--- /dev/null
+From 89fb8acc38852116d38d721ad394aad7f2871670 Mon Sep 17 00:00:00 2001
+From: Christian Eggers <ceggers@arri.de>
+Date: Fri, 27 Jun 2025 09:05:08 +0200
+Subject: Bluetooth: HCI: Set extended advertising data synchronously
+
+From: Christian Eggers <ceggers@arri.de>
+
+commit 89fb8acc38852116d38d721ad394aad7f2871670 upstream.
+
+Currently, for controllers with extended advertising, the advertising
+data is set in the asynchronous response handler for extended
+adverstising params. As most advertising settings are performed in a
+synchronous context, the (asynchronous) setting of the advertising data
+is done too late (after enabling the advertising).
+
+Move setting of adverstising data from asynchronous response handler
+into synchronous context to fix ordering of HCI commands.
+
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Fixes: a0fb3726ba55 ("Bluetooth: Use Set ext adv/scan rsp data if controller supports")
+Cc: stable@vger.kernel.org
+v2: https://lore.kernel.org/linux-bluetooth/20250626115209.17839-1-ceggers@arri.de/
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_event.c | 36 --------
+ net/bluetooth/hci_sync.c | 207 ++++++++++++++++++++++++++++------------------
+ 2 files changed, 130 insertions(+), 113 deletions(-)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -2141,40 +2141,6 @@ static u8 hci_cc_set_adv_param(struct hc
+ return rp->status;
+ }
+
+-static u8 hci_cc_set_ext_adv_param(struct hci_dev *hdev, void *data,
+- struct sk_buff *skb)
+-{
+- struct hci_rp_le_set_ext_adv_params *rp = data;
+- struct hci_cp_le_set_ext_adv_params *cp;
+- struct adv_info *adv_instance;
+-
+- bt_dev_dbg(hdev, "status 0x%2.2x", rp->status);
+-
+- if (rp->status)
+- return rp->status;
+-
+- cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS);
+- if (!cp)
+- return rp->status;
+-
+- hci_dev_lock(hdev);
+- hdev->adv_addr_type = cp->own_addr_type;
+- if (!cp->handle) {
+- /* Store in hdev for instance 0 */
+- hdev->adv_tx_power = rp->tx_power;
+- } else {
+- adv_instance = hci_find_adv_instance(hdev, cp->handle);
+- if (adv_instance)
+- adv_instance->tx_power = rp->tx_power;
+- }
+- /* Update adv data as tx power is known now */
+- hci_update_adv_data(hdev, cp->handle);
+-
+- hci_dev_unlock(hdev);
+-
+- return rp->status;
+-}
+-
+ static u8 hci_cc_read_rssi(struct hci_dev *hdev, void *data,
+ struct sk_buff *skb)
+ {
+@@ -4155,8 +4121,6 @@ static const struct hci_cc {
+ HCI_CC(HCI_OP_LE_READ_NUM_SUPPORTED_ADV_SETS,
+ hci_cc_le_read_num_adv_sets,
+ sizeof(struct hci_rp_le_read_num_supported_adv_sets)),
+- HCI_CC(HCI_OP_LE_SET_EXT_ADV_PARAMS, hci_cc_set_ext_adv_param,
+- sizeof(struct hci_rp_le_set_ext_adv_params)),
+ HCI_CC_STATUS(HCI_OP_LE_SET_EXT_ADV_ENABLE,
+ hci_cc_le_set_ext_adv_enable),
+ HCI_CC_STATUS(HCI_OP_LE_SET_ADV_SET_RAND_ADDR,
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -1205,9 +1205,126 @@ static int hci_set_adv_set_random_addr_s
+ sizeof(cp), &cp, HCI_CMD_TIMEOUT);
+ }
+
++static int
++hci_set_ext_adv_params_sync(struct hci_dev *hdev, struct adv_info *adv,
++ const struct hci_cp_le_set_ext_adv_params *cp,
++ struct hci_rp_le_set_ext_adv_params *rp)
++{
++ struct sk_buff *skb;
++
++ skb = __hci_cmd_sync(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS, sizeof(*cp),
++ cp, HCI_CMD_TIMEOUT);
++
++ /* If command return a status event, skb will be set to -ENODATA */
++ if (skb == ERR_PTR(-ENODATA))
++ return 0;
++
++ if (IS_ERR(skb)) {
++ bt_dev_err(hdev, "Opcode 0x%4.4x failed: %ld",
++ HCI_OP_LE_SET_EXT_ADV_PARAMS, PTR_ERR(skb));
++ return PTR_ERR(skb);
++ }
++
++ if (skb->len != sizeof(*rp)) {
++ bt_dev_err(hdev, "Invalid response length for 0x%4.4x: %u",
++ HCI_OP_LE_SET_EXT_ADV_PARAMS, skb->len);
++ kfree_skb(skb);
++ return -EIO;
++ }
++
++ memcpy(rp, skb->data, sizeof(*rp));
++ kfree_skb(skb);
++
++ if (!rp->status) {
++ hdev->adv_addr_type = cp->own_addr_type;
++ if (!cp->handle) {
++ /* Store in hdev for instance 0 */
++ hdev->adv_tx_power = rp->tx_power;
++ } else if (adv) {
++ adv->tx_power = rp->tx_power;
++ }
++ }
++
++ return rp->status;
++}
++
++static int hci_set_ext_adv_data_sync(struct hci_dev *hdev, u8 instance)
++{
++ DEFINE_FLEX(struct hci_cp_le_set_ext_adv_data, pdu, data, length,
++ HCI_MAX_EXT_AD_LENGTH);
++ u8 len;
++ struct adv_info *adv = NULL;
++ int err;
++
++ if (instance) {
++ adv = hci_find_adv_instance(hdev, instance);
++ if (!adv || !adv->adv_data_changed)
++ return 0;
++ }
++
++ len = eir_create_adv_data(hdev, instance, pdu->data,
++ HCI_MAX_EXT_AD_LENGTH);
++
++ pdu->length = len;
++ pdu->handle = adv ? adv->handle : instance;
++ pdu->operation = LE_SET_ADV_DATA_OP_COMPLETE;
++ pdu->frag_pref = LE_SET_ADV_DATA_NO_FRAG;
++
++ err = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_ADV_DATA,
++ struct_size(pdu, data, len), pdu,
++ HCI_CMD_TIMEOUT);
++ if (err)
++ return err;
++
++ /* Update data if the command succeed */
++ if (adv) {
++ adv->adv_data_changed = false;
++ } else {
++ memcpy(hdev->adv_data, pdu->data, len);
++ hdev->adv_data_len = len;
++ }
++
++ return 0;
++}
++
++static int hci_set_adv_data_sync(struct hci_dev *hdev, u8 instance)
++{
++ struct hci_cp_le_set_adv_data cp;
++ u8 len;
++
++ memset(&cp, 0, sizeof(cp));
++
++ len = eir_create_adv_data(hdev, instance, cp.data, sizeof(cp.data));
++
++ /* There's nothing to do if the data hasn't changed */
++ if (hdev->adv_data_len == len &&
++ memcmp(cp.data, hdev->adv_data, len) == 0)
++ return 0;
++
++ memcpy(hdev->adv_data, cp.data, sizeof(cp.data));
++ hdev->adv_data_len = len;
++
++ cp.length = len;
++
++ return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_ADV_DATA,
++ sizeof(cp), &cp, HCI_CMD_TIMEOUT);
++}
++
++int hci_update_adv_data_sync(struct hci_dev *hdev, u8 instance)
++{
++ if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
++ return 0;
++
++ if (ext_adv_capable(hdev))
++ return hci_set_ext_adv_data_sync(hdev, instance);
++
++ return hci_set_adv_data_sync(hdev, instance);
++}
++
+ int hci_setup_ext_adv_instance_sync(struct hci_dev *hdev, u8 instance)
+ {
+ struct hci_cp_le_set_ext_adv_params cp;
++ struct hci_rp_le_set_ext_adv_params rp;
+ bool connectable;
+ u32 flags;
+ bdaddr_t random_addr;
+@@ -1314,8 +1431,12 @@ int hci_setup_ext_adv_instance_sync(stru
+ cp.secondary_phy = HCI_ADV_PHY_1M;
+ }
+
+- err = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS,
+- sizeof(cp), &cp, HCI_CMD_TIMEOUT);
++ err = hci_set_ext_adv_params_sync(hdev, adv, &cp, &rp);
++ if (err)
++ return err;
++
++ /* Update adv data as tx power is known now */
++ err = hci_set_ext_adv_data_sync(hdev, cp.handle);
+ if (err)
+ return err;
+
+@@ -1832,79 +1953,6 @@ int hci_le_terminate_big_sync(struct hci
+ sizeof(cp), &cp, HCI_CMD_TIMEOUT);
+ }
+
+-static int hci_set_ext_adv_data_sync(struct hci_dev *hdev, u8 instance)
+-{
+- DEFINE_FLEX(struct hci_cp_le_set_ext_adv_data, pdu, data, length,
+- HCI_MAX_EXT_AD_LENGTH);
+- u8 len;
+- struct adv_info *adv = NULL;
+- int err;
+-
+- if (instance) {
+- adv = hci_find_adv_instance(hdev, instance);
+- if (!adv || !adv->adv_data_changed)
+- return 0;
+- }
+-
+- len = eir_create_adv_data(hdev, instance, pdu->data,
+- HCI_MAX_EXT_AD_LENGTH);
+-
+- pdu->length = len;
+- pdu->handle = adv ? adv->handle : instance;
+- pdu->operation = LE_SET_ADV_DATA_OP_COMPLETE;
+- pdu->frag_pref = LE_SET_ADV_DATA_NO_FRAG;
+-
+- err = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_ADV_DATA,
+- struct_size(pdu, data, len), pdu,
+- HCI_CMD_TIMEOUT);
+- if (err)
+- return err;
+-
+- /* Update data if the command succeed */
+- if (adv) {
+- adv->adv_data_changed = false;
+- } else {
+- memcpy(hdev->adv_data, pdu->data, len);
+- hdev->adv_data_len = len;
+- }
+-
+- return 0;
+-}
+-
+-static int hci_set_adv_data_sync(struct hci_dev *hdev, u8 instance)
+-{
+- struct hci_cp_le_set_adv_data cp;
