000000001d6ecc87>] __kmalloc_noprof+0x2bc/0x3c0
+ [<00000000393795c1>] devm_iio_init_iio_gts+0x4b4/0x16f4
+ [<0000000071bb4b09>] 0xffffffdf052a62e0
+ [<000000007d089d45>] 0xffffffdf052a6864
+ [<00000000f9dc55b5>] kunit_try_run_case+0x13c/0x3ac
+ [<00000000175a3fd4>] kunit_generic_run_threadfn_adapter+0x80/0xec
+ [<00000000f505065d>] kthread+0x2e8/0x374
+ [<00000000bbfb0e5d>] ret_from_fork+0x10/0x20
+ ......
+
+It includes 5*5 times "size 64" memory leaks, which correspond to 5 times
+test_init_iio_gain_scale() calls with gts_test_gains size 10 (10*size(int))
+and gts_test_itimes size 5. It also includes 5*1 times "size 16"
+memory leak, which correspond to one time __test_init_iio_gain_scale()
+call with gts_test_gains_gain_low size 3 (3*size(int)) and gts_test_itimes
+size 5.
+
+The reason is that the per_time_gains[i] is not freed which is allocated in
+the "gts->num_itime" for loop in iio_gts_build_avail_scale_table().
+
+Cc: stable@vger.kernel.org
+Fixes: 38416c28e168 ("iio: light: Add gain-time-scale helpers")
+Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
+Reviewed-by: Matti Vaittinen <mazziesaccount@gmail.com>
+Link: https://patch.msgid.link/20241011095512.3667549-1-ruanjinjie@huawei.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/industrialio-gts-helper.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/iio/industrialio-gts-helper.c b/drivers/iio/industrialio-gts-helper.c
+index 59d7615c0f56..7326c7949244 100644
+--- a/drivers/iio/industrialio-gts-helper.c
++++ b/drivers/iio/industrialio-gts-helper.c
+@@ -307,6 +307,8 @@ static int iio_gts_build_avail_scale_table(struct iio_gts *gts)
+ if (ret)
+ goto err_free_out;
+
++ for (i = 0; i < gts->num_itime; i++)
++ kfree(per_time_gains[i]);
+ kfree(per_time_gains);
+ gts->per_time_avail_scale_tables = per_time_scales;
+
+--
+2.47.0
+
--- /dev/null
+From 63dd163cd61dda6f38343776b42331cc6b7e56e0 Mon Sep 17 00:00:00 2001
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Date: Wed, 16 Oct 2024 19:04:31 +0200
+Subject: iio: light: veml6030: fix microlux value calculation
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+commit 63dd163cd61dda6f38343776b42331cc6b7e56e0 upstream.
+
+The raw value conversion to obtain a measurement in lux as
+INT_PLUS_MICRO does not calculate the decimal part properly to display
+it as micro (in this case microlux). It only calculates the module to
+obtain the decimal part from a resolution that is 10000 times the
+provided in the datasheet (0.5376 lux/cnt for the veml6030). The
+resulting value must still be multiplied by 100 to make it micro.
+
+This bug was introduced with the original implementation of the driver.
+
+Only the illuminance channel is fixed becuase the scale is non sensical
+for the intensity channels anyway.
+
+Cc: stable@vger.kernel.org
+Fixes: 7b779f573c48 ("iio: light: add driver for veml6030 ambient light sensor")
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Link: https://patch.msgid.link/20241016-veml6030-fix-processed-micro-v1-1-4a5644796437@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/light/veml6030.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/light/veml6030.c
++++ b/drivers/iio/light/veml6030.c
+@@ -522,7 +522,7 @@ static int veml6030_read_raw(struct iio_
+ }
+ if (mask == IIO_CHAN_INFO_PROCESSED) {
+ *val = (reg * data->cur_resolution) / 10000;
+- *val2 = (reg * data->cur_resolution) % 10000;
++ *val2 = (reg * data->cur_resolution) % 10000 * 100;
+ return IIO_VAL_INT_PLUS_MICRO;
+ }
+ *val = reg;
--- /dev/null
+From b3a033e3ecd3471248d474ef263aadc0059e516a Mon Sep 17 00:00:00 2001
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Date: Sun, 20 Oct 2024 13:51:28 +0900
+Subject: nilfs2: fix potential deadlock with newly created symlinks
+
+From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+
+commit b3a033e3ecd3471248d474ef263aadc0059e516a upstream.
+
+Syzbot reported that page_symlink(), called by nilfs_symlink(), triggers
+memory reclamation involving the filesystem layer, which can result in
+circular lock dependencies among the reader/writer semaphore
+nilfs->ns_segctor_sem, s_writers percpu_rwsem (intwrite) and the
+fs_reclaim pseudo lock.
+
+This is because after commit 21fc61c73c39 ("don't put symlink bodies in
+pagecache into highmem"), the gfp flags of the page cache for symbolic
+links are overwritten to GFP_KERNEL via inode_nohighmem().
+
+This is not a problem for symlinks read from the backing device, because
+the __GFP_FS flag is dropped after inode_nohighmem() is called. However,
+when a new symlink is created with nilfs_symlink(), the gfp flags remain
+overwritten to GFP_KERNEL. Then, memory allocation called from
+page_symlink() etc. triggers memory reclamation including the FS layer,
+which may call nilfs_evict_inode() or nilfs_dirty_inode(). And these can
+cause a deadlock if they are called while nilfs->ns_segctor_sem is held:
+
+Fix this issue by dropping the __GFP_FS flag from the page cache GFP flags
+of newly created symlinks in the same way that nilfs_new_inode() and
+__nilfs_read_inode() do, as a workaround until we adopt nofs allocation
+scope consistently or improve the locking constraints.
