--- /dev/null
+From e0d4e8acb3789c5a8651061fbab62ca24a45c063 Mon Sep 17 00:00:00 2001
+From: Su Hui <suhui@nfschina.com>
+Date: Sun, 8 Oct 2023 14:39:30 +0800
+Subject: f2fs: avoid format-overflow warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Su Hui <suhui@nfschina.com>
+
+commit e0d4e8acb3789c5a8651061fbab62ca24a45c063 upstream.
+
+With gcc and W=1 option, there's a warning like this:
+
+fs/f2fs/compress.c: In function ‘f2fs_init_page_array_cache’:
+fs/f2fs/compress.c:1984:47: error: ‘%u’ directive writing between
+1 and 7 bytes into a region of size between 5 and 8
+[-Werror=format-overflow=]
+ 1984 | sprintf(slab_name, "f2fs_page_array_entry-%u:%u", MAJOR(dev),
+ MINOR(dev));
+ | ^~
+
+String "f2fs_page_array_entry-%u:%u" can up to 35. The first "%u" can up
+to 4 and the second "%u" can up to 7, so total size is "24 + 4 + 7 = 35".
+slab_name's size should be 35 rather than 32.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Su Hui <suhui@nfschina.com>
+Reviewed-by: Chao Yu <chao@kernel.org>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/f2fs/compress.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/f2fs/compress.c
++++ b/fs/f2fs/compress.c
+@@ -1906,7 +1906,7 @@ void f2fs_destroy_compress_inode(struct
+ int f2fs_init_page_array_cache(struct f2fs_sb_info *sbi)
+ {
+ dev_t dev = sbi->sb->s_bdev->bd_dev;
+- char slab_name[32];
++ char slab_name[35];
+
+ sprintf(slab_name, "f2fs_page_array_entry-%u:%u", MAJOR(dev), MINOR(dev));
+
--- /dev/null
+From e8183fa10c25c7b3c20670bf2b430ddcc1ee03c0 Mon Sep 17 00:00:00 2001
+From: Tam Nguyen <tamnguyenchi@os.amperecomputing.com>
+Date: Thu, 2 Nov 2023 10:30:08 +0700
+Subject: i2c: designware: Disable TX_EMPTY irq while waiting for block length byte
+
+From: Tam Nguyen <tamnguyenchi@os.amperecomputing.com>
+
+commit e8183fa10c25c7b3c20670bf2b430ddcc1ee03c0 upstream.
+
+During SMBus block data read process, we have seen high interrupt rate
+because of TX_EMPTY irq status while waiting for block length byte (the
+first data byte after the address phase). The interrupt handler does not
+do anything because the internal state is kept as STATUS_WRITE_IN_PROGRESS.
+Hence, we should disable TX_EMPTY IRQ until I2C DesignWare receives
+first data byte from I2C device, then re-enable it to resume SMBus
+transaction.
+
+It takes 0.789 ms for host to receive data length from slave.
+Without the patch, i2c_dw_isr() is called 99 times by TX_EMPTY interrupt.
+And it is none after applying the patch.
+
+Cc: stable@vger.kernel.org
+Co-developed-by: Chuong Tran <chuong@os.amperecomputing.com>
+Signed-off-by: Chuong Tran <chuong@os.amperecomputing.com>
+Signed-off-by: Tam Nguyen <tamnguyenchi@os.amperecomputing.com>
+Acked-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Reviewed-by: Serge Semin <fancer.lancer@gmail.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-designware-master.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-designware-master.c
++++ b/drivers/i2c/busses/i2c-designware-master.c
+@@ -456,10 +456,16 @@ i2c_dw_xfer_msg(struct dw_i2c_dev *dev)
+
+ /*
+ * Because we don't know the buffer length in the
+- * I2C_FUNC_SMBUS_BLOCK_DATA case, we can't stop
+- * the transaction here.
++ * I2C_FUNC_SMBUS_BLOCK_DATA case, we can't stop the
++ * transaction here. Also disable the TX_EMPTY IRQ
++ * while waiting for the data length byte to avoid the
++ * bogus interrupts flood.
+ */
+- if (buf_len > 0 || flags & I2C_M_RECV_LEN) {
++ if (flags & I2C_M_RECV_LEN) {
++ dev->status |= STATUS_WRITE_IN_PROGRESS;
++ intr_mask &= ~DW_IC_INTR_TX_EMPTY;
++ break;
++ } else if (buf_len > 0) {
+ /* more bytes to be written */
+ dev->status |= STATUS_WRITE_IN_PROGRESS;
+ break;
+@@ -495,6 +501,13 @@ i2c_dw_recv_len(struct dw_i2c_dev *dev,
+ msgs[dev->msg_read_idx].len = len;
+ msgs[dev->msg_read_idx].flags &= ~I2C_M_RECV_LEN;
+
++ /*
++ * Received buffer length, re-enable TX_EMPTY interrupt
++ * to resume the SMBUS transaction.
++ */
++ regmap_update_bits(dev->map, DW_IC_INTR_MASK, DW_IC_INTR_TX_EMPTY,
++ DW_IC_INTR_TX_EMPTY);
++
+ return len;
+ }
+
--- /dev/null
+From f78ca48a8ba9cdec96e8839351e49eec3233b177 Mon Sep 17 00:00:00 2001
+From: Heiner Kallweit <hkallweit1@gmail.com>
+Date: Sat, 9 Sep 2023 22:25:06 +0200
+Subject: i2c: i801: fix potential race in i801_block_transaction_byte_by_byte
+
+From: Heiner Kallweit <hkallweit1@gmail.com>
+
+commit f78ca48a8ba9cdec96e8839351e49eec3233b177 upstream.
+
+Currently we set SMBHSTCNT_LAST_BYTE only after the host has started
+receiving the last byte. If we get e.g. preempted before setting
+SMBHSTCNT_LAST_BYTE, the host may be finished with receiving the byte
+before SMBHSTCNT_LAST_BYTE is set.
+Therefore change the code to set SMBHSTCNT_LAST_BYTE before writing
+SMBHSTSTS_BYTE_DONE for the byte before the last byte. Now the code
+is also consistent with what we do in i801_isr_byte_done().
