--- /dev/null
+From dc7eb8755797ed41a0d1b5c0c39df3c8f401b3d9 Mon Sep 17 00:00:00 2001
+From: Mark Brown <broonie@kernel.org>
+Date: Mon, 15 Jan 2024 20:15:46 +0000
+Subject: arm64/sme: Always exit sme_alloc() early with existing storage
+
+From: Mark Brown <broonie@kernel.org>
+
+commit dc7eb8755797ed41a0d1b5c0c39df3c8f401b3d9 upstream.
+
+When sme_alloc() is called with existing storage and we are not flushing we
+will always allocate new storage, both leaking the existing storage and
+corrupting the state. Fix this by separating the checks for flushing and
+for existing storage as we do for SVE.
+
+Callers that reallocate (eg, due to changing the vector length) should
+call sme_free() themselves.
+
+Fixes: 5d0a8d2fba50 ("arm64/ptrace: Ensure that SME is set up for target when writing SSVE state")
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20240115-arm64-sme-flush-v1-1-7472bd3459b7@kernel.org
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Zhaoyang Li <lizy04@hust.edu.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/kernel/fpsimd.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/kernel/fpsimd.c
++++ b/arch/arm64/kernel/fpsimd.c
+@@ -1259,8 +1259,10 @@ void fpsimd_release_task(struct task_str
+ */
+ void sme_alloc(struct task_struct *task, bool flush)
+ {
+- if (task->thread.za_state && flush) {
+- memset(task->thread.za_state, 0, za_state_size(task));
++ if (task->thread.za_state) {
++ if (flush)
++ memset(task->thread.za_state, 0,
++ za_state_size(task));
+ return;
+ }
+
--- /dev/null
+From 3051a77a09dfe3022aa012071346937fdf059033 Mon Sep 17 00:00:00 2001
+From: Shravya KN <shravya.k-n@broadcom.com>
+Date: Fri, 22 Nov 2024 14:45:44 -0800
+Subject: bnxt_en: Fix receive ring space parameters when XDP is active
+
+From: Shravya KN <shravya.k-n@broadcom.com>
+
+commit 3051a77a09dfe3022aa012071346937fdf059033 upstream.
+
+The MTU setting at the time an XDP multi-buffer is attached
+determines whether the aggregation ring will be used and the
+rx_skb_func handler. This is done in bnxt_set_rx_skb_mode().
+
+If the MTU is later changed, the aggregation ring setting may need
+to be changed and it may become out-of-sync with the settings
+initially done in bnxt_set_rx_skb_mode(). This may result in
+random memory corruption and crashes as the HW may DMA data larger
+than the allocated buffer size, such as:
+
+BUG: kernel NULL pointer dereference, address: 00000000000003c0
+PGD 0 P4D 0
+Oops: 0000 [#1] PREEMPT SMP NOPTI
+CPU: 17 PID: 0 Comm: swapper/17 Kdump: loaded Tainted: G S OE 6.1.0-226bf9805506 #1
+Hardware name: Wiwynn Delta Lake PVT BZA.02601.0150/Delta Lake-Class1, BIOS F0E_3A12 08/26/2021
+RIP: 0010:bnxt_rx_pkt+0xe97/0x1ae0 [bnxt_en]
+Code: 8b 95 70 ff ff ff 4c 8b 9d 48 ff ff ff 66 41 89 87 b4 00 00 00 e9 0b f7 ff ff 0f b7 43 0a 49 8b 95 a8 04 00 00 25 ff 0f 00 00 <0f> b7 14 42 48 c1 e2 06 49 03 95 a0 04 00 00 0f b6 42 33f
+RSP: 0018:ffffa19f40cc0d18 EFLAGS: 00010202
+RAX: 00000000000001e0 RBX: ffff8e2c805c6100 RCX: 00000000000007ff
+RDX: 0000000000000000 RSI: ffff8e2c271ab990 RDI: ffff8e2c84f12380
+RBP: ffffa19f40cc0e48 R08: 000000000001000d R09: 974ea2fcddfa4cbf
+R10: 0000000000000000 R11: ffffa19f40cc0ff8 R12: ffff8e2c94b58980
+R13: ffff8e2c952d6600 R14: 0000000000000016 R15: ffff8e2c271ab990
+FS: 0000000000000000(0000) GS:ffff8e3b3f840000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00000000000003c0 CR3: 0000000e8580a004 CR4: 00000000007706e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+PKRU: 55555554
+Call Trace:
+ <IRQ>
+ __bnxt_poll_work+0x1c2/0x3e0 [bnxt_en]
+
+To address the issue, we now call bnxt_set_rx_skb_mode() within
+bnxt_change_mtu() to properly set the AGG rings configuration and
+update rx_skb_func based on the new MTU value.
