--- /dev/null
+From 042bb9603c44620dce98717a2d23235ca57a00d7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Danis?= <frederic.danis@collabora.com>
+Date: Thu, 12 Jun 2025 09:50:34 +0200
+Subject: Bluetooth: L2CAP: Fix L2CAP MTU negotiation
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Frédéric Danis <frederic.danis@collabora.com>
+
+commit 042bb9603c44620dce98717a2d23235ca57a00d7 upstream.
+
+OBEX download from iPhone is currently slow due to small packet size
+used to transfer data which doesn't follow the MTU negotiated during
+L2CAP connection, i.e. 672 bytes instead of 32767:
+
+ < ACL Data TX: Handle 11 flags 0x00 dlen 12
+ L2CAP: Connection Request (0x02) ident 18 len 4
+ PSM: 4103 (0x1007)
+ Source CID: 72
+ > ACL Data RX: Handle 11 flags 0x02 dlen 16
+ L2CAP: Connection Response (0x03) ident 18 len 8
+ Destination CID: 14608
+ Source CID: 72
+ Result: Connection successful (0x0000)
+ Status: No further information available (0x0000)
+ < ACL Data TX: Handle 11 flags 0x00 dlen 27
+ L2CAP: Configure Request (0x04) ident 20 len 19
+ Destination CID: 14608
+ Flags: 0x0000
+ Option: Maximum Transmission Unit (0x01) [mandatory]
+ MTU: 32767
+ Option: Retransmission and Flow Control (0x04) [mandatory]
+ Mode: Enhanced Retransmission (0x03)
+ TX window size: 63
+ Max transmit: 3
+ Retransmission timeout: 2000
+ Monitor timeout: 12000
+ Maximum PDU size: 1009
+ > ACL Data RX: Handle 11 flags 0x02 dlen 26
+ L2CAP: Configure Request (0x04) ident 72 len 18
+ Destination CID: 72
+ Flags: 0x0000
+ Option: Retransmission and Flow Control (0x04) [mandatory]
+ Mode: Enhanced Retransmission (0x03)
+ TX window size: 32
+ Max transmit: 255
+ Retransmission timeout: 0
+ Monitor timeout: 0
+ Maximum PDU size: 65527
+ Option: Frame Check Sequence (0x05) [mandatory]
+ FCS: 16-bit FCS (0x01)
+ < ACL Data TX: Handle 11 flags 0x00 dlen 29
+ L2CAP: Configure Response (0x05) ident 72 len 21
+ Source CID: 14608
+ Flags: 0x0000
+ Result: Success (0x0000)
+ Option: Maximum Transmission Unit (0x01) [mandatory]
+ MTU: 672
+ Option: Retransmission and Flow Control (0x04) [mandatory]
+ Mode: Enhanced Retransmission (0x03)
+ TX window size: 32
+ Max transmit: 255
+ Retransmission timeout: 2000
+ Monitor timeout: 12000
+ Maximum PDU size: 1009
+ > ACL Data RX: Handle 11 flags 0x02 dlen 32
+ L2CAP: Configure Response (0x05) ident 20 len 24
+ Source CID: 72
+ Flags: 0x0000
+ Result: Success (0x0000)
+ Option: Maximum Transmission Unit (0x01) [mandatory]
+ MTU: 32767
+ Option: Retransmission and Flow Control (0x04) [mandatory]
+ Mode: Enhanced Retransmission (0x03)
+ TX window size: 63
+ Max transmit: 3
+ Retransmission timeout: 2000
+ Monitor timeout: 12000
+ Maximum PDU size: 1009
+ Option: Frame Check Sequence (0x05) [mandatory]
+ FCS: 16-bit FCS (0x01)
+ ...
+ > ACL Data RX: Handle 11 flags 0x02 dlen 680
+ Channel: 72 len 676 ctrl 0x0202 [PSM 4103 mode Enhanced Retransmission (0x03)] {chan 8}
+ I-frame: Unsegmented TxSeq 1 ReqSeq 2
+ < ACL Data TX: Handle 11 flags 0x00 dlen 13
+ Channel: 14608 len 9 ctrl 0x0204 [PSM 4103 mode Enhanced Retransmission (0x03)] {chan 8}
+ I-frame: Unsegmented TxSeq 2 ReqSeq 2
+ > ACL Data RX: Handle 11 flags 0x02 dlen 680
+ Channel: 72 len 676 ctrl 0x0304 [PSM 4103 mode Enhanced Retransmission (0x03)] {chan 8}
+ I-frame: Unsegmented TxSeq 2 ReqSeq 3
+
+The MTUs are negotiated for each direction. In this traces 32767 for
+iPhone->localhost and no MTU for localhost->iPhone, which based on
+'4.4 L2CAP_CONFIGURATION_REQ' (Core specification v5.4, Vol. 3, Part
+A):
+
+ The only parameters that should be included in the
+ L2CAP_CONFIGURATION_REQ packet are those that require different
+ values than the default or previously agreed values.
