--- /dev/null
+From b14b076ce593f72585412fc7fd3747e03a5e3632 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Mon, 7 Jul 2025 14:34:29 +0100
+Subject: comedi: pcl812: Fix bit shift out of bounds
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit b14b076ce593f72585412fc7fd3747e03a5e3632 upstream.
+
+When checking for a supported IRQ number, the following test is used:
+
+ if ((1 << it->options[1]) & board->irq_bits) {
+
+However, `it->options[i]` is an unchecked `int` value from userspace, so
+the shift amount could be negative or out of bounds. Fix the test by
+requiring `it->options[1]` to be within bounds before proceeding with
+the original test. Valid `it->options[1]` values that select the IRQ
+will be in the range [1,15]. The value 0 explicitly disables the use of
+interrupts.
+
+Reported-by: syzbot+32de323b0addb9e114ff@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=32de323b0addb9e114ff
+Fixes: fcdb427bc7cf ("Staging: comedi: add pcl821 driver")
+Cc: stable@vger.kernel.org # 5.13+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://lore.kernel.org/r/20250707133429.73202-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/comedi/drivers/pcl812.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/comedi/drivers/pcl812.c
++++ b/drivers/comedi/drivers/pcl812.c
+@@ -1149,7 +1149,8 @@ static int pcl812_attach(struct comedi_d
+ if (!dev->pacer)
+ return -ENOMEM;
+
+- if ((1 << it->options[1]) & board->irq_bits) {
++ if (it->options[1] > 0 && it->options[1] < 16 &&
++ (1 << it->options[1]) & board->irq_bits) {
+ ret = request_irq(it->options[1], pcl812_interrupt, 0,
+ dev->board_name, dev);
+ if (ret == 0)
--- /dev/null
+From 1fe16dc1a2f5057772e5391ec042ed7442966c9a Mon Sep 17 00:00:00 2001
+From: Sean Nyekjaer <sean@geanix.com>
+Date: Tue, 3 Jun 2025 14:25:44 +0200
+Subject: iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush
+
+From: Sean Nyekjaer <sean@geanix.com>
+
+commit 1fe16dc1a2f5057772e5391ec042ed7442966c9a upstream.
+
+fxls8962af_fifo_flush() uses indio_dev->active_scan_mask (with
+iio_for_each_active_channel()) without making sure the indio_dev
+stays in buffer mode.
+There is a race if indio_dev exits buffer mode in the middle of the
+interrupt that flushes the fifo. Fix this by calling
+synchronize_irq() to ensure that no interrupt is currently running when
+disabling buffer mode.
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000000 when read
+[...]
+_find_first_bit_le from fxls8962af_fifo_flush+0x17c/0x290
+fxls8962af_fifo_flush from fxls8962af_interrupt+0x80/0x178
+fxls8962af_interrupt from irq_thread_fn+0x1c/0x7c
+irq_thread_fn from irq_thread+0x110/0x1f4
+irq_thread from kthread+0xe0/0xfc
+kthread from ret_from_fork+0x14/0x2c
+
+Fixes: 79e3a5bdd9ef ("iio: accel: fxls8962af: add hw buffered sampling")
+Cc: stable@vger.kernel.org
+Suggested-by: David Lechner <dlechner@baylibre.com>
+Signed-off-by: Sean Nyekjaer <sean@geanix.com>
+Link: https://patch.msgid.link/20250603-fxlsrace-v2-1-5381b36ba1db@geanix.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/accel/fxls8962af-core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/iio/accel/fxls8962af-core.c
++++ b/drivers/iio/accel/fxls8962af-core.c
+@@ -865,6 +865,8 @@ static int fxls8962af_buffer_predisable(
+ if (ret)
+ return ret;
+
++ synchronize_irq(data->irq);
++
+ ret = __fxls8962af_fifo_set_mode(data, false);
+
+ if (data->enable_event)
--- /dev/null
+From 6d21f2c2dd843bceefd9455f2919f6bb526797f0 Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <festevam@denx.de>
+Date: Fri, 16 May 2025 14:38:59 -0300
+Subject: iio: adc: max1363: Fix MAX1363_4X_CHANS/MAX1363_8X_CHANS[]
+
+From: Fabio Estevam <festevam@denx.de>
+
+commit 6d21f2c2dd843bceefd9455f2919f6bb526797f0 upstream.
