--- /dev/null
+From 56314c0d78d6f5a60c8804c517167991a879e14a Mon Sep 17 00:00:00 2001
+From: John Sweeney <john.sweeney@runbox.com>
+Date: Sun, 18 Aug 2024 11:30:15 -0400
+Subject: ALSA: hda/realtek: Enable mute/micmute LEDs on HP Laptop 14-ey0xxx
+
+From: John Sweeney <john.sweeney@runbox.com>
+
+commit 56314c0d78d6f5a60c8804c517167991a879e14a upstream.
+
+HP Pavilion Plus 14-ey0xxx needs existing quirk
+ALC245_FIXUP_HP_X360_MUTE_LEDS to enable its mute/micmute LEDs.
+
+Signed-off-by: John Sweeney <john.sweeney@runbox.com>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/E1sfhrD-0007TA-HC@rmmprod05.runbox
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10221,6 +10221,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x8c15, "HP Spectre x360 2-in-1 Laptop 14-eu0xxx", ALC245_FIXUP_HP_SPECTRE_X360_EU0XXX),
+ SND_PCI_QUIRK(0x103c, 0x8c16, "HP Spectre 16", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x103c, 0x8c17, "HP Spectre 16", ALC287_FIXUP_CS35L41_I2C_2),
++ SND_PCI_QUIRK(0x103c, 0x8c21, "HP Pavilion Plus Laptop 14-ey0XXX", ALC245_FIXUP_HP_X360_MUTE_LEDS),
+ SND_PCI_QUIRK(0x103c, 0x8c46, "HP EliteBook 830 G11", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8c47, "HP EliteBook 840 G11", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8c48, "HP EliteBook 860 G11", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
--- /dev/null
+From 2dc43c5e212036458ed7c5586fb82ee183fee504 Mon Sep 17 00:00:00 2001
+From: Hendrik Borghorst <hendrikborghorst@gmail.com>
+Date: Sun, 25 Aug 2024 19:43:47 +0200
+Subject: ALSA: hda/realtek: support HP Pavilion Aero 13-bg0xxx Mute LED
+
+From: Hendrik Borghorst <hendrikborghorst@gmail.com>
+
+commit 2dc43c5e212036458ed7c5586fb82ee183fee504 upstream.
+
+This patch adds the HP Pavilion Aero 13 (13-bg0xxx) (year 2024) to list of
+quirks for keyboard LED mute indication.
+
+The laptop has two LEDs (one for speaker and one for mic mute). The
+pre-existing quirk ALC245_FIXUP_HP_X360_MUTE_LEDS chains both the quirk for
+mic and speaker mute.
+
+Tested on 6.11.0-rc4 with the aforementioned laptop.
+
+Signed-off-by: Hendrik Borghorst <hendrikborghorst@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20240825174351.5687-1-hendrikborghorst@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -10260,6 +10260,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x8ca2, "HP ZBook Power", ALC236_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8ca4, "HP ZBook Fury", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8ca7, "HP ZBook Fury", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
++ SND_PCI_QUIRK(0x103c, 0x8cbd, "HP Pavilion Aero Laptop 13-bg0xxx", ALC245_FIXUP_HP_X360_MUTE_LEDS),
+ SND_PCI_QUIRK(0x103c, 0x8cdd, "HP Spectre", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x103c, 0x8cde, "HP Spectre", ALC287_FIXUP_CS35L41_I2C_2),
+ SND_PCI_QUIRK(0x103c, 0x8cdf, "HP SnowWhite", ALC287_FIXUP_CS35L41_I2C_2_HP_GPIO_LED),
--- /dev/null
+From 32108c22ac619c32dd6db594319e259b63bfb387 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 19 Aug 2024 10:41:53 +0200
+Subject: ALSA: seq: Skip event type filtering for UMP events
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 32108c22ac619c32dd6db594319e259b63bfb387 upstream.
+
+UMP events don't use the event type field, hence it's invalid to apply
+the filter, which may drop the events unexpectedly.
+Skip the event filtering for UMP events, instead.
