--- /dev/null
+From 379c590113ce46f605439d4887996c60ab8820cc Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Mon, 10 Mar 2025 14:12:20 +0100
+Subject: ARM: shmobile: smp: Enforce shmobile_smp_* alignment
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit 379c590113ce46f605439d4887996c60ab8820cc upstream.
+
+When the addresses of the shmobile_smp_mpidr, shmobile_smp_fn, and
+shmobile_smp_arg variables are not multiples of 4 bytes, secondary CPU
+bring-up fails:
+
+ smp: Bringing up secondary CPUs ...
+ CPU1: failed to come online
+ CPU2: failed to come online
+ CPU3: failed to come online
+ smp: Brought up 1 node, 1 CPU
+
+Fix this by adding the missing alignment directive.
+
+Fixes: 4e960f52fce16a3b ("ARM: shmobile: Move shmobile_smp_{mpidr, fn, arg}[] from .text to .bss")
+Closes: https://lore.kernel.org/r/CAMuHMdU=QR-JLgEHKWpsr6SbaZRc-Hz9r91JfpP8c3n2G-OjqA@mail.gmail.com
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Tested-by: Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com>
+Link: https://lore.kernel.org/c499234d559a0d95ad9472883e46077311051cd8.1741612208.git.geert+renesas@glider.be
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/mach-shmobile/headsmp.S | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm/mach-shmobile/headsmp.S
++++ b/arch/arm/mach-shmobile/headsmp.S
+@@ -136,6 +136,7 @@ ENDPROC(shmobile_smp_sleep)
+ .long shmobile_smp_arg - 1b
+
+ .bss
++ .align 2
+ .globl shmobile_smp_mpidr
+ shmobile_smp_mpidr:
+ .space NR_CPUS * 4
--- /dev/null
+From ffcef3df680c437ca33ff434be18ec24d72907c2 Mon Sep 17 00:00:00 2001
+From: Dragan Simic <dsimic@manjaro.org>
+Date: Sun, 2 Mar 2025 19:48:04 +0100
+Subject: arm64: dts: rockchip: Add missing PCIe supplies to RockPro64 board dtsi
+
+From: Dragan Simic <dsimic@manjaro.org>
+
+commit ffcef3df680c437ca33ff434be18ec24d72907c2 upstream.
+
+Add missing "vpcie0v9-supply" and "vpcie1v8-supply" properties to the "pcie0"
+node in the Pine64 RockPro64 board dtsi file. This eliminates the following
+warnings from the kernel log:
+
+ rockchip-pcie f8000000.pcie: supply vpcie1v8 not found, using dummy regulator
+ rockchip-pcie f8000000.pcie: supply vpcie0v9 not found, using dummy regulator
+
+These additions improve the accuracy of hardware description of the RockPro64
+and, in theory, they should result in no functional changes to the way board
+works after the changes, because the "vcca_0v9" and "vcca_1v8" regulators are
+always enabled. [1][2] However, extended reliability testing, performed by
+Chris, [3] has proven that the age-old issues with some PCI Express cards,
+when used with a Pine64 RockPro64, are also resolved.
+
+Those issues were already mentioned in the commit 43853e843aa6 (arm64: dts:
+rockchip: Remove unsupported node from the Pinebook Pro dts, 2024-04-01),
+together with a brief description of the out-of-tree enumeration delay patch
+that reportedly resolves those issues. In a nutshell, booting a RockPro64
+with some PCI Express cards attached to it caused a kernel oops. [4]
+
+Symptomatically enough, to the commit author's best knowledge, only the Pine64
+RockPro64, out of all RK3399-based boards and devices supported upstream, has
+been reported to suffer from those PCI Express issues, and only the RockPro64
+had some of the PCI Express supplies missing in its DT. Thus, perhaps some
+weird timing issues exist that caused the "vcca_1v8" always-on regulator,
+which is part of the RK808 PMIC, to actually not be enabled before the PCI
+Express is initialized and enumerated on the RockPro64, causing oopses with
+some PCIe cards, and the aforementioned enumeration delay patch [4] probably
+acted as just a workaround for the underlying timing issue.
+
+Admittedly, the Pine64 RockPro64 is a bit specific board by having a standard
+PCI Express slot, allowing use of various standard cards, but pretty much
+standard PCI Express cards have been attached to other RK3399 boards as well,
+and the commit author is unaware ot such issues reported for them.
