--- /dev/null
+From 6e74e53b34b6dec5a50e1404e2680852ec6768d2 Mon Sep 17 00:00:00 2001
+From: Niklas Cassel <cassel@kernel.org>
+Date: Mon, 27 Jan 2025 16:43:04 +0100
+Subject: ata: libata-sff: Ensure that we cannot write outside the allocated buffer
+
+From: Niklas Cassel <cassel@kernel.org>
+
+commit 6e74e53b34b6dec5a50e1404e2680852ec6768d2 upstream.
+
+reveliofuzzing reported that a SCSI_IOCTL_SEND_COMMAND ioctl with out_len
+set to 0xd42, SCSI command set to ATA_16 PASS-THROUGH, ATA command set to
+ATA_NOP, and protocol set to ATA_PROT_PIO, can cause ata_pio_sector() to
+write outside the allocated buffer, overwriting random memory.
+
+While a ATA device is supposed to abort a ATA_NOP command, there does seem
+to be a bug either in libata-sff or QEMU, where either this status is not
+set, or the status is cleared before read by ata_sff_hsm_move().
+Anyway, that is most likely a separate bug.
+
+Looking at __atapi_pio_bytes(), it already has a safety check to ensure
+that __atapi_pio_bytes() cannot write outside the allocated buffer.
+
+Add a similar check to ata_pio_sector(), such that also ata_pio_sector()
+cannot write outside the allocated buffer.
+
+Cc: stable@vger.kernel.org
+Reported-by: reveliofuzzing <reveliofuzzing@gmail.com>
+Closes: https://lore.kernel.org/linux-ide/CA+-ZZ_jTgxh3bS7m+KX07_EWckSnW3N2adX3KV63y4g7M4CZ2A@mail.gmail.com/
+Link: https://lore.kernel.org/r/20250127154303.15567-2-cassel@kernel.org
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-sff.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+--- a/drivers/ata/libata-sff.c
++++ b/drivers/ata/libata-sff.c
+@@ -658,7 +658,7 @@ static void ata_pio_sector(struct ata_qu
+ {
+ struct ata_port *ap = qc->ap;
+ struct page *page;
+- unsigned int offset;
++ unsigned int offset, count;
+
+ if (!qc->cursg) {
+ qc->curbytes = qc->nbytes;
+@@ -674,25 +674,27 @@ static void ata_pio_sector(struct ata_qu
+ page = nth_page(page, (offset >> PAGE_SHIFT));
+ offset %= PAGE_SIZE;
+
+- trace_ata_sff_pio_transfer_data(qc, offset, qc->sect_size);
++ /* don't overrun current sg */
++ count = min(qc->cursg->length - qc->cursg_ofs, qc->sect_size);
++
++ trace_ata_sff_pio_transfer_data(qc, offset, count);
+
+ /*
+ * Split the transfer when it splits a page boundary. Note that the
+ * split still has to be dword aligned like all ATA data transfers.
+ */
+ WARN_ON_ONCE(offset % 4);
+- if (offset + qc->sect_size > PAGE_SIZE) {
++ if (offset + count > PAGE_SIZE) {
+ unsigned int split_len = PAGE_SIZE - offset;
+
+ ata_pio_xfer(qc, page, offset, split_len);
+- ata_pio_xfer(qc, nth_page(page, 1), 0,
+- qc->sect_size - split_len);
++ ata_pio_xfer(qc, nth_page(page, 1), 0, count - split_len);
+ } else {
+- ata_pio_xfer(qc, page, offset, qc->sect_size);
++ ata_pio_xfer(qc, page, offset, count);
+ }
+
+- qc->curbytes += qc->sect_size;
+- qc->cursg_ofs += qc->sect_size;
++ qc->curbytes += count;
++ qc->cursg_ofs += count;
+
+ if (qc->cursg_ofs == qc->cursg->length) {
+ qc->cursg = sg_next(qc->cursg);
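Review bot: The clamp on `count` in ata_pio_sector() is silent and its comment, `/* don't overrun current sg */`, does not say when a short count can occur. The commit message describes that case: a pass-through request whose buffer is smaller than the sector the device asks for. A fuller comment would keep that context, e.g. `/* a request may supply less than sect_size bytes: never transfer more than the current sg entry holds */`. The existing `WARN_ON_ONCE(offset % 4)` checks only the offset, and once `count` can differ from `qc->sect_size` it is not established in these lines that a clamped length keeps the dword alignment the comment below asks for. The function starts and ends outside the hunk.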
--- /dev/null
+From 5278275c1758a38199b43530adfc50098f4b41c7 Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Date: Tue, 3 Dec 2024 10:19:29 +0100
+Subject: crypto: qce - fix goto jump in error path
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+commit 5278275c1758a38199b43530adfc50098f4b41c7 upstream.
+
+If qce_check_version() fails, we should jump to err_dma as we already
+called qce_dma_request() a couple lines before.
+
+Cc: stable@vger.kernel.org
+Fixes: ec8f5d8f6f76 ("crypto: qce - Qualcomm crypto engine driver")
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/qce/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/crypto/qce/core.c
++++ b/drivers/crypto/qce/core.c
+@@ -236,7 +236,7 @@ static int qce_crypto_probe(struct platf
+
+ ret = qce_check_version(qce);
+ if (ret)
+- goto err_clks;
++ goto err_dma;
+
+ spin_lock_init(&qce->lock);
+ tasklet_init(&qce->done_tasklet, qce_tasklet_req_done,
--- /dev/null
+From e80cf84b608725303113d6fe98bb727bf7b7a40d Mon Sep 17 00:00:00 2001
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Date: Tue, 3 Dec 2024 10:19:30 +0100
+Subject: crypto: qce - unregister previously registered algos in error path
+
+From: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+
+commit e80cf84b608725303113d6fe98bb727bf7b7a40d upstream.
+
+If we encounter an error when registering alorithms with the crypto
+framework, we just bail out and don't unregister the ones we
+successfully registered in prior iterations of the loop.
+
+Add code that goes back over the algos and unregisters them before
+returning an error from qce_register_algs().
+
+Cc: stable@vger.kernel.org
+Fixes: ec8f5d8f6f76 ("crypto: qce - Qualcomm crypto engine driver")
+Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
+Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/qce/core.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/crypto/qce/core.c
++++ b/drivers/crypto/qce/core.c
+@@ -48,16 +48,19 @@ static void qce_unregister_algs(struct q
+ static int qce_register_algs(struct qce_device *qce)
+ {
+ const struct qce_algo_ops *ops;
+- int i, ret = -ENODEV;
++ int i, j, ret = -ENODEV;
+
+ for (i = 0; i < ARRAY_SIZE(qce_ops); i++) {
+ ops = qce_ops[i];
+ ret = ops->register_algs(qce);
+- if (ret)
+- break;
++ if (ret) {
++ for (j = i - 1; j >= 0; j--)
++ ops->unregister_algs(qce);
++ return ret;
++ }
+ }
+
+- return ret;
++ return 0;
+ }
+
+ static int qce_handle_request(struct crypto_async_request *async_req)
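Review bot: The rollback loop added to qce_register_algs() calls `ops->unregister_algs(qce)` while `ops` still points at `qce_ops[i]`, the entry whose registration just failed. The entries registered in earlier iterations are therefore never unregistered, and the failing entry's unregister hook runs `i` times instead. The loop body should index with `j`: `qce_ops[j]->unregister_algs(qce);`. With the early `return ret` and the final `return 0`, the `-ENODEV` initialiser of `ret` is no longer returned on any path and can be dropped.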
--- /dev/null
+From b266e0d4dac00eecdfaf50ec3f708fd0c3b39637 Mon Sep 17 00:00:00 2001
+From: Frank Li <Frank.Li@nxp.com>
+Date: Wed, 8 Jan 2025 17:55:33 -0500
+Subject: i3c: master: Fix missing 'ret' assignment in set_speed()
+
+From: Frank Li <Frank.Li@nxp.com>
+
+commit b266e0d4dac00eecdfaf50ec3f708fd0c3b39637 upstream.
+
+Fix a probe failure in the i3c master driver that occurs when no i3c
+devices are connected to the bus.
+
+The issue arises in `i3c_master_bus_init()` where the `ret` value is not
+updated after calling `master->ops->set_speed()`. If no devices are
+present, `ret` remains set to `I3C_ERROR_M2`, causing the code to
+incorrectly proceed to `err_bus_cleanup`.
+
+Cc: stable@vger.kernel.org
+Fixes: aef79e189ba2 ("i3c: master: support to adjust first broadcast address speed")
+Signed-off-by: Frank Li <Frank.Li@nxp.com>
+Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Tested-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Acked-by: Mukesh Kumar Savaliya <quic_msavaliy@quicinc.com>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/r/20250108225533.915334-1-Frank.Li@nxp.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i3c/master.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i3c/master.c
++++ b/drivers/i3c/master.c
+@@ -1861,7 +1861,7 @@ static int i3c_master_bus_init(struct i3
+ goto err_bus_cleanup;
+
+ if (master->ops->set_speed) {
+- master->ops->set_speed(master, I3C_OPEN_DRAIN_NORMAL_SPEED);
++ ret = master->ops->set_speed(master, I3C_OPEN_DRAIN_NORMAL_SPEED);
+ if (ret)
+ goto err_bus_cleanup;
+ }
--- /dev/null
+From 8c8492ca64e79c6e0f433e8c9d2bcbd039ef83d0 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Thu, 30 Jan 2025 08:40:29 -0700
+Subject: io_uring/net: don't retry connect operation on EPOLLERR
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 8c8492ca64e79c6e0f433e8c9d2bcbd039ef83d0 upstream.
+
+If a socket is shutdown before the connection completes, POLLERR is set
+in the poll mask. However, connect ignores this as it doesn't know, and
+attempts the connection again. This may lead to a bogus -ETIMEDOUT
+result, where it should have noticed the POLLERR and just returned
+-ECONNRESET instead.
+
+Have the poll logic check for whether or not POLLERR is set in the mask,
+and if so, mark the request as failed. Then connect can appropriately
+fail the request rather than retry it.
+
+Reported-by: Sergey Galas <ssgalas@cloud.ru>
+Cc: stable@vger.kernel.org
+Link: https://github.com/axboe/liburing/discussions/1335
+Fixes: 3fb1bd688172 ("io_uring/net: handle -EINPROGRESS correct for IORING_OP_CONNECT")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/net.c | 5 +++++
+ io_uring/poll.c | 2 ++
+ 2 files changed, 7 insertions(+)
+
+--- a/io_uring/net.c
++++ b/io_uring/net.c
+@@ -1486,6 +1486,11 @@ int io_connect(struct io_kiocb *req, uns
+ io = &__io;
+ }
+
++ if (unlikely(req->flags & REQ_F_FAIL)) {
++ ret = -ECONNRESET;
++ goto out;
++ }
++
+ file_flags = force_nonblock ? O_NONBLOCK : 0;
+
+ ret = __sys_connect_file(req->file, &io->address,
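Review bot: The early exit added to io_connect() returns `-ECONNRESET` for any request that carries `REQ_F_FAIL`, but nothing in the code ties that flag to the `req_set_fail()` call added to io_poll_check_events() in io_uring/poll.c; the link exists only in the commit message. A comment above the check would record it, e.g. `/* poll saw EPOLLERR and marked the request failed: fail instead of retrying the connect */`. The poll.c hunk sets the flag for every request that reaches that line, not only connects, so it is worth confirming that no other opcode's retry or completion path changes behaviour because of it; that cannot be judged from the lines shown. Both functions continue outside their hunks.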
+--- a/io_uring/poll.c
++++ b/io_uring/poll.c
+@@ -288,6 +288,8 @@ static int io_poll_check_events(struct i
+ return IOU_POLL_REISSUE;
+ }
+ }
++ if (unlikely(req->cqe.res & EPOLLERR))
++ req_set_fail(req);
+ if (req->apoll_events & EPOLLONESHOT)
+ return IOU_POLL_DONE;
+ if (io_is_uring_fops(req->file))
--- /dev/null
+From 698244bbb3bfd32ddf9a0b70a12b1c7d69056497 Mon Sep 17 00:00:00 2001
+From: Nick Chan <towinchenmi@gmail.com>
+Date: Sun, 19 Jan 2025 00:31:42 +0800
+Subject: irqchip/apple-aic: Only handle PMC interrupt as FIQ when configured so
+
+From: Nick Chan <towinchenmi@gmail.com>
+
+commit 698244bbb3bfd32ddf9a0b70a12b1c7d69056497 upstream.
+
+The CPU PMU in Apple SoCs can be configured to fire its interrupt in one of
+several ways, and since Apple A11 one of the methods is FIQ, but the check
+of the configuration register fails to test explicitely for FIQ mode. It
+tests whether the IMODE bitfield is zero or not and the PMCRO_IACT bit is
+set. That results in false positives when the IMODE bitfield is not zero,
+but does not have the mode PMCR0_IMODE_FIQ.
+
+Only handle the PMC interrupt as a FIQ when the CPU PMU has been configured
+to fire FIQs, i.e. the IMODE bitfield value is PMCR0_IMODE_FIQ and
+PMCR0_IACT is set.
+
+Fixes: c7708816c944 ("irqchip/apple-aic: Wire PMU interrupts")
+Signed-off-by: Nick Chan <towinchenmi@gmail.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20250118163554.16733-1-towinchenmi@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-apple-aic.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/irqchip/irq-apple-aic.c
++++ b/drivers/irqchip/irq-apple-aic.c
+@@ -555,7 +555,8 @@ static void __exception_irq_entry aic_ha
+ AIC_FIQ_HWIRQ(AIC_TMR_EL02_VIRT));
+ }
+
+- if (read_sysreg_s(SYS_IMP_APL_PMCR0_EL1) & PMCR0_IACT) {
++ if ((read_sysreg_s(SYS_IMP_APL_PMCR0_EL1) & (PMCR0_IMODE | PMCR0_IACT)) ==
++ (FIELD_PREP(PMCR0_IMODE, PMCR0_IMODE_FIQ) | PMCR0_IACT)) {
+ int irq;
+ if (cpumask_test_cpu(smp_processor_id(),
+ &aic_irqc->fiq_aff[AIC_CPU_PMU_P]->aff))
--- /dev/null
+From 0b7f8328f988178b55ee11d772a6e1238c04d29d Mon Sep 17 00:00:00 2001
+From: Pekka Pessi <ppessi@nvidia.com>
+Date: Mon, 2 Dec 2024 15:35:59 +0530
+Subject: mailbox: tegra-hsp: Clear mailbox before using message
+
+From: Pekka Pessi <ppessi@nvidia.com>
+
+commit 0b7f8328f988178b55ee11d772a6e1238c04d29d upstream.
+
+The Tegra RCE (Camera) driver expects the mailbox to be empty before
+processing the IVC messages. On RT kernel, the threads processing the
+IVC messages (which are invoked after `mbox_chan_received_data()` is
+called) may be on a different CPU or running with a higher priority
+than the HSP interrupt handler thread. This can cause it to act on the
+message before the mailbox gets cleared in the HSP interrupt handler
+resulting in a loss of IVC notification.
+
+Fix this by clearing the mailbox data register before calling
+`mbox_chan_received_data()`.
+
+Fixes: 8f585d14030d ("mailbox: tegra-hsp: Add tegra_hsp_sm_ops")
+Fixes: 74c20dd0f892 ("mailbox: tegra-hsp: Add 128-bit shared mailbox support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Pekka Pessi <ppessi@nvidia.com>
+Signed-off-by: Kartik Rajput <kkartik@nvidia.com>
+Acked-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mailbox/tegra-hsp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/mailbox/tegra-hsp.c
++++ b/drivers/mailbox/tegra-hsp.c
+@@ -388,7 +388,6 @@ static void tegra_hsp_sm_recv32(struct t
+ value = tegra_hsp_channel_readl(channel, HSP_SM_SHRD_MBOX);
+ value &= ~HSP_SM_SHRD_MBOX_FULL;
+ msg = (void *)(unsigned long)value;
+- mbox_chan_received_data(channel->chan, msg);
+
+ /*
+ * Need to clear all bits here since some producers, such as TCU, depend
+@@ -398,6 +397,8 @@ static void tegra_hsp_sm_recv32(struct t
+ * explicitly, so we have to make sure we cover all possible cases.
+ */
+ tegra_hsp_channel_writel(channel, 0x0, HSP_SM_SHRD_MBOX);
++
++ mbox_chan_received_data(channel->chan, msg);
+ }
+
+ static const struct tegra_hsp_sm_ops tegra_hsp_sm_32bit_ops = {
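Review bot: The reason `mbox_chan_received_data()` now follows the register clear in tegra_hsp_sm_recv32() is not recorded at the call site, so a later cleanup could move it back. A comment before the call, repeated in tegra_hsp_sm_recv128(), would keep the constraint visible: `/* deliver only after the mailbox is cleared: the consumer may run at once on another CPU */`. Whether the clearing write is guaranteed to have reached the hardware before the consumer reacts depends on tegra_hsp_channel_writel(), which is outside the hunk.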
+@@ -433,7 +434,6 @@ static void tegra_hsp_sm_recv128(struct
+ value[3] = tegra_hsp_channel_readl(channel, HSP_SHRD_MBOX_TYPE1_DATA3);
+
+ msg = (void *)(unsigned long)value;
+- mbox_chan_received_data(channel->chan, msg);
+
+ /*
+ * Clear data registers and tag.
+@@ -443,6 +443,8 @@ static void tegra_hsp_sm_recv128(struct
+ tegra_hsp_channel_writel(channel, 0x0, HSP_SHRD_MBOX_TYPE1_DATA2);
+ tegra_hsp_channel_writel(channel, 0x0, HSP_SHRD_MBOX_TYPE1_DATA3);
+ tegra_hsp_channel_writel(channel, 0x0, HSP_SHRD_MBOX_TYPE1_TAG);
++
++ mbox_chan_received_data(channel->chan, msg);
+ }
+
+ static const struct tegra_hsp_sm_ops tegra_hsp_sm_128bit_ops = {
--- /dev/null
+From 637c20002dc8c347001292664055bfbf56544ec6 Mon Sep 17 00:00:00 2001
+From: Anandu Krishnan E <quic_anane@quicinc.com>
+Date: Fri, 10 Jan 2025 13:42:37 +0000
+Subject: misc: fastrpc: Deregister device nodes properly in error scenarios
+
+From: Anandu Krishnan E <quic_anane@quicinc.com>
+
+commit 637c20002dc8c347001292664055bfbf56544ec6 upstream.
+
+During fastrpc_rpmsg_probe, if secure device node registration
+succeeds but non-secure device node registration fails, the secure
+device node deregister is not called during error cleanup. Add proper
+exit paths to ensure proper cleanup in case of error.
+
+Fixes: 3abe3ab3cdab ("misc: fastrpc: add secure domain support")
+Cc: stable@kernel.org
+Signed-off-by: Anandu Krishnan E <quic_anane@quicinc.com>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20250110134239.123603-2-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/fastrpc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -2119,7 +2119,7 @@ static int fastrpc_rpmsg_probe(struct rp
+
+ err = fastrpc_device_register(rdev, data, false, domains[domain_id]);
+ if (err)
+- goto fdev_error;
++ goto populate_error;
+ break;
+ default:
+ err = -EINVAL;
--- /dev/null
+From e966eae72762ecfdbdb82627e2cda48845b9dd66 Mon Sep 17 00:00:00 2001
+From: Ekansh Gupta <quic_ekangupt@quicinc.com>
+Date: Fri, 10 Jan 2025 13:42:39 +0000
+Subject: misc: fastrpc: Fix copy buffer page size
+
+From: Ekansh Gupta <quic_ekangupt@quicinc.com>
+
+commit e966eae72762ecfdbdb82627e2cda48845b9dd66 upstream.
+
+For non-registered buffer, fastrpc driver copies the buffer and
+pass it to the remote subsystem. There is a problem with current
+implementation of page size calculation which is not considering
+the offset in the calculation. This might lead to passing of
+improper and out-of-bounds page size which could result in
+memory issue. Calculate page start and page end using the offset
+adjusted address instead of absolute address.
+
+Fixes: 02b45b47fbe8 ("misc: fastrpc: fix remote page size calculation")
+Cc: stable@kernel.org
+Signed-off-by: Ekansh Gupta <quic_ekangupt@quicinc.com>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20250110134239.123603-4-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/fastrpc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -961,8 +961,8 @@ static int fastrpc_get_args(u32 kernel,
+ (pkt_size - rlen);
+ pages[i].addr = pages[i].addr & PAGE_MASK;
+
+- pg_start = (args & PAGE_MASK) >> PAGE_SHIFT;
+- pg_end = ((args + len - 1) & PAGE_MASK) >> PAGE_SHIFT;
++ pg_start = (rpra[i].buf.pv & PAGE_MASK) >> PAGE_SHIFT;
++ pg_end = ((rpra[i].buf.pv + len - 1) & PAGE_MASK) >> PAGE_SHIFT;
+ pages[i].size = (pg_end - pg_start + 1) * PAGE_SIZE;
+ args = args + mlen;
+ rlen -= mlen;
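Review bot: The switch from `args` to `rpra[i].buf.pv` in the `pg_start`/`pg_end` computation is unexplained in the code, and the two values look interchangeable to a reader of these lines. Per the commit message the page range must be derived from the offset-adjusted address, so a comment above the two assignments would help: `/* page range of the offset-adjusted address passed to the remote side, not of the raw copy address */`. The assignment of `rpra[i].buf.pv` and any guard on `len` are outside the hunk, so the `len - 1` term is assumed to be reached only with a non-zero length; that is worth confirming.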
--- /dev/null
+From 6ca4ea1f88a06a04ed7b2c9c6bf9f00833b68214 Mon Sep 17 00:00:00 2001
+From: Ekansh Gupta <quic_ekangupt@quicinc.com>
+Date: Fri, 10 Jan 2025 13:42:38 +0000
+Subject: misc: fastrpc: Fix registered buffer page address
+
+From: Ekansh Gupta <quic_ekangupt@quicinc.com>
+
+commit 6ca4ea1f88a06a04ed7b2c9c6bf9f00833b68214 upstream.
+
+For registered buffers, fastrpc driver sends the buffer information
+to remote subsystem. There is a problem with current implementation
+where the page address is being sent with an offset leading to
+improper buffer address on DSP. This is leads to functional failures
+as DSP expects base address in page information and extracts offset
+information from remote arguments. Mask the offset and pass the base
+page address to DSP.
+
+This issue is observed is a corner case when some buffer which is registered
+with fastrpc framework is passed with some offset by user and then the DSP
+implementation tried to read the data. As DSP expects base address and takes
+care of offsetting with remote arguments, passing an offsetted address will
+result in some unexpected data read in DSP.
+
+All generic usecases usually pass the buffer as it is hence is problem is
+not usually observed. If someone tries to pass offsetted buffer and then
+tries to compare data at HLOS and DSP end, then the ambiguity will be observed.
+
+Fixes: 80f3afd72bd4 ("misc: fastrpc: consider address offset before sending to DSP")
+Cc: stable@kernel.org
+Signed-off-by: Ekansh Gupta <quic_ekangupt@quicinc.com>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20250110134239.123603-3-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/fastrpc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/fastrpc.c
++++ b/drivers/misc/fastrpc.c
+@@ -934,7 +934,7 @@ static int fastrpc_get_args(u32 kernel,
+ mmap_read_lock(current->mm);
+ vma = find_vma(current->mm, ctx->args[i].ptr);
+ if (vma)
+- pages[i].addr += ctx->args[i].ptr -
++ pages[i].addr += (ctx->args[i].ptr & PAGE_MASK) -
+ vma->vm_start;
+ mmap_read_unlock(current->mm);
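Review bot: The `if (vma)` guard does not establish that the VMA contains the pointer, because `find_vma()` returns the first VMA ending above the address and that VMA may start above `ctx->args[i].ptr` when the pointer lies in an unmapped gap. In that case `(ctx->args[i].ptr & PAGE_MASK) - vma->vm_start` wraps, and the wrapped value is added to `pages[i].addr`, which per the commit message is sent to the DSP. The guard should require containment, `if (vma && vma->vm_start <= ctx->args[i].ptr)`, or use `vma_lookup()` where the tree provides it. The gap predates this commit but sits on the changed statement; fastrpc_get_args() continues outside the hunk.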
+
--- /dev/null
+From 70a71f8151b9879b0950668ce3ad76263261fee0 Mon Sep 17 00:00:00 2001
+From: Ivan Stepchenko <sid@itb.spb.ru>
+Date: Thu, 14 Nov 2024 16:29:51 +0300
+Subject: mtd: onenand: Fix uninitialized retlen in do_otp_read()
+
+From: Ivan Stepchenko <sid@itb.spb.ru>
+
+commit 70a71f8151b9879b0950668ce3ad76263261fee0 upstream.
+
+The function do_otp_read() does not set the output parameter *retlen,
+which is expected to contain the number of bytes actually read.
+As a result, in onenand_otp_walk(), the tmp_retlen variable remains
+uninitialized after calling do_otp_walk() and used to change
+the values of the buf, len and retlen variables.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 49dc08eeda70 ("[MTD] [OneNAND] fix numerous races")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ivan Stepchenko <sid@itb.spb.ru>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/onenand/onenand_base.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mtd/nand/onenand/onenand_base.c
++++ b/drivers/mtd/nand/onenand/onenand_base.c
+@@ -2923,6 +2923,7 @@ static int do_otp_read(struct mtd_info *
+ ret = ONENAND_IS_4KB_PAGE(this) ?
+ onenand_mlc_read_ops_nolock(mtd, from, &ops) :
+ onenand_read_ops_nolock(mtd, from, &ops);
++ *retlen = ops.retlen;
+
+ /* Exit OTP access mode */
+ this->command(mtd, ONENAND_CMD_RESET, 0, 0);
--- /dev/null
+From 6bb194d036c6e1b329dcdff459338cdd9a54802a Mon Sep 17 00:00:00 2001
+From: Paul Fertser <fercerpav@gmail.com>
+Date: Thu, 16 Jan 2025 18:29:00 +0300
+Subject: net/ncsi: wait for the last response to Deselect Package before configuring channel
+
+From: Paul Fertser <fercerpav@gmail.com>
+
+commit 6bb194d036c6e1b329dcdff459338cdd9a54802a upstream.
+
+The NCSI state machine as it's currently implemented assumes that
+transition to the next logical state is performed either explicitly by
+calling `schedule_work(&ndp->work)` to re-queue itself or implicitly
+after processing the predefined (ndp->pending_req_num) number of
+replies. Thus to avoid the configuration FSM from advancing prematurely
+and getting out of sync with the process it's essential to not skip
+waiting for a reply.
+
+This patch makes the code wait for reception of the Deselect Package
+response for the last package probed before proceeding to channel
+configuration.
+
+Thanks go to Potin Lai and Cosmo Chou for the initial investigation and
+testing.
+
+Fixes: 8e13f70be05e ("net/ncsi: Probe single packages to avoid conflict")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paul Fertser <fercerpav@gmail.com>
+Link: https://patch.msgid.link/20250116152900.8656-1-fercerpav@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ncsi/ncsi-manage.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/net/ncsi/ncsi-manage.c
++++ b/net/ncsi/ncsi-manage.c
+@@ -1385,6 +1385,12 @@ static void ncsi_probe_channel(struct nc
+ nd->state = ncsi_dev_state_probe_package;
+ break;
+ case ncsi_dev_state_probe_package:
++ if (ndp->package_probe_id >= 8) {
++ /* Last package probed, finishing */
++ ndp->flags |= NCSI_DEV_PROBED;
++ break;
++ }
++
+ ndp->pending_req_num = 1;
+
+ nca.type = NCSI_PKT_CMD_SP;
+@@ -1501,13 +1507,8 @@ static void ncsi_probe_channel(struct nc
+ if (ret)
+ goto error;
+
+- /* Probe next package */
++ /* Probe next package after receiving response */
+ ndp->package_probe_id++;
+- if (ndp->package_probe_id >= 8) {
+- /* Probe finished */
+- ndp->flags |= NCSI_DEV_PROBED;
+- break;
+- }
+ nd->state = ncsi_dev_state_probe_package;
+ ndp->active_package = NULL;
+ break;
--- /dev/null
+From bd1bbab717608757cccbbe08b0d46e6c3ed0ced5 Mon Sep 17 00:00:00 2001
+From: Milos Reljin <milos_reljin@outlook.com>
+Date: Fri, 24 Jan 2025 10:41:02 +0000
+Subject: net: phy: c45-tjaxx: add delay between MDIO write and read in soft_reset
+
+From: Milos Reljin <milos_reljin@outlook.com>
+
+commit bd1bbab717608757cccbbe08b0d46e6c3ed0ced5 upstream.
+
+In application note (AN13663) for TJA1120, on page 30, there's a figure
+with average PHY startup timing values following software reset.
+The time it takes for SMI to become operational after software reset
+ranges roughly from 500 us to 1500 us.
+
+This commit adds 2000 us delay after MDIO write which triggers software
+reset. Without this delay, soft_reset function returns an error and
+prevents successful PHY init.
+
+Cc: stable@vger.kernel.org
+Fixes: b050f2f15e04 ("phy: nxp-c45: add driver for tja1103")
+Signed-off-by: Milos Reljin <milos_reljin@outlook.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://patch.msgid.link/AM8P250MB0124D258E5A71041AF2CC322E1E32@AM8P250MB0124.EURP250.PROD.OUTLOOK.COM
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/nxp-c45-tja11xx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/phy/nxp-c45-tja11xx.c
++++ b/drivers/net/phy/nxp-c45-tja11xx.c
+@@ -937,6 +937,8 @@ static int nxp_c45_soft_reset(struct phy
+ if (ret)
+ return ret;
+
++ usleep_range(2000, 2050);
++
+ return phy_read_mmd_poll_timeout(phydev, MDIO_MMD_VEND1,
+ VEND1_DEVICE_CONTROL, ret,
+ !(ret & DEVICE_CONTROL_RESET), 20000,
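Review bot: The `usleep_range(2000, 2050)` added to nxp_c45_soft_reset() uses bare numbers whose origin is only in the commit message. A comment would keep the rationale next to the code, e.g. `/* SMI takes roughly 500-1500 us to become operational after soft reset (AN13663); wait 2 ms before polling */`. The function starts outside the hunk.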
--- /dev/null
+From 110b43ef05342d5a11284cc8b21582b698b4ef1c Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Fri, 17 Jan 2025 12:38:41 +0300
+Subject: NFC: nci: Add bounds checking in nci_hci_create_pipe()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit 110b43ef05342d5a11284cc8b21582b698b4ef1c upstream.
+
+The "pipe" variable is a u8 which comes from the network. If it's more
+than 127, then it results in memory corruption in the caller,
+nci_hci_connect_gate().
+
+Cc: stable@vger.kernel.org
+Fixes: a1b0b9415817 ("NFC: nci: Create pipe on specific gate in nci_hci_connect_gate")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Link: https://patch.msgid.link/bcf5453b-7204-4297-9c20-4d8c7dacf586@stanley.mountain
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/nci/hci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/nfc/nci/hci.c
++++ b/net/nfc/nci/hci.c
+@@ -540,6 +540,8 @@ static u8 nci_hci_create_pipe(struct nci
+
+ pr_debug("pipe created=%d\n", pipe);
+
++ if (pipe >= NCI_HCI_MAX_PIPES)
++ pipe = NCI_HCI_INVALID_PIPE;
+ return pipe;
+ }
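Review bot: The new bounds check maps an out-of-range pipe to `NCI_HCI_INVALID_PIPE`, so it prevents the memory corruption described in the commit message only if nci_hci_connect_gate() tests for that value before using the result as an index. The caller is outside the hunk and should be confirmed. A short comment would also mark the trust boundary at the check: `/* pipe comes from the remote side: never return a value the caller cannot use as an index */`. The body of nci_hci_create_pipe() starts outside the hunk.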
+
--- /dev/null
+From 6438ef381c183444f7f9d1de18f22661cba1e946 Mon Sep 17 00:00:00 2001
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Date: Sat, 25 Jan 2025 07:20:53 +0900
+Subject: nilfs2: fix possible int overflows in nilfs_fiemap()
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+commit 6438ef381c183444f7f9d1de18f22661cba1e946 upstream.
+
+Since nilfs_bmap_lookup_contig() in nilfs_fiemap() calculates its result
+by being prepared to go through potentially maxblocks == INT_MAX blocks,
+the value in n may experience an overflow caused by left shift of blkbits.
+
+While it is extremely unlikely to occur, play it safe and cast right hand
+expression to wider type to mitigate the issue.
+
+Found by Linux Verification Center (linuxtesting.org) with static analysis
+tool SVACE.
+
+Link: https://lkml.kernel.org/r/20250124222133.5323-1-konishi.ryusuke@gmail.com
+Fixes: 622daaff0a89 ("nilfs2: fiemap support")
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nilfs2/inode.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/nilfs2/inode.c
++++ b/fs/nilfs2/inode.c
+@@ -1267,7 +1267,7 @@ int nilfs_fiemap(struct inode *inode, st
+ if (size) {
+ if (phys && blkphy << blkbits == phys + size) {
+ /* The current extent goes on */
+- size += n << blkbits;
++ size += (u64)n << blkbits;
+ } else {
+ /* Terminate the current extent */
+ ret = fiemap_fill_next_extent(
+@@ -1280,14 +1280,14 @@ int nilfs_fiemap(struct inode *inode, st
+ flags = FIEMAP_EXTENT_MERGED;
+ logical = blkoff << blkbits;
+ phys = blkphy << blkbits;
+- size = n << blkbits;
++ size = (u64)n << blkbits;
+ }
+ } else {
+ /* Start a new extent */
+ flags = FIEMAP_EXTENT_MERGED;
+ logical = blkoff << blkbits;
+ phys = blkphy << blkbits;
+- size = n << blkbits;
++ size = (u64)n << blkbits;
+ }
+ blkoff += n;
+ }
--- /dev/null
+From 31507fc2ad36e0071751a710449db19c85d82a7f Mon Sep 17 00:00:00 2001
+From: Jennifer Berringer <jberring@redhat.com>
+Date: Mon, 30 Dec 2024 14:19:01 +0000
+Subject: nvmem: core: improve range check for nvmem_cell_write()
+
+From: Jennifer Berringer <jberring@redhat.com>
+
+commit 31507fc2ad36e0071751a710449db19c85d82a7f upstream.
+
+When __nvmem_cell_entry_write() is called for an nvmem cell that does
+not need bit shifting, it requires that the len parameter exactly
+matches the nvmem cell size. However, when the nvmem cell has a nonzero
+bit_offset, it was skipping this check.
+
+Accepting values of len larger than the cell size results in
+nvmem_cell_prepare_write_buffer() trying to write past the end of a heap
+buffer that it allocates. Add a check to avoid that problem and instead
+return -EINVAL when len doesn't match the number of bits expected by the
+nvmem cell when bit_offset is nonzero.
+
+This check uses cell->nbits in order to allow providing the smaller size
+to cells that are shifted into another byte by bit_offset. For example,
+a cell with nbits=8 and nonzero bit_offset would have bytes=2 but should
+accept a 1-byte write here, although no current callers depend on this.
+
+Fixes: 69aba7948cbe ("nvmem: Add a simple NVMEM framework for consumers")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jennifer Berringer <jberring@redhat.com>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20241230141901.263976-7-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvmem/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/nvmem/core.c
++++ b/drivers/nvmem/core.c
+@@ -1532,6 +1532,8 @@ static int __nvmem_cell_entry_write(stru
+ return -EINVAL;
+
+ if (cell->bit_offset || cell->nbits) {
++ if (len != BITS_TO_BYTES(cell->nbits) && len != cell->bytes)
++ return -EINVAL;
+ buf = nvmem_cell_prepare_write_buffer(cell, buf, len);
+ if (IS_ERR(buf))
+ return PTR_ERR(buf);
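Review bot: The added check in __nvmem_cell_entry_write() accepts two different lengths and the code does not say why, so the `BITS_TO_BYTES(cell->nbits)` alternative looks like an accident. The commit message gives the reason, and it belongs in a comment above the check: `/* accept the full cell size, or the smaller size implied by nbits for cells shifted into an extra byte by bit_offset */`. The branch is also entered when only `cell->bit_offset` is non-zero, so if `cell->nbits` can be zero there, a zero `len` would pass the check. Whether that combination can occur is decided outside the hunk.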
--- /dev/null
+From e88f516ea417c71bb3702603ac6af9e95338cfa6 Mon Sep 17 00:00:00 2001
+From: Luca Weiss <luca.weiss@fairphone.com>
+Date: Mon, 30 Dec 2024 14:19:00 +0000
+Subject: nvmem: qcom-spmi-sdam: Set size in struct nvmem_config
+
+From: Luca Weiss <luca.weiss@fairphone.com>
+
+commit e88f516ea417c71bb3702603ac6af9e95338cfa6 upstream.
+
+Let the nvmem core know what size the SDAM is, most notably this fixes
+the size of /sys/bus/nvmem/devices/spmi_sdam*/nvmem being '0' and makes
+user space work with that file.
+
+ ~ # hexdump -C -s 64 /sys/bus/nvmem/devices/spmi_sdam2/nvmem
+ 00000040 02 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 |................|
+ 00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
+ *
+ 00000080
+
+Fixes: 40ce9798794f ("nvmem: add QTI SDAM driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Luca Weiss <luca.weiss@fairphone.com>
+Reviewed-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20241230141901.263976-6-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvmem/qcom-spmi-sdam.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/nvmem/qcom-spmi-sdam.c
++++ b/drivers/nvmem/qcom-spmi-sdam.c
+@@ -143,6 +143,7 @@ static int sdam_probe(struct platform_de
+ sdam->sdam_config.id = NVMEM_DEVID_AUTO;
+ sdam->sdam_config.owner = THIS_MODULE;
+ sdam->sdam_config.stride = 1;
++ sdam->sdam_config.size = sdam->size;
+ sdam->sdam_config.word_size = 1;
+ sdam->sdam_config.reg_read = sdam_read;
+ sdam->sdam_config.reg_write = sdam_write;
--- /dev/null
+From f921da2c34692dfec5f72b5ae347b1bea22bb369 Mon Sep 17 00:00:00 2001
+From: Heming Zhao <heming.zhao@suse.com>
+Date: Tue, 21 Jan 2025 19:22:03 +0800
+Subject: ocfs2: fix incorrect CPU endianness conversion causing mount failure
+
+From: Heming Zhao <heming.zhao@suse.com>
+
+commit f921da2c34692dfec5f72b5ae347b1bea22bb369 upstream.
+
+Commit 23aab037106d ("ocfs2: fix UBSAN warning in ocfs2_verify_volume()")
+introduced a regression bug. The blksz_bits value is already converted to
+CPU endian in the previous code; therefore, the code shouldn't use
+le32_to_cpu() anymore.
+
+Link: https://lkml.kernel.org/r/20250121112204.12834-1-heming.zhao@suse.com
+Fixes: 23aab037106d ("ocfs2: fix UBSAN warning in ocfs2_verify_volume()")
+Signed-off-by: Heming Zhao <heming.zhao@suse.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/super.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ocfs2/super.c
++++ b/fs/ocfs2/super.c
+@@ -2342,7 +2342,7 @@ static int ocfs2_verify_volume(struct oc
+ mlog(ML_ERROR, "found superblock with incorrect block "
+ "size bits: found %u, should be 9, 10, 11, or 12\n",
+ blksz_bits);
+- } else if ((1 << le32_to_cpu(blksz_bits)) != blksz) {
++ } else if ((1 << blksz_bits) != blksz) {
+ mlog(ML_ERROR, "found superblock with incorrect block "
+ "size: found %u, should be %u\n", 1 << blksz_bits, blksz);
+ } else if (le16_to_cpu(di->id2.i_super.s_major_rev_level) !=
--- /dev/null
+From 2b4c2094da6d84e69b843dd3317902e977bf64bd Mon Sep 17 00:00:00 2001
+From: "Matthew Wilcox (Oracle)" <willy@infradead.org>
+Date: Thu, 5 Dec 2024 17:16:29 +0000
+Subject: ocfs2: handle a symlink read error correctly
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+commit 2b4c2094da6d84e69b843dd3317902e977bf64bd upstream.
+
+Patch series "Convert ocfs2 to use folios".
+
+Mark did a conversion of ocfs2 to use folios and sent it to me as a
+giant patch for review ;-)
+
+So I've redone it as individual patches, and credited Mark for the patches
+where his code is substantially the same. It's not a bad way to do it;
+his patch had some bugs and my patches had some bugs. Hopefully all our
+bugs were different from each other. And hopefully Mark likes all the
+changes I made to his code!
+
+
+This patch (of 23):
+
+If we can't read the buffer, be sure to unlock the page before returning.
+
+Link: https://lkml.kernel.org/r/20241205171653.3179945-1-willy@infradead.org
+Link: https://lkml.kernel.org/r/20241205171653.3179945-2-willy@infradead.org
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: Mark Tinguely <mark.tinguely@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/symlink.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/ocfs2/symlink.c
++++ b/fs/ocfs2/symlink.c
+@@ -65,7 +65,7 @@ static int ocfs2_fast_symlink_read_folio
+
+ if (status < 0) {
+ mlog_errno(status);
+- return status;
++ goto out;
+ }
+
+ fe = (struct ocfs2_dinode *) bh->b_data;
+@@ -76,9 +76,10 @@ static int ocfs2_fast_symlink_read_folio
+ memcpy(kaddr, link, len + 1);
+ kunmap_atomic(kaddr);
+ SetPageUptodate(page);
++out:
+ unlock_page(page);
+ brelse(bh);
+- return 0;
++ return status;
+ }
+
+ const struct address_space_operations ocfs2_fast_symlink_aops = {
--- /dev/null
+From 459915f55509f4bfd6076daa1428e28490ddee3b Mon Sep 17 00:00:00 2001
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Date: Wed, 6 Nov 2024 23:04:39 +0100
+Subject: pinctrl: samsung: fix fwnode refcount cleanup if platform_get_irq_optional() fails
+
+From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+
+commit 459915f55509f4bfd6076daa1428e28490ddee3b upstream.
+
+Commit 50ebd19e3585 ("pinctrl: samsung: drop pin banks references on
+error paths") fixed the pin bank references on the error paths of the
+probe function, but there is still an error path where this is not done.
+
+If samsung_pinctrl_get_soc_data() does not fail, the child references
+will have acquired, and they will need to be released in the error path
+of platform_get_irq_optional(), as it is done in the following error
+paths within the probe function.
+
+Replace the direct return in the error path with a goto instruction to
+the cleanup function.
+
+Cc: stable@vger.kernel.org
+Fixes: a382d568f144 ("pinctrl: samsung: Use platform_get_irq_optional() to get the interrupt")
+Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
+Link: https://lore.kernel.org/r/20241106-samsung-pinctrl-put-v1-1-de854e26dd03@gmail.com
+[krzysztof: change Fixes SHA to point to commit introducing the return
+ leading to OF node leak]
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/samsung/pinctrl-samsung.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/samsung/pinctrl-samsung.c
++++ b/drivers/pinctrl/samsung/pinctrl-samsung.c
+@@ -1149,7 +1149,7 @@ static int samsung_pinctrl_probe(struct
+
+ ret = platform_get_irq_optional(pdev, 0);
+ if (ret < 0 && ret != -ENXIO)
+- return ret;
++ goto err_put_banks;
+ if (ret > 0)
+ drvdata->irq = ret;
+
--- /dev/null
+From eb3fabde15bccdf34f1c9b35a83aa4c0dacbb4ca Mon Sep 17 00:00:00 2001
+From: Mike Snitzer <snitzer@kernel.org>
+Date: Thu, 16 Jan 2025 20:05:39 -0500
+Subject: pnfs/flexfiles: retry getting layout segment for reads
+
+From: Mike Snitzer <snitzer@kernel.org>
+
+commit eb3fabde15bccdf34f1c9b35a83aa4c0dacbb4ca upstream.
+
+If ff_layout_pg_get_read()'s attempt to get a layout segment results
+in -EAGAIN have ff_layout_pg_init_read() retry it after sleeping.
+
+If "softerr" mount is used, use 'io_maxretrans' to limit the number of
+attempts to get a layout segment.
+
+This fixes a long-standing issue of O_DIRECT reads failing with
+-EAGAIN (11) when using flexfiles Client Side Mirroring (CSM).
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfs/flexfilelayout/flexfilelayout.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+--- a/fs/nfs/flexfilelayout/flexfilelayout.c
++++ b/fs/nfs/flexfilelayout/flexfilelayout.c
+@@ -839,6 +839,9 @@ ff_layout_pg_init_read(struct nfs_pageio
+ struct nfs4_pnfs_ds *ds;
+ u32 ds_idx;
+
++ if (NFS_SERVER(pgio->pg_inode)->flags &
++ (NFS_MOUNT_SOFT|NFS_MOUNT_SOFTERR))
++ pgio->pg_maxretrans = io_maxretrans;
+ retry:
+ ff_layout_pg_check_layout(pgio, req);
+ /* Use full layout for now */
+@@ -852,6 +855,8 @@ retry:
+ if (!pgio->pg_lseg)
+ goto out_nolseg;
+ }
++ /* Reset wb_nio, since getting layout segment was successful */
++ req->wb_nio = 0;
+
+ ds = ff_layout_get_ds_for_read(pgio, &ds_idx);
+ if (!ds) {
+@@ -868,14 +873,24 @@ retry:
+ pgm->pg_bsize = mirror->mirror_ds->ds_versions[0].rsize;
+
+ pgio->pg_mirror_idx = ds_idx;
+-
+- if (NFS_SERVER(pgio->pg_inode)->flags &
+- (NFS_MOUNT_SOFT|NFS_MOUNT_SOFTERR))
+- pgio->pg_maxretrans = io_maxretrans;
+ return;
+ out_nolseg:
+- if (pgio->pg_error < 0)
+- return;
++ if (pgio->pg_error < 0) {
++ if (pgio->pg_error != -EAGAIN)
++ return;
++ /* Retry getting layout segment if lower layer returned -EAGAIN */
++ if (pgio->pg_maxretrans && req->wb_nio++ > pgio->pg_maxretrans) {
++ if (NFS_SERVER(pgio->pg_inode)->flags & NFS_MOUNT_SOFTERR)
++ pgio->pg_error = -ETIMEDOUT;
++ else
++ pgio->pg_error = -EIO;
++ return;
++ }
++ pgio->pg_error = 0;
++ /* Sleep for 1 second before retrying */
++ ssleep(1);
++ goto retry;
++ }
+ out_mds:
+ trace_pnfs_mds_fallback_pg_init_read(pgio->pg_inode,
+ 0, NFS4_MAX_UINT64, IOMODE_READ,
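Review bot: The -EAGAIN branch under `out_nolseg:` has no upper bound when `pgio->pg_maxretrans` is zero, which from the first hunk is the case for any mount without NFS_MOUNT_SOFT or NFS_MOUNT_SOFTERR, so a layout source that keeps returning -EAGAIN leaves the caller cycling through `ssleep(1)` and `goto retry` indefinitely. `ssleep()` is an uninterruptible sleep, so the task cannot be killed while it waits. Consider bailing out before the sleep when a fatal signal is pending, e.g. `if (fatal_signal_pending(current)) { pgio->pg_error = -EINTR; return; }` (error code to be chosen by the maintainers), or add a comment stating that an unbounded wait is intended for hard mounts. ff_layout_pg_init_read() starts and ends outside these hunks, so whether another exit exists cannot be confirmed from here.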
--- /dev/null
+From fd53aa40e65f518453115b6f56183b0c201db26b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= <linux@weissschuh.net>
+Date: Thu, 23 Jan 2025 08:22:40 +0100
+Subject: ptp: Ensure info->enable callback is always set
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Thomas Weißschuh <linux@weissschuh.net>
+
+commit fd53aa40e65f518453115b6f56183b0c201db26b upstream.
+
+The ioctl and sysfs handlers unconditionally call the ->enable callback.
+Not all drivers implement that callback, leading to NULL dereferences.
+Example of affected drivers: ptp_s390.c, ptp_vclock.c and ptp_mock.c.
+
+Instead use a dummy callback if no better was specified by the driver.
+
+Fixes: d94ba80ebbea ("ptp: Added a brand new class driver for ptp clocks.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
+Acked-by: Richard Cochran <richardcochran@gmail.com>
+Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Link: https://patch.msgid.link/20250123-ptp-enable-v1-1-b015834d3a47@weissschuh.net
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ptp/ptp_clock.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/ptp/ptp_clock.c
++++ b/drivers/ptp/ptp_clock.c
+@@ -188,6 +188,11 @@ static int ptp_getcycles64(struct ptp_cl
+ return info->gettime64(info, ts);
+ }
+
++static int ptp_enable(struct ptp_clock_info *ptp, struct ptp_clock_request *request, int on)
++{
++ return -EOPNOTSUPP;
++}
++
+ static void ptp_aux_kworker(struct kthread_work *work)
+ {
+ struct ptp_clock *ptp = container_of(work, struct ptp_clock,
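Review bot: The new ptp_enable() stub carries no comment saying why it exists, and its name reads like the real enable path rather than a fallback. A short comment above it would help the next reader, e.g. `/* Default ->enable for drivers that supply none, so ioctl and sysfs callers get -EOPNOTSUPP instead of calling a NULL pointer. */`. The signature line is also noticeably longer than the surrounding code and could be wrapped after the first parameter.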
+@@ -250,6 +255,9 @@ struct ptp_clock *ptp_clock_register(str
+ ptp->info->getcrosscycles = ptp->info->getcrosststamp;
+ }
+
++ if (!ptp->info->enable)
++ ptp->info->enable = ptp_enable;
++
+ if (ptp->info->do_aux_work) {
+ kthread_init_delayed_work(&ptp->aux_work, ptp_aux_kworker);
+ ptp->kworker = kthread_create_worker(0, "ptp%d", ptp->index);
--- /dev/null
+From 2a388ff22d2cbfc5cbd628ef085bdcd3b7dc64f5 Mon Sep 17 00:00:00 2001
+From: Michal Simek <michal.simek@amd.com>
+Date: Wed, 27 Nov 2024 17:01:22 +0100
+Subject: rtc: zynqmp: Fix optional clock name property
+
+From: Michal Simek <michal.simek@amd.com>
+
+commit 2a388ff22d2cbfc5cbd628ef085bdcd3b7dc64f5 upstream.
+
+Clock description in DT binding introduced by commit f69060c14431
+("dt-bindings: rtc: zynqmp: Add clock information") is talking about "rtc"
+clock name but driver is checking "rtc_clk" name instead.
+Because clock is optional property likely in was never handled properly by
+the driver.
+
+Fixes: 07dcc6f9c762 ("rtc: zynqmp: Add calibration set and get support")
+Signed-off-by: Michal Simek <michal.simek@amd.com>
+Cc: stable@kernel.org
+Reviewed-by: Peter Korsgaard <peter@korsgaard.com>
+Link: https://lore.kernel.org/r/cd5f0c9d01ec1f5a240e37a7e0d85b8dacb3a869.1732723280.git.michal.simek@amd.com
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rtc/rtc-zynqmp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/rtc/rtc-zynqmp.c b/drivers/rtc/rtc-zynqmp.c
+index 625f708a7caf..f39102b66eac 100644
+--- a/drivers/rtc/rtc-zynqmp.c
++++ b/drivers/rtc/rtc-zynqmp.c
+@@ -318,8 +318,8 @@ static int xlnx_rtc_probe(struct platform_device *pdev)
+ return ret;
+ }
+
+- /* Getting the rtc_clk info */
+- xrtcdev->rtc_clk = devm_clk_get_optional(&pdev->dev, "rtc_clk");
++ /* Getting the rtc info */
++ xrtcdev->rtc_clk = devm_clk_get_optional(&pdev->dev, "rtc");
+ if (IS_ERR(xrtcdev->rtc_clk)) {
+ if (PTR_ERR(xrtcdev->rtc_clk) != -EPROBE_DEFER)
+ dev_warn(&pdev->dev, "Device clock not found.\n");
+--
+2.48.1
+
--- /dev/null
+From e879b5dcf8d044f3865a32d95cc5b213f314c54f Mon Sep 17 00:00:00 2001
+From: Tomas Glozar <tglozar@redhat.com>
+Date: Thu, 16 Jan 2025 15:49:27 +0100
+Subject: rtla: Add trace_instance_stop
+
+From: Tomas Glozar <tglozar@redhat.com>
+
+commit e879b5dcf8d044f3865a32d95cc5b213f314c54f upstream.
+
+Support not only turning trace on for the timerlat tracer, but also
+turning it off.
+
+This will be used in subsequent patches to stop the timerlat tracer
+without also wiping the trace buffer.
+
+Cc: stable@vger.kernel.org
+Cc: John Kacur <jkacur@redhat.com>
+Cc: Luis Goncalves <lgoncalv@redhat.com>
+Cc: Gabriele Monaco <gmonaco@redhat.com>
+Link: https://lore.kernel.org/20250116144931.649593-2-tglozar@redhat.com
+Signed-off-by: Tomas Glozar <tglozar@redhat.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/tracing/rtla/src/trace.c | 8 ++++++++
+ tools/tracing/rtla/src/trace.h | 1 +
+ 2 files changed, 9 insertions(+)
+
+--- a/tools/tracing/rtla/src/trace.c
++++ b/tools/tracing/rtla/src/trace.c
+@@ -197,6 +197,14 @@ int trace_instance_start(struct trace_in
+ }
+
+ /*
++ * trace_instance_stop - stop tracing a given rtla instance
++ */
++int trace_instance_stop(struct trace_instance *trace)
++{
++ return tracefs_trace_off(trace->inst);
++}
++
++/*
+ * trace_events_free - free a list of trace events
+ */
+ static void trace_events_free(struct trace_events *events)
+--- a/tools/tracing/rtla/src/trace.h
++++ b/tools/tracing/rtla/src/trace.h
+@@ -21,6 +21,7 @@ struct trace_instance {
+
+ int trace_instance_init(struct trace_instance *trace, char *tool_name);
+ int trace_instance_start(struct trace_instance *trace);
++int trace_instance_stop(struct trace_instance *trace);
+ void trace_instance_destroy(struct trace_instance *trace);
+
+ struct trace_seq *get_trace_seq(void);
--- /dev/null
+From 80d3ba1cf51bfbbb3b098434f2b2c95cd7c0ae5c Mon Sep 17 00:00:00 2001
+From: Tomas Glozar <tglozar@redhat.com>
+Date: Tue, 7 Jan 2025 15:48:21 +0100
+Subject: rtla/osnoise: Distinguish missing workload option
+
+From: Tomas Glozar <tglozar@redhat.com>
+
+commit 80d3ba1cf51bfbbb3b098434f2b2c95cd7c0ae5c upstream.
+
+osnoise_set_workload returns -1 for both missing OSNOISE_WORKLOAD option
+and failure in setting the option.
+
+Return -1 for missing and -2 for failure to distinguish them.
+
+Cc: stable@vger.kernel.org
+Cc: John Kacur <jkacur@redhat.com>
+Cc: Luis Goncalves <lgoncalv@redhat.com>
+Link: https://lore.kernel.org/20250107144823.239782-2-tglozar@redhat.com
+Signed-off-by: Tomas Glozar <tglozar@redhat.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/tracing/rtla/src/osnoise.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/tracing/rtla/src/osnoise.c
++++ b/tools/tracing/rtla/src/osnoise.c
+@@ -693,7 +693,7 @@ int osnoise_set_tracing_thresh(struct os
+
+ retval = osnoise_write_ll_config("tracing_thresh", tracing_thresh);
+ if (retval < 0)
+- return -1;
++ return -2;
+
+ context->tracing_thresh = tracing_thresh;
+
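Review bot: The `return -2` lands in osnoise_set_tracing_thresh(), on the failure of `osnoise_write_ll_config("tracing_thresh", tracing_thresh)`, while the commit message describes the change as belonging to osnoise_set_workload(). This looks like the hunk matched the wrong function during backporting, which would leave osnoise_set_workload() still returning -1 for both the missing-option and the write-failure case, and would change the error value of an unrelated setter. The hunk should be re-targeted at the failure return in osnoise_set_workload(), with this line kept as `return -1;`. Both function bodies extend outside the hunk, so callers that compare the result against -1 could not be checked here.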
--- /dev/null
+From c73cab9dbed04d8f65ca69177b4b21ed3e09dfa7 Mon Sep 17 00:00:00 2001
+From: Tomas Glozar <tglozar@redhat.com>
+Date: Thu, 16 Jan 2025 15:49:28 +0100
+Subject: rtla/timerlat_hist: Stop timerlat tracer on signal
+
+From: Tomas Glozar <tglozar@redhat.com>
+
+commit c73cab9dbed04d8f65ca69177b4b21ed3e09dfa7 upstream.
+
+Currently, when either SIGINT from the user or SIGALRM from the duration
+timer is caught by rtla-timerlat, stop_tracing is set to break out of
+the main loop. This is not sufficient for cases where the timerlat
+tracer is producing more data than rtla can consume, since in that case,
+rtla is looping indefinitely inside tracefs_iterate_raw_events, never
+reaches the check of stop_tracing and hangs.
+
+In addition to setting stop_tracing, also stop the timerlat tracer on
+received signal (SIGINT or SIGALRM). This will stop new samples so that
+the existing samples may be processed and tracefs_iterate_raw_events
+eventually exits.
+
+Cc: stable@vger.kernel.org
+Cc: John Kacur <jkacur@redhat.com>
+Cc: Luis Goncalves <lgoncalv@redhat.com>
+Cc: Gabriele Monaco <gmonaco@redhat.com>
+Link: https://lore.kernel.org/20250116144931.649593-3-tglozar@redhat.com
+Fixes: 1eeb6328e8b3 ("rtla/timerlat: Add timerlat hist mode")
+Signed-off-by: Tomas Glozar <tglozar@redhat.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/tracing/rtla/src/timerlat_hist.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/tools/tracing/rtla/src/timerlat_hist.c
++++ b/tools/tracing/rtla/src/timerlat_hist.c
+@@ -783,9 +783,12 @@ out_err:
+ }
+
+ static int stop_tracing;
++static struct trace_instance *hist_inst = NULL;
+ static void stop_hist(int sig)
+ {
+ stop_tracing = 1;
++ if (hist_inst)
++ trace_instance_stop(hist_inst);
+ }
+
+ /*
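Review bot: stop_hist() is a signal handler, and it now calls `trace_instance_stop(hist_inst)`, which per the trace.c patch in this series is a thin wrapper around `tracefs_trace_off()`; whether that library call is async-signal-safe is not visible here. If it allocates, takes a lock or uses stdio, a SIGINT or SIGALRM that interrupts the main loop inside libtracefs could deadlock or corrupt state, which would reintroduce the hang the change is meant to remove. At minimum the assumption should be documented above the handler, e.g. `/* Signal context: trace_instance_stop() must remain async-signal-safe. */`. The same applies to stop_top() and `top_inst` in the timerlat_top.c patch.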
+@@ -828,6 +831,12 @@ int timerlat_hist_main(int argc, char *a
+ }
+
+ trace = &tool->trace;
++ /*
++ * Save trace instance into global variable so that SIGINT can stop
++ * the timerlat tracer.
++ * Otherwise, rtla could loop indefinitely when overloaded.
++ */
++ hist_inst = trace;
+
+ retval = enable_timerlat(trace);
+ if (retval) {
+@@ -894,7 +903,7 @@ int timerlat_hist_main(int argc, char *a
+
+ return_value = 0;
+
+- if (trace_is_off(&tool->trace, &record->trace)) {
++ if (trace_is_off(&tool->trace, &record->trace) && !stop_tracing) {
+ printf("rtla timerlat hit stop tracing\n");
+ if (params->trace_output) {
+ printf(" Saving trace to %s\n", params->trace_output);
--- /dev/null
+From a4dfce7559d75430c464294ddee554be2a413c4a Mon Sep 17 00:00:00 2001
+From: Tomas Glozar <tglozar@redhat.com>
+Date: Thu, 16 Jan 2025 15:49:29 +0100
+Subject: rtla/timerlat_top: Stop timerlat tracer on signal
+
+From: Tomas Glozar <tglozar@redhat.com>
+
+commit a4dfce7559d75430c464294ddee554be2a413c4a upstream.
+
+Currently, when either SIGINT from the user or SIGALRM from the duration
+timer is caught by rtla-timerlat, stop_tracing is set to break out of
+the main loop. This is not sufficient for cases where the timerlat
+tracer is producing more data than rtla can consume, since in that case,
+rtla is looping indefinitely inside tracefs_iterate_raw_events, never
+reaches the check of stop_tracing and hangs.
+
+In addition to setting stop_tracing, also stop the timerlat tracer on
+received signal (SIGINT or SIGALRM). This will stop new samples so that
+the existing samples may be processed and tracefs_iterate_raw_events
+eventually exits.
+
+Cc: stable@vger.kernel.org
+Cc: John Kacur <jkacur@redhat.com>
+Cc: Luis Goncalves <lgoncalv@redhat.com>
+Cc: Gabriele Monaco <gmonaco@redhat.com>
+Link: https://lore.kernel.org/20250116144931.649593-4-tglozar@redhat.com
+Fixes: a828cd18bc4a ("rtla: Add timerlat tool and timelart top mode")
+Signed-off-by: Tomas Glozar <tglozar@redhat.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/tracing/rtla/src/timerlat_top.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/tools/tracing/rtla/src/timerlat_top.c
++++ b/tools/tracing/rtla/src/timerlat_top.c
+@@ -575,9 +575,12 @@ out_err:
+ }
+
+ static int stop_tracing;
++static struct trace_instance *top_inst = NULL;
+ static void stop_top(int sig)
+ {
+ stop_tracing = 1;
++ if (top_inst)
++ trace_instance_stop(top_inst);
+ }
+
+ /*
+@@ -620,6 +623,13 @@ int timerlat_top_main(int argc, char *ar
+ }
+
+ trace = &top->trace;
++ /*
++ * Save trace instance into global variable so that SIGINT can stop
++ * the timerlat tracer.
++ * Otherwise, rtla could loop indefinitely when overloaded.
++ */
++ top_inst = trace;
++
+
+ retval = enable_timerlat(trace);
+ if (retval) {
+@@ -690,7 +700,7 @@ int timerlat_top_main(int argc, char *ar
+
+ return_value = 0;
+
+- if (trace_is_off(&top->trace, &record->trace)) {
++ if (trace_is_off(&top->trace, &record->trace) && !stop_tracing) {
+ printf("rtla timerlat hit stop tracing\n");
+ if (params->trace_output) {
+ printf(" Saving trace to %s\n", params->trace_output);
--- /dev/null
+From 5368a67307b3b2c347dc8965ac55b888be665934 Mon Sep 17 00:00:00 2001
+From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
+Date: Tue, 4 Feb 2025 23:19:53 +0100
+Subject: selftests: mptcp: connect: -f: no reconnect
+
+From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+
+commit 5368a67307b3b2c347dc8965ac55b888be665934 upstream.
+
+The '-f' parameter is there to force the kernel to emit MPTCP FASTCLOSE
+by closing the connection with unread bytes in the receive queue.
+
+The xdisconnect() helper was used to stop the connection, but it does
+more than that: it will shut it down, then wait before reconnecting to
+the same address. This causes the mptcp_join's "fastclose test" to fail
+all the time.
+
+This failure is due to a recent change, with commit 218cc166321f
+("selftests: mptcp: avoid spurious errors on disconnect"), but that went
+unnoticed because the test is currently ignored. The recent modification
+only shown an existing issue: xdisconnect() doesn't need to be used
+here, only the shutdown() part is needed.
+
+Fixes: 6bf41020b72b ("selftests: mptcp: update and extend fastclose test-cases")
+Cc: stable@vger.kernel.org
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20250204-net-mptcp-sft-conn-f-v1-1-6b470c72fffa@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/net/mptcp/mptcp_connect.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/net/mptcp/mptcp_connect.c
++++ b/tools/testing/selftests/net/mptcp/mptcp_connect.c
+@@ -1216,7 +1216,7 @@ again:
+ return ret;
+
+ if (cfg_truncate > 0) {
+- xdisconnect(fd);
++ shutdown(fd, SHUT_WR);
+ } else if (--cfg_repeat > 0) {
+ xdisconnect(fd);
+
media-uvcvideo-fix-event-flags-in-uvc_ctrl_send_events.patch
media-uvcvideo-remove-redundant-null-assignment.patch
mm-kmemleak-fix-upper-boundary-check-for-physical-address-objects.patch
+ata-libata-sff-ensure-that-we-cannot-write-outside-the-allocated-buffer.patch
+crypto-qce-fix-goto-jump-in-error-path.patch
+crypto-qce-unregister-previously-registered-algos-in-error-path.patch
+nvmem-qcom-spmi-sdam-set-size-in-struct-nvmem_config.patch
+nvmem-core-improve-range-check-for-nvmem_cell_write.patch
+io_uring-net-don-t-retry-connect-operation-on-epollerr.patch
+vfio-platform-check-the-bounds-of-read-write-syscalls.patch
+selftests-mptcp-connect-f-no-reconnect.patch
+pnfs-flexfiles-retry-getting-layout-segment-for-reads.patch
+ocfs2-fix-incorrect-cpu-endianness-conversion-causing-mount-failure.patch
+ocfs2-handle-a-symlink-read-error-correctly.patch
+nilfs2-fix-possible-int-overflows-in-nilfs_fiemap.patch
+mailbox-tegra-hsp-clear-mailbox-before-using-message.patch
+nfc-nci-add-bounds-checking-in-nci_hci_create_pipe.patch
+i3c-master-fix-missing-ret-assignment-in-set_speed.patch
+irqchip-apple-aic-only-handle-pmc-interrupt-as-fiq-when-configured-so.patch
+mtd-onenand-fix-uninitialized-retlen-in-do_otp_read.patch
+misc-fastrpc-deregister-device-nodes-properly-in-error-scenarios.patch
+misc-fastrpc-fix-registered-buffer-page-address.patch
+misc-fastrpc-fix-copy-buffer-page-size.patch
+net-ncsi-wait-for-the-last-response-to-deselect-package-before-configuring-channel.patch
+net-phy-c45-tjaxx-add-delay-between-mdio-write-and-read-in-soft_reset.patch
+rtla-osnoise-distinguish-missing-workload-option.patch
+rtla-add-trace_instance_stop.patch
+rtla-timerlat_hist-stop-timerlat-tracer-on-signal.patch
+rtla-timerlat_top-stop-timerlat-tracer-on-signal.patch
+pinctrl-samsung-fix-fwnode-refcount-cleanup-if-platform_get_irq_optional-fails.patch
+ptp-ensure-info-enable-callback-is-always-set.patch
+rtc-zynqmp-fix-optional-clock-name-property.patch
--- /dev/null
+From ce9ff21ea89d191e477a02ad7eabf4f996b80a69 Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Wed, 22 Jan 2025 10:38:30 -0700
+Subject: vfio/platform: check the bounds of read/write syscalls
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+commit ce9ff21ea89d191e477a02ad7eabf4f996b80a69 upstream.
+
+count and offset are passed from user space and not checked, only
+offset is capped to 40 bits, which can be used to read/write out of
+bounds of the device.
+
+Fixes: 6e3f26456009 (“vfio/platform: read and write support for the device fd”)
+Cc: stable@vger.kernel.org
+Reported-by: Mostafa Saleh <smostafa@google.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
+Reviewed-by: Mostafa Saleh <smostafa@google.com>
+Tested-by: Mostafa Saleh <smostafa@google.com>
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/vfio/platform/vfio_platform_common.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/vfio/platform/vfio_platform_common.c
++++ b/drivers/vfio/platform/vfio_platform_common.c
+@@ -396,6 +396,11 @@ static ssize_t vfio_platform_read_mmio(s
+
+ count = min_t(size_t, count, reg->size - off);
+
++ if (off >= reg->size)
++ return -EINVAL;
++
++ count = min_t(size_t, count, reg->size - off);
++
+ if (!reg->ioaddr) {
+ reg->ioaddr =
+ ioremap(reg->addr, reg->size);
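Review bot: The added `if (off >= reg->size) return -EINVAL;` and `count = min_t(size_t, count, reg->size - off);` sit directly after a context line that is already the same `min_t` clamp, so this tree appears to contain the bounds check before the patch is applied. In the vfio_platform_write_mmio() hunk the context shows both the `off >= reg->size` test and the clamp around the added lines, which makes the additions there an exact duplicate. The duplicate looks inert, since the second test cannot fire once the first has passed, but the queue entry should be dropped or rebased so that the check appears once and the file matches upstream. In this read hunk the lines above the first clamp are outside the hunk, so it is worth confirming that the `off` test already precedes it.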
+@@ -477,6 +482,11 @@ static ssize_t vfio_platform_write_mmio(
+
+ if (off >= reg->size)
+ return -EINVAL;
++
++ count = min_t(size_t, count, reg->size - off);
++
++ if (off >= reg->size)
++ return -EINVAL;
+
+ count = min_t(size_t, count, reg->size - off);
+