+- u8 len;
+-
+- memset(&cp, 0, sizeof(cp));
+-
+- len = eir_create_adv_data(hdev, instance, cp.data, sizeof(cp.data));
+-
+- /* There's nothing to do if the data hasn't changed */
+- if (hdev->adv_data_len == len &&
+- memcmp(cp.data, hdev->adv_data, len) == 0)
+- return 0;
+-
+- memcpy(hdev->adv_data, cp.data, sizeof(cp.data));
+- hdev->adv_data_len = len;
+-
+- cp.length = len;
+-
+- return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_ADV_DATA,
+- sizeof(cp), &cp, HCI_CMD_TIMEOUT);
+-}
+-
+-int hci_update_adv_data_sync(struct hci_dev *hdev, u8 instance)
+-{
+- if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
+- return 0;
+-
+- if (ext_adv_capable(hdev))
+- return hci_set_ext_adv_data_sync(hdev, instance);
+-
+- return hci_set_adv_data_sync(hdev, instance);
+-}
+-
+ int hci_schedule_adv_instance_sync(struct hci_dev *hdev, u8 instance,
+ bool force)
+ {
+@@ -6251,6 +6299,7 @@ static int hci_le_ext_directed_advertisi
+ struct hci_conn *conn)
+ {
+ struct hci_cp_le_set_ext_adv_params cp;
++ struct hci_rp_le_set_ext_adv_params rp;
+ int err;
+ bdaddr_t random_addr;
+ u8 own_addr_type;
+@@ -6292,8 +6341,12 @@ static int hci_le_ext_directed_advertisi
+ if (err)
+ return err;
+
+- err = __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_EXT_ADV_PARAMS,
+- sizeof(cp), &cp, HCI_CMD_TIMEOUT);
++ err = hci_set_ext_adv_params_sync(hdev, NULL, &cp, &rp);
++ if (err)
++ return err;
++
++ /* Update adv data as tx power is known now */
++ err = hci_set_ext_adv_data_sync(hdev, cp.handle);
+ if (err)
+ return err;
+
--- /dev/null
+From 46c0d947b64ac8efcf89dd754213dab5d1bd00aa Mon Sep 17 00:00:00 2001
+From: Christian Eggers <ceggers@arri.de>
+Date: Wed, 25 Jun 2025 15:09:29 +0200
+Subject: Bluetooth: hci_sync: revert some mesh modifications
+
+From: Christian Eggers <ceggers@arri.de>
+
+commit 46c0d947b64ac8efcf89dd754213dab5d1bd00aa upstream.
+
+This reverts minor parts of the changes made in commit b338d91703fa
+("Bluetooth: Implement support for Mesh"). It looks like these changes
+were only made for development purposes but shouldn't have been part of
+the commit.
+
+Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_sync.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -2028,13 +2028,10 @@ static int hci_clear_adv_sets_sync(struc
+ static int hci_clear_adv_sync(struct hci_dev *hdev, struct sock *sk, bool force)
+ {
+ struct adv_info *adv, *n;
+- int err = 0;
+
+ if (ext_adv_capable(hdev))
+ /* Remove all existing sets */
+- err = hci_clear_adv_sets_sync(hdev, sk);
+- if (ext_adv_capable(hdev))
+- return err;
++ return hci_clear_adv_sets_sync(hdev, sk);
+
+ /* This is safe as long as there is no command send while the lock is
+ * held.
+@@ -2062,13 +2059,11 @@ static int hci_clear_adv_sync(struct hci
+ static int hci_remove_adv_sync(struct hci_dev *hdev, u8 instance,
+ struct sock *sk)
+ {
+- int err = 0;
++ int err;
+
+ /* If we use extended advertising, instance has to be removed first. */
+ if (ext_adv_capable(hdev))
+- err = hci_remove_ext_adv_instance_sync(hdev, instance, sk);
+- if (ext_adv_capable(hdev))
+- return err;
++ return hci_remove_ext_adv_instance_sync(hdev, instance, sk);
+
+ /* This is safe as long as there is no command send while the lock is
+ * held.
+@@ -2167,16 +2162,13 @@ int hci_read_tx_power_sync(struct hci_de
+ int hci_disable_advertising_sync(struct hci_dev *hdev)
+ {
+ u8 enable = 0x00;
+- int err = 0;
+
+ /* If controller is not advertising we are done. */
+ if (!hci_dev_test_flag(hdev, HCI_LE_ADV))
+ return 0;
+
+ if (ext_adv_capable(hdev))
+- err = hci_disable_ext_adv_instance_sync(hdev, 0x00);
+- if (ext_adv_capable(hdev))
+- return err;
++ return hci_disable_ext_adv_instance_sync(hdev, 0x00);
+
+ return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_ADV_ENABLE,
+ sizeof(enable), &enable, HCI_CMD_TIMEOUT);
--- /dev/null
+From f3cb5676e5c11c896ba647ee309a993e73531588 Mon Sep 17 00:00:00 2001
+From: Christian Eggers <ceggers@arri.de>
+Date: Wed, 25 Jun 2025 15:09:31 +0200
+Subject: Bluetooth: MGMT: mesh_send: check instances prior disabling advertising
+
+From: Christian Eggers <ceggers@arri.de>
+
+commit f3cb5676e5c11c896ba647ee309a993e73531588 upstream.
+
+The unconditional call of hci_disable_advertising_sync() in
+mesh_send_done_sync() also disables other LE advertisings (non mesh
+related).
+
+I am not sure whether this call is required at all, but checking the
+adv_instances list (like done at other places) seems to solve the
+problem.
+
+Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/mgmt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -1073,7 +1073,8 @@ static int mesh_send_done_sync(struct hc
+ struct mgmt_mesh_tx *mesh_tx;
+
+ hci_dev_clear_flag(hdev, HCI_MESH_SENDING);
+- hci_disable_advertising_sync(hdev);
++ if (list_empty(&hdev->adv_instances))
++ hci_disable_advertising_sync(hdev);
+ mesh_tx = mgmt_mesh_next(hdev, NULL);
+
+ if (mesh_tx)
--- /dev/null
+From e5af67a870f738bb8a4594b6c60c2caf4c87a3c9 Mon Sep 17 00:00:00 2001
+From: Christian Eggers <ceggers@arri.de>
+Date: Wed, 25 Jun 2025 15:09:30 +0200
+Subject: Bluetooth: MGMT: set_mesh: update LE scan interval and window
+
+From: Christian Eggers <ceggers@arri.de>
+
+commit e5af67a870f738bb8a4594b6c60c2caf4c87a3c9 upstream.
+
+According to the message of commit b338d91703fa ("Bluetooth: Implement
+support for Mesh"), MGMT_OP_SET_MESH_RECEIVER should set the passive scan
+parameters. Currently the scan interval and window parameters are
+silently ignored, although user space (bluetooth-meshd) expects that
+they can be used [1]
+
+[1] https://git.kernel.org/pub/scm/bluetooth/bluez.git/tree/mesh/mesh-io-mgmt.c#n344
+Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/mgmt.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -2146,6 +2146,9 @@ static int set_mesh_sync(struct hci_dev
+ else
+ hci_dev_clear_flag(hdev, HCI_MESH);
+
++ hdev->le_scan_interval = __le16_to_cpu(cp->period);
++ hdev->le_scan_window = __le16_to_cpu(cp->window);
++
+ len -= sizeof(*cp);
+
+ /* If filters don't fit, forward all adv pkts */
+@@ -2160,6 +2163,7 @@ static int set_mesh(struct sock *sk, str
+ {
+ struct mgmt_cp_set_mesh *cp = data;
+ struct mgmt_pending_cmd *cmd;
++ __u16 period, window;
+ int err = 0;
+
+ bt_dev_dbg(hdev, "sock %p", sk);
+@@ -2173,6 +2177,23 @@ static int set_mesh(struct sock *sk, str
+ return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
+ MGMT_STATUS_INVALID_PARAMS);
+
++ /* Keep allowed ranges in sync with set_scan_params() */
++ period = __le16_to_cpu(cp->period);
++
++ if (period < 0x0004 || period > 0x4000)
++ return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
++ MGMT_STATUS_INVALID_PARAMS);
++
++ window = __le16_to_cpu(cp->window);
++
++ if (window < 0x0004 || window > 0x4000)
++ return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
++ MGMT_STATUS_INVALID_PARAMS);
++
++ if (window > period)
++ return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
++ MGMT_STATUS_INVALID_PARAMS);
++
+ hci_dev_lock(hdev);
+
+ cmd = mgmt_pending_add(sk, MGMT_OP_SET_MESH_RECEIVER, hdev, data, len);
+@@ -6536,6 +6557,7 @@ static int set_scan_params(struct sock *
+ return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
+ MGMT_STATUS_NOT_SUPPORTED);
+
++ /* Keep allowed ranges in sync with set_mesh() */
+ interval = __le16_to_cpu(cp->interval);
+
+ if (interval < 0x0004 || interval > 0x4000)
--- /dev/null
+From 226862f50a7a88e4e4de9abbf36c64d19acd6fd0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ma=C3=ADra=20Canal?= <mcanal@igalia.com>
+Date: Sat, 28 Jun 2025 19:42:42 -0300
+Subject: drm/v3d: Disable interrupts before resetting the GPU
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: MaÃra Canal <mcanal@igalia.com>
+
+commit 226862f50a7a88e4e4de9abbf36c64d19acd6fd0 upstream.
