--- /dev/null
+From 28f07f2ab4b3a2714f1fefcc58ada4bcc195f806 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Fri, 17 Nov 2023 18:37:25 +0100
+Subject: dm-verity: don't use blocking calls from tasklets
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 28f07f2ab4b3a2714f1fefcc58ada4bcc195f806 upstream.
+
+The commit 5721d4e5a9cd enhanced dm-verity, so that it can verify blocks
+from tasklets rather than from workqueues. This reportedly improves
+performance significantly.
+
+However, dm-verity was using the flag CRYPTO_TFM_REQ_MAY_SLEEP from
+tasklets which resulted in warnings about sleeping function being called
+from non-sleeping context.
+
+BUG: sleeping function called from invalid context at crypto/internal.h:206
+in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 14, name: ksoftirqd/0
+preempt_count: 100, expected: 0
+RCU nest depth: 0, expected: 0
+CPU: 0 PID: 14 Comm: ksoftirqd/0 Tainted: G W 6.7.0-rc1 #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x32/0x50
+ __might_resched+0x110/0x160
+ crypto_hash_walk_done+0x54/0xb0
+ shash_ahash_update+0x51/0x60
+ verity_hash_update.isra.0+0x4a/0x130 [dm_verity]
+ verity_verify_io+0x165/0x550 [dm_verity]
+ ? free_unref_page+0xdf/0x170
+ ? psi_group_change+0x113/0x390
+ verity_tasklet+0xd/0x70 [dm_verity]
+ tasklet_action_common.isra.0+0xb3/0xc0
+ __do_softirq+0xaf/0x1ec
+ ? smpboot_thread_fn+0x1d/0x200
+ ? sort_range+0x20/0x20
+ run_ksoftirqd+0x15/0x30
+ smpboot_thread_fn+0xed/0x200
+ kthread+0xdc/0x110
+ ? kthread_complete_and_exit+0x20/0x20
+ ret_from_fork+0x28/0x40
+ ? kthread_complete_and_exit+0x20/0x20
+ ret_from_fork_asm+0x11/0x20
+ </TASK>
+
+This commit fixes dm-verity so that it doesn't use the flags
+CRYPTO_TFM_REQ_MAY_SLEEP and CRYPTO_TFM_REQ_MAY_BACKLOG from tasklets. The
+crypto API would do GFP_ATOMIC allocation instead, it could return -ENOMEM
+and we catch -ENOMEM in verity_tasklet and requeue the request to the
+workqueue.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org # v6.0+
+Fixes: 5721d4e5a9cd ("dm verity: Add optional "try_verify_in_tasklet" feature")
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-verity-fec.c | 4 ++--
+ drivers/md/dm-verity-target.c | 23 ++++++++++++-----------
+ drivers/md/dm-verity.h | 2 +-
+ 3 files changed, 15 insertions(+), 14 deletions(-)
+
+--- a/drivers/md/dm-verity-fec.c
++++ b/drivers/md/dm-verity-fec.c
+@@ -185,7 +185,7 @@ static int fec_is_erasure(struct dm_veri
+ {
+ if (unlikely(verity_hash(v, verity_io_hash_req(v, io),
+ data, 1 << v->data_dev_block_bits,
+- verity_io_real_digest(v, io))))
++ verity_io_real_digest(v, io), true)))
+ return 0;
+
+ return memcmp(verity_io_real_digest(v, io), want_digest,
+@@ -386,7 +386,7 @@ static int fec_decode_rsb(struct dm_veri
+ /* Always re-validate the corrected block against the expected hash */
+ r = verity_hash(v, verity_io_hash_req(v, io), fio->output,
+ 1 << v->data_dev_block_bits,
+- verity_io_real_digest(v, io));
++ verity_io_real_digest(v, io), true);
+ if (unlikely(r < 0))
+ return r;
+
+--- a/drivers/md/dm-verity-target.c
++++ b/drivers/md/dm-verity-target.c
+@@ -132,20 +132,21 @@ static int verity_hash_update(struct dm_
+ * Wrapper for crypto_ahash_init, which handles verity salting.
+ */
+ static int verity_hash_init(struct dm_verity *v, struct ahash_request *req,
+- struct crypto_wait *wait)
++ struct crypto_wait *wait, bool may_sleep)
+ {
+ int r;
+
+ ahash_request_set_tfm(req, v->tfm);
+- ahash_request_set_callback(req, CRYPTO_TFM_REQ_MAY_SLEEP |
+- CRYPTO_TFM_REQ_MAY_BACKLOG,
+- crypto_req_done, (void *)wait);
++ ahash_request_set_callback(req,
++ may_sleep ? CRYPTO_TFM_REQ_MAY_SLEEP | CRYPTO_TFM_REQ_MAY_BACKLOG : 0,
++ crypto_req_done, (void *)wait);
+ crypto_init_wait(wait);
+
+ r = crypto_wait_req(crypto_ahash_init(req), wait);
+
+ if (unlikely(r < 0)) {
+- DMERR("crypto_ahash_init failed: %d", r);
++ if (r != -ENOMEM)
++ DMERR("crypto_ahash_init failed: %d", r);
+ return r;
+ }
+
+@@ -176,12 +177,12 @@ out:
+ }
+
+ int verity_hash(struct dm_verity *v, struct ahash_request *req,
+- const u8 *data, size_t len, u8 *digest)
++ const u8 *data, size_t len, u8 *digest, bool may_sleep)
+ {
+ int r;
+ struct crypto_wait wait;
+
+- r = verity_hash_init(v, req, &wait);
++ r = verity_hash_init(v, req, &wait, may_sleep);
+ if (unlikely(r < 0))
+ goto out;
+
+@@ -317,7 +318,7 @@ static int verity_verify_level(struct dm
+
+ r = verity_hash(v, verity_io_hash_req(v, io),
+ data, 1 << v->hash_dev_block_bits,
+- verity_io_real_digest(v, io));
++ verity_io_real_digest(v, io), !io->in_tasklet);
+ if (unlikely(r < 0))
+ goto release_ret_r;
+
+@@ -548,7 +549,7 @@ static int verity_verify_io(struct dm_ve
+ continue;
+ }
+
+- r = verity_hash_init(v, req, &wait);
++ r = verity_hash_init(v, req, &wait, !io->in_tasklet);
+ if (unlikely(r < 0))
+ return r;
+
+@@ -641,7 +642,7 @@ static void verity_tasklet(unsigned long
+
+ io->in_tasklet = true;
+ err = verity_verify_io(io);
+- if (err == -EAGAIN) {
++ if (err == -EAGAIN || err == -ENOMEM) {
+ /* fallback to retrying with work-queue */
+ INIT_WORK(&io->work, verity_work);
+ queue_work(io->v->verify_wq, &io->work);
+@@ -1018,7 +1019,7 @@ static int verity_alloc_zero_digest(stru
+ goto out;
+
+ r = verity_hash(v, req, zero_data, 1 << v->data_dev_block_bits,
+- v->zero_digest);
++ v->zero_digest, true);
+
+ out:
+ kfree(req);
+--- a/drivers/md/dm-verity.h
++++ b/drivers/md/dm-verity.h
+@@ -128,7 +128,7 @@ extern int verity_for_bv_block(struct dm
+ u8 *data, size_t len));
+
+ extern int verity_hash(struct dm_verity *v, struct ahash_request *req,
+- const u8 *data, size_t len, u8 *digest);
++ const u8 *data, size_t len, u8 *digest, bool may_sleep);
+
+ extern int verity_hash_for_block(struct dm_verity *v, struct dm_verity_io *io,
+ sector_t block, u8 *digest, bool *is_zero);
--- /dev/null
+From dab12fa8d2bd3868cf2de485ed15a3feef28a13d Mon Sep 17 00:00:00 2001
+From: Jani Nikula <jani.nikula@intel.com>
+Date: Thu, 14 Sep 2023 18:53:17 +0300
+Subject: drm/mediatek/dp: fix memory leak on ->get_edid callback audio detection
+
+From: Jani Nikula <jani.nikula@intel.com>
+
+commit dab12fa8d2bd3868cf2de485ed15a3feef28a13d upstream.
+
+The sads returned by drm_edid_to_sad() needs to be freed.
+
+Fixes: e71a8ebbe086 ("drm/mediatek: dp: Audio support for MT8195")
+Cc: Guillaume Ranquet <granquet@baylibre.com>
+Cc: Bo-Chen Chen <rex-bc.chen@mediatek.com>
+Cc: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Cc: Dmitry Osipenko <dmitry.osipenko@collabora.com>
+Cc: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Cc: Philipp Zabel <p.zabel@pengutronix.de>
+Cc: Matthias Brugger <matthias.bgg@gmail.com>
+Cc: dri-devel@lists.freedesktop.org
+Cc: linux-mediatek@lists.infradead.org
+Cc: linux-kernel@vger.kernel.org
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: <stable@vger.kernel.org> # v6.1+
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
+Link: https://patchwork.kernel.org/project/dri-devel/patch/20230914155317.2511876-1-jani.nikula@intel.com/
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/mediatek/mtk_dp.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/mediatek/mtk_dp.c
++++ b/drivers/gpu/drm/mediatek/mtk_dp.c
+@@ -1983,7 +1983,6 @@ static struct edid *mtk_dp_get_edid(stru
+ bool enabled = mtk_dp->enabled;
+ struct edid *new_edid = NULL;
+ struct mtk_dp_audio_cfg *audio_caps = &mtk_dp->info.audio_cur_cfg;
+- struct cea_sad *sads;
+
+ if (!enabled) {
+ drm_bridge_chain_pre_enable(bridge);
+@@ -2010,7 +2009,11 @@ static struct edid *mtk_dp_get_edid(stru
+ }
+
+ if (new_edid) {
++ struct cea_sad *sads;
++
+ audio_caps->sad_count = drm_edid_to_sad(new_edid, &sads);
++ kfree(sads);
++
+ audio_caps->detect_monitor = drm_detect_monitor_audio(new_edid);
+ }
+
--- /dev/null
+From fcaf9761fd5884a64eaac48536f8c27ecfd2e6bc Mon Sep 17 00:00:00 2001
+From: Jani Nikula <jani.nikula@intel.com>
+Date: Thu, 14 Sep 2023 16:10:58 +0300
+Subject: drm/mediatek/dp: fix memory leak on ->get_edid callback error path
+
+From: Jani Nikula <jani.nikula@intel.com>
+
+commit fcaf9761fd5884a64eaac48536f8c27ecfd2e6bc upstream.
