--- /dev/null
+From cb0b331dd302a97af873d76d3b79f6b8d103030a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Mar 2025 10:20:30 +0100
+Subject: ahci: add PCI ID for Marvell 88SE9215 SATA Controller
+
+From: Daniel Kral <d.kral@proxmox.com>
+
+[ Upstream commit 885251dc35767b1c992f6909532ca366c830814a ]
+
+Add support for Marvell Technology Group Ltd. 88SE9215 SATA 6 Gb/s
+controller, which is e.g. used in the DAWICONTROL DC-614e RAID bus
+controller and was not automatically recognized before.
+
+Tested with a DAWICONTROL DC-614e RAID bus controller.
+
+Signed-off-by: Daniel Kral <d.kral@proxmox.com>
+Link: https://lore.kernel.org/r/20250304092030.37108-1-d.kral@proxmox.com
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/ahci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c
+index 2d2a070c1efcb..3c8fa08f5d970 100644
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -558,6 +558,8 @@ static const struct pci_device_id ahci_pci_tbl[] = {
+ .driver_data = board_ahci_yes_fbs },
+ { PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x91a3),
+ .driver_data = board_ahci_yes_fbs },
++ { PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9215),
++ .driver_data = board_ahci_yes_fbs },
+ { PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9230),
+ .driver_data = board_ahci_yes_fbs },
+ { PCI_DEVICE(PCI_VENDOR_ID_TTI, 0x0642), /* highpoint rocketraid 642L */
+--
+2.39.5
+
--- /dev/null
+From 43308a247b5e54803cb6afe2ded411464a082a56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 Feb 2025 23:46:01 +0200
+Subject: ALSA: hda: intel: Fix Optimus when GPU has no sound
+
+From: Maxim Mikityanskiy <maxtram95@gmail.com>
+
+[ Upstream commit 2b360ba9a4936486380bc30d1eabceb40a714d98 ]
+
+quirk_nvidia_hda() forcefully enables HDA controller on all NVIDIA GPUs,
+because some buggy BIOSes leave it disabled. However, some dual-GPU
+laptops do not have a functional HDA controller in DGPU, and BIOS
+disables it on purpose. After quirk_nvidia_hda() reenables this dummy
+HDA controller, attempting to probe it fails at azx_first_init(), which
+is too late to cancel the probe, as it happens in azx_probe_continue().
+
+The sna_hda_intel driver calls azx_free() and stops the chip, however,
+it stays probed, and from the runtime PM point of view, the device
+remains active (it was set as active by the PCI subsystem on probe). It
+prevents vga_switcheroo from turning off the DGPU, because
+pci_create_device_link() syncs power management for video and audio
+devices.
+
+Affected devices should be added to driver_denylist to prevent them from
+probing early. This patch helps identify such devices by printing a
+warning, and also forces the device to the suspended state to allow
+vga_switcheroo turn off DGPU.
+
+Signed-off-by: Maxim Mikityanskiy <maxtram95@gmail.com>
+Link: https://patch.msgid.link/20250208214602.39607-2-maxtram95@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/hda_intel.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
+index 59fc56a970a9d..cdc1d00ab34b1 100644
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -1410,8 +1410,21 @@ static void azx_free(struct azx *chip)
+ if (use_vga_switcheroo(hda)) {
+ if (chip->disabled && hda->probe_continued)
+ snd_hda_unlock_devices(&chip->bus);
+- if (hda->vga_switcheroo_registered)
++ if (hda->vga_switcheroo_registered) {
+ vga_switcheroo_unregister_client(chip->pci);
++
++ /* Some GPUs don't have sound, and azx_first_init fails,
++ * leaving the device probed but non-functional. As long
++ * as it's probed, the PCI subsystem keeps its runtime
++ * PM status as active. Force it to suspended (as we
++ * actually stop the chip) to allow GPU to suspend via
++ * vga_switcheroo, and print a warning.
++ */
++ dev_warn(&pci->dev, "GPU sound probed, but not operational: please add a quirk to driver_denylist\n");
++ pm_runtime_disable(&pci->dev);
++ pm_runtime_set_suspended(&pci->dev);
++ pm_runtime_enable(&pci->dev);
++ }
+ }
+
+ if (bus->chip_init) {
+--
+2.39.5
+
--- /dev/null
+From bcb9686efa0f763f37b6421f787fac9b1a407ad3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Mar 2025 23:16:17 +0100
+Subject: ALSA: usb-audio: Fix CME quirk for UF series keyboards
+
+From: Ricard Wanderlof <ricard2013@butoba.net>
+
+[ Upstream commit c2820405ba55a38932aa2177f026b70064296663 ]
+
+Fix quirk for CME master keyboards so it not only handles
+sysex but also song position pointer, MIDI timing clock, start
+and stop messages, and active sensing. All of these can be
+output by the CME UF series master keyboards.
+
+Tested with a CME UF6 in a desktop Linux environment as
+well as on the Zynthian Raspberry Pi based platform.
+
+Signed-off-by: Ricard Wanderlof <ricard2013@butoba.net>
+Link: https://patch.msgid.link/20250313-cme-fix-v1-1-d404889e4de8@butoba.net
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/usb/midi.c | 80 ++++++++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 74 insertions(+), 6 deletions(-)
+
+diff --git a/sound/usb/midi.c b/sound/usb/midi.c
+index f175c537353a0..2dded1f2ca05e 100644
+--- a/sound/usb/midi.c
++++ b/sound/usb/midi.c
+@@ -505,16 +505,84 @@ static void ch345_broken_sysex_input(struct snd_usb_midi_in_endpoint *ep,
+
+ /*
+ * CME protocol: like the standard protocol, but SysEx commands are sent as a
+- * single USB packet preceded by a 0x0F byte.
++ * single USB packet preceded by a 0x0F byte, as are system realtime
++ * messages and MIDI Active Sensing.
++ * Also, multiple messages can be sent in the same packet.
+ */
+ static void snd_usbmidi_cme_input(struct snd_usb_midi_in_endpoint *ep,
+ uint8_t *buffer, int buffer_length)
+ {
+- if (buffer_length < 2 || (buffer[0] & 0x0f) != 0x0f)
+- snd_usbmidi_standard_input(ep, buffer, buffer_length);
+- else
+- snd_usbmidi_input_data(ep, buffer[0] >> 4,
+- &buffer[1], buffer_length - 1);
++ int remaining = buffer_length;
++
++ /*
++ * CME send sysex, song position pointer, system realtime
++ * and active sensing using CIN 0x0f, which in the standard
++ * is only intended for single byte unparsed data.
++ * So we need to interpret these here before sending them on.
++ * By default, we assume single byte data, which is true
++ * for system realtime (midi clock, start, stop and continue)
++ * and active sensing, and handle the other (known) cases
++ * separately.
++ * In contrast to the standard, CME does not split sysex
++ * into multiple 4-byte packets, but lumps everything together
++ * into one. In addition, CME can string multiple messages
++ * together in the same packet; pressing the Record button
++ * on an UF6 sends a sysex message directly followed
++ * by a song position pointer in the same packet.
++ * For it to have any reasonable meaning, a sysex message
++ * needs to be at least 3 bytes in length (0xf0, id, 0xf7),
++ * corresponding to a packet size of 4 bytes, and the ones sent
++ * by CME devices are 6 or 7 bytes, making the packet fragments
++ * 7 or 8 bytes long (six or seven bytes plus preceding CN+CIN byte).
++ * For the other types, the packet size is always 4 bytes,
++ * as per the standard, with the data size being 3 for SPP
++ * and 1 for the others.
++ * Thus all packet fragments are at least 4 bytes long, so we can
++ * skip anything that is shorter; this also conveniantly skips
++ * packets with size 0, which CME devices continuously send when
++ * they have nothing better to do.
++ * Another quirk is that sometimes multiple messages are sent
++ * in the same packet. This has been observed for midi clock
++ * and active sensing i.e. 0x0f 0xf8 0x00 0x00 0x0f 0xfe 0x00 0x00,
++ * but also multiple note ons/offs, and control change together
++ * with MIDI clock. Similarly, some sysex messages are followed by
++ * the song position pointer in the same packet, and occasionally
++ * additionally by a midi clock or active sensing.
++ * We handle this by looping over all data and parsing it along the way.
++ */
++ while (remaining >= 4) {
++ int source_length = 4; /* default */
++
++ if ((buffer[0] & 0x0f) == 0x0f) {
++ int data_length = 1; /* default */
++
++ if (buffer[1] == 0xf0) {
++ /* Sysex: Find EOX and send on whole message. */
++ /* To kick off the search, skip the first
++ * two bytes (CN+CIN and SYSEX (0xf0).
++ */
++ uint8_t *tmp_buf = buffer + 2;
++ int tmp_length = remaining - 2;
++
++ while (tmp_length > 1 && *tmp_buf != 0xf7) {
++ tmp_buf++;
++ tmp_length--;
++ }
++ data_length = tmp_buf - buffer;
++ source_length = data_length + 1;
++ } else if (buffer[1] == 0xf2) {
++ /* Three byte song position pointer */
++ data_length = 3;
++ }
++ snd_usbmidi_input_data(ep, buffer[0] >> 4,
++ &buffer[1], data_length);
++ } else {
++ /* normal channel events */
++ snd_usbmidi_standard_input(ep, buffer, source_length);
++ }
++ buffer += source_length;
++ remaining -= source_length;
++ }
+ }
+
+ /*
+--
+2.39.5
+
--- /dev/null
+From 2f38b9367dee5e22ca8ea6503d380d19951f35c9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Feb 2025 02:54:23 +0100
+Subject: ata: libata-eh: Do not use ATAPI DMA for a device limited to PIO mode
+
+From: Niklas Cassel <cassel@kernel.org>
+
+[ Upstream commit 91ec84f8eaddbc93d7c62e363d68aeb7b89879c7 ]
+
+atapi_eh_request_sense() currently uses ATAPI DMA if the SATA controller
+has ATA_FLAG_PIO_DMA (PIO cmds via DMA) set.
+
+However, ATA_FLAG_PIO_DMA is a flag that can be set by a low-level driver
+on a port at initialization time, before any devices are scanned.
+
+If a controller detects a connected device that only supports PIO, we set
+the flag ATA_DFLAG_PIO.
+
+Modify atapi_eh_request_sense() to not use ATAPI DMA if the connected
+device only supports PIO.
+
+Reported-by: Philip Pemberton <lists@philpem.me.uk>
+Closes: https://lore.kernel.org/linux-ide/c6722ee8-5e21-4169-af59-cbbae9edc02f@philpem.me.uk/
+Tested-by: Philip Pemberton <lists@philpem.me.uk>
+Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
+Link: https://lore.kernel.org/r/20250221015422.20687-2-cassel@kernel.org
+Signed-off-by: Niklas Cassel <cassel@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/ata/libata-eh.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c
+index fa3f08ca5f6ce..4677eaf737141 100644
+--- a/drivers/ata/libata-eh.c
++++ b/drivers/ata/libata-eh.c
+@@ -1603,8 +1603,15 @@ unsigned int atapi_eh_request_sense(struct ata_device *dev,
+ tf.flags |= ATA_TFLAG_ISADDR | ATA_TFLAG_DEVICE;
+ tf.command = ATA_CMD_PACKET;
+
+- /* is it pointless to prefer PIO for "safety reasons"? */
+- if (ap->flags & ATA_FLAG_PIO_DMA) {
++ /*
++ * Do not use DMA if the connected device only supports PIO, even if the
++ * port prefers PIO commands via DMA.