+
+Since commit 2718f15403fb ("iio: sanity check available_scan_masks array"),
+booting a board populated with a MAX11601 results in a flood of warnings:
+
+max1363 1-0064: available_scan_mask 8 subset of 0. Never used
+max1363 1-0064: available_scan_mask 9 subset of 0. Never used
+max1363 1-0064: available_scan_mask 10 subset of 0. Never used
+max1363 1-0064: available_scan_mask 11 subset of 0. Never used
+max1363 1-0064: available_scan_mask 12 subset of 0. Never used
+max1363 1-0064: available_scan_mask 13 subset of 0. Never used
+...
+
+These warnings are caused by incorrect offsets used for differential
+channels in the MAX1363_4X_CHANS() and MAX1363_8X_CHANS() macros.
+
+The max1363_mode_table[] defines the differential channel mappings as
+follows:
+
+MAX1363_MODE_DIFF_SINGLE(0, 1, 1 << 12),
+MAX1363_MODE_DIFF_SINGLE(2, 3, 1 << 13),
+MAX1363_MODE_DIFF_SINGLE(4, 5, 1 << 14),
+MAX1363_MODE_DIFF_SINGLE(6, 7, 1 << 15),
+MAX1363_MODE_DIFF_SINGLE(8, 9, 1 << 16),
+MAX1363_MODE_DIFF_SINGLE(10, 11, 1 << 17),
+MAX1363_MODE_DIFF_SINGLE(1, 0, 1 << 18),
+MAX1363_MODE_DIFF_SINGLE(3, 2, 1 << 19),
+MAX1363_MODE_DIFF_SINGLE(5, 4, 1 << 20),
+MAX1363_MODE_DIFF_SINGLE(7, 6, 1 << 21),
+MAX1363_MODE_DIFF_SINGLE(9, 8, 1 << 22),
+MAX1363_MODE_DIFF_SINGLE(11, 10, 1 << 23),
+
+Update the macros to follow this same pattern, ensuring that the scan masks
+are valid and preventing the warnings.
+
+Cc: stable@vger.kernel.org
+Suggested-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Fabio Estevam <festevam@denx.de>
+Acked-by: Matti Vaittinen <mazziesaccount@gmail.com>
+Link: https://patch.msgid.link/20250516173900.677821-1-festevam@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/max1363.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+--- a/drivers/iio/adc/max1363.c
++++ b/drivers/iio/adc/max1363.c
+@@ -510,10 +510,10 @@ static const struct iio_event_spec max13
+ MAX1363_CHAN_U(1, _s1, 1, bits, ev_spec, num_ev_spec), \
+ MAX1363_CHAN_U(2, _s2, 2, bits, ev_spec, num_ev_spec), \
+ MAX1363_CHAN_U(3, _s3, 3, bits, ev_spec, num_ev_spec), \
+- MAX1363_CHAN_B(0, 1, d0m1, 4, bits, ev_spec, num_ev_spec), \
+- MAX1363_CHAN_B(2, 3, d2m3, 5, bits, ev_spec, num_ev_spec), \
+- MAX1363_CHAN_B(1, 0, d1m0, 6, bits, ev_spec, num_ev_spec), \
+- MAX1363_CHAN_B(3, 2, d3m2, 7, bits, ev_spec, num_ev_spec), \
++ MAX1363_CHAN_B(0, 1, d0m1, 12, bits, ev_spec, num_ev_spec), \
++ MAX1363_CHAN_B(2, 3, d2m3, 13, bits, ev_spec, num_ev_spec), \
++ MAX1363_CHAN_B(1, 0, d1m0, 18, bits, ev_spec, num_ev_spec), \
++ MAX1363_CHAN_B(3, 2, d3m2, 19, bits, ev_spec, num_ev_spec), \
+ IIO_CHAN_SOFT_TIMESTAMP(8) \
+ }
+
+@@ -608,14 +608,14 @@ static const enum max1363_modes max11608
+ MAX1363_CHAN_U(5, _s5, 5, bits, NULL, 0), \
+ MAX1363_CHAN_U(6, _s6, 6, bits, NULL, 0), \
+ MAX1363_CHAN_U(7, _s7, 7, bits, NULL, 0), \
+- MAX1363_CHAN_B(0, 1, d0m1, 8, bits, NULL, 0), \
+- MAX1363_CHAN_B(2, 3, d2m3, 9, bits, NULL, 0), \
+- MAX1363_CHAN_B(4, 5, d4m5, 10, bits, NULL, 0), \
+- MAX1363_CHAN_B(6, 7, d6m7, 11, bits, NULL, 0), \
+- MAX1363_CHAN_B(1, 0, d1m0, 12, bits, NULL, 0), \