+Additionally, BNXT_FLAG_NO_AGG_RINGS is cleared at the beginning of
+bnxt_set_rx_skb_mode() to make sure it gets set or cleared based on
+the current MTU.
+
+Fixes: 08450ea98ae9 ("bnxt_en: Fix max_mtu setting for multi-buf XDP")
+Co-developed-by: Somnath Kotur <somnath.kotur@broadcom.com>
+Signed-off-by: Somnath Kotur <somnath.kotur@broadcom.com>
+Signed-off-by: Shravya KN <shravya.k-n@broadcom.com>
+Signed-off-by: Michael Chan <michael.chan@broadcom.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Zhaoyang Li <lizy04@hust.edu.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -4041,7 +4041,7 @@ int bnxt_set_rx_skb_mode(struct bnxt *bp
+ struct net_device *dev = bp->dev;
+
+ if (page_mode) {
+- bp->flags &= ~BNXT_FLAG_AGG_RINGS;
++ bp->flags &= ~(BNXT_FLAG_AGG_RINGS | BNXT_FLAG_NO_AGG_RINGS);
+ bp->flags |= BNXT_FLAG_RX_PAGE_MODE;
+
+ if (bp->xdp_prog->aux->xdp_has_frags)
+@@ -12799,6 +12799,14 @@ static int bnxt_change_mtu(struct net_de
+ bnxt_close_nic(bp, true, false);
+
+ dev->mtu = new_mtu;
++
++ /* MTU change may change the AGG ring settings if an XDP multi-buffer
++ * program is attached. We need to set the AGG rings settings and
++ * rx_skb_func accordingly.
++ */
++ if (READ_ONCE(bp->xdp_prog))
++ bnxt_set_rx_skb_mode(bp, true);
++
+ bnxt_set_ring_params(bp);
+
+ if (netif_running(dev))
--- /dev/null
+From 4aaffc85751da5722e858e4333e8cf0aa4b6c78f Mon Sep 17 00:00:00 2001
+From: Alex Deucher <alexander.deucher@amd.com>
+Date: Thu, 1 May 2025 13:46:46 -0400
+Subject: drm/amdgpu: fix pm notifier handling
+
+From: Alex Deucher <alexander.deucher@amd.com>
+
+commit 4aaffc85751da5722e858e4333e8cf0aa4b6c78f upstream.
+
+Set the s3/s0ix and s4 flags in the pm notifier so that we can skip
+the resource evictions properly in pm prepare based on whether
+we are suspending or hibernating. Drop the eviction as processes
+are not frozen at this time, we we can end up getting stuck trying
+to evict VRAM while applications continue to submit work which
+causes the buffers to get pulled back into VRAM.
+
+v2: Move suspend flags out of pm notifier (Mario)
+
+Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/4178
+Fixes: 2965e6355dcd ("drm/amd: Add Suspend/Hibernate notification callback support")
+Cc: Mario Limonciello <mario.limonciello@amd.com>
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 06f2dcc241e7e5c681f81fbc46cacdf4bfd7d6d7)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 18 +++++-------------
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 10 +---------
+ 2 files changed, 6 insertions(+), 22 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
+@@ -4199,28 +4199,20 @@ static int amdgpu_device_evict_resources
+ * @data: data
+ *
+ * This function is called when the system is about to suspend or hibernate.