+
+Setting new_edid to NULL leaks the buffer.
+
+Fixes: f70ac097a2cf ("drm/mediatek: Add MT8195 Embedded DisplayPort driver")
+Cc: Markus Schneider-Pargmann <msp@baylibre.com>
+Cc: Guillaume Ranquet <granquet@baylibre.com>
+Cc: Bo-Chen Chen <rex-bc.chen@mediatek.com>
+Cc: CK Hu <ck.hu@mediatek.com>
+Cc: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Cc: Dmitry Osipenko <dmitry.osipenko@collabora.com>
+Cc: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Cc: Philipp Zabel <p.zabel@pengutronix.de>
+Cc: Matthias Brugger <matthias.bgg@gmail.com>
+Cc: dri-devel@lists.freedesktop.org
+Cc: linux-mediatek@lists.infradead.org
+Cc: linux-kernel@vger.kernel.org
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: <stable@vger.kernel.org> # v6.1+
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Reviewed-by: Guillaume Ranquet <granquet@baylibre.com>
+Link: https://patchwork.kernel.org/project/dri-devel/patch/20230914131058.2472260-1-jani.nikula@intel.com/
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/mediatek/mtk_dp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/mediatek/mtk_dp.c
++++ b/drivers/gpu/drm/mediatek/mtk_dp.c
+@@ -2005,6 +2005,7 @@ static struct edid *mtk_dp_get_edid(stru
+ */
+ if (mtk_dp_parse_capabilities(mtk_dp)) {
+ drm_err(mtk_dp->drm_dev, "Can't parse capabilities\n");
++ kfree(new_edid);
+ new_edid = NULL;
+ }
+
--- /dev/null
+From e0d4e8acb3789c5a8651061fbab62ca24a45c063 Mon Sep 17 00:00:00 2001
+From: Su Hui <suhui@nfschina.com>
+Date: Sun, 8 Oct 2023 14:39:30 +0800
+Subject: f2fs: avoid format-overflow warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Su Hui <suhui@nfschina.com>
+
+commit e0d4e8acb3789c5a8651061fbab62ca24a45c063 upstream.
+
+With gcc and W=1 option, there's a warning like this:
+
+fs/f2fs/compress.c: In function ‘f2fs_init_page_array_cache’:
+fs/f2fs/compress.c:1984:47: error: ‘%u’ directive writing between
+1 and 7 bytes into a region of size between 5 and 8
+[-Werror=format-overflow=]
+ 1984 | sprintf(slab_name, "f2fs_page_array_entry-%u:%u", MAJOR(dev),
+ MINOR(dev));
+ | ^~
+
+String "f2fs_page_array_entry-%u:%u" can up to 35. The first "%u" can up
+to 4 and the second "%u" can up to 7, so total size is "24 + 4 + 7 = 35".
+slab_name's size should be 35 rather than 32.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Su Hui <suhui@nfschina.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/compress.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/f2fs/compress.c
++++ b/fs/f2fs/compress.c
+@@ -1983,7 +1983,7 @@ void f2fs_destroy_compress_inode(struct
+ int f2fs_init_page_array_cache(struct f2fs_sb_info *sbi)
+ {
+ dev_t dev = sbi->sb->s_bdev->bd_dev;
+- char slab_name[32];
++ char slab_name[35];
+
+ if (!f2fs_sb_has_compression(sbi))
+ return 0;
--- /dev/null
+From 50a472bbc79ff9d5a88be8019a60e936cadf9f13 Mon Sep 17 00:00:00 2001
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+Date: Thu, 19 Oct 2023 15:51:08 -0700
+Subject: f2fs: do not return EFSCORRUPTED, but try to run online repair
+
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+
+commit 50a472bbc79ff9d5a88be8019a60e936cadf9f13 upstream.
+
+If we return the error, there's no way to recover the status as of now, since
+fsck does not fix the xattr boundary issue.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/node.c | 4 +++-
+ fs/f2fs/xattr.c | 20 +++++++++++++-------
+ 2 files changed, 16 insertions(+), 8 deletions(-)
+
+--- a/fs/f2fs/node.c
++++ b/fs/f2fs/node.c
+@@ -2738,7 +2738,9 @@ recover_xnid:
+ f2fs_update_inode_page(inode);
+
+ /* 3: update and set xattr node page dirty */
+- memcpy(F2FS_NODE(xpage), F2FS_NODE(page), VALID_XATTR_BLOCK_SIZE);
++ if (page)
++ memcpy(F2FS_NODE(xpage), F2FS_NODE(page),
++ VALID_XATTR_BLOCK_SIZE);
+
+ set_page_dirty(xpage);
+ f2fs_put_page(xpage, 1);
+--- a/fs/f2fs/xattr.c
++++ b/fs/f2fs/xattr.c
+@@ -363,10 +363,10 @@ static int lookup_all_xattrs(struct inod
+
+ *xe = __find_xattr(cur_addr, last_txattr_addr, NULL, index, len, name);
+ if (!*xe) {
+- f2fs_err(F2FS_I_SB(inode), "inode (%lu) has corrupted xattr",
++ f2fs_err(F2FS_I_SB(inode), "lookup inode (%lu) has corrupted xattr",
+ inode->i_ino);
+ set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_FSCK);
+- err = -EFSCORRUPTED;
++ err = -ENODATA;
+ f2fs_handle_error(F2FS_I_SB(inode),
+ ERROR_CORRUPTED_XATTR);
+ goto out;
+@@ -583,13 +583,12 @@ ssize_t f2fs_listxattr(struct dentry *de
+
+ if ((void *)(entry) + sizeof(__u32) > last_base_addr ||
+ (void *)XATTR_NEXT_ENTRY(entry) > last_base_addr) {
+- f2fs_err(F2FS_I_SB(inode), "inode (%lu) has corrupted xattr",
++ f2fs_err(F2FS_I_SB(inode), "list inode (%lu) has corrupted xattr",
+ inode->i_ino);
+ set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_FSCK);
+- error = -EFSCORRUPTED;
+ f2fs_handle_error(F2FS_I_SB(inode),
+ ERROR_CORRUPTED_XATTR);
+- goto cleanup;
++ break;
+ }
+
+ if (!handler || (handler->list && !handler->list(dentry)))
+@@ -650,7 +649,7 @@ static int __f2fs_setxattr(struct inode
+
+ if (size > MAX_VALUE_LEN(inode))
+ return -E2BIG;
+-
++retry:
+ error = read_all_xattrs(inode, ipage, &base_addr);
+ if (error)
+ return error;
+@@ -660,7 +659,14 @@ static int __f2fs_setxattr(struct inode
+ /* find entry with wanted name. */
+ here = __find_xattr(base_addr, last_base_addr, NULL, index, len, name);
+ if (!here) {
+- f2fs_err(F2FS_I_SB(inode), "inode (%lu) has corrupted xattr",
++ if (!F2FS_I(inode)->i_xattr_nid) {
++ f2fs_notice(F2FS_I_SB(inode),
++ "recover xattr in inode (%lu)", inode->i_ino);
++ f2fs_recover_xattr_data(inode, NULL);
++ kfree(base_addr);
++ goto retry;
++ }
++ f2fs_err(F2FS_I_SB(inode), "set inode (%lu) has corrupted xattr",
+ inode->i_ino);
+ set_sbi_flag(F2FS_I_SB(inode), SBI_NEED_FSCK);
+ error = -EFSCORRUPTED;
--- /dev/null
+From e8183fa10c25c7b3c20670bf2b430ddcc1ee03c0 Mon Sep 17 00:00:00 2001
+From: Tam Nguyen <tamnguyenchi@os.amperecomputing.com>
+Date: Thu, 2 Nov 2023 10:30:08 +0700
+Subject: i2c: designware: Disable TX_EMPTY irq while waiting for block length byte
+
+From: Tam Nguyen <tamnguyenchi@os.amperecomputing.com>
+
+commit e8183fa10c25c7b3c20670bf2b430ddcc1ee03c0 upstream.
+
+During SMBus block data read process, we have seen high interrupt rate
+because of TX_EMPTY irq status while waiting for block length byte (the
+first data byte after the address phase). The interrupt handler does not
+do anything because the internal state is kept as STATUS_WRITE_IN_PROGRESS.
+Hence, we should disable TX_EMPTY IRQ until I2C DesignWare receives
+first data byte from I2C device, then re-enable it to resume SMBus
+transaction.
+
+It takes 0.789 ms for host to receive data length from slave.
+Without the patch, i2c_dw_isr() is called 99 times by TX_EMPTY interrupt.
+And it is none after applying the patch.
+
+Cc: stable@vger.kernel.org
+Co-developed-by: Chuong Tran <chuong@os.amperecomputing.com>
+Signed-off-by: Chuong Tran <chuong@os.amperecomputing.com>
+Signed-off-by: Tam Nguyen <tamnguyenchi@os.amperecomputing.com>
+Acked-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Reviewed-by: Serge Semin <fancer.lancer@gmail.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-designware-master.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-designware-master.c
++++ b/drivers/i2c/busses/i2c-designware-master.c
+@@ -456,10 +456,16 @@ i2c_dw_xfer_msg(struct dw_i2c_dev *dev)
+
+ /*
+ * Because we don't know the buffer length in the
+- * I2C_FUNC_SMBUS_BLOCK_DATA case, we can't stop
+- * the transaction here.
++ * I2C_FUNC_SMBUS_BLOCK_DATA case, we can't stop the
++ * transaction here. Also disable the TX_EMPTY IRQ
++ * while waiting for the data length byte to avoid the
++ * bogus interrupts flood.
