--- /dev/null
+From 82fdcf9b518b205da040046fbe7747fb3fd18657 Mon Sep 17 00:00:00 2001
+From: Jaakko Salo <jaakkos@gmail.com>
+Date: Fri, 6 Dec 2024 18:44:48 +0200
+Subject: ALSA: usb-audio: Add implicit feedback quirk for Yamaha THR5
+
+From: Jaakko Salo <jaakkos@gmail.com>
+
+commit 82fdcf9b518b205da040046fbe7747fb3fd18657 upstream.
+
+Use implicit feedback from the capture endpoint to fix popping
+sounds during playback.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=219567
+Signed-off-by: Jaakko Salo <jaakkos@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20241206164448.8136-1-jaakkos@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/quirks.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -2067,6 +2067,8 @@ static const struct usb_audio_quirk_flag
+ QUIRK_FLAG_CTL_MSG_DELAY_1M | QUIRK_FLAG_MIC_RES_384),
+ DEVICE_FLG(0x046d, 0x09a4, /* Logitech QuickCam E 3500 */
+ QUIRK_FLAG_CTL_MSG_DELAY_1M | QUIRK_FLAG_IGNORE_CTL_ERROR),
++ DEVICE_FLG(0x0499, 0x1506, /* Yamaha THR5 */
++ QUIRK_FLAG_GENERIC_IMPLICIT_FB),
+ DEVICE_FLG(0x0499, 0x1509, /* Steinberg UR22 */
+ QUIRK_FLAG_GENERIC_IMPLICIT_FB),
+ DEVICE_FLG(0x0499, 0x3108, /* Yamaha YIT-W12TX */
--- /dev/null
+From 676fe1f6f74db988191dab5df3bf256908177072 Mon Sep 17 00:00:00 2001
+From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+Date: Thu, 5 Dec 2024 19:30:14 +0900
+Subject: ata: sata_highbank: fix OF node reference leak in highbank_initialize_phys()
+
+From: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+
+commit 676fe1f6f74db988191dab5df3bf256908177072 upstream.
+
+The OF node reference obtained by of_parse_phandle_with_args() is not
+released on early return. Add a of_node_put() call before returning.
+
+Fixes: 8996b89d6bc9 ("ata: add platform driver for Calxeda AHCI controller")
+Signed-off-by: Joe Hattori <joe@pf.is.s.u-tokyo.ac.jp>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/sata_highbank.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/ata/sata_highbank.c
++++ b/drivers/ata/sata_highbank.c
+@@ -348,6 +348,7 @@ static int highbank_initialize_phys(stru
+ phy_nodes[phy] = phy_data.np;
+ cphy_base[phy] = of_iomap(phy_nodes[phy], 0);
+ if (cphy_base[phy] == NULL) {
++ of_node_put(phy_data.np);
+ return 0;
+ }
+ phy_count += 1;
--- /dev/null
+From 86e6ca55b83c575ab0f2e105cf08f98e58d3d7af Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Fri, 6 Dec 2024 07:59:51 -1000
+Subject: blk-cgroup: Fix UAF in blkcg_unpin_online()
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 86e6ca55b83c575ab0f2e105cf08f98e58d3d7af upstream.
+
+blkcg_unpin_online() walks up the blkcg hierarchy putting the online pin. To
+walk up, it uses blkcg_parent(blkcg) but it was calling that after
+blkcg_destroy_blkgs(blkcg) which could free the blkcg, leading to the
+following UAF:
+
+ ==================================================================
+ BUG: KASAN: slab-use-after-free in blkcg_unpin_online+0x15a/0x270
+ Read of size 8 at addr ffff8881057678c0 by task kworker/9:1/117
+
+ CPU: 9 UID: 0 PID: 117 Comm: kworker/9:1 Not tainted 6.13.0-rc1-work-00182-gb8f52214c61a-dirty #48
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 02/02/2022
+ Workqueue: cgwb_release cgwb_release_workfn
+ Call Trace:
+ <TASK>
+ dump_stack_lvl+0x27/0x80
+ print_report+0x151/0x710
+ kasan_report+0xc0/0x100
+ blkcg_unpin_online+0x15a/0x270
+ cgwb_release_workfn+0x194/0x480
+ process_scheduled_works+0x71b/0xe20
+ worker_thread+0x82a/0xbd0
+ kthread+0x242/0x2c0
+ ret_from_fork+0x33/0x70
+ ret_from_fork_asm+0x1a/0x30
+ </TASK>
+ ...
+ Freed by task 1944:
+ kasan_save_track+0x2b/0x70
+ kasan_save_free_info+0x3c/0x50
+ __kasan_slab_free+0x33/0x50
+ kfree+0x10c/0x330
+ css_free_rwork_fn+0xe6/0xb30
+ process_scheduled_works+0x71b/0xe20
+ worker_thread+0x82a/0xbd0
+ kthread+0x242/0x2c0
+ ret_from_fork+0x33/0x70
+ ret_from_fork_asm+0x1a/0x30
+
+Note that the UAF is not easy to trigger as the free path is indirected
+behind a couple RCU grace periods and a work item execution. I could only
+trigger it with artifical msleep() injected in blkcg_unpin_online().