+
+It's quite hard to be sure that the PCI Express issues are fully resolved by
+these additions to the DT, without some really extensive and time-consuming
+testing. However, these additions to the DT can result in good things and
+improvements anyway, making them perfectly safe from the standpoint of being
+unable to do any harm or cause some unforeseen regressions.
+
+These changes apply to the both supported hardware revisions of the Pine64
+RockPro64, i.e. to the production-run revisions 2.0 and 2.1. [1][2]
+
+[1] https://files.pine64.org/doc/rockpro64/rockpro64_v21-SCH.pdf
+[2] https://files.pine64.org/doc/rockpro64/rockpro64_v20-SCH.pdf
+[3] https://z9.de/hedgedoc/s/nF4d5G7rg#reboot-tests-for-PCIe-improvements
+[4] https://lore.kernel.org/lkml/20230509153912.515218-1-vincenzopalazzodev@gmail.com/T/#u
+
+Fixes: bba821f5479e ("arm64: dts: rockchip: add PCIe nodes on rk3399-rockpro64")
+Cc: stable@vger.kernel.org
+Cc: Vincenzo Palazzo <vincenzopalazzodev@gmail.com>
+Cc: Peter Geis <pgwipeout@gmail.com>
+Cc: Bjorn Helgaas <helgaas@kernel.org>
+Reported-by: Diederik de Haas <didi.debian@cknow.org>
+Tested-by: Chris Vogel <chris@z9.de>
+Signed-off-by: Dragan Simic <dsimic@manjaro.org>
+Tested-by: Diederik de Haas <didi.debian@cknow.org>
+Link: https://lore.kernel.org/r/b39cfd7490d8194f053bf3971f13a43472d1769e.1740941097.git.dsimic@manjaro.org
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi
++++ b/arch/arm64/boot/dts/rockchip/rk3399-rockpro64.dtsi
+@@ -546,6 +546,8 @@
+ num-lanes = <4>;
+ pinctrl-names = "default";
+ pinctrl-0 = <&pcie_perst>;
++ vpcie0v9-supply = <&vcca_0v9>;
++ vpcie1v8-supply = <&vcca_1v8>;
+ vpcie12v-supply = <&vcc12v_dcin>;
+ vpcie3v3-supply = <&vcc3v3_pcie>;
+ status = "okay";
--- /dev/null
+From 548b0c5de7619ef53bbde5590700693f2f6d2a56 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Sun, 2 Feb 2025 17:04:13 +0100
+Subject: batman-adv: Ignore own maximum aggregation size during RX
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit 548b0c5de7619ef53bbde5590700693f2f6d2a56 upstream.
+
+An OGMv1 and OGMv2 packet receive processing were not only limited by the
+number of bytes in the received packet but also by the nodes maximum
+aggregation packet size limit. But this limit is relevant for TX and not
+for RX. It must not be enforced by batadv_(i)v_ogm_aggr_packet to avoid
+loss of information in case of a different limit for sender and receiver.
+
+This has a minor side effect for B.A.T.M.A.N. IV because the
+batadv_iv_ogm_aggr_packet is also used for the preprocessing for the TX.
+But since the aggregation code itself will not allow more than
+BATADV_MAX_AGGREGATION_BYTES bytes, this check was never triggering (in
+this context) prior of removing it.
+
+Cc: stable@vger.kernel.org
+Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
+Fixes: 9323158ef9f4 ("batman-adv: OGMv2 - implement originators logic")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bat_iv_ogm.c | 3 +--
+ net/batman-adv/bat_v_ogm.c | 3 +--
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -326,8 +326,7 @@ batadv_iv_ogm_aggr_packet(int buff_pos,
+ /* check if there is enough space for the optional TVLV */
+ next_buff_pos += ntohs(ogm_packet->tvlv_len);
+
+- return (next_buff_pos <= packet_len) &&
+- (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES);
++ return next_buff_pos <= packet_len;
+ }
+
+ /* send a batman ogm to a given interface */
+--- a/net/batman-adv/bat_v_ogm.c
++++ b/net/batman-adv/bat_v_ogm.c
+@@ -850,8 +850,7 @@ batadv_v_ogm_aggr_packet(int buff_pos, i
+ /* check if there is enough space for the optional TVLV */
+ next_buff_pos += ntohs(ogm2_packet->tvlv_len);
+
+- return (next_buff_pos <= packet_len) &&
+- (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES);
++ return next_buff_pos <= packet_len;
+ }
+
+ /**
--- /dev/null
+From dd8689b52a24807c2d5ce0a17cb26dc87f75235c Mon Sep 17 00:00:00 2001
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Date: Tue, 11 Mar 2025 14:14:59 +0300
+Subject: drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse()
+
+From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+
+commit dd8689b52a24807c2d5ce0a17cb26dc87f75235c upstream.