+
+Fixes: 46397622a3fa ("ALSA: seq: Add UMP support")
+Cc: <stable@vger.kernel.org>
+Link: https://patch.msgid.link/20240819084156.10286-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/seq/seq_clientmgr.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -537,6 +537,9 @@ static struct snd_seq_client *get_event_
+ return NULL;
+ if (! dest->accept_input)
+ goto __not_avail;
++ if (snd_seq_ev_is_ump(event))
++ return dest; /* ok - no filter checks */
++
+ if ((dest->filter & SNDRV_SEQ_FILTER_USE_EVENT) &&
+ ! test_bit(event->type, dest->event_filter))
+ goto __not_avail;
--- /dev/null
+From 10d9d8c3512f16cad47b2ff81ec6fc4b27d8ee10 Mon Sep 17 00:00:00 2001
+From: Qu Wenruo <wqu@suse.com>
+Date: Sat, 17 Aug 2024 18:34:30 +0930
+Subject: btrfs: fix a use-after-free when hitting errors inside btrfs_submit_chunk()
+
+From: Qu Wenruo <wqu@suse.com>
+
+commit 10d9d8c3512f16cad47b2ff81ec6fc4b27d8ee10 upstream.
+
+[BUG]
+There is an internal report that KASAN is reporting use-after-free, with
+the following backtrace:
+
+ BUG: KASAN: slab-use-after-free in btrfs_check_read_bio+0xa68/0xb70 [btrfs]
+ Read of size 4 at addr ffff8881117cec28 by task kworker/u16:2/45
+ CPU: 1 UID: 0 PID: 45 Comm: kworker/u16:2 Not tainted 6.11.0-rc2-next-20240805-default+ #76
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
+ Workqueue: btrfs-endio btrfs_end_bio_work [btrfs]
+ Call Trace:
+ dump_stack_lvl+0x61/0x80
+ print_address_description.constprop.0+0x5e/0x2f0
+ print_report+0x118/0x216
+ kasan_report+0x11d/0x1f0
+ btrfs_check_read_bio+0xa68/0xb70 [btrfs]
+ process_one_work+0xce0/0x12a0
+ worker_thread+0x717/0x1250
+ kthread+0x2e3/0x3c0
+ ret_from_fork+0x2d/0x70
+ ret_from_fork_asm+0x11/0x20
+
+ Allocated by task 20917:
+ kasan_save_stack+0x37/0x60
+ kasan_save_track+0x10/0x30
+ __kasan_slab_alloc+0x7d/0x80
+ kmem_cache_alloc_noprof+0x16e/0x3e0
+ mempool_alloc_noprof+0x12e/0x310
+ bio_alloc_bioset+0x3f0/0x7a0
+ btrfs_bio_alloc+0x2e/0x50 [btrfs]
+ submit_extent_page+0x4d1/0xdb0 [btrfs]
+ btrfs_do_readpage+0x8b4/0x12a0 [btrfs]
+ btrfs_readahead+0x29a/0x430 [btrfs]
+ read_pages+0x1a7/0xc60
+ page_cache_ra_unbounded+0x2ad/0x560
+ filemap_get_pages+0x629/0xa20
+ filemap_read+0x335/0xbf0
+ vfs_read+0x790/0xcb0
+ ksys_read+0xfd/0x1d0
+ do_syscall_64+0x6d/0x140
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+ Freed by task 20917:
+ kasan_save_stack+0x37/0x60
+ kasan_save_track+0x10/0x30
+ kasan_save_free_info+0x37/0x50
+ __kasan_slab_free+0x4b/0x60
+ kmem_cache_free+0x214/0x5d0
+ bio_free+0xed/0x180
+ end_bbio_data_read+0x1cc/0x580 [btrfs]
+ btrfs_submit_chunk+0x98d/0x1880 [btrfs]
+ btrfs_submit_bio+0x33/0x70 [btrfs]
+ submit_one_bio+0xd4/0x130 [btrfs]
+ submit_extent_page+0x3ea/0xdb0 [btrfs]
+ btrfs_do_readpage+0x8b4/0x12a0 [btrfs]
+ btrfs_readahead+0x29a/0x430 [btrfs]
+ read_pages+0x1a7/0xc60
+ page_cache_ra_unbounded+0x2ad/0x560
+ filemap_get_pages+0x629/0xa20
+ filemap_read+0x335/0xbf0
+ vfs_read+0x790/0xcb0
+ ksys_read+0xfd/0x1d0
+ do_syscall_64+0x6d/0x140
+ entry_SYSCALL_64_after_hwframe+0x4b/0x53
+
+[CAUSE]
+Although I cannot reproduce the error, the report itself is good enough
+to pin down the cause.
+
+The call trace is the regular endio workqueue context, but the
+free-by-task trace is showing that during btrfs_submit_chunk() we
+already hit a critical error, and is calling btrfs_bio_end_io() to error
+out. And the original endio function called bio_put() to free the whole
+bio.
+
+This means a double freeing thus causing use-after-free, e.g.:
+
+1. Enter btrfs_submit_bio() with a read bio
+ The read bio length is 128K, crossing two 64K stripes.