+
+Fix it by reading the parent pointer before destroying the blkcg's blkg's.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-by: Abagail ren <renzezhongucas@gmail.com>
+Suggested-by: Linus Torvalds <torvalds@linuxfoundation.org>
+Fixes: 4308a434e5e0 ("blkcg: don't offline parent blkcg first")
+Cc: stable@vger.kernel.org # v5.7+
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-cgroup.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/block/blk-cgroup.c
++++ b/block/blk-cgroup.c
+@@ -1325,10 +1325,14 @@ void blkcg_unpin_online(struct cgroup_su
+ struct blkcg *blkcg = css_to_blkcg(blkcg_css);
+
+ do {
++ struct blkcg *parent;
++
+ if (!refcount_dec_and_test(&blkcg->online_pin))
+ break;
++
++ parent = blkcg_parent(blkcg);
+ blkcg_destroy_blkgs(blkcg);
+- blkcg = blkcg_parent(blkcg);
++ blkcg = parent;
+ } while (blkcg);
+ }
+
--- /dev/null
+From ef1b808e3b7c98612feceedf985c2fbbeb28f956 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Tue, 10 Dec 2024 17:32:13 +0100
+Subject: bpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors
+
+From: Jann Horn <jannh@google.com>
+
+commit ef1b808e3b7c98612feceedf985c2fbbeb28f956 upstream.
+
+Uprobes always use bpf_prog_run_array_uprobe() under tasks-trace-RCU
+protection. But it is possible to attach a non-sleepable BPF program to a
+uprobe, and non-sleepable BPF programs are freed via normal RCU (see
+__bpf_prog_put_noref()). This leads to UAF of the bpf_prog because a normal
+RCU grace period does not imply a tasks-trace-RCU grace period.
+
+Fix it by explicitly waiting for a tasks-trace-RCU grace period after
+removing the attachment of a bpf_prog to a perf_event.
+
+Fixes: 8c7dcb84e3b7 ("bpf: implement sleepable uprobes by chaining gps")
+Suggested-by: Andrii Nakryiko <andrii@kernel.org>
+Suggested-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/bpf/20241210-bpf-fix-actual-uprobe-uaf-v1-1-19439849dd44@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/trace/bpf_trace.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/kernel/trace/bpf_trace.c
++++ b/kernel/trace/bpf_trace.c
+@@ -2224,6 +2224,13 @@ void perf_event_detach_bpf_prog(struct p
+ bpf_prog_array_free_sleepable(old_array);
+ }
+
++ /*
++ * It could be that the bpf_prog is not sleepable (and will be freed
++ * via normal RCU), but is called from a point that supports sleepable
++ * programs and uses tasks-trace-RCU.
++ */
++ synchronize_rcu_tasks_trace();
++
+ bpf_prog_put(event->prog);
+ event->prog = NULL;
+
--- /dev/null
+From b95629435b84b9ecc0c765995204a4d8a913ed52 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Thu, 5 Dec 2024 21:38:47 +0900
+Subject: ksmbd: fix racy issue from session lookup and expire
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit b95629435b84b9ecc0c765995204a4d8a913ed52 upstream.
+
+Increment the session reference count within the lock for lookup to avoid
+racy issue with session expire.
+
+Cc: stable@vger.kernel.org
+Reported-by: zdi-disclosures@trendmicro.com # ZDI-CAN-25737
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/auth.c | 2 ++
+ fs/smb/server/mgmt/user_session.c | 6 +++++-
+ fs/smb/server/server.c | 4 ++--
+ fs/smb/server/smb2pdu.c | 27 ++++++++++++++-------------
+ 4 files changed, 23 insertions(+), 16 deletions(-)
+
+--- a/fs/smb/server/auth.c
++++ b/fs/smb/server/auth.c
+@@ -1012,6 +1012,8 @@ static int ksmbd_get_encryption_key(stru
+
+ ses_enc_key = enc ? sess->smb3encryptionkey :
+ sess->smb3decryptionkey;
++ if (enc)
++ ksmbd_user_session_get(sess);
+ memcpy(key, ses_enc_key, SMB3_ENC_DEC_KEY_SIZE);
+
+ return 0;
+--- a/fs/smb/server/mgmt/user_session.c
++++ b/fs/smb/server/mgmt/user_session.c
+@@ -262,8 +262,10 @@ struct ksmbd_session *ksmbd_session_look
+
+ down_read(&conn->session_lock);
+ sess = xa_load(&conn->sessions, id);
+- if (sess)
++ if (sess) {
+ sess->last_active = jiffies;
++ ksmbd_user_session_get(sess);
++ }
+ up_read(&conn->session_lock);
+ return sess;
+ }
+@@ -274,6 +276,8 @@ struct ksmbd_session *ksmbd_session_look
+
+ down_read(&sessions_table_lock);
+ sess = __session_lookup(id);
++ if (sess)
++ ksmbd_user_session_get(sess);
+ up_read(&sessions_table_lock);
+
+ return sess;
+--- a/fs/smb/server/server.c
++++ b/fs/smb/server/server.c
+@@ -241,14 +241,14 @@ send:
+ if (work->tcon)
+ ksmbd_tree_connect_put(work->tcon);
+ smb3_preauth_hash_rsp(work);
+- if (work->sess)