+
+Reported-by: Jean Delvare <jdelvare@suse.com>
+Closes: https://lore.kernel.org/linux-i2c/20230828152747.09444625@endymion.delvare/
+Cc: stable@vger.kernel.org
+Acked-by: Andi Shyti <andi.shyti@kernel.org>
+Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
+Reviewed-by: Jean Delvare <jdelvare@suse.de>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-i801.c | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-i801.c
++++ b/drivers/i2c/busses/i2c-i801.c
+@@ -702,15 +702,11 @@ static int i801_block_transaction_byte_b
+ return i801_check_post(priv, result ? priv->status : -ETIMEDOUT);
+ }
+
+- for (i = 1; i <= len; i++) {
+- if (i == len && read_write == I2C_SMBUS_READ)
+- smbcmd |= SMBHSTCNT_LAST_BYTE;
+- outb_p(smbcmd, SMBHSTCNT(priv));
+-
+- if (i == 1)
+- outb_p(inb(SMBHSTCNT(priv)) | SMBHSTCNT_START,
+- SMBHSTCNT(priv));
++ if (len == 1 && read_write == I2C_SMBUS_READ)
++ smbcmd |= SMBHSTCNT_LAST_BYTE;
++ outb_p(smbcmd | SMBHSTCNT_START, SMBHSTCNT(priv));
+
++ for (i = 1; i <= len; i++) {
+ status = i801_wait_byte_done(priv);
+ if (status)
+ goto exit;
+@@ -733,9 +729,12 @@ static int i801_block_transaction_byte_b
+ data->block[0] = len;
+ }
+
+- /* Retrieve/store value in SMBBLKDAT */
+- if (read_write == I2C_SMBUS_READ)
++ if (read_write == I2C_SMBUS_READ) {
+ data->block[i] = inb_p(SMBBLKDAT(priv));
++ if (i == len - 1)
++ outb_p(smbcmd | SMBHSTCNT_LAST_BYTE, SMBHSTCNT(priv));
++ }
++
+ if (read_write == I2C_SMBUS_WRITE && i+1 <= len)
+ outb_p(data->block[i+1], SMBBLKDAT(priv));
+
--- /dev/null
+From b36995b8609a5a8fe5cf259a1ee768fcaed919f8 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Tue, 31 Oct 2023 13:32:07 +0100
+Subject: lsm: fix default return value for inode_getsecctx
+
+From: Ondrej Mosnacek <omosnace@redhat.com>
+
+commit b36995b8609a5a8fe5cf259a1ee768fcaed919f8 upstream.
+
+-EOPNOTSUPP is the return value that implements a "no-op" hook, not 0.
+
+Without this fix having only the BPF LSM enabled (with no programs
+attached) can cause uninitialized variable reads in
+nfsd4_encode_fattr(), because the BPF hook returns 0 without touching
+the 'ctxlen' variable and the corresponding 'contextlen' variable in
+nfsd4_encode_fattr() remains uninitialized, yet being treated as valid
+based on the 0 return value.
+
+Cc: stable@vger.kernel.org
+Fixes: 98e828a0650f ("security: Refactor declaration of LSM hooks")
+Reported-by: Benjamin Coddington <bcodding@redhat.com>
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/lsm_hook_defs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/lsm_hook_defs.h
++++ b/include/linux/lsm_hook_defs.h
+@@ -265,7 +265,7 @@ LSM_HOOK(void, LSM_RET_VOID, release_sec
+ LSM_HOOK(void, LSM_RET_VOID, inode_invalidate_secctx, struct inode *inode)
+ LSM_HOOK(int, 0, inode_notifysecctx, struct inode *inode, void *ctx, u32 ctxlen)
+ LSM_HOOK(int, 0, inode_setsecctx, struct dentry *dentry, void *ctx, u32 ctxlen)
+-LSM_HOOK(int, 0, inode_getsecctx, struct inode *inode, void **ctx,
++LSM_HOOK(int, -EOPNOTSUPP, inode_getsecctx, struct inode *inode, void **ctx,
+ u32 *ctxlen)
+
+ #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
--- /dev/null
+From 866d648059d5faf53f1cd960b43fe8365ad93ea7 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Tue, 31 Oct 2023 13:32:06 +0100
+Subject: lsm: fix default return value for vm_enough_memory
+
+From: Ondrej Mosnacek <omosnace@redhat.com>
+
+commit 866d648059d5faf53f1cd960b43fe8365ad93ea7 upstream.
+
+1 is the return value that implements a "no-op" hook, not 0.
+
+Cc: stable@vger.kernel.org
+Fixes: 98e828a0650f ("security: Refactor declaration of LSM hooks")
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Signed-off-by: Paul Moore <paul@paul-moore.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/lsm_hook_defs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/lsm_hook_defs.h
++++ b/include/linux/lsm_hook_defs.h
+@@ -48,7 +48,7 @@ LSM_HOOK(int, 0, quota_on, struct dentry
+ LSM_HOOK(int, 0, syslog, int type)
+ LSM_HOOK(int, 0, settime, const struct timespec64 *ts,
+ const struct timezone *tz)
+-LSM_HOOK(int, 0, vm_enough_memory, struct mm_struct *mm, long pages)
++LSM_HOOK(int, 1, vm_enough_memory, struct mm_struct *mm, long pages)
+ LSM_HOOK(int, 0, bprm_creds_for_exec, struct linux_binprm *bprm)
+ LSM_HOOK(int, 0, bprm_creds_from_file, struct linux_binprm *bprm, struct file *file)
+ LSM_HOOK(int, 0, bprm_check_security, struct linux_binprm *bprm)
--- /dev/null
+From 724ff68e968b19d786870d333f9952bdd6b119cb Mon Sep 17 00:00:00 2001
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+Date: Mon, 4 Sep 2023 15:57:37 +0300
+Subject: media: ccs: Correctly initialise try compose rectangle
+
+From: Sakari Ailus <sakari.ailus@linux.intel.com>
+
+commit 724ff68e968b19d786870d333f9952bdd6b119cb upstream.
+
+Initialise the try sink compose rectangle size to the sink compose
+rectangle for binner and scaler sub-devices. This was missed due to the
+faulty condition that lead to the compose rectangles to be initialised for
+the pixel array sub-device where it is not relevant.
+
+Fixes: ccfc97bdb5ae ("[media] smiapp: Add driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/i2c/ccs/ccs-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/i2c/ccs/ccs-core.c
++++ b/drivers/media/i2c/ccs/ccs-core.c
+@@ -3089,7 +3089,7 @@ static int ccs_open(struct v4l2_subdev *
+ try_fmt->code = sensor->internal_csi_format->code;
+ try_fmt->field = V4L2_FIELD_NONE;
+
+- if (ssd != sensor->pixel_array)
++ if (ssd == sensor->pixel_array)
+ continue;
+
+ try_comp = v4l2_subdev_get_try_compose(sd, fh->state, i);
--- /dev/null
+From c8a489f820179fb12251e262b50303c29de991ac Mon Sep 17 00:00:00 2001
+From: Sean Young <sean@mess.org>
+Date: Fri, 6 Oct 2023 22:31:52 +0100
+Subject: media: lirc: drop trailing space from scancode transmit
+
+From: Sean Young <sean@mess.org>
+
+commit c8a489f820179fb12251e262b50303c29de991ac upstream.
+
+When transmitting, infrared drivers expect an odd number of samples; iow
+without a trailing space. No problems have been observed so far, so
+this is just belt and braces.
+
+Fixes: 9b6192589be7 ("media: lirc: implement scancode sending")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/rc/lirc_dev.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/rc/lirc_dev.c
++++ b/drivers/media/rc/lirc_dev.c
+@@ -287,7 +287,11 @@ static ssize_t lirc_transmit(struct file
+ if (ret < 0)
+ goto out_kfree_raw;
+
+- count = ret;
++ /* drop trailing space */
++ if (!(ret % 2))
++ count = ret - 1;
++ else
++ count = ret;
+
+ txbuf = kmalloc_array(count, sizeof(unsigned int), GFP_KERNEL);
+ if (!txbuf) {
--- /dev/null
+From 4f7efc71891462ab7606da7039f480d7c1584a13 Mon Sep 17 00:00:00 2001
+From: Sean Young <sean@mess.org>
+Date: Fri, 6 Oct 2023 12:54:25 +0100
+Subject: media: sharp: fix sharp encoding
+
+From: Sean Young <sean@mess.org>
+
+commit 4f7efc71891462ab7606da7039f480d7c1584a13 upstream.