+- MAX1363_CHAN_B(3, 2, d3m2, 13, bits, NULL, 0), \
+- MAX1363_CHAN_B(5, 4, d5m4, 14, bits, NULL, 0), \
+- MAX1363_CHAN_B(7, 6, d7m6, 15, bits, NULL, 0), \
++ MAX1363_CHAN_B(0, 1, d0m1, 12, bits, NULL, 0), \
++ MAX1363_CHAN_B(2, 3, d2m3, 13, bits, NULL, 0), \
++ MAX1363_CHAN_B(4, 5, d4m5, 14, bits, NULL, 0), \
++ MAX1363_CHAN_B(6, 7, d6m7, 15, bits, NULL, 0), \
++ MAX1363_CHAN_B(1, 0, d1m0, 18, bits, NULL, 0), \
++ MAX1363_CHAN_B(3, 2, d3m2, 19, bits, NULL, 0), \
++ MAX1363_CHAN_B(5, 4, d5m4, 20, bits, NULL, 0), \
++ MAX1363_CHAN_B(7, 6, d7m6, 21, bits, NULL, 0), \
+ IIO_CHAN_SOFT_TIMESTAMP(16) \
+ }
+ static const struct iio_chan_spec max11602_channels[] = MAX1363_8X_CHANS(8);
--- /dev/null
+From 8d8d7c1dbc46aa07a76acab7336a42ddd900be10 Mon Sep 17 00:00:00 2001
+From: Fabio Estevam <festevam@denx.de>
+Date: Fri, 16 May 2025 14:39:00 -0300
+Subject: iio: adc: max1363: Reorder mode_list[] entries
+
+From: Fabio Estevam <festevam@denx.de>
+
+commit 8d8d7c1dbc46aa07a76acab7336a42ddd900be10 upstream.
+
+The IIO core issues warnings when a scan mask is a subset of a previous
+entry in the available_scan_masks array.
+
+On a board using a MAX11601, the following warning is observed:
+
+max1363 1-0064: available_scan_mask 7 subset of 6. Never used
+
+This occurs because the entries in the max11607_mode_list[] array are not
+ordered correctly. To fix this, reorder the entries so that no scan mask is
+a subset of an earlier one.
+
+While at it, reorder the mode_list[] arrays for other supported chips as
+well, to prevent similar warnings on different variants.
+
+Note fixes tag dropped as these were introduced over many commits a long
+time back and the side effect until recently was a reduction in sampling
+rate due to reading too many channels when only a few were desired.
+Now we have a sanity check that reports this error but that is not
+where the issue was introduced.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Fabio Estevam <festevam@denx.de>
+Acked-by: Matti Vaittinen <mazziesaccount@gmail.com>
+Link: https://patch.msgid.link/20250516173900.677821-2-festevam@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/max1363.c | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+--- a/drivers/iio/adc/max1363.c
++++ b/drivers/iio/adc/max1363.c
+@@ -531,23 +531,23 @@ static const struct iio_chan_spec max136
+ /* Applies to max1236, max1237 */
+ static const enum max1363_modes max1236_mode_list[] = {
+ _s0, _s1, _s2, _s3,
+- s0to1, s0to2, s0to3,
++ s0to1, s0to2, s2to3, s0to3,
+ d0m1, d2m3, d1m0, d3m2,
+ d0m1to2m3, d1m0to3m2,
+- s2to3,
+ };
+
+ /* Applies to max1238, max1239 */
+ static const enum max1363_modes max1238_mode_list[] = {
+ _s0, _s1, _s2, _s3, _s4, _s5, _s6, _s7, _s8, _s9, _s10, _s11,
+ s0to1, s0to2, s0to3, s0to4, s0to5, s0to6,
++ s6to7, s6to8, s6to9, s6to10, s6to11,
+ s0to7, s0to8, s0to9, s0to10, s0to11,
+ d0m1, d2m3, d4m5, d6m7, d8m9, d10m11,
+ d1m0, d3m2, d5m4, d7m6, d9m8, d11m10,
+- d0m1to2m3, d0m1to4m5, d0m1to6m7, d0m1to8m9, d0m1to10m11,
+- d1m0to3m2, d1m0to5m4, d1m0to7m6, d1m0to9m8, d1m0to11m10,
+- s6to7, s6to8, s6to9, s6to10, s6to11,