+- ksmbd_user_session_put(work->sess);
+ if (work->sess && work->sess->enc && work->encrypted &&
+ conn->ops->encrypt_resp) {
+ rc = conn->ops->encrypt_resp(work);
+ if (rc < 0)
+ conn->ops->set_rsp_status(work, STATUS_DATA_ERROR);
+ }
++ if (work->sess)
++ ksmbd_user_session_put(work->sess);
+
+ ksmbd_conn_write(work);
+ }
+--- a/fs/smb/server/smb2pdu.c
++++ b/fs/smb/server/smb2pdu.c
+@@ -67,8 +67,10 @@ static inline bool check_session_id(stru
+ return false;
+
+ sess = ksmbd_session_lookup_all(conn, id);
+- if (sess)
++ if (sess) {
++ ksmbd_user_session_put(sess);
+ return true;
++ }
+ pr_err("Invalid user session id: %llu\n", id);
+ return false;
+ }
+@@ -605,10 +607,8 @@ int smb2_check_user_session(struct ksmbd
+
+ /* Check for validity of user session */
+ work->sess = ksmbd_session_lookup_all(conn, sess_id);
+- if (work->sess) {
+- ksmbd_user_session_get(work->sess);
++ if (work->sess)
+ return 1;
+- }
+ ksmbd_debug(SMB, "Invalid user session, Uid %llu\n", sess_id);
+ return -ENOENT;
+ }
+@@ -1704,29 +1704,35 @@ int smb2_sess_setup(struct ksmbd_work *w
+
+ if (conn->dialect != sess->dialect) {
+ rc = -EINVAL;
++ ksmbd_user_session_put(sess);
+ goto out_err;
+ }
+
+ if (!(req->hdr.Flags & SMB2_FLAGS_SIGNED)) {
+ rc = -EINVAL;
++ ksmbd_user_session_put(sess);
+ goto out_err;
+ }
+
+ if (strncmp(conn->ClientGUID, sess->ClientGUID,
+ SMB2_CLIENT_GUID_SIZE)) {
+ rc = -ENOENT;
++ ksmbd_user_session_put(sess);
+ goto out_err;
+ }
+
+ if (sess->state == SMB2_SESSION_IN_PROGRESS) {
+ rc = -EACCES;
++ ksmbd_user_session_put(sess);
+ goto out_err;
+ }
+
+ if (sess->state == SMB2_SESSION_EXPIRED) {
+ rc = -EFAULT;
++ ksmbd_user_session_put(sess);
+ goto out_err;
+ }
++ ksmbd_user_session_put(sess);
+
+ if (ksmbd_conn_need_reconnect(conn)) {
+ rc = -EFAULT;
+@@ -1734,7 +1740,8 @@ int smb2_sess_setup(struct ksmbd_work *w
+ goto out_err;
+ }
+
+- if (ksmbd_session_lookup(conn, sess_id)) {
++ sess = ksmbd_session_lookup(conn, sess_id);
++ if (!sess) {
+ rc = -EACCES;
+ goto out_err;
+ }
+@@ -1745,7 +1752,6 @@ int smb2_sess_setup(struct ksmbd_work *w
+ }
+
+ conn->binding = true;
+- ksmbd_user_session_get(sess);
+ } else if ((conn->dialect < SMB30_PROT_ID ||
+ server_conf.flags & KSMBD_GLOBAL_FLAG_SMB3_MULTICHANNEL) &&
+ (req->Flags & SMB2_SESSION_REQ_FLAG_BINDING)) {
+@@ -1772,7 +1778,6 @@ int smb2_sess_setup(struct ksmbd_work *w
+ }
+
+ conn->binding = false;
+- ksmbd_user_session_get(sess);
+ }
+ work->sess = sess;
+
+@@ -2196,9 +2201,9 @@ err_out:
+ int smb2_session_logoff(struct ksmbd_work *work)
+ {
+ struct ksmbd_conn *conn = work->conn;
++ struct ksmbd_session *sess = work->sess;
+ struct smb2_logoff_req *req;
+ struct smb2_logoff_rsp *rsp;
+- struct ksmbd_session *sess;
+ u64 sess_id;
+ int err;
+
+@@ -2220,11 +2225,6 @@ int smb2_session_logoff(struct ksmbd_wor
+ ksmbd_close_session_fds(work);
+ ksmbd_conn_wait_idle(conn);
+
+- /*
+- * Re-lookup session to validate if session is deleted
+- * while waiting request complete
+- */
+- sess = ksmbd_session_lookup_all(conn, sess_id);
+ if (ksmbd_tree_conn_session_logoff(sess)) {
+ ksmbd_debug(SMB, "Invalid tid %d\n", req->hdr.Id.SyncId.TreeId);
+ rsp->hdr.Status = STATUS_NETWORK_NAME_DELETED;
+@@ -8964,6 +8964,7 @@ int smb3_decrypt_req(struct ksmbd_work *
+ le64_to_cpu(tr_hdr->SessionId));
+ return -ECONNABORTED;
+ }
++ ksmbd_user_session_put(sess);
+
+ iov[0].iov_base = buf;
+ iov[0].iov_len = sizeof(struct smb2_transform_hdr) + 4;
--- /dev/null
+From 9f3de72a0c37005f897d69e4bdd59c25b8898447 Mon Sep 17 00:00:00 2001
+From: Kan Liang <kan.liang@linux.intel.com>
+Date: Tue, 19 Nov 2024 05:55:01 -0800
+Subject: perf/x86/intel/ds: Unconditionally drain PEBS DS when changing PEBS_DATA_CFG
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+commit 9f3de72a0c37005f897d69e4bdd59c25b8898447 upstream.
+
+The PEBS kernel warnings can still be observed with the below case.
+
+when the below commands are running in parallel for a while.
+
+ while true;
+ do
+ perf record --no-buildid -a --intr-regs=AX \
+ -e cpu/event=0xd0,umask=0x81/pp \
+ -c 10003 -o /dev/null ./triad;
+ done &
+
+ while true;
+ do
+ perf record -e 'cpu/mem-loads,ldlat=3/uP' -W -d -- ./dtlb
+ done
+
+The commit b752ea0c28e3 ("perf/x86/intel/ds: Flush PEBS DS when changing
+PEBS_DATA_CFG") intends to flush the entire PEBS buffer before the
+hardware is reprogrammed. However, it fails in the above case.