+
+The Sharp protocol[1] encoding has incorrect timings for bit space.
+
+[1] https://www.sbprojects.net/knowledge/ir/sharp.php
+
+Fixes: d35afc5fe097 ("[media] rc: ir-sharp-decoder: Add encode capability")
+Cc: stable@vger.kernel.org
+Reported-by: Joe Ferner <joe.m.ferner@gmail.com>
+Closes: https://sourceforge.net/p/lirc/mailman/message/38604507/
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/rc/ir-sharp-decoder.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/rc/ir-sharp-decoder.c
++++ b/drivers/media/rc/ir-sharp-decoder.c
+@@ -15,7 +15,9 @@
+ #define SHARP_UNIT 40 /* us */
+ #define SHARP_BIT_PULSE (8 * SHARP_UNIT) /* 320us */
+ #define SHARP_BIT_0_PERIOD (25 * SHARP_UNIT) /* 1ms (680us space) */
+-#define SHARP_BIT_1_PERIOD (50 * SHARP_UNIT) /* 2ms (1680ms space) */
++#define SHARP_BIT_1_PERIOD (50 * SHARP_UNIT) /* 2ms (1680us space) */
++#define SHARP_BIT_0_SPACE (17 * SHARP_UNIT) /* 680us space */
++#define SHARP_BIT_1_SPACE (42 * SHARP_UNIT) /* 1680us space */
+ #define SHARP_ECHO_SPACE (1000 * SHARP_UNIT) /* 40 ms */
+ #define SHARP_TRAILER_SPACE (125 * SHARP_UNIT) /* 5 ms (even longer) */
+
+@@ -168,8 +170,8 @@ static const struct ir_raw_timings_pd ir
+ .header_pulse = 0,
+ .header_space = 0,
+ .bit_pulse = SHARP_BIT_PULSE,
+- .bit_space[0] = SHARP_BIT_0_PERIOD,
+- .bit_space[1] = SHARP_BIT_1_PERIOD,
++ .bit_space[0] = SHARP_BIT_0_SPACE,
++ .bit_space[1] = SHARP_BIT_1_SPACE,
+ .trailer_pulse = SHARP_BIT_PULSE,
+ .trailer_space = SHARP_ECHO_SPACE,
+ .msb_first = 1,
--- /dev/null
+From 8d0b89398b7ebc52103e055bf36b60b045f5258f Mon Sep 17 00:00:00 2001
+From: Vikash Garodia <quic_vgarodia@quicinc.com>
+Date: Thu, 10 Aug 2023 07:55:03 +0530
+Subject: media: venus: hfi: add checks to handle capabilities from firmware
+
+From: Vikash Garodia <quic_vgarodia@quicinc.com>
+
+commit 8d0b89398b7ebc52103e055bf36b60b045f5258f upstream.
+
+The hfi parser, parses the capabilities received from venus firmware and
+copies them to core capabilities. Consider below api, for example,
+fill_caps - In this api, caps in core structure gets updated with the
+number of capabilities received in firmware data payload. If the same api
+is called multiple times, there is a possibility of copying beyond the max
+allocated size in core caps.
+Similar possibilities in fill_raw_fmts and fill_profile_level functions.
+
+Cc: stable@vger.kernel.org
+Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser")
+Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
+Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/hfi_parser.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/media/platform/qcom/venus/hfi_parser.c
++++ b/drivers/media/platform/qcom/venus/hfi_parser.c
+@@ -89,6 +89,9 @@ static void fill_profile_level(struct hf
+ {
+ const struct hfi_profile_level *pl = data;
+
++ if (cap->num_pl + num >= HFI_MAX_PROFILE_COUNT)
++ return;
++
+ memcpy(&cap->pl[cap->num_pl], pl, num * sizeof(*pl));
+ cap->num_pl += num;
+ }
+@@ -114,6 +117,9 @@ fill_caps(struct hfi_plat_caps *cap, con
+ {
+ const struct hfi_capability *caps = data;
+
++ if (cap->num_caps + num >= MAX_CAP_ENTRIES)
++ return;
++
+ memcpy(&cap->caps[cap->num_caps], caps, num * sizeof(*caps));
+ cap->num_caps += num;
+ }
+@@ -140,6 +146,9 @@ static void fill_raw_fmts(struct hfi_pla
+ {
+ const struct raw_formats *formats = fmts;
+
++ if (cap->num_fmts + num_fmts >= MAX_FMT_ENTRIES)
++ return;
++
+ memcpy(&cap->fmts[cap->num_fmts], formats, num_fmts * sizeof(*formats));
+ cap->num_fmts += num_fmts;
+ }
+@@ -162,6 +171,9 @@ parse_raw_formats(struct venus_core *cor
+ rawfmts[i].buftype = fmt->buffer_type;
+ i++;
+
++ if (i >= MAX_FMT_ENTRIES)
++ return;
++
+ if (pinfo->num_planes > MAX_PLANES)
+ break;
+
--- /dev/null
+From b18e36dfd6c935da60a971310374f3dfec3c82e1 Mon Sep 17 00:00:00 2001
+From: Vikash Garodia <quic_vgarodia@quicinc.com>
+Date: Thu, 10 Aug 2023 07:55:02 +0530
+Subject: media: venus: hfi: fix the check to handle session buffer requirement
+
+From: Vikash Garodia <quic_vgarodia@quicinc.com>
+
+commit b18e36dfd6c935da60a971310374f3dfec3c82e1 upstream.
+
+Buffer requirement, for different buffer type, comes from video firmware.
+While copying these requirements, there is an OOB possibility when the
+payload from firmware is more than expected size. Fix the check to avoid
+the OOB possibility.
+
+Cc: stable@vger.kernel.org
+Fixes: 09c2845e8fe4 ("[media] media: venus: hfi: add Host Firmware Interface (HFI)")
+Reviewed-by: Nathan Hebert <nhebert@chromium.org>
+Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
+Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/hfi_msgs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/platform/qcom/venus/hfi_msgs.c
++++ b/drivers/media/platform/qcom/venus/hfi_msgs.c
+@@ -367,7 +367,7 @@ session_get_prop_buf_req(struct hfi_msg_
+ memcpy(&bufreq[idx], buf_req, sizeof(*bufreq));
+ idx++;
+
+- if (idx > HFI_BUFFER_TYPE_MAX)
++ if (idx >= HFI_BUFFER_TYPE_MAX)
+ return HFI_ERR_SESSION_INVALID_PARAMETER;
+
+ req_bytes -= sizeof(struct hfi_buffer_requirements);
--- /dev/null
+From 0768a9dd809ef52440b5df7dce5a1c1c7e97abbd Mon Sep 17 00:00:00 2001
+From: Vikash Garodia <quic_vgarodia@quicinc.com>
+Date: Thu, 10 Aug 2023 07:55:04 +0530
+Subject: media: venus: hfi_parser: Add check to keep the number of codecs within range
+
+From: Vikash Garodia <quic_vgarodia@quicinc.com>
+
+commit 0768a9dd809ef52440b5df7dce5a1c1c7e97abbd upstream.
+
+Supported codec bitmask is populated from the payload from venus firmware.