+- d6m7to8m9, d6m7to10m11, d7m6to9m8, d7m6to11m10,
++ d0m1to2m3, d0m1to4m5, d0m1to6m7, d6m7to8m9,
++ d0m1to8m9, d6m7to10m11, d0m1to10m11, d1m0to3m2,
++ d1m0to5m4, d1m0to7m6, d7m6to9m8, d1m0to9m8,
++ d7m6to11m10, d1m0to11m10,
+ };
+
+ #define MAX1363_12X_CHANS(bits) { \
+@@ -583,16 +583,15 @@ static const struct iio_chan_spec max123
+
+ static const enum max1363_modes max11607_mode_list[] = {
+ _s0, _s1, _s2, _s3,
+- s0to1, s0to2, s0to3,
+- s2to3,
++ s0to1, s0to2, s2to3,
++ s0to3,
+ d0m1, d2m3, d1m0, d3m2,
+ d0m1to2m3, d1m0to3m2,
+ };
+
+ static const enum max1363_modes max11608_mode_list[] = {
+ _s0, _s1, _s2, _s3, _s4, _s5, _s6, _s7,
+- s0to1, s0to2, s0to3, s0to4, s0to5, s0to6, s0to7,
+- s6to7,
++ s0to1, s0to2, s0to3, s0to4, s0to5, s0to6, s6to7, s0to7,
+ d0m1, d2m3, d4m5, d6m7,
+ d1m0, d3m2, d5m4, d7m6,
+ d0m1to2m3, d0m1to4m5, d0m1to6m7,
--- /dev/null
+From e8ad595064f6ebd5d2d1a5d5d7ebe0efce623091 Mon Sep 17 00:00:00 2001
+From: Chen Ni <nichen@iscas.ac.cn>
+Date: Thu, 15 May 2025 16:31:01 +0800
+Subject: iio: adc: stm32-adc: Fix race in installing chained IRQ handler
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Chen Ni <nichen@iscas.ac.cn>
+
+commit e8ad595064f6ebd5d2d1a5d5d7ebe0efce623091 upstream.
+
+Fix a race where a pending interrupt could be received and the handler
+called before the handler's data has been setup, by converting to
+irq_set_chained_handler_and_data().
+
+Fixes: 1add69880240 ("iio: adc: Add support for STM32 ADC core")
+Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
+Reviewed-by: Nuno Sá <nuno.sa@analog.com>
+Tested-by: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
+Reviewed-by: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
+Link: https://patch.msgid.link/20250515083101.3811350-1-nichen@iscas.ac.cn
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/stm32-adc-core.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/iio/adc/stm32-adc-core.c
++++ b/drivers/iio/adc/stm32-adc-core.c
+@@ -428,10 +428,9 @@ static int stm32_adc_irq_probe(struct pl
+ return -ENOMEM;
+ }
+
+- for (i = 0; i < priv->cfg->num_irqs; i++) {
+- irq_set_chained_handler(priv->irq[i], stm32_adc_irq_handler);
+- irq_set_handler_data(priv->irq[i], priv);
+- }
++ for (i = 0; i < priv->cfg->num_irqs; i++)
++ irq_set_chained_handler_and_data(priv->irq[i],
++ stm32_adc_irq_handler, priv);
+
+ return 0;
+ }
+++ /dev/null
-From da9b2fc7b73d147d88abe1922de5ab72d72d7756 Mon Sep 17 00:00:00 2001
-From: Paolo Abeni <pabeni@redhat.com>
-Date: Mon, 14 Jul 2025 18:41:46 +0200
-Subject: mptcp: reset fallback status gracefully at disconnect() time
-
-From: Paolo Abeni <pabeni@redhat.com>
-
-commit da9b2fc7b73d147d88abe1922de5ab72d72d7756 upstream.
-
-mptcp_disconnect() clears the fallback bit unconditionally, without
-touching the associated flags.
-
-The bit clear is safe, as no fallback operation can race with that --
-all subflow are already in TCP_CLOSE status thanks to the previous
-FASTCLOSE -- but we need to consistently reset all the fallback related
-status.
-
-Also acquire the relevant lock, to avoid fouling static analyzers.