+
+The first perf command utilizes the large PEBS, while the second perf
+command only utilizes a single PEBS. When the second perf event is
+added, only the n_pebs++. The intel_pmu_pebs_enable() is invoked after
+intel_pmu_pebs_add(). So the cpuc->n_pebs == cpuc->n_large_pebs check in
+the intel_pmu_drain_large_pebs() fails. The PEBS DS is not flushed.
+The new PEBS event should not be taken into account when flushing the
+existing PEBS DS.
+
+The check is unnecessary here. Before the hardware is reprogrammed, all
+the stale records must be drained unconditionally.
+
+For single PEBS or PEBS-vi-pt, the DS must be empty. The drain_pebs()
+can handle the empty case. There is no harm to unconditionally drain the
+PEBS DS.
+
+Fixes: b752ea0c28e3 ("perf/x86/intel/ds: Flush PEBS DS when changing PEBS_DATA_CFG")
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20241119135504.1463839-2-kan.liang@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/intel/ds.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/events/intel/ds.c
++++ b/arch/x86/events/intel/ds.c
+@@ -1354,7 +1354,7 @@ void intel_pmu_pebs_enable(struct perf_e
+ * hence we need to drain when changing said
+ * size.
+ */
+- intel_pmu_drain_large_pebs(cpuc);
++ intel_pmu_drain_pebs_buffer();
+ adaptive_pebs_record_size_update();
+ wrmsrl(MSR_PEBS_DATA_CFG, pebs_data_cfg);
+ cpuc->active_pebs_data_cfg = pebs_data_cfg;
--- /dev/null
+From b3431a8bb336cece8adc452437befa7d4534b2fd Mon Sep 17 00:00:00 2001
+From: Alexandre Ghiti <alexghiti@rivosinc.com>
+Date: Mon, 9 Dec 2024 08:41:25 +0100
+Subject: riscv: Fix IPIs usage in kfence_protect_page()
+
+From: Alexandre Ghiti <alexghiti@rivosinc.com>
+
+commit b3431a8bb336cece8adc452437befa7d4534b2fd upstream.
+
+flush_tlb_kernel_range() may use IPIs to flush the TLBs of all the
+cores, which triggers the following warning when the irqs are disabled:
+
+[ 3.455330] WARNING: CPU: 1 PID: 0 at kernel/smp.c:815 smp_call_function_many_cond+0x452/0x520
+[ 3.456647] Modules linked in:
+[ 3.457218] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.12.0-rc7-00010-g91d3de7240b8 #1
+[ 3.457416] Hardware name: QEMU QEMU Virtual Machine, BIOS
+[ 3.457633] epc : smp_call_function_many_cond+0x452/0x520
+[ 3.457736] ra : on_each_cpu_cond_mask+0x1e/0x30
+[ 3.457786] epc : ffffffff800b669a ra : ffffffff800b67c2 sp : ff2000000000bb50
+[ 3.457824] gp : ffffffff815212b8 tp : ff6000008014f080 t0 : 000000000000003f
+[ 3.457859] t1 : ffffffff815221e0 t2 : 000000000000000f s0 : ff2000000000bc10
+[ 3.457920] s1 : 0000000000000040 a0 : ffffffff815221e0 a1 : 0000000000000001
+[ 3.457953] a2 : 0000000000010000 a3 : 0000000000000003 a4 : 0000000000000000
+[ 3.458006] a5 : 0000000000000000 a6 : ffffffffffffffff a7 : 0000000000000000
+[ 3.458042] s2 : ffffffff815223be s3 : 00fffffffffff000 s4 : ff600001ffe38fc0
+[ 3.458076] s5 : ff600001ff950d00 s6 : 0000000200000120 s7 : 0000000000000001
+[ 3.458109] s8 : 0000000000000001 s9 : ff60000080841ef0 s10: 0000000000000001
+[ 3.458141] s11: ffffffff81524812 t3 : 0000000000000001 t4 : ff60000080092bc0
+[ 3.458172] t5 : 0000000000000000 t6 : ff200000000236d0
+[ 3.458203] status: 0000000200000100 badaddr: ffffffff800b669a cause: 0000000000000003
+[ 3.458373] [<ffffffff800b669a>] smp_call_function_many_cond+0x452/0x520
+[ 3.458593] [<ffffffff800b67c2>] on_each_cpu_cond_mask+0x1e/0x30
+[ 3.458625] [<ffffffff8000e4ca>] __flush_tlb_range+0x118/0x1ca
+[ 3.458656] [<ffffffff8000e6b2>] flush_tlb_kernel_range+0x1e/0x26
+[ 3.458683] [<ffffffff801ea56a>] kfence_protect+0xc0/0xce
+[ 3.458717] [<ffffffff801e9456>] kfence_guarded_free+0xc6/0x1c0
+[ 3.458742] [<ffffffff801e9d6c>] __kfence_free+0x62/0xc6
+[ 3.458764] [<ffffffff801c57d8>] kfree+0x106/0x32c
+[ 3.458786] [<ffffffff80588cf2>] detach_buf_split+0x188/0x1a8
+[ 3.458816] [<ffffffff8058708c>] virtqueue_get_buf_ctx+0xb6/0x1f6
+[ 3.458839] [<ffffffff805871da>] virtqueue_get_buf+0xe/0x16
+[ 3.458880] [<ffffffff80613d6a>] virtblk_done+0x5c/0xe2
+[ 3.458908] [<ffffffff8058766e>] vring_interrupt+0x6a/0x74
+[ 3.458930] [<ffffffff800747d8>] __handle_irq_event_percpu+0x7c/0xe2
+[ 3.458956] [<ffffffff800748f0>] handle_irq_event+0x3c/0x86
+[ 3.458978] [<ffffffff800786cc>] handle_simple_irq+0x9e/0xbe
+[ 3.459004] [<ffffffff80073934>] generic_handle_domain_irq+0x1c/0x2a
+[ 3.459027] [<ffffffff804bf87c>] imsic_handle_irq+0xba/0x120
+[ 3.459056] [<ffffffff80073934>] generic_handle_domain_irq+0x1c/0x2a
+[ 3.459080] [<ffffffff804bdb76>] riscv_intc_aia_irq+0x24/0x34
+[ 3.459103] [<ffffffff809d0452>] handle_riscv_irq+0x2e/0x4c
+[ 3.459133] [<ffffffff809d923e>] call_on_irq_stack+0x32/0x40
+
+So only flush the local TLB and let the lazy kfence page fault handling
+deal with the faults which could happen when a core has an old protected
+pte version cached in its TLB. That leads to potential inaccuracies which
+can be tolerated when using kfence.