+
+2. The first run of btrfs_submit_chunk()
+
+2.1 Call btrfs_map_block(), which returns 64K
+2.2 Call btrfs_split_bio()
+ Now there are two bios, one referring to the first 64K, the other
+ referring to the second 64K.
+2.3 The first half is submitted.
+
+3. The second run of btrfs_submit_chunk()
+
+3.1 Call btrfs_map_block(), which by somehow failed
+ Now we call btrfs_bio_end_io() to handle the error
+
+3.2 btrfs_bio_end_io() calls the original endio function
+ Which is end_bbio_data_read(), and it calls bio_put() for the
+ original bio.
+
+ Now the original bio is freed.
+
+4. The submitted first 64K bio finished
+ Now we call into btrfs_check_read_bio() and tries to advance the bio
+ iter.
+ But since the original bio (thus its iter) is already freed, we
+ trigger the above use-after free.
+
+ And even if the memory is not poisoned/corrupted, we will later call
+ the original endio function, causing a double freeing.
+
+[FIX]
+Instead of calling btrfs_bio_end_io(), call btrfs_orig_bbio_end_io(),
+which has the extra check on split bios and do the proper refcounting
+for cloned bios.
+
+Furthermore there is already one extra btrfs_cleanup_bio() call, but
+that is duplicated to btrfs_orig_bbio_end_io() call, so remove that
+label completely.
+
+Reported-by: David Sterba <dsterba@suse.com>
+Fixes: 852eee62d31a ("btrfs: allow btrfs_submit_bio to split bios")
+CC: stable@vger.kernel.org # 6.6+
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/bio.c | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+--- a/fs/btrfs/bio.c
++++ b/fs/btrfs/bio.c
+@@ -668,7 +668,6 @@ static bool btrfs_submit_chunk(struct bt
+ {
+ struct btrfs_inode *inode = bbio->inode;
+ struct btrfs_fs_info *fs_info = bbio->fs_info;
+- struct btrfs_bio *orig_bbio = bbio;
+ struct bio *bio = &bbio->bio;
+ u64 logical = bio->bi_iter.bi_sector << SECTOR_SHIFT;
+ u64 length = bio->bi_iter.bi_size;
+@@ -706,7 +705,7 @@ static bool btrfs_submit_chunk(struct bt
+ bbio->saved_iter = bio->bi_iter;
+ ret = btrfs_lookup_bio_sums(bbio);
+ if (ret)
+- goto fail_put_bio;
++ goto fail;
+ }
+
+ if (btrfs_op(bio) == BTRFS_MAP_WRITE) {
+@@ -740,13 +739,13 @@ static bool btrfs_submit_chunk(struct bt
+
+ ret = btrfs_bio_csum(bbio);
+ if (ret)
+- goto fail_put_bio;
++ goto fail;
+ } else if (use_append ||
+ (btrfs_is_zoned(fs_info) && inode &&
+ inode->flags & BTRFS_INODE_NODATASUM)) {
+ ret = btrfs_alloc_dummy_sum(bbio);
+ if (ret)
+- goto fail_put_bio;
++ goto fail;
+ }
+ }
+
+@@ -754,12 +753,23 @@ static bool btrfs_submit_chunk(struct bt
+ done:
+ return map_length == length;
+
+-fail_put_bio:
+- if (map_length < length)
+- btrfs_cleanup_bio(bbio);
+ fail:
+ btrfs_bio_counter_dec(fs_info);
+- btrfs_bio_end_io(orig_bbio, ret);
++ /*
++ * We have split the original bbio, now we have to end both the current
++ * @bbio and remaining one, as the remaining one will never be submitted.
++ */
++ if (map_length < length) {
++ struct btrfs_bio *remaining = bbio->private;
++
++ ASSERT(bbio->bio.bi_pool == &btrfs_clone_bioset);
++ ASSERT(remaining);
++
++ remaining->bio.bi_status = ret;
++ btrfs_orig_bbio_end_io(remaining);
++ }
++ bbio->bio.bi_status = ret;
++ btrfs_orig_bbio_end_io(bbio);
+ /* Do not submit another chunk */
+ return true;
+ }
--- /dev/null
+From 2d3447261031503b181dacc549fe65ffe2d93d65 Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Wed, 21 Aug 2024 15:53:18 -0400
+Subject: btrfs: run delayed iputs when flushing delalloc
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+commit 2d3447261031503b181dacc549fe65ffe2d93d65 upstream.