-
-Fixes: b29fcfb54cd7 ("mptcp: full disconnect implementation")
-Cc: stable@vger.kernel.org
-Signed-off-by: Paolo Abeni <pabeni@redhat.com>
-Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
-Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
-Link: https://patch.msgid.link/20250714-net-mptcp-fallback-races-v1-3-391aff963322@kernel.org
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- net/mptcp/protocol.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
---- a/net/mptcp/protocol.c
-+++ b/net/mptcp/protocol.c
-@@ -3183,7 +3183,16 @@ static int mptcp_disconnect(struct sock
- * subflow
- */
- mptcp_destroy_common(msk, MPTCP_CF_FASTCLOSE);
-+
-+ /* The first subflow is already in TCP_CLOSE status, the following
-+ * can't overlap with a fallback anymore
-+ */
-+ spin_lock_bh(&msk->fallback_lock);
-+ msk->allow_subflows = true;
-+ msk->allow_infinite_fallback = true;
- WRITE_ONCE(msk->flags, 0);
-+ spin_unlock_bh(&msk->fallback_lock);
-+
- msk->cb_flags = 0;
- msk->recovery = false;
- msk->can_ack = false;
--- /dev/null
+From 500ba33284416255b9a5b50ace24470b6fe77ea5 Mon Sep 17 00:00:00 2001
+From: Maulik Shah <maulik.shah@oss.qualcomm.com>
+Date: Wed, 9 Jul 2025 14:00:11 +0530
+Subject: pmdomain: governor: Consider CPU latency tolerance from pm_domain_cpu_gov
+
+From: Maulik Shah <maulik.shah@oss.qualcomm.com>
+
+commit 500ba33284416255b9a5b50ace24470b6fe77ea5 upstream.
+
+pm_domain_cpu_gov is selecting a cluster idle state but does not consider
+latency tolerance of child CPUs. This results in deeper cluster idle state
+whose latency does not meet latency tolerance requirement.
+
+Select deeper idle state only if global and device latency tolerance of all
+child CPUs meet.
+
+Test results on SM8750 with 300 usec PM-QoS on CPU0 which is less than
+domain idle state entry (2150) + exit (1983) usec latency mentioned in
+devicetree, demonstrate the issue.
+
+ # echo 300 > /sys/devices/system/cpu/cpu0/power/pm_qos_resume_latency_us
+
+Before: (Usage is incrementing)
+======
+ # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states
+ State Time Spent(ms) Usage Rejected Above Below
+ S0 29817 537 8 270 0
+
+ # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states
+ State Time Spent(ms) Usage Rejected Above Below
+ S0 30348 542 8 271 0
+
+After: (Usage is not incrementing due to latency tolerance)
+======
+ # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states
+ State Time Spent(ms) Usage Rejected Above Below
+ S0 39319 626 14 307 0
+
+ # cat /sys/kernel/debug/pm_genpd/power-domain-cluster0/idle_states
+ State Time Spent(ms) Usage Rejected Above Below
+ S0 39319 626 14 307 0
+
+Signed-off-by: Maulik Shah <maulik.shah@oss.qualcomm.com>
+Fixes: e94999688e3a ("PM / Domains: Add genpd governor for CPUs")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250709-pmdomain_qos-v2-1-976b12257899@oss.qualcomm.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/power/domain_governor.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/drivers/base/power/domain_governor.c
++++ b/drivers/base/power/domain_governor.c
+@@ -8,6 +8,7 @@
+ #include <linux/pm_domain.h>
+ #include <linux/pm_qos.h>
+ #include <linux/hrtimer.h>
++#include <linux/cpu.h>
+ #include <linux/cpuidle.h>
+ #include <linux/cpumask.h>
+ #include <linux/ktime.h>
+@@ -345,6 +346,8 @@ static bool cpu_power_down_ok(struct dev
+ struct cpuidle_device *dev;
+ ktime_t domain_wakeup, next_hrtimer;
+ ktime_t now = ktime_get();
++ struct device *cpu_dev;
++ s64 cpu_constraint, global_constraint;
+ s64 idle_duration_ns;
+ int cpu, i;
+
+@@ -355,6 +358,7 @@ static bool cpu_power_down_ok(struct dev
+ if (!(genpd->flags & GENPD_FLAG_CPU_DOMAIN))
+ return true;
+
++ global_constraint = cpu_latency_qos_limit();
+ /*
+ * Find the next wakeup for any of the online CPUs within the PM domain
+ * and its subdomains. Note, we only need the genpd->cpus, as it already
+@@ -368,8 +372,16 @@ static bool cpu_power_down_ok(struct dev
+ if (ktime_before(next_hrtimer, domain_wakeup))
+ domain_wakeup = next_hrtimer;
+ }
++
++ cpu_dev = get_cpu_device(cpu);
++ if (cpu_dev) {
++ cpu_constraint = dev_pm_qos_raw_resume_latency(cpu_dev);
++ if (cpu_constraint < global_constraint)
++ global_constraint = cpu_constraint;
++ }
+ }
+
++ global_constraint *= NSEC_PER_USEC;
+ /* The minimum idle duration is from now - until the next wakeup. */
+ idle_duration_ns = ktime_to_ns(ktime_sub(domain_wakeup, now));
+ if (idle_duration_ns <= 0)
+@@ -385,8 +397,10 @@ static bool cpu_power_down_ok(struct dev
+ */
+ i = genpd->state_idx;
+ do {
+- if (idle_duration_ns >= (genpd->states[i].residency_ns +
+- genpd->states[i].power_off_latency_ns)) {
++ if ((idle_duration_ns >= (genpd->states[i].residency_ns +
++ genpd->states[i].power_off_latency_ns)) &&
++ (global_constraint >= (genpd->states[i].power_on_latency_ns +
++ genpd->states[i].power_off_latency_ns))) {
+ genpd->state_idx = i;
+ return true;
+ }
--- /dev/null
+From 6a5abf8cf182f577c7ae6c62f14debc9754ec986 Mon Sep 17 00:00:00 2001
+From: Ilya Leoshkevich <iii@linux.ibm.com>
+Date: Wed, 16 Jul 2025 21:35:06 +0200
+Subject: s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again
+
+From: Ilya Leoshkevich <iii@linux.ibm.com>
+
+commit 6a5abf8cf182f577c7ae6c62f14debc9754ec986 upstream.