++ *
++ * Ideally, we should call atapi_check_dma() to check if it is safe for
++ * the LLD to use DMA for REQUEST_SENSE, but we don't have a qc.
++ * Since we can't check the command, perhaps we should only use pio?
++ */
++ if ((ap->flags & ATA_FLAG_PIO_DMA) && !(dev->flags & ATA_DFLAG_PIO)) {
+ tf.protocol = ATAPI_PROT_DMA;
+ tf.feature |= ATAPI_PKT_DMA;
+ } else {
+--
+2.39.5
+
--- /dev/null
+From b25bf72b8712ffb2517aa8be366e05fcad6f2e61 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jan 2025 21:43:26 +0300
+Subject: Bluetooth: hci_uart: fix race during initialization
+
+From: Arseniy Krasnov <avkrasnov@salutedevices.com>
+
+[ Upstream commit 366ceff495f902182d42b6f41525c2474caf3f9a ]
+
+'hci_register_dev()' calls power up function, which is executed by
+kworker - 'hci_power_on()'. This function does access to bluetooth chip
+using callbacks from 'hci_ldisc.c', for example 'hci_uart_send_frame()'.
+Now 'hci_uart_send_frame()' checks 'HCI_UART_PROTO_READY' bit set, and
+if not - it fails. Problem is that 'HCI_UART_PROTO_READY' is set after
+'hci_register_dev()', and there is tiny chance that 'hci_power_on()' will
+be executed before setting this bit. In that case HCI init logic fails.
+
+Patch moves setting of 'HCI_UART_PROTO_READY' before calling function
+'hci_uart_register_dev()'.
+
+Signed-off-by: Arseniy Krasnov <avkrasnov@salutedevices.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/hci_ldisc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c
+index 600c88fc3145f..8e4a23cd40218 100644
+--- a/drivers/bluetooth/hci_ldisc.c
++++ b/drivers/bluetooth/hci_ldisc.c
+@@ -703,12 +703,13 @@ static int hci_uart_set_proto(struct hci_uart *hu, int id)
+
+ hu->proto = p;
+
++ set_bit(HCI_UART_PROTO_READY, &hu->flags);
++
+ err = hci_uart_register_dev(hu);
+ if (err) {
+ return err;
+ }
+
+- set_bit(HCI_UART_PROTO_READY, &hu->flags);
+ return 0;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 6191a1398ac159eb52125f8a2c042514976069b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 Dec 2024 13:18:42 -0800
+Subject: drm: allow encoder mode_set even when connectors change for crtc
+
+From: Abhinav Kumar <quic_abhinavk@quicinc.com>
+
+[ Upstream commit 7e182cb4f5567f53417b762ec0d679f0b6f0039d ]
+
+In certain use-cases, a CRTC could switch between two encoders
+and because the mode being programmed on the CRTC remains
+the same during this switch, the CRTC's mode_changed remains false.
+In such cases, the encoder's mode_set also gets skipped.
+
+Skipping mode_set on the encoder for such cases could cause an issue
+because even though the same CRTC mode was being used, the encoder
+type could have changed like the CRTC could have switched from a
+real time encoder to a writeback encoder OR vice-versa.
+
+Allow encoder's mode_set to happen even when connectors changed on a
+CRTC and not just when the mode changed.
+
+Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
+Signed-off-by: Jessica Zhang <quic_jesszhan@quicinc.com>
+Reviewed-by: Maxime Ripard <mripard@kernel.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20241211-abhinavk-modeset-fix-v3-1-0de4bf3e7c32@quicinc.com
+Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_atomic_helper.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/drm_atomic_helper.c b/drivers/gpu/drm/drm_atomic_helper.c
+index d91d6c063a1d2..70d97a7fc6864 100644
+--- a/drivers/gpu/drm/drm_atomic_helper.c
++++ b/drivers/gpu/drm/drm_atomic_helper.c
+@@ -1225,7 +1225,7 @@ crtc_set_mode(struct drm_device *dev, struct drm_atomic_state *old_state)
+ mode = &new_crtc_state->mode;
+ adjusted_mode = &new_crtc_state->adjusted_mode;
+
+- if (!new_crtc_state->mode_changed)
++ if (!new_crtc_state->mode_changed && !new_crtc_state->connectors_changed)
+ continue;
+
+ DRM_DEBUG_ATOMIC("modeset on [ENCODER:%d:%s]\n",
+--
+2.39.5
+
--- /dev/null
+From 42ba5b3646348b9d866cb5e3ff4e71d5025720f4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 25 Feb 2025 18:08:02 -0500
+Subject: drm/amdkfd: clamp queue size to minimum
+
+From: David Yat Sin <David.YatSin@amd.com>
+
+[ Upstream commit e90711946b53590371ecce32e8fcc381a99d6333 ]
+
+If queue size is less than minimum, clamp it to minimum to prevent
+underflow when writing queue mqd.
+
+Signed-off-by: David Yat Sin <David.YatSin@amd.com>
+Reviewed-by: Jay Cornwall <jay.cornwall@amd.com>
+Reviewed-by: Harish Kasiviswanathan <Harish.Kasiviswanathan@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 10 ++++++++++
+ include/uapi/linux/kfd_ioctl.h | 2 ++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+index b99e6b2e0acac..a845eda14ece3 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+@@ -169,6 +169,11 @@ static int set_queue_properties_from_user(struct queue_properties *q_properties,
+ return -EINVAL;
+ }
+
++ if (args->ring_size < KFD_MIN_QUEUE_RING_SIZE) {
++ args->ring_size = KFD_MIN_QUEUE_RING_SIZE;
++ pr_debug("Size lower. clamped to KFD_MIN_QUEUE_RING_SIZE");
++ }
++
+ if (!access_ok((const void __user *) args->read_pointer_address,
+ sizeof(uint32_t))) {
+ pr_err("Can't access read pointer\n");
+@@ -373,6 +378,11 @@ static int kfd_ioctl_update_queue(struct file *filp, struct kfd_process *p,
+ return -EINVAL;
+ }
+
++ if (args->ring_size < KFD_MIN_QUEUE_RING_SIZE) {
++ args->ring_size = KFD_MIN_QUEUE_RING_SIZE;
++ pr_debug("Size lower. clamped to KFD_MIN_QUEUE_RING_SIZE");
++ }
++
+ properties.queue_address = args->ring_base_address;
+ properties.queue_size = args->ring_size;
+ properties.queue_percent = args->queue_percentage;
+diff --git a/include/uapi/linux/kfd_ioctl.h b/include/uapi/linux/kfd_ioctl.h
+index 20917c59f39c9..899e7c0f5f669 100644
+--- a/include/uapi/linux/kfd_ioctl.h
++++ b/include/uapi/linux/kfd_ioctl.h
+@@ -43,6 +43,8 @@ struct kfd_ioctl_get_version_args {
+ #define KFD_MAX_QUEUE_PERCENTAGE 100
+ #define KFD_MAX_QUEUE_PRIORITY 15
+
++#define KFD_MIN_QUEUE_RING_SIZE 1024
++
+ struct kfd_ioctl_create_queue_args {
+ __u64 ring_base_address; /* to KFD */
+ __u64 write_pointer_address; /* from KFD */
+--
+2.39.5
+
--- /dev/null
+From dcb89526929cb9c6f7243b6b42679674bda3d8e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Feb 2025 16:02:13 -0500
+Subject: drm/amdkfd: Fix pqm_destroy_queue race with GPU reset
+
+From: Philip Yang <Philip.Yang@amd.com>
+
+[ Upstream commit 7919b4cad5545ed93778f11881ceee72e4dbed66 ]
+
+If GPU in reset, destroy_queue return -EIO, pqm_destroy_queue should
+delete the queue from process_queue_list and free the resource.
+
+Signed-off-by: Philip Yang <Philip.Yang@amd.com>
+Reviewed-by: Felix Kuehling <felix.kuehling@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
+index 7e6c3ee82f5b2..234a09b60c552 100644
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
+@@ -380,7 +380,7 @@ int pqm_destroy_queue(struct process_queue_manager *pqm, unsigned int qid)
+ pr_err("Pasid %d destroy queue %d failed, ret %d\n",
+ pqm->process->pasid,
+ pqn->q->properties.queue_id, retval);
+- if (retval != -ETIME)
++ if (retval != -ETIME && retval != -EIO)
+ goto err_destroy_queue;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 944d083c6cd4b4d8df00147d86c89bb8bb5b2fb4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Feb 2025 16:48:02 +0100
+Subject: drm/mediatek: mtk_dpi: Explicitly manage TVD clock in power on/off
+
+From: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+
+[ Upstream commit 473c33f5ce651365468503c76f33158aaa1c7dd2 ]
+
+In preparation for adding support for MT8195's HDMI reserved
+DPI, add calls to clk_prepare_enable() / clk_disable_unprepare()
+for the TVD clock: in this particular case, the aforementioned
+clock is not (and cannot be) parented to neither pixel or engine
+clocks hence it won't get enabled automatically by the clock
+framework.
+
+Please note that on all of the currently supported MediaTek
+platforms, the TVD clock is always a parent of either pixel or
+engine clocks, and this means that the common clock framework
+is already enabling this clock before the children.
+On such platforms, this commit will only increase the refcount
+of the TVD clock without any functional change.
+
+Reviewed-by: CK Hu <ck.hu@mediatek.com>
+Signed-off-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Link: https://patchwork.kernel.org/project/dri-devel/patch/20250217154836.108895-10-angelogioacchino.delregno@collabora.com/
+Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/mediatek/mtk_dpi.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/gpu/drm/mediatek/mtk_dpi.c b/drivers/gpu/drm/mediatek/mtk_dpi.c
+index 7c68a39339150..191e0cec004b4 100644
+--- a/drivers/gpu/drm/mediatek/mtk_dpi.c
++++ b/drivers/gpu/drm/mediatek/mtk_dpi.c
+@@ -366,6 +366,7 @@ static void mtk_dpi_power_off(struct mtk_dpi *dpi)
+
+ mtk_dpi_disable(dpi);
+ clk_disable_unprepare(dpi->pixel_clk);
++ clk_disable_unprepare(dpi->tvd_clk);
+ clk_disable_unprepare(dpi->engine_clk);
+ }
+
+@@ -382,6 +383,12 @@ static int mtk_dpi_power_on(struct mtk_dpi *dpi)
+ goto err_refcount;
+ }
+
++ ret = clk_prepare_enable(dpi->tvd_clk);
++ if (ret) {
++ dev_err(dpi->dev, "Failed to enable tvd pll: %d\n", ret);
++ goto err_engine;
++ }
++
+ ret = clk_prepare_enable(dpi->pixel_clk);
+ if (ret) {
+ dev_err(dpi->dev, "Failed to enable pixel clock: %d\n", ret);
+@@ -391,6 +398,8 @@ static int mtk_dpi_power_on(struct mtk_dpi *dpi)
+ return 0;
+
+ err_pixel:
++ clk_disable_unprepare(dpi->tvd_clk);
++err_engine:
+ clk_disable_unprepare(dpi->engine_clk);
+ err_refcount:
+ dpi->refcount--;
+--
+2.39.5
+
--- /dev/null
+From b72df45cf9f946ccf9fce2f56fb28b1371c10308 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Feb 2025 22:24:52 +0000
+Subject: drm: panel-orientation-quirks: Add new quirk for GPD Win 2
+
+From: Andrew Wyatt <fewtarius@steamfork.org>
+
+[ Upstream commit a860eb9c6ba6cdbf32e3e01a606556e5a90a2931 ]
+
+Some GPD Win 2 units shipped with the correct DMI strings.