+- * It is used to evict resources from the device before the system goes to
+- * sleep while there is still access to swap.
++ * It is used to set the appropriate flags so that eviction can be optimized
++ * in the pm prepare callback.
+ */
+ static int amdgpu_device_pm_notifier(struct notifier_block *nb, unsigned long mode,
+ void *data)
+ {
+ struct amdgpu_device *adev = container_of(nb, struct amdgpu_device, pm_nb);
+- int r;
+
+ switch (mode) {
+ case PM_HIBERNATION_PREPARE:
+ adev->in_s4 = true;
+- fallthrough;
+- case PM_SUSPEND_PREPARE:
+- r = amdgpu_device_evict_resources(adev);
+- /*
+- * This is considered non-fatal at this time because
+- * amdgpu_device_prepare() will also fatally evict resources.
+- * See https://gitlab.freedesktop.org/drm/amd/-/issues/3781
+- */
+- if (r)
+- drm_warn(adev_to_drm(adev), "Failed to evict resources, freeze active processes if problems occur: %d\n", r);
++ break;
++ case PM_POST_HIBERNATION:
++ adev->in_s4 = false;
+ break;
+ }
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+@@ -2480,13 +2480,8 @@ static int amdgpu_pmops_freeze(struct de
+ static int amdgpu_pmops_thaw(struct device *dev)
+ {
+ struct drm_device *drm_dev = dev_get_drvdata(dev);
+- struct amdgpu_device *adev = drm_to_adev(drm_dev);
+- int r;
+
+- r = amdgpu_device_resume(drm_dev, true);
+- adev->in_s4 = false;
+-
+- return r;
++ return amdgpu_device_resume(drm_dev, true);
+ }
+
+ static int amdgpu_pmops_poweroff(struct device *dev)
+@@ -2499,9 +2494,6 @@ static int amdgpu_pmops_poweroff(struct
+ static int amdgpu_pmops_restore(struct device *dev)
+ {
+ struct drm_device *drm_dev = dev_get_drvdata(dev);
+- struct amdgpu_device *adev = drm_to_adev(drm_dev);
+-
+- adev->in_s4 = false;
+
+ return amdgpu_device_resume(drm_dev, true);
+ }
--- /dev/null
+From fc1092f51567277509563800a3c56732070b6aa4 Mon Sep 17 00:00:00 2001
+From: Shigeru Yoshida <syoshida@redhat.com>
+Date: Tue, 30 Apr 2024 21:39:45 +0900
+Subject: ipv4: Fix uninit-value access in __ip_make_skb()
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+commit fc1092f51567277509563800a3c56732070b6aa4 upstream.
+
+KMSAN reported uninit-value access in __ip_make_skb() [1]. __ip_make_skb()
+tests HDRINCL to know if the skb has icmphdr. However, HDRINCL can cause a
+race condition. If calling setsockopt(2) with IP_HDRINCL changes HDRINCL
+while __ip_make_skb() is running, the function will access icmphdr in the
+skb even if it is not included. This causes the issue reported by KMSAN.
+
+Check FLOWI_FLAG_KNOWN_NH on fl4->flowi4_flags instead of testing HDRINCL
+on the socket.
+
+Also, fl4->fl4_icmp_type and fl4->fl4_icmp_code are not initialized. These
+are union in struct flowi4 and are implicitly initialized by
+flowi4_init_output(), but we should not rely on specific union layout.
+
+Initialize these explicitly in raw_sendmsg().