+
+We have transient failures with btrfs/301, specifically in the part
+where we do
+
+ for i in $(seq 0 10); do
+ write 50m to file
+ rm -f file
+ done
+
+Sometimes this will result in a transient quota error, and it's because
+sometimes we start writeback on the file which results in a delayed
+iput, and thus the rm doesn't actually clean the file up. When we're
+flushing the quota space we need to run the delayed iputs to make sure
+all the unlinks that we think have completed have actually completed.
+This removes the small window where we could fail to find enough space
+in our quota.
+
+CC: stable@vger.kernel.org # 5.15+
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/qgroup.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/btrfs/qgroup.c
++++ b/fs/btrfs/qgroup.c
+@@ -4100,6 +4100,8 @@ static int try_flush_qgroup(struct btrfs
+ return 0;
+ }
+
++ btrfs_run_delayed_iputs(root->fs_info);
++ btrfs_wait_on_delayed_iputs(root->fs_info);
+ ret = btrfs_start_delalloc_snapshot(root, true);
+ if (ret < 0)
+ goto out;
--- /dev/null
+From 11752c013f562a1124088a35bd314aa0e9f0e88f Mon Sep 17 00:00:00 2001
+From: Jack Xiao <Jack.Xiao@amd.com>
+Date: Thu, 18 Jul 2024 16:38:50 +0800
+Subject: drm/amdgpu/mes: fix mes ring buffer overflow
+
+From: Jack Xiao <Jack.Xiao@amd.com>
+
+commit 11752c013f562a1124088a35bd314aa0e9f0e88f upstream.
+
+wait memory room until enough before writing mes packets
+to avoid ring buffer overflow.
+
+v2: squash in sched_hw_submission fix
+
+Fixes: de3246254156 ("drm/amdgpu: cleanup MES11 command submission")
+Fixes: fffe347e1478 ("drm/amdgpu: cleanup MES12 command submission")
+Signed-off-by: Jack Xiao <Jack.Xiao@amd.com>
+Acked-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 34e087e8920e635c62e2ed6a758b0cd27f836d13)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c | 2 ++
+ drivers/gpu/drm/amd/amdgpu/mes_v11_0.c | 18 ++++++++++++++----
+ 2 files changed, 16 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ring.c
+@@ -212,6 +212,8 @@ int amdgpu_ring_init(struct amdgpu_devic
+ */
+ if (ring->funcs->type == AMDGPU_RING_TYPE_KIQ)
+ sched_hw_submission = max(sched_hw_submission, 256);
++ if (ring->funcs->type == AMDGPU_RING_TYPE_MES)
++ sched_hw_submission = 8;
+ else if (ring == &adev->sdma.instance[0].page)
+ sched_hw_submission = 256;
+
+--- a/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/mes_v11_0.c
+@@ -163,7 +163,7 @@ static int mes_v11_0_submit_pkt_and_poll
+ const char *op_str, *misc_op_str;
+ unsigned long flags;
+ u64 status_gpu_addr;
+- u32 status_offset;
++ u32 seq, status_offset;
+ u64 *status_ptr;
+ signed long r;
+ int ret;
+@@ -191,6 +191,13 @@ static int mes_v11_0_submit_pkt_and_poll
+ if (r)
+ goto error_unlock_free;
+
++ seq = ++ring->fence_drv.sync_seq;
++ r = amdgpu_fence_wait_polling(ring,
++ seq - ring->fence_drv.num_fences_mask,
++ timeout);
++ if (r < 1)
++ goto error_undo;
++
+ api_status = (struct MES_API_STATUS *)((char *)pkt + api_status_off);
+ api_status->api_completion_fence_addr = status_gpu_addr;
+ api_status->api_completion_fence_value = 1;
+@@ -203,8 +210,7 @@ static int mes_v11_0_submit_pkt_and_poll
+ mes_status_pkt.header.dwsize = API_FRAME_SIZE_IN_DWORDS;
+ mes_status_pkt.api_status.api_completion_fence_addr =
+ ring->fence_drv.gpu_addr;
+- mes_status_pkt.api_status.api_completion_fence_value =
+- ++ring->fence_drv.sync_seq;
++ mes_status_pkt.api_status.api_completion_fence_value = seq;
+
+ amdgpu_ring_write_multiple(ring, &mes_status_pkt,
+ sizeof(mes_status_pkt) / 4);
+@@ -224,7 +230,7 @@ static int mes_v11_0_submit_pkt_and_poll
+ dev_dbg(adev->dev, "MES msg=%d was emitted\n",
+ x_pkt->header.opcode);
+
+- r = amdgpu_fence_wait_polling(ring, ring->fence_drv.sync_seq, timeout);
++ r = amdgpu_fence_wait_polling(ring, seq, timeout);
+ if (r < 1 || !*status_ptr) {
+
+ if (misc_op_str)
+@@ -247,6 +253,10 @@ static int mes_v11_0_submit_pkt_and_poll
+ amdgpu_device_wb_free(adev, status_offset);
+ return 0;
+
++error_undo:
++ dev_err(adev->dev, "MES ring buffer is full.\n");
++ amdgpu_ring_undo(ring);
++
+ error_unlock_free:
+ spin_unlock_irqrestore(&mes->ring_lock, flags);
+
--- /dev/null
+From 0005e01e1e875c5e27130c5e2ed0189749d1e08a Mon Sep 17 00:00:00 2001
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+Date: Tue, 20 Aug 2024 16:56:19 +0800
+Subject: erofs: fix out-of-bound access when z_erofs_gbuf_growsize() partially fails
+
+From: Gao Xiang <hsiangkao@linux.alibaba.com>
+
+commit 0005e01e1e875c5e27130c5e2ed0189749d1e08a upstream.