+There is a possible case when all the bits in the codec bitmask is set. In
+such case, core cap for decoder is filled and MAX_CODEC_NUM is utilized.
+Now while filling the caps for encoder, it can lead to access the caps
+array beyong 32 index. Hence leading to OOB write.
+The fix counts the supported encoder and decoder. If the count is more than
+max, then it skips accessing the caps.
+
+Cc: stable@vger.kernel.org
+Fixes: 1a73374a04e5 ("media: venus: hfi_parser: add common capability parser")
+Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
+Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/qcom/venus/hfi_parser.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/platform/qcom/venus/hfi_parser.c
++++ b/drivers/media/platform/qcom/venus/hfi_parser.c
+@@ -19,6 +19,9 @@ static void init_codecs(struct venus_cor
+ struct hfi_plat_caps *caps = core->caps, *cap;
+ unsigned long bit;
+
++ if (hweight_long(core->dec_codecs) + hweight_long(core->enc_codecs) > MAX_CODEC_NUM)
++ return;
++
+ for_each_set_bit(bit, &core->dec_codecs, MAX_CODEC_NUM) {
+ cap = &caps[core->codecs_count++];
+ cap->codec = BIT(bit);
--- /dev/null
+From d7133797e9e1b72fd89237f68cb36d745599ed86 Mon Sep 17 00:00:00 2001
+From: Victor Shih <victor.shih@genesyslogic.com.tw>
+Date: Tue, 12 Sep 2023 17:17:10 +0800
+Subject: mmc: sdhci-pci-gli: A workaround to allow GL9750 to enter ASPM L1.2
+
+From: Victor Shih <victor.shih@genesyslogic.com.tw>
+
+commit d7133797e9e1b72fd89237f68cb36d745599ed86 upstream.
+
+When GL9750 enters ASPM L1 sub-states, it will stay at L1.1 and will not
+enter L1.2. The workaround is to toggle PM state to allow GL9750 to enter
+ASPM L1.2.
+
+Signed-off-by: Victor Shih <victor.shih@genesyslogic.com.tw>
+Link: https://lore.kernel.org/r/20230912091710.7797-1-victorshihgli@gmail.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/sdhci-pci-gli.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/mmc/host/sdhci-pci-gli.c
++++ b/drivers/mmc/host/sdhci-pci-gli.c
+@@ -23,6 +23,9 @@
+ #define GLI_9750_WT_EN_ON 0x1
+ #define GLI_9750_WT_EN_OFF 0x0
+
++#define PCI_GLI_9750_PM_CTRL 0xFC
++#define PCI_GLI_9750_PM_STATE GENMASK(1, 0)
++
+ #define SDHCI_GLI_9750_CFG2 0x848
+ #define SDHCI_GLI_9750_CFG2_L1DLY GENMASK(28, 24)
+ #define GLI_9750_CFG2_L1DLY_VALUE 0x1F
+@@ -421,8 +424,12 @@ static void sdhci_gl9750_set_clock(struc
+
+ static void gl9750_hw_setting(struct sdhci_host *host)
+ {
++ struct sdhci_pci_slot *slot = sdhci_priv(host);
++ struct pci_dev *pdev;
+ u32 value;
+
++ pdev = slot->chip->pdev;
++
+ gl9750_wt_on(host);
+
+ value = sdhci_readl(host, SDHCI_GLI_9750_CFG2);
+@@ -432,6 +439,13 @@ static void gl9750_hw_setting(struct sdh
+ GLI_9750_CFG2_L1DLY_VALUE);
+ sdhci_writel(host, value, SDHCI_GLI_9750_CFG2);
+
++ /* toggle PM state to allow GL9750 to enter ASPM L1.2 */
++ pci_read_config_dword(pdev, PCI_GLI_9750_PM_CTRL, &value);
++ value |= PCI_GLI_9750_PM_STATE;
++ pci_write_config_dword(pdev, PCI_GLI_9750_PM_CTRL, value);
++ value &= ~PCI_GLI_9750_PM_STATE;
++ pci_write_config_dword(pdev, PCI_GLI_9750_PM_CTRL, value);
++
+ gl9750_wt_off(host);
+ }
+
--- /dev/null
+From 5a22fbcc10f3f7d94c5d88afbbffa240a3677057 Mon Sep 17 00:00:00 2001
+From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+Date: Fri, 27 Oct 2023 08:57:38 +0200
+Subject: net: dsa: lan9303: consequently nested-lock physical MDIO
+
+From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+
+commit 5a22fbcc10f3f7d94c5d88afbbffa240a3677057 upstream.
+
+When LAN9303 is MDIO-connected two callchains exist into
+mdio->bus->write():
+
+1. switch ports 1&2 ("physical" PHYs):
+
+virtual (switch-internal) MDIO bus (lan9303_switch_ops->phy_{read|write})->
+ lan9303_mdio_phy_{read|write} -> mdiobus_{read|write}_nested
+
+2. LAN9303 virtual PHY:
+
+virtual MDIO bus (lan9303_phy_{read|write}) ->
+ lan9303_virt_phy_reg_{read|write} -> regmap -> lan9303_mdio_{read|write}
+
+If the latter functions just take
+mutex_lock(&sw_dev->device->bus->mdio_lock) it triggers a LOCKDEP
+false-positive splat. It's false-positive because the first
+mdio_lock in the second callchain above belongs to virtual MDIO bus, the
+second mdio_lock belongs to physical MDIO bus.
+
+Consequent annotation in lan9303_mdio_{read|write} as nested lock
+(similar to lan9303_mdio_phy_{read|write}, it's the same physical MDIO bus)
+prevents the following splat:
+
+WARNING: possible circular locking dependency detected
+5.15.71 #1 Not tainted
+------------------------------------------------------
+kworker/u4:3/609 is trying to acquire lock:
+ffff000011531c68 (lan9303_mdio:131:(&lan9303_mdio_regmap_config)->lock){+.+.}-{3:3}, at: regmap_lock_mutex
+but task is already holding lock:
+ffff0000114c44d8 (&bus->mdio_lock){+.+.}-{3:3}, at: mdiobus_read
+which lock already depends on the new lock.