+
+Add a DMI match to correctly rotate the panel on these units.
+
+Signed-off-by: Andrew Wyatt <fewtarius@steamfork.org>
+Signed-off-by: John Edwards <uejji@uejji.net>
+Tested-by: Paco Avelar <pacoavelar@hotmail.com>
+Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20250213222455.93533-5-uejji@uejji.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_panel_orientation_quirks.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+index 6bb8d4502ca8e..6fc9d638ccd23 100644
+--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+@@ -235,6 +235,12 @@ static const struct dmi_system_id orientation_data[] = {
+ DMI_EXACT_MATCH(DMI_BOARD_NAME, "Default string"),
+ },
+ .driver_data = (void *)&gpd_win2,
++ }, { /* GPD Win 2 (correct DMI strings) */
++ .matches = {
++ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "GPD"),
++ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "WIN2")
++ },
++ .driver_data = (void *)&lcd720x1280_rightside_up,
+ }, { /* GPD Win 3 */
+ .matches = {
+ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "GPD"),
+--
+2.39.5
+
--- /dev/null
+From f1894a998fd1f3a0a10589e7e1b2b9ba16e50166 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Feb 2025 22:24:49 +0000
+Subject: drm: panel-orientation-quirks: Add support for AYANEO 2S
+
+From: Andrew Wyatt <fewtarius@steamfork.org>
+
+[ Upstream commit eb8f1e3e8ee10cff591d4a47437dfd34d850d454 ]
+
+AYANEO 2S uses the same panel and orientation as the AYANEO 2.
+
+Update the AYANEO 2 DMI match to also match AYANEO 2S.
+
+Signed-off-by: Andrew Wyatt <fewtarius@steamfork.org>
+Signed-off-by: John Edwards <uejji@uejji.net>
+Tested-by: John Edwards <uejji@uejji.net>
+Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Link: https://patchwork.freedesktop.org/patch/msgid/20250213222455.93533-2-uejji@uejji.net
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/drm_panel_orientation_quirks.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+index bf90a5be956fe..6bb8d4502ca8e 100644
+--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
++++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
+@@ -166,10 +166,10 @@ static const struct dmi_system_id orientation_data[] = {
+ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "T103HAF"),
+ },
+ .driver_data = (void *)&lcd800x1280_rightside_up,
+- }, { /* AYA NEO AYANEO 2 */
++ }, { /* AYA NEO AYANEO 2/2S */
+ .matches = {
+ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "AYANEO"),
+- DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "AYANEO 2"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "AYANEO 2"),
+ },
+ .driver_data = (void *)&lcd1200x1920_rightside_up,
+ }, { /* AYA NEO 2021 */
+--
+2.39.5
+
--- /dev/null
+From ba17d0825bdb2431a86389d590cf6d5ce321731b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jan 2025 13:57:50 +0530
+Subject: ext4: ignore xattrs past end
+
+From: Bhupesh <bhupesh@igalia.com>
+
+[ Upstream commit c8e008b60492cf6fd31ef127aea6d02fd3d314cd ]
+
+Once inside 'ext4_xattr_inode_dec_ref_all' we should
+ignore xattrs entries past the 'end' entry.
+
+This fixes the following KASAN reported issue:
+
+==================================================================
+BUG: KASAN: slab-use-after-free in ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
+Read of size 4 at addr ffff888012c120c4 by task repro/2065
+
+CPU: 1 UID: 0 PID: 2065 Comm: repro Not tainted 6.13.0-rc2+ #11
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x1fd/0x300
+ ? tcp_gro_dev_warn+0x260/0x260
+ ? _printk+0xc0/0x100
+ ? read_lock_is_recursive+0x10/0x10
+ ? irq_work_queue+0x72/0xf0
+ ? __virt_addr_valid+0x17b/0x4b0
+ print_address_description+0x78/0x390
+ print_report+0x107/0x1f0
+ ? __virt_addr_valid+0x17b/0x4b0
+ ? __virt_addr_valid+0x3ff/0x4b0
+ ? __phys_addr+0xb5/0x160
+ ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
+ kasan_report+0xcc/0x100
+ ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
+ ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
+ ? ext4_xattr_delete_inode+0xd30/0xd30
+ ? __ext4_journal_ensure_credits+0x5f0/0x5f0
+ ? __ext4_journal_ensure_credits+0x2b/0x5f0
+ ? inode_update_timestamps+0x410/0x410
+ ext4_xattr_delete_inode+0xb64/0xd30
+ ? ext4_truncate+0xb70/0xdc0
+ ? ext4_expand_extra_isize_ea+0x1d20/0x1d20
+ ? __ext4_mark_inode_dirty+0x670/0x670
+ ? ext4_journal_check_start+0x16f/0x240
+ ? ext4_inode_is_fast_symlink+0x2f2/0x3a0
+ ext4_evict_inode+0xc8c/0xff0
+ ? ext4_inode_is_fast_symlink+0x3a0/0x3a0
+ ? do_raw_spin_unlock+0x53/0x8a0
+ ? ext4_inode_is_fast_symlink+0x3a0/0x3a0
+ evict+0x4ac/0x950
+ ? proc_nr_inodes+0x310/0x310
+ ? trace_ext4_drop_inode+0xa2/0x220
+ ? _raw_spin_unlock+0x1a/0x30
+ ? iput+0x4cb/0x7e0
+ do_unlinkat+0x495/0x7c0
+ ? try_break_deleg+0x120/0x120
+ ? 0xffffffff81000000
+ ? __check_object_size+0x15a/0x210
+ ? strncpy_from_user+0x13e/0x250
+ ? getname_flags+0x1dc/0x530
+ __x64_sys_unlinkat+0xc8/0xf0
+ do_syscall_64+0x65/0x110
+ entry_SYSCALL_64_after_hwframe+0x67/0x6f
+RIP: 0033:0x434ffd
+Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 8
+RSP: 002b:00007ffc50fa7b28 EFLAGS: 00000246 ORIG_RAX: 0000000000000107
+RAX: ffffffffffffffda RBX: 00007ffc50fa7e18 RCX: 0000000000434ffd
+RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005
+RBP: 00007ffc50fa7be0 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
+R13: 00007ffc50fa7e08 R14: 00000000004bbf30 R15: 0000000000000001
+ </TASK>
+
+The buggy address belongs to the object at ffff888012c12000
+ which belongs to the cache filp of size 360
+The buggy address is located 196 bytes inside of
+ freed 360-byte region [ffff888012c12000, ffff888012c12168)
+
+The buggy address belongs to the physical page:
+page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12c12
+head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
+flags: 0x40(head|node=0|zone=0)
+page_type: f5(slab)
+raw: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004
+raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
+head: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004
+head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
+head: 0000000000000001 ffffea00004b0481 ffffffffffffffff 0000000000000000
+head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff888012c11f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ ffff888012c12000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+> ffff888012c12080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff888012c12100: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
+ ffff888012c12180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+==================================================================
+
+Reported-by: syzbot+b244bda78289b00204ed@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=b244bda78289b00204ed
+Suggested-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
+Signed-off-by: Bhupesh <bhupesh@igalia.com>
+Link: https://patch.msgid.link/20250128082751.124948-2-bhupesh@igalia.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/xattr.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
+index 19982a682b9c1..f32e720e9e202 100644
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -1152,15 +1152,24 @@ ext4_xattr_inode_dec_ref_all(handle_t *handle, struct inode *parent,
+ {
+ struct inode *ea_inode;
+ struct ext4_xattr_entry *entry;
++ struct ext4_iloc iloc;
+ bool dirty = false;
+ unsigned int ea_ino;
+ int err;
+ int credits;
++ void *end;
++
++ if (block_csum)
++ end = (void *)bh->b_data + bh->b_size;
++ else {
++ ext4_get_inode_loc(parent, &iloc);
++ end = (void *)ext4_raw_inode(&iloc) + EXT4_SB(parent->i_sb)->s_inode_size;
++ }
+
+ /* One credit for dec ref on ea_inode, one for orphan list addition, */
+ credits = 2 + extra_credits;
+
+- for (entry = first; !IS_LAST_ENTRY(entry);
++ for (entry = first; (void *)entry < end && !IS_LAST_ENTRY(entry);
+ entry = EXT4_XATTR_NEXT(entry)) {
+ if (!entry->e_value_inum)
+ continue;
+--
+2.39.5
+
--- /dev/null
+From 88dc5ae6a5af13cc08912f7d20d383e11f580060 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Nov 2024 18:08:55 +0530
+Subject: ext4: protect ext4_release_dquot against freezing
+
+From: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+
+[ Upstream commit 530fea29ef82e169cd7fe048c2b7baaeb85a0028 ]
+
+Protect ext4_release_dquot against freezing so that we
+don't try to start a transaction when FS is frozen, leading
+to warnings.
+
+Further, avoid taking the freeze protection if a transaction
+is already running so that we don't need end up in a deadlock
+as described in
+
+ 46e294efc355 ext4: fix deadlock with fs freezing and EA inodes
+
+Suggested-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
+Reviewed-by: Baokun Li <libaokun1@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://patch.msgid.link/20241121123855.645335-3-ojaswin@linux.ibm.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/ext4/super.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/fs/ext4/super.c b/fs/ext4/super.c
+index 6307adb16621a..0d4d50c8038fd 100644
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -5809,18 +5809,35 @@ static int ext4_release_dquot(struct dquot *dquot)
+ {
+ int ret, err;
+ handle_t *handle;
++ bool freeze_protected = false;
++
++ /*
++ * Trying to sb_start_intwrite() in a running transaction
++ * can result in a deadlock. Further, running transactions
++ * are already protected from freezing.
++ */
++ if (!ext4_journal_current_handle()) {
++ sb_start_intwrite(dquot->dq_sb);
++ freeze_protected = true;
++ }
+
+ handle = ext4_journal_start(dquot_to_inode(dquot), EXT4_HT_QUOTA,
+ EXT4_QUOTA_DEL_BLOCKS(dquot->dq_sb));
+ if (IS_ERR(handle)) {
+ /* Release dquot anyway to avoid endless cycle in dqput() */
+ dquot_release(dquot);
++ if (freeze_protected)
++ sb_end_intwrite(dquot->dq_sb);
+ return PTR_ERR(handle);
+ }
+ ret = dquot_release(dquot);
+ err = ext4_journal_stop(handle);
+ if (!ret)
+ ret = err;
++
++ if (freeze_protected)
++ sb_end_intwrite(dquot->dq_sb);
++
+ return ret;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 974531d2654e0be0a95cf59b937a303f661f886a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Mar 2025 21:19:52 +0000
+Subject: fbdev: omapfb: Add 'plane' value check
+
+From: Leonid Arapov <arapovl839@gmail.com>
+
+[ Upstream commit 3e411827f31db7f938a30a3c7a7599839401ec30 ]
+
+Function dispc_ovl_setup is not intended to work with the value OMAP_DSS_WB
+of the enum parameter plane.