+
+If z_erofs_gbuf_growsize() partially fails on a global buffer due to
+memory allocation failure or fault injection (as reported by syzbot [1]),
+new pages need to be freed by comparing to the existing pages to avoid
+memory leaks.
+
+However, the old gbuf->pages[] array may not be large enough, which can
+lead to null-ptr-deref or out-of-bound access.
+
+Fix this by checking against gbuf->nrpages in advance.
+
+[1] https://lore.kernel.org/r/000000000000f7b96e062018c6e3@google.com
+
+Reported-by: syzbot+242ee56aaa9585553766@syzkaller.appspotmail.com
+Fixes: d6db47e571dc ("erofs: do not use pagepool in z_erofs_gbuf_growsize()")
+Cc: <stable@vger.kernel.org> # 6.10+
+Reviewed-by: Chunhai Guo <guochunhai@vivo.com>
+Reviewed-by: Sandeep Dhavale <dhavale@google.com>
+Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
+Link: https://lore.kernel.org/r/20240820085619.1375963-1-hsiangkao@linux.alibaba.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/erofs/zutil.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/erofs/zutil.c
++++ b/fs/erofs/zutil.c
+@@ -111,7 +111,8 @@ int z_erofs_gbuf_growsize(unsigned int n
+ out:
+ if (i < z_erofs_gbuf_count && tmp_pages) {
+ for (j = 0; j < nrpages; ++j)
+- if (tmp_pages[j] && tmp_pages[j] != gbuf->pages[j])
++ if (tmp_pages[j] && (j >= gbuf->nrpages ||
++ tmp_pages[j] != gbuf->pages[j]))
+ __free_page(tmp_pages[j]);
+ kfree(tmp_pages);
+ }
--- /dev/null
+From 80376323e2b6a4559f86b2b4d864848ac25cb054 Mon Sep 17 00:00:00 2001
+From: Tiezhu Yang <yangtiezhu@loongson.cn>
+Date: Mon, 26 Aug 2024 23:11:32 +0800
+Subject: LoongArch: Add ifdefs to fix LSX and LASX related warnings
+
+From: Tiezhu Yang <yangtiezhu@loongson.cn>
+
+commit 80376323e2b6a4559f86b2b4d864848ac25cb054 upstream.
+
+There exist some warnings when building kernel if CONFIG_CPU_HAS_LBT is
+set but CONFIG_CPU_HAS_LSX and CONFIG_CPU_HAS_LASX are not set. In this
+case, there are no definitions of _restore_lsx & _restore_lasx and there
+are also no definitions of kvm_restore_lsx & kvm_restore_lasx in fpu.S
+and switch.S respectively, just add some ifdefs to fix these warnings.
+
+ AS arch/loongarch/kernel/fpu.o
+arch/loongarch/kernel/fpu.o: warning: objtool: unexpected relocation symbol type in .rela.discard.func_stack_frame_non_standard: 0
+arch/loongarch/kernel/fpu.o: warning: objtool: unexpected relocation symbol type in .rela.discard.func_stack_frame_non_standard: 0
+
+ AS [M] arch/loongarch/kvm/switch.o
+arch/loongarch/kvm/switch.o: warning: objtool: unexpected relocation symbol type in .rela.discard.func_stack_frame_non_standard: 0
+arch/loongarch/kvm/switch.o: warning: objtool: unexpected relocation symbol type in .rela.discard.func_stack_frame_non_standard: 0
+
+ MODPOST Module.symvers
+ERROR: modpost: "kvm_restore_lsx" [arch/loongarch/kvm/kvm.ko] undefined!