+
+Fixes: 47513f243b45 ("riscv: Enable KFENCE for riscv64")
+Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20241209074125.52322-1-alexghiti@rivosinc.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/include/asm/kfence.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/riscv/include/asm/kfence.h
++++ b/arch/riscv/include/asm/kfence.h
+@@ -22,7 +22,9 @@ static inline bool kfence_protect_page(u
+ else
+ set_pte(pte, __pte(pte_val(ptep_get(pte)) | _PAGE_PRESENT));
+
+- flush_tlb_kernel_range(addr, addr + PAGE_SIZE);
++ preempt_disable();
++ local_flush_tlb_kernel_range(addr, addr + PAGE_SIZE);
++ preempt_enable();
+
+ return true;
+ }
--- /dev/null
+From c796e187201242992d6d292bfeff41aadfdf3f29 Mon Sep 17 00:00:00 2001
+From: Alexandre Ghiti <alexghiti@rivosinc.com>
+Date: Mon, 9 Dec 2024 08:45:08 +0100
+Subject: riscv: Fix wrong usage of __pa() on a fixmap address
+
+From: Alexandre Ghiti <alexghiti@rivosinc.com>
+
+commit c796e187201242992d6d292bfeff41aadfdf3f29 upstream.
+
+riscv uses fixmap addresses to map the dtb so we can't use __pa() which
+is reserved for linear mapping addresses.
+
+Fixes: b2473a359763 ("of/fdt: add dt_phys arg to early_init_dt_scan and early_init_dt_verify")
+Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Link: https://lore.kernel.org/r/20241209074508.53037-1-alexghiti@rivosinc.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/kernel/setup.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/riscv/kernel/setup.c
++++ b/arch/riscv/kernel/setup.c
+@@ -246,7 +246,7 @@ static void __init init_resources(void)
+ static void __init parse_dtb(void)
+ {
+ /* Early scan of device tree from init memory */
+- if (early_init_dt_scan(dtb_early_va, __pa(dtb_early_va))) {
++ if (early_init_dt_scan(dtb_early_va, dtb_early_pa)) {
+ const char *name = of_flat_dt_get_machine_name();
+
+ if (name) {
--- /dev/null
+From f103396ae31851d00b561ff9f8a32a441953ff8b Mon Sep 17 00:00:00 2001
+From: liuderong <liuderong@oppo.com>
+Date: Fri, 6 Dec 2024 15:29:42 +0800
+Subject: scsi: ufs: core: Update compl_time_stamp_local_clock after completing a cqe
+
+From: liuderong <liuderong@oppo.com>
+
+commit f103396ae31851d00b561ff9f8a32a441953ff8b upstream.
+
+lrbp->compl_time_stamp_local_clock is set to zero after sending a sqe
+but it is not updated after completing a cqe. Thus the printed
+information in ufshcd_print_tr() will always be zero.
+
+Update lrbp->cmpl_time_stamp_local_clock after completing a cqe.
+
+Log sample:
+
+ufshcd-qcom 1d84000.ufshc: UPIU[8] - issue time 8750227249 us
+ufshcd-qcom 1d84000.ufshc: UPIU[8] - complete time 0 us
+
+Fixes: c30d8d010b5e ("scsi: ufs: core: Prepare for completion in MCQ")
+Reviewed-by: Bean Huo <beanhuo@micron.com>
+Reviewed-by: Peter Wang <peter.wang@mediatek.com>
+Signed-off-by: liuderong <liuderong@oppo.com>
+Link: https://lore.kernel.org/r/1733470182-220841-1-git-send-email-liuderong@oppo.com
+Reviewed-by: Avri Altman <avri.altman@wdc.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ufs/core/ufshcd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/ufs/core/ufshcd.c
++++ b/drivers/ufs/core/ufshcd.c
+@@ -5439,6 +5439,7 @@ void ufshcd_compl_one_cqe(struct ufs_hba
+
+ lrbp = &hba->lrb[task_tag];
+ lrbp->compl_time_stamp = ktime_get();
++ lrbp->compl_time_stamp_local_clock = local_clock();
+ cmd = lrbp->cmd;
+ if (cmd) {
+ if (unlikely(ufshcd_should_inform_monitor(hba, lrbp)))
--- /dev/null
+bpf-fix-uaf-via-mismatching-bpf_prog-attachment-rcu-flavors.patch
+perf-x86-intel-ds-unconditionally-drain-pebs-ds-when-changing-pebs_data_cfg.patch
+ksmbd-fix-racy-issue-from-session-lookup-and-expire.patch
+splice-do-not-checksum-af_unix-sockets.patch
+tcp-check-space-before-adding-mptcp-syn-options.patch
+riscv-fix-wrong-usage-of-__pa-on-a-fixmap-address.patch
+blk-cgroup-fix-uaf-in-blkcg_unpin_online.patch
+alsa-usb-audio-add-implicit-feedback-quirk-for-yamaha-thr5.patch
+riscv-fix-ipis-usage-in-kfence_protect_page.patch
+usb-host-max3421-hcd-correctly-abort-a-usb-request.patch
+ata-sata_highbank-fix-of-node-reference-leak-in-highbank_initialize_phys.patch
+usb-dwc2-fix-hcd-resume.patch
+usb-dwc2-hcd-fix-getportstatus-setportfeature.patch
+usb-dwc2-fix-hcd-port-connection-race.patch
+scsi-ufs-core-update-compl_time_stamp_local_clock-after-completing-a-cqe.patch
--- /dev/null
+From 6bd8614fc2d076fc21b7488c9f279853960964e2 Mon Sep 17 00:00:00 2001
+From: Frederik Deweerdt <deweerdt.lkml@gmail.com>
+Date: Mon, 9 Dec 2024 21:06:48 -0800
+Subject: splice: do not checksum AF_UNIX sockets
+
+From: Frederik Deweerdt <deweerdt.lkml@gmail.com>
+
+commit 6bd8614fc2d076fc21b7488c9f279853960964e2 upstream.