+the existing dependency chain (in reverse order) is:
+-> #1 (&bus->mdio_lock){+.+.}-{3:3}:
+ lock_acquire
+ __mutex_lock
+ mutex_lock_nested
+ lan9303_mdio_read
+ _regmap_read
+ regmap_read
+ lan9303_probe
+ lan9303_mdio_probe
+ mdio_probe
+ really_probe
+ __driver_probe_device
+ driver_probe_device
+ __device_attach_driver
+ bus_for_each_drv
+ __device_attach
+ device_initial_probe
+ bus_probe_device
+ deferred_probe_work_func
+ process_one_work
+ worker_thread
+ kthread
+ ret_from_fork
+-> #0 (lan9303_mdio:131:(&lan9303_mdio_regmap_config)->lock){+.+.}-{3:3}:
+ __lock_acquire
+ lock_acquire.part.0
+ lock_acquire
+ __mutex_lock
+ mutex_lock_nested
+ regmap_lock_mutex
+ regmap_read
+ lan9303_phy_read
+ dsa_slave_phy_read
+ __mdiobus_read
+ mdiobus_read
+ get_phy_device
+ mdiobus_scan
+ __mdiobus_register
+ dsa_register_switch
+ lan9303_probe
+ lan9303_mdio_probe
+ mdio_probe
+ really_probe
+ __driver_probe_device
+ driver_probe_device
+ __device_attach_driver
+ bus_for_each_drv
+ __device_attach
+ device_initial_probe
+ bus_probe_device
+ deferred_probe_work_func
+ process_one_work
+ worker_thread
+ kthread
+ ret_from_fork
+other info that might help us debug this:
+ Possible unsafe locking scenario:
+ CPU0 CPU1
+ ---- ----
+ lock(&bus->mdio_lock);
+ lock(lan9303_mdio:131:(&lan9303_mdio_regmap_config)->lock);
+ lock(&bus->mdio_lock);
+ lock(lan9303_mdio:131:(&lan9303_mdio_regmap_config)->lock);
+*** DEADLOCK ***
+5 locks held by kworker/u4:3/609:
+ #0: ffff000002842938 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work
+ #1: ffff80000bacbd60 (deferred_probe_work){+.+.}-{0:0}, at: process_one_work
+ #2: ffff000007645178 (&dev->mutex){....}-{3:3}, at: __device_attach
+ #3: ffff8000096e6e78 (dsa2_mutex){+.+.}-{3:3}, at: dsa_register_switch
+ #4: ffff0000114c44d8 (&bus->mdio_lock){+.+.}-{3:3}, at: mdiobus_read
+stack backtrace:
+CPU: 1 PID: 609 Comm: kworker/u4:3 Not tainted 5.15.71 #1
+Workqueue: events_unbound deferred_probe_work_func
+Call trace:
+ dump_backtrace
+ show_stack
+ dump_stack_lvl
+ dump_stack
+ print_circular_bug
+ check_noncircular
+ __lock_acquire
+ lock_acquire.part.0
+ lock_acquire
+ __mutex_lock
+ mutex_lock_nested
+ regmap_lock_mutex
+ regmap_read
+ lan9303_phy_read
+ dsa_slave_phy_read
+ __mdiobus_read
+ mdiobus_read
+ get_phy_device
+ mdiobus_scan
+ __mdiobus_register
+ dsa_register_switch
+ lan9303_probe
+ lan9303_mdio_probe
+...
+
+Cc: stable@vger.kernel.org
+Fixes: dc7005831523 ("net: dsa: LAN9303: add MDIO managed mode support")
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Link: https://lore.kernel.org/r/20231027065741.534971-1-alexander.sverdlin@siemens.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/lan9303_mdio.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/dsa/lan9303_mdio.c
++++ b/drivers/net/dsa/lan9303_mdio.c
+@@ -32,7 +32,7 @@ static int lan9303_mdio_write(void *ctx,
+ struct lan9303_mdio *sw_dev = (struct lan9303_mdio *)ctx;
+
+ reg <<= 2; /* reg num to offset */
+- mutex_lock(&sw_dev->device->bus->mdio_lock);
++ mutex_lock_nested(&sw_dev->device->bus->mdio_lock, MDIO_MUTEX_NESTED);
+ lan9303_mdio_real_write(sw_dev->device, reg, val & 0xffff);
+ lan9303_mdio_real_write(sw_dev->device, reg + 2, (val >> 16) & 0xffff);
+ mutex_unlock(&sw_dev->device->bus->mdio_lock);
+@@ -50,7 +50,7 @@ static int lan9303_mdio_read(void *ctx,
+ struct lan9303_mdio *sw_dev = (struct lan9303_mdio *)ctx;
+
+ reg <<= 2; /* reg num to offset */
+- mutex_lock(&sw_dev->device->bus->mdio_lock);
++ mutex_lock_nested(&sw_dev->device->bus->mdio_lock, MDIO_MUTEX_NESTED);
+ *val = lan9303_mdio_real_read(sw_dev->device, reg);
+ *val |= (lan9303_mdio_real_read(sw_dev->device, reg + 2) << 16);
+ mutex_unlock(&sw_dev->device->bus->mdio_lock);
--- /dev/null
+From f55d8e60f10909dbc5524e261041e1d28d7d20d8 Mon Sep 17 00:00:00 2001
+From: Andrew Lunn <andrew@lunn.ch>
+Date: Sat, 28 Oct 2023 21:25:11 +0200
+Subject: net: ethtool: Fix documentation of ethtool_sprintf()
+
+From: Andrew Lunn <andrew@lunn.ch>
+
+commit f55d8e60f10909dbc5524e261041e1d28d7d20d8 upstream.
+
+This function takes a pointer to a pointer, unlike sprintf() which is
+passed a plain pointer. Fix up the documentation to make this clear.
+
+Fixes: 7888fe53b706 ("ethtool: Add common function for filling out strings")
+Cc: Alexander Duyck <alexanderduyck@fb.com>
+Cc: Justin Stitt <justinstitt@google.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrew Lunn <andrew@lunn.ch>
+Reviewed-by: Justin Stitt <justinstitt@google.com>
+Link: https://lore.kernel.org/r/20231028192511.100001-1-andrew@lunn.ch
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/ethtool.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/linux/ethtool.h
++++ b/include/linux/ethtool.h
+@@ -781,10 +781,10 @@ int ethtool_get_phc_vclocks(struct net_d
+
+ /**
+ * ethtool_sprintf - Write formatted string to ethtool string data
+- * @data: Pointer to start of string to update
++ * @data: Pointer to a pointer to the start of string to update
+ * @fmt: Format of string to write
+ *
+- * Write formatted string to data. Update data to point at start of
++ * Write formatted string to *data. Update *data to point at start of
+ * next string.
+ */
+ extern __printf(2, 3) void ethtool_sprintf(u8 **data, const char *fmt, ...);
--- /dev/null
+From 02d5fdbf4f2b8c406f7a4c98fa52aa181a11d733 Mon Sep 17 00:00:00 2001
+From: Klaus Kudielka <klaus.kudielka@gmail.com>
+Date: Tue, 7 Nov 2023 18:44:02 +0100
+Subject: net: phylink: initialize carrier state at creation
+
+From: Klaus Kudielka <klaus.kudielka@gmail.com>
+
+commit 02d5fdbf4f2b8c406f7a4c98fa52aa181a11d733 upstream.
+
+Background: Turris Omnia (Armada 385); eth2 (mvneta) connected to SFP bus;
+SFP module is present, but no fiber connected, so definitely no carrier.
+
+After booting, eth2 is down, but netdev LED trigger surprisingly reports
+link active. Then, after "ip link set eth2 up", the link indicator goes
+away - as I would have expected it from the beginning.
+
+It turns out, that the default carrier state after netdev creation is
+"carrier ok". Some ethernet drivers explicitly call netif_carrier_off
+during probing, others (like mvneta) don't - which explains the current
+behaviour: only when the device is brought up, phylink_start calls
+netif_carrier_off.
+
+Fix this for all drivers using phylink, by calling netif_carrier_off in
+phylink_create.