+
+Link: https://lkml.kernel.org/r/20241020050003.4308-1-konishi.ryusuke@gmail.com
+Fixes: 21fc61c73c39 ("don't put symlink bodies in pagecache into highmem")
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Reported-by: syzbot+9ef37ac20608f4836256@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=9ef37ac20608f4836256
+Tested-by: syzbot+9ef37ac20608f4836256@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nilfs2/namei.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/nilfs2/namei.c
++++ b/fs/nilfs2/namei.c
+@@ -157,6 +157,9 @@ static int nilfs_symlink(struct mnt_idma
+ /* slow symlink */
+ inode->i_op = &nilfs_symlink_inode_operations;
+ inode_nohighmem(inode);
++ mapping_set_gfp_mask(inode->i_mapping,
++ mapping_gfp_constraint(inode->i_mapping,
++ ~__GFP_FS));
+ inode->i_mapping->a_ops = &nilfs_aops;
+ err = page_symlink(inode, symname, l);
+ if (err)
--- /dev/null
+From 9a71892cbcdb9d1459c84f5a4c722b14354158a5 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Tue, 29 Oct 2024 01:23:04 +0100
+Subject: Revert "driver core: Fix uevent_show() vs driver detach race"
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 9a71892cbcdb9d1459c84f5a4c722b14354158a5 upstream.
+
+This reverts commit 15fffc6a5624b13b428bb1c6e9088e32a55eb82c.
+
+This commit causes a regression, so revert it for now until it can come
+back in a way that works for everyone.
+
+Link: https://lore.kernel.org/all/172790598832.1168608.4519484276671503678.stgit@dwillia2-xfh.jf.intel.com/
+Fixes: 15fffc6a5624 ("driver core: Fix uevent_show() vs driver detach race")
+Cc: stable <stable@kernel.org>
+Cc: Ashish Sangwan <a.sangwan@samsung.com>
+Cc: Namjae Jeon <namjae.jeon@samsung.com>
+Cc: Dirk Behme <dirk.behme@de.bosch.com>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: Rafael J. Wysocki <rafael@kernel.org>
+Cc: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/core.c | 13 +++++--------
+ drivers/base/module.c | 4 ----
+ 2 files changed, 5 insertions(+), 12 deletions(-)
+
+--- a/drivers/base/core.c
++++ b/drivers/base/core.c
+@@ -25,7 +25,6 @@
+ #include <linux/mutex.h>
+ #include <linux/pm_runtime.h>
+ #include <linux/netdevice.h>
+-#include <linux/rcupdate.h>
+ #include <linux/sched/signal.h>
+ #include <linux/sched/mm.h>
+ #include <linux/string_helpers.h>
+@@ -2566,7 +2565,6 @@ static const char *dev_uevent_name(const
+ static int dev_uevent(const struct kobject *kobj, struct kobj_uevent_env *env)
+ {
+ const struct device *dev = kobj_to_dev(kobj);
+- struct device_driver *driver;
+ int retval = 0;
+
+ /* add device node properties if present */
+@@ -2595,12 +2593,8 @@ static int dev_uevent(const struct kobje
+ if (dev->type && dev->type->name)
+ add_uevent_var(env, "DEVTYPE=%s", dev->type->name);
+
+- /* Synchronize with module_remove_driver() */
+- rcu_read_lock();
+- driver = READ_ONCE(dev->driver);
+- if (driver)
+- add_uevent_var(env, "DRIVER=%s", driver->name);
+- rcu_read_unlock();
++ if (dev->driver)
++ add_uevent_var(env, "DRIVER=%s", dev->driver->name);
+
+ /* Add common DT information about the device */
+ of_device_uevent(dev, env);
+@@ -2670,8 +2664,11 @@ static ssize_t uevent_show(struct device
+ if (!env)
+ return -ENOMEM;
+
++ /* Synchronize with really_probe() */
++ device_lock(dev);
+ /* let the kset specific function add its keys */
+ retval = kset->uevent_ops->uevent(&dev->kobj, env);
++ device_unlock(dev);
+ if (retval)
+ goto out;
+
+--- a/drivers/base/module.c
++++ b/drivers/base/module.c
+@@ -7,7 +7,6 @@
+ #include <linux/errno.h>
+ #include <linux/slab.h>
+ #include <linux/string.h>
+-#include <linux/rcupdate.h>
+ #include "base.h"
+
+ static char *make_driver_name(struct device_driver *drv)
+@@ -102,9 +101,6 @@ void module_remove_driver(struct device_
+ if (!drv)
+ return;
+
+- /* Synchronize with dev_uevent() */
+- synchronize_rcu();
+-
+ sysfs_remove_link(&drv->p->kobj, "module");
+
+ if (drv->owner)
--- /dev/null
+From 5bb1f4c9340e01003b00b94d539eadb0da88f48e Mon Sep 17 00:00:00 2001
+From: Edward Liaw <edliaw@google.com>
+Date: Fri, 18 Oct 2024 17:17:22 +0000
+Subject: Revert "selftests/mm: fix deadlock for fork after pthread_create on ARM"
+
+From: Edward Liaw <edliaw@google.com>
+
+commit 5bb1f4c9340e01003b00b94d539eadb0da88f48e upstream.
+
+Patch series "selftests/mm: revert pthread_barrier change"
+
+On Android arm, pthread_create followed by a fork caused a deadlock in
+the case where the fork required work to be completed by the created
+thread.
+
+The previous patches incorrectly assumed that the parent would
+always initialize the pthread_barrier for the child thread. This
+reverts the change and replaces the fix for wp-fork-with-event with the
+original use of atomic_bool.
+
+
+This patch (of 3):
+
+This reverts commit e142cc87ac4ec618f2ccf5f68aedcd6e28a59d9d.
+
+fork_event_consumer may be called by other tests that do not initialize
+the pthread_barrier, so this approach is not correct. The subsequent
+patch will revert to using atomic_bool instead.