+
+When `skb_splice_from_iter` was introduced, it inadvertently added
+checksumming for AF_UNIX sockets. This resulted in significant
+slowdowns, for example when using sendfile over unix sockets.
+
+Using the test code in [1] in my test setup (2G single core qemu),
+the client receives a 1000M file in:
+- without the patch: 1482ms (+/- 36ms)
+- with the patch: 652.5ms (+/- 22.9ms)
+
+This commit addresses the issue by marking checksumming as unnecessary in
+`unix_stream_sendmsg`
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Frederik Deweerdt <deweerdt.lkml@gmail.com>
+Fixes: 2e910b95329c ("net: Add a function to splice pages into an skbuff for MSG_SPLICE_PAGES")
+Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Reviewed-by: Joe Damato <jdamato@fastly.com>
+Link: https://patch.msgid.link/Z1fMaHkRf8cfubuE@xiberoa
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/unix/af_unix.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -2219,6 +2219,7 @@ static int unix_stream_sendmsg(struct so
+ fds_sent = true;
+
+ if (unlikely(msg->msg_flags & MSG_SPLICE_PAGES)) {
++ skb->ip_summed = CHECKSUM_UNNECESSARY;
+ err = skb_splice_from_iter(skb, &msg->msg_iter, size,
+ sk->sk_allocation);
+ if (err < 0) {
--- /dev/null
+From 06d64ab46f19ac12f59a1d2aa8cd196b2e4edb5b Mon Sep 17 00:00:00 2001
+From: MoYuanhao <moyuanhao3676@163.com>
+Date: Mon, 9 Dec 2024 13:28:14 +0100
+Subject: tcp: check space before adding MPTCP SYN options
+
+From: MoYuanhao <moyuanhao3676@163.com>
+
+commit 06d64ab46f19ac12f59a1d2aa8cd196b2e4edb5b upstream.
+
+Ensure there is enough space before adding MPTCP options in
+tcp_syn_options().
+
+Without this check, 'remaining' could underflow, and causes issues. If
+there is not enough space, MPTCP should not be used.
+
+Signed-off-by: MoYuanhao <moyuanhao3676@163.com>
+Fixes: cec37a6e41aa ("mptcp: Handle MP_CAPABLE options for outgoing connections")
+Cc: stable@vger.kernel.org
+Acked-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+[ Matt: Add Fixes, cc Stable, update Description ]
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Link: https://patch.msgid.link/20241209-net-mptcp-check-space-syn-v1-1-2da992bb6f74@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/tcp_output.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -837,8 +837,10 @@ static unsigned int tcp_syn_options(stru
+ unsigned int size;
+
+ if (mptcp_syn_options(sk, skb, &size, &opts->mptcp)) {
+- opts->options |= OPTION_MPTCP;
+- remaining -= size;
++ if (remaining >= size) {
++ opts->options |= OPTION_MPTCP;
++ remaining -= size;
++ }
+ }
+ }
+
--- /dev/null
+From 1cf1bd88f129f3bd647fead4dca270a5894274bb Mon Sep 17 00:00:00 2001
+From: Stefan Wahren <wahrenst@gmx.net>
+Date: Mon, 2 Dec 2024 01:16:31 +0100
+Subject: usb: dwc2: Fix HCD port connection race
+
+From: Stefan Wahren <wahrenst@gmx.net>
+
+commit 1cf1bd88f129f3bd647fead4dca270a5894274bb upstream.
+
+On Raspberry Pis without onboard USB hub frequent device reconnects
+can trigger a interrupt storm after DWC2 entered host clock gating.
+This is caused by a race between _dwc2_hcd_suspend() and the port
+interrupt, which sets port_connect_status. The issue occurs if
+port_connect_status is still 1, but there is no connection anymore:
+
+usb 1-1: USB disconnect, device number 25
+dwc2 3f980000.usb: _dwc2_hcd_suspend: port_connect_status: 1
+dwc2 3f980000.usb: Entering host clock gating.