+
+Fixes: 089381b27abe ("leds: initial support for Turris Omnia LEDs")
+Cc: stable@vger.kernel.org
+Suggested-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: Klaus Kudielka <klaus.kudielka@gmail.com>
+Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/phylink.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/phy/phylink.c
++++ b/drivers/net/phy/phylink.c
+@@ -853,6 +853,7 @@ struct phylink *phylink_create(struct ph
+ pl->config = config;
+ if (config->type == PHYLINK_NETDEV) {
+ pl->netdev = to_net_dev(config->dev);
++ netif_carrier_off(pl->netdev);
+ } else if (config->type == PHYLINK_DEV) {
+ pl->dev = config->dev;
+ } else {
--- /dev/null
+From bc1b5acb40201a0746d68a7d7cfc141899937f4f Mon Sep 17 00:00:00 2001
+From: Mahmoud Adam <mngyadam@amazon.com>
+Date: Fri, 10 Nov 2023 19:21:04 +0100
+Subject: nfsd: fix file memleak on client_opens_release
+
+From: Mahmoud Adam <mngyadam@amazon.com>
+
+commit bc1b5acb40201a0746d68a7d7cfc141899937f4f upstream.
+
+seq_release should be called to free the allocated seq_file
+
+Cc: stable@vger.kernel.org # v5.3+
+Signed-off-by: Mahmoud Adam <mngyadam@amazon.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Fixes: 78599c42ae3c ("nfsd4: add file to display list of client's opens")
+Reviewed-by: NeilBrown <neilb@suse.de>
+Tested-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4state.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -2686,7 +2686,7 @@ static int client_opens_release(struct i
+
+ /* XXX: alternatively, we could get/drop in seq start/stop */
+ drop_client(clp);
+- return 0;
++ return seq_release(inode, file);
+ }
+
+ static const struct file_operations client_states_fops = {
--- /dev/null
+From 7b211c7671212cad0b83603c674838c7e824d845 Mon Sep 17 00:00:00 2001
+From: Robert Marko <robert.marko@sartura.hr>
+Date: Fri, 10 Nov 2023 10:30:11 +0100
+Subject: Revert "i2c: pxa: move to generic GPIO recovery"
+
+From: Robert Marko <robert.marko@sartura.hr>
+
+commit 7b211c7671212cad0b83603c674838c7e824d845 upstream.
+
+This reverts commit 0b01392c18b9993a584f36ace1d61118772ad0ca.
+
+Conversion of PXA to generic I2C recovery, makes the I2C bus completely
+lock up if recovery pinctrl is present in the DT and I2C recovery is
+enabled.
+
+So, until the generic I2C recovery can also work with PXA lets revert
+to have working I2C and I2C recovery again.
+
+Signed-off-by: Robert Marko <robert.marko@sartura.hr>
+Cc: stable@vger.kernel.org # 5.11+
+Acked-by: Andi Shyti <andi.shyti@kernel.org>
+Acked-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Acked-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-pxa.c | 76 ++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 68 insertions(+), 8 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-pxa.c
++++ b/drivers/i2c/busses/i2c-pxa.c
+@@ -264,6 +264,9 @@ struct pxa_i2c {
+ u32 hs_mask;
+
+ struct i2c_bus_recovery_info recovery;
++ struct pinctrl *pinctrl;
++ struct pinctrl_state *pinctrl_default;
++ struct pinctrl_state *pinctrl_recovery;
+ };
+
+ #define _IBMR(i2c) ((i2c)->reg_ibmr)
+@@ -1302,12 +1305,13 @@ static void i2c_pxa_prepare_recovery(str
+ */
+ gpiod_set_value(i2c->recovery.scl_gpiod, ibmr & IBMR_SCLS);
+ gpiod_set_value(i2c->recovery.sda_gpiod, ibmr & IBMR_SDAS);
++
++ WARN_ON(pinctrl_select_state(i2c->pinctrl, i2c->pinctrl_recovery));
+ }
+
+ static void i2c_pxa_unprepare_recovery(struct i2c_adapter *adap)
+ {
+ struct pxa_i2c *i2c = adap->algo_data;
+- struct i2c_bus_recovery_info *bri = adap->bus_recovery_info;
+ u32 isr;
+
+ /*
+@@ -1321,7 +1325,7 @@ static void i2c_pxa_unprepare_recovery(s
+ i2c_pxa_do_reset(i2c);
+ }
+
+- WARN_ON(pinctrl_select_state(bri->pinctrl, bri->pins_default));
++ WARN_ON(pinctrl_select_state(i2c->pinctrl, i2c->pinctrl_default));
+
+ dev_dbg(&i2c->adap.dev, "recovery: IBMR 0x%08x ISR 0x%08x\n",
+ readl(_IBMR(i2c)), readl(_ISR(i2c)));
+@@ -1343,20 +1347,76 @@ static int i2c_pxa_init_recovery(struct
+ if (IS_ENABLED(CONFIG_I2C_PXA_SLAVE))
+ return 0;
+
+- bri->pinctrl = devm_pinctrl_get(dev);
+- if (PTR_ERR(bri->pinctrl) == -ENODEV) {
+- bri->pinctrl = NULL;
++ i2c->pinctrl = devm_pinctrl_get(dev);
++ if (PTR_ERR(i2c->pinctrl) == -ENODEV)
++ i2c->pinctrl = NULL;
++ if (IS_ERR(i2c->pinctrl))
++ return PTR_ERR(i2c->pinctrl);
++
++ if (!i2c->pinctrl)
++ return 0;
++
++ i2c->pinctrl_default = pinctrl_lookup_state(i2c->pinctrl,
++ PINCTRL_STATE_DEFAULT);
++ i2c->pinctrl_recovery = pinctrl_lookup_state(i2c->pinctrl, "recovery");
++
++ if (IS_ERR(i2c->pinctrl_default) || IS_ERR(i2c->pinctrl_recovery)) {
++ dev_info(dev, "missing pinmux recovery information: %ld %ld\n",
++ PTR_ERR(i2c->pinctrl_default),
++ PTR_ERR(i2c->pinctrl_recovery));
++ return 0;
++ }
++
++ /*
++ * Claiming GPIOs can influence the pinmux state, and may glitch the
++ * I2C bus. Do this carefully.
++ */
++ bri->scl_gpiod = devm_gpiod_get(dev, "scl", GPIOD_OUT_HIGH_OPEN_DRAIN);
++ if (bri->scl_gpiod == ERR_PTR(-EPROBE_DEFER))
++ return -EPROBE_DEFER;
++ if (IS_ERR(bri->scl_gpiod)) {
++ dev_info(dev, "missing scl gpio recovery information: %pe\n",
++ bri->scl_gpiod);
++ return 0;
++ }
++
++ /*
++ * We have SCL. Pull SCL low and wait a bit so that SDA glitches
++ * have no effect.
++ */
++ gpiod_direction_output(bri->scl_gpiod, 0);
++ udelay(10);
++ bri->sda_gpiod = devm_gpiod_get(dev, "sda", GPIOD_OUT_HIGH_OPEN_DRAIN);
++
++ /* Wait a bit in case of a SDA glitch, and then release SCL. */
++ udelay(10);
++ gpiod_direction_output(bri->scl_gpiod, 1);
++
++ if (bri->sda_gpiod == ERR_PTR(-EPROBE_DEFER))
++ return -EPROBE_DEFER;
++
++ if (IS_ERR(bri->sda_gpiod)) {
++ dev_info(dev, "missing sda gpio recovery information: %pe\n",
++ bri->sda_gpiod);
+ return 0;
+ }
+- if (IS_ERR(bri->pinctrl))
+- return PTR_ERR(bri->pinctrl);
+
+ bri->prepare_recovery = i2c_pxa_prepare_recovery;
+ bri->unprepare_recovery = i2c_pxa_unprepare_recovery;
++ bri->recover_bus = i2c_generic_scl_recovery;
+
+ i2c->adap.bus_recovery_info = bri;
+
+- return 0;
++ /*
++ * Claiming GPIOs can change the pinmux state, which confuses the
++ * pinctrl since pinctrl's idea of the current setting is unaffected
++ * by the pinmux change caused by claiming the GPIO. Work around that
++ * by switching pinctrl to the GPIO state here. We do it this way to
++ * avoid glitching the I2C bus.