+
+On the off chance that command stream passed from userspace via
+ioctl() call to radeon_vce_cs_parse() is weirdly crafted and
+first command to execute is to encode (case 0x03000001), the function
+in question will attempt to call radeon_vce_cs_reloc() with size
+argument that has not been properly initialized. Specifically, 'size'
+will point to 'tmp' variable before the latter had a chance to be
+assigned any value.
+
+Play it safe and init 'tmp' with 0, thus ensuring that
+radeon_vce_cs_reloc() will catch an early error in cases like these.
+
+Found by Linux Verification Center (linuxtesting.org) with static
+analysis tool SVACE.
+
+Fixes: 2fc5703abda2 ("drm/radeon: check VCE relocation buffer range v3")
+Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+(cherry picked from commit 2d52de55f9ee7aaee0e09ac443f77855989c6b68)
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/radeon/radeon_vce.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/radeon/radeon_vce.c
++++ b/drivers/gpu/drm/radeon/radeon_vce.c
+@@ -558,7 +558,7 @@ int radeon_vce_cs_parse(struct radeon_cs
+ {
+ int session_idx = -1;
+ bool destroyed = false, created = false, allocated = false;
+- uint32_t tmp, handle = 0;
++ uint32_t tmp = 0, handle = 0;
+ uint32_t *size = &tmp;
+ int i, r = 0;
+
--- /dev/null
+From 80cbee810e4e13cdbd3ae9654e9ecddf17f3e828 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ma=C3=ADra=20Canal?= <mcanal@igalia.com>
+Date: Thu, 13 Mar 2025 11:43:26 -0300
+Subject: drm/v3d: Don't run jobs that have errors flagged in its fence
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maíra Canal <mcanal@igalia.com>
+
+commit 80cbee810e4e13cdbd3ae9654e9ecddf17f3e828 upstream.
+
+The V3D driver still relies on `drm_sched_increase_karma()` and
+`drm_sched_resubmit_jobs()` for resubmissions when a timeout occurs.
+The function `drm_sched_increase_karma()` marks the job as guilty, while
+`drm_sched_resubmit_jobs()` sets an error (-ECANCELED) in the DMA fence of
+that guilty job.
+
+Because of this, we must check whether the job’s DMA fence has been
+flagged with an error before executing the job. Otherwise, the same guilty
+job may be resubmitted indefinitely, causing repeated GPU resets.
+
+This patch adds a check for an error on the job's fence to prevent running
+a guilty job that was previously flagged when the GPU timed out.
+
+Note that the CPU and CACHE_CLEAN queues do not require this check, as
+their jobs are executed synchronously once the DRM scheduler starts them.
+
+Cc: stable@vger.kernel.org
+Fixes: d223f98f0209 ("drm/v3d: Add support for compute shader dispatch.")
+Fixes: 1584f16ca96e ("drm/v3d: Add support for submitting jobs to the TFU.")
+Reviewed-by: Iago Toral Quiroga <itoral@igalia.com>
+Signed-off-by: Maíra Canal <mcanal@igalia.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20250313-v3d-gpu-reset-fixes-v4-1-c1e780d8e096@igalia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/v3d/v3d_sched.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/v3d/v3d_sched.c
++++ b/drivers/gpu/drm/v3d/v3d_sched.c
+@@ -188,11 +188,15 @@ v3d_tfu_job_run(struct drm_sched_job *sc
+ struct drm_device *dev = &v3d->drm;
+ struct dma_fence *fence;
+
++ if (unlikely(job->base.base.s_fence->finished.error))
++ return NULL;
++
++ v3d->tfu_job = job;
++
+ fence = v3d_fence_create(v3d, V3D_TFU);
+ if (IS_ERR(fence))
+ return NULL;
+
+- v3d->tfu_job = job;
+ if (job->base.irq_fence)
+ dma_fence_put(job->base.irq_fence);
+ job->base.irq_fence = dma_fence_get(fence);
+@@ -226,6 +230,9 @@ v3d_csd_job_run(struct drm_sched_job *sc
+ struct dma_fence *fence;
+ int i;
+
++ if (unlikely(job->base.base.s_fence->finished.error))
++ return NULL;
++
+ v3d->csd_job = job;
+
+ v3d_invalidate_caches(v3d);
--- /dev/null
+From 285df995f90e3d61d97f327d34b9659d92313314 Mon Sep 17 00:00:00 2001
+From: Andreas Kemnade <andreas@kemnade.info>
+Date: Fri, 28 Feb 2025 15:04:20 +0100
+Subject: i2c: omap: fix IRQ storms
+
+From: Andreas Kemnade <andreas@kemnade.info>
+
+commit 285df995f90e3d61d97f327d34b9659d92313314 upstream.