+ */
+- if (buf_len > 0 || flags & I2C_M_RECV_LEN) {
++ if (flags & I2C_M_RECV_LEN) {
++ dev->status |= STATUS_WRITE_IN_PROGRESS;
++ intr_mask &= ~DW_IC_INTR_TX_EMPTY;
++ break;
++ } else if (buf_len > 0) {
+ /* more bytes to be written */
+ dev->status |= STATUS_WRITE_IN_PROGRESS;
+ break;
+@@ -495,6 +501,13 @@ i2c_dw_recv_len(struct dw_i2c_dev *dev,
+ msgs[dev->msg_read_idx].len = len;
+ msgs[dev->msg_read_idx].flags &= ~I2C_M_RECV_LEN;
+
++ /*
++ * Received buffer length, re-enable TX_EMPTY interrupt
++ * to resume the SMBUS transaction.
++ */
++ regmap_update_bits(dev->map, DW_IC_INTR_MASK, DW_IC_INTR_TX_EMPTY,
++ DW_IC_INTR_TX_EMPTY);
++
+ return len;
+ }
+
--- /dev/null
+From f78ca48a8ba9cdec96e8839351e49eec3233b177 Mon Sep 17 00:00:00 2001
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Sat, 9 Sep 2023 22:25:06 +0200
+Subject: i2c: i801: fix potential race in i801_block_transaction_byte_by_byte
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+commit f78ca48a8ba9cdec96e8839351e49eec3233b177 upstream.
+
+Currently we set SMBHSTCNT_LAST_BYTE only after the host has started
+receiving the last byte. If we get e.g. preempted before setting
+SMBHSTCNT_LAST_BYTE, the host may be finished with receiving the byte
+before SMBHSTCNT_LAST_BYTE is set.
+Therefore change the code to set SMBHSTCNT_LAST_BYTE before writing
+SMBHSTSTS_BYTE_DONE for the byte before the last byte. Now the code
+is also consistent with what we do in i801_isr_byte_done().
+
+Reported-by: Jean Delvare <jdelvare@suse.com>
+Closes: https://lore.kernel.org/linux-i2c/20230828152747.09444625@endymion.delvare/
+Cc: stable@vger.kernel.org
+Acked-by: Andi Shyti <andi.shyti@kernel.org>
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Reviewed-by: Jean Delvare <jdelvare@suse.de>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-i801.c | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-i801.c
++++ b/drivers/i2c/busses/i2c-i801.c
+@@ -690,15 +690,11 @@ static int i801_block_transaction_byte_b
+ return i801_check_post(priv, result ? priv->status : -ETIMEDOUT);
+ }
+
+- for (i = 1; i <= len; i++) {
+- if (i == len && read_write == I2C_SMBUS_READ)
+- smbcmd |= SMBHSTCNT_LAST_BYTE;
+- outb_p(smbcmd, SMBHSTCNT(priv));
+-
+- if (i == 1)
+- outb_p(inb(SMBHSTCNT(priv)) | SMBHSTCNT_START,
+- SMBHSTCNT(priv));
++ if (len == 1 && read_write == I2C_SMBUS_READ)
++ smbcmd |= SMBHSTCNT_LAST_BYTE;
++ outb_p(smbcmd | SMBHSTCNT_START, SMBHSTCNT(priv));
+
++ for (i = 1; i <= len; i++) {
+ status = i801_wait_byte_done(priv);
+ if (status)
+ goto exit;
+@@ -721,9 +717,12 @@ static int i801_block_transaction_byte_b
+ data->block[0] = len;
+ }
+
+- /* Retrieve/store value in SMBBLKDAT */
+- if (read_write == I2C_SMBUS_READ)
++ if (read_write == I2C_SMBUS_READ) {
+ data->block[i] = inb_p(SMBBLKDAT(priv));
++ if (i == len - 1)
++ outb_p(smbcmd | SMBHSTCNT_LAST_BYTE, SMBHSTCNT(priv));
++ }
++
+ if (read_write == I2C_SMBUS_WRITE && i+1 <= len)
+ outb_p(data->block[i+1], SMBBLKDAT(priv));
+
--- /dev/null
+From 71945968d8b128c955204baa33ec03bdd91bdc26 Mon Sep 17 00:00:00 2001
+From: Nathan Chancellor <nathan@kernel.org>
+Date: Wed, 8 Nov 2023 14:12:15 +0800
+Subject: LoongArch: Mark __percpu functions as always inline
+
+From: Nathan Chancellor <nathan@kernel.org>
+
+commit 71945968d8b128c955204baa33ec03bdd91bdc26 upstream.
+
+A recent change to the optimization pipeline in LLVM reveals some
+fragility around the inlining of LoongArch's __percpu functions, which
+manifests as a BUILD_BUG() failure:
+
+ In file included from kernel/sched/build_policy.c:17:
+ In file included from include/linux/sched/cputime.h:5:
+ In file included from include/linux/sched/signal.h:5:
+ In file included from include/linux/rculist.h:11:
+ In file included from include/linux/rcupdate.h:26:
+ In file included from include/linux/irqflags.h:18:
+ arch/loongarch/include/asm/percpu.h:97:3: error: call to '__compiletime_assert_51' declared with 'error' attribute: BUILD_BUG failed
+ 97 | BUILD_BUG();
+ | ^
+ include/linux/build_bug.h:59:21: note: expanded from macro 'BUILD_BUG'
+ 59 | #define BUILD_BUG() BUILD_BUG_ON_MSG(1, "BUILD_BUG failed")
+ | ^
+ include/linux/build_bug.h:39:37: note: expanded from macro 'BUILD_BUG_ON_MSG'
+ 39 | #define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
+ | ^
+ include/linux/compiler_types.h:425:2: note: expanded from macro 'compiletime_assert'
+ 425 | _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
+ | ^
+ include/linux/compiler_types.h:413:2: note: expanded from macro '_compiletime_assert'
+ 413 | __compiletime_assert(condition, msg, prefix, suffix)
+ | ^
+ include/linux/compiler_types.h:406:4: note: expanded from macro '__compiletime_assert'
+ 406 | prefix ## suffix(); \
+ | ^
+ <scratch space>:86:1: note: expanded from here
+ 86 | __compiletime_assert_51
+ | ^
+ 1 error generated.
+
+If these functions are not inlined (which the compiler is free to do
+even with functions marked with the standard 'inline' keyword), the
+BUILD_BUG() in the default case cannot be eliminated since the compiler
+cannot prove it is never used, resulting in a build failure due to the
+error attribute.
+
+Mark these functions as __always_inline to guarantee inlining so that
+the BUILD_BUG() only triggers when the default case genuinely cannot be
+eliminated due to an unexpected size.
+
+Cc: <stable@vger.kernel.org>
+Closes: https://github.com/ClangBuiltLinux/linux/issues/1955
+Fixes: 46859ac8af52 ("LoongArch: Add multi-processor (SMP) support")
+Link: https://github.com/llvm/llvm-project/commit/1a2e77cf9e11dbf56b5720c607313a566eebb16e
+Suggested-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Nathan Chancellor <nathan@kernel.org>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/include/asm/percpu.h | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/arch/loongarch/include/asm/percpu.h
++++ b/arch/loongarch/include/asm/percpu.h
+@@ -28,7 +28,7 @@ static inline void set_my_cpu_offset(uns
+ #define __my_cpu_offset __my_cpu_offset
+
+ #define PERCPU_OP(op, asm_op, c_op) \
+-static inline unsigned long __percpu_##op(void *ptr, \
++static __always_inline unsigned long __percpu_##op(void *ptr, \
+ unsigned long val, int size) \
+ { \
+ unsigned long ret; \
+@@ -59,7 +59,7 @@ PERCPU_OP(and, and, &)
+ PERCPU_OP(or, or, |)
+ #undef PERCPU_OP
+
+-static inline unsigned long __percpu_read(void *ptr, int size)
++static __always_inline unsigned long __percpu_read(void *ptr, int size)
+ {
+ unsigned long ret;
+
+@@ -96,7 +96,7 @@ static inline unsigned long __percpu_rea
+ return ret;
+ }
+
+-static inline void __percpu_write(void *ptr, unsigned long val, int size)
++static __always_inline void __percpu_write(void *ptr, unsigned long val, int size)
+ {
+ switch (size) {
+ case 1:
+@@ -128,8 +128,8 @@ static inline void __percpu_write(void *
+ }
+ }
+
+-static inline unsigned long __percpu_xchg(void *ptr, unsigned long val,
+- int size)
++static __always_inline unsigned long __percpu_xchg(void *ptr, unsigned long val,
++ int size)
+ {
+ switch (size) {
+ case 1:
--- /dev/null
+From b36995b8609a5a8fe5cf259a1ee768fcaed919f8 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Tue, 31 Oct 2023 13:32:07 +0100
+Subject: lsm: fix default return value for inode_getsecctx
+
+From: Ondrej Mosnacek <omosnace@redhat.com>
+
+commit b36995b8609a5a8fe5cf259a1ee768fcaed919f8 upstream.
+
+-EOPNOTSUPP is the return value that implements a "no-op" hook, not 0.
+
+Without this fix having only the BPF LSM enabled (with no programs
+attached) can cause uninitialized variable reads in
+nfsd4_encode_fattr(), because the BPF hook returns 0 without touching
+the 'ctxlen' variable and the corresponding 'contextlen' variable in
+nfsd4_encode_fattr() remains uninitialized, yet being treated as valid
+based on the 0 return value.
+
+Cc: stable@vger.kernel.org
+Fixes: 98e828a0650f ("security: Refactor declaration of LSM hooks")
+Reported-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/lsm_hook_defs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/lsm_hook_defs.h
++++ b/include/linux/lsm_hook_defs.h
+@@ -266,7 +266,7 @@ LSM_HOOK(void, LSM_RET_VOID, release_sec
+ LSM_HOOK(void, LSM_RET_VOID, inode_invalidate_secctx, struct inode *inode)
+ LSM_HOOK(int, 0, inode_notifysecctx, struct inode *inode, void *ctx, u32 ctxlen)
+ LSM_HOOK(int, 0, inode_setsecctx, struct dentry *dentry, void *ctx, u32 ctxlen)
+-LSM_HOOK(int, 0, inode_getsecctx, struct inode *inode, void **ctx,
++LSM_HOOK(int, -EOPNOTSUPP, inode_getsecctx, struct inode *inode, void **ctx,
+ u32 *ctxlen)
+
+ #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
--- /dev/null
+From 866d648059d5faf53f1cd960b43fe8365ad93ea7 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Tue, 31 Oct 2023 13:32:06 +0100
+Subject: lsm: fix default return value for vm_enough_memory
+
+From: Ondrej Mosnacek <omosnace@redhat.com>
+
+commit 866d648059d5faf53f1cd960b43fe8365ad93ea7 upstream.