+
+Link: https://lkml.kernel.org/r/20241018171734.2315053-1-edliaw@google.com
+Link: https://lkml.kernel.org/r/20241018171734.2315053-2-edliaw@google.com
+Fixes: e142cc87ac4e ("fix deadlock for fork after pthread_create on ARM")
+Signed-off-by: Edward Liaw <edliaw@google.com>
+Cc: Ryan Roberts <ryan.roberts@arm.com>
+Cc: Peter Xu <peterx@redhat.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/mm/uffd-unit-tests.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+--- a/tools/testing/selftests/mm/uffd-unit-tests.c
++++ b/tools/testing/selftests/mm/uffd-unit-tests.c
+@@ -237,9 +237,6 @@ static void *fork_event_consumer(void *d
+ fork_event_args *args = data;
+ struct uffd_msg msg = { 0 };
+
+- /* Ready for parent thread to fork */
+- pthread_barrier_wait(&ready_for_fork);
+-
+ /* Read until a full msg received */
+ while (uffd_read_msg(args->parent_uffd, &msg));
+
+@@ -307,12 +304,8 @@ static int pagemap_test_fork(int uffd, b
+
+ /* Prepare a thread to resolve EVENT_FORK */
+ if (with_event) {
+- pthread_barrier_init(&ready_for_fork, NULL, 2);
+ if (pthread_create(&thread, NULL, fork_event_consumer, &args))
+ err("pthread_create()");
+- /* Wait for child thread to start before forking */
+- pthread_barrier_wait(&ready_for_fork);
+- pthread_barrier_destroy(&ready_for_fork);
+ }
+
+ child = fork();
--- /dev/null
+From 3673167a3a07f25b3f06754d69f406edea65543a Mon Sep 17 00:00:00 2001
+From: Edward Liaw <edliaw@google.com>
+Date: Fri, 18 Oct 2024 17:17:23 +0000
+Subject: Revert "selftests/mm: replace atomic_bool with pthread_barrier_t"
+
+From: Edward Liaw <edliaw@google.com>
+
+commit 3673167a3a07f25b3f06754d69f406edea65543a upstream.
+
+This reverts commit e61ef21e27e8deed8c474e9f47f4aa7bc37e138c.
+
+uffd_poll_thread may be called by other tests that do not initialize the
+pthread_barrier, so this approach is not correct. This will revert to
+using atomic_bool instead.
+
+Link: https://lkml.kernel.org/r/20241018171734.2315053-3-edliaw@google.com
+Fixes: e61ef21e27e8 ("selftests/mm: replace atomic_bool with pthread_barrier_t")
+Signed-off-by: Edward Liaw <edliaw@google.com>
+Cc: Ryan Roberts <ryan.roberts@arm.com>
+Cc: Peter Xu <peterx@redhat.com>
+Cc: Shuah Khan <shuah@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/mm/uffd-common.c | 5 ++---
+ tools/testing/selftests/mm/uffd-common.h | 3 ++-
+ tools/testing/selftests/mm/uffd-unit-tests.c | 14 ++++++--------
+ 3 files changed, 10 insertions(+), 12 deletions(-)
+
+--- a/tools/testing/selftests/mm/uffd-common.c
++++ b/tools/testing/selftests/mm/uffd-common.c
+@@ -17,7 +17,7 @@ bool map_shared;
+ bool test_uffdio_wp = true;
+ unsigned long long *count_verify;
+ uffd_test_ops_t *uffd_test_ops;
+-pthread_barrier_t ready_for_fork;
++atomic_bool ready_for_fork;
+
+ static int uffd_mem_fd_create(off_t mem_size, bool hugetlb)
+ {
+@@ -508,8 +508,7 @@ void *uffd_poll_thread(void *arg)
+ pollfd[1].fd = pipefd[cpu*2];
+ pollfd[1].events = POLLIN;
+
+- /* Ready for parent thread to fork */
+- pthread_barrier_wait(&ready_for_fork);
++ ready_for_fork = true;
+
+ for (;;) {
+ ret = poll(pollfd, 2, -1);
+--- a/tools/testing/selftests/mm/uffd-common.h
++++ b/tools/testing/selftests/mm/uffd-common.h
+@@ -33,6 +33,7 @@
+ #include <inttypes.h>
+ #include <stdint.h>
+ #include <sys/random.h>
++#include <stdatomic.h>
+
+ #include "../kselftest.h"
+ #include "vm_util.h"
+@@ -98,7 +99,7 @@ extern bool map_shared;
+ extern bool test_uffdio_wp;
+ extern unsigned long long *count_verify;
+ extern volatile bool test_uffdio_copy_eexist;
+-extern pthread_barrier_t ready_for_fork;
++extern atomic_bool ready_for_fork;
+
+ extern uffd_test_ops_t anon_uffd_test_ops;
+ extern uffd_test_ops_t shmem_uffd_test_ops;
+--- a/tools/testing/selftests/mm/uffd-unit-tests.c
++++ b/tools/testing/selftests/mm/uffd-unit-tests.c
+@@ -770,7 +770,7 @@ static void uffd_sigbus_test_common(bool
+ char c;
+ struct uffd_args args = { 0 };
+
+- pthread_barrier_init(&ready_for_fork, NULL, 2);
++ ready_for_fork = false;
+
+ fcntl(uffd, F_SETFL, uffd_flags | O_NONBLOCK);
+
+@@ -787,9 +787,8 @@ static void uffd_sigbus_test_common(bool
+ if (pthread_create(&uffd_mon, NULL, uffd_poll_thread, &args))
+ err("uffd_poll_thread create");
+
+- /* Wait for child thread to start before forking */
+- pthread_barrier_wait(&ready_for_fork);
+- pthread_barrier_destroy(&ready_for_fork);
++ while (!ready_for_fork)
++ ; /* Wait for the poll_thread to start executing before forking */
+
+ pid = fork();
+ if (pid < 0)
+@@ -830,7 +829,7 @@ static void uffd_events_test_common(bool
+ char c;
+ struct uffd_args args = { 0 };
+
+- pthread_barrier_init(&ready_for_fork, NULL, 2);
++ ready_for_fork = false;
+
+ fcntl(uffd, F_SETFL, uffd_flags | O_NONBLOCK);
+ if (uffd_register(uffd, area_dst, nr_pages * page_size,
+@@ -841,9 +840,8 @@ static void uffd_events_test_common(bool
+ if (pthread_create(&uffd_mon, NULL, uffd_poll_thread, &args))
+ err("uffd_poll_thread create");
+