+Disabling IRQ #66
+irq 66: nobody cared (try booting with the "irqpoll" option)
+CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.0-gc1bb81b13202-dirty #322
+Hardware name: BCM2835
+Call trace:
+ unwind_backtrace from show_stack+0x10/0x14
+ show_stack from dump_stack_lvl+0x50/0x64
+ dump_stack_lvl from __report_bad_irq+0x38/0xc0
+ __report_bad_irq from note_interrupt+0x2ac/0x2f4
+ note_interrupt from handle_irq_event+0x88/0x8c
+ handle_irq_event from handle_level_irq+0xb4/0x1ac
+ handle_level_irq from generic_handle_domain_irq+0x24/0x34
+ generic_handle_domain_irq from bcm2836_chained_handle_irq+0x24/0x28
+ bcm2836_chained_handle_irq from generic_handle_domain_irq+0x24/0x34
+ generic_handle_domain_irq from generic_handle_arch_irq+0x34/0x44
+ generic_handle_arch_irq from __irq_svc+0x88/0xb0
+ Exception stack(0xc1d01f20 to 0xc1d01f68)
+ 1f20: 0004ef3c 00000001 00000000 00000000 c1d09780 c1f6bb5c c1d04e54 c1c60ca8
+ 1f40: c1d04e94 00000000 00000000 c1d092a8 c1f6af20 c1d01f70 c1211b98 c1212f40
+ 1f60: 60000013 ffffffff
+ __irq_svc from default_idle_call+0x1c/0xb0
+ default_idle_call from do_idle+0x21c/0x284
+ do_idle from cpu_startup_entry+0x28/0x2c
+ cpu_startup_entry from kernel_init+0x0/0x12c
+handlers:
+ [<e3a25c00>] dwc2_handle_common_intr
+ [<58bf98a3>] usb_hcd_irq
+Disabling IRQ #66
+
+So avoid this by reading the connection status directly.
+
+Fixes: 113f86d0c302 ("usb: dwc2: Update partial power down entering by system suspend")
+Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
+Link: https://lore.kernel.org/r/20241202001631.75473-4-wahrenst@gmx.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc2/hcd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc2/hcd.c
++++ b/drivers/usb/dwc2/hcd.c
+@@ -4345,7 +4345,7 @@ static int _dwc2_hcd_suspend(struct usb_
+ if (hsotg->bus_suspended)
+ goto skip_power_saving;
+
+- if (hsotg->flags.b.port_connect_status == 0)
++ if (!(dwc2_read_hprt0(hsotg) & HPRT0_CONNSTS))
+ goto skip_power_saving;
+
+ switch (hsotg->params.power_down) {
--- /dev/null
+From 336f72d3cbf5cc17df2947bbbd2ba6e2509f17e8 Mon Sep 17 00:00:00 2001
+From: Stefan Wahren <wahrenst@gmx.net>
+Date: Mon, 2 Dec 2024 01:16:29 +0100
+Subject: usb: dwc2: Fix HCD resume
+
+From: Stefan Wahren <wahrenst@gmx.net>
+
+commit 336f72d3cbf5cc17df2947bbbd2ba6e2509f17e8 upstream.
+
+The Raspberry Pi can suffer on interrupt storms on HCD resume. The dwc2
+driver sometimes misses to enable HCD_FLAG_HW_ACCESSIBLE before re-enabling
+the interrupts. This causes a situation where both handler ignore a incoming
+port interrupt and force the upper layers to disable the dwc2 interrupt
+line. This leaves the USB interface in a unusable state:
+
+irq 66: nobody cared (try booting with the "irqpoll" option)
+CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 6.10.0-rc3
+Hardware name: BCM2835
+Call trace:
+unwind_backtrace from show_stack+0x10/0x14
+show_stack from dump_stack_lvl+0x50/0x64
+dump_stack_lvl from __report_bad_irq+0x38/0xc0
+__report_bad_irq from note_interrupt+0x2ac/0x2f4
+note_interrupt from handle_irq_event+0x88/0x8c
+handle_irq_event from handle_level_irq+0xb4/0x1ac
+handle_level_irq from generic_handle_domain_irq+0x24/0x34
+generic_handle_domain_irq from bcm2836_chained_handle_irq+0x24/0x28
+bcm2836_chained_handle_irq from generic_handle_domain_irq+0x24/0x34
+generic_handle_domain_irq from generic_handle_arch_irq+0x34/0x44
+generic_handle_arch_irq from __irq_svc+0x88/0xb0
+Exception stack(0xc1b01f20 to 0xc1b01f68)
+1f20: 0005c0d4 00000001 00000000 00000000 c1b09780 c1d6b32c c1b04e54 c1a5eae8
+1f40: c1b04e90 00000000 00000000 00000000 c1d6a8a0 c1b01f70 c11d2da8 c11d4160
+1f60: 60000013 ffffffff
+__irq_svc from default_idle_call+0x1c/0xb0
+default_idle_call from do_idle+0x21c/0x284
+do_idle from cpu_startup_entry+0x28/0x2c
+cpu_startup_entry from kernel_init+0x0/0x12c
+handlers:
+[<f539e0f4>] dwc2_handle_common_intr
+[<75cd278b>] usb_hcd_irq
+Disabling IRQ #66
+
+So enable the HCD_FLAG_HW_ACCESSIBLE flag in case there is a port
+connection.
+
+Fixes: c74c26f6e398 ("usb: dwc2: Fix partial power down exiting by system resume")
+Closes: https://lore.kernel.org/linux-usb/3fd0c2fb-4752-45b3-94eb-42352703e1fd@gmx.net/T/
+Link: https://lore.kernel.org/all/5e8cbce0-3260-2971-484f-fc73a3b2bd28@synopsys.com/
+Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
+Link: https://lore.kernel.org/r/20241202001631.75473-2-wahrenst@gmx.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc2/hcd.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/dwc2/hcd.c
++++ b/drivers/usb/dwc2/hcd.c
+@@ -4431,6 +4431,7 @@ static int _dwc2_hcd_resume(struct usb_h
+ * Power Down mode.