+ ...
+ Any missing configuration parameters are assumed to have their
+ most recently explicitly or implicitly accepted values.
+
+and '5.1 Maximum transmission unit (MTU)':
+
+ If the remote device sends a positive L2CAP_CONFIGURATION_RSP
+ packet it should include the actual MTU to be used on this channel
+ for traffic flowing into the local device.
+ ...
+ The default value is 672 octets.
+
+is set by BlueZ to 672 bytes.
+
+It seems that the iPhone used the lowest negotiated value to transfer
+data to the localhost instead of the negotiated one for the incoming
+direction.
+
+This could be fixed by using the MTU negotiated for the other
+direction, if exists, in the L2CAP_CONFIGURATION_RSP.
+This allows to use segmented packets as in the following traces:
+
+ < ACL Data TX: Handle 11 flags 0x00 dlen 12
+ L2CAP: Connection Request (0x02) ident 22 len 4
+ PSM: 4103 (0x1007)
+ Source CID: 72
+ < ACL Data TX: Handle 11 flags 0x00 dlen 27
+ L2CAP: Configure Request (0x04) ident 24 len 19
+ Destination CID: 2832
+ Flags: 0x0000
+ Option: Maximum Transmission Unit (0x01) [mandatory]
+ MTU: 32767
+ Option: Retransmission and Flow Control (0x04) [mandatory]
+ Mode: Enhanced Retransmission (0x03)
+ TX window size: 63
+ Max transmit: 3
+ Retransmission timeout: 2000
+ Monitor timeout: 12000
+ Maximum PDU size: 1009
+ > ACL Data RX: Handle 11 flags 0x02 dlen 26
+ L2CAP: Configure Request (0x04) ident 15 len 18
+ Destination CID: 72
+ Flags: 0x0000
+ Option: Retransmission and Flow Control (0x04) [mandatory]
+ Mode: Enhanced Retransmission (0x03)
+ TX window size: 32
+ Max transmit: 255
+ Retransmission timeout: 0
+ Monitor timeout: 0
+ Maximum PDU size: 65527
+ Option: Frame Check Sequence (0x05) [mandatory]
+ FCS: 16-bit FCS (0x01)
+ < ACL Data TX: Handle 11 flags 0x00 dlen 29
+ L2CAP: Configure Response (0x05) ident 15 len 21
+ Source CID: 2832
+ Flags: 0x0000
+ Result: Success (0x0000)
+ Option: Maximum Transmission Unit (0x01) [mandatory]
+ MTU: 32767
+ Option: Retransmission and Flow Control (0x04) [mandatory]
+ Mode: Enhanced Retransmission (0x03)
+ TX window size: 32
+ Max transmit: 255
+ Retransmission timeout: 2000
+ Monitor timeout: 12000
+ Maximum PDU size: 1009
+ > ACL Data RX: Handle 11 flags 0x02 dlen 32
+ L2CAP: Configure Response (0x05) ident 24 len 24
+ Source CID: 72
+ Flags: 0x0000
+ Result: Success (0x0000)
+ Option: Maximum Transmission Unit (0x01) [mandatory]
+ MTU: 32767
+ Option: Retransmission and Flow Control (0x04) [mandatory]
+ Mode: Enhanced Retransmission (0x03)
+ TX window size: 63
+ Max transmit: 3
+ Retransmission timeout: 2000
+ Monitor timeout: 12000
+ Maximum PDU size: 1009
+ Option: Frame Check Sequence (0x05) [mandatory]
+ FCS: 16-bit FCS (0x01)
+ ...
+ > ACL Data RX: Handle 11 flags 0x02 dlen 1009
+ Channel: 72 len 1005 ctrl 0x4202 [PSM 4103 mode Enhanced Retransmission (0x03)] {chan 8}
+ I-frame: Start (len 21884) TxSeq 1 ReqSeq 2
+ > ACL Data RX: Handle 11 flags 0x02 dlen 1009
+ Channel: 72 len 1005 ctrl 0xc204 [PSM 4103 mode Enhanced Retransmission (0x03)] {chan 8}
+ I-frame: Continuation TxSeq 2 ReqSeq 2
+
+This has been tested with kernel 5.4 and BlueZ 5.77.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/l2cap_core.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -3576,7 +3576,7 @@ static int l2cap_parse_conf_req(struct l
+ struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
+ struct l2cap_conf_efs efs;
+ u8 remote_efs = 0;
+- u16 mtu = L2CAP_DEFAULT_MTU;
++ u16 mtu = 0;
+ u16 result = L2CAP_CONF_SUCCESS;
+ u16 size;
+
+@@ -3687,6 +3687,13 @@ done:
+ /* Configure output options and let the other side know
+ * which ones we don't like. */
+
++ /* If MTU is not provided in configure request, use the most recently
++ * explicitly or implicitly accepted value for the other direction,
++ * or the default value.