+
+Currently, an interrupt can be triggered during a GPU reset, which can
+lead to GPU hangs and NULL pointer dereference in an interrupt context
+as shown in the following trace:
+
+ [ 314.035040] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c0
+ [ 314.043822] Mem abort info:
+ [ 314.046606] ESR = 0x0000000096000005
+ [ 314.050347] EC = 0x25: DABT (current EL), IL = 32 bits
+ [ 314.055651] SET = 0, FnV = 0
+ [ 314.058695] EA = 0, S1PTW = 0
+ [ 314.061826] FSC = 0x05: level 1 translation fault
+ [ 314.066694] Data abort info:
+ [ 314.069564] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
+ [ 314.075039] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
+ [ 314.080080] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+ [ 314.085382] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000102728000
+ [ 314.091814] [00000000000000c0] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
+ [ 314.100511] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
+ [ 314.106770] Modules linked in: v3d i2c_brcmstb vc4 snd_soc_hdmi_codec gpu_sched drm_shmem_helper drm_display_helper cec drm_dma_helper drm_kms_helper drm drm_panel_orientation_quirks snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm snd_timer snd backlight
+ [ 314.129654] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.25+rpt-rpi-v8 #1 Debian 1:6.12.25-1+rpt1
+ [ 314.139388] Hardware name: Raspberry Pi 4 Model B Rev 1.4 (DT)
+ [ 314.145211] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ [ 314.152165] pc : v3d_irq+0xec/0x2e0 [v3d]
+ [ 314.156187] lr : v3d_irq+0xe0/0x2e0 [v3d]
+ [ 314.160198] sp : ffffffc080003ea0
+ [ 314.163502] x29: ffffffc080003ea0 x28: ffffffec1f184980 x27: 021202b000000000
+ [ 314.170633] x26: ffffffec1f17f630 x25: ffffff8101372000 x24: ffffffec1f17d9f0
+ [ 314.177764] x23: 000000000000002a x22: 000000000000002a x21: ffffff8103252000
+ [ 314.184895] x20: 0000000000000001 x19: 00000000deadbeef x18: 0000000000000000
+ [ 314.192026] x17: ffffff94e51d2000 x16: ffffffec1dac3cb0 x15: c306000000000000
+ [ 314.199156] x14: 0000000000000000 x13: b2fc982e03cc5168 x12: 0000000000000001
+ [ 314.206286] x11: ffffff8103f8bcc0 x10: ffffffec1f196868 x9 : ffffffec1dac3874
+ [ 314.213416] x8 : 0000000000000000 x7 : 0000000000042a3a x6 : ffffff810017a180
+ [ 314.220547] x5 : ffffffec1ebad400 x4 : ffffffec1ebad320 x3 : 00000000000bebeb
+ [ 314.227677] x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000
+ [ 314.234807] Call trace:
+ [ 314.237243] v3d_irq+0xec/0x2e0 [v3d]
+ [ 314.240906] __handle_irq_event_percpu+0x58/0x218
+ [ 314.245609] handle_irq_event+0x54/0xb8
+ [ 314.249439] handle_fasteoi_irq+0xac/0x240
+ [ 314.253527] handle_irq_desc+0x48/0x68
+ [ 314.257269] generic_handle_domain_irq+0x24/0x38
+ [ 314.261879] gic_handle_irq+0x48/0xd8
+ [ 314.265533] call_on_irq_stack+0x24/0x58
+ [ 314.269448] do_interrupt_handler+0x88/0x98
+ [ 314.273624] el1_interrupt+0x34/0x68
+ [ 314.277193] el1h_64_irq_handler+0x18/0x28
+ [ 314.281281] el1h_64_irq+0x64/0x68
+ [ 314.284673] default_idle_call+0x3c/0x168
+ [ 314.288675] do_idle+0x1fc/0x230
+ [ 314.291895] cpu_startup_entry+0x3c/0x50
+ [ 314.295810] rest_init+0xe4/0xf0
+ [ 314.299030] start_kernel+0x5e8/0x790
+ [ 314.302684] __primary_switched+0x80/0x90
+ [ 314.306691] Code: 940029eb 360ffc13 f9442ea0 52800001 (f9406017)
+ [ 314.312775] ---[ end trace 0000000000000000 ]---
+ [ 314.317384] Kernel panic - not syncing: Oops: Fatal exception in interrupt
+ [ 314.324249] SMP: stopping secondary CPUs
+ [ 314.328167] Kernel Offset: 0x2b9da00000 from 0xffffffc080000000
+ [ 314.334076] PHYS_OFFSET: 0x0
+ [ 314.336946] CPU features: 0x08,00002013,c0200000,0200421b
+ [ 314.342337] Memory Limit: none
+ [ 314.345382] ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]---
+
+Before resetting the GPU, it's necessary to disable all interrupts and
+deal with any interrupt handler still in-flight. Otherwise, the GPU might
+reset with jobs still running, or yet, an interrupt could be handled
+during the reset.
+
+Cc: stable@vger.kernel.org
+Fixes: 57692c94dcbe ("drm/v3d: Introduce a new DRM driver for Broadcom V3D V3.x+")
+Reviewed-by: Juan A. Suarez <jasuarez@igalia.com>
+Reviewed-by: Iago Toral Quiroga <itoral@igalia.com>
+Link: https://lore.kernel.org/r/20250628224243.47599-1-mcanal@igalia.com
+Signed-off-by: MaÃra Canal <mcanal@igalia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/v3d/v3d_drv.h | 8 ++++++++
+ drivers/gpu/drm/v3d/v3d_gem.c | 2 ++
+ drivers/gpu/drm/v3d/v3d_irq.c | 37 +++++++++++++++++++++++++++----------
+ 3 files changed, 37 insertions(+), 10 deletions(-)
+
+--- a/drivers/gpu/drm/v3d/v3d_drv.h
++++ b/drivers/gpu/drm/v3d/v3d_drv.h
+@@ -95,6 +95,12 @@ struct v3d_perfmon {
+ u64 values[] __counted_by(ncounters);
+ };
+
++enum v3d_irq {
++ V3D_CORE_IRQ,
++ V3D_HUB_IRQ,
++ V3D_MAX_IRQS,
++};
++
+ struct v3d_dev {
+ struct drm_device drm;
+
+@@ -106,6 +112,8 @@ struct v3d_dev {
+
+ bool single_irq_line;
+
++ int irq[V3D_MAX_IRQS];
++
+ struct v3d_perfmon_info perfmon_info;
+
+ void __iomem *hub_regs;
+--- a/drivers/gpu/drm/v3d/v3d_gem.c
++++ b/drivers/gpu/drm/v3d/v3d_gem.c
+@@ -118,6 +118,8 @@ v3d_reset(struct v3d_dev *v3d)
+ if (false)
+ v3d_idle_axi(v3d, 0);
+
++ v3d_irq_disable(v3d);
++
+ v3d_idle_gca(v3d);
+ v3d_reset_v3d(v3d);
+
+--- a/drivers/gpu/drm/v3d/v3d_irq.c
++++ b/drivers/gpu/drm/v3d/v3d_irq.c
+@@ -228,7 +228,7 @@ v3d_hub_irq(int irq, void *arg)
+ int
+ v3d_irq_init(struct v3d_dev *v3d)
+ {
+- int irq1, ret, core;
++ int irq, ret, core;
+
+ INIT_WORK(&v3d->overflow_mem_work, v3d_overflow_mem_work);
+
+@@ -239,17 +239,24 @@ v3d_irq_init(struct v3d_dev *v3d)
+ V3D_CORE_WRITE(core, V3D_CTL_INT_CLR, V3D_CORE_IRQS(v3d->ver));
+ V3D_WRITE(V3D_HUB_INT_CLR, V3D_HUB_IRQS(v3d->ver));
+
+- irq1 = platform_get_irq_optional(v3d_to_pdev(v3d), 1);
+- if (irq1 == -EPROBE_DEFER)
+- return irq1;
+- if (irq1 > 0) {
+- ret = devm_request_irq(v3d->drm.dev, irq1,
++ irq = platform_get_irq_optional(v3d_to_pdev(v3d), 1);
++ if (irq == -EPROBE_DEFER)
++ return irq;
++ if (irq > 0) {
++ v3d->irq[V3D_CORE_IRQ] = irq;
++
++ ret = devm_request_irq(v3d->drm.dev, v3d->irq[V3D_CORE_IRQ],
+ v3d_irq, IRQF_SHARED,
+ "v3d_core0", v3d);
+ if (ret)
+ goto fail;
+- ret = devm_request_irq(v3d->drm.dev,
+- platform_get_irq(v3d_to_pdev(v3d), 0),
++
++ irq = platform_get_irq(v3d_to_pdev(v3d), 0);
++ if (irq < 0)
++ return irq;
++ v3d->irq[V3D_HUB_IRQ] = irq;
++
++ ret = devm_request_irq(v3d->drm.dev, v3d->irq[V3D_HUB_IRQ],
+ v3d_hub_irq, IRQF_SHARED,
+ "v3d_hub", v3d);
+ if (ret)
+@@ -257,8 +264,12 @@ v3d_irq_init(struct v3d_dev *v3d)
+ } else {
+ v3d->single_irq_line = true;
+
+- ret = devm_request_irq(v3d->drm.dev,
+- platform_get_irq(v3d_to_pdev(v3d), 0),
++ irq = platform_get_irq(v3d_to_pdev(v3d), 0);
++ if (irq < 0)
++ return irq;
++ v3d->irq[V3D_CORE_IRQ] = irq;
++
++ ret = devm_request_irq(v3d->drm.dev, v3d->irq[V3D_CORE_IRQ],
+ v3d_irq, IRQF_SHARED,
+ "v3d", v3d);
+ if (ret)
+@@ -299,6 +310,12 @@ v3d_irq_disable(struct v3d_dev *v3d)
+ V3D_CORE_WRITE(core, V3D_CTL_INT_MSK_SET, ~0);
+ V3D_WRITE(V3D_HUB_INT_MSK_SET, ~0);
+
++ /* Finish any interrupt handler still in flight. */
++ for (int i = 0; i < V3D_MAX_IRQS; i++) {
++ if (v3d->irq[i])
++ synchronize_irq(v3d->irq[i]);
++ }
++
+ /* Clear any pending interrupts we might have left. */
+ for (core = 0; core < v3d->cores; core++)
+ V3D_CORE_WRITE(core, V3D_CTL_INT_CLR, V3D_CORE_IRQS(v3d->ver));
--- /dev/null
+From 4cf65845fdd09d711fc7546d60c9abe010956922 Mon Sep 17 00:00:00 2001
+From: Yunshui Jiang <jiangyunshui@kylinos.cn>
+Date: Thu, 3 Jul 2025 21:56:02 -0700
+Subject: Input: cs40l50-vibra - fix potential NULL dereference in cs40l50_upload_owt()
+
+From: Yunshui Jiang <jiangyunshui@kylinos.cn>
+
+commit 4cf65845fdd09d711fc7546d60c9abe010956922 upstream.