+
+Commit 7ded842b356d ("s390/bpf: Fix bpf_plt pointer arithmetic") has
+accidentally removed the critical piece of commit c730fce7c70c
+("s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL"), causing
+intermittent kernel panics in e.g. perf's on_switch() prog to reappear.
+
+Restore the fix and add a comment.
+
+Fixes: 7ded842b356d ("s390/bpf: Fix bpf_plt pointer arithmetic")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Link: https://lore.kernel.org/r/20250716194524.48109-2-iii@linux.ibm.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/s390/net/bpf_jit_comp.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/arch/s390/net/bpf_jit_comp.c
++++ b/arch/s390/net/bpf_jit_comp.c
+@@ -539,7 +539,15 @@ static void bpf_jit_plt(struct bpf_plt *
+ {
+ memcpy(plt, &bpf_plt, sizeof(*plt));
+ plt->ret = ret;
+- plt->target = target;
++ /*
++ * (target == NULL) implies that the branch to this PLT entry was
++ * patched and became a no-op. However, some CPU could have jumped
++ * to this PLT entry before patching and may be still executing it.
++ *
++ * Since the intention in this case is to make the PLT entry a no-op,
++ * make the target point to the return label instead of NULL.
++ */
++ plt->target = target ?: ret;
+ }
+
+ /*
drm-amdgpu-gfx8-reset-compute-ring-wptr-on-the-gpu-on-resume.patch
alsa-hda-realtek-add-quirk-for-asus-rog-strix-g712lws.patch
io_uring-poll-fix-pollerr-handling.patch
-mptcp-reset-fallback-status-gracefully-at-disconnect-time.patch
phonet-pep-move-call-to-pn_skb_get_dst_sockaddr-earlier-in-pep_sock_accept.patch
net-mlx5-update-the-list-of-the-pci-supported-devices.patch
arm64-dts-imx8mp-venice-gw74xx-fix-tpm-spi-frequency.patch
net-libwx-remove-duplicate-page_pool_put_full_page.patch
net-libwx-fix-the-using-of-rx-buffer-dma.patch
net-libwx-properly-reset-rx-ring-descriptor.patch
+pmdomain-governor-consider-cpu-latency-tolerance-from-pm_domain_cpu_gov.patch
+s390-bpf-fix-bpf_arch_text_poke-with-new_addr-null-again.patch
+smb-client-fix-use-after-free-in-crypt_message-when-using-async-crypto.patch
+soc-aspeed-lpc-snoop-cleanup-resources-in-stack-order.patch
+soc-aspeed-lpc-snoop-don-t-disable-channels-that-aren-t-enabled.patch
+iio-accel-fxls8962af-fix-use-after-free-in-fxls8962af_fifo_flush.patch
+iio-adc-max1363-fix-max1363_4x_chans-max1363_8x_chans.patch
+iio-adc-max1363-reorder-mode_list-entries.patch
+iio-adc-stm32-adc-fix-race-in-installing-chained-irq-handler.patch
+comedi-pcl812-fix-bit-shift-out-of-bounds.patch
--- /dev/null
+From b220bed63330c0e1733dc06ea8e75d5b9962b6b6 Mon Sep 17 00:00:00 2001
+From: Wang Zhaolong <wangzhaolong@huaweicloud.com>
+Date: Sat, 5 Jul 2025 10:51:18 +0800
+Subject: smb: client: fix use-after-free in crypt_message when using async crypto
+
+From: Wang Zhaolong <wangzhaolong@huaweicloud.com>
+
+commit b220bed63330c0e1733dc06ea8e75d5b9962b6b6 upstream.
