--- /dev/null
+From 7d345aa1fac4c2ec9584fbd6f389f2c2368671d5 Mon Sep 17 00:00:00 2001
+From: Baokun Li <libaokun1@huawei.com>
+Date: Mon, 14 Jul 2025 21:03:21 +0800
+Subject: ext4: fix largest free orders lists corruption on mb_optimize_scan switch
+
+From: Baokun Li <libaokun1@huawei.com>
+
+commit 7d345aa1fac4c2ec9584fbd6f389f2c2368671d5 upstream.
+
+The grp->bb_largest_free_order is updated regardless of whether
+mb_optimize_scan is enabled. This can lead to inconsistencies between
+grp->bb_largest_free_order and the actual s_mb_largest_free_orders list
+index when mb_optimize_scan is repeatedly enabled and disabled via remount.
+
+For example, if mb_optimize_scan is initially enabled, largest free
+order is 3, and the group is in s_mb_largest_free_orders[3]. Then,
+mb_optimize_scan is disabled via remount, block allocations occur,
+updating largest free order to 2. Finally, mb_optimize_scan is re-enabled
+via remount, more block allocations update largest free order to 1.
+
+At this point, the group would be removed from s_mb_largest_free_orders[3]
+under the protection of s_mb_largest_free_orders_locks[2]. This lock
+mismatch can lead to list corruption.
+
+To fix this, whenever grp->bb_largest_free_order changes, we now always
+attempt to remove the group from its old order list. However, we only
+insert the group into the new order list if `mb_optimize_scan` is enabled.
+This approach helps prevent lock inconsistencies and ensures the data in
+the order lists remains reliable.
+
+Fixes: 196e402adf2e ("ext4: improve cr 0 / cr 1 group scanning")
+CC: stable@vger.kernel.org
+Suggested-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
+Link: https://patch.msgid.link/20250714130327.1830534-12-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/mballoc.c | 33 ++++++++++++++-------------------
+ 1 file changed, 14 insertions(+), 19 deletions(-)
+
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -1032,33 +1032,28 @@ static void
+ mb_set_largest_free_order(struct super_block *sb, struct ext4_group_info *grp)
+ {
+ struct ext4_sb_info *sbi = EXT4_SB(sb);
+- int i;
++ int new, old = grp->bb_largest_free_order;
+
+- for (i = MB_NUM_ORDERS(sb) - 1; i >= 0; i--)
+- if (grp->bb_counters[i] > 0)
++ for (new = MB_NUM_ORDERS(sb) - 1; new >= 0; new--)
++ if (grp->bb_counters[new] > 0)
+ break;
++
+ /* No need to move between order lists? */
+- if (!test_opt2(sb, MB_OPTIMIZE_SCAN) ||
+- i == grp->bb_largest_free_order) {
+- grp->bb_largest_free_order = i;
++ if (new == old)
+ return;
+- }
+
+- if (grp->bb_largest_free_order >= 0) {
+- write_lock(&sbi->s_mb_largest_free_orders_locks[
+- grp->bb_largest_free_order]);
++ if (old >= 0 && !list_empty(&grp->bb_largest_free_order_node)) {
++ write_lock(&sbi->s_mb_largest_free_orders_locks[old]);
+ list_del_init(&grp->bb_largest_free_order_node);
+- write_unlock(&sbi->s_mb_largest_free_orders_locks[
+- grp->bb_largest_free_order]);
++ write_unlock(&sbi->s_mb_largest_free_orders_locks[old]);
+ }
+- grp->bb_largest_free_order = i;
+- if (grp->bb_largest_free_order >= 0 && grp->bb_free) {
+- write_lock(&sbi->s_mb_largest_free_orders_locks[
+- grp->bb_largest_free_order]);
++
++ grp->bb_largest_free_order = new;
++ if (test_opt2(sb, MB_OPTIMIZE_SCAN) && new >= 0 && grp->bb_free) {
++ write_lock(&sbi->s_mb_largest_free_orders_locks[new]);
+ list_add_tail(&grp->bb_largest_free_order_node,
+- &sbi->s_mb_largest_free_orders[grp->bb_largest_free_order]);
+- write_unlock(&sbi->s_mb_largest_free_orders_locks[
+- grp->bb_largest_free_order]);
++ &sbi->s_mb_largest_free_orders[new]);
++ write_unlock(&sbi->s_mb_largest_free_orders_locks[new]);
+ }
+ }
+
--- /dev/null
+From 1c320d8e92925bb7615f83a7b6e3f402a5c2ca63 Mon Sep 17 00:00:00 2001
+From: Baokun Li <libaokun1@huawei.com>
+Date: Mon, 14 Jul 2025 21:03:20 +0800
+Subject: ext4: fix zombie groups in average fragment size lists
+
+From: Baokun Li <libaokun1@huawei.com>
+
+commit 1c320d8e92925bb7615f83a7b6e3f402a5c2ca63 upstream.
+
+Groups with no free blocks shouldn't be in any average fragment size list.
+However, when all blocks in a group are allocated(i.e., bb_fragments or
+bb_free is 0), we currently skip updating the average fragment size, which
+means the group isn't removed from its previous s_mb_avg_fragment_size[old]
+list.