+
+The cs40l50_upload_owt() function allocates memory via kmalloc()
+without checking for allocation failure, which could lead to a
+NULL pointer dereference.
+
+Return -ENOMEM in case allocation fails.
+
+Signed-off-by: Yunshui Jiang <jiangyunshui@kylinos.cn>
+Fixes: c38fe1bb5d21 ("Input: cs40l50 - Add support for the CS40L50 haptic driver")
+Link: https://lore.kernel.org/r/20250704024010.2353841-1-jiangyunshui@kylinos.cn
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/misc/cs40l50-vibra.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/input/misc/cs40l50-vibra.c b/drivers/input/misc/cs40l50-vibra.c
+index dce3b0ec8cf3..330f09123631 100644
+--- a/drivers/input/misc/cs40l50-vibra.c
++++ b/drivers/input/misc/cs40l50-vibra.c
+@@ -238,6 +238,8 @@ static int cs40l50_upload_owt(struct cs40l50_work *work_data)
+ header.data_words = len / sizeof(u32);
+
+ new_owt_effect_data = kmalloc(sizeof(header) + len, GFP_KERNEL);
++ if (!new_owt_effect_data)
++ return -ENOMEM;
+
+ memcpy(new_owt_effect_data, &header, sizeof(header));
+ memcpy(new_owt_effect_data + sizeof(header), work_data->custom_data, len);
+--
+2.50.0
+
--- /dev/null
+From 818625570558cd91082c9bafd6f2b59b73241a69 Mon Sep 17 00:00:00 2001
+From: Nicolin Chen <nicolinc@nvidia.com>
+Date: Tue, 24 Jun 2025 11:00:45 -0700
+Subject: iommufd/selftest: Fix iommufd_dirty_tracking with large hugepage sizes
+
+From: Nicolin Chen <nicolinc@nvidia.com>
+
+commit 818625570558cd91082c9bafd6f2b59b73241a69 upstream.
+
+The hugepage test cases of iommufd_dirty_tracking have the 64MB and 128MB
+coverages. Both of them are smaller than the default hugepage size 512MB,
+when CONFIG_PAGE_SIZE_64KB=y. However, these test cases have a variant of
+using huge pages, which would mmap(MAP_HUGETLB) using these smaller sizes
+than the system hugepag size. This results in the kernel aligning up the
+smaller size to 512MB. If a memory was located between the upper 64/128MB
+size boundary and the hugepage 512MB boundary, it would get wiped out:
+https://lore.kernel.org/all/aEoUhPYIAizTLADq@nvidia.com/
+
+Given that this aligning up behavior is well documented, we have no choice
+but to allocate a hugepage aligned size to avoid this unintended wipe out.
+Instead of relying on the kernel's internal force alignment, pass the same
+size to posix_memalign() and map().
+
+Also, fix the FIXTURE_TEARDOWN() misusing munmap() to free the memory from
+posix_memalign(), as munmap() doesn't destroy the allocator meta data. So,
+call free() instead.
+
+Fixes: a9af47e382a4 ("iommufd/selftest: Test IOMMU_HWPT_GET_DIRTY_BITMAP")
+Link: https://patch.msgid.link/r/1ea8609ae6d523fdd4d8efb179ddee79c8582cb6.1750787928.git.nicolinc@nvidia.com
+Cc: stable@vger.kernel.org
+Suggested-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/iommu/iommufd.c | 30 +++++++++++++++++++++---------
+ 1 file changed, 21 insertions(+), 9 deletions(-)
+
+--- a/tools/testing/selftests/iommu/iommufd.c
++++ b/tools/testing/selftests/iommu/iommufd.c
+@@ -1748,6 +1748,7 @@ FIXTURE_VARIANT(iommufd_dirty_tracking)
+
+ FIXTURE_SETUP(iommufd_dirty_tracking)
+ {
++ size_t mmap_buffer_size;
+ unsigned long size;
+ int mmap_flags;
+ void *vrc;
+@@ -1762,22 +1763,33 @@ FIXTURE_SETUP(iommufd_dirty_tracking)
+ self->fd = open("/dev/iommu", O_RDWR);
+ ASSERT_NE(-1, self->fd);
+
+- rc = posix_memalign(&self->buffer, HUGEPAGE_SIZE, variant->buffer_size);
+- if (rc || !self->buffer) {
+- SKIP(return, "Skipping buffer_size=%lu due to errno=%d",
+- variant->buffer_size, rc);
+- }
+-
+ mmap_flags = MAP_SHARED | MAP_ANONYMOUS | MAP_FIXED;
++ mmap_buffer_size = variant->buffer_size;
+ if (variant->hugepages) {
+ /*
+ * MAP_POPULATE will cause the kernel to fail mmap if THPs are
+ * not available.
+ */
+ mmap_flags |= MAP_HUGETLB | MAP_POPULATE;
++
++ /*
++ * Allocation must be aligned to the HUGEPAGE_SIZE, because the
++ * following mmap() will automatically align the length to be a
++ * multiple of the underlying huge page size. Failing to do the
++ * same at this allocation will result in a memory overwrite by
++ * the mmap().
++ */
++ if (mmap_buffer_size < HUGEPAGE_SIZE)
++ mmap_buffer_size = HUGEPAGE_SIZE;
++ }
++
++ rc = posix_memalign(&self->buffer, HUGEPAGE_SIZE, mmap_buffer_size);
++ if (rc || !self->buffer) {
++ SKIP(return, "Skipping buffer_size=%lu due to errno=%d",
++ mmap_buffer_size, rc);
+ }
+ assert((uintptr_t)self->buffer % HUGEPAGE_SIZE == 0);
+- vrc = mmap(self->buffer, variant->buffer_size, PROT_READ | PROT_WRITE,
++ vrc = mmap(self->buffer, mmap_buffer_size, PROT_READ | PROT_WRITE,
+ mmap_flags, -1, 0);
+ assert(vrc == self->buffer);
+
+@@ -1806,8 +1818,8 @@ FIXTURE_SETUP(iommufd_dirty_tracking)
+
+ FIXTURE_TEARDOWN(iommufd_dirty_tracking)
+ {
+- munmap(self->buffer, variant->buffer_size);
+- munmap(self->bitmap, DIV_ROUND_UP(self->bitmap_size, BITS_PER_BYTE));
++ free(self->buffer);
++ free(self->bitmap);
+ teardown_iommufd(self->fd, _metadata);
+ }
+
--- /dev/null
+From 009c3a4bc41e855fd76f92727f9fbae4e5917d7f Mon Sep 17 00:00:00 2001
+From: Avri Altman <avri.altman@sandisk.com>
+Date: Mon, 26 May 2025 14:44:45 +0300
+Subject: mmc: core: sd: Apply BROKEN_SD_DISCARD quirk earlier
+
+From: Avri Altman <avri.altman@sandisk.com>
+
+commit 009c3a4bc41e855fd76f92727f9fbae4e5917d7f upstream.
+
+Move the BROKEN_SD_DISCARD quirk for certain SanDisk SD cards from the
+`mmc_blk_fixups[]` to `mmc_sd_fixups[]`. This ensures the quirk is
+applied earlier in the device initialization process, aligning with the
+reasoning in [1]. Applying the quirk sooner prevents the kernel from
+incorrectly enabling discard support on affected cards during initial
+setup.