++ */
++ pinctrl_select_state(i2c->pinctrl, i2c->pinctrl_recovery);
++
++ return pinctrl_select_state(i2c->pinctrl, i2c->pinctrl_default);
+ }
+
+ static int i2c_pxa_probe(struct platform_device *dev)
--- /dev/null
+From 9e2e7efbbbff69d8340abb56d375dd79d1f5770f Mon Sep 17 00:00:00 2001
+From: Johnathan Mantey <johnathanx.mantey@intel.com>
+Date: Mon, 13 Nov 2023 08:30:29 -0800
+Subject: Revert ncsi: Propagate carrier gain/loss events to the NCSI controller
+
+From: Johnathan Mantey <johnathanx.mantey@intel.com>
+
+commit 9e2e7efbbbff69d8340abb56d375dd79d1f5770f upstream.
+
+This reverts commit 3780bb29311eccb7a1c9641032a112eed237f7e3.
+
+The cited commit introduced unwanted behavior.
+
+The intent for the commit was to be able to detect carrier loss/gain
+for just the NIC connected to the BMC. The unwanted effect is a
+carrier loss for auxiliary paths also causes the BMC to lose
+carrier. The BMC never regains carrier despite the secondary NIC
+regaining a link.
+
+This change, when merged, needs to be backported to stable kernels.
+5.4-stable, 5.10-stable, 5.15-stable, 6.1-stable, 6.5-stable
+
+Fixes: 3780bb29311e ("ncsi: Propagate carrier gain/loss events to the NCSI controller")
+CC: stable@vger.kernel.org
+Signed-off-by: Johnathan Mantey <johnathanx.mantey@intel.com>
+Reviewed-by: Simon Horman <horms@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ncsi/ncsi-aen.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/net/ncsi/ncsi-aen.c
++++ b/net/ncsi/ncsi-aen.c
+@@ -89,11 +89,6 @@ static int ncsi_aen_handler_lsc(struct n
+ if ((had_link == has_link) || chained)
+ return 0;
+
+- if (had_link)
+- netif_carrier_off(ndp->ndev.dev);
+- else
+- netif_carrier_on(ndp->ndev.dev);
+-
+ if (!ndp->multi_package && !nc->package->multi_channel) {
+ if (had_link) {
+ ndp->flags |= NCSI_DEV_RESHUFFLE;
--- /dev/null
+From 8cb22bec142624d21bc85ff96b7bad10b6220e6a Mon Sep 17 00:00:00 2001
+From: Nam Cao <namcaov@gmail.com>
+Date: Tue, 29 Aug 2023 20:25:00 +0200
+Subject: riscv: kprobes: allow writing to x0
+
+From: Nam Cao <namcaov@gmail.com>
+
+commit 8cb22bec142624d21bc85ff96b7bad10b6220e6a upstream.
+
+Instructions can write to x0, so we should simulate these instructions
+normally.
+
+Currently, the kernel hangs if an instruction who writes to x0 is
+simulated.
+
+Fixes: c22b0bcb1dd0 ("riscv: Add kprobes supported")
+Cc: stable@vger.kernel.org
+Signed-off-by: Nam Cao <namcaov@gmail.com>
+Reviewed-by: Charlie Jenkins <charlie@rivosinc.com>
+Acked-by: Guo Ren <guoren@kernel.org>
+Link: https://lore.kernel.org/r/20230829182500.61875-1-namcaov@gmail.com
+Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/riscv/kernel/probes/simulate-insn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/riscv/kernel/probes/simulate-insn.c b/arch/riscv/kernel/probes/simulate-insn.c
+index d3099d67816d..6c166029079c 100644
+--- a/arch/riscv/kernel/probes/simulate-insn.c
++++ b/arch/riscv/kernel/probes/simulate-insn.c
+@@ -24,7 +24,7 @@ static inline bool rv_insn_reg_set_val(struct pt_regs *regs, u32 index,
+ unsigned long val)
+ {
+ if (index == 0)
+- return false;
++ return true;
+ else if (index <= 31)
+ *((unsigned long *)regs + index) = val;
+ else
+--
+2.43.0
+
--- /dev/null
+From e14aec23025eeb1f2159ba34dbc1458467c4c347 Mon Sep 17 00:00:00 2001
+From: Harald Freudenberger <freude@linux.ibm.com>
+Date: Mon, 23 Oct 2023 09:57:10 +0200
+Subject: s390/ap: fix AP bus crash on early config change callback invocation
+
+From: Harald Freudenberger <freude@linux.ibm.com>
+
+commit e14aec23025eeb1f2159ba34dbc1458467c4c347 upstream.
+
+Fix kernel crash in AP bus code caused by very early invocation of the
+config change callback function via SCLP.
+
+After a fresh IML of the machine the crypto cards are still offline and
+will get switched online only with activation of any LPAR which has the
+card in it's configuration. A crypto card coming online is reported
+to the LPAR via SCLP and the AP bus offers a callback function to get
+this kind of information. However, it may happen that the callback is
+invoked before the AP bus init function is complete. As the callback
+triggers a synchronous AP bus scan, the scan may already run but some
+internal states are not initialized by the AP bus init function resulting
+in a crash like this:
+
+ [ 11.635859] Unable to handle kernel pointer dereference in virtual kernel address space
+ [ 11.635861] Failing address: 0000000000000000 TEID: 0000000000000887
+ [ 11.635862] Fault in home space mode while using kernel ASCE.