+
+1 is the return value that implements a "no-op" hook, not 0.
+
+Cc: stable@vger.kernel.org
+Fixes: 98e828a0650f ("security: Refactor declaration of LSM hooks")
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/lsm_hook_defs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/lsm_hook_defs.h
++++ b/include/linux/lsm_hook_defs.h
+@@ -48,7 +48,7 @@ LSM_HOOK(int, 0, quota_on, struct dentry
+ LSM_HOOK(int, 0, syslog, int type)
+ LSM_HOOK(int, 0, settime, const struct timespec64 *ts,
+ const struct timezone *tz)
+-LSM_HOOK(int, 0, vm_enough_memory, struct mm_struct *mm, long pages)
++LSM_HOOK(int, 1, vm_enough_memory, struct mm_struct *mm, long pages)
+ LSM_HOOK(int, 0, bprm_creds_for_exec, struct linux_binprm *bprm)
+ LSM_HOOK(int, 0, bprm_creds_from_file, struct linux_binprm *bprm, struct file *file)
+ LSM_HOOK(int, 0, bprm_check_security, struct linux_binprm *bprm)
--- /dev/null
+From 724ff68e968b19d786870d333f9952bdd6b119cb Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Mon, 4 Sep 2023 15:57:37 +0300
+Subject: media: ccs: Correctly initialise try compose rectangle
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit 724ff68e968b19d786870d333f9952bdd6b119cb upstream.
+
+Initialise the try sink compose rectangle size to the sink compose
+rectangle for binner and scaler sub-devices. This was missed due to the
+faulty condition that lead to the compose rectangles to be initialised for
+the pixel array sub-device where it is not relevant.
+
+Fixes: ccfc97bdb5ae ("[media] smiapp: Add driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ccs/ccs-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/i2c/ccs/ccs-core.c
++++ b/drivers/media/i2c/ccs/ccs-core.c
+@@ -3088,7 +3088,7 @@ static int ccs_open(struct v4l2_subdev *
+ try_fmt->code = sensor->internal_csi_format->code;
+ try_fmt->field = V4L2_FIELD_NONE;
+
+- if (ssd != sensor->pixel_array)
++ if (ssd == sensor->pixel_array)
+ continue;
+
+ try_comp = v4l2_subdev_get_try_compose(sd, fh->state, i);
--- /dev/null
+From c8a489f820179fb12251e262b50303c29de991ac Mon Sep 17 00:00:00 2001
+From: Sean Young <sean@mess.org>
+Date: Fri, 6 Oct 2023 22:31:52 +0100
+Subject: media: lirc: drop trailing space from scancode transmit
+
+From: Sean Young <sean@mess.org>
+
+commit c8a489f820179fb12251e262b50303c29de991ac upstream.
+
+When transmitting, infrared drivers expect an odd number of samples; iow
+without a trailing space. No problems have been observed so far, so
+this is just belt and braces.
+
+Fixes: 9b6192589be7 ("media: lirc: implement scancode sending")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/rc/lirc_dev.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/rc/lirc_dev.c
++++ b/drivers/media/rc/lirc_dev.c
+@@ -276,7 +276,11 @@ static ssize_t lirc_transmit(struct file
+ if (ret < 0)
+ goto out_kfree_raw;
+
+- count = ret;
++ /* drop trailing space */
++ if (!(ret % 2))
++ count = ret - 1;
++ else
++ count = ret;
+
+ txbuf = kmalloc_array(count, sizeof(unsigned int), GFP_KERNEL);
+ if (!txbuf) {
--- /dev/null
+From 4f7efc71891462ab7606da7039f480d7c1584a13 Mon Sep 17 00:00:00 2001
+From: Sean Young <sean@mess.org>
+Date: Fri, 6 Oct 2023 12:54:25 +0100
+Subject: media: sharp: fix sharp encoding
+
+From: Sean Young <sean@mess.org>
+
+commit 4f7efc71891462ab7606da7039f480d7c1584a13 upstream.
+
+The Sharp protocol[1] encoding has incorrect timings for bit space.
+
+[1] https://www.sbprojects.net/knowledge/ir/sharp.php
+
+Fixes: d35afc5fe097 ("[media] rc: ir-sharp-decoder: Add encode capability")
+Cc: stable@vger.kernel.org
+Reported-by: Joe Ferner <joe.m.ferner@gmail.com>
+Closes: https://sourceforge.net/p/lirc/mailman/message/38604507/
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/rc/ir-sharp-decoder.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/rc/ir-sharp-decoder.c
++++ b/drivers/media/rc/ir-sharp-decoder.c
+@@ -15,7 +15,9 @@
+ #define SHARP_UNIT 40 /* us */
+ #define SHARP_BIT_PULSE (8 * SHARP_UNIT) /* 320us */
+ #define SHARP_BIT_0_PERIOD (25 * SHARP_UNIT) /* 1ms (680us space) */
+-#define SHARP_BIT_1_PERIOD (50 * SHARP_UNIT) /* 2ms (1680ms space) */
++#define SHARP_BIT_1_PERIOD (50 * SHARP_UNIT) /* 2ms (1680us space) */
++#define SHARP_BIT_0_SPACE (17 * SHARP_UNIT) /* 680us space */
++#define SHARP_BIT_1_SPACE (42 * SHARP_UNIT) /* 1680us space */
+ #define SHARP_ECHO_SPACE (1000 * SHARP_UNIT) /* 40 ms */
+ #define SHARP_TRAILER_SPACE (125 * SHARP_UNIT) /* 5 ms (even longer) */
+
+@@ -168,8 +170,8 @@ static const struct ir_raw_timings_pd ir
+ .header_pulse = 0,
+ .header_space = 0,
+ .bit_pulse = SHARP_BIT_PULSE,
+- .bit_space[0] = SHARP_BIT_0_PERIOD,
+- .bit_space[1] = SHARP_BIT_1_PERIOD,
++ .bit_space[0] = SHARP_BIT_0_SPACE,
++ .bit_space[1] = SHARP_BIT_1_SPACE,
+ .trailer_pulse = SHARP_BIT_PULSE,
+ .trailer_space = SHARP_ECHO_SPACE,
+ .msb_first = 1,
--- /dev/null
+From 8d0b89398b7ebc52103e055bf36b60b045f5258f Mon Sep 17 00:00:00 2001
+From: Vikash Garodia <quic_vgarodia@quicinc.com>
+Date: Thu, 10 Aug 2023 07:55:03 +0530
+Subject: media: venus: hfi: add checks to handle capabilities from firmware
+
+From: Vikash Garodia <quic_vgarodia@quicinc.com>
+
+commit 8d0b89398b7ebc52103e055bf36b60b045f5258f upstream.
+
+The hfi parser, parses the capabilities received from venus firmware and
+copies them to core capabilities. Consider below api, for example,
+fill_caps - In this api, caps in core structure gets updated with the
+number of capabilities received in firmware data payload. If the same api
+is called multiple times, there is a possibility of copying beyond the max
+allocated size in core caps.
+Similar possibilities in fill_raw_fmts and fill_profile_level functions.
+
+Cc: stable@vger.kernel.org
+Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser")
+Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
+Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/hfi_parser.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/media/platform/qcom/venus/hfi_parser.c
++++ b/drivers/media/platform/qcom/venus/hfi_parser.c
+@@ -89,6 +89,9 @@ static void fill_profile_level(struct hf
+ {
+ const struct hfi_profile_level *pl = data;
+
++ if (cap->num_pl + num >= HFI_MAX_PROFILE_COUNT)
++ return;
++
+ memcpy(&cap->pl[cap->num_pl], pl, num * sizeof(*pl));
+ cap->num_pl += num;
+ }
+@@ -114,6 +117,9 @@ fill_caps(struct hfi_plat_caps *cap, con
+ {
+ const struct hfi_capability *caps = data;
+
++ if (cap->num_caps + num >= MAX_CAP_ENTRIES)
++ return;
++
+ memcpy(&cap->caps[cap->num_caps], caps, num * sizeof(*caps));
+ cap->num_caps += num;
+ }
+@@ -140,6 +146,9 @@ static void fill_raw_fmts(struct hfi_pla
+ {
+ const struct raw_formats *formats = fmts;
+
++ if (cap->num_fmts + num_fmts >= MAX_FMT_ENTRIES)
++ return;
++
+ memcpy(&cap->fmts[cap->num_fmts], formats, num_fmts * sizeof(*formats));
+ cap->num_fmts += num_fmts;
+ }
+@@ -162,6 +171,9 @@ parse_raw_formats(struct venus_core *cor
+ rawfmts[i].buftype = fmt->buffer_type;
+ i++;
+
++ if (i >= MAX_FMT_ENTRIES)
++ return;
++
+ if (pinfo->num_planes > MAX_PLANES)
+ break;
+
--- /dev/null
+From b18e36dfd6c935da60a971310374f3dfec3c82e1 Mon Sep 17 00:00:00 2001
+From: Vikash Garodia <quic_vgarodia@quicinc.com>
+Date: Thu, 10 Aug 2023 07:55:02 +0530
+Subject: media: venus: hfi: fix the check to handle session buffer requirement
+
+From: Vikash Garodia <quic_vgarodia@quicinc.com>
+
+commit b18e36dfd6c935da60a971310374f3dfec3c82e1 upstream.
+
+Buffer requirement, for different buffer type, comes from video firmware.
+While copying these requirements, there is an OOB possibility when the
+payload from firmware is more than expected size. Fix the check to avoid
+the OOB possibility.