+ERROR: modpost: "kvm_restore_lasx" [arch/loongarch/kvm/kvm.ko] undefined!
+
+Cc: stable@vger.kernel.org # 6.9+
+Fixes: cb8a2ef0848c ("LoongArch: Add ORC stack unwinder support")
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/oe-kbuild-all/202408120955.qls5oNQY-lkp@intel.com/
+Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/kernel/fpu.S | 4 ++++
+ arch/loongarch/kvm/switch.S | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/arch/loongarch/kernel/fpu.S b/arch/loongarch/kernel/fpu.S
+index 69a85f2479fb..6ab640101457 100644
+--- a/arch/loongarch/kernel/fpu.S
++++ b/arch/loongarch/kernel/fpu.S
+@@ -530,6 +530,10 @@ SYM_FUNC_END(_restore_lasx_context)
+
+ #ifdef CONFIG_CPU_HAS_LBT
+ STACK_FRAME_NON_STANDARD _restore_fp
++#ifdef CONFIG_CPU_HAS_LSX
+ STACK_FRAME_NON_STANDARD _restore_lsx
++#endif
++#ifdef CONFIG_CPU_HAS_LASX
+ STACK_FRAME_NON_STANDARD _restore_lasx
+ #endif
++#endif
+diff --git a/arch/loongarch/kvm/switch.S b/arch/loongarch/kvm/switch.S
+index 80e988985a6a..0c292f818492 100644
+--- a/arch/loongarch/kvm/switch.S
++++ b/arch/loongarch/kvm/switch.S
+@@ -277,6 +277,10 @@ SYM_DATA(kvm_enter_guest_size, .quad kvm_enter_guest_end - kvm_enter_guest)
+
+ #ifdef CONFIG_CPU_HAS_LBT
+ STACK_FRAME_NON_STANDARD kvm_restore_fpu
++#ifdef CONFIG_CPU_HAS_LSX
+ STACK_FRAME_NON_STANDARD kvm_restore_lsx
++#endif
++#ifdef CONFIG_CPU_HAS_LASX
+ STACK_FRAME_NON_STANDARD kvm_restore_lasx
+ #endif
++#endif
+--
+2.46.0
+
--- /dev/null
+From 58aec91efb93338d1cc7acc0a93242613a2a4e5f Mon Sep 17 00:00:00 2001
+From: Miao Wang <shankerwangmiao@gmail.com>
+Date: Sun, 25 Aug 2024 22:17:39 +0800
+Subject: LoongArch: Remove the unused dma-direct.h
+
+From: Miao Wang <shankerwangmiao@gmail.com>
+
+commit 58aec91efb93338d1cc7acc0a93242613a2a4e5f upstream.
+
+dma-direct.h is introduced in commit d4b6f1562a3c3284 ("LoongArch: Add
+Non-Uniform Memory Access (NUMA) support"). In commit c78c43fe7d42524c
+("LoongArch: Use acpi_arch_dma_setup() and remove ARCH_HAS_PHYS_TO_DMA"),
+ARCH_HAS_PHYS_TO_DMA was deselected and the coresponding phys_to_dma()/
+dma_to_phys() functions were removed. However, the unused dma-direct.h
+was left behind, which is removed by this patch.
+
+Cc: <stable@vger.kernel.org>
+Fixes: c78c43fe7d42 ("LoongArch: Use acpi_arch_dma_setup() and remove ARCH_HAS_PHYS_TO_DMA")
+Signed-off-by: Miao Wang <shankerwangmiao@gmail.com>
+Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/loongarch/include/asm/dma-direct.h | 11 -----------
+ 1 file changed, 11 deletions(-)
+ delete mode 100644 arch/loongarch/include/asm/dma-direct.h
+
+--- a/arch/loongarch/include/asm/dma-direct.h
++++ /dev/null
+@@ -1,11 +0,0 @@
+-/* SPDX-License-Identifier: GPL-2.0 */
+-/*
+- * Copyright (C) 2020-2022 Loongson Technology Corporation Limited
+- */
+-#ifndef _LOONGARCH_DMA_DIRECT_H
+-#define _LOONGARCH_DMA_DIRECT_H
+-
+-dma_addr_t phys_to_dma(struct device *dev, phys_addr_t paddr);
+-phys_addr_t dma_to_phys(struct device *dev, dma_addr_t daddr);
+-
+-#endif /* _LOONGARCH_DMA_DIRECT_H */
--- /dev/null
+From 128f71fe014fc91efa1407ce549f94a9a9f1072c Mon Sep 17 00:00:00 2001
+From: Huang-Huang Bao <i@eh5.me>
+Date: Tue, 9 Jul 2024 18:54:28 +0800
+Subject: pinctrl: rockchip: correct RK3328 iomux width flag for GPIO2-B pins
+
+From: Huang-Huang Bao <i@eh5.me>
+
+commit 128f71fe014fc91efa1407ce549f94a9a9f1072c upstream.