+- /* Wait for child thread to start before forking */
+- pthread_barrier_wait(&ready_for_fork);
+- pthread_barrier_destroy(&ready_for_fork);
++ while (!ready_for_fork)
++ ; /* Wait for the poll_thread to start executing before forking */
+
+ pid = fork();
+ if (pid < 0)
usb-typec-qcom-pmic-typec-use-fwnode_handle_put-to-release-fwnodes.patch
phy-qcom-qmp-usb-fix-null-deref-on-runtime-suspend.patch
phy-qcom-qmp-usb-legacy-fix-null-deref-on-runtime-suspend.patch
+xhci-fix-link-trb-dma-in-command-ring-stopped-completion-event.patch
+xhci-use-pm_runtime_get-to-prevent-rpm-on-unsupported-systems.patch
+revert-driver-core-fix-uevent_show-vs-driver-detach-race.patch
+revert-selftests-mm-fix-deadlock-for-fork-after-pthread_create-on-arm.patch
+revert-selftests-mm-replace-atomic_bool-with-pthread_barrier_t.patch
+wifi-mac80211-do-not-pass-a-stopped-vif-to-the-driver-in-.get_txpower.patch
+wifi-ath10k-fix-memory-leak-in-management-tx.patch
+wifi-cfg80211-clear-wdev-cqm_config-pointer-on-free.patch
+wifi-iwlegacy-clear-stale-interrupts-before-resuming-device.patch
+staging-iio-frequency-ad9832-fix-division-by-zero-in-ad9832_calc_freqreg.patch
+iio-adc-ad7124-fix-division-by-zero-in-ad7124_set_channel_odr.patch
+iio-gts-helper-fix-memory-leaks-for-the-error-path-of-iio_gts_build_avail_scale_table.patch
+iio-gts-helper-fix-memory-leaks-in-iio_gts_build_avail_scale_table.patch
+iio-light-veml6030-fix-microlux-value-calculation.patch
+nilfs2-fix-potential-deadlock-with-newly-created-symlinks.patch
--- /dev/null
+From 6bd301819f8f69331a55ae2336c8b111fc933f3d Mon Sep 17 00:00:00 2001
+From: Zicheng Qu <quzicheng@huawei.com>
+Date: Tue, 22 Oct 2024 13:43:54 +0000
+Subject: staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg()
+
+From: Zicheng Qu <quzicheng@huawei.com>
+
+commit 6bd301819f8f69331a55ae2336c8b111fc933f3d upstream.
+
+In the ad9832_write_frequency() function, clk_get_rate() might return 0.
+This can lead to a division by zero when calling ad9832_calc_freqreg().
+The check if (fout > (clk_get_rate(st->mclk) / 2)) does not protect
+against the case when fout is 0. The ad9832_write_frequency() function
+is called from ad9832_write(), and fout is derived from a text buffer,
+which can contain any value.
+
+Link: https://lore.kernel.org/all/2024100904-CVE-2024-47663-9bdc@gregkh/
+Fixes: ea707584bac1 ("Staging: IIO: DDS: AD9832 / AD9835 driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zicheng Qu <quzicheng@huawei.com>
+Reviewed-by: Nuno Sa <nuno.sa@analog.com>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://patch.msgid.link/20241022134354.574614-1-quzicheng@huawei.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/iio/frequency/ad9832.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/iio/frequency/ad9832.c
++++ b/drivers/staging/iio/frequency/ad9832.c
+@@ -129,12 +129,15 @@ static unsigned long ad9832_calc_freqreg
+ static int ad9832_write_frequency(struct ad9832_state *st,
+ unsigned int addr, unsigned long fout)
+ {
++ unsigned long clk_freq;
+ unsigned long regval;
+
+- if (fout > (clk_get_rate(st->mclk) / 2))
++ clk_freq = clk_get_rate(st->mclk);
++
++ if (!clk_freq || fout > (clk_freq / 2))
+ return -EINVAL;
+
+- regval = ad9832_calc_freqreg(clk_get_rate(st->mclk), fout);
++ regval = ad9832_calc_freqreg(clk_freq, fout);
+
+ st->freq_data[0] = cpu_to_be16((AD9832_CMD_FRE8BITSW << CMD_SHIFT) |
+ (addr << ADD_SHIFT) |
--- /dev/null
+From e15d84b3bba187aa372dff7c58ce1fd5cb48a076 Mon Sep 17 00:00:00 2001
+From: Manikanta Pubbisetty <quic_mpubbise@quicinc.com>
+Date: Tue, 15 Oct 2024 12:11:03 +0530
+Subject: wifi: ath10k: Fix memory leak in management tx
+
+From: Manikanta Pubbisetty <quic_mpubbise@quicinc.com>
+
+commit e15d84b3bba187aa372dff7c58ce1fd5cb48a076 upstream.
+
+In the current logic, memory is allocated for storing the MSDU context
+during management packet TX but this memory is not being freed during
+management TX completion. Similar leaks are seen in the management TX
+cleanup logic.
+
+Kmemleak reports this problem as below,
+
+unreferenced object 0xffffff80b64ed250 (size 16):
+ comm "kworker/u16:7", pid 148, jiffies 4294687130 (age 714.199s)
+ hex dump (first 16 bytes):
+ 00 2b d8 d8 80 ff ff ff c4 74 e9 fd 07 00 00 00 .+.......t......
+ backtrace:
+ [<ffffffe6e7b245dc>] __kmem_cache_alloc_node+0x1e4/0x2d8
+ [<ffffffe6e7adde88>] kmalloc_trace+0x48/0x110
+ [<ffffffe6bbd765fc>] ath10k_wmi_tlv_op_gen_mgmt_tx_send+0xd4/0x1d8 [ath10k_core]
+ [<ffffffe6bbd3eed4>] ath10k_mgmt_over_wmi_tx_work+0x134/0x298 [ath10k_core]
+ [<ffffffe6e78d5974>] process_scheduled_works+0x1ac/0x400
+ [<ffffffe6e78d60b8>] worker_thread+0x208/0x328
+ [<ffffffe6e78dc890>] kthread+0x100/0x1c0
+ [<ffffffe6e78166c0>] ret_from_fork+0x10/0x20
+
+Free the memory during completion and cleanup to fix the leak.
+
+Protect the mgmt_pending_tx idr_remove() operation in
+ath10k_wmi_tlv_op_cleanup_mgmt_tx_send() using ar->data_lock similar to
+other instances.