+
+On the GTA04A5 writing a reset command to the gyroscope causes IRQ
+storms because NACK IRQs are enabled and therefore triggered but not
+acked.
+
+Sending a reset command to the gyroscope by
+i2cset 1 0x69 0x14 0xb6
+with an additional debug print in the ISR (not the thread) itself
+causes
+
+[ 363.353515] i2c i2c-1: ioctl, cmd=0x720, arg=0xbe801b00
+[ 363.359039] omap_i2c 48072000.i2c: addr: 0x0069, len: 2, flags: 0x0, stop: 1
+[ 363.366180] omap_i2c 48072000.i2c: IRQ LL (ISR = 0x1110)
+[ 363.371673] omap_i2c 48072000.i2c: IRQ (ISR = 0x0010)
+[ 363.376892] omap_i2c 48072000.i2c: IRQ LL (ISR = 0x0102)
+[ 363.382263] omap_i2c 48072000.i2c: IRQ LL (ISR = 0x0102)
+[ 363.387664] omap_i2c 48072000.i2c: IRQ LL (ISR = 0x0102)
+repeating till infinity
+[...]
+(0x2 = NACK, 0x100 = Bus free, which is not enabled)
+Apparently no other IRQ bit gets set, so this stalls.
+
+Do not ignore enabled interrupts and make sure they are acked.
+If the NACK IRQ is not needed, it should simply not enabled, but
+according to the above log, caring about it is necessary unless
+the Bus free IRQ is enabled and handled. The assumption that is
+will always come with a ARDY IRQ, which was the idea behind
+ignoring it, proves wrong.
+It is true for simple reads from an unused address.
+
+To still avoid the i2cdetect trouble which is the reason for
+commit c770657bd261 ("i2c: omap: Fix standard mode false ACK readings"),
+avoid doing much about NACK in omap_i2c_xfer_data() which is used
+by both IRQ mode and polling mode, so also the false detection fix
+is extended to polling usage and IRQ storms are avoided.
+
+By changing this, the hardirq handler is not needed anymore to filter
+stuff.
+
+The mentioned gyro reset now just causes a -ETIMEDOUT instead of
+hanging the system.
+
+Fixes: c770657bd261 ("i2c: omap: Fix standard mode false ACK readings").
+CC: stable@kernel.org
+Signed-off-by: Andreas Kemnade <andreas@kemnade.info>
+Tested-by: Nishanth Menon <nm@ti.com>
+Reviewed-by: Aniket Limaye <a-limaye@ti.com>
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Link: https://lore.kernel.org/r/20250228140420.379498-1-andreas@kemnade.info
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-omap.c | 26 +++++++-------------------
+ 1 file changed, 7 insertions(+), 19 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-omap.c
++++ b/drivers/i2c/busses/i2c-omap.c
+@@ -1049,23 +1049,6 @@ static int omap_i2c_transmit_data(struct
+ return 0;
+ }
+
+-static irqreturn_t
+-omap_i2c_isr(int irq, void *dev_id)
+-{
+- struct omap_i2c_dev *omap = dev_id;
+- irqreturn_t ret = IRQ_HANDLED;
+- u16 mask;
+- u16 stat;
+-
+- stat = omap_i2c_read_reg(omap, OMAP_I2C_STAT_REG);
+- mask = omap_i2c_read_reg(omap, OMAP_I2C_IE_REG) & ~OMAP_I2C_STAT_NACK;
+-
+- if (stat & mask)
+- ret = IRQ_WAKE_THREAD;
+-
+- return ret;
+-}
+-
+ static int omap_i2c_xfer_data(struct omap_i2c_dev *omap)
+ {