+
+The base iomux offsets for each GPIO pin line are accumulatively
+calculated based off iomux width flag in rockchip_pinctrl_get_soc_data.
+If the iomux width flag is one of IOMUX_WIDTH_4BIT, IOMUX_WIDTH_3BIT or
+IOMUX_WIDTH_2BIT, the base offset for next pin line would increase by 8
+bytes, otherwise it would increase by 4 bytes.
+
+Despite most of GPIO2-B iomux have 2-bit data width, which can be fit
+into 4 bytes space with write mask, it actually take 8 bytes width for
+whole GPIO2-B line.
+
+Commit e8448a6c817c ("pinctrl: rockchip: fix pinmux bits for RK3328
+GPIO2-B pins") wrongly set iomux width flag to 0, causing all base
+iomux offset for line after GPIO2-B to be calculated wrong. Fix the
+iomux width flag to IOMUX_WIDTH_2BIT so the offset after GPIO2-B is
+correctly increased by 8, matching the actual width of GPIO2-B iomux.
+
+Fixes: e8448a6c817c ("pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins")
+Cc: stable@vger.kernel.org
+Reported-by: Richard Kojedzinszky <richard@kojedz.in>
+Closes: https://lore.kernel.org/linux-rockchip/4f29b743202397d60edfb3c725537415@kojedz.in/
+Tested-by: Richard Kojedzinszky <richard@kojedz.in>
+Signed-off-by: Huang-Huang Bao <i@eh5.me>
+Reviewed-by: Heiko Stuebner <heiko@sntech.de>
+Tested-by: Daniel Golle <daniel@makrotopia.org>
+Tested-by: Trevor Woerner <twoerner@gmail.com>
+Link: https://lore.kernel.org/20240709105428.1176375-1-i@eh5.me
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/pinctrl-rockchip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/pinctrl-rockchip.c
++++ b/drivers/pinctrl/pinctrl-rockchip.c
+@@ -3800,7 +3800,7 @@ static struct rockchip_pin_bank rk3328_p
+ PIN_BANK_IOMUX_FLAGS(0, 32, "gpio0", 0, 0, 0, 0),
+ PIN_BANK_IOMUX_FLAGS(1, 32, "gpio1", 0, 0, 0, 0),
+ PIN_BANK_IOMUX_FLAGS(2, 32, "gpio2", 0,
+- 0,
++ IOMUX_WIDTH_2BIT,
+ IOMUX_WIDTH_3BIT,
+ 0),
+ PIN_BANK_IOMUX_FLAGS(3, 32, "gpio3",
--- /dev/null
+From 1c38a62f15e595346a1106025722869e87ffe044 Mon Sep 17 00:00:00 2001
+From: Ma Ke <make24@iscas.ac.cn>
+Date: Thu, 8 Aug 2024 12:13:55 +0800
+Subject: pinctrl: single: fix potential NULL dereference in pcs_get_function()
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+commit 1c38a62f15e595346a1106025722869e87ffe044 upstream.
+
+pinmux_generic_get_function() can return NULL and the pointer 'function'
+was dereferenced without checking against NULL. Add checking of pointer
+'function' in pcs_get_function().
+
+Found by code review.