++ */
++ if (mtu == 0)
++ mtu = chan->imtu ? chan->imtu : L2CAP_DEFAULT_MTU;
++
+ if (mtu < L2CAP_DEFAULT_MIN_MTU)
+ result = L2CAP_CONF_UNACCEPT;
+ else {
--- /dev/null
+From ae4477f937569d097ca5dbce92a89ba384b49bc6 Mon Sep 17 00:00:00 2001
+From: Mark Harmstone <maharmstone@fb.com>
+Date: Thu, 29 May 2025 10:37:44 +0100
+Subject: btrfs: update superblock's device bytes_used when dropping chunk
+
+From: Mark Harmstone <maharmstone@fb.com>
+
+commit ae4477f937569d097ca5dbce92a89ba384b49bc6 upstream.
+
+Each superblock contains a copy of the device item for that device. In a
+transaction which drops a chunk but doesn't create any new ones, we were
+correctly updating the device item in the chunk tree but not copying
+over the new bytes_used value to the superblock.
+
+This can be seen by doing the following:
+
+ # dd if=/dev/zero of=test bs=4096 count=2621440
+ # mkfs.btrfs test
+ # mount test /root/temp
+
+ # cd /root/temp
+ # for i in {00..10}; do dd if=/dev/zero of=$i bs=4096 count=32768; done
+ # sync
+ # rm *
+ # sync
+ # btrfs balance start -dusage=0 .
+ # sync
+
+ # cd
+ # umount /root/temp
+ # btrfs check test
+
+For btrfs-check to detect this, you will also need my patch at
+https://github.com/kdave/btrfs-progs/pull/991.
+
+Change btrfs_remove_dev_extents() so that it adds the devices to the
+fs_info->post_commit_list if they're not there already. This causes
+btrfs_commit_device_sizes() to be called, which updates the bytes_used
+value in the superblock.
+
+Fixes: bbbf7243d62d ("btrfs: combine device update operations during transaction commit")
+CC: stable@vger.kernel.org # 5.10+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Mark Harmstone <maharmstone@fb.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/volumes.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/btrfs/volumes.c
++++ b/fs/btrfs/volumes.c
+@@ -3197,6 +3197,12 @@ int btrfs_remove_chunk(struct btrfs_tran
+ device->bytes_used - dev_extent_len);
+ atomic64_add(dev_extent_len, &fs_info->free_chunk_space);
+ btrfs_clear_space_info_full(fs_info);
++
++ if (list_empty(&device->post_commit_list)) {
++ list_add_tail(&device->post_commit_list,
++ &trans->transaction->dev_update_list);
++ }
++
+ mutex_unlock(&fs_info->chunk_mutex);
+ }
+ }
--- /dev/null
+From db53805156f1e0aa6d059c0d3f9ac660d4ef3eb4 Mon Sep 17 00:00:00 2001
+From: Heinz Mauelshagen <heinzm@redhat.com>
+Date: Tue, 10 Jun 2025 20:53:30 +0200
+Subject: dm-raid: fix variable in journal device check
+
+From: Heinz Mauelshagen <heinzm@redhat.com>
+
+commit db53805156f1e0aa6d059c0d3f9ac660d4ef3eb4 upstream.
+
+Replace "rdev" with correct loop variable name "r".
+
+Signed-off-by: Heinz Mauelshagen <heinzm@redhat.com>
+Cc: stable@vger.kernel.org
+Fixes: 63c32ed4afc2 ("dm raid: add raid4/5/6 journaling support")
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-raid.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/md/dm-raid.c
++++ b/drivers/md/dm-raid.c
+@@ -2381,7 +2381,7 @@ static int super_init_validation(struct
+ */
+ sb_retrieve_failed_devices(sb, failed_devices);
+ rdev_for_each(r, mddev) {
+- if (test_bit(Journal, &rdev->flags) ||
++ if (test_bit(Journal, &r->flags) ||
+ !r->sb_page)
+ continue;
+ sb2 = page_address(r->sb_page);
--- /dev/null
+From cfb05257ae168a0496c7637e1d9e3ab8a25cbffe Mon Sep 17 00:00:00 2001
+From: Jay Cornwall <jay.cornwall@amd.com>
+Date: Wed, 11 Jun 2025 09:52:14 -0500
+Subject: drm/amdkfd: Fix race in GWS queue scheduling
+
+From: Jay Cornwall <jay.cornwall@amd.com>
+
+commit cfb05257ae168a0496c7637e1d9e3ab8a25cbffe upstream.