+
+The value of this parameter is initialized in dss_init_overlays and in the
+current state of the code it cannot take this value so it's not a real
+problem.
+
+For the purposes of defensive coding it wouldn't be superfluous to check
+the parameter value, because some functions down the call stack process
+this value correctly and some not.
+
+For example, in dispc_ovl_setup_global_alpha it may lead to buffer
+overflow.
+
+Add check for this value.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE static
+analysis tool.
+
+Signed-off-by: Leonid Arapov <arapovl839@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/video/fbdev/omap2/omapfb/dss/dispc.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/omap2/omapfb/dss/dispc.c b/drivers/video/fbdev/omap2/omapfb/dss/dispc.c
+index 34e8171856e95..5570f2359d073 100644
+--- a/drivers/video/fbdev/omap2/omapfb/dss/dispc.c
++++ b/drivers/video/fbdev/omap2/omapfb/dss/dispc.c
+@@ -2787,9 +2787,13 @@ int dispc_ovl_setup(enum omap_plane plane, const struct omap_overlay_info *oi,
+ bool mem_to_mem)
+ {
+ int r;
+- enum omap_overlay_caps caps = dss_feat_get_overlay_caps(plane);
++ enum omap_overlay_caps caps;
+ enum omap_channel channel;
+
++ if (plane == OMAP_DSS_WB)
++ return -EINVAL;
++
++ caps = dss_feat_get_overlay_caps(plane);
+ channel = dispc_ovl_get_channel_out(plane);
+
+ DSSDBG("dispc_ovl_setup %d, pa %pad, pa_uv %pad, sw %d, %d,%d, %dx%d ->"
+--
+2.39.5
+
--- /dev/null
+From 9ecfb7071c79b5a8388983700658233d756b6147 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Feb 2025 12:43:49 +0300
+Subject: fs/jfs: cast inactags to s64 to prevent potential overflow
+
+From: Rand Deeb <rand.sec96@gmail.com>
+
+[ Upstream commit 70ca3246ad201b53a9f09380b3f29d8bac320383 ]
+
+The expression "inactags << bmp->db_agl2size" in the function
+dbFinalizeBmap() is computed using int operands. Although the
+values (inactags and db_agl2size) are derived from filesystem
+parameters and are usually small, there is a theoretical risk that
+the shift could overflow a 32-bit int if extreme values occur.
+
+According to the C standard, shifting a signed 32-bit int can lead
+to undefined behavior if the result exceeds its range. In our
+case, an overflow could miscalculate free blocks, potentially
+leading to erroneous filesystem accounting.
+
+To ensure the arithmetic is performed in 64-bit space, we cast
+"inactags" to s64 before shifting. This defensive fix prevents any
+risk of overflow and complies with kernel coding best practices.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Signed-off-by: Rand Deeb <rand.sec96@gmail.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_dmap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
+index 812945c8e3840..3bc304d4886e6 100644
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -3728,8 +3728,8 @@ void dbFinalizeBmap(struct inode *ipbmap)
+ * system size is not a multiple of the group size).
+ */
+ inactfree = (inactags && ag_rem) ?
+- ((inactags - 1) << bmp->db_agl2size) + ag_rem
+- : inactags << bmp->db_agl2size;
++ (((s64)inactags - 1) << bmp->db_agl2size) + ag_rem
++ : ((s64)inactags << bmp->db_agl2size);
+
+ /* determine how many free blocks are in the active
+ * allocation groups plus the average number of free blocks
+--
+2.39.5
+
--- /dev/null
+From 58ee5bf6a1e74faeb9f7ccba2cf14a267332f74e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Feb 2025 12:52:31 +0300
+Subject: fs/jfs: Prevent integer overflow in AG size calculation
+
+From: Rand Deeb <rand.sec96@gmail.com>
+
+[ Upstream commit 7fcbf789629cdb9fbf4e2172ce31136cfed11e5e ]
+
+The JFS filesystem calculates allocation group (AG) size using 1 <<
+l2agsize in dbExtendFS(). When l2agsize exceeds 31 (possible with >2TB
+aggregates on 32-bit systems), this 32-bit shift operation causes undefined
+behavior and improper AG sizing.
+
+On 32-bit architectures:
+- Left-shifting 1 by 32+ bits results in 0 due to integer overflow
+- This creates invalid AG sizes (0 or garbage values) in
+sbi->bmap->db_agsize
+- Subsequent block allocations would reference invalid AG structures
+- Could lead to:
+ - Filesystem corruption during extend operations
+ - Kernel crashes due to invalid memory accesses
+ - Security vulnerabilities via malformed on-disk structures
+
+Fix by casting to s64 before shifting:
+bmp->db_agsize = (s64)1 << l2agsize;
+
+This ensures 64-bit arithmetic even on 32-bit architectures. The cast
+matches the data type of db_agsize (s64) and follows similar patterns in
+JFS block calculation code.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Signed-off-by: Rand Deeb <rand.sec96@gmail.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_dmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
+index 3bc304d4886e6..d4e26744b2005 100644
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -3465,7 +3465,7 @@ int dbExtendFS(struct inode *ipbmap, s64 blkno, s64 nblocks)
+ oldl2agsize = bmp->db_agl2size;
+
+ bmp->db_agl2size = l2agsize;
+- bmp->db_agsize = 1 << l2agsize;
++ bmp->db_agsize = (s64)1 << l2agsize;
+
+ /* compute new number of AG */
+ agno = bmp->db_numag;
+--
+2.39.5
+
--- /dev/null
+From 068ce8efa11d4de60585c859a7d39cb0167a4a69 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 Feb 2025 12:38:45 +0100
+Subject: HID: pidff: Convert infinite length from Linux API to PID standard
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
+
+[ Upstream commit 37e0591fe44dce39d1ebc7a82d5b6e4dba1582eb ]
+
+Software uses 0 as de-facto infinite lenght on Linux FF apis (SDL),
+Linux doesn't actually define anythi as of now, while USB PID defines
+NULL (0xffff). Most PID devices do not expect a 0-length effect and
+can't interpret it as infinite. This change fixes Force Feedback for
+most PID compliant devices.
+
+As most games depend on updating the values of already playing infinite
+effects, this is crucial to ensure they will actually work.
+
+Previously, users had to rely on third-party software to do this conversion
+and make their PID devices usable.
+
+Co-developed-by: Makarenko Oleg <oleg@makarenk.ooo>
+Signed-off-by: Makarenko Oleg <oleg@makarenk.ooo>
+Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
+Reviewed-by: Michał Kopeć <michal@nozomi.space>
+Reviewed-by: Paul Dino Jones <paul@spacefreak18.xyz>
+Tested-by: Paul Dino Jones <paul@spacefreak18.xyz>
+Tested-by: Cristóferson Bueno <cbueno81@gmail.com>
+Tested-by: Pablo Cisneros <patchkez@protonmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/usbhid/hid-pidff.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
+index 07a9fe97d2e05..badcb5f28607e 100644
+--- a/drivers/hid/usbhid/hid-pidff.c
++++ b/drivers/hid/usbhid/hid-pidff.c
+@@ -21,6 +21,7 @@
+ #include "usbhid.h"
+
+ #define PID_EFFECTS_MAX 64
++#define PID_INFINITE 0xffff
+
+ /* Report usage table used to put reports into an array */
+
+@@ -301,7 +302,12 @@ static void pidff_set_effect_report(struct pidff_device *pidff,
+ pidff->block_load[PID_EFFECT_BLOCK_INDEX].value[0];
+ pidff->set_effect_type->value[0] =
+ pidff->create_new_effect_type->value[0];
+- pidff->set_effect[PID_DURATION].value[0] = effect->replay.length;
++
++ /* Convert infinite length from Linux API (0)
++ to PID standard (NULL) if needed */
++ pidff->set_effect[PID_DURATION].value[0] =
++ effect->replay.length == 0 ? PID_INFINITE : effect->replay.length;
++
+ pidff->set_effect[PID_TRIGGER_BUTTON].value[0] = effect->trigger.button;
+ pidff->set_effect[PID_TRIGGER_REPEAT_INT].value[0] =
+ effect->trigger.interval;
+--
+2.39.5
+
--- /dev/null
+From 01daed437f068a1eca17b09927df3e64af84c028 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 Feb 2025 12:38:46 +0100
+Subject: HID: pidff: Do not send effect envelope if it's empty
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
+
+[ Upstream commit 8876fc1884f5b39550c8387ff3176396c988541d ]
+
+Envelope struct is always initialized, but the envelope itself is
+optional as described in USB PID Device class definition 1.0.
+
+5.1.1.1 Type Specific Block Offsets
+...
+4) Effects that do not use Condition Blocks use 1 Parameter Block and
+an *optional* Envelope Block.
+
+Sending out "empty" envelope breaks force feedback on some devices with
+games that use SINE effect + offset to emulate constant force effect, as
+well as generally breaking Constant/Periodic effects. One of the affected
+brands is Moza Racing.
+
+This change prevents the envelope from being sent if it contains all
+0 values while keeping the old behavior of only sending it, if it differs
+from the old one.
