--- /dev/null
+From 46c0d947b64ac8efcf89dd754213dab5d1bd00aa Mon Sep 17 00:00:00 2001
+From: Christian Eggers <ceggers@arri.de>
+Date: Wed, 25 Jun 2025 15:09:29 +0200
+Subject: Bluetooth: hci_sync: revert some mesh modifications
+
+From: Christian Eggers <ceggers@arri.de>
+
+commit 46c0d947b64ac8efcf89dd754213dab5d1bd00aa upstream.
+
+This reverts minor parts of the changes made in commit b338d91703fa
+("Bluetooth: Implement support for Mesh"). It looks like these changes
+were only made for development purposes but shouldn't have been part of
+the commit.
+
+Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_sync.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+--- a/net/bluetooth/hci_sync.c
++++ b/net/bluetooth/hci_sync.c
+@@ -1966,13 +1966,10 @@ static int hci_clear_adv_sets_sync(struc
+ static int hci_clear_adv_sync(struct hci_dev *hdev, struct sock *sk, bool force)
+ {
+ struct adv_info *adv, *n;
+- int err = 0;
+
+ if (ext_adv_capable(hdev))
+ /* Remove all existing sets */
+- err = hci_clear_adv_sets_sync(hdev, sk);
+- if (ext_adv_capable(hdev))
+- return err;
++ return hci_clear_adv_sets_sync(hdev, sk);
+
+ /* This is safe as long as there is no command send while the lock is
+ * held.
+@@ -2000,13 +1997,11 @@ static int hci_clear_adv_sync(struct hci
+ static int hci_remove_adv_sync(struct hci_dev *hdev, u8 instance,
+ struct sock *sk)
+ {
+- int err = 0;
++ int err;
+
+ /* If we use extended advertising, instance has to be removed first. */
+ if (ext_adv_capable(hdev))
+- err = hci_remove_ext_adv_instance_sync(hdev, instance, sk);
+- if (ext_adv_capable(hdev))
+- return err;
++ return hci_remove_ext_adv_instance_sync(hdev, instance, sk);
+
+ /* This is safe as long as there is no command send while the lock is
+ * held.
+@@ -2105,16 +2100,13 @@ int hci_read_tx_power_sync(struct hci_de
+ int hci_disable_advertising_sync(struct hci_dev *hdev)
+ {
+ u8 enable = 0x00;
+- int err = 0;
+
+ /* If controller is not advertising we are done. */
+ if (!hci_dev_test_flag(hdev, HCI_LE_ADV))
+ return 0;
+
+ if (ext_adv_capable(hdev))
+- err = hci_disable_ext_adv_instance_sync(hdev, 0x00);
+- if (ext_adv_capable(hdev))
+- return err;
++ return hci_disable_ext_adv_instance_sync(hdev, 0x00);
+
+ return __hci_cmd_sync_status(hdev, HCI_OP_LE_SET_ADV_ENABLE,
+ sizeof(enable), &enable, HCI_CMD_TIMEOUT);
--- /dev/null
+From f3cb5676e5c11c896ba647ee309a993e73531588 Mon Sep 17 00:00:00 2001
+From: Christian Eggers <ceggers@arri.de>
+Date: Wed, 25 Jun 2025 15:09:31 +0200
+Subject: Bluetooth: MGMT: mesh_send: check instances prior disabling advertising
+
+From: Christian Eggers <ceggers@arri.de>
+
+commit f3cb5676e5c11c896ba647ee309a993e73531588 upstream.
+
+The unconditional call of hci_disable_advertising_sync() in
+mesh_send_done_sync() also disables other LE advertisings (non mesh
+related).
+
+I am not sure whether this call is required at all, but checking the
+adv_instances list (like done at other places) seems to solve the
+problem.
+
+Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/mgmt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -1085,7 +1085,8 @@ static int mesh_send_done_sync(struct hc
+ struct mgmt_mesh_tx *mesh_tx;
+
+ hci_dev_clear_flag(hdev, HCI_MESH_SENDING);
+- hci_disable_advertising_sync(hdev);
++ if (list_empty(&hdev->adv_instances))
++ hci_disable_advertising_sync(hdev);
+ mesh_tx = mgmt_mesh_next(hdev, NULL);
+
+ if (mesh_tx)
--- /dev/null
+From e5af67a870f738bb8a4594b6c60c2caf4c87a3c9 Mon Sep 17 00:00:00 2001
+From: Christian Eggers <ceggers@arri.de>
+Date: Wed, 25 Jun 2025 15:09:30 +0200
+Subject: Bluetooth: MGMT: set_mesh: update LE scan interval and window
+
+From: Christian Eggers <ceggers@arri.de>
+
+commit e5af67a870f738bb8a4594b6c60c2caf4c87a3c9 upstream.