+
+This created "zombie" groups that were always skipped during traversal as
+they couldn't satisfy any block allocation requests, negatively impacting
+traversal efficiency.
+
+Therefore, when a group becomes completely full, bb_avg_fragment_size_order
+is now set to -1. If the old order was not -1, a removal operation is
+performed; if the new order is not -1, an insertion is performed.
+
+Fixes: 196e402adf2e ("ext4: improve cr 0 / cr 1 group scanning")
+CC: stable@vger.kernel.org
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
+Link: https://patch.msgid.link/20250714130327.1830534-11-libaokun1@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/mballoc.c | 34 +++++++++++++++++-----------------
+ 1 file changed, 17 insertions(+), 17 deletions(-)
+
+--- a/fs/ext4/mballoc.c
++++ b/fs/ext4/mballoc.c
+@@ -829,30 +829,30 @@ static void
+ mb_update_avg_fragment_size(struct super_block *sb, struct ext4_group_info *grp)
+ {
+ struct ext4_sb_info *sbi = EXT4_SB(sb);
+- int new_order;
++ int new, old;
+
+- if (!test_opt2(sb, MB_OPTIMIZE_SCAN) || grp->bb_fragments == 0)
++ if (!test_opt2(sb, MB_OPTIMIZE_SCAN))
+ return;
+
+- new_order = mb_avg_fragment_size_order(sb,
+- grp->bb_free / grp->bb_fragments);
+- if (new_order == grp->bb_avg_fragment_size_order)
++ old = grp->bb_avg_fragment_size_order;
++ new = grp->bb_fragments == 0 ? -1 :
++ mb_avg_fragment_size_order(sb, grp->bb_free / grp->bb_fragments);
++ if (new == old)
+ return;
+
+- if (grp->bb_avg_fragment_size_order != -1) {
+- write_lock(&sbi->s_mb_avg_fragment_size_locks[
+- grp->bb_avg_fragment_size_order]);
++ if (old >= 0) {
++ write_lock(&sbi->s_mb_avg_fragment_size_locks[old]);
+ list_del(&grp->bb_avg_fragment_size_node);
+- write_unlock(&sbi->s_mb_avg_fragment_size_locks[
+- grp->bb_avg_fragment_size_order]);
++ write_unlock(&sbi->s_mb_avg_fragment_size_locks[old]);
++ }
++
++ grp->bb_avg_fragment_size_order = new;
++ if (new >= 0) {
++ write_lock(&sbi->s_mb_avg_fragment_size_locks[new]);
++ list_add_tail(&grp->bb_avg_fragment_size_node,
++ &sbi->s_mb_avg_fragment_size[new]);
++ write_unlock(&sbi->s_mb_avg_fragment_size_locks[new]);
+ }
+- grp->bb_avg_fragment_size_order = new_order;
+- write_lock(&sbi->s_mb_avg_fragment_size_locks[
+- grp->bb_avg_fragment_size_order]);
+- list_add_tail(&grp->bb_avg_fragment_size_node,
+- &sbi->s_mb_avg_fragment_size[grp->bb_avg_fragment_size_order]);
+- write_unlock(&sbi->s_mb_avg_fragment_size_locks[
+- grp->bb_avg_fragment_size_order]);
+ }
+
+ /*
--- /dev/null
+From 966c5cd72be8989c8a559ddef8e8ff07a37c5eb0 Mon Sep 17 00:00:00 2001
+From: Ricky Wu <ricky_wu@realtek.com>
+Date: Fri, 11 Jul 2025 22:01:43 +0800
+Subject: misc: rtsx: usb: Ensure mmc child device is active when card is present
+
+From: Ricky Wu <ricky_wu@realtek.com>
+
+commit 966c5cd72be8989c8a559ddef8e8ff07a37c5eb0 upstream.
+
+When a card is present in the reader, the driver currently defers
+autosuspend by returning -EAGAIN during the suspend callback to
+trigger USB remote wakeup signaling. However, this does not guarantee
+that the mmc child device has been resumed, which may cause issues if
+it remains suspended while the card is accessible.
+This patch ensures that all child devices, including the mmc host
+controller, are explicitly resumed before returning -EAGAIN. This
+fixes a corner case introduced by earlier remote wakeup handling,
+improving reliability of runtime PM when a card is inserted.