+
+[1]
+BUG: KMSAN: uninit-value in __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481
+ __ip_make_skb+0x2b74/0x2d20 net/ipv4/ip_output.c:1481
+ ip_finish_skb include/net/ip.h:243 [inline]
+ ip_push_pending_frames+0x4c/0x5c0 net/ipv4/ip_output.c:1508
+ raw_sendmsg+0x2381/0x2690 net/ipv4/raw.c:654
+ inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg+0x274/0x3c0 net/socket.c:745
+ __sys_sendto+0x62c/0x7b0 net/socket.c:2191
+ __do_sys_sendto net/socket.c:2203 [inline]
+ __se_sys_sendto net/socket.c:2199 [inline]
+ __x64_sys_sendto+0x130/0x200 net/socket.c:2199
+ do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x6d/0x75
+
+Uninit was created at:
+ slab_post_alloc_hook mm/slub.c:3804 [inline]
+ slab_alloc_node mm/slub.c:3845 [inline]
+ kmem_cache_alloc_node+0x5f6/0xc50 mm/slub.c:3888
+ kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:577
+ __alloc_skb+0x35a/0x7c0 net/core/skbuff.c:668
+ alloc_skb include/linux/skbuff.h:1318 [inline]
+ __ip_append_data+0x49ab/0x68c0 net/ipv4/ip_output.c:1128
+ ip_append_data+0x1e7/0x260 net/ipv4/ip_output.c:1365
+ raw_sendmsg+0x22b1/0x2690 net/ipv4/raw.c:648
+ inet_sendmsg+0x27b/0x2a0 net/ipv4/af_inet.c:851
+ sock_sendmsg_nosec net/socket.c:730 [inline]
+ __sock_sendmsg+0x274/0x3c0 net/socket.c:745
+ __sys_sendto+0x62c/0x7b0 net/socket.c:2191
+ __do_sys_sendto net/socket.c:2203 [inline]
+ __se_sys_sendto net/socket.c:2199 [inline]
+ __x64_sys_sendto+0x130/0x200 net/socket.c:2199
+ do_syscall_64+0xd8/0x1f0 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x6d/0x75
+
+CPU: 1 PID: 15709 Comm: syz-executor.7 Not tainted 6.8.0-11567-gb3603fcb79b1 #25
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-1.fc39 04/01/2014
+
+Fixes: 99e5acae193e ("ipv4: Fix potential uninit variable access bug in __ip_make_skb()")
+Reported-by: syzkaller <syzkaller@googlegroups.com>
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Link: https://lore.kernel.org/r/20240430123945.2057348-1-syoshida@redhat.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Zhaoyang Li <lizy04@hust.edu.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_output.c | 3 ++-
+ net/ipv4/raw.c | 3 +++
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/ip_output.c
++++ b/net/ipv4/ip_output.c
+@@ -1580,7 +1580,8 @@ struct sk_buff *__ip_make_skb(struct soc
+ * so icmphdr does not in skb linear region and can not get icmp_type
+ * by icmp_hdr(skb)->type.
+ */
+- if (sk->sk_type == SOCK_RAW && !inet_sk(sk)->hdrincl)
++ if (sk->sk_type == SOCK_RAW &&
++ !(fl4->flowi4_flags & FLOWI_FLAG_KNOWN_NH))
+ icmp_type = fl4->fl4_icmp_type;
+ else
+ icmp_type = icmp_hdr(skb)->type;
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -608,6 +608,9 @@ static int raw_sendmsg(struct sock *sk,
+ (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
+ daddr, saddr, 0, 0, sk->sk_uid);
+
++ fl4.fl4_icmp_type = 0;
++ fl4.fl4_icmp_code = 0;
++
+ if (!hdrincl) {
+ rfv.msg = msg;
+ rfv.hlen = 0;
--- /dev/null
+From 4e13d3a9c25b7080f8a619f961e943fe08c2672c Mon Sep 17 00:00:00 2001
+From: Shigeru Yoshida <syoshida@redhat.com>
+Date: Mon, 6 May 2024 23:11:29 +0900
+Subject: ipv6: Fix potential uninit-value access in __ip6_make_skb()
+
+From: Shigeru Yoshida <syoshida@redhat.com>
+
+commit 4e13d3a9c25b7080f8a619f961e943fe08c2672c upstream.