+
+Cc: stable@vger.kernel.org
+Fixes: 09c2845e8fe4 ("[media] media: venus: hfi: add Host Firmware Interface (HFI)")
+Reviewed-by: Nathan Hebert <nhebert@chromium.org>
+Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
+Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/hfi_msgs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/platform/qcom/venus/hfi_msgs.c
++++ b/drivers/media/platform/qcom/venus/hfi_msgs.c
+@@ -374,7 +374,7 @@ session_get_prop_buf_req(struct hfi_msg_
+ memcpy(&bufreq[idx], buf_req, sizeof(*bufreq));
+ idx++;
+
+- if (idx > HFI_BUFFER_TYPE_MAX)
++ if (idx >= HFI_BUFFER_TYPE_MAX)
+ return HFI_ERR_SESSION_INVALID_PARAMETER;
+
+ req_bytes -= sizeof(struct hfi_buffer_requirements);
--- /dev/null
+From 0768a9dd809ef52440b5df7dce5a1c1c7e97abbd Mon Sep 17 00:00:00 2001
+From: Vikash Garodia <quic_vgarodia@quicinc.com>
+Date: Thu, 10 Aug 2023 07:55:04 +0530
+Subject: media: venus: hfi_parser: Add check to keep the number of codecs within range
+
+From: Vikash Garodia <quic_vgarodia@quicinc.com>
+
+commit 0768a9dd809ef52440b5df7dce5a1c1c7e97abbd upstream.
+
+Supported codec bitmask is populated from the payload from venus firmware.
+There is a possible case when all the bits in the codec bitmask is set. In
+such case, core cap for decoder is filled and MAX_CODEC_NUM is utilized.
+Now while filling the caps for encoder, it can lead to access the caps
+array beyong 32 index. Hence leading to OOB write.
+The fix counts the supported encoder and decoder. If the count is more than
+max, then it skips accessing the caps.
+
+Cc: stable@vger.kernel.org
+Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser")
+Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
+Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/hfi_parser.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/platform/qcom/venus/hfi_parser.c
++++ b/drivers/media/platform/qcom/venus/hfi_parser.c
+@@ -19,6 +19,9 @@ static void init_codecs(struct venus_cor
+ struct hfi_plat_caps *caps = core->caps, *cap;
+ unsigned long bit;
+
++ if (hweight_long(core->dec_codecs) + hweight_long(core->enc_codecs) > MAX_CODEC_NUM)
++ return;
++
+ for_each_set_bit(bit, &core->dec_codecs, MAX_CODEC_NUM) {
+ cap = &caps[core->codecs_count++];
+ cap->codec = BIT(bit);
--- /dev/null
+From d7133797e9e1b72fd89237f68cb36d745599ed86 Mon Sep 17 00:00:00 2001
+From: Victor Shih <victor.shih@genesyslogic.com.tw>
+Date: Tue, 12 Sep 2023 17:17:10 +0800
+Subject: mmc: sdhci-pci-gli: A workaround to allow GL9750 to enter ASPM L1.2
+
+From: Victor Shih <victor.shih@genesyslogic.com.tw>
+
+commit d7133797e9e1b72fd89237f68cb36d745599ed86 upstream.
+
+When GL9750 enters ASPM L1 sub-states, it will stay at L1.1 and will not
+enter L1.2. The workaround is to toggle PM state to allow GL9750 to enter
+ASPM L1.2.
+
+Signed-off-by: Victor Shih <victor.shih@genesyslogic.com.tw>
+Link: https://lore.kernel.org/r/20230912091710.7797-1-victorshihgli@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-pci-gli.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/mmc/host/sdhci-pci-gli.c
++++ b/drivers/mmc/host/sdhci-pci-gli.c
+@@ -24,6 +24,9 @@
+ #define GLI_9750_WT_EN_ON 0x1
+ #define GLI_9750_WT_EN_OFF 0x0
+
++#define PCI_GLI_9750_PM_CTRL 0xFC
++#define PCI_GLI_9750_PM_STATE GENMASK(1, 0)
++
+ #define SDHCI_GLI_9750_CFG2 0x848
+ #define SDHCI_GLI_9750_CFG2_L1DLY GENMASK(28, 24)
+ #define GLI_9750_CFG2_L1DLY_VALUE 0x1F
+@@ -469,8 +472,12 @@ static void sdhci_gl9750_set_clock(struc
+
+ static void gl9750_hw_setting(struct sdhci_host *host)
+ {
++ struct sdhci_pci_slot *slot = sdhci_priv(host);
++ struct pci_dev *pdev;
+ u32 value;
+
++ pdev = slot->chip->pdev;
++
+ gl9750_wt_on(host);
+
+ value = sdhci_readl(host, SDHCI_GLI_9750_CFG2);
+@@ -480,6 +487,13 @@ static void gl9750_hw_setting(struct sdh
+ GLI_9750_CFG2_L1DLY_VALUE);
+ sdhci_writel(host, value, SDHCI_GLI_9750_CFG2);
+
++ /* toggle PM state to allow GL9750 to enter ASPM L1.2 */
++ pci_read_config_dword(pdev, PCI_GLI_9750_PM_CTRL, &value);
++ value |= PCI_GLI_9750_PM_STATE;
++ pci_write_config_dword(pdev, PCI_GLI_9750_PM_CTRL, value);
++ value &= ~PCI_GLI_9750_PM_STATE;
++ pci_write_config_dword(pdev, PCI_GLI_9750_PM_CTRL, value);
++
+ gl9750_wt_off(host);
+ }
+
--- /dev/null
+From 5a22fbcc10f3f7d94c5d88afbbffa240a3677057 Mon Sep 17 00:00:00 2001
+From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+Date: Fri, 27 Oct 2023 08:57:38 +0200
+Subject: net: dsa: lan9303: consequently nested-lock physical MDIO
+
+From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+
+commit 5a22fbcc10f3f7d94c5d88afbbffa240a3677057 upstream.
+
+When LAN9303 is MDIO-connected two callchains exist into
+mdio->bus->write():
+
+1. switch ports 1&2 ("physical" PHYs):
+
+virtual (switch-internal) MDIO bus (lan9303_switch_ops->phy_{read|write})->
+ lan9303_mdio_phy_{read|write} -> mdiobus_{read|write}_nested
+
+2. LAN9303 virtual PHY:
+
+virtual MDIO bus (lan9303_phy_{read|write}) ->
+ lan9303_virt_phy_reg_{read|write} -> regmap -> lan9303_mdio_{read|write}
+
+If the latter functions just take
+mutex_lock(&sw_dev->device->bus->mdio_lock) it triggers a LOCKDEP
+false-positive splat. It's false-positive because the first
+mdio_lock in the second callchain above belongs to virtual MDIO bus, the
+second mdio_lock belongs to physical MDIO bus.
+
+Consequent annotation in lan9303_mdio_{read|write} as nested lock
+(similar to lan9303_mdio_phy_{read|write}, it's the same physical MDIO bus)
+prevents the following splat:
+
+WARNING: possible circular locking dependency detected
+5.15.71 #1 Not tainted
+------------------------------------------------------
+kworker/u4:3/609 is trying to acquire lock:
+ffff000011531c68 (lan9303_mdio:131:(&lan9303_mdio_regmap_config)->lock){+.+.}-{3:3}, at: regmap_lock_mutex
+but task is already holding lock:
+ffff0000114c44d8 (&bus->mdio_lock){+.+.}-{3:3}, at: mdiobus_read
+which lock already depends on the new lock.
+the existing dependency chain (in reverse order) is:
+-> #1 (&bus->mdio_lock){+.+.}-{3:3}:
+ lock_acquire
+ __mutex_lock
+ mutex_lock_nested
+ lan9303_mdio_read
+ _regmap_read
+ regmap_read
+ lan9303_probe
+ lan9303_mdio_probe
+ mdio_probe
+ really_probe
+ __driver_probe_device
+ driver_probe_device
+ __device_attach_driver
+ bus_for_each_drv
+ __device_attach
+ device_initial_probe
+ bus_probe_device
+ deferred_probe_work_func
+ process_one_work
+ worker_thread
+ kthread
+ ret_from_fork
+-> #0 (lan9303_mdio:131:(&lan9303_mdio_regmap_config)->lock){+.+.}-{3:3}:
+ __lock_acquire
+ lock_acquire.part.0
+ lock_acquire
+ __mutex_lock
+ mutex_lock_nested
+ regmap_lock_mutex
+ regmap_read
+ lan9303_phy_read
+ dsa_slave_phy_read
+ __mdiobus_read
+ mdiobus_read
+ get_phy_device
+ mdiobus_scan
+ __mdiobus_register
+ dsa_register_switch
+ lan9303_probe
+ lan9303_mdio_probe
+ mdio_probe
+ really_probe
+ __driver_probe_device
+ driver_probe_device
+ __device_attach_driver
+ bus_for_each_drv
+ __device_attach
+ device_initial_probe
+ bus_probe_device
+ deferred_probe_work_func
+ process_one_work
+ worker_thread
+ kthread
+ ret_from_fork
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+ CPU0 CPU1
+ ---- ----
+ lock(&bus->mdio_lock);
+ lock(lan9303_mdio:131:(&lan9303_mdio_regmap_config)->lock);
+ lock(&bus->mdio_lock);
+ lock(lan9303_mdio:131:(&lan9303_mdio_regmap_config)->lock);
+*** DEADLOCK ***
+5 locks held by kworker/u4:3/609:
+ #0: ffff000002842938 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work
+ #1: ffff80000bacbd60 (deferred_probe_work){+.+.}-{0:0}, at: process_one_work
+ #2: ffff000007645178 (&dev->mutex){....}-{3:3}, at: __device_attach
+ #3: ffff8000096e6e78 (dsa2_mutex){+.+.}-{3:3}, at: dsa_register_switch
+ #4: ffff0000114c44d8 (&bus->mdio_lock){+.+.}-{3:3}, at: mdiobus_read
+stack backtrace:
+CPU: 1 PID: 609 Comm: kworker/u4:3 Not tainted 5.15.71 #1
+Workqueue: events_unbound deferred_probe_work_func
+Call trace:
+ dump_backtrace
+ show_stack
+ dump_stack_lvl
+ dump_stack
+ print_circular_bug
+ check_noncircular
+ __lock_acquire
+ lock_acquire.part.0
+ lock_acquire
+ __mutex_lock
+ mutex_lock_nested
+ regmap_lock_mutex
+ regmap_read
+ lan9303_phy_read
+ dsa_slave_phy_read
+ __mdiobus_read
+ mdiobus_read
+ get_phy_device
+ mdiobus_scan
+ __mdiobus_register
+ dsa_register_switch
+ lan9303_probe
+ lan9303_mdio_probe
+...