+
+q->gws is not updated atomically with qpd->mapped_gws_queue. If a
+runlist is created between pqm_set_gws and update_queue it will
+contain a queue which uses GWS in a process with no GWS allocated.
+This will result in a scheduler hang.
+
+Use q->properties.is_gws which is changed while holding the DQM lock.
+
+Signed-off-by: Jay Cornwall <jay.cornwall@amd.com>
+Reviewed-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit b98370220eb3110e82248e3354e16a489a492cfb)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_packet_manager_v9.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_packet_manager_v9.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_packet_manager_v9.c
+@@ -195,7 +195,7 @@ static int pm_map_queues_v9(struct packe
+
+ packet->bitfields2.engine_sel =
+ engine_sel__mes_map_queues__compute_vi;
+- packet->bitfields2.gws_control_queue = q->gws ? 1 : 0;
++ packet->bitfields2.gws_control_queue = q->properties.is_gws ? 1 : 0;
+ packet->bitfields2.extended_engine_sel =
+ extended_engine_sel__mes_map_queues__legacy_engine_sel;
+ packet->bitfields2.queue_type =
--- /dev/null
+From 9ff4fdf4f44b69237c0afc1d3a8dac916ce66f3e Mon Sep 17 00:00:00 2001
+From: Thierry Reding <treding@nvidia.com>
+Date: Mon, 21 Apr 2025 11:13:05 -0500
+Subject: drm/tegra: Assign plane type before registration
+
+From: Thierry Reding <treding@nvidia.com>
+
+commit 9ff4fdf4f44b69237c0afc1d3a8dac916ce66f3e upstream.
+
+Changes to a plane's type after it has been registered aren't propagated
+to userspace automatically. This could possibly be achieved by updating
+the property, but since we can already determine which type this should
+be before the registration, passing in the right type from the start is
+a much better solution.
+
+Suggested-by: Aaron Kling <webgeek1234@gmail.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Cc: stable@vger.kernel.org
+Fixes: 473079549f27 ("drm/tegra: dc: Add Tegra186 support")
+Signed-off-by: Aaron Kling <webgeek1234@gmail.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Link: https://lore.kernel.org/r/20250421-tegra-drm-primary-v2-1-7f740c4c2121@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/tegra/dc.c | 12 ++++++++----
+ drivers/gpu/drm/tegra/hub.c | 4 ++--
+ drivers/gpu/drm/tegra/hub.h | 3 ++-
+ 3 files changed, 12 insertions(+), 7 deletions(-)
+
+--- a/drivers/gpu/drm/tegra/dc.c
++++ b/drivers/gpu/drm/tegra/dc.c
+@@ -1221,10 +1221,16 @@ static struct drm_plane *tegra_dc_add_sh
+ if (wgrp->dc == dc->pipe) {
+ for (j = 0; j < wgrp->num_windows; j++) {
+ unsigned int index = wgrp->windows[j];
++ enum drm_plane_type type;
++
++ if (primary)
++ type = DRM_PLANE_TYPE_OVERLAY;
++ else
++ type = DRM_PLANE_TYPE_PRIMARY;
+
+ plane = tegra_shared_plane_create(drm, dc,
+ wgrp->index,
+- index);
++ index, type);
+ if (IS_ERR(plane))
+ return plane;
+
+@@ -1232,10 +1238,8 @@ static struct drm_plane *tegra_dc_add_sh
+ * Choose the first shared plane owned by this
+ * head as the primary plane.