+ */
+ if (hprt0 & HPRT0_CONNSTS) {
++ set_bit(HCD_FLAG_HW_ACCESSIBLE, &hcd->flags);
+ hsotg->lx_state = DWC2_L0;
+ goto unlock;
+ }
--- /dev/null
+From a8d3e4a734599c7d0f6735f8db8a812e503395dd Mon Sep 17 00:00:00 2001
+From: Stefan Wahren <wahrenst@gmx.net>
+Date: Mon, 2 Dec 2024 01:16:30 +0100
+Subject: usb: dwc2: hcd: Fix GetPortStatus & SetPortFeature
+
+From: Stefan Wahren <wahrenst@gmx.net>
+
+commit a8d3e4a734599c7d0f6735f8db8a812e503395dd upstream.
+
+On Rasperry Pis without onboard USB hub the power cycle during
+power connect init only disable the port but never enabled it again:
+
+ usb usb1-port1: attempt power cycle
+
+The port relevant part in dwc2_hcd_hub_control() is skipped in case
+port_connect_status = 0 under the assumption the core is or will be soon
+in device mode. But this assumption is wrong, because after ClearPortFeature
+USB_PORT_FEAT_POWER the port_connect_status will also be 0 and
+SetPortFeature (incl. USB_PORT_FEAT_POWER) will be a no-op.
+
+Fix the behavior of dwc2_hcd_hub_control() by replacing the
+port_connect_status check with dwc2_is_device_mode().
+
+Link: https://github.com/raspberrypi/linux/issues/6247
+Fixes: 7359d482eb4d ("staging: HCD files for the DWC2 driver")
+Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
+Link: https://lore.kernel.org/r/20241202001631.75473-3-wahrenst@gmx.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc2/hcd.c | 16 ++++++----------
+ 1 file changed, 6 insertions(+), 10 deletions(-)
+
+--- a/drivers/usb/dwc2/hcd.c
++++ b/drivers/usb/dwc2/hcd.c
+@@ -3546,11 +3546,9 @@ static int dwc2_hcd_hub_control(struct d
+ port_status |= USB_PORT_STAT_C_OVERCURRENT << 16;
+ }
+
+- if (!hsotg->flags.b.port_connect_status) {
++ if (dwc2_is_device_mode(hsotg)) {
+ /*
+- * The port is disconnected, which means the core is
+- * either in device mode or it soon will be. Just
+- * return 0's for the remainder of the port status
++ * Just return 0's for the remainder of the port status
+ * since the port register can't be read if the core
+ * is in device mode.
+ */
+@@ -3620,13 +3618,11 @@ static int dwc2_hcd_hub_control(struct d
+ if (wvalue != USB_PORT_FEAT_TEST && (!windex || windex > 1))
+ goto error;
+
+- if (!hsotg->flags.b.port_connect_status) {
++ if (dwc2_is_device_mode(hsotg)) {
+ /*
+- * The port is disconnected, which means the core is
+- * either in device mode or it soon will be. Just
+- * return without doing anything since the port
+- * register can't be written if the core is in device
+- * mode.
++ * Just return 0's for the remainder of the port status
++ * since the port register can't be read if the core
++ * is in device mode.
+ */
+ break;
+ }
--- /dev/null
+From 0d2ada05227881f3d0722ca2364e3f7a860a301f Mon Sep 17 00:00:00 2001
+From: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
+Date: Mon, 25 Nov 2024 11:14:30 +1300
+Subject: usb: host: max3421-hcd: Correctly abort a USB request.
+
+From: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
+
+commit 0d2ada05227881f3d0722ca2364e3f7a860a301f upstream.
+
+If the current USB request was aborted, the spi thread would not respond
+to any further requests. This is because the "curr_urb" pointer would
+not become NULL, so no further requests would be taken off the queue.
+The solution here is to set the "urb_done" flag, as this will cause the
+correct handling of the URB. Also clear interrupts that should only be
+expected if an URB is in progress.
+
+Fixes: 2d53139f3162 ("Add support for using a MAX3421E chip as a host driver.")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
+Link: https://lore.kernel.org/r/20241124221430.1106080-1-mark.tomlinson@alliedtelesis.co.nz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/max3421-hcd.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/host/max3421-hcd.c
++++ b/drivers/usb/host/max3421-hcd.c
+@@ -779,11 +779,17 @@ max3421_check_unlink(struct usb_hcd *hcd
+ retval = 1;
+ dev_dbg(&spi->dev, "%s: URB %p unlinked=%d",
+ __func__, urb, urb->unlinked);
+- usb_hcd_unlink_urb_from_ep(hcd, urb);
+- spin_unlock_irqrestore(&max3421_hcd->lock,
+- flags);
+- usb_hcd_giveback_urb(hcd, urb, 0);
+- spin_lock_irqsave(&max3421_hcd->lock, flags);
++ if (urb == max3421_hcd->curr_urb) {
++ max3421_hcd->urb_done = 1;
++ max3421_hcd->hien &= ~(BIT(MAX3421_HI_HXFRDN_BIT) |
++ BIT(MAX3421_HI_RCVDAV_BIT));
++ } else {
++ usb_hcd_unlink_urb_from_ep(hcd, urb);
++ spin_unlock_irqrestore(&max3421_hcd->lock,
++ flags);
++ usb_hcd_giveback_urb(hcd, urb, 0);
++ spin_lock_irqsave(&max3421_hcd->lock, flags);
++ }
+ }
+ }
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