+
+Changes in v6:
+- Simplify the checks to make them clearer
+- Fix possible null pointer dereference while calling
+ pidff_needs_set_envelope
+
+Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
+Reviewed-by: Michał Kopeć <michal@nozomi.space>
+Reviewed-by: Paul Dino Jones <paul@spacefreak18.xyz>
+Tested-by: Paul Dino Jones <paul@spacefreak18.xyz>
+Tested-by: Cristóferson Bueno <cbueno81@gmail.com>
+Tested-by: Pablo Cisneros <patchkez@protonmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/usbhid/hid-pidff.c | 42 +++++++++++++++++++---------------
+ 1 file changed, 24 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
+index badcb5f28607e..ba0d7cb15377e 100644
+--- a/drivers/hid/usbhid/hid-pidff.c
++++ b/drivers/hid/usbhid/hid-pidff.c
+@@ -262,10 +262,22 @@ static void pidff_set_envelope_report(struct pidff_device *pidff,
+ static int pidff_needs_set_envelope(struct ff_envelope *envelope,
+ struct ff_envelope *old)
+ {
+- return envelope->attack_level != old->attack_level ||
+- envelope->fade_level != old->fade_level ||
++ bool needs_new_envelope;
++ needs_new_envelope = envelope->attack_level != 0 ||
++ envelope->fade_level != 0 ||
++ envelope->attack_length != 0 ||
++ envelope->fade_length != 0;
++
++ if (!needs_new_envelope)
++ return false;
++
++ if (!old)
++ return needs_new_envelope;
++
++ return envelope->attack_level != old->attack_level ||
++ envelope->fade_level != old->fade_level ||
+ envelope->attack_length != old->attack_length ||
+- envelope->fade_length != old->fade_length;
++ envelope->fade_length != old->fade_length;
+ }
+
+ /*
+@@ -580,11 +592,9 @@ static int pidff_upload_effect(struct input_dev *dev, struct ff_effect *effect,
+ pidff_set_effect_report(pidff, effect);
+ if (!old || pidff_needs_set_constant(effect, old))
+ pidff_set_constant_force_report(pidff, effect);
+- if (!old ||
+- pidff_needs_set_envelope(&effect->u.constant.envelope,
+- &old->u.constant.envelope))
+- pidff_set_envelope_report(pidff,
+- &effect->u.constant.envelope);
++ if (pidff_needs_set_envelope(&effect->u.constant.envelope,
++ old ? &old->u.constant.envelope : NULL))
++ pidff_set_envelope_report(pidff, &effect->u.constant.envelope);
+ break;
+
+ case FF_PERIODIC:
+@@ -619,11 +629,9 @@ static int pidff_upload_effect(struct input_dev *dev, struct ff_effect *effect,
+ pidff_set_effect_report(pidff, effect);
+ if (!old || pidff_needs_set_periodic(effect, old))
+ pidff_set_periodic_report(pidff, effect);
+- if (!old ||
+- pidff_needs_set_envelope(&effect->u.periodic.envelope,
+- &old->u.periodic.envelope))
+- pidff_set_envelope_report(pidff,
+- &effect->u.periodic.envelope);
++ if (pidff_needs_set_envelope(&effect->u.periodic.envelope,
++ old ? &old->u.periodic.envelope : NULL))
++ pidff_set_envelope_report(pidff, &effect->u.periodic.envelope);
+ break;
+
+ case FF_RAMP:
+@@ -637,11 +645,9 @@ static int pidff_upload_effect(struct input_dev *dev, struct ff_effect *effect,
+ pidff_set_effect_report(pidff, effect);
+ if (!old || pidff_needs_set_ramp(effect, old))
+ pidff_set_ramp_force_report(pidff, effect);
+- if (!old ||
+- pidff_needs_set_envelope(&effect->u.ramp.envelope,
+- &old->u.ramp.envelope))
+- pidff_set_envelope_report(pidff,
+- &effect->u.ramp.envelope);
++ if (pidff_needs_set_envelope(&effect->u.ramp.envelope,
++ old ? &old->u.ramp.envelope : NULL))
++ pidff_set_envelope_report(pidff, &effect->u.ramp.envelope);
+ break;
+
+ case FF_SPRING:
+--
+2.39.5
+
--- /dev/null
+From 12cc091013b24ebd6b6bfa4213e562e6aacadc62 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 1 Feb 2025 12:39:02 +0100
+Subject: HID: pidff: Fix null pointer dereference in pidff_find_fields
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tomasz Pakuła <forest10pl@gmail.com>
+
+[ Upstream commit 22a05462c3d0eee15154faf8d13c49e6295270a5 ]
+
+This function triggered a null pointer dereference if used to search for
+a report that isn't implemented on the device. This happened both for
+optional and required reports alike.
+
+The same logic was applied to pidff_find_special_field and although
+pidff_init_fields should return an error earlier if one of the required
+reports is missing, future modifications could change this logic and
+resurface this possible null pointer dereference again.
+
+LKML bug report:
+https://lore.kernel.org/all/CAL-gK7f5=R0nrrQdPtaZZr1fd-cdAMbDMuZ_NLA8vM0SX+nGSw@mail.gmail.com
+
+Reported-by: Nolan Nicholson <nolananicholson@gmail.com>
+Signed-off-by: Tomasz Pakuła <tomasz.pakula.oficjalny@gmail.com>
+Reviewed-by: Michał Kopeć <michal@nozomi.space>
+Reviewed-by: Paul Dino Jones <paul@spacefreak18.xyz>
+Tested-by: Paul Dino Jones <paul@spacefreak18.xyz>
+Tested-by: Cristóferson Bueno <cbueno81@gmail.com>
+Tested-by: Pablo Cisneros <patchkez@protonmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hid/usbhid/hid-pidff.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
+index ba0d7cb15377e..7801294fe086d 100644
+--- a/drivers/hid/usbhid/hid-pidff.c
++++ b/drivers/hid/usbhid/hid-pidff.c
+@@ -770,6 +770,11 @@ static void pidff_set_autocenter(struct input_dev *dev, u16 magnitude)
+ static int pidff_find_fields(struct pidff_usage *usage, const u8 *table,
+ struct hid_report *report, int count, int strict)
+ {
++ if (!report) {
++ pr_debug("pidff_find_fields, null report\n");
++ return -1;
++ }
++
+ int i, j, k, found;
+
+ for (k = 0; k < count; k++) {
+@@ -883,6 +888,11 @@ static int pidff_reports_ok(struct pidff_device *pidff)
+ static struct hid_field *pidff_find_special_field(struct hid_report *report,
+ int usage, int enforce_min)
+ {
++ if (!report) {
++ pr_debug("pidff_find_special_field, null report\n");
++ return NULL;
++ }
++
+ int i;
+
+ for (i = 0; i < report->maxfield; i++) {
+--
+2.39.5
+
--- /dev/null
+From 7f3cf711d9c6df89cfc9996633323a1f5306503a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Feb 2025 19:24:19 +0800
+Subject: jfs: add sanity check for agwidth in dbMount
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+[ Upstream commit ddf2846f22e8575d6b4b6a66f2100f168b8cd73d ]
+
+The width in dmapctl of the AG is zero, it trigger a divide error when
+calculating the control page level in dbAllocAG.
+
+To avoid this issue, add a check for agwidth in dbAllocAG.
+
+Reported-and-tested-by: syzbot+7c808908291a569281a9@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=7c808908291a569281a9
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_dmap.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
+index d4e26744b2005..d161bbafe77f6 100644
+--- a/fs/jfs/jfs_dmap.c
++++ b/fs/jfs/jfs_dmap.c
+@@ -204,6 +204,10 @@ int dbMount(struct inode *ipbmap)
+ bmp->db_aglevel = le32_to_cpu(dbmp_le->dn_aglevel);
+ bmp->db_agheight = le32_to_cpu(dbmp_le->dn_agheight);
+ bmp->db_agwidth = le32_to_cpu(dbmp_le->dn_agwidth);
++ if (!bmp->db_agwidth) {
++ err = -EINVAL;
++ goto err_release_metapage;
++ }
+ bmp->db_agstart = le32_to_cpu(dbmp_le->dn_agstart);
+ bmp->db_agl2size = le32_to_cpu(dbmp_le->dn_agl2size);
+ if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG ||
+--
+2.39.5
+
--- /dev/null
+From f010e822bbc24d294a07c263aa787140eaa41134 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Feb 2025 19:13:21 +0800
+Subject: jfs: Prevent copying of nlink with value 0 from disk inode
+
+From: Edward Adam Davis <eadavis@qq.com>
+
+[ Upstream commit b61e69bb1c049cf507e3c654fa3dc1568231bd07 ]
+
+syzbot report a deadlock in diFree. [1]
+
+When calling "ioctl$LOOP_SET_STATUS64", the offset value passed in is 4,
+which does not match the mounted loop device, causing the mapping of the
+mounted loop device to be invalidated.
+
+When creating the directory and creating the inode of iag in diReadSpecial(),
+read the page of fixed disk inode (AIT) in raw mode in read_metapage(), the
+metapage data it returns is corrupted, which causes the nlink value of 0 to be
+assigned to the iag inode when executing copy_from_dinode(), which ultimately
+causes a deadlock when entering diFree().
+
+To avoid this, first check the nlink value of dinode before setting iag inode.
+
+[1]
+WARNING: possible recursive locking detected
+6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0 Not tainted
+--------------------------------------------
+syz-executor301/5309 is trying to acquire lock:
+ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889
+
+but task is already holding lock:
+ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630
+
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+
+ CPU0
+ ----
+ lock(&(imap->im_aglock[index]));
+ lock(&(imap->im_aglock[index]));
+
+ *** DEADLOCK ***
+
+ May be due to missing lock nesting notation
+
+5 locks held by syz-executor301/5309:
+ #0: ffff8880422a4420 (sb_writers#9){.+.+}-{0:0}, at: mnt_want_write+0x3f/0x90 fs/namespace.c:515
+ #1: ffff88804755b390 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: inode_lock_nested include/linux/fs.h:850 [inline]
+ #1: ffff88804755b390 (&type->i_mutex_dir_key#6/1){+.+.}-{3:3}, at: filename_create+0x260/0x540 fs/namei.c:4026
+ #2: ffff888044548920 (&(imap->im_aglock[index])){+.+.}-{3:3}, at: diAlloc+0x1b6/0x1630
+ #3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2460 [inline]
+ #3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
+ #3: ffff888044548890 (&imap->im_freelock){+.+.}-{3:3}, at: diAllocAG+0x4b7/0x1e50 fs/jfs/jfs_imap.c:1669
+ #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diNewIAG fs/jfs/jfs_imap.c:2477 [inline]
+ #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
+ #4: ffff88804755a618 (&jfs_ip->rdwrlock/1){++++}-{3:3}, at: diAllocAG+0x869/0x1e50 fs/jfs/jfs_imap.c:1669
+
+stack backtrace:
+CPU: 0 UID: 0 PID: 5309 Comm: syz-executor301 Not tainted 6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
+Call Trace:
+ <TASK>
+ __dump_stack lib/dump_stack.c:94 [inline]
+ dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
+ print_deadlock_bug+0x483/0x620 kernel/locking/lockdep.c:3037
+ check_deadlock kernel/locking/lockdep.c:3089 [inline]
+ validate_chain+0x15e2/0x5920 kernel/locking/lockdep.c:3891
+ __lock_acquire+0x1384/0x2050 kernel/locking/lockdep.c:5202
+ lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825
+ __mutex_lock_common kernel/locking/mutex.c:608 [inline]
+ __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
+ diFree+0x37c/0x2fb0 fs/jfs/jfs_imap.c:889
+ jfs_evict_inode+0x32d/0x440 fs/jfs/inode.c:156
+ evict+0x4e8/0x9b0 fs/inode.c:725
+ diFreeSpecial fs/jfs/jfs_imap.c:552 [inline]
+ duplicateIXtree+0x3c6/0x550 fs/jfs/jfs_imap.c:3022
+ diNewIAG fs/jfs/jfs_imap.c:2597 [inline]
+ diAllocExt fs/jfs/jfs_imap.c:1905 [inline]
+ diAllocAG+0x17dc/0x1e50 fs/jfs/jfs_imap.c:1669
+ diAlloc+0x1d2/0x1630 fs/jfs/jfs_imap.c:1590
+ ialloc+0x8f/0x900 fs/jfs/jfs_inode.c:56
+ jfs_mkdir+0x1c5/0xba0 fs/jfs/namei.c:225
+ vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257
+ do_mkdirat+0x264/0x3a0 fs/namei.c:4280
+ __do_sys_mkdirat fs/namei.c:4295 [inline]
+ __se_sys_mkdirat fs/namei.c:4293 [inline]
+ __x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4293
+ do_syscall_x64 arch/x86/entry/common.c:52 [inline]
+ do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+
+Reported-by: syzbot+355da3b3a74881008e8f@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=355da3b3a74881008e8f
+Signed-off-by: Edward Adam Davis <eadavis@qq.com>
+Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jfs/jfs_imap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
+index da3a1c27d3498..84e2c67c9070f 100644
+--- a/fs/jfs/jfs_imap.c
++++ b/fs/jfs/jfs_imap.c
+@@ -458,7 +458,7 @@ struct inode *diReadSpecial(struct super_block *sb, ino_t inum, int secondary)
+ dp += inum % 8; /* 8 inodes per 4K page */
+
+ /* copy on-disk inode to in-memory inode */
+- if ((copy_from_dinode(dp, ip)) != 0) {
++ if ((copy_from_dinode(dp, ip) != 0) || (ip->i_nlink == 0)) {
+ /* handle bad return by returning NULL for ip */
+ set_nlink(ip, 1); /* Don't want iput() deleting it */
+ iput(ip);
+--
+2.39.5
+
--- /dev/null
+From 13db0e6d0cab5b2f46777f5184ed781028927199 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 13 Mar 2025 03:06:57 -0700
+Subject: net: vlan: don't propagate flags on open
+
+From: Stanislav Fomichev <sdf@fomichev.me>
+
+[ Upstream commit 27b918007d96402aba10ed52a6af8015230f1793 ]
+
+With the device instance lock, there is now a possibility of a deadlock:
+
+[ 1.211455] ============================================
+[ 1.211571] WARNING: possible recursive locking detected
+[ 1.211687] 6.14.0-rc5-01215-g032756b4ca7a-dirty #5 Not tainted
+[ 1.211823] --------------------------------------------
+[ 1.211936] ip/184 is trying to acquire lock:
+[ 1.212032] ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_set_allmulti+0x4e/0xb0
+[ 1.212207]
+[ 1.212207] but task is already holding lock:
+[ 1.212332] ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_open+0x50/0xb0
+[ 1.212487]
+[ 1.212487] other info that might help us debug this:
+[ 1.212626] Possible unsafe locking scenario:
+[ 1.212626]
+[ 1.212751] CPU0
+[ 1.212815] ----
+[ 1.212871] lock(&dev->lock);
+[ 1.212944] lock(&dev->lock);
+[ 1.213016]
+[ 1.213016] *** DEADLOCK ***
+[ 1.213016]
+[ 1.213143] May be due to missing lock nesting notation
+[ 1.213143]
+[ 1.213294] 3 locks held by ip/184:
+[ 1.213371] #0: ffffffff838b53e0 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock+0x1b/0xa0
+[ 1.213543] #1: ffffffff84e5fc70 (&net->rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock+0x37/0xa0
+[ 1.213727] #2: ffff8881024a4c30 (&dev->lock){+.+.}-{4:4}, at: dev_open+0x50/0xb0
+[ 1.213895]
+[ 1.213895] stack backtrace:
+[ 1.213991] CPU: 0 UID: 0 PID: 184 Comm: ip Not tainted 6.14.0-rc5-01215-g032756b4ca7a-dirty #5
+[ 1.213993] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014
+[ 1.213994] Call Trace:
+[ 1.213995] <TASK>
+[ 1.213996] dump_stack_lvl+0x8e/0xd0
+[ 1.214000] print_deadlock_bug+0x28b/0x2a0
+[ 1.214020] lock_acquire+0xea/0x2a0
+[ 1.214027] __mutex_lock+0xbf/0xd40
+[ 1.214038] dev_set_allmulti+0x4e/0xb0 # real_dev->flags & IFF_ALLMULTI
+[ 1.214040] vlan_dev_open+0xa5/0x170 # ndo_open on vlandev
+[ 1.214042] __dev_open+0x145/0x270
+[ 1.214046] __dev_change_flags+0xb0/0x1e0
+[ 1.214051] netif_change_flags+0x22/0x60 # IFF_UP vlandev
+[ 1.214053] dev_change_flags+0x61/0xb0 # for each device in group from dev->vlan_info
+[ 1.214055] vlan_device_event+0x766/0x7c0 # on netdevsim0
+[ 1.214058] notifier_call_chain+0x78/0x120
+[ 1.214062] netif_open+0x6d/0x90
+[ 1.214064] dev_open+0x5b/0xb0 # locks netdevsim0
+[ 1.214066] bond_enslave+0x64c/0x1230
+[ 1.214075] do_set_master+0x175/0x1e0 # on netdevsim0
+[ 1.214077] do_setlink+0x516/0x13b0
+[ 1.214094] rtnl_newlink+0xaba/0xb80
+[ 1.214132] rtnetlink_rcv_msg+0x440/0x490
+[ 1.214144] netlink_rcv_skb+0xeb/0x120
+[ 1.214150] netlink_unicast+0x1f9/0x320
+[ 1.214153] netlink_sendmsg+0x346/0x3f0
+[ 1.214157] __sock_sendmsg+0x86/0xb0
+[ 1.214160] ____sys_sendmsg+0x1c8/0x220
+[ 1.214164] ___sys_sendmsg+0x28f/0x2d0
+[ 1.214179] __x64_sys_sendmsg+0xef/0x140
+[ 1.214184] do_syscall_64+0xec/0x1d0
+[ 1.214190] entry_SYSCALL_64_after_hwframe+0x77/0x7f
+[ 1.214191] RIP: 0033:0x7f2d1b4a7e56
+
+Device setup:
+
+ netdevsim0 (down)
+ ^ ^
+ bond netdevsim1.100@netdevsim1 allmulticast=on (down)
+
+When we enslave the lower device (netdevsim0) which has a vlan, we
+propagate vlan's allmuti/promisc flags during ndo_open. This causes
+(re)locking on of the real_dev.
+
+Propagate allmulti/promisc on flags change, not on the open. There
+is a slight semantics change that vlans that are down now propagate
+the flags, but this seems unlikely to result in the real issues.
+
+Reproducer:
+
+ echo 0 1 > /sys/bus/netdevsim/new_device
+
+ dev_path=$(ls -d /sys/bus/netdevsim/devices/netdevsim0/net/*)
+ dev=$(echo $dev_path | rev | cut -d/ -f1 | rev)
+
+ ip link set dev $dev name netdevsim0
+ ip link set dev netdevsim0 up
+
+ ip link add link netdevsim0 name netdevsim0.100 type vlan id 100
+ ip link set dev netdevsim0.100 allmulticast on down
+ ip link add name bond1 type bond mode 802.3ad
+ ip link set dev netdevsim0 down
+ ip link set dev netdevsim0 master bond1
+ ip link set dev bond1 up
+ ip link show
+
+Reported-by: syzbot+b0c03d76056ef6cd12a6@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/netdev/Z9CfXjLMKn6VLG5d@mini-arch/T/#m15ba130f53227c883e79fb969687d69d670337a0
+Signed-off-by: Stanislav Fomichev <sdf@fomichev.me>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Link: https://patch.msgid.link/20250313100657.2287455-1-sdf@fomichev.me
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/8021q/vlan_dev.c | 31 ++++---------------------------
+ 1 file changed, 4 insertions(+), 27 deletions(-)
+
+diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
+index b5384e5fb781d..67bedd3a5128d 100644
+--- a/net/8021q/vlan_dev.c
++++ b/net/8021q/vlan_dev.c
+@@ -273,17 +273,6 @@ static int vlan_dev_open(struct net_device *dev)
+ goto out;
+ }
+
+- if (dev->flags & IFF_ALLMULTI) {
+- err = dev_set_allmulti(real_dev, 1);
+- if (err < 0)
+- goto del_unicast;
+- }
+- if (dev->flags & IFF_PROMISC) {
+- err = dev_set_promiscuity(real_dev, 1);
+- if (err < 0)
+- goto clear_allmulti;
+- }
+-
+ ether_addr_copy(vlan->real_dev_addr, real_dev->dev_addr);
+
+ if (vlan->flags & VLAN_FLAG_GVRP)
+@@ -297,12 +286,6 @@ static int vlan_dev_open(struct net_device *dev)
+ netif_carrier_on(dev);
+ return 0;
+
+-clear_allmulti:
+- if (dev->flags & IFF_ALLMULTI)
+- dev_set_allmulti(real_dev, -1);
+-del_unicast:
+- if (!ether_addr_equal(dev->dev_addr, real_dev->dev_addr))
+- dev_uc_del(real_dev, dev->dev_addr);
+ out:
+ netif_carrier_off(dev);
+ return err;
+@@ -315,10 +298,6 @@ static int vlan_dev_stop(struct net_device *dev)
+
+ dev_mc_unsync(real_dev, dev);
+ dev_uc_unsync(real_dev, dev);
+- if (dev->flags & IFF_ALLMULTI)
+- dev_set_allmulti(real_dev, -1);
+- if (dev->flags & IFF_PROMISC)
+- dev_set_promiscuity(real_dev, -1);
+
+ if (!ether_addr_equal(dev->dev_addr, real_dev->dev_addr))
+ dev_uc_del(real_dev, dev->dev_addr);
+@@ -475,12 +454,10 @@ static void vlan_dev_change_rx_flags(struct net_device *dev, int change)
+ {
+ struct net_device *real_dev = vlan_dev_priv(dev)->real_dev;
+
+- if (dev->flags & IFF_UP) {
+- if (change & IFF_ALLMULTI)
+- dev_set_allmulti(real_dev, dev->flags & IFF_ALLMULTI ? 1 : -1);
+- if (change & IFF_PROMISC)
+- dev_set_promiscuity(real_dev, dev->flags & IFF_PROMISC ? 1 : -1);
+- }
++ if (change & IFF_ALLMULTI)
++ dev_set_allmulti(real_dev, dev->flags & IFF_ALLMULTI ? 1 : -1);
++ if (change & IFF_PROMISC)
++ dev_set_promiscuity(real_dev, dev->flags & IFF_PROMISC ? 1 : -1);
+ }
+
+ static void vlan_dev_set_rx_mode(struct net_device *vlan_dev)
+--
+2.39.5
+
--- /dev/null
+From 2068ea93b7d337dec1c6ceaceb028d5e7c3be872 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 14 Feb 2025 14:42:50 +0800
+Subject: page_pool: avoid infinite loop to schedule delayed worker
+
+From: Jason Xing <kerneljasonxing@gmail.com>
+
+[ Upstream commit 43130d02baa137033c25297aaae95fd0edc41654 ]
+
+We noticed the kworker in page_pool_release_retry() was waken
+up repeatedly and infinitely in production because of the
+buggy driver causing the inflight less than 0 and warning
+us in page_pool_inflight()[1].
+
+Since the inflight value goes negative, it means we should
+not expect the whole page_pool to get back to work normally.
+
+This patch mitigates the adverse effect by not rescheduling
+the kworker when detecting the inflight negative in
+page_pool_release_retry().
+
+[1]
+[Mon Feb 10 20:36:11 2025] ------------[ cut here ]------------
+[Mon Feb 10 20:36:11 2025] Negative(-51446) inflight packet-pages
+...