+ u16 bits;
+@@ -1096,8 +1079,13 @@ static int omap_i2c_xfer_data(struct oma
+ }
+
+ if (stat & OMAP_I2C_STAT_NACK) {
+- err |= OMAP_I2C_STAT_NACK;
++ omap->cmd_err |= OMAP_I2C_STAT_NACK;
+ omap_i2c_ack_stat(omap, OMAP_I2C_STAT_NACK);
++
++ if (!(stat & ~OMAP_I2C_STAT_NACK)) {
++ err = -EAGAIN;
++ break;
++ }
+ }
+
+ if (stat & OMAP_I2C_STAT_AL) {
+@@ -1475,7 +1463,7 @@ omap_i2c_probe(struct platform_device *p
+ IRQF_NO_SUSPEND, pdev->name, omap);
+ else
+ r = devm_request_threaded_irq(&pdev->dev, omap->irq,
+- omap_i2c_isr, omap_i2c_isr_thread,
++ NULL, omap_i2c_isr_thread,
+ IRQF_NO_SUSPEND | IRQF_ONESHOT,
+ pdev->name, omap);
+
--- /dev/null
+From e51a349d2dcf1df8422dabb90b2f691dc7df6f92 Mon Sep 17 00:00:00 2001
+From: Gu Bowen <gubowen5@huawei.com>
+Date: Tue, 25 Feb 2025 10:28:56 +0800
+Subject: mmc: atmel-mci: Add missing clk_disable_unprepare()
+
+From: Gu Bowen <gubowen5@huawei.com>
+
+commit e51a349d2dcf1df8422dabb90b2f691dc7df6f92 upstream.
+
+The error path when atmci_configure_dma() set dma fails in atmci driver
+does not correctly disable the clock.
+Add the missing clk_disable_unprepare() to the error path for pair with
+clk_prepare_enable().
+
+Fixes: 467e081d23e6 ("mmc: atmel-mci: use probe deferring if dma controller is not ready yet")
+Signed-off-by: Gu Bowen <gubowen5@huawei.com>
+Acked-by: Aubin Constans <aubin.constans@microchip.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20250225022856.3452240-1-gubowen5@huawei.com
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mmc/host/atmel-mci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/atmel-mci.c
++++ b/drivers/mmc/host/atmel-mci.c
+@@ -2507,8 +2507,10 @@ static int atmci_probe(struct platform_d
+ /* Get MCI capabilities and set operations according to it */
+ atmci_get_cap(host);
+ ret = atmci_configure_dma(host);
+- if (ret == -EPROBE_DEFER)
++ if (ret == -EPROBE_DEFER) {
++ clk_disable_unprepare(host->mck);
+ goto err_dma_probe_defer;
++ }
+ if (ret == 0) {
+ host->prepare_data = &atmci_prepare_data_dma;
+ host->submit_data = &atmci_submit_data_dma;
--- /dev/null
+From 654b33ada4ab5e926cd9c570196fefa7bec7c1df Mon Sep 17 00:00:00 2001
+From: Ye Bin <yebin10@huawei.com>
+Date: Sat, 1 Mar 2025 15:06:24 +0300
+Subject: proc: fix UAF in proc_get_inode()
+
+From: Ye Bin <yebin10@huawei.com>
+
+commit 654b33ada4ab5e926cd9c570196fefa7bec7c1df upstream.
+
+Fix race between rmmod and /proc/XXX's inode instantiation.
+
+The bug is that pde->proc_ops don't belong to /proc, it belongs to a
+module, therefore dereferencing it after /proc entry has been registered
+is a bug unless use_pde/unuse_pde() pair has been used.
+
+use_pde/unuse_pde can be avoided (2 atomic ops!) because pde->proc_ops
+never changes so information necessary for inode instantiation can be
+saved _before_ proc_register() in PDE itself and used later, avoiding
+pde->proc_ops->... dereference.