+
+As it was done in commit fc1092f51567 ("ipv4: Fix uninit-value access in
+__ip_make_skb()") for IPv4, check FLOWI_FLAG_KNOWN_NH on fl6->flowi6_flags
+instead of testing HDRINCL on the socket to avoid a race condition which
+causes uninit-value access.
+
+Fixes: ea30388baebc ("ipv6: Fix an uninit variable access bug in __ip6_make_skb()")
+Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Zhaoyang Li <lizy04@hust.edu.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ip6_output.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1985,7 +1985,8 @@ struct sk_buff *__ip6_make_skb(struct so
+ struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));
+ u8 icmp6_type;
+
+- if (sk->sk_socket->type == SOCK_RAW && !inet_sk(sk)->hdrincl)
++ if (sk->sk_socket->type == SOCK_RAW &&
++ !(fl6->flowi6_flags & FLOWI_FLAG_KNOWN_NH))
+ icmp6_type = fl6->fl6_icmp_type;
+ else
+ icmp6_type = icmp6_hdr(skb)->icmp6_type;
--- /dev/null
+From dd410d784402c5775f66faf8b624e85e41c38aaf Mon Sep 17 00:00:00 2001
+From: "Maciej S. Szmigiero" <mail@maciej.szmigiero.name>
+Date: Mon, 6 Jan 2025 18:40:34 +0100
+Subject: platform/x86/amd/pmc: Only disable IRQ1 wakeup where i8042 actually enabled it
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
+
+commit dd410d784402c5775f66faf8b624e85e41c38aaf upstream.
+
+Wakeup for IRQ1 should be disabled only in cases where i8042 had
+actually enabled it, otherwise "wake_depth" for this IRQ will try to
+drop below zero and there will be an unpleasant WARN() logged:
+
+kernel: atkbd serio0: Disabling IRQ1 wakeup source to avoid platform firmware bug
+kernel: ------------[ cut here ]------------
+kernel: Unbalanced IRQ 1 wake disable
+kernel: WARNING: CPU: 10 PID: 6431 at kernel/irq/manage.c:920 irq_set_irq_wake+0x147/0x1a0
+
+The PMC driver uses DEFINE_SIMPLE_DEV_PM_OPS() to define its dev_pm_ops
+which sets amd_pmc_suspend_handler() to the .suspend, .freeze, and
+.poweroff handlers. i8042_pm_suspend(), however, is only set as
+the .suspend handler.
+
+Fix the issue by call PMC suspend handler only from the same set of
+dev_pm_ops handlers as i8042_pm_suspend(), which currently means just
+the .suspend handler.
+
+To reproduce this issue try hibernating (S4) the machine after a fresh boot
+without putting it into s2idle first.
+
+Fixes: 8e60615e8932 ("platform/x86/amd: pmc: Disable IRQ1 wakeup for RN/CZN")
+Reviewed-by: Mario Limonciello <mario.limonciello@amd.com>
+Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
+Link: https://lore.kernel.org/r/c8f28c002ca3c66fbeeb850904a1f43118e17200.1736184606.git.mail@maciej.szmigiero.name
+[ij: edited the commit message.]
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Signed-off-by: Zhaoyang Li <lizy04@hust.edu.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/platform/x86/amd/pmc.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/platform/x86/amd/pmc.c
++++ b/drivers/platform/x86/amd/pmc.c
+@@ -834,6 +834,10 @@ static int __maybe_unused amd_pmc_suspen
+ {
+ struct amd_pmc_dev *pdev = dev_get_drvdata(dev);
+
++ /*
++ * Must be called only from the same set of dev_pm_ops handlers
++ * as i8042_pm_suspend() is called: currently just from .suspend.