+
+[1] https://lore.kernel.org/all/20240820230631.GA436523@sony.com
+
+Fixes: 07d2872bf4c8 ("mmc: core: Add SD card quirk for broken discard")
+Signed-off-by: Avri Altman <avri.altman@sandisk.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250526114445.675548-1-avri.altman@sandisk.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/quirks.h | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/mmc/core/quirks.h
++++ b/drivers/mmc/core/quirks.h
+@@ -44,6 +44,12 @@ static const struct mmc_fixup __maybe_un
+ 0, -1ull, SDIO_ANY_ID, SDIO_ANY_ID, add_quirk_sd,
+ MMC_QUIRK_NO_UHS_DDR50_TUNING, EXT_CSD_REV_ANY),
+
++ /*
++ * Some SD cards reports discard support while they don't
++ */
++ MMC_FIXUP(CID_NAME_ANY, CID_MANFID_SANDISK_SD, 0x5344, add_quirk_sd,
++ MMC_QUIRK_BROKEN_SD_DISCARD),
++
+ END_FIXUP
+ };
+
+@@ -147,12 +153,6 @@ static const struct mmc_fixup __maybe_un
+ MMC_FIXUP("M62704", CID_MANFID_KINGSTON, 0x0100, add_quirk_mmc,
+ MMC_QUIRK_TRIM_BROKEN),
+
+- /*
+- * Some SD cards reports discard support while they don't
+- */
+- MMC_FIXUP(CID_NAME_ANY, CID_MANFID_SANDISK_SD, 0x5344, add_quirk_sd,
+- MMC_QUIRK_BROKEN_SD_DISCARD),
+-
+ END_FIXUP
+ };
+
--- /dev/null
+From 2881ba9af073faa8ee7408a8d1e0575e50eb3f6c Mon Sep 17 00:00:00 2001
+From: Victor Shih <victor.shih@genesyslogic.com.tw>
+Date: Fri, 6 Jun 2025 19:01:20 +0800
+Subject: mmc: sdhci: Add a helper function for dump register in dynamic debug mode
+
+From: Victor Shih <victor.shih@genesyslogic.com.tw>
+
+commit 2881ba9af073faa8ee7408a8d1e0575e50eb3f6c upstream.
+
+Add a helper function for dump register in dynamic debug mode.
+
+Signed-off-by: Victor Shih <victor.shih@genesyslogic.com.tw>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250606110121.96314-3-victorshihgli@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci.h | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/mmc/host/sdhci.h
++++ b/drivers/mmc/host/sdhci.h
+@@ -825,4 +825,20 @@ void sdhci_switch_external_dma(struct sd
+ void sdhci_set_data_timeout_irq(struct sdhci_host *host, bool enable);
+ void __sdhci_set_timeout(struct sdhci_host *host, struct mmc_command *cmd);
+
++#if defined(CONFIG_DYNAMIC_DEBUG) || \
++ (defined(CONFIG_DYNAMIC_DEBUG_CORE) && defined(DYNAMIC_DEBUG_MODULE))
++#define SDHCI_DBG_ANYWAY 0
++#elif defined(DEBUG)
++#define SDHCI_DBG_ANYWAY 1
++#else
++#define SDHCI_DBG_ANYWAY 0
++#endif
++
++#define sdhci_dbg_dumpregs(host, fmt) \
++do { \
++ DEFINE_DYNAMIC_DEBUG_METADATA(descriptor, fmt); \
++ if (DYNAMIC_DEBUG_BRANCH(descriptor) || SDHCI_DBG_ANYWAY) \
++ sdhci_dumpregs(host); \
++} while (0)
++
+ #endif /* __SDHCI_HW_H */
--- /dev/null
+From 539d80575b810c7a5987c7ac8915e3bc99c03695 Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Date: Thu, 5 Jun 2025 10:07:38 +0900
+Subject: mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+commit 539d80575b810c7a5987c7ac8915e3bc99c03695 upstream.
+
+When swiotlb buffer is full, the dma_map_sg() returns 0 to
+msdc_prepare_data(), but it does not check it and sets the
+MSDC_PREPARE_FLAG.
+
+swiotlb_tbl_map_single() /* prints "swiotlb buffer is full" */
+ <-swiotlb_map()
+ <-dma_direct_map_page()
+ <-dma_direct_map_sg()
+ <-__dma_map_sg_attrs()
+ <-dma_map_sg_attrs()
+ <-dma_map_sg() /* returns 0 (pages mapped) */
+ <-msdc_prepare_data()
+
+Then, the msdc_unprepare_data() checks MSDC_PREPARE_FLAG and calls
+dma_unmap_sg() with unmapped pages. It causes a page fault.
+
+To fix this problem, Do not set MSDC_PREPARE_FLAG if dma_map_sg()
+fails because this is not prepared.
+
+Fixes: 208489032bdd ("mmc: mediatek: Add Mediatek MMC driver")
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Tested-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/174908565814.4056588.769599127120955383.stgit@mhiramat.tok.corp.google.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/mtk-sd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/mtk-sd.c
++++ b/drivers/mmc/host/mtk-sd.c
+@@ -776,9 +776,10 @@ static inline void msdc_dma_setup(struct
+ static void msdc_prepare_data(struct msdc_host *host, struct mmc_data *data)
+ {
+ if (!(data->host_cookie & MSDC_PREPARE_FLAG)) {
+- data->host_cookie |= MSDC_PREPARE_FLAG;
+ data->sg_count = dma_map_sg(host->dev, data->sg, data->sg_len,
+ mmc_get_dma_dir(data));
++ if (data->sg_count)
++ data->host_cookie |= MSDC_PREPARE_FLAG;
+ }
+ }
+
--- /dev/null
+From f5de469990f19569627ea0dd56536ff5a13beaa3 Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Date: Thu, 12 Jun 2025 20:26:10 +0900
+Subject: mtk-sd: Prevent memory corruption from DMA map failure
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+commit f5de469990f19569627ea0dd56536ff5a13beaa3 upstream.
+
+If msdc_prepare_data() fails to map the DMA region, the request is
+not prepared for data receiving, but msdc_start_data() proceeds
+the DMA with previous setting.
+Since this will lead a memory corruption, we have to stop the
+request operation soon after the msdc_prepare_data() fails to
+prepare it.
+
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Fixes: 208489032bdd ("mmc: mediatek: Add Mediatek MMC driver")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/174972756982.3337526.6755001617701603082.stgit@mhiramat.tok.corp.google.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/mtk-sd.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/mtk-sd.c
++++ b/drivers/mmc/host/mtk-sd.c
+@@ -783,6 +783,11 @@ static void msdc_prepare_data(struct msd
+ }
+ }
+
++static bool msdc_data_prepared(struct mmc_data *data)
++{
++ return data->host_cookie & MSDC_PREPARE_FLAG;
++}
++
+ static void msdc_unprepare_data(struct msdc_host *host, struct mmc_data *data)
+ {
+ if (data->host_cookie & MSDC_ASYNC_FLAG)
+@@ -1346,8 +1351,18 @@ static void msdc_ops_request(struct mmc_
+ WARN_ON(host->mrq);
+ host->mrq = mrq;
+
+- if (mrq->data)
++ if (mrq->data) {
+ msdc_prepare_data(host, mrq->data);
++ if (!msdc_data_prepared(mrq->data)) {
++ /*
++ * Failed to prepare DMA area, fail fast before
++ * starting any commands.
++ */
++ mrq->cmd->error = -ENOSPC;
++ mmc_request_done(mmc_from_priv(host), mrq);
++ return;
++ }
++ }
+
+ /* if SBC is required, we have HW option and SW option.
+ * if HW option is enabled, and SBC does not have "special" flags,
--- /dev/null
+From ec54c0a20709ed6e56f40a8d59eee725c31a916b Mon Sep 17 00:00:00 2001
+From: Sergey Senozhatsky <senozhatsky@chromium.org>
+Date: Wed, 25 Jun 2025 14:20:37 +0900
+Subject: mtk-sd: reset host->mrq on prepare_data() error
+
+From: Sergey Senozhatsky <senozhatsky@chromium.org>
+
+commit ec54c0a20709ed6e56f40a8d59eee725c31a916b upstream.
+
+Do not leave host with dangling ->mrq pointer if we hit
+the msdc_prepare_data() error out path.
+
+Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Reviewed-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Fixes: f5de469990f1 ("mtk-sd: Prevent memory corruption from DMA map failure")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250625052106.584905-1-senozhatsky@chromium.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/mtk-sd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mmc/host/mtk-sd.c
++++ b/drivers/mmc/host/mtk-sd.c
+@@ -1354,6 +1354,7 @@ static void msdc_ops_request(struct mmc_
+ if (mrq->data) {
+ msdc_prepare_data(host, mrq->data);
+ if (!msdc_data_prepared(mrq->data)) {
++ host->mrq = NULL;
+ /*
+ * Failed to prepare DMA area, fail fast before
+ * starting any commands.
--- /dev/null
+From 5186ff7e1d0e26aaef998ba18b31c79c28d1441f Mon Sep 17 00:00:00 2001
+From: Jiawen Wu <jiawenwu@trustnetic.com>
+Date: Tue, 1 Jul 2025 15:06:25 +0800
+Subject: net: libwx: fix the incorrect display of the queue number
+
+From: Jiawen Wu <jiawenwu@trustnetic.com>
+
+commit 5186ff7e1d0e26aaef998ba18b31c79c28d1441f upstream.
+
+When setting "ethtool -L eth0 combined 1", the number of RX/TX queue is
+changed to be 1. RSS is disabled at this moment, and the indices of FDIR
+have not be changed in wx_set_rss_queues(). So the combined count still
+shows the previous value. This issue was introduced when supporting
+FDIR. Fix it for those devices that support FDIR.
+
+Fixes: 34744a7749b3 ("net: txgbe: add FDIR info to ethtool ops")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/A5C8FE56D6C04608+20250701070625.73680-1-jiawenwu@trustnetic.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/wangxun/libwx/wx_lib.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/wangxun/libwx/wx_lib.c
++++ b/drivers/net/ethernet/wangxun/libwx/wx_lib.c
+@@ -1585,6 +1585,7 @@ static void wx_set_rss_queues(struct wx
+
+ clear_bit(WX_FLAG_FDIR_HASH, wx->flags);
+
++ wx->ring_feature[RING_F_FDIR].indices = 1;
+ /* Use Flow Director in addition to RSS to ensure the best
+ * distribution of flows across cores, even when an FDIR flow
+ * isn't matched.