+
+ rmmod lookup
+sys_delete_module
+ proc_lookup_de
+ pde_get(de);
+ proc_get_inode(dir->i_sb, de);
+ mod->exit()
+ proc_remove
+ remove_proc_subtree
+ proc_entry_rundown(de);
+ free_module(mod);
+
+ if (S_ISREG(inode->i_mode))
+ if (de->proc_ops->proc_read_iter)
+ --> As module is already freed, will trigger UAF
+
+BUG: unable to handle page fault for address: fffffbfff80a702b
+PGD 817fc4067 P4D 817fc4067 PUD 817fc0067 PMD 102ef4067 PTE 0
+Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
+CPU: 26 UID: 0 PID: 2667 Comm: ls Tainted: G
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
+RIP: 0010:proc_get_inode+0x302/0x6e0
+RSP: 0018:ffff88811c837998 EFLAGS: 00010a06
+RAX: dffffc0000000000 RBX: ffffffffc0538140 RCX: 0000000000000007
+RDX: 1ffffffff80a702b RSI: 0000000000000001 RDI: ffffffffc0538158
+RBP: ffff8881299a6000 R08: 0000000067bbe1e5 R09: 1ffff11023906f20
+R10: ffffffffb560ca07 R11: ffffffffb2b43a58 R12: ffff888105bb78f0
+R13: ffff888100518048 R14: ffff8881299a6004 R15: 0000000000000001
+FS: 00007f95b9686840(0000) GS:ffff8883af100000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: fffffbfff80a702b CR3: 0000000117dd2000 CR4: 00000000000006f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ proc_lookup_de+0x11f/0x2e0
+ __lookup_slow+0x188/0x350
+ walk_component+0x2ab/0x4f0
+ path_lookupat+0x120/0x660
+ filename_lookup+0x1ce/0x560
+ vfs_statx+0xac/0x150
+ __do_sys_newstat+0x96/0x110
+ do_syscall_64+0x5f/0x170
+ entry_SYSCALL_64_after_hwframe+0x76/0x7e
+
+[adobriyan@gmail.com: don't do 2 atomic ops on the common path]
+Link: https://lkml.kernel.org/r/3d25ded0-1739-447e-812b-e34da7990dcf@p183
+Fixes: 778f3dd5a13c ("Fix procfs compat_ioctl regression")
+Signed-off-by: Ye Bin <yebin10@huawei.com>
+Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/generic.c | 10 +++++++++-
+ fs/proc/inode.c | 6 +++---
+ fs/proc/internal.h | 14 ++++++++++++++
+ include/linux/proc_fs.h | 7 +++++--
+ 4 files changed, 31 insertions(+), 6 deletions(-)
+
+--- a/fs/proc/generic.c
++++ b/fs/proc/generic.c
+@@ -563,10 +563,16 @@ struct proc_dir_entry *proc_create_reg(c
+ return p;
+ }
+
+-static inline void pde_set_flags(struct proc_dir_entry *pde)
++static void pde_set_flags(struct proc_dir_entry *pde)
+ {
+ if (pde->proc_ops->proc_flags & PROC_ENTRY_PERMANENT)
+ pde->flags |= PROC_ENTRY_PERMANENT;
++ if (pde->proc_ops->proc_read_iter)
++ pde->flags |= PROC_ENTRY_proc_read_iter;
++#ifdef CONFIG_COMPAT
++ if (pde->proc_ops->proc_compat_ioctl)
++ pde->flags |= PROC_ENTRY_proc_compat_ioctl;
++#endif
+ }
+
+ struct proc_dir_entry *proc_create_data(const char *name, umode_t mode,
+@@ -630,6 +636,7 @@ struct proc_dir_entry *proc_create_seq_p
+ p->proc_ops = &proc_seq_ops;
+ p->seq_ops = ops;
+ p->state_size = state_size;
++ pde_set_flags(p);
+ return proc_register(parent, p);
+ }
+ EXPORT_SYMBOL(proc_create_seq_private);
+@@ -660,6 +667,7 @@ struct proc_dir_entry *proc_create_singl
+ return NULL;
+ p->proc_ops = &proc_single_ops;
+ p->single_show = show;
++ pde_set_flags(p);