+
+Cc: stable@vger.kernel.org
+Fixes: dc7005831523 ("net: dsa: LAN9303: add MDIO managed mode support")
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/20231027065741.534971-1-alexander.sverdlin@siemens.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/lan9303_mdio.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/dsa/lan9303_mdio.c
++++ b/drivers/net/dsa/lan9303_mdio.c
+@@ -32,7 +32,7 @@ static int lan9303_mdio_write(void *ctx,
+ struct lan9303_mdio *sw_dev = (struct lan9303_mdio *)ctx;
+
+ reg <<= 2; /* reg num to offset */
+- mutex_lock(&sw_dev->device->bus->mdio_lock);
++ mutex_lock_nested(&sw_dev->device->bus->mdio_lock, MDIO_MUTEX_NESTED);
+ lan9303_mdio_real_write(sw_dev->device, reg, val & 0xffff);
+ lan9303_mdio_real_write(sw_dev->device, reg + 2, (val >> 16) & 0xffff);
+ mutex_unlock(&sw_dev->device->bus->mdio_lock);
+@@ -50,7 +50,7 @@ static int lan9303_mdio_read(void *ctx,
+ struct lan9303_mdio *sw_dev = (struct lan9303_mdio *)ctx;
+
+ reg <<= 2; /* reg num to offset */
+- mutex_lock(&sw_dev->device->bus->mdio_lock);
++ mutex_lock_nested(&sw_dev->device->bus->mdio_lock, MDIO_MUTEX_NESTED);
+ *val = lan9303_mdio_real_read(sw_dev->device, reg);
+ *val |= (lan9303_mdio_real_read(sw_dev->device, reg + 2) << 16);
+ mutex_unlock(&sw_dev->device->bus->mdio_lock);
--- /dev/null
+From f55d8e60f10909dbc5524e261041e1d28d7d20d8 Mon Sep 17 00:00:00 2001
+From: Andrew Lunn <andrew@lunn.ch>
+Date: Sat, 28 Oct 2023 21:25:11 +0200
+Subject: net: ethtool: Fix documentation of ethtool_sprintf()
+
+From: Andrew Lunn <andrew@lunn.ch>
+
+commit f55d8e60f10909dbc5524e261041e1d28d7d20d8 upstream.
+
+This function takes a pointer to a pointer, unlike sprintf() which is
+passed a plain pointer. Fix up the documentation to make this clear.
+
+Fixes: 7888fe53b706 ("ethtool: Add common function for filling out strings")
+Cc: Alexander Duyck <alexanderduyck@fb.com>
+Cc: Justin Stitt <justinstitt@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Justin Stitt <justinstitt@google.com>
+Link: https://lore.kernel.org/r/20231028192511.100001-1-andrew@lunn.ch
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/ethtool.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/ethtool.h
++++ b/include/linux/ethtool.h
+@@ -836,10 +836,10 @@ int ethtool_get_phc_vclocks(struct net_d
+
+ /**
+ * ethtool_sprintf - Write formatted string to ethtool string data
+- * @data: Pointer to start of string to update
++ * @data: Pointer to a pointer to the start of string to update
+ * @fmt: Format of string to write
+ *
+- * Write formatted string to data. Update data to point at start of
++ * Write formatted string to *data. Update *data to point at start of
+ * next string.
+ */
+ extern __printf(2, 3) void ethtool_sprintf(u8 **data, const char *fmt, ...);
--- /dev/null
+From 02d5fdbf4f2b8c406f7a4c98fa52aa181a11d733 Mon Sep 17 00:00:00 2001
+From: Klaus Kudielka <klaus.kudielka@gmail.com>
+Date: Tue, 7 Nov 2023 18:44:02 +0100
+Subject: net: phylink: initialize carrier state at creation
+
+From: Klaus Kudielka <klaus.kudielka@gmail.com>
+
+commit 02d5fdbf4f2b8c406f7a4c98fa52aa181a11d733 upstream.
+
+Background: Turris Omnia (Armada 385); eth2 (mvneta) connected to SFP bus;
+SFP module is present, but no fiber connected, so definitely no carrier.
+
+After booting, eth2 is down, but netdev LED trigger surprisingly reports
+link active. Then, after "ip link set eth2 up", the link indicator goes
+away - as I would have expected it from the beginning.
+
+It turns out, that the default carrier state after netdev creation is
+"carrier ok". Some ethernet drivers explicitly call netif_carrier_off
+during probing, others (like mvneta) don't - which explains the current
+behaviour: only when the device is brought up, phylink_start calls
+netif_carrier_off.
+
+Fix this for all drivers using phylink, by calling netif_carrier_off in
+phylink_create.
+
+Fixes: 089381b27abe ("leds: initial support for Turris Omnia LEDs")
+Cc: stable@vger.kernel.org
+Suggested-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Klaus Kudielka <klaus.kudielka@gmail.com>
+Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/phylink.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/phy/phylink.c
++++ b/drivers/net/phy/phylink.c
+@@ -1479,6 +1479,7 @@ struct phylink *phylink_create(struct ph
+ pl->config = config;
+ if (config->type == PHYLINK_NETDEV) {
+ pl->netdev = to_net_dev(config->dev);
++ netif_carrier_off(pl->netdev);
+ } else if (config->type == PHYLINK_DEV) {
+ pl->dev = config->dev;
+ } else {
--- /dev/null
+From bc1b5acb40201a0746d68a7d7cfc141899937f4f Mon Sep 17 00:00:00 2001
+From: Mahmoud Adam <mngyadam@amazon.com>
+Date: Fri, 10 Nov 2023 19:21:04 +0100
+Subject: nfsd: fix file memleak on client_opens_release
+
+From: Mahmoud Adam <mngyadam@amazon.com>
+
+commit bc1b5acb40201a0746d68a7d7cfc141899937f4f upstream.
+
+seq_release should be called to free the allocated seq_file
+
+Cc: stable@vger.kernel.org # v5.3+
+Signed-off-by: Mahmoud Adam <mngyadam@amazon.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Fixes: 78599c42ae3c ("nfsd4: add file to display list of client's opens")
+Reviewed-by: NeilBrown <neilb@suse.de>
+Tested-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4state.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -2799,7 +2799,7 @@ static int client_opens_release(struct i
+
+ /* XXX: alternatively, we could get/drop in seq start/stop */
+ drop_client(clp);
+- return 0;
++ return seq_release(inode, file);
+ }
+
+ static const struct file_operations client_states_fops = {
--- /dev/null
+From 7b211c7671212cad0b83603c674838c7e824d845 Mon Sep 17 00:00:00 2001
+From: Robert Marko <robert.marko@sartura.hr>
+Date: Fri, 10 Nov 2023 10:30:11 +0100
+Subject: Revert "i2c: pxa: move to generic GPIO recovery"
+
+From: Robert Marko <robert.marko@sartura.hr>
+
+commit 7b211c7671212cad0b83603c674838c7e824d845 upstream.
+
+This reverts commit 0b01392c18b9993a584f36ace1d61118772ad0ca.
+
+Conversion of PXA to generic I2C recovery, makes the I2C bus completely
+lock up if recovery pinctrl is present in the DT and I2C recovery is
+enabled.
+
+So, until the generic I2C recovery can also work with PXA lets revert
+to have working I2C and I2C recovery again.
+
+Signed-off-by: Robert Marko <robert.marko@sartura.hr>
+Cc: stable@vger.kernel.org # 5.11+
+Acked-by: Andi Shyti <andi.shyti@kernel.org>
+Acked-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Acked-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-pxa.c | 76 ++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 68 insertions(+), 8 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-pxa.c
++++ b/drivers/i2c/busses/i2c-pxa.c
+@@ -264,6 +264,9 @@ struct pxa_i2c {
+ u32 hs_mask;
+
+ struct i2c_bus_recovery_info recovery;
++ struct pinctrl *pinctrl;
++ struct pinctrl_state *pinctrl_default;
++ struct pinctrl_state *pinctrl_recovery;
+ };
+
+ #define _IBMR(i2c) ((i2c)->reg_ibmr)
+@@ -1302,12 +1305,13 @@ static void i2c_pxa_prepare_recovery(str
+ */
+ gpiod_set_value(i2c->recovery.scl_gpiod, ibmr & IBMR_SCLS);
+ gpiod_set_value(i2c->recovery.sda_gpiod, ibmr & IBMR_SDAS);
++
++ WARN_ON(pinctrl_select_state(i2c->pinctrl, i2c->pinctrl_recovery));
+ }
+
+ static void i2c_pxa_unprepare_recovery(struct i2c_adapter *adap)
+ {
+ struct pxa_i2c *i2c = adap->algo_data;
+- struct i2c_bus_recovery_info *bri = adap->bus_recovery_info;
+ u32 isr;
+
+ /*
+@@ -1321,7 +1325,7 @@ static void i2c_pxa_unprepare_recovery(s
+ i2c_pxa_do_reset(i2c);
+ }
+
+- WARN_ON(pinctrl_select_state(bri->pinctrl, bri->pins_default));
++ WARN_ON(pinctrl_select_state(i2c->pinctrl, i2c->pinctrl_default));
+
+ dev_dbg(&i2c->adap.dev, "recovery: IBMR 0x%08x ISR 0x%08x\n",
+ readl(_IBMR(i2c)), readl(_ISR(i2c)));
+@@ -1343,20 +1347,76 @@ static int i2c_pxa_init_recovery(struct
+ if (IS_ENABLED(CONFIG_I2C_PXA_SLAVE))
+ return 0;
+
+- bri->pinctrl = devm_pinctrl_get(dev);
+- if (PTR_ERR(bri->pinctrl) == -ENODEV) {
+- bri->pinctrl = NULL;
++ i2c->pinctrl = devm_pinctrl_get(dev);
++ if (PTR_ERR(i2c->pinctrl) == -ENODEV)
++ i2c->pinctrl = NULL;
++ if (IS_ERR(i2c->pinctrl))
++ return PTR_ERR(i2c->pinctrl);
++
++ if (!i2c->pinctrl)
++ return 0;
++
++ i2c->pinctrl_default = pinctrl_lookup_state(i2c->pinctrl,
++ PINCTRL_STATE_DEFAULT);
++ i2c->pinctrl_recovery = pinctrl_lookup_state(i2c->pinctrl, "recovery");
++
++ if (IS_ERR(i2c->pinctrl_default) || IS_ERR(i2c->pinctrl_recovery)) {
++ dev_info(dev, "missing pinmux recovery information: %ld %ld\n",
++ PTR_ERR(i2c->pinctrl_default),
++ PTR_ERR(i2c->pinctrl_recovery));
++ return 0;
++ }
++
++ /*
++ * Claiming GPIOs can influence the pinmux state, and may glitch the
++ * I2C bus. Do this carefully.