+ */
+- if (!primary) {
+- plane->type = DRM_PLANE_TYPE_PRIMARY;
++ if (!primary)
+ primary = plane;
+- }
+ }
+ }
+ }
+--- a/drivers/gpu/drm/tegra/hub.c
++++ b/drivers/gpu/drm/tegra/hub.c
+@@ -747,9 +747,9 @@ static const struct drm_plane_helper_fun
+ struct drm_plane *tegra_shared_plane_create(struct drm_device *drm,
+ struct tegra_dc *dc,
+ unsigned int wgrp,
+- unsigned int index)
++ unsigned int index,
++ enum drm_plane_type type)
+ {
+- enum drm_plane_type type = DRM_PLANE_TYPE_OVERLAY;
+ struct tegra_drm *tegra = drm->dev_private;
+ struct tegra_display_hub *hub = tegra->hub;
+ struct tegra_shared_plane *plane;
+--- a/drivers/gpu/drm/tegra/hub.h
++++ b/drivers/gpu/drm/tegra/hub.h
+@@ -81,7 +81,8 @@ void tegra_display_hub_cleanup(struct te
+ struct drm_plane *tegra_shared_plane_create(struct drm_device *drm,
+ struct tegra_dc *dc,
+ unsigned int wgrp,
+- unsigned int index);
++ unsigned int index,
++ enum drm_plane_type type);
+
+ int tegra_display_hub_atomic_check(struct drm_device *drm,
+ struct drm_atomic_state *state);
--- /dev/null
+From 780351a5f61416ed2ba1199cc57e4a076fca644d Mon Sep 17 00:00:00 2001
+From: Qiu-ji Chen <chenqiuji666@gmail.com>
+Date: Wed, 6 Nov 2024 17:59:06 +0800
+Subject: drm/tegra: Fix a possible null pointer dereference
+
+From: Qiu-ji Chen <chenqiuji666@gmail.com>
+
+commit 780351a5f61416ed2ba1199cc57e4a076fca644d upstream.
+
+In tegra_crtc_reset(), new memory is allocated with kzalloc(), but
+no check is performed. Before calling __drm_atomic_helper_crtc_reset,
+state should be checked to prevent possible null pointer dereference.
+
+Fixes: b7e0b04ae450 ("drm/tegra: Convert to using __drm_atomic_helper_crtc_reset() for reset.")
+Cc: stable@vger.kernel.org
+Signed-off-by: Qiu-ji Chen <chenqiuji666@gmail.com>
+Signed-off-by: Thierry Reding <treding@nvidia.com>
+Link: https://lore.kernel.org/r/20241106095906.15247-1-chenqiuji666@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/tegra/dc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/tegra/dc.c
++++ b/drivers/gpu/drm/tegra/dc.c
+@@ -1293,7 +1293,10 @@ static void tegra_crtc_reset(struct drm_
+ if (crtc->state)
+ tegra_crtc_atomic_destroy_state(crtc, crtc->state);
+
+- __drm_atomic_helper_crtc_reset(crtc, &state->base);
++ if (state)
++ __drm_atomic_helper_crtc_reset(crtc, &state->base);
++ else
++ __drm_atomic_helper_crtc_reset(crtc, NULL);
+ }
+
+ static struct drm_crtc_state *
--- /dev/null
+From ff9cb6d2035c586ea7c8f1754d4409eec7a2d26d Mon Sep 17 00:00:00 2001
+From: Thomas Zimmermann <tzimmermann@suse.de>
+Date: Mon, 3 Mar 2025 15:52:56 +0100
+Subject: drm/udl: Unregister device before cleaning up on disconnect
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+commit ff9cb6d2035c586ea7c8f1754d4409eec7a2d26d upstream.
+
+Disconnecting a DisplayLink device results in the following kernel
+error messages
+
+[ 93.041748] [drm:udl_urb_completion [udl]] *ERROR* udl_urb_completion - nonzero write bulk status received: -115
+[ 93.055299] [drm:udl_submit_urb [udl]] *ERROR* usb_submit_urb error fffffffe
+[ 93.065363] [drm:udl_urb_completion [udl]] *ERROR* udl_urb_completion - nonzero write bulk status received: -115
+[ 93.078207] [drm:udl_submit_urb [udl]] *ERROR* usb_submit_urb error fffffffe
+
+coming from KMS poll helpers. Shutting down poll helpers runs them
+one final time when the USB device is already gone.
+
+Run drm_dev_unplug() first in udl's USB disconnect handler. Udl's
+polling code already handles disconnects gracefully if the device has
+been marked as unplugged.
+
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Fixes: b1a981bd5576 ("drm/udl: drop drm_driver.release hook")
+Cc: dri-devel@lists.freedesktop.org
+Cc: <stable@vger.kernel.org> # v5.8+
+Reviewed-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20250303145604.62962-2-tzimmermann@suse.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/udl/udl_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/udl/udl_drv.c
++++ b/drivers/gpu/drm/udl/udl_drv.c
+@@ -110,9 +110,9 @@ static void udl_usb_disconnect(struct us
+ {
+ struct drm_device *dev = usb_get_intfdata(interface);
+
++ drm_dev_unplug(dev);
+ drm_kms_helper_poll_fini(dev);
+ udl_drop_usb(dev);
+- drm_dev_unplug(dev);
+ }
+
+ /*
--- /dev/null
+From 09812134071b3941fb81def30b61ed36d3a5dfb5 Mon Sep 17 00:00:00 2001
+From: Yao Zi <ziyao@disroot.org>
+Date: Mon, 23 Jun 2025 09:34:45 +0000
+Subject: dt-bindings: serial: 8250: Make clocks and clock-frequency exclusive
+
+From: Yao Zi <ziyao@disroot.org>
+
+commit 09812134071b3941fb81def30b61ed36d3a5dfb5 upstream.