+ return proc_register(parent, p);
+ }
+ EXPORT_SYMBOL(proc_create_single_data);
+--- a/fs/proc/inode.c
++++ b/fs/proc/inode.c
+@@ -684,13 +684,13 @@ struct inode *proc_get_inode(struct supe
+
+ if (S_ISREG(inode->i_mode)) {
+ inode->i_op = de->proc_iops;
+- if (de->proc_ops->proc_read_iter)
++ if (pde_has_proc_read_iter(de))
+ inode->i_fop = &proc_iter_file_ops;
+ else
+ inode->i_fop = &proc_reg_file_ops;
+ #ifdef CONFIG_COMPAT
+- if (de->proc_ops->proc_compat_ioctl) {
+- if (de->proc_ops->proc_read_iter)
++ if (pde_has_proc_compat_ioctl(de)) {
++ if (pde_has_proc_read_iter(de))
+ inode->i_fop = &proc_iter_file_ops_compat;
+ else
+ inode->i_fop = &proc_reg_file_ops_compat;
+--- a/fs/proc/internal.h
++++ b/fs/proc/internal.h
+@@ -79,6 +79,20 @@ static inline bool pde_is_permanent(cons
+ return pde->flags & PROC_ENTRY_PERMANENT;
+ }
+
++static inline bool pde_has_proc_read_iter(const struct proc_dir_entry *pde)
++{
++ return pde->flags & PROC_ENTRY_proc_read_iter;
++}
++
++static inline bool pde_has_proc_compat_ioctl(const struct proc_dir_entry *pde)
++{
++#ifdef CONFIG_COMPAT
++ return pde->flags & PROC_ENTRY_proc_compat_ioctl;
++#else
++ return false;
++#endif
++}
++
+ extern struct kmem_cache *proc_dir_entry_cache;
+ void pde_free(struct proc_dir_entry *pde);
+
+--- a/include/linux/proc_fs.h
++++ b/include/linux/proc_fs.h
+@@ -20,10 +20,13 @@ enum {
+ * If in doubt, ignore this flag.
+ */
+ #ifdef MODULE
+- PROC_ENTRY_PERMANENT = 0U,
++ PROC_ENTRY_PERMANENT = 0U,
+ #else
+- PROC_ENTRY_PERMANENT = 1U << 0,
++ PROC_ENTRY_PERMANENT = 1U << 0,
+ #endif
++
++ PROC_ENTRY_proc_read_iter = 1U << 1,
++ PROC_ENTRY_proc_compat_ioctl = 1U << 2,
+ };
+
+ struct proc_ops {
--- /dev/null
+From 2c7a50bec4958f1d1c84d19cde518d0e96a676fd Mon Sep 17 00:00:00 2001
+From: Christian Eggers <ceggers@arri.de>
+Date: Thu, 13 Mar 2025 11:27:39 +0100
+Subject: regulator: check that dummy regulator has been probed before using it
+
+From: Christian Eggers <ceggers@arri.de>
+
+commit 2c7a50bec4958f1d1c84d19cde518d0e96a676fd upstream.
+
+Due to asynchronous driver probing there is a chance that the dummy
+regulator hasn't already been probed when first accessing it.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Christian Eggers <ceggers@arri.de>
+Link: https://patch.msgid.link/20250313103051.32430-3-ceggers@arri.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/regulator/core.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -1924,6 +1924,10 @@ static int regulator_resolve_supply(stru
+
+ if (have_full_constraints()) {
+ r = dummy_regulator_rdev;
++ if (!r) {
++ ret = -EPROBE_DEFER;
++ goto out;
++ }
+ get_device(&r->dev);
+ } else {
+ dev_err(dev, "Failed to resolve %s-supply for %s\n",
+@@ -1941,6 +1945,10 @@ static int regulator_resolve_supply(stru
+ goto out;
+ }
+ r = dummy_regulator_rdev;
++ if (!r) {
++ ret = -EPROBE_DEFER;
++ goto out;
++ }
+ get_device(&r->dev);
+ }
+
+@@ -2049,8 +2057,10 @@ struct regulator *_regulator_get(struct
+ * enabled, even if it isn't hooked up, and just
+ * provide a dummy.