+
+According to the message of commit b338d91703fa ("Bluetooth: Implement
+support for Mesh"), MGMT_OP_SET_MESH_RECEIVER should set the passive scan
+parameters. Currently the scan interval and window parameters are
+silently ignored, although user space (bluetooth-meshd) expects that
+they can be used [1]
+
+[1] https://git.kernel.org/pub/scm/bluetooth/bluez.git/tree/mesh/mesh-io-mgmt.c#n344
+Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/mgmt.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -2223,6 +2223,9 @@ static int set_mesh_sync(struct hci_dev
+ else
+ hci_dev_clear_flag(hdev, HCI_MESH);
+
++ hdev->le_scan_interval = __le16_to_cpu(cp->period);
++ hdev->le_scan_window = __le16_to_cpu(cp->window);
++
+ len -= sizeof(*cp);
+
+ /* If filters don't fit, forward all adv pkts */
+@@ -2237,6 +2240,7 @@ static int set_mesh(struct sock *sk, str
+ {
+ struct mgmt_cp_set_mesh *cp = data;
+ struct mgmt_pending_cmd *cmd;
++ __u16 period, window;
+ int err = 0;
+
+ bt_dev_dbg(hdev, "sock %p", sk);
+@@ -2250,6 +2254,23 @@ static int set_mesh(struct sock *sk, str
+ return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
+ MGMT_STATUS_INVALID_PARAMS);
+
++ /* Keep allowed ranges in sync with set_scan_params() */
++ period = __le16_to_cpu(cp->period);
++
++ if (period < 0x0004 || period > 0x4000)
++ return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
++ MGMT_STATUS_INVALID_PARAMS);
++
++ window = __le16_to_cpu(cp->window);
++
++ if (window < 0x0004 || window > 0x4000)
++ return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
++ MGMT_STATUS_INVALID_PARAMS);
++
++ if (window > period)
++ return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_MESH_RECEIVER,
++ MGMT_STATUS_INVALID_PARAMS);
++
+ hci_dev_lock(hdev);
+
+ cmd = mgmt_pending_add(sk, MGMT_OP_SET_MESH_RECEIVER, hdev, data, len);
+@@ -6607,6 +6628,7 @@ static int set_scan_params(struct sock *
+ return mgmt_cmd_status(sk, hdev->id, MGMT_OP_SET_SCAN_PARAMS,
+ MGMT_STATUS_NOT_SUPPORTED);
+
++ /* Keep allowed ranges in sync with set_mesh() */
+ interval = __le16_to_cpu(cp->interval);
+
+ if (interval < 0x0004 || interval > 0x4000)
--- /dev/null
+From 009c3a4bc41e855fd76f92727f9fbae4e5917d7f Mon Sep 17 00:00:00 2001
+From: Avri Altman <avri.altman@sandisk.com>
+Date: Mon, 26 May 2025 14:44:45 +0300
+Subject: mmc: core: sd: Apply BROKEN_SD_DISCARD quirk earlier
+
+From: Avri Altman <avri.altman@sandisk.com>
+
+commit 009c3a4bc41e855fd76f92727f9fbae4e5917d7f upstream.
+
+Move the BROKEN_SD_DISCARD quirk for certain SanDisk SD cards from the
+`mmc_blk_fixups[]` to `mmc_sd_fixups[]`. This ensures the quirk is
+applied earlier in the device initialization process, aligning with the
+reasoning in [1]. Applying the quirk sooner prevents the kernel from
+incorrectly enabling discard support on affected cards during initial
+setup.