+
+Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1
+
+Fixes: dc405152bb64 ("ath10k: handle mgmt tx completion event")
+Fixes: c730c477176a ("ath10k: Remove msdu from idr when management pkt send fails")
+Cc: stable@vger.kernel.org
+Signed-off-by: Manikanta Pubbisetty <quic_mpubbise@quicinc.com>
+Link: https://patch.msgid.link/20241015064103.6060-1-quic_mpubbise@quicinc.com
+Signed-off-by: Jeff Johnson <quic_jjohnson@quicinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath10k/wmi-tlv.c | 7 ++++++-
+ drivers/net/wireless/ath/ath10k/wmi.c | 2 ++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
++++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
+@@ -3042,9 +3042,14 @@ ath10k_wmi_tlv_op_cleanup_mgmt_tx_send(s
+ struct sk_buff *msdu)
+ {
+ struct ath10k_skb_cb *cb = ATH10K_SKB_CB(msdu);
++ struct ath10k_mgmt_tx_pkt_addr *pkt_addr;
+ struct ath10k_wmi *wmi = &ar->wmi;
+
+- idr_remove(&wmi->mgmt_pending_tx, cb->msdu_id);
++ spin_lock_bh(&ar->data_lock);
++ pkt_addr = idr_remove(&wmi->mgmt_pending_tx, cb->msdu_id);
++ spin_unlock_bh(&ar->data_lock);
++
++ kfree(pkt_addr);
+
+ return 0;
+ }
+--- a/drivers/net/wireless/ath/ath10k/wmi.c
++++ b/drivers/net/wireless/ath/ath10k/wmi.c
+@@ -2440,6 +2440,7 @@ wmi_process_mgmt_tx_comp(struct ath10k *
+ dma_unmap_single(ar->dev, pkt_addr->paddr,
+ msdu->len, DMA_TO_DEVICE);
+ info = IEEE80211_SKB_CB(msdu);
++ kfree(pkt_addr);
+
+ if (param->status) {
+ info->flags &= ~IEEE80211_TX_STAT_ACK;
+@@ -9559,6 +9560,7 @@ static int ath10k_wmi_mgmt_tx_clean_up_p
+ dma_unmap_single(ar->dev, pkt_addr->paddr,
+ msdu->len, DMA_TO_DEVICE);
+ ieee80211_free_txskb(ar->hw, msdu);
++ kfree(pkt_addr);
+
+ return 0;
+ }
--- /dev/null
+From d5fee261dfd9e17b08b1df8471ac5d5736070917 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 22 Oct 2024 16:17:42 +0200
+Subject: wifi: cfg80211: clear wdev->cqm_config pointer on free
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit d5fee261dfd9e17b08b1df8471ac5d5736070917 upstream.
+
+When we free wdev->cqm_config when unregistering, we also
+need to clear out the pointer since the same wdev/netdev
+may get re-registered in another network namespace, then
+destroyed later, running this code again, which results in
+a double-free.
+
+Reported-by: syzbot+36218cddfd84b5cc263e@syzkaller.appspotmail.com
+Fixes: 37c20b2effe9 ("wifi: cfg80211: fix cqm_config access race")
+Cc: stable@vger.kernel.org
+Link: https://patch.msgid.link/20241022161742.7c34b2037726.I121b9cdb7eb180802eafc90b493522950d57ee18@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/wireless/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/wireless/core.c
++++ b/net/wireless/core.c
+@@ -1233,6 +1233,7 @@ static void _cfg80211_unregister_wdev(st
+ /* deleted from the list, so can't be found from nl80211 any more */
+ cqm_config = rcu_access_pointer(wdev->cqm_config);
+ kfree_rcu(cqm_config, rcu_head);
++ RCU_INIT_POINTER(wdev->cqm_config, NULL);
+
+ /*
+ * Ensure that all events have been processed and
--- /dev/null
+From 07c90acb071b9954e1fecb1e4f4f13d12c544b34 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Tue, 1 Oct 2024 23:07:45 +0300
+Subject: wifi: iwlegacy: Clear stale interrupts before resuming device
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit 07c90acb071b9954e1fecb1e4f4f13d12c544b34 upstream.
+
+iwl4965 fails upon resume from hibernation on my laptop. The reason
+seems to be a stale interrupt which isn't being cleared out before
+interrupts are enabled. We end up with a race beween the resume
+trying to bring things back up, and the restart work (queued form
+the interrupt handler) trying to bring things down. Eventually
+the whole thing blows up.
+
+Fix the problem by clearing out any stale interrupts before
+interrupts get enabled during resume.
+
+Here's a debug log of the indicent:
+[ 12.042589] ieee80211 phy0: il_isr ISR inta 0x00000080, enabled 0xaa00008b, fh 0x00000000
+[ 12.042625] ieee80211 phy0: il4965_irq_tasklet inta 0x00000080, enabled 0x00000000, fh 0x00000000
+[ 12.042651] iwl4965 0000:10:00.0: RF_KILL bit toggled to enable radio.
+[ 12.042653] iwl4965 0000:10:00.0: On demand firmware reload
+[ 12.042690] ieee80211 phy0: il4965_irq_tasklet End inta 0x00000000, enabled 0xaa00008b, fh 0x00000000, flags 0x00000282
+[ 12.052207] ieee80211 phy0: il4965_mac_start enter
+[ 12.052212] ieee80211 phy0: il_prep_station Add STA to driver ID 31: ff:ff:ff:ff:ff:ff
+[ 12.052244] ieee80211 phy0: il4965_set_hw_ready hardware ready
+[ 12.052324] ieee80211 phy0: il_apm_init Init card's basic functions
+[ 12.052348] ieee80211 phy0: il_apm_init L1 Enabled; Disabling L0S
+[ 12.055727] ieee80211 phy0: il4965_load_bsm Begin load bsm
+[ 12.056140] ieee80211 phy0: il4965_verify_bsm Begin verify bsm
+[ 12.058642] ieee80211 phy0: il4965_verify_bsm BSM bootstrap uCode image OK
+[ 12.058721] ieee80211 phy0: il4965_load_bsm BSM write complete, poll 1 iterations
+[ 12.058734] ieee80211 phy0: __il4965_up iwl4965 is coming up
+[ 12.058737] ieee80211 phy0: il4965_mac_start Start UP work done.