++ */
++ bri->scl_gpiod = devm_gpiod_get(dev, "scl", GPIOD_OUT_HIGH_OPEN_DRAIN);
++ if (bri->scl_gpiod == ERR_PTR(-EPROBE_DEFER))
++ return -EPROBE_DEFER;
++ if (IS_ERR(bri->scl_gpiod)) {
++ dev_info(dev, "missing scl gpio recovery information: %pe\n",
++ bri->scl_gpiod);
++ return 0;
++ }
++
++ /*
++ * We have SCL. Pull SCL low and wait a bit so that SDA glitches
++ * have no effect.
++ */
++ gpiod_direction_output(bri->scl_gpiod, 0);
++ udelay(10);
++ bri->sda_gpiod = devm_gpiod_get(dev, "sda", GPIOD_OUT_HIGH_OPEN_DRAIN);
++
++ /* Wait a bit in case of a SDA glitch, and then release SCL. */
++ udelay(10);
++ gpiod_direction_output(bri->scl_gpiod, 1);
++
++ if (bri->sda_gpiod == ERR_PTR(-EPROBE_DEFER))
++ return -EPROBE_DEFER;
++
++ if (IS_ERR(bri->sda_gpiod)) {
++ dev_info(dev, "missing sda gpio recovery information: %pe\n",
++ bri->sda_gpiod);
+ return 0;
+ }
+- if (IS_ERR(bri->pinctrl))
+- return PTR_ERR(bri->pinctrl);
+
+ bri->prepare_recovery = i2c_pxa_prepare_recovery;
+ bri->unprepare_recovery = i2c_pxa_unprepare_recovery;
++ bri->recover_bus = i2c_generic_scl_recovery;
+
+ i2c->adap.bus_recovery_info = bri;
+
+- return 0;
++ /*
++ * Claiming GPIOs can change the pinmux state, which confuses the
++ * pinctrl since pinctrl's idea of the current setting is unaffected
++ * by the pinmux change caused by claiming the GPIO. Work around that
++ * by switching pinctrl to the GPIO state here. We do it this way to
++ * avoid glitching the I2C bus.
++ */
++ pinctrl_select_state(i2c->pinctrl, i2c->pinctrl_recovery);
++
++ return pinctrl_select_state(i2c->pinctrl, i2c->pinctrl_default);
+ }
+
+ static int i2c_pxa_probe(struct platform_device *dev)
--- /dev/null
+From 9e2e7efbbbff69d8340abb56d375dd79d1f5770f Mon Sep 17 00:00:00 2001
+From: Johnathan Mantey <johnathanx.mantey@intel.com>
+Date: Mon, 13 Nov 2023 08:30:29 -0800
+Subject: Revert ncsi: Propagate carrier gain/loss events to the NCSI controller
+
+From: Johnathan Mantey <johnathanx.mantey@intel.com>
+
+commit 9e2e7efbbbff69d8340abb56d375dd79d1f5770f upstream.
+
+This reverts commit 3780bb29311eccb7a1c9641032a112eed237f7e3.
+
+The cited commit introduced unwanted behavior.
+
+The intent for the commit was to be able to detect carrier loss/gain
+for just the NIC connected to the BMC. The unwanted effect is a
+carrier loss for auxiliary paths also causes the BMC to lose
+carrier. The BMC never regains carrier despite the secondary NIC
+regaining a link.
+
+This change, when merged, needs to be backported to stable kernels.
+5.4-stable, 5.10-stable, 5.15-stable, 6.1-stable, 6.5-stable
+
+Fixes: 3780bb29311e ("ncsi: Propagate carrier gain/loss events to the NCSI controller")
+CC: stable@vger.kernel.org
+Signed-off-by: Johnathan Mantey <johnathanx.mantey@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ncsi/ncsi-aen.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/net/ncsi/ncsi-aen.c
++++ b/net/ncsi/ncsi-aen.c
+@@ -89,11 +89,6 @@ static int ncsi_aen_handler_lsc(struct n
+ if ((had_link == has_link) || chained)
+ return 0;
+
+- if (had_link)
+- netif_carrier_off(ndp->ndev.dev);
+- else
+- netif_carrier_on(ndp->ndev.dev);
+-
+ if (!ndp->multi_package && !nc->package->multi_channel) {
+ if (had_link) {
+ ndp->flags |= NCSI_DEV_RESHUFFLE;
--- /dev/null
+From e59e5e2754bf983fc58ad18f99b5eec01f1a0745 Mon Sep 17 00:00:00 2001
+From: Song Shuai <suagrfillet@gmail.com>
+Date: Tue, 29 Aug 2023 21:39:20 -0700
+Subject: riscv: correct pt_level name via pgtable_l5/4_enabled
+
+From: Song Shuai <suagrfillet@gmail.com>
+
+commit e59e5e2754bf983fc58ad18f99b5eec01f1a0745 upstream.
+
+The pt_level uses CONFIG_PGTABLE_LEVELS to display page table names.
+But if page mode is downgraded from kernel cmdline or restricted by
+the hardware in 64BIT, it will give a wrong name.
+
+Like, using no4lvl for sv39, ptdump named the 1G-mapping as "PUD"
+that should be "PGD":
+
+0xffffffd840000000-0xffffffd900000000 0x00000000c0000000 3G PUD D A G . . W R V
+
+So select "P4D/PUD" or "PGD" via pgtable_l5/4_enabled to correct it.
+
+Fixes: e8a62cc26ddf ("riscv: Implement sv48 support")
+Reviewed-by: Alexandre Ghiti <alexghiti@rivosinc.com>
+Signed-off-by: Song Shuai <suagrfillet@gmail.com>
+Link: https://lore.kernel.org/r/20230712115740.943324-1-suagrfillet@gmail.com
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20230830044129.11481-3-palmer@rivosinc.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/mm/ptdump.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/riscv/mm/ptdump.c b/arch/riscv/mm/ptdump.c
+index 20a9f991a6d7..e9090b38f811 100644
+--- a/arch/riscv/mm/ptdump.c
++++ b/arch/riscv/mm/ptdump.c
+@@ -384,6 +384,9 @@ static int __init ptdump_init(void)
+
+ kernel_ptd_info.base_addr = KERN_VIRT_START;
+
++ pg_level[1].name = pgtable_l5_enabled ? "P4D" : "PGD";
++ pg_level[2].name = pgtable_l4_enabled ? "PUD" : "PGD";
++
+ for (i = 0; i < ARRAY_SIZE(pg_level); i++)
+ for (j = 0; j < ARRAY_SIZE(pte_bits); j++)
+ pg_level[i].mask |= pte_bits[j].mask;
+--
+2.43.0
+
--- /dev/null
+From 8cb22bec142624d21bc85ff96b7bad10b6220e6a Mon Sep 17 00:00:00 2001
+From: Nam Cao <namcaov@gmail.com>
+Date: Tue, 29 Aug 2023 20:25:00 +0200
+Subject: riscv: kprobes: allow writing to x0
+
+From: Nam Cao <namcaov@gmail.com>
+
+commit 8cb22bec142624d21bc85ff96b7bad10b6220e6a upstream.
+
+Instructions can write to x0, so we should simulate these instructions
+normally.
+
+Currently, the kernel hangs if an instruction who writes to x0 is
+simulated.
+
+Fixes: c22b0bcb1dd0 ("riscv: Add kprobes supported")
+Cc: stable@vger.kernel.org
+Signed-off-by: Nam Cao <namcaov@gmail.com>
+Reviewed-by: Charlie Jenkins <charlie@rivosinc.com>
+Acked-by: Guo Ren <guoren@kernel.org>
+Link: https://lore.kernel.org/r/20230829182500.61875-1-namcaov@gmail.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/kernel/probes/simulate-insn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/riscv/kernel/probes/simulate-insn.c
++++ b/arch/riscv/kernel/probes/simulate-insn.c
+@@ -24,7 +24,7 @@ static inline bool rv_insn_reg_set_val(s
+ unsigned long val)
+ {
+ if (index == 0)
+- return false;
++ return true;
+ else if (index <= 31)
+ *((unsigned long *)regs + index) = val;
+ else
--- /dev/null
+From 559fe94a449cba5b50a7cffea60474b385598c00 Mon Sep 17 00:00:00 2001
+From: Song Shuai <suagrfillet@gmail.com>
+Date: Wed, 9 Aug 2023 11:10:23 +0800
+Subject: riscv: mm: Update the comment of CONFIG_PAGE_OFFSET
+
+From: Song Shuai <suagrfillet@gmail.com>
+
+commit 559fe94a449cba5b50a7cffea60474b385598c00 upstream.
+
+Since the commit 011f09d12052 set sv57 as default for CONFIG_64BIT,
+the comment of CONFIG_PAGE_OFFSET should be updated too.
+
+Fixes: 011f09d12052 ("riscv: mm: Set sv57 on defaultly")
+Signed-off-by: Song Shuai <suagrfillet@gmail.com>
+Link: https://lore.kernel.org/r/20230809031023.3575407-1-songshuaishuai@tinylab.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/include/asm/page.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/riscv/include/asm/page.h
++++ b/arch/riscv/include/asm/page.h
+@@ -38,8 +38,8 @@
+ #define PAGE_OFFSET _AC(CONFIG_PAGE_OFFSET, UL)
+ #endif
+ /*
+- * By default, CONFIG_PAGE_OFFSET value corresponds to SV48 address space so
+- * define the PAGE_OFFSET value for SV39.
++ * By default, CONFIG_PAGE_OFFSET value corresponds to SV57 address space so
++ * define the PAGE_OFFSET value for SV48 and SV39.