--- /dev/null
+From cc9f7f65cd2f31150b10e6956f1f0882e1bbae49 Mon Sep 17 00:00:00 2001
+From: Jiawen Wu <jiawenwu@trustnetic.com>
+Date: Tue, 1 Jul 2025 14:30:28 +0800
+Subject: net: txgbe: request MISC IRQ in ndo_open
+
+From: Jiawen Wu <jiawenwu@trustnetic.com>
+
+commit cc9f7f65cd2f31150b10e6956f1f0882e1bbae49 upstream.
+
+Move the creating of irq_domain for MISC IRQ from .probe to .ndo_open,
+and free it in .ndo_stop, to maintain consistency with the queue IRQs.
+This it for subsequent adjustments to the IRQ vectors.
+
+Fixes: aefd013624a1 ("net: txgbe: use irq_domain for interrupt controller")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
+Reviewed-by: Michal Swiatkowski <michal.swiatkowski@linux.intel.com>
+Link: https://patch.msgid.link/20250701063030.59340-2-jiawenwu@trustnetic.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c | 2 +-
+ drivers/net/ethernet/wangxun/txgbe/txgbe_main.c | 22 ++++++++++------------
+ 2 files changed, 11 insertions(+), 13 deletions(-)
+
+--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c
++++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_irq.c
+@@ -68,7 +68,6 @@ free_queue_irqs:
+ free_irq(wx->msix_q_entries[vector].vector,
+ wx->q_vector[vector]);
+ }
+- wx_reset_interrupt_capability(wx);
+ return err;
+ }
+
+@@ -169,6 +168,7 @@ void txgbe_free_misc_irq(struct txgbe *t
+ free_irq(txgbe->link_irq, txgbe);
+ free_irq(txgbe->misc.irq, txgbe);
+ txgbe_del_irq_domain(txgbe);
++ txgbe->wx->misc_irq_domain = false;
+ }
+
+ int txgbe_setup_misc_irq(struct txgbe *txgbe)
+--- a/drivers/net/ethernet/wangxun/txgbe/txgbe_main.c
++++ b/drivers/net/ethernet/wangxun/txgbe/txgbe_main.c
+@@ -308,10 +308,14 @@ static int txgbe_open(struct net_device
+
+ wx_configure(wx);
+
+- err = txgbe_request_queue_irqs(wx);
++ err = txgbe_setup_misc_irq(wx->priv);
+ if (err)
+ goto err_free_resources;
+
++ err = txgbe_request_queue_irqs(wx);
++ if (err)
++ goto err_free_misc_irq;
++
+ /* Notify the stack of the actual queue counts. */
+ err = netif_set_real_num_tx_queues(netdev, wx->num_tx_queues);
+ if (err)
+@@ -327,6 +331,9 @@ static int txgbe_open(struct net_device
+
+ err_free_irq:
+ wx_free_irq(wx);
++err_free_misc_irq:
++ txgbe_free_misc_irq(wx->priv);
++ wx_reset_interrupt_capability(wx);
+ err_free_resources:
+ wx_free_resources(wx);
+ err_reset:
+@@ -365,6 +372,7 @@ static int txgbe_close(struct net_device
+
+ txgbe_down(wx);
+ wx_free_irq(wx);
++ txgbe_free_misc_irq(wx->priv);
+ wx_free_resources(wx);
+ txgbe_fdir_filter_exit(wx);
+ wx_control_hw(wx, false);
+@@ -410,7 +418,6 @@ static void txgbe_shutdown(struct pci_de
+ int txgbe_setup_tc(struct net_device *dev, u8 tc)
+ {
+ struct wx *wx = netdev_priv(dev);
+- struct txgbe *txgbe = wx->priv;
+
+ /* Hardware has to reinitialize queues and interrupts to
+ * match packet buffer alignment. Unfortunately, the
+@@ -421,7 +428,6 @@ int txgbe_setup_tc(struct net_device *de
+ else
+ txgbe_reset(wx);
+
+- txgbe_free_misc_irq(txgbe);
+ wx_clear_interrupt_scheme(wx);
+
+ if (tc)
+@@ -430,7 +436,6 @@ int txgbe_setup_tc(struct net_device *de
+ netdev_reset_tc(dev);
+
+ wx_init_interrupt_scheme(wx);
+- txgbe_setup_misc_irq(txgbe);
+
+ if (netif_running(dev))
+ txgbe_open(dev);
+@@ -677,13 +682,9 @@ static int txgbe_probe(struct pci_dev *p
+
+ txgbe_init_fdir(txgbe);
+
+- err = txgbe_setup_misc_irq(txgbe);
+- if (err)
+- goto err_release_hw;
+-
+ err = txgbe_init_phy(txgbe);
+ if (err)
+- goto err_free_misc_irq;
++ goto err_release_hw;
+
+ err = register_netdev(netdev);
+ if (err)
+@@ -711,8 +712,6 @@ static int txgbe_probe(struct pci_dev *p
+
+ err_remove_phy:
+ txgbe_remove_phy(txgbe);
+-err_free_misc_irq:
+- txgbe_free_misc_irq(txgbe);
+ err_release_hw:
+ wx_clear_interrupt_scheme(wx);
+ wx_control_hw(wx, false);
+@@ -746,7 +745,6 @@ static void txgbe_remove(struct pci_dev
+ unregister_netdev(netdev);
+
+ txgbe_remove_phy(txgbe);
+- txgbe_free_misc_irq(txgbe);
+ wx_free_isb_resources(wx);
+
+ pci_release_selected_regions(pdev,
--- /dev/null
+From c9764fd88bc744592b0604ccb6b6fc1a5f76b4e3 Mon Sep 17 00:00:00 2001
+From: Manivannan Sadhasivam <mani@kernel.org>
+Date: Thu, 3 Jul 2025 16:05:49 +0530
+Subject: regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods
+
+From: Manivannan Sadhasivam <mani@kernel.org>
+
+commit c9764fd88bc744592b0604ccb6b6fc1a5f76b4e3 upstream.
+
+drvdata::gpiods is supposed to hold an array of 'gpio_desc' pointers. But
+the memory is allocated for only one pointer. This will lead to
+out-of-bounds access later in the code if 'config::ngpios' is > 1. So
+fix the code to allocate enough memory to hold 'config::ngpios' of GPIO
+descriptors.
+
+While at it, also move the check for memory allocation failure to be below
+the allocation to make it more readable.
+
+Cc: stable@vger.kernel.org # 5.0
+Fixes: d6cd33ad7102 ("regulator: gpio: Convert to use descriptors")
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Link: https://patch.msgid.link/20250703103549.16558-1-mani@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/regulator/gpio-regulator.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/regulator/gpio-regulator.c
++++ b/drivers/regulator/gpio-regulator.c
+@@ -260,8 +260,10 @@ static int gpio_regulator_probe(struct p
+ return -ENOMEM;
+ }
+
+- drvdata->gpiods = devm_kzalloc(dev, sizeof(struct gpio_desc *),
+- GFP_KERNEL);
++ drvdata->gpiods = devm_kcalloc(dev, config->ngpios,
++ sizeof(struct gpio_desc *), GFP_KERNEL);
++ if (!drvdata->gpiods)
++ return -ENOMEM;
+
+ if (config->input_supply) {
+ drvdata->desc.supply_name = devm_kstrdup(&pdev->dev,
+@@ -274,8 +276,6 @@ static int gpio_regulator_probe(struct p
+ }
+ }
+
+- if (!drvdata->gpiods)
+- return -ENOMEM;
+ for (i = 0; i < config->ngpios; i++) {
+ drvdata->gpiods[i] = devm_gpiod_get_index(dev,
+ NULL,
--- /dev/null
+From dcc3bcfc5b50c625b475dcc25d167b6b947a6637 Mon Sep 17 00:00:00 2001
+From: Ulf Hansson <ulf.hansson@linaro.org>
+Date: Tue, 24 Jun 2025 13:09:32 +0200
+Subject: Revert "mmc: sdhci: Disable SD card clock before changing parameters"
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+commit dcc3bcfc5b50c625b475dcc25d167b6b947a6637 upstream.
+
+It has turned out the trying to strictly conform to the SDHCI specification
+is causing problems. Let's revert and start over.
+
+This reverts commit fb3bbc46c94f261b6156ee863c1b06c84cf157dc.
+
+Cc: Erick Shepherd <erick.shepherd@ni.com>
+Cc: stable@vger.kernel.org
+Fixes: fb3bbc46c94f ("mmc: sdhci: Disable SD card clock before changing parameters")
+Suggested-by: Adrian Hunter <adrian.hunter@intel.com>
+Reported-by: Jonathan Liu <net147@gmail.com>
+Reported-by: Salvatore Bonaccorso <carnil@debian.org>
+Closes: https://bugs.debian.org/1108065
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Link: https://lore.kernel.org/r/20250624110932.176925-1-ulf.hansson@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -2035,15 +2035,10 @@ void sdhci_set_clock(struct sdhci_host *
+
+ host->mmc->actual_clock = 0;
+
+- clk = sdhci_readw(host, SDHCI_CLOCK_CONTROL);
+- if (clk & SDHCI_CLOCK_CARD_EN)
+- sdhci_writew(host, clk & ~SDHCI_CLOCK_CARD_EN,
+- SDHCI_CLOCK_CONTROL);
++ sdhci_writew(host, 0, SDHCI_CLOCK_CONTROL);
+
+- if (clock == 0) {
+- sdhci_writew(host, 0, SDHCI_CLOCK_CONTROL);
++ if (clock == 0)
+ return;
+- }
+
+ clk = sdhci_calc_clk(host, clock, &host->mmc->actual_clock);
+ sdhci_enable_clk(host, clk);
--- /dev/null
+From b97a7972b1f4f81417840b9a2ab0c19722b577d5 Mon Sep 17 00:00:00 2001
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+Date: Wed, 25 Jun 2025 11:28:29 +0200
+Subject: s390/pci: Do not try re-enabling load/store if device is disabled
+
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+
+commit b97a7972b1f4f81417840b9a2ab0c19722b577d5 upstream.