++ */
+ if (pdev->cpu_id == AMD_CPU_ID_CZN) {
+ int rc = amd_pmc_czn_wa_irq1(pdev);
+
+@@ -846,7 +850,9 @@ static int __maybe_unused amd_pmc_suspen
+ return 0;
+ }
+
+-static SIMPLE_DEV_PM_OPS(amd_pmc_pm, amd_pmc_suspend_handler, NULL);
++static const struct dev_pm_ops amd_pmc_pm = {
++ .suspend = amd_pmc_suspend_handler,
++};
+
+ #endif
+
netfilter-nf_tables-pass-nft_chain-to-destroy-function-not-nft_ctx.patch
netfilter-nf_tables-wait-for-rcu-grace-period-on-net_device-removal.patch
netfilter-nf_tables-do-not-defer-rule-destruction-via-call_rcu.patch
+arm64-sme-always-exit-sme_alloc-early-with-existing-storage.patch
+platform-x86-amd-pmc-only-disable-irq1-wakeup-where-i8042-actually-enabled-it.patch
+bnxt_en-fix-receive-ring-space-parameters-when-xdp-is-active.patch
+ipv6-fix-potential-uninit-value-access-in-__ip6_make_skb.patch
+ipv4-fix-uninit-value-access-in-__ip_make_skb.patch
+spi-cadence-qspi-fix-pointer-reference-in-runtime-pm-hooks.patch
+drm-amdgpu-fix-pm-notifier-handling.patch
--- /dev/null
+From 32ce3bb57b6b402de2aec1012511e7ac4e7449dc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Th=C3=A9o=20Lebrun?= <theo.lebrun@bootlin.com>
+Date: Thu, 22 Feb 2024 11:12:29 +0100
+Subject: spi: cadence-qspi: fix pointer reference in runtime PM hooks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Théo Lebrun <theo.lebrun@bootlin.com>
+
+commit 32ce3bb57b6b402de2aec1012511e7ac4e7449dc upstream.
+
+dev_get_drvdata() gets used to acquire the pointer to cqspi and the SPI
+controller. Neither embed the other; this lead to memory corruption.
+
+On a given platform (Mobileye EyeQ5) the memory corruption is hidden
+inside cqspi->f_pdata. Also, this uninitialised memory is used as a
+mutex (ctlr->bus_lock_mutex) by spi_controller_suspend().
+
+Fixes: 2087e85bb66e ("spi: cadence-quadspi: fix suspend-resume implementations")
+Reviewed-by: Dhruva Gole <d-gole@ti.com>
+Signed-off-by: Théo Lebrun <theo.lebrun@bootlin.com>
+Link: https://msgid.link/r/20240222-cdns-qspi-pm-fix-v4-1-6b6af8bcbf59@bootlin.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Zhaoyang Li <lizy04@hust.edu.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-cadence-quadspi.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/spi/spi-cadence-quadspi.c
++++ b/drivers/spi/spi-cadence-quadspi.c
+@@ -1775,10 +1775,9 @@ static int cqspi_remove(struct platform_
+ static int cqspi_suspend(struct device *dev)
+ {
+ struct cqspi_st *cqspi = dev_get_drvdata(dev);
+- struct spi_master *master = dev_get_drvdata(dev);
+ int ret;
+
+- ret = spi_master_suspend(master);
++ ret = spi_master_suspend(cqspi->master);
+ cqspi_controller_enable(cqspi, 0);
+
+ clk_disable_unprepare(cqspi->clk);
+@@ -1789,7 +1788,6 @@ static int cqspi_suspend(struct device *
+ static int cqspi_resume(struct device *dev)
+ {
+ struct cqspi_st *cqspi = dev_get_drvdata(dev);
+- struct spi_master *master = dev_get_drvdata(dev);
+
+ clk_prepare_enable(cqspi->clk);
+ cqspi_wait_idle(cqspi);
+@@ -1798,7 +1796,7 @@ static int cqspi_resume(struct device *d
+ cqspi->current_cs = -1;
+ cqspi->sclk = 0;
+
+- return spi_master_resume(master);
++ return spi_master_resume(cqspi->master);
+ }
+
+ static DEFINE_SIMPLE_DEV_PM_OPS(cqspi_dev_pm_ops, cqspi_suspend, cqspi_resume);
projects / thirdparty / kernel / stable-queue.git / commitdiff