+
+The 8250 binding before converting to json-schema states,
+
+ - clock-frequency : the input clock frequency for the UART
+ or
+ - clocks phandle to refer to the clk used as per Documentation/devicetree
+
+for clock-related properties, where "or" indicates these properties
+shouldn't exist at the same time.
+
+Additionally, the behavior of Linux's driver is strange when both clocks
+and clock-frequency are specified: it ignores clocks and obtains the
+frequency from clock-frequency, left the specified clocks unclaimed. It
+may even be disabled, which is undesired most of the time.
+
+But "anyOf" doesn't prevent these two properties from coexisting, as it
+considers the object valid as long as there's at LEAST one match.
+
+Let's switch to "oneOf" and disallows the other property if one exists,
+precisely matching the original binding and avoiding future confusion on
+the driver's behavior.
+
+Fixes: e69f5dc623f9 ("dt-bindings: serial: Convert 8250 to json-schema")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Yao Zi <ziyao@disroot.org>
+Reviewed-by: Conor Dooley <conor.dooley@microchip.com>
+Link: https://lore.kernel.org/r/20250623093445.62327-1-ziyao@disroot.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/serial/8250.yaml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/serial/8250.yaml
++++ b/Documentation/devicetree/bindings/serial/8250.yaml
+@@ -44,7 +44,7 @@ allOf:
+ - ns16550
+ - ns16550a
+ then:
+- anyOf:
++ oneOf:
+ - required: [ clock-frequency ]
+ - required: [ clocks ]
+
--- /dev/null
+From 85a720f4337f0ddf1603c8b75a8f1ffbbe022ef9 Mon Sep 17 00:00:00 2001
+From: Qasim Ijaz <qasdev00@gmail.com>
+Date: Fri, 6 Jun 2025 19:49:59 +0100
+Subject: HID: wacom: fix kobject reference count leak
+
+From: Qasim Ijaz <qasdev00@gmail.com>
+
+commit 85a720f4337f0ddf1603c8b75a8f1ffbbe022ef9 upstream.
+
+When sysfs_create_files() fails in wacom_initialize_remotes() the error
+is returned and the cleanup action will not have been registered yet.
+
+As a result the kobject???s refcount is never dropped, so the
+kobject can never be freed leading to a reference leak.
+
+Fix this by calling kobject_put() before returning.
+
+Fixes: 83e6b40e2de6 ("HID: wacom: EKR: have the wacom resources dynamically allocated")
+Acked-by: Ping Cheng <ping.cheng@wacom.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/wacom_sys.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/hid/wacom_sys.c
++++ b/drivers/hid/wacom_sys.c
+@@ -2031,6 +2031,7 @@ static int wacom_initialize_remotes(stru
+ hid_err(wacom->hdev,
+ "cannot create sysfs group err: %d\n", error);
+ kfifo_free(&remote->remote_fifo);
++ kobject_put(remote->remote_dir);
+ return error;
+ }
+
--- /dev/null
+From 5ae416c5b1e2e816aee7b3fc8347adf70afabb4c Mon Sep 17 00:00:00 2001
+From: Qasim Ijaz <qasdev00@gmail.com>
+Date: Fri, 6 Jun 2025 19:49:57 +0100
+Subject: HID: wacom: fix memory leak on kobject creation failure
+
+From: Qasim Ijaz <qasdev00@gmail.com>
+
+commit 5ae416c5b1e2e816aee7b3fc8347adf70afabb4c upstream.
+
+During wacom_initialize_remotes() a fifo buffer is allocated
+with kfifo_alloc() and later a cleanup action is registered
+during devm_add_action_or_reset() to clean it up.
+
+However if the code fails to create a kobject and register it
+with sysfs the code simply returns -ENOMEM before the cleanup
+action is registered leading to a memory leak.
+
+Fix this by ensuring the fifo is freed when the kobject creation
+and registration process fails.