+
+If a device is disabled unblocking load/store on its own is not useful
+as a full re-enable of the function is necessary anyway. Note that SCLP
+Write Event Data Action Qualifier 0 (Reset) leaves the device disabled
+and triggers this case unless the driver already requests a reset.
+
+Cc: stable@vger.kernel.org
+Fixes: 4cdf2f4e24ff ("s390/pci: implement minimal PCI error recovery")
+Reviewed-by: Farhan Ali <alifm@linux.ibm.com>
+Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/pci/pci_event.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/s390/pci/pci_event.c
++++ b/arch/s390/pci/pci_event.c
+@@ -105,6 +105,10 @@ static pci_ers_result_t zpci_event_do_er
+ struct zpci_dev *zdev = to_zpci(pdev);
+ int rc;
+
++ /* The underlying device may have been disabled by the event */
++ if (!zdev_enabled(zdev))
++ return PCI_ERS_RESULT_NEED_RESET;
++
+ pr_info("%s: Unblocking device access for examination\n", pci_name(pdev));
+ rc = zpci_reset_load_store_blocked(zdev);
+ if (rc) {
--- /dev/null
+From 45537926dd2aaa9190ac0fac5a0fbeefcadfea95 Mon Sep 17 00:00:00 2001
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+Date: Wed, 25 Jun 2025 11:28:28 +0200
+Subject: s390/pci: Fix stale function handles in error handling
+
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+
+commit 45537926dd2aaa9190ac0fac5a0fbeefcadfea95 upstream.
+
+The error event information for PCI error events contains a function
+handle for the respective function. This handle is generally captured at
+the time the error event was recorded. Due to delays in processing or
+cascading issues, it may happen that during firmware recovery multiple
+events are generated. When processing these events in order Linux may
+already have recovered an affected function making the event information
+stale. Fix this by doing an unconditional CLP List PCI function
+retrieving the current function handle with the zdev->state_lock held
+and ignoring the event if its function handle is stale.
+
+Cc: stable@vger.kernel.org
+Fixes: 4cdf2f4e24ff ("s390/pci: implement minimal PCI error recovery")
+Reviewed-by: Julian Ruess <julianr@linux.ibm.com>
+Reviewed-by: Gerd Bayer <gbayer@linux.ibm.com>
+Reviewed-by: Farhan Ali <alifm@linux.ibm.com>
+Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/pci/pci_event.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/arch/s390/pci/pci_event.c
++++ b/arch/s390/pci/pci_event.c
+@@ -260,6 +260,8 @@ static void __zpci_event_error(struct zp
+ struct zpci_dev *zdev = get_zdev_by_fid(ccdf->fid);
+ struct pci_dev *pdev = NULL;
+ pci_ers_result_t ers_res;
++ u32 fh = 0;
++ int rc;
+
+ zpci_dbg(3, "err fid:%x, fh:%x, pec:%x\n",
+ ccdf->fid, ccdf->fh, ccdf->pec);
+@@ -268,6 +270,15 @@ static void __zpci_event_error(struct zp
+
+ if (zdev) {
+ mutex_lock(&zdev->state_lock);
++ rc = clp_refresh_fh(zdev->fid, &fh);
++ if (rc)
++ goto no_pdev;
++ if (!fh || ccdf->fh != fh) {
++ /* Ignore events with stale handles */
++ zpci_dbg(3, "err fid:%x, fh:%x (stale %x)\n",
++ ccdf->fid, fh, ccdf->fh);
++ goto no_pdev;
++ }
+ zpci_update_fh(zdev, ccdf->fh);
+ if (zdev->zbus->bus)
+ pdev = pci_get_slot(zdev->zbus->bus, zdev->devfn);
rtc-pcf2127-add-missing-semicolon-after-statement.patch
rtc-pcf2127-fix-spi-command-byte-for-pcf2131.patch
rtc-cmos-use-spin_lock_irqsave-in-cmos_interrupt.patch
+virtio-net-xsk-rx-fix-the-frame-s-length-check.patch
+virtio-net-ensure-the-received-length-does-not-exceed-allocated-size.patch
+s390-pci-fix-stale-function-handles-in-error-handling.patch
+s390-pci-do-not-try-re-enabling-load-store-if-device-is-disabled.patch
+net-txgbe-request-misc-irq-in-ndo_open.patch
+vsock-vmci-clear-the-vmci-transport-packet-properly-when-initializing-it.patch
+net-libwx-fix-the-incorrect-display-of-the-queue-number.patch
+mmc-sdhci-add-a-helper-function-for-dump-register-in-dynamic-debug-mode.patch
+revert-mmc-sdhci-disable-sd-card-clock-before-changing-parameters.patch
+mmc-core-sd-apply-broken_sd_discard-quirk-earlier.patch
+bluetooth-hci-set-extended-advertising-data-synchronously.patch
+bluetooth-hci_sync-revert-some-mesh-modifications.patch
+bluetooth-mgmt-set_mesh-update-le-scan-interval-and-window.patch
+bluetooth-mgmt-mesh_send-check-instances-prior-disabling-advertising.patch
+iommufd-selftest-fix-iommufd_dirty_tracking-with-large-hugepage-sizes.patch
+regulator-gpio-fix-the-out-of-bounds-access-to-drvdata-gpiods.patch
+input-cs40l50-vibra-fix-potential-null-dereference-in-cs40l50_upload_owt.patch
+usb-typec-altmodes-displayport-do-not-index-invalid-pin_assignments.patch
+mtk-sd-fix-a-pagefault-in-dma_unmap_sg-for-not-prepared-data.patch
+mtk-sd-prevent-memory-corruption-from-dma-map-failure.patch
+mtk-sd-reset-host-mrq-on-prepare_data-error.patch
+drm-v3d-disable-interrupts-before-resetting-the-gpu.patch
--- /dev/null
+From af4db5a35a4ef7a68046883bfd12468007db38f1 Mon Sep 17 00:00:00 2001
+From: RD Babiera <rdbabiera@google.com>
+Date: Wed, 18 Jun 2025 22:49:42 +0000
+Subject: usb: typec: altmodes/displayport: do not index invalid pin_assignments
+
+From: RD Babiera <rdbabiera@google.com>
+
+commit af4db5a35a4ef7a68046883bfd12468007db38f1 upstream.
+
+A poorly implemented DisplayPort Alt Mode port partner can indicate
+that its pin assignment capabilities are greater than the maximum
+value, DP_PIN_ASSIGN_F. In this case, calls to pin_assignment_show
+will cause a BRK exception due to an out of bounds array access.
+
+Prevent for loop in pin_assignment_show from accessing
+invalid values in pin_assignments by adding DP_PIN_ASSIGN_MAX
+value in typec_dp.h and using i < DP_PIN_ASSIGN_MAX as a loop
+condition.
+
+Fixes: 0e3bb7d6894d ("usb: typec: Add driver for DisplayPort alternate mode")
+Cc: stable <stable@kernel.org>
+Signed-off-by: RD Babiera <rdbabiera@google.com>
+Reviewed-by: Badhri Jagan Sridharan <badhri@google.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20250618224943.3263103-2-rdbabiera@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/altmodes/displayport.c | 2 +-
+ include/linux/usb/typec_dp.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/altmodes/displayport.c
++++ b/drivers/usb/typec/altmodes/displayport.c
+@@ -677,7 +677,7 @@ static ssize_t pin_assignment_show(struc
+
+ assignments = get_current_pin_assignments(dp);
+
+- for (i = 0; assignments; assignments >>= 1, i++) {
++ for (i = 0; assignments && i < DP_PIN_ASSIGN_MAX; assignments >>= 1, i++) {
+ if (assignments & 1) {
+ if (i == cur)
+ len += sprintf(buf + len, "[%s] ",
+--- a/include/linux/usb/typec_dp.h
++++ b/include/linux/usb/typec_dp.h
+@@ -57,6 +57,7 @@ enum {
+ DP_PIN_ASSIGN_D,
+ DP_PIN_ASSIGN_E,
+ DP_PIN_ASSIGN_F, /* Not supported after v1.0b */
++ DP_PIN_ASSIGN_MAX,
+ };
+
+ /* DisplayPort alt mode specific commands */
--- /dev/null
+From 315dbdd7cdf6aa533829774caaf4d25f1fd20e73 Mon Sep 17 00:00:00 2001
+From: Bui Quang Minh <minhquangbui99@gmail.com>
+Date: Mon, 30 Jun 2025 21:42:10 +0700
+Subject: virtio-net: ensure the received length does not exceed allocated size
+
+From: Bui Quang Minh <minhquangbui99@gmail.com>
+
+commit 315dbdd7cdf6aa533829774caaf4d25f1fd20e73 upstream.