+
+Fixes: 883a87ddf2f1 ("misc: rtsx_usb: Use USB remote wakeup signaling for card insertion detection")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ricky Wu <ricky_wu@realtek.com>
+Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
+Link: https://lore.kernel.org/r/20250711140143.2105224-1-ricky_wu@realtek.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/cardreader/rtsx_usb.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/drivers/misc/cardreader/rtsx_usb.c
++++ b/drivers/misc/cardreader/rtsx_usb.c
+@@ -698,6 +698,12 @@ static void rtsx_usb_disconnect(struct u
+ }
+
+ #ifdef CONFIG_PM
++static int rtsx_usb_resume_child(struct device *dev, void *data)
++{
++ pm_request_resume(dev);
++ return 0;
++}
++
+ static int rtsx_usb_suspend(struct usb_interface *intf, pm_message_t message)
+ {
+ struct rtsx_ucr *ucr =
+@@ -713,8 +719,10 @@ static int rtsx_usb_suspend(struct usb_i
+ mutex_unlock(&ucr->dev_mutex);
+
+ /* Defer the autosuspend if card exists */
+- if (val & (SD_CD | MS_CD))
++ if (val & (SD_CD | MS_CD)) {
++ device_for_each_child(&intf->dev, NULL, rtsx_usb_resume_child);
+ return -EAGAIN;
++ }
+ } else {
+ /* There is an ongoing operation*/
+ return -EAGAIN;
+@@ -724,12 +732,6 @@ static int rtsx_usb_suspend(struct usb_i
+ return 0;
+ }
+
+-static int rtsx_usb_resume_child(struct device *dev, void *data)
+-{
+- pm_request_resume(dev);
+- return 0;
+-}
+-
+ static int rtsx_usb_resume(struct usb_interface *intf)
+ {
+ device_for_each_child(&intf->dev, NULL, rtsx_usb_resume_child);
asoc-fsl-merge-dai-call-back-functions-into-ops.patch
asoc-fsl_sai-replace-regmap_write-with-regmap_update.patch
drm-amdgpu-fix-incorrect-vm-flags-to-map-bo.patch
+ext4-fix-zombie-groups-in-average-fragment-size-lists.patch
+ext4-fix-largest-free-orders-lists-corruption-on-mb_optimize_scan-switch.patch
+usb-core-config-prevent-oob-read-in-ss-endpoint-companion-parsing.patch
+misc-rtsx-usb-ensure-mmc-child-device-is-active-when-card-is-present.patch
+usb-typec-ucsi-update-power_supply-on-power-role-change.patch
--- /dev/null
+From cf16f408364efd8a68f39011a3b073c83a03612d Mon Sep 17 00:00:00 2001
+From: Xinyu Liu <katieeliu@tencent.com>
+Date: Mon, 30 Jun 2025 10:02:56 +0800
+Subject: usb: core: config: Prevent OOB read in SS endpoint companion parsing
+
+From: Xinyu Liu <katieeliu@tencent.com>
+
+commit cf16f408364efd8a68f39011a3b073c83a03612d upstream.
+
+usb_parse_ss_endpoint_companion() checks descriptor type before length,
+enabling a potentially odd read outside of the buffer size.
+
+Fix this up by checking the size first before looking at any of the
+fields in the descriptor.
+
+Signed-off-by: Xinyu Liu <katieeliu@tencent.com>
+Cc: stable <stable@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/config.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -81,8 +81,14 @@ static void usb_parse_ss_endpoint_compan
+ */
+ desc = (struct usb_ss_ep_comp_descriptor *) buffer;
+
+- if (desc->bDescriptorType != USB_DT_SS_ENDPOINT_COMP ||
+- size < USB_DT_SS_EP_COMP_SIZE) {
++ if (size < USB_DT_SS_EP_COMP_SIZE) {
++ dev_notice(ddev,
++ "invalid SuperSpeed endpoint companion descriptor "
++ "of length %d, skipping\n", size);
++ return;
++ }
++
++ if (desc->bDescriptorType != USB_DT_SS_ENDPOINT_COMP) {
+ dev_notice(ddev, "No SuperSpeed endpoint companion for config %d "
+ " interface %d altsetting %d ep %d: "
+ "using minimum values\n",
--- /dev/null
+From 7616f006db07017ef5d4ae410fca99279aaca7aa Mon Sep 17 00:00:00 2001
+From: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
+Date: Mon, 21 Jul 2025 13:32:51 +0700
+Subject: usb: typec: ucsi: Update power_supply on power role change
+
+From: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
+
+commit 7616f006db07017ef5d4ae410fca99279aaca7aa upstream.
+
+The current power direction of an USB-C port also influences the
+power_supply's online status, so a power role change should also update
+the power_supply.
+
+Fixes an issue on some systems where plugging in a normal USB device in
+for the first time after a reboot will cause upower to erroneously
+consider the system to be connected to AC power.
+
+Cc: stable <stable@kernel.org>
+Fixes: 0e6371fbfba3 ("usb: typec: ucsi: Report power supply changes")
+Signed-off-by: Myrrh Periwinkle <myrrhperiwinkle@qtmlabs.xyz>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20250721-fix-ucsi-pwr-dir-notify-v1-1-e53d5340cb38@qtmlabs.xyz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/ucsi/ucsi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/typec/ucsi/ucsi.c
++++ b/drivers/usb/typec/ucsi/ucsi.c
+@@ -806,6 +806,7 @@ static void ucsi_handle_connector_change
+
+ if (con->status.change & UCSI_CONSTAT_POWER_DIR_CHANGE) {
+ typec_set_pwr_role(con->port, role);
++ ucsi_port_psy_changed(con);
+
+ /* Complete pending power role swap */
+ if (!completion_done(&con->complete))
projects / thirdparty / kernel / stable-queue.git / commitdiff