+[ 12.058757] ieee80211 phy0: __il4965_down iwl4965 is going down
+[ 12.058761] ieee80211 phy0: il_scan_cancel_timeout Scan cancel timeout
+[ 12.058762] ieee80211 phy0: il_do_scan_abort Not performing scan to abort
+[ 12.058765] ieee80211 phy0: il_clear_ucode_stations Clearing ucode stations in driver
+[ 12.058767] ieee80211 phy0: il_clear_ucode_stations No active stations found to be cleared
+[ 12.058819] ieee80211 phy0: _il_apm_stop Stop card, put in low power state
+[ 12.058827] ieee80211 phy0: _il_apm_stop_master stop master
+[ 12.058864] ieee80211 phy0: il4965_clear_free_frames 0 frames on pre-allocated heap on clear.
+[ 12.058869] ieee80211 phy0: Hardware restart was requested
+[ 16.132299] iwl4965 0000:10:00.0: START_ALIVE timeout after 4000ms.
+[ 16.132303] ------------[ cut here ]------------
+[ 16.132304] Hardware became unavailable upon resume. This could be a software issue prior to suspend or a hardware issue.
+[ 16.132338] WARNING: CPU: 0 PID: 181 at net/mac80211/util.c:1826 ieee80211_reconfig+0x8f/0x14b0 [mac80211]
+[ 16.132390] Modules linked in: ctr ccm sch_fq_codel xt_tcpudp xt_multiport xt_state iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv4 ip_tables x_tables binfmt_misc joydev mousedev btusb btrtl btintel btbcm bluetooth ecdh_generic ecc iTCO_wdt i2c_dev iwl4965 iwlegacy coretemp snd_hda_codec_analog pcspkr psmouse mac80211 snd_hda_codec_generic libarc4 sdhci_pci cqhci sha256_generic sdhci libsha256 firewire_ohci snd_hda_intel snd_intel_dspcfg mmc_core snd_hda_codec snd_hwdep firewire_core led_class iosf_mbi snd_hda_core uhci_hcd lpc_ich crc_itu_t cfg80211 ehci_pci ehci_hcd snd_pcm usbcore mfd_core rfkill snd_timer snd usb_common soundcore video parport_pc parport intel_agp wmi intel_gtt backlight e1000e agpgart evdev
+[ 16.132456] CPU: 0 UID: 0 PID: 181 Comm: kworker/u8:6 Not tainted 6.11.0-cl+ #143
+[ 16.132460] Hardware name: Hewlett-Packard HP Compaq 6910p/30BE, BIOS 68MCU Ver. F.19 07/06/2010
+[ 16.132463] Workqueue: async async_run_entry_fn
+[ 16.132469] RIP: 0010:ieee80211_reconfig+0x8f/0x14b0 [mac80211]
+[ 16.132501] Code: da 02 00 00 c6 83 ad 05 00 00 00 48 89 df e8 98 1b fc ff 85 c0 41 89 c7 0f 84 e9 02 00 00 48 c7 c7 a0 e6 48 a0 e8 d1 77 c4 e0 <0f> 0b eb 2d 84 c0 0f 85 8b 01 00 00 c6 87 ad 05 00 00 00 e8 69 1b
+[ 16.132504] RSP: 0018:ffffc9000029fcf0 EFLAGS: 00010282
+[ 16.132507] RAX: 0000000000000000 RBX: ffff8880072008e0 RCX: 0000000000000001
+[ 16.132509] RDX: ffffffff81f21a18 RSI: 0000000000000086 RDI: 0000000000000001
+[ 16.132510] RBP: ffff8880072003c0 R08: 0000000000000000 R09: 0000000000000003
+[ 16.132512] R10: 0000000000000000 R11: ffff88807e5b0000 R12: 0000000000000001
+[ 16.132514] R13: 0000000000000000 R14: 0000000000000000 R15: 00000000ffffff92
+[ 16.132515] FS: 0000000000000000(0000) GS:ffff88807c200000(0000) knlGS:0000000000000000
+[ 16.132517] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 16.132519] CR2: 000055dd43786c08 CR3: 000000000978f000 CR4: 00000000000006f0
+[ 16.132521] Call Trace:
+[ 16.132525] <TASK>
+[ 16.132526] ? __warn+0x77/0x120
+[ 16.132532] ? ieee80211_reconfig+0x8f/0x14b0 [mac80211]
+[ 16.132564] ? report_bug+0x15c/0x190
+[ 16.132568] ? handle_bug+0x36/0x70
+[ 16.132571] ? exc_invalid_op+0x13/0x60
+[ 16.132573] ? asm_exc_invalid_op+0x16/0x20
+[ 16.132579] ? ieee80211_reconfig+0x8f/0x14b0 [mac80211]
+[ 16.132611] ? snd_hdac_bus_init_cmd_io+0x24/0x200 [snd_hda_core]
+[ 16.132617] ? pick_eevdf+0x133/0x1c0
+[ 16.132622] ? check_preempt_wakeup_fair+0x70/0x90
+[ 16.132626] ? wakeup_preempt+0x4a/0x60
+[ 16.132628] ? ttwu_do_activate.isra.0+0x5a/0x190
+[ 16.132632] wiphy_resume+0x79/0x1a0 [cfg80211]
+[ 16.132675] ? wiphy_suspend+0x2a0/0x2a0 [cfg80211]
+[ 16.132697] dpm_run_callback+0x75/0x1b0
+[ 16.132703] device_resume+0x97/0x200
+[ 16.132707] async_resume+0x14/0x20
+[ 16.132711] async_run_entry_fn+0x1b/0xa0
+[ 16.132714] process_one_work+0x13d/0x350
+[ 16.132718] worker_thread+0x2be/0x3d0
+[ 16.132722] ? cancel_delayed_work_sync+0x70/0x70
+[ 16.132725] kthread+0xc0/0xf0
+[ 16.132729] ? kthread_park+0x80/0x80
+[ 16.132732] ret_from_fork+0x28/0x40
+[ 16.132735] ? kthread_park+0x80/0x80
+[ 16.132738] ret_from_fork_asm+0x11/0x20
+[ 16.132741] </TASK>
+[ 16.132742] ---[ end trace 0000000000000000 ]---
+[ 16.132930] ------------[ cut here ]------------
+[ 16.132932] WARNING: CPU: 0 PID: 181 at net/mac80211/driver-ops.c:41 drv_stop+0xe7/0xf0 [mac80211]