+ */
+- dev_warn(dev, "supply %s not found, using dummy regulator\n", id);
+ rdev = dummy_regulator_rdev;
++ if (!rdev)
++ return ERR_PTR(-EPROBE_DEFER);
++ dev_warn(dev, "supply %s not found, using dummy regulator\n", id);
+ get_device(&rdev->dev);
+ break;
+
ipv6-set-errno-after-ip_fib_metrics_init-in-ip6_rout.patch
net-atm-fix-use-after-free-in-lec_send.patch
net-neighbor-add-missing-policy-for-ndtpa_queue_lenb.patch
+i2c-omap-fix-irq-storms.patch
+drm-v3d-don-t-run-jobs-that-have-errors-flagged-in-its-fence.patch
+regulator-check-that-dummy-regulator-has-been-probed-before-using-it.patch
+arm64-dts-rockchip-add-missing-pcie-supplies-to-rockpro64-board-dtsi.patch
+mmc-atmel-mci-add-missing-clk_disable_unprepare.patch
+proc-fix-uaf-in-proc_get_inode.patch
+arm-shmobile-smp-enforce-shmobile_smp_-alignment.patch
+batman-adv-ignore-own-maximum-aggregation-size-during-rx.patch
+soc-qcom-pdr-fix-the-potential-deadlock.patch
+drm-radeon-fix-uninitialized-size-issue-in-radeon_vce_cs_parse.patch
--- /dev/null
+From 2eeb03ad9f42dfece63051be2400af487ddb96d2 Mon Sep 17 00:00:00 2001
+From: Saranya R <quic_sarar@quicinc.com>
+Date: Wed, 12 Feb 2025 22:07:20 +0530
+Subject: soc: qcom: pdr: Fix the potential deadlock
+
+From: Saranya R <quic_sarar@quicinc.com>
+
+commit 2eeb03ad9f42dfece63051be2400af487ddb96d2 upstream.
+
+When some client process A call pdr_add_lookup() to add the look up for
+the service and does schedule locator work, later a process B got a new
+server packet indicating locator is up and call pdr_locator_new_server()
+which eventually sets pdr->locator_init_complete to true which process A
+sees and takes list lock and queries domain list but it will timeout due
+to deadlock as the response will queued to the same qmi->wq and it is
+ordered workqueue and process B is not able to complete new server
+request work due to deadlock on list lock.
+
+Fix it by removing the unnecessary list iteration as the list iteration
+is already being done inside locator work, so avoid it here and just
+call schedule_work() here.
+
+ Process A Process B
+
+ process_scheduled_works()
+pdr_add_lookup() qmi_data_ready_work()
+ process_scheduled_works() pdr_locator_new_server()
+ pdr->locator_init_complete=true;
+ pdr_locator_work()
+ mutex_lock(&pdr->list_lock);
+
+ pdr_locate_service() mutex_lock(&pdr->list_lock);
+
+ pdr_get_domain_list()
+ pr_err("PDR: %s get domain list
+ txn wait failed: %d\n",
+ req->service_name,
+ ret);
+
+Timeout error log due to deadlock:
+
+"
+ PDR: tms/servreg get domain list txn wait failed: -110
+ PDR: service lookup for msm/adsp/sensor_pd:tms/servreg failed: -110
+"
+
+Thanks to Bjorn and Johan for letting me know that this commit also fixes
+an audio regression when using the in-kernel pd-mapper as that makes it
+easier to hit this race. [1]
+
+Link: https://lore.kernel.org/lkml/Zqet8iInnDhnxkT9@hovoldconsulting.com/ # [1]
+Fixes: fbe639b44a82 ("soc: qcom: Introduce Protection Domain Restart helpers")
+CC: stable@vger.kernel.org
+Reviewed-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Tested-by: Bjorn Andersson <bjorn.andersson@oss.qualcomm.com>
+Tested-by: Johan Hovold <johan+linaro@kernel.org>
+Signed-off-by: Saranya R <quic_sarar@quicinc.com>
+Co-developed-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
+Signed-off-by: Mukesh Ojha <mukesh.ojha@oss.qualcomm.com>
+Link: https://lore.kernel.org/r/20250212163720.1577876-1-mukesh.ojha@oss.qualcomm.com
+Signed-off-by: Bjorn Andersson <andersson@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/soc/qcom/pdr_interface.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/drivers/soc/qcom/pdr_interface.c
++++ b/drivers/soc/qcom/pdr_interface.c
+@@ -74,7 +74,6 @@ static int pdr_locator_new_server(struct
+ {
+ struct pdr_handle *pdr = container_of(qmi, struct pdr_handle,
+ locator_hdl);
+- struct pdr_service *pds;
+
+ mutex_lock(&pdr->lock);
+ /* Create a local client port for QMI communication */
+@@ -86,12 +85,7 @@ static int pdr_locator_new_server(struct
+ mutex_unlock(&pdr->lock);
+
+ /* Service pending lookup requests */
+- mutex_lock(&pdr->list_lock);
+- list_for_each_entry(pds, &pdr->lookups, node) {
+- if (pds->need_locator_lookup)
+- schedule_work(&pdr->locator_work);
+- }
+- mutex_unlock(&pdr->list_lock);
++ schedule_work(&pdr->locator_work);
+
+ return 0;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