+
+Fixes: 83e6b40e2de6 ("HID: wacom: EKR: have the wacom resources dynamically allocated")
+Reviewed-by: Ping Cheng <ping.cheng@wacom.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/wacom_sys.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/wacom_sys.c
++++ b/drivers/hid/wacom_sys.c
+@@ -2020,8 +2020,10 @@ static int wacom_initialize_remotes(stru
+
+ remote->remote_dir = kobject_create_and_add("wacom_remote",
+ &wacom->hdev->dev.kobj);
+- if (!remote->remote_dir)
++ if (!remote->remote_dir) {
++ kfifo_free(&remote->remote_fifo);
+ return -ENOMEM;
++ }
+
+ error = sysfs_create_files(remote->remote_dir, remote_unpair_attrs);
+
--- /dev/null
+From 1a19ae437ca5d5c7d9ec2678946fb339b1c706bf Mon Sep 17 00:00:00 2001
+From: Qasim Ijaz <qasdev00@gmail.com>
+Date: Fri, 6 Jun 2025 19:49:58 +0100
+Subject: HID: wacom: fix memory leak on sysfs attribute creation failure
+
+From: Qasim Ijaz <qasdev00@gmail.com>
+
+commit 1a19ae437ca5d5c7d9ec2678946fb339b1c706bf upstream.
+
+When sysfs_create_files() fails during wacom_initialize_remotes() the
+fifo buffer is not freed leading to a memory leak.
+
+Fix this by calling kfifo_free() before returning.
+
+Fixes: 83e6b40e2de6 ("HID: wacom: EKR: have the wacom resources dynamically allocated")
+Reviewed-by: Ping Cheng <ping.cheng@wacom.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Qasim Ijaz <qasdev00@gmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/wacom_sys.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/hid/wacom_sys.c
++++ b/drivers/hid/wacom_sys.c
+@@ -2030,6 +2030,7 @@ static int wacom_initialize_remotes(stru
+ if (error) {
+ hid_err(wacom->hdev,
+ "cannot create sysfs group err: %d\n", error);
++ kfifo_free(&remote->remote_fifo);
+ return error;
+ }
+
net-enetc-correct-endianness-handling-in-_enetc_rd_r.patch
atm-release-atm_dev_mutex-after-removing-procfs-in-a.patch
net-selftests-fix-tcp-packet-checksum.patch
+staging-rtl8723bs-avoid-memset-in-aes_cipher-and-aes_decipher.patch
+dt-bindings-serial-8250-make-clocks-and-clock-frequency-exclusive.patch
+bluetooth-l2cap-fix-l2cap-mtu-negotiation.patch
+dm-raid-fix-variable-in-journal-device-check.patch
+btrfs-update-superblock-s-device-bytes_used-when-dropping-chunk.patch
+hid-wacom-fix-memory-leak-on-kobject-creation-failure.patch
+hid-wacom-fix-memory-leak-on-sysfs-attribute-creation-failure.patch
+hid-wacom-fix-kobject-reference-count-leak.patch
+drm-tegra-assign-plane-type-before-registration.patch
+drm-tegra-fix-a-possible-null-pointer-dereference.patch
+drm-udl-unregister-device-before-cleaning-up-on-disconnect.patch
+drm-amdkfd-fix-race-in-gws-queue-scheduling.patch
--- /dev/null
+From a55bc4ffc06d8c965a7d6f0a01ed0ed41380df28 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Mon, 9 Jun 2025 14:13:14 -0700
+Subject: staging: rtl8723bs: Avoid memset() in aes_cipher() and aes_decipher()
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit a55bc4ffc06d8c965a7d6f0a01ed0ed41380df28 upstream.
+
+After commit 6f110a5e4f99 ("Disable SLUB_TINY for build testing"), which
+causes CONFIG_KASAN to be enabled in allmodconfig again, arm64
+allmodconfig builds with older versions of clang (15 through 17) show an
+instance of -Wframe-larger-than (which breaks the build with
+CONFIG_WERROR=y):
+
+ drivers/staging/rtl8723bs/core/rtw_security.c:1287:5: error: stack frame size (2208) exceeds limit (2048) in 'rtw_aes_decrypt' [-Werror,-Wframe-larger-than]
+ 1287 | u32 rtw_aes_decrypt(struct adapter *padapter, u8 *precvframe)
+ | ^
+
+This comes from aes_decipher() being inlined in rtw_aes_decrypt().
+Running the same build with CONFIG_FRAME_WARN=128 shows aes_cipher()
+also uses a decent amount of stack, just under the limit of 2048:
+
+ drivers/staging/rtl8723bs/core/rtw_security.c:864:19: warning: stack frame size (1952) exceeds limit (128) in 'aes_cipher' [-Wframe-larger-than]
+ 864 | static signed int aes_cipher(u8 *key, uint hdrlen,
+ | ^
+
+-Rpass-analysis=stack-frame-layout only shows one large structure on the
+stack, which is the ctx variable inlined from aes128k128d(). A good
+number of the other variables come from the additional checks of
+fortified string routines, which are present in memset(), which both
+aes_cipher() and aes_decipher() use to initialize some temporary
+buffers. In this case, since the size is known at compile time, these
+additional checks should not result in any code generation changes but
+allmodconfig has several sanitizers enabled, which may make it harder
+for the compiler to eliminate the compile time checks and the variables
+that come about from them.