+[ 16.132957] Modules linked in: ctr ccm sch_fq_codel xt_tcpudp xt_multiport xt_state iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv4 ip_tables x_tables binfmt_misc joydev mousedev btusb btrtl btintel btbcm bluetooth ecdh_generic ecc iTCO_wdt i2c_dev iwl4965 iwlegacy coretemp snd_hda_codec_analog pcspkr psmouse mac80211 snd_hda_codec_generic libarc4 sdhci_pci cqhci sha256_generic sdhci libsha256 firewire_ohci snd_hda_intel snd_intel_dspcfg mmc_core snd_hda_codec snd_hwdep firewire_core led_class iosf_mbi snd_hda_core uhci_hcd lpc_ich crc_itu_t cfg80211 ehci_pci ehci_hcd snd_pcm usbcore mfd_core rfkill snd_timer snd usb_common soundcore video parport_pc parport intel_agp wmi intel_gtt backlight e1000e agpgart evdev
+[ 16.133014] CPU: 0 UID: 0 PID: 181 Comm: kworker/u8:6 Tainted: G W 6.11.0-cl+ #143
+[ 16.133018] Tainted: [W]=WARN
+[ 16.133019] Hardware name: Hewlett-Packard HP Compaq 6910p/30BE, BIOS 68MCU Ver. F.19 07/06/2010
+[ 16.133021] Workqueue: async async_run_entry_fn
+[ 16.133025] RIP: 0010:drv_stop+0xe7/0xf0 [mac80211]
+[ 16.133048] Code: 48 85 c0 74 0e 48 8b 78 08 89 ea 48 89 de e8 e0 87 04 00 65 ff 0d d1 de c4 5f 0f 85 42 ff ff ff e8 be 52 c2 e0 e9 38 ff ff ff <0f> 0b 5b 5d c3 0f 1f 40 00 41 54 49 89 fc 55 53 48 89 f3 2e 2e 2e
+[ 16.133050] RSP: 0018:ffffc9000029fc50 EFLAGS: 00010246
+[ 16.133053] RAX: 0000000000000000 RBX: ffff8880072008e0 RCX: ffff88800377f6c0
+[ 16.133054] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff8880072008e0
+[ 16.133056] RBP: 0000000000000000 R08: ffffffff81f238d8 R09: 0000000000000000
+[ 16.133058] R10: ffff8880080520f0 R11: 0000000000000000 R12: ffff888008051c60
+[ 16.133060] R13: ffff8880072008e0 R14: 0000000000000000 R15: ffff8880072011d8
+[ 16.133061] FS: 0000000000000000(0000) GS:ffff88807c200000(0000) knlGS:0000000000000000
+[ 16.133063] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 16.133065] CR2: 000055dd43786c08 CR3: 000000000978f000 CR4: 00000000000006f0
+[ 16.133067] Call Trace:
+[ 16.133069] <TASK>
+[ 16.133070] ? __warn+0x77/0x120
+[ 16.133075] ? drv_stop+0xe7/0xf0 [mac80211]
+[ 16.133098] ? report_bug+0x15c/0x190
+[ 16.133100] ? handle_bug+0x36/0x70
+[ 16.133103] ? exc_invalid_op+0x13/0x60
+[ 16.133105] ? asm_exc_invalid_op+0x16/0x20
+[ 16.133109] ? drv_stop+0xe7/0xf0 [mac80211]
+[ 16.133132] ieee80211_do_stop+0x55a/0x810 [mac80211]
+[ 16.133161] ? fq_codel_reset+0xa5/0xc0 [sch_fq_codel]
+[ 16.133164] ieee80211_stop+0x4f/0x180 [mac80211]
+[ 16.133192] __dev_close_many+0xa2/0x120
+[ 16.133195] dev_close_many+0x90/0x150
+[ 16.133198] dev_close+0x5d/0x80
+[ 16.133200] cfg80211_shutdown_all_interfaces+0x40/0xe0 [cfg80211]
+[ 16.133223] wiphy_resume+0xb2/0x1a0 [cfg80211]
+[ 16.133247] ? wiphy_suspend+0x2a0/0x2a0 [cfg80211]
+[ 16.133269] dpm_run_callback+0x75/0x1b0
+[ 16.133273] device_resume+0x97/0x200
+[ 16.133277] async_resume+0x14/0x20
+[ 16.133280] async_run_entry_fn+0x1b/0xa0
+[ 16.133283] process_one_work+0x13d/0x350
+[ 16.133287] worker_thread+0x2be/0x3d0
+[ 16.133290] ? cancel_delayed_work_sync+0x70/0x70
+[ 16.133294] kthread+0xc0/0xf0
+[ 16.133296] ? kthread_park+0x80/0x80
+[ 16.133299] ret_from_fork+0x28/0x40
+[ 16.133302] ? kthread_park+0x80/0x80
+[ 16.133304] ret_from_fork_asm+0x11/0x20
+[ 16.133307] </TASK>
+[ 16.133308] ---[ end trace 0000000000000000 ]---
+[ 16.133335] ieee80211 phy0: PM: dpm_run_callback(): wiphy_resume [cfg80211] returns -110
+[ 16.133360] ieee80211 phy0: PM: failed to restore async: error -110
+
+Cc: stable@vger.kernel.org
+Cc: Stanislaw Gruszka <stf_xl@wp.pl>
+Cc: Kalle Valo <kvalo@kernel.org>
+Cc: linux-wireless@vger.kernel.org
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
+Signed-off-by: Kalle Valo <kvalo@kernel.org>
+Link: https://patch.msgid.link/20241001200745.8276-1-ville.syrjala@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlegacy/common.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/intel/iwlegacy/common.c
++++ b/drivers/net/wireless/intel/iwlegacy/common.c
+@@ -4972,6 +4972,8 @@ il_pci_resume(struct device *device)
+ */
+ pci_write_config_byte(pdev, PCI_CFG_RETRY_TIMEOUT, 0x00);
+
++ _il_wr(il, CSR_INT, 0xffffffff);
++ _il_wr(il, CSR_FH_INT_STATUS, 0xffffffff);
+ il_enable_interrupts(il);
+
+ if (!(_il_rd(il, CSR_GP_CNTRL) & CSR_GP_CNTRL_REG_FLAG_HW_RF_KILL_SW))
--- /dev/null
+From 393b6bc174b0dd21bb2a36c13b36e62fc3474a23 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Wed, 2 Oct 2024 11:56:30 +0200
+Subject: wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit 393b6bc174b0dd21bb2a36c13b36e62fc3474a23 upstream.