+[Mon Feb 10 20:36:11 2025] Call Trace:
+[Mon Feb 10 20:36:11 2025] page_pool_release_retry+0x23/0x70
+[Mon Feb 10 20:36:11 2025] process_one_work+0x1b1/0x370
+[Mon Feb 10 20:36:11 2025] worker_thread+0x37/0x3a0
+[Mon Feb 10 20:36:11 2025] kthread+0x11a/0x140
+[Mon Feb 10 20:36:11 2025] ? process_one_work+0x370/0x370
+[Mon Feb 10 20:36:11 2025] ? __kthread_cancel_work+0x40/0x40
+[Mon Feb 10 20:36:11 2025] ret_from_fork+0x35/0x40
+[Mon Feb 10 20:36:11 2025] ---[ end trace ebffe800f33e7e34 ]---
+Note: before this patch, the above calltrace would flood the
+dmesg due to repeated reschedule of release_dw kworker.
+
+Signed-off-by: Jason Xing <kerneljasonxing@gmail.com>
+Reviewed-by: Mina Almasry <almasrymina@google.com>
+Link: https://patch.msgid.link/20250214064250.85987-1-kerneljasonxing@gmail.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/core/page_pool.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/net/core/page_pool.c b/net/core/page_pool.c
+index 335f68eaaa05c..dbe0489e46035 100644
+--- a/net/core/page_pool.c
++++ b/net/core/page_pool.c
+@@ -387,7 +387,13 @@ static void page_pool_release_retry(struct work_struct *wq)
+ int inflight;
+
+ inflight = page_pool_release(pool);
+- if (!inflight)
++ /* In rare cases, a driver bug may cause inflight to go negative.
++ * Don't reschedule release if inflight is 0 or negative.
++ * - If 0, the page_pool has been destroyed
++ * - if negative, we will never recover
++ * in both cases no reschedule is necessary.
++ */
++ if (inflight <= 0)
+ return;
+
+ /* Periodic warning */
+--
+2.39.5
+
--- /dev/null
+From 91ed5c72f85caf045346aa5152797e743e7ac9c3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Feb 2025 14:39:57 -0600
+Subject: perf: arm_pmu: Don't disable counter in armpmu_add()
+
+From: Mark Rutland <mark.rutland@arm.com>
+
+[ Upstream commit dcca27bc1eccb9abc2552aab950b18a9742fb8e7 ]
+
+Currently armpmu_add() tries to handle a newly-allocated counter having
+a stale associated event, but this should not be possible, and if this
+were to happen the current mitigation is insufficient and potentially
+expensive. It would be better to warn if we encounter the impossible
+case.
+
+Calls to pmu::add() and pmu::del() are serialized by the core perf code,
+and armpmu_del() clears the relevant slot in pmu_hw_events::events[]
+before clearing the bit in pmu_hw_events::used_mask such that the
+counter can be reallocated. Thus when armpmu_add() allocates a counter
+index from pmu_hw_events::used_mask, it should not be possible to observe
+a stale even in pmu_hw_events::events[] unless either
+pmu_hw_events::used_mask or pmu_hw_events::events[] have been corrupted.
+
+If this were to happen, we'd end up with two events with the same
+event->hw.idx, which would clash with each other during reprogramming,
+deletion, etc, and produce bogus results. Add a WARN_ON_ONCE() for this
+case so that we can detect if this ever occurs in practice.
+
+That possiblity aside, there's no need to call arm_pmu::disable(event)
+for the new event. The PMU reset code initialises the counter in a
+disabled state, and armpmu_del() will disable the counter before it can
+be reused. Remove the redundant disable.
+
+Signed-off-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Tested-by: James Clark <james.clark@linaro.org>
+Link: https://lore.kernel.org/r/20250218-arm-brbe-v19-v20-2-4e9922fc2e8e@kernel.org
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/perf/arm_pmu.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/perf/arm_pmu.c b/drivers/perf/arm_pmu.c
+index b377872a8f9d6..558ee5401ea89 100644
+--- a/drivers/perf/arm_pmu.c
++++ b/drivers/perf/arm_pmu.c
+@@ -262,12 +262,10 @@ armpmu_add(struct perf_event *event, int flags)
+ if (idx < 0)
+ return idx;
+
+- /*
+- * If there is an event in the counter we are going to use then make
+- * sure it is disabled.
+- */
++ /* The newly-allocated counter should be empty */
++ WARN_ON_ONCE(hw_events->events[idx]);
++
+ event->hw.idx = idx;
+- armpmu->disable(event);
+ hw_events->events[idx] = event;
+
+ hwc->state = PERF_HES_STOPPED | PERF_HES_UPTODATE;
+--
+2.39.5
+
--- /dev/null
+From 89933cbeae4cc4b95b3a85252cafce559188ae93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 19 Feb 2025 20:27:15 +0800
+Subject: pm: cpupower: bench: Prevent NULL dereference on malloc failure
+
+From: Zhongqiu Han <quic_zhonhan@quicinc.com>
+
+[ Upstream commit 208baa3ec9043a664d9acfb8174b332e6b17fb69 ]
+
+If malloc returns NULL due to low memory, 'config' pointer can be NULL.
+Add a check to prevent NULL dereference.
+
+Link: https://lore.kernel.org/r/20250219122715.3892223-1-quic_zhonhan@quicinc.com
+Signed-off-by: Zhongqiu Han <quic_zhonhan@quicinc.com>
+Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/power/cpupower/bench/parse.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/tools/power/cpupower/bench/parse.c b/tools/power/cpupower/bench/parse.c
+index e63dc11fa3a53..48e25be6e1635 100644
+--- a/tools/power/cpupower/bench/parse.c
++++ b/tools/power/cpupower/bench/parse.c
+@@ -120,6 +120,10 @@ FILE *prepare_output(const char *dirname)
+ struct config *prepare_default_config()
+ {
+ struct config *config = malloc(sizeof(struct config));
++ if (!config) {
++ perror("malloc");
++ return NULL;
++ }
+
+ dprintf("loading defaults\n");
+
+--
+2.39.5
+
--- /dev/null
+From 022023eb1e58f16e71d06377b8b10765577034e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Mar 2025 13:25:14 +0200
+Subject: scsi: st: Fix array overflow in st_setup()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kai Mäkisara <Kai.Makisara@kolumbus.fi>
+
+[ Upstream commit a018d1cf990d0c339fe0e29b762ea5dc10567d67 ]
+
+Change the array size to follow parms size instead of a fixed value.
+
+Reported-by: Chenyuan Yang <chenyuan0y@gmail.com>
+Closes: https://lore.kernel.org/linux-scsi/CALGdzuoubbra4xKOJcsyThdk5Y1BrAmZs==wbqjbkAgmKS39Aw@mail.gmail.com/
+Signed-off-by: Kai Mäkisara <Kai.Makisara@kolumbus.fi>
+Link: https://lore.kernel.org/r/20250311112516.5548-2-Kai.Makisara@kolumbus.fi
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/st.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c
+index 49e149d28954a..2b5e3e2ba3b8b 100644
+--- a/drivers/scsi/st.c
++++ b/drivers/scsi/st.c
+@@ -4124,7 +4124,7 @@ static void validate_options(void)
+ */
+ static int __init st_setup(char *str)
+ {
+- int i, len, ints[5];
++ int i, len, ints[ARRAY_SIZE(parms) + 1];
+ char *stp;
+
+ stp = get_options(str, ARRAY_SIZE(ints), ints);
+--
+2.39.5
+
ata-sata_sx4-drop-pointless-vprintk-calls-and-conver.patch
ata-sata_sx4-add-error-handling-in-pdc20621_i2c_read.patch
net-ppp-add-bound-checking-for-skb-data-on-ppp_sync_.patch
+pm-cpupower-bench-prevent-null-dereference-on-malloc.patch
+x86-cpu-don-t-clear-x86_feature_lahf_lm-flag-in-init.patch
+perf-arm_pmu-don-t-disable-counter-in-armpmu_add.patch
+xen-mcelog-add-__nonstring-annotations-for-untermina.patch
+x86-mm-ident_map-fix-theoretical-virtual-address-ove.patch
+hid-pidff-convert-infinite-length-from-linux-api-to-.patch
+hid-pidff-do-not-send-effect-envelope-if-it-s-empty.patch
+hid-pidff-fix-null-pointer-dereference-in-pidff_find.patch
+alsa-hda-intel-fix-optimus-when-gpu-has-no-sound.patch
+alsa-usb-audio-fix-cme-quirk-for-uf-series-keyboards.patch
+page_pool-avoid-infinite-loop-to-schedule-delayed-wo.patch
+fs-jfs-cast-inactags-to-s64-to-prevent-potential-ove.patch
+fs-jfs-prevent-integer-overflow-in-ag-size-calculati.patch
+jfs-prevent-copying-of-nlink-with-value-0-from-disk-.patch
+jfs-add-sanity-check-for-agwidth-in-dbmount.patch
+ata-libata-eh-do-not-use-atapi-dma-for-a-device-limi.patch
+ahci-add-pci-id-for-marvell-88se9215-sata-controller.patch
+ext4-protect-ext4_release_dquot-against-freezing.patch
+ext4-ignore-xattrs-past-end.patch
+scsi-st-fix-array-overflow-in-st_setup.patch
+wifi-mt76-mt76x2u-add-tp-link-tl-wdn6200-id-to-devic.patch
+net-vlan-don-t-propagate-flags-on-open.patch
+tracing-fix-return-value-in-__ftrace_event_enable_di.patch
+bluetooth-hci_uart-fix-race-during-initialization.patch
+drm-allow-encoder-mode_set-even-when-connectors-chan.patch
+drm-panel-orientation-quirks-add-support-for-ayaneo-.patch
+drm-panel-orientation-quirks-add-new-quirk-for-gpd-w.patch
+drm-amdkfd-clamp-queue-size-to-minimum.patch
+drm-amdkfd-fix-pqm_destroy_queue-race-with-gpu-reset.patch
+drm-mediatek-mtk_dpi-explicitly-manage-tvd-clock-in-.patch
+fbdev-omapfb-add-plane-value-check.patch
--- /dev/null
+From 236a3e856bb0de986db2eac5eb1c8052accffbb1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 21 Mar 2025 18:08:21 +0100
+Subject: tracing: fix return value in __ftrace_event_enable_disable for
+ TRACE_REG_UNREGISTER
+
+From: Gabriele Paoloni <gpaoloni@redhat.com>
+
+[ Upstream commit 0c588ac0ca6c22b774d9ad4a6594681fdfa57d9d ]
+
+When __ftrace_event_enable_disable invokes the class callback to
+unregister the event, the return value is not reported up to the
+caller, hence leading to event unregister failures being silently
+ignored.
+
+This patch assigns the ret variable to the invocation of the
+event unregister callback, so that its return value is stored
+and reported to the caller, and it raises a warning in case
+of error.