+
+[1] https://lore.kernel.org/all/20240820230631.GA436523@sony.com
+
+Fixes: 07d2872bf4c8 ("mmc: core: Add SD card quirk for broken discard")
+Signed-off-by: Avri Altman <avri.altman@sandisk.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250526114445.675548-1-avri.altman@sandisk.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/core/quirks.h | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/mmc/core/quirks.h
++++ b/drivers/mmc/core/quirks.h
+@@ -44,6 +44,12 @@ static const struct mmc_fixup __maybe_un
+ 0, -1ull, SDIO_ANY_ID, SDIO_ANY_ID, add_quirk_sd,
+ MMC_QUIRK_NO_UHS_DDR50_TUNING, EXT_CSD_REV_ANY),
+
++ /*
++ * Some SD cards reports discard support while they don't
++ */
++ MMC_FIXUP(CID_NAME_ANY, CID_MANFID_SANDISK_SD, 0x5344, add_quirk_sd,
++ MMC_QUIRK_BROKEN_SD_DISCARD),
++
+ END_FIXUP
+ };
+
+@@ -147,12 +153,6 @@ static const struct mmc_fixup __maybe_un
+ MMC_FIXUP("Q2J54A", CID_MANFID_MICRON, 0x014e, add_quirk_mmc,
+ MMC_QUIRK_TRIM_BROKEN | MMC_QUIRK_BROKEN_CACHE_FLUSH),
+
+- /*
+- * Some SD cards reports discard support while they don't
+- */
+- MMC_FIXUP(CID_NAME_ANY, CID_MANFID_SANDISK_SD, 0x5344, add_quirk_sd,
+- MMC_QUIRK_BROKEN_SD_DISCARD),
+-
+ END_FIXUP
+ };
+
--- /dev/null
+From 2881ba9af073faa8ee7408a8d1e0575e50eb3f6c Mon Sep 17 00:00:00 2001
+From: Victor Shih <victor.shih@genesyslogic.com.tw>
+Date: Fri, 6 Jun 2025 19:01:20 +0800
+Subject: mmc: sdhci: Add a helper function for dump register in dynamic debug mode
+
+From: Victor Shih <victor.shih@genesyslogic.com.tw>
+
+commit 2881ba9af073faa8ee7408a8d1e0575e50eb3f6c upstream.
+
+Add a helper function for dump register in dynamic debug mode.
+
+Signed-off-by: Victor Shih <victor.shih@genesyslogic.com.tw>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250606110121.96314-3-victorshihgli@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci.h | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/mmc/host/sdhci.h
++++ b/drivers/mmc/host/sdhci.h
+@@ -820,4 +820,20 @@ void sdhci_switch_external_dma(struct sd
+ void sdhci_set_data_timeout_irq(struct sdhci_host *host, bool enable);
+ void __sdhci_set_timeout(struct sdhci_host *host, struct mmc_command *cmd);
+
++#if defined(CONFIG_DYNAMIC_DEBUG) || \
++ (defined(CONFIG_DYNAMIC_DEBUG_CORE) && defined(DYNAMIC_DEBUG_MODULE))
++#define SDHCI_DBG_ANYWAY 0
++#elif defined(DEBUG)
++#define SDHCI_DBG_ANYWAY 1
++#else
++#define SDHCI_DBG_ANYWAY 0
++#endif
++
++#define sdhci_dbg_dumpregs(host, fmt) \
++do { \
++ DEFINE_DYNAMIC_DEBUG_METADATA(descriptor, fmt); \
++ if (DYNAMIC_DEBUG_BRANCH(descriptor) || SDHCI_DBG_ANYWAY) \
++ sdhci_dumpregs(host); \
++} while (0)
++
+ #endif /* __SDHCI_HW_H */
--- /dev/null
+From 539d80575b810c7a5987c7ac8915e3bc99c03695 Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Date: Thu, 5 Jun 2025 10:07:38 +0900
+Subject: mtk-sd: Fix a pagefault in dma_unmap_sg() for not prepared data
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+commit 539d80575b810c7a5987c7ac8915e3bc99c03695 upstream.
+
+When swiotlb buffer is full, the dma_map_sg() returns 0 to
+msdc_prepare_data(), but it does not check it and sets the
+MSDC_PREPARE_FLAG.
+
+swiotlb_tbl_map_single() /* prints "swiotlb buffer is full" */
+ <-swiotlb_map()
+ <-dma_direct_map_page()
+ <-dma_direct_map_sg()
+ <-__dma_map_sg_attrs()
+ <-dma_map_sg_attrs()
+ <-dma_map_sg() /* returns 0 (pages mapped) */
+ <-msdc_prepare_data()
+
+Then, the msdc_unprepare_data() checks MSDC_PREPARE_FLAG and calls
+dma_unmap_sg() with unmapped pages. It causes a page fault.