+
+Avoid potentially crashing in the driver because of uninitialized private data
+
+Fixes: 5b3dc42b1b0d ("mac80211: add support for driver tx power reporting")
+Cc: stable@vger.kernel.org
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://patch.msgid.link/20241002095630.22431-1-nbd@nbd.name
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/cfg.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -3115,7 +3115,8 @@ static int ieee80211_get_tx_power(struct
+ struct ieee80211_local *local = wiphy_priv(wiphy);
+ struct ieee80211_sub_if_data *sdata = IEEE80211_WDEV_TO_SUB_IF(wdev);
+
+- if (local->ops->get_txpower)
++ if (local->ops->get_txpower &&
++ (sdata->flags & IEEE80211_SDATA_IN_DRIVER))
+ return drv_get_txpower(local, sdata, dbm);
+
+ if (!local->use_chanctx)
--- /dev/null
+From 075919f6df5dd82ad0b1894898b315fbb3c29b84 Mon Sep 17 00:00:00 2001
+From: Faisal Hassan <quic_faisalh@quicinc.com>
+Date: Tue, 22 Oct 2024 21:26:31 +0530
+Subject: xhci: Fix Link TRB DMA in command ring stopped completion event
+
+From: Faisal Hassan <quic_faisalh@quicinc.com>
+
+commit 075919f6df5dd82ad0b1894898b315fbb3c29b84 upstream.
+
+During the aborting of a command, the software receives a command
+completion event for the command ring stopped, with the TRB pointing
+to the next TRB after the aborted command.
+
+If the command we abort is located just before the Link TRB in the
+command ring, then during the 'command ring stopped' completion event,
+the xHC gives the Link TRB in the event's cmd DMA, which causes a
+mismatch in handling command completion event.
+
+To address this situation, move the 'command ring stopped' completion
+event check slightly earlier, since the specific command it stopped
+on isn't of significant concern.
+
+Fixes: 7f84eef0dafb ("USB: xhci: No-op command queueing and irq handler.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Faisal Hassan <quic_faisalh@quicinc.com>
+Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20241022155631.1185-1-quic_faisalh@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-ring.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -1734,6 +1734,14 @@ static void handle_cmd_completion(struct
+
+ trace_xhci_handle_command(xhci->cmd_ring, &cmd_trb->generic);
+
++ cmd_comp_code = GET_COMP_CODE(le32_to_cpu(event->status));
++
++ /* If CMD ring stopped we own the trbs between enqueue and dequeue */
++ if (cmd_comp_code == COMP_COMMAND_RING_STOPPED) {
++ complete_all(&xhci->cmd_ring_stop_completion);
++ return;
++ }
++
+ cmd_dequeue_dma = xhci_trb_virt_to_dma(xhci->cmd_ring->deq_seg,
+ cmd_trb);
+ /*
+@@ -1750,14 +1758,6 @@ static void handle_cmd_completion(struct
+
+ cancel_delayed_work(&xhci->cmd_timer);
+
+- cmd_comp_code = GET_COMP_CODE(le32_to_cpu(event->status));
+-
+- /* If CMD ring stopped we own the trbs between enqueue and dequeue */
+- if (cmd_comp_code == COMP_COMMAND_RING_STOPPED) {
+- complete_all(&xhci->cmd_ring_stop_completion);
+- return;
+- }
+-
+ if (cmd->command_trb != xhci->cmd_ring->dequeue) {
+ xhci_err(xhci,
+ "Command completion event does not match command\n");
--- /dev/null
+From 31004740e42846a6f0bb255e6348281df3eb8032 Mon Sep 17 00:00:00 2001
+From: Basavaraj Natikar <Basavaraj.Natikar@amd.com>
+Date: Thu, 24 Oct 2024 19:07:18 +0530
+Subject: xhci: Use pm_runtime_get to prevent RPM on unsupported systems
+
+From: Basavaraj Natikar <Basavaraj.Natikar@amd.com>
+
+commit 31004740e42846a6f0bb255e6348281df3eb8032 upstream.
+
+Use pm_runtime_put in the remove function and pm_runtime_get to disable
+RPM on platforms that don't support runtime D3, as re-enabling it through
+sysfs auto power control may cause the controller to malfunction. This
+can lead to issues such as hotplug devices not being detected due to
+failed interrupt generation.
+
+Fixes: a5d6264b638e ("xhci: Enable RPM on controllers that support low-power states")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Basavaraj Natikar <Basavaraj.Natikar@amd.com>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Link: https://lore.kernel.org/r/20241024133718.723846-1-Basavaraj.Natikar@amd.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-pci.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -713,7 +713,7 @@ static int xhci_pci_probe(struct pci_dev
+ pm_runtime_put_noidle(&dev->dev);
+
+ if (pci_choose_state(dev, PMSG_SUSPEND) == PCI_D0)
+- pm_runtime_forbid(&dev->dev);
++ pm_runtime_get(&dev->dev);
+ else if (xhci->quirks & XHCI_DEFAULT_PM_RUNTIME_ALLOW)
+ pm_runtime_allow(&dev->dev);
+
+@@ -740,7 +740,9 @@ static void xhci_pci_remove(struct pci_d
+
+ xhci->xhc_state |= XHCI_STATE_REMOVING;
+
+- if (xhci->quirks & XHCI_DEFAULT_PM_RUNTIME_ALLOW)
++ if (pci_choose_state(dev, PMSG_SUSPEND) == PCI_D0)
++ pm_runtime_put(&dev->dev);
++ else if (xhci->quirks & XHCI_DEFAULT_PM_RUNTIME_ALLOW)
+ pm_runtime_forbid(&dev->dev);
+
+ if (xhci->shared_hcd) {
projects / thirdparty / kernel / stable-queue.git / commitdiff