+
+The memset() calls are just initializing these buffers to zero, so use
+'= {}' instead, which is used all over the kernel and does the exact
+same thing as memset() without the fortify checks, which drops the stack
+usage of these functions by a few hundred kilobytes.
+
+ drivers/staging/rtl8723bs/core/rtw_security.c:864:19: warning: stack frame size (1584) exceeds limit (128) in 'aes_cipher' [-Wframe-larger-than]
+ 864 | static signed int aes_cipher(u8 *key, uint hdrlen,
+ | ^
+ drivers/staging/rtl8723bs/core/rtw_security.c:1271:5: warning: stack frame size (1456) exceeds limit (128) in 'rtw_aes_decrypt' [-Wframe-larger-than]
+ 1271 | u32 rtw_aes_decrypt(struct adapter *padapter, u8 *precvframe)
+ | ^
+
+Cc: stable@vger.kernel.org
+Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Reviewed-by: Dan Carpenter <dan.carpenter@linaro.org>
+Link: https://lore.kernel.org/r/20250609-rtl8723bs-fix-clang-arm64-wflt-v1-1-e2accba43def@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8723bs/core/rtw_security.c | 44 ++++++++------------------
+ 1 file changed, 14 insertions(+), 30 deletions(-)
+
+--- a/drivers/staging/rtl8723bs/core/rtw_security.c
++++ b/drivers/staging/rtl8723bs/core/rtw_security.c
+@@ -869,29 +869,21 @@ static signed int aes_cipher(u8 *key, ui
+ num_blocks, payload_index;
+
+ u8 pn_vector[6];
+- u8 mic_iv[16];
+- u8 mic_header1[16];
+- u8 mic_header2[16];
+- u8 ctr_preload[16];
++ u8 mic_iv[16] = {};
++ u8 mic_header1[16] = {};
++ u8 mic_header2[16] = {};
++ u8 ctr_preload[16] = {};
+
+ /* Intermediate Buffers */
+- u8 chain_buffer[16];
+- u8 aes_out[16];
+- u8 padded_buffer[16];
++ u8 chain_buffer[16] = {};
++ u8 aes_out[16] = {};
++ u8 padded_buffer[16] = {};
+ u8 mic[8];
+ uint frtype = GetFrameType(pframe);
+ uint frsubtype = GetFrameSubType(pframe);
+
+ frsubtype = frsubtype>>4;
+
+- memset((void *)mic_iv, 0, 16);
+- memset((void *)mic_header1, 0, 16);
+- memset((void *)mic_header2, 0, 16);
+- memset((void *)ctr_preload, 0, 16);
+- memset((void *)chain_buffer, 0, 16);
+- memset((void *)aes_out, 0, 16);
+- memset((void *)padded_buffer, 0, 16);
+-
+ if ((hdrlen == WLAN_HDR_A3_LEN) || (hdrlen == WLAN_HDR_A3_QOS_LEN))
+ a4_exists = 0;
+ else
+@@ -1081,15 +1073,15 @@ static signed int aes_decipher(u8 *key,
+ num_blocks, payload_index;
+ signed int res = _SUCCESS;
+ u8 pn_vector[6];
+- u8 mic_iv[16];
+- u8 mic_header1[16];
+- u8 mic_header2[16];
+- u8 ctr_preload[16];
++ u8 mic_iv[16] = {};
++ u8 mic_header1[16] = {};
++ u8 mic_header2[16] = {};
++ u8 ctr_preload[16] = {};
+
+ /* Intermediate Buffers */
+- u8 chain_buffer[16];
+- u8 aes_out[16];
+- u8 padded_buffer[16];
++ u8 chain_buffer[16] = {};
++ u8 aes_out[16] = {};
++ u8 padded_buffer[16] = {};
+ u8 mic[8];
+
+ uint frtype = GetFrameType(pframe);
+@@ -1097,14 +1089,6 @@ static signed int aes_decipher(u8 *key,
+
+ frsubtype = frsubtype>>4;
+
+- memset((void *)mic_iv, 0, 16);
+- memset((void *)mic_header1, 0, 16);
+- memset((void *)mic_header2, 0, 16);
+- memset((void *)ctr_preload, 0, 16);
+- memset((void *)chain_buffer, 0, 16);
+- memset((void *)aes_out, 0, 16);
+- memset((void *)padded_buffer, 0, 16);
+-
+ /* start to decrypt the payload */
+
+ num_blocks = (plen-8) / 16; /* plen including LLC, payload_length and mic) */
projects / thirdparty / kernel / stable-queue.git / commitdiff