+
+In xdp_linearize_page, when reading the following buffers from the ring,
+we forget to check the received length with the true allocate size. This
+can lead to an out-of-bound read. This commit adds that missing check.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 4941d472bf95 ("virtio-net: do not reset during XDP set")
+Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com>
+Acked-by: Jason Wang <jasowang@redhat.com>
+Link: https://patch.msgid.link/20250630144212.48471-2-minhquangbui99@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/virtio_net.c | 38 ++++++++++++++++++++++++++++++++++----
+ 1 file changed, 34 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -765,6 +765,26 @@ static unsigned int mergeable_ctx_to_tru
+ return (unsigned long)mrg_ctx & ((1 << MRG_CTX_HEADER_SHIFT) - 1);
+ }
+
++static int check_mergeable_len(struct net_device *dev, void *mrg_ctx,
++ unsigned int len)
++{
++ unsigned int headroom, tailroom, room, truesize;
++
++ truesize = mergeable_ctx_to_truesize(mrg_ctx);
++ headroom = mergeable_ctx_to_headroom(mrg_ctx);
++ tailroom = headroom ? sizeof(struct skb_shared_info) : 0;
++ room = SKB_DATA_ALIGN(headroom + tailroom);
++
++ if (len > truesize - room) {
++ pr_debug("%s: rx error: len %u exceeds truesize %lu\n",
++ dev->name, len, (unsigned long)(truesize - room));
++ DEV_STATS_INC(dev, rx_length_errors);
++ return -1;
++ }
++
++ return 0;
++}
++
+ static struct sk_buff *virtnet_build_skb(void *buf, unsigned int buflen,
+ unsigned int headroom,
+ unsigned int len)
+@@ -1663,7 +1683,8 @@ static unsigned int virtnet_get_headroom
+ * across multiple buffers (num_buf > 1), and we make sure buffers
+ * have enough headroom.
+ */
+-static struct page *xdp_linearize_page(struct receive_queue *rq,
++static struct page *xdp_linearize_page(struct net_device *dev,
++ struct receive_queue *rq,
+ int *num_buf,
+ struct page *p,
+ int offset,
+@@ -1683,18 +1704,27 @@ static struct page *xdp_linearize_page(s
+ memcpy(page_address(page) + page_off, page_address(p) + offset, *len);
+ page_off += *len;
+
++ /* Only mergeable mode can go inside this while loop. In small mode,
++ * *num_buf == 1, so it cannot go inside.
++ */
+ while (--*num_buf) {
+ unsigned int buflen;
+ void *buf;
++ void *ctx;
+ int off;
+
+- buf = virtnet_rq_get_buf(rq, &buflen, NULL);
++ buf = virtnet_rq_get_buf(rq, &buflen, &ctx);
+ if (unlikely(!buf))
+ goto err_buf;
+
+ p = virt_to_head_page(buf);
+ off = buf - page_address(p);
+
++ if (check_mergeable_len(dev, ctx, buflen)) {
++ put_page(p);
++ goto err_buf;
++ }
++
+ /* guard against a misconfigured or uncooperative backend that
+ * is sending packet larger than the MTU.
+ */
+@@ -1783,7 +1813,7 @@ static struct sk_buff *receive_small_xdp
+ headroom = vi->hdr_len + header_offset;
+ buflen = SKB_DATA_ALIGN(GOOD_PACKET_LEN + headroom) +
+ SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
+- xdp_page = xdp_linearize_page(rq, &num_buf, page,
++ xdp_page = xdp_linearize_page(dev, rq, &num_buf, page,
+ offset, header_offset,
+ &tlen);
+ if (!xdp_page)
+@@ -2118,7 +2148,7 @@ static void *mergeable_xdp_get_buf(struc
+ */
+ if (!xdp_prog->aux->xdp_has_frags) {
+ /* linearize data for XDP */
+- xdp_page = xdp_linearize_page(rq, num_buf,
++ xdp_page = xdp_linearize_page(vi->dev, rq, num_buf,
+ *page, offset,
+ XDP_PACKET_HEADROOM,
+ len);
--- /dev/null
+From 5177373c31318c3c6a190383bfd232e6cf565c36 Mon Sep 17 00:00:00 2001
+From: Bui Quang Minh <minhquangbui99@gmail.com>
+Date: Mon, 30 Jun 2025 22:13:14 +0700
+Subject: virtio-net: xsk: rx: fix the frame's length check
+
+From: Bui Quang Minh <minhquangbui99@gmail.com>
+
+commit 5177373c31318c3c6a190383bfd232e6cf565c36 upstream.
+
+When calling buf_to_xdp, the len argument is the frame data's length
+without virtio header's length (vi->hdr_len). We check that len with
+
+ xsk_pool_get_rx_frame_size() + vi->hdr_len
+
+to ensure the provided len does not larger than the allocated chunk
+size. The additional vi->hdr_len is because in virtnet_add_recvbuf_xsk,
+we use part of XDP_PACKET_HEADROOM for virtio header and ask the vhost
+to start placing data from
+
+ hard_start + XDP_PACKET_HEADROOM - vi->hdr_len
+not
+ hard_start + XDP_PACKET_HEADROOM
+
+But the first buffer has virtio_header, so the maximum frame's length in
+the first buffer can only be
+
+ xsk_pool_get_rx_frame_size()
+not
+ xsk_pool_get_rx_frame_size() + vi->hdr_len
+
+like in the current check.
+
+This commit adds an additional argument to buf_to_xdp differentiate
+between the first buffer and other ones to correctly calculate the maximum
+frame's length.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
+Fixes: a4e7ba702701 ("virtio_net: xsk: rx: support recv small mode")
+Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com>
+Link: https://patch.msgid.link/20250630151315.86722-2-minhquangbui99@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/virtio_net.c | 22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/virtio_net.c
++++ b/drivers/net/virtio_net.c
+@@ -1098,15 +1098,29 @@ static void sg_fill_dma(struct scatterli
+ sg->length = len;
+ }
+
++/* Note that @len is the length of received data without virtio header */
+ static struct xdp_buff *buf_to_xdp(struct virtnet_info *vi,
+- struct receive_queue *rq, void *buf, u32 len)
++ struct receive_queue *rq, void *buf,
++ u32 len, bool first_buf)
+ {
+ struct xdp_buff *xdp;
+ u32 bufsize;
+
+ xdp = (struct xdp_buff *)buf;
+
+- bufsize = xsk_pool_get_rx_frame_size(rq->xsk_pool) + vi->hdr_len;
++ /* In virtnet_add_recvbuf_xsk, we use part of XDP_PACKET_HEADROOM for
++ * virtio header and ask the vhost to fill data from
++ * hard_start + XDP_PACKET_HEADROOM - vi->hdr_len
++ * The first buffer has virtio header so the remaining region for frame
++ * data is
++ * xsk_pool_get_rx_frame_size()
++ * While other buffers than the first one do not have virtio header, so
++ * the maximum frame data's length can be
++ * xsk_pool_get_rx_frame_size() + vi->hdr_len
++ */
++ bufsize = xsk_pool_get_rx_frame_size(rq->xsk_pool);
++ if (!first_buf)
++ bufsize += vi->hdr_len;
+
+ if (unlikely(len > bufsize)) {
+ pr_debug("%s: rx error: len %u exceeds truesize %u\n",
+@@ -1231,7 +1245,7 @@ static int xsk_append_merge_buffer(struc
+
+ u64_stats_add(&stats->bytes, len);
+
+- xdp = buf_to_xdp(vi, rq, buf, len);
++ xdp = buf_to_xdp(vi, rq, buf, len, false);
+ if (!xdp)
+ goto err;
+
+@@ -1329,7 +1343,7 @@ static void virtnet_receive_xsk_buf(stru
+
+ u64_stats_add(&stats->bytes, len);
+
+- xdp = buf_to_xdp(vi, rq, buf, len);
++ xdp = buf_to_xdp(vi, rq, buf, len, true);
+ if (!xdp)
+ return;
+
--- /dev/null
+From 223e2288f4b8c262a864e2c03964ffac91744cd5 Mon Sep 17 00:00:00 2001
+From: HarshaVardhana S A <harshavardhana.sa@broadcom.com>
+Date: Tue, 1 Jul 2025 14:22:54 +0200
+Subject: vsock/vmci: Clear the vmci transport packet properly when initializing it
+
+From: HarshaVardhana S A <harshavardhana.sa@broadcom.com>
+
+commit 223e2288f4b8c262a864e2c03964ffac91744cd5 upstream.
+
+In vmci_transport_packet_init memset the vmci_transport_packet before
+populating the fields to avoid any uninitialised data being left in the
+structure.
+
+Cc: Bryan Tan <bryan-bt.tan@broadcom.com>
+Cc: Vishnu Dasa <vishnu.dasa@broadcom.com>
+Cc: Broadcom internal kernel review list
+Cc: Stefano Garzarella <sgarzare@redhat.com>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: Simon Horman <horms@kernel.org>
+Cc: virtualization@lists.linux.dev
+Cc: netdev@vger.kernel.org
+Cc: stable <stable@kernel.org>
+Signed-off-by: HarshaVardhana S A <harshavardhana.sa@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://patch.msgid.link/20250701122254.2397440-1-gregkh@linuxfoundation.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/vmci_transport.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/vmw_vsock/vmci_transport.c
++++ b/net/vmw_vsock/vmci_transport.c
+@@ -119,6 +119,8 @@ vmci_transport_packet_init(struct vmci_t
+ u16 proto,
+ struct vmci_handle handle)
+ {
++ memset(pkt, 0, sizeof(*pkt));
++
+ /* We register the stream control handler as an any cid handle so we
+ * must always send from a source address of VMADDR_CID_ANY
+ */
+@@ -131,8 +133,6 @@ vmci_transport_packet_init(struct vmci_t
+ pkt->type = type;
+ pkt->src_port = src->svm_port;
+ pkt->dst_port = dst->svm_port;
+- memset(&pkt->proto, 0, sizeof(pkt->proto));
+- memset(&pkt->_reserved2, 0, sizeof(pkt->_reserved2));
+
+ switch (pkt->type) {
+ case VMCI_TRANSPORT_PACKET_TYPE_INVALID:
projects / thirdparty / kernel / stable-queue.git / commitdiff