+ */
+ #define PAGE_OFFSET_L4 _AC(0xffffaf8000000000, UL)
+ #define PAGE_OFFSET_L3 _AC(0xffffffd800000000, UL)
--- /dev/null
+From e14aec23025eeb1f2159ba34dbc1458467c4c347 Mon Sep 17 00:00:00 2001
+From: Harald Freudenberger <freude@linux.ibm.com>
+Date: Mon, 23 Oct 2023 09:57:10 +0200
+Subject: s390/ap: fix AP bus crash on early config change callback invocation
+
+From: Harald Freudenberger <freude@linux.ibm.com>
+
+commit e14aec23025eeb1f2159ba34dbc1458467c4c347 upstream.
+
+Fix kernel crash in AP bus code caused by very early invocation of the
+config change callback function via SCLP.
+
+After a fresh IML of the machine the crypto cards are still offline and
+will get switched online only with activation of any LPAR which has the
+card in it's configuration. A crypto card coming online is reported
+to the LPAR via SCLP and the AP bus offers a callback function to get
+this kind of information. However, it may happen that the callback is
+invoked before the AP bus init function is complete. As the callback
+triggers a synchronous AP bus scan, the scan may already run but some
+internal states are not initialized by the AP bus init function resulting
+in a crash like this:
+
+ [ 11.635859] Unable to handle kernel pointer dereference in virtual kernel address space
+ [ 11.635861] Failing address: 0000000000000000 TEID: 0000000000000887
+ [ 11.635862] Fault in home space mode while using kernel ASCE.
+ [ 11.635864] AS:00000000894c4007 R3:00000001fece8007 S:00000001fece7800 P:000000000000013d
+ [ 11.635879] Oops: 0004 ilc:1 [#1] SMP
+ [ 11.635882] Modules linked in:
+ [ 11.635884] CPU: 5 PID: 42 Comm: kworker/5:0 Not tainted 6.6.0-rc3-00003-g4dbf7cdc6b42 #12
+ [ 11.635886] Hardware name: IBM 3931 A01 751 (LPAR)
+ [ 11.635887] Workqueue: events_long ap_scan_bus
+ [ 11.635891] Krnl PSW : 0704c00180000000 0000000000000000 (0x0)
+ [ 11.635895] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3
+ [ 11.635897] Krnl GPRS: 0000000001000a00 0000000000000000 0000000000000006 0000000089591940
+ [ 11.635899] 0000000080000000 0000000000000a00 0000000000000000 0000000000000000
+ [ 11.635901] 0000000081870c00 0000000089591000 000000008834e4e2 0000000002625a00
+ [ 11.635903] 0000000081734200 0000038000913c18 000000008834c6d6 0000038000913ac8
+ [ 11.635906] Krnl Code:>0000000000000000: 0000 illegal
+ [ 11.635906] 0000000000000002: 0000 illegal
+ [ 11.635906] 0000000000000004: 0000 illegal
+ [ 11.635906] 0000000000000006: 0000 illegal
+ [ 11.635906] 0000000000000008: 0000 illegal
+ [ 11.635906] 000000000000000a: 0000 illegal
+ [ 11.635906] 000000000000000c: 0000 illegal
+ [ 11.635906] 000000000000000e: 0000 illegal
+ [ 11.635915] Call Trace:
+ [ 11.635916] [<0000000000000000>] 0x0
+ [ 11.635918] [<000000008834e4e2>] ap_queue_init_state+0x82/0xb8
+ [ 11.635921] [<000000008834ba1c>] ap_scan_domains+0x6fc/0x740
+ [ 11.635923] [<000000008834c092>] ap_scan_adapter+0x632/0x8b0
+ [ 11.635925] [<000000008834c3e4>] ap_scan_bus+0xd4/0x288
+ [ 11.635927] [<00000000879a33ba>] process_one_work+0x19a/0x410
+ [ 11.635930] Discipline DIAG cannot be used without z/VM
+ [ 11.635930] [<00000000879a3a2c>] worker_thread+0x3fc/0x560
+ [ 11.635933] [<00000000879aea60>] kthread+0x120/0x128
+ [ 11.635936] [<000000008792afa4>] __ret_from_fork+0x3c/0x58
+ [ 11.635938] [<00000000885ebe62>] ret_from_fork+0xa/0x30
+ [ 11.635942] Last Breaking-Event-Address:
+ [ 11.635942] [<000000008834c6d4>] ap_wait+0xcc/0x148
+
+This patch improves the ap_bus_force_rescan() function which is
+invoked by the config change callback by checking if a first
+initial AP bus scan has been done. If not, the force rescan request
+is simple ignored. Anyhow it does not make sense to trigger AP bus
+re-scans even before the very first bus scan is complete.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Holger Dengler <dengler@linux.ibm.com>
+Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/crypto/ap_bus.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/s390/crypto/ap_bus.c
++++ b/drivers/s390/crypto/ap_bus.c
+@@ -1012,6 +1012,10 @@ EXPORT_SYMBOL(ap_driver_unregister);
+
+ void ap_bus_force_rescan(void)
+ {
++ /* Only trigger AP bus scans after the initial scan is done */
++ if (atomic64_read(&ap_scan_bus_count) <= 0)
++ return;
++
+ /* processing a asynchronous bus rescan */
+ del_timer(&ap_config_timer);
+ queue_work(system_long_wq, &ap_scan_work);
--- /dev/null
+From 5d6aa89bba5bd6af2580f872b57f438dab883738 Mon Sep 17 00:00:00 2001
+From: Darren Hart <darren@os.amperecomputing.com>
+Date: Thu, 21 Sep 2023 02:02:36 -0700
+Subject: sbsa_gwdt: Calculate timeout with 64-bit math
+
+From: Darren Hart <darren@os.amperecomputing.com>
+
+commit 5d6aa89bba5bd6af2580f872b57f438dab883738 upstream.
+
+Commit abd3ac7902fb ("watchdog: sbsa: Support architecture version 1")
+introduced new timer math for watchdog revision 1 with the 48 bit offset
+register.
+
+The gwdt->clk and timeout are u32, but the argument being calculated is
+u64. Without a cast, the compiler performs u32 operations, truncating
+intermediate steps, resulting in incorrect values.
+
+A watchdog revision 1 implementation with a gwdt->clk of 1GHz and a
+timeout of 600s writes 3647256576 to the one shot watchdog instead of
+300000000000, resulting in the watchdog firing in 3.6s instead of 600s.
+
+Force u64 math by casting the first argument (gwdt->clk) as a u64. Make
+the order of operations explicit with parenthesis.
+
+Fixes: abd3ac7902fb ("watchdog: sbsa: Support architecture version 1")
+Reported-by: Vanshidhar Konda <vanshikonda@os.amperecomputing.com>
+Signed-off-by: Darren Hart <darren@os.amperecomputing.com>
+Cc: Wim Van Sebroeck <wim@linux-watchdog.org>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Cc: linux-watchdog@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: <stable@vger.kernel.org> # 5.14.x
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/7d1713c5ffab19b0f3de796d82df19e8b1f340de.1695286124.git.darren@os.amperecomputing.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/watchdog/sbsa_gwdt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/watchdog/sbsa_gwdt.c
++++ b/drivers/watchdog/sbsa_gwdt.c
+@@ -153,14 +153,14 @@ static int sbsa_gwdt_set_timeout(struct
+ timeout = clamp_t(unsigned int, timeout, 1, wdd->max_hw_heartbeat_ms / 1000);
+
+ if (action)
+- sbsa_gwdt_reg_write(gwdt->clk * timeout, gwdt);
++ sbsa_gwdt_reg_write((u64)gwdt->clk * timeout, gwdt);
+ else
+ /*
+ * In the single stage mode, The first signal (WS0) is ignored,
+ * the timeout is (WOR * 2), so the WOR should be configured
+ * to half value of timeout.
+ */
+- sbsa_gwdt_reg_write(gwdt->clk / 2 * timeout, gwdt);
++ sbsa_gwdt_reg_write(((u64)gwdt->clk / 2) * timeout, gwdt);
+
+ return 0;
+ }
cxl-mem-move-devm_cxl_add_endpoint-from-cxl_core-to-.patch
tools-testing-cxl-define-a-fixed-volatile-configurat.patch
cxl-region-fix-x1-root-decoder-granularity-calculati.patch
+revert-ncsi-propagate-carrier-gain-loss-events-to-the-ncsi-controller.patch
+revert-i2c-pxa-move-to-generic-gpio-recovery.patch
+lsm-fix-default-return-value-for-vm_enough_memory.patch
+lsm-fix-default-return-value-for-inode_getsecctx.patch
+sbsa_gwdt-calculate-timeout-with-64-bit-math.patch
+i2c-designware-disable-tx_empty-irq-while-waiting-for-block-length-byte.patch
+s390-ap-fix-ap-bus-crash-on-early-config-change-callback-invocation.patch
+net-ethtool-fix-documentation-of-ethtool_sprintf.patch
+net-dsa-lan9303-consequently-nested-lock-physical-mdio.patch
+net-phylink-initialize-carrier-state-at-creation.patch
+i2c-i801-fix-potential-race-in-i801_block_transaction_byte_by_byte.patch
+f2fs-do-not-return-efscorrupted-but-try-to-run-online-repair.patch
+f2fs-avoid-format-overflow-warning.patch
+media-lirc-drop-trailing-space-from-scancode-transmit.patch
+media-sharp-fix-sharp-encoding.patch
+media-venus-hfi_parser-add-check-to-keep-the-number-of-codecs-within-range.patch
+media-venus-hfi-fix-the-check-to-handle-session-buffer-requirement.patch
+media-venus-hfi-add-checks-to-handle-capabilities-from-firmware.patch
+media-ccs-correctly-initialise-try-compose-rectangle.patch
+drm-mediatek-dp-fix-memory-leak-on-get_edid-callback-audio-detection.patch
+drm-mediatek-dp-fix-memory-leak-on-get_edid-callback-error-path.patch
+dm-verity-don-t-use-blocking-calls-from-tasklets.patch
+nfsd-fix-file-memleak-on-client_opens_release.patch
+loongarch-mark-__percpu-functions-as-always-inline.patch
+riscv-mm-update-the-comment-of-config_page_offset.patch
+riscv-correct-pt_level-name-via-pgtable_l5-4_enabled.patch
+riscv-kprobes-allow-writing-to-x0.patch
+mmc-sdhci-pci-gli-a-workaround-to-allow-gl9750-to-enter-aspm-l1.2.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