+
+Link: https://lore.kernel.org/20250321170821.101403-1-gpaoloni@redhat.com
+Signed-off-by: Gabriele Paoloni <gpaoloni@redhat.com>
+Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_events.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
+index 958789fe4cef7..77df1e28fa329 100644
+--- a/kernel/trace/trace_events.c
++++ b/kernel/trace/trace_events.c
+@@ -405,7 +405,9 @@ static int __ftrace_event_enable_disable(struct trace_event_file *file,
+ clear_bit(EVENT_FILE_FL_RECORDED_TGID_BIT, &file->flags);
+ }
+
+- call->class->reg(call, TRACE_REG_UNREGISTER, file);
++ ret = call->class->reg(call, TRACE_REG_UNREGISTER, file);
++
++ WARN_ON_ONCE(ret);
+ }
+ /* If in SOFT_MODE, just set the SOFT_DISABLE_BIT, else clear it */
+ if (file->flags & EVENT_FILE_FL_SOFT_MODE)
+--
+2.39.5
+
--- /dev/null
+From e55c8e141c6da8bcd87bf5ac176a89fccc1142cd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 17 Mar 2025 18:22:35 +0800
+Subject: wifi: mt76: mt76x2u: add TP-Link TL-WDN6200 ID to device table
+
+From: Icenowy Zheng <uwu@icenowy.me>
+
+[ Upstream commit 06cccc2ebbe6c8a20f714f3a0ff3ff489d3004bb ]
+
+The TP-Link TL-WDN6200 "Driverless" version cards use a MT7612U chipset.
+
+Add the USB ID to mt76x2u driver.
+
+Signed-off-by: Icenowy Zheng <uwu@icenowy.me>
+Link: https://patch.msgid.link/20250317102235.1421726-1-uwu@icenowy.me
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt76x2/usb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c b/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c
+index 96a2b7ba6764b..8c392d55d59ba 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76x2/usb.c
+@@ -19,6 +19,7 @@ static const struct usb_device_id mt76x2u_device_table[] = {
+ { USB_DEVICE(0x0846, 0x9053) }, /* Netgear A6210 */
+ { USB_DEVICE(0x045e, 0x02e6) }, /* XBox One Wireless Adapter */
+ { USB_DEVICE(0x045e, 0x02fe) }, /* XBox One Wireless Adapter */
++ { USB_DEVICE(0x2357, 0x0137) }, /* TP-Link TL-WDN6200 */
+ { },
+ };
+
+--
+2.39.5
+
--- /dev/null
+From c227684aea77efbc177890b67398d95b9b9e370e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 27 Feb 2025 21:45:05 +0100
+Subject: x86/cpu: Don't clear X86_FEATURE_LAHF_LM flag in init_amd_k8() on AMD
+ when running in a virtual machine
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Max Grobecker <max@grobecker.info>
+
+[ Upstream commit a4248ee16f411ac1ea7dfab228a6659b111e3d65 ]
+
+When running in a virtual machine, we might see the original hardware CPU
+vendor string (i.e. "AuthenticAMD"), but a model and family ID set by the
+hypervisor. In case we run on AMD hardware and the hypervisor sets a model
+ID < 0x14, the LAHF cpu feature is eliminated from the the list of CPU
+capabilities present to circumvent a bug with some BIOSes in conjunction with
+AMD K8 processors.
+
+Parsing the flags list from /proc/cpuinfo seems to be happening mostly in
+bash scripts and prebuilt Docker containers, as it does not need to have
+additionals tools present – even though more reliable ways like using "kcpuid",
+which calls the CPUID instruction instead of parsing a list, should be preferred.
+Scripts, that use /proc/cpuinfo to determine if the current CPU is
+"compliant" with defined microarchitecture levels like x86-64-v2 will falsely
+claim the CPU is incapable of modern CPU instructions when "lahf_lm" is missing
+in that flags list.
+
+This can prevent some docker containers from starting or build scripts to create
+unoptimized binaries.
+
+Admittably, this is more a small inconvenience than a severe bug in the kernel
+and the shoddy scripts that rely on parsing /proc/cpuinfo
+should be fixed instead.
+
+This patch adds an additional check to see if we're running inside a
+virtual machine (X86_FEATURE_HYPERVISOR is present), which, to my
+understanding, can't be present on a real K8 processor as it was introduced
+only with the later/other Athlon64 models.
+
+Example output with the "lahf_lm" flag missing in the flags list
+(should be shown between "hypervisor" and "abm"):
+
+ $ cat /proc/cpuinfo
+ processor : 0
+ vendor_id : AuthenticAMD
+ cpu family : 15
+ model : 6
+ model name : Common KVM processor
+ stepping : 1
+ microcode : 0x1000065
+ cpu MHz : 2599.998
+ cache size : 512 KB
+ physical id : 0
+ siblings : 1
+ core id : 0
+ cpu cores : 1
+ apicid : 0
+ initial apicid : 0
+ fpu : yes
+ fpu_exception : yes
+ cpuid level : 13
+ wp : yes
+ flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca
+ cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx rdtscp
+ lm rep_good nopl cpuid extd_apicid tsc_known_freq pni
+ pclmulqdq ssse3 fma cx16 sse4_1 sse4_2 x2apic movbe popcnt
+ tsc_deadline_timer aes xsave avx f16c hypervisor abm
+ 3dnowprefetch vmmcall bmi1 avx2 bmi2 xsaveopt
+
+... while kcpuid shows the feature to be present in the CPU:
+
+ # kcpuid -d | grep lahf
+ lahf_lm - LAHF/SAHF available in 64-bit mode
+
+[ mingo: Updated the comment a bit, incorporated Boris's review feedback. ]
+
+Signed-off-by: Max Grobecker <max@grobecker.info>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Cc: linux-kernel@vger.kernel.org
+Cc: Borislav Petkov <bp@alien8.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kernel/cpu/amd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
+index 533451498c8f8..9bcc099484c89 100644
+--- a/arch/x86/kernel/cpu/amd.c
++++ b/arch/x86/kernel/cpu/amd.c
+@@ -808,7 +808,7 @@ static void init_amd_k8(struct cpuinfo_x86 *c)
+ * (model = 0x14) and later actually support it.
+ * (AMD Erratum #110, docId: 25759).
+ */
+- if (c->x86_model < 0x14 && cpu_has(c, X86_FEATURE_LAHF_LM)) {
++ if (c->x86_model < 0x14 && cpu_has(c, X86_FEATURE_LAHF_LM) && !cpu_has(c, X86_FEATURE_HYPERVISOR)) {
+ clear_cpu_cap(c, X86_FEATURE_LAHF_LM);
+ if (!rdmsrl_amd_safe(0xc001100d, &value)) {
+ value &= ~BIT_64(32);
+--
+2.39.5
+
--- /dev/null
+From c838fe3ec8d4e3f10a5e784fb8caad02e6aa9683 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Oct 2024 14:14:55 +0300
+Subject: x86/mm/ident_map: Fix theoretical virtual address overflow to zero
+
+From: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+
+[ Upstream commit f666c92090a41ac5524dade63ff96b3adcf8c2ab ]
+
+The current calculation of the 'next' virtual address in the
+page table initialization functions in arch/x86/mm/ident_map.c
+doesn't protect against wrapping to zero.
+
+This is a theoretical issue that cannot happen currently,
+the problematic case is possible only if the user sets a
+high enough x86_mapping_info::offset value - which no
+current code in the upstream kernel does.
+
+( The wrapping to zero only occurs if the top PGD entry is accessed.
+ There are no such users upstream. Only hibernate_64.c uses
+ x86_mapping_info::offset, and it operates on the direct mapping
+ range, which is not the top PGD entry. )
+
+Should such an overflow happen, it can result in page table
+corruption and a hang.
+
+To future-proof this code, replace the manual 'next' calculation
+with p?d_addr_end() which handles wrapping correctly.
+
+[ Backporter's note: there's no need to backport this patch. ]
+
+Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Reviewed-by: Kai Huang <kai.huang@intel.com>
+Reviewed-by: Tom Lendacky <thomas.lendacky@amd.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Link: https://lore.kernel.org/r/20241016111458.846228-2-kirill.shutemov@linux.intel.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/mm/ident_map.c | 14 +++-----------
+ 1 file changed, 3 insertions(+), 11 deletions(-)
+
+diff --git a/arch/x86/mm/ident_map.c b/arch/x86/mm/ident_map.c
+index 968d7005f4a72..2f383e288c430 100644
+--- a/arch/x86/mm/ident_map.c
++++ b/arch/x86/mm/ident_map.c
+@@ -27,9 +27,7 @@ static int ident_pud_init(struct x86_mapping_info *info, pud_t *pud_page,
+ pud_t *pud = pud_page + pud_index(addr);
+ pmd_t *pmd;
+
+- next = (addr & PUD_MASK) + PUD_SIZE;
+- if (next > end)
+- next = end;
++ next = pud_addr_end(addr, end);
+
+ if (info->direct_gbpages) {
+ pud_t pudval;
+@@ -68,10 +66,7 @@ static int ident_p4d_init(struct x86_mapping_info *info, p4d_t *p4d_page,
+ p4d_t *p4d = p4d_page + p4d_index(addr);
+ pud_t *pud;
+
+- next = (addr & P4D_MASK) + P4D_SIZE;
+- if (next > end)
+- next = end;
+-
++ next = p4d_addr_end(addr, end);
+ if (p4d_present(*p4d)) {
+ pud = pud_offset(p4d, 0);
+ result = ident_pud_init(info, pud, addr, next);
+@@ -113,10 +108,7 @@ int kernel_ident_mapping_init(struct x86_mapping_info *info, pgd_t *pgd_page,
+ pgd_t *pgd = pgd_page + pgd_index(addr);
+ p4d_t *p4d;
+
+- next = (addr & PGDIR_MASK) + PGDIR_SIZE;
+- if (next > end)
+- next = end;
+-
++ next = pgd_addr_end(addr, end);
+ if (pgd_present(*pgd)) {
+ p4d = p4d_offset(pgd, 0);
+ result = ident_p4d_init(info, p4d, addr, next);
+--
+2.39.5
+
--- /dev/null
+From 304aba4a16bca76cc79afe3bc9a269fea150e65a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Mar 2025 15:22:38 -0700
+Subject: xen/mcelog: Add __nonstring annotations for unterminated strings
+
+From: Kees Cook <kees@kernel.org>
+
+[ Upstream commit 1c3dfc7c6b0f551fdca3f7c1f1e4c73be8adb17d ]
+
+When a character array without a terminating NUL character has a static
+initializer, GCC 15's -Wunterminated-string-initialization will only
+warn if the array lacks the "nonstring" attribute[1]. Mark the arrays
+with __nonstring to and correctly identify the char array as "not a C
+string" and thereby eliminate the warning.
+
+Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117178 [1]
+Cc: Juergen Gross <jgross@suse.com>
+Cc: Stefano Stabellini <sstabellini@kernel.org>
+Cc: Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>
+Cc: xen-devel@lists.xenproject.org
+Signed-off-by: Kees Cook <kees@kernel.org>
+Acked-by: Juergen Gross <jgross@suse.com>
+Message-ID: <20250310222234.work.473-kees@kernel.org>
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/xen/interface/xen-mca.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/xen/interface/xen-mca.h b/include/xen/interface/xen-mca.h
+index 73a4ea714d937..5db6116cd042c 100644
+--- a/include/xen/interface/xen-mca.h
++++ b/include/xen/interface/xen-mca.h
+@@ -365,7 +365,7 @@ struct xen_mce {
+ #define XEN_MCE_LOG_LEN 32
+
+ struct xen_mce_log {
+- char signature[12]; /* "MACHINECHECK" */
++ char signature[12] __nonstring; /* "MACHINECHECK" */
+ unsigned len; /* = XEN_MCE_LOG_LEN */
+ unsigned next;
+ unsigned flags;
+--
+2.39.5
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