+
+To fix this problem, Do not set MSDC_PREPARE_FLAG if dma_map_sg()
+fails because this is not prepared.
+
+Fixes: 208489032bdd ("mmc: mediatek: Add Mediatek MMC driver")
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Tested-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/174908565814.4056588.769599127120955383.stgit@mhiramat.tok.corp.google.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/mtk-sd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/mtk-sd.c
++++ b/drivers/mmc/host/mtk-sd.c
+@@ -756,9 +756,10 @@ static inline void msdc_dma_setup(struct
+ static void msdc_prepare_data(struct msdc_host *host, struct mmc_data *data)
+ {
+ if (!(data->host_cookie & MSDC_PREPARE_FLAG)) {
+- data->host_cookie |= MSDC_PREPARE_FLAG;
+ data->sg_count = dma_map_sg(host->dev, data->sg, data->sg_len,
+ mmc_get_dma_dir(data));
++ if (data->sg_count)
++ data->host_cookie |= MSDC_PREPARE_FLAG;
+ }
+ }
+
--- /dev/null
+From f5de469990f19569627ea0dd56536ff5a13beaa3 Mon Sep 17 00:00:00 2001
+From: "Masami Hiramatsu (Google)" <mhiramat@kernel.org>
+Date: Thu, 12 Jun 2025 20:26:10 +0900
+Subject: mtk-sd: Prevent memory corruption from DMA map failure
+
+From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+
+commit f5de469990f19569627ea0dd56536ff5a13beaa3 upstream.
+
+If msdc_prepare_data() fails to map the DMA region, the request is
+not prepared for data receiving, but msdc_start_data() proceeds
+the DMA with previous setting.
+Since this will lead a memory corruption, we have to stop the
+request operation soon after the msdc_prepare_data() fails to
+prepare it.
+
+Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Fixes: 208489032bdd ("mmc: mediatek: Add Mediatek MMC driver")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/174972756982.3337526.6755001617701603082.stgit@mhiramat.tok.corp.google.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/mtk-sd.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/mtk-sd.c
++++ b/drivers/mmc/host/mtk-sd.c
+@@ -763,6 +763,11 @@ static void msdc_prepare_data(struct msd
+ }
+ }
+
++static bool msdc_data_prepared(struct mmc_data *data)
++{
++ return data->host_cookie & MSDC_PREPARE_FLAG;
++}
++
+ static void msdc_unprepare_data(struct msdc_host *host, struct mmc_data *data)
+ {
+ if (data->host_cookie & MSDC_ASYNC_FLAG)
+@@ -1323,8 +1328,18 @@ static void msdc_ops_request(struct mmc_
+ WARN_ON(host->mrq);
+ host->mrq = mrq;
+
+- if (mrq->data)
++ if (mrq->data) {
+ msdc_prepare_data(host, mrq->data);
++ if (!msdc_data_prepared(mrq->data)) {
++ /*
++ * Failed to prepare DMA area, fail fast before
++ * starting any commands.
++ */
++ mrq->cmd->error = -ENOSPC;
++ mmc_request_done(mmc_from_priv(host), mrq);
++ return;
++ }
++ }
+
+ /* if SBC is required, we have HW option and SW option.
+ * if HW option is enabled, and SBC does not have "special" flags,
--- /dev/null
+From ec54c0a20709ed6e56f40a8d59eee725c31a916b Mon Sep 17 00:00:00 2001
+From: Sergey Senozhatsky <senozhatsky@chromium.org>
+Date: Wed, 25 Jun 2025 14:20:37 +0900
+Subject: mtk-sd: reset host->mrq on prepare_data() error
+
+From: Sergey Senozhatsky <senozhatsky@chromium.org>
+
+commit ec54c0a20709ed6e56f40a8d59eee725c31a916b upstream.
+
+Do not leave host with dangling ->mrq pointer if we hit
+the msdc_prepare_data() error out path.