+
+Cc: stable@vger.kernel.org
+Fixes: 571aec4df5b7 ("pinctrl: single: Use generic pinmux helpers for managing functions")
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+Link: https://lore.kernel.org/20240808041355.2766009-1-make24@iscas.ac.cn
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/pinctrl-single.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/pinctrl/pinctrl-single.c
++++ b/drivers/pinctrl/pinctrl-single.c
+@@ -345,6 +345,8 @@ static int pcs_get_function(struct pinct
+ return -ENOTSUPP;
+ fselector = setting->func;
+ function = pinmux_generic_get_function(pctldev, fselector);
++ if (!function)
++ return -EINVAL;
+ *func = function->data;
+ if (!(*func)) {
+ dev_err(pcs->dev, "%s could not find function%i\n",
--- /dev/null
+drm-amdgpu-mes-fix-mes-ring-buffer-overflow.patch
+erofs-fix-out-of-bound-access-when-z_erofs_gbuf_growsize-partially-fails.patch
+alsa-seq-skip-event-type-filtering-for-ump-events.patch
+alsa-hda-realtek-enable-mute-micmute-leds-on-hp-laptop-14-ey0xxx.patch
+alsa-hda-realtek-support-hp-pavilion-aero-13-bg0xxx-mute-led.patch
+loongarch-remove-the-unused-dma-direct.h.patch
+loongarch-add-ifdefs-to-fix-lsx-and-lasx-related-warnings.patch
+tpm-ibmvtpm-call-tpm2_sessions_init-to-initialize-session-support.patch
+btrfs-fix-a-use-after-free-when-hitting-errors-inside-btrfs_submit_chunk.patch
+btrfs-run-delayed-iputs-when-flushing-delalloc.patch
+smb-client-avoid-dereferencing-rdata-null-in-smb2_new_read_req.patch
+pinctrl-rockchip-correct-rk3328-iomux-width-flag-for-gpio2-b-pins.patch
+pinctrl-single-fix-potential-null-dereference-in-pcs_get_function.patch
--- /dev/null
+From c724b2ab6a46435b4e7d58ad2fbbdb7a318823cf Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 21 Aug 2024 17:18:23 +0200
+Subject: smb/client: avoid dereferencing rdata=NULL in smb2_new_read_req()
+
+From: Stefan Metzmacher <metze@samba.org>
+
+commit c724b2ab6a46435b4e7d58ad2fbbdb7a318823cf upstream.
+
+This happens when called from SMB2_read() while using rdma
+and reaching the rdma_readwrite_threshold.
+
+Cc: stable@vger.kernel.org
+Fixes: a6559cc1d35d ("cifs: split out smb3_use_rdma_offload() helper")
+Reviewed-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/client/smb2pdu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/smb/client/smb2pdu.c
++++ b/fs/smb/client/smb2pdu.c
+@@ -4435,7 +4435,7 @@ smb2_new_read_req(void **buf, unsigned i
+ * If we want to do a RDMA write, fill in and append
+ * smbd_buffer_descriptor_v1 to the end of read request
+ */
+- if (smb3_use_rdma_offload(io_parms)) {
++ if (rdata && smb3_use_rdma_offload(io_parms)) {
+ struct smbd_buffer_descriptor_v1 *v1;
+ bool need_invalidate = server->dialect == SMB30_PROT_ID;
+
--- /dev/null
+From 08d08e2e9f0ad1af0044e4747723f66677c35ee9 Mon Sep 17 00:00:00 2001
+From: Stefan Berger <stefanb@linux.ibm.com>
+Date: Mon, 29 Jul 2024 09:29:34 -0400
+Subject: tpm: ibmvtpm: Call tpm2_sessions_init() to initialize session support
+
+From: Stefan Berger <stefanb@linux.ibm.com>
+
+commit 08d08e2e9f0ad1af0044e4747723f66677c35ee9 upstream.
+
+Commit d2add27cf2b8 ("tpm: Add NULL primary creation") introduced
+CONFIG_TCG_TPM2_HMAC. When this option is enabled on ppc64 then the
+following message appears in the kernel log due to a missing call to
+tpm2_sessions_init().
+
+[ 2.654549] tpm tpm0: auth session is not active
+
+Add the missing call to tpm2_session_init() to the ibmvtpm driver to
+resolve this issue.
+
+Cc: stable@vger.kernel.org # v6.10+
+Fixes: d2add27cf2b8 ("tpm: Add NULL primary creation")
+Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/tpm/tpm_ibmvtpm.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/char/tpm/tpm_ibmvtpm.c b/drivers/char/tpm/tpm_ibmvtpm.c
+index d3989b257f42..1e5b107d1f3b 100644
+--- a/drivers/char/tpm/tpm_ibmvtpm.c
++++ b/drivers/char/tpm/tpm_ibmvtpm.c
+@@ -698,6 +698,10 @@ static int tpm_ibmvtpm_probe(struct vio_dev *vio_dev,
+ rc = tpm2_get_cc_attrs_tbl(chip);
+ if (rc)
+ goto init_irq_cleanup;
++
++ rc = tpm2_sessions_init(chip);
++ if (rc)
++ goto init_irq_cleanup;
+ }
+
+ return tpm_chip_register(chip);
+--
+2.46.0
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