+
+The CVE-2024-50047 fix removed asynchronous crypto handling from
+crypt_message(), assuming all crypto operations are synchronous.
+However, when hardware crypto accelerators are used, this can cause
+use-after-free crashes:
+
+ crypt_message()
+ // Allocate the creq buffer containing the req
+ creq = smb2_get_aead_req(..., &req);
+
+ // Async encryption returns -EINPROGRESS immediately
+ rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req);
+
+ // Free creq while async operation is still in progress
+ kvfree_sensitive(creq, ...);
+
+Hardware crypto modules often implement async AEAD operations for
+performance. When crypto_aead_encrypt/decrypt() returns -EINPROGRESS,
+the operation completes asynchronously. Without crypto_wait_req(),
+the function immediately frees the request buffer, leading to crashes
+when the driver later accesses the freed memory.
+
+This results in a use-after-free condition when the hardware crypto
+driver later accesses the freed request structure, leading to kernel
+crashes with NULL pointer dereferences.
+
+The issue occurs because crypto_alloc_aead() with mask=0 doesn't
+guarantee synchronous operation. Even without CRYPTO_ALG_ASYNC in
+the mask, async implementations can be selected.
+
+Fix by restoring the async crypto handling:
+- DECLARE_CRYPTO_WAIT(wait) for completion tracking
+- aead_request_set_callback() for async completion notification
+- crypto_wait_req() to wait for operation completion
+
+This ensures the request buffer isn't freed until the crypto operation
+completes, whether synchronous or asynchronous, while preserving the
+CVE-2024-50047 fix.
+
+Fixes: b0abcd65ec54 ("smb: client: fix UAF in async decryption")
+Link: https://lore.kernel.org/all/8b784a13-87b0-4131-9ff9-7a8993538749@huaweicloud.com/
+Cc: stable@vger.kernel.org
+Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
+Signed-off-by: Wang Zhaolong <wangzhaolong@huaweicloud.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/smb2ops.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/fs/smb/client/smb2ops.c
++++ b/fs/smb/client/smb2ops.c
+@@ -4271,6 +4271,7 @@ crypt_message(struct TCP_Server_Info *se
+ u8 key[SMB3_ENC_DEC_KEY_SIZE];
+ struct aead_request *req;
+ u8 *iv;
++ DECLARE_CRYPTO_WAIT(wait);
+ unsigned int crypt_len = le32_to_cpu(tr_hdr->OriginalMessageSize);
+ void *creq;
+ size_t sensitive_size;
+@@ -4321,7 +4322,11 @@ crypt_message(struct TCP_Server_Info *se
+ aead_request_set_crypt(req, sg, sg, crypt_len, iv);
+ aead_request_set_ad(req, assoc_data_len);
+
+- rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req);
++ aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
++ crypto_req_done, &wait);
++
++ rc = crypto_wait_req(enc ? crypto_aead_encrypt(req)
++ : crypto_aead_decrypt(req), &wait);
+
+ if (!rc && enc)
+ memcpy(&tr_hdr->Signature, sign, SMB2_SIGNATURE_SIZE);
--- /dev/null
+From 8481d59be606d2338dbfe14b04cdbd1a3402c150 Mon Sep 17 00:00:00 2001
+From: Andrew Jeffery <andrew@codeconstruct.com.au>
+Date: Mon, 16 Jun 2025 22:43:38 +0930
+Subject: soc: aspeed: lpc-snoop: Cleanup resources in stack-order
+
+From: Andrew Jeffery <andrew@codeconstruct.com.au>
+
+commit 8481d59be606d2338dbfe14b04cdbd1a3402c150 upstream.
+
+Free the kfifo after unregistering the miscdev in
+aspeed_lpc_disable_snoop() as the kfifo is initialised before the
+miscdev in aspeed_lpc_enable_snoop().