+
+Signed-off-by: Sergey Senozhatsky <senozhatsky@chromium.org>
+Reviewed-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
+Fixes: f5de469990f1 ("mtk-sd: Prevent memory corruption from DMA map failure")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250625052106.584905-1-senozhatsky@chromium.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/mtk-sd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mmc/host/mtk-sd.c
++++ b/drivers/mmc/host/mtk-sd.c
+@@ -1331,6 +1331,7 @@ static void msdc_ops_request(struct mmc_
+ if (mrq->data) {
+ msdc_prepare_data(host, mrq->data);
+ if (!msdc_data_prepared(mrq->data)) {
++ host->mrq = NULL;
+ /*
+ * Failed to prepare DMA area, fail fast before
+ * starting any commands.
--- /dev/null
+From c9764fd88bc744592b0604ccb6b6fc1a5f76b4e3 Mon Sep 17 00:00:00 2001
+From: Manivannan Sadhasivam <mani@kernel.org>
+Date: Thu, 3 Jul 2025 16:05:49 +0530
+Subject: regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods
+
+From: Manivannan Sadhasivam <mani@kernel.org>
+
+commit c9764fd88bc744592b0604ccb6b6fc1a5f76b4e3 upstream.
+
+drvdata::gpiods is supposed to hold an array of 'gpio_desc' pointers. But
+the memory is allocated for only one pointer. This will lead to
+out-of-bounds access later in the code if 'config::ngpios' is > 1. So
+fix the code to allocate enough memory to hold 'config::ngpios' of GPIO
+descriptors.
+
+While at it, also move the check for memory allocation failure to be below
+the allocation to make it more readable.
+
+Cc: stable@vger.kernel.org # 5.0
+Fixes: d6cd33ad7102 ("regulator: gpio: Convert to use descriptors")
+Signed-off-by: Manivannan Sadhasivam <mani@kernel.org>
+Link: https://patch.msgid.link/20250703103549.16558-1-mani@kernel.org
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/regulator/gpio-regulator.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/regulator/gpio-regulator.c
++++ b/drivers/regulator/gpio-regulator.c
+@@ -260,8 +260,10 @@ static int gpio_regulator_probe(struct p
+ return -ENOMEM;
+ }
+
+- drvdata->gpiods = devm_kzalloc(dev, sizeof(struct gpio_desc *),
+- GFP_KERNEL);
++ drvdata->gpiods = devm_kcalloc(dev, config->ngpios,
++ sizeof(struct gpio_desc *), GFP_KERNEL);
++ if (!drvdata->gpiods)
++ return -ENOMEM;
+
+ if (config->input_supply) {
+ drvdata->desc.supply_name = devm_kstrdup(&pdev->dev,
+@@ -274,8 +276,6 @@ static int gpio_regulator_probe(struct p
+ }
+ }
+
+- if (!drvdata->gpiods)
+- return -ENOMEM;
+ for (i = 0; i < config->ngpios; i++) {
+ drvdata->gpiods[i] = devm_gpiod_get_index(dev,
+ NULL,
--- /dev/null
+From dcc3bcfc5b50c625b475dcc25d167b6b947a6637 Mon Sep 17 00:00:00 2001
+From: Ulf Hansson <ulf.hansson@linaro.org>
+Date: Tue, 24 Jun 2025 13:09:32 +0200
+Subject: Revert "mmc: sdhci: Disable SD card clock before changing parameters"
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+commit dcc3bcfc5b50c625b475dcc25d167b6b947a6637 upstream.
+
+It has turned out the trying to strictly conform to the SDHCI specification
+is causing problems. Let's revert and start over.
+
+This reverts commit fb3bbc46c94f261b6156ee863c1b06c84cf157dc.