+ [ 11.635864] AS:00000000894c4007 R3:00000001fece8007 S:00000001fece7800 P:000000000000013d
+ [ 11.635879] Oops: 0004 ilc:1 [#1] SMP
+ [ 11.635882] Modules linked in:
+ [ 11.635884] CPU: 5 PID: 42 Comm: kworker/5:0 Not tainted 6.6.0-rc3-00003-g4dbf7cdc6b42 #12
+ [ 11.635886] Hardware name: IBM 3931 A01 751 (LPAR)
+ [ 11.635887] Workqueue: events_long ap_scan_bus
+ [ 11.635891] Krnl PSW : 0704c00180000000 0000000000000000 (0x0)
+ [ 11.635895] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3
+ [ 11.635897] Krnl GPRS: 0000000001000a00 0000000000000000 0000000000000006 0000000089591940
+ [ 11.635899] 0000000080000000 0000000000000a00 0000000000000000 0000000000000000
+ [ 11.635901] 0000000081870c00 0000000089591000 000000008834e4e2 0000000002625a00
+ [ 11.635903] 0000000081734200 0000038000913c18 000000008834c6d6 0000038000913ac8
+ [ 11.635906] Krnl Code:>0000000000000000: 0000 illegal
+ [ 11.635906] 0000000000000002: 0000 illegal
+ [ 11.635906] 0000000000000004: 0000 illegal
+ [ 11.635906] 0000000000000006: 0000 illegal
+ [ 11.635906] 0000000000000008: 0000 illegal
+ [ 11.635906] 000000000000000a: 0000 illegal
+ [ 11.635906] 000000000000000c: 0000 illegal
+ [ 11.635906] 000000000000000e: 0000 illegal
+ [ 11.635915] Call Trace:
+ [ 11.635916] [<0000000000000000>] 0x0
+ [ 11.635918] [<000000008834e4e2>] ap_queue_init_state+0x82/0xb8
+ [ 11.635921] [<000000008834ba1c>] ap_scan_domains+0x6fc/0x740
+ [ 11.635923] [<000000008834c092>] ap_scan_adapter+0x632/0x8b0
+ [ 11.635925] [<000000008834c3e4>] ap_scan_bus+0xd4/0x288
+ [ 11.635927] [<00000000879a33ba>] process_one_work+0x19a/0x410
+ [ 11.635930] Discipline DIAG cannot be used without z/VM
+ [ 11.635930] [<00000000879a3a2c>] worker_thread+0x3fc/0x560
+ [ 11.635933] [<00000000879aea60>] kthread+0x120/0x128
+ [ 11.635936] [<000000008792afa4>] __ret_from_fork+0x3c/0x58
+ [ 11.635938] [<00000000885ebe62>] ret_from_fork+0xa/0x30
+ [ 11.635942] Last Breaking-Event-Address:
+ [ 11.635942] [<000000008834c6d4>] ap_wait+0xcc/0x148
+
+This patch improves the ap_bus_force_rescan() function which is
+invoked by the config change callback by checking if a first
+initial AP bus scan has been done. If not, the force rescan request
+is simple ignored. Anyhow it does not make sense to trigger AP bus
+re-scans even before the very first bus scan is complete.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Holger Dengler <dengler@linux.ibm.com>
+Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/crypto/ap_bus.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/s390/crypto/ap_bus.c
++++ b/drivers/s390/crypto/ap_bus.c
+@@ -955,6 +955,10 @@ EXPORT_SYMBOL(ap_driver_unregister);
+
+ void ap_bus_force_rescan(void)
+ {
++ /* Only trigger AP bus scans after the initial scan is done */
++ if (atomic64_read(&ap_scan_bus_count) <= 0)
++ return;
++
+ /* processing a asynchronous bus rescan */
+ del_timer(&ap_config_timer);
+ queue_work(system_long_wq, &ap_scan_work);
--- /dev/null
+From 5d6aa89bba5bd6af2580f872b57f438dab883738 Mon Sep 17 00:00:00 2001
+From: Darren Hart <darren@os.amperecomputing.com>
+Date: Thu, 21 Sep 2023 02:02:36 -0700
+Subject: sbsa_gwdt: Calculate timeout with 64-bit math
+
+From: Darren Hart <darren@os.amperecomputing.com>
+
+commit 5d6aa89bba5bd6af2580f872b57f438dab883738 upstream.
+
+Commit abd3ac7902fb ("watchdog: sbsa: Support architecture version 1")
+introduced new timer math for watchdog revision 1 with the 48 bit offset
+register.
+
+The gwdt->clk and timeout are u32, but the argument being calculated is
+u64. Without a cast, the compiler performs u32 operations, truncating
+intermediate steps, resulting in incorrect values.
+
+A watchdog revision 1 implementation with a gwdt->clk of 1GHz and a
+timeout of 600s writes 3647256576 to the one shot watchdog instead of
+300000000000, resulting in the watchdog firing in 3.6s instead of 600s.
+
+Force u64 math by casting the first argument (gwdt->clk) as a u64. Make
+the order of operations explicit with parenthesis.
+
+Fixes: abd3ac7902fb ("watchdog: sbsa: Support architecture version 1")
+Reported-by: Vanshidhar Konda <vanshikonda@os.amperecomputing.com>
+Signed-off-by: Darren Hart <darren@os.amperecomputing.com>
+Cc: Wim Van Sebroeck <wim@linux-watchdog.org>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Cc: linux-watchdog@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: <stable@vger.kernel.org> # 5.14.x
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/7d1713c5ffab19b0f3de796d82df19e8b1f340de.1695286124.git.darren@os.amperecomputing.com
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/watchdog/sbsa_gwdt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/watchdog/sbsa_gwdt.c
++++ b/drivers/watchdog/sbsa_gwdt.c
+@@ -153,14 +153,14 @@ static int sbsa_gwdt_set_timeout(struct
+ timeout = clamp_t(unsigned int, timeout, 1, wdd->max_hw_heartbeat_ms / 1000);
+
+ if (action)
+- sbsa_gwdt_reg_write(gwdt->clk * timeout, gwdt);
++ sbsa_gwdt_reg_write((u64)gwdt->clk * timeout, gwdt);
+ else
+ /*
+ * In the single stage mode, The first signal (WS0) is ignored,
+ * the timeout is (WOR * 2), so the WOR should be configured
+ * to half value of timeout.
+ */
+- sbsa_gwdt_reg_write(gwdt->clk / 2 * timeout, gwdt);
++ sbsa_gwdt_reg_write(((u64)gwdt->clk / 2) * timeout, gwdt);
+
+ return 0;
+ }
driver-core-release-all-resources-during-unbind-befo.patch
powerpc-pseries-ddw-simplify-enable_ddw.patch
powerpc-pseries-iommu-enable_ddw-incorrectly-returns.patch
+revert-ncsi-propagate-carrier-gain-loss-events-to-the-ncsi-controller.patch
+revert-i2c-pxa-move-to-generic-gpio-recovery.patch
+lsm-fix-default-return-value-for-vm_enough_memory.patch
+lsm-fix-default-return-value-for-inode_getsecctx.patch
+sbsa_gwdt-calculate-timeout-with-64-bit-math.patch
+i2c-designware-disable-tx_empty-irq-while-waiting-for-block-length-byte.patch
+s390-ap-fix-ap-bus-crash-on-early-config-change-callback-invocation.patch
+net-ethtool-fix-documentation-of-ethtool_sprintf.patch
+net-dsa-lan9303-consequently-nested-lock-physical-mdio.patch
+net-phylink-initialize-carrier-state-at-creation.patch
+i2c-i801-fix-potential-race-in-i801_block_transaction_byte_by_byte.patch
+f2fs-avoid-format-overflow-warning.patch
+media-lirc-drop-trailing-space-from-scancode-transmit.patch
+media-sharp-fix-sharp-encoding.patch
+media-venus-hfi_parser-add-check-to-keep-the-number-of-codecs-within-range.patch
+media-venus-hfi-fix-the-check-to-handle-session-buffer-requirement.patch
+media-venus-hfi-add-checks-to-handle-capabilities-from-firmware.patch
+media-ccs-correctly-initialise-try-compose-rectangle.patch
+nfsd-fix-file-memleak-on-client_opens_release.patch
+riscv-kprobes-allow-writing-to-x0.patch
+mmc-sdhci-pci-gli-a-workaround-to-allow-gl9750-to-enter-aspm-l1.2.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