+
+Fixes: 3772e5da4454 ("drivers/misc: Aspeed LPC snoop output using misc chardev")
+Cc: stable@vger.kernel.org
+Cc: Jean Delvare <jdelvare@suse.de>
+Acked-by: Jean Delvare <jdelvare@suse.de>
+Link: https://patch.msgid.link/20250616-aspeed-lpc-snoop-fixes-v2-1-3cdd59c934d3@codeconstruct.com.au
+Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/aspeed/aspeed-lpc-snoop.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c
++++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c
+@@ -263,8 +263,8 @@ static void aspeed_lpc_disable_snoop(str
+ return;
+ }
+
+- kfifo_free(&lpc_snoop->chan[channel].fifo);
+ misc_deregister(&lpc_snoop->chan[channel].miscdev);
++ kfifo_free(&lpc_snoop->chan[channel].fifo);
+ }
+
+ static int aspeed_lpc_snoop_probe(struct platform_device *pdev)
--- /dev/null
+From 56448e78a6bb4e1a8528a0e2efe94eff0400c247 Mon Sep 17 00:00:00 2001
+From: Andrew Jeffery <andrew@codeconstruct.com.au>
+Date: Mon, 16 Jun 2025 22:43:39 +0930
+Subject: soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled
+
+From: Andrew Jeffery <andrew@codeconstruct.com.au>
+
+commit 56448e78a6bb4e1a8528a0e2efe94eff0400c247 upstream.
+
+Mitigate e.g. the following:
+
+ # echo 1e789080.lpc-snoop > /sys/bus/platform/drivers/aspeed-lpc-snoop/unbind
+ ...
+ [ 120.363594] Unable to handle kernel NULL pointer dereference at virtual address 00000004 when write
+ [ 120.373866] [00000004] *pgd=00000000
+ [ 120.377910] Internal error: Oops: 805 [#1] SMP ARM
+ [ 120.383306] CPU: 1 UID: 0 PID: 315 Comm: sh Not tainted 6.15.0-rc1-00009-g926217bc7d7d-dirty #20 NONE
+ ...
+ [ 120.679543] Call trace:
+ [ 120.679559] misc_deregister from aspeed_lpc_snoop_remove+0x84/0xac
+ [ 120.692462] aspeed_lpc_snoop_remove from platform_remove+0x28/0x38
+ [ 120.700996] platform_remove from device_release_driver_internal+0x188/0x200
+ ...
+
+Fixes: 9f4f9ae81d0a ("drivers/misc: add Aspeed LPC snoop driver")
+Cc: stable@vger.kernel.org
+Cc: Jean Delvare <jdelvare@suse.de>
+Acked-by: Jean Delvare <jdelvare@suse.de>
+Link: https://patch.msgid.link/20250616-aspeed-lpc-snoop-fixes-v2-2-3cdd59c934d3@codeconstruct.com.au
+Signed-off-by: Andrew Jeffery <andrew@codeconstruct.com.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/aspeed/aspeed-lpc-snoop.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/soc/aspeed/aspeed-lpc-snoop.c
++++ b/drivers/soc/aspeed/aspeed-lpc-snoop.c
+@@ -58,6 +58,7 @@ struct aspeed_lpc_snoop_model_data {
+ };
+
+ struct aspeed_lpc_snoop_channel {
++ bool enabled;
+ struct kfifo fifo;
+ wait_queue_head_t wq;
+ struct miscdevice miscdev;
+@@ -190,6 +191,9 @@ static int aspeed_lpc_enable_snoop(struc
+ const struct aspeed_lpc_snoop_model_data *model_data =
+ of_device_get_match_data(dev);
+
++ if (WARN_ON(lpc_snoop->chan[channel].enabled))
++ return -EBUSY;
++
+ init_waitqueue_head(&lpc_snoop->chan[channel].wq);
+ /* Create FIFO datastructure */
+ rc = kfifo_alloc(&lpc_snoop->chan[channel].fifo,
+@@ -236,6 +240,8 @@ static int aspeed_lpc_enable_snoop(struc
+ regmap_update_bits(lpc_snoop->regmap, HICRB,
+ hicrb_en, hicrb_en);
+
++ lpc_snoop->chan[channel].enabled = true;
++
+ return 0;
+
+ err_misc_deregister:
+@@ -248,6 +254,9 @@ err_free_fifo:
+ static void aspeed_lpc_disable_snoop(struct aspeed_lpc_snoop *lpc_snoop,
+ int channel)
+ {
++ if (!lpc_snoop->chan[channel].enabled)
++ return;
++
+ switch (channel) {
+ case 0:
+ regmap_update_bits(lpc_snoop->regmap, HICR5,
+@@ -263,6 +272,8 @@ static void aspeed_lpc_disable_snoop(str
+ return;
+ }
+
++ lpc_snoop->chan[channel].enabled = false;
++ /* Consider improving safety wrt concurrent reader(s) */
+ misc_deregister(&lpc_snoop->chan[channel].miscdev);
+ kfifo_free(&lpc_snoop->chan[channel].fifo);
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