+
+Cc: Erick Shepherd <erick.shepherd@ni.com>
+Cc: stable@vger.kernel.org
+Fixes: fb3bbc46c94f ("mmc: sdhci: Disable SD card clock before changing parameters")
+Suggested-by: Adrian Hunter <adrian.hunter@intel.com>
+Reported-by: Jonathan Liu <net147@gmail.com>
+Reported-by: Salvatore Bonaccorso <carnil@debian.org>
+Closes: https://bugs.debian.org/1108065
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Link: https://lore.kernel.org/r/20250624110932.176925-1-ulf.hansson@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -2049,15 +2049,10 @@ void sdhci_set_clock(struct sdhci_host *
+
+ host->mmc->actual_clock = 0;
+
+- clk = sdhci_readw(host, SDHCI_CLOCK_CONTROL);
+- if (clk & SDHCI_CLOCK_CARD_EN)
+- sdhci_writew(host, clk & ~SDHCI_CLOCK_CARD_EN,
+- SDHCI_CLOCK_CONTROL);
++ sdhci_writew(host, 0, SDHCI_CLOCK_CONTROL);
+
+- if (clock == 0) {
+- sdhci_writew(host, 0, SDHCI_CLOCK_CONTROL);
++ if (clock == 0)
+ return;
+- }
+
+ clk = sdhci_calc_clk(host, clock, &host->mmc->actual_clock);
+ sdhci_enable_clk(host, clk);
--- /dev/null
+From b97a7972b1f4f81417840b9a2ab0c19722b577d5 Mon Sep 17 00:00:00 2001
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+Date: Wed, 25 Jun 2025 11:28:29 +0200
+Subject: s390/pci: Do not try re-enabling load/store if device is disabled
+
+From: Niklas Schnelle <schnelle@linux.ibm.com>
+
+commit b97a7972b1f4f81417840b9a2ab0c19722b577d5 upstream.
+
+If a device is disabled unblocking load/store on its own is not useful
+as a full re-enable of the function is necessary anyway. Note that SCLP
+Write Event Data Action Qualifier 0 (Reset) leaves the device disabled
+and triggers this case unless the driver already requests a reset.
+
+Cc: stable@vger.kernel.org
+Fixes: 4cdf2f4e24ff ("s390/pci: implement minimal PCI error recovery")
+Reviewed-by: Farhan Ali <alifm@linux.ibm.com>
+Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
+Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/pci/pci_event.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/s390/pci/pci_event.c
++++ b/arch/s390/pci/pci_event.c
+@@ -98,6 +98,10 @@ static pci_ers_result_t zpci_event_do_er
+ struct zpci_dev *zdev = to_zpci(pdev);
+ int rc;
+
++ /* The underlying device may have been disabled by the event */
++ if (!zdev_enabled(zdev))
++ return PCI_ERS_RESULT_NEED_RESET;
++
+ pr_info("%s: Unblocking device access for examination\n", pci_name(pdev));
+ rc = zpci_reset_load_store_blocked(zdev);
+ if (rc) {
rtc-cmos-use-spin_lock_irqsave-in-cmos_interrupt.patch
+s390-pci-do-not-try-re-enabling-load-store-if-device-is-disabled.patch
+vsock-vmci-clear-the-vmci-transport-packet-properly-when-initializing-it.patch
+mmc-sdhci-add-a-helper-function-for-dump-register-in-dynamic-debug-mode.patch
+revert-mmc-sdhci-disable-sd-card-clock-before-changing-parameters.patch
+mmc-core-sd-apply-broken_sd_discard-quirk-earlier.patch
+bluetooth-hci_sync-revert-some-mesh-modifications.patch
+bluetooth-mgmt-set_mesh-update-le-scan-interval-and-window.patch
+bluetooth-mgmt-mesh_send-check-instances-prior-disabling-advertising.patch
+regulator-gpio-fix-the-out-of-bounds-access-to-drvdata-gpiods.patch
+usb-typec-altmodes-displayport-do-not-index-invalid-pin_assignments.patch
+mtk-sd-fix-a-pagefault-in-dma_unmap_sg-for-not-prepared-data.patch
+mtk-sd-prevent-memory-corruption-from-dma-map-failure.patch
+mtk-sd-reset-host-mrq-on-prepare_data-error.patch
--- /dev/null
+From af4db5a35a4ef7a68046883bfd12468007db38f1 Mon Sep 17 00:00:00 2001
+From: RD Babiera <rdbabiera@google.com>
+Date: Wed, 18 Jun 2025 22:49:42 +0000
+Subject: usb: typec: altmodes/displayport: do not index invalid pin_assignments
+
+From: RD Babiera <rdbabiera@google.com>
+
+commit af4db5a35a4ef7a68046883bfd12468007db38f1 upstream.
+
+A poorly implemented DisplayPort Alt Mode port partner can indicate
+that its pin assignment capabilities are greater than the maximum
+value, DP_PIN_ASSIGN_F. In this case, calls to pin_assignment_show
+will cause a BRK exception due to an out of bounds array access.
+
+Prevent for loop in pin_assignment_show from accessing
+invalid values in pin_assignments by adding DP_PIN_ASSIGN_MAX
+value in typec_dp.h and using i < DP_PIN_ASSIGN_MAX as a loop
+condition.
+
+Fixes: 0e3bb7d6894d ("usb: typec: Add driver for DisplayPort alternate mode")
+Cc: stable <stable@kernel.org>
+Signed-off-by: RD Babiera <rdbabiera@google.com>
+Reviewed-by: Badhri Jagan Sridharan <badhri@google.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/20250618224943.3263103-2-rdbabiera@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/altmodes/displayport.c | 2 +-
+ include/linux/usb/typec_dp.h | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/altmodes/displayport.c
++++ b/drivers/usb/typec/altmodes/displayport.c
+@@ -525,7 +525,7 @@ static ssize_t pin_assignment_show(struc
+
+ assignments = get_current_pin_assignments(dp);
+
+- for (i = 0; assignments; assignments >>= 1, i++) {
++ for (i = 0; assignments && i < DP_PIN_ASSIGN_MAX; assignments >>= 1, i++) {
+ if (assignments & 1) {
+ if (i == cur)
+ len += sprintf(buf + len, "[%s] ",
+--- a/include/linux/usb/typec_dp.h
++++ b/include/linux/usb/typec_dp.h
+@@ -56,6 +56,7 @@ enum {
+ DP_PIN_ASSIGN_D,
+ DP_PIN_ASSIGN_E,
+ DP_PIN_ASSIGN_F, /* Not supported after v1.0b */
++ DP_PIN_ASSIGN_MAX,
+ };
+
+ /* DisplayPort alt mode specific commands */
--- /dev/null
+From 223e2288f4b8c262a864e2c03964ffac91744cd5 Mon Sep 17 00:00:00 2001
+From: HarshaVardhana S A <harshavardhana.sa@broadcom.com>
+Date: Tue, 1 Jul 2025 14:22:54 +0200
+Subject: vsock/vmci: Clear the vmci transport packet properly when initializing it
+
+From: HarshaVardhana S A <harshavardhana.sa@broadcom.com>
+
+commit 223e2288f4b8c262a864e2c03964ffac91744cd5 upstream.
+
+In vmci_transport_packet_init memset the vmci_transport_packet before
+populating the fields to avoid any uninitialised data being left in the
+structure.
+
+Cc: Bryan Tan <bryan-bt.tan@broadcom.com>
+Cc: Vishnu Dasa <vishnu.dasa@broadcom.com>
+Cc: Broadcom internal kernel review list
+Cc: Stefano Garzarella <sgarzare@redhat.com>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: Eric Dumazet <edumazet@google.com>
+Cc: Jakub Kicinski <kuba@kernel.org>
+Cc: Paolo Abeni <pabeni@redhat.com>
+Cc: Simon Horman <horms@kernel.org>
+Cc: virtualization@lists.linux.dev
+Cc: netdev@vger.kernel.org
+Cc: stable <stable@kernel.org>
+Signed-off-by: HarshaVardhana S A <harshavardhana.sa@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+Link: https://patch.msgid.link/20250701122254.2397440-1-gregkh@linuxfoundation.org
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/vmw_vsock/vmci_transport.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/vmw_vsock/vmci_transport.c
++++ b/net/vmw_vsock/vmci_transport.c
+@@ -119,6 +119,8 @@ vmci_transport_packet_init(struct vmci_t
+ u16 proto,
+ struct vmci_handle handle)
+ {
++ memset(pkt, 0, sizeof(*pkt));
++
+ /* We register the stream control handler as an any cid handle so we
+ * must always send from a source address of VMADDR_CID_ANY
+ */
+@@ -131,8 +133,6 @@ vmci_transport_packet_init(struct vmci_t
+ pkt->type = type;
+ pkt->src_port = src->svm_port;
+ pkt->dst_port = dst->svm_port;
+- memset(&pkt->proto, 0, sizeof(pkt->proto));
+- memset(&pkt->_reserved2, 0, sizeof(pkt->_reserved2));
+
+ switch (pkt->type) {
+ case VMCI_TRANSPORT_PACKET_TYPE_INVALID:
projects / thirdparty / kernel / stable-queue.git / commitdiff
